9.3.0beta2

1654 files changed, 128554 insertions, 151012 deletions

diff --git a/CHANGES b/CHANGES
index b46b6cdf..402c6e99 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,1130 +1,861 @@
 
-	--- 9.2.9b1 released ---
+	--- 9.3.0beta2 released ---
 
-2208.	[port]		win32: make sure both build methods produce the
-			same output. [RT #17058]
+1609.	[func]		dig now has support to chase DNSSEC signature chains.
+			Requires -DDIG_SIGCHASE=1 to be set in STD_CDEFINES.
 
-2205.	[bug]		libbind: change #2119 broke thread support. [RT #16982]
+1608.	[func]		dig and host now accept -4/-6 to select IP transport
+			to use when making queries.
 
-2203.	[security]	Query id generation was cryptographically weak.
-			[RT # 16915]
-
-2199.	[bug]		win32: don't call WSAStartup() while loading dlls.
-			[RT #16911]
-
-2198.	[bug]		win32: RegCloseKey() could be called when
-			RegOpenKeyEx() failed. [RT #16911]
-
-2197.	[bug]		Add INSIST to catch negative responses which are
-			not setting the event result code appropriately.
-			[RT #16909]
-
-2196.	[port]		win32: yield processor while waiting for once to
-			to complete. [RT #16958]
-
-2194.	[bug]		Close journal before calling 'done' in xfrin.c.
-
-2193.	[port]		win32: BINDInstall.exe is now linked statically.
-			[RT #16906]
-
-2192.	[port]		win32: use vcredist_x86.exe to install Visual
-			Studio's redistributable dlls if building with
-			Visual Stdio 2005 or later.
-
-2189.	[bug]		Handle socket() returning EINTR. [RT #15949]
-
-2186.	[port]		cygwin: libbind: check for struct sockaddr_storage
-			independently of IPv6. [RT #16482]
-
-2185.	[port]		sunos: libbind: check for ssize_t, memmove() and
-			memchr(). [RT #16463]
-
-2182.	[bug]		dns_dispatch_createtcp() and dispatch_createudp()
-			could return ISC_R_SUCCESS when they ran out of
-			memory. [RT #16365]
-
-2181.	[port]		sunos: libbind: add paths.h from BIND 8. [RT #16462]
-
-2177.	[bug]		Array bounds overrun on read (rcodetext). [RT #16798]
-
-2176.	[contrib]	dbus update to handle race condition during
-			initialisation (Bugzilla 235809). [RT #16842]
-
-2175.	[bug]		win32: windows broadcast condition variable support
-			was broken. [RT #16592]
-
-2174.	[bug]		I/O errors should always be fatal when reading
-			master files. [RT #16825]
-
-2173.	[port]		win32: When compiling with MSVS 2005 SP1 we also
-			need to ship Microsoft.VC80.MFCLOC.
-
-2172.	[bug]		query_addsoa() was being called with a non zone db.
-			[RT #16834]
-
-2169.	[bug]		host, nslookup: when reporting NXDOMAIN report the
-			given name and not the last name searched for.
-			[RT #16763]
-
-2168.	[bug]		nsupdate: in non-interactive mode treat syntax errors
-			as fatal errors. [RT #16785]
-
-2166.	[bug]		When running in batch mode, dig could misinterpret
-			a server address as a name to be looked up, causing
-			unexpected output. [RT #16743]
-
-2161.	[bug]		'rndc flush' could report a false success. [RT #16698]
-
-2156.	[bug]		Fix node reference leaks in lookup.c:lookup_find(),
-			resolver.c:validated() and resolver.c:cache_name().
-			Make lookup.c:lookup_find() robust against
-			event leaks. [RT #16685]
-
-2155.	[contrib]	SQLite sdb module from jaboydjr@netwalk.com.
-			[RT #16694]
-
-2151.	[bug]		Missing newline in usage message for journalprint.
-			[RT #16679]
-
-2147.	[bug]		libbind: remove potential buffer overflow from
-			hmac_link.c. [RT #16437]
-
-2146.	[cleanup]	Silence Linux's spurious "obsolete setsockopt
-			SO_BSDCOMPAT" message. [RT #16641]
-
-2143.	[bug]		We failed to restart the IPv6 client when the
-			kernel failed to return the destination the
-			packet was sent to. [RT #16613]
-
-2142.	[bug]		Handle master files with a modification time that
-			matches the epoch. [RT# 16612]
-
-2140.	[bug]		libbind: missing unlock on pthread_key_create()
-			failures. [RT #16654]
-
-2139.	[bug]		dns_view_find() was being called with wrong type
-			in adb.c. [RT #16670]
-
-2136.	[bug]		nslookup/host looped if there was no search list
-			and the host didn't exist. [RT #16657]
-
-2132.	[bug]		Missing unlock on out of memory in
-			dns_dispatchmgr_setudp().
-
-2128.	[doc]		xsltproc --nonet, update DTD versions.  [RT #16635]
-
-2127.	[port]		Improved OpenSSL 0.9.8 support. [RT #16563]
-
-2120.	[doc]		Fix markup on nsupdate man page. [RT #16556]
-
-2119.	[compat]	libbind: allow res_init() to succeed enough to
-			return the default domain even if it was unable
-			to allocate memory.
-
-2118.	[bug]		Handle response with long chains of domain name
-			compression pointers which point to other compression
-			pointers. [RT #16427]
-
-2116.	[bug]		'rndc reload' could cause the cache to continually
-			be cleaned. [RT #16401]
-
-2115.	[bug]		'rndc reconfig' could trigger a INSIST if the
-			number of masters for a zone was reduced. [RT #16444]
-
-2114.	[bug]		dig/host/nslookup: searches for names with multiple
-			labels were failing. [RT #16447]
+1607.	[bug]		dig, host and nslookup were still using random()
+			to generate query ids. [RT# 11013]
 
-2113.	[bug]		nsupdate: if a zone is specified it should be used
-			for server discover. [RT# 16455]
+1604.	[bug]		A xfrout_ctx_create() failure would result in
+			xfrout_ctx_destroy() being called with a
+			partially initialized structure.
 			
-2112.	[security]	Warn if weak RSA exponent is used. [RT #16460]
-
-2111.	[bug]		Fix a number of errors reported by Coverity.
-			[RT #16507]
-
-2110.	[bug]		"minimal-response yes;" interacted badly with BIND 8
-			priming queries. [RT #16491]
-
-2109.	[port]		libbind: silence aix 5.3 compiler warnings. [RT #16502]
-
-	--- 9.2.8 released ---
-
-2126.	[security]	Serialise validation of type ANY responses. [RT #16555]
-
-	--- 9.2.7 released ---
-
-2107.	[bug]		dighost.c: more cleanup of buffers. [RT #16499]
-
-2103.	[port]		Add /usr/sfw to list of locations for OpenSSL
-			under Solaris.
-
-2102.	[port]		Silence solaris 10 warnings.
-
-2101.	[bug]		OpenSSL version checks were not quite right.
-			[RT #16476]
-
-2100.	[port]		win32: copy libeay32.dll to Build\Debug.
-
-2099.	[port]		win32: more manifiest issues.
-
-	--- 9.2.7rc3 released ---
-
-2096.	[bug]		libbind: handle applications that fail to detect
-			res_init() failures better.
-
-2095.	[port]		libbind: alway prototype inet_cidr_ntop_ipv6() and
-			net_cidr_ntop_ipv6(). [RT #16388]
- 
-2094.	[contrib]	Update named-bootconf.  [RT# 16404]
-
-2091.	[port]		dighost.c: race condition on cleanup. [RT #16417]
-
-2090.	[port]		win32: Visual C++ 2005 command line manifest support.
-			[RT #16417]
-
-2089.	[security]	Raise the minimum safe OpenSSL versions to
-			OpenSSL 0.9.7l and OpenSSL 0.9.8d.  Versions
-			prior to these have known security flaws which
-			are (potentially) exploitable in named. [RT #16391]
-
-2088.	[security]	Change the default RSA exponent from 3 to 65537.
-			[RT #16391]
-
-2086.	[port]		libbind: FreeBSD now has get*by*_r() functions.
-			[RT #16403]
-
-2085.	[doc]		win32: added index.html and README to zip. [RT #16201]
-
-2084.	[contrib]	dbus update for 9.3.3rc2.
-
-2083.	[port]		win32: Visual C++ 2005 support.
-
-2082.	[doc]		Document 'cache-file' as a test only option.
-
-	--- 9.2.7rc2 released ---
-
-2081.	[port]		libbind: minor 64-bit portability fix in memcluster.c.
-			[RT #16360]
-
-2080.	[port]		libbind: res_init.c did not compile on older versions
-			of Solaris. [RT #16363]
-
-2076.	[bug]		Several files were missing #include <config.h>
-			causing build failures on OSF. [RT #16341]
-
-	--- 9.2.7rc1 released ---
-
-2071.	[port]		Test whether gcc accepts -fno-strict-aliasing.
-			[RT #16324]
-
-2070.	[bug]		The remote address was not always displayed when
-			reporting dispatch failures. [RT #16315]
-
-2069.	[bug]		Cross compiling was not working. [RT #16330]
-
-2067.	[bug]		'rndc' could close the socket too early triggering
-			a INSIST under Windows. [RT #16317]
-
-2065.	[bug]		libbind: probe for HPUX prototypes for
-			endprotoent_r() and endservent_r().  [RT 16313]
-
-2064.	[bug]		libbind: silence AIX compiler warnings. [RT #16218]
-
-2063.	[bug]		Change #1955 introduced a bug which caused the first
-			'rndc flush' call to not free memory. [RT #16244]
-
-2062.	[bug]		'dig +nssearch' was reusing a buffer before it had
-			been returned by the socket code. [RT #16307]
-
-2057.	[bug]		Make setting "ra" dependent on both allow-query and
-			allow-recursion. [RT #16290]
-
-2056.	[bug]		dig: ixfr= was not being treated case insensitively
-			at all times. [RT #15955]
-
-2055.	[bug]		Missing goto after dropping multicast query.
-			[RT #15944]
-
-2054.	[port]		freebsd: do not explicitly link against -lpthread.
-			[RT #16170]
-
-2053.	[port]		netbsd:libbind: silence compiler warnings. [RT #16220]
-
-2050.	[bug]		Parsing of NSAP records was not case insensitive.
-			[RT #16287]
-
-2043.	[port]		nsupdate/nslookup: Force the flushing of the prompt
-			for interactive sessions. [RT#16148]
-
-2038.	[bug]		dig/nslookup/host was unlinking from wrong list
-			when handling errors. [RT #16122]
-
-2037.	[func]		When unlinking the first or last element in a list
-			check that the list head points to the element to
-			be unlinked. [RT #15959]
-
-2034.	[bug]		gcc: set -fno-strict-aliasing. [RT #16124]
-
-1941.	[bug]		ncache_adderesult() should set eresult even if no
-			rdataset is passed to it. [RT #15642]
-
-	--- 9.2.7b1 released ---
-
-2030.	[bug]		We were being overly conservative when disabling
-			openssl engine support. [RT #16030]
-
-2028.	[port]		linux: socket.c compatability for old systems.
-			[RT #16015]
-
-2027.	[port]		libbind: Solaris x86 support. [RT #16020]
-
-2026.	[bug]		Rate limit the recursive client exceeded message.
-			[RT #16044]
-
-2024.	[bug]		named emited spurious "zone serial unchanged"
-			messages on reload. [RT #16027]
-
-2023.	[bug]		"make install" should create ${localstatedir}/run and
-			${sysconfdir} if they do not exist. [RT #16033]
-
-2016.	[bug]		Return a partial answer if recursion is not
-			allowed but requested and we had the answer
-			to the original qname. [RT #15945]
-
-2013.	[bug]		Handle unexpected TSIGs on unsigned AXFR/IXFR
-			responses more gracefully. [RT #15941]
-
-2009.	[bug]		libbind: coverity fixes. [RT #15808]
-
-2005.	[bug]		libbind: Retransmission timeouts should be
-			based on which attempt it is to the nameserver
-			and not the nameserver itself. [RT #13548]
-
-2004.	[bug]		dns_tsig_sign() could pass a NULL pointer to
-			dst_context_destroy() when cleaning up after a
-			error. [RT #15835]
-
-2003.	[bug]		libbind: The DNS name/address lookup functions could
-			occasionally follow a random pointer due to
-			structures not being completely zeroed. [RT #15806]
-
-2002.	[bug]		libbind: tighten the constraints on when
-			struct addrinfo._ai_pad exists.  [RT #15783]
-
-1997.	[bug]		Named was failing to replace negative cache entries
-			when a positive one for the type was learnt.
-			[RT #15818]
-
-1994.	[port]		OpenSSL 0.9.8 support. [RT #15694]
+1603.	[bug]		nsupdate: set interactive based on isatty().
+			[RT# 10929]
 
-1991.	[cleanup]	The configuration data, once read, should be treated
-			as readonly.  Expand the use of const to enforce this
-			at compile time. [RT #15813]
+1602.	[bug]		Logging to a file failed unless a size was specified.
+			[RT# 10925]
 
-1990.	[bug]		libbind:  isc's override of broken gettimeofday()
-			implementions was not always effective.
-			[RT #15709]
+1601.	[bug]		Silence spurious warning 'both "recursion no;" and 
+			"allow-recursion" active' warning from view "_bind".
+			[RT# 10920]
 
-1981.	[bug]		win32: condition.c:wait() could fail to reattain
-			the mutex lock.
+1594.	[bug]		'rndc dumpdb' could prevent named from answering
+			queries while the dump was in progress.  [RT #10565]
 
-1979.	[port]		linux: allow named to drop core after changing
-			user ids. [RT #15753]
+1593.	[bug]		rndc should return "unknown command" to unknown
+			commands. [RT# 10642]
 
-1978.	[port]		Handle systems which have a broken recvmsg().
-			[RT #15742]
+	--- 9.3.0beta1 released ---
 
-1977.	[bug]		Silence noisy log message. [RT #15704]
+1592.	[bug]		configure_view() could leak a dispatch. [RT #10675]
 
-1976.	[bug]		Handle systems with no IPv4 addresses. [RT #15695]
+1591.	[bug]		libbind: updated to BIND 8.4.5.
 
-1975.	[bug]		libbind: isc_gethexstring() could misparse multi-line
-			hex strings with comments. [RT #15814]
+1590.	[port]		netbsd: update thread support.
 
-1974.	[doc]		List each of the zone types and associated zone
-			options separately in the ARM.
+1589.	[func]		DNSSEC lookaside validation.
 
-1972.	[contrib]	DBUS dynamic forwarders integation from
-			Jason Vas Dias <jvdias@redhat.com>.
+1588.	[bug]		win32: TCP sockets could become blocked. [RT #10115]
 
-1971.	[port]		linux: make detection of missing IF_NAMESIZE more
-			robust. [RT #15443]
+1587.	[bug]		dns_message_settsigkey() failed to clear existing key.
+			[RT #10590]
 
-1969.	[bug]		win32: the socket code was freeing the socket
-			structure too early. [RT #15776]
+1586.	[func]		"check-names" is now implemented.
 
-1966.	[bug]		Don't set CD when we have fallen back to plain DNS.
-			[RT #15727]
+1584.	[bug]		"make test" failed with a read only source tree.
+			[RT #10461]
 
-1962.	[bug]		Named failed to clear old update-policy when it
-			was removed. [RT #15491]
+1583.	[bug]		Records add via UPDATE failed to get the correct trust
+			level. [RT #10452]
 
-1961.	[bug]		Check the port and address of responses forwarded
-			to dispatch. [RT #15474]
+1582.	[bug]		rrset-order failed to work on RRsets with more
+			than 32 elements. [RT #10381]
 
-1960.	[bug]		Update code should set NXT ttls from SOA MINIMUM.
-			[RT #15465]
+1581.	[func]		Disable DNSSEC support by default.  To enable
+			DNSSEC specify "dnssec-enable yes;" in named.conf.
 
-1958.	[bug]		Named failed to update the zone's secure state
-			until the zone was reloaded. [RT #15412]
+1580.	[bug]		Zone destruction on final detach takes a long time.
+			[RT #3746]
 
-1957.	[bug]		Dig mishandled responses to class ANY queries.
-			[RT #15402]
+1579.	[bug]		Multiple task managers could not be created.
 
-1956.	[bug]		Improve cross compile support, 'gen' is now built
-			by native compiler.  See README for additional
-			cross compile support information. [RT #15148]
+1578.	[bug]		Don't use CLASS E IPv4 addresses when resolving.
+			[RT #10346]
 
-1955.	[bug]		Pre-allocate the cache cleaning interator. [RT #14998]
+1577.	[bug]		Use isc_uint32_t in ultrasparc optimizer bug
+			workaround code. [RT #10331]
 
-1952.	[port]		hpux: tell the linker to build a runtime link
-			path "-Wl,+b:". [RT #14816].
+1576.	[bug]		Race condition in dns_dispatch_addresponse().
+			[RT# 10272]
 
-1951.	[security]	Drop queries from particular well known ports.
-			Don't return FORMERR to queries from particular
-			well known ports.  [RT #15636]
-			
-1950.	[port]		Solaris 2.5.1 and earlier cannot bind() then connect()
-			a TCP socket. This prevents the source address being
-			set for TCP connections. [RT #15628]
+1575.	[func]		Log TSIG name on TSIG verify failure. [RT #4404]
 
-1948.	[bug]		If was possible to trigger a REQUIRE failure in
-			xfrin.c:maybe_free() if named ran out of memory.
-			[RT #15568]
+1574.	[bug]		Don't attempt to open the controls socket(s) when
+			running tests. [RT #9091]
 
-1944.	[cleanup]	isc_hash_create() does not need a read/write lock.
-			[RT #15522]
+1573.	[port]		linux: update to libtool 1.5.2 so that
+			"make install DESTDIR=/xx" works with
+			"configure --with-libtool".  [RT #9941]
 
-1943.	[bug]		Set the loadtime after rolling forward the journal.
-			[RT #15647]
+1572.	[bug]		nsupdate: sign the soa query to find the enclosing
+			zone if the server is specified. [RT #10148]
 
-1940.	[bug]		Fixed a number of error conditions reported by
-			Coverity.
+1571.	[bug]		rbt:hash_node() could fail leaving the hash table
+			in an inconsistent state.  [RT #10208]
 
-	--- 9.2.6 released ---
+1570.	[bug]		nsupdate failed to handle classes other than IN.
+			New keyword 'class' which sets the default class.
+			[RT #10202]
 
-	--- 9.2.6rc1 released ---
+1569.	[func]		nsupdate new command 'answer' which displays the
+			complete answer message to the last update.
 
-1932.	[bug]		hpux: LDFLAGS was getting corrupted. [RT #15530]
+1568.	[bug]		nsupdate now reports that the update failed in
+			interactive mode. [RT# 10236]
 
-	--- 9.2.6b2 released ---
+1567.	[bug]		B.ROOT-SERVERS.NET is now 192.228.79.201.
 
-1930.	[port]		HPUX: ia64 support. [RT #15473]
+1566.	[port]		Support for the cmsg framework on Solaris and HP/UX.
+			This also solved the problem that match-destinations
+			for IPv6 addresses did not work on these systems.
+			[RT #10221]
 
-1929.	[port]		FreeBSD: extend use of PTHREAD_SCOPE_SYSTEM.
+1565.	[bug]		CD flag should be copied to outgoing queries unless
+			the query is under a secure entry point in which case
+			CD should be set.
 
-1926.	[bug]		BINDinstall was being installed in the wrong place.
-			[RT #15483]
+1564.	[func]		Attempt to provide a fallback entropy source to be
+			used if named is running chrooted and named is unable
+			to open entropy source within the chroot area.
+			[RT #10133]
 
-1925.	[port]		All outer level AC_TRY_RUNs need cross compiling
-			defaults. [RT #15469]
+1563.	[bug]		Gracefully fail when unable to obtain neither an IPv4
+			nor an IPv6 dispatch. [RT #10230]
 
-1924.	[port]		libbind: hpux ia64 support. [RT #15473]
+1562.	[bug]		isc_socket_create() and isc_socket_accept() could
+			leak memory under error conditions. [RT #10230]
 
-1923.	[bug]		ns_client_detach() called too early. [RT #15499]
+1561.	[bug]		It was possible to release the same name twice if
+			named ran out of memory. [RT #10197]
 
-	--- 9.2.6b1 released ---
+1560.	[port]		FreeBSD: work around FreeBSD 5.2 mapping EAI_NODATA
+			and EAI_NONAME to the same value.
 
-1917.	[doc]		funcsynopsisinfo wasn't being treated as verbatim
-			when generating man pages. [RT #15385]
+1559.	[port]		named should ignore SIGFSZ.
 
-1911.	[bug]		Update windows socket code. [RT #14965]
+1558.	[func]		New DNSSEC 'disable-algorithms'.  Support entry into
+			child zones for which we don't have a supported
+			algorithm.  Such child zones are treated as unsigned.
 
-1905.	[bug]		Strings returned from cfg_obj_asstring() should be
-                        treated as read-only.  [RT #15256]
+1557.	[func]		Implement missing DNSSEC tests for
+			* NOQNAME proof with wildcard answers.
+			* NOWILDARD proof with NXDOMAIN.
+			Cache and return NOQNAME with wildcard answers.
 
-1895.	[bug]		A escaped character is, potentially, converted to
-			the output character set too early. [RT #14666]
+1556.	[bug]		nsupdate now treats all names as fully qualified.
+			[RT #6427]
 
-1893.	[port]		Use uintptr_t if available. [RT #14606]
+1555.	[func]		'rrset-order cyclic' no longer has a random starting
+			point. [RT #7572]
 
-1889.	[port]		sunos: non blocking i/o support. [RT #14951]
+1554.	[bug]		dig, host, nslookup failed when no nameservers
+			were specified in /etc/resolv.conf. [RT #8232]
 
-1887.	[bug]		The cache could delete expired records too fast for
-			clients with a virtual time in the past. [RT #14991]
+1553.	[bug]		The windows socket code could stop accepting
+			connections. [RT#10115]
 
-1886.	[bug]		fctx_create() could return success even though it
-			failed. [RT #14993]
+1552.	[bug]		Accept NOTIFY requests from mapped masters if
+			matched-mapped is set. [RT #10049]
 
-1884.	[cleanup]	dighost.c: move external declarations into <dig/dig.h>.
+1551.	[port]		Open "/dev/null" before calling chroot().
 
-1883.	[bug]		dnssec-signzone, dnssec-keygen, dnssec-signkey,
-			dnssec-makekeyset: handle negative debug levels.
-			[RT #14962]
+1550.	[port]		Call tzset(), if available, before calling chroot().
 
-1881.	[func]		Add a system test for named-checkconf. [RT #14931]
+1549.	[func]		named-checkzone can now write out the zone contents
+			in a easily parsable format (-D and -o).
 
-1877.	[bug]		Fix unreasonably low quantum on call to
-			dns_rbt_destroy2().  Remove unnecessay unhash_node()
-			call. [RT #14919]
+1548.	[bug]		When parsing APL records it was possible to silently
+			accept out of range ADDRESSFAMILY values. [RT# 9979]
 
-1875.	[bug]		process_dhtkey() was using the wrong memory context
-			to free some memory. [RT #14890]
+1547.	[bug]		Named wasted memory recording duplicate lame zone
+			entries. [RT #9341]
 
-1873.	[port]		win32: isc__errno2result() now reports its caller.
-			[RT #13753]
+1546.	[bug]		We were rejecting valid secure CNAME to negative
+			answers.
 
-1872.	[port]		win32: Handle ERROR_NETNAME_DELETED.  [RT #13753]
+1545.	[bug]		It was possible to leak memory if named was unable to
+			bind to the specified transfer source and TSIG was
+			being used. [RT #10120]
 
-1871.	[bug]		dnssec_makekeyset and dnssec-signkey failed to
-			initalize the hash context. [RT #13771]
+1544.	[bug]		Named would logged a single entry to a file despite it
+			being over the specified size limit.
 
-1865.	[bug]		Silently ignore nameservers in /etc/resolv.conf with
-			bad addresses. [RT #14841]
+1543.	[bug]		Logging using "versions unlimited" did not work.
 
-1861.	[bug]		dig could trigger a INSIST on certain malformed
-			responses. [RT #14801]
+1541.	[func]		NSEC now uses new bitmap format.
 
-1860.	[port]		solaris 2.8: hack_shutup_pthreadmutexinit was
-			incorrectly set. [RT #14775]
+1540.	[bug]		"rndc reload <dynamiczone>" was silently accepted.
+			[RT #8934]
 
-1856.	[doc]		Switch Docbook toolchain from DSSSL to XSL.
-			[RT #11398]
+1539.	[bug]		Open UDP sockets for notify-source and transfer-source
+			that use reserved ports at startup. [RT #9475]
 
-1854.	[bug]		lwres also needs to know the print format for
-			(long long).  [RT #13754]
+1537.	[func]		New option "querylog".  If set specify whether query
+			logging is to be enabled or disabled at startup.
 
-1850.	[bug]		Memory leak in lwres_getipnodebyaddr(). [RT #14591]
+1536.	[bug]		Windows socket code failed to log a error description
+			when returning ISC_R_UNEXPECTED. [RT #9998]
 
-1849.	[doc]		All forms of the man pages (docbook, man, html) should
-			have consistant copyright dates.
+1534.	[bug]		Race condition when priming cache. [RT# 9940]
 
-1848.	[bug]		Improve SMF integration. [RT #13238]
+1533.	[func]		Warn if both "recursion no;" and "allow-recursion"
+			are active. [RT# 4389]
 
-1847.	[bug]		isc_ondestroy_init() is called too late in
-			dns_rbtdb_create()/dns_rbtdb64_create(). 
-			[RT #13661]
-			
-1846.	[contrib]	query-loc-0.3.0 from Stephane Bortzmeyer
-			<bortzmeyer@nic.fr>.
+1532.	[port]		netbsd: the configure test for <sys/sysctl.h>
+			requires <sys/param.h>.
 
-1845.	[bug]		Improve error reporting to distingish between
-			accept()/fcntl() and socket()/fcntl() errors.
-			[RT #13745]
+1531.	[port]		AIX more libtool fixes.
 
-1844.	[bug]		inet_pton() accepted more that 4 hexadecimal digits
-			for each 16 bit piece of the IPv6 address.  The text
-			representation of a IPv6 address has been tighted
-			to disallow this (draft-ietf-ipv6-addr-arch-v4-02.txt).
-			[RT #5662]
+1530.	[bug]		It was possible to trigger a INSIST() failure if a
+			slave master file was removed at just the correct
+			moment. [RT #9462]
 
-1843.	[cleanup]	CINCLUDES takes precedence over CFLAGS.  This helps
-			when CFLAGS contains "-I /usr/local/include"
-			resulting in old header files being used.
+1529.	[bug]		"notify explicit;" failed to log that NOTIFY messages
+			were being sent for the zone. [RT# 9442]
 
-1842.	[port]		cmsg_len() could produce incorrect results on
-			some platform. [RT #13744]
+1528.	[cleanup]	Simplify some dns_name_ functions based on the
+			deprecation of bitstring labels.
 
-1841.	[bug]		"dig +nssearch" now makes a recursive query to
-			find the list of nameservers to query. [RT #13694]
+1527.	[cleanup]	Reduce the number of gettimeofday() calls without
+			losing necessary timer granularity.
 
-1839.	[bug]		<isc/hash.h> was not being installed.
+1525.	[bug]		dns_cache_create() could trigger a REQUIRE
+			failure in isc_mem_put() during error cleanup.
+			[RT# 9360]
 
-1838.	[cleanup]	Don't allow Linux capabilities to be inherited.
-			[RT #13707]
+1524.	[port]		AIX needs to be able to resolve all symbols when
+			creating shared libraries (--with-libtool).
 
-1836.	[cleanup]	Silence compiler warnings in hash_test.c.
+1523.	[bug]		Fix race condition in rbtdb. [RT# 9189]
 
-1835.	[bug]		Update dnssec-signzone's usage message. [RT #13657]
+1522.	[bug]		dns_db_findnode() relax the requirements on 'name'.
+			[RT# 9286]
 
-1834.	[bug]		Bad memset in rdata_test.c. [RT #13658]
+1521.	[bug]		dns_view_createresolver() failed to check the
+			result from isc_mem_create(). [RT# 9294]
 
-1833.	[bug]		Race condition in isc_mutex_lock_profile(). [RT #13660]
+1520.	[protocol]	Add SSHFP (SSH Finger Print) type.
 
-1832.	[bug]		named fails to return BADKEY on unknown TSIG algorithm.
-			[RT #13620]
+1519.	[bug]		dnssec-signzone:nsec_setbit() computed the wrong
+			length of the new bitmap.
 
-1830.	[bug]		adb lame cache has sence of test reversed. [RT #13600]
+1518.	[bug]		dns_nsec_buildrdata(), and hence dns_nsec_build(),
+			contained a off-by-one error when working out the
+			number of octets in the bitmap.
 
-1828.	[bug]		isc_rwlock_init() failed to properly cleanup if it
-			encountered a error. [RT #13549]
+1517.	[port]		Support for IPv6 interface scanning on HP/UX and
+			TrueUNIX 5.1.
 
-1827.	[bug]		host: update usage message for '-a'. [RT #37116]
+1516.	[func]		Roll the DNSSEC types to RRSIG, NSEC and DNSKEY.
 
-1826.	[bug]		Missing DESTROYLOCK() in isc_mem_createx() on out
-			of memory error. [RT #13537]
+1515.	[func]		Allow transfer source to be set in a server statement.
+			[RT #6496]
 
-1825.	[bug]		Missing UNLOCK() on out of memory error from in
-			rbtdb.c:subtractrdataset(). [RT #13519]
+1514.	[bug]		named: isc_hash_destroy() was being called too early.
+			[RT #9160]
 
-1824.	[bug]		Memory leak on dns_zone_setdbtype() failure.
-			[RT #13510]
+1513.	[doc]		Add "US" to root-delegation-only exclude list.
 
-1823.	[bug]		Wrong macro used to check for point to point interface.
-			[RT#13418]
+1512.	[bug]		Extend the delegation-only logging to return query
+			type, class and responding nameserver.
 
-1821.	[doc]		acls definitions are no longer required to be
-			in named.conf prior to reference.  They can be
-			defined after being referenced.
+1511.	[bug]		delegation-only was generating false positives
+			on negative answers from subzones.
 
-1820.	[bug]		Gracefully handle acl loops. [RT #13659]
+1510.	[func]		New view option "root-delegation-only".  Apply
+			delegation-only check to all TLDs and root.
+			Note there are some TLDs that are NOT delegation
+			only (e.g. DE, LV, US and MUSEUM) these can be excluded
+			from the checks by using exclude.
 
-1815.	[bug]		nsupdate triggered a REQUIRE if the server was set
-			without also setting the zone and it encountered
-			a CNAME and was using TSIG.  [RT #13086]
+			root-delegation-only exclude {
+				"DE"; "LV"; "US"; "MUSEUM";
+			};
 
-1810.	[bug]		configure, lib/bind/configure make different default
-			decisions about whether to do a threaded build.
-			[RT #13212]
+1509.	[bug]		Hint zones should accept delegation-only.  Forward
+			zone should not accept delegation-only.
 
-1809.	[bug]		"make distclean" failed for libbind if the platform
-			is not supported.
+1508.	[bug]		Don't apply delegation-only checks to answers from
+			forwarders.
 
-1807.	[bug]		When forwarding (forward only) set the active domain
-			from the forward zone name. [RT #13526]
-			
-1804.	[bug]		Ensure that if we are queried for glue that it fits
-			in the additional section or TC is set to tell the
-			client to retry using TCP. [RT #10114]
+1507.	[bug]		Handle BIND 8 style returns to NS queries to parents
+			when making delegation-only checks.
 
-1802.	[bug]		Handle connection resets better. [RT #11280]
+1506.	[bug]		Wrong return type for dns_view_isdelegationonly().
 
-	--- 9.2.5 released ---
+1505.	[bug]		Uninitialized rdataset in sdb. [RT #8750]
 
-	--- 9.2.5rc1 released ---
+1504.	[func]		New zone type "delegation-only".
 
-1812.	[port]		win32: IN6_IS_ADDR_UNSPECIFIED macro is incorrect.
-			[RT #13453]
+1503.	[port]		win32: install libeay32.dll outside of system32.
 
-1808.	[bug]		zone.c:notify_zone() contained a race condition,
-			zone->db could change underneath it.  [RT #13511]
+1502.	[bug]		nsupdate: adjust timeouts for UPDATE requests over TCP.
 
-	--- 9.2.5beta2 released ---
+1501.	[func]		Allow TCP queue length to be specified via
+			named.conf, tcp-listen-queue.
 
-1800.	[bug]		Changes #1719 allowed a INSIST to be triggered.
-			[RT #13428]
+1500.	[bug]		host failed to lookup MX records.  Also look up
+			AAAA records.
 
-	--- 9.2.5beta1 released ---
+1475.	[port]		Probe for old sprintf().
 
-1790.	[cleanup]	Move lib/dns/sec/dst up into lib/dns.  This should
-			allow parallel make to succeed.
+1474.	[port]		Provide strtoul() and memmove() for platforms
+			without them.
 
-1789.	[bug]		Prerequisite test for tkey and dnssec could fail
-			with "configure --with-libtool".
+1469.	[func]		Log end of outgoing zone transfer at same level
+			as the start of transfer is logged. [RT #4441]
 
-1787.	[port]		HPUX: both "cc" and "gcc" need -Wl,+vnocompatwarnings.
+1468.	[func]		Internal zones are no longer counted for
+			'rndc status'.  [RT #4706]
 
-1786.	[port]		AIX: libt_api needs to be taught to look for
-			T_testlist in the main executable (--with-libtool).
-			[RT #13239]
+1467.	[func]		$GENERATES now supports optional class and ttl.
 
-1784.	[cleanup]	"libtool -allow-undefined" is the default.
-			Leave hooks in configure to allow it to be set
-			if needed in the future.
+1458.	[cleanup]	sprintf() -> snprintf().
 
-1783.	[cleanup]	We only need one copy of libtool.m4, ltmain.sh in the
-			source tree.
+1457.	[port]		Provide strlcat() and strlcpy() for platforms without
+			them.
 
-1782.	[port]		OSX: --with-libtool + --enable-libbind broke on
-			__evOptMonoTime.  [RT #13219]
+1455.	[bug]		<netaddr> missing from server grammar in
+			doc/misc/options. [RT #5616]
 
-1781.	[port]		FreeBSD 5.3: set PTHREAD_SCOPE_SYSTEM. [RT #12810]
+1454.	[port]		Use getifaddrs() if available for interface scanning.
+			--disable-getifaddrs to override.  Glibc currently
+			has a getifaddrs() that does not support IPv6.
+			Use --enable-getifaddrs=glibc to force the use of
+			this version under linux machines.
 
-1780.	[bug]		Update libtool to 1.5.10.
+1446.	[func]		Implemented undocumented alternate transfer sources
+			from BIND 8.  See use-alt-transfer-source,
+			alt-transfer-source and alt-transfer-source-v6.
 
-1779.	[port]		OSF 5.1: libtool didn't handle -pthread correctly.
+			SECURITY: use-alt-transfer-source is ENABLED unless
+			you are using views.  This may cause a security risk
+			resulting in accidental disclosure of wrong zone
+			content if the master supplying different source
+			content based on IP address.  If you are not certain
+			ISC recommends setting use-alt-transfer-source no;
 
-1778.	[port]		HUX 11.11: fix broken IN6ADDR_ANY_INIT and
-			IN6ADDR_LOOPBACK_INIT macros.
+1444.	[func]		dns_view_findzonecut2() allows you to specify if the
+			cache should be searched for zone cuts.
 
-1777.	[port]		OSF 5.1: fix broken IN6ADDR_ANY_INIT and
-			IN6ADDR_LOOPBACK_INIT macros.
+1443.	[func]		Masters lists can now be specified and referenced
+			in zone masters clauses and other masters lists.
 
-1776.	[port]		Solaris 2.9: fix broken IN6ADDR_ANY_INIT and
-			IN6ADDR_LOOPBACK_INIT macros.
+1442.	[func]		New functions for manipulating port lists:
+			dns_portlist_create(), dns_portlist_add(),
+			dns_portlist_remove(), dns_portlist_match(),
+			dns_portlist_attach() and dns_portlist_detach().
 
-1775.	[bug]		Only compile getnetent_r.c when threaded. [RT #13205]
+1441.	[func]		It is now possible to tell dig to bind to a specific
+			source port.
 
-1774.	[port]		Aix: Silence compiler warnings / build failures.
-			[RT #13154]
+1440.	[func]		It is now possible to tell named to avoid using
+			certain source ports (avoid-v4-udp-ports,
+			avoid-v6-udp-ports).
 
-1773.	[bug]		Fast retry on host / net unreachable. [RT #13153]
+1438.	[func]		Log TSIG (if any) when logging NOTIFY requests.
 
-1772.	[bug]		Change #1740 needed more work in 9.2 as bit-labels
-			are still supported. [RT #13015]
+1436.	[func]		dns_zonemgr_resumexfrs() can be used to restart
+			stalled transfers.
 
-1771.	[bug]		Built-in zones did not have SOA or NS records.
-			[RT #13015]
+1433.	[bug]		named could trigger a REQUIRE failure if it could
+			not get a file descriptor when attempting to write
+			a master file. [RT #4347]
 
-1770.	[bug]		named-checkconf failed to report missing a missing
-			file clause for rbt{64} master/hint zones. [RT#13009]
+1432.	[func]		The advertised EDNS UDP buffer size can now be set
+			via named.conf (edns-udp-size).
 
-1769.	[port]		win32: change compiler flags /MTd ==> /MDd,
-			/MT ==> /MD.
+1430.	[port]		linux: IPv6 interface scanning support.
 
-1767.	[port]		Builds on IPv6 platforms without IPv6 Advanced API
-			support for (struct in6_pktinfo) failed.  [RT #13077]
+1422.	[func]		Log name/type/class when denying a query.  [RT #4663]
 
-1766.	[bug]		Update the master file timestamp on successful refresh
-			as well as the journal's timestamp. [RT# 13062]
+1421.	[func]		Differentiate updates that don't succeed due to
+			prerequisites (unsuccessful) vs other reasons
+			(failed).
 
-1764.	[bug]		dns_zone_replacedb failed to emit a error message
-			if there was no SOA record in the replacment db.
-			[RT #13016]
+1417.	[func]		ID.SERVER/CHAOS is now a built in zone.
+			See "server-id" for how to configure.
 
-1760.	[bug]		Host / net unreachable was not penalising rtt
-			estimates. [RT #12970]
+1415.	[func]		DS TTL now derived from NS ttl.  NXT TTL now derived
+			from SOA MINIMUM.
 
-1753.	[bug]		Don't serve a slave zone which has no NS records.
-			[RT #12894]
+1414.	[func]		Support for KSK flag.
 
-1752.	[port]		Move isc_app_start() to after ns_os_daemonise()
-			as some fork() implementations unblock the signals
-			that are blocked by isc_app_start(). [RT #12810]
+1413.	[func]		Explictly request the (re-)generation of DS records from
+			keysets (dnssec-signzone -g).
 
-1750.	[port]		lib/bind/make/rules.in:subdirs was not bash friendly.
-			[RT #12864]
+1412.	[func]		You can now specify servers to be tried if a nameserver
+			has IPv6 address and you only support IPv4 or the
+			reverse. See dual-stack-servers.
 
-1747.	[bug]		BIND 8 compatability: named/named-checkconf failed
-			to parse "host-statistics-max" in named.conf.
+1410.	[func]		Handle records that live in the parent zone, e.g. DS.
 
-1744.	[bug]		If tuple2msgname() failed to convert a tuple to
-			a name a REQUIRE could be triggered. [RT #12796]
+1409.	[bug]		DS should have attribute DNS_RDATATYPEATTR_DNSSEC.
 
-1743.	[bug]		If isc_taskmgr_create() was not able to create the
-			requested number of worker threads then destruction
-			of the manager would trigger an INSIST() failure.
-			[RT #12790]
-			
-1742.	[bug]		Deleting all records at a node then adding a
-			previously existing record, in a single UPDATE
-			transaction, failed to leave / regenerate the
-			associated SIG records. [RT #12788]
+1404.	[bug]		libbind: ns_name_ntol() could overwrite a zero length
+			buffer.
 
-1741.	[bug]		Deleting all records at a node in a secure zone
-			using a update-policy grant failed. [RT #12787]
+1403.	[func]		dnssec-signzone, dnssec-keygen, dnssec-makekeyset
+			dnssec-signkey now report their version in the
+			usage message.
 
-1740.	[bug]		Replace rbt's hash algorithm as it performed badly
-			with certain zones. [RT #12729]
-			
-			NOTE: a hash context now needs to be established
-			via isc_hash_create() if the application was not
-			already doing this.
+1402.	[cleanup]	A6 has been moved to experimental and is no longer
+			fully supported.
 
-1739.	[bug]		dns_rbt_deletetree() could incorrectly return
-			ISC_R_QUOTA.  [RT #12695]
+1400.	[bug]		Block the addition of wildcard NS records by IXFR
+			or UPDATE. [RT #3502]
 
-1738.	[bug]		Enable overrun checking by default. [RT #12695]
+1398.	[doc]		ARM: notify-also should have been also-notify.
+			[RT #4345]
 
-1734.	[cleanup]	'rndc-confgen -a -t' remove extra '/' in path.
-			[RT #12588]
+1396.	[func]		dnssec-signzone: adjust the default signing time by
+			1 hour to allow for clock skew.
 
-1733.	[bug]		Return non-zero exit status on initial load failure.
-			[RT #12658]
+1394.	[func]		It is now possible to check if a particular element is
+			in a acl.  Remove duplicate entries from the localnets
+			acl.
 
-1731.	[port]		darwin: relax version test in ifconfig.sh.
-			[RT #12581]
+1393.	[port]		Bind to individual IPv6 interfaces if IPV6_IPV6ONLY
+			is not available in the kernel to prevent accidently
+			listening on IPv4 interfaces.
 
-1730.	[port]		Determine the length type used by the socket API.
-			[RT #12581]
+1392.	[bug]		named-checkzone: update usage.
 
-1726.	[port]		aix5: add support for aix5.
+1391.	[func]		Add support for IPv6 scoped addresses in named.
 
-1725.	[port]		linux: update error message on interaction of threads,
-			capabilities and setuid support (named -u). [RT #12541]
+1390.	[func]		host now supports ixfr.
 
-1723.	[cleanup]	Silence compiler warnings from t_tasks.c. [RT #12493]
+1386.	[bug]		named-checkzone -z stopped on errors in a zone.
+			[RT #3653]
 
-1722.	[bug]		Don't commit the journal on malformed ixfr streams.
-			[RT #12519]
+1383.	[func]		Track the serial number in a IXFR response and log if
+			a mismatch occurs.  This is a more specific error than
+			"not exact". [RT #3445]
 
-1721.	[bug]		Error message from the journal processing were not
-			always identifing the relevent journal. [RT #12519]
+1380.	[func]		'rndc recursing' dump recursing queries to
+			'recursing-file = "named.recursing";'.
 
-1720.	[bug]		'dig +chase' did not terminate on a RFC 2308 Type 1
-			negative response. [RT #12506]
+1379.	[func]		'rndc status' now reports tcp and recursion quota
+			states.
 
-1719.	[bug]		named was not correctly caching a RFC 2308 Type 1
-			negative response. [RT #12506]
+1378.	[func]		Improved positive feedback for 'rndc {reload|refresh}.
 
-1718.	[bug]		nsupdate was not handling RFC 2308 Type 3 negative
-			responses when looking for the zone / master server.
-			[RT #12506]
+1377.	[func]		dns_zone_load{new}() now reports if the zone was
+			loaded, queued for loading to up to date.
 
-1717.	[port]		solaris: ifconfig.sh did not support Solaris 10.
-			"ifconfig.sh down" didn't work for Solaris 9.
+1376.	[func]		New function dns_zone_logc() to log to specified
+			category.
 
-1716.	[doc]		named.conf(5) was being installed in the wrong
-			location.  [RT# 12441]
+1375.	[func]		'rndc dumpdb' now dumps the adb cache along with the
+			data cache.
 
-1714.	[bug]		dig/host/nslookup were only trying the first
-			address when a nameserver was specified by name.
-			[RT #12286]
+1374.	[func]		dns_adb_dump() now logs the lame zones associated
+			with each server.
 
-1713.	[port]		linux: extend capset failure message to say:
-			please ensure that the capset kernel module is
-			loaded.  see insmod(8)
+1371.	[bug]		notify-source-v6, transfer-source-v6 and
+			query-source-v6 with explicit addresses and using the
+			same ports as named was listening on could interfere
+			with named's ability to answer queries sent to those
+			addresses.
 
-	--- 9.2.4 released ---
+1368.	[func]		remove support for bitstring labels.
 
-	--- 9.2.4rc8 released ---
+1367.	[func]		Use response times to select forwarders.
 
-1709.	[port]		solaris: add SMF support from Sun.
+1365.	[func]		"localhost" and "localnets" acls now include IPv6
+			addresses / prefixes.
 
-1708.	[cleanup]	Replaced dns_fullname_hash() with dns_name_fullhash()
-			for conformance to the name space convention.  Binary
-			backward compatibility to the old function name is
-			provided. [RT #12376]
+1364.	[func]		Log file name when unable to open memory statistics
+			and dump database files. [RT# 3437]
 
-1707.	[contrib]	sdb/ldap updated to version 1.0-beta.
+1363.	[func]		Listen-on-v6 now supports specific addresses.
 
-1704.	[port]		lwres needed a snprintf() implementation for
-			platforms without snprintf(). [RT #12321]
+1362.	[bug]		remove IFF_RUNNING test when scanning interfaces.
 
-1701.	[doc]		A minimal named.conf man page.
+1361.	[func]		log the reason for rejecting a server when resolving
+			queries.
 
-1700.	[func]		nslookup is no longer to be treated as deprecated.
-			Remove "deprecated" warning message.  Add man page.
+1355.	[bug]		Fix DNSSEC wildcard proof for CNAME/DNAME.
 
-1698.	[doc]		Use reserved IPv6 documentation prefix.
+1344.	[func]		Log if the serial number on the master has gone
+			backwards.
+			If you have multiple machines specified in the masters
+			clause you may want to set 'multi-master yes;' to
+			suppress this warning.
 
-	--- 9.2.4rc7 released ---
+1343.	[func]		Log successful notifies received (info).  Adjust log
+			level for failed notifies to notice.
 
-1694.	[bug]		Report if the builtin views of "_default" / "_bind"
-			are defined in named.conf. [RT #12023]
+1342.	[func]		Log remote address with TCP dispatch failures.
 
-1692.	[bug]		Don't set -I, -L and -R flags when libcrypto is in
-			/usr/lib. [RT #11971]
+1341.	[func]		Allow a rate limiter to be stalled.
 
-1691.	[bug]		sdb's attachversion was not complete. [RT #11990]
+1339.	[func]		dig, host and nslookup now use IP6.ARPA for nibble
+			lookups.  Bit string lookups are no longer attempted.
 
-1690.	[bug]		Delay detaching view from the client until UPDATE
-			processing completes when shutting down. [RT #11714]
+1336.	[func]		Nibble lookups under IP6.ARPA are now supported by
+			dns_byaddr_create().  dns_byaddr_createptrname() is
+			deprecated, use dns_byaddr_createptrname2() instead.
 
-1689.	[bug]		DNS_NAME_TOREGION() macros contained a gratuitous
-			semicolons. [RT #11707]
+1332.	[func]		Report the current serial with periodic commits when
+			rolling forward the journal.
 
-1688.	[bug]		LDFLAGS was not supported.
+1331.	[func]		Generate DNSSEC wildcard proofs.
 
-1687.	[bug]		Race condition in dispatch. [RT #10272]
+1329.	[func]		named-checkzone will now check if nameservers that
+			appear to be IP addresses.  Available modes "fail",
+			"warn" (default) and "ignore" the results of the
+			check.
 
-1686.	[bug]		Named sent a extraneous NOTIFY when it received a
-			redundant UPDATE request. [RT #11943]
+1328.	[bug]		The validator could incorrectly verify an invalid
+			negative proof.
 
-	--- 9.2.4rc6 released ---
+1322.	[bug]		dnssec-signzone usage message was misleading.
 
-1685.	[bug]		Change #1679 loop tests weren't quite right.
+1321.	[bug]		If the last RRset in a zone is glue, dnssec-signzone
+			would incorrectly duplicate its output and sign it.
 
-1682.	[port]		Update configure test for (long long) printf format.
-			[RT #5066]
+1313.	[func]		Query log now says if the query was signed (S) or
+			if EDNS was used (E).
 
-1681.	[bug]		Only set SO_REUSEADDR when a port is specified in
-			isc_socket_bind(). [RT #11742]
+1312.	[func]		Log TSIG key used w/ outgoing zone transfers.
 
-1679.	[bug]		When there was a single nameserver with multiple
-			addresses for a zone not all addresses were tried.
-			[RT #11706]
+1309.	[func]		Log that a zone transfer was covered by a TSIG.
 
-1672.	[cleanup]	Tests which only function in a threaded build
-			now return R:THREADONLY (rather than R:UNTESTED)
-			in a non-threaded build.
+1308.	[func]		DS (delegation signer) support.
 
-1671.	[contrib]	queryperf: add NAPTR to the list of known types.
+1304.	[func]		New function: dns_zone_name().
 
-1669.	[bug]		Restore "update forwarding denied" log messages
-			accidentally suppressed by change #1633. [RT# 11657]
+1303.	[func]		Option 'flush-zones-on-shutdown <boolean>;'.
 
-1660.	[bug]		win32: connection_reset_fix() was being called
-			unconditionally.  [RT #11595]
+1302.	[func]		Extended rndc dumpdb to support dumping of zones and
+			view selection: 'dumpdb [-all|-zones|-cache] [view]'.
 
-	--- 9.2.4rc5 released ---
+1301.	[func]		New category 'update-security'.
 
-1655.	[bug]		Logging multiple versions w/o a size was broken.
-			[RT #11446]
+1300.	[port]		Compaq Trucluster support.
 
-1654.	[bug]		isc_result_totext() contained array bounds read
-			error.
+1293.	[func]		Entropy can now be retrieved from EGDs. [RT #2438]
 
-1650.	[bug]		dig, nslookup: flush standard out after each command.
+1292.	[func]		Enable IPv6 support when using ioctl style interface
+			scanning and OS supports SIOCGLIFADDR using struct
+			if_laddrreq.
 
-1649.	[bug]		Silence "unexpected non-minimal diff" message.
-			[RT #11206]
+1291.	[func]		Enable IPv6 support when using sysctl style interface
+			scanning.
 
-1646.	[bug]		win32: logging file versions didn't work with
-			non-UNC filenames.  [RT#11486]
+1290.	[func]		"dig axfr" now reports the number of messages
+			as well as the number of records.
 
-1644.	[bug]		Update the journal modification time after a
-			sucessfull refresh query. [RT #11436]
+1285.	[func]		lwres: probe the system to see what address families
+			are currently in use.
 
-1643.	[bug]		dns_db_closeversion() could leak memory / node
-			references. [RT #11163]
+1283.	[func]		Use "dataready" accept filter if available.
 
-	--- 9.2.4rc4 released ---
+1281.	[func]		Log zone when unable to get private keys to update
+			zone.  Log zone when NXT records are missing from
+			secure zone.
 
-1640.	[bug]		win32: isc_socket_cancel(ISC_SOCKCANCEL_ACCEPT) was
-			incorrectly closing the socket.  [RT #11291]
+1278.	[func]		dig: now supports +[no]cl +[no]ttlid.
 
-1634.	[bug]		named didn't supply a useful error message when it
-			detected duplicate views.  [RT #11208]
+1277.	[func]		You can now create your own customized printing
+			styles: dns_master_stylecreate() and
+			dns_master_styledestroy().
 
-1633.	[bug]		named should return NOTIMP to update requests to a
-			slaves without a allow-update-forwarding acl specified.
-			[RT #11331]
+1271.	[bug]		"recursion available: {denied,approved}" was too
+			confusing.
 
-1632.	[bug]		nsupdate failed to send prerequisite only UPDATE
-			messages. [RT #11288]
+1267.	[func]		isc_file_openunique() now creates file using mode
+			0666 rather than 0600.
 
-1627.	[bug]		win32: sockets were not being closed when the
-			last external reference was removed. [RT# 11179]
+1254.	[func]		preferred-glue option from BIND 8.3.
 
-	--- 9.2.4rc3 released ---
+1250.	[func]		Nsupdate will report the address the update was
+			sent to.
 
-1623.	[bug]		A serial number of zero was being displayed in the
-			"sending notifies" log message when also-notify was
-			used. [RT #11177]
+1247.	[bug]		Don't reset the interface index for link/site local
+			addresses. [RT #2576]
 
-1621.	[bug]		match-destinations did not work for IPv6 TCP queries.
-			[RT# 11156]
+1246.	[func]		New functions isc_sockaddr_issitelocal(),
+			isc_sockaddr_islinklocal(), isc_netaddr_issitelocal()
+			and isc_netaddr_islinklocal().
 
-1619.	[bug]		Missing ISC_LIST_UNLINK in end_reserved_dispatches().
-			[RT# 11118]
+1243.	[bug]		It was possible to trigger a REQUIRE() in
+			dns_message_findtype(). [RT #2659]
 
-1617.	[port]		win32: VC++ 6.0 support.
+1235.	[func]		Report 'out of memory' errors from openssl.
 
-1616.	[compat]	Ensure that named's version is visible in the core
-			dump. [RT #11127]
+1234.	[bug]		contrib/sdb: 'zonetodb' failed to call
+			dns_result_register().  DNS_R_SEENINCLUDE should not
+			be fatal.
 
-1615.	[port]		Define ISC_SOCKADDR_LEN_T based on _BSD_SOCKLEN_T_ if
-			it is defined.
+1233.	[bug]		The flags field of a KEY record can be expressed in
+			hex as well as decimal.
 
-1614.	[port]		win32: silence resource limit messages. [RT# 11101]
+1226.	[func]		Use EDNS for zone refresh queries. [RT #2551]
 
-1610.	[bug]		On dual stack machines "dig -b" failed to set the
-			address type to be looked up with "@server".
-			[RT #11069]
+1225.	[func]		dns_message_setopt() no longer requires that
+			dns_message_renderbegin() to have been called.
 
-1600.	[bug]		Duplicate zone pre-load checks were not case
-			insensitive.
+1224.	[bug]		'rrset-order' and 'sortlist' should be additive
+			not exclusive.
 
-1599.	[bug]		Fix memory leak on error path when checking named.conf.
+1223.	[func]		'rrset-order' partially works 'cyclic' and 'random'
+			are supported.
 
-	--- 9.2.4rc2 released ---
+1220.	[func]		Support for APL rdata type.
 
-1607.	[bug]		dig, host and nslookup were still using random()
-			to generate query ids. [RT# 11013]
+1219.	[func]		Named now reports the TSIG extended error code when
+			signature verification fails. [RT #1651]
 
-1604.	[bug]		A xfrout_ctx_create() failure would result in
-			xfrout_ctx_destroy() being called with a
-			partially initialized structure.
-			
-1603.	[bug]		nsupdate: set interactive based on isatty().
-			[RT# 10929]
+1217.	[func]		Report locations of previous key definition when a
+			duplicate is detected.
 
-1602.	[bug]		Logging to a file failed unless a size was specified.
-			[RT# 10925]
+1213.	[func]		Report view associated with client if it is not a
+			standard view (_default or _bind).
 
-1601.	[bug]		Silence spurious warning 'both "recursion no;" and 
-			"allow-recursion" active' warning from view "_bind".
-			[RT# 10920]
+1203.	[func]		Report locations of previous acl and zone definitions
+			when a duplicate is detected.
 
-1455.   [bug]           <netaddr> missing from server grammar in
-                        doc/misc/options. [RT #5616]
+1202.	[func]		New functions: cfg_obj_line() and cfg_obj_file().
 
-1593.	[bug]		rndc should return "unknown command" to unknown
-			commands. [RT# 10642]
+1192.	[bug]		The seconds fields in LOC records were restricted
+			to three decimal places.  More decimal places should
+			be allowed but warned about.
 
-	--- 9.2.4rc1 released ---
+1190.	[func]		Add the "rndc freeze" and "rndc unfreeze" commands.
+			[RT #2394]
 
-1592.	[bug]		configure_view() could leak a dispatch. [RT# 10675]
+1187.	[bug]		named was incorrectly returning DNSSEC records
+			in negative responses when the DO bit was not set.
 
-1591.	[bug]		libbind: updated to BIND 8.4.5.
+1181.	[func]		Add the "key-directory" configuration statement,
+			which allows the server to look for online signing
+			keys in alternate directories.
 
-1590.	[port]		netbsd: update thread support.
+1180.	[func]		dnssec-keygen should always generate keys with
+			protocol 3 (DNSSEC), since it's less confusing
+			that way.
 
-1588.	[bug]		win32: TCP sockets could become blocked. [RT #10115]
+1179.	[func]		Add SIG(0) support to nsupdate.
 
-1587.	[bug]		dns_message_settsigkey() failed to clear existing key.
-			[RT #10590]
+1177.	[func]		Report view when loading zones if it is not a
+			standard view (_default or _bind). [RT #2270]
 
-1585.	[bug]		allow-v6-synthesis was not performing lookups under
-			IP6.INT.  allow-v6-synthesis now performs a nibble
-			lookups under IP6.ARPA rather than a bitstring lookups.
-			[RT #10497]
+1171.	[func]		Added function isc_region_compare(), updated files in
+			lib/dns to use this function instead of local one.
 
-			NOTE: allow-v6-synthesis has been deprecated.
+1169.	[func]		Identify recursive queries in the query log.
 
-1584.	[bug]		"make test" failed with a read only source tree.
-			[RT #10461]
+1163.	[func]		isc_time_formattimestamp() now includes the year.
 
-1583.	[bug]		Records add via UPDATE failed to get the correct trust
-			level. [RT #10452]
+1159.	[bug]		MD and MF are not permitted to be loaded by RFC1123.
 
-1582.	[bug]		rrset-order failed to work on RRsets with more
-			than 32 elements. [RT #10381]
+1158.	[func]		Report the client's address when logging notify
+			messages.
 
-1580.	[bug]		Zone destruction on final detach takes a long time.
-			[RT #3746]
+1157.	[func]		match-clients and match-destinations now accept
+			keys. [RT #2045]
 
-1579.	[bug]		Multiple task managers could not be created.
+1155.	[func]		Recover from master files being removed from under
+			us.
 
-1578.	[bug]		Don't use CLASS E IPv4 addresses when resolving.
-			[RT #10346]
+1153.	[func]		'rndc {stop|halt} -p' now reports the process id
+			of the instance of named being shutdown.
 
-1577.	[bug]		Use isc_uint32_t in ultrasparc optimizer bug
-			workaround code. [RT #10331]
+1151.	[bug]		nslookup failed to check that the arguments to
+			the port, timeout, and retry options were
+			valid integers and in range. [RT #2099]
 
-1576.	[bug]		Race condition in dns_dispatch_addresponse().
-			[RT# 10272]
+1150.	[bug]		named incorrectly accepted TTL values
+			containing plus or minus signs, such as
+			1d+1h-1s.
 
-1574.	[bug]		Don't attempt to open the controls socket(s) when
-			running tests. [RT #9091]
+1149.	[func]		New function isc_parse_uint32().
 
-1573.	[port]		linux: update to libtool 1.5.2 so that
-			"make install DESTDIR=/xx" works with
-			"configure --with-libtool".  [RT #9941]
+1148.	[func]		'rndc-confgen -a' now provides positive feedback.
 
-1572.	[bug]		nsupdate: sign the soa query to find the enclosing
-			zone if the server is specified. [RT #10148]
+1147.	[func]		Set IPV6_V6ONLY on IPv6 sockets if supported by
+			the OS.  listen-on-v6 { any; }; should no longer
+			result in IPv4 queries be accepted.  Similarly
+			control { inet :: ... }; should no longer result
+			in IPv4 connections being accepted.  This can be
+			overridden at compile time by defining
+			ISC_ALLOW_MAPPED=1.
 
-1571.	[bug]		rbt:hash_node() could fail leaving the hash table
-			in an inconsistent state.  [RT #10208]
+1146.	[func]		Allow IPV6_IPV6ONLY to be set/cleared on a socket if
+			supported by the OS by a new function
+			isc_socket_ipv6only().
 
-1570.	[bug]		nsupdate failed to handle classes other than IN.
-			New keyword 'class' which sets the default class.
-			[RT #10202]
+1145.	[func]		"host" no longer reports a NOERROR/NODATA response
+			by printing nothing. [RT #2065]
 
-1568.	[bug]		nsupdate now reports that the update failed in
-			interactive mode. [RT# 10236]
+1143.	[bug]		When a trusted-keys statement was present and named
+			was built without crypto support, it would leak memory.
 
-1567.	[bug]		B.ROOT-SERVERS.NET is now 192.228.79.201.
+1139.	[func]		It is now possible to flush a given name from the
+			cache(s) via 'rndc flushname name [view]'. [RT #2051]
 
-1566.	[port]		Support for the cmsg framework on Solaris and HP/UX.
-			This also solved the problem that match-destinations
-			for IPv6 addresses did not work on these systems.
-			[RT #10221]
+1138.	[func]		It is now possible to flush a given name from the
+			cache by calling the new function
+			dns_cache_flushname().
 
-1563.	[bug]		Gracefully fail when unable to obtain neither an IPv4
-			nor an IPv6 dispatch. [RT #10230]
+1137.	[func]		It is now possible to flush a given name from the
+			ADB by calling the new function dns_adb_flushname().
 
-1562.	[bug]		isc_socket_create() and isc_socket_accept() could
-			leak memory under error conditions. [RT #10230]
+1135.	[func]		You can now override the default syslog() facility for
+			named/lwresd at compile time. [RT #1982]
 
-1561.	[bug]		It was possible to release the same name twice if
-			named ran out of memory. [RT #10197]
+1132.	[func]		Improve UPDATE prerequisite failure diagnostic messages.
 
-1559.	[port]		named should ignore SIGFSZ.
+1128.	[func]		sdb drivers can now provide RR data in either text
+			or wire format, the latter using the new functions
+			dns_sdb_putrdata() and dns_sdb_putnamedrdata().
 
-1556.	[bug]		nsupdate now treats all names as fully qualified.
-			[RT #6427]
+1127.	[func]		rndc: If the server to contact has multiple addresses,
+			try all of them.
 
-1553.	[bug]		The windows socket code could stop accepting
-			connections.
+1119.	[func]		Added support in Win32 for NTFS file/directory ACL's
+			for access control.
 
-1552.	[bug]		Accept NOTIFY requests from mapped masters if
-			matched-mapped is set. [RT #10049]
+1115.	[func]		Set maximum values for cleaning-interval,
+			heartbeat-interval, interface-interval,
+			max-transfer-idle-in, max-transfer-idle-out,
+			max-transfer-time-in, max-transfer-time-out,
+			statistics-interval of 28 days and
+			sig-validity-interval of 3660 days. [RT #2002]
 
-1551.	[port]		Open "/dev/null" before calling chroot().
+1110.	[bug]		dig should only accept valid abbreviations of +options.
+			[RT #2003]
 
-1550.	[port]		Call tzset(), if available, before calling chroot().
+1105.	[port]		OpenUNIX 8 enable threads by default. [RT #1970]
 
-1547.	[bug]		Named wasted memory recording duplicate lame zone
-			entries. [RT #9341]
+1080.	[bug]		BIND 8 compatibility: accept bare IP prefixes
+			as the second element of a two-element top level
+			sort list statement. [RT #1964]
 
-1546.	[bug]		We were rejecting valid secure CNAME to negative
-			answers.
+1079.	[bug]		BIND 8 compatibility: accept bare elements at top
+			level of sort list treating them as if they were
+			a single element list. [RT #1963]
 
-1545.	[bug]		It was possible to leak memory if named was unable to
-			bind to the specified transfer source and TSIG was
-			being used. [RT #10120]
+1077.	[func]		Do not accept further recursive clients when
+			the total number of recursive lookups being
+			processed exceeds max-recursive-clients, even
+			if some of the lookups are internally generated.
+			[RT #1915, #1938]
 
-1544.	[bug]		Named would logged a single entry to a file despite it
-			being over the specified size limit.
+1073.	[bug]		The ADB cache cleaning should also be space driven.
+			[RT #1915, #1938]
 
-1543.	[bug]		Logging using "versions unlimited" did not work.
+1067.	[func]		Allow quotas to be soft, isc_quota_soft().
 
-1542.	[bug]		Reversed timestamp sanity test on SIG. [RT #10095]
+1065.	[func]		Runtime support to select new / old style interface
+			scanning using ioctls.
 
-1540.	[bug]		"rndc reload <dynamiczone>" was silently accepted.
-			[RT #8934]
+1060.	[func]		Move refresh, stub and notify UDP retry processing
+			into dns_request.
 
-1539.	[bug]		Open UDP sockets for notify-source and transfer-source
-			that use reserved ports at startup. [RT #9475]
+1059.	[func]		dns_request now support will now retry UDP queries,
+			dns_request_createvia2() and dns_request_createraw2().
 
-1536.	[bug]		Windows socket code failed to log a error description
-			when returning ISC_R_UNEXPECTED. [RT #9998]
+1058.	[func]		Limited lifetime ticker timers are now available,
+			isc_timertype_limited.
 
-1535.	[bug]		dig -x of a partial IPv4 address broken. [RT# 9949]
+1055.	[func]		Version and hostname queries can now be disabled
+			using "version none;" and "hostname none;",
+			respectively.
 
-1534.	[bug]		Race condition when priming cache. [RT# 9940]
+1049.	[func]		"pid-file none;" will disable writing a pid file.
+			[RT #1848]
 
-1533.	[func]		Warn if both "recursion no;" and "allow-recursion"
-			are active. [RT# 4389]
+1037.	[bug]		Negative responses whose authority section contain
+			SOA or NS records whose owner names are not equal
+			equal to or parents of the query name should be
+			rejected. [RT #1862]
 
-1532.	[port]		netbsd: the configure test for <sys/sysctl.h>
-			requires <sys/param.h>.
+1036.	[func]		Silently drop requests received via multicast as
+			long as there is no final multicast DNS standard.
 
-1531.	[port]		AIX more libtool fixes.
+1035.	[bug]		If we respond to multicast queries (which we
+			currently do not), respond from a unicast address
+			as specified in RFC 1123. [RT #137]
 
-1530.	[bug]		It was possible to trigger a INSIST() failure if a
-			slave master file was removed at just the correct
-			moment. [RT #9462]
+1034.	[bug]		Ignore the RD bit on multicast queries as specified
+			in RFC 1123. [RT #137]
 
-1529.	[bug]		"notify explicit;" failed to log that NOTIFY messages
-			were being sent for the zone. [RT #9442]
+1032.	[func]		hostname.bind/txt/chaos now returns the name of
+			the machine hosting the nameserver.  This is useful
+			in diagnosing problems with anycast servers.
 
 1025.	[bug]		Don't use multicast addresses to resolve iterative
 			queries. [RT #101]
 
-	--- 9.2.3 released ---
+1024.	[port]		Compilation failed on HP-UX 11.11 due to
+			incompatible use of the SIOCGLIFCONF macro
+			name. [RT #1831]
 
-1525.	[bug]		dns_cache_create() could trigger a REQUIRE
-			failure in isc_mem_put() during error cleanup.
+1023.	[func]		Accept hints without TTLs.
 
-1524.	[port]		AIX needs to be able to resolve all symbols when
-			creating shared libraries (--with-libtool).
+1011.	[cleanup]	Removed isc_dir_current().
 
-1523.	[bug]		Fix race condition in rbtdb. [RT# 9189]
+1009.	[port]		OpenUNIX 8 support. [RT #1728]
 
-1522.	[bug]		dns_db_findnode() relax the requirements on 'name'.
-			[RT# 9286]
+1008.	[port]		libtool.m4, ltmain.sh from libtool-1.4.2.
 
-1518.	[bug]		dns_nxt_buildrdata(), and hence dns_nxt_build(),
-			contained a off-by-one error when working out the
-			number of octets in the bitmap.
+1007.	[port]		config.guess, config.sub from autoconf-2.52.
 
-1514.	[bug]		named: isc_hash_destroy() was being called too early.
-			[RT #9160]
+1003.	[func]		Add the +retry option to dig.
 
-1513.	[doc]		Add "US" to root-delegation-only exclude list.
+ 999.	[func]		"rndc retransfer zone [class [view]]" added.
+			[RT #1752]
 
-	--- 9.2.3rc4 released ---
+ 998.	[func]		named-checkzone now has arguments to specify the
+			chroot directory (-t) and working directory (-w).
+			[RT #1755]
 
-1512.	[bug]		Extend the delegation-only logging to return query
-			type, class and responding nameserver.
+ 997.	[func]		Add support for RSA-SHA1 keys (RFC3110).
 
-1511.	[bug]		delegation-only was generating false positives
-			on negative answers from subzones.
+ 996.	[func]		Issue warning if the configuration filename contains
+			the chroot path.
 
-	--- 9.2.3rc3 released ---
+ 994.	[func]		Treat non-authoritative responses to queries for type
+			NS as referrals even if the NS records are in the
+			answer section, because BIND 8 servers incorrectly
+			send them that way.  This is necessary for DNSSEC
+			validation of the NS records of a secure zone to
+			succeed when the parent is a BIND 8 server. [RT #1706]
 
-1510.	[func]		New view option "root-delegation-only".  Apply
-			delegation-only check to all TLDs and root.
-			Note there are some TLDs that are NOT delegation
-			only (e.g. DE, LV, US and MUSEUM) these can be excluded
-			from the checks by using exclude.
+ 993.	[func]		dig: -v now reports the version.
 
-			root-delegation-only exclude {
-				"DE"; "LV"; "US"; "MUSEUM";
-			};
+ 991.	[func]		Lower UDP refresh timeout messages to level
+			debug 1.
 
-1509.	[bug]		Hint zones should accept delegation-only.  Forward
-			zone should not accept delegation-only.
+ 985.	[func]		Consider network interfaces to be up iff they have
+			a nonzero IP address rather than based on the
+			IFF_UP flag. [RT #1160]
 
-1508.	[bug]		Don't apply delegation-only checks to answers from
-			forwarders.
+ 983.	[func]		The server now supports generating IXFR difference
+			sequences for non-dynamic zones by comparing zone
+			versions, when enabled using the new config
+			option "ixfr-from-differences". [RT #1727]
 
-1507.	[bug]		Handle BIND 8 style returns to NS queries to parents
-			when making delegation-only checks.
+ 982.	[func]		If "memstatistics-file" is set in options the memory
+			statistics will be written to it.
 
-1506.	[bug]		Wrong return type for dns_view_isdelegationonly().
+ 981.	[func]		The dnssec tools can now take multiple '-r randomfile'
+			arguments.
 
-	--- 9.2.3rc2 released ---
+ 979.	[func]		Incremental master file dumping.  dns_master_dumpinc(),
+			dns_master_dumptostreaminc(), dns_dumpctx_attach(),
+			dns_dumpctx_detach(), dns_dumpctx_cancel(),
+			dns_dumpctx_db() and dns_dumpctx_version().
 
-1505.	[bug]		Uninitialized rdataset in sdb. [RT #8750]
+ 976.	[func]		named-checkconf can now test load master zones
+			(named-checkconf -z). [RT #1468]
 
-1504.	[func]		New zone type "delegation-only".
+ 970.	[func]		'max-journal-size' can now be used to set a target
+			size for a journal.
 
-1503.	[port]		win32: install libeay32.dll outside of system32.
+ 969.	[func]		dig now supports the undocumented dig 8 feature
+			of allowing arbitrary labels, not just dotted
+			decimal quads, with the -x option.  This can be
+			used to conveniently look up RFC2317 names as in
+			"dig -x 10.0.0.0-127". [RT #827, #1576, #1598]
 
 	--- 9.2.3rc1 released ---
 
@@ -4859,7 +4590,7 @@
 			and has been removed.
 
  170.	[cleanup]	Remove inter server consistancy checks from zone,
-			these should return as a separate module in 9.1.
+			these should return as a seperate module in 9.1.
 			dns_zone_checkservers(), dns_zone_checkparents(),
 			dns_zone_checkchildren(), dns_zone_checkglue().
 
@@ -5044,7 +4775,7 @@
 			<isc/bufferlist.h>, <isc/task.h>, <isc/mem.h> or
 			<isc/net.h>.
 
- 119.	[cleanup]	structure definitions for generic rdata structures do
+ 119.	[cleanup]	structure definitions for generic rdata stuctures do
 			not have _generic_ in their names.
 
  118.	[cleanup]	libdns.a is now namespace-clean, on NetBSD, excepting
diff --git a/COPYRIGHT b/COPYRIGHT
index 796a9926..ee104781 100644
--- a/COPYRIGHT
+++ b/COPYRIGHT
@@ -1,4 +1,4 @@
-Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
+Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
 Copyright (C) 1996-2003  Internet Software Consortium.
 
 Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@ LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 PERFORMANCE OF THIS SOFTWARE.
 
-$Id: COPYRIGHT,v 1.6.2.7 2007/01/08 02:45:02 marka Exp $
+$Id: COPYRIGHT,v 1.6.2.2.8.2 2004/03/08 04:04:12 marka Exp $
 
 Portions Copyright (C) 1996-2001  Nominum, Inc.
 
diff --git a/FAQ b/FAQ
index af6c89a4..dab25ced 100644
--- a/FAQ
+++ b/FAQ
@@ -1,721 +1,417 @@
-Frequently Asked Questions about BIND 9
-
-Copyright © 2004-2007 Internet Systems Consortium, Inc. ("ISC")
 
-Copyright © 2000-2003 Internet Software Consortium.
 
--------------------------------------------------------------------------------
-
-Q: Why doesn't -u work on Linux 2.2.x when I build with --enable-threads?
 
-A: Linux threads do not fully implement the Posix threads (pthreads) standard. In
-   particular, setuid() operates only on the current thread, not the full process.
-   Because of this limitation, BIND 9 cannot use setuid() on Linux as it can on
-   all other supported platforms. setuid() cannot be called before creating
-   threads, since the server does not start listening on reserved ports until
-   after threads have started.
+Frequently Asked Questions about BIND 9
 
-   In the 2.2.18 or 2.3.99-pre3 and newer kernels, the ability to preserve
-   capabilities across a setuid() call is present. This allows BIND 9 to call
-   setuid() early, while retaining the ability to bind reserved ports. This is a
-   Linux-specific hack.
 
-   On a 2.2 kernel, BIND 9 does drop many root privileges, so it should be less of
-   a security risk than a root process that has not dropped privileges.
+Q: Why doesn't -u work on Linux 2.2.x when I build with --enable-threads?
 
-   If Linux threads ever work correctly, this restriction will go away.
+A: Linux threads do not fully implement the Posix threads (pthreads) standard.
+In particular, setuid() operates only on the current thread, not the full
+process.  Because of this limitation, BIND 9 cannot use setuid() on Linux as it
+can on all other supported platforms.  setuid() cannot be called before
+creating threads, since the server does not start listening on reserved ports
+until after threads have started.
 
-   Configuring BIND9 with the --disable-threads option (the default) causes a
-   non-threaded version to be built, which will allow -u to be used.
+  In the 2.2.18 or 2.3.99-pre3 and newer kernels, the ability to preserve
+capabilities across a setuid() call is present.  This allows BIND 9 to call
+setuid() early, while retaining the ability to bind reserved ports.  This is
+a Linux-specific hack.
 
-Q: Why do I get the following errors:
+  On a 2.2 kernel, BIND 9 does drop many root privileges, so it should be less
+of a security risk than a root process that has not dropped privileges.
 
-   general: errno2result.c:109: unexpected error:
-   general: unable to convert errno to isc_result: 14: Bad address
-   client: UDP client handler shutting down due to fatal receive error: unexpected error
+  If Linux threads ever work correctly, this restriction will go away.
 
-A: This is the result of a Linux kernel bug.
+  Configuring BIND9 with the --disable-threads option (the default) causes a
+non-threaded version to be built, which will allow -u to be used.
 
-   See: http://marc.theaimsgroup.com/?l=linux-netdev&m=113081708031466&w=2
 
-Q: Why does named log the warning message "no TTL specified - using SOA MINTTL
-   instead"?
+Q: Why does named log the warning message "no TTL specified - using SOA
+MINTTL instead"?
 
-A: Your zone file is illegal according to RFC1035. It must either have a line
-   like:
+A: Your zone file is illegal according to RFC1035.  It must either
+have a line like
 
    $TTL 86400
 
-   at the beginning, or the first record in it must have a TTL field, like the
-   "84600" in this example:
+at the beginning, or the first record in it must have a TTL field,
+like the "84600" in this example:
 
    example.com. 86400 IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 )
 
 Q: Why do I see 5 (or more) copies of named on Linux?
 
-A: Linux threads each show up as a process under ps. The approximate number of
-   threads running is n+4, where n is the number of CPUs. Note that the amount of
-   memory used is not cumulative; if each process is using 10M of memory, only a
-   total of 10M is used.
-
-   Newer versions of Linux's ps command hide the individual threads and require -L
-   to display them.
-
-Q: Why does BIND 9 log "permission denied" errors accessing its configuration
-   files or zones on my Linux system even though it is running as root?
-
-A: On Linux, BIND 9 drops most of its root privileges on startup. This including
-   the privilege to open files owned by other users. Therefore, if the server is
-   running as root, the configuration files and zone files should also be owned by
-   root.
-
-Q: Why do I get errors like "dns_zone_load: zone foo/IN: loading master file bar:
-   ran out of space"?
-
-A: This is often caused by TXT records with missing close quotes. Check that all
-   TXT records containing quoted strings have both open and close quotes.
-
-Q: How do I produce a usable core file from a multi-threaded named on Linux?
-
-A: If the Linux kernel is 2.4.7 or newer, multi-threaded core dumps are usable
-   (that is, the correct thread is dumped). Otherwise, if using a 2.2 kernel,
-   apply the kernel patch found in contrib/linux/coredump-patch and rebuild the
-   kernel. This patch will cause multi-threaded programs to dump the correct
-   thread.
-
-Q: How do I restrict people from looking up the server version?
-
-A: Put a "version" option containing something other than the real version in the
-   "options" section of named.conf. Note doing this will not prevent attacks and
-   may impede people trying to diagnose problems with your server. Also it is
-   possible to "fingerprint" nameservers to determine their version.
-
-Q: How do I restrict only remote users from looking up the server version?
-
-A: The following view statement will intercept lookups as the internal view that
-   holds the version information will be matched last. The caveats of the previous
-   answer still apply, of course.
-
-   view "chaos" chaos {
-           match-clients { <those to be refused>; };
-           allow-query { none; };
-           zone "." {
-                   type hint;
-                   file "/dev/null";  // or any empty file
-           };
-   };
-
-Q: What do "no source of entropy found" or "could not open entropy source foo"
-   mean?
-
-A: The server requires a source of entropy to perform certain operations, mostly
-   DNSSEC related. These messages indicate that you have no source of entropy. On
-   systems with /dev/random or an equivalent, it is used by default. A source of
-   entropy can also be defined using the random-device option in named.conf.
-
-Q: I installed BIND 9 and restarted named, but it's still BIND 8. Why?
-
-A: BIND 9 is installed under /usr/local by default. BIND 8 is often installed
-   under /usr. Check that the correct named is running.
-
-Q: I'm trying to use TSIG to authenticate dynamic updates or zone transfers. I'm
-   sure I have the keys set up correctly, but the server is rejecting the TSIG.
-   Why?
+A: Linux threads each show up as a process under ps.  The approximate
+number of threads running is n+4, where n is the number of CPUs.  Note that
+the amount of memory used is not cumulative; if each process is using 10M of
+memory, only a total of 10M is used.
 
-A: This may be a clock skew problem. Check that the the clocks on the client and
-   server are properly synchronised (e.g., using ntp).
 
-Q: I'm trying to compile BIND 9, and "make" is failing due to files not being
-   found. Why?
+Q: Why does BIND 9 log "permission denied" errors accessing its
+configuration files or zones on my Linux system even though it is running
+as root?
 
-A: Using a parallel or distributed "make" to build BIND 9 is not supported, and
-   doesn't work. If you are using one of these, use normal make or gmake instead.
+A: On Linux, BIND 9 drops most of its root privileges on startup.
+This including the privilege to open files owned by other users.
+Therefore, if the server is running as root, the configuration files
+and zone files should also be owned by root.
 
-Q: I have a BIND 9 master and a BIND 8.2.3 slave, and the master is logging error
-   messages like "notify to 10.0.0.1#53 failed: unexpected end of input". What's
-   wrong?
 
-A: This error message is caused by a known bug in BIND 8.2.3 and is fixed in BIND
-   8.2.4. It can be safely ignored - the notify has been acted on by the slave
-   despite the error message.
+Q: Why do I get errors like "dns_zone_load: zone foo/IN: loading master file
+bar: ran out of space"
 
-Q: I keep getting log messages like the following. Why?
+A: This is often caused by TXT records with missing close quotes.  Check that
+all TXT records containing quoted strings have both open and close quotes.
 
-   Dec 4 23:47:59 client 10.0.0.1#1355: updating zone 'example.com/IN': update
-   failed: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
-
-A: DNS updates allow the update request to test to see if certain conditions are
-   met prior to proceeding with the update. The message above is saying that
-   conditions were not met and the update is not proceeding. See doc/rfc/
-   rfc2136.txt for more details on prerequisites.
-
-Q: I keep getting log messages like the following. Why?
-
-   Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied
-
-A: Someone is trying to update your DNS data using the RFC2136 Dynamic Update
-   protocol. Windows 2000 machines have a habit of sending dynamic update requests
-   to DNS servers without being specifically configured to do so. If the update
-   requests are coming from a Windows 2000 machine, see http://
-   support.microsoft.com/support/kb/articles/q246/8/04.asp for information about
-   how to turn them off.
-
-Q: I see a log message like the following. Why?
-
-   couldn't open pid file '/var/run/named.pid': Permission denied
-
-A: You are most likely running named as a non-root user, and that user does not
-   have permission to write in /var/run. The common ways of fixing this are to
-   create a /var/run/named directory owned by the named user and set pid-file to "
-   /var/run/named/named.pid", or set pid-file to "named.pid", which will put the
-   file in the directory specified by the directory option (which, in this case,
-   must be writable by the named user).
-
-Q: When I do a "dig . ns", many of the A records for the root servers are missing.
-   Why?
-
-A: This is normal and harmless. It is a somewhat confusing side effect of the way
-   BIND 9 does RFC2181 trust ranking and of the efforts BIND 9 makes to avoid
-   promoting glue into answers.
-
-   When BIND 9 first starts up and primes its cache, it receives the root server
-   addresses as additional data in an authoritative response from a root server,
-   and these records are eligible for inclusion as additional data in responses.
-   Subsequently it receives a subset of the root server addresses as additional
-   data in a non-authoritative (referral) response from a root server. This causes
-   the addresses to now be considered non-authoritative (glue) data, which is not
-   eligible for inclusion in responses.
-
-   The server does have a complete set of root server addresses cached at all
-   times, it just may not include all of them as additional data, depending on
-   whether they were last received as answers or as glue. You can always look up
-   the addresses with explicit queries like "dig a.root-servers.net A".
-
-Q: Zone transfers from my BIND 9 master to my Windows 2000 slave fail. Why?
-
-A: This may be caused by a bug in the Windows 2000 DNS server where DNS messages
-   larger than 16K are not handled properly. This can be worked around by setting
-   the option "transfer-format one-answer;". Also check whether your zone contains
-   domain names with embedded spaces or other special characters, like "John\
-   032Doe\213s\032Computer", since such names have been known to cause Windows
-   2000 slaves to incorrectly reject the zone.
-
-Q: Why don't my zones reload when I do an "rndc reload" or SIGHUP?
-
-A: A zone can be updated either by editing zone files and reloading the server or
-   by dynamic update, but not both. If you have enabled dynamic update for a zone
-   using the "allow-update" option, you are not supposed to edit the zone file by
-   hand, and the server will not attempt to reload it.
-
-Q: I can query the nameserver from the nameserver but not from other machines.
-   Why?
-
-A: This is usually the result of the firewall configuration stopping the queries
-   and / or the replies.
-
-Q: How can I make a server a slave for both an internal and an external view at
-   the same time? When I tried, both views on the slave were transferred from the
-   same view on the master.
-
-A: You will need to give the master and slave multiple IP addresses and use those
-   to make sure you reach the correct view on the other machine.
-
-   Master: 10.0.1.1 (internal), 10.0.1.2 (external, IP alias)
-       internal:
-           match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
-                   notify-source 10.0.1.1;
-                   transfer-source 10.0.1.1;
-                   query-source address 10.0.1.1;
-       external:
-           match-clients { any; };
-           recursion no;   // don't offer recursion to the world
-           notify-source 10.0.1.2;
-           transfer-source 10.0.1.2;
-           query-source address 10.0.1.2;
-
-   Slave: 10.0.1.3 (internal), 10.0.1.4 (external, IP alias)
-       internal:
-           match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
-           notify-source 10.0.1.3;
-           transfer-source 10.0.1.3;
-           query-source address 10.0.1.3;
-      external:
-           match-clients { any; };
-           recursion no;   // don't offer recursion to the world
-           notify-source 10.0.1.4;
-           transfer-source 10.0.1.4;
-           query-source address 10.0.1.4;
-
-   You put the external address on the alias so that all the other dns clients on
-   these boxes see the internal view by default.
-
-A: BIND 9.3 and later: Use TSIG to select the appropriate view.
-
-   Master 10.0.1.1:
-           key "external" {
-                   algorithm hmac-md5;
-                   secret "xxxxxxxx";
-           };
-           view "internal" {
-                   match-clients { !key external; 10.0.1/24; };
-                   ...
-           };
-           view "external" {
-                   match-clients { key external; any; };
-                   server 10.0.1.2 { keys external; };
-                   recursion no;
-                   ...
-           };
-
-   Slave 10.0.1.2:
-           key "external" {
-                   algorithm hmac-md5;
-                   secret "xxxxxxxx";
-           };
-           view "internal" {
-                   match-clients { !key external; 10.0.1/24; };
-                   ...
-           };
-           view "external" {
-                   match-clients { key external; any; };
-                   server 10.0.1.1 { keys external; };
-                   recursion no;
-                   ...
-           };
-
-Q: I have FreeBSD 4.x and "rndc-confgen -a" just sits there.
-
-A: /dev/random is not configured. Use rndcontrol(8) to tell the kernel to use
-   certain interrupts as a source of random events. You can make this permanent by
-   setting rand_irqs in /etc/rc.conf.
-
-   /etc/rc.conf
-   rand_irqs="3 14 15"
-
-   See also http://people.freebsd.org/~dougb/randomness.html
-
-Q: Why is named listening on UDP port other than 53?
-
-A: Named uses a system selected port to make queries of other nameservers. This
-   behaviour can be overridden by using query-source to lock down the port and/or
-   address. See also notify-source and transfer-source.
-
-Q: I get error messages like "multiple RRs of singleton type" and "CNAME and other
-   data" when transferring a zone. What does this mean?
-
-A: These indicate a malformed master zone. You can identify the exact records
-   involved by transferring the zone using dig then running named-checkzone on it.
-
-   dig axfr example.com @master-server > tmp
-   named-checkzone example.com tmp
-
-   A CNAME record cannot exist with the same name as another record except for the
-   DNSSEC records which prove its existence (NSEC).
-
-   RFC 1034, Section 3.6.2: "If a CNAME RR is present at a node, no other data
-   should be present; this ensures that the data for a canonical name and its
-   aliases cannot be different. This rule also insures that a cached CNAME can be
-   used without checking with an authoritative server for other RR types."
-
-Q: I get error messages like "named.conf:99: unexpected end of input" where 99 is
-   the last line of named.conf.
-
-A: Some text editors (notepad and wordpad) fail to put a line title indication
-   (e.g. CR/LF) on the last line of a text file. This can be fixed by "adding" a
-   blank line to the end of the file. Named expects to see EOF immediately after
-   EOL and treats text files where this is not met as truncated.
-
-Q: I get warning messages like "zone example.com/IN: refresh: failure trying
-   master 1.2.3.4#53: timed out".
-
-A: Check that you can make UDP queries from the slave to the master
 
-   dig +norec example.com soa @1.2.3.4
+Q: How do I produce a usable core file from a multithreaded named on Linux?
 
-   You could be generating queries faster than the slave can cope with. Lower the
-   serial query rate.
+A: If the Linux kernel is 2.4.7 or newer, multithreaded core dumps
+are usable (that is, the correct thread is dumped).  Otherwise, if using
+a 2.2 kernel, apply the kernel patch found in contrib/linux/coredump-patch
+and rebuild the kernel.  This patch will cause multithreaded programs to dump
+the correct thread.
 
-   serial-query-rate 5; // default 20
 
-Q: How do I share a dynamic zone between multiple views?
-
-A: You choose one view to be master and the second a slave and transfer the zone
-   between views.
-
-   Master 10.0.1.1:
-           key "external" {
-                   algorithm hmac-md5;
-                   secret "xxxxxxxx";
-           };
-
-           key "mykey" {
-                   algorithm hmac-md5;
-                   secret "yyyyyyyy";
-           };
-
-           view "internal" {
-                   match-clients { !external; 10.0.1/24; };
-                   server 10.0.1.1 {
-                           /* Deliver notify messages to external view. */
-                           keys { external; };
-                   };
-                   zone "example.com" {
-                           type master;
-                           file "internal/example.db";
-                           allow-update { key mykey; };
-                           notify-also { 10.0.1.1; };
-                   };
-           };
-
-           view "external" {
-                   match-clients { external; any; };
-                   zone "example.com" {
-                           type slave;
-                           file "external/example.db";
-                           masters { 10.0.1.1; };
-                           transfer-source { 10.0.1.1; };
-                           // allow-update-forwarding { any; };
-                           // allow-notify { ... };
-                   };
-           };
-
-Q: I get a error message like "zone wireless.ietf56.ietf.org/IN: loading master
-   file primaries/wireless.ietf56.ietf.org: no owner".
-
-A: This error is produced when a line in the master file contains leading white
-   space (tab/space) but the is no current record owner name to inherit the name
-   from. Usually this is the result of putting white space before a comment.
-   Forgetting the "@" for the SOA record or indenting the master file.
-
-Q: Why are my logs in GMT (UTC).
-
-A: You are running chrooted (-t) and have not supplied local timezone information
-   in the chroot area.
-
-   FreeBSD: /etc/localtime
-   Solaris: /etc/TIMEZONE and /usr/share/lib/zoneinfo
-   OSF: /etc/zoneinfo/localtime
-
-   See also tzset(3) and zic(8).
-
-Q: I get the error message "named: capset failed: Operation not permitted" when
-   starting named.
-
-A: The capability module, part of "Linux Security Modules/LSM", has not been
-   loaded into the kernel. See insmod(8).
-
-Q: I get "rndc: connect failed: connection refused" when I try to run rndc.
-
-A: This is usually a configuration error.
-
-   First ensure that named is running and no errors are being reported at startup
-   (/var/log/messages or equivalent). Running "named -g <usual arguments>" from a
-   title can help at this point.
-
-   Secondly ensure that named is configured to use rndc either by "rndc-confgen
-   -a", rndc-confgen or manually. The Administrators Reference manual has details
-   on how to do this.
-
-   Old versions of rndc-confgen used localhost rather than 127.0.0.1 in /etc/
-   rndc.conf for the default server. Update /etc/rndc.conf if necessary so that
-   the default server listed in /etc/rndc.conf matches the addresses used in
-   named.conf. "localhost" has two address (127.0.0.1 and ::1).
-
-   If you use "rndc-confgen -a" and named is running with -t or -u ensure that /
-   etc/rndc.conf has the correct ownership and that a copy is in the chroot area.
-   You can do this by re-running "rndc-confgen -a" with appropriate -t and -u
-   arguments.
-
-Q: I don't get RRSIG's returned when I use "dig +dnssec".
-
-A: You need to ensure DNSSEC is enabled (dnssec-enable yes;).
-
-Q: I get "Error 1067" when starting named under Windows.
-
-A: This is the service manager saying that named exited. You need to examine the
-   Application log in the EventViewer to find out why.
-
-   Common causes are that you failed to create "named.conf" (usually "C:\windows\
-   dns\etc\named.conf") or failed to specify the directory in named.conf.
-
-   options {
-           Directory "C:\windows\dns\etc";
-   };
-
-Q: I get "transfer of 'example.net/IN' from 192.168.4.12#53: failed while
-   receiving responses: permission denied" error messages.
-
-A: These indicate a filesystem permission error preventing named creating /
-   renaming the temporary file. These will usually also have other associated
-   error messages like
-
-   "dumping master file: sl/tmp-XXXX5il3sQ: open: permission denied"
-
-   Named needs write permission on the directory containing the file. Named writes
-   the new cache file to a temporary file then renames it to the name specified in
-   named.conf to ensure that the contents are always complete. This is to prevent
-   named loading a partial zone in the event of power failure or similar
-   interrupting the write of the master file.
-
-   Note file names are relative to the directory specified in options and any
-   chroot directory ([<chroot dir>/][<options dir>]).
-
-   If named is invoked as "named -t /chroot/DNS" with the following named.conf
-   then "/chroot/DNS/var/named/sl" needs to be writable by the user named is
-   running as.
-
-   options {
-           directory "/var/named";
-   };
-
-   zone "example.net" {
-           type slave;
-           file "sl/example.net";
-           masters { 192.168.4.12; };
-   };
-
-Q: How do I integrate BIND 9 and Solaris SMF
-
-A: Sun has a blog entry describing how to do this.
-
-   http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris
-
-Q: Can a NS record refer to a CNAME.
-
-A: No. The rules for glue (copies of the *address* records in the parent zones)
-   and additional section processing do not allow it to work.
-
-   You would have to add both the CNAME and address records (A/AAAA) as glue to
-   the parent zone and have CNAMEs be followed when doing additional section
-   processing to make it work. No nameserver implementation supports either of
-   these requirements.
-
-Q: What does "RFC 1918 response from Internet for 0.0.0.10.IN-ADDR.ARPA" mean?
+Q: How do I restrict people from looking up the server version?
 
-A: If the IN-ADDR.ARPA name covered refers to a internal address space you are
-   using then you have failed to follow RFC 1918 usage rules and are leaking
-   queries to the Internet. You should establish your own zones for these
-   addresses to prevent you querying the Internet's name servers for these
-   addresses. Please see http://as112.net/ for details of the problems you are
-   causing and the counter measures that have had to be deployed.
+A: Put a "version" option containing something other than the real
+version in the "options" section of named.conf.  Note doing this will
+not prevent attacks and may impede people trying to diagnose problems
+with your server.  Also it is possible to "fingerprint" nameservers to
+determine their version.
 
-   If you are not using these private addresses then a client has queried for
-   them. You can just ignore the messages, get the offending client to stop
-   sending you these messages as they are most probably leaking them or setup your
-   own zones empty zones to serve answers to these queries.
 
-   zone "10.IN-ADDR.ARPA" {
-           type master;
-           file "empty";
-   };
+Q: How do I restrict only remote users from looking up the server
+version?
 
-   zone "16.172.IN-ADDR.ARPA" {
-           type master;
-           file "empty";
-   };
+A: The following view statement will intercept lookups as the internal
+view that holds the version information will be matched last.  The
+caveats of the previous answer still apply, of course.
 
-   ...
+  view "chaos" chaos {
+	  match-clients { <those to be refused>; };
+	  allow-query { none; };
+	  zone "." {
+		  type hint;
+		  file "/dev/null";  // or any empty file
+	  };
+  };
 
-   zone "31.172.IN-ADDR.ARPA" {
-           type master;
-           file "empty";
-   };
 
-   zone "168.192.IN-ADDR.ARPA" {
-           type master;
-           file "empty";
-   };
+Q: What do "no source of entropy found" or "could not open entropy source foo"
+mean?
 
-   empty:
-   @ 10800 IN SOA <name-of-server>. <contact-email>. (
-                  1 3600 1200 604800 10800 )
-   @ 10800 IN NS <name-of-server>.
+A: The server requires a source of entropy to perform certain operations,
+mostly DNSSEC related.  These messages indicate that you have no source
+of entropy.  On systems with /dev/random or an equivalent, it is used by
+default.  A source of entropy can also be defined using the random-device
+option in named.conf.
 
-   Note
 
-   Future versions of named are likely to do this automatically.
+Q: I installed BIND 9 and restarted named, but it's still BIND 8.  Why?
 
-Q: I'm running BIND on Red Hat Enterprise Linux or Fedora Core -
+A: BIND 9 is installed under /usr/local by default.  BIND 8 is often
+installed under /usr.  Check that the correct named is running.
 
-   Why can't named update slave zone database files?
 
-   Why can't named create DDNS journal files or update the master zones from
-   journals?
+Q: I'm trying to use TSIG to authenticate dynamic updates or zone
+transfers.  I'm sure I have the keys set up correctly, but the server
+is rejecting the TSIG.  Why?
 
-   Why can't named create custom log files?
+A: This may be a clock skew problem.  Check that the the clocks on
+the client and server are properly synchronized (e.g., using ntp).
 
-A: Red Hat Security Enhanced Linux (SELinux) policy security protections :
 
-   Red Hat have adopted the National Security Agency's SELinux security policy (
-   see http://www.nsa.gov/selinux ) and recommendations for BIND security , which
-   are more secure than running named in a chroot and make use of the bind-chroot
-   environment unnecessary .
+Q: I'm trying to compile BIND 9, and "make" is failing due to files not
+being found.  Why?
 
-   By default, named is not allowed by the SELinux policy to write, create or
-   delete any files EXCEPT in these directories:
+A: Using a parallel or distributed "make" to build BIND 9 is not
+supported, and doesn't work.  If you are using one of these, use
+normal make or gmake instead.
 
-   $ROOTDIR/var/named/slaves
-   $ROOTDIR/var/named/data
-   $ROOTDIR/var/tmp
 
+Q: I have a BIND 9 master and a BIND 8.2.3 slave, and the master is
+logging error messages like "notify to 10.0.0.1#53 failed: unexpected
+end of input".  What's wrong?
 
-   where $ROOTDIR may be set in /etc/sysconfig/named if bind-chroot is installed.
+A: This error message is caused by a known bug in BIND 8.2.3 and is fixed
+in BIND 8.2.4.  It can be safely ignored - the notify has been acted on by
+the slave despite the error message.
 
-   The SELinux policy particularly does NOT allow named to modify the $ROOTDIR/var
-   /named directory, the default location for master zone database files.
 
-   SELinux policy overrules file access permissions - so even if all the files
-   under /var/named have ownership named:named and mode rw-rw-r--, named will
-   still not be able to write or create files except in the directories above,
-   with SELinux in Enforcing mode.
+Q: I keep getting log messages like the following.  Why?
 
-   So, to allow named to update slave or DDNS zone files, it is best to locate
-   them in $ROOTDIR/var/named/slaves, with named.conf zone statements such as:
+   Dec  4 23:47:59 client 10.0.0.1#1355: updating zone 'example.com/IN':
+   update failed: 'RRset exists (value dependent)' prerequisite not
+   satisfied (NXRRSET)
 
-   zone "slave.zone." IN {
-           type slave;
-           file "slaves/slave.zone.db";
-           ...
-   };
-   zone "ddns.zone." IN  {
-           type master;
-           allow-updates {...};
-           file "slaves/ddns.zone.db";
-   };
+A: DNS updates allow the update request to test to see if certain
+conditions are met prior to proceeding with the update.  The message
+above is saying that conditions were not met and the update is not
+proceeding.  See doc/rfc/rfc2136.txt for more details on prerequisites.
 
 
-   To allow named to create its cache dump and statistics files, for example, you
-   could use named.conf options statements such as:
+Q: I keep getting log messages like the following.  Why?
 
-   options {
-           ...
-           dump-file "/var/named/data/cache_dump.db";
-           statistics-file "/var/named/data/named_stats.txt";
-           ...
-   };
+   Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied
 
+A: Someone is trying to update your DNS data using the RFC2136 Dynamic
+Update protocol.  Windows 2000 machines have a habit of sending dynamic
+update requests to DNS servers without being specifically configured to
+do so.  If the update requests are coming from a Windows 2000 machine,
+see <http://support.microsoft.com/support/kb/articles/q246/8/04.asp>
+for information about how to turn them off.
 
-   You can also tell SELinux to allow named to update any zone database files, by
-   setting the SELinux tunable boolean parameter 'named_write_master_zones=1',
-   using the system-config-securitylevel GUI, using the 'setsebool' command, or in
-   /etc/selinux/targeted/booleans.
 
-   You can disable SELinux protection for named entirely by setting the
-   'named_disable_trans=1' SELinux tunable boolean parameter.
+Q: I see a log message like the following.  Why?
 
-   The SELinux named policy defines these SELinux contexts for named:
+   couldn't open pid file '/var/run/named.pid': Permission denied
 
-   named_zone_t : for zone database files       - $ROOTDIR/var/named/*
-   named_conf_t : for named configuration files - $ROOTDIR/etc/{named,rndc}.*
-   named_cache_t: for files modifiable by named - $ROOTDIR/var/{tmp,named/{slaves,data}}
+A: You are most likely running named as a non-root user, and that user
+does not have permission to write in /var/run.  The common ways of
+fixing this are to create a /var/run/named directory owned by the named
+user and set pid-file to "/var/run/named/named.pid", or set
+pid-file to "named.pid", which will put the file in the directory
+specified by the directory option (which, in this case, must be writable
+by the named user).
 
 
-   If you want to retain use of the SELinux policy for named, and put named files
-   in different locations, you can do so by changing the context of the custom
-   file locations .
+Q: When I do a "dig . ns", many of the A records for the root
+servers are missing.  Why?
 
-   To create a custom configuration file location, e.g. '/root/named.conf', to use
-   with the 'named -c' option, do:
+A: This is normal and harmless.  It is a somewhat confusing side effect
+of the way BIND 9 does RFC2181 trust ranking and of the efforts BIND 9
+makes to avoid promoting glue into answers.
 
-   # chcon system_u:object_r:named_conf_t /root/named.conf
+When BIND 9 first starts up and primes its cache, it receives the root
+server addresses as additional data in an authoritative response from
+a root server, and these records are eligible for inclusion as
+additional data in responses.  Subsequently it receives a subset of
+the root server addresses as additional data in a non-authoritative
+(referral) response from a root server.  This causes the addresses to
+now be considered non-authoritative (glue) data, which is not eligible
+for inclusion in responses.
 
+The server does have a complete set of root server addresses cached
+at all times, it just may not include all of them as additional data,
+depending on whether they were last received as answers or as glue.
+You can always look up the addresses with explicit queries like
+"dig a.root-servers.net A".
 
-   To create a custom modifiable named data location, e.g. '/var/log/named' for a
-   log file, do:
 
-   # chcon system_u:object_r:named_cache_t /var/log/named
+Q: Zone transfers from my BIND 9 master to my Windows 2000 slave
+fail.  Why?
 
+A: This may be caused by a bug in the Windows 2000 DNS server where
+DNS messages larger than 16K are not handled properly.  This can be
+worked around by setting the option "transfer-format one-answer;".
+Also check whether your zone contains domain names with embedded
+spaces or other special characters, like "John\032Doe\213s\032Computer",
+since such names have been known to cause Windows 2000 slaves to
+incorrectly reject the zone.
 
-   To create a custom zone file location, e.g. /root/zones/, do:
 
-   # chcon system_u:object_r:named_zone_t /root/zones/{.,*}
+Q: Why don't my zones reload when I do an "rndc reload" or SIGHUP?
 
+A: A zone can be updated either by editing zone files and reloading
+the server or by dynamic update, but not both.  If you have enabled
+dynamic update for a zone using the "allow-update" option, you are not
+supposed to edit the zone file by hand, and the server will not
+attempt to reload it.
+
+
+Q: I can query the nameserver from the nameserver but not from other
+machines.  Why?
+
+A: This is usually the result of the firewall configuration stopping
+the queries and / or the replies.
+
+
+Q: How can I make a server a slave for both an internal and
+an external view at the same time?  When I tried, both views
+on the slave were transferred from the same view on the master.
+
+A: You will need to give the master and slave multiple IP addresses and
+use those to make sure you reach the correct view on the other machine.
+
+	e.g.
+	Master: 10.0.1.1 (internal), 10.0.1.2 (external, IP alias)
+	    internal:
+		match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
+		notify-source 10.0.1.1;
+		transfer-source 10.0.1.1;
+		query-source address 10.0.1.1;
+	    external:
+		match-clients { any; };
+		recursion no;	// don't offer recursion to the world
+		notify-source 10.0.1.2;
+		transfer-source 10.0.1.2;
+		query-source address 10.0.1.2;
+
+	Slave: 10.0.1.3 (internal), 10.0.1.4 (external, IP alias)
+	    internal:
+		match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
+		notify-source 10.0.1.3;
+		transfer-source 10.0.1.3;
+		query-source address 10.0.1.3;
+	    external:
+		match-clients { any; };
+		recursion no;	// don't offer recursion to the world
+		notify-source 10.0.1.4;
+		transfer-source 10.0.1.4;
+		query-source address 10.0.1.4;
+
+	You put the external address on the alias so that all the other
+	dns clients on these boxes see the internal view by default.
+
+A: (BIND 9.3 and later) Use TSIG to select the appropriate view.
+
+	Master 10.0.1.1:
+	key "external" {
+		algorithm hmac-md5;
+		secret "xxxxxxxx";
+	};
+	view "internal" {
+		match-clients { !key external; 10.0.1/24; };
+		...
+	};
+	view "external" {
+		match-clients { key external; any; };
+		server 10.0.0.2 { keys external; };
+		recursion no;
+		...
+	};
+
+	Slave 10.0.1.2:
+	key "external" {
+		 algorithm hmac-md5;
+		 secret "xxxxxxxx";
+	};
+	view "internal" {
+		match-clients { !key external; 10.0.1/24; };
+	};
+	view "external" {
+		match-clients { key external; any; };
+		server 10.0.0.1 { keys external; };
+		recursion no;
+		...
+	};
+
+
+Q: I have Freebsd 4.x and "rndc-confgen -a" just sits there.
+
+A: /dev/random is not configured.  Use rndcontrol(8) to tell the kernel
+to use certain interrupts as a source of random events.  You can make this
+permanent by setting rand_irqs in /etc/rc.conf.
+
+e.g.
+	/etc/rc.conf
+	rand_irqs="3 14 15"
+
+See also http://people.freebsd.org/~dougb/randomness.html
 
-   See these man-pages for more information : selinux(8), named_selinux(8), chcon
-   (1), setsebool(8)
 
-Q: I want to forward all DNS queries from my caching nameserver to another server.
-   But there are some domains which have to be served locally, via rbldnsd.
+Q: Why is named listening on UDP port other than 53?
 
-   How do I achieve this ?
+A: Named uses a system selected port to make queries of other nameservers.
+This behaviour can be overridden by using query-source to lock down the
+port and/or address.  See also notify-source and transfer-source.
 
-A: options {
-           forward only;
-           forwarders { <ip.of.primary.nameserver>; };
-   };
 
-   zone "sbl-xbl.spamhaus.org" {
-           type forward; forward only;
-           forwarders { <ip.of.rbldns.server> port 530; };
-   };
+Q: I get error messages like "multiple RRs of singleton type" and
+"CNAME and other data" when transferring a zone.  What does this mean?
 
-   zone "list.dsbl.org" {
-           type forward; forward only;
-           forwarders { <ip.of.rbldns.server> port 530; };
-   };
+A: These indicate a malformed master zone.  You can identify the
+exact records involved by transferring the zone using dig then
+running named-checkzone on it.
 
+	e.g.
+		dig axfr example.com @master-server > tmp
+		named-checkzone example.com tmp
 
-Q: Will named be affected by the 2007 changes to daylight savings rules in the US.
 
-A: No, so long as the machines internal clock (as reported by "date -u") remains
-   at UTC. The only visible change if you fail to upgrade your OS, if you are in a
-   affected area, will be that log messages will be a hour out during the period
-   where the old rules do not match the new rules.
+Q: I get error messages like "named.conf:99: unexpected end of input" where
+99 is the last line of named.conf.
 
-   For most OS's this change just means that you need to update the conversion
-   rules from UTC to local time. Normally this involves updating a file in /etc
-   (which sets the default timezone for the machine) and possibly a directory
-   which has all the conversion rules for the world (e.g. /usr/share/zoneinfo).
-   When updating the OS do not forget to update any chroot areas as well. See your
-   OS's documentation for more details.
+A: Some text editors (notepad and wordpad) fail to put a line termination
+indication (e.g. CR/LF) on the last line of a text file.  This can be fixed
+by "adding" a blank line to the end of the file.  Named expects to see EOF
+immediately after EOL and treats text files where this is not met as truncated.
 
-   The local timezone conversion rules can also be done on a individual basis by
-   setting the TZ environment variable appropriately. See your OS's documentation
-   for more details.
 
-Q: Why do we get the following warning at run time:
+Q: I get warning messages like "zone example.com/IN: refresh: failure trying master
+1.2.3.4#53: timed out".
 
-   kernel: process `named' is using obsolete setsockopt SO_BSDCOMPAT
+A: Check that you can make UDP queries from the slave to the master
 
-A: The early Linux kernels broke sendto() by having it return that a ICMP
-   unreachable had be received for non connected UDP sockets. This made non
-   connected UDP sockets work like connected UDP socket which is fine when you are
-   only talking to one destination. Named however talks to multiple destinations
-   and it caused problems.
+	dig +norec example.com soa @1.2.3.4
 
-   Rather than fix sendto() to just have BSD behaviour they added SO_BSDCOMPAT to
-   turn BSD behaviour on/off on a per socket basis.
+A: You could be generating queries faster than the slave can cope with.  Lower
+the serial query rate.
 
-   Later they decided to make BSD behaviour the default and to aggressively track
-   down applications that used SO_BSDCOMPAT by issuing a warning. This is the sort
-   of things vendors do in alpha/beta stages of a release so that their code is
-   clean. They then turn the warning *off* for release code.
+	serial-query-rate 5; // default 20
 
-   We still have customers that have kernels that require SO_BSDCOMPAT to operate.
-   We therefore cannot remove the setsockopt(SO_BSDCOMPAT) call.
+Q: How do I share a dynamic zone between multiple views?
 
-   Now most/all portable applications that use SO_BSDCOMPAT use it conditionally
-   manner so just removing SO_BSDCOMPAT from the header file would be safe as long
-   as the binary was not to be moved between systems. BIND's use is conditional.
+A: You choose one view to be master and the second a slave and transfer
+the zone between views.
+
+	Master 10.0.1.1:
+	key "external" {
+		algorithm hmac-md5;
+		secret "xxxxxxxx";
+	};
+
+	key "mykey" {
+		algorithm hmac-md5;
+		secret "yyyyyyyy";
+	};
+
+	view "internal" {
+		match-clients { !external; 10.0.1/24; };
+		server 10.0.1.1 {
+			/* Deliver notify messages to external view. */
+			keys { external; };
+		};
+		zone "example.com" {
+			type master;
+			file "internal/example.db";
+			allow-update { key mykey; };
+			notify-also { 10.0.1.1; };
+		};
+	};
+
+	view "external" {
+		match-clients { external; any; };
+		zone "example.com" {
+			type slave;
+			file "external/example.db";
+			masters { 10.0.1.1; };
+			transfer-source { 10.0.1.1; };
+			// allow-update-forwarding { any; };
+			// allow-notify { ... };
+		};
+	};
 
-   In short, the Linux developers should either, remove the #define for
-   SO_BSDCOMPAT, and/or remove the warning.
+Q: I get a error message like "zone wireless.ietf56.ietf.org/IN: loading master
+file primaries/wireless.ietf56.ietf.org: no owner".
 
-Q: Isn't "make install" supposed to generate a default named.conf?
+A: This error is produced when a line in the master file contains leading
+white space (tab/space) but the is no current record owner name to inherit
+the name from.  Usually this is the result of putting white space before
+a comment.  Forgeting the "@" for the SOA record or indenting the master
+file.
 
-A: Short Answer: No.
 
-   Long Answer: There really isn't a default configuration which fits any site
-   perfectly. There are lots of decisions that need to be made and there is no
-   consensus on what the defaults should be. For example FreeBSD uses /etc/namedb
-   as the location where the configuration files for named are stored. Others use
-   /var/named.
+Q: Why are my logs in GMT (UTC).
 
-   What addresses to listen on? For a laptop on the move a lot you may only want
-   to listen on the loop back interfaces.
+A: You are running chrooted (-t) and have not supplied local timzone
+information in the chroot area.
 
-   Who do you offer recursive service to? Is there are firewall to consider? If so
-   is it stateless or stateful. Are you directly on the Internet? Are you on a
-   private network? Are you on a NAT'd network? The answers to all these questions
-   change how you configure even a caching name server.
+	FreeBSD: /etc/localtime
+	Solaris: /etc/TIMEZONE and /usr/share/lib/zoneinfo
+	OSF: /etc/zoneinfo/localtime
 
+	See also tzset(3) and zic(8).
diff --git a/FAQ.xml b/FAQ.xml
deleted file mode 100644
index 77c9e603..00000000
--- a/FAQ.xml
+++ /dev/null
@@ -1,1357 +0,0 @@
-<?xml-stylesheet href="common.css" type="text/css"?>
-<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-       "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" []>
-<!--
- - Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003  Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: FAQ.xml,v 1.4.8.8 2007/02/05 05:24:11 marka Exp $ -->
-
-<article class="faq">
-  <title>Frequently Asked Questions about BIND 9</title>
-  <articleinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2006</year>
-      <year>2007</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <year>2002</year>
-      <year>2003</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
-  </articleinfo>
-  <qandaset defaultlabel='qanda'>
-    <qandaentry>
-      <question>
-	<para>
-	  Why doesn't -u work on Linux 2.2.x when I build with
-	  --enable-threads?
-	</para>
-      </question>
-      <answer>
-	<para>
-	  Linux threads do not fully implement the Posix threads
-	  (pthreads) standard.  In particular, setuid() operates only
-	  on the current thread, not the full process.  Because of
-	  this limitation, BIND 9 cannot use setuid() on Linux as it
-	  can on all other supported platforms.  setuid() cannot be
-	  called before creating threads, since the server does not
-	  start listening on reserved ports until after threads have
-	  started.
-	</para>
-	<para>
-	  In the 2.2.18 or 2.3.99-pre3 and newer kernels, the ability
-	  to preserve capabilities across a setuid() call is present.
-	  This allows BIND 9 to call setuid() early, while retaining
-	  the ability to bind reserved ports.  This is a Linux-specific
-	  hack.
-	</para>
-	<para>
-	  On a 2.2 kernel, BIND 9 does drop many root privileges, so
-	  it should be less of a security risk than a root process
-	  that has not dropped privileges.
-	</para>
-	<para>
-	  If Linux threads ever work correctly, this restriction will
-	  go away.
-	</para>
-	<para>
-	  Configuring BIND9 with the --disable-threads option (the
-	  default) causes a non-threaded version to be built, which
-	  will allow -u to be used.
-	</para>
-      </answer>
-    </qandaentry>
-
-    <qandaentry>
-      <question>
-	<para>
-	  Why do I get the following errors:
-<programlisting>general: errno2result.c:109: unexpected error:
-general: unable to convert errno to isc_result: 14: Bad address
-client: UDP client handler shutting down due to fatal receive error: unexpected error</programlisting>
-	</para>
-      </question>
-      <answer>
-	<para>
-	  This is the result of a Linux kernel bug.
-	</para>
-	<para>
-	  See:
-	  <ulink url="http://marc.theaimsgroup.com/?l=linux-netdev&amp;m=113081708031466&amp;w=2">http://marc.theaimsgroup.com/?l=linux-netdev&amp;m=113081708031466&amp;w=2</ulink>
-	</para>
-      </answer>
-    </qandaentry>
-
-    <qandaentry>
-      <question>
-	<para>
-	  Why does named log the warning message <quote>no TTL specified -
-	  using SOA MINTTL instead</quote>?
-	</para>
-      </question>
-      <answer>
-	<para>
-	  Your zone file is illegal according to RFC1035.  It must either
-	  have a line like:
-	</para>
-	<informalexample>
-	  <programlisting>
-$TTL 86400</programlisting>
-	</informalexample>
-	<para>
-	  at the beginning, or the first record in it must have a TTL field,
-	  like the "84600" in this example:
-	</para>
-	<informalexample>
-	  <programlisting>
-example.com. 86400 IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 )</programlisting>
-	</informalexample>
-      </answer>
-    </qandaentry>
-
-    <qandaentry>
-      <question>
-	<para>
-	  Why do I see 5 (or more) copies of named on Linux?
-	</para>
-      </question>
-      <answer>
-	<para>
-	  Linux threads each show up as a process under ps.  The
-	  approximate number of threads running is n+4, where n is
-	  the number of CPUs.  Note that the amount of memory used
-	  is not cumulative; if each process is using 10M of memory,
-	  only a total of 10M is used.
-	</para>
-	<para>
-	  Newer versions of Linux's ps command hide the individual threads
-	  and require -L to display them.
-	</para>
-      </answer>
-    </qandaentry>
-
-    <qandaentry>
-      <question>
-	<para>
-	  Why does BIND 9 log <quote>permission denied</quote> errors accessing
-	  its configuration files or zones on my Linux system even
-	  though it is running as root?
-	</para>
-      </question>
-      <answer>
-	<para>
-	  On Linux, BIND 9 drops most of its root privileges on
-	  startup.  This including the privilege to open files owned
-	  by other users.  Therefore, if the server is running as
-	  root, the configuration files and zone files should also
-	  be owned by root.
-	</para>
-      </answer>
-    </qandaentry>
-
-    <qandaentry>
-      <question>
-	<para>
-	  Why do I get errors like <quote>dns_zone_load: zone foo/IN: loading
-	  master file bar: ran out of space</quote>?
-	</para>
-      </question>
-      <answer>
-	<para>
-	This is often caused by TXT records with missing close
-	quotes.  Check that all TXT records containing quoted strings
-	have both open and close quotes.
-	</para>
-      </answer>
-    </qandaentry>
-
-    <qandaentry>
-      <question>
-	<para>
-	How do I produce a usable core file from a multi-threaded
-	named on Linux?
-	</para>
-      </question>
-      <answer>
-	<para>
-	If the Linux kernel is 2.4.7 or newer, multi-threaded core
-	dumps are usable (that is, the correct thread is dumped).
-	Otherwise, if using a 2.2 kernel, apply the kernel patch
-	found in contrib/linux/coredump-patch and rebuild the kernel.
-	This patch will cause multi-threaded programs to dump the
-	correct thread.
-	</para>
-      </answer>
-    </qandaentry>
-
-    <qandaentry>
-      <question>
-	<para>
-	  How do I restrict people from looking up the server version?
-	</para>
-      </question>
-      <answer>
-	<para>
-	  Put a "version" option containing something other than the
-	  real version in the "options" section of named.conf.  Note
-	  doing this will not prevent attacks and may impede people
-	  trying to diagnose problems with your server.  Also it is
-	  possible to "fingerprint" nameservers to determine their
-	  version.
-	</para>
-      </answer>
-    </qandaentry>
-
-    <qandaentry>
-      <question>
-	<para>
-	  How do I restrict only remote users from looking up the
-	  server version?
-	</para>
-      </question>
-      <answer>
-	<para>
-	  The following view statement will intercept lookups as the
-	  internal view that holds the version information will be
-	  matched last.  The caveats of the previous answer still
-	  apply, of course.
-	</para>
-	<informalexample>
-	  <programlisting>
-view "chaos" chaos {
-	match-clients { &lt;those to be refused&gt;; };
-	allow-query { none; };
-	zone "." {
-		type hint;
-		file "/dev/null";  // or any empty file
-	};
-};</programlisting>
-	</informalexample>
-      </answer>
-    </qandaentry>
-
-    <qandaentry>
-      <question>
-	<para>
-	  What do <quote>no source of entropy found</quote> or <quote>could not
-	  open entropy source foo</quote> mean?
-	</para>
-      </question>
-      <answer>
-	<para>
-	  The server requires a source of entropy to perform certain
-	  operations, mostly DNSSEC related.  These messages indicate
-	  that you have no source of entropy.  On systems with
-	  /dev/random or an equivalent, it is used by default.  A
-	  source of entropy can also be defined using the random-device
-	  option in named.conf.
-	</para>
-      </answer>
-    </qandaentry>
-
-    <qandaentry>
-      <question>
-	<para>
-	  I installed BIND 9 and restarted named, but it's still BIND 8.  Why?
-	</para>
-      </question>
-      <answer>
-	<para>
-	  BIND 9 is installed under /usr/local by default.  BIND 8
-	  is often installed under /usr.  Check that the correct named
-	  is running.
-	</para>
-      </answer>
-    </qandaentry>
-
-    <qandaentry>
-      <question>
-	<para>
-	  I'm trying to use TSIG to authenticate dynamic updates or
-	  zone transfers.  I'm sure I have the keys set up correctly,
-	  but the server is rejecting the TSIG.  Why?
-	</para>
-      </question>
-      <answer>
-	<para>
-	  This may be a clock skew problem.  Check that the the clocks
-	  on the client and server are properly synchronised (e.g.,
-	  using ntp).
-	</para>
-      </answer>
-    </qandaentry>
-
-    <qandaentry>
-      <question>
-	<para>
-	  I'm trying to compile BIND 9, and "make" is failing due to
-	  files not being found.  Why?
-	</para>
-      </question>
-      <answer>
-	<para>
-	  Using a parallel or distributed "make" to build BIND 9 is
-	  not supported, and doesn't work.  If you are using one of
-	  these, use normal make or gmake instead.
-	</para>
-      </answer>
-    </qandaentry>
-
-    <qandaentry>
-      <question>
-	<para>
-	  I have a BIND 9 master and a BIND 8.2.3 slave, and the
-	  master is logging error messages like <quote>notify to 10.0.0.1#53
-	  failed: unexpected end of input</quote>.  What's wrong?
-	</para>
-      </question>
-      <answer>
-	<para>
-	  This error message is caused by a known bug in BIND 8.2.3
-	  and is fixed in BIND 8.2.4.  It can be safely ignored - the
-	  notify has been acted on by the slave despite the error
-	  message.
-	</para>
-      </answer>
-    </qandaentry>
-
-    <qandaentry>
-      <question>
-	<para>
-	  I keep getting log messages like the following.  Why?
-	</para>
-	<para>
-	  Dec  4 23:47:59 client 10.0.0.1#1355: updating zone
-	  'example.com/IN': update failed: 'RRset exists (value
-	  dependent)' prerequisite not satisfied (NXRRSET)
-	</para>
-      </question>
-      <answer>
-	<para>
-	  DNS updates allow the update request to test to see if
-	  certain conditions are met prior to proceeding with the
-	  update.  The message above is saying that conditions were
-	  not met and the update is not proceeding.  See doc/rfc/rfc2136.txt
-	  for more details on prerequisites.
-	</para>
-      </answer>
-    </qandaentry>
-
-    <qandaentry>
-      <question>
-	<para>
-	  I keep getting log messages like the following.  Why?
-	</para>
-	<para>
-	  Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied
-	</para>
-      </question>
-      <answer>
-	<para>
-	  Someone is trying to update your DNS data using the RFC2136
-	  Dynamic Update protocol.  Windows 2000 machines have a habit
-	  of sending dynamic update requests to DNS servers without
-	  being specifically configured to do so.  If the update
-	  requests are coming from a Windows 2000 machine, see
-	  <ulink
-	   url="http://support.microsoft.com/support/kb/articles/q246/8/04.asp">
-	    http://support.microsoft.com/support/kb/articles/q246/8/04.asp
-	  </ulink>
-	  for information about how to turn them off.
-	</para>
-      </answer>
-    </qandaentry>
-
-    <qandaentry>
-      <question>
-	<para>
-	  I see a log message like the following.  Why?
-	</para>
-	<para>
-	  couldn't open pid file '/var/run/named.pid': Permission denied
-	</para>
-      </question>
-      <answer>
-	<para>
-	  You are most likely running named as a non-root user, and
-	  that user does not have permission to write in /var/run.
-	  The common ways of fixing this are to create a /var/run/named
-	  directory owned by the named user and set pid-file to
-	  "/var/run/named/named.pid", or set pid-file to "named.pid",
-	  which will put the file in the directory specified by the
-	  directory option (which, in this case, must be writable by
-	  the named user).
-	</para>
-      </answer>
-    </qandaentry>
-
-    <qandaentry>
-      <question>
-	<para>
-	  When I do a "dig . ns", many of the A records for the root
-	  servers are missing.  Why?
-	</para>
-      </question>
-      <answer>
-	<para>
-	  This is normal and harmless.  It is a somewhat confusing
-	  side effect of the way BIND 9 does RFC2181 trust ranking
-	  and of the efforts BIND 9 makes to avoid promoting glue
-	  into answers.
-	</para>
-	<para>
-	 When BIND 9 first starts up and primes its cache, it receives
-	 the root server addresses as additional data in an authoritative
-	 response from a root server, and these records are eligible
-	 for inclusion as additional data in responses.  Subsequently
-	 it receives a subset of the root server addresses as
-	 additional data in a non-authoritative (referral) response
-	 from a root server.  This causes the addresses to now be
-	 considered non-authoritative (glue) data, which is not
-	 eligible for inclusion in responses.
-	</para>
-	<para>
-	 The server does have a complete set of root server addresses
-	 cached at all times, it just may not include all of them
-	 as additional data, depending on whether they were last
-	 received as answers or as glue.  You can always look up the
-	 addresses with explicit queries like "dig a.root-servers.net A".
-	</para>
-      </answer>
-    </qandaentry>
-
-    <qandaentry>
-      <question>
-	<para>
-	  Zone transfers from my BIND 9 master to my Windows 2000
-	  slave fail.  Why?
-	</para>
-      </question>
-      <answer>
-	<para>
-	  This may be caused by a bug in the Windows 2000 DNS server
-	  where DNS messages larger than 16K are not handled properly.
-	  This can be worked around by setting the option "transfer-format
-	  one-answer;".  Also check whether your zone contains domain
-	  names with embedded spaces or other special characters,
-	  like "John\032Doe\213s\032Computer", since such names have
-	  been known to cause Windows 2000 slaves to incorrectly
-	  reject the zone.
-	</para>
-      </answer>
-    </qandaentry>
-
-    <qandaentry>
-      <question>
-	<para>
-	  Why don't my zones reload when I do an "rndc reload" or SIGHUP?
-	</para>
-      </question>
-      <answer>
-	<para>
-	  A zone can be updated either by editing zone files and
-	  reloading the server or by dynamic update, but not both.
-	  If you have enabled dynamic update for a zone using the
-	  "allow-update" option, you are not supposed to edit the
-	  zone file by hand, and the server will not attempt to reload
-	  it.
-	</para>
-      </answer>
-    </qandaentry>
-
-    <qandaentry>
-      <question>
-	<para>
-	  I can query the nameserver from the nameserver but not from other
-	  machines.  Why?
-	</para>
-      </question>
-      <answer>
-	<para>
-	  This is usually the result of the firewall configuration stopping
-	  the queries and / or the replies.
-	</para>
-      </answer>
-    </qandaentry>
-
-    <qandaentry>
-      <question>
-	<para>
-	  How can I make a server a slave for both an internal and
-	  an external view at the same time?  When I tried, both views
-	  on the slave were transferred from the same view on the master.
-	</para>
-      </question>
-      <answer>
-	<para>
-	  You will need to give the master and slave multiple IP
-	  addresses and use those to make sure you reach the correct
-	  view on the other machine.
-	</para>
-	<informalexample>
-	  <programlisting>
-Master: 10.0.1.1 (internal), 10.0.1.2 (external, IP alias)
-    internal:
-	match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
-		notify-source 10.0.1.1;
-		transfer-source 10.0.1.1;
-		query-source address 10.0.1.1;
-    external:
-	match-clients { any; };
-	recursion no;	// don't offer recursion to the world
-	notify-source 10.0.1.2;
-	transfer-source 10.0.1.2;
-	query-source address 10.0.1.2;
-
-Slave: 10.0.1.3 (internal), 10.0.1.4 (external, IP alias)
-    internal:
-	match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
-	notify-source 10.0.1.3;
-	transfer-source 10.0.1.3;
-	query-source address 10.0.1.3;
-   external:
-	match-clients { any; };
-	recursion no;	// don't offer recursion to the world
-	notify-source 10.0.1.4;
-	transfer-source 10.0.1.4;
-	query-source address 10.0.1.4;</programlisting>
-	</informalexample>
-	<para>
-	  You put the external address on the alias so that all the other
-	  dns clients on these boxes see the internal view by default.
-	</para>
-      </answer>
-      <answer>
-	<para>
-	  BIND 9.3 and later: Use TSIG to select the appropriate view.
-	</para>
-	<informalexample>
-	  <programlisting>
-Master 10.0.1.1:
-	key "external" {
-		algorithm hmac-md5;
-		secret "xxxxxxxx";
-	};
-	view "internal" {
-		match-clients { !key external; 10.0.1/24; };
-		...
-	};
-	view "external" {
-		match-clients { key external; any; };
-		server 10.0.1.2 { keys external; };
-		recursion no;
-		...
-	};
-
-Slave 10.0.1.2:
-	key "external" {
-		algorithm hmac-md5;
-		secret "xxxxxxxx";
-	};
-	view "internal" {
-		match-clients { !key external; 10.0.1/24; };
-		...
-	};
-	view "external" {
-		match-clients { key external; any; };
-		server 10.0.1.1 { keys external; };
-		recursion no;
-		...
-	};</programlisting>
-	</informalexample>
-      </answer>
-    </qandaentry>
-
-    <qandaentry>
-      <question>
-	<para>
-	  I have FreeBSD 4.x and "rndc-confgen -a" just sits there.
-	</para>
-      </question>
-      <answer>
-	<para>
-	  /dev/random is not configured.  Use rndcontrol(8) to tell
-	  the kernel to use certain interrupts as a source of random
-	  events.  You can make this permanent by setting rand_irqs
-	  in /etc/rc.conf.
-	</para>
-	<informalexample>
-	  <programlisting>
-/etc/rc.conf
-rand_irqs="3 14 15"</programlisting>
-	</informalexample>
-	<para>
-	  See also
-	  <ulink url="http://people.freebsd.org/~dougb/randomness.html">
-	    http://people.freebsd.org/~dougb/randomness.html
-	  </ulink>
-	</para>
-      </answer>
-    </qandaentry>
-
-    <qandaentry>
-      <question>
-	<para>
-	  Why is named listening on UDP port other than 53?
-	</para>
-      </question>
-      <answer>
-	<para>
-	  Named uses a system selected port to make queries of other
-	  nameservers.  This behaviour can be overridden by using
-	  query-source to lock down the port and/or address.  See
-	  also notify-source and transfer-source.
-	</para>
-      </answer>
-    </qandaentry>
-
-    <qandaentry>
-      <question>
-	<para>
-	  I get error messages like <quote>multiple RRs of singleton type</quote>
-	  and <quote>CNAME and other data</quote> when transferring a zone.  What
-	  does this mean?
-	</para>
-      </question>
-      <answer>
-	<para>
-	  These indicate a malformed master zone.  You can identify
-	  the exact records involved by transferring the zone using
-	  dig then running named-checkzone on it.
-	</para>
-	<informalexample>
-	  <programlisting>
-dig axfr example.com @master-server &gt; tmp
-named-checkzone example.com tmp</programlisting>
-	</informalexample>
-	<para>
-	  A CNAME record cannot exist with the same name as another record
-	  except for the DNSSEC records which prove its existence (NSEC).
-	</para>
-	<para>
-	  RFC 1034, Section 3.6.2: <quote>If a CNAME RR is present at a node,
-	  no other data should be present; this ensures that the data for a
-	  canonical name and its aliases cannot be different.  This rule also
-	  insures that a cached CNAME can be used without checking with an
-	  authoritative server for other RR types.</quote>
-	</para>
-      </answer>
-    </qandaentry>
-
-    <qandaentry>
-      <question>
-	<para>
-	  I get error messages like <quote>named.conf:99: unexpected end
-	  of input</quote> where 99 is the last line of named.conf.
-	</para>
-      </question>
-      <answer>
-	<para>
-	  Some text editors (notepad and wordpad) fail to put a line
-	  title indication (e.g. CR/LF) on the last line of a
-	  text file.  This can be fixed by "adding" a blank line to
-	  the end of the file.  Named expects to see EOF immediately
-	  after EOL and treats text files where this is not met as
-	  truncated.
-	</para>
-      </answer>
-    </qandaentry>
-
-    <qandaentry>
-      <question>
-	<para>
-	  I get warning messages like <quote>zone example.com/IN: refresh:
-	  failure trying master 1.2.3.4#53: timed out</quote>.
-	</para>
-      </question>
-      <answer>
-	<para>
-	Check that you can make UDP queries from the slave to the master
-	</para>
-	<informalexample>
-	  <programlisting>
-dig +norec example.com soa @1.2.3.4</programlisting>
-	</informalexample>
-	<para>
-	  You could be generating queries faster than the slave can
-	  cope with.  Lower the serial query rate.
-	</para>
-	<informalexample>
-	  <programlisting>
-serial-query-rate 5; // default 20</programlisting>
-	</informalexample>
-      </answer>
-    </qandaentry>
-
-    <qandaentry>
-      <question>
-	<para>
-	  How do I share a dynamic zone between multiple views?
-	</para>
-      </question>
-      <answer>
-	<para>
-	  You choose one view to be master and the second a slave and
-	  transfer the zone between views.
-	</para>
-	<informalexample>
-	  <programlisting>
-Master 10.0.1.1:
-	key "external" {
-		algorithm hmac-md5;
-		secret "xxxxxxxx";
-	};
-
-	key "mykey" {
-		algorithm hmac-md5;
-		secret "yyyyyyyy";
-	};
-
-	view "internal" {
-		match-clients { !external; 10.0.1/24; };
-		server 10.0.1.1 {
-			/* Deliver notify messages to external view. */
-			keys { external; };
-		};
-		zone "example.com" {
-			type master;
-			file "internal/example.db";
-			allow-update { key mykey; };
-			notify-also { 10.0.1.1; };
-		};
-	};
-
-	view "external" {
-		match-clients { external; any; };
-		zone "example.com" {
-			type slave;
-			file "external/example.db";
-			masters { 10.0.1.1; };
-			transfer-source { 10.0.1.1; };
-			// allow-update-forwarding { any; };
-			// allow-notify { ... };
-		};
-	};</programlisting>
-	</informalexample>
-      </answer>
-    </qandaentry>
-
-    <qandaentry>
-      <question>
-	<para>
-	  I get a error message like <quote>zone wireless.ietf56.ietf.org/IN:
-	  loading master file primaries/wireless.ietf56.ietf.org: no
-	  owner</quote>.
-	</para>
-      </question>
-      <answer>
-	<para>
-	  This error is produced when a line in the master file
-	  contains leading white space (tab/space) but the is no
-	  current record owner name to inherit the name from.  Usually
-	  this is the result of putting white space before a comment.
-	  Forgetting the "@" for the SOA record or indenting the master
-	  file.
-	</para>
-      </answer>
-    </qandaentry>
-
-    <qandaentry>
-      <question>
-	<para>
-	  Why are my logs in GMT (UTC).
-	</para>
-      </question>
-      <answer>
-	<para>
-	  You are running chrooted (-t) and have not supplied local timezone
-	  information in the chroot area.
-	</para>
-	<simplelist>
-	  <member>FreeBSD: /etc/localtime</member>
-	  <member>Solaris: /etc/TIMEZONE and /usr/share/lib/zoneinfo</member>
-	  <member>OSF: /etc/zoneinfo/localtime</member>
-	  </simplelist>
-	<para>
-	  See also tzset(3) and zic(8).
-	</para>
-      </answer>
-    </qandaentry>
-
-    <qandaentry>
-      <question>
-	<para>
-	  I get the error message <quote>named: capset failed: Operation
-	  not permitted</quote> when starting named.
-	</para>
-      </question>
-      <answer>
-	<para>
-	  The capability module, part of "Linux Security Modules/LSM",
-	  has not been loaded into the kernel.  See insmod(8).
-	</para>
-      </answer>
-    </qandaentry>
-
-    <qandaentry>
-      <question>
-	<para>
-	  I get <quote>rndc: connect failed: connection refused</quote> when
-	  I try to run rndc.
-	</para>
-      </question>
-      <answer>
-	<para>
-	  This is usually a configuration error.
-	</para>
-	<para>
-	  First ensure that named is running and no errors are being
-	  reported at startup (/var/log/messages or equivalent).
-	  Running "named -g &lt;usual arguments&gt;" from a title
-	  can help at this point.
-	</para>
-	<para>
-	  Secondly ensure that named is configured to use rndc either
-	  by "rndc-confgen -a", rndc-confgen or manually.  The
-	  Administrators Reference manual has details on how to do
-	  this.
-	</para>
-	<para>
-	  Old versions of rndc-confgen used localhost rather than
-	  127.0.0.1 in /etc/rndc.conf for the default server.  Update
-	  /etc/rndc.conf if necessary so that the default server
-	  listed in /etc/rndc.conf matches the addresses used in
-	  named.conf.  "localhost" has two address (127.0.0.1 and
-	  ::1).
-	</para>
-	<para>
-	  If you use "rndc-confgen -a" and named is running with -t or -u
-	  ensure that /etc/rndc.conf has the correct ownership and that
-	  a copy is in the chroot area.  You can do this by re-running
-	  "rndc-confgen -a" with appropriate -t and -u arguments.
-	</para>
-      </answer>
-    </qandaentry>
-
-    <qandaentry>
-      <question>
-	<para>
-	  I don't get RRSIG's returned when I use "dig +dnssec".
-	</para>
-      </question>
-      <answer>
-	<para>
-	  You need to ensure DNSSEC is enabled (dnssec-enable yes;).
-	</para>
-      </answer>
-    </qandaentry>
-
-    <qandaentry>
-      <question>
-	<para>
-	  I get <quote>Error 1067</quote> when starting named under Windows.
-	</para>
-      </question>
-      <answer>
-	<para>
-	  This is the service manager saying that named exited.   You
-	  need to examine the Application log in the EventViewer to
-	  find out why.
-	</para>
-	<para>
-	  Common causes are that you failed to create "named.conf"
-	  (usually "C:\windows\dns\etc\named.conf") or failed to
-	  specify the directory in named.conf.
-	</para>
-	<informalexample>
-	  <programlisting>
-options {
-	Directory "C:\windows\dns\etc";
-};</programlisting>
-	</informalexample>
-      </answer>
-    </qandaentry>
-
-    <qandaentry>
-      <question>
-	<para>
-	  I get <quote>transfer of 'example.net/IN' from 192.168.4.12#53:
-	  failed while receiving responses: permission denied</quote> error
-	  messages.
-	</para>
-      </question>
-      <answer>
-	<para>
-	  These indicate a filesystem permission error preventing
-	  named creating / renaming the temporary file.  These will
-	  usually also have other associated error messages like
-	</para>
-	<informalexample>
-	  <programlisting>
-"dumping master file: sl/tmp-XXXX5il3sQ: open: permission denied"</programlisting>
-	</informalexample>
-	<para>
-	  Named needs write permission on the directory containing
-	  the file.  Named writes the new cache file to a temporary
-	  file then renames it to the name specified in named.conf
-	  to ensure that the contents are always complete.  This is
-	  to prevent named loading a partial zone in the event of
-	  power failure or similar interrupting the write of the
-	  master file.
-	</para>
-	<para>
-	  Note file names are relative to the directory specified in
-	  options and any chroot directory  ([&lt;chroot
-	  dir&gt;/][&lt;options dir&gt;]).
-	</para>
-	<informalexample>
-	  <para>
-	    If named is invoked as "named -t /chroot/DNS" with
-	    the following named.conf then "/chroot/DNS/var/named/sl"
-	    needs to be writable by the user named is running as.
-	  </para>
-	  <programlisting>
-options {
-	directory "/var/named";
-};
-
-zone "example.net" {
-	type slave;
-	file "sl/example.net";
-	masters { 192.168.4.12; };
-};</programlisting>
-	</informalexample>
-      </answer>
-    </qandaentry>
-
-    <qandaentry>
-      <question>
-	<para>
-	  How do I integrate BIND 9 and Solaris SMF
-	</para>
-      </question>
-      <answer>
-	<para>
-	  Sun has a blog entry describing how to do this.
-	</para>
-	<para>
-	  <ulink
-	  url="http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris">
-	     http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris
-	  </ulink>
-	</para>
-      </answer>
-    </qandaentry>
-
-    <qandaentry>
-      <question>
-	<para>
-	  Can a NS record refer to a CNAME.
-	</para>
-      </question>
-      <answer>
-	<para>
-	  No.  The rules for glue (copies of the *address* records
-	  in the parent zones) and additional section processing do
-	  not allow it to work.
-	</para>
-	<para>
-	  You would have to add both the CNAME and address records
-	  (A/AAAA) as glue to the parent zone and have CNAMEs be
-	  followed when doing additional section processing to make
-	  it work.  No nameserver implementation supports either of
-	  these requirements.
-	</para>
-      </answer>
-    </qandaentry>
-
-    <qandaentry>
-      <question>
-	<para>
-	  What does <quote>RFC 1918 response from Internet for
-	  0.0.0.10.IN-ADDR.ARPA</quote> mean?
-	</para>
-      </question>
-      <answer>
-	<para>
-	  If the IN-ADDR.ARPA name covered refers to a internal address
-	  space you are using then you have failed to follow RFC 1918
-	  usage rules and are leaking queries to the Internet.  You
-	  should establish your own zones for these addresses to prevent
-	  you querying the Internet's name servers for these addresses.
-	  Please see <ulink url="http://as112.net/">http://as112.net/</ulink>
-	  for details of the problems you are causing and the counter
-	  measures that have had to be deployed.
-	</para>
-	<para>
-	  If you are not using these private addresses then a client
-	  has queried for them.  You can just ignore the messages,
-	  get the offending client to stop sending you these messages
-	  as they are most probably leaking them or setup your own zones
-	  empty zones to serve answers to these queries.
-	</para>
-	<informalexample>
-	  <programlisting>
-zone "10.IN-ADDR.ARPA" {
-	type master;
-	file "empty";
-};
-
-zone "16.172.IN-ADDR.ARPA" {
-	type master;
-	file "empty";
-};
-
-...
-
-zone "31.172.IN-ADDR.ARPA" {
-	type master;
-	file "empty";
-};
-
-zone "168.192.IN-ADDR.ARPA" {
-	type master;
-	file "empty";
-};
-
-empty:
-@ 10800 IN SOA &lt;name-of-server&gt;. &lt;contact-email&gt;. (
-	       1 3600 1200 604800 10800 )
-@ 10800 IN NS &lt;name-of-server&gt;.</programlisting>
-	</informalexample>
-	<para>
-	<note>
-	  Future versions of named are likely to do this automatically.
-	</note>
-	</para>
-      </answer>
-    </qandaentry>
-
-    <qandaentry>
-      <question>
-	<para>
-	   I'm running BIND on Red Hat Enterprise Linux or Fedora Core -
-	</para>
-	<para>
-	  Why can't named update slave zone database files?
-	</para>
-	<para>
-	  Why can't named create DDNS journal files or update
-	  the master zones from journals?
-	</para>
-	<para>
-	  Why can't named create custom log files?
-	</para>
-      </question>
-
-      <answer>
-	<para>
-	  Red Hat Security Enhanced Linux (SELinux) policy security
-	  protections :
-	</para>
-
-	<para>
-	   Red Hat have adopted the National Security Agency's
-	   SELinux security policy ( see http://www.nsa.gov/selinux
-	   ) and recommendations for BIND security , which are more
-	   secure than running named in a chroot and make use of
-	   the bind-chroot environment unnecessary .
-	</para>
-
-	<para>
-	  By default, named is not allowed by the SELinux policy
-	  to write, create or delete any files EXCEPT in these
-	  directories:
-	  <informalexample>
-	    <programlisting>
-$ROOTDIR/var/named/slaves
-$ROOTDIR/var/named/data
-$ROOTDIR/var/tmp
-	    </programlisting>
-	  </informalexample>
-	  where $ROOTDIR may be set in /etc/sysconfig/named if
-	  bind-chroot is installed.
-	</para>
-
-	<para>
-	  The SELinux policy particularly does NOT allow named to modify
-	  the $ROOTDIR/var/named directory, the default location for master
-	  zone database files.
-	</para>
-
-	<para>
-	  SELinux policy overrules file access permissions - so
-	  even if all the files under /var/named have ownership
-	  named:named and mode rw-rw-r--, named will still not be
-	  able to write or create files except in the directories
-	  above, with SELinux in Enforcing mode.
-	</para>
-  
-	<para>
-	  So, to allow named to update slave or DDNS zone files,
-	  it is best to locate them in $ROOTDIR/var/named/slaves,
-	  with named.conf zone statements such as:
-	  <informalexample>
-	    <programlisting>
-zone "slave.zone." IN {
-	type slave;
-	file "slaves/slave.zone.db";
-	...
-};   
-zone "ddns.zone." IN  {
-	type master;
-	allow-updates {...};
-	file "slaves/ddns.zone.db";
-};
-	    </programlisting>
-	  </informalexample>
-	</para>
-
-	<para>
-	  To allow named to create its cache dump and statistics
-	  files, for example, you could use named.conf options
-	  statements such as:
-	  <informalexample>
-	    <programlisting>
-options {
-	...
-	dump-file "/var/named/data/cache_dump.db";
-	statistics-file "/var/named/data/named_stats.txt";
-	...
-};
-	    </programlisting>
-	  </informalexample>
-	</para>
-
-	<para>
-	  You can also tell SELinux to allow named to update any
-	  zone database files, by setting the SELinux tunable boolean
-	  parameter 'named_write_master_zones=1', using the
-	  system-config-securitylevel GUI, using the 'setsebool'
-	  command, or in /etc/selinux/targeted/booleans.
-	</para>
-  
-	<para>
-	  You can disable SELinux protection for named entirely by
-	  setting the 'named_disable_trans=1' SELinux tunable boolean
-	  parameter.
-	</para>
-    
-	<para>
-	  The SELinux named policy defines these SELinux contexts for named:
-	  <informalexample>
-	    <programlisting>
-named_zone_t : for zone database files       - $ROOTDIR/var/named/*
-named_conf_t : for named configuration files - $ROOTDIR/etc/{named,rndc}.*
-named_cache_t: for files modifiable by named - $ROOTDIR/var/{tmp,named/{slaves,data}}
-	    </programlisting>
-	  </informalexample>
-	</para>
-   
-	<para>
-	  If you want to retain use of the SELinux policy for named,
-	  and put named files in different locations, you can do
-	  so by changing the context of the custom file locations
-	  .
-	</para>
-
-	<para>
-	  To create a custom configuration file location, e.g.
-	  '/root/named.conf', to use with the 'named -c' option,
-	  do:
-	  <informalexample>
-	    <programlisting>
-# chcon system_u:object_r:named_conf_t /root/named.conf
-	    </programlisting>
-	  </informalexample>
-	</para>
-  
-	<para>
-	  To create a custom modifiable named data location, e.g.
-	  '/var/log/named' for a log file, do:
-	  <informalexample>
-	    <programlisting>
-# chcon system_u:object_r:named_cache_t /var/log/named
-	    </programlisting>
-	  </informalexample>
-	</para>
-   
-	<para>
-   To create a custom zone file location, e.g. /root/zones/, do:
-	  <informalexample>
-	    <programlisting>
-# chcon system_u:object_r:named_zone_t /root/zones/{.,*}
-	    </programlisting>
-	  </informalexample>
-	</para>
-  
-	<para>
-	  See these man-pages for more information : selinux(8),
-	  named_selinux(8), chcon(1), setsebool(8)
-	</para>
-      </answer>
-    </qandaentry>
-
-    <qandaentry>
-      <question>
-	<para>
-	  I want to forward all DNS queries from my caching nameserver to
-	  another server. But there are some domains which have to be
-	  served locally, via rbldnsd.
-	</para>
-	<para>
-	  How do I achieve this ?
-	</para>
-      </question>
-      <answer>
-        <programlisting>
-options {
-	forward only;
-	forwarders { &lt;ip.of.primary.nameserver&gt;; };
-};
-
-zone "sbl-xbl.spamhaus.org" {
-	type forward; forward only;
-	forwarders { &lt;ip.of.rbldns.server&gt; port 530; };
-};
-
-zone "list.dsbl.org" {
-	type forward; forward only;
-	forwarders { &lt;ip.of.rbldns.server&gt; port 530; };
-};
-        </programlisting>
-      </answer>
-    </qandaentry>
-
-    <qandaentry>
-      <question>
-	<para>
-	  Will named be affected by the 2007 changes to daylight savings
-	  rules in the US.
-	</para>
-      </question>
-      <answer>
-	<para>
-	  No, so long as the machines internal clock (as reported
-	  by "date -u") remains at UTC.  The only visible change
-	  if you fail to upgrade your OS, if you are in a affected
-	  area, will be that log messages will be a hour out during
-	  the period where the old rules do not match the new rules.
-	</para>
-	<para>
-	  For most OS's this change just means that you need to
-	  update the conversion rules from UTC to local time.
-	  Normally this involves updating a file in /etc (which
-	  sets the default timezone for the machine) and possibly
-	  a directory which has all the conversion rules for the
-	  world (e.g. /usr/share/zoneinfo).  When updating the OS
-	  do not forget to update any chroot areas as well.
-	  See your OS's documentation for more details.
-	</para>
-	<para>
-	  The local timezone conversion rules can also be done on
-	  a individual basis by setting the TZ environment variable
-	  appropriately.  See your OS's documentation for more
-	  details.
-	</para>
-      </answer>
-    </qandaentry>
-
-    <qandaentry>
-      <question>
-	<para>
-	  Why do we get the following warning at run time:
-<programlisting>kernel: process `named' is using obsolete setsockopt SO_BSDCOMPAT</programlisting>
-	</para>
-      </question>
-      <answer>
-	<para>
-          The early Linux kernels broke sendto() by having it return     
-          that a ICMP unreachable had be received for non connected
-          UDP sockets.  This made non connected UDP sockets work like
-          connected UDP socket which is fine when you are only talking
-          to one destination.  Named however talks to multiple
-          destinations and it caused problems.
-	</para>
-	<para>
-          Rather than fix sendto() to just have BSD behaviour they added
-          SO_BSDCOMPAT to turn BSD behaviour on/off on a per socket basis.
-	</para>
-	<para>
-          Later they decided to make BSD behaviour the default and
-          to aggressively track down applications that used SO_BSDCOMPAT
-          by issuing a warning.  This is the sort of things vendors
-          do in alpha/beta stages of a release so that their code is
-          clean.  They then turn the warning *off* for release code.
-	</para>
-	<para>
-          We still have customers that have kernels that require
-          SO_BSDCOMPAT to operate.  We therefore cannot remove the
-          setsockopt(SO_BSDCOMPAT) call.
-	</para>
-	<para>
-          Now most/all portable applications that use SO_BSDCOMPAT use it
-          conditionally manner so just removing SO_BSDCOMPAT from the
-          header file would be safe as long as the binary was not to
-          be moved between systems.  BIND's use is conditional.
-	</para>
-	<para>
-	  In short, the Linux developers should either, remove the #define for
-	  SO_BSDCOMPAT, and/or remove the warning.
-	</para>
-      </answer>
-    </qandaentry>
-
-    <qandaentry>
-      <question>
-	<para>
-	  Isn't "make install"  supposed to generate a default named.conf?
-	</para>
-      </question>
-      <answer>
-	<para>
-	  Short Answer: No. 
-	</para>
-	<para>
-	  Long Answer: There really isn't a default configuration which fits
-	  any site perfectly.  There are lots of decisions that need to
-	  be made and there is no consensus on what the defaults should be.
-	  For example FreeBSD uses /etc/namedb as the location where the
-	  configuration files for named are stored.  Others use /var/named.
-	</para>
-	<para>
-	  What addresses to listen on?  For a laptop on the move a lot
-	  you may only want to listen on the loop back interfaces.
-	</para>
-	<para>
-	  Who do you offer recursive service to?  Is there are firewall
-	  to consider?  If so is it stateless or stateful.  Are you
-	  directly on the Internet?  Are you on a private network? Are
-	  you on a NAT'd network? The answers
-	  to all these questions change how you configure even a
-	  caching name server.
-	</para>
-      </answer>
-    </qandaentry>
-
-  </qandaset>
-</article>
diff --git a/Makefile.in b/Makefile.in
index 8f7945cb..a2a06531 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,5 +1,5 @@
-# Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2001, 2003  Internet Software Consortium.
+# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 1998-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.41.2.5 2006/05/19 00:03:59 marka Exp $
+# $Id: Makefile.in,v 1.41.2.2.2.2 2004/03/08 04:04:12 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -44,8 +44,7 @@ maintainer-clean::
 	rm -f configure
 
 installdirs:
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${bindir} \
-	${DESTDIR}${localstatedir}/run ${DESTDIR}${sysconfdir}
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${bindir}
 
 install:: isc-config.sh installdirs
 	${INSTALL_SCRIPT} isc-config.sh ${DESTDIR}${bindir}
diff --git a/README b/README
index effef26c..aa7ce950 100644
--- a/README
+++ b/README
@@ -28,7 +28,7 @@ BIND 9
 
 
 	BIND version 9 development has been underwritten by the following
-	organisations:
+	organizations:
 
 		Sun Microsystems, Inc.
 		Hewlett Packard
@@ -43,73 +43,44 @@ BIND 9
 		Nominum, Inc.
 
 
-BIND 9.2.9
+BIND 9.3.0
 
-	BIND 9.2.9 is the final maintenance release for BIND 9.2.
-	BIND 9.2.9 contains fixes for a number of bugs in 9.2.8.
-	
-BIND 9.2.8
+	BIND 9.3.0 has a number of new features over 9.2,
+	including:
 
-	BIND 9.2.9 is a security release for BIND 9.2.
+	DNSSEC is now DS based.
+	See doc/draft/draft-ietf-dnsext-dnssec-*
 
-BIND 9.2.7
+	DNSSEC lookaside validation.
 
-	BIND 9.2.7 is a maintenance release, containing fixes for
-	a number of bugs in 9.2.6.
+	check-names is now implemented.
+	rrset-order in more complete.
 
-BIND 9.2.6
+	IPv4/IPv6 transition support, dual-stack-servers.
 
-	BIND 9.2.6 is a maintenance release, containing fixes for
-	a number of bugs in 9.2.5.
+	IXFR deltas can now be generated when loading master files,
+	ixfr-from-differences.
 
-	libbind: corresponds to that from BIND 8.4.7-REL.
+	It is now possible to specify the size of a journal, max-journal-size.
 
-BIND 9.2.5
+	It is now possible to define a named set of master servers to be
+	used in masters clause, masters.
 
-	BIND 9.2.5 is a maintenance release, containing fixes for
-	a number of bugs in 9.2.4.
+	The advertised EDNS UDP size can now be set, edns-udp-size.
 
-	libbind: corresponds to that from BIND 8.4.6-REL.
+	allow-v6-synthesis has been obsoleted.
 
-BIND 9.2.4
+	NOTE:
+	* Zones containing MD and MF will now be rejected.
+	* dig, nslookup name. now report "Not Implemented" as
+	  NOTIMP rather than NOTIMPL.  This will have impact on scripts
+	  that are looking for NOTIMPL.
 
-	BIND 9.2.4 is a maintenance release, containing fixes for
-	a number of bugs in 9.2.3.
-	
 	libbind: corresponds to that from BIND 8.4.5.
 
-BIND 9.2.3
-	
-	BIND 9.2.3 is a maintenance release, containing fixes for
-	a number of bugs in 9.2.2.
-
-	A new zone type delegation-only is now supported.
-	A new view option root-delegation-only is now supported.
-
-	libbind: corresponds to that from BIND 8.4.0.
-
-BIND 9.2.2
-
-	BIND 9.2.2 is a maintenance release, containing fixes for
-	a number of bugs in 9.2.1 but no new features.  RFC 2535
-	style DNSSEC is disabled as it is incompatible with the
-	forthcoming DS style DNSSEC.
-
-	libbind: from BIND 8.3.3. [CERT CA-2002-19]
-	Minimum OpenSSL version now 0.9.6e. [CERT CA-2002-23]
-
-BIND 9.2.1
-
-	BIND 9.2.1 is a maintenance release, containing fixes for
-	a number of bugs in 9.2.0 but no new features.
-
-	NOTE: dig, nslookup name. now report "Not Implemented" as
-	NOTIMP rather than NOTIMPL.  This will have impact on scripts
-	that are looking for NOTIMPL.
-
 BIND 9.2.0
 
-	BIND 9.2.0 introduces a number of new features over 9.1,
+	BIND 9.2.0 has a number of new features over 9.1,
 	including:
 
 	  - The size of the cache can now be limited using the
@@ -163,8 +134,8 @@ BIND 9.2.0
 
 	BIND 9.2 is capable of acting as an authoritative server
 	for DNSSEC secured zones.  This functionality is believed to
-	be stable and complete except for lacking support for wildcard
-	records in secure zones.
+	be stable and complete except for lacking support for
+	verifications involving wildcard records in secure zones.
 
 	When acting as a caching server, BIND 9.2 can be configured
 	to perform DNSSEC secure resolution on behalf of its clients.
@@ -188,16 +159,14 @@ BIND 9.2.0
 		This is due to a bug in "/dev/random" and impacts the
 		server's DNSSEC support.
 
-		OS X 10.1.4 (Darwin 5.4) reports errors like
+		OS X 10.1.4 (Darwin 5.4), OS X 10.1.5 (Darwin 5.5) and
+		OS X 10.2 (Darwin 6.0) reports errors like
 		"fcntl(3, F_SETFL, 4): Operation not supported by device".
 		This is due to a bug in "/dev/random" and impacts the
 		server's DNSSEC support.
 
 		--with-libtool does not work on AIX.
 
-		--with-libtool does not work on SunOS 4.  configure
-		requires "printf" which is not available.
-
 	A bug in the Windows 2000 DNS server can cause zone transfers
 	from a BIND 9 server to a W2K server to fail.  For details,
 	see the "Zone Transfers" section in doc/misc/migration.
@@ -213,13 +182,16 @@ Building
 
 	We've had successful builds and tests on the following systems:
 
-                COMPAQ Tru64 UNIX 5.1B
-                FreeBSD 4.10, 5.2.1
-                HP-UX 11.11
-                NetBSD 1.5
-                Slackware Linux 8.1
-                Solaris 8, 9, 9 (x86)
-                Windows NT/2000/XP/2003
+		AIX 4.3
+		COMPAQ Tru64 UNIX 4.0D
+		COMPAQ Tru64 UNIX 5 (with IPv6 EAK)
+		FreeBSD 3.4-STABLE, 3.5, 4.0, 4.1
+		HP-UX 11
+		IRIX64 6.5
+		NetBSD 1.5
+		Red Hat Linux 6.0, 6.1, 6.2, 7.0
+		Solaris 2.6, 7, 8
+		Windows NT/W2K
 
 	Additionally, we have unverified reports of success building
 	previous versions of BIND 9 from users of the following systems:
@@ -229,12 +201,12 @@ Building
 		Slackware Linux 7.x, 8.0
 	        Red Hat Linux 7.1
 		Debian GNU/Linux 2.2 and 3.0
-		OpenBSD 2.6, 2.8, 2.9, 3.1, 3.6, 3.8
+		Mandrake 8.1
+		OpenBSD 2.6, 2.8, 2.9
 		UnixWare 7.1.1
 		HP-UX 10.20
 		BSD/OS 4.2
-		OpenUNIX 8
-		Mac OS X 10.1, 10.3.8
+		Mac OS X 10.1
 
 	To build, just
 
@@ -252,7 +224,7 @@ Building
 
 	    CFLAGS
 		C compiler flags.  Defaults to include -g and/or -O2
-		as supported by the compiler.
+		as supported by the compiler.  
 
 	    STD_CINCLUDES
 		System header file directories.	 Can be used to specify
@@ -264,28 +236,11 @@ Building
 		Defaults to empty string.
 
 		Possible settings:
-		-DISC_RFC2535
-			Enable support RFC 2535 style DNSSEC.  This
-			is incompatable with the upcoming DS support
-			and SHOULD NOT be set unless you are currently
-			making use of it.
-		-DNS_CLIENT_DROPPORT=0
-			Disable dropping queries from particular well
-			known ports.
-
-	    LDFLAGS
-		Linker flags. Defaults to empty string.
-
-	The following need to be set when cross compiling.
-
-	    BUILD_CC
-		The native C compiler.
-	    BUILD_CFLAGS (optional)
-	    BUILD_CPPFLAGS (optional)
-		Possible Settings:
-		-DNEED_OPTARG=1		(optarg is not declared in <unistd.h>)
-	    BUILD_LDFLAGS (optional)
-	    BUILD_LIBS (optional)
+		Change the default syslog facility of named/lwresd.
+		  -DISC_FACILITY=LOG_LOCAL0	
+		Enable DNSSEC signature chasing support in dig.
+		  -DDIG_SIGCHASE=1 (sets -DDIG_SIGCHASE_TD=1 and
+				    -DDIG_SIGCHASE_BU=1)
 
 	To build shared libraries, specify "--with-libtool" on the
 	configure command line.
@@ -338,18 +293,15 @@ Building
 	Building with gcc is not supported, unless gcc is the vendor's usual
 	compiler (e.g. the various BSD systems, Linux).
 	
-	Known compiler issues:
-	* gcc-3.2.1 and gcc-3.1.1 is known to cause problems with solaris-x86
-	  if the optimiser is enabled.  Use -O0 to disable the optimiser.
-	* gcc ultrasparc generates incorrect code at -02.
-	* gcc-3.3.5 powerpc generates incorrect code at -02.
-	* Irix, MipsPRO 7.4.1m is known to cause problems.
+	* gcc-3.2.1 and gcc-3.1.1 is known to cause problems with solaris-x86.
+	* gcc prior to gcc-3.2.3 ultrasparc generates incorrect code at -02.
 
 	A limited test suite can be run with "make test".  Many of
 	the tests require you to configure a set of virtual IP addresses
 	on your system, and some require Perl; see bin/tests/system/README
 	for details.
 
+
 Documentation
 
 	The BIND 9 Administrator Reference Manual is included with the
@@ -375,17 +327,13 @@ Bug Reports and Mailing Lists
 
 		bind9-bugs@isc.org
 
-	Configuration questions should be sent to the BIND 9 Users
-	mailing list.  Compilation questions should be sent to the
-	BIND 9 Users mailing list.
+	To join the BIND 9 Users mailing list, send mail to
 
-	To join the BIND Users mailing list, send mail to
+		bind9-users-request@isc.org
 
-		bind-users-request@isc.org
- 
 	archives of which can be found via
 
-		http://www.isc.org/ml-archives/
+		http://www.isc.org/ops/lists/
 
 	If you're planning on making changes to the BIND 9 source
 	code, you might want to join the BIND Workers mailing list.
diff --git a/acconfig.h b/acconfig.h
index be55df8c..8d26c7d3 100644
--- a/acconfig.h
+++ b/acconfig.h
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
+ * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: acconfig.h,v 1.35.2.10 2004/12/04 06:44:36 marka Exp $ */
+/* $Id: acconfig.h,v 1.35.2.4.2.7 2004/03/08 04:04:12 marka Exp $ */
 
 /***
  *** This file is not to be included by any public header files, because
@@ -53,6 +53,9 @@
 /* define if catgets() is available */
 #undef HAVE_CATGETS
 
+/* define if getifaddrs() exists */
+#undef HAVE_GETIFADDRS
+
 /* define if you have the NET_RT_IFLIST sysctl variable and sys/sysctl.h */
 #undef HAVE_IFLIST_SYSCTL
 
@@ -131,8 +134,5 @@ int sigwait(const unsigned int *set, int *sig);
 /* define if you have strerror in the C library. */
 #undef HAVE_STRERROR
 
-/* Define to the length type used by the socket API (socklen_t, size_t, int). */
-#undef ISC_SOCKADDR_LEN_T
-
-/* Define if threads need PTHREAD_SCOPE_SYSTEM */
-#undef NEED_PTHREAD_SCOPE_SYSTEM
+/* Define if you are running under Compaq TruCluster..  */
+#undef HAVE_TRUCLUSTER
diff --git a/bin/Makefile.in b/bin/Makefile.in
index c14c9d13..d8261d7b 100644
--- a/bin/Makefile.in
+++ b/bin/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.22.2.1 2004/03/09 06:09:08 marka Exp $
+# $Id: Makefile.in,v 1.22.208.1 2004/03/06 10:21:10 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/bin/check/Makefile.in b/bin/check/Makefile.in
index c3bec581..5b6347db 100644
--- a/bin/check/Makefile.in
+++ b/bin/check/Makefile.in
@@ -1,5 +1,5 @@
 # Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2000-2002  Internet Software Consortium.
+# Copyright (C) 2000-2003  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.15.2.6 2004/07/20 07:00:09 marka Exp $
+# $Id: Makefile.in,v 1.15.2.3.8.5 2004/03/06 10:21:10 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -21,27 +21,30 @@ top_srcdir =	@top_srcdir@
 
 @BIND9_VERSION@
 
-@BIND9_INCLUDES@
+@BIND9_MAKE_INCLUDES@
 
-CINCLUDES =	${DNS_INCLUDES} ${ISCCFG_INCLUDES} ${ISC_INCLUDES}
+CINCLUDES =	${BIND9_INCLUDES} ${DNS_INCLUDES} ${ISCCFG_INCLUDES} \
+		${ISC_INCLUDES}
 
 CDEFINES = 	-DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"
 CWARNINGS =
 
-DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_OPENSSL_LIBS@ @DNS_GSSAPI_LIBS@
+DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
 ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
 ISCLIBS =	../../lib/isc/libisc.@A@
+BIND9LIBS =	../../lib/bind9/libbind9.@A@
 
 DNSDEPLIBS =	../../lib/dns/libdns.@A@
 ISCCFGDEPLIBS =	../../lib/isccfg/libisccfg.@A@
 ISCDEPLIBS =	../../lib/isc/libisc.@A@
+BIND9DEPLIBS =	../../lib/bind9/libbind9.@A@
 
 LIBS =		@LIBS@
 
 SUBDIRS =
 
 # Alphabetically
-TARGETS =	named-checkconf named-checkzone
+TARGETS =	named-checkconf@EXEEXT@ named-checkzone@EXEEXT@
 
 # Alphabetically
 SRCS =		named-checkconf.c named-checkzone.c check-tool.c
@@ -55,21 +58,24 @@ MANOBJS =	${MANPAGES} ${HTMLPAGES}
 @BIND9_MAKE_RULES@
 
 named-checkconf.@O@: named-checkconf.c
-	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+		-DVERSION=\"${VERSION}\" \
 		-c ${srcdir}/named-checkconf.c
 
 named-checkzone.@O@: named-checkzone.c
-	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+		-DVERSION=\"${VERSION}\" \
 		-c ${srcdir}/named-checkzone.c
 
-named-checkconf: named-checkconf.@O@ check-tool.@O@ ${ISCDEPLIBS} \
-		 ${ISCCFGDEPLIBS} ${DNSDEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ named-checkconf.@O@ \
-	check-tool.@O@ ${ISCCFGLIBS} ${DNSLIBS} ${ISCLIBS} ${LIBS}
+named-checkconf@EXEEXT@: named-checkconf.@O@ check-tool.@O@ ${ISCDEPLIBS} \
+		${ISCCFGDEPLIBS} ${BIND9DEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} -o $@ \
+	named-checkconf.@O@ check-tool.@O@ ${BIND9LIBS} ${ISCCFGLIBS} \
+	${DNSLIBS} ${ISCLIBS} ${LIBS}
 
-named-checkzone: named-checkzone.@O@ check-tool.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ named-checkzone.@O@ \
-	check-tool.@O@ ${DNSLIBS} ${ISCLIBS} ${LIBS}
+named-checkzone@EXEEXT@: named-checkzone.@O@ check-tool.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} -o $@ \
+	named-checkzone.@O@ check-tool.@O@ ${DNSLIBS} ${ISCLIBS} ${LIBS}
 
 doc man:: ${MANOBJS}
 
@@ -80,9 +86,9 @@ installdirs:
 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
 
-install:: named-checkconf named-checkzone installdirs
-	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkconf ${DESTDIR}${sbindir}
-	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkzone ${DESTDIR}${sbindir}
+install:: named-checkconf@EXEEXT@ named-checkzone@EXEEXT@ installdirs
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkconf@EXEEXT@ ${DESTDIR}${sbindir}
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkzone@EXEEXT@ ${DESTDIR}${sbindir}
 	for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8; done
 
 clean distclean::
diff --git a/bin/check/check-tool.c b/bin/check/check-tool.c
index fda04f4e..cefee82c 100644
--- a/bin/check/check-tool.c
+++ b/bin/check/check-tool.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) 2000-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,18 +15,41 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: check-tool.c,v 1.4.2.1 2004/03/09 06:09:08 marka Exp $ */
+/* $Id: check-tool.c,v 1.4.12.5 2004/03/08 04:04:13 marka Exp $ */
 
 #include <config.h>
 
 #include <stdio.h>
+#include <string.h>
 
 #include "check-tool.h"
 #include <isc/util.h>
 
+#include <isc/buffer.h>
 #include <isc/log.h>
+#include <isc/region.h>
+#include <isc/stdio.h>
 #include <isc/types.h>
 
+#include <dns/fixedname.h>
+#include <dns/name.h>
+#include <dns/rdataclass.h>
+#include <dns/types.h>
+#include <dns/zone.h>
+
+#define CHECK(r) \
+        do { \
+		result = (r); \
+                if (result != ISC_R_SUCCESS) \
+                        goto cleanup; \
+        } while (0)   
+
+static const char *dbtype[] = { "rbt" };
+
+int debug = 0;
+isc_boolean_t nomerge = ISC_TRUE;
+unsigned int zone_options = DNS_ZONEOPT_CHECKNS|DNS_ZONEOPT_MANYERRORS;
+
 isc_result_t
 setup_logging(isc_mem_t *mctx, isc_log_t **logp) {
 	isc_logdestination_t destination;
@@ -50,3 +73,87 @@ setup_logging(isc_mem_t *mctx, isc_log_t **logp) {
 	*logp = log;
 	return (ISC_R_SUCCESS);
 }
+
+isc_result_t
+load_zone(isc_mem_t *mctx, const char *zonename, const char *filename,
+	  const char *classname, dns_zone_t **zonep)
+{
+	isc_result_t result;
+	dns_rdataclass_t rdclass;
+	isc_textregion_t region;
+	isc_buffer_t buffer;
+	dns_fixedname_t fixorigin;
+	dns_name_t *origin;
+	dns_zone_t *zone = NULL;
+
+	REQUIRE(zonep == NULL || *zonep == NULL);
+
+	if (debug)
+		fprintf(stderr, "loading \"%s\" from \"%s\" class \"%s\"\n",
+			zonename, filename, classname);
+
+	CHECK(dns_zone_create(&zone, mctx));
+
+	dns_zone_settype(zone, dns_zone_master);
+
+	isc_buffer_init(&buffer, zonename, strlen(zonename));
+	isc_buffer_add(&buffer, strlen(zonename));
+	dns_fixedname_init(&fixorigin);
+	origin = dns_fixedname_name(&fixorigin);
+	CHECK(dns_name_fromtext(origin, &buffer, dns_rootname,
+			        ISC_FALSE, NULL));
+	CHECK(dns_zone_setorigin(zone, origin));
+	CHECK(dns_zone_setdbtype(zone, 1, (const char * const *) dbtype));
+	CHECK(dns_zone_setfile(zone, filename));
+
+	DE_CONST(classname, region.base);
+	region.length = strlen(classname);
+	CHECK(dns_rdataclass_fromtext(&rdclass, &region));
+
+	dns_zone_setclass(zone, rdclass);
+	dns_zone_setoption(zone, zone_options, ISC_TRUE);
+	dns_zone_setoption(zone, DNS_ZONEOPT_NOMERGE, nomerge);
+
+	CHECK(dns_zone_load(zone));
+	if (zonep != NULL){
+		*zonep = zone;
+		zone = NULL;
+	}
+
+ cleanup:
+	if (zone != NULL)
+		dns_zone_detach(&zone);
+	return (result);
+}
+
+isc_result_t
+dump_zone(const char *zonename, dns_zone_t *zone, const char *filename)
+{
+	isc_result_t result;
+	FILE *output = stdout;
+
+	if (debug) {
+		if (filename != NULL)
+			fprintf(stderr, "dumping \"%s\" to \"%s\"\n",
+				zonename, filename);
+		else
+			fprintf(stderr, "dumping \"%s\"\n", zonename);
+	}
+
+	if (filename != NULL) {
+		result = isc_stdio_open(filename, "w+", &output);
+
+		if (result != ISC_R_SUCCESS) {
+			fprintf(stderr, "could not open output "
+				"file \"%s\" for writing\n", filename);
+			return (ISC_R_FAILURE);
+		}
+	}
+
+	result = dns_zone_fulldumptostream(zone, output);
+
+	if (filename != NULL)
+		(void)isc_stdio_close(output);
+
+	return (result);
+}
diff --git a/bin/check/check-tool.h b/bin/check/check-tool.h
index 3e0dfd5b..105cd258 100644
--- a/bin/check/check-tool.h
+++ b/bin/check/check-tool.h
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) 2000-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: check-tool.h,v 1.2.2.1 2004/03/09 06:09:09 marka Exp $ */
+/* $Id: check-tool.h,v 1.2.12.5 2004/03/08 04:04:13 marka Exp $ */
 
 #ifndef CHECK_TOOL_H
 #define CHECK_TOOL_H
@@ -23,12 +23,24 @@
 #include <isc/lang.h>
 
 #include <isc/types.h>
+#include <dns/types.h>
 
 ISC_LANG_BEGINDECLS
 
 isc_result_t
 setup_logging(isc_mem_t *mctx, isc_log_t **logp);
 
+isc_result_t
+load_zone(isc_mem_t *mctx, const char *zonename, const char *filename,
+	  const char *classname, dns_zone_t **zonep);
+
+isc_result_t
+dump_zone(const char *zonename, dns_zone_t *zone, const char *filename);
+
+extern int debug;
+extern isc_boolean_t nomerge;
+extern unsigned int zone_options;
+
 ISC_LANG_ENDDECLS
 
 #endif
diff --git a/bin/check/named-checkconf.8 b/bin/check/named-checkconf.8
index 0ea2761f..1166de90 100644
--- a/bin/check/named-checkconf.8
+++ b/bin/check/named-checkconf.8
@@ -1,78 +1,59 @@
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000-2002 Internet Software Consortium.
-.\" 
+.\" Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000-2002  Internet Software Consortium.
+.\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
 .\" copyright notice and this permission notice appear in all copies.
-.\" 
+.\"
 .\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 .\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 .\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 .\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: named-checkconf.8,v 1.11.2.10 2007/06/20 02:25:45 marka Exp $
-.\"
-.hy 0
-.ad l
-.\"     Title: named\-checkconf
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: June 14, 2000
-.\"    Manual: BIND9
-.\"    Source: BIND9
+.\" $Id: named-checkconf.8,v 1.11.12.3 2004/03/08 04:04:13 marka Exp $
 .\"
-.TH "NAMED\-CHECKCONF" "8" "June 14, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-named\-checkconf \- named configuration file syntax checking tool
-.SH "SYNOPSIS"
-.HP 16
-\fBnamed\-checkconf\fR [\fB\-v\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] {filename}
+.TH "NAMED-CHECKCONF" "8" "June 14, 2000" "BIND9" ""
+.SH NAME
+named-checkconf \- named configuration file syntax checking tool
+.SH SYNOPSIS
+.sp
+\fBnamed-checkconf\fR [ \fB-v\fR ]  [ \fB-j\fR ]  [ \fB-t \fIdirectory\fB\fR ]  \fBfilename\fR [ \fB-z\fR ] 
 .SH "DESCRIPTION"
 .PP
-\fBnamed\-checkconf\fR
-checks the syntax, but not the semantics, of a named configuration file.
+\fBnamed-checkconf\fR checks the syntax, but not
+the semantics, of a named configuration file.
 .SH "OPTIONS"
-.PP
-\-t \fIdirectory\fR
-.RS 4
-Chroot to
-\fIdirectory\fR
-so that include directives in the configuration file are processed as if run by a similarly chrooted named.
-.RE
-.PP
-\-v
-.RS 4
-Print the version of the
-\fBnamed\-checkconf\fR
+.TP
+\fB-t \fIdirectory\fB\fR
+chroot to \fIdirectory\fR so that include
+directives in the configuration file are processed as if
+run by a similarly chrooted named.
+.TP
+\fB-v\fR
+Print the version of the \fBnamed-checkconf\fR
 program and exit.
-.RE
-.PP
-filename
-.RS 4
-The name of the configuration file to be checked. If not specified, it defaults to
-\fI/etc/named.conf\fR.
-.RE
+.TP
+\fB-z\fR
+Perform a check load the master zonefiles found in
+\fInamed.conf\fR.
+.TP
+\fB-j\fR
+When loading a zonefile read the journal if it exists.
+.TP
+\fBfilename\fR
+The name of the configuration file to be checked. If not
+specified, it defaults to \fI/etc/named.conf\fR.
 .SH "RETURN VALUES"
 .PP
-\fBnamed\-checkconf\fR
-returns an exit status of 1 if errors were detected and 0 otherwise.
+\fBnamed-checkconf\fR returns an exit status of 1 if
+errors were detected and 0 otherwise.
 .SH "SEE ALSO"
 .PP
 \fBnamed\fR(8),
-\fBnamed\-checkzone\fR(8),
-BIND 9 Administrator Reference Manual.
+\fIBIND 9 Administrator Reference Manual\fR.
 .SH "AUTHOR"
 .PP
-Internet Systems Consortium
-.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000\-2002 Internet Software Consortium.
-.br
+Internet Software Consortium
diff --git a/bin/check/named-checkconf.c b/bin/check/named-checkconf.c
index 16e6609c..88a7299b 100644
--- a/bin/check/named-checkconf.c
+++ b/bin/check/named-checkconf.c
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named-checkconf.c,v 1.12.2.3 2006/03/02 00:37:17 marka Exp $ */
+/* $Id: named-checkconf.c,v 1.12.12.7 2004/03/08 09:04:14 marka Exp $ */
 
 #include <config.h>
 
@@ -31,23 +31,35 @@
 #include <isc/string.h>
 #include <isc/util.h>
 
-#include <isccfg/cfg.h>
-#include <isccfg/check.h>
+#include <isccfg/namedconf.h>
+
+#include <bind9/check.h>
+
+#include <dns/log.h>
+#include <dns/result.h>
 
 #include "check-tool.h"
 
 isc_log_t *logc = NULL;
 
+#define CHECK(r)\
+	do { \
+		result = (r); \
+		if (result != ISC_R_SUCCESS) \
+			goto cleanup; \
+	} while (0)
+
 static void
 usage(void) {
-        fprintf(stderr, "usage: named-checkconf [-v] [-t directory] [named.conf]\n");
+        fprintf(stderr, "usage: named-checkconf [-j] [-v] [-z] [-t directory] "
+		"[named.conf]\n");
         exit(1);
 }
 
 static isc_result_t
-directory_callback(const char *clausename, const cfg_obj_t *obj, void *arg) {
+directory_callback(const char *clausename, cfg_obj_t *obj, void *arg) {
 	isc_result_t result;
-	const char *directory;
+	char *directory;
 
 	REQUIRE(strcasecmp("directory", clausename) == 0);
 
@@ -61,7 +73,7 @@ directory_callback(const char *clausename, const cfg_obj_t *obj, void *arg) {
 	result = isc_dir_chdir(directory);
 	if (result != ISC_R_SUCCESS) {
 		cfg_obj_log(obj, logc, ISC_LOG_ERROR,
-			    "change directory to '%s' failed: %s",
+			    "change directory to '%s' failed: %s\n",
 			    directory, isc_result_totext(result));
 		return (result);
 	}
@@ -69,6 +81,119 @@ directory_callback(const char *clausename, const cfg_obj_t *obj, void *arg) {
 	return (ISC_R_SUCCESS);
 }
 
+static isc_result_t
+configure_zone(const char *vclass, const char *view, cfg_obj_t *zconfig,
+	       isc_mem_t *mctx)
+{
+	isc_result_t result;
+	const char *zclass;
+	const char *zname;
+	const char *zfile;
+	cfg_obj_t *zoptions = NULL;
+	cfg_obj_t *classobj = NULL;
+	cfg_obj_t *typeobj = NULL;
+	cfg_obj_t *fileobj = NULL;
+	cfg_obj_t *dbobj = NULL;
+
+	zname = cfg_obj_asstring(cfg_tuple_get(zconfig, "name"));
+	classobj = cfg_tuple_get(zconfig, "class");
+        if (!cfg_obj_isstring(classobj))
+                zclass = vclass;
+        else
+		zclass = cfg_obj_asstring(classobj);
+	zoptions = cfg_tuple_get(zconfig, "options");
+	cfg_map_get(zoptions, "type", &typeobj);
+	if (typeobj == NULL)
+		return (ISC_R_FAILURE);
+	if (strcasecmp(cfg_obj_asstring(typeobj), "master") != 0)
+		return (ISC_R_SUCCESS);
+        cfg_map_get(zoptions, "database", &dbobj);
+        if (dbobj != NULL)
+                return (ISC_R_SUCCESS);
+	cfg_map_get(zoptions, "file", &fileobj);
+	if (fileobj == NULL)
+		return (ISC_R_FAILURE);
+	zfile = cfg_obj_asstring(fileobj);
+	result = load_zone(mctx, zname, zfile, zclass, NULL);
+	if (result != ISC_R_SUCCESS)
+		fprintf(stderr, "%s/%s/%s: %s\n", view, zname, zclass,
+			dns_result_totext(result));
+	return(result);
+}
+
+static isc_result_t
+configure_view(const char *vclass, const char *view, cfg_obj_t *config,
+	       cfg_obj_t *vconfig, isc_mem_t *mctx)
+{
+	cfg_listelt_t *element;
+	cfg_obj_t *voptions;
+	cfg_obj_t *zonelist;
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_result_t tresult;
+
+	voptions = NULL;
+	if (vconfig != NULL)
+		voptions = cfg_tuple_get(vconfig, "options");
+
+	zonelist = NULL;
+	if (voptions != NULL)
+		(void)cfg_map_get(voptions, "zone", &zonelist);
+	else
+		(void)cfg_map_get(config, "zone", &zonelist);
+
+	for (element = cfg_list_first(zonelist);
+	     element != NULL;
+	     element = cfg_list_next(element))
+	{
+		cfg_obj_t *zconfig = cfg_listelt_value(element);
+		tresult = configure_zone(vclass, view, zconfig, mctx);
+		if (tresult != ISC_R_SUCCESS)
+			result = tresult;
+	}
+	return (result);
+}
+
+
+static isc_result_t
+load_zones_fromconfig(cfg_obj_t *config, isc_mem_t *mctx) {
+	cfg_listelt_t *element;
+	cfg_obj_t *classobj;
+	cfg_obj_t *views;
+	cfg_obj_t *vconfig;
+	const char *vclass;
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_result_t tresult;
+
+	views = NULL;
+
+	(void)cfg_map_get(config, "view", &views);
+	for (element = cfg_list_first(views);
+	     element != NULL;
+	     element = cfg_list_next(element))
+	{
+		const char *vname;
+
+		vclass = "IN";
+		vconfig = cfg_listelt_value(element);
+		if (vconfig != NULL) {
+			classobj = cfg_tuple_get(vconfig, "class");
+			if (cfg_obj_isstring(classobj))
+				vclass = cfg_obj_asstring(classobj);
+		}
+		vname = cfg_obj_asstring(cfg_tuple_get(vconfig, "name"));
+		tresult = configure_view(vclass, vname, config, vconfig, mctx);
+		if (tresult != ISC_R_SUCCESS)
+			result = tresult;
+	}
+
+	if (views == NULL) {
+		tresult = configure_view("IN", "_default", config, NULL, mctx);
+		if (tresult != ISC_R_SUCCESS)
+			result = tresult;
+	}
+	return (result);
+}
+
 int
 main(int argc, char **argv) {
 	int c;
@@ -78,9 +203,18 @@ main(int argc, char **argv) {
 	isc_mem_t *mctx = NULL;
 	isc_result_t result;
 	int exit_status = 0;
-
-	while ((c = isc_commandline_parse(argc, argv, "t:v")) != EOF) {
+	isc_boolean_t load_zones = ISC_FALSE;
+	
+	while ((c = isc_commandline_parse(argc, argv, "djt:vz")) != EOF) {
 		switch (c) {
+		case 'd':
+			debug++;
+			break;
+
+		case 'j':
+			nomerge = ISC_FALSE;
+			break;
+
 		case 't':
 			result = isc_dir_chroot(isc_commandline_argument);
 			if (result != ISC_R_SUCCESS) {
@@ -100,6 +234,10 @@ main(int argc, char **argv) {
 			printf(VERSION "\n");
 			exit(0);
 
+		case 'z':
+			load_zones = ISC_TRUE;
+			break;
+
 		default:
 			usage();
 		}
@@ -114,6 +252,8 @@ main(int argc, char **argv) {
 
 	RUNTIME_CHECK(setup_logging(mctx, &logc) == ISC_R_SUCCESS);
 
+	dns_result_register();
+
 	RUNTIME_CHECK(cfg_parser_create(mctx, logc, &parser) == ISC_R_SUCCESS);
 
 	cfg_parser_setcallback(parser, directory_callback, NULL);
@@ -122,10 +262,18 @@ main(int argc, char **argv) {
 	    ISC_R_SUCCESS)
 		exit(1);
 
-	result = cfg_check_namedconf(config, logc, mctx);
+	result = bind9_check_namedconf(config, logc, mctx);
 	if (result != ISC_R_SUCCESS)
 		exit_status = 1;
 
+	if (result == ISC_R_SUCCESS && load_zones) {
+		dns_log_init(logc);
+                dns_log_setcontext(logc);
+		result = load_zones_fromconfig(config, mctx);
+		if (result != ISC_R_SUCCESS)
+			exit_status = 1;
+	}
+
 	cfg_obj_destroy(parser, &config);
 
 	cfg_parser_destroy(&parser);
diff --git a/bin/check/named-checkconf.docbook b/bin/check/named-checkconf.docbook
index a5897711..468f9269 100644
--- a/bin/check/named-checkconf.docbook
+++ b/bin/check/named-checkconf.docbook
@@ -1,9 +1,7 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
 <!--
- - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2002  Internet Software Consortium.
+ - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001, 2002  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -18,7 +16,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: named-checkconf.docbook,v 1.3.2.9 2007/06/19 07:52:23 marka Exp $ -->
+<!-- $Id: named-checkconf.docbook,v 1.3.2.1.8.4 2004/03/08 04:04:13 marka Exp $ -->
 
 <refentry>
   <refentryinfo>
@@ -31,21 +29,6 @@
     <refmiscinfo>BIND9</refmiscinfo>
   </refmeta>
 
-  <docinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2007</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <year>2002</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
-  </docinfo>
-
   <refnamediv>
     <refname><application>named-checkconf</application></refname>
     <refpurpose>named configuration file syntax checking tool</refpurpose>
@@ -55,8 +38,10 @@
     <cmdsynopsis>
       <command>named-checkconf</command>
       <arg><option>-v</option></arg>
+      <arg><option>-j</option></arg>
       <arg><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
       <arg choice="req">filename</arg>
+      <arg><option>-z</option></arg>
     </cmdsynopsis>
   </refsynopsisdiv>
 
@@ -76,7 +61,7 @@
         <term>-t <replaceable class="parameter">directory</replaceable></term>
 	<listitem>
 	  <para>
-	      Chroot to <filename>directory</filename> so that include
+	      chroot to <filename>directory</filename> so that include
 	      directives in the configuration file are processed as if
 	      run by a similarly chrooted named.
 	  </para>
@@ -94,6 +79,25 @@
       </varlistentry>
 
       <varlistentry>
+        <term>-z</term>
+	<listitem>
+	  <para>
+	      Perform a check load the master zonefiles found in
+	      <filename>named.conf</filename>.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-j</term>
+	<listitem>
+	  <para>
+	      When loading a zonefile read the journal if it exists.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
         <term>filename</term>
 	<listitem>
 	  <para>
@@ -112,7 +116,6 @@
     <para>
         <command>named-checkconf</command> returns an exit status of 1 if
 	errors were detected and 0 otherwise.
-    </para>
   </refsect1>
 
   <refsect1>
@@ -122,9 +125,6 @@
         <refentrytitle>named</refentrytitle>
 	<manvolnum>8</manvolnum>
       </citerefentry>,
-      <citerefentry>
-        <refentrytitle>named-checkzone</refentrytitle><manvolnum>8</manvolnum>
-      </citerefentry>,
       <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
     </para>
   </refsect1>
@@ -132,7 +132,7 @@
   <refsect1>
     <title>AUTHOR</title>
     <para>
-        <corpauthor>Internet Systems Consortium</corpauthor>
+        <corpauthor>Internet Software Consortium</corpauthor>
     </para>
   </refsect1>
 
diff --git a/bin/check/named-checkconf.html b/bin/check/named-checkconf.html
index 0e81f621..f4de0b29 100644
--- a/bin/check/named-checkconf.html
+++ b/bin/check/named-checkconf.html
@@ -1,84 +1,220 @@
 <!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2002 Internet Software Consortium.
- - 
+ - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001, 2002  Internet Software Consortium.
+ -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
- - 
+ -
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: named-checkconf.html,v 1.5.2.19 2007/06/20 02:25:45 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>named-checkconf</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476275"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p><span class="application">named-checkconf</span> &#8212; named configuration file syntax checking tool</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">named-checkconf</code>  [<code class="option">-v</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] {filename}</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543363"></a><h2>DESCRIPTION</h2>
-<p>
-        <span><strong class="command">named-checkconf</strong></span> checks the syntax, but not
+
+<!-- $Id: named-checkconf.html,v 1.5.2.1.4.3 2004/03/08 04:04:13 marka Exp $ -->
+
+<HTML
+><HEAD
+><TITLE
+>named-checkconf</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.73
+"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+><SPAN
+CLASS="APPLICATION"
+>named-checkconf</SPAN
+></A
+></H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN9"
+></A
+><H2
+>Name</H2
+><SPAN
+CLASS="APPLICATION"
+>named-checkconf</SPAN
+>&nbsp;--&nbsp;named configuration file syntax checking tool</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN13"
+></A
+><H2
+>Synopsis</H2
+><P
+><B
+CLASS="COMMAND"
+>named-checkconf</B
+>  [<TT
+CLASS="OPTION"
+>-v</TT
+>] [<TT
+CLASS="OPTION"
+>-j</TT
+>] [<TT
+CLASS="OPTION"
+>-t <TT
+CLASS="REPLACEABLE"
+><I
+>directory</I
+></TT
+></TT
+>] {filename} [<TT
+CLASS="OPTION"
+>-z</TT
+>]</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN26"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+>        <B
+CLASS="COMMAND"
+>named-checkconf</B
+> checks the syntax, but not
 	the semantics, of a named configuration file.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543376"></a><h2>OPTIONS</h2>
-<div class="variablelist"><dl>
-<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
-<dd><p>
-	      Chroot to <code class="filename">directory</code> so that include
+    </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN30"
+></A
+><H2
+>OPTIONS</H2
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+>-t <TT
+CLASS="REPLACEABLE"
+><I
+>directory</I
+></TT
+></DT
+><DD
+><P
+>	      chroot to <TT
+CLASS="FILENAME"
+>directory</TT
+> so that include
 	      directives in the configuration file are processed as if
 	      run by a similarly chrooted named.
-	  </p></dd>
-<dt><span class="term">-v</span></dt>
-<dd><p>
-	      Print the version of the <span><strong class="command">named-checkconf</strong></span>
+	  </P
+></DD
+><DT
+>-v</DT
+><DD
+><P
+>	      Print the version of the <B
+CLASS="COMMAND"
+>named-checkconf</B
+>
 	      program and exit.
-	  </p></dd>
-<dt><span class="term">filename</span></dt>
-<dd><p>
-	       The name of the configuration file to be checked.  If not
-	       specified, it defaults to <code class="filename">/etc/named.conf</code>.
-	  </p></dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543438"></a><h2>RETURN VALUES</h2>
-<p>
-        <span><strong class="command">named-checkconf</strong></span> returns an exit status of 1 if
+	  </P
+></DD
+><DT
+>-z</DT
+><DD
+><P
+>	      Perform a check load the master zonefiles found in
+	      <TT
+CLASS="FILENAME"
+>named.conf</TT
+>.
+	  </P
+></DD
+><DT
+>-j</DT
+><DD
+><P
+>	      When loading a zonefile read the journal if it exists.
+	  </P
+></DD
+><DT
+>filename</DT
+><DD
+><P
+>	       The name of the configuration file to be checked.  If not
+	       specified, it defaults to <TT
+CLASS="FILENAME"
+>/etc/named.conf</TT
+>.
+	  </P
+></DD
+></DL
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN58"
+></A
+><H2
+>RETURN VALUES</H2
+><P
+>        <B
+CLASS="COMMAND"
+>named-checkconf</B
+> returns an exit status of 1 if
 	errors were detected and 0 otherwise.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543451"></a><h2>SEE ALSO</h2>
-<p>
-      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
-      <span class="citerefentry"><span class="refentrytitle">named-checkzone</span>(8)</span>,
-      <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543483"></a><h2>AUTHOR</h2>
-<p>
-        <span class="corpauthor">Internet Systems Consortium</span>
-    </p>
-</div>
-</div></body>
-</html>
+  </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN62"
+></A
+><H2
+>SEE ALSO</H2
+><P
+>      <SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>named</SPAN
+>(8)</SPAN
+>,
+      <I
+CLASS="CITETITLE"
+>BIND 9 Administrator Reference Manual</I
+>.
+    </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN69"
+></A
+><H2
+>AUTHOR</H2
+><P
+>        Internet Software Consortium
+    </P
+></DIV
+></BODY
+></HTML
+>
diff --git a/bin/check/named-checkzone.8 b/bin/check/named-checkzone.8
index 875f834c..bdf2e14f 100644
--- a/bin/check/named-checkzone.8
+++ b/bin/check/named-checkzone.8
@@ -1,100 +1,94 @@
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000-2002 Internet Software Consortium.
-.\" 
+.\" Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000-2002  Internet Software Consortium.
+.\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
 .\" copyright notice and this permission notice appear in all copies.
-.\" 
+.\"
 .\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 .\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 .\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 .\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: named-checkzone.8,v 1.11.2.10 2007/06/20 02:25:45 marka Exp $
-.\"
-.hy 0
-.ad l
-.\"     Title: named\-checkzone
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: June 13, 2000
-.\"    Manual: BIND9
-.\"    Source: BIND9
+.\" $Id: named-checkzone.8,v 1.11.2.1.8.3 2004/03/08 04:04:14 marka Exp $
 .\"
-.TH "NAMED\-CHECKZONE" "8" "June 13, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-named\-checkzone \- zone file validity checking tool
-.SH "SYNOPSIS"
-.HP 16
-\fBnamed\-checkzone\fR [\fB\-d\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] {zonename} {filename}
+.TH "NAMED-CHECKZONE" "8" "June 13, 2000" "BIND9" ""
+.SH NAME
+named-checkzone \- zone file validity checking tool
+.SH SYNOPSIS
+.sp
+\fBnamed-checkzone\fR [ \fB-d\fR ]  [ \fB-j\fR ]  [ \fB-q\fR ]  [ \fB-v\fR ]  [ \fB-c \fIclass\fB\fR ]  [ \fB-k \fImode\fB\fR ]  [ \fB-n \fImode\fB\fR ]  [ \fB-o \fIfilename\fB\fR ]  [ \fB-t \fIdirectory\fB\fR ]  [ \fB-w \fIdirectory\fB\fR ]  [ \fB-D\fR ]  \fBzonename\fR \fBfilename\fR
 .SH "DESCRIPTION"
 .PP
-\fBnamed\-checkzone\fR
-checks the syntax and integrity of a zone file. It performs the same checks as
-\fBnamed\fR
+\fBnamed-checkzone\fR checks the syntax and integrity of
+a zone file. It performs the same checks as \fBnamed\fR
 does when loading a zone. This makes
-\fBnamed\-checkzone\fR
-useful for checking zone files before configuring them into a name server.
+\fBnamed-checkzone\fR useful for checking zone
+files before configuring them into a name server.
 .SH "OPTIONS"
-.PP
-\-d
-.RS 4
+.TP
+\fB-d\fR
 Enable debugging.
-.RE
-.PP
-\-q
-.RS 4
-Quiet mode \- exit code only.
-.RE
-.PP
-\-v
-.RS 4
-Print the version of the
-\fBnamed\-checkzone\fR
+.TP
+\fB-q\fR
+Quiet mode - exit code only.
+.TP
+\fB-v\fR
+Print the version of the \fBnamed-checkzone\fR
 program and exit.
-.RE
-.PP
-\-j
-.RS 4
+.TP
+\fB-j\fR
 When loading the zone file read the journal if it exists.
-.RE
-.PP
-\-c \fIclass\fR
-.RS 4
+.TP
+\fB-c \fIclass\fB\fR
 Specify the class of the zone. If not specified "IN" is assumed.
-.RE
-.PP
-zonename
-.RS 4
+.TP
+\fB-k \fImode\fB\fR
+Perform \fB"check-name"\fR checks with the specified failure mode.
+Possible modes are \fB"fail"\fR,
+\fB"warn"\fR (default) and
+\fB"ignore"\fR.
+.TP
+\fB-n \fImode\fB\fR
+Specify whether NS records should be checked to see if they
+are addresses. Possible modes are \fB"fail"\fR,
+\fB"warn"\fR (default) and
+\fB"ignore"\fR.
+.TP
+\fB-o \fIfilename\fB\fR
+Write zone output to \fIdirectory\fR.
+.TP
+\fB-t \fIdirectory\fB\fR
+chroot to \fIdirectory\fR so that include
+directives in the configuration file are processed as if
+run by a similarly chrooted named.
+.TP
+\fB-w \fIdirectory\fB\fR
+chdir to \fIdirectory\fR so that relative
+filenames in master file $INCLUDE directives work. This
+is similar to the directory clause in
+\fInamed.conf\fR.
+.TP
+\fB-D\fR
+Dump zone file in canonical format.
+.TP
+\fBzonename\fR
 The domain name of the zone being checked.
-.RE
-.PP
-filename
-.RS 4
+.TP
+\fBfilename\fR
 The name of the zone file.
-.RE
 .SH "RETURN VALUES"
 .PP
-\fBnamed\-checkzone\fR
-returns an exit status of 1 if errors were detected and 0 otherwise.
+\fBnamed-checkzone\fR returns an exit status of 1 if
+errors were detected and 0 otherwise.
 .SH "SEE ALSO"
 .PP
 \fBnamed\fR(8),
-\fBnamed\-checkconf\fR(8),
-RFC 1035,
-BIND 9 Administrator Reference Manual.
+\fIRFC 1035\fR,
+\fIBIND 9 Administrator Reference Manual\fR.
 .SH "AUTHOR"
 .PP
-Internet Systems Consortium
-.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000\-2002 Internet Software Consortium.
-.br
+Internet Software Consortium
diff --git a/bin/check/named-checkzone.c b/bin/check/named-checkzone.c
index 48d7c1bc..d023bd68 100644
--- a/bin/check/named-checkzone.c
+++ b/bin/check/named-checkzone.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
+ * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named-checkzone.c,v 1.13.2.5 2004/10/25 01:45:25 marka Exp $ */
+/* $Id: named-checkzone.c,v 1.13.2.3.8.9 2004/03/06 10:21:11 marka Exp $ */
 
 #include <config.h>
 
@@ -23,8 +23,7 @@
 
 #include <isc/app.h>
 #include <isc/commandline.h>
-#include <isc/entropy.h>
-#include <isc/hash.h>
+#include <isc/dir.h>
 #include <isc/log.h>
 #include <isc/mem.h>
 #include <isc/socket.h>
@@ -43,14 +42,12 @@
 
 #include "check-tool.h"
 
-static int debug = 0;
-isc_boolean_t nomerge = ISC_TRUE;
 static int quiet = 0;
 static isc_mem_t *mctx = NULL;
-static isc_entropy_t *ectx = NULL;
 dns_zone_t *zone = NULL;
 dns_zonetype_t zonetype = dns_zone_master;
-static const char *dbtype[] = { "rbt" };
+static int dumpzone = 0;
+static const char *output_filename;
 
 #define ERRRET(result, function) \
 	do { \
@@ -65,58 +62,11 @@ static const char *dbtype[] = { "rbt" };
 static void
 usage(void) {
 	fprintf(stderr,
-		"usage: named-checkzone [-djqv] [-c class] zonename filename \n");
+		"usage: named-checkzone [-djqvD] [-c class] [-o output] "
+		"[-t directory] [-w directory] [-k option] zonename filename\n");
 	exit(1);
 }
 
-static isc_result_t
-setup(char *zonename, char *filename, char *classname) {
-	isc_result_t result;
-	dns_rdataclass_t rdclass;
-	isc_textregion_t region;
-	isc_buffer_t buffer;
-	dns_fixedname_t fixorigin;
-	dns_name_t *origin;
-
-	if (debug)
-		fprintf(stderr, "loading \"%s\" from \"%s\" class \"%s\"\n",
-			zonename, filename, classname);
-	result = dns_zone_create(&zone, mctx);
-	ERRRET(result, "dns_zone_new");
-
-	dns_zone_settype(zone, zonetype);
-
-	isc_buffer_init(&buffer, zonename, strlen(zonename));
-	isc_buffer_add(&buffer, strlen(zonename));
-	dns_fixedname_init(&fixorigin);
-	result = dns_name_fromtext(dns_fixedname_name(&fixorigin),
-			  	   &buffer, dns_rootname, ISC_FALSE, NULL);
-	ERRRET(result, "dns_name_fromtext");
-	origin = dns_fixedname_name(&fixorigin);
-
-	result = dns_zone_setorigin(zone, origin);
-	ERRRET(result, "dns_zone_setorigin");
-
-	result = dns_zone_setdbtype(zone, 1, (const char * const *) dbtype);
-	ERRRET(result, "dns_zone_setdatabase");
-
-	result = dns_zone_setfile(zone, filename);
-	ERRRET(result, "dns_zone_setdatabase");
-
-	region.base = classname;
-	region.length = strlen(classname);
-	result = dns_rdataclass_fromtext(&rdclass, &region);
-	ERRRET(result, "dns_rdataclass_fromtext");
-
-	dns_zone_setclass(zone, rdclass);
-	dns_zone_setoption(zone, DNS_ZONEOPT_MANYERRORS, ISC_TRUE);
-	dns_zone_setoption(zone, DNS_ZONEOPT_NOMERGE, nomerge);
-
-	result = dns_zone_load(zone);
-
-	return (result);
-}
-
 static void
 destroy(void) {
 	if (zone != NULL)
@@ -132,12 +82,14 @@ main(int argc, char **argv) {
 	isc_result_t result;
 	char classname_in[] = "IN";
 	char *classname = classname_in;
+	const char *workdir = NULL;
 
-	while ((c = isc_commandline_parse(argc, argv, "c:djqsv")) != EOF) {
+	while ((c = isc_commandline_parse(argc, argv, "c:dijk:n:qst:o:vw:D")) != EOF) {
 		switch (c) {
 		case 'c':
 			classname = isc_commandline_argument;
 			break;
+
 		case 'd':
 			debug++;
 			break;
@@ -145,17 +97,79 @@ main(int argc, char **argv) {
 		case 'j':
 			nomerge = ISC_FALSE;
 			break;
+
+		case 'n':
+			if (!strcmp(isc_commandline_argument, "ignore"))
+				zone_options &= ~(DNS_ZONEOPT_CHECKNS|
+						  DNS_ZONEOPT_FATALNS);
+			else if (!strcmp(isc_commandline_argument, "warn")) {
+				zone_options |= DNS_ZONEOPT_CHECKNS;
+				zone_options &= ~DNS_ZONEOPT_FATALNS;
+			} else if (!strcmp(isc_commandline_argument, "fail"))
+				zone_options |= DNS_ZONEOPT_CHECKNS|
+					        DNS_ZONEOPT_FATALNS;
+			break;
+
+		case 'k':
+			if (!strcmp(isc_commandline_argument, "check-names")) {
+				zone_options |= DNS_ZONEOPT_CHECKNAMES;
+			} else if (!strcmp(isc_commandline_argument,
+					   "check-names-fail")) {
+				zone_options |= DNS_ZONEOPT_CHECKNAMES |
+						DNS_ZONEOPT_CHECKNAMESFAIL;
+			}
+			break;
+
 		case 'q':
 			quiet++;
 			break;
+
+		case 't':
+			result = isc_dir_chroot(isc_commandline_argument);
+			if (result != ISC_R_SUCCESS) {
+				fprintf(stderr, "isc_dir_chroot: %s: %s\n",
+					isc_commandline_argument,
+					isc_result_totext(result));
+				exit(1);
+			}
+			result = isc_dir_chdir("/");
+			if (result != ISC_R_SUCCESS) {
+				fprintf(stderr, "isc_dir_chdir: %s\n",
+					isc_result_totext(result));
+				exit(1);
+			}
+			break;
+
+		case 'o':
+			output_filename = isc_commandline_argument;
+			break;
+
 		case 'v':
 			printf(VERSION "\n");
 			exit(0);
+
+		case 'w':
+			workdir = isc_commandline_argument;
+			break;
+
+		case 'D':
+			dumpzone++;
+			break;
+
 		default:
 			usage();
 		}
 	}
 
+	if (workdir != NULL) {
+		result = isc_dir_chdir(workdir);
+		if (result != ISC_R_SUCCESS) {
+			fprintf(stderr, "isc_dir_chdir: %s: %s\n",
+				workdir, isc_result_totext(result));
+			exit(1);
+		}
+	}
+
 	if (isc_commandline_index + 2 > argc)
 		usage();
 
@@ -165,22 +179,22 @@ main(int argc, char **argv) {
 		dns_log_init(lctx);
 		dns_log_setcontext(lctx);
 	}
-	RUNTIME_CHECK(isc_entropy_create(mctx, &ectx) == ISC_R_SUCCESS);
-	RUNTIME_CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)
-		      == ISC_R_SUCCESS);
 
 	dns_result_register();
 
 	origin = argv[isc_commandline_index++];
 	filename = argv[isc_commandline_index++];
-	result = setup(origin, filename, classname);
+	result = load_zone(mctx, origin, filename, classname, &zone);
+
+	if (result == ISC_R_SUCCESS && dumpzone) {
+		result = dump_zone(origin, zone, output_filename);
+	}
+
 	if (!quiet && result == ISC_R_SUCCESS)
 		fprintf(stdout, "OK\n");
 	destroy();
 	if (lctx != NULL)
 		isc_log_destroy(&lctx);
-	isc_hash_destroy();
-	isc_entropy_detach(&ectx);
 	isc_mem_destroy(&mctx);
 	return ((result == ISC_R_SUCCESS) ? 0 : 1);
 }
diff --git a/bin/check/named-checkzone.docbook b/bin/check/named-checkzone.docbook
index 0652ac3a..a31612cf 100644
--- a/bin/check/named-checkzone.docbook
+++ b/bin/check/named-checkzone.docbook
@@ -1,9 +1,7 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
 <!--
- - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2002  Internet Software Consortium.
+ - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001, 2002  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -18,7 +16,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: named-checkzone.docbook,v 1.3.2.9 2007/06/19 07:52:23 marka Exp $ -->
+<!-- $Id: named-checkzone.docbook,v 1.3.2.2.8.6 2004/03/08 04:04:14 marka Exp $ -->
 
 <refentry>
   <refentryinfo>
@@ -31,21 +29,6 @@
     <refmiscinfo>BIND9</refmiscinfo>
   </refmeta>
 
-  <docinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2007</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <year>2002</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
-  </docinfo>
-
   <refnamediv>
     <refname><application>named-checkzone</application></refname>
     <refpurpose>zone file validity checking tool</refpurpose>
@@ -59,6 +42,12 @@
       <arg><option>-q</option></arg>
       <arg><option>-v</option></arg>
       <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
+      <arg><option>-k <replaceable class="parameter">mode</replaceable></option></arg>
+      <arg><option>-n <replaceable class="parameter">mode</replaceable></option></arg>
+      <arg><option>-o <replaceable class="parameter">filename</replaceable></option></arg>
+      <arg><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
+      <arg><option>-w <replaceable class="parameter">directory</replaceable></option></arg>
+      <arg><option>-D</option></arg>
       <arg choice="req">zonename</arg>
       <arg choice="req">filename</arg>
     </cmdsynopsis>
@@ -114,7 +103,6 @@
               When loading the zone file read the journal if it exists.
           </para>   
         </listitem>
-      </varlistentry>
 
       <varlistentry>
         <term>-c <replaceable class="parameter">class</replaceable></term>
@@ -126,6 +114,71 @@
       </varlistentry>
 
       <varlistentry>
+        <term>-k <replaceable class="parameter">mode</replaceable></term>
+	<listitem>
+	  <para>
+	      Perform <command>"check-name"</command> checks with the specified failure mode.
+	      Possible modes are <command>"fail"</command>,
+	      <command>"warn"</command> (default) and
+	      <command>"ignore"</command>.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-n <replaceable class="parameter">mode</replaceable></term>
+	<listitem>
+	  <para>
+	      Specify whether NS records should be checked to see if they
+	      are addresses.  Possible modes are <command>"fail"</command>,
+	      <command>"warn"</command> (default) and
+	      <command>"ignore"</command>.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-o <replaceable class="parameter">filename</replaceable></term>
+        <listitem>
+          <para>
+	      Write zone output to <filename>directory</filename>.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-t <replaceable class="parameter">directory</replaceable></term>
+        <listitem>
+          <para>
+              chroot to <filename>directory</filename> so that include
+              directives in the configuration file are processed as if
+              run by a similarly chrooted named.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-w <replaceable class="parameter">directory</replaceable></term>
+        <listitem>
+          <para>
+              chdir to <filename>directory</filename> so that relative
+	      filenames in master file $INCLUDE directives work.  This
+	      is similar to the directory clause in
+	      <filename>named.conf</filename>.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-D</term>
+	<listitem>
+	  <para>
+	      Dump zone file in canonical format.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
         <term>zonename</term>
 	<listitem>
 	  <para>
@@ -152,7 +205,6 @@
     <para>
         <command>named-checkzone</command> returns an exit status of 1 if
 	errors were detected and 0 otherwise.
-    </para>
   </refsect1>
 
   <refsect1>
@@ -162,9 +214,6 @@
         <refentrytitle>named</refentrytitle>
 	<manvolnum>8</manvolnum>
       </citerefentry>,
-      <citerefentry>
-        <refentrytitle>named-checkconf</refentrytitle><manvolnum>8</manvolnum>  
-      </citerefentry>,
       <citetitle>RFC 1035</citetitle>,
       <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
     </para>
@@ -173,7 +222,7 @@
   <refsect1>
     <title>AUTHOR</title>
     <para>
-        <corpauthor>Internet Systems Consortium</corpauthor>
+        <corpauthor>Internet Software Consortium</corpauthor>
     </para>
   </refsect1>
 
diff --git a/bin/check/named-checkzone.html b/bin/check/named-checkzone.html
index 8bb2cb5c..5939050e 100644
--- a/bin/check/named-checkzone.html
+++ b/bin/check/named-checkzone.html
@@ -1,101 +1,391 @@
 <!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2002 Internet Software Consortium.
- - 
+ - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001, 2002  Internet Software Consortium.
+ -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
- - 
+ -
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: named-checkzone.html,v 1.5.2.18 2007/06/20 02:25:45 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>named-checkzone</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476275"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p><span class="application">named-checkzone</span> &#8212; zone file validity checking tool</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">named-checkzone</code>  [<code class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] {zonename} {filename}</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543381"></a><h2>DESCRIPTION</h2>
-<p>
-        <span><strong class="command">named-checkzone</strong></span> checks the syntax and integrity of
-	a zone file.  It performs the same checks as <span><strong class="command">named</strong></span>
+
+<!-- $Id: named-checkzone.html,v 1.5.2.2.4.3 2004/03/08 04:04:14 marka Exp $ -->
+
+<HTML
+><HEAD
+><TITLE
+>named-checkzone</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.73
+"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+><SPAN
+CLASS="APPLICATION"
+>named-checkzone</SPAN
+></A
+></H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN9"
+></A
+><H2
+>Name</H2
+><SPAN
+CLASS="APPLICATION"
+>named-checkzone</SPAN
+>&nbsp;--&nbsp;zone file validity checking tool</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN13"
+></A
+><H2
+>Synopsis</H2
+><P
+><B
+CLASS="COMMAND"
+>named-checkzone</B
+>  [<TT
+CLASS="OPTION"
+>-d</TT
+>] [<TT
+CLASS="OPTION"
+>-j</TT
+>] [<TT
+CLASS="OPTION"
+>-q</TT
+>] [<TT
+CLASS="OPTION"
+>-v</TT
+>] [<TT
+CLASS="OPTION"
+>-c <TT
+CLASS="REPLACEABLE"
+><I
+>class</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-k <TT
+CLASS="REPLACEABLE"
+><I
+>mode</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-n <TT
+CLASS="REPLACEABLE"
+><I
+>mode</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-o <TT
+CLASS="REPLACEABLE"
+><I
+>filename</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-t <TT
+CLASS="REPLACEABLE"
+><I
+>directory</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-w <TT
+CLASS="REPLACEABLE"
+><I
+>directory</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-D</TT
+>] {zonename} {filename}</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN46"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+>        <B
+CLASS="COMMAND"
+>named-checkzone</B
+> checks the syntax and integrity of
+	a zone file.  It performs the same checks as <B
+CLASS="COMMAND"
+>named</B
+>
 	does when loading a zone.  This makes
-	<span><strong class="command">named-checkzone</strong></span> useful for checking zone
+	<B
+CLASS="COMMAND"
+>named-checkzone</B
+> useful for checking zone
 	files before configuring them into a name server.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543401"></a><h2>OPTIONS</h2>
-<div class="variablelist"><dl>
-<dt><span class="term">-d</span></dt>
-<dd><p>
-	      Enable debugging.
-	  </p></dd>
-<dt><span class="term">-q</span></dt>
-<dd><p>
-	      Quiet mode - exit code only.
-	  </p></dd>
-<dt><span class="term">-v</span></dt>
-<dd><p>
-	      Print the version of the <span><strong class="command">named-checkzone</strong></span>
+    </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN52"
+></A
+><H2
+>OPTIONS</H2
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+>-d</DT
+><DD
+><P
+>	      Enable debugging.
+	  </P
+></DD
+><DT
+>-q</DT
+><DD
+><P
+>	      Quiet mode - exit code only.
+	  </P
+></DD
+><DT
+>-v</DT
+><DD
+><P
+>	      Print the version of the <B
+CLASS="COMMAND"
+>named-checkzone</B
+>
 	      program and exit.
-	  </p></dd>
-<dt><span class="term">-j</span></dt>
-<dd><p>
-              When loading the zone file read the journal if it exists.
-          </p></dd>
-<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
-<dd><p>
-	      Specify the class of the zone.  If not specified "IN" is assumed.
-	  </p></dd>
-<dt><span class="term">zonename</span></dt>
-<dd><p>
-	       The domain name of the zone being checked.
-	  </p></dd>
-<dt><span class="term">filename</span></dt>
-<dd><p>
-	       The name of the zone file.
-	  </p></dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543512"></a><h2>RETURN VALUES</h2>
-<p>
-        <span><strong class="command">named-checkzone</strong></span> returns an exit status of 1 if
+	  </P
+></DD
+><DT
+>-j</DT
+><DD
+><P
+>              When loading the zone file read the journal if it exists.
+          </P
+></DD
+><DT
+>-c <TT
+CLASS="REPLACEABLE"
+><I
+>class</I
+></TT
+></DT
+><DD
+><P
+>	      Specify the class of the zone.  If not specified "IN" is assumed.
+	  </P
+></DD
+><DT
+>-k <TT
+CLASS="REPLACEABLE"
+><I
+>mode</I
+></TT
+></DT
+><DD
+><P
+>	      Perform <B
+CLASS="COMMAND"
+>"check-name"</B
+> checks with the specified failure mode.
+	      Possible modes are <B
+CLASS="COMMAND"
+>"fail"</B
+>,
+	      <B
+CLASS="COMMAND"
+>"warn"</B
+> (default) and
+	      <B
+CLASS="COMMAND"
+>"ignore"</B
+>.
+	  </P
+></DD
+><DT
+>-n <TT
+CLASS="REPLACEABLE"
+><I
+>mode</I
+></TT
+></DT
+><DD
+><P
+>	      Specify whether NS records should be checked to see if they
+	      are addresses.  Possible modes are <B
+CLASS="COMMAND"
+>"fail"</B
+>,
+	      <B
+CLASS="COMMAND"
+>"warn"</B
+> (default) and
+	      <B
+CLASS="COMMAND"
+>"ignore"</B
+>.
+	  </P
+></DD
+><DT
+>-o <TT
+CLASS="REPLACEABLE"
+><I
+>filename</I
+></TT
+></DT
+><DD
+><P
+>	      Write zone output to <TT
+CLASS="FILENAME"
+>directory</TT
+>.
+          </P
+></DD
+><DT
+>-t <TT
+CLASS="REPLACEABLE"
+><I
+>directory</I
+></TT
+></DT
+><DD
+><P
+>              chroot to <TT
+CLASS="FILENAME"
+>directory</TT
+> so that include
+              directives in the configuration file are processed as if
+              run by a similarly chrooted named.
+          </P
+></DD
+><DT
+>-w <TT
+CLASS="REPLACEABLE"
+><I
+>directory</I
+></TT
+></DT
+><DD
+><P
+>              chdir to <TT
+CLASS="FILENAME"
+>directory</TT
+> so that relative
+	      filenames in master file $INCLUDE directives work.  This
+	      is similar to the directory clause in
+	      <TT
+CLASS="FILENAME"
+>named.conf</TT
+>.
+          </P
+></DD
+><DT
+>-D</DT
+><DD
+><P
+>	      Dump zone file in canonical format.
+	  </P
+></DD
+><DT
+>zonename</DT
+><DD
+><P
+>	       The domain name of the zone being checked.
+	  </P
+></DD
+><DT
+>filename</DT
+><DD
+><P
+>	       The name of the zone file.
+	  </P
+></DD
+></DL
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN125"
+></A
+><H2
+>RETURN VALUES</H2
+><P
+>        <B
+CLASS="COMMAND"
+>named-checkzone</B
+> returns an exit status of 1 if
 	errors were detected and 0 otherwise.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543525"></a><h2>SEE ALSO</h2>
-<p>
-      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
-      <span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
-      <em class="citetitle">RFC 1035</em>,
-      <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543560"></a><h2>AUTHOR</h2>
-<p>
-        <span class="corpauthor">Internet Systems Consortium</span>
-    </p>
-</div>
-</div></body>
-</html>
+  </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN129"
+></A
+><H2
+>SEE ALSO</H2
+><P
+>      <SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>named</SPAN
+>(8)</SPAN
+>,
+      <I
+CLASS="CITETITLE"
+>RFC 1035</I
+>,
+      <I
+CLASS="CITETITLE"
+>BIND 9 Administrator Reference Manual</I
+>.
+    </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN137"
+></A
+><H2
+>AUTHOR</H2
+><P
+>        Internet Software Consortium
+    </P
+></DIV
+></BODY
+></HTML
+>
diff --git a/bin/check/win32/checktool.dsp b/bin/check/win32/checktool.dsp
deleted file mode 100644
index 772e4230..00000000
--- a/bin/check/win32/checktool.dsp
+++ /dev/null
@@ -1,113 +0,0 @@
-# Microsoft Developer Studio Project File - Name="checktool" - Package Owner=<4>

-# Microsoft Developer Studio Generated Build File, Format Version 6.00

-# ** DO NOT EDIT **

-

-# TARGTYPE "Win32 (x86) Static-Link Library" 0x0104

-

-CFG=checktool - Win32 Debug

-!MESSAGE This is not a valid makefile. To build this project using NMAKE,

-!MESSAGE use the Export Makefile command and run

-!MESSAGE 

-!MESSAGE NMAKE /f "checktool.mak".

-!MESSAGE 

-!MESSAGE You can specify a configuration when running NMAKE

-!MESSAGE by defining the macro CFG on the command line. For example:

-!MESSAGE 

-!MESSAGE NMAKE /f "checktool.mak" CFG="checktool - Win32 Debug"

-!MESSAGE 

-!MESSAGE Possible choices for configuration are:

-!MESSAGE 

-!MESSAGE "checktool - Win32 Release" (based on "Win32 (x86) Static-Link Library")

-!MESSAGE "checktool - Win32 Debug" (based on "Win32 (x86) Static-Link Library")

-!MESSAGE 

-

-# Begin Project

-# PROP AllowPerConfigDependencies 0

-# PROP Scc_ProjName ""

-# PROP Scc_LocalPath ""

-CPP=cl.exe

-MTL=midl.exe

-RSC=rc.exe

-

-!IF  "$(CFG)" == "checktool - Win32 Release"

-

-# PROP BASE Use_MFC 0

-# PROP BASE Use_Debug_Libraries 0

-# PROP BASE Output_Dir "Release"

-# PROP BASE Intermediate_Dir "Release"

-# PROP BASE Target_Dir ""

-# PROP Use_MFC 0

-# PROP Use_Debug_Libraries 0

-# PROP Output_Dir "Release"

-# PROP Intermediate_Dir "Release"

-# PROP Ignore_Export_Lib 0

-# PROP Target_Dir ""

-# ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /YX /FD /c

-# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /YX /FD /c /Fdchecktool

-# SUBTRACT CPP /X

-# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32

-# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32

-# ADD BASE RSC /l 0x409 /d "NDEBUG"

-# ADD RSC /l 0x409 /d "NDEBUG"

-BSC32=bscmake.exe

-# ADD BASE BSC32 /nologo

-# ADD BSC32 /nologo

-LINK32=link.exe

-# ADD BASE LINK32 

-# ADD LINK32 /out:"Release/checktool.lib"

-

-!ELSEIF  "$(CFG)" == "checktool - Win32 Debug"

-

-# PROP BASE Use_MFC 0

-# PROP BASE Use_Debug_Libraries 1

-# PROP BASE Output_Dir "Debug"

-# PROP BASE Intermediate_Dir "Debug"

-# PROP BASE Target_Dir ""

-# PROP Use_MFC 0

-# PROP Use_Debug_Libraries 1

-# PROP Output_Dir "Debug"

-# PROP Intermediate_Dir "Debug"

-# PROP Ignore_Export_Lib 0

-# PROP Target_Dir ""

-# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /YX /FD /GZ /c

-# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /FR /YX /FD /GZ /c /Fdchecktool

-# SUBTRACT CPP /X

-# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32

-# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32

-# ADD BASE RSC /l 0x409 /d "_DEBUG"

-# ADD RSC /l 0x409 /d "_DEBUG"

-BSC32=bscmake.exe

-# ADD BASE BSC32 /nologo

-# ADD BSC32 /nologo

-LINK32=link.exe

-# ADD BASE LINK32 

-# ADD LINK32 /debug out:"Debug/checktool.lib"

-

-!ENDIF 

-

-# Begin Target

-

-# Name "checktool - Win32 Release"

-# Name "checktool - Win32 Debug"

-# Begin Group "Source Files"

-

-# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"

-# End Group

-# Begin Group "Header Files"

-

-# PROP Default_Filter "h;hpp;hxx;hm;inl"

-# End Group

-# Begin Group "Resource Files"

-

-# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"

-# End Group

-# Begin Group "Main Dns Lib"

-

-# PROP Default_Filter "c"

-# Begin Source File

-

-SOURCE=..\check-tool.c

-# End Source File

-# End Group

-# End Target

-# End Project

diff --git a/bin/check/win32/checktool.dsw b/bin/check/win32/checktool.dsw
deleted file mode 100644
index bb139e77..00000000
--- a/bin/check/win32/checktool.dsw
+++ /dev/null
@@ -1,29 +0,0 @@
-Microsoft Developer Studio Workspace File, Format Version 6.00

-# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!

-

-###############################################################################

-

-Project: "checktool"=".\checktool.dsp" - Package Owner=<4>

-

-Package=<5>

-{{{

-}}}

-

-Package=<4>

-{{{

-}}}

-

-###############################################################################

-

-Global:

-

-Package=<5>

-{{{

-}}}

-

-Package=<3>

-{{{

-}}}

-

-###############################################################################

-

diff --git a/bin/check/win32/namedcheckconf.dsp b/bin/check/win32/namedcheckconf.dsp
index d2a22dd9..21a22d58 100644
--- a/bin/check/win32/namedcheckconf.dsp
+++ b/bin/check/win32/namedcheckconf.dsp
@@ -1,107 +1,111 @@
-# Microsoft Developer Studio Project File - Name="namedcheckconf" - Package Owner=<4>

-# Microsoft Developer Studio Generated Build File, Format Version 6.00

-# ** DO NOT EDIT **

-

-# TARGTYPE "Win32 (x86) Console Application" 0x0103

-

-CFG=namedcheckconf - Win32 Debug

-!MESSAGE This is not a valid makefile. To build this project using NMAKE,

-!MESSAGE use the Export Makefile command and run

-!MESSAGE 

-!MESSAGE NMAKE /f "namedcheckconf.mak".

-!MESSAGE 

-!MESSAGE You can specify a configuration when running NMAKE

-!MESSAGE by defining the macro CFG on the command line. For example:

-!MESSAGE 

-!MESSAGE NMAKE /f "namedcheckconf.mak" CFG="namedcheckconf - Win32 Debug"

-!MESSAGE 

-!MESSAGE Possible choices for configuration are:

-!MESSAGE 

-!MESSAGE "namedcheckconf - Win32 Release" (based on "Win32 (x86) Console Application")

-!MESSAGE "namedcheckconf - Win32 Debug" (based on "Win32 (x86) Console Application")

-!MESSAGE 

-

-# Begin Project

-# PROP AllowPerConfigDependencies 0

-# PROP Scc_ProjName ""

-# PROP Scc_LocalPath ""

-CPP=cl.exe

-RSC=rc.exe

-

-!IF  "$(CFG)" == "namedcheckconf - Win32 Release"

-

-# PROP BASE Use_MFC 0

-# PROP BASE Use_Debug_Libraries 0

-# PROP BASE Output_Dir "Release"

-# PROP BASE Intermediate_Dir "Release"

-# PROP BASE Target_Dir ""

-# PROP Use_MFC 0

-# PROP Use_Debug_Libraries 0

-# PROP Output_Dir "Release"

-# PROP Intermediate_Dir "Release"

-# PROP Ignore_Export_Lib 0

-# PROP Target_Dir ""

-# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c

-# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "__STDC__" /FR /YX /FD /c

-# ADD BASE RSC /l 0x409 /d "NDEBUG"

-# ADD RSC /l 0x409 /d "NDEBUG"

-BSC32=bscmake.exe

-# ADD BASE BSC32 /nologo

-# ADD BSC32 /nologo

-LINK32=link.exe

-# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386

-# ADD LINK32 user32.lib advapi32.lib ws2_32.lib Release/checktool.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/isccfg/win32/Release/libisccfg.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/named-checkconf.exe"

-

-!ELSEIF  "$(CFG)" == "namedcheckconf - Win32 Debug"

-

-# PROP BASE Use_MFC 0

-# PROP BASE Use_Debug_Libraries 1

-# PROP BASE Output_Dir "Debug"

-# PROP BASE Intermediate_Dir "Debug"

-# PROP BASE Target_Dir ""

-# PROP Use_MFC 0

-# PROP Use_Debug_Libraries 1

-# PROP Output_Dir "Debug"

-# PROP Intermediate_Dir "Debug"

-# PROP Ignore_Export_Lib 0

-# PROP Target_Dir ""

-# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c

-# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /D "_DEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c

-# SUBTRACT CPP /X /YX

-# ADD BASE RSC /l 0x409 /d "_DEBUG"

-# ADD RSC /l 0x409 /d "_DEBUG"

-BSC32=bscmake.exe

-# ADD BASE BSC32 /nologo

-# ADD BSC32 /nologo

-LINK32=link.exe

-# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept

-# ADD LINK32 user32.lib advapi32.lib ws2_32.lib Debug/checktool.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/isccfg/win32/Debug/libisccfg.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/named-checkconf.exe" /pdbtype:sept

-

-!ENDIF 

-

-# Begin Target

-

-# Name "namedcheckconf - Win32 Release"

-# Name "namedcheckconf - Win32 Debug"

-# Begin Group "Source Files"

-

-# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"

-# Begin Source File

-

-SOURCE="..\named-checkconf.c"

-# End Source File

-# End Group

-# Begin Group "Header Files"

-

-# PROP Default_Filter "h;hpp;hxx;hm;inl"

-# Begin Source File

-

-SOURCE="..\check-tool.h"

-# End Source File

-# End Group

-# Begin Group "Resource Files"

-

-# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"

-# End Group

-# End Target

-# End Project

+# Microsoft Developer Studio Project File - Name="namedcheckconf" - Package Owner=<4>
+# Microsoft Developer Studio Generated Build File, Format Version 6.00
+# ** DO NOT EDIT **
+
+# TARGTYPE "Win32 (x86) Console Application" 0x0103
+
+CFG=namedcheckconf - Win32 Debug
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,
+!MESSAGE use the Export Makefile command and run
+!MESSAGE 
+!MESSAGE NMAKE /f "namedcheckconf.mak".
+!MESSAGE 
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "namedcheckconf.mak" CFG="namedcheckconf - Win32 Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "namedcheckconf - Win32 Release" (based on "Win32 (x86) Console Application")
+!MESSAGE "namedcheckconf - Win32 Debug" (based on "Win32 (x86) Console Application")
+!MESSAGE 
+
+# Begin Project
+# PROP AllowPerConfigDependencies 0
+# PROP Scc_ProjName ""
+# PROP Scc_LocalPath ""
+CPP=cl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "namedcheckconf - Win32 Release"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 0
+# PROP BASE Output_Dir "Release"
+# PROP BASE Intermediate_Dir "Release"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 0
+# PROP Output_Dir "Release"
+# PROP Intermediate_Dir "Release"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
+# ADD CPP /nologo /MT /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/isccfg/include" /I "../../../lib/bind9/include" /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "__STDC__" /FR /YX /FD /c
+# ADD BASE RSC /l 0x409 /d "NDEBUG"
+# ADD RSC /l 0x409 /d "NDEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Release/libisc.lib  ../../../lib/dns/win32/Release/libdns.lib ../../../lib/isccfg/win32/Release/libisccfg.lib ../../../lib/bind9/win32/Release/libbind9.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/named-checkconf.exe"
+
+!ELSEIF  "$(CFG)" == "namedcheckconf - Win32 Debug"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 1
+# PROP BASE Output_Dir "Debug"
+# PROP BASE Intermediate_Dir "Debug"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 1
+# PROP Output_Dir "Debug"
+# PROP Intermediate_Dir "Debug"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c
+# ADD CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/isccfg/include" /I "../../../lib/bind9/include" /D "_DEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
+# SUBTRACT CPP /X /YX
+# ADD BASE RSC /l 0x409 /d "_DEBUG"
+# ADD RSC /l 0x409 /d "_DEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Debug/libisc.lib  ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/isccfg/win32/Debug/libisccfg.lib ../../../lib/bind9/win32/Debug/libbind9.lib ../../../lib/bind9/win32/Debug/libbind9.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/named-checkconf.exe" /pdbtype:sept
+
+!ENDIF 
+
+# Begin Target
+
+# Name "namedcheckconf - Win32 Release"
+# Name "namedcheckconf - Win32 Debug"
+# Begin Group "Source Files"
+
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
+# Begin Source File
+
+SOURCE="..\check-tool.c"
+# End Source File
+# Begin Source File
+
+SOURCE="..\named-checkconf.c"
+# End Source File
+# End Group
+# Begin Group "Header Files"
+
+# PROP Default_Filter "h;hpp;hxx;hm;inl"
+# Begin Source File
+
+SOURCE="..\check-tool.h"
+# End Source File
+# End Group
+# Begin Group "Resource Files"
+
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"
+# End Group
+# End Target
+# End Project
diff --git a/bin/check/win32/namedcheckconf.dsw b/bin/check/win32/namedcheckconf.dsw
index d7b794f9..7433eeb2 100644
--- a/bin/check/win32/namedcheckconf.dsw
+++ b/bin/check/win32/namedcheckconf.dsw
@@ -1,29 +1,29 @@
-Microsoft Developer Studio Workspace File, Format Version 6.00

-# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!

-

-###############################################################################

-

-Project: "namedcheckconf"=".\namedcheckconf.dsp" - Package Owner=<4>

-

-Package=<5>

-{{{

-}}}

-

-Package=<4>

-{{{

-}}}

-

-###############################################################################

-

-Global:

-

-Package=<5>

-{{{

-}}}

-

-Package=<3>

-{{{

-}}}

-

-###############################################################################

-

+Microsoft Developer Studio Workspace File, Format Version 6.00
+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!
+
+###############################################################################
+
+Project: "namedcheckconf"=".\namedcheckconf.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+}}}
+
+###############################################################################
+
+Global:
+
+Package=<5>
+{{{
+}}}
+
+Package=<3>
+{{{
+}}}
+
+###############################################################################
+
diff --git a/bin/check/win32/namedcheckconf.mak b/bin/check/win32/namedcheckconf.mak
index 2ecc72bc..b430a880 100644
--- a/bin/check/win32/namedcheckconf.mak
+++ b/bin/check/win32/namedcheckconf.mak
@@ -1,331 +1,289 @@
-# Microsoft Developer Studio Generated NMAKE File, Based on namedcheckconf.dsp

-!IF "$(CFG)" == ""

-CFG=namedcheckconf - Win32 Debug

-!MESSAGE No configuration specified. Defaulting to namedcheckconf - Win32 Debug.

-!ENDIF 

-

-!IF "$(CFG)" != "namedcheckconf - Win32 Release" && "$(CFG)" != "namedcheckconf - Win32 Debug"

-!MESSAGE Invalid configuration "$(CFG)" specified.

-!MESSAGE You can specify a configuration when running NMAKE

-!MESSAGE by defining the macro CFG on the command line. For example:

-!MESSAGE 

-!MESSAGE NMAKE /f "namedcheckconf.mak" CFG="namedcheckconf - Win32 Debug"

-!MESSAGE 

-!MESSAGE Possible choices for configuration are:

-!MESSAGE 

-!MESSAGE "namedcheckconf - Win32 Release" (based on "Win32 (x86) Console Application")

-!MESSAGE "namedcheckconf - Win32 Debug" (based on "Win32 (x86) Console Application")

-!MESSAGE 

-!ERROR An invalid configuration is specified.

-!ENDIF 

-

-!IF "$(OS)" == "Windows_NT"

-NULL=

-!ELSE 

-NULL=nul

-!ENDIF 

-

-!IF  "$(CFG)" == "namedcheckconf - Win32 Release"

-_VC_MANIFEST_INC=0

-_VC_MANIFEST_BASENAME=__VC80

-!ELSE

-_VC_MANIFEST_INC=1

-_VC_MANIFEST_BASENAME=__VC80.Debug

-!ENDIF

-

-####################################################

-# Specifying name of temporary resource file used only in incremental builds:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res

-!else

-_VC_MANIFEST_AUTO_RES=

-!endif

-

-####################################################

-# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-

-#MT_SPECIAL_RETURN=1090650113

-#MT_SPECIAL_SWITCH=-notify_resource_update

-MT_SPECIAL_RETURN=0

-MT_SPECIAL_SWITCH=

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \

-if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \

-rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \

-link $** /out:$@ $(LFLAGS)

-

-!else

-

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1

-

-!endif

-

-####################################################

-# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-

-#MT_SPECIAL_RETURN=1090650113

-#MT_SPECIAL_SWITCH=-notify_resource_update

-MT_SPECIAL_RETURN=0

-MT_SPECIAL_SWITCH=

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \

-if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \

-rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \

-link $** /out:$@ $(LFLAGS)

-

-!else

-

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2

-

-!endif

-####################################################

-# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-

-_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \

-    $(_VC_MANIFEST_BASENAME).auto.rc \

-    $(_VC_MANIFEST_BASENAME).auto.manifest

-

-!else

-

-_VC_MANIFEST_CLEAN=

-

-!endif

-

-!IF  "$(CFG)" == "namedcheckconf - Win32 Release"

-

-OUTDIR=.\Release

-INTDIR=.\Release

-# Begin Custom Macros

-OutDir=.\Release

-# End Custom Macros

-

-ALL : "..\..\..\Build\Release\named-checkconf.exe" "$(OUTDIR)\namedcheckconf.bsc"

-

-

-CLEAN :

-	-@erase "$(INTDIR)\check-tool.obj"

-	-@erase "$(INTDIR)\check-tool.sbr"

-	-@erase "$(INTDIR)\named-checkconf.obj"

-	-@erase "$(INTDIR)\named-checkconf.sbr"

-	-@erase "$(INTDIR)\vc60.idb"

-	-@erase "$(OUTDIR)\namedcheckconf.bsc"

-	-@erase "..\..\..\Build\Release\named-checkconf.exe"

-	-@$(_VC_MANIFEST_CLEAN)

-

-"$(OUTDIR)" :

-    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"

-

-CPP=cl.exe

-CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "__STDC__" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\namedcheckconf.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 

-

-.c{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.c{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-RSC=rc.exe

-BSC32=bscmake.exe

-BSC32_FLAGS=/nologo /o"$(OUTDIR)\namedcheckconf.bsc" 

-BSC32_SBRS= \

-	"$(INTDIR)\check-tool.sbr" \

-	"$(INTDIR)\named-checkconf.sbr"

-

-"$(OUTDIR)\namedcheckconf.bsc" : "$(OUTDIR)" $(BSC32_SBRS)

-    $(BSC32) @<<

-  $(BSC32_FLAGS) $(BSC32_SBRS)

-<<

-

-LINK32=link.exe

-LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/isccfg/win32/Release/libisccfg.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\named-checkconf.pdb" /machine:I386 /out:"../../../Build/Release/named-checkconf.exe" 

-LINK32_OBJS= \

-	"$(INTDIR)\check-tool.obj" \

-	"$(INTDIR)\named-checkconf.obj"

-

-"..\..\..\Build\Release\named-checkconf.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)

-    $(LINK32) @<<

-  $(LINK32_FLAGS) $(LINK32_OBJS)

-<<

-    $(_VC_MANIFEST_EMBED_EXE)

-

-!ELSEIF  "$(CFG)" == "namedcheckconf - Win32 Debug"

-

-OUTDIR=.\Debug

-INTDIR=.\Debug

-# Begin Custom Macros

-OutDir=.\Debug

-# End Custom Macros

-

-ALL : "..\..\..\Build\Debug\named-checkconf.exe" "$(OUTDIR)\namedcheckconf.bsc"

-

-

-CLEAN :

-	-@erase "$(INTDIR)\check-tool.obj"

-	-@erase "$(INTDIR)\check-tool.sbr"

-	-@erase "$(INTDIR)\named-checkconf.obj"

-	-@erase "$(INTDIR)\named-checkconf.sbr"

-	-@erase "$(INTDIR)\vc60.idb"

-	-@erase "$(INTDIR)\vc60.pdb"

-	-@erase "$(OUTDIR)\named-checkconf.pdb"

-	-@erase "$(OUTDIR)\namedcheckconf.bsc"

-	-@erase "..\..\..\Build\Debug\named-checkconf.exe"

-	-@erase "..\..\..\Build\Debug\named-checkconf.ilk"

-	-@$(_VC_MANIFEST_CLEAN)

-

-"$(OUTDIR)" :

-    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"

-

-CPP=cl.exe

-CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccfg/include" /D "_DEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 

-

-.c{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.c{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-RSC=rc.exe

-BSC32=bscmake.exe

-BSC32_FLAGS=/nologo /o"$(OUTDIR)\namedcheckconf.bsc" 

-BSC32_SBRS= \

-	"$(INTDIR)\check-tool.sbr" \

-	"$(INTDIR)\named-checkconf.sbr"

-

-"$(OUTDIR)\namedcheckconf.bsc" : "$(OUTDIR)" $(BSC32_SBRS)

-    $(BSC32) @<<

-  $(BSC32_FLAGS) $(BSC32_SBRS)

-<<

-

-LINK32=link.exe

-LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/isccfg/win32/Debug/libisccfg.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\named-checkconf.pdb" /debug /machine:I386 /out:"../../../Build/Debug/named-checkconf.exe" /pdbtype:sept 

-LINK32_OBJS= \

-	"$(INTDIR)\check-tool.obj" \

-	"$(INTDIR)\named-checkconf.obj"

-

-"..\..\..\Build\Debug\named-checkconf.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)

-    $(LINK32) @<<

-  $(LINK32_FLAGS) $(LINK32_OBJS)

-<<

-    $(_VC_MANIFEST_EMBED_EXE)

-

-!ENDIF 

-

-

-!IF "$(NO_EXTERNAL_DEPS)" != "1"

-!IF EXISTS("namedcheckconf.dep")

-!INCLUDE "namedcheckconf.dep"

-!ELSE 

-!MESSAGE Warning: cannot find "namedcheckconf.dep"

-!ENDIF 

-!ENDIF 

-

-

-!IF "$(CFG)" == "namedcheckconf - Win32 Release" || "$(CFG)" == "namedcheckconf - Win32 Debug"

-SOURCE="..\check-tool.c"

-

-"$(INTDIR)\check-tool.obj"	"$(INTDIR)\check-tool.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-SOURCE="..\named-checkconf.c"

-

-"$(INTDIR)\named-checkconf.obj"	"$(INTDIR)\named-checkconf.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-

-!ENDIF 

-

-####################################################

-# Commands to generate initial empty manifest file and the RC file

-# that references it, and for generating the .res file:

-

-$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc

-

-$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest

-    type <<$@

-#include <winuser.h>

-1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"

-<< KEEP

-

-$(_VC_MANIFEST_BASENAME).auto.manifest :

-    type <<$@

-<?xml version='1.0' encoding='UTF-8' standalone='yes'?>

-<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>

-</assembly>

-<< KEEP

-####################################################

-# Commands to generate initial empty manifest file and the RC file

-# that references it, and for generating the .res file:

-

-$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc

-

-$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest

-    type <<$@

-#include <winuser.h>

-1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"

-<< KEEP

-

-$(_VC_MANIFEST_BASENAME).auto.manifest :

-    type <<$@

-<?xml version='1.0' encoding='UTF-8' standalone='yes'?>

-<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>

-</assembly>

-<< KEEP

+# Microsoft Developer Studio Generated NMAKE File, Based on namedcheckconf.dsp
+!IF "$(CFG)" == ""
+CFG=namedcheckconf - Win32 Debug
+!MESSAGE No configuration specified. Defaulting to namedcheckconf - Win32 Debug.
+!ENDIF 
+
+!IF "$(CFG)" != "namedcheckconf - Win32 Release" && "$(CFG)" != "namedcheckconf - Win32 Debug"
+!MESSAGE Invalid configuration "$(CFG)" specified.
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "namedcheckconf.mak" CFG="namedcheckconf - Win32 Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "namedcheckconf - Win32 Release" (based on "Win32 (x86) Console Application")
+!MESSAGE "namedcheckconf - Win32 Debug" (based on "Win32 (x86) Console Application")
+!MESSAGE 
+!ERROR An invalid configuration is specified.
+!ENDIF 
+
+!IF "$(OS)" == "Windows_NT"
+NULL=
+!ELSE 
+NULL=nul
+!ENDIF 
+
+CPP=cl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "namedcheckconf - Win32 Release"
+
+OUTDIR=.\Release
+INTDIR=.\Release
+# Begin Custom Macros
+OutDir=.\Release
+# End Custom Macros
+
+!IF "$(RECURSE)" == "0" 
+
+ALL : "..\..\..\Build\Release\named-checkconf.exe" "$(OUTDIR)\namedcheckconf.bsc"
+
+!ELSE 
+
+ALL : "libdns - Win32 Release" "libisccfg - Win32 Release" "libisc - Win32 Release" "..\..\..\Build\Release\named-checkconf.exe" "$(OUTDIR)\namedcheckconf.bsc"
+
+!ENDIF 
+
+!IF "$(RECURSE)" == "1" 
+CLEAN :"libisc - Win32 ReleaseCLEAN" "libisccfg - Win32 ReleaseCLEAN" "libdns - Win32 ReleaseCLEAN" 
+!ELSE 
+CLEAN :
+!ENDIF 
+	-@erase "$(INTDIR)\check-tool.obj"
+	-@erase "$(INTDIR)\check-tool.sbr"
+	-@erase "$(INTDIR)\named-checkconf.obj"
+	-@erase "$(INTDIR)\named-checkconf.sbr"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "$(OUTDIR)\namedcheckconf.bsc"
+	-@erase "..\..\..\Build\Release\named-checkconf.exe"
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP_PROJ=/nologo /MT /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/isccfg/include" /I "../../../lib/bind9/include" /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "__STDC__" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\namedcheckconf.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\namedcheckconf.bsc" 
+BSC32_SBRS= \
+	"$(INTDIR)\check-tool.sbr" \
+	"$(INTDIR)\named-checkconf.sbr"
+
+"$(OUTDIR)\namedcheckconf.bsc" : "$(OUTDIR)" $(BSC32_SBRS)
+    $(BSC32) @<<
+  $(BSC32_FLAGS) $(BSC32_SBRS)
+<<
+
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Release/libisc.lib  ../../../lib/dns/win32/Release/libdns.lib ../../../lib/isccfg/win32/Release/libisccfg.lib ../../../lib/bind9/win32/Release/libbind9.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\named-checkconf.pdb" /machine:I386 /out:"../../../Build/Release/named-checkconf.exe" 
+LINK32_OBJS= \
+	"$(INTDIR)\check-tool.obj" \
+	"$(INTDIR)\named-checkconf.obj" \
+	"..\..\..\lib\isc\win32\Release\libisc.lib" \
+	"..\..\..\lib\isccfg\win32\Release\libisccfg.lib" \
+	"..\..\..\lib\dns\win32\Release\libdns.lib"
+
+"..\..\..\Build\Release\named-checkconf.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+
+!ELSEIF  "$(CFG)" == "namedcheckconf - Win32 Debug"
+
+OUTDIR=.\Debug
+INTDIR=.\Debug
+# Begin Custom Macros
+OutDir=.\Debug
+# End Custom Macros
+
+!IF "$(RECURSE)" == "0" 
+
+ALL : "..\..\..\Build\Debug\named-checkconf.exe" "$(OUTDIR)\namedcheckconf.bsc"
+
+!ELSE 
+
+ALL : "libdns - Win32 Debug" "libisccfg - Win32 Debug" "libisc - Win32 Debug" "..\..\..\Build\Debug\named-checkconf.exe" "$(OUTDIR)\namedcheckconf.bsc"
+
+!ENDIF 
+
+!IF "$(RECURSE)" == "1" 
+CLEAN :"libisc - Win32 DebugCLEAN" "libisccfg - Win32 DebugCLEAN" "libdns - Win32 DebugCLEAN" 
+!ELSE 
+CLEAN :
+!ENDIF 
+	-@erase "$(INTDIR)\check-tool.obj"
+	-@erase "$(INTDIR)\check-tool.sbr"
+	-@erase "$(INTDIR)\named-checkconf.obj"
+	-@erase "$(INTDIR)\named-checkconf.sbr"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "$(INTDIR)\vc60.pdb"
+	-@erase "$(OUTDIR)\named-checkconf.pdb"
+	-@erase "$(OUTDIR)\namedcheckconf.bsc"
+	-@erase "..\..\..\Build\Debug\named-checkconf.exe"
+	-@erase "..\..\..\Build\Debug\named-checkconf.ilk"
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP_PROJ=/nologo /MTd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/isccfg/include" /I "../../../lib/bind9/include" /D "_DEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\namedcheckconf.bsc" 
+BSC32_SBRS= \
+	"$(INTDIR)\check-tool.sbr" \
+	"$(INTDIR)\named-checkconf.sbr"
+
+"$(OUTDIR)\namedcheckconf.bsc" : "$(OUTDIR)" $(BSC32_SBRS)
+    $(BSC32) @<<
+  $(BSC32_FLAGS) $(BSC32_SBRS)
+<<
+
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Debug/libisc.lib  ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/isccfg/win32/Debug/libisccfg.lib ../../../lib/bind9/win32/Debug/libbind9.lib ../../../lib/bind9/win32/Debug/libbind9.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\named-checkconf.pdb" /debug /machine:I386 /out:"../../../Build/Debug/named-checkconf.exe" /pdbtype:sept 
+LINK32_OBJS= \
+	"$(INTDIR)\check-tool.obj" \
+	"$(INTDIR)\named-checkconf.obj" \
+	"..\..\..\lib\isc\win32\Debug\libisc.lib" \
+	"..\..\..\lib\isccfg\win32\Debug\libisccfg.lib" \
+	"..\..\..\lib\dns\win32\Debug\libdns.lib"
+
+"..\..\..\Build\Debug\named-checkconf.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+
+!ENDIF 
+
+.c{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+
+!IF "$(NO_EXTERNAL_DEPS)" != "1"
+!IF EXISTS("namedcheckconf.dep")
+!INCLUDE "namedcheckconf.dep"
+!ELSE 
+!MESSAGE Warning: cannot find "namedcheckconf.dep"
+!ENDIF 
+!ENDIF 
+
+
+!IF "$(CFG)" == "namedcheckconf - Win32 Release" || "$(CFG)" == "namedcheckconf - Win32 Debug"
+SOURCE="..\check-tool.c"
+
+"$(INTDIR)\check-tool.obj"	"$(INTDIR)\check-tool.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+SOURCE="..\named-checkconf.c"
+
+"$(INTDIR)\named-checkconf.obj"	"$(INTDIR)\named-checkconf.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!IF  "$(CFG)" == "namedcheckconf - Win32 Release"
+
+"libisc - Win32 Release" : 
+   cd "..\..\..\lib\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - Win32 Release" 
+   cd "..\..\..\bin\check\win32"
+
+"libisc - Win32 ReleaseCLEAN" : 
+   cd "..\..\..\lib\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - Win32 Release" RECURSE=1 CLEAN 
+   cd "..\..\..\bin\check\win32"
+
+!ELSEIF  "$(CFG)" == "namedcheckconf - Win32 Debug"
+
+"libisc - Win32 Debug" : 
+   cd "..\..\..\lib\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - Win32 Debug" 
+   cd "..\..\..\bin\check\win32"
+
+"libisc - Win32 DebugCLEAN" : 
+   cd "..\..\..\lib\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - Win32 Debug" RECURSE=1 CLEAN 
+   cd "..\..\..\bin\check\win32"
+
+!ENDIF 
+
+!IF  "$(CFG)" == "namedcheckconf - Win32 Release"
+
+"libisccfg - Win32 Release" : 
+   cd "..\..\..\lib\isccfg\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisccfg.mak" CFG="libisccfg - Win32 Release" 
+   cd "..\..\..\bin\check\win32"
+
+"libisccfg - Win32 ReleaseCLEAN" : 
+   cd "..\..\..\lib\isccfg\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisccfg.mak" CFG="libisccfg - Win32 Release" RECURSE=1 CLEAN 
+   cd "..\..\..\bin\check\win32"
+
+!ELSEIF  "$(CFG)" == "namedcheckconf - Win32 Debug"
+
+"libisccfg - Win32 Debug" : 
+   cd "..\..\..\lib\isccfg\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisccfg.mak" CFG="libisccfg - Win32 Debug" 
+   cd "..\..\..\bin\check\win32"
+
+"libisccfg - Win32 DebugCLEAN" : 
+   cd "..\..\..\lib\isccfg\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisccfg.mak" CFG="libisccfg - Win32 Debug" RECURSE=1 CLEAN 
+   cd "..\..\..\bin\check\win32"
+
+!ENDIF 
+
+!IF  "$(CFG)" == "namedcheckconf - Win32 Release"
+
+"libdns - Win32 Release" : 
+   cd "..\..\..\lib\dns\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libdns.mak" CFG="libdns - Win32 Release" 
+   cd "..\..\..\bin\check\win32"
+
+"libdns - Win32 ReleaseCLEAN" : 
+   cd "..\..\..\lib\dns\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libdns.mak" CFG="libdns - Win32 Release" RECURSE=1 CLEAN 
+   cd "..\..\..\bin\check\win32"
+
+!ELSEIF  "$(CFG)" == "namedcheckconf - Win32 Debug"
+
+"libdns - Win32 Debug" : 
+   cd "..\..\..\lib\dns\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libdns.mak" CFG="libdns - Win32 Debug" 
+   cd "..\..\..\bin\check\win32"
+
+"libdns - Win32 DebugCLEAN" : 
+   cd "..\..\..\lib\dns\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libdns.mak" CFG="libdns - Win32 Debug" RECURSE=1 CLEAN 
+   cd "..\..\..\bin\check\win32"
+
+!ENDIF 
+
+
+!ENDIF 
+
diff --git a/bin/check/win32/namedcheckzone.dsp b/bin/check/win32/namedcheckzone.dsp
index e72be16c..daec74a8 100644
--- a/bin/check/win32/namedcheckzone.dsp
+++ b/bin/check/win32/namedcheckzone.dsp
@@ -1,107 +1,112 @@
-# Microsoft Developer Studio Project File - Name="namedcheckzone" - Package Owner=<4>

-# Microsoft Developer Studio Generated Build File, Format Version 6.00

-# ** DO NOT EDIT **

-

-# TARGTYPE "Win32 (x86) Console Application" 0x0103

-

-CFG=namedcheckzone - Win32 Debug

-!MESSAGE This is not a valid makefile. To build this project using NMAKE,

-!MESSAGE use the Export Makefile command and run

-!MESSAGE 

-!MESSAGE NMAKE /f "namedcheckzone.mak".

-!MESSAGE 

-!MESSAGE You can specify a configuration when running NMAKE

-!MESSAGE by defining the macro CFG on the command line. For example:

-!MESSAGE 

-!MESSAGE NMAKE /f "namedcheckzone.mak" CFG="namedcheckzone - Win32 Debug"

-!MESSAGE 

-!MESSAGE Possible choices for configuration are:

-!MESSAGE 

-!MESSAGE "namedcheckzone - Win32 Release" (based on "Win32 (x86) Console Application")

-!MESSAGE "namedcheckzone - Win32 Debug" (based on "Win32 (x86) Console Application")

-!MESSAGE 

-

-# Begin Project

-# PROP AllowPerConfigDependencies 0

-# PROP Scc_ProjName ""

-# PROP Scc_LocalPath ""

-CPP=cl.exe

-RSC=rc.exe

-

-!IF  "$(CFG)" == "namedcheckzone - Win32 Release"

-

-# PROP BASE Use_MFC 0

-# PROP BASE Use_Debug_Libraries 0

-# PROP BASE Output_Dir "Release"

-# PROP BASE Intermediate_Dir "Release"

-# PROP BASE Target_Dir ""

-# PROP Use_MFC 0

-# PROP Use_Debug_Libraries 0

-# PROP Output_Dir "Release"

-# PROP Intermediate_Dir "Release"

-# PROP Ignore_Export_Lib 0

-# PROP Target_Dir ""

-# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c

-# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "__STDC__" /FR /YX /FD /c

-# ADD BASE RSC /l 0x409 /d "NDEBUG"

-# ADD RSC /l 0x409 /d "NDEBUG"

-BSC32=bscmake.exe

-# ADD BASE BSC32 /nologo

-# ADD BSC32 /nologo

-LINK32=link.exe

-# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386

-# ADD LINK32 user32.lib advapi32.lib ws2_32.lib Release/checktool.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/named-checkzone.exe"

-

-!ELSEIF  "$(CFG)" == "namedcheckzone - Win32 Debug"

-

-# PROP BASE Use_MFC 0

-# PROP BASE Use_Debug_Libraries 1

-# PROP BASE Output_Dir "Debug"

-# PROP BASE Intermediate_Dir "Debug"

-# PROP BASE Target_Dir ""

-# PROP Use_MFC 0

-# PROP Use_Debug_Libraries 1

-# PROP Output_Dir "Debug"

-# PROP Intermediate_Dir "Debug"

-# PROP Ignore_Export_Lib 0

-# PROP Target_Dir ""

-# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c

-# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "_DEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c

-# SUBTRACT CPP /X /YX

-# ADD BASE RSC /l 0x409 /d "_DEBUG"

-# ADD RSC /l 0x409 /d "_DEBUG"

-BSC32=bscmake.exe

-# ADD BASE BSC32 /nologo

-# ADD BSC32 /nologo

-LINK32=link.exe

-# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept

-# ADD LINK32 user32.lib advapi32.lib ws2_32.lib Debug/checktool.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/named-checkzone.exe" /pdbtype:sept

-

-!ENDIF 

-

-# Begin Target

-

-# Name "namedcheckzone - Win32 Release"

-# Name "namedcheckzone - Win32 Debug"

-# Begin Group "Source Files"

-

-# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"

-# Begin Source File

-

-SOURCE="..\named-checkzone.c"

-# End Source File

-# End Group

-# Begin Group "Header Files"

-

-# PROP Default_Filter "h;hpp;hxx;hm;inl"

-# Begin Source File

-

-SOURCE="..\check-tool.h"

-# End Source File

-# End Group

-# Begin Group "Resource Files"

-

-# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"

-# End Group

-# End Target

-# End Project

+# Microsoft Developer Studio Project File - Name="namedcheckzone" - Package Owner=<4>
+# Microsoft Developer Studio Generated Build File, Format Version 6.00
+# ** DO NOT EDIT **
+
+# TARGTYPE "Win32 (x86) Console Application" 0x0103
+
+CFG=namedcheckzone - Win32 Debug
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,
+!MESSAGE use the Export Makefile command and run
+!MESSAGE 
+!MESSAGE NMAKE /f "namedcheckzone.mak".
+!MESSAGE 
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "namedcheckzone.mak" CFG="namedcheckzone - Win32 Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "namedcheckzone - Win32 Release" (based on "Win32 (x86) Console Application")
+!MESSAGE "namedcheckzone - Win32 Debug" (based on "Win32 (x86) Console Application")
+!MESSAGE 
+
+# Begin Project
+# PROP AllowPerConfigDependencies 0
+# PROP Scc_ProjName ""
+# PROP Scc_LocalPath ""
+CPP=cl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "namedcheckzone - Win32 Release"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 0
+# PROP BASE Output_Dir "Release"
+# PROP BASE Intermediate_Dir "Release"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 0
+# PROP Output_Dir "Release"
+# PROP Intermediate_Dir "Release"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
+# ADD CPP /nologo /MT /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "__STDC__" /YX /FD /c
+# SUBTRACT CPP /Fr
+# ADD BASE RSC /l 0x409 /d "NDEBUG"
+# ADD RSC /l 0x409 /d "NDEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/named-checkzone.exe"
+
+!ELSEIF  "$(CFG)" == "namedcheckzone - Win32 Debug"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 1
+# PROP BASE Output_Dir "Debug"
+# PROP BASE Intermediate_Dir "Debug"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 1
+# PROP Output_Dir "Debug"
+# PROP Intermediate_Dir "Debug"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c
+# ADD CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "_DEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
+# SUBTRACT CPP /X /YX
+# ADD BASE RSC /l 0x409 /d "_DEBUG"
+# ADD RSC /l 0x409 /d "_DEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/named-checkzone.exe" /pdbtype:sept
+
+!ENDIF 
+
+# Begin Target
+
+# Name "namedcheckzone - Win32 Release"
+# Name "namedcheckzone - Win32 Debug"
+# Begin Group "Source Files"
+
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
+# Begin Source File
+
+SOURCE="..\check-tool.c"
+# End Source File
+# Begin Source File
+
+SOURCE="..\named-checkzone.c"
+# End Source File
+# End Group
+# Begin Group "Header Files"
+
+# PROP Default_Filter "h;hpp;hxx;hm;inl"
+# Begin Source File
+
+SOURCE="..\check-tool.h"
+# End Source File
+# End Group
+# Begin Group "Resource Files"
+
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"
+# End Group
+# End Target
+# End Project
diff --git a/bin/check/win32/namedcheckzone.dsw b/bin/check/win32/namedcheckzone.dsw
index d723eb5a..68cb1ac1 100644
--- a/bin/check/win32/namedcheckzone.dsw
+++ b/bin/check/win32/namedcheckzone.dsw
@@ -1,29 +1,29 @@
-Microsoft Developer Studio Workspace File, Format Version 6.00

-# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!

-

-###############################################################################

-

-Project: "namedcheckzone"=".\namedcheckzone.dsp" - Package Owner=<4>

-

-Package=<5>

-{{{

-}}}

-

-Package=<4>

-{{{

-}}}

-

-###############################################################################

-

-Global:

-

-Package=<5>

-{{{

-}}}

-

-Package=<3>

-{{{

-}}}

-

-###############################################################################

-

+Microsoft Developer Studio Workspace File, Format Version 6.00
+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!
+
+###############################################################################
+
+Project: "namedcheckzone"=".\namedcheckzone.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+}}}
+
+###############################################################################
+
+Global:
+
+Package=<5>
+{{{
+}}}
+
+Package=<3>
+{{{
+}}}
+
+###############################################################################
+
diff --git a/bin/check/win32/namedcheckzone.mak b/bin/check/win32/namedcheckzone.mak
index 0c0ba165..d532f749 100644
--- a/bin/check/win32/namedcheckzone.mak
+++ b/bin/check/win32/namedcheckzone.mak
@@ -1,313 +1,305 @@
-# Microsoft Developer Studio Generated NMAKE File, Based on namedcheckzone.dsp

-!IF "$(CFG)" == ""

-CFG=namedcheckzone - Win32 Debug

-!MESSAGE No configuration specified. Defaulting to namedcheckzone - Win32 Debug.

-!ENDIF 

-

-!IF "$(CFG)" != "namedcheckzone - Win32 Release" && "$(CFG)" != "namedcheckzone - Win32 Debug"

-!MESSAGE Invalid configuration "$(CFG)" specified.

-!MESSAGE You can specify a configuration when running NMAKE

-!MESSAGE by defining the macro CFG on the command line. For example:

-!MESSAGE 

-!MESSAGE NMAKE /f "namedcheckzone.mak" CFG="namedcheckzone - Win32 Debug"

-!MESSAGE 

-!MESSAGE Possible choices for configuration are:

-!MESSAGE 

-!MESSAGE "namedcheckzone - Win32 Release" (based on "Win32 (x86) Console Application")

-!MESSAGE "namedcheckzone - Win32 Debug" (based on "Win32 (x86) Console Application")

-!MESSAGE 

-!ERROR An invalid configuration is specified.

-!ENDIF 

-

-!IF "$(OS)" == "Windows_NT"

-NULL=

-!ELSE 

-NULL=nul

-!ENDIF 

-

-!IF  "$(CFG)" == "namedcheckzone - Win32 Release"

-_VC_MANIFEST_INC=0

-_VC_MANIFEST_BASENAME=__VC80

-!ELSE

-_VC_MANIFEST_INC=1

-_VC_MANIFEST_BASENAME=__VC80.Debug

-!ENDIF

-

-####################################################

-# Specifying name of temporary resource file used only in incremental builds:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res

-!else

-_VC_MANIFEST_AUTO_RES=

-!endif

-

-####################################################

-# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-

-#MT_SPECIAL_RETURN=1090650113

-#MT_SPECIAL_SWITCH=-notify_resource_update

-MT_SPECIAL_RETURN=0

-MT_SPECIAL_SWITCH=

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \

-if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \

-rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \

-link $** /out:$@ $(LFLAGS)

-

-!else

-

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1

-

-!endif

-

-####################################################

-# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-

-#MT_SPECIAL_RETURN=1090650113

-#MT_SPECIAL_SWITCH=-notify_resource_update

-MT_SPECIAL_RETURN=0

-MT_SPECIAL_SWITCH=

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \

-if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \

-rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \

-link $** /out:$@ $(LFLAGS)

-

-!else

-

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2

-

-!endif

-####################################################

-# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-

-_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \

-    $(_VC_MANIFEST_BASENAME).auto.rc \

-    $(_VC_MANIFEST_BASENAME).auto.manifest

-

-!else

-

-_VC_MANIFEST_CLEAN=

-

-!endif

-

-!IF  "$(CFG)" == "namedcheckzone - Win32 Release"

-

-OUTDIR=.\Release

-INTDIR=.\Release

-# Begin Custom Macros

-OutDir=.\Release

-# End Custom Macros

-

-ALL : "..\..\..\Build\Release\named-checkzone.exe" "$(OUTDIR)\namedcheckzone.bsc"

-

-

-CLEAN :

-	-@erase "$(INTDIR)\check-tool.obj"

-	-@erase "$(INTDIR)\check-tool.sbr"

-	-@erase "$(INTDIR)\named-checkzone.obj"

-	-@erase "$(INTDIR)\named-checkzone.sbr"

-	-@erase "$(INTDIR)\vc60.idb"

-	-@erase "$(OUTDIR)\namedcheckzone.bsc"

-	-@erase "..\..\..\Build\Release\named-checkzone.exe"

-	-@$(_VC_MANIFEST_CLEAN)

-

-"$(OUTDIR)" :

-    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"

-

-CPP=cl.exe

-CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "__STDC__" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\namedcheckzone.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 

-

-.c{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.c{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-RSC=rc.exe

-BSC32=bscmake.exe

-BSC32_FLAGS=/nologo /o"$(OUTDIR)\namedcheckzone.bsc" 

-BSC32_SBRS= \

-	"$(INTDIR)\check-tool.sbr" \

-	"$(INTDIR)\named-checkzone.sbr"

-

-"$(OUTDIR)\namedcheckzone.bsc" : "$(OUTDIR)" $(BSC32_SBRS)

-    $(BSC32) @<<

-  $(BSC32_FLAGS) $(BSC32_SBRS)

-<<

-

-LINK32=link.exe

-LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\named-checkzone.pdb" /machine:I386 /out:"../../../Build/Release/named-checkzone.exe" 

-LINK32_OBJS= \

-	"$(INTDIR)\check-tool.obj" \

-	"$(INTDIR)\named-checkzone.obj"

-

-"..\..\..\Build\Release\named-checkzone.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)

-    $(LINK32) @<<

-  $(LINK32_FLAGS) $(LINK32_OBJS)

-<<

-    $(_VC_MANIFEST_EMBED_EXE)

-

-!ELSEIF  "$(CFG)" == "namedcheckzone - Win32 Debug"

-

-OUTDIR=.\Debug

-INTDIR=.\Debug

-# Begin Custom Macros

-OutDir=.\Debug

-# End Custom Macros

-

-ALL : "..\..\..\Build\Debug\named-checkzone.exe" "$(OUTDIR)\namedcheckzone.bsc"

-

-

-CLEAN :

-	-@erase "$(INTDIR)\check-tool.obj"

-	-@erase "$(INTDIR)\check-tool.sbr"

-	-@erase "$(INTDIR)\named-checkzone.obj"

-	-@erase "$(INTDIR)\named-checkzone.sbr"

-	-@erase "$(INTDIR)\vc60.idb"

-	-@erase "$(INTDIR)\vc60.pdb"

-	-@erase "$(OUTDIR)\named-checkzone.pdb"

-	-@erase "$(OUTDIR)\namedcheckzone.bsc"

-	-@erase "..\..\..\Build\Debug\named-checkzone.exe"

-	-@erase "..\..\..\Build\Debug\named-checkzone.ilk"

-	-@$(_VC_MANIFEST_CLEAN)

-

-"$(OUTDIR)" :

-    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"

-

-CPP=cl.exe

-CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "_DEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 

-

-.c{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.c{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-RSC=rc.exe

-BSC32=bscmake.exe

-BSC32_FLAGS=/nologo /o"$(OUTDIR)\namedcheckzone.bsc" 

-BSC32_SBRS= \

-	"$(INTDIR)\check-tool.sbr" \

-	"$(INTDIR)\named-checkzone.sbr"

-

-"$(OUTDIR)\namedcheckzone.bsc" : "$(OUTDIR)" $(BSC32_SBRS)

-    $(BSC32) @<<

-  $(BSC32_FLAGS) $(BSC32_SBRS)

-<<

-

-LINK32=link.exe

-LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\named-checkzone.pdb" /debug /machine:I386 /out:"../../../Build/Debug/named-checkzone.exe" /pdbtype:sept 

-LINK32_OBJS= \

-	"$(INTDIR)\check-tool.obj" \

-	"$(INTDIR)\named-checkzone.obj"

-

-"..\..\..\Build\Debug\named-checkzone.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)

-    $(LINK32) @<<

-  $(LINK32_FLAGS) $(LINK32_OBJS)

-<<

-    $(_VC_MANIFEST_EMBED_EXE)

-

-!ENDIF 

-

-

-!IF "$(NO_EXTERNAL_DEPS)" != "1"

-!IF EXISTS("namedcheckzone.dep")

-!INCLUDE "namedcheckzone.dep"

-!ELSE 

-!MESSAGE Warning: cannot find "namedcheckzone.dep"

-!ENDIF 

-!ENDIF 

-

-

-!IF "$(CFG)" == "namedcheckzone - Win32 Release" || "$(CFG)" == "namedcheckzone - Win32 Debug"

-SOURCE="..\check-tool.c"

-

-"$(INTDIR)\check-tool.obj"	"$(INTDIR)\check-tool.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-SOURCE="..\named-checkzone.c"

-

-"$(INTDIR)\named-checkzone.obj"	"$(INTDIR)\named-checkzone.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-

-!ENDIF 

-

-####################################################

-# Commands to generate initial empty manifest file and the RC file

-# that references it, and for generating the .res file:

-

-$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc

-

-$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest

-    type <<$@

-#include <winuser.h>

-1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"

-<< KEEP

-

-$(_VC_MANIFEST_BASENAME).auto.manifest :

-    type <<$@

-<?xml version='1.0' encoding='UTF-8' standalone='yes'?>

-<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>

-</assembly>

-<< KEEP

+# Microsoft Developer Studio Generated NMAKE File, Based on namedcheckzone.dsp
+!IF "$(CFG)" == ""
+CFG=namedcheckzone - Win32 Debug
+!MESSAGE No configuration specified. Defaulting to namedcheckzone - Win32 Debug.
+!ENDIF 
+
+!IF "$(CFG)" != "namedcheckzone - Win32 Release" && "$(CFG)" != "namedcheckzone - Win32 Debug"
+!MESSAGE Invalid configuration "$(CFG)" specified.
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "namedcheckzone.mak" CFG="namedcheckzone - Win32 Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "namedcheckzone - Win32 Release" (based on "Win32 (x86) Console Application")
+!MESSAGE "namedcheckzone - Win32 Debug" (based on "Win32 (x86) Console Application")
+!MESSAGE 
+!ERROR An invalid configuration is specified.
+!ENDIF 
+
+!IF "$(OS)" == "Windows_NT"
+NULL=
+!ELSE 
+NULL=nul
+!ENDIF 
+
+!IF  "$(CFG)" == "namedcheckzone - Win32 Release"
+
+OUTDIR=.\Release
+INTDIR=.\Release
+
+!IF "$(RECURSE)" == "0" 
+
+ALL : "..\..\..\Build\Release\named-checkzone.exe"
+
+!ELSE 
+
+ALL : "libisc - Win32 Release" "libdns - Win32 Release" "..\..\..\Build\Release\named-checkzone.exe"
+
+!ENDIF 
+
+!IF "$(RECURSE)" == "1" 
+CLEAN :"libdns - Win32 ReleaseCLEAN" "libisc - Win32 ReleaseCLEAN" 
+!ELSE 
+CLEAN :
+!ENDIF 
+	-@erase "$(INTDIR)\check-tool.obj"
+	-@erase "$(INTDIR)\named-checkzone.obj"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "..\..\..\Build\Release\named-checkzone.exe"
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP=cl.exe
+CPP_PROJ=/nologo /MT /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "__STDC__" /Fp"$(INTDIR)\namedcheckzone.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+
+.c{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+RSC=rc.exe
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\namedcheckzone.bsc" 
+BSC32_SBRS= \
+	
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\named-checkzone.pdb" /machine:I386 /out:"../../../Build/Release/named-checkzone.exe" 
+LINK32_OBJS= \
+	"$(INTDIR)\check-tool.obj" \
+	"$(INTDIR)\named-checkzone.obj" \
+	"..\..\..\lib\dns\win32\Release\libdns.lib" \
+	"..\..\..\lib\isc\win32\Release\libisc.lib"
+
+"..\..\..\Build\Release\named-checkzone.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+
+!ELSEIF  "$(CFG)" == "namedcheckzone - Win32 Debug"
+
+OUTDIR=.\Debug
+INTDIR=.\Debug
+# Begin Custom Macros
+OutDir=.\Debug
+# End Custom Macros
+
+!IF "$(RECURSE)" == "0" 
+
+ALL : "..\..\..\Build\Debug\named-checkzone.exe" "$(OUTDIR)\namedcheckzone.bsc"
+
+!ELSE 
+
+ALL : "libisc - Win32 Debug" "libdns - Win32 Debug" "..\..\..\Build\Debug\named-checkzone.exe" "$(OUTDIR)\namedcheckzone.bsc"
+
+!ENDIF 
+
+!IF "$(RECURSE)" == "1" 
+CLEAN :"libdns - Win32 DebugCLEAN" "libisc - Win32 DebugCLEAN" 
+!ELSE 
+CLEAN :
+!ENDIF 
+	-@erase "$(INTDIR)\check-tool.obj"
+	-@erase "$(INTDIR)\check-tool.sbr"
+	-@erase "$(INTDIR)\named-checkzone.obj"
+	-@erase "$(INTDIR)\named-checkzone.sbr"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "$(INTDIR)\vc60.pdb"
+	-@erase "$(OUTDIR)\named-checkzone.pdb"
+	-@erase "$(OUTDIR)\namedcheckzone.bsc"
+	-@erase "..\..\..\Build\Debug\named-checkzone.exe"
+	-@erase "..\..\..\Build\Debug\named-checkzone.ilk"
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP=cl.exe
+CPP_PROJ=/nologo /MTd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "_DEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+
+.c{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+RSC=rc.exe
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\namedcheckzone.bsc" 
+BSC32_SBRS= \
+	"$(INTDIR)\check-tool.sbr" \
+	"$(INTDIR)\named-checkzone.sbr"
+
+"$(OUTDIR)\namedcheckzone.bsc" : "$(OUTDIR)" $(BSC32_SBRS)
+    $(BSC32) @<<
+  $(BSC32_FLAGS) $(BSC32_SBRS)
+<<
+
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\named-checkzone.pdb" /debug /machine:I386 /out:"../../../Build/Debug/named-checkzone.exe" /pdbtype:sept 
+LINK32_OBJS= \
+	"$(INTDIR)\check-tool.obj" \
+	"$(INTDIR)\named-checkzone.obj" \
+	"..\..\..\lib\dns\win32\Debug\libdns.lib" \
+	"..\..\..\lib\isc\win32\Debug\libisc.lib"
+
+"..\..\..\Build\Debug\named-checkzone.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+
+!ENDIF 
+
+
+!IF "$(NO_EXTERNAL_DEPS)" != "1"
+!IF EXISTS("namedcheckzone.dep")
+!INCLUDE "namedcheckzone.dep"
+!ELSE 
+!MESSAGE Warning: cannot find "namedcheckzone.dep"
+!ENDIF 
+!ENDIF 
+
+
+!IF "$(CFG)" == "namedcheckzone - Win32 Release" || "$(CFG)" == "namedcheckzone - Win32 Debug"
+SOURCE="..\check-tool.c"
+
+!IF  "$(CFG)" == "namedcheckzone - Win32 Release"
+
+
+"$(INTDIR)\check-tool.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "namedcheckzone - Win32 Debug"
+
+
+"$(INTDIR)\check-tool.obj"	"$(INTDIR)\check-tool.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE="..\named-checkzone.c"
+
+!IF  "$(CFG)" == "namedcheckzone - Win32 Release"
+
+
+"$(INTDIR)\named-checkzone.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "namedcheckzone - Win32 Debug"
+
+
+"$(INTDIR)\named-checkzone.obj"	"$(INTDIR)\named-checkzone.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+!IF  "$(CFG)" == "namedcheckzone - Win32 Release"
+
+"libdns - Win32 Release" : 
+   cd "..\..\..\lib\dns\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libdns.mak" CFG="libdns - Win32 Release" 
+   cd "..\..\..\bin\check\win32"
+
+"libdns - Win32 ReleaseCLEAN" : 
+   cd "..\..\..\lib\dns\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libdns.mak" CFG="libdns - Win32 Release" RECURSE=1 CLEAN 
+   cd "..\..\..\bin\check\win32"
+
+!ELSEIF  "$(CFG)" == "namedcheckzone - Win32 Debug"
+
+"libdns - Win32 Debug" : 
+   cd "..\..\..\lib\dns\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libdns.mak" CFG="libdns - Win32 Debug" 
+   cd "..\..\..\bin\check\win32"
+
+"libdns - Win32 DebugCLEAN" : 
+   cd "..\..\..\lib\dns\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libdns.mak" CFG="libdns - Win32 Debug" RECURSE=1 CLEAN 
+   cd "..\..\..\bin\check\win32"
+
+!ENDIF 
+
+!IF  "$(CFG)" == "namedcheckzone - Win32 Release"
+
+"libisc - Win32 Release" : 
+   cd "..\..\..\lib\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - Win32 Release" 
+   cd "..\..\..\bin\check\win32"
+
+"libisc - Win32 ReleaseCLEAN" : 
+   cd "..\..\..\lib\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - Win32 Release" RECURSE=1 CLEAN 
+   cd "..\..\..\bin\check\win32"
+
+!ELSEIF  "$(CFG)" == "namedcheckzone - Win32 Debug"
+
+"libisc - Win32 Debug" : 
+   cd "..\..\..\lib\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - Win32 Debug" 
+   cd "..\..\..\bin\check\win32"
+
+"libisc - Win32 DebugCLEAN" : 
+   cd "..\..\..\lib\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - Win32 Debug" RECURSE=1 CLEAN 
+   cd "..\..\..\bin\check\win32"
+
+!ENDIF 
+
+
+!ENDIF 
+
diff --git a/bin/dig/Makefile.in b/bin/dig/Makefile.in
index c5d8130e..5ce4c2b6 100644
--- a/bin/dig/Makefile.in
+++ b/bin/dig/Makefile.in
@@ -1,5 +1,5 @@
 # Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2000, 2001  Internet Software Consortium.
+# Copyright (C) 2000-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.25.2.4 2004/08/18 23:22:52 marka Exp $
+# $Id: Makefile.in,v 1.25.12.10 2004/04/13 05:47:32 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -21,26 +21,35 @@ top_srcdir =	@top_srcdir@
 
 @BIND9_VERSION@
 
-@BIND9_INCLUDES@
+@BIND9_MAKE_INCLUDES@
 
-CINCLUDES =	-I${srcdir}/include ${DNS_INCLUDES} ${ISC_INCLUDES}
+CINCLUDES =	-I${srcdir}/include ${DNS_INCLUDES} ${BIND9_INCLUDES} \
+		${ISC_INCLUDES} ${LWRES_INCLUDES}
 
 CDEFINES =	-DVERSION=\"${VERSION}\"
 CWARNINGS =
 
-DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_OPENSSL_LIBS@ @DNS_GSSAPI_LIBS@
+ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
+DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
+BIND9LIBS =	../../lib/bind9/libbind9.@A@
 ISCLIBS =	../../lib/isc/libisc.@A@
+LWRESLIBS =	../../lib/lwres/liblwres.@A@
 
+ISCCFGDEPLIBS =	../../lib/isccfg/libisccfg.@A@
 DNSDEPLIBS =	../../lib/dns/libdns.@A@
+BIND9DEPLIBS =	../../lib/bind9/libbind9.@A@
 ISCDEPLIBS =	../../lib/isc/libisc.@A@
+LWRESDEPLIBS =	../../lib/lwres/liblwres.@A@
 
-DEPLIBS =	${DNSDEPLIBS} ${ISCDEPLIBS}
+DEPLIBS =	${DNSDEPLIBS} ${BIND9DEPLIBS} ${ISCDEPLIBS} ${ISCCFGDEPLIBS} \
+		${LWRESDEPLIBS}
 
-LIBS =		${DNSLIBS} ${ISCLIBS} @LIBS@
+LIBS =		${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCLIBS} \
+		${ISCCFGLIBS} @LIBS@
 
 SUBDIRS =
 
-TARGETS =	dig host nslookup
+TARGETS =	dig@EXEEXT@ host@EXEEXT@ nslookup@EXEEXT@
 
 OBJS =		dig.@O@ dighost.@O@ host.@O@ nslookup.@O@
 
@@ -48,22 +57,25 @@ UOBJS =
 
 SRCS =		dig.c dighost.c host.c nslookup.c
 
-MANPAGES =	dig.1 host.1 nslookup.1
+MANPAGES =	dig.1 host.1
 
-HTMLPAGES =	dig.html host.html nslookup.html
+HTMLPAGES =	dig.html host.html
 
 MANOBJS =	${MANPAGES} ${HTMLPAGES}
 
 @BIND9_MAKE_RULES@
 
-dig: dig.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ dig.@O@ dighost.@O@ ${UOBJS} ${LIBS}
+dig@EXEEXT@: dig.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} -o $@ \
+	dig.@O@ dighost.@O@ ${UOBJS} ${LIBS}
 
-host: host.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ host.@O@ dighost.@O@ ${UOBJS} ${LIBS}
+host@EXEEXT@: host.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} -o $@ \
+	host.@O@ dighost.@O@ ${UOBJS} ${LIBS}
 
-nslookup: nslookup.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ nslookup.@O@ dighost.@O@ ${UOBJS} ${LIBS}
+nslookup@EXEEXT@: nslookup.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} -o $@ \
+	nslookup.@O@ dighost.@O@ ${UOBJS} ${LIBS}
 
 doc man:: ${MANOBJS}
 
@@ -77,8 +89,13 @@ installdirs:
 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${bindir}
 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1
 
-install:: dig host nslookup installdirs
-	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} dig ${DESTDIR}${bindir}
-	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} host ${DESTDIR}${bindir}
-	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} nslookup ${DESTDIR}${bindir}
-	for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man1; done
+install:: dig@EXEEXT@ host@EXEEXT@ nslookup@EXEEXT@ installdirs
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \
+		dig@EXEEXT@ ${DESTDIR}${bindir}
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \
+		host@EXEEXT@ ${DESTDIR}${bindir}
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \
+		nslookup@EXEEXT@ ${DESTDIR}${bindir}
+	for m in ${MANPAGES}; do \
+		${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man1; \
+		done
diff --git a/bin/dig/dig.1 b/bin/dig/dig.1
index 39bf92da..8c2eb51e 100644
--- a/bin/dig/dig.1
+++ b/bin/dig/dig.1
@@ -1,447 +1,387 @@
-.\" Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
-.\" 
+.\" Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000-2003  Internet Software Consortium.
+.\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
 .\" copyright notice and this permission notice appear in all copies.
-.\" 
+.\"
 .\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 .\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 .\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 .\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dig.1,v 1.14.2.17 2007/05/16 06:57:45 marka Exp $
+.\" $Id: dig.1,v 1.14.2.4.2.5 2004/04/13 04:11:03 marka Exp $
 .\"
-.hy 0
-.ad l
-.\"     Title: dig
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: Jun 30, 2000
-.\"    Manual: BIND9
-.\"    Source: BIND9
-.\"
-.TH "DIG" "1" "Jun 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
+.TH "DIG" "1" "Jun 30, 2000" "BIND9" ""
+.SH NAME
 dig \- DNS lookup utility
-.SH "SYNOPSIS"
-.HP 4
-\fBdig\fR [@server] [\fB\-b\ \fR\fB\fIaddress\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIfilename\fR\fR] [\fB\-k\ \fR\fB\fIfilename\fR\fR] [\fB\-p\ \fR\fB\fIport#\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-x\ \fR\fB\fIaddr\fR\fR] [\fB\-y\ \fR\fB\fIname:key\fR\fR] [name] [type] [class] [queryopt...]
-.HP 4
-\fBdig\fR [\fB\-h\fR]
-.HP 4
-\fBdig\fR [global\-queryopt...] [query...]
+.SH SYNOPSIS
+.sp
+\fBdig\fR [ \fB@server\fR ]  [ \fB-b \fIaddress\fB\fR ]  [ \fB-c \fIclass\fB\fR ]  [ \fB-f \fIfilename\fB\fR ]  [ \fB-k \fIfilename\fB\fR ]  [ \fB-p \fIport#\fB\fR ]  [ \fB-t \fItype\fB\fR ]  [ \fB-x \fIaddr\fB\fR ]  [ \fB-y \fIname:key\fB\fR ]  [ \fB-4\fR ]  [ \fB-6\fR ]  [ \fBname\fR ]  [ \fBtype\fR ]  [ \fBclass\fR ]  [ \fBqueryopt\fR\fI...\fR ] 
+.sp
+\fBdig\fR [ \fB-h\fR ] 
+.sp
+\fBdig\fR [ \fBglobal-queryopt\fR\fI...\fR ]  [ \fBquery\fR\fI...\fR ] 
 .SH "DESCRIPTION"
 .PP
-\fBdig\fR
-(domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and displays the answers that are returned from the name server(s) that were queried. Most DNS administrators use
-\fBdig\fR
-to troubleshoot DNS problems because of its flexibility, ease of use and clarity of output. Other lookup tools tend to have less functionality than
-\fBdig\fR.
-.PP
-Although
-\fBdig\fR
-is normally used with command\-line arguments, it also has a batch mode of operation for reading lookup requests from a file. A brief summary of its command\-line arguments and options is printed when the
-\fB\-h\fR
-option is given. Unlike earlier versions, the BIND 9 implementation of
-\fBdig\fR
-allows multiple lookups to be issued from the command line.
+\fBdig\fR (domain information groper) is a flexible tool
+for interrogating DNS name servers. It performs DNS lookups and
+displays the answers that are returned from the name server(s) that
+were queried. Most DNS administrators use \fBdig\fR to
+troubleshoot DNS problems because of its flexibility, ease of use and
+clarity of output. Other lookup tools tend to have less functionality
+than \fBdig\fR.
+.PP
+Although \fBdig\fR is normally used with command-line
+arguments, it also has a batch mode of operation for reading lookup
+requests from a file. A brief summary of its command-line arguments
+and options is printed when the \fB-h\fR option is given.
+Unlike earlier versions, the BIND9 implementation of
+\fBdig\fR allows multiple lookups to be issued from the
+command line.
 .PP
 Unless it is told to query a specific name server,
-\fBdig\fR
-will try each of the servers listed in
+\fBdig\fR will try each of the servers listed in
 \fI/etc/resolv.conf\fR.
 .PP
-When no command line arguments or options are given, will perform an NS query for "." (the root).
-.PP
-It is possible to set per user defaults for
-\fBdig\fR
-via
-\fI${HOME}/.digrc\fR. This file is read and any options in it are applied before the command line arguments.
+When no command line arguments or options are given, will perform an
+NS query for "." (the root).
 .PP
-The IN and CH class names overlap with the IN and CH top level domains names. Either use the
-\fB\-t\fR
-and
-\fB\-c\fR
-options to specify the type and class or use "IN." and "CH." when looking up these top level domains.
+It is possible to set per-user defaults for \fBdig\fR via
+\fI${HOME}/.digrc\fR. This file is read and any options in it
+are applied before the command line arguments.
 .SH "SIMPLE USAGE"
 .PP
-A typical invocation of
-\fBdig\fR
-looks like:
+A typical invocation of \fBdig\fR looks like:
 .sp
-.RS 4
 .nf
  dig @server name type 
-.fi
-.RE
 .sp
+.fi
 where:
-.PP
+.TP
 \fBserver\fR
-.RS 4
-is the name or IP address of the name server to query. This can be an IPv4 address in dotted\-decimal notation or an IPv6 address in colon\-delimited notation. When the supplied
-\fIserver\fR
-argument is a hostname,
-\fBdig\fR
-resolves that name before querying that name server. If no
-\fIserver\fR
-argument is provided,
-\fBdig\fR
-consults
-\fI/etc/resolv.conf\fR
-and queries the name servers listed there. The reply from the name server that responds is displayed.
-.RE
-.PP
+is the name or IP address of the name server to query. This can be an IPv4
+address in dotted-decimal notation or an IPv6
+address in colon-delimited notation. When the supplied
+\fIserver\fR argument is a hostname,
+\fBdig\fR resolves that name before querying that name
+server. If no \fIserver\fR argument is provided,
+\fBdig\fR consults \fI/etc/resolv.conf\fR
+and queries the name servers listed there. The reply from the name
+server that responds is displayed.
+.TP
 \fBname\fR
-.RS 4
 is the name of the resource record that is to be looked up.
-.RE
-.PP
+.TP
 \fBtype\fR
-.RS 4
-indicates what type of query is required \(em ANY, A, MX, SIG, etc.
-\fItype\fR
-can be any valid query type. If no
-\fItype\fR
-argument is supplied,
-\fBdig\fR
-will perform a lookup for an A record.
-.RE
+indicates what type of query is required \(em
+ANY, A, MX, SIG, etc.
+\fItype\fR can be any valid query type. If no
+\fItype\fR argument is supplied,
+\fBdig\fR will perform a lookup for an A record.
 .SH "OPTIONS"
 .PP
-The
-\fB\-b\fR
-option sets the source IP address of the query to
-\fIaddress\fR. This must be a valid address on one of the host's network interfaces.
+The \fB-b\fR option sets the source IP address of the query
+to \fIaddress\fR. This must be a valid address on
+one of the host's network interfaces or "0.0.0.0" or "::". An optional port
+may be specified by appending "#<port>"
 .PP
 The default query class (IN for internet) is overridden by the
-\fB\-c\fR
-option.
-\fIclass\fR
-is any valid class, such as HS for Hesiod records or CH for Chaosnet records.
-.PP
-The
-\fB\-f\fR
-option makes
-\fBdig \fR
-operate in batch mode by reading a list of lookup requests to process from the file
-\fIfilename\fR. The file contains a number of queries, one per line. Each entry in the file should be organized in the same way they would be presented as queries to
-\fBdig\fR
-using the command\-line interface.
-.PP
-If a non\-standard port number is to be queried, the
-\fB\-p\fR
-option is used.
-\fIport#\fR
-is the port number that
-\fBdig\fR
-will send its queries instead of the standard DNS port number 53. This option would be used to test a name server that has been configured to listen for queries on a non\-standard port number.
-.PP
-The
-\fB\-t\fR
-option sets the query type to
-\fItype\fR. It can be any valid query type which is supported in BIND 9. The default query type is "A", unless the
-\fB\-x\fR
-option is supplied to indicate a reverse lookup. A zone transfer can be requested by specifying a type of AXFR. When an incremental zone transfer (IXFR) is required,
-\fItype\fR
-is set to
-ixfr=N. The incremental zone transfer will contain the changes made to the zone since the serial number in the zone's SOA record was
+\fB-c\fR option. \fIclass\fR is any valid
+class, such as HS for Hesiod records or CH for CHAOSNET records.
+.PP
+The \fB-f\fR option makes \fBdig \fR operate
+in batch mode by reading a list of lookup requests to process from the
+file \fIfilename\fR. The file contains a number of
+queries, one per line. Each entry in the file should be organised in
+the same way they would be presented as queries to
+\fBdig\fR using the command-line interface.
+.PP
+If a non-standard port number is to be queried, the
+\fB-p\fR option is used. \fIport#\fR is
+the port number that \fBdig\fR will send its queries
+instead of the standard DNS port number 53. This option would be used
+to test a name server that has been configured to listen for queries
+on a non-standard port number.
+.PP
+The \fB-4\fR option forces \fBdig\fR to only
+use IPv4 query transport. The \fB-6\fR option forces
+\fBdig\fR to only use IPv6 query transport.
+.PP
+The \fB-t\fR option sets the query type to
+\fItype\fR. It can be any valid query type which is
+supported in BIND9. The default query type "A", unless the
+\fB-x\fR option is supplied to indicate a reverse lookup.
+A zone transfer can be requested by specifying a type of AXFR. When
+an incremental zone transfer (IXFR) is required,
+\fItype\fR is set to ixfr=N.
+The incremental zone transfer will contain the changes made to the zone
+since the serial number in the zone's SOA record was
 \fIN\fR.
 .PP
-Reverse lookups \(em mapping addresses to names \(em are simplified by the
-\fB\-x\fR
-option.
-\fIaddr\fR
-is an IPv4 address in dotted\-decimal notation, or a colon\-delimited IPv6 address. When this option is used, there is no need to provide the
-\fIname\fR,
-\fIclass\fR
-and
-\fItype\fR
-arguments.
-\fBdig\fR
+Reverse lookups - mapping addresses to names - are simplified by the
+\fB-x\fR option. \fIaddr\fR is an IPv4
+address in dotted-decimal notation, or a colon-delimited IPv6 address.
+When this option is used, there is no need to provide the
+\fIname\fR, \fIclass\fR and
+\fItype\fR arguments. \fBdig\fR
 automatically performs a lookup for a name like
-11.12.13.10.in\-addr.arpa
-and sets the query type and class to PTR and IN respectively. By default, IPv6 addresses are looked up using the IP6.ARPA domain and binary labels as defined in RFC2874. To use the older RFC1886 method using the IP6.INT domain and "nibble" labels, specify the
-\fB\-n\fR
-(nibble) option.
-.PP
-To sign the DNS queries sent by
-\fBdig\fR
-and their responses using transaction signatures (TSIG), specify a TSIG key file using the
-\fB\-k\fR
-option. You can also specify the TSIG key itself on the command line using the
-\fB\-y\fR
-option;
-\fIname\fR
-is the name of the TSIG key and
-\fIkey\fR
-is the actual key. The key is a base\-64 encoded string, typically generated by
-\fBdnssec\-keygen\fR(8). Caution should be taken when using the
-\fB\-y\fR
-option on multi\-user systems as the key can be visible in the output from
-\fBps\fR(1 )
-or in the shell's history file. When using TSIG authentication with
-\fBdig\fR, the name server that is queried needs to know the key and algorithm that is being used. In BIND, this is done by providing appropriate
-\fBkey\fR
-and
-\fBserver\fR
-statements in
+11.12.13.10.in-addr.arpa and sets the query type and
+class to PTR and IN respectively. By default, IPv6 addresses are
+looked up using nibble format under the IP6.ARPA domain.
+To use the older RFC1886 method using the IP6.INT domain 
+specify the \fB-i\fR option. Bit string labels (RFC2874)
+are now experimental and are not attempted.
+.PP
+To sign the DNS queries sent by \fBdig\fR and their
+responses using transaction signatures (TSIG), specify a TSIG key file
+using the \fB-k\fR option. You can also specify the TSIG
+key itself on the command line using the \fB-y\fR option;
+\fIname\fR is the name of the TSIG key and
+\fIkey\fR is the actual key. The key is a base-64
+encoded string, typically generated by \fBdnssec-keygen\fR(8).
+Caution should be taken when using the \fB-y\fR option on
+multi-user systems as the key can be visible in the output from
+\fBps\fR(1) or in the shell's history file. When
+using TSIG authentication with \fBdig\fR, the name
+server that is queried needs to know the key and algorithm that is
+being used. In BIND, this is done by providing appropriate
+\fBkey\fR and \fBserver\fR statements in
 \fInamed.conf\fR.
 .SH "QUERY OPTIONS"
 .PP
-\fBdig\fR
-provides a number of query options which affect the way in which lookups are made and the results displayed. Some of these set or reset flag bits in the query header, some determine which sections of the answer get printed, and others determine the timeout and retry strategies.
-.PP
-Each query option is identified by a keyword preceded by a plus sign (+). Some keywords set or reset an option. These may be preceded by the string
-no
-to negate the meaning of that keyword. Other keywords assign values to options like the timeout interval. They have the form
-\fB+keyword=value\fR. The query options are:
-.PP
+\fBdig\fR provides a number of query options which affect
+the way in which lookups are made and the results displayed. Some of
+these set or reset flag bits in the query header, some determine which
+sections of the answer get printed, and others determine the timeout
+and retry strategies.
+.PP
+Each query option is identified by a keyword preceded by a plus sign
+(+). Some keywords set or reset an option. These may be preceded
+by the string no to negate the meaning of that keyword. Other
+keywords assign values to options like the timeout interval. They
+have the form \fB+keyword=value\fR.
+The query options are:
+.TP
 \fB+[no]tcp\fR
-.RS 4
-Use [do not use] TCP when querying name servers. The default behavior is to use UDP unless an AXFR or IXFR query is requested, in which case a TCP connection is used.
-.RE
-.PP
+Use [do not use] TCP when querying name servers. The default
+behaviour is to use UDP unless an AXFR or IXFR query is requested, in
+which case a TCP connection is used.
+.TP
 \fB+[no]vc\fR
-.RS 4
-Use [do not use] TCP when querying name servers. This alternate syntax to
-\fI+[no]tcp\fR
-is provided for backwards compatibility. The "vc" stands for "virtual circuit".
-.RE
-.PP
+Use [do not use] TCP when querying name servers. This alternate
+syntax to \fI+[no]tcp\fR is provided for backwards
+compatibility. The "vc" stands for "virtual circuit".
+.TP
 \fB+[no]ignore\fR
-.RS 4
-Ignore truncation in UDP responses instead of retrying with TCP. By default, TCP retries are performed.
-.RE
-.PP
+Ignore truncation in UDP responses instead of retrying with TCP. By
+default, TCP retries are performed.
+.TP
 \fB+domain=somename\fR
-.RS 4
 Set the search list to contain the single domain
 \fIsomename\fR, as if specified in a
-\fBdomain\fR
-directive in
-\fI/etc/resolv.conf\fR, and enable search list processing as if the
-\fI+search\fR
-option were given.
-.RE
-.PP
+\fBdomain\fR directive in
+\fI/etc/resolv.conf\fR, and enable search list
+processing as if the \fI+search\fR option were given.
+.TP
 \fB+[no]search\fR
-.RS 4
-Use [do not use] the search list defined by the searchlist or domain directive in
-\fIresolv.conf\fR
-(if any). The search list is not used by default.
-.RE
-.PP
+Use [do not use] the search list defined by the searchlist or domain
+directive in \fIresolv.conf\fR (if any).
+The search list is not used by default.
+.TP
 \fB+[no]defname\fR
-.RS 4
-Deprecated, treated as a synonym for
-\fI+[no]search\fR
-.RE
-.PP
+Deprecated, treated as a synonym for \fI+[no]search\fR
+.TP
 \fB+[no]aaonly\fR
-.RS 4
-This option does nothing. It is provided for compatibility with old versions of
-\fBdig\fR
-where it set an unimplemented resolver flag.
-.RE
-.PP
+This option does nothing. It is provided for compatibility with old
+versions of \fBdig\fR where it set an unimplemented
+resolver flag.
+.TP
 \fB+[no]adflag\fR
-.RS 4
-Set [do not set] the AD (authentic data) bit in the query. The AD bit currently has a standard meaning only in responses, not in queries, but the ability to set the bit in the query is provided for completeness.
-.RE
-.PP
+Set [do not set] the AD (authentic data) bit in the query. The AD bit
+currently has a standard meaning only in responses, not in queries,
+but the ability to set the bit in the query is provided for
+completeness.
+.TP
 \fB+[no]cdflag\fR
-.RS 4
-Set [do not set] the CD (checking disabled) bit in the query. This requests the server to not perform DNSSEC validation of responses.
-.RE
-.PP
+Set [do not set] the CD (checking disabled) bit in the query. This
+requests the server to not perform DNSSEC validation of responses.
+.TP
+\fB+[no]cl\fR
+Display [do not display] the CLASS when printing the record.
+.TP
+\fB+[no]ttlid\fR
+Display [do not display] the TTL when printing the record.
+.TP
 \fB+[no]recurse\fR
-.RS 4
-Toggle the setting of the RD (recursion desired) bit in the query. This bit is set by default, which means
-\fBdig\fR
-normally sends recursive queries. Recursion is automatically disabled when the
-\fI+nssearch\fR
-or
-\fI+trace\fR
-query options are used.
-.RE
-.PP
+Toggle the setting of the RD (recursion desired) bit in the query.
+This bit is set by default, which means \fBdig\fR
+normally sends recursive queries. Recursion is automatically disabled
+when the \fI+nssearch\fR or
+\fI+trace\fR query options are used.
+.TP
 \fB+[no]nssearch\fR
-.RS 4
-When this option is set,
-\fBdig\fR
-attempts to find the authoritative name servers for the zone containing the name being looked up and display the SOA record that each name server has for the zone.
-.RE
-.PP
+When this option is set, \fBdig\fR attempts to find the
+authoritative name servers for the zone containing the name being
+looked up and display the SOA record that each name server has for the
+zone.
+.TP
 \fB+[no]trace\fR
-.RS 4
-Toggle tracing of the delegation path from the root name servers for the name being looked up. Tracing is disabled by default. When tracing is enabled,
-\fBdig\fR
-makes iterative queries to resolve the name being looked up. It will follow referrals from the root servers, showing the answer from each server that was used to resolve the lookup.
-.RE
-.PP
+Toggle tracing of the delegation path from the root name servers for
+the name being looked up. Tracing is disabled by default. When
+tracing is enabled, \fBdig\fR makes iterative queries to
+resolve the name being looked up. It will follow referrals from the
+root servers, showing the answer from each server that was used to
+resolve the lookup.
+.TP
 \fB+[no]cmd\fR
-.RS 4
-Toggles the printing of the initial comment in the output identifying the version of
-\fBdig\fR
-and the query options that have been applied. This comment is printed by default.
-.RE
-.PP
+toggles the printing of the initial comment in the output identifying
+the version of \fBdig\fR and the query options that have
+been applied. This comment is printed by default.
+.TP
 \fB+[no]short\fR
-.RS 4
-Provide a terse answer. The default is to print the answer in a verbose form.
-.RE
-.PP
+Provide a terse answer. The default is to print the answer in a
+verbose form.
+.TP
 \fB+[no]identify\fR
-.RS 4
-Show [or do not show] the IP address and port number that supplied the answer when the
-\fI+short\fR
-option is enabled. If short form answers are requested, the default is not to show the source address and port number of the server that provided the answer.
-.RE
-.PP
+Show [or do not show] the IP address and port number that supplied the
+answer when the \fI+short\fR option is enabled. If
+short form answers are requested, the default is not to show the
+source address and port number of the server that provided the answer.
+.TP
 \fB+[no]comments\fR
-.RS 4
-Toggle the display of comment lines in the output. The default is to print comments.
-.RE
-.PP
+Toggle the display of comment lines in the output. The default is to
+print comments.
+.TP
 \fB+[no]stats\fR
-.RS 4
-This query option toggles the printing of statistics: when the query was made, the size of the reply and so on. The default behavior is to print the query statistics.
-.RE
-.PP
+This query option toggles the printing of statistics: when the query
+was made, the size of the reply and so on. The default behaviour is
+to print the query statistics.
+.TP
 \fB+[no]qr\fR
-.RS 4
-Print [do not print] the query as it is sent. By default, the query is not printed.
-.RE
-.PP
+Print [do not print] the query as it is sent.
+By default, the query is not printed.
+.TP
 \fB+[no]question\fR
-.RS 4
-Print [do not print] the question section of a query when an answer is returned. The default is to print the question section as a comment.
-.RE
-.PP
+Print [do not print] the question section of a query when an answer is
+returned. The default is to print the question section as a comment.
+.TP
 \fB+[no]answer\fR
-.RS 4
-Display [do not display] the answer section of a reply. The default is to display it.
-.RE
-.PP
+Display [do not display] the answer section of a reply. The default
+is to display it.
+.TP
 \fB+[no]authority\fR
-.RS 4
-Display [do not display] the authority section of a reply. The default is to display it.
-.RE
-.PP
+Display [do not display] the authority section of a reply. The
+default is to display it.
+.TP
 \fB+[no]additional\fR
-.RS 4
-Display [do not display] the additional section of a reply. The default is to display it.
-.RE
-.PP
+Display [do not display] the additional section of a reply.
+The default is to display it.
+.TP
 \fB+[no]all\fR
-.RS 4
 Set or clear all display flags.
-.RE
-.PP
+.TP
 \fB+time=T\fR
-.RS 4
 Sets the timeout for a query to
-\fIT\fR
-seconds. The default timeout is 5 seconds. An attempt to set
-\fIT\fR
-to less than 1 will result in a query timeout of 1 second being applied.
-.RE
-.PP
+\fIT\fR seconds. The default time out is 5 seconds.
+An attempt to set \fIT\fR to less than 1 will result
+in a query timeout of 1 second being applied.
+.TP
 \fB+tries=T\fR
-.RS 4
+Sets the number of times to try UDP queries to server to
+\fIT\fR instead of the default, 3. If
+\fIT\fR is less than or equal to zero, the number of
+tries is silently rounded up to 1.
+.TP
+\fB+retry=T\fR
 Sets the number of times to retry UDP queries to server to
-\fIT\fR
-instead of the default, 3. If
-\fIT\fR
-is less than or equal to zero, the number of retries is silently rounded up to 1.
-.RE
-.PP
+\fIT\fR instead of the default, 2. Unlike
+\fI+tries\fR, this does not include the initial
+query.
+.TP
 \fB+ndots=D\fR
-.RS 4
 Set the number of dots that have to appear in
-\fIname\fR
-to
-\fID\fR
-for it to be considered absolute. The default value is that defined using the ndots statement in
-\fI/etc/resolv.conf\fR, or 1 if no ndots statement is present. Names with fewer dots are interpreted as relative names and will be searched for in the domains listed in the
-\fBsearch\fR
-or
-\fBdomain\fR
-directive in
+\fIname\fR to \fID\fR for it to be
+considered absolute. The default value is that defined using the
+ndots statement in \fI/etc/resolv.conf\fR, or 1 if no
+ndots statement is present. Names with fewer dots are interpreted as
+relative names and will be searched for in the domains listed in the
+\fBsearch\fR or \fBdomain\fR directive in
 \fI/etc/resolv.conf\fR.
-.RE
-.PP
+.TP
 \fB+bufsize=B\fR
-.RS 4
 Set the UDP message buffer size advertised using EDNS0 to
-\fIB\fR
-bytes. The maximum and minimum sizes of this buffer are 65535 and 0 respectively. Values outside this range are rounded up or down appropriately.
-.RE
-.PP
+\fIB\fR bytes. The maximum and minimum sizes of this
+buffer are 65535 and 0 respectively. Values outside this range are
+rounded up or down appropriately.
+.TP
 \fB+[no]multiline\fR
-.RS 4
-Print records like the SOA records in a verbose multi\-line format with human\-readable comments. The default is to print each record on a single line, to facilitate machine parsing of the
-\fBdig\fR
-output.
-.RE
-.PP
+Print records like the SOA records in a verbose multi-line
+format with human-readable comments. The default is to print
+each record on a single line, to facilitate machine parsing 
+of the \fBdig\fR output.
+.TP
 \fB+[no]fail\fR
-.RS 4
-Do not try the next server if you receive a SERVFAIL. The default is to not try the next server which is the reverse of normal stub resolver behavior.
-.RE
-.PP
+Do not try the next server if you receive a SERVFAIL. The default is
+to not try the next server which is the reverse of normal stub resolver
+behaviour.
+.TP
 \fB+[no]besteffort\fR
-.RS 4
-Attempt to display the contents of messages which are malformed. The default is to not display malformed answers.
-.RE
-.PP
+Attempt to display the contents of messages which are malformed.
+The default is to not display malformed answers.
+.TP
 \fB+[no]dnssec\fR
-.RS 4
-Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO) in the OPT record in the additional section of the query.
-.RE
+Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO)
+in the OPT record in the additional section of the query.
+.TP
+\fB+[no]sigchase\fR
+Chase DNSSEC signature chains. Requires dig be compiled with
+-DDIG_SIGCHASE.
+.TP
+\fB+trusted-key=####\fR
+Specify a trusted key to be used with \fB+sigchase\fR.
+Requires dig be compiled with -DDIG_SIGCHASE.
+.TP
+\fB+[no]topdown\fR
+When chasing DNSSEC signature chains perform a top down validation.
+Requires dig be compiled with -DDIG_SIGCHASE.
 .SH "MULTIPLE QUERIES"
 .PP
-The BIND 9 implementation of
-\fBdig \fR
-supports specifying multiple queries on the command line (in addition to supporting the
-\fB\-f\fR
-batch file option). Each of those queries can be supplied with its own set of flags, options and query options.
-.PP
-In this case, each
-\fIquery\fR
-argument represent an individual query in the command\-line syntax described above. Each consists of any of the standard options and flags, the name to be looked up, an optional query type and class and any query options that should be applied to that query.
-.PP
-A global set of query options, which should be applied to all queries, can also be supplied. These global query options must precede the first tuple of name, class, type, options, flags, and query options supplied on the command line. Any global query options (except the
-\fB+[no]cmd\fR
-option) can be overridden by a query\-specific set of query options. For example:
+The BIND 9 implementation of \fBdig \fR supports
+specifying multiple queries on the command line (in addition to
+supporting the \fB-f\fR batch file option). Each of those
+queries can be supplied with its own set of flags, options and query
+options.
+.PP
+In this case, each \fIquery\fR argument represent an
+individual query in the command-line syntax described above. Each
+consists of any of the standard options and flags, the name to be
+looked up, an optional query type and class and any query options that
+should be applied to that query.
+.PP
+A global set of query options, which should be applied to all queries,
+can also be supplied. These global query options must precede the
+first tuple of name, class, type, options, flags, and query options
+supplied on the command line. Any global query options (except
+the \fB+[no]cmd\fR option) can be
+overridden by a query-specific set of query options. For example:
 .sp
-.RS 4
 .nf
-dig +qr www.isc.org any \-x 127.0.0.1 isc.org ns +noqr
-.fi
-.RE
+dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
 .sp
-shows how
-\fBdig\fR
-could be used from the command line to make three lookups: an ANY query for
-www.isc.org, a reverse lookup of 127.0.0.1 and a query for the NS records of
-isc.org. A global query option of
-\fI+qr\fR
-is applied, so that
-\fBdig\fR
-shows the initial query it made for each lookup. The final query has a local query option of
-\fI+noqr\fR
-which means that
-\fBdig\fR
+.fi
+shows how \fBdig\fR could be used from the command line
+to make three lookups: an ANY query for www.isc.org, a
+reverse lookup of 127.0.0.1 and a query for the NS records of
+isc.org.
+A global query option of \fI+qr\fR is applied, so
+that \fBdig\fR shows the initial query it made for each
+lookup. The final query has a local query option of
+\fI+noqr\fR which means that \fBdig\fR
 will not print the initial query when it looks up the NS records for
 isc.org.
 .SH "FILES"
@@ -453,13 +393,8 @@ isc.org.
 .PP
 \fBhost\fR(1),
 \fBnamed\fR(8),
-\fBdnssec\-keygen\fR(8),
-RFC1035.
+\fBdnssec-keygen\fR(8),
+\fIRFC1035\fR.
 .SH "BUGS"
 .PP
-There are probably too many query options.
-.SH "COPYRIGHT"
-Copyright \(co 2004\-2007 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000, 2001, 2003 Internet Software Consortium.
-.br
+There are probably too many query options. 
diff --git a/bin/dig/dig.c b/bin/dig/dig.c
index 95a23fa9..fecfb9f6 100644
--- a/bin/dig/dig.c
+++ b/bin/dig/dig.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dig.c,v 1.157.2.24 2007/04/24 23:45:24 tbox Exp $ */
+/* $Id: dig.c,v 1.157.2.13.2.15 2004/04/13 03:00:05 marka Exp $ */
 
 #include <config.h>
 #include <stdlib.h>
@@ -24,6 +24,7 @@
 
 #include <isc/app.h>
 #include <isc/netaddr.h>
+#include <isc/parseint.h>
 #include <isc/print.h>
 #include <isc/string.h>
 #include <isc/util.h>
@@ -40,8 +41,21 @@
 #include <dns/rdataclass.h>
 #include <dns/result.h>
 
+#ifdef DIG_SIGCHASE
+#ifndef DIG_SIGCHASE_BU
+#define DIG_SIGCHASE_BU 1
+#endif
+#ifndef DIG_SIGCHASE_TD
+#define DIG_SIGCHASE_TD 1
+#endif
+#endif
+
 #include <dig/dig.h>
 
+extern ISC_LIST(dig_lookup_t) lookup_list;
+extern dig_serverlist_t server_list;
+extern ISC_LIST(dig_searchlist_t) search_list;
+
 #define ADD_STRING(b, s) { 				\
 	if (strlen(s) >= isc_buffer_availablelength(b)) \
  		return (ISC_R_NOSPACE); 		\
@@ -49,20 +63,41 @@
 		isc_buffer_putstr(b, s); 		\
 }
 
-#define DIG_MAX_ADDRESSES 20
 
+extern isc_boolean_t have_ipv4, have_ipv6, specified_source,
+	usesearch, qr;
+extern in_port_t port;
+extern unsigned int timeout;
+extern isc_mem_t *mctx;
+extern dns_messageid_t id;
+extern int sendcount;
+extern int ndots;
+extern int lookup_counter;
+extern int exitcode;
+extern isc_sockaddr_t bind_address;
+extern char keynametext[MXNAME];
+extern char keyfile[MXNAME];
+extern char keysecret[MXNAME];
+#ifdef DIG_SIGCHASE
+extern char trustedkey[MXNAME];
+#endif
+extern dns_tsigkey_t *key;
+extern isc_boolean_t validated;
+extern isc_taskmgr_t *taskmgr;
+extern isc_task_t *global_task;
+extern isc_boolean_t free_now;
 dig_lookup_t *default_lookup = NULL;
 
+extern isc_boolean_t debugging, memdebugging;
 static char *batchname = NULL;
 static FILE *batchfp = NULL;
 static char *argv0;
-static int addresscount = 0;
 
 static char domainopt[DNS_NAME_MAXTEXT];
 
 static isc_boolean_t short_form = ISC_FALSE, printcmd = ISC_TRUE,
 	ip6_int = ISC_FALSE, plusquest = ISC_FALSE, pluscomm = ISC_FALSE,
-	multiline = ISC_FALSE;
+	multiline = ISC_FALSE, nottl = ISC_FALSE, noclass = ISC_FALSE;
 
 static const char *opcodetext[] = {
 	"QUERY",
@@ -103,6 +138,8 @@ static const char *rcodetext[] = {
 	"BADVERS"
 };
 
+extern char *progname;
+
 static void
 print_usage(FILE *fp) {
 	fputs(
@@ -120,6 +157,11 @@ usage(void) {
 }
 
 static void
+version(void) {
+	fputs("DiG " VERSION "\n", stderr);
+}
+
+static void
 help(void) {
 	print_usage(stdout);
 	fputs(
@@ -137,11 +179,14 @@ help(void) {
 "                 -c class            (specify query class)\n"
 "                 -k keyfile          (specify tsig key file)\n"
 "                 -y name:key         (specify named base64 tsig key)\n"
+"                 -4                  (use IPv4 query transport only)\n"
+"                 -6                  (use IPv6 query transport only)\n"
 "        d-opt    is of the form +keyword[=value], where keyword is:\n"
 "                 +[no]vc             (TCP mode)\n"
 "                 +[no]tcp            (TCP mode, alternate syntax)\n"
 "                 +time=###           (Set query timeout) [5]\n"
 "                 +tries=###          (Set number of UDP attempts) [3]\n"
+"                 +retry=###          (Set number of UDP retries) [2]\n"
 "                 +domain=###         (Set default domainname)\n"
 "                 +bufsize=###        (Set EDNS0 Max UDP packet size)\n"
 "                 +ndots=###          (Set NDOTS value)\n"
@@ -155,6 +200,7 @@ help(void) {
 "                 +[no]aaonly         (Set AA flag in query)\n"
 "                 +[no]adflag         (Set AD flag in query)\n"
 "                 +[no]cdflag         (Set CD flag in query)\n"
+"                 +[no]cl             (Control display of class in records)\n"
 "                 +[no]cmd            (Control display of command line)\n"
 "                 +[no]comments       (Control display of comment lines)\n"
 "                 +[no]question       (Control display of question)\n"
@@ -164,15 +210,25 @@ help(void) {
 "                 +[no]stats          (Control display of statistics)\n"
 "                 +[no]short          (Disable everything except short\n"
 "                                      form of answer)\n"
+"                 +[no]ttlid          (Control display of ttls in records)\n"
 "                 +[no]all            (Set or clear all display flags)\n"
 "                 +[no]qr             (Print question before sending)\n"
 "                 +[no]nssearch       (Search all authoritative nameservers)\n"
 "                 +[no]identify       (ID responders in short answers)\n"
 "                 +[no]trace          (Trace delegation down from root)\n"
 "                 +[no]dnssec         (Request DNSSEC records)\n"
+#ifdef DIG_SIGCHASE
+"                 +[no]sigchase       (Chase DNSSEC signatures)\n"
+"                 +trusted-key=####   (Trusted Key when chasing DNSSEC sigs)\n"
+#if DIG_SIGCHASE_TD
+"                 +[no]topdown        (Do DNSSEC validation top down mode)\n"
+#endif
+#endif
 "                 +[no]multiline      (Print records in an expanded format)\n"
 "        global d-opts and servers (before host name) affect all queries.\n"
-"        local d-opts and servers (after host name) affect only that lookup.\n",
+"        local d-opts and servers (after host name) affect only that lookup.\n"
+"        -h                           (print help and exit)\n"
+"        -v                           (print version and exit)\n",
 	stdout);
 }
 
@@ -183,14 +239,12 @@ void
 received(int bytes, isc_sockaddr_t *from, dig_query_t *query) {
 	isc_uint64_t diff;
 	isc_time_t now;
-	isc_result_t result;
 	time_t tnow;
 	char fromtext[ISC_SOCKADDR_FORMATSIZE];
 
 	isc_sockaddr_format(from, fromtext, sizeof(fromtext));
 
-	result = isc_time_now(&now);
-	check_result(result, "isc_time_now");
+	TIME_NOW(&now);
 
 	if (query->lookup->stats && !short_form) {
 		diff = isc_time_microdiff(&now, &query->time_sent);
@@ -199,8 +253,8 @@ received(int bytes, isc_sockaddr_t *from, dig_query_t *query) {
 		time(&tnow);
 		printf(";; WHEN: %s", ctime(&tnow));
 		if (query->lookup->doing_xfr) {
-			printf(";; XFR size: %d records\n",
-			       query->rr_count);
+			printf(";; XFR size: %u records (messages %u)\n",
+			       query->rr_count, query->msg_count);
 		} else {
 			printf(";; MSG SIZE  rcvd: %d\n", bytes);
 
@@ -252,9 +306,7 @@ say_message(dns_rdata_t *rdata, dig_query_t *query, isc_buffer_t *buf) {
 	result = dns_rdata_totext(rdata, NULL, buf);
 	check_result(result, "dns_rdata_totext");
 	if (query->lookup->identify) {
-		result = isc_time_now(&now);
-		if (result != ISC_R_SUCCESS)
-			return (result);
+		TIME_NOW(&now);
 		diff = isc_time_microdiff(&now, &query->time_sent);
 		ADD_STRING(buf, " from server ");
 		ADD_STRING(buf, query->servname);
@@ -317,6 +369,51 @@ short_answer(dns_message_t *msg, dns_messagetextflag_t flags,
 
 	return (ISC_R_SUCCESS);
 }
+#ifdef DIG_SIGCHASE
+isc_result_t
+printrdataset(dns_name_t *owner_name, dns_rdataset_t *rdataset,
+	      isc_buffer_t *target)
+{
+	isc_result_t result;
+	dns_master_style_t *style = NULL;
+	unsigned int styleflags = 0;
+
+	if (rdataset == NULL || owner_name == NULL || target == NULL)
+		return(ISC_FALSE);
+
+	styleflags |= DNS_STYLEFLAG_REL_OWNER;
+	if (nottl)
+		styleflags |= DNS_STYLEFLAG_NO_TTL;
+	if (noclass)
+		styleflags |= DNS_STYLEFLAG_NO_CLASS;
+	if (multiline) {
+		styleflags |= DNS_STYLEFLAG_OMIT_OWNER;
+		styleflags |= DNS_STYLEFLAG_OMIT_CLASS;
+		styleflags |= DNS_STYLEFLAG_REL_DATA;
+		styleflags |= DNS_STYLEFLAG_OMIT_TTL;
+		styleflags |= DNS_STYLEFLAG_TTL;
+		styleflags |= DNS_STYLEFLAG_MULTILINE;
+		styleflags |= DNS_STYLEFLAG_COMMENT;
+	}
+	if (multiline || (nottl && noclass))
+		result = dns_master_stylecreate(&style, styleflags,
+						24, 24, 24, 32, 80, 8, mctx);
+	else if (nottl || noclass)
+		result = dns_master_stylecreate(&style, styleflags,
+						24, 24, 32, 40, 80, 8, mctx);
+	else 
+		result = dns_master_stylecreate(&style, styleflags,
+						24, 32, 40, 48, 80, 8, mctx);
+	check_result(result, "dns_master_stylecreate");
+
+	result = dns_master_rdatasettotext(owner_name, rdataset, style, target);
+
+	if (style != NULL)
+		dns_master_styledestroy(&style, mctx);
+  
+	return(result);
+}
+#endif
 
 /*
  * Callback from dighost.c to print the reply from a server
@@ -327,12 +424,33 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
 	dns_messagetextflag_t flags;
 	isc_buffer_t *buf = NULL;
 	unsigned int len = OUTPUTBUF;
-	const dns_master_style_t *style;
-
-	if (multiline)
-		style = &dns_master_style_default;
-	else
-		style = &dns_master_style_debug;
+	dns_master_style_t *style = NULL;
+	unsigned int styleflags = 0;
+
+	styleflags |= DNS_STYLEFLAG_REL_OWNER;
+	if (nottl)
+		styleflags |= DNS_STYLEFLAG_NO_TTL;
+	if (noclass)
+		styleflags |= DNS_STYLEFLAG_NO_CLASS;
+	if (multiline) {
+		styleflags |= DNS_STYLEFLAG_OMIT_OWNER;
+		styleflags |= DNS_STYLEFLAG_OMIT_CLASS;
+		styleflags |= DNS_STYLEFLAG_REL_DATA;
+		styleflags |= DNS_STYLEFLAG_OMIT_TTL;
+		styleflags |= DNS_STYLEFLAG_TTL;
+		styleflags |= DNS_STYLEFLAG_MULTILINE;
+		styleflags |= DNS_STYLEFLAG_COMMENT;
+	}
+	if (multiline || (nottl && noclass))
+		result = dns_master_stylecreate(&style, styleflags,
+						24, 24, 24, 32, 80, 8, mctx);
+	else if (nottl || noclass)
+		result = dns_master_stylecreate(&style, styleflags,
+						24, 24, 32, 40, 80, 8, mctx);
+	else 
+		result = dns_master_stylecreate(&style, styleflags,
+						24, 32, 40, 48, 80, 8, mctx);
+	check_result(result, "dns_master_stylecreate");
 
 	if (query->lookup->cmdline[0] != 0) {
 		if (!short_form)
@@ -396,8 +514,7 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
 
 repopulate_buffer:
 
-	if (query->lookup->comments && headers && !short_form)
-	{
+	if (query->lookup->comments && headers && !short_form) {
 		result = dns_message_pseudosectiontotext(msg,
 			 DNS_PSEUDOSECTION_OPT,
 			 style, flags, buf);
@@ -409,7 +526,7 @@ buftoosmall:
 			if (result == ISC_R_SUCCESS)
 				goto repopulate_buffer;
 			else
-				return (result);
+				goto cleanup;
 		}
 		check_result(result,
 		     "dns_message_pseudosectiontotext");
@@ -481,13 +598,16 @@ buftoosmall:
 			}
 		}
 	}
-
 	if (headers && query->lookup->comments && !short_form)
 		printf("\n");
 
 	printf("%.*s", (int)isc_buffer_usedlength(buf),
 	       (char *)isc_buffer_base(buf));
 	isc_buffer_free(&buf);
+
+cleanup:
+	if (style != NULL)
+		dns_master_styledestroy(&style, mctx);
 	return (result);
 }
 
@@ -516,17 +636,8 @@ printgreeting(int argc, char **argv, dig_lookup_t *lookup) {
 		remaining = sizeof(lookup->cmdline) -
 			    strlen(lookup->cmdline) - 1;
 		strncat(lookup->cmdline, "\n", remaining);
-		if (first && addresscount != 0) {
-			snprintf(append, sizeof(append),
-				 "; (%d server%s found)\n",
-				 addresscount,
-				 addresscount > 1 ? "s" : "");
-			remaining = sizeof(lookup->cmdline) -
-				    strlen(lookup->cmdline) - 1;
-			strncat(lookup->cmdline, append, remaining);
-		}
 		if (first) {
-			snprintf(append, sizeof (append), 
+			snprintf(append, sizeof(append), 
 				 ";; global options: %s %s\n",
 			       short_form ? "short_form" : "",
 			       printcmd ? "printcmd" : "");
@@ -538,16 +649,52 @@ printgreeting(int argc, char **argv, dig_lookup_t *lookup) {
 	}
 }
 
+/*
+ * Reorder an argument list so that server names all come at the end.
+ * This is a bit of a hack, to allow batch-mode processing to properly
+ * handle the server options.
+ */
+static void
+reorder_args(int argc, char *argv[]) {
+	int i, j;
+	char *ptr;
+	int end;
+
+	debug("reorder_args()");
+	end = argc - 1;
+	while (argv[end][0] == '@') {
+		end--;
+		if (end == 0)
+			return;
+	}
+	debug("arg[end]=%s", argv[end]);
+	for (i = 1; i < end - 1; i++) {
+		if (argv[i][0] == '@') {
+			debug("arg[%d]=%s", i, argv[i]);
+			ptr = argv[i];
+			for (j = i + 1; j < end; j++) {
+				debug("Moving %s to %d", argv[j], j - 1);
+				argv[j - 1] = argv[j];
+			}
+			debug("moving %s to end, %d", ptr, end - 1);
+			argv[end - 1] = ptr;
+			end--;
+			if (end < 1)
+				return;
+		}
+	}
+}
+
 static isc_uint32_t
 parse_uint(char *arg, const char *desc, isc_uint32_t max) {
-	char *endp;
+	isc_result_t result;
 	isc_uint32_t tmp;
 
-	tmp = strtoul(arg, &endp, 10);
-	if (*endp != '\0')
-		fatal("%s '%s' must be numeric", desc, arg);
-	if (tmp > max)
-		fatal("%s '%s' out of range", desc, arg);
+	result = isc_parse_uint32(&tmp, arg, 10);
+	if (result == ISC_R_SUCCESS && tmp > max)
+		result = ISC_R_RANGE;
+	if (result != ISC_R_SUCCESS)
+		fatal("%s '%s': %s", desc, arg, isc_result_totext(result));
 	return (tmp);
 }
 
@@ -565,32 +712,53 @@ plus_option(char *option, isc_boolean_t is_batchfile,
 	char option_store[256];
 	char *cmd, *value, *ptr;
 	isc_boolean_t state = ISC_TRUE;
+#ifdef DIG_SIGCHASE
+	size_t n;
+#endif
 
 	strncpy(option_store, option, sizeof(option_store));
 	option_store[sizeof(option_store)-1]=0;
 	ptr = option_store;
-	cmd=next_token(&ptr,"=");
+	cmd = next_token(&ptr,"=");
 	if (cmd == NULL) {
-		printf(";; Invalid option %s\n",option_store);
+		printf(";; Invalid option %s\n", option_store);
 		return;
 	}
-	value=ptr;
-	if (strncasecmp(cmd,"no",2)==0) {
+	value = ptr;
+	if (strncasecmp(cmd, "no", 2)==0) {
 		cmd += 2;
 		state = ISC_FALSE;
 	}
+
+#define FULLCHECK(A) \
+	do { \
+		size_t _l = strlen(cmd); \
+		if (_l >= sizeof(A) || strncasecmp(cmd, A, _l) != 0) \
+			goto invalid_option; \
+	} while (0)
+#define FULLCHECK2(A, B) \
+	do { \
+		size_t _l = strlen(cmd); \
+		if ((_l >= sizeof(A) || strncasecmp(cmd, A, _l) != 0) && \
+		    (_l >= sizeof(B) || strncasecmp(cmd, B, _l) != 0)) \
+			goto invalid_option; \
+	} while (0)
+
 	switch (cmd[0]) {
 	case 'a':
 		switch (cmd[1]) {
 		case 'a': /* aaflag */
+			FULLCHECK("aaflag");
 			lookup->aaonly = state;
 			break;
 		case 'd': 
 			switch (cmd[2]) {
 			case 'd': /* additional */
+				FULLCHECK("additional");
 				lookup->section_additional = state;
 				break;
 			case 'f': /* adflag */
+				FULLCHECK("adflag");
 				lookup->adflag = state;
 				break;
 			default:
@@ -598,6 +766,7 @@ plus_option(char *option, isc_boolean_t is_batchfile,
 			}
 			break;
 		case 'l': /* all */
+			FULLCHECK("all");
 			lookup->section_question = state;
 			lookup->section_authority = state;
 			lookup->section_answer = state;
@@ -607,9 +776,11 @@ plus_option(char *option, isc_boolean_t is_batchfile,
 			printcmd = state;
 			break;
 		case 'n': /* answer */
+			FULLCHECK("answer");
 			lookup->section_answer = state;
 			break;
 		case 'u': /* authority */
+			FULLCHECK("authority");
 			lookup->section_authority = state;
 			break;
 		default:
@@ -619,9 +790,11 @@ plus_option(char *option, isc_boolean_t is_batchfile,
 	case 'b':
 		switch (cmd[1]) {
 		case 'e':/* besteffort */
+			FULLCHECK("besteffort");
 			lookup->besteffort = state;
 			break;
 		case 'u':/* bufsize */
+			FULLCHECK("bufsize");
 			if (value == NULL)
 				goto need_value;
 			if (!state)
@@ -636,12 +809,19 @@ plus_option(char *option, isc_boolean_t is_batchfile,
 	case 'c':
 		switch (cmd[1]) {
 		case 'd':/* cdflag */
+			FULLCHECK("cdflag");
 			lookup->cdflag = state;
 			break;
+		case 'l': /* cl */
+			FULLCHECK("cl");
+			noclass = !state;
+			break;
 		case 'm': /* cmd */
+			FULLCHECK("cmd");
 			printcmd = state;
 			break;
 		case 'o': /* comments */
+			FULLCHECK("comments");
 			lookup->comments = state;
 			if (lookup == default_lookup)
 				pluscomm = state;
@@ -653,12 +833,15 @@ plus_option(char *option, isc_boolean_t is_batchfile,
 	case 'd':
 		switch (cmd[1]) {
 		case 'e': /* defname */
+			FULLCHECK("defname");
 			usesearch = state;
 			break;
 		case 'n': /* dnssec */	
+			FULLCHECK("dnssec");
 			lookup->dnssec = state;
 			break;
 		case 'o': /* domain */	
+			FULLCHECK("domain");
 			if (value == NULL)
 				goto need_value;
 			if (!state)
@@ -671,24 +854,29 @@ plus_option(char *option, isc_boolean_t is_batchfile,
 		}
 		break;
 	case 'f': /* fail */
+		FULLCHECK("fail");
 		lookup->servfail_stops = state;
 		break;
 	case 'i':
 		switch (cmd[1]) {
 		case 'd': /* identify */
+			FULLCHECK("identify");
 			lookup->identify = state;
 			break;
 		case 'g': /* ignore */
 		default: /* Inherets default for compatibility */
+			FULLCHECK("ignore");
 			lookup->ignore = ISC_TRUE;
 		}
 		break;
 	case 'm': /* multiline */
+		FULLCHECK("multiline");
 		multiline = state;
 		break;
 	case 'n':
 		switch (cmd[1]) {
 		case 'd': /* ndots */
+			FULLCHECK("ndots");
 			if (value == NULL)
 				goto need_value;
 			if (!state)
@@ -696,10 +884,11 @@ plus_option(char *option, isc_boolean_t is_batchfile,
 			ndots = parse_uint(value, "ndots", MAXNDOTS);
 			break;
 		case 's': /* nssearch */
+			FULLCHECK("nssearch");
 			lookup->ns_search_only = state;
 			if (state) {
 				lookup->trace_root = ISC_TRUE;
-				lookup->recurse = ISC_TRUE;
+				lookup->recurse = ISC_FALSE;
 				lookup->identify = ISC_TRUE;
 				lookup->stats = ISC_FALSE;
 				lookup->comments = ISC_FALSE;
@@ -718,9 +907,11 @@ plus_option(char *option, isc_boolean_t is_batchfile,
 	case 'q': 
 		switch (cmd[1]) {
 		case 'r': /* qr */
+			FULLCHECK("qr");
 			qr = state;
 			break;
 		case 'u': /* question */
+			FULLCHECK("question");
 			lookup->section_question = state;
 			if (lookup == default_lookup)
 				plusquest = state;
@@ -729,15 +920,40 @@ plus_option(char *option, isc_boolean_t is_batchfile,
 			goto invalid_option;
 		}
 		break;
-	case 'r': /* recurse */
-		lookup->recurse = state;
+	case 'r':
+		switch (cmd[1]) {
+		case 'e':
+			switch (cmd[2]) {
+			case 'c': /* recurse */
+				FULLCHECK("recurse");
+				lookup->recurse = state;
+				break;
+			case 't': /* retry / retries */
+				FULLCHECK2("retry", "retries");
+				if (value == NULL)
+					goto need_value;
+				if (!state)
+					goto invalid_option;
+				lookup->retries = parse_uint(value, "retries",
+						       MAXTRIES - 1);
+				lookup->retries++;
+				break;
+			default:
+				goto invalid_option;
+			}
+			break;
+		default:
+			goto invalid_option;
+		}
 		break;
 	case 's':
 		switch (cmd[1]) {
 		case 'e': /* search */
+			FULLCHECK("search");
 			usesearch = state;
 			break;
 		case 'h': /* short */
+			FULLCHECK("short");
 			short_form = state;
 			if (state) {
 				printcmd = ISC_FALSE;
@@ -749,7 +965,16 @@ plus_option(char *option, isc_boolean_t is_batchfile,
 				lookup->stats = ISC_FALSE;
 			}
 			break;
+#ifdef DIG_SIGCHASE
+		case 'i': /* sigchase */
+		        FULLCHECK("sigchase");
+			lookup->sigchase = state;
+			if (lookup->sigchase)
+				lookup->dnssec = ISC_TRUE;
+			break;	
+#endif
 		case 't': /* stats */
+			FULLCHECK("stats");
 			lookup->stats = state;
 			break;
 		default:
@@ -759,10 +984,12 @@ plus_option(char *option, isc_boolean_t is_batchfile,
 	case 't':
 		switch (cmd[1]) {
 		case 'c': /* tcp */
+			FULLCHECK("tcp");
 			if (!is_batchfile)
 				lookup->tcp_mode = state;
 			break;
 		case 'i': /* timeout */
+			FULLCHECK("timeout");
 			if (value == NULL)
 				goto need_value;
 			if (!state)
@@ -771,9 +998,16 @@ plus_option(char *option, isc_boolean_t is_batchfile,
 			if (timeout == 0)
 				timeout = 1;
 			break;
+#if DIG_SIGCHASE_TD
+		case 'o': /* topdown */	
+			FULLCHECK("topdown");
+			lookup->do_topdown = state;
+			break;
+#endif
 		case 'r':
 			switch (cmd[2]) {
 			case 'a': /* trace */
+				FULLCHECK("trace");
 				lookup->trace = state;
 				lookup->trace_root = state;
 				if (state) {
@@ -783,28 +1017,46 @@ plus_option(char *option, isc_boolean_t is_batchfile,
 					lookup->stats = ISC_FALSE;
 					lookup->section_additional = ISC_FALSE;
 					lookup->section_authority = ISC_TRUE;
-					lookup->section_question = ISC_FALSE;
+				lookup->section_question = ISC_FALSE;
 				}
 				break;
 			case 'i': /* tries */
+				FULLCHECK("tries");
 				if (value == NULL)
 					goto need_value;
 				if (!state)
 					goto invalid_option;
-				lookup->retries = parse_uint(value, "retries",
-						       MAXTRIES);
+				lookup->retries = parse_uint(value, "tries",
+							     MAXTRIES);
 				if (lookup->retries == 0)
 					lookup->retries = 1;
 				break;
+#ifdef DIG_SIGCHASE
+			case 'u': /* trusted-key */
+			  	if (value == NULL) 
+					goto need_value;
+				if (!state)
+					goto invalid_option;
+				n = strlcpy(trustedkey, ptr,
+					    sizeof(trustedkey));
+				if (n >= sizeof(trustedkey))
+					fatal("trusted key too large");
+				break;
+#endif
 			default:
 				goto invalid_option;
 			}
 			break;
+		case 't': /* ttlid */
+			FULLCHECK("ttlid");
+			nottl = !state;
+			break;
 		default:
 			goto invalid_option;
 		}
 		break;
 	case 'v':
+		FULLCHECK("vc");
 		if (!is_batchfile)
 			lookup->tcp_mode = state;
 		break;
@@ -823,8 +1075,9 @@ plus_option(char *option, isc_boolean_t is_batchfile,
  */
 static isc_boolean_t
 dash_option(char *option, char *next, dig_lookup_t **lookup,
- 	    isc_boolean_t *open_type_class, isc_boolean_t *need_clone,
- 	    int argc, char **argv, isc_boolean_t *firstarg)
+	    isc_boolean_t *open_type_class,
+		isc_boolean_t *firstarg,
+		int argc, char **argv)
 {
 	char cmd, *value, *ptr;
 	isc_result_t result;
@@ -835,6 +1088,8 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
 	char textname[MXNAME];
 	struct in_addr in4;
 	struct in6_addr in6;
+	in_port_t srcport;
+	char *hash;
 
 	cmd = option[0];
 	if (strlen(option) > 1U) {
@@ -861,17 +1116,48 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
 	case 'n':
 		/* deprecated */
 		return (ISC_FALSE);
+	case '4':
+		if (have_ipv4) {
+			isc_net_disableipv6();
+			have_ipv6 = ISC_FALSE;
+		} else
+			fatal("can't find IPv4 networking");
+		return (ISC_FALSE);
+	case '6':
+		if (have_ipv6) {
+			isc_net_disableipv4();
+			have_ipv4 = ISC_FALSE;
+		} else
+			fatal("can't find IPv6 networking");
+		return (ISC_FALSE);
+	case 'v':
+		version();
+		exit(0);
+		break;
 	}
 	if (value == NULL)
 		goto invalid_option;
 	switch (cmd) {
 	case 'b':
+		hash = strchr(value, '#');
+		if (hash != NULL) {
+			srcport = (in_port_t)
+			  	parse_uint(hash + 1,
+					   "port number", MAXPORT);
+			*hash = '\0';
+		} else
+			srcport = 0;
 		if (have_ipv6 && inet_pton(AF_INET6, value, &in6) == 1)
-			isc_sockaddr_fromin6(&bind_address, &in6, 0);
+			isc_sockaddr_fromin6(&bind_address, &in6, srcport);
 		else if (have_ipv4 && inet_pton(AF_INET, value, &in4) == 1)
-			isc_sockaddr_fromin(&bind_address, &in4, 0);
-		else
+			isc_sockaddr_fromin(&bind_address, &in4, srcport);
+		else {
+			if (hash != NULL)
+				*hash = '#';
 			fatal("invalid address %s", value);
+		}
+		if (hash != NULL)
+			*hash = '#';
 		specified_source = ISC_TRUE;
 		return (value_from_next);
 	case 'c':
@@ -912,8 +1198,7 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
 			result = dns_rdatatype_fromtext(&rdtype,
 						(isc_textregion_t *)&tr);
 			if (result == ISC_R_SUCCESS &&
-			    rdtype == dns_rdatatype_ixfr)
-			{
+			    rdtype == dns_rdatatype_ixfr) {
 				result = DNS_R_UNKNOWN;
 			}
 		}
@@ -958,12 +1243,9 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
 		keysecret[sizeof(keysecret)-1]=0;
 		return (value_from_next);
 	case 'x':
- 		if (*need_clone)
- 			*lookup = clone_lookup(default_lookup, ISC_TRUE);
- 		*need_clone = ISC_TRUE;
-		if (get_reverse(textname, value, ip6_int, ISC_FALSE)
-		    == ISC_R_SUCCESS)
-		{
+		*lookup = clone_lookup(default_lookup, ISC_TRUE);
+		if (get_reverse(textname, sizeof(textname), value,
+				ip6_int, ISC_FALSE) == ISC_R_SUCCESS) {
 			strncpy((*lookup)->textname, textname,
 				sizeof((*lookup)->textname));
 			debug("looking up %s", (*lookup)->textname);
@@ -975,7 +1257,7 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
 			if (!(*lookup)->rdclassset)
 				(*lookup)->rdclass = dns_rdataclass_in;
 			(*lookup)->new_search = ISC_TRUE;
-			if (*firstarg) {
+			if (*lookup && *firstarg) {
 				printgreeting(argc, argv, *lookup);
 				*firstarg = ISC_FALSE;
 			}
@@ -1020,34 +1302,12 @@ preparse_args(int argc, char **argv) {
 
 
 static void
-getaddresses(dig_lookup_t *lookup, const char *host) {
-	isc_result_t result;
-	isc_sockaddr_t sockaddrs[DIG_MAX_ADDRESSES];
-	isc_netaddr_t netaddr;
-	int count, i;
-	dig_server_t *srv;
-	char tmp[ISC_NETADDR_FORMATSIZE];
-
-	result = get_addresses(host, 0, sockaddrs, DIG_MAX_ADDRESSES, &count);   
-	if (result != ISC_R_SUCCESS)
-		fatal("couldn't get address for '%s': %s",
-		      host, isc_result_totext(result));
-
-	for (i = 0; i < count; i++) {
-		isc_netaddr_fromsockaddr(&netaddr, &sockaddrs[i]);
-		isc_netaddr_format(&netaddr, tmp, sizeof(tmp));
-		srv = make_server(tmp, host);
-		ISC_LIST_APPEND(lookup->my_server_list, srv, link);
-	}
-	addresscount = count;
-}
-
-static void
 parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
 	   int argc, char **argv) {
 	isc_result_t result;
 	isc_textregion_t tr;
 	isc_boolean_t firstarg = ISC_TRUE;
+	dig_server_t *srv = NULL;
 	dig_lookup_t *lookup = NULL;
 	dns_rdatatype_t rdtype;
 	dns_rdataclass_t rdclass;
@@ -1062,8 +1322,6 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
 	char rcfile[256];
 #endif
 	char *input;
-	int i;
-	isc_boolean_t need_clone = ISC_TRUE;
 
 	/*
 	 * The semantics for parsing the args is a bit complex; if
@@ -1083,14 +1341,17 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
 
 #ifndef NOPOSIX
 		/*
-		 * Treat .digrc as a special batchfile
+		 * Treat ${HOME}/.digrc as a special batchfile
 		 */
+		INSIST(batchfp == NULL);
 		homedir = getenv("HOME");
-		if (homedir != NULL)
-			snprintf(rcfile, sizeof(rcfile), "%s/.digrc", homedir);
-		else
-			strcpy(rcfile, ".digrc");
-		batchfp = fopen(rcfile, "r");
+		if (homedir != NULL) {
+			unsigned int n;
+			n = snprintf(rcfile, sizeof(rcfile), "%s/.digrc",
+			             homedir);
+			if (n < sizeof(rcfile))
+				batchfp = fopen(rcfile, "r");
+		}
 		if (batchfp != NULL) {
 			while (fgets(batchline, sizeof(batchline),
 				     batchfp) != 0) {
@@ -1101,15 +1362,14 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
 				while ((bargv[bargc] != NULL) &&
 				       (bargc < 62)) {
 					bargc++;
-					bargv[bargc] = next_token(&input, " \t\r\n");
+					bargv[bargc] =
+						next_token(&input, " \t\r\n");
 				}
 
 				bargv[0] = argv[0];
 				argv0 = argv[0];
 
-				for(i = 0; i < bargc; i++)
-					debug(".digrc argv %d: %s",
-					      i, bargv[i]);
+				reorder_args(bargc, (char **)bargv);
 				parse_args(ISC_TRUE, ISC_TRUE, bargc,
 					   (char **)bargv);
 			}
@@ -1118,12 +1378,7 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
 #endif
 	}
 
-	if (is_batchfile && !config_only) {
-		/* Processing '-f batchfile'. */
-		lookup = clone_lookup(default_lookup, ISC_TRUE);
-		need_clone = ISC_FALSE;
-	} else
-		lookup = default_lookup;
+	lookup = default_lookup;
 
 	rc = argc;
 	rv = argv;
@@ -1132,7 +1387,9 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
 		if (strncmp(rv[0], "%", 1) == 0)
 			break;
 		if (strncmp(rv[0], "@", 1) == 0) {
-			getaddresses(lookup, &rv[0][1]);
+			srv = make_server(&rv[0][1]);
+			ISC_LIST_APPEND(lookup->my_server_list,
+					srv, link);
 		} else if (rv[0][0] == '+') {
 			plus_option(&rv[0][1], is_batchfile,
 				    lookup);
@@ -1140,16 +1397,14 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
 			if (rc <= 1) {
 				if (dash_option(&rv[0][1], NULL,
 						&lookup, &open_type_class,
- 						&need_clone, argc, argv,
-                                                &firstarg)) {
+						&firstarg, argc, argv)) {
 					rc--;
 					rv++;
 				}
 			} else {
 				if (dash_option(&rv[0][1], rv[1],
 						&lookup, &open_type_class,
- 						&need_clone, argc, argv,
-                                                &firstarg)) {
+						&firstarg, argc, argv)) {
 					rc--;
 					rv++;
 				}
@@ -1159,17 +1414,16 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
 			 * Anything which isn't an option
 			 */
 			if (open_type_class) {
-				if (strncasecmp(rv[0], "ixfr=", 5) == 0) {
+				if (strncmp(rv[0], "ixfr=", 5) == 0) {
 					rdtype = dns_rdatatype_ixfr;
 					result = ISC_R_SUCCESS;
 				} else {
 					tr.base = rv[0];
 					tr.length = strlen(rv[0]);
 					result = dns_rdatatype_fromtext(&rdtype,
-						     	(isc_textregion_t *)&tr);
+					     	(isc_textregion_t *)&tr);
 					if (result == ISC_R_SUCCESS &&
-					    rdtype == dns_rdatatype_ixfr)
-					{
+					    rdtype == dns_rdatatype_ixfr) {
 						result = DNS_R_UNKNOWN;
 						fprintf(stderr, ";; Warning, "
 							"ixfr requires a "
@@ -1177,28 +1431,30 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
 						continue;
 					}
 				}
-				if (result == ISC_R_SUCCESS)
-				{
+				if (result == ISC_R_SUCCESS) {
 					if (lookup->rdtypeset) {
 						fprintf(stderr, ";; Warning, "
 							"extra type option\n");
 					}
 					if (rdtype == dns_rdatatype_ixfr) {
-						lookup->rdtype = dns_rdatatype_ixfr;
+						lookup->rdtype =
+							dns_rdatatype_ixfr;
 						lookup->rdtypeset = ISC_TRUE;
 						lookup->ixfr_serial =
 							parse_uint(&rv[0][5],
 							  	"serial number",
 							  	MAXSERIAL);
-						lookup->section_question = plusquest;
+						lookup->section_question =
+							plusquest;
 						lookup->comments = pluscomm;
 					} else {
 						lookup->rdtype = rdtype;
 						lookup->rdtypeset = ISC_TRUE;
-						if (rdtype == dns_rdatatype_axfr) {
-							lookup->section_question =
+						if (rdtype ==
+						    dns_rdatatype_axfr) {
+						    lookup->section_question =
 								plusquest;
-							lookup->comments = pluscomm;
+						    lookup->comments = pluscomm;
 						}
 						lookup->ixfr_serial = ISC_FALSE;
 					}
@@ -1216,29 +1472,25 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
 					continue;
 				}
 			}
-
 			if (!config_only) {
-				if (need_clone)
-					lookup = clone_lookup(default_lookup,
-								      ISC_TRUE);
-				need_clone = ISC_TRUE;
+				lookup = clone_lookup(default_lookup,
+						      ISC_TRUE);
+				if (firstarg) {
+					printgreeting(argc, argv, lookup);
+					firstarg = ISC_FALSE;
+				}
 				strncpy(lookup->textname, rv[0], 
 					sizeof(lookup->textname));
 				lookup->textname[sizeof(lookup->textname)-1]=0;
 				lookup->trace_root = ISC_TF(lookup->trace  ||
 						     lookup->ns_search_only);
 				lookup->new_search = ISC_TRUE;
-				if (firstarg) {
-					printgreeting(argc, argv, lookup);
-					firstarg = ISC_FALSE;
-				}
 				ISC_LIST_APPEND(lookup_list, lookup, link);
 				debug("looking up %s", lookup->textname);
 			}
 			/* XXX Error message */
 		}
 	}
-
 	/*
 	 * If we have a batchfile, seed the lookup list with the
 	 * first entry, then trust the callback in dighost_shutdown
@@ -1253,7 +1505,7 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
 			perror(batchname);
 			if (exitcode < 8)
 				exitcode = 8;
-			fatal("Couldn't open specified batch file");
+			fatal("couldn't open specified batch file");
 		}
 		/* XXX Remove code dup from shutdown code */
 	next_line:
@@ -1273,20 +1525,15 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
 			bargv[0] = argv[0];
 			argv0 = argv[0];
 
-			for(i = 0; i < bargc; i++)
-				debug("batch argv %d: %s", i, bargv[i]);
+			reorder_args(bargc, (char **)bargv);
 			parse_args(ISC_TRUE, ISC_FALSE, bargc, (char **)bargv);
-			return;
 		}
-		return;
 	}
 	/*
 	 * If no lookup specified, search for root
 	 */
 	if ((lookup_list.head == NULL) && !config_only) {
-		if (need_clone)
-			lookup = clone_lookup(default_lookup, ISC_TRUE);
-		need_clone = ISC_TRUE;
+		lookup = clone_lookup(default_lookup, ISC_TRUE);
 		lookup->trace_root = ISC_TF(lookup->trace ||
 					    lookup->ns_search_only);
 		lookup->new_search = ISC_TRUE;
@@ -1299,8 +1546,6 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
 		}
 		ISC_LIST_APPEND(lookup_list, lookup, link);
 	}
-	if (!need_clone)
-		destroy_lookup(lookup);
 }
 
 /*
@@ -1314,14 +1559,13 @@ dighost_shutdown(void) {
 	int bargc;
 	char *bargv[16];
 	char *input;
-	int i;
+
 
 	if (batchname == NULL) {
 		isc_app_shutdown();
 		return;
 	}
 
-	fflush(stdout);
 	if (feof(batchfp)) {
 		batchname = NULL;
 		isc_app_shutdown();
@@ -1342,8 +1586,7 @@ dighost_shutdown(void) {
 
 		bargv[0] = argv0;
 
-		for(i = 0; i < bargc; i++)
-			debug("batch argv %d: %s", i, bargv[i]);
+		reorder_args(bargc, (char **)bargv);
 		parse_args(ISC_TRUE, ISC_FALSE, bargc, (char **)bargv);
 		start_lookup();
 	} else {
@@ -1358,6 +1601,7 @@ dighost_shutdown(void) {
 int
 main(int argc, char **argv) {
 	isc_result_t result;
+	dig_server_t *s, *s2;
 
 	ISC_LIST_INIT(lookup_list);
 	ISC_LIST_INIT(server_list);
@@ -1378,12 +1622,24 @@ main(int argc, char **argv) {
 	result = isc_app_onrun(mctx, global_task, onrun_callback, NULL);
 	check_result(result, "isc_app_onrun");
 	isc_app_run();
-	destroy_lookup(default_lookup);
+	s = ISC_LIST_HEAD(default_lookup->my_server_list);
+	while (s != NULL) {
+		debug("freeing server %p belonging to %p",
+		      s, default_lookup);
+		s2 = s;
+		s = ISC_LIST_NEXT(s, link);
+		ISC_LIST_DEQUEUE(default_lookup->my_server_list, s2, link);
+		isc_mem_free(mctx, s2);
+	}
+	isc_mem_free(mctx, default_lookup);
 	if (batchname != NULL) {
 		if (batchfp != stdin)
 			fclose(batchfp);
 		batchname = NULL;
 	}
+#ifdef DIG_SIGCHASE
+	clean_trustedkey();
+#endif
 	cancel_all();
 	destroy_libs();
 	isc_app_finish();
diff --git a/bin/dig/dig.docbook b/bin/dig/dig.docbook
index 591417c7..d083f21f 100644
--- a/bin/dig/dig.docbook
+++ b/bin/dig/dig.docbook
@@ -1,9 +1,7 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
 <!--
- - Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
+ - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2003  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -18,7 +16,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: dig.docbook,v 1.4.2.18 2007/05/16 02:07:44 marka Exp $ -->
+<!-- $Id: dig.docbook,v 1.4.2.7.4.8 2004/04/13 03:00:05 marka Exp $ -->
 
 <refentry>
 
@@ -32,22 +30,6 @@
 <refmiscinfo>BIND9</refmiscinfo>
 </refmeta>
 
-  <docinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2006</year>
-      <year>2007</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <year>2003</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
-  </docinfo>
-
 <refnamediv>
 <refname>dig</refname>
 <refpurpose>DNS lookup utility</refpurpose>
@@ -56,7 +38,7 @@
 <refsynopsisdiv>
 <cmdsynopsis>
 <command>dig</command>
-<arg choice="opt">@server</arg>
+<arg choice=opt>@server</arg>
 <arg><option>-b <replaceable class="parameter">address</replaceable></option></arg>
 <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
 <arg><option>-f <replaceable class="parameter">filename</replaceable></option></arg>
@@ -65,10 +47,12 @@
 <arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
 <arg><option>-x <replaceable class="parameter">addr</replaceable></option></arg>
 <arg><option>-y <replaceable class="parameter">name:key</replaceable></option></arg>
-<arg choice="opt">name</arg>
-<arg choice="opt">type</arg>
-<arg choice="opt">class</arg>
-<arg choice="opt" rep="repeat">queryopt</arg>
+<arg><option>-4</option></arg>
+<arg><option>-6</option></arg>
+<arg choice=opt>name</arg>
+<arg choice=opt>type</arg>
+<arg choice=opt>class</arg>
+<arg choice=opt rep=repeat>queryopt</arg>
 </cmdsynopsis>
 
 <cmdsynopsis>
@@ -78,8 +62,8 @@
 
 <cmdsynopsis>
 <command>dig</command>
-<arg choice="opt" rep="repeat">global-queryopt</arg>
-<arg choice="opt" rep="repeat">query</arg>
+<arg choice=opt rep=repeat>global-queryopt</arg>
+<arg choice=opt rep=repeat>query</arg>
 </cmdsynopsis>
 </refsynopsisdiv>
 
@@ -100,7 +84,7 @@ Although <command>dig</command> is normally used with command-line
 arguments, it also has a batch mode of operation for reading lookup
 requests from a file.  A brief summary of its command-line arguments
 and options is printed when the <option>-h</option> option is given.
-Unlike earlier versions, the BIND 9 implementation of
+Unlike earlier versions, the BIND9 implementation of
 <command>dig</command> allows multiple lookups to be issued from the
 command line.
 </para>
@@ -117,18 +101,11 @@ NS query for "." (the root).
 </para>
 
 <para>
-It is possible to set per user defaults for <command>dig</command> via
+It is possible to set per-user defaults for <command>dig</command> via
 <filename>${HOME}/.digrc</filename>.  This file is read and any options in it
 are applied before the command line arguments.
 </para>
 
-     <para>
-       The IN and CH class names overlap with the IN and CH top level
-       domains names.  Either use the <option>-t</option> and
-       <option>-c</option> options to specify the type and class or
-       use "IN." and "CH." when looking up these top level domains.
-     </para>
-
 </refsect1>
 
 <refsect1>
@@ -178,20 +155,21 @@ ANY, A, MX, SIG, etc.
 <para>
 The <option>-b</option> option sets the source IP address of the query
 to <parameter>address</parameter>.  This must be a valid address on
-one of the host's network interfaces.
+one of the host's network interfaces or "0.0.0.0" or "::".  An optional port
+may be specified by appending "#&lt;port&gt;"
 </para>
 
 <para>
 The default query class (IN for internet) is overridden by the
 <option>-c</option> option.  <parameter>class</parameter> is any valid
-class, such as HS for Hesiod records or CH for Chaosnet records.
+class, such as HS for Hesiod records or CH for CHAOSNET records.
 </para>
 
 <para>
 The <option>-f</option> option makes <command>dig </command> operate
 in batch mode by reading a list of lookup requests to process from the
 file <parameter>filename</parameter>.  The file contains a number of
-queries, one per line.  Each entry in the file should be organized in
+queries, one per line.  Each entry in the file should be organised in
 the same way they would be presented as queries to
 <command>dig</command> using the command-line interface.
 </para>
@@ -206,9 +184,15 @@ on a non-standard port number.
 </para>
 
 <para>
+The <option>-4</option> option forces <command>dig</command> to only
+use IPv4 query transport.  The <option>-6</option> option forces
+<command>dig</command> to only use IPv6 query transport.
+</para>
+
+<para>
 The <option>-t</option> option sets the query type to
 <parameter>type</parameter>.  It can be any valid query type which is
-supported in BIND 9.  The default query type is "A", unless the
+supported in BIND9.  The default query type "A", unless the
 <option>-x</option> option is supplied to indicate a reverse lookup.
 A zone transfer can be requested by specifying a type of AXFR.  When
 an incremental zone transfer (IXFR) is required,
@@ -219,7 +203,7 @@ since the serial number in the zone's SOA record was
 </para>
 
 <para>
-Reverse lookups &mdash; mapping addresses to names &mdash; are simplified by the
+Reverse lookups - mapping addresses to names - are simplified by the
 <option>-x</option> option.  <parameter>addr</parameter> is an IPv4
 address in dotted-decimal notation, or a colon-delimited IPv6 address.
 When this option is used, there is no need to provide the
@@ -228,9 +212,10 @@ When this option is used, there is no need to provide the
 automatically performs a lookup for a name like
 <literal>11.12.13.10.in-addr.arpa</literal> and sets the query type and
 class to PTR and IN respectively.  By default, IPv6 addresses are
-looked up using the IP6.ARPA domain and binary labels as defined in
-RFC2874.  To use the older RFC1886 method using the IP6.INT domain and
-"nibble" labels, specify the <option>-n</option> (nibble) option.
+looked up using nibble format under the IP6.ARPA domain.
+To use the older RFC1886 method using the IP6.INT domain 
+specify the <option>-i</option> option.  Bit string labels (RFC2874)
+are now experimental and are not attempted.
 </para>
 
 <para>
@@ -281,7 +266,7 @@ The query options are:
 <varlistentry><term><option>+[no]tcp</option></term>
 <listitem><para>
 Use [do not use] TCP when querying name servers.  The default
-behavior is to use UDP unless an AXFR or IXFR query is requested, in
+behaviour is to use UDP unless an AXFR or IXFR query is requested, in
 which case a TCP connection is used.
 </para></listitem></varlistentry>
 
@@ -340,6 +325,16 @@ Set [do not set] the CD (checking disabled) bit in the query.  This
 requests the server to not perform DNSSEC validation of responses.
 </para></listitem></varlistentry>
 
+<varlistentry><term><option>+[no]cl</option></term>
+<listitem><para>
+Display [do not display] the CLASS when printing the record.
+</para></listitem></varlistentry>
+
+<varlistentry><term><option>+[no]ttlid</option></term>
+<listitem><para>
+Display [do not display] the TTL when printing the record.
+</para></listitem></varlistentry>
+
 <varlistentry><term><option>+[no]recurse</option></term>
 <listitem><para>
 Toggle the setting of the RD (recursion desired) bit in the query.
@@ -369,7 +364,7 @@ resolve the lookup.
 
 <varlistentry><term><option>+[no]cmd</option></term>
 <listitem><para>
-Toggles the printing of the initial comment in the output identifying
+toggles the printing of the initial comment in the output identifying
 the version of <command>dig</command> and the query options that have
 been applied.  This comment is printed by default.
 </para></listitem></varlistentry>
@@ -397,7 +392,7 @@ print comments.
 <varlistentry><term><option>+[no]stats</option></term>
 <listitem><para>
 This query option toggles the printing of statistics: when the query
-was made, the size of the reply and so on.  The default behavior is
+was made, the size of the reply and so on.  The default behaviour is
 to print the query statistics.
 </para></listitem></varlistentry>
 
@@ -440,17 +435,25 @@ Set or clear all display flags.
 <listitem><para>
 
 Sets the timeout for a query to
-<parameter>T</parameter> seconds.  The default timeout is 5 seconds.
+<parameter>T</parameter> seconds.  The default time out is 5 seconds.
 An attempt to set <parameter>T</parameter> to less than 1 will result
 in a query timeout of 1 second being applied.
 </para></listitem></varlistentry>
 
 <varlistentry><term><option>+tries=T</option></term>
 <listitem><para>
-Sets the number of times to retry UDP queries to server to
+Sets the number of times to try UDP queries to server to
 <parameter>T</parameter> instead of the default, 3.  If
 <parameter>T</parameter> is less than or equal to zero, the number of
-retries is silently rounded up to 1.
+tries is silently rounded up to 1.
+</para></listitem></varlistentry>
+
+<varlistentry><term><option>+retry=T</option></term>
+<listitem><para>
+Sets the number of times to retry UDP queries to server to
+<parameter>T</parameter> instead of the default, 2.  Unlike
+<parameter>+tries</parameter>, this does not include the initial
+query.
 </para></listitem></varlistentry>
 
 <varlistentry><term><option>+ndots=D</option></term>
@@ -480,30 +483,46 @@ Print records like the SOA records in a verbose multi-line
 format with human-readable comments.  The default is to print
 each record on a single line, to facilitate machine parsing 
 of the <command>dig</command> output.
-</para>
-</listitem></varlistentry>
+</para></listitem></varlistentry>
 
 <varlistentry><term><option>+[no]fail</option></term>
 <listitem><para>
 Do not try the next server if you receive a SERVFAIL.  The default is
 to not try the next server which is the reverse of normal stub resolver
-behavior.
-</para>
+behaviour.
+</para></listitem></varlistentry>
 
-</listitem></varlistentry>
 <varlistentry><term><option>+[no]besteffort</option></term>
 <listitem><para>
 Attempt to display the contents of messages which are malformed.
 The default is to not display malformed answers.
-</para>
+</para></listitem></varlistentry>
 
-</listitem></varlistentry>
 <varlistentry><term><option>+[no]dnssec</option></term>
 <listitem><para>
 Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO)
 in the OPT record in the additional section of the query.
-</para>
-</listitem></varlistentry>
+</para></listitem></varlistentry>
+
+<varlistentry><term><option>+[no]sigchase</option></term>
+<listitem><para>
+Chase DNSSEC signature chains.  Requires dig be compiled with
+-DDIG_SIGCHASE.
+</para></listitem></varlistentry>
+
+<varlistentry><term><option>+trusted-key=####</option></term>
+<listitem><para>
+Specify a trusted key to be used with <option>+sigchase</option>.
+Requires dig be compiled with -DDIG_SIGCHASE.
+</para></listitem></varlistentry>
+
+<varlistentry><term><option>+[no]topdown</option></term>
+<listitem><para>
+When chasing DNSSEC signature chains perform a top down validation.
+Requires dig be compiled with -DDIG_SIGCHASE.
+</para></listitem></varlistentry>
+
+
 
 </variablelist>
 
diff --git a/bin/dig/dig.html b/bin/dig/dig.html
index 9f2e995b..8f67df1f 100644
--- a/bin/dig/dig.html
+++ b/bin/dig/dig.html
@@ -1,470 +1,1255 @@
 <!--
- - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
- - 
+ - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2003  Internet Software Consortium.
+ -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
- - 
+ -
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: dig.html,v 1.6.2.23 2007/05/16 06:57:45 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>dig</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476275"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p>dig &#8212; DNS lookup utility</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">dig</code>  [@server] [<code class="option">-b <em class="replaceable"><code>address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-k <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port#</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-x <em class="replaceable"><code>addr</code></em></code>] [<code class="option">-y <em class="replaceable"><code>name:key</code></em></code>] [name] [type] [class] [queryopt...]</p></div>
-<div class="cmdsynopsis"><p><code class="command">dig</code>  [<code class="option">-h</code>]</p></div>
-<div class="cmdsynopsis"><p><code class="command">dig</code>  [global-queryopt...] [query...]</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543474"></a><h2>DESCRIPTION</h2>
-<p>
-<span><strong class="command">dig</strong></span> (domain information groper) is a flexible tool
+
+<!-- $Id: dig.html,v 1.6.2.4.2.5 2004/04/13 04:11:03 marka Exp $ -->
+
+<HTML
+><HEAD
+><TITLE
+>dig</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.73
+"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+>dig</A
+></H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN8"
+></A
+><H2
+>Name</H2
+>dig&nbsp;--&nbsp;DNS lookup utility</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN11"
+></A
+><H2
+>Synopsis</H2
+><P
+><B
+CLASS="COMMAND"
+>dig</B
+>  [@server] [<TT
+CLASS="OPTION"
+>-b <TT
+CLASS="REPLACEABLE"
+><I
+>address</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-c <TT
+CLASS="REPLACEABLE"
+><I
+>class</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-f <TT
+CLASS="REPLACEABLE"
+><I
+>filename</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-k <TT
+CLASS="REPLACEABLE"
+><I
+>filename</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-p <TT
+CLASS="REPLACEABLE"
+><I
+>port#</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-t <TT
+CLASS="REPLACEABLE"
+><I
+>type</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-x <TT
+CLASS="REPLACEABLE"
+><I
+>addr</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-y <TT
+CLASS="REPLACEABLE"
+><I
+>name:key</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-4</TT
+>] [<TT
+CLASS="OPTION"
+>-6</TT
+>] [name] [type] [class] [queryopt...]</P
+><P
+><B
+CLASS="COMMAND"
+>dig</B
+>  [<TT
+CLASS="OPTION"
+>-h</TT
+>]</P
+><P
+><B
+CLASS="COMMAND"
+>dig</B
+>  [global-queryopt...] [query...]</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN55"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+><B
+CLASS="COMMAND"
+>dig</B
+> (domain information groper) is a flexible tool
 for interrogating DNS name servers.  It performs DNS lookups and
 displays the answers that are returned from the name server(s) that
-were queried.  Most DNS administrators use <span><strong class="command">dig</strong></span> to
+were queried.  Most DNS administrators use <B
+CLASS="COMMAND"
+>dig</B
+> to
 troubleshoot DNS problems because of its flexibility, ease of use and
 clarity of output.  Other lookup tools tend to have less functionality
-than <span><strong class="command">dig</strong></span>.
-</p>
-<p>
-Although <span><strong class="command">dig</strong></span> is normally used with command-line
+than <B
+CLASS="COMMAND"
+>dig</B
+>.</P
+><P
+>Although <B
+CLASS="COMMAND"
+>dig</B
+> is normally used with command-line
 arguments, it also has a batch mode of operation for reading lookup
 requests from a file.  A brief summary of its command-line arguments
-and options is printed when the <code class="option">-h</code> option is given.
-Unlike earlier versions, the BIND 9 implementation of
-<span><strong class="command">dig</strong></span> allows multiple lookups to be issued from the
-command line.
-</p>
-<p>
-Unless it is told to query a specific name server,
-<span><strong class="command">dig</strong></span> will try each of the servers listed in
-<code class="filename">/etc/resolv.conf</code>.
-</p>
-<p>
-When no command line arguments or options are given, will perform an
-NS query for "." (the root).
-</p>
-<p>
-It is possible to set per user defaults for <span><strong class="command">dig</strong></span> via
-<code class="filename">${HOME}/.digrc</code>.  This file is read and any options in it
-are applied before the command line arguments.
-</p>
-<p>
-       The IN and CH class names overlap with the IN and CH top level
-       domains names.  Either use the <code class="option">-t</code> and
-       <code class="option">-c</code> options to specify the type and class or
-       use "IN." and "CH." when looking up these top level domains.
-     </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543542"></a><h2>SIMPLE USAGE</h2>
-<p>
-A typical invocation of <span><strong class="command">dig</strong></span> looks like:
-</p>
-<pre class="programlisting"> dig @server name type </pre>
-<p> where:
+and options is printed when the <TT
+CLASS="OPTION"
+>-h</TT
+> option is given.
+Unlike earlier versions, the BIND9 implementation of
+<B
+CLASS="COMMAND"
+>dig</B
+> allows multiple lookups to be issued from the
+command line.</P
+><P
+>Unless it is told to query a specific name server,
+<B
+CLASS="COMMAND"
+>dig</B
+> will try each of the servers listed in
+<TT
+CLASS="FILENAME"
+>/etc/resolv.conf</TT
+>.</P
+><P
+>When no command line arguments or options are given, will perform an
+NS query for "." (the root).</P
+><P
+>It is possible to set per-user defaults for <B
+CLASS="COMMAND"
+>dig</B
+> via
+<TT
+CLASS="FILENAME"
+>${HOME}/.digrc</TT
+>.  This file is read and any options in it
+are applied before the command line arguments.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN72"
+></A
+><H2
+>SIMPLE USAGE</H2
+><P
+>A typical invocation of <B
+CLASS="COMMAND"
+>dig</B
+> looks like:
+<PRE
+CLASS="PROGRAMLISTING"
+> dig @server name type </PRE
+> where:
 
-</p>
-<div class="variablelist"><dl>
-<dt><span class="term"><code class="constant">server</code></span></dt>
-<dd><p>
-is the name or IP address of the name server to query.  This can be an IPv4
+<P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="CONSTANT"
+>server</TT
+></DT
+><DD
+><P
+>is the name or IP address of the name server to query.  This can be an IPv4
 address in dotted-decimal notation or an IPv6
 address in colon-delimited notation.  When the supplied
-<em class="parameter"><code>server</code></em> argument is a hostname,
-<span><strong class="command">dig</strong></span> resolves that name before querying that name
-server.  If no <em class="parameter"><code>server</code></em> argument is provided,
-<span><strong class="command">dig</strong></span> consults <code class="filename">/etc/resolv.conf</code>
+<TT
+CLASS="PARAMETER"
+><I
+>server</I
+></TT
+> argument is a hostname,
+<B
+CLASS="COMMAND"
+>dig</B
+> resolves that name before querying that name
+server.  If no <TT
+CLASS="PARAMETER"
+><I
+>server</I
+></TT
+> argument is provided,
+<B
+CLASS="COMMAND"
+>dig</B
+> consults <TT
+CLASS="FILENAME"
+>/etc/resolv.conf</TT
+>
 and queries the name servers listed there.  The reply from the name
-server that responds is displayed.
-</p></dd>
-<dt><span class="term"><code class="constant">name</code></span></dt>
-<dd><p>
-is the name of the resource record that is to be looked up.
-</p></dd>
-<dt><span class="term"><code class="constant">type</code></span></dt>
-<dd><p>
-indicates what type of query is required &#8212;
+server that responds is displayed.</P
+></DD
+><DT
+><TT
+CLASS="CONSTANT"
+>name</TT
+></DT
+><DD
+><P
+>is the name of the resource record that is to be looked up.</P
+></DD
+><DT
+><TT
+CLASS="CONSTANT"
+>type</TT
+></DT
+><DD
+><P
+>indicates what type of query is required &mdash;
 ANY, A, MX, SIG, etc.
-<em class="parameter"><code>type</code></em> can be any valid query type.  If no
-<em class="parameter"><code>type</code></em> argument is supplied,
-<span><strong class="command">dig</strong></span> will perform a lookup for an A record.
-</p></dd>
-</dl></div>
-<p>
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543621"></a><h2>OPTIONS</h2>
-<p>
-The <code class="option">-b</code> option sets the source IP address of the query
-to <em class="parameter"><code>address</code></em>.  This must be a valid address on
-one of the host's network interfaces.
-</p>
-<p>
-The default query class (IN for internet) is overridden by the
-<code class="option">-c</code> option.  <em class="parameter"><code>class</code></em> is any valid
-class, such as HS for Hesiod records or CH for Chaosnet records.
-</p>
-<p>
-The <code class="option">-f</code> option makes <span><strong class="command">dig </strong></span> operate
+<TT
+CLASS="PARAMETER"
+><I
+>type</I
+></TT
+> can be any valid query type.  If no
+<TT
+CLASS="PARAMETER"
+><I
+>type</I
+></TT
+> argument is supplied,
+<B
+CLASS="COMMAND"
+>dig</B
+> will perform a lookup for an A record.</P
+></DD
+></DL
+></DIV
+></P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN101"
+></A
+><H2
+>OPTIONS</H2
+><P
+>The <TT
+CLASS="OPTION"
+>-b</TT
+> option sets the source IP address of the query
+to <TT
+CLASS="PARAMETER"
+><I
+>address</I
+></TT
+>.  This must be a valid address on
+one of the host's network interfaces or "0.0.0.0" or "::".  An optional port
+may be specified by appending "#&lt;port&gt;"</P
+><P
+>The default query class (IN for internet) is overridden by the
+<TT
+CLASS="OPTION"
+>-c</TT
+> option.  <TT
+CLASS="PARAMETER"
+><I
+>class</I
+></TT
+> is any valid
+class, such as HS for Hesiod records or CH for CHAOSNET records.</P
+><P
+>The <TT
+CLASS="OPTION"
+>-f</TT
+> option makes <B
+CLASS="COMMAND"
+>dig </B
+> operate
 in batch mode by reading a list of lookup requests to process from the
-file <em class="parameter"><code>filename</code></em>.  The file contains a number of
-queries, one per line.  Each entry in the file should be organized in
+file <TT
+CLASS="PARAMETER"
+><I
+>filename</I
+></TT
+>.  The file contains a number of
+queries, one per line.  Each entry in the file should be organised in
 the same way they would be presented as queries to
-<span><strong class="command">dig</strong></span> using the command-line interface.
-</p>
-<p>
-If a non-standard port number is to be queried, the
-<code class="option">-p</code> option is used.  <em class="parameter"><code>port#</code></em> is
-the port number that <span><strong class="command">dig</strong></span> will send its queries
+<B
+CLASS="COMMAND"
+>dig</B
+> using the command-line interface.</P
+><P
+>If a non-standard port number is to be queried, the
+<TT
+CLASS="OPTION"
+>-p</TT
+> option is used.  <TT
+CLASS="PARAMETER"
+><I
+>port#</I
+></TT
+> is
+the port number that <B
+CLASS="COMMAND"
+>dig</B
+> will send its queries
 instead of the standard DNS port number 53.  This option would be used
 to test a name server that has been configured to listen for queries
-on a non-standard port number.
-</p>
-<p>
-The <code class="option">-t</code> option sets the query type to
-<em class="parameter"><code>type</code></em>.  It can be any valid query type which is
-supported in BIND 9.  The default query type is "A", unless the
-<code class="option">-x</code> option is supplied to indicate a reverse lookup.
+on a non-standard port number.</P
+><P
+>The <TT
+CLASS="OPTION"
+>-4</TT
+> option forces <B
+CLASS="COMMAND"
+>dig</B
+> to only
+use IPv4 query transport.  The <TT
+CLASS="OPTION"
+>-6</TT
+> option forces
+<B
+CLASS="COMMAND"
+>dig</B
+> to only use IPv6 query transport.</P
+><P
+>The <TT
+CLASS="OPTION"
+>-t</TT
+> option sets the query type to
+<TT
+CLASS="PARAMETER"
+><I
+>type</I
+></TT
+>.  It can be any valid query type which is
+supported in BIND9.  The default query type "A", unless the
+<TT
+CLASS="OPTION"
+>-x</TT
+> option is supplied to indicate a reverse lookup.
 A zone transfer can be requested by specifying a type of AXFR.  When
 an incremental zone transfer (IXFR) is required,
-<em class="parameter"><code>type</code></em> is set to <code class="literal">ixfr=N</code>.
+<TT
+CLASS="PARAMETER"
+><I
+>type</I
+></TT
+> is set to <TT
+CLASS="LITERAL"
+>ixfr=N</TT
+>.
 The incremental zone transfer will contain the changes made to the zone
 since the serial number in the zone's SOA record was
-<em class="parameter"><code>N</code></em>.
-</p>
-<p>
-Reverse lookups &#8212; mapping addresses to names &#8212; are simplified by the
-<code class="option">-x</code> option.  <em class="parameter"><code>addr</code></em> is an IPv4
+<TT
+CLASS="PARAMETER"
+><I
+>N</I
+></TT
+>.</P
+><P
+>Reverse lookups - mapping addresses to names - are simplified by the
+<TT
+CLASS="OPTION"
+>-x</TT
+> option.  <TT
+CLASS="PARAMETER"
+><I
+>addr</I
+></TT
+> is an IPv4
 address in dotted-decimal notation, or a colon-delimited IPv6 address.
 When this option is used, there is no need to provide the
-<em class="parameter"><code>name</code></em>, <em class="parameter"><code>class</code></em> and
-<em class="parameter"><code>type</code></em> arguments.  <span><strong class="command">dig</strong></span>
+<TT
+CLASS="PARAMETER"
+><I
+>name</I
+></TT
+>, <TT
+CLASS="PARAMETER"
+><I
+>class</I
+></TT
+> and
+<TT
+CLASS="PARAMETER"
+><I
+>type</I
+></TT
+> arguments.  <B
+CLASS="COMMAND"
+>dig</B
+>
 automatically performs a lookup for a name like
-<code class="literal">11.12.13.10.in-addr.arpa</code> and sets the query type and
+<TT
+CLASS="LITERAL"
+>11.12.13.10.in-addr.arpa</TT
+> and sets the query type and
 class to PTR and IN respectively.  By default, IPv6 addresses are
-looked up using the IP6.ARPA domain and binary labels as defined in
-RFC2874.  To use the older RFC1886 method using the IP6.INT domain and
-"nibble" labels, specify the <code class="option">-n</code> (nibble) option.
-</p>
-<p>
-To sign the DNS queries sent by <span><strong class="command">dig</strong></span> and their
+looked up using nibble format under the IP6.ARPA domain.
+To use the older RFC1886 method using the IP6.INT domain 
+specify the <TT
+CLASS="OPTION"
+>-i</TT
+> option.  Bit string labels (RFC2874)
+are now experimental and are not attempted.</P
+><P
+>To sign the DNS queries sent by <B
+CLASS="COMMAND"
+>dig</B
+> and their
 responses using transaction signatures (TSIG), specify a TSIG key file
-using the <code class="option">-k</code> option.  You can also specify the TSIG
-key itself on the command line using the <code class="option">-y</code> option;
-<em class="parameter"><code>name</code></em> is the name of the TSIG key and
-<em class="parameter"><code>key</code></em> is the actual key.  The key is a base-64
-encoded string, typically generated by <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>.
+using the <TT
+CLASS="OPTION"
+>-k</TT
+> option.  You can also specify the TSIG
+key itself on the command line using the <TT
+CLASS="OPTION"
+>-y</TT
+> option;
+<TT
+CLASS="PARAMETER"
+><I
+>name</I
+></TT
+> is the name of the TSIG key and
+<TT
+CLASS="PARAMETER"
+><I
+>key</I
+></TT
+> is the actual key.  The key is a base-64
+encoded string, typically generated by <SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>dnssec-keygen</SPAN
+>(8)</SPAN
+>.
 
-Caution should be taken when using the <code class="option">-y</code> option on
+Caution should be taken when using the <TT
+CLASS="OPTION"
+>-y</TT
+> option on
 multi-user systems as the key can be visible in the output from
-<span class="citerefentry"><span class="refentrytitle">ps</span>(1
-)</span> or in the shell's history file.  When
-using TSIG authentication with <span><strong class="command">dig</strong></span>, the name
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>ps</SPAN
+>(1)</SPAN
+> or in the shell's history file.  When
+using TSIG authentication with <B
+CLASS="COMMAND"
+>dig</B
+>, the name
 server that is queried needs to know the key and algorithm that is
 being used.  In BIND, this is done by providing appropriate
-<span><strong class="command">key</strong></span> and <span><strong class="command">server</strong></span> statements in
-<code class="filename">named.conf</code>.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543786"></a><h2>QUERY OPTIONS</h2>
-<p>
-<span><strong class="command">dig</strong></span> provides a number of query options which affect
+<B
+CLASS="COMMAND"
+>key</B
+> and <B
+CLASS="COMMAND"
+>server</B
+> statements in
+<TT
+CLASS="FILENAME"
+>named.conf</TT
+>.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN156"
+></A
+><H2
+>QUERY OPTIONS</H2
+><P
+><B
+CLASS="COMMAND"
+>dig</B
+> provides a number of query options which affect
 the way in which lookups are made and the results displayed.  Some of
 these set or reset flag bits in the query header, some determine which
 sections of the answer get printed, and others determine the timeout
-and retry strategies.
-</p>
-<p>
-Each query option is identified by a keyword preceded by a plus sign
-(<code class="literal">+</code>).  Some keywords set or reset an option.  These may be preceded
-by the string <code class="literal">no</code> to negate the meaning of that keyword.  Other
+and retry strategies.</P
+><P
+>Each query option is identified by a keyword preceded by a plus sign
+(<TT
+CLASS="LITERAL"
+>+</TT
+>).  Some keywords set or reset an option.  These may be preceded
+by the string <TT
+CLASS="LITERAL"
+>no</TT
+> to negate the meaning of that keyword.  Other
 keywords assign values to options like the timeout interval.  They
-have the form <code class="option">+keyword=value</code>.
+have the form <TT
+CLASS="OPTION"
+>+keyword=value</TT
+>.
 The query options are:
 
-</p>
-<div class="variablelist"><dl>
-<dt><span class="term"><code class="option">+[no]tcp</code></span></dt>
-<dd><p>
-Use [do not use] TCP when querying name servers.  The default
-behavior is to use UDP unless an AXFR or IXFR query is requested, in
-which case a TCP connection is used.
-</p></dd>
-<dt><span class="term"><code class="option">+[no]vc</code></span></dt>
-<dd><p>
-Use [do not use] TCP when querying name servers.  This alternate
-syntax to <em class="parameter"><code>+[no]tcp</code></em> is provided for backwards
-compatibility.  The "vc" stands for "virtual circuit".
-</p></dd>
-<dt><span class="term"><code class="option">+[no]ignore</code></span></dt>
-<dd><p>
-Ignore truncation in UDP responses instead of retrying with TCP.  By
-default, TCP retries are performed.
-</p></dd>
-<dt><span class="term"><code class="option">+domain=somename</code></span></dt>
-<dd><p>
-Set the search list to contain the single domain
-<em class="parameter"><code>somename</code></em>, as if specified in a
-<span><strong class="command">domain</strong></span> directive in
-<code class="filename">/etc/resolv.conf</code>, and enable search list
-processing as if the <em class="parameter"><code>+search</code></em> option were given.
-</p></dd>
-<dt><span class="term"><code class="option">+[no]search</code></span></dt>
-<dd><p>
-Use [do not use] the search list defined by the searchlist or domain
-directive in <code class="filename">resolv.conf</code> (if any).
-The search list is not used by default.
-</p></dd>
-<dt><span class="term"><code class="option">+[no]defname</code></span></dt>
-<dd><p>
-Deprecated, treated as a synonym for <em class="parameter"><code>+[no]search</code></em>
-</p></dd>
-<dt><span class="term"><code class="option">+[no]aaonly</code></span></dt>
-<dd><p>
-This option does nothing.  It is provided for compatibility with old
-versions of <span><strong class="command">dig</strong></span> where it set an unimplemented
-resolver flag.
-</p></dd>
-<dt><span class="term"><code class="option">+[no]adflag</code></span></dt>
-<dd><p>
-Set [do not set] the AD (authentic data) bit in the query.  The AD bit
+<P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="OPTION"
+>+[no]tcp</TT
+></DT
+><DD
+><P
+>Use [do not use] TCP when querying name servers.  The default
+behaviour is to use UDP unless an AXFR or IXFR query is requested, in
+which case a TCP connection is used.</P
+></DD
+><DT
+><TT
+CLASS="OPTION"
+>+[no]vc</TT
+></DT
+><DD
+><P
+>Use [do not use] TCP when querying name servers.  This alternate
+syntax to <TT
+CLASS="PARAMETER"
+><I
+>+[no]tcp</I
+></TT
+> is provided for backwards
+compatibility.  The "vc" stands for "virtual circuit".</P
+></DD
+><DT
+><TT
+CLASS="OPTION"
+>+[no]ignore</TT
+></DT
+><DD
+><P
+>Ignore truncation in UDP responses instead of retrying with TCP.  By
+default, TCP retries are performed.</P
+></DD
+><DT
+><TT
+CLASS="OPTION"
+>+domain=somename</TT
+></DT
+><DD
+><P
+>Set the search list to contain the single domain
+<TT
+CLASS="PARAMETER"
+><I
+>somename</I
+></TT
+>, as if specified in a
+<B
+CLASS="COMMAND"
+>domain</B
+> directive in
+<TT
+CLASS="FILENAME"
+>/etc/resolv.conf</TT
+>, and enable search list
+processing as if the <TT
+CLASS="PARAMETER"
+><I
+>+search</I
+></TT
+> option were given.</P
+></DD
+><DT
+><TT
+CLASS="OPTION"
+>+[no]search</TT
+></DT
+><DD
+><P
+>Use [do not use] the search list defined by the searchlist or domain
+directive in <TT
+CLASS="FILENAME"
+>resolv.conf</TT
+> (if any).
+The search list is not used by default.</P
+></DD
+><DT
+><TT
+CLASS="OPTION"
+>+[no]defname</TT
+></DT
+><DD
+><P
+>Deprecated, treated as a synonym for <TT
+CLASS="PARAMETER"
+><I
+>+[no]search</I
+></TT
+></P
+></DD
+><DT
+><TT
+CLASS="OPTION"
+>+[no]aaonly</TT
+></DT
+><DD
+><P
+>This option does nothing.  It is provided for compatibility with old
+versions of <B
+CLASS="COMMAND"
+>dig</B
+> where it set an unimplemented
+resolver flag.</P
+></DD
+><DT
+><TT
+CLASS="OPTION"
+>+[no]adflag</TT
+></DT
+><DD
+><P
+>Set [do not set] the AD (authentic data) bit in the query.  The AD bit
 currently has a standard meaning only in responses, not in queries,
 but the ability to set the bit in the query is provided for
-completeness.
-</p></dd>
-<dt><span class="term"><code class="option">+[no]cdflag</code></span></dt>
-<dd><p>
-Set [do not set] the CD (checking disabled) bit in the query.  This
-requests the server to not perform DNSSEC validation of responses.
-</p></dd>
-<dt><span class="term"><code class="option">+[no]recurse</code></span></dt>
-<dd><p>
-Toggle the setting of the RD (recursion desired) bit in the query.
-This bit is set by default, which means <span><strong class="command">dig</strong></span>
+completeness.</P
+></DD
+><DT
+><TT
+CLASS="OPTION"
+>+[no]cdflag</TT
+></DT
+><DD
+><P
+>Set [do not set] the CD (checking disabled) bit in the query.  This
+requests the server to not perform DNSSEC validation of responses.</P
+></DD
+><DT
+><TT
+CLASS="OPTION"
+>+[no]cl</TT
+></DT
+><DD
+><P
+>Display [do not display] the CLASS when printing the record.</P
+></DD
+><DT
+><TT
+CLASS="OPTION"
+>+[no]ttlid</TT
+></DT
+><DD
+><P
+>Display [do not display] the TTL when printing the record.</P
+></DD
+><DT
+><TT
+CLASS="OPTION"
+>+[no]recurse</TT
+></DT
+><DD
+><P
+>Toggle the setting of the RD (recursion desired) bit in the query.
+This bit is set by default, which means <B
+CLASS="COMMAND"
+>dig</B
+>
 normally sends recursive queries.  Recursion is automatically disabled
-when the <em class="parameter"><code>+nssearch</code></em> or
-<em class="parameter"><code>+trace</code></em> query options are used.
-</p></dd>
-<dt><span class="term"><code class="option">+[no]nssearch</code></span></dt>
-<dd><p>
-When this option is set, <span><strong class="command">dig</strong></span> attempts to find the
+when the <TT
+CLASS="PARAMETER"
+><I
+>+nssearch</I
+></TT
+> or
+<TT
+CLASS="PARAMETER"
+><I
+>+trace</I
+></TT
+> query options are used.</P
+></DD
+><DT
+><TT
+CLASS="OPTION"
+>+[no]nssearch</TT
+></DT
+><DD
+><P
+>When this option is set, <B
+CLASS="COMMAND"
+>dig</B
+> attempts to find the
 authoritative name servers for the zone containing the name being
 looked up and display the SOA record that each name server has for the
-zone.
-</p></dd>
-<dt><span class="term"><code class="option">+[no]trace</code></span></dt>
-<dd><p>
-Toggle tracing of the delegation path from the root name servers for
+zone.</P
+></DD
+><DT
+><TT
+CLASS="OPTION"
+>+[no]trace</TT
+></DT
+><DD
+><P
+>Toggle tracing of the delegation path from the root name servers for
 the name being looked up.  Tracing is disabled by default.  When
-tracing is enabled, <span><strong class="command">dig</strong></span> makes iterative queries to
+tracing is enabled, <B
+CLASS="COMMAND"
+>dig</B
+> makes iterative queries to
 resolve the name being looked up.  It will follow referrals from the
 root servers, showing the answer from each server that was used to
-resolve the lookup.
-</p></dd>
-<dt><span class="term"><code class="option">+[no]cmd</code></span></dt>
-<dd><p>
-Toggles the printing of the initial comment in the output identifying
-the version of <span><strong class="command">dig</strong></span> and the query options that have
-been applied.  This comment is printed by default.
-</p></dd>
-<dt><span class="term"><code class="option">+[no]short</code></span></dt>
-<dd><p>
-Provide a terse answer.  The default is to print the answer in a
-verbose form.
-</p></dd>
-<dt><span class="term"><code class="option">+[no]identify</code></span></dt>
-<dd><p>
-Show [or do not show] the IP address and port number that supplied the
-answer when the <em class="parameter"><code>+short</code></em> option is enabled.  If
+resolve the lookup.</P
+></DD
+><DT
+><TT
+CLASS="OPTION"
+>+[no]cmd</TT
+></DT
+><DD
+><P
+>toggles the printing of the initial comment in the output identifying
+the version of <B
+CLASS="COMMAND"
+>dig</B
+> and the query options that have
+been applied.  This comment is printed by default.</P
+></DD
+><DT
+><TT
+CLASS="OPTION"
+>+[no]short</TT
+></DT
+><DD
+><P
+>Provide a terse answer.  The default is to print the answer in a
+verbose form.</P
+></DD
+><DT
+><TT
+CLASS="OPTION"
+>+[no]identify</TT
+></DT
+><DD
+><P
+>Show [or do not show] the IP address and port number that supplied the
+answer when the <TT
+CLASS="PARAMETER"
+><I
+>+short</I
+></TT
+> option is enabled.  If
 short form answers are requested, the default is not to show the
-source address and port number of the server that provided the answer.
-</p></dd>
-<dt><span class="term"><code class="option">+[no]comments</code></span></dt>
-<dd><p>
-Toggle the display of comment lines in the output.  The default is to
-print comments.
-</p></dd>
-<dt><span class="term"><code class="option">+[no]stats</code></span></dt>
-<dd><p>
-This query option toggles the printing of statistics: when the query
-was made, the size of the reply and so on.  The default behavior is
-to print the query statistics.
-</p></dd>
-<dt><span class="term"><code class="option">+[no]qr</code></span></dt>
-<dd><p>
-Print [do not print] the query as it is sent.
-By default, the query is not printed.
-</p></dd>
-<dt><span class="term"><code class="option">+[no]question</code></span></dt>
-<dd><p>
-Print [do not print] the question section of a query when an answer is
-returned.  The default is to print the question section as a comment.
-</p></dd>
-<dt><span class="term"><code class="option">+[no]answer</code></span></dt>
-<dd><p>
-Display [do not display] the answer section of a reply.  The default
-is to display it.
-</p></dd>
-<dt><span class="term"><code class="option">+[no]authority</code></span></dt>
-<dd><p>
-Display [do not display] the authority section of a reply.  The
-default is to display it.
-</p></dd>
-<dt><span class="term"><code class="option">+[no]additional</code></span></dt>
-<dd><p>
-Display [do not display] the additional section of a reply.
-The default is to display it.
-</p></dd>
-<dt><span class="term"><code class="option">+[no]all</code></span></dt>
-<dd><p>
-Set or clear all display flags.
-</p></dd>
-<dt><span class="term"><code class="option">+time=T</code></span></dt>
-<dd><p>
-
-Sets the timeout for a query to
-<em class="parameter"><code>T</code></em> seconds.  The default timeout is 5 seconds.
-An attempt to set <em class="parameter"><code>T</code></em> to less than 1 will result
-in a query timeout of 1 second being applied.
-</p></dd>
-<dt><span class="term"><code class="option">+tries=T</code></span></dt>
-<dd><p>
-Sets the number of times to retry UDP queries to server to
-<em class="parameter"><code>T</code></em> instead of the default, 3.  If
-<em class="parameter"><code>T</code></em> is less than or equal to zero, the number of
-retries is silently rounded up to 1.
-</p></dd>
-<dt><span class="term"><code class="option">+ndots=D</code></span></dt>
-<dd><p>
-Set the number of dots that have to appear in
-<em class="parameter"><code>name</code></em> to <em class="parameter"><code>D</code></em> for it to be
+source address and port number of the server that provided the answer.</P
+></DD
+><DT
+><TT
+CLASS="OPTION"
+>+[no]comments</TT
+></DT
+><DD
+><P
+>Toggle the display of comment lines in the output.  The default is to
+print comments.</P
+></DD
+><DT
+><TT
+CLASS="OPTION"
+>+[no]stats</TT
+></DT
+><DD
+><P
+>This query option toggles the printing of statistics: when the query
+was made, the size of the reply and so on.  The default behaviour is
+to print the query statistics.</P
+></DD
+><DT
+><TT
+CLASS="OPTION"
+>+[no]qr</TT
+></DT
+><DD
+><P
+>Print [do not print] the query as it is sent.
+By default, the query is not printed.</P
+></DD
+><DT
+><TT
+CLASS="OPTION"
+>+[no]question</TT
+></DT
+><DD
+><P
+>Print [do not print] the question section of a query when an answer is
+returned.  The default is to print the question section as a comment.</P
+></DD
+><DT
+><TT
+CLASS="OPTION"
+>+[no]answer</TT
+></DT
+><DD
+><P
+>Display [do not display] the answer section of a reply.  The default
+is to display it.</P
+></DD
+><DT
+><TT
+CLASS="OPTION"
+>+[no]authority</TT
+></DT
+><DD
+><P
+>Display [do not display] the authority section of a reply.  The
+default is to display it.</P
+></DD
+><DT
+><TT
+CLASS="OPTION"
+>+[no]additional</TT
+></DT
+><DD
+><P
+>Display [do not display] the additional section of a reply.
+The default is to display it.</P
+></DD
+><DT
+><TT
+CLASS="OPTION"
+>+[no]all</TT
+></DT
+><DD
+><P
+>Set or clear all display flags.</P
+></DD
+><DT
+><TT
+CLASS="OPTION"
+>+time=T</TT
+></DT
+><DD
+><P
+>&#13;Sets the timeout for a query to
+<TT
+CLASS="PARAMETER"
+><I
+>T</I
+></TT
+> seconds.  The default time out is 5 seconds.
+An attempt to set <TT
+CLASS="PARAMETER"
+><I
+>T</I
+></TT
+> to less than 1 will result
+in a query timeout of 1 second being applied.</P
+></DD
+><DT
+><TT
+CLASS="OPTION"
+>+tries=T</TT
+></DT
+><DD
+><P
+>Sets the number of times to try UDP queries to server to
+<TT
+CLASS="PARAMETER"
+><I
+>T</I
+></TT
+> instead of the default, 3.  If
+<TT
+CLASS="PARAMETER"
+><I
+>T</I
+></TT
+> is less than or equal to zero, the number of
+tries is silently rounded up to 1.</P
+></DD
+><DT
+><TT
+CLASS="OPTION"
+>+retry=T</TT
+></DT
+><DD
+><P
+>Sets the number of times to retry UDP queries to server to
+<TT
+CLASS="PARAMETER"
+><I
+>T</I
+></TT
+> instead of the default, 2.  Unlike
+<TT
+CLASS="PARAMETER"
+><I
+>+tries</I
+></TT
+>, this does not include the initial
+query.</P
+></DD
+><DT
+><TT
+CLASS="OPTION"
+>+ndots=D</TT
+></DT
+><DD
+><P
+>Set the number of dots that have to appear in
+<TT
+CLASS="PARAMETER"
+><I
+>name</I
+></TT
+> to <TT
+CLASS="PARAMETER"
+><I
+>D</I
+></TT
+> for it to be
 considered absolute.  The default value is that defined using the
-ndots statement in <code class="filename">/etc/resolv.conf</code>, or 1 if no
+ndots statement in <TT
+CLASS="FILENAME"
+>/etc/resolv.conf</TT
+>, or 1 if no
 ndots statement is present.  Names with fewer dots are interpreted as
 relative names and will be searched for in the domains listed in the
-<code class="option">search</code> or <code class="option">domain</code> directive in
-<code class="filename">/etc/resolv.conf</code>.
-</p></dd>
-<dt><span class="term"><code class="option">+bufsize=B</code></span></dt>
-<dd><p>
-Set the UDP message buffer size advertised using EDNS0 to
-<em class="parameter"><code>B</code></em> bytes.  The maximum and minimum sizes of this
+<TT
+CLASS="OPTION"
+>search</TT
+> or <TT
+CLASS="OPTION"
+>domain</TT
+> directive in
+<TT
+CLASS="FILENAME"
+>/etc/resolv.conf</TT
+>.</P
+></DD
+><DT
+><TT
+CLASS="OPTION"
+>+bufsize=B</TT
+></DT
+><DD
+><P
+>Set the UDP message buffer size advertised using EDNS0 to
+<TT
+CLASS="PARAMETER"
+><I
+>B</I
+></TT
+> bytes.  The maximum and minimum sizes of this
 buffer are 65535 and 0 respectively.  Values outside this range are
-rounded up or down appropriately.
-</p></dd>
-<dt><span class="term"><code class="option">+[no]multiline</code></span></dt>
-<dd><p>
-Print records like the SOA records in a verbose multi-line
+rounded up or down appropriately.</P
+></DD
+><DT
+><TT
+CLASS="OPTION"
+>+[no]multiline</TT
+></DT
+><DD
+><P
+>Print records like the SOA records in a verbose multi-line
 format with human-readable comments.  The default is to print
 each record on a single line, to facilitate machine parsing 
-of the <span><strong class="command">dig</strong></span> output.
-</p></dd>
-<dt><span class="term"><code class="option">+[no]fail</code></span></dt>
-<dd><p>
-Do not try the next server if you receive a SERVFAIL.  The default is
+of the <B
+CLASS="COMMAND"
+>dig</B
+> output.</P
+></DD
+><DT
+><TT
+CLASS="OPTION"
+>+[no]fail</TT
+></DT
+><DD
+><P
+>Do not try the next server if you receive a SERVFAIL.  The default is
 to not try the next server which is the reverse of normal stub resolver
-behavior.
-</p></dd>
-<dt><span class="term"><code class="option">+[no]besteffort</code></span></dt>
-<dd><p>
-Attempt to display the contents of messages which are malformed.
-The default is to not display malformed answers.
-</p></dd>
-<dt><span class="term"><code class="option">+[no]dnssec</code></span></dt>
-<dd><p>
-Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO)
-in the OPT record in the additional section of the query.
-</p></dd>
-</dl></div>
-<p>
-
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2544354"></a><h2>MULTIPLE QUERIES</h2>
-<p>
-The BIND 9 implementation of <span><strong class="command">dig </strong></span> supports
+behaviour.</P
+></DD
+><DT
+><TT
+CLASS="OPTION"
+>+[no]besteffort</TT
+></DT
+><DD
+><P
+>Attempt to display the contents of messages which are malformed.
+The default is to not display malformed answers.</P
+></DD
+><DT
+><TT
+CLASS="OPTION"
+>+[no]dnssec</TT
+></DT
+><DD
+><P
+>Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO)
+in the OPT record in the additional section of the query.</P
+></DD
+><DT
+><TT
+CLASS="OPTION"
+>+[no]sigchase</TT
+></DT
+><DD
+><P
+>Chase DNSSEC signature chains.  Requires dig be compiled with
+-DDIG_SIGCHASE.</P
+></DD
+><DT
+><TT
+CLASS="OPTION"
+>+trusted-key=####</TT
+></DT
+><DD
+><P
+>Specify a trusted key to be used with <TT
+CLASS="OPTION"
+>+sigchase</TT
+>.
+Requires dig be compiled with -DDIG_SIGCHASE.</P
+></DD
+><DT
+><TT
+CLASS="OPTION"
+>+[no]topdown</TT
+></DT
+><DD
+><P
+>When chasing DNSSEC signature chains perform a top down validation.
+Requires dig be compiled with -DDIG_SIGCHASE.</P
+></DD
+></DL
+></DIV
+>&#13;</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN380"
+></A
+><H2
+>MULTIPLE QUERIES</H2
+><P
+>The BIND 9 implementation of <B
+CLASS="COMMAND"
+>dig </B
+> supports
 specifying multiple queries on the command line (in addition to
-supporting the <code class="option">-f</code> batch file option).  Each of those
+supporting the <TT
+CLASS="OPTION"
+>-f</TT
+> batch file option).  Each of those
 queries can be supplied with its own set of flags, options and query
-options.
-</p>
-<p>
-In this case, each <em class="parameter"><code>query</code></em> argument represent an
+options.</P
+><P
+>In this case, each <TT
+CLASS="PARAMETER"
+><I
+>query</I
+></TT
+> argument represent an
 individual query in the command-line syntax described above.  Each
 consists of any of the standard options and flags, the name to be
 looked up, an optional query type and class and any query options that
-should be applied to that query.
-</p>
-<p>
-A global set of query options, which should be applied to all queries,
+should be applied to that query.</P
+><P
+>A global set of query options, which should be applied to all queries,
 can also be supplied.  These global query options must precede the
 first tuple of name, class, type, options, flags, and query options
 supplied on the command line.  Any global query options (except
-the <code class="option">+[no]cmd</code> option) can be
+the <TT
+CLASS="OPTION"
+>+[no]cmd</TT
+> option) can be
 overridden by a query-specific set of query options.  For example:
-</p>
-<pre class="programlisting">
-dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
-</pre>
-<p>
-shows how <span><strong class="command">dig</strong></span> could be used from the command line
-to make three lookups: an ANY query for <code class="literal">www.isc.org</code>, a
+<PRE
+CLASS="PROGRAMLISTING"
+>dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr</PRE
+>
+shows how <B
+CLASS="COMMAND"
+>dig</B
+> could be used from the command line
+to make three lookups: an ANY query for <TT
+CLASS="LITERAL"
+>www.isc.org</TT
+>, a
 reverse lookup of 127.0.0.1 and a query for the NS records of
-<code class="literal">isc.org</code>.
+<TT
+CLASS="LITERAL"
+>isc.org</TT
+>.
 
-A global query option of <em class="parameter"><code>+qr</code></em> is applied, so
-that <span><strong class="command">dig</strong></span> shows the initial query it made for each
+A global query option of <TT
+CLASS="PARAMETER"
+><I
+>+qr</I
+></TT
+> is applied, so
+that <B
+CLASS="COMMAND"
+>dig</B
+> shows the initial query it made for each
 lookup.  The final query has a local query option of
-<em class="parameter"><code>+noqr</code></em> which means that <span><strong class="command">dig</strong></span>
+<TT
+CLASS="PARAMETER"
+><I
+>+noqr</I
+></TT
+> which means that <B
+CLASS="COMMAND"
+>dig</B
+>
 will not print the initial query when it looks up the NS records for
-<code class="literal">isc.org</code>.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2544481"></a><h2>FILES</h2>
-<p>
-<code class="filename">/etc/resolv.conf</code>
-</p>
-<p>
-<code class="filename">${HOME}/.digrc</code>
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2544500"></a><h2>SEE ALSO</h2>
-<p>
-<span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>,
-<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
-<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
-<em class="citetitle">RFC1035</em>.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2544606"></a><h2>BUGS </h2>
-<p>
-There are probably too many query options. 
-</p>
-</div>
-</div></body>
-</html>
+<TT
+CLASS="LITERAL"
+>isc.org</TT
+>.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN398"
+></A
+><H2
+>FILES</H2
+><P
+><TT
+CLASS="FILENAME"
+>/etc/resolv.conf</TT
+></P
+><P
+><TT
+CLASS="FILENAME"
+>${HOME}/.digrc</TT
+></P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN404"
+></A
+><H2
+>SEE ALSO</H2
+><P
+><SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>host</SPAN
+>(1)</SPAN
+>,
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>named</SPAN
+>(8)</SPAN
+>,
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>dnssec-keygen</SPAN
+>(8)</SPAN
+>,
+<I
+CLASS="CITETITLE"
+>RFC1035</I
+>.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN417"
+></A
+><H2
+>BUGS </H2
+><P
+>There are probably too many query options. </P
+></DIV
+></BODY
+></HTML
+>
diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
index a9ad9c68..d5e75a69 100644
--- a/bin/dig/dighost.c
+++ b/bin/dig/dighost.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dighost.c,v 1.221.2.38 2007/04/24 07:46:40 each Exp $ */
+/* $Id: dighost.c,v 1.221.2.19.2.11 2004/04/13 03:00:06 marka Exp $ */
 
 /*
  * Notice to programmers:  Do not use this code as an example of how to
@@ -32,7 +32,24 @@
 #include <string.h>
 #include <limits.h>
 
+#ifdef DIG_SIGCHASE
+#ifndef DIG_SIGCHASE_BU
+#define DIG_SIGCHASE_BU 1
+#endif
+#ifndef DIG_SIGCHASE_TD
+#define DIG_SIGCHASE_TD 1
+#endif
+#endif 
+
 #include <dns/byaddr.h>
+#ifdef DIG_SIGCHASE
+#include <dns/dnssec.h>
+#include <dns/ds.h>
+#include <dns/nsec.h>
+#include <isc/file.h>
+#include <isc/random.h>
+#include <ctype.h>
+#endif
 #include <dns/fixedname.h>
 #include <dns/message.h>
 #include <dns/name.h>
@@ -50,10 +67,11 @@
 #include <isc/app.h>
 #include <isc/base64.h>
 #include <isc/entropy.h>
-#include <isc/file.h>
 #include <isc/lang.h>
 #include <isc/netaddr.h>
+#ifdef DIG_SIGCHASE
 #include <isc/netdb.h>
+#endif
 #include <isc/print.h>
 #include <isc/random.h>
 #include <isc/result.h>
@@ -63,25 +81,27 @@
 #include <isc/types.h>
 #include <isc/util.h>
 
+#include <lwres/lwres.h>
+#include <lwres/net.h>
+
+#include <bind9/getaddresses.h>
+
 #include <dig/dig.h>
 
-#ifdef HAVE_ADDRINFO
-#ifdef HAVE_GETADDRINFO
-#ifdef HAVE_GAISTRERROR
-#define USE_GETADDRINFO
-#endif
-#endif
+#if ! defined(NS_INADDRSZ)
+#define NS_INADDRSZ	 4
 #endif
 
-#ifndef USE_GETADDRINFO
-#ifndef ISC_PLATFORM_NONSTDHERRNO
-extern int h_errno;
-#endif
+#if ! defined(NS_IN6ADDRSZ)
+#define NS_IN6ADDRSZ	16
 #endif
 
-dig_lookuplist_t lookup_list;
+static lwres_context_t *lwctx = NULL;
+static lwres_conf_t *lwconf;
+
+ISC_LIST(dig_lookup_t) lookup_list;
 dig_serverlist_t server_list;
-dig_searchlistlist_t search_list;
+ISC_LIST(dig_searchlist_t) search_list;
 
 isc_boolean_t
 	have_ipv4 = ISC_FALSE,
@@ -105,7 +125,7 @@ int sendcount = 0;
 int recvcount = 0;
 int sockcount = 0;
 int ndots = -1;
-int tries = 2;
+int tries = 3;
 int lookup_counter = 0;
 
 /*
@@ -133,6 +153,152 @@ char *progname = NULL;
 isc_mutex_t lookup_lock;
 dig_lookup_t *current_lookup = NULL;
 
+#ifdef DIG_SIGCHASE
+
+isc_result_t      get_trusted_key(isc_mem_t *mctx);
+dns_rdataset_t *  sigchase_scanname(dns_rdatatype_t type,
+				    dns_rdatatype_t covers,
+				    isc_boolean_t *lookedup,
+				    dns_name_t *rdata_name);
+dns_rdataset_t *  chase_scanname_section(dns_message_t *msg,
+					 dns_name_t *name,
+					 dns_rdatatype_t type,
+					 dns_rdatatype_t covers,
+					 int section);
+isc_result_t      advanced_rrsearch(dns_rdataset_t **rdataset,
+				    dns_name_t *name,
+				    dns_rdatatype_t type,
+				    dns_rdatatype_t covers,
+				    isc_boolean_t *lookedup);
+isc_result_t      sigchase_verify_sig_key(dns_name_t *name,
+					  dns_rdataset_t *rdataset,
+					  dst_key_t* dnsseckey,
+					  dns_rdataset_t *sigrdataset,
+					  isc_mem_t *mctx);
+isc_result_t      sigchase_verify_sig(dns_name_t *name,
+				      dns_rdataset_t *rdataset,
+				      dns_rdataset_t *keyrdataset,
+				      dns_rdataset_t *sigrdataset,
+				      isc_mem_t *mctx);
+isc_result_t      sigchase_verify_ds(dns_name_t *name,
+				     dns_rdataset_t *keyrdataset,
+				     dns_rdataset_t *dsrdataset,
+				     isc_mem_t *mctx);
+void              sigchase(dns_message_t *msg);
+void              print_rdata(dns_rdata_t *rdata, isc_mem_t *mctx);
+void              print_rdataset(dns_name_t *name,
+				 dns_rdataset_t *rdataset, isc_mem_t *mctx);
+void              dup_name(dns_name_t *source, dns_name_t* target,
+			   isc_mem_t *mctx);
+void              dump_database(void);
+void              dump_database_section(dns_message_t *msg, int section);
+dns_rdataset_t *  search_type(dns_name_t *name, dns_rdatatype_t type,
+			      dns_rdatatype_t covers);
+isc_result_t      contains_trusted_key(dns_name_t *name,
+				       dns_rdataset_t *rdataset,
+				       dns_rdataset_t *sigrdataset,
+				       isc_mem_t *mctx);
+void              print_type(dns_rdatatype_t type);
+isc_result_t      prove_nx_domain(dns_message_t * msg,
+				  dns_name_t * name,
+				  dns_name_t * rdata_name,
+				  dns_rdataset_t ** rdataset,
+				  dns_rdataset_t ** sigrdataset);
+isc_result_t      prove_nx_type(dns_message_t * msg, dns_name_t *name,
+				dns_rdataset_t *nsec,
+				dns_rdataclass_t class,
+				dns_rdatatype_t type,
+				dns_name_t * rdata_name,
+				dns_rdataset_t ** rdataset,
+				dns_rdataset_t ** sigrdataset);
+isc_result_t      prove_nx(dns_message_t * msg, dns_name_t * name,
+			   dns_rdataclass_t class,
+			   dns_rdatatype_t type,
+			   dns_name_t * rdata_name,
+			   dns_rdataset_t ** rdataset,
+			   dns_rdataset_t ** sigrdataset);
+isc_result_t      nameFromString( const char *str, dns_name_t *p_ret );
+int               inf_name(dns_name_t * name1, dns_name_t * name2);
+isc_result_t      opentmpkey(isc_mem_t *mctx, const char *file,
+			     char **tempp, FILE **fp);
+isc_result_t      removetmpkey(isc_mem_t *mctx, const char *file);
+void              clean_trustedkey(void );
+void              insert_trustedkey(dst_key_t  * key);
+#if DIG_SIGCHASE_BU
+isc_result_t      getneededrr(dns_message_t *msg);
+void              sigchase_bottom_up(dns_message_t *msg);
+void              sigchase_bu(dns_message_t *msg);
+#endif
+#if DIG_SIGCHASE_TD
+isc_result_t      initialization(dns_name_t *name);
+isc_result_t      prepare_lookup(dns_name_t *name);
+isc_result_t      grandfather_pb_test(dns_name_t * zone_name,
+				      dns_rdataset_t *sigrdataset);
+isc_result_t      child_of_zone(dns_name_t *name,
+				dns_name_t *zone_name,
+				dns_name_t *child_name);
+void              sigchase_td(dns_message_t *msg);
+#endif
+char trustedkey[MXNAME] = "";
+
+dns_rdataset_t * chase_rdataset = NULL;
+dns_rdataset_t * chase_sigrdataset = NULL;
+dns_rdataset_t * chase_dsrdataset = NULL;
+dns_rdataset_t * chase_sigdsrdataset = NULL;
+dns_rdataset_t * chase_keyrdataset = NULL;
+dns_rdataset_t * chase_sigkeyrdataset = NULL;
+dns_rdataset_t * chase_nsrdataset = NULL;
+
+dns_name_t  chase_name; /* the query name */
+#if DIG_SIGCHASE_TD
+/*
+ * the current name is the parent name when we follow delegation
+ */
+dns_name_t  chase_current_name; 
+/*
+ * the child name is used for delegation (NS DS responses in AUTHORITY section)
+ */
+dns_name_t  chase_authority_name;
+#endif
+#if DIG_SIGCHASE_BU
+dns_name_t  chase_signame;
+#endif
+
+
+isc_boolean_t chase_siglookedup = ISC_FALSE;
+isc_boolean_t chase_keylookedup = ISC_FALSE;
+isc_boolean_t chase_sigkeylookedup = ISC_FALSE;
+isc_boolean_t chase_dslookedup = ISC_FALSE;
+isc_boolean_t chase_sigdslookedup = ISC_FALSE;
+#if DIG_SIGCHASE_TD
+isc_boolean_t chase_nslookedup = ISC_FALSE;
+isc_boolean_t chase_lookedup = ISC_FALSE;
+
+
+isc_boolean_t delegation_follow = ISC_FALSE;
+isc_boolean_t grandfather_pb = ISC_FALSE;
+isc_boolean_t have_response = ISC_FALSE;
+isc_boolean_t have_delegation_ns = ISC_FALSE;
+dns_message_t * error_message = NULL;
+#endif
+
+isc_boolean_t dsvalidating = ISC_FALSE;
+isc_boolean_t chase_name_dup  = ISC_FALSE;
+
+ISC_LIST(dig_message_t) chase_message_list;
+ISC_LIST(dig_message_t) chase_message_list2;
+
+
+#define MAX_TRUSTED_KEY 5
+typedef struct struct_trusted_key_list {
+  dst_key_t * key[MAX_TRUSTED_KEY];
+  int nb_tk;
+} struct_tk_list;
+
+struct_tk_list  tk_list = { {NULL, NULL, NULL, NULL, NULL}, 0};
+
+#endif
+
 /*
  * Apply and clear locks at the event level in global task.
  * Can I get rid of these using shutdown events?  XXX
@@ -155,14 +321,22 @@ static void
 recv_done(isc_task_t *task, isc_event_t *event);
 
 static void
-send_udp(dig_query_t *query);
-
-static void
 connect_timeout(isc_task_t *task, isc_event_t *event);
 
 static void
 launch_next_query(dig_query_t *query, isc_boolean_t include_question);
 
+
+static void *
+mem_alloc(void *arg, size_t size) {
+	return (isc_mem_get(arg, size));
+}
+
+static void
+mem_free(void *arg, void *mem, size_t size) {
+	isc_mem_put(arg, mem, size);
+}
+
 char *
 next_token(char **stringp, const char *delim) {
 	char *res;
@@ -239,7 +413,7 @@ reverse_octets(const char *in, char **p, char *end) {
 }
 
 isc_result_t
-get_reverse(char *reverse, char *value, isc_boolean_t ip6_int,
+get_reverse(char *reverse, size_t len, char *value, isc_boolean_t ip6_int,
 	    isc_boolean_t strict)
 {
 	int r;
@@ -252,7 +426,7 @@ get_reverse(char *reverse, char *value, isc_boolean_t ip6_int,
 		/* This is a valid IPv6 address. */
 		dns_fixedname_t fname;
 		dns_name_t *name;
-		unsigned int options = DNS_BYADDROPT_IPV6NIBBLE;
+		unsigned int options = 0;
 
 		if (ip6_int)
 			options |= DNS_BYADDROPT_IPV6INT;
@@ -261,7 +435,7 @@ get_reverse(char *reverse, char *value, isc_boolean_t ip6_int,
 		result = dns_byaddr_createptrname2(&addr, options, name);
 		if (result != ISC_R_SUCCESS)
 			return (result);
-		dns_name_format(name, reverse, MXNAME);
+		dns_name_format(name, reverse, len);
 		return (ISC_R_SUCCESS);
 	} else {
 		/*
@@ -273,7 +447,7 @@ get_reverse(char *reverse, char *value, isc_boolean_t ip6_int,
 		 * and such.
 		 */
 		char *p = reverse;
-		char *end = reverse + MXNAME;
+		char *end = reverse + len;
 		if (strict && inet_pton(AF_INET, value, &addr.type.in) != 1)
 			return (DNS_R_BADDOTTEDQUAD);
 		result = reverse_octets(value, &p, end);
@@ -322,15 +496,13 @@ check_result(isc_result_t result, const char *msg) {
 	}
 }
 
-#define DIG_MAX_ADDRESSES 20
-
 /*
  * Create a server structure, which is part of the lookup structure.
  * This is little more than a linked list of servers to query in hopes
  * of finding the answer the user is looking for
  */
 dig_server_t *
-make_server(const char *servname, const char *userarg) {
+make_server(const char *servname) {
 	dig_server_t *srv;
 
 	REQUIRE(servname != NULL);
@@ -338,16 +510,52 @@ make_server(const char *servname, const char *userarg) {
 	debug("make_server(%s)", servname);
 	srv = isc_mem_allocate(mctx, sizeof(struct dig_server));
 	if (srv == NULL)
-		fatal("Memory allocation failure in %s:%d",
+		fatal("memory allocation failure in %s:%d",
 		      __FILE__, __LINE__);
 	strncpy(srv->servername, servname, MXNAME);
-	strncpy(srv->userarg, userarg, MXNAME);
 	srv->servername[MXNAME-1] = 0;
-	srv->userarg[MXNAME-1] = 0;
 	ISC_LINK_INIT(srv, link);
 	return (srv);
 }
+static int
+addr2af(int lwresaddrtype)
+{
+	int af = 0;
 
+	switch (lwresaddrtype) {
+	case LWRES_ADDRTYPE_V4:
+		af = AF_INET;
+		break;
+
+	case LWRES_ADDRTYPE_V6:
+		af = AF_INET6;
+		break;
+	}
+
+	return (af);
+}
+/*
+ * Create a copy of the server list from the lwres configuration structure.
+ * The dest list must have already had ISC_LIST_INIT applied.
+ */
+static void
+copy_server_list(lwres_conf_t *confdata, dig_serverlist_t *dest) {
+	dig_server_t *newsrv;
+	char tmp[sizeof("ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255")];
+	int af;
+	int i;
+
+	debug("copy_server_list()");
+	for (i = 0; i < confdata->nsnext; i++) {
+		af = addr2af(confdata->nameservers[i].family);
+
+		lwres_net_ntop(af, confdata->nameservers[i].address,
+				   tmp, sizeof(tmp));
+		newsrv = make_server(tmp);
+		ISC_LINK_INIT(newsrv, link);
+		ISC_LIST_ENQUEUE(*dest, newsrv, link);
+	}
+}
 void
 flush_server_list(void) {
 	dig_server_t *s, *ps;
@@ -361,35 +569,47 @@ flush_server_list(void) {
 		isc_mem_free(mctx, ps);
 	}
 }
-
 void
 set_nameserver(char *opt) {
-	isc_result_t result;
-	isc_sockaddr_t sockaddrs[DIG_MAX_ADDRESSES];
-	isc_netaddr_t netaddr;
-	int count, i;
 	dig_server_t *srv;
-	char tmp[ISC_NETADDR_FORMATSIZE];
 
 	if (opt == NULL)
 		return;
 
-	result = get_addresses(opt, 0, sockaddrs, DIG_MAX_ADDRESSES, &count);
-	if (result != ISC_R_SUCCESS)
-		fatal("couldn't get address for '%s': %s",
-		      opt, isc_result_totext(result));
+	flush_server_list();
+	srv = make_server(opt);
+	if (srv == NULL)
+		fatal("memory allocation failure");
+	ISC_LIST_INITANDAPPEND(server_list, srv, link);
+}
 
-      flush_server_list();
+static isc_result_t
+add_nameserver(lwres_conf_t *confdata, const char *addr, int af) {
+
+	int i = confdata->nsnext;
 
-      for (i = 0; i < count; i++) {
-	    isc_netaddr_fromsockaddr(&netaddr, &sockaddrs[i]);
-	    isc_netaddr_format(&netaddr, tmp, sizeof(tmp));
-	    srv = make_server(tmp, opt);
-	    if (srv == NULL)
-		  fatal("memory allocation failure");
-	    ISC_LIST_APPEND(server_list, srv, link);
-      }
-}          
+	if (confdata->nsnext >= LWRES_CONFMAXNAMESERVERS)
+		return (ISC_R_FAILURE);
+
+	switch (af) {
+	case AF_INET:
+		confdata->nameservers[i].family = LWRES_ADDRTYPE_V4;
+		confdata->nameservers[i].length = NS_INADDRSZ;
+		break;
+	case AF_INET6:
+		confdata->nameservers[i].family = LWRES_ADDRTYPE_V6;
+		confdata->nameservers[i].length = NS_IN6ADDRSZ;
+		break;
+	default:
+		return (ISC_R_FAILURE);
+	}
+
+	if (lwres_net_pton(af, addr, &confdata->nameservers[i].address) == 1) {
+		confdata->nsnext++;
+		return (ISC_R_SUCCESS);
+	}
+	return (ISC_R_FAILURE);
+}
 
 /*
  * Produce a cloned server list.  The dest list must have already had
@@ -402,7 +622,7 @@ clone_server_list(dig_serverlist_t src, dig_serverlist_t *dest) {
 	debug("clone_server_list()");
 	srv = ISC_LIST_HEAD(src);
 	while (srv != NULL) {
-		newsrv = make_server(srv->servername, srv->userarg);
+		newsrv = make_server(srv->servername);
 		ISC_LINK_INIT(newsrv, link);
 		ISC_LIST_ENQUEUE(*dest, newsrv, link);
 		srv = ISC_LIST_NEXT(srv, link);
@@ -425,7 +645,7 @@ make_empty_lookup(void) {
 
 	looknew = isc_mem_allocate(mctx, sizeof(struct dig_lookup));
 	if (looknew == NULL)
-		fatal("Memory allocation failure in %s:%d",
+		fatal("memory allocation failure in %s:%d",
 		       __FILE__, __LINE__);
 	looknew->pending = ISC_TRUE;
 	looknew->textname[0] = 0;
@@ -452,6 +672,18 @@ make_empty_lookup(void) {
 	looknew->servfail_stops = ISC_TRUE;
 	looknew->besteffort = ISC_TRUE;
 	looknew->dnssec = ISC_FALSE;
+#ifdef DIG_SIGCHASE
+	looknew->sigchase = ISC_FALSE;
+#if DIG_SIGCHASE_TD
+	looknew->do_topdown =  ISC_FALSE;
+	looknew->trace_root_sigchase = ISC_FALSE;
+	looknew->rdtype_sigchaseset = ISC_FALSE;
+	looknew->rdtype_sigchase = dns_rdatatype_any;
+	looknew->qrdtype_sigchase = dns_rdatatype_any;
+	looknew->rdclass_sigchase = dns_rdataclass_in;
+	looknew->rdclass_sigchaseset  = ISC_FALSE;
+#endif
+#endif
 	looknew->udpsize = 0;
 	looknew->recurse = ISC_TRUE;
 	looknew->aaonly = ISC_FALSE;
@@ -472,8 +704,6 @@ make_empty_lookup(void) {
 	looknew->section_authority = ISC_TRUE;
 	looknew->section_additional = ISC_TRUE;
 	looknew->new_search = ISC_FALSE;
-	looknew->done_as_is = ISC_FALSE;
-	looknew->need_search = ISC_FALSE;
 	ISC_LINK_INIT(looknew, link);
 	ISC_LIST_INIT(looknew->q);
 	ISC_LIST_INIT(looknew->my_server_list);
@@ -498,6 +728,9 @@ clone_lookup(dig_lookup_t *lookold, isc_boolean_t servers) {
 	looknew = make_empty_lookup();
 	INSIST(looknew != NULL);
 	strncpy(looknew->textname, lookold->textname, MXNAME);
+#if DIG_SIGCHASE_TD
+	strncpy(looknew->textnamesigchase, lookold->textnamesigchase, MXNAME);
+#endif
 	strncpy(looknew->cmdline, lookold->cmdline, MXNAME);
 	looknew->textname[MXNAME-1] = 0;
 	looknew->rdtype = lookold->rdtype;
@@ -515,6 +748,18 @@ clone_lookup(dig_lookup_t *lookold, isc_boolean_t servers) {
 	looknew->servfail_stops = lookold->servfail_stops;
 	looknew->besteffort = lookold->besteffort;
 	looknew->dnssec = lookold->dnssec;
+#ifdef DIG_SIGCHASE
+	looknew->sigchase = lookold->sigchase;
+#if DIG_SIGCHASE_TD
+	looknew->do_topdown =  lookold->do_topdown;
+	looknew->trace_root_sigchase = lookold->trace_root_sigchase;
+	looknew->rdtype_sigchaseset =  lookold->rdtype_sigchaseset;
+	looknew->rdtype_sigchase = lookold->rdtype_sigchase;
+	looknew->qrdtype_sigchase = lookold->qrdtype_sigchase;
+	looknew->rdclass_sigchase = lookold->rdclass_sigchase;
+	looknew->rdclass_sigchaseset = lookold->rdclass_sigchaseset;
+#endif
+#endif
 	looknew->udpsize = lookold->udpsize;
 	looknew->recurse = lookold->recurse;
 	looknew->aaonly = lookold->aaonly;
@@ -530,8 +775,6 @@ clone_lookup(dig_lookup_t *lookold, isc_boolean_t servers) {
 	looknew->section_additional = lookold->section_additional;
 	looknew->retries = lookold->retries;
 	looknew->tsigctx = NULL;
-	looknew->need_search = lookold->need_search;
-	looknew->done_as_is = lookold->done_as_is;
 
 	if (servers)
 		clone_server_list(lookold->my_server_list,
@@ -555,7 +798,7 @@ requeue_lookup(dig_lookup_t *lookold, isc_boolean_t servers) {
 
 	lookup_counter++;
 	if (lookup_counter > LOOKUP_LIMIT)
-		fatal("Too many lookups");
+		fatal("too many lookups");
 
 	looknew = clone_lookup(lookold, servers);
 	INSIST(looknew != NULL);
@@ -586,7 +829,7 @@ setup_text_key(void) {
 	secretsize = strlen(keysecret) * 3 / 4;
 	secretstore = isc_mem_allocate(mctx, secretsize);
 	if (secretstore == NULL)
-		fatal("Memory allocation failure in %s:%d",
+		fatal("memory allocation failure in %s:%d",
 		      __FILE__, __LINE__);
 	isc_buffer_init(&secretbuf, secretstore, secretsize);
 	result = isc_base64_decodestring(keysecret, &secretbuf);
@@ -649,7 +892,7 @@ make_searchlist_entry(char *domain) {
 	dig_searchlist_t *search;
 	search = isc_mem_allocate(mctx, sizeof(*search));
 	if (search == NULL)
-		fatal("Memory allocation failure in %s:%d",
+		fatal("memory allocation failure in %s:%d",
 		      __FILE__, __LINE__);
 	strncpy(search->origin, domain, MXNAME);
 	search->origin[MXNAME-1] = 0;
@@ -657,91 +900,79 @@ make_searchlist_entry(char *domain) {
 	return (search);
 }
 
+static void
+create_search_list(lwres_conf_t *confdata) {
+	int i;
+	dig_searchlist_t *search;
+
+	debug("create_search_list()");
+	ISC_LIST_INIT(search_list);
+
+	for (i = 0; i < confdata->searchnxt; i++) {
+		search = make_searchlist_entry(confdata->search[i]);
+		ISC_LIST_APPEND(search_list, search, link);
+	}
+}
+
 /*
  * Setup the system as a whole, reading key information and resolv.conf
  * settings.
  */
 void
 setup_system(void) {
-	char rcinput[MXNAME];
-	FILE *fp;
-	char *ptr;
-	dig_server_t *srv;
-	dig_searchlist_t *search, *domain = NULL;
-	isc_boolean_t get_servers;
-	char *input;
+	dig_searchlist_t *domain = NULL;
+	lwres_result_t lwresult;
 
 	debug("setup_system()");
 
-	free_now = ISC_FALSE;
-	get_servers = ISC_TF(server_list.head == NULL);
-	fp = fopen(RESOLV_CONF, "r");
-	/* XXX Use lwres resolv.conf reader */
-	if (fp == NULL)
-		goto no_file;
-
-	while (fgets(rcinput, MXNAME, fp) != 0) {
-		input = rcinput;
-		ptr = next_token(&input, " \t\r\n");
-		if (ptr != NULL) {
-			if (get_servers &&
-			    strcasecmp(ptr, "nameserver") == 0) {
-				debug("got a nameserver line");
-				ptr = next_token(&input, " \t\r\n");
-				if (ptr != NULL) {
-					srv = make_server(ptr, ptr);
-					ISC_LIST_APPEND(server_list, srv, link);
-				}
-			} else if (strcasecmp(ptr, "options") == 0) {
-				ptr = next_token(&input, " \t\r\n");
-				if (ptr != NULL) {
-					if (strncasecmp(ptr, "ndots:", 6) == 0
-					    && ndots == -1)
-					{
-						ndots = atoi(&ptr[6]);
-						debug("ndots is %d.", ndots);
-					}
-				}
-			} else if (strcasecmp(ptr, "search") == 0){
-				while ((ptr = next_token(&input, " \t\r\n"))
-				       != NULL) {
-					debug("adding search %s", ptr);
-					search = make_searchlist_entry(ptr);
-					ISC_LIST_INITANDAPPEND(search_list,
-							       search, link);
-				}
-			} else if (strcasecmp(ptr, "domain") == 0) {
-				while ((ptr = next_token(&input, " \t\r\n"))
-				       != NULL) {
-					if (domain != NULL)
-						isc_mem_free(mctx, domain);
-					domain = make_searchlist_entry(ptr);
-				}
-			}
+	lwresult = lwres_context_create(&lwctx, mctx, mem_alloc, mem_free, 1);
+	if (lwresult != LWRES_R_SUCCESS)
+		fatal("lwres_context_create failed");
+
+	(void)lwres_conf_parse(lwctx, RESOLV_CONF);
+	lwconf = lwres_conf_get(lwctx);
+
+	/* Make the search list */
+	if (lwconf->searchnxt > 0)
+		create_search_list(lwconf);
+	else {
+		/* No search list. Use the domain name if any */
+		if (lwconf->domainname != NULL) {
+			domain = make_searchlist_entry(lwconf->domainname);
+			ISC_LIST_INITANDAPPEND(search_list, domain, link);
+			domain  = NULL;
 		}
 	}
-	fclose(fp);
- no_file:
-
-	if (ISC_LIST_EMPTY(search_list) && domain != NULL) {
-		ISC_LIST_INITANDAPPEND(search_list, domain, link);
-		domain = NULL;
+			
+	ndots = lwconf->ndots;
+	debug("ndots is %d.", ndots);
+
+	/* If we don't find a nameserver fall back to localhost */
+	if (lwconf->nsnext == 0) {
+		if (have_ipv4) {
+			lwresult = add_nameserver(lwconf, "127.0.0.1", AF_INET);
+			if (lwresult != ISC_R_SUCCESS)
+				fatal("add_nameserver failed");
+		}
+		if (have_ipv6) {
+			lwresult = add_nameserver(lwconf, "::1", AF_INET6);
+			if (lwresult != ISC_R_SUCCESS)
+				fatal("add_nameserver failed");
+		}
 	}
-	if (domain != NULL)
-		isc_mem_free(mctx, domain);
-	
-	if (ndots == -1)
-		ndots = 1;
 
-	if (server_list.head == NULL) {
-		srv = make_server("127.0.0.1", "127.0.0.1");
-		ISC_LIST_APPEND(server_list, srv, link);
-	}
+	if (ISC_LIST_EMPTY(server_list))
+		copy_server_list(lwconf, &server_list);
 
 	if (keyfile[0] != 0)
 		setup_file_key();
 	else if (keysecret[0] != 0)
 		setup_text_key();
+#ifdef DIG_SIGCHASE
+	/* Setup the list of messages for +sigchase */
+        ISC_LIST_INIT(chase_message_list);
+#endif
+
 }
 
 static void
@@ -932,10 +1163,7 @@ clear_query(dig_query_t *query) {
 	isc_mempool_put(commctx, query->recvspace);
 	isc_buffer_invalidate(&query->recvbuf);
 	isc_buffer_invalidate(&query->lengthbuf);
-	if (query->waiting_senddone)
-		query->pending_free = ISC_TRUE;
-	else
-		isc_mem_free(mctx, query);
+	isc_mem_free(mctx, query);
 }
 
 /*
@@ -945,7 +1173,9 @@ clear_query(dig_query_t *query) {
  */
 static isc_boolean_t
 try_clear_lookup(dig_lookup_t *lookup) {
+	dig_server_t *s;
 	dig_query_t *q;
+	void *ptr;
 
 	REQUIRE(lookup != NULL);
 
@@ -959,24 +1189,14 @@ try_clear_lookup(dig_lookup_t *lookup) {
 				       q->servname);
 				q = ISC_LIST_NEXT(q, link);
 			}
+			return (ISC_FALSE);
 		}
-		return (ISC_FALSE);
 	}
-
 	/*
 	 * At this point, we know there are no queries on the lookup,
 	 * so can make it go away also.
 	 */
-	destroy_lookup(lookup);
-	return (ISC_TRUE);
-}
-
-void
-destroy_lookup(dig_lookup_t *lookup) {
-	dig_server_t *s;
-	void *ptr;
-
-	debug("destroy");
+	debug("cleared");
 	s = ISC_LIST_HEAD(lookup->my_server_list);
 	while (s != NULL) {
 		debug("freeing server %p belonging to %p",
@@ -1002,8 +1222,10 @@ destroy_lookup(dig_lookup_t *lookup) {
 		dst_context_destroy(&lookup->tsigctx);
 
 	isc_mem_free(mctx, lookup);
+	return (ISC_TRUE);
 }
 
+
 /*
  * If we can, start the next lookup in the queue running.
  * This assumes that the lookup on the head of the queue hasn't been
@@ -1028,6 +1250,94 @@ start_lookup(void) {
 	 */
 	if (current_lookup != NULL) {
 		ISC_LIST_DEQUEUE(lookup_list, current_lookup, link);
+#if DIG_SIGCHASE_TD
+		if (current_lookup->do_topdown &&
+		    !current_lookup->rdtype_sigchaseset) {
+			dst_key_t * trustedkey = NULL;
+			isc_buffer_t *b = NULL;
+			isc_region_t r;
+			isc_result_t result;
+			dns_name_t query_name;
+			dns_name_t * key_name;
+			int i;
+
+			result = get_trusted_key(mctx);
+			if (result != ISC_R_SUCCESS) {
+				printf("\n;; No trusted key, "
+				       "+sigchase option is disabled\n");
+				current_lookup->sigchase = ISC_FALSE;
+				goto novalidation;
+			}
+			result = nameFromString(current_lookup->textname,
+						&query_name);
+			check_result(result, "nameFromString");
+
+			for (i = 0; i< tk_list.nb_tk; i++) {
+				key_name = dst_key_name(tk_list.key[i]);
+		      
+				if (dns_name_issubdomain(&query_name,
+							 key_name) == ISC_TRUE)
+					trustedkey = tk_list.key[i];
+				/*
+				 * Verifier que la temp est bien la plus basse
+				 * WARNING
+				 */
+			}
+			if (trustedkey == NULL) {
+				printf("\n;; The queried zone: ");
+				dns_name_print(&query_name, stdout);
+				printf(" isn't a subdomain of any Trusted Keys"
+				       ": +sigchase option is disable\n");
+				current_lookup->sigchase = ISC_FALSE;
+				dns_name_free(&query_name, mctx);
+				goto novalidation;
+			}
+			dns_name_free(&query_name, mctx);
+
+		    
+			current_lookup->rdtype_sigchase
+			  	= current_lookup->rdtype;
+			current_lookup->rdtype_sigchaseset
+			  	= current_lookup->rdtypeset;
+			current_lookup->rdtype = dns_rdatatype_ns;
+		      
+		 
+			current_lookup->qrdtype_sigchase
+				= current_lookup->qrdtype;
+			current_lookup->qrdtype = dns_rdatatype_ns;
+		   
+			current_lookup->rdclass_sigchase
+				= current_lookup->rdclass;
+			current_lookup->rdclass_sigchaseset
+				= current_lookup->rdclassset;
+			current_lookup->rdclass = dns_rdataclass_in;
+		
+
+			strncpy(current_lookup->textnamesigchase,
+				current_lookup->textname, MXNAME);
+
+			current_lookup->trace_root_sigchase = ISC_TRUE;
+		    
+			result = isc_buffer_allocate(mctx, &b, BUFSIZE);
+			check_result(result, "isc_buffer_allocate");
+			result = dns_name_totext(dst_key_name(trustedkey),
+						 ISC_FALSE, b);
+			check_result(result, "dns_name_totext");
+			isc_buffer_usedregion(b, &r);
+			r.base[r.length] = '\0';
+			strncpy(current_lookup->textname, (char*)r.base,
+				MXNAME);
+			isc_buffer_free(&b);
+
+			result = nameFromString(current_lookup
+						->textnamesigchase,
+						&chase_name);
+			check_result(result, "nameFromString");
+
+			dns_name_init(&chase_authority_name, NULL);
+		}
+	novalidation:
+#endif
 		setup_lookup(current_lookup);
 		do_lookup(current_lookup);
 	} else {
@@ -1080,18 +1390,10 @@ followup_lookup(dns_message_t *msg, dig_query_t *query, dns_section_t section)
 	
 	for (result = dns_message_firstname(msg, section);
 	     result == ISC_R_SUCCESS;
-	     result = dns_message_nextname(msg, section))
-	{
+	     result = dns_message_nextname(msg, section)) {
 		name = NULL;
 		dns_message_currentname(msg, section, &name);
 
-		if (section == DNS_SECTION_AUTHORITY) {
-			rdataset = NULL;
-			result = dns_message_findtype(name, dns_rdatatype_soa,
-						      0, &rdataset);
-			if (result == ISC_R_SUCCESS)
-				return (0);
-		}
 		rdataset = NULL;
 		result = dns_message_findtype(name, dns_rdatatype_ns, 0,
 					      &rdataset);
@@ -1102,8 +1404,7 @@ followup_lookup(dns_message_t *msg, dig_query_t *query, dns_section_t section)
 
 		for (result = dns_rdataset_first(rdataset);
 		     result == ISC_R_SUCCESS;
-		     result = dns_rdataset_next(rdataset))
-		{
+		     result = dns_rdataset_next(rdataset)) {
 			char namestr[DNS_NAME_FORMATSIZE];
 			dns_rdata_ns_t ns;
 
@@ -1136,10 +1437,8 @@ followup_lookup(dns_message_t *msg, dig_query_t *query, dns_section_t section)
 				lookup->ns_search_only =
 					query->lookup->ns_search_only;
 				lookup->trace_root = ISC_FALSE;
-				if (lookup->ns_search_only)
-					lookup->recurse = ISC_FALSE;
 			}
-			srv = make_server(namestr, namestr);
+			srv = make_server(namestr);
 			debug("adding server %s", srv->servername);
 			ISC_LIST_APPEND(lookup->my_server_list, srv, link);
 			dns_rdata_reset(&rdata);
@@ -1163,7 +1462,6 @@ followup_lookup(dns_message_t *msg, dig_query_t *query, dns_section_t section)
 static isc_boolean_t
 next_origin(dns_message_t *msg, dig_query_t *query) {
 	dig_lookup_t *lookup;
-	dig_searchlist_t *search;
 
 	UNUSED(msg);
 
@@ -1178,22 +1476,13 @@ next_origin(dns_message_t *msg, dig_query_t *query) {
 		 * about finding the next entry.
 		 */
 		return (ISC_FALSE);
-	if (query->lookup->origin == NULL && !query->lookup->need_search)
+	if (query->lookup->origin == NULL)
 		/*
 		 * Then we just did rootorg; there's nothing left.
 		 */
 		return (ISC_FALSE);
-	if (query->lookup->origin == NULL && query->lookup->need_search) {
-		lookup = requeue_lookup(query->lookup, ISC_TRUE);
-		lookup->origin = ISC_LIST_HEAD(search_list);
-		lookup->need_search = ISC_FALSE;
-	} else {
-		search = ISC_LIST_NEXT(query->lookup->origin, link);
-		if (search == NULL && query->lookup->done_as_is)
-			return (ISC_FALSE);
-		lookup = requeue_lookup(query->lookup, ISC_TRUE);
-		lookup->origin = search;
-	}
+	lookup = requeue_lookup(query->lookup, ISC_TRUE);
+	lookup->origin = ISC_LIST_NEXT(query->lookup->origin, link);
 	cancel_lookup(query->lookup);
 	return (ISC_TRUE);
 }
@@ -1315,17 +1604,12 @@ setup_lookup(dig_lookup_t *lookup) {
 	 * take the first entry in the searchlist iff either usesearch
 	 * is TRUE or we got a domain line in the resolv.conf file.
 	 */
-	if (lookup->new_search) {
-		if ((count_dots(lookup->textname) >= ndots) || !usesearch) {
-			lookup->origin = NULL; /* Force abs lookup */
-			lookup->done_as_is = ISC_TRUE;
-			lookup->need_search = usesearch;
-		} else if (lookup->origin == NULL && usesearch) {
-			lookup->origin = ISC_LIST_HEAD(search_list);
-			lookup->need_search = ISC_FALSE;
-		}
+	/* XXX New search here? */
+	if ((count_dots(lookup->textname) >= ndots) || !usesearch)
+		lookup->origin = NULL; /* Force abs lookup */
+	else if (lookup->origin == NULL && lookup->new_search && usesearch) {
+		lookup->origin = ISC_LIST_HEAD(search_list);
 	}
-
 	if (lookup->origin != NULL) {
 		debug("trying origin %s", lookup->origin->origin);
 		result = dns_message_gettempname(lookup->sendmsg,
@@ -1468,9 +1752,9 @@ setup_lookup(dig_lookup_t *lookup) {
 	check_result(result, "dns_compress_init");
 
 	debug("starting to render the message");
-	isc_buffer_init(&lookup->renderbuf, lookup->sendspace, COMMSIZE);
+	isc_buffer_init(&lookup->sendbuf, lookup->sendspace, COMMSIZE);
 	result = dns_message_renderbegin(lookup->sendmsg, &cctx,
-					 &lookup->renderbuf);
+					 &lookup->sendbuf);
 	check_result(result, "dns_message_renderbegin");
 	if (lookup->udpsize > 0 || lookup->dnssec) {
 		if (lookup->udpsize == 0)
@@ -1493,7 +1777,7 @@ setup_lookup(dig_lookup_t *lookup) {
 	/*
 	 * Force TCP mode if the request is larger than 512 bytes.
 	 */
-	if (isc_buffer_usedlength(&lookup->renderbuf) > 512)
+	if (isc_buffer_usedlength(&lookup->sendbuf) > 512)
 		lookup->tcp_mode = ISC_TRUE;
 
 	lookup->pending = ISC_FALSE;
@@ -1503,14 +1787,12 @@ setup_lookup(dig_lookup_t *lookup) {
 	     serv = ISC_LIST_NEXT(serv, link)) {
 		query = isc_mem_allocate(mctx, sizeof(dig_query_t));
 		if (query == NULL)
-			fatal("Memory allocation failure in %s:%d",
+			fatal("memory allocation failure in %s:%d",
 			      __FILE__, __LINE__);
 		debug("create query %p linked to lookup %p",
 		       query, lookup);
 		query->lookup = lookup;
 		query->waiting_connect = ISC_FALSE;
-		query->waiting_senddone = ISC_FALSE;
-		query->pending_free = ISC_FALSE;
 		query->recv_made = ISC_FALSE;
 		query->first_pass = ISC_TRUE;
 		query->first_soa_rcvd = ISC_FALSE;
@@ -1520,8 +1802,8 @@ setup_lookup(dig_lookup_t *lookup) {
 		query->first_rr_serial = 0;
 		query->second_rr_serial = 0;
 		query->servname = serv->servername;
-		query->userarg = serv->userarg;
 		query->rr_count = 0;
+		query->msg_count = 0;
 		ISC_LINK_INIT(query, link);
 		ISC_LIST_INIT(query->recvlist);
 		ISC_LIST_INIT(query->lengthlist);
@@ -1533,7 +1815,6 @@ setup_lookup(dig_lookup_t *lookup) {
 		isc_buffer_init(&query->recvbuf, query->recvspace, COMMSIZE);
 		isc_buffer_init(&query->lengthbuf, query->lengthspace, 2);
 		isc_buffer_init(&query->slbuf, query->slspace, 2);
-		query->sendbuf = lookup->renderbuf;
 
 		ISC_LINK_INIT(query, link);
 		ISC_LIST_ENQUEUE(lookup->q, query, link);
@@ -1551,43 +1832,18 @@ setup_lookup(dig_lookup_t *lookup) {
  */
 static void
 send_done(isc_task_t *_task, isc_event_t *event) {
-	isc_socketevent_t *sevent = (isc_socketevent_t *)event;
-	isc_buffer_t *b = NULL;
-	dig_query_t *query, *next;
-	dig_lookup_t *l;
-
 	REQUIRE(event->ev_type == ISC_SOCKEVENT_SENDDONE);
 
 	UNUSED(_task);
 
 	LOCK_LOOKUP;
 
+	isc_event_free(&event);
+
 	debug("send_done()");
 	sendcount--;
 	debug("sendcount=%d", sendcount);
 	INSIST(sendcount >= 0);
-
-	for  (b = ISC_LIST_HEAD(sevent->bufferlist);
-	      b != NULL;
-	      b = ISC_LIST_HEAD(sevent->bufferlist)) 
-		ISC_LIST_DEQUEUE(sevent->bufferlist, b, link);
-
-	query = event->ev_arg;
-	query->waiting_senddone = ISC_FALSE;
-	l = query->lookup;
-
-	if (l->ns_search_only && !l->trace_root) {
-		debug("sending next, since searching");
-		next = ISC_LIST_NEXT(query, link);
-		if (next != NULL)
-			send_udp(next);
-	}
-
-	isc_event_free(&event);
-
-	if (query->pending_free)
-		isc_mem_free(mctx, query);
-
 	check_if_done();
 	UNLOCK_LOOKUP;
 }
@@ -1696,7 +1952,7 @@ send_tcp_connect(dig_query_t *query) {
 	INSIST(query->sock == NULL);
 	result = isc_socket_create(socketmgr,
 				   isc_sockaddr_pf(&query->sockaddr),
-				   isc_sockettype_tcp, &query->sock) ;
+				   isc_sockettype_tcp, &query->sock);
 	check_result(result, "isc_socket_create");
 	sockcount++;
 	debug("sockcount=%d", sockcount);
@@ -1735,6 +1991,7 @@ send_tcp_connect(dig_query_t *query) {
 static void
 send_udp(dig_query_t *query) {
 	dig_lookup_t *l = NULL;
+	dig_query_t *next;
 	isc_result_t result;
 
 	debug("send_udp(%p)", query);
@@ -1780,17 +2037,27 @@ send_udp(dig_query_t *query) {
 		debug("recvcount=%d", recvcount);
 	}
 	ISC_LIST_INIT(query->sendlist);
-	ISC_LIST_ENQUEUE(query->sendlist, &query->sendbuf, link);
+	ISC_LINK_INIT(&l->sendbuf, link);
+	ISC_LIST_ENQUEUE(query->sendlist, &l->sendbuf,
+			 link);
 	debug("sending a request");
-	result = isc_time_now(&query->time_sent);
-	check_result(result, "isc_time_now");
+	TIME_NOW(&query->time_sent);
 	INSIST(query->sock != NULL);
-	query->waiting_senddone = ISC_TRUE;
 	result = isc_socket_sendtov(query->sock, &query->sendlist,
 				    global_task, send_done, query,
 				    &query->sockaddr, NULL);
 	check_result(result, "isc_socket_sendtov");
 	sendcount++;
+	/*
+	 * If we're at the endgame of a nameserver search, we need to
+	 * immediately bring up all the queries.  Do it here.
+	 */
+	if (l->ns_search_only && !l->trace_root) {
+		debug("sending next, since searching");
+		next = ISC_LIST_NEXT(query, link);
+		if (next != NULL)
+			send_udp(next);
+	}
 }
 
 /*
@@ -1800,8 +2067,8 @@ send_udp(dig_query_t *query) {
  */
 static void
 connect_timeout(isc_task_t *task, isc_event_t *event) {
-	dig_lookup_t *l=NULL;
-	dig_query_t *query=NULL, *cq;
+	dig_lookup_t *l = NULL, *n;
+	dig_query_t *query = NULL, *cq;
 
 	UNUSED(task);
 	REQUIRE(event->ev_type == ISC_TIMEREVENT_IDLE);
@@ -1836,7 +2103,7 @@ connect_timeout(isc_task_t *task, isc_event_t *event) {
 			debug("making new TCP request, %d tries left",
 			      l->retries);
 			l->retries--;
-			requeue_lookup(l, ISC_TRUE);
+			n = requeue_lookup(l, ISC_TRUE);
 			cancel_lookup(l);
 			check_next_lookup(l);
 		}
@@ -1879,10 +2146,6 @@ tcp_length_done(isc_task_t *task, isc_event_t *event) {
 	recvcount--;
 	INSIST(recvcount >= 0);
 
-	b = ISC_LIST_HEAD(sevent->bufferlist);
-	INSIST(b ==  &query->lengthbuf);
-	ISC_LIST_DEQUEUE(sevent->bufferlist, b, link);
-
 	if (sevent->result == ISC_R_CANCELED) {
 		isc_event_free(&event);
 		l = query->lookup;
@@ -1908,6 +2171,8 @@ tcp_length_done(isc_task_t *task, isc_event_t *event) {
 		UNLOCK_LOOKUP;
 		return;
 	}
+	b = ISC_LIST_HEAD(sevent->bufferlist);
+	ISC_LIST_DEQUEUE(sevent->bufferlist, &query->lengthbuf, link);
 	length = isc_buffer_getuint16(b);
 	if (length == 0) {
 		isc_event_free(&event);
@@ -1965,12 +2230,16 @@ launch_next_query(dig_query_t *query, isc_boolean_t include_question) {
 
 	isc_buffer_clear(&query->slbuf);
 	isc_buffer_clear(&query->lengthbuf);
-	isc_buffer_putuint16(&query->slbuf, (isc_uint16_t) query->sendbuf.used);
+	isc_buffer_putuint16(&query->slbuf,
+			     (isc_uint16_t) query->lookup->sendbuf.used);
 	ISC_LIST_INIT(query->sendlist);
 	ISC_LINK_INIT(&query->slbuf, link);
 	ISC_LIST_ENQUEUE(query->sendlist, &query->slbuf, link);
-	if (include_question)
-		ISC_LIST_ENQUEUE(query->sendlist, &query->sendbuf, link);
+	if (include_question) {
+		ISC_LINK_INIT(&query->lookup->sendbuf, link);
+		ISC_LIST_ENQUEUE(query->sendlist, &query->lookup->sendbuf,
+				 link);
+	}
 	ISC_LINK_INIT(&query->lengthbuf, link);
 	ISC_LIST_ENQUEUE(query->lengthlist, &query->lengthbuf, link);
 
@@ -1978,12 +2247,10 @@ launch_next_query(dig_query_t *query, isc_boolean_t include_question) {
 				  global_task, tcp_length_done, query);
 	check_result(result, "isc_socket_recvv");
 	recvcount++;
-	debug("recvcount=%d",recvcount);
+	debug("recvcount=%d", recvcount);
 	if (!query->first_soa_rcvd) {
 		debug("sending a request in launch_next_query");
-		result = isc_time_now(&query->time_sent);
-		check_result(result, "isc_time_now");
-		query->waiting_senddone = ISC_TRUE;
+		TIME_NOW(&query->time_sent);
 		result = isc_socket_sendv(query->sock, &query->sendlist,
 					  global_task, send_done, query);
 		check_result(result, "isc_socket_sendv");
@@ -2105,6 +2372,7 @@ check_for_more_data(dig_query_t *query, dns_message_t *msg,
 	 * an SOA rr.
 	 */
 
+	query->msg_count++;
 	result = dns_message_firstname(msg, DNS_SECTION_ANSWER);
 	if (result != ISC_R_SUCCESS) {
 		puts("; Transfer failed.");
@@ -2231,6 +2499,10 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 	dig_query_t *query = NULL;
 	isc_buffer_t *b = NULL;
 	dns_message_t *msg = NULL;
+#ifdef DIG_SIGCHASE
+	dig_message_t *chase_msg = NULL;
+	dig_message_t *chase_msg2 = NULL;
+#endif
 	isc_result_t result;
 	dig_lookup_t *n, *l;
 	isc_boolean_t docancel = ISC_FALSE;
@@ -2238,6 +2510,13 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 	unsigned int parseflags;
 	dns_messageid_t id;
 	unsigned int msgflags;
+#ifdef DIG_SIGCHASE
+	isc_result_t do_sigchase = ISC_FALSE;
+
+	dns_message_t *msg_temp = NULL;
+	isc_region_t r;
+	isc_buffer_t *buf = NULL;
+#endif
 
 	UNUSED(task);
 	INSIST(!free_now);
@@ -2257,10 +2536,6 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 	REQUIRE(event->ev_type == ISC_SOCKEVENT_RECVDONE);
 	sevent = (isc_socketevent_t *)event;
 
-	b = ISC_LIST_HEAD(sevent->bufferlist);
-	INSIST(b == &query->recvbuf);
-	ISC_LIST_DEQUEUE(sevent->bufferlist, &query->recvbuf, link);
-
 	if ((l->tcp_mode) && (l->timer != NULL))
 		isc_timer_touch(l->timer);
 	if ((!l->pending && !l->ns_search_only) || cancel_now) {
@@ -2294,6 +2569,9 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 		return;
 	}
 
+	b = ISC_LIST_HEAD(sevent->bufferlist);
+	ISC_LIST_DEQUEUE(sevent->bufferlist, &query->recvbuf, link);
+
 	if (!l->tcp_mode &&
 	    !isc_sockaddr_equal(&sevent->address, &query->sockaddr)) {
 		char buf1[ISC_SOCKADDR_FORMATSIZE];
@@ -2324,7 +2602,7 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 		}
 	}
 
-	result = dns_message_peekheader(b, &id, &msgflags);
+ 	result = dns_message_peekheader(b, &id, &msgflags);
 	if (result != ISC_R_SUCCESS || l->sendmsg->id != id) {
 		match = ISC_FALSE;
 		if (l->tcp_mode) {
@@ -2341,7 +2619,8 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 					fail = ISC_FALSE;
 				query->warn_id = ISC_FALSE;
 			} else
-				printf(";; ERROR: short (< header size) message\n");
+				printf(";; ERROR: short "
+				       "(< header size) message\n");
 			if (fail) {
 				isc_event_free(&event);
 				clear_query(query);
@@ -2354,7 +2633,8 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 			printf(";; Warning: ID mismatch: "
 			       "expected ID %u, got %u\n", l->sendmsg->id, id);
 		else
-			printf(";; Warning: short (< header size) message received\n");
+			printf(";; Warning: short "
+			       "(< header size) message received\n");
 	}
 
 	if (!match) {
@@ -2393,6 +2673,14 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 
 	debug("before parse starts");
 	parseflags = DNS_MESSAGEPARSE_PRESERVEORDER;
+#ifdef DIG_SIGCHASE
+	if (!l->sigchase) {
+		do_sigchase = ISC_FALSE;
+	} else {
+		parseflags = 0;
+		do_sigchase = ISC_TRUE;
+	}
+#endif
 	if (l->besteffort) {
 		parseflags |= DNS_MESSAGEPARSE_BESTEFFORT;
 		parseflags |= DNS_MESSAGEPARSE_IGNORETRUNCATION;
@@ -2416,8 +2704,7 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 		return;
 	}
 	if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0
-	    && !l->ignore && !l->tcp_mode)
-	{
+	    && !l->ignore && !l->tcp_mode) {
 		printf(";; Truncated, retrying in TCP mode.\n");
 		n = requeue_lookup(l, ISC_TRUE);
 		n->tcp_mode = ISC_TRUE;
@@ -2511,25 +2798,33 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 	}
 
 	if (!l->doing_xfr || l->xfr_q == query) {
-		if (msg->rcode != dns_rcode_noerror &&
-		    (l->origin != NULL || l->need_search)) {
+#ifdef DIG_SIGCHASE
+		int count = 0;
+#endif
+		if (msg->rcode != dns_rcode_noerror && l->origin != NULL) {
 			if (!next_origin(msg, query)) {
 				printmessage(query, msg, ISC_TRUE);
 				received(b->used, &sevent->address, query);
 			}
 		} else if (!l->trace && !l->ns_search_only) {
-			printmessage(query, msg, ISC_TRUE);
+#ifdef DIG_SIGCHASE
+			if (!do_sigchase)
+#endif
+				printmessage(query, msg, ISC_TRUE);
 		} else if (l->trace) {
 			int n = 0;
+#ifdef DIG_SIGCHASE
+			count = msg->counts[DNS_SECTION_ANSWER];
+#else
 			int count = msg->counts[DNS_SECTION_ANSWER];
+#endif
 
 			debug("in TRACE code");
 			if (!l->ns_search_only)
 				printmessage(query, msg, ISC_TRUE);
 
 			l->rdtype = l->qrdtype;
-			if (l->trace_root || (l->ns_search_only && count > 0))
-			{
+			if (l->trace_root || (l->ns_search_only && count > 0)) {
 				if (!l->trace_root)
 					l->rdtype = dns_rdatatype_soa;
 				n = followup_lookup(msg, query,
@@ -2556,9 +2851,56 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 					docancel = ISC_TRUE;
 				l->trace_root = ISC_FALSE;
 			} else
+#ifdef DIG_SIGCHASE
+				if (!do_sigchase)
+#endif
 				printmessage(query, msg, ISC_TRUE);
 		} 
+#ifdef DIG_SIGCHASE
+		if ( do_sigchase) {	     
+			chase_msg = isc_mem_allocate(mctx,
+						     sizeof(dig_message_t));
+			if (chase_msg == NULL) {
+				fatal("Memory allocation failure in %s:%d",
+				      __FILE__, __LINE__);
+			}
+			ISC_LIST_APPEND(chase_message_list, chase_msg, link);
+			if (dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE,
+					       &msg_temp) != ISC_R_SUCCESS) {
+				fatal("dns_message_create in %s:%d",
+				      __FILE__, __LINE__);
+			}
+	 
+			isc_buffer_usedregion(b, &r);
+			result = isc_buffer_allocate(mctx, &buf, r.length);
+	   
+			check_result(result, "isc_buffer_allocate");
+			result =  isc_buffer_copyregion(buf, &r);
+			check_result(result, "isc_buffer_copyregion");
+	   
+			result =  dns_message_parse(msg_temp, buf, 0);
+ 
+			isc_buffer_free(&buf);
+			chase_msg->msg = msg_temp;
+
+			chase_msg2 = isc_mem_allocate(mctx,
+						      sizeof(dig_message_t));
+			if (chase_msg2 == NULL) {
+				fatal("Memory allocation failure in %s:%d",
+				      __FILE__, __LINE__);
+			}
+			ISC_LIST_APPEND(chase_message_list2, chase_msg2, link);
+			chase_msg2->msg = msg;
+		}
+#endif
+	
+	}
+       
+#ifdef DIG_SIGCHASE
+	if (l->sigchase && ISC_LIST_EMPTY(lookup_list) ) {   
+		sigchase(msg_temp);
 	}
+#endif
 
 	if (l->pending)
 		debug("still pending.");
@@ -2579,21 +2921,37 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 			check_next_lookup(l);
 		}
 	} else {
-		if (msg->rcode == dns_rcode_noerror || l->origin == NULL)
-			received(b->used, &sevent->address, query);
+
+		if (msg->rcode == dns_rcode_noerror || l->origin == NULL) {
+
+#ifdef DIG_SIGCHASE
+			if (!l->sigchase)
+#endif
+				received(b->used, &sevent->address, query);
+		}
+
 		if (!query->lookup->ns_search_only)
 			query->lookup->pending = ISC_FALSE;
 		if (!query->lookup->ns_search_only ||
-		    query->lookup->trace_root || docancel)
-		{
-			dns_message_destroy(&msg);
+		    query->lookup->trace_root || docancel) {
+#ifdef DIG_SIGCHASE
+			if (!do_sigchase)
+#endif
+				dns_message_destroy(&msg);
+
 			cancel_lookup(l);
 		}
 		clear_query(query);
 		check_next_lookup(l);
 	}
-	if (msg != NULL)
-		dns_message_destroy(&msg);
+	if (msg != NULL) {
+#ifdef DIG_SIGCHASE
+		if (do_sigchase)
+			msg = NULL;
+		else
+#endif
+			dns_message_destroy(&msg);
+	}
 	isc_event_free(&event);
 	UNLOCK_LOOKUP;
 }
@@ -2608,159 +2966,15 @@ get_address(char *host, in_port_t port, isc_sockaddr_t *sockaddr) {
 	int count;
 	isc_result_t result;
 
-	result = get_addresses(host, port, sockaddr, 1, &count);
+	isc_app_block();
+	result = bind9_getaddresses(host, port, sockaddr, 1, &count);
+	isc_app_unblock();
 	if (result != ISC_R_SUCCESS)
 		fatal("couldn't get address for '%s': %s",
 		      host, isc_result_totext(result));
 	INSIST(count == 1);
 }
 
-isc_result_t
-get_addresses(const char *hostname, in_port_t port,
-	     isc_sockaddr_t *addrs, int addrsize, int *addrcount)
-{
-	struct in_addr in4;
-	struct in6_addr in6;
-	isc_boolean_t have_ipv4, have_ipv6;
-	int i;
-
-#ifdef USE_GETADDRINFO
-	struct addrinfo *ai = NULL, *tmpai, hints;
-	int result;
-#else
-	struct hostent *he;
-#endif
-
-	REQUIRE(hostname != NULL);
-	REQUIRE(addrs != NULL);
-	REQUIRE(addrcount != NULL);
-	REQUIRE(addrsize > 0);
-
-	have_ipv4 = ISC_TF(isc_net_probeipv4() == ISC_R_SUCCESS);
-	have_ipv6 = ISC_TF(isc_net_probeipv6() == ISC_R_SUCCESS);
-
-	/*
-	 * Try IPv4, then IPv6.  In order to handle the extended format
-	 * for IPv6 scoped addresses (address%scope_ID), we'll use a local
-	 * working buffer of 128 bytes.  The length is an ad-hoc value, but
-	 * should be enough for this purpose; the buffer can contain a string
-	 * of at least 80 bytes for scope_ID in addition to any IPv6 numeric
-	 * addresses (up to 46 bytes), the delimiter character and the
-	 * terminating NULL character.
-	 */
-	if (inet_pton(AF_INET, hostname, &in4) == 1) {
-		if (have_ipv4)
-			isc_sockaddr_fromin(&addrs[0], &in4, port);
-		else
-			isc_sockaddr_v6fromin(&addrs[0], &in4, port);
-		*addrcount = 1;
-		return (ISC_R_SUCCESS);
-	} else if (inet_pton(AF_INET6, hostname, &in6) == 1) {
-
-		if (!have_ipv6)
-			return (ISC_R_FAMILYNOSUPPORT);
-		isc_sockaddr_fromin6(&addrs[0], &in6, port);
-		*addrcount = 1;
-		return (ISC_R_SUCCESS);
-	}
-#ifdef USE_GETADDRINFO
-	memset(&hints, 0, sizeof(hints));
-	if (!have_ipv6)
-		hints.ai_family = PF_INET;
-	else if (!have_ipv4)
-		hints.ai_family = PF_INET6;
-	else {
-		hints.ai_family = PF_UNSPEC;
-#ifdef AI_ADDRCONFIG
-		hints.ai_flags = AI_ADDRCONFIG;
-#endif
-	}
-	hints.ai_socktype = SOCK_STREAM;
-#ifdef AI_ADDRCONFIG
-	again:
-#endif
-	result = getaddrinfo(hostname, NULL, &hints, &ai);
-	switch (result) {
-	case 0:
-		break;
-	case EAI_NONAME:
-#if defined(EAI_NODATA) && (EAI_NODATA != EAI_NONAME)
-	case EAI_NODATA:
-#endif
-		return (ISC_R_NOTFOUND);
-#ifdef AI_ADDRCONFIG
-	case EAI_BADFLAGS:
-		if ((hints.ai_flags & AI_ADDRCONFIG) != 0) {
-			hints.ai_flags &= ~AI_ADDRCONFIG;
-			goto again;
-		}
-#endif
-	default:
-		return (ISC_R_FAILURE);
-	}
-	for (tmpai = ai, i = 0;
-		tmpai != NULL && i < addrsize;
-		tmpai = tmpai->ai_next)
-	{
-		if (tmpai->ai_family != AF_INET &&
-		    tmpai->ai_family != AF_INET6)
-			continue;
-		if (tmpai->ai_family == AF_INET) {
-			struct sockaddr_in *sin;
-			sin = (struct sockaddr_in *)tmpai->ai_addr;
-			isc_sockaddr_fromin(&addrs[i], &sin->sin_addr, port);
-		} else {
-			struct sockaddr_in6 *sin6;
-			sin6 = (struct sockaddr_in6 *)tmpai->ai_addr;
-			isc_sockaddr_fromin6(&addrs[i], &sin6->sin6_addr,
-					     port);
-		}
-		i++;
-
-	}
-	freeaddrinfo(ai);
-	*addrcount = i;
-#else
-	he = gethostbyname(hostname);
-	if (he == NULL) {
-		switch (h_errno) {
-		case HOST_NOT_FOUND:
-#ifdef NO_DATA
-		case NO_DATA:
-#endif
-#if defined(NO_ADDRESS) && (!defined(NO_DATA) || (NO_DATA != NO_ADDRESS))
-		case NO_ADDRESS:
-#endif
-			return (ISC_R_NOTFOUND);
-		default:
-			return (ISC_R_FAILURE);
-		}
-	}
-	if (he->h_addrtype != AF_INET && he->h_addrtype != AF_INET6)
-		return (ISC_R_NOTFOUND);
-	for (i = 0; i < addrsize; i++) {
-		if (he->h_addrtype == AF_INET) {
-			struct in_addr *inp;
-			inp = (struct in_addr *)(he->h_addr_list[i]);
-			if (inp == NULL)
-				break;
-			isc_sockaddr_fromin(&addrs[i], inp, port);
-		} else {
-			struct in6_addr *in6p;
-			in6p = (struct in6_addr *)(he->h_addr_list[i]);
-			if (in6p == NULL)
-				break;
-			isc_sockaddr_fromin6(&addrs[i], in6p, port);
-		}
-	}
-	*addrcount = i;
-#endif
-	if (*addrcount == 0)
-		return (ISC_R_NOTFOUND);
-	else
-		return (ISC_R_SUCCESS);
-}
-
 /*
  * Initiate either a TCP or UDP lookup
  */
@@ -2840,8 +3054,10 @@ cancel_all(void) {
  */
 void
 destroy_libs(void) {
-	void *ptr;
-	dig_server_t *s;
+#ifdef DIG_SIGCHASE 
+	void * ptr;
+	dig_message_t *chase_msg;
+#endif
 
 	debug("destroy_libs()");
 	if (global_task != NULL) {
@@ -2867,13 +3083,11 @@ destroy_libs(void) {
 
 	free_now = ISC_TRUE;
 
-	s = ISC_LIST_HEAD(server_list);
-	while (s != NULL) {
-		debug("freeing global server %p", s);
-		ptr = s;
-		s = ISC_LIST_NEXT(s, link);
-		isc_mem_free(mctx, ptr);
-	}
+	lwres_conf_clear(lwctx);
+	lwres_context_destroy(&lwctx);
+
+	flush_server_list();
+
 	clear_searchlist();
 	if (commctx != NULL) {
 		debug("freeing commctx");
@@ -2906,8 +3120,1945 @@ destroy_libs(void) {
 
 	UNLOCK_LOOKUP;
 	DESTROYLOCK(&lookup_lock);
+#ifdef DIG_SIGCHASE
+
+	debug("Destroy the messages kept for sigchase");
+	/* Destroy the messages kept for sigchase */
+       	chase_msg = ISC_LIST_HEAD(chase_message_list);
+
+	while (chase_msg != NULL) {
+		INSIST(chase_msg->msg != NULL);
+		dns_message_destroy(&(chase_msg->msg));
+		ptr = chase_msg;
+		chase_msg = ISC_LIST_NEXT(chase_msg, link);
+		isc_mem_free(mctx, ptr);
+	}
+
+	chase_msg = ISC_LIST_HEAD(chase_message_list2);
+
+	while (chase_msg != NULL) {
+		INSIST(chase_msg->msg != NULL);
+		dns_message_destroy(&(chase_msg->msg));
+		ptr = chase_msg;
+		chase_msg = ISC_LIST_NEXT(chase_msg, link);
+		isc_mem_free(mctx, ptr);
+	}
+
+	debug("Destroy memory");
+	
+#endif
 	if (memdebugging != 0)
 		isc_mem_stats(mctx, stderr);
 	if (mctx != NULL)
 		isc_mem_destroy(&mctx);
 }
+
+ 
+
+
+#ifdef DIG_SIGCHASE
+void
+print_type(dns_rdatatype_t type)
+{
+	isc_buffer_t * b = NULL;
+	isc_result_t result;
+	isc_region_t r;
+  
+	result = isc_buffer_allocate(mctx, &b, 4000);
+	check_result(result, "isc_buffer_allocate");
+
+	result = dns_rdatatype_totext(type, b);
+	check_result(result, "print_type");
+  
+	isc_buffer_usedregion(b, &r);
+	r.base[r.length] = '\0';
+  
+	printf("%s", r.base);
+
+	isc_buffer_free(&b);
+}
+
+
+void
+dump_database_section( dns_message_t *msg, int section)
+{
+	dns_name_t *msg_name=NULL;
+ 
+	dns_rdataset_t *rdataset;
+
+	do {
+		dns_message_currentname(msg, section, &msg_name);
+    
+		for (rdataset = ISC_LIST_HEAD(msg_name->list); rdataset != NULL;
+		     rdataset = ISC_LIST_NEXT(rdataset, link)) {	
+			dns_name_print(msg_name, stdout);
+			printf("\n");
+			print_rdataset(msg_name, rdataset, mctx);
+			printf("end\n");
+		}
+		msg_name = NULL;
+	} while ( dns_message_nextname(msg, section) == ISC_R_SUCCESS);
+}
+
+
+void dump_database(void)
+{
+	dig_message_t * msg;
+
+	for (msg = ISC_LIST_HEAD(chase_message_list);  msg != NULL;
+	     msg = ISC_LIST_NEXT(msg, link)) {
+		if (dns_message_firstname(msg->msg, DNS_SECTION_ANSWER)
+		    == ISC_R_SUCCESS) 
+			dump_database_section(msg->msg, DNS_SECTION_ANSWER);
+       
+		if (dns_message_firstname(msg->msg, DNS_SECTION_AUTHORITY)
+		    == ISC_R_SUCCESS) 
+			dump_database_section(msg->msg, DNS_SECTION_AUTHORITY);
+	
+		if (dns_message_firstname(msg->msg, DNS_SECTION_ADDITIONAL)
+		    == ISC_R_SUCCESS) 
+			dump_database_section(msg->msg, DNS_SECTION_ADDITIONAL);
+	}
+}
+
+
+dns_rdataset_t *  search_type(dns_name_t *name,
+			      dns_rdatatype_t type,
+			      dns_rdatatype_t covers)
+{
+	dns_rdataset_t *rdataset;
+	dns_rdata_sig_t siginfo;
+	dns_rdata_t sigrdata;
+	isc_result_t result;
+
+	for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL;
+	     rdataset = ISC_LIST_NEXT(rdataset, link)) {
+		if (type == dns_rdatatype_any) {
+			if (rdataset->type != dns_rdatatype_rrsig)
+				return rdataset;
+		} 
+		else if ((type == dns_rdatatype_rrsig) &&
+			 (rdataset->type == dns_rdatatype_rrsig)) {
+			dns_rdata_init(&sigrdata);
+			result = dns_rdataset_first(rdataset);
+			check_result(result, "empty rdataset");
+			dns_rdataset_current(rdataset, &sigrdata);
+			result = dns_rdata_tostruct(&sigrdata, &siginfo, NULL);
+			check_result(result, "sigrdata tostruct siginfo");
+
+			if ((siginfo.covered == covers) ||
+			    (covers == dns_rdatatype_any)) {
+				dns_rdata_reset(&sigrdata);
+				dns_rdata_freestruct(&siginfo);	
+				return rdataset;
+			}
+			dns_rdata_reset(&sigrdata);
+			dns_rdata_freestruct(&siginfo);
+		} 
+		else if (rdataset->type == type)
+			return rdataset;
+	}
+	return NULL;
+}
+
+dns_rdataset_t *
+chase_scanname_section(dns_message_t *msg,
+		       dns_name_t *name,
+		       dns_rdatatype_t type,
+		       dns_rdatatype_t covers,
+		       int section)
+{
+	dns_rdataset_t *rdataset;
+	dns_name_t *msg_name = NULL;
+  
+	do {
+		dns_message_currentname(msg, section, &msg_name);
+		if (dns_name_compare(msg_name, name) == 0) {
+			rdataset = search_type(msg_name, type, covers);
+			if ( rdataset != NULL)
+				return rdataset;
+		}
+		msg_name = NULL;
+	} while ( dns_message_nextname(msg, section) == ISC_R_SUCCESS);
+  
+	return(NULL);
+}
+
+
+dns_rdataset_t *
+chase_scanname(dns_name_t *name, dns_rdatatype_t type, dns_rdatatype_t covers)
+{
+	dns_rdataset_t *rdataset = NULL;
+	dig_message_t * msg;
+ 
+	for (msg = ISC_LIST_HEAD(chase_message_list2);  msg != NULL;
+	     msg = ISC_LIST_NEXT(msg, link)) {
+		if (dns_message_firstname(msg->msg, DNS_SECTION_ANSWER)
+		    == ISC_R_SUCCESS)
+			rdataset = chase_scanname_section(msg->msg, name,
+							  type, covers,
+							  DNS_SECTION_ANSWER);
+			if (rdataset != NULL)
+				return rdataset;
+		if (dns_message_firstname(msg->msg, DNS_SECTION_AUTHORITY)
+		    == ISC_R_SUCCESS)
+			rdataset =
+				chase_scanname_section(msg->msg, name,
+						       type, covers,
+						       DNS_SECTION_AUTHORITY);
+			if (rdataset != NULL)
+				return rdataset;
+		if (dns_message_firstname(msg->msg, DNS_SECTION_ADDITIONAL)
+		    == ISC_R_SUCCESS)
+			rdataset =
+				chase_scanname_section(msg->msg, name, type,
+						       covers,
+						       DNS_SECTION_ADDITIONAL);
+			if (rdataset != NULL)
+				return rdataset;
+	}
+
+	return NULL;
+}
+
+dns_rdataset_t *
+sigchase_scanname(dns_rdatatype_t type, dns_rdatatype_t covers,
+		  isc_boolean_t * lookedup,
+		  dns_name_t *rdata_name )
+{
+	dig_lookup_t *lookup;
+	isc_buffer_t *b = NULL;
+	isc_region_t r;
+	isc_result_t result;
+	dns_rdataset_t * temp;
+	dns_rdatatype_t querytype;
+
+	if ((temp=chase_scanname(rdata_name, type, covers))!=NULL) {
+		return(temp);
+	}
+
+	if (*lookedup == ISC_TRUE) {
+		return(NULL);
+	}
+
+	lookup = clone_lookup(current_lookup, ISC_TRUE);
+	lookup->trace_root = ISC_FALSE;
+	lookup->new_search = ISC_TRUE;
+  
+	result = isc_buffer_allocate(mctx, &b, BUFSIZE);
+	check_result(result, "isc_buffer_allocate");
+	result = dns_name_totext(rdata_name, ISC_FALSE, b);
+	check_result(result, "dns_name_totext");
+	isc_buffer_usedregion(b, &r);
+	r.base[r.length] = '\0';
+	strcpy(lookup->textname, (char*)r.base);
+	isc_buffer_free(&b);
+
+	if (type ==  dns_rdatatype_rrsig)
+		querytype = covers;
+	else
+		querytype = type;
+	if (querytype == 0 || querytype == 255) {
+		printf("Error in the queried type: %d\n", querytype);
+		return(NULL);
+	}
+
+	lookup->rdtype = querytype;
+	lookup->rdtypeset = ISC_TRUE;
+	lookup->qrdtype = querytype;
+	*lookedup = ISC_TRUE;
+
+	ISC_LIST_APPEND(lookup_list, lookup, link);
+	printf("\n\nLaunch a query to find a RRset of type ");
+	print_type(type);
+	printf(" for zone: %s\n", lookup->textname);
+	return(NULL);
+}
+
+void
+insert_trustedkey(dst_key_t  * key)
+{
+	if (key == NULL)
+		return;
+	if (tk_list.nb_tk >= MAX_TRUSTED_KEY)
+		return;
+
+	tk_list.key[tk_list.nb_tk++] = key;
+	return;   
+}
+
+void
+clean_trustedkey()
+{
+	int i = 0;
+
+	for (i= 0; i < MAX_TRUSTED_KEY; i++) {
+		if (tk_list.key[i] != NULL) {
+			dst_key_free(&tk_list.key[i]);
+			tk_list.key[i] = NULL;
+		}
+		else
+			break;
+	}
+	tk_list.nb_tk = 0;
+	return;
+}
+
+char alphnum[] =
+	"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
+
+isc_result_t
+removetmpkey(isc_mem_t *mctx, const char *file) 
+{
+	char *tempnamekey = NULL;
+	int tempnamekeylen;
+	isc_result_t result;
+  
+	tempnamekeylen = strlen(file)+10;
+  
+	tempnamekey = isc_mem_allocate(mctx, tempnamekeylen);
+	if (tempnamekey == NULL)
+		return (ISC_R_NOMEMORY);
+
+	memset(tempnamekey, 0, tempnamekeylen);
+ 
+	strcat(tempnamekey, file);
+	strcat(tempnamekey,".key");
+	isc_file_remove(tempnamekey);
+
+	result = isc_file_remove(tempnamekey);
+	isc_mem_free(mctx, tempnamekey);
+	return(result);
+}
+
+isc_result_t
+opentmpkey(isc_mem_t *mctx, const char *file, char **tempp, FILE **fp) {
+        FILE *f = NULL;
+        isc_result_t result;
+        char *tempname = NULL;
+	char *tempnamekey = NULL;
+        int tempnamelen;
+	int tempnamekeylen;
+	char *x;
+	char *cp;
+	isc_uint32_t which;
+
+	while (1) {
+		tempnamelen = strlen(file) + 20;
+		tempname = isc_mem_allocate(mctx, tempnamelen);
+		if (tempname == NULL)
+			return (ISC_R_NOMEMORY);
+		memset(tempname, 0, tempnamelen);
+
+		result = isc_file_mktemplate(file, tempname, tempnamelen);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup;
+
+		cp = tempname;
+		while (*cp != '\0')
+			cp++;
+		if (cp == tempname) {
+			isc_mem_free(mctx, tempname);
+			return (ISC_R_FAILURE);
+		}
+	    
+		x = cp--;
+		while (cp >= tempname && *cp == 'X') {
+			isc_random_get(&which);
+			*cp = alphnum[which % (sizeof(alphnum) - 1)];
+			x = cp--;
+		}
+ 
+		tempnamekeylen = tempnamelen+5;
+		tempnamekey = isc_mem_allocate(mctx, tempnamekeylen);
+		if (tempnamekey == NULL)
+			return (ISC_R_NOMEMORY);
+	
+		memset(tempnamekey, 0, tempnamekeylen);
+		strncpy(tempnamekey, tempname, tempnamelen);
+		strcat(tempnamekey ,".key");
+
+	   
+		if (isc_file_exists(tempnamekey)) {
+			isc_mem_free(mctx, tempnamekey);
+			isc_mem_free(mctx, tempname);
+			continue;
+		}
+
+		if ((f = fopen(tempnamekey, "w")) == NULL) {
+			printf("get_trusted_key(): trusted key not found %s\n",
+			       tempnamekey);
+			return ISC_R_FAILURE;
+		}
+		break;
+	}
+	isc_mem_free(mctx, tempnamekey);
+        *tempp = tempname;
+        *fp = f;
+        return (ISC_R_SUCCESS);
+
+ cleanup:
+        isc_mem_free(mctx, tempname);
+	
+        return (result);
+}
+
+
+isc_result_t
+get_trusted_key(isc_mem_t *mctx)
+{
+	isc_result_t result;
+	const char * filename = NULL;
+	char * filetemp =NULL;
+	char buf[1500];
+	FILE *fp , *fptemp;
+	dst_key_t  * key = NULL;
+ 
+	result  = isc_file_exists(trustedkey);
+	if (result !=  ISC_TRUE) {
+		result  = isc_file_exists("/etc/trusted-key.key");
+		if (result !=  ISC_TRUE) {
+			result  = isc_file_exists("./trusted-key.key");
+			if (result !=  ISC_TRUE)
+				return ISC_R_FAILURE;
+			else
+				filename = "./trusted-key.key";
+		}
+		else
+			filename = "/etc/trusted-key.key";
+	}
+	else
+		filename = trustedkey;
+
+	if (filename == NULL) {
+		printf("No trusted key\n");
+		return ISC_R_FAILURE;
+	}
+
+	if ((fp = fopen(filename, "r")) == NULL) {
+		printf("get_trusted_key(): trusted key not found %s\n",
+		       filename);
+		return ISC_R_FAILURE;
+	}
+	while (fgets(buf, 1500, fp) != NULL) {
+		result = opentmpkey(mctx,"tmp_file", &filetemp, &fptemp);
+		if (result != ISC_R_SUCCESS) {
+			fclose(fp);
+			return ISC_R_FAILURE;
+		}
+		if (fputs(buf, fptemp)<0) {
+			fclose(fp);
+			fclose(fptemp);
+			return ISC_R_FAILURE;
+		}
+		fclose(fptemp);
+		result = dst_key_fromnamedfile(filetemp, DST_TYPE_PUBLIC,
+					       mctx, &key);
+		removetmpkey(mctx, filetemp);
+		isc_mem_free(mctx, filetemp);
+		if (result !=  ISC_R_SUCCESS ) {
+			fclose(fp);
+			return ISC_R_FAILURE;
+		}
+		insert_trustedkey(key);
+#if 0
+		dst_key_tofile(key, DST_TYPE_PUBLIC,"/tmp");
+#endif
+		key = NULL;
+	}
+	return ISC_R_SUCCESS;
+}
+
+
+isc_result_t
+nameFromString( const char *str, dns_name_t *p_ret )
+{
+	int len = strlen(str);
+	int ret;
+	isc_buffer_t buffer;
+	dns_fixedname_t fixedname;
+	REQUIRE( p_ret);
+	REQUIRE( str != NULL );
+
+	isc_buffer_init( &buffer, str, len );
+	isc_buffer_add( &buffer, len );
+
+	dns_fixedname_init(&fixedname);
+	ret = dns_name_fromtext( dns_fixedname_name(&fixedname), &buffer,
+				 dns_rootname, ISC_TRUE, NULL);
+	if ( ret != ISC_R_SUCCESS ) return ret;
+
+	dns_name_init(p_ret, NULL );
+  
+	ret = dns_name_dup( dns_fixedname_name(&fixedname), mctx, p_ret );
+	return ret;
+} 
+
+
+#if DIG_SIGCHASE_TD
+isc_result_t 
+prepare_lookup(dns_name_t *name)
+{
+	isc_result_t    result;
+	dig_lookup_t  * lookup = NULL;
+	dig_server_t *s;
+	void *ptr;
+
+	lookup = clone_lookup(current_lookup, ISC_TRUE);
+	lookup->trace_root = ISC_FALSE;
+	lookup->new_search = ISC_TRUE;
+	lookup->trace_root_sigchase = ISC_FALSE;
+
+	strncpy(lookup->textname, lookup->textnamesigchase, MXNAME);
+
+	lookup->rdtype = lookup->rdtype_sigchase;
+	lookup->rdtypeset = ISC_TRUE;
+	lookup->qrdtype = lookup->qrdtype_sigchase;
+
+  
+   
+	s = ISC_LIST_HEAD(lookup->my_server_list);
+	while (s != NULL) {
+		debug("freeing server %p belonging to %p",
+		      s, lookup);
+		ptr = s;
+		s = ISC_LIST_NEXT(s, link);
+		ISC_LIST_DEQUEUE(lookup->my_server_list,
+				 (dig_server_t *)ptr, link);
+		isc_mem_free(mctx, ptr);
+	}
+  
+
+	for (result = dns_rdataset_first(chase_nsrdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(chase_nsrdataset)) {
+		char namestr[DNS_NAME_FORMATSIZE];
+		dns_rdata_ns_t ns;
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+		dig_server_t * srv = NULL;
+#define  __FOLLOW_GLUE__
+#ifdef __FOLLOW_GLUE__
+		isc_buffer_t * b = NULL;
+		isc_result_t result;
+		isc_region_t r;
+		dns_rdataset_t * rdataset =NULL;
+		isc_boolean_t   true = ISC_TRUE;
+#endif
+
+		memset(namestr, 0, DNS_NAME_FORMATSIZE);
+
+		dns_rdataset_current(chase_nsrdataset, &rdata);
+
+		(void)dns_rdata_tostruct(&rdata, &ns, NULL);
+      
+     
+      
+#ifdef __FOLLOW_GLUE__
+      
+		result = advanced_rrsearch(&rdataset, &ns.name,
+					   dns_rdatatype_aaaa,
+					   dns_rdatatype_any, &true);
+		if (result == ISC_R_SUCCESS) {
+			for (result = dns_rdataset_first(rdataset);
+			     result == ISC_R_SUCCESS;
+			     result = dns_rdataset_next(rdataset)) {
+				dns_rdata_t aaaa = DNS_RDATA_INIT;
+				dns_rdataset_current(rdataset, &aaaa);
+
+				result = isc_buffer_allocate(mctx, &b, 80);
+				check_result(result, "isc_buffer_allocate");
+
+				dns_rdata_totext(&aaaa, &ns.name, b);
+				isc_buffer_usedregion(b, &r);
+				r.base[r.length] = '\0';
+				strncpy(namestr, (char*)r.base,
+					DNS_NAME_FORMATSIZE);
+				isc_buffer_free(&b);
+				dns_rdata_reset(&aaaa);
+
+
+				srv = make_server(namestr);
+	     
+				ISC_LIST_APPEND(lookup->my_server_list,
+						srv, link);
+			}
+		}
+      
+		rdataset = NULL;
+		result = advanced_rrsearch(&rdataset, &ns.name, dns_rdatatype_a,
+					   dns_rdatatype_any, &true);
+		if (result == ISC_R_SUCCESS) {
+			for (result = dns_rdataset_first(rdataset);
+			     result == ISC_R_SUCCESS;
+			     result = dns_rdataset_next(rdataset)) {
+				dns_rdata_t a = DNS_RDATA_INIT;
+				dns_rdataset_current(rdataset, &a);
+
+				result = isc_buffer_allocate(mctx, &b, 80);
+				check_result(result, "isc_buffer_allocate");
+
+				dns_rdata_totext(&a, &ns.name, b);
+				isc_buffer_usedregion(b, &r);
+				r.base[r.length] = '\0';
+				strncpy(namestr, (char*)r.base,
+					DNS_NAME_FORMATSIZE);
+				isc_buffer_free(&b);
+				dns_rdata_reset(&a);
+				printf("ns name: %s\n", namestr);
+      
+
+				srv = make_server(namestr);
+	     
+				ISC_LIST_APPEND(lookup->my_server_list,
+						srv, link);
+			}
+		}
+#else
+       
+		dns_name_format(&ns.name, namestr, sizeof(namestr));
+		printf("ns name: ");
+		dns_name_print(&ns.name, stdout);
+		printf("\n");
+		srv = make_server(namestr);
+	     
+		ISC_LIST_APPEND(lookup->my_server_list, srv, link);
+
+#endif 
+		dns_rdata_freestruct(&ns);
+		dns_rdata_reset(&rdata);
+      
+	}
+
+	ISC_LIST_APPEND(lookup_list, lookup, link);
+	printf("\nLaunch a query to find a RRset of type ");
+	print_type(lookup->rdtype);
+	printf(" for zone: %s", lookup->textname);
+	printf(" with nameservers:");
+	printf("\n");
+	print_rdataset(name, chase_nsrdataset, mctx);
+	return ISC_R_SUCCESS;
+}
+
+
+isc_result_t
+child_of_zone(dns_name_t * name, dns_name_t * zone_name,
+	      dns_name_t * child_name)
+{
+	dns_namereln_t name_reln;
+	int orderp;
+	unsigned int nlabelsp;
+
+	name_reln = dns_name_fullcompare(name, zone_name, &orderp, &nlabelsp);
+	if ( (name_reln != dns_namereln_subdomain) ||
+	     (dns_name_countlabels(name) <=
+	      dns_name_countlabels(zone_name) +1)) {
+		printf("\n;; ERROR : ");
+		dns_name_print(name, stdout);
+		printf(" is not a subdomain of: ");
+		dns_name_print(zone_name, stdout);
+		printf(" FAILED\n\n");
+		return ISC_R_FAILURE;
+	}
+
+	dns_name_getlabelsequence(name,
+				  dns_name_countlabels(name) -
+				  dns_name_countlabels(zone_name) -1,
+				  dns_name_countlabels(zone_name) +1,
+				  child_name);
+	return ISC_R_SUCCESS;
+}
+
+isc_result_t
+grandfather_pb_test(dns_name_t * zone_name, dns_rdataset_t  * sigrdataset)
+{
+	isc_result_t result;
+	dns_rdata_t sigrdata;
+	dns_rdata_sig_t siginfo;
+
+	result = dns_rdataset_first(sigrdataset);
+	check_result(result, "empty RRSIG dataset");
+	dns_rdata_init(&sigrdata);
+  
+	do {
+		dns_rdataset_current(sigrdataset, &sigrdata);
+    
+		result = dns_rdata_tostruct(&sigrdata, &siginfo, NULL);
+		check_result(result, "sigrdata tostruct siginfo");
+ 
+		if (dns_name_compare(&siginfo.signer, zone_name) == 0) {
+			dns_rdata_freestruct(&siginfo);
+			dns_rdata_reset(&sigrdata);
+			return ISC_R_SUCCESS;
+		}
+
+		dns_rdata_freestruct(&siginfo);
+ 
+	} while (dns_rdataset_next(chase_sigkeyrdataset) == ISC_R_SUCCESS);
+
+	dns_rdata_reset(&sigrdata);
+
+	return ISC_R_FAILURE;
+}
+
+
+isc_result_t
+initialization(dns_name_t * name)
+{
+	isc_result_t   result;
+	isc_boolean_t  true = ISC_TRUE;
+
+	chase_nsrdataset = NULL;
+	result = advanced_rrsearch(&chase_nsrdataset, name, dns_rdatatype_ns,
+				   dns_rdatatype_any, &true);
+	if (result != ISC_R_SUCCESS) {
+		printf("\n;; NS RRset is missing to continue validation:"
+		       " FAILED\n\n");
+		return ISC_R_FAILURE;
+	}
+	INSIST(chase_nsrdataset != NULL);
+	prepare_lookup(name);
+
+	dup_name(name, &chase_current_name, mctx);
+
+	return ISC_R_SUCCESS;
+}
+#endif 
+
+void
+print_rdataset(dns_name_t * name, dns_rdataset_t *rdataset, isc_mem_t *mctx)
+{
+	isc_buffer_t * b = NULL;
+	isc_result_t result;
+	isc_region_t r;
+
+	result = isc_buffer_allocate(mctx, &b, 9000);
+	check_result(result, "isc_buffer_allocate");
+
+	printrdataset(name, rdataset, b);
+
+	isc_buffer_usedregion(b, &r);
+	r.base[r.length] = '\0';
+
+
+	printf("%s\n", r.base);
+
+	isc_buffer_free(&b);
+}
+
+
+void 
+dup_name(dns_name_t *source, dns_name_t* target, isc_mem_t *mctx)
+{
+	isc_result_t result; 
+ 
+	dns_name_init(target, NULL);
+	result = dns_name_dup(source, mctx, target);
+	check_result(result, "dns_name_dup");
+}
+
+/*
+ *
+ * take a DNSKEY RRset and the RRSIG RRset corresponding in parameter
+ * return ISC_R_SUCCESS if the DNSKEY RRset contains a trusted_key
+ * 			and the RRset is valid
+ * return ISC_R_NOTFOUND if not contains trusted key
+ 			or if the RRset isn't valid
+ * return ISC_R_FAILURE if problem
+ *
+ */
+isc_result_t
+contains_trusted_key(dns_name_t *name, dns_rdataset_t *rdataset,
+		     dns_rdataset_t *sigrdataset,
+		     isc_mem_t *mctx)
+{
+	isc_result_t result;
+	dns_rdata_t rdata;
+	dst_key_t * trustedKey = NULL;
+	dst_key_t * dnsseckey = NULL;
+	int i;
+  
+	if (name == NULL || rdataset == NULL) {
+		return ISC_R_FAILURE;
+	}
+
+	result = dns_rdataset_first(rdataset);
+	check_result(result, "empty rdataset");
+	dns_rdata_init(&rdata);
+
+	do {
+		dns_rdataset_current(rdataset, &rdata);
+		INSIST(rdata.type == dns_rdatatype_dnskey);
+  	  
+		result = dns_dnssec_keyfromrdata(name, &rdata,
+						 mctx, &dnsseckey);
+		check_result(result, "dns_dnssec_keyfromrdata");
+
+    
+		for (i = 0; i< tk_list.nb_tk; i++) {
+			if (dst_key_compare(tk_list.key[i], dnsseckey)
+			    == ISC_TRUE) {
+				dns_rdata_reset(&rdata);
+	
+				printf(";; Ok, find a Trusted Key in the "
+				       "DNSKEY RRset: %d\n",
+				       dst_key_id(dnsseckey));
+				if (sigchase_verify_sig_key(name, rdataset,
+							    dnsseckey,
+							    sigrdataset,
+							    mctx)
+				    == ISC_R_SUCCESS) {
+					dst_key_free(&dnsseckey);
+					dnsseckey = NULL;
+					return  ISC_R_SUCCESS;
+				}
+			}
+		}
+ 
+		dns_rdata_reset(&rdata);
+		if (dnsseckey != NULL)
+			dst_key_free(&dnsseckey);
+	} while (dns_rdataset_next(rdataset) == ISC_R_SUCCESS);
+
+	if (trustedKey != NULL)
+		dst_key_free(&trustedKey);
+	trustedKey = NULL;
+  
+	return ISC_R_NOTFOUND;
+}
+
+isc_result_t
+sigchase_verify_sig(dns_name_t *name, dns_rdataset_t *rdataset,
+		    dns_rdataset_t *keyrdataset,
+		    dns_rdataset_t *sigrdataset,
+		    isc_mem_t *mctx)
+{
+	isc_result_t result;
+	dns_rdata_t keyrdata;
+	dst_key_t * dnsseckey = NULL;
+
+	result = dns_rdataset_first(keyrdataset);
+	check_result(result, "empty DNSKEY dataset");
+	dns_rdata_init(&keyrdata);
+
+	do {
+		dns_rdataset_current(keyrdataset, &keyrdata);
+		INSIST(keyrdata.type == dns_rdatatype_dnskey);
+  	  
+		result = dns_dnssec_keyfromrdata(name, &keyrdata,
+						 mctx, &dnsseckey);
+		check_result(result, "dns_dnssec_keyfromrdata");
+
+		result = sigchase_verify_sig_key(name, rdataset, dnsseckey,
+						 sigrdataset, mctx);
+		if (result == ISC_R_SUCCESS) {
+			dns_rdata_reset(&keyrdata);
+			dst_key_free(&dnsseckey);
+			return(ISC_R_SUCCESS);
+		}
+		dst_key_free(&dnsseckey);
+	} while (dns_rdataset_next(chase_keyrdataset) == ISC_R_SUCCESS);
+  
+	dns_rdata_reset(&keyrdata);
+  
+	return ISC_R_NOTFOUND;
+}
+
+isc_result_t
+sigchase_verify_sig_key(dns_name_t *name, dns_rdataset_t *rdataset,
+			dst_key_t* dnsseckey,
+			dns_rdataset_t *sigrdataset, isc_mem_t *mctx)
+{
+	isc_result_t result;
+	dns_rdata_t sigrdata;
+	dns_rdata_sig_t siginfo;
+
+	result = dns_rdataset_first(sigrdataset);
+	check_result(result, "empty RRSIG dataset");
+	dns_rdata_init(&sigrdata);
+    
+	do {
+		dns_rdataset_current(sigrdataset, &sigrdata);
+
+		result = dns_rdata_tostruct(&sigrdata, &siginfo, NULL);
+		check_result(result, "sigrdata tostruct siginfo");
+ 
+		/*
+		 * Test if the id of the DNSKEY is
+		 * the id of the DNSKEY signer's
+		 */
+		if (siginfo.keyid == dst_key_id(dnsseckey)) {
+    
+			result = dns_rdataset_first(rdataset);
+			check_result(result, "empty DS dataset");
+    
+			result = dns_dnssec_verify(name, rdataset, dnsseckey,
+						   ISC_FALSE, mctx, &sigrdata);
+
+			printf(";; VERIFYING ");
+			print_type(rdataset->type);
+			printf(" RRset for ");
+			dns_name_print(name, stdout);
+			printf(" with DNSKEY:%d: %s\n", dst_key_id(dnsseckey),
+			       isc_result_totext(result));
+	 
+			if (result == ISC_R_SUCCESS) {
+				dns_rdata_reset(&sigrdata);
+				return result;
+			}
+		}
+		dns_rdata_freestruct(&siginfo);
+ 
+	} while (dns_rdataset_next(chase_sigkeyrdataset) == ISC_R_SUCCESS);
+
+	dns_rdata_reset(&sigrdata);
+
+	return ISC_R_NOTFOUND;
+}
+
+
+isc_result_t
+sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset,
+		   dns_rdataset_t *dsrdataset, isc_mem_t *mctx)
+{
+	isc_result_t result;
+	dns_rdata_t keyrdata;
+	dns_rdata_t newdsrdata;
+	dns_rdata_t dsrdata;
+	dns_rdata_ds_t dsinfo;
+	dst_key_t* dnsseckey = NULL;
+	unsigned char dsbuf[DNS_DS_BUFFERSIZE];
+
+	result = dns_rdataset_first(dsrdataset);
+	check_result(result, "empty DSset dataset");
+	dns_rdata_init(&dsrdata);
+	do {
+		dns_rdataset_current(dsrdataset, &dsrdata);
+    
+		result = dns_rdata_tostruct(&dsrdata, &dsinfo, NULL);
+		check_result(result, "dns_rdata_tostruct  for DS");
+    
+		result = dns_rdataset_first(keyrdataset);
+		check_result(result, "empty KEY dataset");
+		dns_rdata_init(&keyrdata);	  
+
+		do {
+			dns_rdataset_current(keyrdataset, &keyrdata);
+			INSIST(keyrdata.type == dns_rdatatype_dnskey);
+  	  
+			result = dns_dnssec_keyfromrdata(name, &keyrdata,
+							 mctx, &dnsseckey);
+			check_result(result, "dns_dnssec_keyfromrdata");
+
+			/*
+			 * Test if the id of the DNSKEY is the
+			 * id of DNSKEY referenced by the DS
+			 */
+			if (dsinfo.key_tag == dst_key_id(dnsseckey)) {
+				dns_rdata_init(&newdsrdata);
+
+				result = dns_ds_buildrdata(name, &keyrdata,
+							   dsinfo.digest_type,
+							   dsbuf, &newdsrdata);
+				dns_rdata_freestruct(&dsinfo);  
+
+				if (result != ISC_R_SUCCESS) {
+					dns_rdata_reset(&keyrdata);
+					dns_rdata_reset(&newdsrdata);
+					dns_rdata_reset(&dsrdata);
+					dst_key_free(&dnsseckey);
+					dns_rdata_freestruct(&dsinfo);  
+					printf("Oops: impossible to build"
+					       " new DS rdata\n");
+					return result;
+				}
+	
+	
+				if (dns_rdata_compare(&dsrdata,
+						      &newdsrdata) == 0) {
+					printf(";; OK a DS valids a DNSKEY"
+					       " in the RRset\n");
+					printf(";; Now verify that this"
+					       " DNSKEY validates the "
+					       "DNSKEY RRset\n");
+	       
+					result = sigchase_verify_sig_key(name,
+							 keyrdataset,
+							 dnsseckey,
+							 chase_sigkeyrdataset,
+							 mctx);
+					if (result ==  ISC_R_SUCCESS) {
+						dns_rdata_reset(&keyrdata);
+						dns_rdata_reset(&newdsrdata);
+						dns_rdata_reset(&dsrdata);
+						dst_key_free(&dnsseckey);
+		 
+						return result;
+					}
+				} 
+				else {
+					printf(";; This DS is NOT the DS for"
+					       " the chasing KEY: FAILED\n");
+				}
+
+				dns_rdata_reset(&newdsrdata);
+			}
+			dst_key_free(&dnsseckey);
+			dnsseckey = NULL;
+		} while (dns_rdataset_next(chase_keyrdataset) == ISC_R_SUCCESS);
+		dns_rdata_reset(&keyrdata);
+ 
+	} while (dns_rdataset_next(chase_dsrdataset) == ISC_R_SUCCESS);
+#if 0
+	dns_rdata_reset(&dsrdata); WARNING
+#endif
+ 
+	return ISC_R_NOTFOUND;
+}
+
+/*
+ *
+ * take a pointer on a rdataset in parameter and try to resolv it.
+ * the searched rrset is a rrset on 'name' with type 'type'
+ * (and if the type is a rrsig the signature cover 'covers').
+ * the lookedup is to known if you have already done the query on the net.
+ * ISC_R_SUCCESS: if we found the rrset
+ * ISC_R_NOTFOUND: we do not found the rrset in cache
+ * and we do a query on the net
+ * ISC_R_FAILURE: rrset not found 
+ */
+isc_result_t
+advanced_rrsearch(dns_rdataset_t **rdataset, dns_name_t * name,
+		  dns_rdatatype_t type,
+		  dns_rdatatype_t covers,
+		  isc_boolean_t *lookedup)
+{ 
+	isc_boolean_t  tmplookedup;
+
+	INSIST(rdataset != NULL);
+
+	if (*rdataset != NULL)
+		return(ISC_R_SUCCESS);
+
+	tmplookedup = *lookedup;
+	if ((*rdataset = sigchase_scanname(type, covers,
+					   lookedup, name)) == NULL) {
+		if (tmplookedup)
+			return (ISC_R_FAILURE);
+		return (ISC_R_NOTFOUND);
+	}
+	*lookedup = ISC_FALSE;
+	return(ISC_R_SUCCESS);
+}
+
+
+
+#if DIG_SIGCHASE_TD
+void
+sigchase_td(dns_message_t * msg)
+{
+	isc_result_t    result;
+	dns_name_t    * name = NULL;
+	isc_boolean_t   have_answer = ISC_FALSE;
+ 
+	isc_boolean_t   true = ISC_TRUE;
+
+	if ((result = dns_message_firstname(msg, DNS_SECTION_ANSWER))
+	    == ISC_R_SUCCESS) {
+		dns_message_currentname(msg, DNS_SECTION_ANSWER, &name);
+		if (current_lookup->trace_root_sigchase) {
+			initialization(name);
+			return;
+		}
+		have_answer = true;
+	}
+	else {
+		if (!current_lookup->trace_root_sigchase) {
+			result = dns_message_firstname(msg,
+						       DNS_SECTION_AUTHORITY);
+			if (result == ISC_R_SUCCESS)
+				dns_message_currentname(msg,
+							DNS_SECTION_AUTHORITY,
+							&name);
+			chase_nsrdataset
+				= chase_scanname_section(msg, name,
+							 dns_rdatatype_ns,
+							 dns_rdatatype_any,
+							 DNS_SECTION_AUTHORITY);
+			dup_name(name, &chase_authority_name, mctx);
+			if (chase_nsrdataset != NULL) {
+				have_delegation_ns = ISC_TRUE;
+				printf("no response but there is a delegation"
+				       " in authority section:");
+				dns_name_print(name, stdout);
+				printf("\n");
+			}
+			else {
+				printf("no response and no delegation in "
+				       "authority section but a reference"
+				       " to: ");
+				dns_name_print(name, stdout);
+				printf("\n");
+				error_message = msg;
+			}
+		}
+		else {
+			printf(";; NO ANSWERS: %s\n",
+			       isc_result_totext(result));
+			dns_name_free(&chase_name, mctx);
+			clean_trustedkey();
+			return;
+		}
+	}
+
+   
+	if (have_answer) {
+		chase_rdataset
+			= chase_scanname_section(msg, &chase_name,
+						 current_lookup
+						 ->rdtype_sigchase,
+						 dns_rdatatype_any,
+						 DNS_SECTION_ANSWER);
+		if (chase_rdataset != NULL)
+			have_response = ISC_TRUE;
+	}
+
+	result = advanced_rrsearch(&chase_keyrdataset,
+				   &chase_current_name,
+				   dns_rdatatype_dnskey,
+				   dns_rdatatype_any,
+				   &chase_keylookedup);
+	if (result == ISC_R_FAILURE) {
+		printf("\n;; DNSKEY is missing to continue validation:"
+		       " FAILED\n\n");
+		goto cleanandgo;
+	}
+	if (result == ISC_R_NOTFOUND)
+		return;
+	INSIST(chase_keyrdataset != NULL);
+	printf("\n;; DNSKEYset:\n");
+	print_rdataset(&chase_current_name , chase_keyrdataset, mctx);
+
+
+	result = advanced_rrsearch(&chase_sigkeyrdataset,
+				   &chase_current_name,
+				   dns_rdatatype_rrsig,
+				   dns_rdatatype_dnskey,
+				   &chase_sigkeylookedup);
+	if (result == ISC_R_FAILURE) {
+		printf("\n;; RRSIG of DNSKEY is missing to continue validation:"
+		       " FAILED\n\n");
+		goto cleanandgo;
+	}
+	if (result == ISC_R_NOTFOUND)
+		return;
+	INSIST(chase_sigkeyrdataset != NULL);
+	printf("\n;; RRSIG of the DNSKEYset:\n");
+	print_rdataset(&chase_current_name , chase_sigkeyrdataset, mctx);
+
+
+	if (!chase_dslookedup && !chase_nslookedup) {
+		if (!delegation_follow) {
+			result = contains_trusted_key(&chase_current_name,
+						      chase_keyrdataset,
+						      chase_sigkeyrdataset,
+						      mctx);
+		} 
+		else {
+			INSIST(chase_dsrdataset != NULL);
+			INSIST(chase_sigdsrdataset != NULL);
+			result = sigchase_verify_ds(&chase_current_name,
+						    chase_keyrdataset,
+						    chase_dsrdataset,
+						    mctx);
+		}
+      
+		if (result != ISC_R_SUCCESS) {
+			printf("\n;; chain of trust can't be validated:"
+			       " FAILED\n\n");
+			goto cleanandgo;
+		}
+		else {
+			chase_dsrdataset = NULL;
+			chase_sigdsrdataset = NULL;
+		}
+	}
+
+	if (have_response || (!have_delegation_ns && !have_response)) {
+		/* test if it's a grand father case */
+
+		if (have_response) {
+			result = advanced_rrsearch(&chase_sigrdataset,
+						   &chase_name,
+						   dns_rdatatype_rrsig,
+						   current_lookup
+						   ->rdtype_sigchase,
+						   &true);
+			if (result == ISC_R_FAILURE) {
+				printf("\n;; RRset is missing to continue"
+				       " validation SHOULD NOT APPEND:"
+				       " FAILED\n\n");
+				goto cleanandgo;
+			}
+	 
+		}
+		else {
+			result = advanced_rrsearch(&chase_sigrdataset,
+						   &chase_authority_name,
+						   dns_rdatatype_rrsig,
+						   dns_rdatatype_any,
+						   &true);
+			if (result == ISC_R_FAILURE) {
+				printf("\n;; RRSIG is missing  to continue"
+				       " validation SHOULD NOT APPEND:"
+				       " FAILED\n\n");
+				goto cleanandgo;
+			}
+		}
+		result =  grandfather_pb_test(&chase_current_name,
+					      chase_sigrdataset);
+		if (result != ISC_R_SUCCESS) {
+			dns_name_t tmp_name;
+
+			printf("\n;; We are in a Grand Father Problem:"
+			       " See 2.2.1 in RFC 3568\n");
+			chase_rdataset = NULL;
+			chase_sigrdataset = NULL;
+			have_response = ISC_FALSE;
+			have_delegation_ns = ISC_FALSE;
+	  
+			dns_name_init(&tmp_name, NULL);
+			result = child_of_zone(&chase_name, &chase_current_name,
+					       &tmp_name);
+			if (chase_authority_name.labels != 0)
+				dns_name_free( &chase_authority_name, mctx);
+			dup_name(&tmp_name, &chase_authority_name, mctx);
+			printf(";; and we try to continue chain of trust"
+			       " validation of the zone: ");
+			dns_name_print(&chase_authority_name, stdout);
+			printf("\n");
+			have_delegation_ns = ISC_TRUE;
+		}
+		else {
+			if (have_response)
+				goto finalstep;
+			else
+				chase_sigrdataset = NULL;
+		}
+	}
+
+	if (have_delegation_ns) {
+		chase_nsrdataset = NULL;
+		result = advanced_rrsearch(&chase_nsrdataset,
+					   &chase_authority_name,
+					   dns_rdatatype_ns,
+					   dns_rdatatype_any,
+					   &chase_nslookedup);
+		if (result == ISC_R_FAILURE) {
+			printf("\n;;NSset is missing to continue validation:"
+			       " FAILED\n\n");
+			goto cleanandgo;
+		}
+		if (result == ISC_R_NOTFOUND) {
+			return;
+		}
+		INSIST(chase_nsrdataset != NULL);
+  
+		result = advanced_rrsearch(&chase_dsrdataset,
+					   &chase_authority_name,
+					   dns_rdatatype_ds,
+					   dns_rdatatype_any,
+					   &chase_dslookedup);
+		if (result == ISC_R_FAILURE) {
+			printf("\n;; DSset is missing to continue validation:"
+			       " FAILED\n\n");
+			goto cleanandgo;
+		}
+		if (result == ISC_R_NOTFOUND)
+			return;
+		INSIST(chase_dsrdataset != NULL);
+		printf("\n;; DSset:\n");
+		print_rdataset(&chase_authority_name , chase_dsrdataset, mctx);
+
+		result = advanced_rrsearch(&chase_sigdsrdataset,
+					   &chase_authority_name,
+					   dns_rdatatype_rrsig,
+					   dns_rdatatype_ds,
+					   &true);
+		if (result != ISC_R_SUCCESS) {
+			printf("\n;; DSset is missing to continue validation:"
+			       " FAILED\n\n");
+			goto cleanandgo;
+		}
+		printf("\n;; RRSIGset of DSset\n");
+		print_rdataset(&chase_authority_name,
+			       chase_sigdsrdataset, mctx);
+		INSIST(chase_sigdsrdataset != NULL);
+
+		result = sigchase_verify_sig(&chase_authority_name,
+					     chase_dsrdataset,
+					     chase_keyrdataset,
+					     chase_sigdsrdataset, mctx);
+		if (result != ISC_R_SUCCESS) {
+			printf("\n;; Impossible to verify the DSset:"
+			       " FAILED\n\n");
+			goto cleanandgo;
+		}
+		chase_keyrdataset = NULL;
+		chase_sigkeyrdataset = NULL;
+    
+ 
+		prepare_lookup(&chase_authority_name);
+	
+		have_response = ISC_FALSE;
+		have_delegation_ns = ISC_FALSE;
+		delegation_follow = ISC_TRUE;
+		error_message = NULL;
+		dns_name_free(&chase_current_name, mctx);
+		dup_name(&chase_authority_name, &chase_current_name, mctx);
+		dns_name_free(&chase_authority_name, mctx);
+		return;
+	}
+
+  
+	if (error_message != NULL) {
+		dns_rdataset_t * rdataset;
+		dns_rdataset_t * sigrdataset;
+		dns_name_t       rdata_name;
+		isc_result_t     ret = ISC_R_FAILURE;
+
+		result = prove_nx(error_message, &chase_name,
+				  current_lookup->rdclass_sigchase,
+				  current_lookup->rdtype_sigchase, &rdata_name,
+				  &rdataset, &sigrdataset);
+		if (&rdata_name == NULL || rdataset == NULL ||
+		    sigrdataset == NULL) {
+			printf("\n;; Impossible to verify the non-existence,"
+			       " the NSEC RRset can't be validated:"
+			       " FAILED\n\n");
+			goto cleanandgo;
+		}
+		ret = sigchase_verify_sig(&rdata_name, rdataset,
+					  chase_keyrdataset,
+					  sigrdataset, mctx);
+		if (ret != ISC_R_SUCCESS) {
+			dns_name_free(&rdata_name, mctx);
+			printf("\n;; Impossible to verify the NSEC RR to prove"
+			       " the non-existence : FAILED\n\n");
+			goto cleanandgo;
+		}
+		dns_name_free(&rdata_name, mctx);
+		if (result != ISC_R_SUCCESS) {
+			printf("\n;; Impossible to verify the non-existence:"
+			       " FAILED\n\n");
+			goto cleanandgo;
+		}
+		else {
+			printf("\n;; OK the query doesn't have response but"
+			       " we have validate this fact : SUCCESS\n\n");
+			goto cleanandgo;
+		}
+	}
+
+ cleanandgo:
+	printf(";; cleanandgo \n");
+	dns_name_free(&chase_name, mctx);
+	if (chase_current_name.labels != 0)
+		dns_name_free(&chase_current_name, mctx);
+	if (chase_authority_name.labels != 0)
+		dns_name_free(&chase_authority_name, mctx);
+	clean_trustedkey();
+	return;
+
+	finalstep :
+		result = advanced_rrsearch(&chase_rdataset, &chase_name,
+					   current_lookup->rdtype_sigchase,
+					   dns_rdatatype_any ,
+					   &true);
+	if (result == ISC_R_FAILURE) {
+		printf("\n;; RRsig of RRset is missing to continue validation"
+		       " SHOULD NOT APPEND: FAILED\n\n");
+		goto cleanandgo;
+	}
+	result = sigchase_verify_sig(&chase_name, chase_rdataset,
+				     chase_keyrdataset,
+				     chase_sigrdataset, mctx);
+	if (result != ISC_R_SUCCESS) {
+		printf("\n;; Impossible to verify the RRset : FAILED\n\n");
+		/*
+		  printf("RRset:\n");
+		  print_rdataset(&chase_name , chase_rdataset, mctx);
+		  printf("DNSKEYset:\n");
+		  print_rdataset(&chase_name , chase_keyrdataset, mctx);
+		  printf("RRSIG of RRset:\n");
+		  print_rdataset(&chase_name , chase_sigrdataset, mctx);
+		  printf("\n");
+		*/
+		goto cleanandgo;
+	}
+	else {
+		printf("\n;; The Answer:\n");
+		print_rdataset(&chase_name , chase_rdataset, mctx);
+
+		printf("\n;; FINISH : we have validate the DNSSEC chain"
+		       " of trust: SUCCESS\n\n");
+		goto cleanandgo;
+	}
+}
+
+#endif 
+
+
+#if DIG_SIGCHASE_BU
+
+isc_result_t
+getneededrr(dns_message_t *msg)
+{
+	isc_result_t result;
+	dns_name_t *name = NULL;
+	dns_rdata_t sigrdata;
+	dns_rdata_sig_t siginfo;
+	isc_boolean_t   true = ISC_TRUE;
+
+	if ((result = dns_message_firstname(msg, DNS_SECTION_ANSWER))
+	    != ISC_R_SUCCESS) {
+		printf(";; NO ANSWERS: %s\n", isc_result_totext(result));
+    
+		if (chase_name.ndata == NULL) {
+			return ISC_R_ADDRNOTAVAIL;
+		}
+	}
+	else {
+		dns_message_currentname(msg, DNS_SECTION_ANSWER, &name);
+	}
+
+	/* What do we chase? */
+	if (chase_rdataset == NULL) {
+		result = advanced_rrsearch(&chase_rdataset, name,
+					   dns_rdatatype_any,
+					   dns_rdatatype_any, &true);
+		if (result != ISC_R_SUCCESS) {
+			printf("\n;; No Answers: Validation FAILED\n\n");
+			return ISC_R_NOTFOUND;
+		}
+		dup_name(name, &chase_name, mctx);
+		printf(";; RRset to chase:\n");
+		print_rdataset(&chase_name, chase_rdataset, mctx);
+	}
+	INSIST(chase_rdataset != NULL);
+
+
+	if (chase_sigrdataset == NULL) {
+		result = advanced_rrsearch(&chase_sigrdataset, name,
+					   dns_rdatatype_rrsig,
+					   chase_rdataset->type,
+					   &chase_siglookedup);
+		if (result == ISC_R_FAILURE) {
+			printf("\n;; RRSIG is missing for continue validation:"
+			       " FAILED\n\n");
+			if (chase_name.ndata != NULL)
+				dns_name_free(&chase_name, mctx);
+			return ISC_R_NOTFOUND;
+		}
+		if (result == ISC_R_NOTFOUND) {
+			return(ISC_R_NOTFOUND);
+		}
+		printf("\n;; RRSIG of the RRset to chase:\n");
+		print_rdataset(&chase_name, chase_sigrdataset, mctx);
+	}
+	INSIST(chase_sigrdataset != NULL);
+
+ 
+	/* first find the DNSKEY name */
+	result = dns_rdataset_first(chase_sigrdataset);
+	check_result(result, "empty RRSIG dataset");
+	dns_rdata_init(&sigrdata);
+	dns_rdataset_current(chase_sigrdataset, &sigrdata);
+	result = dns_rdata_tostruct(&sigrdata, &siginfo, NULL);
+	check_result(result, "sigrdata tostruct siginfo");
+	dup_name(&siginfo.signer, &chase_signame, mctx);
+	dns_rdata_freestruct(&siginfo);
+	dns_rdata_reset(&sigrdata);
+ 
+	/* Do we have a key?  */
+	if (chase_keyrdataset == NULL) {
+		result = advanced_rrsearch(&chase_keyrdataset,
+					   &chase_signame,
+					   dns_rdatatype_dnskey,
+					   dns_rdatatype_any,
+					   &chase_keylookedup);
+		if (result == ISC_R_FAILURE) {
+			printf("\n;; DNSKEY is missing to continue validation:"
+			       " FAILED\n\n");
+			dns_name_free(&chase_signame, mctx);
+			if (chase_name.ndata != NULL)
+				dns_name_free(&chase_name, mctx);
+			return ISC_R_NOTFOUND;
+		}
+		if (result == ISC_R_NOTFOUND) {
+			dns_name_free(&chase_signame, mctx);
+			return(ISC_R_NOTFOUND);
+		}
+		printf("\n;; DNSKEYset that signs the RRset to chase:\n");
+		print_rdataset(&chase_signame, chase_keyrdataset, mctx);
+	}
+	INSIST(chase_keyrdataset != NULL);
+
+	if (chase_sigkeyrdataset == NULL) {
+		result = advanced_rrsearch(&chase_sigkeyrdataset,
+					   &chase_signame,
+					   dns_rdatatype_rrsig,
+					   dns_rdatatype_dnskey,
+					   &chase_sigkeylookedup);
+		if (result == ISC_R_FAILURE) {
+			printf("\n;; RRSIG for DNSKEY  is missing  to continue"
+			       " validation : FAILED\n\n");
+			dns_name_free(&chase_signame, mctx);
+			if (chase_name.ndata != NULL)
+				dns_name_free(&chase_name, mctx);
+			return ISC_R_NOTFOUND;
+		}
+		if (result == ISC_R_NOTFOUND) {
+			dns_name_free(&chase_signame, mctx);
+			return(ISC_R_NOTFOUND);
+		}
+		printf("\n;; RRSIG of the DNSKEYset that signs the "
+		       "RRset to chase:\n");
+		print_rdataset(&chase_signame, chase_sigkeyrdataset, mctx);
+	}
+	INSIST(chase_sigkeyrdataset != NULL);
+
+
+	if (chase_dsrdataset == NULL) {
+		result = advanced_rrsearch(&chase_dsrdataset, &chase_signame,
+					   dns_rdatatype_ds,
+					   dns_rdatatype_any,
+		&chase_dslookedup);
+		if (result == ISC_R_FAILURE) {
+			printf("\n;; WARNING There is no DS for the zone: ");
+			dns_name_print(&chase_signame, stdout);
+			printf("\n");
+		}
+		if (result == ISC_R_NOTFOUND) {
+			dns_name_free(&chase_signame, mctx);
+			return(ISC_R_NOTFOUND);
+		}
+		if (chase_dsrdataset != NULL) {
+			printf("\n;; DSset of the DNSKEYset\n");
+			print_rdataset(&chase_signame, chase_dsrdataset, mctx);
+		}
+	}
+ 
+	if (chase_dsrdataset != NULL) {
+		/*
+		 * if there is no RRSIG of DS,
+		 * we don't want to search on the network
+		 */
+		result = advanced_rrsearch(&chase_sigdsrdataset,
+					   &chase_signame,
+					   dns_rdatatype_rrsig,
+					   dns_rdatatype_ds, &true);
+		if (result == ISC_R_FAILURE) {
+			printf(";; WARNING : NO RRSIG DS : RRSIG DS"
+			       " should come with DS\n");
+			/*
+			 * We continue even the DS couldn't be validated,
+			 * because the DNSKEY could be a Trusted Key.
+			 */
+			chase_dsrdataset = NULL;
+		}
+		else {
+			printf("\n;; RRSIG of the DSset of the DNSKEYset\n");
+			print_rdataset(&chase_signame, chase_sigdsrdataset,
+				       mctx);
+		}
+	}
+	return(1);
+}
+
+
+
+void
+sigchase_bu(dns_message_t *msg)
+{
+	isc_result_t result;
+	int ret;
+
+	if (tk_list.nb_tk == 0) {
+		result = get_trusted_key(mctx);
+		if (result != ISC_R_SUCCESS) {
+			printf("No trusted keys present\n");
+			return;
+		}
+	}
+
+  
+	ret = getneededrr(msg);
+	if (ret == ISC_R_NOTFOUND)
+		return;
+
+	if (ret == ISC_R_ADDRNOTAVAIL) {
+		/* We have no response */
+		dns_rdataset_t * rdataset;
+		dns_rdataset_t * sigrdataset;
+		dns_name_t       rdata_name;
+		dns_name_t       query_name;
+
+
+		nameFromString(current_lookup->textname, &query_name);
+   
+		result = prove_nx(msg, &query_name, current_lookup->rdclass,
+				  current_lookup->rdtype, &rdata_name,
+				  &rdataset, &sigrdataset);
+		dns_name_free(&query_name, mctx);
+		if (&rdata_name == NULL || rdataset == NULL ||
+		    sigrdataset == NULL) {
+			printf("\n;; Impossible to verify the Non-existence,"
+			       " the NSEC RRset can't be validated: "
+			       "FAILED\n\n");
+			clean_trustedkey();
+			return;
+		}
+
+		if (result != ISC_R_SUCCESS) {
+			printf("\n No Answers and impossible to prove the"
+			       " unsecurity : Validation FAILED\n\n");
+			clean_trustedkey();
+			return;
+		}
+		printf(";; An NSEC prove the non-existence of a answers,"
+		       " Now we want validate this NSEC\n");
+	
+		dup_name(&rdata_name, &chase_name, mctx);
+		dns_name_free(&rdata_name, mctx);
+		chase_rdataset =  rdataset;
+		chase_sigrdataset = sigrdataset;
+		chase_keyrdataset = NULL;
+		chase_sigkeyrdataset = NULL;
+		chase_dsrdataset = NULL;
+		chase_sigdsrdataset = NULL;
+		chase_siglookedup = ISC_FALSE;
+		chase_keylookedup = ISC_FALSE;
+		chase_dslookedup = ISC_FALSE;
+		chase_sigdslookedup = ISC_FALSE;
+		sigchase(msg);
+		clean_trustedkey();
+		return;
+	}
+  
+
+	printf("\n\n\n;; WE HAVE MATERIAL, WE NOW DO VALIDATION\n");
+
+	result = sigchase_verify_sig(&chase_name, chase_rdataset,
+				     chase_keyrdataset,
+				     chase_sigrdataset, mctx);
+	if (result != ISC_R_SUCCESS) {
+		dns_name_free(&chase_name, mctx);
+		dns_name_free(&chase_signame, mctx);
+		printf(";; No DNSKEY is valid to check the RRSIG"
+		       " of the RRset: FAILED\n");
+		clean_trustedkey();
+		return;
+	}
+	printf(";; OK We found DNSKEY (or more) to validate the RRset\n");
+
+	result = contains_trusted_key(&chase_signame, chase_keyrdataset,
+				      chase_sigkeyrdataset, mctx);
+	if (result ==  ISC_R_SUCCESS) {
+		dns_name_free(&chase_name, mctx);
+		dns_name_free(&chase_signame, mctx);
+		printf("\n;; Ok this DNSKEY is a Trusted Key,"
+		       " DNSSEC validation is ok: SUCCESS\n\n");
+		clean_trustedkey();
+		return;
+	}
+
+	printf(";; Now, we are going to validate this DNSKEY by the DS\n");
+
+	if (chase_dsrdataset == NULL) {
+		dns_name_free(&chase_name, mctx);
+		dns_name_free(&chase_signame, mctx);
+		printf(";; the DNSKEY isn't trusted-key and there isn't"
+		       " DS to validate the DNSKEY: FAILED\n");
+		clean_trustedkey();
+		return;
+	}
+
+	result =  sigchase_verify_ds(&chase_signame, chase_keyrdataset,
+				     chase_dsrdataset, mctx);
+	if (result !=  ISC_R_SUCCESS) {
+		dns_name_free(&chase_signame, mctx);
+		dns_name_free(&chase_name, mctx);
+		printf(";; ERROR no DS validates a DNSKEY in the"
+		       " DNSKEY RRset: FAILED\n");
+		clean_trustedkey();
+		return;
+	} 
+	else
+		printf(";; OK this DNSKEY (validated by the DS) validates"
+		       " the RRset of the DNSKEYs, thus the DNSKEY validates"
+		       " the RRset\n");
+	INSIST(chase_sigdsrdataset != NULL);
+
+	dns_name_free(&chase_name, mctx);
+	dup_name(&chase_signame, &chase_name, mctx);
+	dns_name_free(&chase_signame, mctx);
+	chase_rdataset = chase_dsrdataset;
+	chase_sigrdataset = chase_sigdsrdataset;
+	chase_keyrdataset = NULL;
+	chase_sigkeyrdataset = NULL;
+	chase_dsrdataset = NULL;
+	chase_sigdsrdataset = NULL;
+	chase_siglookedup = chase_keylookedup = ISC_FALSE;
+	chase_dslookedup = chase_sigdslookedup = ISC_FALSE;
+ 
+	printf(";; Now, we want to validate the DS :  recursive call\n");
+	sigchase(msg);
+	return;
+}
+#endif
+
+void
+sigchase(dns_message_t * msg)
+{
+#if DIG_SIGCHASE_TD
+	if (current_lookup->do_topdown) {
+		sigchase_td(msg);
+		return;
+	}
+#endif
+#if DIG_SIGCHASE_BU
+	sigchase_bu(msg);
+	return;
+#endif
+}
+
+
+/*
+ * return 1  if name1  <  name2
+ *        0  if name1  == name2
+ *        -1 if name1  >  name2
+ *    and -2 if problem
+ */
+int
+inf_name(dns_name_t * name1, dns_name_t * name2)
+{
+	dns_label_t  label1;
+	dns_label_t  label2;
+	unsigned int nblabel1;
+	unsigned int nblabel2;
+	int min_lum_label;
+	int i;
+	int ret = -2;
+
+	nblabel1 = dns_name_countlabels(name1);
+	nblabel2 = dns_name_countlabels(name2);
+
+	if (nblabel1 >= nblabel2)
+		min_lum_label = nblabel2;
+	else
+		min_lum_label = nblabel1;
+
+
+	for (i=1 ; i < min_lum_label; i++) {
+		dns_name_getlabel(name1, nblabel1 -1  - i, &label1);
+		dns_name_getlabel(name2, nblabel2 -1  - i, &label2);
+		if ((ret = isc_region_compare(&label1, &label2)) != 0) {
+			if (ret <0 )
+				return -1;
+			else if (ret >0 )
+				return 1;
+		}
+	}
+	if (nblabel1 == nblabel2)
+		return 0;
+
+	if (nblabel1 < nblabel2)
+		return -1;
+	else
+		return 1;
+}
+
+/**
+ *
+ *
+ *
+ */
+isc_result_t
+prove_nx_domain(dns_message_t *msg,
+		dns_name_t *name,
+		dns_name_t *rdata_name,
+		dns_rdataset_t ** rdataset,
+		dns_rdataset_t **sigrdataset)
+{
+	isc_result_t      ret = ISC_R_FAILURE;
+	isc_result_t      result = ISC_R_NOTFOUND;
+	dns_rdataset_t  * nsecset = NULL;
+	dns_rdataset_t  * signsecset = NULL ;
+	dns_rdata_t       nsec = DNS_RDATA_INIT;
+	dns_name_t      * nsecname = NULL;
+	dns_rdata_nsec_t  nsecstruct;
+  
+	if ((result = dns_message_firstname(msg, DNS_SECTION_AUTHORITY))
+	    != ISC_R_SUCCESS) {
+		printf(";; nothing in authority section : impossible to"
+		       " validate the non-existence : FAILED\n");
+		return(ISC_R_FAILURE);
+	}
+ 
+	do {
+		dns_message_currentname(msg, DNS_SECTION_AUTHORITY, &nsecname);
+		nsecset = search_type(nsecname, dns_rdatatype_nsec,
+				      dns_rdatatype_any);
+		if (nsecset == NULL)
+			continue;
+
+		printf("There is a NSEC for this zone in the"
+		       " AUTHORITY section:\n");
+		print_rdataset(nsecname, nsecset, mctx);
+
+		for (result = dns_rdataset_first(nsecset);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdataset_next(nsecset)) {
+			dns_rdataset_current(nsecset, &nsec);
+
+
+			signsecset
+				= chase_scanname_section(msg, nsecname,
+						 dns_rdatatype_rrsig,
+						 dns_rdatatype_nsec,
+						 DNS_SECTION_AUTHORITY);
+			if (signsecset == NULL) {
+				printf(";; no RRSIG NSEC in authority section:"
+				       " impossible to validate the "
+				       "non-existence: FAILED\n");
+				return(ISC_R_FAILURE);
+			}
+
+			ret = dns_rdata_tostruct(&nsec, &nsecstruct, NULL);
+			check_result(ret,"dns_rdata_tostruct");
+
+			if ((inf_name(nsecname, &nsecstruct.next) == 1 &&
+			     inf_name(name, &nsecstruct.next) == 1) ||
+			    (inf_name(name, nsecname) == 1 &&
+			     inf_name(&nsecstruct.next, name) == 1)) {
+				dns_rdata_freestruct(&nsecstruct);
+				*rdataset = nsecset;
+				*sigrdataset = signsecset;
+				dup_name(nsecname, rdata_name, mctx);
+		
+				return ISC_R_SUCCESS;
+			}
+
+			dns_rdata_freestruct(&nsecstruct);
+		}
+		nsecname = NULL;
+	} while (dns_message_nextname(msg, DNS_SECTION_AUTHORITY)
+		 == ISC_R_SUCCESS);
+
+	*rdataset = NULL;
+	*sigrdataset =  NULL;
+	rdata_name = NULL;
+	return(ISC_R_FAILURE);
+}
+
+/**
+ *
+ *
+ *
+ *
+ *
+ */
+isc_result_t
+prove_nx_type(dns_message_t * msg,
+	      dns_name_t *name,
+	      dns_rdataset_t *nsecset,
+	      dns_rdataclass_t class,
+	      dns_rdatatype_t type,
+	      dns_name_t * rdata_name,
+	      dns_rdataset_t ** rdataset,
+	      dns_rdataset_t ** sigrdataset)
+{
+	isc_result_t       ret;
+	dns_rdataset_t   * signsecset;
+	dns_rdata_t        nsec = DNS_RDATA_INIT;
+
+	UNUSED(class);
+	UNUSED(rdata_name);
+  
+	ret = dns_rdataset_first(nsecset);
+	check_result(ret,"dns_rdataset_first");
+	
+	dns_rdataset_current(nsecset, &nsec);
+  
+	ret = dns_nsec_typepresent(&nsec, type);
+	if (ret == ISC_R_SUCCESS)
+		printf("OK the NSEC said that the type doesn't exist \n");
+
+	signsecset = chase_scanname_section(msg, name,
+					    dns_rdatatype_rrsig,
+					    dns_rdatatype_nsec,
+					    DNS_SECTION_AUTHORITY);
+	if (signsecset == NULL) {
+		printf("There isn't RRSIG NSEC for the zone \n");
+		return ISC_R_FAILURE;
+	}
+	*rdataset = nsecset;
+	*sigrdataset = signsecset;
+
+	return (ret);
+}
+
+/**
+ *
+ *
+ *
+ *
+ */
+isc_result_t
+prove_nx(dns_message_t * msg,
+	 dns_name_t * name,
+	 dns_rdataclass_t class,
+	 dns_rdatatype_t type,
+	 dns_name_t * rdata_name,
+	 dns_rdataset_t ** rdataset,
+	 dns_rdataset_t ** sigrdataset)
+{
+	isc_result_t ret;
+	dns_rdataset_t * nsecset = NULL;
+  
+
+	printf("We want to prove the non-existance of a type of rdata %d"
+	       " or of the zone: \n", type);
+
+	if ((ret = dns_message_firstname(msg, DNS_SECTION_AUTHORITY))
+	    != ISC_R_SUCCESS) {
+		printf(";; nothing in authority section : impossible to"
+		       " validate the non-existence : FAILED\n");
+		return(ISC_R_FAILURE);
+	}
+
+	nsecset = chase_scanname_section(msg, name, dns_rdatatype_nsec,
+					 dns_rdatatype_any,
+					 DNS_SECTION_AUTHORITY);
+	if (nsecset != NULL) {
+		printf("We have a NSEC for this zone :OK\n");
+		ret = prove_nx_type(msg, name, nsecset, class,
+				    type, rdata_name, rdataset,
+				    sigrdataset);
+		if (ret != ISC_R_SUCCESS) {
+			printf("prove_nx: ERROR type exist\n");
+			return(ret);
+		} else {
+			printf("prove_nx: OK type does not exist\n");
+			return(ISC_R_SUCCESS);
+		}
+	} else {
+		printf("there is no NSEC for this zone: validating "
+		       "that the zone doesn't exist\n");
+		ret = prove_nx_domain(msg, name, rdata_name,
+				      rdataset, sigrdataset);
+		return(ret);
+	}
+	/* Never get here */ 
+}
+#endif
diff --git a/bin/dig/host.1 b/bin/dig/host.1
index 556573fe..c93ab184 100644
--- a/bin/dig/host.1
+++ b/bin/dig/host.1
@@ -1,172 +1,132 @@
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000-2003 Internet Software Consortium.
-.\" 
+.\" Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000-2002  Internet Software Consortium.
+.\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
 .\" copyright notice and this permission notice appear in all copies.
-.\" 
+.\"
 .\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 .\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 .\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 .\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: host.1,v 1.11.2.9 2007/05/09 03:32:21 marka Exp $
-.\"
-.hy 0
-.ad l
-.\"     Title: host
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: Jun 30, 2000
-.\"    Manual: BIND9
-.\"    Source: BIND9
+.\" $Id: host.1,v 1.11.2.1.4.4 2004/04/13 04:11:03 marka Exp $
 .\"
-.TH "HOST" "1" "Jun 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
+.TH "HOST" "1" "Jun 30, 2000" "BIND9" ""
+.SH NAME
 host \- DNS lookup utility
-.SH "SYNOPSIS"
-.HP 5
-\fBhost\fR [\fB\-aCdlnrTwv\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-N\ \fR\fB\fIndots\fR\fR] [\fB\-R\ \fR\fB\fInumber\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-W\ \fR\fB\fIwait\fR\fR] {name} [server]
+.SH SYNOPSIS
+.sp
+\fBhost\fR [ \fB-aCdlnrTwv\fR ]  [ \fB-c \fIclass\fB\fR ]  [ \fB-N \fIndots\fB\fR ]  [ \fB-R \fInumber\fB\fR ]  [ \fB-t \fItype\fB\fR ]  [ \fB-W \fIwait\fB\fR ]  [ \fB-4\fR ]  [ \fB-6\fR ]  \fBname\fR [ \fBserver\fR ] 
 .SH "DESCRIPTION"
 .PP
 \fBhost\fR
-is a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa. When no arguments or options are given,
+is a simple utility for performing DNS lookups.
+It is normally used to convert names to IP addresses and vice versa.
+When no arguments or options are given,
 \fBhost\fR
 prints a short summary of its command line arguments and options.
 .PP
-\fIname\fR
-is the domain name that is to be looked up. It can also be a dotted\-decimal IPv4 address or a colon\-delimited IPv6 address, in which case
-\fBhost\fR
-will by default perform a reverse lookup for that address.
-\fIserver\fR
-is an optional argument which is either the name or IP address of the name server that
-\fBhost\fR
+\fIname\fR is the domain name that is to be looked
+up. It can also be a dotted-decimal IPv4 address or a colon-delimited
+IPv6 address, in which case \fBhost\fR will by default
+perform a reverse lookup for that address.
+\fIserver\fR is an optional argument which is either
+the name or IP address of the name server that \fBhost\fR
 should query instead of the server or servers listed in
 \fI/etc/resolv.conf\fR.
 .PP
-The
-\fB\-a\fR
-(all) option is equivalent to setting the
-\fB\-v\fR
-option and asking
-\fBhost\fR
-to make a query of type ANY.
+The \fB-a\fR (all) option is equivalent to setting the
+\fB-v\fR option and asking \fBhost\fR to make
+a query of type ANY.
 .PP
-When the
-\fB\-C\fR
-option is used,
-\fBhost\fR
+When the \fB-C\fR option is used, \fBhost\fR
 will attempt to display the SOA records for zone
-\fIname\fR
-from all the listed authoritative name servers for that zone. The list of name servers is defined by the NS records that are found for the zone.
-.PP
-The
-\fB\-c\fR
-option instructs to make a DNS query of class
-\fIclass\fR. This can be used to lookup Hesiod or Chaosnet class resource records. The default class is IN (Internet).
-.PP
-Verbose output is generated by
-\fBhost\fR
-when the
-\fB\-d\fR
-or
-\fB\-v\fR
-option is used. The two options are equivalent. They have been provided for backwards compatibility. In previous versions, the
-\fB\-d\fR
-option switched on debugging traces and
-\fB\-v\fR
-enabled verbose output.
-.PP
-List mode is selected by the
-\fB\-l\fR
-option. This makes
-\fBhost\fR
-perform a zone transfer for zone
-\fIname\fR. The argument is provided for compatibility with older implementations. This option is equivalent to making a query of type AXFR.
-.PP
-The
-\fB\-n\fR
-option specifies that reverse lookups of IPv6 addresses should use the IP6.INT domain and "nibble" labels as defined in RFC1886. The default is to use IP6.ARPA and binary labels as defined in RFC2874.
-.PP
-The
-\fB\-N\fR
-option sets the number of dots that have to be in
-\fIname\fR
-for it to be considered absolute. The default value is that defined using the ndots statement in
-\fI/etc/resolv.conf\fR, or 1 if no ndots statement is present. Names with fewer dots are interpreted as relative names and will be searched for in the domains listed in the
-\fBsearch\fR
-or
-\fBdomain\fR
-directive in
+\fIname\fR from all the listed authoritative name
+servers for that zone. The list of name servers is defined by the NS
+records that are found for the zone.
+.PP
+The \fB-c\fR option instructs to make a DNS query of class
+\fIclass\fR. This can be used to lookup Hesiod or
+Chaosnet class resource records. The default class is IN (Internet).
+.PP
+Verbose output is generated by \fBhost\fR when the
+\fB-d\fR or \fB-v\fR option is used. The two
+options are equivalent. They have been provided for backwards
+compatibility. In previous versions, the \fB-d\fR option
+switched on debugging traces and \fB-v\fR enabled verbose
+output.
+.PP
+List mode is selected by the \fB-l\fR option. This makes
+\fBhost\fR perform a zone transfer for zone
+\fIname\fR. Transfer the zone printing out the NS, PTR
+and address records (A/AAAA). If combined with \fB-a\fR
+all records will be printed. 
+.PP
+The \fB-i\fR
+option specifies that reverse lookups of IPv6 addresses should
+use the IP6.INT domain as defined in RFC1886.
+The default is to use IP6.ARPA.
+.PP
+The \fB-N\fR option sets the number of dots that have to be
+in \fIname\fR for it to be considered absolute. The
+default value is that defined using the ndots statement in
+\fI/etc/resolv.conf\fR, or 1 if no ndots statement is
+present. Names with fewer dots are interpreted as relative names and
+will be searched for in the domains listed in the \fBsearch\fR
+or \fBdomain\fR directive in
 \fI/etc/resolv.conf\fR.
 .PP
 The number of UDP retries for a lookup can be changed with the
-\fB\-R\fR
-option.
-\fInumber\fR
-indicates how many times
-\fBhost\fR
-will repeat a query that does not get answered. The default number of retries is 1. If
-\fInumber\fR
-is negative or zero, the number of retries will default to 1.
-.PP
-Non\-recursive queries can be made via the
-\fB\-r\fR
-option. Setting this option clears the
-\fBRD\fR
-\(em recursion desired \(em bit in the query which
-\fBhost\fR
-makes. This should mean that the name server receiving the query will not attempt to resolve
-\fIname\fR. The
-\fB\-r\fR
-option enables
-\fBhost\fR
-to mimic the behavior of a name server by making non\-recursive queries and expecting to receive answers to those queries that are usually referrals to other name servers.
-.PP
-By default
-\fBhost\fR
-uses UDP when making queries. The
-\fB\-T\fR
-option makes it use a TCP connection when querying the name server. TCP will be automatically selected for queries that require it, such as zone transfer (AXFR) requests.
-.PP
-The
-\fB\-t\fR
-option is used to select the query type.
-\fItype\fR
-can be any recognized query type: CNAME, NS, SOA, SIG, KEY, AXFR, etc. When no query type is specified,
-\fBhost\fR
-automatically selects an appropriate query type. By default it looks for A records, but if the
-\fB\-C\fR
-option was given, queries will be made for SOA records, and if
-\fIname\fR
-is a dotted\-decimal IPv4 address or colon\-delimited IPv6 address,
-\fBhost\fR
-will query for PTR records.
+\fB-R\fR option. \fInumber\fR indicates
+how many times \fBhost\fR will repeat a query that does
+not get answered. The default number of retries is 1. If
+\fInumber\fR is negative or zero, the number of
+retries will default to 1.
+.PP
+Non-recursive queries can be made via the \fB-r\fR option.
+Setting this option clears the \fBRD\fR \(em recursion
+desired \(em bit in the query which \fBhost\fR makes.
+This should mean that the name server receiving the query will not
+attempt to resolve \fIname\fR. The
+\fB-r\fR option enables \fBhost\fR to mimic
+the behaviour of a name server by making non-recursive queries and
+expecting to receive answers to those queries that are usually
+referrals to other name servers.
+.PP
+By default \fBhost\fR uses UDP when making queries. The
+\fB-T\fR option makes it use a TCP connection when querying
+the name server. TCP will be automatically selected for queries that
+require it, such as zone transfer (AXFR) requests.
+.PP
+The \fB-4\fR option forces \fBhost\fR to only
+use IPv4 query transport. The \fB-6\fR option forces
+\fBhost\fR to only use IPv6 query transport.
+.PP
+The \fB-t\fR option is used to select the query type.
+\fItype\fR can be any recognised query type: CNAME,
+NS, SOA, SIG, KEY, AXFR, etc. When no query type is specified,
+\fBhost\fR automatically selects an appropriate query
+type. By default it looks for A records, but if the
+\fB-C\fR option was given, queries will be made for SOA
+records, and if \fIname\fR is a dotted-decimal IPv4
+address or colon-delimited IPv6 address, \fBhost\fR will
+query for PTR records. If a query type of IXFR is chosen the starting
+serial number can be specified by appending an equal followed by the
+starting serial number (e.g. -t IXFR=12345678).
 .PP
 The time to wait for a reply can be controlled through the
-\fB\-W\fR
-and
-\fB\-w\fR
-options. The
-\fB\-W\fR
-option makes
-\fBhost\fR
-wait for
-\fIwait\fR
-seconds. If
-\fIwait\fR
+\fB-W\fR and \fB-w\fR options. The
+\fB-W\fR option makes \fBhost\fR wait for
+\fIwait\fR seconds. If \fIwait\fR
 is less than one, the wait interval is set to one second. When the
-\fB\-w\fR
-option is used,
-\fBhost\fR
-will effectively wait forever for a reply. The time to wait for a response will be set to the number of seconds given by the hardware's maximum value for an integer quantity.
+\fB-w\fR option is used, \fBhost\fR will
+effectively wait forever for a reply. The time to wait for a response
+will be set to the number of seconds given by the hardware's maximum
+value for an integer quantity.
 .SH "FILES"
 .PP
 \fI/etc/resolv.conf\fR
@@ -174,8 +134,3 @@ will effectively wait forever for a reply. The time to wait for a response will
 .PP
 \fBdig\fR(1),
 \fBnamed\fR(8).
-.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000\-2003 Internet Software Consortium.
-.br
diff --git a/bin/dig/host.c b/bin/dig/host.c
index c61da3e9..53d78128 100644
--- a/bin/dig/host.c
+++ b/bin/dig/host.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,18 +15,19 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: host.c,v 1.76.2.12 2007/04/24 23:45:24 tbox Exp $ */
+/* $Id: host.c,v 1.76.2.5.2.9 2004/04/13 03:00:06 marka Exp $ */
 
 #include <config.h>
-#include <stdlib.h>
 #include <limits.h>
 
 #include <isc/app.h>
 #include <isc/commandline.h>
 #include <isc/netaddr.h>
+#include <isc/print.h>
 #include <isc/string.h>
 #include <isc/util.h>
 #include <isc/task.h>
+#include <isc/stdlib.h>
 
 #include <dns/byaddr.h>
 #include <dns/fixedname.h>
@@ -39,7 +40,24 @@
 
 #include <dig/dig.h>
 
+extern ISC_LIST(dig_lookup_t) lookup_list;
+extern dig_serverlist_t server_list;
+extern ISC_LIST(dig_searchlist_t) search_list;
+
+extern isc_boolean_t have_ipv4, have_ipv6;
+extern isc_boolean_t usesearch;
+extern isc_boolean_t debugging;
+extern unsigned int timeout;
+extern isc_mem_t *mctx;
+extern int ndots;
+extern int tries;
+extern char *progname;
+extern isc_task_t *global_task;
+extern int fatalexit;
+
 static isc_boolean_t short_form = ISC_TRUE, listed_server = ISC_FALSE;
+static isc_boolean_t default_lookups = ISC_TRUE;
+static int seen_error = -1;
 static isc_boolean_t list_addresses = ISC_TRUE;
 static dns_rdatatype_t list_type = dns_rdatatype_a;
 
@@ -82,123 +100,40 @@ static const char *rcodetext[] = {
 	"BADVERS"
 };
 
-static const char *rtypetext[] = {
-	"zero",				/* 0 */
-	"has address",			/* 1 */
-	"name server",			/* 2 */
-	"MD",				/* 3 */
-	"MF",				/* 4 */
-	"is an alias for",		/* 5 */
-	"SOA",				/* 6 */
-	"MB",				/* 7 */
-	"MG",				/* 8 */
-	"MR",				/* 9 */
-	"NULL",				/* 10 */
-	"has well known services",	/* 11 */
-	"domain name pointer",		/* 12 */
-	"host information",		/* 13 */
-	"MINFO",			/* 14 */
-	"mail is handled by",	       	/* 15 */
-	"text",				/* 16 */
-	"RP",				/* 17 */
-	"AFSDB",			/* 18 */
-	"x25 address",			/* 19 */
-	"isdn address",			/* 20 */
-	"RT",				/* 21 */
-	"NSAP",				/* 22 */
-	"NSAP_PTR",			/* 23 */
-	"has signature",		/* 24 */
-	"has key",			/* 25 */
-	"PX",				/* 26 */
-	"GPOS",				/* 27 */
-	"has AAAA address",		/* 28 */
-	"LOC",				/* 29 */
-	"has next record",		/* 30 */
-	"EID",				/* 31 */
-	"NIMLOC",			/* 32 */
-	"SRV",				/* 33 */
-	"ATMA",				/* 34 */
-	"NAPTR",			/* 35 */
-	"KX",				/* 36 */
-	"CERT",				/* 37 */
-	"has v6 address",		/* 38 */
-	"DNAME",			/* 39 */
-	"has optional information",	/* 41 */
-	"has 42 record",       		/* 42 */
-	"has 43 record",       		/* 43 */
-	"has 44 record",       		/* 44 */
-	"has 45 record",       		/* 45 */
-	"has 46 record",       		/* 46 */
-	"has 47 record",       		/* 47 */
-	"has 48 record",       		/* 48 */
-	"has 49 record",       		/* 49 */
-	"has 50 record",       		/* 50 */
-	"has 51 record",       		/* 51 */
-	"has 52 record",       		/* 52 */
-	"has 53 record",       		/* 53 */
-	"has 54 record",       		/* 54 */
-	"has 55 record",       		/* 55 */
-	"has 56 record",       		/* 56 */
-	"has 57 record",       		/* 57 */
-	"has 58 record",       		/* 58 */
-	"has 59 record",       		/* 59 */
-	"has 60 record",       		/* 60 */
-	"has 61 record",       		/* 61 */
-	"has 62 record",       		/* 62 */
-	"has 63 record",       		/* 63 */
-	"has 64 record",       		/* 64 */
-	"has 65 record",       		/* 65 */
-	"has 66 record",       		/* 66 */
-	"has 67 record",       		/* 67 */
-	"has 68 record",       		/* 68 */
-	"has 69 record",       		/* 69 */
-	"has 70 record",       		/* 70 */
-	"has 71 record",       		/* 71 */
-	"has 72 record",       		/* 72 */
-	"has 73 record",       		/* 73 */
-	"has 74 record",       		/* 74 */
-	"has 75 record",       		/* 75 */
-	"has 76 record",       		/* 76 */
-	"has 77 record",       		/* 77 */
-	"has 78 record",       		/* 78 */
-	"has 79 record",       		/* 79 */
-	"has 80 record",       		/* 80 */
-	"has 81 record",       		/* 81 */
-	"has 82 record",       		/* 82 */
-	"has 83 record",       		/* 83 */
-	"has 84 record",       		/* 84 */
-	"has 85 record",       		/* 85 */
-	"has 86 record",       		/* 86 */
-	"has 87 record",       		/* 87 */
-	"has 88 record",       		/* 88 */
-	"has 89 record",       		/* 89 */
-	"has 90 record",       		/* 90 */
-	"has 91 record",       		/* 91 */
-	"has 92 record",       		/* 92 */
-	"has 93 record",       		/* 93 */
-	"has 94 record",       		/* 94 */
-	"has 95 record",       		/* 95 */
-	"has 96 record",       		/* 96 */
-	"has 97 record",       		/* 97 */
-	"has 98 record",       		/* 98 */
-	"has 99 record",       		/* 99 */
-	"UINFO",			/* 100 */
-	"UID",				/* 101 */
-	"GID",				/* 102 */
-	"UNSPEC"};			/* 103 */
+struct rtype {
+	unsigned int type;
+	const char *text;
+};
 
+struct rtype rtypes[] = {
+	{ 1, 	"has address" },
+	{ 2, 	"name server" },
+	{ 5, 	"is an alias for" },
+	{ 11,	"has well known services" },
+	{ 12,	"domain name pointer" },
+	{ 13,	"host information" },
+	{ 15,	"mail is handled by" },
+	{ 16,	"descriptive text" },
+	{ 19,	"x25 address" },
+	{ 20,	"ISDN address" },
+	{ 24,	"has signature" },
+	{ 25,	"has key" },
+	{ 28,	"has IPv6 address" },
+	{ 29,	"location" },
+	{ 0, NULL }
+};
 
 static void
 show_usage(void) {
 	fputs(
-"Usage: host [-aCdlrTwv] [-c class] [-n] [-N ndots] [-t type] [-W time]\n"
+"Usage: host [-aCdlriTwv] [-c class] [-N ndots] [-t type] [-W time]\n"
 "            [-R number] hostname [server]\n"
-"       -a is equivalent to -v -t ANY\n"
+"       -a is equivalent to -v -t *\n"
 "       -c specifies query class for non-IN data\n"
 "       -C compares SOA records on authoritative nameservers\n"
 "       -d is equivalent to -v\n"
 "       -l lists all hosts in a domain, using AXFR\n"
-"       -i Use the old IN6.INT form of IPv6 reverse lookup\n"
+"       -i IP6.INT reverse lookups\n"
 "       -N changes the number of dots allowed before root lookup is done\n"
 "       -r disables recursive processing\n"
 "       -R specifies number of retries for UDP packets\n"
@@ -206,7 +141,9 @@ show_usage(void) {
 "       -T enables TCP/IP mode\n"
 "       -v enables verbose output\n"
 "       -w specifies to wait forever for a reply\n"
-"       -W specifies how long to wait for a reply\n", stderr);
+"       -W specifies how long to wait for a reply\n"
+"       -4 use IPv4 query transport only\n"
+"       -6 use IPv6 query transport only\n", stderr);
 	exit(1);
 }
 
@@ -216,17 +153,14 @@ dighost_shutdown(void) {
 }
 
 void
-received(int bytes, isc_sockaddr_t *from, dig_query_t *query)
-{
+received(int bytes, isc_sockaddr_t *from, dig_query_t *query) {
 	isc_time_t now;
-	isc_result_t result;
 	int diff;
 
 	if (!short_form) {
 		char fromtext[ISC_SOCKADDR_FORMATSIZE];
 		isc_sockaddr_format(from, fromtext, sizeof(fromtext));
-		result = isc_time_now(&now);
-		check_result(result, "isc_time_now");
+		TIME_NOW(&now);
 		diff = (int) isc_time_microdiff(&now, &query->time_sent);
 		printf("Received %u bytes from %s in %d ms\n",
 		       bytes, fromtext, diff/1000);
@@ -275,8 +209,18 @@ say_message(dns_name_t *name, const char *msg, dns_rdata_t *rdata,
 	printf("\n");
 	isc_buffer_free(&b);
 }
-
-
+#ifdef DIG_SIGCHASE
+/* Just for compatibility : not use in host program */
+isc_result_t
+printrdataset(dns_name_t *owner_name, dns_rdataset_t *rdataset,
+	      isc_buffer_t *target)
+{
+  UNUSED(owner_name);
+  UNUSED(rdataset);
+  UNUSED(target);
+  return(ISC_FALSE);
+}
+#endif
 static isc_result_t
 printsection(dns_message_t *msg, dns_section_t sectionid,
 	     const char *section_name, isc_boolean_t headers,
@@ -292,7 +236,6 @@ printsection(dns_message_t *msg, dns_section_t sectionid,
 	char t[4096];
 	isc_boolean_t first;
 	isc_boolean_t no_rdata;
-	const char *rtt;
 
 	if (sectionid == DNS_SECTION_QUESTION)
 		no_rdata = ISC_TRUE;
@@ -350,15 +293,27 @@ printsection(dns_message_t *msg, dns_section_t sectionid,
 			} else {
 				loopresult = dns_rdataset_first(rdataset);
 				while (loopresult == ISC_R_SUCCESS) {
+					struct rtype *t;
+					const char *rtt;
+					char typebuf[DNS_RDATATYPE_FORMATSIZE];
+					char typebuf2[DNS_RDATATYPE_FORMATSIZE
+						     + 20];
 					dns_rdataset_current(rdataset, &rdata);
-					if (rdata.type <= 103)
-						rtt = rtypetext[rdata.type];
-					else if (rdata.type == 249)
-						rtt = "key";
-					else if (rdata.type == 250)
-						rtt = "signature";
-					else
-						rtt = "unknown";
+
+					for (t = rtypes; t->text != NULL; t++) {
+						if (t->type == rdata.type) {
+							rtt = t->text;
+							goto found;
+						}
+					}
+
+					dns_rdatatype_format(rdata.type,
+							     typebuf,
+							     sizeof(typebuf));
+					snprintf(typebuf2, sizeof(typebuf2),
+						 "has %s record", typebuf);
+					rtt = typebuf2;
+				found:
 					say_message(print_name, rtt,
 						    &rdata, query);
 					dns_rdata_reset(&rdata);
@@ -417,14 +372,21 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
 	dns_rdataset_t *opt, *tsig = NULL;
 	dns_name_t *tsigname;
 	isc_result_t result = ISC_R_SUCCESS;
+	int force_error;
 
 	UNUSED(headers);
 
+	/*
+	 * We get called multiple times.
+	 * Preserve any existing error status.
+	 */
+	force_error = (seen_error == 1) ? 1 : 0;
+	seen_error = 1;
 	if (listed_server) {
 		char sockstr[ISC_SOCKADDR_FORMATSIZE];
 
 		printf("Using domain server:\n");
-		printf("Name: %s\n", query->userarg);
+		printf("Name: %s\n", query->servname);
 		isc_sockaddr_format(&query->sockaddr, sockstr,
 				    sizeof(sockstr));
 		printf("Address: %s\n", sockstr);
@@ -434,12 +396,42 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
 	if (msg->rcode != 0) {
 		char namestr[DNS_NAME_FORMATSIZE];
 		dns_name_format(query->lookup->name, namestr, sizeof(namestr));
-		printf("Host %s not found: %d(%s)\n",
-		       (msg->rcode != dns_rcode_nxdomain) ? namestr :
-		       query->lookup->textname, msg->rcode,
-		       rcodetext[msg->rcode]);
+		printf("Host %s not found: %d(%s)\n", namestr,
+		       msg->rcode, rcodetext[msg->rcode]);
 		return (ISC_R_SUCCESS);
 	}
+
+	if (default_lookups && query->lookup->rdtype == dns_rdatatype_a) {
+		char namestr[DNS_NAME_FORMATSIZE];
+		dig_lookup_t *lookup;
+
+		/* Add AAAA and MX lookups. */
+
+		dns_name_format(query->lookup->name, namestr, sizeof(namestr));
+		lookup = clone_lookup(query->lookup, ISC_FALSE);
+		if (lookup != NULL) {
+			strncpy(lookup->textname, namestr,
+				sizeof(lookup->textname));
+			lookup->textname[sizeof(lookup->textname)-1] = 0;
+			lookup->rdtype = dns_rdatatype_aaaa;
+                        lookup->rdtypeset = ISC_TRUE;
+			lookup->origin = NULL;
+			lookup->retries = tries;
+			ISC_LIST_APPEND(lookup_list, lookup, link);
+		}
+		lookup = clone_lookup(query->lookup, ISC_FALSE);
+		if (lookup != NULL) {
+			strncpy(lookup->textname, namestr,
+				sizeof(lookup->textname));
+			lookup->textname[sizeof(lookup->textname)-1] = 0;
+			lookup->rdtype = dns_rdatatype_mx;
+                        lookup->rdtypeset = ISC_TRUE;
+			lookup->origin = NULL;
+			lookup->retries = tries;
+			ISC_LIST_APPEND(lookup_list, lookup, link);
+		}
+	}
+
 	if (!short_form) {
 		printf(";; ->>HEADER<<- opcode: %s, status: %s, id: %u\n",
 		       opcodetext[msg->opcode], rcodetext[msg->rcode],
@@ -532,6 +524,16 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
 	if (!short_form)
 		printf("\n");
 
+	if (short_form && !default_lookups &&
+	    ISC_LIST_EMPTY(msg->sections[DNS_SECTION_ANSWER])) {
+		char namestr[DNS_NAME_FORMATSIZE];
+		char typestr[DNS_RDATATYPE_FORMATSIZE];
+		dns_name_format(query->lookup->name, namestr, sizeof(namestr));
+		dns_rdatatype_format(query->lookup->rdtype, typestr,
+				     sizeof(typestr));
+		printf("%s has no %s record\n", namestr, typestr);
+	}
+	seen_error = force_error;
 	return (result);
 }
 
@@ -545,12 +547,13 @@ parse_args(isc_boolean_t is_batchfile, int argc, char **argv) {
 	isc_result_t result = ISC_R_SUCCESS;
 	dns_rdatatype_t rdtype;
 	dns_rdataclass_t rdclass;
+	isc_uint32_t serial = 0;
 
 	UNUSED(is_batchfile);
 
 	lookup = make_empty_lookup();
 
-	while ((c = isc_commandline_parse(argc, argv, "ilvwrdt:c:aTCN:R:W:Dn"))
+	while ((c = isc_commandline_parse(argc, argv, "lvwrdt:c:aTCN:R:W:Dni46"))
 	       != EOF) {
 		switch (c) {
 		case 'l':
@@ -567,24 +570,37 @@ parse_args(isc_boolean_t is_batchfile, int argc, char **argv) {
 			lookup->recurse = ISC_FALSE;
 			break;
 		case 't':
-			tr.base = isc_commandline_argument;
-			tr.length = strlen(isc_commandline_argument);
-			result = dns_rdatatype_fromtext(&rdtype,
+			if (strncasecmp(isc_commandline_argument,
+					"ixfr=", 5) == 0) {
+				rdtype = dns_rdatatype_ixfr;
+				/* XXXMPA add error checking */
+				serial = strtoul(isc_commandline_argument + 5,
+						 NULL, 10);
+				result = ISC_R_SUCCESS;
+			} else {
+				tr.base = isc_commandline_argument;
+				tr.length = strlen(isc_commandline_argument);
+				result = dns_rdatatype_fromtext(&rdtype,
 						   (isc_textregion_t *)&tr);
+			}
 
 			if (result != ISC_R_SUCCESS) {
 				fatalexit = 2;
 				fatal("invalid type: %s\n",
 				      isc_commandline_argument);
-			} 
+			}
 			if (!lookup->rdtypeset ||
 			    lookup->rdtype != dns_rdatatype_axfr)
 				lookup->rdtype = rdtype;
+			lookup->rdtypeset = ISC_TRUE;
 			if (rdtype == dns_rdatatype_axfr) {
 				/* -l -t any -v */
 				list_type = dns_rdatatype_any;
 				short_form = ISC_FALSE;
 				lookup->tcp_mode = ISC_TRUE;
+			} else if (rdtype == dns_rdatatype_ixfr) {
+				lookup->ixfr_serial = serial;
+				list_type = rdtype;
 			} else
 				list_type = rdtype;
 			list_addresses = ISC_FALSE;
@@ -603,6 +619,7 @@ parse_args(isc_boolean_t is_batchfile, int argc, char **argv) {
 				lookup->rdclass = rdclass;
 				lookup->rdclassset = ISC_TRUE;
 			}
+			default_lookups = ISC_FALSE;
 			break;
 		case 'a':
 			if (!lookup->rdtypeset ||
@@ -612,11 +629,13 @@ parse_args(isc_boolean_t is_batchfile, int argc, char **argv) {
 			list_addresses = ISC_FALSE;
 			lookup->rdtypeset = ISC_TRUE;
 			short_form = ISC_FALSE;
+			default_lookups = ISC_FALSE;
 			break;
 		case 'i':
 			lookup->ip6_int = ISC_TRUE;
 			break;
 		case 'n':
+			/* deprecated */
 			break;
 		case 'w':
 			/*
@@ -631,9 +650,9 @@ parse_args(isc_boolean_t is_batchfile, int argc, char **argv) {
 				timeout = 1;
 			break;
 		case 'R':
-			tries = atoi(isc_commandline_argument);
-			if (tries < 1)
-				tries = 1;
+			tries = atoi(isc_commandline_argument) + 1;
+			if (tries < 2)
+				tries = 2;
 			break;
 		case 'T':
 			lookup->tcp_mode = ISC_TRUE;
@@ -647,6 +666,7 @@ parse_args(isc_boolean_t is_batchfile, int argc, char **argv) {
 			lookup->ns_search_only = ISC_TRUE;
 			lookup->trace_root = ISC_TRUE;
 			lookup->identify_previous_line = ISC_TRUE;
+			default_lookups = ISC_FALSE;
 			break;
 		case 'N':
 			debug("setting NDOTS to %s",
@@ -656,11 +676,28 @@ parse_args(isc_boolean_t is_batchfile, int argc, char **argv) {
 		case 'D':
 			debugging = ISC_TRUE;
 			break;
+		case '4':
+			if (have_ipv4) {
+				isc_net_disableipv6();
+				have_ipv6 = ISC_FALSE;
+			} else
+				fatal("can't find IPv4 networking");
+			break;
+		case '6':
+			if (have_ipv6) {
+				isc_net_disableipv4();
+				have_ipv4 = ISC_FALSE;
+			} else
+				fatal("can't find IPv6 networking");
+			break;
 		}
 	}
-	if (isc_commandline_index >= argc) {
+
+	lookup->retries = tries;
+
+	if (isc_commandline_index >= argc)
 		show_usage();
-	}
+
 	strncpy(hostname, argv[isc_commandline_index], sizeof(hostname));
 	hostname[sizeof(hostname)-1]=0;
 	if (argc > isc_commandline_index + 1) {
@@ -670,12 +707,13 @@ parse_args(isc_boolean_t is_batchfile, int argc, char **argv) {
 	}
 
 	lookup->pending = ISC_FALSE;
-	if (get_reverse(store, hostname, lookup->ip6_int, ISC_TRUE)			     == ISC_R_SUCCESS)
-	{
+	if (get_reverse(store, sizeof(store), hostname,
+			lookup->ip6_int, ISC_TRUE) == ISC_R_SUCCESS) {
 		strncpy(lookup->textname, store, sizeof(lookup->textname));
 		lookup->textname[sizeof(lookup->textname)-1] = 0;
 		lookup->rdtype = dns_rdatatype_ptr;
 		lookup->rdtypeset = ISC_TRUE;
+		default_lookups = ISC_FALSE;
 	} else {
 		strncpy(lookup->textname, hostname, sizeof(lookup->textname));
 		lookup->textname[sizeof(lookup->textname)-1]=0;
@@ -690,6 +728,8 @@ int
 main(int argc, char **argv) {
 	isc_result_t result;
 
+	tries = 2;
+
 	ISC_LIST_INIT(lookup_list);
 	ISC_LIST_INIT(server_list);
 	ISC_LIST_INIT(search_list);
@@ -709,6 +749,6 @@ main(int argc, char **argv) {
 	cancel_all();
 	destroy_libs();
 	isc_app_finish();
-	return (0);
+	return ((seen_error == 0) ? 0 : 1);
 }
 
diff --git a/bin/dig/host.docbook b/bin/dig/host.docbook
index 4fbf2d43..561f7c43 100644
--- a/bin/dig/host.docbook
+++ b/bin/dig/host.docbook
@@ -1,9 +1,7 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
 <!--
- - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003  Internet Software Consortium.
+ - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2002  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -18,7 +16,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: host.docbook,v 1.2.2.8 2007/05/09 02:11:44 marka Exp $ -->
+<!-- $Id: host.docbook,v 1.2.2.2.4.5 2004/04/13 01:26:26 marka Exp $ -->
 
 <refentry>
 
@@ -32,22 +30,6 @@
 <refmiscinfo>BIND9</refmiscinfo>
 </refmeta>
 
-  <docinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2007</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <year>2002</year>
-      <year>2003</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
-  </docinfo>
-
 <refnamediv>
 <refname>host</refname>
 <refpurpose>DNS lookup utility</refpurpose>
@@ -62,8 +44,10 @@
   <arg><option>-R <replaceable class="parameter">number</replaceable></option></arg>
   <arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
   <arg><option>-W <replaceable class="parameter">wait</replaceable></option></arg>
-  <arg choice="req">name</arg>
-  <arg choice="opt">server</arg>
+  <arg><option>-4</option></arg>
+  <arg><option>-6</option></arg>
+  <arg choice=req>name</arg>
+  <arg choice=opt>server</arg>
 </cmdsynopsis>
 </refsynopsisdiv>
 
@@ -121,16 +105,16 @@ output.
 <para>
 List mode is selected by the <option>-l</option> option.  This makes
 <command>host</command> perform a zone transfer for zone
-<parameter>name</parameter>.  The argument is provided for
-compatibility with older implementations.  This option is equivalent
-to making a query of type AXFR.
+<parameter>name</parameter>.  Transfer the zone printing out the NS, PTR
+and address records (A/AAAA).  If combined with <option>-a</option>
+all records will be printed.  
 </para>
 
 <para>
-The <option>-n</option>
+The <option>-i</option>
 option specifies that reverse lookups of IPv6 addresses should
-use the IP6.INT domain and "nibble" labels as defined in RFC1886.
-The default is to use IP6.ARPA and binary labels as defined in RFC2874.
+use the IP6.INT domain as defined in RFC1886.
+The default is to use IP6.ARPA.
 </para>
 
 <para>
@@ -160,7 +144,7 @@ desired &mdash; bit in the query which <command>host</command> makes.
 This should mean that the name server receiving the query will not
 attempt to resolve <parameter>name</parameter>.  The
 <option>-r</option> option enables <command>host</command> to mimic
-the behavior of a name server by making non-recursive queries and
+the behaviour of a name server by making non-recursive queries and
 expecting to receive answers to those queries that are usually
 referrals to other name servers.
 </para>
@@ -173,15 +157,23 @@ require it, such as zone transfer (AXFR) requests.
 </para>
 
 <para>
+The <option>-4</option> option forces <command>host</command> to only
+use IPv4 query transport.  The <option>-6</option> option forces
+<command>host</command> to only use IPv6 query transport.
+</para>
+
+<para>
 The <option>-t</option> option is used to select the query type.
-<parameter>type</parameter> can be any recognized query type: CNAME,
+<parameter>type</parameter> can be any recognised query type: CNAME,
 NS, SOA, SIG, KEY, AXFR, etc.  When no query type is specified,
 <command>host</command> automatically selects an appropriate query
 type.  By default it looks for A records, but if the
 <option>-C</option> option was given, queries will be made for SOA
 records, and if <parameter>name</parameter> is a dotted-decimal IPv4
 address or colon-delimited IPv6 address, <command>host</command> will
-query for PTR records.
+query for PTR records.  If a query type of IXFR is chosen the starting
+serial number can be specified by appending an equal followed by the
+starting serial number (e.g. -t IXFR=12345678).
 </para>
 
 <para>
diff --git a/bin/dig/host.html b/bin/dig/host.html
index 77070cbd..e7a1bbf4 100644
--- a/bin/dig/host.html
+++ b/bin/dig/host.html
@@ -1,164 +1,470 @@
 <!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- - 
+ - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2002  Internet Software Consortium.
+ -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
- - 
+ -
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: host.html,v 1.4.2.16 2007/05/09 03:32:21 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>host</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476275"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p>host &#8212; DNS lookup utility</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">host</code>  [<code class="option">-aCdlnrTwv</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-N <em class="replaceable"><code>ndots</code></em></code>] [<code class="option">-R <em class="replaceable"><code>number</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-W <em class="replaceable"><code>wait</code></em></code>] {name} [server]</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543402"></a><h2>DESCRIPTION</h2>
-<p>
-<span><strong class="command">host</strong></span>
+
+<!-- $Id: host.html,v 1.4.2.1.4.5 2004/04/13 04:11:04 marka Exp $ -->
+
+<HTML
+><HEAD
+><TITLE
+>host</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.73
+"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+>host</A
+></H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN8"
+></A
+><H2
+>Name</H2
+>host&nbsp;--&nbsp;DNS lookup utility</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN11"
+></A
+><H2
+>Synopsis</H2
+><P
+><B
+CLASS="COMMAND"
+>host</B
+>  [<TT
+CLASS="OPTION"
+>-aCdlnrTwv</TT
+>] [<TT
+CLASS="OPTION"
+>-c <TT
+CLASS="REPLACEABLE"
+><I
+>class</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-N <TT
+CLASS="REPLACEABLE"
+><I
+>ndots</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-R <TT
+CLASS="REPLACEABLE"
+><I
+>number</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-t <TT
+CLASS="REPLACEABLE"
+><I
+>type</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-W <TT
+CLASS="REPLACEABLE"
+><I
+>wait</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-4</TT
+>] [<TT
+CLASS="OPTION"
+>-6</TT
+>] {name} [server]</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN37"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+><B
+CLASS="COMMAND"
+>host</B
+>
 is a simple utility for performing DNS lookups.
 It is normally used to convert names to IP addresses and vice versa.
 When no arguments or options are given,
-<span><strong class="command">host</strong></span>
-prints a short summary of its command line arguments and options.
-</p>
-<p>
-<em class="parameter"><code>name</code></em> is the domain name that is to be looked
+<B
+CLASS="COMMAND"
+>host</B
+>
+prints a short summary of its command line arguments and options.</P
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>name</I
+></TT
+> is the domain name that is to be looked
 up.  It can also be a dotted-decimal IPv4 address or a colon-delimited
-IPv6 address, in which case <span><strong class="command">host</strong></span> will by default
+IPv6 address, in which case <B
+CLASS="COMMAND"
+>host</B
+> will by default
 perform a reverse lookup for that address.
-<em class="parameter"><code>server</code></em> is an optional argument which is either
-the name or IP address of the name server that <span><strong class="command">host</strong></span>
+<TT
+CLASS="PARAMETER"
+><I
+>server</I
+></TT
+> is an optional argument which is either
+the name or IP address of the name server that <B
+CLASS="COMMAND"
+>host</B
+>
 should query instead of the server or servers listed in
-<code class="filename">/etc/resolv.conf</code>.
-</p>
-<p>
-The <code class="option">-a</code> (all) option is equivalent to setting the
-<code class="option">-v</code> option and asking <span><strong class="command">host</strong></span> to make
-a query of type ANY.
-</p>
-<p>
-When the <code class="option">-C</code> option is used, <span><strong class="command">host</strong></span>
+<TT
+CLASS="FILENAME"
+>/etc/resolv.conf</TT
+>.</P
+><P
+>The <TT
+CLASS="OPTION"
+>-a</TT
+> (all) option is equivalent to setting the
+<TT
+CLASS="OPTION"
+>-v</TT
+> option and asking <B
+CLASS="COMMAND"
+>host</B
+> to make
+a query of type ANY.</P
+><P
+>When the <TT
+CLASS="OPTION"
+>-C</TT
+> option is used, <B
+CLASS="COMMAND"
+>host</B
+>
 will attempt to display the SOA records for zone
-<em class="parameter"><code>name</code></em> from all the listed authoritative name
+<TT
+CLASS="PARAMETER"
+><I
+>name</I
+></TT
+> from all the listed authoritative name
 servers for that zone.  The list of name servers is defined by the NS
-records that are found for the zone.
-</p>
-<p>
-The <code class="option">-c</code> option instructs to make a DNS query of class
-<em class="parameter"><code>class</code></em>.  This can be used to lookup Hesiod or
-Chaosnet class resource records.  The default class is IN (Internet).
-</p>
-<p>
-Verbose output is generated by <span><strong class="command">host</strong></span> when the
-<code class="option">-d</code> or <code class="option">-v</code> option is used.  The two
+records that are found for the zone.</P
+><P
+>The <TT
+CLASS="OPTION"
+>-c</TT
+> option instructs to make a DNS query of class
+<TT
+CLASS="PARAMETER"
+><I
+>class</I
+></TT
+>.  This can be used to lookup Hesiod or
+Chaosnet class resource records.  The default class is IN (Internet).</P
+><P
+>Verbose output is generated by <B
+CLASS="COMMAND"
+>host</B
+> when the
+<TT
+CLASS="OPTION"
+>-d</TT
+> or <TT
+CLASS="OPTION"
+>-v</TT
+> option is used.  The two
 options are equivalent.  They have been provided for backwards
-compatibility.  In previous versions, the <code class="option">-d</code> option
-switched on debugging traces and <code class="option">-v</code> enabled verbose
-output.
-</p>
-<p>
-List mode is selected by the <code class="option">-l</code> option.  This makes
-<span><strong class="command">host</strong></span> perform a zone transfer for zone
-<em class="parameter"><code>name</code></em>.  The argument is provided for
-compatibility with older implementations.  This option is equivalent
-to making a query of type AXFR.
-</p>
-<p>
-The <code class="option">-n</code>
+compatibility.  In previous versions, the <TT
+CLASS="OPTION"
+>-d</TT
+> option
+switched on debugging traces and <TT
+CLASS="OPTION"
+>-v</TT
+> enabled verbose
+output.</P
+><P
+>List mode is selected by the <TT
+CLASS="OPTION"
+>-l</TT
+> option.  This makes
+<B
+CLASS="COMMAND"
+>host</B
+> perform a zone transfer for zone
+<TT
+CLASS="PARAMETER"
+><I
+>name</I
+></TT
+>.  Transfer the zone printing out the NS, PTR
+and address records (A/AAAA).  If combined with <TT
+CLASS="OPTION"
+>-a</TT
+>
+all records will be printed.  </P
+><P
+>The <TT
+CLASS="OPTION"
+>-i</TT
+>
 option specifies that reverse lookups of IPv6 addresses should
-use the IP6.INT domain and "nibble" labels as defined in RFC1886.
-The default is to use IP6.ARPA and binary labels as defined in RFC2874.
-</p>
-<p>
-The <code class="option">-N</code> option sets the number of dots that have to be
-in <em class="parameter"><code>name</code></em> for it to be considered absolute.  The
+use the IP6.INT domain as defined in RFC1886.
+The default is to use IP6.ARPA.</P
+><P
+>The <TT
+CLASS="OPTION"
+>-N</TT
+> option sets the number of dots that have to be
+in <TT
+CLASS="PARAMETER"
+><I
+>name</I
+></TT
+> for it to be considered absolute.  The
 default value is that defined using the ndots statement in
-<code class="filename">/etc/resolv.conf</code>, or 1 if no ndots statement is
+<TT
+CLASS="FILENAME"
+>/etc/resolv.conf</TT
+>, or 1 if no ndots statement is
 present.  Names with fewer dots are interpreted as relative names and
-will be searched for in the domains listed in the <span class="type">search</span>
-or <span class="type">domain</span> directive in
-<code class="filename">/etc/resolv.conf</code>.
-</p>
-<p>
-The number of UDP retries for a lookup can be changed with the
-<code class="option">-R</code> option.  <em class="parameter"><code>number</code></em> indicates
-how many times <span><strong class="command">host</strong></span> will repeat a query that does
+will be searched for in the domains listed in the <SPAN
+CLASS="TYPE"
+>search</SPAN
+>
+or <SPAN
+CLASS="TYPE"
+>domain</SPAN
+> directive in
+<TT
+CLASS="FILENAME"
+>/etc/resolv.conf</TT
+>.</P
+><P
+>The number of UDP retries for a lookup can be changed with the
+<TT
+CLASS="OPTION"
+>-R</TT
+> option.  <TT
+CLASS="PARAMETER"
+><I
+>number</I
+></TT
+> indicates
+how many times <B
+CLASS="COMMAND"
+>host</B
+> will repeat a query that does
 not get answered.  The default number of retries is 1.  If
-<em class="parameter"><code>number</code></em> is negative or zero, the number of
-retries will default to 1.
-</p>
-<p>
-Non-recursive queries can be made via the <code class="option">-r</code> option.
-Setting this option clears the <span class="type">RD</span> &#8212; recursion
-desired &#8212; bit in the query which <span><strong class="command">host</strong></span> makes.
+<TT
+CLASS="PARAMETER"
+><I
+>number</I
+></TT
+> is negative or zero, the number of
+retries will default to 1.</P
+><P
+>Non-recursive queries can be made via the <TT
+CLASS="OPTION"
+>-r</TT
+> option.
+Setting this option clears the <SPAN
+CLASS="TYPE"
+>RD</SPAN
+> &mdash; recursion
+desired &mdash; bit in the query which <B
+CLASS="COMMAND"
+>host</B
+> makes.
 This should mean that the name server receiving the query will not
-attempt to resolve <em class="parameter"><code>name</code></em>.  The
-<code class="option">-r</code> option enables <span><strong class="command">host</strong></span> to mimic
-the behavior of a name server by making non-recursive queries and
+attempt to resolve <TT
+CLASS="PARAMETER"
+><I
+>name</I
+></TT
+>.  The
+<TT
+CLASS="OPTION"
+>-r</TT
+> option enables <B
+CLASS="COMMAND"
+>host</B
+> to mimic
+the behaviour of a name server by making non-recursive queries and
 expecting to receive answers to those queries that are usually
-referrals to other name servers.
-</p>
-<p>
-By default <span><strong class="command">host</strong></span> uses UDP when making queries.  The
-<code class="option">-T</code> option makes it use a TCP connection when querying
+referrals to other name servers.</P
+><P
+>By default <B
+CLASS="COMMAND"
+>host</B
+> uses UDP when making queries.  The
+<TT
+CLASS="OPTION"
+>-T</TT
+> option makes it use a TCP connection when querying
 the name server.  TCP will be automatically selected for queries that
-require it, such as zone transfer (AXFR) requests.
-</p>
-<p>
-The <code class="option">-t</code> option is used to select the query type.
-<em class="parameter"><code>type</code></em> can be any recognized query type: CNAME,
+require it, such as zone transfer (AXFR) requests.</P
+><P
+>The <TT
+CLASS="OPTION"
+>-4</TT
+> option forces <B
+CLASS="COMMAND"
+>host</B
+> to only
+use IPv4 query transport.  The <TT
+CLASS="OPTION"
+>-6</TT
+> option forces
+<B
+CLASS="COMMAND"
+>host</B
+> to only use IPv6 query transport.</P
+><P
+>The <TT
+CLASS="OPTION"
+>-t</TT
+> option is used to select the query type.
+<TT
+CLASS="PARAMETER"
+><I
+>type</I
+></TT
+> can be any recognised query type: CNAME,
 NS, SOA, SIG, KEY, AXFR, etc.  When no query type is specified,
-<span><strong class="command">host</strong></span> automatically selects an appropriate query
+<B
+CLASS="COMMAND"
+>host</B
+> automatically selects an appropriate query
 type.  By default it looks for A records, but if the
-<code class="option">-C</code> option was given, queries will be made for SOA
-records, and if <em class="parameter"><code>name</code></em> is a dotted-decimal IPv4
-address or colon-delimited IPv6 address, <span><strong class="command">host</strong></span> will
-query for PTR records.
-</p>
-<p>
-The time to wait for a reply can be controlled through the
-<code class="option">-W</code> and <code class="option">-w</code> options.  The
-<code class="option">-W</code> option makes <span><strong class="command">host</strong></span> wait for
-<em class="parameter"><code>wait</code></em> seconds.  If <em class="parameter"><code>wait</code></em>
+<TT
+CLASS="OPTION"
+>-C</TT
+> option was given, queries will be made for SOA
+records, and if <TT
+CLASS="PARAMETER"
+><I
+>name</I
+></TT
+> is a dotted-decimal IPv4
+address or colon-delimited IPv6 address, <B
+CLASS="COMMAND"
+>host</B
+> will
+query for PTR records.  If a query type of IXFR is chosen the starting
+serial number can be specified by appending an equal followed by the
+starting serial number (e.g. -t IXFR=12345678).</P
+><P
+>The time to wait for a reply can be controlled through the
+<TT
+CLASS="OPTION"
+>-W</TT
+> and <TT
+CLASS="OPTION"
+>-w</TT
+> options.  The
+<TT
+CLASS="OPTION"
+>-W</TT
+> option makes <B
+CLASS="COMMAND"
+>host</B
+> wait for
+<TT
+CLASS="PARAMETER"
+><I
+>wait</I
+></TT
+> seconds.  If <TT
+CLASS="PARAMETER"
+><I
+>wait</I
+></TT
+>
 is less than one, the wait interval is set to one second.  When the
-<code class="option">-w</code> option is used, <span><strong class="command">host</strong></span> will
+<TT
+CLASS="OPTION"
+>-w</TT
+> option is used, <B
+CLASS="COMMAND"
+>host</B
+> will
 effectively wait forever for a reply.  The time to wait for a response
 will be set to the number of seconds given by the hardware's maximum
-value for an integer quantity.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543651"></a><h2>FILES</h2>
-<p>
-<code class="filename">/etc/resolv.conf</code>
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543664"></a><h2>SEE ALSO</h2>
-<p>
-<span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
-<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>.
-</p>
-</div>
-</div></body>
-</html>
+value for an integer quantity.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN115"
+></A
+><H2
+>FILES</H2
+><P
+><TT
+CLASS="FILENAME"
+>/etc/resolv.conf</TT
+></P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN119"
+></A
+><H2
+>SEE ALSO</H2
+><P
+><SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>dig</SPAN
+>(1)</SPAN
+>,
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>named</SPAN
+>(8)</SPAN
+>.</P
+></DIV
+></BODY
+></HTML
+>
diff --git a/bin/dig/include/dig/dig.h b/bin/dig/include/dig/dig.h
index bdf93e99..15562af4 100644
--- a/bin/dig/include/dig/dig.h
+++ b/bin/dig/include/dig/dig.h
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dig.h,v 1.71.2.18 2007/04/24 23:45:25 tbox Exp $ */
+/* $Id: dig.h,v 1.71.2.6.2.5 2004/04/13 03:00:07 marka Exp $ */
 
 #ifndef DIG_H
 #define DIG_H
@@ -35,7 +35,7 @@
 #include <isc/sockaddr.h>
 #include <isc/socket.h>
 
-#define MXSERV 20
+#define MXSERV 6
 #define MXNAME (DNS_NAME_MAXTEXT+1)
 #define MXRD 32
 #define BUFSIZE 512
@@ -66,11 +66,22 @@
  * in a tight loop of constant lookups.  It's value is arbitrary.
  */
 
+#define ROOTNS 1
+/*
+ * Set the number of root servers to ask for information when running in
+ * trace mode.
+ * XXXMWS -- trace mode is currently semi-broken, and this number *MUST*
+ * be 1.
+ */
+
 ISC_LANG_BEGINDECLS
 
 typedef struct dig_lookup dig_lookup_t;
 typedef struct dig_query dig_query_t;
 typedef struct dig_server dig_server_t;
+#ifdef DIG_SIGCHASE
+typedef struct dig_message dig_message_t;
+#endif
 typedef ISC_LIST(dig_server_t) dig_serverlist_t;
 typedef struct dig_searchlist dig_searchlist_t;
 
@@ -100,14 +111,29 @@ struct dig_lookup {
 		section_additional,
 		servfail_stops,
 		new_search,
-		need_search,
-		done_as_is,
 		besteffort,
 		dnssec;
+#ifdef DIG_SIGCHASE
+isc_boolean_t	sigchase;
+#if DIG_SIGCHASE_TD
+ 	isc_boolean_t do_topdown,
+	        trace_root_sigchase,
+	        rdtype_sigchaseset,
+	        rdclass_sigchaseset;
+	/* Name we are going to validate RRset */
+  	char textnamesigchase[MXNAME];
+#endif
+#endif
+	
 	char textname[MXNAME]; /* Name we're going to be looking up */
 	char cmdline[MXNAME];
 	dns_rdatatype_t rdtype;
 	dns_rdatatype_t qrdtype;
+#if DIG_SIGCHASE_TD
+        dns_rdatatype_t rdtype_sigchase;
+        dns_rdatatype_t qrdtype_sigchase;
+        dns_rdataclass_t rdclass_sigchase;
+#endif
 	dns_rdataclass_t rdclass;
 	isc_boolean_t rdtypeset;
 	isc_boolean_t rdclassset;
@@ -115,7 +141,7 @@ struct dig_lookup {
 	char onamespace[BUFSIZE];
 	isc_buffer_t namebuf;
 	isc_buffer_t onamebuf;
-	isc_buffer_t renderbuf;
+	isc_buffer_t sendbuf;
 	char *sendspace;
 	dns_name_t *name;
 	isc_timer_t *timer;
@@ -142,8 +168,6 @@ struct dig_lookup {
 struct dig_query {
 	dig_lookup_t *lookup;
 	isc_boolean_t waiting_connect,
-		pending_free,
-		waiting_senddone,
 		first_pass,
 		first_soa_rcvd,
 		second_rr_rcvd,
@@ -152,9 +176,9 @@ struct dig_query {
 		warn_id;
 	isc_uint32_t first_rr_serial;
 	isc_uint32_t second_rr_serial;
+	isc_uint32_t msg_count;
 	isc_uint32_t rr_count;
 	char *servname;
-	char *userarg;
 	isc_bufferlist_t sendlist,
 		recvlist,
 		lengthlist;
@@ -168,12 +192,10 @@ struct dig_query {
 	ISC_LINK(dig_query_t) link;
 	isc_sockaddr_t sockaddr;
 	isc_time_t time_sent;
-	isc_buffer_t sendbuf;
 };
 
 struct dig_server {
 	char servername[MXNAME];
-	char userarg[MXNAME];
 	ISC_LINK(dig_server_t) link;
 };
 
@@ -181,43 +203,12 @@ struct dig_searchlist {
 	char origin[MXNAME];
 	ISC_LINK(dig_searchlist_t) link;
 };
-
-typedef ISC_LIST(dig_searchlist_t) dig_searchlistlist_t;
-typedef ISC_LIST(dig_lookup_t) dig_lookuplist_t;
-
-/*
- * Externals from dighost.c
- */
-
-extern dig_lookuplist_t lookup_list;
-extern dig_serverlist_t server_list;
-extern dig_searchlistlist_t search_list;
-
-extern isc_boolean_t have_ipv4, have_ipv6, specified_source,
-        usesearch, qr;
-extern in_port_t port;
-extern unsigned int timeout;
-extern isc_mem_t *mctx;
-extern dns_messageid_t id;
-extern int sendcount;
-extern int ndots;
-extern int tries;  
-extern int lookup_counter;
-extern int exitcode;
-extern isc_sockaddr_t bind_address;
-extern char keynametext[MXNAME];
-extern char keyfile[MXNAME];
-extern char keysecret[MXNAME];
-extern dns_tsigkey_t *key;
-extern isc_boolean_t validated;
-extern isc_taskmgr_t *taskmgr;
-extern isc_task_t *global_task;
-extern isc_boolean_t free_now;
-extern isc_boolean_t debugging, memdebugging;
-
-extern char *progname;
-extern int fatalexit;
-
+#ifdef DIG_SIGCHASE
+struct dig_message {
+	        dns_message_t *msg;
+		ISC_LINK(dig_message_t) link;
+};
+#endif
 /*
  * Routines in dighost.c.
  */
@@ -225,11 +216,7 @@ void
 get_address(char *host, in_port_t port, isc_sockaddr_t *sockaddr);
 
 isc_result_t
-get_addresses(const char *hostname, in_port_t port,
-             isc_sockaddr_t *addrs, int addrsize, int *addrcount);
-
-isc_result_t
-get_reverse(char *reverse, char *value, isc_boolean_t ip6int,
+get_reverse(char *reverse, size_t len, char *value, isc_boolean_t ip6_int,
 	    isc_boolean_t strict);
 
 void
@@ -245,9 +232,6 @@ void
 setup_lookup(dig_lookup_t *lookup);
 
 void
-destroy_lookup(dig_lookup_t *lookup);
-
-void
 do_lookup(dig_lookup_t *lookup);
 
 void
@@ -271,18 +255,18 @@ requeue_lookup(dig_lookup_t *lookold, isc_boolean_t servers);
 dig_lookup_t *
 make_empty_lookup(void);
 
+dig_lookup_t *
+clone_lookup(dig_lookup_t *lookold, isc_boolean_t servers);
+
+dig_server_t *
+make_server(const char *servname);
+
 void
 flush_server_list(void);
 
 void
 set_nameserver(char *opt);
 
-dig_lookup_t *
-clone_lookup(dig_lookup_t *lookold, isc_boolean_t servers);
-
-dig_server_t *
-make_server(const char *servname, const char *userarg);
-
 void
 clone_server_list(dig_serverlist_t src,
 		  dig_serverlist_t *dest);
@@ -296,9 +280,19 @@ destroy_libs(void);
 void
 set_search_domain(char *domain);
 
+#ifdef DIG_SIGCHASE
+void
+clean_trustedkey(void);
+#endif
+
 /*
  * Routines to be defined in dig.c, host.c, and nslookup.c.
  */
+#ifdef DIG_SIGCHASE
+isc_result_t
+printrdataset(dns_name_t *owner_name, dns_rdataset_t *rdataset,
+	      isc_buffer_t *target);
+#endif
 
 isc_result_t
 printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers);
@@ -323,6 +317,14 @@ dighost_shutdown(void);
 char *
 next_token(char **stringp, const char *delim);
 
+#ifdef DIG_SIGCHASE
+/* Chasing functions */
+dns_rdataset_t *
+chase_scanname(dns_name_t *name, dns_rdatatype_t type, dns_rdatatype_t covers);
+void
+chase_sig(dns_message_t *msg);
+#endif
+
 ISC_LANG_ENDDECLS
 
 #endif
diff --git a/bin/dig/nslookup.1 b/bin/dig/nslookup.1
deleted file mode 100644
index 68a1a1d5..00000000
--- a/bin/dig/nslookup.1
+++ /dev/null
@@ -1,245 +0,0 @@
-.\" Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
-.\" 
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\" 
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id: nslookup.1,v 1.1.4.12 2007/05/16 06:57:45 marka Exp $
-.\"
-.hy 0
-.ad l
-.\"     Title: nslookup
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: Jun 30, 2000
-.\"    Manual: BIND9
-.\"    Source: BIND9
-.\"
-.TH "NSLOOKUP" "1" "Jun 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-nslookup \- query Internet name servers interactively
-.SH "SYNOPSIS"
-.HP 9
-\fBnslookup\fR [\fB\-option\fR] [name\ |\ \-] [server]
-.SH "DESCRIPTION"
-.PP
-\fBNslookup\fR
-is a program to query Internet domain name servers.
-\fBNslookup\fR
-has two modes: interactive and non\-interactive. Interactive mode allows the user to query name servers for information about various hosts and domains or to print a list of hosts in a domain. Non\-interactive mode is used to print just the name and requested information for a host or domain.
-.SH "ARGUMENTS"
-.PP
-Interactive mode is entered in the following cases:
-.TP 4
-1.
-when no arguments are given (the default name server will be used)
-.TP 4
-2.
-when the first argument is a hyphen (\-) and the second argument is the host name or Internet address of a name server.
-.sp
-.RE
-.PP
-Non\-interactive mode is used when the name or Internet address of the host to be looked up is given as the first argument. The optional second argument specifies the host name or address of a name server.
-.PP
-Options can also be specified on the command line if they precede the arguments and are prefixed with a hyphen. For example, to change the default query type to host information, and the initial timeout to 10 seconds, type:
-.sp .RS 4 .nf nslookup \-query=hinfo \-timeout=10 .fi .RE
-.SH "INTERACTIVE COMMANDS"
-.PP
-\fBhost\fR [server]
-.RS 4
-Look up information for host using the current default server or using server, if specified. If host is an Internet address and the query type is A or PTR, the name of the host is returned. If host is a name and does not have a trailing period, the search list is used to qualify the name.
-.sp
-To look up a host not in the current domain, append a period to the name.
-.RE
-.PP
-\fBserver\fR \fIdomain\fR
-.RS 4
-.RE
-.PP
-\fBlserver\fR \fIdomain\fR
-.RS 4
-Change the default server to
-\fIdomain\fR;
-\fBlserver\fR
-uses the initial server to look up information about
-\fIdomain\fR, while
-\fBserver\fR
-uses the current default server. If an authoritative answer can't be found, the names of servers that might have the answer are returned.
-.RE
-.PP
-\fBroot\fR
-.RS 4
-not implemented
-.RE
-.PP
-\fBfinger\fR
-.RS 4
-not implemented
-.RE
-.PP
-\fBls\fR
-.RS 4
-not implemented
-.RE
-.PP
-\fBview\fR
-.RS 4
-not implemented
-.RE
-.PP
-\fBhelp\fR
-.RS 4
-not implemented
-.RE
-.PP
-\fB?\fR
-.RS 4
-not implemented
-.RE
-.PP
-\fBexit\fR
-.RS 4
-Exits the program.
-.RE
-.PP
-\fBset\fR \fIkeyword\fR\fI[=value]\fR
-.RS 4
-This command is used to change state information that affects the lookups. Valid keywords are:
-.RS 4
-.PP
-\fBall\fR
-.RS 4
-Prints the current values of the frequently used options to
-\fBset\fR. Information about the current default server and host is also printed.
-.RE
-.PP
-\fBclass=\fR\fIvalue\fR
-.RS 4
-Change the query class to one of:
-.RS 4
-.PP
-\fBIN\fR
-.RS 4
-the Internet class
-.RE
-.PP
-\fBCH\fR
-.RS 4
-the Chaos class
-.RE
-.PP
-\fBHS\fR
-.RS 4
-the Hesiod class
-.RE
-.PP
-\fBANY\fR
-.RS 4
-wildcard
-.RE
-.RE
-.IP "" 4
-The class specifies the protocol group of the information.
-.sp
-(Default = IN; abbreviation = cl)
-.RE
-.PP
-\fB\fI[no]\fR\fR\fBdebug\fR
-.RS 4
-Turn on or off the display of the full response packet and any intermediate response packets when searching.
-.sp
-(Default = nodebug; abbreviation =
-[no]deb)
-.RE
-.PP
-\fB\fI[no]\fR\fR\fBd2\fR
-.RS 4
-Turn debugging mode on or off. This displays more about what nslookup is doing.
-.sp
-(Default = nod2)
-.RE
-.PP
-\fBdomain=\fR\fIname\fR
-.RS 4
-Sets the search list to
-\fIname\fR.
-.RE
-.PP
-\fB\fI[no]\fR\fR\fBsearch\fR
-.RS 4
-If the lookup request contains at least one period but doesn't end with a trailing period, append the domain names in the domain search list to the request until an answer is received.
-.sp
-(Default = search)
-.RE
-.PP
-\fBport=\fR\fIvalue\fR
-.RS 4
-Change the default TCP/UDP name server port to
-\fIvalue\fR.
-.sp
-(Default = 53; abbreviation = po)
-.RE
-.PP
-\fBquerytype=\fR\fIvalue\fR
-.RS 4
-.RE
-.PP
-\fBtype=\fR\fIvalue\fR
-.RS 4
-Change the type of the information query.
-.sp
-(Default = A; abbreviations = q, ty)
-.RE
-.PP
-\fB\fI[no]\fR\fR\fBrecurse\fR
-.RS 4
-Tell the name server to query other servers if it does not have the information.
-.sp
-(Default = recurse; abbreviation = [no]rec)
-.RE
-.PP
-\fBretry=\fR\fInumber\fR
-.RS 4
-Set the number of retries to number.
-.RE
-.PP
-\fBtimeout=\fR\fInumber\fR
-.RS 4
-Change the initial timeout interval for waiting for a reply to number seconds.
-.RE
-.PP
-\fB\fI[no]\fR\fR\fBvc\fR
-.RS 4
-Always use a virtual circuit when sending requests to the server.
-.sp
-(Default = novc)
-.RE
-.RE
-.IP "" 4
-.RE
-.SH "FILES"
-.PP
-\fI/etc/resolv.conf\fR
-.SH "SEE ALSO"
-.PP
-\fBdig\fR(1),
-\fBhost\fR(1),
-\fBnamed\fR(8).
-.SH "AUTHOR"
-.PP
-Andrew Cherenson
-.SH "COPYRIGHT"
-Copyright \(co 2004\-2007 Internet Systems Consortium, Inc. ("ISC")
-.br
diff --git a/bin/dig/nslookup.c b/bin/dig/nslookup.c
index 7bad0f38..a06b9e33 100644
--- a/bin/dig/nslookup.c
+++ b/bin/dig/nslookup.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nslookup.c,v 1.90.2.15 2007/04/24 23:45:24 tbox Exp $ */
+/* $Id: nslookup.c,v 1.90.2.4.2.4 2004/04/13 03:00:06 marka Exp $ */
 
 #include <config.h>
 
@@ -25,6 +25,7 @@
 #include <isc/buffer.h>
 #include <isc/commandline.h>
 #include <isc/event.h>
+#include <isc/parseint.h>
 #include <isc/string.h>
 #include <isc/timer.h>
 #include <isc/util.h>
@@ -41,10 +42,32 @@
 #include <dns/rdatatype.h>
 #include <dns/byaddr.h>
 
+#ifdef DIG_SIGCHASE
+#ifndef DIG_SIGCHASE_BU
+#define DIG_SIGCHASE_BU 1
+#endif
+#ifndef DIG_SIGCHASE_TD
+#define DIG_SIGCHASE_TD 1
+#endif
+#endif
+
 #include <dig/dig.h>
 
+extern ISC_LIST(dig_lookup_t) lookup_list;
+extern dig_serverlist_t server_list;
+extern ISC_LIST(dig_searchlist_t) search_list;
+
+extern isc_boolean_t usesearch, debugging;
+extern in_port_t port;
+extern unsigned int timeout;
+extern isc_mem_t *mctx;
+extern int tries;
+extern int lookup_counter;
+extern isc_task_t *global_task;
+extern char *progname;
+
 static isc_boolean_t short_form = ISC_TRUE,
-	tcpmode = ISC_FALSE,
+	tcpmode = ISC_FALSE, deprecation_msg = ISC_TRUE,
 	identify = ISC_FALSE, stats = ISC_TRUE,
 	comments = ISC_TRUE, section_question = ISC_TRUE,
 	section_answer = ISC_TRUE, section_authority = ISC_TRUE,
@@ -119,7 +142,8 @@ static const char *rtypetext[] = {
 	"v6 address = ",		/* 38 */
 	"dname = ",			/* 39 */
 	"rtype_40 = ",			/* 40 */
-	"optional = "};			/* 41 */
+	"optional = "			/* 41 */
+};
 
 #define N_KNOWN_RRTYPES (sizeof(rtypetext) / sizeof(rtypetext[0]))
 
@@ -174,7 +198,18 @@ printa(dns_rdata_t *rdata) {
 	printf("Address: %.*s\n", (int)isc_buffer_usedlength(&b),
 	       (char *)isc_buffer_base(&b));
 }
-
+#ifdef DIG_SIGCHASE
+/* Just for compatibility : not use in host program */
+isc_result_t
+printrdataset(dns_name_t *owner_name, dns_rdataset_t *rdataset,
+	      isc_buffer_t *target)
+{
+	UNUSED(owner_name);
+	UNUSED(rdataset);
+	UNUSED(target);
+	return(ISC_FALSE);
+}
+#endif
 static void
 printrdata(dns_rdata_t *rdata) {
 	isc_result_t result;
@@ -376,7 +411,7 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
 	debug("printmessage()");
 
 	isc_sockaddr_format(&query->sockaddr, servtext, sizeof(servtext));
-	printf("Server:\t\t%s\n", query->userarg);
+	printf("Server:\t\t%s\n", query->servname);
 	printf("Address:\t%s\n", servtext);
 	
 	puts("");
@@ -396,9 +431,8 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
 		char nametext[DNS_NAME_FORMATSIZE];
 		dns_name_format(query->lookup->name,
 				nametext, sizeof(nametext));
-		printf("** server can't find %s: %s\n",
-		       (msg->rcode != dns_rcode_nxdomain) ? nametext :
-		       query->lookup->textname, rcodetext[msg->rcode]);
+		printf("** server can't find %s: %s\n", nametext,
+		       rcodetext[msg->rcode]);
 		debug("returning with rcode == 0");
 		return (ISC_R_SUCCESS);
 	}
@@ -436,7 +470,7 @@ show_settings(isc_boolean_t full, isc_boolean_t serv_only) {
 		get_address(srv->servername, port, &sockaddr);
 		isc_sockaddr_format(&sockaddr, sockstr, sizeof(sockstr));
 		printf("Default server: %s\nAddress: %s\n",
-			srv->userarg, sockstr);
+			srv->servername, sockstr);
 		if (!full)
 			return;
 		srv = ISC_LIST_NEXT(srv, link);
@@ -504,7 +538,46 @@ safecpy(char *dest, char *src, int size) {
 	strncpy(dest, src, size);
 	dest[size-1] = 0;
 }
-	
+
+static isc_result_t
+parse_uint(isc_uint32_t *uip, const char *value, isc_uint32_t max,
+	   const char *desc) {
+	isc_uint32_t n;
+	isc_result_t result = isc_parse_uint32(&n, value, 10);
+	if (result == ISC_R_SUCCESS && n > max)
+		result = ISC_R_RANGE;
+	if (result != ISC_R_SUCCESS) {
+		printf("invalid %s '%s': %s\n", desc,
+		       value, isc_result_totext(result));
+		return result;
+	}
+	*uip = n;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+set_port(const char *value) {
+	isc_uint32_t n;
+	isc_result_t result = parse_uint(&n, value, 65535, "port");
+	if (result == ISC_R_SUCCESS)
+		port = (isc_uint16_t) n;
+}
+
+static void
+set_timeout(const char *value) {
+	isc_uint32_t n;
+	isc_result_t result = parse_uint(&n, value, UINT_MAX, "timeout");
+	if (result == ISC_R_SUCCESS)
+		timeout = n;
+}
+
+static void
+set_tries(const char *value) {
+	isc_uint32_t n;
+	isc_result_t result = parse_uint(&n, value, INT_MAX, "tries");
+	if (result == ISC_R_SUCCESS)
+		tries = n;
+}
 
 static void
 setoption(char *opt) {
@@ -543,21 +616,21 @@ setoption(char *opt) {
 		set_search_domain(domainopt);
 		usesearch = ISC_TRUE;
 	} else if (strncasecmp(opt, "port=", 5) == 0) {
-		port = atoi(&opt[5]);
+		set_port(&opt[5]);
 	} else if (strncasecmp(opt, "po=", 3) == 0) {
-		port = atoi(&opt[3]);
+		set_port(&opt[3]);
 	} else if (strncasecmp(opt, "timeout=", 8) == 0) {
-		timeout = atoi(&opt[8]);
+		set_timeout(&opt[8]);
 	} else if (strncasecmp(opt, "t=", 2) == 0) {
-		timeout = atoi(&opt[2]);
+		set_timeout(&opt[2]);
  	} else if (strncasecmp(opt, "rec", 3) == 0) {
 		recurse = ISC_TRUE;
 	} else if (strncasecmp(opt, "norec", 5) == 0) {
 		recurse = ISC_FALSE;
 	} else if (strncasecmp(opt, "retry=", 6) == 0) {
-		tries = atoi(&opt[6]);
+		set_tries(&opt[6]);
 	} else if (strncasecmp(opt, "ret=", 4) == 0) {
-		tries = atoi(&opt[4]);
+		set_tries(&opt[4]);
  	} else if (strncasecmp(opt, "def", 3) == 0) {
 		usesearch = ISC_TRUE;
 	} else if (strncasecmp(opt, "nodef", 5) == 0) {
@@ -574,12 +647,12 @@ setoption(char *opt) {
 		debugging = ISC_TRUE;
 	} else if (strncasecmp(opt, "nod2", 4) == 0) {
 		debugging = ISC_FALSE;
-	} else if (strncasecmp(opt, "search",3) == 0) {
+	} else if (strncasecmp(opt, "search", 3) == 0) {
 		usesearch = ISC_TRUE;
-	} else if (strncasecmp(opt, "nosearch",5) == 0) {
+	} else if (strncasecmp(opt, "nosearch", 5) == 0) {
 		usesearch = ISC_FALSE;
-	} else if (strncasecmp(opt, "sil",3) == 0) {
-		/* deprecation_msg = ISC_FALSE; */
+	} else if (strncasecmp(opt, "sil", 3) == 0) {
+		deprecation_msg = ISC_FALSE;
 	} else {
 		printf("*** Invalid option: %s\n", opt);	
 	}
@@ -610,9 +683,8 @@ addlookup(char *opt) {
 		rdclass = dns_rdataclass_in;
 	}
 	lookup = make_empty_lookup();
-	if (get_reverse(store, opt, lookup->ip6_int, ISC_TRUE)
-	    == ISC_R_SUCCESS)
-	{
+	if (get_reverse(store, sizeof(store), opt, lookup->ip6_int, ISC_TRUE)
+	    == ISC_R_SUCCESS) {
 		safecpy(lookup->textname, store, sizeof(lookup->textname));
 		lookup->rdtype = dns_rdatatype_ptr;
 		lookup->rdtypeset = ISC_TRUE;
@@ -653,12 +725,10 @@ get_next_command(void) {
 	char *ptr, *arg;
 	char *input;
 
-	fflush(stdout);
 	buf = isc_mem_allocate(mctx, COMMSIZE);
 	if (buf == NULL)
 		fatal("memory allocation failure");
 	fputs("> ", stderr);
-	fflush(stderr);
 	isc_app_block();
 	ptr = fgets(buf, COMMSIZE, stdin);
 	isc_app_unblock();
@@ -676,23 +746,19 @@ get_next_command(void) {
 		setoption(arg);
 	else if ((strcasecmp(ptr, "server") == 0) ||
 		 (strcasecmp(ptr, "lserver") == 0)) {
-		isc_app_block();
 		set_nameserver(arg);
-		isc_app_unblock();
 		show_settings(ISC_TRUE, ISC_TRUE);
 	} else if (strcasecmp(ptr, "exit") == 0) {
 		in_use = ISC_FALSE;
 		goto cleanup;
 	} else if (strcasecmp(ptr, "help") == 0 ||
-		   strcasecmp(ptr, "?") == 0)
-	{
+		   strcasecmp(ptr, "?") == 0) {
 		printf("The '%s' command is not yet implemented.\n", ptr);
 		goto cleanup;
 	} else if (strcasecmp(ptr, "finger") == 0 ||
 		   strcasecmp(ptr, "root") == 0 ||
 		   strcasecmp(ptr, "ls") == 0 ||
-		   strcasecmp(ptr, "view") == 0)
-	{
+		   strcasecmp(ptr, "view") == 0) {
 		printf("The '%s' command is not implemented.\n", ptr);
 		goto cleanup;
 	} else
@@ -804,6 +870,12 @@ main(int argc, char **argv) {
 
 	parse_args(argc, argv);
 
+	if (deprecation_msg) {
+		fputs(
+"Note:  nslookup is deprecated and may be removed from future releases.\n"
+"Consider using the `dig' or `host' programs instead.  Run nslookup with\n"
+"the `-sil[ent]' option to prevent this message from appearing.\n", stderr);
+	}
 	setup_system();
 	if (domainopt[0] != '\0')
 		set_search_domain(domainopt);
diff --git a/bin/dig/nslookup.docbook b/bin/dig/nslookup.docbook
deleted file mode 100644
index ce3b78db..00000000
--- a/bin/dig/nslookup.docbook
+++ /dev/null
@@ -1,330 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: nslookup.docbook,v 1.3.4.12 2007/05/16 02:07:44 marka Exp $ -->
-
-<!--
- - Copyright (c) 1985, 1989
- -    The Regents of the University of California.  All rights reserved.
- - 
- - Redistribution and use in source and binary forms, with or without
- - modification, are permitted provided that the following conditions
- - are met:
- - 1. Redistributions of source code must retain the above copyright
- -    notice, this list of conditions and the following disclaimer.
- - 2. Redistributions in binary form must reproduce the above copyright
- -    notice, this list of conditions and the following disclaimer in the
- -    documentation and/or other materials provided with the distribution.
- - 3. All advertising materials mentioning features or use of this software
- -    must display the following acknowledgement:
- -     This product includes software developed by the University of
- -     California, Berkeley and its contributors.
- - 4. Neither the name of the University nor the names of its contributors
- -    may be used to endorse or promote products derived from this software
- -    without specific prior written permission.
- - 
- - THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- - ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- - ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- - FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- - DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- - OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- - HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- - LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- - OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- - SUCH DAMAGE.
--->
-
-<refentry>
-
-<refentryinfo>
-<date>Jun 30, 2000</date>
-</refentryinfo>
-
-<refmeta>
-<refentrytitle>nslookup</refentrytitle>
-<manvolnum>1</manvolnum>
-<refmiscinfo>BIND9</refmiscinfo>
-</refmeta>
-
-  <docinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2006</year>
-      <year>2007</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-  </docinfo>
-
-<refnamediv>
-<refname>nslookup</refname>
-<refpurpose>query Internet name servers interactively</refpurpose>
-</refnamediv>
-
-<refsynopsisdiv>
-<cmdsynopsis>
-  <command>nslookup</command>
-  <arg><option>-option</option></arg>
-  <arg choice="opt">name | -</arg>
-  <arg choice="opt">server</arg>
-</cmdsynopsis>
-</refsynopsisdiv>
-
-<refsect1>
-<title>DESCRIPTION</title>
-<para>
-<command>Nslookup</command>
-is a program to query Internet domain name servers.  <command>Nslookup</command>
-has two modes: interactive and non-interactive.  Interactive mode allows
-the user to query name servers for information about various hosts and
-domains or to print a list of hosts in a domain.  Non-interactive mode is
-used to print just the name and requested information for a host or
-domain.
-</para>
-</refsect1>
-
-<refsect1>
-<title>ARGUMENTS</title>
-<para>
-Interactive mode is entered in the following cases:
-<orderedlist numeration="loweralpha">
-<listitem>
-<para>
-when no arguments are given (the default name server will be used)
-</para>
-</listitem>
-<listitem>
-<para>
-when the first argument is a hyphen (-) and the second argument is
-the host name or Internet address of a name server.
-</para>
-</listitem>
-</orderedlist>
-</para>
-
-<para>
-Non-interactive mode is used when the name or Internet address of the
-host to be looked up is given as the first argument. The optional second
-argument specifies the host name or address of a name server.
-</para>
-
-<para>
-Options can also be specified on the command line if they precede the
-arguments and are prefixed with a hyphen.  For example, to
-change the default query type to host information, and the initial timeout to 10 seconds, type:
-<informalexample>
-<programlisting>
-nslookup -query=hinfo  -timeout=10
-</programlisting>
-</informalexample>
-</para>
-
-</refsect1>
-
-<refsect1>
-<title>INTERACTIVE COMMANDS</title>
-<variablelist>
-<varlistentry><term><constant>host</constant> <optional>server</optional></term>
-<listitem><para>
-Look up information for host using the current default server or
-using server, if specified.  If host is an Internet address and
-the query type is A or PTR, the name of the host is returned.
-If host is a name and does not have a trailing period, the
-search list is used to qualify the name.
-</para>
-
-<para>
-To look up a host not in the current domain, append a period to
-the name.
-</para></listitem></varlistentry>
-
-<varlistentry><term><constant>server</constant> <replaceable class="parameter">domain</replaceable></term>
-<listitem><para></para></listitem></varlistentry>
-<varlistentry><term><constant>lserver</constant> <replaceable class="parameter">domain</replaceable></term>
-<listitem><para>
-Change the default server to <replaceable>domain</replaceable>; <constant>lserver</constant> uses the initial
-server to look up information about <replaceable>domain</replaceable>, while <constant>server</constant> uses
-the current default server.  If an authoritative answer can't be
-found, the names of servers that might have the answer are
-returned.
-</para></listitem></varlistentry>
-
-<varlistentry><term><constant>root</constant></term>
-<listitem><para>not implemented</para></listitem></varlistentry>
-
-<varlistentry><term><constant>finger</constant></term>
-<listitem><para>not implemented</para></listitem></varlistentry>
-
-<varlistentry><term><constant>ls</constant></term>
-<listitem><para>not implemented</para></listitem></varlistentry>
-
-<varlistentry><term><constant>view</constant></term>
-<listitem><para>not implemented</para></listitem></varlistentry>
-
-<varlistentry><term><constant>help</constant></term>
-<listitem><para>not implemented</para></listitem></varlistentry>
-
-<varlistentry><term><constant>?</constant></term>
-<listitem><para>not implemented</para></listitem></varlistentry>
-
-<varlistentry><term><constant>exit</constant></term>
-<listitem><para>Exits the program.</para></listitem></varlistentry>
-
-<varlistentry><term><constant>set</constant> <replaceable>keyword<optional>=value</optional></replaceable></term>
-<listitem><para>This command is used to change state information that affects
-the lookups.  Valid keywords are:
- <variablelist>
-  <varlistentry><term><constant>all</constant></term>
-  <listitem>
-  <para>Prints the current values of the frequently used
-  options to <command>set</command>.  Information about the  current default
-  server and host is also printed.
-  </para>
-  </listitem>
-  </varlistentry>
-
-  <varlistentry><term><constant>class=</constant><replaceable>value</replaceable></term>
-  <listitem><para>
-   Change the query class to one of:
-   <variablelist>
-    <varlistentry><term><constant>IN</constant></term>
-    <listitem><para>the Internet class</para></listitem></varlistentry>
-    <varlistentry><term><constant>CH</constant></term>
-    <listitem><para>the Chaos class</para></listitem></varlistentry>
-    <varlistentry><term><constant>HS</constant></term>
-    <listitem><para>the Hesiod class</para></listitem></varlistentry>
-    <varlistentry><term><constant>ANY</constant></term>
-    <listitem><para>wildcard</para></listitem></varlistentry>
-   </variablelist>
-   The class specifies the protocol group of the information.
-   </para><para>
-   (Default = IN; abbreviation = cl)
-   </para></listitem>
-  </varlistentry>
-
-  <varlistentry><term><constant><replaceable><optional>no</optional></replaceable>debug</constant></term>
-  <listitem><para>
-		    Turn on or off the display of the full response packet and
-		    any intermediate response packets when searching.
-  </para><para>
-  (Default = nodebug; abbreviation = <optional>no</optional>deb)
-  </para></listitem></varlistentry>
-
-  <varlistentry><term><constant><replaceable><optional>no</optional></replaceable>d2</constant></term>
-  <listitem><para>
-		    Turn debugging mode on or off.  This displays more about
-		    what nslookup is doing.
-  </para><para>
-  (Default = nod2)
-  </para></listitem></varlistentry>
-
-  <varlistentry><term><constant>domain=</constant><replaceable>name</replaceable></term>
-  <listitem><para>
-  Sets the search list to <replaceable>name</replaceable>.
-  </para></listitem></varlistentry>
-
-  <varlistentry><term><constant><replaceable><optional>no</optional></replaceable>search</constant></term>
-  <listitem><para>
-  If the lookup request contains at least one period but
-  doesn't end with a trailing period, append the domain
-  names in the domain search list to the request until an
-  answer is received.
-  </para><para>
-  (Default = search)
-  </para></listitem></varlistentry>
-
-  <varlistentry><term><constant>port=</constant><replaceable>value</replaceable></term>
-  <listitem><para>
-  Change the default TCP/UDP name server port to <replaceable>value</replaceable>.
-  </para><para>
-  (Default = 53; abbreviation = po)
-  </para></listitem></varlistentry>
-
-  <varlistentry><term><constant>querytype=</constant><replaceable>value</replaceable></term>
-  <listitem><para></para></listitem></varlistentry>
-
-  <varlistentry><term><constant>type=</constant><replaceable>value</replaceable></term>
-  <listitem><para>
-  Change the type of the information query.
-  </para><para>
-  (Default = A; abbreviations = q, ty)
-  </para></listitem></varlistentry>
-
-  <varlistentry><term><constant><replaceable><optional>no</optional></replaceable>recurse</constant></term>
-  <listitem><para>
-  Tell the name server to query other servers if it does not have the
-  information.
-  </para><para>
-  (Default = recurse; abbreviation = [no]rec)
-  </para></listitem></varlistentry>
-
-  <varlistentry><term><constant>retry=</constant><replaceable>number</replaceable></term>
-  <listitem><para>
-  Set the number of retries to number.
-  </para></listitem></varlistentry>
-
-  <varlistentry><term><constant>timeout=</constant><replaceable>number</replaceable></term>
-  <listitem><para>
-  Change the initial timeout interval for waiting for a
-  reply to number seconds.
-  </para></listitem></varlistentry>
-
-  <varlistentry><term><constant><replaceable><optional>no</optional></replaceable>vc</constant></term>
-  <listitem><para>
-  Always use a virtual circuit when sending requests to the server.
-  </para><para>
-  (Default = novc)
-  </para></listitem></varlistentry>
-
-  </variablelist>
-</para></listitem></varlistentry>
-</variablelist>
-</refsect1>
-
-<refsect1>
-<title>FILES</title>
-<para>
-<filename>/etc/resolv.conf</filename>
-</para>
-</refsect1>
-
-<refsect1>
-<title>SEE ALSO</title>
-<para>
-<citerefentry>
-<refentrytitle>dig</refentrytitle><manvolnum>1</manvolnum>
-</citerefentry>,
-<citerefentry>
-<refentrytitle>host</refentrytitle><manvolnum>1</manvolnum>
-</citerefentry>,
-<citerefentry>
-<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
-</citerefentry>.
-</para>
-</refsect1>
-
-<refsect1>
-<title>Author</title>
-<para>
-Andrew Cherenson
-</para>
-</refsect1>
-</refentry>
diff --git a/bin/dig/nslookup.html b/bin/dig/nslookup.html
deleted file mode 100644
index 75996403..00000000
--- a/bin/dig/nslookup.html
+++ /dev/null
@@ -1,262 +0,0 @@
-<!--
- - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
- - 
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id: nslookup.html,v 1.1.4.19 2007/05/16 06:57:45 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>nslookup</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476276"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p>nslookup &#8212; query Internet name servers interactively</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">nslookup</code>  [<code class="option">-option</code>] [name | -] [server]</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543346"></a><h2>DESCRIPTION</h2>
-<p>
-<span><strong class="command">Nslookup</strong></span>
-is a program to query Internet domain name servers.  <span><strong class="command">Nslookup</strong></span>
-has two modes: interactive and non-interactive.  Interactive mode allows
-the user to query name servers for information about various hosts and
-domains or to print a list of hosts in a domain.  Non-interactive mode is
-used to print just the name and requested information for a host or
-domain.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543363"></a><h2>ARGUMENTS</h2>
-<p>
-Interactive mode is entered in the following cases:
-</p>
-<div class="orderedlist"><ol type="a">
-<li><p>
-when no arguments are given (the default name server will be used)
-</p></li>
-<li><p>
-when the first argument is a hyphen (-) and the second argument is
-the host name or Internet address of a name server.
-</p></li>
-</ol></div>
-<p>
-</p>
-<p>
-Non-interactive mode is used when the name or Internet address of the
-host to be looked up is given as the first argument. The optional second
-argument specifies the host name or address of a name server.
-</p>
-<p>
-Options can also be specified on the command line if they precede the
-arguments and are prefixed with a hyphen.  For example, to
-change the default query type to host information, and the initial timeout to 10 seconds, type:
-</p>
-<div class="informalexample"><pre class="programlisting">
-nslookup -query=hinfo  -timeout=10
-</pre></div>
-<p>
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543405"></a><h2>INTERACTIVE COMMANDS</h2>
-<div class="variablelist"><dl>
-<dt><span class="term"><code class="constant">host</code> [<span class="optional">server</span>]</span></dt>
-<dd>
-<p>
-Look up information for host using the current default server or
-using server, if specified.  If host is an Internet address and
-the query type is A or PTR, the name of the host is returned.
-If host is a name and does not have a trailing period, the
-search list is used to qualify the name.
-</p>
-<p>
-To look up a host not in the current domain, append a period to
-the name.
-</p>
-</dd>
-<dt><span class="term"><code class="constant">server</code> <em class="replaceable"><code>domain</code></em></span></dt>
-<dd><p></p></dd>
-<dt><span class="term"><code class="constant">lserver</code> <em class="replaceable"><code>domain</code></em></span></dt>
-<dd><p>
-Change the default server to <em class="replaceable"><code>domain</code></em>; <code class="constant">lserver</code> uses the initial
-server to look up information about <em class="replaceable"><code>domain</code></em>, while <code class="constant">server</code> uses
-the current default server.  If an authoritative answer can't be
-found, the names of servers that might have the answer are
-returned.
-</p></dd>
-<dt><span class="term"><code class="constant">root</code></span></dt>
-<dd><p>not implemented</p></dd>
-<dt><span class="term"><code class="constant">finger</code></span></dt>
-<dd><p>not implemented</p></dd>
-<dt><span class="term"><code class="constant">ls</code></span></dt>
-<dd><p>not implemented</p></dd>
-<dt><span class="term"><code class="constant">view</code></span></dt>
-<dd><p>not implemented</p></dd>
-<dt><span class="term"><code class="constant">help</code></span></dt>
-<dd><p>not implemented</p></dd>
-<dt><span class="term"><code class="constant">?</code></span></dt>
-<dd><p>not implemented</p></dd>
-<dt><span class="term"><code class="constant">exit</code></span></dt>
-<dd><p>Exits the program.</p></dd>
-<dt><span class="term"><code class="constant">set</code> <em class="replaceable"><code>keyword[<span class="optional">=value</span>]</code></em></span></dt>
-<dd>
-<p>This command is used to change state information that affects
-the lookups.  Valid keywords are:
- </p>
-<div class="variablelist"><dl>
-<dt><span class="term"><code class="constant">all</code></span></dt>
-<dd><p>Prints the current values of the frequently used
-  options to <span><strong class="command">set</strong></span>.  Information about the  current default
-  server and host is also printed.
-  </p></dd>
-<dt><span class="term"><code class="constant">class=</code><em class="replaceable"><code>value</code></em></span></dt>
-<dd>
-<p>
-   Change the query class to one of:
-   </p>
-<div class="variablelist"><dl>
-<dt><span class="term"><code class="constant">IN</code></span></dt>
-<dd><p>the Internet class</p></dd>
-<dt><span class="term"><code class="constant">CH</code></span></dt>
-<dd><p>the Chaos class</p></dd>
-<dt><span class="term"><code class="constant">HS</code></span></dt>
-<dd><p>the Hesiod class</p></dd>
-<dt><span class="term"><code class="constant">ANY</code></span></dt>
-<dd><p>wildcard</p></dd>
-</dl></div>
-<p>
-   The class specifies the protocol group of the information.
-   </p>
-<p>
-   (Default = IN; abbreviation = cl)
-   </p>
-</dd>
-<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>debug</code></span></dt>
-<dd>
-<p>
-		    Turn on or off the display of the full response packet and
-		    any intermediate response packets when searching.
-  </p>
-<p>
-  (Default = nodebug; abbreviation = [<span class="optional">no</span>]deb)
-  </p>
-</dd>
-<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>d2</code></span></dt>
-<dd>
-<p>
-		    Turn debugging mode on or off.  This displays more about
-		    what nslookup is doing.
-  </p>
-<p>
-  (Default = nod2)
-  </p>
-</dd>
-<dt><span class="term"><code class="constant">domain=</code><em class="replaceable"><code>name</code></em></span></dt>
-<dd><p>
-  Sets the search list to <em class="replaceable"><code>name</code></em>.
-  </p></dd>
-<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>search</code></span></dt>
-<dd>
-<p>
-  If the lookup request contains at least one period but
-  doesn't end with a trailing period, append the domain
-  names in the domain search list to the request until an
-  answer is received.
-  </p>
-<p>
-  (Default = search)
-  </p>
-</dd>
-<dt><span class="term"><code class="constant">port=</code><em class="replaceable"><code>value</code></em></span></dt>
-<dd>
-<p>
-  Change the default TCP/UDP name server port to <em class="replaceable"><code>value</code></em>.
-  </p>
-<p>
-  (Default = 53; abbreviation = po)
-  </p>
-</dd>
-<dt><span class="term"><code class="constant">querytype=</code><em class="replaceable"><code>value</code></em></span></dt>
-<dd><p></p></dd>
-<dt><span class="term"><code class="constant">type=</code><em class="replaceable"><code>value</code></em></span></dt>
-<dd>
-<p>
-  Change the type of the information query.
-  </p>
-<p>
-  (Default = A; abbreviations = q, ty)
-  </p>
-</dd>
-<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>recurse</code></span></dt>
-<dd>
-<p>
-  Tell the name server to query other servers if it does not have the
-  information.
-  </p>
-<p>
-  (Default = recurse; abbreviation = [no]rec)
-  </p>
-</dd>
-<dt><span class="term"><code class="constant">retry=</code><em class="replaceable"><code>number</code></em></span></dt>
-<dd><p>
-  Set the number of retries to number.
-  </p></dd>
-<dt><span class="term"><code class="constant">timeout=</code><em class="replaceable"><code>number</code></em></span></dt>
-<dd><p>
-  Change the initial timeout interval for waiting for a
-  reply to number seconds.
-  </p></dd>
-<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>vc</code></span></dt>
-<dd>
-<p>
-  Always use a virtual circuit when sending requests to the server.
-  </p>
-<p>
-  (Default = novc)
-  </p>
-</dd>
-</dl></div>
-<p>
-</p>
-</dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543797"></a><h2>FILES</h2>
-<p>
-<code class="filename">/etc/resolv.conf</code>
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543810"></a><h2>SEE ALSO</h2>
-<p>
-<span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
-<span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>,
-<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543845"></a><h2>Author</h2>
-<p>
-Andrew Cherenson
-</p>
-</div>
-</div></body>
-</html>
diff --git a/bin/dig/win32/dig.dsp b/bin/dig/win32/dig.dsp
index 2280fbec..db736d02 100644
--- a/bin/dig/win32/dig.dsp
+++ b/bin/dig/win32/dig.dsp
@@ -1,103 +1,111 @@
-# Microsoft Developer Studio Project File - Name="dig" - Package Owner=<4>

-# Microsoft Developer Studio Generated Build File, Format Version 6.00

-# ** DO NOT EDIT **

-

-# TARGTYPE "Win32 (x86) Console Application" 0x0103

-

-CFG=dig - Win32 Debug

-!MESSAGE This is not a valid makefile. To build this project using NMAKE,

-!MESSAGE use the Export Makefile command and run

-!MESSAGE 

-!MESSAGE NMAKE /f "dig.mak".

-!MESSAGE 

-!MESSAGE You can specify a configuration when running NMAKE

-!MESSAGE by defining the macro CFG on the command line. For example:

-!MESSAGE 

-!MESSAGE NMAKE /f "dig.mak" CFG="dig - Win32 Debug"

-!MESSAGE 

-!MESSAGE Possible choices for configuration are:

-!MESSAGE 

-!MESSAGE "dig - Win32 Release" (based on "Win32 (x86) Console Application")

-!MESSAGE "dig - Win32 Debug" (based on "Win32 (x86) Console Application")

-!MESSAGE 

-

-# Begin Project

-# PROP AllowPerConfigDependencies 0

-# PROP Scc_ProjName ""

-# PROP Scc_LocalPath ""

-CPP=cl.exe

-RSC=rc.exe

-

-!IF  "$(CFG)" == "dig - Win32 Release"

-

-# PROP BASE Use_MFC 0

-# PROP BASE Use_Debug_Libraries 0

-# PROP BASE Output_Dir "Release"

-# PROP BASE Intermediate_Dir "Release"

-# PROP BASE Target_Dir ""

-# PROP Use_MFC 0

-# PROP Use_Debug_Libraries 0

-# PROP Output_Dir "Release"

-# PROP Intermediate_Dir "Release"

-# PROP Ignore_Export_Lib 0

-# PROP Target_Dir ""

-# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c

-# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c

-# ADD BASE RSC /l 0x409 /d "NDEBUG"

-# ADD RSC /l 0x409 /d "NDEBUG"

-BSC32=bscmake.exe

-# ADD BASE BSC32 /nologo

-# ADD BSC32 /nologo

-LINK32=link.exe

-# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386

-# ADD LINK32 user32.lib advapi32.lib ws2_32.lib Release/dighost.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/dig.exe"

-

-!ELSEIF  "$(CFG)" == "dig - Win32 Debug"

-

-# PROP BASE Use_MFC 0

-# PROP BASE Use_Debug_Libraries 1

-# PROP BASE Output_Dir "Debug"

-# PROP BASE Intermediate_Dir "Debug"

-# PROP BASE Target_Dir ""

-# PROP Use_MFC 0

-# PROP Use_Debug_Libraries 1

-# PROP Output_Dir "Debug"

-# PROP Intermediate_Dir "Debug"

-# PROP Ignore_Export_Lib 0

-# PROP Target_Dir ""

-# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c

-# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c

-# SUBTRACT CPP /X /u /YX

-# ADD BASE RSC /l 0x409 /d "_DEBUG"

-# ADD RSC /l 0x409 /d "_DEBUG"

-BSC32=bscmake.exe

-# ADD BASE BSC32 /nologo

-# ADD BSC32 /nologo

-LINK32=link.exe

-# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept

-# ADD LINK32 user32.lib advapi32.lib ws2_32.lib Debug/dighost.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/dig.exe" /pdbtype:sept

-

-!ENDIF 

-

-# Begin Target

-

-# Name "dig - Win32 Release"

-# Name "dig - Win32 Debug"

-# Begin Group "Source Files"

-

-# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"

-# Begin Source File

-

-SOURCE=..\dig.c

-# End Source File

-# End Group

-# Begin Group "Header Files"

-

-# PROP Default_Filter "h;hpp;hxx;hm;inl"

-# End Group

-# Begin Group "Resource Files"

-

-# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"

-# End Group

-# End Target

-# End Project

+# Microsoft Developer Studio Project File - Name="dig" - Package Owner=<4>
+# Microsoft Developer Studio Generated Build File, Format Version 6.00
+# ** DO NOT EDIT **
+
+# TARGTYPE "Win32 (x86) Console Application" 0x0103
+
+CFG=dig - Win32 Debug
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,
+!MESSAGE use the Export Makefile command and run
+!MESSAGE 
+!MESSAGE NMAKE /f "dig.mak".
+!MESSAGE 
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "dig.mak" CFG="dig - Win32 Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "dig - Win32 Release" (based on "Win32 (x86) Console Application")
+!MESSAGE "dig - Win32 Debug" (based on "Win32 (x86) Console Application")
+!MESSAGE 
+
+# Begin Project
+# PROP AllowPerConfigDependencies 0
+# PROP Scc_ProjName ""
+# PROP Scc_LocalPath ""
+CPP=cl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "dig - Win32 Release"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 0
+# PROP BASE Output_Dir "Release"
+# PROP BASE Intermediate_Dir "Release"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 0
+# PROP Output_Dir "Release"
+# PROP Intermediate_Dir "Release"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
+# ADD CPP /nologo /MT /W3 /GX /O2 /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/dns/sec/dst/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
+# ADD BASE RSC /l 0x409 /d "NDEBUG"
+# ADD RSC /l 0x409 /d "NDEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/bind9/win32/Release/libbind9.lib ../../../lib/lwres/win32/Release/liblwres.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/dig.exe"
+
+!ELSEIF  "$(CFG)" == "dig - Win32 Debug"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 1
+# PROP BASE Output_Dir "Debug"
+# PROP BASE Intermediate_Dir "Debug"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 1
+# PROP Output_Dir "Debug"
+# PROP Intermediate_Dir "Debug"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c
+# ADD CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/dns/sec/dst/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
+# SUBTRACT CPP /X /u /YX
+# ADD BASE RSC /l 0x409 /d "_DEBUG"
+# ADD RSC /l 0x409 /d "_DEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/bind9/win32/Debug/libbind9.lib ../../../lib/lwres/win32/Debug/liblwres.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/dig.exe" /pdbtype:sept
+
+!ENDIF 
+
+# Begin Target
+
+# Name "dig - Win32 Release"
+# Name "dig - Win32 Debug"
+# Begin Group "Source Files"
+
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
+# Begin Source File
+
+SOURCE=..\dig.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\dighost.c
+# End Source File
+# End Group
+# Begin Group "Header Files"
+
+# PROP Default_Filter "h;hpp;hxx;hm;inl"
+# Begin Source File
+
+SOURCE=..\include\dig\dig.h
+# End Source File
+# End Group
+# Begin Group "Resource Files"
+
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"
+# End Group
+# End Target
+# End Project
diff --git a/bin/dig/win32/dig.dsw b/bin/dig/win32/dig.dsw
index ae9c5489..bccc2677 100644
--- a/bin/dig/win32/dig.dsw
+++ b/bin/dig/win32/dig.dsw
@@ -1,29 +1,29 @@
-Microsoft Developer Studio Workspace File, Format Version 6.00

-# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!

-

-###############################################################################

-

-Project: "dig"=".\dig.dsp" - Package Owner=<4>

-

-Package=<5>

-{{{

-}}}

-

-Package=<4>

-{{{

-}}}

-

-###############################################################################

-

-Global:

-

-Package=<5>

-{{{

-}}}

-

-Package=<3>

-{{{

-}}}

-

-###############################################################################

-

+Microsoft Developer Studio Workspace File, Format Version 6.00
+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!
+
+###############################################################################
+
+Project: "dig"=".\dig.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+}}}
+
+###############################################################################
+
+Global:
+
+Package=<5>
+{{{
+}}}
+
+Package=<3>
+{{{
+}}}
+
+###############################################################################
+
diff --git a/bin/dig/win32/dig.mak b/bin/dig/win32/dig.mak
index 24bfad17..d7d22d31 100644
--- a/bin/dig/win32/dig.mak
+++ b/bin/dig/win32/dig.mak
@@ -1,324 +1,328 @@
-# Microsoft Developer Studio Generated NMAKE File, Based on dig.dsp

-!IF "$(CFG)" == ""

-CFG=dig - Win32 Debug

-!MESSAGE No configuration specified. Defaulting to dig - Win32 Debug.

-!ENDIF 

-

-!IF "$(CFG)" != "dig - Win32 Release" && "$(CFG)" != "dig - Win32 Debug"

-!MESSAGE Invalid configuration "$(CFG)" specified.

-!MESSAGE You can specify a configuration when running NMAKE

-!MESSAGE by defining the macro CFG on the command line. For example:

-!MESSAGE 

-!MESSAGE NMAKE /f "dig.mak" CFG="dig - Win32 Debug"

-!MESSAGE 

-!MESSAGE Possible choices for configuration are:

-!MESSAGE 

-!MESSAGE "dig - Win32 Release" (based on "Win32 (x86) Console Application")

-!MESSAGE "dig - Win32 Debug" (based on "Win32 (x86) Console Application")

-!MESSAGE 

-!ERROR An invalid configuration is specified.

-!ENDIF 

-

-!IF "$(OS)" == "Windows_NT"

-NULL=

-!ELSE 

-NULL=nul

-!ENDIF 

-

-!IF  "$(CFG)" == "dig - Win32 Release"

-_VC_MANIFEST_INC=0

-_VC_MANIFEST_BASENAME=__VC80

-!ELSE

-_VC_MANIFEST_INC=1

-_VC_MANIFEST_BASENAME=__VC80.Debug

-!ENDIF

-

-####################################################

-# Specifying name of temporary resource file used only in incremental builds:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res

-!else

-_VC_MANIFEST_AUTO_RES=

-!endif

-

-####################################################

-# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-

-#MT_SPECIAL_RETURN=1090650113

-#MT_SPECIAL_SWITCH=-notify_resource_update

-MT_SPECIAL_RETURN=0

-MT_SPECIAL_SWITCH=

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \

-if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \

-rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \

-link $** /out:$@ $(LFLAGS)

-

-!else

-

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1

-

-!endif

-

-####################################################

-# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-

-#MT_SPECIAL_RETURN=1090650113

-#MT_SPECIAL_SWITCH=-notify_resource_update

-MT_SPECIAL_RETURN=0

-MT_SPECIAL_SWITCH=

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \

-if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \

-rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \

-link $** /out:$@ $(LFLAGS)

-

-!else

-

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2

-

-!endif

-####################################################

-# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-

-_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \

-    $(_VC_MANIFEST_BASENAME).auto.rc \

-    $(_VC_MANIFEST_BASENAME).auto.manifest

-

-!else

-

-_VC_MANIFEST_CLEAN=

-

-!endif

-

-!IF  "$(CFG)" == "dig - Win32 Release"

-

-OUTDIR=.\Release

-INTDIR=.\Release

-

-ALL : "..\..\..\Build\Release\dig.exe"

-

-

-CLEAN :

-	-@erase "$(INTDIR)\dig.obj"

-	-@erase "$(INTDIR)\dighost.obj"

-	-@erase "$(INTDIR)\vc60.idb"

-	-@erase "..\..\..\Build\Release\dig.exe"

-	-@$(_VC_MANIFEST_CLEAN)

-

-"$(OUTDIR)" :

-    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"

-

-CPP=cl.exe

-CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\dig.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 

-

-.c{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.c{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-RSC=rc.exe

-BSC32=bscmake.exe

-BSC32_FLAGS=/nologo /o"$(OUTDIR)\dig.bsc" 

-BSC32_SBRS= \

-	

-LINK32=link.exe

-LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\dig.pdb" /machine:I386 /out:"../../../Build/Release/dig.exe" 

-LINK32_OBJS= \

-	"$(INTDIR)\dig.obj" \

-	"$(INTDIR)\dighost.obj"

-

-"..\..\..\Build\Release\dig.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)

-    $(LINK32) @<<

-  $(LINK32_FLAGS) $(LINK32_OBJS)

-<<

-    $(_VC_MANIFEST_EMBED_EXE)

-

-!ELSEIF  "$(CFG)" == "dig - Win32 Debug"

-

-OUTDIR=.\Debug

-INTDIR=.\Debug

-# Begin Custom Macros

-OutDir=.\Debug

-# End Custom Macros

-

-ALL : "..\..\..\Build\Debug\dig.exe" "$(OUTDIR)\dig.bsc"

-

-

-CLEAN :

-	-@erase "$(INTDIR)\dig.obj"

-	-@erase "$(INTDIR)\dig.sbr"

-	-@erase "$(INTDIR)\dighost.obj"

-	-@erase "$(INTDIR)\dighost.sbr"

-	-@erase "$(INTDIR)\vc60.idb"

-	-@erase "$(INTDIR)\vc60.pdb"

-	-@erase "$(OUTDIR)\dig.bsc"

-	-@erase "$(OUTDIR)\dig.pdb"

-	-@erase "..\..\..\Build\Debug\dig.exe"

-	-@erase "..\..\..\Build\Debug\dig.ilk"

-	-@$(_VC_MANIFEST_CLEAN)

-

-"$(OUTDIR)" :

-    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"

-

-CPP=cl.exe

-CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 

-

-.c{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.c{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-RSC=rc.exe

-BSC32=bscmake.exe

-BSC32_FLAGS=/nologo /o"$(OUTDIR)\dig.bsc" 

-BSC32_SBRS= \

-	"$(INTDIR)\dig.sbr" \

-	"$(INTDIR)\dighost.sbr"

-

-"$(OUTDIR)\dig.bsc" : "$(OUTDIR)" $(BSC32_SBRS)

-    $(BSC32) @<<

-  $(BSC32_FLAGS) $(BSC32_SBRS)

-<<

-

-LINK32=link.exe

-LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\dig.pdb" /debug /machine:I386 /out:"../../../Build/Debug/dig.exe" /pdbtype:sept 

-LINK32_OBJS= \

-	"$(INTDIR)\dig.obj" \

-	"$(INTDIR)\dighost.obj"

-

-"..\..\..\Build\Debug\dig.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)

-    $(LINK32) @<<

-  $(LINK32_FLAGS) $(LINK32_OBJS)

-<<

-    $(_VC_MANIFEST_EMBED_EXE)

-

-!ENDIF 

-

-

-!IF "$(NO_EXTERNAL_DEPS)" != "1"

-!IF EXISTS("dig.dep")

-!INCLUDE "dig.dep"

-!ELSE 

-!MESSAGE Warning: cannot find "dig.dep"

-!ENDIF 

-!ENDIF 

-

-

-!IF "$(CFG)" == "dig - Win32 Release" || "$(CFG)" == "dig - Win32 Debug"

-SOURCE=..\dig.c

-

-!IF  "$(CFG)" == "dig - Win32 Release"

-

-

-"$(INTDIR)\dig.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "dig - Win32 Debug"

-

-

-"$(INTDIR)\dig.obj"	"$(INTDIR)\dig.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\dighost.c

-

-!IF  "$(CFG)" == "dig - Win32 Release"

-

-

-"$(INTDIR)\dighost.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "dig - Win32 Debug"

-

-

-"$(INTDIR)\dighost.obj"	"$(INTDIR)\dighost.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-

-!ENDIF 

-

-####################################################

-# Commands to generate initial empty manifest file and the RC file

-# that references it, and for generating the .res file:

-

-$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc

-

-$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest

-    type <<$@

-#include <winuser.h>

-1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"

-<< KEEP

-

-$(_VC_MANIFEST_BASENAME).auto.manifest :

-    type <<$@

-<?xml version='1.0' encoding='UTF-8' standalone='yes'?>

-<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>

-</assembly>

-<< KEEP

+# Microsoft Developer Studio Generated NMAKE File, Based on dig.dsp
+!IF "$(CFG)" == ""
+CFG=dig - Win32 Debug
+!MESSAGE No configuration specified. Defaulting to dig - Win32 Debug.
+!ENDIF 
+
+!IF "$(CFG)" != "dig - Win32 Release" && "$(CFG)" != "dig - Win32 Debug"
+!MESSAGE Invalid configuration "$(CFG)" specified.
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "dig.mak" CFG="dig - Win32 Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "dig - Win32 Release" (based on "Win32 (x86) Console Application")
+!MESSAGE "dig - Win32 Debug" (based on "Win32 (x86) Console Application")
+!MESSAGE 
+!ERROR An invalid configuration is specified.
+!ENDIF 
+
+!IF "$(OS)" == "Windows_NT"
+NULL=
+!ELSE 
+NULL=nul
+!ENDIF 
+
+CPP=cl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "dig - Win32 Release"
+
+OUTDIR=.\Release
+INTDIR=.\Release
+
+!IF "$(RECURSE)" == "0" 
+
+ALL : "..\..\..\Build\Release\dig.exe"
+
+!ELSE 
+
+ALL : "liblwres - Win32 Release" "libbind9 - Win32 Release" "libisc - Win32 Release" "libdns - Win32 Release" "..\..\..\Build\Release\dig.exe"
+
+!ENDIF 
+
+!IF "$(RECURSE)" == "1" 
+CLEAN :"libdns - Win32 ReleaseCLEAN" "libisc - Win32 ReleaseCLEAN" "libbind9 - Win32 ReleaseCLEAN" "liblwres - Win32 ReleaseCLEAN" 
+!ELSE 
+CLEAN :
+!ENDIF 
+	-@erase "$(INTDIR)\dig.obj"
+	-@erase "$(INTDIR)\dighost.obj"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "..\..\..\Build\Release\dig.exe"
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP_PROJ=/nologo /MT /W3 /GX /O2 /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/dns/sec/dst/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\dig.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\dig.bsc" 
+BSC32_SBRS= \
+	
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/bind9/win32/Release/libbind9.lib ../../../lib/lwres/win32/Release/liblwres.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\dig.pdb" /machine:I386 /out:"../../../Build/Release/dig.exe" 
+LINK32_OBJS= \
+	"$(INTDIR)\dig.obj" \
+	"$(INTDIR)\dighost.obj" \
+	"..\..\..\lib\dns\win32\Release\libdns.lib" \
+	"..\..\..\lib\isc\win32\Release\libisc.lib" \
+	"..\..\..\lib\bind9\win32\Release\libbind9.lib" \
+	"..\..\..\lib\lwres\win32\Release\liblwres.lib"
+
+"..\..\..\Build\Release\dig.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+
+!ELSEIF  "$(CFG)" == "dig - Win32 Debug"
+
+OUTDIR=.\Debug
+INTDIR=.\Debug
+# Begin Custom Macros
+OutDir=.\Debug
+# End Custom Macros
+
+!IF "$(RECURSE)" == "0" 
+
+ALL : "..\..\..\Build\Debug\dig.exe" "$(OUTDIR)\dig.bsc"
+
+!ELSE 
+
+ALL : "liblwres - Win32 Debug" "libbind9 - Win32 Debug" "libisc - Win32 Debug" "libdns - Win32 Debug" "..\..\..\Build\Debug\dig.exe" "$(OUTDIR)\dig.bsc"
+
+!ENDIF 
+
+!IF "$(RECURSE)" == "1" 
+CLEAN :"libdns - Win32 DebugCLEAN" "libisc - Win32 DebugCLEAN" "libbind9 - Win32 DebugCLEAN" "liblwres - Win32 DebugCLEAN" 
+!ELSE 
+CLEAN :
+!ENDIF 
+	-@erase "$(INTDIR)\dig.obj"
+	-@erase "$(INTDIR)\dig.sbr"
+	-@erase "$(INTDIR)\dighost.obj"
+	-@erase "$(INTDIR)\dighost.sbr"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "$(INTDIR)\vc60.pdb"
+	-@erase "$(OUTDIR)\dig.bsc"
+	-@erase "$(OUTDIR)\dig.pdb"
+	-@erase "..\..\..\Build\Debug\dig.exe"
+	-@erase "..\..\..\Build\Debug\dig.ilk"
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP_PROJ=/nologo /MTd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/dns/sec/dst/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\dig.bsc" 
+BSC32_SBRS= \
+	"$(INTDIR)\dig.sbr" \
+	"$(INTDIR)\dighost.sbr"
+
+"$(OUTDIR)\dig.bsc" : "$(OUTDIR)" $(BSC32_SBRS)
+    $(BSC32) @<<
+  $(BSC32_FLAGS) $(BSC32_SBRS)
+<<
+
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/bind9/win32/Debug/libbind9.lib ../../../lib/lwres/win32/Debug/liblwres.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\dig.pdb" /debug /machine:I386 /out:"../../../Build/Debug/dig.exe" /pdbtype:sept 
+LINK32_OBJS= \
+	"$(INTDIR)\dig.obj" \
+	"$(INTDIR)\dighost.obj" \
+	"..\..\..\lib\dns\win32\Debug\libdns.lib" \
+	"..\..\..\lib\isc\win32\Debug\libisc.lib" \
+	"..\..\..\lib\bind9\win32\Debug\libbind9.lib" \
+	"..\..\..\lib\lwres\win32\Debug\liblwres.lib"
+
+"..\..\..\Build\Debug\dig.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+
+!ENDIF 
+
+.c{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+
+!IF "$(NO_EXTERNAL_DEPS)" != "1"
+!IF EXISTS("dig.dep")
+!INCLUDE "dig.dep"
+!ELSE 
+!MESSAGE Warning: cannot find "dig.dep"
+!ENDIF 
+!ENDIF 
+
+
+!IF "$(CFG)" == "dig - Win32 Release" || "$(CFG)" == "dig - Win32 Debug"
+SOURCE=..\dig.c
+
+!IF  "$(CFG)" == "dig - Win32 Release"
+
+
+"$(INTDIR)\dig.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "dig - Win32 Debug"
+
+
+"$(INTDIR)\dig.obj"	"$(INTDIR)\dig.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\dighost.c
+
+!IF  "$(CFG)" == "dig - Win32 Release"
+
+
+"$(INTDIR)\dighost.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "dig - Win32 Debug"
+
+
+"$(INTDIR)\dighost.obj"	"$(INTDIR)\dighost.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+!IF  "$(CFG)" == "dig - Win32 Release"
+
+"libdns - Win32 Release" : 
+   cd "..\..\..\lib\dns\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libdns.mak" CFG="libdns - Win32 Release" 
+   cd "..\..\..\bin\dig\win32"
+
+"libdns - Win32 ReleaseCLEAN" : 
+   cd "..\..\..\lib\dns\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libdns.mak" CFG="libdns - Win32 Release" RECURSE=1 CLEAN 
+   cd "..\..\..\bin\dig\win32"
+
+!ELSEIF  "$(CFG)" == "dig - Win32 Debug"
+
+"libdns - Win32 Debug" : 
+   cd "..\..\..\lib\dns\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libdns.mak" CFG="libdns - Win32 Debug" 
+   cd "..\..\..\bin\dig\win32"
+
+"libdns - Win32 DebugCLEAN" : 
+   cd "..\..\..\lib\dns\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libdns.mak" CFG="libdns - Win32 Debug" RECURSE=1 CLEAN 
+   cd "..\..\..\bin\dig\win32"
+
+!ENDIF 
+
+!IF  "$(CFG)" == "dig - Win32 Release"
+
+"libisc - Win32 Release" : 
+   cd "..\..\..\lib\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - Win32 Release" 
+   cd "..\..\..\bin\dig\win32"
+
+"libisc - Win32 ReleaseCLEAN" : 
+   cd "..\..\..\lib\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - Win32 Release" RECURSE=1 CLEAN 
+   cd "..\..\..\bin\dig\win32"
+
+!ELSEIF  "$(CFG)" == "dig - Win32 Debug"
+
+"libisc - Win32 Debug" : 
+   cd "..\..\..\lib\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - Win32 Debug" 
+   cd "..\..\..\bin\dig\win32"
+
+"libisc - Win32 DebugCLEAN" : 
+   cd "..\..\..\lib\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - Win32 Debug" RECURSE=1 CLEAN 
+   cd "..\..\..\bin\dig\win32"
+
+!ENDIF 
+
+!IF  "$(CFG)" == "dig - Win32 Release"
+
+"libbind9 - Win32 Release" : 
+   cd "..\..\..\lib\bind9\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libbind9.mak" CFG="libbind9 - Win32 Release" 
+   cd "..\..\..\bin\dig\win32"
+
+"libbind9 - Win32 ReleaseCLEAN" : 
+   cd "..\..\..\lib\bind9\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libbind9.mak" CFG="libbind9 - Win32 Release" RECURSE=1 CLEAN 
+   cd "..\..\..\bin\dig\win32"
+
+!ELSEIF  "$(CFG)" == "dig - Win32 Debug"
+
+"libbind9 - Win32 Debug" : 
+   cd "..\..\..\lib\bind9\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libbind9.mak" CFG="libbind9 - Win32 Debug" 
+   cd "..\..\..\bin\dig\win32"
+
+"libbind9 - Win32 DebugCLEAN" : 
+   cd "..\..\..\lib\bind9\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libbind9.mak" CFG="libbind9 - Win32 Debug" RECURSE=1 CLEAN 
+   cd "..\..\..\bin\dig\win32"
+
+!ENDIF 
+
+!IF  "$(CFG)" == "dig - Win32 Release"
+
+"liblwres - Win32 Release" : 
+   cd "..\..\..\lib\lwres\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\liblwres.mak" CFG="liblwres - Win32 Release" 
+   cd "..\..\..\bin\dig\win32"
+
+"liblwres - Win32 ReleaseCLEAN" : 
+   cd "..\..\..\lib\lwres\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\liblwres.mak" CFG="liblwres - Win32 Release" RECURSE=1 CLEAN 
+   cd "..\..\..\bin\dig\win32"
+
+!ELSEIF  "$(CFG)" == "dig - Win32 Debug"
+
+"liblwres - Win32 Debug" : 
+   cd "..\..\..\lib\lwres\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\liblwres.mak" CFG="liblwres - Win32 Debug" 
+   cd "..\..\..\bin\dig\win32"
+
+"liblwres - Win32 DebugCLEAN" : 
+   cd "..\..\..\lib\lwres\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\liblwres.mak" CFG="liblwres - Win32 Debug" RECURSE=1 CLEAN 
+   cd "..\..\..\bin\dig\win32"
+
+!ENDIF 
+
+
+!ENDIF 
+
diff --git a/bin/dig/win32/dighost.dsp b/bin/dig/win32/dighost.dsp
deleted file mode 100644
index 29089511..00000000
--- a/bin/dig/win32/dighost.dsp
+++ /dev/null
@@ -1,113 +0,0 @@
-# Microsoft Developer Studio Project File - Name="dighost" - Package Owner=<4>

-# Microsoft Developer Studio Generated Build File, Format Version 6.00

-# ** DO NOT EDIT **

-

-# TARGTYPE "Win32 (x86) Static-Link Library" 0x0104

-

-CFG=dighost - Win32 Debug

-!MESSAGE This is not a valid makefile. To build this project using NMAKE,

-!MESSAGE use the Export Makefile command and run

-!MESSAGE 

-!MESSAGE NMAKE /f "dighost.mak".

-!MESSAGE 

-!MESSAGE You can specify a configuration when running NMAKE

-!MESSAGE by defining the macro CFG on the command line. For example:

-!MESSAGE 

-!MESSAGE NMAKE /f "dighost.mak" CFG="dighost - Win32 Debug"

-!MESSAGE 

-!MESSAGE Possible choices for configuration are:

-!MESSAGE 

-!MESSAGE "dighost - Win32 Release" (based on "Win32 (x86) Static-Link Library")

-!MESSAGE "dighost - Win32 Debug" (based on "Win32 (x86) Static-Link Library")

-!MESSAGE 

-

-# Begin Project

-# PROP AllowPerConfigDependencies 0

-# PROP Scc_ProjName ""

-# PROP Scc_LocalPath ""

-CPP=cl.exe

-MTL=midl.exe

-RSC=rc.exe

-

-!IF  "$(CFG)" == "dighost - Win32 Release"

-

-# PROP BASE Use_MFC 0

-# PROP BASE Use_Debug_Libraries 0

-# PROP BASE Output_Dir "Release"

-# PROP BASE Intermediate_Dir "Release"

-# PROP BASE Target_Dir ""

-# PROP Use_MFC 0

-# PROP Use_Debug_Libraries 0

-# PROP Output_Dir "Release"

-# PROP Intermediate_Dir "Release"

-# PROP Ignore_Export_Lib 0

-# PROP Target_Dir ""

-# ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /YX /FD /c

-# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /YX /FD /c /Fddighost

-# SUBTRACT CPP /X

-# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32

-# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32

-# ADD BASE RSC /l 0x409 /d "NDEBUG"

-# ADD RSC /l 0x409 /d "NDEBUG"

-BSC32=bscmake.exe

-# ADD BASE BSC32 /nologo

-# ADD BSC32 /nologo

-LINK32=link.exe

-# ADD BASE LINK32 

-# ADD LINK32 /out:"Release/dighost.lib"

-

-!ELSEIF  "$(CFG)" == "dighost - Win32 Debug"

-

-# PROP BASE Use_MFC 0

-# PROP BASE Use_Debug_Libraries 1

-# PROP BASE Output_Dir "Debug"

-# PROP BASE Intermediate_Dir "Debug"

-# PROP BASE Target_Dir ""

-# PROP Use_MFC 0

-# PROP Use_Debug_Libraries 1

-# PROP Output_Dir "Debug"

-# PROP Intermediate_Dir "Debug"

-# PROP Ignore_Export_Lib 0

-# PROP Target_Dir ""

-# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /YX /FD /GZ /c

-# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /FR /YX /FD /GZ /c /Fddighost

-# SUBTRACT CPP /X

-# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32

-# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32

-# ADD BASE RSC /l 0x409 /d "_DEBUG"

-# ADD RSC /l 0x409 /d "_DEBUG"

-BSC32=bscmake.exe

-# ADD BASE BSC32 /nologo

-# ADD BSC32 /nologo

-LINK32=link.exe

-# ADD BASE LINK32 

-# ADD LINK32 /debug out:"Debug/dighost.lib"

-

-!ENDIF 

-

-# Begin Target

-

-# Name "dighost - Win32 Release"

-# Name "dighost - Win32 Debug"

-# Begin Group "Source Files"

-

-# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"

-# End Group

-# Begin Group "Header Files"

-

-# PROP Default_Filter "h;hpp;hxx;hm;inl"

-# End Group

-# Begin Group "Resource Files"

-

-# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"

-# End Group

-# Begin Group "Main Dns Lib"

-

-# PROP Default_Filter "c"

-# Begin Source File

-

-SOURCE=..\dighost.c

-# End Source File

-# End Group

-# End Target

-# End Project

diff --git a/bin/dig/win32/host.dsp b/bin/dig/win32/host.dsp
index fcbd2577..a20120a6 100644
--- a/bin/dig/win32/host.dsp
+++ b/bin/dig/win32/host.dsp
@@ -1,103 +1,107 @@
-# Microsoft Developer Studio Project File - Name="host" - Package Owner=<4>

-# Microsoft Developer Studio Generated Build File, Format Version 6.00

-# ** DO NOT EDIT **

-

-# TARGTYPE "Win32 (x86) Console Application" 0x0103

-

-CFG=host - Win32 Debug

-!MESSAGE This is not a valid makefile. To build this project using NMAKE,

-!MESSAGE use the Export Makefile command and run

-!MESSAGE 

-!MESSAGE NMAKE /f "host.mak".

-!MESSAGE 

-!MESSAGE You can specify a configuration when running NMAKE

-!MESSAGE by defining the macro CFG on the command line. For example:

-!MESSAGE 

-!MESSAGE NMAKE /f "host.mak" CFG="host - Win32 Debug"

-!MESSAGE 

-!MESSAGE Possible choices for configuration are:

-!MESSAGE 

-!MESSAGE "host - Win32 Release" (based on "Win32 (x86) Console Application")

-!MESSAGE "host - Win32 Debug" (based on "Win32 (x86) Console Application")

-!MESSAGE 

-

-# Begin Project

-# PROP AllowPerConfigDependencies 0

-# PROP Scc_ProjName ""

-# PROP Scc_LocalPath ""

-CPP=cl.exe

-RSC=rc.exe

-

-!IF  "$(CFG)" == "host - Win32 Release"

-

-# PROP BASE Use_MFC 0

-# PROP BASE Use_Debug_Libraries 0

-# PROP BASE Output_Dir "Release"

-# PROP BASE Intermediate_Dir "Release"

-# PROP BASE Target_Dir ""

-# PROP Use_MFC 0

-# PROP Use_Debug_Libraries 0

-# PROP Output_Dir "Release"

-# PROP Intermediate_Dir "Release"

-# PROP Ignore_Export_Lib 0

-# PROP Target_Dir ""

-# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c

-# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c

-# ADD BASE RSC /l 0x409 /d "NDEBUG"

-# ADD RSC /l 0x409 /d "NDEBUG"

-BSC32=bscmake.exe

-# ADD BASE BSC32 /nologo

-# ADD BSC32 /nologo

-LINK32=link.exe

-# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386

-# ADD LINK32 user32.lib advapi32.lib ws2_32.lib Release/dighost.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/host.exe"

-

-!ELSEIF  "$(CFG)" == "host - Win32 Debug"

-

-# PROP BASE Use_MFC 0

-# PROP BASE Use_Debug_Libraries 1

-# PROP BASE Output_Dir "Debug"

-# PROP BASE Intermediate_Dir "Debug"

-# PROP BASE Target_Dir ""

-# PROP Use_MFC 0

-# PROP Use_Debug_Libraries 1

-# PROP Output_Dir "Debug"

-# PROP Intermediate_Dir "Debug"

-# PROP Ignore_Export_Lib 0

-# PROP Target_Dir ""

-# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c

-# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c

-# SUBTRACT CPP /X /u /YX

-# ADD BASE RSC /l 0x409 /d "_DEBUG"

-# ADD RSC /l 0x409 /d "_DEBUG"

-BSC32=bscmake.exe

-# ADD BASE BSC32 /nologo

-# ADD BSC32 /nologo

-LINK32=link.exe

-# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept

-# ADD LINK32 user32.lib advapi32.lib ws2_32.lib Debug/dighost.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/host.exe" /pdbtype:sept

-

-!ENDIF 

-

-# Begin Target

-

-# Name "host - Win32 Release"

-# Name "host - Win32 Debug"

-# Begin Group "Source Files"

-

-# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"

-# Begin Source File

-

-SOURCE=..\host.c

-# End Source File

-# End Group

-# Begin Group "Header Files"

-

-# PROP Default_Filter "h;hpp;hxx;hm;inl"

-# End Group

-# Begin Group "Resource Files"

-

-# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"

-# End Group

-# End Target

-# End Project

+# Microsoft Developer Studio Project File - Name="host" - Package Owner=<4>
+# Microsoft Developer Studio Generated Build File, Format Version 6.00
+# ** DO NOT EDIT **
+
+# TARGTYPE "Win32 (x86) Console Application" 0x0103
+
+CFG=host - Win32 Debug
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,
+!MESSAGE use the Export Makefile command and run
+!MESSAGE 
+!MESSAGE NMAKE /f "host.mak".
+!MESSAGE 
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "host.mak" CFG="host - Win32 Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "host - Win32 Release" (based on "Win32 (x86) Console Application")
+!MESSAGE "host - Win32 Debug" (based on "Win32 (x86) Console Application")
+!MESSAGE 
+
+# Begin Project
+# PROP AllowPerConfigDependencies 0
+# PROP Scc_ProjName ""
+# PROP Scc_LocalPath ""
+CPP=cl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "host - Win32 Release"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 0
+# PROP BASE Output_Dir "Release"
+# PROP BASE Intermediate_Dir "Release"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 0
+# PROP Output_Dir "Release"
+# PROP Intermediate_Dir "Release"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
+# ADD CPP /nologo /MT /W3 /GX /O2 /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/dns/sec/dst/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
+# ADD BASE RSC /l 0x409 /d "NDEBUG"
+# ADD RSC /l 0x409 /d "NDEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/bind9/win32/Release/libbind9.lib  ../../../lib/lwres/win32/Release/liblwres.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/host.exe"
+
+!ELSEIF  "$(CFG)" == "host - Win32 Debug"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 1
+# PROP BASE Output_Dir "Debug"
+# PROP BASE Intermediate_Dir "Debug"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 1
+# PROP Output_Dir "Debug"
+# PROP Intermediate_Dir "Debug"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c
+# ADD CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/dns/sec/dst/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
+# SUBTRACT CPP /X /u /YX
+# ADD BASE RSC /l 0x409 /d "_DEBUG"
+# ADD RSC /l 0x409 /d "_DEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/bind9/win32/Debug/libbind9.lib  ../../../lib/lwres/win32/Debug/liblwres.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/host.exe" /pdbtype:sept
+
+!ENDIF 
+
+# Begin Target
+
+# Name "host - Win32 Release"
+# Name "host - Win32 Debug"
+# Begin Group "Source Files"
+
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
+# Begin Source File
+
+SOURCE=..\dighost.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\host.c
+# End Source File
+# End Group
+# Begin Group "Header Files"
+
+# PROP Default_Filter "h;hpp;hxx;hm;inl"
+# End Group
+# Begin Group "Resource Files"
+
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"
+# End Group
+# End Target
+# End Project
diff --git a/bin/dig/win32/host.dsw b/bin/dig/win32/host.dsw
index e566e780..5a217b30 100644
--- a/bin/dig/win32/host.dsw
+++ b/bin/dig/win32/host.dsw
@@ -1,29 +1,29 @@
-Microsoft Developer Studio Workspace File, Format Version 6.00

-# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!

-

-###############################################################################

-

-Project: "host"=".\host.dsp" - Package Owner=<4>

-

-Package=<5>

-{{{

-}}}

-

-Package=<4>

-{{{

-}}}

-

-###############################################################################

-

-Global:

-

-Package=<5>

-{{{

-}}}

-

-Package=<3>

-{{{

-}}}

-

-###############################################################################

-

+Microsoft Developer Studio Workspace File, Format Version 6.00
+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!
+
+###############################################################################
+
+Project: "host"=".\host.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+}}}
+
+###############################################################################
+
+Global:
+
+Package=<5>
+{{{
+}}}
+
+Package=<3>
+{{{
+}}}
+
+###############################################################################
+
diff --git a/bin/dig/win32/host.mak b/bin/dig/win32/host.mak
index eb0a12e4..7f3cc62a 100644
--- a/bin/dig/win32/host.mak
+++ b/bin/dig/win32/host.mak
@@ -1,324 +1,328 @@
-# Microsoft Developer Studio Generated NMAKE File, Based on host.dsp

-!IF "$(CFG)" == ""

-CFG=host - Win32 Debug

-!MESSAGE No configuration specified. Defaulting to host - Win32 Debug.

-!ENDIF 

-

-!IF "$(CFG)" != "host - Win32 Release" && "$(CFG)" != "host - Win32 Debug"

-!MESSAGE Invalid configuration "$(CFG)" specified.

-!MESSAGE You can specify a configuration when running NMAKE

-!MESSAGE by defining the macro CFG on the command line. For example:

-!MESSAGE 

-!MESSAGE NMAKE /f "host.mak" CFG="host - Win32 Debug"

-!MESSAGE 

-!MESSAGE Possible choices for configuration are:

-!MESSAGE 

-!MESSAGE "host - Win32 Release" (based on "Win32 (x86) Console Application")

-!MESSAGE "host - Win32 Debug" (based on "Win32 (x86) Console Application")

-!MESSAGE 

-!ERROR An invalid configuration is specified.

-!ENDIF 

-

-!IF "$(OS)" == "Windows_NT"

-NULL=

-!ELSE 

-NULL=nul

-!ENDIF 

-

-!IF  "$(CFG)" == "host - Win32 Release"

-_VC_MANIFEST_INC=0

-_VC_MANIFEST_BASENAME=__VC80

-!ELSE

-_VC_MANIFEST_INC=1

-_VC_MANIFEST_BASENAME=__VC80.Debug

-!ENDIF

-

-####################################################

-# Specifying name of temporary resource file used only in incremental builds:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res

-!else

-_VC_MANIFEST_AUTO_RES=

-!endif

-

-####################################################

-# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-

-#MT_SPECIAL_RETURN=1090650113

-#MT_SPECIAL_SWITCH=-notify_resource_update

-MT_SPECIAL_RETURN=0

-MT_SPECIAL_SWITCH=

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \

-if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \

-rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \

-link $** /out:$@ $(LFLAGS)

-

-!else

-

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1

-

-!endif

-

-####################################################

-# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-

-#MT_SPECIAL_RETURN=1090650113

-#MT_SPECIAL_SWITCH=-notify_resource_update

-MT_SPECIAL_RETURN=0

-MT_SPECIAL_SWITCH=

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \

-if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \

-rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \

-link $** /out:$@ $(LFLAGS)

-

-!else

-

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2

-

-!endif

-####################################################

-# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-

-_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \

-    $(_VC_MANIFEST_BASENAME).auto.rc \

-    $(_VC_MANIFEST_BASENAME).auto.manifest

-

-!else

-

-_VC_MANIFEST_CLEAN=

-

-!endif

-

-!IF  "$(CFG)" == "host - Win32 Release"

-

-OUTDIR=.\Release

-INTDIR=.\Release

-

-ALL : "..\..\..\Build\Release\host.exe"

-

-

-CLEAN :

-	-@erase "$(INTDIR)\dighost.obj"

-	-@erase "$(INTDIR)\host.obj"

-	-@erase "$(INTDIR)\vc60.idb"

-	-@erase "..\..\..\Build\Release\host.exe"

-	-@$(_VC_MANIFEST_CLEAN)

-

-"$(OUTDIR)" :

-    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"

-

-CPP=cl.exe

-CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\host.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 

-

-.c{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.c{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-RSC=rc.exe

-BSC32=bscmake.exe

-BSC32_FLAGS=/nologo /o"$(OUTDIR)\host.bsc" 

-BSC32_SBRS= \

-	

-LINK32=link.exe

-LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\host.pdb" /machine:I386 /out:"../../../Build/Release/host.exe" 

-LINK32_OBJS= \

-	"$(INTDIR)\dighost.obj" \

-	"$(INTDIR)\host.obj"

-

-"..\..\..\Build\Release\host.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)

-    $(LINK32) @<<

-  $(LINK32_FLAGS) $(LINK32_OBJS)

-<<

-    $(_VC_MANIFEST_EMBED_EXE)

-

-!ELSEIF  "$(CFG)" == "host - Win32 Debug"

-

-OUTDIR=.\Debug

-INTDIR=.\Debug

-# Begin Custom Macros

-OutDir=.\Debug

-# End Custom Macros

-

-ALL : "..\..\..\Build\Debug\host.exe" "$(OUTDIR)\host.bsc"

-

-

-CLEAN :

-	-@erase "$(INTDIR)\dighost.obj"

-	-@erase "$(INTDIR)\dighost.sbr"

-	-@erase "$(INTDIR)\host.obj"

-	-@erase "$(INTDIR)\host.sbr"

-	-@erase "$(INTDIR)\vc60.idb"

-	-@erase "$(INTDIR)\vc60.pdb"

-	-@erase "$(OUTDIR)\host.bsc"

-	-@erase "$(OUTDIR)\host.pdb"

-	-@erase "..\..\..\Build\Debug\host.exe"

-	-@erase "..\..\..\Build\Debug\host.ilk"

-	-@$(_VC_MANIFEST_CLEAN)

-

-"$(OUTDIR)" :

-    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"

-

-CPP=cl.exe

-CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 

-

-.c{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.c{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-RSC=rc.exe

-BSC32=bscmake.exe

-BSC32_FLAGS=/nologo /o"$(OUTDIR)\host.bsc" 

-BSC32_SBRS= \

-	"$(INTDIR)\dighost.sbr" \

-	"$(INTDIR)\host.sbr"

-

-"$(OUTDIR)\host.bsc" : "$(OUTDIR)" $(BSC32_SBRS)

-    $(BSC32) @<<

-  $(BSC32_FLAGS) $(BSC32_SBRS)

-<<

-

-LINK32=link.exe

-LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\host.pdb" /debug /machine:I386 /out:"../../../Build/Debug/host.exe" /pdbtype:sept 

-LINK32_OBJS= \

-	"$(INTDIR)\dighost.obj" \

-	"$(INTDIR)\host.obj"

-

-"..\..\..\Build\Debug\host.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)

-    $(LINK32) @<<

-  $(LINK32_FLAGS) $(LINK32_OBJS)

-<<

-    $(_VC_MANIFEST_EMBED_EXE)

-

-!ENDIF 

-

-

-!IF "$(NO_EXTERNAL_DEPS)" != "1"

-!IF EXISTS("host.dep")

-!INCLUDE "host.dep"

-!ELSE 

-!MESSAGE Warning: cannot find "host.dep"

-!ENDIF 

-!ENDIF 

-

-

-!IF "$(CFG)" == "host - Win32 Release" || "$(CFG)" == "host - Win32 Debug"

-SOURCE=..\dighost.c

-

-!IF  "$(CFG)" == "host - Win32 Release"

-

-

-"$(INTDIR)\dighost.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "host - Win32 Debug"

-

-

-"$(INTDIR)\dighost.obj"	"$(INTDIR)\dighost.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\host.c

-

-!IF  "$(CFG)" == "host - Win32 Release"

-

-

-"$(INTDIR)\host.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "host - Win32 Debug"

-

-

-"$(INTDIR)\host.obj"	"$(INTDIR)\host.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-

-!ENDIF 

-

-####################################################

-# Commands to generate initial empty manifest file and the RC file

-# that references it, and for generating the .res file:

-

-$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc

-

-$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest

-    type <<$@

-#include <winuser.h>

-1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"

-<< KEEP

-

-$(_VC_MANIFEST_BASENAME).auto.manifest :

-    type <<$@

-<?xml version='1.0' encoding='UTF-8' standalone='yes'?>

-<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>

-</assembly>

-<< KEEP

+# Microsoft Developer Studio Generated NMAKE File, Based on host.dsp
+!IF "$(CFG)" == ""
+CFG=host - Win32 Debug
+!MESSAGE No configuration specified. Defaulting to host - Win32 Debug.
+!ENDIF 
+
+!IF "$(CFG)" != "host - Win32 Release" && "$(CFG)" != "host - Win32 Debug"
+!MESSAGE Invalid configuration "$(CFG)" specified.
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "host.mak" CFG="host - Win32 Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "host - Win32 Release" (based on "Win32 (x86) Console Application")
+!MESSAGE "host - Win32 Debug" (based on "Win32 (x86) Console Application")
+!MESSAGE 
+!ERROR An invalid configuration is specified.
+!ENDIF 
+
+!IF "$(OS)" == "Windows_NT"
+NULL=
+!ELSE 
+NULL=nul
+!ENDIF 
+
+CPP=cl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "host - Win32 Release"
+
+OUTDIR=.\Release
+INTDIR=.\Release
+
+!IF "$(RECURSE)" == "0" 
+
+ALL : "..\..\..\Build\Release\host.exe"
+
+!ELSE 
+
+ALL : "liblwres - Win32 Release" "libbind9 - Win32 Release" "libisc - Win32 Release" "libdns - Win32 Release" "..\..\..\Build\Release\host.exe"
+
+!ENDIF 
+
+!IF "$(RECURSE)" == "1" 
+CLEAN :"libdns - Win32 ReleaseCLEAN" "libisc - Win32 ReleaseCLEAN" "libbind9 - Win32 ReleaseCLEAN" "liblwres - Win32 ReleaseCLEAN" 
+!ELSE 
+CLEAN :
+!ENDIF 
+	-@erase "$(INTDIR)\dighost.obj"
+	-@erase "$(INTDIR)\host.obj"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "..\..\..\Build\Release\host.exe"
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP_PROJ=/nologo /MT /W3 /GX /O2 /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/dns/sec/dst/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\host.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\host.bsc" 
+BSC32_SBRS= \
+	
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/bind9/win32/Release/libbind9.lib  ../../../lib/lwres/win32/Release/liblwres.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\host.pdb" /machine:I386 /out:"../../../Build/Release/host.exe" 
+LINK32_OBJS= \
+	"$(INTDIR)\dighost.obj" \
+	"$(INTDIR)\host.obj" \
+	"..\..\..\lib\dns\win32\Release\libdns.lib" \
+	"..\..\..\lib\isc\win32\Release\libisc.lib" \
+	"..\..\..\lib\bind9\win32\Release\libbind9.lib" \
+	"..\..\..\lib\lwres\win32\Release\liblwres.lib"
+
+"..\..\..\Build\Release\host.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+
+!ELSEIF  "$(CFG)" == "host - Win32 Debug"
+
+OUTDIR=.\Debug
+INTDIR=.\Debug
+# Begin Custom Macros
+OutDir=.\Debug
+# End Custom Macros
+
+!IF "$(RECURSE)" == "0" 
+
+ALL : "..\..\..\Build\Debug\host.exe" "$(OUTDIR)\host.bsc"
+
+!ELSE 
+
+ALL : "liblwres - Win32 Debug" "libbind9 - Win32 Debug" "libisc - Win32 Debug" "libdns - Win32 Debug" "..\..\..\Build\Debug\host.exe" "$(OUTDIR)\host.bsc"
+
+!ENDIF 
+
+!IF "$(RECURSE)" == "1" 
+CLEAN :"libdns - Win32 DebugCLEAN" "libisc - Win32 DebugCLEAN" "libbind9 - Win32 DebugCLEAN" "liblwres - Win32 DebugCLEAN" 
+!ELSE 
+CLEAN :
+!ENDIF 
+	-@erase "$(INTDIR)\dighost.obj"
+	-@erase "$(INTDIR)\dighost.sbr"
+	-@erase "$(INTDIR)\host.obj"
+	-@erase "$(INTDIR)\host.sbr"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "$(INTDIR)\vc60.pdb"
+	-@erase "$(OUTDIR)\host.bsc"
+	-@erase "$(OUTDIR)\host.pdb"
+	-@erase "..\..\..\Build\Debug\host.exe"
+	-@erase "..\..\..\Build\Debug\host.ilk"
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP_PROJ=/nologo /MTd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/dns/sec/dst/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\host.bsc" 
+BSC32_SBRS= \
+	"$(INTDIR)\dighost.sbr" \
+	"$(INTDIR)\host.sbr"
+
+"$(OUTDIR)\host.bsc" : "$(OUTDIR)" $(BSC32_SBRS)
+    $(BSC32) @<<
+  $(BSC32_FLAGS) $(BSC32_SBRS)
+<<
+
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/bind9/win32/Debug/libbind9.lib  ../../../lib/lwres/win32/Debug/liblwres.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\host.pdb" /debug /machine:I386 /out:"../../../Build/Debug/host.exe" /pdbtype:sept 
+LINK32_OBJS= \
+	"$(INTDIR)\dighost.obj" \
+	"$(INTDIR)\host.obj" \
+	"..\..\..\lib\dns\win32\Debug\libdns.lib" \
+	"..\..\..\lib\isc\win32\Debug\libisc.lib" \
+	"..\..\..\lib\bind9\win32\Debug\libbind9.lib" \
+	"..\..\..\lib\lwres\win32\Debug\liblwres.lib"
+
+"..\..\..\Build\Debug\host.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+
+!ENDIF 
+
+.c{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+
+!IF "$(NO_EXTERNAL_DEPS)" != "1"
+!IF EXISTS("host.dep")
+!INCLUDE "host.dep"
+!ELSE 
+!MESSAGE Warning: cannot find "host.dep"
+!ENDIF 
+!ENDIF 
+
+
+!IF "$(CFG)" == "host - Win32 Release" || "$(CFG)" == "host - Win32 Debug"
+SOURCE=..\dighost.c
+
+!IF  "$(CFG)" == "host - Win32 Release"
+
+
+"$(INTDIR)\dighost.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "host - Win32 Debug"
+
+
+"$(INTDIR)\dighost.obj"	"$(INTDIR)\dighost.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\host.c
+
+!IF  "$(CFG)" == "host - Win32 Release"
+
+
+"$(INTDIR)\host.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "host - Win32 Debug"
+
+
+"$(INTDIR)\host.obj"	"$(INTDIR)\host.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+!IF  "$(CFG)" == "host - Win32 Release"
+
+"libdns - Win32 Release" : 
+   cd "..\..\..\lib\dns\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libdns.mak" CFG="libdns - Win32 Release" 
+   cd "..\..\..\bin\dig\win32"
+
+"libdns - Win32 ReleaseCLEAN" : 
+   cd "..\..\..\lib\dns\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libdns.mak" CFG="libdns - Win32 Release" RECURSE=1 CLEAN 
+   cd "..\..\..\bin\dig\win32"
+
+!ELSEIF  "$(CFG)" == "host - Win32 Debug"
+
+"libdns - Win32 Debug" : 
+   cd "..\..\..\lib\dns\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libdns.mak" CFG="libdns - Win32 Debug" 
+   cd "..\..\..\bin\dig\win32"
+
+"libdns - Win32 DebugCLEAN" : 
+   cd "..\..\..\lib\dns\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libdns.mak" CFG="libdns - Win32 Debug" RECURSE=1 CLEAN 
+   cd "..\..\..\bin\dig\win32"
+
+!ENDIF 
+
+!IF  "$(CFG)" == "host - Win32 Release"
+
+"libisc - Win32 Release" : 
+   cd "..\..\..\lib\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - Win32 Release" 
+   cd "..\..\..\bin\dig\win32"
+
+"libisc - Win32 ReleaseCLEAN" : 
+   cd "..\..\..\lib\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - Win32 Release" RECURSE=1 CLEAN 
+   cd "..\..\..\bin\dig\win32"
+
+!ELSEIF  "$(CFG)" == "host - Win32 Debug"
+
+"libisc - Win32 Debug" : 
+   cd "..\..\..\lib\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - Win32 Debug" 
+   cd "..\..\..\bin\dig\win32"
+
+"libisc - Win32 DebugCLEAN" : 
+   cd "..\..\..\lib\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - Win32 Debug" RECURSE=1 CLEAN 
+   cd "..\..\..\bin\dig\win32"
+
+!ENDIF 
+
+!IF  "$(CFG)" == "host - Win32 Release"
+
+"libbind9 - Win32 Release" : 
+   cd "..\..\..\lib\bind9\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libbind9.mak" CFG="libbind9 - Win32 Release" 
+   cd "..\..\..\bin\dig\win32"
+
+"libbind9 - Win32 ReleaseCLEAN" : 
+   cd "..\..\..\lib\bind9\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libbind9.mak" CFG="libbind9 - Win32 Release" RECURSE=1 CLEAN 
+   cd "..\..\..\bin\dig\win32"
+
+!ELSEIF  "$(CFG)" == "host - Win32 Debug"
+
+"libbind9 - Win32 Debug" : 
+   cd "..\..\..\lib\bind9\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libbind9.mak" CFG="libbind9 - Win32 Debug" 
+   cd "..\..\..\bin\dig\win32"
+
+"libbind9 - Win32 DebugCLEAN" : 
+   cd "..\..\..\lib\bind9\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libbind9.mak" CFG="libbind9 - Win32 Debug" RECURSE=1 CLEAN 
+   cd "..\..\..\bin\dig\win32"
+
+!ENDIF 
+
+!IF  "$(CFG)" == "host - Win32 Release"
+
+"liblwres - Win32 Release" : 
+   cd "..\..\..\lib\lwres\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\liblwres.mak" CFG="liblwres - Win32 Release" 
+   cd "..\..\..\bin\dig\win32"
+
+"liblwres - Win32 ReleaseCLEAN" : 
+   cd "..\..\..\lib\lwres\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\liblwres.mak" CFG="liblwres - Win32 Release" RECURSE=1 CLEAN 
+   cd "..\..\..\bin\dig\win32"
+
+!ELSEIF  "$(CFG)" == "host - Win32 Debug"
+
+"liblwres - Win32 Debug" : 
+   cd "..\..\..\lib\lwres\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\liblwres.mak" CFG="liblwres - Win32 Debug" 
+   cd "..\..\..\bin\dig\win32"
+
+"liblwres - Win32 DebugCLEAN" : 
+   cd "..\..\..\lib\lwres\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\liblwres.mak" CFG="liblwres - Win32 Debug" RECURSE=1 CLEAN 
+   cd "..\..\..\bin\dig\win32"
+
+!ENDIF 
+
+
+!ENDIF 
+
diff --git a/bin/dig/win32/nslookup.dsp b/bin/dig/win32/nslookup.dsp
index f4d151d5..ad7b9d9d 100644
--- a/bin/dig/win32/nslookup.dsp
+++ b/bin/dig/win32/nslookup.dsp
@@ -1,103 +1,107 @@
-# Microsoft Developer Studio Project File - Name="nslookup" - Package Owner=<4>

-# Microsoft Developer Studio Generated Build File, Format Version 6.00

-# ** DO NOT EDIT **

-

-# TARGTYPE "Win32 (x86) Console Application" 0x0103

-

-CFG=nslookup - Win32 Debug

-!MESSAGE This is not a valid makefile. To build this project using NMAKE,

-!MESSAGE use the Export Makefile command and run

-!MESSAGE 

-!MESSAGE NMAKE /f "nslookup.mak".

-!MESSAGE 

-!MESSAGE You can specify a configuration when running NMAKE

-!MESSAGE by defining the macro CFG on the command line. For example:

-!MESSAGE 

-!MESSAGE NMAKE /f "nslookup.mak" CFG="nslookup - Win32 Debug"

-!MESSAGE 

-!MESSAGE Possible choices for configuration are:

-!MESSAGE 

-!MESSAGE "nslookup - Win32 Release" (based on "Win32 (x86) Console Application")

-!MESSAGE "nslookup - Win32 Debug" (based on "Win32 (x86) Console Application")

-!MESSAGE 

-

-# Begin Project

-# PROP AllowPerConfigDependencies 0

-# PROP Scc_ProjName ""

-# PROP Scc_LocalPath ""

-CPP=cl.exe

-RSC=rc.exe

-

-!IF  "$(CFG)" == "nslookup - Win32 Release"

-

-# PROP BASE Use_MFC 0

-# PROP BASE Use_Debug_Libraries 0

-# PROP BASE Output_Dir "Release"

-# PROP BASE Intermediate_Dir "Release"

-# PROP BASE Target_Dir ""

-# PROP Use_MFC 0

-# PROP Use_Debug_Libraries 0

-# PROP Output_Dir "Release"

-# PROP Intermediate_Dir "Release"

-# PROP Ignore_Export_Lib 0

-# PROP Target_Dir ""

-# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c

-# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c

-# ADD BASE RSC /l 0x409 /d "NDEBUG"

-# ADD RSC /l 0x409 /d "NDEBUG"

-BSC32=bscmake.exe

-# ADD BASE BSC32 /nologo

-# ADD BSC32 /nologo

-LINK32=link.exe

-# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386

-# ADD LINK32 user32.lib advapi32.lib ws2_32.lib Release/dighost.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/nslookup.exe"

-

-!ELSEIF  "$(CFG)" == "nslookup - Win32 Debug"

-

-# PROP BASE Use_MFC 0

-# PROP BASE Use_Debug_Libraries 1

-# PROP BASE Output_Dir "Debug"

-# PROP BASE Intermediate_Dir "Debug"

-# PROP BASE Target_Dir ""

-# PROP Use_MFC 0

-# PROP Use_Debug_Libraries 1

-# PROP Output_Dir "Debug"

-# PROP Intermediate_Dir "Debug"

-# PROP Ignore_Export_Lib 0

-# PROP Target_Dir ""

-# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c

-# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c

-# SUBTRACT CPP /X /u /YX

-# ADD BASE RSC /l 0x409 /d "_DEBUG"

-# ADD RSC /l 0x409 /d "_DEBUG"

-BSC32=bscmake.exe

-# ADD BASE BSC32 /nologo

-# ADD BSC32 /nologo

-LINK32=link.exe

-# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept

-# ADD LINK32 user32.lib advapi32.lib ws2_32.lib Debug/dighost.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/nslookup.exe" /pdbtype:sept

-

-!ENDIF 

-

-# Begin Target

-

-# Name "nslookup - Win32 Release"

-# Name "nslookup - Win32 Debug"

-# Begin Group "Source Files"

-

-# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"

-# Begin Source File

-

-SOURCE=..\nslookup.c

-# End Source File

-# End Group

-# Begin Group "Header Files"

-

-# PROP Default_Filter "h;hpp;hxx;hm;inl"

-# End Group

-# Begin Group "Resource Files"

-

-# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"

-# End Group

-# End Target

-# End Project

+# Microsoft Developer Studio Project File - Name="nslookup" - Package Owner=<4>
+# Microsoft Developer Studio Generated Build File, Format Version 6.00
+# ** DO NOT EDIT **
+
+# TARGTYPE "Win32 (x86) Console Application" 0x0103
+
+CFG=nslookup - Win32 Debug
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,
+!MESSAGE use the Export Makefile command and run
+!MESSAGE 
+!MESSAGE NMAKE /f "nslookup.mak".
+!MESSAGE 
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "nslookup.mak" CFG="nslookup - Win32 Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "nslookup - Win32 Release" (based on "Win32 (x86) Console Application")
+!MESSAGE "nslookup - Win32 Debug" (based on "Win32 (x86) Console Application")
+!MESSAGE 
+
+# Begin Project
+# PROP AllowPerConfigDependencies 0
+# PROP Scc_ProjName ""
+# PROP Scc_LocalPath ""
+CPP=cl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "nslookup - Win32 Release"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 0
+# PROP BASE Output_Dir "Release"
+# PROP BASE Intermediate_Dir "Release"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 0
+# PROP Output_Dir "Release"
+# PROP Intermediate_Dir "Release"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
+# ADD CPP /nologo /MT /W3 /GX /O2 /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/dns/sec/dst/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
+# ADD BASE RSC /l 0x409 /d "NDEBUG"
+# ADD RSC /l 0x409 /d "NDEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/bind9/win32/Release/libbind9.lib  ../../../lib/lwres/win32/Release/liblwres.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/nslookup.exe"
+
+!ELSEIF  "$(CFG)" == "nslookup - Win32 Debug"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 1
+# PROP BASE Output_Dir "Debug"
+# PROP BASE Intermediate_Dir "Debug"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 1
+# PROP Output_Dir "Debug"
+# PROP Intermediate_Dir "Debug"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c
+# ADD CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/dns/sec/dst/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
+# SUBTRACT CPP /X /u /YX
+# ADD BASE RSC /l 0x409 /d "_DEBUG"
+# ADD RSC /l 0x409 /d "_DEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/bind9/win32/Debug/libbind9.lib  ../../../lib/lwres/win32/Debug/liblwres.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/nslookup.exe" /pdbtype:sept
+
+!ENDIF 
+
+# Begin Target
+
+# Name "nslookup - Win32 Release"
+# Name "nslookup - Win32 Debug"
+# Begin Group "Source Files"
+
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
+# Begin Source File
+
+SOURCE=..\dighost.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\nslookup.c
+# End Source File
+# End Group
+# Begin Group "Header Files"
+
+# PROP Default_Filter "h;hpp;hxx;hm;inl"
+# End Group
+# Begin Group "Resource Files"
+
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"
+# End Group
+# End Target
+# End Project
diff --git a/bin/dig/win32/nslookup.dsw b/bin/dig/win32/nslookup.dsw
index 0ff8c660..7ffdc8e9 100644
--- a/bin/dig/win32/nslookup.dsw
+++ b/bin/dig/win32/nslookup.dsw
@@ -1,29 +1,29 @@
-Microsoft Developer Studio Workspace File, Format Version 6.00

-# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!

-

-###############################################################################

-

-Project: "nslookup"=".\nslookup.dsp" - Package Owner=<4>

-

-Package=<5>

-{{{

-}}}

-

-Package=<4>

-{{{

-}}}

-

-###############################################################################

-

-Global:

-

-Package=<5>

-{{{

-}}}

-

-Package=<3>

-{{{

-}}}

-

-###############################################################################

-

+Microsoft Developer Studio Workspace File, Format Version 6.00
+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!
+
+###############################################################################
+
+Project: "nslookup"=".\nslookup.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+}}}
+
+###############################################################################
+
+Global:
+
+Package=<5>
+{{{
+}}}
+
+Package=<3>
+{{{
+}}}
+
+###############################################################################
+
diff --git a/bin/dig/win32/nslookup.mak b/bin/dig/win32/nslookup.mak
index 3b63166c..00c69b6d 100644
--- a/bin/dig/win32/nslookup.mak
+++ b/bin/dig/win32/nslookup.mak
@@ -1,324 +1,328 @@
-# Microsoft Developer Studio Generated NMAKE File, Based on nslookup.dsp

-!IF "$(CFG)" == ""

-CFG=nslookup - Win32 Debug

-!MESSAGE No configuration specified. Defaulting to nslookup - Win32 Debug.

-!ENDIF 

-

-!IF "$(CFG)" != "nslookup - Win32 Release" && "$(CFG)" != "nslookup - Win32 Debug"

-!MESSAGE Invalid configuration "$(CFG)" specified.

-!MESSAGE You can specify a configuration when running NMAKE

-!MESSAGE by defining the macro CFG on the command line. For example:

-!MESSAGE 

-!MESSAGE NMAKE /f "nslookup.mak" CFG="nslookup - Win32 Debug"

-!MESSAGE 

-!MESSAGE Possible choices for configuration are:

-!MESSAGE 

-!MESSAGE "nslookup - Win32 Release" (based on "Win32 (x86) Console Application")

-!MESSAGE "nslookup - Win32 Debug" (based on "Win32 (x86) Console Application")

-!MESSAGE 

-!ERROR An invalid configuration is specified.

-!ENDIF 

-

-!IF "$(OS)" == "Windows_NT"

-NULL=

-!ELSE 

-NULL=nul

-!ENDIF 

-

-!IF  "$(CFG)" == "nslookup - Win32 Release"

-_VC_MANIFEST_INC=0

-_VC_MANIFEST_BASENAME=__VC80

-!ELSE

-_VC_MANIFEST_INC=1

-_VC_MANIFEST_BASENAME=__VC80.Debug

-!ENDIF

-

-####################################################

-# Specifying name of temporary resource file used only in incremental builds:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res

-!else

-_VC_MANIFEST_AUTO_RES=

-!endif

-

-####################################################

-# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-

-#MT_SPECIAL_RETURN=1090650113

-#MT_SPECIAL_SWITCH=-notify_resource_update

-MT_SPECIAL_RETURN=0

-MT_SPECIAL_SWITCH=

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \

-if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \

-rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \

-link $** /out:$@ $(LFLAGS)

-

-!else

-

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1

-

-!endif

-

-####################################################

-# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-

-#MT_SPECIAL_RETURN=1090650113

-#MT_SPECIAL_SWITCH=-notify_resource_update

-MT_SPECIAL_RETURN=0

-MT_SPECIAL_SWITCH=

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \

-if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \

-rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \

-link $** /out:$@ $(LFLAGS)

-

-!else

-

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2

-

-!endif

-####################################################

-# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-

-_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \

-    $(_VC_MANIFEST_BASENAME).auto.rc \

-    $(_VC_MANIFEST_BASENAME).auto.manifest

-

-!else

-

-_VC_MANIFEST_CLEAN=

-

-!endif

-

-!IF  "$(CFG)" == "nslookup - Win32 Release"

-

-OUTDIR=.\Release

-INTDIR=.\Release

-

-ALL : "..\..\..\Build\Release\nslookup.exe"

-

-

-CLEAN :

-	-@erase "$(INTDIR)\dighost.obj"

-	-@erase "$(INTDIR)\nslookup.obj"

-	-@erase "$(INTDIR)\vc60.idb"

-	-@erase "..\..\..\Build\Release\nslookup.exe"

-	-@$(_VC_MANIFEST_CLEAN)

-

-"$(OUTDIR)" :

-    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"

-

-CPP=cl.exe

-CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\nslookup.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 

-

-.c{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.c{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-RSC=rc.exe

-BSC32=bscmake.exe

-BSC32_FLAGS=/nologo /o"$(OUTDIR)\nslookup.bsc" 

-BSC32_SBRS= \

-	

-LINK32=link.exe

-LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\nslookup.pdb" /machine:I386 /out:"../../../Build/Release/nslookup.exe" 

-LINK32_OBJS= \

-	"$(INTDIR)\dighost.obj" \

-	"$(INTDIR)\nslookup.obj"

-

-"..\..\..\Build\Release\nslookup.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)

-    $(LINK32) @<<

-  $(LINK32_FLAGS) $(LINK32_OBJS)

-<<

-    $(_VC_MANIFEST_EMBED_EXE)

-

-!ELSEIF  "$(CFG)" == "nslookup - Win32 Debug"

-

-OUTDIR=.\Debug

-INTDIR=.\Debug

-# Begin Custom Macros

-OutDir=.\Debug

-# End Custom Macros

-

-ALL : "..\..\..\Build\Debug\nslookup.exe" "$(OUTDIR)\nslookup.bsc"

-

-

-CLEAN :

-	-@erase "$(INTDIR)\dighost.obj"

-	-@erase "$(INTDIR)\dighost.sbr"

-	-@erase "$(INTDIR)\nslookup.obj"

-	-@erase "$(INTDIR)\nslookup.sbr"

-	-@erase "$(INTDIR)\vc60.idb"

-	-@erase "$(INTDIR)\vc60.pdb"

-	-@erase "$(OUTDIR)\nslookup.bsc"

-	-@erase "$(OUTDIR)\nslookup.pdb"

-	-@erase "..\..\..\Build\Debug\nslookup.exe"

-	-@erase "..\..\..\Build\Debug\nslookup.ilk"

-	-@$(_VC_MANIFEST_CLEAN)

-

-"$(OUTDIR)" :

-    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"

-

-CPP=cl.exe

-CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 

-

-.c{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.c{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-RSC=rc.exe

-BSC32=bscmake.exe

-BSC32_FLAGS=/nologo /o"$(OUTDIR)\nslookup.bsc" 

-BSC32_SBRS= \

-	"$(INTDIR)\dighost.sbr" \

-	"$(INTDIR)\nslookup.sbr"

-

-"$(OUTDIR)\nslookup.bsc" : "$(OUTDIR)" $(BSC32_SBRS)

-    $(BSC32) @<<

-  $(BSC32_FLAGS) $(BSC32_SBRS)

-<<

-

-LINK32=link.exe

-LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\nslookup.pdb" /debug /machine:I386 /out:"../../../Build/Debug/nslookup.exe" /pdbtype:sept 

-LINK32_OBJS= \

-	"$(INTDIR)\dighost.obj" \

-	"$(INTDIR)\nslookup.obj"

-

-"..\..\..\Build\Debug\nslookup.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)

-    $(LINK32) @<<

-  $(LINK32_FLAGS) $(LINK32_OBJS)

-<<

-    $(_VC_MANIFEST_EMBED_EXE)

-

-!ENDIF 

-

-

-!IF "$(NO_EXTERNAL_DEPS)" != "1"

-!IF EXISTS("nslookup.dep")

-!INCLUDE "nslookup.dep"

-!ELSE 

-!MESSAGE Warning: cannot find "nslookup.dep"

-!ENDIF 

-!ENDIF 

-

-

-!IF "$(CFG)" == "nslookup - Win32 Release" || "$(CFG)" == "nslookup - Win32 Debug"

-SOURCE=..\dighost.c

-

-!IF  "$(CFG)" == "nslookup - Win32 Release"

-

-

-"$(INTDIR)\dighost.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "nslookup - Win32 Debug"

-

-

-"$(INTDIR)\dighost.obj"	"$(INTDIR)\dighost.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\nslookup.c

-

-!IF  "$(CFG)" == "nslookup - Win32 Release"

-

-

-"$(INTDIR)\nslookup.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "nslookup - Win32 Debug"

-

-

-"$(INTDIR)\nslookup.obj"	"$(INTDIR)\nslookup.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-

-!ENDIF 

-

-####################################################

-# Commands to generate initial empty manifest file and the RC file

-# that references it, and for generating the .res file:

-

-$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc

-

-$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest

-    type <<$@

-#include <winuser.h>

-1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"

-<< KEEP

-

-$(_VC_MANIFEST_BASENAME).auto.manifest :

-    type <<$@

-<?xml version='1.0' encoding='UTF-8' standalone='yes'?>

-<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>

-</assembly>

-<< KEEP

+# Microsoft Developer Studio Generated NMAKE File, Based on nslookup.dsp
+!IF "$(CFG)" == ""
+CFG=nslookup - Win32 Debug
+!MESSAGE No configuration specified. Defaulting to nslookup - Win32 Debug.
+!ENDIF 
+
+!IF "$(CFG)" != "nslookup - Win32 Release" && "$(CFG)" != "nslookup - Win32 Debug"
+!MESSAGE Invalid configuration "$(CFG)" specified.
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "nslookup.mak" CFG="nslookup - Win32 Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "nslookup - Win32 Release" (based on "Win32 (x86) Console Application")
+!MESSAGE "nslookup - Win32 Debug" (based on "Win32 (x86) Console Application")
+!MESSAGE 
+!ERROR An invalid configuration is specified.
+!ENDIF 
+
+!IF "$(OS)" == "Windows_NT"
+NULL=
+!ELSE 
+NULL=nul
+!ENDIF 
+
+CPP=cl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "nslookup - Win32 Release"
+
+OUTDIR=.\Release
+INTDIR=.\Release
+
+!IF "$(RECURSE)" == "0" 
+
+ALL : "..\..\..\Build\Release\nslookup.exe"
+
+!ELSE 
+
+ALL : "liblwres - Win32 Release" "libbind9 - Win32 Release" "libisc - Win32 Release" "libdns - Win32 Release" "..\..\..\Build\Release\nslookup.exe"
+
+!ENDIF 
+
+!IF "$(RECURSE)" == "1" 
+CLEAN :"libdns - Win32 ReleaseCLEAN" "libisc - Win32 ReleaseCLEAN" "libbind9 - Win32 ReleaseCLEAN" "liblwres - Win32 ReleaseCLEAN" 
+!ELSE 
+CLEAN :
+!ENDIF 
+	-@erase "$(INTDIR)\dighost.obj"
+	-@erase "$(INTDIR)\nslookup.obj"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "..\..\..\Build\Release\nslookup.exe"
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP_PROJ=/nologo /MT /W3 /GX /O2 /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/dns/sec/dst/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\nslookup.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\nslookup.bsc" 
+BSC32_SBRS= \
+	
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/bind9/win32/Release/libbind9.lib  ../../../lib/lwres/win32/Release/liblwres.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\nslookup.pdb" /machine:I386 /out:"../../../Build/Release/nslookup.exe" 
+LINK32_OBJS= \
+	"$(INTDIR)\dighost.obj" \
+	"$(INTDIR)\nslookup.obj" \
+	"..\..\..\lib\dns\win32\Release\libdns.lib" \
+	"..\..\..\lib\isc\win32\Release\libisc.lib" \
+	"..\..\..\lib\bind9\win32\Release\libbind9.lib" \
+	"..\..\..\lib\lwres\win32\Release\liblwres.lib"
+
+"..\..\..\Build\Release\nslookup.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+
+!ELSEIF  "$(CFG)" == "nslookup - Win32 Debug"
+
+OUTDIR=.\Debug
+INTDIR=.\Debug
+# Begin Custom Macros
+OutDir=.\Debug
+# End Custom Macros
+
+!IF "$(RECURSE)" == "0" 
+
+ALL : "..\..\..\Build\Debug\nslookup.exe" "$(OUTDIR)\nslookup.bsc"
+
+!ELSE 
+
+ALL : "liblwres - Win32 Debug" "libbind9 - Win32 Debug" "libisc - Win32 Debug" "libdns - Win32 Debug" "..\..\..\Build\Debug\nslookup.exe" "$(OUTDIR)\nslookup.bsc"
+
+!ENDIF 
+
+!IF "$(RECURSE)" == "1" 
+CLEAN :"libdns - Win32 DebugCLEAN" "libisc - Win32 DebugCLEAN" "libbind9 - Win32 DebugCLEAN" "liblwres - Win32 DebugCLEAN" 
+!ELSE 
+CLEAN :
+!ENDIF 
+	-@erase "$(INTDIR)\dighost.obj"
+	-@erase "$(INTDIR)\dighost.sbr"
+	-@erase "$(INTDIR)\nslookup.obj"
+	-@erase "$(INTDIR)\nslookup.sbr"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "$(INTDIR)\vc60.pdb"
+	-@erase "$(OUTDIR)\nslookup.bsc"
+	-@erase "$(OUTDIR)\nslookup.pdb"
+	-@erase "..\..\..\Build\Debug\nslookup.exe"
+	-@erase "..\..\..\Build\Debug\nslookup.ilk"
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP_PROJ=/nologo /MTd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/dns/sec/dst/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\nslookup.bsc" 
+BSC32_SBRS= \
+	"$(INTDIR)\dighost.sbr" \
+	"$(INTDIR)\nslookup.sbr"
+
+"$(OUTDIR)\nslookup.bsc" : "$(OUTDIR)" $(BSC32_SBRS)
+    $(BSC32) @<<
+  $(BSC32_FLAGS) $(BSC32_SBRS)
+<<
+
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/bind9/win32/Debug/libbind9.lib  ../../../lib/lwres/win32/Debug/liblwres.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\nslookup.pdb" /debug /machine:I386 /out:"../../../Build/Debug/nslookup.exe" /pdbtype:sept 
+LINK32_OBJS= \
+	"$(INTDIR)\dighost.obj" \
+	"$(INTDIR)\nslookup.obj" \
+	"..\..\..\lib\dns\win32\Debug\libdns.lib" \
+	"..\..\..\lib\isc\win32\Debug\libisc.lib" \
+	"..\..\..\lib\bind9\win32\Debug\libbind9.lib" \
+	"..\..\..\lib\lwres\win32\Debug\liblwres.lib"
+
+"..\..\..\Build\Debug\nslookup.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+
+!ENDIF 
+
+.c{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+
+!IF "$(NO_EXTERNAL_DEPS)" != "1"
+!IF EXISTS("nslookup.dep")
+!INCLUDE "nslookup.dep"
+!ELSE 
+!MESSAGE Warning: cannot find "nslookup.dep"
+!ENDIF 
+!ENDIF 
+
+
+!IF "$(CFG)" == "nslookup - Win32 Release" || "$(CFG)" == "nslookup - Win32 Debug"
+SOURCE=..\dighost.c
+
+!IF  "$(CFG)" == "nslookup - Win32 Release"
+
+
+"$(INTDIR)\dighost.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "nslookup - Win32 Debug"
+
+
+"$(INTDIR)\dighost.obj"	"$(INTDIR)\dighost.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\nslookup.c
+
+!IF  "$(CFG)" == "nslookup - Win32 Release"
+
+
+"$(INTDIR)\nslookup.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "nslookup - Win32 Debug"
+
+
+"$(INTDIR)\nslookup.obj"	"$(INTDIR)\nslookup.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+!IF  "$(CFG)" == "nslookup - Win32 Release"
+
+"libdns - Win32 Release" : 
+   cd "..\..\..\lib\dns\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libdns.mak" CFG="libdns - Win32 Release" 
+   cd "..\..\..\bin\dig\win32"
+
+"libdns - Win32 ReleaseCLEAN" : 
+   cd "..\..\..\lib\dns\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libdns.mak" CFG="libdns - Win32 Release" RECURSE=1 CLEAN 
+   cd "..\..\..\bin\dig\win32"
+
+!ELSEIF  "$(CFG)" == "nslookup - Win32 Debug"
+
+"libdns - Win32 Debug" : 
+   cd "..\..\..\lib\dns\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libdns.mak" CFG="libdns - Win32 Debug" 
+   cd "..\..\..\bin\dig\win32"
+
+"libdns - Win32 DebugCLEAN" : 
+   cd "..\..\..\lib\dns\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libdns.mak" CFG="libdns - Win32 Debug" RECURSE=1 CLEAN 
+   cd "..\..\..\bin\dig\win32"
+
+!ENDIF 
+
+!IF  "$(CFG)" == "nslookup - Win32 Release"
+
+"libisc - Win32 Release" : 
+   cd "..\..\..\lib\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - Win32 Release" 
+   cd "..\..\..\bin\dig\win32"
+
+"libisc - Win32 ReleaseCLEAN" : 
+   cd "..\..\..\lib\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - Win32 Release" RECURSE=1 CLEAN 
+   cd "..\..\..\bin\dig\win32"
+
+!ELSEIF  "$(CFG)" == "nslookup - Win32 Debug"
+
+"libisc - Win32 Debug" : 
+   cd "..\..\..\lib\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - Win32 Debug" 
+   cd "..\..\..\bin\dig\win32"
+
+"libisc - Win32 DebugCLEAN" : 
+   cd "..\..\..\lib\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - Win32 Debug" RECURSE=1 CLEAN 
+   cd "..\..\..\bin\dig\win32"
+
+!ENDIF 
+
+!IF  "$(CFG)" == "nslookup - Win32 Release"
+
+"libbind9 - Win32 Release" : 
+   cd "..\..\..\lib\bind9\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libbind9.mak" CFG="libbind9 - Win32 Release" 
+   cd "..\..\..\bin\dig\win32"
+
+"libbind9 - Win32 ReleaseCLEAN" : 
+   cd "..\..\..\lib\bind9\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libbind9.mak" CFG="libbind9 - Win32 Release" RECURSE=1 CLEAN 
+   cd "..\..\..\bin\dig\win32"
+
+!ELSEIF  "$(CFG)" == "nslookup - Win32 Debug"
+
+"libbind9 - Win32 Debug" : 
+   cd "..\..\..\lib\bind9\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libbind9.mak" CFG="libbind9 - Win32 Debug" 
+   cd "..\..\..\bin\dig\win32"
+
+"libbind9 - Win32 DebugCLEAN" : 
+   cd "..\..\..\lib\bind9\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libbind9.mak" CFG="libbind9 - Win32 Debug" RECURSE=1 CLEAN 
+   cd "..\..\..\bin\dig\win32"
+
+!ENDIF 
+
+!IF  "$(CFG)" == "nslookup - Win32 Release"
+
+"liblwres - Win32 Release" : 
+   cd "..\..\..\lib\lwres\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\liblwres.mak" CFG="liblwres - Win32 Release" 
+   cd "..\..\..\bin\dig\win32"
+
+"liblwres - Win32 ReleaseCLEAN" : 
+   cd "..\..\..\lib\lwres\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\liblwres.mak" CFG="liblwres - Win32 Release" RECURSE=1 CLEAN 
+   cd "..\..\..\bin\dig\win32"
+
+!ELSEIF  "$(CFG)" == "nslookup - Win32 Debug"
+
+"liblwres - Win32 Debug" : 
+   cd "..\..\..\lib\lwres\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\liblwres.mak" CFG="liblwres - Win32 Debug" 
+   cd "..\..\..\bin\dig\win32"
+
+"liblwres - Win32 DebugCLEAN" : 
+   cd "..\..\..\lib\lwres\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\liblwres.mak" CFG="liblwres - Win32 Debug" RECURSE=1 CLEAN 
+   cd "..\..\..\bin\dig\win32"
+
+!ENDIF 
+
+
+!ENDIF 
+
diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in
index e5f7cd14..091c603f 100644
--- a/bin/dnssec/Makefile.in
+++ b/bin/dnssec/Makefile.in
@@ -1,5 +1,5 @@
-# Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2000, 2001  Internet Software Consortium.
+# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2000-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.19.2.5 2005/05/02 00:25:33 marka Exp $
+# $Id: Makefile.in,v 1.19.12.8 2004/03/08 04:04:16 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -21,14 +21,14 @@ top_srcdir =	@top_srcdir@
 
 @BIND9_VERSION@
 
-@BIND9_INCLUDES@
+@BIND9_MAKE_INCLUDES@
 
 CINCLUDES =	${DNS_INCLUDES} ${ISC_INCLUDES}
 
-CDEFINES =
+CDEFINES =	-DVERSION=\"${VERSION}\" 
 CWARNINGS =
 
-DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_OPENSSL_LIBS@ @DNS_GSSAPI_LIBS@
+DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
 ISCLIBS =	../../lib/isc/libisc.@A@
 
 DNSDEPLIBS =	../../lib/dns/libdns.@A@
@@ -39,46 +39,30 @@ DEPLIBS =	${DNSDEPLIBS} ${ISCDEPLIBS}
 LIBS =		${DNSLIBS} ${ISCLIBS} @LIBS@
 
 # Alphabetically
-TARGETS =	dnssec-keygen \
-		dnssec-makekeyset \
-		dnssec-signkey \
-		dnssec-signzone
+TARGETS =	dnssec-keygen@EXEEXT@ dnssec-signzone@EXEEXT@
 
 OBJS =		dnssectool.@O@
 
-SRCS =		dnssec-keygen.c dnssec-makekeyset.c \
-		dnssec-signkey.c dnssec-signzone.c \
-		dnssectool.c
+SRCS =		dnssec-keygen.c dnssec-signzone.c dnssectool.c
 
-MANPAGES =	dnssec-keygen.8 \
-		dnssec-makekeyset.8 \
-		dnssec-signkey.8 \
-		dnssec-signzone.8
+MANPAGES =	dnssec-keygen.8 dnssec-signzone.8
 
-HTMLPAGES =	dnssec-keygen.html \
-		dnssec-makekeyset.html \
-		dnssec-signkey.html \
-		dnssec-signzone.html
+HTMLPAGES =	dnssec-keygen.html dnssec-signzone.html
 
 MANOBJS =	${MANPAGES} ${HTMLPAGES}
 
 @BIND9_MAKE_RULES@
 
-dnssec-keygen: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ dnssec-keygen.@O@ ${OBJS} ${LIBS}
-
-dnssec-makekeyset: dnssec-makekeyset.@O@ ${OBJS} ${DEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ dnssec-makekeyset.@O@ ${OBJS} ${LIBS}
-
-dnssec-signkey: dnssec-signkey.@O@ ${OBJS} ${DEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ dnssec-signkey.@O@ ${OBJS} ${LIBS}
+dnssec-keygen@EXEEXT@: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} -o $@ \
+	dnssec-keygen.@O@ ${OBJS} ${LIBS}
 
 dnssec-signzone.@O@: dnssec-signzone.c
-	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
-		-c ${srcdir}/dnssec-signzone.c
+	${LIBTOOL_MODE_COMPILE} ${PURIFY} ${CC} ${ALL_CFLAGS} -c $<
 
-dnssec-signzone: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ dnssec-signzone.@O@ ${OBJS} ${LIBS}
+dnssec-signzone@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} -o $@ \
+	dnssec-signzone.@O@ ${OBJS} ${LIBS}
 
 doc man:: ${MANOBJS}
 
diff --git a/bin/dnssec/dnssec-keygen.8 b/bin/dnssec/dnssec-keygen.8
index 3b466265..fd4e5680 100644
--- a/bin/dnssec/dnssec-keygen.8
+++ b/bin/dnssec/dnssec-keygen.8
@@ -1,191 +1,171 @@
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\" 
+.\" Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000-2003  Internet Software Consortium.
+.\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
 .\" copyright notice and this permission notice appear in all copies.
-.\" 
+.\"
 .\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 .\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 .\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 .\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dnssec-keygen.8,v 1.19.2.9 2007/05/09 03:32:21 marka Exp $
-.\"
-.hy 0
-.ad l
-.\"     Title: dnssec\-keygen
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: June 30, 2000
-.\"    Manual: BIND9
-.\"    Source: BIND9
+.\" $Id: dnssec-keygen.8,v 1.19.12.3 2004/03/08 04:04:16 marka Exp $
 .\"
-.TH "DNSSEC\-KEYGEN" "8" "June 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-dnssec\-keygen \- DNSSEC key generation tool
-.SH "SYNOPSIS"
-.HP 14
-\fBdnssec\-keygen\fR {\-a\ \fIalgorithm\fR} {\-b\ \fIkeysize\fR} {\-n\ \fInametype\fR} [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-e\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {name}
+.TH "DNSSEC-KEYGEN" "8" "June 30, 2000" "BIND9" ""
+.SH NAME
+dnssec-keygen \- DNSSEC key generation tool
+.SH SYNOPSIS
+.sp
+\fBdnssec-keygen\fR \fB-a \fIalgorithm\fB\fR \fB-b \fIkeysize\fB\fR \fB-n \fInametype\fB\fR [ \fB-c \fIclass\fB\fR ]  [ \fB-e\fR ]  [ \fB-f \fIflag\fB\fR ]  [ \fB-g \fIgenerator\fB\fR ]  [ \fB-h\fR ]  [ \fB-p \fIprotocol\fB\fR ]  [ \fB-r \fIrandomdev\fB\fR ]  [ \fB-s \fIstrength\fB\fR ]  [ \fB-t \fItype\fB\fR ]  [ \fB-v \fIlevel\fB\fR ]  \fBname\fR
 .SH "DESCRIPTION"
 .PP
-\fBdnssec\-keygen\fR
-generates keys for DNSSEC (Secure DNS), as defined in RFC 2535. It can also generate keys for use with TSIG (Transaction Signatures), as defined in RFC 2845.
+\fBdnssec-keygen\fR generates keys for DNSSEC
+(Secure DNS), as defined in RFC 2535. It can also generate
+keys for use with TSIG (Transaction Signatures), as
+defined in RFC 2845.
 .SH "OPTIONS"
-.PP
-\-a \fIalgorithm\fR
-.RS 4
+.TP
+\fB-a \fIalgorithm\fB\fR
 Selects the cryptographic algorithm. The value of
-\fBalgorithm\fR
-must be one of RSAMD5 or RSA, DSA, DH (Diffie Hellman), or HMAC\-MD5. These values are case insensitive.
-.sp
-Note that for DNSSEC, DSA is a mandatory to implement algorithm, and RSA is recommended. For TSIG, HMAC\-MD5 is mandatory.
-.RE
-.PP
-\-b \fIkeysize\fR
-.RS 4
-Specifies the number of bits in the key. The choice of key size depends on the algorithm used. RSA keys must be between 512 and 2048 bits. Diffie Hellman keys must be between 128 and 4096 bits. DSA keys must be between 512 and 1024 bits and an exact multiple of 64. HMAC\-MD5 keys must be between 1 and 512 bits.
-.RE
-.PP
-\-n \fInametype\fR
-.RS 4
+\fBalgorithm\fR must be one of RSAMD5 or RSA,
+DSA, DH (Diffie Hellman), or HMAC-MD5. These values
+are case insensitive.
+
+Note that for DNSSEC, DSA is a mandatory to implement algorithm,
+and RSA is recommended. For TSIG, HMAC-MD5 is mandatory.
+.TP
+\fB-b \fIkeysize\fB\fR
+Specifies the number of bits in the key. The choice of key
+size depends on the algorithm used. RSA keys must be between
+512 and 2048 bits. Diffie Hellman keys must be between
+128 and 4096 bits. DSA keys must be between 512 and 1024
+bits and an exact multiple of 64. HMAC-MD5 keys must be
+between 1 and 512 bits.
+.TP
+\fB-n \fInametype\fB\fR
 Specifies the owner type of the key. The value of
-\fBnametype\fR
-must either be ZONE (for a DNSSEC zone key), HOST or ENTITY (for a key associated with a host), or USER (for a key associated with a user). These values are case insensitive.
-.RE
-.PP
-\-c \fIclass\fR
-.RS 4
-Indicates that the DNS record containing the key should have the specified class. If not specified, class IN is used.
-.RE
-.PP
-\-e
-.RS 4
+\fBnametype\fR must either be ZONE (for a DNSSEC
+zone key), HOST or ENTITY (for a key associated with a host),
+or USER (for a key associated with a user). These values are
+case insensitive.
+.TP
+\fB-c \fIclass\fB\fR
+Indicates that the DNS record containing the key should have
+the specified class. If not specified, class IN is used.
+.TP
+\fB-e\fR
 If generating an RSA key, use a large exponent.
-.RE
-.PP
-\-g \fIgenerator\fR
-.RS 4
-If generating a Diffie Hellman key, use this generator. Allowed values are 2 and 5. If no generator is specified, a known prime from RFC 2539 will be used if possible; otherwise the default is 2.
-.RE
-.PP
-\-h
-.RS 4
+.TP
+\fB-f \fIflag\fB\fR
+Set the specified flag in the flag field of the key record.
+The only recognized flag is KSK (Key Signing Key).
+.TP
+\fB-g \fIgenerator\fB\fR
+If generating a Diffie Hellman key, use this generator.
+Allowed values are 2 and 5. If no generator
+is specified, a known prime from RFC 2539 will be used
+if possible; otherwise the default is 2.
+.TP
+\fB-h\fR
 Prints a short summary of the options and arguments to
-\fBdnssec\-keygen\fR.
-.RE
-.PP
-\-p \fIprotocol\fR
-.RS 4
-Sets the protocol value for the generated key. The protocol is a number between 0 and 255. The default is 2 (email) for keys of type USER and 3 (DNSSEC) for all other key types. Other possible values for this argument are listed in RFC 2535 and its successors.
-.RE
-.PP
-\-r \fIrandomdev\fR
-.RS 4
-Specifies the source of randomness. If the operating system does not provide a
-\fI/dev/random\fR
-or equivalent device, the default source of randomness is keyboard input.
-\fIrandomdev\fR
-specifies the name of a character device or file containing random data to be used instead of the default. The special value
-\fIkeyboard\fR
-indicates that keyboard input should be used.
-.RE
-.PP
-\-s \fIstrength\fR
-.RS 4
-Specifies the strength value of the key. The strength is a number between 0 and 15, and currently has no defined purpose in DNSSEC.
-.RE
-.PP
-\-t \fItype\fR
-.RS 4
-Indicates the use of the key.
-\fBtype\fR
-must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH refers to the ability to authenticate data, and CONF the ability to encrypt data.
-.RE
-.PP
-\-v \fIlevel\fR
-.RS 4
+\fBdnssec-keygen\fR.
+.TP
+\fB-p \fIprotocol\fB\fR
+Sets the protocol value for the generated key. The protocol
+is a number between 0 and 255. The default is 3 (DNSSEC).
+Other possible values for this argument are listed in
+RFC 2535 and its successors.
+.TP
+\fB-r \fIrandomdev\fB\fR
+Specifies the source of randomness. If the operating
+system does not provide a \fI/dev/random\fR
+or equivalent device, the default source of randomness
+is keyboard input. \fIrandomdev\fR specifies
+the name of a character device or file containing random
+data to be used instead of the default. The special value
+\fIkeyboard\fR indicates that keyboard
+input should be used.
+.TP
+\fB-s \fIstrength\fB\fR
+Specifies the strength value of the key. The strength is
+a number between 0 and 15, and currently has no defined
+purpose in DNSSEC.
+.TP
+\fB-t \fItype\fB\fR
+Indicates the use of the key. \fBtype\fR must be
+one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
+is AUTHCONF. AUTH refers to the ability to authenticate
+data, and CONF the ability to encrypt data.
+.TP
+\fB-v \fIlevel\fB\fR
 Sets the debugging level.
-.RE
 .SH "GENERATED KEYS"
 .PP
-When
-\fBdnssec\-keygen\fR
-completes successfully, it prints a string of the form
-\fIKnnnn.+aaa+iiiii\fR
-to the standard output. This is an identification string for the key it has generated. These strings can be used as arguments to
-\fBdnssec\-makekeyset\fR.
-.TP 4
+When \fBdnssec-keygen\fR completes successfully,
+it prints a string of the form \fIKnnnn.+aaa+iiiii\fR
+to the standard output. This is an identification string for
+the key it has generated. These strings can be used as arguments
+to \fBdnssec-makekeyset\fR.
+.TP 0.2i
 \(bu
-\fInnnn\fR
-is the key name.
-.TP 4
+\fInnnn\fR is the key name.
+.TP 0.2i
 \(bu
-\fIaaa\fR
-is the numeric representation of the algorithm.
-.TP 4
+\fIaaa\fR is the numeric representation of the
+algorithm.
+.TP 0.2i
 \(bu
-\fIiiiii\fR
-is the key identifier (or footprint).
+\fIiiiii\fR is the key identifier (or footprint).
 .PP
-\fBdnssec\-keygen\fR
-creates two files, with names based on the printed string.
-\fIKnnnn.+aaa+iiiii.key\fR
+\fBdnssec-keygen\fR creates two file, with names based
+on the printed string. \fIKnnnn.+aaa+iiiii.key\fR
 contains the public key, and
-\fIKnnnn.+aaa+iiiii.private\fR
-contains the private key.
-.PP
-The
-\fI.key\fR
-file contains a DNS KEY record that can be inserted into a zone file (directly or with a $INCLUDE statement).
-.PP
-The
-\fI.private\fR
-file contains algorithm\-specific fields. For obvious security reasons, this file does not have general read permission.
-.PP
-Both
-\fI.key\fR
-and
-\fI.private\fR
-files are generated for symmetric encryption algorithms such as HMAC\-MD5, even though the public and private key are equivalent.
+\fIKnnnn.+aaa+iiiii.private\fR contains the private
+key.
+.PP
+.PP
+The \fI.key\fR file contains a DNS KEY record that
+can be inserted into a zone file (directly or with a $INCLUDE
+statement).
+.PP
+.PP
+The \fI.private\fR file contains algorithm specific
+fields. For obvious security reasons, this file does not have
+general read permission.
+.PP
+.PP
+Both \fI.key\fR and \fI.private\fR
+files are generated for symmetric encryption algorithm such as
+HMAC-MD5, even though the public and private key are equivalent.
+.PP
 .SH "EXAMPLE"
 .PP
-To generate a 768\-bit DSA key for the domain
-\fBexample.com\fR, the following command would be issued:
+To generate a 768-bit DSA key for the domain
+\fBexample.com\fR, the following command would be
+issued:
 .PP
-\fBdnssec\-keygen \-a DSA \-b 768 \-n ZONE example.com\fR
+\fBdnssec-keygen -a DSA -b 768 -n ZONE example.com\fR
 .PP
 The command would print a string of the form:
 .PP
 \fBKexample.com.+003+26160\fR
 .PP
-In this example,
-\fBdnssec\-keygen\fR
-creates the files
-\fIKexample.com.+003+26160.key\fR
-and
-\fIKexample.com.+003+26160.private\fR.
+In this example, \fBdnssec-keygen\fR creates
+the files \fIKexample.com.+003+26160.key\fR and
+\fIKexample.com.+003+26160.private\fR
 .SH "SEE ALSO"
 .PP
-\fBdnssec\-makekeyset\fR(8),
-\fBdnssec\-signkey\fR(8),
-\fBdnssec\-signzone\fR(8),
-BIND 9 Administrator Reference Manual,
-RFC 2535,
-RFC 2845,
-RFC 2539.
+\fBdnssec-makekeyset\fR(8),
+\fBdnssec-signkey\fR(8),
+\fBdnssec-signzone\fR(8),
+\fIBIND 9 Administrator Reference Manual\fR,
+\fIRFC 2535\fR,
+\fIRFC 2845\fR,
+\fIRFC 2539\fR.
 .SH "AUTHOR"
 .PP
-Internet Systems Consortium
-.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000, 2001 Internet Software Consortium.
-.br
+Internet Software Consortium
diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c
index 924474dc..f1e5c142 100644
--- a/bin/dnssec/dnssec-keygen.c
+++ b/bin/dnssec/dnssec-keygen.c
@@ -1,6 +1,6 @@
 /*
- * Portions Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 1999-2001  Internet Software Consortium.
+ * Portions Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2000-2003  Internet Software Consortium.
  * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -16,7 +16,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-keygen.c,v 1.48.2.4 2007/01/18 00:06:02 marka Exp $ */
+/* $Id: dnssec-keygen.c,v 1.48.2.1.10.10 2004/03/10 02:55:50 marka Exp $ */
 
 #include <config.h>
 
@@ -47,6 +47,8 @@
 const char *program = "dnssec-keygen";
 int verbose;
 
+static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 | HMAC-MD5";
+
 static isc_boolean_t
 dsa_size_ok(int size) {
 	return (ISC_TF(size >= 512 && size <= 1024 && size % 64 == 0));
@@ -57,28 +59,33 @@ usage(void) {
 	fprintf(stderr, "Usage:\n");
 	fprintf(stderr, "    %s -a alg -b bits -n type [options] name\n\n",
 		program);
+	fprintf(stderr, "Version: %s\n", VERSION);
 	fprintf(stderr, "Required options:\n");
-	fprintf(stderr, "    -a algorithm: RSA | RSAMD5 | DH | DSA | HMAC-MD5"
-		"\n");
+	fprintf(stderr, "    -a algorithm: %s\n", algs);
 	fprintf(stderr, "    -b key size, in bits:\n");
-	fprintf(stderr, "        RSA:\t\t[512..%d]\n", MAX_RSA);
+	fprintf(stderr, "        RSAMD5:\t\t[512..%d]\n", MAX_RSA);
+	fprintf(stderr, "        RSASHA1:\t\t[512..%d]\n", MAX_RSA);
 	fprintf(stderr, "        DH:\t\t[128..4096]\n");
 	fprintf(stderr, "        DSA:\t\t[512..1024] and divisible by 64\n");
 	fprintf(stderr, "        HMAC-MD5:\t[1..512]\n");
 	fprintf(stderr, "    -n nametype: ZONE | HOST | ENTITY | USER\n");
 	fprintf(stderr, "    name: owner of the key\n");
 	fprintf(stderr, "Other options:\n");
-	fprintf(stderr, "    -c class (default: IN)\n");
-	fprintf(stderr, "    -e use large exponent (RSA only)\n");
-	fprintf(stderr, "    -g use specified generator (DH only)\n");
-	fprintf(stderr, "    -t type: AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF "
-	       "(default: AUTHCONF)\n");
-	fprintf(stderr, "    -p protocol value "
-	       "(default: 2 [email] for USER, 3 [dnssec] otherwise)\n");
-	fprintf(stderr, "    -s strength value this key signs DNS records "
-		"with (default: 0)\n");
-	fprintf(stderr, "    -r randomdev (a file containing random data)\n");
-	fprintf(stderr, "    -v verbose level\n");
+	fprintf(stderr, "    -c <class> (default: IN)\n");
+	fprintf(stderr, "    -e use large exponent (RSAMD5/RSASHA1 only)\n");
+	fprintf(stderr, "    -f keyflag: KSK\n");
+	fprintf(stderr, "    -g <generator> use specified generator "
+		"(DH only)\n");
+	fprintf(stderr, "    -t <type>: "
+		"AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF "
+		"(default: AUTHCONF)\n");
+	fprintf(stderr, "    -p <protocol>: "
+	       "default: 3 [dnssec]\n");
+	fprintf(stderr, "    -s <strength> strength value this key signs DNS "
+		"records with (default: 0)\n");
+	fprintf(stderr, "    -r <randomdev>: a file containing random data\n");
+	fprintf(stderr, "    -v <verbose level>\n");
+	fprintf(stderr, "    -k : generate a TYPE=KEY key\n");
 	fprintf(stderr, "Output:\n");
 	fprintf(stderr, "     K<name>+<alg>+<id>.key, "
 		"K<name>+<alg>+<id>.private\n");
@@ -90,8 +97,7 @@ int
 main(int argc, char **argv) {
 	char		*algname = NULL, *nametype = NULL, *type = NULL;
 	char		*classname = NULL;
-	char		*randomfile = NULL;
-	char		*prog, *endp;
+	char		*endp;
 	dst_key_t	*key = NULL, *oldkey;
 	dns_fixedname_t	fname;
 	dns_name_t	*name;
@@ -108,23 +114,17 @@ main(int argc, char **argv) {
 	isc_log_t	*log = NULL;
 	isc_entropy_t	*ectx = NULL;
 	dns_rdataclass_t rdclass;
-
-	RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
-
-	if ((prog = strrchr(argv[0],'/')) == NULL)
-		prog = isc_mem_strdup(mctx, argv[0]);
-	else
-		prog = isc_mem_strdup(mctx, ++prog);
-	if (prog == NULL)
-		fatal("out of memory");
+	int		options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC;
 
 	if (argc == 1)
 		usage();
 
+	RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
+
 	dns_result_register();
 
 	while ((ch = isc_commandline_parse(argc, argv,
-					   "a:b:c:eg:n:t:p:s:hr:v:")) != -1)
+					   "a:b:c:ef:g:kn:t:p:s:r:v:h")) != -1)
 	{
 	    switch (ch) {
 		case 'a':
@@ -141,21 +141,27 @@ main(int argc, char **argv) {
 		case 'e':
 			rsa_exp = 1;
 			break;
+		case 'f':
+			if (strcasecmp(isc_commandline_argument, "KSK") == 0)
+				flags |= DNS_KEYFLAG_KSK;
+			else
+				fatal("unknown flag '%s'",
+				      isc_commandline_argument);
+			break;
 		case 'g':
 			generator = strtol(isc_commandline_argument,
 					   &endp, 10);
 			if (*endp != '\0' || generator <= 0)
 				fatal("-g requires a positive number");
 			break;
+		case 'k':
+			options |= DST_TYPE_KEY;
+			break;
 		case 'n':
 			nametype = isc_commandline_argument;
-			if (nametype == NULL)
-				fatal("out of memory");
 			break;
 		case 't':
 			type = isc_commandline_argument;
-			if (type == NULL)
-				fatal("out of memory");
 			break;
 		case 'p':
 			protocol = strtol(isc_commandline_argument, &endp, 10);
@@ -171,7 +177,7 @@ main(int argc, char **argv) {
 				      "[0..15]");
 			break;
 		case 'r':
-			randomfile = isc_commandline_argument;
+			setup_entropy(mctx, isc_commandline_argument, &ectx);
 			break;
 		case 'v':
 			endp = NULL;
@@ -189,7 +195,8 @@ main(int argc, char **argv) {
 		}
 	}
 
-	setup_entropy(mctx, randomfile, &ectx);
+	if (ectx == NULL)
+		setup_entropy(mctx, NULL, &ectx);
 	ret = dst_lib_init(mctx, ectx,
 			   ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
 	if (ret != ISC_R_SUCCESS)
@@ -204,9 +211,7 @@ main(int argc, char **argv) {
 
 	if (algname == NULL)
 		fatal("no algorithm was specified");
-	if (strcasecmp(algname, "RSA") == 0)
-		alg = DNS_KEYALG_RSA;
-	else if (strcasecmp(algname, "HMAC-MD5") == 0)
+	if (strcasecmp(algname, "HMAC-MD5") == 0)
 		alg = DST_ALG_HMACMD5;
 	else {
 		r.base = algname;
@@ -236,7 +241,8 @@ main(int argc, char **argv) {
 		fatal("key size not specified (-b option)");
 
 	switch (alg) {
-	case DNS_KEYALG_RSA:
+	case DNS_KEYALG_RSAMD5:
+	case DNS_KEYALG_RSASHA1:
 		if (size != 0 && (size < 512 || size > MAX_RSA))
 			fatal("RSA key size %d out of range", size);
 		break;
@@ -246,7 +252,7 @@ main(int argc, char **argv) {
 		break;
 	case DNS_KEYALG_DSA:
 		if (size != 0 && !dsa_size_ok(size))
-			fatal("Invalid DSS key size: %d", size);
+			fatal("invalid DSS key size: %d", size);
 		break;
 	case DST_ALG_HMACMD5:
 		if (size < 1 || size > 512)
@@ -254,11 +260,12 @@ main(int argc, char **argv) {
 		break;
 	}
 
-	if (alg != DNS_KEYALG_RSA && rsa_exp != 0)
-		fatal("specified RSA exponent without RSA");
+	if (!(alg == DNS_KEYALG_RSAMD5 || alg == DNS_KEYALG_RSASHA1) &&
+	    rsa_exp != 0)
+		fatal("specified RSA exponent for a non-RSA key");
 
 	if (alg != DNS_KEYALG_DH && generator != 0)
-		fatal("specified DH generator without DH");
+		fatal("specified DH generator for a non-DH key");
 
 	if (nametype == NULL)
 		fatal("no nametype specified");
@@ -272,31 +279,25 @@ main(int argc, char **argv) {
 	else
 		fatal("invalid nametype %s", nametype);
 
-	if (classname != NULL) {
-		r.base = classname;
-		r.length = strlen(classname);
-		ret = dns_rdataclass_fromtext(&rdclass, &r);
-		if (ret != ISC_R_SUCCESS)
-			fatal("unknown class %s",classname);
-	} else 
-		rdclass = dns_rdataclass_in;
+	rdclass = strtoclass(classname);
 
 	flags |= signatory;
 
-	if (protocol == -1) {
-		if ((flags & DNS_KEYFLAG_OWNERMASK) == DNS_KEYOWNER_USER)
-			protocol = DNS_KEYPROTO_EMAIL;
-		else
-			protocol = DNS_KEYPROTO_DNSSEC;
-	}
+	if (protocol == -1)
+		protocol = DNS_KEYPROTO_DNSSEC;
 
 	if ((flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY) {
 		if (size > 0)
-			fatal("Specified null key with non-zero size");
+			fatal("specified null key with non-zero size");
 		if ((flags & DNS_KEYFLAG_SIGNATORYMASK) != 0)
-			fatal("Specified null key with signing authority");
+			fatal("specified null key with signing authority");
 	}
 
+	if ((flags & DNS_KEYFLAG_OWNERMASK) == DNS_KEYOWNER_ZONE &&
+	    (alg == DNS_KEYALG_DH || alg == DST_ALG_HMACMD5))
+		fatal("a key with algorithm '%s' cannot be a zone key",
+		      algname);
+
 	dns_fixedname_init(&fname);
 	name = dns_fixedname_name(&fname);
 	isc_buffer_init(&buf, argv[isc_commandline_index],
@@ -304,11 +305,12 @@ main(int argc, char **argv) {
 	isc_buffer_add(&buf, strlen(argv[isc_commandline_index]));
 	ret = dns_name_fromtext(name, &buf, dns_rootname, ISC_FALSE, NULL);
 	if (ret != ISC_R_SUCCESS)
-		fatal("Invalid key name %s: %s", argv[isc_commandline_index],
+		fatal("invalid key name %s: %s", argv[isc_commandline_index],
 		      isc_result_totext(ret));
 
 	switch(alg) {
-	case DNS_KEYALG_RSA:
+	case DNS_KEYALG_RSAMD5:
+	case DNS_KEYALG_RSASHA1:
 		param = rsa_exp;
 		break;
 	case DNS_KEYALG_DH:
@@ -337,8 +339,8 @@ main(int argc, char **argv) {
 		if (ret != ISC_R_SUCCESS) {
 			char namestr[DNS_NAME_FORMATSIZE];
 			char algstr[ALG_FORMATSIZE];
-			dns_name_format(name, namestr, sizeof namestr);
-			alg_format(alg, algstr, sizeof algstr);
+			dns_name_format(name, namestr, sizeof(namestr));
+			alg_format(alg, algstr, sizeof(algstr));
 			fatal("failed to generate key %s/%s: %s\n",
 			      namestr, algstr, isc_result_totext(ret));
 			exit(-1);
@@ -377,10 +379,10 @@ main(int argc, char **argv) {
 		fatal("cannot generate a null key when a key with id 0 "
 		      "already exists");
 
-	ret = dst_key_tofile(key, DST_TYPE_PUBLIC | DST_TYPE_PRIVATE, NULL);
+	ret = dst_key_tofile(key, options, NULL);
 	if (ret != ISC_R_SUCCESS) {
 		char keystr[KEY_FORMATSIZE];
-		key_format(key, keystr, sizeof keystr);
+		key_format(key, keystr, sizeof(keystr));
 		fatal("failed to write key %s: %s\n", keystr,
 		      isc_result_totext(ret));
 	}
@@ -388,7 +390,6 @@ main(int argc, char **argv) {
 	isc_buffer_clear(&buf);
 	ret = dst_key_buildfilename(key, 0, NULL, &buf);
 	printf("%s\n", filename);
-	isc_mem_free(mctx, prog);
 	dst_key_free(&key);
 
 	cleanup_logging(&log);
diff --git a/bin/dnssec/dnssec-keygen.docbook b/bin/dnssec/dnssec-keygen.docbook
index ea8611cc..548c3b15 100644
--- a/bin/dnssec/dnssec-keygen.docbook
+++ b/bin/dnssec/dnssec-keygen.docbook
@@ -1,9 +1,7 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
 <!--
- - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001  Internet Software Consortium.
+ - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001-2003  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -18,7 +16,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: dnssec-keygen.docbook,v 1.3.2.7 2007/05/09 02:11:44 marka Exp $ -->
+<!-- $Id: dnssec-keygen.docbook,v 1.3.12.4 2004/03/08 04:04:16 marka Exp $ -->
 
 <refentry>
   <refentryinfo>
@@ -31,20 +29,6 @@
     <refmiscinfo>BIND9</refmiscinfo>
   </refmeta>
 
-  <docinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2007</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
-  </docinfo>
-
   <refnamediv>
     <refname><application>dnssec-keygen</application></refname>
     <refpurpose>DNSSEC key generation tool</refpurpose>
@@ -58,6 +42,7 @@
       <arg choice="req">-n <replaceable class="parameter">nametype</replaceable></arg>
       <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
       <arg><option>-e</option></arg>
+      <arg><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
       <arg><option>-g <replaceable class="parameter">generator</replaceable></option></arg>
       <arg><option>-h</option></arg>
       <arg><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
@@ -146,6 +131,16 @@
       </varlistentry>
 
       <varlistentry>
+        <term>-f <replaceable class="parameter">flag</replaceable></term>
+	<listitem>
+	  <para>
+		Set the specified flag in the flag field of the key record.
+		The only recognized flag is KSK (Key Signing Key).
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
         <term>-g <replaceable class="parameter">generator</replaceable></term>
 	<listitem>
 	  <para>
@@ -172,8 +167,7 @@
 	<listitem>
 	  <para>
 	       Sets the protocol value for the generated key.  The protocol
-	       is a number between 0 and 255.  The default is 2 (email) for
-	       keys of type USER and 3 (DNSSEC) for all other key types.
+	       is a number between 0 and 255.  The default is 3 (DNSSEC).
 	       Other possible values for this argument are listed in
 	       RFC 2535 and its successors.
 	  </para>
@@ -259,7 +253,7 @@
       </listitem>
     </itemizedlist>
     <para>
-        <command>dnssec-keygen</command> creates two files, with names based
+        <command>dnssec-keygen</command> creates two file, with names based
 	on the printed string.  <filename>Knnnn.+aaa+iiiii.key</filename>
 	contains the public key, and
 	<filename>Knnnn.+aaa+iiiii.private</filename> contains the private
@@ -271,13 +265,13 @@
 	statement).
     </para>
     <para>
-        The <filename>.private</filename> file contains algorithm-specific
+        The <filename>.private</filename> file contains algorithm specific
 	fields.  For obvious security reasons, this file does not have
 	general read permission.
     </para>
     <para>
         Both <filename>.key</filename> and <filename>.private</filename>
-	files are generated for symmetric encryption algorithms such as
+	files are generated for symmetric encryption algorithm such as
 	HMAC-MD5, even though the public and private key are equivalent.
     </para>
   </refsect1>
@@ -301,7 +295,7 @@
     <para>
         In this example, <command>dnssec-keygen</command> creates
 	the files <filename>Kexample.com.+003+26160.key</filename> and
-	<filename>Kexample.com.+003+26160.private</filename>.
+	<filename>Kexample.com.+003+26160.private</filename>
     </para>
   </refsect1>
 
@@ -330,7 +324,7 @@
   <refsect1>
     <title>AUTHOR</title>
     <para>
-        <corpauthor>Internet Systems Consortium</corpauthor>
+        <corpauthor>Internet Software Consortium</corpauthor>
     </para>
   </refsect1>
 
diff --git a/bin/dnssec/dnssec-keygen.html b/bin/dnssec/dnssec-keygen.html
index 11b98646..b90939d9 100644
--- a/bin/dnssec/dnssec-keygen.html
+++ b/bin/dnssec/dnssec-keygen.html
@@ -1,220 +1,595 @@
 <!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- - 
+ - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001-2003  Internet Software Consortium.
+ -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
- - 
+ -
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: dnssec-keygen.html,v 1.5.2.16 2007/05/09 03:32:21 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>dnssec-keygen</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476275"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p><span class="application">dnssec-keygen</span> &#8212; DNSSEC key generation tool</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code>  {-a <em class="replaceable"><code>algorithm</code></em>} {-b <em class="replaceable"><code>keysize</code></em>} {-n <em class="replaceable"><code>nametype</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-e</code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543443"></a><h2>DESCRIPTION</h2>
-<p>
-        <span><strong class="command">dnssec-keygen</strong></span> generates keys for DNSSEC
+
+<!-- $Id: dnssec-keygen.html,v 1.5.2.1.4.3 2004/03/08 04:04:17 marka Exp $ -->
+
+<HTML
+><HEAD
+><TITLE
+>dnssec-keygen</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.73
+"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+><SPAN
+CLASS="APPLICATION"
+>dnssec-keygen</SPAN
+></A
+></H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN9"
+></A
+><H2
+>Name</H2
+><SPAN
+CLASS="APPLICATION"
+>dnssec-keygen</SPAN
+>&nbsp;--&nbsp;DNSSEC key generation tool</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN13"
+></A
+><H2
+>Synopsis</H2
+><P
+><B
+CLASS="COMMAND"
+>dnssec-keygen</B
+>  {-a <TT
+CLASS="REPLACEABLE"
+><I
+>algorithm</I
+></TT
+>} {-b <TT
+CLASS="REPLACEABLE"
+><I
+>keysize</I
+></TT
+>} {-n <TT
+CLASS="REPLACEABLE"
+><I
+>nametype</I
+></TT
+>} [<TT
+CLASS="OPTION"
+>-c <TT
+CLASS="REPLACEABLE"
+><I
+>class</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-e</TT
+>] [<TT
+CLASS="OPTION"
+>-f <TT
+CLASS="REPLACEABLE"
+><I
+>flag</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-g <TT
+CLASS="REPLACEABLE"
+><I
+>generator</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-h</TT
+>] [<TT
+CLASS="OPTION"
+>-p <TT
+CLASS="REPLACEABLE"
+><I
+>protocol</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-r <TT
+CLASS="REPLACEABLE"
+><I
+>randomdev</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-s <TT
+CLASS="REPLACEABLE"
+><I
+>strength</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-t <TT
+CLASS="REPLACEABLE"
+><I
+>type</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-v <TT
+CLASS="REPLACEABLE"
+><I
+>level</I
+></TT
+></TT
+>] {name}</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN51"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+>        <B
+CLASS="COMMAND"
+>dnssec-keygen</B
+> generates keys for DNSSEC
 	(Secure DNS), as defined in RFC 2535.  It can also generate
 	keys for use with TSIG (Transaction Signatures), as
 	defined in RFC 2845.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543456"></a><h2>OPTIONS</h2>
-<div class="variablelist"><dl>
-<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
-<dd>
-<p>
-	      Selects the cryptographic algorithm.  The value of
-	      <code class="option">algorithm</code> must be one of RSAMD5 or RSA,
+    </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN55"
+></A
+><H2
+>OPTIONS</H2
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+>-a <TT
+CLASS="REPLACEABLE"
+><I
+>algorithm</I
+></TT
+></DT
+><DD
+><P
+>	      Selects the cryptographic algorithm.  The value of
+	      <TT
+CLASS="OPTION"
+>algorithm</TT
+> must be one of RSAMD5 or RSA,
 	      DSA, DH (Diffie Hellman), or HMAC-MD5.  These values
 	      are case insensitive.
-	  </p>
-<p>
-	      Note that for DNSSEC, DSA is a mandatory to implement algorithm,
+	  </P
+><P
+>	      Note that for DNSSEC, DSA is a mandatory to implement algorithm,
 	      and RSA is recommended.  For TSIG, HMAC-MD5 is mandatory.
-	  </p>
-</dd>
-<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
-<dd><p>
-	       Specifies the number of bits in the key.  The choice of key
+	  </P
+></DD
+><DT
+>-b <TT
+CLASS="REPLACEABLE"
+><I
+>keysize</I
+></TT
+></DT
+><DD
+><P
+>	       Specifies the number of bits in the key.  The choice of key
 	       size depends on the algorithm used.  RSA keys must be between
 	       512 and 2048 bits.  Diffie Hellman keys must be between
 	       128 and 4096 bits.  DSA keys must be between 512 and 1024
 	       bits and an exact multiple of 64.  HMAC-MD5 keys must be
 	       between 1 and 512 bits.
-	  </p></dd>
-<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
-<dd><p>
-	       Specifies the owner type of the key.  The value of
-	       <code class="option">nametype</code> must either be ZONE (for a DNSSEC
+	  </P
+></DD
+><DT
+>-n <TT
+CLASS="REPLACEABLE"
+><I
+>nametype</I
+></TT
+></DT
+><DD
+><P
+>	       Specifies the owner type of the key.  The value of
+	       <TT
+CLASS="OPTION"
+>nametype</TT
+> must either be ZONE (for a DNSSEC
 	       zone key), HOST or ENTITY (for a key associated with a host),
 	       or USER (for a key associated with a user).  These values are
 	       case insensitive.
-	  </p></dd>
-<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
-<dd><p>
-	       Indicates that the DNS record containing the key should have
+	  </P
+></DD
+><DT
+>-c <TT
+CLASS="REPLACEABLE"
+><I
+>class</I
+></TT
+></DT
+><DD
+><P
+>	       Indicates that the DNS record containing the key should have
 	       the specified class.  If not specified, class IN is used.
-	  </p></dd>
-<dt><span class="term">-e</span></dt>
-<dd><p>
-	       If generating an RSA key, use a large exponent.
-	  </p></dd>
-<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
-<dd><p>
-	       If generating a Diffie Hellman key, use this generator.
+	  </P
+></DD
+><DT
+>-e</DT
+><DD
+><P
+>	       If generating an RSA key, use a large exponent.
+	  </P
+></DD
+><DT
+>-f <TT
+CLASS="REPLACEABLE"
+><I
+>flag</I
+></TT
+></DT
+><DD
+><P
+>		Set the specified flag in the flag field of the key record.
+		The only recognized flag is KSK (Key Signing Key).
+	  </P
+></DD
+><DT
+>-g <TT
+CLASS="REPLACEABLE"
+><I
+>generator</I
+></TT
+></DT
+><DD
+><P
+>	       If generating a Diffie Hellman key, use this generator.
 	       Allowed values are 2 and 5.  If no generator
 	       is specified, a known prime from RFC 2539 will be used
 	       if possible; otherwise the default is 2.
-	  </p></dd>
-<dt><span class="term">-h</span></dt>
-<dd><p>
-	       Prints a short summary of the options and arguments to
-	       <span><strong class="command">dnssec-keygen</strong></span>.
-	  </p></dd>
-<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
-<dd><p>
-	       Sets the protocol value for the generated key.  The protocol
-	       is a number between 0 and 255.  The default is 2 (email) for
-	       keys of type USER and 3 (DNSSEC) for all other key types.
+	  </P
+></DD
+><DT
+>-h</DT
+><DD
+><P
+>	       Prints a short summary of the options and arguments to
+	       <B
+CLASS="COMMAND"
+>dnssec-keygen</B
+>.
+	  </P
+></DD
+><DT
+>-p <TT
+CLASS="REPLACEABLE"
+><I
+>protocol</I
+></TT
+></DT
+><DD
+><P
+>	       Sets the protocol value for the generated key.  The protocol
+	       is a number between 0 and 255.  The default is 3 (DNSSEC).
 	       Other possible values for this argument are listed in
 	       RFC 2535 and its successors.
-	  </p></dd>
-<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
-<dd><p>
-	       Specifies the source of randomness.  If the operating
-	       system does not provide a <code class="filename">/dev/random</code>
+	  </P
+></DD
+><DT
+>-r <TT
+CLASS="REPLACEABLE"
+><I
+>randomdev</I
+></TT
+></DT
+><DD
+><P
+>	       Specifies the source of randomness.  If the operating
+	       system does not provide a <TT
+CLASS="FILENAME"
+>/dev/random</TT
+>
 	       or equivalent device, the default source of randomness
-	       is keyboard input.  <code class="filename">randomdev</code> specifies
+	       is keyboard input.  <TT
+CLASS="FILENAME"
+>randomdev</TT
+> specifies
 	       the name of a character device or file containing random
 	       data to be used instead of the default.  The special value
-	       <code class="filename">keyboard</code> indicates that keyboard
+	       <TT
+CLASS="FILENAME"
+>keyboard</TT
+> indicates that keyboard
 	       input should be used.
-	  </p></dd>
-<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
-<dd><p>
-	       Specifies the strength value of the key.  The strength is
+	  </P
+></DD
+><DT
+>-s <TT
+CLASS="REPLACEABLE"
+><I
+>strength</I
+></TT
+></DT
+><DD
+><P
+>	       Specifies the strength value of the key.  The strength is
 	       a number between 0 and 15, and currently has no defined
 	       purpose in DNSSEC.
-	  </p></dd>
-<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
-<dd><p>
-	       Indicates the use of the key.  <code class="option">type</code> must be
+	  </P
+></DD
+><DT
+>-t <TT
+CLASS="REPLACEABLE"
+><I
+>type</I
+></TT
+></DT
+><DD
+><P
+>	       Indicates the use of the key.  <TT
+CLASS="OPTION"
+>type</TT
+> must be
 	       one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF.  The default
 	       is AUTHCONF.  AUTH refers to the ability to authenticate
 	       data, and CONF the ability to encrypt data.
-	  </p></dd>
-<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
-<dd><p>
-	       Sets the debugging level.
-	  </p></dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543691"></a><h2>GENERATED KEYS</h2>
-<p>
-        When <span><strong class="command">dnssec-keygen</strong></span> completes successfully,
-	it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
+	  </P
+></DD
+><DT
+>-v <TT
+CLASS="REPLACEABLE"
+><I
+>level</I
+></TT
+></DT
+><DD
+><P
+>	       Sets the debugging level.
+	  </P
+></DD
+></DL
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN129"
+></A
+><H2
+>GENERATED KEYS</H2
+><P
+>        When <B
+CLASS="COMMAND"
+>dnssec-keygen</B
+> completes successfully,
+	it prints a string of the form <TT
+CLASS="FILENAME"
+>Knnnn.+aaa+iiiii</TT
+>
 	to the standard output.  This is an identification string for
 	the key it has generated.  These strings can be used as arguments
-	to <span><strong class="command">dnssec-makekeyset</strong></span>.
-    </p>
-<div class="itemizedlist"><ul type="disc">
-<li><p>
-          <code class="filename">nnnn</code> is the key name.
-        </p></li>
-<li><p>
-          <code class="filename">aaa</code> is the numeric representation of the
+	to <B
+CLASS="COMMAND"
+>dnssec-makekeyset</B
+>.
+    </P
+><P
+></P
+><UL
+><LI
+><P
+>          <TT
+CLASS="FILENAME"
+>nnnn</TT
+> is the key name.
+        </P
+></LI
+><LI
+><P
+>          <TT
+CLASS="FILENAME"
+>aaa</TT
+> is the numeric representation of the
           algorithm.
-        </p></li>
-<li><p>
-          <code class="filename">iiiii</code> is the key identifier (or footprint).
-        </p></li>
-</ul></div>
-<p>
-        <span><strong class="command">dnssec-keygen</strong></span> creates two files, with names based
-	on the printed string.  <code class="filename">Knnnn.+aaa+iiiii.key</code>
+        </P
+></LI
+><LI
+><P
+>          <TT
+CLASS="FILENAME"
+>iiiii</TT
+> is the key identifier (or footprint).
+        </P
+></LI
+></UL
+><P
+>        <B
+CLASS="COMMAND"
+>dnssec-keygen</B
+> creates two file, with names based
+	on the printed string.  <TT
+CLASS="FILENAME"
+>Knnnn.+aaa+iiiii.key</TT
+>
 	contains the public key, and
-	<code class="filename">Knnnn.+aaa+iiiii.private</code> contains the private
+	<TT
+CLASS="FILENAME"
+>Knnnn.+aaa+iiiii.private</TT
+> contains the private
 	key.
-    </p>
-<p>
-        The <code class="filename">.key</code> file contains a DNS KEY record that
+    </P
+><P
+>        The <TT
+CLASS="FILENAME"
+>.key</TT
+> file contains a DNS KEY record that
 	can be inserted into a zone file (directly or with a $INCLUDE
 	statement).
-    </p>
-<p>
-        The <code class="filename">.private</code> file contains algorithm-specific
+    </P
+><P
+>        The <TT
+CLASS="FILENAME"
+>.private</TT
+> file contains algorithm specific
 	fields.  For obvious security reasons, this file does not have
 	general read permission.
-    </p>
-<p>
-        Both <code class="filename">.key</code> and <code class="filename">.private</code>
-	files are generated for symmetric encryption algorithms such as
+    </P
+><P
+>        Both <TT
+CLASS="FILENAME"
+>.key</TT
+> and <TT
+CLASS="FILENAME"
+>.private</TT
+>
+	files are generated for symmetric encryption algorithm such as
 	HMAC-MD5, even though the public and private key are equivalent.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543783"></a><h2>EXAMPLE</h2>
-<p>
-        To generate a 768-bit DSA key for the domain
-	<strong class="userinput"><code>example.com</code></strong>, the following command would be
+    </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN156"
+></A
+><H2
+>EXAMPLE</H2
+><P
+>        To generate a 768-bit DSA key for the domain
+	<TT
+CLASS="USERINPUT"
+><B
+>example.com</B
+></TT
+>, the following command would be
 	issued:
-    </p>
-<p>
-        <strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong>
-    </p>
-<p>
-        The command would print a string of the form:
-    </p>
-<p>
-        <strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
-    </p>
-<p>
-        In this example, <span><strong class="command">dnssec-keygen</strong></span> creates
-	the files <code class="filename">Kexample.com.+003+26160.key</code> and
-	<code class="filename">Kexample.com.+003+26160.private</code>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543829"></a><h2>SEE ALSO</h2>
-<p>
-      <span class="citerefentry"><span class="refentrytitle">dnssec-makekeyset</span>(8)</span>,
-      <span class="citerefentry"><span class="refentrytitle">dnssec-signkey</span>(8)</span>,
-      <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
-      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
-      <em class="citetitle">RFC 2535</em>,
-      <em class="citetitle">RFC 2845</em>,
-      <em class="citetitle">RFC 2539</em>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543881"></a><h2>AUTHOR</h2>
-<p>
-        <span class="corpauthor">Internet Systems Consortium</span>
-    </p>
-</div>
-</div></body>
-</html>
+    </P
+><P
+>        <TT
+CLASS="USERINPUT"
+><B
+>dnssec-keygen -a DSA -b 768 -n ZONE example.com</B
+></TT
+>
+    </P
+><P
+>        The command would print a string of the form:
+    </P
+><P
+>        <TT
+CLASS="USERINPUT"
+><B
+>Kexample.com.+003+26160</B
+></TT
+>
+    </P
+><P
+>        In this example, <B
+CLASS="COMMAND"
+>dnssec-keygen</B
+> creates
+	the files <TT
+CLASS="FILENAME"
+>Kexample.com.+003+26160.key</TT
+> and
+	<TT
+CLASS="FILENAME"
+>Kexample.com.+003+26160.private</TT
+>
+    </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN169"
+></A
+><H2
+>SEE ALSO</H2
+><P
+>      <SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>dnssec-makekeyset</SPAN
+>(8)</SPAN
+>,
+      <SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>dnssec-signkey</SPAN
+>(8)</SPAN
+>,
+      <SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>dnssec-signzone</SPAN
+>(8)</SPAN
+>,
+      <I
+CLASS="CITETITLE"
+>BIND 9 Administrator Reference Manual</I
+>,
+      <I
+CLASS="CITETITLE"
+>RFC 2535</I
+>,
+      <I
+CLASS="CITETITLE"
+>RFC 2845</I
+>,
+      <I
+CLASS="CITETITLE"
+>RFC 2539</I
+>.
+    </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN185"
+></A
+><H2
+>AUTHOR</H2
+><P
+>        Internet Software Consortium
+    </P
+></DIV
+></BODY
+></HTML
+>
diff --git a/bin/dnssec/dnssec-makekeyset.8 b/bin/dnssec/dnssec-makekeyset.8
index 903c077e..0189b31e 100644
--- a/bin/dnssec/dnssec-makekeyset.8
+++ b/bin/dnssec/dnssec-makekeyset.8
@@ -1,141 +1,113 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
-.\" 
+.\" Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
+.\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
 .\" copyright notice and this permission notice appear in all copies.
-.\" 
+.\"
 .\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 .\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 .\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 .\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dnssec-makekeyset.8,v 1.16.2.9 2006/12/12 01:42:53 marka Exp $
-.\"
-.hy 0
-.ad l
-.\"     Title: dnssec\-makekeyset
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: June 30, 2000
-.\"    Manual: BIND9
-.\"    Source: BIND9
+.\" $Id: dnssec-makekeyset.8,v 1.16.2.2.4.1 2004/03/06 07:41:39 marka Exp $
 .\"
-.TH "DNSSEC\-MAKEKEYSET" "8" "June 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-dnssec\-makekeyset \- DNSSEC zone signing tool
-.SH "SYNOPSIS"
-.HP 18
-\fBdnssec\-makekeyset\fR [\fB\-a\fR] [\fB\-s\ \fR\fB\fIstart\-time\fR\fR] [\fB\-e\ \fR\fB\fIend\-time\fR\fR] [\fB\-h\fR] [\fB\-p\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-t\fR\fIttl\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {key...}
+.TH "DNSSEC-MAKEKEYSET" "8" "June 30, 2000" "BIND9" ""
+.SH NAME
+dnssec-makekeyset \- DNSSEC zone signing tool
+.SH SYNOPSIS
+.sp
+\fBdnssec-makekeyset\fR [ \fB-a\fR ]  [ \fB-s \fIstart-time\fB\fR ]  [ \fB-e \fIend-time\fB\fR ]  [ \fB-h\fR ]  [ \fB-p\fR ]  [ \fB-r \fIrandomdev\fB\fR ]  [ \fB-t\fIttl\fB\fR ]  [ \fB-v \fIlevel\fB\fR ]  \fBkey\fR\fI...\fR
 .SH "DESCRIPTION"
 .PP
-\fBdnssec\-makekeyset\fR
-generates a key set from one or more keys created by
-\fBdnssec\-keygen\fR. It creates a file containing a KEY record for each key, and self\-signs the key set with each zone key. The output file is of the form
-\fIkeyset\-nnnn.\fR, where
-\fInnnn\fR
+\fBdnssec-makekeyset\fR generates a key set from one
+or more keys created by \fBdnssec-keygen\fR. It creates
+a file containing a KEY record for each key, and self-signs the key
+set with each zone key. The output file is of the form
+\fIkeyset-nnnn.\fR, where \fInnnn\fR
 is the zone name.
 .SH "OPTIONS"
-.PP
-\-a
-.RS 4
+.TP
+\fB-a\fR
 Verify all generated signatures.
-.RE
-.PP
-\-s \fIstart\-time\fR
-.RS 4
-Specify the date and time when the generated SIG records become valid. This can be either an absolute or relative time. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation; 20000530144500 denotes 14:45:00 UTC on May 30th, 2000. A relative start time is indicated by +N, which is N seconds from the current time. If no
-\fBstart\-time\fR
-is specified, the current time is used.
-.RE
-.PP
-\-e \fIend\-time\fR
-.RS 4
-Specify the date and time when the generated SIG records expire. As with
-\fBstart\-time\fR, an absolute time is indicated in YYYYMMDDHHMMSS notation. A time relative to the start time is indicated with +N, which is N seconds from the start time. A time relative to the current time is indicated with now+N. If no
-\fBend\-time\fR
-is specified, 30 days from the start time is used as a default.
-.RE
-.PP
-\-h
-.RS 4
+.TP
+\fB-s \fIstart-time\fB\fR
+Specify the date and time when the generated SIG records
+become valid. This can be either an absolute or relative
+time. An absolute start time is indicated by a number
+in YYYYMMDDHHMMSS notation; 20000530144500 denotes
+14:45:00 UTC on May 30th, 2000. A relative start time is
+indicated by +N, which is N seconds from the current time.
+If no \fBstart-time\fR is specified, the current
+time is used.
+.TP
+\fB-e \fIend-time\fB\fR
+Specify the date and time when the generated SIG records
+expire. As with \fBstart-time\fR, an absolute
+time is indicated in YYYYMMDDHHMMSS notation. A time relative
+to the start time is indicated with +N, which is N seconds from
+the start time. A time relative to the current time is
+indicated with now+N. If no \fBend-time\fR is
+specified, 30 days from the start time is used as a default.
+.TP
+\fB-h\fR
 Prints a short summary of the options and arguments to
-\fBdnssec\-makekeyset\fR.
-.RE
-.PP
-\-p
-.RS 4
-Use pseudo\-random data when signing the zone. This is faster, but less secure, than using real random data. This option may be useful when signing large zones or when the entropy source is limited.
-.RE
-.PP
-\-r \fIrandomdev\fR
-.RS 4
-Specifies the source of randomness. If the operating system does not provide a
-\fI/dev/random\fR
-or equivalent device, the default source of randomness is keyboard input.
-\fIrandomdev\fR
-specifies the name of a character device or file containing random data to be used instead of the default. The special value
-\fIkeyboard\fR
-indicates that keyboard input should be used.
-.RE
-.PP
-\-t \fIttl\fR
-.RS 4
-Specify the TTL (time to live) of the KEY and SIG records. The default is 3600 seconds.
-.RE
-.PP
-\-v \fIlevel\fR
-.RS 4
+\fBdnssec-makekeyset\fR.
+.TP
+\fB-p\fR
+Use pseudo-random data when signing the zone. This is faster,
+but less secure, than using real random data. This option
+may be useful when signing large zones or when the entropy
+source is limited.
+.TP
+\fB-r \fIrandomdev\fB\fR
+Specifies the source of randomness. If the operating
+system does not provide a \fI/dev/random\fR
+or equivalent device, the default source of randomness
+is keyboard input. \fIrandomdev\fR specifies
+the name of a character device or file containing random
+data to be used instead of the default. The special value
+\fIkeyboard\fR indicates that keyboard
+input should be used.
+.TP
+\fB-t \fIttl\fB\fR
+Specify the TTL (time to live) of the KEY and SIG records.
+The default is 3600 seconds.
+.TP
+\fB-v \fIlevel\fB\fR
 Sets the debugging level.
-.RE
-.PP
-key
-.RS 4
-The list of keys to be included in the keyset file. These keys are expressed in the form
-\fIKnnnn.+aaa+iiiii\fR
-as generated by
-\fBdnssec\-keygen\fR.
-.RE
+.TP
+\fBkey\fR
+The list of keys to be included in the keyset file. These keys
+are expressed in the form \fIKnnnn.+aaa+iiiii\fR
+as generated by \fBdnssec-keygen\fR.
 .SH "EXAMPLE"
 .PP
 The following command generates a keyset containing the DSA key for
-\fBexample.com\fR
-generated in the
-\fBdnssec\-keygen\fR
-man page.
+\fBexample.com\fR generated in the
+\fBdnssec-keygen\fR man page.
 .PP
-\fBdnssec\-makekeyset \-t 86400 \-s 20000701120000 \-e +2592000 Kexample.com.+003+26160\fR
+\fBdnssec-makekeyset -t 86400 -s 20000701120000 -e +2592000 Kexample.com.+003+26160\fR
 .PP
-In this example,
-\fBdnssec\-makekeyset\fR
-creates the file
-\fIkeyset\-example.com.\fR. This file contains the specified key and a self\-generated signature.
+In this example, \fBdnssec-makekeyset\fR creates
+the file \fIkeyset-example.com.\fR. This file
+contains the specified key and a self-generated signature.
 .PP
-The DNS administrator for
-\fBexample.com\fR
-could send
-\fIkeyset\-example.com.\fR
-to the DNS administrator for
-\fB.com\fR
-for signing, if the .com zone is DNSSEC\-aware and the administrators of the two zones have some mechanism for authenticating each other and exchanging the keys and signatures securely.
+The DNS administrator for \fBexample.com\fR could
+send \fIkeyset-example.com.\fR to the DNS
+administrator for \fB.com\fR for signing, if the
+\&.com zone is DNSSEC-aware and the administrators of the two zones
+have some mechanism for authenticating each other and exchanging
+the keys and signatures securely.
 .SH "SEE ALSO"
 .PP
-\fBdnssec\-keygen\fR(8),
-\fBdnssec\-signkey\fR(8),
-BIND 9 Administrator Reference Manual,
-RFC 2535.
+\fBdnssec-keygen\fR(8),
+\fBdnssec-signkey\fR(8),
+\fIBIND 9 Administrator Reference Manual\fR,
+\fIRFC 2535\fR.
 .SH "AUTHOR"
 .PP
-Internet Systems Consortium
-.SH "COPYRIGHT"
-Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000, 2001, 2003 Internet Software Consortium.
-.br
+Internet Software Consortium
diff --git a/bin/dnssec/dnssec-makekeyset.c b/bin/dnssec/dnssec-makekeyset.c
index a9bee68a..09e6d3cb 100644
--- a/bin/dnssec/dnssec-makekeyset.c
+++ b/bin/dnssec/dnssec-makekeyset.c
@@ -1,6 +1,6 @@
 /*
- * Portions Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Portions Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2000-2003  Internet Software Consortium.
  * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -16,7 +16,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-makekeyset.c,v 1.52.2.4 2005/06/08 00:12:17 marka Exp $ */
+/* $Id: dnssec-makekeyset.c,v 1.52.2.1.10.6 2004/03/08 04:04:17 marka Exp $ */
 
 #include <config.h>
 
@@ -24,17 +24,16 @@
 
 #include <isc/commandline.h>
 #include <isc/entropy.h>
-#include <isc/hash.h>
 #include <isc/mem.h>
 #include <isc/string.h>
 #include <isc/util.h>
 
 #include <dns/db.h>
+#include <dns/diff.h>
 #include <dns/dnssec.h>
 #include <dns/fixedname.h>
 #include <dns/log.h>
 #include <dns/rdata.h>
-#include <dns/rdatalist.h>
 #include <dns/rdataset.h>
 #include <dns/result.h>
 #include <dns/secalg.h>
@@ -44,8 +43,6 @@
 
 #include "dnssectool.h"
 
-#define BUFSIZE 2048
-
 const char *program = "dnssec-makekeyset";
 int verbose;
 
@@ -71,6 +68,8 @@ usage(void) {
 
 	fprintf(stderr, "\n");
 
+	fprintf(stderr, "Version: %s\n", VERSION);
+
 	fprintf(stderr, "Options: (default value in parenthesis) \n");
 	fprintf(stderr, "\t-a\n");
 	fprintf(stderr, "\t\tverify generated signatures\n");
@@ -112,42 +111,29 @@ zonekey_on_list(dst_key_t *key) {
 	return (ISC_FALSE);
 }
 
-static isc_boolean_t
-rdata_on_list(dns_rdata_t *rdata, dns_rdatalist_t *list) {
-	dns_rdata_t *trdata;
-	for (trdata = ISC_LIST_HEAD(list->rdata);
-	     trdata != NULL;
-	     trdata = ISC_LIST_NEXT(trdata, link))
-	{
-		if (dns_rdata_compare(trdata, rdata) == 0)
-			return (ISC_TRUE);
-	}
-	return (ISC_FALSE);
-}
-
 int
 main(int argc, char *argv[]) {
 	int i, ch;
 	char *startstr = NULL, *endstr = NULL;
-	char *randomfile = NULL;
 	dns_fixedname_t fdomain;
 	dns_name_t *domain = NULL;
 	char *output = NULL;
 	char *endp;
-	unsigned char *data;
+	unsigned char data[65536];
 	dns_db_t *db;
-	dns_dbnode_t *node;
 	dns_dbversion_t *version;
+	dns_diff_t diff;
+	dns_difftuple_t *tuple;
+	dns_fixedname_t tname;
 	dst_key_t *key = NULL;
-	dns_rdata_t *rdata;
-	dns_rdatalist_t rdatalist, sigrdatalist;
-	dns_rdataset_t rdataset, sigrdataset;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdataset_t rdataset;
+	dns_rdataclass_t rdclass;
 	isc_result_t result;
 	isc_buffer_t b;
 	isc_region_t r;
 	isc_log_t *log = NULL;
 	keynode_t *keynode;
-	dns_name_t *savedname = NULL;
 	unsigned int eflags;
 	isc_boolean_t pseudorandom = ISC_FALSE;
 	isc_boolean_t tryverify = ISC_FALSE;
@@ -181,7 +167,7 @@ main(int argc, char *argv[]) {
 			break;
 
 		case 'r':
-			randomfile = isc_commandline_argument;
+			setup_entropy(mctx, isc_commandline_argument, &ectx);
 			break;
 
 		case 'v':
@@ -208,18 +194,14 @@ main(int argc, char *argv[]) {
 	if (argc < 1)
 		usage();
 
-	setup_entropy(mctx, randomfile, &ectx);
+	if (ectx == NULL)
+		setup_entropy(mctx, NULL, &ectx);
 	eflags = ISC_ENTROPY_BLOCKING;
 	if (!pseudorandom)
 		eflags |= ISC_ENTROPY_GOODONLY;
-
-	result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
-	if (result != ISC_R_SUCCESS)
-		fatal("could not create hash context");
-
 	result = dst_lib_init(mctx, ectx, eflags);
 	if (result != ISC_R_SUCCESS)
-		fatal("could not initialize dst: %s",
+		fatal("could not initialize dst: %s", 
 		      isc_result_totext(result));
 
 	isc_stdtime_get(&now);
@@ -242,11 +224,8 @@ main(int argc, char *argv[]) {
 
 	setup_logging(verbose, mctx, &log);
 
-	dns_rdatalist_init(&rdatalist);
-	rdatalist.rdclass = 0;
-	rdatalist.type = dns_rdatatype_key;
-	rdatalist.covers = 0;
-	rdatalist.ttl = ttl;
+	dns_diff_init(mctx, &diff);
+	rdclass = 0;
 
 	ISC_LIST_INIT(keylist);
 
@@ -260,48 +239,36 @@ main(int argc, char *argv[]) {
 		if (result != ISC_R_SUCCESS)
 			fatal("error loading key from %s: %s", argv[i],
 			      isc_result_totext(result));
-		if (rdatalist.rdclass == 0)
-			rdatalist.rdclass = dst_key_class(key);
+		if (rdclass == 0)
+			rdclass = dst_key_class(key);
 
-		isc_buffer_init(&namebuf, namestr, sizeof namestr);
+		isc_buffer_init(&namebuf, namestr, sizeof(namestr));
 		result = dns_name_tofilenametext(dst_key_name(key),
 						 ISC_FALSE,
 						 &namebuf);
 		check_result(result, "dns_name_tofilenametext");
 		isc_buffer_putuint8(&namebuf, 0);
-		
-		if (savedname == NULL) {
-			savedname = isc_mem_get(mctx, sizeof(dns_name_t));
-			if (savedname == NULL)
-				fatal("out of memory");
-			dns_name_init(savedname, NULL);
-			result = dns_name_dup(dst_key_name(key), mctx,
-					      savedname);
-			if (result != ISC_R_SUCCESS)
-				fatal("out of memory");
-		} else {
-			char savednamestr[DNS_NAME_FORMATSIZE];
-			dns_name_format(savedname, savednamestr,
-					sizeof savednamestr);
-			if (!dns_name_equal(savedname, dst_key_name(key)) != 0)
-				fatal("all keys must have the same owner - %s "
-				      "and %s do not match",
-				      savednamestr, namestr);
+
+		if (domain == NULL) {
+			dns_fixedname_init(&fdomain);
+			domain = dns_fixedname_name(&fdomain);
+			dns_name_copy(dst_key_name(key), domain, NULL);
+		} else if (!dns_name_equal(domain, dst_key_name(key))) {
+			char str[DNS_NAME_FORMATSIZE];
+			dns_name_format(domain, str, sizeof(str));
+			fatal("all keys must have the same owner - %s "
+			      "and %s do not match", str, namestr);
 		}
+
 		if (output == NULL) {
 			output = isc_mem_allocate(mctx,
 						  strlen("keyset-") +
 						  strlen(namestr) + 1);
 			if (output == NULL)
 				fatal("out of memory");
-			strcpy(output, "keyset-");
-			strcat(output, namestr);
-		}
-		if (domain == NULL) {
-			dns_fixedname_init(&fdomain);
-			domain = dns_fixedname_name(&fdomain);
-			dns_name_copy(dst_key_name(key), domain, NULL);
+			sprintf(output, "keyset-%s", namestr);
 		}
+
 		if (dst_key_iszonekey(key)) {
 			dst_key_t *zonekey = NULL;
 			result = dst_key_fromnamedfile(argv[i],
@@ -312,8 +279,7 @@ main(int argc, char *argv[]) {
 				fatal("failed to read private key %s: %s",
 				      argv[i], isc_result_totext(result));
 			if (!zonekey_on_list(zonekey)) {
-				keynode = isc_mem_get(mctx,
-						      sizeof (keynode_t));
+				keynode = isc_mem_get(mctx, sizeof(keynode_t));
 				if (keynode == NULL)
 					fatal("out of memory");
 				keynode->key = zonekey;
@@ -321,39 +287,41 @@ main(int argc, char *argv[]) {
 			} else
 				dst_key_free(&zonekey);
 		}
-		rdata = isc_mem_get(mctx, sizeof(dns_rdata_t));
-		if (rdata == NULL)
-			fatal("out of memory");
-		dns_rdata_init(rdata);
-		data = isc_mem_get(mctx, BUFSIZE);
-		if (data == NULL)
-			fatal("out of memory");
-		isc_buffer_init(&b, data, BUFSIZE);
+		dns_rdata_reset(&rdata);
+		isc_buffer_init(&b, data, sizeof(data));
 		result = dst_key_todns(key, &b);
+		dst_key_free(&key);
 		if (result != ISC_R_SUCCESS)
 			fatal("failed to convert key %s to a DNS KEY: %s",
 			      argv[i], isc_result_totext(result));
 		isc_buffer_usedregion(&b, &r);
-		dns_rdata_fromregion(rdata, rdatalist.rdclass,
-				     dns_rdatatype_key, &r);
-		if (!rdata_on_list(rdata, &rdatalist))
-			ISC_LIST_APPEND(rdatalist.rdata, rdata, link);
-		else {
-			isc_mem_put(mctx, data, BUFSIZE);
-			isc_mem_put(mctx, rdata, sizeof *rdata);
-		}
-		dst_key_free(&key);
+		dns_rdata_fromregion(&rdata, rdclass, dns_rdatatype_dnskey, &r);
+		tuple = NULL;
+		result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD,
+					      domain, ttl, &rdata, &tuple);
+		check_result(result, "dns_difftuple_create");
+		dns_diff_append(&diff, &tuple);
 	}
 
-	dns_rdataset_init(&rdataset);
-	result = dns_rdatalist_tordataset(&rdatalist, &rdataset);
-	check_result(result, "dns_rdatalist_tordataset()");
+	db = NULL;
+	result = dns_db_create(mctx, "rbt", dns_rootname, dns_dbtype_zone,
+			       rdclass, 0, NULL, &db);
+	if (result != ISC_R_SUCCESS)
+		fatal("failed to create a database");
+
+	version = NULL;
+	dns_db_newversion(db, &version);
 
-	dns_rdatalist_init(&sigrdatalist);
-	sigrdatalist.rdclass = rdatalist.rdclass;
-	sigrdatalist.type = dns_rdatatype_sig;
-	sigrdatalist.covers = dns_rdatatype_key;
-	sigrdatalist.ttl = ttl;
+	result = dns_diff_apply(&diff, db, version);
+	check_result(result, "dns_diff_apply");
+	dns_diff_clear(&diff);
+
+	dns_fixedname_init(&tname);
+	dns_rdataset_init(&rdataset);
+	result = dns_db_find(db, domain, version, dns_rdatatype_dnskey, 0, 0,
+			     NULL, dns_fixedname_name(&tname), &rdataset,
+			     NULL);
+	check_result(result, "dns_db_find");
 
 	if (ISC_LIST_EMPTY(keylist))
 		fprintf(stderr,
@@ -363,69 +331,48 @@ main(int argc, char *argv[]) {
 	     keynode != NULL;
 	     keynode = ISC_LIST_NEXT(keynode, link))
 	{
-		rdata = isc_mem_get(mctx, sizeof(dns_rdata_t));
-		if (rdata == NULL)
-			fatal("out of memory");
-		dns_rdata_init(rdata);
-		data = isc_mem_get(mctx, BUFSIZE);
-		if (data == NULL)
-			fatal("out of memory");
-		isc_buffer_init(&b, data, BUFSIZE);
+		dns_rdata_reset(&rdata);
+		isc_buffer_init(&b, data, sizeof(data));
 		result = dns_dnssec_sign(domain, &rdataset, keynode->key,
 					 &starttime, &endtime, mctx, &b,
-					 rdata);
+					 &rdata);
 		isc_entropy_stopcallbacksources(ectx);
 		if (result != ISC_R_SUCCESS) {
 			char keystr[KEY_FORMATSIZE];
-			key_format(keynode->key, keystr, sizeof keystr);
+			key_format(keynode->key, keystr, sizeof(keystr));
 			fatal("failed to sign keyset with key %s: %s",
 			      keystr, isc_result_totext(result));
 		}
 		if (tryverify) {
 			result = dns_dnssec_verify(domain, &rdataset,
 						   keynode->key, ISC_TRUE,
-						   mctx, rdata);
+						   mctx, &rdata);
 			if (result != ISC_R_SUCCESS) {
 				char keystr[KEY_FORMATSIZE];
-				key_format(keynode->key, keystr, sizeof keystr);
+				key_format(keynode->key, keystr, sizeof(keystr));
 				fatal("signature from key '%s' failed to "
 				      "verify: %s",
 				      keystr, isc_result_totext(result));
 			}
 		}
-		ISC_LIST_APPEND(sigrdatalist.rdata, rdata, link);
-		dns_rdataset_init(&sigrdataset);
-		result = dns_rdatalist_tordataset(&sigrdatalist, &sigrdataset);
-		check_result(result, "dns_rdatalist_tordataset()");
+		tuple = NULL;
+		result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD,
+					      domain, ttl, &rdata, &tuple);
+		check_result(result, "dns_difftuple_create");
+		dns_diff_append(&diff, &tuple);
 	}
 
-	db = NULL;
-	result = dns_db_create(mctx, "rbt", dns_rootname, dns_dbtype_zone,
-			       rdataset.rdclass, 0, NULL, &db);
-	if (result != ISC_R_SUCCESS) {
-		char domainstr[DNS_NAME_FORMATSIZE];
-		dns_name_format(domain, domainstr, sizeof domainstr);
-		fatal("failed to create a database for %s", domainstr);
-	}
+	result = dns_diff_apply(&diff, db, version);
+	check_result(result, "dns_diff_apply");
+	dns_diff_clear(&diff);
 
-	version = NULL;
-	dns_db_newversion(db, &version);
-
-	node = NULL;
-	result = dns_db_findnode(db, domain, ISC_TRUE, &node);
-	check_result(result, "dns_db_findnode()");
-
-	dns_db_addrdataset(db, node, version, 0, &rdataset, 0, NULL);
-	if (!ISC_LIST_EMPTY(keylist))
-		dns_db_addrdataset(db, node, version, 0, &sigrdataset, 0,
-				   NULL);
+	dns_rdataset_disassociate(&rdataset);
 
-	dns_db_detachnode(db, &node);
 	dns_db_closeversion(db, &version, ISC_TRUE);
 	result = dns_db_dump(db, version, output);
 	if (result != ISC_R_SUCCESS) {
 		char domainstr[DNS_NAME_FORMATSIZE];
-		dns_name_format(domain, domainstr, sizeof domainstr);
+		dns_name_format(domain, domainstr, sizeof(domainstr));
 		fatal("failed to write database for %s to %s",
 		      domainstr, output);
 	}
@@ -434,20 +381,6 @@ main(int argc, char *argv[]) {
 
 	dns_db_detach(&db);
 
-	dns_rdataset_disassociate(&rdataset);
-	while (!ISC_LIST_EMPTY(rdatalist.rdata)) {
-		rdata = ISC_LIST_HEAD(rdatalist.rdata);
-		ISC_LIST_UNLINK(rdatalist.rdata, rdata, link);
-		isc_mem_put(mctx, rdata->data, BUFSIZE);
-		isc_mem_put(mctx, rdata, sizeof *rdata);
-	}
-	while (!ISC_LIST_EMPTY(sigrdatalist.rdata)) {
-		rdata = ISC_LIST_HEAD(sigrdatalist.rdata);
-		ISC_LIST_UNLINK(sigrdatalist.rdata, rdata, link);
-		isc_mem_put(mctx, rdata->data, BUFSIZE);
-		isc_mem_put(mctx, rdata, sizeof *rdata);
-	}
-
 	while (!ISC_LIST_EMPTY(keylist)) {
 		keynode = ISC_LIST_HEAD(keylist);
 		ISC_LIST_UNLINK(keylist, keynode, link);
@@ -455,13 +388,7 @@ main(int argc, char *argv[]) {
 		isc_mem_put(mctx, keynode, sizeof(keynode_t));
 	}
 
-	if (savedname != NULL) {
-		dns_name_free(savedname, mctx);
-		isc_mem_put(mctx, savedname, sizeof(dns_name_t));
-	}
-
 	cleanup_logging(&log);
-	isc_hash_destroy();
 	cleanup_entropy(&ectx);
 
 	isc_mem_free(mctx, output);
diff --git a/bin/dnssec/dnssec-makekeyset.docbook b/bin/dnssec/dnssec-makekeyset.docbook
index 5a187625..2e1734a2 100644
--- a/bin/dnssec/dnssec-makekeyset.docbook
+++ b/bin/dnssec/dnssec-makekeyset.docbook
@@ -1,9 +1,7 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
-               "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
 <!--
- - Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
+ - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001, 2003  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -18,7 +16,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: dnssec-makekeyset.docbook,v 1.2.2.7 2005/05/12 21:35:07 sra Exp $ -->
+<!-- $Id: dnssec-makekeyset.docbook,v 1.2.2.3.4.1 2004/03/06 10:21:15 marka Exp $ -->
 
 <refentry>
   <refentryinfo>
@@ -31,20 +29,6 @@
     <refmiscinfo>BIND9</refmiscinfo>
   </refmeta>
 
-  <docinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <year>2003</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
-  </docinfo>
-
   <refnamediv>
     <refname><application>dnssec-makekeyset</application></refname>
     <refpurpose>DNSSEC zone signing tool</refpurpose>
@@ -236,7 +220,7 @@
   <refsect1>
     <title>AUTHOR</title>
     <para>
-        <corpauthor>Internet Systems Consortium</corpauthor>
+        <corpauthor>Internet Software Consortium</corpauthor>
     </para>
   </refsect1>
 
diff --git a/bin/dnssec/dnssec-makekeyset.html b/bin/dnssec/dnssec-makekeyset.html
index 4ca22cda..48f1d4a5 100644
--- a/bin/dnssec/dnssec-makekeyset.html
+++ b/bin/dnssec/dnssec-makekeyset.html
@@ -1,153 +1,407 @@
 <!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
- - 
+ - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001, 2003  Internet Software Consortium.
+ -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
- - 
+ -
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: dnssec-makekeyset.html,v 1.4.2.16 2007/01/26 23:26:58 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>dnssec-makekeyset</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476275"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p><span class="application">dnssec-makekeyset</span> &#8212; DNSSEC zone signing tool</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">dnssec-makekeyset</code>  [<code class="option">-a</code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-h</code>] [<code class="option">-p</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-t</code><em class="replaceable"><code>ttl</code></em>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {key...}</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543403"></a><h2>DESCRIPTION</h2>
-<p>
-        <span><strong class="command">dnssec-makekeyset</strong></span> generates a key set from one
-	or more keys created by <span><strong class="command">dnssec-keygen</strong></span>.  It creates
+
+<!-- $Id: dnssec-makekeyset.html,v 1.4.2.2.4.1 2004/03/06 10:21:15 marka Exp $ -->
+
+<HTML
+><HEAD
+><TITLE
+>dnssec-makekeyset</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.73
+"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+><SPAN
+CLASS="APPLICATION"
+>dnssec-makekeyset</SPAN
+></A
+></H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN9"
+></A
+><H2
+>Name</H2
+><SPAN
+CLASS="APPLICATION"
+>dnssec-makekeyset</SPAN
+>&nbsp;--&nbsp;DNSSEC zone signing tool</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN13"
+></A
+><H2
+>Synopsis</H2
+><P
+><B
+CLASS="COMMAND"
+>dnssec-makekeyset</B
+>  [<TT
+CLASS="OPTION"
+>-a</TT
+>] [<TT
+CLASS="OPTION"
+>-s <TT
+CLASS="REPLACEABLE"
+><I
+>start-time</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-e <TT
+CLASS="REPLACEABLE"
+><I
+>end-time</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-h</TT
+>] [<TT
+CLASS="OPTION"
+>-p</TT
+>] [<TT
+CLASS="OPTION"
+>-r <TT
+CLASS="REPLACEABLE"
+><I
+>randomdev</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-t</TT
+><TT
+CLASS="REPLACEABLE"
+><I
+>ttl</I
+></TT
+>] [<TT
+CLASS="OPTION"
+>-v <TT
+CLASS="REPLACEABLE"
+><I
+>level</I
+></TT
+></TT
+>] {key...}</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN38"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+>        <B
+CLASS="COMMAND"
+>dnssec-makekeyset</B
+> generates a key set from one
+	or more keys created by <B
+CLASS="COMMAND"
+>dnssec-keygen</B
+>.  It creates
 	a file containing a KEY record for each key, and self-signs the key
 	set with each zone key.  The output file is of the form
-	<code class="filename">keyset-nnnn.</code>, where <code class="filename">nnnn</code>
+	<TT
+CLASS="FILENAME"
+>keyset-nnnn.</TT
+>, where <TT
+CLASS="FILENAME"
+>nnnn</TT
+>
 	is the zone name.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543427"></a><h2>OPTIONS</h2>
-<div class="variablelist"><dl>
-<dt><span class="term">-a</span></dt>
-<dd><p>
-	      Verify all generated signatures.
-	  </p></dd>
-<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
-<dd><p>
-	       Specify the date and time when the generated SIG records
+    </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN45"
+></A
+><H2
+>OPTIONS</H2
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+>-a</DT
+><DD
+><P
+>	      Verify all generated signatures.
+	  </P
+></DD
+><DT
+>-s <TT
+CLASS="REPLACEABLE"
+><I
+>start-time</I
+></TT
+></DT
+><DD
+><P
+>	       Specify the date and time when the generated SIG records
 	       become valid.  This can be either an absolute or relative
 	       time.  An absolute start time is indicated by a number
 	       in YYYYMMDDHHMMSS notation; 20000530144500 denotes
 	       14:45:00 UTC on May 30th, 2000.  A relative start time is
 	       indicated by +N, which is N seconds from the current time.
-	       If no <code class="option">start-time</code> is specified, the current
+	       If no <TT
+CLASS="OPTION"
+>start-time</TT
+> is specified, the current
 	       time is used.
-	  </p></dd>
-<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
-<dd><p>
-	       Specify the date and time when the generated SIG records
-	       expire.  As with <code class="option">start-time</code>, an absolute
+	  </P
+></DD
+><DT
+>-e <TT
+CLASS="REPLACEABLE"
+><I
+>end-time</I
+></TT
+></DT
+><DD
+><P
+>	       Specify the date and time when the generated SIG records
+	       expire.  As with <TT
+CLASS="OPTION"
+>start-time</TT
+>, an absolute
 	       time is indicated in YYYYMMDDHHMMSS notation.  A time relative
 	       to the start time is indicated with +N, which is N seconds from
 	       the start time.  A time relative to the current time is
-	       indicated with now+N.  If no <code class="option">end-time</code> is
+	       indicated with now+N.  If no <TT
+CLASS="OPTION"
+>end-time</TT
+> is
 	       specified, 30 days from the start time is used as a default.
-	  </p></dd>
-<dt><span class="term">-h</span></dt>
-<dd><p>
-	       Prints a short summary of the options and arguments to
-	       <span><strong class="command">dnssec-makekeyset</strong></span>.
-	  </p></dd>
-<dt><span class="term">-p</span></dt>
-<dd><p>
-	       Use pseudo-random data when signing the zone.  This is faster,
+	  </P
+></DD
+><DT
+>-h</DT
+><DD
+><P
+>	       Prints a short summary of the options and arguments to
+	       <B
+CLASS="COMMAND"
+>dnssec-makekeyset</B
+>.
+	  </P
+></DD
+><DT
+>-p</DT
+><DD
+><P
+>	       Use pseudo-random data when signing the zone.  This is faster,
 	       but less secure, than using real random data.  This option
 	       may be useful when signing large zones or when the entropy
 	       source is limited.
-	  </p></dd>
-<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
-<dd><p>
-	       Specifies the source of randomness.  If the operating
-	       system does not provide a <code class="filename">/dev/random</code>
+	  </P
+></DD
+><DT
+>-r <TT
+CLASS="REPLACEABLE"
+><I
+>randomdev</I
+></TT
+></DT
+><DD
+><P
+>	       Specifies the source of randomness.  If the operating
+	       system does not provide a <TT
+CLASS="FILENAME"
+>/dev/random</TT
+>
 	       or equivalent device, the default source of randomness
-	       is keyboard input.  <code class="filename">randomdev</code> specifies
+	       is keyboard input.  <TT
+CLASS="FILENAME"
+>randomdev</TT
+> specifies
 	       the name of a character device or file containing random
 	       data to be used instead of the default.  The special value
-	       <code class="filename">keyboard</code> indicates that keyboard
+	       <TT
+CLASS="FILENAME"
+>keyboard</TT
+> indicates that keyboard
 	       input should be used.
-	  </p></dd>
-<dt><span class="term">-t <em class="replaceable"><code>ttl</code></em></span></dt>
-<dd><p>
-	       Specify the TTL (time to live) of the KEY and SIG records.
+	  </P
+></DD
+><DT
+>-t <TT
+CLASS="REPLACEABLE"
+><I
+>ttl</I
+></TT
+></DT
+><DD
+><P
+>	       Specify the TTL (time to live) of the KEY and SIG records.
 	       The default is 3600 seconds.
-	  </p></dd>
-<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
-<dd><p>
-	       Sets the debugging level.
-	  </p></dd>
-<dt><span class="term">key</span></dt>
-<dd><p>
-	       The list of keys to be included in the keyset file.  These keys
-	       are expressed in the form <code class="filename">Knnnn.+aaa+iiiii</code>
-	       as generated by <span><strong class="command">dnssec-keygen</strong></span>.
-	  </p></dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543606"></a><h2>EXAMPLE</h2>
-<p>
-        The following command generates a keyset containing the DSA key for
-	<strong class="userinput"><code>example.com</code></strong> generated in the
-	<span><strong class="command">dnssec-keygen</strong></span> man page.
-    </p>
-<p>
-        <strong class="userinput"><code>dnssec-makekeyset -t 86400 -s 20000701120000 -e +2592000 Kexample.com.+003+26160</code></strong>
-    </p>
-<p>
-        In this example, <span><strong class="command">dnssec-makekeyset</strong></span> creates
-	the file <code class="filename">keyset-example.com.</code>.  This file
+	  </P
+></DD
+><DT
+>-v <TT
+CLASS="REPLACEABLE"
+><I
+>level</I
+></TT
+></DT
+><DD
+><P
+>	       Sets the debugging level.
+	  </P
+></DD
+><DT
+>key</DT
+><DD
+><P
+>	       The list of keys to be included in the keyset file.  These keys
+	       are expressed in the form <TT
+CLASS="FILENAME"
+>Knnnn.+aaa+iiiii</TT
+>
+	       as generated by <B
+CLASS="COMMAND"
+>dnssec-keygen</B
+>.
+	  </P
+></DD
+></DL
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN98"
+></A
+><H2
+>EXAMPLE</H2
+><P
+>        The following command generates a keyset containing the DSA key for
+	<TT
+CLASS="USERINPUT"
+><B
+>example.com</B
+></TT
+> generated in the
+	<B
+CLASS="COMMAND"
+>dnssec-keygen</B
+> man page.
+    </P
+><P
+>        <TT
+CLASS="USERINPUT"
+><B
+>dnssec-makekeyset -t 86400 -s 20000701120000 -e +2592000 Kexample.com.+003+26160</B
+></TT
+>
+    </P
+><P
+>        In this example, <B
+CLASS="COMMAND"
+>dnssec-makekeyset</B
+> creates
+	the file <TT
+CLASS="FILENAME"
+>keyset-example.com.</TT
+>.  This file
 	contains the specified key and a self-generated signature.
-    </p>
-<p>
-        The DNS administrator for <strong class="userinput"><code>example.com</code></strong> could
-	send <code class="filename">keyset-example.com.</code> to the DNS
-	administrator for <strong class="userinput"><code>.com</code></strong> for signing, if the
+    </P
+><P
+>        The DNS administrator for <TT
+CLASS="USERINPUT"
+><B
+>example.com</B
+></TT
+> could
+	send <TT
+CLASS="FILENAME"
+>keyset-example.com.</TT
+> to the DNS
+	administrator for <TT
+CLASS="USERINPUT"
+><B
+>.com</B
+></TT
+> for signing, if the
 	.com zone is DNSSEC-aware and the administrators of the two zones
 	have some mechanism for authenticating each other and exchanging
 	the keys and signatures securely.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543652"></a><h2>SEE ALSO</h2>
-<p>
-      <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
-      <span class="citerefentry"><span class="refentrytitle">dnssec-signkey</span>(8)</span>,
-      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
-      <em class="citetitle">RFC 2535</em>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543688"></a><h2>AUTHOR</h2>
-<p>
-        <span class="corpauthor">Internet Systems Consortium</span>
-    </p>
-</div>
-</div></body>
-</html>
+    </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN112"
+></A
+><H2
+>SEE ALSO</H2
+><P
+>      <SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>dnssec-keygen</SPAN
+>(8)</SPAN
+>,
+      <SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>dnssec-signkey</SPAN
+>(8)</SPAN
+>,
+      <I
+CLASS="CITETITLE"
+>BIND 9 Administrator Reference Manual</I
+>,
+      <I
+CLASS="CITETITLE"
+>RFC 2535</I
+>.
+    </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN123"
+></A
+><H2
+>AUTHOR</H2
+><P
+>        Internet Software Consortium
+    </P
+></DIV
+></BODY
+></HTML
+>
diff --git a/bin/dnssec/dnssec-signkey.8 b/bin/dnssec/dnssec-signkey.8
index e5f011b2..ea2818bd 100644
--- a/bin/dnssec/dnssec-signkey.8
+++ b/bin/dnssec/dnssec-signkey.8
@@ -1,143 +1,108 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
-.\" 
+.\" Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
+.\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
 .\" copyright notice and this permission notice appear in all copies.
-.\" 
+.\"
 .\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 .\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 .\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 .\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dnssec-signkey.8,v 1.18.2.8 2006/12/12 01:42:53 marka Exp $
+.\" $Id: dnssec-signkey.8,v 1.18.2.1.4.1 2004/03/06 07:41:39 marka Exp $
 .\"
-.hy 0
-.ad l
-.\"     Title: dnssec\-signkey
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: June 30, 2000
-.\"    Manual: BIND9
-.\"    Source: BIND9
-.\"
-.TH "DNSSEC\-SIGNKEY" "8" "June 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-dnssec\-signkey \- DNSSEC key set signing tool
-.SH "SYNOPSIS"
-.HP 15
-\fBdnssec\-signkey\fR [\fB\-a\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-s\ \fR\fB\fIstart\-time\fR\fR] [\fB\-e\ \fR\fB\fIend\-time\fR\fR] [\fB\-h\fR] [\fB\-p\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {keyset} {key...}
+.TH "DNSSEC-SIGNKEY" "8" "June 30, 2000" "BIND9" ""
+.SH NAME
+dnssec-signkey \- DNSSEC key set signing tool
+.SH SYNOPSIS
+.sp
+\fBdnssec-signkey\fR [ \fB-a\fR ]  [ \fB-c \fIclass\fB\fR ]  [ \fB-s \fIstart-time\fB\fR ]  [ \fB-e \fIend-time\fB\fR ]  [ \fB-h\fR ]  [ \fB-p\fR ]  [ \fB-r \fIrandomdev\fB\fR ]  [ \fB-v \fIlevel\fB\fR ]  \fBkeyset\fR \fBkey\fR\fI...\fR
 .SH "DESCRIPTION"
 .PP
-\fBdnssec\-signkey\fR
-signs a keyset. Typically the keyset will be for a child zone, and will have been generated by
-\fBdnssec\-makekeyset\fR. The child zone's keyset is signed with the zone keys for its parent zone. The output file is of the form
-\fIsignedkey\-nnnn.\fR, where
-\fInnnn\fR
-is the zone name.
+\fBdnssec-signkey\fR signs a keyset. Typically
+the keyset will be for a child zone, and will have been generated
+by \fBdnssec-makekeyset\fR. The child zone's keyset
+is signed with the zone keys for its parent zone. The output file
+is of the form \fIsignedkey-nnnn.\fR, where
+\fInnnn\fR is the zone name.
 .SH "OPTIONS"
-.PP
-\-a
-.RS 4
+.TP
+\fB-a\fR
 Verify all generated signatures.
-.RE
-.PP
-\-c \fIclass\fR
-.RS 4
+.TP
+\fB-c \fIclass\fB\fR
 Specifies the DNS class of the key sets.
-.RE
-.PP
-\-s \fIstart\-time\fR
-.RS 4
-Specify the date and time when the generated SIG records become valid. This can be either an absolute or relative time. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation; 20000530144500 denotes 14:45:00 UTC on May 30th, 2000. A relative start time is indicated by +N, which is N seconds from the current time. If no
-\fBstart\-time\fR
-is specified, the current time is used.
-.RE
-.PP
-\-e \fIend\-time\fR
-.RS 4
-Specify the date and time when the generated SIG records expire. As with
-\fBstart\-time\fR, an absolute time is indicated in YYYYMMDDHHMMSS notation. A time relative to the start time is indicated with +N, which is N seconds from the start time. A time relative to the current time is indicated with now+N. If no
-\fBend\-time\fR
-is specified, 30 days from the start time is used as a default.
-.RE
-.PP
-\-h
-.RS 4
+.TP
+\fB-s \fIstart-time\fB\fR
+Specify the date and time when the generated SIG records
+become valid. This can be either an absolute or relative
+time. An absolute start time is indicated by a number
+in YYYYMMDDHHMMSS notation; 20000530144500 denotes
+14:45:00 UTC on May 30th, 2000. A relative start time is
+indicated by +N, which is N seconds from the current time.
+If no \fBstart-time\fR is specified, the current
+time is used.
+.TP
+\fB-e \fIend-time\fB\fR
+Specify the date and time when the generated SIG records
+expire. As with \fBstart-time\fR, an absolute
+time is indicated in YYYYMMDDHHMMSS notation. A time relative
+to the start time is indicated with +N, which is N seconds from
+the start time. A time relative to the current time is
+indicated with now+N. If no \fBend-time\fR is
+specified, 30 days from the start time is used as a default.
+.TP
+\fB-h\fR
 Prints a short summary of the options and arguments to
-\fBdnssec\-signkey\fR.
-.RE
-.PP
-\-p
-.RS 4
-Use pseudo\-random data when signing the zone. This is faster, but less secure, than using real random data. This option may be useful when signing large zones or when the entropy source is limited.
-.RE
-.PP
-\-r \fIrandomdev\fR
-.RS 4
-Specifies the source of randomness. If the operating system does not provide a
-\fI/dev/random\fR
-or equivalent device, the default source of randomness is keyboard input.
-\fIrandomdev\fR
-specifies the name of a character device or file containing random data to be used instead of the default. The special value
-\fIkeyboard\fR
-indicates that keyboard input should be used.
-.RE
-.PP
-\-v \fIlevel\fR
-.RS 4
+\fBdnssec-signkey\fR.
+.TP
+\fB-p\fR
+Use pseudo-random data when signing the zone. This is faster,
+but less secure, than using real random data. This option
+may be useful when signing large zones or when the entropy
+source is limited.
+.TP
+\fB-r \fIrandomdev\fB\fR
+Specifies the source of randomness. If the operating
+system does not provide a \fI/dev/random\fR
+or equivalent device, the default source of randomness
+is keyboard input. \fIrandomdev\fR specifies
+the name of a character device or file containing random
+data to be used instead of the default. The special value
+\fIkeyboard\fR indicates that keyboard
+input should be used.
+.TP
+\fB-v \fIlevel\fB\fR
 Sets the debugging level.
-.RE
-.PP
-keyset
-.RS 4
+.TP
+\fBkeyset\fR
 The file containing the child's keyset.
-.RE
-.PP
-key
-.RS 4
+.TP
+\fBkey\fR
 The keys used to sign the child's keyset.
-.RE
 .SH "EXAMPLE"
 .PP
-The DNS administrator for a DNSSEC\-aware
-\fB.com\fR
+The DNS administrator for a DNSSEC-aware \fB.com\fR
 zone would use the following command to sign the
-\fIkeyset\fR
-file for
-\fBexample.com\fR
-created by
-\fBdnssec\-makekeyset\fR
-with a key generated by
-\fBdnssec\-keygen\fR:
+\fIkeyset\fR file for \fBexample.com\fR
+created by \fBdnssec-makekeyset\fR with a key generated
+by \fBdnssec-keygen\fR:
 .PP
-\fBdnssec\-signkey keyset\-example.com. Kcom.+003+51944\fR
+\fBdnssec-signkey keyset-example.com. Kcom.+003+51944\fR
 .PP
-In this example,
-\fBdnssec\-signkey\fR
-creates the file
-\fIsignedkey\-example.com.\fR, which contains the
-\fBexample.com\fR
-keys and the signatures by the
-\fB.com\fR
-keys.
+In this example, \fBdnssec-signkey\fR creates
+the file \fIsignedkey-example.com.\fR, which
+contains the \fBexample.com\fR keys and the
+signatures by the \fB.com\fR keys.
 .SH "SEE ALSO"
 .PP
-\fBdnssec\-keygen\fR(8),
-\fBdnssec\-makekeyset\fR(8),
-\fBdnssec\-signzone\fR(8).
+\fBdnssec-keygen\fR(8),
+\fBdnssec-makekeyset\fR(8),
+\fBdnssec-signzone\fR(8).
 .SH "AUTHOR"
 .PP
-Internet Systems Consortium
-.SH "COPYRIGHT"
-Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000, 2001, 2003 Internet Software Consortium.
-.br
+Internet Software Consortium
diff --git a/bin/dnssec/dnssec-signkey.c b/bin/dnssec/dnssec-signkey.c
index c685e3bc..88b67a20 100644
--- a/bin/dnssec/dnssec-signkey.c
+++ b/bin/dnssec/dnssec-signkey.c
@@ -1,6 +1,6 @@
 /*
- * Portions Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
+ * Portions Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2000-2003  Internet Software Consortium.
  * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -16,7 +16,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-signkey.c,v 1.50.2.6 2005/06/08 00:12:17 marka Exp $ */
+/* $Id: dnssec-signkey.c,v 1.50.2.2.2.6 2004/03/08 04:04:17 marka Exp $ */
 
 #include <config.h>
 
@@ -25,18 +25,17 @@
 #include <isc/string.h>
 #include <isc/commandline.h>
 #include <isc/entropy.h>
-#include <isc/hash.h>
 #include <isc/mem.h>
 #include <isc/util.h>
 
 #include <dns/db.h>
 #include <dns/dbiterator.h>
+#include <dns/diff.h>
 #include <dns/dnssec.h>
 #include <dns/fixedname.h>
 #include <dns/log.h>
 #include <dns/rdata.h>
 #include <dns/rdataclass.h>
-#include <dns/rdatalist.h>
 #include <dns/rdataset.h>
 #include <dns/rdatasetiter.h>
 #include <dns/rdatastruct.h>
@@ -50,8 +49,6 @@
 const char *program = "dnssec-signkey";
 int verbose;
 
-#define BUFSIZE 2048
-
 typedef struct keynode keynode_t;
 struct keynode {
 	dst_key_t *key;
@@ -73,6 +70,8 @@ usage(void) {
 
 	fprintf(stderr, "\n");
 
+	fprintf(stderr, "Version: %s\n", VERSION);
+
 	fprintf(stderr, "Options: (default value in parenthesis) \n");
 	fprintf(stderr, "\t-a\n");
 	fprintf(stderr, "\t\tverify generated signatures\n");
@@ -119,9 +118,11 @@ loadkeys(dns_name_t *name, dns_rdataset_t *rdataset) {
 		result = dns_dnssec_keyfromrdata(name, &rdata, mctx, &key);
 		if (result != ISC_R_SUCCESS)
 			continue;
-		if (!dst_key_iszonekey(key))
+		if (!dst_key_iszonekey(key)) {
+			dst_key_free(&key);
 			continue;
-		keynode = isc_mem_get(mctx, sizeof (keynode_t));
+		}
+		keynode = isc_mem_get(mctx, sizeof(keynode_t));
 		if (keynode == NULL)
 			fatal("out of memory");
 		keynode->key = key;
@@ -133,7 +134,7 @@ loadkeys(dns_name_t *name, dns_rdataset_t *rdataset) {
 }
 
 static dst_key_t *
-findkey(dns_rdata_sig_t *sig) {
+findkey(dns_rdata_rrsig_t *sig) {
 	keynode_t *keynode;
 	for (keynode = ISC_LIST_HEAD(keylist);
 	     keynode != NULL;
@@ -158,28 +159,28 @@ main(int argc, char *argv[]) {
 	dns_name_t *domain;
 	char *output = NULL;
 	char *endp;
-	unsigned char *data;
-	char *randomfile = NULL;
+	unsigned char data[65536];
 	dns_db_t *db;
 	dns_dbnode_t *node;
 	dns_dbversion_t *version;
+	dns_diff_t diff;
+	dns_difftuple_t *tuple;
 	dns_dbiterator_t *dbiter;
 	dns_rdatasetiter_t *rdsiter;
 	dst_key_t *key = NULL;
-	dns_rdata_t *rdata;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
 	dns_rdata_t sigrdata = DNS_RDATA_INIT;
-	dns_rdatalist_t sigrdatalist;
-	dns_rdataset_t rdataset, sigrdataset, newsigrdataset;
-	dns_rdata_sig_t sig;
+	dns_rdataset_t rdataset, sigrdataset;
+	dns_rdata_rrsig_t sig;
 	isc_result_t result;
 	isc_buffer_t b;
-	isc_textregion_t tr;
 	isc_log_t *log = NULL;
 	keynode_t *keynode;
 	isc_boolean_t pseudorandom = ISC_FALSE;
 	unsigned int eflags;
 	dns_rdataclass_t rdclass;
-	static isc_boolean_t tryverify = ISC_FALSE;
+	isc_boolean_t tryverify = ISC_FALSE;
+	isc_boolean_t settime = ISC_FALSE;
 
 	result = isc_mem_create(0, 0, &mctx);
 	check_result(result, "isc_mem_create()");
@@ -209,7 +210,7 @@ main(int argc, char *argv[]) {
 			break;
 
 		case 'r':
-			randomfile = isc_commandline_argument;
+			setup_entropy(mctx, isc_commandline_argument, &ectx);
 			break;
 
 		case 'v':
@@ -232,24 +233,13 @@ main(int argc, char *argv[]) {
 	if (argc < 2)
 		usage();
 
-	if (classname != NULL) {
-		tr.base = classname;
-		tr.length = strlen(classname);
-		result = dns_rdataclass_fromtext(&rdclass, &tr);
-		if (result != ISC_R_SUCCESS)
-			fatal("unknown class %s",classname);
-	} else
-		rdclass = dns_rdataclass_in;
+	rdclass = strtoclass(classname);
 
-	setup_entropy(mctx, randomfile, &ectx);
+	if (ectx == NULL)
+		setup_entropy(mctx, NULL, &ectx);
 	eflags = ISC_ENTROPY_BLOCKING;
 	if (!pseudorandom)
 		eflags |= ISC_ENTROPY_GOODONLY;
-
-	result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
-	if (result != ISC_R_SUCCESS)
-		fatal("could not create hash context");
-
 	result = dst_lib_init(mctx, ectx, eflags);
 	if (result != ISC_R_SUCCESS)
 		fatal("could not initialize dst: %s", 
@@ -261,6 +251,12 @@ main(int argc, char *argv[]) {
 	    !(startstr == NULL && endstr == NULL))
 		fatal("if -s or -e is specified, both must be");
 
+	if (startstr != NULL) {
+		starttime = strtotime(startstr, now, now);
+		endtime = strtotime(endstr, now, starttime);
+		settime = ISC_TRUE;
+	}
+
 	setup_logging(verbose, mctx, &log);
 
 	if (strlen(argv[0]) < 8U || strncmp(argv[0], "keyset-", 7) != 0)
@@ -311,25 +307,26 @@ main(int argc, char *argv[]) {
 				  strlen("signedkey-") + strlen(tdomain) + 1);
 	if (output == NULL)
 		fatal("out of memory");
-	strcpy(output, "signedkey-");
-	strcat(output, tdomain);
+	sprintf(output, "signedkey-%s", tdomain);
 
 	version = NULL;
 	dns_db_newversion(db, &version);
 
 	dns_rdataset_init(&rdataset);
 	dns_rdataset_init(&sigrdataset);
-	result = dns_db_findrdataset(db, node, version, dns_rdatatype_key, 0,
+	result = dns_db_findrdataset(db, node, version, dns_rdatatype_dnskey, 0,
 				     0, &rdataset, &sigrdataset);
 	if (result != ISC_R_SUCCESS) {
 		char domainstr[DNS_NAME_FORMATSIZE];
-		dns_name_format(domain, domainstr, sizeof domainstr);
+		dns_name_format(domain, domainstr, sizeof(domainstr));
 		fatal("failed to find rdataset '%s KEY': %s",
 		      domainstr, isc_result_totext(result));
 	}
 
 	loadkeys(domain, &rdataset);
 
+	dns_diff_init(mctx, &diff);
+
 	if (!dns_rdataset_isassociated(&sigrdataset))
 		fatal("no SIG KEY set present");
 
@@ -344,47 +341,29 @@ main(int argc, char *argv[]) {
 					   ISC_TRUE, mctx, &sigrdata);
 		if (result != ISC_R_SUCCESS) {
 			char keystr[KEY_FORMATSIZE];
-			key_format(key, keystr, sizeof keystr);
+			key_format(key, keystr, sizeof(keystr));
 			fatal("signature by key '%s' did not verify: %s",
 			      keystr, isc_result_totext(result));
 		}
-		dns_rdata_reset(&sigrdata);
+		if (!settime) {
+			starttime = sig.timesigned;
+			endtime = sig.timeexpire;
+			settime = ISC_TRUE;
+		}
 		dns_rdata_freestruct(&sig);
+		dns_rdata_reset(&sigrdata);
 		result = dns_rdataset_next(&sigrdataset);
 	} while (result == ISC_R_SUCCESS);
 
-	if (startstr != NULL) {
-		starttime = strtotime(startstr, now, now);
-		endtime = strtotime(endstr, now, starttime);
-	} else {
-		starttime = sig.timesigned;
-		endtime = sig.timeexpire;
-	}
-
-
 	for (keynode = ISC_LIST_HEAD(keylist);
 	     keynode != NULL;
 	     keynode = ISC_LIST_NEXT(keynode, link))
 		if (!keynode->verified)
-			fatal("Not all zone keys self signed the key set");
-
-	result = dns_rdataset_first(&sigrdataset);
-	check_result(result, "dns_rdataset_first()");
-	dns_rdataset_current(&sigrdataset, &sigrdata);
-	result = dns_rdata_tostruct(&sigrdata, &sig, mctx);
-	check_result(result, "dns_rdata_tostruct()");
-
-	dns_rdataset_disassociate(&sigrdataset);
+			fatal("not all zone keys self signed the key set");
 
 	argc -= 1;
 	argv += 1;
 
-	dns_rdatalist_init(&sigrdatalist);
-	sigrdatalist.rdclass = rdataset.rdclass;
-	sigrdatalist.type = dns_rdatatype_sig;
-	sigrdatalist.covers = dns_rdatatype_key;
-	sigrdatalist.ttl = rdataset.ttl;
-
 	for (i = 0; i < argc; i++) {
 		key = NULL;
 		result = dst_key_fromnamedfile(argv[i],
@@ -395,45 +374,45 @@ main(int argc, char *argv[]) {
 			fatal("failed to read key %s from disk: %s",
 			      argv[i], isc_result_totext(result));
 
-		rdata = isc_mem_get(mctx, sizeof(dns_rdata_t));
-		if (rdata == NULL)
-			fatal("out of memory");
-		dns_rdata_init(rdata);
-		data = isc_mem_get(mctx, BUFSIZE);
-		if (data == NULL)
-			fatal("out of memory");
-		isc_buffer_init(&b, data, BUFSIZE);
+		dns_rdata_reset(&rdata);
+		isc_buffer_init(&b, data, sizeof(data));
 		result = dns_dnssec_sign(domain, &rdataset, key,
 					 &starttime, &endtime,
-					 mctx, &b, rdata);
+					 mctx, &b, &rdata);
 		isc_entropy_stopcallbacksources(ectx);
 		if (result != ISC_R_SUCCESS) {
 			char keystr[KEY_FORMATSIZE];
-			key_format(key, keystr, sizeof keystr);
+			key_format(key, keystr, sizeof(keystr));
 			fatal("key '%s' failed to sign data: %s",
 			      keystr, isc_result_totext(result));
 		}
 		if (tryverify) {
 			result = dns_dnssec_verify(domain, &rdataset, key,
-						   ISC_TRUE, mctx, rdata);
+						   ISC_TRUE, mctx, &rdata);
 			if (result != ISC_R_SUCCESS) {
 				char keystr[KEY_FORMATSIZE];
-				key_format(key, keystr, sizeof keystr);
+				key_format(key, keystr, sizeof(keystr));
 				fatal("signature from key '%s' failed to "
 				      "verify: %s",
 				      keystr, isc_result_totext(result));
 			}
 		}
-		ISC_LIST_APPEND(sigrdatalist.rdata, rdata, link);
+		tuple = NULL;
+		result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD,
+					      domain, rdataset.ttl,
+					      &rdata, &tuple);
+		check_result(result, "dns_difftuple_create");
+		dns_diff_append(&diff, &tuple);
 		dst_key_free(&key);
 	}
 
-	dns_rdataset_init(&newsigrdataset);
-	result = dns_rdatalist_tordataset(&sigrdatalist, &newsigrdataset);
-	check_result (result, "dns_rdatalist_tordataset()");
+	result = dns_db_deleterdataset(db, node, version, dns_rdatatype_rrsig,
+				       dns_rdatatype_dnskey);
+	check_result(result, "dns_db_deleterdataset");
 
-	dns_db_addrdataset(db, node, version, 0, &newsigrdataset, 0, NULL);
-	check_result (result, "dns_db_addrdataset()");
+	result = dns_diff_apply(&diff, db, version);
+	check_result(result, "dns_diff_apply");
+	dns_diff_clear(&diff);
 
 	dns_db_detachnode(db, &node);
 	dns_db_closeversion(db, &version, ISC_TRUE);
@@ -445,16 +424,7 @@ main(int argc, char *argv[]) {
 	printf("%s\n", output);
 
 	dns_rdataset_disassociate(&rdataset);
-	dns_rdataset_disassociate(&newsigrdataset);
-
-	dns_rdata_freestruct(&sig);
-
-	while (!ISC_LIST_EMPTY(sigrdatalist.rdata)) {
-		rdata = ISC_LIST_HEAD(sigrdatalist.rdata);
-		ISC_LIST_UNLINK(sigrdatalist.rdata, rdata, link);
-		isc_mem_put(mctx, rdata->data, BUFSIZE);
-		isc_mem_put(mctx, rdata, sizeof *rdata);
-	}
+	dns_rdataset_disassociate(&sigrdataset);
 
 	dns_db_detach(&db);
 
@@ -468,7 +438,6 @@ main(int argc, char *argv[]) {
 	cleanup_logging(&log);
 
 	isc_mem_free(mctx, output);
-	isc_hash_destroy();
 	cleanup_entropy(&ectx);
 	dst_lib_destroy();
 	if (verbose > 10)
diff --git a/bin/dnssec/dnssec-signkey.docbook b/bin/dnssec/dnssec-signkey.docbook
index 6afdd66e..9ce94a1c 100644
--- a/bin/dnssec/dnssec-signkey.docbook
+++ b/bin/dnssec/dnssec-signkey.docbook
@@ -1,9 +1,7 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
-               "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
 <!--
- - Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
+ - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001, 2003  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -18,7 +16,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: dnssec-signkey.docbook,v 1.2.2.6 2005/05/12 21:35:08 sra Exp $ -->
+<!-- $Id: dnssec-signkey.docbook,v 1.2.2.2.4.1 2004/03/06 10:21:15 marka Exp $ -->
 
 <refentry>
   <refentryinfo>
@@ -31,20 +29,6 @@
     <refmiscinfo>BIND9</refmiscinfo>
   </refmeta>
 
-  <docinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <year>2003</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
-  </docinfo>
-
   <refnamediv>
     <refname><application>dnssec-signkey</application></refname>
     <refpurpose>DNSSEC key set signing tool</refpurpose>
@@ -240,7 +224,7 @@
   <refsect1>
     <title>AUTHOR</title>
     <para>
-        <corpauthor>Internet Systems Consortium</corpauthor>
+        <corpauthor>Internet Software Consortium</corpauthor>
     </para>
   </refsect1>
 
diff --git a/bin/dnssec/dnssec-signkey.html b/bin/dnssec/dnssec-signkey.html
index 4f18f70b..8cbf1fc7 100644
--- a/bin/dnssec/dnssec-signkey.html
+++ b/bin/dnssec/dnssec-signkey.html
@@ -1,148 +1,407 @@
 <!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
- - 
+ - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001, 2003  Internet Software Consortium.
+ -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
- - 
+ -
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: dnssec-signkey.html,v 1.4.2.15 2007/01/26 23:26:58 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>dnssec-signkey</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476275"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p><span class="application">dnssec-signkey</span> &#8212; DNSSEC key set signing tool</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">dnssec-signkey</code>  [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-h</code>] [<code class="option">-p</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {keyset} {key...}</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543409"></a><h2>DESCRIPTION</h2>
-<p>
-        <span><strong class="command">dnssec-signkey</strong></span> signs a keyset.  Typically
+
+<!-- $Id: dnssec-signkey.html,v 1.4.2.1.4.1 2004/03/06 10:21:15 marka Exp $ -->
+
+<HTML
+><HEAD
+><TITLE
+>dnssec-signkey</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.73
+"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+><SPAN
+CLASS="APPLICATION"
+>dnssec-signkey</SPAN
+></A
+></H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN9"
+></A
+><H2
+>Name</H2
+><SPAN
+CLASS="APPLICATION"
+>dnssec-signkey</SPAN
+>&nbsp;--&nbsp;DNSSEC key set signing tool</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN13"
+></A
+><H2
+>Synopsis</H2
+><P
+><B
+CLASS="COMMAND"
+>dnssec-signkey</B
+>  [<TT
+CLASS="OPTION"
+>-a</TT
+>] [<TT
+CLASS="OPTION"
+>-c <TT
+CLASS="REPLACEABLE"
+><I
+>class</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-s <TT
+CLASS="REPLACEABLE"
+><I
+>start-time</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-e <TT
+CLASS="REPLACEABLE"
+><I
+>end-time</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-h</TT
+>] [<TT
+CLASS="OPTION"
+>-p</TT
+>] [<TT
+CLASS="OPTION"
+>-r <TT
+CLASS="REPLACEABLE"
+><I
+>randomdev</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-v <TT
+CLASS="REPLACEABLE"
+><I
+>level</I
+></TT
+></TT
+>] {keyset} {key...}</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN39"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+>        <B
+CLASS="COMMAND"
+>dnssec-signkey</B
+> signs a keyset.  Typically
 	the keyset will be for a child zone, and will have been generated
-	by <span><strong class="command">dnssec-makekeyset</strong></span>.  The child zone's keyset
+	by <B
+CLASS="COMMAND"
+>dnssec-makekeyset</B
+>.  The child zone's keyset
 	is signed with the zone keys for its parent zone.  The output file
-	is of the form <code class="filename">signedkey-nnnn.</code>, where
-	<code class="filename">nnnn</code> is the zone name.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543431"></a><h2>OPTIONS</h2>
-<div class="variablelist"><dl>
-<dt><span class="term">-a</span></dt>
-<dd><p>
-	      Verify all generated signatures.
-	  </p></dd>
-<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
-<dd><p>
-	       Specifies the DNS class of the key sets.
-	  </p></dd>
-<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
-<dd><p>
-	       Specify the date and time when the generated SIG records
+	is of the form <TT
+CLASS="FILENAME"
+>signedkey-nnnn.</TT
+>, where
+	<TT
+CLASS="FILENAME"
+>nnnn</TT
+> is the zone name.
+    </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN46"
+></A
+><H2
+>OPTIONS</H2
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+>-a</DT
+><DD
+><P
+>	      Verify all generated signatures.
+	  </P
+></DD
+><DT
+>-c <TT
+CLASS="REPLACEABLE"
+><I
+>class</I
+></TT
+></DT
+><DD
+><P
+>	       Specifies the DNS class of the key sets.
+	  </P
+></DD
+><DT
+>-s <TT
+CLASS="REPLACEABLE"
+><I
+>start-time</I
+></TT
+></DT
+><DD
+><P
+>	       Specify the date and time when the generated SIG records
 	       become valid.  This can be either an absolute or relative
 	       time.  An absolute start time is indicated by a number
 	       in YYYYMMDDHHMMSS notation; 20000530144500 denotes
 	       14:45:00 UTC on May 30th, 2000.  A relative start time is
 	       indicated by +N, which is N seconds from the current time.
-	       If no <code class="option">start-time</code> is specified, the current
+	       If no <TT
+CLASS="OPTION"
+>start-time</TT
+> is specified, the current
 	       time is used.
-	  </p></dd>
-<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
-<dd><p>
-	       Specify the date and time when the generated SIG records
-	       expire.  As with <code class="option">start-time</code>, an absolute
+	  </P
+></DD
+><DT
+>-e <TT
+CLASS="REPLACEABLE"
+><I
+>end-time</I
+></TT
+></DT
+><DD
+><P
+>	       Specify the date and time when the generated SIG records
+	       expire.  As with <TT
+CLASS="OPTION"
+>start-time</TT
+>, an absolute
 	       time is indicated in YYYYMMDDHHMMSS notation.  A time relative
 	       to the start time is indicated with +N, which is N seconds from
 	       the start time.  A time relative to the current time is
-	       indicated with now+N.  If no <code class="option">end-time</code> is
+	       indicated with now+N.  If no <TT
+CLASS="OPTION"
+>end-time</TT
+> is
 	       specified, 30 days from the start time is used as a default.
-	  </p></dd>
-<dt><span class="term">-h</span></dt>
-<dd><p>
-	       Prints a short summary of the options and arguments to
-	       <span><strong class="command">dnssec-signkey</strong></span>.
-	  </p></dd>
-<dt><span class="term">-p</span></dt>
-<dd><p>
-	       Use pseudo-random data when signing the zone.  This is faster,
+	  </P
+></DD
+><DT
+>-h</DT
+><DD
+><P
+>	       Prints a short summary of the options and arguments to
+	       <B
+CLASS="COMMAND"
+>dnssec-signkey</B
+>.
+	  </P
+></DD
+><DT
+>-p</DT
+><DD
+><P
+>	       Use pseudo-random data when signing the zone.  This is faster,
 	       but less secure, than using real random data.  This option
 	       may be useful when signing large zones or when the entropy
 	       source is limited.
-	  </p></dd>
-<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
-<dd><p>
-	       Specifies the source of randomness.  If the operating
-	       system does not provide a <code class="filename">/dev/random</code>
+	  </P
+></DD
+><DT
+>-r <TT
+CLASS="REPLACEABLE"
+><I
+>randomdev</I
+></TT
+></DT
+><DD
+><P
+>	       Specifies the source of randomness.  If the operating
+	       system does not provide a <TT
+CLASS="FILENAME"
+>/dev/random</TT
+>
 	       or equivalent device, the default source of randomness
-	       is keyboard input.  <code class="filename">randomdev</code> specifies
+	       is keyboard input.  <TT
+CLASS="FILENAME"
+>randomdev</TT
+> specifies
 	       the name of a character device or file containing random
 	       data to be used instead of the default.  The special value
-	       <code class="filename">keyboard</code> indicates that keyboard
+	       <TT
+CLASS="FILENAME"
+>keyboard</TT
+> indicates that keyboard
 	       input should be used.
-	  </p></dd>
-<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
-<dd><p>
-	       Sets the debugging level.
-	  </p></dd>
-<dt><span class="term">keyset</span></dt>
-<dd><p>
-	        The file containing the child's keyset.
-	  </p></dd>
-<dt><span class="term">key</span></dt>
-<dd><p>
-	        The keys used to sign the child's keyset.
-	  </p></dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543620"></a><h2>EXAMPLE</h2>
-<p>
-        The DNS administrator for a DNSSEC-aware <strong class="userinput"><code>.com</code></strong>
+	  </P
+></DD
+><DT
+>-v <TT
+CLASS="REPLACEABLE"
+><I
+>level</I
+></TT
+></DT
+><DD
+><P
+>	       Sets the debugging level.
+	  </P
+></DD
+><DT
+>keyset</DT
+><DD
+><P
+>	        The file containing the child's keyset.
+	  </P
+></DD
+><DT
+>key</DT
+><DD
+><P
+>	        The keys used to sign the child's keyset.
+	  </P
+></DD
+></DL
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN101"
+></A
+><H2
+>EXAMPLE</H2
+><P
+>        The DNS administrator for a DNSSEC-aware <TT
+CLASS="USERINPUT"
+><B
+>.com</B
+></TT
+>
 	zone would use the following command to sign the
-	<code class="filename">keyset</code> file for <strong class="userinput"><code>example.com</code></strong>
-	created by <span><strong class="command">dnssec-makekeyset</strong></span> with a key generated
-	by <span><strong class="command">dnssec-keygen</strong></span>:
-    </p>
-<p>
-        <strong class="userinput"><code>dnssec-signkey keyset-example.com. Kcom.+003+51944</code></strong>
-    </p>
-<p>
-        In this example, <span><strong class="command">dnssec-signkey</strong></span> creates
-	the file <code class="filename">signedkey-example.com.</code>, which
-	contains the <strong class="userinput"><code>example.com</code></strong> keys and the
-	signatures by the <strong class="userinput"><code>.com</code></strong> keys.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543672"></a><h2>SEE ALSO</h2>
-<p>
-      <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
-      <span class="citerefentry"><span class="refentrytitle">dnssec-makekeyset</span>(8)</span>,
-      <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543710"></a><h2>AUTHOR</h2>
-<p>
-        <span class="corpauthor">Internet Systems Consortium</span>
-    </p>
-</div>
-</div></body>
-</html>
+	<TT
+CLASS="FILENAME"
+>keyset</TT
+> file for <TT
+CLASS="USERINPUT"
+><B
+>example.com</B
+></TT
+>
+	created by <B
+CLASS="COMMAND"
+>dnssec-makekeyset</B
+> with a key generated
+	by <B
+CLASS="COMMAND"
+>dnssec-keygen</B
+>:
+    </P
+><P
+>        <TT
+CLASS="USERINPUT"
+><B
+>dnssec-signkey keyset-example.com. Kcom.+003+51944</B
+></TT
+>
+    </P
+><P
+>        In this example, <B
+CLASS="COMMAND"
+>dnssec-signkey</B
+> creates
+	the file <TT
+CLASS="FILENAME"
+>signedkey-example.com.</TT
+>, which
+	contains the <TT
+CLASS="USERINPUT"
+><B
+>example.com</B
+></TT
+> keys and the
+	signatures by the <TT
+CLASS="USERINPUT"
+><B
+>.com</B
+></TT
+> keys.
+    </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN116"
+></A
+><H2
+>SEE ALSO</H2
+><P
+>      <SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>dnssec-keygen</SPAN
+>(8)</SPAN
+>,
+      <SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>dnssec-makekeyset</SPAN
+>(8)</SPAN
+>,
+      <SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>dnssec-signzone</SPAN
+>(8)</SPAN
+>.
+    </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN128"
+></A
+><H2
+>AUTHOR</H2
+><P
+>        Internet Software Consortium
+    </P
+></DIV
+></BODY
+></HTML
+>
diff --git a/bin/dnssec/dnssec-signzone.8 b/bin/dnssec/dnssec-signzone.8
index ebf83bc6..0f1a44ce 100644
--- a/bin/dnssec/dnssec-signzone.8
+++ b/bin/dnssec/dnssec-signzone.8
@@ -1,188 +1,170 @@
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
-.\" 
+.\" Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000-2003  Internet Software Consortium.
+.\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
 .\" copyright notice and this permission notice appear in all copies.
-.\" 
+.\"
 .\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 .\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 .\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 .\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dnssec-signzone.8,v 1.23.2.12 2007/05/09 03:32:21 marka Exp $
-.\"
-.hy 0
-.ad l
-.\"     Title: dnssec\-signzone
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: June 30, 2000
-.\"    Manual: BIND9
-.\"    Source: BIND9
+.\" $Id: dnssec-signzone.8,v 1.23.2.1.4.4 2004/03/15 01:02:42 marka Exp $
 .\"
-.TH "DNSSEC\-SIGNZONE" "8" "June 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-dnssec\-signzone \- DNSSEC zone signing tool
-.SH "SYNOPSIS"
-.HP 16
-\fBdnssec\-signzone\fR [\fB\-a\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIdirectory\fR\fR] [\fB\-s\ \fR\fB\fIstart\-time\fR\fR] [\fB\-e\ \fR\fB\fIend\-time\fR\fR] [\fB\-f\ \fR\fB\fIoutput\-file\fR\fR] [\fB\-h\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-n\ \fR\fB\fInthreads\fR\fR] [\fB\-o\ \fR\fB\fIorigin\fR\fR] [\fB\-p\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-t\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {zonefile} [key...]
+.TH "DNSSEC-SIGNZONE" "8" "June 30, 2000" "BIND9" ""
+.SH NAME
+dnssec-signzone \- DNSSEC zone signing tool
+.SH SYNOPSIS
+.sp
+\fBdnssec-signzone\fR [ \fB-a\fR ]  [ \fB-c \fIclass\fB\fR ]  [ \fB-d \fIdirectory\fB\fR ]  [ \fB-e \fIend-time\fB\fR ]  [ \fB-f \fIoutput-file\fB\fR ]  [ \fB-g\fR ]  [ \fB-h\fR ]  [ \fB-k \fIkey\fB\fR ]  [ \fB-l \fIdomain\fB\fR ]  [ \fB-i \fIinterval\fB\fR ]  [ \fB-n \fInthreads\fB\fR ]  [ \fB-o \fIorigin\fB\fR ]  [ \fB-p\fR ]  [ \fB-r \fIrandomdev\fB\fR ]  [ \fB-s \fIstart-time\fB\fR ]  [ \fB-t\fR ]  [ \fB-v \fIlevel\fB\fR ]  [ \fB-z\fR ]  \fBzonefile\fR [ \fBkey\fR\fI...\fR ] 
 .SH "DESCRIPTION"
 .PP
-\fBdnssec\-signzone\fR
-signs a zone. It generates NXT and SIG records and produces a signed version of the zone. If there is a
-\fIsignedkey\fR
-file from the zone's parent, the parent's signatures will be incorporated into the generated signed zone file. The security status of delegations from the signed zone (that is, whether the child zones are secure or not) is determined by the presence or absence of a
-\fIsignedkey\fR
-file for each child zone.
+\fBdnssec-signzone\fR signs a zone. It generates NSEC
+and RRSIG records and produces a signed version of the zone. If there
+is a \fIsignedkey\fR file from the zone's parent,
+the parent's signatures will be incorporated into the generated
+signed zone file. The security status of delegations from the
+signed zone (that is, whether the child zones are secure or not) is
+determined by the presence or absence of a
+\fIsignedkey\fR file for each child zone.
 .SH "OPTIONS"
-.PP
-\-a
-.RS 4
+.TP
+\fB-a\fR
 Verify all generated signatures.
-.RE
-.PP
-\-c \fIclass\fR
-.RS 4
+.TP
+\fB-c \fIclass\fB\fR
 Specifies the DNS class of the zone.
-.RE
-.PP
-\-d \fIdirectory\fR
-.RS 4
-Look for
-\fIsignedkey\fR
-files in
-\fBdirectory\fR
-as the directory
-.RE
-.PP
-\-s \fIstart\-time\fR
-.RS 4
-Specify the date and time when the generated SIG records become valid. This can be either an absolute or relative time. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation; 20000530144500 denotes 14:45:00 UTC on May 30th, 2000. A relative start time is indicated by +N, which is N seconds from the current time. If no
-\fBstart\-time\fR
-is specified, the current time is used.
-.RE
-.PP
-\-e \fIend\-time\fR
-.RS 4
-Specify the date and time when the generated SIG records expire. As with
-\fBstart\-time\fR, an absolute time is indicated in YYYYMMDDHHMMSS notation. A time relative to the start time is indicated with +N, which is N seconds from the start time. A time relative to the current time is indicated with now+N. If no
-\fBend\-time\fR
-is specified, 30 days from the start time is used as a default.
-.RE
-.PP
-\-f \fIoutput\-file\fR
-.RS 4
-The name of the output file containing the signed zone. The default is to append
-\fI.signed\fR
-to the input filename.
-.RE
-.PP
-\-h
-.RS 4
+.TP
+\fB-k \fIkey\fB\fR
+Treat specified key as a key signing key ignoring any
+key flags. This option may be specified multiple times.
+.TP
+\fB-l \fIdomain\fB\fR
+Generate a DLV set in addition to the key (DNSKEY) and DS sets.
+The domain is appended to the name of the records.
+.TP
+\fB-d \fIdirectory\fB\fR
+Look for \fIsignedkey\fR files in
+\fBdirectory\fR as the directory 
+.TP
+\fB-g\fR
+Generate DS records for child zones from keyset files.
+Existing DS records will be removed.
+.TP
+\fB-s \fIstart-time\fB\fR
+Specify the date and time when the generated RRSIG records
+become valid. This can be either an absolute or relative
+time. An absolute start time is indicated by a number
+in YYYYMMDDHHMMSS notation; 20000530144500 denotes
+14:45:00 UTC on May 30th, 2000. A relative start time is
+indicated by +N, which is N seconds from the current time.
+If no \fBstart-time\fR is specified, the current
+time minus 1 hour (to allow for clock skew) is used.
+.TP
+\fB-e \fIend-time\fB\fR
+Specify the date and time when the generated RRSIG records
+expire. As with \fBstart-time\fR, an absolute
+time is indicated in YYYYMMDDHHMMSS notation. A time relative
+to the start time is indicated with +N, which is N seconds from
+the start time. A time relative to the current time is
+indicated with now+N. If no \fBend-time\fR is
+specified, 30 days from the start time is used as a default.
+.TP
+\fB-f \fIoutput-file\fB\fR
+The name of the output file containing the signed zone. The
+default is to append \fI.signed\fR to the
+input file.
+.TP
+\fB-h\fR
 Prints a short summary of the options and arguments to
-\fBdnssec\-signzone\fR.
-.RE
-.PP
-\-i \fIinterval\fR
-.RS 4
-When a previously\-signed zone is passed as input, records may be resigned. The
-\fBinterval\fR
-option specifies the cycle interval as an offset from the current time (in seconds). If a SIG record expires after the cycle interval, it is retained. Otherwise, it is considered to be expiring soon, and it will be replaced.
-.sp
-The default cycle interval is one quarter of the difference between the signature end and start times. So if neither
-\fBend\-time\fR
-or
-\fBstart\-time\fR
-are specified,
-\fBdnssec\-signzone\fR
-generates signatures that are valid for 30 days, with a cycle interval of 7.5 days. Therefore, if any existing SIG records are due to expire in less than 7.5 days, they would be replaced.
-.RE
-.PP
-\-n \fIncpus\fR
-.RS 4
-Specifies the number of threads to use. By default, one thread is started for each detected CPU.
-.RE
-.PP
-\-o \fIorigin\fR
-.RS 4
-The zone origin. If not specified, the name of the zone file is assumed to be the origin.
-.RE
-.PP
-\-p
-.RS 4
-Use pseudo\-random data when signing the zone. This is faster, but less secure, than using real random data. This option may be useful when signing large zones or when the entropy source is limited.
-.RE
-.PP
-\-r \fIrandomdev\fR
-.RS 4
-Specifies the source of randomness. If the operating system does not provide a
-\fI/dev/random\fR
-or equivalent device, the default source of randomness is keyboard input.
-\fIrandomdev\fR
-specifies the name of a character device or file containing random data to be used instead of the default. The special value
-\fIkeyboard\fR
-indicates that keyboard input should be used.
-.RE
-.PP
-\-t
-.RS 4
+\fBdnssec-signzone\fR.
+.TP
+\fB-i \fIinterval\fB\fR
+When a previously signed zone is passed as input, records
+may be resigned. The \fBinterval\fR option
+specifies the cycle interval as an offset from the current
+time (in seconds). If a RRSIG record expires after the
+cycle interval, it is retained. Otherwise, it is considered
+to be expiring soon, and it will be replaced.
+
+The default cycle interval is one quarter of the difference
+between the signature end and start times. So if neither
+\fBend-time\fR or \fBstart-time\fR
+are specified, \fBdnssec-signzone\fR generates
+signatures that are valid for 30 days, with a cycle
+interval of 7.5 days. Therefore, if any existing RRSIG records
+are due to expire in less than 7.5 days, they would be
+replaced.
+.TP
+\fB-n \fIncpus\fB\fR
+Specifies the number of threads to use. By default, one
+thread is started for each detected CPU.
+.TP
+\fB-o \fIorigin\fB\fR
+The zone origin. If not specified, the name of the zone file
+is assumed to be the origin.
+.TP
+\fB-p\fR
+Use pseudo-random data when signing the zone. This is faster,
+but less secure, than using real random data. This option
+may be useful when signing large zones or when the entropy
+source is limited.
+.TP
+\fB-r \fIrandomdev\fB\fR
+Specifies the source of randomness. If the operating
+system does not provide a \fI/dev/random\fR
+or equivalent device, the default source of randomness
+is keyboard input. \fIrandomdev\fR specifies
+the name of a character device or file containing random
+data to be used instead of the default. The special value
+\fIkeyboard\fR indicates that keyboard
+input should be used.
+.TP
+\fB-t\fR
 Print statistics at completion.
-.RE
-.PP
-\-v \fIlevel\fR
-.RS 4
+.TP
+\fB-v \fIlevel\fB\fR
 Sets the debugging level.
-.RE
-.PP
-zonefile
-.RS 4
+.TP
+\fB-z\fR
+Ignore KSK flag on key when determining what to sign.
+.TP
+\fBzonefile\fR
 The file containing the zone to be signed.
-.RE
-.PP
-key
-.RS 4
-Specify which keys should be used to sign the zone. If no keys are specified, then the zone will be examined for DNSKEY records at the zone apex. If these are found and there are matching private keys, in the current directory, then these will be used for signing.
-.RE
+Sets the debugging level.
+.TP
+\fBkey\fR
+The keys used to sign the zone. If no keys are specified, the
+default all zone keys that have private key files in the
+current directory.
 .SH "EXAMPLE"
 .PP
-The following command signs the
-\fBexample.com\fR
-zone with the DSA key generated in the
-\fBdnssec\-keygen\fR
+The following command signs the \fBexample.com\fR
+zone with the DSA key generated in the \fBdnssec-keygen\fR
 man page. The zone's keys must be in the zone. If there are
-\fIsignedkey\fR
-files associated with this zone or any child zones, they must be in the current directory.
-\fBexample.com\fR, the following command would be issued:
+\fIsignedkey\fR files associated with this zone
+or any child zones, they must be in the current directory.
+\fBexample.com\fR, the following command would be
+issued:
 .PP
-\fBdnssec\-signzone \-o example.com db.example.com Kexample.com.+003+26160\fR
+\fBdnssec-signzone -o example.com db.example.com Kexample.com.+003+26160\fR
 .PP
 The command would print a string of the form:
 .PP
-In this example,
-\fBdnssec\-signzone\fR
-creates the file
-\fIdb.example.com.signed\fR. This file should be referenced in a zone statement in a
-\fInamed.conf\fR
-file.
+In this example, \fBdnssec-signzone\fR creates
+the file \fIdb.example.com.signed\fR. This file
+should be referenced in a zone statement in a
+\fInamed.conf\fR file.
 .SH "SEE ALSO"
 .PP
-\fBdnssec\-keygen\fR(8),
-\fBdnssec\-signkey\fR(8),
-BIND 9 Administrator Reference Manual,
-RFC 2535.
+\fBdnssec-keygen\fR(8),
+\fBdnssec-signkey\fR(8),
+\fIBIND 9 Administrator Reference Manual\fR,
+\fIRFC 2535\fR.
 .SH "AUTHOR"
 .PP
-Internet Systems Consortium
-.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000, 2001, 2003 Internet Software Consortium.
-.br
+Internet Software Consortium
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index c7b16834..8213ec29 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -1,6 +1,6 @@
 /*
- * Portions Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 1999-2001, 2003  Internet Software Consortium.
+ * Portions Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 1999-2003  Internet Software Consortium.
  * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -16,7 +16,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-signzone.c,v 1.139.2.9 2005/10/14 01:37:48 marka Exp $ */
+/* $Id: dnssec-signzone.c,v 1.139.2.2.4.11 2004/03/10 02:55:51 marka Exp $ */
 
 #include <config.h>
 
@@ -28,10 +28,10 @@
 #include <isc/entropy.h>
 #include <isc/event.h>
 #include <isc/file.h>
-#include <isc/hash.h>
 #include <isc/mem.h>
 #include <isc/mutex.h>
 #include <isc/os.h>
+#include <isc/serial.h>
 #include <isc/stdio.h>
 #include <isc/string.h>
 #include <isc/task.h>
@@ -42,12 +42,13 @@
 #include <dns/dbiterator.h>
 #include <dns/diff.h>
 #include <dns/dnssec.h>
+#include <dns/ds.h>
 #include <dns/fixedname.h>
 #include <dns/keyvalues.h>
 #include <dns/log.h>
 #include <dns/master.h>
 #include <dns/masterdump.h>
-#include <dns/nxt.h>
+#include <dns/nsec.h>
 #include <dns/rdata.h>
 #include <dns/rdataset.h>
 #include <dns/rdataclass.h>
@@ -55,11 +56,9 @@
 #include <dns/rdatastruct.h>
 #include <dns/rdatatype.h>
 #include <dns/result.h>
-#include <dns/secalg.h>
 #include <dns/time.h>
 
 #include <dst/dst.h>
-#include <dst/result.h>
 
 #include "dnssectool.h"
 
@@ -67,12 +66,15 @@ const char *program = "dnssec-signzone";
 int verbose;
 
 #define BUFSIZE 2048
+#define MAXDSKEYS 8
 
 typedef struct signer_key_struct signer_key_t;
 
 struct signer_key_struct {
 	dst_key_t *key;
-	isc_boolean_t isdefault;
+	isc_boolean_t issigningkey;
+	isc_boolean_t isdsk;
+	isc_boolean_t isksk;
 	unsigned int position;
 	ISC_LINK(signer_key_t) link;
 };
@@ -85,7 +87,6 @@ typedef struct signer_event sevent_t;
 struct signer_event {
 	ISC_EVENT_COMMON(sevent_t);
 	dns_fixedname_t *fname;
-	dns_fixedname_t *fnextname;
 	dns_dbnode_t *node;
 };
 
@@ -109,15 +110,19 @@ static isc_taskmgr_t *taskmgr = NULL;
 static dns_db_t *gdb;			/* The database */
 static dns_dbversion_t *gversion;	/* The database version */
 static dns_dbiterator_t *gdbiter;	/* The database iterator */
+static dns_rdataclass_t gclass;		/* The class */
 static dns_name_t *gorigin;		/* The database origin */
-static dns_dbnode_t *gnode = NULL;	/* The "current" database node */
-static dns_name_t *lastzonecut;
 static isc_task_t *master = NULL;
 static unsigned int ntasks = 0;
 static isc_boolean_t shuttingdown = ISC_FALSE, finished = ISC_FALSE;
 static unsigned int assigned = 0, completed = 0;
 static isc_boolean_t nokeys = ISC_FALSE;
 static isc_boolean_t removefile = ISC_FALSE;
+static isc_boolean_t generateds = ISC_FALSE;
+static isc_boolean_t ignoreksk = ISC_FALSE;
+static dns_name_t *dlv = NULL;
+static dns_fixedname_t dlv_fixed;
+static dns_master_style_t *dsstyle = NULL;
 
 #define INCSTAT(counter)		\
 	if (printstats) {		\
@@ -143,15 +148,63 @@ set_bit(unsigned char *array, unsigned int index, unsigned int bit) {
 		array[index / 8] &= (~mask & 0xFF);
 }
 
+static void
+dumpnode(dns_name_t *name, dns_dbnode_t *node) {
+	isc_result_t result;
+
+	result = dns_master_dumpnodetostream(mctx, gdb, gversion, node, name,
+					     masterstyle, fp);
+	check_result(result, "dns_master_dumpnodetostream");
+}
+
+static void
+dumpdb(dns_db_t *db) {
+	dns_dbiterator_t *dbiter = NULL;
+	dns_dbnode_t *node;
+	dns_fixedname_t fname;
+	dns_name_t *name;
+	isc_result_t result;
+
+	dbiter = NULL;
+	result = dns_db_createiterator(db, ISC_FALSE, &dbiter);
+	check_result(result, "dns_db_createiterator()");
+
+	dns_fixedname_init(&fname);
+	name = dns_fixedname_name(&fname);
+	node = NULL;
+
+	for (result = dns_dbiterator_first(dbiter);
+	     result == ISC_R_SUCCESS;
+	     result = dns_dbiterator_next(dbiter))
+	{
+		result = dns_dbiterator_current(dbiter, &node, name);
+		check_result(result, "dns_dbiterator_current()");
+		dumpnode(name, node);
+		dns_db_detachnode(db, &node);
+	}
+	if (result != ISC_R_NOMORE)
+		fatal("iterating database: %s", isc_result_totext(result));
+
+	dns_dbiterator_destroy(&dbiter);
+}
+
 static signer_key_t *
-newkeystruct(dst_key_t *dstkey, isc_boolean_t isdefault) {
+newkeystruct(dst_key_t *dstkey, isc_boolean_t signwithkey) {
 	signer_key_t *key;
 
 	key = isc_mem_get(mctx, sizeof(signer_key_t));
 	if (key == NULL)
 		fatal("out of memory");
 	key->key = dstkey;
-	key->isdefault = isdefault;
+	if ((dst_key_flags(dstkey) & DNS_KEYFLAG_KSK) != 0) {
+		key->issigningkey = signwithkey;
+		key->isksk = ISC_TRUE;
+		key->isdsk = ISC_FALSE;
+	} else {
+		key->issigningkey = signwithkey;
+		key->isksk = ISC_FALSE;
+		key->isdsk = ISC_TRUE;
+	}
 	key->position = keycount++;
 	ISC_LINK_INIT(key, link);
 	return (key);
@@ -168,7 +221,7 @@ signwithkey(dns_name_t *name, dns_rdataset_t *rdataset, dns_rdata_t *rdata,
 	isc_entropy_stopcallbacksources(ectx);
 	if (result != ISC_R_SUCCESS) {
 		char keystr[KEY_FORMATSIZE];
-		key_format(key, keystr, sizeof keystr);
+		key_format(key, keystr, sizeof(keystr));
 		fatal("key '%s' failed to sign data: %s",
 		      keystr, isc_result_totext(result));
 	}
@@ -189,7 +242,7 @@ signwithkey(dns_name_t *name, dns_rdataset_t *rdataset, dns_rdata_t *rdata,
 
 static inline isc_boolean_t
 issigningkey(signer_key_t *key) {
-	return (key->isdefault);
+	return (key->issigningkey);
 }
 
 static inline isc_boolean_t
@@ -203,7 +256,7 @@ iszonekey(signer_key_t *key) {
  * that we've loaded already, and then see if there's a key on disk.
  */
 static signer_key_t *
-keythatsigned(dns_rdata_sig_t *sig) {
+keythatsigned(dns_rdata_rrsig_t *sig) {
 	isc_result_t result;
 	dst_key_t *pubkey = NULL, *privkey = NULL;
 	signer_key_t *key;
@@ -247,7 +300,7 @@ expecttofindkey(dns_name_t *name) {
 	char namestr[DNS_NAME_FORMATSIZE];
 
 	dns_fixedname_init(&fname);
-	result = dns_db_find(gdb, name, gversion, dns_rdatatype_key, options,
+	result = dns_db_find(gdb, name, gversion, dns_rdatatype_dnskey, options,
 			     0, NULL, dns_fixedname_name(&fname), NULL, NULL);
 	switch (result) {
 	case ISC_R_SUCCESS:
@@ -259,7 +312,7 @@ expecttofindkey(dns_name_t *name) {
 	case DNS_R_DNAME:
 		return (ISC_FALSE);
 	}
-	dns_name_format(name, namestr, sizeof namestr);
+	dns_name_format(name, namestr, sizeof(namestr));
 	fatal("failure looking for '%s KEY' in database: %s",
 	      namestr, isc_result_totext(result));
 	return (ISC_FALSE); /* removes a warning */
@@ -291,7 +344,7 @@ signset(dns_diff_t *diff, dns_dbnode_t *node, dns_name_t *name,
 {
 	dns_rdataset_t sigset;
 	dns_rdata_t sigrdata = DNS_RDATA_INIT;
-	dns_rdata_sig_t sig;
+	dns_rdata_rrsig_t sig;
 	signer_key_t *key;
 	isc_result_t result;
 	isc_boolean_t nosigs = ISC_FALSE;
@@ -304,13 +357,13 @@ signset(dns_diff_t *diff, dns_dbnode_t *node, dns_name_t *name,
 	char typestr[TYPE_FORMATSIZE];
 	char sigstr[SIG_FORMATSIZE];
 
-	dns_name_format(name, namestr, sizeof namestr);
-	type_format(set->type, typestr, sizeof typestr);
+	dns_name_format(name, namestr, sizeof(namestr));
+	type_format(set->type, typestr, sizeof(typestr));
 
 	ttl = ISC_MIN(set->ttl, endtime - starttime);
 
 	dns_rdataset_init(&sigset);
-	result = dns_db_findrdataset(gdb, node, gversion, dns_rdatatype_sig,
+	result = dns_db_findrdataset(gdb, node, gversion, dns_rdatatype_rrsig,
 				     set->type, 0, &sigset, NULL);
 	if (result == ISC_R_NOTFOUND) {
 		result = ISC_R_SUCCESS;
@@ -347,13 +400,16 @@ signset(dns_diff_t *diff, dns_dbnode_t *node, dns_name_t *name,
 		result = dns_rdata_tostruct(&sigrdata, &sig, NULL);
 		check_result(result, "dns_rdata_tostruct");
 
-		expired = ISC_TF(now + cycle > sig.timeexpire);
-		future = ISC_TF(now < sig.timesigned);
+		future = isc_serial_lt(now, sig.timesigned);
 
 		key = keythatsigned(&sig);
-		sig_format(&sig, sigstr, sizeof sigstr);
+		sig_format(&sig, sigstr, sizeof(sigstr));
+		if (key != NULL && issigningkey(key))
+			expired = isc_serial_gt(now + cycle, sig.timeexpire);
+		else
+			expired = isc_serial_gt(now, sig.timeexpire);
 
-		if (sig.timesigned > sig.timeexpire) {
+		if (isc_serial_gt(sig.timesigned, sig.timeexpire)) {
 			/* sig is dropped and not replaced */
 			vbprintf(2, "\tsig by %s dropped - "
 				 "invalid validity period\n",
@@ -425,7 +481,7 @@ signset(dns_diff_t *diff, dns_dbnode_t *node, dns_name_t *name,
 			unsigned char array[BUFSIZE];
 			char keystr[KEY_FORMATSIZE];
 
-			key_format(key->key, keystr, sizeof keystr);
+			key_format(key->key, keystr, sizeof(keystr));
 			vbprintf(1, "\tresigning with key %s\n", keystr);
 			isc_buffer_init(&b, array, sizeof(array));
 			signwithkey(name, set, &trdata, key->key, &b);
@@ -449,62 +505,42 @@ signset(dns_diff_t *diff, dns_dbnode_t *node, dns_name_t *name,
 	if (dns_rdataset_isassociated(&sigset))
 		dns_rdataset_disassociate(&sigset);
 
-	key = ISC_LIST_HEAD(keylist);
-	while (key != NULL) {
-		if (key->isdefault && !nowsignedby[key->position]) {
-			isc_buffer_t b;
-			dns_rdata_t trdata = DNS_RDATA_INIT;
-			unsigned char array[BUFSIZE];
-			char keystr[KEY_FORMATSIZE];
+	for (key = ISC_LIST_HEAD(keylist);
+	     key != NULL;
+	     key = ISC_LIST_NEXT(key, link))
+	{
+		isc_buffer_t b;
+		dns_rdata_t trdata;
+		unsigned char array[BUFSIZE];
+		char keystr[KEY_FORMATSIZE];
 
-			key_format(key->key, keystr, sizeof keystr);
-			vbprintf(1, "\tsigning with key %s\n", keystr);
-			isc_buffer_init(&b, array, sizeof(array));
-			signwithkey(name, set, &trdata, key->key, &b);
-			tuple = NULL;
-			result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD,
-						      name, ttl, &trdata,
-						      &tuple);
-			check_result(result, "dns_difftuple_create");
-			dns_diff_append(diff, &tuple);
-		}
-		key = ISC_LIST_NEXT(key, link);
+		if (nowsignedby[key->position])
+			continue;
+
+		if (!key->issigningkey)
+			continue;
+		if (!(ignoreksk || key->isdsk ||
+		      (key->isksk &&
+		       set->type == dns_rdatatype_dnskey &&
+		       dns_name_equal(name, gorigin))))
+			continue;
+
+		key_format(key->key, keystr, sizeof(keystr));
+		vbprintf(1, "\tsigning with key %s\n", keystr);
+		dns_rdata_init(&trdata);
+		isc_buffer_init(&b, array, sizeof(array));
+		signwithkey(name, set, &trdata, key->key, &b);
+		tuple = NULL;
+		result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, name,
+					      ttl, &trdata, &tuple);
+		check_result(result, "dns_difftuple_create");
+		dns_diff_append(diff, &tuple);
 	}
 
 	isc_mem_put(mctx, wassignedby, arraysize * sizeof(isc_boolean_t));
 	isc_mem_put(mctx, nowsignedby, arraysize * sizeof(isc_boolean_t));
 }
 
-/* Determine if a KEY set contains a null key */
-static isc_boolean_t
-hasnullkey(dns_rdataset_t *rdataset) {
-	isc_result_t result;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	isc_boolean_t found = ISC_FALSE;
-
-	result = dns_rdataset_first(rdataset);
-	while (result == ISC_R_SUCCESS) {
-		dst_key_t *key = NULL;
-
-		dns_rdata_reset(&rdata);
-		dns_rdataset_current(rdataset, &rdata);
-		result = dns_dnssec_keyfromrdata(dns_rootname,
-						 &rdata, mctx, &key);
-		if (result != ISC_R_SUCCESS)
-			fatal("could not convert KEY into internal format: %s",
-			      isc_result_totext(result));
-		if (dst_key_isnullkey(key))
-			found = ISC_TRUE;
-		dst_key_free(&key);
-		if (found == ISC_TRUE)
-			return (ISC_TRUE);
-		result = dns_rdataset_next(rdataset);
-	}
-	if (result != ISC_R_NOMORE)
-		fatal("failure looking for null keys");
-	return (ISC_FALSE);
-}
-
 static void
 opendb(const char *prefix, dns_name_t *name, dns_rdataclass_t rdclass,
        dns_db_t **dbp)
@@ -524,7 +560,7 @@ opendb(const char *prefix, dns_name_t *name, dns_rdataclass_t rdclass,
 	check_result(result, "dns_name_tofilenametext()");
 	if (isc_buffer_availablelength(&b) == 0) {
 		char namestr[DNS_NAME_FORMATSIZE];
-		dns_name_format(name, namestr, sizeof namestr);
+		dns_name_format(name, namestr, sizeof(namestr));
 		fatal("name '%s' is too long", namestr);
 	}
 	isc_buffer_putuint8(&b, 0);
@@ -539,242 +575,185 @@ opendb(const char *prefix, dns_name_t *name, dns_rdataclass_t rdclass,
 }
 
 /*
- * Looks for signatures of the zone keys by the parent, and imports them
- * if found.
+ * Loads the key set for a child zone, if there is one, and builds DS records.
  */
-static void
-importparentsig(dns_diff_t *diff, dns_name_t *name, dns_rdataset_t *set) {
-	dns_db_t *newdb = NULL;
-	dns_dbnode_t *newnode = NULL;
-	dns_rdataset_t newset, sigset;
-	dns_rdata_t rdata = DNS_RDATA_INIT, newrdata = DNS_RDATA_INIT;
+static isc_result_t
+loadds(dns_name_t *name, isc_uint32_t ttl, dns_rdataset_t *dsset) {
+	dns_db_t *db = NULL;
+	dns_dbversion_t *ver = NULL;
+	dns_dbnode_t *node = NULL;
 	isc_result_t result;
+	dns_rdataset_t keyset;
+	dns_rdata_t key, ds;
+	unsigned char dsbuf[DNS_DS_BUFFERSIZE];
+	dns_diff_t diff;
+	dns_difftuple_t *tuple = NULL;
 
-	dns_rdataset_init(&newset);
-	dns_rdataset_init(&sigset);
-
-	opendb("signedkey-", name, dns_db_class(gdb), &newdb);
-	if (newdb == NULL)
-		return;
-
-	result = dns_db_findnode(newdb, name, ISC_FALSE, &newnode);
-	if (result != ISC_R_SUCCESS)
-		goto failure;
-	result = dns_db_findrdataset(newdb, newnode, NULL, dns_rdatatype_key,
-				     0, 0, &newset, &sigset);
-	if (result != ISC_R_SUCCESS)
-		goto failure;
-
-	if (!dns_rdataset_isassociated(&newset) ||
-	    !dns_rdataset_isassociated(&sigset))
-		goto failure;
+	opendb("keyset-", name, gclass, &db);
+	if (db == NULL)
+		return (ISC_R_NOTFOUND);
 
-	if (dns_rdataset_count(set) != dns_rdataset_count(&newset)) {
-		result = DNS_R_BADDB;
-		goto failure;
+	result = dns_db_findnode(db, name, ISC_FALSE, &node);
+	if (result != ISC_R_SUCCESS) {
+		dns_db_detach(&db);
+		return (DNS_R_BADDB);
 	}
-
-	result = dns_rdataset_first(set);
-	check_result(result, "dns_rdataset_first()");
-	for (; result == ISC_R_SUCCESS; result = dns_rdataset_next(set)) {
-		dns_rdataset_current(set, &rdata);
-		result = dns_rdataset_first(&newset);
-		check_result(result, "dns_rdataset_first()");
-		for (;
-		     result == ISC_R_SUCCESS;
-		     result = dns_rdataset_next(&newset))
-		{
-			dns_rdataset_current(&newset, &newrdata);
-			if (dns_rdata_compare(&rdata, &newrdata) == 0)
-				break;
-			dns_rdata_reset(&newrdata);
-		}
-		dns_rdata_reset(&newrdata);
-		dns_rdata_reset(&rdata);
-		if (result != ISC_R_SUCCESS)
-			break;
+	dns_rdataset_init(&keyset);
+	result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_dnskey, 0, 0,
+				     &keyset, NULL);
+	if (result != ISC_R_SUCCESS) {
+		dns_db_detachnode(db, &node);
+		dns_db_detach(&db);
+		return (result);
 	}
-	if (result != ISC_R_NOMORE)
-		goto failure;
 
-	vbprintf(2, "found the parent's signature of our zone key\n");
+	vbprintf(2, "found KEY records\n");
 
-	result = dns_rdataset_first(&sigset);
-	while (result == ISC_R_SUCCESS) {
-		dns_difftuple_t *tuple = NULL;
+	result = dns_db_newversion(db, &ver);
+	check_result(result, "dns_db_newversion");
 
-		dns_rdataset_current(&sigset, &rdata);
-		result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, name, 
-					      sigset.ttl, &rdata, &tuple);
+	dns_diff_init(mctx, &diff);
+
+	for (result = dns_rdataset_first(&keyset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&keyset))
+	{
+		dns_rdata_init(&key);
+		dns_rdata_init(&ds);
+		dns_rdataset_current(&keyset, &key);
+		result = dns_ds_buildrdata(name, &key, DNS_DSDIGEST_SHA1,
+					   dsbuf, &ds);
+		check_result(result, "dns_ds_buildrdata");
+
+		result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, name,
+					      ttl, &ds, &tuple);
 		check_result(result, "dns_difftuple_create");
-		dns_diff_append(diff, &tuple);
-		result = dns_rdataset_next(&sigset);
-		dns_rdata_reset(&rdata);
+		dns_diff_append(&diff, &tuple);
 	}
-	if (result == ISC_R_NOMORE)
-		result = ISC_R_SUCCESS;
-
- failure:
-	if (dns_rdataset_isassociated(&newset))
-		dns_rdataset_disassociate(&newset);
-	if (dns_rdataset_isassociated(&sigset))
-		dns_rdataset_disassociate(&sigset);
-	if (newnode != NULL)
-		dns_db_detachnode(newdb, &newnode);
-	if (newdb != NULL)
-		dns_db_detach(&newdb);
-	if (result != ISC_R_SUCCESS)
-		fatal("zone signedkey file is invalid or does not match zone");
-}
-
-/*
- * Looks for our signatures of child keys.  If present, inform the caller.
- */
-static isc_boolean_t
-haschildkey(dns_name_t *name) {
-	dns_db_t *newdb = NULL;
-	dns_dbnode_t *newnode = NULL;
-	dns_rdataset_t set, sigset;
-	dns_rdata_t sigrdata = DNS_RDATA_INIT;
-	isc_result_t result;
-	isc_boolean_t found = ISC_FALSE;
-	dns_rdata_sig_t sig;
-	signer_key_t *key;
-
-	dns_rdataset_init(&set);
-	dns_rdataset_init(&sigset);
-
-	opendb("signedkey-", name, dns_db_class(gdb), &newdb);
-	if (newdb == NULL)
-		return (ISC_FALSE);
-
-	result = dns_db_findnode(newdb, name, ISC_FALSE, &newnode);
-	if (result != ISC_R_SUCCESS)
-		goto failure;
-	result = dns_db_findrdataset(newdb, newnode, NULL, dns_rdatatype_key,
-				     0, 0, &set, &sigset);
-	if (result != ISC_R_SUCCESS)
-		goto failure;
-
-	if (!dns_rdataset_isassociated(&set) ||
-	    !dns_rdataset_isassociated(&sigset))
-		goto failure;
+	result = dns_diff_apply(&diff, db, ver);
+	check_result(result, "dns_diff_apply");
+	dns_diff_clear(&diff);
 
-	result = dns_rdataset_first(&sigset);
-	check_result(result, "dns_rdataset_first()");
-	dns_rdata_init(&sigrdata);
-	for (; result == ISC_R_SUCCESS; result = dns_rdataset_next(&sigset)) {
-		dns_rdataset_current(&sigset, &sigrdata);
-		result = dns_rdata_tostruct(&sigrdata, &sig, NULL);
-		if (result != ISC_R_SUCCESS)
-			goto failure;
-		key = keythatsigned(&sig);
-		dns_rdata_freestruct(&sig);
-		if (key == NULL) {
-			char namestr[DNS_NAME_FORMATSIZE];
-			dns_name_format(name, namestr, sizeof namestr);
-			fprintf(stderr,
-				"creating KEY from signedkey file for %s: "
-				"%s\n",
-				namestr, isc_result_totext(result));
-			goto failure;
-		}
-		result = dns_dnssec_verify(name, &set, key->key,
-					   ISC_FALSE, mctx, &sigrdata);
-		if (result == ISC_R_SUCCESS) {
-			found = ISC_TRUE;
-			break;
-		} else {
-			char namestr[DNS_NAME_FORMATSIZE];
-			dns_name_format(name, namestr, sizeof namestr);
-			fprintf(stderr,
-				"verifying SIG in signedkey file for %s: %s\n",
-				namestr, isc_result_totext(result));
-		}
-		dns_rdata_reset(&sigrdata);
-	}
+	dns_db_closeversion(db, &ver, ISC_TRUE);
 
- failure:
-	if (dns_rdataset_isassociated(&set))
-		dns_rdataset_disassociate(&set);
-	if (dns_rdataset_isassociated(&sigset))
-		dns_rdataset_disassociate(&sigset);
-	if (newnode != NULL)
-		dns_db_detachnode(newdb, &newnode);
-	if (newdb != NULL)
-		dns_db_detach(&newdb);
+	result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_ds, 0, 0,
+				     dsset, NULL);
+	check_result(result, "dns_db_findrdataset");
 
-	return (found);
+	dns_rdataset_disassociate(&keyset);
+	dns_db_detachnode(db, &node);
+	dns_db_detach(&db);
+	return (result);
 }
 
-/*
- * There probably should be a dns_nxt_setbit, but it can get complicated if
- * the length of the bit set needs to be increased.  In this case, since the
- * NXT bit is set and both SIG and KEY are less than NXT, the easy way works.
- */
-static void
-nxt_setbit(dns_rdataset_t *rdataset, dns_rdatatype_t type) {
+static isc_boolean_t
+nsec_setbit(dns_name_t *name, dns_rdataset_t *rdataset, dns_rdatatype_t type,
+	   unsigned int val)
+{
 	isc_result_t result;
 	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dns_rdata_nxt_t nxt;
+	dns_rdata_nsec_t nsec;
+	unsigned int newlen;
+	unsigned char bitmap[8192 + 512];
+	unsigned char nsecdata[8192 + 512 + DNS_NAME_MAXWIRE];
+	isc_boolean_t answer = ISC_FALSE;
+	unsigned int i, len, window;
+	int octet;
 
 	result = dns_rdataset_first(rdataset);
 	check_result(result, "dns_rdataset_first()");
 	dns_rdataset_current(rdataset, &rdata);
-	result = dns_rdata_tostruct(&rdata, &nxt, NULL);
+	result = dns_rdata_tostruct(&rdata, &nsec, NULL);
 	check_result(result, "dns_rdata_tostruct");
-	set_bit(nxt.typebits, type, 1);
-	dns_rdata_freestruct(&nxt);
-}
 
-static void
-createnullkey(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
-	      dns_ttl_t ttl)
-{
-	unsigned char keydata[4];
-	dns_rdata_t keyrdata = DNS_RDATA_INIT;
-	dns_rdata_key_t key;
-	dns_diff_t diff;
-	dns_difftuple_t *tuple = NULL;
-	isc_buffer_t b;
-	isc_result_t result;
-	char namestr[DNS_NAME_FORMATSIZE];
+	INSIST(nsec.len <= sizeof(bitmap));
 
-	dns_name_format(name, namestr, sizeof namestr);
-	vbprintf(2, "adding null key at %s\n", namestr);
-
-	key.common.rdclass = dns_db_class(db);
-	key.common.rdtype = dns_rdatatype_key;
-	ISC_LINK_INIT(&key.common, link);
-	key.mctx = NULL;
-	key.flags = DNS_KEYTYPE_NOKEY | DNS_KEYOWNER_ZONE;
-	key.protocol = DNS_KEYPROTO_DNSSEC;
-	key.algorithm = DNS_KEYALG_DSA;
-	key.datalen = 0;
-	key.data = NULL;
-	isc_buffer_init(&b, keydata, sizeof keydata);
-	result = dns_rdata_fromstruct(&keyrdata, dns_db_class(db),
-				      dns_rdatatype_key, &key, &b);
-	if (result != ISC_R_SUCCESS)
-		fatal("failed to build null key");
+	newlen = 0;
 
-	dns_diff_init(mctx, &diff);
+	memset(bitmap, 0, sizeof(bitmap));
+	for (i = 0; i < nsec.len; i += len) {
+		INSIST(i + 2 <= nsec.len);
+		window = nsec.typebits[i];
+		len = nsec.typebits[i+1];
+		i += 2;
+		INSIST(len > 0 && len <= 32);
+		INSIST(i + len <= nsec.len);
+		memmove(&bitmap[window * 32 + 512], &nsec.typebits[i], len);
+	}
+	set_bit(bitmap + 512, type, val);
+	for (window = 0; window < 256; window++) {
+		for (octet = 31; octet >= 0; octet--)
+			if (bitmap[window * 32 + 512 + octet] != 0)
+				break;
+		if (octet < 0)
+			continue;
+		bitmap[newlen] = window;
+		bitmap[newlen + 1] = octet + 1;
+		newlen += 2;
+		/*
+		 * Overlapping move.
+		 */
+		memmove(&bitmap[newlen], &bitmap[window * 32 + 512], octet + 1);
+		newlen += octet + 1;
+	}
+	if (newlen != nsec.len ||
+	    memcmp(nsec.typebits, bitmap, newlen) != 0) {
+		dns_rdata_t newrdata = DNS_RDATA_INIT;
+		isc_buffer_t b;
+		dns_diff_t diff;
+		dns_difftuple_t *tuple = NULL;
 
-	result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, name, ttl,
-				      &keyrdata, &tuple);
-	check_result(result, "dns_difftuple_create");
+		dns_diff_init(mctx, &diff);
+		result = dns_difftuple_create(mctx, DNS_DIFFOP_DEL, name,
+					      rdataset->ttl, &rdata, &tuple);
+		check_result(result, "dns_difftuple_create");
+		dns_diff_append(&diff, &tuple);
+
+		nsec.typebits = bitmap;
+		nsec.len = newlen;
+		isc_buffer_init(&b, nsecdata, sizeof(nsecdata));
+		result = dns_rdata_fromstruct(&newrdata, rdata.rdclass,
+					      dns_rdatatype_nsec, &nsec,
+					      &b);
+		check_result(result, "dns_rdata_fromstruct");
+
+		result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD,
+					      name, rdataset->ttl,
+					      &newrdata, &tuple);
+		check_result(result, "dns_difftuple_create");
+		dns_diff_append(&diff, &tuple);
+		result = dns_diff_apply(&diff, gdb, gversion);
+		check_result(result, "dns_difftuple_apply");
+		dns_diff_clear(&diff);
+		answer = ISC_TRUE;
+	}
+	dns_rdata_freestruct(&nsec);
+	return (answer);
+}
 
-	dns_diff_append(&diff, &tuple);
+static isc_boolean_t
+delegation(dns_name_t *name, dns_dbnode_t *node, isc_uint32_t *ttlp) {
+	dns_rdataset_t nsset;
+	isc_result_t result;
 
-	result = dns_diff_apply(&diff, db, version);
-	check_result(result, "dns_diff_apply");
+	if (dns_name_equal(name, gorigin))
+		return (ISC_FALSE);
 
-	dns_diff_clear(&diff);
+	dns_rdataset_init(&nsset);
+	result = dns_db_findrdataset(gdb, node, gversion, dns_rdatatype_ns,
+				     0, 0, &nsset, NULL);
+	if (dns_rdataset_isassociated(&nsset)) {
+		if (ttlp != NULL)
+			*ttlp = nsset.ttl;
+		dns_rdataset_disassociate(&nsset);
+	}
+
+	return (ISC_TF(result == ISC_R_SUCCESS));
 }
 
 /*
  * Signs all records at a name.  This mostly just signs each set individually,
- * but also adds the SIG bit to any NXTs generated earlier, deals with
+ * but also adds the SIG bit to any NSECs generated earlier, deals with
  * parent/child KEY signatures, and handles other exceptional cases.
  */
 static void
@@ -783,96 +762,95 @@ signname(dns_dbnode_t *node, dns_name_t *name) {
 	dns_rdataset_t rdataset;
 	dns_rdatasetiter_t *rdsiter;
 	isc_boolean_t isdelegation = ISC_FALSE;
-	isc_boolean_t childkey = ISC_FALSE;
-	static int warnwild = 0;
+	isc_boolean_t hasds = ISC_FALSE;
 	isc_boolean_t atorigin;
-	isc_boolean_t neednullkey = ISC_FALSE;
+	isc_boolean_t changed = ISC_FALSE;
 	dns_diff_t diff;
+	char namestr[DNS_NAME_FORMATSIZE];
+	isc_uint32_t nsttl = 0;
 
-	if (dns_name_iswildcard(name)) {
-		char namestr[DNS_NAME_FORMATSIZE];
-		dns_name_format(name, namestr, sizeof namestr);
-		if (warnwild++ == 0) {
-			fprintf(stderr, "%s: warning: BIND 9 doesn't properly "
-				"handle wildcards in secure zones:\n",
-				program);
-			fprintf(stderr, "\t- wildcard nonexistence proof is "
-				"not generated by the server\n");
-			fprintf(stderr, "\t- wildcard nonexistence proof is "
-				"not required by the resolver\n");
-		}
-		fprintf(stderr, "%s: warning: wildcard name seen: %s\n",
-			program, namestr);
-	}
+	dns_name_format(name, namestr, sizeof(namestr));
 
 	atorigin = dns_name_equal(name, gorigin);
 
 	/*
-	 * If this is not the origin, determine if it's a delegation point.
+	 * Determine if this is a delegation point.
 	 */
-	if (!atorigin) {
-		dns_rdataset_t nsset;
-
-		dns_rdataset_init(&nsset);
-		result = dns_db_findrdataset(gdb, node, gversion,
-					     dns_rdatatype_ns, 0, 0, &nsset,
-					     NULL);
-		/* Is this a delegation point? */
-		if (result == ISC_R_SUCCESS) {
-			isdelegation = ISC_TRUE;
-			dns_rdataset_disassociate(&nsset);
-		}
-	}
+	if (delegation(name, node, &nsttl))
+		isdelegation = ISC_TRUE;
 
 	/*
-	 * If this is a delegation point, determine if we need to generate
-	 * a null key.
+	 * If this is a delegation point, look for a DS set.
 	 */
 	if (isdelegation) {
-		dns_rdataset_t keyset;
-		dns_ttl_t nullkeyttl;
+		dns_rdataset_t dsset;
+		dns_rdataset_t sigdsset;
 
-		childkey = haschildkey(name);
-		neednullkey = ISC_TRUE;
-		nullkeyttl = zonettl;
-
-		dns_rdataset_init(&keyset);
+		dns_rdataset_init(&dsset);
+		dns_rdataset_init(&sigdsset);
 		result = dns_db_findrdataset(gdb, node, gversion,
-					     dns_rdatatype_key, 0, 0, &keyset,
-					     NULL);
-		if (result == ISC_R_SUCCESS && childkey) {
-			char namestr[DNS_NAME_FORMATSIZE];
-			dns_name_format(name, namestr, sizeof namestr);
-			if (hasnullkey(&keyset)) {
-				fatal("%s has both a signedkey file and "
-				      "null keys in the zone.  Aborting.",
-				      namestr);
-			}
-			vbprintf(2, "child key for %s found\n", namestr);
-			neednullkey = ISC_FALSE;
-			dns_rdataset_disassociate(&keyset);
-		}
-		else if (result == ISC_R_SUCCESS) {
-			if (hasnullkey(&keyset))
-				neednullkey = ISC_FALSE;
-			nullkeyttl = keyset.ttl;
-			dns_rdataset_disassociate(&keyset);
-		} else if (childkey) {
-			char namestr[DNS_NAME_FORMATSIZE];
-			dns_name_format(name, namestr, sizeof namestr);
-			vbprintf(2, "child key for %s found\n", namestr);
-			neednullkey = ISC_FALSE;
+					     dns_rdatatype_ds,
+					     0, 0, &dsset, &sigdsset);
+		if (result == ISC_R_SUCCESS) {
+			dns_rdataset_disassociate(&dsset);
+			if (generateds) {
+				result = dns_db_deleterdataset(gdb, node,
+							       gversion,
+							       dns_rdatatype_ds,
+							       0);
+				check_result(result, "dns_db_deleterdataset");
+			} else
+				hasds = ISC_TRUE;
 		}
+		if (generateds) {
+			result = loadds(name, nsttl, &dsset);
+			if (result == ISC_R_SUCCESS) {
+				result = dns_db_addrdataset(gdb, node,
+							    gversion, 0,
+							    &dsset, 0, NULL);
+				check_result(result, "dns_db_addrdataset");
+				hasds = ISC_TRUE;
+				dns_rdataset_disassociate(&dsset);
+				if (dns_rdataset_isassociated(&sigdsset))
+					dns_rdataset_disassociate(&sigdsset);
+			} else if (dns_rdataset_isassociated(&sigdsset)) {
+				result = dns_db_deleterdataset(gdb, node,
+							       gversion,
+							       dns_rdatatype_rrsig,
+							       dns_rdatatype_ds);
+				check_result(result, "dns_db_deleterdataset");
+				dns_rdataset_disassociate(&sigdsset);
+			}
+		} else if (dns_rdataset_isassociated(&sigdsset))
+			dns_rdataset_disassociate(&sigdsset);
+	}
 
-		if (neednullkey)
-			createnullkey(gdb, gversion, name, nullkeyttl);
+	/*
+	 * Make sure that NSEC bits are appropriately set.
+	 */
+	dns_rdataset_init(&rdataset);
+	RUNTIME_CHECK(dns_db_findrdataset(gdb, node, gversion,
+					  dns_rdatatype_nsec, 0, 0, &rdataset,
+					  NULL) == ISC_R_SUCCESS);
+	if (!nokeys)
+		changed = nsec_setbit(name, &rdataset, dns_rdatatype_rrsig, 1);
+	if (changed) {
+		dns_rdataset_disassociate(&rdataset);
+		RUNTIME_CHECK(dns_db_findrdataset(gdb, node, gversion,
+						  dns_rdatatype_nsec, 0, 0,
+						  &rdataset,
+						  NULL) == ISC_R_SUCCESS);
 	}
+	if (hasds)
+		(void)nsec_setbit(name, &rdataset, dns_rdatatype_ds, 1);
+	else
+		(void)nsec_setbit(name, &rdataset, dns_rdatatype_ds, 0);
+	dns_rdataset_disassociate(&rdataset);
 
 	/*
 	 * Now iterate through the rdatasets.
 	 */
 	dns_diff_init(mctx, &diff);
-	dns_rdataset_init(&rdataset);
 	rdsiter = NULL;
 	result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter);
 	check_result(result, "dns_db_allrdatasets()");
@@ -881,33 +859,30 @@ signname(dns_dbnode_t *node, dns_name_t *name) {
 		dns_rdatasetiter_current(rdsiter, &rdataset);
 
 		/* If this is a SIG set, skip it. */
-		if (rdataset.type == dns_rdatatype_sig)
-			goto skip;
-
-		/*
-		 * If this is a KEY set at the apex, look for a signedkey file.
-		 */
-		if (atorigin && rdataset.type == dns_rdatatype_key) {
-			importparentsig(&diff, name, &rdataset);
+		if (rdataset.type == dns_rdatatype_rrsig)
 			goto skip;
-		}
 
 		/*
 		 * If this name is a delegation point, skip all records
-		 * except an NXT set a KEY set containing a null key.
+		 * except NSEC and DS sets.  Otherwise check that there
+		 * isn't a DS record.
 		 */
 		if (isdelegation) {
-			if (!(rdataset.type == dns_rdatatype_nxt ||
-			      (rdataset.type == dns_rdatatype_key &&
-			       hasnullkey(&rdataset))))
+			if (rdataset.type != dns_rdatatype_nsec &&
+			    rdataset.type != dns_rdatatype_ds)
 				goto skip;
-		}
-
-		if (rdataset.type == dns_rdatatype_nxt) {
-			if (!nokeys)
-				nxt_setbit(&rdataset, dns_rdatatype_sig);
-			if (neednullkey)
-				nxt_setbit(&rdataset, dns_rdatatype_key);
+#if 0
+		/*
+	 	 * The current draft allows DS not at a zone cut.
+		 * This is a bad idea.  Update once the RFC is published.
+		 * XXXMPA.
+		 */
+		} else if (rdataset.type == dns_rdatatype_ds) {
+			char namebuf[DNS_NAME_FORMATSIZE];
+			dns_name_format(name, namebuf, sizeof(namebuf));
+			fatal("'%s': found DS RRset without NS RRset\n",
+			      namebuf);
+#endif
 		}
 
 		signset(&diff, node, name, &rdataset);
@@ -916,21 +891,17 @@ signname(dns_dbnode_t *node, dns_name_t *name) {
 		dns_rdataset_disassociate(&rdataset);
 		result = dns_rdatasetiter_next(rdsiter);
 	}
-	if (result != ISC_R_NOMORE) {
-		char namestr[DNS_NAME_FORMATSIZE];
-		dns_name_format(name, namestr, sizeof namestr);
+	if (result != ISC_R_NOMORE)
 		fatal("rdataset iteration for name '%s' failed: %s",
 		      namestr, isc_result_totext(result));
-	}
+
 	dns_rdatasetiter_destroy(&rdsiter);
 
-	result = dns_diff_apply(&diff, gdb, gversion);
-	if (result != ISC_R_SUCCESS) {
-		char namestr[DNS_NAME_FORMATSIZE];
-		dns_name_format(name, namestr, sizeof namestr);
+	result = dns_diff_applysilently(&diff, gdb, gversion);
+	if (result != ISC_R_SUCCESS)
 		fatal("failed to add SIGs at node '%s': %s",
 		      namestr, isc_result_totext(result));
-	}
+
 	dns_diff_clear(&diff);
 }
 
@@ -948,7 +919,7 @@ active_node(dns_dbnode_t *node) {
 	result = dns_rdatasetiter_first(rdsiter);
 	while (result == ISC_R_SUCCESS) {
 		dns_rdatasetiter_current(rdsiter, &rdataset);
-		if (rdataset.type != dns_rdatatype_nxt)
+		if (rdataset.type != dns_rdatatype_nsec)
 			active = ISC_TRUE;
 		dns_rdataset_disassociate(&rdataset);
 		if (!active)
@@ -963,10 +934,10 @@ active_node(dns_dbnode_t *node) {
 
 	if (!active) {
 		/*
-		 * Make sure there is no NXT record for this node.
+		 * Make sure there is no NSEC record for this node.
 		 */
 		result = dns_db_deleterdataset(gdb, node, gversion,
-					       dns_rdatatype_nxt, 0);
+					       dns_rdatatype_nsec, 0);
 		if (result == DNS_R_UNCHANGED)
 			result = ISC_R_SUCCESS;
 		check_result(result, "dns_db_deleterdataset");
@@ -975,51 +946,6 @@ active_node(dns_dbnode_t *node) {
 	return (active);
 }
 
-static inline isc_result_t
-next_active(dns_name_t *name, dns_dbnode_t **nodep) {
-	isc_result_t result;
-	isc_boolean_t active;
-
-	do {
-		active = ISC_FALSE;
-		result = dns_dbiterator_current(gdbiter, nodep, name);
-		if (result == ISC_R_SUCCESS) {
-			active = active_node(*nodep);
-			if (!active) {
-				dns_db_detachnode(gdb, nodep);
-				result = dns_dbiterator_next(gdbiter);
-			}
-		}
-	} while (result == ISC_R_SUCCESS && !active);
-
-	return (result);
-}
-
-static inline isc_result_t
-next_nonglue(dns_name_t *name, dns_dbnode_t **nodep, dns_name_t *origin,
-	     dns_name_t *lastcut)
-{
-	isc_result_t result;
-
-	do {
-		result = next_active(name, nodep);
-		if (result == ISC_R_SUCCESS) {
-			if (dns_name_issubdomain(name, origin) &&
-			    (lastcut == NULL ||
-			     !dns_name_issubdomain(name, lastcut)))
-				return (ISC_R_SUCCESS);
-			result = dns_master_dumpnodetostream(mctx, gdb,
-							     gversion,
-							     *nodep, name,
-							     masterstyle, fp);
-			check_result(result, "dns_master_dumpnodetostream");
-			dns_db_detachnode(gdb, nodep);
-			result = dns_dbiterator_next(gdbiter);
-		}
-	} while (result == ISC_R_SUCCESS);
-	return (result);
-}
-
 /*
  * Extracts the TTL from the SOA.
  */
@@ -1030,19 +956,24 @@ soattl(void) {
 	dns_name_t *name;
 	isc_result_t result;
 	dns_ttl_t ttl;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdata_soa_t soa;
 
 	dns_fixedname_init(&fname);
 	name = dns_fixedname_name(&fname);
 	dns_rdataset_init(&soaset);
 	result = dns_db_find(gdb, gorigin, gversion, dns_rdatatype_soa,
 			     0, 0, NULL, name, &soaset, NULL);
-	if (result != ISC_R_SUCCESS) {
-		char namestr[DNS_NAME_FORMATSIZE];
-		dns_name_format(name, namestr, sizeof namestr);
-		fatal("failed to find '%s SOA' in the zone: %s",
-		      namestr, isc_result_totext(result));
-	}
-	ttl = soaset.ttl;
+	if (result != ISC_R_SUCCESS)
+		fatal("failed to find an SOA at the zone apex: %s",
+		      isc_result_totext(result));
+
+	result = dns_rdataset_first(&soaset);
+	check_result(result, "dns_rdataset_first");
+	dns_rdataset_current(&soaset, &rdata);
+	result = dns_rdata_tostruct(&rdata, &soa, NULL);
+	check_result(result, "dns_rdata_tostruct");
+	ttl = soa.minimum;
 	dns_rdataset_disassociate(&soaset);
 	return (ttl);
 }
@@ -1064,7 +995,7 @@ cleannode(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node) {
 		isc_boolean_t destroy = ISC_FALSE;
 		dns_rdatatype_t covers = 0;
 		dns_rdatasetiter_current(rdsiter, &set);
-		if (set.type == dns_rdatatype_sig) {
+		if (set.type == dns_rdatatype_rrsig) {
 			covers = set.covers;
 			destroy = ISC_TRUE;
 		}
@@ -1072,7 +1003,7 @@ cleannode(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node) {
 		result = dns_rdatasetiter_next(rdsiter);
 		if (destroy) {
 			dresult = dns_db_deleterdataset(db, node, version,
-							dns_rdatatype_sig,
+							dns_rdatatype_rrsig,
 							covers);
 			check_result(dresult, "dns_db_deleterdataset");
 		}
@@ -1096,11 +1027,6 @@ presign(void) {
 
 	result = dns_dbiterator_first(gdbiter);
 	check_result(result, "dns_dbiterator_first()");
-
-	lastzonecut = NULL;
-
-	zonettl = soattl();
-
 }
 
 /*
@@ -1108,129 +1034,75 @@ presign(void) {
  */
 static void
 postsign(void) {
-	if (lastzonecut != NULL) {
-		dns_name_free(lastzonecut, mctx);
-		isc_mem_put(mctx, lastzonecut, sizeof(dns_name_t));
-	}
 	dns_dbiterator_destroy(&gdbiter);
 }
 
 /*
- * Find the next name to nxtify & sign
- */
-static isc_result_t
-getnextname(dns_name_t *name, dns_name_t *nextname, dns_dbnode_t **nodep) {
-	isc_result_t result;
-	dns_dbnode_t *nextnode, *curnode;
-
-	LOCK(&namelock);
-
-	if (shuttingdown || finished) {
-		result = ISC_R_NOMORE;
-		if (gnode != NULL)
-			dns_db_detachnode(gdb, &gnode);
-		goto out;
-	}
-
-	if (gnode == NULL) {
-		dns_fixedname_t ftname;
-		dns_name_t *tname;
-
-		dns_fixedname_init(&ftname);
-		tname = dns_fixedname_name(&ftname);
-
-		result = next_nonglue(tname, &gnode, gorigin, lastzonecut);
-		if (result != ISC_R_SUCCESS)
-			fatal("failed to iterate through the zone");
-	}
-
-	nextnode = NULL;
-	curnode = NULL;
-	dns_dbiterator_current(gdbiter, &curnode, name);
-	if (!dns_name_equal(name, gorigin)) {
-		dns_rdatasetiter_t *rdsiter = NULL;
-		dns_rdataset_t set;
-
-		dns_rdataset_init(&set);
-		result = dns_db_allrdatasets(gdb, curnode, gversion, 0,
-					     &rdsiter);
-		check_result(result, "dns_db_allrdatasets");
-		result = dns_rdatasetiter_first(rdsiter);
-		while (result == ISC_R_SUCCESS) {
-			dns_rdatasetiter_current(rdsiter, &set);
-			if (set.type == dns_rdatatype_ns) {
-				dns_rdataset_disassociate(&set);
-				break;
-			}
-			dns_rdataset_disassociate(&set);
-			result = dns_rdatasetiter_next(rdsiter);
-		}
-		if (result != ISC_R_SUCCESS && result != ISC_R_NOMORE)
-			fatal("rdataset iteration failed: %s",
-			      isc_result_totext(result));
-		if (result == ISC_R_SUCCESS) {
-			if (lastzonecut != NULL)
-				dns_name_free(lastzonecut, mctx);
-			else {
-				lastzonecut = isc_mem_get(mctx,
-							  sizeof(dns_name_t));
-				if (lastzonecut == NULL)
-					fatal("out of memory");
-			}
-			dns_name_init(lastzonecut, NULL);
-			result = dns_name_dup(name, mctx, lastzonecut);
-			check_result(result, "dns_name_dup()");
-		}
-		dns_rdatasetiter_destroy(&rdsiter);
-	}
-	result = dns_dbiterator_next(gdbiter);
-	if (result == ISC_R_SUCCESS)
-		result = next_nonglue(nextname, &nextnode, gorigin,
-				      lastzonecut);
-	if (result == ISC_R_NOMORE) {
-		dns_name_clone(gorigin, nextname);
-		finished = ISC_TRUE;
-		result = ISC_R_SUCCESS;
-	} else if (result != ISC_R_SUCCESS)
-		fatal("iterating through the database failed: %s",
-		      isc_result_totext(result));
-	dns_db_detachnode(gdb, &curnode);
-
-	*nodep = gnode;
-	gnode = nextnode;
-
- out:
-	UNLOCK(&namelock);
-	return (result);
-}
-
-/*
  * Assigns a node to a worker thread.  This is protected by the master task's
  * lock.
  */
 static void
 assignwork(isc_task_t *task, isc_task_t *worker) {
-	dns_fixedname_t *fname, *fnextname;
+	dns_fixedname_t *fname;
+	dns_name_t *name;
 	dns_dbnode_t *node;
 	sevent_t *sevent;
+	dns_rdataset_t nsec;
+	isc_boolean_t found;
 	isc_result_t result;
 
+	if (shuttingdown)
+		return;
+
+	if (finished) {
+		if (assigned == completed) {
+			isc_task_detach(&task);
+			isc_app_shutdown();
+		}
+		return;
+	}
+
 	fname = isc_mem_get(mctx, sizeof(dns_fixedname_t));
-	fnextname = isc_mem_get(mctx, sizeof(dns_fixedname_t));
-	if (fname == NULL || fnextname == NULL)
+	if (fname == NULL)
 		fatal("out of memory");
 	dns_fixedname_init(fname);
-	dns_fixedname_init(fnextname);
+	name = dns_fixedname_name(fname);
 	node = NULL;
-	result = getnextname(dns_fixedname_name(fname),
-			     dns_fixedname_name(fnextname), &node);
-	if (result == ISC_R_NOMORE) {
-		isc_mem_put(mctx, fname, sizeof(dns_fixedname_t));
-		isc_mem_put(mctx, fnextname, sizeof(dns_fixedname_t));
+	found = ISC_FALSE;
+	LOCK(&namelock);
+	while (!found) {
+		result = dns_dbiterator_current(gdbiter, &node, name);
+		if (result != ISC_R_SUCCESS)
+			fatal("failure iterating database: %s",
+			      isc_result_totext(result));
+		dns_rdataset_init(&nsec);
+		result = dns_db_findrdataset(gdb, node, gversion,
+					     dns_rdatatype_nsec, 0, 0,
+					     &nsec, NULL);
+		if (result == ISC_R_SUCCESS)
+			found = ISC_TRUE;
+		else
+			dumpnode(name, node);
+		if (dns_rdataset_isassociated(&nsec))
+			dns_rdataset_disassociate(&nsec);
+		if (!found)
+			dns_db_detachnode(gdb, &node);
+
+		result = dns_dbiterator_next(gdbiter);
+		if (result == ISC_R_NOMORE) {
+			finished = ISC_TRUE;
+			break;
+		} else if (result != ISC_R_SUCCESS)
+			fatal("failure iterating database: %s",
+			      isc_result_totext(result));
+	}
+	UNLOCK(&namelock);
+	if (!found) {
 		if (assigned == completed) {
 			isc_task_detach(&task);
 			isc_app_shutdown();
 		}
+		isc_mem_put(mctx, fname, sizeof(dns_fixedname_t));
 		return;
 	}
 	sevent = (sevent_t *)
@@ -1241,8 +1113,7 @@ assignwork(isc_task_t *task, isc_task_t *worker) {
 
 	sevent->node = node;
 	sevent->fname = fname;
-	sevent->fnextname = fnextname;
-	isc_task_send(worker, ISC_EVENT_PTR(&sevent));
+	isc_task_send(worker, (isc_event_t **) (void*) &sevent);
 	assigned++;
 }
 
@@ -1263,17 +1134,12 @@ startworker(isc_task_t *task, isc_event_t *event) {
  */
 static void
 writenode(isc_task_t *task, isc_event_t *event) {
-	isc_result_t result;
 	isc_task_t *worker;
 	sevent_t *sevent = (sevent_t *)event;
 
 	completed++;
 	worker = (isc_task_t *)event->ev_sender;
-	result = dns_master_dumpnodetostream(mctx, gdb, gversion,
-					     sevent->node,
-					     dns_fixedname_name(sevent->fname),
-					     masterstyle, fp);
-	check_result(result, "dns_master_dumpnodetostream");
+	dumpnode(dns_fixedname_name(sevent->fname), sevent->node);
 	cleannode(gdb, gversion, sevent->node);
 	dns_db_detachnode(gdb, &sevent->node);
 	isc_mem_put(mctx, sevent->fname, sizeof(dns_fixedname_t));
@@ -1282,25 +1148,19 @@ writenode(isc_task_t *task, isc_event_t *event) {
 }
 
 /*
- *  Sign and nxtify a database node.
+ *  Sign a database node.
  */
 static void
 sign(isc_task_t *task, isc_event_t *event) {
-	dns_fixedname_t *fname, *fnextname;
+	dns_fixedname_t *fname;
 	dns_dbnode_t *node;
 	sevent_t *sevent, *wevent;
-	isc_result_t result;
 
 	sevent = (sevent_t *)event;
 	node = sevent->node;
 	fname = sevent->fname;
-	fnextname = sevent->fnextname;
 	isc_event_free(&event);
 
-	result = dns_nxt_build(gdb, gversion, node,
-			       dns_fixedname_name(fnextname), zonettl);
-	check_result(result, "dns_nxt_build()");
-	isc_mem_put(mctx, fnextname, sizeof(dns_fixedname_t));
 	signname(node, dns_fixedname_name(fname));
 	wevent = (sevent_t *)
 		 isc_event_allocate(mctx, task, SIGNER_EVENT_WRITE,
@@ -1309,7 +1169,82 @@ sign(isc_task_t *task, isc_event_t *event) {
 		fatal("failed to allocate event\n");
 	wevent->node = node;
 	wevent->fname = fname;
-	isc_task_send(master, ISC_EVENT_PTR(&wevent));
+	isc_task_send(master, (isc_event_t **) (void*) &wevent);
+}
+
+/*
+ * Generate NSEC records for the zone.
+ */
+static void
+nsecify(void) {
+	dns_dbiterator_t *dbiter = NULL;
+	dns_dbnode_t *node = NULL, *nextnode = NULL;
+	dns_fixedname_t fname, fnextname, fzonecut;
+	dns_name_t *name, *nextname, *zonecut;
+	isc_boolean_t done = ISC_FALSE;
+	isc_result_t result;
+
+	dns_fixedname_init(&fname);
+	name = dns_fixedname_name(&fname);
+	dns_fixedname_init(&fnextname);
+	nextname = dns_fixedname_name(&fnextname);
+	dns_fixedname_init(&fzonecut);
+	zonecut = NULL;
+
+	result = dns_db_createiterator(gdb, ISC_FALSE, &dbiter);
+	check_result(result, "dns_db_createiterator()");
+
+	result = dns_dbiterator_first(dbiter);
+	check_result(result, "dns_dbiterator_first()");
+
+	while (!done) {
+		dns_dbiterator_current(dbiter, &node, name);
+		if (delegation(name, node, NULL)) {
+			zonecut = dns_fixedname_name(&fzonecut);
+			dns_name_copy(name, zonecut, NULL);
+		}
+		result = dns_dbiterator_next(dbiter);
+		nextnode = NULL;
+		while (result == ISC_R_SUCCESS) {
+			isc_boolean_t active = ISC_FALSE;
+			result = dns_dbiterator_current(dbiter, &nextnode,
+							nextname);
+			if (result != ISC_R_SUCCESS)
+				break;
+			active = active_node(nextnode);
+			if (!active) {
+				dns_db_detachnode(gdb, &nextnode);
+				result = dns_dbiterator_next(dbiter);
+				continue;
+			}
+			if (result != ISC_R_SUCCESS) {
+				dns_db_detachnode(gdb, &nextnode);
+				break;
+			}
+			if (!dns_name_issubdomain(nextname, gorigin) ||
+			    (zonecut != NULL &&
+			     dns_name_issubdomain(nextname, zonecut)))
+			{
+				dns_db_detachnode(gdb, &nextnode);
+				result = dns_dbiterator_next(dbiter);
+				continue;
+			}
+			dns_db_detachnode(gdb, &nextnode);
+			break;
+		}
+		if (result == ISC_R_NOMORE) {
+			dns_name_clone(gorigin, nextname);
+			done = ISC_TRUE;
+		} else if (result != ISC_R_SUCCESS)
+			fatal("iterating through the database failed: %s",
+			      isc_result_totext(result));
+		result = dns_nsec_build(gdb, gversion, node, nextname,
+					zonettl);
+		check_result(result, "dns_nsec_build()");
+		dns_db_detachnode(gdb, &node);
+	}
+
+	dns_dbiterator_destroy(&dbiter);
 }
 
 /*
@@ -1376,7 +1311,7 @@ loadzonekeys(dns_db_t *db) {
 	for (i = 0; i < nkeys; i++) {
 		signer_key_t *key;
 
-		key = newkeystruct(keys[i], ISC_FALSE);
+		key = newkeystruct(keys[i], ISC_TRUE);
 		ISC_LIST_APPEND(keylist, key, link);
 	}
 	dns_db_detachnode(db, &node);
@@ -1405,13 +1340,14 @@ loadzonepubkeys(dns_db_t *db) {
 
 	dns_rdataset_init(&rdataset);
 	result = dns_db_findrdataset(db, node, currentversion,
-				     dns_rdatatype_key, 0, 0, &rdataset, NULL);
+				     dns_rdatatype_dnskey, 0, 0, &rdataset, NULL);
 	if (result != ISC_R_SUCCESS)
 		fatal("failed to find keys at the zone apex: %s",
 		      isc_result_totext(result));
 	result = dns_rdataset_first(&rdataset);
 	check_result(result, "dns_rdataset_first");
 	while (result == ISC_R_SUCCESS) {
+		pubkey = NULL;
 		dns_rdata_reset(&rdata);
 		dns_rdataset_current(&rdataset, &rdata);
 		result = dns_dnssec_keyfromrdata(gorigin, &rdata, mctx,
@@ -1434,6 +1370,176 @@ loadzonepubkeys(dns_db_t *db) {
 }
 
 static void
+warnifallksk(dns_db_t *db) {
+	dns_dbversion_t *currentversion = NULL;
+	dns_dbnode_t *node = NULL;
+	dns_rdataset_t rdataset;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dst_key_t *pubkey;
+	isc_result_t result;
+	dns_rdata_key_t key;
+	isc_boolean_t have_non_ksk = ISC_FALSE;
+
+	dns_db_currentversion(db, &currentversion);
+
+	result = dns_db_findnode(db, gorigin, ISC_FALSE, &node);
+	if (result != ISC_R_SUCCESS)
+		fatal("failed to find the zone's origin: %s",
+		      isc_result_totext(result));
+
+	dns_rdataset_init(&rdataset);
+	result = dns_db_findrdataset(db, node, currentversion,
+				     dns_rdatatype_dnskey, 0, 0, &rdataset, NULL);
+	if (result != ISC_R_SUCCESS)
+		fatal("failed to find keys at the zone apex: %s",
+		      isc_result_totext(result));
+	result = dns_rdataset_first(&rdataset);
+	check_result(result, "dns_rdataset_first");
+	while (result == ISC_R_SUCCESS) {
+		pubkey = NULL;
+		dns_rdata_reset(&rdata);
+		dns_rdataset_current(&rdataset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &key, NULL);
+		check_result(result, "dns_rdata_tostruct");
+		if ((key.flags & DNS_KEYFLAG_KSK) == 0) {
+			have_non_ksk = ISC_TRUE;
+			result = ISC_R_NOMORE;
+		} else
+			result = dns_rdataset_next(&rdataset);
+	}
+	dns_rdataset_disassociate(&rdataset);
+	dns_db_detachnode(db, &node);
+	dns_db_closeversion(db, &currentversion, ISC_FALSE);
+	if (!have_non_ksk && !ignoreksk)
+		fprintf(stderr,
+	 "%s: warning: No non-KSK key found. Supply non-KSK key or use '-z'.\n",
+			program);
+}
+
+static void
+writeset(const char *prefix, dns_rdatatype_t type) {
+	char *filename;
+	char namestr[DNS_NAME_FORMATSIZE];
+	dns_db_t *db = NULL;
+	dns_dbversion_t *version = NULL;
+	dns_diff_t diff;
+	dns_difftuple_t *tuple = NULL;
+	dns_fixedname_t fixed;
+	dns_name_t *name;
+	dns_rdata_t rdata, ds;
+	isc_boolean_t have_ksk = ISC_FALSE;
+	isc_boolean_t have_non_ksk = ISC_FALSE;
+	isc_buffer_t b;
+	isc_buffer_t namebuf;
+	isc_region_t r;
+	isc_result_t result;
+	signer_key_t *key;
+	unsigned char dsbuf[DNS_DS_BUFFERSIZE];
+	unsigned char keybuf[DST_KEY_MAXSIZE];
+	unsigned int filenamelen;
+	const dns_master_style_t *style = 
+		(type == dns_rdatatype_dnskey) ? masterstyle : dsstyle;
+
+	isc_buffer_init(&namebuf, namestr, sizeof(namestr));
+	result = dns_name_tofilenametext(gorigin, ISC_FALSE, &namebuf);
+	check_result(result, "dns_name_tofilenametext");
+	isc_buffer_putuint8(&namebuf, 0);
+	filenamelen = strlen(prefix) + strlen(namestr);
+	if (directory != NULL)
+		filenamelen += strlen(directory) + 1;
+	filename = isc_mem_get(mctx, filenamelen + 1);
+	if (filename == NULL)
+		fatal("out of memory");
+	if (directory != NULL)
+		sprintf(filename, "%s/", directory);
+	else
+		filename[0] = 0;
+	strcat(filename, prefix);
+	strcat(filename, namestr);
+
+	dns_diff_init(mctx, &diff);
+
+	for (key = ISC_LIST_HEAD(keylist);
+	     key != NULL;
+	     key = ISC_LIST_NEXT(key, link))
+		if (!key->isksk) {
+			have_non_ksk = ISC_TRUE;
+			break;
+		}
+
+	for (key = ISC_LIST_HEAD(keylist);
+	     key != NULL;
+	     key = ISC_LIST_NEXT(key, link))
+		if (key->isksk) {
+			have_ksk = ISC_TRUE;
+			break;
+		}
+
+	if (type == dns_rdatatype_dlv) {
+		dns_name_t tname;
+		unsigned int labels;
+
+		dns_name_init(&tname, NULL);
+		dns_fixedname_init(&fixed);
+		name = dns_fixedname_name(&fixed);
+		labels = dns_name_countlabels(gorigin);
+		dns_name_getlabelsequence(gorigin, 0, labels - 1, &tname);
+		result = dns_name_concatenate(&tname, dlv, name, NULL);
+		check_result(result, "dns_name_concatenate");
+	} else
+		name = gorigin;
+
+	for (key = ISC_LIST_HEAD(keylist);
+	     key != NULL;
+	     key = ISC_LIST_NEXT(key, link))
+	{
+		if (have_ksk && have_non_ksk && !key->isksk)
+			continue;
+		dns_rdata_init(&rdata);
+		dns_rdata_init(&ds);
+		isc_buffer_init(&b, keybuf, sizeof(keybuf));
+		result = dst_key_todns(key->key, &b);
+		check_result(result, "dst_key_todns");
+		isc_buffer_usedregion(&b, &r);
+		dns_rdata_fromregion(&rdata, gclass, dns_rdatatype_dnskey, &r);
+		if (type != dns_rdatatype_dnskey) {
+			result = dns_ds_buildrdata(gorigin, &rdata,
+						   DNS_DSDIGEST_SHA1,
+						   dsbuf, &ds);
+			check_result(result, "dns_ds_buildrdata");
+			if (type == dns_rdatatype_dlv)
+				ds.type = dns_rdatatype_dlv;
+			result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD,
+						      name, 0, &ds, &tuple);
+		} else
+			result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD,
+						      gorigin, zonettl,
+						      &rdata, &tuple);
+		check_result(result, "dns_difftuple_create");
+		dns_diff_append(&diff, &tuple);
+	}
+
+	result = dns_db_create(mctx, "rbt", dns_rootname, dns_dbtype_zone,
+			       gclass, 0, NULL, &db);
+	check_result(result, "dns_db_create");
+
+	result = dns_db_newversion(db, &version);
+	check_result(result, "dns_db_newversion");
+
+	result = dns_diff_apply(&diff, db, version);
+	check_result(result, "dns_diff_apply");
+	dns_diff_clear(&diff);
+
+	result = dns_master_dump(mctx, db, version, style, filename);
+	check_result(result, "dns_master_dump");
+
+	isc_mem_put(mctx, filename, filenamelen + 1);
+
+	dns_db_closeversion(db, &version, ISC_FALSE);
+	dns_db_detach(&db);
+}
+
+static void
 print_time(FILE *fp) {
 	time_t currenttime;
 
@@ -1453,13 +1559,17 @@ usage(void) {
 
 	fprintf(stderr, "\n");
 
+	fprintf(stderr, "Version: %s\n", VERSION);
+
 	fprintf(stderr, "Options: (default value in parenthesis) \n");
 	fprintf(stderr, "\t-c class (IN)\n");
 	fprintf(stderr, "\t-d directory\n");
-	fprintf(stderr, "\t\tdirectory to find signedkey files (.)\n");
-	fprintf(stderr, "\t-s [YYYYMMDDHHMMSS|+offset]:\n");
-	fprintf(stderr, "\t\tSIG start time - absolute|offset (now)\n");
-	fprintf(stderr, "\t-e [YYYYMMDDHHMMSS|+offset|\"now\"+offset]:\n");
+	fprintf(stderr, "\t\tdirectory to find keyset files (.)\n");
+	fprintf(stderr, "\t-g:\t");
+	fprintf(stderr, "generate DS records from keyset files\n");
+	fprintf(stderr, "\t-s YYYYMMDDHHMMSS|+offset:\n");
+	fprintf(stderr, "\t\tSIG start time - absolute|offset (now - 1 hour)\n");
+	fprintf(stderr, "\t-e YYYYMMDDHHMMSS|+offset|\"now\"+offset]:\n");
 	fprintf(stderr, "\t\tSIG end time  - absolute|from start|from now "
 				"(now + 30 days)\n");
 	fprintf(stderr, "\t-i interval:\n");
@@ -1480,22 +1590,14 @@ usage(void) {
 	fprintf(stderr, "\t-t:\t");
 	fprintf(stderr, "print statistics\n");
 	fprintf(stderr, "\t-n ncpus (number of cpus present)\n");
+	fprintf(stderr, "\t-k key_signing_key\n");
+	fprintf(stderr, "\t-l lookasidezone\n");
 
 	fprintf(stderr, "\n");
 
 	fprintf(stderr, "Signing Keys: ");
 	fprintf(stderr, "(default: all zone keys that have private keys)\n");
 	fprintf(stderr, "\tkeyfile (Kname+alg+tag)\n");
-#ifndef ISC_RFC2535
-	fprintf(stderr,
-"WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING\n"
-"WARNING                                                         WARNING\n"
-"WARNING This version of dnssec-signzone produces zones that are WARNING\n"
-"WARNING incompatible with the forthcoming DS based DNSSEC       WARNING\n"
-"WARNING standard.                                               WARNING\n"
-"WARNING                                                         WARNING\n"
-"WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING\n");
-#endif
 	exit(0);
 }
 
@@ -1505,12 +1607,38 @@ removetempfile(void) {
 		isc_file_remove(tempfile);
 }
 
+static void
+print_stats(isc_time_t *timer_start, isc_time_t *timer_finish) {
+	isc_uint64_t runtime_us;   /* Runtime in microseconds */
+	isc_uint64_t runtime_ms;   /* Runtime in milliseconds */
+	isc_uint64_t sig_ms;	   /* Signatures per millisecond */
+
+	runtime_us = isc_time_microdiff(timer_finish, timer_start);
+
+	printf("Signatures generated:               %10d\n", nsigned);
+	printf("Signatures retained:                %10d\n", nretained);
+	printf("Signatures dropped:                 %10d\n", ndropped);
+	printf("Signatures successfully verified:   %10d\n", nverified);
+	printf("Signatures unsuccessfully verified: %10d\n", nverifyfailed);
+	runtime_ms = runtime_us / 1000;
+	printf("Runtime in seconds:                %7u.%03u\n", 
+	       (unsigned int) (runtime_ms / 1000), 
+	       (unsigned int) (runtime_ms % 1000));
+	if (runtime_us > 0) {
+		sig_ms = ((isc_uint64_t)nsigned * 1000000000) / runtime_us;
+		printf("Signatures per second:             %7u.%03u\n",
+		       (unsigned int) sig_ms / 1000, 
+		       (unsigned int) sig_ms % 1000);
+	}
+}
+
 int
 main(int argc, char *argv[]) {
 	int i, ch;
 	char *startstr = NULL, *endstr = NULL, *classname = NULL;
 	char *origin = NULL, *file = NULL, *output = NULL;
-	char *randomfile = NULL;
+	char *dskeyfile[MAXDSKEYS];
+	int ndskeys = 0;
 	char *endp;
 	isc_time_t timer_start, timer_finish;
 	signer_key_t *key;
@@ -1521,8 +1649,11 @@ main(int argc, char *argv[]) {
 	isc_boolean_t free_output = ISC_FALSE;
 	int tempfilelen;
 	dns_rdataclass_t rdclass;
-	isc_textregion_t r;
+	dns_db_t *udb = NULL;
 	isc_task_t **tasks = NULL;
+	isc_buffer_t b;
+	int len;
+
 	masterstyle = &dns_master_style_explicitttl;
 
 	check_result(isc_app_start(), "isc_app_start");
@@ -1534,21 +1665,38 @@ main(int argc, char *argv[]) {
 	dns_result_register();
 
 	while ((ch = isc_commandline_parse(argc, argv,
-					   "c:s:e:i:v:o:f:ahpr:td:n:"))
+					   "ac:d:e:f:ghi:k:l:n:o:pr:s:Stv:z"))
 	       != -1) {
 		switch (ch) {
+		case 'a':
+			tryverify = ISC_TRUE;
+			break;
+
 		case 'c':
 			classname = isc_commandline_argument;
 			break;
 
-		case 's':
-			startstr = isc_commandline_argument;
+		case 'd':
+			directory = isc_commandline_argument;
 			break;
 
 		case 'e':
 			endstr = isc_commandline_argument;
 			break;
 
+		case 'f':
+			output = isc_commandline_argument;
+			break;
+
+		case 'g':
+			generateds = ISC_TRUE;
+			break;
+
+		case 'h':
+		default:
+			usage();
+			break;
+
 		case 'i':
 			endp = NULL;
 			cycle = strtol(isc_commandline_argument, &endp, 0);
@@ -1557,75 +1705,76 @@ main(int argc, char *argv[]) {
 				      "positive");
 			break;
 
-		case 'p':
-			pseudorandom = ISC_TRUE;
+		case 'l': 
+			dns_fixedname_init(&dlv_fixed);
+			len = strlen(isc_commandline_argument);
+			isc_buffer_init(&b, isc_commandline_argument, len);
+			isc_buffer_add(&b, len);
+
+			dns_fixedname_init(&dlv_fixed);
+			dlv = dns_fixedname_name(&dlv_fixed);
+			result = dns_name_fromtext(dlv, &b, dns_rootname,
+						   ISC_FALSE, NULL);
+			check_result(result, "dns_name_fromtext(dlv)");
 			break;
 
-		case 'r':
-			randomfile = isc_commandline_argument;
+		case 'k':
+			if (ndskeys == MAXDSKEYS)
+				fatal("too many key-signing keys specified");
+			dskeyfile[ndskeys++] = isc_commandline_argument;
 			break;
 
-		case 'v':
+		case 'n':
 			endp = NULL;
-			verbose = strtol(isc_commandline_argument, &endp, 0);
-			if (*endp != '\0')
-				fatal("verbose level must be numeric");
+			ntasks = strtol(isc_commandline_argument, &endp, 0);
+			if (*endp != '\0' || ntasks > ISC_INT32_MAX)
+				fatal("number of cpus must be numeric");
 			break;
 
 		case 'o':
 			origin = isc_commandline_argument;
 			break;
 
-		case 'f':
-			output = isc_commandline_argument;
+		case 'p':
+			pseudorandom = ISC_TRUE;
 			break;
 
-		case 'a':
-			tryverify = ISC_TRUE;
+		case 'r':
+			setup_entropy(mctx, isc_commandline_argument, &ectx);
 			break;
 
-		case 't':
-			printstats = ISC_TRUE;
+		case 's':
+			startstr = isc_commandline_argument;
 			break;
 
-		case 'd':
-			directory = isc_commandline_argument;
+		case 'S':
+			/* This is intentionally undocumented */
+			/* -S: simple output style */
+			masterstyle = &dns_master_style_simple;
 			break;
 
-		case 'n':
-			endp = NULL;
-			ntasks = strtol(isc_commandline_argument, &endp, 0);
-			if (*endp != '\0' || ntasks > ISC_INT32_MAX)
-				fatal("number of cpus must be numeric");
+		case 't':
+			printstats = ISC_TRUE;
 			break;
 
-		case 'h':
-		default:
-			usage();
+		case 'v':
+			endp = NULL;
+			verbose = strtol(isc_commandline_argument, &endp, 0);
+			if (*endp != '\0')
+				fatal("verbose level must be numeric");
+			break;
 
+		case 'z':
+			ignoreksk = ISC_TRUE;
+			break;
 		}
 	}
 
-#ifndef ISC_RFC2535
-	fprintf(stderr,
-"WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING\n"
-"WARNING                                                         WARNING\n"
-"WARNING This version of dnssec-signzone produces zones that are WARNING\n"
-"WARNING incompatible with the forth coming DS based DNSSEC      WARNING\n"
-"WARNING standard.                                               WARNING\n"
-"WARNING                                                         WARNING\n"
-"WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING\n");
-#endif
-
-	setup_entropy(mctx, randomfile, &ectx);
+	if (ectx == NULL)
+		setup_entropy(mctx, NULL, &ectx);
 	eflags = ISC_ENTROPY_BLOCKING;
 	if (!pseudorandom)
 		eflags |= ISC_ENTROPY_GOODONLY;
-
-	result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
-	if (result != ISC_R_SUCCESS)
-		fatal("could not create hash context");
-
 	result = dst_lib_init(mctx, ectx, eflags);
 	if (result != ISC_R_SUCCESS)
 		fatal("could not initialize dst");
@@ -1635,7 +1784,7 @@ main(int argc, char *argv[]) {
 	if (startstr != NULL)
 		starttime = strtotime(startstr, now, now);
 	else
-		starttime = now;
+		starttime = now - 3600;  /* Allow for some clock skew. */
 
 	if (endstr != NULL)
 		endtime = strtotime(endstr, now, starttime);
@@ -1649,15 +1798,7 @@ main(int argc, char *argv[]) {
 		ntasks = isc_os_ncpus();
 	vbprintf(4, "using %d cpus\n", ntasks);
 
-
-	if (classname != NULL) {
-		r.base = classname;
-		r.length = strlen(classname);
-		result = dns_rdataclass_fromtext(&rdclass, &r);
-		if (result != ISC_R_SUCCESS)
-			fatal("unknown class %s",classname);
-	} else
-		rdclass = dns_rdataclass_in;
+	rdclass = strtoclass(classname);
 
 	setup_logging(verbose, mctx, &log);
 
@@ -1672,6 +1813,9 @@ main(int argc, char *argv[]) {
 	argc -= 1;
 	argv += 1;
 
+	if (origin == NULL)
+		origin = file;
+
 	if (output == NULL) {
 		free_output = ISC_TRUE;
 		output = isc_mem_allocate(mctx,
@@ -1681,26 +1825,22 @@ main(int argc, char *argv[]) {
 		sprintf(output, "%s.signed", file);
 	}
 
-	if (origin == NULL)
-		origin = file;
+	result = dns_master_stylecreate(&dsstyle,  DNS_STYLEFLAG_NO_TTL,
+					0, 24, 0, 0, 0, 8, mctx);
+	check_result(result, "dns_master_stylecreate");
+					
 
 	gdb = NULL;
-	isc_time_now(&timer_start);
+	TIME_NOW(&timer_start);
 	loadzone(file, origin, rdclass, &gdb);
 	gorigin = dns_db_origin(gdb);
+	gclass = dns_db_class(gdb);
+	zonettl = soattl();
 
 	ISC_LIST_INIT(keylist);
 
 	if (argc == 0) {
-		signer_key_t *key;
-
 		loadzonekeys(gdb);
-
-		key = ISC_LIST_HEAD(keylist);
-		while (key != NULL) {
-			key->isdefault = ISC_TRUE;
-			key = ISC_LIST_NEXT(key, link);
-		}
 	} else {
 		for (i = 0; i < argc; i++) {
 			dst_key_t *newkey = NULL;
@@ -1710,7 +1850,7 @@ main(int argc, char *argv[]) {
 						       DST_TYPE_PRIVATE,
 						       mctx, &newkey);
 			if (result != ISC_R_SUCCESS)
-				fatal("cannot load key %s: %s", argv[i],
+				fatal("cannot load key %s: %s", argv[i], 
 				      isc_result_totext(result)); 
 
 			key = ISC_LIST_HEAD(keylist);
@@ -1721,7 +1861,6 @@ main(int argc, char *argv[]) {
 				    dns_name_equal(dst_key_name(dkey),
 					    	   dst_key_name(newkey)))
 				{
-					key->isdefault = ISC_TRUE;
 					if (!dst_key_isprivate(dkey))
 						fatal("cannot sign zone with "
 						      "non-private key %s",
@@ -1740,16 +1879,66 @@ main(int argc, char *argv[]) {
 		loadzonepubkeys(gdb);
 	}
 
+	for (i = 0; i < ndskeys; i++) {
+		dst_key_t *newkey = NULL;
+
+		result = dst_key_fromnamedfile(dskeyfile[i],
+					       DST_TYPE_PUBLIC |
+					       DST_TYPE_PRIVATE,
+					       mctx, &newkey);
+		if (result != ISC_R_SUCCESS)
+			fatal("cannot load key %s: %s", dskeyfile[i],
+			      isc_result_totext(result)); 
+
+		key = ISC_LIST_HEAD(keylist);
+		while (key != NULL) {
+			dst_key_t *dkey = key->key;
+			if (dst_key_id(dkey) == dst_key_id(newkey) &&
+			    dst_key_alg(dkey) == dst_key_alg(newkey) &&
+			    dns_name_equal(dst_key_name(dkey),
+				    	   dst_key_name(newkey)))
+			{
+				/* Override key flags. */
+				key->issigningkey = ISC_TRUE;
+				key->isksk = ISC_TRUE;
+				key->isdsk = ISC_FALSE;
+				dst_key_free(&dkey);
+				key->key = newkey;
+				break;
+			}
+			key = ISC_LIST_NEXT(key, link);
+		}
+		if (key == NULL) {
+			/* Override key flags. */
+			key = newkeystruct(newkey, ISC_TRUE);
+			key->isksk = ISC_TRUE;
+			key->isdsk = ISC_FALSE;
+			ISC_LIST_APPEND(keylist, key, link);
+		}
+	}
+
 	if (ISC_LIST_EMPTY(keylist)) {
 		fprintf(stderr, "%s: warning: No keys specified or found\n",
 			program);
 		nokeys = ISC_TRUE;
 	}
 
+	warnifallksk(gdb);
+
 	gversion = NULL;
 	result = dns_db_newversion(gdb, &gversion);
 	check_result(result, "dns_db_newversion()");
 
+	nsecify();
+
+	if (!nokeys) {
+		writeset("keyset-", dns_rdatatype_dnskey);
+		writeset("dsset-", dns_rdatatype_ds);
+		if (dlv != NULL) {
+			writeset("dlvset-", dns_rdatatype_dlv);
+		}
+	}
+
 	tempfilelen = strlen(output) + 20;
 	tempfile = isc_mem_get(mctx, tempfilelen);
 	if (tempfile == NULL)
@@ -1809,6 +1998,11 @@ main(int argc, char *argv[]) {
 	isc_mem_put(mctx, tasks, ntasks * sizeof(isc_task_t *));
 	postsign();
 
+	if (udb != NULL) {
+		dumpdb(udb);
+		dns_db_detach(&udb);
+	}
+
 	result = isc_stdio_close(fp);
 	check_result(result, "isc_stdio_close");
 	removefile = ISC_FALSE;
@@ -1825,7 +2019,6 @@ main(int argc, char *argv[]) {
 	printf("%s\n", output);
 
 	dns_db_closeversion(gdb, &gversion, ISC_FALSE);
-
 	dns_db_detach(&gdb);
 
 	while (!ISC_LIST_EMPTY(keylist)) {
@@ -1840,9 +2033,10 @@ main(int argc, char *argv[]) {
 	if (free_output)
 		isc_mem_free(mctx, output);
 
+	dns_master_styledestroy(&dsstyle, mctx);
+
 	cleanup_logging(&log);
 	dst_lib_destroy();
-	isc_hash_destroy();
 	cleanup_entropy(&ectx);
 	if (verbose > 10)
 		isc_mem_stats(mctx, stdout);
@@ -1851,35 +2045,8 @@ main(int argc, char *argv[]) {
 	(void) isc_app_finish();
 
 	if (printstats) {
-		isc_uint64_t runtime_us;   /* Runtime in microseconds */
-		isc_uint64_t runtime_ms;   /* Runtime in milliseconds */
-		isc_uint64_t sig_ms;	   /* Signatures per millisecond */
-
-		isc_time_now(&timer_finish);
-
-		runtime_us = isc_time_microdiff(&timer_finish, &timer_start);
-
-		printf("Signatures generated:               %10d\n",
-		       nsigned);
-		printf("Signatures retained:                %10d\n",
-		       nretained);
-		printf("Signatures dropped:                 %10d\n",
-		       ndropped);
-		printf("Signatures successfully verified:   %10d\n",
-		       nverified);
-		printf("Signatures unsuccessfully verified: %10d\n",
-		       nverifyfailed);
-		runtime_ms = runtime_us / 1000;
-		printf("Runtime in seconds:                %7u.%03u\n", 
-		       (unsigned int) (runtime_ms / 1000), 
-		       (unsigned int) (runtime_ms % 1000));
-		if (runtime_us > 0) {
-			sig_ms = ((isc_uint64_t)nsigned * 1000000000) /
-				 runtime_us;
-			printf("Signatures per second:             %7u.%03u\n",
-			       (unsigned int) sig_ms / 1000, 
-			       (unsigned int) sig_ms % 1000);
-		}
+		TIME_NOW(&timer_finish);
+		print_stats(&timer_start, &timer_finish);
 	}
 
 	return (0);
diff --git a/bin/dnssec/dnssec-signzone.docbook b/bin/dnssec/dnssec-signzone.docbook
index e490d90a..5c12c4e8 100644
--- a/bin/dnssec/dnssec-signzone.docbook
+++ b/bin/dnssec/dnssec-signzone.docbook
@@ -1,9 +1,7 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
 <!--
- - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
+ - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001-2003  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -18,7 +16,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: dnssec-signzone.docbook,v 1.2.2.11 2007/05/09 02:11:44 marka Exp $ -->
+<!-- $Id: dnssec-signzone.docbook,v 1.2.2.2.4.6 2004/03/10 02:55:51 marka Exp $ -->
 
 <refentry>
   <refentryinfo>
@@ -31,21 +29,6 @@
     <refmiscinfo>BIND9</refmiscinfo>
   </refmeta>
 
-  <docinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2007</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <year>2003</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
-  </docinfo>
-
   <refnamediv>
     <refname><application>dnssec-signzone</application></refname>
     <refpurpose>DNSSEC zone signing tool</refpurpose>
@@ -57,17 +40,21 @@
       <arg><option>-a</option></arg>
       <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
       <arg><option>-d <replaceable class="parameter">directory</replaceable></option></arg>
-      <arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
       <arg><option>-e <replaceable class="parameter">end-time</replaceable></option></arg>
       <arg><option>-f <replaceable class="parameter">output-file</replaceable></option></arg>
+      <arg><option>-g</option></arg>
       <arg><option>-h</option></arg>
+      <arg><option>-k <replaceable class="parameter">key</replaceable></option></arg>
+      <arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
       <arg><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
       <arg><option>-n <replaceable class="parameter">nthreads</replaceable></option></arg>
       <arg><option>-o <replaceable class="parameter">origin</replaceable></option></arg>
       <arg><option>-p</option></arg>
       <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
+      <arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
       <arg><option>-t</option></arg>
       <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
+      <arg><option>-z</option></arg>
       <arg choice="req">zonefile</arg>
       <arg rep="repeat">key</arg>
     </cmdsynopsis>
@@ -76,8 +63,8 @@
   <refsect1>
     <title>DESCRIPTION</title>
     <para>
-        <command>dnssec-signzone</command> signs a zone.  It generates NXT
-	and SIG records and produces a signed version of the zone.  If there
+        <command>dnssec-signzone</command> signs a zone.  It generates NSEC
+	and RRSIG records and produces a signed version of the zone.  If there
 	is a <filename>signedkey</filename> file from the zone's parent,
 	the parent's signatures will be incorporated into the generated
 	signed zone file.  The security status of delegations from the
@@ -110,6 +97,26 @@
       </varlistentry>
 
       <varlistentry>
+        <term>-k <replaceable class="parameter">key</replaceable></term>
+	<listitem>
+	  <para>
+	       Treat specified key as a key signing key ignoring any
+	       key flags.  This option may be specified multiple times.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-l <replaceable class="parameter">domain</replaceable></term>
+	<listitem>
+	  <para>
+		Generate a DLV set in addition to the key (DNSKEY) and DS sets.
+		The domain is appended to the name of the records.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
         <term>-d <replaceable class="parameter">directory</replaceable></term>
 	<listitem>
 	  <para>
@@ -120,17 +127,27 @@
       </varlistentry>
 
       <varlistentry>
+        <term>-g</term>
+	<listitem>
+	  <para>
+		Generate DS records for child zones from keyset files.
+		Existing DS records will be removed.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
         <term>-s <replaceable class="parameter">start-time</replaceable></term>
 	<listitem>
 	  <para>
-	       Specify the date and time when the generated SIG records
+	       Specify the date and time when the generated RRSIG records
 	       become valid.  This can be either an absolute or relative
 	       time.  An absolute start time is indicated by a number
 	       in YYYYMMDDHHMMSS notation; 20000530144500 denotes
 	       14:45:00 UTC on May 30th, 2000.  A relative start time is
 	       indicated by +N, which is N seconds from the current time.
 	       If no <option>start-time</option> is specified, the current
-	       time is used.
+	       time minus 1 hour (to allow for clock skew) is used.
 	  </para>
 	</listitem>
       </varlistentry>
@@ -139,7 +156,7 @@
         <term>-e <replaceable class="parameter">end-time</replaceable></term>
 	<listitem>
 	  <para>
-	       Specify the date and time when the generated SIG records
+	       Specify the date and time when the generated RRSIG records
 	       expire.  As with <option>start-time</option>, an absolute
 	       time is indicated in YYYYMMDDHHMMSS notation.  A time relative
 	       to the start time is indicated with +N, which is N seconds from
@@ -156,7 +173,7 @@
 	  <para>
 	       The name of the output file containing the signed zone.  The
 	       default is to append <filename>.signed</filename> to the
-	       input filename.
+	       input file.
 	  </para>
 	</listitem>
       </varlistentry>
@@ -175,10 +192,10 @@
         <term>-i <replaceable class="parameter">interval</replaceable></term>
 	<listitem>
 	  <para>
-	       When a previously-signed zone is passed as input, records
+	       When a previously signed zone is passed as input, records
 	       may be resigned.  The <option>interval</option> option
 	       specifies the cycle interval as an offset from the current
-	       time (in seconds).  If a SIG record expires after the
+	       time (in seconds).  If a RRSIG record expires after the
 	       cycle interval, it is retained.  Otherwise, it is considered
 	       to be expiring soon, and it will be replaced.
 	  </para>
@@ -188,7 +205,7 @@
 	       <option>end-time</option> or <option>start-time</option>
 	       are specified, <command>dnssec-signzone</command> generates
 	       signatures that are valid for 30 days, with a cycle
-	       interval of 7.5 days.  Therefore, if any existing SIG records
+	       interval of 7.5 days.  Therefore, if any existing RRSIG records
 	       are due to expire in less than 7.5 days, they would be
 	       replaced.
 	  </para>
@@ -262,10 +279,20 @@
       </varlistentry>
 
       <varlistentry>
+        <term>-z</term>
+	<listitem>
+	  <para>
+	       Ignore KSK flag on key when determining what to sign.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
         <term>zonefile</term>
 	<listitem>
 	  <para>
 	       The file containing the zone to be signed.
+	       Sets the debugging level.
 	  </para>
 	</listitem>
       </varlistentry>
@@ -274,11 +301,9 @@
         <term>key</term>
 	<listitem>
 	  <para>
-	    Specify which keys should be used to sign the zone.  If
-	    no keys are specified, then the zone will be examined
-	    for DNSKEY records at the zone apex.  If these are found and
-	    there are matching private keys, in the current directory,
-	    then these will be used for signing.
+	       The keys used to sign the zone.  If no keys are specified, the
+	       default all zone keys that have private key files in the
+	       current directory.
 	  </para>
 	</listitem>
       </varlistentry>
@@ -330,7 +355,7 @@
   <refsect1>
     <title>AUTHOR</title>
     <para>
-        <corpauthor>Internet Systems Consortium</corpauthor>
+        <corpauthor>Internet Software Consortium</corpauthor>
     </para>
   </refsect1>
 
diff --git a/bin/dnssec/dnssec-signzone.html b/bin/dnssec/dnssec-signzone.html
index 100c2b21..9c2e96f4 100644
--- a/bin/dnssec/dnssec-signzone.html
+++ b/bin/dnssec/dnssec-signzone.html
@@ -1,206 +1,619 @@
 <!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
- - 
+ - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001-2003  Internet Software Consortium.
+ -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
- - 
+ -
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: dnssec-signzone.html,v 1.4.2.18 2007/05/09 03:32:21 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>dnssec-signzone</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476275"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p><span class="application">dnssec-signzone</span> &#8212; DNSSEC zone signing tool</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code>  [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-h</code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nthreads</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-p</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-t</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {zonefile} [key...]</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543457"></a><h2>DESCRIPTION</h2>
-<p>
-        <span><strong class="command">dnssec-signzone</strong></span> signs a zone.  It generates NXT
-	and SIG records and produces a signed version of the zone.  If there
-	is a <code class="filename">signedkey</code> file from the zone's parent,
+
+<!-- $Id: dnssec-signzone.html,v 1.4.2.1.4.4 2004/03/15 01:02:42 marka Exp $ -->
+
+<HTML
+><HEAD
+><TITLE
+>dnssec-signzone</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.73
+"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+><SPAN
+CLASS="APPLICATION"
+>dnssec-signzone</SPAN
+></A
+></H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN9"
+></A
+><H2
+>Name</H2
+><SPAN
+CLASS="APPLICATION"
+>dnssec-signzone</SPAN
+>&nbsp;--&nbsp;DNSSEC zone signing tool</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN13"
+></A
+><H2
+>Synopsis</H2
+><P
+><B
+CLASS="COMMAND"
+>dnssec-signzone</B
+>  [<TT
+CLASS="OPTION"
+>-a</TT
+>] [<TT
+CLASS="OPTION"
+>-c <TT
+CLASS="REPLACEABLE"
+><I
+>class</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-d <TT
+CLASS="REPLACEABLE"
+><I
+>directory</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-e <TT
+CLASS="REPLACEABLE"
+><I
+>end-time</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-f <TT
+CLASS="REPLACEABLE"
+><I
+>output-file</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-g</TT
+>] [<TT
+CLASS="OPTION"
+>-h</TT
+>] [<TT
+CLASS="OPTION"
+>-k <TT
+CLASS="REPLACEABLE"
+><I
+>key</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-l <TT
+CLASS="REPLACEABLE"
+><I
+>domain</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-i <TT
+CLASS="REPLACEABLE"
+><I
+>interval</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-n <TT
+CLASS="REPLACEABLE"
+><I
+>nthreads</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-o <TT
+CLASS="REPLACEABLE"
+><I
+>origin</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-p</TT
+>] [<TT
+CLASS="OPTION"
+>-r <TT
+CLASS="REPLACEABLE"
+><I
+>randomdev</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-s <TT
+CLASS="REPLACEABLE"
+><I
+>start-time</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-t</TT
+>] [<TT
+CLASS="OPTION"
+>-v <TT
+CLASS="REPLACEABLE"
+><I
+>level</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-z</TT
+>] {zonefile} [key...]</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN66"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+>        <B
+CLASS="COMMAND"
+>dnssec-signzone</B
+> signs a zone.  It generates NSEC
+	and RRSIG records and produces a signed version of the zone.  If there
+	is a <TT
+CLASS="FILENAME"
+>signedkey</TT
+> file from the zone's parent,
 	the parent's signatures will be incorporated into the generated
 	signed zone file.  The security status of delegations from the
         signed zone (that is, whether the child zones are secure or not) is
         determined by the presence or absence of a
-	<code class="filename">signedkey</code> file for each child zone.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543476"></a><h2>OPTIONS</h2>
-<div class="variablelist"><dl>
-<dt><span class="term">-a</span></dt>
-<dd><p>
-	      Verify all generated signatures.
-	  </p></dd>
-<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
-<dd><p>
-	       Specifies the DNS class of the zone.
-	  </p></dd>
-<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
-<dd><p>
-	       Look for <code class="filename">signedkey</code> files in
-	       <code class="option">directory</code> as the directory 
-	  </p></dd>
-<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
-<dd><p>
-	       Specify the date and time when the generated SIG records
+	<TT
+CLASS="FILENAME"
+>signedkey</TT
+> file for each child zone.
+    </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN72"
+></A
+><H2
+>OPTIONS</H2
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+>-a</DT
+><DD
+><P
+>	      Verify all generated signatures.
+	  </P
+></DD
+><DT
+>-c <TT
+CLASS="REPLACEABLE"
+><I
+>class</I
+></TT
+></DT
+><DD
+><P
+>	       Specifies the DNS class of the zone.
+	  </P
+></DD
+><DT
+>-k <TT
+CLASS="REPLACEABLE"
+><I
+>key</I
+></TT
+></DT
+><DD
+><P
+>	       Treat specified key as a key signing key ignoring any
+	       key flags.  This option may be specified multiple times.
+	  </P
+></DD
+><DT
+>-l <TT
+CLASS="REPLACEABLE"
+><I
+>domain</I
+></TT
+></DT
+><DD
+><P
+>		Generate a DLV set in addition to the key (DNSKEY) and DS sets.
+		The domain is appended to the name of the records.
+	  </P
+></DD
+><DT
+>-d <TT
+CLASS="REPLACEABLE"
+><I
+>directory</I
+></TT
+></DT
+><DD
+><P
+>	       Look for <TT
+CLASS="FILENAME"
+>signedkey</TT
+> files in
+	       <TT
+CLASS="OPTION"
+>directory</TT
+> as the directory 
+	  </P
+></DD
+><DT
+>-g</DT
+><DD
+><P
+>		Generate DS records for child zones from keyset files.
+		Existing DS records will be removed.
+	  </P
+></DD
+><DT
+>-s <TT
+CLASS="REPLACEABLE"
+><I
+>start-time</I
+></TT
+></DT
+><DD
+><P
+>	       Specify the date and time when the generated RRSIG records
 	       become valid.  This can be either an absolute or relative
 	       time.  An absolute start time is indicated by a number
 	       in YYYYMMDDHHMMSS notation; 20000530144500 denotes
 	       14:45:00 UTC on May 30th, 2000.  A relative start time is
 	       indicated by +N, which is N seconds from the current time.
-	       If no <code class="option">start-time</code> is specified, the current
-	       time is used.
-	  </p></dd>
-<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
-<dd><p>
-	       Specify the date and time when the generated SIG records
-	       expire.  As with <code class="option">start-time</code>, an absolute
+	       If no <TT
+CLASS="OPTION"
+>start-time</TT
+> is specified, the current
+	       time minus 1 hour (to allow for clock skew) is used.
+	  </P
+></DD
+><DT
+>-e <TT
+CLASS="REPLACEABLE"
+><I
+>end-time</I
+></TT
+></DT
+><DD
+><P
+>	       Specify the date and time when the generated RRSIG records
+	       expire.  As with <TT
+CLASS="OPTION"
+>start-time</TT
+>, an absolute
 	       time is indicated in YYYYMMDDHHMMSS notation.  A time relative
 	       to the start time is indicated with +N, which is N seconds from
 	       the start time.  A time relative to the current time is
-	       indicated with now+N.  If no <code class="option">end-time</code> is
+	       indicated with now+N.  If no <TT
+CLASS="OPTION"
+>end-time</TT
+> is
 	       specified, 30 days from the start time is used as a default.
-	  </p></dd>
-<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
-<dd><p>
-	       The name of the output file containing the signed zone.  The
-	       default is to append <code class="filename">.signed</code> to the
-	       input filename.
-	  </p></dd>
-<dt><span class="term">-h</span></dt>
-<dd><p>
-	       Prints a short summary of the options and arguments to
-	       <span><strong class="command">dnssec-signzone</strong></span>.
-	  </p></dd>
-<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
-<dd>
-<p>
-	       When a previously-signed zone is passed as input, records
-	       may be resigned.  The <code class="option">interval</code> option
+	  </P
+></DD
+><DT
+>-f <TT
+CLASS="REPLACEABLE"
+><I
+>output-file</I
+></TT
+></DT
+><DD
+><P
+>	       The name of the output file containing the signed zone.  The
+	       default is to append <TT
+CLASS="FILENAME"
+>.signed</TT
+> to the
+	       input file.
+	  </P
+></DD
+><DT
+>-h</DT
+><DD
+><P
+>	       Prints a short summary of the options and arguments to
+	       <B
+CLASS="COMMAND"
+>dnssec-signzone</B
+>.
+	  </P
+></DD
+><DT
+>-i <TT
+CLASS="REPLACEABLE"
+><I
+>interval</I
+></TT
+></DT
+><DD
+><P
+>	       When a previously signed zone is passed as input, records
+	       may be resigned.  The <TT
+CLASS="OPTION"
+>interval</TT
+> option
 	       specifies the cycle interval as an offset from the current
-	       time (in seconds).  If a SIG record expires after the
+	       time (in seconds).  If a RRSIG record expires after the
 	       cycle interval, it is retained.  Otherwise, it is considered
 	       to be expiring soon, and it will be replaced.
-	  </p>
-<p>
-	       The default cycle interval is one quarter of the difference
+	  </P
+><P
+>	       The default cycle interval is one quarter of the difference
 	       between the signature end and start times.  So if neither
-	       <code class="option">end-time</code> or <code class="option">start-time</code>
-	       are specified, <span><strong class="command">dnssec-signzone</strong></span> generates
+	       <TT
+CLASS="OPTION"
+>end-time</TT
+> or <TT
+CLASS="OPTION"
+>start-time</TT
+>
+	       are specified, <B
+CLASS="COMMAND"
+>dnssec-signzone</B
+> generates
 	       signatures that are valid for 30 days, with a cycle
-	       interval of 7.5 days.  Therefore, if any existing SIG records
+	       interval of 7.5 days.  Therefore, if any existing RRSIG records
 	       are due to expire in less than 7.5 days, they would be
 	       replaced.
-	  </p>
-</dd>
-<dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
-<dd><p>
-	       Specifies the number of threads to use.  By default, one
+	  </P
+></DD
+><DT
+>-n <TT
+CLASS="REPLACEABLE"
+><I
+>ncpus</I
+></TT
+></DT
+><DD
+><P
+>	       Specifies the number of threads to use.  By default, one
 	       thread is started for each detected CPU.
-	  </p></dd>
-<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
-<dd><p>
-	       The zone origin.  If not specified, the name of the zone file
+	  </P
+></DD
+><DT
+>-o <TT
+CLASS="REPLACEABLE"
+><I
+>origin</I
+></TT
+></DT
+><DD
+><P
+>	       The zone origin.  If not specified, the name of the zone file
 	       is assumed to be the origin.
-	  </p></dd>
-<dt><span class="term">-p</span></dt>
-<dd><p>
-	       Use pseudo-random data when signing the zone.  This is faster,
+	  </P
+></DD
+><DT
+>-p</DT
+><DD
+><P
+>	       Use pseudo-random data when signing the zone.  This is faster,
 	       but less secure, than using real random data.  This option
 	       may be useful when signing large zones or when the entropy
 	       source is limited.
-	  </p></dd>
-<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
-<dd><p>
-	       Specifies the source of randomness.  If the operating
-	       system does not provide a <code class="filename">/dev/random</code>
+	  </P
+></DD
+><DT
+>-r <TT
+CLASS="REPLACEABLE"
+><I
+>randomdev</I
+></TT
+></DT
+><DD
+><P
+>	       Specifies the source of randomness.  If the operating
+	       system does not provide a <TT
+CLASS="FILENAME"
+>/dev/random</TT
+>
 	       or equivalent device, the default source of randomness
-	       is keyboard input.  <code class="filename">randomdev</code> specifies
+	       is keyboard input.  <TT
+CLASS="FILENAME"
+>randomdev</TT
+> specifies
 	       the name of a character device or file containing random
 	       data to be used instead of the default.  The special value
-	       <code class="filename">keyboard</code> indicates that keyboard
+	       <TT
+CLASS="FILENAME"
+>keyboard</TT
+> indicates that keyboard
 	       input should be used.
-	  </p></dd>
-<dt><span class="term">-t</span></dt>
-<dd><p>
-	       Print statistics at completion.
-	  </p></dd>
-<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
-<dd><p>
+	  </P
+></DD
+><DT
+>-t</DT
+><DD
+><P
+>	       Print statistics at completion.
+	  </P
+></DD
+><DT
+>-v <TT
+CLASS="REPLACEABLE"
+><I
+>level</I
+></TT
+></DT
+><DD
+><P
+>	       Sets the debugging level.
+	  </P
+></DD
+><DT
+>-z</DT
+><DD
+><P
+>	       Ignore KSK flag on key when determining what to sign.
+	  </P
+></DD
+><DT
+>zonefile</DT
+><DD
+><P
+>	       The file containing the zone to be signed.
 	       Sets the debugging level.
-	  </p></dd>
-<dt><span class="term">zonefile</span></dt>
-<dd><p>
-	       The file containing the zone to be signed.
-	  </p></dd>
-<dt><span class="term">key</span></dt>
-<dd><p>
-	    Specify which keys should be used to sign the zone.  If
-	    no keys are specified, then the zone will be examined
-	    for DNSKEY records at the zone apex.  If these are found and
-	    there are matching private keys, in the current directory,
-	    then these will be used for signing.
-	  </p></dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543858"></a><h2>EXAMPLE</h2>
-<p>
-        The following command signs the <strong class="userinput"><code>example.com</code></strong>
-	zone with the DSA key generated in the <span><strong class="command">dnssec-keygen</strong></span>
+	  </P
+></DD
+><DT
+>key</DT
+><DD
+><P
+>	       The keys used to sign the zone.  If no keys are specified, the
+	       default all zone keys that have private key files in the
+	       current directory.
+	  </P
+></DD
+></DL
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN182"
+></A
+><H2
+>EXAMPLE</H2
+><P
+>        The following command signs the <TT
+CLASS="USERINPUT"
+><B
+>example.com</B
+></TT
+>
+	zone with the DSA key generated in the <B
+CLASS="COMMAND"
+>dnssec-keygen</B
+>
 	man page.  The zone's keys must be in the zone.  If there are
-	<code class="filename">signedkey</code> files associated with this zone
+	<TT
+CLASS="FILENAME"
+>signedkey</TT
+> files associated with this zone
 	or any child zones, they must be in the current directory.
-	<strong class="userinput"><code>example.com</code></strong>, the following command would be
+	<TT
+CLASS="USERINPUT"
+><B
+>example.com</B
+></TT
+>, the following command would be
 	issued:
-    </p>
-<p>
-        <strong class="userinput"><code>dnssec-signzone -o example.com db.example.com Kexample.com.+003+26160</code></strong>
-    </p>
-<p>
-        The command would print a string of the form:
-    </p>
-<p>
-        In this example, <span><strong class="command">dnssec-signzone</strong></span> creates
-	the file <code class="filename">db.example.com.signed</code>.  This file
+    </P
+><P
+>        <TT
+CLASS="USERINPUT"
+><B
+>dnssec-signzone -o example.com db.example.com Kexample.com.+003+26160</B
+></TT
+>
+    </P
+><P
+>        The command would print a string of the form:
+    </P
+><P
+>        In this example, <B
+CLASS="COMMAND"
+>dnssec-signzone</B
+> creates
+	the file <TT
+CLASS="FILENAME"
+>db.example.com.signed</TT
+>.  This file
 	should be referenced in a zone statement in a
-	<code class="filename">named.conf</code> file.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543908"></a><h2>SEE ALSO</h2>
-<p>
-      <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
-      <span class="citerefentry"><span class="refentrytitle">dnssec-signkey</span>(8)</span>,
-      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
-      <em class="citetitle">RFC 2535</em>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543944"></a><h2>AUTHOR</h2>
-<p>
-        <span class="corpauthor">Internet Systems Consortium</span>
-    </p>
-</div>
-</div></body>
-</html>
+	<TT
+CLASS="FILENAME"
+>named.conf</TT
+> file.
+    </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN196"
+></A
+><H2
+>SEE ALSO</H2
+><P
+>      <SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>dnssec-keygen</SPAN
+>(8)</SPAN
+>,
+      <SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>dnssec-signkey</SPAN
+>(8)</SPAN
+>,
+      <I
+CLASS="CITETITLE"
+>BIND 9 Administrator Reference Manual</I
+>,
+      <I
+CLASS="CITETITLE"
+>RFC 2535</I
+>.
+    </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN207"
+></A
+><H2
+>AUTHOR</H2
+><P
+>        Internet Software Consortium
+    </P
+></DIV
+></BODY
+></HTML
+>
diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c
index b26ad4ff..1b84de8f 100644
--- a/bin/dnssec/dnssectool.c
+++ b/bin/dnssec/dnssectool.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssectool.c,v 1.31.2.7 2005/07/02 02:42:29 marka Exp $ */
+/* $Id: dnssectool.c,v 1.31.2.3.2.4 2004/03/08 02:07:38 marka Exp $ */
 
 #include <config.h>
 
@@ -23,6 +23,8 @@
 
 #include <isc/buffer.h>
 #include <isc/entropy.h>
+#include <isc/list.h>
+#include <isc/mem.h>
 #include <isc/string.h>
 #include <isc/time.h>
 #include <isc/util.h>
@@ -31,6 +33,7 @@
 #include <dns/log.h>
 #include <dns/name.h>
 #include <dns/rdatastruct.h>
+#include <dns/rdataclass.h>
 #include <dns/rdatatype.h>
 #include <dns/result.h>
 #include <dns/secalg.h>
@@ -41,7 +44,15 @@
 extern int verbose;
 extern const char *program;
 
-static isc_entropysource_t *source = NULL;
+typedef struct entropysource entropysource_t;
+
+struct entropysource {
+	isc_entropysource_t *source;
+	isc_mem_t *mctx;
+	ISC_LINK(entropysource_t) link;
+};
+
+static ISC_LIST(entropysource_t) sources;
 static fatalcallback_t *fatalcallback = NULL;
 
 void
@@ -107,12 +118,12 @@ alg_format(const dns_secalg_t alg, char *cp, unsigned int size) {
 }
 
 void
-sig_format(dns_rdata_sig_t *sig, char *cp, unsigned int size) {
+sig_format(dns_rdata_rrsig_t *sig, char *cp, unsigned int size) {
 	char namestr[DNS_NAME_FORMATSIZE];
 	char algstr[DNS_NAME_FORMATSIZE];
 
-	dns_name_format(&sig->signer, namestr, sizeof namestr);
-	alg_format(sig->algorithm, algstr, sizeof algstr);
+	dns_name_format(&sig->signer, namestr, sizeof(namestr));
+	alg_format(sig->algorithm, algstr, sizeof(algstr));
 	snprintf(cp, size, "%s/%s/%d", namestr, algstr, sig->keyid);
 }
 
@@ -121,8 +132,8 @@ key_format(const dst_key_t *key, char *cp, unsigned int size) {
 	char namestr[DNS_NAME_FORMATSIZE];
 	char algstr[DNS_NAME_FORMATSIZE];
 
-	dns_name_format(dst_key_name(key), namestr, sizeof namestr);
-	alg_format((dns_secalg_t) dst_key_alg(key), algstr, sizeof algstr);
+	dns_name_format(dst_key_name(key), namestr, sizeof(namestr));
+	alg_format((dns_secalg_t) dst_key_alg(key), algstr, sizeof(algstr));
 	snprintf(cp, size, "%s/%s/%d", namestr, algstr, dst_key_id(key));
 }
 
@@ -134,8 +145,6 @@ setup_logging(int verbose, isc_mem_t *mctx, isc_log_t **logp) {
 	isc_log_t *log = NULL;
 	int level;
 
-	if (verbose < 0)
-		verbose = 0;
 	switch (verbose) {
 	case 0:
 		/*
@@ -200,6 +209,8 @@ cleanup_logging(isc_log_t **logp) {
 void
 setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
 	isc_result_t result;
+	isc_entropysource_t *source = NULL;
+	entropysource_t *elt;
 	int usekeyboard = ISC_ENTROPY_KEYBOARDMAYBE;
 
 	REQUIRE(ectx != NULL);
@@ -208,6 +219,7 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
 		result = isc_entropy_create(mctx, ectx);
 		if (result != ISC_R_SUCCESS)
 			fatal("could not create entropy object");
+		ISC_LIST_INIT(sources);
 	}
 
 	if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) {
@@ -221,17 +233,32 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
 	if (result != ISC_R_SUCCESS)
 		fatal("could not initialize entropy source: %s",
 		      isc_result_totext(result));
+
+	if (source != NULL) {
+		elt = isc_mem_get(mctx, sizeof(*elt));
+		if (elt == NULL)
+			fatal("out of memory");
+		elt->source = source;
+		elt->mctx = mctx;
+		ISC_LINK_INIT(elt, link);
+		ISC_LIST_APPEND(sources, elt, link);
+	}
 }
 
 void
 cleanup_entropy(isc_entropy_t **ectx) {
-	if (source != NULL)
-		isc_entropy_destroysource(&source);
+	entropysource_t *source;
+	while (!ISC_LIST_EMPTY(sources)) {
+		source = ISC_LIST_HEAD(sources);
+		ISC_LIST_UNLINK(sources, source, link);
+		isc_entropy_destroysource(&source->source);
+		isc_mem_put(source->mctx, source, sizeof(*source));
+	}
 	isc_entropy_detach(ectx);
 }
 
 isc_stdtime_t
-strtotime(char *str, isc_int64_t now, isc_int64_t base) {
+strtotime(const char *str, isc_int64_t now, isc_int64_t base) {
 	isc_int64_t val, offset;
 	isc_result_t result;
 	char *endp;
@@ -260,3 +287,19 @@ strtotime(char *str, isc_int64_t now, isc_int64_t base) {
 
 	return ((isc_stdtime_t) val);
 }
+
+dns_rdataclass_t
+strtoclass(const char *str) {
+	isc_textregion_t r;
+	dns_rdataclass_t rdclass;
+	isc_result_t ret;
+
+	if (str == NULL)
+		return dns_rdataclass_in;
+	DE_CONST(str, r.base);
+	r.length = strlen(str);
+	ret = dns_rdataclass_fromtext(&rdclass, &r);
+	if (ret != ISC_R_SUCCESS)
+		fatal("unknown class %s", str);
+	return (rdclass);
+}
diff --git a/bin/dnssec/dnssectool.h b/bin/dnssec/dnssectool.h
index 1d760d48..0d179503 100644
--- a/bin/dnssec/dnssectool.h
+++ b/bin/dnssec/dnssectool.h
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssectool.h,v 1.15.2.1 2004/03/09 06:09:16 marka Exp $ */
+/* $Id: dnssectool.h,v 1.15.12.3 2004/03/08 04:04:18 marka Exp $ */
 
 #ifndef DNSSECTOOL_H
 #define DNSSECTOOL_H 1
@@ -48,7 +48,7 @@ alg_format(const dns_secalg_t alg, char *cp, unsigned int size);
 #define ALG_FORMATSIZE 10
 
 void
-sig_format(dns_rdata_sig_t *sig, char *cp, unsigned int size);
+sig_format(dns_rdata_rrsig_t *sig, char *cp, unsigned int size);
 #define SIG_FORMATSIZE (DNS_NAME_FORMATSIZE + ALG_FORMATSIZE + sizeof("65535"))
 
 void
@@ -68,6 +68,9 @@ void
 cleanup_entropy(isc_entropy_t **ectx);
 
 isc_stdtime_t
-strtotime(char *str, isc_int64_t now, isc_int64_t base);
+strtotime(const char *str, isc_int64_t now, isc_int64_t base);
+
+dns_rdataclass_t
+strtoclass(const char *str);
 
 #endif /* DNSSEC_DNSSECTOOL_H */
diff --git a/bin/dnssec/win32/dnssectool.dsp b/bin/dnssec/win32/dnssectool.dsp
deleted file mode 100644
index ebc4b11c..00000000
--- a/bin/dnssec/win32/dnssectool.dsp
+++ /dev/null
@@ -1,113 +0,0 @@
-# Microsoft Developer Studio Project File - Name="dnssectool" - Package Owner=<4>

-# Microsoft Developer Studio Generated Build File, Format Version 6.00

-# ** DO NOT EDIT **

-

-# TARGTYPE "Win32 (x86) Static-Link Library" 0x0104

-

-CFG=dnssectool - Win32 Debug

-!MESSAGE This is not a valid makefile. To build this project using NMAKE,

-!MESSAGE use the Export Makefile command and run

-!MESSAGE 

-!MESSAGE NMAKE /f "dnssectool.mak".

-!MESSAGE 

-!MESSAGE You can specify a configuration when running NMAKE

-!MESSAGE by defining the macro CFG on the command line. For example:

-!MESSAGE 

-!MESSAGE NMAKE /f "dnssectool.mak" CFG="dnssectool - Win32 Debug"

-!MESSAGE 

-!MESSAGE Possible choices for configuration are:

-!MESSAGE 

-!MESSAGE "dnssectool - Win32 Release" (based on "Win32 (x86) Static-Link Library")

-!MESSAGE "dnssectool - Win32 Debug" (based on "Win32 (x86) Static-Link Library")

-!MESSAGE 

-

-# Begin Project

-# PROP AllowPerConfigDependencies 0

-# PROP Scc_ProjName ""

-# PROP Scc_LocalPath ""

-CPP=cl.exe

-MTL=midl.exe

-RSC=rc.exe

-

-!IF  "$(CFG)" == "dnssectool - Win32 Release"

-

-# PROP BASE Use_MFC 0

-# PROP BASE Use_Debug_Libraries 0

-# PROP BASE Output_Dir "Release"

-# PROP BASE Intermediate_Dir "Release"

-# PROP BASE Target_Dir ""

-# PROP Use_MFC 0

-# PROP Use_Debug_Libraries 0

-# PROP Output_Dir "Release"

-# PROP Intermediate_Dir "Release"

-# PROP Ignore_Export_Lib 0

-# PROP Target_Dir ""

-# ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /YX /FD /c

-# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /YX /FD /c /Fddnssectool

-# SUBTRACT CPP /X

-# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32

-# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32

-# ADD BASE RSC /l 0x409 /d "NDEBUG"

-# ADD RSC /l 0x409 /d "NDEBUG"

-BSC32=bscmake.exe

-# ADD BASE BSC32 /nologo

-# ADD BSC32 /nologo

-LINK32=link.exe

-# ADD BASE LINK32 

-# ADD LINK32 /out:"Release/dnssectool.lib"

-

-!ELSEIF  "$(CFG)" == "dnssectool - Win32 Debug"

-

-# PROP BASE Use_MFC 0

-# PROP BASE Use_Debug_Libraries 1

-# PROP BASE Output_Dir "Debug"

-# PROP BASE Intermediate_Dir "Debug"

-# PROP BASE Target_Dir ""

-# PROP Use_MFC 0

-# PROP Use_Debug_Libraries 1

-# PROP Output_Dir "Debug"

-# PROP Intermediate_Dir "Debug"

-# PROP Ignore_Export_Lib 0

-# PROP Target_Dir ""

-# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /YX /FD /GZ /c

-# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /FR /YX /FD /GZ /c /Fddnssectool

-# SUBTRACT CPP /X

-# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32

-# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32

-# ADD BASE RSC /l 0x409 /d "_DEBUG"

-# ADD RSC /l 0x409 /d "_DEBUG"

-BSC32=bscmake.exe

-# ADD BASE BSC32 /nologo

-# ADD BSC32 /nologo

-LINK32=link.exe

-# ADD BASE LINK32 

-# ADD LINK32 /debug out:"Debug/dnssectool.lib"

-

-!ENDIF 

-

-# Begin Target

-

-# Name "dnssectool - Win32 Release"

-# Name "dnssectool - Win32 Debug"

-# Begin Group "Source Files"

-

-# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"

-# End Group

-# Begin Group "Header Files"

-

-# PROP Default_Filter "h;hpp;hxx;hm;inl"

-# End Group

-# Begin Group "Resource Files"

-

-# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"

-# End Group

-# Begin Group "Main Dns Lib"

-

-# PROP Default_Filter "c"

-# Begin Source File

-

-SOURCE=..\dnssectool.c

-# End Source File

-# End Group

-# End Target

-# End Project

diff --git a/bin/dnssec/win32/dnssectool.dsw b/bin/dnssec/win32/dnssectool.dsw
deleted file mode 100644
index 10494418..00000000
--- a/bin/dnssec/win32/dnssectool.dsw
+++ /dev/null
@@ -1,29 +0,0 @@
-Microsoft Developer Studio Workspace File, Format Version 6.00

-# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!

-

-###############################################################################

-

-Project: "dighost"=".\dnssectool.dsp" - Package Owner=<4>

-

-Package=<5>

-{{{

-}}}

-

-Package=<4>

-{{{

-}}}

-

-###############################################################################

-

-Global:

-

-Package=<5>

-{{{

-}}}

-

-Package=<3>

-{{{

-}}}

-

-###############################################################################

-

diff --git a/bin/dnssec/win32/keygen.dsp b/bin/dnssec/win32/keygen.dsp
index a67b5d7a..f27b42d8 100644
--- a/bin/dnssec/win32/keygen.dsp
+++ b/bin/dnssec/win32/keygen.dsp
@@ -1,103 +1,107 @@
-# Microsoft Developer Studio Project File - Name="keygen" - Package Owner=<4>

-# Microsoft Developer Studio Generated Build File, Format Version 6.00

-# ** DO NOT EDIT **

-

-# TARGTYPE "Win32 (x86) Console Application" 0x0103

-

-CFG=keygen - Win32 Debug

-!MESSAGE This is not a valid makefile. To build this project using NMAKE,

-!MESSAGE use the Export Makefile command and run

-!MESSAGE 

-!MESSAGE NMAKE /f "keygen.mak".

-!MESSAGE 

-!MESSAGE You can specify a configuration when running NMAKE

-!MESSAGE by defining the macro CFG on the command line. For example:

-!MESSAGE 

-!MESSAGE NMAKE /f "keygen.mak" CFG="keygen - Win32 Debug"

-!MESSAGE 

-!MESSAGE Possible choices for configuration are:

-!MESSAGE 

-!MESSAGE "keygen - Win32 Release" (based on "Win32 (x86) Console Application")

-!MESSAGE "keygen - Win32 Debug" (based on "Win32 (x86) Console Application")

-!MESSAGE 

-

-# Begin Project

-# PROP AllowPerConfigDependencies 0

-# PROP Scc_ProjName ""

-# PROP Scc_LocalPath ""

-CPP=cl.exe

-RSC=rc.exe

-

-!IF  "$(CFG)" == "keygen - Win32 Release"

-

-# PROP BASE Use_MFC 0

-# PROP BASE Use_Debug_Libraries 0

-# PROP BASE Output_Dir "Release"

-# PROP BASE Intermediate_Dir "Release"

-# PROP BASE Target_Dir ""

-# PROP Use_MFC 0

-# PROP Use_Debug_Libraries 0

-# PROP Output_Dir "Release"

-# PROP Intermediate_Dir "Release"

-# PROP Ignore_Export_Lib 0

-# PROP Target_Dir ""

-# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c

-# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /YX /FD /c

-# ADD BASE RSC /l 0x409 /d "NDEBUG"

-# ADD RSC /l 0x409 /d "NDEBUG"

-BSC32=bscmake.exe

-# ADD BASE BSC32 /nologo

-# ADD BSC32 /nologo

-LINK32=link.exe

-# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386

-# ADD LINK32 user32.lib advapi32.lib Release/dnssectool.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/dnssec-keygen.exe"

-

-!ELSEIF  "$(CFG)" == "keygen - Win32 Debug"

-

-# PROP BASE Use_MFC 0

-# PROP BASE Use_Debug_Libraries 1

-# PROP BASE Output_Dir "Debug"

-# PROP BASE Intermediate_Dir "Debug"

-# PROP BASE Target_Dir ""

-# PROP Use_MFC 0

-# PROP Use_Debug_Libraries 1

-# PROP Output_Dir "Debug"

-# PROP Intermediate_Dir "Debug"

-# PROP Ignore_Export_Lib 0

-# PROP Target_Dir ""

-# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c

-# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c

-# SUBTRACT CPP /X /YX

-# ADD BASE RSC /l 0x409 /d "_DEBUG"

-# ADD RSC /l 0x409 /d "_DEBUG"

-BSC32=bscmake.exe

-# ADD BASE BSC32 /nologo

-# ADD BSC32 /nologo

-LINK32=link.exe

-# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept

-# ADD LINK32 user32.lib advapi32.lib Debug/dnssectool.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/dnssec-keygen.exe" /pdbtype:sept

-

-!ENDIF 

-

-# Begin Target

-

-# Name "keygen - Win32 Release"

-# Name "keygen - Win32 Debug"

-# Begin Group "Source Files"

-

-# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"

-# Begin Source File

-

-SOURCE="..\dnssec-keygen.c"

-# End Source File

-# End Group

-# Begin Group "Header Files"

-

-# PROP Default_Filter "h;hpp;hxx;hm;inl"

-# End Group

-# Begin Group "Resource Files"

-

-# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"

-# End Group

-# End Target

-# End Project

+# Microsoft Developer Studio Project File - Name="keygen" - Package Owner=<4>
+# Microsoft Developer Studio Generated Build File, Format Version 6.00
+# ** DO NOT EDIT **
+
+# TARGTYPE "Win32 (x86) Console Application" 0x0103
+
+CFG=keygen - Win32 Debug
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,
+!MESSAGE use the Export Makefile command and run
+!MESSAGE 
+!MESSAGE NMAKE /f "keygen.mak".
+!MESSAGE 
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "keygen.mak" CFG="keygen - Win32 Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "keygen - Win32 Release" (based on "Win32 (x86) Console Application")
+!MESSAGE "keygen - Win32 Debug" (based on "Win32 (x86) Console Application")
+!MESSAGE 
+
+# Begin Project
+# PROP AllowPerConfigDependencies 0
+# PROP Scc_ProjName ""
+# PROP Scc_LocalPath ""
+CPP=cl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "keygen - Win32 Release"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 0
+# PROP BASE Output_Dir "Release"
+# PROP BASE Intermediate_Dir "Release"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 0
+# PROP Output_Dir "Release"
+# PROP Intermediate_Dir "Release"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
+# ADD CPP /nologo /MT /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/dns/sec/dst/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
+# ADD BASE RSC /l 0x409 /d "NDEBUG"
+# ADD RSC /l 0x409 /d "NDEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
+# ADD LINK32 user32.lib advapi32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/dnssec-keygen.exe"
+
+!ELSEIF  "$(CFG)" == "keygen - Win32 Debug"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 1
+# PROP BASE Output_Dir "Debug"
+# PROP BASE Intermediate_Dir "Debug"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 1
+# PROP Output_Dir "Debug"
+# PROP Intermediate_Dir "Debug"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c
+# ADD CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/dns/sec/dst/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
+# SUBTRACT CPP /X /YX
+# ADD BASE RSC /l 0x409 /d "_DEBUG"
+# ADD RSC /l 0x409 /d "_DEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
+# ADD LINK32 user32.lib advapi32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/dnssec-keygen.exe" /pdbtype:sept
+
+!ENDIF 
+
+# Begin Target
+
+# Name "keygen - Win32 Release"
+# Name "keygen - Win32 Debug"
+# Begin Group "Source Files"
+
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
+# Begin Source File
+
+SOURCE="..\dnssec-keygen.c"
+# End Source File
+# Begin Source File
+
+SOURCE=..\dnssectool.c
+# End Source File
+# End Group
+# Begin Group "Header Files"
+
+# PROP Default_Filter "h;hpp;hxx;hm;inl"
+# End Group
+# Begin Group "Resource Files"
+
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"
+# End Group
+# End Target
+# End Project
diff --git a/bin/dnssec/win32/keygen.dsw b/bin/dnssec/win32/keygen.dsw
index f9886513..bdd633e4 100644
--- a/bin/dnssec/win32/keygen.dsw
+++ b/bin/dnssec/win32/keygen.dsw
@@ -1,29 +1,29 @@
-Microsoft Developer Studio Workspace File, Format Version 6.00

-# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!

-

-###############################################################################

-

-Project: "keygen"=".\keygen.dsp" - Package Owner=<4>

-

-Package=<5>

-{{{

-}}}

-

-Package=<4>

-{{{

-}}}

-

-###############################################################################

-

-Global:

-

-Package=<5>

-{{{

-}}}

-

-Package=<3>

-{{{

-}}}

-

-###############################################################################

-

+Microsoft Developer Studio Workspace File, Format Version 6.00
+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!
+
+###############################################################################
+
+Project: "keygen"=".\keygen.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+}}}
+
+###############################################################################
+
+Global:
+
+Package=<5>
+{{{
+}}}
+
+Package=<3>
+{{{
+}}}
+
+###############################################################################
+
diff --git a/bin/dnssec/win32/keygen.mak b/bin/dnssec/win32/keygen.mak
index b2ad7f4a..7cd0dc19 100644
--- a/bin/dnssec/win32/keygen.mak
+++ b/bin/dnssec/win32/keygen.mak
@@ -1,324 +1,227 @@
-# Microsoft Developer Studio Generated NMAKE File, Based on keygen.dsp

-!IF "$(CFG)" == ""

-CFG=keygen - Win32 Debug

-!MESSAGE No configuration specified. Defaulting to keygen - Win32 Debug.

-!ENDIF 

-

-!IF "$(CFG)" != "keygen - Win32 Release" && "$(CFG)" != "keygen - Win32 Debug"

-!MESSAGE Invalid configuration "$(CFG)" specified.

-!MESSAGE You can specify a configuration when running NMAKE

-!MESSAGE by defining the macro CFG on the command line. For example:

-!MESSAGE 

-!MESSAGE NMAKE /f "keygen.mak" CFG="keygen - Win32 Debug"

-!MESSAGE 

-!MESSAGE Possible choices for configuration are:

-!MESSAGE 

-!MESSAGE "keygen - Win32 Release" (based on "Win32 (x86) Console Application")

-!MESSAGE "keygen - Win32 Debug" (based on "Win32 (x86) Console Application")

-!MESSAGE 

-!ERROR An invalid configuration is specified.

-!ENDIF 

-

-!IF "$(OS)" == "Windows_NT"

-NULL=

-!ELSE 

-NULL=nul

-!ENDIF 

-

-!IF  "$(CFG)" == "keygen - Win32 Release"

-_VC_MANIFEST_INC=0

-_VC_MANIFEST_BASENAME=__VC80

-!ELSE

-_VC_MANIFEST_INC=1

-_VC_MANIFEST_BASENAME=__VC80.Debug

-!ENDIF

-

-####################################################

-# Specifying name of temporary resource file used only in incremental builds:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res

-!else

-_VC_MANIFEST_AUTO_RES=

-!endif

-

-####################################################

-# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-

-#MT_SPECIAL_RETURN=1090650113

-#MT_SPECIAL_SWITCH=-notify_resource_update

-MT_SPECIAL_RETURN=0

-MT_SPECIAL_SWITCH=

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \

-if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \

-rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \

-link $** /out:$@ $(LFLAGS)

-

-!else

-

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1

-

-!endif

-

-####################################################

-# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-

-#MT_SPECIAL_RETURN=1090650113

-#MT_SPECIAL_SWITCH=-notify_resource_update

-MT_SPECIAL_RETURN=0

-MT_SPECIAL_SWITCH=

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \

-if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \

-rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \

-link $** /out:$@ $(LFLAGS)

-

-!else

-

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2

-

-!endif

-####################################################

-# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-

-_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \

-    $(_VC_MANIFEST_BASENAME).auto.rc \

-    $(_VC_MANIFEST_BASENAME).auto.manifest

-

-!else

-

-_VC_MANIFEST_CLEAN=

-

-!endif

-

-!IF  "$(CFG)" == "keygen - Win32 Release"

-

-OUTDIR=.\Release

-INTDIR=.\Release

-

-ALL : "..\..\..\Build\Release\dnssec-keygen.exe"

-

-

-CLEAN :

-	-@erase "$(INTDIR)\dnssec-keygen.obj"

-	-@erase "$(INTDIR)\dnssectool.obj"

-	-@erase "$(INTDIR)\vc60.idb"

-	-@erase "..\..\..\Build\Release\dnssec-keygen.exe"

-	-@$(_VC_MANIFEST_CLEAN)

-

-"$(OUTDIR)" :

-    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"

-

-CPP=cl.exe

-CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\keygen.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 

-

-.c{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.c{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-RSC=rc.exe

-BSC32=bscmake.exe

-BSC32_FLAGS=/nologo /o"$(OUTDIR)\keygen.bsc" 

-BSC32_SBRS= \

-	

-LINK32=link.exe

-LINK32_FLAGS=user32.lib advapi32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\dnssec-keygen.pdb" /machine:I386 /out:"../../../Build/Release/dnssec-keygen.exe" 

-LINK32_OBJS= \

-	"$(INTDIR)\dnssec-keygen.obj" \

-	"$(INTDIR)\dnssectool.obj"

-

-"..\..\..\Build\Release\dnssec-keygen.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)

-    $(LINK32) @<<

-  $(LINK32_FLAGS) $(LINK32_OBJS)

-<<

-    $(_VC_MANIFEST_EMBED_EXE)

-

-!ELSEIF  "$(CFG)" == "keygen - Win32 Debug"

-

-OUTDIR=.\Debug

-INTDIR=.\Debug

-# Begin Custom Macros

-OutDir=.\Debug

-# End Custom Macros

-

-ALL : "..\..\..\Build\Debug\dnssec-keygen.exe" "$(OUTDIR)\keygen.bsc"

-

-

-CLEAN :

-	-@erase "$(INTDIR)\dnssec-keygen.obj"

-	-@erase "$(INTDIR)\dnssec-keygen.sbr"

-	-@erase "$(INTDIR)\dnssectool.obj"

-	-@erase "$(INTDIR)\dnssectool.sbr"

-	-@erase "$(INTDIR)\vc60.idb"

-	-@erase "$(INTDIR)\vc60.pdb"

-	-@erase "$(OUTDIR)\dnssec-keygen.pdb"

-	-@erase "$(OUTDIR)\keygen.bsc"

-	-@erase "..\..\..\Build\Debug\dnssec-keygen.exe"

-	-@erase "..\..\..\Build\Debug\dnssec-keygen.ilk"

-	-@$(_VC_MANIFEST_CLEAN)

-

-"$(OUTDIR)" :

-    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"

-

-CPP=cl.exe

-CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 

-

-.c{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.c{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-RSC=rc.exe

-BSC32=bscmake.exe

-BSC32_FLAGS=/nologo /o"$(OUTDIR)\keygen.bsc" 

-BSC32_SBRS= \

-	"$(INTDIR)\dnssec-keygen.sbr" \

-	"$(INTDIR)\dnssectool.sbr"

-

-"$(OUTDIR)\keygen.bsc" : "$(OUTDIR)" $(BSC32_SBRS)

-    $(BSC32) @<<

-  $(BSC32_FLAGS) $(BSC32_SBRS)

-<<

-

-LINK32=link.exe

-LINK32_FLAGS=user32.lib advapi32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\dnssec-keygen.pdb" /debug /machine:I386 /out:"../../../Build/Debug/dnssec-keygen.exe" /pdbtype:sept 

-LINK32_OBJS= \

-	"$(INTDIR)\dnssec-keygen.obj" \

-	"$(INTDIR)\dnssectool.obj"

-

-"..\..\..\Build\Debug\dnssec-keygen.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)

-    $(LINK32) @<<

-  $(LINK32_FLAGS) $(LINK32_OBJS)

-<<

-    $(_VC_MANIFEST_EMBED_EXE)

-

-!ENDIF 

-

-

-!IF "$(NO_EXTERNAL_DEPS)" != "1"

-!IF EXISTS("keygen.dep")

-!INCLUDE "keygen.dep"

-!ELSE 

-!MESSAGE Warning: cannot find "keygen.dep"

-!ENDIF 

-!ENDIF 

-

-

-!IF "$(CFG)" == "keygen - Win32 Release" || "$(CFG)" == "keygen - Win32 Debug"

-SOURCE="..\dnssec-keygen.c"

-

-!IF  "$(CFG)" == "keygen - Win32 Release"

-

-

-"$(INTDIR)\dnssec-keygen.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "keygen - Win32 Debug"

-

-

-"$(INTDIR)\dnssec-keygen.obj"	"$(INTDIR)\dnssec-keygen.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\dnssectool.c

-

-!IF  "$(CFG)" == "keygen - Win32 Release"

-

-

-"$(INTDIR)\dnssectool.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "keygen - Win32 Debug"

-

-

-"$(INTDIR)\dnssectool.obj"	"$(INTDIR)\dnssectool.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-

-!ENDIF 

-

-####################################################

-# Commands to generate initial empty manifest file and the RC file

-# that references it, and for generating the .res file:

-

-$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc

-

-$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest

-    type <<$@

-#include <winuser.h>

-1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"

-<< KEEP

-

-$(_VC_MANIFEST_BASENAME).auto.manifest :

-    type <<$@

-<?xml version='1.0' encoding='UTF-8' standalone='yes'?>

-<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>

-</assembly>

-<< KEEP

+# Microsoft Developer Studio Generated NMAKE File, Based on keygen.dsp
+!IF "$(CFG)" == ""
+CFG=keygen - Win32 Debug
+!MESSAGE No configuration specified. Defaulting to keygen - Win32 Debug.
+!ENDIF 
+
+!IF "$(CFG)" != "keygen - Win32 Release" && "$(CFG)" != "keygen - Win32 Debug"
+!MESSAGE Invalid configuration "$(CFG)" specified.
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "keygen.mak" CFG="keygen - Win32 Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "keygen - Win32 Release" (based on "Win32 (x86) Console Application")
+!MESSAGE "keygen - Win32 Debug" (based on "Win32 (x86) Console Application")
+!MESSAGE 
+!ERROR An invalid configuration is specified.
+!ENDIF 
+
+!IF "$(OS)" == "Windows_NT"
+NULL=
+!ELSE 
+NULL=nul
+!ENDIF 
+
+!IF  "$(CFG)" == "keygen - Win32 Release"
+
+OUTDIR=.\Release
+INTDIR=.\Release
+
+ALL : "..\..\..\Build\Release\dnssec-keygen.exe"
+
+
+CLEAN :
+	-@erase "$(INTDIR)\dnssec-keygen.obj"
+	-@erase "$(INTDIR)\dnssectool.obj"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "..\..\..\Build\Release\dnssec-keygen.exe"
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP=cl.exe
+CPP_PROJ=/nologo /MT /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/dns/sec/dst/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\keygen.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+
+.c{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+RSC=rc.exe
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\keygen.bsc" 
+BSC32_SBRS= \
+	
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\dnssec-keygen.pdb" /machine:I386 /out:"../../../Build/Release/dnssec-keygen.exe" 
+LINK32_OBJS= \
+	"$(INTDIR)\dnssec-keygen.obj" \
+	"$(INTDIR)\dnssectool.obj"
+
+"..\..\..\Build\Release\dnssec-keygen.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+
+!ELSEIF  "$(CFG)" == "keygen - Win32 Debug"
+
+OUTDIR=.\Debug
+INTDIR=.\Debug
+# Begin Custom Macros
+OutDir=.\Debug
+# End Custom Macros
+
+ALL : "..\..\..\Build\Debug\dnssec-keygen.exe" "$(OUTDIR)\keygen.bsc"
+
+
+CLEAN :
+	-@erase "$(INTDIR)\dnssec-keygen.obj"
+	-@erase "$(INTDIR)\dnssec-keygen.sbr"
+	-@erase "$(INTDIR)\dnssectool.obj"
+	-@erase "$(INTDIR)\dnssectool.sbr"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "$(INTDIR)\vc60.pdb"
+	-@erase "$(OUTDIR)\dnssec-keygen.pdb"
+	-@erase "$(OUTDIR)\keygen.bsc"
+	-@erase "..\..\..\Build\Debug\dnssec-keygen.exe"
+	-@erase "..\..\..\Build\Debug\dnssec-keygen.ilk"
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP=cl.exe
+CPP_PROJ=/nologo /MTd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/dns/sec/dst/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+
+.c{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+RSC=rc.exe
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\keygen.bsc" 
+BSC32_SBRS= \
+	"$(INTDIR)\dnssec-keygen.sbr" \
+	"$(INTDIR)\dnssectool.sbr"
+
+"$(OUTDIR)\keygen.bsc" : "$(OUTDIR)" $(BSC32_SBRS)
+    $(BSC32) @<<
+  $(BSC32_FLAGS) $(BSC32_SBRS)
+<<
+
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\dnssec-keygen.pdb" /debug /machine:I386 /out:"../../../Build/Debug/dnssec-keygen.exe" /pdbtype:sept 
+LINK32_OBJS= \
+	"$(INTDIR)\dnssec-keygen.obj" \
+	"$(INTDIR)\dnssectool.obj"
+
+"..\..\..\Build\Debug\dnssec-keygen.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+
+!ENDIF 
+
+
+!IF "$(NO_EXTERNAL_DEPS)" != "1"
+!IF EXISTS("keygen.dep")
+!INCLUDE "keygen.dep"
+!ELSE 
+!MESSAGE Warning: cannot find "keygen.dep"
+!ENDIF 
+!ENDIF 
+
+
+!IF "$(CFG)" == "keygen - Win32 Release" || "$(CFG)" == "keygen - Win32 Debug"
+SOURCE="..\dnssec-keygen.c"
+
+!IF  "$(CFG)" == "keygen - Win32 Release"
+
+
+"$(INTDIR)\dnssec-keygen.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "keygen - Win32 Debug"
+
+
+"$(INTDIR)\dnssec-keygen.obj"	"$(INTDIR)\dnssec-keygen.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\dnssectool.c
+
+!IF  "$(CFG)" == "keygen - Win32 Release"
+
+
+"$(INTDIR)\dnssectool.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "keygen - Win32 Debug"
+
+
+"$(INTDIR)\dnssectool.obj"	"$(INTDIR)\dnssectool.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+
+!ENDIF 
+
diff --git a/bin/dnssec/win32/makekeyset.dsp b/bin/dnssec/win32/makekeyset.dsp
index 59d37994..718db781 100644
--- a/bin/dnssec/win32/makekeyset.dsp
+++ b/bin/dnssec/win32/makekeyset.dsp
@@ -1,103 +1,107 @@
-# Microsoft Developer Studio Project File - Name="makekeyset" - Package Owner=<4>

-# Microsoft Developer Studio Generated Build File, Format Version 6.00

-# ** DO NOT EDIT **

-

-# TARGTYPE "Win32 (x86) Console Application" 0x0103

-

-CFG=makekeyset - Win32 Debug

-!MESSAGE This is not a valid makefile. To build this project using NMAKE,

-!MESSAGE use the Export Makefile command and run

-!MESSAGE 

-!MESSAGE NMAKE /f "makekeyset.mak".

-!MESSAGE 

-!MESSAGE You can specify a configuration when running NMAKE

-!MESSAGE by defining the macro CFG on the command line. For example:

-!MESSAGE 

-!MESSAGE NMAKE /f "makekeyset.mak" CFG="makekeyset - Win32 Debug"

-!MESSAGE 

-!MESSAGE Possible choices for configuration are:

-!MESSAGE 

-!MESSAGE "makekeyset - Win32 Release" (based on "Win32 (x86) Console Application")

-!MESSAGE "makekeyset - Win32 Debug" (based on "Win32 (x86) Console Application")

-!MESSAGE 

-

-# Begin Project

-# PROP AllowPerConfigDependencies 0

-# PROP Scc_ProjName ""

-# PROP Scc_LocalPath ""

-CPP=cl.exe

-RSC=rc.exe

-

-!IF  "$(CFG)" == "makekeyset - Win32 Release"

-

-# PROP BASE Use_MFC 0

-# PROP BASE Use_Debug_Libraries 0

-# PROP BASE Output_Dir "Release"

-# PROP BASE Intermediate_Dir "Release"

-# PROP BASE Target_Dir ""

-# PROP Use_MFC 0

-# PROP Use_Debug_Libraries 0

-# PROP Output_Dir "Release"

-# PROP Intermediate_Dir "Release"

-# PROP Ignore_Export_Lib 0

-# PROP Target_Dir ""

-# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c

-# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /YX /FD /c

-# ADD BASE RSC /l 0x409 /d "NDEBUG"

-# ADD RSC /l 0x409 /d "NDEBUG"

-BSC32=bscmake.exe

-# ADD BASE BSC32 /nologo

-# ADD BSC32 /nologo

-LINK32=link.exe

-# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386

-# ADD LINK32 user32.lib advapi32.lib Release/dnssectool.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/dnssec-makekeyset.exe"

-

-!ELSEIF  "$(CFG)" == "makekeyset - Win32 Debug"

-

-# PROP BASE Use_MFC 0

-# PROP BASE Use_Debug_Libraries 1

-# PROP BASE Output_Dir "Debug"

-# PROP BASE Intermediate_Dir "Debug"

-# PROP BASE Target_Dir ""

-# PROP Use_MFC 0

-# PROP Use_Debug_Libraries 1

-# PROP Output_Dir "Debug"

-# PROP Intermediate_Dir "Debug"

-# PROP Ignore_Export_Lib 0

-# PROP Target_Dir ""

-# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c

-# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c

-# SUBTRACT CPP /X /YX

-# ADD BASE RSC /l 0x409 /d "_DEBUG"

-# ADD RSC /l 0x409 /d "_DEBUG"

-BSC32=bscmake.exe

-# ADD BASE BSC32 /nologo

-# ADD BSC32 /nologo

-LINK32=link.exe

-# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept

-# ADD LINK32 user32.lib advapi32.lib Debug/dnssectool.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/dnssec-makekeyset.exe" /pdbtype:sept

-

-!ENDIF 

-

-# Begin Target

-

-# Name "makekeyset - Win32 Release"

-# Name "makekeyset - Win32 Debug"

-# Begin Group "Source Files"

-

-# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"

-# Begin Source File

-

-SOURCE="..\dnssec-makekeyset.c"

-# End Source File

-# End Group

-# Begin Group "Header Files"

-

-# PROP Default_Filter "h;hpp;hxx;hm;inl"

-# End Group

-# Begin Group "Resource Files"

-

-# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"

-# End Group

-# End Target

-# End Project

+# Microsoft Developer Studio Project File - Name="makekeyset" - Package Owner=<4>
+# Microsoft Developer Studio Generated Build File, Format Version 6.00
+# ** DO NOT EDIT **
+
+# TARGTYPE "Win32 (x86) Console Application" 0x0103
+
+CFG=makekeyset - Win32 Debug
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,
+!MESSAGE use the Export Makefile command and run
+!MESSAGE 
+!MESSAGE NMAKE /f "makekeyset.mak".
+!MESSAGE 
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "makekeyset.mak" CFG="makekeyset - Win32 Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "makekeyset - Win32 Release" (based on "Win32 (x86) Console Application")
+!MESSAGE "makekeyset - Win32 Debug" (based on "Win32 (x86) Console Application")
+!MESSAGE 
+
+# Begin Project
+# PROP AllowPerConfigDependencies 0
+# PROP Scc_ProjName ""
+# PROP Scc_LocalPath ""
+CPP=cl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "makekeyset - Win32 Release"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 0
+# PROP BASE Output_Dir "Release"
+# PROP BASE Intermediate_Dir "Release"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 0
+# PROP Output_Dir "Release"
+# PROP Intermediate_Dir "Release"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
+# ADD CPP /nologo /MT /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/dns/sec/dst/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
+# ADD BASE RSC /l 0x409 /d "NDEBUG"
+# ADD RSC /l 0x409 /d "NDEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
+# ADD LINK32 user32.lib advapi32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/dnssec-makekeyset.exe"
+
+!ELSEIF  "$(CFG)" == "makekeyset - Win32 Debug"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 1
+# PROP BASE Output_Dir "Debug"
+# PROP BASE Intermediate_Dir "Debug"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 1
+# PROP Output_Dir "Debug"
+# PROP Intermediate_Dir "Debug"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c
+# ADD CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/dns/sec/dst/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
+# SUBTRACT CPP /X /YX
+# ADD BASE RSC /l 0x409 /d "_DEBUG"
+# ADD RSC /l 0x409 /d "_DEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
+# ADD LINK32 user32.lib advapi32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/dnssec-makekeyset.exe" /pdbtype:sept
+
+!ENDIF 
+
+# Begin Target
+
+# Name "makekeyset - Win32 Release"
+# Name "makekeyset - Win32 Debug"
+# Begin Group "Source Files"
+
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
+# Begin Source File
+
+SOURCE="..\dnssec-makekeyset.c"
+# End Source File
+# Begin Source File
+
+SOURCE=..\dnssectool.c
+# End Source File
+# End Group
+# Begin Group "Header Files"
+
+# PROP Default_Filter "h;hpp;hxx;hm;inl"
+# End Group
+# Begin Group "Resource Files"
+
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"
+# End Group
+# End Target
+# End Project
diff --git a/bin/dnssec/win32/makekeyset.dsw b/bin/dnssec/win32/makekeyset.dsw
index b534b9b8..c829ce00 100644
--- a/bin/dnssec/win32/makekeyset.dsw
+++ b/bin/dnssec/win32/makekeyset.dsw
@@ -1,29 +1,29 @@
-Microsoft Developer Studio Workspace File, Format Version 6.00

-# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!

-

-###############################################################################

-

-Project: "makekeyset"=".\makekeyset.dsp" - Package Owner=<4>

-

-Package=<5>

-{{{

-}}}

-

-Package=<4>

-{{{

-}}}

-

-###############################################################################

-

-Global:

-

-Package=<5>

-{{{

-}}}

-

-Package=<3>

-{{{

-}}}

-

-###############################################################################

-

+Microsoft Developer Studio Workspace File, Format Version 6.00
+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!
+
+###############################################################################
+
+Project: "makekeyset"=".\makekeyset.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+}}}
+
+###############################################################################
+
+Global:
+
+Package=<5>
+{{{
+}}}
+
+Package=<3>
+{{{
+}}}
+
+###############################################################################
+
diff --git a/bin/dnssec/win32/makekeyset.mak b/bin/dnssec/win32/makekeyset.mak
index 6b387fb1..c73753ce 100644
--- a/bin/dnssec/win32/makekeyset.mak
+++ b/bin/dnssec/win32/makekeyset.mak
@@ -1,343 +1,227 @@
-# Microsoft Developer Studio Generated NMAKE File, Based on makekeyset.dsp

-!IF "$(CFG)" == ""

-CFG=makekeyset - Win32 Debug

-!MESSAGE No configuration specified. Defaulting to makekeyset - Win32 Debug.

-!ENDIF 

-

-!IF "$(CFG)" != "makekeyset - Win32 Release" && "$(CFG)" != "makekeyset - Win32 Debug"

-!MESSAGE Invalid configuration "$(CFG)" specified.

-!MESSAGE You can specify a configuration when running NMAKE

-!MESSAGE by defining the macro CFG on the command line. For example:

-!MESSAGE 

-!MESSAGE NMAKE /f "makekeyset.mak" CFG="makekeyset - Win32 Debug"

-!MESSAGE 

-!MESSAGE Possible choices for configuration are:

-!MESSAGE 

-!MESSAGE "makekeyset - Win32 Release" (based on "Win32 (x86) Console Application")

-!MESSAGE "makekeyset - Win32 Debug" (based on "Win32 (x86) Console Application")

-!MESSAGE 

-!ERROR An invalid configuration is specified.

-!ENDIF 

-

-!IF "$(OS)" == "Windows_NT"

-NULL=

-!ELSE 

-NULL=nul

-!ENDIF 

-

-!IF  "$(CFG)" == "makekeyset - Win32 Release"

-_VC_MANIFEST_INC=0

-_VC_MANIFEST_BASENAME=__VC80

-!ELSE

-_VC_MANIFEST_INC=1

-_VC_MANIFEST_BASENAME=__VC80.Debug

-!ENDIF

-

-####################################################

-# Specifying name of temporary resource file used only in incremental builds:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res

-!else

-_VC_MANIFEST_AUTO_RES=

-!endif

-

-####################################################

-# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-

-#MT_SPECIAL_RETURN=1090650113

-#MT_SPECIAL_SWITCH=-notify_resource_update

-MT_SPECIAL_RETURN=0

-MT_SPECIAL_SWITCH=

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \

-if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \

-rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \

-link $** /out:$@ $(LFLAGS)

-

-!else

-

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1

-

-!endif

-

-####################################################

-# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-

-#MT_SPECIAL_RETURN=1090650113

-#MT_SPECIAL_SWITCH=-notify_resource_update

-MT_SPECIAL_RETURN=0

-MT_SPECIAL_SWITCH=

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \

-if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \

-rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \

-link $** /out:$@ $(LFLAGS)

-

-!else

-

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2

-

-!endif

-####################################################

-# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-

-_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \

-    $(_VC_MANIFEST_BASENAME).auto.rc \

-    $(_VC_MANIFEST_BASENAME).auto.manifest

-

-!else

-

-_VC_MANIFEST_CLEAN=

-

-!endif

-

-!IF  "$(CFG)" == "makekeyset - Win32 Release"

-

-OUTDIR=.\Release

-INTDIR=.\Release

-

-ALL : "..\..\..\Build\Release\dnssec-makekeyset.exe"

-

-

-CLEAN :

-	-@erase "$(INTDIR)\dnssec-makekeyset.obj"

-	-@erase "$(INTDIR)\dnssectool.obj"

-	-@erase "$(INTDIR)\vc60.idb"

-	-@erase "..\..\..\Build\Release\dnssec-makekeyset.exe"

-	-@$(_VC_MANIFEST_CLEAN)

-

-"$(OUTDIR)" :

-    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"

-

-CPP=cl.exe

-CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\makekeyset.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 

-

-.c{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.c{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-RSC=rc.exe

-BSC32=bscmake.exe

-BSC32_FLAGS=/nologo /o"$(OUTDIR)\makekeyset.bsc" 

-BSC32_SBRS= \

-	

-LINK32=link.exe

-LINK32_FLAGS=user32.lib advapi32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\dnssec-makekeyset.pdb" /machine:I386 /out:"../../../Build/Release/dnssec-makekeyset.exe" 

-LINK32_OBJS= \

-	"$(INTDIR)\dnssec-makekeyset.obj" \

-	"$(INTDIR)\dnssectool.obj"

-

-"..\..\..\Build\Release\dnssec-makekeyset.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)

-    $(LINK32) @<<

-  $(LINK32_FLAGS) $(LINK32_OBJS)

-<<

-  $(_VC_MANIFEST_EMBED_EXE)

-

-!ELSEIF  "$(CFG)" == "makekeyset - Win32 Debug"

-

-OUTDIR=.\Debug

-INTDIR=.\Debug

-# Begin Custom Macros

-OutDir=.\Debug

-# End Custom Macros

-

-ALL : "..\..\..\Build\Debug\dnssec-makekeyset.exe" "$(OUTDIR)\makekeyset.bsc"

-

-

-CLEAN :

-	-@erase "$(INTDIR)\dnssec-makekeyset.obj"

-	-@erase "$(INTDIR)\dnssec-makekeyset.sbr"

-	-@erase "$(INTDIR)\dnssectool.obj"

-	-@erase "$(INTDIR)\dnssectool.sbr"

-	-@erase "$(INTDIR)\vc60.idb"

-	-@erase "$(INTDIR)\vc60.pdb"

-	-@erase "$(OUTDIR)\dnssec-makekeyset.pdb"

-	-@erase "$(OUTDIR)\makekeyset.bsc"

-	-@erase "..\..\..\Build\Debug\dnssec-makekeyset.exe"

-	-@erase "..\..\..\Build\Debug\dnssec-makekeyset.ilk"

-	-@$(_VC_MANIFEST_CLEAN)

-

-"$(OUTDIR)" :

-    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"

-

-CPP=cl.exe

-CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 

-

-.c{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.c{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-RSC=rc.exe

-BSC32=bscmake.exe

-BSC32_FLAGS=/nologo /o"$(OUTDIR)\makekeyset.bsc" 

-BSC32_SBRS= \

-	"$(INTDIR)\dnssec-makekeyset.sbr" \

-	"$(INTDIR)\dnssectool.sbr"

-

-"$(OUTDIR)\makekeyset.bsc" : "$(OUTDIR)" $(BSC32_SBRS)

-    $(BSC32) @<<

-  $(BSC32_FLAGS) $(BSC32_SBRS)

-<<

-

-LINK32=link.exe

-LINK32_FLAGS=user32.lib advapi32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\dnssec-makekeyset.pdb" /debug /machine:I386 /out:"../../../Build/Debug/dnssec-makekeyset.exe" /pdbtype:sept 

-LINK32_OBJS= \

-	"$(INTDIR)\dnssec-makekeyset.obj" \

-	"$(INTDIR)\dnssectool.obj"

-

-"..\..\..\Build\Debug\dnssec-makekeyset.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)

-    $(LINK32) @<<

-  $(LINK32_FLAGS) $(LINK32_OBJS)

-<<

-  $(_VC_MANIFEST_EMBED_EXE)

-

-!ENDIF 

-

-

-!IF "$(NO_EXTERNAL_DEPS)" != "1"

-!IF EXISTS("makekeyset.dep")

-!INCLUDE "makekeyset.dep"

-!ELSE 

-!MESSAGE Warning: cannot find "makekeyset.dep"

-!ENDIF 

-!ENDIF 

-

-

-!IF "$(CFG)" == "makekeyset - Win32 Release" || "$(CFG)" == "makekeyset - Win32 Debug"

-SOURCE="..\dnssec-makekeyset.c"

-

-!IF  "$(CFG)" == "makekeyset - Win32 Release"

-

-

-"$(INTDIR)\dnssec-makekeyset.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "makekeyset - Win32 Debug"

-

-

-"$(INTDIR)\dnssec-makekeyset.obj"	"$(INTDIR)\dnssec-makekeyset.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\dnssectool.c

-

-!IF  "$(CFG)" == "makekeyset - Win32 Release"

-

-

-"$(INTDIR)\dnssectool.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "makekeyset - Win32 Debug"

-

-

-"$(INTDIR)\dnssectool.obj"	"$(INTDIR)\dnssectool.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-

-!ENDIF 

-

-####################################################

-# Commands to generate initial empty manifest file and the RC file

-# that references it, and for generating the .res file:

-

-$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc

-

-$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest

-    type <<$@

-#include <winuser.h>

-1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"

-<< KEEP

-

-$(_VC_MANIFEST_BASENAME).auto.manifest :

-    type <<$@

-<?xml version='1.0' encoding='UTF-8' standalone='yes'?>

-<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>

-</assembly>

-<< KEEP

-####################################################

-# Commands to generate initial empty manifest file and the RC file

-# that references it, and for generating the .res file:

-

-$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc

-

-$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest

-    type <<$@

-#include <winuser.h>

-1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"

-<< KEEP

-

-$(_VC_MANIFEST_BASENAME).auto.manifest :

-    type <<$@

-<?xml version='1.0' encoding='UTF-8' standalone='yes'?>

-<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>

-</assembly>

-<< KEEP

-

+# Microsoft Developer Studio Generated NMAKE File, Based on makekeyset.dsp
+!IF "$(CFG)" == ""
+CFG=makekeyset - Win32 Debug
+!MESSAGE No configuration specified. Defaulting to makekeyset - Win32 Debug.
+!ENDIF 
+
+!IF "$(CFG)" != "makekeyset - Win32 Release" && "$(CFG)" != "makekeyset - Win32 Debug"
+!MESSAGE Invalid configuration "$(CFG)" specified.
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "makekeyset.mak" CFG="makekeyset - Win32 Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "makekeyset - Win32 Release" (based on "Win32 (x86) Console Application")
+!MESSAGE "makekeyset - Win32 Debug" (based on "Win32 (x86) Console Application")
+!MESSAGE 
+!ERROR An invalid configuration is specified.
+!ENDIF 
+
+!IF "$(OS)" == "Windows_NT"
+NULL=
+!ELSE 
+NULL=nul
+!ENDIF 
+
+!IF  "$(CFG)" == "makekeyset - Win32 Release"
+
+OUTDIR=.\Release
+INTDIR=.\Release
+
+ALL : "..\..\..\Build\Release\dnssec-makekeyset.exe"
+
+
+CLEAN :
+	-@erase "$(INTDIR)\dnssec-makekeyset.obj"
+	-@erase "$(INTDIR)\dnssectool.obj"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "..\..\..\Build\Release\dnssec-makekeyset.exe"
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP=cl.exe
+CPP_PROJ=/nologo /MT /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/dns/sec/dst/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\makekeyset.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+
+.c{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+RSC=rc.exe
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\makekeyset.bsc" 
+BSC32_SBRS= \
+	
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\dnssec-makekeyset.pdb" /machine:I386 /out:"../../../Build/Release/dnssec-makekeyset.exe" 
+LINK32_OBJS= \
+	"$(INTDIR)\dnssec-makekeyset.obj" \
+	"$(INTDIR)\dnssectool.obj"
+
+"..\..\..\Build\Release\dnssec-makekeyset.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+
+!ELSEIF  "$(CFG)" == "makekeyset - Win32 Debug"
+
+OUTDIR=.\Debug
+INTDIR=.\Debug
+# Begin Custom Macros
+OutDir=.\Debug
+# End Custom Macros
+
+ALL : "..\..\..\Build\Debug\dnssec-makekeyset.exe" "$(OUTDIR)\makekeyset.bsc"
+
+
+CLEAN :
+	-@erase "$(INTDIR)\dnssec-makekeyset.obj"
+	-@erase "$(INTDIR)\dnssec-makekeyset.sbr"
+	-@erase "$(INTDIR)\dnssectool.obj"
+	-@erase "$(INTDIR)\dnssectool.sbr"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "$(INTDIR)\vc60.pdb"
+	-@erase "$(OUTDIR)\dnssec-makekeyset.pdb"
+	-@erase "$(OUTDIR)\makekeyset.bsc"
+	-@erase "..\..\..\Build\Debug\dnssec-makekeyset.exe"
+	-@erase "..\..\..\Build\Debug\dnssec-makekeyset.ilk"
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP=cl.exe
+CPP_PROJ=/nologo /MTd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/dns/sec/dst/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+
+.c{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+RSC=rc.exe
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\makekeyset.bsc" 
+BSC32_SBRS= \
+	"$(INTDIR)\dnssec-makekeyset.sbr" \
+	"$(INTDIR)\dnssectool.sbr"
+
+"$(OUTDIR)\makekeyset.bsc" : "$(OUTDIR)" $(BSC32_SBRS)
+    $(BSC32) @<<
+  $(BSC32_FLAGS) $(BSC32_SBRS)
+<<
+
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\dnssec-makekeyset.pdb" /debug /machine:I386 /out:"../../../Build/Debug/dnssec-makekeyset.exe" /pdbtype:sept 
+LINK32_OBJS= \
+	"$(INTDIR)\dnssec-makekeyset.obj" \
+	"$(INTDIR)\dnssectool.obj"
+
+"..\..\..\Build\Debug\dnssec-makekeyset.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+
+!ENDIF 
+
+
+!IF "$(NO_EXTERNAL_DEPS)" != "1"
+!IF EXISTS("makekeyset.dep")
+!INCLUDE "makekeyset.dep"
+!ELSE 
+!MESSAGE Warning: cannot find "makekeyset.dep"
+!ENDIF 
+!ENDIF 
+
+
+!IF "$(CFG)" == "makekeyset - Win32 Release" || "$(CFG)" == "makekeyset - Win32 Debug"
+SOURCE="..\dnssec-makekeyset.c"
+
+!IF  "$(CFG)" == "makekeyset - Win32 Release"
+
+
+"$(INTDIR)\dnssec-makekeyset.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "makekeyset - Win32 Debug"
+
+
+"$(INTDIR)\dnssec-makekeyset.obj"	"$(INTDIR)\dnssec-makekeyset.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\dnssectool.c
+
+!IF  "$(CFG)" == "makekeyset - Win32 Release"
+
+
+"$(INTDIR)\dnssectool.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "makekeyset - Win32 Debug"
+
+
+"$(INTDIR)\dnssectool.obj"	"$(INTDIR)\dnssectool.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+
+!ENDIF 
+
diff --git a/bin/dnssec/win32/nsupdate.dsp b/bin/dnssec/win32/nsupdate.dsp
index f8fde836..fc16c018 100644
--- a/bin/dnssec/win32/nsupdate.dsp
+++ b/bin/dnssec/win32/nsupdate.dsp
@@ -1,103 +1,103 @@
-# Microsoft Developer Studio Project File - Name="nsupdate" - Package Owner=<4>

-# Microsoft Developer Studio Generated Build File, Format Version 6.00

-# ** DO NOT EDIT **

-

-# TARGTYPE "Win32 (x86) Console Application" 0x0103

-

-CFG=nsupdate - Win32 Debug

-!MESSAGE This is not a valid makefile. To build this project using NMAKE,

-!MESSAGE use the Export Makefile command and run

-!MESSAGE 

-!MESSAGE NMAKE /f "nsupdate.mak".

-!MESSAGE 

-!MESSAGE You can specify a configuration when running NMAKE

-!MESSAGE by defining the macro CFG on the command line. For example:

-!MESSAGE 

-!MESSAGE NMAKE /f "nsupdate.mak" CFG="nsupdate - Win32 Debug"

-!MESSAGE 

-!MESSAGE Possible choices for configuration are:

-!MESSAGE 

-!MESSAGE "nsupdate - Win32 Release" (based on "Win32 (x86) Console Application")

-!MESSAGE "nsupdate - Win32 Debug" (based on "Win32 (x86) Console Application")

-!MESSAGE 

-

-# Begin Project

-# PROP AllowPerConfigDependencies 0

-# PROP Scc_ProjName ""

-# PROP Scc_LocalPath ""

-CPP=cl.exe

-RSC=rc.exe

-

-!IF  "$(CFG)" == "nsupdate - Win32 Release"

-

-# PROP BASE Use_MFC 0

-# PROP BASE Use_Debug_Libraries 0

-# PROP BASE Output_Dir "Release"

-# PROP BASE Intermediate_Dir "Release"

-# PROP BASE Target_Dir ""

-# PROP Use_MFC 0

-# PROP Use_Debug_Libraries 0

-# PROP Output_Dir "Release"

-# PROP Intermediate_Dir "Release"

-# PROP Ignore_Export_Lib 0

-# PROP Target_Dir ""

-# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c

-# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/lwres/win32/include/lwres" /I "../../../lib/dns/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c

-# ADD BASE RSC /l 0x409 /d "NDEBUG"

-# ADD RSC /l 0x409 /d "NDEBUG"

-BSC32=bscmake.exe

-# ADD BASE BSC32 /nologo

-# ADD BSC32 /nologo

-LINK32=link.exe

-# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386

-# ADD LINK32 ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/lwres/win32/Release/liblwres.lib user32.lib advapi32.lib ws2_32.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/nsupdate.exe"

-

-!ELSEIF  "$(CFG)" == "nsupdate - Win32 Debug"

-

-# PROP BASE Use_MFC 0

-# PROP BASE Use_Debug_Libraries 1

-# PROP BASE Output_Dir "Debug"

-# PROP BASE Intermediate_Dir "Debug"

-# PROP BASE Target_Dir ""

-# PROP Use_MFC 0

-# PROP Use_Debug_Libraries 1

-# PROP Output_Dir "Debug"

-# PROP Intermediate_Dir "Debug"

-# PROP Ignore_Export_Lib 0

-# PROP Target_Dir ""

-# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c

-# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/lwres/win32/include/lwres" /I "../../../lib/dns/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c

-# SUBTRACT CPP /X /u /YX

-# ADD BASE RSC /l 0x409 /d "_DEBUG"

-# ADD RSC /l 0x409 /d "_DEBUG"

-BSC32=bscmake.exe

-# ADD BASE BSC32 /nologo

-# ADD BSC32 /nologo

-LINK32=link.exe

-# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept

-# ADD LINK32 ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/lwres/win32/Debug/liblwres.lib user32.lib advapi32.lib ws2_32.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/nsupdate.exe" /pdbtype:sept

-

-!ENDIF 

-

-# Begin Target

-

-# Name "nsupdate - Win32 Release"

-# Name "nsupdate - Win32 Debug"

-# Begin Group "Source Files"

-

-# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"

-# Begin Source File

-

-SOURCE=..\nsupdate.c

-# End Source File

-# End Group

-# Begin Group "Header Files"

-

-# PROP Default_Filter "h;hpp;hxx;hm;inl"

-# End Group

-# Begin Group "Resource Files"

-

-# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"

-# End Group

-# End Target

-# End Project

+# Microsoft Developer Studio Project File - Name="nsupdate" - Package Owner=<4>
+# Microsoft Developer Studio Generated Build File, Format Version 6.00
+# ** DO NOT EDIT **
+
+# TARGTYPE "Win32 (x86) Console Application" 0x0103
+
+CFG=nsupdate - Win32 Debug
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,
+!MESSAGE use the Export Makefile command and run
+!MESSAGE 
+!MESSAGE NMAKE /f "nsupdate.mak".
+!MESSAGE 
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "nsupdate.mak" CFG="nsupdate - Win32 Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "nsupdate - Win32 Release" (based on "Win32 (x86) Console Application")
+!MESSAGE "nsupdate - Win32 Debug" (based on "Win32 (x86) Console Application")
+!MESSAGE 
+
+# Begin Project
+# PROP AllowPerConfigDependencies 0
+# PROP Scc_ProjName ""
+# PROP Scc_LocalPath ""
+CPP=cl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "nsupdate - Win32 Release"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 0
+# PROP BASE Output_Dir "Release"
+# PROP BASE Intermediate_Dir "Release"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 0
+# PROP Output_Dir "Release"
+# PROP Intermediate_Dir "Release"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
+# ADD CPP /nologo /MT /W3 /GX /O2 /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/lwres/win32/include/lwres" /I "../../../lib/dns/include" /I "../../../lib/dns/sec/dst/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
+# ADD BASE RSC /l 0x409 /d "NDEBUG"
+# ADD RSC /l 0x409 /d "NDEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
+# ADD LINK32 ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/lwres/win32/Release/liblwres.lib user32.lib advapi32.lib ws2_32.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/nsupdate.exe"
+
+!ELSEIF  "$(CFG)" == "nsupdate - Win32 Debug"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 1
+# PROP BASE Output_Dir "Debug"
+# PROP BASE Intermediate_Dir "Debug"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 1
+# PROP Output_Dir "Debug"
+# PROP Intermediate_Dir "Debug"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c
+# ADD CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/lwres/win32/include/lwres" /I "../../../lib/dns/include" /I "../../../lib/dns/sec/dst/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
+# SUBTRACT CPP /X /u /YX
+# ADD BASE RSC /l 0x409 /d "_DEBUG"
+# ADD RSC /l 0x409 /d "_DEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
+# ADD LINK32 ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/lwres/win32/Debug/liblwres.lib user32.lib advapi32.lib ws2_32.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/nsupdate.exe" /pdbtype:sept
+
+!ENDIF 
+
+# Begin Target
+
+# Name "nsupdate - Win32 Release"
+# Name "nsupdate - Win32 Debug"
+# Begin Group "Source Files"
+
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
+# Begin Source File
+
+SOURCE=..\nsupdate.c
+# End Source File
+# End Group
+# Begin Group "Header Files"
+
+# PROP Default_Filter "h;hpp;hxx;hm;inl"
+# End Group
+# Begin Group "Resource Files"
+
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"
+# End Group
+# End Target
+# End Project
diff --git a/bin/dnssec/win32/nsupdate.dsw b/bin/dnssec/win32/nsupdate.dsw
index 5f0ac362..e3b77722 100644
--- a/bin/dnssec/win32/nsupdate.dsw
+++ b/bin/dnssec/win32/nsupdate.dsw
@@ -1,29 +1,29 @@
-Microsoft Developer Studio Workspace File, Format Version 6.00

-# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!

-

-###############################################################################

-

-Project: "nsupdate"=".\nsupdate.dsp" - Package Owner=<4>

-

-Package=<5>

-{{{

-}}}

-

-Package=<4>

-{{{

-}}}

-

-###############################################################################

-

-Global:

-

-Package=<5>

-{{{

-}}}

-

-Package=<3>

-{{{

-}}}

-

-###############################################################################

-

+Microsoft Developer Studio Workspace File, Format Version 6.00
+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!
+
+###############################################################################
+
+Project: "nsupdate"=".\nsupdate.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+}}}
+
+###############################################################################
+
+Global:
+
+Package=<5>
+{{{
+}}}
+
+Package=<3>
+{{{
+}}}
+
+###############################################################################
+
diff --git a/bin/dnssec/win32/signkey.dsp b/bin/dnssec/win32/signkey.dsp
index 3e065688..411fb6ac 100644
--- a/bin/dnssec/win32/signkey.dsp
+++ b/bin/dnssec/win32/signkey.dsp
@@ -1,103 +1,107 @@
-# Microsoft Developer Studio Project File - Name="signkey" - Package Owner=<4>

-# Microsoft Developer Studio Generated Build File, Format Version 6.00

-# ** DO NOT EDIT **

-

-# TARGTYPE "Win32 (x86) Console Application" 0x0103

-

-CFG=signkey - Win32 Debug

-!MESSAGE This is not a valid makefile. To build this project using NMAKE,

-!MESSAGE use the Export Makefile command and run

-!MESSAGE 

-!MESSAGE NMAKE /f "signkey.mak".

-!MESSAGE 

-!MESSAGE You can specify a configuration when running NMAKE

-!MESSAGE by defining the macro CFG on the command line. For example:

-!MESSAGE 

-!MESSAGE NMAKE /f "signkey.mak" CFG="signkey - Win32 Debug"

-!MESSAGE 

-!MESSAGE Possible choices for configuration are:

-!MESSAGE 

-!MESSAGE "signkey - Win32 Release" (based on "Win32 (x86) Console Application")

-!MESSAGE "signkey - Win32 Debug" (based on "Win32 (x86) Console Application")

-!MESSAGE 

-

-# Begin Project

-# PROP AllowPerConfigDependencies 0

-# PROP Scc_ProjName ""

-# PROP Scc_LocalPath ""

-CPP=cl.exe

-RSC=rc.exe

-

-!IF  "$(CFG)" == "signkey - Win32 Release"

-

-# PROP BASE Use_MFC 0

-# PROP BASE Use_Debug_Libraries 0

-# PROP BASE Output_Dir "Release"

-# PROP BASE Intermediate_Dir "Release"

-# PROP BASE Target_Dir ""

-# PROP Use_MFC 0

-# PROP Use_Debug_Libraries 0

-# PROP Output_Dir "Release"

-# PROP Intermediate_Dir "Release"

-# PROP Ignore_Export_Lib 0

-# PROP Target_Dir ""

-# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c

-# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /YX /FD /c

-# ADD BASE RSC /l 0x409 /d "NDEBUG"

-# ADD RSC /l 0x409 /d "NDEBUG"

-BSC32=bscmake.exe

-# ADD BASE BSC32 /nologo

-# ADD BSC32 /nologo

-LINK32=link.exe

-# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386

-# ADD LINK32 user32.lib advapi32.lib Release/dnssectool.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/dnssec-signkey.exe"

-

-!ELSEIF  "$(CFG)" == "signkey - Win32 Debug"

-

-# PROP BASE Use_MFC 0

-# PROP BASE Use_Debug_Libraries 1

-# PROP BASE Output_Dir "Debug"

-# PROP BASE Intermediate_Dir "Debug"

-# PROP BASE Target_Dir ""

-# PROP Use_MFC 0

-# PROP Use_Debug_Libraries 1

-# PROP Output_Dir "Debug"

-# PROP Intermediate_Dir "Debug"

-# PROP Ignore_Export_Lib 0

-# PROP Target_Dir ""

-# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c

-# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c

-# SUBTRACT CPP /X /YX

-# ADD BASE RSC /l 0x409 /d "_DEBUG"

-# ADD RSC /l 0x409 /d "_DEBUG"

-BSC32=bscmake.exe

-# ADD BASE BSC32 /nologo

-# ADD BSC32 /nologo

-LINK32=link.exe

-# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept

-# ADD LINK32 user32.lib advapi32.lib Debug/dnssectool.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/dnssec-signkey.exe" /pdbtype:sept

-

-!ENDIF 

-

-# Begin Target

-

-# Name "signkey - Win32 Release"

-# Name "signkey - Win32 Debug"

-# Begin Group "Source Files"

-

-# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"

-# Begin Source File

-

-SOURCE="..\dnssec-signkey.c"

-# End Source File

-# End Group

-# Begin Group "Header Files"

-

-# PROP Default_Filter "h;hpp;hxx;hm;inl"

-# End Group

-# Begin Group "Resource Files"

-

-# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"

-# End Group

-# End Target

-# End Project

+# Microsoft Developer Studio Project File - Name="signkey" - Package Owner=<4>
+# Microsoft Developer Studio Generated Build File, Format Version 6.00
+# ** DO NOT EDIT **
+
+# TARGTYPE "Win32 (x86) Console Application" 0x0103
+
+CFG=signkey - Win32 Debug
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,
+!MESSAGE use the Export Makefile command and run
+!MESSAGE 
+!MESSAGE NMAKE /f "signkey.mak".
+!MESSAGE 
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "signkey.mak" CFG="signkey - Win32 Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "signkey - Win32 Release" (based on "Win32 (x86) Console Application")
+!MESSAGE "signkey - Win32 Debug" (based on "Win32 (x86) Console Application")
+!MESSAGE 
+
+# Begin Project
+# PROP AllowPerConfigDependencies 0
+# PROP Scc_ProjName ""
+# PROP Scc_LocalPath ""
+CPP=cl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "signkey - Win32 Release"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 0
+# PROP BASE Output_Dir "Release"
+# PROP BASE Intermediate_Dir "Release"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 0
+# PROP Output_Dir "Release"
+# PROP Intermediate_Dir "Release"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
+# ADD CPP /nologo /MT /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/dns/sec/dst/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
+# ADD BASE RSC /l 0x409 /d "NDEBUG"
+# ADD RSC /l 0x409 /d "NDEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
+# ADD LINK32 user32.lib advapi32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/dnssec-signkey.exe"
+
+!ELSEIF  "$(CFG)" == "signkey - Win32 Debug"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 1
+# PROP BASE Output_Dir "Debug"
+# PROP BASE Intermediate_Dir "Debug"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 1
+# PROP Output_Dir "Debug"
+# PROP Intermediate_Dir "Debug"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c
+# ADD CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/dns/sec/dst/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
+# SUBTRACT CPP /X /YX
+# ADD BASE RSC /l 0x409 /d "_DEBUG"
+# ADD RSC /l 0x409 /d "_DEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
+# ADD LINK32 user32.lib advapi32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/dnssec-signkey.exe" /pdbtype:sept
+
+!ENDIF 
+
+# Begin Target
+
+# Name "signkey - Win32 Release"
+# Name "signkey - Win32 Debug"
+# Begin Group "Source Files"
+
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
+# Begin Source File
+
+SOURCE="..\dnssec-signkey.c"
+# End Source File
+# Begin Source File
+
+SOURCE=..\dnssectool.c
+# End Source File
+# End Group
+# Begin Group "Header Files"
+
+# PROP Default_Filter "h;hpp;hxx;hm;inl"
+# End Group
+# Begin Group "Resource Files"
+
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"
+# End Group
+# End Target
+# End Project
diff --git a/bin/dnssec/win32/signkey.dsw b/bin/dnssec/win32/signkey.dsw
index 15952b7e..b4a3fc8a 100644
--- a/bin/dnssec/win32/signkey.dsw
+++ b/bin/dnssec/win32/signkey.dsw
@@ -1,29 +1,29 @@
-Microsoft Developer Studio Workspace File, Format Version 6.00

-# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!

-

-###############################################################################

-

-Project: "signkey"=".\signkey.dsp" - Package Owner=<4>

-

-Package=<5>

-{{{

-}}}

-

-Package=<4>

-{{{

-}}}

-

-###############################################################################

-

-Global:

-

-Package=<5>

-{{{

-}}}

-

-Package=<3>

-{{{

-}}}

-

-###############################################################################

-

+Microsoft Developer Studio Workspace File, Format Version 6.00
+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!
+
+###############################################################################
+
+Project: "signkey"=".\signkey.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+}}}
+
+###############################################################################
+
+Global:
+
+Package=<5>
+{{{
+}}}
+
+Package=<3>
+{{{
+}}}
+
+###############################################################################
+
diff --git a/bin/dnssec/win32/signkey.mak b/bin/dnssec/win32/signkey.mak
index 2c82d3c9..02db29df 100644
--- a/bin/dnssec/win32/signkey.mak
+++ b/bin/dnssec/win32/signkey.mak
@@ -1,342 +1,227 @@
-# Microsoft Developer Studio Generated NMAKE File, Based on signkey.dsp

-!IF "$(CFG)" == ""

-CFG=signkey - Win32 Debug

-!MESSAGE No configuration specified. Defaulting to signkey - Win32 Debug.

-!ENDIF 

-

-!IF "$(CFG)" != "signkey - Win32 Release" && "$(CFG)" != "signkey - Win32 Debug"

-!MESSAGE Invalid configuration "$(CFG)" specified.

-!MESSAGE You can specify a configuration when running NMAKE

-!MESSAGE by defining the macro CFG on the command line. For example:

-!MESSAGE 

-!MESSAGE NMAKE /f "signkey.mak" CFG="signkey - Win32 Debug"

-!MESSAGE 

-!MESSAGE Possible choices for configuration are:

-!MESSAGE 

-!MESSAGE "signkey - Win32 Release" (based on "Win32 (x86) Console Application")

-!MESSAGE "signkey - Win32 Debug" (based on "Win32 (x86) Console Application")

-!MESSAGE 

-!ERROR An invalid configuration is specified.

-!ENDIF 

-

-!IF "$(OS)" == "Windows_NT"

-NULL=

-!ELSE 

-NULL=nul

-!ENDIF 

-

-!IF  "$(CFG)" == "signkey - Win32 Release"

-_VC_MANIFEST_INC=0

-_VC_MANIFEST_BASENAME=__VC80

-!ELSE

-_VC_MANIFEST_INC=1

-_VC_MANIFEST_BASENAME=__VC80.Debug

-!ENDIF

-

-####################################################

-# Specifying name of temporary resource file used only in incremental builds:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res

-!else

-_VC_MANIFEST_AUTO_RES=

-!endif

-

-####################################################

-# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-

-#MT_SPECIAL_RETURN=1090650113

-#MT_SPECIAL_SWITCH=-notify_resource_update

-MT_SPECIAL_RETURN=0

-MT_SPECIAL_SWITCH=

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \

-if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \

-rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \

-link $** /out:$@ $(LFLAGS)

-

-!else

-

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1

-

-!endif

-

-####################################################

-# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-

-#MT_SPECIAL_RETURN=1090650113

-#MT_SPECIAL_SWITCH=-notify_resource_update

-MT_SPECIAL_RETURN=0

-MT_SPECIAL_SWITCH=

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \

-if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \

-rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \

-link $** /out:$@ $(LFLAGS)

-

-!else

-

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2

-

-!endif

-####################################################

-# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-

-_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \

-    $(_VC_MANIFEST_BASENAME).auto.rc \

-    $(_VC_MANIFEST_BASENAME).auto.manifest

-

-!else

-

-_VC_MANIFEST_CLEAN=

-

-!endif

-

-!IF  "$(CFG)" == "signkey - Win32 Release"

-

-OUTDIR=.\Release

-INTDIR=.\Release

-

-ALL : "..\..\..\Build\Release\dnssec-signkey.exe"

-

-

-CLEAN :

-	-@erase "$(INTDIR)\dnssec-signkey.obj"

-	-@erase "$(INTDIR)\dnssectool.obj"

-	-@erase "$(INTDIR)\vc60.idb"

-	-@erase "..\..\..\Build\Release\dnssec-signkey.exe"

-	-@$(_VC_MANIFEST_CLEAN)

-

-"$(OUTDIR)" :

-    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"

-

-CPP=cl.exe

-CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\signkey.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 

-

-.c{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.c{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-RSC=rc.exe

-BSC32=bscmake.exe

-BSC32_FLAGS=/nologo /o"$(OUTDIR)\signkey.bsc" 

-BSC32_SBRS= \

-	

-LINK32=link.exe

-LINK32_FLAGS=user32.lib advapi32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\dnssec-signkey.pdb" /machine:I386 /out:"../../../Build/Release/dnssec-signkey.exe" 

-LINK32_OBJS= \

-	"$(INTDIR)\dnssec-signkey.obj" \

-	"$(INTDIR)\dnssectool.obj"

-

-"..\..\..\Build\Release\dnssec-signkey.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)

-    $(LINK32) @<<

-  $(LINK32_FLAGS) $(LINK32_OBJS)

-<<

-  $(_VC_MANIFEST_EMBED_EXE)

-

-!ELSEIF  "$(CFG)" == "signkey - Win32 Debug"

-

-OUTDIR=.\Debug

-INTDIR=.\Debug

-# Begin Custom Macros

-OutDir=.\Debug

-# End Custom Macros

-

-ALL : "..\..\..\Build\Debug\dnssec-signkey.exe" "$(OUTDIR)\signkey.bsc"

-

-

-CLEAN :

-	-@erase "$(INTDIR)\dnssec-signkey.obj"

-	-@erase "$(INTDIR)\dnssec-signkey.sbr"

-	-@erase "$(INTDIR)\dnssectool.obj"

-	-@erase "$(INTDIR)\dnssectool.sbr"

-	-@erase "$(INTDIR)\vc60.idb"

-	-@erase "$(INTDIR)\vc60.pdb"

-	-@erase "$(OUTDIR)\dnssec-signkey.pdb"

-	-@erase "$(OUTDIR)\signkey.bsc"

-	-@erase "..\..\..\Build\Debug\dnssec-signkey.exe"

-	-@erase "..\..\..\Build\Debug\dnssec-signkey.ilk"

-	-@$(_VC_MANIFEST_CLEAN)

-

-"$(OUTDIR)" :

-    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"

-

-CPP=cl.exe

-CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 

-

-.c{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.c{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-RSC=rc.exe

-BSC32=bscmake.exe

-BSC32_FLAGS=/nologo /o"$(OUTDIR)\signkey.bsc" 

-BSC32_SBRS= \

-	"$(INTDIR)\dnssec-signkey.sbr" \

-	"$(INTDIR)\dnssectool.sbr"

-

-"$(OUTDIR)\signkey.bsc" : "$(OUTDIR)" $(BSC32_SBRS)

-    $(BSC32) @<<

-  $(BSC32_FLAGS) $(BSC32_SBRS)

-<<

-

-LINK32=link.exe

-LINK32_FLAGS=user32.lib advapi32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\dnssec-signkey.pdb" /debug /machine:I386 /out:"../../../Build/Debug/dnssec-signkey.exe" /pdbtype:sept 

-LINK32_OBJS= \

-	"$(INTDIR)\dnssec-signkey.obj" \

-	"$(INTDIR)\dnssectool.obj"

-

-"..\..\..\Build\Debug\dnssec-signkey.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)

-    $(LINK32) @<<

-  $(LINK32_FLAGS) $(LINK32_OBJS)

-<<

-  $(_VC_MANIFEST_EMBED_EXE)

-

-!ENDIF 

-

-

-!IF "$(NO_EXTERNAL_DEPS)" != "1"

-!IF EXISTS("signkey.dep")

-!INCLUDE "signkey.dep"

-!ELSE 

-!MESSAGE Warning: cannot find "signkey.dep"

-!ENDIF 

-!ENDIF 

-

-

-!IF "$(CFG)" == "signkey - Win32 Release" || "$(CFG)" == "signkey - Win32 Debug"

-SOURCE="..\dnssec-signkey.c"

-

-!IF  "$(CFG)" == "signkey - Win32 Release"

-

-

-"$(INTDIR)\dnssec-signkey.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "signkey - Win32 Debug"

-

-

-"$(INTDIR)\dnssec-signkey.obj"	"$(INTDIR)\dnssec-signkey.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\dnssectool.c

-

-!IF  "$(CFG)" == "signkey - Win32 Release"

-

-

-"$(INTDIR)\dnssectool.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "signkey - Win32 Debug"

-

-

-"$(INTDIR)\dnssectool.obj"	"$(INTDIR)\dnssectool.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-

-!ENDIF 

-

-####################################################

-# Commands to generate initial empty manifest file and the RC file

-# that references it, and for generating the .res file:

-

-$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc

-

-$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest

-    type <<$@

-#include <winuser.h>

-1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"

-<< KEEP

-

-$(_VC_MANIFEST_BASENAME).auto.manifest :

-    type <<$@

-<?xml version='1.0' encoding='UTF-8' standalone='yes'?>

-<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>

-</assembly>

-<< KEEP

-####################################################

-# Commands to generate initial empty manifest file and the RC file

-# that references it, and for generating the .res file:

-

-$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc

-

-$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest

-    type <<$@

-#include <winuser.h>

-1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"

-<< KEEP

-

-$(_VC_MANIFEST_BASENAME).auto.manifest :

-    type <<$@

-<?xml version='1.0' encoding='UTF-8' standalone='yes'?>

-<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>

-</assembly>

-<< KEEP

+# Microsoft Developer Studio Generated NMAKE File, Based on signkey.dsp
+!IF "$(CFG)" == ""
+CFG=signkey - Win32 Debug
+!MESSAGE No configuration specified. Defaulting to signkey - Win32 Debug.
+!ENDIF 
+
+!IF "$(CFG)" != "signkey - Win32 Release" && "$(CFG)" != "signkey - Win32 Debug"
+!MESSAGE Invalid configuration "$(CFG)" specified.
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "signkey.mak" CFG="signkey - Win32 Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "signkey - Win32 Release" (based on "Win32 (x86) Console Application")
+!MESSAGE "signkey - Win32 Debug" (based on "Win32 (x86) Console Application")
+!MESSAGE 
+!ERROR An invalid configuration is specified.
+!ENDIF 
+
+!IF "$(OS)" == "Windows_NT"
+NULL=
+!ELSE 
+NULL=nul
+!ENDIF 
+
+!IF  "$(CFG)" == "signkey - Win32 Release"
+
+OUTDIR=.\Release
+INTDIR=.\Release
+
+ALL : "..\..\..\Build\Release\dnssec-signkey.exe"
+
+
+CLEAN :
+	-@erase "$(INTDIR)\dnssec-signkey.obj"
+	-@erase "$(INTDIR)\dnssectool.obj"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "..\..\..\Build\Release\dnssec-signkey.exe"
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP=cl.exe
+CPP_PROJ=/nologo /MT /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/dns/sec/dst/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\signkey.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+
+.c{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+RSC=rc.exe
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\signkey.bsc" 
+BSC32_SBRS= \
+	
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\dnssec-signkey.pdb" /machine:I386 /out:"../../../Build/Release/dnssec-signkey.exe" 
+LINK32_OBJS= \
+	"$(INTDIR)\dnssec-signkey.obj" \
+	"$(INTDIR)\dnssectool.obj"
+
+"..\..\..\Build\Release\dnssec-signkey.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+
+!ELSEIF  "$(CFG)" == "signkey - Win32 Debug"
+
+OUTDIR=.\Debug
+INTDIR=.\Debug
+# Begin Custom Macros
+OutDir=.\Debug
+# End Custom Macros
+
+ALL : "..\..\..\Build\Debug\dnssec-signkey.exe" "$(OUTDIR)\signkey.bsc"
+
+
+CLEAN :
+	-@erase "$(INTDIR)\dnssec-signkey.obj"
+	-@erase "$(INTDIR)\dnssec-signkey.sbr"
+	-@erase "$(INTDIR)\dnssectool.obj"
+	-@erase "$(INTDIR)\dnssectool.sbr"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "$(INTDIR)\vc60.pdb"
+	-@erase "$(OUTDIR)\dnssec-signkey.pdb"
+	-@erase "$(OUTDIR)\signkey.bsc"
+	-@erase "..\..\..\Build\Debug\dnssec-signkey.exe"
+	-@erase "..\..\..\Build\Debug\dnssec-signkey.ilk"
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP=cl.exe
+CPP_PROJ=/nologo /MTd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/dns/sec/dst/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+
+.c{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+RSC=rc.exe
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\signkey.bsc" 
+BSC32_SBRS= \
+	"$(INTDIR)\dnssec-signkey.sbr" \
+	"$(INTDIR)\dnssectool.sbr"
+
+"$(OUTDIR)\signkey.bsc" : "$(OUTDIR)" $(BSC32_SBRS)
+    $(BSC32) @<<
+  $(BSC32_FLAGS) $(BSC32_SBRS)
+<<
+
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\dnssec-signkey.pdb" /debug /machine:I386 /out:"../../../Build/Debug/dnssec-signkey.exe" /pdbtype:sept 
+LINK32_OBJS= \
+	"$(INTDIR)\dnssec-signkey.obj" \
+	"$(INTDIR)\dnssectool.obj"
+
+"..\..\..\Build\Debug\dnssec-signkey.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+
+!ENDIF 
+
+
+!IF "$(NO_EXTERNAL_DEPS)" != "1"
+!IF EXISTS("signkey.dep")
+!INCLUDE "signkey.dep"
+!ELSE 
+!MESSAGE Warning: cannot find "signkey.dep"
+!ENDIF 
+!ENDIF 
+
+
+!IF "$(CFG)" == "signkey - Win32 Release" || "$(CFG)" == "signkey - Win32 Debug"
+SOURCE="..\dnssec-signkey.c"
+
+!IF  "$(CFG)" == "signkey - Win32 Release"
+
+
+"$(INTDIR)\dnssec-signkey.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "signkey - Win32 Debug"
+
+
+"$(INTDIR)\dnssec-signkey.obj"	"$(INTDIR)\dnssec-signkey.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\dnssectool.c
+
+!IF  "$(CFG)" == "signkey - Win32 Release"
+
+
+"$(INTDIR)\dnssectool.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "signkey - Win32 Debug"
+
+
+"$(INTDIR)\dnssectool.obj"	"$(INTDIR)\dnssectool.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+
+!ENDIF 
+
diff --git a/bin/dnssec/win32/signzone.dsp b/bin/dnssec/win32/signzone.dsp
index d0e9fb60..e5aa3d32 100644
--- a/bin/dnssec/win32/signzone.dsp
+++ b/bin/dnssec/win32/signzone.dsp
@@ -1,104 +1,107 @@
-# Microsoft Developer Studio Project File - Name="signzone" - Package Owner=<4>

-# Microsoft Developer Studio Generated Build File, Format Version 6.00

-# ** DO NOT EDIT **

-

-# TARGTYPE "Win32 (x86) Console Application" 0x0103

-

-CFG=signzone - Win32 Debug

-!MESSAGE This is not a valid makefile. To build this project using NMAKE,

-!MESSAGE use the Export Makefile command and run

-!MESSAGE 

-!MESSAGE NMAKE /f "signzone.mak".

-!MESSAGE 

-!MESSAGE You can specify a configuration when running NMAKE

-!MESSAGE by defining the macro CFG on the command line. For example:

-!MESSAGE 

-!MESSAGE NMAKE /f "signzone.mak" CFG="signzone - Win32 Debug"

-!MESSAGE 

-!MESSAGE Possible choices for configuration are:

-!MESSAGE 

-!MESSAGE "signzone - Win32 Release" (based on "Win32 (x86) Console Application")

-!MESSAGE "signzone - Win32 Debug" (based on "Win32 (x86) Console Application")

-!MESSAGE 

-

-# Begin Project

-# PROP AllowPerConfigDependencies 0

-# PROP Scc_ProjName ""

-# PROP Scc_LocalPath ""

-CPP=cl.exe

-RSC=rc.exe

-

-!IF  "$(CFG)" == "signzone - Win32 Release"

-

-# PROP BASE Use_MFC 0

-# PROP BASE Use_Debug_Libraries 0

-# PROP BASE Output_Dir "Release"

-# PROP BASE Intermediate_Dir "Release"

-# PROP BASE Target_Dir ""

-# PROP Use_MFC 0

-# PROP Use_Debug_Libraries 0

-# PROP Output_Dir "Release"

-# PROP Intermediate_Dir "Release"

-# PROP Ignore_Export_Lib 0

-# PROP Target_Dir ""

-# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c

-# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /YX /FD /c

-# ADD BASE RSC /l 0x409 /d "NDEBUG"

-# ADD RSC /l 0x409 /d "NDEBUG"

-BSC32=bscmake.exe

-# ADD BASE BSC32 /nologo

-# ADD BSC32 /nologo

-LINK32=link.exe

-# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386

-# ADD LINK32 user32.lib advapi32.lib Release/dnssectool.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/dnssec-signzone.exe"

-

-!ELSEIF  "$(CFG)" == "signzone - Win32 Debug"

-

-# PROP BASE Use_MFC 0

-# PROP BASE Use_Debug_Libraries 1

-# PROP BASE Output_Dir "Debug"

-# PROP BASE Intermediate_Dir "Debug"

-# PROP BASE Target_Dir ""

-# PROP Use_MFC 0

-# PROP Use_Debug_Libraries 1

-# PROP Output_Dir "Debug"

-# PROP Intermediate_Dir "Debug"

-# PROP Ignore_Export_Lib 0

-# PROP Target_Dir ""

-# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c

-# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c

-# SUBTRACT CPP /X /YX

-# ADD BASE RSC /l 0x409 /d "_DEBUG"

-# ADD RSC /l 0x409 /d "_DEBUG"

-BSC32=bscmake.exe

-# ADD BASE BSC32 /nologo

-# ADD BSC32 /nologo

-LINK32=link.exe

-# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept

-# ADD LINK32 user32.lib advapi32.lib Debug/dnssectool.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/dnssec-signzone.exe" /pdbtype:sept

-

-!ENDIF 

-

-# Begin Target

-

-# Name "signzone - Win32 Release"

-# Name "signzone - Win32 Debug"

-# Begin Group "Source Files"

-

-# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"

-# Begin Source File

-

-SOURCE="..\dnssec-signzone.c"

-# End Source File

-# End Source File

-# End Group

-# Begin Group "Header Files"

-

-# PROP Default_Filter "h;hpp;hxx;hm;inl"

-# End Group

-# Begin Group "Resource Files"

-

-# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"

-# End Group

-# End Target

-# End Project

+# Microsoft Developer Studio Project File - Name="signzone" - Package Owner=<4>
+# Microsoft Developer Studio Generated Build File, Format Version 6.00
+# ** DO NOT EDIT **
+
+# TARGTYPE "Win32 (x86) Console Application" 0x0103
+
+CFG=signzone - Win32 Debug
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,
+!MESSAGE use the Export Makefile command and run
+!MESSAGE 
+!MESSAGE NMAKE /f "signzone.mak".
+!MESSAGE 
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "signzone.mak" CFG="signzone - Win32 Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "signzone - Win32 Release" (based on "Win32 (x86) Console Application")
+!MESSAGE "signzone - Win32 Debug" (based on "Win32 (x86) Console Application")
+!MESSAGE 
+
+# Begin Project
+# PROP AllowPerConfigDependencies 0
+# PROP Scc_ProjName ""
+# PROP Scc_LocalPath ""
+CPP=cl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "signzone - Win32 Release"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 0
+# PROP BASE Output_Dir "Release"
+# PROP BASE Intermediate_Dir "Release"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 0
+# PROP Output_Dir "Release"
+# PROP Intermediate_Dir "Release"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
+# ADD CPP /nologo /MT /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/dns/sec/dst/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
+# ADD BASE RSC /l 0x409 /d "NDEBUG"
+# ADD RSC /l 0x409 /d "NDEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
+# ADD LINK32 user32.lib advapi32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/dnssec-signzone.exe"
+
+!ELSEIF  "$(CFG)" == "signzone - Win32 Debug"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 1
+# PROP BASE Output_Dir "Debug"
+# PROP BASE Intermediate_Dir "Debug"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 1
+# PROP Output_Dir "Debug"
+# PROP Intermediate_Dir "Debug"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c
+# ADD CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/dns/sec/dst/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
+# SUBTRACT CPP /X /YX
+# ADD BASE RSC /l 0x409 /d "_DEBUG"
+# ADD RSC /l 0x409 /d "_DEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
+# ADD LINK32 user32.lib advapi32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/dnssec-signzone.exe" /pdbtype:sept
+
+!ENDIF 
+
+# Begin Target
+
+# Name "signzone - Win32 Release"
+# Name "signzone - Win32 Debug"
+# Begin Group "Source Files"
+
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
+# Begin Source File
+
+SOURCE="..\dnssec-signzone.c"
+# End Source File
+# Begin Source File
+
+SOURCE=..\dnssectool.c
+# End Source File
+# End Group
+# Begin Group "Header Files"
+
+# PROP Default_Filter "h;hpp;hxx;hm;inl"
+# End Group
+# Begin Group "Resource Files"
+
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"
+# End Group
+# End Target
+# End Project
diff --git a/bin/dnssec/win32/signzone.dsw b/bin/dnssec/win32/signzone.dsw
index f3314b9e..67f5647f 100644
--- a/bin/dnssec/win32/signzone.dsw
+++ b/bin/dnssec/win32/signzone.dsw
@@ -1,29 +1,29 @@
-Microsoft Developer Studio Workspace File, Format Version 6.00

-# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!

-

-###############################################################################

-

-Project: "signzone"=".\signzone.dsp" - Package Owner=<4>

-

-Package=<5>

-{{{

-}}}

-

-Package=<4>

-{{{

-}}}

-

-###############################################################################

-

-Global:

-

-Package=<5>

-{{{

-}}}

-

-Package=<3>

-{{{

-}}}

-

-###############################################################################

-

+Microsoft Developer Studio Workspace File, Format Version 6.00
+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!
+
+###############################################################################
+
+Project: "signzone"=".\signzone.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+}}}
+
+###############################################################################
+
+Global:
+
+Package=<5>
+{{{
+}}}
+
+Package=<3>
+{{{
+}}}
+
+###############################################################################
+
diff --git a/bin/dnssec/win32/signzone.mak b/bin/dnssec/win32/signzone.mak
index 84f9425b..19e604e1 100644
--- a/bin/dnssec/win32/signzone.mak
+++ b/bin/dnssec/win32/signzone.mak
@@ -1,324 +1,227 @@
-# Microsoft Developer Studio Generated NMAKE File, Based on signzone.dsp

-!IF "$(CFG)" == ""

-CFG=signzone - Win32 Debug

-!MESSAGE No configuration specified. Defaulting to signzone - Win32 Debug.

-!ENDIF 

-

-!IF "$(CFG)" != "signzone - Win32 Release" && "$(CFG)" != "signzone - Win32 Debug"

-!MESSAGE Invalid configuration "$(CFG)" specified.

-!MESSAGE You can specify a configuration when running NMAKE

-!MESSAGE by defining the macro CFG on the command line. For example:

-!MESSAGE 

-!MESSAGE NMAKE /f "signzone.mak" CFG="signzone - Win32 Debug"

-!MESSAGE 

-!MESSAGE Possible choices for configuration are:

-!MESSAGE 

-!MESSAGE "signzone - Win32 Release" (based on "Win32 (x86) Console Application")

-!MESSAGE "signzone - Win32 Debug" (based on "Win32 (x86) Console Application")

-!MESSAGE 

-!ERROR An invalid configuration is specified.

-!ENDIF 

-

-!IF "$(OS)" == "Windows_NT"

-NULL=

-!ELSE 

-NULL=nul

-!ENDIF 

-

-!IF  "$(CFG)" == "signzone - Win32 Release"

-_VC_MANIFEST_INC=0

-_VC_MANIFEST_BASENAME=__VC80

-!ELSE

-_VC_MANIFEST_INC=1

-_VC_MANIFEST_BASENAME=__VC80.Debug

-!ENDIF

-

-####################################################

-# Specifying name of temporary resource file used only in incremental builds:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res

-!else

-_VC_MANIFEST_AUTO_RES=

-!endif

-

-####################################################

-# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-

-#MT_SPECIAL_RETURN=1090650113

-#MT_SPECIAL_SWITCH=-notify_resource_update

-MT_SPECIAL_RETURN=0

-MT_SPECIAL_SWITCH=

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \

-if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \

-rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \

-link $** /out:$@ $(LFLAGS)

-

-!else

-

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1

-

-!endif

-

-####################################################

-# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-

-#MT_SPECIAL_RETURN=1090650113

-#MT_SPECIAL_SWITCH=-notify_resource_update

-MT_SPECIAL_RETURN=0

-MT_SPECIAL_SWITCH=

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \

-if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \

-rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \

-link $** /out:$@ $(LFLAGS)

-

-!else

-

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2

-

-!endif

-####################################################

-# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-

-_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \

-    $(_VC_MANIFEST_BASENAME).auto.rc \

-    $(_VC_MANIFEST_BASENAME).auto.manifest

-

-!else

-

-_VC_MANIFEST_CLEAN=

-

-!endif

-

-!IF  "$(CFG)" == "signzone - Win32 Release"

-

-OUTDIR=.\Release

-INTDIR=.\Release

-

-ALL : "..\..\..\Build\Release\dnssec-signzone.exe"

-

-

-CLEAN :

-	-@erase "$(INTDIR)\dnssec-signzone.obj"

-	-@erase "$(INTDIR)\dnssectool.obj"

-	-@erase "$(INTDIR)\vc60.idb"

-	-@erase "..\..\..\Build\Release\dnssec-signzone.exe"

-	-@$(_VC_MANIFEST_CLEAN)

-

-"$(OUTDIR)" :

-    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"

-

-CPP=cl.exe

-CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\signzone.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 

-

-.c{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.c{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-RSC=rc.exe

-BSC32=bscmake.exe

-BSC32_FLAGS=/nologo /o"$(OUTDIR)\signzone.bsc" 

-BSC32_SBRS= \

-	

-LINK32=link.exe

-LINK32_FLAGS=user32.lib advapi32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\dnssec-signzone.pdb" /machine:I386 /out:"../../../Build/Release/dnssec-signzone.exe" 

-LINK32_OBJS= \

-	"$(INTDIR)\dnssec-signzone.obj" \

-	"$(INTDIR)\dnssectool.obj"

-

-"..\..\..\Build\Release\dnssec-signzone.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)

-    $(LINK32) @<<

-  $(LINK32_FLAGS) $(LINK32_OBJS)

-<<

-    $(_VC_MANIFEST_EMBED_EXE)

-

-!ELSEIF  "$(CFG)" == "signzone - Win32 Debug"

-

-OUTDIR=.\Debug

-INTDIR=.\Debug

-# Begin Custom Macros

-OutDir=.\Debug

-# End Custom Macros

-

-ALL : "..\..\..\Build\Debug\dnssec-signzone.exe" "$(OUTDIR)\signzone.bsc"

-

-

-CLEAN :

-	-@erase "$(INTDIR)\dnssec-signzone.obj"

-	-@erase "$(INTDIR)\dnssec-signzone.sbr"

-	-@erase "$(INTDIR)\dnssectool.obj"

-	-@erase "$(INTDIR)\dnssectool.sbr"

-	-@erase "$(INTDIR)\vc60.idb"

-	-@erase "$(INTDIR)\vc60.pdb"

-	-@erase "$(OUTDIR)\dnssec-signzone.pdb"

-	-@erase "$(OUTDIR)\signzone.bsc"

-	-@erase "..\..\..\Build\Debug\dnssec-signzone.exe"

-	-@erase "..\..\..\Build\Debug\dnssec-signzone.ilk"

-	-@$(_VC_MANIFEST_CLEAN)

-

-"$(OUTDIR)" :

-    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"

-

-CPP=cl.exe

-CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 

-

-.c{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.c{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-RSC=rc.exe

-BSC32=bscmake.exe

-BSC32_FLAGS=/nologo /o"$(OUTDIR)\signzone.bsc" 

-BSC32_SBRS= \

-	"$(INTDIR)\dnssec-signzone.sbr" \

-	"$(INTDIR)\dnssectool.sbr"

-

-"$(OUTDIR)\signzone.bsc" : "$(OUTDIR)" $(BSC32_SBRS)

-    $(BSC32) @<<

-  $(BSC32_FLAGS) $(BSC32_SBRS)

-<<

-

-LINK32=link.exe

-LINK32_FLAGS=user32.lib advapi32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\dnssec-signzone.pdb" /debug /machine:I386 /out:"../../../Build/Debug/dnssec-signzone.exe" /pdbtype:sept 

-LINK32_OBJS= \

-	"$(INTDIR)\dnssec-signzone.obj" \

-	"$(INTDIR)\dnssectool.obj"

-

-"..\..\..\Build\Debug\dnssec-signzone.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)

-    $(LINK32) @<<

-  $(LINK32_FLAGS) $(LINK32_OBJS)

-<<

-    $(_VC_MANIFEST_EMBED_EXE)

-

-!ENDIF 

-

-

-!IF "$(NO_EXTERNAL_DEPS)" != "1"

-!IF EXISTS("signzone.dep")

-!INCLUDE "signzone.dep"

-!ELSE 

-!MESSAGE Warning: cannot find "signzone.dep"

-!ENDIF 

-!ENDIF 

-

-

-!IF "$(CFG)" == "signzone - Win32 Release" || "$(CFG)" == "signzone - Win32 Debug"

-SOURCE="..\dnssec-signzone.c"

-

-!IF  "$(CFG)" == "signzone - Win32 Release"

-

-

-"$(INTDIR)\dnssec-signzone.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "signzone - Win32 Debug"

-

-

-"$(INTDIR)\dnssec-signzone.obj"	"$(INTDIR)\dnssec-signzone.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\dnssectool.c

-

-!IF  "$(CFG)" == "signzone - Win32 Release"

-

-

-"$(INTDIR)\dnssectool.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "signzone - Win32 Debug"

-

-

-"$(INTDIR)\dnssectool.obj"	"$(INTDIR)\dnssectool.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-

-!ENDIF 

-

-####################################################

-# Commands to generate initial empty manifest file and the RC file

-# that references it, and for generating the .res file:

-

-$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc

-

-$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest

-    type <<$@

-#include <winuser.h>

-1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"

-<< KEEP

-

-$(_VC_MANIFEST_BASENAME).auto.manifest :

-    type <<$@

-<?xml version='1.0' encoding='UTF-8' standalone='yes'?>

-<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>

-</assembly>

-<< KEEP

+# Microsoft Developer Studio Generated NMAKE File, Based on signzone.dsp
+!IF "$(CFG)" == ""
+CFG=signzone - Win32 Debug
+!MESSAGE No configuration specified. Defaulting to signzone - Win32 Debug.
+!ENDIF 
+
+!IF "$(CFG)" != "signzone - Win32 Release" && "$(CFG)" != "signzone - Win32 Debug"
+!MESSAGE Invalid configuration "$(CFG)" specified.
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "signzone.mak" CFG="signzone - Win32 Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "signzone - Win32 Release" (based on "Win32 (x86) Console Application")
+!MESSAGE "signzone - Win32 Debug" (based on "Win32 (x86) Console Application")
+!MESSAGE 
+!ERROR An invalid configuration is specified.
+!ENDIF 
+
+!IF "$(OS)" == "Windows_NT"
+NULL=
+!ELSE 
+NULL=nul
+!ENDIF 
+
+!IF  "$(CFG)" == "signzone - Win32 Release"
+
+OUTDIR=.\Release
+INTDIR=.\Release
+
+ALL : "..\..\..\Build\Release\dnssec-signzone.exe"
+
+
+CLEAN :
+	-@erase "$(INTDIR)\dnssec-signzone.obj"
+	-@erase "$(INTDIR)\dnssectool.obj"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "..\..\..\Build\Release\dnssec-signzone.exe"
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP=cl.exe
+CPP_PROJ=/nologo /MT /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/dns/sec/dst/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\signzone.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+
+.c{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+RSC=rc.exe
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\signzone.bsc" 
+BSC32_SBRS= \
+	
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\dnssec-signzone.pdb" /machine:I386 /out:"../../../Build/Release/dnssec-signzone.exe" 
+LINK32_OBJS= \
+	"$(INTDIR)\dnssec-signzone.obj" \
+	"$(INTDIR)\dnssectool.obj"
+
+"..\..\..\Build\Release\dnssec-signzone.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+
+!ELSEIF  "$(CFG)" == "signzone - Win32 Debug"
+
+OUTDIR=.\Debug
+INTDIR=.\Debug
+# Begin Custom Macros
+OutDir=.\Debug
+# End Custom Macros
+
+ALL : "..\..\..\Build\Debug\dnssec-signzone.exe" "$(OUTDIR)\signzone.bsc"
+
+
+CLEAN :
+	-@erase "$(INTDIR)\dnssec-signzone.obj"
+	-@erase "$(INTDIR)\dnssec-signzone.sbr"
+	-@erase "$(INTDIR)\dnssectool.obj"
+	-@erase "$(INTDIR)\dnssectool.sbr"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "$(INTDIR)\vc60.pdb"
+	-@erase "$(OUTDIR)\dnssec-signzone.pdb"
+	-@erase "$(OUTDIR)\signzone.bsc"
+	-@erase "..\..\..\Build\Debug\dnssec-signzone.exe"
+	-@erase "..\..\..\Build\Debug\dnssec-signzone.ilk"
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP=cl.exe
+CPP_PROJ=/nologo /MTd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /I "../../../lib/dns/sec/dst/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+
+.c{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+RSC=rc.exe
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\signzone.bsc" 
+BSC32_SBRS= \
+	"$(INTDIR)\dnssec-signzone.sbr" \
+	"$(INTDIR)\dnssectool.sbr"
+
+"$(OUTDIR)\signzone.bsc" : "$(OUTDIR)" $(BSC32_SBRS)
+    $(BSC32) @<<
+  $(BSC32_FLAGS) $(BSC32_SBRS)
+<<
+
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\dnssec-signzone.pdb" /debug /machine:I386 /out:"../../../Build/Debug/dnssec-signzone.exe" /pdbtype:sept 
+LINK32_OBJS= \
+	"$(INTDIR)\dnssec-signzone.obj" \
+	"$(INTDIR)\dnssectool.obj"
+
+"..\..\..\Build\Debug\dnssec-signzone.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+
+!ENDIF 
+
+
+!IF "$(NO_EXTERNAL_DEPS)" != "1"
+!IF EXISTS("signzone.dep")
+!INCLUDE "signzone.dep"
+!ELSE 
+!MESSAGE Warning: cannot find "signzone.dep"
+!ENDIF 
+!ENDIF 
+
+
+!IF "$(CFG)" == "signzone - Win32 Release" || "$(CFG)" == "signzone - Win32 Debug"
+SOURCE="..\dnssec-signzone.c"
+
+!IF  "$(CFG)" == "signzone - Win32 Release"
+
+
+"$(INTDIR)\dnssec-signzone.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "signzone - Win32 Debug"
+
+
+"$(INTDIR)\dnssec-signzone.obj"	"$(INTDIR)\dnssec-signzone.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\dnssectool.c
+
+!IF  "$(CFG)" == "signzone - Win32 Release"
+
+
+"$(INTDIR)\dnssectool.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "signzone - Win32 Debug"
+
+
+"$(INTDIR)\dnssectool.obj"	"$(INTDIR)\dnssectool.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+
+!ENDIF 
+
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
index 333ce085..9e125c24 100644
--- a/bin/named/Makefile.in
+++ b/bin/named/Makefile.in
@@ -1,5 +1,5 @@
 # Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2001  Internet Software Consortium.
+# Copyright (C) 1998-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.74.2.5 2004/09/06 21:42:06 marka Exp $
+# $Id: Makefile.in,v 1.74.12.7 2004/03/08 04:04:18 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -21,7 +21,7 @@ top_srcdir =	@top_srcdir@
 
 @BIND9_VERSION@
 
-@BIND9_INCLUDES@
+@BIND9_MAKE_INCLUDES@
 
 #
 # Add database drivers here.
@@ -32,36 +32,39 @@ DBDRIVER_INCLUDES =
 DBDRIVER_LIBS =
 
 CINCLUDES =	-I${srcdir}/include -I${srcdir}/unix/include \
-		${LWRES_INCLUDES} ${DNS_INCLUDES} \
+		${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \
 		${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \
 		${DBDRIVER_INCLUDES}
 
 CDEFINES =
 CWARNINGS =
 
-DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_OPENSSL_LIBS@ @DNS_GSSAPI_LIBS@
+DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
 ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
 ISCCCLIBS =	../../lib/isccc/libisccc.@A@
 ISCLIBS =	../../lib/isc/libisc.@A@
 LWRESLIBS =	../../lib/lwres/liblwres.@A@
+BIND9LIBS =	../../lib/bind9/libbind9.@A@
 
 DNSDEPLIBS =	../../lib/dns/libdns.@A@
 ISCCFGDEPLIBS =	../../lib/isccfg/libisccfg.@A@
 ISCCCDEPLIBS =	../../lib/isccc/libisccc.@A@
 ISCDEPLIBS =	../../lib/isc/libisc.@A@
 LWRESDEPLIBS =	../../lib/lwres/liblwres.@A@
+BIND9DEPLIBS =	../../lib/bind9/libbind9.@A@
 
-DEPLIBS =	${LWRESDEPLIBS} ${DNSDEPLIBS} \
+DEPLIBS =	${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
 		${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${ISCDEPLIBS}
 
-LIBS =		${LWRESLIBS} ${DNSLIBS} \
+LIBS =		${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
 		${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} ${DBDRIVER_LIBS} @LIBS@
 
 SUBDIRS =	unix
 
-TARGETS =	named lwresd
+TARGETS =	named@EXEEXT@ lwresd@EXEEXT@
 
-OBJS =		aclconf.@O@ client.@O@ config.@O@ control.@O@ controlconf.@O@ interfacemgr.@O@ \
+OBJS =		aclconf.@O@ builtin.@O@ client.@O@ config.@O@ control.@O@ \
+		controlconf.@O@ interfacemgr.@O@ \
 		listenlist.@O@ log.@O@ logconf.@O@ main.@O@ notify.@O@ \
 		query.@O@ server.@O@ sortlist.@O@ \
 		tkeyconf.@O@ tsigconf.@O@ update.@O@ xfrout.@O@ \
@@ -72,7 +75,8 @@ OBJS =		aclconf.@O@ client.@O@ config.@O@ control.@O@ controlconf.@O@ interfacem
 
 UOBJS =		unix/os.@O@
 
-SRCS =		aclconf.c client.c config.c control.c controlconf.c interfacemgr.c \
+SRCS =		aclconf.c builtin.c client.c config.c control.c \
+		controlconf.c interfacemgr.c \
 		listenlist.c log.c logconf.c main.c notify.c \
 		query.c server.c sortlist.c \
 		tkeyconf.c tsigconf.c update.c xfrout.c \
@@ -81,30 +85,33 @@ SRCS =		aclconf.c client.c config.c control.c controlconf.c interfacemgr.c \
 		lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c \
 		$(DBDRIVER_SRCS)
 
-MANPAGES =	named.8 lwresd.8 named.conf.5
+MANPAGES =	named.8 lwresd.8
 
-HTMLPAGES =	named.html lwresd.html named.conf.html
+HTMLPAGES =	named.html lwresd.html
 
 MANOBJS =	${MANPAGES} ${HTMLPAGES}
 
 @BIND9_MAKE_RULES@
 
 main.@O@: main.c
-	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+		-DVERSION=\"${VERSION}\" \
 		-DNS_LOCALSTATEDIR=\"${localstatedir}\" \
 		-DNS_SYSCONFDIR=\"${sysconfdir}\" -c ${srcdir}/main.c
 
 config.@O@: config.c
-	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+		-DVERSION=\"${VERSION}\" \
 		-DNS_LOCALSTATEDIR=\"${localstatedir}\" \
 		-c ${srcdir}/config.c
 
-named: ${OBJS} ${UOBJS} ${DEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ ${OBJS} ${UOBJS} ${LIBS}
+named@EXEEXT@: ${OBJS} ${UOBJS} ${DEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} -o $@ \
+	${OBJS} ${UOBJS} ${LIBS}
 
-lwresd: named
-	rm -f lwresd
-	@LN@ named lwresd
+lwresd@EXEEXT@: named@EXEEXT@
+	rm -f lwresd@EXEEXT@
+	@LN@ named@EXEEXT@ lwresd@EXEEXT@
 
 doc man:: ${MANOBJS}
 
@@ -112,16 +119,13 @@ docclean manclean maintainer-clean::
 	rm -f ${MANOBJS}
 
 clean distclean maintainer-clean::
-	rm -f ${TARGETS}
+	rm -f ${TARGETS} ${OBJS}
 
 installdirs:
 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man5
 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
 
-install:: named lwresd installdirs
-	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named ${DESTDIR}${sbindir}
-	(cd ${DESTDIR}${sbindir}; rm -f lwresd; @LN@ named lwresd)
-	${INSTALL_DATA} ${srcdir}/named.8 ${DESTDIR}${mandir}/man8
-	${INSTALL_DATA} ${srcdir}/lwresd.8 ${DESTDIR}${mandir}/man8
-	${INSTALL_DATA} ${srcdir}/named.conf.5 ${DESTDIR}${mandir}/man5
+install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs
+	${LIBTOO_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir}
+	(cd ${DESTDIR}${sbindir}; rm -f lwresd@EXEEXT@; @LN@ named@EXEEXT@ lwresd@EXEEXT@)
+	for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8; done
diff --git a/bin/named/aclconf.c b/bin/named/aclconf.c
index 48a1659c..ef36c568 100644
--- a/bin/named/aclconf.c
+++ b/bin/named/aclconf.c
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: aclconf.c,v 1.27.2.5 2006/03/02 00:37:17 marka Exp $ */
+/* $Id: aclconf.c,v 1.27.12.3 2004/03/08 04:04:18 marka Exp $ */
 
 #include <config.h>
 
@@ -23,14 +23,14 @@
 #include <isc/string.h>		/* Required for HP/UX (and others?) */
 #include <isc/util.h>
 
+#include <isccfg/namedconf.h>
+
 #include <dns/acl.h>
 #include <dns/fixedname.h>
 #include <dns/log.h>
 
 #include <named/aclconf.h>
 
-#define LOOP_MAGIC ISC_MAGIC('L','O','O','P')
-
 void
 ns_aclconfctx_init(ns_aclconfctx_t *ctx) {
 	ISC_LIST_INIT(ctx->named_acl_cache);
@@ -52,10 +52,10 @@ ns_aclconfctx_destroy(ns_aclconfctx_t *ctx) {
  * Find the definition of the named acl whose name is "name".
  */
 static isc_result_t
-get_acl_def(const cfg_obj_t *cctx, const char *name, const cfg_obj_t **ret) {
+get_acl_def(cfg_obj_t *cctx, char *name, cfg_obj_t **ret) {
 	isc_result_t result;
-	const cfg_obj_t *acls = NULL;
-	const cfg_listelt_t *elt;
+	cfg_obj_t *acls = NULL;
+	cfg_listelt_t *elt;
 	
 	result = cfg_map_get(cctx, "acl", &acls);
 	if (result != ISC_R_SUCCESS)
@@ -63,7 +63,7 @@ get_acl_def(const cfg_obj_t *cctx, const char *name, const cfg_obj_t **ret) {
 	for (elt = cfg_list_first(acls);
 	     elt != NULL;
 	     elt = cfg_list_next(elt)) {
-		const cfg_obj_t *acl = cfg_listelt_value(elt);
+		cfg_obj_t *acl = cfg_listelt_value(elt);
 		const char *aclname = cfg_obj_asstring(cfg_tuple_get(acl, "name"));
 		if (strcasecmp(aclname, name) == 0) {
 			*ret = cfg_tuple_get(acl, "value");
@@ -74,15 +74,14 @@ get_acl_def(const cfg_obj_t *cctx, const char *name, const cfg_obj_t **ret) {
 }
 
 static isc_result_t
-convert_named_acl(const cfg_obj_t *nameobj, const cfg_obj_t *cctx,
+convert_named_acl(cfg_obj_t *nameobj, cfg_obj_t *cctx,
 		  ns_aclconfctx_t *ctx, isc_mem_t *mctx,
 		  dns_acl_t **target)
 {
 	isc_result_t result;
-	const cfg_obj_t *cacl = NULL;
+	cfg_obj_t *cacl = NULL;
 	dns_acl_t *dacl;
-	dns_acl_t loop;
-	const char *aclname = cfg_obj_asstring(nameobj);
+	char *aclname = cfg_obj_asstring(nameobj);
 
 	/* Look for an already-converted version. */
 	for (dacl = ISC_LIST_HEAD(ctx->named_acl_cache);
@@ -90,11 +89,6 @@ convert_named_acl(const cfg_obj_t *nameobj, const cfg_obj_t *cctx,
 	     dacl = ISC_LIST_NEXT(dacl, nextincache))
 	{
 		if (strcasecmp(aclname, dacl->name) == 0) {
-			if (ISC_MAGIC_VALID(dacl, LOOP_MAGIC)) {
-				cfg_obj_log(nameobj, dns_lctx, ISC_LOG_ERROR,
-					    "acl loop detected: %s", aclname);
-				return (ISC_R_FAILURE);
-			}
 			dns_acl_attach(dacl, target);
 			return (ISC_R_SUCCESS);
 		}
@@ -106,18 +100,7 @@ convert_named_acl(const cfg_obj_t *nameobj, const cfg_obj_t *cctx,
 			    "undefined ACL '%s'", aclname);
 		return (result);
 	}
-	/*
-	 * Add a loop detection element.
-	 */
-	memset(&loop, 0, sizeof(loop));
-	ISC_LINK_INIT(&loop, nextincache);
-	DE_CONST(aclname, loop.name);
-	loop.magic = LOOP_MAGIC;
-	ISC_LIST_APPEND(ctx->named_acl_cache, &loop, nextincache);
 	result = ns_acl_fromconfig(cacl, cctx, ctx, mctx, &dacl);
-	ISC_LIST_UNLINK(ctx->named_acl_cache, &loop, nextincache);
-	loop.magic = 0;
-	loop.name = NULL;
 	if (result != ISC_R_SUCCESS)
 		return (result);
 	dacl->name = isc_mem_strdup(dacl->mctx, aclname);
@@ -129,7 +112,7 @@ convert_named_acl(const cfg_obj_t *nameobj, const cfg_obj_t *cctx,
 }
 
 static isc_result_t
-convert_keyname(const cfg_obj_t *keyobj, isc_mem_t *mctx, dns_name_t *dnsname) {
+convert_keyname(cfg_obj_t *keyobj, isc_mem_t *mctx, dns_name_t *dnsname) {
 	isc_result_t result;
 	isc_buffer_t buf;
 	dns_fixedname_t fixname;
@@ -152,8 +135,8 @@ convert_keyname(const cfg_obj_t *keyobj, isc_mem_t *mctx, dns_name_t *dnsname) {
 }
 
 isc_result_t
-ns_acl_fromconfig(const cfg_obj_t *caml,
-		  const cfg_obj_t *cctx,
+ns_acl_fromconfig(cfg_obj_t *caml,
+		  cfg_obj_t *cctx,
 		  ns_aclconfctx_t *ctx,
 		  isc_mem_t *mctx,
 		  dns_acl_t **target)
@@ -162,7 +145,7 @@ ns_acl_fromconfig(const cfg_obj_t *caml,
 	unsigned int count;
 	dns_acl_t *dacl = NULL;
 	dns_aclelement_t *de;
-	const cfg_listelt_t *elt;
+	cfg_listelt_t *elt;
 
 	REQUIRE(target != NULL && *target == NULL);
 
@@ -181,7 +164,7 @@ ns_acl_fromconfig(const cfg_obj_t *caml,
 	     elt != NULL;
 	     elt = cfg_list_next(elt))
 	{
-		const cfg_obj_t *ce = cfg_listelt_value(elt);
+		cfg_obj_t *ce = cfg_listelt_value(elt);
 		if (cfg_obj_istuple(ce)) {
 			/* This must be a negated element. */
 			ce = cfg_tuple_get(ce, "value");
@@ -213,7 +196,7 @@ ns_acl_fromconfig(const cfg_obj_t *caml,
 				goto cleanup;
 		} else if (cfg_obj_isstring(ce)) {
 			/* ACL name */
-			const char *name = cfg_obj_asstring(ce);
+			char *name = cfg_obj_asstring(ce);
 			if (strcasecmp(name, "localhost") == 0) {
 				de->type = dns_aclelementtype_localhost;
 			} else if (strcasecmp(name, "localnets") == 0) {
diff --git a/bin/named/builtin.c b/bin/named/builtin.c
new file mode 100644
index 00000000..af4d7a3f
--- /dev/null
+++ b/bin/named/builtin.c
@@ -0,0 +1,228 @@
+/*
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2001-2003  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: builtin.c,v 1.4.106.4 2004/03/08 04:04:18 marka Exp $ */
+
+/*
+ * The built-in "version", "hostname", "id" and "authors" databases.
+ */
+
+#include <config.h>
+
+#include <string.h>
+#include <stdio.h>
+
+#include <isc/print.h>
+#include <isc/result.h>
+#include <isc/util.h>
+
+#include <dns/sdb.h>
+#include <dns/result.h>
+
+#include <named/builtin.h>
+#include <named/globals.h>
+#include <named/server.h>
+#include <named/os.h>
+
+typedef struct builtin builtin_t;
+
+static isc_result_t do_version_lookup(dns_sdblookup_t *lookup);
+static isc_result_t do_hostname_lookup(dns_sdblookup_t *lookup);
+static isc_result_t do_authors_lookup(dns_sdblookup_t *lookup);
+static isc_result_t do_id_lookup(dns_sdblookup_t *lookup);
+
+/*
+ * We can't use function pointers as the db_data directly
+ * because ANSI C does not guarantee that function pointers
+ * can safely be cast to void pointers and back.
+ */
+
+struct builtin {
+	isc_result_t (*do_lookup)(dns_sdblookup_t *lookup);
+};
+
+static builtin_t version_builtin = { do_version_lookup };
+static builtin_t hostname_builtin = { do_hostname_lookup };
+static builtin_t authors_builtin = { do_authors_lookup };
+static builtin_t id_builtin = { do_id_lookup };
+
+static dns_sdbimplementation_t *builtin_impl;
+
+static isc_result_t
+builtin_lookup(const char *zone, const char *name, void *dbdata,
+	       dns_sdblookup_t *lookup)
+{
+	builtin_t *b = (builtin_t *) dbdata;
+
+	UNUSED(zone);
+
+	if (strcmp(name, "@") == 0)
+		return (b->do_lookup(lookup));
+	else
+		return (ISC_R_NOTFOUND);
+}
+
+static isc_result_t
+put_txt(dns_sdblookup_t *lookup, const char *text) {
+	unsigned char buf[256];
+	unsigned int len = strlen(text);
+	if (len > 255)
+		len = 255; /* Silently truncate */
+	buf[0] = len;
+	memcpy(&buf[1], text, len);
+	return (dns_sdb_putrdata(lookup, dns_rdatatype_txt, 0, buf, len + 1));
+}
+
+static isc_result_t
+do_version_lookup(dns_sdblookup_t *lookup) {
+	if (ns_g_server->version_set) {	
+		if (ns_g_server->version == NULL)
+			return (ISC_R_SUCCESS);
+		else
+			return (put_txt(lookup, ns_g_server->version));
+	} else {
+		return (put_txt(lookup, ns_g_version));
+	}
+}
+
+static isc_result_t
+do_hostname_lookup(dns_sdblookup_t *lookup) {
+	if (ns_g_server->hostname_set) {
+		if (ns_g_server->hostname == NULL)
+			return (ISC_R_SUCCESS);
+		else
+			return (put_txt(lookup, ns_g_server->hostname));
+	} else {
+		char buf[256];
+		isc_result_t result = ns_os_gethostname(buf, sizeof(buf));
+		if (result != ISC_R_SUCCESS)
+			return (result);
+		return (put_txt(lookup, buf));
+	}
+}
+
+static isc_result_t
+do_authors_lookup(dns_sdblookup_t *lookup) {
+	isc_result_t result;
+	const char **p;
+	static const char *authors[] = {
+		"Mark Andrews",
+		"James Brister",
+		"Ben Cottrell",
+		"Michael Graff",
+		"Andreas Gustafsson",
+		"Bob Halley",
+		"David Lawrence",
+		"Danny Mayer",
+		"Damien Neil",
+		"Matt Nelson",
+		"Michael Sawyer",
+		"Brian Wellington",
+		NULL
+	};
+
+	/*
+	 * If a version string is specified, disable the authors.bind zone.
+	 */
+	if (ns_g_server->version_set)
+		return (ISC_R_SUCCESS);
+
+	for (p = authors; *p != NULL; p++) {
+		result = put_txt(lookup, *p);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+do_id_lookup(dns_sdblookup_t *lookup) {
+
+	if (ns_g_server->server_usehostname) {
+		char buf[256];
+		isc_result_t result = ns_os_gethostname(buf, sizeof(buf));
+		if (result != ISC_R_SUCCESS)
+			return (result);
+		return (put_txt(lookup, buf));
+	}
+
+	if (ns_g_server->server_id == NULL)
+		return (ISC_R_SUCCESS);
+	else
+		return (put_txt(lookup, ns_g_server->server_id));
+}
+
+static isc_result_t
+builtin_authority(const char *zone, void *dbdata, dns_sdblookup_t *lookup) {
+	isc_result_t result;
+
+	UNUSED(zone);
+	UNUSED(dbdata);
+
+	result = dns_sdb_putsoa(lookup, "@", "hostmaster", 0);
+	if (result != ISC_R_SUCCESS)
+		return (ISC_R_FAILURE);
+	result = dns_sdb_putrr(lookup, "ns", 0, "@");
+	if (result != ISC_R_SUCCESS)
+		return (ISC_R_FAILURE);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+builtin_create(const char *zone, int argc, char **argv,
+	       void *driverdata, void **dbdata)
+{
+	UNUSED(zone);
+	UNUSED(driverdata);
+	if (argc != 1)
+		return (DNS_R_SYNTAX);
+	if (strcmp(argv[0], "version") == 0)
+		*dbdata = &version_builtin;
+	else if (strcmp(argv[0], "hostname") == 0)
+		*dbdata = &hostname_builtin;
+	else if (strcmp(argv[0], "authors") == 0)
+		*dbdata = &authors_builtin;
+	else if (strcmp(argv[0], "id") == 0)
+		*dbdata = &id_builtin;
+	else
+		return (ISC_R_NOTIMPLEMENTED);
+	return (ISC_R_SUCCESS);
+}
+
+static dns_sdbmethods_t builtin_methods = {
+	builtin_lookup,
+	builtin_authority,
+	NULL,		/* allnodes */
+	builtin_create,
+	NULL		/* destroy */
+};
+
+isc_result_t
+ns_builtin_init(void) {
+	RUNTIME_CHECK(dns_sdb_register("_builtin", &builtin_methods, NULL,
+				       DNS_SDBFLAG_RELATIVEOWNER |
+				       DNS_SDBFLAG_RELATIVERDATA,
+				       ns_g_mctx, &builtin_impl)
+		      == ISC_R_SUCCESS);
+	return (ISC_R_SUCCESS);
+}
+
+void
+ns_builtin_deinit(void) {
+	dns_sdb_unregister(&builtin_impl);
+}
diff --git a/bin/named/client.c b/bin/named/client.c
index e91203f5..4aec8d82 100644
--- a/bin/named/client.c
+++ b/bin/named/client.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: client.c,v 1.176.2.28 2007/06/26 04:24:52 marka Exp $ */
+/* $Id: client.c,v 1.176.2.13.4.20 2004/03/08 21:06:21 marka Exp $ */
 
 #include <config.h>
 
@@ -34,6 +34,7 @@
 #include <dns/events.h>
 #include <dns/message.h>
 #include <dns/rcode.h>
+#include <dns/resolver.h>
 #include <dns/rdata.h>
 #include <dns/rdataclass.h>
 #include <dns/rdatalist.h>
@@ -96,6 +97,7 @@ struct ns_clientmgr {
 	/* Locked by lock. */
 	isc_boolean_t			exiting;
 	client_list_t			active; 	/* Active clients */
+	client_list_t			recursing; 	/* Recursing clients */
 	client_list_t 			inactive;	/* To be recycled */
 };
 
@@ -151,7 +153,7 @@ struct ns_clientmgr {
 #define NS_CLIENTSTATE_WORKING  4
 /*
  * The client object has received a request and is working
- * on it.  It has a view, and it may  have any of a non-reset OPT,
+ * on it.  It has a view, and it may have any of a non-reset OPT,
  * recursion quota, and an outstanding write request.
  */
 
@@ -162,12 +164,6 @@ struct ns_clientmgr {
  * Must be greater than any valid state.
  */
 
-/*
- * Enable ns_client_dropport() by default.
- */
-#ifndef NS_CLIENT_DROPPORT
-#define NS_CLIENT_DROPPORT 1
-#endif
 
 static void client_read(ns_client_t *client);
 static void client_accept(ns_client_t *client);
@@ -181,6 +177,27 @@ static void client_request(isc_task_t *task, isc_event_t *event);
 static void ns_client_dumpmessage(ns_client_t *client, const char *reason);
 
 void
+ns_client_recursing(ns_client_t *client, isc_boolean_t killoldest) {
+	ns_client_t *oldest;
+	REQUIRE(NS_CLIENT_VALID(client));
+
+	LOCK(&client->manager->lock);
+	if (killoldest) {
+		oldest = ISC_LIST_HEAD(client->manager->recursing);
+		if (oldest != NULL) {
+			ns_query_cancel(oldest);
+			ISC_LIST_UNLINK(*oldest->list, oldest, link);
+			ISC_LIST_APPEND(client->manager->active, oldest, link);
+			oldest->list = &client->manager->active;
+		}
+	}
+	ISC_LIST_UNLINK(*client->list, client, link);
+	ISC_LIST_APPEND(client->manager->recursing, client, link);
+	client->list = &client->manager->recursing;
+	UNLOCK(&client->manager->lock);
+}
+
+void
 ns_client_settimeout(ns_client_t *client, unsigned int seconds) {
 	isc_result_t result;
 	isc_interval_t interval;
@@ -225,20 +242,13 @@ exit_check(ns_client_t *client) {
 	 *  - The client does not detach from the view until references is zero
 	 *  - references does not go to zero until the resolver has shut down
 	 *
-	 * Keep the view attached until any outstanding updates complete.
 	 */
-	if (client->nupdates == 0 && 
-	    client->newstate == NS_CLIENTSTATE_FREED && client->view != NULL)
+	if (client->newstate == NS_CLIENTSTATE_FREED && client->view != NULL)
 		dns_view_detach(&client->view);
 
 	if (client->state == NS_CLIENTSTATE_WORKING) {
 		INSIST(client->newstate <= NS_CLIENTSTATE_READING);
 		/*
-		 * Let the update processing complete.
-		 */
-		if (client->nupdates > 0)
-			return (ISC_TRUE);
-		/*
 		 * We are trying to abort request processing.
 		 */
 		if (client->nsends > 0) {
@@ -302,9 +312,9 @@ exit_check(ns_client_t *client) {
 			isc_quota_detach(&client->tcpquota);
 
 		if (client->timerset) {
-			(void) isc_timer_reset(client->timer,
-					       isc_timertype_inactive,
-					       NULL, NULL, ISC_TRUE);
+			(void)isc_timer_reset(client->timer,
+					      isc_timertype_inactive,
+					      NULL, NULL, ISC_TRUE);
 			client->timerset = ISC_FALSE;
 		}
 
@@ -437,7 +447,8 @@ exit_check(ns_client_t *client) {
 			client->list = NULL;
 			if (manager->exiting &&
 			    ISC_LIST_EMPTY(manager->active) &&
-			    ISC_LIST_EMPTY(manager->inactive))
+			    ISC_LIST_EMPTY(manager->inactive) &&
+			    ISC_LIST_EMPTY(manager->recursing))
 				destroy_manager = manager;
 		}
 		/*
@@ -526,14 +537,12 @@ client_shutdown(isc_task_t *task, isc_event_t *event) {
 	(void)exit_check(client);
 }
 
-
 static void
 ns_client_endrequest(ns_client_t *client) {
 	INSIST(client->naccepts == 0);
 	INSIST(client->nreads == 0);
 	INSIST(client->nsends == 0);
 	INSIST(client->nrecvs == 0);
-	INSIST(client->nupdates == 0);
 	INSIST(client->state == NS_CLIENTSTATE_WORKING);
 
 	CTRACE("endrequest");
@@ -626,7 +635,7 @@ ns_client_next(ns_client_t *client, isc_result_t result) {
 
 	if (client->newstate > newstate)
 		client->newstate = newstate;
-	(void) exit_check(client);
+	(void)exit_check(client);
 }
 
 
@@ -756,7 +765,8 @@ client_sendpkg(ns_client_t *client, isc_buffer_t *buffer) {
 		sockflags |= ISC_SOCKFLAG_NORETRY;
 	}
 
-	if ((client->attributes & NS_CLIENTATTR_PKTINFO) != 0)
+	if ((client->attributes & NS_CLIENTATTR_PKTINFO) != 0 &&
+	    (client->attributes & NS_CLIENTATTR_MULTICAST) == 0)
 		pktinfo = &client->pktinfo;
 	else
 		pktinfo = NULL;
@@ -834,6 +844,8 @@ ns_client_send(ns_client_t *client) {
 	dns_compress_t cctx;
 	isc_boolean_t cleanup_cctx = ISC_FALSE;
 	unsigned char sendbuf[SEND_BUFFER_SIZE];
+	unsigned int dnssec_opts;
+	unsigned int preferred_glue;
 
 	REQUIRE(NS_CLIENT_VALID(client));
 
@@ -842,6 +854,19 @@ ns_client_send(ns_client_t *client) {
 	if ((client->attributes & NS_CLIENTATTR_RA) != 0)
 		client->message->flags |= DNS_MESSAGEFLAG_RA;
 
+	if ((client->attributes & NS_CLIENTATTR_WANTDNSSEC) != 0)
+		dnssec_opts = 0;
+	else
+		dnssec_opts = DNS_MESSAGERENDER_OMITDNSSEC;
+
+	preferred_glue = 0;
+	if (client->view != NULL) {
+		if (client->view->preferred_glue == dns_rdatatype_a)
+			preferred_glue = DNS_MESSAGERENDER_PREFER_A;
+		else if (client->view->preferred_glue == dns_rdatatype_aaaa)
+			preferred_glue = DNS_MESSAGERENDER_PREFER_AAAA;
+	}
+
 	/*
 	 * XXXRTH  The following doesn't deal with TCP buffer resizing.
 	 */
@@ -877,7 +902,8 @@ ns_client_send(ns_client_t *client) {
 		goto done;
 	result = dns_message_rendersection(client->message,
 					   DNS_SECTION_ANSWER,
-					   DNS_MESSAGERENDER_PARTIAL);
+					   DNS_MESSAGERENDER_PARTIAL |
+					   dnssec_opts);
 	if (result == ISC_R_NOSPACE) {
 		client->message->flags |= DNS_MESSAGEFLAG_TC;
 		goto renderend;
@@ -886,7 +912,8 @@ ns_client_send(ns_client_t *client) {
 		goto done;
 	result = dns_message_rendersection(client->message,
 					   DNS_SECTION_AUTHORITY,
-					   DNS_MESSAGERENDER_PARTIAL);
+					   DNS_MESSAGERENDER_PARTIAL |
+					   dnssec_opts);
 	if (result == ISC_R_NOSPACE) {
 		client->message->flags |= DNS_MESSAGEFLAG_TC;
 		goto renderend;
@@ -894,7 +921,8 @@ ns_client_send(ns_client_t *client) {
 	if (result != ISC_R_SUCCESS)
 		goto done;
 	result = dns_message_rendersection(client->message,
-					   DNS_SECTION_ADDITIONAL, 0);
+					   DNS_SECTION_ADDITIONAL,
+					   preferred_glue | dnssec_opts);
 	if (result != ISC_R_SUCCESS && result != ISC_R_NOSPACE)
 		goto done;
  renderend:
@@ -930,34 +958,6 @@ ns_client_send(ns_client_t *client) {
 	ns_client_next(client, result);
 }
 
-#if NS_CLIENT_DROPPORT
-#define DROPPORT_NO		0
-#define DROPPORT_REQUEST	1
-#define DROPPORT_RESPONSE	2
-/*%
- * ns_client_dropport determines if certain requests / responses
- * should be dropped based on the port number.
- *
- * Returns:
- * \li	0:	Don't drop.
- * \li	1:	Drop request.
- * \li	2:	Drop (error) response.
- */
-static int
-ns_client_dropport(in_port_t port) {
-	switch (port) {
-	case 7: /* echo */
-	case 13: /* daytime */
-	case 19: /* chargen */
-	case 37: /* time */
-		return (DROPPORT_REQUEST);
-	case 464: /* kpasswd */
-		return (DROPPORT_RESPONSE);
-	}
-	return (DROPPORT_NO);
-}
-#endif
-
 void
 ns_client_error(ns_client_t *client, isc_result_t result) {
 	dns_rcode_t rcode;
@@ -970,28 +970,6 @@ ns_client_error(ns_client_t *client, isc_result_t result) {
 	message = client->message;
 	rcode = dns_result_torcode(result);
 
-#if NS_CLIENT_DROPPORT
-	/*
-	 * Don't send FORMERR to ports on the drop port list.
-	 */
-	if (rcode == dns_rcode_formerr &&
-	    ns_client_dropport(isc_sockaddr_getport(&client->peeraddr)) !=
-	    DROPPORT_NO) {
-		char buf[64];
-		isc_buffer_t b;
-
-		isc_buffer_init(&b, buf, sizeof(buf) - 1);
-		if (dns_rcode_totext(rcode, &b) != ISC_R_SUCCESS)
-			isc_buffer_putstr(&b, "UNKNOWN RCODE");
-		ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
-			      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(10),
-			      "dropped error (%.*s) response: suspicious port",
-			      (int)isc_buffer_usedlength(&b), buf);
-		ns_client_next(client, ISC_R_SUCCESS);
-		return;
-	}
-#endif
-
 	/*
 	 * Message may be an in-progress reply that we had trouble
 	 * with, in which case QR will be set.  We need to clear QR before
@@ -1052,6 +1030,9 @@ client_addopt(ns_client_t *client) {
 	dns_rdatalist_t *rdatalist;
 	dns_rdata_t *rdata;
 	isc_result_t result;
+	dns_view_t *view;
+	dns_resolver_t *resolver;
+	isc_uint16_t udpsize;
 
 	REQUIRE(client->opt == NULL);	/* XXXRTH free old. */
 
@@ -1075,19 +1056,21 @@ client_addopt(ns_client_t *client) {
 	/*
 	 * Set the maximum UDP buffer size.
 	 */
-	rdatalist->rdclass = RECV_BUFFER_SIZE;
+	view = client->view;
+	resolver = (view != NULL) ? view->resolver : NULL;
+	if (resolver != NULL)
+		udpsize = dns_resolver_getudpsize(resolver);
+	else
+		udpsize = ns_g_udpsize;
+	rdatalist->rdclass = udpsize;
 
 	/*
-	 * Set EXTENDED-RCODE, VERSION, and Z to 0.
+	 * Set EXTENDED-RCODE, VERSION and Z to 0.
 	 */
-#ifdef ISC_RFC2535
 	rdatalist->ttl = (client->extflags & DNS_MESSAGEEXTFLAG_REPLYPRESERVE);
-#else
-	rdatalist->ttl = 0;
-#endif
 
 	/*
-	 * No EDNS options in the default case.
+	 * No ENDS options in the default case.
 	 */
 	rdata->data = NULL;
 	rdata->length = 0;
@@ -1097,7 +1080,8 @@ client_addopt(ns_client_t *client) {
 
 	ISC_LIST_INIT(rdatalist->rdata);
 	ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
-	dns_rdatalist_tordataset(rdatalist, rdataset);
+	RUNTIME_CHECK(dns_rdatalist_tordataset(rdatalist, rdataset)
+		      == ISC_R_SUCCESS);
 
 	client->opt = rdataset;
 
@@ -1105,13 +1089,13 @@ client_addopt(ns_client_t *client) {
 }
 
 static inline isc_boolean_t
-allowed(isc_netaddr_t *addr, dns_acl_t *acl) {
+allowed(isc_netaddr_t *addr, dns_name_t *signer, dns_acl_t *acl) {
 	int match;
 	isc_result_t result;
 
 	if (acl == NULL)
 		return (ISC_TRUE);
-	result = dns_acl_match(addr, NULL, acl, &ns_g_server->aclenv,
+	result = dns_acl_match(addr, signer, acl, &ns_g_server->aclenv,
 			       &match, NULL);
 	if (result == ISC_R_SUCCESS && match > 0)
 		return (ISC_TRUE);
@@ -1127,7 +1111,7 @@ client_request(isc_task_t *task, isc_event_t *event) {
 	ns_client_t *client;
 	isc_socketevent_t *sevent;
 	isc_result_t result;
-	isc_result_t sigresult;
+	isc_result_t sigresult = ISC_R_SUCCESS;
 	isc_buffer_t *buffer;
 	isc_buffer_t tbuffer;
 	dns_view_t *view;
@@ -1145,8 +1129,6 @@ client_request(isc_task_t *task, isc_event_t *event) {
 	REQUIRE(NS_CLIENT_VALID(client));
 	REQUIRE(task == client->task);
 
-	UNUSED(task);
-
 	INSIST(client->recursionquota == NULL);
 
 	INSIST(client->state ==
@@ -1190,7 +1172,7 @@ client_request(isc_task_t *task, isc_event_t *event) {
 		goto cleanup;
 	client->state = client->newstate = NS_CLIENTSTATE_WORKING;
 
-	isc_stdtime_get(&client->requesttime);
+	isc_task_getcurrenttime(task, &client->requesttime);
 	client->now = client->requesttime;
 
 	if (result != ISC_R_SUCCESS) {
@@ -1212,17 +1194,6 @@ client_request(isc_task_t *task, isc_event_t *event) {
 
 	isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
 
-#if NS_CLIENT_DROPPORT
-	if (ns_client_dropport(isc_sockaddr_getport(&client->peeraddr)) ==
-	    DROPPORT_REQUEST) {
-		ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
-			      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(10),
-			      "dropped request: suspicious port");
-		ns_client_next(client, ISC_R_SUCCESS);
-		goto cleanup;
-	}
-#endif
-
 	ns_client_log(client, NS_LOGCATEGORY_CLIENT,
 		      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
 		      "%s request",
@@ -1248,12 +1219,15 @@ client_request(isc_task_t *task, isc_event_t *event) {
 		}
 	}
 
+	/*
+	 * Silently drop multicast requests for the present.
+	 * XXXMPA look at when/if mDNS spec stabilizes.
+	 */
 	if ((client->attributes & NS_CLIENTATTR_MULTICAST) != 0) {
 		ns_client_log(client, NS_LOGCATEGORY_CLIENT,
 			      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(2),
-			      "multicast request");
+			      "dropping multicast request");
 		ns_client_next(client, DNS_R_REFUSED);
-		goto cleanup;
 	}
 
 	result = dns_message_peekheader(buffer, &id, &flags);
@@ -1284,14 +1258,6 @@ client_request(isc_task_t *task, isc_event_t *event) {
 	}
 
 	/*
-	 * Hash the incoming request here as it is after
-	 * dns_dispatch_importrecv().
-	 */
-	dns_dispatch_hash(&client->now, sizeof(client->now));
-	dns_dispatch_hash(isc_buffer_base(buffer),
-			  isc_buffer_usedlength(buffer));
-
-	/*
 	 * It's a request.  Parse it.
 	 */
 	result = dns_message_parse(client->message, buffer, 0);
@@ -1318,6 +1284,10 @@ client_request(isc_task_t *task, isc_event_t *event) {
 
 	client->message->rcode = dns_rcode_noerror;
 
+	/* RFC1123 section 6.1.3.2 */
+	if ((client->attributes & NS_CLIENTATTR_MULTICAST) != 0)
+		client->message->flags &= ~DNS_MESSAGEFLAG_RD;
+
 	/*
 	 * Deal with EDNS.
 	 */
@@ -1352,7 +1322,7 @@ client_request(isc_task_t *task, isc_event_t *event) {
 		}
 
 		/*
-		 * Do we understand this version of EDNS?
+		 * Do we understand this version of ENDS?
 		 *
 		 * XXXRTH need library support for this!
 		 */
@@ -1374,36 +1344,31 @@ client_request(isc_task_t *task, isc_event_t *event) {
 	}
 
 	/*
-	 * Determine the destination address.  For TCP/IPv6, we get this from
-	 * the receiving socket.  For UDP/IPv6, we get it from the pktinfo
-	 * structure (if supported).  For IPv4, we have to do with
+	 * Determine the destination address.  For IPv6, we get this from the
+	 * pktinfo structure (if supported).  For IPv4, we have to make do with
 	 * the address of the interface where the request was received.
 	 */
 	if (client->interface->addr.type.sa.sa_family == AF_INET6) {
-		result = ISC_R_FAILURE;
-
-		if (TCP_CLIENT(client)) {
-			isc_sockaddr_t destsockaddr;
+		if ((client->attributes & NS_CLIENTATTR_PKTINFO) != 0) {
+			isc_uint32_t zone = 0;
 
-			result = isc_socket_getsockname(client->tcpsocket,
-							&destsockaddr);
-			if (result == ISC_R_SUCCESS)
-				isc_netaddr_fromsockaddr(&destaddr,
-							 &destsockaddr);
-		}
-		if (result != ISC_R_SUCCESS &&
-		    (client->attributes & NS_CLIENTATTR_PKTINFO) != 0) {
-			isc_netaddr_fromin6(&destaddr, &client->pktinfo.ipi6_addr);
-			result = ISC_R_SUCCESS;
-		}
-		if (result != ISC_R_SUCCESS) {
-			UNEXPECTED_ERROR(__FILE__, __LINE__,
-					 "failed to get request's "
-					 "destination: %s",
-					 isc_result_totext(result));
-			ns_client_next(client, ISC_R_SUCCESS);
-			goto cleanup;
-		}
+			/*
+			 * XXXJT technically, we should convert the receiving
+			 * interface ID to a proper scope zone ID.  However,
+			 * due to the fact there is no standard API for this,
+			 * we only handle link-local addresses and use the
+			 * interface index as link ID.  Despite the assumption,
+			 * it should cover most typical cases.
+			 */
+			if (IN6_IS_ADDR_LINKLOCAL(&client->pktinfo.ipi6_addr))
+				zone = (isc_uint32_t)client->pktinfo.ipi6_ifindex;
+
+			isc_netaddr_fromin6(&destaddr,
+					    &client->pktinfo.ipi6_addr);
+			isc_netaddr_setzone(&destaddr, zone);
+						      
+		} else
+			isc_netaddr_any6(&destaddr);
 	} else {
 		isc_netaddr_fromsockaddr(&destaddr, &client->interface->addr);
 	}
@@ -1417,10 +1382,16 @@ client_request(isc_task_t *task, isc_event_t *event) {
 		if (client->message->rdclass == view->rdclass ||
 		    client->message->rdclass == dns_rdataclass_any)
 		{
-			if (allowed(&netaddr, view->matchclients) &&
-			    allowed(&destaddr, view->matchdestinations) &&
-			    !((flags & DNS_MESSAGEFLAG_RD) == 0 &&
-			      view->matchrecursiveonly))
+			dns_name_t *tsig = NULL;
+			sigresult = dns_message_rechecksig(client->message,
+							   view);
+			if (sigresult == ISC_R_SUCCESS)
+				tsig = client->message->tsigname;
+				
+			if (allowed(&netaddr, tsig, view->matchclients) &&
+			    allowed(&destaddr, tsig, view->matchdestinations) &&
+			    !((client->message->flags & DNS_MESSAGEFLAG_RD)
+			      == 0 && view->matchrecursiveonly))
 			{
 				dns_view_attach(view, &client->view);
 				break;
@@ -1438,6 +1409,9 @@ client_request(isc_task_t *task, isc_event_t *event) {
 		 */
 		isc_buffer_t b;
 		isc_region_t *r;
+
+		dns_message_resetsig(client->message);
+
 		r = dns_message_getrawmessage(client->message);
 		isc_buffer_init(&b, r->base, r->length);
 		isc_buffer_add(&b, r->length);
@@ -1463,7 +1437,6 @@ client_request(isc_task_t *task, isc_event_t *event) {
 	 * not.  We do not log the lack of a signature unless we are
 	 * debugging.
 	 */
-	sigresult = dns_message_checksig(client->message, client->view);
 	client->signer = NULL;
 	dns_name_init(&client->signername, NULL);
 	result = dns_message_signer(client->message, &client->signername);
@@ -1481,11 +1454,29 @@ client_request(isc_task_t *task, isc_event_t *event) {
 			      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
 			      "request is signed by a nonauthoritative key");
 	} else {
+		char tsigrcode[64];
+		isc_buffer_t b;
+		dns_name_t *name = NULL;
+
+		isc_buffer_init(&b, tsigrcode, sizeof(tsigrcode) - 1);
+		RUNTIME_CHECK(dns_tsigrcode_totext(client->message->tsigstatus,
+						   &b) == ISC_R_SUCCESS);
+		tsigrcode[isc_buffer_usedlength(&b)] = '\0';
 		/* There is a signature, but it is bad. */
-		ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
-			      NS_LOGMODULE_CLIENT, ISC_LOG_ERROR,
-			      "request has invalid signature: %s",
-			      isc_result_totext(result));
+		if (dns_message_gettsig(client->message, &name) != NULL) {
+			char namebuf[DNS_NAME_FORMATSIZE];
+			dns_name_format(name, namebuf, sizeof(namebuf));
+			ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+				      NS_LOGMODULE_CLIENT, ISC_LOG_ERROR,
+				      "request has invalid signature: "
+				      "TSIG %s: %s (%s)", namebuf,
+				      isc_result_totext(result), tsigrcode);
+		} else {
+			ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+				      NS_LOGMODULE_CLIENT, ISC_LOG_ERROR,
+				      "request has invalid signature: %s (%s)",
+				      isc_result_totext(result), tsigrcode);
+		}
 		/*
 		 * Accept update messages signed by unknown keys so that
 		 * update forwarding works transparently through slaves
@@ -1507,17 +1498,17 @@ client_request(isc_task_t *task, isc_event_t *event) {
 	ra = ISC_FALSE;
 	if (client->view->resolver != NULL &&
 	    client->view->recursion == ISC_TRUE &&
-	    /* XXX this will log too much too early */
-	    ns_client_checkacl(client, "recursion available:",
-			       client->view->recursionacl,
-			       ISC_TRUE, ISC_LOG_DEBUG(1)) == ISC_R_SUCCESS &&
-	    ns_client_checkaclsilent(client, client->view->queryacl,
+	    ns_client_checkaclsilent(client, client->view->recursionacl,
 				     ISC_TRUE) == ISC_R_SUCCESS)
 		ra = ISC_TRUE;
 
 	if (ra == ISC_TRUE)
 		client->attributes |= NS_CLIENTATTR_RA;
 
+	ns_client_log(client, DNS_LOGCATEGORY_SECURITY, NS_LOGMODULE_CLIENT,
+		      ISC_LOG_DEBUG(3), ra ? "recursion available" :
+		      			     "recursion not available");
+
 	/*
 	 * Dispatch the request.
 	 */
@@ -1575,11 +1566,12 @@ client_timeout(isc_task_t *task, isc_event_t *event) {
 
 	if (client->newstate > NS_CLIENTSTATE_READY)
 		client->newstate = NS_CLIENTSTATE_READY;
-	(void) exit_check(client);
+	(void)exit_check(client);
 }
 
 static isc_result_t
-client_create(ns_clientmgr_t *manager, ns_client_t **clientp) {
+client_create(ns_clientmgr_t *manager, ns_client_t **clientp)
+{
 	ns_client_t *client;
 	isc_result_t result;
 
@@ -1593,7 +1585,7 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) {
 
 	REQUIRE(clientp != NULL && *clientp == NULL);
 
-	client = isc_mem_get(manager->mctx, sizeof *client);
+	client = isc_mem_get(manager->mctx, sizeof(*client));
 	if (client == NULL)
 		return (ISC_R_NOMEMORY);
 
@@ -1654,7 +1646,6 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) {
 	client->nreads = 0;
 	client->nsends = 0;
 	client->nrecvs = 0;
-	client->nupdates = 0;
 	client->nctls = 0;
 	client->references = 0;
 	client->attributes = 0;
@@ -1733,7 +1724,7 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) {
 	isc_task_detach(&client->task);
 
  cleanup_client:
-	isc_mem_put(manager->mctx, client, sizeof *client);
+	isc_mem_put(manager->mctx, client, sizeof(*client));
 
 	return (result);
 }
@@ -1796,8 +1787,8 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
 		client->state = NS_CLIENTSTATE_READING;
 		INSIST(client->recursionquota == NULL);
 
-		(void) isc_socket_getpeername(client->tcpsocket,
-					      &client->peeraddr);
+		(void)isc_socket_getpeername(client->tcpsocket,
+					     &client->peeraddr);
 		client->peeraddr_valid = ISC_TRUE;
 		ns_client_log(client, NS_LOGCATEGORY_CLIENT,
 			   NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
@@ -1913,11 +1904,11 @@ client_udprecv(ns_client_t *client) {
 				  client->task, client->recvevent, 0);
 	if (result != ISC_R_SUCCESS) {
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_socket_recv2() failed: %s",
+				 "isc_socket_recv() failed: %s",
 				 isc_result_totext(result));
 		/*
 		 * This cannot happen in the current implementation, since
-		 * isc_socket_recv2() cannot fail if flags == 0A
+		 * isc_socket_recv2() cannot fail if flags == 0.
 		 *
 		 * If this does fail, we just go idle.
 		 */
@@ -1949,7 +1940,7 @@ ns_client_detach(ns_client_t **clientp) {
 	ns_client_log(client, NS_LOGCATEGORY_CLIENT,
 		      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(10),
 		      "ns_client_detach: ref = %d", client->references);
-	(void) exit_check(client);
+	(void)exit_check(client);
 }
 
 isc_boolean_t
@@ -1988,12 +1979,13 @@ static void
 clientmgr_destroy(ns_clientmgr_t *manager) {
 	REQUIRE(ISC_LIST_EMPTY(manager->active));
 	REQUIRE(ISC_LIST_EMPTY(manager->inactive));
+	REQUIRE(ISC_LIST_EMPTY(manager->recursing));
 
 	MTRACE("clientmgr_destroy");
 
 	DESTROYLOCK(&manager->lock);
 	manager->magic = 0;
-	isc_mem_put(manager->mctx, manager, sizeof *manager);
+	isc_mem_put(manager->mctx, manager, sizeof(*manager));
 }
 
 isc_result_t
@@ -2003,7 +1995,7 @@ ns_clientmgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
 	ns_clientmgr_t *manager;
 	isc_result_t result;
 
-	manager = isc_mem_get(mctx, sizeof *manager);
+	manager = isc_mem_get(mctx, sizeof(*manager));
 	if (manager == NULL)
 		return (ISC_R_NOMEMORY);
 
@@ -2017,6 +2009,7 @@ ns_clientmgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
 	manager->exiting = ISC_FALSE;
 	ISC_LIST_INIT(manager->active);
 	ISC_LIST_INIT(manager->inactive);
+	ISC_LIST_INIT(manager->recursing);
 	manager->magic = MANAGER_MAGIC;
 
 	MTRACE("create");
@@ -2026,7 +2019,7 @@ ns_clientmgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
 	return (ISC_R_SUCCESS);
 
  cleanup_manager:
-	isc_mem_put(manager->mctx, manager, sizeof *manager);
+	isc_mem_put(manager->mctx, manager, sizeof(*manager));
 
 	return (result);
 }
@@ -2047,6 +2040,11 @@ ns_clientmgr_destroy(ns_clientmgr_t **managerp) {
 
 	manager->exiting = ISC_TRUE;
 
+	for (client = ISC_LIST_HEAD(manager->recursing);
+	     client != NULL;
+	     client = ISC_LIST_NEXT(client, link))
+		isc_task_shutdown(client->task);
+
 	for (client = ISC_LIST_HEAD(manager->active);
 	     client != NULL;
 	     client = ISC_LIST_NEXT(client, link))
@@ -2058,7 +2056,8 @@ ns_clientmgr_destroy(ns_clientmgr_t **managerp) {
 		isc_task_shutdown(client->task);
 
 	if (ISC_LIST_EMPTY(manager->active) &&
-	    ISC_LIST_EMPTY(manager->inactive))
+	    ISC_LIST_EMPTY(manager->inactive) &&
+	    ISC_LIST_EMPTY(manager->recursing))
 		need_destroy = ISC_TRUE;
 
 	UNLOCK(&manager->lock);
@@ -2211,23 +2210,25 @@ ns_client_name(ns_client_t *client, char *peerbuf, size_t len) {
 		snprintf(peerbuf, len, "@%p", client);
 }
 
-static void
-ns_client_logv(ns_client_t *client, isc_logcategory_t *category,
-	   isc_logmodule_t *module, int level, const char *fmt, va_list ap)
-     ISC_FORMAT_PRINTF(5, 0);
-
-static void
+void
 ns_client_logv(ns_client_t *client, isc_logcategory_t *category,
 	   isc_logmodule_t *module, int level, const char *fmt, va_list ap)
 {
 	char msgbuf[2048];
 	char peerbuf[ISC_SOCKADDR_FORMATSIZE];
+	const char *name = "";
+	const char *sep = "";
 
 	vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
-	ns_client_name(client, peerbuf, sizeof peerbuf);
+	ns_client_name(client, peerbuf, sizeof(peerbuf));
+	if (client->view != NULL && strcmp(client->view->name, "_bind") != 0 &&
+	    strcmp(client->view->name, "_default") != 0) {
+		name = client->view->name;
+		sep = ": view ";
+	}
 
 	isc_log_write(ns_g_lctx, category, module, level,
-		      "client %s: %s", peerbuf, msgbuf);
+		      "client %s%s%s: %s", peerbuf, sep, name, msgbuf);
 }
 
 void
@@ -2245,15 +2246,18 @@ ns_client_log(ns_client_t *client, isc_logcategory_t *category,
 }
 
 void
-ns_client_aclmsg(const char *msg, dns_name_t *name, dns_rdataclass_t rdclass,
-		 char *buf, size_t len) 
+ns_client_aclmsg(const char *msg, dns_name_t *name, dns_rdatatype_t type,
+		 dns_rdataclass_t rdclass, char *buf, size_t len) 
 {
         char namebuf[DNS_NAME_FORMATSIZE];
+        char typebuf[DNS_RDATATYPE_FORMATSIZE];
         char classbuf[DNS_RDATACLASS_FORMATSIZE];
 
         dns_name_format(name, namebuf, sizeof(namebuf));
+        dns_rdatatype_format(type, typebuf, sizeof(typebuf));
         dns_rdataclass_format(rdclass, classbuf, sizeof(classbuf));
-        (void)snprintf(buf, len, "%s '%s/%s'", msg, namebuf, classbuf);
+        (void)snprintf(buf, len, "%s '%s/%s/%s'", msg, namebuf, typebuf,
+		       classbuf);
 }
 
 static void
@@ -2290,3 +2294,34 @@ ns_client_dumpmessage(ns_client_t *client, const char *reason) {
 	if (buf != NULL)
 		isc_mem_put(client->mctx, buf, len);
 }
+
+void
+ns_client_dumprecursing(FILE *f, ns_clientmgr_t *manager) {
+	ns_client_t *client;
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char peerbuf[ISC_SOCKADDR_FORMATSIZE];
+	const char *name;
+	const char *sep;
+
+	REQUIRE(VALID_MANAGER(manager));
+	      
+	LOCK(&manager->lock);
+	client = ISC_LIST_HEAD(manager->recursing);
+	while (client != NULL) {
+		ns_client_name(client, peerbuf, sizeof(peerbuf));
+		if (client->view != NULL &&
+		    strcmp(client->view->name, "_bind") != 0 &&
+		    strcmp(client->view->name, "_default") != 0) {
+			name = client->view->name;
+			sep = ": view ";
+		} else {
+			name = "";
+			sep = "";
+		}
+		dns_name_format(client->query.qname, namebuf, sizeof(namebuf));
+		fprintf(f, "; client %s%s%s: '%s' requesttime %d\n",
+			peerbuf, sep, name, namebuf, client->requesttime);
+		client = ISC_LIST_NEXT(client, link);
+	}
+	UNLOCK(&manager->lock);
+}
diff --git a/bin/named/config.c b/bin/named/config.c
index b8e639fe..f28b00a6 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001, 2002  Internet Software Consortium.
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2001-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: config.c,v 1.11.2.9 2006/03/01 01:34:04 marka Exp $ */
+/* $Id: config.c,v 1.11.2.4.8.25 2004/03/11 05:58:40 marka Exp $ */
 
 #include <config.h>
 
@@ -30,11 +30,12 @@
 #include <isc/sockaddr.h>
 #include <isc/util.h>
 
-#include <isccfg/cfg.h>
+#include <isccfg/namedconf.h>
 
 #include <dns/fixedname.h>
 #include <dns/name.h>
 #include <dns/rdataclass.h>
+#include <dns/rdatatype.h>
 #include <dns/tsig.h>
 #include <dns/zone.h>
 
@@ -43,17 +44,14 @@
 
 static char defaultconf[] = "\
 options {\n\
-#	blackhole {none;};\n"
-#ifndef WIN32
-"	coresize default;\n\
+#	blackhole {none;};\n\
+	coresize default;\n\
 	datasize default;\n\
-	files default;\n\
-	stacksize default;\n"
-#endif
-"	deallocate-on-exit true;\n\
+	deallocate-on-exit true;\n\
 #	directory <none>\n\
 	dump-file \"named_dump.db\";\n\
 	fake-iquery no;\n\
+	files default;\n\
 	has-old-clients false;\n\
 	heartbeat-interval 60;\n\
 	host-statistics no;\n\
@@ -66,6 +64,7 @@ options {\n\
 #	named-xfer <obsolete>;\n\
 #	pid-file \"" NS_LOCALSTATEDIR "/named.pid\"; /* or /lwresd.pid */\n\
 	port 53;\n\
+	recursing-file \"named.recursing\";\n\
 "
 #ifdef PATH_RANDOMDEV
 "\
@@ -77,9 +76,12 @@ options {\n\
 	rrset-order {order cyclic;};\n\
 	serial-queries 20;\n\
 	serial-query-rate 20;\n\
+	server-id none;\n\
+	stacksize default;\n\
 	statistics-file \"named.stats\";\n\
 	statistics-interval 60;\n\
 	tcp-clients 100;\n\
+	tcp-listen-queue 3;\n\
 #	tkey-dhkey <none>\n\
 #	tkey-gssapi-credential <none>\n\
 #	tkey-domain <none>\n\
@@ -89,13 +91,13 @@ options {\n\
 	treat-cr-as-space true;\n\
 	use-id-pool true;\n\
 	use-ixfr true;\n\
-	version \""VERSION"\";\n\
+	edns-udp-size 4096;\n\
 \n\
 	/* view */\n\
 	allow-notify {none;};\n\
 	allow-update-forwarding {none;};\n\
 	allow-recursion {any;};\n\
-	allow-v6-synthesis {none;};\n\
+#	allow-v6-synthesis <obsolete>;\n\
 #	sortlist <none>\n\
 #	topology <none>\n\
 	auth-nxdomain false;\n\
@@ -118,11 +120,13 @@ options {\n\
 	max-cache-ttl 604800; /* 1 week */\n\
 	transfer-format many-answers;\n\
 	max-cache-size 0;\n\
-	check-names master ignore;\n\
-	check-names slave ignore;\n\
+	check-names master fail;\n\
+	check-names slave warn;\n\
 	check-names response ignore;\n\
-\n\
-	/* zone */\n\
+	dnssec-enable no; /* Make yes for 9.4. */ \n\
+"
+
+"	/* zone */\n\
 	allow-query {any;};\n\
 	allow-transfer {any;};\n\
 	notify yes;\n\
@@ -134,6 +138,8 @@ options {\n\
 #	max-ixfr-log-size <obsolete>\n\
 	transfer-source *;\n\
 	transfer-source-v6 *;\n\
+	alt-transfer-source *;\n\
+	alt-transfer-source-v6 *;\n\
 	max-transfer-time-in 120;\n\
 	max-transfer-time-out 120;\n\
 	max-transfer-idle-in 60;\n\
@@ -142,9 +148,40 @@ options {\n\
 	min-retry-time 500;\n\
 	max-refresh-time 2419200; /* 4 weeks */\n\
 	min-refresh-time 300;\n\
+	multi-master no;\n\
 	sig-validity-interval 30; /* days */\n\
 	zone-statistics false;\n\
-};";
+	max-journal-size unlimited;\n\
+	ixfr-from-differences false;\n\
+};\n\
+"
+
+"#\n\
+#  Zones in the \"_bind\" view are NOT counted is the count of zones.\n\
+#\n\
+view \"_bind\" chaos {\n\
+	recursion no;\n\
+\n\
+	zone \"version.bind\" chaos {\n\
+		type master;\n\
+		database \"_builtin version\";\n\
+	};\n\
+\n\
+	zone \"hostname.bind\" chaos {\n\
+		type master;\n\
+		database \"_builtin hostname\";\n\
+	};\n\
+\n\
+	zone \"authors.bind\" chaos {\n\
+		type master;\n\
+		database \"_builtin authors\";\n\
+	};\n\
+	zone \"id.server\" chaos {\n\
+		type master;\n\
+		database \"_builtin id\";\n\
+	};\n\
+};\n\
+";
 
 isc_result_t
 ns_config_parsedefaults(cfg_parser_t *parser, cfg_obj_t **conf) {
@@ -156,10 +193,10 @@ ns_config_parsedefaults(cfg_parser_t *parser, cfg_obj_t **conf) {
 }
 
 isc_result_t
-ns_config_get(const cfg_obj_t **maps, const char* name, const cfg_obj_t **obj) {
+ns_config_get(cfg_obj_t **maps, const char* name, cfg_obj_t **obj) {
 	int i;
 
-	for (i = 0; ; i++) {
+	for (i = 0;; i++) {
 		if (maps[i] == NULL)
 			return (ISC_R_NOTFOUND);
 		if (cfg_map_get(maps[i], name, obj) == ISC_R_SUCCESS)
@@ -168,8 +205,8 @@ ns_config_get(const cfg_obj_t **maps, const char* name, const cfg_obj_t **obj) {
 }
 
 int
-ns_config_listcount(const cfg_obj_t *list) {
-	const cfg_listelt_t *e;
+ns_config_listcount(cfg_obj_t *list) {
+	cfg_listelt_t *e;
 	int i = 0;
 
 	for (e = cfg_list_first(list); e != NULL; e = cfg_list_next(e))
@@ -179,9 +216,9 @@ ns_config_listcount(const cfg_obj_t *list) {
 }
 
 isc_result_t
-ns_config_getclass(const cfg_obj_t *classobj, dns_rdataclass_t defclass,
+ns_config_getclass(cfg_obj_t *classobj, dns_rdataclass_t defclass,
 		   dns_rdataclass_t *classp) {
-	const char *str;
+	char *str;
 	isc_textregion_t r;
 	isc_result_t result;
 
@@ -190,7 +227,7 @@ ns_config_getclass(const cfg_obj_t *classobj, dns_rdataclass_t defclass,
 		return (ISC_R_SUCCESS);
 	}
 	str = cfg_obj_asstring(classobj);
-	DE_CONST(str, r.base);
+	r.base = str;
 	r.length = strlen(str);
 	result = dns_rdataclass_fromtext(classp, &r);
 	if (result != ISC_R_SUCCESS)
@@ -199,10 +236,31 @@ ns_config_getclass(const cfg_obj_t *classobj, dns_rdataclass_t defclass,
 	return (result);
 }
 
+isc_result_t
+ns_config_gettype(cfg_obj_t *typeobj, dns_rdatatype_t deftype,
+		   dns_rdatatype_t *typep) {
+	char *str;
+	isc_textregion_t r;
+	isc_result_t result;
+
+	if (!cfg_obj_isstring(typeobj)) {
+		*typep = deftype;
+		return (ISC_R_SUCCESS);
+	}
+	str = cfg_obj_asstring(typeobj);
+	r.base = str;
+	r.length = strlen(str);
+	result = dns_rdatatype_fromtext(typep, &r);
+	if (result != ISC_R_SUCCESS)
+		cfg_obj_log(typeobj, ns_g_lctx, ISC_LOG_ERROR,
+			    "unknown type '%s'", str);
+	return (result);
+}
+
 dns_zonetype_t
-ns_config_getzonetype(const cfg_obj_t *zonetypeobj) {
+ns_config_getzonetype(cfg_obj_t *zonetypeobj) {
 	dns_zonetype_t ztype = dns_zone_none;
-	const char *str;
+	char *str;
 
 	str = cfg_obj_asstring(zonetypeobj);
 	if (strcasecmp(str, "master") == 0)
@@ -217,19 +275,20 @@ ns_config_getzonetype(const cfg_obj_t *zonetypeobj) {
 }
 
 isc_result_t
-ns_config_getiplist(const cfg_obj_t *config, const cfg_obj_t *list,
+ns_config_getiplist(cfg_obj_t *config, cfg_obj_t *list,
 		    in_port_t defport, isc_mem_t *mctx,
 		    isc_sockaddr_t **addrsp, isc_uint32_t *countp)
 {
 	int count, i = 0;
-	const cfg_obj_t *addrlist;
-	const cfg_obj_t *portobj;
-	const cfg_listelt_t *element;
+	cfg_obj_t *addrlist;
+	cfg_obj_t *portobj;
+	cfg_listelt_t *element;
 	isc_sockaddr_t *addrs;
 	in_port_t port;
 	isc_result_t result;
 
 	INSIST(addrsp != NULL && *addrsp == NULL);
+	INSIST(countp != NULL);
 
 	addrlist = cfg_tuple_get(list, "addresses");
 	count = ns_config_listcount(addrlist);
@@ -282,73 +341,197 @@ ns_config_putiplist(isc_mem_t *mctx, isc_sockaddr_t **addrsp,
 	*addrsp = NULL;
 }
 
+static isc_result_t
+get_masters_def(cfg_obj_t *cctx, char *name, cfg_obj_t **ret) {
+	isc_result_t result;
+	cfg_obj_t *masters = NULL;
+	cfg_listelt_t *elt;
+
+	result = cfg_map_get(cctx, "masters", &masters);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	for (elt = cfg_list_first(masters);
+	     elt != NULL;
+	     elt = cfg_list_next(elt)) {
+		cfg_obj_t *list;
+		const char *listname;
+
+		list = cfg_listelt_value(elt);
+		listname = cfg_obj_asstring(cfg_tuple_get(list, "name"));
+
+		if (strcasecmp(listname, name) == 0) {
+			*ret = list;
+			return (ISC_R_SUCCESS);
+		}
+	}
+	return (ISC_R_NOTFOUND);
+}
+
 isc_result_t
-ns_config_getipandkeylist(const cfg_obj_t *config, const cfg_obj_t *list,
-			  isc_mem_t *mctx, isc_sockaddr_t **addrsp,
-			  dns_name_t ***keysp, isc_uint32_t *countp)
+ns_config_getipandkeylist(cfg_obj_t *config, cfg_obj_t *list, isc_mem_t *mctx,
+			  isc_sockaddr_t **addrsp, dns_name_t ***keysp,
+			  isc_uint32_t *countp)
 {
-	isc_uint32_t count, i = 0;
+	isc_uint32_t addrcount = 0, keycount = 0, i = 0;
+	isc_uint32_t listcount = 0, l = 0, j;
+	isc_uint32_t stackcount = 0, pushed = 0;
 	isc_result_t result;
-	const cfg_listelt_t *element;
-	const cfg_obj_t *addrlist;
-	const cfg_obj_t *portobj;
+	cfg_listelt_t *element;
+	cfg_obj_t *addrlist;
+	cfg_obj_t *portobj;
 	in_port_t port;
 	dns_fixedname_t fname;
 	isc_sockaddr_t *addrs = NULL;
 	dns_name_t **keys = NULL;
+	char **lists = NULL;
+	struct {
+		cfg_listelt_t *element;
+		in_port_t port;
+	} *stack = NULL;
 
-	INSIST(addrsp != NULL && *addrsp == NULL);
+	REQUIRE(addrsp != NULL && *addrsp == NULL);
+	REQUIRE(keysp != NULL && *keysp == NULL);
+	REQUIRE(countp != NULL);
 
+ newlist:
 	addrlist = cfg_tuple_get(list, "addresses");
-	count = ns_config_listcount(addrlist);
-
 	portobj = cfg_tuple_get(list, "port");
 	if (cfg_obj_isuint32(portobj)) {
 		isc_uint32_t val = cfg_obj_asuint32(portobj);
 		if (val > ISC_UINT16_MAX) {
 			cfg_obj_log(portobj, ns_g_lctx, ISC_LOG_ERROR,
 				    "port '%u' out of range", val);
-			result = ISC_R_RANGE;
-			goto cleanup;
+			return (ISC_R_RANGE);
 		}
 		port = (in_port_t) val;
 	} else {
 		result = ns_config_getport(config, &port);
 		if (result != ISC_R_SUCCESS)
-			goto cleanup;
+			return (result);
 	}
 
 	result = ISC_R_NOMEMORY;
 
-	addrs = isc_mem_get(mctx, count * sizeof(isc_sockaddr_t));
-	if (addrs == NULL)
-		goto cleanup;
-
-	keys = isc_mem_get(mctx, count * sizeof(dns_name_t *));
-	if (keys == NULL)
-		goto cleanup;
-
-	for (element = cfg_list_first(addrlist);
+	element = cfg_list_first(addrlist);
+ resume:
+	for ( ;
 	     element != NULL;
-	     element = cfg_list_next(element), i++)
+	     element = cfg_list_next(element))
 	{
-		const cfg_obj_t *addr;
-		const cfg_obj_t *key;
-		const char *keystr;
+		cfg_obj_t *addr;
+		cfg_obj_t *key;
+		char *keystr;
 		isc_buffer_t b;
 
-		INSIST(i < count);
-
-		addr = cfg_tuple_get(cfg_listelt_value(element), "sockaddr");
+		addr = cfg_tuple_get(cfg_listelt_value(element),
+				     "masterselement");
 		key = cfg_tuple_get(cfg_listelt_value(element), "key");
 
+		if (!cfg_obj_issockaddr(addr)) {
+			char *listname = cfg_obj_asstring(addr);
+			isc_result_t tresult;
+
+			/* Grow lists? */
+			if (listcount == l) {
+				void * new;
+				isc_uint32_t newlen = listcount + 16;
+				size_t newsize, oldsize;
+
+				newsize = newlen * sizeof(*lists);
+				oldsize = listcount * sizeof(*lists);
+				new = isc_mem_get(mctx, newsize);
+				if (new == NULL)
+					goto cleanup;
+				if (listcount != 0) {
+					memcpy(new, lists, oldsize);
+					isc_mem_put(mctx, lists, oldsize);
+				}
+				lists = new;
+				listcount = newlen;
+			}
+			/* Seen? */
+			for (j = 0; j < l; j++)
+				if (strcasecmp(lists[j], listname) == 0)
+					break;
+			if (j < l)
+				continue;
+			tresult = get_masters_def(config, listname, &list);
+			if (tresult == ISC_R_NOTFOUND) {
+				cfg_obj_log(addr, ns_g_lctx, ISC_LOG_ERROR,
+                                    "masters \"%s\" not found", listname);
+
+				result = tresult;
+				goto cleanup;
+			}
+			if (tresult != ISC_R_SUCCESS)
+				goto cleanup;
+			lists[l++] = listname;
+			/* Grow stack? */
+			if (stackcount == pushed) {
+				void * new;
+				isc_uint32_t newlen = stackcount + 16;
+				size_t newsize, oldsize;
+
+				newsize = newlen * sizeof(*stack);
+				oldsize = stackcount * sizeof(*stack);
+				new = isc_mem_get(mctx, newsize);
+				if (new == NULL)
+					goto cleanup;
+				if (stackcount != 0) {
+					memcpy(new, stack, oldsize);
+					isc_mem_put(mctx, stack, oldsize);
+				}
+				stack = new;
+				stackcount = newlen;
+			}
+			/*
+			 * We want to resume processing this list on the
+			 * next element.
+			 */
+			stack[pushed].element = cfg_list_next(element);
+			stack[pushed].port = port;
+			pushed++;
+			goto newlist;
+		}
+
+		if (i == addrcount) {
+			void * new;
+			isc_uint32_t newlen = addrcount + 16;
+			size_t newsize, oldsize;
+
+			newsize = newlen * sizeof(isc_sockaddr_t);
+			oldsize = addrcount * sizeof(isc_sockaddr_t);
+			new = isc_mem_get(mctx, newsize);
+			if (new == NULL)
+				goto cleanup;
+			if (addrcount != 0) {
+				memcpy(new, addrs, oldsize);
+				isc_mem_put(mctx, addrs, oldsize);
+			}
+			addrs = new;
+			addrcount = newlen;
+
+			newsize = newlen * sizeof(dns_name_t *);
+			oldsize = keycount * sizeof(dns_name_t *);
+			new = isc_mem_get(mctx, newsize);
+			if (new == NULL)
+				goto cleanup;
+			if (keycount != 0) {
+				memcpy(new, keys, newsize);
+				isc_mem_put(mctx, keys, newsize);
+			}
+			keys = new;
+			keycount = newlen;
+		}
+
 		addrs[i] = *cfg_obj_assockaddr(addr);
 		if (isc_sockaddr_getport(&addrs[i]) == 0)
 			isc_sockaddr_setport(&addrs[i], port);
-
 		keys[i] = NULL;
-		if (!cfg_obj_isstring(key))
+		if (!cfg_obj_isstring(key)) {
+			i++;
 			continue;
+		}
 		keys[i] = isc_mem_get(mctx, sizeof(dns_name_t));
 		if (keys[i] == NULL)
 			goto cleanup;
@@ -366,29 +549,75 @@ ns_config_getipandkeylist(const cfg_obj_t *config, const cfg_obj_t *list,
 				      keys[i]);
 		if (result != ISC_R_SUCCESS)
 			goto cleanup;
+		i++;
 	}
-	INSIST(i == count);
+	if (pushed != 0) {
+		pushed--;
+		element = stack[pushed].element;
+		port = stack[pushed].port;
+		goto resume;
+	}
+	if (i < addrcount) {
+		void * new;
+		size_t newsize, oldsize;
+
+		newsize = i * sizeof(isc_sockaddr_t);
+		oldsize = addrcount * sizeof(isc_sockaddr_t);
+		if (i != 0) {
+			new = isc_mem_get(mctx, newsize);
+			if (new == NULL)
+				goto cleanup;
+			memcpy(new, addrs, newsize);
+			isc_mem_put(mctx, addrs, oldsize);
+		} else
+			new = NULL;
+		addrs = new;
+		addrcount = i;
+
+		newsize = i * sizeof(dns_name_t *);
+		oldsize = keycount * sizeof(dns_name_t *);
+		if (i != 0) {
+			new = isc_mem_get(mctx, newsize);
+			if (new == NULL)
+				goto cleanup;
+			memcpy(new, keys,  newsize);
+			isc_mem_put(mctx, keys, oldsize);
+		} else
+			new = NULL;
+		keys = new;
+		keycount = i;
+	}
+
+	if (lists != NULL)
+		isc_mem_put(mctx, lists, listcount * sizeof(*lists));
+	if (stack != NULL)
+		isc_mem_put(mctx, stack, stackcount * sizeof(*stack));
+	
+	INSIST(keycount == addrcount);
 
 	*addrsp = addrs;
 	*keysp = keys;
-	*countp = count;
+	*countp = addrcount;
 
 	return (ISC_R_SUCCESS);
 
  cleanup:
 	if (addrs != NULL)
-		isc_mem_put(mctx, addrs, count * sizeof(isc_sockaddr_t));
+		isc_mem_put(mctx, addrs, addrcount * sizeof(isc_sockaddr_t));
 	if (keys != NULL) {
-		unsigned int j;
-		for (j = 0 ; j <= i; j++) {
+		for (j = 0; j <= i; j++) {
 			if (keys[j] == NULL)
 				continue;
 			if (dns_name_dynamic(keys[j]))
 				dns_name_free(keys[j], mctx);
 			isc_mem_put(mctx, keys[j], sizeof(dns_name_t));
 		}
-		isc_mem_put(mctx, keys, count * sizeof(dns_name_t *));
+		isc_mem_put(mctx, keys, keycount * sizeof(dns_name_t *));
 	}
+	if (lists != NULL)
+		isc_mem_put(mctx, lists, listcount * sizeof(*lists));
+	if (stack != NULL)
+		isc_mem_put(mctx, stack, stackcount * sizeof(*stack));
 	return (result);
 }
 
@@ -415,14 +644,14 @@ ns_config_putipandkeylist(isc_mem_t *mctx, isc_sockaddr_t **addrsp,
 }
 
 isc_result_t
-ns_config_getport(const cfg_obj_t *config, in_port_t *portp) {
-	const cfg_obj_t *maps[3];
-	const cfg_obj_t *options = NULL;
-	const cfg_obj_t *portobj = NULL;
+ns_config_getport(cfg_obj_t *config, in_port_t *portp) {
+	cfg_obj_t *maps[3];
+	cfg_obj_t *options = NULL;
+	cfg_obj_t *portobj = NULL;
 	isc_result_t result;
 	int i;
 
-	cfg_map_get(config, "options", &options);
+	(void)cfg_map_get(config, "options", &options);
 	i = 0;
 	if (options != NULL)
 		maps[i++] = options;
diff --git a/bin/named/control.c b/bin/named/control.c
index 996111c7..89e36bd4 100644
--- a/bin/named/control.c
+++ b/bin/named/control.c
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001, 2003  Internet Software Consortium.
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2001-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: control.c,v 1.7.2.6 2005/04/07 02:22:08 marka Exp $ */
+/* $Id: control.c,v 1.7.2.2.2.10 2004/03/22 01:52:22 marka Exp $ */
 
 #include <config.h>
 
@@ -24,6 +24,7 @@
 #include <isc/app.h>
 #include <isc/event.h>
 #include <isc/mem.h>
+#include <isc/timer.h>
 #include <isc/util.h>
 
 #include <dns/result.h>
@@ -34,10 +35,8 @@
 
 #include <named/control.h>
 #include <named/log.h>
+#include <named/os.h>
 #include <named/server.h>
-#ifdef HAVE_LIBSCF
-#include <named/ns_smf_globals.h>
-#endif
 
 static isc_boolean_t
 command_compare(const char *text, const char *command) {
@@ -59,9 +58,6 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) {
 	isccc_sexpr_t *data;
 	char *command;
 	isc_result_t result;
-#ifdef HAVE_LIBSCF
-	char *instance = NULL;
-#endif
 
 	data = isccc_alist_lookup(message, "_data");
 	if (data == NULL) {
@@ -88,65 +84,21 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) {
 	 * Compare the 'command' parameter against all known control commands.
 	 */
 	if (command_compare(command, NS_COMMAND_RELOAD)) {
-		result = ns_server_reloadcommand(ns_g_server, command);
+		result = ns_server_reloadcommand(ns_g_server, command, text);
 	} else if (command_compare(command, NS_COMMAND_RECONFIG)) {
 		result = ns_server_reconfigcommand(ns_g_server, command);
 	} else if (command_compare(command, NS_COMMAND_REFRESH)) {
-		result = ns_server_refreshcommand(ns_g_server, command);
+		result = ns_server_refreshcommand(ns_g_server, command, text);
+	} else if (command_compare(command, NS_COMMAND_RETRANSFER)) {
+		result = ns_server_retransfercommand(ns_g_server, command);
 	} else if (command_compare(command, NS_COMMAND_HALT)) {
-#ifdef HAVE_LIBSCF
-		/*
-		 * If we are managed by smf(5), AND in chroot, then
-		 * we cannot connect to the smf repository, so just
-		 * return with an appropriate message back to rndc.
-		 */
-		if (ns_smf_got_instance == 1 && ns_smf_chroot == 1) {
-			result = ns_smf_add_message(text);
-			return (result);
-		}
-		/*
-		 * If we are managed by smf(5) but not in chroot,
-		 * try to disable ourselves the smf way.
-		 */
-		if (ns_smf_got_instance == 1 && ns_smf_chroot == 0) {
-			result = ns_smf_get_instance(&instance, 1, ns_g_mctx);
-			if (result == ISC_R_SUCCESS && instance != NULL) {
-				ns_server_flushonshutdown(ns_g_server,
-					ISC_FALSE);
-				result = ns_smf_disable(instance);
-			}
-			if (instance != NULL)
-				isc_mem_free(ns_g_mctx, instance);
-			return (result);
-		}
-		/*
-		 * If ns_smf_got_instance = 0, ns_smf_chroot
-		 * is not relevant and we fall through to
-		 * isc_app_shutdown below.
-		 */
-#endif
 		ns_server_flushonshutdown(ns_g_server, ISC_FALSE);
+		ns_os_shutdownmsg(command, text);
 		isc_app_shutdown();
 		result = ISC_R_SUCCESS;
 	} else if (command_compare(command, NS_COMMAND_STOP)) {
-#ifdef HAVE_LIBSCF
-		if (ns_smf_got_instance == 1 && ns_smf_chroot == 1) {
-			result = ns_smf_add_message(text);
-			return (result);
-		}
-		if (ns_smf_got_instance == 1 && ns_smf_chroot == 0) {
-			result = ns_smf_get_instance(&instance, 1, ns_g_mctx);
-			if (result == ISC_R_SUCCESS && instance != NULL) {
-				ns_server_flushonshutdown(ns_g_server,
-					ISC_TRUE);
-				result = ns_smf_disable(instance);
-			}
-			if (instance != NULL)
-				isc_mem_free(ns_g_mctx, instance);
-			return (result);
-		}
-#endif
 		ns_server_flushonshutdown(ns_g_server, ISC_TRUE);
+		ns_os_shutdownmsg(command, text);
 		isc_app_shutdown();
 		result = ISC_R_SUCCESS;
 	} else if (command_compare(command, NS_COMMAND_DUMPSTATS)) {
@@ -154,7 +106,7 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) {
 	} else if (command_compare(command, NS_COMMAND_QUERYLOG)) {
 		result = ns_server_togglequerylog(ns_g_server);
 	} else if (command_compare(command, NS_COMMAND_DUMPDB)) {
-		ns_server_dumpdb(ns_g_server);
+		ns_server_dumpdb(ns_g_server, command);
 		result = ISC_R_SUCCESS;
 	} else if (command_compare(command, NS_COMMAND_TRACE)) {
 		result = ns_server_setdebuglevel(ns_g_server, command);
@@ -164,8 +116,16 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) {
 		result = ISC_R_SUCCESS;
 	} else if (command_compare(command, NS_COMMAND_FLUSH)) {
 		result = ns_server_flushcache(ns_g_server, command);
+	} else if (command_compare(command, NS_COMMAND_FLUSHNAME)) {
+		result = ns_server_flushname(ns_g_server, command);
 	} else if (command_compare(command, NS_COMMAND_STATUS)) {
 		result = ns_server_status(ns_g_server, text);
+	} else if (command_compare(command, NS_COMMAND_FREEZE)) {
+		result = ns_server_freeze(ns_g_server, ISC_TRUE, command);
+	} else if (command_compare(command, NS_COMMAND_UNFREEZE)) {
+		result = ns_server_freeze(ns_g_server, ISC_FALSE, command);
+	} else if (command_compare(command, NS_COMMAND_RECURSING)) {
+		result = ns_server_dumprecursing(ns_g_server);
 	} else if (command_compare(command, NS_COMMAND_NULL)) {
 		result = ISC_R_SUCCESS;
 	} else {
diff --git a/bin/named/controlconf.c b/bin/named/controlconf.c
index f8d8c800..5b87fb9c 100644
--- a/bin/named/controlconf.c
+++ b/bin/named/controlconf.c
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001, 2003  Internet Software Consortium.
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2001-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,29 +15,26 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: controlconf.c,v 1.28.2.15 2006/12/07 04:52:57 marka Exp $ */
+/* $Id: controlconf.c,v 1.28.2.9.2.6 2004/03/08 09:04:14 marka Exp $ */
 
 #include <config.h>
 
 #include <isc/base64.h>
 #include <isc/buffer.h>
 #include <isc/event.h>
-#include <isc/file.h>
-#include <isc/fsaccess.h>
 #include <isc/mem.h>
 #include <isc/net.h>
 #include <isc/netaddr.h>
-#include <isc/print.h>
 #include <isc/random.h>
 #include <isc/result.h>
-#include <isc/stdio.h>
 #include <isc/stdtime.h>
 #include <isc/string.h>
 #include <isc/timer.h>
 #include <isc/util.h>
 
-#include <isccfg/cfg.h>
-#include <isccfg/check.h>
+#include <isccfg/namedconf.h>
+
+#include <bind9/check.h>
 
 #include <isccc/alist.h>
 #include <isccc/cc.h>
@@ -48,11 +45,8 @@
 #include <isccc/symtab.h>
 #include <isccc/util.h>
 
-#include <dns/keyvalues.h>
 #include <dns/result.h>
 
-#include <dst/dst.h>
-
 #include <named/config.h>
 #include <named/control.h>
 #include <named/log.h>
@@ -362,9 +356,6 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
 	{
 		ccregion.rstart = isc_buffer_base(&conn->ccmsg.buffer);
 		ccregion.rend = isc_buffer_used(&conn->ccmsg.buffer);
-		if (secret.rstart != NULL)
-			isc_mem_put(listener->mctx, secret.rstart,
-				    REGION_SIZE(secret));
 		secret.rstart = isc_mem_get(listener->mctx, key->secret.length);
 		if (secret.rstart == NULL)
 			goto cleanup;
@@ -380,6 +371,8 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
 			 */
 			if (request != NULL)
 				isccc_sexpr_free(&request);
+			isc_mem_put(listener->mctx, secret.rstart,
+				    REGION_SIZE(secret));
 		} else {
 			log_invalid(&conn->ccmsg, result);
 			goto cleanup;
@@ -656,12 +649,10 @@ ns_controls_shutdown(ns_controls_t *controls) {
 }
 
 static isc_result_t
-cfgkeylist_find(const cfg_obj_t *keylist, const char *keyname,
-	        const cfg_obj_t **objp)
-{
-	const cfg_listelt_t *element;
+cfgkeylist_find(cfg_obj_t *keylist, const char *keyname, cfg_obj_t **objp) {
+	cfg_listelt_t *element;
 	const char *str;
-	const cfg_obj_t *obj;
+	cfg_obj_t *obj;
 
 	for (element = cfg_list_first(keylist);
 	     element != NULL;
@@ -680,14 +671,14 @@ cfgkeylist_find(const cfg_obj_t *keylist, const char *keyname,
 }
 
 static isc_result_t
-controlkeylist_fromcfg(const cfg_obj_t *keylist, isc_mem_t *mctx,
+controlkeylist_fromcfg(cfg_obj_t *keylist, isc_mem_t *mctx,
 		       controlkeylist_t *keyids)
 {
-	const cfg_listelt_t *element;
+	cfg_listelt_t *element;
 	char *newstr = NULL;
 	const char *str;
-	const cfg_obj_t *obj;
-	controlkey_t *key;
+	cfg_obj_t *obj;
+	controlkey_t *key = NULL;
 
 	for (element = cfg_list_first(keylist);
 	     element != NULL;
@@ -706,6 +697,7 @@ controlkeylist_fromcfg(const cfg_obj_t *keylist, isc_mem_t *mctx,
 		key->secret.length = 0;
 		ISC_LINK_INIT(key, link);
 		ISC_LIST_APPEND(*keyids, key, link);
+		key = NULL;
 		newstr = NULL;
 	}
 	return (ISC_R_SUCCESS);
@@ -713,16 +705,18 @@ controlkeylist_fromcfg(const cfg_obj_t *keylist, isc_mem_t *mctx,
  cleanup:
 	if (newstr != NULL)
 		isc_mem_free(mctx, newstr);
+	if (key != NULL)
+		isc_mem_put(mctx, key, sizeof(*key));
 	free_controlkeylist(keyids, mctx);
 	return (ISC_R_NOMEMORY);
 }
 
 static void
-register_keys(const cfg_obj_t *control, const cfg_obj_t *keylist,
+register_keys(cfg_obj_t *control, cfg_obj_t *keylist,
 	      controlkeylist_t *keyids, isc_mem_t *mctx, const char *socktext)
 {
 	controlkey_t *keyid, *next;
-	const cfg_obj_t *keydef;
+	cfg_obj_t *keydef;
 	char secret[1024];
 	isc_buffer_t b;
 	isc_result_t result;
@@ -742,10 +736,10 @@ register_keys(const cfg_obj_t *control, const cfg_obj_t *keylist,
 			ISC_LIST_UNLINK(*keyids, keyid, link);
 			free_controlkey(keyid, mctx);
 		} else {
-			const cfg_obj_t *algobj = NULL;
-			const cfg_obj_t *secretobj = NULL;
-			const char *algstr = NULL;
-			const char *secretstr = NULL;
+			cfg_obj_t *algobj = NULL;
+			cfg_obj_t *secretobj = NULL;
+			char *algstr = NULL;
+			char *secretstr = NULL;
 
 			(void)cfg_map_get(keydef, "algorithm", &algobj);
 			(void)cfg_map_get(keydef, "secret", &secretobj);
@@ -811,11 +805,11 @@ get_rndckey(isc_mem_t *mctx, controlkeylist_t *keyids) {
 	isc_result_t result;
 	cfg_parser_t *pctx = NULL;
 	cfg_obj_t *config = NULL;
-	const cfg_obj_t *key = NULL;
-	const cfg_obj_t *algobj = NULL;
-	const cfg_obj_t *secretobj = NULL;
-	const char *algstr = NULL;
-	const char *secretstr = NULL;
+	cfg_obj_t *key = NULL;
+	cfg_obj_t *algobj = NULL;
+	cfg_obj_t *secretobj = NULL;
+	char *algstr = NULL;
+	char *secretstr = NULL;
 	controlkey_t *keyid = NULL;
 	char secret[1024];
 	isc_buffer_t b;
@@ -835,7 +829,7 @@ get_rndckey(isc_mem_t *mctx, controlkeylist_t *keyids) {
 	if (keyid->keyname == NULL) 
 		CHECK(ISC_R_NOMEMORY);
 
-	CHECK(cfg_check_key(key, ns_g_lctx));
+	CHECK(bind9_check_key(key, ns_g_lctx));
 
 	(void)cfg_map_get(key, "algorithm", &algobj);
 	(void)cfg_map_get(key, "secret", &secretobj);
@@ -894,13 +888,12 @@ get_rndckey(isc_mem_t *mctx, controlkeylist_t *keyids) {
  * valid or both are NULL.
  */
 static void
-get_key_info(const cfg_obj_t *config, const cfg_obj_t *control,
-	     const cfg_obj_t **global_keylistp,
-	     const cfg_obj_t **control_keylistp)
+get_key_info(cfg_obj_t *config, cfg_obj_t *control,
+	     cfg_obj_t **global_keylistp, cfg_obj_t **control_keylistp)
 {
 	isc_result_t result;
-	const cfg_obj_t *control_keylist = NULL;
-	const cfg_obj_t *global_keylist = NULL;
+	cfg_obj_t *control_keylist = NULL;
+	cfg_obj_t *global_keylist = NULL;
 
 	REQUIRE(global_keylistp != NULL && *global_keylistp == NULL);
 	REQUIRE(control_keylistp != NULL && *control_keylistp == NULL);
@@ -919,15 +912,15 @@ get_key_info(const cfg_obj_t *config, const cfg_obj_t *control,
 }
 
 static void
-update_listener(ns_controls_t *cp, controllistener_t **listenerp,
-		const cfg_obj_t *control, const cfg_obj_t *config,
-		isc_sockaddr_t *addr, ns_aclconfctx_t *aclconfctx,
-		const char *socktext)
+update_listener(ns_controls_t *cp,
+		controllistener_t **listenerp, cfg_obj_t *control,
+		cfg_obj_t *config, isc_sockaddr_t *addr,
+		ns_aclconfctx_t *aclconfctx, const char *socktext)
 {
 	controllistener_t *listener;
-	const cfg_obj_t *allow;
-	const cfg_obj_t *global_keylist = NULL;
-	const cfg_obj_t *control_keylist = NULL;
+	cfg_obj_t *allow;
+	cfg_obj_t *global_keylist = NULL;
+	cfg_obj_t *control_keylist = NULL;
 	dns_acl_t *new_acl = NULL;
 	controlkeylist_t keys;
 	isc_result_t result = ISC_R_SUCCESS;
@@ -984,25 +977,18 @@ update_listener(ns_controls_t *cp, controllistener_t **listenerp,
 		result = get_rndckey(listener->mctx, &listener->keys);
 	}
 
-	if (result != ISC_R_SUCCESS && global_keylist != NULL) {
+	if (result != ISC_R_SUCCESS && global_keylist != NULL)
 		/*
 		 * This message might be a little misleading since the
 		 * "new keys" might in fact be identical to the old ones,
 		 * but tracking whether they are identical just for the
 		 * sake of avoiding this message would be too much trouble.
 		 */
-		if (control != NULL)
-			cfg_obj_log(control, ns_g_lctx, ISC_LOG_WARNING,
-				    "couldn't install new keys for "
-				    "command channel %s: %s",
-				    socktext, isc_result_totext(result));
-		else
-			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-				      NS_LOGMODULE_CONTROL, ISC_LOG_WARNING,
-				      "couldn't install new keys for "
-				      "command channel %s: %s",
-				      socktext, isc_result_totext(result));
-	}
+		cfg_obj_log(control, ns_g_lctx, ISC_LOG_WARNING,
+			    "couldn't install new keys for "
+			    "command channel %s: %s",
+			    socktext, isc_result_totext(result));
+
 
 	/*
 	 * Now, keep the old access list unless a new one can be made.
@@ -1019,33 +1005,26 @@ update_listener(ns_controls_t *cp, controllistener_t **listenerp,
 		dns_acl_detach(&listener->acl);
 		dns_acl_attach(new_acl, &listener->acl);
 		dns_acl_detach(&new_acl);
+	} else
 		/* XXXDCL say the old acl is still used? */
-	} else if (control != NULL)
 		cfg_obj_log(control, ns_g_lctx, ISC_LOG_WARNING,
 			    "couldn't install new acl for "
 			    "command channel %s: %s",
 			    socktext, isc_result_totext(result));
-	else
-		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-			      NS_LOGMODULE_CONTROL, ISC_LOG_WARNING,
-			      "couldn't install new acl for "
-			      "command channel %s: %s",
-			      socktext, isc_result_totext(result));
 
 	*listenerp = listener;
 }
 
 static void
 add_listener(ns_controls_t *cp, controllistener_t **listenerp,
-	     const cfg_obj_t *control, const cfg_obj_t *config,
-	     isc_sockaddr_t *addr, ns_aclconfctx_t *aclconfctx,
-	     const char *socktext)
+	     cfg_obj_t *control, cfg_obj_t *config, isc_sockaddr_t *addr,
+	     ns_aclconfctx_t *aclconfctx, const char *socktext)
 {
 	isc_mem_t *mctx = cp->server->mctx;
 	controllistener_t *listener;
-	const cfg_obj_t *allow;
-	const cfg_obj_t *global_keylist = NULL;
-	const cfg_obj_t *control_keylist = NULL;
+	cfg_obj_t *allow;
+	cfg_obj_t *global_keylist = NULL;
+	cfg_obj_t *control_keylist = NULL;
 	dns_acl_t *new_acl = NULL;
 	isc_result_t result = ISC_R_SUCCESS;
 
@@ -1156,13 +1135,13 @@ add_listener(ns_controls_t *cp, controllistener_t **listenerp,
 }
 
 isc_result_t
-ns_controls_configure(ns_controls_t *cp, const cfg_obj_t *config,
+ns_controls_configure(ns_controls_t *cp, cfg_obj_t *config,
 		      ns_aclconfctx_t *aclconfctx)
 {
 	controllistener_t *listener;
 	controllistenerlist_t new_listeners;
-	const cfg_obj_t *controlslist = NULL;
-	const cfg_listelt_t *element, *element2;
+	cfg_obj_t *controlslist = NULL;
+	cfg_listelt_t *element, *element2;
 	char socktext[ISC_SOCKADDR_FORMATSIZE];
 
 	ISC_LIST_INIT(new_listeners);
@@ -1184,8 +1163,8 @@ ns_controls_configure(ns_controls_t *cp, const cfg_obj_t *config,
 		for (element = cfg_list_first(controlslist);
 		     element != NULL;
 		     element = cfg_list_next(element)) {
-			const cfg_obj_t *controls;
-			const cfg_obj_t *inetcontrols = NULL;
+			cfg_obj_t *controls;
+			cfg_obj_t *inetcontrols = NULL;
 
 			controls = cfg_listelt_value(element);
 			(void)cfg_map_get(controls, "inet", &inetcontrols);
@@ -1195,9 +1174,9 @@ ns_controls_configure(ns_controls_t *cp, const cfg_obj_t *config,
 			for (element2 = cfg_list_first(inetcontrols);
 			     element2 != NULL;
 			     element2 = cfg_list_next(element2)) {
-				const cfg_obj_t *control;
-				const cfg_obj_t *obj;
-				isc_sockaddr_t addr;
+				cfg_obj_t *control;
+				cfg_obj_t *obj;
+				isc_sockaddr_t *addr;
 
 				/*
 				 * The parser handles BIND 8 configuration file
@@ -1210,12 +1189,12 @@ ns_controls_configure(ns_controls_t *cp, const cfg_obj_t *config,
 				control = cfg_listelt_value(element2);
 
 				obj = cfg_tuple_get(control, "address");
-				addr = *cfg_obj_assockaddr(obj);
-				if (isc_sockaddr_getport(&addr) == 0)
-					isc_sockaddr_setport(&addr,
+				addr = cfg_obj_assockaddr(obj);
+				if (isc_sockaddr_getport(addr) == 0)
+					isc_sockaddr_setport(addr,
 							     NS_CONTROL_PORT);
 
-				isc_sockaddr_format(&addr, socktext,
+				isc_sockaddr_format(addr, socktext,
 						    sizeof(socktext));
 
 				isc_log_write(ns_g_lctx,
@@ -1226,7 +1205,7 @@ ns_controls_configure(ns_controls_t *cp, const cfg_obj_t *config,
 					      socktext);
 
 				update_listener(cp, &listener, control, config,
-						&addr, aclconfctx, socktext);
+						addr, aclconfctx, socktext);
 
 				if (listener != NULL)
 					/*
@@ -1240,7 +1219,7 @@ ns_controls_configure(ns_controls_t *cp, const cfg_obj_t *config,
 					 * This is a new listener.
 					 */
 					add_listener(cp, &listener, control,
-						     config, &addr, aclconfctx,
+						     config, addr, aclconfctx,
 						     socktext);
 
 				if (listener != NULL)
diff --git a/bin/named/include/named/aclconf.h b/bin/named/include/named/aclconf.h
index 5613c1c8..81265727 100644
--- a/bin/named/include/named/aclconf.h
+++ b/bin/named/include/named/aclconf.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: aclconf.h,v 1.12.2.3 2006/03/02 00:37:17 marka Exp $ */
+/* $Id: aclconf.h,v 1.12.208.1 2004/03/06 10:21:23 marka Exp $ */
 
 #ifndef NS_ACLCONF_H
 #define NS_ACLCONF_H 1
@@ -49,8 +49,8 @@ ns_aclconfctx_destroy(ns_aclconfctx_t *ctx);
  */
 
 isc_result_t
-ns_acl_fromconfig(const cfg_obj_t *caml,
-		  const cfg_obj_t *cctx,
+ns_acl_fromconfig(cfg_obj_t *caml,
+		  cfg_obj_t *cctx,
 		  ns_aclconfctx_t *ctx,
 		  isc_mem_t *mctx,
 		  dns_acl_t **target);
diff --git a/lib/bind/port/sunos/include/paths.h b/bin/named/include/named/builtin.h
index 28936030..15564bf3 100644
--- a/lib/bind/port/sunos/include/paths.h
+++ b/bin/named/include/named/builtin.h
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +15,15 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: paths.h,v 1.1.2.2 2007/05/16 23:45:25 tbox Exp $ */
+/* $Id: builtin.h,v 1.1.204.3 2004/03/08 04:04:20 marka Exp $ */
 
-#define _PATH_DEVNULL "/dev/null"
+#ifndef NAMED_BUILTIN_H
+#define NAMED_BUILTIN_H 1
 
+#include <isc/types.h>
+
+isc_result_t ns_builtin_init(void);
+
+void ns_builtin_deinit(void);
+
+#endif /* NAMED_BUILTIN_H */
diff --git a/bin/named/include/named/client.h b/bin/named/include/named/client.h
index 3589c5b2..25e2105c 100644
--- a/bin/named/include/named/client.h
+++ b/bin/named/include/named/client.h
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: client.h,v 1.60.2.4 2004/07/23 02:57:01 marka Exp $ */
+/* $Id: client.h,v 1.60.2.2.10.7 2004/03/08 04:04:20 marka Exp $ */
 
 #ifndef NAMED_CLIENT_H
 #define NAMED_CLIENT_H 1
@@ -68,10 +68,13 @@
 #include <isc/stdtime.h>
 #include <isc/quota.h>
 
+#include <dns/fixedname.h>
 #include <dns/name.h>
-#include <dns/types.h>
+#include <dns/rdataclass.h>
+#include <dns/rdatatype.h>
 #include <dns/tcpmsg.h>
-#include <dns/fixedname.h>
+#include <dns/types.h>
+
 #include <named/types.h>
 #include <named/query.h>
 
@@ -91,7 +94,6 @@ struct ns_client {
 	int			nreads;
 	int			nsends;
 	int			nrecvs;
-	int			nupdates;
 	int			nctls;
 	int			references;
 	unsigned int		attributes;
@@ -154,6 +156,8 @@ struct ns_client {
 #define NS_CLIENTATTR_RA		0x02 /* Client gets recusive service */
 #define NS_CLIENTATTR_PKTINFO		0x04 /* pktinfo is valid */
 #define NS_CLIENTATTR_MULTICAST		0x08 /* recv'd from multicast */
+#define NS_CLIENTATTR_WANTDNSSEC	0x10 /* include dnssec records */
+
 
 /***
  *** Functions
@@ -305,7 +309,28 @@ ns_client_log(ns_client_t *client, isc_logcategory_t *category,
 	      const char *fmt, ...) ISC_FORMAT_PRINTF(5, 6);
 
 void
-ns_client_aclmsg(const char *msg, dns_name_t *name, dns_rdataclass_t rdclass,
-                 char *buf, size_t len);
+ns_client_logv(ns_client_t *client, isc_logcategory_t *category,
+	       isc_logmodule_t *module, int level, const char *fmt, va_list ap) ISC_FORMAT_PRINTF(5, 0);
+
+void
+ns_client_aclmsg(const char *msg, dns_name_t *name, dns_rdatatype_t type,
+		 dns_rdataclass_t rdclass, char *buf, size_t len);
+
+#define NS_CLIENT_ACLMSGSIZE(x) \
+	(DNS_NAME_FORMATSIZE + DNS_RDATATYPE_FORMATSIZE + \
+	 DNS_RDATACLASS_FORMATSIZE + sizeof(x) + sizeof("'/'"))
+
+void
+ns_client_recursing(ns_client_t *client, isc_boolean_t killoldest);
+/*
+ * Add client to end of recursing list.  If 'killoldest' is true
+ * kill the oldest recursive client (list head). 
+ */
+
+void
+ns_client_dumprecursing(FILE *f, ns_clientmgr_t *manager);
+/*
+ * Dump the outstanding recursive queries to 'f'.
+ */
 
 #endif /* NAMED_CLIENT_H */
diff --git a/bin/named/include/named/config.h b/bin/named/include/named/config.h
index e451d879..d70379f8 100644
--- a/bin/named/include/named/config.h
+++ b/bin/named/include/named/config.h
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001  Internet Software Consortium.
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2001, 2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: config.h,v 1.4.2.3 2006/03/02 00:37:17 marka Exp $ */
+/* $Id: config.h,v 1.4.12.3 2004/03/08 04:04:20 marka Exp $ */
 
 #ifndef NAMED_CONFIG_H
 #define NAMED_CONFIG_H 1
@@ -29,20 +29,24 @@ isc_result_t
 ns_config_parsedefaults(cfg_parser_t *parser, cfg_obj_t **conf);
 
 isc_result_t
-ns_config_get(const cfg_obj_t **maps, const char* name, const cfg_obj_t **obj);
+ns_config_get(cfg_obj_t **maps, const char* name, cfg_obj_t **obj);
 
 int
-ns_config_listcount(const cfg_obj_t *list);
+ns_config_listcount(cfg_obj_t *list);
 
 isc_result_t
-ns_config_getclass(const cfg_obj_t *classobj, dns_rdataclass_t defclass,
+ns_config_getclass(cfg_obj_t *classobj, dns_rdataclass_t defclass,
 		   dns_rdataclass_t *classp);
 
+isc_result_t
+ns_config_gettype(cfg_obj_t *typeobj, dns_rdatatype_t deftype,
+		  dns_rdatatype_t *typep);
+
 dns_zonetype_t
-ns_config_getzonetype(const cfg_obj_t *zonetypeobj);
+ns_config_getzonetype(cfg_obj_t *zonetypeobj);
 
 isc_result_t
-ns_config_getiplist(const cfg_obj_t *config, const cfg_obj_t *list,
+ns_config_getiplist(cfg_obj_t *config, cfg_obj_t *list,
 		    in_port_t defport, isc_mem_t *mctx,
 		    isc_sockaddr_t **addrsp, isc_uint32_t *countp);
 
@@ -51,16 +55,16 @@ ns_config_putiplist(isc_mem_t *mctx, isc_sockaddr_t **addrsp,
 		    isc_uint32_t count);
 
 isc_result_t
-ns_config_getipandkeylist(const cfg_obj_t *config, const cfg_obj_t *list,
-			  isc_mem_t *mctx, isc_sockaddr_t **addrsp,
-			  dns_name_t ***keys, isc_uint32_t *countp);
+ns_config_getipandkeylist(cfg_obj_t *config, cfg_obj_t *list, isc_mem_t *mctx,
+			  isc_sockaddr_t **addrsp, dns_name_t ***keys,
+			  isc_uint32_t *countp);
 
 void
 ns_config_putipandkeylist(isc_mem_t *mctx, isc_sockaddr_t **addrsp,
 			  dns_name_t ***keys, isc_uint32_t count);
 
 isc_result_t
-ns_config_getport(const cfg_obj_t *config, in_port_t *portp);
+ns_config_getport(cfg_obj_t *config, in_port_t *portp);
 
 isc_result_t
 ns_config_getkeyalgorithm(const char *str, dns_name_t **name);
diff --git a/bin/named/include/named/control.h b/bin/named/include/named/control.h
index 8a22ec2b..b8d95d8b 100644
--- a/bin/named/include/named/control.h
+++ b/bin/named/include/named/control.h
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001, 2003  Internet Software Consortium.
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2001-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: control.h,v 1.6.2.5 2006/03/02 00:37:17 marka Exp $ */
+/* $Id: control.h,v 1.6.2.2.2.6 2004/03/08 04:04:20 marka Exp $ */
 
 #ifndef NAMED_CONTROL_H
 #define NAMED_CONTROL_H 1
@@ -36,13 +36,18 @@
 #define NS_COMMAND_RELOAD	"reload"
 #define NS_COMMAND_RECONFIG	"reconfig"
 #define NS_COMMAND_REFRESH	"refresh"
+#define NS_COMMAND_RETRANSFER	"retransfer"
 #define NS_COMMAND_DUMPSTATS	"stats"
 #define NS_COMMAND_QUERYLOG	"querylog"
 #define NS_COMMAND_DUMPDB	"dumpdb"
 #define NS_COMMAND_TRACE	"trace"
 #define NS_COMMAND_NOTRACE	"notrace"
 #define NS_COMMAND_FLUSH	"flush"
+#define NS_COMMAND_FLUSHNAME	"flushname"
 #define NS_COMMAND_STATUS	"status"
+#define NS_COMMAND_FREEZE	"freeze"
+#define NS_COMMAND_UNFREEZE	"unfreeze"
+#define NS_COMMAND_RECURSING	"recursing"
 #define NS_COMMAND_NULL		"null"
 
 isc_result_t
@@ -61,7 +66,7 @@ ns_controls_destroy(ns_controls_t **ctrlsp);
  */
 
 isc_result_t
-ns_controls_configure(ns_controls_t *controls, const cfg_obj_t *config,
+ns_controls_configure(ns_controls_t *controls, cfg_obj_t *config,
 		      ns_aclconfctx_t *aclconfctx);
 /*
  * Configure zero or more command channels into 'controls'
diff --git a/bin/named/include/named/globals.h b/bin/named/include/named/globals.h
index fe072b63..2cc85483 100644
--- a/bin/named/include/named/globals.h
+++ b/bin/named/include/named/globals.h
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: globals.h,v 1.59.2.3 2006/03/02 00:37:17 marka Exp $ */
+/* $Id: globals.h,v 1.59.68.5 2004/03/08 04:04:20 marka Exp $ */
 
 #ifndef NAMED_GLOBALS_H
 #define NAMED_GLOBALS_H 1
@@ -45,6 +45,8 @@ EXTERN unsigned int		ns_g_cpus		INIT(0);
 EXTERN isc_taskmgr_t *		ns_g_taskmgr		INIT(NULL);
 EXTERN dns_dispatchmgr_t *	ns_g_dispatchmgr	INIT(NULL);
 EXTERN isc_entropy_t *		ns_g_entropy		INIT(NULL);
+EXTERN isc_entropy_t *		ns_g_fallbackentropy	INIT(NULL);
+
 /*
  * XXXRTH  We're going to want multiple timer managers eventually.  One
  *         for really short timers, another for client timers, and one
@@ -73,7 +75,7 @@ EXTERN unsigned int		ns_g_debuglevel		INIT(0);
  * Current configuration information.
  */
 EXTERN cfg_obj_t *		ns_g_config		INIT(NULL);
-EXTERN const cfg_obj_t *	ns_g_defaults		INIT(NULL);
+EXTERN cfg_obj_t *		ns_g_defaults		INIT(NULL);
 EXTERN const char *		ns_g_conffile		INIT(NS_SYSCONFDIR
 							     "/named.conf");
 EXTERN const char *		ns_g_keyfile		INIT(NS_SYSCONFDIR
@@ -84,6 +86,7 @@ EXTERN const char *		lwresd_g_resolvconffile	INIT("/etc"
 							     "/resolv.conf");
 EXTERN isc_boolean_t		ns_g_conffileset	INIT(ISC_FALSE);
 EXTERN isc_boolean_t		lwresd_g_useresolvconf	INIT(ISC_FALSE);
+EXTERN isc_uint16_t		ns_g_udpsize		INIT(4096);
 
 /*
  * Initial resource limits.
@@ -107,6 +110,8 @@ EXTERN const char *		lwresd_g_defaultpidfile INIT(NS_LOCALSTATEDIR
 							    "/run/lwresd.pid");
 EXTERN const char *		ns_g_username		INIT(NULL);
 
+EXTERN int			ns_g_listen		INIT(3);
+
 #undef EXTERN
 #undef INIT
 
diff --git a/bin/named/include/named/interfacemgr.h b/bin/named/include/named/interfacemgr.h
index f0e33999..1ac7b6a0 100644
--- a/bin/named/include/named/interfacemgr.h
+++ b/bin/named/include/named/interfacemgr.h
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: interfacemgr.h,v 1.23.2.1 2004/03/09 06:09:21 marka Exp $ */
+/* $Id: interfacemgr.h,v 1.23.24.6 2004/03/08 04:04:20 marka Exp $ */
 
 #ifndef NAMED_INTERFACEMGR_H
 #define NAMED_INTERFACEMGR_H 1
@@ -121,6 +121,20 @@ ns_interfacemgr_scan(ns_interfacemgr_t *mgr, isc_boolean_t verbose);
  */
 
 void
+ns_interfacemgr_adjust(ns_interfacemgr_t *mgr, ns_listenlist_t *list,
+		       isc_boolean_t verbose);
+/*
+ * Similar to ns_interfacemgr_scan(), but this function also tries to see the
+ * need for an explicit listen-on when a list element in 'list' is going to
+ * override an already-listening a wildcard interface.
+ *
+ * This function does not update localhost and localnets ACLs.
+ *
+ * This should be called once on server startup, after configuring views and
+ * zones.
+ */
+
+void
 ns_interfacemgr_setlistenon4(ns_interfacemgr_t *mgr, ns_listenlist_t *value);
 /*
  * Set the IPv4 "listen-on" list of 'mgr' to 'value'.
@@ -150,4 +164,7 @@ ns_interface_shutdown(ns_interface_t *ifp);
  * May safely be called multiple times.
  */
 
+void
+ns_interfacemgr_dumprecursing(FILE *f, ns_interfacemgr_t *mgr);
+
 #endif /* NAMED_INTERFACEMGR_H */
diff --git a/bin/named/include/named/listenlist.h b/bin/named/include/named/listenlist.h
index af30de0d..31e88939 100644
--- a/bin/named/include/named/listenlist.h
+++ b/bin/named/include/named/listenlist.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: listenlist.h,v 1.10.2.1 2004/03/09 06:09:21 marka Exp $ */
+/* $Id: listenlist.h,v 1.10.208.1 2004/03/06 10:21:24 marka Exp $ */
 
 #ifndef NAMED_LISTENLIST_H
 #define NAMED_LISTENLIST_H 1
diff --git a/bin/named/include/named/log.h b/bin/named/include/named/log.h
index f9b250a8..e8ad1ca1 100644
--- a/bin/named/include/named/log.h
+++ b/bin/named/include/named/log.h
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: log.h,v 1.19.2.1 2004/03/09 06:09:22 marka Exp $ */
+/* $Id: log.h,v 1.19.12.3 2004/03/08 04:04:21 marka Exp $ */
 
 #ifndef NAMED_LOG_H
 #define NAMED_LOG_H 1
@@ -33,6 +33,7 @@
 #define NS_LOGCATEGORY_UPDATE		(&ns_g_categories[3])
 #define NS_LOGCATEGORY_QUERIES		(&ns_g_categories[4])
 #define NS_LOGCATEGORY_UNMATCHED	(&ns_g_categories[5])
+#define NS_LOGCATEGORY_UPDATE_SECURITY	(&ns_g_categories[6])
 
 /*
  * Backwards compatibility.
diff --git a/bin/named/include/named/logconf.h b/bin/named/include/named/logconf.h
index 71a31311..a6f7450c 100644
--- a/bin/named/include/named/logconf.h
+++ b/bin/named/include/named/logconf.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: logconf.h,v 1.10.2.3 2006/03/02 00:37:17 marka Exp $ */
+/* $Id: logconf.h,v 1.10.208.1 2004/03/06 10:21:24 marka Exp $ */
 
 #ifndef NAMED_LOGCONF_H
 #define NAMED_LOGCONF_H 1
@@ -23,7 +23,7 @@
 #include <isc/log.h>
 
 isc_result_t
-ns_log_configure(isc_logconfig_t *logconf, const cfg_obj_t *logstmt);
+ns_log_configure(isc_logconfig_t *logconf, cfg_obj_t *logstmt);
 /*
  * Set up the logging configuration in '*logconf' according to
  * the named.conf data in 'logstmt'.
diff --git a/bin/named/include/named/lwaddr.h b/bin/named/include/named/lwaddr.h
index ea7161ec..0aa66b78 100644
--- a/bin/named/include/named/lwaddr.h
+++ b/bin/named/include/named/lwaddr.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwaddr.h,v 1.3.2.1 2004/03/09 06:09:22 marka Exp $ */
+/* $Id: lwaddr.h,v 1.3.208.1 2004/03/06 10:21:24 marka Exp $ */
 
 #include <lwres/lwres.h>
 #include <lwres/net.h>
diff --git a/bin/named/include/named/lwdclient.h b/bin/named/include/named/lwdclient.h
index 047f98aa..09d68ff0 100644
--- a/bin/named/include/named/lwdclient.h
+++ b/bin/named/include/named/lwdclient.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwdclient.h,v 1.13.2.1 2004/03/09 06:09:22 marka Exp $ */
+/* $Id: lwdclient.h,v 1.13.208.1 2004/03/06 10:21:24 marka Exp $ */
 
 #ifndef NAMED_LWDCLIENT_H
 #define NAMED_LWDCLIENT_H 1
diff --git a/bin/named/include/named/lwresd.h b/bin/named/include/named/lwresd.h
index 9f3a9239..7ba857c0 100644
--- a/bin/named/include/named/lwresd.h
+++ b/bin/named/include/named/lwresd.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwresd.h,v 1.12.2.3 2006/03/02 00:37:17 marka Exp $ */
+/* $Id: lwresd.h,v 1.12.208.1 2004/03/06 10:21:25 marka Exp $ */
 
 #ifndef NAMED_LWRESD_H
 #define NAMED_LWRESD_H 1
@@ -56,7 +56,7 @@ struct ns_lwreslistener {
  * Configure lwresd.
  */
 isc_result_t
-ns_lwresd_configure(isc_mem_t *mctx, const cfg_obj_t *config);
+ns_lwresd_configure(isc_mem_t *mctx, cfg_obj_t *config);
 
 isc_result_t
 ns_lwresd_parseeresolvconf(isc_mem_t *mctx, cfg_parser_t *pctx,
@@ -72,8 +72,7 @@ ns_lwresd_shutdown(void);
  * Manager functions
  */
 isc_result_t
-ns_lwdmanager_create(isc_mem_t *mctx, const cfg_obj_t *lwres,
-		      ns_lwresd_t **lwresdp);
+ns_lwdmanager_create(isc_mem_t *mctx, cfg_obj_t *lwres, ns_lwresd_t **lwresdp);
 
 void
 ns_lwdmanager_attach(ns_lwresd_t *source, ns_lwresd_t **targetp);
diff --git a/bin/named/include/named/lwsearch.h b/bin/named/include/named/lwsearch.h
index 9a7bb266..a864a89d 100644
--- a/bin/named/include/named/lwsearch.h
+++ b/bin/named/include/named/lwsearch.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwsearch.h,v 1.4.2.1 2004/03/09 06:09:22 marka Exp $ */
+/* $Id: lwsearch.h,v 1.4.208.1 2004/03/06 10:21:25 marka Exp $ */
 
 #ifndef NAMED_LWSEARCH_H
 #define NAMED_LWSEARCH_H 1
diff --git a/bin/named/include/named/main.h b/bin/named/include/named/main.h
index 7c8d6cab..e37b5198 100644
--- a/bin/named/include/named/main.h
+++ b/bin/named/include/named/main.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: main.h,v 1.8.2.3 2004/03/09 06:09:22 marka Exp $ */
+/* $Id: main.h,v 1.8.2.2.8.4 2004/03/08 04:04:21 marka Exp $ */
 
 #ifndef NAMED_MAIN_H
 #define NAMED_MAIN_H 1
@@ -26,4 +26,7 @@ ns_main_earlyfatal(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
 void
 ns_main_earlywarning(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
 
+void
+ns_main_setmemstats(const char *);
+
 #endif /* NAMED_MAIN_H */
diff --git a/bin/named/include/named/notify.h b/bin/named/include/named/notify.h
index 69a1ac4b..3cb1d854 100644
--- a/bin/named/include/named/notify.h
+++ b/bin/named/include/named/notify.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: notify.h,v 1.9.2.1 2004/03/09 06:09:23 marka Exp $ */
+/* $Id: notify.h,v 1.9.208.1 2004/03/06 10:21:25 marka Exp $ */
 
 #ifndef NAMED_NOTIFY_H
 #define NAMED_NOTIFY_H 1
diff --git a/bin/named/include/named/query.h b/bin/named/include/named/query.h
index 4de0af36..6f348d53 100644
--- a/bin/named/include/named/query.h
+++ b/bin/named/include/named/query.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: query.h,v 1.28.2.4 2004/03/09 06:09:23 marka Exp $ */
+/* $Id: query.h,v 1.28.2.3.8.6 2004/03/08 04:04:21 marka Exp $ */
 
 #ifndef NAMED_QUERY_H
 #define NAMED_QUERY_H 1
@@ -25,7 +25,6 @@
 #include <isc/netaddr.h>
 
 #include <dns/types.h>
-#include <dns/a6.h>
 
 #include <named/types.h>
 
@@ -49,17 +48,11 @@ struct ns_query {
 	dns_zone_t *			authzone;
 	isc_boolean_t			authdbset;
 	isc_boolean_t			isreferral;
+	isc_mutex_t			fetchlock;
 	dns_fetch_t *			fetch;
-	dns_a6context_t			a6ctx;
 	isc_bufferlist_t		namebufs;
 	ISC_LIST(ns_dbversion_t)	activeversions;
 	ISC_LIST(ns_dbversion_t)	freeversions;
-	/*
-	 * Additional state used during IPv6 response synthesis only.
-	 */
-	struct {
-		isc_netaddr_t na;
-	} synth;
 };
 
 #define NS_QUERYATTR_RECURSIONOK	0x0001
@@ -71,7 +64,7 @@ struct ns_query {
 #define NS_QUERYATTR_QUERYOKVALID	0x0040
 #define NS_QUERYATTR_QUERYOK		0x0080
 #define NS_QUERYATTR_WANTRECURSION	0x0100
-#define NS_QUERYATTR_WANTDNSSEC		0x0200
+#define NS_QUERYATTR_SECURE		0x0200
 #define NS_QUERYATTR_NOAUTHORITY	0x0400
 #define NS_QUERYATTR_NOADDITIONAL	0x0800
 
@@ -84,4 +77,7 @@ ns_query_free(ns_client_t *client);
 void
 ns_query_start(ns_client_t *client);
 
+void
+ns_query_cancel(ns_client_t *client);
+
 #endif /* NAMED_QUERY_H */
diff --git a/bin/named/include/named/server.h b/bin/named/include/named/server.h
index f7b76b76..97eb2efc 100644
--- a/bin/named/include/named/server.h
+++ b/bin/named/include/named/server.h
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: server.h,v 1.58.2.5 2006/03/02 00:37:17 marka Exp $ */
+/* $Id: server.h,v 1.58.2.1.10.11 2004/03/08 04:04:21 marka Exp $ */
 
 #ifndef NAMED_SERVER_H
 #define NAMED_SERVER_H 1
@@ -49,6 +49,16 @@ struct ns_server {
 	isc_quota_t		tcpquota;
 	isc_quota_t		recursionquota;
 	dns_acl_t		*blackholeacl;
+	char *			statsfile;	/* Statistics file name */
+	char *			dumpfile;	/* Dump file name */
+	char *			recfile;	/* Recursive file name */
+	isc_boolean_t		version_set;	/* User has set version */
+	char *			version;	/* User-specified version */
+	isc_boolean_t		hostname_set;	/* User has set hostname */
+	char *			hostname;	/* User-specified hostname */
+	/* Use hostname for server id */
+	isc_boolean_t		server_usehostname;
+	char *			server_id;	/* User-specified server id */
 
         /*
 	 * Current ACL environment.  This defines the
@@ -76,15 +86,12 @@ struct ns_server {
 	isc_boolean_t		flushonshutdown;
 	isc_boolean_t		log_queries;	/* For BIND 8 compatibility */
 
-	char *			statsfile;	/* Statistics file name */
 	isc_uint64_t *		querystats;	/* Query statistics counters */
 
-	char *			dumpfile;	/* Dump file name */
-
 	ns_controls_t *		controls;	/* Control channels */
 	unsigned int		dispatchgen;
 	ns_dispatchlist_t	dispatches;
-
+						
 };
 
 #define NS_SERVER_MAGIC			ISC_MAGIC('S','V','E','R')
@@ -120,7 +127,7 @@ ns_server_flushonshutdown(ns_server_t *server, isc_boolean_t flush);
  */
 
 isc_result_t
-ns_server_reloadcommand(ns_server_t *server, char *args);
+ns_server_reloadcommand(ns_server_t *server, char *args, isc_buffer_t *text);
 /*
  * Act on a "reload" command from the command channel.
  */
@@ -132,12 +139,18 @@ ns_server_reconfigcommand(ns_server_t *server, char *args);
  */
 
 isc_result_t
-ns_server_refreshcommand(ns_server_t *server, char *args);
+ns_server_refreshcommand(ns_server_t *server, char *args, isc_buffer_t *text);
 /*
  * Act on a "refresh" command from the command channel.
  */
 
 isc_result_t
+ns_server_retransfercommand(ns_server_t *server, char *args);
+/*
+ * Act on a "retransfer" command from the command channel.
+ */
+
+isc_result_t
 ns_server_togglequerylog(ns_server_t *server);
 /*
  * Toggle logging of queries, as in BIND 8.
@@ -153,7 +166,7 @@ ns_server_dumpstats(ns_server_t *server);
  * Dump the current cache to the dump file.
  */
 isc_result_t
-ns_server_dumpdb(ns_server_t *server);
+ns_server_dumpdb(ns_server_t *server, char *args);
 
 /*
  * Change or increment the server debug level.
@@ -168,15 +181,33 @@ isc_result_t
 ns_server_flushcache(ns_server_t *server, char *args);
 
 /*
+ * Flush a particular name from the server's cache(s)
+ */
+isc_result_t
+ns_server_flushname(ns_server_t *server, char *args);
+
+/*
  * Report the server's status.
  */
 isc_result_t
 ns_server_status(ns_server_t *server, isc_buffer_t *text);
 
 /*
+ * Enable or disable updates for a zone.
+ */
+isc_result_t
+ns_server_freeze(ns_server_t *server, isc_boolean_t freeze, char *args);
+
+/*
+ * Dump the current recursive queries.
+ */
+isc_result_t
+ns_server_dumprecursing(ns_server_t *server);
+
+/*
  * Maintain a list of dispatches that require reserved ports.
  */
 void
-ns_add_reserved_dispatch(ns_server_t *server, const isc_sockaddr_t *addr);
+ns_add_reserved_dispatch(ns_server_t *server, isc_sockaddr_t *addr);
 
 #endif /* NAMED_SERVER_H */
diff --git a/bin/named/include/named/sortlist.h b/bin/named/include/named/sortlist.h
index 347ad91f..88a14938 100644
--- a/bin/named/include/named/sortlist.h
+++ b/bin/named/include/named/sortlist.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sortlist.h,v 1.4.2.3 2006/03/02 00:37:17 marka Exp $ */
+/* $Id: sortlist.h,v 1.4.208.1 2004/03/06 10:21:26 marka Exp $ */
 
 #ifndef NAMED_SORTLIST_H
 #define NAMED_SORTLIST_H 1
@@ -28,7 +28,7 @@
  * Type for callback functions that rank addresses.
  */
 typedef int 
-(*dns_addressorderfunc_t)(const isc_netaddr_t *address, const void *arg);
+(*dns_addressorderfunc_t)(isc_netaddr_t *address, void *arg);
 
 /*
  * Return value type for setup_sortlist.
@@ -40,8 +40,7 @@ typedef enum {
 } ns_sortlisttype_t;
 
 ns_sortlisttype_t
-ns_sortlist_setup(dns_acl_t *acl, isc_netaddr_t *clientaddr,
-		  const void **argp);
+ns_sortlist_setup(dns_acl_t *acl, isc_netaddr_t *clientaddr, void **argp);
 /*
  * Find the sortlist statement in 'acl' that applies to 'clientaddr', if any.
  *
@@ -56,14 +55,14 @@ ns_sortlist_setup(dns_acl_t *acl, isc_netaddr_t *clientaddr,
  */
 
 int
-ns_sortlist_addrorder1(const isc_netaddr_t *addr, const void *arg);
+ns_sortlist_addrorder1(isc_netaddr_t *addr, void *arg);
 /*
  * Find the sort order of 'addr' in 'arg', the matching element
  * of a 1-element top-level sortlist statement.
  */
 
 int
-ns_sortlist_addrorder2(const isc_netaddr_t *addr, const void *arg);
+ns_sortlist_addrorder2(isc_netaddr_t *addr, void *arg);
 /*
  * Find the sort order of 'addr' in 'arg', a topology-like
  * ACL forming the second element in a 2-element top-level
@@ -73,7 +72,7 @@ ns_sortlist_addrorder2(const isc_netaddr_t *addr, const void *arg);
 void
 ns_sortlist_byaddrsetup(dns_acl_t *sortlist_acl, isc_netaddr_t *client_addr,
 			dns_addressorderfunc_t *orderp,
-			const void **argp);
+			void **argp);
 /*
  * Find the sortlist statement in 'acl' that applies to 'clientaddr', if any.
  * If a sortlist statement applies, return in '*orderp' a pointer to a function
diff --git a/bin/named/include/named/tkeyconf.h b/bin/named/include/named/tkeyconf.h
index 4e8b7e6b..e3710eae 100644
--- a/bin/named/include/named/tkeyconf.h
+++ b/bin/named/include/named/tkeyconf.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tkeyconf.h,v 1.9.2.3 2006/03/02 00:37:17 marka Exp $ */
+/* $Id: tkeyconf.h,v 1.9.208.1 2004/03/06 10:21:26 marka Exp $ */
 
 #ifndef NS_TKEYCONF_H
 #define NS_TKEYCONF_H 1
@@ -28,8 +28,8 @@
 ISC_LANG_BEGINDECLS
 
 isc_result_t
-ns_tkeyctx_fromconfig(const cfg_obj_t *options, isc_mem_t *mctx,
-		      isc_entropy_t *ectx, dns_tkeyctx_t **tctxp);
+ns_tkeyctx_fromconfig(cfg_obj_t *options, isc_mem_t *mctx, isc_entropy_t *ectx,
+		      dns_tkeyctx_t **tctxp);
 /*
  * 	Create a TKEY context and configure it, including the default DH key
  *	and default domain, according to 'options'.
diff --git a/bin/named/include/named/tsigconf.h b/bin/named/include/named/tsigconf.h
index 567d7b98..ef4161de 100644
--- a/bin/named/include/named/tsigconf.h
+++ b/bin/named/include/named/tsigconf.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tsigconf.h,v 1.9.2.3 2006/03/02 00:37:17 marka Exp $ */
+/* $Id: tsigconf.h,v 1.9.208.1 2004/03/06 10:21:26 marka Exp $ */
 
 #ifndef NS_TSIGCONF_H
 #define NS_TSIGCONF_H 1
@@ -26,7 +26,7 @@
 ISC_LANG_BEGINDECLS
 
 isc_result_t
-ns_tsigkeyring_fromconfig(const cfg_obj_t *config, const cfg_obj_t *vconfig,
+ns_tsigkeyring_fromconfig(cfg_obj_t *config, cfg_obj_t *vconfig,
 			  isc_mem_t *mctx, dns_tsig_keyring_t **ringp);
 /*
  * Create a TSIG key ring and configure it according to the 'key'
diff --git a/bin/named/include/named/types.h b/bin/named/include/named/types.h
index f35c4c18..eb44c53b 100644
--- a/bin/named/include/named/types.h
+++ b/bin/named/include/named/types.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: types.h,v 1.19.2.2 2004/03/09 06:09:23 marka Exp $ */
+/* $Id: types.h,v 1.19.208.2 2004/03/06 10:21:26 marka Exp $ */
 
 #ifndef NAMED_TYPES_H
 #define NAMED_TYPES_H 1
diff --git a/bin/named/include/named/update.h b/bin/named/include/named/update.h
index e340d3cf..4c97235c 100644
--- a/bin/named/include/named/update.h
+++ b/bin/named/include/named/update.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: update.h,v 1.8.2.1 2004/03/09 06:09:23 marka Exp $ */
+/* $Id: update.h,v 1.8.208.1 2004/03/06 10:21:26 marka Exp $ */
 
 #ifndef NAMED_UPDATE_H
 #define NAMED_UPDATE_H 1
diff --git a/bin/named/include/named/xfrout.h b/bin/named/include/named/xfrout.h
index 08638d49..e96ff31d 100644
--- a/bin/named/include/named/xfrout.h
+++ b/bin/named/include/named/xfrout.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: xfrout.h,v 1.7.2.1 2004/03/09 06:09:23 marka Exp $ */
+/* $Id: xfrout.h,v 1.7.208.1 2004/03/06 10:21:27 marka Exp $ */
 
 #ifndef NAMED_XFROUT_H
 #define NAMED_XFROUT_H 1
diff --git a/bin/named/include/named/zoneconf.h b/bin/named/include/named/zoneconf.h
index ec1f06ba..3b8f200d 100644
--- a/bin/named/include/named/zoneconf.h
+++ b/bin/named/include/named/zoneconf.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zoneconf.h,v 1.16.2.5 2006/03/02 00:37:17 marka Exp $ */
+/* $Id: zoneconf.h,v 1.16.2.2.8.1 2004/03/06 10:21:27 marka Exp $ */
 
 #ifndef NS_ZONECONF_H
 #define NS_ZONECONF_H 1
@@ -30,9 +30,8 @@
 ISC_LANG_BEGINDECLS
 
 isc_result_t
-ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
-		  const cfg_obj_t *zconfig, ns_aclconfctx_t *ac,
-		  dns_zone_t *zone);
+ns_zone_configure(cfg_obj_t *config, cfg_obj_t *vconfig, cfg_obj_t *zconfig,
+		  ns_aclconfctx_t *ac, dns_zone_t *zone);
 /*
  * Configure or reconfigure a zone according to the named.conf
  * data in 'cctx' and 'czone'.
@@ -49,7 +48,7 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
  */
 
 isc_boolean_t
-ns_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig);
+ns_zone_reusable(dns_zone_t *zone, cfg_obj_t *zconfig);
 /*
  * If 'zone' can be safely reconfigured according to the configuration
  * data in 'zconfig', return ISC_TRUE.  If the configuration data is so
diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c
index c1e68453..f2e7afa8 100644
--- a/bin/named/interfacemgr.c
+++ b/bin/named/interfacemgr.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: interfacemgr.c,v 1.59.2.9 2006/01/04 23:50:16 marka Exp $ */
+/* $Id: interfacemgr.c,v 1.59.2.5.8.13 2004/03/08 09:04:14 marka Exp $ */
 
 #include <config.h>
 
@@ -119,7 +119,7 @@ ns_interfacemgr_destroy(ns_interfacemgr_t *mgr) {
 	ns_listenlist_detach(&mgr->listenon6);
 	DESTROYLOCK(&mgr->lock);
 	mgr->magic = 0;
-	isc_mem_put(mgr->mctx, mgr, sizeof *mgr);
+	isc_mem_put(mgr->mctx, mgr, sizeof(*mgr));
 }
 
 dns_aclenv_t *
@@ -294,6 +294,9 @@ ns_interface_accepttcp(ns_interface_t *ifp) {
 				 isc_result_totext(result));
 		goto tcp_socket_failure;
 	}
+#ifndef ISC_ALLOW_MAPPED
+	isc_socket_ipv6only(ifp->tcpsocket, ISC_TRUE);
+#endif
 	result = isc_socket_bind(ifp->tcpsocket, &ifp->addr);
 	if (result != ISC_R_SUCCESS) {
 		isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_ERROR,
@@ -301,7 +304,7 @@ ns_interface_accepttcp(ns_interface_t *ifp) {
 				 isc_result_totext(result));
 		goto tcp_bind_failure;
 	}
-	result = isc_socket_listen(ifp->tcpsocket, 3);
+	result = isc_socket_listen(ifp->tcpsocket, ns_g_listen);
 	if (result != ISC_R_SUCCESS) {
 		isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_ERROR,
 				 "listening on TCP socket: %s",
@@ -309,6 +312,12 @@ ns_interface_accepttcp(ns_interface_t *ifp) {
 		goto tcp_listen_failure;
 	}
 
+	/* 
+	 * If/when there a multiple filters listen to the
+	 * result.
+	 */
+	(void)isc_socket_filter(ifp->tcpsocket, "dataready");
+
 	result = ns_clientmgr_createclients(ifp->clientmgr,
 					    ifp->ntcptarget, ifp,
 					    ISC_TRUE);
@@ -330,7 +339,8 @@ ns_interface_accepttcp(ns_interface_t *ifp) {
 
 static isc_result_t
 ns_interface_setup(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr,
-		   const char *name, ns_interface_t **ifpret)
+		   const char *name, ns_interface_t **ifpret,
+		   isc_boolean_t accept_tcp)
 {
 	isc_result_t result;
 	ns_interface_t *ifp = NULL;
@@ -344,15 +354,17 @@ ns_interface_setup(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr,
 	if (result != ISC_R_SUCCESS)
 		goto cleanup_interface;
 
-	result = ns_interface_accepttcp(ifp);
-	if (result != ISC_R_SUCCESS) {
-		/*
-		 * XXXRTH We don't currently have a way to easily stop dispatch
-		 * service, so we currently return ISC_R_SUCCESS (the UDP stuff
-		 * will work even if TCP creation failed).  This will be fixed
-		 * later.
-		 */
-		result = ISC_R_SUCCESS;
+	if (accept_tcp == ISC_TRUE) {
+		result = ns_interface_accepttcp(ifp);
+		if (result != ISC_R_SUCCESS) {
+			/*
+			 * XXXRTH We don't currently have a way to easily stop
+			 * dispatch service, so we return currently return
+			 * ISC_R_SUCCESS (the UDP stuff will work even if TCP
+			 * creation failed).  This will be fixed later.
+			 */
+			result = ISC_R_SUCCESS;
+		}
 	}
 	*ifpret = ifp;
 	return (ISC_R_SUCCESS);
@@ -469,73 +481,210 @@ clearacl(isc_mem_t *mctx, dns_acl_t **aclp) {
 	return (ISC_R_SUCCESS);
 }
 
+static isc_boolean_t
+listenon_is_ip6_any(ns_listenelt_t *elt) {
+	if (elt->acl->length != 1)
+		return (ISC_FALSE);
+	if (elt->acl->elements[0].negative == ISC_FALSE &&
+	    elt->acl->elements[0].type == dns_aclelementtype_any)
+		return (ISC_TRUE);  /* listen-on-v6 { any; } */
+	return (ISC_FALSE); /* All others */
+}
+
 static isc_result_t
-do_ipv4(ns_interfacemgr_t *mgr) {
+setup_locals(ns_interfacemgr_t *mgr, isc_interface_t *interface) {
+	isc_result_t result;
+	dns_aclelement_t elt;
+	unsigned int family;
+	unsigned int prefixlen;
+
+	family = interface->address.family;
+	
+	elt.type = dns_aclelementtype_ipprefix;
+	elt.negative = ISC_FALSE;
+	elt.u.ip_prefix.address = interface->address;
+	elt.u.ip_prefix.prefixlen = (family == AF_INET) ? 32 : 128;
+	result = dns_acl_appendelement(mgr->aclenv.localhost, &elt);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = isc_netaddr_masktoprefixlen(&interface->netmask,
+					     &prefixlen);
+
+	/* Non contigious netmasks not allowed by IPv6 arch. */
+	if (result != ISC_R_SUCCESS && family == AF_INET6)
+		return (result);
+
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(IFMGR_COMMON_LOGARGS,
+			      ISC_LOG_WARNING,
+			      "omitting IPv4 interface %s from "
+			      "localnets ACL: %s",
+			      interface->name,
+			      isc_result_totext(result));
+	} else {
+		elt.u.ip_prefix.prefixlen = prefixlen;
+		if (dns_acl_elementmatch(mgr->aclenv.localnets, &elt,
+					 NULL) == ISC_R_NOTFOUND) {
+			result = dns_acl_appendelement(mgr->aclenv.localnets,
+						       &elt);
+			if (result != ISC_R_SUCCESS)
+				return (result);
+		}
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+do_scan(ns_interfacemgr_t *mgr, ns_listenlist_t *ext_listen,
+	isc_boolean_t verbose)
+{
 	isc_interfaceiter_t *iter = NULL;
+	isc_boolean_t scan_ipv4 = ISC_FALSE;
+	isc_boolean_t scan_ipv6 = ISC_FALSE;
+	isc_boolean_t adjusting = ISC_FALSE;
+	isc_boolean_t ipv6only = ISC_TRUE;
 	isc_result_t result;
+	isc_netaddr_t zero_address, zero_address6;
+	ns_listenelt_t *le;
+	isc_sockaddr_t listen_addr;
+	ns_interface_t *ifp;
+	isc_boolean_t log_explicit = ISC_FALSE;
+
+	if (ext_listen != NULL)
+		adjusting = ISC_TRUE;
+
+	if (isc_net_probeipv6() == ISC_R_SUCCESS)
+		scan_ipv6 = ISC_TRUE;
+#ifdef WANT_IPV6
+	else
+		isc_log_write(IFMGR_COMMON_LOGARGS,
+			      verbose ? ISC_LOG_INFO : ISC_LOG_DEBUG(1),
+			      "no IPv6 interfaces found");
+#endif
+
+	if (isc_net_probeipv4() == ISC_R_SUCCESS)
+		scan_ipv4 = ISC_TRUE;
+	else
+		isc_log_write(IFMGR_COMMON_LOGARGS,
+			      verbose ? ISC_LOG_INFO : ISC_LOG_DEBUG(1),
+			      "no IPv4 interfaces found");
+
+	/*
+	 * A special, but typical case; listen-on-v6 { any; }.
+	 * When we can make the socket IPv6-only, open a single wildcard
+	 * socket for IPv6 communication.  Otherwise, make separate socket
+	 * for each IPv6 address in order to avoid accepting IPv4 packets
+	 * as the form of mapped addresses unintentionally unless explicitly
+	 * allowed.
+	 */
+#ifndef ISC_ALLOW_MAPPED
+	if (scan_ipv6 == ISC_TRUE &&
+	    isc_net_probe_ipv6only() != ISC_R_SUCCESS) {
+		ipv6only = ISC_FALSE;
+		log_explicit = ISC_TRUE;
+	}
+#endif
+	if (scan_ipv6 == ISC_TRUE && ipv6only) {
+		for (le = ISC_LIST_HEAD(mgr->listenon6->elts);
+		    le != NULL;
+		    le = ISC_LIST_NEXT(le, link)) {
+			struct in6_addr in6a;
+
+			if (!listenon_is_ip6_any(le))
+				continue;
+
+			in6a = in6addr_any;
+			isc_sockaddr_fromin6(&listen_addr, &in6a, le->port);
+
+			ifp = find_matching_interface(mgr, &listen_addr);
+			if (ifp != NULL) {
+				ifp->generation = mgr->generation;
+			} else {
+				isc_log_write(IFMGR_COMMON_LOGARGS,
+					      ISC_LOG_INFO,
+					      "listening on IPv6 "
+					      "interfaces, port %u",
+					      le->port);
+				result = ns_interface_setup(mgr, &listen_addr,
+							    "<any>", &ifp,
+							    ISC_TRUE);
+				if (result != ISC_R_SUCCESS)
+					isc_log_write(IFMGR_COMMON_LOGARGS,
+						      ISC_LOG_ERROR,
+						      "listening on all IPv6 "
+						      "interfaces failed");
+				/* Continue. */
+			}
+		}
+	}
+
+	isc_netaddr_any(&zero_address);
+	isc_netaddr_any6(&zero_address6);
 
 	result = isc_interfaceiter_create(mgr->mctx, &iter);
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
-	result = clearacl(mgr->mctx, &mgr->aclenv.localhost);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_iter;
-	result = clearacl(mgr->mctx, &mgr->aclenv.localnets);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_iter;
+	if (adjusting == ISC_FALSE) {
+		result = clearacl(mgr->mctx, &mgr->aclenv.localhost);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup_iter;
+		result = clearacl(mgr->mctx, &mgr->aclenv.localnets);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup_iter;
+	}
 
 	for (result = isc_interfaceiter_first(iter);
 	     result == ISC_R_SUCCESS;
 	     result = isc_interfaceiter_next(iter))
 	{
-		ns_interface_t *ifp;
 		isc_interface_t interface;
-		ns_listenelt_t *le;
-		dns_aclelement_t elt;
-		unsigned int prefixlen;
+		ns_listenlist_t *ll;
+		unsigned int family; 
 
 		result = isc_interfaceiter_current(iter, &interface);
 		if (result != ISC_R_SUCCESS)
 			break;
 
-		if (interface.address.family != AF_INET)
+		family = interface.address.family;
+		if (family != AF_INET && family != AF_INET6)
 			continue;
-
-		if ((interface.flags & INTERFACE_F_UP) == 0)
+		if (scan_ipv4 == ISC_FALSE && family == AF_INET)
+			continue;
+		if (scan_ipv6 == ISC_FALSE && family == AF_INET6)
 			continue;
 
-		elt.type = dns_aclelementtype_ipprefix;
-		elt.negative = ISC_FALSE;
-		elt.u.ip_prefix.address = interface.address;
-		elt.u.ip_prefix.prefixlen = 32;
-		result = dns_acl_appendelement(mgr->aclenv.localhost, &elt);
-		if (result != ISC_R_SUCCESS)
-			goto ignore_interface;
+		/*
+		 * Test for the address being nonzero rather than testing
+		 * INTERFACE_F_UP, because on some systems the latter
+		 * follows the media state and we could end up ignoring
+		 * the interface for an entire rescan interval due to
+		 * a temporary media glitch at rescan time.
+		 */
+		if (family == AF_INET &&
+		    isc_netaddr_equal(&interface.address, &zero_address)) {
+			continue;
+		}
+		if (family == AF_INET6 &&
+		    isc_netaddr_equal(&interface.address, &zero_address6)) {
+			continue;
+		}
 
-		result = isc_netaddr_masktoprefixlen(&interface.netmask,
-						     &prefixlen);
-		if (result != ISC_R_SUCCESS) {
-			isc_log_write(IFMGR_COMMON_LOGARGS,
-				      ISC_LOG_WARNING,
-				      "omitting IPv4 interface %s from "
-				      "localnets ACL: %s",
-				      interface.name,
-				      isc_result_totext(result));
-		} else {
-			elt.u.ip_prefix.prefixlen = prefixlen;
-			/* XXX suppress duplicates */
-			result = dns_acl_appendelement(mgr->aclenv.localnets,
-						       &elt);
+		if (adjusting == ISC_FALSE) {
+			result = setup_locals(mgr, &interface);
 			if (result != ISC_R_SUCCESS)
 				goto ignore_interface;
 		}
 
-		for (le = ISC_LIST_HEAD(mgr->listenon4->elts);
+		ll = (family == AF_INET) ? mgr->listenon4 : mgr->listenon6;
+		for (le = ISC_LIST_HEAD(ll->elts);
 		     le != NULL;
 		     le = ISC_LIST_NEXT(le, link))
 		{
 			int match;
+			isc_boolean_t ipv6_wildcard = ISC_FALSE;
 			isc_netaddr_t listen_netaddr;
 			isc_sockaddr_t listen_sockaddr;
 
@@ -543,8 +692,15 @@ do_ipv4(ns_interfacemgr_t *mgr) {
 			 * Construct a socket address for this IP/port
 			 * combination.
 			 */
-			isc_netaddr_fromin(&listen_netaddr,
-					   &interface.address.type.in);
+			if (family == AF_INET) {
+				isc_netaddr_fromin(&listen_netaddr,
+						   &interface.address.type.in);
+			} else {
+				isc_netaddr_fromin6(&listen_netaddr,
+						    &interface.address.type.in6);
+				isc_netaddr_setzone(&listen_netaddr,
+						    interface.address.zone);
+			}
 			isc_sockaddr_fromnetaddr(&listen_sockaddr,
 						 &listen_netaddr,
 						 le->port);
@@ -553,33 +709,97 @@ do_ipv4(ns_interfacemgr_t *mgr) {
 			 * See if the address matches the listen-on statement;
 			 * if not, ignore the interface.
 			 */
-			(void)dns_acl_match(&listen_netaddr, NULL, le->acl,
-					    &mgr->aclenv, &match, NULL);
+			result = dns_acl_match(&listen_netaddr, NULL,
+					       le->acl, &mgr->aclenv,
+					       &match, NULL);
 			if (match <= 0)
 				continue;
 
+			/*
+			 * The case of "any" IPv6 address will require
+			 * special considerations later, so remember it.
+			 */
+			if (family == AF_INET6 && ipv6only &&
+			    listenon_is_ip6_any(le))
+				ipv6_wildcard = ISC_TRUE;
+
+			/*
+			 * When adjusting interfaces with extra a listening
+			 * list, see if the address matches the extra list.
+			 * If it does, and is also covered by a wildcard
+			 * interface, we need to listen on the address
+			 * explicitly.
+			 */
+			if (adjusting == ISC_TRUE) {
+				ns_listenelt_t *ele;
+
+				match = 0;
+				for (ele = ISC_LIST_HEAD(ext_listen->elts);
+				     ele != NULL;
+				     ele = ISC_LIST_NEXT(ele, link)) {
+					dns_acl_match(&listen_netaddr, NULL,
+						      ele->acl, NULL,
+						      &match, NULL);
+					if (match > 0 && ele->port == le->port)
+						break;
+					else
+						match = 0;
+				}
+				if (ipv6_wildcard == ISC_TRUE && match == 0)
+					continue;
+			}
+
 			ifp = find_matching_interface(mgr, &listen_sockaddr);
 			if (ifp != NULL) {
 				ifp->generation = mgr->generation;
 			} else {
 				char sabuf[ISC_SOCKADDR_FORMATSIZE];
+
+				if (adjusting == ISC_FALSE &&
+				    ipv6_wildcard == ISC_TRUE)
+					continue;
+
+				if (log_explicit && family == AF_INET6 &&
+				    !adjusting) {
+					isc_log_write(IFMGR_COMMON_LOGARGS,
+						      verbose ? ISC_LOG_INFO :
+							      ISC_LOG_DEBUG(1),
+						      "IPv6-only option is not"
+						      " available; explicitly"
+						      " binding to all IPv6"
+						      " addresses.");
+					log_explicit = ISC_FALSE;
+				}
 				isc_sockaddr_format(&listen_sockaddr,
 						    sabuf, sizeof(sabuf));
 				isc_log_write(IFMGR_COMMON_LOGARGS,
 					      ISC_LOG_INFO,
-					      "listening on IPv4 interface "
-					      "%s, %s", interface.name, sabuf);
+					      "%s"
+					      "listening on %s interface "
+					      "%s, %s",
+					      (adjusting == ISC_TRUE) ?
+					      "additionally " : "",
+					      (family == AF_INET) ?
+					      "IPv4" : "IPv6",
+					      interface.name, sabuf);
 
 				result = ns_interface_setup(mgr,
 							    &listen_sockaddr,
 							    interface.name,
-							    &ifp);
+							    &ifp,
+							    (adjusting == ISC_TRUE) ?
+							    ISC_FALSE :
+							    ISC_TRUE);
+
 				if (result != ISC_R_SUCCESS) {
 					isc_log_write(IFMGR_COMMON_LOGARGS,
-						 ISC_LOG_ERROR,
-						 "creating IPv4 interface %s "
-						 "failed; interface ignored",
-						 interface.name);
+						      ISC_LOG_ERROR,
+						      "creating %s interface "
+						      "%s failed; interface "
+						      "ignored",
+						      (family == AF_INET) ?
+						      "IPv4" : "IPv6",
+						      interface.name);
 				}
 				/* Continue. */
 			}
@@ -590,13 +810,14 @@ do_ipv4(ns_interfacemgr_t *mgr) {
 	ignore_interface:
 		isc_log_write(IFMGR_COMMON_LOGARGS,
 			      ISC_LOG_ERROR,
-			      "ignoring IPv4 interface %s: %s",
+			      "ignoring %s interface %s: %s",
+			      (family == AF_INET) ? "IPv4" : "IPv6",
 			      interface.name, isc_result_totext(result));
 		continue;
 	}
 	if (result != ISC_R_NOMORE)
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "IPv4: interface iteration failed: %s",
+				 "interface iteration failed: %s",
 				 isc_result_totext(result));
 	else 
 		result = ISC_R_SUCCESS;
@@ -605,100 +826,18 @@ do_ipv4(ns_interfacemgr_t *mgr) {
 	return (result);
 }
 
-static isc_boolean_t
-listenon_is_ip6_none(ns_listenelt_t *elt) {
-	if (elt->acl->length == 0)
-		return (ISC_TRUE); /* listen-on-v6 { } */
-	if (elt->acl->length > 1)
-		return (ISC_FALSE);  /* listen-on-v6 { ...; ...; } */
-	if (elt->acl->elements[0].negative == ISC_TRUE &&
-	    elt->acl->elements[0].type == dns_aclelementtype_any)
-		return (ISC_TRUE);  /* listen-on-v6 { none; } */
-	return (ISC_FALSE); /* All others */
-}
-
-static isc_boolean_t
-listenon_is_ip6_any(ns_listenelt_t *elt) {
-	if (elt->acl->length != 1)
-		return (ISC_FALSE);
-	if (elt->acl->elements[0].negative == ISC_FALSE &&
-	    elt->acl->elements[0].type == dns_aclelementtype_any)
-		return (ISC_TRUE);  /* listen-on-v6 { any; } */
-	return (ISC_FALSE); /* All others */
-}
-
-static isc_result_t
-do_ipv6(ns_interfacemgr_t *mgr) {
-	isc_result_t result;
-	ns_interface_t *ifp;
-	isc_sockaddr_t listen_addr;
-	struct in6_addr in6a;
-	ns_listenelt_t *le;
-
-	for (le = ISC_LIST_HEAD(mgr->listenon6->elts);
-	     le != NULL;
-	     le = ISC_LIST_NEXT(le, link))
-	{
-		if (listenon_is_ip6_none(le))
-			continue;
-		if (! listenon_is_ip6_any(le)) {
-			isc_log_write(IFMGR_COMMON_LOGARGS,
-				      ISC_LOG_ERROR,
-				      "bad IPv6 listen-on list: "
-				      "must be 'any' or 'none'");
-			return (ISC_R_FAILURE);
-		}
-
-		in6a = in6addr_any;
-		isc_sockaddr_fromin6(&listen_addr, &in6a, le->port);
-
-		ifp = find_matching_interface(mgr, &listen_addr);
-		if (ifp != NULL) {
-			ifp->generation = mgr->generation;
-		} else {
-			isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_INFO,
-				      "listening on IPv6 interfaces, port %u",
-				      le->port);
-			result = ns_interface_setup(mgr, &listen_addr,
-						    "<any>", &ifp);
-			if (result != ISC_R_SUCCESS) {
-				isc_log_write(IFMGR_COMMON_LOGARGS,
-					      ISC_LOG_ERROR,
-					      "listening on IPv6 interfaces "
-					      "failed");
-				/* Continue. */
-			}
-		}
-	}
-	return (ISC_R_SUCCESS);
-}
-
-void
-ns_interfacemgr_scan(ns_interfacemgr_t *mgr, isc_boolean_t verbose) {
+static void
+ns_interfacemgr_scan0(ns_interfacemgr_t *mgr, ns_listenlist_t *ext_listen,
+		      isc_boolean_t verbose)
+{
 	isc_boolean_t purge = ISC_TRUE;
 
 	REQUIRE(NS_INTERFACEMGR_VALID(mgr));
 
 	mgr->generation++;	/* Increment the generation count. */
 
-	if (isc_net_probeipv6() == ISC_R_SUCCESS) {
-		if (do_ipv6(mgr) != ISC_R_SUCCESS)
-			purge = ISC_FALSE;
-	}
-#ifdef WANT_IPV6
-	else
-		isc_log_write(IFMGR_COMMON_LOGARGS,
-			      verbose ? ISC_LOG_INFO : ISC_LOG_DEBUG(1),
-			      "no IPv6 interfaces found");
-#endif
-
-	if (isc_net_probeipv4() == ISC_R_SUCCESS) {
-		if (do_ipv4(mgr) != ISC_R_SUCCESS)
-			purge = ISC_FALSE;
-	} else
-		isc_log_write(IFMGR_COMMON_LOGARGS,
-			      verbose ? ISC_LOG_INFO : ISC_LOG_DEBUG(1),
-			      "no IPv4 interfaces found");
+	if (do_scan(mgr, ext_listen, verbose) != ISC_R_SUCCESS)
+		purge = ISC_FALSE;
 
 	/*
 	 * Now go through the interface list and delete anything that
@@ -714,9 +853,23 @@ ns_interfacemgr_scan(ns_interfacemgr_t *mgr, isc_boolean_t verbose) {
 	 * we're in lwresd-only mode, in which case that is to 
 	 * be expected.
 	 */
-	if (ISC_LIST_EMPTY(mgr->interfaces) && ! ns_g_lwresdonly)
+	if (ext_listen == NULL &&
+	    ISC_LIST_EMPTY(mgr->interfaces) && ! ns_g_lwresdonly) {
 		isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_WARNING,
 			      "not listening on any interfaces");
+	}
+}
+
+void
+ns_interfacemgr_scan(ns_interfacemgr_t *mgr, isc_boolean_t verbose) {
+	ns_interfacemgr_scan0(mgr, NULL, verbose);
+}
+
+void
+ns_interfacemgr_adjust(ns_interfacemgr_t *mgr, ns_listenlist_t *list,
+		       isc_boolean_t verbose)
+{
+	ns_interfacemgr_scan0(mgr, list, verbose);
 }
 
 void
@@ -735,3 +888,16 @@ ns_interfacemgr_setlistenon6(ns_interfacemgr_t *mgr, ns_listenlist_t *value) {
 	UNLOCK(&mgr->lock);
 }
 
+void
+ns_interfacemgr_dumprecursing(FILE *f, ns_interfacemgr_t *mgr) {
+	ns_interface_t *interface;
+
+	LOCK(&mgr->lock);
+	interface = ISC_LIST_HEAD(mgr->interfaces);
+	while (interface != NULL) {
+		if (interface->clientmgr != NULL)
+			ns_client_dumprecursing(f, interface->clientmgr);
+		interface = ISC_LIST_NEXT(interface, link);
+	}
+	UNLOCK(&mgr->lock);
+}
diff --git a/bin/named/listenlist.c b/bin/named/listenlist.c
index dbc24cb5..bba164f0 100644
--- a/bin/named/listenlist.c
+++ b/bin/named/listenlist.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: listenlist.c,v 1.9.2.1 2004/03/09 06:09:18 marka Exp $ */
+/* $Id: listenlist.c,v 1.9.208.1 2004/03/06 10:21:18 marka Exp $ */
 
 #include <config.h>
 
diff --git a/bin/named/log.c b/bin/named/log.c
index 6cd92b96..31af4bdd 100644
--- a/bin/named/log.c
+++ b/bin/named/log.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: log.c,v 1.33.2.2 2004/03/09 06:09:18 marka Exp $ */
+/* $Id: log.c,v 1.33.2.1.10.4 2004/03/08 09:04:14 marka Exp $ */
 
 #include <config.h>
 
@@ -25,6 +25,10 @@
 
 #include <named/log.h>
 
+#ifndef ISC_FACILITY
+#define ISC_FACILITY LOG_DAEMON
+#endif
+
 /*
  * When adding a new category, be sure to add the appropriate
  * #define to <named/log.h>.
@@ -36,6 +40,7 @@ static isc_logcategory_t categories[] = {
 	{ "update",	 		0 },
 	{ "queries",	 		0 },
 	{ "unmatched",	 		0 },
+	{ "update-security",		0 },
 	{ NULL, 			0 }
 };
 
@@ -126,6 +131,15 @@ ns_log_setdefaultchannels(isc_logconfig_t *lcfg) {
 			goto cleanup;
 	}
 
+#if ISC_FACILITY != LOG_DAEMON
+	destination.facility = ISC_FACILITY;
+	result = isc_log_createchannel(lcfg, "default_syslog",
+				       ISC_LOG_TOSYSLOG, ISC_LOG_INFO,
+				       &destination, 0);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+#endif
+
 	/*
 	 * Set the initial debug level.
 	 */
diff --git a/bin/named/logconf.c b/bin/named/logconf.c
index 3129757c..596d4016 100644
--- a/bin/named/logconf.c
+++ b/bin/named/logconf.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: logconf.c,v 1.30.2.7 2006/03/02 00:37:17 marka Exp $ */
+/* $Id: logconf.c,v 1.30.2.3.10.2 2004/03/06 10:21:18 marka Exp $ */
 
 #include <config.h>
 
@@ -41,13 +41,13 @@
  * in 'ccat' and add it to 'lctx'.
  */
 static isc_result_t
-category_fromconf(const cfg_obj_t *ccat, isc_logconfig_t *lctx) {
+category_fromconf(cfg_obj_t *ccat, isc_logconfig_t *lctx) {
 	isc_result_t result;
 	const char *catname;
 	isc_logcategory_t *category;
 	isc_logmodule_t *module;
-	const cfg_obj_t *destinations = NULL;
-	const cfg_listelt_t *element = NULL;
+	cfg_obj_t *destinations = NULL;
+	cfg_listelt_t *element = NULL;
 
 	catname = cfg_obj_asstring(cfg_tuple_get(ccat, "name"));
 	category = isc_log_categorybyname(ns_g_lctx, catname);
@@ -68,8 +68,8 @@ category_fromconf(const cfg_obj_t *ccat, isc_logconfig_t *lctx) {
 	     element != NULL;
 	     element = cfg_list_next(element))
 	{
-		const cfg_obj_t *channel = cfg_listelt_value(element);
-		const char *channelname = cfg_obj_asstring(channel);
+		cfg_obj_t *channel = cfg_listelt_value(element);
+		char *channelname = cfg_obj_asstring(channel);
 
 		result = isc_log_usechannel(lctx, channelname, category,
 					    module);
@@ -89,18 +89,18 @@ category_fromconf(const cfg_obj_t *ccat, isc_logconfig_t *lctx) {
  * in 'cchan' and add it to 'lctx'.
  */
 static isc_result_t
-channel_fromconf(const cfg_obj_t *channel, isc_logconfig_t *lctx) {
+channel_fromconf(cfg_obj_t *channel, isc_logconfig_t *lctx) {
 	isc_result_t result;
 	isc_logdestination_t dest;
 	unsigned int type;
 	unsigned int flags = 0;
 	int level;
 	const char *channelname;
-	const cfg_obj_t *fileobj = NULL;
-	const cfg_obj_t *syslogobj = NULL;
-	const cfg_obj_t *nullobj = NULL;
-	const cfg_obj_t *stderrobj = NULL;
-	const cfg_obj_t *severity = NULL;
+	cfg_obj_t *fileobj = NULL;
+	cfg_obj_t *syslogobj = NULL;
+	cfg_obj_t *nullobj = NULL;
+	cfg_obj_t *stderrobj = NULL;
+	cfg_obj_t *severity = NULL;
 	int i;
 
 	channelname = cfg_obj_asstring(cfg_map_getname(channel));
@@ -130,10 +130,9 @@ channel_fromconf(const cfg_obj_t *channel, isc_logconfig_t *lctx) {
 	type = ISC_LOG_TONULL;
 	
 	if (fileobj != NULL) {
-		const cfg_obj_t *pathobj = cfg_tuple_get(fileobj, "file");
-		const cfg_obj_t *sizeobj = cfg_tuple_get(fileobj, "size");
-		const cfg_obj_t *versionsobj =
-				 cfg_tuple_get(fileobj, "versions");
+		cfg_obj_t *pathobj = cfg_tuple_get(fileobj, "file");
+		cfg_obj_t *sizeobj = cfg_tuple_get(fileobj, "size");
+		cfg_obj_t *versionsobj = cfg_tuple_get(fileobj, "versions");
 		isc_int32_t versions = ISC_LOG_ROLLNEVER;
 		isc_offset_t size = 0;
 
@@ -158,7 +157,7 @@ channel_fromconf(const cfg_obj_t *channel, isc_logconfig_t *lctx) {
 		type = ISC_LOG_TOSYSLOG;
 
 		if (cfg_obj_isstring(syslogobj)) {
-			const char *facilitystr = cfg_obj_asstring(syslogobj);
+			char *facilitystr = cfg_obj_asstring(syslogobj);
 			(void)isc_syslog_facilityfromstring(facilitystr,
 							    &facility);
 		}
@@ -175,9 +174,9 @@ channel_fromconf(const cfg_obj_t *channel, isc_logconfig_t *lctx) {
 	 * Munge flags.
 	 */
 	{
-		const cfg_obj_t *printcat = NULL;
-		const cfg_obj_t *printsev = NULL;
-		const cfg_obj_t *printtime = NULL;
+		cfg_obj_t *printcat = NULL;
+		cfg_obj_t *printsev = NULL;
+		cfg_obj_t *printtime = NULL;
 
 		(void)cfg_map_get(channel, "print-category", &printcat);
 		(void)cfg_map_get(channel, "print-severity", &printsev);
@@ -194,7 +193,7 @@ channel_fromconf(const cfg_obj_t *channel, isc_logconfig_t *lctx) {
 	level = ISC_LOG_INFO;
 	if (cfg_map_get(channel, "severity", &severity) == ISC_R_SUCCESS) {
 		if (cfg_obj_isstring(severity)) {
-			const char *str = cfg_obj_asstring(severity);
+			char *str = cfg_obj_asstring(severity);
 			if (strcasecmp(str, "critical") == 0)
 				level = ISC_LOG_CRITICAL;
 			else if (strcasecmp(str, "error") == 0)
@@ -243,14 +242,13 @@ channel_fromconf(const cfg_obj_t *channel, isc_logconfig_t *lctx) {
 }
 
 isc_result_t
-ns_log_configure(isc_logconfig_t *logconf, const cfg_obj_t *logstmt) {
+ns_log_configure(isc_logconfig_t *logconf, cfg_obj_t *logstmt) {
 	isc_result_t result;
-	const cfg_obj_t *channels = NULL;
-	const cfg_obj_t *categories = NULL;
-	const cfg_listelt_t *element;
+	cfg_obj_t *channels = NULL;
+	cfg_obj_t *categories = NULL;
+	cfg_listelt_t *element;
 	isc_boolean_t default_set = ISC_FALSE;
 	isc_boolean_t unmatched_set = ISC_FALSE;
-	const cfg_obj_t *catname;
 
 	CHECK(ns_log_setdefaultchannels(logconf));
 
@@ -259,7 +257,7 @@ ns_log_configure(isc_logconfig_t *logconf, const cfg_obj_t *logstmt) {
 	     element != NULL;
 	     element = cfg_list_next(element))
 	{
-		const cfg_obj_t *channel = cfg_listelt_value(element);
+		cfg_obj_t *channel = cfg_listelt_value(element);
 		CHECK(channel_fromconf(channel, logconf));
 	}
 
@@ -268,15 +266,15 @@ ns_log_configure(isc_logconfig_t *logconf, const cfg_obj_t *logstmt) {
 	     element != NULL;
 	     element = cfg_list_next(element))
 	{
-		const cfg_obj_t *category = cfg_listelt_value(element);
+		cfg_obj_t *category = cfg_listelt_value(element);
 		CHECK(category_fromconf(category, logconf));
 		if (!default_set) {
-			catname = cfg_tuple_get(category, "name");
+			cfg_obj_t *catname = cfg_tuple_get(category, "name");
 			if (strcmp(cfg_obj_asstring(catname), "default") == 0)
 				default_set = ISC_TRUE;
 		}
 		if (!unmatched_set) {
-			catname = cfg_tuple_get(category, "name");
+			cfg_obj_t *catname = cfg_tuple_get(category, "name");
 			if (strcmp(cfg_obj_asstring(catname), "unmatched") == 0)
 				unmatched_set = ISC_TRUE;
 		}
diff --git a/bin/named/lwaddr.c b/bin/named/lwaddr.c
index 54415498..1bd8d828 100644
--- a/bin/named/lwaddr.c
+++ b/bin/named/lwaddr.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwaddr.c,v 1.3.2.1 2004/03/09 06:09:18 marka Exp $ */
+/* $Id: lwaddr.c,v 1.3.208.1 2004/03/06 10:21:18 marka Exp $ */
 
 #include <config.h>
 
diff --git a/bin/named/lwdclient.c b/bin/named/lwdclient.c
index 67c3a883..7975a499 100644
--- a/bin/named/lwdclient.c
+++ b/bin/named/lwdclient.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwdclient.c,v 1.13.2.1 2004/03/09 06:09:18 marka Exp $ */
+/* $Id: lwdclient.c,v 1.13.12.5 2004/03/08 09:04:15 marka Exp $ */
 
 #include <config.h>
 
@@ -29,6 +29,7 @@
 #include <dns/log.h>
 
 #include <named/types.h>
+#include <named/log.h>
 #include <named/lwresd.h>
 #include <named/lwdclient.h>
 
@@ -81,7 +82,7 @@ ns_lwdclientmgr_create(ns_lwreslistener_t *listener, unsigned int nclients,
 	    != ISC_R_SUCCESS)
 		goto errout;
 
-	for (i = 0 ; i < nclients ; i++) {
+	for (i = 0; i < nclients; i++) {
 		client = isc_mem_get(lwresd->mctx, sizeof(ns_lwdclient_t));
 		if (client != NULL) {
 			ns_lwdclient_log(50, "created client %p, manager %p",
@@ -116,7 +117,7 @@ ns_lwdclientmgr_create(ns_lwreslistener_t *listener, unsigned int nclients,
 	client = ISC_LIST_HEAD(cm->idle);
 	while (client != NULL) {
 		ISC_LIST_UNLINK(cm->idle, client, link);
-		isc_mem_put(lwresd->mctx, client, sizeof (*client));
+		isc_mem_put(lwresd->mctx, client, sizeof(*client));
 		client = ISC_LIST_HEAD(cm->idle);
 	}
 
@@ -126,7 +127,7 @@ ns_lwdclientmgr_create(ns_lwreslistener_t *listener, unsigned int nclients,
 	if (cm->lwctx != NULL)
 		lwres_context_destroy(&cm->lwctx);
 
-	isc_mem_put(lwresd->mctx, cm, sizeof (*cm));
+	isc_mem_put(lwresd->mctx, cm, sizeof(*cm));
 	return (result);
 }
 
@@ -148,7 +149,7 @@ lwdclientmgr_destroy(ns_lwdclientmgr_t *cm) {
 		ns_lwdclient_log(50, "destroying client %p, manager %p",
 				 client, cm);
 		ISC_LIST_UNLINK(cm->idle, client, link);
-		isc_mem_put(cm->mctx, client, sizeof (*client));
+		isc_mem_put(cm->mctx, client, sizeof(*client));
 		client = ISC_LIST_HEAD(cm->idle);
 	}
 
@@ -163,7 +164,7 @@ lwdclientmgr_destroy(ns_lwdclientmgr_t *cm) {
 	listener = cm->listener;
 	ns_lwreslistener_unlinkcm(listener, cm);
 	ns_lwdclient_log(50, "destroying manager %p", cm);
-	isc_mem_put(cm->mctx, cm, sizeof (*cm));
+	isc_mem_put(cm->mctx, cm, sizeof(*cm));
 	ns_lwreslistener_detach(&listener);
 }
 
@@ -211,6 +212,7 @@ process_request(ns_lwdclient_t *client) {
 
 void
 ns_lwdclient_recv(isc_task_t *task, isc_event_t *ev) {
+	isc_result_t result;
 	ns_lwdclient_t *client = ev->ev_arg;
 	ns_lwdclientmgr_t *cm = client->clientmgr;
 	isc_socketevent_t *dev = (isc_socketevent_t *)ev;
@@ -250,7 +252,13 @@ ns_lwdclient_recv(isc_task_t *task, isc_event_t *ev) {
 	isc_event_free(&ev);
 	dev = NULL;
 
-	ns_lwdclient_startrecv(cm);
+	result = ns_lwdclient_startrecv(cm);
+	if (result != ISC_R_SUCCESS)
+		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+			      NS_LOGMODULE_LWRESD, ISC_LOG_ERROR,
+			      "could not start lwres "
+			      "client handler: %s",
+			      isc_result_totext(result));
 
 	process_request(client);
 }
@@ -329,7 +337,7 @@ lwdclientmgr_shutdown_callback(isc_task_t *task, isc_event_t *ev) {
 		ns_lwdclient_log(50, "destroying client %p, manager %p",
 				 client, cm);
 		ISC_LIST_UNLINK(cm->idle, client, link);
-		isc_mem_put(cm->mctx, client, sizeof (*client));
+		isc_mem_put(cm->mctx, client, sizeof(*client));
 		client = ISC_LIST_HEAD(cm->idle);
 	}
 
@@ -366,6 +374,7 @@ lwdclientmgr_shutdown_callback(isc_task_t *task, isc_event_t *ev) {
 void
 ns_lwdclient_stateidle(ns_lwdclient_t *client) {
 	ns_lwdclientmgr_t *cm;
+	isc_result_t result;
 
 	cm = client->clientmgr;
 
@@ -380,7 +389,13 @@ ns_lwdclient_stateidle(ns_lwdclient_t *client) {
 
 	NS_LWDCLIENT_SETIDLE(client);
 
-	ns_lwdclient_startrecv(cm);
+	result = ns_lwdclient_startrecv(cm);
+	if (result != ISC_R_SUCCESS)
+		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+			      NS_LOGMODULE_LWRESD, ISC_LOG_ERROR,
+			      "could not start lwres "
+			      "client handler: %s",
+			      isc_result_totext(result));
 }
 
 void
diff --git a/bin/named/lwderror.c b/bin/named/lwderror.c
index 6a4c15b5..51cecf0a 100644
--- a/bin/named/lwderror.c
+++ b/bin/named/lwderror.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwderror.c,v 1.7.2.1 2004/03/09 06:09:18 marka Exp $ */
+/* $Id: lwderror.c,v 1.7.208.1 2004/03/06 10:21:18 marka Exp $ */
 
 #include <config.h>
 
diff --git a/bin/named/lwdgabn.c b/bin/named/lwdgabn.c
index 3c1e993a..030a77ae 100644
--- a/bin/named/lwdgabn.c
+++ b/bin/named/lwdgabn.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwdgabn.c,v 1.13.2.3 2006/03/02 00:37:17 marka Exp $ */
+/* $Id: lwdgabn.c,v 1.13.12.3 2004/03/08 04:04:19 marka Exp $ */
 
 #include <config.h>
 
@@ -120,7 +120,7 @@ sort_addresses(ns_lwdclient_t *client) {
 	rankedaddress *addrs;
 	isc_netaddr_t remote;
 	dns_addressorderfunc_t order;
-	const void *arg;
+	void *arg;
 	ns_lwresd_t *lwresd = client->clientmgr->listener->manager;
 	unsigned int i;
 	isc_result_t result;
@@ -546,11 +546,11 @@ init_gabn(ns_lwdclient_t *client) {
 	 * Initialize the real name and alias arrays in the reply we're
 	 * going to build up.
 	 */
-	for (i = 0 ; i < LWRES_MAX_ALIASES ; i++) {
+	for (i = 0; i < LWRES_MAX_ALIASES; i++) {
 		client->aliases[i] = NULL;
 		client->aliaslen[i] = 0;
 	}
-	for (i = 0 ; i < LWRES_MAX_ADDRS ; i++) {
+	for (i = 0; i < LWRES_MAX_ADDRS; i++) {
 		client->addrs[i].family = 0;
 		client->addrs[i].length = 0;
 		memset(client->addrs[i].address, 0, LWRES_ADDR_MAXLEN);
diff --git a/bin/named/lwdgnba.c b/bin/named/lwdgnba.c
index 4d3fe967..21ef804a 100644
--- a/bin/named/lwdgnba.c
+++ b/bin/named/lwdgnba.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
+ * Copyright (C) 2000-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwdgnba.c,v 1.13.2.3 2004/03/09 06:09:18 marka Exp $ */
+/* $Id: lwdgnba.c,v 1.13.2.1.2.5 2004/03/08 04:04:19 marka Exp $ */
 
 #include <config.h>
 
@@ -67,7 +67,7 @@ byaddr_done(isc_task_t *task, isc_event_t *event) {
 		bevent = NULL;
 
 		if (client->na.family != AF_INET6 ||
-		    (client->options & DNS_BYADDROPT_IPV6NIBBLE) == 0) {
+		    (client->options & DNS_BYADDROPT_IPV6INT) != 0) {
 			if (result == DNS_R_NCACHENXDOMAIN ||
 			    result == DNS_R_NCACHENXRRSET ||
 			    result == DNS_R_NXDOMAIN ||
@@ -80,12 +80,10 @@ byaddr_done(isc_task_t *task, isc_event_t *event) {
 		}
 
 		/*
-		 * Fall back to IP6.INT nibble then IP6.ARPA bitstring.
+		 * Fall back to ip6.int reverse if the default ip6.arpa
+		 * fails.
 		 */
-		if ((client->options & DNS_BYADDROPT_IPV6INT) == 0)
-			client->options |= DNS_BYADDROPT_IPV6INT;
-		else
-			client->options &= ~DNS_BYADDROPT_IPV6NIBBLE;
+		client->options |= DNS_BYADDROPT_IPV6INT;
 
 		start_byaddr(client);
 		return;
@@ -182,11 +180,11 @@ init_gnba(ns_lwdclient_t *client) {
 	 * Initialize the real name and alias arrays in the reply we're
 	 * going to build up.
 	 */
-	for (i = 0 ; i < LWRES_MAX_ALIASES ; i++) {
+	for (i = 0; i < LWRES_MAX_ALIASES; i++) {
 		client->aliases[i] = NULL;
 		client->aliaslen[i] = 0;
 	}
-	for (i = 0 ; i < LWRES_MAX_ADDRS ; i++) {
+	for (i = 0; i < LWRES_MAX_ADDRS; i++) {
 		client->addrs[i].family = 0;
 		client->addrs[i].length = 0;
 		memset(client->addrs[i].address, 0, LWRES_ADDR_MAXLEN);
@@ -223,10 +221,7 @@ ns_lwdclient_processgnba(ns_lwdclient_t *client, lwres_buffer_t *b) {
 	if (req->addr.address == NULL)
 		goto out;
 
-	/*
-	 * Start with IP6.ARPA NIBBLE lookups.
-	 */
-	client->options = DNS_BYADDROPT_IPV6NIBBLE;
+	client->options = 0;
 	if (req->addr.family == LWRES_ADDRTYPE_V4) {
 		client->na.family = AF_INET;
 		if (req->addr.length != 4)
@@ -255,6 +250,7 @@ ns_lwdclient_processgnba(ns_lwdclient_t *client, lwres_buffer_t *b) {
 	 * going to build up.
 	 */
 	init_gnba(client);
+	client->options = 0;
 
 	/*
 	 * Start the find.
diff --git a/bin/named/lwdgrbn.c b/bin/named/lwdgrbn.c
index 7f0b043e..66522653 100644
--- a/bin/named/lwdgrbn.c
+++ b/bin/named/lwdgrbn.c
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwdgrbn.c,v 1.11.2.4 2006/12/07 04:52:57 marka Exp $ */
+/* $Id: lwdgrbn.c,v 1.11.208.3 2004/03/08 04:04:19 marka Exp $ */
 
 #include <config.h>
 
@@ -100,7 +100,7 @@ iterate_node(lwres_grbnresponse_t *grbn, dns_db_t *db, dns_dbnode_t *node,
 		dns_rdataset_init(&set);
 		dns_rdatasetiter_current(iter, &set);
 
-		if (set.type != dns_rdatatype_sig) {
+		if (set.type != dns_rdatatype_rrsig) {
 			dns_rdataset_disassociate(&set);
 			continue;
 		}
@@ -183,6 +183,8 @@ iterate_node(lwres_grbnresponse_t *grbn, dns_db_t *db, dns_dbnode_t *node,
 		isc_mem_put(mctx, oldlens, oldsize * sizeof(*oldlens));
 	if (newrdatas != NULL)
 		isc_mem_put(mctx, newrdatas, used * sizeof(*oldrdatas));
+	if (newlens != NULL)
+		isc_mem_put(mctx, newlens, used * sizeof(*oldlens));
 	return (result);
 }
 
@@ -356,7 +358,7 @@ lookup_done(isc_task_t *task, isc_event_t *event) {
 	client->sendlength = r.length;
 	result = ns_lwdclient_sendreply(client, &r);
 	if (result != ISC_R_SUCCESS)
-		goto out2;
+		goto out;
 
 	NS_LWDCLIENT_SETSEND(client);
 
@@ -376,7 +378,7 @@ lookup_done(isc_task_t *task, isc_event_t *event) {
 	if (grbn->siglen != NULL)
 		isc_mem_put(cm->mctx, grbn->siglen,
 			    grbn->nsigs * sizeof(lwres_uint16_t));
- out2:
+
 	if (client->lookup != NULL)
 		dns_lookup_destroy(&client->lookup);
 	if (lwb.base != NULL)
diff --git a/bin/named/lwdnoop.c b/bin/named/lwdnoop.c
index cfaea205..30d95ee8 100644
--- a/bin/named/lwdnoop.c
+++ b/bin/named/lwdnoop.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwdnoop.c,v 1.6.2.1 2004/03/09 06:09:18 marka Exp $ */
+/* $Id: lwdnoop.c,v 1.6.208.1 2004/03/06 10:21:19 marka Exp $ */
 
 #include <config.h>
 
diff --git a/bin/named/lwresd.8 b/bin/named/lwresd.8
index cd948fcb..6ae18bd2 100644
--- a/bin/named/lwresd.8
+++ b/bin/named/lwresd.8
@@ -1,186 +1,135 @@
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\" 
+.\" Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001  Internet Software Consortium.
+.\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
 .\" copyright notice and this permission notice appear in all copies.
-.\" 
+.\"
 .\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 .\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 .\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 .\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwresd.8,v 1.13.2.10 2007/05/16 06:57:45 marka Exp $
-.\"
-.hy 0
-.ad l
-.\"     Title: lwresd
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: June 30, 2000
-.\"    Manual: BIND9
-.\"    Source: BIND9
+.\" $Id: lwresd.8,v 1.13.208.1 2004/03/06 07:41:39 marka Exp $
 .\"
-.TH "LWRESD" "8" "June 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
+.TH "LWRESD" "8" "June 30, 2000" "BIND9" ""
+.SH NAME
 lwresd \- lightweight resolver daemon
-.SH "SYNOPSIS"
-.HP 7
-\fBlwresd\fR [\fB\-c\ \fR\fB\fIconfig\-file\fR\fR] [\fB\-C\ \fR\fB\fIconfig\-file\fR\fR] [\fB\-d\ \fR\fB\fIdebug\-level\fR\fR] [\fB\-f\fR] [\fB\-g\fR] [\fB\-i\ \fR\fB\fIpid\-file\fR\fR] [\fB\-n\ \fR\fB\fI#cpus\fR\fR] [\fB\-P\ \fR\fB\fIport\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-s\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-u\ \fR\fB\fIuser\fR\fR] [\fB\-v\fR]
+.SH SYNOPSIS
+.sp
+\fBlwresd\fR [ \fB-C \fIconfig-file\fB\fR ]  [ \fB-d \fIdebug-level\fB\fR ]  [ \fB-f\fR ]  [ \fB-g\fR ]  [ \fB-i \fIpid-file\fB\fR ]  [ \fB-n \fI#cpus\fB\fR ]  [ \fB-P \fIport\fB\fR ]  [ \fB-p \fIport\fB\fR ]  [ \fB-s\fR ]  [ \fB-t \fIdirectory\fB\fR ]  [ \fB-u \fIuser\fB\fR ]  [ \fB-v\fR ] 
 .SH "DESCRIPTION"
 .PP
-\fBlwresd\fR
-is the daemon providing name lookup services to clients that use the BIND 9 lightweight resolver library. It is essentially a stripped\-down, caching\-only name server that answers queries using the BIND 9 lightweight resolver protocol rather than the DNS protocol.
-.PP
-\fBlwresd\fR
-listens for resolver queries on a UDP port on the IPv4 loopback interface, 127.0.0.1. This means that
-\fBlwresd\fR
-can only be used by processes running on the local machine. By default UDP port number 921 is used for lightweight resolver requests and responses.
-.PP
-Incoming lightweight resolver requests are decoded by the server which then resolves them using the DNS protocol. When the DNS lookup completes,
-\fBlwresd\fR
-encodes the answers in the lightweight resolver format and returns them to the client that made the request.
-.PP
-If
-\fI/etc/resolv.conf\fR
-contains any
-\fBnameserver\fR
-entries,
-\fBlwresd\fR
-sends recursive DNS queries to those servers. This is similar to the use of forwarders in a caching name server. If no
-\fBnameserver\fR
-entries are present, or if forwarding fails,
-\fBlwresd\fR
-resolves the queries autonomously starting at the root name servers, using a built\-in list of root server hints.
+\fBlwresd\fR is the daemon providing name lookup
+services to clients that use the BIND 9 lightweight resolver
+library. It is essentially a stripped-down, caching-only name
+server that answers queries using the BIND 9 lightweight
+resolver protocol rather than the DNS protocol.
+.PP
+\fBlwresd\fR listens for resolver queries on a
+UDP port on the IPv4 loopback interface, 127.0.0.1. This
+means that \fBlwresd\fR can only be used by
+processes running on the local machine. By default UDP port
+number 921 is used for lightweight resolver requests and
+responses.
+.PP
+Incoming lightweight resolver requests are decoded by the
+server which then resolves them using the DNS protocol. When
+the DNS lookup completes, \fBlwresd\fR encodes
+the answers in the lightweight resolver format and returns
+them to the client that made the request.
+.PP
+If \fI/etc/resolv.conf\fR contains any
+\fBnameserver\fR entries, \fBlwresd\fR
+sends recursive DNS queries to those servers. This is similar
+to the use of forwarders in a caching name server. If no
+\fBnameserver\fR entries are present, or if
+forwarding fails, \fBlwresd\fR resolves the
+queries autonomously starting at the root name servers, using
+a built-in list of root server hints.
 .SH "OPTIONS"
-.PP
-\-c \fIconfig\-file\fR
-.RS 4
-Use
-\fIconfig\-file\fR
-as the configuration file instead of the default,
-\fI/etc/lwresd.conf\fR.
-<term>\-c</term>
-can not be used with
-<term>\-C</term>.
-.RE
-.PP
-\-C \fIconfig\-file\fR
-.RS 4
-Use
-\fIconfig\-file\fR
-as the configuration file instead of the default,
+.TP
+\fB-C \fIconfig-file\fB\fR
+Use \fIconfig-file\fR as the
+configuration file instead of the default,
 \fI/etc/resolv.conf\fR.
-<term>\-C</term>
-can not be used with
-<term>\-c</term>.
-.RE
-.PP
-\-d \fIdebug\-level\fR
-.RS 4
-Set the daemon's debug level to
-\fIdebug\-level\fR. Debugging traces from
-\fBlwresd\fR
-become more verbose as the debug level increases.
-.RE
-.PP
-\-f
-.RS 4
+.TP
+\fB-d \fIdebug-level\fB\fR
+Set the daemon's debug level to \fIdebug-level\fR.
+Debugging traces from \fBlwresd\fR become
+more verbose as the debug level increases.
+.TP
+\fB-f\fR
 Run the server in the foreground (i.e. do not daemonize).
-.RE
-.PP
-\-g
-.RS 4
-Run the server in the foreground and force all logging to
-\fIstderr\fR.
-.RE
-.PP
-\-i \fIpid\-file\fR
-.RS 4
-Use
-\fIpid\-file\fR
-as the PID file instead of the default,
-\fI/var/run/lwresd.pid\fR.
-.RE
-.PP
-\-n \fI#cpus\fR
-.RS 4
-Create
-\fI#cpus\fR
-worker threads to take advantage of multiple CPUs. If not specified,
-\fBlwresd\fR
-will try to determine the number of CPUs present and create one thread per CPU. If it is unable to determine the number of CPUs, a single worker thread will be created.
-.RE
-.PP
-\-P \fIport\fR
-.RS 4
+.TP
+\fB-g\fR
+Run the server in the foreground and force all logging
+to \fIstderr\fR.
+.TP
+\fB-n \fI#cpus\fB\fR
+Create \fI#cpus\fR worker threads
+to take advantage of multiple CPUs. If not specified,
+\fBlwresd\fR will try to determine the
+number of CPUs present and create one thread per CPU.
+If it is unable to determine the number of CPUs, a
+single worker thread will be created.
+.TP
+\fB-P \fIport\fB\fR
 Listen for lightweight resolver queries on port
-\fIport\fR. If not specified, the default is port 921.
-.RE
-.PP
-\-p \fIport\fR
-.RS 4
-Send DNS lookups to port
-\fIport\fR. If not specified, the default is port 53. This provides a way of testing the lightweight resolver daemon with a name server that listens for queries on a non\-standard port number.
-.RE
-.PP
-\-s
-.RS 4
-Write memory usage statistics to
-\fIstdout\fR
+\fIport\fR. If
+not specified, the default is port 921.
+.TP
+\fB-p \fIport\fB\fR
+Send DNS lookups to port \fIport\fR. If not
+specified, the default is port 53. This provides a
+way of testing the lightweight resolver daemon with a
+name server that listens for queries on a non-standard
+port number.
+.TP
+\fB-s\fR
+Write memory usage statistics to \fIstdout\fR
 on exit.
+.sp
 .RS
 .B "Note:"
-This option is mainly of interest to BIND 9 developers and may be removed or changed in a future release.
-.RE
-.RE
-.PP
-\-t \fIdirectory\fR
-.RS 4
-\fBChroot\fR
-to
-\fIdirectory\fR
-after processing the command line arguments, but before reading the configuration file.
+This option is mainly of interest to BIND 9 developers
+and may be removed or changed in a future release.
+.RE
+.sp
+.TP
+\fB-t \fIdirectory\fB\fR
+\fBchroot()\fR to \fIdirectory\fR after
+processing the command line arguments, but before
+reading the configuration file.
+.sp
 .RS
 .B "Warning:"
 This option should be used in conjunction with the
-\fB\-u\fR
-option, as chrooting a process running as root doesn't enhance security on most systems; the way
-\fBchroot(2)\fR
-is defined allows a process with root privileges to escape a chroot jail.
-.RE
-.RE
-.PP
-\-u \fIuser\fR
-.RS 4
-\fBSetuid\fR
-to
-\fIuser\fR
-after completing privileged operations, such as creating sockets that listen on privileged ports.
-.RE
-.PP
-\-v
-.RS 4
+\fB-u\fR option, as chrooting a process
+running as root doesn't enhance security on most
+systems; the way \fBchroot()\fR is
+defined allows a process with root privileges to
+escape a chroot jail.
+.RE
+.sp
+.TP
+\fB-u \fIuser\fB\fR
+\fBsetuid()\fR to \fIuser\fR after completing
+privileged operations, such as creating sockets that
+listen on privileged ports.
+.TP
+\fB-v\fR
 Report the version number and exit.
-.RE
 .SH "FILES"
-.PP
-\fI/etc/resolv.conf\fR
-.RS 4
+.TP
+\fB\fI/etc/resolv.conf\fB\fR
 The default configuration file.
-.RE
-.PP
-\fI/var/run/lwresd.pid\fR
-.RS 4
-The default process\-id file.
-.RE
+.TP
+\fB\fI/var/run/lwresd.pid\fB\fR
+The default process-id file.
 .SH "SEE ALSO"
 .PP
 \fBnamed\fR(8),
@@ -188,9 +137,4 @@ The default process\-id file.
 \fBresolver\fR(5).
 .SH "AUTHOR"
 .PP
-Internet Systems Consortium
-.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000, 2001 Internet Software Consortium.
-.br
+Internet Software Consortium
diff --git a/bin/named/lwresd.c b/bin/named/lwresd.c
index 5b904572..9da41681 100644
--- a/bin/named/lwresd.c
+++ b/bin/named/lwresd.c
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwresd.c,v 1.37.2.6 2006/03/01 01:34:05 marka Exp $ */
+/* $Id: lwresd.c,v 1.37.2.2.2.5 2004/03/08 04:04:19 marka Exp $ */
 
 /*
  * Main program for the Lightweight Resolver Daemon.
@@ -38,7 +38,7 @@
 #include <isc/task.h>
 #include <isc/util.h>
 
-#include <isccfg/cfg.h>
+#include <isccfg/namedconf.h>
 
 #include <dns/log.h>
 #include <dns/result.h>
@@ -152,7 +152,7 @@ ns_lwresd_parseeresolvconf(isc_mem_t *mctx, cfg_parser_t *pctx,
 	if (lwc->nsnext > 0) {
 		CHECK(buffer_putstr(&b, "\tforwarders {\n"));
 
-		for (i = 0 ; i < lwc->nsnext ; i++) {
+		for (i = 0; i < lwc->nsnext; i++) {
 			CHECK(lwaddr_sockaddr_fromlwresaddr(
 							&sa,
 							&lwc->nameservers[i],
@@ -173,7 +173,7 @@ ns_lwresd_parseeresolvconf(isc_mem_t *mctx, cfg_parser_t *pctx,
 		CHECK(buffer_putstr(&b, "\t\t{\n"));
 		CHECK(buffer_putstr(&b, "\t\t\tany;\n"));
 		CHECK(buffer_putstr(&b, "\t\t\t{\n"));
-		for (i = 0 ; i < lwc->sortlistnxt; i++) {
+		for (i = 0; i < lwc->sortlistnxt; i++) {
 			lwres_addr_t *lwaddr = &lwc->sortlist[i].addr;
 			lwres_addr_t *lwmask = &lwc->sortlist[i].mask;
 			unsigned int mask;
@@ -245,7 +245,7 @@ ns_lwresd_parseeresolvconf(isc_mem_t *mctx, cfg_parser_t *pctx,
 	if (lwc->lwnext > 0) {
 		CHECK(buffer_putstr(&b, "\tlisten-on {\n"));
 
-		for (i = 0 ; i < lwc->lwnext ; i++) {
+		for (i = 0; i < lwc->lwnext; i++) {
 			CHECK(lwaddr_sockaddr_fromlwresaddr(&sa,
 							    &lwc->lwservers[i],
 							    0));
@@ -285,14 +285,14 @@ ns_lwresd_parseeresolvconf(isc_mem_t *mctx, cfg_parser_t *pctx,
  * Handle lwresd manager objects
  */
 isc_result_t
-ns_lwdmanager_create(isc_mem_t *mctx, const cfg_obj_t *lwres,
+ns_lwdmanager_create(isc_mem_t *mctx, cfg_obj_t *lwres,
 		     ns_lwresd_t **lwresdp)
 {
 	ns_lwresd_t *lwresd;
 	const char *vname;
 	dns_rdataclass_t vclass;
-	const cfg_obj_t *obj, *viewobj, *searchobj;
-	const cfg_listelt_t *element;
+	cfg_obj_t *obj, *viewobj, *searchobj;
+	cfg_listelt_t *element;
 	isc_result_t result;
 
 	INSIST(lwresdp != NULL && *lwresdp == NULL);
@@ -341,7 +341,7 @@ ns_lwdmanager_create(isc_mem_t *mctx, const cfg_obj_t *lwres,
 	}
 
 	searchobj = NULL;
-	cfg_map_get(lwres, "search", &searchobj);
+	(void)cfg_map_get(lwres, "search", &searchobj);
 	if (searchobj != NULL) {
 		lwresd->search = NULL;
 		result = ns_lwsearchlist_create(lwresd->mctx,
@@ -356,8 +356,8 @@ ns_lwdmanager_create(isc_mem_t *mctx, const cfg_obj_t *lwres,
 		     element != NULL;
 		     element = cfg_list_next(element))
 		{
-			const cfg_obj_t *search;
-			const char *searchstr;
+			cfg_obj_t *search;
+			char *searchstr;
 			isc_buffer_t namebuf;
 			dns_fixedname_t fname;
 			dns_name_t *name;
@@ -407,7 +407,6 @@ ns_lwdmanager_create(isc_mem_t *mctx, const cfg_obj_t *lwres,
 		ns_lwsearchlist_detach(&lwresd->search);
 	if (lwresd->mctx != NULL)
 		isc_mem_detach(&lwresd->mctx);
-	isc_mem_put(mctx, lwresd, sizeof(ns_lwresd_t));
 	return (result);
 }
 
@@ -603,7 +602,7 @@ listener_startclients(ns_lwreslistener_t *listener) {
 	 * Create the client managers.
 	 */
 	result = ISC_R_SUCCESS;
-	for (i = 0 ; i < NTASKS && result == ISC_R_SUCCESS; i++)
+	for (i = 0; i < NTASKS && result == ISC_R_SUCCESS; i++)
 		result = ns_lwdclientmgr_create(listener, NRECVS,
 						ns_g_taskmgr);
 
@@ -619,7 +618,13 @@ listener_startclients(ns_lwreslistener_t *listener) {
 	LOCK(&listener->lock);
 	cm = ISC_LIST_HEAD(listener->cmgrs);
 	while (cm != NULL) {
-		ns_lwdclient_startrecv(cm);
+		result = ns_lwdclient_startrecv(cm);
+		if (result != ISC_R_SUCCESS)
+			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+				      NS_LOGMODULE_LWRESD, ISC_LOG_ERROR,
+				      "could not start lwres "
+				      "client handler: %s",
+				      isc_result_totext(result));
 		cm = ISC_LIST_NEXT(cm, link);
 	}
 	UNLOCK(&listener->lock);
@@ -739,11 +744,11 @@ configure_listener(isc_sockaddr_t *address, ns_lwresd_t *lwresd,
 }
 
 isc_result_t
-ns_lwresd_configure(isc_mem_t *mctx, const cfg_obj_t *config) {
-	const cfg_obj_t *lwreslist = NULL;
-	const cfg_obj_t *lwres = NULL;
-	const cfg_obj_t *listenerslist = NULL;
-	const cfg_listelt_t *element = NULL;
+ns_lwresd_configure(isc_mem_t *mctx, cfg_obj_t *config) {
+	cfg_obj_t *lwreslist = NULL;
+	cfg_obj_t *lwres = NULL;
+	cfg_obj_t *listenerslist = NULL;
+	cfg_listelt_t *element = NULL;
 	ns_lwreslistener_t *listener;
 	ns_lwreslistenerlist_t newlisteners;
 	isc_result_t result;
@@ -786,7 +791,7 @@ ns_lwresd_configure(isc_mem_t *mctx, const cfg_obj_t *config) {
 			port = LWRES_UDP_PORT;
 
 		listenerslist = NULL;
-		cfg_map_get(lwres, "listen-on", &listenerslist);
+		(void)cfg_map_get(lwres, "listen-on", &listenerslist);
 		if (listenerslist == NULL) {
 			struct in_addr localhost;
 			isc_sockaddr_t address;
diff --git a/bin/named/lwresd.docbook b/bin/named/lwresd.docbook
index 3bdea272..a552ad9d 100644
--- a/bin/named/lwresd.docbook
+++ b/bin/named/lwresd.docbook
@@ -1,8 +1,6 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-	       "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
 <!--
- - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000, 2001  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and distribute this software for any
@@ -18,7 +16,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: lwresd.docbook,v 1.6.2.8 2007/05/16 02:07:45 marka Exp $ -->
+<!-- $Id: lwresd.docbook,v 1.6.208.1 2004/03/06 10:21:20 marka Exp $ -->
 
 <refentry>
   <refentryinfo>
@@ -31,20 +29,6 @@
     <refmiscinfo>BIND9</refmiscinfo>
   </refmeta>
 
-  <docinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2007</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
-  </docinfo>
-
   <refnamediv>
     <refname><application>lwresd</application></refname>
     <refpurpose>lightweight resolver daemon</refpurpose>
@@ -53,7 +37,6 @@
   <refsynopsisdiv>
     <cmdsynopsis>
       <command>lwresd</command>
-      <arg><option>-c <replaceable class="parameter">config-file</replaceable></option></arg>
       <arg><option>-C <replaceable class="parameter">config-file</replaceable></option></arg>
       <arg><option>-d <replaceable class="parameter">debug-level</replaceable></option></arg>
       <arg><option>-f</option></arg>
@@ -110,27 +93,14 @@
 
     <variablelist>
       <varlistentry>
-	<term>-c <replaceable class="parameter">config-file</replaceable></term>
-	<listitem>
-	  <para>
-	    Use <replaceable class="parameter">config-file</replaceable> as the
-	    configuration file instead of the default,
-	    <filename>/etc/lwresd.conf</filename>.
-	    <!-- Should this be an absolute path name? -->
-	    <term>-c</term> can not be used with <term>-C</term>.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
 	<term>-C <replaceable class="parameter">config-file</replaceable></term>
 	<listitem>
 	  <para>
-	    Use <replaceable class="parameter">config-file</replaceable> as the
-	    configuration file instead of the default,
-	    <filename>/etc/resolv.conf</filename>.
-	    <term>-C</term> can not be used with <term>-c</term>.
-	  </para>
+		Use <replaceable
+		class="parameter">config-file</replaceable> as the
+		configuration file instead of the default,
+		<filename>/etc/resolv.conf</filename>.
+          </para>
 	</listitem>
       </varlistentry>
 
@@ -142,7 +112,7 @@
 		class="parameter">debug-level</replaceable>.
 		Debugging traces from <command>lwresd</command> become
 		more verbose as the debug level increases.
-	  </para>
+          </para>
 	</listitem>
       </varlistentry>
 
@@ -151,7 +121,7 @@
 	<listitem>
 	  <para>
 		Run the server in the foreground (i.e. do not daemonize).
-	  </para>
+          </para>
 	</listitem>
       </varlistentry>
 
@@ -161,22 +131,11 @@
 	  <para>
 		Run the server in the foreground and force all logging
 		to <filename>stderr</filename>.
-	  </para>
+          </para>
 	</listitem>
       </varlistentry>
 
       <varlistentry>
-	 <term>-i <replaceable class="parameter">pid-file</replaceable></term>
-	 <listitem>
-	   <para>
-	     Use <replaceable class="parameter">pid-file</replaceable> as the
-	     PID file instead of the default,
-	     <filename>/var/run/lwresd.pid</filename>.
-	   </para>
-	 </listitem>
-       </varlistentry>
-
-      <varlistentry>
 	<term>-n <replaceable class="parameter">#cpus</replaceable></term>
 	<listitem>
 	  <para>
@@ -187,7 +146,7 @@
 		number of CPUs present and create one thread per CPU.
 		If it is unable to determine the number of CPUs, a
 		single worker thread will be created.
-	  </para>
+          </para>
 	</listitem>
       </varlistentry>
 
@@ -198,7 +157,7 @@
 		Listen for lightweight resolver queries on port
 		<replaceable class="parameter">port</replaceable>.  If
 		not specified, the default is port 921.
-	  </para>
+          </para>
 	</listitem>
       </varlistentry>
 
@@ -212,7 +171,7 @@
 		way of testing the lightweight resolver daemon with a
 		name server that listens for queries on a non-standard
 		port number.
-	  </para>
+          </para>
 	</listitem>
       </varlistentry>
 
@@ -222,7 +181,7 @@
 	  <para>
 		Write memory usage statistics to <filename>stdout</filename>
 		on exit.
-	  </para>
+          </para>
 	  <note>
 	    <para>
 		This option is mainly of interest to BIND 9 developers
@@ -236,17 +195,17 @@
 	<term>-t <replaceable class="parameter">directory</replaceable></term>
 	<listitem>
 	  <para>
-		<function>Chroot</function> to <replaceable
+		<function>chroot()</function> to <replaceable
 		class="parameter">directory</replaceable> after
 		processing the command line arguments, but before
 		reading the configuration file.
-	  </para>
+          </para>
 	  <warning>
 	    <para>
 		This option should be used in conjunction with the
 		<option>-u</option> option, as chrooting a process
 		running as root doesn't enhance security on most
-		systems; the way <function>chroot(2)</function> is
+		systems; the way <function>chroot()</function> is
 		defined allows a process with root privileges to
 		escape a chroot jail.
 	    </para>
@@ -258,11 +217,11 @@
 	<term>-u <replaceable class="parameter">user</replaceable></term>
 	<listitem>
 	  <para>
-		<function>Setuid</function> to <replaceable
+		<function>setuid()</function> to <replaceable
 		class="parameter">user</replaceable> after completing
 		privileged operations, such as creating sockets that
 		listen on privileged ports.
-	  </para>
+          </para>
 	</listitem>
       </varlistentry>
 
@@ -271,7 +230,7 @@
 	<listitem>
 	  <para>
 		Report the version number and exit.
-	  </para>
+          </para>
 	</listitem>
       </varlistentry>
 
@@ -289,7 +248,7 @@
 	<listitem>
 	  <para>
 		The default configuration file.
-	  </para>
+          </para>
 	</listitem>
       </varlistentry>
 
@@ -298,7 +257,7 @@
 	<listitem>
 	  <para>
 		The default process-id file.
-	  </para>
+          </para>
 	</listitem>
       </varlistentry>
 
@@ -312,22 +271,22 @@
 	<citerefentry>
 	  <refentrytitle>named</refentrytitle>
 	  <manvolnum>8</manvolnum>
-	</citerefentry>,
+        </citerefentry>,
 	<citerefentry>
 	  <refentrytitle>lwres</refentrytitle>
 	  <manvolnum>3</manvolnum>
-	</citerefentry>,
+        </citerefentry>,
 	<citerefentry>
 	  <refentrytitle>resolver</refentrytitle>
 	  <manvolnum>5</manvolnum>
-	</citerefentry>.
+        </citerefentry>.
     </para>
   </refsect1>
 
   <refsect1>
     <title>AUTHOR</title>
     <para>
-	<corpauthor>Internet Systems Consortium</corpauthor>
+	<corpauthor>Internet Software Consortium</corpauthor>
     </para>
   </refsect1>
 
diff --git a/bin/named/lwresd.html b/bin/named/lwresd.html
index 40b4cf30..fd084080 100644
--- a/bin/named/lwresd.html
+++ b/bin/named/lwresd.html
@@ -1,204 +1,541 @@
 <!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- - 
+ - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000, 2001  Internet Software Consortium.
+ -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
- - 
+ -
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwresd.html,v 1.4.2.17 2007/05/16 06:57:45 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>lwresd</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476275"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p><span class="application">lwresd</span> &#8212; lightweight resolver daemon</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">lwresd</code>  [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-C <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-i <em class="replaceable"><code>pid-file</code></em></code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-P <em class="replaceable"><code>port</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>]</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543434"></a><h2>DESCRIPTION</h2>
-<p>
-	<span><strong class="command">lwresd</strong></span> is the daemon providing name lookup
+
+<!-- $Id: lwresd.html,v 1.4.2.1.4.1 2004/03/06 10:21:20 marka Exp $ -->
+
+<HTML
+><HEAD
+><TITLE
+>lwresd</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.73
+"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+><SPAN
+CLASS="APPLICATION"
+>lwresd</SPAN
+></A
+></H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN9"
+></A
+><H2
+>Name</H2
+><SPAN
+CLASS="APPLICATION"
+>lwresd</SPAN
+>&nbsp;--&nbsp;lightweight resolver daemon</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN13"
+></A
+><H2
+>Synopsis</H2
+><P
+><B
+CLASS="COMMAND"
+>lwresd</B
+>  [<TT
+CLASS="OPTION"
+>-C <TT
+CLASS="REPLACEABLE"
+><I
+>config-file</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-d <TT
+CLASS="REPLACEABLE"
+><I
+>debug-level</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-f</TT
+>] [<TT
+CLASS="OPTION"
+>-g</TT
+>] [<TT
+CLASS="OPTION"
+>-i <TT
+CLASS="REPLACEABLE"
+><I
+>pid-file</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-n <TT
+CLASS="REPLACEABLE"
+><I
+>#cpus</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-P <TT
+CLASS="REPLACEABLE"
+><I
+>port</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-p <TT
+CLASS="REPLACEABLE"
+><I
+>port</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-s</TT
+>] [<TT
+CLASS="OPTION"
+>-t <TT
+CLASS="REPLACEABLE"
+><I
+>directory</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-u <TT
+CLASS="REPLACEABLE"
+><I
+>user</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-v</TT
+>]</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN48"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+>	<B
+CLASS="COMMAND"
+>lwresd</B
+> is the daemon providing name lookup
 	services to clients that use the BIND 9 lightweight resolver
 	library.  It is essentially a stripped-down, caching-only name
 	server that answers queries using the BIND 9 lightweight
 	resolver protocol rather than the DNS protocol.
-    </p>
-<p>
-	<span><strong class="command">lwresd</strong></span> listens for resolver queries on a
+    </P
+><P
+>	<B
+CLASS="COMMAND"
+>lwresd</B
+> listens for resolver queries on a
 	UDP port on the IPv4 loopback interface, 127.0.0.1.  This
-	means that <span><strong class="command">lwresd</strong></span> can only be used by
+	means that <B
+CLASS="COMMAND"
+>lwresd</B
+> can only be used by
 	processes running on the local machine.  By default UDP port
 	number 921 is used for lightweight resolver requests and
 	responses.
-    </p>
-<p>
-	Incoming lightweight resolver requests are decoded by the
+    </P
+><P
+>	Incoming lightweight resolver requests are decoded by the
 	server which then resolves them using the DNS protocol.  When
-	the DNS lookup completes, <span><strong class="command">lwresd</strong></span> encodes
+	the DNS lookup completes, <B
+CLASS="COMMAND"
+>lwresd</B
+> encodes
 	the answers in the lightweight resolver format and returns
 	them to the client that made the request.
-    </p>
-<p>
-	If <code class="filename">/etc/resolv.conf</code> contains any
-	<code class="option">nameserver</code> entries, <span><strong class="command">lwresd</strong></span>
+    </P
+><P
+>	If <TT
+CLASS="FILENAME"
+>/etc/resolv.conf</TT
+> contains any
+	<TT
+CLASS="OPTION"
+>nameserver</TT
+> entries, <B
+CLASS="COMMAND"
+>lwresd</B
+>
 	sends recursive DNS queries to those servers.  This is similar
 	to the use of forwarders in a caching name server.  If no
-	<code class="option">nameserver</code> entries are present, or if
-	forwarding fails, <span><strong class="command">lwresd</strong></span> resolves the
+	<TT
+CLASS="OPTION"
+>nameserver</TT
+> entries are present, or if
+	forwarding fails, <B
+CLASS="COMMAND"
+>lwresd</B
+> resolves the
 	queries autonomously starting at the root name servers, using
 	a built-in list of root server hints.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543483"></a><h2>OPTIONS</h2>
-<div class="variablelist"><dl>
-<dt><span class="term">-c <em class="replaceable"><code>config-file</code></em></span></dt>
-<dd><p>
-	    Use <em class="replaceable"><code>config-file</code></em> as the
-	    configuration file instead of the default,
-	    <code class="filename">/etc/lwresd.conf</code>.
-	    
-	    <font color="red">&lt;term&gt;-c&lt;/term&gt;</font> can not be used with <font color="red">&lt;term&gt;-C&lt;/term&gt;</font>.
-	  </p></dd>
-<dt><span class="term">-C <em class="replaceable"><code>config-file</code></em></span></dt>
-<dd><p>
-	    Use <em class="replaceable"><code>config-file</code></em> as the
-	    configuration file instead of the default,
-	    <code class="filename">/etc/resolv.conf</code>.
-	    <font color="red">&lt;term&gt;-C&lt;/term&gt;</font> can not be used with <font color="red">&lt;term&gt;-c&lt;/term&gt;</font>.
-	  </p></dd>
-<dt><span class="term">-d <em class="replaceable"><code>debug-level</code></em></span></dt>
-<dd><p>
-		Set the daemon's debug level to <em class="replaceable"><code>debug-level</code></em>.
-		Debugging traces from <span><strong class="command">lwresd</strong></span> become
+    </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN63"
+></A
+><H2
+>OPTIONS</H2
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+>-C <TT
+CLASS="REPLACEABLE"
+><I
+>config-file</I
+></TT
+></DT
+><DD
+><P
+>		Use <TT
+CLASS="REPLACEABLE"
+><I
+>config-file</I
+></TT
+> as the
+		configuration file instead of the default,
+		<TT
+CLASS="FILENAME"
+>/etc/resolv.conf</TT
+>.
+          </P
+></DD
+><DT
+>-d <TT
+CLASS="REPLACEABLE"
+><I
+>debug-level</I
+></TT
+></DT
+><DD
+><P
+>		Set the daemon's debug level to <TT
+CLASS="REPLACEABLE"
+><I
+>debug-level</I
+></TT
+>.
+		Debugging traces from <B
+CLASS="COMMAND"
+>lwresd</B
+> become
 		more verbose as the debug level increases.
-	  </p></dd>
-<dt><span class="term">-f</span></dt>
-<dd><p>
-		Run the server in the foreground (i.e. do not daemonize).
-	  </p></dd>
-<dt><span class="term">-g</span></dt>
-<dd><p>
-		Run the server in the foreground and force all logging
-		to <code class="filename">stderr</code>.
-	  </p></dd>
-<dt><span class="term">-i <em class="replaceable"><code>pid-file</code></em></span></dt>
-<dd><p>
-	     Use <em class="replaceable"><code>pid-file</code></em> as the
-	     PID file instead of the default,
-	     <code class="filename">/var/run/lwresd.pid</code>.
-	   </p></dd>
-<dt><span class="term">-n <em class="replaceable"><code>#cpus</code></em></span></dt>
-<dd><p>
-		Create <em class="replaceable"><code>#cpus</code></em> worker threads
+          </P
+></DD
+><DT
+>-f</DT
+><DD
+><P
+>		Run the server in the foreground (i.e. do not daemonize).
+          </P
+></DD
+><DT
+>-g</DT
+><DD
+><P
+>		Run the server in the foreground and force all logging
+		to <TT
+CLASS="FILENAME"
+>stderr</TT
+>.
+          </P
+></DD
+><DT
+>-n <TT
+CLASS="REPLACEABLE"
+><I
+>#cpus</I
+></TT
+></DT
+><DD
+><P
+>		Create <TT
+CLASS="REPLACEABLE"
+><I
+>#cpus</I
+></TT
+> worker threads
 		to take advantage of multiple CPUs.  If not specified,
-		<span><strong class="command">lwresd</strong></span> will try to determine the
+		<B
+CLASS="COMMAND"
+>lwresd</B
+> will try to determine the
 		number of CPUs present and create one thread per CPU.
 		If it is unable to determine the number of CPUs, a
 		single worker thread will be created.
-	  </p></dd>
-<dt><span class="term">-P <em class="replaceable"><code>port</code></em></span></dt>
-<dd><p>
-		Listen for lightweight resolver queries on port
-		<em class="replaceable"><code>port</code></em>.  If
+          </P
+></DD
+><DT
+>-P <TT
+CLASS="REPLACEABLE"
+><I
+>port</I
+></TT
+></DT
+><DD
+><P
+>		Listen for lightweight resolver queries on port
+		<TT
+CLASS="REPLACEABLE"
+><I
+>port</I
+></TT
+>.  If
 		not specified, the default is port 921.
-	  </p></dd>
-<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
-<dd><p>
-		Send DNS lookups to port <em class="replaceable"><code>port</code></em>.  If not
+          </P
+></DD
+><DT
+>-p <TT
+CLASS="REPLACEABLE"
+><I
+>port</I
+></TT
+></DT
+><DD
+><P
+>		Send DNS lookups to port <TT
+CLASS="REPLACEABLE"
+><I
+>port</I
+></TT
+>.  If not
 		specified, the default is port 53.  This provides a
 		way of testing the lightweight resolver daemon with a
 		name server that listens for queries on a non-standard
 		port number.
-	  </p></dd>
-<dt><span class="term">-s</span></dt>
-<dd>
-<p>
-		Write memory usage statistics to <code class="filename">stdout</code>
+          </P
+></DD
+><DT
+>-s</DT
+><DD
+><P
+>		Write memory usage statistics to <TT
+CLASS="FILENAME"
+>stdout</TT
+>
 		on exit.
-	  </p>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>
-		This option is mainly of interest to BIND 9 developers
+          </P
+><DIV
+CLASS="NOTE"
+><BLOCKQUOTE
+CLASS="NOTE"
+><P
+><B
+>Note: </B
+>		This option is mainly of interest to BIND 9 developers
 		and may be removed or changed in a future release.
-	    </p>
-</div>
-</dd>
-<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
-<dd>
-<p>
-		<code class="function">Chroot</code> to <em class="replaceable"><code>directory</code></em> after
+	    </P
+></BLOCKQUOTE
+></DIV
+></DD
+><DT
+>-t <TT
+CLASS="REPLACEABLE"
+><I
+>directory</I
+></TT
+></DT
+><DD
+><P
+>		<TT
+CLASS="FUNCTION"
+>chroot()</TT
+> to <TT
+CLASS="REPLACEABLE"
+><I
+>directory</I
+></TT
+> after
 		processing the command line arguments, but before
 		reading the configuration file.
-	  </p>
-<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Warning</h3>
-<p>
-		This option should be used in conjunction with the
-		<code class="option">-u</code> option, as chrooting a process
+          </P
+><DIV
+CLASS="WARNING"
+><P
+></P
+><TABLE
+CLASS="WARNING"
+BORDER="1"
+WIDTH="90%"
+><TR
+><TD
+ALIGN="CENTER"
+><B
+>Warning</B
+></TD
+></TR
+><TR
+><TD
+ALIGN="LEFT"
+><P
+>		This option should be used in conjunction with the
+		<TT
+CLASS="OPTION"
+>-u</TT
+> option, as chrooting a process
 		running as root doesn't enhance security on most
-		systems; the way <code class="function">chroot(2)</code> is
+		systems; the way <TT
+CLASS="FUNCTION"
+>chroot()</TT
+> is
 		defined allows a process with root privileges to
 		escape a chroot jail.
-	    </p>
-</div>
-</dd>
-<dt><span class="term">-u <em class="replaceable"><code>user</code></em></span></dt>
-<dd><p>
-		<code class="function">Setuid</code> to <em class="replaceable"><code>user</code></em> after completing
+	    </P
+></TD
+></TR
+></TABLE
+></DIV
+></DD
+><DT
+>-u <TT
+CLASS="REPLACEABLE"
+><I
+>user</I
+></TT
+></DT
+><DD
+><P
+>		<TT
+CLASS="FUNCTION"
+>setuid()</TT
+> to <TT
+CLASS="REPLACEABLE"
+><I
+>user</I
+></TT
+> after completing
 		privileged operations, such as creating sockets that
 		listen on privileged ports.
-	  </p></dd>
-<dt><span class="term">-v</span></dt>
-<dd><p>
-		Report the version number and exit.
-	  </p></dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543821"></a><h2>FILES</h2>
-<div class="variablelist"><dl>
-<dt><span class="term"><code class="filename">/etc/resolv.conf</code></span></dt>
-<dd><p>
-		The default configuration file.
-	  </p></dd>
-<dt><span class="term"><code class="filename">/var/run/lwresd.pid</code></span></dt>
-<dd><p>
-		The default process-id file.
-	  </p></dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543861"></a><h2>SEE ALSO</h2>
-<p>
-	<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
-	<span class="citerefentry"><span class="refentrytitle">lwres</span>(3)</span>,
-	<span class="citerefentry"><span class="refentrytitle">resolver</span>(5)</span>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543899"></a><h2>AUTHOR</h2>
-<p>
-	<span class="corpauthor">Internet Systems Consortium</span>
-    </p>
-</div>
-</div></body>
-</html>
+          </P
+></DD
+><DT
+>-v</DT
+><DD
+><P
+>		Report the version number and exit.
+          </P
+></DD
+></DL
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN137"
+></A
+><H2
+>FILES</H2
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="FILENAME"
+>/etc/resolv.conf</TT
+></DT
+><DD
+><P
+>		The default configuration file.
+          </P
+></DD
+><DT
+><TT
+CLASS="FILENAME"
+>/var/run/lwresd.pid</TT
+></DT
+><DD
+><P
+>		The default process-id file.
+          </P
+></DD
+></DL
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN150"
+></A
+><H2
+>SEE ALSO</H2
+><P
+>	<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>named</SPAN
+>(8)</SPAN
+>,
+	<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres</SPAN
+>(3)</SPAN
+>,
+	<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>resolver</SPAN
+>(5)</SPAN
+>.
+    </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN162"
+></A
+><H2
+>AUTHOR</H2
+><P
+>	Internet Software Consortium
+    </P
+></DIV
+></BODY
+></HTML
+>
diff --git a/bin/named/lwsearch.c b/bin/named/lwsearch.c
index 433f40e2..8b9ea526 100644
--- a/bin/named/lwsearch.c
+++ b/bin/named/lwsearch.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwsearch.c,v 1.7.2.1 2004/03/09 06:09:19 marka Exp $ */
+/* $Id: lwsearch.c,v 1.7.208.1 2004/03/06 10:21:20 marka Exp $ */
 
 #include <config.h>
 
diff --git a/bin/named/main.c b/bin/named/main.c
index cf9f75ac..3d728f42 100644
--- a/bin/named/main.c
+++ b/bin/named/main.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: main.c,v 1.119.2.17 2006/01/06 00:01:41 marka Exp $ */
+/* $Id: main.c,v 1.119.2.3.2.13 2004/03/15 12:27:47 marka Exp $ */
 
 #include <config.h>
 
@@ -32,6 +32,7 @@
 #include <isc/os.h>
 #include <isc/platform.h>
 #include <isc/resource.h>
+#include <isc/stdio.h>
 #include <isc/task.h>
 #include <isc/timer.h>
 #include <isc/util.h>
@@ -51,6 +52,7 @@
  */
 #define NS_MAIN 1
 
+#include <named/builtin.h>
 #include <named/control.h>
 #include <named/globals.h>	/* Explicit, though named/log.h includes it. */
 #include <named/interfacemgr.h>
@@ -59,9 +61,6 @@
 #include <named/server.h>
 #include <named/lwresd.h>
 #include <named/main.h>
-#ifdef HAVE_LIBSCF
-#include <named/ns_smf_globals.h>
-#endif
 
 /*
  * Include header files for database drivers here.
@@ -71,8 +70,7 @@
 static isc_boolean_t	want_stats = ISC_FALSE;
 static char		program_name[ISC_DIR_NAMEMAX] = "named";
 static char		absolute_conffile[ISC_DIR_PATHMAX];
-static char		saved_command_line[512];
-static char		version[512];
+static char    		saved_command_line[512];
 
 void
 ns_main_earlywarning(const char *format, ...) {
@@ -218,11 +216,12 @@ library_unexpected_error(const char *file, int line, const char *format,
 static void
 lwresd_usage(void) {
 	fprintf(stderr,
-		"usage: lwresd [-c conffile | -C resolvconffile] "
-		"[-d debuglevel] [-f|-g]\n"
-		"              [-n number_of_cpus] [-p port]"
+		"usage: lwresd [-4|-6] [-c conffile | -C resolvconffile] "
+		"[-d debuglevel]\n"
+		"              [-f|-g] [-n number_of_cpus] [-p port] "
 		"[-P listen-port] [-s]\n"
-		"              [-t chrootdir] [-u username] [-i pidfile]\n");
+		"              [-t chrootdir] [-u username] [-i pidfile]\n"
+		"              [-m {usage|trace|record}]\n");
 }
 
 static void
@@ -232,9 +231,10 @@ usage(void) {
 		return;
 	}
 	fprintf(stderr,
-		"usage: named [-c conffile] [-d debuglevel] "
+		"usage: named [-4|-6] [-c conffile] [-d debuglevel] "
 		"[-f|-g] [-n number_of_cpus]\n"
-		"             [-p port] [-s] [-t chrootdir] [-u username]\n");
+		"             [-p port] [-s] [-t chrootdir] [-u username]\n"
+		"             [-m {usage|trace|record}]\n");
 }
 
 static void
@@ -295,18 +295,67 @@ parse_int(char *arg, const char *desc) {
 	return (tmp);
 }
 
+static struct flag_def {
+	const char *name;
+	unsigned int value;
+} mem_debug_flags[] = {
+	{ "trace",  ISC_MEM_DEBUGTRACE },
+	{ "record", ISC_MEM_DEBUGRECORD },
+	{ "usage", ISC_MEM_DEBUGUSAGE },
+	{ NULL, 0 }
+};
+
+static void
+set_flags(const char *arg, struct flag_def *defs, unsigned int *ret) {
+	for (;;) {
+		const struct flag_def *def;
+		const char *end = strchr(arg, ',');
+		if (end == NULL)
+			end = arg + strlen(arg);
+		for (def = defs; def->name != NULL; def++) {
+			if (end - arg == (int)strlen(def->name) &&
+			    memcmp(arg, def->name, end - arg) == 0) {
+				*ret |= def->value;
+				goto found;
+			}
+		}
+		ns_main_earlyfatal("unrecognized flag '%.*s'", end - arg, arg);
+	 found:
+		if (*end == '\0')
+			break;
+		arg = end + 1;
+	}
+}
+
 static void
 parse_command_line(int argc, char *argv[]) {
 	int ch;
 	int port;
+	isc_boolean_t disable6 = ISC_FALSE;
+	isc_boolean_t disable4 = ISC_FALSE;
 
 	save_command_line(argc, argv);
 
 	isc_commandline_errprint = ISC_FALSE;
 	while ((ch = isc_commandline_parse(argc, argv,
-					   "c:C:d:fgi:ln:N:p:P:st:u:vx:")) !=
-	       -1) {
+			           "46c:C:d:fgi:lm:n:N:p:P:st:u:vx:")) != -1) {
 		switch (ch) {
+		case '4':
+			if (disable4)
+				ns_main_earlyfatal("cannot specify -4 and -6");
+			if (isc_net_probeipv4() != ISC_R_SUCCESS)
+				ns_main_earlyfatal("IPv4 not supported by OS");
+			isc_net_disableipv6();
+			disable6 = ISC_TRUE;
+			break;
+		case '6':
+			if (disable6)
+				ns_main_earlyfatal("cannot specify -4 and -6");
+			if (isc_net_probeipv6() != ISC_R_SUCCESS)
+				ns_main_earlyfatal("IPv6 not supported by OS");
+			isc_net_disableipv4();
+			disable4 = ISC_TRUE;
+			break;
 		case 'c':
 			ns_g_conffile = isc_commandline_argument;
 			lwresd_g_conffile = isc_commandline_argument;
@@ -338,6 +387,10 @@ parse_command_line(int argc, char *argv[]) {
 		case 'l':
 			ns_g_lwresdonly = ISC_TRUE;
 			break;
+		case 'm':
+			set_flags(isc_commandline_argument, mem_debug_flags,
+				  &isc_mem_debugging);
+			break;
 		case 'N': /* Deprecated. */
 		case 'n':
 			ns_g_cpus = parse_int(isc_commandline_argument,
@@ -390,27 +443,30 @@ parse_command_line(int argc, char *argv[]) {
 		usage();
 		ns_main_earlyfatal("extra command line arguments");
 	}
-
-	
 }
 
 static isc_result_t
 create_managers(void) {
 	isc_result_t result;
+#ifdef ISC_PLATFORM_USETHREADS
+	unsigned int cpus_detected;
+#endif
 
 #ifdef ISC_PLATFORM_USETHREADS
+	cpus_detected = isc_os_ncpus();
 	if (ns_g_cpus == 0)
-		ns_g_cpus = isc_os_ncpus();
+		ns_g_cpus = cpus_detected;
+	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
+		      ISC_LOG_INFO, "found %u CPU%s, using %u worker thread%s",
+		      cpus_detected, cpus_detected == 1 ? "" : "s",
+		      ns_g_cpus, ns_g_cpus == 1 ? "" : "s");
 #else
 	ns_g_cpus = 1;
 #endif
-	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
-		      ISC_LOG_INFO, "using %u CPU%s",
-		      ns_g_cpus, ns_g_cpus == 1 ? "" : "s");
 	result = isc_taskmgr_create(ns_g_mctx, ns_g_cpus, 0, &ns_g_taskmgr);
 	if (result != ISC_R_SUCCESS) {
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_taskmgr_create() failed: %s",
+				 "ns_taskmgr_create() failed: %s",
 				 isc_result_totext(result));
 		return (ISC_R_UNEXPECTED);
 	}
@@ -418,7 +474,7 @@ create_managers(void) {
 	result = isc_timermgr_create(ns_g_mctx, &ns_g_timermgr);
 	if (result != ISC_R_SUCCESS) {
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_timermgr_create() failed: %s",
+				 "ns_timermgr_create() failed: %s",
 				 isc_result_totext(result));
 		return (ISC_R_UNEXPECTED);
 	}
@@ -455,6 +511,9 @@ destroy_managers(void) {
 	ns_lwresd_shutdown();
 
 	isc_entropy_detach(&ns_g_entropy);
+	if (ns_g_fallbackentropy != NULL)
+		isc_entropy_detach(&ns_g_fallbackentropy);
+
 	/*
 	 * isc_taskmgr_destroy() will block until all tasks have exited,
 	 */
@@ -473,9 +532,6 @@ destroy_managers(void) {
 static void
 setup(void) {
 	isc_result_t result;
-#ifdef HAVE_LIBSCF
-	char *instance = NULL;
-#endif
 
 	/*
 	 * Get the user and group information before changing the root
@@ -491,17 +547,28 @@ setup(void) {
 
 	ns_os_opendevnull();
 
-#ifdef HAVE_LIBSCF
-	/* Check if named is under smf control, before chroot. */
-	result = ns_smf_get_instance(&instance, 0, ns_g_mctx);
-	/* We don't care about instance, just check if we got one. */
-	if (result == ISC_R_SUCCESS)
-		ns_smf_got_instance = 1;
-	else
-		ns_smf_got_instance = 0;
-	if (instance != NULL)
-		isc_mem_free(ns_g_mctx, instance);
-#endif /* HAVE_LIBSCF */
+#ifdef PATH_RANDOMDEV
+	/*
+	 * Initialize system's random device as fallback entropy source
+	 * if running chroot'ed.
+	 */
+	if (ns_g_chrootdir != NULL) {
+		result = isc_entropy_create(ns_g_mctx, &ns_g_fallbackentropy);
+		if (result != ISC_R_SUCCESS)
+			ns_main_earlyfatal("isc_entropy_create() failed: %s",
+					   isc_result_totext(result));
+
+		result = isc_entropy_createfilesource(ns_g_fallbackentropy,
+						      PATH_RANDOMDEV);
+		if (result != ISC_R_SUCCESS) {
+			ns_main_earlywarning("could not open pre-chroot "
+					     "entropy source %s: %s",
+					     PATH_RANDOMDEV,
+					     isc_result_totext(result));
+			isc_entropy_detach(&ns_g_fallbackentropy);
+		}
+	}
+#endif
 
 	ns_os_chroot(ns_g_chrootdir);
 
@@ -530,15 +597,6 @@ setup(void) {
 	if (!ns_g_foreground)
 		ns_os_daemonize();
 
-	/*
-	 * We call isc_app_start() here as some versions of FreeBSD's fork()
-	 * destroys all the signal handling it sets up.
-	 */
-	result = isc_app_start();
-	if (result != ISC_R_SUCCESS)
-		ns_main_earlyfatal("isc_app_start() failed: %s",
-				   isc_result_totext(result));
-
 	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
 		      ISC_LOG_NOTICE, "starting BIND %s%s", ns_g_version,
 		      saved_command_line);
@@ -575,6 +633,8 @@ setup(void) {
 		ns_main_earlyfatal("create_managers() failed: %s",
 				   isc_result_totext(result));
 
+	ns_builtin_init();
+
 	/*
 	 * Add calls to register sdb drivers here.
 	 */
@@ -589,6 +649,8 @@ cleanup(void) {
 
 	ns_server_destroy(&ns_g_server);
 
+	ns_builtin_deinit();
+
 	/*
 	 * Add calls to unregister sdb drivers here.
 	 */
@@ -599,84 +661,29 @@ cleanup(void) {
 	ns_log_shutdown();
 }
 
-#ifdef HAVE_LIBSCF
-/*
- * Get FMRI for the named process.
- */
-isc_result_t
-ns_smf_get_instance(char **ins_name, int debug, isc_mem_t *mctx) {
-	scf_handle_t *h = NULL;
-	int namelen;
-	char *instance;
-
-	REQUIRE(ins_name != NULL && *ins_name == NULL);
-
-	if ((h = scf_handle_create(SCF_VERSION)) == NULL) {
-		if (debug)
-			UNEXPECTED_ERROR(__FILE__, __LINE__,
-					 "scf_handle_create() failed: %s",
-			 		 scf_strerror(scf_error()));
-		return (ISC_R_FAILURE);
-	}
-
-	if (scf_handle_bind(h) == -1) {
-		if (debug)
-			UNEXPECTED_ERROR(__FILE__, __LINE__,
-					 "scf_handle_bind() failed: %s",
-					 scf_strerror(scf_error()));
-		scf_handle_destroy(h);
-		return (ISC_R_FAILURE);
-	}
-
-	if ((namelen = scf_myname(h, NULL, 0)) == -1) {
-		if (debug)
-			UNEXPECTED_ERROR(__FILE__, __LINE__,
-					 "scf_myname() failed: %s",
-					 scf_strerror(scf_error()));
-		scf_handle_destroy(h);
-		return (ISC_R_FAILURE);
-	}
+static char *memstats = NULL;
 
-	if ((instance = isc_mem_allocate(mctx, namelen + 1)) == NULL) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "ns_smf_get_instance memory "
-				 "allocation failed: %s",
-				 isc_result_totext(ISC_R_NOMEMORY));
-		scf_handle_destroy(h);
-		return (ISC_R_FAILURE);
-	}
+void
+ns_main_setmemstats(const char *filename) {
+	/*
+	 * Caller has to ensure locking.
+	 */
 
-	if (scf_myname(h, instance, namelen + 1) == -1) {
-		if (debug)
-			UNEXPECTED_ERROR(__FILE__, __LINE__,
-					 "scf_myname() failed: %s",
-					 scf_strerror(scf_error()));
-		scf_handle_destroy(h);
-		isc_mem_free(mctx, instance);
-		return (ISC_R_FAILURE);
+	if (memstats != NULL) {
+		free(memstats);
+		memstats = NULL;
 	}
-
-	scf_handle_destroy(h);
-	*ins_name = instance;
-	return (ISC_R_SUCCESS);
+	if (filename == NULL)
+		return;
+	memstats = malloc(strlen(filename) + 1);
+	if (memstats)
+		strcpy(memstats, filename);
 }
-#endif /* HAVE_LIBSCF */
 
 int
 main(int argc, char *argv[]) {
 	isc_result_t result;
 
-	/*
-	 * Record version in core image.
-	 * strings named.core | grep "named version:"
-	 */
-#ifdef __DATE__
-	strncat(version, "named version: BIND " VERSION " (" __DATE__ ")", 
-		sizeof(version));
-#else
-	strncat(version, "named version: BIND " VERSION, sizeof(version));
-#endif
-	version[sizeof(version) - 1] = '\0';
 	result = isc_file_progname(*argv, program_name, sizeof(program_name));
 	if (result != ISC_R_SUCCESS)
 		ns_main_earlyfatal("program name too long");
@@ -690,9 +697,9 @@ main(int argc, char *argv[]) {
 
 	ns_os_init(program_name);
 
-	result = isc_mem_create(0, 0, &ns_g_mctx);
+	result = isc_app_start();
 	if (result != ISC_R_SUCCESS)
-		ns_main_earlyfatal("isc_mem_create() failed: %s",
+		ns_main_earlyfatal("isc_app_start() failed: %s",
 				   isc_result_totext(result));
 
 	dns_result_register();
@@ -701,6 +708,23 @@ main(int argc, char *argv[]) {
 
 	parse_command_line(argc, argv);
 
+	/*
+	 * Warn about common configuration error.
+	 */
+	if (ns_g_chrootdir != NULL) {
+		int len = strlen(ns_g_chrootdir);
+		if (strncmp(ns_g_chrootdir, ns_g_conffile, len) == 0 &&
+		    (ns_g_conffile[len] == '/' || ns_g_conffile[len] == '\\'))
+			ns_main_earlywarning("config filename (-c %s) contains "
+					     "chroot path (-t %s)",
+					     ns_g_conffile, ns_g_chrootdir);
+	}
+
+	result = isc_mem_create(0, 0, &ns_g_mctx);
+	if (result != ISC_R_SUCCESS)
+		ns_main_earlyfatal("isc_mem_create() failed: %s",
+				   isc_result_totext(result));
+
 	setup();
 
 	/*
@@ -729,8 +753,19 @@ main(int argc, char *argv[]) {
 		isc_mem_stats(ns_g_mctx, stdout);
 		isc_mutex_stats(stdout);
 	}
+	if (memstats != NULL) {
+		FILE *fp = NULL;
+		result = isc_stdio_open(memstats, "w", &fp);
+		if (result == ISC_R_SUCCESS) {
+			isc_mem_stats(ns_g_mctx, fp);
+			isc_mutex_stats(fp);
+			isc_stdio_close(fp);
+		}
+	}
 	isc_mem_destroy(&ns_g_mctx);
 
+	ns_main_setmemstats(NULL);
+
 	isc_app_finish();
 
 	ns_os_closedevnull();
diff --git a/bin/named/named.8 b/bin/named/named.8
index 88954a16..1fed2906 100644
--- a/bin/named/named.8
+++ b/bin/named/named.8
@@ -1,209 +1,177 @@
-.\" Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\" 
+.\" Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
+.\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
 .\" copyright notice and this permission notice appear in all copies.
-.\" 
+.\"
 .\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 .\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 .\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 .\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: named.8,v 1.17.2.12 2007/06/20 02:25:45 marka Exp $
-.\"
-.hy 0
-.ad l
-.\"     Title: named
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: June 30, 2000
-.\"    Manual: BIND9
-.\"    Source: BIND9
+.\" $Id: named.8,v 1.17.208.2 2004/03/06 07:41:39 marka Exp $
 .\"
-.TH "NAMED" "8" "June 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
+.TH "NAMED" "8" "June 30, 2000" "BIND9" ""
+.SH NAME
 named \- Internet domain name server
-.SH "SYNOPSIS"
-.HP 6
-\fBnamed\fR [\fB\-c\ \fR\fB\fIconfig\-file\fR\fR] [\fB\-d\ \fR\fB\fIdebug\-level\fR\fR] [\fB\-f\fR] [\fB\-g\fR] [\fB\-n\ \fR\fB\fI#cpus\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-s\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-u\ \fR\fB\fIuser\fR\fR] [\fB\-v\fR] [\fB\-x\ \fR\fB\fIcache\-file\fR\fR]
+.SH SYNOPSIS
+.sp
+\fBnamed\fR [ \fB-4\fR ]  [ \fB-6\fR ]  [ \fB-c \fIconfig-file\fB\fR ]  [ \fB-d \fIdebug-level\fB\fR ]  [ \fB-f\fR ]  [ \fB-g\fR ]  [ \fB-n \fI#cpus\fB\fR ]  [ \fB-p \fIport\fB\fR ]  [ \fB-s\fR ]  [ \fB-t \fIdirectory\fB\fR ]  [ \fB-u \fIuser\fB\fR ]  [ \fB-v\fR ]  [ \fB-x \fIcache-file\fB\fR ] 
 .SH "DESCRIPTION"
 .PP
-\fBnamed\fR
-is a Domain Name System (DNS) server, part of the BIND 9 distribution from ISC. For more information on the DNS, see RFCs 1033, 1034, and 1035.
+\fBnamed\fR is a Domain Name System (DNS) server,
+part of the BIND 9 distribution from ISC. For more
+information on the DNS, see RFCs 1033, 1034, and 1035.
 .PP
-When invoked without arguments,
-\fBnamed\fR
-will read the default configuration file
-\fI/etc/named.conf\fR, read any initial data, and listen for queries.
+When invoked without arguments, \fBnamed\fR will
+read the default configuration file
+\fI/etc/named.conf\fR, read any initial
+data, and listen for queries.
 .SH "OPTIONS"
-.PP
-\-c \fIconfig\-file\fR
-.RS 4
-Use
-\fIconfig\-file\fR
-as the configuration file instead of the default,
-\fI/etc/named.conf\fR. To ensure that reloading the configuration file continues to work after the server has changed its working directory due to to a possible
-\fBdirectory\fR
-option in the configuration file,
-\fIconfig\-file\fR
-should be an absolute pathname.
-.RE
-.PP
-\-d \fIdebug\-level\fR
-.RS 4
-Set the daemon's debug level to
-\fIdebug\-level\fR. Debugging traces from
-\fBnamed\fR
-become more verbose as the debug level increases.
-.RE
-.PP
-\-f
-.RS 4
+.TP
+\fB-4\fR
+Use IPv4 only even if the host machine is capable of IPv6.
+\fB-4\fR and \fB-6\fR are mutually
+exclusive.
+.TP
+\fB-6\fR
+Use IPv6 only even if the host machine is capable of IPv4.
+\fB-4\fR and \fB-6\fR are mutually
+exclusive.
+.TP
+\fB-c \fIconfig-file\fB\fR
+Use \fIconfig-file\fR as the
+configuration file instead of the default,
+\fI/etc/named.conf\fR. To
+ensure that reloading the configuration file continues
+to work after the server has changed its working
+directory due to to a possible
+\fBdirectory\fR option in the configuration
+file, \fIconfig-file\fR should be
+an absolute pathname.
+.TP
+\fB-d \fIdebug-level\fB\fR
+Set the daemon's debug level to \fIdebug-level\fR.
+Debugging traces from \fBnamed\fR become
+more verbose as the debug level increases.
+.TP
+\fB-f\fR
 Run the server in the foreground (i.e. do not daemonize).
-.RE
-.PP
-\-g
-.RS 4
-Run the server in the foreground and force all logging to
-\fIstderr\fR.
-.RE
-.PP
-\-n \fI#cpus\fR
-.RS 4
-Create
-\fI#cpus\fR
-worker threads to take advantage of multiple CPUs. If not specified,
-\fBnamed\fR
-will try to determine the number of CPUs present and create one thread per CPU. If it is unable to determine the number of CPUs, a single worker thread will be created.
-.RE
-.PP
-\-p \fIport\fR
-.RS 4
-Listen for queries on port
-\fIport\fR. If not specified, the default is port 53.
-.RE
-.PP
-\-s
-.RS 4
-Write memory usage statistics to
-\fIstdout\fR
-on exit.
+.TP
+\fB-g\fR
+Run the server in the foreground and force all logging
+to \fIstderr\fR.
+.TP
+\fB-n \fI#cpus\fB\fR
+Create \fI#cpus\fR worker threads
+to take advantage of multiple CPUs. If not specified,
+\fBnamed\fR will try to determine the
+number of CPUs present and create one thread per CPU.
+If it is unable to determine the number of CPUs, a
+single worker thread will be created.
+.TP
+\fB-p \fIport\fB\fR
+Listen for queries on port \fIport\fR. If not
+specified, the default is port 53.
+.TP
+\fB-s\fR
+Write memory usage statistics to \fIstdout\fR on exit.
+.sp
 .RS
 .B "Note:"
-This option is mainly of interest to BIND 9 developers and may be removed or changed in a future release.
-.RE
-.RE
-.PP
-\-t \fIdirectory\fR
-.RS 4
-\fBChroot\fR
-to
-\fIdirectory\fR
-after processing the command line arguments, but before reading the configuration file.
+This option is mainly of interest to BIND 9 developers
+and may be removed or changed in a future release.
+.RE
+.sp
+.TP
+\fB-t \fIdirectory\fB\fR
+\fBchroot()\fR to \fIdirectory\fR after
+processing the command line arguments, but before
+reading the configuration file.
+.sp
 .RS
 .B "Warning:"
 This option should be used in conjunction with the
-\fB\-u\fR
-option, as chrooting a process running as root doesn't enhance security on most systems; the way
-\fBchroot(2)\fR
-is defined allows a process with root privileges to escape a chroot jail.
-.RE
-.RE
-.PP
-\-u \fIuser\fR
-.RS 4
-\fBSetuid\fR
-to
-\fIuser\fR
-after completing privileged operations, such as creating sockets that listen on privileged ports.
+\fB-u\fR option, as chrooting a process
+running as root doesn't enhance security on most
+systems; the way \fBchroot()\fR is
+defined allows a process with root privileges to
+escape a chroot jail.
+.RE
+.sp
+.TP
+\fB-u \fIuser\fB\fR
+\fBsetuid()\fR to \fIuser\fR after completing
+privileged operations, such as creating sockets that
+listen on privileged ports.
+.sp
 .RS
 .B "Note:"
-On Linux,
-\fBnamed\fR
-uses the kernel's capability mechanism to drop all root privileges except the ability to
-\fBbind(2)\fR
-to a privileged port and set process resource limits. Unfortunately, this means that the
-\fB\-u\fR
-option only works when
-\fBnamed\fR
-is run on kernel 2.2.18 or later, or kernel 2.3.99\-pre3 or later, since previous kernels did not allow privileges to be retained after
-\fBsetuid(2)\fR.
-.RE
-.RE
-.PP
-\-v
-.RS 4
+On Linux, \fBnamed\fR uses the kernel's
+capability mechanism to drop all root privileges
+except the ability to \fBbind()\fR to a
+privileged port and set process resource limits.
+Unfortunately, this means that the \fB-u\fR
+option only works when \fBnamed\fR is run
+on kernel 2.2.18 or later, or kernel 2.3.99-pre3 or
+later, since previous kernels did not allow privileges
+to be retained after \fBsetuid()\fR.
+.RE
+.sp
+.TP
+\fB-v\fR
 Report the version number and exit.
-.RE
-.PP
-\-x \fIcache\-file\fR
-.RS 4
-Load data from
-\fIcache\-file\fR
-into the cache of the default view.
+.TP
+\fB-x \fIcache-file\fB\fR
+Load data from \fIcache-file\fR into the
+cache of the default view.
+.sp
 .RS
 .B "Warning:"
-This option must not be used. It is only of interest to BIND 9 developers and may be removed or changed in a future release.
-.RE
+This option must not be used. It is only of interest
+to BIND 9 developers and may be removed or changed in a
+future release.
 .RE
+.sp
 .SH "SIGNALS"
 .PP
-In routine operation, signals should not be used to control the nameserver;
-\fBrndc\fR
-should be used instead.
-.PP
-SIGHUP
-.RS 4
+In routine operation, signals should not be used to control
+the nameserver; \fBrndc\fR should be used
+instead.
+.TP
+\fBSIGHUP\fR
 Force a reload of the server.
-.RE
-.PP
-SIGINT, SIGTERM
-.RS 4
+.TP
+\fBSIGINT, SIGTERM\fR
 Shut down the server.
-.RE
 .PP
 The result of sending any other signals to the server is undefined.
+.PP
 .SH "CONFIGURATION"
 .PP
-The
-\fBnamed\fR
-configuration file is too complex to describe in detail here. A complete description is provided in the
-BIND 9 Administrator Reference Manual.
+The \fBnamed\fR configuration file is too complex
+to describe in detail here. A complete description is
+provided in the \fIBIND 9 Administrator Reference
+Manual\fR.
 .SH "FILES"
-.PP
-\fI/etc/named.conf\fR
-.RS 4
+.TP
+\fB\fI/etc/named.conf\fB\fR
 The default configuration file.
-.RE
-.PP
-\fI/var/run/named.pid\fR
-.RS 4
-The default process\-id file.
-.RE
+.TP
+\fB\fI/var/run/named.pid\fB\fR
+The default process-id file.
 .SH "SEE ALSO"
 .PP
-RFC 1033,
-RFC 1034,
-RFC 1035,
-\fBnamed\-checkconf\fR(8),
-\fBnamed\-checkzone\fR(8),
+\fIRFC 1033\fR,
+\fIRFC 1034\fR,
+\fIRFC 1035\fR,
 \fBrndc\fR(8),
 \fBlwresd\fR(8),
-\fBnamed.conf\fR(5),
-BIND 9 Administrator Reference Manual.
+\fIBIND 9 Administrator Reference Manual\fR.
 .SH "AUTHOR"
 .PP
-Internet Systems Consortium
-.SH "COPYRIGHT"
-Copyright \(co 2004\-2007 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000, 2001 Internet Software Consortium.
-.br
+Internet Software Consortium
diff --git a/bin/named/named.conf.5 b/bin/named/named.conf.5
deleted file mode 100644
index aec94a4f..00000000
--- a/bin/named/named.conf.5
+++ /dev/null
@@ -1,400 +0,0 @@
-.\" Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
-.\" 
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\" 
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id: named.conf.5,v 1.1.6.15 2007/06/20 02:25:45 marka Exp $
-.\"
-.hy 0
-.ad l
-.\"     Title: \fInamed.conf\fR
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: Aug 13, 2004
-.\"    Manual: BIND9
-.\"    Source: BIND9
-.\"
-.TH "\fINAMED.CONF\fR" "5" "Aug 13, 2004" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-named.conf \- configuration file for named
-.SH "SYNOPSIS"
-.HP 11
-\fBnamed.conf\fR
-.SH "DESCRIPTION"
-.PP
-\fInamed.conf\fR
-is the configuration file for
-\fBnamed\fR. Statements are enclosed in braces and terminated with a semi\-colon. Clauses in the statements are also semi\-colon terminated. The usual comment styles are supported:
-.PP
-C style: /* */
-.PP
-C++ style: // to end of line
-.PP
-Unix style: # to end of line
-.SH "ACL"
-.sp
-.RS 4
-.nf
-acl \fIstring\fR { \fIaddress_match_element\fR; ... };
-.fi
-.RE
-.SH "KEY"
-.sp
-.RS 4
-.nf
-key \fIdomain_name\fR {
-	algorithm \fIstring\fR;
-	secret \fIstring\fR;
-};
-.fi
-.RE
-.SH "SERVER"
-.sp
-.RS 4
-.nf
-server ( \fIipv4_address\fR | \fIipv6_address\fR ) {
-	bogus \fIboolean\fR;
-	edns \fIboolean\fR;
-	provide\-ixfr \fIboolean\fR;
-	request\-ixfr \fIboolean\fR;
-	keys \fIserver_key\fR;
-	transfers \fIinteger\fR;
-	transfer\-format ( many\-answers | one\-answer );
-	transfer\-source ( \fIipv4_address\fR | * )
-		[ port ( \fIinteger\fR | * ) ];
-	transfer\-source\-v6 ( \fIipv6_address\fR | * )
-		[ port ( \fIinteger\fR | * ) ];
-	support\-ixfr \fIboolean\fR; // obsolete
-};
-.fi
-.RE
-.SH "TRUSTED\-KEYS"
-.sp
-.RS 4
-.nf
-trusted\-keys {
-	\fIdomain_name\fR \fIflags\fR \fIprotocol\fR \fIalgorithm\fR \fIkey\fR; ... 
-};
-.fi
-.RE
-.SH "CONTROLS"
-.sp
-.RS 4
-.nf
-controls {
-	inet ( \fIipv4_address\fR | \fIipv6_address\fR | * )
-		[ port ( \fIinteger\fR | * ) ]
-		allow { \fIaddress_match_element\fR; ... }
-		[ keys { \fIstring\fR; ... } ];
-	unix \fIunsupported\fR; // not implemented
-};
-.fi
-.RE
-.SH "LOGGING"
-.sp
-.RS 4
-.nf
-logging {
-	channel \fIstring\fR {
-		file \fIlog_file\fR;
-		syslog \fIoptional_facility\fR;
-		null;
-		stderr;
-		severity \fIlog_severity\fR;
-		print\-time \fIboolean\fR;
-		print\-severity \fIboolean\fR;
-		print\-category \fIboolean\fR;
-	};
-	category \fIstring\fR { \fIstring\fR; ... };
-};
-.fi
-.RE
-.SH "LWRES"
-.sp
-.RS 4
-.nf
-lwres {
-	listen\-on [ port \fIinteger\fR ] {
-		( \fIipv4_address\fR | \fIipv6_address\fR ) [ port \fIinteger\fR ]; ...
-	};
-	view \fIstring\fR \fIoptional_class\fR;
-	search { \fIstring\fR; ... };
-	ndots \fIinteger\fR;
-};
-.fi
-.RE
-.SH "OPTIONS"
-.sp
-.RS 4
-.nf
-options {
-	blackhole { \fIaddress_match_element\fR; ... };
-	coresize \fIsize\fR;
-	datasize \fIsize\fR;
-	directory \fIquoted_string\fR;
-	cache\-file \fIquoted_string\fR; // test option
-	dump\-file \fIquoted_string\fR;
-	files \fIsize\fR;
-	heartbeat\-interval \fIinteger\fR;
-	host\-statistics \fIboolean\fR; // not implemented
-	host\-statistics\-max \fInumber\fR; // not implemented
-	interface\-interval \fIinteger\fR;
-	listen\-on [ port \fIinteger\fR ] { \fIaddress_match_element\fR; ... };
-	listen\-on\-v6 [ port \fIinteger\fR ] { \fIaddress_match_element\fR; ... };
-	match\-mapped\-addresses \fIboolean\fR;
-	memstatistics\-file \fIquoted_string\fR; // not implemented
-	pid\-file \fIquoted_string\fR;
-	port \fIinteger\fR;
-	random\-device \fIquoted_string\fR;
-	recursive\-clients \fIinteger\fR;
-	serial\-query\-rate \fIinteger\fR;
-	stacksize \fIsize\fR;
-	statistics\-file \fIquoted_string\fR;
-	statistics\-interval \fIinteger\fR; // not yet implemented
-	tcp\-clients \fIinteger\fR;
-	tkey\-dhkey \fIquoted_string\fR \fIinteger\fR;
-	tkey\-gssapi\-credential \fIquoted_string\fR;
-	tkey\-domain \fIquoted_string\fR;
-	transfers\-per\-ns \fIinteger\fR;
-	transfers\-in \fIinteger\fR;
-	transfers\-out \fIinteger\fR;
-	use\-ixfr \fIboolean\fR;
-	version \fIquoted_string\fR;
-	allow\-recursion { \fIaddress_match_element\fR; ... };
-	sortlist { \fIaddress_match_element\fR; ... };
-	topology { \fIaddress_match_element\fR; ... }; // not implemented
-	auth\-nxdomain \fIboolean\fR; // default changed
-	minimal\-responses \fIboolean\fR;
-	recursion \fIboolean\fR;
-	rrset\-order {
-		[ class \fIstring\fR ] [ type \fIstring\fR ]
-		[ name \fIquoted_string\fR ] \fIstring\fR \fIstring\fR; ...
-	}; // not implemented
-	provide\-ixfr \fIboolean\fR;
-	request\-ixfr \fIboolean\fR;
-	rfc2308\-type1 \fIboolean\fR; // not yet implemented
-	additional\-from\-auth \fIboolean\fR;
-	additional\-from\-cache \fIboolean\fR;
-	query\-source [ address ( \fIipv4_address\fR | * ) ] [ port ( \fIinteger\fR | * ) ];
-	query\-source\-v6 [ address ( \fIipv6_address\fR | * ) ] [ port ( \fIinteger\fR | * ) ];
-	cleaning\-interval \fIinteger\fR;
-	min\-roots \fIinteger\fR; // not implemented
-	lame\-ttl \fIinteger\fR;
-	max\-ncache\-ttl \fIinteger\fR;
-	max\-cache\-ttl \fIinteger\fR;
-	transfer\-format ( many\-answers | one\-answer );
-	max\-cache\-size \fIsize_no_default\fR;
-	check\-names ( master | slave | response )
-		( fail | warn | ignore ); // not implemented
-	cache\-file \fIquoted_string\fR;
-	root\-delegation\-only [ exclude { \fIquoted_string\fR; ... } ];
-	dialup \fIdialuptype\fR;
-	allow\-query { \fIaddress_match_element\fR; ... };
-	allow\-transfer { \fIaddress_match_element\fR; ... };
-	allow\-update\-forwarding { \fIaddress_match_element\fR; ... };
-	notify \fInotifytype\fR;
-	notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
-	notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
-	also\-notify [ port \fIinteger\fR ] { ( \fIipv4_address\fR | \fIipv6_address\fR )
-		[ port \fIinteger\fR ]; ... };
-	allow\-notify { \fIaddress_match_element\fR; ... };
-	forward ( first | only );
-	forwarders [ port \fIinteger\fR ] {
-		( \fIipv4_address\fR | \fIipv6_address\fR ) [ port \fIinteger\fR ]; ...
-	};
-	max\-transfer\-time\-in \fIinteger\fR;
-	max\-transfer\-time\-out \fIinteger\fR;
-	max\-transfer\-idle\-in \fIinteger\fR;
-	max\-transfer\-idle\-out \fIinteger\fR;
-	max\-retry\-time \fIinteger\fR;
-	min\-retry\-time \fIinteger\fR;
-	max\-refresh\-time \fIinteger\fR;
-	min\-refresh\-time \fIinteger\fR;
-	sig\-validity\-interval \fIinteger\fR;
-	transfer\-source ( \fIipv4_address\fR | * )
-		[ port ( \fIinteger\fR | * ) ];
-	transfer\-source\-v6 ( \fIipv6_address\fR | * )
-		[ port ( \fIinteger\fR | * ) ];
-	zone\-statistics \fIboolean\fR;
-	allow\-v6\-synthesis { \fIaddress_match_element\fR; ... };
-	deallocate\-on\-exit \fIboolean\fR; // obsolete
-	fake\-iquery \fIboolean\fR; // obsolete
-	fetch\-glue \fIboolean\fR; // obsolete
-	has\-old\-clients \fIboolean\fR; // obsolete
-	maintain\-ixfr\-base \fIboolean\fR; // obsolete
-	max\-ixfr\-log\-size \fIsize\fR; // obsolete
-	multiple\-cnames \fIboolean\fR; // obsolete
-	named\-xfer \fIquoted_string\fR; // obsolete
-	serial\-queries \fIinteger\fR; // obsolete
-	treat\-cr\-as\-space \fIboolean\fR; // obsolete
-	use\-id\-pool \fIboolean\fR; // obsolete
-};
-.fi
-.RE
-.SH "VIEW"
-.sp
-.RS 4
-.nf
-view \fIstring\fR \fIoptional_class\fR {
-	match\-clients { \fIaddress_match_element\fR; ... };
-	match\-destinations { \fIaddress_match_element\fR; ... };
-	match\-recursive\-only \fIboolean\fR;
-	key \fIstring\fR {
-		algorithm \fIstring\fR;
-		secret \fIstring\fR;
-	};
-	zone \fIstring\fR \fIoptional_class\fR {
-		...
-	};
-	server ( \fIipv4_address\fR | \fIipv6_address\fR ) {
-		...
-	};
-	trusted\-keys {
-		\fIstring\fR \fIinteger\fR \fIinteger\fR \fIinteger\fR \fIquoted_string\fR; ...
-	};
-	allow\-recursion { \fIaddress_match_element\fR; ... };
-	sortlist { \fIaddress_match_element\fR; ... };
-	topology { \fIaddress_match_element\fR; ... }; // not implemented
-	auth\-nxdomain \fIboolean\fR; // default changed
-	minimal\-responses \fIboolean\fR;
-	recursion \fIboolean\fR;
-	rrset\-order {
-		[ class \fIstring\fR ] [ type \fIstring\fR ]
-		[ name \fIquoted_string\fR ] \fIstring\fR \fIstring\fR; ...
-	}; // not implemented
-	provide\-ixfr \fIboolean\fR;
-	request\-ixfr \fIboolean\fR;
-	rfc2308\-type1 \fIboolean\fR; // not yet implemented
-	additional\-from\-auth \fIboolean\fR;
-	additional\-from\-cache \fIboolean\fR;
-	query\-source [ address ( \fIipv4_address\fR | * ) ] [ port ( \fIinteger\fR | * ) ];
-	query\-source\-v6 [ address ( \fIipv6_address\fR | * ) ] [ port ( \fIinteger\fR | * ) ];
-	cleaning\-interval \fIinteger\fR;
-	min\-roots \fIinteger\fR; // not implemented
-	lame\-ttl \fIinteger\fR;
-	max\-ncache\-ttl \fIinteger\fR;
-	max\-cache\-ttl \fIinteger\fR;
-	transfer\-format ( many\-answers | one\-answer );
-	max\-cache\-size \fIsize_no_default\fR;
-	check\-names ( master | slave | response )
-		( fail | warn | ignore );
-	cache\-file \fIquoted_string\fR;
-	suppress\-initial\-notify \fIboolean\fR; // not yet implemented
-	root\-delegation\-only [ exclude { \fIquoted_string\fR; ... } ];
-	dialup \fIdialuptype\fR;
-	allow\-query { \fIaddress_match_element\fR; ... };
-	allow\-transfer { \fIaddress_match_element\fR; ... };
-	allow\-update\-forwarding { \fIaddress_match_element\fR; ... };
-	notify \fInotifytype\fR;
-	notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
-	notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
-	also\-notify [ port \fIinteger\fR ] { ( \fIipv4_address\fR | \fIipv6_address\fR )
-		[ port \fIinteger\fR ]; ... };
-	allow\-notify { \fIaddress_match_element\fR; ... };
-	forward ( first | only );
-	forwarders [ port \fIinteger\fR ] {
-		( \fIipv4_address\fR | \fIipv6_address\fR ) [ port \fIinteger\fR ]; ...
-	};
-	max\-transfer\-time\-in \fIinteger\fR;
-	max\-transfer\-time\-out \fIinteger\fR;
-	max\-transfer\-idle\-in \fIinteger\fR;
-	max\-transfer\-idle\-out \fIinteger\fR;
-	max\-retry\-time \fIinteger\fR;
-	min\-retry\-time \fIinteger\fR;
-	max\-refresh\-time \fIinteger\fR;
-	min\-refresh\-time \fIinteger\fR;
-	sig\-validity\-interval \fIinteger\fR;
-	transfer\-source ( \fIipv4_address\fR | * )
-		[ port ( \fIinteger\fR | * ) ];
-	transfer\-source\-v6 ( \fIipv6_address\fR | * )
-		[ port ( \fIinteger\fR | * ) ];
-	zone\-statistics \fIboolean\fR;
-	allow\-v6\-synthesis { \fIaddress_match_element\fR; ... }; // obsolete
-	fetch\-glue \fIboolean\fR; // obsolete
-	maintain\-ixfr\-base \fIboolean\fR; // obsolete
-	max\-ixfr\-log\-size \fIsize\fR; // obsolete
-};
-.fi
-.RE
-.SH "ZONE"
-.sp
-.RS 4
-.nf
-zone \fIstring\fR \fIoptional_class\fR {
-	type ( master | slave | stub | hint |
-		forward | delegation\-only );
-	file \fIquoted_string\fR;
-	masters [ port \fIinteger\fR ] {
-		( \fIipv4_address\fR [port \fIinteger\fR] |
-		\fIipv6_address\fR [ port \fIinteger\fR ] ) [ key \fIstring\fR ]; ...
-	};
-	database \fIstring\fR;
-	delegation\-only \fIboolean\fR;
-	check\-names ( fail | warn | ignore );
-	dialup \fIdialuptype\fR;
-	allow\-query { \fIaddress_match_element\fR; ... };
-	allow\-transfer { \fIaddress_match_element\fR; ... };
-	allow\-update { \fIaddress_match_element\fR; ... };
-	allow\-update\-forwarding { \fIaddress_match_element\fR; ... };
-	update\-policy {
-		( grant | deny ) \fIstring\fR
-		( name | subdomain | wildcard | self ) \fIstring\fR
-		\fIrrtypelist\fR; ...
-	};
-	notify \fInotifytype\fR;
-	notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
-	notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
-	also\-notify [ port \fIinteger\fR ] { ( \fIipv4_address\fR | \fIipv6_address\fR )
-		[ port \fIinteger\fR ]; ... };
-	allow\-notify { \fIaddress_match_element\fR; ... };
-	forward ( first | only );
-	forwarders [ port \fIinteger\fR ] {
-		( \fIipv4_address\fR | \fIipv6_address\fR ) [ port \fIinteger\fR ]; ...
-	};
-	max\-transfer\-time\-in \fIinteger\fR;
-	max\-transfer\-time\-out \fIinteger\fR;
-	max\-transfer\-idle\-in \fIinteger\fR;
-	max\-transfer\-idle\-out \fIinteger\fR;
-	max\-retry\-time \fIinteger\fR;
-	min\-retry\-time \fIinteger\fR;
-	max\-refresh\-time \fIinteger\fR;
-	min\-refresh\-time \fIinteger\fR;
-	sig\-validity\-interval \fIinteger\fR;
-	transfer\-source ( \fIipv4_address\fR | * )
-		[ port ( \fIinteger\fR | * ) ];
-	transfer\-source\-v6 ( \fIipv6_address\fR | * )
-		[ port ( \fIinteger\fR | * ) ];
-	zone\-statistics \fIboolean\fR;
-	ixfr\-base \fIquoted_string\fR; // obsolete
-	ixfr\-tmp\-file \fIquoted_string\fR; // obsolete
-	maintain\-ixfr\-base \fIboolean\fR; // obsolete
-	max\-ixfr\-log\-size \fIsize\fR; // obsolete
-	pubkey \fIinteger\fR \fIinteger\fR \fIinteger\fR \fIquoted_string\fR; // obsolete
-};
-.fi
-.RE
-.SH "FILES"
-.PP
-\fI/etc/named.conf\fR
-.SH "SEE ALSO"
-.PP
-\fBnamed\fR(8),
-\fBnamed\-checkconf\fR(8),
-\fBrndc\fR(8),
-BIND 9 Administrator Reference Manual
-.SH "COPYRIGHT"
-Copyright \(co 2004\-2007 Internet Systems Consortium, Inc. ("ISC")
-.br
diff --git a/bin/named/named.conf.docbook b/bin/named/named.conf.docbook
deleted file mode 100644
index 1bc8a4d0..00000000
--- a/bin/named/named.conf.docbook
+++ /dev/null
@@ -1,476 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: named.conf.docbook,v 1.1.6.12 2007/06/19 07:52:23 marka Exp $ -->
-
-<refentry>
-  <refentryinfo>
-    <date>Aug 13, 2004</date>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle><filename>named.conf</filename></refentrytitle>
-    <manvolnum>5</manvolnum>
-    <refmiscinfo>BIND9</refmiscinfo>
-  </refmeta>
-
-  <docinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2006</year>
-      <year>2007</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-  </docinfo>
-
-  <refnamediv>
-    <refname><filename>named.conf</filename></refname>
-    <refpurpose>configuration file for named</refpurpose>
-  </refnamediv>
-
-  <refsynopsisdiv>
-    <cmdsynopsis>
-      <command>named.conf</command>
-    </cmdsynopsis>
-  </refsynopsisdiv>
-
-  <refsect1>
-    <title>DESCRIPTION</title>
-    <para>
-	<filename>named.conf</filename> is the configuration file for
-	<command>named</command>.  Statements are enclosed
-	in braces and terminated with a semi-colon.  Clauses in
-	the statements are also semi-colon terminated.  The usual
-	comment styles are supported:
-    </para>
-    <para>
-	C style: /* */
-    </para>
-    <para>
-	C++ style: // to end of line
-    </para>
-    <para>
-	Unix style: # to end of line
-    </para>
-  </refsect1>
-
-<refsect1>
-<title>ACL</title>
-<literallayout>
-acl <replaceable>string</replaceable> { <replaceable>address_match_element</replaceable>; ... };
-
-</literallayout>
-</refsect1>
-
-<refsect1>
-<title>KEY</title>
-<literallayout>
-key <replaceable>domain_name</replaceable> {
-	algorithm <replaceable>string</replaceable>;
-	secret <replaceable>string</replaceable>;
-};
-</literallayout>
-</refsect1>
-
-<refsect1>
-<title>SERVER</title>
-<literallayout>
-server ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) {
-	bogus <replaceable>boolean</replaceable>;
-	edns <replaceable>boolean</replaceable>;
-	provide-ixfr <replaceable>boolean</replaceable>;
-	request-ixfr <replaceable>boolean</replaceable>;
-	keys <replaceable>server_key</replaceable>;
-	transfers <replaceable>integer</replaceable>;
-	transfer-format ( many-answers | one-answer );
-	transfer-source ( <replaceable>ipv4_address</replaceable> | * )
-		<optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
-	transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * )
-		<optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
-
-	support-ixfr <replaceable>boolean</replaceable>; // obsolete
-};
-</literallayout>
-</refsect1>
-
-<refsect1>
-<title>TRUSTED-KEYS</title>
-<literallayout>
-trusted-keys {
-	<replaceable>domain_name</replaceable> <replaceable>flags</replaceable> <replaceable>protocol</replaceable> <replaceable>algorithm</replaceable> <replaceable>key</replaceable>; ... 
-};
-</literallayout>
-</refsect1>
-
-<refsect1>
-<title>CONTROLS</title>
-<literallayout>
-controls {
-	inet ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> | * )
-		<optional> port ( <replaceable>integer</replaceable> | * ) </optional>
-		allow { <replaceable>address_match_element</replaceable>; ... }
-		<optional> keys { <replaceable>string</replaceable>; ... } </optional>;
-	unix <replaceable>unsupported</replaceable>; // not implemented
-};
-</literallayout>
-</refsect1>
-
-<refsect1>
-<title>LOGGING</title>
-<literallayout>
-logging {
-	channel <replaceable>string</replaceable> {
-		file <replaceable>log_file</replaceable>;
-		syslog <replaceable>optional_facility</replaceable>;
-		null;
-		stderr;
-		severity <replaceable>log_severity</replaceable>;
-		print-time <replaceable>boolean</replaceable>;
-		print-severity <replaceable>boolean</replaceable>;
-		print-category <replaceable>boolean</replaceable>;
-	};
-	category <replaceable>string</replaceable> { <replaceable>string</replaceable>; ... };
-};
-</literallayout>
-</refsect1>
-
-<refsect1>
-<title>LWRES</title>
-<literallayout>
-lwres {
-	listen-on <optional> port <replaceable>integer</replaceable> </optional> {
-		( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) <optional> port <replaceable>integer</replaceable> </optional>; ...
-	};
-	view <replaceable>string</replaceable> <replaceable>optional_class</replaceable>;
-	search { <replaceable>string</replaceable>; ... };
-	ndots <replaceable>integer</replaceable>;
-};
-</literallayout>
-</refsect1>
-
-<refsect1>
-<title>OPTIONS</title>
-<literallayout>
-options {
-	blackhole { <replaceable>address_match_element</replaceable>; ... };
-	coresize <replaceable>size</replaceable>;
-	datasize <replaceable>size</replaceable>;
-	directory <replaceable>quoted_string</replaceable>;
-	cache-file <replaceable>quoted_string</replaceable>; // test option
-	dump-file <replaceable>quoted_string</replaceable>;
-	files <replaceable>size</replaceable>;
-	heartbeat-interval <replaceable>integer</replaceable>;
-	host-statistics <replaceable>boolean</replaceable>; // not implemented
-	host-statistics-max <replaceable>number</replaceable>; // not implemented
-	interface-interval <replaceable>integer</replaceable>;
-	listen-on <optional> port <replaceable>integer</replaceable> </optional> { <replaceable>address_match_element</replaceable>; ... };
-	listen-on-v6 <optional> port <replaceable>integer</replaceable> </optional> { <replaceable>address_match_element</replaceable>; ... };
-	match-mapped-addresses <replaceable>boolean</replaceable>;
-	memstatistics-file <replaceable>quoted_string</replaceable>; // not implemented
-	pid-file <replaceable>quoted_string</replaceable>;
-	port <replaceable>integer</replaceable>;
-	random-device <replaceable>quoted_string</replaceable>;
-	recursive-clients <replaceable>integer</replaceable>;
-	serial-query-rate <replaceable>integer</replaceable>;
-	stacksize <replaceable>size</replaceable>;
-	statistics-file <replaceable>quoted_string</replaceable>;
-	statistics-interval <replaceable>integer</replaceable>; // not yet implemented
-	tcp-clients <replaceable>integer</replaceable>;
-	tkey-dhkey <replaceable>quoted_string</replaceable> <replaceable>integer</replaceable>;
-	tkey-gssapi-credential <replaceable>quoted_string</replaceable>;
-	tkey-domain <replaceable>quoted_string</replaceable>;
-	transfers-per-ns <replaceable>integer</replaceable>;
-	transfers-in <replaceable>integer</replaceable>;
-	transfers-out <replaceable>integer</replaceable>;
-	use-ixfr <replaceable>boolean</replaceable>;
-	version <replaceable>quoted_string</replaceable>;
-	allow-recursion { <replaceable>address_match_element</replaceable>; ... };
-	sortlist { <replaceable>address_match_element</replaceable>; ... };
-	topology { <replaceable>address_match_element</replaceable>; ... }; // not implemented
-	auth-nxdomain <replaceable>boolean</replaceable>; // default changed
-	minimal-responses <replaceable>boolean</replaceable>;
-	recursion <replaceable>boolean</replaceable>;
-	rrset-order {
-		<optional> class <replaceable>string</replaceable> </optional> <optional> type <replaceable>string</replaceable> </optional>
-		<optional> name <replaceable>quoted_string</replaceable> </optional> <replaceable>string</replaceable> <replaceable>string</replaceable>; ...
-	}; // not implemented
-	provide-ixfr <replaceable>boolean</replaceable>;
-	request-ixfr <replaceable>boolean</replaceable>;
-	rfc2308-type1 <replaceable>boolean</replaceable>; // not yet implemented
-	additional-from-auth <replaceable>boolean</replaceable>;
-	additional-from-cache <replaceable>boolean</replaceable>;
-	query-source <optional> address ( <replaceable>ipv4_address</replaceable> | * ) </optional> <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
-	query-source-v6 <optional> address ( <replaceable>ipv6_address</replaceable> | * ) </optional> <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
-	cleaning-interval <replaceable>integer</replaceable>;
-	min-roots <replaceable>integer</replaceable>; // not implemented
-	lame-ttl <replaceable>integer</replaceable>;
-	max-ncache-ttl <replaceable>integer</replaceable>;
-	max-cache-ttl <replaceable>integer</replaceable>;
-	transfer-format ( many-answers | one-answer );
-	max-cache-size <replaceable>size_no_default</replaceable>;
-	check-names ( master | slave | response )
-		( fail | warn | ignore ); // not implemented
-	cache-file <replaceable>quoted_string</replaceable>;
-	root-delegation-only <optional> exclude { <replaceable>quoted_string</replaceable>; ... } </optional>;
-
-	dialup <replaceable>dialuptype</replaceable>;
-
-	allow-query { <replaceable>address_match_element</replaceable>; ... };
-	allow-transfer { <replaceable>address_match_element</replaceable>; ... };
-	allow-update-forwarding { <replaceable>address_match_element</replaceable>; ... };
-
-	notify <replaceable>notifytype</replaceable>;
-	notify-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
-	notify-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
-	also-notify <optional> port <replaceable>integer</replaceable> </optional> { ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> )
-		<optional> port <replaceable>integer</replaceable> </optional>; ... };
-	allow-notify { <replaceable>address_match_element</replaceable>; ... };
-
-	forward ( first | only );
-	forwarders <optional> port <replaceable>integer</replaceable> </optional> {
-		( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) <optional> port <replaceable>integer</replaceable> </optional>; ...
-	};
-
-	max-transfer-time-in <replaceable>integer</replaceable>;
-	max-transfer-time-out <replaceable>integer</replaceable>;
-	max-transfer-idle-in <replaceable>integer</replaceable>;
-	max-transfer-idle-out <replaceable>integer</replaceable>;
-	max-retry-time <replaceable>integer</replaceable>;
-	min-retry-time <replaceable>integer</replaceable>;
-	max-refresh-time <replaceable>integer</replaceable>;
-	min-refresh-time <replaceable>integer</replaceable>;
-	sig-validity-interval <replaceable>integer</replaceable>;
-
-	transfer-source ( <replaceable>ipv4_address</replaceable> | * )
-		<optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
-	transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * )
-		<optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
-
-	zone-statistics <replaceable>boolean</replaceable>;
-
-	allow-v6-synthesis { <replaceable>address_match_element</replaceable>; ... };
-	deallocate-on-exit <replaceable>boolean</replaceable>; // obsolete
-	fake-iquery <replaceable>boolean</replaceable>; // obsolete
-	fetch-glue <replaceable>boolean</replaceable>; // obsolete
-	has-old-clients <replaceable>boolean</replaceable>; // obsolete
-	maintain-ixfr-base <replaceable>boolean</replaceable>; // obsolete
-	max-ixfr-log-size <replaceable>size</replaceable>; // obsolete
-	multiple-cnames <replaceable>boolean</replaceable>; // obsolete
-	named-xfer <replaceable>quoted_string</replaceable>; // obsolete
-	serial-queries <replaceable>integer</replaceable>; // obsolete
-	treat-cr-as-space <replaceable>boolean</replaceable>; // obsolete
-	use-id-pool <replaceable>boolean</replaceable>; // obsolete
-};
-</literallayout>
-</refsect1>
-
-<refsect1>
-<title>VIEW</title>
-<literallayout>
-view <replaceable>string</replaceable> <replaceable>optional_class</replaceable> {
-	match-clients { <replaceable>address_match_element</replaceable>; ... };
-	match-destinations { <replaceable>address_match_element</replaceable>; ... };
-	match-recursive-only <replaceable>boolean</replaceable>;
-
-	key <replaceable>string</replaceable> {
-		algorithm <replaceable>string</replaceable>;
-		secret <replaceable>string</replaceable>;
-	};
-
-	zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable> {
-		...
-	};
-
-	server ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) {
-		...
-	};
-
-	trusted-keys {
-		<replaceable>string</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>; ...
-	};
-
-	allow-recursion { <replaceable>address_match_element</replaceable>; ... };
-	sortlist { <replaceable>address_match_element</replaceable>; ... };
-	topology { <replaceable>address_match_element</replaceable>; ... }; // not implemented
-	auth-nxdomain <replaceable>boolean</replaceable>; // default changed
-	minimal-responses <replaceable>boolean</replaceable>;
-	recursion <replaceable>boolean</replaceable>;
-	rrset-order {
-		<optional> class <replaceable>string</replaceable> </optional> <optional> type <replaceable>string</replaceable> </optional>
-		<optional> name <replaceable>quoted_string</replaceable> </optional> <replaceable>string</replaceable> <replaceable>string</replaceable>; ...
-	}; // not implemented
-	provide-ixfr <replaceable>boolean</replaceable>;
-	request-ixfr <replaceable>boolean</replaceable>;
-	rfc2308-type1 <replaceable>boolean</replaceable>; // not yet implemented
-	additional-from-auth <replaceable>boolean</replaceable>;
-	additional-from-cache <replaceable>boolean</replaceable>;
-	query-source <optional> address ( <replaceable>ipv4_address</replaceable> | * ) </optional> <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
-	query-source-v6 <optional> address ( <replaceable>ipv6_address</replaceable> | * ) </optional> <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
-	cleaning-interval <replaceable>integer</replaceable>;
-	min-roots <replaceable>integer</replaceable>; // not implemented
-	lame-ttl <replaceable>integer</replaceable>;
-	max-ncache-ttl <replaceable>integer</replaceable>;
-	max-cache-ttl <replaceable>integer</replaceable>;
-	transfer-format ( many-answers | one-answer );
-	max-cache-size <replaceable>size_no_default</replaceable>;
-	check-names ( master | slave | response )
-		( fail | warn | ignore );
-	cache-file <replaceable>quoted_string</replaceable>;
-	suppress-initial-notify <replaceable>boolean</replaceable>; // not yet implemented
-	root-delegation-only <optional> exclude { <replaceable>quoted_string</replaceable>; ... } </optional>;
-
-	dialup <replaceable>dialuptype</replaceable>;
-
-	allow-query { <replaceable>address_match_element</replaceable>; ... };
-	allow-transfer { <replaceable>address_match_element</replaceable>; ... };
-	allow-update-forwarding { <replaceable>address_match_element</replaceable>; ... };
-
-	notify <replaceable>notifytype</replaceable>;
-	notify-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
-	notify-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
-	also-notify <optional> port <replaceable>integer</replaceable> </optional> { ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> )
-		<optional> port <replaceable>integer</replaceable> </optional>; ... };
-	allow-notify { <replaceable>address_match_element</replaceable>; ... };
-
-	forward ( first | only );
-	forwarders <optional> port <replaceable>integer</replaceable> </optional> {
-		( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) <optional> port <replaceable>integer</replaceable> </optional>; ...
-	};
-
-	max-transfer-time-in <replaceable>integer</replaceable>;
-	max-transfer-time-out <replaceable>integer</replaceable>;
-	max-transfer-idle-in <replaceable>integer</replaceable>;
-	max-transfer-idle-out <replaceable>integer</replaceable>;
-	max-retry-time <replaceable>integer</replaceable>;
-	min-retry-time <replaceable>integer</replaceable>;
-	max-refresh-time <replaceable>integer</replaceable>;
-	min-refresh-time <replaceable>integer</replaceable>;
-	sig-validity-interval <replaceable>integer</replaceable>;
-
-	transfer-source ( <replaceable>ipv4_address</replaceable> | * )
-		<optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
-	transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * )
-		<optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
-
-	zone-statistics <replaceable>boolean</replaceable>;
-
-	allow-v6-synthesis { <replaceable>address_match_element</replaceable>; ... }; // obsolete
-	fetch-glue <replaceable>boolean</replaceable>; // obsolete
-	maintain-ixfr-base <replaceable>boolean</replaceable>; // obsolete
-	max-ixfr-log-size <replaceable>size</replaceable>; // obsolete
-};
-</literallayout>
-</refsect1>
-
-<refsect1>
-<title>ZONE</title>
-<literallayout>
-zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable> {
-	type ( master | slave | stub | hint |
-		forward | delegation-only );
-	file <replaceable>quoted_string</replaceable>;
-
-	masters <optional> port <replaceable>integer</replaceable> </optional> {
-		( <replaceable>ipv4_address</replaceable> <optional>port <replaceable>integer</replaceable></optional> |
-		<replaceable>ipv6_address</replaceable> <optional> port <replaceable>integer</replaceable> </optional> ) <optional> key <replaceable>string</replaceable> </optional>; ...
-	};
-
-	database <replaceable>string</replaceable>;
-	delegation-only <replaceable>boolean</replaceable>;
-	check-names ( fail | warn | ignore );
-	dialup <replaceable>dialuptype</replaceable>;
-
-	allow-query { <replaceable>address_match_element</replaceable>; ... };
-	allow-transfer { <replaceable>address_match_element</replaceable>; ... };
-	allow-update { <replaceable>address_match_element</replaceable>; ... };
-	allow-update-forwarding { <replaceable>address_match_element</replaceable>; ... };
-	update-policy {
-		( grant | deny ) <replaceable>string</replaceable>
-		( name | subdomain | wildcard | self ) <replaceable>string</replaceable>
-		<replaceable>rrtypelist</replaceable>; ...
-	};
-
-	notify <replaceable>notifytype</replaceable>;
-	notify-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
-	notify-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
-	also-notify <optional> port <replaceable>integer</replaceable> </optional> { ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> )
-		<optional> port <replaceable>integer</replaceable> </optional>; ... };
-	allow-notify { <replaceable>address_match_element</replaceable>; ... };
-
-	forward ( first | only );
-	forwarders <optional> port <replaceable>integer</replaceable> </optional> {
-		( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) <optional> port <replaceable>integer</replaceable> </optional>; ...
-	};
-
-	max-transfer-time-in <replaceable>integer</replaceable>;
-	max-transfer-time-out <replaceable>integer</replaceable>;
-	max-transfer-idle-in <replaceable>integer</replaceable>;
-	max-transfer-idle-out <replaceable>integer</replaceable>;
-	max-retry-time <replaceable>integer</replaceable>;
-	min-retry-time <replaceable>integer</replaceable>;
-	max-refresh-time <replaceable>integer</replaceable>;
-	min-refresh-time <replaceable>integer</replaceable>;
-	sig-validity-interval <replaceable>integer</replaceable>;
-
-	transfer-source ( <replaceable>ipv4_address</replaceable> | * )
-		<optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
-	transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * )
-		<optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
-
-	zone-statistics <replaceable>boolean</replaceable>;
-
-	ixfr-base <replaceable>quoted_string</replaceable>; // obsolete
-	ixfr-tmp-file <replaceable>quoted_string</replaceable>; // obsolete
-	maintain-ixfr-base <replaceable>boolean</replaceable>; // obsolete
-	max-ixfr-log-size <replaceable>size</replaceable>; // obsolete
-	pubkey <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>; // obsolete
-};
-</literallayout>
-</refsect1>
-
-<refsect1>
-<title>FILES</title>
-<para>
-<filename>/etc/named.conf</filename>
-</para>
-</refsect1>
-
-    <refsect1>
-      <title>SEE ALSO</title>
-      <para>
-	<citerefentry>
-	  <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
-	</citerefentry>,
-	<citerefentry>
-	  <refentrytitle>named-checkconf</refentrytitle><manvolnum>8</manvolnum>
-	</citerefentry>,
-	<citerefentry>
-	  <refentrytitle>rndc</refentrytitle><manvolnum>8</manvolnum>
-	</citerefentry>,
-	<citetitle>BIND 9 Administrator Reference Manual</citetitle>
-      </para>
-    </refsect1>
-
-</refentry>
-<!--
- - Local variables:
- - mode: sgml
- - End:
--->
diff --git a/bin/named/named.conf.html b/bin/named/named.conf.html
deleted file mode 100644
index 1ee06a5b..00000000
--- a/bin/named/named.conf.html
+++ /dev/null
@@ -1,432 +0,0 @@
-<!--
- - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
- - 
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id: named.conf.html,v 1.1.6.21 2007/06/20 02:25:45 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>named.conf</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476275"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p><code class="filename">named.conf</code> &#8212; configuration file for named</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">named.conf</code> </p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543330"></a><h2>DESCRIPTION</h2>
-<p>
-	<code class="filename">named.conf</code> is the configuration file for
-	<span><strong class="command">named</strong></span>.  Statements are enclosed
-	in braces and terminated with a semi-colon.  Clauses in
-	the statements are also semi-colon terminated.  The usual
-	comment styles are supported:
-    </p>
-<p>
-	C style: /* */
-    </p>
-<p>
-	C++ style: // to end of line
-    </p>
-<p>
-	Unix style: # to end of line
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543358"></a><h2>ACL</h2>
-<div class="literallayout"><p><br>
-acl <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-<br>
-</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543374"></a><h2>KEY</h2>
-<div class="literallayout"><p><br>
-key <em class="replaceable"><code>domain_name</code></em> {<br>
-	algorithm <em class="replaceable"><code>string</code></em>;<br>
-	secret <em class="replaceable"><code>string</code></em>;<br>
-};<br>
-</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543394"></a><h2>SERVER</h2>
-<div class="literallayout"><p><br>
-server ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) {<br>
-	bogus <em class="replaceable"><code>boolean</code></em>;<br>
-	edns <em class="replaceable"><code>boolean</code></em>;<br>
-	provide-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
-	request-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
-	keys <em class="replaceable"><code>server_key</code></em>;<br>
-	transfers <em class="replaceable"><code>integer</code></em>;<br>
-	transfer-format ( many-answers | one-answer );<br>
-	transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * )<br>
-		[<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * )<br>
-		[<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-<br>
-	support-ixfr <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
-};<br>
-</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543451"></a><h2>TRUSTED-KEYS</h2>
-<div class="literallayout"><p><br>
-trusted-keys {<br>
-	<em class="replaceable"><code>domain_name</code></em> <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key</code></em>; ... <br>
-};<br>
-</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543477"></a><h2>CONTROLS</h2>
-<div class="literallayout"><p><br>
-controls {<br>
-	inet ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> | * )<br>
-		[<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>]<br>
-		allow { <em class="replaceable"><code>address_match_element</code></em>; ... }<br>
-		[<span class="optional"> keys { <em class="replaceable"><code>string</code></em>; ... } </span>];<br>
-	unix <em class="replaceable"><code>unsupported</code></em>; // not implemented<br>
-};<br>
-</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543512"></a><h2>LOGGING</h2>
-<div class="literallayout"><p><br>
-logging {<br>
-	channel <em class="replaceable"><code>string</code></em> {<br>
-		file <em class="replaceable"><code>log_file</code></em>;<br>
-		syslog <em class="replaceable"><code>optional_facility</code></em>;<br>
-		null;<br>
-		stderr;<br>
-		severity <em class="replaceable"><code>log_severity</code></em>;<br>
-		print-time <em class="replaceable"><code>boolean</code></em>;<br>
-		print-severity <em class="replaceable"><code>boolean</code></em>;<br>
-		print-category <em class="replaceable"><code>boolean</code></em>;<br>
-	};<br>
-	category <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>; ... };<br>
-};<br>
-</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543550"></a><h2>LWRES</h2>
-<div class="literallayout"><p><br>
-lwres {<br>
-	listen-on [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br>
-		( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>]; ...<br>
-	};<br>
-	view <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>optional_class</code></em>;<br>
-	search { <em class="replaceable"><code>string</code></em>; ... };<br>
-	ndots <em class="replaceable"><code>integer</code></em>;<br>
-};<br>
-</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543592"></a><h2>OPTIONS</h2>
-<div class="literallayout"><p><br>
-options {<br>
-	blackhole { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	coresize <em class="replaceable"><code>size</code></em>;<br>
-	datasize <em class="replaceable"><code>size</code></em>;<br>
-	directory <em class="replaceable"><code>quoted_string</code></em>;<br>
-	cache-file <em class="replaceable"><code>quoted_string</code></em>; // test option<br>
-	dump-file <em class="replaceable"><code>quoted_string</code></em>;<br>
-	files <em class="replaceable"><code>size</code></em>;<br>
-	heartbeat-interval <em class="replaceable"><code>integer</code></em>;<br>
-	host-statistics <em class="replaceable"><code>boolean</code></em>; // not implemented<br>
-	host-statistics-max <em class="replaceable"><code>number</code></em>; // not implemented<br>
-	interface-interval <em class="replaceable"><code>integer</code></em>;<br>
-	listen-on [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	listen-on-v6 [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	match-mapped-addresses <em class="replaceable"><code>boolean</code></em>;<br>
-	memstatistics-file <em class="replaceable"><code>quoted_string</code></em>; // not implemented<br>
-	pid-file <em class="replaceable"><code>quoted_string</code></em>;<br>
-	port <em class="replaceable"><code>integer</code></em>;<br>
-	random-device <em class="replaceable"><code>quoted_string</code></em>;<br>
-	recursive-clients <em class="replaceable"><code>integer</code></em>;<br>
-	serial-query-rate <em class="replaceable"><code>integer</code></em>;<br>
-	stacksize <em class="replaceable"><code>size</code></em>;<br>
-	statistics-file <em class="replaceable"><code>quoted_string</code></em>;<br>
-	statistics-interval <em class="replaceable"><code>integer</code></em>; // not yet implemented<br>
-	tcp-clients <em class="replaceable"><code>integer</code></em>;<br>
-	tkey-dhkey <em class="replaceable"><code>quoted_string</code></em> <em class="replaceable"><code>integer</code></em>;<br>
-	tkey-gssapi-credential <em class="replaceable"><code>quoted_string</code></em>;<br>
-	tkey-domain <em class="replaceable"><code>quoted_string</code></em>;<br>
-	transfers-per-ns <em class="replaceable"><code>integer</code></em>;<br>
-	transfers-in <em class="replaceable"><code>integer</code></em>;<br>
-	transfers-out <em class="replaceable"><code>integer</code></em>;<br>
-	use-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
-	version <em class="replaceable"><code>quoted_string</code></em>;<br>
-	allow-recursion { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	sortlist { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	topology { <em class="replaceable"><code>address_match_element</code></em>; ... }; // not implemented<br>
-	auth-nxdomain <em class="replaceable"><code>boolean</code></em>; // default changed<br>
-	minimal-responses <em class="replaceable"><code>boolean</code></em>;<br>
-	recursion <em class="replaceable"><code>boolean</code></em>;<br>
-	rrset-order {<br>
-		[<span class="optional"> class <em class="replaceable"><code>string</code></em> </span>] [<span class="optional"> type <em class="replaceable"><code>string</code></em> </span>]<br>
-		[<span class="optional"> name <em class="replaceable"><code>quoted_string</code></em> </span>] <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>string</code></em>; ...<br>
-	}; // not implemented<br>
-	provide-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
-	request-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
-	rfc2308-type1 <em class="replaceable"><code>boolean</code></em>; // not yet implemented<br>
-	additional-from-auth <em class="replaceable"><code>boolean</code></em>;<br>
-	additional-from-cache <em class="replaceable"><code>boolean</code></em>;<br>
-	query-source [<span class="optional"> address ( <em class="replaceable"><code>ipv4_address</code></em> | * ) </span>] [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	query-source-v6 [<span class="optional"> address ( <em class="replaceable"><code>ipv6_address</code></em> | * ) </span>] [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	cleaning-interval <em class="replaceable"><code>integer</code></em>;<br>
-	min-roots <em class="replaceable"><code>integer</code></em>; // not implemented<br>
-	lame-ttl <em class="replaceable"><code>integer</code></em>;<br>
-	max-ncache-ttl <em class="replaceable"><code>integer</code></em>;<br>
-	max-cache-ttl <em class="replaceable"><code>integer</code></em>;<br>
-	transfer-format ( many-answers | one-answer );<br>
-	max-cache-size <em class="replaceable"><code>size_no_default</code></em>;<br>
-	check-names ( master | slave | response )<br>
-		( fail | warn | ignore ); // not implemented<br>
-	cache-file <em class="replaceable"><code>quoted_string</code></em>;<br>
-	root-delegation-only [<span class="optional"> exclude { <em class="replaceable"><code>quoted_string</code></em>; ... } </span>];<br>
-<br>
-	dialup <em class="replaceable"><code>dialuptype</code></em>;<br>
-<br>
-	allow-query { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	allow-transfer { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	allow-update-forwarding { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-<br>
-	notify <em class="replaceable"><code>notifytype</code></em>;<br>
-	notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	also-notify [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> )<br>
-		[<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>]; ... };<br>
-	allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-<br>
-	forward ( first | only );<br>
-	forwarders [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br>
-		( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>]; ...<br>
-	};<br>
-<br>
-	max-transfer-time-in <em class="replaceable"><code>integer</code></em>;<br>
-	max-transfer-time-out <em class="replaceable"><code>integer</code></em>;<br>
-	max-transfer-idle-in <em class="replaceable"><code>integer</code></em>;<br>
-	max-transfer-idle-out <em class="replaceable"><code>integer</code></em>;<br>
-	max-retry-time <em class="replaceable"><code>integer</code></em>;<br>
-	min-retry-time <em class="replaceable"><code>integer</code></em>;<br>
-	max-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
-	min-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
-	sig-validity-interval <em class="replaceable"><code>integer</code></em>;<br>
-<br>
-	transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * )<br>
-		[<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * )<br>
-		[<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-<br>
-	zone-statistics <em class="replaceable"><code>boolean</code></em>;<br>
-<br>
-	allow-v6-synthesis { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	deallocate-on-exit <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
-	fake-iquery <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
-	fetch-glue <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
-	has-old-clients <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
-	maintain-ixfr-base <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
-	max-ixfr-log-size <em class="replaceable"><code>size</code></em>; // obsolete<br>
-	multiple-cnames <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
-	named-xfer <em class="replaceable"><code>quoted_string</code></em>; // obsolete<br>
-	serial-queries <em class="replaceable"><code>integer</code></em>; // obsolete<br>
-	treat-cr-as-space <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
-	use-id-pool <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
-};<br>
-</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2544085"></a><h2>VIEW</h2>
-<div class="literallayout"><p><br>
-view <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>optional_class</code></em> {<br>
-	match-clients { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	match-destinations { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	match-recursive-only <em class="replaceable"><code>boolean</code></em>;<br>
-<br>
-	key <em class="replaceable"><code>string</code></em> {<br>
-		algorithm <em class="replaceable"><code>string</code></em>;<br>
-		secret <em class="replaceable"><code>string</code></em>;<br>
-	};<br>
-<br>
-	zone <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>optional_class</code></em> {<br>
-		...<br>
-	};<br>
-<br>
-	server ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) {<br>
-		...<br>
-	};<br>
-<br>
-	trusted-keys {<br>
-		<em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ...<br>
-	};<br>
-<br>
-	allow-recursion { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	sortlist { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	topology { <em class="replaceable"><code>address_match_element</code></em>; ... }; // not implemented<br>
-	auth-nxdomain <em class="replaceable"><code>boolean</code></em>; // default changed<br>
-	minimal-responses <em class="replaceable"><code>boolean</code></em>;<br>
-	recursion <em class="replaceable"><code>boolean</code></em>;<br>
-	rrset-order {<br>
-		[<span class="optional"> class <em class="replaceable"><code>string</code></em> </span>] [<span class="optional"> type <em class="replaceable"><code>string</code></em> </span>]<br>
-		[<span class="optional"> name <em class="replaceable"><code>quoted_string</code></em> </span>] <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>string</code></em>; ...<br>
-	}; // not implemented<br>
-	provide-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
-	request-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
-	rfc2308-type1 <em class="replaceable"><code>boolean</code></em>; // not yet implemented<br>
-	additional-from-auth <em class="replaceable"><code>boolean</code></em>;<br>
-	additional-from-cache <em class="replaceable"><code>boolean</code></em>;<br>
-	query-source [<span class="optional"> address ( <em class="replaceable"><code>ipv4_address</code></em> | * ) </span>] [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	query-source-v6 [<span class="optional"> address ( <em class="replaceable"><code>ipv6_address</code></em> | * ) </span>] [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	cleaning-interval <em class="replaceable"><code>integer</code></em>;<br>
-	min-roots <em class="replaceable"><code>integer</code></em>; // not implemented<br>
-	lame-ttl <em class="replaceable"><code>integer</code></em>;<br>
-	max-ncache-ttl <em class="replaceable"><code>integer</code></em>;<br>
-	max-cache-ttl <em class="replaceable"><code>integer</code></em>;<br>
-	transfer-format ( many-answers | one-answer );<br>
-	max-cache-size <em class="replaceable"><code>size_no_default</code></em>;<br>
-	check-names ( master | slave | response )<br>
-		( fail | warn | ignore );<br>
-	cache-file <em class="replaceable"><code>quoted_string</code></em>;<br>
-	suppress-initial-notify <em class="replaceable"><code>boolean</code></em>; // not yet implemented<br>
-	root-delegation-only [<span class="optional"> exclude { <em class="replaceable"><code>quoted_string</code></em>; ... } </span>];<br>
-<br>
-	dialup <em class="replaceable"><code>dialuptype</code></em>;<br>
-<br>
-	allow-query { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	allow-transfer { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	allow-update-forwarding { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-<br>
-	notify <em class="replaceable"><code>notifytype</code></em>;<br>
-	notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	also-notify [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> )<br>
-		[<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>]; ... };<br>
-	allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-<br>
-	forward ( first | only );<br>
-	forwarders [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br>
-		( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>]; ...<br>
-	};<br>
-<br>
-	max-transfer-time-in <em class="replaceable"><code>integer</code></em>;<br>
-	max-transfer-time-out <em class="replaceable"><code>integer</code></em>;<br>
-	max-transfer-idle-in <em class="replaceable"><code>integer</code></em>;<br>
-	max-transfer-idle-out <em class="replaceable"><code>integer</code></em>;<br>
-	max-retry-time <em class="replaceable"><code>integer</code></em>;<br>
-	min-retry-time <em class="replaceable"><code>integer</code></em>;<br>
-	max-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
-	min-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
-	sig-validity-interval <em class="replaceable"><code>integer</code></em>;<br>
-<br>
-	transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * )<br>
-		[<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * )<br>
-		[<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-<br>
-	zone-statistics <em class="replaceable"><code>boolean</code></em>;<br>
-<br>
-	allow-v6-synthesis { <em class="replaceable"><code>address_match_element</code></em>; ... }; // obsolete<br>
-	fetch-glue <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
-	maintain-ixfr-base <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
-	max-ixfr-log-size <em class="replaceable"><code>size</code></em>; // obsolete<br>
-};<br>
-</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2544489"></a><h2>ZONE</h2>
-<div class="literallayout"><p><br>
-zone <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>optional_class</code></em> {<br>
-	type ( master | slave | stub | hint |<br>
-		forward | delegation-only );<br>
-	file <em class="replaceable"><code>quoted_string</code></em>;<br>
-<br>
-	masters [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br>
-		( <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] |<br>
-		<em class="replaceable"><code>ipv6_address</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] ) [<span class="optional"> key <em class="replaceable"><code>string</code></em> </span>]; ...<br>
-	};<br>
-<br>
-	database <em class="replaceable"><code>string</code></em>;<br>
-	delegation-only <em class="replaceable"><code>boolean</code></em>;<br>
-	check-names ( fail | warn | ignore );<br>
-	dialup <em class="replaceable"><code>dialuptype</code></em>;<br>
-<br>
-	allow-query { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	allow-transfer { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	allow-update { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	allow-update-forwarding { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	update-policy {<br>
-		( grant | deny ) <em class="replaceable"><code>string</code></em><br>
-		( name | subdomain | wildcard | self ) <em class="replaceable"><code>string</code></em><br>
-		<em class="replaceable"><code>rrtypelist</code></em>; ...<br>
-	};<br>
-<br>
-	notify <em class="replaceable"><code>notifytype</code></em>;<br>
-	notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	also-notify [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> )<br>
-		[<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>]; ... };<br>
-	allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-<br>
-	forward ( first | only );<br>
-	forwarders [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br>
-		( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>]; ...<br>
-	};<br>
-<br>
-	max-transfer-time-in <em class="replaceable"><code>integer</code></em>;<br>
-	max-transfer-time-out <em class="replaceable"><code>integer</code></em>;<br>
-	max-transfer-idle-in <em class="replaceable"><code>integer</code></em>;<br>
-	max-transfer-idle-out <em class="replaceable"><code>integer</code></em>;<br>
-	max-retry-time <em class="replaceable"><code>integer</code></em>;<br>
-	min-retry-time <em class="replaceable"><code>integer</code></em>;<br>
-	max-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
-	min-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
-	sig-validity-interval <em class="replaceable"><code>integer</code></em>;<br>
-<br>
-	transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * )<br>
-		[<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * )<br>
-		[<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-<br>
-	zone-statistics <em class="replaceable"><code>boolean</code></em>;<br>
-<br>
-	ixfr-base <em class="replaceable"><code>quoted_string</code></em>; // obsolete<br>
-	ixfr-tmp-file <em class="replaceable"><code>quoted_string</code></em>; // obsolete<br>
-	maintain-ixfr-base <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
-	max-ixfr-log-size <em class="replaceable"><code>size</code></em>; // obsolete<br>
-	pubkey <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; // obsolete<br>
-};<br>
-</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2544789"></a><h2>FILES</h2>
-<p>
-<code class="filename">/etc/named.conf</code>
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2544802"></a><h2>SEE ALSO</h2>
-<p>
-	<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
-	<span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
-	<span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
-	<em class="citetitle">BIND 9 Administrator Reference Manual</em>
-      </p>
-</div>
-</div></body>
-</html>
diff --git a/bin/named/named.docbook b/bin/named/named.docbook
index 3a3486ef..df5c1fee 100644
--- a/bin/named/named.docbook
+++ b/bin/named/named.docbook
@@ -1,9 +1,7 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
 <!--
- - Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001  Internet Software Consortium.
+ - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -18,7 +16,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: named.docbook,v 1.5.2.10 2007/06/19 07:52:23 marka Exp $ -->
+<!-- $Id: named.docbook,v 1.5.98.2 2004/03/06 10:21:20 marka Exp $ -->
 
 <refentry>
   <refentryinfo>
@@ -31,21 +29,6 @@
     <refmiscinfo>BIND9</refmiscinfo>
   </refmeta>
 
-  <docinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2006</year>
-      <year>2007</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
-  </docinfo>
-
   <refnamediv>
     <refname><application>named</application></refname>
     <refpurpose>Internet domain name server</refpurpose>
@@ -54,6 +37,8 @@
   <refsynopsisdiv>
     <cmdsynopsis>
       <command>named</command>
+      <arg><option>-4</option></arg>
+      <arg><option>-6</option></arg>
       <arg><option>-c <replaceable class="parameter">config-file</replaceable></option></arg>
       <arg><option>-d <replaceable class="parameter">debug-level</replaceable></option></arg>
       <arg><option>-f</option></arg>
@@ -88,6 +73,27 @@
 
     <variablelist>
       <varlistentry>
+	<term>-4</term>
+	<listitem>
+	  <para>
+		Use IPv4 only even if the host machine is capable of IPv6.
+		<option>-4</option> and <option>-6</option> are mutually
+		exclusive.
+          </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-6</term>
+	<listitem>
+	  <para>
+		Use IPv6 only even if the host machine is capable of IPv4.
+		<option>-4</option> and <option>-6</option> are mutually
+		exclusive.
+          </para>
+	</listitem>
+      </varlistentry>
+      <varlistentry>
 	<term>-c <replaceable class="parameter">config-file</replaceable></term>
 	<listitem>
 	  <para>
@@ -182,7 +188,7 @@
 	<term>-t <replaceable class="parameter">directory</replaceable></term>
 	<listitem>
 	  <para>
-		<function>Chroot</function> to <replaceable
+		<function>chroot()</function> to <replaceable
 		class="parameter">directory</replaceable> after
 		processing the command line arguments, but before
 		reading the configuration file.
@@ -192,7 +198,7 @@
 		This option should be used in conjunction with the
 		<option>-u</option> option, as chrooting a process
 		running as root doesn't enhance security on most
-		systems; the way <function>chroot(2)</function> is
+		systems; the way <function>chroot()</function> is
 		defined allows a process with root privileges to
 		escape a chroot jail.
 	    </para>
@@ -204,7 +210,7 @@
 	<term>-u <replaceable class="parameter">user</replaceable></term>
 	<listitem>
 	  <para>
-		<function>Setuid</function> to <replaceable
+		<function>setuid()</function> to <replaceable
 		class="parameter">user</replaceable> after completing
 		privileged operations, such as creating sockets that
 		listen on privileged ports.
@@ -213,13 +219,13 @@
 	    <para>
 		On Linux, <command>named</command> uses the kernel's
 		capability mechanism to drop all root privileges
-		except the ability to <function>bind(2)</function> to a
+		except the ability to <function>bind()</function> to a
 		privileged port and set process resource limits.
 		Unfortunately, this means that the <option>-u</option>
 		option only works when <command>named</command> is run
 		on kernel 2.2.18 or later, or kernel 2.3.99-pre3 or
 		later, since previous kernels did not allow privileges
-		to be retained after <function>setuid(2)</function>.
+		to be retained after <function>setuid()</function>.
 	    </para>
 	  </note>
 	</listitem>
@@ -336,14 +342,6 @@
 	<citetitle>RFC 1034</citetitle>,
 	<citetitle>RFC 1035</citetitle>,
 	<citerefentry>
-	  <refentrytitle>named-checkconf</refentrytitle>
-	  <manvolnum>8</manvolnum>
-	</citerefentry>,
-	<citerefentry>
-	  <refentrytitle>named-checkzone</refentrytitle>
-	  <manvolnum>8</manvolnum>
-	</citerefentry>,
-	<citerefentry>
 	  <refentrytitle>rndc</refentrytitle>
 	  <manvolnum>8</manvolnum>
         </citerefentry>,
@@ -351,10 +349,6 @@
 	  <refentrytitle>lwresd</refentrytitle>
 	  <manvolnum>8</manvolnum>
         </citerefentry>,
-	<citerefentry>
-	  <refentrytitle>named.conf</refentrytitle>
-	  <manvolnum>5</manvolnum>
-	</citerefentry>,
 	<citetitle>BIND 9 Administrator Reference Manual</citetitle>.
     </para>
   </refsect1>
@@ -362,7 +356,7 @@
   <refsect1>
     <title>AUTHOR</title>
     <para>
-	<corpauthor>Internet Systems Consortium</corpauthor>
+	<corpauthor>Internet Software Consortium</corpauthor>
     </para>
   </refsect1>
 
diff --git a/bin/named/named.html b/bin/named/named.html
index 18c37fec..1d4c72ee 100644
--- a/bin/named/named.html
+++ b/bin/named/named.html
@@ -1,231 +1,669 @@
 <!--
- - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- - 
+ - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
+ -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
- - 
+ -
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: named.html,v 1.4.2.20 2007/06/20 02:25:45 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>named</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476275"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p><span class="application">named</span> &#8212; Internet domain name server</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">named</code>  [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>] [<code class="option">-x <em class="replaceable"><code>cache-file</code></em></code>]</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543420"></a><h2>DESCRIPTION</h2>
-<p>
-	<span><strong class="command">named</strong></span> is a Domain Name System (DNS) server,
+
+<!-- $Id: named.html,v 1.4.2.1.4.2 2004/03/06 10:21:20 marka Exp $ -->
+
+<HTML
+><HEAD
+><TITLE
+>named</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.73
+"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+><SPAN
+CLASS="APPLICATION"
+>named</SPAN
+></A
+></H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN9"
+></A
+><H2
+>Name</H2
+><SPAN
+CLASS="APPLICATION"
+>named</SPAN
+>&nbsp;--&nbsp;Internet domain name server</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN13"
+></A
+><H2
+>Synopsis</H2
+><P
+><B
+CLASS="COMMAND"
+>named</B
+>  [<TT
+CLASS="OPTION"
+>-4</TT
+>] [<TT
+CLASS="OPTION"
+>-6</TT
+>] [<TT
+CLASS="OPTION"
+>-c <TT
+CLASS="REPLACEABLE"
+><I
+>config-file</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-d <TT
+CLASS="REPLACEABLE"
+><I
+>debug-level</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-f</TT
+>] [<TT
+CLASS="OPTION"
+>-g</TT
+>] [<TT
+CLASS="OPTION"
+>-n <TT
+CLASS="REPLACEABLE"
+><I
+>#cpus</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-p <TT
+CLASS="REPLACEABLE"
+><I
+>port</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-s</TT
+>] [<TT
+CLASS="OPTION"
+>-t <TT
+CLASS="REPLACEABLE"
+><I
+>directory</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-u <TT
+CLASS="REPLACEABLE"
+><I
+>user</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-v</TT
+>] [<TT
+CLASS="OPTION"
+>-x <TT
+CLASS="REPLACEABLE"
+><I
+>cache-file</I
+></TT
+></TT
+>]</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN49"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+>	<B
+CLASS="COMMAND"
+>named</B
+> is a Domain Name System (DNS) server,
 	part of the BIND 9 distribution from ISC.  For more
 	information on the DNS, see RFCs 1033, 1034, and 1035.
-    </p>
-<p>
-	When invoked without arguments, <span><strong class="command">named</strong></span> will
+    </P
+><P
+>	When invoked without arguments, <B
+CLASS="COMMAND"
+>named</B
+> will
 	read the default configuration file
-	<code class="filename">/etc/named.conf</code>, read any initial
+	<TT
+CLASS="FILENAME"
+>/etc/named.conf</TT
+>, read any initial
 	data, and listen for queries.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543446"></a><h2>OPTIONS</h2>
-<div class="variablelist"><dl>
-<dt><span class="term">-c <em class="replaceable"><code>config-file</code></em></span></dt>
-<dd><p>
-		Use <em class="replaceable"><code>config-file</code></em> as the
+    </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN56"
+></A
+><H2
+>OPTIONS</H2
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+>-4</DT
+><DD
+><P
+>		Use IPv4 only even if the host machine is capable of IPv6.
+		<TT
+CLASS="OPTION"
+>-4</TT
+> and <TT
+CLASS="OPTION"
+>-6</TT
+> are mutually
+		exclusive.
+          </P
+></DD
+><DT
+>-6</DT
+><DD
+><P
+>		Use IPv6 only even if the host machine is capable of IPv4.
+		<TT
+CLASS="OPTION"
+>-4</TT
+> and <TT
+CLASS="OPTION"
+>-6</TT
+> are mutually
+		exclusive.
+          </P
+></DD
+><DT
+>-c <TT
+CLASS="REPLACEABLE"
+><I
+>config-file</I
+></TT
+></DT
+><DD
+><P
+>		Use <TT
+CLASS="REPLACEABLE"
+><I
+>config-file</I
+></TT
+> as the
 		configuration file instead of the default,
-		<code class="filename">/etc/named.conf</code>.  To
+		<TT
+CLASS="FILENAME"
+>/etc/named.conf</TT
+>.  To
 		ensure that reloading the configuration file continues
 		to work after the server has changed its working
 		directory due to to a possible
-		<code class="option">directory</code> option in the configuration
-		file, <em class="replaceable"><code>config-file</code></em> should be
+		<TT
+CLASS="OPTION"
+>directory</TT
+> option in the configuration
+		file, <TT
+CLASS="REPLACEABLE"
+><I
+>config-file</I
+></TT
+> should be
 		an absolute pathname.
-          </p></dd>
-<dt><span class="term">-d <em class="replaceable"><code>debug-level</code></em></span></dt>
-<dd><p>
-		Set the daemon's debug level to <em class="replaceable"><code>debug-level</code></em>.
-		Debugging traces from <span><strong class="command">named</strong></span> become
+          </P
+></DD
+><DT
+>-d <TT
+CLASS="REPLACEABLE"
+><I
+>debug-level</I
+></TT
+></DT
+><DD
+><P
+>		Set the daemon's debug level to <TT
+CLASS="REPLACEABLE"
+><I
+>debug-level</I
+></TT
+>.
+		Debugging traces from <B
+CLASS="COMMAND"
+>named</B
+> become
 		more verbose as the debug level increases.
-          </p></dd>
-<dt><span class="term">-f</span></dt>
-<dd><p>
-		Run the server in the foreground (i.e. do not daemonize).
-          </p></dd>
-<dt><span class="term">-g</span></dt>
-<dd><p>
-		Run the server in the foreground and force all logging
-		to <code class="filename">stderr</code>.
-          </p></dd>
-<dt><span class="term">-n <em class="replaceable"><code>#cpus</code></em></span></dt>
-<dd><p>
-		Create <em class="replaceable"><code>#cpus</code></em> worker threads
+          </P
+></DD
+><DT
+>-f</DT
+><DD
+><P
+>		Run the server in the foreground (i.e. do not daemonize).
+          </P
+></DD
+><DT
+>-g</DT
+><DD
+><P
+>		Run the server in the foreground and force all logging
+		to <TT
+CLASS="FILENAME"
+>stderr</TT
+>.
+          </P
+></DD
+><DT
+>-n <TT
+CLASS="REPLACEABLE"
+><I
+>#cpus</I
+></TT
+></DT
+><DD
+><P
+>		Create <TT
+CLASS="REPLACEABLE"
+><I
+>#cpus</I
+></TT
+> worker threads
 		to take advantage of multiple CPUs.  If not specified,
-		<span><strong class="command">named</strong></span> will try to determine the
+		<B
+CLASS="COMMAND"
+>named</B
+> will try to determine the
 		number of CPUs present and create one thread per CPU.
 		If it is unable to determine the number of CPUs, a
 		single worker thread will be created.
-          </p></dd>
-<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
-<dd><p>
-		Listen for queries on port <em class="replaceable"><code>port</code></em>.  If not
+          </P
+></DD
+><DT
+>-p <TT
+CLASS="REPLACEABLE"
+><I
+>port</I
+></TT
+></DT
+><DD
+><P
+>		Listen for queries on port <TT
+CLASS="REPLACEABLE"
+><I
+>port</I
+></TT
+>.  If not
 		specified, the default is port 53.
-          </p></dd>
-<dt><span class="term">-s</span></dt>
-<dd>
-<p>
-		Write memory usage statistics to <code class="filename">stdout</code> on exit.
-          </p>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>
-		This option is mainly of interest to BIND 9 developers
+          </P
+></DD
+><DT
+>-s</DT
+><DD
+><P
+>		Write memory usage statistics to <TT
+CLASS="FILENAME"
+>stdout</TT
+> on exit.
+          </P
+><DIV
+CLASS="NOTE"
+><BLOCKQUOTE
+CLASS="NOTE"
+><P
+><B
+>Note: </B
+>		This option is mainly of interest to BIND 9 developers
 		and may be removed or changed in a future release.
-	    </p>
-</div>
-</dd>
-<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
-<dd>
-<p>
-		<code class="function">Chroot</code> to <em class="replaceable"><code>directory</code></em> after
+	    </P
+></BLOCKQUOTE
+></DIV
+></DD
+><DT
+>-t <TT
+CLASS="REPLACEABLE"
+><I
+>directory</I
+></TT
+></DT
+><DD
+><P
+>		<TT
+CLASS="FUNCTION"
+>chroot()</TT
+> to <TT
+CLASS="REPLACEABLE"
+><I
+>directory</I
+></TT
+> after
 		processing the command line arguments, but before
 		reading the configuration file.
-          </p>
-<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Warning</h3>
-<p>
-		This option should be used in conjunction with the
-		<code class="option">-u</code> option, as chrooting a process
+          </P
+><DIV
+CLASS="WARNING"
+><P
+></P
+><TABLE
+CLASS="WARNING"
+BORDER="1"
+WIDTH="90%"
+><TR
+><TD
+ALIGN="CENTER"
+><B
+>Warning</B
+></TD
+></TR
+><TR
+><TD
+ALIGN="LEFT"
+><P
+>		This option should be used in conjunction with the
+		<TT
+CLASS="OPTION"
+>-u</TT
+> option, as chrooting a process
 		running as root doesn't enhance security on most
-		systems; the way <code class="function">chroot(2)</code> is
+		systems; the way <TT
+CLASS="FUNCTION"
+>chroot()</TT
+> is
 		defined allows a process with root privileges to
 		escape a chroot jail.
-	    </p>
-</div>
-</dd>
-<dt><span class="term">-u <em class="replaceable"><code>user</code></em></span></dt>
-<dd>
-<p>
-		<code class="function">Setuid</code> to <em class="replaceable"><code>user</code></em> after completing
+	    </P
+></TD
+></TR
+></TABLE
+></DIV
+></DD
+><DT
+>-u <TT
+CLASS="REPLACEABLE"
+><I
+>user</I
+></TT
+></DT
+><DD
+><P
+>		<TT
+CLASS="FUNCTION"
+>setuid()</TT
+> to <TT
+CLASS="REPLACEABLE"
+><I
+>user</I
+></TT
+> after completing
 		privileged operations, such as creating sockets that
 		listen on privileged ports.
-          </p>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>
-		On Linux, <span><strong class="command">named</strong></span> uses the kernel's
+          </P
+><DIV
+CLASS="NOTE"
+><BLOCKQUOTE
+CLASS="NOTE"
+><P
+><B
+>Note: </B
+>		On Linux, <B
+CLASS="COMMAND"
+>named</B
+> uses the kernel's
 		capability mechanism to drop all root privileges
-		except the ability to <code class="function">bind(2)</code> to a
+		except the ability to <TT
+CLASS="FUNCTION"
+>bind()</TT
+> to a
 		privileged port and set process resource limits.
-		Unfortunately, this means that the <code class="option">-u</code>
-		option only works when <span><strong class="command">named</strong></span> is run
+		Unfortunately, this means that the <TT
+CLASS="OPTION"
+>-u</TT
+>
+		option only works when <B
+CLASS="COMMAND"
+>named</B
+> is run
 		on kernel 2.2.18 or later, or kernel 2.3.99-pre3 or
 		later, since previous kernels did not allow privileges
-		to be retained after <code class="function">setuid(2)</code>.
-	    </p>
-</div>
-</dd>
-<dt><span class="term">-v</span></dt>
-<dd><p>
-		Report the version number and exit.
-          </p></dd>
-<dt><span class="term">-x <em class="replaceable"><code>cache-file</code></em></span></dt>
-<dd>
-<p>
-		Load data from <em class="replaceable"><code>cache-file</code></em> into the
+		to be retained after <TT
+CLASS="FUNCTION"
+>setuid()</TT
+>.
+	    </P
+></BLOCKQUOTE
+></DIV
+></DD
+><DT
+>-v</DT
+><DD
+><P
+>		Report the version number and exit.
+          </P
+></DD
+><DT
+>-x <TT
+CLASS="REPLACEABLE"
+><I
+>cache-file</I
+></TT
+></DT
+><DD
+><P
+>		Load data from <TT
+CLASS="REPLACEABLE"
+><I
+>cache-file</I
+></TT
+> into the
 		cache of the default view.
-          </p>
-<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Warning</h3>
-<p>
-		This option must not be used.  It is only of interest
+          </P
+><DIV
+CLASS="WARNING"
+><P
+></P
+><TABLE
+CLASS="WARNING"
+BORDER="1"
+WIDTH="90%"
+><TR
+><TD
+ALIGN="CENTER"
+><B
+>Warning</B
+></TD
+></TR
+><TR
+><TD
+ALIGN="LEFT"
+><P
+>		This option must not be used.  It is only of interest
 		to BIND 9 developers and may be removed or changed in a
 		future release.
-	    </p>
-</div>
-</dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543754"></a><h2>SIGNALS</h2>
-<p>
-	In routine operation, signals should not be used to control
-	the nameserver; <span><strong class="command">rndc</strong></span> should be used
+	    </P
+></TD
+></TR
+></TABLE
+></DIV
+></DD
+></DL
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN153"
+></A
+><H2
+>SIGNALS</H2
+><P
+>	In routine operation, signals should not be used to control
+	the nameserver; <B
+CLASS="COMMAND"
+>rndc</B
+> should be used
 	instead.
-    </p>
-<div class="variablelist"><dl>
-<dt><span class="term">SIGHUP</span></dt>
-<dd><p>
-		Force a reload of the server.
-          </p></dd>
-<dt><span class="term">SIGINT, SIGTERM</span></dt>
-<dd><p>
-		Shut down the server.
-          </p></dd>
-</dl></div>
-<p>
-	The result of sending any other signals to the server is undefined.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543801"></a><h2>CONFIGURATION</h2>
-<p>
-	The <span><strong class="command">named</strong></span> configuration file is too complex
+    </P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+>SIGHUP</DT
+><DD
+><P
+>		Force a reload of the server.
+          </P
+></DD
+><DT
+>SIGINT, SIGTERM</DT
+><DD
+><P
+>		Shut down the server.
+          </P
+></DD
+></DL
+></DIV
+><P
+>	The result of sending any other signals to the server is undefined.
+    </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN167"
+></A
+><H2
+>CONFIGURATION</H2
+><P
+>	The <B
+CLASS="COMMAND"
+>named</B
+> configuration file is too complex
 	to describe in detail here.  A complete description is
-	provided in the <em class="citetitle">BIND 9 Administrator Reference
-	Manual</em>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543818"></a><h2>FILES</h2>
-<div class="variablelist"><dl>
-<dt><span class="term"><code class="filename">/etc/named.conf</code></span></dt>
-<dd><p>
-		The default configuration file.
-          </p></dd>
-<dt><span class="term"><code class="filename">/var/run/named.pid</code></span></dt>
-<dd><p>
-		The default process-id file.
-          </p></dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543858"></a><h2>SEE ALSO</h2>
-<p>
-	<em class="citetitle">RFC 1033</em>,
-	<em class="citetitle">RFC 1034</em>,
-	<em class="citetitle">RFC 1035</em>,
-	<span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
-	<span class="citerefentry"><span class="refentrytitle">named-checkzone</span>(8)</span>,
-	<span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
-	<span class="citerefentry"><span class="refentrytitle">lwresd</span>(8)</span>,
-	<span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
-	<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543929"></a><h2>AUTHOR</h2>
-<p>
-	<span class="corpauthor">Internet Systems Consortium</span>
-    </p>
-</div>
-</div></body>
-</html>
+	provided in the <I
+CLASS="CITETITLE"
+>BIND 9 Administrator Reference
+	Manual</I
+>.
+    </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN172"
+></A
+><H2
+>FILES</H2
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="FILENAME"
+>/etc/named.conf</TT
+></DT
+><DD
+><P
+>		The default configuration file.
+          </P
+></DD
+><DT
+><TT
+CLASS="FILENAME"
+>/var/run/named.pid</TT
+></DT
+><DD
+><P
+>		The default process-id file.
+          </P
+></DD
+></DL
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN185"
+></A
+><H2
+>SEE ALSO</H2
+><P
+>	<I
+CLASS="CITETITLE"
+>RFC 1033</I
+>,
+	<I
+CLASS="CITETITLE"
+>RFC 1034</I
+>,
+	<I
+CLASS="CITETITLE"
+>RFC 1035</I
+>,
+	<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>rndc</SPAN
+>(8)</SPAN
+>,
+	<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwresd</SPAN
+>(8)</SPAN
+>,
+	<I
+CLASS="CITETITLE"
+>BIND 9 Administrator Reference Manual</I
+>.
+    </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN198"
+></A
+><H2
+>AUTHOR</H2
+><P
+>	Internet Software Consortium
+    </P
+></DIV
+></BODY
+></HTML
+>
diff --git a/bin/named/notify.c b/bin/named/notify.c
index 3d23c08b..9f469192 100644
--- a/bin/named/notify.c
+++ b/bin/named/notify.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
+ * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: notify.c,v 1.24.2.3 2004/03/09 06:09:19 marka Exp $ */
+/* $Id: notify.c,v 1.24.2.2.2.6 2004/03/08 04:04:19 marka Exp $ */
 
 #include <config.h>
 
@@ -36,11 +36,11 @@
  */
 
 static void
-notify_log(int level, const char *fmt, ...) {
+notify_log(ns_client_t *client, int level, const char *fmt, ...) {
 	va_list ap;
 
 	va_start(ap, fmt);
-	isc_log_vwrite(ns_g_lctx, DNS_LOGCATEGORY_NOTIFY, NS_LOGMODULE_NOTIFY,
+	ns_client_logv(client, DNS_LOGCATEGORY_NOTIFY, NS_LOGMODULE_NOTIFY,
 		       level, fmt, ap);
 	va_end(ap);
 }
@@ -76,14 +76,17 @@ ns_notify_start(ns_client_t *client) {
 	dns_name_t *zonename;
 	dns_rdataset_t *zone_rdataset;
 	dns_zone_t *zone = NULL;
-	char str[DNS_NAME_FORMATSIZE];
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char tsigbuf[DNS_NAME_FORMATSIZE + sizeof(": TSIG ''")];
+	dns_name_t *tsigname;
 
 	/*
 	 * Interpret the question section.
 	 */
 	result = dns_message_firstname(request, DNS_SECTION_QUESTION);
 	if (result != ISC_R_SUCCESS) {
-		notify_log(ISC_LOG_INFO, "notify question section empty");
+		notify_log(client, ISC_LOG_NOTICE,
+			   "notify question section empty");
 		goto formerr;
 	}
 
@@ -94,7 +97,7 @@ ns_notify_start(ns_client_t *client) {
 	dns_message_currentname(request, DNS_SECTION_QUESTION, &zonename);
 	zone_rdataset = ISC_LIST_HEAD(zonename->list);
 	if (ISC_LIST_NEXT(zone_rdataset, link) != NULL) {
-		notify_log(ISC_LOG_INFO,
+		notify_log(client, ISC_LOG_NOTICE,
 			   "notify question section contains multiple RRs");
 		goto formerr;
 	}
@@ -102,29 +105,36 @@ ns_notify_start(ns_client_t *client) {
 	/* The zone section must have exactly one name. */
 	result = dns_message_nextname(request, DNS_SECTION_ZONE);
 	if (result != ISC_R_NOMORE) {
-		notify_log(ISC_LOG_INFO,
+		notify_log(client, ISC_LOG_NOTICE,
 			   "notify question section contains multiple RRs");
-		goto failure;
+		goto formerr;
 	}
 
 	/* The one rdataset must be an SOA. */
 	if (zone_rdataset->type != dns_rdatatype_soa) {
-		notify_log(ISC_LOG_INFO,
+		notify_log(client, ISC_LOG_NOTICE,
 			   "notify question section contains no SOA");
 		goto formerr;
 	}
 
-	dns_name_format(zonename, str, sizeof(str));
+	tsigname = NULL;
+	if (dns_message_gettsig(request, &tsigname) != NULL) {
+		dns_name_format(tsigname, namebuf, sizeof(namebuf));
+		snprintf(tsigbuf, sizeof(tsigbuf), ": TSIG '%s'", namebuf);
+	} else
+		tsigbuf[0] = '\0';
+	dns_name_format(zonename, namebuf, sizeof(namebuf));
 	result = dns_zt_find(client->view->zonetable, zonename, 0, NULL,
 			     &zone);
 	if (result != ISC_R_SUCCESS)
 		goto notauth;
 
-	switch(dns_zone_gettype(zone)) {
+	switch (dns_zone_gettype(zone)) {
 	case dns_zone_master:
 	case dns_zone_slave:
 	case dns_zone_stub:	/* Allow dialup passive to work. */
-		notify_log(ISC_LOG_INFO, "received notify for zone '%s'", str);
+		notify_log(client, ISC_LOG_INFO,
+			   "received notify for zone '%s'%s", namebuf, tsigbuf);
 		respond(client, dns_zone_notifyreceive(zone,
 			ns_client_getsockaddr(client), request));
 		break;
@@ -135,9 +145,9 @@ ns_notify_start(ns_client_t *client) {
 	return;
 
  notauth:
-	notify_log(ISC_LOG_INFO,
-		   "received notify for zone '%s': not authoritative",
-		   str);
+	notify_log(client, ISC_LOG_NOTICE,
+		   "received notify for zone '%s'%s: not authoritative",
+		   namebuf, tsigbuf);
 	result = DNS_R_NOTAUTH;
 	goto failure;
 
diff --git a/bin/named/query.c b/bin/named/query.c
index 11ff7323..de01ddbf 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: query.c,v 1.198.2.30 2007/04/30 23:45:27 tbox Exp $ */
+/* $Id: query.c,v 1.198.2.13.4.26 2004/03/10 02:55:52 marka Exp $ */
 
 #include <config.h>
 
@@ -29,6 +29,7 @@
 #include <dns/db.h>
 #include <dns/events.h>
 #include <dns/message.h>
+#include <dns/order.h>
 #include <dns/rdata.h>
 #include <dns/rdataclass.h>
 #include <dns/rdatalist.h>
@@ -62,12 +63,14 @@
 				  NS_QUERYATTR_CACHEGLUEOK) != 0)
 #define WANTRECURSION(c)	(((c)->query.attributes & \
 				  NS_QUERYATTR_WANTRECURSION) != 0)
-#define WANTDNSSEC(c)		(((c)->query.attributes & \
-				  NS_QUERYATTR_WANTDNSSEC) != 0)
+#define WANTDNSSEC(c)		(((c)->attributes & \
+				  NS_CLIENTATTR_WANTDNSSEC) != 0)
 #define NOAUTHORITY(c)		(((c)->query.attributes & \
 				  NS_QUERYATTR_NOAUTHORITY) != 0)
 #define NOADDITIONAL(c)		(((c)->query.attributes & \
 				  NS_QUERYATTR_NOADDITIONAL) != 0)
+#define SECURE(c)		(((c)->query.attributes & \
+				  NS_QUERYATTR_SECURE) != 0)
 
 #if 0
 #define CTRACE(m)       isc_log_write(ns_g_lctx, \
@@ -87,65 +90,18 @@
 
 #define DNS_GETDB_NOEXACT 0x01U
 #define DNS_GETDB_NOLOG 0x02U
-
-static unsigned char ip6int_ndata[] = "\003ip6\003int";
-static unsigned char ip6int_offsets[] = { 0, 4, 8 };
-
-static dns_name_t ip6int_name = {
-	DNS_NAME_MAGIC,
-	ip6int_ndata, 9, 3,
-	DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
-	ip6int_offsets, NULL,
-	{(void *)-1, (void *)-1},
-	{NULL, NULL}
-};
-
-static isc_result_t
-query_simplefind(void *arg, dns_name_t *name, dns_rdatatype_t type,
-		 isc_stdtime_t now,
-		 dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset);
-
-static inline void
-query_adda6rrset(void *arg, dns_name_t *name, dns_rdataset_t *rdataset,
-		      dns_rdataset_t *sigrdataset);
+#define DNS_GETDB_PARTIAL 0x04U
 
 static void
 query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype);
 
-static void
-synth_fwd_start(ns_client_t *client);
-
-static void
-synth_fwd_startfind(ns_client_t *client);
-
-static void
-synth_fwd_respond(ns_client_t *client, dns_adbfind_t *find);
-
-static void
-synth_fwd_finddone(isc_task_t *task, isc_event_t *ev);
-
-static void
-synth_finish(ns_client_t *client, isc_result_t result);
-
-static void
-synth_rev_start(ns_client_t *client);
-
-static void
-synth_rev_byaddrdone_arpa(isc_task_t *task, isc_event_t *event);
-
-static void
-synth_rev_byaddrdone_int(isc_task_t *task, isc_event_t *event);
-
-static void
-synth_rev_respond(ns_client_t *client, dns_byaddrevent_t *bevent);
-
 /*
  * Increment query statistics counters.
  */
 static inline void
 inc_stats(ns_client_t *client, dns_statscounter_t counter) {
 	dns_zone_t *zone = client->query.authzone;
-	
+
 	REQUIRE(counter < DNS_STATS_NCOUNTERS);
 
 	ns_g_server->querystats[counter]++;
@@ -205,10 +161,43 @@ query_maybeputqname(ns_client_t *client) {
 }
 
 static inline void
+query_freefreeversions(ns_client_t *client, isc_boolean_t everything) {
+	ns_dbversion_t *dbversion, *dbversion_next;
+	unsigned int i;
+
+	for (dbversion = ISC_LIST_HEAD(client->query.freeversions), i = 0;
+	     dbversion != NULL;
+	     dbversion = dbversion_next, i++)
+	{
+		dbversion_next = ISC_LIST_NEXT(dbversion, link);
+		/*
+		 * If we're not freeing everything, we keep the first three
+		 * dbversions structures around.
+		 */
+		if (i > 3 || everything) {
+			ISC_LIST_UNLINK(client->query.freeversions, dbversion,
+					link);
+			isc_mem_put(client->mctx, dbversion,
+				    sizeof(*dbversion));
+		}
+	}
+}
+
+void
+ns_query_cancel(ns_client_t *client) {
+	LOCK(&client->query.fetchlock);
+	if (client->query.fetch != NULL) {
+		dns_resolver_cancelfetch(client->query.fetch);
+
+		client->query.fetch = NULL;
+	}
+	UNLOCK(&client->query.fetchlock);
+}
+
+static inline void
 query_reset(ns_client_t *client, isc_boolean_t everything) {
 	isc_buffer_t *dbuf, *dbuf_next;
 	ns_dbversion_t *dbversion, *dbversion_next;
-	unsigned int i;
 
 	/*
 	 * Reset the query state of a client to its default state.
@@ -217,11 +206,7 @@ query_reset(ns_client_t *client, isc_boolean_t everything) {
 	/*
 	 * Cancel the fetch if it's running.
 	 */
-	if (client->query.fetch != NULL) {
-		dns_resolver_cancelfetch(client->query.fetch);
-
-		client->query.fetch = NULL;
-	}
+	ns_query_cancel(client);
 
 	/*
 	 * Cleanup any active versions.
@@ -243,24 +228,7 @@ query_reset(ns_client_t *client, isc_boolean_t everything) {
 	if (client->query.authzone != NULL)
 		dns_zone_detach(&client->query.authzone);
 
-	/*
-	 * Clean up free versions.
-	 */
-	for (dbversion = ISC_LIST_HEAD(client->query.freeversions), i = 0;
-	     dbversion != NULL;
-	     dbversion = dbversion_next, i++) {
-		dbversion_next = ISC_LIST_NEXT(dbversion, link);
-		/*
-		 * If we're not freeing everything, we keep the first three
-		 * dbversions structures around.
-		 */
-		if (i > 3 || everything) {
-			ISC_LIST_UNLINK(client->query.freeversions, dbversion,
-					link);
-			isc_mem_put(client->mctx, dbversion,
-				    sizeof *dbversion);
-		}
-	}
+	query_freefreeversions(client, everything);
 
 	for (dbuf = ISC_LIST_HEAD(client->query.namebufs);
 	     dbuf != NULL;
@@ -275,7 +243,8 @@ query_reset(ns_client_t *client, isc_boolean_t everything) {
 	query_maybeputqname(client);
 
 	client->query.attributes = (NS_QUERYATTR_RECURSIONOK |
-				    NS_QUERYATTR_CACHEOK);
+				    NS_QUERYATTR_CACHEOK |
+				    NS_QUERYATTR_SECURE);
 	client->query.restarts = 0;
 	client->query.timerset = ISC_FALSE;
 	client->query.origqname = NULL;
@@ -461,7 +430,7 @@ query_newdbversion(ns_client_t *client, unsigned int n) {
 	ns_dbversion_t *dbversion;
 
 	for (i = 0; i < n; i++) {
-		dbversion = isc_mem_get(client->mctx, sizeof *dbversion);
+		dbversion = isc_mem_get(client->mctx, sizeof(*dbversion));
 		if (dbversion != NULL) {
 			dbversion->db = NULL;
 			dbversion->version = NULL;
@@ -509,6 +478,9 @@ ns_query_init(ns_client_t *client) {
 	client->query.restarts = 0;
 	client->query.timerset = ISC_FALSE;
 	client->query.qname = NULL;
+	result = isc_mutex_init(&client->query.fetchlock);
+	if (result != ISC_R_SUCCESS)
+		return (result);
 	client->query.fetch = NULL;
 	client->query.authdb = NULL;
 	client->query.authzone = NULL;
@@ -516,11 +488,15 @@ ns_query_init(ns_client_t *client) {
 	client->query.isreferral = ISC_FALSE;	
 	query_reset(client, ISC_FALSE);
 	result = query_newdbversion(client, 3);
-	if (result != ISC_R_SUCCESS)
+	if (result != ISC_R_SUCCESS) {
+		DESTROYLOCK(&client->query.fetchlock);
 		return (result);
-	dns_a6_init(&client->query.a6ctx, query_simplefind, query_adda6rrset,
-		    NULL, NULL, client);
-	return (query_newnamebuf(client));
+	}
+	result = query_newnamebuf(client);
+	if (result != ISC_R_SUCCESS)
+		query_freefreeversions(client, ISC_TRUE);
+
+	return (result);
 }
 
 static inline ns_dbversion_t *
@@ -562,8 +538,9 @@ query_findversion(ns_client_t *client, dns_db_t *db,
 }
 
 static inline isc_result_t
-query_getzonedb(ns_client_t *client, dns_name_t *name, unsigned int options,
-		dns_zone_t **zonep, dns_db_t **dbp, dns_dbversion_t **versionp)
+query_getzonedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
+		unsigned int options, dns_zone_t **zonep, dns_db_t **dbp,
+		dns_dbversion_t **versionp)
 {
 	isc_result_t result;
 	isc_boolean_t check_acl, new_zone;
@@ -572,6 +549,7 @@ query_getzonedb(ns_client_t *client, dns_name_t *name, unsigned int options,
 	unsigned int ztoptions;
 	dns_zone_t *zone = NULL;
 	dns_db_t *db = NULL;
+	isc_boolean_t partial = ISC_FALSE;
 
 	REQUIRE(zonep != NULL && *zonep == NULL);
 	REQUIRE(dbp != NULL && *dbp == NULL);
@@ -584,6 +562,8 @@ query_getzonedb(ns_client_t *client, dns_name_t *name, unsigned int options,
 
 	result = dns_zt_find(client->view->zonetable, name, ztoptions, NULL,
 			     &zone);
+	if (result == DNS_R_PARTIALMATCH)
+		partial = ISC_TRUE;
 	if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH)
 		result = dns_zone_getdb(zone, &db);
 
@@ -656,13 +636,12 @@ query_getzonedb(ns_client_t *client, dns_name_t *name, unsigned int options,
 
 		result = ns_client_checkaclsilent(client, queryacl, ISC_TRUE);
 		if (log) {
-			char msg[DNS_NAME_FORMATSIZE + DNS_RDATACLASS_FORMATSIZE
-				+ sizeof "query '/'"];
+			char msg[NS_CLIENT_ACLMSGSIZE("query")];
 			if (result == ISC_R_SUCCESS) {
 				if (isc_log_wouldlog(ns_g_lctx,
 						     ISC_LOG_DEBUG(3)))
 				{
-					ns_client_aclmsg("query", name,
+					ns_client_aclmsg("query", name, qtype,
 							 client->view->rdclass,
 							 msg, sizeof(msg));
 					ns_client_log(client,
@@ -671,8 +650,8 @@ query_getzonedb(ns_client_t *client, dns_name_t *name, unsigned int options,
 						      ISC_LOG_DEBUG(3),
 						      "%s approved", msg);
 				}
-			} else {
-				ns_client_aclmsg("query", name,
+		    	} else {
+				ns_client_aclmsg("query", name, qtype,
 						 client->view->rdclass,
 						 msg, sizeof(msg));
 				ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
@@ -715,6 +694,8 @@ query_getzonedb(ns_client_t *client, dns_name_t *name, unsigned int options,
 	*dbp = db;
 	*versionp = dbversion->version;
 
+	if (partial && (options & DNS_GETDB_PARTIAL) != 0)
+		return (DNS_R_PARTIALMATCH);
 	return (ISC_R_SUCCESS);
 
  refuse:
@@ -729,7 +710,8 @@ query_getzonedb(ns_client_t *client, dns_name_t *name, unsigned int options,
 }
 
 static inline isc_result_t
-query_getcachedb(ns_client_t *client, dns_db_t **dbp, unsigned int options)
+query_getcachedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
+		 dns_db_t **dbp, unsigned int options)
 {
 	isc_result_t result;
 	isc_boolean_t check_acl;
@@ -768,12 +750,11 @@ query_getcachedb(ns_client_t *client, dns_db_t **dbp, unsigned int options)
 
 	if (check_acl) {
 		isc_boolean_t log = ISC_TF((options & DNS_GETDB_NOLOG) == 0);
+		char msg[NS_CLIENT_ACLMSGSIZE("query (cache)")];
 		
-		result = ns_client_checkacl(client, "query (cache)",
-					    client->view->queryacl,
-					    ISC_TRUE,
-					    log ? ISC_LOG_INFO :
-						  ISC_LOG_DEBUG(3));
+		result = ns_client_checkaclsilent(client,
+						  client->view->queryacl,
+						  ISC_TRUE);
 		if (result == ISC_R_SUCCESS) {
 			/*
 			 * We were allowed by the default
@@ -782,6 +763,25 @@ query_getcachedb(ns_client_t *client, dns_db_t **dbp, unsigned int options)
 			 */
 			client->query.attributes |=
 				NS_QUERYATTR_QUERYOK;
+			if (log && isc_log_wouldlog(ns_g_lctx,
+						     ISC_LOG_DEBUG(3)))
+			{
+				ns_client_aclmsg("query (cache)", name, qtype,
+						 client->view->rdclass,
+						 msg, sizeof(msg));
+				ns_client_log(client,
+					      DNS_LOGCATEGORY_SECURITY,
+					      NS_LOGMODULE_QUERY,
+					      ISC_LOG_DEBUG(3),
+					      "%s approved", msg);
+			}
+		} else if (log) {
+			ns_client_aclmsg("query (cache)", name, qtype,
+					 client->view->rdclass, msg,
+					 sizeof(msg));
+			ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+				      NS_LOGMODULE_QUERY, ISC_LOG_INFO,
+				      "%s denied", msg);
 		}
 		/*
 		 * We've now evaluated the view's query ACL, and
@@ -811,155 +811,23 @@ query_getcachedb(ns_client_t *client, dns_db_t **dbp, unsigned int options)
 
 
 static inline isc_result_t
-query_getdb(ns_client_t *client, dns_name_t *name, unsigned int options,
-	    dns_zone_t **zonep, dns_db_t **dbp, dns_dbversion_t **versionp,
-	    isc_boolean_t *is_zonep)
+query_getdb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
+	    unsigned int options, dns_zone_t **zonep, dns_db_t **dbp,
+	    dns_dbversion_t **versionp, isc_boolean_t *is_zonep)
 {
 	isc_result_t result;
 
-	result = query_getzonedb(client, name, options, zonep, dbp, versionp);
+	result = query_getzonedb(client, name, qtype, options,
+				 zonep, dbp, versionp);
 	if (result == ISC_R_SUCCESS) {
 		*is_zonep = ISC_TRUE;
 	} else if (result == ISC_R_NOTFOUND) {
-		result = query_getcachedb(client, dbp, options);
+		result = query_getcachedb(client, name, qtype, dbp, options);
 		*is_zonep = ISC_FALSE;
 	}
 	return (result);
 }
 
-static isc_result_t
-query_simplefind(void *arg, dns_name_t *name, dns_rdatatype_t type,
-		 isc_stdtime_t now,
-		 dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
-{
-	ns_client_t *client = arg;
-	isc_result_t result;
-	dns_fixedname_t foundname;
-	dns_db_t *db;
-	dns_dbversion_t *version;
-	unsigned int dboptions;
-	isc_boolean_t is_zone;
-	dns_rdataset_t zrdataset, zsigrdataset;
-	dns_zone_t *zone;
-
-	REQUIRE(NS_CLIENT_VALID(client));
-	REQUIRE(rdataset != NULL);
-
-	dns_rdataset_init(&zrdataset);
-	if (sigrdataset != NULL)
-		dns_rdataset_init(&zsigrdataset);
-
-	/*
-	 * Find a database to answer the query.
-	 */
-	zone = NULL;
-	db = NULL;
-	version = NULL;
-	result = query_getdb(client, name, 0, &zone, &db, &version, &is_zone);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
- db_find:
-	/*
-	 * Now look for an answer in the database.
-	 */
-	dns_fixedname_init(&foundname);
-	dboptions = client->query.dboptions;
-	if (db == client->query.gluedb || (!is_zone && CACHEGLUEOK(client)))
-		dboptions |= DNS_DBFIND_GLUEOK;
-	result = dns_db_find(db, name, version, type, dboptions,
-			     now, NULL, dns_fixedname_name(&foundname),
-			     rdataset, sigrdataset);
-	if (result == DNS_R_DELEGATION ||
-	    result == ISC_R_NOTFOUND) {
-		if (dns_rdataset_isassociated(rdataset))
-			dns_rdataset_disassociate(rdataset);
-		if (sigrdataset != NULL &&
-		    dns_rdataset_isassociated(sigrdataset))
-			dns_rdataset_disassociate(sigrdataset);
-		if (is_zone) {
-			if (USECACHE(client)) {
-				/*
-				 * Either the answer is in the cache, or we
-				 * don't know it.
-				 */
-				is_zone = ISC_FALSE;
-				version = NULL;
-				dns_db_detach(&db);
-				dns_db_attach(client->view->cachedb, &db);
-				goto db_find;
-			}
-		} else {
-			/*
-			 * We don't have the data in the cache.  If we've got
-			 * glue from the zone, use it.
-			 */
-			if (dns_rdataset_isassociated(&zrdataset)) {
-				dns_rdataset_clone(&zrdataset, rdataset);
-				if (sigrdataset != NULL &&
-				    dns_rdataset_isassociated(&zsigrdataset))
-					dns_rdataset_clone(&zsigrdataset,
-							   sigrdataset);
-				result = ISC_R_SUCCESS;
-				goto cleanup;
-			}
-		}
-		/*
-		 * We don't know the answer.
-		 */
-		result = ISC_R_NOTFOUND;
-	} else if (result == DNS_R_GLUE) {
-		if (USECACHE(client) && RECURSIONOK(client)) {
-			/*
-			 * We found an answer, but the cache may be better.
-			 * Remember what we've got and go look in the cache.
-			 */
-			is_zone = ISC_FALSE;
-			version = NULL;
-			dns_rdataset_clone(rdataset, &zrdataset);
-			dns_rdataset_disassociate(rdataset);
-			if (sigrdataset != NULL &&
-			    dns_rdataset_isassociated(sigrdataset))
-			{
-				dns_rdataset_clone(sigrdataset, &zsigrdataset);
-				dns_rdataset_disassociate(sigrdataset);
-			}
-			dns_db_detach(&db);
-			dns_db_attach(client->view->cachedb, &db);
-			goto db_find;
-		}
-		/*
-		 * Otherwise, the glue is the best answer.
-		 */
-		result = ISC_R_SUCCESS;
-	} else if (result != ISC_R_SUCCESS) {
-		if (dns_rdataset_isassociated(rdataset))
-			dns_rdataset_disassociate(rdataset);
-		if (sigrdataset != NULL &&
-		    dns_rdataset_isassociated(sigrdataset))
-			dns_rdataset_disassociate(sigrdataset);
-		result = ISC_R_NOTFOUND;
-	}
-	/*
-	 * If we get here, the result is ISC_R_SUCCESS, and we found the
-	 * answer we were looking for in the zone.
-	 */
-
- cleanup:
-	if (dns_rdataset_isassociated(&zrdataset)) {
-		dns_rdataset_disassociate(&zrdataset);
-		if (sigrdataset != NULL &&
-		    dns_rdataset_isassociated(&zsigrdataset))
-			dns_rdataset_disassociate(&zsigrdataset);
-	}
-	if (db != NULL)
-		dns_db_detach(&db);
-	if (zone != NULL)
-		dns_zone_detach(&zone);
-
-	return (result);
-}
-
 static inline isc_boolean_t
 query_isduplicate(ns_client_t *client, dns_name_t *name,
 		  dns_rdatatype_t type, dns_name_t **mnamep)
@@ -1012,7 +880,7 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
 	dns_dbnode_t *node;
 	dns_db_t *db;
 	dns_name_t *fname, *mname;
-	dns_rdataset_t *rdataset, *sigrdataset, *a6rdataset, *trdataset;
+	dns_rdataset_t *rdataset, *sigrdataset, *trdataset;
 	isc_buffer_t *dbuf;
 	isc_buffer_t b;
 	dns_dbversion_t *version;
@@ -1035,7 +903,6 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
 	fname = NULL;
 	rdataset = NULL;
 	sigrdataset = NULL;
-	a6rdataset = NULL;
 	trdataset = NULL;
 	db = NULL;
 	version = NULL;
@@ -1075,7 +942,7 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
 	 * Look for a zone database that might contain authoritative
 	 * additional data.
 	 */
-	result = query_getzonedb(client, name, DNS_GETDB_NOLOG,
+	result = query_getzonedb(client, name, qtype, DNS_GETDB_NOLOG,
 				 &zone, &db, &version);
 	if (result != ISC_R_SUCCESS)
 		goto try_cache;
@@ -1108,7 +975,7 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
 	 */
 
  try_cache:
-	result = query_getcachedb(client, &db, DNS_GETDB_NOLOG);
+	result = query_getcachedb(client, name, qtype, &db, DNS_GETDB_NOLOG);
 	if (result != ISC_R_SUCCESS)
 		/*
 		 * Most likely the client isn't allowed to query the cache.
@@ -1202,7 +1069,7 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
 
 	if (qtype == dns_rdatatype_a) {
 		/*
-		 * We now go looking for A, A6, and AAAA records, along with
+		 * We now go looking for A and AAAA records, along with
 		 * their signatures.
 		 *
 		 * XXXRTH  This code could be more efficient.
@@ -1269,49 +1136,6 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
 			}
 		}
 		result = dns_db_findrdataset(db, node, version,
-					     dns_rdatatype_a6, 0,
-					     client->now, rdataset,
-					     sigrdataset);
-		if (result == DNS_R_NCACHENXDOMAIN)
-			goto addname;
-		if (result == DNS_R_NCACHENXRRSET) {
-			dns_rdataset_disassociate(rdataset);
-			INSIST(sigrdataset == NULL ||
-			       ! dns_rdataset_isassociated(sigrdataset));
-		}
-		if (result == ISC_R_SUCCESS) {
-			mname = NULL;
-			if (!query_isduplicate(client, fname,
-					       dns_rdatatype_a6, &mname)) {
-				if (mname != NULL) {
-					query_releasename(client, &fname);
-					fname = mname;
-				} else
-					need_addname = ISC_TRUE;
-				a6rdataset = rdataset;
-				ISC_LIST_APPEND(fname->list, rdataset, link);
-				added_something = ISC_TRUE;
-				if (sigrdataset != NULL &&
-				    dns_rdataset_isassociated(sigrdataset))
-				{
-					ISC_LIST_APPEND(fname->list,
-							sigrdataset, link);
-					sigrdataset =
-						query_newrdataset(client);
-				}
-				rdataset = query_newrdataset(client);
-				if (rdataset == NULL)
-					goto addname;
-				if (WANTDNSSEC(client) && sigrdataset == NULL)
-					goto addname;
-			} else {
-				dns_rdataset_disassociate(rdataset);
-				if (sigrdataset != NULL &&
-				    dns_rdataset_isassociated(sigrdataset))
-					dns_rdataset_disassociate(sigrdataset);
-			}
-		}
-		result = dns_db_findrdataset(db, node, version,
 					     dns_rdatatype_aaaa, 0,
 					     client->now, rdataset,
 					     sigrdataset);
@@ -1378,16 +1202,13 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
 		/*
 		 * RFC 2535 section 3.5 says that when A or AAAA records are
 		 * retrieved as additional data, any KEY RRs for the owner name
-		 * should be added to the additional data section.  Note: we
-		 * do NOT include A6 in the list of types with such treatment
-		 * in additional data because we'd have to do it for each A6
-		 * in the A6 chain.
+		 * should be added to the additional data section.
 		 *
 		 * XXXRTH  We should lower the priority here.  Alternatively,
 		 * we could raise the priority of glue records.
 		 */
-		eresult = query_addadditional(client, name, dns_rdatatype_key);
-	} else if (type == dns_rdatatype_srv && trdataset != NULL) {
+		eresult = query_addadditional(client, name, dns_rdatatype_dnskey);
+ 	} else if (type == dns_rdatatype_srv && trdataset != NULL) {
 		/*
 		 * If we're adding SRV records to the additional data
 		 * section, it's helpful if we add the SRV additional data
@@ -1398,16 +1219,6 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
 						      client);
 	}
 
-	/*
-	 * If we added an A6 rdataset, we should also add everything we
-	 * know about the A6 chains.  We wait until now to do this so that
-	 * they'll come after any additional data added above.
-	 */
-	if (a6rdataset != NULL) {
-		dns_a6_reset(&client->query.a6ctx);
-		dns_a6_foreach(&client->query.a6ctx, a6rdataset, client->now);
-	}
-
  cleanup:
 	CTRACE("query_addadditional: cleanup");
 	query_putrdataset(client, &rdataset);
@@ -1426,86 +1237,6 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
 	return (eresult);
 }
 
-static void
-query_adda6rrset(void *arg, dns_name_t *name, dns_rdataset_t *rdataset,
-		      dns_rdataset_t *sigrdataset)
-{
-	ns_client_t *client = arg;
-	dns_rdataset_t *crdataset, *csigrdataset;
-	isc_buffer_t b, *dbuf;
-	dns_name_t *fname, *mname;
-
-	/*
-	 * Add an rrset to the additional data section.
-	 */
-
-	REQUIRE(NS_CLIENT_VALID(client));
-	REQUIRE(rdataset->type == dns_rdatatype_a6);
-
-	/*
-	 * Get some resources...
-	 */
-	fname = NULL;
-	crdataset = NULL;
-	csigrdataset = NULL;
-	dbuf = query_getnamebuf(client);
-	if (dbuf == NULL)
-		goto cleanup;
-	fname = query_newname(client, dbuf, &b);
-	crdataset = query_newrdataset(client);
-	if (fname == NULL || crdataset == NULL)
-		goto cleanup;
-	if (sigrdataset != NULL) {
-		csigrdataset = query_newrdataset(client);
-		if (csigrdataset == NULL)
-			goto cleanup;
-	}
-
-	if (dns_name_copy(name, fname, NULL) != ISC_R_SUCCESS)
-		goto cleanup;
-	dns_rdataset_clone(rdataset, crdataset);
-	if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset))
-		dns_rdataset_clone(sigrdataset, csigrdataset);
-
-	mname = NULL;
-	if (query_isduplicate(client, fname, crdataset->type, &mname))
-		goto cleanup;
-	if (mname != NULL) {
-		query_releasename(client, &fname);
-		fname = mname;
-	} else {
-		query_keepname(client, fname, dbuf);
-		dns_message_addname(client->message, fname,
-				    DNS_SECTION_ADDITIONAL);
-	}
-
-	ISC_LIST_APPEND(fname->list, crdataset, link);
-	crdataset = NULL;
-	/*
-	 * Note: we only add SIGs if we've added the type they cover, so
-	 * we do not need to check if the SIG rdataset is already in the
-	 * response.
-	 */
-	if (sigrdataset != NULL && dns_rdataset_isassociated(csigrdataset)) {
-		ISC_LIST_APPEND(fname->list, csigrdataset, link);
-		csigrdataset = NULL;
-	}
-
-	fname = NULL;
-
-	/*
-	 * In spite of RFC 2535 section 3.5, we don't currently try to add
-	 * KEY RRs for the A6 records.  It's just too much work.
-	 */
-
- cleanup:
-	query_putrdataset(client, &crdataset);
-	if (sigrdataset != NULL)
-		query_putrdataset(client, &csigrdataset);
-	if (fname != NULL)
-		query_releasename(client, &fname);
-}
-
 static inline void
 query_addrdataset(ns_client_t *client, dns_name_t *fname,
 		  dns_rdataset_t *rdataset)
@@ -1521,22 +1252,20 @@ query_addrdataset(ns_client_t *client, dns_name_t *fname,
 
 	ISC_LIST_APPEND(fname->list, rdataset, link);
 
+	if (client->view->order != NULL)
+		rdataset->attributes |= dns_order_find(client->view->order,
+						       fname, rdataset->type,
+						       rdataset->rdclass);
 	if (NOADDITIONAL(client))
 		return;
 
 	/*
 	 * Add additional data.
 	 *
-	 * We don't care if dns_a6_foreach or dns_rdataset_additionaldata()
-	 * fail.
+	 * We don't care if dns_rdataset_additionaldata() fails.
 	 */
-	if (type == dns_rdatatype_a6) {
-		dns_a6_reset(&client->query.a6ctx);
-		(void)dns_a6_foreach(&client->query.a6ctx, rdataset,
-				     client->now);
-	} else
-		(void)dns_rdataset_additionaldata(rdataset,
-						  query_addadditional, client);
+	(void)dns_rdataset_additionaldata(rdataset,
+					  query_addadditional, client);
 	/*
 	 * RFC 2535 section 3.5 says that when NS, SOA, A, or AAAA records
 	 * are retrieved, any KEY RRs for the owner name should be added
@@ -1551,7 +1280,7 @@ query_addrdataset(ns_client_t *client, dns_name_t *fname,
 		 * XXXRTH  We should lower the priority here.  Alternatively,
 		 * we could raise the priority of glue records.
 		 */
-		(void)query_addadditional(client, fname, dns_rdatatype_key);
+		(void)query_addadditional(client, fname, dns_rdatatype_dnskey);
 	}
 	CTRACE("query_addrdataset: done");
 }
@@ -1611,6 +1340,10 @@ query_addrrset(ns_client_t *client, dns_name_t **namep,
 			query_releasename(client, namep);
 	}
 
+	if (rdataset->trust != dns_trust_secure &&
+	    (section == DNS_SECTION_ANSWER ||
+	     section == DNS_SECTION_AUTHORITY))
+		client->query.attributes &= ~NS_QUERYATTR_SECURE;
 	/*
 	 * Note: we only add SIGs if we've added the type they cover, so
 	 * we do not need to check if the SIG rdataset is already in the
@@ -1690,7 +1423,9 @@ query_addsoa(ns_client_t *client, dns_db_t *db, isc_boolean_t zero_ttl) {
 		result = dns_rdataset_first(rdataset);
 		RUNTIME_CHECK(result == ISC_R_SUCCESS);
 		dns_rdataset_current(rdataset, &rdata);
-		dns_rdata_tostruct(&rdata, &soa, NULL);
+		result = dns_rdata_tostruct(&rdata, &soa, NULL);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup;
 
 		if (zero_ttl) {
 			rdataset->ttl = 0;
@@ -1812,7 +1547,7 @@ query_addns(ns_client_t *client, dns_db_t *db) {
 
 static inline isc_result_t
 query_addcnamelike(ns_client_t *client, dns_name_t *qname, dns_name_t *tname,
-		   dns_ttl_t ttl, dns_name_t **anamep, dns_rdatatype_t type)
+		   dns_trust_t trust, dns_name_t **anamep, dns_rdatatype_t type)
 {
 	dns_rdataset_t *rdataset;
 	dns_rdatalist_t *rdatalist;
@@ -1848,7 +1583,7 @@ query_addcnamelike(ns_client_t *client, dns_name_t *qname, dns_name_t *tname,
 	rdatalist->type = type;
 	rdatalist->covers = 0;
 	rdatalist->rdclass = client->message->rdclass;
-	rdatalist->ttl = ttl;
+	rdatalist->ttl = 0;
 
 	dns_name_toregion(tname, &r);
 	rdata->data = r.base;
@@ -1858,7 +1593,9 @@ query_addcnamelike(ns_client_t *client, dns_name_t *qname, dns_name_t *tname,
 
 	ISC_LIST_INIT(rdatalist->rdata);
 	ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
-	dns_rdatalist_tordataset(rdatalist, rdataset);
+	RUNTIME_CHECK(dns_rdatalist_tordataset(rdatalist, rdataset)
+		      == ISC_R_SUCCESS);
+	rdataset->trust = trust;
 
 	query_addrrset(client, anamep, &rdataset, NULL, NULL,
 		       DNS_SECTION_ANSWER);
@@ -1903,8 +1640,8 @@ query_addbestns(ns_client_t *client) {
 	/*
 	 * Find the right database.
 	 */
-	result = query_getdb(client, client->query.qname, 0, &zone, &db,
-			     &version, &is_zone);
+	result = query_getdb(client, client->query.qname, dns_rdatatype_ns, 0,
+			     &zone, &db, &version, &is_zone);
 	if (result != ISC_R_SUCCESS)
 		goto cleanup;
 
@@ -2000,6 +1737,11 @@ query_addbestns(ns_client_t *client) {
 	     (sigrdataset != NULL && sigrdataset->trust == dns_trust_pending)))
 		goto cleanup;
 
+	if (WANTDNSSEC(client) && SECURE(client) &&
+	    (rdataset->trust == dns_trust_glue ||
+	     (sigrdataset != NULL && sigrdataset->trust == dns_trust_glue)))
+		goto cleanup;
+
 	query_addrrset(client, &fname, &rdataset, &sigrdataset, dbuf,
 		       DNS_SECTION_AUTHORITY);
 
@@ -2027,6 +1769,241 @@ query_addbestns(ns_client_t *client) {
 }
 
 static void
+query_addds(ns_client_t *client, dns_db_t *db, dns_dbnode_t *node) {
+	dns_name_t *rname;
+	dns_rdataset_t *rdataset, *sigrdataset;
+	isc_result_t result;
+
+	CTRACE("query_addds");
+	rname = NULL;
+	rdataset = NULL;
+	sigrdataset = NULL;
+
+	/*
+	 * We'll need some resources...
+	 */
+	rdataset = query_newrdataset(client);
+	sigrdataset = query_newrdataset(client);
+	if (rdataset == NULL || sigrdataset == NULL)
+		return;
+
+	/*
+	 * Look for the DS record, which may or may not be present.
+	 */
+	result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_ds, 0,
+				     client->now, rdataset, sigrdataset);
+	/*
+	 * If we didn't find it, look for an NSEC. */
+	if (result == ISC_R_NOTFOUND)
+		result = dns_db_findrdataset(db, node, NULL,
+					     dns_rdatatype_nsec, 0, client->now,
+					     rdataset, sigrdataset);
+	if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND)
+		goto cleanup;
+	if (!dns_rdataset_isassociated(rdataset) ||
+	    !dns_rdataset_isassociated(sigrdataset))
+		goto cleanup;
+
+	/*
+	 * We've already added the NS record, so if the name's not there,
+	 * we have other problems.  Use this name rather than calling
+	 * query_addrrset().
+	 */
+	result = dns_message_firstname(client->message, DNS_SECTION_AUTHORITY);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	rname = NULL;
+	dns_message_currentname(client->message, DNS_SECTION_AUTHORITY,
+				&rname);
+	result = dns_message_findtype(rname, dns_rdatatype_ns, 0, NULL);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	ISC_LIST_APPEND(rname->list, rdataset, link);
+	ISC_LIST_APPEND(rname->list, sigrdataset, link);
+	rdataset = NULL;
+	sigrdataset = NULL;
+
+ cleanup:
+	if (rdataset != NULL)
+		query_putrdataset(client, &rdataset);
+	if (sigrdataset != NULL)
+		query_putrdataset(client, &sigrdataset);
+}
+
+static void
+query_addwildcardproof(ns_client_t *client, dns_db_t *db,
+		       dns_name_t *name, isc_boolean_t ispositive)
+{
+	isc_buffer_t *dbuf, b;
+	dns_name_t *fname;
+	dns_rdataset_t *rdataset, *sigrdataset;
+	dns_fixedname_t tfixed;
+	dns_name_t *tname;
+	dns_dbnode_t *node;
+	unsigned int options;
+	unsigned int olabels, nlabels, i;
+	isc_boolean_t done;
+	isc_result_t result;
+
+	CTRACE("query_addwildcardproof");
+	fname = NULL;
+	rdataset = NULL;
+	sigrdataset = NULL;
+	node = NULL;
+
+	options = client->query.dboptions | DNS_DBFIND_NOWILD;
+
+	if (ispositive) {
+		/*
+		 * We'll need some resources...
+		 */
+		dbuf = query_getnamebuf(client);
+		if (dbuf == NULL)
+			goto cleanup;
+		fname = query_newname(client, dbuf, &b);
+		rdataset = query_newrdataset(client);
+		sigrdataset = query_newrdataset(client);
+		if (fname == NULL || rdataset == NULL || sigrdataset == NULL)
+			goto cleanup;
+
+		result = dns_db_find(db, name, NULL,
+				     dns_rdatatype_nsec, options, 0, &node,
+				     fname, rdataset, sigrdataset);
+		if (node != NULL)
+			dns_db_detachnode(db, &node);
+		if (result == DNS_R_NXDOMAIN)
+			query_addrrset(client, &fname, &rdataset, &sigrdataset,
+				       dbuf, DNS_SECTION_AUTHORITY);
+		if (rdataset != NULL)
+			query_putrdataset(client, &rdataset);
+		if (sigrdataset != NULL)
+			query_putrdataset(client, &sigrdataset);
+		if (fname != NULL)
+			query_releasename(client, &fname);
+	}
+
+	olabels = dns_name_countlabels(dns_db_origin(db));
+	nlabels = dns_name_countlabels(name);
+	done = ISC_FALSE;
+
+	for (i = nlabels - 1; i >= olabels && !done; i--) {
+		/*
+		 * We'll need some resources...
+		 */
+		dbuf = query_getnamebuf(client);
+		if (dbuf == NULL)
+			goto cleanup;
+		fname = query_newname(client, dbuf, &b);
+		rdataset = query_newrdataset(client);
+		sigrdataset = query_newrdataset(client);
+		if (fname == NULL || rdataset == NULL || sigrdataset == NULL)
+			goto cleanup;
+
+		dns_fixedname_init(&tfixed);
+		tname = dns_fixedname_name(&tfixed);
+		dns_name_split(name, i, NULL, tname);
+		result = dns_name_concatenate(dns_wildcardname, tname, tname,
+					      NULL);
+		if (result != ISC_R_SUCCESS)
+			continue;
+
+		result = dns_db_find(db, tname, NULL, dns_rdatatype_nsec,
+				     client->query.dboptions, 0, &node,
+				     fname, rdataset, sigrdataset);
+		if (node != NULL)
+			dns_db_detachnode(db, &node);
+		/*
+		 * If this returns success, we've found the wildcard for a
+		 * successful answer, so we're done.
+		 */
+		if (result == ISC_R_SUCCESS && ispositive)
+			break;
+		if (result == DNS_R_NXDOMAIN || result == DNS_R_EMPTYNAME) {
+			if (!ispositive &&
+			    dns_name_issubdomain(name, fname))
+				done = ISC_TRUE;
+			query_addrrset(client, &fname, &rdataset, &sigrdataset,
+				       dbuf, DNS_SECTION_AUTHORITY);
+		}
+		if (rdataset != NULL)
+			query_putrdataset(client, &rdataset);
+		if (sigrdataset != NULL)
+			query_putrdataset(client, &sigrdataset);
+		if (fname != NULL)
+			query_releasename(client, &fname);
+	}
+ cleanup:
+	if (rdataset != NULL)
+		query_putrdataset(client, &rdataset);
+	if (sigrdataset != NULL)
+		query_putrdataset(client, &sigrdataset);
+	if (fname != NULL)
+		query_releasename(client, &fname);
+}
+
+static void
+query_addnxrrsetnsec(ns_client_t *client, dns_db_t *db, dns_name_t **namep,
+		    dns_rdataset_t **rdatasetp, dns_rdataset_t **sigrdatasetp)
+{
+	dns_name_t *name;
+	dns_rdataset_t *sigrdataset;
+	dns_rdata_t sigrdata;
+	dns_rdata_rrsig_t sig;
+	unsigned int labels;
+	isc_buffer_t *dbuf, b;
+	dns_name_t *fname;
+	isc_result_t result;
+
+	name = *namep;
+	if ((name->attributes & DNS_NAMEATTR_WILDCARD) == 0) {
+		query_addrrset(client, namep, rdatasetp, sigrdatasetp,
+			       NULL, DNS_SECTION_AUTHORITY);
+		return;
+	}
+
+	if (sigrdatasetp == NULL)
+		return;
+	sigrdataset = *sigrdatasetp;
+	if (sigrdataset == NULL || !dns_rdataset_isassociated(sigrdataset))
+		return;
+	result = dns_rdataset_first(sigrdataset);
+	if (result != ISC_R_SUCCESS)
+		return;
+	dns_rdata_init(&sigrdata);
+	dns_rdataset_current(sigrdataset, &sigrdata);
+	result = dns_rdata_tostruct(&sigrdata, &sig, NULL);
+	if (result != ISC_R_SUCCESS)
+		return;
+
+	labels = dns_name_countlabels(name);
+	if ((unsigned int)sig.labels + 1 >= labels)
+		return;
+
+	/* XXX */
+	query_addwildcardproof(client, db,
+			       client->query.qname,
+			       ISC_TRUE);
+
+	/*
+	 * We'll need some resources...
+	 */
+	dbuf = query_getnamebuf(client);
+	if (dbuf == NULL)
+		return;
+	fname = query_newname(client, dbuf, &b);
+	if (fname == NULL)
+		return;
+	dns_name_split(name, sig.labels + 1, NULL, fname);
+	/* This will succeed, since we've stripped labels. */
+	RUNTIME_CHECK(dns_name_concatenate(dns_wildcardname, fname, fname,
+					   NULL) == ISC_R_SUCCESS);
+	query_addrrset(client, &fname, rdatasetp, sigrdatasetp,
+		       dbuf, DNS_SECTION_AUTHORITY);
+}
+
+static void
 query_resume(isc_task_t *task, isc_event_t *event) {
 	dns_fetchevent_t *devent = (dns_fetchevent_t *)event;
 	ns_client_t *client;
@@ -2044,7 +2021,8 @@ query_resume(isc_task_t *task, isc_event_t *event) {
 	REQUIRE(task == client->task);
 	REQUIRE(RECURSING(client));
 
-	if (devent->fetch != NULL) {
+	LOCK(&client->query.fetchlock);
+	if (client->query.fetch != NULL) {
 		/*
 		 * This is the fetch we've been waiting for.
 		 */
@@ -2062,6 +2040,7 @@ query_resume(isc_task_t *task, isc_event_t *event) {
 		 */
 		fetch_cancelled = ISC_TRUE;
 	}
+	UNLOCK(&client->query.fetchlock);
 	INSIST(client->query.fetch == NULL);
 
 	client->query.attributes &= ~NS_QUERYATTR_RECURSING;
@@ -2081,7 +2060,10 @@ query_resume(isc_task_t *task, isc_event_t *event) {
 		if (devent->sigrdataset != NULL)
 			query_putrdataset(client, &devent->sigrdataset);
 		isc_event_free(&event);
-		query_next(client, ISC_R_CANCELED);
+		if (fetch_cancelled)
+			query_error(client, DNS_R_SERVFAIL);
+		else
+			query_next(client, ISC_R_CANCELED);
 		/*
 		 * This may destroy the client.
 		 */
@@ -2111,25 +2093,33 @@ query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qdomain,
 	 * connection was accepted (if allowed by the TCP quota).
 	 */
 	if (client->recursionquota == NULL) {
+		isc_boolean_t killoldest = ISC_FALSE;
 		result = isc_quota_attach(&ns_g_server->recursionquota,
 					  &client->recursionquota);
+		if (result == ISC_R_SOFTQUOTA) {
+			ns_client_log(client, NS_LOGCATEGORY_CLIENT,
+				      NS_LOGMODULE_QUERY, ISC_LOG_WARNING,
+				      "recursive-clients limit exceeded, "
+				      "aborting oldest query");
+			killoldest = ISC_TRUE;
+			result = ISC_R_SUCCESS;
+		}
+		if (dns_resolver_nrunning(client->view->resolver) >
+		    (unsigned int)ns_g_server->recursionquota.max)
+			result = ISC_R_QUOTA;
 		if (result == ISC_R_SUCCESS && !client->mortal &&
 		    (client->attributes & NS_CLIENTATTR_TCP) == 0)
 			result = ns_client_replace(client);
 		if (result != ISC_R_SUCCESS) {
-			static isc_stdtime_t last = 0;
-			isc_stdtime_t now;
-			isc_stdtime_get(&now);
-			if (now != last) {
-				last = now;
-				ns_client_log(client, NS_LOGCATEGORY_CLIENT,
-					      NS_LOGMODULE_QUERY,
-					      ISC_LOG_WARNING,
-					      "no more recursive clients: %s",
-					      isc_result_totext(result));
-			}
+			ns_client_log(client, NS_LOGCATEGORY_CLIENT,
+				      NS_LOGMODULE_QUERY, ISC_LOG_WARNING,
+				      "no more recursive clients: %s",
+				      isc_result_totext(result));
+			if (client->recursionquota != NULL)
+				isc_quota_detach(&client->recursionquota);
 			return (result);
 		}
+		ns_client_recursing(client, killoldest);
 	}
 
 	/*
@@ -2176,98 +2166,6 @@ query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qdomain,
 	return (result);
 }
 
-static inline isc_result_t
-query_findparentkey(ns_client_t *client, dns_name_t *name,
-		    dns_zone_t **zonep, dns_db_t **dbp,
-		    dns_dbversion_t **versionp, dns_dbnode_t **nodep,
-		    dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
-{
-	dns_db_t *pdb;
-	dns_dbnode_t *pnode;
-	dns_dbversion_t *pversion;
-	dns_rdataset_t prdataset, psigrdataset;
-	dns_rdataset_t *psigrdatasetp;
-	isc_result_t result;
-	dns_zone_t *pzone;
-	isc_boolean_t is_zone;
-	dns_fixedname_t pfoundname;
-
-	/*
-	 * 'name' is at a zone cut.  Try to find a KEY for 'name' in
-	 * the deepest ancestor zone of 'name' (if any).  If it exists,
-	 * update *zonep, *dbp, *nodep, rdataset, and sigrdataset and
-	 * return ISC_R_SUCCESS.  If not, leave them alone and return a
-	 * non-success status.
-	 */
-
-	pzone = NULL;
-	pdb = NULL;
-	pnode = NULL;
-	pversion = NULL;
-	dns_rdataset_init(&prdataset);
-	if (sigrdataset != NULL)
-		dns_rdataset_init(&psigrdataset);
-	is_zone = ISC_FALSE;
-	dns_fixedname_init(&pfoundname);
-
-	result = query_getdb(client, name, DNS_GETDB_NOEXACT,
-			     &pzone, &pdb, &pversion, &is_zone);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-	if (!is_zone) {
-		result = ISC_R_FAILURE;
-		goto cleanup;
-	}
-
-	if (sigrdataset != NULL)
-		psigrdatasetp = &psigrdataset;
-	else
-		psigrdatasetp = NULL;
-	result = dns_db_find(pdb, name, pversion, dns_rdatatype_key,
-			     client->query.dboptions,
-			     client->now, &pnode,
-			     dns_fixedname_name(&pfoundname),
-			     &prdataset, psigrdatasetp);
-	if (result == ISC_R_SUCCESS) {
-		if (dns_rdataset_isassociated(rdataset))
-			dns_rdataset_disassociate(rdataset);
-		dns_rdataset_clone(&prdataset, rdataset);
-		if (sigrdataset != NULL) {
-			if (dns_rdataset_isassociated(sigrdataset))
-				dns_rdataset_disassociate(sigrdataset);
-			if (dns_rdataset_isassociated(&psigrdataset))
-				dns_rdataset_clone(&psigrdataset, sigrdataset);
-		}
-		if (*nodep != NULL)
-			dns_db_detachnode(*dbp, nodep);
-		*nodep = pnode;
-		pnode = NULL;
-		*versionp = pversion;
-		if (*dbp != NULL)
-			dns_db_detach(dbp);
-		*dbp = pdb;
-		pdb = NULL;
-		if (*zonep != NULL)
-			dns_zone_detach(zonep);
-		*zonep = pzone;
-		pzone = NULL;
-	}
-
- cleanup:
-	if (dns_rdataset_isassociated(&prdataset))
-		dns_rdataset_disassociate(&prdataset);
-	if (sigrdataset != NULL && dns_rdataset_isassociated(&psigrdataset))
-		dns_rdataset_disassociate(&psigrdataset);
-	if (pnode != NULL)
-		dns_db_detachnode(pdb, &pnode);
-	if (pdb != NULL)
-		dns_db_detach(&pdb);
-	if (pzone != NULL)
-		dns_zone_detach(&pzone);
-
-	return (result);
-}
-
 #define MAX_RESTARTS 16
 
 #define QUERY_ERROR(r) \
@@ -2285,7 +2183,7 @@ do { \
  *	ISC_R_NOTIMPLEMENTED	The rdata is not a known address type.
  */
 static isc_result_t
-rdata_tonetaddr(const dns_rdata_t *rdata, isc_netaddr_t *netaddr) {
+rdata_tonetaddr(dns_rdata_t *rdata, isc_netaddr_t *netaddr) {
 	struct in_addr ina;
 	struct in6_addr in6a;
 	
@@ -2311,7 +2209,7 @@ rdata_tonetaddr(const dns_rdata_t *rdata, isc_netaddr_t *netaddr) {
  * sortlist statement.
  */
 static int
-query_sortlist_order_2element(const dns_rdata_t *rdata, const void *arg) {
+query_sortlist_order_2element(dns_rdata_t *rdata, void *arg) {
 	isc_netaddr_t netaddr;
 
 	if (rdata_tonetaddr(rdata, &netaddr) != ISC_R_SUCCESS)
@@ -2324,7 +2222,7 @@ query_sortlist_order_2element(const dns_rdata_t *rdata, const void *arg) {
  * of a 1-element top-level sortlist statement.
  */
 static int
-query_sortlist_order_1element(const dns_rdata_t *rdata, const void *arg) {
+query_sortlist_order_1element(dns_rdata_t *rdata, void *arg) {
 	isc_netaddr_t netaddr;
 
 	if (rdata_tonetaddr(rdata, &netaddr) != ISC_R_SUCCESS)
@@ -2340,7 +2238,7 @@ static void
 setup_query_sortlist(ns_client_t *client) {
 	isc_netaddr_t netaddr;
 	dns_rdatasetorderfunc_t order = NULL;
-	const void *order_arg = NULL;
+	void *order_arg = NULL;
 	
 	isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
 	switch (ns_sortlist_setup(client->view->sortlist,
@@ -2361,32 +2259,41 @@ setup_query_sortlist(ns_client_t *client) {
 	dns_message_setsortorder(client->message, order, order_arg);
 }
 
-static inline void
-answer_in_glue(ns_client_t *client, dns_rdatatype_t qtype) {
-	dns_name_t *name;
-	dns_message_t *msg;
-	dns_section_t section = DNS_SECTION_ADDITIONAL;
-	dns_rdataset_t *rdataset = NULL;
-
-	msg = client->message;
-	for (name = ISC_LIST_HEAD(msg->sections[section]);
-	     name != NULL;
-	     name = ISC_LIST_NEXT(name, link))
-		if (dns_name_equal(name, client->query.qname)) {
-			for (rdataset = ISC_LIST_HEAD(name->list);
-			     rdataset != NULL;
-			     rdataset = ISC_LIST_NEXT(rdataset, link))
-				if (rdataset->type == qtype)
-					break;
-			break;
-		}
-	if (rdataset != NULL) {
-		ISC_LIST_UNLINK(msg->sections[section], name, link);
-		ISC_LIST_PREPEND(msg->sections[section], name, link);
-		ISC_LIST_UNLINK(name->list, rdataset, link);
-		ISC_LIST_PREPEND(name->list, rdataset, link);
-		rdataset->attributes |= DNS_RDATASETATTR_REQUIREDGLUE;
-	}
+static void
+query_addnoqnameproof(ns_client_t *client, dns_rdataset_t *rdataset) {
+	isc_buffer_t *dbuf, b;
+	dns_name_t *fname;
+	dns_rdataset_t *nsec, *nsecsig;
+	isc_result_t result = ISC_R_NOMEMORY;
+
+	CTRACE("query_addnoqnameproof");
+
+	fname = NULL;
+	nsec = NULL;
+	nsecsig = NULL;
+
+	dbuf = query_getnamebuf(client);
+	if (dbuf == NULL)
+		goto cleanup;
+	fname = query_newname(client, dbuf, &b);
+	nsec = query_newrdataset(client);
+	nsecsig = query_newrdataset(client);
+	if (fname == NULL || nsec == NULL || nsecsig == NULL)
+		goto cleanup;
+
+	result = dns_rdataset_getnoqname(rdataset, fname, nsec, nsecsig);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	query_addrrset(client, &fname, &nsec, &nsecsig, dbuf,
+		       DNS_SECTION_AUTHORITY);
+
+ cleanup:
+	if (nsec != NULL)
+                query_putrdataset(client, &nsec);
+        if (nsecsig != NULL)
+                query_putrdataset(client, &nsecsig);
+        if (fname != NULL)
+                query_releasename(client, &fname);
 }
 
 /*
@@ -2395,7 +2302,8 @@ answer_in_glue(ns_client_t *client, dns_rdatatype_t qtype) {
  * is ignored.  Otherwise, 'qtype' is the query type.
  */
 static void
-query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) {
+query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
+{
 	dns_db_t *db, *zdb;
 	dns_dbnode_t *node;
 	dns_rdatatype_t type;
@@ -2405,20 +2313,22 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 	dns_rdataset_t **sigrdatasetp;
 	dns_rdata_t rdata = DNS_RDATA_INIT;
 	dns_rdatasetiter_t *rdsiter;
-	isc_boolean_t want_restart, authoritative, is_zone;
-	unsigned int n, nlabels, nbits;
+	isc_boolean_t want_restart, authoritative, is_zone, need_wildcardproof;
+	unsigned int n, nlabels;
 	dns_namereln_t namereln;
 	int order;
 	isc_buffer_t *dbuf;
 	isc_buffer_t b;
 	isc_result_t result, eresult;
 	dns_fixedname_t fixed;
+	dns_fixedname_t wildcardname;
 	dns_dbversion_t *version;
 	dns_zone_t *zone;
 	dns_rdata_cname_t cname;
 	dns_rdata_dname_t dname;
 	unsigned int options;
 	isc_boolean_t empty_wild;
+	dns_rdataset_t *noqname;
 
 	CTRACE("query_find");
 
@@ -2441,6 +2351,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 	zdb = NULL;
 	version = NULL;
 	zone = NULL;
+	need_wildcardproof = ISC_FALSE;
 	empty_wild = ISC_FALSE;
 	options = 0;
 
@@ -2455,7 +2366,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 		is_zone = ISC_FALSE;
 
 		qtype = event->qtype;
-		if (qtype == dns_rdatatype_sig)
+		if (qtype == dns_rdatatype_rrsig)
 			type = dns_rdatatype_any;
 		else
 			type = qtype;
@@ -2496,7 +2407,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 	/*
 	 * If it's a SIG query, we'll iterate the node.
 	 */
-	if (qtype == dns_rdatatype_sig)
+	if (qtype == dns_rdatatype_rrsig)
 		type = dns_rdatatype_any;
 	else
 		type = qtype;
@@ -2506,18 +2417,74 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 	want_restart = ISC_FALSE;
 	authoritative = ISC_FALSE;
 	version = NULL;
+	need_wildcardproof = ISC_FALSE;
+
+	if (client->view->checknames &&
+	    !dns_rdata_checkowner(client->query.qname,
+				  client->message->rdclass,
+				  qtype, ISC_FALSE)) {
+		char namebuf[DNS_NAME_FORMATSIZE];
+		char typename[DNS_RDATATYPE_FORMATSIZE];
+		char classname[DNS_RDATACLASS_FORMATSIZE];
+
+		dns_name_format(client->query.qname, namebuf, sizeof(namebuf));
+		dns_rdatatype_format(qtype, typename, sizeof(typename));
+		dns_rdataclass_format(client->message->rdclass, classname,
+				      sizeof(classname));
+		ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+			      NS_LOGMODULE_QUERY, ISC_LOG_ERROR,
+			      "check-names failure %s/%s/%s", namebuf,
+			      typename, classname);
+		QUERY_ERROR(DNS_R_REFUSED);
+		goto cleanup;
+	}
 
 	/*
 	 * First we must find the right database.
 	 */
-	options &= DNS_GETDB_NOLOG; /* Preserve DNS_GETDB_NOLOG. */
-	result = query_getdb(client, client->query.qname, options, &zone, &db,
-			     &version, &is_zone);
+	options = 0;
+	if (dns_rdatatype_atparent(qtype) &&
+	    !dns_name_equal(client->query.qname, dns_rootname))
+		options |= DNS_GETDB_NOEXACT;
+	result = query_getdb(client, client->query.qname, qtype, options,
+			     &zone, &db, &version, &is_zone);
+	if ((result != ISC_R_SUCCESS || !is_zone) && !RECURSIONOK(client) &&
+	    (options & DNS_GETDB_NOEXACT) != 0 && qtype == dns_rdatatype_ds) {
+		/*
+		 * Look to see if we are authoritative for the
+		 * child zone if the query type is DS.
+		 */
+		dns_db_t *tdb = NULL;
+		dns_zone_t *tzone = NULL;
+		dns_dbversion_t *tversion = NULL;
+		isc_result_t tresult;
+
+		tresult = query_getzonedb(client, client->query.qname, qtype,
+					 DNS_GETDB_PARTIAL, &tzone, &tdb,
+					 &tversion);
+		if (tresult == ISC_R_SUCCESS) {
+			options &= ~DNS_GETDB_NOEXACT;
+			query_putrdataset(client, &rdataset);
+			if (db != NULL)
+				dns_db_detach(&db);
+			if (zone != NULL)
+				dns_zone_detach(&zone);
+			version = tversion;
+			db = tdb;
+			zone = tzone;
+			is_zone = ISC_TRUE;
+			result = ISC_R_SUCCESS;
+		} else {
+			if (tdb != NULL)
+				dns_db_detach(&tdb);
+			if (tzone != NULL)
+				dns_zone_detach(&tzone);
+		}
+	}
 	if (result != ISC_R_SUCCESS) {
-		if (result == DNS_R_REFUSED) {
-			if (!PARTIALANSWER(client))
-				QUERY_ERROR(DNS_R_REFUSED);
-		} else
+		if (result == DNS_R_REFUSED)
+			QUERY_ERROR(DNS_R_REFUSED);
+		else
 			QUERY_ERROR(DNS_R_SERVFAIL);
 		goto cleanup;
 	}
@@ -2564,63 +2531,6 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 			     client->query.dboptions, client->now,
 			     &node, fname, rdataset, sigrdataset);
 
-	/*
-	 * We interrupt our normal query processing to bring you this special
-	 * case...
-	 *
-	 * RFC 2535 (DNSSEC), section 2.3.4, discusses various special
-	 * cases that can occur at delegation points.
-	 *
-	 * One of these cases is that the NULL KEY for an unsecure zone
-	 * may occur in the delegating zone instead of in the delegated zone.
-	 * If we're authoritative for both zones, we need to look for the
-	 * key in the delegator if we didn't find it in the delegatee.  If
-	 * we didn't do this, a client doing DNSSEC validation could fail
-	 * because it couldn't get the NULL KEY.
-	 */
-	if (type == dns_rdatatype_key &&
-	    is_zone &&
-	    result == DNS_R_NXRRSET &&
-	    !dns_db_issecure(db) &&
-	    dns_name_equal(client->query.qname, dns_db_origin(db))) {
-		/*
-		 * We're looking for a KEY at the top of an unsecure zone,
-		 * and we didn't find it.
-		 */
-		result = query_findparentkey(client, client->query.qname,
-					     &zone, &db, &version, &node,
-					     rdataset, sigrdataset);
-		if (result == ISC_R_SUCCESS) {
-			/*
-			 * We found the parent KEY.
-			 *
-			 * zone, db, version, node, rdataset, and sigrdataset
-			 * have all been updated to refer to the parent's
-			 * data.  We will resume query processing as if
-			 * we had looked for the KEY in the parent zone in
-			 * the first place.
-			 *
-			 * We need to set fname correctly.  We do this here
-			 * instead of in query_findparentkey() because
-			 * dns_name_copy() can fail (though it shouldn't
-			 * ever do so since we should have enough space).
-			 */
-			result = dns_name_copy(client->query.qname,
-					       fname, NULL);
-			if (result != ISC_R_SUCCESS) {
-				QUERY_ERROR(DNS_R_SERVFAIL);
-				goto cleanup;
-			}
-		} else {
-			/*
-			 * We couldn't find the KEY in a parent zone.
-			 * Continue with processing of the original
-			 * results of dns_db_find().
-			 */
-			result = DNS_R_NXRRSET;
-		}
-	}
-
  resume:
 	CTRACE("query_find: resume");
 	switch (result) {
@@ -2698,6 +2608,48 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 		authoritative = ISC_FALSE;
 		if (is_zone) {
 			/*
+			 * Look to see if we are authoritative for the
+			 * child zone if the query type is DS.
+			 */
+			if (!RECURSIONOK(client) &&
+			    (options & DNS_GETDB_NOEXACT) != 0 &&
+			    qtype == dns_rdatatype_ds) {
+				dns_db_t *tdb = NULL;
+				dns_zone_t *tzone = NULL;
+				dns_dbversion_t *tversion = NULL;
+				result = query_getzonedb(client,
+							 client->query.qname,
+							 qtype,
+							 DNS_GETDB_PARTIAL,
+							 &tzone, &tdb,
+							 &tversion);
+				if (result == ISC_R_SUCCESS) {
+					options &= ~DNS_GETDB_NOEXACT;
+					query_putrdataset(client, &rdataset);
+					if (sigrdataset != NULL)
+						query_putrdataset(client,
+								  &sigrdataset);
+					if (fname != NULL)
+						query_releasename(client,
+								  &fname);
+					if (node != NULL)
+						dns_db_detachnode(db, &node);
+					if (db != NULL)
+						dns_db_detach(&db);
+					if (zone != NULL)
+						dns_zone_detach(&zone);
+					version = tversion;
+					db = tdb;
+					zone = tzone;
+					authoritative = ISC_TRUE;
+					goto db_find;
+				}
+				if (tdb != NULL)
+					dns_db_detach(&tdb);
+				if (tzone != NULL)
+					dns_zone_detach(&tzone);
+			}
+			/*
 			 * We're authoritative for an ancestor of QNAME.
 			 */
 			if (!USECACHE(client) || !RECURSIONOK(client)) {
@@ -2734,6 +2686,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 					       &rdataset, sigrdatasetp,
 					       dbuf, DNS_SECTION_AUTHORITY);
 				client->query.gluedb = NULL;
+				if (WANTDNSSEC(client) && dns_db_issecure(db))
+					query_addds(client, db, node);
 			} else {
 				/*
 				 * We might have a better answer or delegation
@@ -2796,7 +2750,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 				/*
 				 * Recurse!
 				 */
-				if (type == dns_rdatatype_key)
+				if (dns_rdatatype_atparent(type))
 					result = query_recurse(client, qtype,
 							       NULL, NULL);
 				else
@@ -2833,6 +2787,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 				client->query.gluedb = NULL;
 				client->query.attributes &=
 					~NS_QUERYATTR_CACHEGLUEOK;
+				if (WANTDNSSEC(client))
+					query_addds(client, db, node);
 			}
 		}
 		goto cleanup;
@@ -2843,7 +2799,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 		INSIST(is_zone);
 		if (dns_rdataset_isassociated(rdataset)) {
 			/*
-			 * If we've got a NXT record, we need to save the
+			 * If we've got a NSEC record, we need to save the
 			 * name now because we're going call query_addsoa()
 			 * below, and it needs to use the name buffer.
 			 */
@@ -2865,13 +2821,12 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 			goto cleanup;
 		}
 		/*
-		 * Add NXT record if we found one.
+		 * Add NSEC record if we found one.
 		 */
-		if (dns_rdataset_isassociated(rdataset)) {
-			if (WANTDNSSEC(client))
-				query_addrrset(client, &fname, &rdataset,
-					       &sigrdataset,
-					       NULL, DNS_SECTION_AUTHORITY);
+		if (WANTDNSSEC(client)) {
+			if (dns_rdataset_isassociated(rdataset))
+				query_addnxrrsetnsec(client, db, &fname,
+						    &rdataset, &sigrdataset);
 		}
 		goto cleanup;
 	case DNS_R_EMPTYWILD:
@@ -2881,7 +2836,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 		INSIST(is_zone);
 		if (dns_rdataset_isassociated(rdataset)) {
 			/*
-			 * If we've got a NXT record, we need to save the
+			 * If we've got a NSEC record, we need to save the
 			 * name now because we're going call query_addsoa()
 			 * below, and it needs to use the name buffer.
 			 */
@@ -2897,7 +2852,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 		/*
 		 * Add SOA.  If the query was for a SOA record force the
 		 * ttl to zero so that it is possible for clients to find
-		 * the containing zone of an arbitrary name with a stub
+		 * the containing zone of a arbitary name with a stub
 		 * resolver and not have it cached.
 		 */
 		if (qtype == dns_rdatatype_soa)
@@ -2909,13 +2864,17 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 			goto cleanup;
 		}
 		/*
-		 * Add NXT record if we found one.
+		 * Add NSEC record if we found one.
 		 */
 		if (dns_rdataset_isassociated(rdataset)) {
-			if (WANTDNSSEC(client))
+			if (WANTDNSSEC(client)) {
 				query_addrrset(client, &fname, &rdataset,
 					       &sigrdataset,
 					       NULL, DNS_SECTION_AUTHORITY);
+				query_addwildcardproof(client, db,
+						       client->query.qname,
+						       ISC_FALSE);
+			}
 		}
 		/*
 		 * Set message rcode.
@@ -2959,8 +2918,23 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 			sigrdatasetp = &sigrdataset;
 		else
 			sigrdatasetp = NULL;
+		if (WANTDNSSEC(client) &&
+		    (fname->attributes & DNS_NAMEATTR_WILDCARD) != 0)
+		{
+			dns_fixedname_init(&wildcardname);
+			dns_name_copy(fname, dns_fixedname_name(&wildcardname),
+				      NULL);
+			need_wildcardproof = ISC_TRUE;
+		}
+		if ((rdataset->attributes & DNS_RDATASETATTR_NOQNAME) != 0 &&
+		     WANTDNSSEC(client))
+			noqname = rdataset;
+		else
+			noqname = NULL;
 		query_addrrset(client, &fname, &rdataset, sigrdatasetp, dbuf,
 			       DNS_SECTION_ANSWER);
+		if (noqname != NULL)
+			query_addnoqnameproof(client, noqname);
 		/*
 		 * We set the PARTIALANSWER attribute so that if anything goes
 		 * wrong later on, we'll return what we've got so far.
@@ -2997,8 +2971,6 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 		query_maybeputqname(client);
 		client->query.qname = tname;
 		want_restart = ISC_TRUE;
-		if (!WANTRECURSION(client))
-			options |= DNS_GETDB_NOLOG;
 		goto addauth;
 	case DNS_R_DNAME:
 		/*
@@ -3007,7 +2979,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 		 * we're going to have to split qname later on.
 		 */
 		namereln = dns_name_fullcompare(client->query.qname, fname,
-						&order, &nlabels, &nbits);
+						&order, &nlabels);
 		INSIST(namereln == dns_namereln_subdomain);
 		/*
 		 * Keep a copy of the rdataset.  We have to do this because
@@ -3022,6 +2994,14 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 			sigrdatasetp = &sigrdataset;
 		else
 			sigrdatasetp = NULL;
+		if (WANTDNSSEC(client) &&
+		    (fname->attributes & DNS_NAMEATTR_WILDCARD) != 0)
+		{
+			dns_fixedname_init(&wildcardname);
+			dns_name_copy(fname, dns_fixedname_name(&wildcardname),
+				      NULL);
+			need_wildcardproof = ISC_TRUE;
+		}
 		query_addrrset(client, &fname, &rdataset, sigrdatasetp, dbuf,
 			       DNS_SECTION_ANSWER);
 		/*
@@ -3056,12 +3036,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 		 */
 		dns_fixedname_init(&fixed);
 		prefix = dns_fixedname_name(&fixed);
-		result = dns_name_split(client->query.qname, nlabels, nbits,
-					prefix, NULL);
-		if (result != ISC_R_SUCCESS) {
-			dns_message_puttempname(client->message, &tname);
-			goto cleanup;
-		}
+		dns_name_split(client->query.qname, nlabels, prefix, NULL);
 		INSIST(fname == NULL);
 		dbuf = query_getnamebuf(client);
 		if (dbuf == NULL) {
@@ -3101,8 +3076,9 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 		 * since the synthesized CNAME is NOT in the zone.
 		 */
 		dns_name_init(tname, NULL);
-		query_addcnamelike(client, client->query.qname, fname,
-				   0, &tname, dns_rdatatype_cname);
+		(void)query_addcnamelike(client, client->query.qname, fname,
+					 trdataset->trust, &tname,
+					 dns_rdatatype_cname);
 		if (tname != NULL)
 			dns_message_puttempname(client->message, &tname);
 		/*
@@ -3112,8 +3088,6 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 		client->query.qname = fname;
 		fname = NULL;
 		want_restart = ISC_TRUE;
-		if (!WANTRECURSION(client))
-			options |= DNS_GETDB_NOLOG;
 		goto addauth;
 	default:
 		/*
@@ -3123,6 +3097,14 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 		goto cleanup;
 	}
 
+	if (WANTDNSSEC(client) &&
+	    (fname->attributes & DNS_NAMEATTR_WILDCARD) != 0)
+	{
+		dns_fixedname_init(&wildcardname);
+		dns_name_copy(fname, dns_fixedname_name(&wildcardname), NULL);
+		need_wildcardproof = ISC_TRUE;
+	}
+
 	if (type == dns_rdatatype_any) {
 		/*
 		 * XXXRTH  Need to handle zonecuts with special case
@@ -3184,7 +3166,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 			/*
 			 * We didn't match any rdatasets.
 			 */
-			if (qtype == dns_rdatatype_sig &&
+			if (qtype == dns_rdatatype_rrsig &&
 			    result == ISC_R_NOMORE) {
 				/*
 				 * XXXRTH  If this is a secure zone and we
@@ -3192,21 +3174,6 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 				 * an error unless we were searching for
 				 * glue.  Ugh.
 				 */
-				if (!is_zone) {
-					authoritative = ISC_FALSE;
-					dns_rdatasetiter_destroy(&rdsiter);
-					if (RECURSIONOK(client)) {
-						result = query_recurse(client,
-								       qtype,
-								       NULL,
-								       NULL);
-						if (result == ISC_R_SUCCESS)
-						    client->query.attributes |=
-							NS_QUERYATTR_RECURSING;
-						else
-						    QUERY_ERROR(DNS_R_SERVFAIL);					}
-					goto addauth;
-				}
 				/*
 				 * We were searching for SIG records in
 				 * a nonsecure zone.  Send a "no error,
@@ -3239,15 +3206,15 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 			sigrdatasetp = &sigrdataset;
 		else
 			sigrdatasetp = NULL;
-		/*  
-		 * BIND 8 priming queries need the additional section.
-		 */
-		if (is_zone && qtype == dns_rdatatype_ns &&
-		    dns_name_equal(client->query.qname, dns_rootname))
-			client->query.attributes &= ~NS_QUERYATTR_NOADDITIONAL;
-
+		if ((rdataset->attributes & DNS_RDATASETATTR_NOQNAME) != 0 &&
+		     WANTDNSSEC(client))
+			noqname = rdataset;
+		else
+			noqname = NULL;
 		query_addrrset(client, &fname, &rdataset, sigrdatasetp, dbuf,
 			       DNS_SECTION_ANSWER);
+		if (noqname != NULL)
+			query_addnoqnameproof(client, noqname);
 		/*
 		 * We shouldn't ever fail to add 'rdataset'
 		 * because it's already in the answer.
@@ -3261,14 +3228,13 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 	 * Add NS records to the authority section (if we haven't already
 	 * added them to the answer section).
 	 */
-	if (!want_restart && !NOAUTHORITY(client)
-	    ) {
+	if (!want_restart && !NOAUTHORITY(client)) {
 		if (is_zone) {
 			if (!((qtype == dns_rdatatype_ns ||
 			       qtype == dns_rdatatype_any) &&
 			      dns_name_equal(client->query.qname,
 					     dns_db_origin(db))))
-				query_addns(client, db);
+				(void)query_addns(client, db);
 		} else if (qtype != dns_rdatatype_ns) {
 			if (fname != NULL)
 				query_releasename(client, &fname);
@@ -3276,6 +3242,14 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 		}
 	}
 
+	/*
+	 * Add NSEC records to the authority section if they're needed for
+	 * DNSSEC wildcard proofs.
+	 */
+	if (need_wildcardproof && dns_db_issecure(db))
+		query_addwildcardproof(client, db,
+				       dns_fixedname_name(&wildcardname),
+				       ISC_TRUE);
  cleanup:
 	CTRACE("query_find: cleanup");
 	/*
@@ -3302,7 +3276,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 		dns_db_detach(&zdb);
 	}
 	if (event != NULL)
-		isc_event_free(ISC_EVENT_PTR(&event));
+		isc_event_free((isc_event_t **) (void*)&event);
 
 	/*
 	 * AA bit.
@@ -3341,16 +3315,6 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 		 */
 		setup_query_sortlist(client);
 
-		/*
-		 * If this is a referral and the answer to the question
-		 * is in the glue sort it to the start of the additional
-		 * section.
-		 */
-		if (client->message->counts[DNS_SECTION_ANSWER] == 0 &&
-		    client->message->rcode == dns_rcode_noerror &&
-		    (qtype == dns_rdatatype_a || qtype == dns_rdatatype_aaaa))
-			answer_in_glue(client, qtype);
-
 		if (client->message->rcode == dns_rcode_nxdomain &&
 		    client->view->auth_nxdomain == ISC_TRUE)
 			client->message->flags |= DNS_MESSAGEFLAG_AA;
@@ -3379,7 +3343,10 @@ log_query(ns_client_t *client) {
 	dns_rdatatype_format(rdataset->type, typename, sizeof(typename));
 
 	ns_client_log(client, NS_LOGCATEGORY_QUERIES, NS_LOGMODULE_QUERY,
-		      level, "query: %s %s %s", namebuf, classname, typename);
+		      level, "query: %s %s %s %s%s%s", namebuf, classname,
+		      typename, WANTRECURSION(client) ? "+" : "-",
+		      (client->signer != NULL) ? "S": "",
+		      (client->opt != NULL) ? "E" : "");
 }
 
 void
@@ -3397,14 +3364,19 @@ ns_query_start(ns_client_t *client) {
 	 */
 	client->next = query_next_callback;
 
+	/*
+	 * Behave as if we don't support DNSSEC if not enabled.
+	 */
+	if (!client->view->enablednssec) {
+		message->flags &= ~DNS_MESSAGEFLAG_CD;
+		client->extflags &= ~DNS_MESSAGEEXTFLAG_DO;
+	}
+
 	if ((message->flags & DNS_MESSAGEFLAG_RD) != 0)
 		client->query.attributes |= NS_QUERYATTR_WANTRECURSION;
 	
-#ifdef ISC_RFC2535
-	if ((client->extflags & DNS_MESSAGEEXTFLAG_DO) != 0 ||
-	    (message->flags & DNS_MESSAGEFLAG_AD) != 0)
-		client->query.attributes |= NS_QUERYATTR_WANTDNSSEC;
-#endif
+	if ((client->extflags & DNS_MESSAGEEXTFLAG_DO) != 0)
+		client->attributes |= NS_CLIENTATTR_WANTDNSSEC;
 	
 	if (client->view->minimalresponses)
 		client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY |
@@ -3503,13 +3475,20 @@ ns_query_start(ns_client_t *client) {
 	 * to return data before validation has completed.
 	 */
 	if (message->flags & DNS_MESSAGEFLAG_CD ||
-	    qtype == dns_rdatatype_sig)
+	    qtype == dns_rdatatype_rrsig)
 	{
 		client->query.dboptions |= DNS_DBFIND_PENDINGOK;
 		client->query.fetchoptions |= DNS_FETCHOPT_NOVALIDATE;
 	}
 
 	/*
+	 * Allow glue NS records to be added to the authority section
+	 * if the answer is secure.
+	 */
+	if (message->flags & DNS_MESSAGEFLAG_CD)
+		client->query.attributes &= ~NS_QUERYATTR_SECURE;
+
+	/*
 	 * This is an ordinary query.
 	 */
 	result = dns_message_reply(message, ISC_TRUE);
@@ -3528,447 +3507,10 @@ ns_query_start(ns_client_t *client) {
 	 * Set AD.  We must clear it if we add non-validated data to a
 	 * response.
 	 */
-	if (WANTDNSSEC(client))
+	if (client->view->enablednssec)
 		message->flags |= DNS_MESSAGEFLAG_AD;
 
-	/*
-	 * Synthesize IPv6 responses if appropriate.
-	 */
-	if (RECURSIONOK(client) &&
-	    (qtype == dns_rdatatype_aaaa || qtype == dns_rdatatype_ptr) &&
-	    client->message->rdclass == dns_rdataclass_in &&
-	    ns_client_checkacl(client, "v6 synthesis",
-			       client->view->v6synthesisacl,
-			       ISC_FALSE, ISC_LOG_DEBUG(9)) == ISC_R_SUCCESS)
-	{
-		if (qtype == dns_rdatatype_aaaa) {
-			qclient = NULL;
-			ns_client_attach(client, &qclient);
-			synth_fwd_start(qclient);
-			return;
-		} else {
-			INSIST(qtype == dns_rdatatype_ptr);
-			 /* Must be 32 nibbles + "ip6" + "int" + root */
-			if (dns_name_countlabels(client->query.qname) == 32 + 3 &&
-			    dns_name_issubdomain(client->query.qname, &ip6int_name)) {
-				qclient = NULL;
-				ns_client_attach(client, &qclient);
-				synth_rev_start(qclient);
-				return;
-			}
-		}
-	}
-
 	qclient = NULL;
 	ns_client_attach(client, &qclient);
 	query_find(qclient, NULL, qtype);
 }
-
-/*
- * Generate a synthetic IPv6 forward mapping response for the current
- * query of 'client'.
- */
-static void
-synth_fwd_start(ns_client_t *client) {
-	ns_client_log(client, NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_QUERY,
-		      ISC_LOG_DEBUG(5), "generating synthetic AAAA response");
-
-	synth_fwd_startfind(client);
-}
-
-/*
- * Start an ADB find to get addresses, or more addresses, for 
- * a synthetic IPv6 forward mapping response.
- */
-static void
-synth_fwd_startfind(ns_client_t *client) {
-	dns_adbfind_t *find = NULL;
-	isc_result_t result;
-	dns_fixedname_t target_fixed;
-	dns_name_t *target;
-
-	dns_fixedname_init(&target_fixed);
-	target = dns_fixedname_name(&target_fixed);
-
- find_again:
-	result = dns_adb_createfind(client->view->adb, client->task,
-			    synth_fwd_finddone, client, client->query.qname,
-			    dns_rootname, 
-			    DNS_ADBFIND_WANTEVENT | DNS_ADBFIND_RETURNLAME |
-			    DNS_ADBFIND_INET6, client->now,
-			    target, 0, &find);
-
-	ns_client_log(client, NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_QUERY,
-		      ISC_LOG_DEBUG(5), "find returned %s",
-		      isc_result_totext(result));
-
-	if (result == DNS_R_ALIAS) {
-		dns_name_t *ptarget = NULL;
-		dns_name_t *tname = NULL;
-		isc_buffer_t *dbuf;
-		isc_buffer_t b;
-
-		/*
-		 * Make a persistent copy of the 'target' name data in 'ptarget';
-		 * it will become the new query name.
-		 */
-		dbuf = query_getnamebuf(client);
-		if (dbuf == NULL)
-			goto fail;
-		ptarget = query_newname(client, dbuf, &b);
-		if (ptarget == NULL)
-			goto fail;
-		dns_name_copy(target, ptarget, NULL);
-		
-		dns_adb_destroyfind(&find);
-
-		/*
-		 * Get another temporary name 'tname' for insertion into the
-		 * response message.
-		 */
-		result = dns_message_gettempname(client->message, &tname);
-		if (result != ISC_R_SUCCESS)
-			goto fail;
-		dns_name_init(tname, NULL);
-		result = query_addcnamelike(client, client->query.qname,
-					    ptarget, 0 /* XXX ttl */, &tname,
-					    dns_rdatatype_cname);
-		if (tname != NULL)
-			dns_message_puttempname(client->message, &tname);
-		if (result != ISC_R_SUCCESS)
-			goto fail;
-
-		query_maybeputqname(client);
-		client->query.qname = ptarget;
-		query_keepname(client, ptarget, dbuf);
-		ptarget = NULL;
-		if (client->query.restarts < MAX_RESTARTS) {
-			client->query.restarts++;
-			goto find_again;
-		} else {
-			/*
-			 * Probably a CNAME loop.  Reply with partial
-			 * CNAME chain.
-			 */
-			result = ISC_R_SUCCESS;
-			goto done;
-		}
-	} else if (result != ISC_R_SUCCESS) {
-		if (find != NULL)
-			dns_adb_destroyfind(&find);
-		goto fail;
-	}
-
-	if ((find->options & DNS_ADBFIND_WANTEVENT) != 0) {
-		ns_client_log(client, NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_QUERY,
-			      ISC_LOG_DEBUG(5), "find will send event");
-	} else {
-		synth_fwd_respond(client, find);
-		dns_adb_destroyfind(&find);
-	}
-	return;
-
- fail:
-	result = DNS_R_SERVFAIL;
- done:
-	synth_finish(client, result);
-}
-
-/*
- * Handle an ADB finddone event generated as part of synthetic IPv6
- * forward mapping processing.
- */
-static void
-synth_fwd_finddone(isc_task_t *task, isc_event_t *ev) {
-	ns_client_t *client = ev->ev_arg;
-	dns_adbfind_t *find = ev->ev_sender;
-	isc_eventtype_t evtype = ev->ev_type;
-
-	UNUSED(task);
-
-	ns_client_log(client, NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_QUERY,
-		      ISC_LOG_DEBUG(5), "got find event");
-
-	if (evtype == DNS_EVENT_ADBNOMOREADDRESSES)
-		synth_fwd_respond(client, find);
-	else if (evtype == DNS_EVENT_ADBMOREADDRESSES)
-		synth_fwd_startfind(client);
-	else
-		synth_finish(client, DNS_R_SERVFAIL);
-
-	isc_event_free(&ev);
-	dns_adb_destroyfind(&find);
-	
-}
-
-/*
- * Generate a synthetic IPv6 forward mapping response based on
- * a completed ADB lookup.
- */
-static void
-synth_fwd_respond(ns_client_t *client, dns_adbfind_t *find) {
-	dns_adbaddrinfo_t *ai;
-	dns_name_t *tname = NULL;
-	dns_rdataset_t *rdataset = NULL;
-	dns_rdatalist_t *rdatalist = NULL;
-	isc_result_t result;
-
-	result = dns_message_gettempname(client->message, &tname);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-	dns_name_init(tname, NULL);
-		
-	result = dns_message_gettemprdatalist(client->message, &rdatalist);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-	
-	result = dns_message_gettemprdataset(client->message, &rdataset);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-	dns_rdataset_init(rdataset);
-
-	ISC_LIST_INIT(rdatalist->rdata);
-
-	rdatalist->type = dns_rdatatype_aaaa;
-	rdatalist->covers = 0;
-	rdatalist->rdclass = client->message->rdclass;
-	rdatalist->ttl = 0;
-
-	dns_name_clone(client->query.qname, tname);
-	
-	for (ai = ISC_LIST_HEAD(find->list);
-	     ai != NULL;
-	     ai = ISC_LIST_NEXT(ai, publink)) {
-		dns_rdata_t *rdata = NULL;
-		
-		struct sockaddr_in6 *sin6 = &ai->sockaddr.type.sin6;
-		/*
-		 * Could it be useful to return IPv4 addresses as A records?
-		 */
-		if (sin6->sin6_family != AF_INET6)
-			continue;
-
-		result = dns_message_gettemprdata(client->message, &rdata);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup;
-
-		rdata->data = (unsigned char *) &sin6->sin6_addr;
-		rdata->length = 16;
-		rdata->rdclass = client->message->rdclass;
-		rdata->type = dns_rdatatype_aaaa;
-		ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
-	}
-
-	dns_rdatalist_tordataset(rdatalist, rdataset);
-
-	query_addrrset(client, &tname, &rdataset, NULL, NULL,
-		       DNS_SECTION_ANSWER);
-
- cleanup:
-	if (tname != NULL)
-		dns_message_puttempname(client->message, &tname);
-
-	if (rdataset != NULL) {
-		if (dns_rdataset_isassociated(rdataset))
-			dns_rdataset_disassociate(rdataset);
-		dns_message_puttemprdataset(client->message, &rdataset);
-	}
-
-	synth_finish(client, result);
-}
-
-/*
- * Finish synthetic IPv6 forward mapping processing.
- */
-static void
-synth_finish(ns_client_t *client, isc_result_t result) {
-	if (result == ISC_R_SUCCESS)
-		query_send(client);
-	else
-		query_error(client, result);
-	ns_client_detach(&client);	
-}
-
-static signed char ascii2hex[256] = {
-	-1, -1, -1, -1, -1, -1, -1, -1,	-1, -1, -1, -1, -1, -1, -1, -1,
-	-1, -1, -1, -1, -1, -1, -1, -1,	-1, -1, -1, -1, -1, -1, -1, -1,
-	-1, -1, -1, -1, -1, -1, -1, -1,	-1, -1, -1, -1, -1, -1, -1, -1,
-	 0,  1,  2,  3,  4,  5,  6,  7,  8,  9, -1, -1, -1, -1, -1, -1,
-	-1, 10, 11, 12, 13, 14, 15, -1,	-1, -1, -1, -1, -1, -1, -1, -1,
-	-1, -1, -1, -1, -1, -1, -1, -1,	-1, -1, -1, -1, -1, -1, -1, -1,
-	-1, 10, 11, 12, 13, 14, 15, -1,	-1, -1, -1, -1, -1, -1, -1, -1,
-	-1, -1, -1, -1, -1, -1, -1, -1,	-1, -1, -1, -1, -1, -1, -1, -1,
-	-1, -1, -1, -1, -1, -1, -1, -1,	-1, -1, -1, -1, -1, -1, -1, -1,
-	-1, -1, -1, -1, -1, -1, -1, -1,	-1, -1, -1, -1, -1, -1, -1, -1,
-	-1, -1, -1, -1, -1, -1, -1, -1,	-1, -1, -1, -1, -1, -1, -1, -1,
-	-1, -1, -1, -1, -1, -1, -1, -1,	-1, -1, -1, -1, -1, -1, -1, -1,
-	-1, -1, -1, -1, -1, -1, -1, -1,	-1, -1, -1, -1, -1, -1, -1, -1,
-	-1, -1, -1, -1, -1, -1, -1, -1,	-1, -1, -1, -1, -1, -1, -1, -1,
-	-1, -1, -1, -1, -1, -1, -1, -1,	-1, -1, -1, -1, -1, -1, -1, -1,
-	-1, -1, -1, -1, -1, -1, -1, -1,	-1, -1, -1, -1, -1, -1, -1, -1
-};
-
-/*
- * Convert label 'i' of 'name' into its hexadecimal value, storing it
- * in '*hexp'.  If the label is not a valid hex nibble, return ISC_R_FAILURE.
- */
-static isc_result_t
-label2hex(dns_name_t *name, int i, int *hexp) {
-	isc_region_t label;
-	int hexval;
-	dns_name_getlabel(name, i, &label);
-	if (label.length != 2 || label.base[0] != '\001')
-		return (ISC_R_FAILURE);
-	hexval = ascii2hex[label.base[1]];
-	if (hexval == -1)
-		return (ISC_R_FAILURE);
-	*hexp = hexval;
-	return (ISC_R_SUCCESS);
-}
-
-/*
- * Convert the ip6.int name 'name' into the corresponding IPv6 address
- * in 'na'. 
- */
-static isc_result_t
-nibbles2netaddr(dns_name_t *name, isc_netaddr_t *na) {
-	isc_result_t result;
-	struct in6_addr ina6;
-	unsigned char *addrdata = (unsigned char *) &ina6;
-	int i;
-
-	for (i = 0; i < 16; i++) {
-		int hex0, hex1;
-		result = label2hex(name, 2 * i, &hex0);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-		result = label2hex(name, 2 * i + 1, &hex1);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-		addrdata[15-i] = (hex1 << 4) | hex0;
-	}
-	isc_netaddr_fromin6(na, &ina6);
-	return (ISC_R_SUCCESS);
-}
-
-/*
- * Generate a synthetic IPv6 reverse mapping response for the current
- * query of 'client'.
- */
-static void
-synth_rev_start(ns_client_t *client) {
-	isc_result_t result;
-	dns_byaddr_t *byaddr_dummy = NULL;
-	
-	ns_client_log(client, NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_QUERY,
-		      ISC_LOG_DEBUG(5), "generating synthetic PTR response");
-
-	result = nibbles2netaddr(client->query.qname, &client->query.synth.na);
-	if (result != ISC_R_SUCCESS) {
-		result = DNS_R_NXDOMAIN;
-		goto cleanup;
-	}
-
-	/* Try IP6.ARPA first. */
-	result = dns_byaddr_create(client->mctx,
-				   &client->query.synth.na,
-				   client->view,
-				   DNS_BYADDROPT_IPV6NIBBLE,
-				   client->task,
-				   synth_rev_byaddrdone_arpa,
-				   client, &byaddr_dummy);
-	if (result == ISC_R_SUCCESS)
-		return; /* Wait for completion event. */
- cleanup:
-	synth_finish(client, result);
-}
-
-static void
-synth_rev_byaddrdone_arpa(isc_task_t *task, isc_event_t *event) {
-	isc_result_t result;
-	dns_byaddrevent_t *bevent = (dns_byaddrevent_t *)event;
-	ns_client_t *client = event->ev_arg;
-	dns_byaddr_t *byaddr = event->ev_sender;
-	dns_byaddr_t *byaddr_dummy = NULL;	
-
-	UNUSED(task);
-
-	if (bevent->result == ISC_R_SUCCESS) {
-		synth_rev_respond(client, bevent);
-	} else {
-		/* Try IP6.INT next. */
-		result = dns_byaddr_create(client->mctx,
-					   &client->query.synth.na,
-					   client->view,
-					   DNS_BYADDROPT_IPV6NIBBLE|
-					   DNS_BYADDROPT_IPV6INT,
-					   client->task,
-					   synth_rev_byaddrdone_int,
-					   client, &byaddr_dummy);
-		if (result != ISC_R_SUCCESS)
-			synth_finish(client, result);
-	}
-	dns_byaddr_destroy(&byaddr);
-	isc_event_free(&event);
-}
-
-static void
-synth_rev_byaddrdone_int(isc_task_t *task, isc_event_t *event) {
-	dns_byaddrevent_t *bevent = (dns_byaddrevent_t *)event;
-	ns_client_t *client = event->ev_arg;
-	dns_byaddr_t *byaddr = event->ev_sender;
-	
-	UNUSED(task);
-
-	if (bevent->result == ISC_R_SUCCESS) {
-		synth_rev_respond(client, bevent);
-	} else if (bevent->result == DNS_R_NCACHENXDOMAIN ||
-		   bevent->result == DNS_R_NCACHENXRRSET ||
-		   bevent->result == DNS_R_NXDOMAIN ||
-		   bevent->result == DNS_R_NXRRSET) {
-		/*
-		 * We could give a NOERROR/NODATA response instead
-		 * in some cases, but since there may be any combination
-		 * of NXDOMAIN and NXRRSET results from the IP6.INT
-		 * and IP6.ARPA lookups, it could still be wrong with
-		 * respect to one or the other.
-		 */
-		synth_finish(client, DNS_R_NXDOMAIN);
-	} else {
-		synth_finish(client, bevent->result);
-	}
-	isc_event_free(&event);
-	dns_byaddr_destroy(&byaddr);	
-}
-
-static void
-synth_rev_respond(ns_client_t *client, dns_byaddrevent_t *bevent) {
-	isc_result_t result = ISC_R_SUCCESS;
-	dns_name_t *name;
-
-	for (name = ISC_LIST_HEAD(bevent->names);
-	     name != NULL;
-	     name = ISC_LIST_NEXT(name, link))
-	{
-		dns_name_t *tname = NULL;
-		
-		/*
-		 * Get a temporary name 'tname' for insertion into the
-		 * response message.
-		 */
-		result = dns_message_gettempname(client->message, &tname);
-		if (result != ISC_R_SUCCESS)
-			goto fail;
-		dns_name_init(tname, NULL);
-
-		result = query_addcnamelike(client, client->query.qname,
-					    name, 0 /* XXX ttl */,
-					    &tname, dns_rdatatype_ptr);
-		if (tname != NULL)
-			dns_message_puttempname(client->message, &tname);
-		if (result != ISC_R_SUCCESS)
-			goto fail;
-	}
- fail:
-	synth_finish(client, result);		
-}
diff --git a/bin/named/server.c b/bin/named/server.c
index 20e7d472..a4e7b96e 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: server.c,v 1.339.2.40 2007/04/03 23:42:54 tbox Exp $ */
+/* $Id: server.c,v 1.339.2.15.2.49 2004/04/10 05:02:53 marka Exp $ */
 
 #include <config.h>
 
@@ -28,6 +28,7 @@
 #include <isc/file.h>
 #include <isc/hash.h>
 #include <isc/lex.h>
+#include <isc/parseint.h>
 #include <isc/print.h>
 #include <isc/resource.h>
 #include <isc/stdio.h>
@@ -36,9 +37,11 @@
 #include <isc/timer.h>
 #include <isc/util.h>
 
-#include <isccfg/cfg.h>
-#include <isccfg/check.h>
+#include <isccfg/namedconf.h>
 
+#include <bind9/check.h>
+
+#include <dns/adb.h>
 #include <dns/cache.h>
 #include <dns/db.h>
 #include <dns/dispatch.h>
@@ -46,11 +49,16 @@
 #include <dns/journal.h>
 #include <dns/keytable.h>
 #include <dns/master.h>
+#include <dns/masterdump.h>
+#include <dns/order.h>
 #include <dns/peer.h>
+#include <dns/portlist.h>
 #include <dns/rdataclass.h>
+#include <dns/rdataset.h>
 #include <dns/rdatastruct.h>
 #include <dns/resolver.h>
 #include <dns/rootns.h>
+#include <dns/secalg.h>
 #include <dns/stats.h>
 #include <dns/tkey.h>
 #include <dns/view.h>
@@ -67,15 +75,12 @@
 #include <named/log.h>
 #include <named/logconf.h>
 #include <named/lwresd.h>
+#include <named/main.h>
 #include <named/os.h>
 #include <named/server.h>
 #include <named/tkeyconf.h>
 #include <named/tsigconf.h>
 #include <named/zoneconf.h>
-#ifdef HAVE_LIBSCF
-#include <named/ns_smf_globals.h>
-#include <stdlib.h>
-#endif
 
 /*
  * Check an operation for failure.  Assumes that the function
@@ -99,6 +104,19 @@
 		}						  \
 	} while (0)						  \
 
+#define CHECKMF(op, msg, file) \
+	do { result = (op); 				  	  \
+	       if (result != ISC_R_SUCCESS) {			  \
+			isc_log_write(ns_g_lctx,		  \
+				      NS_LOGCATEGORY_GENERAL,	  \
+				      NS_LOGMODULE_SERVER,	  \
+				      ISC_LOG_ERROR,		  \
+				      "%s '%s': %s", msg, file,	  \
+				      isc_result_totext(result)); \
+			goto cleanup;				  \
+		}						  \
+	} while (0)						  \
+
 #define CHECKFATAL(op, msg) \
 	do { result = (op); 				  	  \
 	       if (result != ISC_R_SUCCESS)			  \
@@ -112,6 +130,32 @@ struct ns_dispatch {
 	ISC_LINK(struct ns_dispatch)	link;
 };
 
+struct dumpcontext {
+	isc_mem_t			*mctx;
+	isc_boolean_t			dumpcache;
+	isc_boolean_t			dumpzones;
+	FILE				*fp;
+	ISC_LIST(struct viewlistentry)	viewlist;
+	struct viewlistentry		*view;
+	struct zonelistentry		*zone;
+	dns_dumpctx_t			*mdctx;
+	dns_db_t			*db;
+	dns_db_t			*cache;
+	isc_task_t			*task;
+	dns_dbversion_t			*version;
+};
+
+struct viewlistentry {
+	dns_view_t			*view;
+	ISC_LINK(struct viewlistentry)	link;
+	ISC_LIST(struct zonelistentry)	zonelist;
+};
+
+struct zonelistentry {
+	dns_zone_t			*zone;
+	ISC_LINK(struct zonelistentry)	link;
+};
+
 static void
 fatal(const char *msg, isc_result_t result);
 
@@ -119,21 +163,25 @@ static void
 ns_server_reload(isc_task_t *task, isc_event_t *event);
 
 static isc_result_t
-ns_listenelt_fromconfig(const cfg_obj_t *listener, const cfg_obj_t *config,
+ns_listenelt_fromconfig(cfg_obj_t *listener, cfg_obj_t *config,
 			ns_aclconfctx_t *actx,
 			isc_mem_t *mctx, ns_listenelt_t **target);
 static isc_result_t
-ns_listenlist_fromconfig(const cfg_obj_t *listenlist, const cfg_obj_t *config,
+ns_listenlist_fromconfig(cfg_obj_t *listenlist, cfg_obj_t *config,
 			 ns_aclconfctx_t *actx,
 			 isc_mem_t *mctx, ns_listenlist_t **target);
 
 static isc_result_t
-configure_forward(const cfg_obj_t *config, dns_view_t *view, dns_name_t *origin,
-		  const cfg_obj_t *forwarders, const cfg_obj_t *forwardtype);
+configure_forward(cfg_obj_t *config, dns_view_t *view, dns_name_t *origin,
+		  cfg_obj_t *forwarders, cfg_obj_t *forwardtype);
 
 static isc_result_t
-configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
-	       const cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view,
+configure_alternates(cfg_obj_t *config, dns_view_t *view,
+		     cfg_obj_t *alternates);
+
+static isc_result_t
+configure_zone(cfg_obj_t *config, cfg_obj_t *zconfig, cfg_obj_t *vconfig,
+	       isc_mem_t *mctx, dns_view_t *view,
 	       ns_aclconfctx_t *aclconf);
 
 static void
@@ -145,13 +193,13 @@ end_reserved_dispatches(ns_server_t *server, isc_boolean_t all);
  * (for a global default).
  */
 static isc_result_t
-configure_view_acl(const cfg_obj_t *vconfig, const cfg_obj_t *config,
+configure_view_acl(cfg_obj_t *vconfig, cfg_obj_t *config,
 		   const char *aclname, ns_aclconfctx_t *actx,
 		   isc_mem_t *mctx, dns_acl_t **aclp)
 {
 	isc_result_t result;
-	const cfg_obj_t *maps[3];
-	const cfg_obj_t *aclobj = NULL;
+	cfg_obj_t *maps[3];
+	cfg_obj_t *aclobj = NULL;
 	int i = 0;
 
 	if (*aclp != NULL)
@@ -159,14 +207,14 @@ configure_view_acl(const cfg_obj_t *vconfig, const cfg_obj_t *config,
 	if (vconfig != NULL)
 		maps[i++] = cfg_tuple_get(vconfig, "options");
 	if (config != NULL) {
-		const cfg_obj_t *options = NULL;
-		cfg_map_get(config, "options", &options);
+		cfg_obj_t *options = NULL;
+		(void)cfg_map_get(config, "options", &options);
 		if (options != NULL)
 			maps[i++] = options;
 	}
 	maps[i] = NULL;
 
-	(void)ns_config_get(maps, aclname, &aclobj);
+	result = ns_config_get(maps, aclname, &aclobj);
 	if (aclobj == NULL)
 		/*
 		 * No value available.  *aclp == NULL.
@@ -178,15 +226,14 @@ configure_view_acl(const cfg_obj_t *vconfig, const cfg_obj_t *config,
 	return (result);
 }
 
-#ifdef ISC_RFC2535
 static isc_result_t
-configure_view_dnsseckey(const cfg_obj_t *vconfig, const cfg_obj_t *key,
+configure_view_dnsseckey(cfg_obj_t *vconfig, cfg_obj_t *key,
 			 dns_keytable_t *keytable, isc_mem_t *mctx)
 {
 	dns_rdataclass_t viewclass;
-	dns_rdata_key_t keystruct;
+	dns_rdata_dnskey_t keystruct;
 	isc_uint32_t flags, proto, alg;
-	const char *keystr, *keynamestr;
+	char *keystr, *keynamestr;
 	unsigned char keydata[4096];
 	isc_buffer_t keydatabuf;
 	unsigned char rrdata[4096];
@@ -207,12 +254,12 @@ configure_view_dnsseckey(const cfg_obj_t *vconfig, const cfg_obj_t *key,
 	if (vconfig == NULL)
 		viewclass = dns_rdataclass_in;
 	else {
-		const cfg_obj_t *classobj = cfg_tuple_get(vconfig, "class");
+		cfg_obj_t *classobj = cfg_tuple_get(vconfig, "class");
 		CHECK(ns_config_getclass(classobj, dns_rdataclass_in,
 					 &viewclass));
 	}
 	keystruct.common.rdclass = viewclass;
-	keystruct.common.rdtype = dns_rdatatype_key;
+	keystruct.common.rdtype = dns_rdatatype_dnskey;
 	/*
 	 * The key data in keystruct is not dynamically allocated.
 	 */
@@ -239,12 +286,6 @@ configure_view_dnsseckey(const cfg_obj_t *vconfig, const cfg_obj_t *key,
 	keystruct.datalen = r.length;
 	keystruct.data = r.base;
 
-	if (keystruct.algorithm == DST_ALG_RSAMD5 &&
-	    r.length > 1 && r.base[0] == 1 && r.base[1] == 3)
-		cfg_obj_log(key, ns_g_lctx, ISC_LOG_WARNING,
-			    "trusted key '%s' has a weak exponent",
-			    keynamestr);
-
 	CHECK(dns_rdata_fromstruct(NULL,
 				   keystruct.common.rdclass,
 				   keystruct.common.rdtype,
@@ -280,7 +321,6 @@ configure_view_dnsseckey(const cfg_obj_t *vconfig, const cfg_obj_t *key,
 
 	return (result);
 }
-#endif
 
 /*
  * Configure DNSSEC keys for a view.  Currently used only for
@@ -290,25 +330,19 @@ configure_view_dnsseckey(const cfg_obj_t *vconfig, const cfg_obj_t *key,
  * from 'vconfig' and 'config'.  The variable to be configured is '*target'.
  */
 static isc_result_t
-configure_view_dnsseckeys(const cfg_obj_t *vconfig, const cfg_obj_t *config,
+configure_view_dnsseckeys(cfg_obj_t *vconfig, cfg_obj_t *config,
 			  isc_mem_t *mctx, dns_keytable_t **target)
 {
 	isc_result_t result;
-#ifdef ISC_RFC2535
-	const cfg_obj_t *keys = NULL;
-	const cfg_obj_t *voptions = NULL;
-	const cfg_listelt_t *element, *element2;
-	const cfg_obj_t *keylist;
-	const cfg_obj_t *key;
-#endif
+	cfg_obj_t *keys = NULL;
+	cfg_obj_t *voptions = NULL;
+	cfg_listelt_t *element, *element2;
+	cfg_obj_t *keylist;
+	cfg_obj_t *key;
 	dns_keytable_t *keytable = NULL;
 
 	CHECK(dns_keytable_create(mctx, &keytable));
 
-#ifndef ISC_RFC2535
-	UNUSED(vconfig);
-	UNUSED(config);
-#else
 	if (vconfig != NULL)
 		voptions = cfg_tuple_get(vconfig, "options");
 
@@ -332,7 +366,7 @@ configure_view_dnsseckeys(const cfg_obj_t *vconfig, const cfg_obj_t *config,
 						       keytable, mctx));
 		}
 	}
-#endif
+
 	dns_keytable_detach(target);
 	*target = keytable; /* Transfer ownership. */
 	keytable = NULL;
@@ -347,14 +381,14 @@ configure_view_dnsseckeys(const cfg_obj_t *vconfig, const cfg_obj_t *config,
  * Get a dispatch appropriate for the resolver of a given view.
  */
 static isc_result_t
-get_view_querysource_dispatch(const cfg_obj_t **maps,
+get_view_querysource_dispatch(cfg_obj_t **maps,
 			      int af, dns_dispatch_t **dispatchp)
 {
 	isc_result_t result;
 	dns_dispatch_t *disp;
 	isc_sockaddr_t sa;
 	unsigned int attrs, attrmask;
-	const cfg_obj_t *obj = NULL;
+	cfg_obj_t *obj = NULL;
 
 	/*
 	 * Make compiler happy.
@@ -365,6 +399,7 @@ get_view_querysource_dispatch(const cfg_obj_t **maps,
 	case AF_INET:
 		result = ns_config_get(maps, "query-source", &obj);
 		INSIST(result == ISC_R_SUCCESS);
+
 		break;
 	case AF_INET6:
 		result = ns_config_get(maps, "query-source-v6", &obj);
@@ -445,12 +480,62 @@ get_view_querysource_dispatch(const cfg_obj_t **maps,
 }
 
 static isc_result_t
-configure_peer(const cfg_obj_t *cpeer, isc_mem_t *mctx, dns_peer_t **peerp) {
-	const isc_sockaddr_t *sa;
+configure_order(dns_order_t *order, cfg_obj_t *ent) {
+	dns_rdataclass_t rdclass;
+	dns_rdatatype_t rdtype;
+	cfg_obj_t *obj;
+	dns_fixedname_t fixed;
+	unsigned int mode = 0;
+	const char *str;
+	isc_buffer_t b;
+	isc_result_t result;
+
+	result = ns_config_getclass(cfg_tuple_get(ent, "class"),
+				    dns_rdataclass_any, &rdclass);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = ns_config_gettype(cfg_tuple_get(ent, "type"),
+				   dns_rdatatype_any, &rdtype);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	obj = cfg_tuple_get(ent, "name");
+	if (cfg_obj_isstring(obj)) 
+		str = cfg_obj_asstring(obj);
+	else
+		str = "*";
+	isc_buffer_init(&b, str, strlen(str));
+	isc_buffer_add(&b, strlen(str));
+	dns_fixedname_init(&fixed);
+	result = dns_name_fromtext(dns_fixedname_name(&fixed), &b,
+				  dns_rootname, ISC_FALSE, NULL);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	obj = cfg_tuple_get(ent, "ordering");
+	INSIST(cfg_obj_isstring(obj));
+	str = cfg_obj_asstring(obj);
+	if (!strcasecmp(str, "fixed"))
+		mode = DNS_RDATASETATTR_FIXEDORDER;
+	else if (!strcasecmp(str, "random"))
+		mode = DNS_RDATASETATTR_RANDOMIZE;
+	else if (!strcasecmp(str, "cyclic"))
+		mode = 0;
+	else
+		INSIST(0);
+
+	return (dns_order_add(order, dns_fixedname_name(&fixed),
+			      rdtype, rdclass, mode));
+}
+
+static isc_result_t
+configure_peer(cfg_obj_t *cpeer, isc_mem_t *mctx, dns_peer_t **peerp) {
+	isc_sockaddr_t *sa;
 	isc_netaddr_t na;
 	dns_peer_t *peer;
-	const cfg_obj_t *obj;
-	const char *str;
+	cfg_obj_t *obj;
+	char *str;
 	isc_result_t result;
 
 	sa = cfg_obj_assockaddr(cfg_map_getname(cpeer));
@@ -464,36 +549,38 @@ configure_peer(const cfg_obj_t *cpeer, isc_mem_t *mctx, dns_peer_t **peerp) {
 	obj = NULL;
 	(void)cfg_map_get(cpeer, "bogus", &obj);
 	if (obj != NULL)
-		dns_peer_setbogus(peer, cfg_obj_asboolean(obj));
+		CHECK(dns_peer_setbogus(peer, cfg_obj_asboolean(obj)));
 
 	obj = NULL;
 	(void)cfg_map_get(cpeer, "provide-ixfr", &obj);
 	if (obj != NULL)
-		dns_peer_setprovideixfr(peer, cfg_obj_asboolean(obj));
+		CHECK(dns_peer_setprovideixfr(peer, cfg_obj_asboolean(obj)));
 
 	obj = NULL;
 	(void)cfg_map_get(cpeer, "request-ixfr", &obj);
 	if (obj != NULL)
-		dns_peer_setrequestixfr(peer, cfg_obj_asboolean(obj));
+		CHECK(dns_peer_setrequestixfr(peer, cfg_obj_asboolean(obj)));
 
 	obj = NULL;
 	(void)cfg_map_get(cpeer, "edns", &obj);
 	if (obj != NULL)
-		dns_peer_setsupportedns(peer, cfg_obj_asboolean(obj));
+		CHECK(dns_peer_setsupportedns(peer, cfg_obj_asboolean(obj)));
 
 	obj = NULL;
 	(void)cfg_map_get(cpeer, "transfers", &obj);
 	if (obj != NULL)
-		dns_peer_settransfers(peer, cfg_obj_asuint32(obj));
+		CHECK(dns_peer_settransfers(peer, cfg_obj_asuint32(obj)));
 
 	obj = NULL;
 	(void)cfg_map_get(cpeer, "transfer-format", &obj);
 	if (obj != NULL) {
 		str = cfg_obj_asstring(obj);
 		if (strcasecmp(str, "many-answers") == 0)
-			dns_peer_settransferformat(peer, dns_many_answers);
+			CHECK(dns_peer_settransferformat(peer,
+							 dns_many_answers));
 		else if (strcasecmp(str, "one-answer") == 0)
-			dns_peer_settransferformat(peer, dns_one_answer);
+			CHECK(dns_peer_settransferformat(peer,
+							 dns_one_answer));
 		else
 			INSIST(0);
 	}
@@ -505,6 +592,18 @@ configure_peer(const cfg_obj_t *cpeer, isc_mem_t *mctx, dns_peer_t **peerp) {
 		if (result != ISC_R_SUCCESS)
 			goto cleanup;
 	}
+
+	obj = NULL;
+	if (isc_sockaddr_pf(sa) == AF_INET)
+		(void)cfg_map_get(cpeer, "transfer-source", &obj);
+	else
+		(void)cfg_map_get(cpeer, "transfer-source-v6", &obj);
+	if (obj != NULL) {
+		result = dns_peer_settransfersource(peer,
+						    cfg_obj_assockaddr(obj));
+		if (result != ISC_R_SUCCESS)
+			goto cleanup;
+	}
 	*peerp = peer;
 	return (ISC_R_SUCCESS);
 
@@ -513,6 +612,52 @@ configure_peer(const cfg_obj_t *cpeer, isc_mem_t *mctx, dns_peer_t **peerp) {
 	return (result);
 }
 
+static isc_result_t
+disable_algorithms(cfg_obj_t *disabled, dns_resolver_t *resolver) {
+	isc_result_t result;
+	cfg_obj_t *algorithms;
+	cfg_listelt_t *element;
+	const char *str;
+	dns_fixedname_t fixed;
+	dns_name_t *name;
+	isc_buffer_t b;
+
+	dns_fixedname_init(&fixed);
+	name = dns_fixedname_name(&fixed);
+	str = cfg_obj_asstring(cfg_tuple_get(disabled, "name"));
+	isc_buffer_init(&b, str, strlen(str));
+	isc_buffer_add(&b, strlen(str));
+	CHECK(dns_name_fromtext(name, &b, dns_rootname, ISC_FALSE, NULL));
+
+	algorithms = cfg_tuple_get(disabled, "algorithms");
+	for (element = cfg_list_first(algorithms);
+	     element != NULL;
+	     element = cfg_list_next(element))
+	{
+		isc_textregion_t r;
+		dns_secalg_t alg;
+
+		r.base = cfg_obj_asstring(cfg_listelt_value(element));
+		r.length = strlen(r.base);
+
+		result = dns_secalg_fromtext(&alg, &r);
+		if (result != ISC_R_SUCCESS) {
+			isc_uint8_t ui;
+			result = isc_parse_uint8(&ui, r.base, 10);
+			alg = ui;
+		}
+		if (result != ISC_R_SUCCESS) {
+			cfg_obj_log(cfg_listelt_value(element),
+				    ns_g_lctx, ISC_LOG_ERROR,
+				    "invalid algorithm");
+			CHECK(result);
+		}
+		CHECK(dns_resolver_disable_algorithm(resolver, name, alg));
+	}
+ cleanup:
+	return (result);
+}
+
 /*
  * Configure 'view' according to 'vconfig', taking defaults from 'config'
  * where values are missing in 'vconfig'.
@@ -521,22 +666,25 @@ configure_peer(const cfg_obj_t *cpeer, isc_mem_t *mctx, dns_peer_t **peerp) {
  * global defaults in 'config' used exclusively.
  */
 static isc_result_t
-configure_view(dns_view_t *view, const cfg_obj_t *config,
-	       const cfg_obj_t *vconfig, isc_mem_t *mctx,
-	       ns_aclconfctx_t *actx)
+configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
+	       isc_mem_t *mctx, ns_aclconfctx_t *actx,
+	       isc_boolean_t need_hints)
 {
-	const cfg_obj_t *maps[4];
-	const cfg_obj_t *cfgmaps[3];
-	const cfg_obj_t *options = NULL;
-	const cfg_obj_t *voptions = NULL;
-	const cfg_obj_t *forwardtype;
-	const cfg_obj_t *forwarders;
-	const cfg_obj_t *zonelist;
-	const cfg_obj_t *obj;
-	const cfg_listelt_t *element;
+	cfg_obj_t *maps[4];
+	cfg_obj_t *cfgmaps[3];
+	cfg_obj_t *options = NULL;
+	cfg_obj_t *voptions = NULL;
+	cfg_obj_t *forwardtype;
+	cfg_obj_t *forwarders;
+	cfg_obj_t *alternates;
+	cfg_obj_t *zonelist;
+	cfg_obj_t *disabled;
+	cfg_obj_t *obj;
+	cfg_listelt_t *element;
 	in_port_t port;
 	dns_cache_t *cache = NULL;
 	isc_result_t result;
+	isc_uint32_t max_adb_size;
 	isc_uint32_t max_cache_size;
 	isc_uint32_t lame_ttl;
 	dns_tsig_keyring_t *ring;
@@ -547,13 +695,16 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 	isc_boolean_t reused_cache = ISC_FALSE;
 	int i;
 	const char *str;
+	dns_order_t *order = NULL;
+	isc_uint32_t udpsize;
+	unsigned int check = 0;
 
 	REQUIRE(DNS_VIEW_VALID(view));
 
 	cmctx = NULL;
 
 	if (config != NULL)
-		cfg_map_get(config, "options", &options);
+		(void)cfg_map_get(config, "options", &options);
 
 	i = 0;
 	if (vconfig != NULL) {
@@ -572,7 +723,6 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 		cfgmaps[i++] = config;
 	cfgmaps[i] = NULL;
 
-
 	/*
 	 * Set the view's port number for outgoing queries.
 	 */
@@ -591,7 +741,7 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 	     element != NULL;
 	     element = cfg_list_next(element))
 	{
-		const cfg_obj_t *zconfig = cfg_listelt_value(element);
+		cfg_obj_t *zconfig = cfg_listelt_value(element);
 		CHECK(configure_zone(config, zconfig, vconfig, mctx, view,
 				     actx));
 	}
@@ -635,8 +785,8 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 	 */
 	obj = NULL;
 	result = ns_config_get(maps, "cache-file", &obj);
-	if (result == ISC_R_SUCCESS) {
-		dns_cache_setfilename(cache, cfg_obj_asstring(obj));
+	if (result == ISC_R_SUCCESS && strcmp(view->name, "_bind") != 0) {
+		CHECK(dns_cache_setfilename(cache, cfg_obj_asstring(obj)));
 		if (!reused_cache)
 			CHECK(dns_cache_load(cache));
 	}
@@ -671,6 +821,38 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 	dns_cache_detach(&cache);
 
 	/*
+	 * Check-names.
+	 */
+	obj = NULL;
+	str = "";
+	result = ns_config_get(maps, "check-names", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	for (element = cfg_list_first(obj);
+	     element != NULL;
+	     element = cfg_list_next(element)) {
+		cfg_obj_t *value, *type;
+		value = cfg_listelt_value(element);
+		type = cfg_tuple_get(value, "type");
+		if (strcasecmp(cfg_obj_asstring(type), "response") == 0) {
+			str = cfg_obj_asstring(cfg_tuple_get(value, "mode"));
+			break;
+		}
+	}
+
+        if (strcasecmp(str, "fail") == 0) {
+                check = DNS_RESOLVER_CHECKNAMES |
+			DNS_RESOLVER_CHECKNAMESFAIL;
+		view->checknames = ISC_TRUE;
+        } else if (strcasecmp(str, "warn") == 0) {
+                check = DNS_RESOLVER_CHECKNAMES;
+		view->checknames = ISC_FALSE;
+        } else if (strcasecmp(str, "ignore") == 0) {
+		check = 0;
+		view->checknames = ISC_FALSE;
+	} else
+                INSIST(0);
+
+	/*
 	 * Resolver.
 	 *
 	 * XXXRTH  Hardwired number of tasks.
@@ -686,10 +868,21 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 	}
 	CHECK(dns_view_createresolver(view, ns_g_taskmgr, 31,
 				      ns_g_socketmgr, ns_g_timermgr,
-				      0, ns_g_dispatchmgr,
+				      check, ns_g_dispatchmgr,
 				      dispatch4, dispatch6));
 
 	/*
+	 * Set the ADB cache size to 1/8th of the max-cache-size.
+	 */
+	max_adb_size = 0;
+	if (max_cache_size != 0) {
+		max_adb_size = max_cache_size / 8;
+		if (max_adb_size == 0)
+			max_adb_size = 1;	/* Force minimum. */
+	}
+	dns_adb_setadbsize(view->adb, max_adb_size);
+
+	/*
 	 * Set resolver's lame-ttl.
 	 */
 	obj = NULL;
@@ -701,6 +894,33 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 	dns_resolver_setlamettl(view->resolver, lame_ttl);
 	
 	/*
+	 * Set the resolver's EDNS UDP size.
+	 */
+	obj = NULL;
+	result = ns_config_get(maps, "edns-udp-size", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	udpsize = cfg_obj_asuint32(obj);
+	if (udpsize < 512)
+		udpsize = 512;
+	if (udpsize > 4096)
+		udpsize = 4096;
+	dns_resolver_setudpsize(view->resolver, udpsize);
+	
+	/*
+	 * Set supported DNSSEC algorithms.
+	 */
+	dns_resolver_reset_algorithms(view->resolver);
+	disabled = NULL;
+	(void)ns_config_get(maps, "disable-algorithms", &disabled);
+	if (disabled != NULL) {
+		for (element = cfg_list_first(disabled);
+		     element != NULL;
+		     element = cfg_list_next(element))
+			CHECK(disable_algorithms(cfg_listelt_value(element),
+						 view->resolver));
+	}
+
+	/*
 	 * A global or view "forwarders" option, if present,
 	 * creates an entry for "." in the forwarding table.
 	 */
@@ -713,6 +933,14 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 					forwarders, forwardtype));
 
 	/*
+	 * Dual Stack Servers.
+	 */
+	alternates = NULL;
+	(void)ns_config_get(maps, "dual-stack-servers", &alternates);
+	if (alternates != NULL)
+		CHECK(configure_alternates(config, view, alternates));
+
+	/*
 	 * We have default hints for class IN if we need them.
 	 */
 	if (view->rdclass == dns_rdataclass_in && view->hints == NULL)
@@ -722,20 +950,21 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 	 * If we still have no hints, this is a non-IN view with no
 	 * "hints zone" configured.  Issue a warning, except if this
 	 * is a root server.  Root servers never need to consult 
-	 * their hints, so it's no point requireing users to configure
+	 * their hints, so it's no point requiring users to configure
 	 * them.
 	 */
 	if (view->hints == NULL) {
 		dns_zone_t *rootzone = NULL;
-		dns_view_findzone(view, dns_rootname, &rootzone);
+		(void)dns_view_findzone(view, dns_rootname, &rootzone);
 		if (rootzone != NULL) {
 			dns_zone_detach(&rootzone);
-		} else {
+			need_hints = ISC_FALSE;
+		}
+		if (need_hints)
 			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
 				      NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
 				      "no root hints for view '%s'",
 				      view->name);
-		}
 	}
 
 	/*
@@ -749,8 +978,8 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 	 * Configure the view's peer list.
 	 */
 	{
-		const cfg_obj_t *peers = NULL;
-		const cfg_listelt_t *element;
+		cfg_obj_t *peers = NULL;
+		cfg_listelt_t *element;
 		dns_peerlist_t *newpeers = NULL;
 
 		(void)ns_config_get(cfgmaps, "server", &peers);
@@ -759,7 +988,7 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 		     element != NULL;
 		     element = cfg_list_next(element))
 		{
-			const cfg_obj_t *cpeer = cfg_listelt_value(element);
+			cfg_obj_t *cpeer = cfg_listelt_value(element);
 			dns_peer_t *peer;
 
 			CHECK(configure_peer(cpeer, mctx, &peer));
@@ -771,6 +1000,28 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 	}
 
 	/*
+	 *	Configure the views rrset-order.
+	 */
+	{
+		cfg_obj_t *rrsetorder = NULL;
+		cfg_listelt_t *element;
+
+		(void)ns_config_get(maps, "rrset-order", &rrsetorder);
+		CHECK(dns_order_create(mctx, &order));
+		for (element = cfg_list_first(rrsetorder);
+		     element != NULL;
+		     element = cfg_list_next(element))
+		{
+			cfg_obj_t *ent = cfg_listelt_value(element);
+
+			CHECK(configure_order(order, ent));
+		}
+		if (view->order != NULL)
+			dns_order_detach(&view->order);
+		dns_order_attach(order, &view->order);
+		dns_order_detach(&order);
+	}
+	/*
 	 * Copy the aclenv object.
 	 */
 	dns_aclenv_copy(&view->aclenv, &ns_g_server->aclenv);
@@ -787,7 +1038,7 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 	 * Configure the "match-recursive-only" option.
 	 */
 	obj = NULL;
-	(void)ns_config_get(maps, "match-recursive-only", &obj);
+	(void) ns_config_get(maps, "match-recursive-only", &obj);
 	if (obj != NULL && cfg_obj_asboolean(obj))
 		view->matchrecursiveonly = ISC_TRUE;
 	else
@@ -855,9 +1106,6 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 		CHECK(configure_view_acl(vconfig, config, "allow-recursion",
 					 actx, ns_g_mctx, &view->recursionacl));
 
-	CHECK(configure_view_acl(vconfig, config, "allow-v6-synthesis",
-				 actx, ns_g_mctx, &view->v6synthesisacl));
-
 	/*
 	 * Warning if both "recursion no;" and allow-recursion are active
 	 * except for "allow-recursion { none; };".
@@ -892,13 +1140,33 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 	result = ns_config_get(maps, "provide-ixfr", &obj);
 	INSIST(result == ISC_R_SUCCESS);
 	view->provideixfr = cfg_obj_asboolean(obj);
+			
+	obj = NULL;
+	result = ns_config_get(maps, "dnssec-enable", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	view->enablednssec = cfg_obj_asboolean(obj);
+
+	obj = NULL;
+	result = ns_config_get(maps, "dnssec-lookaside", &obj);
+	if (result == ISC_R_SUCCESS) {
+		const char *dlv;
+		isc_buffer_t b;
+		dlv = cfg_obj_asstring(obj);
+		isc_buffer_init(&b, dlv, strlen(dlv));
+		isc_buffer_add(&b, strlen(dlv));
+		CHECK(dns_name_fromtext(dns_fixedname_name(&view->dlv_fixed),
+					&b, dns_rootname, ISC_TRUE, NULL));
+		view->dlv = dns_fixedname_name(&view->dlv_fixed);
+	} else
+		view->dlv = NULL;
 
 	/*
 	 * For now, there is only one kind of trusted keys, the
 	 * "security roots".
 	 */
-	CHECK(configure_view_dnsseckeys(vconfig, config, mctx,
-				  &view->secroots));
+	if (view->enablednssec)
+		CHECK(configure_view_dnsseckeys(vconfig, config, mctx,
+					        &view->secroots));
 
 	obj = NULL;
 	result = ns_config_get(maps, "max-cache-ttl", &obj);
@@ -913,6 +1181,19 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 		view->maxncachettl = 7 * 24 * 3600;
 
 	obj = NULL;
+	result = ns_config_get(maps, "preferred-glue", &obj);
+	if (result == ISC_R_SUCCESS) {
+		str = cfg_obj_asstring(obj);
+		if (strcasecmp(str, "a") == 0)
+			view->preferred_glue = dns_rdatatype_a;
+		else if (strcasecmp(str, "aaaa") == 0)
+			view->preferred_glue = dns_rdatatype_aaaa;
+		else
+			view->preferred_glue = 0;
+        } else
+		view->preferred_glue = 0;
+
+	obj = NULL;
 	result = ns_config_get(maps, "root-delegation-only", &obj);
 	if (result == ISC_R_SUCCESS) {
 		dns_view_setrootdelonly(view, ISC_TRUE);
@@ -920,8 +1201,8 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 			dns_fixedname_t fixed;
 			dns_name_t *name;
 			isc_buffer_t b;
-			const char *str;
-			const cfg_obj_t *exclude;
+			char *str;
+			cfg_obj_t *exclude;
 
 			dns_fixedname_init(&fixed);
 			name = dns_fixedname_name(&fixed);
@@ -948,6 +1229,8 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 		dns_dispatch_detach(&dispatch4);
 	if (dispatch6 != NULL)
 		dns_dispatch_detach(&dispatch6);
+	if (order != NULL)
+		dns_order_detach(&order);
 	if (cmctx != NULL)
 		isc_mem_detach(&cmctx);
 
@@ -957,301 +1240,113 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 	return (result);
 }
 
-/*
- * Create the special view that handles queries under "bind. CH".
- */
-static isc_result_t
-create_bind_view(dns_view_t **viewp) {
-	isc_result_t result;
-	dns_view_t *view = NULL;
-
-	REQUIRE(viewp != NULL && *viewp == NULL);
-
-	CHECK(dns_view_create(ns_g_mctx, dns_rdataclass_ch, "_bind", &view));
-
-	/* Transfer ownership. */
-	*viewp = view;
-	view = NULL;
-
-	result = ISC_R_SUCCESS;
-
- cleanup:
-	if (view != NULL)
-		dns_view_detach(&view);
-
-	return (result);
-}
-
-/*
- * Create the zone that handles queries for "version.bind. CH".   The
- * version string is returned either from the "version" configuration
- * option or the global defaults.
- */
 static isc_result_t
-create_version_zone(const cfg_obj_t **maps, dns_zonemgr_t *zmgr,
-		    dns_view_t *view)
-{
+configure_hints(dns_view_t *view, const char *filename) {
 	isc_result_t result;
-	dns_db_t *db = NULL;
-	dns_zone_t *zone = NULL;
-	dns_dbversion_t *dbver = NULL;
-	dns_difftuple_t *tuple = NULL;
-	dns_diff_t diff;
-	const char *versiontext;
-	unsigned char buf[256];
-	isc_region_t r;
-	size_t len;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	static const unsigned char origindata[] = "\007version\004bind";
-	static const unsigned char soadata[] = "\007version\004bind\0"
-					 "\012hostmaster\007version\004bind\0"
-					 "\0\0\0\001"	/* serial */
-					 "\0\0\0\0"	/* refresh */
-					 "\0\0\0\0"	/* retry */
-					 "\0\0\0\0"	/* expire */
-					 "\0\0\0\0";	/* minimum */
-	dns_name_t origin;
-	const cfg_obj_t *obj = NULL;
-	dns_acl_t *acl = NULL;
-
-	dns_diff_init(ns_g_mctx, &diff);
-
-	dns_name_init(&origin, NULL);
-	DE_CONST(origindata, r.base);
-	r.length = sizeof(origindata);
-	dns_name_fromregion(&origin, &r);
-
-	result = ns_config_get(maps, "version", &obj);
-	INSIST(result == ISC_R_SUCCESS);
-	versiontext = cfg_obj_asstring(obj);
-	len = strlen(versiontext);
-	if (len > 255U)
-		len = 255; /* Silently truncate. */
-	buf[0] = len;
-	memcpy(buf + 1, versiontext, len);
-
-	CHECK(dns_zone_create(&zone, ns_g_mctx));
-	CHECK(dns_zone_setorigin(zone, &origin));
-	dns_zone_settype(zone, dns_zone_master);
-	dns_zone_setclass(zone, dns_rdataclass_ch);
-	/* Transfers don't work so deny them. */
-	CHECK(dns_acl_none(ns_g_mctx, &acl));
-	dns_zone_setxfracl(zone, acl);
-	dns_acl_detach(&acl);
-	dns_zone_setview(zone, view);
-
-	CHECK(dns_zonemgr_managezone(zmgr, zone));
-
-	CHECK(dns_db_create(ns_g_mctx, "rbt", &origin, dns_dbtype_zone,
-			    dns_rdataclass_ch, 0, NULL, &db));
-
-	CHECK(dns_db_newversion(db, &dbver));
-
-	/* SOA record. */
-	tuple = NULL;
-	DE_CONST(soadata, r.base);
-	r.length = sizeof(soadata) - 1;
-	dns_rdata_fromregion(&rdata, dns_rdataclass_ch, dns_rdatatype_soa, &r);
-	CHECK(dns_difftuple_create(ns_g_mctx, DNS_DIFFOP_ADD, &origin,
-				   0, &rdata, &tuple));
-	dns_diff_append(&diff, &tuple);
-	dns_rdata_reset(&rdata);
-
-	/* NS record. */
-	tuple = NULL;
-	DE_CONST(origindata, r.base);
-	r.length = sizeof(origindata);
-	dns_rdata_fromregion(&rdata, dns_rdataclass_ch, dns_rdatatype_ns, &r);
-	CHECK(dns_difftuple_create(ns_g_mctx, DNS_DIFFOP_ADD, &origin,
-				   0, &rdata, &tuple));
-	dns_diff_append(&diff, &tuple);
-	dns_rdata_reset(&rdata);
-
-	/* TXT record. */
-	tuple = NULL;
-	r.base = buf;
-	r.length = 1 + len;
-	dns_rdata_fromregion(&rdata, dns_rdataclass_ch, dns_rdatatype_txt, &r);
-	CHECK(dns_difftuple_create(ns_g_mctx, DNS_DIFFOP_ADD, &origin,
-				   0, &rdata, &tuple));
-	dns_diff_append(&diff, &tuple);
-
-	CHECK(dns_diff_apply(&diff, db, dbver));
-
-	dns_db_closeversion(db, &dbver, ISC_TRUE);
-
-	CHECK(dns_zone_replacedb(zone, db, ISC_FALSE));
-
-	CHECK(dns_view_addzone(view, zone));
-			
-	result = ISC_R_SUCCESS;
+	dns_db_t *db;
 
- cleanup:
-	if (zone != NULL)
-		dns_zone_detach(&zone);
-	if (dbver != NULL)
-		dns_db_closeversion(db, &dbver, ISC_FALSE);
-	if (db != NULL)
+	db = NULL;
+	result = dns_rootns_create(view->mctx, view->rdclass, filename, &db);
+	if (result == ISC_R_SUCCESS) {
+		dns_view_sethints(view, db);
 		dns_db_detach(&db);
-	dns_diff_clear(&diff);
+	}
 
 	return (result);
 }
 
-/*
- * Create the special zone that handles queries for "authors.bind. CH".
- * The strings returned list the BIND 9 authors.
- */
 static isc_result_t
-create_authors_zone(const cfg_obj_t *options, dns_zonemgr_t *zmgr,
-		    dns_view_t *view)
+configure_alternates(cfg_obj_t *config, dns_view_t *view,
+		     cfg_obj_t *alternates)
 {
-	isc_result_t result;
-	dns_db_t *db = NULL;
-	dns_zone_t *zone = NULL;
-	dns_dbversion_t *dbver = NULL;
-	dns_difftuple_t *tuple;
-	dns_diff_t diff;
-	isc_region_t r;
-	isc_region_t cr;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	static const unsigned char origindata[] = "\007authors\004bind";
-	static const unsigned char soadata[] = "\007authors\004bind\0"
-					 "\012hostmaster\007authors\004bind\0"
-					 "\0\0\0\001"	/* serial */
-					 "\0\0\0\0"	/* refresh */
-					 "\0\0\0\0"	/* retry */
-					 "\0\0\0\0"	/* expire */
-					 "\0\0\0\0";	/* minimum */
-	dns_name_t origin;
-	int i;
-	static const char *authors[] = {
-		"\014Mark Andrews",
-		"\015James Brister",
-		"\014Ben Cottrell",
-		"\015Michael Graff",
-		"\022Andreas Gustafsson",
-		"\012Bob Halley",
-		"\016David Lawrence",
-		"\013Danny Mayer",
-		"\013Damien Neil",
-		"\013Matt Nelson",
-		"\016Michael Sawyer",
-		"\020Brian Wellington",
-		NULL,
-	};
-	const cfg_obj_t *obj = NULL;
-	dns_acl_t *acl = NULL;
-
-	/*
-	 * If a version string is specified, disable the authors.bind zone.
-	 */
-	if (options != NULL &&
-	    cfg_map_get(options, "version", &obj) == ISC_R_SUCCESS)
-		return (ISC_R_SUCCESS);
+	cfg_obj_t *portobj;
+	cfg_obj_t *addresses;
+	cfg_listelt_t *element;
+	isc_result_t result = ISC_R_SUCCESS;
+	in_port_t port;
 
-	dns_diff_init(ns_g_mctx, &diff);
-
-	dns_name_init(&origin, NULL);
-	DE_CONST(origindata, r.base);
-	r.length = sizeof(origindata);
-	dns_name_fromregion(&origin, &r);
-
-	CHECK(dns_zone_create(&zone, ns_g_mctx));
-	CHECK(dns_zone_setorigin(zone, &origin));
-	dns_zone_settype(zone, dns_zone_master);
-	dns_zone_setclass(zone, dns_rdataclass_ch);
-	/* Transfers don't work so deny them. */
-	CHECK(dns_acl_none(ns_g_mctx, &acl));
-	dns_zone_setxfracl(zone, acl);
-	dns_acl_detach(&acl);
-	dns_zone_setview(zone, view);
-
-	CHECK(dns_zonemgr_managezone(zmgr, zone));
-
-	CHECK(dns_db_create(ns_g_mctx, "rbt", &origin, dns_dbtype_zone,
-			    dns_rdataclass_ch, 0, NULL, &db));
-
-	CHECK(dns_db_newversion(db, &dbver));
-
-	/* SOA record. */
-	tuple = NULL;
-	DE_CONST(soadata, r.base);
-	r.length = sizeof(soadata) - 1;
-	dns_rdata_fromregion(&rdata, dns_rdataclass_ch, dns_rdatatype_soa, &r);
-	CHECK(dns_difftuple_create(ns_g_mctx, DNS_DIFFOP_ADD, &origin,
-				   0, &rdata, &tuple));
-	dns_diff_append(&diff, &tuple);
-	dns_rdata_reset(&rdata);
-
-	/* NS record. */
-	tuple = NULL;
-	DE_CONST(origindata, r.base);
-	r.length = sizeof(origindata);
-	dns_rdata_fromregion(&rdata, dns_rdataclass_ch, dns_rdatatype_ns, &r);
-	CHECK(dns_difftuple_create(ns_g_mctx, DNS_DIFFOP_ADD, &origin,
-				   0, &rdata, &tuple));
-	dns_diff_append(&diff, &tuple);
-	dns_rdata_reset(&rdata);
-
-	/* TXT records. */
-	for (i = 0; authors[i] != NULL; i++) {
-		DE_CONST(authors[i], cr.base);
-		cr.length = strlen(authors[i]);
-		INSIST(cr.length == cr.base[0] + 1U);
-		dns_rdata_fromregion(&rdata, dns_rdataclass_ch,
-				     dns_rdatatype_txt, &cr);
-		tuple = NULL;
-		CHECK(dns_difftuple_create(ns_g_mctx, DNS_DIFFOP_ADD, &origin,
-					   0, &rdata, &tuple));
-		dns_diff_append(&diff, &tuple);
-		dns_rdata_reset(&rdata);
-	}
-
-	CHECK(dns_diff_apply(&diff, db, dbver));
-
-	dns_db_closeversion(db, &dbver, ISC_TRUE);
-
-	CHECK(dns_zone_replacedb(zone, db, ISC_FALSE));
+	/*
+	 * Determine which port to send requests to.
+	 */
+	if (ns_g_lwresdonly && ns_g_port != 0)
+		port = ns_g_port;
+	else
+		CHECKM(ns_config_getport(config, &port), "port");
 
-	CHECK(dns_view_addzone(view, zone));
+	if (alternates != NULL) {
+		portobj = cfg_tuple_get(alternates, "port");
+		if (cfg_obj_isuint32(portobj)) {
+			isc_uint32_t val = cfg_obj_asuint32(portobj);
+			if (val > ISC_UINT16_MAX) {
+				cfg_obj_log(portobj, ns_g_lctx, ISC_LOG_ERROR,
+					    "port '%u' out of range", val);
+				return (ISC_R_RANGE);
+			}
+			port = (in_port_t) val;
+		}
+	}
 
-	result = ISC_R_SUCCESS;
+	addresses = NULL;
+	if (alternates != NULL)
+		addresses = cfg_tuple_get(alternates, "addresses");
 
- cleanup:
-	if (zone != NULL)
-		dns_zone_detach(&zone);
-	if (dbver != NULL)
-		dns_db_closeversion(db, &dbver, ISC_FALSE);
-	if (db != NULL)
-		dns_db_detach(&db);
-	dns_diff_clear(&diff);
+	for (element = cfg_list_first(addresses);
+	     element != NULL;
+	     element = cfg_list_next(element))
+	{
+		cfg_obj_t *alternate = cfg_listelt_value(element);
+		isc_sockaddr_t sa;
 
-	return (result);
-}
+		if (!cfg_obj_issockaddr(alternate)) {
+			dns_fixedname_t fixed;
+			dns_name_t *name;
+			char *str = cfg_obj_asstring(cfg_tuple_get(alternate,
+								   "name"));
+			isc_buffer_t buffer;
+			in_port_t myport = port;
 
-static isc_result_t
-configure_hints(dns_view_t *view, const char *filename) {
-	isc_result_t result;
-	dns_db_t *db;
+			isc_buffer_init(&buffer, str, strlen(str));
+			isc_buffer_add(&buffer, strlen(str));
+			dns_fixedname_init(&fixed);
+			name = dns_fixedname_name(&fixed);
+			CHECK(dns_name_fromtext(name, &buffer, dns_rootname,
+						ISC_FALSE, NULL));
+
+			portobj = cfg_tuple_get(alternates, "port");
+			if (cfg_obj_isuint32(portobj)) {
+				isc_uint32_t val = cfg_obj_asuint32(portobj);
+				if (val > ISC_UINT16_MAX) {
+					cfg_obj_log(portobj, ns_g_lctx,
+						    ISC_LOG_ERROR,
+						    "port '%u' out of range",
+						     val);
+					return (ISC_R_RANGE);
+				}
+				myport = (in_port_t) val;
+			}
+			CHECK(dns_resolver_addalternate(view->resolver, NULL,
+							name, myport));
+			continue;
+		}
 
-	db = NULL;
-	result = dns_rootns_create(view->mctx, view->rdclass, filename, &db);
-	if (result == ISC_R_SUCCESS) {
-		dns_view_sethints(view, db);
-		dns_db_detach(&db);
+		sa = *cfg_obj_assockaddr(alternate);
+		if (isc_sockaddr_getport(&sa) == 0)
+			isc_sockaddr_setport(&sa, port);
+		CHECK(dns_resolver_addalternate(view->resolver, &sa,
+						NULL, 0));
 	}
 
+ cleanup:
 	return (result);
 }
 
 static isc_result_t
-configure_forward(const cfg_obj_t *config, dns_view_t *view, dns_name_t *origin,
-		  const cfg_obj_t *forwarders, const cfg_obj_t *forwardtype)
+configure_forward(cfg_obj_t *config, dns_view_t *view, dns_name_t *origin,
+		  cfg_obj_t *forwarders, cfg_obj_t *forwardtype)
 {
-	const cfg_obj_t *portobj;
-	const cfg_obj_t *faddresses;
-	const cfg_listelt_t *element;
+	cfg_obj_t *portobj;
+	cfg_obj_t *faddresses;
+	cfg_listelt_t *element;
 	dns_fwdpolicy_t fwdpolicy = dns_fwdpolicy_none;
 	isc_sockaddrlist_t addresses;
 	isc_sockaddr_t *sa;
@@ -1289,7 +1384,7 @@ configure_forward(const cfg_obj_t *config, dns_view_t *view, dns_name_t *origin,
 	     element != NULL;
 	     element = cfg_list_next(element))
 	{
-		const cfg_obj_t *forwarder = cfg_listelt_value(element);
+		cfg_obj_t *forwarder = cfg_listelt_value(element);
 		sa = isc_mem_get(view->mctx, sizeof(isc_sockaddr_t));
 		if (sa == NULL) {
 			result = ISC_R_NOMEMORY;
@@ -1312,7 +1407,7 @@ configure_forward(const cfg_obj_t *config, dns_view_t *view, dns_name_t *origin,
 		if (forwardtype == NULL)
 			fwdpolicy = dns_fwdpolicy_first;
 		else {
-			const char *forwardstr = cfg_obj_asstring(forwardtype);
+			char *forwardstr = cfg_obj_asstring(forwardtype);
 			if (strcasecmp(forwardstr, "first") == 0)
 				fwdpolicy = dns_fwdpolicy_first;
 			else if (strcasecmp(forwardstr, "only") == 0)
@@ -1354,16 +1449,14 @@ configure_forward(const cfg_obj_t *config, dns_view_t *view, dns_name_t *origin,
  * The view created is attached to '*viewp'.
  */
 static isc_result_t
-create_view(const cfg_obj_t *vconfig, dns_viewlist_t *viewlist,
-	    dns_view_t **viewp)
-{
+create_view(cfg_obj_t *vconfig, dns_viewlist_t *viewlist, dns_view_t **viewp) {
 	isc_result_t result;
 	const char *viewname;
 	dns_rdataclass_t viewclass;
 	dns_view_t *view = NULL;
 
 	if (vconfig != NULL) {
-		const cfg_obj_t *classobj = NULL;
+		cfg_obj_t *classobj = NULL;
 
 		viewname = cfg_obj_asstring(cfg_tuple_get(vconfig, "name"));
 		classobj = cfg_tuple_get(vconfig, "class");
@@ -1393,19 +1486,19 @@ create_view(const cfg_obj_t *vconfig, dns_viewlist_t *viewlist,
  * Configure or reconfigure a zone.
  */
 static isc_result_t
-configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
-	       const cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view,
+configure_zone(cfg_obj_t *config, cfg_obj_t *zconfig, cfg_obj_t *vconfig,
+	       isc_mem_t *mctx, dns_view_t *view,
 	       ns_aclconfctx_t *aclconf)
 {
 	dns_view_t *pview = NULL;	/* Production view */
 	dns_zone_t *zone = NULL;	/* New or reused zone */
 	dns_zone_t *dupzone = NULL;
-	const cfg_obj_t *options = NULL;
-	const cfg_obj_t *zoptions = NULL;
-	const cfg_obj_t *typeobj = NULL;
-	const cfg_obj_t *forwarders = NULL;
-	const cfg_obj_t *forwardtype = NULL;
-	const cfg_obj_t *only = NULL;
+	cfg_obj_t *options = NULL;
+	cfg_obj_t *zoptions = NULL;
+	cfg_obj_t *typeobj = NULL;
+	cfg_obj_t *forwarders = NULL;
+	cfg_obj_t *forwardtype = NULL;
+	cfg_obj_t *only = NULL;
 	isc_result_t result;
 	isc_result_t tresult;
 	isc_buffer_t buffer;
@@ -1462,7 +1555,7 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
 	 * configure it and return.
 	 */
 	if (strcasecmp(ztypestr, "hint") == 0) {
-		const cfg_obj_t *fileobj = NULL;
+		cfg_obj_t *fileobj = NULL;
 		if (cfg_map_get(zoptions, "file", &fileobj) != ISC_R_SUCCESS) {
 			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
 				      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
@@ -1472,7 +1565,7 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
 			goto cleanup;
 		}
 		if (dns_name_equal(origin, dns_rootname)) {
-			const char *hintsfile = cfg_obj_asstring(fileobj);
+			char *hintsfile = cfg_obj_asstring(fileobj);
 
 			result = configure_hints(view, hintsfile);
 			if (result != ISC_R_SUCCESS) {
@@ -1534,6 +1627,8 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
 		/*
 		 * We already have this zone!
 		 */
+		cfg_obj_log(zconfig, ns_g_lctx, ISC_LOG_ERROR,
+			    "zone '%s' already exists", zname);
 		dns_zone_detach(&dupzone);
 		result = ISC_R_EXISTS;
 		goto cleanup;
@@ -1588,7 +1683,7 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
 	if (cfg_map_get(zoptions, "forwarders", &forwarders) == ISC_R_SUCCESS)
 	{
 		forwardtype = NULL;
-		cfg_map_get(zoptions, "forward", &forwardtype);
+		(void)cfg_map_get(zoptions, "forward", &forwardtype);
 		CHECK(configure_forward(config, view, origin, forwarders,
 					forwardtype));
 	}
@@ -1626,10 +1721,9 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
  * Configure a single server quota.
  */
 static void
-configure_server_quota(const cfg_obj_t **maps, const char *name,
-		       isc_quota_t *quota)
+configure_server_quota(cfg_obj_t **maps, const char *name, isc_quota_t *quota)
 {
-	const cfg_obj_t *obj = NULL;
+	cfg_obj_t *obj = NULL;
 	isc_result_t result;
 
 	result = ns_config_get(maps, name, &obj);
@@ -1642,9 +1736,9 @@ configure_server_quota(const cfg_obj_t **maps, const char *name,
  * parsed.  This can be extended to support other options if necessary.
  */
 static isc_result_t
-directory_callback(const char *clausename, const cfg_obj_t *obj, void *arg) {
+directory_callback(const char *clausename, cfg_obj_t *obj, void *arg) {
 	isc_result_t result;
-	const char *directory;
+	char *directory;
 
 	REQUIRE(strcasecmp("directory", clausename) == 0);
 
@@ -1687,6 +1781,130 @@ scan_interfaces(ns_server_t *server, isc_boolean_t verbose) {
 	server->aclenv.match_mapped = match_mapped;
 }
 
+static isc_result_t
+add_listenelt(isc_mem_t *mctx, ns_listenlist_t *list, isc_sockaddr_t *addr) {
+	ns_listenelt_t *lelt = NULL;
+	dns_acl_t *src_acl = NULL;
+	dns_aclelement_t aelt;
+	isc_result_t result;
+	isc_sockaddr_t any_sa6;
+
+	REQUIRE(isc_sockaddr_pf(addr) == AF_INET6);
+
+	isc_sockaddr_any6(&any_sa6);
+	if (!isc_sockaddr_equal(&any_sa6, addr)) {
+		aelt.type = dns_aclelementtype_ipprefix;
+		aelt.negative = ISC_FALSE;
+		aelt.u.ip_prefix.prefixlen = 128;
+		isc_netaddr_fromin6(&aelt.u.ip_prefix.address,
+				    &addr->type.sin6.sin6_addr);
+
+		result = dns_acl_create(mctx, 1, &src_acl);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+		result = dns_acl_appendelement(src_acl, &aelt);
+		if (result != ISC_R_SUCCESS)
+			goto clean;
+
+		result = ns_listenelt_create(mctx, isc_sockaddr_getport(addr),
+					     src_acl, &lelt);
+		if (result != ISC_R_SUCCESS)
+			goto clean;
+		ISC_LIST_APPEND(list->elts, lelt, link);
+	}
+
+	return (ISC_R_SUCCESS);
+
+ clean:
+	INSIST(lelt == NULL);
+	if (src_acl != NULL)
+		dns_acl_detach(&src_acl);
+
+	return (result);
+}
+
+/*
+ * Make a list of xxx-source addresses and call ns_interfacemgr_adjust()
+ * to update the listening interfaces accordingly.
+ * We currently only consider IPv6, because this only affects IPv6 wildcard
+ * sockets.
+ */
+static void
+adjust_interfaces(ns_server_t *server, isc_mem_t *mctx) {
+	isc_result_t result;
+	ns_listenlist_t *list = NULL;
+	dns_view_t *view;
+	dns_zone_t *zone, *next;
+	isc_sockaddr_t addr, *addrp;
+
+	result = ns_listenlist_create(mctx, &list);
+	if (result != ISC_R_SUCCESS)
+		return;
+
+	for (view = ISC_LIST_HEAD(server->viewlist);
+	     view != NULL;
+	     view = ISC_LIST_NEXT(view, link)) {
+		dns_dispatch_t *dispatch6;
+
+		dispatch6 = dns_resolver_dispatchv6(view->resolver);
+		INSIST(dispatch6 != NULL);
+		result = dns_dispatch_getlocaladdress(dispatch6, &addr);
+		if (result != ISC_R_SUCCESS)
+			goto fail;
+		result = add_listenelt(mctx, list, &addr);
+		if (result != ISC_R_SUCCESS)
+			goto fail;
+	}
+
+	zone = NULL;
+	for (result = dns_zone_first(server->zonemgr, &zone);
+	     result == ISC_R_SUCCESS;
+	     next = NULL, result = dns_zone_next(zone, &next), zone = next) {
+		dns_view_t *zoneview;
+
+		/*
+		 * At this point the zone list may contain a stale zone
+		 * just removed from the configuration.  To see the validity,
+		 * check if the corresponding view is in our current view list.
+		 */
+		zoneview = dns_zone_getview(zone);
+		INSIST(zoneview != NULL);
+		for (view = ISC_LIST_HEAD(server->viewlist);
+		     view != NULL && view != zoneview;
+		     view = ISC_LIST_NEXT(view, link))
+			;
+		if (view == NULL)
+			continue;
+
+		addrp = dns_zone_getnotifysrc6(zone);
+		result = add_listenelt(mctx, list, addrp);
+		if (result != ISC_R_SUCCESS)
+			goto fail;
+
+		addrp = dns_zone_getxfrsource6(zone);
+		result = add_listenelt(mctx, list, addrp);
+		if (result != ISC_R_SUCCESS)
+			goto fail;
+	}
+
+	ns_interfacemgr_adjust(server->interfacemgr, list, ISC_TRUE);
+	
+ clean:
+	ns_listenlist_detach(&list);
+	return;
+
+ fail:
+	/*
+	 * Even when we failed the procedure, most of other interfaces
+	 * should work correctly.  We therefore just warn it.
+	 */
+	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+		      NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
+		      "could not adjust the listen-on list; "
+		      "some interfaces may not work");
+	goto clean;
+}
+
 /*
  * This event callback is invoked to do periodic network
  * interface scanning.
@@ -1705,7 +1923,7 @@ interface_timer_tick(isc_task_t *task, isc_event_t *event) {
 	result = isc_task_beginexclusive(server->task);
 	RUNTIME_CHECK(result == ISC_R_SUCCESS);
 	scan_interfaces(server, ISC_FALSE);
-	isc_task_endexclusive(server->task);	
+	isc_task_endexclusive(server->task);
 }
 
 static void
@@ -1722,43 +1940,49 @@ heartbeat_timer_tick(isc_task_t *task, isc_event_t *event) {
 	}
 }
 
+/*
+ * Replace the current value of '*field', a dynamically allocated
+ * string or NULL, with a dynamically allocated copy of the
+ * null-terminated string pointed to by 'value', or NULL.
+ */
 static isc_result_t
-setstatsfile(ns_server_t *server, const char *name) {
-	char *p;
+setstring(ns_server_t *server, char **field, const char *value) {
+	char *copy;
 
-	REQUIRE(name != NULL);
+	if (value != NULL) {
+		copy = isc_mem_strdup(server->mctx, value);
+		if (copy == NULL)
+			return (ISC_R_NOMEMORY);
+	} else {
+		copy = NULL;
+	}
 
-	p = isc_mem_strdup(server->mctx, name);
-	if (p == NULL)
-		return (ISC_R_NOMEMORY);
-	if (server->statsfile != NULL)
-		isc_mem_free(server->mctx, server->statsfile);
-	server->statsfile = p;
+	if (*field != NULL)
+		isc_mem_free(server->mctx, *field);
+
+	*field = copy;
 	return (ISC_R_SUCCESS);
-}
+}	
 
+/*
+ * Replace the current value of '*field', a dynamically allocated
+ * string or NULL, with another dynamically allocated string
+ * or NULL if whether 'obj' is a string or void value, respectively.
+ */
 static isc_result_t
-setdumpfile(ns_server_t *server, const char *name) {
-	char *p;
-
-	REQUIRE(name != NULL);
-
-	p = isc_mem_strdup(server->mctx, name);
-	if (p == NULL)
-		return (ISC_R_NOMEMORY);
-	if (server->dumpfile != NULL)
-		isc_mem_free(server->mctx, server->dumpfile);
-	server->dumpfile = p;
-	return (ISC_R_SUCCESS);
+setoptstring(ns_server_t *server, char **field, cfg_obj_t *obj) {
+	if (cfg_obj_isvoid(obj))
+		return (setstring(server, field, NULL));
+	else
+		return (setstring(server, field, cfg_obj_asstring(obj)));
 }
 
 static void
-set_limit(const cfg_obj_t **maps, const char *configname,
-	  const char *description, isc_resource_t resourceid,
-	  isc_resourcevalue_t defaultvalue)
+set_limit(cfg_obj_t **maps, const char *configname, const char *description,
+	  isc_resource_t resourceid, isc_resourcevalue_t defaultvalue)
 {
-	const cfg_obj_t *obj = NULL;
-	const char *resource;
+	cfg_obj_t *obj = NULL;
+	char *resource;
 	isc_resourcevalue_t value;
 	isc_result_t result;
 
@@ -1789,7 +2013,7 @@ set_limit(const cfg_obj_t **maps, const char *configname,
 		  ns_g_init ## resource)
 
 static void
-set_limits(const cfg_obj_t **maps) {
+set_limits(cfg_obj_t **maps) {
 	SETLIMIT("stacksize", stacksize, "stack size");
 	SETLIMIT("datasize", datasize, "data size");
 	SETLIMIT("coresize", coresize, "core size");
@@ -1797,17 +2021,39 @@ set_limits(const cfg_obj_t **maps) {
 }
 
 static isc_result_t
+portlist_fromconf(dns_portlist_t *portlist, unsigned int family,
+		  cfg_obj_t *ports)
+{
+	cfg_listelt_t *element;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	for (element = cfg_list_first(ports);
+	     element != NULL;
+	     element = cfg_list_next(element)) {
+		cfg_obj_t *obj = cfg_listelt_value(element);
+		in_port_t port = cfg_obj_asuint32(obj);
+		
+		result = dns_portlist_add(portlist, family, port);
+		if (result != ISC_R_SUCCESS)
+			break;
+	}
+	return (result);
+}
+
+static isc_result_t
 load_configuration(const char *filename, ns_server_t *server,
 		   isc_boolean_t first_time)
 {
 	isc_result_t result;
 	cfg_parser_t *parser = NULL;
 	cfg_obj_t *config;
-	const cfg_obj_t *options;
-	const cfg_obj_t *views;
-	const cfg_obj_t *obj;
-	const cfg_obj_t *maps[3];
-	const cfg_listelt_t *element;
+	cfg_obj_t *options;
+	cfg_obj_t *views;
+	cfg_obj_t *obj;
+	cfg_obj_t *v4ports, *v6ports;
+	cfg_obj_t *maps[3];
+	cfg_obj_t *builtin_views;
+	cfg_listelt_t *element;
 	dns_view_t *view = NULL;
 	dns_view_t *view_next;
 	dns_viewlist_t viewlist;
@@ -1815,6 +2061,7 @@ load_configuration(const char *filename, ns_server_t *server,
 	ns_aclconfctx_t aclconfctx;
 	isc_uint32_t interface_interval;
 	isc_uint32_t heartbeat_interval;
+	isc_uint32_t udpsize;
 	in_port_t listen_port;
 	int i;
 
@@ -1878,7 +2125,7 @@ load_configuration(const char *filename, ns_server_t *server,
 	/*
 	 * Check the validity of the configuration.
 	 */
-	CHECK(cfg_check_namedconf(config, ns_g_lctx, ns_g_mctx));
+	CHECK(bind9_check_namedconf(config, ns_g_lctx, ns_g_mctx));
 
 	/*
 	 * Fill in the maps array, used for resolving defaults.
@@ -1915,6 +2162,38 @@ load_configuration(const char *filename, ns_server_t *server,
 	INSIST(result == ISC_R_SUCCESS);
 	server->aclenv.match_mapped = cfg_obj_asboolean(obj);
 
+	v4ports = NULL;
+	v6ports = NULL;
+	(void)ns_config_get(maps, "avoid-v4-udp-ports", &v4ports);
+	(void)ns_config_get(maps, "avoid-v6-udp-ports", &v6ports);
+	if (v4ports != NULL || v6ports != NULL) {
+		dns_portlist_t *portlist = NULL;
+		result = dns_portlist_create(ns_g_mctx, &portlist);
+		if (result == ISC_R_SUCCESS && v4ports != NULL)
+			result = portlist_fromconf(portlist, AF_INET, v4ports);
+		if (result == ISC_R_SUCCESS && v6ports != NULL)
+			portlist_fromconf(portlist, AF_INET6, v6ports);
+		if (result == ISC_R_SUCCESS)
+			dns_dispatchmgr_setblackportlist(ns_g_dispatchmgr, portlist);
+		if (portlist != NULL)
+			dns_portlist_detach(&portlist);
+		CHECK(result);
+	} else
+		dns_dispatchmgr_setblackportlist(ns_g_dispatchmgr, NULL);
+
+	/*
+	 * Set the EDNS UDP size when we don't match a view.
+	 */
+	obj = NULL;
+	result = ns_config_get(maps, "edns-udp-size", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	udpsize = cfg_obj_asuint32(obj);
+	if (udpsize < 512)
+		udpsize = 512;
+	if (udpsize > 4096)
+		udpsize = 4096;
+	ns_g_udpsize = udpsize;
+
 	/*
 	 * Configure the zone manager.
 	 */
@@ -1942,11 +2221,21 @@ load_configuration(const char *filename, ns_server_t *server,
 		CHECKM(ns_config_getport(config, &listen_port), "port");
 
 	/*
+	 * Find the listen queue depth.
+	 */
+	obj = NULL;
+	result = ns_config_get(maps, "tcp-listen-queue", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	ns_g_listen = cfg_obj_asuint32(obj);
+	if (ns_g_listen < 3)
+		ns_g_listen = 3;
+
+	/*
 	 * Configure the interface manager according to the "listen-on"
 	 * statement.
 	 */
 	{
-		const cfg_obj_t *clistenon = NULL;
+		cfg_obj_t *clistenon = NULL;
 		ns_listenlist_t *listenon = NULL;
 
 		clistenon = NULL;
@@ -1980,7 +2269,7 @@ load_configuration(const char *filename, ns_server_t *server,
 	 * Ditto for IPv6.
 	 */
 	{
-		const cfg_obj_t *clistenon = NULL;
+		cfg_obj_t *clistenon = NULL;
 		ns_listenlist_t *listenon = NULL;
 
 		if (options != NULL)
@@ -2022,14 +2311,15 @@ load_configuration(const char *filename, ns_server_t *server,
 	INSIST(result == ISC_R_SUCCESS);
 	interface_interval = cfg_obj_asuint32(obj) * 60;
 	if (interface_interval == 0) {
-		isc_timer_reset(server->interface_timer,
-				isc_timertype_inactive,
-				NULL, NULL, ISC_TRUE);
+		CHECK(isc_timer_reset(server->interface_timer,
+				      isc_timertype_inactive,
+				      NULL, NULL, ISC_TRUE));
 	} else if (server->interface_interval != interface_interval) {
 		isc_interval_t interval;
 		isc_interval_set(&interval, interface_interval, 0);
-		isc_timer_reset(server->interface_timer, isc_timertype_ticker,
-				NULL, &interval, ISC_FALSE);
+		CHECK(isc_timer_reset(server->interface_timer,
+				      isc_timertype_ticker,
+				      NULL, &interval, ISC_FALSE));
 	}
 	server->interface_interval = interface_interval;
 
@@ -2041,14 +2331,15 @@ load_configuration(const char *filename, ns_server_t *server,
 	INSIST(result == ISC_R_SUCCESS);
 	heartbeat_interval = cfg_obj_asuint32(obj) * 60;
 	if (heartbeat_interval == 0) {
-		isc_timer_reset(server->heartbeat_timer,
-				isc_timertype_inactive,
-				NULL, NULL, ISC_TRUE);
+		CHECK(isc_timer_reset(server->heartbeat_timer,
+				      isc_timertype_inactive,
+				      NULL, NULL, ISC_TRUE));
 	} else if (server->heartbeat_interval != heartbeat_interval) {
 		isc_interval_t interval;
 		isc_interval_set(&interval, heartbeat_interval, 0);
-		isc_timer_reset(server->heartbeat_timer, isc_timertype_ticker,
-				NULL, &interval, ISC_FALSE);
+		CHECK(isc_timer_reset(server->heartbeat_timer,
+				      isc_timertype_ticker,
+				      NULL, &interval, ISC_FALSE));
 	}
 	server->heartbeat_interval = heartbeat_interval;
 
@@ -2063,14 +2354,13 @@ load_configuration(const char *filename, ns_server_t *server,
 	     element != NULL;
 	     element = cfg_list_next(element))
 	{
-		const cfg_obj_t *vconfig;
-
+		cfg_obj_t *vconfig = cfg_listelt_value(element);
 		view = NULL;
-		vconfig = cfg_listelt_value(element);
+
 		CHECK(create_view(vconfig, &viewlist, &view));
 		INSIST(view != NULL);
 		CHECK(configure_view(view, config, vconfig,
-				     ns_g_mctx, &aclconfctx));
+				     ns_g_mctx, &aclconfctx, ISC_TRUE));
 		dns_view_freeze(view);
 		dns_view_detach(&view);
 	}
@@ -2088,22 +2378,30 @@ load_configuration(const char *filename, ns_server_t *server,
 		 */
 		CHECK(create_view(NULL, &viewlist, &view));
 		CHECK(configure_view(view, config, NULL, ns_g_mctx,
-				     &aclconfctx));
+				     &aclconfctx, ISC_TRUE));
 		dns_view_freeze(view);
 		dns_view_detach(&view);
 	}
 
 	/*
-	 * Create (or recreate) the internal _bind view.
+	 * Create (or recreate) the built-in views.  Currently
+	 * there is only one, the _bind view.
 	 */
-	CHECK(create_bind_view(&view));
-	CHECK(configure_view_acl(NULL, config, "allow-query",
-				 &aclconfctx, ns_g_mctx, &view->queryacl));
-	ISC_LIST_APPEND(viewlist, view, link);
-	CHECK(create_version_zone(maps, server->zonemgr, view));
-	CHECK(create_authors_zone(options, server->zonemgr, view));
-	dns_view_freeze(view);
-	view = NULL;
+	builtin_views = NULL;
+	RUNTIME_CHECK(cfg_map_get(ns_g_config, "view",
+				  &builtin_views) == ISC_R_SUCCESS);
+	for (element = cfg_list_first(builtin_views);
+	     element != NULL;
+	     element = cfg_list_next(element))
+	{
+		cfg_obj_t *vconfig = cfg_listelt_value(element);
+		CHECK(create_view(vconfig, &viewlist, &view));
+		CHECK(configure_view(view, config, vconfig, ns_g_mctx,
+				     &aclconfctx, ISC_FALSE));
+		dns_view_freeze(view);
+		dns_view_detach(&view);
+		view = NULL;
+	}
 
 	/*
 	 * Swap our new view list with the production one.
@@ -2161,6 +2459,23 @@ load_configuration(const char *filename, ns_server_t *server,
 					      "%s: %s",
 					      randomdev,
 					      isc_result_totext(result));
+#ifdef PATH_RANDOMDEV
+			if (ns_g_fallbackentropy != NULL) {
+				if (result != ISC_R_SUCCESS) {
+					isc_log_write(ns_g_lctx,
+						      NS_LOGCATEGORY_GENERAL,
+						      NS_LOGMODULE_SERVER,
+						      ISC_LOG_INFO,
+						      "using pre-chroot entropy source "
+						      "%s",
+						      PATH_RANDOMDEV);
+					isc_entropy_detach(&ns_g_entropy);
+					isc_entropy_attach(ns_g_fallbackentropy,
+							   &ns_g_entropy);
+				}
+				isc_entropy_detach(&ns_g_fallbackentropy);
+			}
+#endif
 		}
 	}
 
@@ -2183,7 +2498,7 @@ load_configuration(const char *filename, ns_server_t *server,
 			      "ignoring config file logging "
 			      "statement due to -g option");
 	} else {
-		const cfg_obj_t *logobj = NULL;
+		cfg_obj_t *logobj = NULL;
 		isc_logconfig_t *logc = NULL;
 
 		CHECKM(isc_logconfig_create(ns_g_lctx, &logc),
@@ -2222,46 +2537,112 @@ load_configuration(const char *filename, ns_server_t *server,
 	 * compatibility.
 	 */
 	if (first_time) {
-		const cfg_obj_t *logobj = NULL;
-		const cfg_obj_t *categories = NULL;
-		(void)cfg_map_get(config, "logging", &logobj);
-		if (logobj != NULL)
-			(void)cfg_map_get(logobj, "category", &categories);
-		if (categories != NULL) {
-			const cfg_listelt_t *element;
-			for (element = cfg_list_first(categories);
-			     element != NULL;
-			     element = cfg_list_next(element))
-			{
-				const cfg_obj_t *catobj;
-				const char *str;
-
-				obj = cfg_listelt_value(element);
-				catobj = cfg_tuple_get(obj, "name");
-				str = cfg_obj_asstring(catobj);
-				if (strcasecmp(str, "queries") == 0)
-					server->log_queries = ISC_TRUE;
+		cfg_obj_t *logobj = NULL;
+		cfg_obj_t *categories = NULL;
+
+		obj = NULL;
+		if (ns_config_get(maps, "querylog", &obj) == ISC_R_SUCCESS) {
+			server->log_queries = cfg_obj_asboolean(obj);
+		} else {
+
+			(void)cfg_map_get(config, "logging", &logobj);
+			if (logobj != NULL)
+				(void)cfg_map_get(logobj, "category",
+						  &categories);
+			if (categories != NULL) {
+				cfg_listelt_t *element;
+				for (element = cfg_list_first(categories);
+				     element != NULL;
+				     element = cfg_list_next(element))
+				{
+					cfg_obj_t *catobj;
+					char *str;
+
+					obj = cfg_listelt_value(element);
+					catobj = cfg_tuple_get(obj, "name");
+					str = cfg_obj_asstring(catobj);
+					if (strcasecmp(str, "queries") == 0)
+						server->log_queries = ISC_TRUE;
+				}
 			}
 		}
 	}
 
 	obj = NULL;
 	if (ns_config_get(maps, "pid-file", &obj) == ISC_R_SUCCESS)
-		ns_os_writepidfile(cfg_obj_asstring(obj), first_time);
+		if (cfg_obj_isvoid(obj))
+			ns_os_writepidfile(NULL, first_time);
+		else
+			ns_os_writepidfile(cfg_obj_asstring(obj), first_time);
 	else if (ns_g_lwresdonly)
 		ns_os_writepidfile(lwresd_g_defaultpidfile, first_time);
 	else
 		ns_os_writepidfile(ns_g_defaultpidfile, first_time);
+	
+	obj = NULL;
+	if (options != NULL &&
+	    cfg_map_get(options, "memstatistics-file", &obj) == ISC_R_SUCCESS)
+		ns_main_setmemstats(cfg_obj_asstring(obj));
+	else
+		ns_main_setmemstats(NULL);
 
 	obj = NULL;
 	result = ns_config_get(maps, "statistics-file", &obj);
 	INSIST(result == ISC_R_SUCCESS);
-	CHECKM(setstatsfile(server, cfg_obj_asstring(obj)), "strdup");
+	CHECKM(setstring(server, &server->statsfile, cfg_obj_asstring(obj)),
+	       "strdup");
 
 	obj = NULL;
 	result = ns_config_get(maps, "dump-file", &obj);
 	INSIST(result == ISC_R_SUCCESS);
-	CHECKM(setdumpfile(server, cfg_obj_asstring(obj)), "strdup");
+	CHECKM(setstring(server, &server->dumpfile, cfg_obj_asstring(obj)),
+	       "strdup");
+
+	obj = NULL;
+	result = ns_config_get(maps, "recursing-file", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	CHECKM(setstring(server, &server->recfile, cfg_obj_asstring(obj)),
+	       "strdup");
+
+	obj = NULL;
+	result = ns_config_get(maps, "version", &obj);
+	if (result == ISC_R_SUCCESS) {
+		CHECKM(setoptstring(server, &server->version, obj), "strdup");
+		server->version_set = ISC_TRUE;
+	} else {
+		server->version_set = ISC_FALSE;
+	}
+
+	obj = NULL;
+	result = ns_config_get(maps, "hostname", &obj);
+	if (result == ISC_R_SUCCESS) {
+		CHECKM(setoptstring(server, &server->hostname, obj), "strdup");
+		server->hostname_set = ISC_TRUE;
+	} else {
+		server->hostname_set = ISC_FALSE;
+	}
+
+	obj = NULL;
+	result = ns_config_get(maps, "server-id", &obj);
+	server->server_usehostname = ISC_FALSE;
+	if (result == ISC_R_SUCCESS && cfg_obj_isboolean(obj)) {
+		server->server_usehostname = ISC_TRUE;
+	} else if (result == ISC_R_SUCCESS) {
+		CHECKM(setoptstring(server, &server->server_id, obj), "strdup");
+	} else {
+		result = setoptstring(server, &server->server_id, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	}
+
+	obj = NULL;
+	result = ns_config_get(maps, "flush-zones-on-shutdown", &obj);
+	if (result == ISC_R_SUCCESS) {
+		server->flushonshutdown = cfg_obj_asboolean(obj);
+	} else {
+		server->flushonshutdown = ISC_FALSE;
+	}
+
+	result = ISC_R_SUCCESS;
 
  cleanup:
 	ns_aclconfctx_destroy(&aclconfctx);
@@ -2289,6 +2670,13 @@ load_configuration(const char *filename, ns_server_t *server,
 
 	}
 
+	/*
+	 * Adjust the listening interfaces in accordance with the source
+	 * addresses specified in views and zones.
+	 */
+	if (isc_net_probeipv6() == ISC_R_SUCCESS)
+		adjust_interfaces(server, ns_g_mctx);
+
 	/* Relinquish exclusive access to configuration data. */
 	isc_task_endexclusive(server->task);
 
@@ -2350,7 +2738,7 @@ load_new_zones(ns_server_t *server, isc_boolean_t stop) {
 	 * so that we know when we need to force AXFR of
 	 * slave zones whose master files are missing.
 	 */
-	CHECK(dns_zonemgr_forcemaint(server->zonemgr));
+	dns_zonemgr_resumexfrs(server->zonemgr);
  cleanup:
 	isc_task_endexclusive(server->task);	
 	return (result);
@@ -2361,7 +2749,7 @@ run_server(isc_task_t *task, isc_event_t *event) {
 	isc_result_t result;
 	ns_server_t *server = (ns_server_t *)event->ev_arg;
 
-	INSIST(task == server->task);
+	UNUSED(task);
 
 	isc_event_free(&event);
 
@@ -2399,11 +2787,11 @@ run_server(isc_task_t *task, isc_event_t *event) {
 
 	isc_hash_init();
 
-	CHECKFATAL(load_zones(server, ISC_FALSE), "loading zones");
+	CHECKFATAL(load_zones(server, ISC_FALSE),
+		   "loading zones");
 
-	ns_os_started();
 	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
-		      ISC_LOG_NOTICE, "running");
+		      ISC_LOG_INFO, "running");
 }
 
 void 
@@ -2461,8 +2849,6 @@ shutdown_server(isc_task_t *task, isc_event_t *event) {
 	if (server->blackholeacl != NULL)
 		dns_acl_detach(&server->blackholeacl);
 
-	dns_db_detach(&server->in_roothints);
-
 	isc_task_endexclusive(server->task);
 
 	isc_task_detach(&server->task);
@@ -2489,6 +2875,7 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
 	RUNTIME_CHECK(result == ISC_R_SUCCESS);
 	result = isc_quota_init(&server->recursionquota, 100);
 	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	isc_quota_soft(&server->recursionquota, ISC_FALSE);
 
 	result = dns_aclenv_init(mctx, &server->aclenv);
 	RUNTIME_CHECK(result == ISC_R_SUCCESS);
@@ -2550,13 +2937,25 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
 	CHECKFATAL(server->statsfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS,
 		   "isc_mem_strdup");
 	server->querystats = NULL;
-	CHECKFATAL(dns_stats_alloccounters(ns_g_mctx, &server->querystats),
-		   "dns_stats_alloccounters");
 
 	server->dumpfile = isc_mem_strdup(server->mctx, "named_dump.db");
 	CHECKFATAL(server->dumpfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS,
 		   "isc_mem_strdup");
 
+	server->recfile = isc_mem_strdup(server->mctx, "named.recursing");
+	CHECKFATAL(server->recfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS,
+		   "isc_mem_strdup");
+
+	server->hostname_set = ISC_FALSE;
+	server->hostname = NULL;
+	server->version_set = ISC_FALSE;	
+	server->version = NULL;
+	server->server_usehostname = ISC_FALSE;
+	server->server_id = NULL;
+
+	CHECKFATAL(dns_stats_alloccounters(ns_g_mctx, &server->querystats),
+		   "dns_stats_alloccounters");
+
 	server->flushonshutdown = ISC_FALSE;
 	server->log_queries = ISC_FALSE;
 
@@ -2578,9 +2977,17 @@ ns_server_destroy(ns_server_t **serverp) {
 	ns_controls_destroy(&server->controls);
 
 	dns_stats_freecounters(server->mctx, &server->querystats);
-	isc_mem_free(server->mctx, server->statsfile);
 
+	isc_mem_free(server->mctx, server->statsfile);
 	isc_mem_free(server->mctx, server->dumpfile);
+	isc_mem_free(server->mctx, server->recfile);
+
+	if (server->version != NULL)
+		isc_mem_free(server->mctx, server->version);
+	if (server->hostname != NULL)
+		isc_mem_free(server->mctx, server->hostname);
+	if (server->server_id != NULL)
+		isc_mem_free(server->mctx, server->server_id);
 
 	dns_zonemgr_detach(&server->zonemgr);
 
@@ -2593,6 +3000,8 @@ ns_server_destroy(ns_server_t **serverp) {
 
 	INSIST(ISC_LIST_EMPTY(server->viewlist));
 
+	dns_db_detach(&server->in_roothints);
+
 	dns_aclenv_destroy(&server->aclenv);
 
 	isc_quota_destroy(&server->recursionquota);
@@ -2624,24 +3033,22 @@ start_reserved_dispatches(ns_server_t *server) {
 
 static void
 end_reserved_dispatches(ns_server_t *server, isc_boolean_t all) {
-	ns_dispatch_t *dispatch, *nextdispatch;
+	ns_dispatch_t *dispatch;
 
 	REQUIRE(NS_SERVER_VALID(server));
 
 	for (dispatch = ISC_LIST_HEAD(server->dispatches);
 	     dispatch != NULL;
-	     dispatch = nextdispatch) {
-		nextdispatch = ISC_LIST_NEXT(dispatch, link);
+	     dispatch = ISC_LIST_NEXT(dispatch, link)) {
 		if (!all && server->dispatchgen == dispatch-> dispatchgen)
 			continue;
-		ISC_LIST_UNLINK(server->dispatches, dispatch, link);
 		dns_dispatch_detach(&dispatch->dispatch);
 		isc_mem_put(server->mctx, dispatch, sizeof(*dispatch));
 	}
 }
 
 void
-ns_add_reserved_dispatch(ns_server_t *server, const isc_sockaddr_t *addr) {
+ns_add_reserved_dispatch(ns_server_t *server, isc_sockaddr_t *addr) {
 	ns_dispatch_t *dispatch;
 	in_port_t port;
 	char addrbuf[ISC_SOCKADDR_FORMATSIZE];
@@ -2722,7 +3129,8 @@ loadconfig(ns_server_t *server) {
 	start_reserved_dispatches(server);
 	result = load_configuration(ns_g_lwresdonly ?
 				    lwresd_g_conffile : ns_g_conffile,
-				    server, ISC_FALSE);
+				    server,
+				    ISC_FALSE);
 	if (result == ISC_R_SUCCESS)
 		end_reserved_dispatches(server, ISC_FALSE);
 	else
@@ -2733,7 +3141,7 @@ loadconfig(ns_server_t *server) {
 	return (result);
 }
 
-static void
+static isc_result_t
 reload(ns_server_t *server) {
 	isc_result_t result;
 	CHECK(loadconfig(server));
@@ -2745,7 +3153,8 @@ reload(ns_server_t *server) {
 			      "reloading zones failed: %s",
 			      isc_result_totext(result));
 	}
- cleanup: ;
+ cleanup:
+	return (result);
 }
 
 static void
@@ -2773,7 +3182,7 @@ ns_server_reload(isc_task_t *task, isc_event_t *event) {
 	INSIST(task = server->task);
 	UNUSED(task);
 
-	reload(server);
+	(void)reload(server);
 
 	LOCK(&server->reload_event_lock);
 	INSIST(server->reload_event == NULL);
@@ -2876,28 +3285,75 @@ zone_from_args(ns_server_t *server, char *args, dns_zone_t **zonep) {
 }
 
 /*
+ * Act on a "retransfer" command from the command channel.
+ */
+isc_result_t
+ns_server_retransfercommand(ns_server_t *server, char *args) {
+	isc_result_t result;
+	dns_zone_t *zone = NULL;
+	dns_zonetype_t type;
+	
+	result = zone_from_args(server, args, &zone);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	if (zone == NULL)
+		return (ISC_R_UNEXPECTEDEND);
+	type = dns_zone_gettype(zone);
+	if (type == dns_zone_slave || type == dns_zone_stub)
+		dns_zone_forcereload(zone);
+	else
+		result = ISC_R_NOTFOUND;
+	dns_zone_detach(&zone);
+	return (result);
+}	
+
+/*
  * Act on a "reload" command from the command channel.
  */
 isc_result_t
-ns_server_reloadcommand(ns_server_t *server, char *args) {
+ns_server_reloadcommand(ns_server_t *server, char *args, isc_buffer_t *text) {
 	isc_result_t result;
 	dns_zone_t *zone = NULL;
 	dns_zonetype_t type;
+	const char *msg = NULL;
 	
 	result = zone_from_args(server, args, &zone);
 	if (result != ISC_R_SUCCESS)
 		return (result);
 	if (zone == NULL) {
-		reload(server);
+		result = reload(server);
+		if (result == ISC_R_SUCCESS)
+			msg = "server reload successful";
 	} else {
 		type = dns_zone_gettype(zone);
-		if (type == dns_zone_slave || type == dns_zone_stub)
+		if (type == dns_zone_slave || type == dns_zone_stub) {
 			dns_zone_refresh(zone);
-		else
-			dns_zone_load(zone);
-		dns_zone_detach(&zone);
+			msg = "zone refresh queued";
+		} else {
+			result = dns_zone_load(zone);
+			dns_zone_detach(&zone);
+			switch (result) {	
+			case ISC_R_SUCCESS:
+				 msg = "zone reload successful";
+				 break;
+			case DNS_R_CONTINUE:
+				msg = "zone reload queued";
+				result = ISC_R_SUCCESS;
+				break;
+			case DNS_R_UPTODATE:
+				msg = "zone reload up-to-date";
+				result = ISC_R_SUCCESS;
+				break;
+			default:
+				/* failure message will be generated by rndc */
+				break;
+			}
+		}
 	}
-	return (ISC_R_SUCCESS);
+	if (msg != NULL && strlen(msg) < isc_buffer_availablelength(text))
+		isc_buffer_putmem(text, (const unsigned char *)msg,
+				  strlen(msg) + 1);
+	return (result);
 }	
 
 /*
@@ -2915,9 +3371,10 @@ ns_server_reconfigcommand(ns_server_t *server, char *args) {
  * Act on a "refresh" command from the command channel.
  */
 isc_result_t
-ns_server_refreshcommand(ns_server_t *server, char *args) {
+ns_server_refreshcommand(ns_server_t *server, char *args, isc_buffer_t *text) {
 	isc_result_t result;
 	dns_zone_t *zone = NULL;
+	const unsigned char msg[] = "zone refresh queued";
 
 	result = zone_from_args(server, args, &zone);
 	if (result != ISC_R_SUCCESS)
@@ -2927,6 +3384,8 @@ ns_server_refreshcommand(ns_server_t *server, char *args) {
 	
 	dns_zone_refresh(zone);
 	dns_zone_detach(&zone);
+	if (sizeof(msg) <= isc_buffer_availablelength(text))
+		isc_buffer_putmem(text, msg, sizeof(msg));
 
 	return (ISC_R_SUCCESS);
 }	
@@ -2943,12 +3402,12 @@ ns_server_togglequerylog(ns_server_t *server) {
 }
 
 static isc_result_t
-ns_listenlist_fromconfig(const cfg_obj_t *listenlist, const cfg_obj_t *config,
+ns_listenlist_fromconfig(cfg_obj_t *listenlist, cfg_obj_t *config,
 			 ns_aclconfctx_t *actx,
 			 isc_mem_t *mctx, ns_listenlist_t **target)
 {
 	isc_result_t result;
-	const cfg_listelt_t *element;
+	cfg_listelt_t *element;
 	ns_listenlist_t *dlist = NULL;
 
 	REQUIRE(target != NULL && *target == NULL);
@@ -2962,7 +3421,7 @@ ns_listenlist_fromconfig(const cfg_obj_t *listenlist, const cfg_obj_t *config,
 	     element = cfg_list_next(element))
 	{
 		ns_listenelt_t *delt = NULL;
-		const cfg_obj_t *listener = cfg_listelt_value(element);
+		cfg_obj_t *listener = cfg_listelt_value(element);
 		result = ns_listenelt_fromconfig(listener, config, actx,
 						 mctx, &delt);
 		if (result != ISC_R_SUCCESS)
@@ -2982,12 +3441,12 @@ ns_listenlist_fromconfig(const cfg_obj_t *listenlist, const cfg_obj_t *config,
  * data structure.
  */
 static isc_result_t
-ns_listenelt_fromconfig(const cfg_obj_t *listener, const cfg_obj_t *config,
+ns_listenelt_fromconfig(cfg_obj_t *listener, cfg_obj_t *config,
 			ns_aclconfctx_t *actx,
 			isc_mem_t *mctx, ns_listenelt_t **target)
 {
 	isc_result_t result;
-	const cfg_obj_t *portobj;
+	cfg_obj_t *portobj;
 	in_port_t port;
 	ns_listenelt_t *delt = NULL;
 	REQUIRE(target != NULL && *target == NULL);
@@ -3036,8 +3495,8 @@ ns_server_dumpstats(ns_server_t *server) {
 
 	isc_stdtime_get(&now);
 
-	CHECKM(isc_stdio_open(server->statsfile, "a", &fp),
-	       "could not open statistics dump file");
+	CHECKMF(isc_stdio_open(server->statsfile, "a", &fp),
+		"could not open statistics dump file", server->statsfile);
 	
 	ncounters = DNS_STATS_NCOUNTERS;
 	fprintf(fp, "+++ Statistics Dump +++ (%lu)\n", (unsigned long)now);
@@ -3086,26 +3545,265 @@ ns_server_dumpstats(ns_server_t *server) {
 	return (result);
 }
 
+static isc_result_t
+add_zone_tolist(dns_zone_t *zone, void *uap) {
+	struct dumpcontext *dctx = uap;
+	struct zonelistentry *zle;
+
+	zle = isc_mem_get(dctx->mctx, sizeof *zle);
+	if (zle ==  NULL)
+		return (ISC_R_NOMEMORY);
+	zle->zone = NULL;
+	dns_zone_attach(zone, &zle->zone);
+	ISC_LINK_INIT(zle, link);
+	ISC_LIST_APPEND(ISC_LIST_TAIL(dctx->viewlist)->zonelist, zle, link);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+add_view_tolist(struct dumpcontext *dctx, dns_view_t *view) {
+	struct viewlistentry *vle;
+	isc_result_t result = ISC_R_SUCCESS;
+	
+	vle = isc_mem_get(dctx->mctx, sizeof *vle);
+	if (vle == NULL)
+		return (ISC_R_NOMEMORY);
+	vle->view = NULL;
+	dns_view_attach(view, &vle->view);
+	ISC_LINK_INIT(vle, link);
+	ISC_LIST_INIT(vle->zonelist);
+	ISC_LIST_APPEND(dctx->viewlist, vle, link);
+	if (dctx->dumpzones)
+		result = dns_zt_apply(view->zonetable, ISC_TRUE,
+				      add_zone_tolist, dctx);
+	return (result);
+}
+
+static void
+dumpcontext_destroy(struct dumpcontext *dctx) {
+	struct viewlistentry *vle;
+	struct zonelistentry *zle;
+
+	vle = ISC_LIST_HEAD(dctx->viewlist);
+	while (vle != NULL) {
+		ISC_LIST_UNLINK(dctx->viewlist, vle, link);
+		zle = ISC_LIST_HEAD(vle->zonelist);
+		while (zle != NULL) {
+			ISC_LIST_UNLINK(vle->zonelist, zle, link);
+			dns_zone_detach(&zle->zone);
+			isc_mem_put(dctx->mctx, zle, sizeof *zle);
+			zle = ISC_LIST_HEAD(vle->zonelist);
+		}
+		dns_view_detach(&vle->view);
+		isc_mem_put(dctx->mctx, vle, sizeof *vle);
+		vle = ISC_LIST_HEAD(dctx->viewlist);
+	}
+	if (dctx->version != NULL)
+		dns_db_closeversion(dctx->db, &dctx->version, ISC_FALSE);
+	if (dctx->db != NULL)
+		dns_db_detach(&dctx->db);
+	if (dctx->cache != NULL)
+		dns_db_detach(&dctx->cache);
+	if (dctx->task != NULL)
+		isc_task_detach(&dctx->task);
+	if (dctx->fp != NULL)
+		(void)isc_stdio_close(dctx->fp);
+	if (dctx->mdctx != NULL)
+		dns_dumpctx_detach(&dctx->mdctx);
+	isc_mem_put(dctx->mctx, dctx, sizeof *dctx);
+}
+
+static void
+dumpdone(void *arg, isc_result_t result) {
+	struct dumpcontext *dctx = arg;
+	char buf[1024+32];
+	const dns_master_style_t *style;
+	
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	if (dctx->mdctx != NULL)
+		dns_dumpctx_detach(&dctx->mdctx);
+	if (dctx->view == NULL) {
+		dctx->view = ISC_LIST_HEAD(dctx->viewlist);
+		if (dctx->view == NULL)
+			goto done;
+		INSIST(dctx->zone == NULL);
+	}
+ nextview:
+	fprintf(dctx->fp, ";\n; Start view %s\n;\n", dctx->view->view->name);
+	if (dctx->zone == NULL && dctx->cache == NULL && dctx->dumpcache) {
+		style = &dns_master_style_cache;
+		/* start cache dump */
+		if (dctx->view->view->cachedb != NULL)
+			dns_db_attach(dctx->view->view->cachedb, &dctx->cache);
+		if (dctx->cache != NULL) {
+
+			fprintf(dctx->fp, ";\n; Cache dump of view '%s'\n;\n",
+				dctx->view->view->name);
+			result = dns_master_dumptostreaminc(dctx->mctx,
+							    dctx->cache, NULL,
+							    style, dctx->fp,
+							    dctx->task,
+							    dumpdone, dctx,
+							    &dctx->mdctx);
+			if (result == DNS_R_CONTINUE)
+				return;
+			if (result == ISC_R_NOTIMPLEMENTED)
+				fprintf(dctx->fp, "; %s\n",
+					dns_result_totext(result));
+			else if (result != ISC_R_SUCCESS)
+				goto cleanup;
+		}
+	}
+	if (dctx->cache != NULL) {
+		dns_adb_dump(dctx->view->view->adb, dctx->fp);
+		dns_db_detach(&dctx->cache);
+	}
+	if (dctx->dumpzones) {
+		style = &dns_master_style_full;
+ nextzone:
+		if (dctx->version != NULL)
+			dns_db_closeversion(dctx->db, &dctx->version,
+					    ISC_FALSE);
+		if (dctx->db != NULL)
+			dns_db_detach(&dctx->db);
+		if (dctx->zone == NULL)
+			dctx->zone = ISC_LIST_HEAD(dctx->view->zonelist);
+		else
+			dctx->zone = ISC_LIST_NEXT(dctx->zone, link);
+		if (dctx->zone != NULL) {
+			/* start zone dump */
+			dns_zone_name(dctx->zone->zone, buf, sizeof(buf));
+			fprintf(dctx->fp, ";\n; Zone dump of '%s'\n;\n", buf);
+			result = dns_zone_getdb(dctx->zone->zone, &dctx->db);
+			if (result != ISC_R_SUCCESS) {
+				fprintf(dctx->fp, "; %s\n",
+					dns_result_totext(result));
+				goto nextzone;
+			}
+			dns_db_currentversion(dctx->db, &dctx->version);
+			result = dns_master_dumptostreaminc(dctx->mctx,
+							    dctx->db,
+							    dctx->version,
+							    style, dctx->fp,
+							    dctx->task,
+							    dumpdone, dctx,
+							    &dctx->mdctx);
+			if (result == DNS_R_CONTINUE)
+				return;
+			if (result == ISC_R_NOTIMPLEMENTED)
+				fprintf(dctx->fp, "; %s\n",
+					dns_result_totext(result));
+			if (result != ISC_R_SUCCESS)
+				goto cleanup;
+		}
+	}
+	if (dctx->view != NULL)
+		dctx->view = ISC_LIST_NEXT(dctx->view, link);
+	if (dctx->view != NULL)
+		goto nextview;
+ done:
+	fprintf(dctx->fp, "; Dump complete\n");
+	result = isc_stdio_flush(dctx->fp);
+	if (result == ISC_R_SUCCESS)
+		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+			      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+			      "dumpdb complete");
+ cleanup:
+	if (result != ISC_R_SUCCESS)
+		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+			      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+			      "dumpdb failed: %s", dns_result_totext(result));
+	dumpcontext_destroy(dctx);
+}
+
+
 isc_result_t
-ns_server_dumpdb(ns_server_t *server) {
-	FILE *fp = NULL;
+ns_server_dumpdb(ns_server_t *server, char *args) {
+	struct dumpcontext *dctx = NULL;
 	dns_view_t *view;
 	isc_result_t result;
+	char *ptr;
+	const char *sep;
+
+	dctx = isc_mem_get(server->mctx, sizeof(*dctx));
+	if (dctx == NULL)
+		return (ISC_R_NOMEMORY);
+
+	dctx->mctx = server->mctx;
+	dctx->dumpcache = ISC_TRUE;
+	dctx->dumpzones = ISC_FALSE;
+	dctx->fp = NULL;
+	ISC_LIST_INIT(dctx->viewlist);
+	dctx->view = NULL;
+	dctx->zone = NULL;
+	dctx->cache = NULL;
+	dctx->mdctx = NULL;
+	dctx->db = NULL;
+	dctx->cache = NULL;
+	dctx->task = NULL;
+	dctx->version = NULL;
+	isc_task_attach(server->task, &dctx->task);
+
+	CHECKMF(isc_stdio_open(server->dumpfile, "w", &dctx->fp),
+		"could not open dump file", server->dumpfile);
+
+	/* Skip the command name. */
+	ptr = next_token(&args, " \t");
+	if (ptr == NULL)
+		return (ISC_R_UNEXPECTEDEND);
 
-	CHECKM(isc_stdio_open(server->dumpfile, "w", &fp),
-	       "could not open dump file");
+	sep = (args == NULL) ? "" : ": ";
+	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+		      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+		      "dumpdb started%s%s", sep, (args != NULL) ? args : "");
+
+	ptr = next_token(&args, " \t");
+	if (ptr != NULL && strcmp(ptr, "-all") == 0) {
+		dctx->dumpzones = ISC_TRUE;
+		dctx->dumpcache = ISC_TRUE;
+		ptr = next_token(&args, " \t");
+	} else if (ptr != NULL && strcmp(ptr, "-cache") == 0) {
+		dctx->dumpzones = ISC_FALSE;
+		dctx->dumpcache = ISC_TRUE;
+		ptr = next_token(&args, " \t");
+	} else if (ptr != NULL && strcmp(ptr, "-zones") == 0) {
+		dctx->dumpzones = ISC_TRUE;
+		dctx->dumpcache = ISC_FALSE;
+		ptr = next_token(&args, " \t");
+	} 
 
 	for (view = ISC_LIST_HEAD(server->viewlist);
 	     view != NULL;
 	     view = ISC_LIST_NEXT(view, link))
 	{
-		if (view->cachedb != NULL)
-			CHECKM(dns_view_dumpdbtostream(view, fp),
-			       "could not dump view databases");
+		if (ptr != NULL && strcmp(view->name, ptr) != 0)
+			continue;
+		CHECK(add_view_tolist(dctx, view));
 	}
+	dumpdone(dctx, ISC_R_SUCCESS);
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	if (dctx != NULL)
+		dumpcontext_destroy(dctx);
+	return (result);
+}
+
+isc_result_t
+ns_server_dumprecursing(ns_server_t *server) {
+	FILE *fp = NULL;
+	isc_result_t result;
+
+	CHECKMF(isc_stdio_open(server->recfile, "w", &fp),
+		"could not open dump file", server->recfile);
+	fprintf(fp,";\n; Recursing Queries\n;\n");
+	ns_interfacemgr_dumprecursing(fp, server->interfacemgr);
+	fprintf(fp, "; Dump complete\n");
+
  cleanup:
 	if (fp != NULL)
-		(void)isc_stdio_close(fp);
+		result = isc_stdio_close(fp);
 	return (result);
 }
 
@@ -3142,8 +3840,7 @@ isc_result_t
 ns_server_flushcache(ns_server_t *server, char *args) {
 	char *ptr, *viewname;
 	dns_view_t *view;
-	isc_boolean_t flushed;
-	isc_boolean_t found;
+	isc_boolean_t flushed = ISC_FALSE;
 	isc_result_t result;
 
 	/* Skip the command name. */
@@ -3156,63 +3853,77 @@ ns_server_flushcache(ns_server_t *server, char *args) {
 
 	result = isc_task_beginexclusive(server->task);
 	RUNTIME_CHECK(result == ISC_R_SUCCESS);
-	flushed = ISC_TRUE;
-	found = ISC_FALSE;
 	for (view = ISC_LIST_HEAD(server->viewlist);
 	     view != NULL;
 	     view = ISC_LIST_NEXT(view, link))
 	{
 		if (viewname != NULL && strcasecmp(viewname, view->name) != 0)
 			continue;
-		found = ISC_TRUE;
 		result = dns_view_flushcache(view);
 		if (result != ISC_R_SUCCESS)
-			flushed = ISC_FALSE;
+			goto out;
+		flushed = ISC_TRUE;
 	}
-	if (flushed && found) {
+	if (flushed)
 		result = ISC_R_SUCCESS;
-	} else {
-		if (!found)
-			result = ISC_R_NOTFOUND;
-		else
-			result = ISC_R_FAILURE;
-	}
+	else
+		result = ISC_R_FAILURE;
+ out:
 	isc_task_endexclusive(server->task);	
 	return (result);
 }
 
-#ifdef HAVE_LIBSCF
-/*
- * This function adds a message for rndc to echo if named
- * is managed by smf and is also running chroot.
- */
 isc_result_t
-ns_smf_add_message(isc_buffer_t *text) {
-	unsigned int n;
+ns_server_flushname(ns_server_t *server, char *args) {
+	char *ptr, *target, *viewname;
+	dns_view_t *view;
+	isc_boolean_t flushed = ISC_FALSE;
+	isc_result_t result;
+	isc_buffer_t b;
+	dns_fixedname_t fixed;
+	dns_name_t *name;
 
-	n = snprintf((char *)isc_buffer_used(text),
-		isc_buffer_availablelength(text),
-		"use svcadm(1M) to manage named");
-	if (n >= isc_buffer_availablelength(text))
-		return (ISC_R_NOSPACE);
-	isc_buffer_add(text, n);
-	return (ISC_R_SUCCESS);
-}
+	/* Skip the command name. */
+	ptr = next_token(&args, " \t");
+	if (ptr == NULL)
+		return (ISC_R_UNEXPECTEDEND);
 
-isc_result_t
-ns_smf_disable(const char *ins_name) {
+	/* Find the domain name to flush. */
+	target = next_token(&args, " \t");
+	if (target == NULL)
+		return (ISC_R_UNEXPECTEDEND);
 
-	if (ins_name == NULL)
-		return (ISC_R_UNEXPECTED);
-	if (smf_disable_instance(ins_name, 0) != 0) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-			"smf_disable_instance() failed: %s",
-			scf_strerror(scf_error()));
-		return (ISC_R_FAILURE);
+	isc_buffer_init(&b, target, strlen(target));
+	isc_buffer_add(&b, strlen(target));
+	dns_fixedname_init(&fixed);
+	name = dns_fixedname_name(&fixed);
+	result = dns_name_fromtext(name, &b, dns_rootname, ISC_FALSE, NULL);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	/* Look for the view name. */
+	viewname = next_token(&args, " \t");
+
+	result = isc_task_beginexclusive(server->task);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	flushed = ISC_TRUE;
+	for (view = ISC_LIST_HEAD(server->viewlist);
+	     view != NULL;
+	     view = ISC_LIST_NEXT(view, link))
+	{
+		if (viewname != NULL && strcasecmp(viewname, view->name) != 0)
+			continue;
+		result = dns_view_flushname(view, name);
+		if (result != ISC_R_SUCCESS)
+			flushed = ISC_FALSE;
 	}
-	return (ISC_R_SUCCESS);
+	if (flushed)
+		result = ISC_R_SUCCESS;
+	else
+		result = ISC_R_FAILURE;
+	isc_task_endexclusive(server->task);	
+	return (result);
 }
-#endif /* HAVE_LIBSCF */
 
 isc_result_t
 ns_server_status(ns_server_t *server, isc_buffer_t *text) {
@@ -3234,11 +3945,87 @@ ns_server_status(ns_server_t *server, isc_buffer_t *text) {
 		     "xfers deferred: %u\n"
 		     "soa queries in progress: %u\n"
 		     "query logging is %s\n"
+		     "recursive clients: %d/%d\n"
+		     "tcp clients: %d/%d\n"
 		     "server is up and running",
 		     zonecount, ns_g_debuglevel, xferrunning, xferdeferred,
-		     soaqueries, server->log_queries ? "ON" : "OFF");
+		     soaqueries, server->log_queries ? "ON" : "OFF",
+		     server->recursionquota.used, server->recursionquota.max,
+		     server->tcpquota.used, server->tcpquota.max);
 	if (n >= isc_buffer_availablelength(text))
 		return (ISC_R_NOSPACE);
 	isc_buffer_add(text, n);
 	return (ISC_R_SUCCESS);
 }
+
+/*
+ * Act on a "freeze" or "unfreeze" command from the command channel.
+ */
+isc_result_t
+ns_server_freeze(ns_server_t *server, isc_boolean_t freeze, char *args) {
+	isc_result_t result;
+	dns_zone_t *zone = NULL;
+	dns_zonetype_t type;
+	char classstr[DNS_RDATACLASS_FORMATSIZE];
+	char zonename[DNS_NAME_FORMATSIZE];
+	dns_view_t *view;
+	char *journal;
+	const char *vname, *sep;
+	isc_boolean_t frozen;
+	
+	result = zone_from_args(server, args, &zone);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	if (zone == NULL)
+		return (ISC_R_UNEXPECTEDEND);
+	type = dns_zone_gettype(zone);
+	if (type != dns_zone_master) {
+		dns_zone_detach(&zone);
+		return (ISC_R_NOTFOUND);
+	}
+
+	frozen = dns_zone_getupdatedisabled(zone);
+	if (freeze) {
+		if (frozen)
+			result = DNS_R_FROZEN;
+		if (result == ISC_R_SUCCESS)
+			result = dns_zone_flush(zone);
+		if (result == ISC_R_SUCCESS) {
+			journal = dns_zone_getjournal(zone);
+			if (journal != NULL)
+				(void)isc_file_remove(journal);
+		}
+	} else {
+		if (frozen) {
+			result = dns_zone_load(zone);
+			if (result == DNS_R_CONTINUE ||
+			    result == DNS_R_UPTODATE)
+				result = ISC_R_SUCCESS;
+		}
+	}
+	if (result == ISC_R_SUCCESS)
+		dns_zone_setupdatedisabled(zone, freeze);
+
+	view = dns_zone_getview(zone);
+	if (strcmp(view->name, "_bind") == 0 ||
+	    strcmp(view->name, "_default") == 0)
+	{
+		vname = "";
+		sep = "";
+	} else {
+		vname = view->name;
+		sep = " ";
+	}
+	dns_rdataclass_format(dns_zone_getclass(zone), classstr,
+			      sizeof(classstr));
+	dns_name_format(dns_zone_getorigin(zone),
+			zonename, sizeof(zonename));
+	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+		      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+		      "%s zone '%s/%s'%s%s: %s",
+		      freeze ? "freezing" : "unfreezing",
+		      zonename, classstr, sep, vname,
+		      isc_result_totext(result));
+	dns_zone_detach(&zone);
+	return (result);
+}
diff --git a/bin/named/sortlist.c b/bin/named/sortlist.c
index b0e5cdf8..0098fe77 100644
--- a/bin/named/sortlist.c
+++ b/bin/named/sortlist.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sortlist.c,v 1.5.2.3 2006/03/02 00:37:17 marka Exp $ */
+/* $Id: sortlist.c,v 1.5.12.4 2004/03/08 04:04:19 marka Exp $ */
 
 #include <config.h>
 
@@ -30,9 +30,7 @@
 #include <named/sortlist.h>
 
 ns_sortlisttype_t
-ns_sortlist_setup(dns_acl_t *acl, isc_netaddr_t *clientaddr,
-		  const void **argp)
-{
+ns_sortlist_setup(dns_acl_t *acl, isc_netaddr_t *clientaddr, void **argp) {
 	unsigned int i;
 
 	if (acl == NULL)
@@ -44,40 +42,58 @@ ns_sortlist_setup(dns_acl_t *acl, isc_netaddr_t *clientaddr,
 		 * in the sortlist (see ARM).
 		 */
 		dns_aclelement_t *e = &acl->elements[i];
-		const dns_aclelement_t *matchelt = NULL;
-		dns_acl_t *inner;
-
-		if (e->type != dns_aclelementtype_nestedacl)
-			goto dont_sort;
-
-		inner = e->u.nestedacl;
-
-		if (inner->length < 1 || inner->length > 2)
-			goto dont_sort;
-
-		if (inner->elements[0].negative)
-			goto dont_sort;
+		dns_aclelement_t *try_elt;
+		dns_aclelement_t *order_elt = NULL;
+		dns_aclelement_t *matched_elt = NULL;
+
+		if (e->type == dns_aclelementtype_nestedacl) {
+			dns_acl_t *inner = e->u.nestedacl;
+
+			if (inner->length < 1 || inner->length > 2)
+				goto dont_sort;
+			if (inner->elements[0].negative)
+				goto dont_sort;
+			try_elt = &inner->elements[0];
+			if (inner->length == 2)
+				order_elt = &inner->elements[1];
+		} else {
+			/*
+			 * BIND 8 allows bare elements at the top level
+			 * as an undocumented feature.
+			 */
+			try_elt = e;
+		}
 
-		if (dns_aclelement_match(clientaddr, NULL,
-					 &inner->elements[0],
+		if (dns_aclelement_match(clientaddr, NULL, try_elt,
 					 &ns_g_server->aclenv,
-					 &matchelt)) {
-			if (inner->length == 2) {
-				dns_aclelement_t *elt1 = &inner->elements[1];
-				if (elt1->type == dns_aclelementtype_nestedacl)
-					*argp = elt1->u.nestedacl;
-				else if (elt1->type == dns_aclelementtype_localhost &&
-					 ns_g_server->aclenv.localhost != NULL)
+					 &matched_elt)) {
+			if (order_elt != NULL) {
+				if (order_elt->type ==
+				    dns_aclelementtype_nestedacl) {
+					*argp = order_elt->u.nestedacl;
+					return (NS_SORTLISTTYPE_2ELEMENT);
+				} else if (order_elt->type ==
+					   dns_aclelementtype_localhost &&
+					   ns_g_server->aclenv.localhost != NULL) {
 					*argp = ns_g_server->aclenv.localhost;
-				else if (elt1->type == dns_aclelementtype_localnets &&
-					 ns_g_server->aclenv.localnets != NULL)
+					return (NS_SORTLISTTYPE_2ELEMENT);
+				} else if (order_elt->type ==
+					   dns_aclelementtype_localnets &&
+					   ns_g_server->aclenv.localnets != NULL) {
 					*argp = ns_g_server->aclenv.localnets;
-				else
-					goto dont_sort;
-				return (NS_SORTLISTTYPE_2ELEMENT);
+					return (NS_SORTLISTTYPE_2ELEMENT);
+				} else {
+					/*
+					 * BIND 8 allows a bare IP prefix as
+					 * the 2nd element of a 2-element
+					 * sortlist statement.
+					 */
+					*argp = order_elt;
+					return (NS_SORTLISTTYPE_1ELEMENT);
+				}
 			} else {
-				INSIST(matchelt != NULL);
-				*argp = matchelt;
+				INSIST(matched_elt != NULL);
+				*argp = matched_elt;
 				return (NS_SORTLISTTYPE_1ELEMENT);
 			}
 		}
@@ -90,8 +106,8 @@ ns_sortlist_setup(dns_acl_t *acl, isc_netaddr_t *clientaddr,
 }
 
 int
-ns_sortlist_addrorder2(const isc_netaddr_t *addr, const void *arg) {
-	const dns_acl_t *sortacl = (const dns_acl_t *) arg;
+ns_sortlist_addrorder2(isc_netaddr_t *addr, void *arg) {
+	dns_acl_t *sortacl = (dns_acl_t *) arg;
 	int match;
 
 	(void)dns_acl_match(addr, NULL, sortacl,
@@ -106,8 +122,8 @@ ns_sortlist_addrorder2(const isc_netaddr_t *addr, const void *arg) {
 }
 
 int
-ns_sortlist_addrorder1(const isc_netaddr_t *addr, const void *arg) {
-	const dns_aclelement_t *matchelt = (const dns_aclelement_t *) arg;
+ns_sortlist_addrorder1(isc_netaddr_t *addr, void *arg) {
+	dns_aclelement_t *matchelt = (dns_aclelement_t *) arg;
 	if (dns_aclelement_match(addr, NULL, matchelt,
 				 &ns_g_server->aclenv,
 				 NULL)) {
@@ -120,7 +136,7 @@ ns_sortlist_addrorder1(const isc_netaddr_t *addr, const void *arg) {
 void
 ns_sortlist_byaddrsetup(dns_acl_t *sortlist_acl, isc_netaddr_t *client_addr,
 		       dns_addressorderfunc_t *orderp,
-		       const void **argp)
+		       void **argp)
 {
 	ns_sortlisttype_t sortlisttype;
 
diff --git a/bin/named/tkeyconf.c b/bin/named/tkeyconf.c
index dc6b4a32..c4d9bf8a 100644
--- a/bin/named/tkeyconf.c
+++ b/bin/named/tkeyconf.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tkeyconf.c,v 1.19.2.3 2006/03/02 00:37:17 marka Exp $ */
+/* $Id: tkeyconf.c,v 1.19.208.1 2004/03/06 10:21:21 marka Exp $ */
 
 #include <config.h>
 
@@ -42,17 +42,17 @@
 
 
 isc_result_t
-ns_tkeyctx_fromconfig(const cfg_obj_t *options, isc_mem_t *mctx,
-		      isc_entropy_t *ectx, dns_tkeyctx_t **tctxp)
+ns_tkeyctx_fromconfig(cfg_obj_t *options, isc_mem_t *mctx, isc_entropy_t *ectx,
+		       dns_tkeyctx_t **tctxp)
 {
 	isc_result_t result;
 	dns_tkeyctx_t *tctx = NULL;
-	const char *s;
+	char *s;
 	isc_uint32_t n;
 	dns_fixedname_t fname;
 	dns_name_t *name;
 	isc_buffer_t b;
-	const cfg_obj_t *obj;
+	cfg_obj_t *obj;
 
 	result = dns_tkeyctx_create(mctx, ectx, &tctx);
 	if (result != ISC_R_SUCCESS)
diff --git a/bin/named/tsigconf.c b/bin/named/tsigconf.c
index 61da4671..38524c37 100644
--- a/bin/named/tsigconf.c
+++ b/bin/named/tsigconf.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tsigconf.c,v 1.21.2.3 2006/03/02 00:37:17 marka Exp $ */
+/* $Id: tsigconf.c,v 1.21.208.4 2004/03/08 04:04:19 marka Exp $ */
 
 #include <config.h>
 
@@ -35,12 +35,10 @@
 #include <named/tsigconf.h>
 
 static isc_result_t
-add_initial_keys(const cfg_obj_t *list, dns_tsig_keyring_t *ring,
-		 isc_mem_t *mctx)
-{
-	const cfg_listelt_t *element;
-	const cfg_obj_t *key = NULL;
-	const char *keyid = NULL;
+add_initial_keys(cfg_obj_t *list, dns_tsig_keyring_t *ring, isc_mem_t *mctx) {
+	cfg_listelt_t *element;
+	cfg_obj_t *key = NULL;
+	char *keyid = NULL;
 	unsigned char *secret = NULL;
 	int secretalloc = 0;
 	int secretlen = 0;
@@ -51,14 +49,14 @@ add_initial_keys(const cfg_obj_t *list, dns_tsig_keyring_t *ring,
 	     element != NULL;
 	     element = cfg_list_next(element))
 	{
-		const cfg_obj_t *algobj = NULL;
-		const cfg_obj_t *secretobj = NULL;
+		cfg_obj_t *algobj = NULL;
+		cfg_obj_t *secretobj = NULL;
 		dns_name_t keyname;
 		dns_name_t *alg;
-		const char *algstr;
+		char *algstr;
 		char keynamedata[1024];
 		isc_buffer_t keynamesrc, keynamebuf;
-		const char *secretstr;
+		char *secretstr;
 		isc_buffer_t secretbuf;
 
 		key = cfg_listelt_value(element);
@@ -131,11 +129,11 @@ add_initial_keys(const cfg_obj_t *list, dns_tsig_keyring_t *ring,
 }
 
 isc_result_t
-ns_tsigkeyring_fromconfig(const cfg_obj_t *config, const cfg_obj_t *vconfig,
+ns_tsigkeyring_fromconfig(cfg_obj_t *config, cfg_obj_t *vconfig,
 			  isc_mem_t *mctx, dns_tsig_keyring_t **ringp)
 {
-	const cfg_obj_t *maps[3];
-	const cfg_obj_t *keylist;
+	cfg_obj_t *maps[3];
+	cfg_obj_t *keylist;
 	dns_tsig_keyring_t *ring = NULL;
 	isc_result_t result;
 	int i;
diff --git a/bin/named/unix/Makefile.in b/bin/named/unix/Makefile.in
index 8c1d1dde..60ce9688 100644
--- a/bin/named/unix/Makefile.in
+++ b/bin/named/unix/Makefile.in
@@ -13,13 +13,13 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.6.2.1 2004/03/09 06:09:23 marka Exp $
+# $Id: Makefile.in,v 1.6.12.3 2004/03/08 09:04:15 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
 top_srcdir =	@top_srcdir@
 
-@BIND9_INCLUDES@
+@BIND9_MAKE_INCLUDES@
 
 CINCLUDES =	-I${srcdir}/include -I${srcdir}/../include \
 		${DNS_INCLUDES} ${ISC_INCLUDES}
diff --git a/bin/named/unix/include/named/os.h b/bin/named/unix/include/named/os.h
index 6f04b3c8..a9fbcb7b 100644
--- a/bin/named/unix/include/named/os.h
+++ b/bin/named/unix/include/named/os.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: os.h,v 1.14.2.6 2004/09/29 06:38:43 marka Exp $ */
+/* $Id: os.h,v 1.14.2.2.8.8 2004/03/08 04:04:21 marka Exp $ */
 
 #ifndef NS_OS_H
 #define NS_OS_H 1
@@ -52,10 +52,13 @@ ns_os_writepidfile(const char *filename, isc_boolean_t first_time);
 void
 ns_os_shutdown(void);
 
+isc_result_t
+ns_os_gethostname(char *buf, size_t len);
+
 void
-ns_os_tzset(void);
+ns_os_shutdownmsg(char *command, isc_buffer_t *text);
 
 void
-ns_os_started(void);
+ns_os_tzset(void);
 
 #endif /* NS_OS_H */
diff --git a/bin/named/unix/os.c b/bin/named/unix/os.c
index 264851ff..2931c704 100644
--- a/bin/named/unix/os.c
+++ b/bin/named/unix/os.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: os.c,v 1.46.2.17 2006/02/03 23:51:36 marka Exp $ */
+/* $Id: os.c,v 1.46.2.4.8.14 2004/03/08 04:04:21 marka Exp $ */
 
 #include <config.h>
 #include <stdarg.h>
 
-#include <sys/types.h>  /* dev_t FreeBSD 2.1 */
+#include <sys/types.h>	/* dev_t FreeBSD 2.1 */
 #include <sys/stat.h>
 
 #include <ctype.h>
@@ -32,11 +32,9 @@
 #include <stdlib.h>
 #include <signal.h>
 #include <syslog.h>
-#ifdef HAVE_TZSET
-#include <time.h>
-#endif
 #include <unistd.h>
 
+#include <isc/buffer.h>
 #include <isc/file.h>
 #include <isc/print.h>
 #include <isc/result.h>
@@ -45,13 +43,14 @@
 
 #include <named/main.h>
 #include <named/os.h>
-#ifdef HAVE_LIBSCF
-#include <named/ns_smf_globals.h>
-#endif
 
 static char *pidfile = NULL;
 static int devnullfd = -1;
 
+#ifndef ISC_FACILITY
+#define ISC_FACILITY LOG_DAEMON
+#endif
+
 /*
  * If there's no <linux/capability.h>, we don't care about <sys/prctl.h>
  */
@@ -102,7 +101,6 @@ static pid_t mainpid = 0;
 
 static struct passwd *runas_pw = NULL;
 static isc_boolean_t done_setuid = ISC_FALSE;
-static int dfd[2] = { -1, -1 };
 
 #ifdef HAVE_LINUX_CAPABILITY_H
 
@@ -151,19 +149,16 @@ linux_setcaps(unsigned int caps) {
 	if ((getuid() != 0 && !non_root_caps) || non_root)
 		return;
 
-	memset(&caphead, 0, sizeof caphead);
+	memset(&caphead, 0, sizeof(caphead));
 	caphead.version = _LINUX_CAPABILITY_VERSION;
 	caphead.pid = 0;
-	memset(&cap, 0, sizeof cap);
+	memset(&cap, 0, sizeof(cap));
 	cap.effective = caps;
 	cap.permitted = caps;
-	cap.inheritable = 0;
+	cap.inheritable = caps;
 	if (syscall(SYS_capset, &caphead, &cap) < 0) {
 		isc__strerror(errno, strbuf, sizeof(strbuf));
-		ns_main_earlyfatal("capset failed: %s:"
-				   " please ensure that the capset kernel"
-				   " module is loaded.  see insmod(8)",
-				   strbuf);
+		ns_main_earlyfatal("capset failed: %s", strbuf);
 	}
 }
 
@@ -282,8 +277,7 @@ setup_syslog(const char *progname) {
 #ifdef LOG_NDELAY
 	options |= LOG_NDELAY;
 #endif
-
-	openlog(isc_file_basename(progname), options, LOG_DAEMON);
+	openlog(isc_file_basename(progname), options, ISC_FACILITY);
 }
 
 void
@@ -305,33 +299,13 @@ ns_os_daemonize(void) {
 	pid_t pid;
 	char strbuf[ISC_STRERRORSIZE];
 
-	if (pipe(dfd) == -1) {
-		isc__strerror(errno, strbuf, sizeof(strbuf));
-		ns_main_earlyfatal("pipe(): %s", strbuf);
-	}
-
 	pid = fork();
 	if (pid == -1) {
 		isc__strerror(errno, strbuf, sizeof(strbuf));
 		ns_main_earlyfatal("fork(): %s", strbuf);
 	}
-	if (pid != 0) {
-		int n;
-		/*
-		 * Wait for the child to finish loading for the first time.
-		 * This would be so much simpler if fork() worked once we
-	         * were multi-threaded.
-		 */
-		(void)close(dfd[1]);
-		do {
-			char buf;
-			n = read(dfd[0], &buf, 1);
-			if (n == 1)
-				_exit(0);
-		} while (n == -1 && errno == EINTR);
-		_exit(1);
-	}
-	(void)close(dfd[0]);
+	if (pid != 0)
+		_exit(0);
 
 	/*
 	 * We're the child.
@@ -373,20 +347,6 @@ ns_os_daemonize(void) {
 }
 
 void
-ns_os_started(void) {
-	char buf = 0;
-
-	/*
-	 * Signal to the parent that we stated successfully.
-	 */
-	if (dfd[0] != -1 && dfd[1] != -1) {
-		write(dfd[1], &buf, 1);
-		close(dfd[1]);
-		dfd[0] = dfd[1] = -1;
-	}
-}
-
-void
 ns_os_opendevnull(void) {
 	devnullfd = open("/dev/null", O_RDWR, 0);
 }
@@ -416,9 +376,6 @@ all_digits(const char *s) {
 void
 ns_os_chroot(const char *root) {
 	char strbuf[ISC_STRERRORSIZE];
-#ifdef HAVE_LIBSCF
-	ns_smf_chroot = 0;
-#endif
 	if (root != NULL) {
 		if (chroot(root) < 0) {
 			isc__strerror(errno, strbuf, sizeof(strbuf));
@@ -428,10 +385,6 @@ ns_os_chroot(const char *root) {
 			isc__strerror(errno, strbuf, sizeof(strbuf));
 			ns_main_earlyfatal("chdir(/): %s", strbuf);
 		}
-#ifdef HAVE_LIBSCF
-		/* Set ns_smf_chroot flag on successful chroot. */
-		ns_smf_chroot = 1;
-#endif
 	}
 }
 
@@ -470,14 +423,10 @@ ns_os_changeuser(void) {
 #ifdef HAVE_LINUXTHREADS
 #ifdef HAVE_LINUX_CAPABILITY_H
 	if (!non_root_caps)
-		ns_main_earlyfatal("-u with Linux threads not supported: "
-				   "requires kernel support for "
-				   "prctl(PR_SET_KEEPCAPS)");
-#else
-	ns_main_earlyfatal("-u with Linux threads not supported: "
-			   "no capabilities support or capabilities "
-			   "disabled at build time");
 #endif
+		ns_main_earlyfatal(
+		   "-u not supported on Linux kernels older than "
+		   "2.3.99-pre3 or 2.2.18 when using threads");
 #endif
 
 	if (setgid(runas_pw->pw_gid) < 0) {
@@ -493,13 +442,6 @@ ns_os_changeuser(void) {
 #if defined(HAVE_LINUX_CAPABILITY_H) && !defined(HAVE_LINUXTHREADS)
 	linux_minprivs();
 #endif
-#if defined(HAVE_SYS_PRCTL_H) && defined(PR_SET_DUMPABLE)
-	/*
-	 * Restore the ability of named to drop core after the setuid()
-	 * call has disabled it.
-	 */
-	prctl(PR_SET_DUMPABLE,1,0,0,0);
-#endif
 }
 
 void
@@ -567,6 +509,9 @@ ns_os_writepidfile(const char *filename, isc_boolean_t first_time) {
 
 	cleanup_pidfile();
 
+	if (filename == NULL)
+		return;
+
 	len = strlen(filename);
 	pidfile = malloc(len + 1);
 	if (pidfile == NULL) {
@@ -620,6 +565,60 @@ ns_os_shutdown(void) {
 	cleanup_pidfile();
 }
 
+isc_result_t
+ns_os_gethostname(char *buf, size_t len) {
+	int n;
+
+	n = gethostname(buf, len);
+	return ((n == 0) ? ISC_R_SUCCESS : ISC_R_FAILURE);
+}
+
+static char *
+next_token(char **stringp, const char *delim) {
+	char *res;
+
+	do {
+		res = strsep(stringp, delim);
+		if (res == NULL)
+			break;
+	} while (*res == '\0');
+	return (res);
+}
+
+void
+ns_os_shutdownmsg(char *command, isc_buffer_t *text) {
+	char *input, *ptr;
+	unsigned int n;
+	pid_t pid;
+
+	input = command;
+
+	/* Skip the command name. */
+	ptr = next_token(&input, " \t");
+	if (ptr == NULL)
+		return;
+
+	ptr = next_token(&input, " \t");
+	if (ptr == NULL)
+		return;
+	
+	if (strcmp(ptr, "-p") != 0)
+		return;
+
+#ifdef HAVE_LINUXTHREADS
+	pid = mainpid;
+#else
+	pid = getpid();
+#endif
+
+	n = snprintf((char *)isc_buffer_used(text),
+		     isc_buffer_availablelength(text),
+		     "pid: %d", pid);
+	/* Only send a message if it is complete. */
+	if (n < isc_buffer_availablelength(text))
+		isc_buffer_add(text, n);
+}
+
 void
 ns_os_tzset(void) {
 #ifdef HAVE_TZSET
diff --git a/bin/named/update.c b/bin/named/update.c
index e19972cb..bbce6800 100644
--- a/bin/named/update.c
+++ b/bin/named/update.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: update.c,v 1.88.2.19 2006/01/06 00:01:41 marka Exp $ */
+/* $Id: update.c,v 1.88.2.5.2.16 2004/03/08 21:06:21 marka Exp $ */
 
 #include <config.h>
 
@@ -32,11 +32,11 @@
 #include <dns/fixedname.h>
 #include <dns/journal.h>
 #include <dns/message.h>
-#include <dns/nxt.h>
+#include <dns/nsec.h>
 #include <dns/rdataclass.h>
 #include <dns/rdataset.h>
 #include <dns/rdatasetiter.h>
-#include <dns/rdatastruct.h>
+#include <dns/rdatatype.h>
 #include <dns/soa.h>
 #include <dns/ssu.h>
 #include <dns/view.h>
@@ -100,13 +100,65 @@
  */
 #define FAILC(code, msg) \
 	do {							\
+		const char *_what = "failed";			\
 		result = (code);				\
+		switch (result) {				\
+		case DNS_R_NXDOMAIN:				\
+		case DNS_R_YXDOMAIN:				\
+		case DNS_R_YXRRSET:				\
+		case DNS_R_NXRRSET:				\
+			_what = "unsuccessful";			\
+		}						\
 		update_log(client, zone, LOGLEVEL_PROTOCOL,   	\
-			      "update failed: %s (%s)",		\
+			      "update %s: %s (%s)", _what,	\
 		      	      msg, isc_result_totext(result));	\
 		if (result != ISC_R_SUCCESS) goto failure;	\
 	} while (0)
 
+#define FAILN(code, name, msg) \
+	do {								\
+		const char *_what = "failed";				\
+		result = (code);					\
+		switch (result) {					\
+		case DNS_R_NXDOMAIN:					\
+		case DNS_R_YXDOMAIN:					\
+		case DNS_R_YXRRSET:					\
+		case DNS_R_NXRRSET:					\
+			_what = "unsuccessful";				\
+		}							\
+		if (isc_log_wouldlog(ns_g_lctx, LOGLEVEL_PROTOCOL)) {	\
+			char _nbuf[DNS_NAME_FORMATSIZE];		\
+			dns_name_format(name, _nbuf, sizeof(_nbuf));	\
+			update_log(client, zone, LOGLEVEL_PROTOCOL,   	\
+				   "update %s: %s: %s (%s)", _what, _nbuf, \
+				   msg, isc_result_totext(result));	\
+		}							\
+		if (result != ISC_R_SUCCESS) goto failure;		\
+	} while (0)
+
+#define FAILNT(code, name, type, msg) \
+	do {								\
+		const char *_what = "failed";				\
+		result = (code);					\
+		switch (result) {					\
+		case DNS_R_NXDOMAIN:					\
+		case DNS_R_YXDOMAIN:					\
+		case DNS_R_YXRRSET:					\
+		case DNS_R_NXRRSET:					\
+			_what = "unsuccessful";				\
+		}							\
+		if (isc_log_wouldlog(ns_g_lctx, LOGLEVEL_PROTOCOL)) {	\
+			char _nbuf[DNS_NAME_FORMATSIZE];		\
+			char _tbuf[DNS_RDATATYPE_FORMATSIZE];		\
+			dns_name_format(name, _nbuf, sizeof(_nbuf));	\
+			dns_rdatatype_format(type, _tbuf, sizeof(_tbuf)); \
+			update_log(client, zone, LOGLEVEL_PROTOCOL,   	\
+				   "update %s: %s/%s: %s (%s)",		\
+				   _what, _nbuf, _tbuf, msg,		\
+				   isc_result_totext(result));		\
+		}							\
+		if (result != ISC_R_SUCCESS) goto failure;		\
+	} while (0)
 /*
  * Fail unconditionally and log as a server error.
  * The test against ISC_R_SUCCESS is there to keep the Solaris compiler
@@ -115,7 +167,7 @@
 #define FAILS(code, msg) \
 	do {							\
 		result = (code);				\
-		update_log(client, zone, LOGLEVEL_PROTOCOL,		\
+		update_log(client, zone, LOGLEVEL_PROTOCOL,	\
 			      "error: %s: %s", 			\
 			      msg, isc_result_totext(result));	\
 		if (result != ISC_R_SUCCESS) goto failure;	\
@@ -177,7 +229,7 @@ update_log(ns_client_t *client, dns_zone_t *zone,
 			      sizeof(classbuf));
 
 	va_start(ap, fmt);
-	vsnprintf(message, sizeof message, fmt, ap);
+	vsnprintf(message, sizeof(message), fmt, ap);
 	va_end(ap);
 
 	ns_client_log(client, NS_LOGCATEGORY_UPDATE, NS_LOGMODULE_UPDATE,
@@ -185,6 +237,33 @@ update_log(ns_client_t *client, dns_zone_t *zone,
 		      namebuf, classbuf, message);
 }
 
+static isc_result_t
+checkupdateacl(ns_client_t *client, dns_acl_t *acl, const char *message,
+	       dns_name_t *zonename)
+{
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char classbuf[DNS_RDATACLASS_FORMATSIZE];
+	int level = ISC_LOG_ERROR;
+	const char *msg = "denied";
+	isc_result_t result;
+
+	result = ns_client_checkaclsilent(client, acl, ISC_FALSE);
+
+	if (result == ISC_R_SUCCESS) {
+		level = ISC_LOG_DEBUG(3);
+		msg = "approved";
+	}
+
+	dns_name_format(zonename, namebuf, sizeof(namebuf));
+	dns_rdataclass_format(client->view->rdclass, classbuf,
+			      sizeof(classbuf));
+
+	ns_client_log(client, NS_LOGCATEGORY_UPDATE_SECURITY,
+			      NS_LOGMODULE_UPDATE, level, "%s '%s/%s' %s",
+			      message, namebuf, classbuf, msg);
+	return (result);
+}
+
 /*
  * Update a single RR in version 'ver' of 'db' and log the
  * update in 'diff'.
@@ -619,12 +698,12 @@ ssu_checkrule(void *data, dns_rdataset_t *rrset) {
 	isc_boolean_t result;
 
 	/*
-	 * If we're deleting all records, it's ok to delete SIG and NXT even
+	 * If we're deleting all records, it's ok to delete RRSIG and NSEC even
 	 * if we're normally not allowed to.
 	 */
-	if (rrset->type == dns_rdatatype_sig ||
-	    rrset->type == dns_rdatatype_nxt)
-		return (ISC_R_SUCCESS);
+	if (rrset->type == dns_rdatatype_rrsig ||
+	    rrset->type == dns_rdatatype_nsec)
+		return (ISC_TRUE);
 	result = dns_ssutable_checkrules(ssuinfo->table, ssuinfo->signer,
 					 ssuinfo->name, rrset->type);
 	return (result == ISC_TRUE ? ISC_R_SUCCESS : ISC_R_FAILURE);
@@ -726,11 +805,13 @@ temp_order(const void *av, const void *bv) {
  *
  * Return ISC_R_SUCCESS if the prerequisites are satisfied,
  * rcode(dns_rcode_nxrrset) if not.
+ *
+ * 'temp' must be pre-sorted.
  */
 
 static isc_result_t
 temp_check(isc_mem_t *mctx, dns_diff_t *temp, dns_db_t *db,
-	   dns_dbversion_t *ver)
+	   dns_dbversion_t *ver, dns_name_t *tmpname, dns_rdatatype_t *typep)
 {
 	isc_result_t result;
 	dns_name_t *name;
@@ -738,18 +819,6 @@ temp_check(isc_mem_t *mctx, dns_diff_t *temp, dns_db_t *db,
 	dns_difftuple_t *t;
 	dns_diff_t trash;
 
-	/* Exit early if the list is empty (for efficiency only). */
-	if (ISC_LIST_HEAD(temp->tuples) == NULL)
-		return (ISC_R_SUCCESS);
-
-	/*
-	 * Sort the prerequisite records by owner name,
-	 * type, and rdata.
-	 */
-	result = dns_diff_sort(temp, temp_order);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
 	dns_diff_init(mctx, &trash);
 
 	/*
@@ -760,6 +829,8 @@ temp_check(isc_mem_t *mctx, dns_diff_t *temp, dns_db_t *db,
 	t = ISC_LIST_HEAD(temp->tuples);
 	while (t != NULL) {
 		name = &t->name;
+		(void)dns_name_copy(name, tmpname, NULL);
+		*typep = t->rdata.type;
 
 		/* A new unique name begins here. */
 		node = NULL;
@@ -778,8 +849,8 @@ temp_check(isc_mem_t *mctx, dns_diff_t *temp, dns_db_t *db,
  			dns_diff_t u_rrs; /* Update RRs with
 						this name and type */
 
-			type = t->rdata.type;
-			if (type == dns_rdatatype_sig)
+			*typep = type = t->rdata.type;
+			if (type == dns_rdatatype_rrsig)
 				covers = dns_rdata_covers(&t->rdata);
 			else
 				covers = 0;
@@ -888,27 +959,13 @@ typedef struct {
  */
 
 /*
- * Return true iff 'db_rr' is neither a SOA nor an NS RR nor
- * an SIG nor a NXT.
+ * Return true iff 'update_rr' is neither a SOA nor an NS RR.
  */
 static isc_boolean_t
 type_not_soa_nor_ns_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
 	UNUSED(update_rr);
 	return ((db_rr->type != dns_rdatatype_soa &&
-		 db_rr->type != dns_rdatatype_ns &&
-		 db_rr->type != dns_rdatatype_sig &&
-		 db_rr->type != dns_rdatatype_nxt) ?
-		ISC_TRUE : ISC_FALSE);
-}
-
-/*
- * Return true iff 'db_rr' is neither a SIG nor a NXT.
- */
-static isc_boolean_t
-type_not_dnssec(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
-	UNUSED(update_rr);
-	return ((db_rr->type != dns_rdatatype_sig &&
-		 db_rr->type != dns_rdatatype_nxt) ?
+		 db_rr->type != dns_rdatatype_ns) ?
 		ISC_TRUE : ISC_FALSE);
 }
 
@@ -940,7 +997,7 @@ rr_equal_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
  * Return true iff 'update_rr' should replace 'db_rr' according
  * to the special RFC2136 rules for CNAME, SOA, and WKS records.
  *
- * RFC2136 does not mention NXT or DNAME, but multiple NXTs or DNAMEs
+ * RFC2136 does not mention NSEC or DNAME, but multiple NSECs or DNAMEs
  * make little sense, so we replace those, too.
  */
 static isc_boolean_t
@@ -953,7 +1010,7 @@ replaces_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
 		return (ISC_TRUE);
 	if (db_rr->type == dns_rdatatype_soa)
 		return (ISC_TRUE);
-	if (db_rr->type == dns_rdatatype_nxt)
+	if (db_rr->type == dns_rdatatype_nsec)
 		return (ISC_TRUE);
 	if (db_rr->type == dns_rdatatype_wks) {
 		/*
@@ -1042,16 +1099,14 @@ add_rr_prepare_action(void *data, rr_t *rr) {
 	isc_result_t result = ISC_R_SUCCESS;	
 	add_rr_prepare_ctx_t *ctx = data;
 	dns_difftuple_t *tuple = NULL;
-	isc_boolean_t equal;
 
 	/*
 	 * If the update RR is a "duplicate" of the update RR,
 	 * the update should be silently ignored.
 	 */
-	equal = ISC_TF(dns_rdata_compare(&rr->rdata, ctx->update_rr) == 0);
-	if (equal && rr->ttl == ctx->update_rr_ttl) {
+	if (dns_rdata_compare(&rr->rdata, ctx->update_rr) == 0 &&
+	    rr->ttl == ctx->update_rr_ttl) {
 		ctx->ignore_add = ISC_TRUE;
-		return (ISC_R_SUCCESS);
 	}
 
 	/*
@@ -1079,14 +1134,12 @@ add_rr_prepare_action(void *data, rr_t *rr) {
 					   &rr->rdata,
 					   &tuple));
 		dns_diff_append(&ctx->del_diff, &tuple);
-		if (!equal) {
-			CHECK(dns_difftuple_create(ctx->add_diff.mctx,
-						   DNS_DIFFOP_ADD, ctx->name,
-						   ctx->update_rr_ttl,
-						   &rr->rdata,
-						   &tuple));
-			dns_diff_append(&ctx->add_diff, &tuple);
-		}
+		CHECK(dns_difftuple_create(ctx->add_diff.mctx,
+					   DNS_DIFFOP_ADD, ctx->name,
+					   ctx->update_rr_ttl,
+					   &rr->rdata,
+					   &tuple));
+		dns_diff_append(&ctx->add_diff, &tuple);
 	}
  failure:
 	return (result);
@@ -1219,7 +1272,7 @@ check_soa_increment(dns_db_t *db, dns_dbversion_t *ver,
 
 /**************************************************************************/
 /*
- * Incremental updating of NXTs and SIGs.
+ * Incremental updating of NSECs and RRSIGs.
  */
 
 #define MAXZONEKEYS 32	/* Maximum number of zone keys supported. */
@@ -1259,9 +1312,8 @@ namelist_append_subdomain(dns_db_t *db, dns_name_t *name, dns_diff_t *affected)
 	     result = dns_dbiterator_next(dbit))
 	{
 		dns_dbnode_t *node = NULL;
-		result = dns_dbiterator_current(dbit, &node, child);
+		CHECK(dns_dbiterator_current(dbit, &node, child));
 		dns_db_detachnode(db, &node);
-		CHECK(result);
 		if (! dns_name_issubdomain(child, name))
 			break;
 		CHECK(namelist_append_name(affected, child));
@@ -1277,20 +1329,20 @@ namelist_append_subdomain(dns_db_t *db, dns_name_t *name, dns_diff_t *affected)
 
 
 /*
- * Helper function for non_nxt_rrset_exists().
+ * Helper function for non_nsec_rrset_exists().
  */
 static isc_result_t
-is_non_nxt_action(void *data, dns_rdataset_t *rrset) {
+is_non_nsec_action(void *data, dns_rdataset_t *rrset) {
 	UNUSED(data);
-	if (!(rrset->type == dns_rdatatype_nxt ||
-	      (rrset->type == dns_rdatatype_sig &&
-	       rrset->covers == dns_rdatatype_nxt)))
+	if (!(rrset->type == dns_rdatatype_nsec ||
+	      (rrset->type == dns_rdatatype_rrsig &&
+	       rrset->covers == dns_rdatatype_nsec)))
 		return (ISC_R_EXISTS);
 	return (ISC_R_SUCCESS);
 }
 
 /*
- * Check whether there is an rrset other than a NXT or SIG NXT,
+ * Check whether there is an rrset other than a NSEC or RRSIG NSEC,
  * i.e., anything that justifies the continued existence of a name
  * after a secure update.
  *
@@ -1298,12 +1350,12 @@ is_non_nxt_action(void *data, dns_rdataset_t *rrset) {
  * Otherwise, set it to ISC_FALSE.
  */
 static isc_result_t
-non_nxt_rrset_exists(dns_db_t *db, dns_dbversion_t *ver,
+non_nsec_rrset_exists(dns_db_t *db, dns_dbversion_t *ver,
 		     dns_name_t *name, isc_boolean_t *exists)
 {
 	isc_result_t result;
 	result = foreach_rrset(db, ver, name,
-			       is_non_nxt_action, NULL);
+			       is_non_nsec_action, NULL);
 	RETURN_EXISTENCE_FLAG;
 }
 
@@ -1359,7 +1411,7 @@ is_glue(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
 		return (ISC_R_SUCCESS);
 	} else if (result == DNS_R_ZONECUT) {
 		/*
-		 * We are at the zonecut.  The name will have an NXT, but
+		 * We are at the zonecut.  The name will have an NSEC, but
 		 * non-delegation will be omitted from the type bit map.
 		 */
 		*flag = ISC_FALSE;
@@ -1373,18 +1425,19 @@ is_glue(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
 }
 
 /*
- * Find the next/previous name that has a NXT record.
+ * Find the next/previous name that has a NSEC record.
  * In other words, skip empty database nodes and names that
- * have had their NXTs removed because they are obscured by
+ * have had their NSECs removed because they are obscured by
  * a zone cut.
  */
 static isc_result_t
-next_active(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *oldname,
-     dns_name_t *newname, isc_boolean_t forward)
+next_active(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
+	    dns_dbversion_t *ver, dns_name_t *oldname, dns_name_t *newname,
+	    isc_boolean_t forward)
 {
 	isc_result_t result;
 	dns_dbiterator_t *dbit = NULL;
-	isc_boolean_t has_nxt;
+	isc_boolean_t has_nsec;
 	unsigned int wraps = 0;
 
 	CHECK(dns_db_createiterator(db, ISC_FALSE, &dbit));
@@ -1407,15 +1460,13 @@ next_active(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *oldname,
 				CHECK(dns_dbiterator_last(dbit));
 			wraps++;
 			if (wraps == 2) {
-				isc_log_write(ns_g_lctx, NS_LOGCATEGORY_UPDATE,
-					      NS_LOGMODULE_UPDATE,
-					      ISC_LOG_ERROR,
-					      "secure zone with no NXTs");
+				update_log(client, zone, ISC_LOG_ERROR,
+					   "secure zone with no NSECs");
 				result = DNS_R_BADZONE;
 				goto failure;
 			}
 		}
-		dns_dbiterator_current(dbit, &node, newname);
+		CHECK(dns_dbiterator_current(dbit, &node, newname));
 		dns_db_detachnode(db, &node);
 
 		/*
@@ -1426,9 +1477,9 @@ next_active(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *oldname,
 		 */
 		CHECK(dns_dbiterator_pause(dbit));
 		CHECK(rrset_exists(db, ver, newname,
-				   dns_rdatatype_nxt, 0, &has_nxt));
+				   dns_rdatatype_nsec, 0, &has_nsec));
 
-	} while (! has_nxt);
+	} while (! has_nsec);
  failure:
 	if (dbit != NULL)
 		dns_dbiterator_destroy(&dbit);
@@ -1437,16 +1488,16 @@ next_active(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *oldname,
 }
 
 /*
- * Add a NXT record for "name", recording the change in "diff".
- * The existing NXT is removed.
+ * Add a NSEC record for "name", recording the change in "diff".
+ * The existing NSEC is removed.
  */
 static isc_result_t
-add_nxt(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
-	dns_ttl_t nxtttl, dns_diff_t *diff)
+add_nsec(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
+	dns_dbversion_t *ver, dns_name_t *name, dns_diff_t *diff)
 {
 	isc_result_t result;
 	dns_dbnode_t *node = NULL;
-	unsigned char buffer[DNS_NXT_BUFFERSIZE];
+	unsigned char buffer[DNS_NSEC_BUFFERSIZE];
 	dns_rdata_t rdata = DNS_RDATA_INIT;
 	dns_difftuple_t *tuple = NULL;
 	dns_fixedname_t fixedname;
@@ -1456,28 +1507,29 @@ add_nxt(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
 	target = dns_fixedname_name(&fixedname);
 
 	/*
-	 * Find the successor name, aka NXT target.
+	 * Find the successor name, aka NSEC target.
 	 */
-	CHECK(next_active(db, ver, name, target, ISC_TRUE));
+	CHECK(next_active(client, zone, db, ver, name, target, ISC_TRUE));
 
 	/*
-	 * Create the NXT RDATA.
+	 * Create the NSEC RDATA.
 	 */
 	CHECK(dns_db_findnode(db, name, ISC_FALSE, &node));
 	dns_rdata_init(&rdata);
-	CHECK(dns_nxt_buildrdata(db, ver, node, target, buffer, &rdata));
+	CHECK(dns_nsec_buildrdata(db, ver, node, target, buffer, &rdata));
 	dns_db_detachnode(db, &node);
 
 	/*
-	 * Delete the old NXT and record the change.
+	 * Delete the old NSEC and record the change.
 	 */
-	CHECK(delete_if(true_p, db, ver, name, dns_rdatatype_nxt, 0,
+	CHECK(delete_if(true_p, db, ver, name, dns_rdatatype_nsec, 0,
 			NULL, diff));
 	/*
-	 * Add the new NXT and record the change.
+	 * Add the new NSEC and record the change.
 	 */
 	CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, name,
-				   nxtttl, &rdata, &tuple));
+				   3600,	/* XXXRTH */
+				   &rdata, &tuple));
 	CHECK(do_one_tuple(&tuple, db, ver, diff));
 	INSIST(tuple == NULL);
 
@@ -1488,10 +1540,10 @@ add_nxt(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
 }
 
 /*
- * Add a placeholder NXT record for "name", recording the change in "diff".
+ * Add a placeholder NSEC record for "name", recording the change in "diff".
  */
 static isc_result_t
-add_placeholder_nxt(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+add_placeholder_nsec(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
 		    dns_diff_t *diff) {
 	isc_result_t result;
 	dns_difftuple_t *tuple = NULL;
@@ -1500,8 +1552,8 @@ add_placeholder_nxt(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
 	dns_rdata_t rdata = DNS_RDATA_INIT;
 
 	r.base = data;
-	r.length = sizeof data;
-	dns_rdata_fromregion(&rdata, dns_db_class(db), dns_rdatatype_nxt, &r);
+	r.length = sizeof(data);
+	dns_rdata_fromregion(&rdata, dns_db_class(db), dns_rdatatype_nsec, &r);
 	CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, name, 0,
 				   &rdata, &tuple));
 	CHECK(do_one_tuple(&tuple, db, ver, diff));
@@ -1510,14 +1562,16 @@ add_placeholder_nxt(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
 }
 
 static isc_result_t
-find_zone_keys(dns_db_t *db, dns_dbversion_t *ver, isc_mem_t *mctx,
-	       unsigned int maxkeys, dst_key_t **keys, unsigned int *nkeys)
+find_zone_keys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
+	       isc_mem_t *mctx, unsigned int maxkeys,
+	       dst_key_t **keys, unsigned int *nkeys)
 {
 	isc_result_t result;
 	dns_dbnode_t *node = NULL;
+	const char *directory = dns_zone_getkeydirectory(zone);
 	CHECK(dns_db_findnode(db, dns_db_origin(db), ISC_FALSE, &node));
-	CHECK(dns_dnssec_findzonekeys(db, ver, node, dns_db_origin(db),
-				      mctx, maxkeys, keys, nkeys));
+	CHECK(dns_dnssec_findzonekeys2(db, ver, node, dns_db_origin(db),
+				       directory, mctx, maxkeys, keys, nkeys));
  failure:
 	if (node != NULL)
 		dns_db_detachnode(db, &node);
@@ -1525,7 +1579,7 @@ find_zone_keys(dns_db_t *db, dns_dbversion_t *ver, isc_mem_t *mctx,
 }
 
 /*
- * Add SIG records for an RRset, recording the change in "diff".
+ * Add RRSIG records for an RRset, recording the change in "diff".
  */
 static isc_result_t
 add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
@@ -1552,12 +1606,12 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
 	dns_db_detachnode(db, &node);
 
 	for (i = 0; i < nkeys; i++) {
-		/* Calculate the signature, creating a SIG RDATA. */
+		/* Calculate the signature, creating a RRSIG RDATA. */
 		CHECK(dns_dnssec_sign(name, &rdataset, keys[i],
 				      &inception, &expire,
 				      mctx, &buffer, &sig_rdata));
 
-		/* Update the database and journal with the SIG. */
+		/* Update the database and journal with the RRSIG. */
 		/* XXX inefficient - will cause dataset merging */
 		CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_ADD, name,
 				    rdataset.ttl, &sig_rdata));
@@ -1573,53 +1627,46 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
 }
 
 /*
- * Update SIG and NXT records affected by an update.  The original
- * update, including the SOA serial update but exluding the SIG & NXT
+ * Update RRSIG and NSEC records affected by an update.  The original
+ * update, including the SOA serial update but exluding the RRSIG & NSEC
  * changes, is in "diff" and has already been applied to "newver" of "db".
  * The database version prior to the update is "oldver".
  *
- * The necessary SIG and NXT changes will be applied to "newver"
+ * The necessary RRSIG and NSEC changes will be applied to "newver"
  * and added (as a minimal diff) to "diff".
  *
- * The SIGs generated will be valid for 'sigvalidityinterval' seconds.
+ * The RRSIGs generated will be valid for 'sigvalidityinterval' seconds.
  */
 static isc_result_t
-update_signatures(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *oldver,
-		  dns_dbversion_t *newver, dns_diff_t *diff,
-		  isc_uint32_t sigvalidityinterval)
+update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
+		  dns_dbversion_t *oldver, dns_dbversion_t *newver,
+		  dns_diff_t *diff, isc_uint32_t sigvalidityinterval)
 {
 	isc_result_t result;
 	dns_difftuple_t *t;
 	dns_diff_t diffnames;
 	dns_diff_t affected;
 	dns_diff_t sig_diff;
-	dns_diff_t nxt_diff;
-	dns_diff_t nxt_mindiff;
+	dns_diff_t nsec_diff;
+	dns_diff_t nsec_mindiff;
 	isc_boolean_t flag;
 	dst_key_t *zone_keys[MAXZONEKEYS];
 	unsigned int nkeys = 0;
 	unsigned int i;
 	isc_stdtime_t now, inception, expire;
-	dns_ttl_t nxtttl;
-	dns_rdata_soa_t soa;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dns_rdataset_t rdataset;
-	dns_dbnode_t *node = NULL;
 
-	dns_diff_init(mctx, &diffnames);
-	dns_diff_init(mctx, &affected);
+	dns_diff_init(client->mctx, &diffnames);
+	dns_diff_init(client->mctx, &affected);
 
-	dns_diff_init(mctx, &sig_diff);
-	dns_diff_init(mctx, &nxt_diff);
-	dns_diff_init(mctx, &nxt_mindiff);
+	dns_diff_init(client->mctx, &sig_diff);
+	dns_diff_init(client->mctx, &nsec_diff);
+	dns_diff_init(client->mctx, &nsec_mindiff);
 
-	result = find_zone_keys(db, newver, mctx,
+	result = find_zone_keys(zone, db, newver, client->mctx,
 				MAXZONEKEYS, zone_keys, &nkeys);
 	if (result != ISC_R_SUCCESS) {
-		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_UPDATE,
-			      NS_LOGMODULE_UPDATE, ISC_LOG_ERROR,
-			      "could not get zone keys for secure "
-			      "dynamic update");
+		update_log(client, zone, ISC_LOG_ERROR,
+			   "could not get zone keys for secure dynamic update");
 		goto failure;
 	}
 
@@ -1628,22 +1675,8 @@ update_signatures(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *oldver,
 	expire = now + sigvalidityinterval;
 
 	/*
-	 * Get the NXT's TTL from the SOA MINIMUM field.
-	 */
-	CHECK(dns_db_findnode(db, dns_db_origin(db), ISC_FALSE, &node));
-	dns_rdataset_init(&rdataset);
-	CHECK(dns_db_findrdataset(db, node, newver, dns_rdatatype_soa, 0,
-                                  (isc_stdtime_t) 0, &rdataset, NULL));
-	CHECK(dns_rdataset_first(&rdataset));
-	dns_rdataset_current(&rdataset, &rdata);
-	CHECK(dns_rdata_tostruct(&rdata, &soa, NULL));
-	nxtttl = soa.minimum;
-	dns_rdataset_disassociate(&rdataset);
-	dns_db_detachnode(db, &node);
-
-	/*
 	 * Find all RRsets directly affected by the update, and
-	 * update their SIGs.  Also build a list of names affected
+	 * update their RRSIGs.  Also build a list of names affected
 	 * by the update in "diffnames".
 	 */
 	CHECK(dns_diff_sort(diff, temp_order));
@@ -1664,17 +1697,17 @@ update_signatures(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *oldver,
 			 * affected by the update.
 			 */
 
-			/* Don't sign SIGs. */
-			if (type == dns_rdatatype_sig)
+			/* Don't sign RRSIGs. */
+			if (type == dns_rdatatype_rrsig)
 				goto skip;
 
 			/*
-			 * Delete all old SIGs covering this type, since they
+			 * Delete all old RRSIGs covering this type, since they
 			 * are all invalid when the signed RRset has changed.
 			 * We may not be able to recreate all of them - tough.
 			 */
 			CHECK(delete_if(true_p, db, newver, name,
-					dns_rdatatype_sig, type,
+					dns_rdatatype_rrsig, type,
 					NULL, &sig_diff));
 
 			/*
@@ -1685,7 +1718,8 @@ update_signatures(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *oldver,
 			if (flag) {
 				CHECK(add_sigs(db, newver, name, type,
 					       &sig_diff, zone_keys, nkeys,
-					       mctx, inception, expire));
+					       client->mctx, inception,
+					       expire));
 			}
 		skip:
 			/* Skip any other updates to the same RRset. */
@@ -1698,12 +1732,12 @@ update_signatures(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *oldver,
 		}
 	}
 
-	/* Remove orphaned NXTs and SIG NXTs. */
+	/* Remove orphaned NSECs and RRSIG NSECs. */
 	for (t = ISC_LIST_HEAD(diffnames.tuples);
 	     t != NULL;
 	     t = ISC_LIST_NEXT(t, link))
 	{
-		CHECK(non_nxt_rrset_exists(db, newver, &t->name, &flag));
+		CHECK(non_nsec_rrset_exists(db, newver, &t->name, &flag));
 		if (! flag) {
 			CHECK(delete_if(true_p, db, newver, &t->name,
 					dns_rdatatype_any, 0,
@@ -1713,7 +1747,7 @@ update_signatures(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *oldver,
 
 	/*
 	 * When a name is created or deleted, its predecessor needs to
-	 * have its NXT updated.
+	 * have its NSEC updated.
 	 */
 	for (t = ISC_LIST_HEAD(diffnames.tuples);
 	     t != NULL;
@@ -1735,13 +1769,14 @@ update_signatures(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *oldver,
 		 * Find the predecessor.
 		 * When names become obscured or unobscured in this update
 		 * transaction, we may find the wrong predecessor because
-		 * the NXTs have not yet been updated to reflect the delegation
+		 * the NSECs have not yet been updated to reflect the delegation
 		 * change.  This should not matter because in this case,
 		 * the correct predecessor is either the delegation node or
 		 * a newly unobscured node, and those nodes are on the
 		 * "affected" list in any case.
 		 */
-		CHECK(next_active(db, newver, &t->name, prevname, ISC_FALSE));
+		CHECK(next_active(client, zone, db, newver,
+				  &t->name, prevname, ISC_FALSE));
 		CHECK(namelist_append_name(&affected, prevname));
 	}
 
@@ -1769,7 +1804,7 @@ update_signatures(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *oldver,
 			continue;
 		/*
 		 * There was a delegation change.  Mark all subdomains
-		 * of t->name as potentially needing a NXT update.
+		 * of t->name as potentially needing a NSEC update.
 		 */
 		CHECK(namelist_append_subdomain(db, &t->name, &affected));
 	}
@@ -1780,11 +1815,11 @@ update_signatures(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *oldver,
 	CHECK(uniqify_name_list(&affected));
 
 	/*
-	 * Determine which names should have NXTs, and delete/create
-	 * NXTs to make it so.  We don't know the final NXT targets yet,
-	 * so we just create placeholder NXTs with arbitrary contents
+	 * Determine which names should have NSECs, and delete/create
+	 * NSECs to make it so.  We don't know the final NSEC targets yet,
+	 * so we just create placeholder NSECs with arbitrary contents
 	 * to indicate that their respective owner names should be part of
-	 * the NXT chain.
+	 * the NSEC chain.
 	 */
 	for (t = ISC_LIST_HEAD(affected.tuples);
 	     t != NULL;
@@ -1798,26 +1833,25 @@ update_signatures(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *oldver,
 		if (flag) {
 			/*
 			 * This name is obscured.  Delete any
-			 * existing NXT record.
+			 * existing NSEC record.
 			 */
 			CHECK(delete_if(true_p, db, newver, &t->name,
-					dns_rdatatype_nxt, 0,
-					NULL, &nxt_diff));
+					dns_rdatatype_nsec, 0,
+					NULL, &nsec_diff));
 		} else {
 			/*
-			 * This name is not obscured.  It should have a NXT.
+			 * This name is not obscured.  It should have a NSEC.
 			 */
 			CHECK(rrset_exists(db, newver, &t->name,
-					   dns_rdatatype_nxt, 0, &flag));
-			if (! flag) {
-				add_placeholder_nxt(db, newver, &t->name,
-						    diff);
-			}
+					   dns_rdatatype_nsec, 0, &flag));
+			if (! flag)
+				CHECK(add_placeholder_nsec(db, newver, &t->name,
+							  diff));
 		}
 	}
 
 	/*
-	 * Now we know which names are part of the NXT chain.
+	 * Now we know which names are part of the NSEC chain.
 	 * Make them all point at their correct targets.
 	 */
 	for (t = ISC_LIST_HEAD(affected.tuples);
@@ -1825,52 +1859,52 @@ update_signatures(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *oldver,
 	     t = ISC_LIST_NEXT(t, link))
 	{
 		CHECK(rrset_exists(db, newver, &t->name,
-				   dns_rdatatype_nxt, 0, &flag));
+				   dns_rdatatype_nsec, 0, &flag));
 		if (flag) {
 			/*
-			 * There is a NXT, but we don't know if it is correct.
+			 * There is a NSEC, but we don't know if it is correct.
 			 * Delete it and create a correct one to be sure.
 			 * If the update was unnecessary, the diff minimization
 			 * will take care of eliminating it from the journal,
 			 * IXFRs, etc.
 			 *
-			 * The SIG bit should always be set in the NXTs
-			 * we generate, because they will all get SIG NXTs.
+			 * The RRSIG bit should always be set in the NSECs
+			 * we generate, because they will all get RRSIG NSECs.
 			 * (XXX what if the zone keys are missing?).
-			 * Because the SIG NXTs have not necessarily been
+			 * Because the RRSIG NSECs have not necessarily been
 			 * created yet, the correctness of the bit mask relies
-			 * on the assumption that NXTs are only created if
+			 * on the assumption that NSECs are only created if
 			 * there is other data, and if there is other data,
-			 * there are other SIGs.
+			 * there are other RRSIGs.
 			 */
-			CHECK(add_nxt(db, newver, &t->name, nxtttl,
-				      &nxt_diff));
+			CHECK(add_nsec(client, zone, db, newver,
+				      &t->name, &nsec_diff));
 		}
 	}
 
 	/*
-	 * Minimize the set of NXT updates so that we don't
-	 * have to regenerate the SIG NXTs for NXTs that were
+	 * Minimize the set of NSEC updates so that we don't
+	 * have to regenerate the RRSIG NSECs for NSECs that were
 	 * replaced with identical ones.
 	 */
-	while ((t = ISC_LIST_HEAD(nxt_diff.tuples)) != NULL) {
-		ISC_LIST_UNLINK(nxt_diff.tuples, t, link);
-		dns_diff_appendminimal(&nxt_mindiff, &t);
+	while ((t = ISC_LIST_HEAD(nsec_diff.tuples)) != NULL) {
+		ISC_LIST_UNLINK(nsec_diff.tuples, t, link);
+		dns_diff_appendminimal(&nsec_mindiff, &t);
 	}
 
-	/* Update SIG NXTs. */
-	for (t = ISC_LIST_HEAD(nxt_mindiff.tuples);
+	/* Update RRSIG NSECs. */
+	for (t = ISC_LIST_HEAD(nsec_mindiff.tuples);
 	     t != NULL;
 	     t = ISC_LIST_NEXT(t, link))
 	{
 		if (t->op == DNS_DIFFOP_DEL) {
 			CHECK(delete_if(true_p, db, newver, &t->name,
-					dns_rdatatype_sig, dns_rdatatype_nxt,
+					dns_rdatatype_rrsig, dns_rdatatype_nsec,
 					NULL, &sig_diff));
 		} else if (t->op == DNS_DIFFOP_ADD) {
-			CHECK(add_sigs(db, newver, &t->name, dns_rdatatype_nxt,
-				       &sig_diff, zone_keys, nkeys, mctx,
-				       inception, expire));
+			CHECK(add_sigs(db, newver, &t->name, dns_rdatatype_nsec,
+				       &sig_diff, zone_keys, nkeys,
+				       client->mctx, inception, expire));
 		} else {
 			INSIST(0);
 		}
@@ -1881,19 +1915,19 @@ update_signatures(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *oldver,
 		ISC_LIST_UNLINK(sig_diff.tuples, t, link);
 		dns_diff_appendminimal(diff, &t);
 	}
-	while ((t = ISC_LIST_HEAD(nxt_mindiff.tuples)) != NULL) {
-		ISC_LIST_UNLINK(nxt_mindiff.tuples, t, link);
+	while ((t = ISC_LIST_HEAD(nsec_mindiff.tuples)) != NULL) {
+		ISC_LIST_UNLINK(nsec_mindiff.tuples, t, link);
 		dns_diff_appendminimal(diff, &t);
 	}
 
 	INSIST(ISC_LIST_EMPTY(sig_diff.tuples));
-	INSIST(ISC_LIST_EMPTY(nxt_diff.tuples));
-	INSIST(ISC_LIST_EMPTY(nxt_mindiff.tuples));
+	INSIST(ISC_LIST_EMPTY(nsec_diff.tuples));
+	INSIST(ISC_LIST_EMPTY(nsec_mindiff.tuples));
 
  failure:
 	dns_diff_clear(&sig_diff);
-	dns_diff_clear(&nxt_diff);
-	dns_diff_clear(&nxt_mindiff);
+	dns_diff_clear(&nsec_diff);
+	dns_diff_clear(&nsec_mindiff);
 
 	dns_diff_clear(&affected);
 	dns_diff_clear(&diffnames);
@@ -1928,16 +1962,14 @@ send_update_event(ns_client_t *client, dns_zone_t *zone) {
 
 	evclient = NULL;
 	ns_client_attach(client, &evclient);
-	INSIST(client->nupdates == 0);
-	client->nupdates++;
 	event->ev_arg = evclient;
 
 	dns_zone_gettask(zone, &zonetask);
-	isc_task_send(zonetask, ISC_EVENT_PTR(&event));
+	isc_task_send(zonetask, (isc_event_t **) (void *)&event);
 
  failure:
 	if (event != NULL)
-		isc_event_free(ISC_EVENT_PTR(&event));
+		isc_event_free((isc_event_t **) (void *)&event);
 	return (result);
 }
 
@@ -2014,16 +2046,8 @@ ns_update_start(ns_client_t *client, isc_result_t sigresult) {
 		CHECK(send_update_event(client, zone));
 		break;
 	case dns_zone_slave:
-		if (dns_zone_getforwardacl(zone) == NULL) {
-			result = DNS_R_NOTIMP;
-			ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
-				      NS_LOGMODULE_CLIENT, ISC_LOG_ERROR,
-				      "update forwarding denied");
-			goto failure;
-		}
-		CHECK(ns_client_checkacl(client, "update forwarding",
-					 dns_zone_getforwardacl(zone),
-					 ISC_FALSE, ISC_LOG_ERROR));
+		CHECK(checkupdateacl(client, dns_zone_getforwardacl(zone),
+		      "update forwarding", zonename));
 		CHECK(send_forward_event(client, zone));
 		break;
 	default:
@@ -2043,6 +2067,41 @@ ns_update_start(ns_client_t *client, isc_result_t sigresult) {
 		dns_zone_detach(&zone);
 }
 
+/*
+ * DS records are not allowed to exist without corresponding NS records,
+ * draft-ietf-dnsext-delegation-signer-11.txt, 2.2 Protocol Change,
+ * "DS RRsets MUST NOT appear at non-delegation points or at a zone's apex".
+ */
+
+static isc_result_t
+remove_orphaned_ds(dns_db_t *db, dns_dbversion_t *newver, dns_diff_t *diff) {
+	isc_result_t result;
+	isc_boolean_t ns_exists, ds_exists;
+	dns_difftuple_t *t;
+
+	for (t = ISC_LIST_HEAD(diff->tuples);
+	     t != NULL;
+	     t = ISC_LIST_NEXT(t, link)) {
+		if (t->op != DNS_DIFFOP_DEL ||
+		    t->rdata.type != dns_rdatatype_ns)
+			continue;
+		CHECK(rrset_exists(db, newver, &t->name, dns_rdatatype_ns, 0,
+				   &ns_exists));
+		if (ns_exists)
+			continue;
+		CHECK(rrset_exists(db, newver, &t->name, dns_rdatatype_ds, 0,
+				   &ds_exists));
+		if (!ds_exists)
+			continue;
+		CHECK(delete_if(true_p, db, newver, &t->name,
+				dns_rdatatype_ds, 0, NULL, diff));
+	}
+	return (ISC_R_SUCCESS);
+
+ failure:
+	return (result);
+}
+
 static void
 update_action(isc_task_t *task, isc_event_t *event) {
 	update_event_t *uev = (update_event_t *) event;
@@ -2062,6 +2121,8 @@ update_action(isc_task_t *task, isc_event_t *event) {
 	dns_rdataclass_t zoneclass;
 	dns_name_t *zonename;
 	dns_ssutable_t *ssutable = NULL;
+	dns_fixedname_t tmpnamefixed;
+	dns_name_t *tmpname = NULL;
 
 	INSIST(event->ev_type == DNS_EVENT_UPDATE);
 
@@ -2096,7 +2157,7 @@ update_action(isc_task_t *task, isc_event_t *event) {
 			FAILC(DNS_R_FORMERR, "prerequisite TTL is not zero");
 
 		if (! dns_name_issubdomain(name, zonename))
-			FAILC(DNS_R_NOTZONE,
+			FAILN(DNS_R_NOTZONE, name,
 				"prerequisite name is out of zone");
 
 		if (update_class == dns_rdataclass_any) {
@@ -2107,7 +2168,7 @@ update_action(isc_task_t *task, isc_event_t *event) {
 			if (rdata.type == dns_rdatatype_any) {
 				CHECK(name_exists(db, ver, name, &flag));
 				if (! flag) {
-					FAILC(DNS_R_NXDOMAIN,
+					FAILN(DNS_R_NXDOMAIN, name,
 					      "'name in use' prerequisite "
 					      "not satisfied");
 				}
@@ -2116,7 +2177,7 @@ update_action(isc_task_t *task, isc_event_t *event) {
 						   rdata.type, covers, &flag));
 				if (! flag) {
 					/* RRset does not exist. */
-					FAILC(DNS_R_NXRRSET,
+					FAILNT(DNS_R_NXRRSET, name, rdata.type,
 					"'rrset exists (value independent)' "
 					"prerequisite not satisfied");
 				}
@@ -2129,7 +2190,7 @@ update_action(isc_task_t *task, isc_event_t *event) {
 			if (rdata.type == dns_rdatatype_any) {
 				CHECK(name_exists(db, ver, name, &flag));
 				if (flag) {
-					FAILC(DNS_R_YXDOMAIN,
+					FAILN(DNS_R_YXDOMAIN, name,
 					      "'name not in use' prerequisite "
 					      "not satisfied");
 				}
@@ -2138,9 +2199,9 @@ update_action(isc_task_t *task, isc_event_t *event) {
 						   rdata.type, covers, &flag));
 				if (flag) {
 					/* RRset exists. */
-					FAILC(DNS_R_YXRRSET,
-					      "'rrset does not exist' "
-					      "prerequisite not satisfied");
+					FAILNT(DNS_R_YXRRSET, name, rdata.type,
+					       "'rrset does not exist' "
+					       "prerequisite not satisfied");
 				}
 			}
 		} else if (update_class == zoneclass) {
@@ -2159,14 +2220,31 @@ update_action(isc_task_t *task, isc_event_t *event) {
 	if (result != ISC_R_NOMORE)
 		FAIL(result);
 
+
 	/*
 	 * Perform the final check of the "rrset exists (value dependent)"
 	 * prerequisites.
 	 */
-	result = temp_check(mctx, &temp, db, ver);
-	if (result != ISC_R_SUCCESS)
-		FAILC(result, "'RRset exists (value dependent)' "
-		      "prerequisite not satisfied");
+	if (ISC_LIST_HEAD(temp.tuples) != NULL) {
+		dns_rdatatype_t type;
+
+		/*
+		 * Sort the prerequisite records by owner name,
+		 * type, and rdata.
+		 */
+		result = dns_diff_sort(&temp, temp_order);
+		if (result != ISC_R_SUCCESS)
+			FAILC(result, "'RRset exists (value dependent)' "
+			      "prerequisite not satisfied");
+
+		dns_fixedname_init(&tmpnamefixed);
+		tmpname = dns_fixedname_name(&tmpnamefixed);
+		result = temp_check(mctx, &temp, db, ver, tmpname, &type);
+		if (result != ISC_R_SUCCESS)
+			FAILNT(result, tmpname, type,
+			       "'RRset exists (value dependent)' "
+			       "prerequisite not satisfied");
+	}
 
 	update_log(client, zone, LOGLEVEL_DEBUG,
 		   "prerequisites are OK");
@@ -2175,23 +2253,15 @@ update_action(isc_task_t *task, isc_event_t *event) {
 	 * Check Requestor's Permissions.  It seems a bit silly to do this
 	 * only after prerequisite testing, but that is what RFC2136 says.
 	 */
-	if (ssutable == NULL) {
-		char msg[DNS_RDATACLASS_FORMATSIZE + DNS_NAME_FORMATSIZE
-			 + sizeof("update '/'")];
-		ns_client_aclmsg("update", zonename, client->view->rdclass,
-                                 msg, sizeof(msg));
-		CHECK(ns_client_checkacl(client, msg,
-					 dns_zone_getupdateacl(zone),
-					 ISC_FALSE, ISC_LOG_ERROR));
-	} else if (client->signer == NULL) {
-		/* This gets us a free log message. */
-		char msg[DNS_RDATACLASS_FORMATSIZE + DNS_NAME_FORMATSIZE
-			 + sizeof("update '/'")];
-		ns_client_aclmsg("update", zonename, client->view->rdclass,
-                                 msg, sizeof(msg));
-		CHECK(ns_client_checkacl(client, msg, NULL, ISC_FALSE,
-					 ISC_LOG_ERROR));
-	}
+	result = ISC_R_SUCCESS;
+	if (ssutable == NULL)
+		CHECK(checkupdateacl(client, dns_zone_getupdateacl(zone),
+				     "update", zonename));
+	else if (client->signer == NULL)
+		CHECK(checkupdateacl(client, NULL, "update", zonename));
+	
+	if (dns_zone_getupdatedisabled(zone))
+		FAILC(DNS_R_REFUSED, "dynamic update temporarily disabled");
 
 	/*
 	 * Perform the Update Section Prescan.
@@ -2221,6 +2291,9 @@ update_action(isc_task_t *task, isc_event_t *event) {
 				FAILC(DNS_R_FORMERR,
 				      "meta-RR in update");
 			}
+			result = dns_zone_checknames(zone, name, &rdata);
+			if (result != ISC_R_SUCCESS)
+				FAIL(DNS_R_REFUSED);
 		} else if (update_class == dns_rdataclass_any) {
 			if (ttl != 0 || rdata.length != 0 ||
 			    (dns_rdatatype_ismeta(rdata.type) &&
@@ -2241,17 +2314,17 @@ update_action(isc_task_t *task, isc_event_t *event) {
 		/*
 		 * draft-ietf-dnsind-simple-secure-update-01 says
 		 * "Unlike traditional dynamic update, the client
-		 * is forbidden from updating NXT records."
+		 * is forbidden from updating NSEC records."
 		 */
 		if (dns_db_issecure(db)) {
-			if (rdata.type == dns_rdatatype_nxt) {
+			if (rdata.type == dns_rdatatype_nsec) {
 				FAILC(DNS_R_REFUSED,
-				      "explicit NXT updates are not allowed "
+				      "explicit NSEC updates are not allowed "
 				      "in secure zones");
 			}
-			else if (rdata.type == dns_rdatatype_sig) {
+			else if (rdata.type == dns_rdatatype_rrsig) {
 				FAILC(DNS_R_REFUSED,
-				      "explicit SIG updates are currently not "
+				      "explicit RRSIG updates are currently not "
 				      "supported in secure zones");
 			}
 		}
@@ -2296,6 +2369,28 @@ update_action(isc_task_t *task, isc_event_t *event) {
 			       &name, &rdata, &covers, &ttl, &update_class);
 
 		if (update_class == zoneclass) {
+
+			/*
+			 * RFC 1123 doesn't allow MF and MD in master zones.				 */
+			if (rdata.type == dns_rdatatype_md ||
+			    rdata.type == dns_rdatatype_mf) {
+				char typebuf[DNS_RDATATYPE_FORMATSIZE];
+
+				dns_rdatatype_format(rdata.type, typebuf,
+						     sizeof(typebuf));
+				update_log(client, zone, LOGLEVEL_PROTOCOL,
+					   "attempt to add %s ignored",
+					   typebuf);
+				continue;
+			}
+			if (rdata.type == dns_rdatatype_ns &&
+			    dns_name_iswildcard(name)) {
+				update_log(client, zone,
+					   LOGLEVEL_PROTOCOL,
+					   "attempt to add wildcard NS record"
+					   "ignored");
+				continue;
+			}
 			if (rdata.type == dns_rdatatype_cname) {
 				CHECK(cname_incompatible_rrset_exists(db, ver,
 								      name,
@@ -2346,9 +2441,19 @@ update_action(isc_task_t *task, isc_event_t *event) {
 				}
 				soa_serial_changed = ISC_TRUE;
 			}
-			
-			update_log(client, zone,
-				   LOGLEVEL_PROTOCOL, "adding an RR");
+
+			if (isc_log_wouldlog(ns_g_lctx, LOGLEVEL_PROTOCOL)) {
+				char namestr[DNS_NAME_FORMATSIZE];
+				char typestr[DNS_RDATATYPE_FORMATSIZE];
+				dns_name_format(name, namestr,
+						sizeof(namestr));
+				dns_rdatatype_format(rdata.type, typestr,
+						     sizeof(typestr));
+				update_log(client, zone,
+					   LOGLEVEL_PROTOCOL,
+					   "adding an RR at '%s' %s",
+					   namestr, typestr);
+			}
 
 			/* Prepare the affected RRset for the addition. */
 			{
@@ -2378,17 +2483,24 @@ update_action(isc_task_t *task, isc_event_t *event) {
 			}
 		} else if (update_class == dns_rdataclass_any) {
 			if (rdata.type == dns_rdatatype_any) {
-				update_log(client, zone,
-					   LOGLEVEL_PROTOCOL,
-					   "delete all rrsets from a name");
+				if (isc_log_wouldlog(ns_g_lctx,
+						     LOGLEVEL_PROTOCOL))
+				{
+					char namestr[DNS_NAME_FORMATSIZE];
+					dns_name_format(name, namestr,
+							sizeof(namestr));
+					update_log(client, zone,
+						   LOGLEVEL_PROTOCOL,
+						   "delete all rrsets from "
+						   "name '%s'", namestr);
+				}
 				if (dns_name_equal(name, zonename)) {
 					CHECK(delete_if(type_not_soa_nor_ns_p,
 							db, ver, name,
 							dns_rdatatype_any, 0,
 							&rdata, &diff));
 				} else {
-					CHECK(delete_if(type_not_dnssec,
-							db, ver, name,
+					CHECK(delete_if(true_p, db, ver, name,
 							dns_rdatatype_any, 0,
 							&rdata, &diff));
 				}
@@ -2401,9 +2513,21 @@ update_action(isc_task_t *task, isc_event_t *event) {
 					   "or NS records ignored");
 				continue;
 			} else {
-				update_log(client, zone,
-					   LOGLEVEL_PROTOCOL,
-					   "deleting an rrset");
+				if (isc_log_wouldlog(ns_g_lctx,
+						     LOGLEVEL_PROTOCOL))
+				{
+					char namestr[DNS_NAME_FORMATSIZE];
+					char typestr[DNS_RDATATYPE_FORMATSIZE];
+					dns_name_format(name, namestr,
+							sizeof(namestr));
+					dns_rdatatype_format(rdata.type,
+							     typestr,
+							     sizeof(typestr));
+					update_log(client, zone,
+						   LOGLEVEL_PROTOCOL,
+						   "deleting rrset at '%s' %s",
+						   namestr, typestr);
+				}
 				CHECK(delete_if(true_p, db, ver, name,
 						rdata.type, covers, &rdata,
 						&diff));
@@ -2448,7 +2572,7 @@ update_action(isc_task_t *task, isc_event_t *event) {
 
 	/*
 	 * If any changes were made, increment the SOA serial number,
-	 * update SIGs and NXTs (if zone is secure), and write the update
+	 * update RRSIGs and NSECs (if zone is secure), and write the update
 	 * to the journal.
 	 */
 	if (! ISC_LIST_EMPTY(diff.tuples)) {
@@ -2463,13 +2587,16 @@ update_action(isc_task_t *task, isc_event_t *event) {
 			CHECK(increment_soa_serial(db, ver, &diff, mctx));
 		}
 
+		CHECK(remove_orphaned_ds(db, ver, &diff));
+
 		if (dns_db_issecure(db)) {
-			result = update_signatures(mctx, db, oldver, ver,
-			   &diff, dns_zone_getsigvalidityinterval(zone));
+			result = update_signatures(client, zone, db, oldver,
+						   ver, &diff,
+					 dns_zone_getsigvalidityinterval(zone));
 			if (result != ISC_R_SUCCESS) {
 				update_log(client, zone,
 					   ISC_LOG_ERROR,
-					   "SIG/NXT update failed: %s",
+					   "RRSIG/NSEC update failed: %s",
 					   isc_result_totext(result));
 				goto failure;
 			}
@@ -2494,29 +2621,26 @@ update_action(isc_task_t *task, isc_event_t *event) {
 
 			dns_journal_destroy(&journal);
 		}
+	}
 
-		/*
-		 * XXXRTH  Just a note that this committing code will have
-		 *	   to change to handle databases that need two-phase
-		 *	   commit, but this isn't a priority.
-		 */
-		update_log(client, zone, LOGLEVEL_DEBUG,
-			   "committing update transaction");
-		dns_db_closeversion(db, &ver, ISC_TRUE);
+	/*
+	 * XXXRTH  Just a note that this committing code will have to change
+	 *         to handle databases that need two-phase commit, but this
+	 *	   isn't a priority.
+	 */
+	update_log(client, zone, LOGLEVEL_DEBUG,
+		   "committing update transaction");
+	dns_db_closeversion(db, &ver, ISC_TRUE);
 
-		/*
-		 * Mark the zone as dirty so that it will be written to disk.
-		 */
-		dns_zone_markdirty(zone);
+	/*
+	 * Mark the zone as dirty so that it will be written to disk.
+	 */
+	dns_zone_markdirty(zone);
 
-		/*
-		 * Notify slaves of the change we just made.
-		 */
-		dns_zone_notify(zone);
-	} else {
-		update_log(client, zone, LOGLEVEL_DEBUG, "redundant request");
-		dns_db_closeversion(db, &ver, ISC_TRUE);
-	}
+	/*
+	 * Notify slaves of the change we just made.
+	 */
+	dns_zone_notify(zone);
 	result = ISC_R_SUCCESS;
 	goto common;
 
@@ -2564,11 +2688,9 @@ updatedone_action(isc_task_t *task, isc_event_t *event) {
 	INSIST(event->ev_type == DNS_EVENT_UPDATEDONE);
 	INSIST(task == client->task);
 
-	INSIST(client->nupdates > 0);
-	client->nupdates--;
 	respond(client, uev->result);
-	isc_event_free(&event);
 	ns_client_detach(&client);
+	isc_event_free(&event);
 }
 
 /*
@@ -2581,11 +2703,9 @@ forward_fail(isc_task_t *task, isc_event_t *event) {
 
 	UNUSED(task);
 
-	INSIST(client->nupdates > 0);
-	client->nupdates--;
 	respond(client, DNS_R_SERVFAIL);
-	isc_event_free(&event);
 	ns_client_detach(&client);
+	isc_event_free(&event);
 }
 
 
@@ -2603,7 +2723,7 @@ forward_callback(void *arg, isc_result_t result, dns_message_t *answer) {
 		uev->ev_action = forward_done;
 		uev->answer = answer;
 	}
-	isc_task_send(client->task, ISC_EVENT_PTR(&uev));
+	isc_task_send(client->task, (isc_event_t **) (void *)&uev);
 }
 
 static void
@@ -2613,8 +2733,6 @@ forward_done(isc_task_t *task, isc_event_t *event) {
 
 	UNUSED(task);
 
-	INSIST(client->nupdates > 0);
-	client->nupdates--;
 	ns_client_sendraw(client, uev->answer);
 	dns_message_destroy(&uev->answer);
 	isc_event_free(&event);
@@ -2656,15 +2774,13 @@ send_forward_event(ns_client_t *client, dns_zone_t *zone) {
 
 	evclient = NULL;
 	ns_client_attach(client, &evclient);
-	INSIST(client->nupdates == 0);
-	client->nupdates++;
 	event->ev_arg = evclient;
 
 	dns_zone_gettask(zone, &zonetask);
-	isc_task_send(zonetask, ISC_EVENT_PTR(&event));
+	isc_task_send(zonetask, (isc_event_t **) (void *)&event);
 
  failure:
 	if (event != NULL)
-		isc_event_free(ISC_EVENT_PTR(&event));
+		isc_event_free((isc_event_t **) (void *)&event);
 	return (result);
 }
diff --git a/bin/named/win32/include/named/ntservice.h b/bin/named/win32/include/named/ntservice.h
index e576b5b2..56de2559 100644
--- a/bin/named/win32/include/named/ntservice.h
+++ b/bin/named/win32/include/named/ntservice.h
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ntservice.h,v 1.1.2.1 2004/03/09 06:09:24 marka Exp $ */
+/* $Id: ntservice.h,v 1.1.14.3 2004/03/08 04:04:22 marka Exp $ */
 
 #ifndef NTSERVICE_H
 #define NTSERVICE_H
@@ -31,4 +31,5 @@ void UpdateSCM(DWORD);
 void ServiceControl(DWORD dwCtrlCode);
 void 
 ntservice_shutdown();
-#endif
\ No newline at end of file
+BOOL ntservice_isservice();
+#endif
diff --git a/bin/named/win32/include/named/os.h b/bin/named/win32/include/named/os.h
index af2fe7fb..a66a3703 100644
--- a/bin/named/win32/include/named/os.h
+++ b/bin/named/win32/include/named/os.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: os.h,v 1.1.2.6 2004/09/29 06:38:44 marka Exp $ */
+/* $Id: os.h,v 1.1.2.2.8.9 2004/03/08 04:04:22 marka Exp $ */
 
 #ifndef NS_OS_H
 #define NS_OS_H 1
@@ -52,10 +52,13 @@ ns_os_writepidfile(const char *filename, isc_boolean_t first_time);
 void
 ns_os_shutdown(void);
 
+isc_result_t
+ns_os_gethostname(char *buf, size_t len);
+
 void
-ns_os_tzset(void);
+ns_os_shutdownmsg(char *command, isc_buffer_t *text);
 
 void
-ns_os_started(void);
+ns_os_tzset(void);
 
 #endif /* NS_OS_H */
diff --git a/bin/named/win32/named.dsp b/bin/named/win32/named.dsp
index e90c9b93..f5150bd1 100644
--- a/bin/named/win32/named.dsp
+++ b/bin/named/win32/named.dsp
@@ -1,323 +1,327 @@
-# Microsoft Developer Studio Project File - Name="named" - Package Owner=<4>

-# Microsoft Developer Studio Generated Build File, Format Version 6.00

-# ** DO NOT EDIT **

-

-# TARGTYPE "Win32 (x86) Console Application" 0x0103

-

-CFG=named - Win32 Debug

-!MESSAGE This is not a valid makefile. To build this project using NMAKE,

-!MESSAGE use the Export Makefile command and run

-!MESSAGE 

-!MESSAGE NMAKE /f "named.mak".

-!MESSAGE 

-!MESSAGE You can specify a configuration when running NMAKE

-!MESSAGE by defining the macro CFG on the command line. For example:

-!MESSAGE 

-!MESSAGE NMAKE /f "named.mak" CFG="named - Win32 Debug"

-!MESSAGE 

-!MESSAGE Possible choices for configuration are:

-!MESSAGE 

-!MESSAGE "named - Win32 Release" (based on "Win32 (x86) Console Application")

-!MESSAGE "named - Win32 Debug" (based on "Win32 (x86) Console Application")

-!MESSAGE 

-

-# Begin Project

-# PROP AllowPerConfigDependencies 0

-# PROP Scc_ProjName ""

-# PROP Scc_LocalPath ""

-CPP=cl.exe

-RSC=rc.exe

-

-!IF  "$(CFG)" == "named - Win32 Release"

-

-# PROP BASE Use_MFC 0

-# PROP BASE Use_Debug_Libraries 0

-# PROP BASE Output_Dir "Release"

-# PROP BASE Intermediate_Dir "Release"

-# PROP BASE Target_Dir ""

-# PROP Use_MFC 0

-# PROP Use_Debug_Libraries 0

-# PROP Output_Dir "Release"

-# PROP Intermediate_Dir "Release"

-# PROP Ignore_Export_Lib 0

-# PROP Target_Dir ""

-# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c

-# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../win32/include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isccc/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/isccfg/include" /D "WIN32" /D "NDEBUG" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /YX /FD /c

-# ADD BASE RSC /l 0x409 /d "NDEBUG"

-# ADD RSC /l 0x409 /d "NDEBUG"

-BSC32=bscmake.exe

-# ADD BASE BSC32 /nologo

-# ADD BSC32 /nologo

-LINK32=link.exe

-# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386

-# ADD LINK32 user32.lib advapi32.lib kernel32.lib ws2_32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/isccc/win32/Release/libisccc.lib ../../../lib/lwres/win32/Release/liblwres.lib ../../../lib/isccfg/win32/Release/libisccfg.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/named.exe"

-

-!ELSEIF  "$(CFG)" == "named - Win32 Debug"

-

-# PROP BASE Use_MFC 0

-# PROP BASE Use_Debug_Libraries 1

-# PROP BASE Output_Dir "Debug"

-# PROP BASE Intermediate_Dir "Debug"

-# PROP BASE Target_Dir ""

-# PROP Use_MFC 0

-# PROP Use_Debug_Libraries 1

-# PROP Output_Dir "Debug"

-# PROP Intermediate_Dir "Debug"

-# PROP Ignore_Export_Lib 0

-# PROP Target_Dir ""

-# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c

-# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../win32/include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isccc/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/isccfg/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /D "i386" /FR /FD /GZ /c

-# SUBTRACT CPP /X /YX

-# ADD BASE RSC /l 0x409 /d "_DEBUG"

-# ADD RSC /l 0x409 /d "_DEBUG"

-BSC32=bscmake.exe

-# ADD BASE BSC32 /nologo

-# ADD BSC32 /nologo

-LINK32=link.exe

-# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept

-# ADD LINK32 user32.lib advapi32.lib kernel32.lib ws2_32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/isccc/win32/Debug/libisccc.lib ../../../lib/lwres/win32/Debug/liblwres.lib ../../../lib/isccfg/win32/Debug/libisccfg.lib /nologo /subsystem:console /map /debug /machine:I386 /out:"../../../Build/Debug/named.exe" /pdbtype:sept

-

-!ENDIF 

-

-# Begin Target

-

-# Name "named - Win32 Release"

-# Name "named - Win32 Debug"

-# Begin Group "Source Files"

-

-# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"

-# Begin Source File

-

-SOURCE=..\aclconf.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\client.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\config.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\control.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\controlconf.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\interfacemgr.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\listenlist.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\log.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\logconf.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\lwaddr.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\lwdclient.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\lwderror.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\lwdgabn.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\lwdgnba.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\lwdgrbn.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\lwdnoop.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\lwresd.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\lwsearch.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\main.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\notify.c

-# End Source File

-# Begin Source File

-

-SOURCE=.\ntservice.c

-# End Source File

-# Begin Source File

-

-SOURCE=.\os.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\query.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\server.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\sortlist.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\tkeyconf.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\tsigconf.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\update.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\xfrout.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\zoneconf.c

-# End Source File

-# End Group

-# Begin Group "Header Files"

-

-# PROP Default_Filter "h;hpp;hxx;hm;inl"

-# Begin Source File

-

-SOURCE=..\include\named\aclconf.h

-# End Source File

-# Begin Source File

-

-SOURCE=..\include\named\client.h

-# End Source File

-# Begin Source File

-

-SOURCE=..\include\named\config.h

-# End Source File

-# Begin Source File

-

-SOURCE=..\include\named\globals.h

-# End Source File

-# Begin Source File

-

-SOURCE=..\include\named\interfacemgr.h

-# End Source File

-# Begin Source File

-

-SOURCE=..\include\named\listenlist.h

-# End Source File

-# Begin Source File

-

-SOURCE=..\include\named\log.h

-# End Source File

-# Begin Source File

-

-SOURCE=..\include\named\logconf.h

-# End Source File

-# Begin Source File

-

-SOURCE=..\include\named\lwaddr.h

-# End Source File

-# Begin Source File

-

-SOURCE=..\include\named\lwdclient.h

-# End Source File

-# Begin Source File

-

-SOURCE=..\include\named\lwresd.h

-# End Source File

-# Begin Source File

-

-SOURCE=..\include\named\lwsearch.h

-# End Source File

-# Begin Source File

-

-SOURCE=..\include\named\main.h

-# End Source File

-# Begin Source File

-

-SOURCE=..\include\named\notify.h

-# End Source File

-# Begin Source File

-

-SOURCE=.\include\named\ntservice.h

-# End Source File

-# Begin Source File

-

-SOURCE=..\include\named\omapi.h

-# End Source File

-# Begin Source File

-

-SOURCE=.\include\named\os.h

-# End Source File

-# Begin Source File

-

-SOURCE=..\include\named\query.h

-# End Source File

-# Begin Source File

-

-SOURCE=..\include\named\server.h

-# End Source File

-# Begin Source File

-

-SOURCE=..\include\named\sortlist.h

-# End Source File

-# Begin Source File

-

-SOURCE=..\include\named\tkeyconf.h

-# End Source File

-# Begin Source File

-

-SOURCE=..\include\named\tsigconf.h

-# End Source File

-# Begin Source File

-

-SOURCE=..\include\named\types.h

-# End Source File

-# Begin Source File

-

-SOURCE=..\include\named\update.h

-# End Source File

-# Begin Source File

-

-SOURCE=..\include\named\xfrout.h

-# End Source File

-# Begin Source File

-

-SOURCE=..\include\named\zoneconf.h

-# End Source File

-# End Group

-# Begin Group "Resource Files"

-

-# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"

-# End Group

-# End Target

-# End Project

+# Microsoft Developer Studio Project File - Name="named" - Package Owner=<4>
+# Microsoft Developer Studio Generated Build File, Format Version 6.00
+# ** DO NOT EDIT **
+
+# TARGTYPE "Win32 (x86) Console Application" 0x0103
+
+CFG=named - Win32 Debug
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,
+!MESSAGE use the Export Makefile command and run
+!MESSAGE 
+!MESSAGE NMAKE /f "named.mak".
+!MESSAGE 
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "named.mak" CFG="named - Win32 Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "named - Win32 Release" (based on "Win32 (x86) Console Application")
+!MESSAGE "named - Win32 Debug" (based on "Win32 (x86) Console Application")
+!MESSAGE 
+
+# Begin Project
+# PROP AllowPerConfigDependencies 0
+# PROP Scc_ProjName ""
+# PROP Scc_LocalPath ""
+CPP=cl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "named - Win32 Release"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 0
+# PROP BASE Output_Dir "Release"
+# PROP BASE Intermediate_Dir "Release"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 0
+# PROP Output_Dir "Release"
+# PROP Intermediate_Dir "Release"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
+# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../win32/include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/dns/sec/dst/include" /I "../../../lib/isccc/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/isccfg/include" /I "../../../lib/bind9/include" /D "WIN32" /D "NDEBUG" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
+# ADD BASE RSC /l 0x409 /d "NDEBUG"
+# ADD RSC /l 0x409 /d "NDEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
+# ADD LINK32 user32.lib advapi32.lib kernel32.lib ws2_32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/isccc/win32/Release/libisccc.lib ../../../lib/lwres/win32/Release/liblwres.lib ../../../lib/isccfg/win32/Release/libisccfg.lib ../../../lib/bind9/win32/Release/libbind9.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/named.exe"
+
+!ELSEIF  "$(CFG)" == "named - Win32 Debug"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 1
+# PROP BASE Output_Dir "Debug"
+# PROP BASE Intermediate_Dir "Debug"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 1
+# PROP Output_Dir "Debug"
+# PROP Intermediate_Dir "Debug"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c
+# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../win32/include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/dns/sec/dst/include" /I "../../../lib/isccc/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/isccfg/include" /I "../../../lib/bind9/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /D "i386" /FR /FD /GZ /c
+# SUBTRACT CPP /X /YX
+# ADD BASE RSC /l 0x409 /d "_DEBUG"
+# ADD RSC /l 0x409 /d "_DEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
+# ADD LINK32 user32.lib advapi32.lib kernel32.lib ws2_32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/isccc/win32/Debug/libisccc.lib ../../../lib/lwres/win32/Debug/liblwres.lib ../../../lib/isccfg/win32/Debug/libisccfg.lib ../../../lib/bind9/win32/Debug/libbind9.lib /nologo /subsystem:console /map /debug /machine:I386 /out:"../../../Build/Debug/named.exe" /pdbtype:sept
+
+!ENDIF 
+
+# Begin Target
+
+# Name "named - Win32 Release"
+# Name "named - Win32 Debug"
+# Begin Group "Source Files"
+
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
+# Begin Source File
+
+SOURCE=..\aclconf.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\builtin.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\client.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\config.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\control.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\controlconf.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\interfacemgr.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\listenlist.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\log.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\logconf.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\lwaddr.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\lwdclient.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\lwderror.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\lwdgabn.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\lwdgnba.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\lwdgrbn.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\lwdnoop.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\lwresd.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\lwsearch.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\main.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\notify.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\ntservice.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\os.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\query.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\server.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\sortlist.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\tkeyconf.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\tsigconf.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\update.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\xfrout.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\zoneconf.c
+# End Source File
+# End Group
+# Begin Group "Header Files"
+
+# PROP Default_Filter "h;hpp;hxx;hm;inl"
+# Begin Source File
+
+SOURCE=..\include\named\aclconf.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\named\client.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\named\config.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\named\globals.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\named\interfacemgr.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\named\listenlist.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\named\log.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\named\logconf.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\named\lwaddr.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\named\lwdclient.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\named\lwresd.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\named\lwsearch.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\named\main.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\named\notify.h
+# End Source File
+# Begin Source File
+
+SOURCE=.\include\named\ntservice.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\named\omapi.h
+# End Source File
+# Begin Source File
+
+SOURCE=.\include\named\os.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\named\query.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\named\server.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\named\sortlist.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\named\tkeyconf.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\named\tsigconf.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\named\types.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\named\update.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\named\xfrout.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\named\zoneconf.h
+# End Source File
+# End Group
+# Begin Group "Resource Files"
+
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"
+# End Group
+# End Target
+# End Project
diff --git a/bin/named/win32/named.dsw b/bin/named/win32/named.dsw
index c2913efc..a1a4f340 100644
--- a/bin/named/win32/named.dsw
+++ b/bin/named/win32/named.dsw
@@ -1,29 +1,29 @@
-Microsoft Developer Studio Workspace File, Format Version 6.00

-# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!

-

-###############################################################################

-

-Project: "named"=".\named.dsp" - Package Owner=<4>

-

-Package=<5>

-{{{

-}}}

-

-Package=<4>

-{{{

-}}}

-

-###############################################################################

-

-Global:

-

-Package=<5>

-{{{

-}}}

-

-Package=<3>

-{{{

-}}}

-

-###############################################################################

-

+Microsoft Developer Studio Workspace File, Format Version 6.00
+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!
+
+###############################################################################
+
+Project: "named"=".\named.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+}}}
+
+###############################################################################
+
+Global:
+
+Package=<5>
+{{{
+}}}
+
+Package=<3>
+{{{
+}}}
+
+###############################################################################
+
diff --git a/bin/named/win32/named.mak b/bin/named/win32/named.mak
index 6fb9b986..9dab33f5 100644
--- a/bin/named/win32/named.mak
+++ b/bin/named/win32/named.mak
@@ -1,993 +1,1077 @@
-# Microsoft Developer Studio Generated NMAKE File, Based on named.dsp

-!IF "$(CFG)" == ""

-CFG=named - Win32 Debug

-!MESSAGE No configuration specified. Defaulting to named - Win32 Debug.

-!ENDIF 

-

-!IF "$(CFG)" != "named - Win32 Release" && "$(CFG)" != "named - Win32 Debug"

-!MESSAGE Invalid configuration "$(CFG)" specified.

-!MESSAGE You can specify a configuration when running NMAKE

-!MESSAGE by defining the macro CFG on the command line. For example:

-!MESSAGE 

-!MESSAGE NMAKE /f "named.mak" CFG="named - Win32 Debug"

-!MESSAGE 

-!MESSAGE Possible choices for configuration are:

-!MESSAGE 

-!MESSAGE "named - Win32 Release" (based on "Win32 (x86) Console Application")

-!MESSAGE "named - Win32 Debug" (based on "Win32 (x86) Console Application")

-!MESSAGE 

-!ERROR An invalid configuration is specified.

-!ENDIF 

-

-!IF "$(OS)" == "Windows_NT"

-NULL=

-!ELSE 

-NULL=nul

-!ENDIF 

-

-!IF  "$(CFG)" == "named - Win32 Release"

-_VC_MANIFEST_INC=0

-_VC_MANIFEST_BASENAME=__VC80

-!ELSE

-_VC_MANIFEST_INC=1

-_VC_MANIFEST_BASENAME=__VC80.Debug

-!ENDIF

-

-####################################################

-# Specifying name of temporary resource file used only in incremental builds:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res

-!else

-_VC_MANIFEST_AUTO_RES=

-!endif

-

-####################################################

-# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-

-#MT_SPECIAL_RETURN=1090650113

-#MT_SPECIAL_SWITCH=-notify_resource_update

-MT_SPECIAL_RETURN=0

-MT_SPECIAL_SWITCH=

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \

-if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \

-rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \

-link $** /out:$@ $(LFLAGS)

-

-!else

-

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1

-

-!endif

-

-####################################################

-# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-

-#MT_SPECIAL_RETURN=1090650113

-#MT_SPECIAL_SWITCH=-notify_resource_update

-MT_SPECIAL_RETURN=0

-MT_SPECIAL_SWITCH=

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \

-if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \

-rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \

-link $** /out:$@ $(LFLAGS)

-

-!else

-

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2

-

-!endif

-####################################################

-# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-

-_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \

-    $(_VC_MANIFEST_BASENAME).auto.rc \

-    $(_VC_MANIFEST_BASENAME).auto.manifest

-

-!else

-

-_VC_MANIFEST_CLEAN=

-

-!endif

-

-!IF  "$(CFG)" == "named - Win32 Release"

-

-OUTDIR=.\Release

-INTDIR=.\Release

-

-ALL : "..\..\..\Build\Release\named.exe"

-

-

-CLEAN :

-	-@erase "$(INTDIR)\aclconf.obj"

-	-@erase "$(INTDIR)\client.obj"

-	-@erase "$(INTDIR)\config.obj"

-	-@erase "$(INTDIR)\control.obj"

-	-@erase "$(INTDIR)\controlconf.obj"

-	-@erase "$(INTDIR)\interfacemgr.obj"

-	-@erase "$(INTDIR)\listenlist.obj"

-	-@erase "$(INTDIR)\log.obj"

-	-@erase "$(INTDIR)\logconf.obj"

-	-@erase "$(INTDIR)\lwaddr.obj"

-	-@erase "$(INTDIR)\lwdclient.obj"

-	-@erase "$(INTDIR)\lwderror.obj"

-	-@erase "$(INTDIR)\lwdgabn.obj"

-	-@erase "$(INTDIR)\lwdgnba.obj"

-	-@erase "$(INTDIR)\lwdgrbn.obj"

-	-@erase "$(INTDIR)\lwdnoop.obj"

-	-@erase "$(INTDIR)\lwresd.obj"

-	-@erase "$(INTDIR)\lwsearch.obj"

-	-@erase "$(INTDIR)\main.obj"

-	-@erase "$(INTDIR)\notify.obj"

-	-@erase "$(INTDIR)\ntservice.obj"

-	-@erase "$(INTDIR)\os.obj"

-	-@erase "$(INTDIR)\query.obj"

-	-@erase "$(INTDIR)\server.obj"

-	-@erase "$(INTDIR)\sortlist.obj"

-	-@erase "$(INTDIR)\tkeyconf.obj"

-	-@erase "$(INTDIR)\tsigconf.obj"

-	-@erase "$(INTDIR)\update.obj"

-	-@erase "$(INTDIR)\vc60.idb"

-	-@erase "$(INTDIR)\xfrout.obj"

-	-@erase "$(INTDIR)\zoneconf.obj"

-	-@erase "..\..\..\Build\Release\named.exe"

-	-@$(_VC_MANIFEST_CLEAN)

-

-"$(OUTDIR)" :

-    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"

-

-CPP=cl.exe

-CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../win32/include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isccc/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/isccfg/include" /D "WIN32" /D "NDEBUG" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\named.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 

-

-.c{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.c{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-RSC=rc.exe

-BSC32=bscmake.exe

-BSC32_FLAGS=/nologo /o"$(OUTDIR)\named.bsc" 

-BSC32_SBRS= \

-	

-LINK32=link.exe

-LINK32_FLAGS=user32.lib advapi32.lib kernel32.lib ws2_32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/isccc/win32/Release/libisccc.lib ../../../lib/lwres/win32/Release/liblwres.lib ../../../lib/isccfg/win32/Release/libisccfg.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\named.pdb" /machine:I386 /out:"../../../Build/Release/named.exe" 

-LINK32_OBJS= \

-	"$(INTDIR)\aclconf.obj" \

-	"$(INTDIR)\client.obj" \

-	"$(INTDIR)\config.obj" \

-	"$(INTDIR)\control.obj" \

-	"$(INTDIR)\controlconf.obj" \

-	"$(INTDIR)\interfacemgr.obj" \

-	"$(INTDIR)\listenlist.obj" \

-	"$(INTDIR)\log.obj" \

-	"$(INTDIR)\logconf.obj" \

-	"$(INTDIR)\lwaddr.obj" \

-	"$(INTDIR)\lwdclient.obj" \

-	"$(INTDIR)\lwderror.obj" \

-	"$(INTDIR)\lwdgabn.obj" \

-	"$(INTDIR)\lwdgnba.obj" \

-	"$(INTDIR)\lwdgrbn.obj" \

-	"$(INTDIR)\lwdnoop.obj" \

-	"$(INTDIR)\lwresd.obj" \

-	"$(INTDIR)\lwsearch.obj" \

-	"$(INTDIR)\main.obj" \

-	"$(INTDIR)\notify.obj" \

-	"$(INTDIR)\ntservice.obj" \

-	"$(INTDIR)\os.obj" \

-	"$(INTDIR)\query.obj" \

-	"$(INTDIR)\server.obj" \

-	"$(INTDIR)\sortlist.obj" \

-	"$(INTDIR)\tkeyconf.obj" \

-	"$(INTDIR)\tsigconf.obj" \

-	"$(INTDIR)\update.obj" \

-	"$(INTDIR)\xfrout.obj" \

-	"$(INTDIR)\zoneconf.obj"

-

-"..\..\..\Build\Release\named.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)

-    $(LINK32) @<<

-  $(LINK32_FLAGS) $(LINK32_OBJS)

-<<

-    $(_VC_MANIFEST_EMBED_EXE)

-

-!ELSEIF  "$(CFG)" == "named - Win32 Debug"

-

-OUTDIR=.\Debug

-INTDIR=.\Debug

-# Begin Custom Macros

-OutDir=.\Debug

-# End Custom Macros

-

-ALL : "..\..\..\Build\Debug\named.exe" "$(OUTDIR)\named.bsc"

-

-

-CLEAN :

-	-@erase "$(INTDIR)\aclconf.obj"

-	-@erase "$(INTDIR)\aclconf.sbr"

-	-@erase "$(INTDIR)\client.obj"

-	-@erase "$(INTDIR)\client.sbr"

-	-@erase "$(INTDIR)\config.obj"

-	-@erase "$(INTDIR)\config.sbr"

-	-@erase "$(INTDIR)\control.obj"

-	-@erase "$(INTDIR)\control.sbr"

-	-@erase "$(INTDIR)\controlconf.obj"

-	-@erase "$(INTDIR)\controlconf.sbr"

-	-@erase "$(INTDIR)\interfacemgr.obj"

-	-@erase "$(INTDIR)\interfacemgr.sbr"

-	-@erase "$(INTDIR)\listenlist.obj"

-	-@erase "$(INTDIR)\listenlist.sbr"

-	-@erase "$(INTDIR)\log.obj"

-	-@erase "$(INTDIR)\log.sbr"

-	-@erase "$(INTDIR)\logconf.obj"

-	-@erase "$(INTDIR)\logconf.sbr"

-	-@erase "$(INTDIR)\lwaddr.obj"

-	-@erase "$(INTDIR)\lwaddr.sbr"

-	-@erase "$(INTDIR)\lwdclient.obj"

-	-@erase "$(INTDIR)\lwdclient.sbr"

-	-@erase "$(INTDIR)\lwderror.obj"

-	-@erase "$(INTDIR)\lwderror.sbr"

-	-@erase "$(INTDIR)\lwdgabn.obj"

-	-@erase "$(INTDIR)\lwdgabn.sbr"

-	-@erase "$(INTDIR)\lwdgnba.obj"

-	-@erase "$(INTDIR)\lwdgnba.sbr"

-	-@erase "$(INTDIR)\lwdgrbn.obj"

-	-@erase "$(INTDIR)\lwdgrbn.sbr"

-	-@erase "$(INTDIR)\lwdnoop.obj"

-	-@erase "$(INTDIR)\lwdnoop.sbr"

-	-@erase "$(INTDIR)\lwresd.obj"

-	-@erase "$(INTDIR)\lwresd.sbr"

-	-@erase "$(INTDIR)\lwsearch.obj"

-	-@erase "$(INTDIR)\lwsearch.sbr"

-	-@erase "$(INTDIR)\main.obj"

-	-@erase "$(INTDIR)\main.sbr"

-	-@erase "$(INTDIR)\notify.obj"

-	-@erase "$(INTDIR)\notify.sbr"

-	-@erase "$(INTDIR)\ntservice.obj"

-	-@erase "$(INTDIR)\ntservice.sbr"

-	-@erase "$(INTDIR)\os.obj"

-	-@erase "$(INTDIR)\os.sbr"

-	-@erase "$(INTDIR)\query.obj"

-	-@erase "$(INTDIR)\query.sbr"

-	-@erase "$(INTDIR)\server.obj"

-	-@erase "$(INTDIR)\server.sbr"

-	-@erase "$(INTDIR)\sortlist.obj"

-	-@erase "$(INTDIR)\sortlist.sbr"

-	-@erase "$(INTDIR)\tkeyconf.obj"

-	-@erase "$(INTDIR)\tkeyconf.sbr"

-	-@erase "$(INTDIR)\tsigconf.obj"

-	-@erase "$(INTDIR)\tsigconf.sbr"

-	-@erase "$(INTDIR)\update.obj"

-	-@erase "$(INTDIR)\update.sbr"

-	-@erase "$(INTDIR)\vc60.idb"

-	-@erase "$(INTDIR)\vc60.pdb"

-	-@erase "$(INTDIR)\xfrout.obj"

-	-@erase "$(INTDIR)\xfrout.sbr"

-	-@erase "$(INTDIR)\zoneconf.obj"

-	-@erase "$(INTDIR)\zoneconf.sbr"

-	-@erase "$(OUTDIR)\named.bsc"

-	-@erase "$(OUTDIR)\named.map"

-	-@erase "$(OUTDIR)\named.pdb"

-	-@erase "..\..\..\Build\Debug\named.exe"

-	-@erase "..\..\..\Build\Debug\named.ilk"

-	-@$(_VC_MANIFEST_CLEAN)

-

-"$(OUTDIR)" :

-    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"

-

-CPP=cl.exe

-CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../win32/include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isccc/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/isccfg/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /D "i386" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 

-

-.c{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.c{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-RSC=rc.exe

-BSC32=bscmake.exe

-BSC32_FLAGS=/nologo /o"$(OUTDIR)\named.bsc" 

-BSC32_SBRS= \

-	"$(INTDIR)\aclconf.sbr" \

-	"$(INTDIR)\client.sbr" \

-	"$(INTDIR)\config.sbr" \

-	"$(INTDIR)\control.sbr" \

-	"$(INTDIR)\controlconf.sbr" \

-	"$(INTDIR)\interfacemgr.sbr" \

-	"$(INTDIR)\listenlist.sbr" \

-	"$(INTDIR)\log.sbr" \

-	"$(INTDIR)\logconf.sbr" \

-	"$(INTDIR)\lwaddr.sbr" \

-	"$(INTDIR)\lwdclient.sbr" \

-	"$(INTDIR)\lwderror.sbr" \

-	"$(INTDIR)\lwdgabn.sbr" \

-	"$(INTDIR)\lwdgnba.sbr" \

-	"$(INTDIR)\lwdgrbn.sbr" \

-	"$(INTDIR)\lwdnoop.sbr" \

-	"$(INTDIR)\lwresd.sbr" \

-	"$(INTDIR)\lwsearch.sbr" \

-	"$(INTDIR)\main.sbr" \

-	"$(INTDIR)\notify.sbr" \

-	"$(INTDIR)\ntservice.sbr" \

-	"$(INTDIR)\os.sbr" \

-	"$(INTDIR)\query.sbr" \

-	"$(INTDIR)\server.sbr" \

-	"$(INTDIR)\sortlist.sbr" \

-	"$(INTDIR)\tkeyconf.sbr" \

-	"$(INTDIR)\tsigconf.sbr" \

-	"$(INTDIR)\update.sbr" \

-	"$(INTDIR)\xfrout.sbr" \

-	"$(INTDIR)\zoneconf.sbr"

-

-"$(OUTDIR)\named.bsc" : "$(OUTDIR)" $(BSC32_SBRS)

-    $(BSC32) @<<

-  $(BSC32_FLAGS) $(BSC32_SBRS)

-<<

-

-LINK32=link.exe

-LINK32_FLAGS=user32.lib advapi32.lib kernel32.lib ws2_32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/isccc/win32/Debug/libisccc.lib ../../../lib/lwres/win32/Debug/liblwres.lib ../../../lib/isccfg/win32/Debug/libisccfg.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\named.pdb" /map:"$(INTDIR)\named.map" /debug /machine:I386 /out:"../../../Build/Debug/named.exe" /pdbtype:sept 

-LINK32_OBJS= \

-	"$(INTDIR)\aclconf.obj" \

-	"$(INTDIR)\client.obj" \

-	"$(INTDIR)\config.obj" \

-	"$(INTDIR)\control.obj" \

-	"$(INTDIR)\controlconf.obj" \

-	"$(INTDIR)\interfacemgr.obj" \

-	"$(INTDIR)\listenlist.obj" \

-	"$(INTDIR)\log.obj" \

-	"$(INTDIR)\logconf.obj" \

-	"$(INTDIR)\lwaddr.obj" \

-	"$(INTDIR)\lwdclient.obj" \

-	"$(INTDIR)\lwderror.obj" \

-	"$(INTDIR)\lwdgabn.obj" \

-	"$(INTDIR)\lwdgnba.obj" \

-	"$(INTDIR)\lwdgrbn.obj" \

-	"$(INTDIR)\lwdnoop.obj" \

-	"$(INTDIR)\lwresd.obj" \

-	"$(INTDIR)\lwsearch.obj" \

-	"$(INTDIR)\main.obj" \

-	"$(INTDIR)\notify.obj" \

-	"$(INTDIR)\ntservice.obj" \

-	"$(INTDIR)\os.obj" \

-	"$(INTDIR)\query.obj" \

-	"$(INTDIR)\server.obj" \

-	"$(INTDIR)\sortlist.obj" \

-	"$(INTDIR)\tkeyconf.obj" \

-	"$(INTDIR)\tsigconf.obj" \

-	"$(INTDIR)\update.obj" \

-	"$(INTDIR)\xfrout.obj" \

-	"$(INTDIR)\zoneconf.obj"

-

-"..\..\..\Build\Debug\named.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)

-    $(LINK32) @<<

-  $(LINK32_FLAGS) $(LINK32_OBJS)

-<<

-    $(_VC_MANIFEST_EMBED_EXE)

-

-!ENDIF 

-

-

-!IF "$(NO_EXTERNAL_DEPS)" != "1"

-!IF EXISTS("named.dep")

-!INCLUDE "named.dep"

-!ELSE 

-!MESSAGE Warning: cannot find "named.dep"

-!ENDIF 

-!ENDIF 

-

-

-!IF "$(CFG)" == "named - Win32 Release" || "$(CFG)" == "named - Win32 Debug"

-SOURCE=..\aclconf.c

-

-!IF  "$(CFG)" == "named - Win32 Release"

-

-

-"$(INTDIR)\aclconf.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "named - Win32 Debug"

-

-

-"$(INTDIR)\aclconf.obj"	"$(INTDIR)\aclconf.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\client.c

-

-!IF  "$(CFG)" == "named - Win32 Release"

-

-

-"$(INTDIR)\client.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "named - Win32 Debug"

-

-

-"$(INTDIR)\client.obj"	"$(INTDIR)\client.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\config.c

-

-!IF  "$(CFG)" == "named - Win32 Release"

-

-

-"$(INTDIR)\config.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "named - Win32 Debug"

-

-

-"$(INTDIR)\config.obj"	"$(INTDIR)\config.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\control.c

-

-!IF  "$(CFG)" == "named - Win32 Release"

-

-

-"$(INTDIR)\control.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "named - Win32 Debug"

-

-

-"$(INTDIR)\control.obj"	"$(INTDIR)\control.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\controlconf.c

-

-!IF  "$(CFG)" == "named - Win32 Release"

-

-

-"$(INTDIR)\controlconf.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "named - Win32 Debug"

-

-

-"$(INTDIR)\controlconf.obj"	"$(INTDIR)\controlconf.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\interfacemgr.c

-

-!IF  "$(CFG)" == "named - Win32 Release"

-

-

-"$(INTDIR)\interfacemgr.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "named - Win32 Debug"

-

-

-"$(INTDIR)\interfacemgr.obj"	"$(INTDIR)\interfacemgr.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\listenlist.c

-

-!IF  "$(CFG)" == "named - Win32 Release"

-

-

-"$(INTDIR)\listenlist.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "named - Win32 Debug"

-

-

-"$(INTDIR)\listenlist.obj"	"$(INTDIR)\listenlist.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\log.c

-

-!IF  "$(CFG)" == "named - Win32 Release"

-

-

-"$(INTDIR)\log.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "named - Win32 Debug"

-

-

-"$(INTDIR)\log.obj"	"$(INTDIR)\log.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\logconf.c

-

-!IF  "$(CFG)" == "named - Win32 Release"

-

-

-"$(INTDIR)\logconf.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "named - Win32 Debug"

-

-

-"$(INTDIR)\logconf.obj"	"$(INTDIR)\logconf.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\lwaddr.c

-

-!IF  "$(CFG)" == "named - Win32 Release"

-

-

-"$(INTDIR)\lwaddr.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "named - Win32 Debug"

-

-

-"$(INTDIR)\lwaddr.obj"	"$(INTDIR)\lwaddr.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\lwdclient.c

-

-!IF  "$(CFG)" == "named - Win32 Release"

-

-

-"$(INTDIR)\lwdclient.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "named - Win32 Debug"

-

-

-"$(INTDIR)\lwdclient.obj"	"$(INTDIR)\lwdclient.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\lwderror.c

-

-!IF  "$(CFG)" == "named - Win32 Release"

-

-

-"$(INTDIR)\lwderror.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "named - Win32 Debug"

-

-

-"$(INTDIR)\lwderror.obj"	"$(INTDIR)\lwderror.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\lwdgabn.c

-

-!IF  "$(CFG)" == "named - Win32 Release"

-

-

-"$(INTDIR)\lwdgabn.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "named - Win32 Debug"

-

-

-"$(INTDIR)\lwdgabn.obj"	"$(INTDIR)\lwdgabn.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\lwdgnba.c

-

-!IF  "$(CFG)" == "named - Win32 Release"

-

-

-"$(INTDIR)\lwdgnba.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "named - Win32 Debug"

-

-

-"$(INTDIR)\lwdgnba.obj"	"$(INTDIR)\lwdgnba.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\lwdgrbn.c

-

-!IF  "$(CFG)" == "named - Win32 Release"

-

-

-"$(INTDIR)\lwdgrbn.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "named - Win32 Debug"

-

-

-"$(INTDIR)\lwdgrbn.obj"	"$(INTDIR)\lwdgrbn.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\lwdnoop.c

-

-!IF  "$(CFG)" == "named - Win32 Release"

-

-

-"$(INTDIR)\lwdnoop.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "named - Win32 Debug"

-

-

-"$(INTDIR)\lwdnoop.obj"	"$(INTDIR)\lwdnoop.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\lwresd.c

-

-!IF  "$(CFG)" == "named - Win32 Release"

-

-

-"$(INTDIR)\lwresd.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "named - Win32 Debug"

-

-

-"$(INTDIR)\lwresd.obj"	"$(INTDIR)\lwresd.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\lwsearch.c

-

-!IF  "$(CFG)" == "named - Win32 Release"

-

-

-"$(INTDIR)\lwsearch.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "named - Win32 Debug"

-

-

-"$(INTDIR)\lwsearch.obj"	"$(INTDIR)\lwsearch.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\main.c

-

-!IF  "$(CFG)" == "named - Win32 Release"

-

-

-"$(INTDIR)\main.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "named - Win32 Debug"

-

-

-"$(INTDIR)\main.obj"	"$(INTDIR)\main.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\notify.c

-

-!IF  "$(CFG)" == "named - Win32 Release"

-

-

-"$(INTDIR)\notify.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "named - Win32 Debug"

-

-

-"$(INTDIR)\notify.obj"	"$(INTDIR)\notify.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=.\ntservice.c

-

-!IF  "$(CFG)" == "named - Win32 Release"

-

-

-"$(INTDIR)\ntservice.obj" : $(SOURCE) "$(INTDIR)"

-

-

-!ELSEIF  "$(CFG)" == "named - Win32 Debug"

-

-

-"$(INTDIR)\ntservice.obj"	"$(INTDIR)\ntservice.sbr" : $(SOURCE) "$(INTDIR)"

-

-

-!ENDIF 

-

-SOURCE=.\os.c

-

-!IF  "$(CFG)" == "named - Win32 Release"

-

-

-"$(INTDIR)\os.obj" : $(SOURCE) "$(INTDIR)"

-

-

-!ELSEIF  "$(CFG)" == "named - Win32 Debug"

-

-

-"$(INTDIR)\os.obj"	"$(INTDIR)\os.sbr" : $(SOURCE) "$(INTDIR)"

-

-

-!ENDIF 

-

-SOURCE=..\query.c

-

-!IF  "$(CFG)" == "named - Win32 Release"

-

-

-"$(INTDIR)\query.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "named - Win32 Debug"

-

-

-"$(INTDIR)\query.obj"	"$(INTDIR)\query.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\server.c

-

-!IF  "$(CFG)" == "named - Win32 Release"

-

-

-"$(INTDIR)\server.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "named - Win32 Debug"

-

-

-"$(INTDIR)\server.obj"	"$(INTDIR)\server.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\sortlist.c

-

-!IF  "$(CFG)" == "named - Win32 Release"

-

-

-"$(INTDIR)\sortlist.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "named - Win32 Debug"

-

-

-"$(INTDIR)\sortlist.obj"	"$(INTDIR)\sortlist.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\tkeyconf.c

-

-!IF  "$(CFG)" == "named - Win32 Release"

-

-

-"$(INTDIR)\tkeyconf.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "named - Win32 Debug"

-

-

-"$(INTDIR)\tkeyconf.obj"	"$(INTDIR)\tkeyconf.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\tsigconf.c

-

-!IF  "$(CFG)" == "named - Win32 Release"

-

-

-"$(INTDIR)\tsigconf.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "named - Win32 Debug"

-

-

-"$(INTDIR)\tsigconf.obj"	"$(INTDIR)\tsigconf.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\update.c

-

-!IF  "$(CFG)" == "named - Win32 Release"

-

-

-"$(INTDIR)\update.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "named - Win32 Debug"

-

-

-"$(INTDIR)\update.obj"	"$(INTDIR)\update.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\xfrout.c

-

-!IF  "$(CFG)" == "named - Win32 Release"

-

-

-"$(INTDIR)\xfrout.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "named - Win32 Debug"

-

-

-"$(INTDIR)\xfrout.obj"	"$(INTDIR)\xfrout.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\zoneconf.c

-

-!IF  "$(CFG)" == "named - Win32 Release"

-

-

-"$(INTDIR)\zoneconf.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "named - Win32 Debug"

-

-

-"$(INTDIR)\zoneconf.obj"	"$(INTDIR)\zoneconf.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-

-!ENDIF 

-

-####################################################

-# Commands to generate initial empty manifest file and the RC file

-# that references it, and for generating the .res file:

-

-$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc

-

-$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest

-    type <<$@

-#include <winuser.h>

-1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"

-<< KEEP

-

-$(_VC_MANIFEST_BASENAME).auto.manifest :

-    type <<$@

-<?xml version='1.0' encoding='UTF-8' standalone='yes'?>

-<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>

-</assembly>

-<< KEEP

+# Microsoft Developer Studio Generated NMAKE File, Based on named.dsp
+!IF "$(CFG)" == ""
+CFG=named - Win32 Debug
+!MESSAGE No configuration specified. Defaulting to named - Win32 Debug.
+!ENDIF 
+
+!IF "$(CFG)" != "named - Win32 Release" && "$(CFG)" != "named - Win32 Debug"
+!MESSAGE Invalid configuration "$(CFG)" specified.
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "named.mak" CFG="named - Win32 Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "named - Win32 Release" (based on "Win32 (x86) Console Application")
+!MESSAGE "named - Win32 Debug" (based on "Win32 (x86) Console Application")
+!MESSAGE 
+!ERROR An invalid configuration is specified.
+!ENDIF 
+
+!IF "$(OS)" == "Windows_NT"
+NULL=
+!ELSE 
+NULL=nul
+!ENDIF 
+
+CPP=cl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "named - Win32 Release"
+
+OUTDIR=.\Release
+INTDIR=.\Release
+
+!IF "$(RECURSE)" == "0" 
+
+ALL : "..\..\..\Build\Release\named.exe"
+
+!ELSE 
+
+ALL : "libisccfg - Win32 Release" "libisccc - Win32 Release" "liblwres - Win32 Release" "libbind9 - Win32 Release" "libisc - Win32 Release" "libdns - Win32 Release" "..\..\..\Build\Release\named.exe"
+
+!ENDIF 
+
+!IF "$(RECURSE)" == "1" 
+CLEAN :"libdns - Win32 ReleaseCLEAN" "libisc - Win32 ReleaseCLEAN" "libbind9 - Win32 ReleaseCLEAN" "liblwres - Win32 ReleaseCLEAN" "libisccc - Win32 ReleaseCLEAN" "libisccfg - Win32 ReleaseCLEAN" 
+!ELSE 
+CLEAN :
+!ENDIF 
+	-@erase "$(INTDIR)\aclconf.obj"
+	-@erase "$(INTDIR)\builtin.obj"
+	-@erase "$(INTDIR)\client.obj"
+	-@erase "$(INTDIR)\config.obj"
+	-@erase "$(INTDIR)\control.obj"
+	-@erase "$(INTDIR)\controlconf.obj"
+	-@erase "$(INTDIR)\interfacemgr.obj"
+	-@erase "$(INTDIR)\listenlist.obj"
+	-@erase "$(INTDIR)\log.obj"
+	-@erase "$(INTDIR)\logconf.obj"
+	-@erase "$(INTDIR)\lwaddr.obj"
+	-@erase "$(INTDIR)\lwdclient.obj"
+	-@erase "$(INTDIR)\lwderror.obj"
+	-@erase "$(INTDIR)\lwdgabn.obj"
+	-@erase "$(INTDIR)\lwdgnba.obj"
+	-@erase "$(INTDIR)\lwdgrbn.obj"
+	-@erase "$(INTDIR)\lwdnoop.obj"
+	-@erase "$(INTDIR)\lwresd.obj"
+	-@erase "$(INTDIR)\lwsearch.obj"
+	-@erase "$(INTDIR)\main.obj"
+	-@erase "$(INTDIR)\notify.obj"
+	-@erase "$(INTDIR)\ntservice.obj"
+	-@erase "$(INTDIR)\os.obj"
+	-@erase "$(INTDIR)\query.obj"
+	-@erase "$(INTDIR)\server.obj"
+	-@erase "$(INTDIR)\sortlist.obj"
+	-@erase "$(INTDIR)\tkeyconf.obj"
+	-@erase "$(INTDIR)\tsigconf.obj"
+	-@erase "$(INTDIR)\update.obj"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "$(INTDIR)\xfrout.obj"
+	-@erase "$(INTDIR)\zoneconf.obj"
+	-@erase "..\..\..\Build\Release\named.exe"
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../win32/include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/dns/sec/dst/include" /I "../../../lib/isccc/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/isccfg/include" /I "../../../lib/bind9/include" /D "WIN32" /D "NDEBUG" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\named.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\named.bsc" 
+BSC32_SBRS= \
+	
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib kernel32.lib ws2_32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/isccc/win32/Release/libisccc.lib ../../../lib/lwres/win32/Release/liblwres.lib ../../../lib/isccfg/win32/Release/libisccfg.lib ../../../lib/bind9/win32/Release/libbind9.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\named.pdb" /machine:I386 /out:"../../../Build/Release/named.exe" 
+LINK32_OBJS= \
+	"$(INTDIR)\aclconf.obj" \
+	"$(INTDIR)\client.obj" \
+	"$(INTDIR)\config.obj" \
+	"$(INTDIR)\control.obj" \
+	"$(INTDIR)\controlconf.obj" \
+	"$(INTDIR)\interfacemgr.obj" \
+	"$(INTDIR)\listenlist.obj" \
+	"$(INTDIR)\log.obj" \
+	"$(INTDIR)\logconf.obj" \
+	"$(INTDIR)\lwaddr.obj" \
+	"$(INTDIR)\lwdclient.obj" \
+	"$(INTDIR)\lwderror.obj" \
+	"$(INTDIR)\lwdgabn.obj" \
+	"$(INTDIR)\lwdgnba.obj" \
+	"$(INTDIR)\lwdgrbn.obj" \
+	"$(INTDIR)\lwdnoop.obj" \
+	"$(INTDIR)\lwresd.obj" \
+	"$(INTDIR)\lwsearch.obj" \
+	"$(INTDIR)\main.obj" \
+	"$(INTDIR)\notify.obj" \
+	"$(INTDIR)\ntservice.obj" \
+	"$(INTDIR)\os.obj" \
+	"$(INTDIR)\query.obj" \
+	"$(INTDIR)\server.obj" \
+	"$(INTDIR)\sortlist.obj" \
+	"$(INTDIR)\tkeyconf.obj" \
+	"$(INTDIR)\tsigconf.obj" \
+	"$(INTDIR)\update.obj" \
+	"$(INTDIR)\xfrout.obj" \
+	"$(INTDIR)\zoneconf.obj" \
+	"$(INTDIR)\builtin.obj" \
+	"..\..\..\lib\dns\win32\Release\libdns.lib" \
+	"..\..\..\lib\isc\win32\Release\libisc.lib" \
+	"..\..\..\lib\bind9\win32\Release\libbind9.lib" \
+	"..\..\..\lib\lwres\win32\Release\liblwres.lib" \
+	"..\..\..\lib\isccc\win32\Release\libisccc.lib" \
+	"..\..\..\lib\isccfg\win32\Release\libisccfg.lib"
+
+"..\..\..\Build\Release\named.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+
+!ELSEIF  "$(CFG)" == "named - Win32 Debug"
+
+OUTDIR=.\Debug
+INTDIR=.\Debug
+# Begin Custom Macros
+OutDir=.\Debug
+# End Custom Macros
+
+!IF "$(RECURSE)" == "0" 
+
+ALL : "..\..\..\Build\Debug\named.exe" "$(OUTDIR)\named.bsc"
+
+!ELSE 
+
+ALL : "libisccfg - Win32 Debug" "libisccc - Win32 Debug" "liblwres - Win32 Debug" "libbind9 - Win32 Debug" "libisc - Win32 Debug" "libdns - Win32 Debug" "..\..\..\Build\Debug\named.exe" "$(OUTDIR)\named.bsc"
+
+!ENDIF 
+
+!IF "$(RECURSE)" == "1" 
+CLEAN :"libdns - Win32 DebugCLEAN" "libisc - Win32 DebugCLEAN" "libbind9 - Win32 DebugCLEAN" "liblwres - Win32 DebugCLEAN" "libisccc - Win32 DebugCLEAN" "libisccfg - Win32 DebugCLEAN" 
+!ELSE 
+CLEAN :
+!ENDIF 
+	-@erase "$(INTDIR)\aclconf.obj"
+	-@erase "$(INTDIR)\aclconf.sbr"
+	-@erase "$(INTDIR)\builtin.obj"
+	-@erase "$(INTDIR)\builtin.sbr"
+	-@erase "$(INTDIR)\client.obj"
+	-@erase "$(INTDIR)\client.sbr"
+	-@erase "$(INTDIR)\config.obj"
+	-@erase "$(INTDIR)\config.sbr"
+	-@erase "$(INTDIR)\control.obj"
+	-@erase "$(INTDIR)\control.sbr"
+	-@erase "$(INTDIR)\controlconf.obj"
+	-@erase "$(INTDIR)\controlconf.sbr"
+	-@erase "$(INTDIR)\interfacemgr.obj"
+	-@erase "$(INTDIR)\interfacemgr.sbr"
+	-@erase "$(INTDIR)\listenlist.obj"
+	-@erase "$(INTDIR)\listenlist.sbr"
+	-@erase "$(INTDIR)\log.obj"
+	-@erase "$(INTDIR)\log.sbr"
+	-@erase "$(INTDIR)\logconf.obj"
+	-@erase "$(INTDIR)\logconf.sbr"
+	-@erase "$(INTDIR)\lwaddr.obj"
+	-@erase "$(INTDIR)\lwaddr.sbr"
+	-@erase "$(INTDIR)\lwdclient.obj"
+	-@erase "$(INTDIR)\lwdclient.sbr"
+	-@erase "$(INTDIR)\lwderror.obj"
+	-@erase "$(INTDIR)\lwderror.sbr"
+	-@erase "$(INTDIR)\lwdgabn.obj"
+	-@erase "$(INTDIR)\lwdgabn.sbr"
+	-@erase "$(INTDIR)\lwdgnba.obj"
+	-@erase "$(INTDIR)\lwdgnba.sbr"
+	-@erase "$(INTDIR)\lwdgrbn.obj"
+	-@erase "$(INTDIR)\lwdgrbn.sbr"
+	-@erase "$(INTDIR)\lwdnoop.obj"
+	-@erase "$(INTDIR)\lwdnoop.sbr"
+	-@erase "$(INTDIR)\lwresd.obj"
+	-@erase "$(INTDIR)\lwresd.sbr"
+	-@erase "$(INTDIR)\lwsearch.obj"
+	-@erase "$(INTDIR)\lwsearch.sbr"
+	-@erase "$(INTDIR)\main.obj"
+	-@erase "$(INTDIR)\main.sbr"
+	-@erase "$(INTDIR)\notify.obj"
+	-@erase "$(INTDIR)\notify.sbr"
+	-@erase "$(INTDIR)\ntservice.obj"
+	-@erase "$(INTDIR)\ntservice.sbr"
+	-@erase "$(INTDIR)\os.obj"
+	-@erase "$(INTDIR)\os.sbr"
+	-@erase "$(INTDIR)\query.obj"
+	-@erase "$(INTDIR)\query.sbr"
+	-@erase "$(INTDIR)\server.obj"
+	-@erase "$(INTDIR)\server.sbr"
+	-@erase "$(INTDIR)\sortlist.obj"
+	-@erase "$(INTDIR)\sortlist.sbr"
+	-@erase "$(INTDIR)\tkeyconf.obj"
+	-@erase "$(INTDIR)\tkeyconf.sbr"
+	-@erase "$(INTDIR)\tsigconf.obj"
+	-@erase "$(INTDIR)\tsigconf.sbr"
+	-@erase "$(INTDIR)\update.obj"
+	-@erase "$(INTDIR)\update.sbr"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "$(INTDIR)\vc60.pdb"
+	-@erase "$(INTDIR)\xfrout.obj"
+	-@erase "$(INTDIR)\xfrout.sbr"
+	-@erase "$(INTDIR)\zoneconf.obj"
+	-@erase "$(INTDIR)\zoneconf.sbr"
+	-@erase "$(OUTDIR)\named.bsc"
+	-@erase "$(OUTDIR)\named.map"
+	-@erase "$(OUTDIR)\named.pdb"
+	-@erase "..\..\..\Build\Debug\named.exe"
+	-@erase "..\..\..\Build\Debug\named.ilk"
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../win32/include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/dns/sec/dst/include" /I "../../../lib/isccc/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/isccfg/include" /I "../../../lib/bind9/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /D "i386" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\named.bsc" 
+BSC32_SBRS= \
+	"$(INTDIR)\aclconf.sbr" \
+	"$(INTDIR)\client.sbr" \
+	"$(INTDIR)\config.sbr" \
+	"$(INTDIR)\control.sbr" \
+	"$(INTDIR)\controlconf.sbr" \
+	"$(INTDIR)\interfacemgr.sbr" \
+	"$(INTDIR)\listenlist.sbr" \
+	"$(INTDIR)\log.sbr" \
+	"$(INTDIR)\logconf.sbr" \
+	"$(INTDIR)\lwaddr.sbr" \
+	"$(INTDIR)\lwdclient.sbr" \
+	"$(INTDIR)\lwderror.sbr" \
+	"$(INTDIR)\lwdgabn.sbr" \
+	"$(INTDIR)\lwdgnba.sbr" \
+	"$(INTDIR)\lwdgrbn.sbr" \
+	"$(INTDIR)\lwdnoop.sbr" \
+	"$(INTDIR)\lwresd.sbr" \
+	"$(INTDIR)\lwsearch.sbr" \
+	"$(INTDIR)\main.sbr" \
+	"$(INTDIR)\notify.sbr" \
+	"$(INTDIR)\ntservice.sbr" \
+	"$(INTDIR)\os.sbr" \
+	"$(INTDIR)\query.sbr" \
+	"$(INTDIR)\server.sbr" \
+	"$(INTDIR)\sortlist.sbr" \
+	"$(INTDIR)\tkeyconf.sbr" \
+	"$(INTDIR)\tsigconf.sbr" \
+	"$(INTDIR)\update.sbr" \
+	"$(INTDIR)\xfrout.sbr" \
+	"$(INTDIR)\zoneconf.sbr" \
+	"$(INTDIR)\builtin.sbr"
+
+"$(OUTDIR)\named.bsc" : "$(OUTDIR)" $(BSC32_SBRS)
+    $(BSC32) @<<
+  $(BSC32_FLAGS) $(BSC32_SBRS)
+<<
+
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib kernel32.lib ws2_32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/isccc/win32/Debug/libisccc.lib ../../../lib/lwres/win32/Debug/liblwres.lib ../../../lib/isccfg/win32/Debug/libisccfg.lib ../../../lib/bind9/win32/Debug/libbind9.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\named.pdb" /map:"$(INTDIR)\named.map" /debug /machine:I386 /out:"../../../Build/Debug/named.exe" /pdbtype:sept 
+LINK32_OBJS= \
+	"$(INTDIR)\aclconf.obj" \
+	"$(INTDIR)\client.obj" \
+	"$(INTDIR)\config.obj" \
+	"$(INTDIR)\control.obj" \
+	"$(INTDIR)\controlconf.obj" \
+	"$(INTDIR)\interfacemgr.obj" \
+	"$(INTDIR)\listenlist.obj" \
+	"$(INTDIR)\log.obj" \
+	"$(INTDIR)\logconf.obj" \
+	"$(INTDIR)\lwaddr.obj" \
+	"$(INTDIR)\lwdclient.obj" \
+	"$(INTDIR)\lwderror.obj" \
+	"$(INTDIR)\lwdgabn.obj" \
+	"$(INTDIR)\lwdgnba.obj" \
+	"$(INTDIR)\lwdgrbn.obj" \
+	"$(INTDIR)\lwdnoop.obj" \
+	"$(INTDIR)\lwresd.obj" \
+	"$(INTDIR)\lwsearch.obj" \
+	"$(INTDIR)\main.obj" \
+	"$(INTDIR)\notify.obj" \
+	"$(INTDIR)\ntservice.obj" \
+	"$(INTDIR)\os.obj" \
+	"$(INTDIR)\query.obj" \
+	"$(INTDIR)\server.obj" \
+	"$(INTDIR)\sortlist.obj" \
+	"$(INTDIR)\tkeyconf.obj" \
+	"$(INTDIR)\tsigconf.obj" \
+	"$(INTDIR)\update.obj" \
+	"$(INTDIR)\xfrout.obj" \
+	"$(INTDIR)\zoneconf.obj" \
+	"$(INTDIR)\builtin.obj" \
+	"..\..\..\lib\dns\win32\Debug\libdns.lib" \
+	"..\..\..\lib\isc\win32\Debug\libisc.lib" \
+	"..\..\..\lib\bind9\win32\Debug\libbind9.lib" \
+	"..\..\..\lib\lwres\win32\Debug\liblwres.lib" \
+	"..\..\..\lib\isccc\win32\Debug\libisccc.lib" \
+	"..\..\..\lib\isccfg\win32\Debug\libisccfg.lib"
+
+"..\..\..\Build\Debug\named.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+
+!ENDIF 
+
+.c{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+
+!IF "$(NO_EXTERNAL_DEPS)" != "1"
+!IF EXISTS("named.dep")
+!INCLUDE "named.dep"
+!ELSE 
+!MESSAGE Warning: cannot find "named.dep"
+!ENDIF 
+!ENDIF 
+
+
+!IF "$(CFG)" == "named - Win32 Release" || "$(CFG)" == "named - Win32 Debug"
+SOURCE=..\aclconf.c
+
+!IF  "$(CFG)" == "named - Win32 Release"
+
+
+"$(INTDIR)\aclconf.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "named - Win32 Debug"
+
+
+"$(INTDIR)\aclconf.obj"	"$(INTDIR)\aclconf.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\builtin.c
+
+!IF  "$(CFG)" == "named - Win32 Release"
+
+
+"$(INTDIR)\builtin.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "named - Win32 Debug"
+
+
+"$(INTDIR)\builtin.obj"	"$(INTDIR)\builtin.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\client.c
+
+!IF  "$(CFG)" == "named - Win32 Release"
+
+
+"$(INTDIR)\client.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "named - Win32 Debug"
+
+
+"$(INTDIR)\client.obj"	"$(INTDIR)\client.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\config.c
+
+!IF  "$(CFG)" == "named - Win32 Release"
+
+
+"$(INTDIR)\config.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "named - Win32 Debug"
+
+
+"$(INTDIR)\config.obj"	"$(INTDIR)\config.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\control.c
+
+!IF  "$(CFG)" == "named - Win32 Release"
+
+
+"$(INTDIR)\control.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "named - Win32 Debug"
+
+
+"$(INTDIR)\control.obj"	"$(INTDIR)\control.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\controlconf.c
+
+!IF  "$(CFG)" == "named - Win32 Release"
+
+
+"$(INTDIR)\controlconf.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "named - Win32 Debug"
+
+
+"$(INTDIR)\controlconf.obj"	"$(INTDIR)\controlconf.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\interfacemgr.c
+
+!IF  "$(CFG)" == "named - Win32 Release"
+
+
+"$(INTDIR)\interfacemgr.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "named - Win32 Debug"
+
+
+"$(INTDIR)\interfacemgr.obj"	"$(INTDIR)\interfacemgr.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\listenlist.c
+
+!IF  "$(CFG)" == "named - Win32 Release"
+
+
+"$(INTDIR)\listenlist.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "named - Win32 Debug"
+
+
+"$(INTDIR)\listenlist.obj"	"$(INTDIR)\listenlist.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\log.c
+
+!IF  "$(CFG)" == "named - Win32 Release"
+
+
+"$(INTDIR)\log.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "named - Win32 Debug"
+
+
+"$(INTDIR)\log.obj"	"$(INTDIR)\log.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\logconf.c
+
+!IF  "$(CFG)" == "named - Win32 Release"
+
+
+"$(INTDIR)\logconf.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "named - Win32 Debug"
+
+
+"$(INTDIR)\logconf.obj"	"$(INTDIR)\logconf.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\lwaddr.c
+
+!IF  "$(CFG)" == "named - Win32 Release"
+
+
+"$(INTDIR)\lwaddr.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "named - Win32 Debug"
+
+
+"$(INTDIR)\lwaddr.obj"	"$(INTDIR)\lwaddr.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\lwdclient.c
+
+!IF  "$(CFG)" == "named - Win32 Release"
+
+
+"$(INTDIR)\lwdclient.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "named - Win32 Debug"
+
+
+"$(INTDIR)\lwdclient.obj"	"$(INTDIR)\lwdclient.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\lwderror.c
+
+!IF  "$(CFG)" == "named - Win32 Release"
+
+
+"$(INTDIR)\lwderror.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "named - Win32 Debug"
+
+
+"$(INTDIR)\lwderror.obj"	"$(INTDIR)\lwderror.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\lwdgabn.c
+
+!IF  "$(CFG)" == "named - Win32 Release"
+
+
+"$(INTDIR)\lwdgabn.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "named - Win32 Debug"
+
+
+"$(INTDIR)\lwdgabn.obj"	"$(INTDIR)\lwdgabn.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\lwdgnba.c
+
+!IF  "$(CFG)" == "named - Win32 Release"
+
+
+"$(INTDIR)\lwdgnba.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "named - Win32 Debug"
+
+
+"$(INTDIR)\lwdgnba.obj"	"$(INTDIR)\lwdgnba.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\lwdgrbn.c
+
+!IF  "$(CFG)" == "named - Win32 Release"
+
+
+"$(INTDIR)\lwdgrbn.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "named - Win32 Debug"
+
+
+"$(INTDIR)\lwdgrbn.obj"	"$(INTDIR)\lwdgrbn.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\lwdnoop.c
+
+!IF  "$(CFG)" == "named - Win32 Release"
+
+
+"$(INTDIR)\lwdnoop.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "named - Win32 Debug"
+
+
+"$(INTDIR)\lwdnoop.obj"	"$(INTDIR)\lwdnoop.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\lwresd.c
+
+!IF  "$(CFG)" == "named - Win32 Release"
+
+
+"$(INTDIR)\lwresd.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "named - Win32 Debug"
+
+
+"$(INTDIR)\lwresd.obj"	"$(INTDIR)\lwresd.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\lwsearch.c
+
+!IF  "$(CFG)" == "named - Win32 Release"
+
+
+"$(INTDIR)\lwsearch.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "named - Win32 Debug"
+
+
+"$(INTDIR)\lwsearch.obj"	"$(INTDIR)\lwsearch.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\main.c
+
+!IF  "$(CFG)" == "named - Win32 Release"
+
+
+"$(INTDIR)\main.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "named - Win32 Debug"
+
+
+"$(INTDIR)\main.obj"	"$(INTDIR)\main.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\notify.c
+
+!IF  "$(CFG)" == "named - Win32 Release"
+
+
+"$(INTDIR)\notify.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "named - Win32 Debug"
+
+
+"$(INTDIR)\notify.obj"	"$(INTDIR)\notify.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=.\ntservice.c
+
+!IF  "$(CFG)" == "named - Win32 Release"
+
+
+"$(INTDIR)\ntservice.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "named - Win32 Debug"
+
+
+"$(INTDIR)\ntservice.obj"	"$(INTDIR)\ntservice.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF 
+
+SOURCE=.\os.c
+
+!IF  "$(CFG)" == "named - Win32 Release"
+
+
+"$(INTDIR)\os.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "named - Win32 Debug"
+
+
+"$(INTDIR)\os.obj"	"$(INTDIR)\os.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF 
+
+SOURCE=..\query.c
+
+!IF  "$(CFG)" == "named - Win32 Release"
+
+
+"$(INTDIR)\query.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "named - Win32 Debug"
+
+
+"$(INTDIR)\query.obj"	"$(INTDIR)\query.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\server.c
+
+!IF  "$(CFG)" == "named - Win32 Release"
+
+
+"$(INTDIR)\server.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "named - Win32 Debug"
+
+
+"$(INTDIR)\server.obj"	"$(INTDIR)\server.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\sortlist.c
+
+!IF  "$(CFG)" == "named - Win32 Release"
+
+
+"$(INTDIR)\sortlist.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "named - Win32 Debug"
+
+
+"$(INTDIR)\sortlist.obj"	"$(INTDIR)\sortlist.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\tkeyconf.c
+
+!IF  "$(CFG)" == "named - Win32 Release"
+
+
+"$(INTDIR)\tkeyconf.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "named - Win32 Debug"
+
+
+"$(INTDIR)\tkeyconf.obj"	"$(INTDIR)\tkeyconf.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\tsigconf.c
+
+!IF  "$(CFG)" == "named - Win32 Release"
+
+
+"$(INTDIR)\tsigconf.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "named - Win32 Debug"
+
+
+"$(INTDIR)\tsigconf.obj"	"$(INTDIR)\tsigconf.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\update.c
+
+!IF  "$(CFG)" == "named - Win32 Release"
+
+
+"$(INTDIR)\update.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "named - Win32 Debug"
+
+
+"$(INTDIR)\update.obj"	"$(INTDIR)\update.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\xfrout.c
+
+!IF  "$(CFG)" == "named - Win32 Release"
+
+
+"$(INTDIR)\xfrout.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "named - Win32 Debug"
+
+
+"$(INTDIR)\xfrout.obj"	"$(INTDIR)\xfrout.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\zoneconf.c
+
+!IF  "$(CFG)" == "named - Win32 Release"
+
+
+"$(INTDIR)\zoneconf.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "named - Win32 Debug"
+
+
+"$(INTDIR)\zoneconf.obj"	"$(INTDIR)\zoneconf.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+!IF  "$(CFG)" == "named - Win32 Release"
+
+"libdns - Win32 Release" : 
+   cd "..\..\..\lib\dns\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libdns.mak" CFG="libdns - Win32 Release" 
+   cd "..\..\..\bin\named\win32"
+
+"libdns - Win32 ReleaseCLEAN" : 
+   cd "..\..\..\lib\dns\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libdns.mak" CFG="libdns - Win32 Release" RECURSE=1 CLEAN 
+   cd "..\..\..\bin\named\win32"
+
+!ELSEIF  "$(CFG)" == "named - Win32 Debug"
+
+"libdns - Win32 Debug" : 
+   cd "..\..\..\lib\dns\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libdns.mak" CFG="libdns - Win32 Debug" 
+   cd "..\..\..\bin\named\win32"
+
+"libdns - Win32 DebugCLEAN" : 
+   cd "..\..\..\lib\dns\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libdns.mak" CFG="libdns - Win32 Debug" RECURSE=1 CLEAN 
+   cd "..\..\..\bin\named\win32"
+
+!ENDIF 
+
+!IF  "$(CFG)" == "named - Win32 Release"
+
+"libisc - Win32 Release" : 
+   cd "..\..\..\lib\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - Win32 Release" 
+   cd "..\..\..\bin\named\win32"
+
+"libisc - Win32 ReleaseCLEAN" : 
+   cd "..\..\..\lib\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - Win32 Release" RECURSE=1 CLEAN 
+   cd "..\..\..\bin\named\win32"
+
+!ELSEIF  "$(CFG)" == "named - Win32 Debug"
+
+"libisc - Win32 Debug" : 
+   cd "..\..\..\lib\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - Win32 Debug" 
+   cd "..\..\..\bin\named\win32"
+
+"libisc - Win32 DebugCLEAN" : 
+   cd "..\..\..\lib\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - Win32 Debug" RECURSE=1 CLEAN 
+   cd "..\..\..\bin\named\win32"
+
+!ENDIF 
+
+!IF  "$(CFG)" == "named - Win32 Release"
+
+"libbind9 - Win32 Release" : 
+   cd "..\..\..\lib\bind9\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libbind9.mak" CFG="libbind9 - Win32 Release" 
+   cd "..\..\..\bin\named\win32"
+
+"libbind9 - Win32 ReleaseCLEAN" : 
+   cd "..\..\..\lib\bind9\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libbind9.mak" CFG="libbind9 - Win32 Release" RECURSE=1 CLEAN 
+   cd "..\..\..\bin\named\win32"
+
+!ELSEIF  "$(CFG)" == "named - Win32 Debug"
+
+"libbind9 - Win32 Debug" : 
+   cd "..\..\..\lib\bind9\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libbind9.mak" CFG="libbind9 - Win32 Debug" 
+   cd "..\..\..\bin\named\win32"
+
+"libbind9 - Win32 DebugCLEAN" : 
+   cd "..\..\..\lib\bind9\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libbind9.mak" CFG="libbind9 - Win32 Debug" RECURSE=1 CLEAN 
+   cd "..\..\..\bin\named\win32"
+
+!ENDIF 
+
+!IF  "$(CFG)" == "named - Win32 Release"
+
+"liblwres - Win32 Release" : 
+   cd "..\..\..\lib\lwres\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\liblwres.mak" CFG="liblwres - Win32 Release" 
+   cd "..\..\..\bin\named\win32"
+
+"liblwres - Win32 ReleaseCLEAN" : 
+   cd "..\..\..\lib\lwres\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\liblwres.mak" CFG="liblwres - Win32 Release" RECURSE=1 CLEAN 
+   cd "..\..\..\bin\named\win32"
+
+!ELSEIF  "$(CFG)" == "named - Win32 Debug"
+
+"liblwres - Win32 Debug" : 
+   cd "..\..\..\lib\lwres\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\liblwres.mak" CFG="liblwres - Win32 Debug" 
+   cd "..\..\..\bin\named\win32"
+
+"liblwres - Win32 DebugCLEAN" : 
+   cd "..\..\..\lib\lwres\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\liblwres.mak" CFG="liblwres - Win32 Debug" RECURSE=1 CLEAN 
+   cd "..\..\..\bin\named\win32"
+
+!ENDIF 
+
+!IF  "$(CFG)" == "named - Win32 Release"
+
+"libisccc - Win32 Release" : 
+   cd "..\..\..\lib\isccc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisccc.mak" CFG="libisccc - Win32 Release" 
+   cd "..\..\..\bin\named\win32"
+
+"libisccc - Win32 ReleaseCLEAN" : 
+   cd "..\..\..\lib\isccc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisccc.mak" CFG="libisccc - Win32 Release" RECURSE=1 CLEAN 
+   cd "..\..\..\bin\named\win32"
+
+!ELSEIF  "$(CFG)" == "named - Win32 Debug"
+
+"libisccc - Win32 Debug" : 
+   cd "..\..\..\lib\isccc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisccc.mak" CFG="libisccc - Win32 Debug" 
+   cd "..\..\..\bin\named\win32"
+
+"libisccc - Win32 DebugCLEAN" : 
+   cd "..\..\..\lib\isccc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisccc.mak" CFG="libisccc - Win32 Debug" RECURSE=1 CLEAN 
+   cd "..\..\..\bin\named\win32"
+
+!ENDIF 
+
+!IF  "$(CFG)" == "named - Win32 Release"
+
+"libisccfg - Win32 Release" : 
+   cd "..\..\..\lib\isccfg\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisccfg.mak" CFG="libisccfg - Win32 Release" 
+   cd "..\..\..\bin\named\win32"
+
+"libisccfg - Win32 ReleaseCLEAN" : 
+   cd "..\..\..\lib\isccfg\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisccfg.mak" CFG="libisccfg - Win32 Release" RECURSE=1 CLEAN 
+   cd "..\..\..\bin\named\win32"
+
+!ELSEIF  "$(CFG)" == "named - Win32 Debug"
+
+"libisccfg - Win32 Debug" : 
+   cd "..\..\..\lib\isccfg\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisccfg.mak" CFG="libisccfg - Win32 Debug" 
+   cd "..\..\..\bin\named\win32"
+
+"libisccfg - Win32 DebugCLEAN" : 
+   cd "..\..\..\lib\isccfg\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisccfg.mak" CFG="libisccfg - Win32 Debug" RECURSE=1 CLEAN 
+   cd "..\..\..\bin\named\win32"
+
+!ENDIF 
+
+
+!ENDIF 
+
diff --git a/bin/named/win32/ntservice.c b/bin/named/win32/ntservice.c
index 8a1ce1c0..6344bb8b 100644
--- a/bin/named/win32/ntservice.c
+++ b/bin/named/win32/ntservice.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ntservice.c,v 1.3.2.2 2004/03/09 06:09:24 marka Exp $ */
+/* $Id: ntservice.c,v 1.3.2.1.10.3 2004/03/08 04:04:22 marka Exp $ */
 
 #include <config.h>
 #include <stdio.h>
@@ -30,7 +30,7 @@
 
 /* Handle to SCM for updating service status */
 static SERVICE_STATUS_HANDLE hServiceStatus = 0;
-static int foreground = FALSE;
+static BOOL foreground = FALSE;
 static char ConsoleTitle[128];
 
 /*
@@ -122,7 +122,13 @@ void
 ntservice_shutdown() {
 	UpdateSCM(SERVICE_STOPPED);
 }
-
+/*
+ * Routine to check if this is a service or a foreground program
+ */
+BOOL
+ntservice_isservice() {
+	return(!foreground);
+}
 /* 
  * ServiceControl(): Handles requests from the SCM and passes them on
  * to named.
@@ -135,6 +141,7 @@ ServiceControl(DWORD dwCtrlCode) {
 		UpdateSCM(0);
 		break;
 
+        case SERVICE_CONTROL_SHUTDOWN:
         case SERVICE_CONTROL_STOP:
 		ns_server_flushonshutdown(ns_g_server, ISC_TRUE);
 		isc_app_shutdown();
diff --git a/bin/named/win32/os.c b/bin/named/win32/os.c
index e2968682..004f254c 100644
--- a/bin/named/win32/os.c
+++ b/bin/named/win32/os.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: os.c,v 1.5.2.7 2004/09/29 06:38:43 marka Exp $ */
+/* $Id: os.c,v 1.5.2.3.8.9 2004/03/08 04:04:22 marka Exp $ */
 
 #include <config.h>
 #include <stdarg.h>
@@ -33,11 +33,14 @@
 
 #include <isc/print.h>
 #include <isc/result.h>
+#include <isc/strerror.h>
 #include <isc/string.h>
-//#include <isc/ntfile.h>
 #include <isc/ntpaths.h>
+#include <isc/util.h>
+#include <isc/win32os.h>
 
 #include <named/main.h>
+#include <named/log.h>
 #include <named/os.h>
 #include <named/globals.h>
 #include <named/ntservice.h>
@@ -48,6 +51,9 @@ static int devnullfd = -1;
 
 static BOOL Initialized = FALSE;
 
+static char *version_error = 
+	"named requires Windows 2000 Service Pack 2 or later to run correctly";
+
 void
 ns_paths_init() {
 	if (!Initialized)
@@ -64,6 +70,22 @@ ns_paths_init() {
 	Initialized = TRUE;
 }
 
+/*
+ * Due to Knowledge base article Q263823 we need to make sure that
+ * Windows 2000 systems have Service Pack 2 or later installed and
+ * warn when it isn't.
+ */
+static void
+version_check(const char *progname) {
+
+	if(isc_win32os_majorversion() < 5)
+		return;	/* No problem with Version 4.0 */
+	if(isc_win32os_versioncheck(5, 0, 2, 0) < 0)
+		if (ntservice_isservice())
+			NTReportError(progname, version_error);
+		else 
+			fprintf(stderr, "%s\n", version_error);
+}
 
 static void
 setup_syslog(const char *progname) {
@@ -82,6 +104,7 @@ ns_os_init(const char *progname) {
 	ns_paths_init();
 	setup_syslog(progname);
 	ntservice_init();
+	version_check(progname);
 }
 
 void
@@ -174,6 +197,7 @@ ns_os_writepidfile(const char *filename, isc_boolean_t first_time) {
 	FILE *lockfile;
 	size_t len;
 	pid_t pid;
+	char strbuf[ISC_STRERRORSIZE];
 	void (*report)(const char *, ...);
 
 	/*
@@ -184,11 +208,13 @@ ns_os_writepidfile(const char *filename, isc_boolean_t first_time) {
 
 	cleanup_pidfile();
 
+	if (strcmp(filename, "none") == 0)
+		return;
 	len = strlen(filename);
 	pidfile = malloc(len + 1);
 	if (pidfile == NULL) {
-		(*report)("couldn't malloc '%s': %s", filename,
-			  strerror(errno));
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		(*report)("couldn't malloc '%s': %s", filename, strbuf);
 		return;
 	}
 	/* This is safe. */
@@ -196,16 +222,17 @@ ns_os_writepidfile(const char *filename, isc_boolean_t first_time) {
 
 	fd = safe_open(filename, ISC_FALSE);
 	if (fd < 0) {
-		(*report)("couldn't open pid file '%s': %s", filename,
-			  strerror(errno));
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		(*report)("couldn't open pid file '%s': %s", filename, strbuf);
 		free(pidfile);
 		pidfile = NULL;
 		return;
 	}
 	lockfile = fdopen(fd, "w");
 	if (lockfile == NULL) {
-		(*report)("could not fdopen() pid file '%s': %s", filename,
-			  strerror(errno));
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		(*report)("could not fdopen() pid file '%s': %s",
+			  filename, strbuf);
 		(void)close(fd);
 		cleanup_pidfile();
 		return;
@@ -235,14 +262,23 @@ ns_os_shutdown(void) {
 	ntservice_shutdown();	/* This MUST be the last thing done */
 }
 
+isc_result_t
+ns_os_gethostname(char *buf, size_t len) {
+	int n;
+
+	n = gethostname(buf, len);
+	return ((n == 0) ? ISC_R_SUCCESS : ISC_R_FAILURE);
+}
+
+void
+ns_os_shutdownmsg(char *command, isc_buffer_t *text) {
+	UNUSED(command);
+	UNUSED(text);
+}
+
 void
 ns_os_tzset(void) {
 #ifdef HAVE_TZSET
 	tzset();
 #endif
 }
-
-void
-ns_os_started(void) {
-}
-
diff --git a/bin/named/xfrout.c b/bin/named/xfrout.c
index 02341b5f..9fb2697a 100644
--- a/bin/named/xfrout.c
+++ b/bin/named/xfrout.c
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: xfrout.c,v 1.101.2.10 2005/10/14 02:13:03 marka Exp $ */
+/* $Id: xfrout.c,v 1.101.2.5.2.10 2004/04/02 06:08:17 marka Exp $ */
 
 #include <config.h>
 
@@ -38,6 +38,7 @@
 #include <dns/result.h>
 #include <dns/soa.h>
 #include <dns/timer.h>
+#include <dns/tsig.h>
 #include <dns/view.h>
 #include <dns/zone.h>
 #include <dns/zt.h>
@@ -253,7 +254,7 @@ db_rr_iterator_next(db_rr_iterator_t *it) {
 
 static void
 db_rr_iterator_pause(db_rr_iterator_t *it) {
-	dns_dbiterator_pause(it->dbit);
+	RUNTIME_CHECK(dns_dbiterator_pause(it->dbit) == ISC_R_SUCCESS);
 }
 
 static void
@@ -735,7 +736,7 @@ compound_rrstream_first(rrstream_t *rs) {
 	do {
 		rrstream_t *curstream = s->components[s->state];
 		s->result = curstream->methods->first(curstream);
-	} while (s->result == ISC_R_NOMORE && s->state < 2) ;
+	} while (s->result == ISC_R_NOMORE && s->state < 2);
 	return (s->result);
 }
 
@@ -828,6 +829,7 @@ typedef struct {
 	isc_boolean_t		many_answers;
 	int			sends;		/* Send in progress */
 	isc_boolean_t		shuttingdown;
+	const char		*mnemonic;	/* Style of transfer */
 } xfrout_ctx_t;
 
 static isc_result_t
@@ -866,7 +868,7 @@ xfrout_log1(ns_client_t *client, dns_name_t *zonename,
 	    const char *fmt, ...) ISC_FORMAT_PRINTF(5, 6);
 
 static void
-xfrout_log(xfrout_ctx_t *xfr, int level, const char *fmt, ...)
+xfrout_log(xfrout_ctx_t *xfr, unsigned int level, const char *fmt, ...)
 	   ISC_FORMAT_PRINTF(3, 4);
 
 /**************************************************************************/
@@ -898,8 +900,8 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) {
 	dns_peer_t *peer = NULL;
 	isc_buffer_t *tsigbuf = NULL;
 	char *journalfile;
-	char msg[DNS_RDATACLASS_FORMATSIZE + DNS_NAME_FORMATSIZE
-		 + sizeof("zone transfer '/'")];
+	char msg[NS_CLIENT_ACLMSGSIZE("zone transfer")];
+	char keyname[DNS_NAME_FORMATSIZE];
 	isc_boolean_t is_poll = ISC_FALSE;
 
 	switch (reqtype) {
@@ -1019,7 +1021,7 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) {
 	/*
 	 * Decide whether to allow this transfer.
 	 */
-	ns_client_aclmsg("zone transfer", question_name,
+	ns_client_aclmsg("zone transfer", question_name, reqtype,
 			 client->view->rdclass, msg, sizeof(msg));
 	CHECK(ns_client_checkacl(client, msg,
 				 dns_zone_getxfracl(zone), ISC_TRUE,
@@ -1138,17 +1140,24 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) {
 				(format == dns_many_answers) ?
 					ISC_TRUE : ISC_FALSE,
 				&xfr));
+	xfr->mnemonic = mnemonic;
 	stream = NULL;
 	quota = NULL;
 
 	CHECK(xfr->stream->methods->first(xfr->stream));
 
+	if (xfr->tsigkey != NULL) {
+		dns_name_format(&xfr->tsigkey->name, keyname, sizeof(keyname));
+	} else
+		keyname[0] = '\0';
 	if (is_poll)
 		xfrout_log1(client, question_name, question_class,
-			    ISC_LOG_DEBUG(1), "IXFR poll up to date");
+			    ISC_LOG_DEBUG(1), "IXFR poll up to date%s%s",
+			    (xfr->tsigkey != NULL) ? ": TSIG " : "", keyname);
 	else
 		xfrout_log1(client, question_name, question_class,
-			    ISC_LOG_INFO, "%s started", mnemonic);
+			    ISC_LOG_INFO, "%s started%s%s", mnemonic,
+			    (xfr->tsigkey != NULL) ? ": TSIG " : "", keyname);
 
 	/*
 	 * Hand the context over to sendstream().  Set xfr to NULL;
@@ -1227,6 +1236,7 @@ xfrout_ctx_create(isc_mem_t *mctx, ns_client_t *client, unsigned int id,
 	xfr->many_answers = many_answers,
 	xfr->sends = 0;
 	xfr->shuttingdown = ISC_FALSE;
+	xfr->mnemonic = NULL;
 	xfr->buf.base = NULL;
 	xfr->buf.length = 0;
 	xfr->txmem = NULL;
@@ -1347,7 +1357,7 @@ sendstream(xfrout_ctx_t *xfr) {
 		msg->flags = DNS_MESSAGEFLAG_QR | DNS_MESSAGEFLAG_AA;
 		if ((xfr->client->attributes & NS_CLIENTATTR_RA) != 0)
 			msg->flags |= DNS_MESSAGEFLAG_RA;
-		dns_message_settsigkey(msg, xfr->tsigkey);
+		CHECK(dns_message_settsigkey(msg, xfr->tsigkey));
 		CHECK(dns_message_setquerytsig(msg, xfr->lasttsig));
 		if (xfr->lasttsig != NULL)
 			isc_buffer_free(&xfr->lasttsig);
@@ -1622,8 +1632,7 @@ xfrout_senddone(isc_task_t *task, isc_event_t *event) {
 		sendstream(xfr);
 	} else {
 		/* End of zone transfer stream. */
-		xfrout_log(xfr, ISC_LOG_DEBUG(6),
-			   "end of transfer");
+		xfrout_log(xfr, ISC_LOG_INFO, "%s ended", xfr->mnemonic);
 		ns_client_next(xfr->client, ISC_R_SUCCESS);
 		xfrout_ctx_destroy(&xfr);
 	}
@@ -1701,7 +1710,7 @@ xfrout_log1(ns_client_t *client, dns_name_t *zonename,
  * Logging function for use when there is a xfrout_ctx_t.
  */
 static void
-xfrout_log(xfrout_ctx_t *xfr, int level, const char *fmt, ...) {
+xfrout_log(xfrout_ctx_t *xfr, unsigned int level, const char *fmt, ...) {
 	va_list ap;
 	va_start(ap, fmt);
 	xfrout_logv(xfr->client, xfr->qname, xfr->qclass, level, fmt, ap);
diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
index 31b41cc9..23d478df 100644
--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,12 +15,14 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zoneconf.c,v 1.87.2.12 2006/03/01 01:34:05 marka Exp $ */
+/* $Id: zoneconf.c,v 1.87.2.4.10.12 2004/03/08 04:04:20 marka Exp $ */
 
 #include <config.h>
 
 #include <isc/buffer.h>
+#include <isc/file.h>
 #include <isc/mem.h>
+#include <isc/print.h>
 #include <isc/string.h>		/* Required for HP/UX (and others?) */
 #include <isc/util.h>
 
@@ -30,6 +32,7 @@
 #include <dns/name.h>
 #include <dns/rdatatype.h>
 #include <dns/ssu.h>
+#include <dns/view.h>
 #include <dns/zone.h>
 
 #include <named/config.h>
@@ -52,15 +55,15 @@
  * Convenience function for configuring a single zone ACL.
  */
 static isc_result_t
-configure_zone_acl(const cfg_obj_t *zconfig, const cfg_obj_t *vconfig,
-		   const cfg_obj_t *config, const char *aclname,
-		   ns_aclconfctx_t *actx, dns_zone_t *zone, 
+configure_zone_acl(cfg_obj_t *zconfig, cfg_obj_t *vconfig, cfg_obj_t *config,
+		   const char *aclname, ns_aclconfctx_t *actx,
+		   dns_zone_t *zone, 
 		   void (*setzacl)(dns_zone_t *, dns_acl_t *),
 		   void (*clearzacl)(dns_zone_t *))
 {
 	isc_result_t result;
-	const cfg_obj_t *maps[4];
-	const cfg_obj_t *aclobj = NULL;
+	cfg_obj_t *maps[4];
+	cfg_obj_t *aclobj = NULL;
 	int i = 0;
 	dns_acl_t *dacl = NULL;
 
@@ -69,7 +72,7 @@ configure_zone_acl(const cfg_obj_t *zconfig, const cfg_obj_t *vconfig,
 	if (vconfig != NULL)
 		maps[i++] = cfg_tuple_get(vconfig, "options");
 	if (config != NULL) {
-		const cfg_obj_t *options = NULL;
+		cfg_obj_t *options = NULL;
 		(void)cfg_map_get(config, "options", &options);
 		if (options != NULL)
 			maps[i++] = options;
@@ -95,18 +98,16 @@ configure_zone_acl(const cfg_obj_t *zconfig, const cfg_obj_t *vconfig,
  * Parse the zone update-policy statement.
  */
 static isc_result_t
-configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone) {
-	const cfg_obj_t *updatepolicy = NULL;
-	const cfg_listelt_t *element, *element2;
+configure_zone_ssutable(cfg_obj_t *zconfig, dns_zone_t *zone) {
+	cfg_obj_t *updatepolicy = NULL;
+	cfg_listelt_t *element, *element2;
 	dns_ssutable_t *table = NULL;
 	isc_mem_t *mctx = dns_zone_getmctx(zone);
 	isc_result_t result;
 
 	(void)cfg_map_get(zconfig, "update-policy", &updatepolicy);
-	if (updatepolicy == NULL) {
-		dns_zone_setssutable(zone, NULL);
+	if (updatepolicy == NULL)
 		return (ISC_R_SUCCESS);
-	}
 
 	result = dns_ssutable_create(mctx, &table);
 	if (result != ISC_R_SUCCESS)
@@ -116,13 +117,13 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone) {
 	     element != NULL;
 	     element = cfg_list_next(element))
 	{
-		const cfg_obj_t *stmt = cfg_listelt_value(element);
-		const cfg_obj_t *mode = cfg_tuple_get(stmt, "mode");
-		const cfg_obj_t *identity = cfg_tuple_get(stmt, "identity");
-		const cfg_obj_t *matchtype = cfg_tuple_get(stmt, "matchtype");
-		const cfg_obj_t *dname = cfg_tuple_get(stmt, "name");
-		const cfg_obj_t *typelist = cfg_tuple_get(stmt, "types");
-		const char *str;
+		cfg_obj_t *stmt = cfg_listelt_value(element);
+		cfg_obj_t *mode = cfg_tuple_get(stmt, "mode");
+		cfg_obj_t *identity = cfg_tuple_get(stmt, "identity");
+		cfg_obj_t *matchtype = cfg_tuple_get(stmt, "matchtype");
+		cfg_obj_t *dname = cfg_tuple_get(stmt, "name");
+		cfg_obj_t *typelist = cfg_tuple_get(stmt, "types");
+		char *str;
 		isc_boolean_t grant = ISC_FALSE;
 		unsigned int mtype = DNS_SSUMATCHTYPE_NAME;
 		dns_fixedname_t fname, fident;
@@ -190,14 +191,14 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone) {
 		     element2 != NULL;
 		     element2 = cfg_list_next(element2))
 		{
-			const cfg_obj_t *typeobj;
+			cfg_obj_t *typeobj;
 			isc_textregion_t r;
 
 			INSIST(i < n);
 
 			typeobj = cfg_listelt_value(element2);
 			str = cfg_obj_asstring(typeobj);
-			DE_CONST(str, r.base);
+			r.base = str;
 			r.length = strlen(str);
 
 			result = dns_rdatatype_fromtext(&types[i++], &r);
@@ -236,8 +237,8 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone) {
  * Convert a config file zone type into a server zone type.
  */
 static inline dns_zonetype_t
-zonetype_fromconfig(const cfg_obj_t *map) {
-	const cfg_obj_t *obj = NULL;
+zonetype_fromconfig(cfg_obj_t *map) {
+	cfg_obj_t *obj = NULL;
 	isc_result_t result;
 
 	result = cfg_map_get(map, "type", &obj);
@@ -291,19 +292,53 @@ strtoargv(isc_mem_t *mctx, char *s, unsigned int *argcp, char ***argvp) {
 	return (strtoargvsub(mctx, s, argcp, argvp, 0));
 }
 
+static void
+checknames(dns_zonetype_t ztype, cfg_obj_t **maps, cfg_obj_t **objp) {
+	const char *zone = NULL;
+	cfg_listelt_t *element;
+	cfg_obj_t *type;
+	cfg_obj_t *value;
+	cfg_obj_t *check;
+	int i;
+
+	switch (ztype) {
+	case dns_zone_slave: zone = "slave"; break;
+	case dns_zone_master: zone = "master"; break;
+	default:
+		INSIST(0);
+	}
+	for (i = 0; maps[i] != NULL; i++) {
+		check = NULL;
+		cfg_map_get(maps[i], "check-names", &check);
+		if (check != NULL && !cfg_obj_islist(check)) {
+			*objp = check;
+			return;
+		}
+		for (element = cfg_list_first(check);
+		     element != NULL;
+		     element = cfg_list_next(element)) {
+			value = cfg_listelt_value(element);
+			type = cfg_tuple_get(value, "type");
+			if (strcasecmp(cfg_obj_asstring(type), zone) == 0) {
+				*objp = cfg_tuple_get(value, "mode");
+				return;
+			}
+		}
+	}
+}
+
 isc_result_t
-ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
-		  const cfg_obj_t *zconfig, ns_aclconfctx_t *ac,
-		  dns_zone_t *zone)
+ns_zone_configure(cfg_obj_t *config, cfg_obj_t *vconfig, cfg_obj_t *zconfig,
+		  ns_aclconfctx_t *ac, dns_zone_t *zone)
 {
 	isc_result_t result;
-	const char *zname;
+	char *zname;
 	dns_rdataclass_t zclass;
 	dns_rdataclass_t vclass;
-	const cfg_obj_t *maps[5];
-	const cfg_obj_t *zoptions = NULL;
-	const cfg_obj_t *options = NULL;
-	const cfg_obj_t *obj;
+	cfg_obj_t *maps[5];
+	cfg_obj_t *zoptions = NULL;
+	cfg_obj_t *options = NULL;
+	cfg_obj_t *obj;
 	const char *filename = NULL;
 	dns_notifytype_t notifytype = dns_notifytype_yes;
 	isc_sockaddr_t *addrs;
@@ -317,6 +352,11 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 	dns_dialuptype_t dialup = dns_dialuptype_no;
 	dns_zonetype_t ztype;
 	int i;
+	isc_int32_t journal_size;
+	isc_boolean_t multi;
+	isc_boolean_t alt;
+	dns_view_t *view;
+	isc_boolean_t check = ISC_FALSE, fail = ISC_FALSE;
 
 	i = 0;
 	if (zconfig != NULL) {
@@ -355,30 +395,17 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 	obj = NULL;
 	result = cfg_map_get(zoptions, "database", &obj);
 	if (result == ISC_R_SUCCESS)
-		cpval = isc_mem_strdup(mctx, cfg_obj_asstring(obj));
+		cpval = cfg_obj_asstring(obj);
 	else
 		cpval = default_dbtype;
-
-	if (cpval == NULL)
-		return(ISC_R_NOMEMORY);
-
-	result = strtoargv(mctx, cpval, &dbargc, &dbargv);
-	if (result != ISC_R_SUCCESS && cpval != default_dbtype) {
-		isc_mem_free(mctx, cpval);
-		return (result);
-	}
-
+	RETERR(strtoargv(mctx, cpval, &dbargc, &dbargv));
 	/*
 	 * ANSI C is strange here.  There is no logical reason why (char **)
 	 * cannot be promoted automatically to (const char * const *) by the
 	 * compiler w/o generating a warning.
 	 */
-	result = dns_zone_setdbtype(zone, dbargc, (const char * const *)dbargv);
+	RETERR(dns_zone_setdbtype(zone, dbargc, (const char * const *)dbargv));
 	isc_mem_put(mctx, dbargv, dbargc * sizeof(*dbargv));
-	if (cpval != default_dbtype)
-		isc_mem_free(mctx, cpval);
-	if (result != ISC_R_SUCCESS)
-		return (result);
 
 	obj = NULL;
 	result = cfg_map_get(zoptions, "file", &obj);
@@ -408,7 +435,7 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 		else
 			dialup = dns_dialuptype_no;
 	} else {
-		const char *dialupstr = cfg_obj_asstring(obj);
+		char *dialupstr = cfg_obj_asstring(obj);
 		if (strcasecmp(dialupstr, "notify") == 0)
 			dialup = dns_dialuptype_notify;
 		else if (strcasecmp(dialupstr, "notify-passive") == 0)
@@ -425,7 +452,7 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 	obj = NULL;
 	result = ns_config_get(maps, "zone-statistics", &obj);
 	INSIST(result == ISC_R_SUCCESS);
-	dns_zone_setstatistics(zone, cfg_obj_asboolean(obj));
+	RETERR(dns_zone_setstatistics(zone, cfg_obj_asboolean(obj)));
 
 	/*
 	 * Configure master functionality.  This applies
@@ -442,7 +469,7 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 			else
 				notifytype = dns_notifytype_no;
 		} else {
-			const char *notifystr = cfg_obj_asstring(obj);
+			char *notifystr = cfg_obj_asstring(obj);
 			if (strcasecmp(notifystr, "explicit") == 0)
 				notifytype = dns_notifytype_explicit;
 			else
@@ -470,13 +497,13 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 		obj = NULL;
 		result = ns_config_get(maps, "notify-source", &obj);
 		INSIST(result == ISC_R_SUCCESS);
-		dns_zone_setnotifysrc4(zone, cfg_obj_assockaddr(obj));
+		RETERR(dns_zone_setnotifysrc4(zone, cfg_obj_assockaddr(obj)));
 		ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj));
 
 		obj = NULL;
 		result = ns_config_get(maps, "notify-source-v6", &obj);
 		INSIST(result == ISC_R_SUCCESS);
-		dns_zone_setnotifysrc6(zone, cfg_obj_assockaddr(obj));
+		RETERR(dns_zone_setnotifysrc6(zone, cfg_obj_assockaddr(obj)));
 		ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj));
 
 		RETERR(configure_zone_acl(zconfig, vconfig, config,
@@ -493,6 +520,50 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 		result = ns_config_get(maps, "max-transfer-idle-out", &obj);
 		INSIST(result == ISC_R_SUCCESS);
 		dns_zone_setidleout(zone, cfg_obj_asuint32(obj) * 60);
+
+		obj = NULL;
+		result =  ns_config_get(maps, "max-journal-size", &obj);
+		INSIST(result == ISC_R_SUCCESS);
+		dns_zone_setjournalsize(zone, -1);
+		if (cfg_obj_isstring(obj)) {
+			const char *str = cfg_obj_asstring(obj);
+			INSIST(strcasecmp(str, "unlimited") == 0);
+			journal_size = ISC_UINT32_MAX / 2;
+		} else {
+			isc_resourcevalue_t value;
+			value = cfg_obj_asuint64(obj);
+			if (value > ISC_UINT32_MAX / 2) {
+				cfg_obj_log(obj, ns_g_lctx,
+					    ISC_LOG_ERROR,
+					    "'max-journal-size "
+					    "%" ISC_PRINT_QUADFORMAT "d' "
+					    "is too large",
+					    value);
+				RETERR(ISC_R_RANGE);
+			}
+			journal_size = (isc_uint32_t)value;
+		}
+		dns_zone_setjournalsize(zone, journal_size);
+
+		obj = NULL;
+		result = ns_config_get(maps, "ixfr-from-differences", &obj);
+		INSIST(result == ISC_R_SUCCESS);
+		dns_zone_setoption(zone, DNS_ZONEOPT_IXFRFROMDIFFS,
+				   cfg_obj_asboolean(obj));
+
+		checknames(ztype, maps, &obj);
+		INSIST(obj != NULL);
+		if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
+			fail = ISC_FALSE;
+			check = ISC_TRUE;
+		} else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) {
+			fail = check = ISC_TRUE;
+		} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
+			fail = check = ISC_FALSE;
+		} else
+			INSIST(0);
+		dns_zone_setoption(zone, DNS_ZONEOPT_CHECKNAMES, check);
+		dns_zone_setoption(zone, DNS_ZONEOPT_CHECKNAMESFAIL, fail);
 	}
 
 	/*
@@ -521,6 +592,20 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 		INSIST(result == ISC_R_SUCCESS);
 		dns_zone_setsigvalidityinterval(zone,
 						cfg_obj_asuint32(obj) * 86400);
+
+		obj = NULL;
+		result = ns_config_get(maps, "key-directory", &obj);
+		if (result == ISC_R_SUCCESS) {
+			filename = cfg_obj_asstring(obj);
+			if (!isc_file_isabsolute(filename)) {
+				cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR,
+					    "key-directory '%s' "
+					    "is not absolute", filename);
+				return (ISC_R_FAILURE);
+			}
+			RETERR(dns_zone_setkeydirectory(zone, filename));
+		}
+
 	} else if (ztype == dns_zone_slave) {
 		RETERR(configure_zone_acl(zconfig, vconfig, config,
 					  "allow-update-forwarding", ac, zone,
@@ -534,7 +619,6 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 	switch (ztype) {
 	case dns_zone_slave:
 	case dns_zone_stub:
-		count = 0;
 		obj = NULL;
 		result = cfg_map_get(zoptions, "masters", &obj);
 		if (obj != NULL) {
@@ -551,6 +635,15 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 			result = dns_zone_setmasters(zone, NULL, 0);
 		RETERR(result);
 
+		multi = ISC_FALSE;
+		if (count > 1) {
+			obj = NULL;
+			result = ns_config_get(maps, "multi-master", &obj);
+			INSIST(result == ISC_R_SUCCESS);
+			multi = cfg_obj_asboolean(obj);
+		}
+		dns_zone_setoption(zone, DNS_ZONEOPT_MULTIMASTER, multi);
+
 		obj = NULL;
 		result = ns_config_get(maps, "max-transfer-time-in", &obj);
 		INSIST(result == ISC_R_SUCCESS);
@@ -584,15 +677,41 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 		obj = NULL;
 		result = ns_config_get(maps, "transfer-source", &obj);
 		INSIST(result == ISC_R_SUCCESS);
-		dns_zone_setxfrsource4(zone, cfg_obj_assockaddr(obj));
+		RETERR(dns_zone_setxfrsource4(zone, cfg_obj_assockaddr(obj)));
 		ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj));
 
 		obj = NULL;
 		result = ns_config_get(maps, "transfer-source-v6", &obj);
 		INSIST(result == ISC_R_SUCCESS);
-		dns_zone_setxfrsource6(zone, cfg_obj_assockaddr(obj));
+		RETERR(dns_zone_setxfrsource6(zone, cfg_obj_assockaddr(obj)));
 		ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj));
 
+		obj = NULL;
+		result = ns_config_get(maps, "alt-transfer-source", &obj);
+		INSIST(result == ISC_R_SUCCESS);
+		RETERR(dns_zone_setaltxfrsource4(zone, cfg_obj_assockaddr(obj)));
+
+		obj = NULL;
+		result = ns_config_get(maps, "alt-transfer-source-v6", &obj);
+		INSIST(result == ISC_R_SUCCESS);
+		RETERR(dns_zone_setaltxfrsource6(zone, cfg_obj_assockaddr(obj)));
+
+		obj = NULL;
+		(void)ns_config_get(maps, "use-alt-transfer-source", &obj);
+		if (obj == NULL) {
+			/*
+			 * Default off when views are in use otherwise
+			 * on for BIND 8 compatibility.
+			 */
+			view = dns_zone_getview(zone);
+			if (view != NULL && strcmp(view->name, "_default") == 0)
+				alt = ISC_TRUE;
+			else
+				alt = ISC_FALSE;
+		} else
+			alt = cfg_obj_asboolean(obj);
+		dns_zone_setoption(zone, DNS_ZONEOPT_USEALTXFRSRC, alt);
+
 		break;
 
 	default:
@@ -603,9 +722,9 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 }
 
 isc_boolean_t
-ns_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig) {
-	const cfg_obj_t *zoptions = NULL;
-	const cfg_obj_t *obj = NULL;
+ns_zone_reusable(dns_zone_t *zone, cfg_obj_t *zconfig) {
+	cfg_obj_t *zoptions = NULL;
+	cfg_obj_t *obj = NULL;
 	const char *cfilename;
 	const char *zfilename;
 
diff --git a/bin/nsupdate/Makefile.in b/bin/nsupdate/Makefile.in
index 7cbf59e6..63dd35a0 100644
--- a/bin/nsupdate/Makefile.in
+++ b/bin/nsupdate/Makefile.in
@@ -1,5 +1,5 @@
 # Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2000, 2001  Internet Software Consortium.
+# Copyright (C) 2000-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.15.2.3 2004/07/20 07:00:10 marka Exp $
+# $Id: Makefile.in,v 1.15.12.9 2004/03/08 09:04:15 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -21,28 +21,33 @@ top_srcdir =	@top_srcdir@
 
 @BIND9_VERSION@
 
-@BIND9_INCLUDES@
+@BIND9_MAKE_INCLUDES@
 
-CINCLUDES =	${LWRES_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES}
+CINCLUDES =	${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \
+		${ISC_INCLUDES}
 
 CDEFINES =
 CWARNINGS =
 
 LWRESLIBS =	../../lib/lwres/liblwres.@A@
-DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_OPENSSL_LIBS@ @DNS_GSSAPI_LIBS@
+DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
+BIND9LIBS =	../../lib/bind9/libbind9.@A@
 ISCLIBS =	../../lib/isc/libisc.@A@
+ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
 
 LWRESDEPLIBS =	../../lib/lwres/liblwres.@A@
 DNSDEPLIBS =	../../lib/dns/libdns.@A@
+BIND9DEPLIBS =	../../lib/bind9/libbind9.@A@
 ISCDEPLIBS =	../../lib/isc/libisc.@A@
+ISCCFGDEPLIBS =	../../lib/isccfg/libisccfg.@A@
 
-DEPLIBS =	${DNSDEPLIBS} ${ISCDEPLIBS}
+DEPLIBS =	${DNSDEPLIBS} ${BIND9DEPLIBS} ${ISCDEPLIBS} ${ISCCFGDEPLIBS}
 
-LIBS =		${LWRESLIBS} ${DNSLIBS} ${ISCLIBS} @LIBS@
+LIBS =		${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCLIBS} ${ISCCFGLIBS} @LIBS@
 
 SUBDIRS =
 
-TARGETS =	nsupdate
+TARGETS =	nsupdate@EXEEXT@
 
 OBJS =		nsupdate.@O@
 
@@ -58,8 +63,8 @@ MANOBJS =	${MANPAGES} ${HTMLPAGES}
 
 @BIND9_MAKE_RULES@
 
-nsupdate: nsupdate.@O@ ${UOBJS} ${DEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ nsupdate.@O@ ${UOBJS} ${LIBS}
+nsupdate@EXEEXT@: nsupdate.@O@ ${UOBJS} ${DEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} -o $@ nsupdate.@O@ ${UOBJS} ${LIBS}
 
 doc man:: ${MANOBJS}
 
@@ -73,6 +78,6 @@ installdirs:
 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${bindir}
 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
 
-install:: nsupdate installdirs
-	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} nsupdate ${DESTDIR}${bindir}
+install:: nsupdate@EXEEXT@ installdirs
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} nsupdate@EXEEXT@ ${DESTDIR}${bindir}
 	${INSTALL_DATA} ${srcdir}/nsupdate.8 ${DESTDIR}${mandir}/man8
diff --git a/bin/nsupdate/nsupdate.8 b/bin/nsupdate/nsupdate.8
index 52f8ee87..7828db23 100644
--- a/bin/nsupdate/nsupdate.8
+++ b/bin/nsupdate/nsupdate.8
@@ -1,254 +1,295 @@
-.\" Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
-.\" 
+.\" Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000-2003  Internet Software Consortium.
+.\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
 .\" copyright notice and this permission notice appear in all copies.
-.\" 
+.\"
 .\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 .\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 .\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 .\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: nsupdate.8,v 1.24.2.12 2007/05/09 03:32:21 marka Exp $
-.\"
-.hy 0
-.ad l
-.\"     Title: nsupdate
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: Jun 30, 2000
-.\"    Manual: BIND9
-.\"    Source: BIND9
+.\" $Id: nsupdate.8,v 1.24.2.2.2.5 2004/03/08 09:04:15 marka Exp $
 .\"
-.TH "NSUPDATE" "8" "Jun 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
+.TH "NSUPDATE" "8" "Jun 30, 2000" "BIND9" ""
+.SH NAME
 nsupdate \- Dynamic DNS update utility
-.SH "SYNOPSIS"
-.HP 9
-\fBnsupdate\fR [\fB\-d\fR] [[\fB\-y\ \fR\fB\fIkeyname:secret\fR\fR] | [\fB\-k\ \fR\fB\fIkeyfile\fR\fR]] [\fB\-v\fR] [filename]
+.SH SYNOPSIS
+.sp
+\fBnsupdate\fR [ \fB-d\fR ]  [ \fB [ -y \fIkeyname:secret\fB ]  [ -k \fIkeyfile\fB ] \fR ]  [ \fB-t \fItimeout\fB\fR ]  [ \fB-u \fIudptimeout\fB\fR ]  [ \fB-r \fIudpretries\fB\fR ]  [ \fB-v\fR ]  [ \fBfilename\fR ] 
 .SH "DESCRIPTION"
 .PP
 \fBnsupdate\fR
-is used to submit Dynamic DNS Update requests as defined in RFC2136 to a name server. This allows resource records to be added or removed from a zone without manually editing the zone file. A single update request can contain requests to add or remove more than one resource record.
+is used to submit Dynamic DNS Update requests as defined in RFC2136
+to a name server.
+This allows resource records to be added or removed from a zone
+without manually editing the zone file.
+A single update request can contain requests to add or remove more than one
+resource record.
 .PP
 Zones that are under dynamic control via
 \fBnsupdate\fR
-or a DHCP server should not be edited by hand. Manual edits could conflict with dynamic updates and cause data to be lost.
+or a DHCP server should not be edited by hand.
+Manual edits could
+conflict with dynamic updates and cause data to be lost.
 .PP
 The resource records that are dynamically added or removed with
 \fBnsupdate\fR
-have to be in the same zone. Requests are sent to the zone's master server. This is identified by the MNAME field of the zone's SOA record.
+have to be in the same zone.
+Requests are sent to the zone's master server.
+This is identified by the MNAME field of the zone's SOA record.
 .PP
 The
-\fB\-d\fR
+\fB-d\fR
 option makes
 \fBnsupdate\fR
-operate in debug mode. This provides tracing information about the update requests that are made and the replies received from the name server.
-.PP
-Transaction signatures can be used to authenticate the Dynamic DNS updates. These use the TSIG resource record type described in RFC2845. The signatures rely on a shared secret that should only be known to
-\fBnsupdate\fR
-and the name server. Currently, the only supported encryption algorithm for TSIG is HMAC\-MD5, which is defined in RFC 2104. Once other algorithms are defined for TSIG, applications will need to ensure they select the appropriate algorithm as well as the key when authenticating each other. For instance, suitable
+operate in debug mode.
+This provides tracing information about the update requests that are
+made and the replies received from the name server.
+.PP
+Transaction signatures can be used to authenticate the Dynamic DNS
+updates.
+These use the TSIG resource record type described in RFC2845 or the
+SIG(0) record described in RFC3535 and RFC2931.
+TSIG relies on a shared secret that should only be known to
+\fBnsupdate\fR and the name server.
+Currently, the only supported encryption algorithm for TSIG is
+HMAC-MD5, which is defined in RFC 2104.
+Once other algorithms are defined for TSIG, applications will need to
+ensure they select the appropriate algorithm as well as the key when
+authenticating each other.
+For instance suitable
 \fBkey\fR
 and
 \fBserver\fR
 statements would be added to
 \fI/etc/named.conf\fR
-so that the name server can associate the appropriate secret key and algorithm with the IP address of the client application that will be using TSIG authentication.
+so that the name server can associate the appropriate secret key
+and algorithm with the IP address of the
+client application that will be using TSIG authentication.
+SIG(0) uses public key cryptography. To use a SIG(0) key, the public
+key must be stored in a KEY record in a zone served by the name server.
 \fBnsupdate\fR
 does not read
 \fI/etc/named.conf\fR.
 .PP
 \fBnsupdate\fR
 uses the
-\fB\-y\fR
+\fB-y\fR
 or
-\fB\-k\fR
-option to provide the shared secret needed to generate a TSIG record for authenticating Dynamic DNS update requests. These options are mutually exclusive. With the
-\fB\-k\fR
+\fB-k\fR
+option (with an HMAC-MD5 key) to provide the shared secret needed to generate
+a TSIG record for authenticating Dynamic DNS update requests.
+These options are mutually exclusive.
+With the
+\fB-k\fR
 option,
 \fBnsupdate\fR
 reads the shared secret from the file
-\fIkeyfile\fR, whose name is of the form
-\fIK{name}.+157.+{random}.private\fR. For historical reasons, the file
+\fIkeyfile\fR,
+whose name is of the form 
+\fIK{name}.+157.+{random}.private\fR.
+For historical
+reasons, the file 
 \fIK{name}.+157.+{random}.key\fR
 must also be present. When the
-\fB\-y\fR
+\fB-y\fR
 option is used, a signature is generated from
 \fIkeyname:secret.\fR
 \fIkeyname\fR
-is the name of the key, and
+is the name of the key,
+and
 \fIsecret\fR
-is the base64 encoded shared secret. Use of the
-\fB\-y\fR
-option is discouraged because the shared secret is supplied as a command line argument in clear text. This may be visible in the output from
-\fBps\fR(1 )
+is the base64 encoded shared secret.
+Use of the
+\fB-y\fR
+option is discouraged because the shared secret is supplied as a command
+line argument in clear text.
+This may be visible in the output from
+\fBps\fR(1)
 or in a history file maintained by the user's shell.
 .PP
+The \fB-k\fR may also be used to specify a SIG(0) key used
+to authenticate Dynamic DNS update requests. In this case, the key
+specified is not an HMAC-MD5 key.
+.PP
 By default
 \fBnsupdate\fR
-uses UDP to send update requests to the name server. The
-\fB\-v\fR
+uses UDP to send update requests to the name server unless they are too
+large to fit in a UDP request in which case TCP will be used.
+The
+\fB-v\fR
 option makes
 \fBnsupdate\fR
-use a TCP connection. This may be preferable when a batch of update requests is made.
+use a TCP connection.
+This may be preferable when a batch of update requests is made.
+.PP
+The \fB-t\fR option sets the maximum time a update request can
+take before it is aborted. The default is 300 seconds. Zero can be used
+to disable the timeout.
+.PP
+The \fB-u\fR option sets the UDP retry interval. The default is
+3 seconds. If zero the interval will be computed from the timeout interval
+and number of UDP retries.
+.PP
+The \fB-r\fR option sets the number of UDP retries. The default is
+3. If zero only one update request will be made.
 .SH "INPUT FORMAT"
 .PP
 \fBnsupdate\fR
 reads input from
 \fIfilename\fR
-or standard input. Each command is supplied on exactly one line of input. Some commands are for administrative purposes. The others are either update instructions or prerequisite checks on the contents of the zone. These checks set conditions that some name or set of resource records (RRset) either exists or is absent from the zone. These conditions must be met if the entire update request is to succeed. Updates will be rejected if the tests for the prerequisite conditions fail.
-.PP
-Every update request consists of zero or more prerequisites and zero or more updates. This allows a suitably authenticated update request to proceed if some specified resource records are present or missing from the zone. A blank input line (or the
-\fBsend\fR
-command) causes the accumulated commands to be sent as one Dynamic DNS update request to the name server.
+or standard input.
+Each command is supplied on exactly one line of input.
+Some commands are for administrative purposes.
+The others are either update instructions or prerequisite checks on the
+contents of the zone.
+These checks set conditions that some name or set of
+resource records (RRset) either exists or is absent from the zone.
+These conditions must be met if the entire update request is to succeed.
+Updates will be rejected if the tests for the prerequisite conditions fail.
+.PP
+Every update request consists of zero or more prerequisites
+and zero or more updates.
+This allows a suitably authenticated update request to proceed if some
+specified resource records are present or missing from the zone.
+A blank input line (or the \fBsend\fR command) causes the
+accumulated commands to be sent as one Dynamic DNS update request to the
+name server.
 .PP
 The command formats and their meaning are as follows:
-.PP
-\fBserver\fR {servername} [port]
-.RS 4
+.TP
+\fBserver servername [ port ]\fR
 Sends all dynamic update requests to the name server
-\fIservername\fR. When no server statement is provided,
+\fIservername\fR.
+When no server statement is provided,
 \fBnsupdate\fR
-will send updates to the master server of the correct zone. The MNAME field of that zone's SOA record will identify the master server for that zone.
+will send updates to the master server of the correct zone.
+The MNAME field of that zone's SOA record will identify the master
+server for that zone.
 \fIport\fR
 is the port number on
 \fIservername\fR
-where the dynamic update requests get sent. If no port number is specified, the default DNS port number of 53 is used.
-.RE
-.PP
-\fBlocal\fR {address} [port]
-.RS 4
+where the dynamic update requests get sent.
+If no port number is specified, the default DNS port number of 53 is
+used.
+.TP
+\fBlocal address [ port ]\fR
 Sends all dynamic update requests using the local
-\fIaddress\fR. When no local statement is provided,
+\fIaddress\fR.
+When no local statement is provided,
 \fBnsupdate\fR
 will send updates using an address and port chosen by the system.
 \fIport\fR
-can additionally be used to make requests come from a specific port. If no port number is specified, the system will assign one.
-.RE
-.PP
-\fBzone\fR {zonename}
-.RS 4
+can additionally be used to make requests come from a specific port.
+If no port number is specified, the system will assign one.
+.TP
+\fBzone zonename\fR
 Specifies that all updates are to be made to the zone
-\fIzonename\fR. If no
+\fIzonename\fR.
+If no
 \fIzone\fR
 statement is provided,
 \fBnsupdate\fR
 will attempt determine the correct zone to update based on the rest of the input.
-.RE
-.PP
-\fBclass\fR {classname}
-.RS 4
-Specify the default class. If no
-\fIclass\fR
-is specified, the default class is
+.TP
+\fBclass classname\fR
+Specify the default class.
+If no \fIclass\fR is specified the default class is
 \fIIN\fR.
-.RE
-.PP
-\fBkey\fR {name} {secret}
-.RS 4
-Specifies that all updates are to be TSIG\-signed using the
-\fIkeyname\fR
-\fIkeysecret\fR
-pair. The
-\fBkey\fR
-command overrides any key specified on the command line via
-\fB\-y\fR
-or
-\fB\-k\fR.
-.RE
-.PP
-\fBprereq nxdomain\fR {domain\-name}
-.RS 4
+.TP
+\fBkey name secret\fR
+Specifies that all updates are to be TSIG signed using the
+\fIkeyname\fR \fIkeysecret\fR pair.
+The \fBkey\fR command
+overrides any key specified on the command line via
+\fB-y\fR or \fB-k\fR.
+.TP
+\fBprereq nxdomain domain-name\fR
 Requires that no resource record of any type exists with name
-\fIdomain\-name\fR.
-.RE
-.PP
-\fBprereq yxdomain\fR {domain\-name}
-.RS 4
+\fIdomain-name\fR.
+.TP
+\fBprereq yxdomain domain-name\fR
 Requires that
-\fIdomain\-name\fR
+\fIdomain-name\fR
 exists (has as at least one resource record, of any type).
-.RE
-.PP
-\fBprereq nxrrset\fR {domain\-name} [class] {type}
-.RS 4
+.TP
+\fBprereq nxrrset domain-name [ class ]  type\fR
 Requires that no resource record exists of the specified
 \fItype\fR,
 \fIclass\fR
 and
-\fIdomain\-name\fR. If
+\fIdomain-name\fR.
+If
 \fIclass\fR
 is omitted, IN (internet) is assumed.
-.RE
-.PP
-\fBprereq yxrrset\fR {domain\-name} [class] {type}
-.RS 4
+.TP
+\fBprereq yxrrset domain-name [ class ]  type\fR
 This requires that a resource record of the specified
 \fItype\fR,
 \fIclass\fR
 and
-\fIdomain\-name\fR
-must exist. If
+\fIdomain-name\fR
+must exist.
+If
 \fIclass\fR
 is omitted, IN (internet) is assumed.
-.RE
-.PP
-\fBprereq yxrrset\fR {domain\-name} [class] {type} {data...}
-.RS 4
+.TP
+\fBprereq yxrrset domain-name [ class ]  type data\fI...\fB\fR
 The
 \fIdata\fR
-from each set of prerequisites of this form sharing a common
+from each set of prerequisites of this form
+sharing a common
 \fItype\fR,
-\fIclass\fR, and
-\fIdomain\-name\fR
-are combined to form a set of RRs. This set of RRs must exactly match the set of RRs existing in the zone at the given
+\fIclass\fR,
+and 
+\fIdomain-name\fR
+are combined to form a set of RRs. This set of RRs must
+exactly match the set of RRs existing in the zone at the
+given 
 \fItype\fR,
-\fIclass\fR, and
-\fIdomain\-name\fR. The
+\fIclass\fR,
+and 
+\fIdomain-name\fR.
+The
 \fIdata\fR
-are written in the standard text representation of the resource record's RDATA.
-.RE
-.PP
-\fBupdate delete\fR {domain\-name} [ttl] [class] [type\ [data...]]
-.RS 4
+are written in the standard text representation of the resource record's
+RDATA.
+.TP
+\fBupdate delete domain-name [ ttl ]  [ class ]  [ type  [ data\fI...\fB ]  ]\fR
 Deletes any resource records named
-\fIdomain\-name\fR. If
+\fIdomain-name\fR.
+If
 \fItype\fR
 and
 \fIdata\fR
-is provided, only matching resource records will be removed. The internet class is assumed if
+is provided, only matching resource records will be removed.
+The internet class is assumed if
 \fIclass\fR
 is not supplied. The
 \fIttl\fR
 is ignored, and is only allowed for compatibility.
-.RE
-.PP
-\fBupdate add\fR {domain\-name} {ttl} [class] {type} {data...}
-.RS 4
+.TP
+\fBupdate add domain-name ttl [ class ]  type data\fI...\fB\fR
 Adds a new resource record with the specified
 \fIttl\fR,
 \fIclass\fR
 and
 \fIdata\fR.
-.RE
-.PP
+.TP
 \fBshow\fR
-.RS 4
-Displays the current message, containing all of the prerequisites and updates specified since the last send.
-.RE
-.PP
+Displays the current message, containing all of the prerequisites and
+updates specified since the last send.
+.TP
 \fBsend\fR
-.RS 4
 Sends the current message. This is equivalent to entering a blank line.
-.RE
+.TP
+\fBanswer\fR
+Displays the answer.
 .PP
 Lines beginning with a semicolon are comments and are ignored.
 .SH "EXAMPLES"
@@ -257,70 +298,72 @@ The examples below show how
 \fBnsupdate\fR
 could be used to insert and delete resource records from the
 \fBexample.com\fR
-zone. Notice that the input in each example contains a trailing blank line so that a group of commands are sent as one dynamic update request to the master name server for
+zone.
+Notice that the input in each example contains a trailing blank line so that
+a group of commands are sent as one dynamic update request to the
+master name server for
 \fBexample.com\fR.
 .sp
-.RS 4
 .nf
 # nsupdate
 > update delete oldhost.example.com A
 > update add newhost.example.com 86400 A 172.16.1.1
 > send
-.fi
-.RE
 .sp
+.fi
 .PP
 Any A records for
 \fBoldhost.example.com\fR
-are deleted. And an A record for
+are deleted.
+and an A record for
 \fBnewhost.example.com\fR
-with IP address 172.16.1.1 is added. The newly\-added record has a 1 day TTL (86400 seconds).
+it IP address 172.16.1.1 is added.
+The newly-added record has a 1 day TTL (86400 seconds)
 .sp
-.RS 4
 .nf
 # nsupdate
 > prereq nxdomain nickname.example.com
 > update add nickname.example.com 86400 CNAME somehost.example.com
 > send
-.fi
-.RE
 .sp
+.fi
 .PP
-The prerequisite condition gets the name server to check that there are no resource records of any type for
-\fBnickname.example.com\fR. If there are, the update request fails. If this name does not exist, a CNAME for it is added. This ensures that when the CNAME is added, it cannot conflict with the long\-standing rule in RFC1034 that a name must not exist as any other record type if it exists as a CNAME. (The rule has been updated for DNSSEC in RFC2535 to allow CNAMEs to have SIG, KEY and NXT records.)
+The prerequisite condition gets the name server to check that there
+are no resource records of any type for
+\fBnickname.example.com\fR.
+If there are, the update request fails.
+If this name does not exist, a CNAME for it is added.
+This ensures that when the CNAME is added, it cannot conflict with the
+long-standing rule in RFC1034 that a name must not exist as any other
+record type if it exists as a CNAME.
+(The rule has been updated for DNSSEC in RFC2535 to allow CNAMEs to have
+RRSIG, DNSKEY and NSEC records.)
 .SH "FILES"
-.PP
+.TP
 \fB/etc/resolv.conf\fR
-.RS 4
 used to identify default name server
-.RE
-.PP
+.TP
 \fBK{name}.+157.+{random}.key\fR
-.RS 4
-base\-64 encoding of HMAC\-MD5 key created by
-\fBdnssec\-keygen\fR(8).
-.RE
-.PP
+base-64 encoding of HMAC-MD5 key created by
+\fBdnssec-keygen\fR(8).
+.TP
 \fBK{name}.+157.+{random}.private\fR
-.RS 4
-base\-64 encoding of HMAC\-MD5 key created by
-\fBdnssec\-keygen\fR(8).
-.RE
+base-64 encoding of HMAC-MD5 key created by
+\fBdnssec-keygen\fR(8).
 .SH "SEE ALSO"
 .PP
-\fBRFC2136\fR(),
-\fBRFC3007\fR(),
-\fBRFC2104\fR(),
-\fBRFC2845\fR(),
-\fBRFC1034\fR(),
-\fBRFC2535\fR(),
+\fBRFC2136\fR,
+\fBRFC3007\fR,
+\fBRFC2104\fR,
+\fBRFC2845\fR,
+\fBRFC1034\fR,
+\fBRFC2535\fR,
+\fBRFC2931\fR,
 \fBnamed\fR(8),
-\fBdnssec\-keygen\fR(8).
+\fBdnssec-keygen\fR(8).
 .SH "BUGS"
 .PP
-The TSIG key is redundantly stored in two separate files. This is a consequence of nsupdate using the DST library for its cryptographic operations, and may change in future releases.
-.SH "COPYRIGHT"
-Copyright \(co 2004\-2007 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000, 2001, 2003 Internet Software Consortium.
-.br
+The TSIG key is redundantly stored in two separate files.
+This is a consequence of nsupdate using the DST library
+for its cryptographic operations, and may change in future
+releases.
diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
index 8575eaed..655c115b 100644
--- a/bin/nsupdate/nsupdate.c
+++ b/bin/nsupdate/nsupdate.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,14 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nsupdate.c,v 1.103.2.31 2007/04/24 23:45:25 tbox Exp $ */
+/* $Id: nsupdate.c,v 1.103.2.15.2.14 2004/04/10 04:09:22 marka Exp $ */
 
 #include <config.h>
 
 #include <ctype.h>
 #include <errno.h>
 #include <limits.h>
-#include <netdb.h>
 #include <stdlib.h>
 #include <unistd.h>
 
@@ -35,6 +34,7 @@
 #include <isc/hash.h>
 #include <isc/lex.h>
 #include <isc/mem.h>
+#include <isc/parseint.h>
 #include <isc/region.h>
 #include <isc/sockaddr.h>
 #include <isc/socket.h>
@@ -47,6 +47,7 @@
 
 #include <dns/callbacks.h>
 #include <dns/dispatch.h>
+#include <dns/dnssec.h>
 #include <dns/events.h>
 #include <dns/fixedname.h>
 #include <dns/masterdump.h>
@@ -68,6 +69,8 @@
 #include <lwres/lwres.h>
 #include <lwres/net.h>
 
+#include <bind9/getaddresses.h>
+
 #ifdef HAVE_ADDRINFO
 #ifdef HAVE_GETADDRINFO
 #ifdef HAVE_GAISTRERROR
@@ -84,8 +87,6 @@ extern int h_errno;
 
 #define MAXCMD (4 * 1024)
 #define MAXWIRE (64 * 1024)
-#define NAMEBUF 512
-#define WORDLEN 512
 #define PACKETSIZE ((64 * 1024) - 1)
 #define INITTEXT (2 * 1024)
 #define MAXTEXT (128 * 1024)
@@ -117,7 +118,8 @@ static dns_dispatch_t *dispatchv6 = NULL;
 static dns_message_t *updatemsg = NULL;
 static dns_fixedname_t fuserzone;
 static dns_name_t *userzone = NULL;
-static dns_tsigkey_t *key = NULL;
+static dns_tsigkey_t *tsigkey = NULL;
+static dst_key_t *sig0key;
 static lwres_context_t *lwctx = NULL;
 static lwres_conf_t *lwconf;
 static isc_sockaddr_t *servers;
@@ -133,8 +135,12 @@ static isc_boolean_t interactive = ISC_TRUE;
 static isc_boolean_t seenerror = ISC_FALSE;
 static const dns_master_style_t *style;
 static int requests = 0;
+static unsigned int timeout = 300;
+static unsigned int udp_timeout = 3;
+static unsigned int udp_retries = 3;
 static dns_rdataclass_t defaultclass = dns_rdataclass_in;
 static dns_rdataclass_t zoneclass = dns_rdataclass_none;
+static dns_message_t *answer = NULL;
 
 typedef struct nsu_requestinfo {
 	dns_message_t *msg;
@@ -153,9 +159,6 @@ debug(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
 static void
 ddebug(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
 
-static void
-error(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
-
 #define STATUS_MORE	(isc_uint16_t)0
 #define STATUS_SEND	(isc_uint16_t)1
 #define STATUS_QUIT	(isc_uint16_t)2
@@ -190,16 +193,6 @@ fatal(const char *format, ...) {
 }
 
 static void
-error(const char *format, ...) {
-	va_list args;
-
-	va_start(args, format);
-	vfprintf(stderr, format, args);
-	va_end(args);
-	fprintf(stderr, "\n");
-}
-
-static void
 debug(const char *format, ...) {
 	va_list args;
 
@@ -337,7 +330,7 @@ setup_keystr(void) {
 	debug("keycreate");
 	result = dns_tsigkey_create(keyname, dns_tsig_hmacmd5_name,
 				    secret, secretlen, ISC_TRUE, NULL,
-				    0, 0, mctx, NULL, &key);
+				    0, 0, mctx, NULL, &tsigkey);
 	if (result != ISC_R_SUCCESS)
 		fprintf(stderr, "could not create key from %s: %s\n",
 			keystr, dns_result_totext(result));
@@ -360,16 +353,19 @@ setup_keyfile(void) {
 			keyfile, isc_result_totext(result));
 		return;
 	}
-	result = dns_tsigkey_createfromkey(dst_key_name(dstkey),
-					   dns_tsig_hmacmd5_name,
-					   dstkey, ISC_FALSE, NULL,
-					   0, 0, mctx, NULL, &key);
-	if (result != ISC_R_SUCCESS) {
-		fprintf(stderr, "could not create key from %s: %s\n",
-			keyfile, isc_result_totext(result));
-		dst_key_free(&dstkey);
-		return;
-	}
+	if (dst_key_alg(dstkey) == DST_ALG_HMACMD5) {
+		result = dns_tsigkey_createfromkey(dst_key_name(dstkey),
+						   dns_tsig_hmacmd5_name,
+						   dstkey, ISC_FALSE, NULL,
+						   0, 0, mctx, NULL, &tsigkey);
+		if (result != ISC_R_SUCCESS) {
+			fprintf(stderr, "could not create key from %s: %s\n",
+				keyfile, isc_result_totext(result));
+			dst_key_free(&dstkey);
+			return;
+		}
+	} else
+		sig0key = dstkey;
 }
 
 static void
@@ -382,9 +378,14 @@ doshutdown(void) {
 	if (localaddr != NULL)
 		isc_mem_put(mctx, localaddr, sizeof(isc_sockaddr_t));
 
-	if (key != NULL) {
-		ddebug("Freeing key");
-		dns_tsigkey_detach(&key);
+	if (tsigkey != NULL) {
+		ddebug("Freeing TSIG key");
+		dns_tsigkey_detach(&tsigkey);
+	}
+
+	if (sig0key != NULL) {
+		ddebug("Freeing SIG(0) key");
+		dst_key_free(&sig0key);
 	}
 
 	if (updatemsg != NULL)
@@ -573,74 +574,16 @@ setup_system(void) {
 
 static void
 get_address(char *host, in_port_t port, isc_sockaddr_t *sockaddr) {
-	struct in_addr in4;
-	struct in6_addr in6;
-#ifdef USE_GETADDRINFO
-	struct addrinfo *res = NULL, hints;
-	int result;
-#else
-	struct hostent *he;
-#endif
-
-	ddebug("get_address()");
+	int count;
+	isc_result_t result;
 
-	/*
-	 * Assume we have v4 if we don't have v6, since setup_libs
-	 * fatal()'s out if we don't have either.
-	 */
-	if (have_ipv6 && inet_pton(AF_INET6, host, &in6) == 1)
-		isc_sockaddr_fromin6(sockaddr, &in6, port);
-	else if (inet_pton(AF_INET, host, &in4) == 1)
-		isc_sockaddr_fromin(sockaddr, &in4, port);
-	else {
-#ifdef USE_GETADDRINFO
-		memset(&hints, 0, sizeof(hints));
-		if (!have_ipv6)
-			hints.ai_family = PF_INET;
-		else if (!have_ipv4)
-			hints.ai_family = PF_INET6;
-		else {
-			hints.ai_family = PF_UNSPEC;
-#ifdef AI_ADDRCONFIG
-			hints.ai_flags = AI_ADDRCONFIG;
-#endif
-		}
-		debug ("before getaddrinfo()");
-		isc_app_block();
-#ifdef AI_ADDRCONFIG
- again:
-#endif
-		result = getaddrinfo(host, NULL, &hints, &res);
-#ifdef AI_ADDRCONFIG
-		if (result == EAI_BADFLAGS &&
-		    (hints.ai_flags & AI_ADDRCONFIG) != 0) {
-			hints.ai_flags &= ~AI_ADDRCONFIG;
-			goto again;
-		}
-#endif
-		isc_app_unblock();
-		if (result != 0) {
-			fatal("couldn't find server '%s': %s",
-			      host, gai_strerror(result));
-		}
-		memcpy(&sockaddr->type.sa,res->ai_addr, res->ai_addrlen);
-		sockaddr->length = res->ai_addrlen;
-		isc_sockaddr_setport(sockaddr, port);
-		freeaddrinfo(res);
-#else
-		debug ("before gethostbyname()");
-		isc_app_block();
-		he = gethostbyname(host);
-		isc_app_unblock();
-		if (he == NULL)
-		     fatal("couldn't find server '%s' (h_errno=%d)",
-			   host, h_errno);
-		INSIST(he->h_addrtype == AF_INET);
-		isc_sockaddr_fromin(sockaddr,
-				    (struct in_addr *)(he->h_addr_list[0]),
-				    port);
-#endif
-	}
+	isc_app_block();
+	result = bind9_getaddresses(host, port, sockaddr, 1, &count);
+	isc_app_unblock();
+	if (result != ISC_R_SUCCESS)
+		fatal("couldn't get address for '%s': %s",
+		      host, isc_result_totext(result));
+	INSIST(count == 1);
 }
 
 static void
@@ -649,7 +592,8 @@ parse_args(int argc, char **argv) {
 	isc_result_t result;
 
 	debug("parse_args");
-	while ((ch = isc_commandline_parse(argc, argv, "dDMy:vk:")) != -1) {
+	while ((ch = isc_commandline_parse(argc, argv, "dDMy:vk:r:t:u:")) != -1)
+	{
 		switch (ch) {
 		case 'd':
 			debugging = ISC_TRUE;
@@ -674,6 +618,34 @@ parse_args(int argc, char **argv) {
 		case 'k':
 			keyfile = isc_commandline_argument;
 			break;
+		case 't':
+			result = isc_parse_uint32(&timeout,
+						  isc_commandline_argument, 10);
+			if (result != ISC_R_SUCCESS) {
+				fprintf(stderr, "bad timeout '%s'\n",						isc_commandline_argument);
+				exit(1);
+			}
+			if (timeout == 0)
+				timeout = ULONG_MAX;
+			break;
+		case 'u':
+			result = isc_parse_uint32(&udp_timeout,
+						  isc_commandline_argument, 10);
+			if (result != ISC_R_SUCCESS) {
+				fprintf(stderr, "bad udp timeout '%s'\n",						isc_commandline_argument);
+				exit(1);
+			}
+			if (udp_timeout == 0)
+				udp_timeout = ULONG_MAX;
+			break;
+		case 'r':
+			result = isc_parse_uint32(&udp_retries,
+						  isc_commandline_argument, 10);
+			if (result != ISC_R_SUCCESS) {
+				fprintf(stderr, "bad udp retries '%s'\n",						isc_commandline_argument);
+				exit(1);
+			}
+			break;
 		default:
 			fprintf(stderr, "%s: invalid argument -%c\n",
 				argv[0], ch);
@@ -721,7 +693,7 @@ parse_name(char **cmdlinep, dns_message_t *msg, dns_name_t **namep) {
 
 	result = dns_message_gettempname(msg, namep);
 	check_result(result, "dns_message_gettempname");
-	result = isc_buffer_allocate(mctx, &namebuf, NAMEBUF);
+	result = isc_buffer_allocate(mctx, &namebuf, DNS_NAME_MAXWIRE);
 	check_result(result, "isc_buffer_allocate");
 	dns_name_init(*namep, NULL);
 	dns_name_setbuffer(*namep, namebuf);
@@ -761,7 +733,7 @@ parse_rdata(char **cmdlinep, dns_rdataclass_t rdataclass,
 		result = isc_buffer_allocate(mctx, &buf, MAXWIRE);
 		check_result(result, "isc_buffer_allocate");
 		result = dns_rdata_fromtext(rdata, rdataclass, rdatatype, lex,
-					    dns_rootname, ISC_FALSE, mctx, buf,
+					    dns_rootname, 0, mctx, buf,
 					    &callbacks);
 		isc_lex_destroy(&lex);
 		if (result == ISC_R_SUCCESS) {
@@ -1063,11 +1035,11 @@ evaluate_key(char *cmdline) {
 	}
 	secretlen = isc_buffer_usedlength(&secretbuf);
 
-	if (key != NULL)
-		dns_tsigkey_detach(&key);
+	if (tsigkey != NULL)
+		dns_tsigkey_detach(&tsigkey);
 	result = dns_tsigkey_create(keyname, dns_tsig_hmacmd5_name,
-                                    secret, secretlen, ISC_TRUE, NULL, 0, 0,
-                                    mctx, NULL, &key);
+				    secret, secretlen, ISC_TRUE, NULL, 0, 0,
+				    mctx, NULL, &tsigkey);
 	isc_mem_free(mctx, secret);
 	if (result != ISC_R_SUCCESS) {
 		fprintf(stderr, "could not create key from %s %s: %s\n",
@@ -1141,7 +1113,7 @@ static isc_uint16_t
 update_addordelete(char *cmdline, isc_boolean_t isdelete) {
 	isc_result_t result;
 	dns_name_t *name = NULL;
-	unsigned long ttl;
+	isc_uint32_t ttl;
 	char *word;
 	dns_rdataclass_t rdataclass;
 	dns_rdatatype_t rdatatype;
@@ -1149,7 +1121,6 @@ update_addordelete(char *cmdline, isc_boolean_t isdelete) {
 	dns_rdatalist_t *rdatalist = NULL;
 	dns_rdataset_t *rdataset = NULL;
 	isc_textregion_t region;
-	char *endp;
 	isc_uint16_t retval;
 
 	ddebug("update_addordelete()");
@@ -1187,13 +1158,14 @@ update_addordelete(char *cmdline, isc_boolean_t isdelete) {
 			goto doneparsing;
 		}
 	}
-	ttl = strtoul(word, &endp, 10);
-	if (!isdigit((unsigned char)*word) || *endp != '\0') {
+	result = isc_parse_uint32(&ttl, word, 10);
+	if (result != ISC_R_SUCCESS) {
 		if (isdelete) {
 			ttl = 0;
 			goto parseclass;
 		} else {
-			fprintf(stderr, "ttl '%s' is not legal\n", word);
+			fprintf(stderr, "ttl '%s': %s\n", word,
+				isc_result_totext(result));
 			goto failure;
 		}
 	}
@@ -1370,10 +1342,8 @@ get_next_command(void) {
 	char *word;
 
 	ddebug("get_next_command()");
-	if (interactive) {
+	if (interactive)
 		fprintf(stdout, "> ");
-		fflush(stdout);
-	}
 	isc_app_block();
 	cmdline = fgets(cmdlinebuf, MAXCMD, input);
 	isc_app_unblock();
@@ -1407,6 +1377,11 @@ get_next_command(void) {
 		show_message(updatemsg);
 		return (STATUS_MORE);
 	}
+	if (strcasecmp(word, "answer") == 0) {
+		if (answer != NULL)
+			show_message(answer);
+		return (STATUS_MORE);
+	}
 	if (strcasecmp(word, "key") == 0)
 		return (evaluate_key(cmdline));
 	fprintf(stderr, "incorrect section name: %s\n", word);
@@ -1418,11 +1393,8 @@ user_interaction(void) {
 	isc_uint16_t result = STATUS_MORE;
 
 	ddebug("user_interaction()");
-	while ((result == STATUS_MORE) || (result == STATUS_SYNTAX)) {
+	while ((result == STATUS_MORE) || (result == STATUS_SYNTAX))
 		result = get_next_command();
-		if (!interactive && result == STATUS_SYNTAX)
-			fatal("syntax error");
-	}
 	if (result == STATUS_SEND)
 		return (ISC_TRUE);
 	return (ISC_FALSE);
@@ -1463,7 +1435,6 @@ static void
 update_completed(isc_task_t *task, isc_event_t *event) {
 	dns_requestevent_t *reqev = NULL;
 	isc_result_t result;
-	dns_message_t *rcvmsg = NULL;
 	dns_request_t *request;
 
 	UNUSED(task);
@@ -1490,9 +1461,9 @@ update_completed(isc_task_t *task, isc_event_t *event) {
 		goto done;
 	}
 
-	result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &rcvmsg);
+	result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &answer);
 	check_result(result, "dns_message_create");
-	result = dns_request_getresponse(request, rcvmsg,
+	result = dns_request_getresponse(request, answer,
 					 DNS_MESSAGEPARSE_PRESERVEORDER);
 	switch (result) {
 	case ISC_R_SUCCESS:
@@ -1510,7 +1481,7 @@ update_completed(isc_task_t *task, isc_event_t *event) {
 		check_result(result, "dns_request_getresponse");
 	}
 
-	if (rcvmsg->rcode != dns_rcode_noerror) {
+	if (answer->rcode != dns_rcode_noerror) {
 		seenerror = ISC_TRUE;
 		if (!debugging) {
 			char buf[64];
@@ -1518,9 +1489,9 @@ update_completed(isc_task_t *task, isc_event_t *event) {
 			dns_rdataset_t *rds;
 			
 			isc_buffer_init(&b, buf, sizeof(buf) - 1);
-			result = dns_rcode_totext(rcvmsg->rcode, &b);
+			result = dns_rcode_totext(answer->rcode, &b);
 			check_result(result, "dns_rcode_totext");
-			rds = dns_message_gettsig(rcvmsg, NULL);
+			rds = dns_message_gettsig(answer, NULL);
 			if (rds != NULL)
 				check_tsig_error(rds, &b);
 			fprintf(stderr, "update failed: %.*s\n",
@@ -1542,7 +1513,7 @@ update_completed(isc_task_t *task, isc_event_t *event) {
 				isc_buffer_free(&buf);
 			result = isc_buffer_allocate(mctx, &buf, bufsz);
 			check_result(result, "isc_buffer_allocate");
-			result = dns_message_totext(rcvmsg, style, 0, buf);
+			result = dns_message_totext(answer, style, 0, buf);
 			bufsz *= 2;
 		} while (result == ISC_R_NOSPACE);
 		check_result(result, "dns_message_totext");
@@ -1551,7 +1522,6 @@ update_completed(isc_task_t *task, isc_event_t *event) {
 			(char*)isc_buffer_base(buf));
 		isc_buffer_free(&buf);
 	}
-	dns_message_destroy(&rcvmsg);
  done:
 	dns_request_destroy(&request);
 	isc_event_free(&event);
@@ -1583,11 +1553,25 @@ send_update(dns_name_t *zonename, isc_sockaddr_t *master,
 
 	if (usevc)
 		options |= DNS_REQUESTOPT_TCP;
-	result = dns_request_createvia(requestmgr, updatemsg, srcaddr,
-				       master, options, key,
-				       FIND_TIMEOUT, global_task,
-				       update_completed, NULL, &request);
-	check_result(result, "dns_request_createvia");
+	if (tsigkey == NULL && sig0key != NULL) {
+		result = dns_message_setsig0key(updatemsg, sig0key);
+		check_result(result, "dns_message_setsig0key");
+	}
+	if (debugging) {
+		char addrbuf[ISC_SOCKADDR_FORMATSIZE];
+
+		isc_sockaddr_format(master, addrbuf, sizeof(addrbuf));
+		fprintf(stderr, "Sending update to %s\n", addrbuf);
+	}
+	result = dns_request_createvia3(requestmgr, updatemsg, srcaddr,
+					master, options, tsigkey, timeout,
+					udp_timeout, udp_retries, global_task,
+					update_completed, NULL, &request);
+	check_result(result, "dns_request_createvia3");
+
+	if (debugging)
+		show_message(updatemsg);
+
 	requests++;
 }
 
@@ -1610,8 +1594,6 @@ recvsoa(isc_task_t *task, isc_event_t *event) {
 	dns_message_t *soaquery = NULL;
 	isc_sockaddr_t *addr;
 	isc_boolean_t seencname = ISC_FALSE;
-	dns_name_t tname;
-	unsigned int nlabels;
 
 	UNUSED(task);
 
@@ -1649,16 +1631,14 @@ recvsoa(isc_task_t *task, isc_event_t *event) {
 		ddebug("Destroying request [%p]", request);
 		dns_request_destroy(&request);
 		dns_message_renderreset(soaquery);
-		dns_message_settsigkey(soaquery, NULL);
 		sendrequest(localaddr, &servers[ns_inuse], soaquery, &request);
 		isc_mem_put(mctx, reqinfo, sizeof(nsu_requestinfo_t));
 		isc_event_free(&event);
 		setzoneclass(dns_rdataclass_none);
 		return;
 	}
-
 	isc_mem_put(mctx, reqinfo, sizeof(nsu_requestinfo_t));
-	reqinfo = NULL;
+
 	isc_event_free(&event);
 	reqev = NULL;
 
@@ -1678,10 +1658,12 @@ recvsoa(isc_task_t *task, isc_event_t *event) {
 		reqinfo->addr = addr;
 		dns_message_renderreset(soaquery);
 		ddebug("retrying soa request without TSIG");
-		result = dns_request_createvia(requestmgr, soaquery,
-					       localaddr, addr, 0, NULL,
-					       FIND_TIMEOUT, global_task,
-					       recvsoa, reqinfo, &request);
+		result = dns_request_createvia3(requestmgr, soaquery,
+						localaddr, addr, 0, NULL,
+						FIND_TIMEOUT * 20,
+						FIND_TIMEOUT * 20, 3,
+						global_task, recvsoa, reqinfo,
+						&request);
 		check_result(result, "dns_request_createvia");
 		requests++;
 		return;
@@ -1715,26 +1697,14 @@ recvsoa(isc_task_t *task, isc_event_t *event) {
 	    rcvmsg->rcode != dns_rcode_nxdomain)
 		fatal("response to SOA query was unsuccessful");
 
-	if (userzone != NULL && rcvmsg->rcode == dns_rcode_nxdomain) {
-		char namebuf[DNS_NAME_FORMATSIZE];
-		dns_name_format(userzone, namebuf, sizeof(namebuf));
-		error("specified zone '%s' does not exist (NXDOMAIN)",
-		      namebuf);
-		dns_message_destroy(&rcvmsg);
-		dns_request_destroy(&request);
-		dns_message_destroy(&soaquery);
-		ddebug("Out of recvsoa");
-		done_update();
-		return;
-	}
-
  lookforsoa:
 	if (pass == 0)
 		section = DNS_SECTION_ANSWER;
 	else if (pass == 1)
 		section = DNS_SECTION_AUTHORITY;
-	else 
-		goto droplabel;
+	else
+		fatal("response to SOA query didn't contain an SOA");
+
 
 	result = dns_message_firstname(rcvmsg, section);
 	if (result != ISC_R_SUCCESS) {
@@ -1771,8 +1741,29 @@ recvsoa(isc_task_t *task, isc_event_t *event) {
 		goto lookforsoa;
 	}
 
-	if (seencname)
-		goto droplabel;
+	if (seencname) {
+		dns_name_t tname;
+		unsigned int nlabels;
+
+		result = dns_message_firstname(soaquery, DNS_SECTION_QUESTION);
+		INSIST(result == ISC_R_SUCCESS);
+		name = NULL;
+		dns_message_currentname(soaquery, DNS_SECTION_QUESTION, &name);
+		nlabels = dns_name_countlabels(name);
+		if (nlabels == 1)
+			fatal("could not find enclosing zone");
+		dns_name_init(&tname, NULL);
+		dns_name_getlabelsequence(name, 1, nlabels - 1, &tname);
+		dns_name_clone(&tname, name);
+		dns_request_destroy(&request);
+		dns_message_renderreset(soaquery);
+		if (userserver != NULL)
+			sendrequest(localaddr, userserver, soaquery, &request);
+		else
+			sendrequest(localaddr, &servers[ns_inuse], soaquery,
+				    &request);
+		goto out;
+	}
 
 	if (debugging) {
 		char namestr[DNS_NAME_FORMATSIZE];
@@ -1815,39 +1806,17 @@ recvsoa(isc_task_t *task, isc_event_t *event) {
 		get_address(serverstr, DNSDEFAULTPORT, &tempaddr);
 		serveraddr = &tempaddr;
 	}
-	dns_rdata_freestruct(&soa);
 
 	send_update(zonename, serveraddr, localaddr);
-	setzoneclass(dns_rdataclass_none);
 
 	dns_message_destroy(&soaquery);
 	dns_request_destroy(&request);
 
  out:
+	setzoneclass(dns_rdataclass_none);
+	dns_rdata_freestruct(&soa);
 	dns_message_destroy(&rcvmsg);
 	ddebug("Out of recvsoa");
-	return;
- 
- droplabel:
-	result = dns_message_firstname(soaquery, DNS_SECTION_QUESTION);
-	INSIST(result == ISC_R_SUCCESS);
-	name = NULL;
-	dns_message_currentname(soaquery, DNS_SECTION_QUESTION, &name);
-	nlabels = dns_name_countlabels(name);
-	if (nlabels == 1)
-		fatal("could not find enclosing zone");
-	dns_name_init(&tname, NULL);
-	dns_name_getlabelsequence(name, 1, nlabels - 1, &tname);
-	dns_name_clone(&tname, name);
-	dns_request_destroy(&request);
-	dns_message_renderreset(soaquery);
-	dns_message_settsigkey(soaquery, NULL);
-	if (userserver != NULL)
-		sendrequest(localaddr, userserver, soaquery, &request);
-	else
-		sendrequest(localaddr, &servers[ns_inuse], soaquery,
-			    &request);
-	goto out;
 }
 
 static void
@@ -1862,10 +1831,10 @@ sendrequest(isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
 		fatal("out of memory");
 	reqinfo->msg = msg;
 	reqinfo->addr = destaddr;
-	result = dns_request_createvia(requestmgr, msg, srcaddr, destaddr, 0,
-				       (userserver != NULL) ? key : NULL,
-				       FIND_TIMEOUT, global_task,
-				       recvsoa, reqinfo, request);
+	result = dns_request_createvia3(requestmgr, msg, srcaddr, destaddr, 0,
+					(userserver != NULL) ? tsigkey : NULL,
+					FIND_TIMEOUT * 20, FIND_TIMEOUT, 3,
+					global_task, recvsoa, reqinfo, request);
 	check_result(result, "dns_request_createvia");
 	requests++;
 }
@@ -1878,10 +1847,17 @@ start_update(void) {
 	dns_request_t *request = NULL;
 	dns_message_t *soaquery = NULL;
 	dns_name_t *firstname;
-	dns_section_t section = DNS_SECTION_UPDATE;
 
 	ddebug("start_update()");
 
+	if (answer != NULL)
+		dns_message_destroy(&answer);
+	result = dns_message_firstname(updatemsg, DNS_SECTION_UPDATE);
+	if (result != ISC_R_SUCCESS) {
+		done_update();
+		return;
+	}
+
 	if (userzone != NULL && userserver != NULL) {
 		send_update(userzone, userserver, localaddr);
 		setzoneclass(dns_rdataclass_none);
@@ -1892,8 +1868,7 @@ start_update(void) {
 				    &soaquery);
 	check_result(result, "dns_message_create");
 
-	if (userserver == NULL)
-		soaquery->flags |= DNS_MESSAGEFLAG_RD;
+	soaquery->flags |= DNS_MESSAGEFLAG_RD;
 
 	result = dns_message_gettempname(soaquery, &name);
 	check_result(result, "dns_message_gettempname");
@@ -1903,24 +1878,10 @@ start_update(void) {
 
 	dns_rdataset_makequestion(rdataset, getzoneclass(), dns_rdatatype_soa);
 
-	if (userzone != NULL) {
-		dns_name_init(name, NULL);
-		dns_name_clone(userzone, name);
-	} else {
-		result = dns_message_firstname(updatemsg, section);
-		if (result == ISC_R_NOMORE) {
-			section = DNS_SECTION_PREREQUISITE;
-			result = dns_message_firstname(updatemsg, section);
-		}
-		if (result != ISC_R_SUCCESS) {
-			done_update();
-			return;
-		}
-		firstname = NULL;
-		dns_message_currentname(updatemsg, section, &firstname);
-		dns_name_init(name, NULL);
-		dns_name_clone(firstname, name);
-	}
+	firstname = NULL;
+	dns_message_currentname(updatemsg, DNS_SECTION_UPDATE, &firstname);
+	dns_name_init(name, NULL);
+	dns_name_clone(firstname, name);
 
 	ISC_LIST_INIT(name->list);
 	ISC_LIST_APPEND(name->list, rdataset, link);
@@ -1938,6 +1899,8 @@ static void
 cleanup(void) {
 	ddebug("cleanup()");
 
+	if (answer != NULL)
+		dns_message_destroy(&answer);
 	ddebug("Shutting down task manager");
 	isc_taskmgr_destroy(&taskmgr);
 
diff --git a/bin/nsupdate/nsupdate.docbook b/bin/nsupdate/nsupdate.docbook
index cb65d876..7d23333c 100644
--- a/bin/nsupdate/nsupdate.docbook
+++ b/bin/nsupdate/nsupdate.docbook
@@ -1,9 +1,7 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
 <!--
- - Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
+ - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001-2003  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -18,7 +16,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: nsupdate.docbook,v 1.8.2.14 2007/05/09 02:11:44 marka Exp $ -->
+<!-- $Id: nsupdate.docbook,v 1.8.2.3.2.8 2004/03/08 04:04:23 marka Exp $ -->
 
 <refentry>
 <refentryinfo>
@@ -29,23 +27,6 @@
 <manvolnum>8</manvolnum>
 <refmiscinfo>BIND9</refmiscinfo>
 </refmeta>
-
-  <docinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2006</year>
-      <year>2007</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <year>2003</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
-  </docinfo>
-
 <refnamediv>
 <refname>nsupdate</refname>
 <refpurpose>Dynamic DNS update utility</refpurpose>
@@ -58,6 +39,9 @@
   <arg><option>-y <replaceable class="parameter">keyname:secret</replaceable></option></arg>
   <arg><option>-k <replaceable class="parameter">keyfile</replaceable></option></arg>
 </group>
+<arg><option>-t <replaceable class="parameter">timeout</replaceable></option></arg>
+<arg><option>-u <replaceable class="parameter">udptimeout</replaceable></option></arg>
+<arg><option>-r <replaceable class="parameter">udpretries</replaceable></option></arg>
 <arg><option>-v</option></arg>
 <arg>filename</arg>
 </cmdsynopsis>
@@ -100,16 +84,16 @@ made and the replies received from the name server.
 <para>
 Transaction signatures can be used to authenticate the Dynamic DNS
 updates.
-These use the TSIG resource record type described in RFC2845.
-The signatures rely on a shared secret that should only be known to
-<command>nsupdate</command>
-and the name server.
+These use the TSIG resource record type described in RFC2845 or the
+SIG(0) record described in RFC3535 and RFC2931.
+TSIG relies on a shared secret that should only be known to
+<command>nsupdate</command> and the name server.
 Currently, the only supported encryption algorithm for TSIG is
 HMAC-MD5, which is defined in RFC 2104.
 Once other algorithms are defined for TSIG, applications will need to
 ensure they select the appropriate algorithm as well as the key when
 authenticating each other.
-For instance, suitable
+For instance suitable
 <type>key</type>
 and
 <type>server</type>
@@ -118,6 +102,8 @@ statements would be added to
 so that the name server can associate the appropriate secret key
 and algorithm with the IP address of the
 client application that will be using TSIG authentication.
+SIG(0) uses public key cryptography.  To use a SIG(0) key, the public
+key must be stored in a KEY record in a zone served by the name server.
 <command>nsupdate</command>
 does not read
 <filename>/etc/named.conf</filename>.
@@ -128,8 +114,8 @@ uses the
 <option>-y</option>
 or
 <option>-k</option>
-option to provide the shared secret needed to generate a TSIG record
-for authenticating Dynamic DNS update requests.
+option (with an HMAC-MD5 key) to provide the shared secret needed to generate
+a TSIG record for authenticating Dynamic DNS update requests.
 These options are mutually exclusive.
 With the
 <option>-k</option>
@@ -163,9 +149,15 @@ This may be visible in the output from
 or in a history file maintained by the user's shell.
 </para>
 <para>
+The <option>-k</option> may also be used to specify a SIG(0) key used
+to authenticate Dynamic DNS update requests.  In this case, the key
+specified is not an HMAC-MD5 key.
+</para>
+<para>
 By default
 <command>nsupdate</command>
-uses UDP to send update requests to the name server.
+uses UDP to send update requests to the name server unless they are too
+large to fit in a UDP request in which case TCP will be used.
 The
 <option>-v</option>
 option makes
@@ -173,6 +165,17 @@ option makes
 use a TCP connection.
 This may be preferable when a batch of update requests is made.
 </para>
+<para>The <option>-t</option> option sets the maximum time a update request can
+take before it is aborted.  The default is 300 seconds.  Zero can be used
+to disable the timeout.
+</para>
+<para>The <option>-u</option> option sets the UDP retry interval.  The default is
+3 seconds.  If zero the interval will be computed from the timeout interval
+and number of UDP retries.
+</para>
+<para>The <option>-r</option> option sets the number of UDP retries. The default is
+3.  If zero only one update request will be made.
+</para>
 </refsect1>
 
 <refsect1>
@@ -204,9 +207,11 @@ name server.
 The command formats and their meaning are as follows:
 <variablelist>
 <varlistentry><term>
+<cmdsynopsis>
 <command>server</command>
 <arg choice="req">servername</arg>
 <arg choice="opt">port</arg>
+</cmdsynopsis>
 </term>
 <listitem>
 <para>
@@ -224,13 +229,13 @@ where the dynamic update requests get sent.
 If no port number is specified, the default DNS port number of 53 is
 used.
 </para>
-</listitem>
-</varlistentry>
 
 <varlistentry><term>
+<cmdsynopsis>
 <command>local</command>
 <arg choice="req">address</arg>
 <arg choice="opt">port</arg>
+</cmdsynopsis>
 </term>
 <listitem>
 <para>
@@ -243,13 +248,12 @@ will send updates using an address and port chosen by the system.
 <parameter>port</parameter>
 can additionally be used to make requests come from a specific port.
 If no port number is specified, the system will assign one.
-</para>
-</listitem>
-</varlistentry>
 
 <varlistentry><term>
+<cmdsynopsis>
 <command>zone</command>
 <arg choice="req">zonename</arg>
+</cmdsynopsis>
 </term>
 <listitem>
 <para>
@@ -265,26 +269,30 @@ will attempt determine the correct zone to update based on the rest of the input
 </varlistentry>
 
 <varlistentry><term>
+<cmdsynopsis>
 <command>class</command>
 <arg choice="req">classname</arg>
+</cmdsynopsis>
 </term>
 <listitem>
 <para>
 Specify the default class.
-If no <parameter>class</parameter> is specified, the default class is
+If no <parameter>class</parameter> is specified the default class is
 <parameter>IN</parameter>.
 </para>
 </listitem>
 </varlistentry>
 
 <varlistentry><term>
+<cmdsynopsis>
 <command>key</command>
 <arg choice="req">name</arg>
 <arg choice="req">secret</arg>
+</cmdsynopsis>
 </term>
 <listitem>
 <para>
-Specifies that all updates are to be TSIG-signed using the
+Specifies that all updates are to be TSIG signed using the
 <parameter>keyname</parameter> <parameter>keysecret</parameter> pair.
 The <command>key</command> command
 overrides any key specified on the command line via
@@ -294,8 +302,10 @@ overrides any key specified on the command line via
 </varlistentry>
 
 <varlistentry><term>
+<cmdsynopsis>
 <command>prereq nxdomain</command>
 <arg choice="req">domain-name</arg>
+</cmdsynopsis>
 </term>
 <listitem>
 <para>
@@ -307,8 +317,10 @@ Requires that no resource record of any type exists with name
 
 
 <varlistentry><term>
+<cmdsynopsis>
 <command>prereq yxdomain</command>
 <arg choice="req">domain-name</arg>
+</cmdsynopsis>
 </term>
 <listitem>
 <para>
@@ -320,10 +332,12 @@ exists (has as at least one resource record, of any type).
 </varlistentry>
 
 <varlistentry><term>
+<cmdsynopsis>
 <command>prereq nxrrset</command>
 <arg choice="req">domain-name</arg>
 <arg choice="opt">class</arg>
 <arg choice="req">type</arg>
+</cmdsynopsis>
 </term>
 <listitem>
 <para>
@@ -341,10 +355,12 @@ is omitted, IN (internet) is assumed.
 
 
 <varlistentry><term>
+<cmdsynopsis>
 <command>prereq yxrrset</command>
 <arg choice="req">domain-name</arg>
 <arg choice="opt">class</arg>
 <arg choice="req">type</arg>
+</cmdsynopsis>
 </term>
 <listitem>
 <para>
@@ -362,11 +378,13 @@ is omitted, IN (internet) is assumed.
 </varlistentry>
 
 <varlistentry><term>
+<cmdsynopsis>
 <command>prereq yxrrset</command>
 <arg choice="req">domain-name</arg>
 <arg choice="opt">class</arg>
 <arg choice="req">type</arg>
 <arg choice="req" rep="repeat">data</arg>
+</cmdsynopsis>
 </term>
 <listitem>
 <para>
@@ -394,11 +412,13 @@ RDATA.
 </varlistentry>
 
 <varlistentry><term>
+<cmdsynopsis>
 <command>update delete</command>
 <arg choice="req">domain-name</arg>
 <arg choice="opt">ttl</arg>
 <arg choice="opt">class</arg>
 <arg choice="opt">type <arg choice="opt" rep="repeat">data</arg></arg>
+</cmdsynopsis>
 </term>
 <listitem>
 <para>
@@ -419,12 +439,14 @@ is ignored, and is only allowed for compatibility.
 </varlistentry>
 
 <varlistentry><term>
+<cmdsynopsis>
 <command>update add</command>
 <arg choice="req">domain-name</arg>
 <arg choice="req">ttl</arg>
 <arg choice="opt">class</arg>
 <arg choice="req">type</arg>
 <arg choice="req" rep="repeat">data</arg>
+</cmdsynopsis>
 </term>
 <listitem>
 <para>
@@ -438,7 +460,9 @@ and
 </varlistentry>
 
 <varlistentry><term>
+<cmdsynopsis>
 <command>show</command>
+</cmdsynopsis>
 </term>
 <listitem>
 <para>
@@ -449,16 +473,28 @@ updates specified since the last send.
 </varlistentry>
 
 <varlistentry><term>
+<cmdsynopsis>
 <command>send</command>
+</cmdsynopsis>
 </term>
 <listitem>
 <para>
 Sends the current message.  This is equivalent to entering a blank line.
 </para>
 </listitem>
-</varlistentry>
-</variablelist>
+
+<varlistentry><term>
+<cmdsynopsis>
+<command>answer</command>
+</cmdsynopsis>
+</term>
+<listitem>
+<para>
+Displays the answer.
 </para>
+</listitem>
+
+</variablelist>
 
 <para>
 Lines beginning with a semicolon are comments and are ignored.
@@ -490,10 +526,10 @@ master name server for
 Any A records for
 <type>oldhost.example.com</type>
 are deleted.
-And an A record for
+and an A record for
 <type>newhost.example.com</type>
-with IP address 172.16.1.1 is added.
-The newly-added record has a 1 day TTL (86400 seconds).
+it IP address 172.16.1.1 is added.
+The newly-added record has a 1 day TTL (86400 seconds)
 <programlisting>
 # nsupdate
 > prereq nxdomain nickname.example.com
@@ -512,7 +548,7 @@ This ensures that when the CNAME is added, it cannot conflict with the
 long-standing rule in RFC1034 that a name must not exist as any other
 record type if it exists as a CNAME.
 (The rule has been updated for DNSSEC in RFC2535 to allow CNAMEs to have
-SIG, KEY and NXT records.)
+RRSIG, DNSKEY and NSEC records.)
 </para>
 </refsect1>
 
@@ -526,7 +562,6 @@ SIG, KEY and NXT records.)
 used to identify default name server
 </para>
 </listitem>
-</varlistentry>
 
 <varlistentry><term><constant>K{name}.+157.+{random}.key</constant></term>
 <listitem>
@@ -537,7 +572,6 @@ base-64 encoding of HMAC-MD5 key created by
 </citerefentry>.
 </para>
 </listitem>
-</varlistentry>
 
 <varlistentry><term><constant>K{name}.+157.+{random}.private</constant></term>
 <listitem>
@@ -548,7 +582,6 @@ base-64 encoding of HMAC-MD5 key created by
 </citerefentry>.
 </para>
 </listitem>
-</varlistentry>
 </variablelist>
 </refsect1>
 
@@ -574,12 +607,15 @@ base-64 encoding of HMAC-MD5 key created by
 <refentrytitle>RFC2535</refentrytitle>
 </citerefentry>,
 <citerefentry>
+<refentrytitle>RFC2931</refentrytitle>
+</citerefentry>,
+<citerefentry>
 <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
 </citerefentry>,
 <citerefentry>
 <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
 </citerefentry>.
-</para>
+
 </refsect1>
 <refsect1>
 <title>BUGS</title>
diff --git a/bin/nsupdate/nsupdate.html b/bin/nsupdate/nsupdate.html
index e1224a6a..fe0e0cd3 100644
--- a/bin/nsupdate/nsupdate.html
+++ b/bin/nsupdate/nsupdate.html
@@ -1,151 +1,359 @@
 <!--
- - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
- - 
+ - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001-2003  Internet Software Consortium.
+ -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
- - 
+ -
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: nsupdate.html,v 1.9.2.20 2007/05/09 03:32:21 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>nsupdate</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476275"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p>nsupdate &#8212; Dynamic DNS update utility</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">nsupdate</code>  [<code class="option">-d</code>] [[<code class="option">-y <em class="replaceable"><code>keyname:secret</code></em></code>] |  [<code class="option">-k <em class="replaceable"><code>keyfile</code></em></code>]] [<code class="option">-v</code>] [filename]</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543377"></a><h2>DESCRIPTION</h2>
-<p>
-<span><strong class="command">nsupdate</strong></span>
+
+<!-- $Id: nsupdate.html,v 1.9.2.3.2.4 2004/03/08 04:04:23 marka Exp $ -->
+
+<HTML
+><HEAD
+><TITLE
+>nsupdate</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.73
+"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+>nsupdate</A
+></H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN8"
+></A
+><H2
+>Name</H2
+>nsupdate&nbsp;--&nbsp;Dynamic DNS update utility</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN11"
+></A
+><H2
+>Synopsis</H2
+><P
+><B
+CLASS="COMMAND"
+>nsupdate</B
+>  [<TT
+CLASS="OPTION"
+>-d</TT
+>] [<TT
+CLASS="OPTION"
+>-y <TT
+CLASS="REPLACEABLE"
+><I
+>keyname:secret</I
+></TT
+></TT
+> | <TT
+CLASS="OPTION"
+>-k <TT
+CLASS="REPLACEABLE"
+><I
+>keyfile</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-t <TT
+CLASS="REPLACEABLE"
+><I
+>timeout</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-u <TT
+CLASS="REPLACEABLE"
+><I
+>udptimeout</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-r <TT
+CLASS="REPLACEABLE"
+><I
+>udpretries</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-v</TT
+>] [filename]</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN35"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+><B
+CLASS="COMMAND"
+>nsupdate</B
+>
 is used to submit Dynamic DNS Update requests as defined in RFC2136
 to a name server.
 This allows resource records to be added or removed from a zone
 without manually editing the zone file.
 A single update request can contain requests to add or remove more than one
-resource record.
-</p>
-<p>
-Zones that are under dynamic control via
-<span><strong class="command">nsupdate</strong></span>
+resource record.</P
+><P
+>Zones that are under dynamic control via
+<B
+CLASS="COMMAND"
+>nsupdate</B
+>
 or a DHCP server should not be edited by hand.
 Manual edits could
-conflict with dynamic updates and cause data to be lost.
-</p>
-<p>
-The resource records that are dynamically added or removed with
-<span><strong class="command">nsupdate</strong></span>
+conflict with dynamic updates and cause data to be lost.</P
+><P
+>The resource records that are dynamically added or removed with
+<B
+CLASS="COMMAND"
+>nsupdate</B
+>
 have to be in the same zone.
 Requests are sent to the zone's master server.
-This is identified by the MNAME field of the zone's SOA record.
-</p>
-<p>
-The
-<code class="option">-d</code>
+This is identified by the MNAME field of the zone's SOA record.</P
+><P
+>The
+<TT
+CLASS="OPTION"
+>-d</TT
+>
 option makes
-<span><strong class="command">nsupdate</strong></span>
+<B
+CLASS="COMMAND"
+>nsupdate</B
+>
 operate in debug mode.
 This provides tracing information about the update requests that are
-made and the replies received from the name server.
-</p>
-<p>
-Transaction signatures can be used to authenticate the Dynamic DNS
+made and the replies received from the name server.</P
+><P
+>Transaction signatures can be used to authenticate the Dynamic DNS
 updates.
-These use the TSIG resource record type described in RFC2845.
-The signatures rely on a shared secret that should only be known to
-<span><strong class="command">nsupdate</strong></span>
-and the name server.
+These use the TSIG resource record type described in RFC2845 or the
+SIG(0) record described in RFC3535 and RFC2931.
+TSIG relies on a shared secret that should only be known to
+<B
+CLASS="COMMAND"
+>nsupdate</B
+> and the name server.
 Currently, the only supported encryption algorithm for TSIG is
 HMAC-MD5, which is defined in RFC 2104.
 Once other algorithms are defined for TSIG, applications will need to
 ensure they select the appropriate algorithm as well as the key when
 authenticating each other.
-For instance, suitable
-<span class="type">key</span>
+For instance suitable
+<SPAN
+CLASS="TYPE"
+>key</SPAN
+>
 and
-<span class="type">server</span>
+<SPAN
+CLASS="TYPE"
+>server</SPAN
+>
 statements would be added to
-<code class="filename">/etc/named.conf</code>
+<TT
+CLASS="FILENAME"
+>/etc/named.conf</TT
+>
 so that the name server can associate the appropriate secret key
 and algorithm with the IP address of the
 client application that will be using TSIG authentication.
-<span><strong class="command">nsupdate</strong></span>
+SIG(0) uses public key cryptography.  To use a SIG(0) key, the public
+key must be stored in a KEY record in a zone served by the name server.
+<B
+CLASS="COMMAND"
+>nsupdate</B
+>
 does not read
-<code class="filename">/etc/named.conf</code>.
-</p>
-<p>
-<span><strong class="command">nsupdate</strong></span>
+<TT
+CLASS="FILENAME"
+>/etc/named.conf</TT
+>.</P
+><P
+><B
+CLASS="COMMAND"
+>nsupdate</B
+>
 uses the
-<code class="option">-y</code>
+<TT
+CLASS="OPTION"
+>-y</TT
+>
 or
-<code class="option">-k</code>
-option to provide the shared secret needed to generate a TSIG record
-for authenticating Dynamic DNS update requests.
+<TT
+CLASS="OPTION"
+>-k</TT
+>
+option (with an HMAC-MD5 key) to provide the shared secret needed to generate
+a TSIG record for authenticating Dynamic DNS update requests.
 These options are mutually exclusive.
 With the
-<code class="option">-k</code>
+<TT
+CLASS="OPTION"
+>-k</TT
+>
 option,
-<span><strong class="command">nsupdate</strong></span>
+<B
+CLASS="COMMAND"
+>nsupdate</B
+>
 reads the shared secret from the file
-<em class="parameter"><code>keyfile</code></em>,
+<TT
+CLASS="PARAMETER"
+><I
+>keyfile</I
+></TT
+>,
 whose name is of the form 
-<code class="filename">K{name}.+157.+{random}.private</code>.
+<TT
+CLASS="FILENAME"
+>K{name}.+157.+{random}.private</TT
+>.
 For historical
 reasons, the file 
-<code class="filename">K{name}.+157.+{random}.key</code>
+<TT
+CLASS="FILENAME"
+>K{name}.+157.+{random}.key</TT
+>
 must also be present.  When the
-<code class="option">-y</code>
+<TT
+CLASS="OPTION"
+>-y</TT
+>
 option is used, a signature is generated from
-<em class="parameter"><code>keyname:secret.</code></em>
-<em class="parameter"><code>keyname</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>keyname:secret.</I
+></TT
+>
+<TT
+CLASS="PARAMETER"
+><I
+>keyname</I
+></TT
+>
 is the name of the key,
 and
-<em class="parameter"><code>secret</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>secret</I
+></TT
+>
 is the base64 encoded shared secret.
 Use of the
-<code class="option">-y</code>
+<TT
+CLASS="OPTION"
+>-y</TT
+>
 option is discouraged because the shared secret is supplied as a command
 line argument in clear text.
 This may be visible in the output from
-<span class="citerefentry"><span class="refentrytitle">ps</span>(1
-)</span>
-or in a history file maintained by the user's shell.
-</p>
-<p>
-By default
-<span><strong class="command">nsupdate</strong></span>
-uses UDP to send update requests to the name server.
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>ps</SPAN
+>(1)</SPAN
+>
+or in a history file maintained by the user's shell.</P
+><P
+>The <TT
+CLASS="OPTION"
+>-k</TT
+> may also be used to specify a SIG(0) key used
+to authenticate Dynamic DNS update requests.  In this case, the key
+specified is not an HMAC-MD5 key.</P
+><P
+>By default
+<B
+CLASS="COMMAND"
+>nsupdate</B
+>
+uses UDP to send update requests to the name server unless they are too
+large to fit in a UDP request in which case TCP will be used.
 The
-<code class="option">-v</code>
+<TT
+CLASS="OPTION"
+>-v</TT
+>
 option makes
-<span><strong class="command">nsupdate</strong></span>
+<B
+CLASS="COMMAND"
+>nsupdate</B
+>
 use a TCP connection.
-This may be preferable when a batch of update requests is made.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543509"></a><h2>INPUT FORMAT</h2>
-<p>
-<span><strong class="command">nsupdate</strong></span>
+This may be preferable when a batch of update requests is made.</P
+><P
+>The <TT
+CLASS="OPTION"
+>-t</TT
+> option sets the maximum time a update request can
+take before it is aborted.  The default is 300 seconds.  Zero can be used
+to disable the timeout.</P
+><P
+>The <TT
+CLASS="OPTION"
+>-u</TT
+> option sets the UDP retry interval.  The default is
+3 seconds.  If zero the interval will be computed from the timeout interval
+and number of UDP retries.</P
+><P
+>The <TT
+CLASS="OPTION"
+>-r</TT
+> option sets the number of UDP retries. The default is
+3.  If zero only one update request will be made.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN82"
+></A
+><H2
+>INPUT FORMAT</H2
+><P
+><B
+CLASS="COMMAND"
+>nsupdate</B
+>
 reads input from
-<em class="parameter"><code>filename</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>filename</I
+></TT
+>
 or standard input.
 Each command is supplied on exactly one line of input.
 Some commands are for administrative purposes.
@@ -154,268 +362,545 @@ contents of the zone.
 These checks set conditions that some name or set of
 resource records (RRset) either exists or is absent from the zone.
 These conditions must be met if the entire update request is to succeed.
-Updates will be rejected if the tests for the prerequisite conditions fail.
-</p>
-<p>
-Every update request consists of zero or more prerequisites
+Updates will be rejected if the tests for the prerequisite conditions fail.</P
+><P
+>Every update request consists of zero or more prerequisites
 and zero or more updates.
 This allows a suitably authenticated update request to proceed if some
 specified resource records are present or missing from the zone.
-A blank input line (or the <span><strong class="command">send</strong></span> command) causes the
+A blank input line (or the <B
+CLASS="COMMAND"
+>send</B
+> command) causes the
 accumulated commands to be sent as one Dynamic DNS update request to the
-name server.
-</p>
-<p>
-The command formats and their meaning are as follows:
-</p>
-<div class="variablelist"><dl>
-<dt><span class="term">
-<span><strong class="command">server</strong></span>
- {servername}
- [port]
-</span></dt>
-<dd><p>
-Sends all dynamic update requests to the name server
-<em class="parameter"><code>servername</code></em>.
+name server.</P
+><P
+>The command formats and their meaning are as follows:
+<P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><P
+><B
+CLASS="COMMAND"
+>server</B
+>  {servername} [port]</P
+></DT
+><DD
+><P
+>Sends all dynamic update requests to the name server
+<TT
+CLASS="PARAMETER"
+><I
+>servername</I
+></TT
+>.
 When no server statement is provided,
-<span><strong class="command">nsupdate</strong></span>
+<B
+CLASS="COMMAND"
+>nsupdate</B
+>
 will send updates to the master server of the correct zone.
 The MNAME field of that zone's SOA record will identify the master
 server for that zone.
-<em class="parameter"><code>port</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>port</I
+></TT
+>
 is the port number on
-<em class="parameter"><code>servername</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>servername</I
+></TT
+>
 where the dynamic update requests get sent.
 If no port number is specified, the default DNS port number of 53 is
-used.
-</p></dd>
-<dt><span class="term">
-<span><strong class="command">local</strong></span>
- {address}
- [port]
-</span></dt>
-<dd><p>
-Sends all dynamic update requests using the local
-<em class="parameter"><code>address</code></em>.
+used.</P
+></DD
+><DT
+><P
+><B
+CLASS="COMMAND"
+>local</B
+>  {address} [port]</P
+></DT
+><DD
+><P
+>Sends all dynamic update requests using the local
+<TT
+CLASS="PARAMETER"
+><I
+>address</I
+></TT
+>.
 
 When no local statement is provided,
-<span><strong class="command">nsupdate</strong></span>
+<B
+CLASS="COMMAND"
+>nsupdate</B
+>
 will send updates using an address and port chosen by the system.
-<em class="parameter"><code>port</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>port</I
+></TT
+>
 can additionally be used to make requests come from a specific port.
-If no port number is specified, the system will assign one.
-</p></dd>
-<dt><span class="term">
-<span><strong class="command">zone</strong></span>
- {zonename}
-</span></dt>
-<dd><p>
-Specifies that all updates are to be made to the zone
-<em class="parameter"><code>zonename</code></em>.
+If no port number is specified, the system will assign one.&#13;</P
+></DD
+><DT
+><P
+><B
+CLASS="COMMAND"
+>zone</B
+>  {zonename}</P
+></DT
+><DD
+><P
+>Specifies that all updates are to be made to the zone
+<TT
+CLASS="PARAMETER"
+><I
+>zonename</I
+></TT
+>.
 If no
-<em class="parameter"><code>zone</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>zone</I
+></TT
+>
 statement is provided,
-<span><strong class="command">nsupdate</strong></span>
-will attempt determine the correct zone to update based on the rest of the input.
-</p></dd>
-<dt><span class="term">
-<span><strong class="command">class</strong></span>
- {classname}
-</span></dt>
-<dd><p>
-Specify the default class.
-If no <em class="parameter"><code>class</code></em> is specified, the default class is
-<em class="parameter"><code>IN</code></em>.
-</p></dd>
-<dt><span class="term">
-<span><strong class="command">key</strong></span>
- {name}
- {secret}
-</span></dt>
-<dd><p>
-Specifies that all updates are to be TSIG-signed using the
-<em class="parameter"><code>keyname</code></em> <em class="parameter"><code>keysecret</code></em> pair.
-The <span><strong class="command">key</strong></span> command
+<B
+CLASS="COMMAND"
+>nsupdate</B
+>
+will attempt determine the correct zone to update based on the rest of the input.</P
+></DD
+><DT
+><P
+><B
+CLASS="COMMAND"
+>class</B
+>  {classname}</P
+></DT
+><DD
+><P
+>Specify the default class.
+If no <TT
+CLASS="PARAMETER"
+><I
+>class</I
+></TT
+> is specified the default class is
+<TT
+CLASS="PARAMETER"
+><I
+>IN</I
+></TT
+>.</P
+></DD
+><DT
+><P
+><B
+CLASS="COMMAND"
+>key</B
+>  {name} {secret}</P
+></DT
+><DD
+><P
+>Specifies that all updates are to be TSIG signed using the
+<TT
+CLASS="PARAMETER"
+><I
+>keyname</I
+></TT
+> <TT
+CLASS="PARAMETER"
+><I
+>keysecret</I
+></TT
+> pair.
+The <B
+CLASS="COMMAND"
+>key</B
+> command
 overrides any key specified on the command line via
-<code class="option">-y</code> or <code class="option">-k</code>.
-</p></dd>
-<dt><span class="term">
-<span><strong class="command">prereq nxdomain</strong></span>
- {domain-name}
-</span></dt>
-<dd><p>
-Requires that no resource record of any type exists with name
-<em class="parameter"><code>domain-name</code></em>.
-</p></dd>
-<dt><span class="term">
-<span><strong class="command">prereq yxdomain</strong></span>
- {domain-name}
-</span></dt>
-<dd><p>
-Requires that
-<em class="parameter"><code>domain-name</code></em>
-exists (has as at least one resource record, of any type).
-</p></dd>
-<dt><span class="term">
-<span><strong class="command">prereq nxrrset</strong></span>
- {domain-name}
- [class]
- {type}
-</span></dt>
-<dd><p>
-Requires that no resource record exists of the specified
-<em class="parameter"><code>type</code></em>,
-<em class="parameter"><code>class</code></em>
+<TT
+CLASS="OPTION"
+>-y</TT
+> or <TT
+CLASS="OPTION"
+>-k</TT
+>.</P
+></DD
+><DT
+><P
+><B
+CLASS="COMMAND"
+>prereq nxdomain</B
+>  {domain-name}</P
+></DT
+><DD
+><P
+>Requires that no resource record of any type exists with name
+<TT
+CLASS="PARAMETER"
+><I
+>domain-name</I
+></TT
+>.</P
+></DD
+><DT
+><P
+><B
+CLASS="COMMAND"
+>prereq yxdomain</B
+>  {domain-name}</P
+></DT
+><DD
+><P
+>Requires that
+<TT
+CLASS="PARAMETER"
+><I
+>domain-name</I
+></TT
+>
+exists (has as at least one resource record, of any type).</P
+></DD
+><DT
+><P
+><B
+CLASS="COMMAND"
+>prereq nxrrset</B
+>  {domain-name} [class] {type}</P
+></DT
+><DD
+><P
+>Requires that no resource record exists of the specified
+<TT
+CLASS="PARAMETER"
+><I
+>type</I
+></TT
+>,
+<TT
+CLASS="PARAMETER"
+><I
+>class</I
+></TT
+>
 and
-<em class="parameter"><code>domain-name</code></em>.
+<TT
+CLASS="PARAMETER"
+><I
+>domain-name</I
+></TT
+>.
 If
-<em class="parameter"><code>class</code></em>
-is omitted, IN (internet) is assumed.
-</p></dd>
-<dt><span class="term">
-<span><strong class="command">prereq yxrrset</strong></span>
- {domain-name}
- [class]
- {type}
-</span></dt>
-<dd><p>
-This requires that a resource record of the specified
-<em class="parameter"><code>type</code></em>,
-<em class="parameter"><code>class</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>class</I
+></TT
+>
+is omitted, IN (internet) is assumed.</P
+></DD
+><DT
+><P
+><B
+CLASS="COMMAND"
+>prereq yxrrset</B
+>  {domain-name} [class] {type}</P
+></DT
+><DD
+><P
+>This requires that a resource record of the specified
+<TT
+CLASS="PARAMETER"
+><I
+>type</I
+></TT
+>,
+<TT
+CLASS="PARAMETER"
+><I
+>class</I
+></TT
+>
 and
-<em class="parameter"><code>domain-name</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>domain-name</I
+></TT
+>
 must exist.
 If
-<em class="parameter"><code>class</code></em>
-is omitted, IN (internet) is assumed.
-</p></dd>
-<dt><span class="term">
-<span><strong class="command">prereq yxrrset</strong></span>
- {domain-name}
- [class]
- {type}
- {data...}
-</span></dt>
-<dd><p>
-The
-<em class="parameter"><code>data</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>class</I
+></TT
+>
+is omitted, IN (internet) is assumed.</P
+></DD
+><DT
+><P
+><B
+CLASS="COMMAND"
+>prereq yxrrset</B
+>  {domain-name} [class] {type} {data...}</P
+></DT
+><DD
+><P
+>The
+<TT
+CLASS="PARAMETER"
+><I
+>data</I
+></TT
+>
 from each set of prerequisites of this form
 sharing a common
-<em class="parameter"><code>type</code></em>,
-<em class="parameter"><code>class</code></em>,
+<TT
+CLASS="PARAMETER"
+><I
+>type</I
+></TT
+>,
+<TT
+CLASS="PARAMETER"
+><I
+>class</I
+></TT
+>,
 and 
-<em class="parameter"><code>domain-name</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>domain-name</I
+></TT
+>
 are combined to form a set of RRs.  This set of RRs must
 exactly match the set of RRs existing in the zone at the
 given 
-<em class="parameter"><code>type</code></em>,
-<em class="parameter"><code>class</code></em>,
+<TT
+CLASS="PARAMETER"
+><I
+>type</I
+></TT
+>,
+<TT
+CLASS="PARAMETER"
+><I
+>class</I
+></TT
+>,
 and 
-<em class="parameter"><code>domain-name</code></em>.
+<TT
+CLASS="PARAMETER"
+><I
+>domain-name</I
+></TT
+>.
 The
-<em class="parameter"><code>data</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>data</I
+></TT
+>
 are written in the standard text representation of the resource record's
-RDATA.
-</p></dd>
-<dt><span class="term">
-<span><strong class="command">update delete</strong></span>
- {domain-name}
- [ttl]
- [class]
- [type [data...]]
-</span></dt>
-<dd><p>
-Deletes any resource records named
-<em class="parameter"><code>domain-name</code></em>.
+RDATA.</P
+></DD
+><DT
+><P
+><B
+CLASS="COMMAND"
+>update delete</B
+>  {domain-name} [ttl] [class] [type  [data...]]</P
+></DT
+><DD
+><P
+>Deletes any resource records named
+<TT
+CLASS="PARAMETER"
+><I
+>domain-name</I
+></TT
+>.
 If
-<em class="parameter"><code>type</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>type</I
+></TT
+>
 and
-<em class="parameter"><code>data</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>data</I
+></TT
+>
 is provided, only matching resource records will be removed.
 The internet class is assumed if
-<em class="parameter"><code>class</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>class</I
+></TT
+>
 is not supplied.  The
-<em class="parameter"><code>ttl</code></em>
-is ignored, and is only allowed for compatibility.
-</p></dd>
-<dt><span class="term">
-<span><strong class="command">update add</strong></span>
- {domain-name}
- {ttl}
- [class]
- {type}
- {data...}
-</span></dt>
-<dd><p>
-Adds a new resource record with the specified
-<em class="parameter"><code>ttl</code></em>,
-<em class="parameter"><code>class</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>ttl</I
+></TT
+>
+is ignored, and is only allowed for compatibility.</P
+></DD
+><DT
+><P
+><B
+CLASS="COMMAND"
+>update add</B
+>  {domain-name} {ttl} [class] {type} {data...}</P
+></DT
+><DD
+><P
+>Adds a new resource record with the specified
+<TT
+CLASS="PARAMETER"
+><I
+>ttl</I
+></TT
+>,
+<TT
+CLASS="PARAMETER"
+><I
+>class</I
+></TT
+>
 and
-<em class="parameter"><code>data</code></em>.
-</p></dd>
-<dt><span class="term">
-<span><strong class="command">show</strong></span>
-</span></dt>
-<dd><p>
-Displays the current message, containing all of the prerequisites and
-updates specified since the last send.
-</p></dd>
-<dt><span class="term">
-<span><strong class="command">send</strong></span>
-</span></dt>
-<dd><p>
-Sends the current message.  This is equivalent to entering a blank line.
-</p></dd>
-</dl></div>
-<p>
-</p>
-<p>
-Lines beginning with a semicolon are comments and are ignored.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2544142"></a><h2>EXAMPLES</h2>
-<p>
-The examples below show how
-<span><strong class="command">nsupdate</strong></span>
+<TT
+CLASS="PARAMETER"
+><I
+>data</I
+></TT
+>.</P
+></DD
+><DT
+><P
+><B
+CLASS="COMMAND"
+>show</B
+> </P
+></DT
+><DD
+><P
+>Displays the current message, containing all of the prerequisites and
+updates specified since the last send.</P
+></DD
+><DT
+><P
+><B
+CLASS="COMMAND"
+>send</B
+> </P
+></DT
+><DD
+><P
+>Sends the current message.  This is equivalent to entering a blank line.</P
+></DD
+><DT
+><P
+><B
+CLASS="COMMAND"
+>answer</B
+> </P
+></DT
+><DD
+><P
+>Displays the answer.</P
+></DD
+></DL
+></DIV
+>&#13;</P
+><P
+>Lines beginning with a semicolon are comments and are ignored.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN255"
+></A
+><H2
+>EXAMPLES</H2
+><P
+>The examples below show how
+<B
+CLASS="COMMAND"
+>nsupdate</B
+>
 could be used to insert and delete resource records from the
-<span class="type">example.com</span>
+<SPAN
+CLASS="TYPE"
+>example.com</SPAN
+>
 zone.
 Notice that the input in each example contains a trailing blank line so that
 a group of commands are sent as one dynamic update request to the
 master name server for
-<span class="type">example.com</span>.
+<SPAN
+CLASS="TYPE"
+>example.com</SPAN
+>.
 
-</p>
-<pre class="programlisting">
-# nsupdate
-&gt; update delete oldhost.example.com A
-&gt; update add newhost.example.com 86400 A 172.16.1.1
-&gt; send
-</pre>
-<p>
-</p>
-<p>
-Any A records for
-<span class="type">oldhost.example.com</span>
+<PRE
+CLASS="PROGRAMLISTING"
+># nsupdate
+&#62; update delete oldhost.example.com A
+&#62; update add newhost.example.com 86400 A 172.16.1.1
+&#62; send</PRE
+></P
+><P
+>Any A records for
+<SPAN
+CLASS="TYPE"
+>oldhost.example.com</SPAN
+>
 are deleted.
-And an A record for
-<span class="type">newhost.example.com</span>
-with IP address 172.16.1.1 is added.
-The newly-added record has a 1 day TTL (86400 seconds).
-</p>
-<pre class="programlisting">
-# nsupdate
-&gt; prereq nxdomain nickname.example.com
-&gt; update add nickname.example.com 86400 CNAME somehost.example.com
-&gt; send
-</pre>
-<p>
-</p>
-<p>
-The prerequisite condition gets the name server to check that there
+and an A record for
+<SPAN
+CLASS="TYPE"
+>newhost.example.com</SPAN
+>
+it IP address 172.16.1.1 is added.
+The newly-added record has a 1 day TTL (86400 seconds)
+<PRE
+CLASS="PROGRAMLISTING"
+># nsupdate
+&#62; prereq nxdomain nickname.example.com
+&#62; update add nickname.example.com 86400 CNAME somehost.example.com
+&#62; send</PRE
+></P
+><P
+>The prerequisite condition gets the name server to check that there
 are no resource records of any type for
-<span class="type">nickname.example.com</span>.
+<SPAN
+CLASS="TYPE"
+>nickname.example.com</SPAN
+>.
 
 If there are, the update request fails.
 If this name does not exist, a CNAME for it is added.
@@ -423,49 +908,149 @@ This ensures that when the CNAME is added, it cannot conflict with the
 long-standing rule in RFC1034 that a name must not exist as any other
 record type if it exists as a CNAME.
 (The rule has been updated for DNSSEC in RFC2535 to allow CNAMEs to have
-SIG, KEY and NXT records.)
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2544186"></a><h2>FILES</h2>
-<div class="variablelist"><dl>
-<dt><span class="term"><code class="constant">/etc/resolv.conf</code></span></dt>
-<dd><p>
-used to identify default name server
-</p></dd>
-<dt><span class="term"><code class="constant">K{name}.+157.+{random}.key</code></span></dt>
-<dd><p>
-base-64 encoding of HMAC-MD5 key created by
-<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>.
-</p></dd>
-<dt><span class="term"><code class="constant">K{name}.+157.+{random}.private</code></span></dt>
-<dd><p>
-base-64 encoding of HMAC-MD5 key created by
-<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>.
-</p></dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2544323"></a><h2>SEE ALSO</h2>
-<p>
-<span class="citerefentry"><span class="refentrytitle">RFC2136</span></span>,
-<span class="citerefentry"><span class="refentrytitle">RFC3007</span></span>,
-<span class="citerefentry"><span class="refentrytitle">RFC2104</span></span>,
-<span class="citerefentry"><span class="refentrytitle">RFC2845</span></span>,
-<span class="citerefentry"><span class="refentrytitle">RFC1034</span></span>,
-<span class="citerefentry"><span class="refentrytitle">RFC2535</span></span>,
-<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
-<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2544388"></a><h2>BUGS</h2>
-<p>
-The TSIG key is redundantly stored in two separate files.
+RRSIG, DNSKEY and NSEC records.)</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN268"
+></A
+><H2
+>FILES</H2
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="CONSTANT"
+>/etc/resolv.conf</TT
+></DT
+><DD
+><P
+>used to identify default name server</P
+></DD
+><DT
+><TT
+CLASS="CONSTANT"
+>K{name}.+157.+{random}.key</TT
+></DT
+><DD
+><P
+>base-64 encoding of HMAC-MD5 key created by
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>dnssec-keygen</SPAN
+>(8)</SPAN
+>.</P
+></DD
+><DT
+><TT
+CLASS="CONSTANT"
+>K{name}.+157.+{random}.private</TT
+></DT
+><DD
+><P
+>base-64 encoding of HMAC-MD5 key created by
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>dnssec-keygen</SPAN
+>(8)</SPAN
+>.</P
+></DD
+></DL
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN292"
+></A
+><H2
+>SEE ALSO</H2
+><P
+><SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>RFC2136</SPAN
+></SPAN
+>,
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>RFC3007</SPAN
+></SPAN
+>,
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>RFC2104</SPAN
+></SPAN
+>,
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>RFC2845</SPAN
+></SPAN
+>,
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>RFC1034</SPAN
+></SPAN
+>,
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>RFC2535</SPAN
+></SPAN
+>,
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>RFC2931</SPAN
+></SPAN
+>,
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>named</SPAN
+>(8)</SPAN
+>,
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>dnssec-keygen</SPAN
+>(8)</SPAN
+>.&#13;</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN315"
+></A
+><H2
+>BUGS</H2
+><P
+>The TSIG key is redundantly stored in two separate files.
 This is a consequence of nsupdate using the DST library
 for its cryptographic operations, and may change in future
-releases.
-</p>
-</div>
-</div></body>
-</html>
+releases.</P
+></DIV
+></BODY
+></HTML
+>
diff --git a/bin/nsupdate/win32/nsupdate.dsp b/bin/nsupdate/win32/nsupdate.dsp
index f8fde836..2f0836db 100644
--- a/bin/nsupdate/win32/nsupdate.dsp
+++ b/bin/nsupdate/win32/nsupdate.dsp
@@ -1,103 +1,103 @@
-# Microsoft Developer Studio Project File - Name="nsupdate" - Package Owner=<4>

-# Microsoft Developer Studio Generated Build File, Format Version 6.00

-# ** DO NOT EDIT **

-

-# TARGTYPE "Win32 (x86) Console Application" 0x0103

-

-CFG=nsupdate - Win32 Debug

-!MESSAGE This is not a valid makefile. To build this project using NMAKE,

-!MESSAGE use the Export Makefile command and run

-!MESSAGE 

-!MESSAGE NMAKE /f "nsupdate.mak".

-!MESSAGE 

-!MESSAGE You can specify a configuration when running NMAKE

-!MESSAGE by defining the macro CFG on the command line. For example:

-!MESSAGE 

-!MESSAGE NMAKE /f "nsupdate.mak" CFG="nsupdate - Win32 Debug"

-!MESSAGE 

-!MESSAGE Possible choices for configuration are:

-!MESSAGE 

-!MESSAGE "nsupdate - Win32 Release" (based on "Win32 (x86) Console Application")

-!MESSAGE "nsupdate - Win32 Debug" (based on "Win32 (x86) Console Application")

-!MESSAGE 

-

-# Begin Project

-# PROP AllowPerConfigDependencies 0

-# PROP Scc_ProjName ""

-# PROP Scc_LocalPath ""

-CPP=cl.exe

-RSC=rc.exe

-

-!IF  "$(CFG)" == "nsupdate - Win32 Release"

-

-# PROP BASE Use_MFC 0

-# PROP BASE Use_Debug_Libraries 0

-# PROP BASE Output_Dir "Release"

-# PROP BASE Intermediate_Dir "Release"

-# PROP BASE Target_Dir ""

-# PROP Use_MFC 0

-# PROP Use_Debug_Libraries 0

-# PROP Output_Dir "Release"

-# PROP Intermediate_Dir "Release"

-# PROP Ignore_Export_Lib 0

-# PROP Target_Dir ""

-# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c

-# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/lwres/win32/include/lwres" /I "../../../lib/dns/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c

-# ADD BASE RSC /l 0x409 /d "NDEBUG"

-# ADD RSC /l 0x409 /d "NDEBUG"

-BSC32=bscmake.exe

-# ADD BASE BSC32 /nologo

-# ADD BSC32 /nologo

-LINK32=link.exe

-# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386

-# ADD LINK32 ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/lwres/win32/Release/liblwres.lib user32.lib advapi32.lib ws2_32.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/nsupdate.exe"

-

-!ELSEIF  "$(CFG)" == "nsupdate - Win32 Debug"

-

-# PROP BASE Use_MFC 0

-# PROP BASE Use_Debug_Libraries 1

-# PROP BASE Output_Dir "Debug"

-# PROP BASE Intermediate_Dir "Debug"

-# PROP BASE Target_Dir ""

-# PROP Use_MFC 0

-# PROP Use_Debug_Libraries 1

-# PROP Output_Dir "Debug"

-# PROP Intermediate_Dir "Debug"

-# PROP Ignore_Export_Lib 0

-# PROP Target_Dir ""

-# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c

-# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/lwres/win32/include/lwres" /I "../../../lib/dns/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c

-# SUBTRACT CPP /X /u /YX

-# ADD BASE RSC /l 0x409 /d "_DEBUG"

-# ADD RSC /l 0x409 /d "_DEBUG"

-BSC32=bscmake.exe

-# ADD BASE BSC32 /nologo

-# ADD BSC32 /nologo

-LINK32=link.exe

-# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept

-# ADD LINK32 ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/lwres/win32/Debug/liblwres.lib user32.lib advapi32.lib ws2_32.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/nsupdate.exe" /pdbtype:sept

-

-!ENDIF 

-

-# Begin Target

-

-# Name "nsupdate - Win32 Release"

-# Name "nsupdate - Win32 Debug"

-# Begin Group "Source Files"

-

-# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"

-# Begin Source File

-

-SOURCE=..\nsupdate.c

-# End Source File

-# End Group

-# Begin Group "Header Files"

-

-# PROP Default_Filter "h;hpp;hxx;hm;inl"

-# End Group

-# Begin Group "Resource Files"

-

-# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"

-# End Group

-# End Target

-# End Project

+# Microsoft Developer Studio Project File - Name="nsupdate" - Package Owner=<4>
+# Microsoft Developer Studio Generated Build File, Format Version 6.00
+# ** DO NOT EDIT **
+
+# TARGTYPE "Win32 (x86) Console Application" 0x0103
+
+CFG=nsupdate - Win32 Debug
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,
+!MESSAGE use the Export Makefile command and run
+!MESSAGE 
+!MESSAGE NMAKE /f "nsupdate.mak".
+!MESSAGE 
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "nsupdate.mak" CFG="nsupdate - Win32 Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "nsupdate - Win32 Release" (based on "Win32 (x86) Console Application")
+!MESSAGE "nsupdate - Win32 Debug" (based on "Win32 (x86) Console Application")
+!MESSAGE 
+
+# Begin Project
+# PROP AllowPerConfigDependencies 0
+# PROP Scc_ProjName ""
+# PROP Scc_LocalPath ""
+CPP=cl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "nsupdate - Win32 Release"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 0
+# PROP BASE Output_Dir "Release"
+# PROP BASE Intermediate_Dir "Release"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 0
+# PROP Output_Dir "Release"
+# PROP Intermediate_Dir "Release"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
+# ADD CPP /nologo /MT /W3 /GX /O2 /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/lwres/win32/include/lwres" /I "../../../lib/dns/include" /I "../../../lib/dns/sec/dst/include" /I "../../../lib/bind9/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
+# ADD BASE RSC /l 0x409 /d "NDEBUG"
+# ADD RSC /l 0x409 /d "NDEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
+# ADD LINK32 ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/lwres/win32/Release/liblwres.lib user32.lib advapi32.lib ws2_32.lib  ../../../lib/bind9/win32/Release/libbind9.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/nsupdate.exe"
+
+!ELSEIF  "$(CFG)" == "nsupdate - Win32 Debug"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 1
+# PROP BASE Output_Dir "Debug"
+# PROP BASE Intermediate_Dir "Debug"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 1
+# PROP Output_Dir "Debug"
+# PROP Intermediate_Dir "Debug"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c
+# ADD CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/lwres/win32/include/lwres" /I "../../../lib/dns/include" /I "../../../lib/dns/sec/dst/include" /I "../../../lib/bind9/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
+# SUBTRACT CPP /X /u /YX
+# ADD BASE RSC /l 0x409 /d "_DEBUG"
+# ADD RSC /l 0x409 /d "_DEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
+# ADD LINK32 ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/lwres/win32/Debug/liblwres.lib user32.lib advapi32.lib ws2_32.lib  ../../../lib/bind9/win32/Debug/libbind9.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/nsupdate.exe" /pdbtype:sept
+
+!ENDIF 
+
+# Begin Target
+
+# Name "nsupdate - Win32 Release"
+# Name "nsupdate - Win32 Debug"
+# Begin Group "Source Files"
+
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
+# Begin Source File
+
+SOURCE=..\nsupdate.c
+# End Source File
+# End Group
+# Begin Group "Header Files"
+
+# PROP Default_Filter "h;hpp;hxx;hm;inl"
+# End Group
+# Begin Group "Resource Files"
+
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"
+# End Group
+# End Target
+# End Project
diff --git a/bin/nsupdate/win32/nsupdate.dsw b/bin/nsupdate/win32/nsupdate.dsw
index 5f0ac362..e3b77722 100644
--- a/bin/nsupdate/win32/nsupdate.dsw
+++ b/bin/nsupdate/win32/nsupdate.dsw
@@ -1,29 +1,29 @@
-Microsoft Developer Studio Workspace File, Format Version 6.00

-# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!

-

-###############################################################################

-

-Project: "nsupdate"=".\nsupdate.dsp" - Package Owner=<4>

-

-Package=<5>

-{{{

-}}}

-

-Package=<4>

-{{{

-}}}

-

-###############################################################################

-

-Global:

-

-Package=<5>

-{{{

-}}}

-

-Package=<3>

-{{{

-}}}

-

-###############################################################################

-

+Microsoft Developer Studio Workspace File, Format Version 6.00
+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!
+
+###############################################################################
+
+Project: "nsupdate"=".\nsupdate.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+}}}
+
+###############################################################################
+
+Global:
+
+Package=<5>
+{{{
+}}}
+
+Package=<3>
+{{{
+}}}
+
+###############################################################################
+
diff --git a/bin/nsupdate/win32/nsupdate.mak b/bin/nsupdate/win32/nsupdate.mak
index 118d196b..80e39145 100644
--- a/bin/nsupdate/win32/nsupdate.mak
+++ b/bin/nsupdate/win32/nsupdate.mak
@@ -1,300 +1,276 @@
-# Microsoft Developer Studio Generated NMAKE File, Based on nsupdate.dsp

-!IF "$(CFG)" == ""

-CFG=nsupdate - Win32 Debug

-!MESSAGE No configuration specified. Defaulting to nsupdate - Win32 Debug.

-!ENDIF 

-

-!IF "$(CFG)" != "nsupdate - Win32 Release" && "$(CFG)" != "nsupdate - Win32 Debug"

-!MESSAGE Invalid configuration "$(CFG)" specified.

-!MESSAGE You can specify a configuration when running NMAKE

-!MESSAGE by defining the macro CFG on the command line. For example:

-!MESSAGE 

-!MESSAGE NMAKE /f "nsupdate.mak" CFG="nsupdate - Win32 Debug"

-!MESSAGE 

-!MESSAGE Possible choices for configuration are:

-!MESSAGE 

-!MESSAGE "nsupdate - Win32 Release" (based on "Win32 (x86) Console Application")

-!MESSAGE "nsupdate - Win32 Debug" (based on "Win32 (x86) Console Application")

-!MESSAGE 

-!ERROR An invalid configuration is specified.

-!ENDIF 

-

-!IF "$(OS)" == "Windows_NT"

-NULL=

-!ELSE 

-NULL=nul

-!ENDIF 

-

-!IF  "$(CFG)" == "nsupdate - Win32 Release"

-_VC_MANIFEST_INC=0

-_VC_MANIFEST_BASENAME=__VC80

-!ELSE

-_VC_MANIFEST_INC=1

-_VC_MANIFEST_BASENAME=__VC80.Debug

-!ENDIF

-

-####################################################

-# Specifying name of temporary resource file used only in incremental builds:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res

-!else

-_VC_MANIFEST_AUTO_RES=

-!endif

-

-####################################################

-# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-

-#MT_SPECIAL_RETURN=1090650113

-#MT_SPECIAL_SWITCH=-notify_resource_update

-MT_SPECIAL_RETURN=0

-MT_SPECIAL_SWITCH=

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \

-if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \

-rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \

-link $** /out:$@ $(LFLAGS)

-

-!else

-

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1

-

-!endif

-

-####################################################

-# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-

-#MT_SPECIAL_RETURN=1090650113

-#MT_SPECIAL_SWITCH=-notify_resource_update

-MT_SPECIAL_RETURN=0

-MT_SPECIAL_SWITCH=

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \

-if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \

-rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \

-link $** /out:$@ $(LFLAGS)

-

-!else

-

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2

-

-!endif

-####################################################

-# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-

-_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \

-    $(_VC_MANIFEST_BASENAME).auto.rc \

-    $(_VC_MANIFEST_BASENAME).auto.manifest

-

-!else

-

-_VC_MANIFEST_CLEAN=

-

-!endif

-

-!IF  "$(CFG)" == "nsupdate - Win32 Release"

-

-OUTDIR=.\Release

-INTDIR=.\Release

-

-ALL : "..\..\..\Build\Release\nsupdate.exe"

-

-

-CLEAN :

-	-@erase "$(INTDIR)\nsupdate.obj"

-	-@erase "$(INTDIR)\vc60.idb"

-	-@erase "..\..\..\Build\Release\nsupdate.exe"

-	-@$(_VC_MANIFEST_CLEAN)

-

-"$(OUTDIR)" :

-    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"

-

-CPP=cl.exe

-CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/lwres/win32/include/lwres" /I "../../../lib/dns/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\nsupdate.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 

-

-.c{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.c{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-RSC=rc.exe

-BSC32=bscmake.exe

-BSC32_FLAGS=/nologo /o"$(OUTDIR)\nsupdate.bsc" 

-BSC32_SBRS= \

-	

-LINK32=link.exe

-LINK32_FLAGS=../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/lwres/win32/Release/liblwres.lib user32.lib advapi32.lib ws2_32.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\nsupdate.pdb" /machine:I386 /out:"../../../Build/Release/nsupdate.exe" 

-LINK32_OBJS= \

-	"$(INTDIR)\nsupdate.obj"

-

-"..\..\..\Build\Release\nsupdate.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)

-    $(LINK32) @<<

-  $(LINK32_FLAGS) $(LINK32_OBJS)

-<<

-    $(_VC_MANIFEST_EMBED_EXE)

-

-!ELSEIF  "$(CFG)" == "nsupdate - Win32 Debug"

-

-OUTDIR=.\Debug

-INTDIR=.\Debug

-# Begin Custom Macros

-OutDir=.\Debug

-# End Custom Macros

-

-ALL : "..\..\..\Build\Debug\nsupdate.exe" "$(OUTDIR)\nsupdate.bsc"

-

-

-CLEAN :

-	-@erase "$(INTDIR)\nsupdate.obj"

-	-@erase "$(INTDIR)\nsupdate.sbr"

-	-@erase "$(INTDIR)\vc60.idb"

-	-@erase "$(INTDIR)\vc60.pdb"

-	-@erase "$(OUTDIR)\nsupdate.bsc"

-	-@erase "$(OUTDIR)\nsupdate.pdb"

-	-@erase "..\..\..\Build\Debug\nsupdate.exe"

-	-@erase "..\..\..\Build\Debug\nsupdate.ilk"

-	-@$(_VC_MANIFEST_CLEAN)

-

-"$(OUTDIR)" :

-    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"

-

-CPP=cl.exe

-CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/lwres/win32/include/lwres" /I "../../../lib/dns/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 

-

-.c{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.c{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-RSC=rc.exe

-BSC32=bscmake.exe

-BSC32_FLAGS=/nologo /o"$(OUTDIR)\nsupdate.bsc" 

-BSC32_SBRS= \

-	"$(INTDIR)\nsupdate.sbr"

-

-"$(OUTDIR)\nsupdate.bsc" : "$(OUTDIR)" $(BSC32_SBRS)

-    $(BSC32) @<<

-  $(BSC32_FLAGS) $(BSC32_SBRS)

-<<

-

-LINK32=link.exe

-LINK32_FLAGS=../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/lwres/win32/Debug/liblwres.lib user32.lib advapi32.lib ws2_32.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\nsupdate.pdb" /debug /machine:I386 /out:"../../../Build/Debug/nsupdate.exe" /pdbtype:sept 

-LINK32_OBJS= \

-	"$(INTDIR)\nsupdate.obj"

-

-"..\..\..\Build\Debug\nsupdate.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)

-    $(LINK32) @<<

-  $(LINK32_FLAGS) $(LINK32_OBJS)

-<<

-    $(_VC_MANIFEST_EMBED_EXE)

-

-!ENDIF 

-

-

-!IF "$(NO_EXTERNAL_DEPS)" != "1"

-!IF EXISTS("nsupdate.dep")

-!INCLUDE "nsupdate.dep"

-!ELSE 

-!MESSAGE Warning: cannot find "nsupdate.dep"

-!ENDIF 

-!ENDIF 

-

-

-!IF "$(CFG)" == "nsupdate - Win32 Release" || "$(CFG)" == "nsupdate - Win32 Debug"

-SOURCE=..\nsupdate.c

-

-!IF  "$(CFG)" == "nsupdate - Win32 Release"

-

-

-"$(INTDIR)\nsupdate.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "nsupdate - Win32 Debug"

-

-

-"$(INTDIR)\nsupdate.obj"	"$(INTDIR)\nsupdate.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-

-!ENDIF 

-

-####################################################

-# Commands to generate initial empty manifest file and the RC file

-# that references it, and for generating the .res file:

-

-$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc

-

-$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest

-    type <<$@

-#include <winuser.h>

-1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"

-<< KEEP

-

-$(_VC_MANIFEST_BASENAME).auto.manifest :

-    type <<$@

-<?xml version='1.0' encoding='UTF-8' standalone='yes'?>

-<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>

-</assembly>

-<< KEEP

+# Microsoft Developer Studio Generated NMAKE File, Based on nsupdate.dsp
+!IF "$(CFG)" == ""
+CFG=nsupdate - Win32 Debug
+!MESSAGE No configuration specified. Defaulting to nsupdate - Win32 Debug.
+!ENDIF 
+
+!IF "$(CFG)" != "nsupdate - Win32 Release" && "$(CFG)" != "nsupdate - Win32 Debug"
+!MESSAGE Invalid configuration "$(CFG)" specified.
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "nsupdate.mak" CFG="nsupdate - Win32 Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "nsupdate - Win32 Release" (based on "Win32 (x86) Console Application")
+!MESSAGE "nsupdate - Win32 Debug" (based on "Win32 (x86) Console Application")
+!MESSAGE 
+!ERROR An invalid configuration is specified.
+!ENDIF 
+
+!IF "$(OS)" == "Windows_NT"
+NULL=
+!ELSE 
+NULL=nul
+!ENDIF 
+
+CPP=cl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "nsupdate - Win32 Release"
+
+OUTDIR=.\Release
+INTDIR=.\Release
+
+!IF "$(RECURSE)" == "0" 
+
+ALL : "..\..\..\Build\Release\nsupdate.exe"
+
+!ELSE 
+
+ALL : "libbind9 - Win32 Release" "libisc - Win32 Release" "libdns - Win32 Release" "..\..\..\Build\Release\nsupdate.exe"
+
+!ENDIF 
+
+!IF "$(RECURSE)" == "1" 
+CLEAN :"libdns - Win32 ReleaseCLEAN" "libisc - Win32 ReleaseCLEAN" "libbind9 - Win32 ReleaseCLEAN" 
+!ELSE 
+CLEAN :
+!ENDIF 
+	-@erase "$(INTDIR)\nsupdate.obj"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "..\..\..\Build\Release\nsupdate.exe"
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP_PROJ=/nologo /MT /W3 /GX /O2 /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/lwres/win32/include/lwres" /I "../../../lib/dns/include" /I "../../../lib/dns/sec/dst/include" /I "../../../lib/bind9/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\nsupdate.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\nsupdate.bsc" 
+BSC32_SBRS= \
+	
+LINK32=link.exe
+LINK32_FLAGS=../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/lwres/win32/Release/liblwres.lib user32.lib advapi32.lib ws2_32.lib  ../../../lib/bind9/win32/Release/libbind9.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\nsupdate.pdb" /machine:I386 /out:"../../../Build/Release/nsupdate.exe" 
+LINK32_OBJS= \
+	"$(INTDIR)\nsupdate.obj" \
+	"..\..\..\lib\dns\win32\Release\libdns.lib" \
+	"..\..\..\lib\isc\win32\Release\libisc.lib" \
+	"..\..\..\lib\bind9\win32\Release\libbind9.lib"
+
+"..\..\..\Build\Release\nsupdate.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+
+!ELSEIF  "$(CFG)" == "nsupdate - Win32 Debug"
+
+OUTDIR=.\Debug
+INTDIR=.\Debug
+# Begin Custom Macros
+OutDir=.\Debug
+# End Custom Macros
+
+!IF "$(RECURSE)" == "0" 
+
+ALL : "..\..\..\Build\Debug\nsupdate.exe" "$(OUTDIR)\nsupdate.bsc"
+
+!ELSE 
+
+ALL : "libbind9 - Win32 Debug" "libisc - Win32 Debug" "libdns - Win32 Debug" "..\..\..\Build\Debug\nsupdate.exe" "$(OUTDIR)\nsupdate.bsc"
+
+!ENDIF 
+
+!IF "$(RECURSE)" == "1" 
+CLEAN :"libdns - Win32 DebugCLEAN" "libisc - Win32 DebugCLEAN" "libbind9 - Win32 DebugCLEAN" 
+!ELSE 
+CLEAN :
+!ENDIF 
+	-@erase "$(INTDIR)\nsupdate.obj"
+	-@erase "$(INTDIR)\nsupdate.sbr"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "$(INTDIR)\vc60.pdb"
+	-@erase "$(OUTDIR)\nsupdate.bsc"
+	-@erase "$(OUTDIR)\nsupdate.pdb"
+	-@erase "..\..\..\Build\Debug\nsupdate.exe"
+	-@erase "..\..\..\Build\Debug\nsupdate.ilk"
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP_PROJ=/nologo /MTd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/lwres/win32/include/lwres" /I "../../../lib/dns/include" /I "../../../lib/dns/sec/dst/include" /I "../../../lib/bind9/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\nsupdate.bsc" 
+BSC32_SBRS= \
+	"$(INTDIR)\nsupdate.sbr"
+
+"$(OUTDIR)\nsupdate.bsc" : "$(OUTDIR)" $(BSC32_SBRS)
+    $(BSC32) @<<
+  $(BSC32_FLAGS) $(BSC32_SBRS)
+<<
+
+LINK32=link.exe
+LINK32_FLAGS=../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/lwres/win32/Debug/liblwres.lib user32.lib advapi32.lib ws2_32.lib  ../../../lib/bind9/win32/Debug/libbind9.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\nsupdate.pdb" /debug /machine:I386 /out:"../../../Build/Debug/nsupdate.exe" /pdbtype:sept 
+LINK32_OBJS= \
+	"$(INTDIR)\nsupdate.obj" \
+	"..\..\..\lib\dns\win32\Debug\libdns.lib" \
+	"..\..\..\lib\isc\win32\Debug\libisc.lib" \
+	"..\..\..\lib\bind9\win32\Debug\libbind9.lib"
+
+"..\..\..\Build\Debug\nsupdate.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+
+!ENDIF 
+
+.c{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+
+!IF "$(NO_EXTERNAL_DEPS)" != "1"
+!IF EXISTS("nsupdate.dep")
+!INCLUDE "nsupdate.dep"
+!ELSE 
+!MESSAGE Warning: cannot find "nsupdate.dep"
+!ENDIF 
+!ENDIF 
+
+
+!IF "$(CFG)" == "nsupdate - Win32 Release" || "$(CFG)" == "nsupdate - Win32 Debug"
+SOURCE=..\nsupdate.c
+
+!IF  "$(CFG)" == "nsupdate - Win32 Release"
+
+
+"$(INTDIR)\nsupdate.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "nsupdate - Win32 Debug"
+
+
+"$(INTDIR)\nsupdate.obj"	"$(INTDIR)\nsupdate.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+!IF  "$(CFG)" == "nsupdate - Win32 Release"
+
+"libdns - Win32 Release" : 
+   cd "..\..\..\lib\dns\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libdns.mak" CFG="libdns - Win32 Release" 
+   cd "..\..\..\bin\nsupdate\win32"
+
+"libdns - Win32 ReleaseCLEAN" : 
+   cd "..\..\..\lib\dns\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libdns.mak" CFG="libdns - Win32 Release" RECURSE=1 CLEAN 
+   cd "..\..\..\bin\nsupdate\win32"
+
+!ELSEIF  "$(CFG)" == "nsupdate - Win32 Debug"
+
+"libdns - Win32 Debug" : 
+   cd "..\..\..\lib\dns\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libdns.mak" CFG="libdns - Win32 Debug" 
+   cd "..\..\..\bin\nsupdate\win32"
+
+"libdns - Win32 DebugCLEAN" : 
+   cd "..\..\..\lib\dns\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libdns.mak" CFG="libdns - Win32 Debug" RECURSE=1 CLEAN 
+   cd "..\..\..\bin\nsupdate\win32"
+
+!ENDIF 
+
+!IF  "$(CFG)" == "nsupdate - Win32 Release"
+
+"libisc - Win32 Release" : 
+   cd "..\..\..\lib\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - Win32 Release" 
+   cd "..\..\..\bin\nsupdate\win32"
+
+"libisc - Win32 ReleaseCLEAN" : 
+   cd "..\..\..\lib\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - Win32 Release" RECURSE=1 CLEAN 
+   cd "..\..\..\bin\nsupdate\win32"
+
+!ELSEIF  "$(CFG)" == "nsupdate - Win32 Debug"
+
+"libisc - Win32 Debug" : 
+   cd "..\..\..\lib\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - Win32 Debug" 
+   cd "..\..\..\bin\nsupdate\win32"
+
+"libisc - Win32 DebugCLEAN" : 
+   cd "..\..\..\lib\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - Win32 Debug" RECURSE=1 CLEAN 
+   cd "..\..\..\bin\nsupdate\win32"
+
+!ENDIF 
+
+!IF  "$(CFG)" == "nsupdate - Win32 Release"
+
+"libbind9 - Win32 Release" : 
+   cd "..\..\..\lib\bind9\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libbind9.mak" CFG="libbind9 - Win32 Release" 
+   cd "..\..\..\bin\nsupdate\win32"
+
+"libbind9 - Win32 ReleaseCLEAN" : 
+   cd "..\..\..\lib\bind9\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libbind9.mak" CFG="libbind9 - Win32 Release" RECURSE=1 CLEAN 
+   cd "..\..\..\bin\nsupdate\win32"
+
+!ELSEIF  "$(CFG)" == "nsupdate - Win32 Debug"
+
+"libbind9 - Win32 Debug" : 
+   cd "..\..\..\lib\bind9\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libbind9.mak" CFG="libbind9 - Win32 Debug" 
+   cd "..\..\..\bin\nsupdate\win32"
+
+"libbind9 - Win32 DebugCLEAN" : 
+   cd "..\..\..\lib\bind9\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libbind9.mak" CFG="libbind9 - Win32 Debug" RECURSE=1 CLEAN 
+   cd "..\..\..\bin\nsupdate\win32"
+
+!ENDIF 
+
+
+!ENDIF 
+
diff --git a/bin/rndc/Makefile.in b/bin/rndc/Makefile.in
index 0cb920db..44ba2885 100644
--- a/bin/rndc/Makefile.in
+++ b/bin/rndc/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.32.2.8 2007/01/19 00:55:48 marka Exp $
+# $Id: Makefile.in,v 1.32.2.3.8.7 2004/03/08 04:04:23 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -21,10 +21,10 @@ top_srcdir =	@top_srcdir@
 
 @BIND9_VERSION@
 
-@BIND9_INCLUDES@
+@BIND9_MAKE_INCLUDES@
 
 CINCLUDES = -I${srcdir}/include ${ISC_INCLUDES} ${ISCCC_INCLUDES} \
-	${ISCCFG_INCLUDES} ${DNS_INCLUDES}
+	${ISCCFG_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES}
 
 CDEFINES =
 CWARNINGS =
@@ -32,24 +32,24 @@ CWARNINGS =
 ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
 ISCCCLIBS =	../../lib/isccc/libisccc.@A@
 ISCLIBS =	../../lib/isc/libisc.@A@
-DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_OPENSSL_LIBS@ @DNS_GSSAPI_LIBS@
+DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
+BIND9LIBS =	../../lib/bind9/libbind9.@A@
 
 ISCCFGDEPLIBS =	../../lib/isccfg/libisccfg.@A@
 ISCCCDEPLIBS =	../../lib/isccc/libisccc.@A@
 ISCDEPLIBS =	../../lib/isc/libisc.@A@
 DNSDEPLIBS =	../../lib/dns/libdns.@A@
+BIND9DEPLIBS =	../../lib/bind9/libbind9.@A@
 
-RNDCLIBS =	${ISCCFGLIBS} ${DNSLIBS} ${ISCCCLIBS} ${ISCLIBS} @LIBS@
-RNDCDEPLIBS =	${ISCCFGDEPLIBS} ${DNSDEPLIBS} ${ISCCCDEPLIBS} ${ISCDEPLIBS}
+RNDCLIBS =	${ISCCFGLIBS} ${ISCCCLIBS} ${BIND9LIBS} ${DNSLIBS} ${ISCLIBS} @LIBS@
+RNDCDEPLIBS =	${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${BIND9DEPLIBS} ${DNSDEPLIBS} ${ISCDEPLIBS}
 
 CONFLIBS =	${DNSLIBS} ${ISCLIBS} @LIBS@
 CONFDEPLIBS =	${DNSDEPLIBS} ${ISCDEPLIBS}
 
-SRCS=		rndc.c rndc-confgen.c
-
 SUBDIRS =	unix
 
-TARGETS =	rndc rndc-confgen
+TARGETS =	rndc@EXEEXT@ rndc-confgen@EXEEXT@
 
 MANPAGES =	rndc.8 rndc-confgen.8 rndc.conf.5
 
@@ -73,12 +73,12 @@ rndc-confgen.@O@: rndc-confgen.c
 		-DRNDC_KEYFILE=\"${sysconfdir}/rndc.key\" \
 		-c ${srcdir}/rndc-confgen.c
 
-rndc: rndc.@O@ util.@O@ ${RNDCDEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ rndc.@O@ util.@O@ \
+rndc@EXEEXT@: rndc.@O@ util.@O@ ${RNDCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} -o $@ rndc.@O@ util.@O@ \
 		${RNDCLIBS}
 
-rndc-confgen: rndc-confgen.@O@ util.@O@ ${UOBJS} ${CONFDEPLIBS} 
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ rndc-confgen.@O@ util.@O@ \
+rndc-confgen@EXEEXT@: rndc-confgen.@O@ util.@O@ ${UOBJS} ${CONFDEPLIBS} 
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} -o $@ rndc-confgen.@O@ util.@O@ \
 		${UOBJS} ${CONFLIBS}
 
 doc man:: ${MANOBJS}
@@ -91,9 +91,9 @@ installdirs:
 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man5
 
-install:: rndc installdirs
-	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} rndc ${DESTDIR}${sbindir}
-	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} rndc-confgen ${DESTDIR}${sbindir}
+install:: rndc@EXEEXT@ rndc-confgen@EXEEXT@ installdirs
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} rndc@EXEEXT@ ${DESTDIR}${sbindir}
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} rndc-confgen@EXEEXT@ ${DESTDIR}${sbindir}
 	${INSTALL_DATA} ${srcdir}/rndc.8 ${DESTDIR}${mandir}/man8
 	${INSTALL_DATA} ${srcdir}/rndc-confgen.8 ${DESTDIR}${mandir}/man8
 	${INSTALL_DATA} ${srcdir}/rndc.conf.5 ${DESTDIR}${mandir}/man5
diff --git a/bin/rndc/include/rndc/os.h b/bin/rndc/include/rndc/os.h
index 8e3d2e71..b5ade476 100644
--- a/bin/rndc/include/rndc/os.h
+++ b/bin/rndc/include/rndc/os.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: os.h,v 1.4.2.1 2004/03/09 06:09:28 marka Exp $ */
+/* $Id: os.h,v 1.4.206.1 2004/03/06 10:21:33 marka Exp $ */
 
 #ifndef RNDC_OS_H
 #define RNDC_OS_H 1
diff --git a/bin/rndc/rndc-confgen.8 b/bin/rndc/rndc-confgen.8
index 7311deaf..d3bd35e8 100644
--- a/bin/rndc/rndc-confgen.8
+++ b/bin/rndc/rndc-confgen.8
@@ -1,199 +1,140 @@
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2001-2003 Internet Software Consortium.
-.\" 
+.\" Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2001-2003  Internet Software Consortium.
+.\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
 .\" copyright notice and this permission notice appear in all copies.
-.\" 
+.\"
 .\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 .\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 .\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 .\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: rndc-confgen.8,v 1.3.2.14 2007/01/30 00:10:37 marka Exp $
+.\" $Id: rndc-confgen.8,v 1.3.2.5.2.2 2004/03/06 07:41:40 marka Exp $
 .\"
-.hy 0
-.ad l
-.\"     Title: rndc\-confgen
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: Aug 27, 2001
-.\"    Manual: BIND9
-.\"    Source: BIND9
-.\"
-.TH "RNDC\-CONFGEN" "8" "Aug 27, 2001" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-rndc\-confgen \- rndc key generation tool
-.SH "SYNOPSIS"
-.HP 13
-\fBrndc\-confgen\fR [\fB\-a\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-c\ \fR\fB\fIkeyfile\fR\fR] [\fB\-h\fR] [\fB\-k\ \fR\fB\fIkeyname\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-r\ \fR\fB\fIrandomfile\fR\fR] [\fB\-s\ \fR\fB\fIaddress\fR\fR] [\fB\-t\ \fR\fB\fIchrootdir\fR\fR] [\fB\-u\ \fR\fB\fIuser\fR\fR]
+.TH "RNDC-CONFGEN" "8" "Aug 27, 2001" "BIND9" ""
+.SH NAME
+rndc-confgen \- rndc key generation tool
+.SH SYNOPSIS
+.sp
+\fBrndc-confgen\fR [ \fB-a\fR ]  [ \fB-b \fIkeysize\fB\fR ]  [ \fB-c \fIkeyfile\fB\fR ]  [ \fB-h\fR ]  [ \fB-k \fIkeyname\fB\fR ]  [ \fB-p \fIport\fB\fR ]  [ \fB-r \fIrandomfile\fB\fR ]  [ \fB-s \fIaddress\fB\fR ]  [ \fB-t \fIchrootdir\fB\fR ]  [ \fB-u \fIuser\fB\fR ] 
 .SH "DESCRIPTION"
 .PP
-\fBrndc\-confgen\fR
-generates configuration files for
-\fBrndc\fR. It can be used as a convenient alternative to writing the
-\fIrndc.conf\fR
-file and the corresponding
-\fBcontrols\fR
-and
-\fBkey\fR
-statements in
-\fInamed.conf\fR
-by hand. Alternatively, it can be run with the
-\fB\-a\fR
-option to set up a
-\fIrndc.key\fR
-file and avoid the need for a
-\fIrndc.conf\fR
-file and a
-\fBcontrols\fR
-statement altogether.
+\fBrndc-confgen\fR generates configuration files
+for \fBrndc\fR. It can be used as a
+convenient alternative to writing the
+\fIrndc.conf\fR file
+and the corresponding \fBcontrols\fR
+and \fBkey\fR
+statements in \fInamed.conf\fR by hand.
+Alternatively, it can be run with the \fB-a\fR
+option to set up a \fIrndc.key\fR file and
+avoid the need for a \fIrndc.conf\fR file
+and a \fBcontrols\fR statement altogether.
 .SH "OPTIONS"
-.PP
-\-a
-.RS 4
-Do automatic
-\fBrndc\fR
-configuration. This creates a file
-\fIrndc.key\fR
-in
-\fI/etc\fR
-(or whatever
-\fIsysconfdir\fR
-was specified as when
-BIND
-was built) that is read by both
-\fBrndc\fR
-and
-\fBnamed\fR
-on startup. The
-\fIrndc.key\fR
-file defines a default command channel and authentication key allowing
-\fBrndc\fR
-to communicate with
-\fBnamed\fR
-with no further configuration.
-.sp
-Running
-\fBrndc\-confgen \-a\fR
-allows BIND 9 and
-\fBrndc\fR
-to be used as drop\-in replacements for BIND 8 and
-\fBndc\fR, with no changes to the existing BIND 8
+.TP
+\fB-a\fR
+Do automatic \fBrndc\fR configuration.
+This creates a file \fIrndc.key\fR
+in \fI/etc\fR (or whatever
+sysconfdir
+was specified as when BIND was built)
+that is read by both \fBrndc\fR
+and \fBnamed\fR on startup. The
+\fIrndc.key\fR file defines a default
+command channel and authentication key allowing
+\fBrndc\fR to communicate with
+\fBnamed\fR on the local host
+with no further configuration. 
+
+Running \fBrndc-confgen -a\fR allows
+BIND 9 and \fBrndc\fR to be used as drop-in
+replacements for BIND 8 and \fBndc\fR,
+with no changes to the existing BIND 8
+\fInamed.conf\fR file.
+
+If a more elaborate configuration than that
+generated by \fBrndc-confgen -a\fR
+is required, for example if rndc is to be used remotely,
+you should run \fBrndc-confgen\fR without the
+\fB-a\fR option and set up a
+\fIrndc.conf\fR and
 \fInamed.conf\fR
-file.
-.RE
-.PP
-\-b \fIkeysize\fR
-.RS 4
-Specifies the size of the authentication key in bits. Must be between 1 and 512 bits; the default is 128.
-.RE
-.PP
-\-c \fIkeyfile\fR
-.RS 4
-Used with the
-\fB\-a\fR
-option to specify an alternate location for
-\fIrndc.key\fR.
-.RE
-.PP
-\-h
-.RS 4
+as directed.
+.TP
+\fB-b \fIkeysize\fB\fR
+Specifies the size of the authentication key in bits.
+Must be between 1 and 512 bits; the default is 128.
+.TP
+\fB-c \fIkeyfile\fB\fR
+Used with the \fB-a\fR option to specify
+an alternate location for \fIrndc.key\fR.
+.TP
+\fB-h\fR
 Prints a short summary of the options and arguments to
-\fBrndc\-confgen\fR.
-.RE
-.PP
-\-k \fIkeyname\fR
-.RS 4
-Specifies the key name of the rndc authentication key. This must be a valid domain name. The default is
-\fBrndc\-key\fR.
-.RE
-.PP
-\-p \fIport\fR
-.RS 4
-Specifies the command channel port where
-\fBnamed\fR
-listens for connections from
-\fBrndc\fR. The default is 953.
-.RE
-.PP
-\-r \fIrandomfile\fR
-.RS 4
-Specifies a source of random data for generating the authorization. If the operating system does not provide a
-\fI/dev/random\fR
-or equivalent device, the default source of randomness is keyboard input.
-\fIrandomdev\fR
-specifies the name of a character device or file containing random data to be used instead of the default. The special value
-\fIkeyboard\fR
-indicates that keyboard input should be used.
-.RE
-.PP
-\-s \fIaddress\fR
-.RS 4
-Specifies the IP address where
-\fBnamed\fR
+\fBrndc-confgen\fR.
+.TP
+\fB-k \fIkeyname\fB\fR
+Specifies the key name of the rndc authentication key.
+This must be a valid domain name.
+The default is rndc-key.
+.TP
+\fB-p \fIport\fB\fR
+Specifies the command channel port where \fBnamed\fR
+listens for connections from \fBrndc\fR.
+The default is 953.
+.TP
+\fB-r \fIrandomfile\fB\fR
+Specifies a source of random data for generating the
+authorization. If the operating
+system does not provide a \fI/dev/random\fR
+or equivalent device, the default source of randomness
+is keyboard input. \fIrandomdev\fR specifies
+the name of a character device or file containing random
+data to be used instead of the default. The special value
+\fIkeyboard\fR indicates that keyboard
+input should be used.
+.TP
+\fB-s \fIaddress\fB\fR
+Specifies the IP address where \fBnamed\fR
 listens for command channel connections from
-\fBrndc\fR. The default is the loopback address 127.0.0.1.
-.RE
-.PP
-\-t \fIchrootdir\fR
-.RS 4
-Used with the
-\fB\-a\fR
-option to specify a directory where
-\fBnamed\fR
-will run chrooted. An additional copy of the
-\fIrndc.key\fR
-will be written relative to this directory so that it will be found by the chrooted
-\fBnamed\fR.
-.RE
-.PP
-\-u \fIuser\fR
-.RS 4
-Used with the
-\fB\-a\fR
-option to set the owner of the
-\fIrndc.key\fR
-file generated. If
-\fB\-t\fR
-is also specified only the file in the chroot area has its owner changed.
-.RE
+\fBrndc\fR. The default is the loopback
+address 127.0.0.1.
+.TP
+\fB-t \fIchrootdir\fB\fR
+Used with the \fB-a\fR option to specify
+a directory where \fBnamed\fR will run
+chrooted. An additional copy of the \fIrndc.key\fR
+will be written relative to this directory so that
+it will be found by the chrooted \fBnamed\fR.
+.TP
+\fB-u \fIuser\fB\fR
+Used with the \fB-a\fR option to set the owner
+of the \fIrndc.key\fR file generated. If
+\fB-t\fR is also specified only the file in
+the chroot area has its owner changed.
 .SH "EXAMPLES"
 .PP
-To allow
-\fBrndc\fR
-to be used with no manual configuration, run
+To allow \fBrndc\fR to be used with
+no manual configuration, run
 .PP
-\fBrndc\-confgen \-a\fR
+\fBrndc-confgen -a\fR
 .PP
-To print a sample
-\fIrndc.conf\fR
-file and corresponding
-\fBcontrols\fR
-and
-\fBkey\fR
-statements to be manually inserted into
-\fInamed.conf\fR, run
+To print a sample \fIrndc.conf\fR file and
+corresponding \fBcontrols\fR and \fBkey\fR
+statements to be manually inserted into \fInamed.conf\fR,
+run
 .PP
-\fBrndc\-confgen\fR
+\fBrndc-confgen\fR
 .SH "SEE ALSO"
 .PP
 \fBrndc\fR(8),
 \fBrndc.conf\fR(5),
 \fBnamed\fR(8),
-BIND 9 Administrator Reference Manual.
+\fIBIND 9 Administrator Reference Manual\fR.
 .SH "AUTHOR"
 .PP
-Internet Systems Consortium
-.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2001\-2003 Internet Software Consortium.
-.br
+Internet Software Consortium
diff --git a/bin/rndc/rndc-confgen.c b/bin/rndc/rndc-confgen.c
index fc5dba66..ef0d4973 100644
--- a/bin/rndc/rndc-confgen.c
+++ b/bin/rndc/rndc-confgen.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rndc-confgen.c,v 1.9.2.8 2004/09/28 07:18:28 marka Exp $ */
+/* $Id: rndc-confgen.c,v 1.9.2.6.2.4 2004/03/06 10:21:31 marka Exp $ */
 
 #include <config.h>
 
@@ -105,6 +105,7 @@ write_key_file(const char *keyfile, const char *user,
 		fatal("write to %s failed\n", keyfile);
 	if (fclose(fd))
 		fatal("fclose(%s) failed\n", keyfile);
+	fprintf(stderr, "wrote key file \"%s\"\n", keyfile);
 }
 
 int
@@ -171,7 +172,7 @@ main(int argc, char **argv) {
 			keyname = isc_commandline_argument;
 			break;
 		case 'M':
-			isc_mem_debugging = 1;
+			isc_mem_debugging = ISC_MEM_DEBUGTRACE;
 			break;
 
 		case 'm':
@@ -272,8 +273,7 @@ main(int argc, char **argv) {
 			buf = isc_mem_get(mctx, len);
 			if (buf == NULL)
 				fatal("isc_mem_get(%d) failed\n", len);
-			snprintf(buf, len, "%s%s%s", chrootdir,
-				 (*keyfile != '/') ? "/" : "", keyfile);
+			snprintf(buf, len, "%s/%s", chrootdir, keyfile);
 			
 			write_key_file(buf, user, keyname, &key_txtbuffer);
 			isc_mem_put(mctx, buf, len);
diff --git a/bin/rndc/rndc-confgen.docbook b/bin/rndc/rndc-confgen.docbook
index 0b33fb72..5f82e7e1 100644
--- a/bin/rndc/rndc-confgen.docbook
+++ b/bin/rndc/rndc-confgen.docbook
@@ -1,9 +1,7 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
 <!--
- - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2001-2003  Internet Software Consortium.
+ - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001, 2003  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -18,7 +16,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: rndc-confgen.docbook,v 1.3.2.7 2007/01/29 23:57:17 marka Exp $ -->
+<!-- $Id: rndc-confgen.docbook,v 1.3.2.1.4.2 2004/03/06 10:21:32 marka Exp $ -->
 
 <refentry>
   <refentryinfo>
@@ -31,21 +29,6 @@
     <refmiscinfo>BIND9</refmiscinfo>
   </refmeta>
 
-  <docinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2007</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-    <copyright>
-      <year>2001</year>
-      <year>2002</year>
-      <year>2003</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
-  </docinfo>
-
   <refnamediv>
     <refname><application>rndc-confgen</application></refname>
     <refpurpose>rndc key generation tool</refpurpose>
@@ -103,7 +86,8 @@
 	      <filename>rndc.key</filename> file defines a default
               command channel and authentication key allowing
 	      <command>rndc</command> to communicate with
-	      <command>named</command> with no further configuration.
+	      <command>named</command> on the local host
+	      with no further configuration.  
 	  </para>
 	  <para>
 	      Running <command>rndc-confgen -a</command> allows
@@ -112,6 +96,16 @@
 	      with no changes to the existing BIND 8
 	      <filename>named.conf</filename> file.
 	  </para>
+          <para>
+	      If a more elaborate configuration than that
+	      generated by <command>rndc-confgen -a</command>
+	      is required, for example if rndc is to be used remotely,
+	      you should run <command>rndc-confgen</command> without the
+	      <command>-a</command> option and set up a
+	      <filename>rndc.conf</filename> and
+	      <filename>named.conf</filename>
+	      as directed.
+          </para>
 	</listitem>
       </varlistentry>
 
@@ -266,7 +260,7 @@
   <refsect1>
     <title>AUTHOR</title>
     <para>
-        <corpauthor>Internet Systems Consortium</corpauthor>
+        <corpauthor>Internet Software Consortium</corpauthor>
     </para>
   </refsect1>
 
diff --git a/bin/rndc/rndc-confgen.html b/bin/rndc/rndc-confgen.html
index 46086f71..09f3d51a 100644
--- a/bin/rndc/rndc-confgen.html
+++ b/bin/rndc/rndc-confgen.html
@@ -1,174 +1,574 @@
 <!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2001-2003 Internet Software Consortium.
- - 
+ - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001-2003  Internet Software Consortium.
+ -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
- - 
+ -
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: rndc-confgen.html,v 1.3.2.21 2007/01/30 00:10:37 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>rndc-confgen</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476275"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p><span class="application">rndc-confgen</span> &#8212; rndc key generation tool</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">rndc-confgen</code>  [<code class="option">-a</code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-c <em class="replaceable"><code>keyfile</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [<code class="option">-s <em class="replaceable"><code>address</code></em></code>] [<code class="option">-t <em class="replaceable"><code>chrootdir</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>]</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543420"></a><h2>DESCRIPTION</h2>
-<p>
-        <span><strong class="command">rndc-confgen</strong></span> generates configuration files
-	for <span><strong class="command">rndc</strong></span>.  It can be used as a
+
+<!-- $Id: rndc-confgen.html,v 1.3.2.5.2.2 2004/03/06 10:21:32 marka Exp $ -->
+
+<HTML
+><HEAD
+><TITLE
+>rndc-confgen</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.73
+"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+><SPAN
+CLASS="APPLICATION"
+>rndc-confgen</SPAN
+></A
+></H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN9"
+></A
+><H2
+>Name</H2
+><SPAN
+CLASS="APPLICATION"
+>rndc-confgen</SPAN
+>&nbsp;--&nbsp;rndc key generation tool</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN13"
+></A
+><H2
+>Synopsis</H2
+><P
+><B
+CLASS="COMMAND"
+>rndc-confgen</B
+>  [<TT
+CLASS="OPTION"
+>-a</TT
+>] [<TT
+CLASS="OPTION"
+>-b <TT
+CLASS="REPLACEABLE"
+><I
+>keysize</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-c <TT
+CLASS="REPLACEABLE"
+><I
+>keyfile</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-h</TT
+>] [<TT
+CLASS="OPTION"
+>-k <TT
+CLASS="REPLACEABLE"
+><I
+>keyname</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-p <TT
+CLASS="REPLACEABLE"
+><I
+>port</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-r <TT
+CLASS="REPLACEABLE"
+><I
+>randomfile</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-s <TT
+CLASS="REPLACEABLE"
+><I
+>address</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-t <TT
+CLASS="REPLACEABLE"
+><I
+>chrootdir</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-u <TT
+CLASS="REPLACEABLE"
+><I
+>user</I
+></TT
+></TT
+>]</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN44"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+>        <B
+CLASS="COMMAND"
+>rndc-confgen</B
+> generates configuration files
+	for <B
+CLASS="COMMAND"
+>rndc</B
+>.  It can be used as a
         convenient alternative to writing the
-        <code class="filename">rndc.conf</code> file
-        and the corresponding <span><strong class="command">controls</strong></span>
-        and <span><strong class="command">key</strong></span>
-	statements in <code class="filename">named.conf</code> by hand.
-        Alternatively, it can be run with the <span><strong class="command">-a</strong></span>
-        option to set up a <code class="filename">rndc.key</code> file and
-        avoid the need for a <code class="filename">rndc.conf</code> file
-        and a <span><strong class="command">controls</strong></span> statement altogether.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543466"></a><h2>OPTIONS</h2>
-<div class="variablelist"><dl>
-<dt><span class="term">-a</span></dt>
-<dd>
-<p>
-	      Do automatic <span><strong class="command">rndc</strong></span> configuration.
-	      This creates a file <code class="filename">rndc.key</code>
-	      in <code class="filename">/etc</code> (or whatever
-              <code class="varname">sysconfdir</code>
-	      was specified as when <acronym class="acronym">BIND</acronym> was built)
-              that is read by both <span><strong class="command">rndc</strong></span>
-              and <span><strong class="command">named</strong></span> on startup.  The
-	      <code class="filename">rndc.key</code> file defines a default
+        <TT
+CLASS="FILENAME"
+>rndc.conf</TT
+> file
+        and the corresponding <B
+CLASS="COMMAND"
+>controls</B
+>
+        and <B
+CLASS="COMMAND"
+>key</B
+>
+	statements in <TT
+CLASS="FILENAME"
+>named.conf</TT
+> by hand.
+        Alternatively, it can be run with the <B
+CLASS="COMMAND"
+>-a</B
+>
+        option to set up a <TT
+CLASS="FILENAME"
+>rndc.key</TT
+> file and
+        avoid the need for a <TT
+CLASS="FILENAME"
+>rndc.conf</TT
+> file
+        and a <B
+CLASS="COMMAND"
+>controls</B
+> statement altogether.
+    </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN57"
+></A
+><H2
+>OPTIONS</H2
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+>-a</DT
+><DD
+><P
+>	      Do automatic <B
+CLASS="COMMAND"
+>rndc</B
+> configuration.
+	      This creates a file <TT
+CLASS="FILENAME"
+>rndc.key</TT
+>
+	      in <TT
+CLASS="FILENAME"
+>/etc</TT
+> (or whatever
+              <TT
+CLASS="VARNAME"
+>sysconfdir</TT
+>
+	      was specified as when <SPAN
+CLASS="ACRONYM"
+>BIND</SPAN
+> was built)
+              that is read by both <B
+CLASS="COMMAND"
+>rndc</B
+>
+              and <B
+CLASS="COMMAND"
+>named</B
+> on startup.  The
+	      <TT
+CLASS="FILENAME"
+>rndc.key</TT
+> file defines a default
               command channel and authentication key allowing
-	      <span><strong class="command">rndc</strong></span> to communicate with
-	      <span><strong class="command">named</strong></span> with no further configuration.
-	  </p>
-<p>
-	      Running <span><strong class="command">rndc-confgen -a</strong></span> allows
-	      BIND 9 and <span><strong class="command">rndc</strong></span> to be used as drop-in
-	      replacements for BIND 8 and <span><strong class="command">ndc</strong></span>,
+	      <B
+CLASS="COMMAND"
+>rndc</B
+> to communicate with
+	      <B
+CLASS="COMMAND"
+>named</B
+> on the local host
+	      with no further configuration.  
+	  </P
+><P
+>	      Running <B
+CLASS="COMMAND"
+>rndc-confgen -a</B
+> allows
+	      BIND 9 and <B
+CLASS="COMMAND"
+>rndc</B
+> to be used as drop-in
+	      replacements for BIND 8 and <B
+CLASS="COMMAND"
+>ndc</B
+>,
 	      with no changes to the existing BIND 8
-	      <code class="filename">named.conf</code> file.
-	  </p>
-</dd>
-<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
-<dd><p>
-	       Specifies the size of the authentication key in bits.
+	      <TT
+CLASS="FILENAME"
+>named.conf</TT
+> file.
+	  </P
+><P
+>	      If a more elaborate configuration than that
+	      generated by <B
+CLASS="COMMAND"
+>rndc-confgen -a</B
+>
+	      is required, for example if rndc is to be used remotely,
+	      you should run <B
+CLASS="COMMAND"
+>rndc-confgen</B
+> without the
+	      <B
+CLASS="COMMAND"
+>-a</B
+> option and set up a
+	      <TT
+CLASS="FILENAME"
+>rndc.conf</TT
+> and
+	      <TT
+CLASS="FILENAME"
+>named.conf</TT
+>
+	      as directed.
+          </P
+></DD
+><DT
+>-b <TT
+CLASS="REPLACEABLE"
+><I
+>keysize</I
+></TT
+></DT
+><DD
+><P
+>	       Specifies the size of the authentication key in bits.
 	       Must be between 1 and 512 bits; the default is 128.
-	  </p></dd>
-<dt><span class="term">-c <em class="replaceable"><code>keyfile</code></em></span></dt>
-<dd><p>
-	       Used with the <span><strong class="command">-a</strong></span> option to specify
-	       an alternate location for <code class="filename">rndc.key</code>.
-	  </p></dd>
-<dt><span class="term">-h</span></dt>
-<dd><p>
-	       Prints a short summary of the options and arguments to
-	       <span><strong class="command">rndc-confgen</strong></span>.
-	  </p></dd>
-<dt><span class="term">-k <em class="replaceable"><code>keyname</code></em></span></dt>
-<dd><p>
-	       Specifies the key name of the rndc authentication key.
+	  </P
+></DD
+><DT
+>-c <TT
+CLASS="REPLACEABLE"
+><I
+>keyfile</I
+></TT
+></DT
+><DD
+><P
+>	       Used with the <B
+CLASS="COMMAND"
+>-a</B
+> option to specify
+	       an alternate location for <TT
+CLASS="FILENAME"
+>rndc.key</TT
+>.
+	  </P
+></DD
+><DT
+>-h</DT
+><DD
+><P
+>	       Prints a short summary of the options and arguments to
+	       <B
+CLASS="COMMAND"
+>rndc-confgen</B
+>.
+	  </P
+></DD
+><DT
+>-k <TT
+CLASS="REPLACEABLE"
+><I
+>keyname</I
+></TT
+></DT
+><DD
+><P
+>	       Specifies the key name of the rndc authentication key.
 	       This must be a valid domain name.
-	       The default is <code class="constant">rndc-key</code>.
-	  </p></dd>
-<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
-<dd><p>
-	       Specifies the command channel port where <span><strong class="command">named</strong></span>
-	       listens for connections from <span><strong class="command">rndc</strong></span>.
+	       The default is <TT
+CLASS="CONSTANT"
+>rndc-key</TT
+>.
+	  </P
+></DD
+><DT
+>-p <TT
+CLASS="REPLACEABLE"
+><I
+>port</I
+></TT
+></DT
+><DD
+><P
+>	       Specifies the command channel port where <B
+CLASS="COMMAND"
+>named</B
+>
+	       listens for connections from <B
+CLASS="COMMAND"
+>rndc</B
+>.
 	       The default is 953.
-	  </p></dd>
-<dt><span class="term">-r <em class="replaceable"><code>randomfile</code></em></span></dt>
-<dd><p>
-	       Specifies a source of random data for generating the
+	  </P
+></DD
+><DT
+>-r <TT
+CLASS="REPLACEABLE"
+><I
+>randomfile</I
+></TT
+></DT
+><DD
+><P
+>	       Specifies a source of random data for generating the
 	       authorization.  If the operating
-	       system does not provide a <code class="filename">/dev/random</code>
+	       system does not provide a <TT
+CLASS="FILENAME"
+>/dev/random</TT
+>
 	       or equivalent device, the default source of randomness
-	       is keyboard input.  <code class="filename">randomdev</code> specifies
+	       is keyboard input.  <TT
+CLASS="FILENAME"
+>randomdev</TT
+> specifies
 	       the name of a character device or file containing random
 	       data to be used instead of the default.  The special value
-	       <code class="filename">keyboard</code> indicates that keyboard
+	       <TT
+CLASS="FILENAME"
+>keyboard</TT
+> indicates that keyboard
 	       input should be used.
-	  </p></dd>
-<dt><span class="term">-s <em class="replaceable"><code>address</code></em></span></dt>
-<dd><p>
-	       Specifies the IP address where <span><strong class="command">named</strong></span>
+	  </P
+></DD
+><DT
+>-s <TT
+CLASS="REPLACEABLE"
+><I
+>address</I
+></TT
+></DT
+><DD
+><P
+>	       Specifies the IP address where <B
+CLASS="COMMAND"
+>named</B
+>
 	       listens for command channel connections from
-	       <span><strong class="command">rndc</strong></span>.  The default is the loopback
+	       <B
+CLASS="COMMAND"
+>rndc</B
+>.  The default is the loopback
 	       address 127.0.0.1.
-	  </p></dd>
-<dt><span class="term">-t <em class="replaceable"><code>chrootdir</code></em></span></dt>
-<dd><p>
-	       Used with the <span><strong class="command">-a</strong></span> option to specify
-	       a directory where <span><strong class="command">named</strong></span> will run
-	       chrooted.  An additional copy of the <code class="filename">rndc.key</code>
+	  </P
+></DD
+><DT
+>-t <TT
+CLASS="REPLACEABLE"
+><I
+>chrootdir</I
+></TT
+></DT
+><DD
+><P
+>	       Used with the <B
+CLASS="COMMAND"
+>-a</B
+> option to specify
+	       a directory where <B
+CLASS="COMMAND"
+>named</B
+> will run
+	       chrooted.  An additional copy of the <TT
+CLASS="FILENAME"
+>rndc.key</TT
+>
 	       will be written relative to this directory so that
-	       it will be found by the chrooted <span><strong class="command">named</strong></span>.
-	  </p></dd>
-<dt><span class="term">-u <em class="replaceable"><code>user</code></em></span></dt>
-<dd><p>
-	       Used with the <span><strong class="command">-a</strong></span> option to set the owner
-	       of the <code class="filename">rndc.key</code> file generated.  If
-	       <span><strong class="command">-t</strong></span> is also specified only the file in
+	       it will be found by the chrooted <B
+CLASS="COMMAND"
+>named</B
+>.
+	  </P
+></DD
+><DT
+>-u <TT
+CLASS="REPLACEABLE"
+><I
+>user</I
+></TT
+></DT
+><DD
+><P
+>	       Used with the <B
+CLASS="COMMAND"
+>-a</B
+> option to set the owner
+	       of the <TT
+CLASS="FILENAME"
+>rndc.key</TT
+> file generated.  If
+	       <B
+CLASS="COMMAND"
+>-t</B
+> is also specified only the file in
 	       the chroot area has its owner changed.
-	  </p></dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543761"></a><h2>EXAMPLES</h2>
-<p>
-        To allow <span><strong class="command">rndc</strong></span> to be used with
+	  </P
+></DD
+></DL
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN147"
+></A
+><H2
+>EXAMPLES</H2
+><P
+>        To allow <B
+CLASS="COMMAND"
+>rndc</B
+> to be used with
 	no manual configuration, run
-    </p>
-<p>
-        <strong class="userinput"><code>rndc-confgen -a</code></strong>
-    </p>
-<p>
-        To print a sample <code class="filename">rndc.conf</code> file and
-	corresponding <span><strong class="command">controls</strong></span> and <span><strong class="command">key</strong></span>
-	statements to be manually inserted into <code class="filename">named.conf</code>,
+    </P
+><P
+>        <TT
+CLASS="USERINPUT"
+><B
+>rndc-confgen -a</B
+></TT
+>
+    </P
+><P
+>        To print a sample <TT
+CLASS="FILENAME"
+>rndc.conf</TT
+> file and
+	corresponding <B
+CLASS="COMMAND"
+>controls</B
+> and <B
+CLASS="COMMAND"
+>key</B
+>
+	statements to be manually inserted into <TT
+CLASS="FILENAME"
+>named.conf</TT
+>,
 	run
-    </p>
-<p>
-        <strong class="userinput"><code>rndc-confgen</code></strong>
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543804"></a><h2>SEE ALSO</h2>
-<p>
-      <span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
-      <span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
-      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
-      <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543847"></a><h2>AUTHOR</h2>
-<p>
-        <span class="corpauthor">Internet Systems Consortium</span>
-    </p>
-</div>
-</div></body>
-</html>
+    </P
+><P
+>        <TT
+CLASS="USERINPUT"
+><B
+>rndc-confgen</B
+></TT
+>
+    </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN160"
+></A
+><H2
+>SEE ALSO</H2
+><P
+>      <SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>rndc</SPAN
+>(8)</SPAN
+>,
+      <SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>rndc.conf</SPAN
+>(5)</SPAN
+>,
+      <SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>named</SPAN
+>(8)</SPAN
+>,
+      <I
+CLASS="CITETITLE"
+>BIND 9 Administrator Reference Manual</I
+>.
+    </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN173"
+></A
+><H2
+>AUTHOR</H2
+><P
+>        Internet Software Consortium
+    </P
+></DIV
+></BODY
+></HTML
+>
diff --git a/bin/rndc/rndc.8 b/bin/rndc/rndc.8
index 87a573af..d57f5863 100644
--- a/bin/rndc/rndc.8
+++ b/bin/rndc/rndc.8
@@ -1,140 +1,118 @@
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\" 
+.\" Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001  Internet Software Consortium.
+.\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
 .\" copyright notice and this permission notice appear in all copies.
-.\" 
+.\"
 .\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 .\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 .\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 .\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: rndc.8,v 1.24.2.11 2007/06/20 02:25:45 marka Exp $
-.\"
-.hy 0
-.ad l
-.\"     Title: rndc
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: June 30, 2000
-.\"    Manual: BIND9
-.\"    Source: BIND9
+.\" $Id: rndc.8,v 1.24.206.1 2004/03/06 07:41:40 marka Exp $
 .\"
-.TH "RNDC" "8" "June 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
+.TH "RNDC" "8" "June 30, 2000" "BIND9" ""
+.SH NAME
 rndc \- name server control utility
-.SH "SYNOPSIS"
-.HP 5
-\fBrndc\fR [\fB\-c\ \fR\fB\fIconfig\-file\fR\fR] [\fB\-k\ \fR\fB\fIkey\-file\fR\fR] [\fB\-s\ \fR\fB\fIserver\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-V\fR] [\fB\-y\ \fR\fB\fIkey_id\fR\fR] {command}
+.SH SYNOPSIS
+.sp
+\fBrndc\fR [ \fB-c \fIconfig-file\fB\fR ]  [ \fB-k \fIkey-file\fB\fR ]  [ \fB-s \fIserver\fB\fR ]  [ \fB-p \fIport\fB\fR ]  [ \fB-V\fR ]  [ \fB-y \fIkey_id\fB\fR ]  \fBcommand\fR
 .SH "DESCRIPTION"
 .PP
-\fBrndc\fR
-controls the operation of a name server. It supersedes the
-\fBndc\fR
-utility that was provided in old BIND releases. If
-\fBrndc\fR
-is invoked with no command line options or arguments, it prints a short summary of the supported commands and the available options and their arguments.
+\fBrndc\fR controls the operation of a name
+server. It supersedes the \fBndc\fR utility
+that was provided in old BIND releases. If
+\fBrndc\fR is invoked with no command line
+options or arguments, it prints a short summary of the
+supported commands and the available options and their
+arguments.
 .PP
-\fBrndc\fR
-communicates with the name server over a TCP connection, sending commands authenticated with digital signatures. In the current versions of
-\fBrndc\fR
-and
-\fBnamed\fR, the only supported authentication algorithm is HMAC\-MD5, which uses a shared secret on each end of the connection. This provides TSIG\-style authentication for the command request and the name server's response. All commands sent over the channel must be signed by a key_id known to the server.
+\fBrndc\fR communicates with the name server
+over a TCP connection, sending commands authenticated with
+digital signatures. In the current versions of
+\fBrndc\fR and \fBnamed\fR named
+the only supported authentication algorithm is HMAC-MD5,
+which uses a shared secret on each end of the connection.
+This provides TSIG-style authentication for the command
+request and the name server's response. All commands sent
+over the channel must be signed by a key_id known to the
+server.
 .PP
-\fBrndc\fR
-reads a configuration file to determine how to contact the name server and decide what algorithm and key it should use.
+\fBrndc\fR reads a configuration file to
+determine how to contact the name server and decide what
+algorithm and key it should use.
 .SH "OPTIONS"
-.PP
-\-c \fIconfig\-file\fR
-.RS 4
-Use
-\fIconfig\-file\fR
+.TP
+\fB-c \fIconfig-file\fB\fR
+Use \fIconfig-file\fR
 as the configuration file instead of the default,
 \fI/etc/rndc.conf\fR.
-.RE
-.PP
-\-k \fIkey\-file\fR
-.RS 4
-Use
-\fIkey\-file\fR
+.TP
+\fB-k \fIkey-file\fB\fR
+Use \fIkey-file\fR
 as the key file instead of the default,
 \fI/etc/rndc.key\fR. The key in
-\fI/etc/rndc.key\fR
-will be used to authenticate commands sent to the server if the
-\fIconfig\-file\fR
+\fI/etc/rndc.key\fR will be used to authenticate
+commands sent to the server if the \fIconfig-file\fR
 does not exist.
-.RE
-.PP
-\-s \fIserver\fR
-.RS 4
-\fIserver\fR
-is the name or address of the server which matches a server statement in the configuration file for
-\fBrndc\fR. If no server is supplied on the command line, the host named by the default\-server clause in the options statement of the
-\fBrndc\fR
-configuration file will be used.
-.RE
-.PP
-\-p \fIport\fR
-.RS 4
+.TP
+\fB-s \fIserver\fB\fR
+\fIserver\fR is
+the name or address of the server which matches a
+server statement in the configuration file for
+\fBrndc\fR. If no server is supplied on the
+command line, the host named by the default-server clause
+in the option statement of the configuration file will be
+used.
+.TP
+\fB-p \fIport\fB\fR
 Send commands to TCP port
-\fIport\fR
-instead of BIND 9's default control channel port, 953.
-.RE
-.PP
-\-V
-.RS 4
+\fIport\fR instead
+of BIND 9's default control channel port, 953.
+.TP
+\fB-V\fR
 Enable verbose logging.
-.RE
-.PP
-\-y \fIkey_id\fR
-.RS 4
-Use the key
-\fIkey_id\fR
+.TP
+\fB-y \fIkeyid\fB\fR
+Use the key \fIkeyid\fR
 from the configuration file.
-\fIkey_id\fR
-must be known by named with the same algorithm and secret string in order for control message validation to succeed. If no
-\fIkey_id\fR
-is specified,
-\fBrndc\fR
-will first look for a key clause in the server statement of the server being used, or if no server statement is present for that host, then the default\-key clause of the options statement. Note that the configuration file contains shared secrets which are used to send authenticated control commands to name servers. It should therefore not have general read or write access.
-.RE
+\fIkeyid\fR must be
+known by named with the same algorithm and secret string
+in order for control message validation to succeed.
+If no \fIkeyid\fR
+is specified, \fBrndc\fR will first look
+for a key clause in the server statement of the server
+being used, or if no server statement is present for that
+host, then the default-key clause of the options statement.
+Note that the configuration file contains shared secrets
+which are used to send authenticated control commands
+to name servers. It should therefore not have general read
+or write access.
+.PP
+For the complete set of commands supported by \fBrndc\fR,
+see the BIND 9 Administrator Reference Manual or run
+\fBrndc\fR without arguments to see its help message.
 .PP
-For the complete set of commands supported by
-\fBrndc\fR, see the BIND 9 Administrator Reference Manual or run
-\fBrndc\fR
-without arguments to see its help message.
 .SH "LIMITATIONS"
 .PP
-\fBrndc\fR
-does not yet support all the commands of the BIND 8
-\fBndc\fR
-utility.
+\fBrndc\fR does not yet support all the commands of
+the BIND 8 \fBndc\fR utility.
 .PP
 There is currently no way to provide the shared secret for a
-\fBkey_id\fR
-without using the configuration file.
+\fBkey_id\fR without using the configuration file.
 .PP
 Several error messages could be clearer.
 .SH "SEE ALSO"
 .PP
 \fBrndc.conf\fR(5),
 \fBnamed\fR(8),
-\fBnamed.conf\fR(5),
+\fBnamed.conf\fR(5)
 \fBndc\fR(8),
-BIND 9 Administrator Reference Manual.
+\fIBIND 9 Administrator Reference Manual\fR.
 .SH "AUTHOR"
 .PP
-Internet Systems Consortium
-.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000, 2001 Internet Software Consortium.
-.br
+Internet Software Consortium
diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c
index 0e80ac2e..9ea07ac0 100644
--- a/bin/rndc/rndc.c
+++ b/bin/rndc/rndc.c
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rndc.c,v 1.77.2.9 2006/08/04 03:03:19 marka Exp $ */
+/* $Id: rndc.c,v 1.77.2.5.2.12 2004/03/08 04:04:23 marka Exp $ */
 
 /*
  * Principal Author: DCL
@@ -31,7 +31,6 @@
 #include <isc/file.h>
 #include <isc/log.h>
 #include <isc/mem.h>
-#include <isc/netdb.h>
 #include <isc/random.h>
 #include <isc/socket.h>
 #include <isc/stdtime.h>
@@ -40,7 +39,7 @@
 #include <isc/thread.h>
 #include <isc/util.h>
 
-#include <isccfg/cfg.h>
+#include <isccfg/namedconf.h>
 
 #include <isccc/alist.h>
 #include <isccc/base64.h>
@@ -51,21 +50,11 @@
 #include <isccc/types.h>
 #include <isccc/util.h>
 
-#include "util.h"
+#include <bind9/getaddresses.h>
 
-#ifdef HAVE_ADDRINFO
-#ifdef HAVE_GETADDRINFO
-#ifdef HAVE_GAISTRERROR
-#define USE_GETADDRINFO
-#endif
-#endif
-#endif
+#include "util.h"
 
-#ifndef USE_GETADDRINFO
-#ifndef ISC_PLATFORM_NONSTDHERRNO
-extern int h_errno;
-#endif
-#endif
+#define SERVERADDRS 10
 
 char *progname;
 isc_boolean_t verbose;
@@ -74,6 +63,9 @@ static const char *admin_conffile;
 static const char *admin_keyfile;
 static const char *version = VERSION;
 static const char *servername = NULL;
+static isc_sockaddr_t serveraddrs[SERVERADDRS];
+static int nserveraddrs;
+static int currentaddr = 0;
 static unsigned int remoteport = 0;
 static isc_socketmgr_t *socketmgr = NULL;
 static unsigned char databuf[2048];
@@ -88,6 +80,8 @@ static char program[256];
 static isc_socket_t *sock = NULL;
 static isc_uint32_t serial;
 
+static void rndc_startconnect(isc_sockaddr_t *addr, isc_task_t *task);
+
 static void
 usage(int status) {
 	fprintf(stderr, "\
@@ -101,18 +95,31 @@ command is one of the following:\n\
 		Reload a single zone.\n\
   refresh zone [class [view]]\n\
 		Schedule immediate maintenance for a zone.\n\
+  retransfer zone [class [view]]\n\
+		Retransfer a single zone without checking serial number.\n\
+  freeze zone [class [view]]\n\
+  		Suspend updates to a dynamic zone.\n\
+  unfreeze zone [class [view]]\n\
+  		Enable updates to a frozen dynamic zone and reload it.\n\
   reconfig	Reload configuration file and new zones only.\n\
   stats		Write server statistics to the statistics file.\n\
   querylog	Toggle query logging.\n\
   dumpdb	Dump cache(s) to the dump file (named_dump.db).\n\
   stop		Save pending updates to master files and stop the server.\n\
+  stop -p	Save pending updates to master files and stop the server\n\
+		reporting process id.\n\
   halt		Stop the server without saving pending updates.\n\
+  halt -p	Stop the server without saving pending updates reporting\n\
+		process id.\n\
   trace		Increment debugging level by one.\n\
   trace level	Change the debugging level.\n\
   notrace	Set debugging level to 0.\n\
   flush 	Flushes all of the server's caches.\n\
   flush [view]	Flushes the server's cache for a view.\n\
+  flushname name [view]\n\
+		Flush the given name from the server's cache(s)\n\
   status	Display status of the server.\n\
+  recursing	Dump the queries that are currently recursing (named.recursing)\n\
   *restart	Restart the server.\n\
 \n\
 * == not yet implemented\n\
@@ -123,74 +130,17 @@ Version: %s\n",
 }
 
 static void
-get_address(const char *host, in_port_t port, isc_sockaddr_t *sockaddr) {
-	struct in_addr in4;
-	struct in6_addr in6;
-	isc_boolean_t have_ipv6;
-#ifdef USE_GETADDRINFO
-	struct addrinfo *res = NULL, hints;
-	int result;
-#else
-	struct hostent *he;
-#endif
-
-	have_ipv6 = ISC_TF(isc_net_probeipv6() == ISC_R_SUCCESS);
+get_addresses(const char *host, in_port_t port) {
+	isc_result_t result;
 
-	/*
-	 * Assume we have v4 if we don't have v6, since setup_libs
-	 * fatal()'s out if we don't have either.
-	 */
-	if (have_ipv6 && inet_pton(AF_INET6, host, &in6) == 1)
-		isc_sockaddr_fromin6(sockaddr, &in6, port);
-	else if (inet_pton(AF_INET, host, &in4) == 1)
-		isc_sockaddr_fromin(sockaddr, &in4, port);
-	else {
-#ifdef USE_GETADDRINFO
-		memset(&hints, 0, sizeof(hints));
-		if (!have_ipv6)
-			hints.ai_family = PF_INET;
-		else if (isc_net_probeipv4() != ISC_R_SUCCESS)
-			hints.ai_family = PF_INET6;
-		else {
-			hints.ai_family = PF_UNSPEC;
-#ifdef AI_ADDRCONFIG
-			hints.ai_flags = AI_ADDRCONFIG;
-#endif
-		}
-		hints.ai_socktype = SOCK_STREAM;
-		isc_app_block();
-#ifdef AI_ADDRCONFIG
- again:
-#endif
-		result = getaddrinfo(host, NULL, &hints, &res);
-#ifdef AI_ADDRCONFIG
-		if (result == EAI_BADFLAGS &&
-		    (hints.ai_flags & AI_ADDRCONFIG) != 0) {
-			hints.ai_flags &= ~AI_ADDRCONFIG;
-			goto again;
-		}
-#endif
-		isc_app_unblock();
-		if (result != 0)
-			fatal("Couldn't find server '%s': %s",
-			      host, gai_strerror(result));
-		memcpy(&sockaddr->type.sa, res->ai_addr, res->ai_addrlen);
-		sockaddr->length = res->ai_addrlen;
-		isc_sockaddr_setport(sockaddr, port);
-		freeaddrinfo(res);
-#else
-		isc_app_block();
-		he = gethostbyname(host);
-		isc_app_unblock();
-		if (he == NULL)
-			fatal("Couldn't find server '%s' (h_errno=%d)",
-			      host, h_errno);
-		INSIST(he->h_addrtype == AF_INET);
-		isc_sockaddr_fromin(sockaddr,
-				    (struct in_addr *)(he->h_addr_list[0]),
-				    port);
-#endif
-	}
+	isc_app_block();
+	result = bind9_getaddresses(servername, port,
+				    serveraddrs, SERVERADDRS, &nserveraddrs);
+	isc_app_unblock();
+	if (result != ISC_R_SUCCESS)
+		fatal("couldn't get address for '%s': %s",
+		      host, isc_result_totext(result));
+	INSIST(nserveraddrs > 0);
 }
 
 static void
@@ -203,11 +153,6 @@ rndc_senddone(isc_task_t *task, isc_event_t *event) {
 	if (sevent->result != ISC_R_SUCCESS)
 		fatal("send failed: %s", isc_result_totext(sevent->result));
 	isc_event_free(&event);
-	if (sends == 0 && recvs == 0) {
-		isc_socket_detach(&sock);
-		isc_task_shutdown(task);
-		RUNTIME_CHECK(isc_app_shutdown() == ISC_R_SUCCESS);
-	}
 }
 
 static void
@@ -258,11 +203,9 @@ rndc_recvdone(isc_task_t *task, isc_event_t *event) {
 
 	isc_event_free(&event);
 	isccc_sexpr_free(&response);
-	if (sends == 0 && recvs == 0) {
-		isc_socket_detach(&sock);
-		isc_task_shutdown(task);
-		RUNTIME_CHECK(isc_app_shutdown() == ISC_R_SUCCESS);
-	}
+	isc_socket_detach(&sock);
+	isc_task_shutdown(task);
+	RUNTIME_CHECK(isc_app_shutdown() == ISC_R_SUCCESS);
 }
 
 static void
@@ -356,8 +299,20 @@ rndc_connected(isc_task_t *task, isc_event_t *event) {
 
 	connects--;
 
-	if (sevent->result != ISC_R_SUCCESS)
-		fatal("connect failed: %s", isc_result_totext(sevent->result));
+	if (sevent->result != ISC_R_SUCCESS) {
+		if (sevent->result != ISC_R_CANCELED &&
+		    currentaddr < nserveraddrs)
+		{
+			notify("connection failed: %s",
+			       isc_result_totext(sevent->result));
+			isc_socket_detach(&sock);
+			isc_event_free(&event);
+			rndc_startconnect(&serveraddrs[currentaddr++], task);
+			return;
+		} else
+			fatal("connect failed: %s",
+			      isc_result_totext(sevent->result));
+	}
 
 	isc_stdtime_get(&now);
 	DO("create message", isccc_cc_createmessage(1, NULL, NULL, ++serial,
@@ -389,44 +344,50 @@ rndc_connected(isc_task_t *task, isc_event_t *event) {
 }
 
 static void
-rndc_start(isc_task_t *task, isc_event_t *event) {
-	isc_sockaddr_t addr;
+rndc_startconnect(isc_sockaddr_t *addr, isc_task_t *task) {
 	isc_result_t result;
-	char socktext[ISC_SOCKADDR_FORMATSIZE];
-
-	isc_event_free(&event);
 
-	get_address(servername, (in_port_t) remoteport, &addr);
+	char socktext[ISC_SOCKADDR_FORMATSIZE];
 
-	isc_sockaddr_format(&addr, socktext, sizeof(socktext));
+	isc_sockaddr_format(addr, socktext, sizeof(socktext));
 
 	notify("using server %s (%s)", servername, socktext);
 
 	DO("create socket", isc_socket_create(socketmgr,
-					      isc_sockaddr_pf(&addr),
+					      isc_sockaddr_pf(addr),
 					      isc_sockettype_tcp, &sock));
-	DO("connect", isc_socket_connect(sock, &addr, task, rndc_connected,
+	DO("connect", isc_socket_connect(sock, addr, task, rndc_connected,
 					 NULL));
 	connects++;
 }
 
 static void
+rndc_start(isc_task_t *task, isc_event_t *event) {
+	isc_event_free(&event);
+
+	get_addresses(servername, (in_port_t) remoteport);
+
+	currentaddr = 0;
+	rndc_startconnect(&serveraddrs[currentaddr++], task);
+}
+
+static void
 parse_config(isc_mem_t *mctx, isc_log_t *log, const char *keyname,
 	     cfg_parser_t **pctxp, cfg_obj_t **configp)
 {
 	isc_result_t result;
 	const char *conffile = admin_conffile;
-	const cfg_obj_t *defkey = NULL;
-	const cfg_obj_t *options = NULL;
-	const cfg_obj_t *servers = NULL;
-	const cfg_obj_t *server = NULL;
-	const cfg_obj_t *keys = NULL;
-	const cfg_obj_t *key = NULL;
-	const cfg_obj_t *defport = NULL;
-	const cfg_obj_t *secretobj = NULL;
-	const cfg_obj_t *algorithmobj = NULL;
+	cfg_obj_t *defkey = NULL;
+	cfg_obj_t *options = NULL;
+	cfg_obj_t *servers = NULL;
+	cfg_obj_t *server = NULL;
+	cfg_obj_t *keys = NULL;
+	cfg_obj_t *key = NULL;
+	cfg_obj_t *defport = NULL;
+	cfg_obj_t *secretobj = NULL;
+	cfg_obj_t *algorithmobj = NULL;
 	cfg_obj_t *config = NULL;
-	const cfg_listelt_t *elt;
+	cfg_listelt_t *elt;
 	const char *secretstr;
 	const char *algorithm;
 	static char secretarray[1024];
@@ -458,7 +419,7 @@ parse_config(isc_mem_t *mctx, isc_log_t *log, const char *keyname,
 	if (key_only && servername == NULL)
 		servername = "127.0.0.1";
 	else if (servername == NULL && options != NULL) {
-		const cfg_obj_t *defserverobj = NULL;
+		cfg_obj_t *defserverobj = NULL;
 		(void)cfg_map_get(options, "default-server", &defserverobj);
 		if (defserverobj != NULL)
 			servername = cfg_obj_asstring(defserverobj);
@@ -468,7 +429,7 @@ parse_config(isc_mem_t *mctx, isc_log_t *log, const char *keyname,
 		fatal("no server specified and no default");
 
 	if (!key_only) {
-		cfg_map_get(config, "server", &servers);
+		(void)cfg_map_get(config, "server", &servers);
 		if (servers != NULL) {
 			for (elt = cfg_list_first(servers);
 			     elt != NULL; 
@@ -544,7 +505,7 @@ parse_config(isc_mem_t *mctx, isc_log_t *log, const char *keyname,
 		if (server != NULL)
 			(void)cfg_map_get(server, "port", &defport);
 		if (defport == NULL && options != NULL)
-			cfg_map_get(options, "default-port", &defport);
+			(void)cfg_map_get(options, "default-port", &defport);
 	}
 	if (defport != NULL) {
 		remoteport = cfg_obj_asuint32(defport);
@@ -581,7 +542,9 @@ main(int argc, char **argv) {
 	admin_conffile = RNDC_CONFFILE;
 	admin_keyfile = RNDC_KEYFILE;
 
-	isc_app_start();
+	result = isc_app_start();
+	if (result != ISC_R_SUCCESS)
+		fatal("isc_app_start() failed: %s", isc_result_totext(result));
 
 	while ((ch = isc_commandline_parse(argc, argv, "c:k:Mmp:s:Vy:"))
 	       != -1) {
@@ -595,7 +558,7 @@ main(int argc, char **argv) {
 			break;
 
 		case 'M':
-			isc_mem_debugging = 1;
+			isc_mem_debugging = ISC_MEM_DEBUGTRACE;
 			break;
 
 		case 'm':
@@ -693,7 +656,9 @@ main(int argc, char **argv) {
 
 	DO("post event", isc_app_onrun(mctx, task, rndc_start, NULL));
 
-	isc_app_run();
+	result = isc_app_run();
+	if (result != ISC_R_SUCCESS)
+		fatal("isc_app_run() failed: %s", isc_result_totext(result));
 
 	if (connects > 0 || sends > 0 || recvs > 0)
 		isc_socket_cancel(sock, task, ISC_SOCKCANCEL_ALL);
diff --git a/bin/rndc/rndc.conf b/bin/rndc/rndc.conf
index 69ffa501..1dc56074 100644
--- a/bin/rndc/rndc.conf
+++ b/bin/rndc/rndc.conf
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rndc.conf,v 1.7.2.1 2004/03/09 06:09:27 marka Exp $ */
+/* $Id: rndc.conf,v 1.7.206.1 2004/03/06 10:21:32 marka Exp $ */
 
 /*
  * Sample rndc configuration file.
diff --git a/bin/rndc/rndc.conf.5 b/bin/rndc/rndc.conf.5
index 5eb34685..47e71973 100644
--- a/bin/rndc/rndc.conf.5
+++ b/bin/rndc/rndc.conf.5
@@ -1,45 +1,35 @@
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\" 
+.\" Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001  Internet Software Consortium.
+.\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
 .\" copyright notice and this permission notice appear in all copies.
-.\" 
+.\"
 .\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 .\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 .\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 .\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: rndc.conf.5,v 1.21.2.9 2007/05/09 03:32:21 marka Exp $
-.\"
-.hy 0
-.ad l
-.\"     Title: \fIrndc.conf\fR
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: June 30, 2000
-.\"    Manual: BIND9
-.\"    Source: BIND9
+.\" $Id: rndc.conf.5,v 1.21.206.1 2004/03/06 07:41:40 marka Exp $
 .\"
-.TH "\fIRNDC.CONF\fR" "5" "June 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
+.TH "RNDC.CONF" "5" "June 30, 2000" "BIND9" ""
+.SH NAME
 rndc.conf \- rndc configuration file
-.SH "SYNOPSIS"
-.HP 10
+.SH SYNOPSIS
+.sp
 \fBrndc.conf\fR
 .SH "DESCRIPTION"
 .PP
-\fIrndc.conf\fR
-is the configuration file for
-\fBrndc\fR, the BIND 9 name server control utility. This file has a similar structure and syntax to
-\fInamed.conf\fR. Statements are enclosed in braces and terminated with a semi\-colon. Clauses in the statements are also semi\-colon terminated. The usual comment styles are supported:
+\fIrndc.conf\fR is the configuration file
+for \fBrndc\fR, the BIND 9 name server control
+utility. This file has a similar structure and syntax to
+\fInamed.conf\fR. Statements are enclosed
+in braces and terminated with a semi-colon. Clauses in
+the statements are also semi-colon terminated. The usual
+comment styles are supported:
 .PP
 C style: /* */
 .PP
@@ -47,118 +37,106 @@ C++ style: // to end of line
 .PP
 Unix style: # to end of line
 .PP
-\fIrndc.conf\fR
-is much simpler than
-\fInamed.conf\fR. The file uses three statements: an options statement, a server statement and a key statement.
-.PP
-The
-\fBoptions\fR
-statement contains three clauses. The
-\fBdefault\-server\fR
-clause is followed by the name or address of a name server. This host will be used when no name server is given as an argument to
-\fBrndc\fR. The
-\fBdefault\-key\fR
-clause is followed by the name of a key which is identified by a
-\fBkey\fR
-statement. If no
-\fBkeyid\fR
-is provided on the rndc command line, and no
-\fBkey\fR
-clause is found in a matching
-\fBserver\fR
-statement, this default key will be used to authenticate the server's commands and responses. The
-\fBdefault\-port\fR
-clause is followed by the port to connect to on the remote name server. If no
-\fBport\fR
-option is provided on the rndc command line, and no
-\fBport\fR
-clause is found in a matching
-\fBserver\fR
-statement, this default port will be used to connect.
-.PP
-After the
-\fBserver\fR
-keyword, the server statement includes a string which is the hostname or address for a name server. The statement has two possible clauses:
-\fBkey\fR
-and
-\fBport\fR. The key name must match the name of a key statement in the file. The port number specifies the port to connect to.
-.PP
-The
-\fBkey\fR
-statement begins with an identifying string, the name of the key. The statement has two clauses.
-\fBalgorithm\fR
-identifies the encryption algorithm for
-\fBrndc\fR
-to use; currently only HMAC\-MD5 is supported. This is followed by a secret clause which contains the base\-64 encoding of the algorithm's encryption key. The base\-64 string is enclosed in double quotes.
-.PP
-There are two common ways to generate the base\-64 string for the secret. The BIND 9 program
-\fBrndc\-confgen\fR
-can be used to generate a random key, or the
-\fBmmencode\fR
-program, also known as
-\fBmimencode\fR, can be used to generate a base\-64 string from known input.
-\fBmmencode\fR
-does not ship with BIND 9 but is available on many systems. See the EXAMPLE section for sample command lines for each.
+\fIrndc.conf\fR is much simpler than
+\fInamed.conf\fR. The file uses three
+statements: an options statement, a server statement
+and a key statement.
+.PP
+The \fBoptions\fR statement contains three clauses.
+The \fBdefault-server\fR clause is followed by the
+name or address of a name server. This host will be used when
+no name server is given as an argument to
+\fBrndc\fR. The \fBdefault-key\fR
+clause is followed by the name of a key which is identified by
+a \fBkey\fR statement. If no
+\fBkeyid\fR is provided on the rndc command line,
+and no \fBkey\fR clause is found in a matching
+\fBserver\fR statement, this default key will be
+used to authenticate the server's commands and responses. The
+\fBdefault-port\fR clause is followed by the port
+to connect to on the remote name server. If no
+\fBport\fR option is provided on the rndc command
+line, and no \fBport\fR clause is found in a
+matching \fBserver\fR statement, this default port
+will be used to connect.
+.PP
+After the \fBserver\fR keyword, the server statement
+includes a string which is the hostname or address for a name
+server. The statement has two possible clauses:
+\fBkey\fR and \fBport\fR. The key name must
+match the name of a key statement in the file. The port number
+specifies the port to connect to.
+.PP
+The \fBkey\fR statement begins with an identifying
+string, the name of the key. The statement has two clauses.
+\fBalgorithm\fR identifies the encryption algorithm
+for \fBrndc\fR to use; currently only HMAC-MD5 is
+supported. This is followed by a secret clause which contains
+the base-64 encoding of the algorithm's encryption key. The
+base-64 string is enclosed in double quotes.
+.PP
+There are two common ways to generate the base-64 string for the
+secret. The BIND 9 program \fBrndc-confgen\fR can
+be used to generate a random key, or the
+\fBmmencode\fR program, also known as
+\fBmimencode\fR, can be used to generate a base-64
+string from known input. \fBmmencode\fR does not
+ship with BIND 9 but is available on many systems. See the
+EXAMPLE section for sample command lines for each.
 .SH "EXAMPLE"
 .sp
-.RS 4
 .nf
     options {
-        default\-server  localhost;
-        default\-key     samplekey;
+        default-server  localhost;
+        default-key     samplekey;
       };
+
       server localhost {
         key             samplekey;
       };
+
       key samplekey {
-        algorithm       hmac\-md5;
+        algorithm       hmac-md5;
         secret          "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
       };
+    
+.sp
 .fi
-.RE
 .PP
-In the above example,
-\fBrndc\fR
-will by default use the server at localhost (127.0.0.1) and the key called samplekey. Commands to the localhost server will use the samplekey key, which must also be defined in the server's configuration file with the same name and secret. The key statement indicates that samplekey uses the HMAC\-MD5 algorithm and its secret clause contains the base\-64 encoding of the HMAC\-MD5 secret enclosed in double quotes.
+In the above example, \fBrndc\fR will by default use
+the server at localhost (127.0.0.1) and the key called samplekey.
+Commands to the localhost server will use the samplekey key, which
+must also be defined in the server's configuration file with the
+same name and secret. The key statement indicates that samplekey
+uses the HMAC-MD5 algorithm and its secret clause contains the
+base-64 encoding of the HMAC-MD5 secret enclosed in double quotes.
 .PP
-To generate a random secret with
-\fBrndc\-confgen\fR:
+To generate a random secret with \fBrndc-confgen\fR:
 .PP
-\fBrndc\-confgen\fR
+\fBrndc-confgen\fR
 .PP
-A complete
-\fIrndc.conf\fR
-file, including the randomly generated key, will be written to the standard output. Commented\-out
-\fBkey\fR
-and
-\fBcontrols\fR
-statements for
-\fInamed.conf\fR
-are also printed.
+A complete \fIrndc.conf\fR file, including the
+randomly generated key, will be written to the standard
+output. Commented out \fBkey\fR and
+\fBcontrols\fR statements for
+\fInamed.conf\fR are also printed.
 .PP
-To generate a base\-64 secret with
-\fBmmencode\fR:
+To generate a base-64 secret with \fBmmencode\fR:
 .PP
 \fBecho "known plaintext for a secret" | mmencode\fR
 .SH "NAME SERVER CONFIGURATION"
 .PP
-The name server must be configured to accept rndc connections and to recognize the key specified in the
-\fIrndc.conf\fR
-file, using the controls statement in
-\fInamed.conf\fR. See the sections on the
-\fBcontrols\fR
-statement in the BIND 9 Administrator Reference Manual for details.
+The name server must be configured to accept rndc connections and
+to recognize the key specified in the \fIrndc.conf\fR
+file, using the controls statement in \fInamed.conf\fR.
+See the sections on the \fBcontrols\fR statement in the
+BIND 9 Administrator Reference Manual for details.
 .SH "SEE ALSO"
 .PP
 \fBrndc\fR(8),
-\fBrndc\-confgen\fR(8),
+\fBrndc-confgen\fR(8),
 \fBmmencode\fR(1),
-BIND 9 Administrator Reference Manual.
+\fIBIND 9 Administrator Reference Manual\fR.
 .SH "AUTHOR"
 .PP
-Internet Systems Consortium
-.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000, 2001 Internet Software Consortium.
-.br
+Internet Software Consortium
diff --git a/bin/rndc/rndc.conf.docbook b/bin/rndc/rndc.conf.docbook
index aca6b5bc..6ca7d461 100644
--- a/bin/rndc/rndc.conf.docbook
+++ b/bin/rndc/rndc.conf.docbook
@@ -1,9 +1,7 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
 <!--
- - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001  Internet Software Consortium.
+ - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -18,7 +16,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: rndc.conf.docbook,v 1.4.2.7 2007/05/09 02:11:44 marka Exp $ -->
+<!-- $Id: rndc.conf.docbook,v 1.4.206.1 2004/03/06 10:21:32 marka Exp $ -->
 
 <refentry>
   <refentryinfo>
@@ -31,20 +29,6 @@
     <refmiscinfo>BIND9</refmiscinfo>
   </refmeta>
 
-  <docinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2007</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
-  </docinfo>
-
   <refnamediv>
     <refname><filename>rndc.conf</filename></refname>
     <refpurpose>rndc configuration file</refpurpose>
@@ -167,7 +151,7 @@
     <para>
         A complete <filename>rndc.conf</filename> file, including the
         randomly generated key, will be written to the standard
-        output.  Commented-out <option>key</option> and
+        output.  Commented out <option>key</option> and
         <option>controls</option> statements for
         <filename>named.conf</filename> are also printed.
     </para>
@@ -212,7 +196,7 @@
   <refsect1>
     <title>AUTHOR</title>
     <para>
-        <corpauthor>Internet Systems Consortium</corpauthor>
+        <corpauthor>Internet Software Consortium</corpauthor>
     </para>
   </refsect1>
 
diff --git a/bin/rndc/rndc.conf.html b/bin/rndc/rndc.conf.html
index c2a67e05..eb2fe25f 100644
--- a/bin/rndc/rndc.conf.html
+++ b/bin/rndc/rndc.conf.html
@@ -1,113 +1,238 @@
 <!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- - 
+ - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001  Internet Software Consortium.
+ -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
- - 
+ -
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: rndc.conf.html,v 1.5.2.18 2007/05/09 03:32:21 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>rndc.conf</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476275"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p><code class="filename">rndc.conf</code> &#8212; rndc configuration file</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">rndc.conf</code> </p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543339"></a><h2>DESCRIPTION</h2>
-<p>
-        <code class="filename">rndc.conf</code> is the configuration file
-	for <span><strong class="command">rndc</strong></span>, the BIND 9 name server control
+
+<!-- $Id: rndc.conf.html,v 1.5.2.1.4.1 2004/03/06 10:21:32 marka Exp $ -->
+
+<HTML
+><HEAD
+><TITLE
+>rndc.conf</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.73
+"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+><TT
+CLASS="FILENAME"
+>rndc.conf</TT
+></A
+></H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN9"
+></A
+><H2
+>Name</H2
+><TT
+CLASS="FILENAME"
+>rndc.conf</TT
+>&nbsp;--&nbsp;rndc configuration file</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN13"
+></A
+><H2
+>Synopsis</H2
+><P
+><B
+CLASS="COMMAND"
+>rndc.conf</B
+> </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN16"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+>        <TT
+CLASS="FILENAME"
+>rndc.conf</TT
+> is the configuration file
+	for <B
+CLASS="COMMAND"
+>rndc</B
+>, the BIND 9 name server control
 	utility.  This file has a similar structure and syntax to
-	<code class="filename">named.conf</code>.  Statements are enclosed
+	<TT
+CLASS="FILENAME"
+>named.conf</TT
+>.  Statements are enclosed
 	in braces and terminated with a semi-colon.  Clauses in
 	the statements are also semi-colon terminated.  The usual
 	comment styles are supported:
-    </p>
-<p>
-        C style: /* */
-    </p>
-<p>
-        C++ style: // to end of line
-    </p>
-<p>
-        Unix style: # to end of line
-    </p>
-<p>
-        <code class="filename">rndc.conf</code> is much simpler than
-	<code class="filename">named.conf</code>.  The file uses three
+    </P
+><P
+>        C style: /* */
+    </P
+><P
+>        C++ style: // to end of line
+    </P
+><P
+>        Unix style: # to end of line
+    </P
+><P
+>        <TT
+CLASS="FILENAME"
+>rndc.conf</TT
+> is much simpler than
+	<TT
+CLASS="FILENAME"
+>named.conf</TT
+>.  The file uses three
 	statements: an options statement, a server statement
 	and a key statement.
-    </p>
-<p>
-        The <code class="option">options</code> statement contains three clauses.
-	The <code class="option">default-server</code> clause is followed by the
+    </P
+><P
+>        The <TT
+CLASS="OPTION"
+>options</TT
+> statement contains three clauses.
+	The <TT
+CLASS="OPTION"
+>default-server</TT
+> clause is followed by the
 	name or address of a name server.  This host will be used when
 	no name server is given as an argument to
-	<span><strong class="command">rndc</strong></span>.  The <code class="option">default-key</code>
+	<B
+CLASS="COMMAND"
+>rndc</B
+>.  The <TT
+CLASS="OPTION"
+>default-key</TT
+>
 	clause is followed by the name of a key which is identified by
-	a <code class="option">key</code> statement.  If no
-	<code class="option">keyid</code> is provided on the rndc command line,
-	and no <code class="option">key</code> clause is found in a matching
-	<code class="option">server</code> statement, this default key will be
+	a <TT
+CLASS="OPTION"
+>key</TT
+> statement.  If no
+	<TT
+CLASS="OPTION"
+>keyid</TT
+> is provided on the rndc command line,
+	and no <TT
+CLASS="OPTION"
+>key</TT
+> clause is found in a matching
+	<TT
+CLASS="OPTION"
+>server</TT
+> statement, this default key will be
 	used to authenticate the server's commands and responses.  The
-	<code class="option">default-port</code> clause is followed by the port
+	<TT
+CLASS="OPTION"
+>default-port</TT
+> clause is followed by the port
 	to connect to on the remote name server.  If no
-	<code class="option">port</code> option is provided on the rndc command
-	line, and no <code class="option">port</code> clause is found in a
-	matching <code class="option">server</code> statement, this default port
+	<TT
+CLASS="OPTION"
+>port</TT
+> option is provided on the rndc command
+	line, and no <TT
+CLASS="OPTION"
+>port</TT
+> clause is found in a
+	matching <TT
+CLASS="OPTION"
+>server</TT
+> statement, this default port
 	will be used to connect.
-    </p>
-<p>
-        After the <code class="option">server</code> keyword, the server statement
+    </P
+><P
+>        After the <TT
+CLASS="OPTION"
+>server</TT
+> keyword, the server statement
 	includes a string which is the hostname or address for a name
 	server.  The statement has two possible clauses:
-	<code class="option">key</code> and <code class="option">port</code>. The key name must
+	<TT
+CLASS="OPTION"
+>key</TT
+> and <TT
+CLASS="OPTION"
+>port</TT
+>. The key name must
 	match the name of a key statement in the file.  The port number
 	specifies the port to connect to.
-    </p>
-<p>
-        The <code class="option">key</code> statement begins with an identifying
+    </P
+><P
+>        The <TT
+CLASS="OPTION"
+>key</TT
+> statement begins with an identifying
 	string, the name of the key.  The statement has two clauses.
-	<code class="option">algorithm</code> identifies the encryption algorithm
-	for <span><strong class="command">rndc</strong></span> to use; currently only HMAC-MD5 is
+	<TT
+CLASS="OPTION"
+>algorithm</TT
+> identifies the encryption algorithm
+	for <B
+CLASS="COMMAND"
+>rndc</B
+> to use; currently only HMAC-MD5 is
 	supported.  This is followed by a secret clause which contains
 	the base-64 encoding of the algorithm's encryption key.  The
 	base-64 string is enclosed in double quotes.
-    </p>
-<p>
-        There are two common ways to generate the base-64 string for the
-	secret.  The BIND 9 program <span><strong class="command">rndc-confgen</strong></span> can
+    </P
+><P
+>        There are two common ways to generate the base-64 string for the
+	secret.  The BIND 9 program <B
+CLASS="COMMAND"
+>rndc-confgen</B
+> can
 	be used to generate a random key, or the
-	<span><strong class="command">mmencode</strong></span> program, also known as
-	<span><strong class="command">mimencode</strong></span>, can be used to generate a base-64
-	string from known input.  <span><strong class="command">mmencode</strong></span> does not
+	<B
+CLASS="COMMAND"
+>mmencode</B
+> program, also known as
+	<B
+CLASS="COMMAND"
+>mimencode</B
+>, can be used to generate a base-64
+	string from known input.  <B
+CLASS="COMMAND"
+>mmencode</B
+> does not
 	ship with BIND 9 but is available on many systems.  See the
 	EXAMPLE section for sample command lines for each.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543474"></a><h2>EXAMPLE</h2>
-<pre class="programlisting">
-    options {
+    </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN54"
+></A
+><H2
+>EXAMPLE</H2
+><PRE
+CLASS="PROGRAMLISTING"
+>    options {
         default-server  localhost;
         default-key     samplekey;
       };
@@ -120,60 +245,137 @@
         algorithm       hmac-md5;
         secret          "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
       };
-    </pre>
-<p>
-        In the above example, <span><strong class="command">rndc</strong></span> will by default use
+    </PRE
+><P
+>        In the above example, <B
+CLASS="COMMAND"
+>rndc</B
+> will by default use
 	the server at localhost (127.0.0.1) and the key called samplekey.
 	Commands to the localhost server will use the samplekey key, which
 	must also be defined in the server's configuration file with the
 	same name and secret.  The key statement indicates that samplekey
 	uses the HMAC-MD5 algorithm and its secret clause contains the
 	base-64 encoding of the HMAC-MD5 secret enclosed in double quotes.
-    </p>
-<p>
-        To generate a random secret with <span><strong class="command">rndc-confgen</strong></span>:
-    </p>
-<p>
-        <strong class="userinput"><code>rndc-confgen</code></strong>
-    </p>
-<p>
-        A complete <code class="filename">rndc.conf</code> file, including the
+    </P
+><P
+>        To generate a random secret with <B
+CLASS="COMMAND"
+>rndc-confgen</B
+>:
+    </P
+><P
+>        <TT
+CLASS="USERINPUT"
+><B
+>rndc-confgen</B
+></TT
+>
+    </P
+><P
+>        A complete <TT
+CLASS="FILENAME"
+>rndc.conf</TT
+> file, including the
         randomly generated key, will be written to the standard
-        output.  Commented-out <code class="option">key</code> and
-        <code class="option">controls</code> statements for
-        <code class="filename">named.conf</code> are also printed.
-    </p>
-<p>
-        To generate a base-64 secret with <span><strong class="command">mmencode</strong></span>:
-    </p>
-<p>
-        <strong class="userinput"><code>echo "known plaintext for a secret" | mmencode</code></strong>
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543534"></a><h2>NAME SERVER CONFIGURATION</h2>
-<p>
-        The name server must be configured to accept rndc connections and
-	to recognize the key specified in the <code class="filename">rndc.conf</code>
-	file, using the controls statement in <code class="filename">named.conf</code>.
-	See the sections on the <code class="option">controls</code> statement in the
+        output.  Commented out <TT
+CLASS="OPTION"
+>key</TT
+> and
+        <TT
+CLASS="OPTION"
+>controls</TT
+> statements for
+        <TT
+CLASS="FILENAME"
+>named.conf</TT
+> are also printed.
+    </P
+><P
+>        To generate a base-64 secret with <B
+CLASS="COMMAND"
+>mmencode</B
+>:
+    </P
+><P
+>        <TT
+CLASS="USERINPUT"
+><B
+>echo "known plaintext for a secret" | mmencode</B
+></TT
+>
+    </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN72"
+></A
+><H2
+>NAME SERVER CONFIGURATION</H2
+><P
+>        The name server must be configured to accept rndc connections and
+	to recognize the key specified in the <TT
+CLASS="FILENAME"
+>rndc.conf</TT
+>
+	file, using the controls statement in <TT
+CLASS="FILENAME"
+>named.conf</TT
+>.
+	See the sections on the <TT
+CLASS="OPTION"
+>controls</TT
+> statement in the
 	BIND 9 Administrator Reference Manual for details.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543555"></a><h2>SEE ALSO</h2>
-<p>
-      <span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
-      <span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
-      <span class="citerefentry"><span class="refentrytitle">mmencode</span>(1)</span>,
-      <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543597"></a><h2>AUTHOR</h2>
-<p>
-        <span class="corpauthor">Internet Systems Consortium</span>
-    </p>
-</div>
-</div></body>
-</html>
+    </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN78"
+></A
+><H2
+>SEE ALSO</H2
+><P
+>      <SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>rndc</SPAN
+>(8)</SPAN
+>,
+      <SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>rndc-confgen</SPAN
+>(8)</SPAN
+>,
+      <SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>mmencode</SPAN
+>(1)</SPAN
+>,
+      <I
+CLASS="CITETITLE"
+>BIND 9 Administrator Reference Manual</I
+>.
+    </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN91"
+></A
+><H2
+>AUTHOR</H2
+><P
+>        Internet Software Consortium
+    </P
+></DIV
+></BODY
+></HTML
+>
diff --git a/bin/rndc/rndc.docbook b/bin/rndc/rndc.docbook
index c34153d8..371aee96 100644
--- a/bin/rndc/rndc.docbook
+++ b/bin/rndc/rndc.docbook
@@ -1,9 +1,7 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
 <!--
- - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001  Internet Software Consortium.
+ - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -18,7 +16,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: rndc.docbook,v 1.7.2.9 2007/06/19 07:52:23 marka Exp $ -->
+<!-- $Id: rndc.docbook,v 1.7.206.1 2004/03/06 10:21:32 marka Exp $ -->
 
 <refentry>
   <refentryinfo>
@@ -31,20 +29,6 @@
     <refmiscinfo>BIND9</refmiscinfo>
   </refmeta>
 
-  <docinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2007</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
-  </docinfo>
-
   <refnamediv>
     <refname><application>rndc</application></refname>
     <refpurpose>name server control utility</refpurpose>
@@ -78,7 +62,7 @@
         <command>rndc</command> communicates with the name server
 	over a TCP connection, sending commands authenticated with
 	digital signatures.  In the current versions of
-      <command>rndc</command> and <command>named</command>,
+	<command>rndc</command> and <command>named</command> named
         the only supported authentication algorithm is HMAC-MD5,
 	which uses a shared secret on each end of the connection.
 	This provides TSIG-style authentication for the command
@@ -125,13 +109,14 @@
       <varlistentry>
         <term>-s <replaceable class="parameter">server</replaceable></term>
 	<listitem>
-	  <para><replaceable class="parameter">server</replaceable> is
-	      the name or address of the server which matches a
-	      server statement in the configuration file for
-	      <command>rndc</command>.  If no server is supplied on the
-	      command line, the host named by the default-server clause
-	      in the options statement of the <command>rndc</command>
-	    configuration file will be used.
+	  <para>
+	       <replaceable class="parameter">server</replaceable> is
+	       the name or address of the server which matches a
+	       server statement in the configuration file for
+	       <command>rndc</command>.  If no server is supplied on the
+	       command line, the host named by the default-server clause
+	       in the option statement of the configuration file will be
+	       used.
 	  </para>
 	</listitem>
       </varlistentry>
@@ -157,15 +142,15 @@
       </varlistentry>
 
       <varlistentry>
-        <term>-y <replaceable class="parameter">key_id</replaceable></term>
+        <term>-y <replaceable class="parameter">keyid</replaceable></term>
 	<listitem>
 	  <para>
-	       Use the key <replaceable class="parameter">key_id</replaceable>
+	       Use the key <replaceable class="parameter">keyid</replaceable>
 	       from the configuration file.
-	       <replaceable class="parameter">key_id</replaceable> must be
+	       <replaceable class="parameter">keyid</replaceable> must be
 	       known by named with the same algorithm and secret string
 	       in order for control message validation to succeed.
-	       If no <replaceable class="parameter">key_id</replaceable>
+	       If no <replaceable class="parameter">keyid</replaceable>
 	       is specified, <command>rndc</command> will first look
 	       for a key clause in the server statement of the server
 	       being used, or if no server statement is present for that
@@ -217,7 +202,7 @@
       <citerefentry>
         <refentrytitle>named.conf</refentrytitle>
 	<manvolnum>5</manvolnum>
-      </citerefentry>,
+      </citerefentry>
       <citerefentry>
         <refentrytitle>ndc</refentrytitle>
 	<manvolnum>8</manvolnum>
@@ -229,7 +214,7 @@
   <refsect1>
     <title>AUTHOR</title>
     <para>
-        <corpauthor>Internet Systems Consortium</corpauthor>
+        <corpauthor>Internet Software Consortium</corpauthor>
     </para>
   </refsect1>
 
diff --git a/bin/rndc/rndc.html b/bin/rndc/rndc.html
index 1817a2d5..b1b61fcb 100644
--- a/bin/rndc/rndc.html
+++ b/bin/rndc/rndc.html
@@ -1,111 +1,320 @@
 <!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- - 
+ - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001  Internet Software Consortium.
+ -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
- - 
+ -
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: rndc.html,v 1.7.2.19 2007/06/20 02:25:45 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>rndc</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476275"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p><span class="application">rndc</span> &#8212; name server control utility</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">rndc</code>  [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key-file</code></em></code>] [<code class="option">-s <em class="replaceable"><code>server</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-V</code>] [<code class="option">-y <em class="replaceable"><code>key_id</code></em></code>] {command}</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543393"></a><h2>DESCRIPTION</h2>
-<p>
-        <span><strong class="command">rndc</strong></span> controls the operation of a name
-	server.  It supersedes the <span><strong class="command">ndc</strong></span> utility
+
+<!-- $Id: rndc.html,v 1.7.2.1.4.1 2004/03/06 10:21:32 marka Exp $ -->
+
+<HTML
+><HEAD
+><TITLE
+>rndc</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.73
+"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+><SPAN
+CLASS="APPLICATION"
+>rndc</SPAN
+></A
+></H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN9"
+></A
+><H2
+>Name</H2
+><SPAN
+CLASS="APPLICATION"
+>rndc</SPAN
+>&nbsp;--&nbsp;name server control utility</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN13"
+></A
+><H2
+>Synopsis</H2
+><P
+><B
+CLASS="COMMAND"
+>rndc</B
+>  [<TT
+CLASS="OPTION"
+>-c <TT
+CLASS="REPLACEABLE"
+><I
+>config-file</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-k <TT
+CLASS="REPLACEABLE"
+><I
+>key-file</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-s <TT
+CLASS="REPLACEABLE"
+><I
+>server</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-p <TT
+CLASS="REPLACEABLE"
+><I
+>port</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-V</TT
+>] [<TT
+CLASS="OPTION"
+>-y <TT
+CLASS="REPLACEABLE"
+><I
+>key_id</I
+></TT
+></TT
+>] {command}</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN34"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+>        <B
+CLASS="COMMAND"
+>rndc</B
+> controls the operation of a name
+	server.  It supersedes the <B
+CLASS="COMMAND"
+>ndc</B
+> utility
 	that was provided in old BIND releases.  If
-	<span><strong class="command">rndc</strong></span> is invoked with no command line
+	<B
+CLASS="COMMAND"
+>rndc</B
+> is invoked with no command line
 	options or arguments, it prints a short summary of the
 	supported commands and the available options and their
 	arguments.
-    </p>
-<p>
-        <span><strong class="command">rndc</strong></span> communicates with the name server
+    </P
+><P
+>        <B
+CLASS="COMMAND"
+>rndc</B
+> communicates with the name server
 	over a TCP connection, sending commands authenticated with
 	digital signatures.  In the current versions of
-      <span><strong class="command">rndc</strong></span> and <span><strong class="command">named</strong></span>,
+	<B
+CLASS="COMMAND"
+>rndc</B
+> and <B
+CLASS="COMMAND"
+>named</B
+> named
         the only supported authentication algorithm is HMAC-MD5,
 	which uses a shared secret on each end of the connection.
 	This provides TSIG-style authentication for the command
 	request and the name server's response.  All commands sent
 	over the channel must be signed by a key_id known to the
 	server.
-    </p>
-<p>
-        <span><strong class="command">rndc</strong></span> reads a configuration file to
+    </P
+><P
+>        <B
+CLASS="COMMAND"
+>rndc</B
+> reads a configuration file to
 	determine how to contact the name server and decide what
 	algorithm and key it should use.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543433"></a><h2>OPTIONS</h2>
-<div class="variablelist"><dl>
-<dt><span class="term">-c <em class="replaceable"><code>config-file</code></em></span></dt>
-<dd><p>
-	      Use <em class="replaceable"><code>config-file</code></em>
+    </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN46"
+></A
+><H2
+>OPTIONS</H2
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+>-c <TT
+CLASS="REPLACEABLE"
+><I
+>config-file</I
+></TT
+></DT
+><DD
+><P
+>	      Use <TT
+CLASS="REPLACEABLE"
+><I
+>config-file</I
+></TT
+>
 	      as the configuration file instead of the default,
-	      <code class="filename">/etc/rndc.conf</code>.
-	  </p></dd>
-<dt><span class="term">-k <em class="replaceable"><code>key-file</code></em></span></dt>
-<dd><p>
-	      Use <em class="replaceable"><code>key-file</code></em>
+	      <TT
+CLASS="FILENAME"
+>/etc/rndc.conf</TT
+>.
+	  </P
+></DD
+><DT
+>-k <TT
+CLASS="REPLACEABLE"
+><I
+>key-file</I
+></TT
+></DT
+><DD
+><P
+>	      Use <TT
+CLASS="REPLACEABLE"
+><I
+>key-file</I
+></TT
+>
 	      as the key file instead of the default,
-	      <code class="filename">/etc/rndc.key</code>.  The key in
-	      <code class="filename">/etc/rndc.key</code> will be used to authenticate
-	      commands sent to the server if the <em class="replaceable"><code>config-file</code></em>
+	      <TT
+CLASS="FILENAME"
+>/etc/rndc.key</TT
+>.  The key in
+	      <TT
+CLASS="FILENAME"
+>/etc/rndc.key</TT
+> will be used to authenticate
+	      commands sent to the server if the <TT
+CLASS="REPLACEABLE"
+><I
+>config-file</I
+></TT
+>
 	      does not exist.
-	  </p></dd>
-<dt><span class="term">-s <em class="replaceable"><code>server</code></em></span></dt>
-<dd><p><em class="replaceable"><code>server</code></em> is
-	      the name or address of the server which matches a
-	      server statement in the configuration file for
-	      <span><strong class="command">rndc</strong></span>.  If no server is supplied on the
-	      command line, the host named by the default-server clause
-	      in the options statement of the <span><strong class="command">rndc</strong></span>
-	    configuration file will be used.
-	  </p></dd>
-<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
-<dd><p>
-	       Send commands to TCP port
-	       <em class="replaceable"><code>port</code></em> instead
+	  </P
+></DD
+><DT
+>-s <TT
+CLASS="REPLACEABLE"
+><I
+>server</I
+></TT
+></DT
+><DD
+><P
+>	       <TT
+CLASS="REPLACEABLE"
+><I
+>server</I
+></TT
+> is
+	       the name or address of the server which matches a
+	       server statement in the configuration file for
+	       <B
+CLASS="COMMAND"
+>rndc</B
+>.  If no server is supplied on the
+	       command line, the host named by the default-server clause
+	       in the option statement of the configuration file will be
+	       used.
+	  </P
+></DD
+><DT
+>-p <TT
+CLASS="REPLACEABLE"
+><I
+>port</I
+></TT
+></DT
+><DD
+><P
+>	       Send commands to TCP port
+	       <TT
+CLASS="REPLACEABLE"
+><I
+>port</I
+></TT
+> instead
 	       of BIND 9's default control channel port, 953.
-	  </p></dd>
-<dt><span class="term">-V</span></dt>
-<dd><p>
-	       Enable verbose logging.
-	  </p></dd>
-<dt><span class="term">-y <em class="replaceable"><code>key_id</code></em></span></dt>
-<dd><p>
-	       Use the key <em class="replaceable"><code>key_id</code></em>
+	  </P
+></DD
+><DT
+>-V</DT
+><DD
+><P
+>	       Enable verbose logging.
+	  </P
+></DD
+><DT
+>-y <TT
+CLASS="REPLACEABLE"
+><I
+>keyid</I
+></TT
+></DT
+><DD
+><P
+>	       Use the key <TT
+CLASS="REPLACEABLE"
+><I
+>keyid</I
+></TT
+>
 	       from the configuration file.
-	       <em class="replaceable"><code>key_id</code></em> must be
+	       <TT
+CLASS="REPLACEABLE"
+><I
+>keyid</I
+></TT
+> must be
 	       known by named with the same algorithm and secret string
 	       in order for control message validation to succeed.
-	       If no <em class="replaceable"><code>key_id</code></em>
-	       is specified, <span><strong class="command">rndc</strong></span> will first look
+	       If no <TT
+CLASS="REPLACEABLE"
+><I
+>keyid</I
+></TT
+>
+	       is specified, <B
+CLASS="COMMAND"
+>rndc</B
+> will first look
 	       for a key clause in the server statement of the server
 	       being used, or if no server statement is present for that
 	       host, then the default-key clause of the options statement.
@@ -113,43 +322,103 @@
 	       which are used to send authenticated control commands
 	       to name servers.  It should therefore not have general read
 	       or write access.
-	  </p></dd>
-</dl></div>
-<p>
-      For the complete set of commands supported by <span><strong class="command">rndc</strong></span>,
+	  </P
+></DD
+></DL
+></DIV
+><P
+>      For the complete set of commands supported by <B
+CLASS="COMMAND"
+>rndc</B
+>,
       see the BIND 9 Administrator Reference Manual or run
-      <span><strong class="command">rndc</strong></span> without arguments to see its help message.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543619"></a><h2>LIMITATIONS</h2>
-<p>
-        <span><strong class="command">rndc</strong></span> does not yet support all the commands of
-	the BIND 8 <span><strong class="command">ndc</strong></span> utility.
-    </p>
-<p>
-        There is currently no way to provide the shared secret for a
-        <code class="option">key_id</code> without using the configuration file.
-    </p>
-<p>
-        Several error messages could be clearer.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543648"></a><h2>SEE ALSO</h2>
-<p>
-      <span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
-      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
-      <span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
-      <span class="citerefentry"><span class="refentrytitle">ndc</span>(8)</span>,
-      <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543700"></a><h2>AUTHOR</h2>
-<p>
-        <span class="corpauthor">Internet Systems Consortium</span>
-    </p>
-</div>
-</div></body>
-</html>
+      <B
+CLASS="COMMAND"
+>rndc</B
+> without arguments to see its help message.
+    </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN94"
+></A
+><H2
+>LIMITATIONS</H2
+><P
+>        <B
+CLASS="COMMAND"
+>rndc</B
+> does not yet support all the commands of
+	the BIND 8 <B
+CLASS="COMMAND"
+>ndc</B
+> utility.
+    </P
+><P
+>        There is currently no way to provide the shared secret for a
+        <TT
+CLASS="OPTION"
+>key_id</TT
+> without using the configuration file.
+    </P
+><P
+>        Several error messages could be clearer.
+    </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN102"
+></A
+><H2
+>SEE ALSO</H2
+><P
+>      <SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>rndc.conf</SPAN
+>(5)</SPAN
+>,
+      <SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>named</SPAN
+>(8)</SPAN
+>,
+      <SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>named.conf</SPAN
+>(5)</SPAN
+>
+      <SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>ndc</SPAN
+>(8)</SPAN
+>,
+      <I
+CLASS="CITETITLE"
+>BIND 9 Administrator Reference Manual</I
+>.
+    </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN118"
+></A
+><H2
+>AUTHOR</H2
+><P
+>        Internet Software Consortium
+    </P
+></DIV
+></BODY
+></HTML
+>
diff --git a/bin/rndc/unix/Makefile.in b/bin/rndc/unix/Makefile.in
index cd9434da..0409a188 100644
--- a/bin/rndc/unix/Makefile.in
+++ b/bin/rndc/unix/Makefile.in
@@ -13,13 +13,13 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.1.2.1 2004/03/09 06:09:28 marka Exp $
+# $Id: Makefile.in,v 1.1.12.3 2004/03/08 04:04:24 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
 top_srcdir =	@top_srcdir@
 
-@BIND9_INCLUDES@
+@BIND9_MAKE_INCLUDES@
 
 CINCLUDES =	-I${srcdir}/include -I${srcdir}/../include \
 		${DNS_INCLUDES} ${ISC_INCLUDES}
diff --git a/bin/rndc/unix/os.c b/bin/rndc/unix/os.c
index 2278bc23..1adfdee9 100644
--- a/bin/rndc/unix/os.c
+++ b/bin/rndc/unix/os.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: os.c,v 1.5.2.1 2004/03/09 06:09:28 marka Exp $ */
+/* $Id: os.c,v 1.5.206.1 2004/03/06 10:21:33 marka Exp $ */
 
 #include <config.h>
 
diff --git a/bin/rndc/util.c b/bin/rndc/util.c
index fe495d27..249cbe2a 100644
--- a/bin/rndc/util.c
+++ b/bin/rndc/util.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: util.c,v 1.2.2.1 2004/03/09 06:09:27 marka Exp $ */
+/* $Id: util.c,v 1.2.206.1 2004/03/06 10:21:32 marka Exp $ */
 
 #include <config.h>
 
diff --git a/bin/rndc/util.h b/bin/rndc/util.h
index 43d6cb23..3c19cd44 100644
--- a/bin/rndc/util.h
+++ b/bin/rndc/util.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: util.h,v 1.5.2.1 2004/03/09 06:09:27 marka Exp $ */
+/* $Id: util.h,v 1.5.206.1 2004/03/06 10:21:32 marka Exp $ */
 
 #ifndef RNDC_UTIL_H
 #define RNDC_UTIL_H 1
diff --git a/bin/rndc/win32/confgen.dsp b/bin/rndc/win32/confgen.dsp
index 71944983..f0050c37 100644
--- a/bin/rndc/win32/confgen.dsp
+++ b/bin/rndc/win32/confgen.dsp
@@ -1,111 +1,115 @@
-# Microsoft Developer Studio Project File - Name="rndcconfgen" - Package Owner=<4>

-# Microsoft Developer Studio Generated Build File, Format Version 6.00

-# ** DO NOT EDIT **

-

-# TARGTYPE "Win32 (x86) Console Application" 0x0103

-

-CFG=rndcconfgen - Win32 Debug

-!MESSAGE This is not a valid makefile. To build this project using NMAKE,

-!MESSAGE use the Export Makefile command and run

-!MESSAGE 

-!MESSAGE NMAKE /f "confgen.mak".

-!MESSAGE 

-!MESSAGE You can specify a configuration when running NMAKE

-!MESSAGE by defining the macro CFG on the command line. For example:

-!MESSAGE 

-!MESSAGE NMAKE /f "confgen.mak" CFG="rndcconfgen - Win32 Debug"

-!MESSAGE 

-!MESSAGE Possible choices for configuration are:

-!MESSAGE 

-!MESSAGE "rndcconfgen - Win32 Release" (based on "Win32 (x86) Console Application")

-!MESSAGE "rndcconfgen - Win32 Debug" (based on "Win32 (x86) Console Application")

-!MESSAGE 

-

-# Begin Project

-# PROP AllowPerConfigDependencies 0

-# PROP Scc_ProjName ""

-# PROP Scc_LocalPath ""

-CPP=cl.exe

-RSC=rc.exe

-

-!IF  "$(CFG)" == "rndcconfgen - Win32 Release"

-

-# PROP BASE Use_MFC 0

-# PROP BASE Use_Debug_Libraries 0

-# PROP BASE Output_Dir "Release"

-# PROP BASE Intermediate_Dir "Release"

-# PROP BASE Target_Dir ""

-# PROP Use_MFC 0

-# PROP Use_Debug_Libraries 0

-# PROP Output_Dir "Release"

-# PROP Intermediate_Dir "Release"

-# PROP Ignore_Export_Lib 0

-# PROP Target_Dir ""

-# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c

-# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isccc/include" /I "../../../lib/isccfg/include" /D "WIN32" /D "NDEBUG" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /YX /FD /c

-# ADD BASE RSC /l 0x409 /d "NDEBUG"

-# ADD RSC /l 0x409 /d "NDEBUG"

-BSC32=bscmake.exe

-# ADD BASE BSC32 /nologo

-# ADD BSC32 /nologo

-LINK32=link.exe

-# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386

-# ADD LINK32 user32.lib advapi32.lib ws2_32.lib Release/util.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/isccfg/win32/Release/libisccfg.lib ../../../lib/isccc/win32/Release/libisccc.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/rndc-confgen.exe"

-

-!ELSEIF  "$(CFG)" == "rndcconfgen - Win32 Debug"

-

-# PROP BASE Use_MFC 0

-# PROP BASE Use_Debug_Libraries 1

-# PROP BASE Output_Dir "Debug"

-# PROP BASE Intermediate_Dir "Debug"

-# PROP BASE Target_Dir ""

-# PROP Use_MFC 0

-# PROP Use_Debug_Libraries 1

-# PROP Output_Dir "Debug"

-# PROP Intermediate_Dir "Debug"

-# PROP Ignore_Export_Lib 0

-# PROP Target_Dir ""

-# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c

-# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isccc/include" /I "../../../lib/isccfg/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c

-# SUBTRACT CPP /X /YX

-# ADD BASE RSC /l 0x409 /d "_DEBUG"

-# ADD RSC /l 0x409 /d "_DEBUG"

-BSC32=bscmake.exe

-# ADD BASE BSC32 /nologo

-# ADD BSC32 /nologo

-LINK32=link.exe

-# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept

-# ADD LINK32 user32.lib advapi32.lib ws2_32.lib Debug/util.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/isccfg/win32/Debug/libisccfg.lib ../../../lib/isccc/win32/Debug/libisccc.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/rndc-confgen.exe" /pdbtype:sept

-

-!ENDIF 

-

-# Begin Target

-

-# Name "rndcconfgen - Win32 Release"

-# Name "rndcconfgen - Win32 Debug"

-# Begin Group "Source Files"

-

-# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"

-# Begin Source File

-

-SOURCE=.\os.c

-# End Source File

-# Begin Source File

-

-SOURCE="..\rndc-confgen.c"

-# End Source File

-# End Group

-# Begin Group "Header Files"

-

-# PROP Default_Filter "h;hpp;hxx;hm;inl"

-# Begin Source File

-

-SOURCE=..\util.h

-# End Source File

-# End Group

-# Begin Group "Resource Files"

-

-# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"

-# End Group

-# End Target

-# End Project

+# Microsoft Developer Studio Project File - Name="rndcconfgen" - Package Owner=<4>
+# Microsoft Developer Studio Generated Build File, Format Version 6.00
+# ** DO NOT EDIT **
+
+# TARGTYPE "Win32 (x86) Console Application" 0x0103
+
+CFG=rndcconfgen - Win32 Debug
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,
+!MESSAGE use the Export Makefile command and run
+!MESSAGE 
+!MESSAGE NMAKE /f "confgen.mak".
+!MESSAGE 
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "confgen.mak" CFG="rndcconfgen - Win32 Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "rndcconfgen - Win32 Release" (based on "Win32 (x86) Console Application")
+!MESSAGE "rndcconfgen - Win32 Debug" (based on "Win32 (x86) Console Application")
+!MESSAGE 
+
+# Begin Project
+# PROP AllowPerConfigDependencies 0
+# PROP Scc_ProjName ""
+# PROP Scc_LocalPath ""
+CPP=cl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "rndcconfgen - Win32 Release"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 0
+# PROP BASE Output_Dir "Release"
+# PROP BASE Intermediate_Dir "Release"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 0
+# PROP Output_Dir "Release"
+# PROP Intermediate_Dir "Release"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
+# ADD CPP /nologo /MT /W3 /GX /O2 /I "./" /I "../../../" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/dns/sec/dst/include" /I "../../../lib/isccc/include" /I "../../../lib/isccfg/include" /D "WIN32" /D "NDEBUG" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
+# ADD BASE RSC /l 0x409 /d "NDEBUG"
+# ADD RSC /l 0x409 /d "NDEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/isccfg/win32/Release/libisccfg.lib ../../../lib/isccc/win32/Release/libisccc.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/rndc-confgen.exe"
+
+!ELSEIF  "$(CFG)" == "rndcconfgen - Win32 Debug"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 1
+# PROP BASE Output_Dir "Debug"
+# PROP BASE Intermediate_Dir "Debug"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 1
+# PROP Output_Dir "Debug"
+# PROP Intermediate_Dir "Debug"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c
+# ADD CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/dns/sec/dst/include" /I "../../../lib/isccc/include" /I "../../../lib/isccfg/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
+# SUBTRACT CPP /X /YX
+# ADD BASE RSC /l 0x409 /d "_DEBUG"
+# ADD RSC /l 0x409 /d "_DEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/isccfg/win32/Debug/libisccfg.lib ../../../lib/isccc/win32/Debug/libisccc.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/rndc-confgen.exe" /pdbtype:sept
+
+!ENDIF 
+
+# Begin Target
+
+# Name "rndcconfgen - Win32 Release"
+# Name "rndcconfgen - Win32 Debug"
+# Begin Group "Source Files"
+
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
+# Begin Source File
+
+SOURCE=.\os.c
+# End Source File
+# Begin Source File
+
+SOURCE="..\rndc-confgen.c"
+# End Source File
+# Begin Source File
+
+SOURCE=..\util.c
+# End Source File
+# End Group
+# Begin Group "Header Files"
+
+# PROP Default_Filter "h;hpp;hxx;hm;inl"
+# Begin Source File
+
+SOURCE=..\util.h
+# End Source File
+# End Group
+# Begin Group "Resource Files"
+
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"
+# End Group
+# End Target
+# End Project
diff --git a/bin/rndc/win32/confgen.dsw b/bin/rndc/win32/confgen.dsw
index 1b1f8884..126090eb 100644
--- a/bin/rndc/win32/confgen.dsw
+++ b/bin/rndc/win32/confgen.dsw
@@ -1,29 +1,29 @@
-Microsoft Developer Studio Workspace File, Format Version 6.00

-# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!

-

-###############################################################################

-

-Project: "confgen"=".\confgen.dsp" - Package Owner=<4>

-

-Package=<5>

-{{{

-}}}

-

-Package=<4>

-{{{

-}}}

-

-###############################################################################

-

-Global:

-

-Package=<5>

-{{{

-}}}

-

-Package=<3>

-{{{

-}}}

-

-###############################################################################

-

+Microsoft Developer Studio Workspace File, Format Version 6.00
+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!
+
+###############################################################################
+
+Project: "confgen"=".\confgen.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+}}}
+
+###############################################################################
+
+Global:
+
+Package=<5>
+{{{
+}}}
+
+Package=<3>
+{{{
+}}}
+
+###############################################################################
+
diff --git a/bin/rndc/win32/confgen.mak b/bin/rndc/win32/confgen.mak
index 55c6a8a7..043c0c45 100644
--- a/bin/rndc/win32/confgen.mak
+++ b/bin/rndc/win32/confgen.mak
@@ -1,313 +1,216 @@
-# Microsoft Developer Studio Generated NMAKE File, Based on confgen.dsp

-!IF "$(CFG)" == ""

-CFG=rndcconfgen - Win32 Debug

-!MESSAGE No configuration specified. Defaulting to rndcconfgen - Win32 Debug.

-!ENDIF 

-

-!IF "$(CFG)" != "rndcconfgen - Win32 Release" && "$(CFG)" != "rndcconfgen - Win32 Debug"

-!MESSAGE Invalid configuration "$(CFG)" specified.

-!MESSAGE You can specify a configuration when running NMAKE

-!MESSAGE by defining the macro CFG on the command line. For example:

-!MESSAGE 

-!MESSAGE NMAKE /f "confgen.mak" CFG="rndcconfgen - Win32 Debug"

-!MESSAGE 

-!MESSAGE Possible choices for configuration are:

-!MESSAGE 

-!MESSAGE "rndcconfgen - Win32 Release" (based on "Win32 (x86) Console Application")

-!MESSAGE "rndcconfgen - Win32 Debug" (based on "Win32 (x86) Console Application")

-!MESSAGE 

-!ERROR An invalid configuration is specified.

-!ENDIF 

-

-!IF "$(OS)" == "Windows_NT"

-NULL=

-!ELSE 

-NULL=nul

-!ENDIF 

-

-CPP=cl.exe

-RSC=rc.exe

-

-!IF  "$(CFG)" == "rndcconfgen - Win32 Release"

-_VC_MANIFEST_INC=0

-_VC_MANIFEST_BASENAME=__VC80

-!ELSE

-_VC_MANIFEST_INC=1

-_VC_MANIFEST_BASENAME=__VC80.Debug

-!ENDIF

-

-####################################################

-# Specifying name of temporary resource file used only in incremental builds:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res

-!else

-_VC_MANIFEST_AUTO_RES=

-!endif

-

-####################################################

-# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-

-#MT_SPECIAL_RETURN=1090650113

-#MT_SPECIAL_SWITCH=-notify_resource_update

-MT_SPECIAL_RETURN=0

-MT_SPECIAL_SWITCH=

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \

-if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \

-rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \

-link $** /out:$@ $(LFLAGS)

-

-!else

-

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1

-

-!endif

-

-####################################################

-# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-

-#MT_SPECIAL_RETURN=1090650113

-#MT_SPECIAL_SWITCH=-notify_resource_update

-MT_SPECIAL_RETURN=0

-MT_SPECIAL_SWITCH=

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \

-if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \

-rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \

-link $** /out:$@ $(LFLAGS)

-

-!else

-

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2

-

-!endif

-####################################################

-# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-

-_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \

-    $(_VC_MANIFEST_BASENAME).auto.rc \

-    $(_VC_MANIFEST_BASENAME).auto.manifest

-

-!else

-

-_VC_MANIFEST_CLEAN=

-

-!endif

-

-!IF  "$(CFG)" == "rndcconfgen - Win32 Release"

-

-OUTDIR=.\Release

-INTDIR=.\Release

-

-ALL : "..\..\..\Build\Release\rndc-confgen.exe"

-

-

-CLEAN :

-	-@erase "$(INTDIR)\os.obj"

-	-@erase "$(INTDIR)\rndc-confgen.obj"

-	-@erase "$(INTDIR)\util.obj"

-	-@erase "$(INTDIR)\vc60.idb"

-	-@erase "..\..\..\Build\Release\rndc-confgen.exe"

-	-@$(_VC_MANIFEST_CLEAN)

-

-"$(OUTDIR)" :

-    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"

-

-CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isccc/include" /I "../../../lib/isccfg/include" /D "WIN32" /D "NDEBUG" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\confgen.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 

-BSC32=bscmake.exe

-BSC32_FLAGS=/nologo /o"$(OUTDIR)\confgen.bsc" 

-BSC32_SBRS= \

-	

-LINK32=link.exe

-LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/isccfg/win32/Release/libisccfg.lib ../../../lib/isccc/win32/Release/libisccc.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\rndc-confgen.pdb" /machine:I386 /out:"../../../Build/Release/rndc-confgen.exe" 

-LINK32_OBJS= \

-	"$(INTDIR)\os.obj" \

-	"$(INTDIR)\rndc-confgen.obj" \

-	"$(INTDIR)\util.obj"

-

-"..\..\..\Build\Release\rndc-confgen.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)

-    $(LINK32) @<<

-  $(LINK32_FLAGS) $(LINK32_OBJS)

-<<

-    $(_VC_MANIFEST_EMBED_EXE)

-

-!ELSEIF  "$(CFG)" == "rndcconfgen - Win32 Debug"

-

-OUTDIR=.\Debug

-INTDIR=.\Debug

-# Begin Custom Macros

-OutDir=.\Debug

-# End Custom Macros

-

-ALL : "..\..\..\Build\Debug\rndc-confgen.exe" "$(OUTDIR)\confgen.bsc"

-

-

-CLEAN :

-	-@erase "$(INTDIR)\os.obj"

-	-@erase "$(INTDIR)\os.sbr"

-	-@erase "$(INTDIR)\rndc-confgen.obj"

-	-@erase "$(INTDIR)\rndc-confgen.sbr"

-	-@erase "$(INTDIR)\util.obj"

-	-@erase "$(INTDIR)\util.sbr"

-	-@erase "$(INTDIR)\vc60.idb"

-	-@erase "$(INTDIR)\vc60.pdb"

-	-@erase "$(OUTDIR)\confgen.bsc"

-	-@erase "$(OUTDIR)\rndc-confgen.pdb"

-	-@erase "..\..\..\Build\Debug\rndc-confgen.exe"

-	-@erase "..\..\..\Build\Debug\rndc-confgen.ilk"

-	-@$(_VC_MANIFEST_CLEAN)

-

-"$(OUTDIR)" :

-    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"

-

-CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isccc/include" /I "../../../lib/isccfg/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 

-BSC32=bscmake.exe

-BSC32_FLAGS=/nologo /o"$(OUTDIR)\confgen.bsc" 

-BSC32_SBRS= \

-	"$(INTDIR)\os.sbr" \

-	"$(INTDIR)\rndc-confgen.sbr" \

-	"$(INTDIR)\util.sbr"

-

-"$(OUTDIR)\confgen.bsc" : "$(OUTDIR)" $(BSC32_SBRS)

-    $(BSC32) @<<

-  $(BSC32_FLAGS) $(BSC32_SBRS)

-<<

-

-LINK32=link.exe

-LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/isccfg/win32/Debug/libisccfg.lib ../../../lib/isccc/win32/Debug/libisccc.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\rndc-confgen.pdb" /debug /machine:I386 /out:"../../../Build/Debug/rndc-confgen.exe" /pdbtype:sept 

-LINK32_OBJS= \

-	"$(INTDIR)\os.obj" \

-	"$(INTDIR)\rndc-confgen.obj" \

-	"$(INTDIR)\util.obj"

-

-"..\..\..\Build\Debug\rndc-confgen.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)

-    $(LINK32) @<<

-  $(LINK32_FLAGS) $(LINK32_OBJS)

-<<

-    $(_VC_MANIFEST_EMBED_EXE)

-

-!ENDIF 

-

-.c{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.c{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-

-!IF "$(NO_EXTERNAL_DEPS)" != "1"

-!IF EXISTS("confgen.dep")

-!INCLUDE "confgen.dep"

-!ELSE 

-!MESSAGE Warning: cannot find "confgen.dep"

-!ENDIF 

-!ENDIF 

-

-

-!IF "$(CFG)" == "rndcconfgen - Win32 Release" || "$(CFG)" == "rndcconfgen - Win32 Debug"

-SOURCE=.\os.c

-

-!IF  "$(CFG)" == "rndcconfgen - Win32 Release"

-

-

-"$(INTDIR)\os.obj" : $(SOURCE) "$(INTDIR)"

-

-

-!ELSEIF  "$(CFG)" == "rndcconfgen - Win32 Debug"

-

-

-"$(INTDIR)\os.obj"	"$(INTDIR)\os.sbr" : $(SOURCE) "$(INTDIR)"

-

-

-!ENDIF 

-

-SOURCE="..\rndc-confgen.c"

-

-!IF  "$(CFG)" == "rndcconfgen - Win32 Release"

-

-

-"$(INTDIR)\rndc-confgen.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "rndcconfgen - Win32 Debug"

-

-

-"$(INTDIR)\rndc-confgen.obj"	"$(INTDIR)\rndc-confgen.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\util.c

-

-!IF  "$(CFG)" == "rndcconfgen - Win32 Release"

-

-

-"$(INTDIR)\util.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "rndcconfgen - Win32 Debug"

-

-

-"$(INTDIR)\util.obj"	"$(INTDIR)\util.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-

-!ENDIF 

-

-####################################################

-# Commands to generate initial empty manifest file and the RC file

-# that references it, and for generating the .res file:

-

-$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc

-

-$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest

-    type <<$@

-#include <winuser.h>

-1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"

-<< KEEP

-

-$(_VC_MANIFEST_BASENAME).auto.manifest :

-    type <<$@

-<?xml version='1.0' encoding='UTF-8' standalone='yes'?>

-<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>

-</assembly>

-<< KEEP

+# Microsoft Developer Studio Generated NMAKE File, Based on confgen.dsp
+!IF "$(CFG)" == ""
+CFG=rndcconfgen - Win32 Debug
+!MESSAGE No configuration specified. Defaulting to rndcconfgen - Win32 Debug.
+!ENDIF 
+
+!IF "$(CFG)" != "rndcconfgen - Win32 Release" && "$(CFG)" != "rndcconfgen - Win32 Debug"
+!MESSAGE Invalid configuration "$(CFG)" specified.
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "confgen.mak" CFG="rndcconfgen - Win32 Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "rndcconfgen - Win32 Release" (based on "Win32 (x86) Console Application")
+!MESSAGE "rndcconfgen - Win32 Debug" (based on "Win32 (x86) Console Application")
+!MESSAGE 
+!ERROR An invalid configuration is specified.
+!ENDIF 
+
+!IF "$(OS)" == "Windows_NT"
+NULL=
+!ELSE 
+NULL=nul
+!ENDIF 
+
+CPP=cl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "rndcconfgen - Win32 Release"
+
+OUTDIR=.\Release
+INTDIR=.\Release
+
+ALL : "..\..\..\Build\Release\rndc-confgen.exe"
+
+
+CLEAN :
+	-@erase "$(INTDIR)\os.obj"
+	-@erase "$(INTDIR)\rndc-confgen.obj"
+	-@erase "$(INTDIR)\util.obj"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "..\..\..\Build\Release\rndc-confgen.exe"
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP_PROJ=/nologo /MT /W3 /GX /O2 /I "./" /I "../../../" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/dns/sec/dst/include" /I "../../../lib/isccc/include" /I "../../../lib/isccfg/include" /D "WIN32" /D "NDEBUG" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\confgen.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\confgen.bsc" 
+BSC32_SBRS= \
+	
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/isccfg/win32/Release/libisccfg.lib ../../../lib/isccc/win32/Release/libisccc.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\rndc-confgen.pdb" /machine:I386 /out:"../../../Build/Release/rndc-confgen.exe" 
+LINK32_OBJS= \
+	"$(INTDIR)\os.obj" \
+	"$(INTDIR)\rndc-confgen.obj" \
+	"$(INTDIR)\util.obj"
+
+"..\..\..\Build\Release\rndc-confgen.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+
+!ELSEIF  "$(CFG)" == "rndcconfgen - Win32 Debug"
+
+OUTDIR=.\Debug
+INTDIR=.\Debug
+# Begin Custom Macros
+OutDir=.\Debug
+# End Custom Macros
+
+ALL : "..\..\..\Build\Debug\rndc-confgen.exe" "$(OUTDIR)\confgen.bsc"
+
+
+CLEAN :
+	-@erase "$(INTDIR)\os.obj"
+	-@erase "$(INTDIR)\os.sbr"
+	-@erase "$(INTDIR)\rndc-confgen.obj"
+	-@erase "$(INTDIR)\rndc-confgen.sbr"
+	-@erase "$(INTDIR)\util.obj"
+	-@erase "$(INTDIR)\util.sbr"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "$(INTDIR)\vc60.pdb"
+	-@erase "$(OUTDIR)\confgen.bsc"
+	-@erase "$(OUTDIR)\rndc-confgen.pdb"
+	-@erase "..\..\..\Build\Debug\rndc-confgen.exe"
+	-@erase "..\..\..\Build\Debug\rndc-confgen.ilk"
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP_PROJ=/nologo /MTd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/dns/sec/dst/include" /I "../../../lib/isccc/include" /I "../../../lib/isccfg/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\confgen.bsc" 
+BSC32_SBRS= \
+	"$(INTDIR)\os.sbr" \
+	"$(INTDIR)\rndc-confgen.sbr" \
+	"$(INTDIR)\util.sbr"
+
+"$(OUTDIR)\confgen.bsc" : "$(OUTDIR)" $(BSC32_SBRS)
+    $(BSC32) @<<
+  $(BSC32_FLAGS) $(BSC32_SBRS)
+<<
+
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/isccfg/win32/Debug/libisccfg.lib ../../../lib/isccc/win32/Debug/libisccc.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\rndc-confgen.pdb" /debug /machine:I386 /out:"../../../Build/Debug/rndc-confgen.exe" /pdbtype:sept 
+LINK32_OBJS= \
+	"$(INTDIR)\os.obj" \
+	"$(INTDIR)\rndc-confgen.obj" \
+	"$(INTDIR)\util.obj"
+
+"..\..\..\Build\Debug\rndc-confgen.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+
+!ENDIF 
+
+.c{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+
+!IF "$(NO_EXTERNAL_DEPS)" != "1"
+!IF EXISTS("confgen.dep")
+!INCLUDE "confgen.dep"
+!ELSE 
+!MESSAGE Warning: cannot find "confgen.dep"
+!ENDIF 
+!ENDIF 
+
+
+!IF "$(CFG)" == "rndcconfgen - Win32 Release" || "$(CFG)" == "rndcconfgen - Win32 Debug"
+SOURCE=.\os.c
+
+!IF  "$(CFG)" == "rndcconfgen - Win32 Release"
+
+
+"$(INTDIR)\os.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "rndcconfgen - Win32 Debug"
+
+
+"$(INTDIR)\os.obj"	"$(INTDIR)\os.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF 
+
+SOURCE="..\rndc-confgen.c"
+
+!IF  "$(CFG)" == "rndcconfgen - Win32 Release"
+
+
+"$(INTDIR)\rndc-confgen.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "rndcconfgen - Win32 Debug"
+
+
+"$(INTDIR)\rndc-confgen.obj"	"$(INTDIR)\rndc-confgen.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\util.c
+
+!IF  "$(CFG)" == "rndcconfgen - Win32 Release"
+
+
+"$(INTDIR)\util.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "rndcconfgen - Win32 Debug"
+
+
+"$(INTDIR)\util.obj"	"$(INTDIR)\util.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+
+!ENDIF 
+
diff --git a/bin/rndc/win32/os.c b/bin/rndc/win32/os.c
index 668a2408..c213aeec 100644
--- a/bin/rndc/win32/os.c
+++ b/bin/rndc/win32/os.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: os.c,v 1.2.2.1 2004/03/09 06:09:29 marka Exp $ */
+/* $Id: os.c,v 1.2.12.3 2004/03/08 04:04:24 marka Exp $ */
 
 #include <config.h>
 
@@ -26,6 +26,7 @@
 #include <sys/types.h>
 #include <errno.h>
 #include <stdio.h>
+#include <io.h>
 #include <sys/stat.h>
 
 int
diff --git a/bin/rndc/win32/rndc.dsp b/bin/rndc/win32/rndc.dsp
index 18c5165a..9b59a510 100644
--- a/bin/rndc/win32/rndc.dsp
+++ b/bin/rndc/win32/rndc.dsp
@@ -1,107 +1,111 @@
-# Microsoft Developer Studio Project File - Name="rndc" - Package Owner=<4>

-# Microsoft Developer Studio Generated Build File, Format Version 6.00

-# ** DO NOT EDIT **

-

-# TARGTYPE "Win32 (x86) Console Application" 0x0103

-

-CFG=rndc - Win32 Debug

-!MESSAGE This is not a valid makefile. To build this project using NMAKE,

-!MESSAGE use the Export Makefile command and run

-!MESSAGE 

-!MESSAGE NMAKE /f "rndc.mak".

-!MESSAGE 

-!MESSAGE You can specify a configuration when running NMAKE

-!MESSAGE by defining the macro CFG on the command line. For example:

-!MESSAGE 

-!MESSAGE NMAKE /f "rndc.mak" CFG="rndc - Win32 Debug"

-!MESSAGE 

-!MESSAGE Possible choices for configuration are:

-!MESSAGE 

-!MESSAGE "rndc - Win32 Release" (based on "Win32 (x86) Console Application")

-!MESSAGE "rndc - Win32 Debug" (based on "Win32 (x86) Console Application")

-!MESSAGE 

-

-# Begin Project

-# PROP AllowPerConfigDependencies 0

-# PROP Scc_ProjName ""

-# PROP Scc_LocalPath ""

-CPP=cl.exe

-RSC=rc.exe

-

-!IF  "$(CFG)" == "rndc - Win32 Release"

-

-# PROP BASE Use_MFC 0

-# PROP BASE Use_Debug_Libraries 0

-# PROP BASE Output_Dir "Release"

-# PROP BASE Intermediate_Dir "Release"

-# PROP BASE Target_Dir ""

-# PROP Use_MFC 0

-# PROP Use_Debug_Libraries 0

-# PROP Output_Dir "Release"

-# PROP Intermediate_Dir "Release"

-# PROP Ignore_Export_Lib 0

-# PROP Target_Dir ""

-# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c

-# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccc/include" /I "../../../lib/isccfg/include" /D "WIN32" /D "NDEBUG" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /YX /FD /c

-# ADD BASE RSC /l 0x409 /d "NDEBUG"

-# ADD RSC /l 0x409 /d "NDEBUG"

-BSC32=bscmake.exe

-# ADD BASE BSC32 /nologo

-# ADD BSC32 /nologo

-LINK32=link.exe

-# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386

-# ADD LINK32 user32.lib advapi32.lib ws2_32.lib Release/util.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/isccfg/win32/Release/libisccfg.lib ../../../lib/isccc/win32/Release/libisccc.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/rndc.exe"

-

-!ELSEIF  "$(CFG)" == "rndc - Win32 Debug"

-

-# PROP BASE Use_MFC 0

-# PROP BASE Use_Debug_Libraries 1

-# PROP BASE Output_Dir "Debug"

-# PROP BASE Intermediate_Dir "Debug"

-# PROP BASE Target_Dir ""

-# PROP Use_MFC 0

-# PROP Use_Debug_Libraries 1

-# PROP Output_Dir "Debug"

-# PROP Intermediate_Dir "Debug"

-# PROP Ignore_Export_Lib 0

-# PROP Target_Dir ""

-# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c

-# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccc/include" /I "../../../lib/isccfg/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c

-# SUBTRACT CPP /X /YX

-# ADD BASE RSC /l 0x409 /d "_DEBUG"

-# ADD RSC /l 0x409 /d "_DEBUG"

-BSC32=bscmake.exe

-# ADD BASE BSC32 /nologo

-# ADD BSC32 /nologo

-LINK32=link.exe

-# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept

-# ADD LINK32 user32.lib advapi32.lib ws2_32.lib Debug/util.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/isccfg/win32/Debug/libisccfg.lib ../../../lib/isccc/win32/Debug/libisccc.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/rndc.exe" /pdbtype:sept

-

-!ENDIF 

-

-# Begin Target

-

-# Name "rndc - Win32 Release"

-# Name "rndc - Win32 Debug"

-# Begin Group "Source Files"

-

-# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"

-# Begin Source File

-

-SOURCE=..\rndc.c

-# End Source File

-# End Group

-# Begin Group "Header Files"

-

-# PROP Default_Filter "h;hpp;hxx;hm;inl"

-# Begin Source File

-

-SOURCE=..\util.h

-# End Source File

-# End Group

-# Begin Group "Resource Files"

-

-# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"

-# End Group

-# End Target

-# End Project

+# Microsoft Developer Studio Project File - Name="rndc" - Package Owner=<4>
+# Microsoft Developer Studio Generated Build File, Format Version 6.00
+# ** DO NOT EDIT **
+
+# TARGTYPE "Win32 (x86) Console Application" 0x0103
+
+CFG=rndc - Win32 Debug
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,
+!MESSAGE use the Export Makefile command and run
+!MESSAGE 
+!MESSAGE NMAKE /f "rndc.mak".
+!MESSAGE 
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "rndc.mak" CFG="rndc - Win32 Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "rndc - Win32 Release" (based on "Win32 (x86) Console Application")
+!MESSAGE "rndc - Win32 Debug" (based on "Win32 (x86) Console Application")
+!MESSAGE 
+
+# Begin Project
+# PROP AllowPerConfigDependencies 0
+# PROP Scc_ProjName ""
+# PROP Scc_LocalPath ""
+CPP=cl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "rndc - Win32 Release"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 0
+# PROP BASE Output_Dir "Release"
+# PROP BASE Intermediate_Dir "Release"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 0
+# PROP Output_Dir "Release"
+# PROP Intermediate_Dir "Release"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
+# ADD CPP /nologo /MT /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccc/include" /I "../../../lib/isccfg/include" /I "../../../lib/bind9/include" /D "WIN32" /D "NDEBUG" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
+# ADD BASE RSC /l 0x409 /d "NDEBUG"
+# ADD RSC /l 0x409 /d "NDEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/isccfg/win32/Release/libisccfg.lib ../../../lib/isccc/win32/Release/libisccc.lib  ../../../lib/bind9/win32/Release/libbind9.lib /nologo /subsystem:console /profile /machine:I386 /out:"../../../Build/Release/rndc.exe"
+
+!ELSEIF  "$(CFG)" == "rndc - Win32 Debug"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 1
+# PROP BASE Output_Dir "Debug"
+# PROP BASE Intermediate_Dir "Debug"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 1
+# PROP Output_Dir "Debug"
+# PROP Intermediate_Dir "Debug"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c
+# ADD CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccc/include" /I "../../../lib/isccfg/include" /I "../../../lib/bind9/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
+# SUBTRACT CPP /X /YX
+# ADD BASE RSC /l 0x409 /d "_DEBUG"
+# ADD RSC /l 0x409 /d "_DEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/isccfg/win32/Debug/libisccfg.lib ../../../lib/isccc/win32/Debug/libisccc.lib  ../../../lib/bind9/win32/Debug/libbind9.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/rndc.exe" /pdbtype:sept
+
+!ENDIF 
+
+# Begin Target
+
+# Name "rndc - Win32 Release"
+# Name "rndc - Win32 Debug"
+# Begin Group "Source Files"
+
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
+# Begin Source File
+
+SOURCE=..\rndc.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\util.c
+# End Source File
+# End Group
+# Begin Group "Header Files"
+
+# PROP Default_Filter "h;hpp;hxx;hm;inl"
+# Begin Source File
+
+SOURCE=..\util.h
+# End Source File
+# End Group
+# Begin Group "Resource Files"
+
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"
+# End Group
+# End Target
+# End Project
diff --git a/bin/rndc/win32/rndc.dsw b/bin/rndc/win32/rndc.dsw
index 97d3e438..ceeaa8d3 100644
--- a/bin/rndc/win32/rndc.dsw
+++ b/bin/rndc/win32/rndc.dsw
@@ -1,29 +1,29 @@
-Microsoft Developer Studio Workspace File, Format Version 6.00

-# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!

-

-###############################################################################

-

-Project: "rndc"=".\rndc.dsp" - Package Owner=<4>

-

-Package=<5>

-{{{

-}}}

-

-Package=<4>

-{{{

-}}}

-

-###############################################################################

-

-Global:

-

-Package=<5>

-{{{

-}}}

-

-Package=<3>

-{{{

-}}}

-

-###############################################################################

-

+Microsoft Developer Studio Workspace File, Format Version 6.00
+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!
+
+###############################################################################
+
+Project: "rndc"=".\rndc.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+}}}
+
+###############################################################################
+
+Global:
+
+Package=<5>
+{{{
+}}}
+
+Package=<3>
+{{{
+}}}
+
+###############################################################################
+
diff --git a/bin/rndc/win32/rndc.mak b/bin/rndc/win32/rndc.mak
index 0b6ffb3e..c03697f6 100644
--- a/bin/rndc/win32/rndc.mak
+++ b/bin/rndc/win32/rndc.mak
@@ -1,324 +1,328 @@
-# Microsoft Developer Studio Generated NMAKE File, Based on rndc.dsp

-!IF "$(CFG)" == ""

-CFG=rndc - Win32 Debug

-!MESSAGE No configuration specified. Defaulting to rndc - Win32 Debug.

-!ENDIF 

-

-!IF "$(CFG)" != "rndc - Win32 Release" && "$(CFG)" != "rndc - Win32 Debug"

-!MESSAGE Invalid configuration "$(CFG)" specified.

-!MESSAGE You can specify a configuration when running NMAKE

-!MESSAGE by defining the macro CFG on the command line. For example:

-!MESSAGE 

-!MESSAGE NMAKE /f "rndc.mak" CFG="rndc - Win32 Debug"

-!MESSAGE 

-!MESSAGE Possible choices for configuration are:

-!MESSAGE 

-!MESSAGE "rndc - Win32 Release" (based on "Win32 (x86) Console Application")

-!MESSAGE "rndc - Win32 Debug" (based on "Win32 (x86) Console Application")

-!MESSAGE 

-!ERROR An invalid configuration is specified.

-!ENDIF 

-

-!IF "$(OS)" == "Windows_NT"

-NULL=

-!ELSE 

-NULL=nul

-!ENDIF 

-

-!IF  "$(CFG)" == "rndc - Win32 Release"

-_VC_MANIFEST_INC=0

-_VC_MANIFEST_BASENAME=__VC80

-!ELSE

-_VC_MANIFEST_INC=1

-_VC_MANIFEST_BASENAME=__VC80.Debug

-!ENDIF

-

-####################################################

-# Specifying name of temporary resource file used only in incremental builds:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res

-!else

-_VC_MANIFEST_AUTO_RES=

-!endif

-

-####################################################

-# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-

-#MT_SPECIAL_RETURN=1090650113

-#MT_SPECIAL_SWITCH=-notify_resource_update

-MT_SPECIAL_RETURN=0

-MT_SPECIAL_SWITCH=

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \

-if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \

-rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \

-link $** /out:$@ $(LFLAGS)

-

-!else

-

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1

-

-!endif

-

-####################################################

-# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-

-#MT_SPECIAL_RETURN=1090650113

-#MT_SPECIAL_SWITCH=-notify_resource_update

-MT_SPECIAL_RETURN=0

-MT_SPECIAL_SWITCH=

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \

-if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \

-rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \

-link $** /out:$@ $(LFLAGS)

-

-!else

-

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2

-

-!endif

-####################################################

-# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-

-_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \

-    $(_VC_MANIFEST_BASENAME).auto.rc \

-    $(_VC_MANIFEST_BASENAME).auto.manifest

-

-!else

-

-_VC_MANIFEST_CLEAN=

-

-!endif

-

-!IF  "$(CFG)" == "rndc - Win32 Release"

-

-OUTDIR=.\Release

-INTDIR=.\Release

-

-ALL : "..\..\..\Build\Release\rndc.exe"

-

-

-CLEAN :

-	-@erase "$(INTDIR)\rndc.obj"

-	-@erase "$(INTDIR)\util.obj"

-	-@erase "$(INTDIR)\vc60.idb"

-	-@erase "..\..\..\Build\Release\rndc.exe"

-	-@$(_VC_MANIFEST_CLEAN)

-

-"$(OUTDIR)" :

-    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"

-

-CPP=cl.exe

-CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccc/include" /I "../../../lib/isccfg/include" /D "WIN32" /D "NDEBUG" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\rndc.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 

-

-.c{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.c{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-RSC=rc.exe

-BSC32=bscmake.exe

-BSC32_FLAGS=/nologo /o"$(OUTDIR)\rndc.bsc" 

-BSC32_SBRS= \

-	

-LINK32=link.exe

-LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/isccfg/win32/Release/libisccfg.lib ../../../lib/isccc/win32/Release/libisccc.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\rndc.pdb" /machine:I386 /out:"../../../Build/Release/rndc.exe" 

-LINK32_OBJS= \

-	"$(INTDIR)\rndc.obj" \

-	"$(INTDIR)\util.obj"

-

-"..\..\..\Build\Release\rndc.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)

-    $(LINK32) @<<

-  $(LINK32_FLAGS) $(LINK32_OBJS)

-<<

-    $(_VC_MANIFEST_EMBED_EXE)

-

-!ELSEIF  "$(CFG)" == "rndc - Win32 Debug"

-

-OUTDIR=.\Debug

-INTDIR=.\Debug

-# Begin Custom Macros

-OutDir=.\Debug

-# End Custom Macros

-

-ALL : "..\..\..\Build\Debug\rndc.exe" "$(OUTDIR)\rndc.bsc"

-

-

-CLEAN :

-	-@erase "$(INTDIR)\rndc.obj"

-	-@erase "$(INTDIR)\rndc.sbr"

-	-@erase "$(INTDIR)\util.obj"

-	-@erase "$(INTDIR)\util.sbr"

-	-@erase "$(INTDIR)\vc60.idb"

-	-@erase "$(INTDIR)\vc60.pdb"

-	-@erase "$(OUTDIR)\rndc.bsc"

-	-@erase "$(OUTDIR)\rndc.pdb"

-	-@erase "..\..\..\Build\Debug\rndc.exe"

-	-@erase "..\..\..\Build\Debug\rndc.ilk"

-	-@$(_VC_MANIFEST_CLEAN)

-

-"$(OUTDIR)" :

-    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"

-

-CPP=cl.exe

-CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccc/include" /I "../../../lib/isccfg/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 

-

-.c{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.c{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-RSC=rc.exe

-BSC32=bscmake.exe

-BSC32_FLAGS=/nologo /o"$(OUTDIR)\rndc.bsc" 

-BSC32_SBRS= \

-	"$(INTDIR)\rndc.sbr" \

-	"$(INTDIR)\util.sbr"

-

-"$(OUTDIR)\rndc.bsc" : "$(OUTDIR)" $(BSC32_SBRS)

-    $(BSC32) @<<

-  $(BSC32_FLAGS) $(BSC32_SBRS)

-<<

-

-LINK32=link.exe

-LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/isccfg/win32/Debug/libisccfg.lib ../../../lib/isccc/win32/Debug/libisccc.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\rndc.pdb" /debug /machine:I386 /out:"../../../Build/Debug/rndc.exe" /pdbtype:sept 

-LINK32_OBJS= \

-	"$(INTDIR)\rndc.obj" \

-	"$(INTDIR)\util.obj"

-

-"..\..\..\Build\Debug\rndc.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)

-    $(LINK32) @<<

-  $(LINK32_FLAGS) $(LINK32_OBJS)

-<<

-    $(_VC_MANIFEST_EMBED_EXE)

-

-!ENDIF 

-

-

-!IF "$(NO_EXTERNAL_DEPS)" != "1"

-!IF EXISTS("rndc.dep")

-!INCLUDE "rndc.dep"

-!ELSE 

-!MESSAGE Warning: cannot find "rndc.dep"

-!ENDIF 

-!ENDIF 

-

-

-!IF "$(CFG)" == "rndc - Win32 Release" || "$(CFG)" == "rndc - Win32 Debug"

-SOURCE=..\rndc.c

-

-!IF  "$(CFG)" == "rndc - Win32 Release"

-

-

-"$(INTDIR)\rndc.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "rndc - Win32 Debug"

-

-

-"$(INTDIR)\rndc.obj"	"$(INTDIR)\rndc.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\util.c

-

-!IF  "$(CFG)" == "rndc - Win32 Release"

-

-

-"$(INTDIR)\util.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "rndc - Win32 Debug"

-

-

-"$(INTDIR)\util.obj"	"$(INTDIR)\util.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-

-!ENDIF 

-

-####################################################

-# Commands to generate initial empty manifest file and the RC file

-# that references it, and for generating the .res file:

-

-$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc

-

-$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest

-    type <<$@

-#include <winuser.h>

-1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"

-<< KEEP

-

-$(_VC_MANIFEST_BASENAME).auto.manifest :

-    type <<$@

-<?xml version='1.0' encoding='UTF-8' standalone='yes'?>

-<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>

-</assembly>

-<< KEEP

+# Microsoft Developer Studio Generated NMAKE File, Based on rndc.dsp
+!IF "$(CFG)" == ""
+CFG=rndc - Win32 Debug
+!MESSAGE No configuration specified. Defaulting to rndc - Win32 Debug.
+!ENDIF 
+
+!IF "$(CFG)" != "rndc - Win32 Release" && "$(CFG)" != "rndc - Win32 Debug"
+!MESSAGE Invalid configuration "$(CFG)" specified.
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "rndc.mak" CFG="rndc - Win32 Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "rndc - Win32 Release" (based on "Win32 (x86) Console Application")
+!MESSAGE "rndc - Win32 Debug" (based on "Win32 (x86) Console Application")
+!MESSAGE 
+!ERROR An invalid configuration is specified.
+!ENDIF 
+
+!IF "$(OS)" == "Windows_NT"
+NULL=
+!ELSE 
+NULL=nul
+!ENDIF 
+
+CPP=cl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "rndc - Win32 Release"
+
+OUTDIR=.\Release
+INTDIR=.\Release
+
+!IF "$(RECURSE)" == "0" 
+
+ALL : "..\..\..\Build\Release\rndc.exe"
+
+!ELSE 
+
+ALL : "libbind9 - Win32 Release" "libisccfg - Win32 Release" "libisccc - Win32 Release" "libisc - Win32 Release" "..\..\..\Build\Release\rndc.exe"
+
+!ENDIF 
+
+!IF "$(RECURSE)" == "1" 
+CLEAN :"libisc - Win32 ReleaseCLEAN" "libisccc - Win32 ReleaseCLEAN" "libisccfg - Win32 ReleaseCLEAN" "libbind9 - Win32 ReleaseCLEAN" 
+!ELSE 
+CLEAN :
+!ENDIF 
+	-@erase "$(INTDIR)\rndc.obj"
+	-@erase "$(INTDIR)\util.obj"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "..\..\..\Build\Release\rndc.exe"
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP_PROJ=/nologo /MT /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccc/include" /I "../../../lib/isccfg/include" /I "../../../lib/bind9/include" /D "WIN32" /D "NDEBUG" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\rndc.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\rndc.bsc" 
+BSC32_SBRS= \
+	
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/isccfg/win32/Release/libisccfg.lib ../../../lib/isccc/win32/Release/libisccc.lib  ../../../lib/bind9/win32/Release/libbind9.lib /nologo /subsystem:console /profile /machine:I386 /out:"../../../Build/Release/rndc.exe" 
+LINK32_OBJS= \
+	"$(INTDIR)\rndc.obj" \
+	"$(INTDIR)\util.obj" \
+	"..\..\..\lib\isc\win32\Release\libisc.lib" \
+	"..\..\..\lib\isccc\win32\Release\libisccc.lib" \
+	"..\..\..\lib\isccfg\win32\Release\libisccfg.lib" \
+	"..\..\..\lib\bind9\win32\Release\libbind9.lib"
+
+"..\..\..\Build\Release\rndc.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+
+!ELSEIF  "$(CFG)" == "rndc - Win32 Debug"
+
+OUTDIR=.\Debug
+INTDIR=.\Debug
+# Begin Custom Macros
+OutDir=.\Debug
+# End Custom Macros
+
+!IF "$(RECURSE)" == "0" 
+
+ALL : "..\..\..\Build\Debug\rndc.exe" "$(OUTDIR)\rndc.bsc"
+
+!ELSE 
+
+ALL : "libbind9 - Win32 Debug" "libisccfg - Win32 Debug" "libisccc - Win32 Debug" "libisc - Win32 Debug" "..\..\..\Build\Debug\rndc.exe" "$(OUTDIR)\rndc.bsc"
+
+!ENDIF 
+
+!IF "$(RECURSE)" == "1" 
+CLEAN :"libisc - Win32 DebugCLEAN" "libisccc - Win32 DebugCLEAN" "libisccfg - Win32 DebugCLEAN" "libbind9 - Win32 DebugCLEAN" 
+!ELSE 
+CLEAN :
+!ENDIF 
+	-@erase "$(INTDIR)\rndc.obj"
+	-@erase "$(INTDIR)\rndc.sbr"
+	-@erase "$(INTDIR)\util.obj"
+	-@erase "$(INTDIR)\util.sbr"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "$(INTDIR)\vc60.pdb"
+	-@erase "$(OUTDIR)\rndc.bsc"
+	-@erase "$(OUTDIR)\rndc.pdb"
+	-@erase "..\..\..\Build\Debug\rndc.exe"
+	-@erase "..\..\..\Build\Debug\rndc.ilk"
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP_PROJ=/nologo /MTd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isccc/include" /I "../../../lib/isccfg/include" /I "../../../lib/bind9/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\rndc.bsc" 
+BSC32_SBRS= \
+	"$(INTDIR)\rndc.sbr" \
+	"$(INTDIR)\util.sbr"
+
+"$(OUTDIR)\rndc.bsc" : "$(OUTDIR)" $(BSC32_SBRS)
+    $(BSC32) @<<
+  $(BSC32_FLAGS) $(BSC32_SBRS)
+<<
+
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/isccfg/win32/Debug/libisccfg.lib ../../../lib/isccc/win32/Debug/libisccc.lib  ../../../lib/bind9/win32/Debug/libbind9.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\rndc.pdb" /debug /machine:I386 /out:"../../../Build/Debug/rndc.exe" /pdbtype:sept 
+LINK32_OBJS= \
+	"$(INTDIR)\rndc.obj" \
+	"$(INTDIR)\util.obj" \
+	"..\..\..\lib\isc\win32\Debug\libisc.lib" \
+	"..\..\..\lib\isccc\win32\Debug\libisccc.lib" \
+	"..\..\..\lib\isccfg\win32\Debug\libisccfg.lib" \
+	"..\..\..\lib\bind9\win32\Debug\libbind9.lib"
+
+"..\..\..\Build\Debug\rndc.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+
+!ENDIF 
+
+.c{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+
+!IF "$(NO_EXTERNAL_DEPS)" != "1"
+!IF EXISTS("rndc.dep")
+!INCLUDE "rndc.dep"
+!ELSE 
+!MESSAGE Warning: cannot find "rndc.dep"
+!ENDIF 
+!ENDIF 
+
+
+!IF "$(CFG)" == "rndc - Win32 Release" || "$(CFG)" == "rndc - Win32 Debug"
+SOURCE=..\rndc.c
+
+!IF  "$(CFG)" == "rndc - Win32 Release"
+
+
+"$(INTDIR)\rndc.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "rndc - Win32 Debug"
+
+
+"$(INTDIR)\rndc.obj"	"$(INTDIR)\rndc.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\util.c
+
+!IF  "$(CFG)" == "rndc - Win32 Release"
+
+
+"$(INTDIR)\util.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "rndc - Win32 Debug"
+
+
+"$(INTDIR)\util.obj"	"$(INTDIR)\util.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+!IF  "$(CFG)" == "rndc - Win32 Release"
+
+"libisc - Win32 Release" : 
+   cd "..\..\..\lib\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - Win32 Release" 
+   cd "..\..\..\bin\rndc\win32"
+
+"libisc - Win32 ReleaseCLEAN" : 
+   cd "..\..\..\lib\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - Win32 Release" RECURSE=1 CLEAN 
+   cd "..\..\..\bin\rndc\win32"
+
+!ELSEIF  "$(CFG)" == "rndc - Win32 Debug"
+
+"libisc - Win32 Debug" : 
+   cd "..\..\..\lib\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - Win32 Debug" 
+   cd "..\..\..\bin\rndc\win32"
+
+"libisc - Win32 DebugCLEAN" : 
+   cd "..\..\..\lib\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - Win32 Debug" RECURSE=1 CLEAN 
+   cd "..\..\..\bin\rndc\win32"
+
+!ENDIF 
+
+!IF  "$(CFG)" == "rndc - Win32 Release"
+
+"libisccc - Win32 Release" : 
+   cd "..\..\..\lib\isccc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisccc.mak" CFG="libisccc - Win32 Release" 
+   cd "..\..\..\bin\rndc\win32"
+
+"libisccc - Win32 ReleaseCLEAN" : 
+   cd "..\..\..\lib\isccc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisccc.mak" CFG="libisccc - Win32 Release" RECURSE=1 CLEAN 
+   cd "..\..\..\bin\rndc\win32"
+
+!ELSEIF  "$(CFG)" == "rndc - Win32 Debug"
+
+"libisccc - Win32 Debug" : 
+   cd "..\..\..\lib\isccc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisccc.mak" CFG="libisccc - Win32 Debug" 
+   cd "..\..\..\bin\rndc\win32"
+
+"libisccc - Win32 DebugCLEAN" : 
+   cd "..\..\..\lib\isccc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisccc.mak" CFG="libisccc - Win32 Debug" RECURSE=1 CLEAN 
+   cd "..\..\..\bin\rndc\win32"
+
+!ENDIF 
+
+!IF  "$(CFG)" == "rndc - Win32 Release"
+
+"libisccfg - Win32 Release" : 
+   cd "..\..\..\lib\isccfg\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisccfg.mak" CFG="libisccfg - Win32 Release" 
+   cd "..\..\..\bin\rndc\win32"
+
+"libisccfg - Win32 ReleaseCLEAN" : 
+   cd "..\..\..\lib\isccfg\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisccfg.mak" CFG="libisccfg - Win32 Release" RECURSE=1 CLEAN 
+   cd "..\..\..\bin\rndc\win32"
+
+!ELSEIF  "$(CFG)" == "rndc - Win32 Debug"
+
+"libisccfg - Win32 Debug" : 
+   cd "..\..\..\lib\isccfg\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisccfg.mak" CFG="libisccfg - Win32 Debug" 
+   cd "..\..\..\bin\rndc\win32"
+
+"libisccfg - Win32 DebugCLEAN" : 
+   cd "..\..\..\lib\isccfg\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisccfg.mak" CFG="libisccfg - Win32 Debug" RECURSE=1 CLEAN 
+   cd "..\..\..\bin\rndc\win32"
+
+!ENDIF 
+
+!IF  "$(CFG)" == "rndc - Win32 Release"
+
+"libbind9 - Win32 Release" : 
+   cd "..\..\..\lib\bind9\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libbind9.mak" CFG="libbind9 - Win32 Release" 
+   cd "..\..\..\bin\rndc\win32"
+
+"libbind9 - Win32 ReleaseCLEAN" : 
+   cd "..\..\..\lib\bind9\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libbind9.mak" CFG="libbind9 - Win32 Release" RECURSE=1 CLEAN 
+   cd "..\..\..\bin\rndc\win32"
+
+!ELSEIF  "$(CFG)" == "rndc - Win32 Debug"
+
+"libbind9 - Win32 Debug" : 
+   cd "..\..\..\lib\bind9\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libbind9.mak" CFG="libbind9 - Win32 Debug" 
+   cd "..\..\..\bin\rndc\win32"
+
+"libbind9 - Win32 DebugCLEAN" : 
+   cd "..\..\..\lib\bind9\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libbind9.mak" CFG="libbind9 - Win32 Debug" RECURSE=1 CLEAN 
+   cd "..\..\..\bin\rndc\win32"
+
+!ENDIF 
+
+
+!ENDIF 
+
diff --git a/bin/rndc/win32/rndcutil.dsp b/bin/rndc/win32/rndcutil.dsp
deleted file mode 100644
index 8827e090..00000000
--- a/bin/rndc/win32/rndcutil.dsp
+++ /dev/null
@@ -1,119 +0,0 @@
-# Microsoft Developer Studio Project File - Name="rndcutil" - Package Owner=<4>

-# Microsoft Developer Studio Generated Build File, Format Version 6.00

-# ** DO NOT EDIT **

-

-# TARGTYPE "Win32 (x86) Static-Link Library" 0x0104

-

-CFG=rndcutil - Win32 Debug

-!MESSAGE This is not a valid makefile. To build this project using NMAKE,

-!MESSAGE use the Export Makefile command and run

-!MESSAGE 

-!MESSAGE NMAKE /f "rndcutil.mak".

-!MESSAGE 

-!MESSAGE You can specify a configuration when running NMAKE

-!MESSAGE by defining the macro CFG on the command line. For example:

-!MESSAGE 

-!MESSAGE NMAKE /f "rndcutil.mak" CFG="rndcutil - Win32 Debug"

-!MESSAGE 

-!MESSAGE Possible choices for configuration are:

-!MESSAGE 

-!MESSAGE "rndcutil - Win32 Release" (based on "Win32 (x86) Static-Link Library")

-!MESSAGE "rndcutil - Win32 Debug" (based on "Win32 (x86) Static-Link Library")

-!MESSAGE 

-

-# Begin Project

-# PROP AllowPerConfigDependencies 0

-# PROP Scc_ProjName ""

-# PROP Scc_LocalPath ""

-CPP=cl.exe

-MTL=midl.exe

-RSC=rc.exe

-

-!IF  "$(CFG)" == "rndcutil - Win32 Release"

-

-# PROP BASE Use_MFC 0

-# PROP BASE Use_Debug_Libraries 0

-# PROP BASE Output_Dir "Release"

-# PROP BASE Intermediate_Dir "Release"

-# PROP BASE Target_Dir ""

-# PROP Use_MFC 0

-# PROP Use_Debug_Libraries 0

-# PROP Output_Dir "Release"

-# PROP Intermediate_Dir "Release"

-# PROP Ignore_Export_Lib 0

-# PROP Target_Dir ""

-# ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /YX /FD /c

-# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /YX /FD /c /Fdutil

-# SUBTRACT CPP /X

-# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32

-# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32

-# ADD BASE RSC /l 0x409 /d "NDEBUG"

-# ADD RSC /l 0x409 /d "NDEBUG"

-BSC32=bscmake.exe

-# ADD BASE BSC32 /nologo

-# ADD BSC32 /nologo

-LINK32=link.exe

-# ADD BASE LINK32 

-# ADD LINK32 /out:"Release/util.lib"

-LIB32=lib.exe

-# ADD BASE LIB32

-# ADD LIB32 /out:"Release/util.lib"

-

-!ELSEIF  "$(CFG)" == "rndcutil - Win32 Debug"

-

-# PROP BASE Use_MFC 0

-# PROP BASE Use_Debug_Libraries 1

-# PROP BASE Output_Dir "Debug"

-# PROP BASE Intermediate_Dir "Debug"

-# PROP BASE Target_Dir ""

-# PROP Use_MFC 0

-# PROP Use_Debug_Libraries 1

-# PROP Output_Dir "Debug"

-# PROP Intermediate_Dir "Debug"

-# PROP Ignore_Export_Lib 0

-# PROP Target_Dir ""

-# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /YX /FD /GZ /c

-# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /FR /YX /FD /GZ /c /Fdutil

-# SUBTRACT CPP /X

-# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32

-# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32

-# ADD BASE RSC /l 0x409 /d "_DEBUG"

-# ADD RSC /l 0x409 /d "_DEBUG"

-BSC32=bscmake.exe

-# ADD BASE BSC32 /nologo

-# ADD BSC32 /nologo

-LINK32=link.exe

-# ADD BASE LINK32 

-# ADD LINK32 /debug /out:"Debug/util.lib"

-LIB32=lib.exe

-# ADD BASE LIB32

-# ADD LIB32 /out:"Debug/util.lib"

-

-!ENDIF 

-

-# Begin Target

-

-# Name "rndcutil - Win32 Release"

-# Name "rndcutil - Win32 Debug"

-# Begin Group "Source Files"

-

-# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"

-# End Group

-# Begin Group "Header Files"

-

-# PROP Default_Filter "h;hpp;hxx;hm;inl"

-# End Group

-# Begin Group "Resource Files"

-

-# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"

-# End Group

-# Begin Group "Main Dns Lib"

-

-# PROP Default_Filter "c"

-# Begin Source File

-

-SOURCE=..\util.c

-# End Source File

-# End Group

-# End Target

-# End Project

diff --git a/bin/rndc/win32/rndcutil.dsw b/bin/rndc/win32/rndcutil.dsw
deleted file mode 100644
index c6d981a4..00000000
--- a/bin/rndc/win32/rndcutil.dsw
+++ /dev/null
@@ -1,29 +0,0 @@
-Microsoft Developer Studio Workspace File, Format Version 6.00

-# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!

-

-###############################################################################

-

-Project: "rndcutil"=".\rndcutil.dsp" - Package Owner=<4>

-

-Package=<5>

-{{{

-}}}

-

-Package=<4>

-{{{

-}}}

-

-###############################################################################

-

-Global:

-

-Package=<5>

-{{{

-}}}

-

-Package=<3>

-{{{

-}}}

-

-###############################################################################

-

diff --git a/bin/tests/Makefile.in b/bin/tests/Makefile.in
index 3a8bfab3..8219db44 100644
--- a/bin/tests/Makefile.in
+++ b/bin/tests/Makefile.in
@@ -1,5 +1,5 @@
-# Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2002  Internet Software Consortium.
+# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 1998-2003  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -13,13 +13,13 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.113.2.6 2006/07/21 02:05:55 marka Exp $
+# $Id: Makefile.in,v 1.113.2.1.8.6 2004/03/08 02:07:41 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
 top_srcdir =	@top_srcdir@
 
-@BIND9_INCLUDES@
+@BIND9_MAKE_INCLUDES@
 
 CINCLUDES =	${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \
 		${LWRES_INCLUDES} ${OMAPI_INCLUDES}
@@ -27,7 +27,7 @@ CINCLUDES =	${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \
 CDEFINES =
 CWARNINGS =
 
-DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_OPENSSL_LIBS@ @DNS_GSSAPI_LIBS@
+DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
 ISCLIBS =	../../lib/isc/libisc.@A@
 ISCCFGLIBS = 	../../lib/isccfg/libisccfg.@A@
 LWRESLIBS =	../../lib/lwres/liblwres.@A@
@@ -46,48 +46,48 @@ SUBDIRS = db dst master mem names net rbt sockaddr tasks timers system
 # genrandom is needed by the system tests
 
 # Alphabetically
-TARGETS =	cfg_test \
-		genrandom
+TARGETS =	cfg_test@EXEEXT@ \
+		genrandom@EXEEXT@
 
 # All the other tests are optional and not built by default.
 
 # Alphabetically
-XTARGETS =	adb_test \
-		byaddr_test \
-		byname_test \
-		compress_test \
-		db_test \
-		entropy_test \
-		entropy2_test \
-		gxba_test \
-		gxbn_test \
-		hash_test \
-		fsaccess_test \
-		inter_test \
-		journalprint \
-		keyboard_test \
-		lex_test \
-		lfsr_test \
-		log_test \
-		lwres_test \
-		lwresconf_test \
-		master_test \
-		mempool_test \
-		name_test \
-		nxtify \
-		ratelimiter_test \
-		rbt_test \
-		rdata_test \
-		rwlock_test \
-		serial_test \
-		shutdown_test \
-		sig0_test \
-		sock_test \
-		sym_test \
-		task_test \
-		timer_test \
-		wire_test \
-		zone_test
+XTARGETS =	adb_test@EXEEXT@ \
+		byaddr_test@EXEEXT@ \
+		byname_test@EXEEXT@ \
+		compress_test@EXEEXT@ \
+		db_test@EXEEXT@ \
+		entropy_test@EXEEXT@ \
+		entropy2_test@EXEEXT@ \
+		gxba_test@EXEEXT@ \
+		gxbn_test@EXEEXT@ \
+		hash_test@EXEEXT@ \
+		fsaccess_test@EXEEXT@ \
+		inter_test@EXEEXT@ \
+		journalprint@EXEEXT@ \
+		keyboard_test@EXEEXT@ \
+		lex_test@EXEEXT@ \
+		lfsr_test@EXEEXT@ \
+		log_test@EXEEXT@ \
+		lwres_test@EXEEXT@ \
+		lwresconf_test@EXEEXT@ \
+		master_test@EXEEXT@ \
+		mempool_test@EXEEXT@ \
+		name_test@EXEEXT@ \
+		nsecify@EXEEXT@ \
+		ratelimiter_test@EXEEXT@ \
+		rbt_test@EXEEXT@ \
+		rdata_test@EXEEXT@ \
+		rwlock_test@EXEEXT@ \
+		serial_test@EXEEXT@ \
+		shutdown_test@EXEEXT@ \
+		sig0_test@EXEEXT@ \
+		sock_test@EXEEXT@ \
+		sym_test@EXEEXT@ \
+		task_test@EXEEXT@ \
+		timer_test@EXEEXT@ \
+		wire_test@EXEEXT@ \
+		zone_test@EXEEXT@
 
 # Alphabetically
 SRCS =		adb_test.c \
@@ -112,7 +112,7 @@ SRCS =		adb_test.c \
 		master_test.c \
 		mempool_test.c \
 		name_test.c \
-		nxtify.c \
+		nsecify.c \
 		printmsg.c \
 		ratelimiter_test.c \
 		rbt_test.c \
@@ -132,155 +132,155 @@ SRCS =		adb_test.c \
 
 all_tests: ${XTARGETS}
 
-genrandom: genrandom.@O@
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ genrandom.@O@ ${LIBS}
+genrandom@EXEEXT@: genrandom.@O@
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} -o $@ genrandom.@O@
 
-adb_test: adb_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ adb_test.@O@ \
+adb_test@EXEEXT@: adb_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} -o $@ adb_test.@O@ \
 		${DNSLIBS} ${ISCLIBS} ${LIBS}
 
-nxtify: nxtify.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ nxtify.@O@ \
+nsecify@EXEEXT@: nsecify.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} -o $@ nsecify.@O@ \
 		${DNSLIBS} ${ISCLIBS} ${LIBS}
 
-byaddr_test: byaddr_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ byaddr_test.@O@ \
+byaddr_test@EXEEXT@: byaddr_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} -o $@ byaddr_test.@O@ \
 		${DNSLIBS} ${ISCLIBS} ${LIBS}
 
-byname_test: byname_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ byname_test.@O@ \
+byname_test@EXEEXT@: byname_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} -o $@ byname_test.@O@ \
 		${DNSLIBS} ${ISCLIBS} ${LIBS}
 
-lex_test: lex_test.@O@ ${ISCDEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ lex_test.@O@ \
+lex_test@EXEEXT@: lex_test.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} -o $@ lex_test.@O@ \
 		${ISCLIBS} ${LIBS}
 
-lfsr_test: lfsr_test.@O@ ${ISCDEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ lfsr_test.@O@ \
+lfsr_test@EXEEXT@: lfsr_test.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} -o $@ lfsr_test.@O@ \
 		${ISCLIBS} ${LIBS}
 
-log_test: log_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ log_test.@O@ \
+log_test@EXEEXT@: log_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} -o $@ log_test.@O@ \
 		${DNSLIBS} ${ISCLIBS} ${LIBS}
 
-name_test: name_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ name_test.@O@ \
+name_test@EXEEXT@: name_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} -o $@ name_test.@O@ \
 		${DNSLIBS} ${ISCLIBS} ${LIBS}
 
-hash_test: hash_test.@O@ ${ISCDEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ hash_test.@O@ \
+hash_test@EXEEXT@: hash_test.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} -o $@ hash_test.@O@ \
 		${ISCLIBS} ${LIBS}
 
-entropy_test: entropy_test.@O@ ${ISCDEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ entropy_test.@O@ \
+entropy_test@EXEEXT@: entropy_test.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} -o $@ entropy_test.@O@ \
 		${ISCLIBS} ${LIBS}
 
-entropy2_test: entropy2_test.@O@ ${ISCDEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ entropy2_test.@O@ \
+entropy2_test@EXEEXT@: entropy2_test.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} -o $@ entropy2_test.@O@ \
 		${ISCLIBS} ${LIBS}
 
-sock_test: sock_test.@O@ ${ISCDEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ sock_test.@O@ \
+sock_test@EXEEXT@: sock_test.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} -o $@ sock_test.@O@ \
 		${ISCLIBS} ${LIBS}
 
-sym_test: sym_test.@O@ ${ISCDEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ sym_test.@O@ \
+sym_test@EXEEXT@: sym_test.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} -o $@ sym_test.@O@ \
 		${ISCLIBS} ${LIBS}
 
-task_test: task_test.@O@ ${ISCDEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ task_test.@O@ \
+task_test@EXEEXT@: task_test.@O@ ${ISCDEPLIBS}
+	${PURIFY} ${CC} ${CFLAGS} -o $@ task_test.@O@ \
 		${ISCLIBS} ${LIBS}
 
-shutdown_test: shutdown_test.@O@ ${ISCDEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ shutdown_test.@O@ \
+shutdown_test@EXEEXT@: shutdown_test.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} -o $@ shutdown_test.@O@ \
 		${ISCLIBS} ${LIBS}
 
-timer_test: timer_test.@O@ ${ISCDEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ timer_test.@O@ \
+timer_test@EXEEXT@: timer_test.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} -o $@ timer_test.@O@ \
 		${ISCLIBS} ${LIBS}
 
-ratelimiter_test: ratelimiter_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ ratelimiter_test.@O@ \
+ratelimiter_test@EXEEXT@: ratelimiter_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} -o $@ ratelimiter_test.@O@ \
 		${DNSLIBS} ${ISCLIBS} ${LIBS}
 
-rbt_test: rbt_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ rbt_test.@O@ \
+rbt_test@EXEEXT@: rbt_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} -o $@ rbt_test.@O@ \
 		${DNSLIBS} ${ISCLIBS} ${LIBS}
 
-rdata_test: rdata_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ rdata_test.@O@ \
+rdata_test@EXEEXT@: rdata_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} -o $@ rdata_test.@O@ \
 		${DNSLIBS} ${ISCLIBS} ${LIBS}
 
-rwlock_test: rwlock_test.@O@ ${ISCDEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ rwlock_test.@O@ \
+rwlock_test@EXEEXT@: rwlock_test.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} -o $@ rwlock_test.@O@ \
 		${ISCLIBS} ${LIBS}
 
-wire_test: wire_test.@O@ printmsg.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ wire_test.@O@ printmsg.@O@ \
+wire_test@EXEEXT@: wire_test.@O@ printmsg.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} -o $@ wire_test.@O@ printmsg.@O@ \
 		${DNSLIBS} ${ISCLIBS} ${LIBS}
 
-master_test: master_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ master_test.@O@ \
+master_test@EXEEXT@: master_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} -o $@ master_test.@O@ \
 		${DNSLIBS} ${ISCLIBS} ${LIBS}
 
-db_test: db_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ db_test.@O@ \
+db_test@EXEEXT@: db_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} -o $@ db_test.@O@ \
 		${DNSLIBS} ${ISCLIBS} ${LIBS}
 
-compress_test: compress_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ compress_test.@O@ \
+compress_test@EXEEXT@: compress_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} -o $@ compress_test.@O@ \
 		${DNSLIBS} ${ISCLIBS} ${LIBS}
 
-mempool_test: mempool_test.@O@ ${ISCDEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ mempool_test.@O@ \
+mempool_test@EXEEXT@: mempool_test.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} -o $@ mempool_test.@O@ \
 		${ISCLIBS} ${LIBS}
 
-serial_test: serial_test.@O@ ${ISCDEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ serial_test.@O@ \
+serial_test@EXEEXT@: serial_test.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} -o $@ serial_test.@O@ \
 		${ISCLIBS} ${LIBS}
 
-zone_test: zone_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ zone_test.@O@ \
+zone_test@EXEEXT@: zone_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} -o $@ zone_test.@O@ \
 		${DNSLIBS} ${ISCLIBS} ${LIBS}
 
-fsaccess_test: fsaccess_test.@O@ ${ISCDEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ fsaccess_test.@O@ \
+fsaccess_test@EXEEXT@: fsaccess_test.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} -o $@ fsaccess_test.@O@ \
 		${ISCLIBS} ${LIBS}
 
-inter_test: inter_test.@O@ ${ISCDEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ inter_test.@O@ \
+inter_test@EXEEXT@: inter_test.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} -o $@ inter_test.@O@ \
 		${ISCLIBS} ${LIBS}
 
-keyboard_test: keyboard_test.@O@ ${ISCDEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ keyboard_test.@O@ \
+keyboard_test@EXEEXT@: keyboard_test.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} -o $@ keyboard_test.@O@ \
 		${ISCLIBS} ${LIBS}
 
-lwresconf_test: lwresconf_test.@O@ ${ISCDEPLIBS} ${LWRESDEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ lwresconf_test.@O@ \
+lwresconf_test@EXEEXT@: lwresconf_test.@O@ ${ISCDEPLIBS} ${LWRESDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} -o $@ lwresconf_test.@O@ \
 		${LWRESLIBS} ${ISCLIBS} ${LIBS}
 
-lwres_test: lwres_test.@O@ ${ISCDEPLIBS} ${LWRESDEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ lwres_test.@O@ \
+lwres_test@EXEEXT@: lwres_test.@O@ ${ISCDEPLIBS} ${LWRESDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} -o $@ lwres_test.@O@ \
 		${LWRESLIBS} ${ISCLIBS} ${LIBS}
 
-gxbn_test: gxbn_test.@O@ ${LWRESDEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ gxbn_test.@O@ \
+gxbn_test@EXEEXT@: gxbn_test.@O@ ${LWRESDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} -o $@ gxbn_test.@O@ \
 		${LWRESLIBS} ${ISCLIBS} ${LIBS}
 
-gxba_test: gxba_test.@O@ ${LWRESDEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ gxba_test.@O@ \
+gxba_test@EXEEXT@: gxba_test.@O@ ${LWRESDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} -o $@ gxba_test.@O@ \
 		${LWRESLIBS} ${ISCLIBS} ${LIBS}
 
-sig0_test: sig0_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ sig0_test.@O@ \
+sig0_test@EXEEXT@: sig0_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} -o $@ sig0_test.@O@ \
 		${DNSLIBS} ${ISCLIBS} ${LIBS}
 
-journalprint: journalprint.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ journalprint.@O@ \
+journalprint@EXEEXT@: journalprint.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} -o $@ journalprint.@O@ \
 		${DNSLIBS} ${ISCLIBS} ${LIBS}
 
-cfg_test: cfg_test.@O@ ${ISCCFGDEPLIBS} ${DNSDEPLIBS} ${ISCDEPLIBS}
-	${LIBTOOL_MODE_LINK} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ cfg_test.@O@ \
+cfg_test@EXEEXT@: cfg_test.@O@ ${ISCCFGDEPLIBS} ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${CC} ${CFLAGS} -o $@ cfg_test.@O@ \
 		${ISCCFGLIBS} ${DNSLIBS} ${ISCLIBS} ${LIBS}
 
 distclean::
@@ -290,6 +290,8 @@ clean distclean::
 	rm -f ${TARGETS} ${XTARGETS}
 	rm -f t_journal
 
+check: test
+
 test:
 	@for dir in $(SUBDIRS) ;\
 	do \
diff --git a/bin/tests/adb_test.c b/bin/tests/adb_test.c
index ade5090d..f7c0851e 100644
--- a/bin/tests/adb_test.c
+++ b/bin/tests/adb_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: adb_test.c,v 1.62.2.3 2005/06/26 23:12:56 marka Exp $ */
+/* $Id: adb_test.c,v 1.62.206.1 2004/03/06 10:21:34 marka Exp $ */
 
 #include <config.h>
 
@@ -25,11 +25,9 @@
 
 #include <isc/app.h>
 #include <isc/buffer.h>
-#include <isc/entropy.h>
-#include <isc/hash.h>
-#include <isc/socket.h>
 #include <isc/task.h>
 #include <isc/timer.h>
+#include <isc/socket.h>
 #include <isc/util.h>
 
 #include <dns/adb.h>
@@ -48,22 +46,21 @@ struct client {
 	dns_adbfind_t	       *find;
 };
 
-static isc_mem_t *mctx = NULL;
-static isc_entropy_t *ectx = NULL;
-static isc_mempool_t *cmp;
-static isc_log_t *lctx;
-static isc_logconfig_t *lcfg;
-static isc_taskmgr_t *taskmgr;
-static isc_socketmgr_t *socketmgr;
-static isc_timermgr_t *timermgr;
-static dns_dispatchmgr_t *dispatchmgr;
-static isc_task_t *t1, *t2;
-static dns_view_t *view;
-static dns_db_t *rootdb;
-static ISC_LIST(client_t) clients;
-static isc_mutex_t client_lock;
-static isc_stdtime_t now;
-static dns_adb_t *adb;
+isc_mem_t *mctx;
+isc_mempool_t *cmp;
+isc_log_t *lctx;
+isc_logconfig_t *lcfg;
+isc_taskmgr_t *taskmgr;
+isc_socketmgr_t *socketmgr;
+isc_timermgr_t *timermgr;
+dns_dispatchmgr_t *dispatchmgr;
+isc_task_t *t1, *t2;
+dns_view_t *view;
+dns_db_t *rootdb;
+ISC_LIST(client_t) clients;
+isc_mutex_t client_lock;
+isc_stdtime_t now;
+dns_adb_t *adb;
 
 static void
 check_result(isc_result_t result, const char *format, ...)
@@ -302,6 +299,7 @@ main(int argc, char **argv) {
 	/*
 	 * EVERYTHING needs a memory context.
 	 */
+	mctx = NULL;
 	RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
 
 	cmp = NULL;
@@ -309,11 +307,6 @@ main(int argc, char **argv) {
 		      == ISC_R_SUCCESS);
 	isc_mempool_setname(cmp, "adb test clients");
 
-	result = isc_entropy_create(mctx, &ectx);
-	check_result(result, "isc_entropy_create()");
-	result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
-	check_result(result, "isc_hash_create()");
-
 	result = isc_log_create(mctx, &lctx, &lcfg);
 	check_result(result, "isc_log_create()");
 	isc_log_setcontext(lctx);
@@ -421,9 +414,6 @@ main(int argc, char **argv) {
 
 	isc_log_destroy(&lctx);
 
-	isc_hash_destroy();
-	isc_entropy_detach(&ectx);
-
 	isc_mempool_destroy(&cmp);
 	isc_mem_stats(mctx, stdout);
 	isc_mem_destroy(&mctx);
diff --git a/bin/tests/b8t.mk b/bin/tests/b8t.mk
index 3ee0b2e3..f18e2e8c 100644
--- a/bin/tests/b8t.mk
+++ b/bin/tests/b8t.mk
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: b8t.mk,v 1.8.2.1 2004/03/09 06:09:29 marka Exp $
+# $Id: b8t.mk,v 1.8.206.1 2004/03/06 10:21:34 marka Exp $
 
 #
 # bind 8 multi-host make
diff --git a/bin/tests/b9t.mk b/bin/tests/b9t.mk
index e65f672f..ad8157aa 100644
--- a/bin/tests/b9t.mk
+++ b/bin/tests/b9t.mk
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: b9t.mk,v 1.10.2.1 2004/03/09 06:09:29 marka Exp $
+# $Id: b9t.mk,v 1.10.206.1 2004/03/06 10:21:34 marka Exp $
 
 #
 # makefile to configure, build and test bind9
diff --git a/bin/tests/byaddr_test.c b/bin/tests/byaddr_test.c
index 2eb9b092..e49efe4d 100644
--- a/bin/tests/byaddr_test.c
+++ b/bin/tests/byaddr_test.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) 2000-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: byaddr_test.c,v 1.22.2.1 2004/03/09 06:09:30 marka Exp $ */
+/* $Id: byaddr_test.c,v 1.22.22.3 2004/03/08 04:04:24 marka Exp $ */
 
 /*
  * Principal Author: Bob Halley
@@ -101,7 +101,9 @@ main(int argc, char *argv[]) {
 	while ((ch = isc_commandline_parse(argc, argv, "nvw:")) != -1) {
 		switch (ch) {
 		case 'n':
-			options |= DNS_BYADDROPT_IPV6NIBBLE;
+			/*
+			 * We only try nibbles, so do nothing for this option.
+			 */
 			break;
 		case 'v':
 			verbose = ISC_TRUE;
diff --git a/bin/tests/byname_test.c b/bin/tests/byname_test.c
index 08e96c07..f6071e82 100644
--- a/bin/tests/byname_test.c
+++ b/bin/tests/byname_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: byname_test.c,v 1.25.2.3 2005/06/26 23:12:56 marka Exp $ */
+/* $Id: byname_test.c,v 1.25.206.1 2004/03/06 10:21:35 marka Exp $ */
 
 /*
  * Principal Author: Bob Halley
@@ -28,8 +28,6 @@
 
 #include <isc/app.h>
 #include <isc/commandline.h>
-#include <isc/entropy.h>
-#include <isc/hash.h>
 #include <isc/netaddr.h>
 #include <isc/task.h>
 #include <isc/timer.h>
@@ -45,7 +43,6 @@
 #include <dns/result.h>
 
 static isc_mem_t *mctx = NULL;
-static isc_entropy_t *ectx = NULL;
 static isc_taskmgr_t *taskmgr;
 static dns_view_t *view = NULL;
 static dns_adbfind_t *find = NULL;
@@ -214,10 +211,6 @@ main(int argc, char *argv[]) {
 	mctx = NULL;
 	RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
 
-	RUNTIME_CHECK(isc_entropy_create(mctx, &ectx) == ISC_R_SUCCESS);
-	RUNTIME_CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)
-		      == ISC_R_SUCCESS);
-
 	while ((ch = isc_commandline_parse(argc, argv, "d:vw:")) != -1) {
 		switch (ch) {
 		case 'd':
@@ -362,9 +355,6 @@ main(int argc, char *argv[]) {
 
 	isc_log_destroy(&lctx);
 
-	isc_hash_destroy();
-	isc_entropy_detach(&ectx);
-
 	if (verbose)
 		isc_mem_stats(mctx, stdout);
 	isc_mem_destroy(&mctx);
diff --git a/bin/tests/cfg_test.c b/bin/tests/cfg_test.c
index 1bb8d3bf..a4bb5d3b 100644
--- a/bin/tests/cfg_test.c
+++ b/bin/tests/cfg_test.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001  Internet Software Consortium.
+ * Copyright (C) 2001, 2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: cfg_test.c,v 1.11.2.2 2004/03/09 06:09:30 marka Exp $ */
+/* $Id: cfg_test.c,v 1.11.2.1.10.3 2004/03/08 04:04:24 marka Exp $ */
 
 #include <config.h>
 
@@ -26,7 +26,7 @@
 #include <isc/string.h>
 #include <isc/util.h>
 
-#include <isccfg/cfg.h>
+#include <isccfg/namedconf.h>
 
 #include <dns/log.h>
 
diff --git a/bin/tests/compress_test.c b/bin/tests/compress_test.c
index 5448f1d9..41df7ad0 100644
--- a/bin/tests/compress_test.c
+++ b/bin/tests/compress_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: compress_test.c,v 1.24.2.3 2006/02/26 23:49:47 marka Exp $ */
+/* $Id: compress_test.c,v 1.24.12.4 2004/03/08 04:04:25 marka Exp $ */
 
 #include <config.h>
 
@@ -72,42 +72,42 @@ main(int argc, char *argv[]) {
 
 	dns_name_init(&name1, NULL);
 	region.base = plain1;
-	region.length = sizeof plain1;
+	region.length = sizeof(plain1);
 	dns_name_fromregion(&name1, &region);
 
 	dns_name_init(&name2, NULL);
 	region.base = plain2;
-	region.length = sizeof plain2;
+	region.length = sizeof(plain2);
 	dns_name_fromregion(&name2, &region);
 
 	dns_name_init(&name3, NULL);
 	region.base = plain3;
-	region.length = sizeof plain3;
+	region.length = sizeof(plain3);
 	dns_name_fromregion(&name3, &region);
 
-	test(DNS_COMPRESS_NONE, &name1, &name2, &name3, plain, sizeof plain);
+	test(DNS_COMPRESS_NONE, &name1, &name2, &name3, plain, sizeof(plain));
 	test(DNS_COMPRESS_GLOBAL14, &name1, &name2, &name3, plain,
-	     sizeof plain);
-	test(DNS_COMPRESS_ALL, &name1, &name2, &name3, plain, sizeof plain);
+	     sizeof(plain));
+	test(DNS_COMPRESS_ALL, &name1, &name2, &name3, plain, sizeof(plain));
 
 	dns_name_init(&name1, NULL);
 	region.base = bit1;
-	region.length = sizeof bit1;
+	region.length = sizeof(bit1);
 	dns_name_fromregion(&name1, &region);
 
 	dns_name_init(&name2, NULL);
 	region.base = bit2;
-	region.length = sizeof bit2;
+	region.length = sizeof(bit2);
 	dns_name_fromregion(&name2, &region);
 
 	dns_name_init(&name3, NULL);
 	region.base = bit3;
-	region.length = sizeof bit3;
+	region.length = sizeof(bit3);
 	dns_name_fromregion(&name3, &region);
 
-	test(DNS_COMPRESS_NONE, &name1, &name2, &name3, bit, sizeof bit);
-	test(DNS_COMPRESS_GLOBAL14, &name1, &name2, &name3, bit, sizeof bit);
-	test(DNS_COMPRESS_ALL, &name1, &name2, &name3, bit, sizeof bit);
+	test(DNS_COMPRESS_NONE, &name1, &name2, &name3, bit, sizeof(bit));
+	test(DNS_COMPRESS_GLOBAL14, &name1, &name2, &name3, bit, sizeof(bit));
+	test(DNS_COMPRESS_ALL, &name1, &name2, &name3, bit, sizeof(bit));
 
 	return (0);
 }
@@ -131,7 +131,7 @@ test(unsigned int allowed, dns_name_t *name1, dns_name_t *name2,
 		case DNS_COMPRESS_NONE: s = "DNS_COMPRESS_NONE"; break;
 		case DNS_COMPRESS_GLOBAL14: s = "DNS_COMPRESS_GLOBAL14"; break;
 		/* case DNS_COMPRESS_ALL: s = "DNS_COMPRESS_ALL"; break; */
-		default: s = "UNKNOWN"; break;
+		default: s = "UNKOWN"; break;
 		}
 		fprintf(stdout, "Allowed = %s\n", s);
 	}
@@ -158,7 +158,7 @@ test(unsigned int allowed, dns_name_t *name1, dns_name_t *name2,
 
 	if (raw) {
 		unsigned int i;
-		for (i = 0 ; i < source.used ; /* */ ) {
+		for (i = 0; i < source.used; /* */ ) {
 			fprintf(stdout, "%02x",
 				((unsigned char *)source.base)[i]);
 			if ((++i % 20) == 0)
@@ -195,7 +195,7 @@ test(unsigned int allowed, dns_name_t *name1, dns_name_t *name2,
 
 	if (raw) {
 		unsigned int i;
-		for (i = 0 ; i < target.used ; /* */ ) {
+		for (i = 0; i < target.used; /* */ ) {
 			fprintf(stdout, "%02x",
 				((unsigned char *)target.base)[i]);
 			if ((++i % 20) == 0)
diff --git a/bin/tests/db/Makefile.in b/bin/tests/db/Makefile.in
index 62d6b5c0..1571d08e 100644
--- a/bin/tests/db/Makefile.in
+++ b/bin/tests/db/Makefile.in
@@ -1,5 +1,5 @@
 # Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1999-2001  Internet Software Consortium.
+# Copyright (C) 1999-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -13,20 +13,20 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.21.2.3 2004/07/20 07:00:12 marka Exp $
+# $Id: Makefile.in,v 1.21.12.6 2004/03/08 04:04:28 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
 top_srcdir =	@top_srcdir@
 
-@BIND9_INCLUDES@
+@BIND9_MAKE_INCLUDES@
 
 CINCLUDES =	${TEST_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES}
 
 CDEFINES =
 CWARNINGS =
 
-DNSLIBS =	../../../lib/dns/libdns.@A@ @DNS_OPENSSL_LIBS@ @DNS_GSSAPI_LIBS@
+DNSLIBS =	../../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
 ISCLIBS =	../../../lib/isc/libisc.@A@
 
 DNSDEPLIBS =	../../../lib/dns/libdns.@A@
@@ -40,15 +40,15 @@ TLIB =		../../../lib/tests/libt_api.@A@
 
 SRCS =		t_db.c
 
-TARGETS =	t_db
+TARGETS =	t_db@EXEEXT@
 
 @BIND9_MAKE_RULES@
 
-t_db: t_db.@O@ ${DEPLIBS} ${TLIB}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ t_db.@O@ ${TLIB} ${LIBS}
+t_db@EXEEXT@: t_db.@O@ ${DEPLIBS} ${TLIB}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} -o $@ t_db.@O@ ${TLIB} ${LIBS}
 
-test: t_db
-	-@./t_db -c @top_srcdir@/t_config -b @srcdir@ -a
+test: t_db@EXEEXT@
+	-@./t_db@EXEEXT@ -c @top_srcdir@/t_config -b @srcdir@ -a
 
 testhelp:
 	@./t_db -h
diff --git a/bin/tests/db/t_db.c b/bin/tests/db/t_db.c
index 6ba05aaf..0cbfcfea 100644
--- a/bin/tests/db/t_db.c
+++ b/bin/tests/db/t_db.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,15 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: t_db.c,v 1.29.2.5 2006/01/04 23:50:16 marka Exp $ */
+/* $Id: t_db.c,v 1.29.206.2 2004/03/08 21:06:23 marka Exp $ */
 
 #include <config.h>
 
 #include <ctype.h>
 #include <stdlib.h>
 
-#include <isc/entropy.h>
-#include <isc/hash.h>
 #include <isc/mem.h>
 #include <isc/string.h>
 #include <isc/util.h>
@@ -106,7 +104,6 @@ t_dns_db_load(char **av) {
 	isc_result_t		dns_result;
 	isc_result_t		isc_result;
 	isc_mem_t		*mctx;
-	isc_entropy_t		*ectx;
 	dns_dbnode_t		*nodep;
 	isc_textregion_t	textregion;
 	isc_buffer_t		findname_buffer;
@@ -121,7 +118,6 @@ t_dns_db_load(char **av) {
 	result = T_UNRESOLVED;
 	db = NULL;
 	mctx = NULL;
-	ectx = NULL;
 	filename = T_ARG(0);
 	db_type = T_ARG(1);
 	origin = T_ARG(2);
@@ -144,27 +140,8 @@ t_dns_db_load(char **av) {
 		return(T_UNRESOLVED);
 	}
 
-	isc_result = isc_entropy_create(mctx, &ectx);
-	if (isc_result != ISC_R_SUCCESS) {
-		t_info("isc_entropy_create failed %s\n",
-				isc_result_totext(isc_result));
-		isc_mem_destroy(&mctx);
-		return(T_UNRESOLVED);
-	}
-
-	isc_result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
-	if (isc_result != ISC_R_SUCCESS) {
-		t_info("isc_hash_create failed %s\n",
-				isc_result_totext(isc_result));
-		isc_entropy_detach(&ectx);
-		isc_mem_destroy(&mctx);
-		return(T_UNRESOLVED);
-	}
-
 	dns_result = t_create(db_type, origin, class, model, mctx, &db);
 	if (dns_result != ISC_R_SUCCESS) {
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -175,8 +152,6 @@ t_dns_db_load(char **av) {
 				dns_result_totext(dns_result),
 				dns_result_totext(exp_load_result));
 		dns_db_detach(&db);
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_FAIL);
 	}
@@ -195,8 +170,6 @@ t_dns_db_load(char **av) {
 		t_info("dns_name_fromtext failed %s\n",
 			dns_result_totext(dns_result));
 		dns_db_detach(&db);
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -209,8 +182,6 @@ t_dns_db_load(char **av) {
 				find_type,
 				dns_result_totext(dns_result));
 		dns_db_detach(&db);
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -251,8 +222,6 @@ t_dns_db_load(char **av) {
 		dns_db_closeversion(db, &versionp, ISC_FALSE);
  cleanup_db:
 	dns_db_detach(&db);
-	isc_hash_destroy();
-	isc_entropy_detach(&ectx);
 	isc_mem_destroy(&mctx);
 	return(result);
 }
@@ -286,7 +255,6 @@ t_dns_db_zc_x(char *filename, char *db_type, char *origin, char *class,
 	isc_result_t		dns_result;
 	isc_result_t		isc_result;
 	isc_mem_t		*mctx;
-	isc_entropy_t		*ectx;
 	dns_rdataclass_t	rdataclass;
 	isc_textregion_t	textregion;
 	isc_buffer_t		origin_buffer;
@@ -296,7 +264,6 @@ t_dns_db_zc_x(char *filename, char *db_type, char *origin, char *class,
 
 	db = NULL;
 	mctx = NULL;
-	ectx = NULL;
 
 	t_info("testing using file %s\n", filename);
 
@@ -328,31 +295,12 @@ t_dns_db_zc_x(char *filename, char *db_type, char *origin, char *class,
 		return(T_UNRESOLVED);
 	}
 
-	isc_result = isc_entropy_create(mctx, &ectx);
-	if (isc_result != ISC_R_SUCCESS) {
-		t_info("isc_entropy_create failed %s\n",
-				isc_result_totext(isc_result));
-		isc_mem_destroy(&mctx);
-		return(T_UNRESOLVED);
-	}
-
-	isc_result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
-	if (isc_result != ISC_R_SUCCESS) {
-		t_info("isc_hash_create failed %s\n",
-				isc_result_totext(isc_result));
-		isc_entropy_detach(&ectx);
-		isc_mem_destroy(&mctx);
-		return(T_UNRESOLVED);
-	}
-
 	dns_result = dns_db_create(mctx, db_type,
 				   dns_fixedname_name(&dns_origin),
 				   dbtype, rdataclass, 0, NULL, &db);
 	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_db_create failed %s\n",
 		       dns_result_totext(dns_result));
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -370,8 +318,6 @@ t_dns_db_zc_x(char *filename, char *db_type, char *origin, char *class,
 	}
 
 	dns_db_detach(&db);
-	isc_hash_destroy();
-	isc_entropy_detach(&ectx);
 	isc_mem_destroy(&mctx);
 	return(result);
 }
@@ -403,10 +349,8 @@ test_dns_db_zc_x(const char *filename, dns_dbtype_t dbtype,
 			/*
 			 * Skip comment lines.
 			 */
-			if ((isspace((unsigned char)*p)) || (*p == '#')) {
-				(void)free(p);
+			if ((isspace((unsigned char)*p)) || (*p == '#'))
 				continue;
-			}
 
 			cnt = t_bustline(p, tokens);
 			if (cnt == 4) {
@@ -516,7 +460,6 @@ t_dns_db_origin(char **av) {
 	isc_result_t		dns_result;
 	isc_result_t		isc_result;
 	isc_mem_t		*mctx;
-	isc_entropy_t		*ectx;
 	dns_db_t		*db;
 	dns_fixedname_t		dns_origin;
 	dns_fixedname_t		dns_dborigin;
@@ -524,7 +467,7 @@ t_dns_db_origin(char **av) {
 
 	db = NULL;
 	mctx = NULL;
-	ectx = NULL;
+
 
 	filename = T_ARG(0);
 	origin = T_ARG(1);
@@ -539,29 +482,10 @@ t_dns_db_origin(char **av) {
 		return(T_UNRESOLVED);
 	}
 
-	isc_result = isc_entropy_create(mctx, &ectx);
-	if (isc_result != ISC_R_SUCCESS) {
-		t_info("isc_entropy_create failed %s\n",
-				isc_result_totext(isc_result));
-		isc_mem_destroy(&mctx);
-		return(T_UNRESOLVED);
-	}
-
-	isc_result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
-	if (isc_result != ISC_R_SUCCESS) {
-		t_info("isc_hash_create failed %s\n",
-				isc_result_totext(isc_result));
-		isc_entropy_detach(&ectx);
-		isc_mem_destroy(&mctx);
-		return(T_UNRESOLVED);
-	}
-
 	dns_result = t_create("rbt", origin, "in", "isc_true", mctx, &db);
 	if (dns_result != ISC_R_SUCCESS) {
 		t_info("t_create failed %s\n",
 			dns_result_totext(dns_result));
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -577,8 +501,6 @@ t_dns_db_origin(char **av) {
 		t_info("dns_db_load failed %s\n",
 				dns_result_totext(dns_result));
 		dns_db_detach(&db);
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -589,8 +511,6 @@ t_dns_db_origin(char **av) {
 		t_info("dns_name_fromtext failed %s\n",
 				dns_result_totext(dns_result));
 		dns_db_detach(&db);
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -604,8 +524,6 @@ t_dns_db_origin(char **av) {
 	}
 
 	dns_db_detach(&db);
-	isc_hash_destroy();
-	isc_entropy_detach(&ectx);
 	isc_mem_destroy(&mctx);
 	return(result);
 
@@ -640,7 +558,6 @@ t_dns_db_class(char **av) {
 	isc_result_t		dns_result;
 	isc_result_t		isc_result;
 	isc_mem_t		*mctx;
-	isc_entropy_t		*ectx;
 	dns_db_t		*db;
 	dns_rdataclass_t	rdataclass;
 	dns_rdataclass_t	db_rdataclass;
@@ -650,7 +567,7 @@ t_dns_db_class(char **av) {
 	class = T_ARG(1);
 	db = NULL;
 	mctx = NULL;
-	ectx = NULL;
+
 
 	t_info("testing with database %s and class %s\n",
 			filename, class);
@@ -671,29 +588,10 @@ t_dns_db_class(char **av) {
 		return(T_UNRESOLVED);
 	}
 
-	isc_result = isc_entropy_create(mctx, &ectx);
-	if (isc_result != ISC_R_SUCCESS) {
-		t_info("isc_entropy_create failed %s\n",
-				isc_result_totext(isc_result));
-		isc_mem_destroy(&mctx);
-		return(T_UNRESOLVED);
-	}
-
-	isc_result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
-	if (isc_result != ISC_R_SUCCESS) {
-		t_info("isc_hash_create failed %s\n",
-				isc_result_totext(isc_result));
-		isc_entropy_detach(&ectx);
-		isc_mem_destroy(&mctx);
-		return(T_UNRESOLVED);
-	}
-
 	dns_result = t_create("rbt", ".", class, "isc_true", mctx, &db);
 	if (dns_result != ISC_R_SUCCESS) {
 		t_info("t_create failed %s\n",
 			dns_result_totext(dns_result));
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -703,8 +601,6 @@ t_dns_db_class(char **av) {
 		t_info("dns_db_load failed %s\n",
 				dns_result_totext(dns_result));
 		dns_db_detach(&db);
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -722,8 +618,6 @@ t_dns_db_class(char **av) {
 	}
 
 	dns_db_detach(&db);
-	isc_hash_destroy();
-	isc_entropy_detach(&ectx);
 	isc_mem_destroy(&mctx);
 	return(result);
 
@@ -758,7 +652,6 @@ t_dns_db_currentversion(char **av) {
 	isc_result_t		dns_result;
 	isc_result_t		isc_result;
 	isc_mem_t		*mctx;
-	isc_entropy_t		*ectx;
 	dns_dbnode_t		*nodep;
 	isc_textregion_t	textregion;
 	isc_buffer_t		findname_buffer;
@@ -780,7 +673,6 @@ t_dns_db_currentversion(char **av) {
 	findtype = T_ARG(6);
 	db = NULL;
 	mctx = NULL;
-	ectx = NULL;
 
 	t_info("testing using file %s and name %s\n", filename, findname);
 
@@ -791,27 +683,8 @@ t_dns_db_currentversion(char **av) {
 		return(T_UNRESOLVED);
 	}
 
-	isc_result = isc_entropy_create(mctx, &ectx);
-	if (isc_result != ISC_R_SUCCESS) {
-		t_info("isc_entropy_create failed %s\n",
-				isc_result_totext(isc_result));
-		isc_mem_destroy(&mctx);
-		return(T_UNRESOLVED);
-	}
-
-	isc_result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
-	if (isc_result != ISC_R_SUCCESS) {
-		t_info("isc_hash_create failed %s\n",
-				isc_result_totext(isc_result));
-		isc_entropy_detach(&ectx);
-		isc_mem_destroy(&mctx);
-		return(T_UNRESOLVED);
-	}
-
 	dns_result = t_create(db_type, origin, class, model, mctx, &db);
 	if (dns_result != ISC_R_SUCCESS) {
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -821,8 +694,6 @@ t_dns_db_currentversion(char **av) {
 		t_info("dns_db_load returned %s\n",
 				dns_result_totext(dns_result));
 		dns_db_detach(&db);
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -837,8 +708,6 @@ t_dns_db_currentversion(char **av) {
 		t_info("dns_name_fromtext failed %s\n",
 			dns_result_totext(dns_result));
 		dns_db_detach(&db);
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -851,8 +720,6 @@ t_dns_db_currentversion(char **av) {
 				findtype,
 				dns_result_totext(dns_result));
 		dns_db_detach(&db);
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -881,8 +748,6 @@ t_dns_db_currentversion(char **av) {
 		t_info("unable to find %s using current version\n", findname);
 		dns_db_closeversion(db, &cversionp, ISC_FALSE);
 		dns_db_detach(&db);
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -905,8 +770,6 @@ t_dns_db_currentversion(char **av) {
 		dns_rdataset_disassociate(&rdataset);
 		dns_db_closeversion(db, &cversionp, ISC_FALSE);
 		dns_db_detach(&db);
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -923,8 +786,6 @@ t_dns_db_currentversion(char **av) {
 		dns_db_closeversion(db, &nversionp, ISC_FALSE);
 		dns_db_closeversion(db, &cversionp, ISC_FALSE);
 		dns_db_detach(&db);
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -955,8 +816,6 @@ t_dns_db_currentversion(char **av) {
 		dns_db_closeversion(db, &cversionp, ISC_FALSE);
 		dns_db_closeversion(db, &nversionp, ISC_FALSE);
 		dns_db_detach(&db);
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_FAIL);
 	}
@@ -983,8 +842,6 @@ t_dns_db_currentversion(char **av) {
 		t_info("cound not find %s using current version\n", findname);
 		dns_db_closeversion(db, &cversionp, ISC_FALSE);
 		dns_db_detach(&db);
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		result = T_FAIL;
 	}
@@ -994,8 +851,6 @@ t_dns_db_currentversion(char **av) {
 
 	dns_db_closeversion(db, &cversionp, ISC_FALSE);
 	dns_db_detach(&db);
-	isc_hash_destroy();
-	isc_entropy_detach(&ectx);
 	isc_mem_destroy(&mctx);
 
 	return(result);
@@ -1033,7 +888,6 @@ t_dns_db_newversion(char **av) {
 	isc_result_t		dns_result;
 	isc_result_t		isc_result;
 	isc_mem_t		*mctx;
-	isc_entropy_t		*ectx;
 	dns_dbnode_t		*nodep;
 	dns_dbnode_t		*found_nodep;
 	isc_textregion_t	textregion;
@@ -1061,7 +915,6 @@ t_dns_db_newversion(char **av) {
 	newtype = T_ARG(6);
 	db = NULL;
 	mctx = NULL;
-	ectx = NULL;
 
 	/*
 	 * Open a new version, add some data, commit it,
@@ -1078,27 +931,8 @@ t_dns_db_newversion(char **av) {
 		return(T_UNRESOLVED);
 	}
 
-	isc_result = isc_entropy_create(mctx, &ectx);
-	if (isc_result != ISC_R_SUCCESS) {
-		t_info("isc_entropy_create failed %s\n",
-				isc_result_totext(isc_result));
-		isc_mem_destroy(&mctx);
-		return(T_UNRESOLVED);
-	}
-
-	isc_result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
-	if (isc_result != ISC_R_SUCCESS) {
-		t_info("isc_hash_create failed %s\n",
-				isc_result_totext(isc_result));
-		isc_entropy_detach(&ectx);
-		isc_mem_destroy(&mctx);
-		return(T_UNRESOLVED);
-	}
-
 	dns_result = t_create(db_type, origin, class, model, mctx, &db);
 	if (dns_result != ISC_R_SUCCESS) {
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -1108,8 +942,6 @@ t_dns_db_newversion(char **av) {
 		t_info("dns_db_load returned %s\n",
 				dns_result_totext(dns_result));
 		dns_db_detach(&db);
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -1128,8 +960,6 @@ t_dns_db_newversion(char **av) {
 		t_info("dns_name_fromtext failed %s\n",
 			dns_result_totext(dns_result));
 		dns_db_detach(&db);
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -1141,8 +971,6 @@ t_dns_db_newversion(char **av) {
 		t_info("dns_db_findnode failed %s\n",
 				dns_result_totext(dns_result));
 		dns_db_detach(&db);
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -1161,8 +989,6 @@ t_dns_db_newversion(char **av) {
 				dns_result_totext(dns_result));
 		dns_db_detachnode(db, &nodep);
 		dns_db_detach(&db);
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -1175,8 +1001,6 @@ t_dns_db_newversion(char **av) {
 				dns_result_totext(dns_result));
 		dns_db_detachnode(db, &nodep);
 		dns_db_detach(&db);
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -1202,8 +1026,6 @@ t_dns_db_newversion(char **av) {
 				dns_result_totext(dns_result));
 		dns_db_detachnode(db, &nodep);
 		dns_db_detach(&db);
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -1215,8 +1037,6 @@ t_dns_db_newversion(char **av) {
 				dns_result_totext(dns_result));
 		dns_db_detachnode(db, &nodep);
 		dns_db_detach(&db);
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -1229,8 +1049,6 @@ t_dns_db_newversion(char **av) {
 		dns_db_closeversion(db, &nversionp, ISC_FALSE);
 		dns_db_detachnode(db, &nodep);
 		dns_db_detach(&db);
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -1270,8 +1088,6 @@ t_dns_db_newversion(char **av) {
 		if (dns_rdataset_isassociated(&found_rdataset))
 			dns_rdataset_disassociate(&found_rdataset);
 		dns_db_detach(&db);
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_FAIL);
 	}
@@ -1285,8 +1101,6 @@ t_dns_db_newversion(char **av) {
 			dns_rdataset_disassociate(&found_rdataset);
 		dns_db_closeversion(db, &nversionp, ISC_FALSE);
 		dns_db_detach(&db);
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_FAIL);
 	}
@@ -1312,8 +1126,6 @@ t_dns_db_newversion(char **av) {
 		dns_rdataset_disassociate(&found_rdataset);
 	dns_db_detachnode(db, &found_nodep);
 	dns_db_detach(&db);
-	isc_hash_destroy();
-	isc_entropy_detach(&ectx);
 	isc_mem_destroy(&mctx);
 
 	return(result);
@@ -1354,7 +1166,6 @@ t_dns_db_closeversion_1(char **av) {
 	isc_result_t		dns_result;
 	isc_result_t		isc_result;
 	isc_mem_t		*mctx;
-	isc_entropy_t		*ectx;
 	dns_dbnode_t		*nodep;
 	isc_textregion_t	textregion;
 	isc_buffer_t		name_buffer;
@@ -1387,7 +1198,6 @@ t_dns_db_closeversion_1(char **av) {
 	result = T_UNRESOLVED;
 	db = NULL;
 	mctx = NULL;
-	ectx = NULL;
 
 	/*
 	 * Open a new version, add some data,
@@ -1404,27 +1214,8 @@ t_dns_db_closeversion_1(char **av) {
 		return(T_UNRESOLVED);
 	}
 
-	isc_result = isc_entropy_create(mctx, &ectx);
-	if (isc_result != ISC_R_SUCCESS) {
-		t_info("isc_entropy_create failed %s\n",
-				isc_result_totext(isc_result));
-		isc_mem_destroy(&mctx);
-		return(T_UNRESOLVED);
-	}
-
-	isc_result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
-	if (isc_result != ISC_R_SUCCESS) {
-		t_info("isc_hash_create failed %s\n",
-				isc_result_totext(isc_result));
-		isc_entropy_detach(&ectx);
-		isc_mem_destroy(&mctx);
-		return(T_UNRESOLVED);
-	}
-
 	dns_result = t_create(db_type, origin, class, model, mctx, &db);
 	if (dns_result != ISC_R_SUCCESS) {
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -1434,8 +1225,6 @@ t_dns_db_closeversion_1(char **av) {
 		t_info("dns_db_load returned %s\n",
 				dns_result_totext(dns_result));
 		dns_db_detach(&db);
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -1454,8 +1243,6 @@ t_dns_db_closeversion_1(char **av) {
 		t_info("dns_name_fromtext failed %s\n",
 			dns_result_totext(dns_result));
 		dns_db_detach(&db);
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -1469,8 +1256,6 @@ t_dns_db_closeversion_1(char **av) {
 				dns_result_totext(dns_result));
 		dns_db_detachnode(db, &nodep);
 		dns_db_detach(&db);
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -1482,8 +1267,6 @@ t_dns_db_closeversion_1(char **av) {
 		t_info("dns_db_findnode %s\n",
 				dns_result_totext(dns_result));
 		dns_db_detach(&db);
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -1496,8 +1279,6 @@ t_dns_db_closeversion_1(char **av) {
 				dns_result_totext(dns_result));
 		dns_db_detachnode(db, &nodep);
 		dns_db_detach(&db);
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -1510,8 +1291,6 @@ t_dns_db_closeversion_1(char **av) {
 		dns_db_closeversion(db, &nversionp, ISC_FALSE);
 		dns_db_detachnode(db, &nodep);
 		dns_db_detach(&db);
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -1534,8 +1313,6 @@ t_dns_db_closeversion_1(char **av) {
 			dns_result_totext(dns_result));
 		dns_db_closeversion(db, &nversionp, ISC_FALSE);
 		dns_db_detach(&db);
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -1547,8 +1324,6 @@ t_dns_db_closeversion_1(char **av) {
 				dns_result_totext(dns_result));
 		dns_db_closeversion(db, &nversionp, ISC_FALSE);
 		dns_db_detach(&db);
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -1566,8 +1341,6 @@ t_dns_db_closeversion_1(char **av) {
 				dns_result_totext(dns_result));
 		dns_db_detachnode(db, &nodep);
 		dns_db_detach(&db);
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -1580,8 +1353,6 @@ t_dns_db_closeversion_1(char **av) {
 				dns_result_totext(dns_result));
 		dns_db_detachnode(db, &nodep);
 		dns_db_detach(&db);
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -1607,8 +1378,6 @@ t_dns_db_closeversion_1(char **av) {
 				dns_result_totext(dns_result));
 		dns_db_detachnode(db, &nodep);
 		dns_db_detach(&db);
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -1621,8 +1390,6 @@ t_dns_db_closeversion_1(char **av) {
 		dns_db_closeversion(db, &nversionp, ISC_FALSE);
 		dns_db_detachnode(db, &nodep);
 		dns_db_detach(&db);
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -1658,8 +1425,6 @@ t_dns_db_closeversion_1(char **av) {
 		if (dns_rdataset_isassociated(&found_rdataset))
 			dns_rdataset_disassociate(&found_rdataset);
 		dns_db_detach(&db);
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_FAIL);
 	}
@@ -1673,8 +1438,6 @@ t_dns_db_closeversion_1(char **av) {
 			dns_rdataset_disassociate(&found_rdataset);
 		dns_db_closeversion(db, &cversionp, ISC_FALSE);
 		dns_db_detach(&db);
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_FAIL);
 	}
@@ -1718,8 +1481,6 @@ t_dns_db_closeversion_1(char **av) {
 
 	dns_db_closeversion(db, &cversionp, ISC_FALSE);
 	dns_db_detach(&db);
-	isc_hash_destroy();
-	isc_entropy_detach(&ectx);
 	isc_mem_destroy(&mctx);
 
 	if (nfails == 0)
@@ -1766,7 +1527,6 @@ t_dns_db_closeversion_2(char **av) {
 	isc_result_t		dns_result;
 	isc_result_t		isc_result;
 	isc_mem_t		*mctx;
-	isc_entropy_t		*ectx;
 	dns_dbnode_t		*nodep;
 	isc_textregion_t	textregion;
 	isc_buffer_t		name_buffer;
@@ -1799,7 +1559,6 @@ t_dns_db_closeversion_2(char **av) {
 	result = T_UNRESOLVED;
 	db = NULL;
 	mctx = NULL;
-	ectx = NULL;
 
 	/*
 	 * Open a new version, add some data,
@@ -1816,27 +1575,8 @@ t_dns_db_closeversion_2(char **av) {
 		return(T_UNRESOLVED);
 	}
 
-	isc_result = isc_entropy_create(mctx, &ectx);
-	if (isc_result != ISC_R_SUCCESS) {
-		t_info("isc_entropy_create failed %s\n",
-				isc_result_totext(isc_result));
-		isc_mem_destroy(&mctx);
-		return(T_UNRESOLVED);
-	}
-
-	isc_result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
-	if (isc_result != ISC_R_SUCCESS) {
-		t_info("isc_hash_create failed %s\n",
-				isc_result_totext(isc_result));
-		isc_entropy_detach(&ectx);
-		isc_mem_destroy(&mctx);
-		return(T_UNRESOLVED);
-	}
-
 	dns_result = t_create(db_type, origin, class, model, mctx, &db);
 	if (dns_result != ISC_R_SUCCESS) {
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -1846,8 +1586,6 @@ t_dns_db_closeversion_2(char **av) {
 		t_info("dns_db_load returned %s\n",
 				dns_result_totext(dns_result));
 		dns_db_detach(&db);
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -1866,8 +1604,6 @@ t_dns_db_closeversion_2(char **av) {
 		t_info("dns_name_fromtext failed %s\n",
 			dns_result_totext(dns_result));
 		dns_db_detach(&db);
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -1881,8 +1617,6 @@ t_dns_db_closeversion_2(char **av) {
 				dns_result_totext(dns_result));
 		dns_db_detachnode(db, &nodep);
 		dns_db_detach(&db);
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -1894,8 +1628,6 @@ t_dns_db_closeversion_2(char **av) {
 		t_info("dns_db_findnode %s\n",
 				dns_result_totext(dns_result));
 		dns_db_detach(&db);
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -1910,8 +1642,6 @@ t_dns_db_closeversion_2(char **av) {
 				dns_result_totext(dns_result));
 		dns_db_detachnode(db, &nodep);
 		dns_db_detach(&db);
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -1924,8 +1654,6 @@ t_dns_db_closeversion_2(char **av) {
 		dns_db_closeversion(db, &nversionp, ISC_FALSE);
 		dns_db_detachnode(db, &nodep);
 		dns_db_detach(&db);
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -1948,8 +1676,6 @@ t_dns_db_closeversion_2(char **av) {
 		       dns_result_totext(dns_result));
 		dns_db_closeversion(db, &nversionp, ISC_FALSE);
 		dns_db_detach(&db);
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -1961,8 +1687,6 @@ t_dns_db_closeversion_2(char **av) {
 		       dns_result_totext(dns_result));
 		dns_db_closeversion(db, &nversionp, ISC_FALSE);
 		dns_db_detach(&db);
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -1975,8 +1699,6 @@ t_dns_db_closeversion_2(char **av) {
 		       new_type, dns_result_totext(dns_result));
 		dns_db_detachnode(db, &nodep);
 		dns_db_detach(&db);
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -1989,8 +1711,6 @@ t_dns_db_closeversion_2(char **av) {
 		       dns_result_totext(dns_result));
 		dns_db_detachnode(db, &nodep);
 		dns_db_detach(&db);
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -2016,8 +1736,6 @@ t_dns_db_closeversion_2(char **av) {
 		       dns_result_totext(dns_result));
 		dns_db_detachnode(db, &nodep);
 		dns_db_detach(&db);
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -2030,8 +1748,6 @@ t_dns_db_closeversion_2(char **av) {
 		dns_db_closeversion(db, &nversionp, ISC_FALSE);
 		dns_db_detachnode(db, &nodep);
 		dns_db_detach(&db);
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -2063,8 +1779,6 @@ t_dns_db_closeversion_2(char **av) {
 		if (dns_rdataset_isassociated(&found_rdataset))
 			dns_rdataset_disassociate(&found_rdataset);
 		dns_db_detach(&db);
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_FAIL);
 	}
@@ -2078,8 +1792,6 @@ t_dns_db_closeversion_2(char **av) {
 			dns_rdataset_disassociate(&found_rdataset);
 		dns_db_closeversion(db, &nversionp, ISC_FALSE);
 		dns_db_detach(&db);
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_FAIL);
 	}
@@ -2159,8 +1871,6 @@ t_dns_db_closeversion_2(char **av) {
 		dns_db_detachnode(db, &nodep);
 		dns_db_closeversion(db, &cversionp, ISC_FALSE);
 		dns_db_detach(&db);
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_FAIL);
 	}
@@ -2193,8 +1903,6 @@ t_dns_db_closeversion_2(char **av) {
 	dns_rdataset_disassociate(&found_rdataset);
 	dns_db_closeversion(db, &cversionp, ISC_FALSE);
 	dns_db_detach(&db);
-	isc_hash_destroy();
-	isc_entropy_detach(&ectx);
 	isc_mem_destroy(&mctx);
 
 	if (nfails == 0)
@@ -2238,7 +1946,6 @@ t_dns_db_expirenode(char **av) {
 	isc_result_t		exp_result;
 	isc_result_t		isc_result;
 	isc_mem_t		*mctx;
-	isc_entropy_t		*ectx;
 	dns_dbnode_t		*nodep;
 	isc_buffer_t		name_buffer;
 	dns_fixedname_t		dns_foundname;
@@ -2256,8 +1963,6 @@ t_dns_db_expirenode(char **av) {
 	node_xtime = T_ARG(5);
 	find_xtime = T_ARG(6);
 	exp_find_result = T_ARG(7);
-	mctx = NULL;
-	ectx = NULL;
 
 	result = T_UNRESOLVED;
 
@@ -2286,6 +1991,7 @@ t_dns_db_expirenode(char **av) {
 		return(T_UNRESOLVED);
 	}
 
+	mctx = NULL;
 	isc_result = isc_mem_create(0, 0, &mctx);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_mem_create failed %s\n",
@@ -2293,28 +1999,9 @@ t_dns_db_expirenode(char **av) {
 		return(T_UNRESOLVED);
 	}
 
-	isc_result = isc_entropy_create(mctx, &ectx);
-	if (isc_result != ISC_R_SUCCESS) {
-		t_info("isc_entropy_create failed %s\n",
-				isc_result_totext(isc_result));
-		isc_mem_destroy(&mctx);
-		return(T_UNRESOLVED);
-	}
-
-	isc_result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
-	if (isc_result != ISC_R_SUCCESS) {
-		t_info("isc_hash_create failed %s\n",
-				isc_result_totext(isc_result));
-		isc_entropy_detach(&ectx);
-		isc_mem_destroy(&mctx);
-		return(T_UNRESOLVED);
-	}
-
 	db = NULL;
 	dns_result = t_create(db_type, origin, class, "cache", mctx, &db);
 	if (dns_result != ISC_R_SUCCESS) {
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -2324,8 +2011,6 @@ t_dns_db_expirenode(char **av) {
 		t_info("dns_db_load returned %s\n",
 		       dns_result_totext(dns_result));
 		dns_db_detach(&db);
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -2340,8 +2025,6 @@ t_dns_db_expirenode(char **av) {
 	if (dns_result != ISC_R_SUCCESS) {
 		t_info("unable to find %s\n", existing_name);
 		dns_db_detach(&db);
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -2358,8 +2041,6 @@ t_dns_db_expirenode(char **av) {
 		       dns_result_totext(dns_result));
 		dns_db_detachnode(db, &nodep);
 		dns_db_detach(&db);
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_FAIL);
 	}
@@ -2403,8 +2084,6 @@ t_dns_db_expirenode(char **av) {
 
 
 	dns_db_detach(&db);
-	isc_hash_destroy();
-	isc_entropy_detach(&ectx);
 	isc_mem_destroy(&mctx);
 
 	return(result);
@@ -2442,7 +2121,6 @@ t_dns_db_findnode_1(char **av) {
 	isc_result_t		dns_result;
 	isc_result_t		isc_result;
 	isc_mem_t		*mctx;
-	isc_entropy_t		*ectx;
 	dns_dbnode_t		*nodep;
 	isc_buffer_t		name_buffer;
 	dns_rdataset_t		rdataset;
@@ -2463,7 +2141,6 @@ t_dns_db_findnode_1(char **av) {
 
 	db = NULL;
 	mctx = NULL;
-	ectx = NULL;
 	result = T_UNRESOLVED;
 
 	t_info("testing using file %s and name %s\n", filename, find_name);
@@ -2487,22 +2164,6 @@ t_dns_db_findnode_1(char **av) {
 		return(T_UNRESOLVED);
 	}
 
-	isc_result = isc_entropy_create(mctx, &ectx);
-	if (isc_result != ISC_R_SUCCESS) {
-		t_info("isc_entropy_create failed %s\n",
-				isc_result_totext(isc_result));
-		isc_mem_destroy(&mctx);
-		return(T_UNRESOLVED);
-	}
-
-	isc_result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
-	if (isc_result != ISC_R_SUCCESS) {
-		t_info("isc_hash_create failed %s\n",
-				isc_result_totext(isc_result));
-		isc_mem_destroy(&mctx);
-		return(T_UNRESOLVED);
-	}
-
 	dns_result = t_create(db_type, origin, class, model, mctx, &db);
 	if (dns_result != ISC_R_SUCCESS) {
 		isc_mem_destroy(&mctx);
@@ -2569,8 +2230,6 @@ t_dns_db_findnode_1(char **av) {
 	}
 
 	dns_db_detach(&db);
-	isc_hash_destroy();
-	isc_entropy_detach(&ectx);
 	isc_mem_destroy(&mctx);
 
 	return(result);
@@ -2607,7 +2266,6 @@ t_dns_db_findnode_2(char **av) {
 	isc_result_t		dns_result;
 	isc_result_t		isc_result;
 	isc_mem_t		*mctx;
-	isc_entropy_t		*ectx;
 	dns_dbnode_t		*nodep;
 	dns_dbnode_t		*newnodep;
 	isc_buffer_t		name_buffer;
@@ -2626,7 +2284,6 @@ t_dns_db_findnode_2(char **av) {
 	result = T_UNRESOLVED;
 	db = NULL;
 	mctx = NULL;
-	ectx = NULL;
 	nfails = 0;
 
 	t_info("testing using file %s and name %s\n", filename, newname);
@@ -2638,24 +2295,8 @@ t_dns_db_findnode_2(char **av) {
 		return(T_UNRESOLVED);
 	}
 
-	isc_result = isc_entropy_create(mctx, &ectx);
-	if (isc_result != ISC_R_SUCCESS) {
-		t_info("isc_entropy_create failed %s\n",
-				isc_result_totext(isc_result));
-		return(T_UNRESOLVED);
-	}
-
-	isc_result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
-	if (isc_result != ISC_R_SUCCESS) {
-		t_info("isc_hash_create failed %s\n",
-				isc_result_totext(isc_result));
-		return(T_UNRESOLVED);
-	}
-
 	dns_result = t_create(db_type, origin, class, model, mctx, &db);
 	if (dns_result != ISC_R_SUCCESS) {
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -2665,8 +2306,6 @@ t_dns_db_findnode_2(char **av) {
 		t_info("dns_db_load returned %s\n",
 				dns_result_totext(dns_result));
 		dns_db_detach(&db);
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -2692,8 +2331,6 @@ t_dns_db_findnode_2(char **av) {
 		       dns_result_totext(dns_result));
 		dns_db_detachnode(db, &nodep);
 		dns_db_detach(&db);
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -2707,8 +2344,6 @@ t_dns_db_findnode_2(char **av) {
 		t_info("dns_db_findnode %s\n",
 				dns_result_totext(dns_result));
 		dns_db_detach(&db);
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_FAIL);
 	}
@@ -2762,8 +2397,6 @@ t_dns_db_findnode_2(char **av) {
 	dns_db_detachnode(db, &nodep);
 	dns_db_closeversion(db, &cversionp, ISC_FALSE);
 	dns_db_detach(&db);
-	isc_hash_destroy();
-	isc_entropy_detach(&ectx);
 	isc_mem_destroy(&mctx);
 
 	if (nfails == 0)
@@ -2806,7 +2439,6 @@ t_dns_db_find_x(char **av) {
 	isc_stdtime_t		now;
 	isc_result_t		exp_result;
 	isc_mem_t		*mctx;
-	isc_entropy_t		*ectx;
 	dns_dbnode_t		*nodep;
 	isc_textregion_t	textregion;
 	isc_buffer_t		findname_buffer;
@@ -2830,7 +2462,6 @@ t_dns_db_find_x(char **av) {
 	expected_result = T_ARG(9);
 	db = NULL;
 	mctx = NULL;
-	ectx = NULL;
 	opts = 0;
 
 	t_info("testing using %s, name %s, type %s\n", dbfile, findname,
@@ -2843,27 +2474,8 @@ t_dns_db_find_x(char **av) {
 		return(T_UNRESOLVED);
 	}
 
-	isc_result = isc_entropy_create(mctx, &ectx);
-	if (isc_result != ISC_R_SUCCESS) {
-		t_info("isc_entropy_create failed %s\n",
-				isc_result_totext(isc_result));
-		isc_mem_destroy(&mctx);
-		return(T_UNRESOLVED);
-	}
-
-	isc_result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
-	if (isc_result != ISC_R_SUCCESS) {
-		t_info("isc_hash_create failed %s\n",
-				isc_result_totext(isc_result));
-		isc_entropy_detach(&ectx);
-		isc_mem_destroy(&mctx);
-		return(T_UNRESOLVED);
-	}
-
 	dns_result = t_create(dbtype, dborigin, dbclass, dbmodel, mctx, &db);
 	if (dns_result != ISC_R_SUCCESS) {
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -2873,8 +2485,6 @@ t_dns_db_find_x(char **av) {
 		t_info("dns_db_load returned %s\n",
 				dns_result_totext(dns_result));
 		dns_db_detach(&db);
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -2891,8 +2501,6 @@ t_dns_db_find_x(char **av) {
 		t_info("dns_name_fromtext failed %s\n",
 			dns_result_totext(dns_result));
 		dns_db_detach(&db);
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -2905,8 +2513,6 @@ t_dns_db_find_x(char **av) {
 				findtype,
 				dns_result_totext(dns_result));
 		dns_db_detach(&db);
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -2961,8 +2567,6 @@ t_dns_db_find_x(char **av) {
 	if (dns_db_iszone(db))
 		dns_db_closeversion(db, &cversionp, ISC_FALSE);
 	dns_db_detach(&db);
-	isc_hash_destroy();
-	isc_entropy_detach(&ectx);
 	isc_mem_destroy(&mctx);
 
 	return(result);
diff --git a/bin/tests/db_test.c b/bin/tests/db_test.c
index 6c4b170b..8afb3e6e 100644
--- a/bin/tests/db_test.c
+++ b/bin/tests/db_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: db_test.c,v 1.56.2.3 2005/03/17 03:59:30 marka Exp $ */
+/* $Id: db_test.c,v 1.56.12.4 2004/03/08 04:04:25 marka Exp $ */
 
 /*
  * Principal Author: Bob Halley
@@ -76,8 +76,8 @@ print_result(const char *message, isc_result_t result) {
 		message = "";
 	}
 	len = strlen(message);
-	printf("%s%sresult %08x: %s\n", message, (len == 0U) ? "" : " ",
-	       result, isc_result_totext(result));
+	printf("%s%sresult %08x: %s\n", message, (len == 0) ? "" : " ", result,
+	       isc_result_totext(result));
 }
 
 static void
@@ -248,7 +248,7 @@ load(const char *filename, const char *origintext, isc_boolean_t cache) {
 	dbinfo *dbi;
 	unsigned int i;
 
-	dbi = isc_mem_get(mctx, sizeof *dbi);
+	dbi = isc_mem_get(mctx, sizeof(*dbi));
 	if (dbi == NULL)
 		return (ISC_R_NOMEMORY);
 
@@ -281,7 +281,7 @@ load(const char *filename, const char *origintext, isc_boolean_t cache) {
 			       dns_rdataclass_in,
 			       0, NULL, &dbi->db);
 	if (result != ISC_R_SUCCESS) {
-		isc_mem_put(mctx, dbi, sizeof *dbi);
+		isc_mem_put(mctx, dbi, sizeof(*dbi));
 		return (result);
 	}
 
@@ -289,7 +289,7 @@ load(const char *filename, const char *origintext, isc_boolean_t cache) {
 	result = dns_db_load(dbi->db, filename);
 	if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE) {
 		dns_db_detach(&dbi->db);
-		isc_mem_put(mctx, dbi, sizeof *dbi);
+		isc_mem_put(mctx, dbi, sizeof(*dbi));
 		return (result);
 	}
 	printf("loaded\n");
@@ -301,7 +301,7 @@ load(const char *filename, const char *origintext, isc_boolean_t cache) {
 	} else {
 		if (dns_dbtable_add(dbtable, dbi->db) != ISC_R_SUCCESS) {
 			dns_db_detach(&dbi->db);
-			isc_mem_put(mctx, dbi, sizeof *dbi);
+			isc_mem_put(mctx, dbi, sizeof(*dbi));
 			return (result);
 		}
 	}
@@ -325,7 +325,7 @@ unload_all(void) {
 		}
 		dns_db_detach(&dbi->db);
 		ISC_LIST_UNLINK(dbs, dbi, link);
-		isc_mem_put(mctx, dbi, sizeof *dbi);
+		isc_mem_put(mctx, dbi, sizeof(*dbi));
 	}
 }
 
@@ -466,18 +466,18 @@ main(int argc, char *argv[]) {
 	version = NULL;
 
 	if (time_lookups) {
-		(void)isc_time_now(&start);
+		TIME_NOW(&start);
 	}
 
 	while (!done) {
 		if (!quiet)
 			printf("\n");
-		if (fgets(s, sizeof s, stdin) == NULL) {
+		if (fgets(s, sizeof(s), stdin) == NULL) {
 			done = ISC_TRUE;
 			continue;
 		}
 		len = strlen(s);
-		if (len > 0U && s[len - 1] == '\n') {
+		if (len > 0 && s[len - 1] == '\n') {
 			s[len - 1] = '\0';
 			len--;
 		}
@@ -923,7 +923,7 @@ main(int argc, char *argv[]) {
 	if (time_lookups) {
 		isc_uint64_t usec;
 
-		(void)isc_time_now(&finish);
+		TIME_NOW(&finish);
 
 		usec = isc_time_microdiff(&finish, &start);
 
diff --git a/bin/tests/dst/Makefile.in b/bin/tests/dst/Makefile.in
index 4238027b..d3eb9e3c 100644
--- a/bin/tests/dst/Makefile.in
+++ b/bin/tests/dst/Makefile.in
@@ -1,5 +1,5 @@
 # Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1999-2001  Internet Software Consortium.
+# Copyright (C) 1999-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -13,20 +13,20 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.30.2.3 2004/07/20 07:00:13 marka Exp $
+# $Id: Makefile.in,v 1.30.12.6 2004/03/08 04:04:29 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
 top_srcdir =	@top_srcdir@
 
-@BIND9_INCLUDES@
+@BIND9_MAKE_INCLUDES@
 
 CINCLUDES =	${TEST_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES}
 
 CDEFINES =
 CWARNINGS =
 
-DNSLIBS =	../../../lib/dns/libdns.@A@ @DNS_OPENSSL_LIBS@ @DNS_GSSAPI_LIBS@
+DNSLIBS =	../../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
 ISCLIBS =	../../../lib/isc/libisc.@A@
 
 DNSDEPLIBS =	../../../lib/dns/libdns.@A@
@@ -38,21 +38,21 @@ LIBS =		${DNSLIBS} ${ISCLIBS} @LIBS@
 
 TLIB =		../../../lib/tests/libt_api.@A@
 
-TARGETS =	dst_test t_dst
+TARGETS =	dst_test@EXEEXT@ t_dst@EXEEXT@
 
 SRCS =		dst_test.c t_dst.c
 
 @BIND9_MAKE_RULES@
 
-dst_test: dst_test.@O@ ${DEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ dst_test.@O@ ${LIBS}
+dst_test@EXEEXT@: dst_test.@O@ ${DEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} -o $@ dst_test.@O@ ${LIBS}
 
-t_dst: t_dst.@O@ ${DEPLIBS} ${TLIB}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ t_dst.@O@  ${TLIB} ${LIBS}
+t_dst@EXEEXT@: t_dst.@O@ ${DEPLIBS} ${TLIB}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} -o $@ t_dst.@O@  ${TLIB} ${LIBS}
 
-test: t_dst
-	../genrandom 100 randomfile
-	-@ ./t_dst -b @srcdir@ -q 1800 -a
+test: t_dst@EXEEXT@
+	../genrandom@EXEEXT@ 100 randomfile
+	-@ ./t_dst@EXEEXT@ -b @srcdir@ -q 1800 -a
 
 clean distclean::
 	rm -f ${TARGETS} randomfile
diff --git a/bin/tests/dst/dst_test.c b/bin/tests/dst/dst_test.c
index 0e63e652..0a642cf7 100644
--- a/bin/tests/dst/dst_test.c
+++ b/bin/tests/dst/dst_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dst_test.c,v 1.37.2.3 2006/01/04 23:50:16 marka Exp $ */
+/* $Id: dst_test.c,v 1.37.206.1 2004/03/06 10:21:43 marka Exp $ */
 
 #include <config.h>
 
@@ -236,34 +236,23 @@ main(void) {
 	isc_buffer_t b;
 	dns_fixedname_t fname;
 	dns_name_t *name;
-	isc_result_t result;
 
-	result = isc_mem_create(0, 0, &mctx);
-	if (result != ISC_R_SUCCESS)
-		return (1);
+	isc_mem_create(0, 0, &mctx);
 
 	current = isc_mem_get(mctx, 256);
-	if (current == NULL)
-		return (1);
 	getcwd(current, 256);
 
 	dns_result_register();
 
-	result = isc_entropy_create(mctx, &ectx);
-	if (result != ISC_R_SUCCESS)
-		return (1);
-	result = isc_entropy_createfilesource(ectx, "randomfile");
-	if (result != ISC_R_SUCCESS)
-		return (1);
+	isc_entropy_create(mctx, &ectx);
+	isc_entropy_createfilesource(ectx, "randomfile");
 	dst_lib_init(mctx, ectx, ISC_ENTROPY_BLOCKING|ISC_ENTROPY_GOODONLY);
 
 	dns_fixedname_init(&fname);
 	name = dns_fixedname_name(&fname);
 	isc_buffer_init(&b, "test.", 5);
 	isc_buffer_add(&b, 5);
-	result = dns_name_fromtext(name, &b, NULL, ISC_FALSE, NULL);
-	if (result != ISC_R_SUCCESS)
-		return (1);
+	dns_name_fromtext(name, &b, NULL, ISC_FALSE, NULL);
 	io(name, 23616, DST_ALG_DSA, DST_TYPE_PRIVATE|DST_TYPE_PUBLIC, mctx);
 	io(name, 54622, DST_ALG_RSAMD5, DST_TYPE_PRIVATE|DST_TYPE_PUBLIC,
 	   mctx);
@@ -273,9 +262,7 @@ main(void) {
 
 	isc_buffer_init(&b, "dh.", 3);
 	isc_buffer_add(&b, 3);
-	result = dns_name_fromtext(name, &b, NULL, ISC_FALSE, NULL);
-	if (result != ISC_R_SUCCESS)
-		return (1);
+	dns_name_fromtext(name, &b, NULL, ISC_FALSE, NULL);
 	dh(name, 18602, name, 48957, mctx);
 
 	generate(DST_ALG_RSAMD5, mctx);
diff --git a/bin/tests/dst/t_dst.c b/bin/tests/dst/t_dst.c
index ff90b17e..f4279b23 100644
--- a/bin/tests/dst/t_dst.c
+++ b/bin/tests/dst/t_dst.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: t_dst.c,v 1.47.2.3 2006/01/04 23:50:16 marka Exp $ */
+/* $Id: t_dst.c,v 1.47.206.1 2004/03/06 10:21:43 marka Exp $ */
 
 #include <config.h>
 
@@ -405,13 +405,7 @@ t1(void) {
 	name = dns_fixedname_name(&fname);
 	isc_buffer_init(&b, "test.", 5);
 	isc_buffer_add(&b, 5);
-	isc_result = dns_name_fromtext(name, &b, NULL, ISC_FALSE, NULL);
-	if (isc_result != ISC_R_SUCCESS) {
-		t_info("dns_name_fromtext failed %s\n",
-		       isc_result_totext(isc_result));
-		t_result(T_UNRESOLVED);
-		return;
-	}
+	dns_name_fromtext(name, &b, NULL, ISC_FALSE, NULL);
 	io(name, 23616, DST_ALG_DSA, DST_TYPE_PRIVATE|DST_TYPE_PUBLIC,
 			mctx, ISC_R_SUCCESS, &nfails, &nprobs);
 	t_info("testing use of stored keys [2]\n");
@@ -427,13 +421,7 @@ t1(void) {
 
 	isc_buffer_init(&b, "dh.", 3);
 	isc_buffer_add(&b, 3);
-	isc_result = dns_name_fromtext(name, &b, NULL, ISC_FALSE, NULL);
-	if (isc_result != ISC_R_SUCCESS) {
-		t_info("dns_name_fromtext failed %s\n",
-		       isc_result_totext(isc_result));
-		t_result(T_UNRESOLVED);
-		return;
-	}
+	dns_name_fromtext(name, &b, NULL, ISC_FALSE, NULL);
 
 	dh(name, 18602, name, 48957, mctx, ISC_R_SUCCESS, &nfails, &nprobs);
 
@@ -686,14 +674,7 @@ t2_sigchk(char *datapath, char *sigpath, char *keyname,
 	name = dns_fixedname_name(&fname);
 	isc_buffer_init(&b, keyname, strlen(keyname));
 	isc_buffer_add(&b, strlen(keyname));
-	isc_result = dns_name_fromtext(name, &b, dns_rootname, ISC_FALSE, NULL);
-	if (isc_result != ISC_R_SUCCESS) {
-		t_info("dns_name_fromtext failed %s\n",
-			isc_result_totext(isc_result));
-		(void) free(data);
-		++*nprobs;
-		return;
-	}
+	dns_name_fromtext(name, &b, dns_rootname, ISC_FALSE, NULL);
 	isc_result = dst_key_fromfile(name, id, alg, type, NULL, mctx, &key);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("dst_key_fromfile failed %s\n",
diff --git a/bin/tests/entropy2_test.c b/bin/tests/entropy2_test.c
index b08bc3ba..01a5a10f 100644
--- a/bin/tests/entropy2_test.c
+++ b/bin/tests/entropy2_test.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: entropy2_test.c,v 1.9.2.1 2004/03/09 06:09:30 marka Exp $ */
+/* $Id: entropy2_test.c,v 1.9.12.4 2004/03/08 04:04:25 marka Exp $ */
 
 #include <config.h>
 
@@ -38,7 +38,7 @@ hex_dump(const char *msg, void *data, unsigned int length) {
 	base = data;
 
         printf("DUMP of %d bytes:  %s\n\t", length, msg);
-        for (len = 0 ; len < length ; len++) {
+        for (len = 0; len < length; len++) {
                 if (len % 16 == 0 && !first)
 			printf("\n\t");
                 printf("%02x ", base[len]);
@@ -97,9 +97,7 @@ get(isc_entropysource_t *source, void *arg, isc_boolean_t blocking) {
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
-	result = isc_time_now(&t);
-	if (result != ISC_R_SUCCESS)
-		return (result);
+	TIME_NOW(&t);
 
 	sample = isc_time_nanoseconds(&t);
 	extra = c;
diff --git a/bin/tests/entropy_test.c b/bin/tests/entropy_test.c
index 2de56ba9..c3b1bee6 100644
--- a/bin/tests/entropy_test.c
+++ b/bin/tests/entropy_test.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: entropy_test.c,v 1.16.2.1 2004/03/09 06:09:30 marka Exp $ */
+/* $Id: entropy_test.c,v 1.16.12.4 2004/03/08 09:04:16 marka Exp $ */
 
 #include <config.h>
 
@@ -36,7 +36,7 @@ hex_dump(const char *msg, void *data, unsigned int length) {
 	base = data;
 
         printf("DUMP of %d bytes:  %s\n\t", length, msg);
-        for (len = 0 ; len < length ; len++) {
+        for (len = 0; len < length; len++) {
                 if (len % 16 == 0 && !first)
 			printf("\n\t");
                 printf("%02x ", base[len]);
@@ -108,10 +108,10 @@ main(int argc, char **argv) {
 	flags = 0;
 	flags |= ISC_ENTROPY_GOODONLY;
 	flags |= ISC_ENTROPY_BLOCKING;
-	result = isc_entropy_getdata(ent, buffer, sizeof buffer, &returned,
+	result = isc_entropy_getdata(ent, buffer, sizeof(buffer), &returned,
 				     flags);
 	CHECK("good data only, blocking mode", result);
-	hex_dump("blocking mode data", buffer, sizeof buffer);
+	hex_dump("blocking mode data", buffer, sizeof(buffer));
 
 	{
 		isc_entropy_t *entcopy1 = NULL;
diff --git a/bin/tests/fsaccess_test.c b/bin/tests/fsaccess_test.c
index e3b40266..a5fb5fb7 100644
--- a/bin/tests/fsaccess_test.c
+++ b/bin/tests/fsaccess_test.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: fsaccess_test.c,v 1.8.2.1 2004/03/09 06:09:31 marka Exp $ */
+/* $Id: fsaccess_test.c,v 1.8.206.1 2004/03/06 10:21:36 marka Exp $ */
 
 #include <config.h>
 
diff --git a/bin/tests/genrandom.c b/bin/tests/genrandom.c
index 71d4dc7b..db5b4687 100644
--- a/bin/tests/genrandom.c
+++ b/bin/tests/genrandom.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
+ * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,14 +15,15 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: genrandom.c,v 1.8.2.3 2004/03/09 06:09:31 marka Exp $ */
+/* $Id: genrandom.c,v 1.8.74.4 2004/03/08 04:04:25 marka Exp $ */
 
 #include <config.h>
 
 #include <stdio.h>
-#include <stdlib.h>
 #include <time.h>
 
+#include <isc/stdlib.h>
+
 int
 main(int argc, char **argv) {
 	unsigned int bytes;
diff --git a/bin/tests/gxba_test.c b/bin/tests/gxba_test.c
index edc0e6e4..4ccc1b8d 100644
--- a/bin/tests/gxba_test.c
+++ b/bin/tests/gxba_test.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: gxba_test.c,v 1.7.2.1 2004/03/09 06:09:31 marka Exp $ */
+/* $Id: gxba_test.c,v 1.7.12.3 2004/03/08 04:04:25 marka Exp $ */
 
 #include <config.h>
 
@@ -46,7 +46,7 @@ print_he(struct hostent *he, int error, const char *fun, const char *name) {
 		 i = 1;
 		 while (*c != NULL) {
 			char buf[128];
-			inet_ntop(he->h_addrtype, *c, buf, sizeof (buf));
+			inet_ntop(he->h_addrtype, *c, buf, sizeof(buf));
 			printf("\taddress[%d] = %s\n", i, buf);
 			c++;
 			i++;
diff --git a/bin/tests/gxbn_test.c b/bin/tests/gxbn_test.c
index 38574089..6d8db998 100644
--- a/bin/tests/gxbn_test.c
+++ b/bin/tests/gxbn_test.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: gxbn_test.c,v 1.10.2.1 2004/03/09 06:09:31 marka Exp $ */
+/* $Id: gxbn_test.c,v 1.10.12.3 2004/03/08 04:04:26 marka Exp $ */
 
 #include <config.h>
 
@@ -46,7 +46,7 @@ print_he(struct hostent *he, int error, const char *fun, const char *name) {
 		 i = 1;
 		 while (*c != NULL) {
 			char buf[128];
-			inet_ntop(he->h_addrtype, *c, buf, sizeof (buf));
+			inet_ntop(he->h_addrtype, *c, buf, sizeof(buf));
 			printf("\taddress[%d] = %s\n", i, buf);
 			c++;
 			i++;
diff --git a/bin/tests/hash_test.c b/bin/tests/hash_test.c
index d79a8ebd..3735aa9f 100644
--- a/bin/tests/hash_test.c
+++ b/bin/tests/hash_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: hash_test.c,v 1.8.2.5 2005/03/17 03:59:30 marka Exp $ */
+/* $Id: hash_test.c,v 1.8.12.3 2004/03/08 04:04:26 marka Exp $ */
 
 #include <config.h>
 
@@ -29,15 +29,15 @@
 #include <isc/string.h>
 
 static void
-print_digest(unsigned char *s, const char *hash, unsigned char *d,
+print_digest(char *s, const char *hash, unsigned char *d,
 	     unsigned int words)
 {
 	unsigned int i, j;
 
-	printf("hash (%s) %s:\n\t", hash, (char *)s);
-	for (i = 0 ; i < words ; i++) {
+	printf("hash (%s) %s:\n\t", hash, s);
+	for (i = 0; i < words; i++) {
 		printf(" ");
-		for (j = 0 ; j < 4 ; j++)
+		for (j = 0; j < 4; j++)
 			printf("%02x", d[i * 4 + j]);
 	}
 	printf("\n");
@@ -50,7 +50,7 @@ main(int argc, char **argv) {
 	isc_hmacmd5_t hmacmd5;
 	unsigned char digest[20];
 	unsigned char buffer[1024];
-	const char *s;
+	const unsigned char *s;
 	unsigned char key[20];
 
 	UNUSED(argc);
@@ -58,21 +58,21 @@ main(int argc, char **argv) {
 
 	s = "abc";
 	isc_sha1_init(&sha1);
-	memcpy(buffer, s, strlen(s));
+	strcpy(buffer, s);
 	isc_sha1_update(&sha1, buffer, strlen(s));
 	isc_sha1_final(&sha1, digest);
 	print_digest(buffer, "sha1", digest, 5);
 
 	s = "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq";
 	isc_sha1_init(&sha1);
-	memcpy(buffer, s, strlen(s));
+	strcpy(buffer, s);
 	isc_sha1_update(&sha1, buffer, strlen(s));
 	isc_sha1_final(&sha1, digest);
 	print_digest(buffer, "sha1", digest, 5);
 
 	s = "abc";
 	isc_md5_init(&md5);
-	memcpy(buffer, s, strlen(s));
+	strcpy(buffer, s);
 	isc_md5_update(&md5, buffer, strlen(s));
 	isc_md5_final(&md5, digest);
 	print_digest(buffer, "md5", digest, 4);
@@ -83,15 +83,15 @@ main(int argc, char **argv) {
 	s = "Hi There";
 	memset(key, 0x0b, 16);
 	isc_hmacmd5_init(&hmacmd5, key, 16);
-	memcpy(buffer, s, strlen(s));
+	strcpy(buffer, s);
 	isc_hmacmd5_update(&hmacmd5, buffer, strlen(s));
 	isc_hmacmd5_sign(&hmacmd5, digest);
 	print_digest(buffer, "hmacmd5", digest, 4);
 
 	s = "what do ya want for nothing?";
-	strcpy((char *)key, "Jefe");
+	strcpy(key, "Jefe");
 	isc_hmacmd5_init(&hmacmd5, key, 4);
-	memcpy(buffer, s, strlen(s));
+	strcpy(buffer, s);
 	isc_hmacmd5_update(&hmacmd5, buffer, strlen(s));
 	isc_hmacmd5_sign(&hmacmd5, digest);
 	print_digest(buffer, "hmacmd5", digest, 4);
@@ -103,7 +103,7 @@ main(int argc, char **argv) {
 	    "\335\335\335\335\335\335\335\335\335\335";
 	memset(key, 0xaa, 16);
 	isc_hmacmd5_init(&hmacmd5, key, 16);
-	memcpy(buffer, s, strlen(s));
+	strcpy(buffer, s);
 	isc_hmacmd5_update(&hmacmd5, buffer, strlen(s));
 	isc_hmacmd5_sign(&hmacmd5, digest);
 	print_digest(buffer, "hmacmd5", digest, 4);
diff --git a/bin/tests/headerdep_test.sh.in b/bin/tests/headerdep_test.sh.in
index f04076b4..09d1ffcb 100644
--- a/bin/tests/headerdep_test.sh.in
+++ b/bin/tests/headerdep_test.sh.in
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: headerdep_test.sh.in,v 1.5.2.1 2004/03/09 06:09:31 marka Exp $
+# $Id: headerdep_test.sh.in,v 1.5.206.1 2004/03/06 10:21:36 marka Exp $
 
 #
 # Check the installed bind9 headers to make sure that no header
diff --git a/bin/tests/inter_test.c b/bin/tests/inter_test.c
index 89beaed9..15bc1c87 100644
--- a/bin/tests/inter_test.c
+++ b/bin/tests/inter_test.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: inter_test.c,v 1.8.2.1 2004/03/09 06:09:31 marka Exp $ */
+/* $Id: inter_test.c,v 1.8.206.2 2004/03/06 10:21:36 marka Exp $ */
 
 #include <config.h>
 
@@ -54,7 +54,13 @@ main(int argc, char **argv) {
 		INSIST(ifdata.af == AF_INET || ifdata.af == AF_INET6);
 		res = inet_ntop(ifdata.af, &ifdata.address.type, buf,
 				sizeof(buf));
-		fprintf(stdout, "address = %s\n", res == NULL ? "BAD" : res);
+		if (ifdata.address.zone != 0)
+			fprintf(stdout, "address = %s (zone %u)\n",
+				res == NULL ? "BAD" : res,
+				ifdata.address.zone);
+		else
+			fprintf(stdout, "address = %s\n",
+				res == NULL ? "BAD" : res);
 		INSIST(ifdata.address.family == ifdata.af);
 		res = inet_ntop(ifdata.af, &ifdata.netmask.type, buf,
 				sizeof(buf));
diff --git a/bin/tests/journalprint.c b/bin/tests/journalprint.c
index af3469ff..1e7c6dfd 100644
--- a/bin/tests/journalprint.c
+++ b/bin/tests/journalprint.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,9 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: journalprint.c,v 1.3.2.7 2007/02/27 23:45:21 tbox Exp $ */
-
-#include <config.h>
+/* $Id: journalprint.c,v 1.3.206.1 2004/03/06 10:21:37 marka Exp $ */
 
 #include <isc/mem.h>
 #include <isc/util.h>
@@ -33,8 +31,8 @@ main(int argc, char **argv) {
 	isc_mem_t *mctx = NULL;
 
 	if (argc != 2) {
-		printf("usage: %s journal\n", argv[0]);
-		return(1);
+		printf("usage: %s journal", argv[0]);
+		exit(1);
 	}
 
 	file = argv[1];
@@ -43,5 +41,5 @@ main(int argc, char **argv) {
 
 	RUNTIME_CHECK(dns_journal_print(mctx, file, stdout) == ISC_R_SUCCESS);
 	isc_mem_detach(&mctx);
-	return(0);
+	exit(0);
 }
diff --git a/bin/tests/keyboard_test.c b/bin/tests/keyboard_test.c
index 66dff5f4..e8cb394c 100644
--- a/bin/tests/keyboard_test.c
+++ b/bin/tests/keyboard_test.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: keyboard_test.c,v 1.8.2.1 2004/03/09 06:09:32 marka Exp $ */
+/* $Id: keyboard_test.c,v 1.8.206.1 2004/03/06 10:21:37 marka Exp $ */
 
 #include <config.h>
 
diff --git a/bin/tests/lex_test.c b/bin/tests/lex_test.c
index 0e40a347..5b0b7e43 100644
--- a/bin/tests/lex_test.c
+++ b/bin/tests/lex_test.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lex_test.c,v 1.18.2.1 2004/03/09 06:09:32 marka Exp $ */
+/* $Id: lex_test.c,v 1.18.206.1 2004/03/06 10:21:37 marka Exp $ */
 
 #include <config.h>
 
diff --git a/bin/tests/lfsr_test.c b/bin/tests/lfsr_test.c
index 0eead650..92d1fde9 100644
--- a/bin/tests/lfsr_test.c
+++ b/bin/tests/lfsr_test.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lfsr_test.c,v 1.10.2.1 2004/03/09 06:09:32 marka Exp $ */
+/* $Id: lfsr_test.c,v 1.10.12.3 2004/03/08 04:04:26 marka Exp $ */
 
 #include <config.h>
 
@@ -39,12 +39,12 @@ main(int argc, char **argv) {
 	 * Verify that returned values are reproducable.
 	 */
 	isc_lfsr_init(&lfsr1, 0, 32, 0x80000057U, 0, NULL, NULL);
-	for (i = 0 ; i < 32 ; i++) {
+	for (i = 0; i < 32; i++) {
 		isc_lfsr_generate(&lfsr1, &state[i], 4);
 		printf("lfsr1:  state[%2d] = %08x\n", i, state[i]);
 	}
 	isc_lfsr_init(&lfsr1, 0, 32, 0x80000057U, 0, NULL, NULL);
-	for (i = 0 ; i < 32 ; i++) {
+	for (i = 0; i < 32; i++) {
 		isc_lfsr_generate(&lfsr1, &temp, 4);
 		if (state[i] != temp)
 			printf("lfsr1:  state[%2d] = %08x, "
@@ -56,13 +56,13 @@ main(int argc, char **argv) {
 	 * Now do the same with skipping.
 	 */
 	isc_lfsr_init(&lfsr1, 0, 32, 0x80000057U, 0, NULL, NULL);
-	for (i = 0 ; i < 32 ; i++) {
+	for (i = 0; i < 32; i++) {
 		isc_lfsr_generate(&lfsr1, &state[i], 4);
 		isc_lfsr_skip(&lfsr1, 32);
 		printf("lfsr1:  state[%2d] = %08x\n", i, state[i]);
 	}
 	isc_lfsr_init(&lfsr1, 0, 32, 0x80000057U, 0, NULL, NULL);
-	for (i = 0 ; i < 32 ; i++) {
+	for (i = 0; i < 32; i++) {
 		isc_lfsr_generate(&lfsr1, &temp, 4);
 		isc_lfsr_skip(&lfsr1, 32);
 		if (state[i] != temp)
@@ -77,12 +77,12 @@ main(int argc, char **argv) {
 	 *	x^16 + x^5 + x^3 + x^2 + 1
 	 */
 	isc_lfsr_init(&lfsr2, 0, 16, 0x00008016U, 0, NULL, NULL);
-	for (i = 0 ; i < 32 ; i++) {
+	for (i = 0; i < 32; i++) {
 		isc_lfsr_generate(&lfsr2, &state[i], 4);
 		printf("lfsr2:  state[%2d] = %08x\n", i, state[i]);
 	}
 	isc_lfsr_init(&lfsr2, 0, 16, 0x00008016U, 0, NULL, NULL);
-	for (i = 0 ; i < 32 ; i++) {
+	for (i = 0; i < 32; i++) {
 		isc_lfsr_generate(&lfsr2, &temp, 4);
 		if (state[i] != temp)
 			printf("lfsr2:  state[%2d] = %08x, "
diff --git a/bin/tests/log_test.c b/bin/tests/log_test.c
index a311a5e9..11314922 100644
--- a/bin/tests/log_test.c
+++ b/bin/tests/log_test.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: log_test.c,v 1.23.2.1 2004/03/09 06:09:32 marka Exp $ */
+/* $Id: log_test.c,v 1.23.206.1 2004/03/06 10:21:37 marka Exp $ */
 
 /* Principal Authors: DCL */
 
diff --git a/bin/tests/lwres_test.c b/bin/tests/lwres_test.c
index a055114c..6c6f7995 100644
--- a/bin/tests/lwres_test.c
+++ b/bin/tests/lwres_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwres_test.c,v 1.25.2.3 2005/03/17 03:59:31 marka Exp $ */
+/* $Id: lwres_test.c,v 1.25.12.3 2004/03/08 04:04:26 marka Exp $ */
 
 #include <config.h>
 
@@ -47,7 +47,7 @@ hexdump(const char *msg, void *base, size_t len) {
 	p = base;
 	cnt = 0;
 
-	printf("*** %s (%lu bytes @ %p)\n", msg, (unsigned long)len, base);
+	printf("*** %s (%u bytes @ %p)\n", msg, len, base);
 
 	while (cnt < len) {
 		if (cnt % 16 == 0)
@@ -172,11 +172,11 @@ test_gabn(const char *target) {
 	printf("Returned real name: (%u, %s)\n",
 	       res->realnamelen, res->realname);
 	printf("%u aliases:\n", res->naliases);
-	for (i = 0 ; i < res->naliases ; i++)
+	for (i = 0; i < res->naliases; i++)
 		printf("\t(%u, %s)\n", res->aliaslen[i], res->aliases[i]);
 	printf("%u addresses:\n", res->naddrs);
 	addr = LWRES_LIST_HEAD(res->addrs);
-	for (i = 0 ; i < res->naddrs ; i++) {
+	for (i = 0; i < res->naddrs; i++) {
 		INSIST(addr != NULL);
 
 		if (addr->family == LWRES_ADDRTYPE_V4)
@@ -220,7 +220,7 @@ test_gnba(const char *target, lwres_uint32_t af) {
 	printf("Returned real name: (%u, %s)\n",
 	       res->realnamelen, res->realname);
 	printf("%u aliases:\n", res->naliases);
-	for (i = 0 ; i < res->naliases ; i++)
+	for (i = 0; i < res->naliases; i++)
 		printf("\t(%u, %s)\n", res->aliaslen[i], res->aliases[i]);
 
 	lwres_gnbaresponse_free(ctx, &res);
diff --git a/bin/tests/lwresconf_test.c b/bin/tests/lwresconf_test.c
index a7e97908..e36d023a 100644
--- a/bin/tests/lwresconf_test.c
+++ b/bin/tests/lwresconf_test.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwresconf_test.c,v 1.10.2.1 2004/03/09 06:09:32 marka Exp $ */
+/* $Id: lwresconf_test.c,v 1.10.206.1 2004/03/06 10:21:38 marka Exp $ */
 
 #include <config.h>
 
diff --git a/bin/tests/master/Makefile.in b/bin/tests/master/Makefile.in
index ff78518e..79322267 100644
--- a/bin/tests/master/Makefile.in
+++ b/bin/tests/master/Makefile.in
@@ -1,5 +1,5 @@
 # Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1999-2001  Internet Software Consortium.
+# Copyright (C) 1999-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -13,13 +13,13 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.20.2.3 2004/07/20 07:00:13 marka Exp $
+# $Id: Makefile.in,v 1.20.12.6 2004/03/08 04:04:29 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
 top_srcdir =	@top_srcdir@
 
-@BIND9_INCLUDES@
+@BIND9_MAKE_INCLUDES@
 
 CINCLUDES =	${TEST_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES}
 
@@ -27,7 +27,7 @@ CDEFINES =
 CWARNINGS =
 
 # Note that we do not want to use libtool for libt_api
-DNSLIBS =	../../../lib/dns/libdns.@A@ @DNS_OPENSSL_LIBS@ @DNS_GSSAPI_LIBS@
+DNSLIBS =	../../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
 ISCLIBS =	../../../lib/isc/libisc.@A@
 
 DNSDEPLIBS =	../../../lib/dns/libdns.@A@
@@ -39,20 +39,20 @@ LIBS =		${DNSLIBS} ${ISCLIBS} @LIBS@
 
 TLIB =		../../../lib/tests/libt_api.@A@
 
-TARGETS =	t_master
+TARGETS =	t_master@EXEEXT@
 
 SRCS =		t_master.c
 
 @BIND9_MAKE_RULES@
 
-t_master: t_master.@O@ ${DEPLIBS} ${TLIB}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ t_master.@O@ ${TLIB} ${LIBS}
+t_master@EXEEXT@: t_master.@O@ ${DEPLIBS} ${TLIB}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} -o $@ t_master.@O@ ${TLIB} ${LIBS}
 
-test: t_master
-	-@ ./t_master -c @top_srcdir@/t_config -b @srcdir@ -a
+test: t_master@EXEEXT@
+	-@ ./t_master@EXEEXT@ -c @top_srcdir@/t_config -b @srcdir@ -a
 
 testhelp:
-	@ ./t_master -h
+	@ ./t_master@EXEEXT@ -h
 
 clean distclean::
 	rm -f ${TARGETS}
diff --git a/bin/tests/master/master6.data b/bin/tests/master/master6.data
index 7441c59c..a9a37bbf 100644
--- a/bin/tests/master/master6.data
+++ b/bin/tests/master/master6.data
@@ -7,7 +7,7 @@ $TTL 1000
 				604800		;expiration
 				3600 )		;minimum
 
-secure1	3600 IN	 KEY (
+secure1	3600 IN	 DNSKEY (
 		FLAG2|FLAG4|FLAG5|NTYP3|FLAG8|FLAG9|FLAG10|FLAG11|SIG15
 		3 3
 		ArT0a8FtOZWEONG2YQVl9+RA34op30JPz4NPEroCxm2yImT2
@@ -19,7 +19,7 @@ secure1	3600 IN	 KEY (
 		/7YMt8VUkA8/8UCszBBT7XAJ3OFjiMO8mvxrZZFzvwJlPBQ1
 		oFq/TNZlSe+N )
 
-secure2	3600 in	 key (
+secure2	3600 in	 DNSKEY (
 		flag2|flag4|flag5|ntyp3|flag8|flag9|flag10|flag11|sig15
 		3 3
 		ArT0a8FtOZWEONG2YQVl9+RA34op30JPz4NPEroCxm2yImT2
diff --git a/bin/tests/master/master7.data b/bin/tests/master/master7.data
index deb5824b..2638b5d7 100644
--- a/bin/tests/master/master7.data
+++ b/bin/tests/master/master7.data
@@ -7,11 +7,11 @@ $TTL 1000
 				604800		;expiration
 				3600 )		;minimum
 
-secure1	3600 IN	 KEY (
+secure1	3600 IN	 DNSKEY (
 		NOKEY|FLAG2|FLAG4|FLAG5|NTYP3|FLAG8|FLAG9|FLAG10|FLAG11|SIG15
 		3 3 )
 
-secure2	3600 in	 key (
+secure2	3600 in	 DNSKEY (
 		nokey|flag2|flag4|flag5|ntyp3|flag8|flag9|flag10|flag11|sig15
 		3 3 )
 
diff --git a/bin/tests/master/t_master.c b/bin/tests/master/t_master.c
index abbee481..4bf4adab 100644
--- a/bin/tests/master/t_master.c
+++ b/bin/tests/master/t_master.c
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: t_master.c,v 1.30.2.3 2006/01/04 23:50:17 marka Exp $ */
+/* $Id: t_master.c,v 1.30.206.3 2004/03/08 04:04:29 marka Exp $ */
 
 #include <config.h>
 
@@ -153,10 +153,8 @@ test_master_x(const char *filename) {
 			/*
 			 * Skip comment lines.
 			 */
-			if ((isspace(*p & 0xff)) || (*p == '#')) {
-				(void)free(p);
+			if ((isspace(*p & 0xff)) || (*p == '#'))
 				continue;
-			}
 
 			/*
 			 * Name of data file, origin, zclass, expected result.
@@ -239,7 +237,7 @@ t5() {
 }
 
 static const char *a6 =
-	"dns_master_loadfile understands KEY RR specifications "
+	"dns_master_loadfile understands DNSKEY RR specifications "
 	"containing key material";
 
 static void
@@ -253,7 +251,7 @@ t6() {
 }
 
 static const char *a7 =
-	"dns_master_loadfile understands KEY RR specifications "
+	"dns_master_loadfile understands DNSKEY RR specifications "
 	"containing no key material";
 
 static void
@@ -325,8 +323,8 @@ testspec_t	T_testlist[] = {
 	{	t3,	"DNS_NOOWNER"		},
 	{	t4,	"DNS_NOTTL"		},
 	{	t5,	"DNS_BADCLASS"		},
-	{	t6,	"KEY RR 1"		},
-	{	t7,	"KEY RR 2"		},
+	{	t6,	"DNSKEY RR 1"		},
+	{	t7,	"DNSKEY RR 2"		},
 	{	t8,	"$INCLUDE"		},
 	{	t9,	"$INCLUDE w/ DNS_BADCLASS"	},
 	{	t10,	"non empty blank lines"	},
diff --git a/bin/tests/master_test.c b/bin/tests/master_test.c
index b2b18ad0..be945cff 100644
--- a/bin/tests/master_test.c
+++ b/bin/tests/master_test.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: master_test.c,v 1.27.2.1 2004/03/09 06:09:32 marka Exp $ */
+/* $Id: master_test.c,v 1.27.206.1 2004/03/06 10:21:38 marka Exp $ */
 
 #include <config.h>
 
diff --git a/bin/tests/mem/Makefile.in b/bin/tests/mem/Makefile.in
index 80a647a9..47387fd3 100644
--- a/bin/tests/mem/Makefile.in
+++ b/bin/tests/mem/Makefile.in
@@ -1,5 +1,5 @@
 # Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2001  Internet Software Consortium.
+# Copyright (C) 1998-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -13,13 +13,13 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.25.2.3 2004/07/20 07:00:14 marka Exp $
+# $Id: Makefile.in,v 1.25.12.6 2004/03/08 09:04:16 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
 top_srcdir =	@top_srcdir@
 
-@BIND9_INCLUDES@
+@BIND9_MAKE_INCLUDES@
 
 CINCLUDES =	${TEST_INCLUDES} ${ISC_INCLUDES}
 
@@ -36,20 +36,20 @@ DEPLIBS =	${TAPIDEPLIBS} ${ISCDEPLIBS}
 
 LIBS =		${TAPILIBS} ${ISCLIBS} @LIBS@
 
-TARGETS =	t_mem
+TARGETS =	t_mem@EXEEXT@
 
 SRCS =		t_mem.c
 
 @BIND9_MAKE_RULES@
 
-t_mem: t_mem.@O@ ${DEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ t_mem.@O@ ${LIBS}
+t_mem@EXEEXT@: t_mem.@O@ ${DEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} -o $@ t_mem.@O@ ${LIBS}
 
-test: t_mem
-	-@./t_mem -b @srcdir@ -q 300 -a
+test: t_mem@EXEEXT@
+	-@./t_mem@EXEEXT@ -b @srcdir@ -q 300 -a
 
 testhelp:
-	@./t_mem -h
+	@./t_mem@EXEEXT@ -h
 
 clean distclean::
 	rm -f ${TARGETS}
diff --git a/bin/tests/mem/t_mem.c b/bin/tests/mem/t_mem.c
index dadfaa46..1fa69568 100644
--- a/bin/tests/mem/t_mem.c
+++ b/bin/tests/mem/t_mem.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: t_mem.c,v 1.9.2.1 2004/03/09 06:09:38 marka Exp $ */
+/* $Id: t_mem.c,v 1.9.12.3 2004/03/08 04:04:30 marka Exp $ */
 
 #include <config.h>
 
@@ -88,7 +88,7 @@ memtest(void) {
 	/*
 	 * Allocate MP1_MAXALLOC items from the pool.  This is our max.
 	 */
-	for (i = 0 ; i < MP1_MAXALLOC ; i++) {
+	for (i = 0; i < MP1_MAXALLOC; i++) {
 		items1[i] = isc_mempool_get(mp1);
 		if (items1[i] == NULL) {
 			t_info("isc_mempool_get unexpectedly failed\n");
@@ -110,7 +110,7 @@ memtest(void) {
 	 * the free list (which is our max).
 	 */
 
-	for (i = 0 ; i < 11 ; i++) {
+	for (i = 0; i < 11; i++) {
 		isc_mempool_put(mp1, items1[i]);
 		items1[i] = NULL;
 	}
@@ -143,15 +143,15 @@ memtest(void) {
 	isc_mempool_setfillcount(mp2, 25);
 
 	t_info("exercising the memory pool\n");
-	for (j = 0 ; j < 500000 ; j++) {
-		for (i = 0 ; i < 50 ; i++) {
+	for (j = 0; j < 500000; j++) {
+		for (i = 0; i < 50; i++) {
 			items2[i] = isc_mempool_get(mp2);
 			if (items2[i] == NULL) {
 				t_info("items2[%d] is unexpectedly null\n", i);
 				++nfails;
 			}
 		}
-		for (i = 0 ; i < 50 ; i++) {
+		for (i = 0; i < 50; i++) {
 			isc_mempool_put(mp2, items2[i]);
 			items2[i] = NULL;
 		}
@@ -162,7 +162,7 @@ memtest(void) {
 	/*
 	 * Free all the other items and blow away this pool.
 	 */
-	for (i = 11 ; i < MP1_MAXALLOC ; i++) {
+	for (i = 11; i < MP1_MAXALLOC; i++) {
 		isc_mempool_put(mp1, items1[i]);
 		items1[i] = NULL;
 	}
diff --git a/bin/tests/mempool_test.c b/bin/tests/mempool_test.c
index f1f87607..e40d155a 100644
--- a/bin/tests/mempool_test.c
+++ b/bin/tests/mempool_test.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mempool_test.c,v 1.12.2.1 2004/03/09 06:09:33 marka Exp $ */
+/* $Id: mempool_test.c,v 1.12.12.4 2004/03/08 04:04:26 marka Exp $ */
 
 #include <config.h>
 
@@ -36,7 +36,7 @@ main(int argc, char *argv[]) {
 	UNUSED(argc);
 	UNUSED(argv);
 
-	isc_mem_debugging = 2;
+	isc_mem_debugging = ISC_MEM_DEBUGRECORD;
 
 	RUNTIME_CHECK(isc_mutex_init(&lock) == ISC_R_SUCCESS);
 
@@ -61,7 +61,7 @@ main(int argc, char *argv[]) {
 	/*
 	 * Allocate 30 items from the pool.  This is our max.
 	 */
-	for (i = 0 ; i < 30 ; i++) {
+	for (i = 0; i < 30; i++) {
 		items1[i] = isc_mempool_get(mp1);
 		RUNTIME_CHECK(items1[i] != NULL);
 	}
@@ -77,7 +77,7 @@ main(int argc, char *argv[]) {
 	 * the free list (which is our max).
 	 */
 
-	for (i = 0 ; i < 11 ; i++) {
+	for (i = 0; i < 11; i++) {
 		isc_mempool_put(mp1, items1[i]);
 		items1[i] = NULL;
 	}
@@ -93,12 +93,12 @@ main(int argc, char *argv[]) {
 	 */
 	isc_mempool_setfreemax(mp2, 25);
 	isc_mempool_setfillcount(mp2, 25);
-	for (j = 0 ; j < 5000 ; j++) {
-		for (i = 0 ; i < 50 ; i++) {
+	for (j = 0; j < 5000; j++) {
+		for (i = 0; i < 50; i++) {
 			items2[i] = isc_mempool_get(mp2);
 			RUNTIME_CHECK(items2[i] != NULL);
 		}
-		for (i = 0 ; i < 50 ; i++) {
+		for (i = 0; i < 50; i++) {
 			isc_mempool_put(mp2, items2[i]);
 			items2[i] = NULL;
 		}
@@ -107,7 +107,7 @@ main(int argc, char *argv[]) {
 	/*
 	 * Free all the other items and blow away this pool.
 	 */
-	for (i = 11 ; i < 30 ; i++) {
+	for (i = 11; i < 30; i++) {
 		isc_mempool_put(mp1, items1[i]);
 		items1[i] = NULL;
 	}
diff --git a/bin/tests/name_test.c b/bin/tests/name_test.c
index 3390fb54..bd9bfa69 100644
--- a/bin/tests/name_test.c
+++ b/bin/tests/name_test.c
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: name_test.c,v 1.33.2.3 2005/03/17 03:59:31 marka Exp $ */
+/* $Id: name_test.c,v 1.33.12.4 2004/04/13 03:24:40 marka Exp $ */
 
 #include <config.h>
 
@@ -83,7 +83,7 @@ main(int argc, char *argv[]) {
 	isc_boolean_t test_downcase = ISC_FALSE;
 	isc_boolean_t inplace = ISC_FALSE;
 	isc_boolean_t want_split = ISC_FALSE;
-	unsigned int depth, split_depth = 0;
+	unsigned int labels, split_label = 0;
 	dns_fixedname_t fprefix, fsuffix;
 	dns_name_t *prefix, *suffix;
 	int ch;
@@ -107,7 +107,7 @@ main(int argc, char *argv[]) {
 			break;
 		case 's':
 			want_split = ISC_TRUE;
-			split_depth = atoi(isc_commandline_argument);
+			split_label = atoi(isc_commandline_argument);
 			break;
 		case 'w':
 			check_wildcard = ISC_TRUE;
@@ -166,16 +166,16 @@ main(int argc, char *argv[]) {
 	dns_fixedname_init(&wname);
 	name = dns_fixedname_name(&wname);
 	dns_fixedname_init(&wname2);
-	while (fgets(s, sizeof s, stdin) != NULL) {
+	while (fgets(s, sizeof(s), stdin) != NULL) {
 		len = strlen(s);
-		if (len > 0U && s[len - 1] == '\n') {
+		if (len > 0 && s[len - 1] == '\n') {
 			s[len - 1] = '\0';
 			len--;
 		}
 		isc_buffer_init(&source, s, len);
 		isc_buffer_add(&source, len);
 
-		if (len > 0U)
+		if (len > 0)
 			result = dns_name_fromtext(name, &source, origin,
 						   downcase, NULL);
 		else {
@@ -292,11 +292,11 @@ main(int argc, char *argv[]) {
 
 		if (comp != NULL && dns_name_countlabels(name) > 0) {
 			int order;
-			unsigned int nlabels, nbits;
+			unsigned int nlabels;
 			dns_namereln_t namereln;
 
 			namereln = dns_name_fullcompare(name, comp, &order,
-							&nlabels, &nbits);
+							&nlabels);
 			if (!quiet) {
 				if (order < 0)
 					printf("<");
@@ -319,32 +319,25 @@ main(int argc, char *argv[]) {
 				}
 				if (namereln != dns_namereln_none &&
 				    namereln != dns_namereln_equal)
-					printf(", nlabels = %u, nbits = %u",
-					       nlabels, nbits);
+					printf(", nlabels = %u", nlabels);
 				printf("\n");
 			}
 			printf("dns_name_equal() returns %s\n",
 			       dns_name_equal(name, comp) ? "TRUE" : "FALSE");
 		}
 
-		depth = dns_name_depth(name);
-		if (want_split && split_depth < depth) {
+		labels = dns_name_countlabels(name);
+		if (want_split && split_label < labels) {
 			dns_fixedname_init(&fprefix);
 			prefix = dns_fixedname_name(&fprefix);
 			dns_fixedname_init(&fsuffix);
 			suffix = dns_fixedname_name(&fsuffix);
-			printf("splitting at depth %u: ", split_depth);
-			result = dns_name_splitatdepth(name, split_depth,
-						       prefix, suffix);
-			if (result == ISC_R_SUCCESS) {
-				printf("\n    prefix = ");
-				print_name(prefix);
-				printf("    suffix = ");
-				print_name(suffix);
-			} else {
-				printf("failed: %s\n",
-				       isc_result_totext(result));
-			}
+			printf("splitting at label %u: ", split_label);
+			dns_name_split(name, split_label, prefix, suffix);
+			printf("\n    prefix = ");
+			print_name(prefix);
+			printf("    suffix = ");
+			print_name(suffix);
 		}
 
 		if (concatenate) {
diff --git a/bin/tests/named.conf b/bin/tests/named.conf
index 2219d6b5..6bebb184 100644
--- a/bin/tests/named.conf
+++ b/bin/tests/named.conf
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.55.2.1 2004/03/09 06:09:33 marka Exp $ */
+/* $Id: named.conf,v 1.55.206.1 2004/03/06 10:21:38 marka Exp $ */
 
 /*
  * This is a worthless, nonrunnable example of a named.conf file that has
diff --git a/bin/tests/names/Makefile.in b/bin/tests/names/Makefile.in
index f7b67bc6..0776d1b3 100644
--- a/bin/tests/names/Makefile.in
+++ b/bin/tests/names/Makefile.in
@@ -1,5 +1,5 @@
 # Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1999-2001  Internet Software Consortium.
+# Copyright (C) 1999-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -13,13 +13,13 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.20.2.3 2004/07/20 07:00:14 marka Exp $
+# $Id: Makefile.in,v 1.20.12.6 2004/03/08 04:04:30 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
 top_srcdir =	@top_srcdir@
 
-@BIND9_INCLUDES@
+@BIND9_MAKE_INCLUDES@
 
 CINCLUDES =	${TEST_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES}
 
@@ -27,7 +27,7 @@ CDEFINES =
 CWARNINGS =
 
 # Note that we do not want to use libtool for libt_api
-DNSLIBS =	../../../lib/dns/libdns.@A@ @DNS_OPENSSL_LIBS@ @DNS_GSSAPI_LIBS@
+DNSLIBS =	../../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
 ISCLIBS =	../../../lib/isc/libisc.@A@
 
 DNSDEPLIBS =	../../../lib/dns/libdns.@A@
@@ -39,20 +39,20 @@ LIBS =		${DNSLIBS} ${ISCLIBS} @LIBS@
 
 TLIB =		../../../lib/tests/libt_api.@A@
 
-TARGETS =	t_names
+TARGETS =	t_names@EXEEXT@
 
 SRCS =		t_names.c
 
 @BIND9_MAKE_RULES@
 
-t_names: t_names.@O@ ${DEPLIBS} ${TLIB}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ t_names.@O@ ${TLIB} ${LIBS}
+t_names@EXEEXT@: t_names.@O@ ${DEPLIBS} ${TLIB}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} -o $@ t_names.@O@ ${TLIB} ${LIBS}
 
-test: t_names
-	-@./t_names -c @top_srcdir@/t_config -b @srcdir@ -a
+test: t_names@EXEEXT@
+	-@./t_names@EXEEXT@ -c @top_srcdir@/t_config -b @srcdir@ -a
 
 testhelp:
-	@./t_names -h
+	@./t_names@EXEEXT@ -h
 
 clean distclean::
 	rm -f ${TARGETS}
diff --git a/bin/tests/names/dns_label_countbits_data b/bin/tests/names/dns_label_countbits_data
deleted file mode 100644
index 0888eff5..00000000
--- a/bin/tests/names/dns_label_countbits_data
+++ /dev/null
@@ -1,7 +0,0 @@
-#
-# format of file is <testname> <tab> <bitlabel_pos> <tab> <expected_bits>
-#
-\[x42/7]	0	7
-a.b.c.\[x42/7]	3	7
-\[o033/9]	0	9
-\[b01001/5]	0	5
diff --git a/bin/tests/names/dns_label_getbit_data b/bin/tests/names/dns_label_getbit_data
deleted file mode 100644
index 51240432..00000000
--- a/bin/tests/names/dns_label_getbit_data
+++ /dev/null
@@ -1,10 +0,0 @@
-#
-# format is:
-#	<testname> <tab> <labelpos> <tab> <bitpos> <tab> <expected value>
-#
-\[x42/7]	0	6	1
-a.b.c.\[x42/7]	3	5	0
-\[o033/9]	0	2	0
-\[o033/9]	0	3	0
-\[o033/9]	0	4	1
-\[b0101/4]	0	1	1
diff --git a/bin/tests/names/dns_name_countlabels_data b/bin/tests/names/dns_name_countlabels_data
index e5ce8dfd..f11c3873 100644
--- a/bin/tests/names/dns_name_countlabels_data
+++ b/bin/tests/names/dns_name_countlabels_data
@@ -8,6 +8,3 @@ c.d.	3
 a.b.c.d	4
 a.b.c	3
 .	1
-\[b1100110].b.\[xab].a	4
-\[b1100110].b.\[xab].a.	5
-\[b1100110].\[xa2].\[o031].a.	3
diff --git a/bin/tests/names/dns_name_fromregion_data b/bin/tests/names/dns_name_fromregion_data
index 64cf117c..32b42204 100644
--- a/bin/tests/names/dns_name_fromregion_data
+++ b/bin/tests/names/dns_name_fromregion_data
@@ -6,7 +6,6 @@
 #
 # and where: exp_nlabels and exp_nbits are not tested if < 0
 #
-#c.d.\[x31].abc.\[b110011]
 a.b.c.d.
 a.b.c.d.[A].[aaa.
 Ba\x\aa.b.c\[\[o\\.Z
diff --git a/bin/tests/names/dns_name_fromwire_8_data b/bin/tests/names/dns_name_fromwire_8_data
index 9ddd3f3d..744da071 100644
--- a/bin/tests/names/dns_name_fromwire_8_data
+++ b/bin/tests/names/dns_name_fromwire_8_data
@@ -1,5 +1,5 @@
 #
-# test data for dns_name_fromwire_9
+# test data for dns_name_fromwire_8
 # format:
 #	<msgfile> <testname_offset> <downcase>
 #	<dc_method> <exp_name> <exp_result>
@@ -27,4 +27,4 @@
 #		ISC_R_UNEXPECTEDEND
 #		DNS_R_TOOMANYHOPS
 #
-wire_test8.data	25	1	DNS_COMPRESS_ALL	vix.com.	ISC_R_NOSPACE
+wire_test8.data	383	1	DNS_COMPRESS_ALL	vix.com.	DNS_R_TOOMANYHOPS
diff --git a/bin/tests/names/dns_name_fromwire_9_data b/bin/tests/names/dns_name_fromwire_9_data
new file mode 100644
index 00000000..47c8a068
--- /dev/null
+++ b/bin/tests/names/dns_name_fromwire_9_data
@@ -0,0 +1,30 @@
+#
+# test data for dns_name_fromwire_9
+# format:
+#	<msgfile> <testname_offset> <downcase>
+#	<dc_method> <exp_name> <exp_result>
+#
+# where msgfile contains a DNS message in hex form
+#
+# and where testname_offset is the byte offset in this message of
+# the start of a name
+#
+# and where downcase is 1 or 0
+#
+# and where dc_method is one of
+#	DNS_COMPRESS_ALL
+#	DNS_COMPRESS_GLOBAL14
+#	DNS_COMPRESS_NONE
+#
+# and where exp_name is the expected name after any decompression
+# or case conversion
+#
+# and where exp_result may be one of
+#		ISC_R_NOSPACE
+#		DNS_R_BADLABELTYPE
+#		DNS_R_DISALLOWED
+#		DNS_R_BADPOINTER
+#		ISC_R_UNEXPECTEDEND
+#		DNS_R_TOOMANYHOPS
+#
+wire_test9.data	25	1	DNS_COMPRESS_ALL	vix.com.	ISC_R_NOSPACE
diff --git a/bin/tests/names/dns_name_hash_data b/bin/tests/names/dns_name_hash_data
index 879ec2d8..093ba45b 100644
--- a/bin/tests/names/dns_name_hash_data
+++ b/bin/tests/names/dns_name_hash_data
@@ -10,4 +10,3 @@
 #	case insensitive hash of testname2, otherwise cishm != 0
 #
 a.b.c.d	a.b.c.d.	0	0
-\[x42/7].A.	\[x42/7].a.	0	1
diff --git a/bin/tests/names/dns_name_isabsolute_data b/bin/tests/names/dns_name_isabsolute_data
index b387c7f3..a17c9b8a 100644
--- a/bin/tests/names/dns_name_isabsolute_data
+++ b/bin/tests/names/dns_name_isabsolute_data
@@ -3,6 +3,6 @@
 # format is:
 #	<testname> <tab> <expected value>
 #
-\[x42/7].	1
-a.b.c.\[x42/7]	0
-\[o033/9].z.	1
+x.	1
+a.b.c.d	0
+x.z.	1
diff --git a/bin/tests/names/dns_name_toregion_data b/bin/tests/names/dns_name_toregion_data
index 24d0d3ce..00c10f49 100644
--- a/bin/tests/names/dns_name_toregion_data
+++ b/bin/tests/names/dns_name_toregion_data
@@ -3,7 +3,6 @@
 # format:
 #	<test_name>
 #
-c.d.\[x31].abc.\[b110011]
 a.b.c.d.
 a.b.c.d.[A].[aaa.
 Ba\x\aa.b.c\[\[o\\.Z
diff --git a/bin/tests/names/t_names.c b/bin/tests/names/t_names.c
index d0ae0a9d..aae3d390 100644
--- a/bin/tests/names/t_names.c
+++ b/bin/tests/names/t_names.c
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2002  Internet Software Consortium.
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: t_names.c,v 1.32.2.6 2006/12/07 13:25:58 marka Exp $ */
+/* $Id: t_names.c,v 1.32.2.2.8.3 2004/03/08 21:06:23 marka Exp $ */
 
 #include <config.h>
 
@@ -36,10 +36,6 @@
 #define	BUFLEN		256
 #define	BIGBUFLEN	4096
 
-static const char *a1 =
-	"dns_label_countbits returns the number of "
-	"bits in a bitstring label";
-
 static char	*Tokens[MAXTOKS + 1];
 
 /*
@@ -356,171 +352,6 @@ dname_from_tname(char *name, dns_name_t *dns_name) {
 	return (result);
 }
 
-static int
-test_dns_label_countbits(char *test_name, int pos, int expected_bits) {
-	dns_label_t	label;
-	dns_name_t	dns_name;
-	int		bits;
-	int		rval;
-	isc_result_t	result;
-
-	rval = T_UNRESOLVED;
-	t_info("testing name %s, label %d\n", test_name, pos);
-
-	result = dname_from_tname(test_name, &dns_name);
-	if (result == ISC_R_SUCCESS) {
-		dns_name_getlabel(&dns_name, pos, &label);
-		bits = dns_label_countbits(&label);
-		if (bits == expected_bits)
-			rval = T_PASS;
-		else {
-			t_info("got %d, expected %d\n", bits, expected_bits);
-			rval = T_FAIL;
-		}
-	} else {
-		t_info("dname_from_tname %s failed, result = %s\n",
-				test_name, dns_result_totext(result));
-		rval = T_UNRESOLVED;
-	}
-	return (rval);
-}
-
-static void
-t_dns_label_countbits(void) {
-	FILE		*fp;
-	char		*p;
-	int		line;
-	int		cnt;
-	int		result;
-
-	result = T_UNRESOLVED;
-	t_assert("dns_label_countbits", 1, T_REQUIRED, a1);
-
-	fp = fopen("dns_label_countbits_data", "r");
-	if (fp != NULL) {
-		line = 0;
-		while ((p = t_fgetbs(fp)) != NULL) {
-
-			++line;
-
-			/*
-			 * Skip comment lines.
-			 */
-			if ((isspace((unsigned char)*p)) || (*p == '#')) {
-				(void)free(p);
-				continue;
-			}
-
-			/*
-			 * testname, labelpos, bitpos, expected val.
-			 */
-			cnt = bustline(p, Tokens);
-			if (cnt == 3) {
-				result = test_dns_label_countbits(Tokens[0],
-							      atoi(Tokens[1]),
-							      atoi(Tokens[2]));
-			} else {
-				t_info("bad datafile format at line %d\n",
-				       line);
-			}
-
-			(void)free(p);
-			t_result(result);
-		}
-		(void)fclose(fp);
-	} else {
-		t_info("Missing datafile dns_label_countbits_data\n");
-		t_result(result);
-	}
-}
-
-static const char *a2 =	"dns_label_getbit returns the n'th most significant "
-			"bit of a bitstring label";
-
-static int
-test_dns_label_getbit(char *test_name, int label_pos, int bit_pos,
-		      int expected_bitval)
-{
-	dns_label_t	label;
-	dns_name_t	dns_name;
-	int		bitval;
-	int		rval;
-	isc_result_t	result;
-
-	rval = T_UNRESOLVED;
-
-	t_info("testing name %s, label %d, bit %d\n",
-		test_name, label_pos, bit_pos);
-
-	result = dname_from_tname(test_name, &dns_name);
-	if (result == ISC_R_SUCCESS) {
-		dns_name_getlabel(&dns_name, label_pos, &label);
-		bitval = dns_label_getbit(&label, bit_pos);
-		if (bitval == expected_bitval)
-			rval = T_PASS;
-		else {
-			t_info("got %d, expected %d\n", bitval,
-					expected_bitval);
-			rval = T_FAIL;
-		}
-	} else {
-		t_info("dname_from_tname %s failed, result = %s\n",
-				test_name, dns_result_totext(result));
-		rval = T_UNRESOLVED;
-	}
-	return (rval);
-}
-
-static void
-t_dns_label_getbit(void) {
-	int	line;
-	int	cnt;
-	int	result;
-	char	*p;
-	FILE	*fp;
-
-	t_assert("dns_label_getbit", 1, T_REQUIRED, a2);
-
-	result = T_UNRESOLVED;
-	fp = fopen("dns_label_getbit_data", "r");
-	if (fp != NULL) {
-		line = 0;
-		while ((p = t_fgetbs(fp)) != NULL) {
-
-			++line;
-
-			/*
-			 * Skip comment lines.
-			 */
-			if ((isspace((unsigned char)*p)) || (*p == '#')) {
-				(void)free(p);
-				continue;
-			}
-
-			cnt = bustline(p, Tokens);
-			if (cnt == 4) {
-				/*
-				 * label, bitpos, expected value.
-				 */
-				result = test_dns_label_getbit(Tokens[0],
-							      atoi(Tokens[1]),
-							      atoi(Tokens[2]),
-							      atoi(Tokens[3]));
-			} else {
-				t_info("bad datafile format at line %d\n",
-						line);
-			}
-
-			(void)free(p);
-			t_result(result);
-		}
-		(void)fclose(fp);
-	} else {
-		t_info("Missing datafile dns_label_getbit_data\n");
-		t_result(result);
-	}
-}
-
 static const char *a3 =	"dns_name_init initializes 'name' to the empty name";
 
 static void
@@ -735,10 +566,8 @@ t_dns_name_isabsolute(void) {
 			/*
 			 * Skip comment lines.
 			 */
-			if ((isspace((unsigned char)*p)) || (*p == '#')) {
-				(void)free(p);
+			if ((isspace((unsigned char)*p)) || (*p == '#'))
 				continue;
-			}
 
 			cnt = bustline(p, Tokens);
 			if (cnt == 2) {
@@ -848,10 +677,8 @@ t_dns_name_hash(void) {
 			/*
 			 * Skip comment lines.
 			 */
-			if ((isspace((unsigned char)*p)) || (*p == '#')) {
-				(void)free(p);
+			if ((isspace((unsigned char)*p)) || (*p == '#'))
 				continue;
-			}
 
 			cnt = bustline(p, Tokens);
 			if (cnt == 4) {
@@ -883,7 +710,7 @@ t_dns_name_hash(void) {
 }
 
 static const char *a10 =
-		"dns_name_fullcompare(name1, name2, orderp, nlabelsp, nbitsp) "
+		"dns_name_fullcompare(name1, name2, orderp, nlabelsp) "
 		"returns the DNSSEC ordering relationship between name1 and "
 		"name2, sets orderp to -1 if name1 < name2, to 0 if "
 		"name1 == name2, or to 1 if name1 > name2, sets nlabelsp "
@@ -917,13 +744,12 @@ dns_namereln_to_text(dns_namereln_t reln) {
 static int
 test_dns_name_fullcompare(char *name1, char *name2,
 			  dns_namereln_t exp_dns_reln,
-			  int exp_order, int exp_nlabels, int exp_nbits)
+			  int exp_order, int exp_nlabels)
 {
 	int		result;
 	int		nfails;
 	int		order;
 	unsigned int	nlabels;
-	unsigned int	nbits;
 	dns_name_t	dns_name1;
 	dns_name_t	dns_name2;
 	isc_result_t	dns_result;
@@ -941,7 +767,7 @@ test_dns_name_fullcompare(char *name1, char *name2,
 		dns_result = dname_from_tname(name2, &dns_name2);
 		if (dns_result == ISC_R_SUCCESS) {
 			dns_reln = dns_name_fullcompare(&dns_name1, &dns_name2,
-					&order, &nlabels, &nbits);
+					&order, &nlabels);
 
 			if (dns_reln != exp_dns_reln) {
 				++nfails;
@@ -967,12 +793,6 @@ test_dns_name_fullcompare(char *name1, char *name2,
 				t_info("expecting %d labels, got %d\n",
 				       exp_nlabels, nlabels);
 			}
-			if ((exp_nbits >= 0) &&
-			    (nbits != (unsigned int)exp_nbits)) {
-				++nfails;
-				t_info("expecting %d bits, got %d\n",
-				       exp_nbits, nbits);
-			}
 			if (nfails == 0)
 				result = T_PASS;
 			else
@@ -1011,16 +831,14 @@ t_dns_name_fullcompare(void) {
 			/*
 			 * Skip comment lines.
 			 */
-			if ((isspace((unsigned char)*p)) || (*p == '#')) {
-				(void)free(p);
+			if ((isspace((unsigned char)*p)) || (*p == '#'))
 				continue;
-			}
 
 			cnt = bustline(p, Tokens);
 			if (cnt == 6) {
 				/*
 				 * name1, name2, exp_reln, exp_order,
-				 * exp_nlabels, exp_nbits
+				 * exp_nlabels
 				 */
 				if (!strcmp(Tokens[2], "none"))
 					reln = dns_namereln_none;
@@ -1042,8 +860,7 @@ t_dns_name_fullcompare(void) {
 						Tokens[1],
 						reln,
 						atoi(Tokens[3]),
-						atoi(Tokens[4]),
-						atoi(Tokens[5]));
+						atoi(Tokens[4]));
 			} else {
 				t_info("bad format at line %d\n", line);
 			}
@@ -1132,10 +949,8 @@ t_dns_name_compare(void) {
 			/*
 			 * Skip comment lines.
 			 */
-			if ((isspace((unsigned char)*p)) || (*p == '#')) {
-				(void)free(p);
+			if ((isspace((unsigned char)*p)) || (*p == '#'))
 				continue;
-			}
 
 			cnt = bustline(p, Tokens);
 			if (cnt == 3) {
@@ -1234,10 +1049,8 @@ t_dns_name_rdatacompare(void) {
 			/*
 			 * Skip comment lines.
 			 */
-			if ((isspace((unsigned char)*p)) || (*p == '#')) {
-				(void)free(p);
+			if ((isspace((unsigned char)*p)) || (*p == '#'))
 				continue;
-			}
 
 			cnt = bustline(p, Tokens);
 			if (cnt == 3) {
@@ -1332,10 +1145,8 @@ t_dns_name_issubdomain(void) {
 			/*
 			 * Skip comment lines.
 			 */
-			if ((isspace((unsigned char)*p)) || (*p == '#')) {
-				(void)free(p);
+			if ((isspace((unsigned char)*p)) || (*p == '#'))
 				continue;
-			}
 
 			cnt = bustline(p, Tokens);
 			if (cnt == 3) {
@@ -1415,10 +1226,8 @@ t_dns_name_countlabels(void) {
 			/*
 			 * Skip comment lines.
 			 */
-			if ((isspace((unsigned char)*p)) || (*p == '#')) {
-				(void)free(p);
+			if ((isspace((unsigned char)*p)) || (*p == '#'))
 				continue;
-			}
 
 			cnt = bustline(p, Tokens);
 			if (cnt == 2) {
@@ -1527,10 +1336,8 @@ t_dns_name_getlabel(void) {
 			/*
 			 * Skip comment lines.
 			 */
-			if ((isspace((unsigned char)*p)) || (*p == '#')) {
-				(void)free(p);
+			if ((isspace((unsigned char)*p)) || (*p == '#'))
 				continue;
-			}
 
 			cnt = bustline(p, Tokens);
 			if (cnt == 4) {
@@ -1657,10 +1464,8 @@ t_dns_name_getlabelsequence(void) {
 			/*
 			 * Skip comment lines.
 			 */
-			if ((isspace((unsigned char)*p)) || (*p == '#')) {
-				(void)free(p);
+			if ((isspace((unsigned char)*p)) || (*p == '#'))
 				continue;
-			}
 
 			cnt = bustline(p, Tokens);
 			if (cnt == 5) {
@@ -1696,7 +1501,6 @@ test_dns_name_fromregion(char *test_name) {
 	int		result;
 	int		order;
 	unsigned int	nlabels;
-	unsigned int	nbits;
 	isc_result_t	dns_result;
 	dns_name_t	dns_name1;
 	dns_name_t	dns_name2;
@@ -1715,7 +1519,7 @@ test_dns_name_fromregion(char *test_name) {
 		dns_name_init(&dns_name2, NULL);
 		dns_name_fromregion(&dns_name2, &region);
 		dns_namereln = dns_name_fullcompare(&dns_name1, &dns_name2,
-						    &order, &nlabels, &nbits);
+						    &order, &nlabels);
 		if (dns_namereln == dns_namereln_equal)
 			result = T_PASS;
 		else
@@ -1748,10 +1552,8 @@ t_dns_name_fromregion(void) {
 			/*
 			 * Skip comment lines.
 			 */
-			if ((isspace((unsigned char)*p)) || (*p == '#')) {
-				(void)free(p);
+			if ((isspace((unsigned char)*p)) || (*p == '#'))
 				continue;
-			}
 
 			cnt = bustline(p, Tokens);
 			if (cnt == 1) {
@@ -1798,10 +1600,8 @@ t_dns_name_toregion(void) {
 			/*
 			 * Skip comment lines.
 			 */
-			if ((isspace((unsigned char)*p)) || (*p == '#')) {
-				(void)free(p);
+			if ((isspace((unsigned char)*p)) || (*p == '#'))
 				continue;
-			}
 
 			cnt = bustline(p, Tokens);
 			if (cnt == 1) {
@@ -1838,7 +1638,6 @@ test_dns_name_fromtext(char *test_name1, char *test_name2, char *test_origin,
 	int		result;
 	int		order;
 	unsigned int	nlabels;
-	unsigned int	nbits;
 	unsigned char	junk1[BUFLEN];
 	unsigned char	junk2[BUFLEN];
 	unsigned char	junk3[BUFLEN];
@@ -1902,7 +1701,7 @@ test_dns_name_fromtext(char *test_name1, char *test_name2, char *test_origin,
 	}
 
 	dns_namereln = dns_name_fullcompare(&dns_name1, &dns_name2, &order,
-					    &nlabels, &nbits);
+					    &nlabels);
 
 	if (dns_namereln == dns_namereln_equal)
 		result = T_PASS;
@@ -1936,10 +1735,8 @@ t_dns_name_fromtext(void) {
 			/*
 			 * Skip comment lines.
 			 */
-			if ((isspace((unsigned char)*p)) || (*p == '#')) {
-				(void)free(p);
+			if ((isspace((unsigned char)*p)) || (*p == '#'))
 				continue;
-			}
 
 			cnt = bustline(p, Tokens);
 			if (cnt == 4) {
@@ -1980,7 +1777,6 @@ test_dns_name_totext(char *test_name, isc_boolean_t omit_final) {
 	int		len;
 	int		order;
 	unsigned int	nlabels;
-	unsigned int	nbits;
 	unsigned char	junk1[BUFLEN];
 	unsigned char	junk2[BUFLEN];
 	unsigned char	junk3[BUFLEN];
@@ -2040,7 +1836,7 @@ test_dns_name_totext(char *test_name, isc_boolean_t omit_final) {
 	}
 
 	dns_namereln = dns_name_fullcompare(&dns_name1, &dns_name2,
-					    &order, &nlabels, &nbits);
+					    &order, &nlabels);
 	if (dns_namereln == dns_namereln_equal)
 		result = T_PASS;
 	else {
@@ -2073,10 +1869,8 @@ t_dns_name_totext(void) {
 			/*
 			 * Skip comment lines.
 			 */
-			if ((isspace((unsigned char)*p)) || (*p == '#')) {
-				(void)free(p);
+			if ((isspace((unsigned char)*p)) || (*p == '#'))
 				continue;
-			}
 
 			cnt = bustline(p, Tokens);
 			if (cnt == 2) {
@@ -2139,6 +1933,10 @@ static const char *a48 =
 		"returns ISC_R_UNEXPECTEDEND";
 
 static const char *a49 =
+		"when there are too many compression pointers, "
+		"dns_name_fromwire() returns DNS_R_TOOMANYHOPS";
+
+static const char *a50 =
 		"when there is not enough space in target, "
 		"dns_name_fromwire(name, source, dcts, downcase, target) "
 		"returns ISC_R_NOSPACE";
@@ -2151,7 +1949,6 @@ test_dns_name_fromwire(char *datafile_name, int testname_offset, int downcase,
 	int			result;
 	int			order;
 	unsigned int		nlabels;
-	unsigned int		nbits;
 	int			len;
 	unsigned char		buf1[BIGBUFLEN];
 	char			buf2[BUFLEN];
@@ -2185,8 +1982,7 @@ test_dns_name_fromwire(char *datafile_name, int testname_offset, int downcase,
 		if (dns_result == ISC_R_SUCCESS) {
 			dns_namereln = dns_name_fullcompare(&dns_name1,
 							    &dns_name2,
-							    &order, &nlabels,
-							    &nbits);
+							    &order, &nlabels);
 			if (dns_namereln != dns_namereln_equal) {
 				t_info("dns_name_fullcompare  returned %s\n",
 				       dns_namereln_to_text(dns_namereln));
@@ -2232,10 +2028,8 @@ t_dns_name_fromwire_x(const char *testfile, size_t buflen) {
 			/*
 			 * Skip comment lines.
 			 */
-			if ((isspace((unsigned char)*p)) || (*p == '#')) {
-				(void)free(p);
+			if ((isspace((unsigned char)*p)) || (*p == '#'))
 				continue;
-			}
 
 			cnt = bustline(p, Tokens);
 			if (cnt == 6) {
@@ -2323,8 +2117,11 @@ t_dns_name_fromwire(void) {
 	t_assert("dns_name_fromwire", 7, T_REQUIRED, a48);
 	t_dns_name_fromwire_x("dns_name_fromwire_7_data", BUFLEN);
 
-	t_assert("dns_name_fromwire", 9, T_REQUIRED, a49);
-	t_dns_name_fromwire_x("dns_name_fromwire_8_data", 2);
+	t_assert("dns_name_fromwire", 8, T_REQUIRED, a49);
+	t_dns_name_fromwire_x("dns_name_fromwire_8_data", BUFLEN);
+
+	t_assert("dns_name_fromwire", 9, T_REQUIRED, a50);
+	t_dns_name_fromwire_x("dns_name_fromwire_9_data", 2);
 }
 
 
@@ -2424,10 +2221,8 @@ t_dns_name_towire_x(const char *testfile, size_t buflen) {
 			/*
 			 * Skip comment lines.
 			 */
-			if ((isspace((unsigned char)*p)) || (*p == '#')) {
-				(void)free(p);
+			if ((isspace((unsigned char)*p)) || (*p == '#'))
 				continue;
-			}
 
 			cnt = bustline(p, Tokens);
 			if (cnt == 5) {
@@ -2495,8 +2290,6 @@ t_dns_name_concatenate(void) {
 #endif
 
 testspec_t T_testlist[] = {
-	{	t_dns_label_countbits,		"dns_label_countbits"	},
-	{	t_dns_label_getbit,		"dns_label_getbit"	},
 	{	t_dns_name_init,		"dns_name_init"		},
 	{	t_dns_name_invalidate,		"dns_name_invalidate"	},
 	{	t_dns_name_setbuffer,		"dns_name_setbuffer"	},
diff --git a/bin/tests/names/wire_test9.data b/bin/tests/names/wire_test9.data
new file mode 100644
index 00000000..505134ac
--- /dev/null
+++ b/bin/tests/names/wire_test9.data
@@ -0,0 +1,13 @@
+#
+# a global14 compression pointer
+#
+000a85800001000300000003
+0376697803636f6d0000020001c00c00
+02000100000e10000b05697372763102
+7061c00cc00c0002000100000e100009
+066e732d657874c00cc00c0002000100
+000e10000e036e733104676e61630363
+6f6d00c0250001000100000e100004cc
+98b886c03c0001000100000e100004cc
+98b840c051000100010002a14a0004c6
+97f8f6
diff --git a/bin/tests/ndc.conf b/bin/tests/ndc.conf
index 4abb7bac..f424721e 100644
--- a/bin/tests/ndc.conf
+++ b/bin/tests/ndc.conf
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ndc.conf,v 1.8.2.1 2004/03/09 06:09:33 marka Exp $ */
+/* $Id: ndc.conf,v 1.8.206.1 2004/03/06 10:21:38 marka Exp $ */
 
 options {
 	default-server  "velo.jab.fr" ;
diff --git a/bin/tests/ndc.conf-include b/bin/tests/ndc.conf-include
index 6551b51e..84e061e7 100644
--- a/bin/tests/ndc.conf-include
+++ b/bin/tests/ndc.conf-include
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ndc.conf-include,v 1.3.2.1 2004/03/09 06:09:33 marka Exp $ */
+/* $Id: ndc.conf-include,v 1.3.206.1 2004/03/06 10:21:39 marka Exp $ */
 
 key "another-key" {
         algorithm "al-gore-rhythm";
diff --git a/bin/tests/net/Makefile.in b/bin/tests/net/Makefile.in
index bff2a92b..a4308449 100644
--- a/bin/tests/net/Makefile.in
+++ b/bin/tests/net/Makefile.in
@@ -1,5 +1,5 @@
 # Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2000, 2001  Internet Software Consortium.
+# Copyright (C) 2000-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -13,13 +13,13 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.9.2.3 2004/07/20 07:00:14 marka Exp $
+# $Id: Makefile.in,v 1.9.12.5 2004/03/08 04:04:30 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
 top_srcdir =	@top_srcdir@
 
-@BIND9_INCLUDES@
+@BIND9_MAKE_INCLUDES@
 
 CINCLUDES =	${TEST_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES}
 
@@ -34,7 +34,7 @@ DEPLIBS =	${ISCDEPLIBS}
 
 LIBS =		${ISCLIBS} @LIBS@
 
-TARGETS =	t_net
+TARGETS =	t_net@EXEEXT@
 
 SRCS =		driver.c netaddr_multicast.c sockaddr_multicast.c
 
@@ -42,11 +42,11 @@ OBJS =		driver.@O@ netaddr_multicast.@O@ sockaddr_multicast.@O@
 
 @BIND9_MAKE_RULES@
 
-t_net: ${OBJS} ${DEPLIBS} ${TLIB}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ ${OBJS} ${TLIB} ${LIBS}
+t_net@EXEEXT@: ${OBJS} ${DEPLIBS} ${TLIB}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} -o $@ ${OBJS} ${TLIB} ${LIBS}
 
-test: t_net
-	-@./t_net
+test: t_net@EXEEXT@
+	-@./t_net@EXEEXT@
 
 clean distclean::
 	rm -f ${TARGETS}
diff --git a/bin/tests/net/driver.c b/bin/tests/net/driver.c
index 096d8add..7658f98c 100644
--- a/bin/tests/net/driver.c
+++ b/bin/tests/net/driver.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: driver.c,v 1.7.2.1 2004/03/09 06:09:39 marka Exp $ */
+/* $Id: driver.c,v 1.7.12.3 2004/03/08 04:04:31 marka Exp $ */
 
 #include <config.h>
 
@@ -87,7 +87,7 @@ main(int argc, char **argv) {
 	printf("S:%s:%s\n", SUITENAME, gettime());
 
 	n_failed = 0;
-	for (testno = 0 ; testno < NTESTS ; testno++) {
+	for (testno = 0; testno < NTESTS; testno++) {
 		test = &tests[testno];
 		printf("T:%s:%u:A\n", test->tag, testno + 1);
 		printf("A:%s\n", test->description);
diff --git a/bin/tests/net/driver.h b/bin/tests/net/driver.h
index b2d34f21..463b9630 100644
--- a/bin/tests/net/driver.h
+++ b/bin/tests/net/driver.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: driver.h,v 1.5.2.1 2004/03/09 06:09:39 marka Exp $ */
+/* $Id: driver.h,v 1.5.206.1 2004/03/06 10:21:45 marka Exp $ */
 
 /*
  * PASSED and FAILED mean the particular test passed or failed.
diff --git a/bin/tests/net/netaddr_multicast.c b/bin/tests/net/netaddr_multicast.c
index 51503ef8..47d5bd99 100644
--- a/bin/tests/net/netaddr_multicast.c
+++ b/bin/tests/net/netaddr_multicast.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: netaddr_multicast.c,v 1.8.2.1 2004/03/09 06:09:39 marka Exp $ */
+/* $Id: netaddr_multicast.c,v 1.8.12.3 2004/03/08 04:04:31 marka Exp $ */
 
 #include <config.h>
 
@@ -86,7 +86,7 @@ netaddr_multicast(void) {
 	isc_boolean_t tf;
 
 	n_fail = 0;
-	for (i = 0 ; i < NADDRS ; i++) {
+	for (i = 0; i < NADDRS; i++) {
 		addr = &addrs[i];
 		result = to_netaddr(addr, &na);
 		if (result != ISC_R_SUCCESS) {
diff --git a/bin/tests/net/sockaddr_multicast.c b/bin/tests/net/sockaddr_multicast.c
index 69921434..52d21cd4 100644
--- a/bin/tests/net/sockaddr_multicast.c
+++ b/bin/tests/net/sockaddr_multicast.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sockaddr_multicast.c,v 1.5.2.1 2004/03/09 06:09:39 marka Exp $ */
+/* $Id: sockaddr_multicast.c,v 1.5.206.1 2004/03/06 10:21:45 marka Exp $ */
 
 #include <config.h>
 
diff --git a/bin/tests/net/testsuite.h b/bin/tests/net/testsuite.h
index 54f9ed8d..c93a36e1 100644
--- a/bin/tests/net/testsuite.h
+++ b/bin/tests/net/testsuite.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: testsuite.h,v 1.4.2.1 2004/03/09 06:09:39 marka Exp $ */
+/* $Id: testsuite.h,v 1.4.206.1 2004/03/06 10:21:45 marka Exp $ */
 
 #define SUITENAME "net"
 
diff --git a/bin/tests/nxtify.c b/bin/tests/nsecify.c
index 5b0eb1ec..b172f968 100644
--- a/bin/tests/nxtify.c
+++ b/bin/tests/nsecify.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nxtify.c,v 1.19.2.1 2004/03/09 06:09:33 marka Exp $ */
+/* $Id: nsecify.c,v 1.3.2.1 2004/03/08 02:07:41 marka Exp $ */
 
 #include <config.h>
 
@@ -27,7 +27,7 @@
 #include <dns/db.h>
 #include <dns/dbiterator.h>
 #include <dns/fixedname.h>
-#include <dns/nxt.h>
+#include <dns/nsec.h>
 #include <dns/rdataset.h>
 #include <dns/rdatasetiter.h>
 #include <dns/result.h>
@@ -63,7 +63,7 @@ active_node(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node) {
 	result = dns_rdatasetiter_first(rdsiter);
 	while (result == ISC_R_SUCCESS) {
 		dns_rdatasetiter_current(rdsiter, &rdataset);
-		if (rdataset.type != dns_rdatatype_nxt)
+		if (rdataset.type != dns_rdatatype_nsec)
 			active = ISC_TRUE;
 		dns_rdataset_disassociate(&rdataset);
 		if (!active)
@@ -77,10 +77,10 @@ active_node(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node) {
 
 	if (!active) {
 		/*
-		 * Make sure there is no NXT record for this node.
+		 * Make sure there is no NSEC record for this node.
 		 */
 		result = dns_db_deleterdataset(db, node, version,
-					       dns_rdatatype_nxt, 0);
+					       dns_rdatatype_nsec, 0);
 		if (result == DNS_R_UNCHANGED)
 			result = ISC_R_SUCCESS;
 		check_result(result, "dns_db_deleterdataset");
@@ -112,7 +112,7 @@ next_active(dns_db_t *db, dns_dbversion_t *version, dns_dbiterator_t *dbiter,
 }
 
 static void
-nxtify(char *filename) {
+nsecify(char *filename) {
 	isc_result_t result;
 	dns_db_t *db;
 	dns_dbversion_t *wversion;
@@ -172,7 +172,7 @@ nxtify(char *filename) {
 			target = NULL;	/* Make compiler happy. */
 			fatal("db iteration failed");
 		}
-		dns_nxt_build(db, wversion, node, target, 3600); /* XXX BEW */
+		dns_nsec_build(db, wversion, node, target, 3600); /* XXX BEW */
 		dns_db_detachnode(db, &node);
 		node = nextnode;
 	}
@@ -184,7 +184,7 @@ nxtify(char *filename) {
 	 */
 	dns_db_closeversion(db, &wversion, ISC_TRUE);
 	len = strlen(filename);
-	if (len + 4 + 1 > sizeof newfilename)
+	if (len + 4 + 1 > sizeof(newfilename))
 		fatal("filename too long");
 	sprintf(newfilename, "%s.new", filename);
 	result = dns_db_dump(db, NULL, newfilename);
@@ -206,7 +206,7 @@ main(int argc, char *argv[]) {
 	argv++;
 
 	for (i = 0; i < argc; i++)
-		nxtify(argv[i]);
+		nsecify(argv[i]);
 
 	/* isc_mem_stats(mctx, stdout); */
 	isc_mem_destroy(&mctx);
diff --git a/bin/tests/printmsg.c b/bin/tests/printmsg.c
index 0de44426..0b087818 100644
--- a/bin/tests/printmsg.c
+++ b/bin/tests/printmsg.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2002  Internet Software Consortium.
+ * Copyright (C) 1998-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: printmsg.c,v 1.25.2.3 2004/03/09 06:09:33 marka Exp $ */
+/* $Id: printmsg.c,v 1.25.2.2.8.2 2004/03/08 04:04:26 marka Exp $ */
 
 #include <config.h>
 
diff --git a/bin/tests/printmsg.h b/bin/tests/printmsg.h
index fc319f46..0f96ce07 100644
--- a/bin/tests/printmsg.h
+++ b/bin/tests/printmsg.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: printmsg.h,v 1.9.2.1 2004/03/09 06:09:34 marka Exp $ */
+/* $Id: printmsg.h,v 1.9.206.1 2004/03/06 10:21:39 marka Exp $ */
 
 #ifndef TEST_PRINTMSG_H
 #define TEST_PRINTMSG_H
diff --git a/bin/tests/ratelimiter_test.c b/bin/tests/ratelimiter_test.c
index b4d73b62..a2e93475 100644
--- a/bin/tests/ratelimiter_test.c
+++ b/bin/tests/ratelimiter_test.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ratelimiter_test.c,v 1.15.2.1 2004/03/09 06:09:34 marka Exp $ */
+/* $Id: ratelimiter_test.c,v 1.15.206.1 2004/03/06 10:21:39 marka Exp $ */
 
 #include <config.h>
 
diff --git a/bin/tests/rbt/Makefile.in b/bin/tests/rbt/Makefile.in
index 07f946bd..0325a8ae 100644
--- a/bin/tests/rbt/Makefile.in
+++ b/bin/tests/rbt/Makefile.in
@@ -1,5 +1,5 @@
 # Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1999-2001  Internet Software Consortium.
+# Copyright (C) 1999-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -13,13 +13,13 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.20.2.3 2004/07/20 07:00:15 marka Exp $
+# $Id: Makefile.in,v 1.20.12.6 2004/03/08 04:04:31 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
 top_srcdir =	@top_srcdir@
 
-@BIND9_INCLUDES@
+@BIND9_MAKE_INCLUDES@
 
 CINCLUDES =	${TEST_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES}
 
@@ -27,7 +27,7 @@ CDEFINES =
 CWARNINGS =
 
 # Note that we do not want to use libtool for libt_api
-DNSLIBS =	../../../lib/dns/libdns.@A@ @DNS_OPENSSL_LIBS@ @DNS_GSSAPI_LIBS@
+DNSLIBS =	../../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
 ISCLIBS =	../../../lib/isc/libisc.@A@
 
 DNSDEPLIBS =	../../../lib/dns/libdns.@A@
@@ -39,20 +39,20 @@ LIBS =		${DNSLIBS} ${ISCLIBS} @LIBS@
 
 TLIB =		../../../lib/tests/libt_api.@A@
 
-TARGETS =	t_rbt
+TARGETS =	t_rbt@EXEEXT@
 
 SRCS =		t_rbt.c
 
 @BIND9_MAKE_RULES@
 
-t_rbt: t_rbt.@O@ ${DEPLIBS} ${TLIB}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ t_rbt.@O@ ${TLIB} ${LIBS}
+t_rbt@EXEEXT@: t_rbt.@O@ ${DEPLIBS} ${TLIB}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} -o $@ t_rbt.@O@ ${TLIB} ${LIBS}
 
-test: t_rbt
-	-@./t_rbt -c @top_srcdir@/t_config -b @srcdir@ -a
+test: t_rbt@EXEEXT@
+	-@./t_rbt@EXEEXT@ -c @top_srcdir@/t_config -b @srcdir@ -a
 
 testhelp:
-	@./t_rbt -h
+	@./t_rbt@EXEEXT@ -h
 
 clean distclean::
 	rm -f ${TARGETS}
diff --git a/bin/tests/rbt/dns_rbt_addname_1_data b/bin/tests/rbt/dns_rbt_addname_1_data
index b7475ed6..89dca408 100644
--- a/bin/tests/rbt/dns_rbt_addname_1_data
+++ b/bin/tests/rbt/dns_rbt_addname_1_data
@@ -4,6 +4,3 @@
 # format is: <dbfile> <command> <testname> <exp_result>
 #
 dns_rbt.data	add	new.name	ISC_R_SUCCESS
-dns_rbt.data	add	\[x42/7].name	ISC_R_SUCCESS
-dns_rbt.data	add	\[b11011].name	ISC_R_SUCCESS
-dns_rbt.data	add	\[o033/9].name	ISC_R_SUCCESS
diff --git a/bin/tests/rbt/dns_rbt_bitstring.data b/bin/tests/rbt/dns_rbt_bitstring.data
index 34afb7b9..2b34cc63 100644
--- a/bin/tests/rbt/dns_rbt_bitstring.data
+++ b/bin/tests/rbt/dns_rbt_bitstring.data
@@ -1,12 +1,6 @@
 a.vix.com
 b.vix.com
 c.vix.com
-\[x42/7].vix.com
-a.\[x42/7].com
-a.vix.\[x42/7]
-\[b011011].vix.com
-a.\[b011011].com
-a.vix.\[b011011].com
 a.a.vix.com
 a.a.a.vix.com
 a.a.a.a.vix.com
diff --git a/bin/tests/rbt/dns_rbt_deletename_1_data b/bin/tests/rbt/dns_rbt_deletename_1_data
index 5a34481b..2e00e502 100644
--- a/bin/tests/rbt/dns_rbt_deletename_1_data
+++ b/bin/tests/rbt/dns_rbt_deletename_1_data
@@ -4,6 +4,3 @@
 # format is: <dbfile> <command> <testname> <exp_result>
 #
 dns_rbt.data	delete	a.vix.com	ISC_R_SUCCESS
-dns_rbt_bitstring.data	delete	\[x42/7].vix.com	ISC_R_SUCCESS
-dns_rbt_bitstring.data	delete	a.\[x42/7].com	ISC_R_SUCCESS
-dns_rbt_bitstring.data	delete	a.vix.\[x42/7]	ISC_R_SUCCESS
diff --git a/bin/tests/rbt/dns_rbt_deletename_2_data b/bin/tests/rbt/dns_rbt_deletename_2_data
index a3d195b2..0b1fdb7b 100644
--- a/bin/tests/rbt/dns_rbt_deletename_2_data
+++ b/bin/tests/rbt/dns_rbt_deletename_2_data
@@ -4,6 +4,3 @@
 # format is: <dbfile> <command> <testname> <exp_result>
 #
 dns_rbt.data	delete	new.name	ISC_R_NOTFOUND
-dns_rbt.data	delete	\[x42/7].vix.com	ISC_R_NOTFOUND
-dns_rbt.data	delete	a.\[x42/7].com	ISC_R_NOTFOUND
-dns_rbt.data	delete	a.vix.\[x42/7]	ISC_R_NOTFOUND
diff --git a/bin/tests/rbt/dns_rbt_findname_1_data b/bin/tests/rbt/dns_rbt_findname_1_data
index e478c675..2a3728dd 100644
--- a/bin/tests/rbt/dns_rbt_findname_1_data
+++ b/bin/tests/rbt/dns_rbt_findname_1_data
@@ -4,6 +4,3 @@
 # format is: <dbfile> <command> <testname> <exp_result>
 #
 dns_rbt.data	search	a.vix.com	ISC_R_SUCCESS
-dns_rbt_bitstring.data	search	\[x42/7].vix.com	ISC_R_SUCCESS
-dns_rbt_bitstring.data	search	a.\[x42/7].com	ISC_R_SUCCESS
-dns_rbt_bitstring.data	search	a.vix.\[x42/7]	ISC_R_SUCCESS
diff --git a/bin/tests/rbt/dns_rbt_findname_2_data b/bin/tests/rbt/dns_rbt_findname_2_data
index 7bf35406..eb3d467b 100644
--- a/bin/tests/rbt/dns_rbt_findname_2_data
+++ b/bin/tests/rbt/dns_rbt_findname_2_data
@@ -4,6 +4,3 @@
 # format is: <dbfile> <command> <testname> <exp_result>
 #
 dns_rbt.data	search	not.used.here	ISC_R_NOTFOUND
-dns_rbt.data	search	\[x42/7].vix.com	ISC_R_NOTFOUND
-dns_rbt.data	search	a.\[x42/7].com	ISC_R_NOTFOUND
-dns_rbt.data	search	a.vix.\[x42/7]	ISC_R_NOTFOUND
diff --git a/bin/tests/rbt/dns_rbt_findname_3_data b/bin/tests/rbt/dns_rbt_findname_3_data
index 71274db3..4ea2db30 100644
--- a/bin/tests/rbt/dns_rbt_findname_3_data
+++ b/bin/tests/rbt/dns_rbt_findname_3_data
@@ -4,4 +4,3 @@
 # format is: <dbfile> <command> <testname> <exp_result>
 #
 dns_rbt.data	search	a.b.vix.com	DNS_R_PARTIALMATCH
-dns_rbt_bitstring.data	search	b.a.\[x42/7].com	DNS_R_PARTIALMATCH
diff --git a/bin/tests/rbt/t_rbt.c b/bin/tests/rbt/t_rbt.c
index e4edf398..b90666a8 100644
--- a/bin/tests/rbt/t_rbt.c
+++ b/bin/tests/rbt/t_rbt.c
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,17 +15,14 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: t_rbt.c,v 1.23.2.4 2006/01/04 23:50:17 marka Exp $ */
+/* $Id: t_rbt.c,v 1.23.206.3 2004/03/08 21:06:24 marka Exp $ */
 
 #include <config.h>
 
 #include <ctype.h>
 #include <stdlib.h>
 
-#include <isc/entropy.h>
 #include <isc/mem.h>
-#include <isc/util.h>
-#include <isc/hash.h>
 #include <isc/string.h>
 
 #include <dns/fixedname.h>
@@ -127,7 +124,6 @@ create_name(char *s, isc_mem_t *mctx, dns_name_t **dns_name) {
 	isc_result_t	result;
 	isc_buffer_t	source;
 	isc_buffer_t	target;
-	dns_name_t	*name;
 
 	nfails = 0;
 
@@ -142,26 +138,22 @@ create_name(char *s, isc_mem_t *mctx, dns_name_t **dns_name) {
 		 * The buffer for the actual name will immediately follow the
 		 * name structure.
 		 */
-		name = isc_mem_get(mctx, sizeof(*name) + DNSNAMELEN);
-		if (name == NULL) {
+		*dns_name = isc_mem_get(mctx, sizeof(**dns_name) + DNSNAMELEN);
+		if (*dns_name == NULL) {
 			t_info("isc_mem_get failed\n");
 			++nfails;
-		} else {
+		}
 
-			dns_name_init(name, NULL);
-			isc_buffer_init(&target, name + 1, DNSNAMELEN);
+		dns_name_init(*dns_name, NULL);
+		isc_buffer_init(&target, *dns_name + 1, DNSNAMELEN);
 
-			result = dns_name_fromtext(name, &source, dns_rootname,
-						   ISC_FALSE, &target);
+		result = dns_name_fromtext(*dns_name, &source, dns_rootname,
+					   ISC_FALSE, &target);
 
-			if (result != ISC_R_SUCCESS) {
-				++nfails;
-				t_info("dns_name_fromtext(%s) failed %s\n",
-				       s, dns_result_totext(result));
-				 isc_mem_put(mctx, name,
-					     sizeof(*name) + DNSNAMELEN);
-			} else
-				*dns_name = name;
+		if (result != ISC_R_SUCCESS) {
+			++nfails;
+			t_info("dns_name_fromtext(%s) failed %s\n",
+			       s, dns_result_totext(result));
 		}
 	} else {
 		++nfails;
@@ -187,17 +179,15 @@ t1_add(char *name, dns_rbt_t *rbt, isc_mem_t *mctx, isc_result_t *dns_result) {
 
 	nprobs = 0;
 	if (name && dns_result) {
-		if (create_name(name, mctx, &dns_name) == 0) {
+		*dns_result = create_name(name, mctx, &dns_name);
+		if (*dns_result == ISC_R_SUCCESS) {
 			if (T_debug)
 				t_info("dns_rbt_addname succeeded\n");
 			*dns_result = dns_rbt_addname(rbt, dns_name, dns_name);
-			if (*dns_result != ISC_R_SUCCESS) {
-				delete_name(dns_name, mctx);
-				t_info("dns_rbt_addname failed %s\n",
-		       		       dns_result_totext(*dns_result));
-				++nprobs;
-			}
 		} else {
+			t_info("dns_rbt_addname failed %s\n",
+		       			dns_result_totext(*dns_result));
+			delete_name(dns_name, mctx);
 			++nprobs;
 		}
 	} else {
@@ -215,7 +205,8 @@ t1_delete(char *name, dns_rbt_t *rbt, isc_mem_t *mctx,
 
 	nprobs = 0;
 	if (name && dns_result) {
-		if (create_name(name, mctx, &dns_name) == 0) {
+		*dns_result = create_name(name, mctx, &dns_name);
+		if (*dns_result == ISC_R_SUCCESS) {
 			*dns_result = dns_rbt_deletename(rbt, dns_name,
 							 ISC_FALSE);
 			delete_name(dns_name, mctx);
@@ -240,7 +231,8 @@ t1_search(char *name, dns_rbt_t *rbt, isc_mem_t *mctx,
 
 	nprobs = 0;
 	if (name && dns_result) {
-		if (create_name(name, mctx, &dns_searchname) == 0) {
+		*dns_result = create_name(name, mctx, &dns_searchname);
+		if (*dns_result == ISC_R_SUCCESS) {
 			dns_fixedname_init(&dns_fixedname);
 			dns_foundname = dns_fixedname_name(&dns_fixedname);
 			data = NULL;
@@ -286,7 +278,7 @@ rbt_init(char *filename, dns_rbt_t **rbt, isc_mem_t *mctx) {
 		 * Skip any comment lines.
 		 */
 		if ((*p == '#') || (*p == '\0') || (*p == ' ')) {
-			(void)free(p);
+			free(p);
 			continue;
 		}
 
@@ -316,7 +308,6 @@ test_rbt_gen(char *filename, char *command, char *testname,
 	isc_result_t	isc_result;
 	isc_result_t	dns_result;
 	isc_mem_t	*mctx;
-	isc_entropy_t	*ectx;
 	dns_name_t	*dns_name;
 
 	result = T_UNRESOLVED;
@@ -325,8 +316,6 @@ test_rbt_gen(char *filename, char *command, char *testname,
 		t_info("testing using name %s\n", testname);
 
 	mctx = NULL;
-	ectx = NULL;
-
 	isc_result = isc_mem_create(0, 0, &mctx);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_mem_create: %s: exiting\n",
@@ -334,29 +323,10 @@ test_rbt_gen(char *filename, char *command, char *testname,
 		return(T_UNRESOLVED);
 	}
 
-	isc_result = isc_entropy_create(mctx, &ectx);
-	if (isc_result != ISC_R_SUCCESS) {
-		t_info("isc_entropy_create: %s: exiting\n",
-		       dns_result_totext(isc_result));
-		isc_mem_destroy(&mctx);
-		return(T_UNRESOLVED);
-	}
-
-	isc_result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
-	if (isc_result != ISC_R_SUCCESS) {
-		t_info("isc_hash_create: %s: exiting\n",
-		       dns_result_totext(isc_result));
-		isc_entropy_detach(&ectx);
-		isc_mem_destroy(&mctx);
-		return(T_UNRESOLVED);
-	}
-
 	rbt = NULL;
 	if (rbt_init(filename, &rbt, mctx) != 0) {
 		if (strcmp(command, "create") == 0)
 			result = T_FAIL;
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(result);
 	}
@@ -367,7 +337,8 @@ test_rbt_gen(char *filename, char *command, char *testname,
 	if (strcmp(command, "create") == 0) {
 		result = T_PASS;
 	} else if (strcmp(command, "add") == 0) {
-		if (create_name(testname, mctx, &dns_name) == 0) {
+		dns_result = create_name(testname, mctx, &dns_name);
+		if (dns_result == ISC_R_SUCCESS) {
 			dns_result = dns_rbt_addname(rbt, dns_name, dns_name);
 
 			if (dns_result != ISC_R_SUCCESS)
@@ -441,8 +412,6 @@ test_rbt_gen(char *filename, char *command, char *testname,
 	}
 
 	dns_rbt_destroy(&rbt);
-	isc_hash_destroy();
-	isc_entropy_detach(&ectx);
 	isc_mem_destroy(&mctx);
 	return(result);
 }
@@ -470,10 +439,8 @@ test_dns_rbt_x(const char *filename) {
 			/*
 			 * Skip comment lines.
 			 */
-			if ((isspace((unsigned char)*p)) || (*p == '#')) {
-				(void)free(p);
+			if ((isspace((unsigned char)*p)) || (*p == '#'))
 				continue;
-			}
 
 			/*
 			 * Name of db file, command, testname,
@@ -614,7 +581,6 @@ t9_walkchain(dns_rbtnodechain_t *chain, dns_rbt_t *rbt) {
 	int		cnt;
 	int		order;
 	unsigned int	nlabels;
-	unsigned int	nbits;
 	int		nprobs;
 	isc_result_t	dns_result;
 
@@ -701,7 +667,7 @@ t9_walkchain(dns_rbtnodechain_t *chain, dns_rbt_t *rbt) {
 			(void)dns_name_fullcompare(
 						dns_fixedname_name(&fullname1),
 						dns_fixedname_name(&fullname2),
-						&order, &nlabels, &nbits);
+						&order, &nlabels);
 
 			if (order >= 0) {
 			    t_info("unexpected order %s %s %s\n",
@@ -767,7 +733,6 @@ t_dns_rbtnodechain_init(char *dbfile, char *findname,
 	dns_rbtnode_t		*node;
 	dns_rbtnodechain_t	chain;
 	isc_mem_t		*mctx;
-	isc_entropy_t		*ectx;
 	isc_result_t		isc_result;
 	isc_result_t		dns_result;
 	dns_fixedname_t		dns_findname;
@@ -783,8 +748,6 @@ t_dns_rbtnodechain_init(char *dbfile, char *findname,
 
 	nfails = 0;
 	mctx = NULL;
-	ectx = NULL;
-
 	isc_result = isc_mem_create(0, 0, &mctx);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_mem_create failed %s\n",
@@ -792,30 +755,11 @@ t_dns_rbtnodechain_init(char *dbfile, char *findname,
 		return(result);
 	}
 
-	isc_result = isc_entropy_create(mctx, &ectx);
-	if (isc_result != ISC_R_SUCCESS) {
-		t_info("isc_entropy_create: %s: exiting\n",
-		       dns_result_totext(isc_result));
-		isc_mem_destroy(&mctx);
-		return(T_UNRESOLVED);
-	}
-
-	isc_result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
-	if (isc_result != ISC_R_SUCCESS) {
-		t_info("isc_hash_create: %s: exiting\n",
-		       dns_result_totext(isc_result));
-		isc_entropy_detach(&ectx);
-		isc_mem_destroy(&mctx);
-		return(T_UNRESOLVED);
-	}
-
 	dns_rbtnodechain_init(&chain, mctx);
 
 	rbt = NULL;
 	if (rbt_init(dbfile, &rbt, mctx)) {
 		t_info("rbt_init %s failed\n", dbfile);
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(result);
 	}
@@ -953,8 +897,6 @@ t_dns_rbtnodechain_init(char *dbfile, char *findname,
 	dns_rbtnodechain_invalidate(&chain);
 	dns_rbt_destroy(&rbt);
 
-	isc_hash_destroy();
-	isc_entropy_detach(&ectx);
 	isc_mem_destroy(&mctx);
 
 	return(result);
@@ -983,10 +925,8 @@ test_dns_rbtnodechain_init(const char *filename) {
 			/*
 			 * Skip comment lines.
 			 */
-			if ((isspace((unsigned char)*p)) || (*p == '#')) {
-				(void)free(p);
+			if ((isspace((unsigned char)*p)) || (*p == '#'))
 				continue;
-			}
 
 			cnt = t_bustline(p, Tokens);
 			if (cnt == 10) {
@@ -1051,7 +991,6 @@ t_dns_rbtnodechain_first(char *dbfile, char *expected_firstname,
 	dns_rbt_t		*rbt;
 	dns_rbtnodechain_t	chain;
 	isc_mem_t		*mctx;
-	isc_entropy_t		*ectx;
 	isc_result_t		isc_result;
 	isc_result_t		dns_result;
 	dns_fixedname_t		dns_name;
@@ -1062,7 +1001,6 @@ t_dns_rbtnodechain_first(char *dbfile, char *expected_firstname,
 
 	nfails = 0;
 	mctx = NULL;
-	ectx = NULL;
 
 	dns_fixedname_init(&dns_name);
 	dns_fixedname_init(&dns_origin);
@@ -1074,30 +1012,11 @@ t_dns_rbtnodechain_first(char *dbfile, char *expected_firstname,
 		return(result);
 	}
 
-	isc_result = isc_entropy_create(mctx, &ectx);
-	if (isc_result != ISC_R_SUCCESS) {
-		t_info("isc_entropy_create: %s: exiting\n",
-		       dns_result_totext(isc_result));
-		isc_mem_destroy(&mctx);
-		return(T_UNRESOLVED);
-	}
-
-	isc_result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
-	if (isc_result != ISC_R_SUCCESS) {
-		t_info("isc_hash_create: %s: exiting\n",
-		       dns_result_totext(isc_result));
-		isc_entropy_detach(&ectx);
-		isc_mem_destroy(&mctx);
-		return(T_UNRESOLVED);
-	}
-
 	dns_rbtnodechain_init(&chain, mctx);
 
 	rbt = NULL;
 	if (rbt_init(dbfile, &rbt, mctx)) {
 		t_info("rbt_init %s failed\n", dbfile);
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(result);
 	}
@@ -1143,8 +1062,6 @@ t_dns_rbtnodechain_first(char *dbfile, char *expected_firstname,
 	dns_rbtnodechain_invalidate(&chain);
 
 	dns_rbt_destroy(&rbt);
-	isc_hash_destroy();
-	isc_entropy_detach(&ectx);
 	isc_mem_destroy(&mctx);
 	return(result);
 }
@@ -1172,10 +1089,8 @@ test_dns_rbtnodechain_first(const char *filename) {
 			/*
 			 * Skip comment lines.
 			 */
-			if ((isspace((unsigned char)*p)) || (*p == '#')) {
-				(void)free(p);
+			if ((isspace((unsigned char)*p)) || (*p == '#'))
 				continue;
-			}
 
 			cnt = t_bustline(p, Tokens);
 			if (cnt == 5) {
@@ -1242,7 +1157,6 @@ t_dns_rbtnodechain_last(char *dbfile, char *expected_lastname,
 	dns_rbt_t		*rbt;
 	dns_rbtnodechain_t	chain;
 	isc_mem_t		*mctx;
-	isc_entropy_t		*ectx;
 	isc_result_t		isc_result;
 	isc_result_t		dns_result;
 	dns_fixedname_t		dns_name;
@@ -1253,7 +1167,6 @@ t_dns_rbtnodechain_last(char *dbfile, char *expected_lastname,
 
 	nfails = 0;
 	mctx = NULL;
-	ectx = NULL;
 
 	dns_fixedname_init(&dns_name);
 	dns_fixedname_init(&dns_origin);
@@ -1265,30 +1178,11 @@ t_dns_rbtnodechain_last(char *dbfile, char *expected_lastname,
 		return(result);
 	}
 
-	isc_result = isc_entropy_create(mctx, &ectx);
-	if (isc_result != ISC_R_SUCCESS) {
-		t_info("isc_entropy_create: %s: exiting\n",
-		       dns_result_totext(isc_result));
-		isc_mem_destroy(&mctx);
-		return(T_UNRESOLVED);
-	}
-
-	isc_result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
-	if (isc_result != ISC_R_SUCCESS) {
-		t_info("isc_hash_create: %s: exiting\n",
-		       dns_result_totext(isc_result));
-		isc_entropy_detach(&ectx);
-		isc_mem_destroy(&mctx);
-		return(T_UNRESOLVED);
-	}
-
 	dns_rbtnodechain_init(&chain, mctx);
 
 	rbt = NULL;
 	if (rbt_init(dbfile, &rbt, mctx)) {
 		t_info("rbt_init %s failed\n", dbfile);
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(result);
 	}
@@ -1335,8 +1229,6 @@ t_dns_rbtnodechain_last(char *dbfile, char *expected_lastname,
 	dns_rbtnodechain_invalidate(&chain);
 	dns_rbt_destroy(&rbt);
 
-	isc_hash_destroy();
-	isc_entropy_detach(&ectx);
 	isc_mem_destroy(&mctx);
 
 	return(result);
@@ -1365,10 +1257,8 @@ test_dns_rbtnodechain_last(const char *filename) {
 			/*
 			 * Skip comment lines.
 			 */
-			if ((isspace((unsigned char)*p)) || (*p == '#')) {
-				(void)free(p);
+			if ((isspace((unsigned char)*p)) || (*p == '#'))
 				continue;
-			}
 
 			cnt = t_bustline(p, Tokens);
 			if (cnt == 5) {
@@ -1435,7 +1325,6 @@ t_dns_rbtnodechain_next(char *dbfile, char *findname,
 	dns_rbtnode_t		*node;
 	dns_rbtnodechain_t	chain;
 	isc_mem_t		*mctx;
-	isc_entropy_t		*ectx;
 	isc_result_t		isc_result;
 	isc_result_t		dns_result;
 	dns_fixedname_t		dns_findname;
@@ -1448,8 +1337,6 @@ t_dns_rbtnodechain_next(char *dbfile, char *findname,
 
 	nfails = 0;
 	mctx = NULL;
-	ectx = NULL;
-
 	isc_result = isc_mem_create(0, 0, &mctx);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_mem_create failed %s\n",
@@ -1457,30 +1344,11 @@ t_dns_rbtnodechain_next(char *dbfile, char *findname,
 		return(result);
 	}
 
-	isc_result = isc_entropy_create(mctx, &ectx);
-	if (isc_result != ISC_R_SUCCESS) {
-		t_info("isc_entropy_create: %s: exiting\n",
-		       dns_result_totext(isc_result));
-		isc_mem_destroy(&mctx);
-		return(T_UNRESOLVED);
-	}
-
-	isc_result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
-	if (isc_result != ISC_R_SUCCESS) {
-		t_info("isc_hash_create: %s: exiting\n",
-		       dns_result_totext(isc_result));
-		isc_entropy_detach(&ectx);
-		isc_mem_destroy(&mctx);
-		return(T_UNRESOLVED);
-	}
-
 	dns_rbtnodechain_init(&chain, mctx);
 
 	rbt = NULL;
 	if (rbt_init(dbfile, &rbt, mctx)) {
 		t_info("rbt_init %s failed\n", dbfile);
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(result);
 	}
@@ -1543,8 +1411,6 @@ t_dns_rbtnodechain_next(char *dbfile, char *findname,
 	dns_rbtnodechain_invalidate(&chain);
 	dns_rbt_destroy(&rbt);
 
-	isc_hash_destroy();
-	isc_entropy_detach(&ectx);
 	isc_mem_destroy(&mctx);
 
 	return(result);
@@ -1573,10 +1439,8 @@ test_dns_rbtnodechain_next(const char *filename) {
 			/*
 			 * Skip comment lines.
 			 */
-			if ((isspace((unsigned char)*p)) || (*p == '#')) {
-				(void)free(p);
+			if ((isspace((unsigned char)*p)) || (*p == '#'))
 				continue;
-			}
 
 			cnt = t_bustline(p, Tokens);
 			if (cnt == 4) {
@@ -1642,7 +1506,6 @@ t_dns_rbtnodechain_prev(char *dbfile, char *findname, char *prevname,
 	dns_rbtnode_t		*node;
 	dns_rbtnodechain_t	chain;
 	isc_mem_t		*mctx;
-	isc_entropy_t		*ectx = NULL;
 	isc_result_t		isc_result;
 	isc_result_t		dns_result;
 	dns_fixedname_t		dns_findname;
@@ -1655,8 +1518,6 @@ t_dns_rbtnodechain_prev(char *dbfile, char *findname, char *prevname,
 
 	nfails = 0;
 	mctx = NULL;
-	ectx = NULL;
-
 	isc_result = isc_mem_create(0, 0, &mctx);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_mem_create failed %s\n",
@@ -1664,30 +1525,11 @@ t_dns_rbtnodechain_prev(char *dbfile, char *findname, char *prevname,
 		return(result);
 	}
 
-	isc_result = isc_entropy_create(mctx, &ectx);
-	if (isc_result != ISC_R_SUCCESS) {
-		t_info("isc_entropy_create: %s: exiting\n",
-		       dns_result_totext(isc_result));
-		isc_mem_destroy(&mctx);
-		return(T_UNRESOLVED);
-	}
-
-	isc_result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
-	if (isc_result != ISC_R_SUCCESS) {
-		t_info("isc_hash_create: %s: exiting\n",
-		       dns_result_totext(isc_result));
-		isc_entropy_detach(&ectx);
-		isc_mem_destroy(&mctx);
-		return(T_UNRESOLVED);
-	}
-
 	dns_rbtnodechain_init(&chain, mctx);
 
 	rbt = NULL;
 	if (rbt_init(dbfile, &rbt, mctx)) {
 		t_info("rbt_init %s failed\n", dbfile);
-		isc_hash_destroy();
-		isc_entropy_detach(&ectx);
 		isc_mem_destroy(&mctx);
 		return(result);
 	}
@@ -1750,8 +1592,6 @@ t_dns_rbtnodechain_prev(char *dbfile, char *findname, char *prevname,
 	dns_rbtnodechain_invalidate(&chain);
 	dns_rbt_destroy(&rbt);
 
-	isc_hash_destroy();
-	isc_entropy_detach(&ectx);
 	isc_mem_destroy(&mctx);
 
 	return(result);
@@ -1780,10 +1620,8 @@ test_dns_rbtnodechain_prev(const char *filename) {
 			/*
 			 * Skip comment lines.
 			 */
-			if ((isspace((unsigned char)*p)) || (*p == '#')) {
-				(void)free(p);
+			if ((isspace((unsigned char)*p)) || (*p == '#'))
 				continue;
-			}
 
 			cnt = t_bustline(p, Tokens);
 			if (cnt == 4) {
diff --git a/bin/tests/rbt_test.c b/bin/tests/rbt_test.c
index bdb1cacf..d8092d4c 100644
--- a/bin/tests/rbt_test.c
+++ b/bin/tests/rbt_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rbt_test.c,v 1.42.2.3 2005/03/17 03:59:31 marka Exp $ */
+/* $Id: rbt_test.c,v 1.42.12.3 2004/03/08 04:04:26 marka Exp $ */
 
 #include <config.h>
 
@@ -224,7 +224,7 @@ iterate(dns_rbt_t *rbt, isc_boolean_t forward) {
 		printf("start not found!\n");
 
 	else {
-		for (;;) {
+		while (1) {
 			if (result == DNS_R_NEWORIGIN) {
 				printf("  new origin: ");
 				print_name(origin);
@@ -292,7 +292,7 @@ main(int argc, char **argv) {
 	/*
 	 * So isc_mem_stats() can report any allocation leaks.
 	 */
-	isc_mem_debugging = 2;
+	isc_mem_debugging = ISC_MEM_DEBUGRECORD;
 
 	result = isc_mem_create(0, 0, &mctx);
 	if (result != ISC_R_SUCCESS) {
@@ -314,8 +314,8 @@ main(int argc, char **argv) {
 		length = strlen(buffer);
 
 		if (buffer[length - 1] != '\n') {
-			printf("line to long (%lu max), ignored\n",
-			       (unsigned long)sizeof(buffer) - 2);
+			printf("line to long (%d max), ignored\n",
+			       sizeof(buffer) - 2);
 			continue;
 		}
 
diff --git a/bin/tests/rbt_test.txt b/bin/tests/rbt_test.txt
index 2b6c4e95..1ae0b234 100644
--- a/bin/tests/rbt_test.txt
+++ b/bin/tests/rbt_test.txt
@@ -1,5 +1,5 @@
 # Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1999-2001, 2003  Internet Software Consortium.
+# Copyright (C) 1999-2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: rbt_test.txt,v 1.13.2.3 2004/03/09 06:09:34 marka Exp $

+# $Id: rbt_test.txt,v 1.13.2.2.2.3 2004/03/08 04:04:26 marka Exp $

 

 add a.vix.com

 add b.vix.com

diff --git a/bin/tests/rdata_test.c b/bin/tests/rdata_test.c
index 1b877c36..9177de6a 100644
--- a/bin/tests/rdata_test.c
+++ b/bin/tests/rdata_test.c
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdata_test.c,v 1.35.2.5 2006/02/26 23:49:47 marka Exp $ */
+/* $Id: rdata_test.c,v 1.35.12.7 2004/03/08 04:04:27 marka Exp $ */
 
 #include <config.h>
 
@@ -91,6 +91,19 @@ viastruct(dns_rdata_t *rdata, isc_mem_t *mctx,
 		result = ISC_R_NOTIMPLEMENTED;
 		break;
 	}
+	case dns_rdatatype_apl: {
+		switch (rdata->rdclass) {
+		case dns_rdataclass_in: {
+			dns_rdata_in_apl_t in_apl;
+			result = dns_rdata_tostruct(rdata, sp = &in_apl, NULL);
+			break;
+		}
+		default:
+			result = ISC_R_NOTIMPLEMENTED;
+			break;
+		}
+		break;
+	}
 	case dns_rdatatype_cert: {
 		dns_rdata_cert_t cert;
 		result = dns_rdata_tostruct(rdata, sp = &cert, NULL);
@@ -271,12 +284,27 @@ viastruct(dns_rdata_t *rdata, isc_mem_t *mctx,
 		result = dns_rdata_tostruct(rdata, sp = &x25, NULL);
 		break;
 	}
+	case dns_rdatatype_nsec: {
+		dns_rdata_nsec_t nsec;
+		result = dns_rdata_tostruct(rdata, sp = &nsec, NULL);
+		break;
+	}
+	case dns_rdatatype_rrsig: {
+		dns_rdata_rrsig_t rrsig;
+		result = dns_rdata_tostruct(rdata, sp = &rrsig, NULL);
+		break;
+	}
+	case dns_rdatatype_dnskey: {
+		dns_rdata_dnskey_t dnskey;
+		result = dns_rdata_tostruct(rdata, sp = &dnskey, NULL);
+		break;
+	}
 	default:
 		result = ISC_R_NOTIMPLEMENTED;
 		break;
 	}
 	if (result != ISC_R_SUCCESS)
-		fprintf(stdout, "viastruct: tostruct %d %d return %s\n",
+		fprintf(stdout, "viastruct: tostuct %d %d return %s\n",
 			rdata->type, rdata->rdclass,
 			dns_result_totext(result));
 	else
@@ -320,6 +348,19 @@ viastruct(dns_rdata_t *rdata, isc_mem_t *mctx,
 		result = ISC_R_NOTIMPLEMENTED;
 		break;
 	}
+	case dns_rdatatype_apl: {
+		switch (rdata->rdclass) {
+		case dns_rdataclass_in: {
+			dns_rdata_in_apl_t in_apl;
+			result = dns_rdata_tostruct(rdata, sp = &in_apl, mctx);
+			break;
+		}
+		default:
+			result = ISC_R_NOTIMPLEMENTED;
+			break;
+		}
+		break;
+	}
 	case dns_rdatatype_cert: {
 		dns_rdata_cert_t cert;
 		result = dns_rdata_tostruct(rdata, sp = &cert, mctx);
@@ -500,12 +541,27 @@ viastruct(dns_rdata_t *rdata, isc_mem_t *mctx,
 		result = dns_rdata_tostruct(rdata, sp = &x25, mctx);
 		break;
 	}
+	case dns_rdatatype_nsec: {
+		dns_rdata_nsec_t nsec;
+		result = dns_rdata_tostruct(rdata, sp = &nsec, mctx);
+		break;
+	}
+	case dns_rdatatype_rrsig: {
+		dns_rdata_rrsig_t rrsig;
+		result = dns_rdata_tostruct(rdata, sp = &rrsig, mctx);
+		break;
+	}
+	case dns_rdatatype_dnskey: {
+		dns_rdata_dnskey_t dnskey;
+		result = dns_rdata_tostruct(rdata, sp = &dnskey, mctx);
+		break;
+	}
 	default:
 		result = ISC_R_NOTIMPLEMENTED;
 		break;
 	}
 	if (result != ISC_R_SUCCESS)
-		fprintf(stdout, "viastruct: tostruct %d %d return %s\n",
+		fprintf(stdout, "viastruct: tostuct %d %d return %s\n",
 			rdata->type, rdata->rdclass,
 			dns_result_totext(result));
 	else {
@@ -516,7 +572,7 @@ viastruct(dns_rdata_t *rdata, isc_mem_t *mctx,
 		result = dns_rdata_fromstruct(rdata2, rdc, rdt, sp, b);
 		if (result != ISC_R_SUCCESS)
 			fprintf(stdout,
-				"viastruct: fromstruct %d %d return %s\n",
+				"viastruct: fromstuct %d %d return %s\n",
 				rdata->type, rdata->rdclass,
 				dns_result_totext(result));
 		else if (rdata->length != rdata2->length ||
@@ -578,6 +634,19 @@ viastruct(dns_rdata_t *rdata, isc_mem_t *mctx,
 		result = ISC_R_NOTIMPLEMENTED;
 		break;
 	}
+	case dns_rdatatype_apl: {
+		switch (rdata->rdclass) {
+		case dns_rdataclass_in: {
+			dns_rdata_in_apl_t in_apl;
+			result = dns_rdata_fromstruct(rdata, rdc, rdt, &in_apl,							      b);
+			break;
+		}
+		default:
+			result = ISC_R_NOTIMPLEMENTED;
+			break;
+		}
+		break;
+	}
 	case dns_rdatatype_cert: {
 		dns_rdata_cert_t cert;
 		result = dns_rdata_fromstruct(rdata2, rdc, rdt, &cert, b);
@@ -759,6 +828,21 @@ viastruct(dns_rdata_t *rdata, isc_mem_t *mctx,
 		result = dns_rdata_fromstruct(rdata2, rdc, rdt, &x25, b);
 		break;
 	}
+	case dns_rdatatype_nsec: {
+		dns_rdata_nsec_t nsec;
+		result = dns_rdata_fromstruct(rdata2, rdc, rdt, &nsec, b);
+		break;
+	}
+	case dns_rdatatype_rrsig: {
+		dns_rdata_rrsig_t rrsig;
+		result = dns_rdata_fromstruct(rdata2, rdc, rdt, &rrsig, b);
+		break;
+	}
+	case dns_rdatatype_dnskey: {
+		dns_rdata_dnskey_t dnskey;
+		result = dns_rdata_fromstruct(rdata2, rdc, rdt, &dnskey, b);
+		break;
+	}
 	default:
 		result = ISC_R_NOTIMPLEMENTED;
 		break;
@@ -836,7 +920,7 @@ main(int argc, char *argv[]) {
 		}
 	}
 
-	memset(&dctx, 0, sizeof dctx);
+	memset(&dctx, '0', sizeof(dctx));
 	dctx.allowed = DNS_COMPRESS_ALL;
 
 	RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
@@ -929,7 +1013,7 @@ main(int argc, char *argv[]) {
 		dns_rdata_init(&rdata);
 		isc_buffer_init(&dbuf, inbuf, sizeof(inbuf));
 		result = dns_rdata_fromtext(&rdata, class, type, lex,
-					    NULL, ISC_FALSE, mctx, &dbuf,
+					    NULL, 0, mctx, &dbuf,
 					    NULL);
 		if (result != ISC_R_SUCCESS) {
 			fprintf(stdout,
@@ -940,7 +1024,7 @@ main(int argc, char *argv[]) {
 		}
 		if (raw) {
 			unsigned int i;
-			for (i = 0 ; i < rdata.length ; /* */ ) {
+			for (i = 0; i < rdata.length; /* */ ) {
 				fprintf(stdout, "%02x", rdata.data[i]);
 				if ((++i % 20) == 0)
 					fputs("\n", stdout);
@@ -976,7 +1060,7 @@ main(int argc, char *argv[]) {
 			if (raw > 2) {
 				unsigned int i;
 				fputs("\n", stdout);
-				for (i = 0 ; i < (unsigned int)len ; /* */ ) {
+				for (i = 0; i < (unsigned int)len; /* */ ) {
 					fprintf(stdout, "%02x",
 				((unsigned char*)wbuf.base)[i + wbuf.current]);
 					if ((++i % 20) == 0)
@@ -1002,7 +1086,7 @@ main(int argc, char *argv[]) {
 			isc_buffer_init(&dbuf, inbuf, sizeof(inbuf));
 			dns_decompress_init(&dctx, -1, DNS_DECOMPRESS_ANY);
 			result = dns_rdata_fromwire(&rdata, class, type, &wbuf,
-						    &dctx, ISC_FALSE, &dbuf);
+						    &dctx, 0, &dbuf);
 			dns_decompress_invalidate(&dctx);
 			if (result != ISC_R_SUCCESS) {
 			fprintf(stdout,
@@ -1015,7 +1099,7 @@ main(int argc, char *argv[]) {
 		if (raw > 1) {
 			unsigned int i;
 			fputs("\n", stdout);
-			for (i = 0 ; i < rdata.length ; /* */ ) {
+			for (i = 0; i < rdata.length; /* */ ) {
 				fprintf(stdout, "%02x", rdata.data[i]);
 				if ((++i % 20) == 0)
 					fputs("\n", stdout);
diff --git a/bin/tests/resolv.conf.sample b/bin/tests/resolv.conf.sample
index 0775186f..d23d446f 100644
--- a/bin/tests/resolv.conf.sample
+++ b/bin/tests/resolv.conf.sample
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: resolv.conf.sample,v 1.8.2.1 2004/03/09 06:09:34 marka Exp $
+# $Id: resolv.conf.sample,v 1.8.206.1 2004/03/06 10:21:40 marka Exp $
 
 domain  jab.fr
 nameserver 194.150.1.2     ; ignore that
diff --git a/bin/tests/rwlock_test.c b/bin/tests/rwlock_test.c
index a09b2c9f..9508bd58 100644
--- a/bin/tests/rwlock_test.c
+++ b/bin/tests/rwlock_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rwlock_test.c,v 1.20.2.3 2005/03/17 03:59:31 marka Exp $ */
+/* $Id: rwlock_test.c,v 1.20.206.1 2004/03/06 10:21:40 marka Exp $ */
 
 #include <config.h>
 
@@ -135,7 +135,7 @@ main(int argc, char *argv[]) {
 	UNUSED(argc);
 	UNUSED(argv);
 	fprintf(stderr, "This test requires threads.\n");
-	return(1);
+	exit(1);
 }
 
 #endif
diff --git a/bin/tests/serial_test.c b/bin/tests/serial_test.c
index 63a9d267..1544fe75 100644
--- a/bin/tests/serial_test.c
+++ b/bin/tests/serial_test.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,14 +15,14 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: serial_test.c,v 1.10.2.1 2004/03/09 06:09:34 marka Exp $ */
+/* $Id: serial_test.c,v 1.10.12.3 2004/03/06 10:21:40 marka Exp $ */
 
 #include <config.h>
 
 #include <stdio.h>
-#include <stdlib.h>
 
 #include <isc/serial.h>
+#include <isc/stdlib.h>
 
 int
 main() {
@@ -30,8 +30,8 @@ main() {
 	char buf[1024];
 	char *s, *e;
 
-	while (fgets(buf, sizeof buf, stdin) != NULL) {
-		buf[sizeof buf - 1] = '\0';
+	while (fgets(buf, sizeof(buf), stdin) != NULL) {
+		buf[sizeof(buf) - 1] = '\0';
 		s = buf;
 		a = strtoul(s, &e, 0);
 		if (s == e)
diff --git a/bin/tests/shutdown_test.c b/bin/tests/shutdown_test.c
index a0f1579e..389e26a9 100644
--- a/bin/tests/shutdown_test.c
+++ b/bin/tests/shutdown_test.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: shutdown_test.c,v 1.18.2.1 2004/03/09 06:09:35 marka Exp $ */
+/* $Id: shutdown_test.c,v 1.18.12.4 2004/03/08 04:04:27 marka Exp $ */
 
 #include <config.h>
 
@@ -79,7 +79,7 @@ shutdown_action(isc_task_t *task, isc_event_t *event) {
 		isc_timer_detach(&info->timer);
 		nevent = isc_event_allocate(info->mctx, info, T2_SHUTDOWNOK,
 					    t2_shutdown, &tasks[1],
-					    sizeof *event);
+					    sizeof(*event));
 		RUNTIME_CHECK(nevent != NULL);
 		info->exiting = ISC_TRUE;
 		isc_task_sendanddetach(&info->peer, &nevent);
@@ -94,8 +94,7 @@ foo_event(isc_task_t *task, isc_event_t *event) {
 }
 
 static void
-tick(isc_task_t *task, isc_event_t *event)
-{
+tick(isc_task_t *task, isc_event_t *event) {
 	t_info *info = event->ev_arg;
 	isc_event_t *nevent;
 
@@ -113,7 +112,7 @@ tick(isc_task_t *task, isc_event_t *event)
 			nevent = isc_event_allocate(info->mctx, info,
 						    T2_SHUTDOWNDONE,
 						    t1_shutdown, &tasks[0],
-						    sizeof *event);
+						    sizeof(*event));
 			RUNTIME_CHECK(nevent != NULL);
 			isc_task_send(info->peer, &nevent);
 			isc_task_detach(&info->peer);
@@ -123,7 +122,7 @@ tick(isc_task_t *task, isc_event_t *event)
 		nevent = isc_event_allocate(info->mctx, info,
 					    FOO_EVENT,
 					    foo_event, task,
-					    sizeof *event);
+					    sizeof(*event));
 		RUNTIME_CHECK(nevent != NULL);
 		isc_task_sendanddetach(&task, &nevent);
 	}
diff --git a/bin/tests/sig0_test.c b/bin/tests/sig0_test.c
index 9c68d6aa..d7525b64 100644
--- a/bin/tests/sig0_test.c
+++ b/bin/tests/sig0_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sig0_test.c,v 1.9.2.3 2005/03/17 03:59:31 marka Exp $ */
+/* $Id: sig0_test.c,v 1.9.12.3 2004/03/08 04:04:27 marka Exp $ */
 
 #include <config.h>
 
@@ -68,7 +68,7 @@ isc_buffer_t qbuffer, rbuffer;
 isc_taskmgr_t *taskmgr;
 isc_entropy_t *ent = NULL;
 isc_task_t *task1;
-isc_log_t *lctx = NULL;
+isc_log_t *log = NULL;
 isc_logconfig_t *logconfig = NULL;
 isc_socket_t *s;
 isc_sockaddr_t address;
@@ -155,7 +155,7 @@ buildquery(void) {
 	CHECK("dns_message_gettempname", result);
 	isc_buffer_init(&namesrc, nametext, strlen(nametext));
 	isc_buffer_add(&namesrc, strlen(nametext));
-	isc_buffer_init(&namedst, namedata, sizeof namedata);
+	isc_buffer_init(&namedst, namedata, sizeof(namedata));
 	dns_name_init(qname, NULL);
 	result = dns_name_fromtext(qname, &namesrc, dns_rootname, ISC_FALSE,
 				   &namedst);
@@ -250,7 +250,7 @@ main(int argc, char *argv[]) {
 	socketmgr = NULL;
 	RUNTIME_CHECK(isc_socketmgr_create(mctx, &socketmgr) == ISC_R_SUCCESS);
 
-	RUNTIME_CHECK(isc_log_create(mctx, &lctx, &logconfig) == ISC_R_SUCCESS);
+	RUNTIME_CHECK(isc_log_create(mctx, &log, &logconfig) == ISC_R_SUCCESS);
 
 	s = NULL;
 	RUNTIME_CHECK(isc_socket_create(socketmgr, PF_INET,
@@ -291,7 +291,7 @@ main(int argc, char *argv[]) {
 
 	isc_entropy_detach(&ent);
 
-	isc_log_destroy(&lctx);
+	isc_log_destroy(&log);
 
 	if (verbose)
 		isc_mem_stats(mctx, stdout);
diff --git a/bin/tests/sock_test.c b/bin/tests/sock_test.c
index 32b0c1a8..d741392b 100644
--- a/bin/tests/sock_test.c
+++ b/bin/tests/sock_test.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sock_test.c,v 1.47.2.1 2004/03/09 06:09:35 marka Exp $ */
+/* $Id: sock_test.c,v 1.47.12.3 2004/03/08 04:04:27 marka Exp $ */
 
 #include <config.h>
 
@@ -82,12 +82,12 @@ my_recv(isc_task_t *task, isc_event_t *event) {
 	       dev->n, dev->result);
 	if (dev->address.type.sa.sa_family == AF_INET6) {
 		inet_ntop(AF_INET6, &dev->address.type.sin6.sin6_addr,
-			  host, sizeof (host));
+			  host, sizeof(host));
 		printf("\tFrom: %s port %d\n", host,
 		       ntohs(dev->address.type.sin6.sin6_port));
 	} else {
 		inet_ntop(AF_INET, &dev->address.type.sin.sin_addr,
-			  host, sizeof (host));
+			  host, sizeof(host));
 		printf("\tFrom: %s port %d\n", host,
 		       ntohs(dev->address.type.sin.sin_port));
 	}
diff --git a/bin/tests/sockaddr/Makefile.in b/bin/tests/sockaddr/Makefile.in
index d582ea56..b1d83f5a 100644
--- a/bin/tests/sockaddr/Makefile.in
+++ b/bin/tests/sockaddr/Makefile.in
@@ -1,5 +1,5 @@
 # Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1999-2001  Internet Software Consortium.
+# Copyright (C) 1999-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -13,13 +13,13 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.14.2.3 2004/07/20 07:00:15 marka Exp $
+# $Id: Makefile.in,v 1.14.12.6 2004/03/08 09:04:16 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
 top_srcdir =	@top_srcdir@
 
-@BIND9_INCLUDES@
+@BIND9_MAKE_INCLUDES@
 
 CINCLUDES =	${TEST_INCLUDES} ${ISC_INCLUDES}
 
@@ -36,20 +36,20 @@ DEPLIBS =	${TAPIDEPLIBS} ${ISCDEPLIBS}
 
 LIBS =		${TAPILIBS} ${ISCLIBS} @LIBS@
 
-TARGETS =	t_sockaddr
+TARGETS =	t_sockaddr@EXEEXT@
 
 SRCS =		t_sockaddr.c
 
 @BIND9_MAKE_RULES@
 
-t_sockaddr: t_sockaddr.@O@ ${DEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ t_sockaddr.@O@ ${LIBS}
+t_sockaddr@EXEEXT@: t_sockaddr.@O@ ${DEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} -o $@ t_sockaddr.@O@ ${LIBS}
 
-test: t_sockaddr
-	-@./t_sockaddr -b @srcdir@ -a
+test: t_sockaddr@EXEEXT@
+	-@./t_sockaddr@EXEEXT@ -b @srcdir@ -a
 
 testhelp:
-	@./t_sockaddr -h
+	@./t_sockaddr@EXEEXT@ -h
 
 clean distclean::
 	rm -f ${TARGETS}
diff --git a/bin/tests/sockaddr/t_sockaddr.c b/bin/tests/sockaddr/t_sockaddr.c
index 8e48b1ff..40b62dd1 100644
--- a/bin/tests/sockaddr/t_sockaddr.c
+++ b/bin/tests/sockaddr/t_sockaddr.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: t_sockaddr.c,v 1.11.2.1 2004/03/09 06:09:40 marka Exp $ */
+/* $Id: t_sockaddr.c,v 1.11.206.1 2004/03/06 10:21:46 marka Exp $ */
 
 #include <config.h>
 
diff --git a/bin/tests/sym_test.c b/bin/tests/sym_test.c
index 3b8a8fef..059dc14b 100644
--- a/bin/tests/sym_test.c
+++ b/bin/tests/sym_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sym_test.c,v 1.22.2.3 2005/03/17 03:59:31 marka Exp $ */
+/* $Id: sym_test.c,v 1.22.12.3 2004/03/08 04:04:27 marka Exp $ */
 
 #include <config.h>
 
@@ -71,9 +71,9 @@ main(int argc, char *argv[]) {
 	RUNTIME_CHECK(isc_symtab_create(mctx, 691, undefine_action, NULL,
 					case_sensitive, &st) == ISC_R_SUCCESS);
 
-	while (fgets(s, sizeof s, stdin) != NULL) {
+	while (fgets(s, sizeof(s), stdin) != NULL) {
 		len = strlen(s);
-		if (len > 0U && s[len - 1] == '\n') {
+		if (len > 0 && s[len - 1] == '\n') {
 			s[len - 1] = '\0';
 			len--;
 		}
diff --git a/bin/tests/system/Makefile.in b/bin/tests/system/Makefile.in
index ae197525..10a934b9 100644
--- a/bin/tests/system/Makefile.in
+++ b/bin/tests/system/Makefile.in
@@ -13,13 +13,13 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.24.2.1 2004/03/09 06:09:40 marka Exp $
+# $Id: Makefile.in,v 1.24.12.4 2004/03/08 04:04:32 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
 top_srcdir =	@top_srcdir@
 
-@BIND9_INCLUDES@
+@BIND9_MAKE_INCLUDES@
 
 SUBDIRS =	lwresd tkey
 TARGETS =
@@ -29,6 +29,8 @@ TARGETS =
 # Running the scripts below is bypassed when a separate
 # build directory is used.
 
+check: test
+
 test: subdirs
 	if test -f ./runall.sh; then sh ./runall.sh; fi
 
diff --git a/bin/tests/system/README b/bin/tests/system/README
index 59fd47db..480fa7f0 100644
--- a/bin/tests/system/README
+++ b/bin/tests/system/README
@@ -1,3 +1,6 @@
+Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+Copyright (C) 2000, 2001  Internet Software Consortium.
+See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
 
 This is a simple test environment for running bind9 system tests
 involving multiple name servers.
@@ -48,4 +51,4 @@ The tests can be run individually like this:
 To run all the tests, just type "make test".
 
 
-$Id: README,v 1.9.4.2 2001/09/17 21:43:09 gson Exp $
+$Id: README,v 1.9.4.2.10.1 2004/03/08 04:04:32 marka Exp $
diff --git a/bin/tests/system/cacheclean/clean.sh b/bin/tests/system/cacheclean/clean.sh
index a3ead70a..6acc4535 100644
--- a/bin/tests/system/cacheclean/clean.sh
+++ b/bin/tests/system/cacheclean/clean.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: clean.sh,v 1.2.2.1 2004/03/09 06:09:43 marka Exp $
+# $Id: clean.sh,v 1.2.206.1 2004/03/06 10:21:49 marka Exp $
 
 #
 # Clean up after cache cleaner tests.
diff --git a/bin/tests/system/cacheclean/ns1/example.db b/bin/tests/system/cacheclean/ns1/example.db
index af501073..ae123871 100644
--- a/bin/tests/system/cacheclean/ns1/example.db
+++ b/bin/tests/system/cacheclean/ns1/example.db
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: example.db,v 1.2.2.1 2004/03/09 06:09:44 marka Exp $
+; $Id: example.db,v 1.2.206.1 2004/03/06 10:21:49 marka Exp $
 
 $TTL 999999
 $ORIGIN .
diff --git a/bin/tests/system/cacheclean/ns1/named.conf b/bin/tests/system/cacheclean/ns1/named.conf
index 42f78344..46cc174e 100644
--- a/bin/tests/system/cacheclean/ns1/named.conf
+++ b/bin/tests/system/cacheclean/ns1/named.conf
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.2.2.2 2004/03/09 06:09:44 marka Exp $ */
+/* $Id: named.conf,v 1.2.206.2 2004/03/06 10:21:49 marka Exp $ */
 
 controls { /* empty */ };
 
diff --git a/bin/tests/system/cacheclean/ns2/named.conf b/bin/tests/system/cacheclean/ns2/named.conf
index 33115c18..772e22e1 100644
--- a/bin/tests/system/cacheclean/ns2/named.conf
+++ b/bin/tests/system/cacheclean/ns2/named.conf
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.2.2.2 2004/03/09 06:09:46 marka Exp $ */
+/* $Id: named.conf,v 1.2.206.2 2004/03/06 10:21:49 marka Exp $ */
 
 controls { /* empty */ };
 
diff --git a/bin/tests/system/cacheclean/tests.sh b/bin/tests/system/cacheclean/tests.sh
index 31999928..5fb3ffd2 100644
--- a/bin/tests/system/cacheclean/tests.sh
+++ b/bin/tests/system/cacheclean/tests.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: tests.sh,v 1.2.2.1 2004/03/09 06:09:43 marka Exp $
+# $Id: tests.sh,v 1.2.206.1 2004/03/06 10:21:49 marka Exp $
 
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
diff --git a/bin/tests/system/checkconf/bad.conf b/bin/tests/system/checkconf/bad.conf
deleted file mode 100644
index c1490f3e..00000000
--- a/bin/tests/system/checkconf/bad.conf
+++ /dev/null
@@ -1,52 +0,0 @@
-/*
- * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: bad.conf,v 1.2.6.1 2005/06/23 08:02:36 marka Exp $ */
-
-options {
-	avoid-v4-udp-ports { 100; }
-	avoid-v6-udp-ports { 100; };
-	blackhole { 10.0.0.0/8; };
-	coresize 1G;
-	datasize 100M;
-	deallocate-on-exit yes;
-	directory ".";
-	dump-file "named_dumpdb";
-	fake-iquery yes;
-	files 1000;
-	has-old-clients no;
-	heartbeat-interval 30;
-	host-statistics yes;
-	host-statistics-max 100;
-	hostname none;
-	interface-interval 30;
-	listen-on port 90 { any; };
-	listen-on port 100 { 127.0.0.1; };
-	listen-on-v6 port 53 { none; };
-	match-mapped-addresses yes;
-	memstatistics-file "named.memstats";
-	multiple-cnames no;
-	named-xfer "this is no longer needed";
-	pid-file none;
-	port 5300;
-	querylog yes;
-	recursing-file "named.recursing";
-	random-device "/dev/random";
-	recursive-clients 3000;
-	serial-queries 10;
-	serial-query-rate 100;
-	server-id none;
-};
diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf
deleted file mode 100644
index 91976ae1..00000000
--- a/bin/tests/system/checkconf/good.conf
+++ /dev/null
@@ -1,49 +0,0 @@
-/*
- * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: good.conf,v 1.2.6.1 2005/06/23 08:02:36 marka Exp $ */
-
-/*
- * This is just a random selection of configuration options.
- */
-
-options {
-	blackhole { 10.0.0.0/8; };
-	coresize 1G;
-	datasize 100M;
-	deallocate-on-exit yes;
-	directory ".";
-	dump-file "named_dumpdb";
-	fake-iquery yes;
-	files 1000;
-	has-old-clients no;
-	heartbeat-interval 30;
-	host-statistics yes;
-	host-statistics-max 100;
-	interface-interval 30;
-	listen-on port 90 { any; };
-	listen-on port 100 { 127.0.0.1; };
-	listen-on-v6 port 53 { none; };
-	match-mapped-addresses yes;
-	memstatistics-file "named.memstats";
-	multiple-cnames no;
-	named-xfer "this is no longer needed";
-	port 5300;
-	random-device "/dev/random";
-	recursive-clients 3000;
-	serial-queries 10;
-	serial-query-rate 100;
-};
diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh
deleted file mode 100644
index 2908ce7f..00000000
--- a/bin/tests/system/checkconf/tests.sh
+++ /dev/null
@@ -1,37 +0,0 @@
-# Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: tests.sh,v 1.1.6.1 2005/06/23 08:02:36 marka Exp $
-
-SYSTEMTESTTOP=..
-. $SYSTEMTESTTOP/conf.sh
-
-status=0
-
-echo "I: checking that named-checkconf handles a known good config"
-
-ret=0
-$CHECKCONF good.conf > /dev/null 2>&1 || ret=1
-if [ $ret != 0 ]; then echo "I:failed"; fi
-status=`expr $status + $ret`
-
-echo "I: checking that named-checkconf handles a known bad config"
-
-ret=1
-$CHECKCONF bad.conf > /dev/null 2>&1 || ret=0
-if [ $ret != 0 ]; then echo "I:failed"; fi
-status=`expr $status + $ret`
-
-echo "I:exit status: $status"
-exit $status
diff --git a/bin/tests/system/checknames/clean.sh b/bin/tests/system/checknames/clean.sh
new file mode 100644
index 00000000..3ec7b716
--- /dev/null
+++ b/bin/tests/system/checknames/clean.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+#
+# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: clean.sh,v 1.2.2.3 2004/03/09 04:23:43 marka Exp $
+
+rm -f dig.out.ns?.test*
+rm -f nsupdate.out.test*
+rm -f ns1/*.example.db
+rm -f ns1/*.update.db
+rm -f ns1/*.update.db.jnl
diff --git a/bin/tests/system/checknames/ns1/fail.example.db.in b/bin/tests/system/checknames/ns1/fail.example.db.in
new file mode 100644
index 00000000..3d1ba6c0
--- /dev/null
+++ b/bin/tests/system/checknames/ns1/fail.example.db.in
@@ -0,0 +1,22 @@
+; Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: fail.example.db.in,v 1.2.2.2 2004/03/06 10:21:51 marka Exp $
+
+$TTL 300
+@	SOA ns1.fail.example. hostmaster.fail.example. (
+	    1 3600 1200 604800 3600 )
+	NS  ns1.fail.example.
+ns1.fail.example. A 10.53.0.1
+xx_xx.fail.example. A 127.0.0.1
diff --git a/bin/tests/system/checknames/ns1/fail.update.db.in b/bin/tests/system/checknames/ns1/fail.update.db.in
new file mode 100644
index 00000000..b11026f3
--- /dev/null
+++ b/bin/tests/system/checknames/ns1/fail.update.db.in
@@ -0,0 +1,21 @@
+; Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: fail.update.db.in,v 1.2.2.2 2004/03/06 10:21:51 marka Exp $
+
+$TTL 300
+@	SOA ns1.fail.update. hostmaster.fail.update. (
+	    1 3600 1200 604800 3600 )
+	NS  ns1.fail.update.
+ns1.fail.update. A 10.53.0.1
diff --git a/bin/tests/system/checknames/ns1/ignore.example.db.in b/bin/tests/system/checknames/ns1/ignore.example.db.in
new file mode 100644
index 00000000..cbf48357
--- /dev/null
+++ b/bin/tests/system/checknames/ns1/ignore.example.db.in
@@ -0,0 +1,23 @@
+; Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: ignore.example.db.in,v 1.2.2.2 2004/03/06 10:21:51 marka Exp $
+
+$TTL 300
+@	SOA ns1.ignore.example. hostmaster.ignore.example. (
+	    1 3600 1200 604800 3600 )
+	NS  ns1.ignore.example.
+ns1.ignore.example. A 10.53.0.1
+yy_yy.ignore.example. A 10.53.0.1
+mx.ignore.example. MX 10 zz_zz.ignore.example.
diff --git a/bin/tests/system/checknames/ns1/ignore.update.db.in b/bin/tests/system/checknames/ns1/ignore.update.db.in
new file mode 100644
index 00000000..2262ba3e
--- /dev/null
+++ b/bin/tests/system/checknames/ns1/ignore.update.db.in
@@ -0,0 +1,21 @@
+; Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: ignore.update.db.in,v 1.2.2.2 2004/03/06 10:21:51 marka Exp $
+
+$TTL 300
+@	SOA ns1.ignore.update. hostmaster.ignore.update. (
+	    1 3600 1200 604800 3600 )
+	NS  ns1.ignore.update.
+ns1.ignore.update. A 10.53.0.1
diff --git a/bin/tests/system/checknames/ns1/named.conf b/bin/tests/system/checknames/ns1/named.conf
new file mode 100644
index 00000000..1d6a63e2
--- /dev/null
+++ b/bin/tests/system/checknames/ns1/named.conf
@@ -0,0 +1,75 @@
+/*
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.2.2.3 2004/03/06 10:21:51 marka Exp $ */
+
+controls { /* empty */ };
+
+options {
+        query-source address 10.53.0.1;
+        notify-source 10.53.0.1;
+        transfer-source 10.53.0.1;
+        port 5300;
+        pid-file "named.pid";
+        listen-on { 10.53.0.1; };
+        listen-on-v6 { none; };
+        recursion no;
+        notify yes;
+};
+
+zone "." {
+	type master;
+	file "root.db";
+};
+
+zone "ignore.example" {
+	type master;
+	file "ignore.example.db";
+	check-names ignore;
+};
+
+zone "warn.example" {
+	type master;
+	file "warn.example.db";
+	check-names warn;
+};
+
+zone "fail.example" {
+	type master;
+	file "fail.example.db";
+	check-names fail;
+};
+
+zone "ignore.update" {
+	type master;
+	file "ignore.update.db";
+	allow-update { any; };
+	check-names ignore;
+};
+
+zone "warn.update" {
+	type master;
+	file "warn.update.db";
+	allow-update { any; };
+	check-names warn;
+};
+
+zone "fail.update" {
+	type master;
+	file "fail.update.db";
+	allow-update { any; };
+	check-names fail;
+};
diff --git a/bin/tests/system/checknames/ns1/root.db b/bin/tests/system/checknames/ns1/root.db
new file mode 100644
index 00000000..b96aed94
--- /dev/null
+++ b/bin/tests/system/checknames/ns1/root.db
@@ -0,0 +1,35 @@
+; Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: root.db,v 1.2.2.2 2004/03/06 10:21:52 marka Exp $
+
+$TTL 300
+@	SOA ns1. hostmaster.warn.example. (
+	    1 3600 1200 604800 3600 )
+	NS  ns1.
+ns1. A 10.53.0.1
+;
+ignore.example. NS ns1.ignore.example.
+ns1.ignore.example. A 10.53.0.1
+warn.example. NS ns1.warn.example.
+ns1.warn.example. A 10.53.0.1
+fail.example. NS ns1.fail.example.
+ns1.fail.example. A 10.53.0.1
+;
+ignore.update. NS ns1.ignore.update.
+ns1.ignore.update. A 10.53.0.1
+warn.update. NS ns1.warn.update.
+ns1.warn.update. A 10.53.0.1
+fail.update. NS ns1.fail.update.
+ns1.fail.update. A 10.53.0.1
diff --git a/bin/tests/system/checknames/ns1/warn.example.db.in b/bin/tests/system/checknames/ns1/warn.example.db.in
new file mode 100644
index 00000000..deeb602f
--- /dev/null
+++ b/bin/tests/system/checknames/ns1/warn.example.db.in
@@ -0,0 +1,22 @@
+; Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: warn.example.db.in,v 1.2.2.2 2004/03/06 10:21:52 marka Exp $
+
+$TTL 300
+@	SOA ns1.warn.example. hostmaster.warn.example. (
+	    1 3600 1200 604800 3600 )
+	NS  ns1.warn.example.
+ns1.warn.example. A 10.53.0.1
+xx_xx.warn.example. A 10.53.0.1
diff --git a/bin/tests/system/checknames/ns1/warn.update.db.in b/bin/tests/system/checknames/ns1/warn.update.db.in
new file mode 100644
index 00000000..ca7fda6f
--- /dev/null
+++ b/bin/tests/system/checknames/ns1/warn.update.db.in
@@ -0,0 +1,21 @@
+; Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: warn.update.db.in,v 1.2.2.2 2004/03/06 10:21:52 marka Exp $
+
+$TTL 300
+@	SOA ns1.warn.update. hostmaster.warn.update. (
+	    1 3600 1200 604800 3600 )
+	NS  ns1.warn.update.
+ns1.warn.update. A 10.53.0.1
diff --git a/bin/tests/system/checknames/ns2/named.conf b/bin/tests/system/checknames/ns2/named.conf
new file mode 100644
index 00000000..0070961e
--- /dev/null
+++ b/bin/tests/system/checknames/ns2/named.conf
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.2.2.3 2004/03/06 10:21:52 marka Exp $ */
+
+controls { /* empty */ };
+
+options {
+        query-source address 10.53.0.2;
+        notify-source 10.53.0.2;
+        transfer-source 10.53.0.2;
+        port 5300;
+        pid-file "named.pid";
+        listen-on { 10.53.0.2; };
+        listen-on-v6 { none; };
+        recursion yes;
+	check-names response warn;
+        notify yes;
+};
+
+zone "." {
+	type hint;
+	file "root.hints";
+};
diff --git a/bin/tests/system/checknames/ns2/root.hints b/bin/tests/system/checknames/ns2/root.hints
new file mode 100644
index 00000000..4f5921b1
--- /dev/null
+++ b/bin/tests/system/checknames/ns2/root.hints
@@ -0,0 +1,19 @@
+; Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: root.hints,v 1.2.2.2 2004/03/06 10:21:52 marka Exp $
+
+$TTL 300
+. NS  ns1.
+ns1. A 10.53.0.1
diff --git a/bin/tests/system/checknames/ns3/named.conf b/bin/tests/system/checknames/ns3/named.conf
new file mode 100644
index 00000000..a84ff3f1
--- /dev/null
+++ b/bin/tests/system/checknames/ns3/named.conf
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.2.2.3 2004/03/06 10:21:53 marka Exp $ */
+
+controls { /* empty */ };
+
+options {
+        query-source address 10.53.0.3;
+        notify-source 10.53.0.3;
+        transfer-source 10.53.0.3;
+        port 5300;
+        pid-file "named.pid";
+        listen-on { 10.53.0.3; };
+        listen-on-v6 { none; };
+        recursion yes;
+	check-names response fail;
+        notify yes;
+};
+
+zone "." {
+	type hint;
+	file "root.hints";
+};
diff --git a/bin/tests/system/checknames/ns3/root.hints b/bin/tests/system/checknames/ns3/root.hints
new file mode 100644
index 00000000..9043797e
--- /dev/null
+++ b/bin/tests/system/checknames/ns3/root.hints
@@ -0,0 +1,19 @@
+; Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: root.hints,v 1.2.2.2 2004/03/06 10:21:53 marka Exp $
+
+$TTL 300
+. NS  ns1.
+ns1. A 10.53.0.1
diff --git a/bin/tests/system/checknames/setup.sh b/bin/tests/system/checknames/setup.sh
new file mode 100644
index 00000000..11e0b2b6
--- /dev/null
+++ b/bin/tests/system/checknames/setup.sh
@@ -0,0 +1,23 @@
+# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: setup.sh,v 1.2.2.2 2004/03/06 10:21:50 marka Exp $
+
+cp ns1/ignore.example.db.in ns1/ignore.example.db
+cp ns1/warn.example.db.in ns1/warn.example.db
+cp ns1/fail.example.db.in ns1/fail.example.db
+
+cp ns1/ignore.update.db.in ns1/ignore.update.db
+cp ns1/warn.update.db.in ns1/warn.update.db
+cp ns1/fail.update.db.in ns1/fail.update.db
diff --git a/bin/tests/system/checknames/tests.sh b/bin/tests/system/checknames/tests.sh
new file mode 100644
index 00000000..f9a210da
--- /dev/null
+++ b/bin/tests/system/checknames/tests.sh
@@ -0,0 +1,134 @@
+#!/bin/sh
+#
+# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: tests.sh,v 1.2.2.2 2004/03/06 10:21:50 marka Exp $
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+status=0
+n=1
+
+DIGOPTS="+tcp +noadd +nosea +nostat +nocmd -p 5300"
+
+# Entry should exist.
+echo "I: check for failure from on zone load for 'check-names fail;' ($n)"
+ret=0
+$DIG $DIGOPTS fail.example. @10.53.0.1 a > dig.out.ns1.test$n || ret=1
+grep SERVFAIL dig.out.ns1.test$n > /dev/null || ret=1
+grep 'xx_xx.fail.example: bad owner name (check-names)' ns1/named.run > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+# Entry should exist.
+echo "I: check for warnings from on zone load for 'check-names warn;' ($n)"
+ret=0
+grep 'xx_xx.warn.example: bad owner name (check-names)' ns1/named.run > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+# Entry should not exist.
+echo "I: check for warnings from on zone load for 'check-names ignore;' ($n)"
+ret=1
+grep 'yy_yy.ignore.example: bad owner name (check-names)' ns1/named.run || ret=0
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+# Entry should exist
+echo "I: check that 'check-names response warn;' works ($n)"
+ret=0
+$DIG $DIGOPTS yy_yy.ignore.example. @10.53.0.1 a > dig.out.ns1.test$n || ret=1
+$DIG $DIGOPTS yy_yy.ignore.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns2.test$n || ret=1
+grep "check-names warning yy_yy.ignore.example/A/IN" ns2/named.run > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+# Entry should exist
+echo "I: check that 'check-names response (owner) fails;' works ($n)"
+ret=0
+$DIG $DIGOPTS yy_yy.ignore.example. @10.53.0.1 a > dig.out.ns1.test$n || ret=1
+$DIG $DIGOPTS yy_yy.ignore.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+grep NOERROR dig.out.ns1.test$n > /dev/null || ret=1
+grep REFUSED dig.out.ns3.test$n > /dev/null || ret=1
+grep "check-names failure yy_yy.ignore.example/A/IN" ns3/named.run > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+# Entry should exist
+echo "I: check that 'check-names response (rdata) fails;' works ($n)"
+ret=0
+$DIG $DIGOPTS mx.ignore.example. @10.53.0.1 MX > dig.out.ns1.test$n || ret=1
+$DIG $DIGOPTS mx.ignore.example. @10.53.0.3 MX > dig.out.ns3.test$n || ret=1
+grep NOERROR dig.out.ns1.test$n > /dev/null || ret=1
+grep SERVFAIL dig.out.ns3.test$n > /dev/null || ret=1
+grep "check-names failure mx.ignore.example/MX/IN" ns3/named.run > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+echo "I: check that updates to 'check-names fail;' are rejected ($n)"
+ret=0
+not=1
+$NSUPDATE -d <<END> nsupdate.out.test$n 2>&1 || not=0
+server 10.53.0.1 5300
+update add xxx_xxx.fail.update. 600 A 10.10.10.1
+send
+END
+if [ $not != 0 ]; then ret=1; fi
+$DIG $DIGOPTS xxx_xxx.fail.update @10.53.0.1 A > dig.out.ns1.test$n || ret=1
+grep "xxx_xxx.fail.update/A: bad owner name (check-names)" ns1/named.run > /dev/null || ret=1
+grep NXDOMAIN dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+echo "I: check that updates to 'check-names warn;' succeed and are logged ($n)"
+ret=0
+$NSUPDATE -d <<END> nsupdate.out.test$n  2>&1|| ret=1
+server 10.53.0.1 5300
+update add xxx_xxx.warn.update. 600 A 10.10.10.1
+send
+END
+$DIG $DIGOPTS xxx_xxx.warn.update @10.53.0.1 A > dig.out.ns1.test$n || ret=1
+grep "xxx_xxx.warn.update/A: bad owner name (check-names)" ns1/named.run > /dev/null || ret=1
+grep NOERROR dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+echo "I: check that updates to 'check-names ignore;' succeed and are not logged ($n)"
+ret=0
+not=1
+$NSUPDATE -d <<END> nsupdate.out.test$n 2>&1 || ret=1
+server 10.53.0.1 5300
+update add xxx_xxx.ignore.update. 600 A 10.10.10.1
+send
+END
+grep "xxx_xxx.ignore.update/A.*(check-names)" ns1/named.run > /dev/null || not=0
+if [ $not != 0 ]; then ret=1; fi
+$DIG $DIGOPTS xxx_xxx.ignore.update @10.53.0.1 A > dig.out.ns1.test$n || ret=1
+grep NOERROR dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+exit $status
diff --git a/bin/tests/system/cleanall.sh b/bin/tests/system/cleanall.sh
index 0910ae12..b7563b91 100644
--- a/bin/tests/system/cleanall.sh
+++ b/bin/tests/system/cleanall.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: cleanall.sh,v 1.8.2.1 2004/03/09 06:09:40 marka Exp $
+# $Id: cleanall.sh,v 1.8.206.1 2004/03/06 10:21:47 marka Exp $
 
 #
 # Clean up after system tests.
diff --git a/bin/tests/system/common/controls.conf b/bin/tests/system/common/controls.conf
index 3e88c221..d63a9d35 100644
--- a/bin/tests/system/common/controls.conf
+++ b/bin/tests/system/common/controls.conf
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: controls.conf,v 1.3.2.1 2004/03/09 06:09:46 marka Exp $ */
+/* $Id: controls.conf,v 1.3.206.1 2004/03/06 10:21:53 marka Exp $ */
 
 key rndc_key {
         secret "1234abcd8765";
diff --git a/bin/tests/system/common/rndc.conf b/bin/tests/system/common/rndc.conf
index a7e1f42f..b918ba60 100644
--- a/bin/tests/system/common/rndc.conf
+++ b/bin/tests/system/common/rndc.conf
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rndc.conf,v 1.2.2.1 2004/03/09 06:09:46 marka Exp $ */
+/* $Id: rndc.conf,v 1.2.206.1 2004/03/06 10:21:54 marka Exp $ */
 
 options {
         default-key     "rndc_key";
diff --git a/bin/tests/system/common/root.hint b/bin/tests/system/common/root.hint
index b46b26da..2793249a 100644
--- a/bin/tests/system/common/root.hint
+++ b/bin/tests/system/common/root.hint
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: root.hint,v 1.2.2.1 2004/03/09 06:09:47 marka Exp $
+; $Id: root.hint,v 1.2.206.1 2004/03/06 10:21:54 marka Exp $
 
 $TTL 999999
 .			 IN NS	a.root-servers.nil.
diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in
index 0c8a0e39..1a82ac47 100644
--- a/bin/tests/system/conf.sh.in
+++ b/bin/tests/system/conf.sh.in
@@ -1,7 +1,7 @@
 #!/bin/sh
 #
-# Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
+# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2000-2003  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: conf.sh.in,v 1.23.2.5 2005/06/24 00:02:40 marka Exp $
+# $Id: conf.sh.in,v 1.23.2.2.4.5 2004/03/08 04:04:32 marka Exp $
 
 #
 # Common configuration data for system tests, to be sourced into
@@ -37,21 +37,16 @@ RNDC=$TOP/bin/rndc/rndc
 NSUPDATE=$TOP/bin/nsupdate/nsupdate
 KEYGEN=$TOP/bin/dnssec/dnssec-keygen
 SIGNER=$TOP/bin/dnssec/dnssec-signzone
-KEYSIGNER=$TOP/bin/dnssec/dnssec-signkey
-KEYSETTOOL=$TOP/bin/dnssec/dnssec-makekeyset
-CHECKCONF=$TOP/bin/check/named-checkconf
 
 # The "stress" test is not run by default since it creates enough
 # load on the machine to make it unusable to other users.
-#
-# dnssec is missing from SUBDIRS as RFC 2535 support is disabled
-# 
-SUBDIRS="cacheclean checkconf forward glue ixfr limits lwresd \
+# v6synth
+SUBDIRS="cacheclean checknames dnssec forward glue ixfr limits lwresd \
     masterfile notify nsupdate resolver sortlist stub tkey \
-    unknown upforwd v6synth views xfer xferquota"
+    unknown upforwd views xfer xferquota"
 
 # PERL will be an empty string if no perl interpreter was found.
 PERL=@PERL@
 
 export NAMED LWRESD DIG NSUPDATE KEYGEN SIGNER KEYSIGNER KEYSETTOOL PERL \
-    SUBDIRS RNDC CHECKCONF
+    SUBDIRS RNDC
diff --git a/bin/tests/system/dialup/ns1/example.db b/bin/tests/system/dialup/ns1/example.db
index cb03b715..f49f293f 100644
--- a/bin/tests/system/dialup/ns1/example.db
+++ b/bin/tests/system/dialup/ns1/example.db
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: example.db,v 1.3.2.1 2004/03/09 06:09:48 marka Exp $
+; $Id: example.db,v 1.3.206.1 2004/03/06 10:21:55 marka Exp $
 
 @	3600	SOA	hostmaster.ns1 ns1 (
 			1 3600 1200 3600000 1200 )
diff --git a/bin/tests/system/dialup/ns1/named.conf b/bin/tests/system/dialup/ns1/named.conf
index f00e6951..10f7b118 100644
--- a/bin/tests/system/dialup/ns1/named.conf
+++ b/bin/tests/system/dialup/ns1/named.conf
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.4.2.2 2004/03/09 06:09:48 marka Exp $ */
+/* $Id: named.conf,v 1.4.206.2 2004/03/06 10:21:55 marka Exp $ */
 
 controls { /* empty */ };
 
diff --git a/bin/tests/system/dialup/ns1/root.db b/bin/tests/system/dialup/ns1/root.db
index 49ec489c..22d0d88d 100644
--- a/bin/tests/system/dialup/ns1/root.db
+++ b/bin/tests/system/dialup/ns1/root.db
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: root.db,v 1.3.2.1 2004/03/09 06:09:48 marka Exp $
+; $Id: root.db,v 1.3.206.1 2004/03/06 10:21:55 marka Exp $
 
 @	3600	SOA	hostmaster.ns1.example ns1.example (
 			1 3600 1200 3600000 1200 )
diff --git a/bin/tests/system/dialup/ns2/hint.db b/bin/tests/system/dialup/ns2/hint.db
index 982343e3..3cea834a 100644
--- a/bin/tests/system/dialup/ns2/hint.db
+++ b/bin/tests/system/dialup/ns2/hint.db
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: hint.db,v 1.3.2.1 2004/03/09 06:09:48 marka Exp $
+; $Id: hint.db,v 1.3.206.1 2004/03/06 10:21:55 marka Exp $
 
 .	1200	NS	ns1.example
 ns1.example	A	10.53.0.1
diff --git a/bin/tests/system/dialup/ns2/named.conf b/bin/tests/system/dialup/ns2/named.conf
index 2ae3294d..edffcb1f 100644
--- a/bin/tests/system/dialup/ns2/named.conf
+++ b/bin/tests/system/dialup/ns2/named.conf
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.4.2.2 2004/03/09 06:09:49 marka Exp $ */
+/* $Id: named.conf,v 1.4.206.2 2004/03/06 10:21:56 marka Exp $ */
 
 controls { /* empty */ };
 
diff --git a/bin/tests/system/dialup/ns3/hint.db b/bin/tests/system/dialup/ns3/hint.db
index 1205da1e..833927d8 100644
--- a/bin/tests/system/dialup/ns3/hint.db
+++ b/bin/tests/system/dialup/ns3/hint.db
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: hint.db,v 1.3.2.1 2004/03/09 06:09:49 marka Exp $
+; $Id: hint.db,v 1.3.206.1 2004/03/06 10:21:56 marka Exp $
 
 .	1200	NS	ns1.example
 ns1.example	A	10.53.0.1
diff --git a/bin/tests/system/dialup/ns3/named.conf b/bin/tests/system/dialup/ns3/named.conf
index 48c849e7..42e91876 100644
--- a/bin/tests/system/dialup/ns3/named.conf
+++ b/bin/tests/system/dialup/ns3/named.conf
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.4.2.2 2004/03/09 06:09:49 marka Exp $ */
+/* $Id: named.conf,v 1.4.206.2 2004/03/06 10:21:56 marka Exp $ */
 
 controls { /* empty */ };
 
diff --git a/bin/tests/system/dialup/setup.sh b/bin/tests/system/dialup/setup.sh
index 0e0ed3f8..637e8ecd 100644
--- a/bin/tests/system/dialup/setup.sh
+++ b/bin/tests/system/dialup/setup.sh
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: setup.sh,v 1.3.2.1 2004/03/09 06:09:47 marka Exp $
+# $Id: setup.sh,v 1.3.206.1 2004/03/06 10:21:54 marka Exp $
 
 rm -f ns2/example.bk
 rm -f ns3/example.bk
diff --git a/bin/tests/system/dialup/tests.sh b/bin/tests/system/dialup/tests.sh
index 305cbf39..f04b7635 100644
--- a/bin/tests/system/dialup/tests.sh
+++ b/bin/tests/system/dialup/tests.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: tests.sh,v 1.3.2.1 2004/03/09 06:09:47 marka Exp $
+# $Id: tests.sh,v 1.3.206.1 2004/03/06 10:21:54 marka Exp $
 
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
diff --git a/bin/tests/system/digcomp.pl b/bin/tests/system/digcomp.pl
index 9e85950d..d0fc9f55 100644
--- a/bin/tests/system/digcomp.pl
+++ b/bin/tests/system/digcomp.pl
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: digcomp.pl,v 1.11.2.1 2004/03/09 06:09:41 marka Exp $
+# $Id: digcomp.pl,v 1.11.206.1 2004/03/06 10:21:47 marka Exp $
 
 # Compare two files, each with the output from dig, for differences.
 # Ignore "unimportant" differences, like ordering of NS lines, TTL's,
diff --git a/bin/tests/system/dnssec/README b/bin/tests/system/dnssec/README
index 68c9dd8a..e4bdad1b 100644
--- a/bin/tests/system/dnssec/README
+++ b/bin/tests/system/dnssec/README
@@ -1,8 +1,8 @@
 Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
-Copyright (C) 2000, 2001  Internet Software Consortium.
+Copyright (C) 2000-2002  Internet Software Consortium.
 See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
 
-$Id: README,v 1.5.2.1 2004/03/09 06:09:49 marka Exp $
+$Id: README,v 1.5.12.3 2004/03/08 04:04:33 marka Exp $
 
 The test setup for the DNSSEC tests has a secure root.
 
@@ -13,5 +13,5 @@ ns2 and ns3 are authoritative servers for the various test domains.
 ns4 is a caching-only server, configured with the correct trusted key
 for the root.
 
-ns4 is a caching-only server, configured with the an incorrect trusted
+ns5 is a caching-only server, configured with the an incorrect trusted
 key for the root.  It is used for testing failure cases.
diff --git a/bin/tests/system/dnssec/clean.sh b/bin/tests/system/dnssec/clean.sh
index b8f024f3..447073e4 100644
--- a/bin/tests/system/dnssec/clean.sh
+++ b/bin/tests/system/dnssec/clean.sh
@@ -1,7 +1,7 @@
 #!/bin/sh
 #
 # Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2000, 2001  Internet Software Consortium.
+# Copyright (C) 2000-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -15,12 +15,13 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: clean.sh,v 1.10.2.3 2004/09/07 04:19:30 marka Exp $
+# $Id: clean.sh,v 1.10.12.4 2004/03/10 01:05:51 marka Exp $
 
-rm -f */K* */keyset-* */dsset-* */dlvset-* */signedkey-* */*.signed */trusted.conf
+rm -f */K* */keyset-* */signedkey-* */*.signed */trusted.conf */tmp*
 rm -f ns1/root.db ns2/example.db ns3/secure.example.db
-rm -f ns3/unsecure.example.db ns3/bogus.example.db
+rm -f ns3/unsecure.example.db ns3/bogus.example.db ns3/keyless.example.db
+rm -f ns3/dynamic.example.db ns3/dynamic.example.db.signed.jnl
 rm -f */example.bk
 rm -f dig.out.*
 rm -f random.data
-rm -f ns2/dlv.db
+
diff --git a/bin/tests/system/dnssec/dnssec_update_test.pl b/bin/tests/system/dnssec/dnssec_update_test.pl
new file mode 100644
index 00000000..89a60dfd
--- /dev/null
+++ b/bin/tests/system/dnssec/dnssec_update_test.pl
@@ -0,0 +1,105 @@
+#!/usr/bin/perl
+#
+# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2002  Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+#
+# DNSSEC Dynamic update test suite.
+#
+# Usage:
+#
+#   perl update_test.pl [-s server] [-p port] zone
+#
+# The server defaults to 127.0.0.1.
+# The port defaults to 53.
+#
+# Installation notes:
+#
+# This program uses the Net::DNS::Resolver module.
+# You can install it by saying
+#
+#    perl -MCPAN -e "install Net::DNS"
+#
+# $Id: dnssec_update_test.pl,v 1.3.2.1 2004/03/08 02:07:44 marka Exp $
+#
+
+use Getopt::Std;
+use Net::DNS;
+use Net::DNS::Update;
+use Net::DNS::Resolver;
+
+$opt_s = "127.0.0.1";
+$opt_p = 53;
+
+getopt('s:p:');
+
+$res = new Net::DNS::Resolver;
+$res->nameservers($opt_s);
+$res->port($opt_p);
+$res->defnames(0); # Do not append default domain.
+
+@ARGV == 1 or die
+    "usage: perl update_test.pl [-s server] [-p port] zone\n";
+
+$zone = shift @ARGV;
+
+my $failures = 0;
+
+sub assert {
+    my ($cond, $explanation) = @_;
+    if (!$cond) {
+	print "I:Test Failed: $explanation ***\n";
+	$failures++
+    }
+}
+
+sub test {
+    my ($expected, @records) = @_;
+
+    my $update = new Net::DNS::Update("$zone");
+
+    foreach $rec (@records) {
+	$update->push(@$rec);
+    }
+
+    $reply = $res->send($update);
+
+    # Did it work?
+    if (defined $reply) {
+	my $rcode = $reply->header->rcode;
+        assert($rcode eq $expected, "expected $expected, got $rcode");
+    } else {
+	print "I:Update failed: ", $res->errorstring, "\n";
+    }
+}
+
+sub section {
+    my ($msg) = @_;
+    print "I:$msg\n";
+}
+
+section("Add a name");
+test("NOERROR", ["update", rr_add("a.$zone 300 A 73.80.65.49")]);
+
+section("Delete the name");
+test("NOERROR", ["update", rr_del("a.$zone")]);
+
+if ($failures) {
+    print "I:$failures tests failed.\n";
+} else {
+    print "I:All tests successful.\n";
+}
+
+exit $failures;
diff --git a/bin/tests/system/dnssec/ns1/named.conf b/bin/tests/system/dnssec/ns1/named.conf
index 640a0630..40d6aea0 100644
--- a/bin/tests/system/dnssec/ns1/named.conf
+++ b/bin/tests/system/dnssec/ns1/named.conf
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.16.2.2 2004/03/09 06:09:50 marka Exp $ */
+/* $Id: named.conf,v 1.16.206.4 2004/03/10 02:55:53 marka Exp $ */
 
 // NS1
 
@@ -31,6 +31,7 @@ options {
 	listen-on-v6 { none; };
 	recursion no;
 	notify yes;
+	dnssec-enable yes;
 };
 
 zone "." {
diff --git a/bin/tests/system/dnssec/ns1/root.db.in b/bin/tests/system/dnssec/ns1/root.db.in
index 4ce96912..3cc6b84e 100644
--- a/bin/tests/system/dnssec/ns1/root.db.in
+++ b/bin/tests/system/dnssec/ns1/root.db.in
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: root.db.in,v 1.6.2.1 2004/03/09 06:09:50 marka Exp $
+; $Id: root.db.in,v 1.6.206.2 2004/03/10 02:55:54 marka Exp $
 
 $TTL 300
 . 			IN SOA	gson.nominum.com. a.root.servers.nil. (
@@ -28,3 +28,5 @@ a.root-servers.nil.	A	10.53.0.1
 
 example.		NS	ns2.example.
 ns2.example.		A	10.53.0.2
+dlv.			NS	ns2.dlv.
+ns2.dlv.		A	10.53.0.2
diff --git a/bin/tests/system/dnssec/ns1/sign.sh b/bin/tests/system/dnssec/ns1/sign.sh
index 795a6bd5..c6c72eff 100644
--- a/bin/tests/system/dnssec/ns1/sign.sh
+++ b/bin/tests/system/dnssec/ns1/sign.sh
@@ -1,7 +1,7 @@
 #!/bin/sh
 #
 # Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2000, 2001  Internet Software Consortium.
+# Copyright (C) 2000-2003  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: sign.sh,v 1.12.2.1 2004/03/09 06:09:50 marka Exp $
+# $Id: sign.sh,v 1.12.12.4 2004/03/10 02:55:54 marka Exp $
 
 SYSTEMTESTTOP=../..
 . $SYSTEMTESTTOP/conf.sh
@@ -26,21 +26,17 @@ zone=.
 infile=root.db.in
 zonefile=root.db
 
-keyname=`$KEYGEN -a RSA -b 768 -n zone -r $RANDFILE $zone`
-
 (cd ../ns2 && sh sign.sh )
 
 cp ../ns2/keyset-example. .
+cp ../ns2/keyset-dlv. .
 
-$KEYSIGNER -r $RANDFILE keyset-example. $keyname > /dev/null
-
-cat signedkey-example. >> ../ns2/example.db.signed
-
-$KEYSETTOOL -r $RANDFILE -t 3600 $keyname > /dev/null
+keyname=`$KEYGEN -r $RANDFILE -a RSA -b 768 -n zone $zone`
 
 cat $infile $keyname.key > $zonefile
 
-$SIGNER -r $RANDFILE -o $zone $zonefile > /dev/null
+echo $SIGNER -g -r $RANDFILE -o $zone $zonefile
+$SIGNER -g -r $RANDFILE -o $zone $zonefile > /dev/null
 
 # Configure the resolving server with a trusted key.
 
@@ -56,3 +52,4 @@ EOF
 cp trusted.conf ../ns2/trusted.conf
 cp trusted.conf ../ns3/trusted.conf
 cp trusted.conf ../ns4/trusted.conf
+cp trusted.conf ../ns6/trusted.conf
diff --git a/bin/tests/system/dnssec/ns2/dlv.db.in b/bin/tests/system/dnssec/ns2/dlv.db.in
new file mode 100644
index 00000000..7bf61eb6
--- /dev/null
+++ b/bin/tests/system/dnssec/ns2/dlv.db.in
@@ -0,0 +1,27 @@
+; Copyright (C) 2000-2002  Internet Software Consortium.
+;
+; Permission to use, copy, modify, and distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
+; DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
+; IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
+; INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
+; FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
+; NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
+; WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: dlv.db.in,v 1.1.4.1 2004/03/15 02:56:04 marka Exp $
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns2
+ns2			A	10.53.0.2
diff --git a/bin/tests/system/dnssec/ns2/dst.example.db.in b/bin/tests/system/dnssec/ns2/dst.example.db.in
new file mode 100644
index 00000000..8a5e6e21
--- /dev/null
+++ b/bin/tests/system/dnssec/ns2/dst.example.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: dst.example.db.in,v 1.2.2.1 2004/03/08 02:07:45 marka Exp $
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns2.example.
+a			A	10.0.0.1
diff --git a/bin/tests/system/dnssec/ns2/example.db.in b/bin/tests/system/dnssec/ns2/example.db.in
index 0669048d..1167716e 100644
--- a/bin/tests/system/dnssec/ns2/example.db.in
+++ b/bin/tests/system/dnssec/ns2/example.db.in
@@ -1,5 +1,5 @@
 ; Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
-; Copyright (C) 2000, 2001  Internet Software Consortium.
+; Copyright (C) 2000-2002  Internet Software Consortium.
 ;
 ; Permission to use, copy, modify, and distribute this software for any
 ; purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: example.db.in,v 1.8.2.1 2004/03/09 06:09:51 marka Exp $
+; $Id: example.db.in,v 1.8.12.3 2004/03/08 04:04:34 marka Exp $
 
 $TTL 300	; 5 minutes
 @			IN SOA	mname1. . (
@@ -58,9 +58,17 @@ ns.secure		A	10.53.0.3
 insecure		NS	ns.insecure
 ns.insecure		A	10.53.0.3
 
-
 ; A secure subdomain we're going to inject bogus data into
 bogus			NS	ns.bogus
 ns.bogus		A	10.53.0.3
 
+; A dynamic secure subdomain
+dynamic			NS	dynamic
+dynamic			A	10.53.0.3
+
 z			A	10.0.0.26
+
+keyless			NS	ns.keyless
+ns.keyless		A	10.53.0.3
+
+*.wild			A	10.0.0.27
diff --git a/bin/tests/system/dnssec/ns2/insecure.secure.example.db b/bin/tests/system/dnssec/ns2/insecure.secure.example.db
index e23e4aec..c09c3bd3 100644
--- a/bin/tests/system/dnssec/ns2/insecure.secure.example.db
+++ b/bin/tests/system/dnssec/ns2/insecure.secure.example.db
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: insecure.secure.example.db,v 1.6.2.1 2004/03/09 06:09:51 marka Exp $
+; $Id: insecure.secure.example.db,v 1.6.206.1 2004/03/06 10:22:00 marka Exp $
 
 $TTL 300	; 5 minutes
 @			IN SOA	mname1. . (
diff --git a/bin/tests/system/dnssec/ns2/named.conf b/bin/tests/system/dnssec/ns2/named.conf
index 64aabb17..cb25f8bf 100644
--- a/bin/tests/system/dnssec/ns2/named.conf
+++ b/bin/tests/system/dnssec/ns2/named.conf
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) 2000-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.17.2.2 2004/03/09 06:09:51 marka Exp $ */
+/* $Id: named.conf,v 1.17.12.5 2004/03/10 02:55:54 marka Exp $ */
 
 // NS2
 
@@ -31,6 +31,7 @@ options {
 	listen-on-v6 { none; };
 	recursion no;
 	notify yes;
+	dnssec-enable yes;
 };
 
 zone "." {
@@ -38,6 +39,11 @@ zone "." {
 	file "../../common/root.hint";
 };
 
+zone "dlv" {
+	type master;
+	file "dlv.db.signed";
+};
+
 zone "example" {
 	type master;
 	file "example.db.signed";
@@ -56,5 +62,4 @@ zone "insecure.secure.example" {
 	allow-update { any; };
 };
 
-
 include "trusted.conf";
diff --git a/bin/tests/system/dnssec/ns2/private.secure.example.db.in b/bin/tests/system/dnssec/ns2/private.secure.example.db.in
index 567922d4..41378138 100644
--- a/bin/tests/system/dnssec/ns2/private.secure.example.db.in
+++ b/bin/tests/system/dnssec/ns2/private.secure.example.db.in
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: private.secure.example.db.in,v 1.6.2.1 2004/03/09 06:09:51 marka Exp $
+; $Id: private.secure.example.db.in,v 1.6.206.2 2004/03/08 02:07:45 marka Exp $
 
 $TTL 300	; 5 minutes
 @			IN SOA	mname1. . (
@@ -30,3 +30,5 @@ a			A	10.0.0.1
 b			A	10.0.0.2
 d			A	10.0.0.4
 z			A	10.0.0.26
+private2secure-nxdomain	CNAME	r.example.
+*.wild			CNAME   s.example.
diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh
index 5b25416b..b07b54fd 100644
--- a/bin/tests/system/dnssec/ns2/sign.sh
+++ b/bin/tests/system/dnssec/ns2/sign.sh
@@ -1,7 +1,7 @@
 #!/bin/sh
 #
 # Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2000, 2001  Internet Software Consortium.
+# Copyright (C) 2000-2003  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: sign.sh,v 1.15.2.1 2004/03/09 06:09:51 marka Exp $
+# $Id: sign.sh,v 1.15.12.4 2004/03/10 02:55:54 marka Exp $
 
 SYSTEMTESTTOP=../..
 . $SYSTEMTESTTOP/conf.sh
@@ -26,34 +26,21 @@ zone=example.
 infile=example.db.in
 zonefile=example.db
 
-keyname=`$KEYGEN -r $RANDFILE -a RSA -b 768 -n zone $zone`
-
-# Have the child generate a zone key and pass it to us,
-# sign it, and pass it back
+# Have the child generate a zone key and pass it to us.
 
 ( cd ../ns3 && sh sign.sh )
 
-cp ../ns3/keyset-secure.example. .
-
-$KEYSIGNER -r $RANDFILE keyset-secure.example. $keyname > /dev/null
-
-# This will leave two copies of the child's zone key in the signed db file;
-# that shouldn't cause any problems.
-cat signedkey-secure.example. >>../ns3/secure.example.db.signed
-
-cp ../ns3/keyset-bogus.example. .
-
-$KEYSIGNER -r $RANDFILE keyset-bogus.example. $keyname > /dev/null
-
-# This will leave two copies of the child's zone key in the signed db file;
-# that shouldn't cause any problems.
-cat signedkey-bogus.example. >>../ns3/bogus.example.db.signed
+for subdomain in secure bogus dynamic keyless
+do
+	cp ../ns3/keyset-$subdomain.example. .
+done
 
-$KEYSETTOOL -r $RANDFILE -t 3600 $keyname > /dev/null
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone`
+keyname2=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone`
 
-cat $infile $keyname.key >$zonefile
+cat $infile $keyname1.key $keyname2.key >$zonefile
 
-$SIGNER -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -g -r $RANDFILE -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null
 
 # Sign the privately secure file
 
@@ -65,4 +52,17 @@ privkeyname=`$KEYGEN -r $RANDFILE -a RSA -b 768 -n zone $privzone`
 
 cat $privinfile $privkeyname.key >$privzonefile
 
-$SIGNER -r $RANDFILE -o $privzone $privzonefile > /dev/null
+$SIGNER -g -r $RANDFILE -o $privzone -l dlv $privzonefile > /dev/null
+
+# Sign the DLV secure zone.
+
+
+dlvzone=dlv.
+dlvinfile=dlv.db.in
+dlvzonefile=dlv.db
+
+dlvkeyname=`$KEYGEN -r $RANDFILE -a RSA -b 768 -n zone $dlvzone`
+
+cat $dlvinfile $dlvkeyname.key dlvset-$privzone > $dlvzonefile
+
+$SIGNER -g -r $RANDFILE -o $dlvzone $dlvzonefile > /dev/null
diff --git a/bin/tests/system/dnssec/ns3/bogus.example.db.in b/bin/tests/system/dnssec/ns3/bogus.example.db.in
index 948e0567..dc5060e4 100644
--- a/bin/tests/system/dnssec/ns3/bogus.example.db.in
+++ b/bin/tests/system/dnssec/ns3/bogus.example.db.in
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: bogus.example.db.in,v 1.6.2.1 2004/03/09 06:09:52 marka Exp $
+; $Id: bogus.example.db.in,v 1.6.206.1 2004/03/06 10:22:01 marka Exp $
 
 $TTL 300	; 5 minutes
 @			IN SOA	mname1. . (
diff --git a/bin/tests/system/dnssec/ns3/dynamic.example.db.in b/bin/tests/system/dnssec/ns3/dynamic.example.db.in
new file mode 100644
index 00000000..0f9e0594
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/dynamic.example.db.in
@@ -0,0 +1,31 @@
+; Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+; Copyright (C) 2002  Internet Software Consortium.
+;
+; Permission to use, copy, modify, and distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: dynamic.example.db.in,v 1.3.2.1 2004/03/08 02:07:46 marka Exp $
+
+; This has the NS and glue at the apex because testing RT #2399
+; requires we have only one name in the zone at a certain point
+; during the test.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+@			NS	@
+@			A	10.53.0.3
diff --git a/bin/tests/system/dnssec/ns3/insecure.example.db b/bin/tests/system/dnssec/ns3/insecure.example.db
index 8b5d1047..4930e28d 100644
--- a/bin/tests/system/dnssec/ns3/insecure.example.db
+++ b/bin/tests/system/dnssec/ns3/insecure.example.db
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: insecure.example.db,v 1.6.2.1 2004/03/09 06:09:52 marka Exp $
+; $Id: insecure.example.db,v 1.6.206.1 2004/03/06 10:22:01 marka Exp $
 
 $TTL 300	; 5 minutes
 @			IN SOA	mname1. . (
diff --git a/bin/tests/system/dnssec/ns3/keyless.example.db.in b/bin/tests/system/dnssec/ns3/keyless.example.db.in
new file mode 100644
index 00000000..a8920b03
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/keyless.example.db.in
@@ -0,0 +1,29 @@
+; Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+; Copyright (C) 2001, 2002  Internet Software Consortium.
+;
+; Permission to use, copy, modify, and distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: keyless.example.db.in,v 1.3.2.1 2004/03/08 02:07:46 marka Exp $
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a.b			A	10.0.0.1
diff --git a/bin/tests/system/dnssec/ns3/named.conf b/bin/tests/system/dnssec/ns3/named.conf
index 707c4c87..08499a18 100644
--- a/bin/tests/system/dnssec/ns3/named.conf
+++ b/bin/tests/system/dnssec/ns3/named.conf
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) 2000-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.18.2.2 2004/03/09 06:09:52 marka Exp $ */
+/* $Id: named.conf,v 1.18.12.5 2004/03/10 02:55:55 marka Exp $ */
 
 // NS3
 
@@ -31,6 +31,7 @@ options {
 	listen-on-v6 { none; };
 	recursion no;
 	notify yes;
+	dnssec-enable yes;
 };
 
 zone "." {
@@ -56,11 +57,21 @@ zone "bogus.example" {
 	allow-update { any; };
 };
 
+zone "dynamic.example" {
+	type master;
+	file "dynamic.example.db.signed";
+	allow-update { any; };
+};
+
 zone "insecure.example" {
 	type master;
 	file "insecure.example.db";
 	allow-update { any; };
 };
 
+zone "keyless.example" {
+	type master;
+	file "keyless.example.db.signed";
+};
 
 include "trusted.conf";
diff --git a/bin/tests/system/dnssec/ns3/secure.example.db.in b/bin/tests/system/dnssec/ns3/secure.example.db.in
index b1ce2b28..67540b0a 100644
--- a/bin/tests/system/dnssec/ns3/secure.example.db.in
+++ b/bin/tests/system/dnssec/ns3/secure.example.db.in
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: secure.example.db.in,v 1.8.2.1 2004/03/09 06:09:52 marka Exp $
+; $Id: secure.example.db.in,v 1.8.206.1 2004/03/06 10:22:02 marka Exp $
 
 $TTL 300	; 5 minutes
 @			IN SOA	mname1. . (
diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh
index 7e2e2efd..b5b4debf 100644
--- a/bin/tests/system/dnssec/ns3/sign.sh
+++ b/bin/tests/system/dnssec/ns3/sign.sh
@@ -1,7 +1,7 @@
 #!/bin/sh
 #
 # Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2000, 2001  Internet Software Consortium.
+# Copyright (C) 2000-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: sign.sh,v 1.12.2.1 2004/03/09 06:09:52 marka Exp $
+# $Id: sign.sh,v 1.12.12.3 2004/03/08 04:04:35 marka Exp $
 
 RANDFILE=../random.data
 
@@ -23,9 +23,7 @@ zone=secure.example.
 infile=secure.example.db.in
 zonefile=secure.example.db
 
-keyname=`$KEYGEN -r $RANDFILE -a RSA -b 768 -n zone $zone`
-
-$KEYSETTOOL -r $RANDFILE -t 3600 $keyname.key > /dev/null
+keyname=`$KEYGEN -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
@@ -37,8 +35,33 @@ zonefile=bogus.example.db
 
 keyname=`$KEYGEN -r $RANDFILE -a RSA -b 768 -n zone $zone`
 
-$KEYSETTOOL -r $RANDFILE -t 3600 $keyname.key > /dev/null
+cat $infile $keyname.key >$zonefile
+
+$SIGNER -r $RANDFILE -o $zone $zonefile > /dev/null
+
+zone=dynamic.example.
+infile=dynamic.example.db.in
+zonefile=dynamic.example.db
+
+keyname=`$KEYGEN -r $RANDFILE -a RSA -b 768 -n zone $zone`
+
+cat $infile $keyname.key >$zonefile
+
+$SIGNER -r $RANDFILE -o $zone $zonefile > /dev/null
+
+zone=keyless.example.
+infile=keyless.example.db.in
+zonefile=keyless.example.db
+
+keyname=`$KEYGEN -r $RANDFILE -a RSA -b 768 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
 $SIGNER -r $RANDFILE -o $zone $zonefile > /dev/null
+
+# Change the signer field of the a.b.keyless.example SIG A
+# to point to a provably nonexistent KEY record.
+mv $zonefile.signed $zonefile.tmp
+<$zonefile.tmp perl -p -e 's/ keyless.example/ b.keyless.example/
+    if /^a.b.keyless.example/../NXT/;' >$zonefile.signed
+rm -f $zonefile.tmp
diff --git a/bin/tests/system/dnssec/ns4/named.conf b/bin/tests/system/dnssec/ns4/named.conf
index ffaa2a7c..f497fa3f 100644
--- a/bin/tests/system/dnssec/ns4/named.conf
+++ b/bin/tests/system/dnssec/ns4/named.conf
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.18.2.2 2004/03/09 06:09:52 marka Exp $ */
+/* $Id: named.conf,v 1.18.206.4 2004/03/10 02:55:55 marka Exp $ */
 
 // NS4
 
@@ -30,6 +30,7 @@ options {
 	listen-on { 10.53.0.4; };
 	listen-on-v6 { none; };
 	recursion yes;
+	dnssec-enable yes;
 };
 
 zone "." {
diff --git a/bin/tests/system/dnssec/ns5/named.conf b/bin/tests/system/dnssec/ns5/named.conf
index a4ab1f65..6ccbe8c9 100644
--- a/bin/tests/system/dnssec/ns5/named.conf
+++ b/bin/tests/system/dnssec/ns5/named.conf
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.16.2.2 2004/03/09 06:09:53 marka Exp $ */
+/* $Id: named.conf,v 1.16.206.4 2004/03/10 02:55:55 marka Exp $ */
 
 // NS5
 
@@ -30,6 +30,7 @@ options {
 	listen-on { 10.53.0.5; };
 	listen-on-v6 { none; };
 	recursion yes;
+	dnssec-enable yes;
 };
 
 zone "." {
diff --git a/bin/tests/system/dnssec/ns5/trusted.conf.bad b/bin/tests/system/dnssec/ns5/trusted.conf.bad
index 8ddcdc84..9dfc7590 100644
--- a/bin/tests/system/dnssec/ns5/trusted.conf.bad
+++ b/bin/tests/system/dnssec/ns5/trusted.conf.bad
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: trusted.conf.bad,v 1.6.2.1 2004/03/09 06:09:53 marka Exp $ */
+/* $Id: trusted.conf.bad,v 1.6.206.1 2004/03/06 10:22:03 marka Exp $ */
 
 trusted-keys {
     "." 256 3 1 "AQO6Cl+slAf+iuieDim9L3kujFHQD7s/IOj03ClMOpKYcTXtK4mRpuULVfvWxDi9Ew/gj0xLnnX7z9OJHIxLI+DSrAHd8Dm0XfBEAtVtJSn70GaPZgnLMw1rk5ap2DsEoWk=";
diff --git a/bin/tests/system/dnssec/ns6/named.conf b/bin/tests/system/dnssec/ns6/named.conf
new file mode 100644
index 00000000..6d87c783
--- /dev/null
+++ b/bin/tests/system/dnssec/ns6/named.conf
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.5.2.2 2004/03/10 02:55:55 marka Exp $ */
+
+// NS6
+
+controls { /* empty */ };
+
+options {
+	query-source address 10.53.0.6;
+	notify-source 10.53.0.6;
+	transfer-source 10.53.0.6;
+	port 5300;
+	pid-file "named.pid";
+	listen-on { 10.53.0.6; };
+	listen-on-v6 { none; };
+	recursion yes;
+	notify yes;
+	disable-algorithms . { DSA; };
+	dnssec-enable yes;
+	dnssec-lookaside dlv;
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/dnssec/prereq.sh b/bin/tests/system/dnssec/prereq.sh
index 333a58dc..3ea13c92 100644
--- a/bin/tests/system/dnssec/prereq.sh
+++ b/bin/tests/system/dnssec/prereq.sh
@@ -15,11 +15,9 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: prereq.sh,v 1.3.2.4 2004/12/08 06:12:04 marka Exp $
+# $Id: prereq.sh,v 1.3.2.2.8.1 2004/03/06 10:21:57 marka Exp $
 
-../../genrandom 400 random.data
-
-if $KEYGEN -a RSA -b 512 -n zone -r random.data foo > /dev/null 2>&1
+if $KEYGEN -a RSA -b 512 -n zone -r $KEYGEN foo > /dev/null 2>&1
 then
     rm -f Kfoo*
 else
diff --git a/bin/tests/system/dnssec/setup.sh b/bin/tests/system/dnssec/setup.sh
index 2ae3698f..43b22fd0 100644
--- a/bin/tests/system/dnssec/setup.sh
+++ b/bin/tests/system/dnssec/setup.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: setup.sh,v 1.10.2.2 2004/03/10 01:05:02 marka Exp $
+# $Id: setup.sh,v 1.10.206.2 2004/03/10 01:05:51 marka Exp $
 
 ../../genrandom 400 random.data
 
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 92d69c9c..951c1567 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -1,7 +1,7 @@
 #!/bin/sh
 #
 # Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2000, 2001  Internet Software Consortium.
+# Copyright (C) 2000-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: tests.sh,v 1.33.2.1 2004/03/09 06:09:50 marka Exp $
+# $Id: tests.sh,v 1.33.12.4 2004/03/10 02:55:53 marka Exp $
 
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
@@ -25,7 +25,7 @@ n=0
 
 rm -f dig.out.*
 
-DIGOPTS="+tcp +noadd +nosea +nostat +noquest +nocmd +dnssec -p 5300"
+DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300"
 
 # Check the example. domain
 
@@ -48,6 +48,16 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+echo "I:checking positive wildcard validation ($n)"
+ret=0
+$DIG $DIGOPTS a.wild.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
+$DIG $DIGOPTS a.wild.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 echo "I:checking negative validation ($n)"
 ret=0
 $DIG $DIGOPTS +noauth q.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
@@ -58,12 +68,22 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+echo "I:checking negative wildcard validation ($n)"
+ret=0
+$DIG $DIGOPTS b.wild.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
+$DIG $DIGOPTS b.wild.example. @10.53.0.4 txt > dig.out.ns4.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 # Check the insecure.example domain
 
 echo "I:checking 1-server insecurity proof ($n)"
 ret=0
-$DIG $DIGOPTS a.insecure.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
-$DIG $DIGOPTS a.insecure.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+$DIG $DIGOPTS +noauth a.insecure.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth a.insecure.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
 $PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
 # Note - this is looking for failure, hence the &&
@@ -72,6 +92,34 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+echo "I:checking 1-server negative insecurity proof ($n)"
+ret=0
+$DIG $DIGOPTS q.insecure.example. a @10.53.0.3 \
+	> dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS q.insecure.example. a @10.53.0.4 \
+	> dig.out.ns4.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+# Note - this is looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking 1-server negative insecurity proof with SOA hack ($n)"
+ret=0
+$DIG $DIGOPTS r.insecure.example. soa @10.53.0.3 \
+	> dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS r.insecure.example. soa @10.53.0.4 \
+	> dig.out.ns4.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+# Note - this is looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 # Check the secure.example domain
 
 echo "I:checking multi-stage positive validation ($n)"
@@ -105,13 +153,37 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+echo "I:checking that negative validation fails with a misconfigured trusted key ($n)"
+ret=0
+$DIG $DIGOPTS example. ptr @10.53.0.5 > dig.out.ns5.test$n || ret=1
+grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking that insecurity proofs fail with a misconfigured trusted key ($n)"
+ret=0
+$DIG $DIGOPTS a.insecure.example. a @10.53.0.5 > dig.out.ns5.test$n || ret=1
+grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking that validation fails when key record is missing ($n)"
+ret=0
+$DIG $DIGOPTS a.b.keyless.example. a @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 # Check the insecure.secure.example domain (insecurity proof)
 
 echo "I:checking 2-server insecurity proof ($n)"
 ret=0
-$DIG $DIGOPTS a.insecure.secure.example. @10.53.0.2 a \
+$DIG $DIGOPTS +noauth a.insecure.secure.example. @10.53.0.2 a \
 	> dig.out.ns2.test$n || ret=1
-$DIG $DIGOPTS a.insecure.secure.example. @10.53.0.4 a \
+$DIG $DIGOPTS +noauth a.insecure.secure.example. @10.53.0.4 a \
 	> dig.out.ns4.test$n || ret=1
 $PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
@@ -137,6 +209,20 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+echo "I:checking 2-server insecurity proof with a negative answer and SOA hack ($n)"
+ret=0
+$DIG $DIGOPTS r.insecure.secure.example. @10.53.0.2 soa > dig.out.ns2.test$n \
+	|| ret=1
+$DIG $DIGOPTS r.insecure.secure.example. @10.53.0.4 soa > dig.out.ns4.test$n \
+	|| ret=1
+$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+# Note - this is looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 # Check that the query for a security root is successful and has ad set
 
 echo "I:checking security root query ($n)"
@@ -207,9 +293,9 @@ status=`expr $status + $ret`
 
 echo "I:checking cd bit on a negative insecurity proof ($n)"
 ret=0
-$DIG $DIGOPTS q.insecure.example. soa @10.53.0.4 \
+$DIG $DIGOPTS q.insecure.example. a @10.53.0.4 \
 	> dig.out.ns4.test$n || ret=1
-$DIG $DIGOPTS +cdflag q.insecure.example. soa @10.53.0.5 \
+$DIG $DIGOPTS +cdflag q.insecure.example. a @10.53.0.5 \
 	> dig.out.ns5.test$n || ret=1
 $PERL ../digcomp.pl dig.out.ns4.test$n dig.out.ns5.test$n || ret=1
 grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
@@ -288,5 +374,89 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+echo "I:checking that positive validation in a privately secure zone works ($n)"
+ret=0
+$DIG $DIGOPTS +noauth a.private.secure.example. a @10.53.0.2 \
+	> dig.out.ns2.test$n || ret=1
+$DIG $DIGOPTS +noauth a.private.secure.example. a @10.53.0.4 \
+	> dig.out.ns4.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
+grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+# Note - this is looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking that negative validation in a privately secure zone works ($n)"
+ret=0
+$DIG $DIGOPTS +noauth q.private.secure.example. a @10.53.0.2 \
+	> dig.out.ns2.test$n || ret=1
+$DIG $DIGOPTS +noauth q.private.secure.example. a @10.53.0.4 \
+	> dig.out.ns4.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
+grep "NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+# Note - this is looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking that lookups succeed after disabling a algorithm works ($n)"
+ret=0
+$DIG $DIGOPTS +noauth example. SOA @10.53.0.2 \
+	> dig.out.ns2.test$n || ret=1
+$DIG $DIGOPTS +noauth example. SOA @10.53.0.6 \
+	> dig.out.ns6.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns6.test$n || ret=1
+# Note - this is looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns6.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking privately secure to nxdomain works ($n)"
+ret=0
+$DIG $DIGOPTS +noauth private2secure-nxdomain.private.secure.example. SOA @10.53.0.2 \
+	> dig.out.ns2.test$n || ret=1
+$DIG $DIGOPTS +noauth private2secure-nxdomain.private.secure.example. SOA @10.53.0.4 \
+	> dig.out.ns4.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
+# Note - this is looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking privately secure wilcard to nxdomain works ($n)"
+ret=0
+$DIG $DIGOPTS +noauth a.wild.private.secure.example. SOA @10.53.0.2 \
+	> dig.out.ns2.test$n || ret=1
+$DIG $DIGOPTS +noauth a.wild.private.secure.example. SOA @10.53.0.4 \
+	> dig.out.ns4.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
+# Note - this is looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking dnssec-lookaside-validation works ($n)"
+ret=0
+$DIG $DIGOPTS private.secure.example. SOA @10.53.0.6 \
+	> dig.out.ns6.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns6.test$n > /dev/null || ret=1
+
+# Run a minimal update test if possible.  This is really just
+# a regression test for RT #2399; more tests should be added.
+
+if $PERL -e 'use Net::DNS;' 2>/dev/null
+then
+    echo "I:running DNSSEC update test"
+    $PERL dnssec_update_test.pl -s 10.53.0.3 -p 5300 dynamic.example. || status=1
+else
+    echo "I:The DNSSEC update test requires the Net::DNS library." >&2
+fi
+
 echo "I:exit status: $status"
 exit $status
diff --git a/bin/tests/system/forward/clean.sh b/bin/tests/system/forward/clean.sh
index 906e0c5c..991b8336 100644
--- a/bin/tests/system/forward/clean.sh
+++ b/bin/tests/system/forward/clean.sh
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: clean.sh,v 1.2.2.1 2004/03/09 06:09:53 marka Exp $
+# $Id: clean.sh,v 1.2.206.1 2004/03/06 10:22:03 marka Exp $
 
 #
 # Clean up after forward tests.
diff --git a/bin/tests/system/forward/ns1/example.db b/bin/tests/system/forward/ns1/example.db
index 9c3d298e..ebbc2aed 100644
--- a/bin/tests/system/forward/ns1/example.db
+++ b/bin/tests/system/forward/ns1/example.db
@@ -1,20 +1,3 @@
-; Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
-; Copyright (C) 2000, 2001  Internet Software Consortium.
-;
-; Permission to use, copy, modify, and distribute this software for any
-; purpose with or without fee is hereby granted, provided that the above
-; copyright notice and this permission notice appear in all copies.
-;
-; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-; PERFORMANCE OF THIS SOFTWARE.
-
-; $Id: example.db,v 1.1.6.1 2004/03/15 04:44:42 marka Exp $
-
 $TTL 300	; 5 minutes
 @			IN SOA	ns root (
 				2000082401 ; serial
diff --git a/bin/tests/system/forward/ns1/named.conf b/bin/tests/system/forward/ns1/named.conf
index db817050..785cf808 100644
--- a/bin/tests/system/forward/ns1/named.conf
+++ b/bin/tests/system/forward/ns1/named.conf
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.7.2.2 2004/03/09 06:09:54 marka Exp $ */
+/* $Id: named.conf,v 1.7.206.2 2004/03/06 10:22:04 marka Exp $ */
 
 controls { /* empty */ };
 
diff --git a/bin/tests/system/forward/ns1/root.db b/bin/tests/system/forward/ns1/root.db
index 5d8234ff..fe150630 100644
--- a/bin/tests/system/forward/ns1/root.db
+++ b/bin/tests/system/forward/ns1/root.db
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: root.db,v 1.1.6.1 2004/03/15 04:44:42 marka Exp $
+; $Id: root.db,v 1.1.214.1 2004/03/08 04:04:36 marka Exp $
 
 $TTL 300
 . 			IN SOA	gson.nominum.com. a.root.servers.nil. (
diff --git a/bin/tests/system/forward/ns2/example.db b/bin/tests/system/forward/ns2/example.db
index 62417b65..3a5f46c1 100644
--- a/bin/tests/system/forward/ns2/example.db
+++ b/bin/tests/system/forward/ns2/example.db
@@ -1,20 +1,3 @@
-; Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
-; Copyright (C) 2000, 2001  Internet Software Consortium.
-;
-; Permission to use, copy, modify, and distribute this software for any
-; purpose with or without fee is hereby granted, provided that the above
-; copyright notice and this permission notice appear in all copies.
-;
-; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-; PERFORMANCE OF THIS SOFTWARE.
-
-; $Id: example.db,v 1.1.6.1 2004/03/15 04:44:43 marka Exp $
-
 $TTL 300	; 5 minutes
 @			IN SOA	ns root (
 				2000082401 ; serial
diff --git a/bin/tests/system/forward/ns2/named.conf b/bin/tests/system/forward/ns2/named.conf
index a3db28b9..ba0441b8 100644
--- a/bin/tests/system/forward/ns2/named.conf
+++ b/bin/tests/system/forward/ns2/named.conf
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.7.2.2 2004/03/09 06:09:54 marka Exp $ */
+/* $Id: named.conf,v 1.7.206.2 2004/03/06 10:22:04 marka Exp $ */
 
 controls { /* empty */ };
 
diff --git a/bin/tests/system/forward/ns2/root.db b/bin/tests/system/forward/ns2/root.db
index 40c18f52..fe150630 100644
--- a/bin/tests/system/forward/ns2/root.db
+++ b/bin/tests/system/forward/ns2/root.db
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: root.db,v 1.1.6.1 2004/03/15 04:44:43 marka Exp $
+; $Id: root.db,v 1.1.214.1 2004/03/08 04:04:36 marka Exp $
 
 $TTL 300
 . 			IN SOA	gson.nominum.com. a.root.servers.nil. (
diff --git a/bin/tests/system/forward/ns3/named.conf b/bin/tests/system/forward/ns3/named.conf
index 4b7c7041..e4765e2e 100644
--- a/bin/tests/system/forward/ns3/named.conf
+++ b/bin/tests/system/forward/ns3/named.conf
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.7.2.2 2004/03/09 06:09:54 marka Exp $ */
+/* $Id: named.conf,v 1.7.206.2 2004/03/06 10:22:04 marka Exp $ */
 
 controls { /* empty */ };
 
diff --git a/bin/tests/system/forward/ns3/root.db b/bin/tests/system/forward/ns3/root.db
index 40c18f52..fe150630 100644
--- a/bin/tests/system/forward/ns3/root.db
+++ b/bin/tests/system/forward/ns3/root.db
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: root.db,v 1.1.6.1 2004/03/15 04:44:43 marka Exp $
+; $Id: root.db,v 1.1.214.1 2004/03/08 04:04:36 marka Exp $
 
 $TTL 300
 . 			IN SOA	gson.nominum.com. a.root.servers.nil. (
diff --git a/bin/tests/system/forward/ns4/named.conf b/bin/tests/system/forward/ns4/named.conf
index f71d7241..074d40dc 100644
--- a/bin/tests/system/forward/ns4/named.conf
+++ b/bin/tests/system/forward/ns4/named.conf
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.7.2.2 2004/03/09 06:09:55 marka Exp $ */
+/* $Id: named.conf,v 1.7.206.2 2004/03/06 10:22:05 marka Exp $ */
 
 controls { /* empty */ };
 
diff --git a/bin/tests/system/forward/ns4/root.db b/bin/tests/system/forward/ns4/root.db
index 40c18f52..17814444 100644
--- a/bin/tests/system/forward/ns4/root.db
+++ b/bin/tests/system/forward/ns4/root.db
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: root.db,v 1.1.6.1 2004/03/15 04:44:43 marka Exp $
+; $Id: root.db,v 1.1.214.1 2004/03/08 04:04:37 marka Exp $
 
 $TTL 300
 . 			IN SOA	gson.nominum.com. a.root.servers.nil. (
diff --git a/bin/tests/system/forward/tests.sh b/bin/tests/system/forward/tests.sh
index 1786a835..e6b8f9ae 100644
--- a/bin/tests/system/forward/tests.sh
+++ b/bin/tests/system/forward/tests.sh
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: tests.sh,v 1.4.2.1 2004/03/09 06:09:53 marka Exp $
+# $Id: tests.sh,v 1.4.206.1 2004/03/06 10:22:03 marka Exp $
 
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
diff --git a/bin/tests/system/genzone.sh b/bin/tests/system/genzone.sh
new file mode 100644
index 00000000..0c87b5d6
--- /dev/null
+++ b/bin/tests/system/genzone.sh
@@ -0,0 +1,267 @@
+#!/bin/sh
+#
+# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2001-2003  Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: genzone.sh,v 1.3.202.4 2004/03/08 04:04:33 marka Exp $
+
+#
+# Set up a test zone
+#
+# Usage: genzone.sh master-server-number slave-server-number...
+#
+# e.g., "genzone.sh 2 3 4" means ns2 is the master and ns3, ns4
+# are slaves.
+#
+
+master="$1"
+
+cat <<EOF
+\$TTL 3600
+
+@		86400	IN SOA	ns${master} hostmaster (
+					1397051952 ; "SER0"
+					5
+					5
+					1814400
+					3600 )
+EOF
+
+for n
+do
+	cat <<EOF
+@			NS	ns${n}
+ns${n}			A	10.53.0.${n}
+EOF
+done
+
+cat <<\EOF
+
+; type 1
+a01			A	0.0.0.0
+a02			A	255.255.255.255
+
+; type 2
+; see NS records at top of file
+
+; type 3
+; md01			MD	madname
+; 			MD	.
+
+; type 4
+; mf01			MF	madname
+; mf01			MF	.
+
+; type 5
+cname01			CNAME	cname-target.
+cname02			CNAME	cname-target
+cname03			CNAME	.
+
+; type 6
+; see SOA record at top of file
+
+; type 7
+mb01			MG	madname
+mb02			MG	.
+
+; type 8
+mg01			MG	mgmname
+mg02			MG	.
+
+; type 9
+mr01			MR	mrname
+mr02			MR	.
+
+; type 10
+; NULL RRs are not allowed in master files per RFC1035.
+;null01			NULL
+
+; type 11
+wks01			WKS	10.0.0.1 tcp telnet ftp 0 1 2
+wks02			WKS	10.0.0.1 udp domain 0 1 2
+wks03			WKS	10.0.0.2 tcp 65535
+
+; type 12
+ptr01			PTR	@
+
+; type 13
+hinfo01			HINFO	"Generic PC clone" "NetBSD-1.4"
+hinfo02			HINFO	PC NetBSD
+
+; type 14
+minfo01			MINFO	rmailbx emailbx
+minfo02			MINFO	. . 
+
+; type 15
+mx01			MX	10 mail
+mx02			MX	10 .
+
+; type 16
+txt01			TXT	"foo"
+txt02			TXT	"foo" "bar"
+txt03			TXT	foo
+txt04			TXT	foo bar
+txt05			TXT	"foo bar"
+txt06			TXT	"foo\032bar"
+txt07			TXT	foo\032bar
+txt08			TXT	"foo\010bar"
+txt09			TXT	foo\010bar
+txt10			TXT	foo\ bar
+txt11			TXT	"\"foo\""
+txt12			TXT	\"foo\"
+
+; type 17
+rp01			RP	mbox-dname txt-dname
+rp02			RP	. . 
+
+; type 18
+afsdb01			AFSDB	0 hostname
+afsdb02			AFSDB	65535 .
+
+; type 19
+x2501			X25	123456789
+;x2502			X25	"123456789"
+
+; type 20
+isdn01			ISDN	"isdn-address"
+isdn02			ISDN	"isdn-address" "subaddress"
+isdn03			ISDN	isdn-address
+isdn04			ISDN	isdn-address subaddress
+
+; type 21
+rt01			RT	0 intermediate-host
+rt02			RT	65535 .
+
+; type 22
+nsap01			NSAP	(
+	0x47.0005.80.005a00.0000.0001.e133.ffffff000161.00 )
+nsap02			NSAP	(
+	0x47.0005.80.005a00.0000.0001.e133.ffffff000161.00. )
+;nsap03			NSAP	0x
+
+; type 23
+nsap-ptr01		NSAP-PTR foo.
+nsap-ptr01		NSAP-PTR .
+
+; type 24
+;sig01			SIG	NXT 1 3 ( 3600 20000102030405
+;				19961211100908 2143 foo.nil. 
+;				MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45I
+;				kskceFGgiWCn/GxHhai6VAuHAoNUz4YoU1t
+;				VfSCSqQYn6//11U6Nld80jEeC8aTrO+KKmCaY= )
+
+; type 25
+;key01			KEY	512 ( 255 1 AQMFD5raczCJHViKtLYhWGz8hMY
+;				9UGRuniJDBzC7w0aRyzWZriO6i2odGWWQVucZqKV
+;				sENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esg
+;				a60zyGW6LFe9r8n6paHrlG5ojqf0BaqHT+8= )
+
+; type 26
+px01			PX	65535 foo. bar.
+px02			PX	65535 . .
+
+; type 27
+gpos01			GPOS    -22.6882 116.8652 250.0
+gpos02			GPOS    "" "" ""
+
+; type 29
+loc01			LOC	60 9 N 24 39 E 10 20 2000 20
+loc02			LOC 	60 09 00.000 N 24 39 00.000 E 10.00m 20.00m (
+				  2000.00m 20.00m )
+
+; type 30
+;nxt01			NXT	a.secure.nil. ( NS SOA MX RRSIG KEY LOC NXT )
+;nxt02			NXT	. NXT NSAP-PTR
+;nxt03			NXT	. 1
+;nxt04			NXT	. 127
+
+; type 33
+srv01			SRV 0 0 0 .
+srv02			SRV 65535 65535 65535  old-slow-box
+
+; type 35
+naptr01			NAPTR   0 0 "" "" "" . 
+naptr02			NAPTR   65535 65535 blurgh blorf blegh foo.
+naptr02			NAPTR   65535 65535 "blurgh" "blorf" "blegh" foo.
+
+; type 36
+kx01			KX	10 kdc
+kx02			KX	10 .
+
+; type 37
+cert01			CERT	65534 65535 254 ( 
+				MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45I
+				kskceFGgiWCn/GxHhai6VAuHAoNUz4YoU1t
+				VfSCSqQYn6//11U6Nld80jEeC8aTrO+KKmCaY= )
+; type 38
+a601			A6	0 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+a601			A6	64 ::ffff:ffff:ffff:ffff foo.
+a601			A6	127 ::1 foo.
+a601			A6	128 .
+
+; type 39
+dname01			DNAME	dname-target.
+dname02			DNAME	dname-target
+dname03			DNAME	.
+
+; type 41
+; OPT is a meta-type and should never occur in master files.
+
+; type 46
+rrsig01			RRSIG	NSEC 1 3 ( 3600 20000102030405
+				19961211100908 2143 foo.nil. 
+				MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45I
+				kskceFGgiWCn/GxHhai6VAuHAoNUz4YoU1t
+				VfSCSqQYn6//11U6Nld80jEeC8aTrO+KKmCaY= )
+
+; type 47
+nsec01			NSEC	a.secure.nil. ( NS SOA MX RRSIG DNSKEY LOC NSEC )
+nsec02			NSEC	. NSEC NSAP-PTR
+nsec03			NSEC	. TYPE1
+nsec04			NSEC	. TYPE127
+
+; type 48
+dnskey01		DNSKEY	512 ( 255 1 AQMFD5raczCJHViKtLYhWGz8hMY
+				9UGRuniJDBzC7w0aRyzWZriO6i2odGWWQVucZqKV
+				sENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esg
+				a60zyGW6LFe9r8n6paHrlG5ojqf0BaqHT+8= )
+
+; type 249
+; TKEY is a meta-type and should never occur in master files.
+; The text representation is not specified in the draft.
+; This example was written based on the bind9 RR parsing code.
+;tkey01			TKEY	928321914 928321915 (
+;				255		; algorithm
+;				65535 		; mode
+;				0		; error
+;				3 		; key size
+;				aaaa		; key data
+;				3 		; other size
+;				bbbb		; other data
+;				)
+;; A TKEY with empty "other data"
+;tkey02			TKEY	928321914 928321915 (
+;				255		; algorithm
+;				65535 		; mode
+;				0		; error
+;				3 		; key size
+;				aaaa		; key data
+;				0 		; other size
+;						; other data
+;				)
+
+; type 255
+; TSIG is a meta-type and should never occur in master files.
+EOF
diff --git a/bin/tests/system/glue/clean.sh b/bin/tests/system/glue/clean.sh
index 7b85b789..a6b33bf6 100644
--- a/bin/tests/system/glue/clean.sh
+++ b/bin/tests/system/glue/clean.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: clean.sh,v 1.5.2.1 2004/03/09 06:09:55 marka Exp $
+# $Id: clean.sh,v 1.5.206.1 2004/03/06 10:22:05 marka Exp $
 
 #
 # Clean up after glue tests.
diff --git a/bin/tests/system/glue/ns1/cache.in b/bin/tests/system/glue/ns1/cache.in
index 2570cc5f..e6f04063 100644
--- a/bin/tests/system/glue/ns1/cache.in
+++ b/bin/tests/system/glue/ns1/cache.in
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: cache.in,v 1.1.2.1 2004/03/09 06:09:55 marka Exp $
+; $Id: cache.in,v 1.1.206.1 2004/03/06 10:22:05 marka Exp $
 
 ; Preloaded cache data for glue test
 
diff --git a/bin/tests/system/glue/ns1/mil.db b/bin/tests/system/glue/ns1/mil.db
index 6823515c..6b33519d 100644
--- a/bin/tests/system/glue/ns1/mil.db
+++ b/bin/tests/system/glue/ns1/mil.db
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: mil.db,v 1.5.2.1 2004/03/09 06:09:56 marka Exp $
+; $Id: mil.db,v 1.5.206.1 2004/03/06 10:22:06 marka Exp $
 
 $ORIGIN mil.
 $TTL 300
diff --git a/bin/tests/system/glue/ns1/named.conf b/bin/tests/system/glue/ns1/named.conf
index 1b692e60..e5dc8cde 100644
--- a/bin/tests/system/glue/ns1/named.conf
+++ b/bin/tests/system/glue/ns1/named.conf
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.8.2.2 2004/03/09 06:09:56 marka Exp $ */
+/* $Id: named.conf,v 1.8.206.2 2004/03/06 10:22:06 marka Exp $ */
 
 controls { /* empty */ };
 
diff --git a/bin/tests/system/glue/ns1/net.db b/bin/tests/system/glue/ns1/net.db
index c4759d88..94d1296b 100644
--- a/bin/tests/system/glue/ns1/net.db
+++ b/bin/tests/system/glue/ns1/net.db
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: net.db,v 1.5.2.1 2004/03/09 06:09:56 marka Exp $
+; $Id: net.db,v 1.5.206.1 2004/03/06 10:22:06 marka Exp $
 
 $ORIGIN net.
 $TTL 300
diff --git a/bin/tests/system/glue/ns1/root-servers.nil.db b/bin/tests/system/glue/ns1/root-servers.nil.db
index 76f45899..c4713552 100644
--- a/bin/tests/system/glue/ns1/root-servers.nil.db
+++ b/bin/tests/system/glue/ns1/root-servers.nil.db
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: root-servers.nil.db,v 1.4.2.1 2004/03/09 06:09:56 marka Exp $
+; $Id: root-servers.nil.db,v 1.4.206.1 2004/03/06 10:22:06 marka Exp $
 
 $TTL 300
 @			IN SOA	ns hostmaster (
diff --git a/bin/tests/system/glue/ns1/root.db b/bin/tests/system/glue/ns1/root.db
index a8a59db7..512994c4 100644
--- a/bin/tests/system/glue/ns1/root.db
+++ b/bin/tests/system/glue/ns1/root.db
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: root.db,v 1.4.2.1 2004/03/09 06:09:56 marka Exp $
+; $Id: root.db,v 1.4.206.1 2004/03/06 10:22:06 marka Exp $
 
 $TTL 300
 . 			IN SOA	gson.nominum.com. a.root.servers.nil. (
diff --git a/bin/tests/system/glue/setup.sh b/bin/tests/system/glue/setup.sh
index 1279bd6b..90295927 100644
--- a/bin/tests/system/glue/setup.sh
+++ b/bin/tests/system/glue/setup.sh
@@ -15,6 +15,6 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: setup.sh,v 1.2.2.2 2004/03/10 01:05:03 marka Exp $
+# $Id: setup.sh,v 1.2.206.2 2004/03/10 01:05:52 marka Exp $
 
 cd ns1 && cp -f cache.in cache
diff --git a/bin/tests/system/glue/tests.sh b/bin/tests/system/glue/tests.sh
index c8ac1e7a..c74873da 100644
--- a/bin/tests/system/glue/tests.sh
+++ b/bin/tests/system/glue/tests.sh
@@ -1,7 +1,7 @@
 #!/bin/sh
 #
 # Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2000, 2001  Internet Software Consortium.
+# Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: tests.sh,v 1.5.2.1 2004/03/09 06:09:55 marka Exp $
+# $Id: tests.sh,v 1.5.206.2 2004/03/06 10:22:05 marka Exp $
 
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
@@ -34,7 +34,7 @@ echo "I:testing that we find glue A RRs we are authoritative for"
 $DIG +norec @10.53.0.1 -p 5300 foo.bar.xx. a >dig.out || status=1
 $PERL ../digcomp.pl xx.good dig.out || status=1
 
-echo "I:testing that we find glue A/AAAA/A6 RRs in the cache"
+echo "I:testing that we find glue A/AAAA RRs in the cache"
 $DIG +norec @10.53.0.1 -p 5300 foo.bar.yy. a >dig.out || status=1
 $PERL ../digcomp.pl yy.good dig.out || status=1
 
diff --git a/bin/tests/system/glue/yy.good b/bin/tests/system/glue/yy.good
index c4222fc9..fd97e3d4 100644
--- a/bin/tests/system/glue/yy.good
+++ b/bin/tests/system/glue/yy.good
@@ -13,6 +13,5 @@ yy.			172800	IN	NS	ns.zz.
 
 ;; ADDITIONAL SECTION:
 ns.zz.			3463	IN	A	10.0.0.1
-ns.zz.			86263	IN	A6	0 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
 ns.zz.			86263	IN	AAAA	10::1
 
diff --git a/bin/tests/system/ifconfig.sh b/bin/tests/system/ifconfig.sh
index 8b0ca9b1..fb79667c 100755..100644
--- a/bin/tests/system/ifconfig.sh
+++ b/bin/tests/system/ifconfig.sh
@@ -15,12 +15,30 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: ifconfig.sh,v 1.35.2.12 2004/10/05 03:18:53 marka Exp $
+# $Id: ifconfig.sh,v 1.35.2.8.2.5 2004/03/16 19:23:29 explorer Exp $
 
 #
 # Set up interface aliases for bind9 system tests.
 #
 
+config_guess=""
+for f in ./config.guess ../../../config.guess
+do
+	if test -f $f
+	then
+		config_guess=$f
+	fi
+done
+
+if test "X$config_guess" = "X"
+then
+	echo <<EOF >&2
+$0: must be run from the top level source directory or the
+bin/tests/system directory
+EOF
+	exit 1
+fi
+
 # If running on hp-ux, don't even try to run config.guess.
 # It will try to create a temporary file in the current directory,
 # which fails when running as root with the current directory
@@ -28,7 +46,7 @@
 
 case `uname -a` in
   *HP-UX*) sys=hpux ;;
-  *) sys=`../../../config.guess` ;;
+  *) sys=`sh $config_guess` ;;
 esac
 
 case "$2" in
@@ -39,7 +57,7 @@ esac
 case "$1" in
 
     start|up)
-	for ns in 1 2 3 4 5
+	for ns in 1 2 3 4 5 6
 	do
 		if test -n "$base"
 		then
@@ -54,9 +72,9 @@ case "$1" in
 		    *-sun-solaris2.[6-7])
 			ifconfig lo0:$int 10.53.0.$ns netmask 0xffffffff up
 			;;
-		    *-*-solaris2.[8-9]|*-*-solaris2.10)
-    			ifconfig lo0:$int plumb
-			ifconfig lo0:$int 10.53.0.$ns up
+		    *-*-solaris2.[8-9])
+    			/sbin/ifconfig lo0:$int plumb
+			/sbin/ifconfig lo0:$int 10.53.0.$ns up
 			;;
 		    *-*-linux*)
 			ifconfig lo:$int 10.53.0.$ns up netmask 255.255.255.0
@@ -76,10 +94,10 @@ case "$1" in
 		    *-sgi-irix6.*)
 			ifconfig lo0 alias 10.53.0.$ns
 			;;
-		    *-*-sysv5uw[7-8]*)
+		    *-*-sysv5uw7*|*-*-sysv*UnixWare*|*-*-sysv*OpenUNIX*)
 			ifconfig lo0 10.53.0.$ns alias netmask 0xffffffff
 			;;
-		    *-ibm-aix4.*|*-ibm-aix5.*)
+		    *-ibm-aix4.*)
 			ifconfig lo0 alias 10.53.0.$ns
 			;;
 		    hpux)
@@ -88,7 +106,7 @@ case "$1" in
 		    *-sco3.2v*)
 			ifconfig lo0 alias 10.53.0.$ns
 			;;
-		    *-darwin*)
+		    *-darwin5*)
 			ifconfig lo0 alias 10.53.0.$ns
 			;;
 	            *)
@@ -99,7 +117,7 @@ case "$1" in
 	;;
 
     stop|down)
-	for ns in 5 4 3 2 1
+	for ns in 6 5 4 3 2 1
 	do
 		if test -n "$base"
 		then
@@ -114,7 +132,7 @@ case "$1" in
 		    *-sun-solaris2.[6-7])
 			ifconfig lo0:$int 10.53.0.$ns down
 			;;
-		    *-*-solaris2.[8-9]|*-*-solaris2.10)
+		    *-*-solaris2.8)
 			ifconfig lo0:$int 10.53.0.$ns down
 			ifconfig lo0:$int 10.53.0.$ns unplumb
 			;;
@@ -136,10 +154,10 @@ case "$1" in
 		    *-sgi-irix6.*)
 			ifconfig lo0 -alias 10.53.0.$ns
 			;;
-		    *-*-sysv5uw[7-8]*)
+		    *-*-sysv5uw7*|*-*-sysv*UnixWare*|*-*-sysv*OpenUNIX*)
 			ifconfig lo0 -alias 10.53.0.$ns
 			;;
-		    *-ibm-aix4.*|*-ibm-aix5.*)
+		    *-ibm-aix4.*)
 			ifconfig lo0 delete 10.53.0.$ns
 			;;
 		    hpux)
@@ -148,7 +166,7 @@ case "$1" in
 		    *-sco3.2v*)
 			ifconfig lo0 -alias 10.53.0.$ns
 			;;
-		    *darwin*)
+		    *darwin5*)
 			ifconfig lo0 -alias 10.53.0.$ns
 			;;
 	            *)
diff --git a/bin/tests/system/ixfr/ans2/ans.pl b/bin/tests/system/ixfr/ans2/ans.pl
index d93f0e68..b082358b 100644
--- a/bin/tests/system/ixfr/ans2/ans.pl
+++ b/bin/tests/system/ixfr/ans2/ans.pl
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: ans.pl,v 1.2.2.1 2004/03/09 06:09:57 marka Exp $
+# $Id: ans.pl,v 1.2.206.1 2004/03/06 10:22:08 marka Exp $
 
 #
 # This is the name server from hell.  It provides canned
diff --git a/bin/tests/system/ixfr/clean.sh b/bin/tests/system/ixfr/clean.sh
index 1d367d3e..00d051cc 100644
--- a/bin/tests/system/ixfr/clean.sh
+++ b/bin/tests/system/ixfr/clean.sh
@@ -15,6 +15,6 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: clean.sh,v 1.2.2.1 2004/03/09 06:09:56 marka Exp $
+# $Id: clean.sh,v 1.2.206.1 2004/03/06 10:22:07 marka Exp $
 
 rm -f ns1/named.conf ns1/myftp.db
diff --git a/bin/tests/system/ixfr/prereq.sh b/bin/tests/system/ixfr/prereq.sh
index 96ffad2a..3d253610 100644
--- a/bin/tests/system/ixfr/prereq.sh
+++ b/bin/tests/system/ixfr/prereq.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: prereq.sh,v 1.2.2.1 2004/03/09 06:09:57 marka Exp $
+# $Id: prereq.sh,v 1.2.206.1 2004/03/06 10:22:07 marka Exp $
 
 if $PERL -e 'use Net::DNS;' 2>/dev/null
 then
diff --git a/bin/tests/system/ixfr/setup.sh b/bin/tests/system/ixfr/setup.sh
index 5269e287..262ea9d4 100644
--- a/bin/tests/system/ixfr/setup.sh
+++ b/bin/tests/system/ixfr/setup.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: setup.sh,v 1.1.2.1 2004/03/09 06:09:57 marka Exp $
+# $Id: setup.sh,v 1.1.206.1 2004/03/06 10:22:07 marka Exp $
 
 rm -f ns1/*.db ns1/*.jnl
 
diff --git a/bin/tests/system/ixfr/tests.sh b/bin/tests/system/ixfr/tests.sh
index 018ad892..6acf8f60 100644
--- a/bin/tests/system/ixfr/tests.sh
+++ b/bin/tests/system/ixfr/tests.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: tests.sh,v 1.2.2.1 2004/03/09 06:09:57 marka Exp $
+# $Id: tests.sh,v 1.2.206.1 2004/03/06 10:22:07 marka Exp $
 
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
diff --git a/bin/tests/system/limits/clean.sh b/bin/tests/system/limits/clean.sh
index 09a5c519..bb6aa79d 100644
--- a/bin/tests/system/limits/clean.sh
+++ b/bin/tests/system/limits/clean.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: clean.sh,v 1.7.2.1 2004/03/09 06:09:57 marka Exp $
+# $Id: clean.sh,v 1.7.206.1 2004/03/06 10:22:08 marka Exp $
 
 #
 # Clean up after limits tests.
diff --git a/bin/tests/system/limits/ns1/example.db b/bin/tests/system/limits/ns1/example.db
index 65201385..947423d0 100644
--- a/bin/tests/system/limits/ns1/example.db
+++ b/bin/tests/system/limits/ns1/example.db
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: example.db,v 1.7.2.1 2004/03/09 06:09:58 marka Exp $
+; $Id: example.db,v 1.7.206.1 2004/03/06 10:22:09 marka Exp $
 
 $TTL 300        ; 5 minutes
 @                 IN SOA  ns1.example. hostmaster.example. (
diff --git a/bin/tests/system/limits/ns1/named.conf b/bin/tests/system/limits/ns1/named.conf
index 8ca5ef59..534bb108 100644
--- a/bin/tests/system/limits/ns1/named.conf
+++ b/bin/tests/system/limits/ns1/named.conf
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.10.2.2 2004/03/09 06:09:58 marka Exp $ */
+/* $Id: named.conf,v 1.10.206.2 2004/03/06 10:22:09 marka Exp $ */
 
 controls { /* empty */ };
 
diff --git a/bin/tests/system/limits/ns1/root.db b/bin/tests/system/limits/ns1/root.db
index f43beda7..22b8893b 100644
--- a/bin/tests/system/limits/ns1/root.db
+++ b/bin/tests/system/limits/ns1/root.db
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: root.db,v 1.6.2.1 2004/03/09 06:09:58 marka Exp $
+; $Id: root.db,v 1.6.206.1 2004/03/06 10:22:09 marka Exp $
 
 $TTL 300
 . 			IN SOA	gson.nominum.com. a.root.servers.nil. (
diff --git a/bin/tests/system/limits/tests.sh b/bin/tests/system/limits/tests.sh
index 6f5da726..71a2c512 100644
--- a/bin/tests/system/limits/tests.sh
+++ b/bin/tests/system/limits/tests.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: tests.sh,v 1.14.2.1 2004/03/09 06:09:58 marka Exp $
+# $Id: tests.sh,v 1.14.206.1 2004/03/06 10:22:08 marka Exp $
 
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
diff --git a/bin/tests/system/lwresd/Makefile.in b/bin/tests/system/lwresd/Makefile.in
index 21a82bda..0b8f80e1 100644
--- a/bin/tests/system/lwresd/Makefile.in
+++ b/bin/tests/system/lwresd/Makefile.in
@@ -1,5 +1,5 @@
 # Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2000, 2001  Internet Software Consortium.
+# Copyright (C) 2000-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.12.2.3 2004/07/20 07:00:16 marka Exp $
+# $Id: Makefile.in,v 1.12.12.5 2004/03/08 04:04:37 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -21,7 +21,7 @@ top_srcdir =	@top_srcdir@
 
 @BIND9_VERSION@
 
-@BIND9_INCLUDES@
+@BIND9_MAKE_INCLUDES@
 
 CINCLUDES =	${LWRES_INCLUDES} ${ISC_INCLUDES}
 
@@ -38,7 +38,7 @@ DEPLIBS =	${LWRESDEPLIBS} ${ISCDEPLIBS}
 
 LIBS =		${LWRESLIBS} ${ISCLIBS} @LIBS@
 
-TARGETS =	lwtest
+TARGETS =	lwtest@EXEEXT@
 
 OBJS =		lwtest.@O@
 
@@ -46,10 +46,10 @@ SRCS =		lwtest.c
 
 @BIND9_MAKE_RULES@
 
-all: lwtest
+all: lwtest@EXEEXT@
 
-lwtest: ${OBJS} ${DEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ ${OBJS} ${LIBS}
+lwtest@EXEEXT@: ${OBJS} ${DEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} -o $@ ${OBJS} ${LIBS}
 
 clean distclean::
 	rm -f ${TARGETS}
diff --git a/bin/tests/system/lwresd/lwresd1/lwresd.conf b/bin/tests/system/lwresd/lwresd1/lwresd.conf
index 55b97f09..edcc1867 100644
--- a/bin/tests/system/lwresd/lwresd1/lwresd.conf
+++ b/bin/tests/system/lwresd/lwresd1/lwresd.conf
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwresd.conf,v 1.4.2.2 2004/03/09 06:10:00 marka Exp $ */
+/* $Id: lwresd.conf,v 1.4.206.2 2004/03/06 10:22:11 marka Exp $ */
 
 controls { /* empty */ };
 
diff --git a/bin/tests/system/lwresd/lwresd1/resolv.conf b/bin/tests/system/lwresd/lwresd1/resolv.conf
index f1ee91f8..7b2ed3c4 100644
--- a/bin/tests/system/lwresd/lwresd1/resolv.conf
+++ b/bin/tests/system/lwresd/lwresd1/resolv.conf
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: resolv.conf,v 1.8.2.1 2004/03/09 06:10:00 marka Exp $
+# $Id: resolv.conf,v 1.8.206.1 2004/03/06 10:22:11 marka Exp $
 
 nameserver 10.53.0.1
 lwserver 10.53.0.1
diff --git a/bin/tests/system/lwresd/lwtest.c b/bin/tests/system/lwresd/lwtest.c
index 2692025b..c21dc018 100644
--- a/bin/tests/system/lwresd/lwtest.c
+++ b/bin/tests/system/lwresd/lwtest.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003  Internet Software Consortium.
+ * Copyright (C) 2000-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwtest.c,v 1.22.2.5 2004/03/09 06:09:59 marka Exp $ */
+/* $Id: lwtest.c,v 1.22.2.4.2.4 2004/03/08 04:04:37 marka Exp $ */
 
 #include <config.h>
 
@@ -695,11 +695,11 @@ main(void) {
 	test_gnba("10.10.10.17", LWRES_ADDRTYPE_V4, LWRES_R_NOTFOUND,
 		  NULL);
 	test_gnba("0123:4567:89ab:cdef:0123:4567:89ab:cdef",
-		  LWRES_ADDRTYPE_V6, LWRES_R_SUCCESS, "nibble.example");
+		  LWRES_ADDRTYPE_V6, LWRES_R_SUCCESS, "ip6.int.example");
 	test_gnba("0123:4567:89ab:cdef:0123:4567:89ab:cde0",
 		  LWRES_ADDRTYPE_V6, LWRES_R_NOTFOUND, NULL);
 	test_gnba("1123:4567:89ab:cdef:0123:4567:89ab:cdef",
-		  LWRES_ADDRTYPE_V6, LWRES_R_SUCCESS, "bitstring.example");
+		  LWRES_ADDRTYPE_V6, LWRES_R_SUCCESS, "ip6.arpa.example");
 	test_gnba("1123:4567:89ab:cdef:0123:4567:89ab:cde0",
 		  LWRES_ADDRTYPE_V6, LWRES_R_NOTFOUND, NULL);
 
@@ -728,16 +728,16 @@ main(void) {
 	test_gethostbyaddr("10.10.10.1", AF_INET, "ipv4.example");
 	test_gethostbyaddr("10.10.10.17", AF_INET, NULL);
 	test_gethostbyaddr("0123:4567:89ab:cdef:0123:4567:89ab:cdef",
-			   AF_INET6, "nibble.example");
+			   AF_INET6, "ip6.int.example");
 	test_gethostbyaddr("1123:4567:89ab:cdef:0123:4567:89ab:cdef",
-			   AF_INET6, "bitstring.example");
+			   AF_INET6, "ip6.arpa.example");
 
 	test_getipnodebyaddr("10.10.10.1", AF_INET, "ipv4.example");
 	test_getipnodebyaddr("10.10.10.17", AF_INET, NULL);
 	test_getipnodebyaddr("0123:4567:89ab:cdef:0123:4567:89ab:cdef",
-			     AF_INET6, "nibble.example");
+			     AF_INET6, "ip6.int.example");
 	test_getipnodebyaddr("1123:4567:89ab:cdef:0123:4567:89ab:cdef",
-			     AF_INET6, "bitstring.example");
+			     AF_INET6, "ip6.arpa.example");
 
 	test_getaddrinfo("a.example1.", AF_INET, 1, 1, "10.0.1.1");
 	test_getaddrinfo("a.example1.", AF_INET, 1, 0, "10.0.1.1");
@@ -751,27 +751,18 @@ main(void) {
 	test_getnameinfo("10.10.10.1", AF_INET, "ipv4.example");
 	test_getnameinfo("10.10.10.17", AF_INET, NULL);
 	test_getnameinfo("0123:4567:89ab:cdef:0123:4567:89ab:cdef",
-			 AF_INET6, "nibble.example");
+			 AF_INET6, "ip6.int.example");
 	test_getnameinfo("1123:4567:89ab:cdef:0123:4567:89ab:cdef",
-			 AF_INET6, "bitstring.example");
+			 AF_INET6, "ip6.arpa.example");
 	test_getnameinfo("1122:3344:5566:7788:99aa:bbcc:ddee:ff00",
 			 AF_INET6, "dname.example1");
 
-#ifdef ISC_RFC_2535
 	test_getrrsetbyname("a", 1, 1, 1, 0, 1);
 	test_getrrsetbyname("a.example1.", 1, 1, 1, 0, 1);
 	test_getrrsetbyname("e.example1.", 1, 1, 1, 1, 1);
 	test_getrrsetbyname("e.example1.", 1, 255, 1, 1, 0);
-	test_getrrsetbyname("e.example1.", 1, 24, 1, 0, 1);
+	test_getrrsetbyname("e.example1.", 1, 46, 1, 0, 1);
 	test_getrrsetbyname("", 1, 1, 0, 0, 0);
-#else
-	test_getrrsetbyname("a", 1, 1, 1, 0, 1);
-	test_getrrsetbyname("a.example1.", 1, 1, 1, 0, 1);
-	test_getrrsetbyname("e.example1.", 1, 1, 1, 0, 1);
-	test_getrrsetbyname("e.example1.", 1, 255, 1, 0, 0);
-	/* test_getrrsetbyname("e.example1.", 1, 24, 1, 0, 1); */
-	test_getrrsetbyname("", 1, 1, 0, 0, 0);
-#endif
 
 	if (fails == 0)
 		printf("I:ok\n");
diff --git a/bin/tests/system/lwresd/ns1/10.10.10.in-addr.arpa.db b/bin/tests/system/lwresd/ns1/10.10.10.in-addr.arpa.db
index f4e17d46..fa79dcfa 100644
--- a/bin/tests/system/lwresd/ns1/10.10.10.in-addr.arpa.db
+++ b/bin/tests/system/lwresd/ns1/10.10.10.in-addr.arpa.db
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: 10.10.10.in-addr.arpa.db,v 1.7.2.1 2004/03/09 06:10:00 marka Exp $
+; $Id: 10.10.10.in-addr.arpa.db,v 1.7.206.1 2004/03/06 10:22:11 marka Exp $
 
 $TTL 300	; 5 minutes
 @	IN SOA  mname1. . (
diff --git a/bin/tests/system/lwresd/ns1/example1.db b/bin/tests/system/lwresd/ns1/example1.db
index 6a390658..cb4b1b34 100644
--- a/bin/tests/system/lwresd/ns1/example1.db
+++ b/bin/tests/system/lwresd/ns1/example1.db
@@ -1,5 +1,5 @@
 ; Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
-; Copyright (C) 2000, 2001  Internet Software Consortium.
+; Copyright (C) 2000-2003  Internet Software Consortium.
 ;
 ; Permission to use, copy, modify, and distribute this software for any
 ; purpose with or without fee is hereby granted, provided that the above
@@ -13,11 +13,11 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: example1.db,v 1.10.2.1 2004/03/09 06:10:00 marka Exp $
+; $Id: example1.db,v 1.10.22.6 2004/03/08 04:04:37 marka Exp $
 
 $TTL 300	; 5 minutes
 @			IN SOA	mname1. . (
-				2000062101 ; serial
+				2002082210 ; serial
 				20         ; refresh (20 seconds)
 				20         ; retry (20 seconds)
 				1814400    ; expire (3 weeks)
@@ -29,12 +29,10 @@ ns			A	10.53.0.1
 a			A	10.0.1.1
 a2			CNAME	a
 a3			CNAME	nowhere
-b			A6	64 ::ffff:ffff:ffff:ffff c
-c			A6	0 eeee:eeee:eeee:eeee::
-d			A6	64 ::ffff:ffff:ffff:ffff e
-\[x7788/16]		DNAME	net
-\[x99aabbccddeeff00/64].net	PTR	dname
+b			AAAA	eeee:eeee:eeee:eeee:ffff:ffff:ffff:ffff
+8.8.7.7			DNAME	net
+0.0.f.f.e.e.d.d.c.c.b.b.a.a.9.9.net PTR     dname
 e			A	10.0.1.1
-			SIG	A 1 1 300 20001202003412 (
+			RRSIG	A 1 1 300 20001202003412 (
 				20001102003412 1 example. abcd )
 
diff --git a/bin/tests/system/lwresd/ns1/example2.db b/bin/tests/system/lwresd/ns1/example2.db
index b3174ebf..9e5ca10e 100644
--- a/bin/tests/system/lwresd/ns1/example2.db
+++ b/bin/tests/system/lwresd/ns1/example2.db
@@ -1,5 +1,5 @@
 ; Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
-; Copyright (C) 2000, 2001  Internet Software Consortium.
+; Copyright (C) 2000-2002  Internet Software Consortium.
 ;
 ; Permission to use, copy, modify, and distribute this software for any
 ; purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: example2.db,v 1.6.2.1 2004/03/09 06:10:00 marka Exp $
+; $Id: example2.db,v 1.6.74.3 2004/03/08 04:04:37 marka Exp $
 
 $TTL 300	; 5 minutes
 @			IN SOA	mname1. . (
@@ -27,5 +27,4 @@ $TTL 300	; 5 minutes
 ns			A	10.53.0.1
 
 a			A	10.0.2.1
-b			A6	64 ::ffff:ffff:ffff:ffff c
-c			A6	0 eeee:eeee:eeee:eeee::
+b			AAAA	eeee:eeee:eeee:eeee:ffff:ffff:ffff:ffff
diff --git a/bin/tests/system/lwresd/ns1/ip6.arpa.db b/bin/tests/system/lwresd/ns1/ip6.arpa.db
index 1a9570ea..de3a9f7e 100644
--- a/bin/tests/system/lwresd/ns1/ip6.arpa.db
+++ b/bin/tests/system/lwresd/ns1/ip6.arpa.db
@@ -1,5 +1,5 @@
 ; Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
-; Copyright (C) 2000, 2001  Internet Software Consortium.
+; Copyright (C) 2000-2002  Internet Software Consortium.
 ;
 ; Permission to use, copy, modify, and distribute this software for any
 ; purpose with or without fee is hereby granted, provided that the above
@@ -13,11 +13,11 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: ip6.arpa.db,v 1.7.2.1 2004/03/09 06:10:01 marka Exp $
+; $Id: ip6.arpa.db,v 1.7.22.3 2004/03/08 04:04:38 marka Exp $
 
 $TTL 300	; 5 minutes
 @	IN SOA  mname1. . (
-		2000062101	; serial
+		2002082300	; serial
 		20		; refresh (20 seconds)
 		20		; retry (20 seconds)
 		1814400		; expire (3 weeks)
@@ -26,5 +26,5 @@ $TTL 300	; 5 minutes
 	NS	ns
 ns	A	10.53.0.1
 
-\[x1123456789abcdef0123456789abcdef/128] PTR bitstring.example.
-\[x112233445566/48] DNAME example1.
+f.e.d.c.b.a.9.8.7.6.5.4.3.2.1.0.f.e.d.c.b.a.9.8.7.6.5.4.3.2.1.1 PTR ip6.arpa.example.
+6.6.5.5.4.4.3.3.2.2.1.1 DNAME example1.
diff --git a/bin/tests/system/lwresd/ns1/ip6.int.db b/bin/tests/system/lwresd/ns1/ip6.int.db
index fca712e1..8c0a01c6 100644
--- a/bin/tests/system/lwresd/ns1/ip6.int.db
+++ b/bin/tests/system/lwresd/ns1/ip6.int.db
@@ -1,5 +1,5 @@
 ; Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
-; Copyright (C) 2000, 2001  Internet Software Consortium.
+; Copyright (C) 2000-2002  Internet Software Consortium.
 ;
 ; Permission to use, copy, modify, and distribute this software for any
 ; purpose with or without fee is hereby granted, provided that the above
@@ -13,11 +13,11 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: ip6.int.db,v 1.7.2.1 2004/03/09 06:10:01 marka Exp $
+; $Id: ip6.int.db,v 1.7.22.3 2004/03/08 04:04:38 marka Exp $
 
 $TTL 300	; 5 minutes
 @	IN SOA  mname1. . (
-		2000062001	; serial
+		2002082300	; serial
 		20		; refresh (20 seconds)
 		20		; retry (20 seconds)
 		1814400		; expire (3 weeks)
@@ -26,4 +26,4 @@ $TTL 300	; 5 minutes
 	NS	ns
 ns	A	10.53.0.1
 
-f.e.d.c.b.a.9.8.7.6.5.4.3.2.1.0.f.e.d.c.b.a.9.8.7.6.5.4.3.2.1.0	PTR nibble.example.
+f.e.d.c.b.a.9.8.7.6.5.4.3.2.1.0.f.e.d.c.b.a.9.8.7.6.5.4.3.2.1.0	PTR ip6.int.example.
diff --git a/bin/tests/system/lwresd/ns1/named.conf b/bin/tests/system/lwresd/ns1/named.conf
index e6d6709b..8ef6f6ab 100644
--- a/bin/tests/system/lwresd/ns1/named.conf
+++ b/bin/tests/system/lwresd/ns1/named.conf
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.11.2.2 2004/03/09 06:10:01 marka Exp $ */
+/* $Id: named.conf,v 1.11.206.4 2004/03/10 02:55:56 marka Exp $ */
 
 controls { /* empty */ };
 
@@ -29,6 +29,7 @@ options {
 	listen-on-v6 { none; };
 	recursion no;
 	notify no;
+	dnssec-enable yes;
 };
 
 zone "." {
diff --git a/bin/tests/system/lwresd/ns1/root.db b/bin/tests/system/lwresd/ns1/root.db
index fbbbae1a..fec74c46 100644
--- a/bin/tests/system/lwresd/ns1/root.db
+++ b/bin/tests/system/lwresd/ns1/root.db
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: root.db,v 1.6.2.1 2004/03/09 06:10:01 marka Exp $
+; $Id: root.db,v 1.6.206.1 2004/03/06 10:22:12 marka Exp $
 
 $TTL 300
 . 			IN SOA	gson.nominum.com. a.root.servers.nil. (
diff --git a/bin/tests/system/lwresd/resolv.conf b/bin/tests/system/lwresd/resolv.conf
index c0a79695..327ce2b3 100644
--- a/bin/tests/system/lwresd/resolv.conf
+++ b/bin/tests/system/lwresd/resolv.conf
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: resolv.conf,v 1.8.2.1 2004/03/09 06:09:59 marka Exp $
+# $Id: resolv.conf,v 1.8.206.1 2004/03/06 10:22:10 marka Exp $
 
 nameserver 10.53.0.1
 lwserver 10.53.0.1
diff --git a/bin/tests/system/lwresd/tests.sh b/bin/tests/system/lwresd/tests.sh
index d59e0dc3..2c265302 100644
--- a/bin/tests/system/lwresd/tests.sh
+++ b/bin/tests/system/lwresd/tests.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: tests.sh,v 1.14.2.1 2004/03/09 06:09:59 marka Exp $
+# $Id: tests.sh,v 1.14.206.1 2004/03/06 10:22:10 marka Exp $
 
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
diff --git a/bin/tests/system/masterfile/clean.sh b/bin/tests/system/masterfile/clean.sh
index 05baa7d3..75559a77 100644
--- a/bin/tests/system/masterfile/clean.sh
+++ b/bin/tests/system/masterfile/clean.sh
@@ -15,6 +15,6 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: clean.sh,v 1.1.2.1 2004/03/09 06:10:01 marka Exp $
+# $Id: clean.sh,v 1.1.206.1 2004/03/06 10:22:13 marka Exp $
 
 rm -f dig.out
diff --git a/bin/tests/system/masterfile/ns1/include.db b/bin/tests/system/masterfile/ns1/include.db
index c46e5e03..ed4ed3e9 100644
--- a/bin/tests/system/masterfile/ns1/include.db
+++ b/bin/tests/system/masterfile/ns1/include.db
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: include.db,v 1.2.2.1 2004/03/09 06:10:02 marka Exp $
+; $Id: include.db,v 1.2.206.1 2004/03/06 10:22:13 marka Exp $
 
 ; Test $INCLUDE current domain name and origin semantics
 
diff --git a/bin/tests/system/masterfile/ns1/named.conf b/bin/tests/system/masterfile/ns1/named.conf
index 4510a7a5..a4a7cd2f 100644
--- a/bin/tests/system/masterfile/ns1/named.conf
+++ b/bin/tests/system/masterfile/ns1/named.conf
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.2.2.2 2004/03/09 06:10:02 marka Exp $ */
+/* $Id: named.conf,v 1.2.206.2 2004/03/06 10:22:13 marka Exp $ */
 
 controls { /* empty */ };
 
diff --git a/bin/tests/system/masterfile/ns1/sub.db b/bin/tests/system/masterfile/ns1/sub.db
index 54423beb..6d989bff 100644
--- a/bin/tests/system/masterfile/ns1/sub.db
+++ b/bin/tests/system/masterfile/ns1/sub.db
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: sub.db,v 1.2.2.1 2004/03/09 06:10:02 marka Exp $
+; $Id: sub.db,v 1.2.206.1 2004/03/06 10:22:14 marka Exp $
 
 a		A	10.0.1.1
 $ORIGIN foo
diff --git a/bin/tests/system/masterfile/ns1/ttl1.db b/bin/tests/system/masterfile/ns1/ttl1.db
index 1e7192e6..fd9012fd 100644
--- a/bin/tests/system/masterfile/ns1/ttl1.db
+++ b/bin/tests/system/masterfile/ns1/ttl1.db
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: ttl1.db,v 1.2.2.1 2004/03/09 06:10:02 marka Exp $
+; $Id: ttl1.db,v 1.2.206.1 2004/03/06 10:22:14 marka Exp $
 
 @			IN SOA	ns hostmaster (
 				1        ; serial
diff --git a/bin/tests/system/masterfile/ns1/ttl2.db b/bin/tests/system/masterfile/ns1/ttl2.db
index 9e1d97fa..20fb3ca0 100644
--- a/bin/tests/system/masterfile/ns1/ttl2.db
+++ b/bin/tests/system/masterfile/ns1/ttl2.db
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: ttl2.db,v 1.2.2.1 2004/03/09 06:10:02 marka Exp $
+; $Id: ttl2.db,v 1.2.206.1 2004/03/06 10:22:14 marka Exp $
 
 @		1	IN SOA	ns hostmaster (
 				1        ; serial
diff --git a/bin/tests/system/masterfile/tests.sh b/bin/tests/system/masterfile/tests.sh
index 2fae13ab..d8c7fe5e 100644
--- a/bin/tests/system/masterfile/tests.sh
+++ b/bin/tests/system/masterfile/tests.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: tests.sh,v 1.2.2.1 2004/03/09 06:10:01 marka Exp $
+# $Id: tests.sh,v 1.2.206.1 2004/03/06 10:22:13 marka Exp $
 
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
diff --git a/bin/tests/system/notify/clean.sh b/bin/tests/system/notify/clean.sh
index c0b0e81c..8593b6ae 100644
--- a/bin/tests/system/notify/clean.sh
+++ b/bin/tests/system/notify/clean.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: clean.sh,v 1.7.2.2 2004/03/10 01:05:03 marka Exp $
+# $Id: clean.sh,v 1.7.206.2 2004/03/10 01:05:52 marka Exp $
 
 #
 # Clean up after zone transfer tests.
diff --git a/bin/tests/system/notify/ns1/named.conf b/bin/tests/system/notify/ns1/named.conf
index 77c7f532..9a02f4f1 100644
--- a/bin/tests/system/notify/ns1/named.conf
+++ b/bin/tests/system/notify/ns1/named.conf
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.14.2.2 2004/03/09 06:10:03 marka Exp $ */
+/* $Id: named.conf,v 1.14.206.2 2004/03/06 10:22:15 marka Exp $ */
 
 controls { /* empty */ };
 
diff --git a/bin/tests/system/notify/ns1/root.db b/bin/tests/system/notify/ns1/root.db
index 89190e42..1f19427d 100644
--- a/bin/tests/system/notify/ns1/root.db
+++ b/bin/tests/system/notify/ns1/root.db
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: root.db,v 1.6.2.1 2004/03/09 06:10:03 marka Exp $
+; $Id: root.db,v 1.6.206.1 2004/03/06 10:22:15 marka Exp $
 
 $TTL 300
 . 			IN SOA	gson.nominum.com. a.root.servers.nil. (
diff --git a/bin/tests/system/notify/ns2/example1.db b/bin/tests/system/notify/ns2/example1.db
index 361fe48f..49690e53 100644
--- a/bin/tests/system/notify/ns2/example1.db
+++ b/bin/tests/system/notify/ns2/example1.db
@@ -1,5 +1,5 @@
 ; Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
-; Copyright (C) 2000, 2001  Internet Software Consortium.
+; Copyright (C) 2000-2002  Internet Software Consortium.
 ;
 ; Permission to use, copy, modify, and distribute this software for any
 ; purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: example1.db,v 1.7.2.1 2004/03/09 06:10:04 marka Exp $
+; $Id: example1.db,v 1.7.12.4 2004/03/08 04:04:41 marka Exp $
 
 $ORIGIN .
 $TTL 300	; 5 minutes
@@ -34,10 +34,7 @@ a			A	10.0.0.1
 $TTL 3600	; 1 hour
 a01			A	0.0.0.0
 a02			A	255.255.255.255
-a601			A6	0 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
-			A6	64 ::ffff:ffff:ffff:ffff foo.
-			A6	127 ::1 foo.
-			A6	128  .
+a601			AAAA	ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
 afsdb01			AFSDB	0 hostname
 afsdb02			AFSDB	65535 .
 $TTL 300	; 5 minutes
@@ -87,10 +84,6 @@ loc01			LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
 loc02			LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
 mb01			MG	madname
 mb02			MG	.
-md01			MD	madname
-			MD	.
-mf01			MF	madname
-			MF	.
 mg01			MG	mgmname
 mg02			MG	.
 minfo01			MINFO	rmailbx emailbx
diff --git a/bin/tests/system/notify/ns2/example2.db b/bin/tests/system/notify/ns2/example2.db
index e66c6ebb..c34737ba 100644
--- a/bin/tests/system/notify/ns2/example2.db
+++ b/bin/tests/system/notify/ns2/example2.db
@@ -1,5 +1,5 @@
 ; Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
-; Copyright (C) 2000, 2001  Internet Software Consortium.
+; Copyright (C) 2000-2002  Internet Software Consortium.
 ;
 ; Permission to use, copy, modify, and distribute this software for any
 ; purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: example2.db,v 1.7.2.1 2004/03/09 06:10:04 marka Exp $
+; $Id: example2.db,v 1.7.12.4 2004/03/08 04:04:41 marka Exp $
 
 $ORIGIN .
 $TTL 300	; 5 minutes
@@ -34,10 +34,7 @@ a			A	10.0.0.2
 $TTL 3600	; 1 hour
 a01			A	0.0.0.0
 a02			A	255.255.255.255
-a601			A6	0 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
-			A6	64 ::ffff:ffff:ffff:ffff foo.
-			A6	127 ::1 foo.
-			A6	128  .
+a601			AAAA	ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
 afsdb01			AFSDB	0 hostname
 afsdb02			AFSDB	65535 .
 $TTL 300	; 5 minutes
@@ -87,10 +84,6 @@ loc01			LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
 loc02			LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
 mb01			MG	madname
 mb02			MG	.
-md01			MD	madname
-			MD	.
-mf01			MF	madname
-			MF	.
 mg01			MG	mgmname
 mg02			MG	.
 minfo01			MINFO	rmailbx emailbx
diff --git a/bin/tests/system/notify/ns2/example3.db b/bin/tests/system/notify/ns2/example3.db
index d8363916..570e0a94 100644
--- a/bin/tests/system/notify/ns2/example3.db
+++ b/bin/tests/system/notify/ns2/example3.db
@@ -1,5 +1,5 @@
 ; Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
-; Copyright (C) 2000, 2001  Internet Software Consortium.
+; Copyright (C) 2000-2002  Internet Software Consortium.
 ;
 ; Permission to use, copy, modify, and distribute this software for any
 ; purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: example3.db,v 1.7.2.1 2004/03/09 06:10:04 marka Exp $
+; $Id: example3.db,v 1.7.12.4 2004/03/08 04:04:41 marka Exp $
 
 $ORIGIN .
 $TTL 300	; 5 minutes
@@ -34,10 +34,7 @@ a			A	10.0.0.3
 $TTL 3600	; 1 hour
 a01			A	0.0.0.0
 a02			A	255.255.255.255
-a601			A6	0 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
-			A6	64 ::ffff:ffff:ffff:ffff foo.
-			A6	127 ::1 foo.
-			A6	128  .
+a601			AAAA	ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
 afsdb01			AFSDB	0 hostname
 afsdb02			AFSDB	65535 .
 $TTL 300	; 5 minutes
@@ -87,10 +84,6 @@ loc01			LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
 loc02			LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
 mb01			MG	madname
 mb02			MG	.
-md01			MD	madname
-			MD	.
-mf01			MF	madname
-			MF	.
 mg01			MG	mgmname
 mg02			MG	.
 minfo01			MINFO	rmailbx emailbx
diff --git a/bin/tests/system/notify/ns2/example4.db b/bin/tests/system/notify/ns2/example4.db
index 86948794..132ee0ae 100644
--- a/bin/tests/system/notify/ns2/example4.db
+++ b/bin/tests/system/notify/ns2/example4.db
@@ -1,5 +1,5 @@
 ; Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
-; Copyright (C) 2000, 2001  Internet Software Consortium.
+; Copyright (C) 2000-2002  Internet Software Consortium.
 ;
 ; Permission to use, copy, modify, and distribute this software for any
 ; purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: example4.db,v 1.7.2.1 2004/03/09 06:10:04 marka Exp $
+; $Id: example4.db,v 1.7.12.4 2004/03/08 04:04:42 marka Exp $
 
 $ORIGIN .
 $TTL 300	; 5 minutes
@@ -34,10 +34,7 @@ a			A	10.0.0.4
 $TTL 3600	; 1 hour
 a01			A	0.0.0.0
 a02			A	255.255.255.255
-a601			A6	0 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
-			A6	64 ::ffff:ffff:ffff:ffff foo.
-			A6	127 ::1 foo.
-			A6	128  .
+a601			AAAA	ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
 afsdb01			AFSDB	0 hostname
 afsdb02			AFSDB	65535 .
 $TTL 300	; 5 minutes
@@ -87,10 +84,6 @@ loc01			LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
 loc02			LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
 mb01			MG	madname
 mb02			MG	.
-md01			MD	madname
-			MD	.
-mf01			MF	madname
-			MF	.
 mg01			MG	mgmname
 mg02			MG	.
 minfo01			MINFO	rmailbx emailbx
diff --git a/bin/tests/system/notify/ns2/named.conf b/bin/tests/system/notify/ns2/named.conf
index d0c87b92..1efe9626 100644
--- a/bin/tests/system/notify/ns2/named.conf
+++ b/bin/tests/system/notify/ns2/named.conf
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.16.2.2 2004/03/09 06:10:04 marka Exp $ */
+/* $Id: named.conf,v 1.16.206.2 2004/03/06 10:22:17 marka Exp $ */
 
 controls { /* empty */ };
 
diff --git a/bin/tests/system/notify/ns3/named.conf b/bin/tests/system/notify/ns3/named.conf
index 7cee1152..7e94c631 100644
--- a/bin/tests/system/notify/ns3/named.conf
+++ b/bin/tests/system/notify/ns3/named.conf
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.19.2.2 2004/03/09 06:10:05 marka Exp $ */
+/* $Id: named.conf,v 1.19.206.2 2004/03/06 10:22:17 marka Exp $ */
 
 controls { /* empty */ };
 
diff --git a/bin/tests/system/notify/setup.sh b/bin/tests/system/notify/setup.sh
index 62af36b6..07614b75 100644
--- a/bin/tests/system/notify/setup.sh
+++ b/bin/tests/system/notify/setup.sh
@@ -15,6 +15,6 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: setup.sh,v 1.6.2.2 2004/03/10 01:05:03 marka Exp $
+# $Id: setup.sh,v 1.6.206.2 2004/03/10 01:05:53 marka Exp $
 
 cp -f ns2/example1.db ns2/example.db
diff --git a/bin/tests/system/notify/tests.sh b/bin/tests/system/notify/tests.sh
index a39e2d0f..932c3e36 100644
--- a/bin/tests/system/notify/tests.sh
+++ b/bin/tests/system/notify/tests.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: tests.sh,v 1.29.2.2 2004/03/10 01:05:03 marka Exp $
+# $Id: tests.sh,v 1.29.206.2 2004/03/10 01:05:53 marka Exp $
 
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
diff --git a/bin/tests/system/nsupdate/clean.sh b/bin/tests/system/nsupdate/clean.sh
index 28b55813..57619b18 100644
--- a/bin/tests/system/nsupdate/clean.sh
+++ b/bin/tests/system/nsupdate/clean.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: clean.sh,v 1.7.2.2 2004/03/10 01:05:04 marka Exp $
+# $Id: clean.sh,v 1.7.206.2 2004/03/10 01:05:54 marka Exp $
 
 #
 # Clean up after zone transfer tests.
diff --git a/bin/tests/system/nsupdate/knowngood.ns1.after b/bin/tests/system/nsupdate/knowngood.ns1.after
index 41e9d6eb..0d815925 100644
--- a/bin/tests/system/nsupdate/knowngood.ns1.after
+++ b/bin/tests/system/nsupdate/knowngood.ns1.after
@@ -6,10 +6,7 @@ a.example.nil.		300	IN	TXT	"foo foo foo"
 a.example.nil.		300	IN	PTR	foo.net.
 a01.example.nil.	3600	IN	A	0.0.0.0
 a02.example.nil.	3600	IN	A	255.255.255.255
-a601.example.nil.	3600	IN	A6	0 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
-a601.example.nil.	3600	IN	A6	64 ::ffff:ffff:ffff:ffff foo.
-a601.example.nil.	3600	IN	A6	127 ::1 foo.
-a601.example.nil.	3600	IN	A6	128  .
+a601.example.nil.	3600	IN	AAAA	ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
 afsdb01.example.nil.	3600	IN	AFSDB	0 hostname.example.nil.
 afsdb02.example.nil.	3600	IN	AFSDB	65535 .
 b.example.nil.		300	IN	CNAME	foo.net.
@@ -46,10 +43,6 @@ loc01.example.nil.	3600	IN	LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
 loc02.example.nil.	3600	IN	LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
 mb01.example.nil.	3600	IN	MG	madname.example.nil.
 mb02.example.nil.	3600	IN	MG	.
-md01.example.nil.	3600	IN	MD	madname.example.nil.
-md01.example.nil.	3600	IN	MD	.
-mf01.example.nil.	3600	IN	MF	madname.example.nil.
-mf01.example.nil.	3600	IN	MF	.
 mg01.example.nil.	3600	IN	MG	mgmname.example.nil.
 mg02.example.nil.	3600	IN	MG	.
 minfo01.example.nil.	3600	IN	MINFO	rmailbx.example.nil. emailbx.example.nil.
diff --git a/bin/tests/system/nsupdate/knowngood.ns1.before b/bin/tests/system/nsupdate/knowngood.ns1.before
index 46c9c75a..3b0e30c3 100644
--- a/bin/tests/system/nsupdate/knowngood.ns1.before
+++ b/bin/tests/system/nsupdate/knowngood.ns1.before
@@ -6,10 +6,7 @@ a.example.nil.		300	IN	TXT	"foo foo foo"
 a.example.nil.		300	IN	PTR	foo.net.
 a01.example.nil.	3600	IN	A	0.0.0.0
 a02.example.nil.	3600	IN	A	255.255.255.255
-a601.example.nil.	3600	IN	A6	0 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
-a601.example.nil.	3600	IN	A6	64 ::ffff:ffff:ffff:ffff foo.
-a601.example.nil.	3600	IN	A6	127 ::1 foo.
-a601.example.nil.	3600	IN	A6	128  .
+a601.example.nil.	3600	IN	AAAA	ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
 afsdb01.example.nil.	3600	IN	AFSDB	0 hostname.example.nil.
 afsdb02.example.nil.	3600	IN	AFSDB	65535 .
 b.example.nil.		300	IN	CNAME	foo.net.
@@ -46,10 +43,6 @@ loc01.example.nil.	3600	IN	LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
 loc02.example.nil.	3600	IN	LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
 mb01.example.nil.	3600	IN	MG	madname.example.nil.
 mb02.example.nil.	3600	IN	MG	.
-md01.example.nil.	3600	IN	MD	madname.example.nil.
-md01.example.nil.	3600	IN	MD	.
-mf01.example.nil.	3600	IN	MF	madname.example.nil.
-mf01.example.nil.	3600	IN	MF	.
 mg01.example.nil.	3600	IN	MG	mgmname.example.nil.
 mg02.example.nil.	3600	IN	MG	.
 minfo01.example.nil.	3600	IN	MINFO	rmailbx.example.nil. emailbx.example.nil.
diff --git a/bin/tests/system/nsupdate/ns1/example1.db b/bin/tests/system/nsupdate/ns1/example1.db
index b1597c8a..f7b77a11 100644
--- a/bin/tests/system/nsupdate/ns1/example1.db
+++ b/bin/tests/system/nsupdate/ns1/example1.db
@@ -1,5 +1,5 @@
 ; Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
-; Copyright (C) 2000, 2001  Internet Software Consortium.
+; Copyright (C) 2000-2002  Internet Software Consortium.
 ;
 ; Permission to use, copy, modify, and distribute this software for any
 ; purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: example1.db,v 1.2.2.1 2004/03/09 06:10:05 marka Exp $
+; $Id: example1.db,v 1.2.12.4 2004/03/08 04:04:42 marka Exp $
 
 $ORIGIN .
 $TTL 300	; 5 minutes
@@ -36,10 +36,7 @@ a			TXT	"foo foo foo"
 $TTL 3600	; 1 hour
 a01			A	0.0.0.0
 a02			A	255.255.255.255
-a601			A6	0 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
-			A6	64 ::ffff:ffff:ffff:ffff foo.
-			A6	127 ::1 foo.
-			A6	128  .
+a601			AAAA	ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
 afsdb01			AFSDB	0 hostname
 afsdb02			AFSDB	65535 .
 $TTL 300	; 5 minutes
@@ -89,10 +86,6 @@ loc01			LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
 loc02			LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
 mb01			MG	madname
 mb02			MG	.
-md01			MD	madname
-			MD	.
-mf01			MF	madname
-			MF	.
 mg01			MG	mgmname
 mg02			MG	.
 minfo01			MINFO	rmailbx emailbx
diff --git a/bin/tests/system/nsupdate/ns1/named.conf b/bin/tests/system/nsupdate/ns1/named.conf
index bfe93608..7873cfd5 100644
--- a/bin/tests/system/nsupdate/ns1/named.conf
+++ b/bin/tests/system/nsupdate/ns1/named.conf
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.10.2.2 2004/03/09 06:10:06 marka Exp $ */
+/* $Id: named.conf,v 1.10.206.2 2004/03/06 10:22:18 marka Exp $ */
 
 controls { /* empty */ };
 
diff --git a/bin/tests/system/nsupdate/ns2/named.conf b/bin/tests/system/nsupdate/ns2/named.conf
index 3f7897d1..cd1a330e 100644
--- a/bin/tests/system/nsupdate/ns2/named.conf
+++ b/bin/tests/system/nsupdate/ns2/named.conf
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.9.2.2 2004/03/09 06:10:06 marka Exp $ */
+/* $Id: named.conf,v 1.9.206.2 2004/03/06 10:22:18 marka Exp $ */
 
 controls { /* empty */ };
 
diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh
index 88faf680..7400a338 100644
--- a/bin/tests/system/nsupdate/setup.sh
+++ b/bin/tests/system/nsupdate/setup.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: setup.sh,v 1.6.2.2 2004/03/10 01:05:04 marka Exp $
+# $Id: setup.sh,v 1.6.206.2 2004/03/10 01:05:54 marka Exp $
 
 #
 # jnl and database files MUST be removed before we start
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
index b8d95a68..52871689 100644
--- a/bin/tests/system/nsupdate/tests.sh
+++ b/bin/tests/system/nsupdate/tests.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: tests.sh,v 1.22.2.1 2004/03/09 06:10:05 marka Exp $
+# $Id: tests.sh,v 1.22.206.1 2004/03/06 10:22:18 marka Exp $
 
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
diff --git a/bin/tests/system/nsupdate/update_test.pl b/bin/tests/system/nsupdate/update_test.pl
index 1654657f..8ee30409 100644
--- a/bin/tests/system/nsupdate/update_test.pl
+++ b/bin/tests/system/nsupdate/update_test.pl
@@ -37,7 +37,7 @@
 #
 #    perl -MCPAN -e "install Net::DNS"
 #
-# $Id: update_test.pl,v 1.7.2.1 2004/03/09 06:10:05 marka Exp $
+# $Id: update_test.pl,v 1.7.206.1 2004/03/06 10:22:18 marka Exp $
 #
 
 use Getopt::Std;
diff --git a/bin/tests/system/resolver/ans2/ans.pl b/bin/tests/system/resolver/ans2/ans.pl
index b76153e7..a5c5d452 100644
--- a/bin/tests/system/resolver/ans2/ans.pl
+++ b/bin/tests/system/resolver/ans2/ans.pl
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: ans.pl,v 1.6.2.1 2004/03/09 06:10:09 marka Exp $
+# $Id: ans.pl,v 1.6.206.1 2004/03/06 10:22:22 marka Exp $
 
 #
 # Ad hoc name server
diff --git a/bin/tests/system/resolver/ans3/ans.pl b/bin/tests/system/resolver/ans3/ans.pl
index c30b28e3..dd069339 100644
--- a/bin/tests/system/resolver/ans3/ans.pl
+++ b/bin/tests/system/resolver/ans3/ans.pl
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: ans.pl,v 1.5.2.1 2004/03/09 06:10:10 marka Exp $
+# $Id: ans.pl,v 1.5.206.1 2004/03/06 10:22:23 marka Exp $
 
 #
 # Ad hoc name server
diff --git a/bin/tests/system/resolver/ns1/named.conf b/bin/tests/system/resolver/ns1/named.conf
index 6071d8ec..ffb113cd 100644
--- a/bin/tests/system/resolver/ns1/named.conf
+++ b/bin/tests/system/resolver/ns1/named.conf
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.8.2.2 2004/03/09 06:10:10 marka Exp $ */
+/* $Id: named.conf,v 1.8.206.2 2004/03/06 10:22:23 marka Exp $ */
 
 controls { /* empty */ };
 
diff --git a/bin/tests/system/resolver/ns1/root.hint b/bin/tests/system/resolver/ns1/root.hint
index e8d2f7ca..683d7e91 100644
--- a/bin/tests/system/resolver/ns1/root.hint
+++ b/bin/tests/system/resolver/ns1/root.hint
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: root.hint,v 1.4.2.1 2004/03/09 06:10:10 marka Exp $
+; $Id: root.hint,v 1.4.206.1 2004/03/06 10:22:23 marka Exp $
 
 $TTL 999999
 .			 IN NS	a.root-servers.nil.
diff --git a/bin/tests/system/resolver/prereq.sh b/bin/tests/system/resolver/prereq.sh
index 9fe53841..4494c1f5 100644
--- a/bin/tests/system/resolver/prereq.sh
+++ b/bin/tests/system/resolver/prereq.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: prereq.sh,v 1.4.2.1 2004/03/09 06:10:09 marka Exp $
+# $Id: prereq.sh,v 1.4.206.1 2004/03/06 10:22:22 marka Exp $
 
 if $PERL -e 'use Net::DNS;' 2>/dev/null
 then
diff --git a/bin/tests/system/resolver/tests.sh b/bin/tests/system/resolver/tests.sh
index 14bf1d75..da11655f 100644
--- a/bin/tests/system/resolver/tests.sh
+++ b/bin/tests/system/resolver/tests.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: tests.sh,v 1.6.2.1 2004/03/09 06:10:09 marka Exp $
+# $Id: tests.sh,v 1.6.206.1 2004/03/06 10:22:22 marka Exp $
 
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
diff --git a/bin/tests/system/run.sh b/bin/tests/system/run.sh
index 7064d2ba..1edfeac8 100644
--- a/bin/tests/system/run.sh
+++ b/bin/tests/system/run.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: run.sh,v 1.38.2.1 2004/03/09 06:09:41 marka Exp $
+# $Id: run.sh,v 1.38.12.3 2004/03/08 04:04:33 marka Exp $
 
 #
 # Run a system test.
@@ -43,14 +43,14 @@ echo "A:System test $test" >&2
 
 if [ x$PERL = x ]
 then
-    echo "I:Perl not available.  Not trying system tests." >&2
+    echo "I:Perl not available.  Skipping test." >&2
     echo "R:UNTESTED" >&2
     echo "E:$test:`date`" >&2
     exit 0;
 fi
 
 $PERL testsock.pl || {
-    echo "I:Interfaces not set up.  Not trying system tests." >&2;
+    echo "I:Network interface aliases not set up.  Skipping test." >&2;
     echo "R:UNTESTED" >&2;
     echo "E:$test:`date`" >&2;
     exit 0;
diff --git a/bin/tests/system/runall.sh b/bin/tests/system/runall.sh
index 39ed78a4..ed613bb2 100644
--- a/bin/tests/system/runall.sh
+++ b/bin/tests/system/runall.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: runall.sh,v 1.4.2.1 2004/03/09 06:09:41 marka Exp $
+# $Id: runall.sh,v 1.4.12.3 2004/03/08 04:04:33 marka Exp $
 
 #
 # Run all the system tests.
@@ -31,4 +31,16 @@ do
 	sh run.sh $d || status=1
 done
 
+$PERL testsock.pl || {
+    cat <<EOF >&2
+I:
+I:NOTE: Many of the tests were skipped because they require that
+I:      the IP addresses 10.53.0.1 through 10.53.0.5 are configured 
+I:	as alias addresses on the loopback interface.  Please run
+I:	"bin/tests/system/ifconfig.sh up" as root to configure them
+I:	and rerun the tests.
+EOF
+    exit 0;
+}
+
 exit $status
diff --git a/bin/tests/system/send.pl b/bin/tests/system/send.pl
index 91322d24..89d3f658 100644
--- a/bin/tests/system/send.pl
+++ b/bin/tests/system/send.pl
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: send.pl,v 1.2.2.1 2004/03/09 06:09:41 marka Exp $
+# $Id: send.pl,v 1.2.206.1 2004/03/06 10:21:48 marka Exp $
 
 #
 # Send a file to a given address and port using TCP.  Used for
diff --git a/bin/tests/system/setup.sh b/bin/tests/system/setup.sh
index 71456dcb..38aabb56 100644
--- a/bin/tests/system/setup.sh
+++ b/bin/tests/system/setup.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: setup.sh,v 1.8.2.1 2004/03/09 06:09:42 marka Exp $
+# $Id: setup.sh,v 1.8.206.1 2004/03/06 10:21:48 marka Exp $
 
 #
 # Run a system test.
diff --git a/bin/tests/system/sortlist/clean.sh b/bin/tests/system/sortlist/clean.sh
index 7adcd7c6..782c6ef9 100644
--- a/bin/tests/system/sortlist/clean.sh
+++ b/bin/tests/system/sortlist/clean.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: clean.sh,v 1.3.2.1 2004/03/09 06:10:11 marka Exp $
+# $Id: clean.sh,v 1.3.206.1 2004/03/06 10:22:24 marka Exp $
 
 rm -f *.dig *.good
 
diff --git a/bin/tests/system/sortlist/ns1/example.db b/bin/tests/system/sortlist/ns1/example.db
index cbfeaa94..40a8fd65 100644
--- a/bin/tests/system/sortlist/ns1/example.db
+++ b/bin/tests/system/sortlist/ns1/example.db
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: example.db,v 1.3.2.1 2004/03/09 06:10:12 marka Exp $
+; $Id: example.db,v 1.3.206.1 2004/03/06 10:22:24 marka Exp $
 
 $TTL 300	; 5 minutes
 @			IN SOA	ns2.example. hostmaster.example. (
diff --git a/bin/tests/system/sortlist/ns1/named.conf b/bin/tests/system/sortlist/ns1/named.conf
index 93b973b6..57f1402a 100644
--- a/bin/tests/system/sortlist/ns1/named.conf
+++ b/bin/tests/system/sortlist/ns1/named.conf
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.5.2.2 2004/03/09 06:10:12 marka Exp $ */
+/* $Id: named.conf,v 1.5.12.4 2004/03/08 09:04:17 marka Exp $ */
 
 controls { /* empty */ };
 
@@ -36,7 +36,9 @@ options {
 		    !1.1.1.4; !1.1.1.2; !1.1.1.3; !1.1.1.1; // sort these last,
 		    192.168.3/24;			    // this first
 		    { 192.168.2/24; 192.168.1/24; }; }; };  // and these next
-	    { { 10.53.0.2; 10.53.0.3; }; };		   // Prefer self
+	    { { 10.53.0.2; 10.53.0.3; }; };		    // Prefer self
+	    10.53.0.4;					    // BIND 8 compat
+	    { 10.53.0.5; 10.53.0.5; };    		    // BIND 8 compat
 	};
 };
 
diff --git a/bin/tests/system/sortlist/ns1/root.db b/bin/tests/system/sortlist/ns1/root.db
index 9a2e630f..f1562f27 100644
--- a/bin/tests/system/sortlist/ns1/root.db
+++ b/bin/tests/system/sortlist/ns1/root.db
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: root.db,v 1.2.2.1 2004/03/09 06:10:12 marka Exp $
+; $Id: root.db,v 1.2.206.1 2004/03/06 10:22:25 marka Exp $
 
 $TTL 300
 . 			IN SOA	gson.nominum.com. a.root.servers.nil. (
diff --git a/bin/tests/system/sortlist/tests.sh b/bin/tests/system/sortlist/tests.sh
index f79b2882..c711fa75 100644
--- a/bin/tests/system/sortlist/tests.sh
+++ b/bin/tests/system/sortlist/tests.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: tests.sh,v 1.4.2.1 2004/03/09 06:10:11 marka Exp $
+# $Id: tests.sh,v 1.4.12.3 2004/03/08 04:04:44 marka Exp $
 
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
@@ -38,8 +38,8 @@ $DIG +tcp +noadd +nosea +nostat +noquest +noauth +nocomm +nocmd a.example. \
 # result RRs is significant.
 diff test1.dig test1.good || status=1
 
-echo "I:test 1-element sortlist statement"
-for n in 2 3
+echo "I:test 1-element sortlist statement and undocumented BIND 8 features"
+for n in 2 3 4 5
 do
 	cat <<EOF >test2.good
 b.example.		300	IN	A	10.53.0.$n
diff --git a/bin/tests/system/start.pl b/bin/tests/system/start.pl
index f2ddb29b..cf6bec05 100644
--- a/bin/tests/system/start.pl
+++ b/bin/tests/system/start.pl
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: start.pl,v 1.3.2.1 2004/03/09 06:09:42 marka Exp $
+# $Id: start.pl,v 1.3.206.2 2004/03/10 02:55:53 marka Exp $
 
 # Framework for starting test servers.
 # Based on the type of server specified, check for port availability, remove
@@ -129,7 +129,7 @@ sub start_server {
 		if ($options) {
 			$command .= "$options";
 		} else {
-			$command .= "-c named.conf -d 99 -g";
+			$command .= "-m record -c named.conf -d 99 -g";
 		}
 		$command .= " >named.run 2>&1 &";
 		$pid_file = "named.pid";
@@ -139,7 +139,7 @@ sub start_server {
 		if ($options) {
 			$command .= "$options";
 		} else {
-			$command .= "-C resolv.conf -d 99 -g -i lwresd.pid -P 9210 -p 5300";
+			$command .= "-m record -C resolv.conf -d 99 -g -i lwresd.pid -P 9210 -p 5300";
 		}
 		$command .= " >lwresd.run 2>&1 &";
 		$pid_file = "lwresd.pid";
diff --git a/bin/tests/system/start.sh b/bin/tests/system/start.sh
index f0ed12b4..49629cde 100644
--- a/bin/tests/system/start.sh
+++ b/bin/tests/system/start.sh
@@ -1,7 +1,7 @@
 #!/bin/sh
 #
-# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2000, 2001  Internet Software Consortium.
+# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: start.sh,v 1.38.2.3 2007/01/18 00:06:02 marka Exp $
+# $Id: start.sh,v 1.38.206.1 2004/03/06 10:21:48 marka Exp $
 
 . ./conf.sh
 $PERL start.pl "$@"
diff --git a/bin/tests/system/stop.pl b/bin/tests/system/stop.pl
index 9103a330..853a50cc 100644
--- a/bin/tests/system/stop.pl
+++ b/bin/tests/system/stop.pl
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: stop.pl,v 1.4.2.1 2004/03/09 06:09:42 marka Exp $
+# $Id: stop.pl,v 1.4.12.3 2004/03/08 04:04:33 marka Exp $
 
 # Framework for stopping test servers
 # Based on the type of server specified, signal the server to stop, wait
@@ -91,9 +91,9 @@ foreach my $server (@servers) {
 wait_for_servers(5, @servers);
 
 
-# Pass 3: SIGKILL
+# Pass 3: SIGABRT
 foreach my $server (@servers) {
-	stop_signal($server, "KILL");
+	stop_signal($server, "ABRT");
 }
 
 exit($errors ? 1 : 0);
@@ -157,7 +157,10 @@ sub stop_signal {
 	my $pid = read_pid($pid_file);
 	return unless defined($pid);
 
-	print "I:$server didn't die when sent a SIGTERM\n" if ($sig eq 'KILL');
+	if ($sig eq 'ABRT') {
+		print "I:$server didn't die when sent a SIGTERM\n";
+		$errors++;
+	}
 
 	my $result = kill $sig, $pid;
 	if (!$result) {
diff --git a/bin/tests/system/stop.sh b/bin/tests/system/stop.sh
index 0fd66049..d7ba07b3 100644
--- a/bin/tests/system/stop.sh
+++ b/bin/tests/system/stop.sh
@@ -1,7 +1,7 @@
 #!/bin/sh
 #
-# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2000, 2001  Internet Software Consortium.
+# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: stop.sh,v 1.21.2.3 2007/01/18 00:06:02 marka Exp $
+# $Id: stop.sh,v 1.21.206.1 2004/03/06 10:21:48 marka Exp $
 
 . ./conf.sh
 $PERL ./stop.pl "$@"
diff --git a/bin/tests/system/stress/clean.sh b/bin/tests/system/stress/clean.sh
index 7fa9cb86..4ba31cd2 100644
--- a/bin/tests/system/stress/clean.sh
+++ b/bin/tests/system/stress/clean.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: clean.sh,v 1.2.2.1 2004/03/09 06:10:12 marka Exp $
+# $Id: clean.sh,v 1.2.206.1 2004/03/06 10:22:25 marka Exp $
 
 rm -f reload.pid
 
diff --git a/bin/tests/system/stress/ns1/named.conf b/bin/tests/system/stress/ns1/named.conf
index e1ccccff..e6d8aedb 100644
--- a/bin/tests/system/stress/ns1/named.conf
+++ b/bin/tests/system/stress/ns1/named.conf
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.2.2.2 2004/03/09 06:10:13 marka Exp $ */
+/* $Id: named.conf,v 1.2.206.2 2004/03/06 10:22:26 marka Exp $ */
 
 controls { /* empty */ };
 
diff --git a/bin/tests/system/stress/ns1/root.db b/bin/tests/system/stress/ns1/root.db
deleted file mode 100644
index 883c1c6b..00000000
--- a/bin/tests/system/stress/ns1/root.db
+++ /dev/null
@@ -1,57 +0,0 @@
-; Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
-; Copyright (C) 2000, 2001  Internet Software Consortium.
-;
-; Permission to use, copy, modify, and distribute this software for any
-; purpose with or without fee is hereby granted, provided that the above
-; copyright notice and this permission notice appear in all copies.
-;
-; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-; PERFORMANCE OF THIS SOFTWARE.
-
-; $Id: root.db,v 1.2.2.1 2004/03/09 06:10:13 marka Exp $
-
- 300
-.                       IN SOA  gson.nominum.com. a.root.servers.nil. (
-								       2000042100      ; serial
-								       600             ; refresh
-								       600             ; retry
-								       1200            ; expire
-								       600             ; minimum
-                                )
-.                       NS      a.root-servers.nil.
-a.root-servers.nil.     A       10.53.0.1
-zone000000.example.		NS	ns2.zone000000.example.
-ns2.zone000000.example.	A	10.53.0.2
-zone000000.example.		NS	ns3.zone000000.example.
-ns3.zone000000.example.	A	10.53.0.3
-zone000000.example.		NS	ns4.zone000000.example.
-ns4.zone000000.example.	A	10.53.0.4
-zone000001.example.		NS	ns2.zone000001.example.
-ns2.zone000001.example.	A	10.53.0.2
-zone000001.example.		NS	ns3.zone000001.example.
-ns3.zone000001.example.	A	10.53.0.3
-zone000001.example.		NS	ns4.zone000001.example.
-ns4.zone000001.example.	A	10.53.0.4
-zone000002.example.		NS	ns2.zone000002.example.
-ns2.zone000002.example.	A	10.53.0.2
-zone000002.example.		NS	ns3.zone000002.example.
-ns3.zone000002.example.	A	10.53.0.3
-zone000002.example.		NS	ns4.zone000002.example.
-ns4.zone000002.example.	A	10.53.0.4
-zone000003.example.		NS	ns2.zone000003.example.
-ns2.zone000003.example.	A	10.53.0.2
-zone000003.example.		NS	ns3.zone000003.example.
-ns3.zone000003.example.	A	10.53.0.3
-zone000003.example.		NS	ns4.zone000003.example.
-ns4.zone000003.example.	A	10.53.0.4
-zone000004.example.		NS	ns2.zone000004.example.
-ns2.zone000004.example.	A	10.53.0.2
-zone000004.example.		NS	ns3.zone000004.example.
-ns3.zone000004.example.	A	10.53.0.3
-zone000004.example.		NS	ns4.zone000004.example.
-ns4.zone000004.example.	A	10.53.0.4
diff --git a/bin/tests/system/stress/ns2/named.conf b/bin/tests/system/stress/ns2/named.conf
index df096a0e..0cc8b6f6 100644
--- a/bin/tests/system/stress/ns2/named.conf
+++ b/bin/tests/system/stress/ns2/named.conf
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.3.2.2 2004/03/09 06:10:13 marka Exp $ */
+/* $Id: named.conf,v 1.3.206.2 2004/03/06 10:22:26 marka Exp $ */
 
 controls { /* empty */ };
 
diff --git a/bin/tests/system/stress/ns3/named.conf b/bin/tests/system/stress/ns3/named.conf
index 79666f8c..29246122 100644
--- a/bin/tests/system/stress/ns3/named.conf
+++ b/bin/tests/system/stress/ns3/named.conf
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.3.2.2 2004/03/09 06:10:13 marka Exp $ */
+/* $Id: named.conf,v 1.3.206.2 2004/03/06 10:22:27 marka Exp $ */
 
 controls { /* empty */ };
 
diff --git a/bin/tests/system/stress/ns4/named.conf b/bin/tests/system/stress/ns4/named.conf
index 3407befe..b3cfeccb 100644
--- a/bin/tests/system/stress/ns4/named.conf
+++ b/bin/tests/system/stress/ns4/named.conf
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.3.2.2 2004/03/09 06:10:14 marka Exp $ */
+/* $Id: named.conf,v 1.3.206.2 2004/03/06 10:22:27 marka Exp $ */
 
 controls { /* empty */ };
 
diff --git a/bin/tests/system/stress/setup.pl b/bin/tests/system/stress/setup.pl
index cef1c01f..6c16c06a 100644
--- a/bin/tests/system/stress/setup.pl
+++ b/bin/tests/system/stress/setup.pl
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: setup.pl,v 1.2.2.1 2004/03/09 06:10:12 marka Exp $
+# $Id: setup.pl,v 1.2.12.3 2004/03/08 09:04:17 marka Exp $
 
 #
 # Set up test data for zone transfer quota tests.
@@ -33,13 +33,13 @@ my $rootdelegations =
     new FileHandle("ns1/root.db", "w") or die;
 
 print $rootdelegations <<END;
-$TTL 300
+\$TTL 300
 .                       IN SOA  gson.nominum.com. a.root.servers.nil. (
-								       2000042100      ; serial
-								       600             ; refresh
-								       600             ; retry
-								       1200            ; expire
-								       600             ; minimum
+					       2000042100      ; serial
+					       600             ; refresh
+					       600             ; retry
+					       1200            ; expire
+					       600             ; minimum
                                 )
 .                       NS      a.root-servers.nil.
 a.root-servers.nil.     A       10.53.0.1
diff --git a/bin/tests/system/stress/setup.sh b/bin/tests/system/stress/setup.sh
index b1da63ed..1867477a 100644
--- a/bin/tests/system/stress/setup.sh
+++ b/bin/tests/system/stress/setup.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: setup.sh,v 1.2.2.1 2004/03/09 06:10:12 marka Exp $
+# $Id: setup.sh,v 1.2.206.1 2004/03/06 10:22:25 marka Exp $
 
 #
 # Set up test data for zone transfer quota tests.
diff --git a/bin/tests/system/stress/tests.sh b/bin/tests/system/stress/tests.sh
index 274e0bbb..494dbd9d 100644
--- a/bin/tests/system/stress/tests.sh
+++ b/bin/tests/system/stress/tests.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: tests.sh,v 1.2.2.1 2004/03/09 06:10:12 marka Exp $
+# $Id: tests.sh,v 1.2.206.1 2004/03/06 10:22:25 marka Exp $
 
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
diff --git a/bin/tests/system/stress/update.pl b/bin/tests/system/stress/update.pl
index 8cf4df74..e0507f96 100644
--- a/bin/tests/system/stress/update.pl
+++ b/bin/tests/system/stress/update.pl
@@ -37,7 +37,7 @@
 #
 #    perl -MCPAN -e "install Net::DNS"
 #
-# $Id: update.pl,v 1.2.2.1 2004/03/09 06:10:12 marka Exp $
+# $Id: update.pl,v 1.2.206.1 2004/03/06 10:22:26 marka Exp $
 #
 
 use Getopt::Std;
diff --git a/bin/tests/system/stub/clean.sh b/bin/tests/system/stub/clean.sh
index 6173c969..299c871f 100644
--- a/bin/tests/system/stub/clean.sh
+++ b/bin/tests/system/stub/clean.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: clean.sh,v 1.6.2.1 2004/03/09 06:10:14 marka Exp $
+# $Id: clean.sh,v 1.6.206.1 2004/03/06 10:22:28 marka Exp $
 
 #
 # Clean up after stub tests.
diff --git a/bin/tests/system/stub/ns1/named.conf b/bin/tests/system/stub/ns1/named.conf
index 26ef4150..04609dda 100644
--- a/bin/tests/system/stub/ns1/named.conf
+++ b/bin/tests/system/stub/ns1/named.conf
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.10.2.2 2004/03/09 06:10:15 marka Exp $ */
+/* $Id: named.conf,v 1.10.206.2 2004/03/06 10:22:30 marka Exp $ */
 
 controls { /* empty */ };
 
diff --git a/bin/tests/system/stub/ns1/root.db b/bin/tests/system/stub/ns1/root.db
index 4a4220b7..96104962 100644
--- a/bin/tests/system/stub/ns1/root.db
+++ b/bin/tests/system/stub/ns1/root.db
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: root.db,v 1.6.2.1 2004/03/09 06:10:15 marka Exp $
+; $Id: root.db,v 1.6.206.1 2004/03/06 10:22:30 marka Exp $
 
 $TTL 300
 . 			IN SOA	gson.nominum.com. a.root.servers.nil. (
diff --git a/bin/tests/system/stub/ns2/child.example.db b/bin/tests/system/stub/ns2/child.example.db
index c948ced0..0c98d8bd 100644
--- a/bin/tests/system/stub/ns2/child.example.db
+++ b/bin/tests/system/stub/ns2/child.example.db
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: child.example.db,v 1.6.2.1 2004/03/09 06:10:17 marka Exp $
+; $Id: child.example.db,v 1.6.206.1 2004/03/06 10:22:31 marka Exp $
 
 $TTL 300	; 5 minutes
 child.example.		IN SOA	ns2.child.example. hostmaster.child.example. (
diff --git a/bin/tests/system/stub/ns2/named.conf b/bin/tests/system/stub/ns2/named.conf
index fafbb330..10c459e9 100644
--- a/bin/tests/system/stub/ns2/named.conf
+++ b/bin/tests/system/stub/ns2/named.conf
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.10.2.2 2004/03/09 06:10:17 marka Exp $ */
+/* $Id: named.conf,v 1.10.206.2 2004/03/06 10:22:31 marka Exp $ */
 
 controls { /* empty */ };
 
diff --git a/bin/tests/system/stub/ns3/example.db b/bin/tests/system/stub/ns3/example.db
index 3f36c5fe..0a7f7707 100644
--- a/bin/tests/system/stub/ns3/example.db
+++ b/bin/tests/system/stub/ns3/example.db
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: example.db,v 1.6.2.1 2004/03/09 06:10:17 marka Exp $
+; $Id: example.db,v 1.6.206.1 2004/03/06 10:22:32 marka Exp $
 
 $ORIGIN .
 $TTL 300	; 5 minutes
diff --git a/bin/tests/system/stub/ns3/named.conf b/bin/tests/system/stub/ns3/named.conf
index b0895d4a..3a9cfa49 100644
--- a/bin/tests/system/stub/ns3/named.conf
+++ b/bin/tests/system/stub/ns3/named.conf
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.11.2.2 2004/03/09 06:10:17 marka Exp $ */
+/* $Id: named.conf,v 1.11.206.2 2004/03/06 10:22:32 marka Exp $ */
 
 controls { /* empty */ };
 
diff --git a/bin/tests/system/stub/tests.sh b/bin/tests/system/stub/tests.sh
index 75ee7be4..722aba25 100644
--- a/bin/tests/system/stub/tests.sh
+++ b/bin/tests/system/stub/tests.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: tests.sh,v 1.11.2.1 2004/03/09 06:10:14 marka Exp $
+# $Id: tests.sh,v 1.11.206.1 2004/03/06 10:22:30 marka Exp $
 
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
diff --git a/bin/tests/system/testsock.pl b/bin/tests/system/testsock.pl
index 6973fd34..dc579e48 100644
--- a/bin/tests/system/testsock.pl
+++ b/bin/tests/system/testsock.pl
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: testsock.pl,v 1.13.2.1 2004/03/09 06:09:43 marka Exp $
+# $Id: testsock.pl,v 1.13.206.1 2004/03/06 10:21:48 marka Exp $
 
 # Test whether the interfaces on 10.53.0.* are up.
 
diff --git a/bin/tests/system/tkey/Makefile.in b/bin/tests/system/tkey/Makefile.in
index bfd5cd8a..1821667d 100644
--- a/bin/tests/system/tkey/Makefile.in
+++ b/bin/tests/system/tkey/Makefile.in
@@ -1,5 +1,5 @@
 # Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001  Internet Software Consortium.
+# Copyright (C) 2001, 2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.3.2.3 2004/07/20 07:00:16 marka Exp $
+# $Id: Makefile.in,v 1.3.12.6 2004/03/08 09:04:17 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -21,14 +21,14 @@ top_srcdir =	@top_srcdir@
 
 @BIND9_VERSION@
 
-@BIND9_INCLUDES@
+@BIND9_MAKE_INCLUDES@
 
 CINCLUDES =	${DNS_INCLUDES} ${ISC_INCLUDES}
 
 CDEFINES =
 CWARNINGS =
 
-DNSLIBS =	../../../../lib/dns/libdns.@A@ @DNS_OPENSSL_LIBS@ @DNS_GSSAPI_LIBS@
+DNSLIBS =	../../../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
 ISCLIBS =	../../../../lib/isc/libisc.@A@
 
 DNSDEPLIBS =	../../../../lib/dns/libdns.@A@
@@ -38,7 +38,7 @@ DEPLIBS =	${DNSDEPLIBS} ${ISCDEPLIBS}
 
 LIBS =		${DNSLIBS} ${ISCLIBS} @LIBS@
 
-TARGETS =	keycreate keydelete
+TARGETS =	keycreate@EXEEXT@ keydelete@EXEEXT@
 
 CREATEOBJS =	keycreate.@O@
 DELETEOBJS =	keydelete.@O@
@@ -47,13 +47,13 @@ SRCS =		keycreate.c keydelete.c
 
 @BIND9_MAKE_RULES@
 
-all: keycreate keydelete
+all: keycreate@EXEEXT@ keydelete@EXEEXT@
 
-keycreate: ${CREATEOBJS} ${DEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ ${CREATEOBJS} ${LIBS}
+keycreate@EXEEXT@: ${CREATEOBJS} ${DEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} -o $@ ${CREATEOBJS} ${LIBS}
 
-keydelete: ${DELETEOBJS} ${DEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ ${DELETEOBJS} ${LIBS}
+keydelete@EXEEXT@: ${DELETEOBJS} ${DEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} -o $@ ${DELETEOBJS} ${LIBS}
 
 clean distclean::
 	rm -f ${TARGETS}
diff --git a/bin/tests/system/tkey/clean.sh b/bin/tests/system/tkey/clean.sh
index 25cb0642..c93bb10e 100644
--- a/bin/tests/system/tkey/clean.sh
+++ b/bin/tests/system/tkey/clean.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: clean.sh,v 1.2.2.1 2004/03/09 06:10:18 marka Exp $
+# $Id: clean.sh,v 1.2.206.1 2004/03/06 10:22:33 marka Exp $
 
 rm -f dig.out.* random.data ns1/named.conf
 rm -f K* ns1/K*
diff --git a/bin/tests/system/tkey/keycreate.c b/bin/tests/system/tkey/keycreate.c
index 78f15109..04f6437b 100644
--- a/bin/tests/system/tkey/keycreate.c
+++ b/bin/tests/system/tkey/keycreate.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: keycreate.c,v 1.7.2.4 2006/01/04 23:50:17 marka Exp $ */
+/* $Id: keycreate.c,v 1.7.12.4 2004/03/08 09:04:17 marka Exp $ */
 
 #include <config.h>
 
@@ -66,6 +66,7 @@ static dns_tsig_keyring_t *ring;
 static unsigned char noncedata[16];
 static isc_buffer_t nonce;
 static dns_requestmgr_t *requestmgr;
+static const char *ownername_str = ".";
 
 static void
 recvquery(isc_task_t *task, isc_event_t *event) {
@@ -133,6 +134,7 @@ sendquery(isc_task_t *task, isc_event_t *event) {
 	isc_region_t r;
 	isc_result_t result;
 	dns_fixedname_t keyname;
+	dns_fixedname_t ownername;	
 	isc_buffer_t namestr, keybuf;
 	unsigned char keydata[9];
 	dns_message_t *query;
@@ -141,9 +143,7 @@ sendquery(isc_task_t *task, isc_event_t *event) {
 
 	isc_event_free(&event);
 
-	result = ISC_R_FAILURE;
-	if (inet_pton(AF_INET, "10.53.0.1", &inaddr) != 1)
-		CHECK("inet_pton", result);
+	inet_pton(AF_INET, "10.53.0.1", &inaddr);
 	isc_sockaddr_fromin(&address, &inaddr, PORT);
 
 	dns_fixedname_init(&keyname);
@@ -153,6 +153,13 @@ sendquery(isc_task_t *task, isc_event_t *event) {
 				   NULL, ISC_FALSE, NULL);
 	CHECK("dns_name_fromtext", result);
 
+	dns_fixedname_init(&ownername);
+	isc_buffer_init(&namestr, ownername_str, strlen(ownername_str));
+	isc_buffer_add(&namestr, strlen(ownername_str));
+	result = dns_name_fromtext(dns_fixedname_name(&ownername), &namestr,
+				   NULL, ISC_FALSE, NULL);
+	CHECK("dns_name_fromtext", result);
+
 	isc_buffer_init(&keybuf, keydata, 9);
 	result = isc_base64_decodestring(keystr, &keybuf);
 	CHECK("isc_base64_decodestring", result);
@@ -172,7 +179,8 @@ sendquery(isc_task_t *task, isc_event_t *event) {
 	result = dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER, &query);
 	CHECK("dns_message_create", result);
 
-	result = dns_tkey_builddhquery(query, ourkey, dns_rootname,
+	result = dns_tkey_builddhquery(query, ourkey,
+				       dns_fixedname_name(&ownername),
 				       DNS_TSIG_HMACMD5_NAME, &nonce, 3600);
 	CHECK("dns_tkey_builddhquery", result);
 
@@ -210,6 +218,9 @@ main(int argc, char *argv[]) {
 	}
 	ourkeyname = argv[1];
 
+	if (argc >= 3)
+		ownername_str = argv[2];
+
 	dns_result_register();
 
 	mctx = NULL;
diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c
index 76ace52e..90f92166 100644
--- a/bin/tests/system/tkey/keydelete.c
+++ b/bin/tests/system/tkey/keydelete.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: keydelete.c,v 1.4.2.4 2006/01/04 23:50:17 marka Exp $ */
+/* $Id: keydelete.c,v 1.4.206.2 2004/03/08 02:07:49 marka Exp $ */
 
 #include <config.h>
 
@@ -118,9 +118,7 @@ sendquery(isc_task_t *task, isc_event_t *event) {
 
 	isc_event_free(&event);
 
-	result = ISC_R_FAILURE;
-	if (inet_pton(AF_INET, "10.53.0.1", &inaddr) != 1)
-		CHECK("inet_pton", result);
+	inet_pton(AF_INET, "10.53.0.1", &inaddr);
 	isc_sockaddr_fromin(&address, &inaddr, PORT);
 
 	query = NULL;
diff --git a/bin/tests/system/tkey/ns1/named.conf.in b/bin/tests/system/tkey/ns1/named.conf.in
index dab53842..ce555d03 100644
--- a/bin/tests/system/tkey/ns1/named.conf.in
+++ b/bin/tests/system/tkey/ns1/named.conf.in
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf.in,v 1.2.2.2 2004/03/09 06:10:18 marka Exp $ */
+/* $Id: named.conf.in,v 1.2.206.2 2004/03/06 10:22:35 marka Exp $ */
 
 controls { /* empty */ };
 
diff --git a/bin/tests/system/tkey/ns1/setup.sh b/bin/tests/system/tkey/ns1/setup.sh
index d2f54a4b..ad1d0f14 100644
--- a/bin/tests/system/tkey/ns1/setup.sh
+++ b/bin/tests/system/tkey/ns1/setup.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: setup.sh,v 1.2.2.3 2004/03/09 06:10:18 marka Exp $
+# $Id: setup.sh,v 1.2.2.2.10.1 2004/03/06 10:22:35 marka Exp $
 
 RANDFILE=../random.data
 
diff --git a/bin/tests/system/tkey/prereq.sh b/bin/tests/system/tkey/prereq.sh
index 35e7dcd2..75d251d1 100644
--- a/bin/tests/system/tkey/prereq.sh
+++ b/bin/tests/system/tkey/prereq.sh
@@ -15,11 +15,9 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: prereq.sh,v 1.4.2.2 2004/12/08 06:12:03 marka Exp $
+# $Id: prereq.sh,v 1.4.206.1 2004/03/06 10:22:34 marka Exp $
 
-../../genrandom 400 random.data
-
-if $KEYGEN -a RSA -b 512 -n zone -r random.data foo > /dev/null 2>&1
+if $KEYGEN -a RSA -b 512 -n zone -r $KEYGEN foo > /dev/null 2>&1
 then
     rm -f foo*
 else
diff --git a/bin/tests/system/tkey/setup.sh b/bin/tests/system/tkey/setup.sh
index 8fdb9239..59ed5885 100644
--- a/bin/tests/system/tkey/setup.sh
+++ b/bin/tests/system/tkey/setup.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: setup.sh,v 1.2.2.1 2004/03/09 06:10:18 marka Exp $
+# $Id: setup.sh,v 1.2.206.1 2004/03/06 10:22:34 marka Exp $
 
 RANDFILE=random.data
 
diff --git a/bin/tests/system/tkey/tests.sh b/bin/tests/system/tkey/tests.sh
index 84c813a6..063f33fd 100644
--- a/bin/tests/system/tkey/tests.sh
+++ b/bin/tests/system/tkey/tests.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: tests.sh,v 1.2.2.1 2004/03/09 06:10:18 marka Exp $
+# $Id: tests.sh,v 1.2.12.3 2004/03/08 09:04:17 marka Exp $
 
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
@@ -36,45 +36,48 @@ if [ $ret != 0 ]; then
 fi
 status=`expr $status + $ret`
 
-echo "I:creating new key"
-ret=0
-keyname=`./keycreate $dhkeyname` || ret=1
-if [ $ret != 0 ]; then
-	echo "I:failed"
-	echo "I:exit status: $status"
-	exit $status
-fi
-status=`expr $status + $ret`
+for owner in . foo.example.
+do
+	echo "I:creating new key using owner name \"$owner\""
+	ret=0
+	keyname=`./keycreate $dhkeyname $owner` || ret=1
+	if [ $ret != 0 ]; then
+		echo "I:failed"
+		echo "I:exit status: $status"
+		exit $status
+	fi
+	status=`expr $status + $ret`
 
-echo "I:checking the new key"
-ret=0
-$DIG $DIGOPTS . ns -k $keyname > dig.out.1 || ret=1
-grep "status: NOERROR" dig.out.1 > /dev/null || ret=1
-grep "TSIG.*hmac-md5.*NOERROR" dig.out.1 > /dev/null || ret=1
-grep "Some TSIG could not be validated" dig.out.1 > /dev/null && ret=1
-if [ $ret != 0 ]; then
-	echo "I:failed"
-fi
-status=`expr $status + $ret`
+	echo "I:checking the new key"
+	ret=0
+	$DIG $DIGOPTS . ns -k $keyname > dig.out.1 || ret=1
+	grep "status: NOERROR" dig.out.1 > /dev/null || ret=1
+	grep "TSIG.*hmac-md5.*NOERROR" dig.out.1 > /dev/null || ret=1
+	grep "Some TSIG could not be validated" dig.out.1 > /dev/null && ret=1
+	if [ $ret != 0 ]; then
+		echo "I:failed"
+	fi
+	status=`expr $status + $ret`
 
-echo "I:deleting new key"
-ret=0
-./keydelete $keyname || ret=1
-if [ $ret != 0 ]; then
-	echo "I:failed"
-fi
-status=`expr $status + $ret`
+	echo "I:deleting new key"
+	ret=0
+	./keydelete $keyname || ret=1
+	if [ $ret != 0 ]; then
+		echo "I:failed"
+	fi
+	status=`expr $status + $ret`
 
-echo "I:checking that new key has been deleted"
-ret=0
-$DIG $DIGOPTS . ns -k $keyname > dig.out.2 || ret=1
-grep "status: NOERROR" dig.out.2 > /dev/null && ret=1
-grep "TSIG.*hmac-md5.*NOERROR" dig.out.2 > /dev/null && ret=1
-grep "Some TSIG could not be validated" dig.out.2 > /dev/null || ret=1
-if [ $ret != 0 ]; then
-	echo "I:failed"
-fi
-status=`expr $status + $ret`
+	echo "I:checking that new key has been deleted"
+	ret=0
+	$DIG $DIGOPTS . ns -k $keyname > dig.out.2 || ret=1
+	grep "status: NOERROR" dig.out.2 > /dev/null && ret=1
+	grep "TSIG.*hmac-md5.*NOERROR" dig.out.2 > /dev/null && ret=1
+	grep "Some TSIG could not be validated" dig.out.2 > /dev/null || ret=1
+	if [ $ret != 0 ]; then
+		echo "I:failed"
+	fi
+	status=`expr $status + $ret`
+done
 
 echo "I:exit status: $status"
 exit $status
diff --git a/bin/tests/system/unknown/clean.sh b/bin/tests/system/unknown/clean.sh
index bfd6e00e..8a948205 100644
--- a/bin/tests/system/unknown/clean.sh
+++ b/bin/tests/system/unknown/clean.sh
@@ -15,6 +15,6 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: clean.sh,v 1.3.2.1 2004/03/09 06:10:19 marka Exp $
+# $Id: clean.sh,v 1.3.206.1 2004/03/06 10:22:35 marka Exp $
 
 rm -f dig.out
diff --git a/bin/tests/system/unknown/ns1/broken1.db b/bin/tests/system/unknown/ns1/broken1.db
index 7e3592ca..a0d704d8 100644
--- a/bin/tests/system/unknown/ns1/broken1.db
+++ b/bin/tests/system/unknown/ns1/broken1.db
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: broken1.db,v 1.2.2.1 2004/03/09 06:10:19 marka Exp $
+; $Id: broken1.db,v 1.2.206.1 2004/03/06 10:22:36 marka Exp $
 
 $TTL 300	; 5 minutes
 @			SOA	mname1. . (
diff --git a/bin/tests/system/unknown/ns1/broken2.db b/bin/tests/system/unknown/ns1/broken2.db
index 7cbb0966..220fad2b 100644
--- a/bin/tests/system/unknown/ns1/broken2.db
+++ b/bin/tests/system/unknown/ns1/broken2.db
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: broken2.db,v 1.2.2.1 2004/03/09 06:10:19 marka Exp $
+; $Id: broken2.db,v 1.2.206.1 2004/03/06 10:22:36 marka Exp $
 
 $TTL 300	; 5 minutes
 @			SOA	mname1. . (
diff --git a/bin/tests/system/unknown/ns1/broken3.db b/bin/tests/system/unknown/ns1/broken3.db
index 835de5b2..92d47198 100644
--- a/bin/tests/system/unknown/ns1/broken3.db
+++ b/bin/tests/system/unknown/ns1/broken3.db
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: broken3.db,v 1.2.2.1 2004/03/09 06:10:20 marka Exp $
+; $Id: broken3.db,v 1.2.206.1 2004/03/06 10:22:37 marka Exp $
 
 $TTL 300	; 5 minutes
 @			SOA	mname1. . (
diff --git a/bin/tests/system/unknown/ns1/broken4.db b/bin/tests/system/unknown/ns1/broken4.db
index 4a3d349f..e065bbc5 100644
--- a/bin/tests/system/unknown/ns1/broken4.db
+++ b/bin/tests/system/unknown/ns1/broken4.db
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: broken4.db,v 1.3.2.1 2004/03/09 06:10:20 marka Exp $
+; $Id: broken4.db,v 1.3.206.1 2004/03/06 10:22:37 marka Exp $
 
 $TTL 300	; 5 minutes
 @			SOA	mname1. . (
diff --git a/bin/tests/system/unknown/ns1/broken5.db b/bin/tests/system/unknown/ns1/broken5.db
index e6bb8d1d..bebbd7fa 100644
--- a/bin/tests/system/unknown/ns1/broken5.db
+++ b/bin/tests/system/unknown/ns1/broken5.db
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: broken5.db,v 1.2.2.1 2004/03/09 06:10:20 marka Exp $
+; $Id: broken5.db,v 1.2.206.1 2004/03/06 10:22:37 marka Exp $
 
 $TTL 300	; 5 minutes
 @			SOA	mname1. . (
diff --git a/bin/tests/system/unknown/ns1/class10.hints b/bin/tests/system/unknown/ns1/class10.hints
index 45d79680..deb1b39c 100644
--- a/bin/tests/system/unknown/ns1/class10.hints
+++ b/bin/tests/system/unknown/ns1/class10.hints
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: class10.hints,v 1.2.2.1 2004/03/09 06:10:20 marka Exp $
+; $Id: class10.hints,v 1.2.206.1 2004/03/06 10:22:37 marka Exp $
 
 $TTL 3600
 .	NS	ns.
diff --git a/bin/tests/system/unknown/ns1/example-class10.db b/bin/tests/system/unknown/ns1/example-class10.db
index d686ffa4..7b142d5f 100644
--- a/bin/tests/system/unknown/ns1/example-class10.db
+++ b/bin/tests/system/unknown/ns1/example-class10.db
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: example-class10.db,v 1.2.2.1 2004/03/09 06:10:20 marka Exp $
+; $Id: example-class10.db,v 1.2.206.1 2004/03/06 10:22:38 marka Exp $
 
 $TTL 300	; 5 minutes
 @			SOA	mname1. . (
diff --git a/bin/tests/system/unknown/ns1/example-in.db b/bin/tests/system/unknown/ns1/example-in.db
index 8dd58096..13faeaa4 100644
--- a/bin/tests/system/unknown/ns1/example-in.db
+++ b/bin/tests/system/unknown/ns1/example-in.db
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: example-in.db,v 1.4.2.1 2004/03/09 06:10:20 marka Exp $
+; $Id: example-in.db,v 1.4.206.1 2004/03/06 10:22:38 marka Exp $
 
 $TTL 300	; 5 minutes
 @			SOA	mname1. . (
diff --git a/bin/tests/system/unknown/ns1/named.conf b/bin/tests/system/unknown/ns1/named.conf
index 0daf9b55..a3801fd1 100644
--- a/bin/tests/system/unknown/ns1/named.conf
+++ b/bin/tests/system/unknown/ns1/named.conf
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.7.2.2 2004/03/09 06:10:20 marka Exp $ */
+/* $Id: named.conf,v 1.7.206.2 2004/03/06 10:22:38 marka Exp $ */
 
 controls { /* empty */ };
 
diff --git a/bin/tests/system/unknown/tests.sh b/bin/tests/system/unknown/tests.sh
index ba0195e3..1c799c54 100644
--- a/bin/tests/system/unknown/tests.sh
+++ b/bin/tests/system/unknown/tests.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: tests.sh,v 1.7.2.1 2004/03/09 06:10:19 marka Exp $
+# $Id: tests.sh,v 1.7.206.1 2004/03/06 10:22:36 marka Exp $
 
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
diff --git a/bin/tests/system/upforwd/clean.sh b/bin/tests/system/upforwd/clean.sh
index 7530d42a..e795faaf 100644
--- a/bin/tests/system/upforwd/clean.sh
+++ b/bin/tests/system/upforwd/clean.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: clean.sh,v 1.5.2.1 2004/03/09 06:10:20 marka Exp $
+# $Id: clean.sh,v 1.5.206.1 2004/03/06 10:22:38 marka Exp $
 
 #
 # Clean up after zone transfer tests.
diff --git a/bin/tests/system/upforwd/ns1/example1.db b/bin/tests/system/upforwd/ns1/example1.db
index 7ad891bc..cf9f4a96 100644
--- a/bin/tests/system/upforwd/ns1/example1.db
+++ b/bin/tests/system/upforwd/ns1/example1.db
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: example1.db,v 1.1.2.1 2004/03/09 06:10:21 marka Exp $
+; $Id: example1.db,v 1.1.206.1 2004/03/06 10:22:39 marka Exp $
 
 @	3600	SOA	n1.example. hostmaster.ns1.example. (
 			1 3600 1200 604800 7200 )
diff --git a/bin/tests/system/upforwd/ns1/named.conf b/bin/tests/system/upforwd/ns1/named.conf
index 812a1148..066461f8 100644
--- a/bin/tests/system/upforwd/ns1/named.conf
+++ b/bin/tests/system/upforwd/ns1/named.conf
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.6.2.2 2004/03/09 06:10:21 marka Exp $ */
+/* $Id: named.conf,v 1.6.206.2 2004/03/06 10:22:39 marka Exp $ */
 
 key "update.example." {
 	algorithm "hmac-md5";
diff --git a/bin/tests/system/upforwd/ns2/named.conf b/bin/tests/system/upforwd/ns2/named.conf
index 3865fa8a..fccff4ff 100644
--- a/bin/tests/system/upforwd/ns2/named.conf
+++ b/bin/tests/system/upforwd/ns2/named.conf
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.5.2.2 2004/03/09 06:10:21 marka Exp $ */
+/* $Id: named.conf,v 1.5.206.2 2004/03/06 10:22:40 marka Exp $ */
 
 controls { /* empty */ };
 
diff --git a/bin/tests/system/upforwd/ns3/named.conf b/bin/tests/system/upforwd/ns3/named.conf
index 6bbd9b7a..6d47e285 100644
--- a/bin/tests/system/upforwd/ns3/named.conf
+++ b/bin/tests/system/upforwd/ns3/named.conf
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.5.2.2 2004/03/09 06:10:22 marka Exp $ */
+/* $Id: named.conf,v 1.5.206.2 2004/03/06 10:22:40 marka Exp $ */
 
 controls { /* empty */ };
 
diff --git a/bin/tests/system/upforwd/setup.sh b/bin/tests/system/upforwd/setup.sh
index 76f9b369..fb61218d 100644
--- a/bin/tests/system/upforwd/setup.sh
+++ b/bin/tests/system/upforwd/setup.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: setup.sh,v 1.4.2.2 2004/03/10 01:05:05 marka Exp $
+# $Id: setup.sh,v 1.4.206.2 2004/03/10 01:05:55 marka Exp $
 
 cp -f ns1/example1.db ns1/example.db
 rm -f ns1/example.db.jnl ns2/example.bk ns2/example.bk.jnl
diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh
index 99793321..abab1855 100644
--- a/bin/tests/system/upforwd/tests.sh
+++ b/bin/tests/system/upforwd/tests.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: tests.sh,v 1.7.2.1 2004/03/09 06:10:21 marka Exp $ 
+# $Id: tests.sh,v 1.7.206.1 2004/03/06 10:22:39 marka Exp $ 
 
 # ns1 = stealth master
 # ns2 = slave with update forwarding disabled; not currently used
diff --git a/bin/tests/system/v6synth/clean.sh b/bin/tests/system/v6synth/clean.sh
index 0ca82caa..aac47206 100644
--- a/bin/tests/system/v6synth/clean.sh
+++ b/bin/tests/system/v6synth/clean.sh
@@ -15,6 +15,6 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: clean.sh,v 1.1.2.1 2004/03/09 06:10:22 marka Exp $
+# $Id: clean.sh,v 1.1.206.1 2004/03/06 10:22:40 marka Exp $
 
 rm -f *.out
diff --git a/bin/tests/system/v6synth/ns1/named.conf b/bin/tests/system/v6synth/ns1/named.conf
index d212207f..6f648518 100644
--- a/bin/tests/system/v6synth/ns1/named.conf
+++ b/bin/tests/system/v6synth/ns1/named.conf
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.1.2.2 2004/03/09 06:10:22 marka Exp $ */
+/* $Id: named.conf,v 1.1.206.2 2004/03/06 10:22:41 marka Exp $ */
 
 controls { /* empty */ };
 
diff --git a/bin/tests/system/v6synth/ns1/root.db b/bin/tests/system/v6synth/ns1/root.db
index 0e3e3e7e..a1a6d78d 100644
--- a/bin/tests/system/v6synth/ns1/root.db
+++ b/bin/tests/system/v6synth/ns1/root.db
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: root.db,v 1.1.2.1 2004/03/09 06:10:23 marka Exp $
+; $Id: root.db,v 1.1.206.1 2004/03/06 10:22:41 marka Exp $
 
 $TTL 300
 . 			IN SOA	gson.nominum.com. a.root.servers.nil. (
diff --git a/bin/tests/system/v6synth/ns2/example.db b/bin/tests/system/v6synth/ns2/example.db
index 3f7c5a6a..60a0fad9 100644
--- a/bin/tests/system/v6synth/ns2/example.db
+++ b/bin/tests/system/v6synth/ns2/example.db
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: example.db,v 1.1.2.1 2004/03/09 06:10:23 marka Exp $
+; $Id: example.db,v 1.1.206.1 2004/03/06 10:22:42 marka Exp $
 
 $TTL 86400
 @                       IN SOA  ns2 hostmaster (
diff --git a/bin/tests/system/v6synth/ns2/ip6.arpa.db b/bin/tests/system/v6synth/ns2/ip6.arpa.db
index 369f24a5..663d3b83 100644
--- a/bin/tests/system/v6synth/ns2/ip6.arpa.db
+++ b/bin/tests/system/v6synth/ns2/ip6.arpa.db
@@ -1,5 +1,5 @@
 ; Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
-; Copyright (C) 2001  Internet Software Consortium.
+; Copyright (C) 2001, 2002  Internet Software Consortium.
 ;
 ; Permission to use, copy, modify, and distribute this software for any
 ; purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: ip6.arpa.db,v 1.1.2.2 2004/03/09 06:10:23 marka Exp $
+; $Id: ip6.arpa.db,v 1.1.22.3 2004/03/08 09:04:18 marka Exp $
 
 $TTL 86400
 @                       IN SOA  ns2 hostmaster (
@@ -21,4 +21,4 @@ $TTL 86400
                         NS      ns2.example.
 ns2.example.		A	10.53.0.2
 
-f.f.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.6.5.4.3.2.1 PTR foo.
+f.f.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.6.5.4.3.2.1	PTR foo.
diff --git a/bin/tests/system/v6synth/ns2/ip6.int.db b/bin/tests/system/v6synth/ns2/ip6.int.db
index 27f61681..4ab9ce34 100644
--- a/bin/tests/system/v6synth/ns2/ip6.int.db
+++ b/bin/tests/system/v6synth/ns2/ip6.int.db
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: ip6.int.db,v 1.1.2.1 2004/03/09 06:10:23 marka Exp $
+; $Id: ip6.int.db,v 1.1.206.1 2004/03/06 10:22:42 marka Exp $
 
 $TTL 86400
 @                       IN SOA  ns2 hostmaster (
diff --git a/bin/tests/system/v6synth/ns2/named.conf b/bin/tests/system/v6synth/ns2/named.conf
index 3f299c39..9e3703cd 100644
--- a/bin/tests/system/v6synth/ns2/named.conf
+++ b/bin/tests/system/v6synth/ns2/named.conf
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.1.2.2 2004/03/09 06:10:23 marka Exp $ */
+/* $Id: named.conf,v 1.1.206.2 2004/03/06 10:22:42 marka Exp $ */
 
 controls { /* empty */ };
 
diff --git a/bin/tests/system/v6synth/ns3/named.conf b/bin/tests/system/v6synth/ns3/named.conf
index 1cd47394..e7450053 100644
--- a/bin/tests/system/v6synth/ns3/named.conf
+++ b/bin/tests/system/v6synth/ns3/named.conf
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.1.2.2 2004/03/09 06:10:23 marka Exp $ */
+/* $Id: named.conf,v 1.1.206.2 2004/03/06 10:22:43 marka Exp $ */
 
 controls { /* empty */ };
 
diff --git a/bin/tests/system/v6synth/tests.sh b/bin/tests/system/v6synth/tests.sh
index f728af43..61275863 100644
--- a/bin/tests/system/v6synth/tests.sh
+++ b/bin/tests/system/v6synth/tests.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: tests.sh,v 1.1.2.1 2004/03/09 06:10:22 marka Exp $
+# $Id: tests.sh,v 1.1.206.1 2004/03/06 10:22:41 marka Exp $
 
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
diff --git a/bin/tests/system/views/clean.sh b/bin/tests/system/views/clean.sh
index 650e8eea..2de375c9 100644
--- a/bin/tests/system/views/clean.sh
+++ b/bin/tests/system/views/clean.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000, 2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: clean.sh,v 1.7.2.4 2005/09/13 00:34:27 marka Exp $
+# $Id: clean.sh,v 1.7.206.2 2004/03/10 01:05:55 marka Exp $
 
 #
 # Clean up after zone transfer tests.
 #
 
-rm -f ns3/example.bk dig.out.ns?.?
+rm -f ns3/example.bk dig.out.ns2 dig.out.ns3
 rm -f ns2/named.conf ns2/example.db ns3/named.conf ns3/internal.bk
 
diff --git a/bin/tests/system/views/ns1/named.conf b/bin/tests/system/views/ns1/named.conf
index a4b90bba..470d7b01 100644
--- a/bin/tests/system/views/ns1/named.conf
+++ b/bin/tests/system/views/ns1/named.conf
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.13.2.2 2004/03/09 06:10:24 marka Exp $ */
+/* $Id: named.conf,v 1.13.206.2 2004/03/06 10:22:44 marka Exp $ */
 
 controls { /* empty */ };
 
diff --git a/bin/tests/system/views/ns1/root.db b/bin/tests/system/views/ns1/root.db
index 4e6f37df..45d6ca61 100644
--- a/bin/tests/system/views/ns1/root.db
+++ b/bin/tests/system/views/ns1/root.db
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: root.db,v 1.6.2.1 2004/03/09 06:10:25 marka Exp $
+; $Id: root.db,v 1.6.206.1 2004/03/06 10:22:44 marka Exp $
 
 $TTL 300
 . 			IN SOA	gson.nominum.com. a.root.servers.nil. (
diff --git a/bin/tests/system/views/ns2/example1.db b/bin/tests/system/views/ns2/example1.db
index 72b8599b..db730a19 100644
--- a/bin/tests/system/views/ns2/example1.db
+++ b/bin/tests/system/views/ns2/example1.db
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: example1.db,v 1.6.2.1 2004/03/09 06:10:25 marka Exp $
+; $Id: example1.db,v 1.6.206.1 2004/03/06 10:22:44 marka Exp $
 
 $ORIGIN .
 $TTL 300	; 5 minutes
diff --git a/bin/tests/system/views/ns2/example2.db b/bin/tests/system/views/ns2/example2.db
index 76fc430e..a8a0d10d 100644
--- a/bin/tests/system/views/ns2/example2.db
+++ b/bin/tests/system/views/ns2/example2.db
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: example2.db,v 1.6.2.1 2004/03/09 06:10:25 marka Exp $
+; $Id: example2.db,v 1.6.206.1 2004/03/06 10:22:44 marka Exp $
 
 $ORIGIN .
 $TTL 300	; 5 minutes
diff --git a/bin/tests/system/views/ns2/internal.db b/bin/tests/system/views/ns2/internal.db
index 219e8a43..1e73b386 100644
--- a/bin/tests/system/views/ns2/internal.db
+++ b/bin/tests/system/views/ns2/internal.db
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: internal.db,v 1.6.2.1 2004/03/09 06:10:25 marka Exp $
+; $Id: internal.db,v 1.6.206.1 2004/03/06 10:22:45 marka Exp $
 
 $ORIGIN .
 $TTL 300	; 5 minutes
diff --git a/bin/tests/system/views/ns2/named1.conf b/bin/tests/system/views/ns2/named1.conf
index b4756cce..0c667ec7 100644
--- a/bin/tests/system/views/ns2/named1.conf
+++ b/bin/tests/system/views/ns2/named1.conf
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named1.conf,v 1.16.2.2 2004/03/09 06:10:25 marka Exp $ */
+/* $Id: named1.conf,v 1.16.206.2 2004/03/06 10:22:45 marka Exp $ */
 
 controls { /* empty */ };
 
diff --git a/bin/tests/system/views/ns2/named2.conf b/bin/tests/system/views/ns2/named2.conf
index cfa42f7f..b59d761e 100644
--- a/bin/tests/system/views/ns2/named2.conf
+++ b/bin/tests/system/views/ns2/named2.conf
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named2.conf,v 1.18.2.2 2004/03/09 06:10:26 marka Exp $ */
+/* $Id: named2.conf,v 1.18.206.2 2004/03/06 10:22:45 marka Exp $ */
 
 controls { /* empty */ };
 
diff --git a/bin/tests/system/views/ns3/internal.db b/bin/tests/system/views/ns3/internal.db
index 825b9b0e..0f58380a 100644
--- a/bin/tests/system/views/ns3/internal.db
+++ b/bin/tests/system/views/ns3/internal.db
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: internal.db,v 1.6.2.1 2004/03/09 06:10:26 marka Exp $
+; $Id: internal.db,v 1.6.206.1 2004/03/06 10:22:45 marka Exp $
 
 $ORIGIN .
 $TTL 300	; 5 minutes
diff --git a/bin/tests/system/views/ns3/named1.conf b/bin/tests/system/views/ns3/named1.conf
index 22490925..67b45498 100644
--- a/bin/tests/system/views/ns3/named1.conf
+++ b/bin/tests/system/views/ns3/named1.conf
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named1.conf,v 1.15.2.2 2004/03/09 06:10:26 marka Exp $ */
+/* $Id: named1.conf,v 1.15.206.2 2004/03/06 10:22:46 marka Exp $ */
 
 controls { /* empty */ };
 
diff --git a/bin/tests/system/views/ns3/named2.conf b/bin/tests/system/views/ns3/named2.conf
index bc16e080..ca1e30c7 100644
--- a/bin/tests/system/views/ns3/named2.conf
+++ b/bin/tests/system/views/ns3/named2.conf
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named2.conf,v 1.15.2.2 2004/03/09 06:10:26 marka Exp $ */
+/* $Id: named2.conf,v 1.15.206.2 2004/03/06 10:22:46 marka Exp $ */
 
 controls { /* empty */ };
 
diff --git a/bin/tests/system/views/setup.sh b/bin/tests/system/views/setup.sh
index 1eb59a9e..631540a5 100644
--- a/bin/tests/system/views/setup.sh
+++ b/bin/tests/system/views/setup.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: setup.sh,v 1.6.2.2 2004/03/10 01:05:06 marka Exp $
+# $Id: setup.sh,v 1.6.206.2 2004/03/10 01:05:56 marka Exp $
 
 
 cp -f ns2/example1.db ns2/example.db
diff --git a/bin/tests/system/views/tests.sh b/bin/tests/system/views/tests.sh
index 707d32de..0f78b578 100644
--- a/bin/tests/system/views/tests.sh
+++ b/bin/tests/system/views/tests.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: tests.sh,v 1.26.2.2 2004/03/10 01:05:06 marka Exp $
+# $Id: tests.sh,v 1.26.206.2 2004/03/10 01:05:56 marka Exp $
 
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
diff --git a/bin/tests/system/xfer/clean.sh b/bin/tests/system/xfer/clean.sh
index d9e9f39b..c31b2608 100644
--- a/bin/tests/system/xfer/clean.sh
+++ b/bin/tests/system/xfer/clean.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000, 2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: clean.sh,v 1.9.2.4 2005/10/12 00:45:05 marka Exp $
+# $Id: clean.sh,v 1.9.12.3 2004/03/08 09:04:18 marka Exp $
 
 #
 # Clean up after zone transfer tests.
 #
 
-rm -f ns3/example.bk dig.out.ns2 dig.out.ns3
-rm -f ns2/example.db.jnl
+rm -f dig.out.ns2 dig.out.ns3
+rm -f ns2/example.db ns2/tsigzone.db ns2/example.db.jnl
 rm -f ns3/example.bk ns3/tsigzone.bk ns3/example.bk.jnl
diff --git a/bin/tests/system/xfer/dig1.good b/bin/tests/system/xfer/dig1.good
new file mode 100644
index 00000000..b7f3f791
--- /dev/null
+++ b/bin/tests/system/xfer/dig1.good
@@ -0,0 +1,80 @@
+example.		86400	IN	SOA	ns2.example. hostmaster.example. 1397051952 5 5 1814400 3600
+example.		3600	IN	NS	ns2.example.
+example.		3600	IN	NS	ns3.example.
+a01.example.		3600	IN	A	0.0.0.0
+a02.example.		3600	IN	A	255.255.255.255
+a601.example.		3600	IN	A6	0 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+a601.example.		3600	IN	A6	64 ::ffff:ffff:ffff:ffff foo.
+a601.example.		3600	IN	A6	127 ::1 foo.
+a601.example.		3600	IN	A6	128  .
+afsdb01.example.	3600	IN	AFSDB	0 hostname.example.
+afsdb02.example.	3600	IN	AFSDB	65535 .
+cert01.example.		3600	IN	CERT	65534 65535 PRIVATEOID MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgiWCn/GxHhai6V AuHAoNUz4YoU1tVfSCSqQYn6//11U6Nld80jEeC8aTrO+KKmCaY=
+cname01.example.	3600	IN	CNAME	cname-target.
+cname02.example.	3600	IN	CNAME	cname-target.example.
+cname03.example.	3600	IN	CNAME	.
+dname01.example.	3600	IN	DNAME	dname-target.
+dname02.example.	3600	IN	DNAME	dname-target.example.
+dname03.example.	3600	IN	DNAME	.
+gpos01.example.		3600	IN	GPOS	"-22.6882" "116.8652" "250.0"
+gpos02.example.		3600	IN	GPOS	"" "" ""
+hinfo01.example.	3600	IN	HINFO	"Generic PC clone" "NetBSD-1.4"
+hinfo02.example.	3600	IN	HINFO	"PC" "NetBSD"
+isdn01.example.		3600	IN	ISDN	"isdn-address"
+isdn02.example.		3600	IN	ISDN	"isdn-address" "subaddress"
+isdn03.example.		3600	IN	ISDN	"isdn-address"
+isdn04.example.		3600	IN	ISDN	"isdn-address" "subaddress"
+dnskey01.example.	3600	IN	DNSKEY	512 255 1 AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aRyzWZriO6i2od GWWQVucZqKVsENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esga60z yGW6LFe9r8n6paHrlG5ojqf0BaqHT+8=
+kx01.example.		3600	IN	KX	10 kdc.example.
+kx02.example.		3600	IN	KX	10 .
+loc01.example.		3600	IN	LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
+loc02.example.		3600	IN	LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
+mb01.example.		3600	IN	MG	madname.example.
+mb02.example.		3600	IN	MG	.
+mg01.example.		3600	IN	MG	mgmname.example.
+mg02.example.		3600	IN	MG	.
+minfo01.example.	3600	IN	MINFO	rmailbx.example. emailbx.example.
+minfo02.example.	3600	IN	MINFO	. .
+mr01.example.		3600	IN	MR	mrname.example.
+mr02.example.		3600	IN	MR	.
+mx01.example.		3600	IN	MX	10 mail.example.
+mx02.example.		3600	IN	MX	10 .
+naptr01.example.	3600	IN	NAPTR	0 0 "" "" "" .
+naptr02.example.	3600	IN	NAPTR	65535 65535 "blurgh" "blorf" "blegh" foo.
+ns2.example.		3600	IN	A	10.53.0.2
+ns3.example.		3600	IN	A	10.53.0.3
+nsap-ptr01.example.	3600	IN	NSAP-PTR .
+nsap-ptr01.example.	3600	IN	NSAP-PTR foo.
+nsap01.example.		3600	IN	NSAP	0x47000580005a0000000001e133ffffff00016100
+nsap02.example.		3600	IN	NSAP	0x47000580005a0000000001e133ffffff00016100
+nsec01.example.		3600	IN	NSEC	a.secure.nil. NS SOA MX LOC RRSIG NSEC DNSKEY
+nsec02.example.		3600	IN	NSEC	. NSAP-PTR NSEC
+nsec03.example.		3600	IN	NSEC	. A
+nsec04.example.		3600	IN	NSEC	. TYPE127
+ptr01.example.		3600	IN	PTR	example.
+px01.example.		3600	IN	PX	65535 foo. bar.
+px02.example.		3600	IN	PX	65535 . .
+rp01.example.		3600	IN	RP	mbox-dname.example. txt-dname.example.
+rp02.example.		3600	IN	RP	. .
+rt01.example.		3600	IN	RT	0 intermediate-host.example.
+rt02.example.		3600	IN	RT	65535 .
+rrsig01.example.		3600	IN	RRSIG	NSEC 1 3 3600 20000102030405 19961211100908 2143 foo.nil. MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgiWCn/GxHhai6V AuHAoNUz4YoU1tVfSCSqQYn6//11U6Nld80jEeC8aTrO+KKmCaY=
+srv01.example.		3600	IN	SRV	0 0 0 .
+srv02.example.		3600	IN	SRV	65535 65535 65535 old-slow-box.example.
+txt01.example.		3600	IN	TXT	"foo"
+txt02.example.		3600	IN	TXT	"foo" "bar"
+txt03.example.		3600	IN	TXT	"foo"
+txt04.example.		3600	IN	TXT	"foo" "bar"
+txt05.example.		3600	IN	TXT	"foo bar"
+txt06.example.		3600	IN	TXT	"foo bar"
+txt07.example.		3600	IN	TXT	"foo bar"
+txt08.example.		3600	IN	TXT	"foo\010bar"
+txt09.example.		3600	IN	TXT	"foo\010bar"
+txt10.example.		3600	IN	TXT	"foo bar"
+txt11.example.		3600	IN	TXT	"\"foo\""
+txt12.example.		3600	IN	TXT	"\"foo\""
+wks01.example.		3600	IN	WKS	10.0.0.1 6 0 1 2 21 23
+wks02.example.		3600	IN	WKS	10.0.0.1 17 0 1 2 53
+wks03.example.		3600	IN	WKS	10.0.0.2 6 65535
+x2501.example.		3600	IN	X25	"123456789"
+example.		86400	IN	SOA	ns2.example. hostmaster.example. 1397051952 5 5 1814400 3600
diff --git a/bin/tests/system/xfer/knowngood.dig.out b/bin/tests/system/xfer/dig2.good
index 199398a2..9f2cece6 100644
--- a/bin/tests/system/xfer/knowngood.dig.out
+++ b/bin/tests/system/xfer/dig2.good
@@ -1,10 +1,7 @@
-example.		300	IN	SOA	ns2.example. hostmaster.example. 2000042795 20 20 1814400 3600
-example.		300	IN	NS	ns2.example.
-example.		300	IN	NS	ns3.example.
-*.example.		300	IN	MX	10 mail.example.
-a.example.		300	IN	TXT	"foo foo foo"
-a.example.		300	IN	PTR	foo.net.
-a01.example.		3600	IN	A	0.0.0.0
+example.		86400	IN	SOA	ns2.example. hostmaster.example. 1397051953 5 5 1814400 3600
+example.		3600	IN	NS	ns2.example.
+example.		3600	IN	NS	ns3.example.
+a01.example.		3600	IN	A	0.0.0.1
 a02.example.		3600	IN	A	255.255.255.255
 a601.example.		3600	IN	A6	0 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
 a601.example.		3600	IN	A6	64 ::ffff:ffff:ffff:ffff foo.
@@ -12,25 +9,13 @@ a601.example.		3600	IN	A6	127 ::1 foo.
 a601.example.		3600	IN	A6	128  .
 afsdb01.example.	3600	IN	AFSDB	0 hostname.example.
 afsdb02.example.	3600	IN	AFSDB	65535 .
-b.example.		300	IN	CNAME	foo.net.
-c.example.		300	IN	A	73.80.65.49
 cert01.example.		3600	IN	CERT	65534 65535 PRIVATEOID MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgiWCn/GxHhai6V AuHAoNUz4YoU1tVfSCSqQYn6//11U6Nld80jEeC8aTrO+KKmCaY=
 cname01.example.	3600	IN	CNAME	cname-target.
 cname02.example.	3600	IN	CNAME	cname-target.example.
 cname03.example.	3600	IN	CNAME	.
-d.example.		300	IN	A	73.80.65.49
 dname01.example.	3600	IN	DNAME	dname-target.
 dname02.example.	3600	IN	DNAME	dname-target.example.
 dname03.example.	3600	IN	DNAME	.
-e.example.		300	IN	MX	10 mail.example.
-e.example.		300	IN	TXT	"one"
-e.example.		300	IN	TXT	"three"
-e.example.		300	IN	TXT	"two"
-e.example.		300	IN	A	73.80.65.49
-e.example.		300	IN	A	73.80.65.50
-e.example.		300	IN	A	73.80.65.52
-e.example.		300	IN	A	73.80.65.51
-f.example.		300	IN	A	73.80.65.52
 gpos01.example.		3600	IN	GPOS	"-22.6882" "116.8652" "250.0"
 gpos02.example.		3600	IN	GPOS	"" "" ""
 hinfo01.example.	3600	IN	HINFO	"Generic PC clone" "NetBSD-1.4"
@@ -39,17 +24,13 @@ isdn01.example.		3600	IN	ISDN	"isdn-address"
 isdn02.example.		3600	IN	ISDN	"isdn-address" "subaddress"
 isdn03.example.		3600	IN	ISDN	"isdn-address"
 isdn04.example.		3600	IN	ISDN	"isdn-address" "subaddress"
-key01.example.		3600	IN	KEY	512 255 1 AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aRyzWZriO6i2od GWWQVucZqKVsENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esga60z yGW6LFe9r8n6paHrlG5ojqf0BaqHT+8=
+dnskey01.example.	3600	IN	DNSKEY	512 255 1 AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aRyzWZriO6i2od GWWQVucZqKVsENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esga60z yGW6LFe9r8n6paHrlG5ojqf0BaqHT+8=
 kx01.example.		3600	IN	KX	10 kdc.example.
 kx02.example.		3600	IN	KX	10 .
 loc01.example.		3600	IN	LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
 loc02.example.		3600	IN	LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
 mb01.example.		3600	IN	MG	madname.example.
 mb02.example.		3600	IN	MG	.
-md01.example.		3600	IN	MD	madname.example.
-md01.example.		3600	IN	MD	.
-mf01.example.		3600	IN	MF	madname.example.
-mf01.example.		3600	IN	MF	.
 mg01.example.		3600	IN	MG	mgmname.example.
 mg02.example.		3600	IN	MG	.
 minfo01.example.	3600	IN	MINFO	rmailbx.example. emailbx.example.
@@ -60,16 +41,16 @@ mx01.example.		3600	IN	MX	10 mail.example.
 mx02.example.		3600	IN	MX	10 .
 naptr01.example.	3600	IN	NAPTR	0 0 "" "" "" .
 naptr02.example.	3600	IN	NAPTR	65535 65535 "blurgh" "blorf" "blegh" foo.
-ns2.example.		300	IN	A	10.53.0.2
-ns3.example.		300	IN	A	10.53.0.3
-nsap-ptr01.example.	3600	IN	NSAP-PTR foo.
+ns2.example.		3600	IN	A	10.53.0.2
+ns3.example.		3600	IN	A	10.53.0.3
 nsap-ptr01.example.	3600	IN	NSAP-PTR .
+nsap-ptr01.example.	3600	IN	NSAP-PTR foo.
 nsap01.example.		3600	IN	NSAP	0x47000580005a0000000001e133ffffff00016100
 nsap02.example.		3600	IN	NSAP	0x47000580005a0000000001e133ffffff00016100
-nxt01.example.		3600	IN	NXT	a.secure.example. NS SOA MX SIG KEY LOC NXT
-nxt02.example.		3600	IN	NXT	. NSAP-PTR NXT
-nxt03.example.		3600	IN	NXT	. A
-nxt04.example.		3600	IN	NXT	. 127
+nsec01.example.		3600	IN	NSEC	a.secure.nil. NS SOA MX LOC RRSIG NSEC DNSKEY
+nsec02.example.		3600	IN	NSEC	. NSAP-PTR NSEC
+nsec03.example.		3600	IN	NSEC	. A
+nsec04.example.		3600	IN	NSEC	. TYPE127
 ptr01.example.		3600	IN	PTR	example.
 px01.example.		3600	IN	PX	65535 foo. bar.
 px02.example.		3600	IN	PX	65535 . .
@@ -77,12 +58,9 @@ rp01.example.		3600	IN	RP	mbox-dname.example. txt-dname.example.
 rp02.example.		3600	IN	RP	. .
 rt01.example.		3600	IN	RT	0 intermediate-host.example.
 rt02.example.		3600	IN	RT	65535 .
-s.example.		300	IN	NS	ns.s.example.
-ns.s.example.		300	IN	A	73.80.65.49
-sig01.example.		3600	IN	SIG	NXT 1 3 3600 20000102030405 19961211100908 2143 foo.example. MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgiWCn/GxHhai6V AuHAoNUz4YoU1tVfSCSqQYn6//11U6Nld80jEeC8aTrO+KKmCaY=
+rrsig01.example.	3600	IN	RRSIG	NSEC 1 3 3600 20000102030405 19961211100908 2143 foo.nil. MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgiWCn/GxHhai6V AuHAoNUz4YoU1tVfSCSqQYn6//11U6Nld80jEeC8aTrO+KKmCaY=
 srv01.example.		3600	IN	SRV	0 0 0 .
-srv02.example.		3600	IN	SRV	65535 65535 65535 old-slow-box.example.com.
-t.example.		301	IN	A	73.80.65.49
+srv02.example.		3600	IN	SRV	65535 65535 65535 old-slow-box.example.
 txt01.example.		3600	IN	TXT	"foo"
 txt02.example.		3600	IN	TXT	"foo" "bar"
 txt03.example.		3600	IN	TXT	"foo"
@@ -95,11 +73,8 @@ txt09.example.		3600	IN	TXT	"foo\010bar"
 txt10.example.		3600	IN	TXT	"foo bar"
 txt11.example.		3600	IN	TXT	"\"foo\""
 txt12.example.		3600	IN	TXT	"\"foo\""
-u.example.		300	IN	TXT	"txt-not-in-nxt"
-a.u.example.		300	IN	A	73.80.65.49
-b.u.example.		300	IN	A	73.80.65.49
 wks01.example.		3600	IN	WKS	10.0.0.1 6 0 1 2 21 23
 wks02.example.		3600	IN	WKS	10.0.0.1 17 0 1 2 53
 wks03.example.		3600	IN	WKS	10.0.0.2 6 65535
 x2501.example.		3600	IN	X25	"123456789"
-example.		300	IN	SOA	ns2.example. hostmaster.example. 2000042795 20 20 1814400 3600
+example.		86400	IN	SOA	ns2.example. hostmaster.example. 1397051953 5 5 1814400 3600
diff --git a/bin/tests/system/xfer/ns1/named.conf b/bin/tests/system/xfer/ns1/named.conf
index db2ce154..41821b3e 100644
--- a/bin/tests/system/xfer/ns1/named.conf
+++ b/bin/tests/system/xfer/ns1/named.conf
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.14.2.2 2004/03/09 06:10:27 marka Exp $ */
+/* $Id: named.conf,v 1.14.206.2 2004/03/06 10:22:47 marka Exp $ */
 
 controls { /* empty */ };
 
diff --git a/bin/tests/system/xfer/ns1/root.db b/bin/tests/system/xfer/ns1/root.db
index 75b6474c..f6026214 100644
--- a/bin/tests/system/xfer/ns1/root.db
+++ b/bin/tests/system/xfer/ns1/root.db
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: root.db,v 1.6.2.1 2004/03/09 06:10:27 marka Exp $
+; $Id: root.db,v 1.6.12.3 2004/03/08 09:04:19 marka Exp $
 
 $TTL 300
 . 			IN SOA	gson.nominum.com. a.root.servers.nil. (
@@ -28,3 +28,6 @@ a.root-servers.nil.	A	10.53.0.1
 
 example.		NS	ns2.example.
 ns2.example.		A	10.53.0.2
+
+tsigzone.		NS	ns2.tsigzone.
+ns2.tsigzone.		A	10.53.0.2
diff --git a/bin/tests/system/xfer/ns2/example.db b/bin/tests/system/xfer/ns2/example.db
deleted file mode 100644
index 4d0975e1..00000000
--- a/bin/tests/system/xfer/ns2/example.db
+++ /dev/null
@@ -1,159 +0,0 @@
-; Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
-; Copyright (C) 2000, 2001  Internet Software Consortium.
-;
-; Permission to use, copy, modify, and distribute this software for any
-; purpose with or without fee is hereby granted, provided that the above
-; copyright notice and this permission notice appear in all copies.
-;
-; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-; PERFORMANCE OF THIS SOFTWARE.
-
-; $Id: example.db,v 1.7.2.1 2004/03/09 06:10:27 marka Exp $
-
-$ORIGIN .
-$TTL 300	; 5 minutes
-example			IN SOA	ns2.example. hostmaster.example. (
-				2000042795 ; serial
-				20         ; refresh (20 seconds)
-				20         ; retry (20 seconds)
-				1814400    ; expire (3 weeks)
-				3600       ; minimum (1 hour)
-				)
-example.		NS	ns2.example.
-ns2.example.		A	10.53.0.2
-example.		NS	ns3.example.
-ns3.example.		A	10.53.0.3
-
-$ORIGIN example.
-*			MX	10 mail
-a			TXT	"foo foo foo"
-			PTR	foo.net.
-$TTL 3600	; 1 hour
-a01			A	0.0.0.0
-a02			A	255.255.255.255
-a601			A6	0 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
-			A6	64 ::ffff:ffff:ffff:ffff foo.
-			A6	127 ::1 foo.
-			A6	128  .
-afsdb01			AFSDB	0 hostname
-afsdb02			AFSDB	65535 .
-$TTL 300	; 5 minutes
-b			CNAME	foo.net.
-c			A	73.80.65.49
-$TTL 3600	; 1 hour
-cert01			CERT	65534 65535 PRIVATEOID (
-				MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgi
-				WCn/GxHhai6VAuHAoNUz4YoU1tVfSCSqQYn6//11U6Nl
-				d80jEeC8aTrO+KKmCaY= )
-cname01			CNAME	cname-target.
-cname02			CNAME	cname-target
-cname03			CNAME	.
-$TTL 300	; 5 minutes
-d			A	73.80.65.49
-$TTL 3600	; 1 hour
-dname01			DNAME	dname-target.
-dname02			DNAME	dname-target
-dname03			DNAME	.
-$TTL 300	; 5 minutes
-e			MX	10 mail
-			TXT	"one"
-			TXT	"three"
-			TXT	"two"
-			A	73.80.65.49
-			A	73.80.65.50
-			A	73.80.65.52
-			A	73.80.65.51
-f			A	73.80.65.52
-$TTL 3600	; 1 hour
-gpos01			GPOS	"-22.6882" "116.8652" "250.0"
-gpos02			GPOS	"" "" ""
-hinfo01			HINFO	"Generic PC clone" "NetBSD-1.4"
-hinfo02			HINFO	"PC" "NetBSD"
-isdn01			ISDN	"isdn-address"
-isdn02			ISDN	"isdn-address" "subaddress"
-isdn03			ISDN	"isdn-address"
-isdn04			ISDN	"isdn-address" "subaddress"
-key01			KEY	512 255 1 (
-				AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aR
-				yzWZriO6i2odGWWQVucZqKVsENW91IOW4vqudngPZsY3
-				GvQ/xVA8/7pyFj6b7Esga60zyGW6LFe9r8n6paHrlG5o
-				jqf0BaqHT+8= )
-kx01			KX	10 kdc
-kx02			KX	10 .
-loc01			LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
-loc02			LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
-mb01			MG	madname
-mb02			MG	.
-md01			MD	madname
-			MD	.
-mf01			MF	madname
-			MF	.
-mg01			MG	mgmname
-mg02			MG	.
-minfo01			MINFO	rmailbx emailbx
-minfo02			MINFO	. .
-mr01			MR	mrname
-mr02			MR	.
-mx01			MX	10 mail
-mx02			MX	10 .
-naptr01			NAPTR	0 0 "" "" "" .
-naptr02			NAPTR	65535 65535 "blurgh" "blorf" "blegh" foo.
-nsap-ptr01		NSAP-PTR foo.
-			NSAP-PTR .
-nsap01			NSAP	0x47000580005a0000000001e133ffffff00016100
-nsap02			NSAP	0x47000580005a0000000001e133ffffff00016100
-nxt01			NXT	a.secure ( NS SOA MX SIG KEY LOC NXT )
-nxt02			NXT	. ( NSAP-PTR NXT )
-nxt03			NXT	. ( A )
-nxt04			NXT	. ( 127 )
-ptr01			PTR	example.
-px01			PX	65535 foo. bar.
-px02			PX	65535 . .
-rp01			RP	mbox-dname txt-dname
-rp02			RP	. .
-rt01			RT	0 intermediate-host
-rt02			RT	65535 .
-$TTL 300	; 5 minutes
-s			NS	ns.s
-$ORIGIN s.example.
-ns			A	73.80.65.49
-$ORIGIN example.
-$TTL 3600	; 1 hour
-sig01			SIG	NXT 1 3 3600 20000102030405 (
-				19961211100908 2143 foo
-				MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgi
-				WCn/GxHhai6VAuHAoNUz4YoU1tVfSCSqQYn6//11U6Nl
-				d80jEeC8aTrO+KKmCaY= )
-srv01			SRV	0 0 0 .
-srv02			SRV	65535 65535 65535 old-slow-box.example.com.
-$TTL 301	; 5 minutes 1 second
-t			A	73.80.65.49
-$TTL 3600	; 1 hour
-txt01			TXT	"foo"
-txt02			TXT	"foo" "bar"
-txt03			TXT	"foo"
-txt04			TXT	"foo" "bar"
-txt05			TXT	"foo bar"
-txt06			TXT	"foo bar"
-txt07			TXT	"foo bar"
-txt08			TXT	"foo\010bar"
-txt09			TXT	"foo\010bar"
-txt10			TXT	"foo bar"
-txt11			TXT	"\"foo\""
-txt12			TXT	"\"foo\""
-$TTL 300	; 5 minutes
-u			TXT	"txt-not-in-nxt"
-$ORIGIN u.example.
-a			A	73.80.65.49
-b			A	73.80.65.49
-$ORIGIN example.
-$TTL 3600	; 1 hour
-wks01			WKS	10.0.0.1 6 ( 0 1 2 21 23 )
-wks02			WKS	10.0.0.1 17 ( 0 1 2 53 )
-wks03			WKS	10.0.0.2 6 ( 65535 )
-x2501			X25	"123456789"
diff --git a/bin/tests/system/xfer/ns2/named.conf b/bin/tests/system/xfer/ns2/named.conf
index 33aa8c3a..00616ff3 100644
--- a/bin/tests/system/xfer/ns2/named.conf
+++ b/bin/tests/system/xfer/ns2/named.conf
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.15.2.2 2004/03/09 06:10:28 marka Exp $ */
+/* $Id: named.conf,v 1.15.12.4 2004/03/08 09:04:19 marka Exp $ */
 
 controls { /* empty */ };
 
@@ -29,8 +29,11 @@ options {
 	listen-on-v6 { none; };
 	recursion no;
 	notify yes;
+	ixfr-from-differences yes;
 };
 
+include "../../common/controls.conf";
+
 key tsigzone. {
         algorithm hmac-md5;
         secret "1234abcd8765";
@@ -44,7 +47,6 @@ zone "." {
 zone "example" {
 	type master;
 	file "example.db";
-	allow-update { any; };
 };
 
 zone "tsigzone" {
diff --git a/bin/tests/system/xfer/ns2/tsigzone.db b/bin/tests/system/xfer/ns2/tsigzone.db
deleted file mode 100644
index 82f09c39..00000000
--- a/bin/tests/system/xfer/ns2/tsigzone.db
+++ /dev/null
@@ -1,159 +0,0 @@
-; Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
-; Copyright (C) 2000, 2001  Internet Software Consortium.
-;
-; Permission to use, copy, modify, and distribute this software for any
-; purpose with or without fee is hereby granted, provided that the above
-; copyright notice and this permission notice appear in all copies.
-;
-; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-; PERFORMANCE OF THIS SOFTWARE.
-
-; $Id: tsigzone.db,v 1.6.2.1 2004/03/09 06:10:28 marka Exp $
-
-$ORIGIN .
-$TTL 300	; 5 minutes
-tsigzone			IN SOA	ns2.tsigzone. hostmaster.tsigzone. (
-				2000042795 ; serial
-				20         ; refresh (20 seconds)
-				20         ; retry (20 seconds)
-				1814400    ; expire (3 weeks)
-				3600       ; minimum (1 hour)
-				)
-tsigzone.		NS	ns2.tsigzone.
-ns2.tsigzone.		A	10.53.0.2
-tsigzone.		NS	ns3.tsigzone.
-ns3.tsigzone.		A	10.53.0.3
-
-$ORIGIN tsigzone.
-*			MX	10 mail
-a			TXT	"foo foo foo"
-			PTR	foo.net.
-$TTL 3600	; 1 hour
-a01			A	0.0.0.0
-a02			A	255.255.255.255
-a601			A6	0 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
-			A6	64 ::ffff:ffff:ffff:ffff foo.
-			A6	127 ::1 foo.
-			A6	128  .
-afsdb01			AFSDB	0 hostname
-afsdb02			AFSDB	65535 .
-$TTL 300	; 5 minutes
-b			CNAME	foo.net.
-c			A	73.80.65.49
-$TTL 3600	; 1 hour
-cert01			CERT	65534 65535 PRIVATEOID (
-				MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgi
-				WCn/GxHhai6VAuHAoNUz4YoU1tVfSCSqQYn6//11U6Nl
-				d80jEeC8aTrO+KKmCaY= )
-cname01			CNAME	cname-target.
-cname02			CNAME	cname-target
-cname03			CNAME	.
-$TTL 300	; 5 minutes
-d			A	73.80.65.49
-$TTL 3600	; 1 hour
-dname01			DNAME	dname-target.
-dname02			DNAME	dname-target
-dname03			DNAME	.
-$TTL 300	; 5 minutes
-e			MX	10 mail
-			TXT	"one"
-			TXT	"three"
-			TXT	"two"
-			A	73.80.65.49
-			A	73.80.65.50
-			A	73.80.65.52
-			A	73.80.65.51
-f			A	73.80.65.52
-$TTL 3600	; 1 hour
-gpos01			GPOS	"-22.6882" "116.8652" "250.0"
-gpos02			GPOS	"" "" ""
-hinfo01			HINFO	"Generic PC clone" "NetBSD-1.4"
-hinfo02			HINFO	"PC" "NetBSD"
-isdn01			ISDN	"isdn-address"
-isdn02			ISDN	"isdn-address" "subaddress"
-isdn03			ISDN	"isdn-address"
-isdn04			ISDN	"isdn-address" "subaddress"
-key01			KEY	512 255 1 (
-				AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aR
-				yzWZriO6i2odGWWQVucZqKVsENW91IOW4vqudngPZsY3
-				GvQ/xVA8/7pyFj6b7Esga60zyGW6LFe9r8n6paHrlG5o
-				jqf0BaqHT+8= )
-kx01			KX	10 kdc
-kx02			KX	10 .
-loc01			LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
-loc02			LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
-mb01			MG	madname
-mb02			MG	.
-md01			MD	madname
-			MD	.
-mf01			MF	madname
-			MF	.
-mg01			MG	mgmname
-mg02			MG	.
-minfo01			MINFO	rmailbx emailbx
-minfo02			MINFO	. .
-mr01			MR	mrname
-mr02			MR	.
-mx01			MX	10 mail
-mx02			MX	10 .
-naptr01			NAPTR	0 0 "" "" "" .
-naptr02			NAPTR	65535 65535 "blurgh" "blorf" "blegh" foo.
-nsap-ptr01		NSAP-PTR foo.
-			NSAP-PTR .
-nsap01			NSAP	0x47000580005a0000000001e133ffffff00016100
-nsap02			NSAP	0x47000580005a0000000001e133ffffff00016100
-nxt01			NXT	a.secure ( NS SOA MX SIG KEY LOC NXT )
-nxt02			NXT	. ( NSAP-PTR NXT )
-nxt03			NXT	. ( A )
-nxt04			NXT	. ( 127 )
-ptr01			PTR	tsigzone.
-px01			PX	65535 foo. bar.
-px02			PX	65535 . .
-rp01			RP	mbox-dname txt-dname
-rp02			RP	. .
-rt01			RT	0 intermediate-host
-rt02			RT	65535 .
-$TTL 300	; 5 minutes
-s			NS	ns.s
-$ORIGIN s.tsigzone.
-ns			A	73.80.65.49
-$ORIGIN tsigzone.
-$TTL 3600	; 1 hour
-sig01			SIG	NXT 1 3 3600 20000102030405 (
-				19961211100908 2143 foo
-				MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgi
-				WCn/GxHhai6VAuHAoNUz4YoU1tVfSCSqQYn6//11U6Nl
-				d80jEeC8aTrO+KKmCaY= )
-srv01			SRV	0 0 0 .
-srv02			SRV	65535 65535 65535 old-slow-box.tsigzone.com.
-$TTL 301	; 5 minutes 1 second
-t			A	73.80.65.49
-$TTL 3600	; 1 hour
-txt01			TXT	"foo"
-txt02			TXT	"foo" "bar"
-txt03			TXT	"foo"
-txt04			TXT	"foo" "bar"
-txt05			TXT	"foo bar"
-txt06			TXT	"foo bar"
-txt07			TXT	"foo bar"
-txt08			TXT	"foo\010bar"
-txt09			TXT	"foo\010bar"
-txt10			TXT	"foo bar"
-txt11			TXT	"\"foo\""
-txt12			TXT	"\"foo\""
-$TTL 300	; 5 minutes
-u			TXT	"txt-not-in-nxt"
-$ORIGIN u.tsigzone.
-a			A	73.80.65.49
-b			A	73.80.65.49
-$ORIGIN tsigzone.
-$TTL 3600	; 1 hour
-wks01			WKS	10.0.0.1 6 ( 0 1 2 21 23 )
-wks02			WKS	10.0.0.1 17 ( 0 1 2 53 )
-wks03			WKS	10.0.0.2 6 ( 65535 )
-x2501			X25	"123456789"
diff --git a/bin/tests/system/xfer/ns3/named.conf b/bin/tests/system/xfer/ns3/named.conf
index 39b3e860..9997c7dd 100644
--- a/bin/tests/system/xfer/ns3/named.conf
+++ b/bin/tests/system/xfer/ns3/named.conf
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.15.2.2 2004/03/09 06:10:28 marka Exp $ */
+/* $Id: named.conf,v 1.15.12.4 2004/03/08 09:04:19 marka Exp $ */
 
 controls { /* empty */ };
 
@@ -31,6 +31,15 @@ options {
 	notify yes;
 };
 
+key rndc_key {
+        secret "1234abcd8765";
+        algorithm hmac-md5;
+};
+
+controls {
+        inet 10.53.0.3 port 9953 allow { any; } keys { rndc_key; };
+};
+
 key tsigzone. {
         algorithm hmac-md5;
         secret "1234abcd8765";
diff --git a/bin/tests/system/xfer/setup.sh b/bin/tests/system/xfer/setup.sh
new file mode 100644
index 00000000..0deb4d96
--- /dev/null
+++ b/bin/tests/system/xfer/setup.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+#
+# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2001, 2002  Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: setup.sh,v 1.2.224.3 2004/03/08 09:04:18 marka Exp $
+
+sh ../genzone.sh 2 3 >ns2/example.db
+sh ../genzone.sh 2 3 >ns2/tsigzone.db
diff --git a/bin/tests/system/xfer/tests.sh b/bin/tests/system/xfer/tests.sh
index 66a61559..11f2d971 100644
--- a/bin/tests/system/xfer/tests.sh
+++ b/bin/tests/system/xfer/tests.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000, 2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: tests.sh,v 1.24.2.3 2005/11/03 00:02:53 marka Exp $
+# $Id: tests.sh,v 1.24.12.4 2004/03/08 09:04:18 marka Exp $
 
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
@@ -29,25 +29,13 @@ $DIG $DIGOPTS example. \
 	@10.53.0.2 axfr -p 5300 > dig.out.ns2 || status=1
 grep ";" dig.out.ns2
 
-#
-# Spin to allow the zone to tranfer.
-#
-for i in 1 2 3 4 5
-do
-tmp=0
 $DIG $DIGOPTS example. \
-	@10.53.0.3 axfr -p 5300 > dig.out.ns3 || tmp=1
-	grep ";" dig.out.ns3 > /dev/null
-	if test $? -ne 0 ; then break; fi
-	echo "I: plain zone re-transfer"
-	sleep 5
-done
-if test $tmp -eq 1 ; then status=1; fi
+	@10.53.0.3 axfr -p 5300 > dig.out.ns3 || status=1
 grep ";" dig.out.ns3
 
-$PERL ../digcomp.pl knowngood.dig.out dig.out.ns2 || status=1
+$PERL ../digcomp.pl dig1.good dig.out.ns2 || status=1
 
-$PERL ../digcomp.pl knowngood.dig.out dig.out.ns3 || status=1
+$PERL ../digcomp.pl dig1.good dig.out.ns3 || status=1
 
 echo "I:testing TSIG signed zone transfers"
 $DIG $DIGOPTS tsigzone. \
@@ -55,24 +43,36 @@ $DIG $DIGOPTS tsigzone. \
 	> dig.out.ns2 || status=1
 grep ";" dig.out.ns2
 
-#
-# Spin to allow the zone to tranfer.
-#
-for i in 1 2 3 4 5
-do
-tmp=0
 $DIG $DIGOPTS tsigzone. \
     	@10.53.0.3 axfr -y tsigzone.:1234abcd8765 -p 5300 \
-	> dig.out.ns3 || tmp=1
-	grep ";" dig.out.ns3 > /dev/null
-	if test $? -ne 0 ; then break; fi
-	echo "I: TSIG zone re-transfer"
-	sleep 5
-done
-if test $tmp -eq 1 ; then status=1; fi
+	> dig.out.ns3 || status=1
 grep ";" dig.out.ns3
 
 $PERL ../digcomp.pl dig.out.ns2 dig.out.ns3 || status=1
 
+echo "I:testing ixfr-from-differences"
+
+$PERL -i -p -e '
+	s/0\.0\.0\.0/0.0.0.1/;
+	s/1397051952/1397051953/
+' ns2/example.db
+
+$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
+
+sleep 5
+
+$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 reload 2>&1 | sed 's/^/I:ns3 /'
+
+sleep 5
+
+$DIG $DIGOPTS example. \
+	@10.53.0.3 axfr -p 5300 > dig.out.ns3 || status=1
+grep ";" dig.out.ns3
+
+$PERL ../digcomp.pl dig2.good dig.out.ns3 || status=1
+
+# ns3 has a journal iff it received an IXFR.
+test -f ns3/example.bk.jnl || status=1 
+
 echo "I:exit status: $status"
 exit $status
diff --git a/bin/tests/system/xferquota/clean.sh b/bin/tests/system/xferquota/clean.sh
index 0c5d2735..b1344091 100644
--- a/bin/tests/system/xferquota/clean.sh
+++ b/bin/tests/system/xferquota/clean.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000, 2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: clean.sh,v 1.8.2.4 2005/09/13 00:34:28 marka Exp $
+# $Id: clean.sh,v 1.8.206.2 2004/03/10 01:05:56 marka Exp $
 
 #
 # Clean up after zone transfer quota tests.
@@ -24,4 +24,3 @@
 rm -f ns1/zone*.example.db ns1/zones.conf
 rm -f ns2/zone*.example.bk ns2/zones.conf
 rm -f dig.out.* ns2/changing.bk
-rm -f ns1/changing.db
diff --git a/bin/tests/system/xferquota/ns1/changing1.db b/bin/tests/system/xferquota/ns1/changing1.db
index b4b5ac77..8262aea5 100644
--- a/bin/tests/system/xferquota/ns1/changing1.db
+++ b/bin/tests/system/xferquota/ns1/changing1.db
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: changing1.db,v 1.6.2.1 2004/03/09 06:10:29 marka Exp $
+; $Id: changing1.db,v 1.6.206.1 2004/03/06 10:22:49 marka Exp $
 
 $TTL	600
 
diff --git a/bin/tests/system/xferquota/ns1/changing2.db b/bin/tests/system/xferquota/ns1/changing2.db
index d563b6de..af18ead0 100644
--- a/bin/tests/system/xferquota/ns1/changing2.db
+++ b/bin/tests/system/xferquota/ns1/changing2.db
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: changing2.db,v 1.6.2.1 2004/03/09 06:10:29 marka Exp $
+; $Id: changing2.db,v 1.6.206.1 2004/03/06 10:22:50 marka Exp $
 
 $TTL	600
 
diff --git a/bin/tests/system/xferquota/ns1/named.conf b/bin/tests/system/xferquota/ns1/named.conf
index 4d321167..5b09c7fd 100644
--- a/bin/tests/system/xferquota/ns1/named.conf
+++ b/bin/tests/system/xferquota/ns1/named.conf
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.17.2.2 2004/03/09 06:10:29 marka Exp $ */
+/* $Id: named.conf,v 1.17.206.2 2004/03/06 10:22:50 marka Exp $ */
 
 controls { /* empty */ };
 
diff --git a/bin/tests/system/xferquota/ns1/root.db b/bin/tests/system/xferquota/ns1/root.db
index 1f2d5f87..11c3283d 100644
--- a/bin/tests/system/xferquota/ns1/root.db
+++ b/bin/tests/system/xferquota/ns1/root.db
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: root.db,v 1.7.2.1 2004/03/09 06:10:29 marka Exp $
+; $Id: root.db,v 1.7.206.1 2004/03/06 10:22:50 marka Exp $
 
 $TTL 300
 . 			IN SOA	gson.nominum.com. a.root.servers.nil. (
diff --git a/bin/tests/system/xferquota/ns2/example.db b/bin/tests/system/xferquota/ns2/example.db
index d780cc69..f1ba7dbf 100644
--- a/bin/tests/system/xferquota/ns2/example.db
+++ b/bin/tests/system/xferquota/ns2/example.db
@@ -1,5 +1,5 @@
 ; Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
-; Copyright (C) 2000, 2001  Internet Software Consortium.
+; Copyright (C) 2000-2003  Internet Software Consortium.
 ;
 ; Permission to use, copy, modify, and distribute this software for any
 ; purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: example.db,v 1.6.2.1 2004/03/09 06:10:30 marka Exp $
+; $Id: example.db,v 1.6.12.5 2004/03/08 09:04:20 marka Exp $
 
 $ORIGIN .
 $TTL 300	; 5 minutes
@@ -36,10 +36,7 @@ a			TXT	"foo foo foo"
 $TTL 3600	; 1 hour
 a01			A	0.0.0.0
 a02			A	255.255.255.255
-a601			A6	0 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
-			A6	64 ::ffff:ffff:ffff:ffff foo.
-			A6	127 ::1 foo.
-			A6	128  .
+a601			AAAA	ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
 afsdb01			AFSDB	0 hostname
 afsdb02			AFSDB	65535 .
 $TTL 300	; 5 minutes
@@ -78,7 +75,7 @@ isdn01			ISDN	"isdn-address"
 isdn02			ISDN	"isdn-address" "subaddress"
 isdn03			ISDN	"isdn-address"
 isdn04			ISDN	"isdn-address" "subaddress"
-key01			KEY	512 255 1 (
+dnskey01		DNSKEY	512 255 1 (
 				AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aR
 				yzWZriO6i2odGWWQVucZqKVsENW91IOW4vqudngPZsY3
 				GvQ/xVA8/7pyFj6b7Esga60zyGW6LFe9r8n6paHrlG5o
@@ -89,10 +86,6 @@ loc01			LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
 loc02			LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
 mb01			MG	madname
 mb02			MG	.
-md01			MD	madname
-			MD	.
-mf01			MF	madname
-			MF	.
 mg01			MG	mgmname
 mg02			MG	.
 minfo01			MINFO	rmailbx emailbx
@@ -107,10 +100,10 @@ nsap-ptr01		NSAP-PTR foo.
 			NSAP-PTR .
 nsap01			NSAP	0x47000580005a0000000001e133ffffff00016100
 nsap02			NSAP	0x47000580005a0000000001e133ffffff00016100
-nxt01			NXT	a.secure ( NS SOA MX SIG KEY LOC NXT )
-nxt02			NXT	. ( NSAP-PTR NXT )
-nxt03			NXT	. ( A )
-nxt04			NXT	. ( 127 )
+nsec01			NSEC	a.secure ( NS SOA MX RRSIG DNSKEY LOC NSEC )
+nsec02			NSEC	. ( NSAP-PTR NSEC )
+nsec03			NSEC	. ( A )
+nsec04			NSEC	. ( 127 )
 ptr01			PTR	example.
 px01			PX	65535 foo. bar.
 px02			PX	65535 . .
@@ -124,7 +117,7 @@ $ORIGIN s.example.
 ns			A	73.80.65.49
 $ORIGIN example.
 $TTL 3600	; 1 hour
-sig01			SIG	NXT 1 3 3600 20000102030405 (
+rrsig01			RRSIG	NSEC 1 3 3600 20000102030405 (
 				19961211100908 2143 foo
 				MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgi
 				WCn/GxHhai6VAuHAoNUz4YoU1tVfSCSqQYn6//11U6Nl
@@ -147,7 +140,7 @@ txt10			TXT	"foo bar"
 txt11			TXT	"\"foo\""
 txt12			TXT	"\"foo\""
 $TTL 300	; 5 minutes
-u			TXT	"txt-not-in-nxt"
+u			TXT	"txt-not-in-nsec"
 $ORIGIN u.example.
 a			A	73.80.65.49
 b			A	73.80.65.49
diff --git a/bin/tests/system/xferquota/ns2/named.conf b/bin/tests/system/xferquota/ns2/named.conf
index 45cd6d1e..26d7077f 100644
--- a/bin/tests/system/xferquota/ns2/named.conf
+++ b/bin/tests/system/xferquota/ns2/named.conf
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.17.2.2 2004/03/09 06:10:30 marka Exp $ */
+/* $Id: named.conf,v 1.17.206.2 2004/03/06 10:22:51 marka Exp $ */
 
 controls { /* empty */ };
 
diff --git a/bin/tests/system/xferquota/setup.pl b/bin/tests/system/xferquota/setup.pl
index 524478ef..7109508a 100644
--- a/bin/tests/system/xferquota/setup.pl
+++ b/bin/tests/system/xferquota/setup.pl
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: setup.pl,v 1.10.2.1 2004/03/09 06:10:28 marka Exp $
+# $Id: setup.pl,v 1.10.206.1 2004/03/06 10:22:49 marka Exp $
 
 #
 # Set up test data for zone transfer quota tests.
diff --git a/bin/tests/system/xferquota/setup.sh b/bin/tests/system/xferquota/setup.sh
index 9e574169..13d4e31a 100644
--- a/bin/tests/system/xferquota/setup.sh
+++ b/bin/tests/system/xferquota/setup.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: setup.sh,v 1.11.2.2 2004/03/10 01:05:06 marka Exp $
+# $Id: setup.sh,v 1.11.206.2 2004/03/10 01:05:57 marka Exp $
 
 #
 # Set up test data for zone transfer quota tests.
diff --git a/bin/tests/system/xferquota/tests.sh b/bin/tests/system/xferquota/tests.sh
index 2e6b4ed1..514cf6f7 100644
--- a/bin/tests/system/xferquota/tests.sh
+++ b/bin/tests/system/xferquota/tests.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: tests.sh,v 1.20.2.2 2004/03/10 01:05:06 marka Exp $
+# $Id: tests.sh,v 1.20.206.2 2004/03/10 01:05:57 marka Exp $
 
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
diff --git a/bin/tests/t_api.pl b/bin/tests/t_api.pl
index 09439601..e10d0bbc 100644
--- a/bin/tests/t_api.pl
+++ b/bin/tests/t_api.pl
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: t_api.pl,v 1.7.2.1 2004/03/09 06:09:35 marka Exp $
+# $Id: t_api.pl,v 1.7.206.1 2004/03/06 10:21:41 marka Exp $
 
 require "getopts.pl";
 
diff --git a/bin/tests/task_test.c b/bin/tests/task_test.c
index fe037d04..e2b67356 100644
--- a/bin/tests/task_test.c
+++ b/bin/tests/task_test.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: task_test.c,v 1.47.2.1 2004/03/09 06:09:35 marka Exp $ */
+/* $Id: task_test.c,v 1.47.12.3 2004/03/08 04:04:28 marka Exp $ */
 
 #include <config.h>
 
@@ -122,49 +122,49 @@ main(int argc, char *argv[]) {
 	 * program.
 	 */
 	event = isc_event_allocate(mctx, (void *)1, 1, my_callback, "1",
-				   sizeof *event);
+				   sizeof(*event));
 	isc_task_send(t1, &event);
 	event = isc_event_allocate(mctx, (void *)1, 1, my_callback, "1",
-				   sizeof *event);
+				   sizeof(*event));
 	isc_task_send(t1, &event);
 	event = isc_event_allocate(mctx, (void *)1, 1, my_callback, "1",
-				   sizeof *event);
+				   sizeof(*event));
 	isc_task_send(t1, &event);
 	event = isc_event_allocate(mctx, (void *)1, 1, my_callback, "1",
-				   sizeof *event);
+				   sizeof(*event));
 	isc_task_send(t1, &event);
 	event = isc_event_allocate(mctx, (void *)1, 1, my_callback, "1",
-				   sizeof *event);
+				   sizeof(*event));
 	isc_task_send(t1, &event);
 	event = isc_event_allocate(mctx, (void *)1, 1, my_callback, "1",
-				   sizeof *event);
+				   sizeof(*event));
 	isc_task_send(t1, &event);
 	event = isc_event_allocate(mctx, (void *)1, 1, my_callback, "1",
-				   sizeof *event);
+				   sizeof(*event));
 	isc_task_send(t1, &event);
 	event = isc_event_allocate(mctx, (void *)1, 1, my_callback, "1",
-				   sizeof *event);
+				   sizeof(*event));
 	isc_task_send(t1, &event);
 	event = isc_event_allocate(mctx, (void *)1, 1, my_callback, "1",
-				   sizeof *event);
+				   sizeof(*event));
 	isc_task_send(t1, &event);
 	event = isc_event_allocate(mctx, (void *)1, 1, my_callback, "2",
-				   sizeof *event);
+				   sizeof(*event));
 	isc_task_send(t2, &event);
 	event = isc_event_allocate(mctx, (void *)1, 1, my_callback, "3",
-				   sizeof *event);
+				   sizeof(*event));
 	isc_task_send(t3, &event);
 	event = isc_event_allocate(mctx, (void *)1, 1, my_callback, "4",
-				   sizeof *event);
+				   sizeof(*event));
 	isc_task_send(t4, &event);
 	event = isc_event_allocate(mctx, (void *)1, 1, my_callback, "2",
-				   sizeof *event);
+				   sizeof(*event));
 	isc_task_send(t2, &event);
 	event = isc_event_allocate(mctx, (void *)1, 1, my_callback, "3",
-				   sizeof *event);
+				   sizeof(*event));
 	isc_task_send(t3, &event);
 	event = isc_event_allocate(mctx, (void *)1, 1, my_callback, "4",
-				   sizeof *event);
+				   sizeof(*event));
 	isc_task_send(t4, &event);
 	isc_task_purgerange(t3,
 			    NULL,
diff --git a/bin/tests/tasks/Makefile.in b/bin/tests/tasks/Makefile.in
index baafff55..0fef8a27 100644
--- a/bin/tests/tasks/Makefile.in
+++ b/bin/tests/tasks/Makefile.in
@@ -1,5 +1,5 @@
 # Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2001  Internet Software Consortium.
+# Copyright (C) 1998-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -13,13 +13,13 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.23.2.3 2004/07/20 07:00:16 marka Exp $
+# $Id: Makefile.in,v 1.23.12.5 2004/03/08 09:04:20 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
 top_srcdir =	@top_srcdir@
 
-@BIND9_INCLUDES@
+@BIND9_MAKE_INCLUDES@
 
 CINCLUDES =	${TEST_INCLUDES} ${ISC_INCLUDES}
 
@@ -36,20 +36,20 @@ DEPLIBS =	${TAPIDEPLIBS} ${ISCDEPLIBS}
 
 LIBS =		${TAPILIBS} ${ISCLIBS} @LIBS@
 
-TARGETS =	t_tasks
+TARGETS =	t_tasks@EXEEXT@
 
 SRCS =		t_tasks.c
 
 @BIND9_MAKE_RULES@
 
-t_tasks: t_tasks.@O@ ${DEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ t_tasks.@O@ ${LIBS}
+t_tasks@EXEEXT@: t_tasks.@O@ ${DEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} -o $@ t_tasks.@O@ ${LIBS}
 
-test: t_tasks
-	-@./t_tasks -c @top_srcdir@/t_config -b @srcdir@ -a
+test: t_tasks@EXEEXT@
+	-@./t_tasks@EXEEXT@ -c @top_srcdir@/t_config -b @srcdir@ -a
 
 testhelp:
-	@./t_tasks -h
+	@./t_tasks@EXEEXT@ -h
 
 clean distclean::
 	rm -f ${TARGETS}
diff --git a/bin/tests/tasks/t_tasks.c b/bin/tests/tasks/t_tasks.c
index 1af9d306..00de5cee 100644
--- a/bin/tests/tasks/t_tasks.c
+++ b/bin/tests/tasks/t_tasks.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,15 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: t_tasks.c,v 1.29.2.8 2006/01/04 23:50:17 marka Exp $ */
+/* $Id: t_tasks.c,v 1.29.12.4 2004/03/08 09:04:20 marka Exp $ */
 
 #include <config.h>
 
 #include <stdlib.h>
 #include <unistd.h>
-#ifdef HAVE_INTTYPES_H
-#include <inttypes.h> 	/* uintptr_t */
-#endif
+
 #include <isc/condition.h>
 #include <isc/mem.h>
 #include <isc/platform.h>
@@ -34,19 +32,16 @@
 
 #include <tests/t_api.h>
 
-
 #ifdef ISC_PLATFORM_USETHREADS
 isc_boolean_t threaded = ISC_TRUE;
 #else
 isc_boolean_t threaded = ISC_FALSE;
 #endif
 
-static int senders[4];
-
 static void
 require_threads(void) {
 	t_info("This test requires threads\n");
-	t_result(T_THREADONLY);
+	t_result(T_UNTESTED);
 	return;
 }
 
@@ -221,7 +216,7 @@ t_tasks1(void) {
 	 * program.
 	 */
 	event = isc_event_allocate(mctx, (void *)1, 1, t1_callback, "1",
-				   sizeof *event);
+				   sizeof(*event));
 	if (event == NULL) {
 		t_info("isc_event_allocate failed\n");
 		return(T_UNRESOLVED);
@@ -230,7 +225,7 @@ t_tasks1(void) {
 	isc_task_send(task1, &event);
 
 	event = isc_event_allocate(mctx, (void *)1, 1, t1_callback, "1",
-				   sizeof *event);
+				   sizeof(*event));
 	if (event == NULL) {
 		t_info("isc_event_allocate failed\n");
 		return(T_UNRESOLVED);
@@ -239,7 +234,7 @@ t_tasks1(void) {
 	isc_task_send(task1, &event);
 
 	event = isc_event_allocate(mctx, (void *)1, 1, t1_callback, "1",
-				   sizeof *event);
+				   sizeof(*event));
 	if (event == NULL) {
 		t_info("isc_event_allocate failed\n");
 		return(T_UNRESOLVED);
@@ -248,7 +243,7 @@ t_tasks1(void) {
 	isc_task_send(task1, &event);
 
 	event = isc_event_allocate(mctx, (void *)1, 1, t1_callback, "1",
-				   sizeof *event);
+				   sizeof(*event));
 	if (event == NULL) {
 		t_info("isc_event_allocate failed\n");
 		return(T_UNRESOLVED);
@@ -257,7 +252,7 @@ t_tasks1(void) {
 	isc_task_send(task1, &event);
 
 	event = isc_event_allocate(mctx, (void *)1, 1, t1_callback, "1",
-				   sizeof *event);
+				   sizeof(*event));
 	if (event == NULL) {
 		t_info("isc_event_allocate failed\n");
 		return(T_UNRESOLVED);
@@ -266,7 +261,7 @@ t_tasks1(void) {
 	isc_task_send(task1, &event);
 
 	event = isc_event_allocate(mctx, (void *)1, 1, t1_callback, "1",
-				   sizeof *event);
+				   sizeof(*event));
 	if (event == NULL) {
 		t_info("isc_event_allocate failed\n");
 		return(T_UNRESOLVED);
@@ -275,7 +270,7 @@ t_tasks1(void) {
 	isc_task_send(task1, &event);
 
 	event = isc_event_allocate(mctx, (void *)1, 1, t1_callback, "1",
-				   sizeof *event);
+				   sizeof(*event));
 	if (event == NULL) {
 		t_info("isc_event_allocate failed\n");
 		return(T_UNRESOLVED);
@@ -284,7 +279,7 @@ t_tasks1(void) {
 	isc_task_send(task1, &event);
 
 	event = isc_event_allocate(mctx, (void *)1, 1, t1_callback, "1",
-				   sizeof *event);
+				   sizeof(*event));
 	if (event == NULL) {
 		t_info("isc_event_allocate failed\n");
 		return(T_UNRESOLVED);
@@ -293,7 +288,7 @@ t_tasks1(void) {
 	isc_task_send(task1, &event);
 
 	event = isc_event_allocate(mctx, (void *)1, 1, t1_callback, "1",
-				   sizeof *event);
+				   sizeof(*event));
 	if (event == NULL) {
 		t_info("isc_event_allocate failed\n");
 		return(T_UNRESOLVED);
@@ -302,7 +297,7 @@ t_tasks1(void) {
 	isc_task_send(task1, &event);
 
 	event = isc_event_allocate(mctx, (void *)1, 1, t1_callback, "2",
-				   sizeof *event);
+				   sizeof(*event));
 	if (event == NULL) {
 		t_info("isc_event_allocate failed\n");
 		return(T_UNRESOLVED);
@@ -311,7 +306,7 @@ t_tasks1(void) {
 	isc_task_send(task2, &event);
 
 	event = isc_event_allocate(mctx, (void *)1, 1, t1_callback, "3",
-				   sizeof *event);
+				   sizeof(*event));
 	if (event == NULL) {
 		t_info("isc_event_allocate failed\n");
 		return(T_UNRESOLVED);
@@ -320,7 +315,7 @@ t_tasks1(void) {
 	isc_task_send(task3, &event);
 
 	event = isc_event_allocate(mctx, (void *)1, 1, t1_callback, "4",
-				   sizeof *event);
+				   sizeof(*event));
 	if (event == NULL) {
 		t_info("isc_event_allocate failed\n");
 		return(T_UNRESOLVED);
@@ -329,7 +324,7 @@ t_tasks1(void) {
 	isc_task_send(task4, &event);
 
 	event = isc_event_allocate(mctx, (void *)1, 1, t1_callback, "2",
-				   sizeof *event);
+				   sizeof(*event));
 	if (event == NULL) {
 		t_info("isc_event_allocate failed\n");
 		return(T_UNRESOLVED);
@@ -338,7 +333,7 @@ t_tasks1(void) {
 	isc_task_send(task2, &event);
 
 	event = isc_event_allocate(mctx, (void *)1, 1, t1_callback, "3",
-				   sizeof *event);
+				   sizeof(*event));
 	if (event == NULL) {
 		t_info("isc_event_allocate failed\n");
 		return(T_UNRESOLVED);
@@ -347,7 +342,7 @@ t_tasks1(void) {
 	isc_task_send(task3, &event);
 
 	event = isc_event_allocate(mctx, (void *)1, 1, t1_callback, "4",
-				   sizeof *event);
+				   sizeof(*event));
 	if (event == NULL) {
 		t_info("isc_event_allocate failed\n");
 		return(T_UNRESOLVED);
@@ -355,7 +350,7 @@ t_tasks1(void) {
 
 	isc_task_send(task4, &event);
 
-	isc_task_purge(task3, NULL, 0, 0);
+	(void)isc_task_purge(task3, NULL, 0, 0);
 
 	isc_task_detach(&task1);
 	isc_task_detach(&task2);
@@ -445,7 +440,7 @@ t2_callback(isc_task_t *task, isc_event_t *event) {
 
 	if (event->ev_arg) {
 
-		event->ev_arg = (void *)(((uintptr_t) event->ev_arg) - 1);
+		event->ev_arg = (void *)(((int) event->ev_arg) - 1);
 
 		/*
 		 * Create a new task and forward the message.
@@ -478,7 +473,7 @@ t2_callback(isc_task_t *task, isc_event_t *event) {
 
 static int
 t_tasks2(void) {
-	uintptr_t		ntasks;
+	int			ntasks;
 	int			result;
 	char			*p;
 	isc_event_t		*event;
@@ -505,13 +500,12 @@ t_tasks2(void) {
 		ntasks = atoi(p);
 	else
 		ntasks = T2_NTASKS;
-	if (ntasks == 0U) {
-		t_info("Bad config value for ISC_TASKS_MIN, %lu\n",
-		       (unsigned long)ntasks);
+	if (ntasks == 0) {
+		t_info("Bad config value for ISC_TASKS_MIN, %d\n", ntasks);
 		return(T_UNRESOLVED);
 	}
 
-	t_info("Testing with %lu tasks\n", (unsigned long)ntasks);
+	t_info("Testing with %d tasks\n", ntasks);
 
 	isc_result = isc_mutex_init(&T2_mx);
 	if (isc_result != ISC_R_SUCCESS) {
@@ -538,7 +532,7 @@ t_tasks2(void) {
 	}
 
 	T2_event = isc_event_allocate(T2_mctx, (void *)1, 1, t2_callback,
-					(void *)ntasks, sizeof *event);
+					(void *)ntasks, sizeof(*event));
 	if (T2_event == NULL) {
 		t_info("isc_event_allocate failed\n");
 		return(T_UNRESOLVED);
@@ -671,6 +665,7 @@ t_tasks3(void) {
 	unsigned int	workers;
 	isc_event_t	*event;
 	isc_result_t	isc_result;
+	void		*sender;
 	isc_eventtype_t	event_type;
 
 	T3_flag = 0;
@@ -679,6 +674,7 @@ t_tasks3(void) {
 	T3_nfails = 0;
 	T3_nprobs = 0;
 
+	sender = (void *) 1;
 	event_type = 3;
 
 	workers = 2;
@@ -742,15 +738,15 @@ t_tasks3(void) {
 	/*
 	 * This event causes the task to wait on T3_cv.
 	 */
-	event = isc_event_allocate(mctx, &senders[1], event_type, t3_event1,
-				   NULL, sizeof(*event));
+	event = isc_event_allocate(mctx, sender, event_type, t3_event1, NULL,
+				   sizeof(*event));
 	isc_task_send(task, &event);
 
 	/*
 	 * Now we fill up the task's event queue with some events.
 	 */
 	for (cnt = 0; cnt < T3_NEVENTS; ++cnt) {
-		event = isc_event_allocate(mctx, &senders[1], event_type,
+		event = isc_event_allocate(mctx, sender, event_type,
 					   t3_event2, NULL, sizeof(*event));
 		isc_task_send(task, &event);
 	}
@@ -890,6 +886,7 @@ t_tasks4(void) {
 	isc_task_t	*task;
 	unsigned int	workers;
 	isc_result_t	isc_result;
+	void		*sender;
 	isc_eventtype_t	event_type;
 	isc_event_t	*event;
 
@@ -898,6 +895,7 @@ t_tasks4(void) {
 	T4_flag = 0;
 
 	result = T_UNRESOLVED;
+	sender = (void *)1;
 	event_type = 4;
 
 	workers = 2;
@@ -967,8 +965,8 @@ t_tasks4(void) {
 	/*
 	 * This event causes the task to wait on T4_cv.
 	 */
-	event = isc_event_allocate(mctx, &senders[1], event_type, t4_event1,
-				   NULL, sizeof(*event));
+	event = isc_event_allocate(mctx, sender, event_type, t4_event1, NULL,
+				   sizeof(*event));
 	isc_task_send(task, &event);
 
 	isc_task_shutdown(task);
@@ -1087,6 +1085,7 @@ t_tasks7(void) {
 	isc_task_t	*task;
 	unsigned int	workers;
 	isc_result_t	isc_result;
+	void		*sender;
 	isc_eventtype_t	event_type;
 	isc_event_t	*event;
 	isc_time_t	now;
@@ -1098,6 +1097,7 @@ t_tasks7(void) {
 	T7_eflag = 0;
 
 	result = T_UNRESOLVED;
+	sender = (void *)1;
 	event_type = 7;
 
 	workers = 2;
@@ -1176,8 +1176,8 @@ t_tasks7(void) {
 		return(T_UNRESOLVED);
 	}
 
-	event = isc_event_allocate(mctx, &senders[1], event_type, t7_event1,
-				   NULL, sizeof(*event));
+	event = isc_event_allocate(mctx, sender, event_type, t7_event1, NULL,
+				   sizeof(*event));
 	isc_task_send(task, &event);
 
 	isc_task_shutdown(task);
@@ -1324,7 +1324,7 @@ t10_event2(isc_task_t *task, isc_event_t *event) {
 		       "NP" : "P");
 	}
 
-	if ((T10_purge_sender == NULL) ||
+	if ((T10_purge_sender == 0) ||
 	    (T10_purge_sender == event->ev_sender)) {
 		sender_match = 1;
 	}
@@ -1394,7 +1394,7 @@ t10_sde(isc_task_t *task, isc_event_t *event) {
 }
 
 static void
-t_taskpurge_x(int sender, int type, int tag, void *purge_sender,
+t_taskpurge_x(int sender, int type, int tag, int purge_sender,
 	      int purge_type_first, int purge_type_last, void *purge_tag,
 	      int exp_nevents, int *nfails, int *nprobs, int testrange)
 {
@@ -1419,7 +1419,7 @@ t_taskpurge_x(int sender, int type, int tag, void *purge_sender,
 	T10_startflag = 0;
 	T10_shutdownflag = 0;
 	T10_eventcnt = 0;
-	T10_purge_sender = purge_sender;
+	T10_purge_sender = (void *) purge_sender;
 	T10_purge_type_first = (isc_eventtype_t) purge_type_first;
 	T10_purge_type_last = (isc_eventtype_t) purge_type_last;
 	T10_purge_tag = purge_tag;
@@ -1515,12 +1515,12 @@ t_taskpurge_x(int sender, int type, int tag, void *purge_sender,
 			for (tag_cnt = 0; tag_cnt < T10_TAGCNT; ++tag_cnt) {
 				eventtab[event_cnt] =
 					isc_event_allocate(mctx,
-					    &senders[sender + sender_cnt],
+					    (void *)(sender + sender_cnt),
 					    (isc_eventtype_t)(type + type_cnt),
 					    t10_event2, NULL, sizeof(*event));
 
 				eventtab[event_cnt]->ev_tag =
-					(void *)((uintptr_t)tag + tag_cnt);
+					(void *)((int)tag + tag_cnt);
 
 				/*
 				 * Make all odd message non-purgable.
@@ -1544,7 +1544,7 @@ t_taskpurge_x(int sender, int type, int tag, void *purge_sender,
 		/*
 		 * We're testing isc_task_purge.
 		 */
-		nevents = isc_task_purge(task, purge_sender,
+		nevents = isc_task_purge(task, (void *)purge_sender,
 					(isc_eventtype_t)purge_type_first,
 					purge_tag);
 		if (nevents != exp_nevents) {
@@ -1557,7 +1557,7 @@ t_taskpurge_x(int sender, int type, int tag, void *purge_sender,
 		/*
 		 * We're testing isc_task_purgerange.
 		 */
-		nevents = isc_task_purgerange(task, purge_sender,
+		nevents = isc_task_purgerange(task, (void *)purge_sender,
 					     (isc_eventtype_t)purge_type_first,
 					     (isc_eventtype_t)purge_type_last,
 					     purge_tag);
@@ -1663,36 +1663,34 @@ t_tasks10(void) {
 	 * Try purging on a specific sender.
 	 */
 	t_info("testing purge on 2,4,8 expecting 1\n");
-	t_taskpurge_x(1, 4, 7, &senders[2], 4, 4, (void *)8, 1, &T10_nfails,
+	t_taskpurge_x(1, 4, 7, 2, 4, 4, (void *)8, 1, &T10_nfails,
 		      &T10_nprobs, 0);
 
 	/*
 	 * Try purging on all senders.
 	 */
 	t_info("testing purge on 0,4,8 expecting 3\n");
-	t_taskpurge_x(1, 4, 7, NULL, 4, 4, (void *)8, 3, &T10_nfails,
+	t_taskpurge_x(1, 4, 7, 0, 4, 4, (void *)8, 3, &T10_nfails,
 		      &T10_nprobs, 0);
 
 	/*
 	 * Try purging on all senders, specified type, all tags.
 	 */
 	t_info("testing purge on 0,4,0 expecting 15\n");
-	t_taskpurge_x(1, 4, 7, NULL, 4, 4, NULL, 15, &T10_nfails,
-		      &T10_nprobs, 0);
+	t_taskpurge_x(1, 4, 7, 0, 4, 4, NULL, 15, &T10_nfails, &T10_nprobs, 0);
 
 	/*
 	 * Try purging on a specified tag, no such type.
 	 */
 	t_info("testing purge on 0,99,8 expecting 0\n");
-	t_taskpurge_x(1, 4, 7, NULL, 99, 99, (void *)8, 0, &T10_nfails,
+	t_taskpurge_x(1, 4, 7, 0, 99, 99, (void *)8, 0, &T10_nfails,
 		      &T10_nprobs, 0);
 
 	/*
 	 * Try purging on specified sender, type, all tags.
 	 */
 	t_info("testing purge on 0,5,0 expecting 5\n");
-	t_taskpurge_x(1, 4, 7, &senders[3], 5, 5, NULL, 5, &T10_nfails,
-		      &T10_nprobs, 0);
+	t_taskpurge_x( 1, 4, 7, 3, 5, 5, NULL, 5, &T10_nfails, &T10_nprobs, 0);
 
 	result = T_UNRESOLVED;
 
@@ -2044,69 +2042,68 @@ t_tasks13(void) {
 	 * Try purging on a specific sender.
 	 */
 	t_info("testing purge on 2,4,8 expecting 1\n");
-	t_taskpurge_x(1, 4, 7, &senders[2], 4, 4, (void *)8, 1,
+	t_taskpurge_x(1, 4, 7, 2, 4, 4, (void *)8, 1,
 		      &T13_nfails, &T13_nprobs, 1);
 
 	/*
 	 * Try purging on all senders.
 	 */
 	t_info("testing purge on 0,4,8 expecting 3\n");
-	t_taskpurge_x(1, 4, 7, NULL, 4, 4, (void *)8, 3,
+	t_taskpurge_x(1, 4, 7, 0, 4, 4, (void *)8, 3,
 		      &T13_nfails, &T13_nprobs, 1);
 
 	/*
 	 * Try purging on all senders, specified type, all tags.
 	 */
 	t_info("testing purge on 0,4,0 expecting 15\n");
-	t_taskpurge_x(1, 4, 7, NULL, 4, 4, NULL, 15, &T13_nfails, &T13_nprobs, 1);
+	t_taskpurge_x(1, 4, 7, 0, 4, 4, NULL, 15, &T13_nfails, &T13_nprobs, 1);
 
 	/*
 	 * Try purging on a specified tag, no such type.
 	 */
 	t_info("testing purge on 0,99,8 expecting 0\n");
-	t_taskpurge_x(1, 4, 7, NULL, 99, 99, (void *)8, 0,
+	t_taskpurge_x(1, 4, 7, 0, 99, 99, (void *)8, 0,
 		      &T13_nfails, &T13_nprobs, 1);
 
 	/*
 	 * Try purging on specified sender, type, all tags.
 	 */
 	t_info("testing purge on 3,5,0 expecting 5\n");
-	t_taskpurge_x(1, 4, 7, &senders[3], 5, 5, 0, 5, &T13_nfails, &T13_nprobs, 1);
+	t_taskpurge_x(1, 4, 7, 3, 5, 5, 0, 5, &T13_nfails, &T13_nprobs, 1);
 
 	/*
 	 * Now let's try some ranges.
 	 */
 
 	t_info("testing purgerange on 2,4-5,8 expecting 2\n");
-	t_taskpurge_x(1, 4, 7, &senders[2], 4, 5, (void *)8, 1,
+	t_taskpurge_x(1, 4, 7, 2, 4, 5, (void *)8, 1,
 		      &T13_nfails, &T13_nprobs, 1);
 
 	/*
 	 * Try purging on all senders.
 	 */
 	t_info("testing purge on 0,4-5,8 expecting 5\n");
-	t_taskpurge_x(1, 4, 7, NULL, 4, 5, (void *)8, 5,
+	t_taskpurge_x(1, 4, 7, 0, 4, 5, (void *)8, 5,
 		      &T13_nfails, &T13_nprobs, 1);
 
 	/*
 	 * Try purging on all senders, specified type, all tags.
 	 */
 	t_info("testing purge on 0,5-6,0 expecting 28\n");
-	t_taskpurge_x(1, 4, 7, NULL, 5, 6, NULL, 28, &T13_nfails, &T13_nprobs, 1);
+	t_taskpurge_x(1, 4, 7, 0, 5, 6, NULL, 28, &T13_nfails, &T13_nprobs, 1);
 
 	/*
 	 * Try purging on a specified tag, no such type.
 	 */
 	t_info("testing purge on 0,99-101,8 expecting 0\n");
-	t_taskpurge_x(1, 4, 7, NULL, 99, 101, (void *)8, 0,
+	t_taskpurge_x(1, 4, 7, 0, 99, 101, (void *)8, 0,
 		      &T13_nfails, &T13_nprobs, 1);
 
 	/*
 	 * Try purging on specified sender, type, all tags.
 	 */
 	t_info("testing purge on 3,5-6,0 expecting 10\n");
-	t_taskpurge_x(1, 4, 7, &senders[3], 5, 6, NULL, 10, &T13_nfails,
-		      &T13_nprobs, 1);
+	t_taskpurge_x(1, 4, 7, 3, 5, 6, NULL, 10, &T13_nfails, &T13_nprobs, 1);
 
 	result = T_UNRESOLVED;
 
@@ -2131,7 +2128,6 @@ t13(void) {
 #define T14_NTASKS 10
 #define T14_EXCLTASK 6
 
-int t14_exclusiveerror = ISC_R_SUCCESS;
 int t14_error = 0;
 int t14_done = 0;
 
@@ -2141,18 +2137,13 @@ int t14_active[T14_NTASKS];
 
 static void
 t14_callback(isc_task_t *task, isc_event_t *event) {
-	int taskno = *(int *)(event->ev_arg);
-
+	int taskno = (int) event->ev_arg;
 
 	t_info("task enter %d\n", taskno);	
 	if (taskno == T14_EXCLTASK) {
 		int	i;
-		t14_exclusiveerror = isc_task_beginexclusive(task);
-		if (t14_exclusiveerror == ISC_R_SUCCESS)
-			t_info("task %d got exclusive access\n", taskno);
-		else
-			t_info("task %d failed to got exclusive access: %d\n",
-				taskno, t14_exclusiveerror);
+		isc_task_beginexclusive(task);
+		t_info("task %d got exclusive access\n", taskno);			
 		for (i = 0; i < T14_NTASKS; i++) {
    		        t_info("task %d state %d\n", i , t14_active[i]);
 			if (t14_active[i])
@@ -2167,7 +2158,6 @@ t14_callback(isc_task_t *task, isc_event_t *event) {
 	}
 	t_info("task exit %d\n", taskno);
 	if (t14_done) {
-		isc_mem_put(event->ev_destroy_arg, event->ev_arg, sizeof (int));
 		isc_event_free(&event);
 	} else {
 		isc_task_send(task, &event);
@@ -2224,7 +2214,6 @@ t_tasks14(void) {
 
 	for (i = 0; i < T14_NTASKS; i++) {
 		isc_event_t *event;
-		int *v;
 
 		isc_result = isc_task_create(manager, 0, &tasks[i]);
 		if (isc_result != ISC_R_SUCCESS) {
@@ -2232,18 +2221,9 @@ t_tasks14(void) {
 			return(T_FAIL);
 		}
 
-		v = isc_mem_get(mctx, sizeof *v);
-		if (v == NULL) {
-			isc_task_detach(&tasks[i]);
-			t_info("isc_mem_get failed\n");
-			return(T_FAIL);
-		}
-		*v = i;
-
 		event = isc_event_allocate(mctx, NULL, 1, t14_callback,
-					   v, sizeof *event);
+					   (void *)i, sizeof(*event));
 		if (event == NULL) {
-			isc_mem_put(mctx, v, sizeof *v);
 			t_info("isc_event_allocate failed\n");
 			return(T_UNRESOLVED);
 		}
@@ -2256,11 +2236,8 @@ t_tasks14(void) {
 
 	isc_taskmgr_destroy(&manager);
 
-	if (t14_exclusiveerror != ISC_R_SUCCESS || t14_error) {
-		if (t14_exclusiveerror != ISC_R_SUCCESS)
-			t_info("isc_task_beginexclusive() failed\n");
-		if (t14_error)
-			t_info("mutual access occurred\n");
+	if (t14_error) {
+		t_info("mutual access occurred\n");
 		return(T_FAIL);
 	}
 
diff --git a/bin/tests/timer_test.c b/bin/tests/timer_test.c
index 5a24966b..0df9ebac 100644
--- a/bin/tests/timer_test.c
+++ b/bin/tests/timer_test.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: timer_test.c,v 1.36.2.1 2004/03/09 06:09:35 marka Exp $ */
+/* $Id: timer_test.c,v 1.36.12.3 2004/03/08 04:04:28 marka Exp $ */
 
 #include <config.h>
 
@@ -130,7 +130,7 @@ main(int argc, char *argv[]) {
 	printf("task 2: %p\n", t2);
 	printf("task 3: %p\n", t3);
 
-	(void)isc_time_now(&now);
+	TIME_NOW(&now);
 
 	isc_interval_set(&interval, 2, 0);
 	RUNTIME_CHECK(isc_timer_create(timgr, isc_timertype_once, NULL,
diff --git a/bin/tests/timers/Makefile.in b/bin/tests/timers/Makefile.in
index a2b8f4e1..53b3f701 100644
--- a/bin/tests/timers/Makefile.in
+++ b/bin/tests/timers/Makefile.in
@@ -1,5 +1,5 @@
 # Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1999-2001  Internet Software Consortium.
+# Copyright (C) 1999-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -13,13 +13,13 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.21.2.3 2004/07/20 07:00:17 marka Exp $
+# $Id: Makefile.in,v 1.21.12.5 2004/03/08 09:04:20 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
 top_srcdir =	@top_srcdir@
 
-@BIND9_INCLUDES@
+@BIND9_MAKE_INCLUDES@
 
 CINCLUDES =	${TEST_INCLUDES} ${ISC_INCLUDES}
 
@@ -36,20 +36,20 @@ LIBS =		${ISCLIBS} @LIBS@
 
 TLIB =		../../../lib/tests/libt_api.@A@
 
-TARGETS =	t_timers
+TARGETS =	t_timers@EXEEXT@
 
 SRCS =		t_timers.c
 
 @BIND9_MAKE_RULES@
 
-t_timers: t_timers.@O@ ${DEPLIBS} ${TLIB}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ t_timers.@O@ ${TLIB} ${LIBS}
+t_timers@EXEEXT@: t_timers.@O@ ${DEPLIBS} ${TLIB}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} -o $@ t_timers.@O@ ${TLIB} ${LIBS}
 
-test: t_timers
-	-@./t_timers -c @top_srcdir@/t_config -b @srcdir@ -q 60 -a
+test: t_timers@EXEEXT@
+	-@./t_timers@EXEEXT@ -c @top_srcdir@/t_config -b @srcdir@ -q 60 -a
 
 testhelp:
-	@./t_timers -h
+	@./t_timers@EXEEXT@ -h
 
 clean distclean::
 	rm -f ${TARGETS}
diff --git a/bin/tests/timers/t_timers.c b/bin/tests/timers/t_timers.c
index 4ab7f976..85b83be5 100644
--- a/bin/tests/timers/t_timers.c
+++ b/bin/tests/timers/t_timers.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: t_timers.c,v 1.22.2.2 2004/06/21 07:08:36 marka Exp $ */
+/* $Id: t_timers.c,v 1.22.206.1 2004/03/06 10:22:52 marka Exp $ */
 
 #include <config.h>
 
@@ -55,7 +55,7 @@ static	int		Tx_nanoseconds;
 static void
 require_threads(void) {
 	t_info("This test requires threads\n");
-	t_result(T_THREADONLY);
+	t_result(T_UNTESTED);
 	return;
 }
 
diff --git a/bin/tests/wire_test.c b/bin/tests/wire_test.c
index 9742db8b..82a44f1b 100644
--- a/bin/tests/wire_test.c
+++ b/bin/tests/wire_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: wire_test.c,v 1.60.2.4 2005/03/20 23:42:26 marka Exp $ */
+/* $Id: wire_test.c,v 1.60.12.5 2004/03/08 04:04:28 marka Exp $ */
 
 #include <config.h>
 
@@ -31,6 +31,14 @@
 
 #include "printmsg.h"
 
+int parseflags = 0;
+isc_mem_t *mctx;
+isc_boolean_t printmemstats = ISC_FALSE;
+isc_boolean_t dorender = ISC_FALSE;
+
+static void
+process_message(isc_buffer_t *source);
+
 static inline void
 CHECKRESULT(isc_result_t result, const char *msg) {
 	if (result != ISC_R_SUCCESS) {
@@ -75,13 +83,6 @@ main(int argc, char *argv[]) {
 	isc_boolean_t need_close = ISC_FALSE;
 	unsigned char b[64 * 1024];
 	char s[4000];
-	dns_message_t *message;
-	isc_result_t result;
-	dns_compress_t cctx;
-	isc_mem_t *mctx;
-	int parseflags = 0;
-	isc_boolean_t printmemstats = ISC_FALSE;
-	isc_boolean_t dorender = ISC_FALSE;
 	isc_boolean_t tcp = ISC_FALSE;
 	int ch;
 
@@ -125,7 +126,7 @@ main(int argc, char *argv[]) {
 		f = stdin;
 
 	bp = b;
-	while (fgets(s, sizeof s, f) != NULL) {
+	while (fgets(s, sizeof(s), f) != NULL) {
 		rp = s;
 		wp = s;
 		len = 0;
@@ -139,13 +140,13 @@ main(int argc, char *argv[]) {
 			}
 			rp++;
 		}
-		if (len == 0U)
+		if (len == 0)
 			break;
-		if (len % 2 != 0U) {
-			printf("bad input format: %lu\n", (unsigned long)len);
+		if (len % 2 != 0) {
+			printf("bad input format: %d\n", len);
 			exit(1);
 		}
-		if (len > (sizeof b) * 2) {
+		if (len > sizeof(b) * 2) {
 			printf("input too long\n");
 			exit(2);
 		}
@@ -162,18 +163,49 @@ main(int argc, char *argv[]) {
 		fclose(f);
 
 	if (tcp) {
-		isc_buffer_init(&source, b + 2, sizeof(b) - 2);
-		isc_buffer_add(&source, bp - b - 2);
+		unsigned char *p = b;
+		while (p < bp) {
+			unsigned int len;
+			
+			if (p + 2 > bp) {
+				printf("premature end of packet\n");
+				exit(1);
+			}
+			len = p[0] << 8 | p[1];
+
+			if (p + 2 + len > bp) {
+				printf("premature end of packet\n");
+				exit(1);
+			}
+			isc_buffer_init(&source, p + 2, len);
+			isc_buffer_add(&source, len);
+			process_message(&source);
+			p += 2 + len;
+		}
 	} else {
 		isc_buffer_init(&source, b, sizeof(b));
 		isc_buffer_add(&source, bp - b);
+		process_message(&source);
 	}
 
+	if (printmemstats)
+		isc_mem_stats(mctx, stdout);
+	isc_mem_destroy(&mctx);
+
+	return (0);
+}
+
+static void
+process_message(isc_buffer_t *source) {
+	dns_message_t *message;
+	isc_result_t result;
+	int i;
+
 	message = NULL;
 	result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &message);
 	CHECKRESULT(result, "dns_message_create failed");
 
-	result = dns_message_parse(message, &source, parseflags);
+	result = dns_message_parse(message, source, parseflags);
 	if (result == DNS_R_RECOVERABLE)
 		result = ISC_R_SUCCESS;
 	CHECKRESULT(result, "dns_message_parse failed");
@@ -185,22 +217,26 @@ main(int argc, char *argv[]) {
 		isc_mem_stats(mctx, stdout);
 
 	if (dorender) {
+		unsigned char b2[64 * 1024];
+		isc_buffer_t buffer;
+		dns_compress_t cctx;
+
+		isc_buffer_init(&buffer, b2, sizeof(b2));
+
 		/*
 		 * XXXMLG
 		 * Changing this here is a hack, and should not be done in
 		 * reasonable application code, ever.
 	 	*/
 		message->from_to_wire = DNS_MESSAGE_INTENTRENDER;
-		memset(b, 0, sizeof(b));
-		isc_buffer_clear(&source);
 
-		for (n = 0 ; n < DNS_SECTION_MAX ; n++)
-			message->counts[n] = 0;  /* Another hack XXX */
+ 		for (i = 0; i < DNS_SECTION_MAX; i++)
+			message->counts[i] = 0;  /* Another hack XXX */
 
 		result = dns_compress_init(&cctx, -1, mctx);
 		CHECKRESULT(result, "dns_compress_init() failed");
 
-		result = dns_message_renderbegin(message, &cctx, &source);
+		result = dns_message_renderbegin(message, &cctx, &buffer);
 		CHECKRESULT(result, "dns_message_renderbegin() failed");
 
 		result = dns_message_rendersection(message,
@@ -238,18 +274,11 @@ main(int argc, char *argv[]) {
 					    &message);
 		CHECKRESULT(result, "dns_message_create failed");
 
-		result = dns_message_parse(message, &source, parseflags);
+		result = dns_message_parse(message, &buffer, parseflags);
 		CHECKRESULT(result, "dns_message_parse failed");
 
 		result = printmessage(message);
 		CHECKRESULT(result, "printmessage() failed");
 	}
-
 	dns_message_destroy(&message);
-
-	if (printmemstats)
-		isc_mem_stats(mctx, stdout);
-	isc_mem_destroy(&mctx);
-
-	return (0);
 }
diff --git a/bin/tests/zone_test.c b/bin/tests/zone_test.c
index ae0fdad5..f439cef9 100644
--- a/bin/tests/zone_test.c
+++ b/bin/tests/zone_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone_test.c,v 1.26.2.5 2005/03/17 03:59:31 marka Exp $ */
+/* $Id: zone_test.c,v 1.26.2.2.8.3 2004/03/08 04:04:28 marka Exp $ */
 
 #include <config.h>
 
@@ -120,7 +120,7 @@ setup(const char *zonename, const char *filename, const char *classname) {
 	region.base = classname;
 	region.length = strlen(classname);
 	result = dns_rdataclass_fromtext(&rdclass,
-					 (isc_textregion_t *)(void*)&region);
+					 (isc_textregion_t *)&region);
 	ERRRET(result, "dns_rdataclass_fromtext");
 
 	dns_zone_setclass(zone, rdclass);
@@ -184,7 +184,7 @@ query(void) {
 		FD_ZERO(&rfdset);
 		FD_SET(0, &rfdset);
 		select(1, &rfdset, NULL, NULL, NULL);
-		if (fgets(buf, sizeof buf, stdin) == NULL) {
+		if (fgets(buf, sizeof(buf), stdin) == NULL) {
 			fprintf(stdout, "\n");
 			break;
 		}
@@ -200,7 +200,7 @@ query(void) {
 			dns_zone_dumptostream(zone, stdout);
 			continue;
 		}
-		if (strlen(buf) == 0U)
+		if (strlen(buf) == 0)
 			continue;
 		dns_fixedname_init(&name);
 		isc_buffer_init(&buffer, buf, strlen(buf));
@@ -259,7 +259,7 @@ main(int argc, char **argv) {
 			filename = isc_commandline_argument;
 			break;
 		case 'm':
-			memset(&addr, 0, sizeof addr);
+			memset(&addr, 0, sizeof(addr));
 			addr.type.sin.sin_family = AF_INET;
 			inet_pton(AF_INET, isc_commandline_argument,
 				  &addr.type.sin.sin_addr);
diff --git a/bin/win32/BINDInstall/AccountInfo.cpp b/bin/win32/BINDInstall/AccountInfo.cpp
new file mode 100644
index 00000000..88a99a46
--- /dev/null
+++ b/bin/win32/BINDInstall/AccountInfo.cpp
@@ -0,0 +1,438 @@
+/*
+ * Portions Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2001, 2002  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: AccountInfo.cpp,v 1.5.224.3 2004/03/08 09:04:21 marka Exp $ */
+
+#ifndef UNICODE
+#define UNICODE
+#endif /* UNICODE */
+
+#include "stdafx.h"
+
+#include <windows.h>
+#include <lm.h>
+#include <ntsecapi.h>
+
+#include <isc/ntgroups.h>
+#include <isc/result.h>
+#include "AccountInfo.h"
+
+#define MAX_NAME_LENGTH 256
+
+NTSTATUS
+OpenPolicy(
+    LPWSTR ServerName,		/* machine to open policy on (Unicode) */
+    DWORD DesiredAccess,	/* desired access to policy */
+    PLSA_HANDLE PolicyHandle	/* resultant policy handle */
+    );
+
+BOOL
+GetAccountSid(
+    LPTSTR SystemName,		/* where to lookup account */
+    LPTSTR AccountName,		/* account of interest */
+    PSID *Sid			/* resultant buffer containing SID */
+    );
+
+NTSTATUS
+SetPrivilegeOnAccount(
+    LSA_HANDLE PolicyHandle,	/* open policy handle */
+    PSID AccountSid,		/* SID to grant privilege to */
+    LPWSTR PrivilegeName,	/* privilege to grant (Unicode) */
+    BOOL bEnable		/* enable or disable */
+    );
+
+NTSTATUS
+GetPrivilegesOnAccount(
+    LSA_HANDLE PolicyHandle,	/* open policy handle */
+    PSID AccountSid,		/* SID to grant privilege to */
+    wchar_t **PrivList,		/* Ptr to List of Privileges found */
+    unsigned int *PrivCount	/* total number of Privileges in list */
+    );
+
+NTSTATUS
+AddPrivilegeToAcccount(
+    LPTSTR AccountName,		/* Name of the account */
+    LPWSTR PrivilegeName	/* Privilege to Add */
+    );
+
+void
+InitLsaString(
+    PLSA_UNICODE_STRING LsaString,	/* destination */
+    LPWSTR String			/* source (Unicode) */
+    );
+
+void
+DisplayNtStatus(
+    LPSTR szAPI,		/* pointer to function name (ANSI) */
+    NTSTATUS Status		/* NTSTATUS error value */
+    );
+
+void
+DisplayWinError(
+    LPSTR szAPI,		/* pointer to function name (ANSI) */
+    DWORD WinError		/* DWORD WinError */
+    );
+
+#ifndef STATUS_SUCCESS
+#define STATUS_SUCCESS  ((NTSTATUS)0x00000000L)
+#endif
+
+/*
+ * Note that this code only retrieves the list of privileges of the
+ * requested account or group. However, all accounts belong to the
+ * Everyone group even though that group is not returned by the
+ * calls to get the groups to which that account belongs.
+ * The Everyone group has two privileges associated with it:
+ * SeChangeNotifyPrivilege and SeNetworkLogonRight
+ * It is not advisable to disable or remove these privileges
+ * from the group nor can the account be removed from the Everyone
+ * group
+ * The None group has no privileges associated with it and is the group
+ * to which an account belongs if it is associated with no group.
+ */
+
+int
+GetAccountPrivileges(char *name, wchar_t **PrivList, unsigned int *PrivCount,
+		     char **Accounts, unsigned int *totalAccounts,
+		     int maxAccounts) 
+{
+	LSA_HANDLE PolicyHandle;
+	TCHAR AccountName[256];		/* static account name buffer */
+	PSID pSid;
+	unsigned int i;
+	NTSTATUS Status;
+	isc_result_t istatus;
+	int iRetVal = RTN_ERROR;	/* assume error from main */
+
+	/*
+	 * Open the policy on the target machine.
+	 */
+	if ((Status = OpenPolicy(NULL,
+				 POLICY_LOOKUP_NAMES,
+				 &PolicyHandle)) != STATUS_SUCCESS)
+		return (RTN_ERROR);
+
+	/*
+	 * Let's see if the account exists. Return if not
+	 */
+	wsprintf(AccountName, TEXT("%hS"), name);
+	if (!GetAccountSid(NULL, AccountName, &pSid))
+		return (RTN_NOACCOUNT);
+	/*
+	 * Find out what groups the account belongs to
+	 */
+	istatus = isc_ntsecurity_getaccountgroups(name, Accounts, maxAccounts,
+						  totalAccounts);
+	if (istatus == ISC_R_NOMEMORY)
+		return (RTN_NOMEMORY);
+	else if (istatus != ISC_R_SUCCESS)
+		return (RTN_ERROR);
+
+	Accounts[*totalAccounts] = name; /* Add the account to the list */
+	(*totalAccounts)++;
+
+	/*
+	 * Loop through each Account to get the list of privileges
+	 */
+	for (i = 0; i < *totalAccounts; i++) {
+		wsprintf(AccountName, TEXT("%hS"), Accounts[i]);
+		 /* Obtain the SID of the user/group. */
+		if (!GetAccountSid(NULL, AccountName, &pSid))
+			continue;	/* Try the next one */
+		/* Get the Privileges allocated to this SID */ 
+	        if ((Status = GetPrivilegesOnAccount(PolicyHandle, pSid,
+			PrivList, PrivCount)) == STATUS_SUCCESS)
+		{
+			iRetVal=RTN_OK;
+			if (pSid != NULL)
+				HeapFree(GetProcessHeap(), 0, pSid);
+		} else {
+			if (pSid != NULL)
+				HeapFree(GetProcessHeap(), 0, pSid);
+			continue;	/* Try the next one */
+		}
+	}
+	/*
+	 * Close the policy handle.
+	 */
+	LsaClose(PolicyHandle);
+
+	(*totalAccounts)--;	/* Correct for the number of groups */
+	return iRetVal;
+}
+
+BOOL
+CreateServiceAccount(char *name, char *password) {
+	NTSTATUS retstat;
+	USER_INFO_1 ui;
+	DWORD dwLevel = 1;
+	DWORD dwError = 0;
+	NET_API_STATUS nStatus;
+
+	unsigned int namelen = strlen(name);
+	unsigned int passwdlen = strlen(password);
+	wchar_t AccountName[MAX_NAME_LENGTH];
+	wchar_t AccountPassword[MAX_NAME_LENGTH];
+
+	mbstowcs(AccountName, name, namelen + 1);
+	mbstowcs(AccountPassword, password, passwdlen + 1);
+
+	/*
+	 * Set up the USER_INFO_1 structure.
+	 * USER_PRIV_USER: name is required here when creating an account 
+	 * rather than an administrator or a guest.
+	 */
+
+	ui.usri1_name = (LPWSTR) &AccountName;
+	ui.usri1_password = (LPWSTR) &AccountPassword;
+	ui.usri1_priv = USER_PRIV_USER;
+	ui.usri1_home_dir = NULL;
+	ui.usri1_comment = L"ISC BIND Service Account";
+	ui.usri1_flags = UF_PASSWD_CANT_CHANGE | UF_DONT_EXPIRE_PASSWD |
+			 UF_SCRIPT;
+	ui.usri1_script_path = NULL;
+	/*
+	 * Call the NetUserAdd function, specifying level 1.
+	 */
+	nStatus = NetUserAdd(NULL, dwLevel, (LPBYTE)&ui, &dwError);
+
+	if (nStatus != NERR_Success)
+		return (FALSE);
+
+	retstat = AddPrivilegeToAcccount(name, SE_SERVICE_LOGON_PRIV);
+	return (TRUE);
+}
+
+NTSTATUS
+AddPrivilegeToAcccount(LPTSTR name, LPWSTR PrivilegeName) {
+	LSA_HANDLE PolicyHandle;
+	TCHAR AccountName[256];		/* static account name buffer */
+	PSID pSid;
+	NTSTATUS Status;
+	unsigned long err;
+
+	/*
+	 * Open the policy on the target machine.
+	 */
+	if ((Status = OpenPolicy(NULL, POLICY_ALL_ACCESS, &PolicyHandle))
+		!= STATUS_SUCCESS)
+		return (RTN_ERROR);
+
+	/*
+	 * Let's see if the account exists. Return if not
+	 */
+	wsprintf(AccountName, TEXT("%hS"), name);
+	if (!GetAccountSid(NULL, AccountName, &pSid))
+		return (RTN_NOACCOUNT);
+
+        err = LsaNtStatusToWinError(SetPrivilegeOnAccount(PolicyHandle,
+		pSid, PrivilegeName, TRUE));
+
+	LsaClose(PolicyHandle);
+	if (err == ERROR_SUCCESS)
+		return (RTN_OK);
+	else
+		return (err);
+}
+
+void
+InitLsaString(PLSA_UNICODE_STRING LsaString, LPWSTR String){
+	DWORD StringLength;
+
+	if (String == NULL) {
+		LsaString->Buffer = NULL;
+		LsaString->Length = 0;
+		LsaString->MaximumLength = 0;
+		return;
+	}
+
+	StringLength = wcslen(String);
+	LsaString->Buffer = String;
+	LsaString->Length = (USHORT) StringLength * sizeof(WCHAR);
+	LsaString->MaximumLength = (USHORT)(StringLength+1) * sizeof(WCHAR);
+}
+
+NTSTATUS
+OpenPolicy(LPWSTR ServerName, DWORD DesiredAccess, PLSA_HANDLE PolicyHandle){
+	LSA_OBJECT_ATTRIBUTES ObjectAttributes;
+	LSA_UNICODE_STRING ServerString;
+	PLSA_UNICODE_STRING Server = NULL;
+
+	/*
+	 * Always initialize the object attributes to all zeroes.
+	 */
+	ZeroMemory(&ObjectAttributes, sizeof(ObjectAttributes));
+
+	if (ServerName != NULL) {
+		/*
+		 * Make a LSA_UNICODE_STRING out of the LPWSTR passed in
+		 */
+		InitLsaString(&ServerString, ServerName);
+		Server = &ServerString;
+	}
+
+	/*
+	 * Attempt to open the policy.
+	 */
+	return (LsaOpenPolicy(Server, &ObjectAttributes, DesiredAccess,
+		PolicyHandle));
+}
+
+BOOL
+GetAccountSid(LPTSTR SystemName, LPTSTR AccountName, PSID *Sid) {
+	LPTSTR ReferencedDomain = NULL;
+	DWORD cbSid = 128;    /* initial allocation attempt */
+	DWORD cbReferencedDomain = 16; /* initial allocation size */
+	SID_NAME_USE peUse;
+	BOOL bSuccess = FALSE; /* assume this function will fail */
+
+	__try {
+		/*
+		 * initial memory allocations
+		 */
+		if ((*Sid = HeapAlloc(GetProcessHeap(), 0, cbSid)) == NULL)
+			__leave;
+
+		if ((ReferencedDomain = (LPTSTR) HeapAlloc(GetProcessHeap(), 0,
+				       cbReferencedDomain)) == NULL) __leave;
+
+		/*
+		 * Obtain the SID of the specified account on the specified system.
+		 */
+		while (!LookupAccountName(SystemName, AccountName, *Sid, &cbSid,
+					  ReferencedDomain, &cbReferencedDomain,
+					  &peUse))
+		{
+			if (GetLastError() == ERROR_INSUFFICIENT_BUFFER) {
+				/* reallocate memory */
+				if ((*Sid = HeapReAlloc(GetProcessHeap(), 0,
+					*Sid, cbSid)) == NULL) __leave;
+
+				if ((ReferencedDomain= (LPTSTR) HeapReAlloc(
+					GetProcessHeap(), 0, ReferencedDomain,
+					cbReferencedDomain)) == NULL)
+				__leave;
+			}
+			else 
+				__leave;
+		}
+		bSuccess = TRUE;
+	} /* finally */
+	__finally {
+
+		/* Cleanup and indicate failure, if appropriate. */
+
+		HeapFree(GetProcessHeap(), 0, ReferencedDomain);
+
+		if (!bSuccess) {
+			if (*Sid != NULL) {
+				HeapFree(GetProcessHeap(), 0, *Sid);
+				*Sid = NULL;
+			}
+		}
+
+	}
+
+	return (bSuccess);
+}
+
+NTSTATUS
+SetPrivilegeOnAccount(LSA_HANDLE PolicyHandle, PSID AccountSid,
+		      LPWSTR PrivilegeName, BOOL bEnable)
+{
+	LSA_UNICODE_STRING PrivilegeString;
+
+	/* Create a LSA_UNICODE_STRING for the privilege name. */
+	InitLsaString(&PrivilegeString, PrivilegeName);
+
+	/* grant or revoke the privilege, accordingly */
+	if (bEnable)
+		return (LsaAddAccountRights(PolicyHandle, AccountSid,
+			&PrivilegeString, 1));
+	else
+		return (LsaRemoveAccountRights(PolicyHandle, AccountSid,
+			FALSE, &PrivilegeString, 1));
+}
+
+NTSTATUS
+GetPrivilegesOnAccount(LSA_HANDLE PolicyHandle, PSID AccountSid,
+		       wchar_t **PrivList, unsigned int *PrivCount) 
+{
+	NTSTATUS Status;
+	LSA_UNICODE_STRING *UserRights;
+	ULONG CountOfRights;
+	unsigned int retlen = 0;
+	DWORD i, j;
+	int found;
+
+	Status = LsaEnumerateAccountRights(PolicyHandle, AccountSid,
+		&UserRights, &CountOfRights);
+	/* Only continue if there is something */
+	if (UserRights == NULL || Status != STATUS_SUCCESS)
+		return (Status);
+
+	for (i = 0; i < CountOfRights; i++) {
+		found = -1;
+		retlen = UserRights[i].Length/sizeof(wchar_t);
+		for (j = 0; j < *PrivCount; j++) {
+			found = wcsncmp(PrivList[j], UserRights[i].Buffer,
+					retlen);
+			if (found == 0)
+				break;
+		}
+		if (found != 0) {
+			PrivList[*PrivCount] = 
+			    (wchar_t *)malloc(UserRights[i].MaximumLength);
+			if (PrivList[*PrivCount] == NULL)
+				return (RTN_NOMEMORY);
+
+			wcsncpy(PrivList[*PrivCount], UserRights[i].Buffer,
+				retlen);
+			PrivList[*PrivCount][retlen] = L'\0';
+			(*PrivCount)++;
+		}
+
+	}
+
+	return (Status);
+}
+
+void
+DisplayNtStatus(LPSTR szAPI, NTSTATUS Status) {
+	/* Convert the NTSTATUS to Winerror. Then call DisplayWinError(). */
+	DisplayWinError(szAPI, LsaNtStatusToWinError(Status));
+}
+
+void
+DisplayWinError(LPSTR szAPI, DWORD WinError) {
+	LPSTR MessageBuffer;
+	DWORD dwBufferLength;
+
+	if (dwBufferLength=FormatMessageA(
+		FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,
+		NULL, WinError, GetUserDefaultLangID(),
+		(LPSTR) &MessageBuffer, 0, NULL)){
+		DWORD dwBytesWritten; /* unused */
+
+		/* Output message string on stderr. */
+		WriteFile(GetStdHandle(STD_ERROR_HANDLE), MessageBuffer,
+			  dwBufferLength, &dwBytesWritten, NULL);
+
+		/* Free the buffer allocated by the system. */
+		LocalFree(MessageBuffer);
+	}
+}
diff --git a/bin/win32/BINDInstall/AccountInfo.h b/bin/win32/BINDInstall/AccountInfo.h
new file mode 100644
index 00000000..f3bf2c5c
--- /dev/null
+++ b/bin/win32/BINDInstall/AccountInfo.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2001  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: AccountInfo.h,v 1.3.226.3 2004/03/08 09:04:21 marka Exp $ */
+
+
+#define RTN_OK		0
+#define RTN_NOACCOUNT	1
+#define RTN_NOMEMORY	2
+#define RTN_ERROR	10
+
+#define SE_SERVICE_LOGON_PRIV	L"SeServiceLogonRight"
+
+/*
+ * This routine retrieves the list of all Privileges associated with
+ * a given account as well as the groups to which it beongs
+ */
+int
+GetAccountPrivileges(
+	char *name,			/* Name of Account */
+	wchar_t **PrivList,		/* List of Privileges returned */
+	unsigned int *PrivCount,	/* Count of Privileges returned */
+	char **Groups,		/* List of Groups to which account belongs */
+	unsigned int *totalGroups,	/* Count of Groups returned */
+	int maxGroups		/* Maximum number of Groups to return */
+	);
+
+/*
+ * This routine creates an account with the given name which has just
+ * the logon service privilege and no membership of any groups,
+ * i.e. it's part of the None group.
+ */
+BOOL
+CreateServiceAccount(char *name, char *password);
diff --git a/bin/win32/BINDInstall/BINDInstall.cpp b/bin/win32/BINDInstall/BINDInstall.cpp
index e996df9e..eb591ca3 100644
--- a/bin/win32/BINDInstall/BINDInstall.cpp
+++ b/bin/win32/BINDInstall/BINDInstall.cpp
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: BINDInstall.cpp,v 1.3.2.2 2004/04/19 06:56:24 marka Exp $ */
+/* $Id: BINDInstall.cpp,v 1.3.206.1 2004/03/06 10:22:53 marka Exp $ */
 
 /*
  * Copyright (c) 1999-2000 by Nortel Networks Corporation
@@ -78,13 +78,12 @@ BOOL CBINDInstallApp::InitInstance()
 	// If you are not using these features and wish to reduce the size
 	//  of your final executable, you should remove from the following
 	//  the specific initialization routines you do not need.
-#if _MSC_VER < 1300
+
 #ifdef _AFXDLL
 	Enable3dControls();			// Call this when using MFC in a shared DLL
 #else
 	Enable3dControlsStatic();	// Call this when linking to MFC statically
 #endif
-#endif
 
 	CBINDInstallDlg dlg;
 	m_pMainWnd = &dlg;
diff --git a/bin/win32/BINDInstall/BINDInstall.dsp b/bin/win32/BINDInstall/BINDInstall.dsp
index ed1abbab..9f04b97b 100644
--- a/bin/win32/BINDInstall/BINDInstall.dsp
+++ b/bin/win32/BINDInstall/BINDInstall.dsp
@@ -1,204 +1,177 @@
-# Microsoft Developer Studio Project File - Name="BINDInstall" - Package Owner=<4>

-# Microsoft Developer Studio Generated Build File, Format Version 6.00

-# ** DO NOT EDIT **

-

-# TARGTYPE "Win32 (x86) Application" 0x0101

-

-CFG=BINDInstall - Win32 Debug

-!MESSAGE This is not a valid makefile. To build this project using NMAKE,

-!MESSAGE use the Export Makefile command and run

-!MESSAGE 

-!MESSAGE NMAKE /f "BINDInstall.mak".

-!MESSAGE 

-!MESSAGE You can specify a configuration when running NMAKE

-!MESSAGE by defining the macro CFG on the command line. For example:

-!MESSAGE 

-!MESSAGE NMAKE /f "BINDInstall.mak" CFG="BINDInstall - Win32 Debug"

-!MESSAGE 

-!MESSAGE Possible choices for configuration are:

-!MESSAGE 

-!MESSAGE "BINDInstall - Win32 Release" (based on "Win32 (x86) Application")

-!MESSAGE "BINDInstall - Win32 Debug" (based on "Win32 (x86) Application")

-!MESSAGE 

-

-# Begin Project

-# PROP AllowPerConfigDependencies 0

-# PROP Scc_ProjName ""

-# PROP Scc_LocalPath ""

-CPP=cl.exe

-MTL=midl.exe

-RSC=rc.exe

-

-!IF  "$(CFG)" == "BINDInstall - Win32 Release"

-

-# PROP BASE Use_MFC 5

-# PROP BASE Use_Debug_Libraries 0

-# PROP BASE Output_Dir "Release"

-# PROP BASE Intermediate_Dir "Release"

-# PROP BASE Target_Dir ""

-# PROP Use_MFC 6

-# PROP Use_Debug_Libraries 0

-# PROP Output_Dir "Release"

-# PROP Intermediate_Dir "Release"

-# PROP Ignore_Export_Lib 0

-# PROP Target_Dir ""

-# ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /Yu"stdafx.h" /FD /c

-# ADD CPP /nologo /MT /W3 /GX /O2 /I "..\include" /I "..\..\..\include" /I "..\..\named\win32\include" /I "..\..\..\lib\isc\win32\include" /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /Yu"stdafx.h" /FD /c

-# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32

-# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32

-# ADD BASE RSC /l 0x409 /d "NDEBUG"

-# ADD RSC /l 0x409 /d "NDEBUG"

-BSC32=bscmake.exe

-# ADD BASE BSC32 /nologo

-# ADD BSC32 /nologo

-LINK32=link.exe

-# ADD BASE LINK32 /nologo /subsystem:windows /machine:I386

-# ADD LINK32 version.lib /nologo /subsystem:windows /pdb:none /machine:I386 /out:"..\..\..\Build\Release\BINDInstall.exe"

-

-!ELSEIF  "$(CFG)" == "BINDInstall - Win32 Debug"

-

-# PROP BASE Use_MFC 5

-# PROP BASE Use_Debug_Libraries 1

-# PROP BASE Output_Dir "Debug"

-# PROP BASE Intermediate_Dir "Debug"

-# PROP BASE Target_Dir ""

-# PROP Use_MFC 6

-# PROP Use_Debug_Libraries 1

-# PROP Output_Dir "Debug"

-# PROP Intermediate_Dir "Debug"

-# PROP Ignore_Export_Lib 0

-# PROP Target_Dir ""

-# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /Yu"stdafx.h" /FD /GZ /c

-# ADD CPP /nologo /MTd /W3 /Gm /GX /Zi /Od /I "..\include" /I "..\..\..\include" /I "..\..\named\win32\include" /I "..\..\..\lib\isc\win32\include" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /FR /Yu"stdafx.h" /FD /GZ /c

-# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32

-# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32

-# ADD BASE RSC /l 0x409 /d "_DEBUG"

-# ADD RSC /l 0x409 /d "_DEBUG"

-BSC32=bscmake.exe

-# ADD BASE BSC32 /nologo

-# ADD BSC32 /nologo

-LINK32=link.exe

-# ADD BASE LINK32 /nologo /subsystem:windows /debug /machine:I386 /pdbtype:sept

-# ADD LINK32 version.lib /nologo /subsystem:windows /pdb:none /debug /machine:I386 /out:"..\..\..\Build\Debug\BINDInstall.exe"

-

-!ENDIF 

-

-# Begin Target

-

-# Name "BINDInstall - Win32 Release"

-# Name "BINDInstall - Win32 Debug"

-# Begin Group "Source Files"

-

-# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"

-# Begin Source File

-

-SOURCE=.\BINDInstall.cpp

-# End Source File

-# Begin Source File

-

-SOURCE=.\BINDInstallDlg.cpp

-# End Source File

-# Begin Source File

-

-SOURCE=.\DirBrowse.cpp

-# End Source File

-# Begin Source File

-

-SOURCE=.\StdAfx.cpp

-# ADD CPP /Yc"stdafx.h"

-# End Source File

-# Begin Source File

-

-SOURCE=.\VersionInfo.cpp

-# End Source File

-# End Group

-# Begin Group "Header Files"

-

-# PROP Default_Filter "h;hpp;hxx;hm;inl"

-# Begin Source File

-

-SOURCE=.\BINDInstall.h

-# End Source File

-# Begin Source File

-

-SOURCE=.\BINDInstallDlg.h

-# End Source File

-# Begin Source File

-

-SOURCE=.\DirBrowse.h

-# End Source File

-# Begin Source File

-

-SOURCE=.\Resource.h

-# End Source File

-# Begin Source File

-

-SOURCE=.\StdAfx.h

-# End Source File

-# Begin Source File

-

-SOURCE=.\VersionInfo.h

-# End Source File

-# End Group

-# Begin Group "Resource Files"

-

-# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"

-# Begin Source File

-

-SOURCE=.\res\BINDInstall.ico

-# End Source File

-# Begin Source File

-

-SOURCE=.\res\BINDInstall.rc2

-# End Source File

-# Begin Source File

-

-SOURCE=.\res\check.ico

-# End Source File

-# Begin Source File

-

-SOURCE=.\res\clock1.ico

-# End Source File

-# Begin Source File

-

-SOURCE=.\res\clock2.ico

-# End Source File

-# Begin Source File

-

-SOURCE=.\res\clock3.ico

-# End Source File

-# Begin Source File

-

-SOURCE=.\res\clock4.ico

-# End Source File

-# Begin Source File

-

-SOURCE=.\res\clock5.ico

-# End Source File

-# Begin Source File

-

-SOURCE=.\res\clock6.ico

-# End Source File

-# Begin Source File

-

-SOURCE=.\res\clock7.ico

-# End Source File

-# Begin Source File

-

-SOURCE=.\res\clock8.ico

-# End Source File

-# Begin Source File

-

-SOURCE=.\res\icon1.ico

-# End Source File

-# Begin Source File

-

-SOURCE=.\res\x.ico

-# End Source File

-# End Group

-# Begin Source File

-

-SOURCE=.\BINDInstall.rc

-# End Source File

-# End Target

-# End Project

+# Microsoft Developer Studio Project File - Name="BINDInstall" - Package Owner=<4>
+# Microsoft Developer Studio Generated Build File, Format Version 6.00
+# ** DO NOT EDIT **
+
+# TARGTYPE "Win32 (x86) Application" 0x0101
+
+CFG=BINDInstall - Win32 Debug
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,
+!MESSAGE use the Export Makefile command and run
+!MESSAGE 
+!MESSAGE NMAKE /f "BINDInstall.mak".
+!MESSAGE 
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "BINDInstall.mak" CFG="BINDInstall - Win32 Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "BINDInstall - Win32 Release" (based on "Win32 (x86) Application")
+!MESSAGE "BINDInstall - Win32 Debug" (based on "Win32 (x86) Application")
+!MESSAGE 
+
+# Begin Project
+# PROP AllowPerConfigDependencies 0
+# PROP Scc_ProjName ""
+# PROP Scc_LocalPath ""
+CPP=cl.exe
+MTL=midl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "BINDInstall - Win32 Release"
+
+# PROP BASE Use_MFC 5
+# PROP BASE Use_Debug_Libraries 0
+# PROP BASE Output_Dir "Release"
+# PROP BASE Intermediate_Dir "Release"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 6
+# PROP Use_Debug_Libraries 0
+# PROP Output_Dir "Release"
+# PROP Intermediate_Dir "Release"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /Yu"stdafx.h" /FD /c
+# ADD CPP /nologo /MD /W3 /GX /O2 /I "..\include" /I "..\..\..\include" /I "..\..\named\win32\include" /I "..\..\..\lib\isc\win32\include" /I "..\..\..\lib\isc\include" /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_AFXDLL" /Yu"stdafx.h" /FD /TP /c
+# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32
+# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32
+# ADD BASE RSC /l 0x409 /d "NDEBUG"
+# ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 /nologo /subsystem:windows /machine:I386
+# ADD LINK32 version.lib netapi32.lib /nologo /subsystem:windows /pdb:none /machine:I386 /out:"..\..\..\Build\Release\BINDInstall.exe"
+
+!ELSEIF  "$(CFG)" == "BINDInstall - Win32 Debug"
+
+# PROP BASE Use_MFC 5
+# PROP BASE Use_Debug_Libraries 1
+# PROP BASE Output_Dir "Debug"
+# PROP BASE Intermediate_Dir "Debug"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 6
+# PROP Use_Debug_Libraries 1
+# PROP Output_Dir "Debug"
+# PROP Intermediate_Dir "Debug"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /Yu"stdafx.h" /FD /GZ /c
+# ADD CPP /nologo /MDd /W3 /Gm /GX /Zi /Od /I "..\include" /I "..\..\..\include" /I "..\..\named\win32\include" /I "..\..\..\lib\isc\win32\include" /I "..\..\..\lib\isc\include" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_AFXDLL" /FR /Yu"stdafx.h" /FD /TP /GZ /c
+# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32
+# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32
+# ADD BASE RSC /l 0x409 /d "_DEBUG"
+# ADD RSC /l 0x409 /d "_DEBUG" /d "_AFXDLL"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 /nologo /subsystem:windows /debug /machine:I386 /pdbtype:sept
+# ADD LINK32 version.lib netapi32.lib /nologo /subsystem:windows /pdb:none /debug /machine:I386 /out:"..\..\..\Build\Debug\BINDInstall.exe"
+
+!ENDIF 
+
+# Begin Target
+
+# Name "BINDInstall - Win32 Release"
+# Name "BINDInstall - Win32 Debug"
+# Begin Group "Source Files"
+
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
+# Begin Source File
+
+SOURCE=.\AccountInfo.cpp
+# End Source File
+# Begin Source File
+
+SOURCE=.\BINDInstall.cpp
+# End Source File
+# Begin Source File
+
+SOURCE=.\BINDInstallDlg.cpp
+# End Source File
+# Begin Source File
+
+SOURCE=.\DirBrowse.cpp
+# End Source File
+# Begin Source File
+
+SOURCE=..\..\..\lib\isc\win32\ntgroups.c
+# SUBTRACT CPP /YX /Yc /Yu
+# End Source File
+# Begin Source File
+
+SOURCE=.\StdAfx.cpp
+# ADD CPP /Yc"stdafx.h"
+# End Source File
+# Begin Source File
+
+SOURCE=.\VersionInfo.cpp
+# End Source File
+# End Group
+# Begin Group "Header Files"
+
+# PROP Default_Filter "h;hpp;hxx;hm;inl"
+# Begin Source File
+
+SOURCE=.\Accountinfo.h
+# End Source File
+# Begin Source File
+
+SOURCE=.\BINDInstall.h
+# End Source File
+# Begin Source File
+
+SOURCE=.\BINDInstallDlg.h
+# End Source File
+# Begin Source File
+
+SOURCE=.\DirBrowse.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\..\..\lib\isc\win32\include\isc\ntgroups.h
+# End Source File
+# Begin Source File
+
+SOURCE=.\Resource.h
+# End Source File
+# Begin Source File
+
+SOURCE=.\StdAfx.h
+# End Source File
+# Begin Source File
+
+SOURCE=.\VersionInfo.h
+# End Source File
+# End Group
+# Begin Group "Resource Files"
+
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"
+# Begin Source File
+
+SOURCE=.\res\BINDInstall.ico
+# End Source File
+# Begin Source File
+
+SOURCE=.\res\BINDInstall.rc2
+# End Source File
+# End Group
+# Begin Source File
+
+SOURCE=.\BINDInstall.rc
+# End Source File
+# End Target
+# End Project
diff --git a/bin/win32/BINDInstall/BINDInstall.dsw b/bin/win32/BINDInstall/BINDInstall.dsw
index c949bc7b..d16a45cc 100644
--- a/bin/win32/BINDInstall/BINDInstall.dsw
+++ b/bin/win32/BINDInstall/BINDInstall.dsw
@@ -1,29 +1,29 @@
-Microsoft Developer Studio Workspace File, Format Version 6.00

-# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!

-

-###############################################################################

-

-Project: "BINDInstall"=.\BINDInstall.dsp - Package Owner=<4>

-

-Package=<5>

-{{{

-}}}

-

-Package=<4>

-{{{

-}}}

-

-###############################################################################

-

-Global:

-

-Package=<5>

-{{{

-}}}

-

-Package=<3>

-{{{

-}}}

-

-###############################################################################

-

+Microsoft Developer Studio Workspace File, Format Version 6.00
+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!
+
+###############################################################################
+
+Project: "BINDInstall"=.\BINDInstall.dsp - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+}}}
+
+###############################################################################
+
+Global:
+
+Package=<5>
+{{{
+}}}
+
+Package=<3>
+{{{
+}}}
+
+###############################################################################
+
diff --git a/bin/win32/BINDInstall/BINDInstall.h b/bin/win32/BINDInstall/BINDInstall.h
index 0958e914..ecc6afb2 100644
--- a/bin/win32/BINDInstall/BINDInstall.h
+++ b/bin/win32/BINDInstall/BINDInstall.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: BINDInstall.h,v 1.3.2.1 2004/03/09 06:10:31 marka Exp $ */
+/* $Id: BINDInstall.h,v 1.3.206.1 2004/03/06 10:22:53 marka Exp $ */
 
 /*
  * Copyright (c) 1999-2000 by Nortel Networks Corporation
diff --git a/bin/win32/BINDInstall/BINDInstall.mak b/bin/win32/BINDInstall/BINDInstall.mak
index 330953a0..f479a243 100644
--- a/bin/win32/BINDInstall/BINDInstall.mak
+++ b/bin/win32/BINDInstall/BINDInstall.mak
@@ -1,410 +1,331 @@
-# Microsoft Developer Studio Generated NMAKE File, Based on BINDInstall.dsp

-!IF "$(CFG)" == ""

-CFG=BINDInstall - Win32 Debug

-!MESSAGE No configuration specified. Defaulting to BINDInstall - Win32 Debug.

-!ENDIF 

-

-!IF "$(CFG)" != "BINDInstall - Win32 Release" && "$(CFG)" != "BINDInstall - Win32 Debug"

-!MESSAGE Invalid configuration "$(CFG)" specified.

-!MESSAGE You can specify a configuration when running NMAKE

-!MESSAGE by defining the macro CFG on the command line. For example:

-!MESSAGE 

-!MESSAGE NMAKE /f "BINDInstall.mak" CFG="BINDInstall - Win32 Debug"

-!MESSAGE 

-!MESSAGE Possible choices for configuration are:

-!MESSAGE 

-!MESSAGE "BINDInstall - Win32 Release" (based on "Win32 (x86) Application")

-!MESSAGE "BINDInstall - Win32 Debug" (based on "Win32 (x86) Application")

-!MESSAGE 

-!ERROR An invalid configuration is specified.

-!ENDIF 

-

-!IF "$(OS)" == "Windows_NT"

-NULL=

-!ELSE 

-NULL=nul

-!ENDIF 

-

-!IF  "$(CFG)" == "BINDInstall - Win32 Release"

-_VC_MANIFEST_INC=0

-_VC_MANIFEST_BASENAME=__VC80

-!ELSE

-_VC_MANIFEST_INC=1

-_VC_MANIFEST_BASENAME=__VC80.Debug

-!ENDIF

-

-####################################################

-# Specifying name of temporary resource file used only in incremental builds:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res

-!else

-_VC_MANIFEST_AUTO_RES=

-!endif

-

-####################################################

-# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-

-#MT_SPECIAL_RETURN=1090650113

-#MT_SPECIAL_SWITCH=-notify_resource_update

-MT_SPECIAL_RETURN=0

-MT_SPECIAL_SWITCH=

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \

-if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \

-rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \

-link $** /out:$@ $(LFLAGS)

-

-!else

-

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1

-

-!endif

-

-####################################################

-# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-

-#MT_SPECIAL_RETURN=1090650113

-#MT_SPECIAL_SWITCH=-notify_resource_update

-MT_SPECIAL_RETURN=0

-MT_SPECIAL_SWITCH=

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \

-if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \

-rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \

-link $** /out:$@ $(LFLAGS)

-

-!else

-

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2

-

-!endif

-####################################################

-# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-

-_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \

-    $(_VC_MANIFEST_BASENAME).auto.rc \

-    $(_VC_MANIFEST_BASENAME).auto.manifest

-

-!else

-

-_VC_MANIFEST_CLEAN=

-

-!endif

-

-!IF  "$(CFG)" == "BINDInstall - Win32 Release"

-

-OUTDIR=.\Release

-INTDIR=.\Release

-

-ALL : "..\..\..\Build\Release\BINDInstall.exe"

-

-

-CLEAN :

-	-@erase "$(INTDIR)\BINDInstall.obj"

-	-@erase "$(INTDIR)\BINDInstall.pch"

-	-@erase "$(INTDIR)\BINDInstall.res"

-	-@erase "$(INTDIR)\BINDInstallDlg.obj"

-	-@erase "$(INTDIR)\DirBrowse.obj"

-	-@erase "$(INTDIR)\StdAfx.obj"

-	-@erase "$(INTDIR)\vc60.idb"

-	-@erase "$(INTDIR)\VersionInfo.obj"

-	-@erase "..\..\..\Build\Release\BINDInstall.exe"

-	-@$(_VC_MANIFEST_CLEAN)

-

-"$(OUTDIR)" :

-    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"

-

-CPP=cl.exe

-CPP_PROJ=/nologo /MT /W3 /GX /O2 /I "..\include" /I "..\..\..\include" /I "..\..\named\win32\include" /I "..\..\..\lib\isc\win32\include" /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /Fp"$(INTDIR)\BINDInstall.pch" /Yu"stdafx.h" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 

-

-.c{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.c{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-MTL=midl.exe

-MTL_PROJ=/nologo /D "NDEBUG" /mktyplib203 /win32 

-RSC=rc.exe

-RSC_PROJ=/l 0x409 /fo"$(INTDIR)\BINDInstall.res" /d "NDEBUG"

-BSC32=bscmake.exe

-BSC32_FLAGS=/nologo /o"$(OUTDIR)\BINDInstall.bsc" 

-BSC32_SBRS= \

-	

-LINK32=link.exe

-LINK32_FLAGS=version.lib /nologo /subsystem:windows /pdb:none /machine:I386 /out:"..\..\..\Build\Release\BINDInstall.exe" 

-LINK32_OBJS= \

-	"$(INTDIR)\BINDInstall.obj" \

-	"$(INTDIR)\BINDInstallDlg.obj" \

-	"$(INTDIR)\DirBrowse.obj" \

-	"$(INTDIR)\StdAfx.obj" \

-	"$(INTDIR)\VersionInfo.obj" \

-	"$(INTDIR)\BINDInstall.res"

-

-"..\..\..\Build\Release\BINDInstall.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)

-    $(LINK32) @<<

-  $(LINK32_FLAGS) $(LINK32_OBJS)

-<<

-    $(_VC_MANIFEST_EMBED_EXE)

-

-!ELSEIF  "$(CFG)" == "BINDInstall - Win32 Debug"

-

-OUTDIR=.\Debug

-INTDIR=.\Debug

-# Begin Custom Macros

-OutDir=.\Debug

-# End Custom Macros

-

-ALL : "..\..\..\Build\Debug\BINDInstall.exe" "$(OUTDIR)\BINDInstall.bsc"

-

-

-CLEAN :

-	-@erase "$(INTDIR)\BINDInstall.obj"

-	-@erase "$(INTDIR)\BINDInstall.pch"

-	-@erase "$(INTDIR)\BINDInstall.res"

-	-@erase "$(INTDIR)\BINDInstall.sbr"

-	-@erase "$(INTDIR)\BINDInstallDlg.obj"

-	-@erase "$(INTDIR)\BINDInstallDlg.sbr"

-	-@erase "$(INTDIR)\DirBrowse.obj"

-	-@erase "$(INTDIR)\DirBrowse.sbr"

-	-@erase "$(INTDIR)\StdAfx.obj"

-	-@erase "$(INTDIR)\StdAfx.sbr"

-	-@erase "$(INTDIR)\vc60.idb"

-	-@erase "$(INTDIR)\vc60.pdb"

-	-@erase "$(INTDIR)\VersionInfo.obj"

-	-@erase "$(INTDIR)\VersionInfo.sbr"

-	-@erase "$(OUTDIR)\BINDInstall.bsc"

-	-@erase "..\..\..\Build\Debug\BINDInstall.exe"

-	-@$(_VC_MANIFEST_CLEAN)

-

-"$(OUTDIR)" :

-    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"

-

-CPP=cl.exe

-CPP_PROJ=/nologo /MTd /W3 /Gm /GX /Zi /Od /I "..\include" /I "..\..\..\include" /I "..\..\named\win32\include" /I "..\..\..\lib\isc\win32\include" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\BINDInstall.pch" /Yu"stdafx.h" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 

-

-.c{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.c{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-MTL=midl.exe

-MTL_PROJ=/nologo /D "_DEBUG" /mktyplib203 /win32 

-RSC=rc.exe

-RSC_PROJ=/l 0x409 /fo"$(INTDIR)\BINDInstall.res" /d "_DEBUG"

-BSC32=bscmake.exe

-BSC32_FLAGS=/nologo /o"$(OUTDIR)\BINDInstall.bsc" 

-BSC32_SBRS= \

-	"$(INTDIR)\BINDInstall.sbr" \

-	"$(INTDIR)\BINDInstallDlg.sbr" \

-	"$(INTDIR)\DirBrowse.sbr" \

-	"$(INTDIR)\StdAfx.sbr" \

-	"$(INTDIR)\VersionInfo.sbr"

-

-"$(OUTDIR)\BINDInstall.bsc" : "$(OUTDIR)" $(BSC32_SBRS)

-    $(BSC32) @<<

-  $(BSC32_FLAGS) $(BSC32_SBRS)

-<<

-

-LINK32=link.exe

-LINK32_FLAGS=version.lib /nologo /subsystem:windows /pdb:none /debug /machine:I386 /out:"..\..\..\Build\Debug\BINDInstall.exe" 

-LINK32_OBJS= \

-	"$(INTDIR)\BINDInstall.obj" \

-	"$(INTDIR)\BINDInstallDlg.obj" \

-	"$(INTDIR)\DirBrowse.obj" \

-	"$(INTDIR)\StdAfx.obj" \

-	"$(INTDIR)\VersionInfo.obj" \

-	"$(INTDIR)\BINDInstall.res"

-

-"..\..\..\Build\Debug\BINDInstall.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)

-    $(LINK32) @<<

-  $(LINK32_FLAGS) $(LINK32_OBJS)

-<<

-    $(_VC_MANIFEST_EMBED_EXE)

-

-!ENDIF 

-

-

-!IF "$(NO_EXTERNAL_DEPS)" != "1"

-!IF EXISTS("BINDInstall.dep")

-!INCLUDE "BINDInstall.dep"

-!ELSE 

-!MESSAGE Warning: cannot find "BINDInstall.dep"

-!ENDIF 

-!ENDIF 

-

-

-!IF "$(CFG)" == "BINDInstall - Win32 Release" || "$(CFG)" == "BINDInstall - Win32 Debug"

-SOURCE=.\BINDInstall.cpp

-

-!IF  "$(CFG)" == "BINDInstall - Win32 Release"

-

-

-"$(INTDIR)\BINDInstall.obj" : $(SOURCE) "$(INTDIR)" "$(INTDIR)\BINDInstall.pch"

-

-

-!ELSEIF  "$(CFG)" == "BINDInstall - Win32 Debug"

-

-

-"$(INTDIR)\BINDInstall.obj"	"$(INTDIR)\BINDInstall.sbr" : $(SOURCE) "$(INTDIR)" "$(INTDIR)\BINDInstall.pch"

-

-

-!ENDIF 

-

-SOURCE=.\BINDInstallDlg.cpp

-

-!IF  "$(CFG)" == "BINDInstall - Win32 Release"

-

-

-"$(INTDIR)\BINDInstallDlg.obj" : $(SOURCE) "$(INTDIR)" "$(INTDIR)\BINDInstall.pch"

-

-

-!ELSEIF  "$(CFG)" == "BINDInstall - Win32 Debug"

-

-

-"$(INTDIR)\BINDInstallDlg.obj"	"$(INTDIR)\BINDInstallDlg.sbr" : $(SOURCE) "$(INTDIR)" "$(INTDIR)\BINDInstall.pch"

-

-

-!ENDIF 

-

-SOURCE=.\DirBrowse.cpp

-

-!IF  "$(CFG)" == "BINDInstall - Win32 Release"

-

-

-"$(INTDIR)\DirBrowse.obj" : $(SOURCE) "$(INTDIR)" "$(INTDIR)\BINDInstall.pch"

-

-

-!ELSEIF  "$(CFG)" == "BINDInstall - Win32 Debug"

-

-

-"$(INTDIR)\DirBrowse.obj"	"$(INTDIR)\DirBrowse.sbr" : $(SOURCE) "$(INTDIR)" "$(INTDIR)\BINDInstall.pch"

-

-

-!ENDIF 

-

-SOURCE=.\StdAfx.cpp

-

-!IF  "$(CFG)" == "BINDInstall - Win32 Release"

-

-CPP_SWITCHES=/nologo /MT /W3 /GX /O2 /I "..\include" /I "..\..\..\include" /I "..\..\named\win32\include" /I "..\..\..\lib\isc\win32\include" /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /Fp"$(INTDIR)\BINDInstall.pch" /Yc"stdafx.h" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 

-

-"$(INTDIR)\StdAfx.obj"	"$(INTDIR)\BINDInstall.pch" : $(SOURCE) "$(INTDIR)"

-	$(CPP) @<<

-  $(CPP_SWITCHES) $(SOURCE)

-<<

-

-

-!ELSEIF  "$(CFG)" == "BINDInstall - Win32 Debug"

-

-CPP_SWITCHES=/nologo /MTd /W3 /Gm /GX /Zi /Od /I "..\include" /I "..\..\..\include" /I "..\..\named\win32\include" /I "..\..\..\lib\isc\win32\include" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\BINDInstall.pch" /Yc"stdafx.h" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 

-

-"$(INTDIR)\StdAfx.obj"	"$(INTDIR)\StdAfx.sbr"	"$(INTDIR)\BINDInstall.pch" : $(SOURCE) "$(INTDIR)"

-	$(CPP) @<<

-  $(CPP_SWITCHES) $(SOURCE)

-<<

-

-

-!ENDIF 

-

-SOURCE=.\VersionInfo.cpp

-

-!IF  "$(CFG)" == "BINDInstall - Win32 Release"

-

-

-"$(INTDIR)\VersionInfo.obj" : $(SOURCE) "$(INTDIR)" "$(INTDIR)\BINDInstall.pch"

-

-

-!ELSEIF  "$(CFG)" == "BINDInstall - Win32 Debug"

-

-

-"$(INTDIR)\VersionInfo.obj"	"$(INTDIR)\VersionInfo.sbr" : $(SOURCE) "$(INTDIR)" "$(INTDIR)\BINDInstall.pch"

-

-

-!ENDIF 

-

-SOURCE=.\BINDInstall.rc

-

-"$(INTDIR)\BINDInstall.res" : $(SOURCE) "$(INTDIR)"

-	$(RSC) $(RSC_PROJ) $(SOURCE)

-

-

-

-!ENDIF 

-

-####################################################

-# Commands to generate initial empty manifest file and the RC file

-# that references it, and for generating the .res file:

-

-$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc

-

-$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest

-    type <<$@

-#include <winuser.h>

-1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"

-<< KEEP

-

-$(_VC_MANIFEST_BASENAME).auto.manifest :

-    type <<$@

-<?xml version='1.0' encoding='UTF-8' standalone='yes'?>

-<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>

-</assembly>

-<< KEEP

+# Microsoft Developer Studio Generated NMAKE File, Based on BINDInstall.dsp
+!IF "$(CFG)" == ""
+CFG=BINDInstall - Win32 Debug
+!MESSAGE No configuration specified. Defaulting to BINDInstall - Win32 Debug.
+!ENDIF 
+
+!IF "$(CFG)" != "BINDInstall - Win32 Release" && "$(CFG)" != "BINDInstall - Win32 Debug"
+!MESSAGE Invalid configuration "$(CFG)" specified.
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "BINDInstall.mak" CFG="BINDInstall - Win32 Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "BINDInstall - Win32 Release" (based on "Win32 (x86) Application")
+!MESSAGE "BINDInstall - Win32 Debug" (based on "Win32 (x86) Application")
+!MESSAGE 
+!ERROR An invalid configuration is specified.
+!ENDIF 
+
+!IF "$(OS)" == "Windows_NT"
+NULL=
+!ELSE 
+NULL=nul
+!ENDIF 
+
+CPP=cl.exe
+MTL=midl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "BINDInstall - Win32 Release"
+
+OUTDIR=.\Release
+INTDIR=.\Release
+
+ALL : "..\..\..\Build\Release\BINDInstall.exe"
+
+
+CLEAN :
+	-@erase "$(INTDIR)\AccountInfo.obj"
+	-@erase "$(INTDIR)\BINDInstall.obj"
+	-@erase "$(INTDIR)\BINDInstall.pch"
+	-@erase "$(INTDIR)\BINDInstall.res"
+	-@erase "$(INTDIR)\BINDInstallDlg.obj"
+	-@erase "$(INTDIR)\DirBrowse.obj"
+	-@erase "$(INTDIR)\ntgroups.obj"
+	-@erase "$(INTDIR)\StdAfx.obj"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "$(INTDIR)\VersionInfo.obj"
+	-@erase "..\..\..\Build\Release\BINDInstall.exe"
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "..\include" /I "..\..\..\include" /I "..\..\named\win32\include" /I "..\..\..\lib\isc\win32\include" /I "..\..\..\lib\isc\include" /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_AFXDLL" /Fp"$(INTDIR)\BINDInstall.pch" /Yu"stdafx.h" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /TP /c 
+MTL_PROJ=/nologo /D "NDEBUG" /mktyplib203 /win32 
+RSC_PROJ=/l 0x409 /fo"$(INTDIR)\BINDInstall.res" /d "NDEBUG" /d "_AFXDLL" 
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\BINDInstall.bsc" 
+BSC32_SBRS= \
+	
+LINK32=link.exe
+LINK32_FLAGS=version.lib netapi32.lib /nologo /subsystem:windows /pdb:none /machine:I386 /out:"..\..\..\Build\Release\BINDInstall.exe" 
+LINK32_OBJS= \
+	"$(INTDIR)\AccountInfo.obj" \
+	"$(INTDIR)\BINDInstall.obj" \
+	"$(INTDIR)\BINDInstallDlg.obj" \
+	"$(INTDIR)\DirBrowse.obj" \
+	"$(INTDIR)\ntgroups.obj" \
+	"$(INTDIR)\StdAfx.obj" \
+	"$(INTDIR)\VersionInfo.obj" \
+	"$(INTDIR)\BINDInstall.res"
+
+"..\..\..\Build\Release\BINDInstall.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+
+!ELSEIF  "$(CFG)" == "BINDInstall - Win32 Debug"
+
+OUTDIR=.\Debug
+INTDIR=.\Debug
+# Begin Custom Macros
+OutDir=.\Debug
+# End Custom Macros
+
+ALL : "..\..\..\Build\Debug\BINDInstall.exe" "$(OUTDIR)\BINDInstall.bsc"
+
+
+CLEAN :
+	-@erase "$(INTDIR)\AccountInfo.obj"
+	-@erase "$(INTDIR)\AccountInfo.sbr"
+	-@erase "$(INTDIR)\BINDInstall.obj"
+	-@erase "$(INTDIR)\BINDInstall.pch"
+	-@erase "$(INTDIR)\BINDInstall.res"
+	-@erase "$(INTDIR)\BINDInstall.sbr"
+	-@erase "$(INTDIR)\BINDInstallDlg.obj"
+	-@erase "$(INTDIR)\BINDInstallDlg.sbr"
+	-@erase "$(INTDIR)\DirBrowse.obj"
+	-@erase "$(INTDIR)\DirBrowse.sbr"
+	-@erase "$(INTDIR)\ntgroups.obj"
+	-@erase "$(INTDIR)\ntgroups.sbr"
+	-@erase "$(INTDIR)\StdAfx.obj"
+	-@erase "$(INTDIR)\StdAfx.sbr"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "$(INTDIR)\vc60.pdb"
+	-@erase "$(INTDIR)\VersionInfo.obj"
+	-@erase "$(INTDIR)\VersionInfo.sbr"
+	-@erase "$(OUTDIR)\BINDInstall.bsc"
+	-@erase "..\..\..\Build\Debug\BINDInstall.exe"
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP_PROJ=/nologo /MDd /W3 /Gm /GX /Zi /Od /I "..\include" /I "..\..\..\include" /I "..\..\named\win32\include" /I "..\..\..\lib\isc\win32\include" /I "..\..\..\lib\isc\include" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_AFXDLL" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\BINDInstall.pch" /Yu"stdafx.h" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /TP /GZ /c 
+MTL_PROJ=/nologo /D "_DEBUG" /mktyplib203 /win32 
+RSC_PROJ=/l 0x409 /fo"$(INTDIR)\BINDInstall.res" /d "_DEBUG" /d "_AFXDLL" 
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\BINDInstall.bsc" 
+BSC32_SBRS= \
+	"$(INTDIR)\AccountInfo.sbr" \
+	"$(INTDIR)\BINDInstall.sbr" \
+	"$(INTDIR)\BINDInstallDlg.sbr" \
+	"$(INTDIR)\DirBrowse.sbr" \
+	"$(INTDIR)\ntgroups.sbr" \
+	"$(INTDIR)\StdAfx.sbr" \
+	"$(INTDIR)\VersionInfo.sbr"
+
+"$(OUTDIR)\BINDInstall.bsc" : "$(OUTDIR)" $(BSC32_SBRS)
+    $(BSC32) @<<
+  $(BSC32_FLAGS) $(BSC32_SBRS)
+<<
+
+LINK32=link.exe
+LINK32_FLAGS=version.lib netapi32.lib /nologo /subsystem:windows /pdb:none /debug /machine:I386 /out:"..\..\..\Build\Debug\BINDInstall.exe" 
+LINK32_OBJS= \
+	"$(INTDIR)\AccountInfo.obj" \
+	"$(INTDIR)\BINDInstall.obj" \
+	"$(INTDIR)\BINDInstallDlg.obj" \
+	"$(INTDIR)\DirBrowse.obj" \
+	"$(INTDIR)\ntgroups.obj" \
+	"$(INTDIR)\StdAfx.obj" \
+	"$(INTDIR)\VersionInfo.obj" \
+	"$(INTDIR)\BINDInstall.res"
+
+"..\..\..\Build\Debug\BINDInstall.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+
+!ENDIF 
+
+.c{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+
+!IF "$(NO_EXTERNAL_DEPS)" != "1"
+!IF EXISTS("BINDInstall.dep")
+!INCLUDE "BINDInstall.dep"
+!ELSE 
+!MESSAGE Warning: cannot find "BINDInstall.dep"
+!ENDIF 
+!ENDIF 
+
+
+!IF "$(CFG)" == "BINDInstall - Win32 Release" || "$(CFG)" == "BINDInstall - Win32 Debug"
+SOURCE=.\AccountInfo.cpp
+
+!IF  "$(CFG)" == "BINDInstall - Win32 Release"
+
+
+"$(INTDIR)\AccountInfo.obj" : $(SOURCE) "$(INTDIR)" "$(INTDIR)\BINDInstall.pch"
+
+
+!ELSEIF  "$(CFG)" == "BINDInstall - Win32 Debug"
+
+
+"$(INTDIR)\AccountInfo.obj"	"$(INTDIR)\AccountInfo.sbr" : $(SOURCE) "$(INTDIR)" "$(INTDIR)\BINDInstall.pch"
+
+
+!ENDIF 
+
+SOURCE=.\BINDInstall.cpp
+
+!IF  "$(CFG)" == "BINDInstall - Win32 Release"
+
+
+"$(INTDIR)\BINDInstall.obj" : $(SOURCE) "$(INTDIR)" "$(INTDIR)\BINDInstall.pch"
+
+
+!ELSEIF  "$(CFG)" == "BINDInstall - Win32 Debug"
+
+
+"$(INTDIR)\BINDInstall.obj"	"$(INTDIR)\BINDInstall.sbr" : $(SOURCE) "$(INTDIR)" "$(INTDIR)\BINDInstall.pch"
+
+
+!ENDIF 
+
+SOURCE=.\BINDInstallDlg.cpp
+
+!IF  "$(CFG)" == "BINDInstall - Win32 Release"
+
+
+"$(INTDIR)\BINDInstallDlg.obj" : $(SOURCE) "$(INTDIR)" "$(INTDIR)\BINDInstall.pch"
+
+
+!ELSEIF  "$(CFG)" == "BINDInstall - Win32 Debug"
+
+
+"$(INTDIR)\BINDInstallDlg.obj"	"$(INTDIR)\BINDInstallDlg.sbr" : $(SOURCE) "$(INTDIR)" "$(INTDIR)\BINDInstall.pch"
+
+
+!ENDIF 
+
+SOURCE=.\DirBrowse.cpp
+
+!IF  "$(CFG)" == "BINDInstall - Win32 Release"
+
+
+"$(INTDIR)\DirBrowse.obj" : $(SOURCE) "$(INTDIR)" "$(INTDIR)\BINDInstall.pch"
+
+
+!ELSEIF  "$(CFG)" == "BINDInstall - Win32 Debug"
+
+
+"$(INTDIR)\DirBrowse.obj"	"$(INTDIR)\DirBrowse.sbr" : $(SOURCE) "$(INTDIR)" "$(INTDIR)\BINDInstall.pch"
+
+
+!ENDIF 
+
+SOURCE=..\..\..\lib\isc\win32\ntgroups.c
+
+!IF  "$(CFG)" == "BINDInstall - Win32 Release"
+
+CPP_SWITCHES=/nologo /MD /W3 /GX /O2 /I "..\include" /I "..\..\..\include" /I "..\..\named\win32\include" /I "..\..\..\lib\isc\win32\include" /I "..\..\..\lib\isc\include" /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_AFXDLL" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /TP /c 
+
+"$(INTDIR)\ntgroups.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) @<<
+  $(CPP_SWITCHES) $(SOURCE)
+<<
+
+
+!ELSEIF  "$(CFG)" == "BINDInstall - Win32 Debug"
+
+CPP_SWITCHES=/nologo /MDd /W3 /Gm /GX /Zi /Od /I "..\include" /I "..\..\..\include" /I "..\..\named\win32\include" /I "..\..\..\lib\isc\win32\include" /I "..\..\..\lib\isc\include" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_AFXDLL" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /TP /GZ /c 
+
+"$(INTDIR)\ntgroups.obj"	"$(INTDIR)\ntgroups.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) @<<
+  $(CPP_SWITCHES) $(SOURCE)
+<<
+
+
+!ENDIF 
+
+SOURCE=.\StdAfx.cpp
+
+!IF  "$(CFG)" == "BINDInstall - Win32 Release"
+
+CPP_SWITCHES=/nologo /MD /W3 /GX /O2 /I "..\include" /I "..\..\..\include" /I "..\..\named\win32\include" /I "..\..\..\lib\isc\win32\include" /I "..\..\..\lib\isc\include" /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_AFXDLL" /Fp"$(INTDIR)\BINDInstall.pch" /Yc"stdafx.h" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /TP /c 
+
+"$(INTDIR)\StdAfx.obj"	"$(INTDIR)\BINDInstall.pch" : $(SOURCE) "$(INTDIR)"
+	$(CPP) @<<
+  $(CPP_SWITCHES) $(SOURCE)
+<<
+
+
+!ELSEIF  "$(CFG)" == "BINDInstall - Win32 Debug"
+
+CPP_SWITCHES=/nologo /MDd /W3 /Gm /GX /Zi /Od /I "..\include" /I "..\..\..\include" /I "..\..\named\win32\include" /I "..\..\..\lib\isc\win32\include" /I "..\..\..\lib\isc\include" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_AFXDLL" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\BINDInstall.pch" /Yc"stdafx.h" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /TP /GZ /c 
+
+"$(INTDIR)\StdAfx.obj"	"$(INTDIR)\StdAfx.sbr"	"$(INTDIR)\BINDInstall.pch" : $(SOURCE) "$(INTDIR)"
+	$(CPP) @<<
+  $(CPP_SWITCHES) $(SOURCE)
+<<
+
+
+!ENDIF 
+
+SOURCE=.\VersionInfo.cpp
+
+!IF  "$(CFG)" == "BINDInstall - Win32 Release"
+
+
+"$(INTDIR)\VersionInfo.obj" : $(SOURCE) "$(INTDIR)" "$(INTDIR)\BINDInstall.pch"
+
+
+!ELSEIF  "$(CFG)" == "BINDInstall - Win32 Debug"
+
+
+"$(INTDIR)\VersionInfo.obj"	"$(INTDIR)\VersionInfo.sbr" : $(SOURCE) "$(INTDIR)" "$(INTDIR)\BINDInstall.pch"
+
+
+!ENDIF 
+
+SOURCE=.\BINDInstall.rc
+
+"$(INTDIR)\BINDInstall.res" : $(SOURCE) "$(INTDIR)"
+	$(RSC) $(RSC_PROJ) $(SOURCE)
+
+
+
+!ENDIF 
+
diff --git a/bin/win32/BINDInstall/BINDInstall.rc b/bin/win32/BINDInstall/BINDInstall.rc
index fe29c97d..733591d3 100644
--- a/bin/win32/BINDInstall/BINDInstall.rc
+++ b/bin/win32/BINDInstall/BINDInstall.rc
@@ -73,39 +73,48 @@ IDR_MAINFRAME           ICON    DISCARDABLE     "res\\BINDInstall.ico"
 // Dialog
 //
 
-IDD_BINDINSTALL_DIALOG DIALOGEX 0, 0, 210, 234
+IDD_BINDINSTALL_DIALOG DIALOGEX 0, 0, 210, 301
 STYLE DS_MODALFRAME | DS_CENTER | WS_POPUP | WS_VISIBLE | WS_CAPTION | 
     WS_SYSMENU
 EXSTYLE WS_EX_APPWINDOW
 CAPTION "BIND 9 Installer"
 FONT 8, "MS Sans Serif"
 BEGIN
-    LTEXT           "Target Directory:",IDC_STATIC,7,69,54,8
-    EDITTEXT        IDC_TARGETDIR,7,82,196,14,ES_AUTOHSCROLL
-    GROUPBOX        "Progress",IDC_STATIC,7,157,196,70
-    RTEXT           "",IDC_COPY_TAG,10,191,84,8
-    LTEXT           "",IDC_COPY_FILE,100,191,97,8
-    RTEXT           "",IDC_SERVICE_TAG,10,202,84,8
-    LTEXT           "",IDC_REG_SERVICE,100,203,97,8
-    RTEXT           "",IDC_MESSAGE_TAG,10,213,84,8
+    EDITTEXT        IDC_TARGETDIR,7,62,196,14,ES_AUTOHSCROLL
+    EDITTEXT        IDC_ACCOUNT_NAME,7,94,196,14,ES_AUTOHSCROLL
+    EDITTEXT        IDC_ACCOUNT_PASSWORD,7,122,196,14,ES_PASSWORD | 
+                    ES_AUTOHSCROLL
+    EDITTEXT        IDC_ACCOUNT_PASSWORD_CONFIRM,7,151,196,14,ES_PASSWORD | 
+                    ES_AUTOHSCROLL
     DEFPUSHBUTTON   "&Install",IDC_INSTALL,153,7,50,14
-    LTEXT           "",IDC_REG_MESSAGE,100,214,97,8
-    RTEXT           "",IDC_DIR_TAG,10,180,84,8
     PUSHBUTTON      "E&xit",IDC_EXIT,153,39,50,14
     CONTROL         "&Automatic Startup",IDC_AUTO_START,"Button",
-                    BS_AUTOCHECKBOX | WS_TABSTOP,14,112,72,10
-    GROUPBOX        "Options",IDC_STATIC,7,102,196,49
+                    BS_AUTOCHECKBOX | WS_TABSTOP,14,190,72,10
+    CONTROL         "&Keep Config Files After Uninstall",IDC_KEEP_FILES,
+                    "Button",BS_AUTOCHECKBOX | WS_TABSTOP,14,200,116,10
+    CONTROL         "&Start BIND Service After Install",IDC_START,"Button",
+                    BS_AUTOCHECKBOX | WS_TABSTOP,14,210,113,10
     PUSHBUTTON      "&Uninstall",IDC_UNINSTALL,153,23,50,14
+    PUSHBUTTON      "Browse",IDC_BROWSE,7,22,50,14
+    LTEXT           "Target Directory:",IDC_STATIC,7,53,54,8
+    GROUPBOX        "Progress",IDC_STATIC,7,224,196,70
+    RTEXT           "",IDC_COPY_TAG,14,261,78,8
+    LTEXT           "",IDC_COPY_FILE,105,261,90,8
+    RTEXT           "",IDC_SERVICE_TAG,15,271,77,8
+    LTEXT           "",IDC_REG_SERVICE,105,271,89,8
+    RTEXT           "",IDC_MESSAGE_TAG,15,281,77,8
+    LTEXT           "",IDC_REG_MESSAGE,105,281,88,8
+    RTEXT           "",IDC_DIR_TAG,15,251,77,8
+    GROUPBOX        "Options",IDC_STATIC,7,172,196,49
     CTEXT           "Version Unknown",IDC_VERSION,7,7,61,10,SS_CENTERIMAGE | 
                     SS_SUNKEN
-    CONTROL         "&Keep Config Files After Uninstall",IDC_KEEP_FILES,
-                    "Button",BS_AUTOCHECKBOX | WS_TABSTOP,14,122,116,10
-    PUSHBUTTON      "Browse",IDC_BROWSE,7,22,50,14
-    RTEXT           "Current Operation:",IDC_CURRENT_TAG,36,166,58,8
-    LTEXT           "",IDC_CURRENT,100,166,97,8
-    LTEXT           "",IDC_CREATE_DIR,100,180,97,8
-    CONTROL         "&Start BIND Service After Install",IDC_START,"Button",
-                    BS_AUTOCHECKBOX | WS_TABSTOP,14,132,113,10
+    RTEXT           "Current Operation:",IDC_CURRENT_TAG,34,235,58,8
+    LTEXT           "",IDC_CURRENT,105,235,90,8
+    LTEXT           "",IDC_CREATE_DIR,105,251,88,8
+    LTEXT           "Service Account Name",IDC_STATIC,7,84,74,8
+    LTEXT           "Service Account Password",IDC_STATIC,7,112,86,8
+    LTEXT           "Confirm Service Account Password",IDC_STATIC,7,140,112,
+                    8
 END
 
 IDD_BROWSE DIALOG DISCARDABLE  0, 0, 227, 117
@@ -122,6 +131,15 @@ BEGIN
                     WS_VSCROLL | WS_TABSTOP
 END
 
+IDD_DIALOG1 DIALOG DISCARDABLE  0, 0, 186, 95
+STYLE DS_MODALFRAME | WS_POPUP | WS_CAPTION | WS_SYSMENU
+CAPTION "Dialog"
+FONT 8, "MS Sans Serif"
+BEGIN
+    DEFPUSHBUTTON   "OK",IDOK,129,7,50,14
+    PUSHBUTTON      "Cancel",IDCANCEL,129,24,50,14
+END
+
 
 #ifndef _MAC
 /////////////////////////////////////////////////////////////////////////////
@@ -130,8 +148,8 @@ END
 //
 
 VS_VERSION_INFO VERSIONINFO
- FILEVERSION 1,5,0,0
- PRODUCTVERSION 1,5,0,0
+ FILEVERSION 2,0,0,0
+ PRODUCTVERSION 2,0,0,0
  FILEFLAGSMASK 0x3fL
 #ifdef _DEBUG
  FILEFLAGS 0x1L
@@ -149,14 +167,14 @@ BEGIN
             VALUE "Comments", "\0"
             VALUE "CompanyName", "Internet Software Consortium\0"
             VALUE "FileDescription", "ISC BIND Install Utility\0"
-            VALUE "FileVersion", "1.5.0\0"
+            VALUE "FileVersion", "2.0.0\0"
             VALUE "InternalName", "BINDInstall\0"
             VALUE "LegalCopyright", "Copyright © 2000\0"
             VALUE "LegalTrademarks", "\0"
             VALUE "OriginalFilename", "BINDInstall.EXE\0"
             VALUE "PrivateBuild", "\0"
             VALUE "ProductName", "ISC BIND\0"
-            VALUE "ProductVersion", "9.2.0\0"
+            VALUE "ProductVersion", "9.3.0\0"
             VALUE "SpecialBuild", "\0"
         END
     END
@@ -181,8 +199,19 @@ BEGIN
     BEGIN
         LEFTMARGIN, 7
         RIGHTMARGIN, 203
+        VERTGUIDE, 14
+        VERTGUIDE, 92
+        VERTGUIDE, 105
         TOPMARGIN, 7
-        BOTTOMMARGIN, 227
+        BOTTOMMARGIN, 294
+        HORZGUIDE, 195
+        HORZGUIDE, 205
+        HORZGUIDE, 215
+        HORZGUIDE, 239
+        HORZGUIDE, 255
+        HORZGUIDE, 265
+        HORZGUIDE, 275
+        HORZGUIDE, 285
     END
 
     IDD_BROWSE, DIALOG
@@ -192,6 +221,14 @@ BEGIN
         TOPMARGIN, 7
         BOTTOMMARGIN, 110
     END
+
+    IDD_DIALOG1, DIALOG
+    BEGIN
+        LEFTMARGIN, 7
+        RIGHTMARGIN, 179
+        TOPMARGIN, 7
+        BOTTOMMARGIN, 88
+    END
 END
 #endif    // APSTUDIO_INVOKED
 
@@ -262,6 +299,12 @@ BEGIN
     IDS_NO_VERSION          "Version Unknown"
     IDS_EXISTING_NEWER      "%s\nThe existing version of this file is newer than the version being installed.\nDo you wish to overwrite the existing file?"
     IDS_FILE_BAD            "Could not retrieve version info for file %s.  Do you wish to continue?\n(Continuing may overwrite a newer version of the file) "
+    IDS_ERR_TOOPRIVED       "Chosen account has too many privileges. Do you wish to choose a different account name?"
+    IDS_ERR_BADACCOUNT      "Error Validating Account. Unable to install service using this account."
+    IDS_ERR_WRONGPRIV       "The wrong privilege: %s was detected.  Only the Service Logon Right privilege should be enabled for this account."
+    IDS_CREATEACCOUNT_FAILED "Unable to Create Account for the Service."
+    IDS_ERR_PASSWORD        "Passwords entered did not match. Please reenter password."
+    IDS_ERR_UPDATE_SERVICE  "Error updating service\n(%s)"
 END
 
 #endif    // English (U.S.) resources
diff --git a/bin/win32/BINDInstall/BINDInstallDlg.cpp b/bin/win32/BINDInstall/BINDInstallDlg.cpp
index c6fa6b65..a46bccad 100644
--- a/bin/win32/BINDInstall/BINDInstallDlg.cpp
+++ b/bin/win32/BINDInstall/BINDInstallDlg.cpp
@@ -1,6 +1,6 @@
 /*
- * Portions Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2001-2003  Internet Software Consortium.
+ * Portions Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: BINDInstallDlg.cpp,v 1.6.2.21 2007/06/27 01:52:19 marka Exp $ */
+/* $Id: BINDInstallDlg.cpp,v 1.6.2.6.2.6 2004/03/11 05:58:40 marka Exp $ */
 
 /*
  * Copyright (c) 1999-2000 by Nortel Networks Corporation
@@ -59,9 +59,14 @@
 #include <winsvc.h>
 #include <named/ntservice.h>
 #include <isc/bind_registry.h>
+#include <isc/ntgroups.h>
 #include <direct.h>
+#include "AccountInfo.h"
 #include "versioninfo.h"
 
+#define MAX_GROUPS	100
+#define MAX_PRIVS	 50
+
 #ifdef _DEBUG
 #define new DEBUG_NEW
 #undef THIS_FILE
@@ -87,8 +92,7 @@ _xexception::_xexception(UINT string, ...)
 	va_end(va);
 }
 
-typedef struct _filedata
-{
+typedef struct _filedata {
 	enum FileDestinations {TargetDir, BinDir, EtcDir, WinSystem};
 	enum FileImportance {Trivial, Normal, Critical};
 
@@ -109,21 +113,15 @@ const FileData installFiles[] =
 	{"msvcrt.dll", FileData::WinSystem, FileData::Critical, TRUE},
 #  endif
 #endif
-#if _MSC_VER < 1400
-#if _MSC_VER >= 1310
-	{"mfc71.dll", FileData::WinSystem, FileData::Critical, TRUE},
-	{"msvcr71.dll", FileData::WinSystem, FileData::Critical, TRUE},
-#elif _MSC_VER > 1200 && _MSC_VER < 1310
 	{"mfc70.dll", FileData::WinSystem, FileData::Critical, TRUE},
 	{"msvcr70.dll", FileData::WinSystem, FileData::Critical, TRUE},
-#endif
-#endif
-	{"bindevt.dll", FileData::BinDir, FileData::Normal, FALSE},
-	{"libisc.dll", FileData::BinDir, FileData::Critical, FALSE},
-	{"libisccfg.dll", FileData::BinDir, FileData::Critical, FALSE},
-	{"libisccc.dll", FileData::BinDir, FileData::Critical, FALSE},
-	{"libdns.dll", FileData::BinDir, FileData::Critical, FALSE},
-	{"liblwres.dll", FileData::BinDir, FileData::Critical, FALSE},
+	{"bindevt.dll", FileData::WinSystem, FileData::Normal, FALSE},
+	{"libbind9.dll", FileData::WinSystem, FileData::Critical, FALSE},
+	{"libisc.dll", FileData::WinSystem, FileData::Critical, FALSE},
+	{"libisccfg.dll", FileData::WinSystem, FileData::Critical, FALSE},
+	{"libisccc.dll", FileData::WinSystem, FileData::Critical, FALSE},
+	{"libdns.dll", FileData::WinSystem, FileData::Critical, FALSE},
+	{"liblwres.dll", FileData::WinSystem, FileData::Critical, FALSE},
 	{"libeay32.dll", FileData::BinDir, FileData::Critical, FALSE},
 	{"named.exe", FileData::BinDir, FileData::Critical, FALSE},
 	{"nsupdate.exe", FileData::BinDir, FileData::Normal, FALSE},
@@ -143,12 +141,12 @@ const FileData installFiles[] =
 	{NULL, -1, -1}
 };
 
+
 /////////////////////////////////////////////////////////////////////////////
 // CBINDInstallDlg dialog
 
 CBINDInstallDlg::CBINDInstallDlg(CWnd* pParent /*=NULL*/)
-	: CDialog(CBINDInstallDlg::IDD, pParent)
-{
+	: CDialog(CBINDInstallDlg::IDD, pParent) {
 	char buf[MAX_PATH];
 
 	//{{AFX_DATA_INIT(CBINDInstallDlg)
@@ -158,23 +156,36 @@ CBINDInstallDlg::CBINDInstallDlg(CWnd* pParent /*=NULL*/)
 	m_keepFiles = FALSE;
 	m_current = _T("");
 	m_startOnInstall = FALSE;
+	m_accountName = _T("");
+	m_accountPassword = _T("");
+	m_accountName = _T("");
 	//}}AFX_DATA_INIT
 	// Note that LoadIcon does not require a subsequent DestroyIcon in Win32
 	m_hIcon = AfxGetApp()->LoadIcon(IDR_MAINFRAME);
-	m_reboot = FALSE;
 
 	GetSystemDirectory(buf, MAX_PATH);
 	m_winSysDir = buf;
 	m_defaultDir = buf;
 	m_defaultDir += "\\dns";
+	m_installed = FALSE;
+	m_accountExists = FALSE;
+	m_accountUsed = FALSE;
+	m_serviceExists = TRUE;
+	GetCurrentServiceAccountName();
+	m_currentAccount = m_accountName;
+	if (m_accountName == "") {
+		m_accountName = "named";
+	}
 }
 
-void CBINDInstallDlg::DoDataExchange(CDataExchange* pDX)
-{
+void CBINDInstallDlg::DoDataExchange(CDataExchange* pDX) {
 	CDialog::DoDataExchange(pDX);
 	//{{AFX_DATA_MAP(CBINDInstallDlg)
 	DDX_Text(pDX, IDC_TARGETDIR, m_targetDir);
 	DDX_Text(pDX, IDC_VERSION, m_version);
+	DDX_Text(pDX, IDC_ACCOUNT_NAME, m_accountName);
+	DDX_Text(pDX, IDC_ACCOUNT_PASSWORD, m_accountPassword);
+	DDX_Text(pDX, IDC_ACCOUNT_PASSWORD_CONFIRM, m_accountPasswordConfirm);
 	DDX_Check(pDX, IDC_AUTO_START, m_autoStart);
 	DDX_Check(pDX, IDC_KEEP_FILES, m_keepFiles);
 	DDX_Text(pDX, IDC_CURRENT, m_current);
@@ -196,8 +207,7 @@ END_MESSAGE_MAP()
 /////////////////////////////////////////////////////////////////////////////
 // CBINDInstallDlg message handlers
 
-BOOL CBINDInstallDlg::OnInitDialog()
-{
+BOOL CBINDInstallDlg::OnInitDialog() {
 	CDialog::OnInitDialog();
 
 	// Set the icon for this dialog.  The framework does this automatically
@@ -215,7 +225,6 @@ BOOL CBINDInstallDlg::OnInitDialog()
 	dirname[index] = '\0';
 	CString Dirname(dirname);
 	m_currentDir = Dirname;
-
 	
 	CVersionInfo bindInst(filename);
 	if(bindInst.IsValid())
@@ -230,12 +239,14 @@ BOOL CBINDInstallDlg::OnInitDialog()
 	m_startOnInstall = CheckBINDService();
 
 	/* See if we are installed already */
-	if(RegOpenKeyEx(HKEY_LOCAL_MACHINE, BIND_SUBKEY, 0, KEY_READ, &hKey) == ERROR_SUCCESS)
-	{
+	if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, BIND_SUBKEY, 0, KEY_READ, &hKey)
+			== ERROR_SUCCESS) {
+		m_installed = TRUE;
 		memset(buf, 0, MAX_PATH);
 		// Get the install directory
-		if(RegQueryValueEx(hKey, "InstallDir", NULL, NULL, (LPBYTE)buf, &dwBufLen) == ERROR_SUCCESS)
-			if(strcmp(buf, ""))
+		if (RegQueryValueEx(hKey, "InstallDir", NULL, NULL, (LPBYTE)buf,
+			&dwBufLen) == ERROR_SUCCESS)
+			if (strcmp(buf, ""))
 				m_defaultDir = buf;
 		
 		RegCloseKey(hKey);
@@ -248,17 +259,17 @@ BOOL CBINDInstallDlg::OnInitDialog()
 
 	UpdateData(FALSE);
 
-	return(TRUE);  // return(TRUE  unless you set the focus to a control
+	return (TRUE); /* return(TRUE) unless you set the focus to a control */
 }
 
-// If you add a minimize button to your dialog, you will need the code below
-//  to draw the icon.  For MFC applications using the document/view model,
-//  this is automatically done for you by the framework.
+/*
+ *  If you add a minimize button to your dialog, you will need the code below
+ *  to draw the icon.  For MFC applications using the document/view model,
+ *  this is automatically done for you by the framework.
+ */
 
-void CBINDInstallDlg::OnPaint() 
-{
-	if (IsIconic())
-	{
+void CBINDInstallDlg::OnPaint() {
+	if (IsIconic())	{
 		CPaintDC dc(this); // device context for painting
 
 		SendMessage(WM_ICONERASEBKGND, (WPARAM) dc.GetSafeHdc(), 0);
@@ -274,26 +285,22 @@ void CBINDInstallDlg::OnPaint()
 		// Draw the icon
 		dc.DrawIcon(x, y, m_hIcon);
 	}
-	else
-	{
+	else {
 		CDialog::OnPaint();
 	}
 }
 
 // The system calls this to obtain the cursor to display while the user drags
 //  the minimized window.
-HCURSOR CBINDInstallDlg::OnQueryDragIcon()
-{
+HCURSOR CBINDInstallDlg::OnQueryDragIcon() {
 	return((HCURSOR)m_hIcon);
 }
 
-void CBINDInstallDlg::OnBrowse() 
-{
+void CBINDInstallDlg::OnBrowse() {
 
 	CDirBrowse browse;
 
-	if(browse.DoModal() == IDOK)
-	{
+	if (browse.DoModal() == IDOK) 	{
 		//m_targetDir = browse.m_selectedDir;
 		UpdateData(FALSE);
 	}
@@ -302,44 +309,40 @@ void CBINDInstallDlg::OnBrowse()
 /*
  * User pressed the exit button
  */
-void CBINDInstallDlg::OnExit() 
-{
+void CBINDInstallDlg::OnExit() {
 	EndDialog(0);	
 }
 
 /*
  * User pressed the uninstall button.  Make it go.
  */
-void CBINDInstallDlg::OnUninstall() 
-{
+void CBINDInstallDlg::OnUninstall() {
 	UpdateData();	
 
-	if(MsgBox(IDS_UNINSTALL, MB_YESNO) == IDYES)
-	{
-		if(CheckBINDService())
+	if (MsgBox(IDS_UNINSTALL, MB_YESNO) == IDYES) {
+		if (CheckBINDService())
 			StopBINDService();
 
-		SC_HANDLE hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
-		if(!hSCManager)
-		{
+		SC_HANDLE hSCManager = OpenSCManager(NULL, NULL,
+					SC_MANAGER_ALL_ACCESS);
+		if (!hSCManager) {
 			MsgBox(IDS_ERR_OPEN_SCM, GetErrMessage());
 			return;
 		}
 		
-		SC_HANDLE hService = OpenService(hSCManager, BIND_SERVICE_NAME, SERVICE_ALL_ACCESS);
-		if(!hService && GetLastError() != ERROR_SERVICE_DOES_NOT_EXIST)
-		{
+		SC_HANDLE hService = OpenService(hSCManager, BIND_SERVICE_NAME,
+					      SERVICE_ALL_ACCESS);
+		if (!hService && GetLastError() != ERROR_SERVICE_DOES_NOT_EXIST){
 			MsgBox(IDS_ERR_OPEN_SERVICE, GetErrMessage());
 			return;
 		}
 
 		SERVICE_STATUS ss;
 		QueryServiceStatus(hService, &ss);
-		if(ss.dwCurrentState == SERVICE_RUNNING)
-		{
-			BOOL rc = ControlService(hService, SERVICE_CONTROL_STOP, &ss);
-			if(rc == FALSE || ss.dwCurrentState != SERVICE_STOPPED)
-			{
+		if (ss.dwCurrentState == SERVICE_RUNNING) {
+			BOOL rc = ControlService(hService,
+					         SERVICE_CONTROL_STOP, &ss);
+			if (rc == FALSE || ss.dwCurrentState != SERVICE_STOPPED) {
 				MsgBox(IDS_ERR_STOP_SERVICE, GetErrMessage());
 				return;
 			}
@@ -356,7 +359,7 @@ void CBINDInstallDlg::OnUninstall()
 		UnregisterMessages(TRUE);
 		UnregisterService(TRUE);
 		DeleteFiles(TRUE);
-		if(m_keepFiles == FALSE)
+		if (m_keepFiles == FALSE)
 			RemoveDirs(TRUE);
 		else
 			GetDlgItem(IDC_CREATE_DIR)->SetWindowText("Not Removed");
@@ -377,49 +380,64 @@ void CBINDInstallDlg::OnUninstall()
 /*
  * User pressed the install button.  Make it go.
  */
-void CBINDInstallDlg::OnInstall() 
-{
+void CBINDInstallDlg::OnInstall() {
 	BOOL success = FALSE;
 
-	if(CheckBINDService())
+	if (CheckBINDService())
 		StopBINDService();
 
 	InstallTags();
 
 	UpdateData();
 
-	// Directories
+	/* Check that the Passwords entered match */ 
+	if (m_accountPassword != m_accountPasswordConfirm) {
+		MsgBox(IDS_ERR_PASSWORD);
+		return;
+	}
+
+	/* Check the entered account name */
+	if (ValidateServiceAccount() == FALSE)
+		return;
+
+
+	/* For Registration we need to know if account was changed */
+	if(m_accountName != m_currentAccount)
+		m_accountUsed = FALSE;
+
+	/* Directories */
 	m_etcDir = m_targetDir + "\\etc";
 	m_binDir = m_targetDir + "\\bin";
 
-	if(m_defaultDir != m_targetDir)
-	{
-		if(GetFileAttributes(m_targetDir) != 0xFFFFFFFF)
+	if (m_defaultDir != m_targetDir) {
+		if (GetFileAttributes(m_targetDir) != 0xFFFFFFFF)
 		{
-			int install = MsgBox(IDS_DIREXIST, MB_YESNO | MB_ICONQUESTION, m_targetDir);
-			if(install == IDNO)
+			int install = MsgBox(IDS_DIREXIST,
+					MB_YESNO | MB_ICONQUESTION, m_targetDir);
+			if (install == IDNO)
 				return;
 		}
-		else
-		{
-			int createDir = MsgBox(IDS_CREATEDIR, MB_YESNO | MB_ICONQUESTION, m_targetDir);
-			if(createDir == IDNO)
+		else {
+			int createDir = MsgBox(IDS_CREATEDIR,
+					MB_YESNO | MB_ICONQUESTION, m_targetDir);
+			if (createDir == IDNO)
 				return;
 		}
 	}
 
-#if _MSC_VER >= 1400
-	/*
-	 * Install Visual Studio libraries.  As per:
-	 * http://blogs.msdn.com/astebner/archive/2006/08/23/715755.aspx
-	 *
-	 * Vcredist_x86.exe /q:a /c:"msiexec /i vcredist.msi /qn /l*v %temp%\vcredist_x86.log"
-	*/
-	/*system(".\\Vcredist_x86.exe /q:a /c:\"msiexec /i vcredist.msi /qn /l*v %temp%\vcredist_x86.log\"");*/
-	system(".\\Vcredist_x86.exe");
-#endif
-	try
-	{
+	if (m_accountExists == FALSE) {
+		success = CreateServiceAccount(m_accountName.GetBuffer(30),
+						m_accountPassword.GetBuffer(30));
+		if (success == FALSE) {
+			MsgBox(IDS_CREATEACCOUNT_FAILED);
+			return;
+		}
+		m_accountExists = TRUE;
+	}
+
+	ProgramGroup();
+
+	try {
 		CreateDirs();
  		CopyFiles();
 		RegisterService();
@@ -429,42 +447,45 @@ void CBINDInstallDlg::OnInstall()
 
 		/* Create a new key for named */
 		SetCurrent(IDS_CREATE_KEY);
-		if(RegCreateKey(HKEY_LOCAL_MACHINE, BIND_SUBKEY, &hKey) == ERROR_SUCCESS)
-		{
+		if (RegCreateKey(HKEY_LOCAL_MACHINE, BIND_SUBKEY,
+			&hKey) == ERROR_SUCCESS) {
 			// Get the install directory
-			RegSetValueEx(hKey, "InstallDir", 0, REG_SZ, (LPBYTE)(LPCTSTR)m_targetDir, m_targetDir.GetLength());
+			RegSetValueEx(hKey, "InstallDir", 0, REG_SZ,
+					(LPBYTE)(LPCTSTR)m_targetDir,
+					m_targetDir.GetLength());
 			RegCloseKey(hKey);
 		}
 
 		
 		SetCurrent(IDS_ADD_REMOVE);
-		if(RegCreateKey(HKEY_LOCAL_MACHINE, BIND_UNINSTALL_SUBKEY,
-				&hKey) == ERROR_SUCCESS)
-		{
+		if (RegCreateKey(HKEY_LOCAL_MACHINE, BIND_UNINSTALL_SUBKEY,
+				&hKey) == ERROR_SUCCESS) {
+			char winDir[MAX_PATH];
 			CString buf(BIND_DISPLAY_NAME);
+			GetWindowsDirectory(winDir, MAX_PATH);
 
 			RegSetValueEx(hKey, "DisplayName", 0, REG_SZ,
-				      (LPBYTE)(LPCTSTR)buf, buf.GetLength());
+					(LPBYTE)(LPCTSTR)buf, buf.GetLength());
 
-			buf.Format("%s\\BINDInstall.exe", m_binDir);
+			buf.Format("%s\\BINDInstall.exe", winDir);
 			RegSetValueEx(hKey, "UninstallString", 0, REG_SZ,
-				      (LPBYTE)(LPCTSTR)buf, buf.GetLength());
+					(LPBYTE)(LPCTSTR)buf, buf.GetLength());
 			RegCloseKey(hKey);
 		}
 	
-		if(m_startOnInstall && !m_reboot)
+		ProgramGroup();
+		
+		if (m_startOnInstall)
 			StartBINDService();
 	}
-	catch(Exception e)
-	{
+	catch(Exception e) {
 		MessageBox(e.resString);
 		SetCurrent(IDS_CLEANUP);
 		FailedInstall();
 		MsgBox(IDS_FAIL);
 		return;
 	}
-	catch(DWORD dw)
-	{
+	catch(DWORD dw)	{
 		CString msg;
 		msg.Format("A fatal error occured\n(%s)", GetErrMessage(dw));
 		MessageBox(msg);
@@ -476,94 +497,88 @@ void CBINDInstallDlg::OnInstall()
 
 	SetCurrent(IDS_INSTALL_DONE);
 	MsgBox(IDS_SUCCESS);
-	if(m_reboot)
-	{
-		if(MsgBox(IDS_REBOOT, MB_YESNO) == IDYES)
-		{
-			InitiateSystemShutdown(NULL, NULL, 0, TRUE, TRUE);
-		}
-	}
 }
 
 /*
  * Methods to do the work
  */
-void CBINDInstallDlg::CreateDirs()
-{
+void CBINDInstallDlg::CreateDirs() {
 	/* s'OK if the directories already exist */
 	SetCurrent(IDS_CREATE_DIR, m_targetDir);
-	if(!CreateDirectory(m_targetDir, NULL) && GetLastError() != ERROR_ALREADY_EXISTS)
+	if (!CreateDirectory(m_targetDir, NULL) && GetLastError() != ERROR_ALREADY_EXISTS)
 		throw(Exception(IDS_ERR_CREATE_DIR, m_targetDir, GetErrMessage()));
 
 	SetCurrent(IDS_CREATE_DIR, m_etcDir);
-	if(!CreateDirectory(m_etcDir, NULL) && GetLastError() != ERROR_ALREADY_EXISTS)
+	if (!CreateDirectory(m_etcDir, NULL) && GetLastError() != ERROR_ALREADY_EXISTS)
 		throw(Exception(IDS_ERR_CREATE_DIR, m_etcDir, GetErrMessage()));
 
 	SetCurrent(IDS_CREATE_DIR, m_binDir);
-	if(!CreateDirectory(m_binDir, NULL) && GetLastError() != ERROR_ALREADY_EXISTS)
+	if (!CreateDirectory(m_binDir, NULL) && GetLastError() != ERROR_ALREADY_EXISTS)
 		throw(Exception(IDS_ERR_CREATE_DIR, m_binDir, GetErrMessage()));
 		
 	SetItemStatus(IDC_CREATE_DIR);
 }
 
-void CBINDInstallDlg::RemoveDirs(BOOL uninstall)
-{
-	if(!m_keepFiles)
-	{
+void CBINDInstallDlg::RemoveDirs(BOOL uninstall) {
+	if (!m_keepFiles) {
 		SetCurrent(IDS_REMOVE_DIR, m_binDir);
 		// Check for existence then remove if present
-		if(GetFileAttributes(m_binDir) != 0xFFFFFFFF)
+		if (GetFileAttributes(m_binDir) != 0xFFFFFFFF)
 			RemoveDirectory(m_binDir);
 
 		SetCurrent(IDS_REMOVE_DIR, m_etcDir);
-		if(GetFileAttributes(m_etcDir) != 0xFFFFFFFF)
+		if (GetFileAttributes(m_etcDir) != 0xFFFFFFFF)
 			RemoveDirectory(m_etcDir);
 
 		SetCurrent(IDS_REMOVE_DIR, m_targetDir);
-		if(GetFileAttributes(m_targetDir) != 0xFFFFFFFF)
+		if (GetFileAttributes(m_targetDir) != 0xFFFFFFFF)
 			RemoveDirectory(m_targetDir);
 	}
 
-	if(uninstall)
+	if (uninstall)
 		SetItemStatus(IDC_CREATE_DIR, TRUE);
 }
 
-void CBINDInstallDlg::CopyFiles()
-{
+void CBINDInstallDlg::CopyFiles() {
 	CString destFile;
 
-	for(int i = 0; installFiles[i].filename; i++)
-	{
+	for (int i = 0; installFiles[i].filename; i++) {
 		SetCurrent(IDS_COPY_FILE, installFiles[i].filename);
 
-		destFile = DestDir(installFiles[i].destination) + "\\" + installFiles[i].filename;
+		destFile = DestDir(installFiles[i].destination) + "\\" +
+				   installFiles[i].filename;
 		CString filespec = m_currentDir + "\\" + installFiles[i].filename;
-		CVersionInfo bindFile(destFile);		/* This file doesn't have to exist */
+		CVersionInfo bindFile(destFile);
 		
 		CVersionInfo origFile(filespec);
-		if(!origFile.IsValid() && installFiles[i].checkVer)
-		{
-			if(MsgBox(IDS_FILE_BAD, MB_YESNO, installFiles[i].filename) == IDNO)
-				throw(Exception(IDS_ERR_COPY_FILE, installFiles[i].filename, GetErrMessage()));
+		if (!origFile.IsValid() && installFiles[i].checkVer) {
+			if (MsgBox(IDS_FILE_BAD, MB_YESNO,
+				  installFiles[i].filename) == IDNO)
+				throw(Exception(IDS_ERR_COPY_FILE,
+					installFiles[i].filename,
+					GetErrMessage()));
 		}
 		
-		try
-		{
-/* Ignore Version checking.  We need to make sure that all files get copied regardless
-   of whether or not they are earlier or later versions since we cannot guarantee
-   that we have either backward or forward compatibility between versions.
-*/
+		try {
+/* 
+ * Ignore Version checking.  We need to make sure that all files get copied regardless
+ * of whether or not they are earlier or later versions since we cannot guarantee
+ * that we have either backward or forward compatibility between versions.
+ */
 			bindFile.CopyFileNoVersion(origFile);
 		}
-		catch(...)
-		{
-			if(installFiles[i].importance != FileData::Trivial)
-			{
-				if(installFiles[i].importance == FileData::Critical ||
-					MsgBox(IDS_ERR_NONCRIT_FILE, MB_YESNO, installFiles[i].filename, GetErrMessage()) == IDNO)
+		catch(...) {
+			if (installFiles[i].importance != FileData::Trivial) {
+				if (installFiles[i].importance == 
+					FileData::Critical ||
+					MsgBox(IDS_ERR_NONCRIT_FILE, MB_YESNO,
+					installFiles[i].filename,
+					GetErrMessage()) == IDNO)
 				{
 					SetItemStatus(IDC_COPY_FILE, FALSE);
-					throw(Exception(IDS_ERR_COPY_FILE, installFiles[i].filename, GetErrMessage()));
+					throw(Exception(IDS_ERR_COPY_FILE,
+						installFiles[i].filename,
+						GetErrMessage()));
 				}
 			}
 		}
@@ -572,25 +587,23 @@ void CBINDInstallDlg::CopyFiles()
 	SetItemStatus(IDC_COPY_FILE);
 }
 
-void CBINDInstallDlg::DeleteFiles(BOOL uninstall)
-{
+void CBINDInstallDlg::DeleteFiles(BOOL uninstall) {
 	CString destFile;
 
-	for(int i = 0; installFiles[i].filename; i++)
-	{
-		if(installFiles[i].checkVer)
+	for (int i = 0; installFiles[i].filename; i++) {
+		if (installFiles[i].checkVer)
 			continue;
 
-		destFile = DestDir(installFiles[i].destination) + "\\" + installFiles[i].filename;
+		destFile = DestDir(installFiles[i].destination) + "\\" +
+				   installFiles[i].filename;
 	
-		if(uninstall)
+		if (uninstall)
 			SetCurrent(IDS_DELETE_FILE, installFiles[i].filename);
 		
 		DeleteFile(destFile);
 	}
 
-	if(!m_keepFiles)
-	{
+	if (!m_keepFiles) {
 		WIN32_FIND_DATA findData;
 		CString file = m_etcDir + "\\*.*";
 		BOOL rc;
@@ -599,10 +612,9 @@ void CBINDInstallDlg::DeleteFiles(BOOL uninstall)
 		hFile = FindFirstFile(file, &findData);
 		rc = hFile != INVALID_HANDLE_VALUE;
 		
-		while(rc == TRUE)
-		{
-			if(strcmp(findData.cFileName, ".") && strcmp(findData.cFileName, ".."))
-			{
+		while (rc == TRUE) {
+			if (strcmp(findData.cFileName, ".") &&
+			    strcmp(findData.cFileName, "..")) {
 				file = m_etcDir + "\\" + findData.cFileName;
 				SetCurrent(IDS_DELETE_FILE, file);
 				DeleteFile(file);
@@ -612,23 +624,127 @@ void CBINDInstallDlg::DeleteFiles(BOOL uninstall)
 		FindClose(hFile);
 	}
 
-	if(uninstall)
+	if (uninstall)
 		SetItemStatus(IDC_COPY_FILE, TRUE);
 }	
 
+/*
+ * Get the service account name out of the registry, if any
+ */
+void
+CBINDInstallDlg::GetCurrentServiceAccountName() {
+	HKEY hKey;
+	BOOL keyFound = FALSE;
+	char accountName[MAX_PATH];
+	DWORD nameLen = MAX_PATH;
+	CString Tmp;
+	m_accountUsed = FALSE;
+
+	memset(accountName, 0, nameLen);
+	if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, BIND_SERVICE_SUBKEY, 0, KEY_READ,
+		&hKey) == ERROR_SUCCESS) {
+		keyFound = TRUE;
+	}
+	else {
+		m_serviceExists = FALSE;
+	}
+	
+	if (keyFound == TRUE) {
+		/* Get the named service account, if one was specified */
+		if (RegQueryValueEx(hKey, "ObjectName", NULL, NULL,
+			(LPBYTE)accountName, &nameLen) != ERROR_SUCCESS)
+			keyFound = FALSE;
+	}
 
-void CBINDInstallDlg::RegisterService()
-{
+	RegCloseKey(hKey);
+	if(keyFound == FALSE)
+		m_accountName = "";
+	else {
+	/*
+	 * LocalSystem is not a regular account and is equivalent
+	 * to no account but with lots of privileges
+	 */
+		Tmp = accountName;
+		if (Tmp == ".\\LocalSystem")
+			m_accountName = "";
+		/* Found account strip any ".\" from it */
+		if (Tmp.Left(2) == ".\\") {
+			m_accountName = Tmp.Mid(2);
+			m_accountUsed = TRUE;
+		}
+	}
+}
+
+BOOL
+CBINDInstallDlg::ValidateServiceAccount() {
+	wchar_t *PrivList[MAX_PRIVS];
+	unsigned int PrivCount = 0;
+	char *Groups[MAX_GROUPS];
+	unsigned int totalGroups = 0;
+	int status;
+	char *name;
+
+	name = m_accountName.GetBuffer(30);
+
+	status = GetAccountPrivileges(name, PrivList, &PrivCount,
+		 Groups, &totalGroups, MAX_GROUPS);
+	if (status == RTN_NOACCOUNT) {
+		m_accountExists = FALSE;
+		/* We need to do this in case an account was previously used */
+		m_accountUsed = FALSE;
+		return (TRUE);
+	}
+	if (status != RTN_OK) {
+		MsgBox(IDS_ERR_BADACCOUNT);
+		return (FALSE);
+	}
+
+	m_accountExists = TRUE;
+	if (PrivCount > 1) {
+		if (MsgBox(IDS_ERR_TOOPRIVED, MB_YESNO) == IDYES)
+			return (FALSE);
+		else
+			return (TRUE);
+	}
+
+	/* See if we have the correct privilege */
+	if (wcscmp(PrivList[0], SE_SERVICE_LOGON_PRIV) != 0) {
+		MsgBox(IDS_ERR_WRONGPRIV, PrivList[0]);
+		return (FALSE);
+	}
+	return (TRUE);
+}
+
+void
+CBINDInstallDlg::RegisterService() {
 	SC_HANDLE hSCManager;
 	SC_HANDLE hService;
+	CString StartName = ".\\" + m_accountName;
+
+	/*
+	 * We need to change the service rather than create it
+	 * if the service already exists. Do nothing if we are already
+	 * using that account
+	 */
+	if(m_serviceExists == TRUE) {
+		if(m_accountUsed == FALSE) {
+			UpdateService();
+			SetItemStatus(IDC_REG_SERVICE);
+			return;
+		}
+		else {
+			SetItemStatus(IDC_REG_SERVICE);
+			return;
+		}
+	}
 
 	SetCurrent(IDS_OPEN_SCM);
 	hSCManager= OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
-	if(!hSCManager)
+	if (!hSCManager)
 		throw(Exception(IDS_ERR_OPEN_SCM, GetErrMessage()));
 
 	DWORD dwStart = SERVICE_DEMAND_START;
-	if(m_autoStart)
+	if (m_autoStart)
 		dwStart = SERVICE_AUTO_START;
 
 	DWORD dwServiceType = SERVICE_WIN32_OWN_PROCESS;
@@ -637,55 +753,103 @@ void CBINDInstallDlg::RegisterService()
 	namedLoc.Format("%s\\bin\\named.exe", m_targetDir);
 
 	SetCurrent(IDS_CREATE_SERVICE);
-	hService = CreateService(hSCManager, BIND_SERVICE_NAME, BIND_DISPLAY_NAME, SERVICE_ALL_ACCESS, dwServiceType, dwStart,
-		SERVICE_ERROR_NORMAL, namedLoc, NULL, NULL, NULL, NULL, NULL);	
+	hService = CreateService(hSCManager, BIND_SERVICE_NAME,
+		BIND_DISPLAY_NAME, SERVICE_ALL_ACCESS, dwServiceType, dwStart,
+		SERVICE_ERROR_NORMAL, namedLoc, NULL, NULL, NULL, StartName,
+		m_accountPassword);	
 	
-	if(!hService && GetLastError() != ERROR_SERVICE_EXISTS)
+	if (!hService && GetLastError() != ERROR_SERVICE_EXISTS)
 		throw(Exception(IDS_ERR_CREATE_SERVICE, GetErrMessage()));
 
-	if(hSCManager)
+	if (hService)
+		CloseServiceHandle(hService);
+
+	if (hSCManager)
 		CloseServiceHandle(hSCManager);
 
-	if(hService)
+	SetItemStatus(IDC_REG_SERVICE);
+}
+
+void
+CBINDInstallDlg::UpdateService() {
+	SC_HANDLE hSCManager;
+	SC_HANDLE hService;
+	CString StartName = ".\\" + m_accountName;
+
+	SetCurrent(IDS_OPEN_SCM);
+	hSCManager= OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
+	if (!hSCManager) {
+		MsgBox(IDS_ERR_OPEN_SCM, GetErrMessage());
+		return;
+	}
+
+	DWORD dwStart = SERVICE_DEMAND_START;
+	if (m_autoStart)
+		dwStart = SERVICE_AUTO_START;
+
+	DWORD dwServiceType = SERVICE_WIN32_OWN_PROCESS;
+
+	CString namedLoc;
+	namedLoc.Format("%s\\bin\\named.exe", m_targetDir);
+
+	SetCurrent(IDS_OPEN_SERVICE);
+	hService = OpenService(hSCManager, BIND_SERVICE_NAME,
+			       SERVICE_CHANGE_CONFIG);
+	if (!hService)
+	{
+		MsgBox(IDS_ERR_OPEN_SERVICE, GetErrMessage());
+		if (hSCManager)
+			CloseServiceHandle(hSCManager);
+		return;
+	}
+	else {
+		if (ChangeServiceConfig(hService, dwServiceType, dwStart,
+			SERVICE_ERROR_NORMAL, namedLoc, NULL, NULL, NULL,
+			StartName, m_accountPassword,BIND_DISPLAY_NAME)
+			!= TRUE) {
+			DWORD err = GetLastError();
+			MsgBox(IDS_ERR_UPDATE_SERVICE, GetErrMessage());
+		}
+	}
+
+	if (hService)
 		CloseServiceHandle(hService);
 
+	if (hSCManager)
+		CloseServiceHandle(hSCManager);
+
 	SetItemStatus(IDC_REG_SERVICE);
 }
 
-void CBINDInstallDlg::UnregisterService(BOOL uninstall)
-{
+void CBINDInstallDlg::UnregisterService(BOOL uninstall) {
 	BOOL rc = FALSE;
 	SC_HANDLE hSCManager;
 	SC_HANDLE hService;
 
-	while(1)
-	{
+	while(1) {
 		SetCurrent(IDS_OPEN_SCM);
 		hSCManager= OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
-		if(!hSCManager && uninstall == TRUE)
-		{
+		if (!hSCManager && uninstall == TRUE) {
 			MsgBox(IDS_ERR_OPEN_SCM, GetErrMessage());
 			break;
 		}
 
 		SetCurrent(IDS_OPEN_SERVICE);
-		hService = OpenService(hSCManager, BIND_SERVICE_NAME, STANDARD_RIGHTS_REQUIRED);
-		if(!hService && uninstall == TRUE)
+		hService = OpenService(hSCManager, BIND_SERVICE_NAME,
+				       STANDARD_RIGHTS_REQUIRED);
+		if (!hService && uninstall == TRUE)
 		{
-			if(GetLastError() != ERROR_SERVICE_DOES_NOT_EXIST)
-			{
+			if (GetLastError() != ERROR_SERVICE_DOES_NOT_EXIST) {
 				MsgBox(IDS_ERR_OPEN_SERVICE, GetErrMessage());
 				break;
 			}
 		}
-		else
-		{
+		else {
 			SetCurrent(IDS_REMOVE_SERVICE);
-			if(!DeleteService(hService) && uninstall == TRUE)
-			{
+			if (!DeleteService(hService) && uninstall == TRUE) {
 				DWORD err = GetLastError();
-				if(err != ERROR_SERVICE_MARKED_FOR_DELETE && err != ERROR_SERVICE_DOES_NOT_EXIST)
-				{
+				if (err != ERROR_SERVICE_MARKED_FOR_DELETE &&
+				   err != ERROR_SERVICE_DOES_NOT_EXIST) {
 					MsgBox(IDS_ERR_REMOVE_SERVICE, GetErrMessage());
 					break;
 				}
@@ -696,18 +860,17 @@ void CBINDInstallDlg::UnregisterService(BOOL uninstall)
 		break;
 	}
 
-	if(hSCManager)
-		CloseServiceHandle(hSCManager);
-
-	if(hService)
+	if (hService)
 		CloseServiceHandle(hService);
 
-	if(uninstall)
+	if (hSCManager)
+		CloseServiceHandle(hSCManager);
+
+	if (uninstall)
 		SetItemStatus(IDC_REG_SERVICE, rc);
 }
 
-void CBINDInstallDlg::RegisterMessages()
-{
+void CBINDInstallDlg::RegisterMessages() {
 	HKEY hKey;
 	DWORD dwData;
 	char pszMsgDLL[MAX_PATH], buf[MAX_PATH];
@@ -717,16 +880,19 @@ void CBINDInstallDlg::RegisterMessages()
 
 	SetCurrent(IDS_REGISTER_MESSAGES);
 	/* Create a new key for named */
-	if(RegCreateKey(HKEY_LOCAL_MACHINE, BIND_MESSAGE_SUBKEY, &hKey) != ERROR_SUCCESS)
+	if (RegCreateKey(HKEY_LOCAL_MACHINE, BIND_MESSAGE_SUBKEY, &hKey)
+		!= ERROR_SUCCESS)
 		throw(Exception(IDS_ERR_CREATE_KEY, GetErrMessage()));
 	
 	/* Add the Event-ID message-file name to the subkey. */
-	if(RegSetValueEx(hKey, "EventMessageFile", 0, REG_EXPAND_SZ, (LPBYTE)pszMsgDLL, strlen(pszMsgDLL) + 1) != ERROR_SUCCESS)
+	if (RegSetValueEx(hKey, "EventMessageFile", 0, REG_EXPAND_SZ,
+		(LPBYTE)pszMsgDLL, strlen(pszMsgDLL) + 1) != ERROR_SUCCESS)
 		throw(Exception(IDS_ERR_SET_VALUE, GetErrMessage()));
 
 	/* Set the supported types flags and addit to the subkey. */
 	dwData = EVENTLOG_ERROR_TYPE | EVENTLOG_WARNING_TYPE | EVENTLOG_INFORMATION_TYPE;
-	if(RegSetValueEx(hKey, "TypesSupported", 0, REG_DWORD, (LPBYTE)&dwData, sizeof(DWORD)) != ERROR_SUCCESS)
+	if (RegSetValueEx(hKey, "TypesSupported", 0, REG_DWORD,
+		(LPBYTE)&dwData, sizeof(DWORD)) != ERROR_SUCCESS)
 		throw(Exception(IDS_ERR_SET_VALUE, GetErrMessage()));
 
 	RegCloseKey(hKey);
@@ -734,38 +900,36 @@ void CBINDInstallDlg::RegisterMessages()
 	SetItemStatus(IDC_REG_MESSAGE);
 }
 
-void CBINDInstallDlg::UnregisterMessages(BOOL uninstall)
-{
+void CBINDInstallDlg::UnregisterMessages(BOOL uninstall) {
 	BOOL rc = FALSE;
 	HKEY hKey = NULL;
 
-	while(1)
-	{
+	while(1) {
 		SetCurrent(IDS_UNREGISTER_MESSAGES);
 		/* Open key for Application Event Log */
-		if(RegOpenKey(HKEY_LOCAL_MACHINE, EVENTLOG_APP_SUBKEY, &hKey) != ERROR_SUCCESS)
+		if (RegOpenKey(HKEY_LOCAL_MACHINE, EVENTLOG_APP_SUBKEY, &hKey)
+			!= ERROR_SUCCESS)
 			break;
 
 		/* Remove named from the list of messages sources */
-		if(RegDeleteKey(hKey, BIND_MESSAGE_NAME) != ERROR_SUCCESS)
+		if (RegDeleteKey(hKey, BIND_MESSAGE_NAME) != ERROR_SUCCESS)
 			break;
 		
 		rc = TRUE;
 		break;
 	}
 
-	if(hKey)
+	if (hKey)
 		RegCloseKey(hKey);
 
-	if(uninstall)
+	if (uninstall)
 		SetItemStatus(IDC_REG_MESSAGE, rc);
 }
 
 /*
  * Install failed - clean up quietly
  */
-void CBINDInstallDlg::FailedInstall()
-{
+void CBINDInstallDlg::FailedInstall() {
 	UnregisterMessages(FALSE);
 	UnregisterService(FALSE);
 	DeleteFiles(FALSE);
@@ -775,8 +939,7 @@ void CBINDInstallDlg::FailedInstall()
 /*
  * Set the checklist tags for install
  */
-void CBINDInstallDlg::InstallTags()
-{
+void CBINDInstallDlg::InstallTags() {
 	CString tag;
 	
 	tag.LoadString(IDS_INSTALL_FILE);
@@ -799,8 +962,7 @@ void CBINDInstallDlg::InstallTags()
 /*
  * Set the checklist tags for uninstall
  */
-void CBINDInstallDlg::UninstallTags()
-{
+void CBINDInstallDlg::UninstallTags() {
 	CString tag;
 	
 	tag.LoadString(IDS_UNINSTALL_FILES);
@@ -820,8 +982,7 @@ void CBINDInstallDlg::UninstallTags()
 	GetDlgItem(IDC_REG_MESSAGE)->SetWindowText("");
 }
 
-void CBINDInstallDlg::SetItemStatus(UINT nID, BOOL bSuccess)
-{
+void CBINDInstallDlg::SetItemStatus(UINT nID, BOOL bSuccess) {
 	GetDlgItem(nID)->SetWindowText(bSuccess == TRUE ? "Done" : "Failed");
 }
 
@@ -829,8 +990,7 @@ void CBINDInstallDlg::SetItemStatus(UINT nID, BOOL bSuccess)
 /*
  * Set the text in the current operation field - use a string table string
  */
-void CBINDInstallDlg::SetCurrent(int id, ...)
-{
+void CBINDInstallDlg::SetCurrent(int id, ...) {
 	CString format;
 	va_list va;
 	char buf[128];
@@ -849,21 +1009,19 @@ void CBINDInstallDlg::SetCurrent(int id, ...)
 /*
  * Stop the BIND service
  */
-void CBINDInstallDlg::StopBINDService()
-{
+void CBINDInstallDlg::StopBINDService() {
 	SERVICE_STATUS svcStatus;
 	
 	SetCurrent(IDS_STOP_SERVICE);
 
 	SC_HANDLE hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
-	if(!hSCManager)
-	{
+	if (!hSCManager) {
 		MsgBox(IDS_ERR_OPEN_SCM, GetErrMessage());
 	}
 	
-	SC_HANDLE hBINDSvc = OpenService(hSCManager, BIND_SERVICE_NAME, SERVICE_ALL_ACCESS);
-	if(!hBINDSvc)
-	{
+	SC_HANDLE hBINDSvc = OpenService(hSCManager, BIND_SERVICE_NAME,
+				      SERVICE_ALL_ACCESS);
+	if (!hBINDSvc) {
 		MsgBox(IDS_ERR_OPEN_SERVICE, GetErrMessage());
 	}
 	
@@ -873,19 +1031,17 @@ void CBINDInstallDlg::StopBINDService()
 /*
  * Start the BIND service
  */
-void CBINDInstallDlg::StartBINDService()
-{
+void CBINDInstallDlg::StartBINDService() {
 	SetCurrent(IDS_START_SERVICE);
 
 	SC_HANDLE hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
-	if(!hSCManager)
-	{
+	if (!hSCManager) {
 		MsgBox(IDS_ERR_OPEN_SCM, GetErrMessage());
 	}
 	
-	SC_HANDLE hBINDSvc = OpenService(hSCManager, BIND_SERVICE_NAME, SERVICE_ALL_ACCESS);
-	if(!hBINDSvc)
-	{
+	SC_HANDLE hBINDSvc = OpenService(hSCManager, BIND_SERVICE_NAME,
+				      SERVICE_ALL_ACCESS);
+	if (!hBINDSvc) {
 		MsgBox(IDS_ERR_OPEN_SERVICE, GetErrMessage());
 	}
 	BOOL rc = StartService(hBINDSvc, 0, NULL);
@@ -894,31 +1050,30 @@ void CBINDInstallDlg::StartBINDService()
 /*
  * Check to see if the BIND service is running or not
  */
-BOOL CBINDInstallDlg::CheckBINDService()
-{
+BOOL CBINDInstallDlg::CheckBINDService() {
 	SERVICE_STATUS svcStatus;
 
 	SC_HANDLE hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
-	if(hSCManager)
-	{
-		SC_HANDLE hBINDSvc = OpenService(hSCManager, BIND_SERVICE_NAME, SERVICE_ALL_ACCESS);
-		if(hBINDSvc)
-		{
-			BOOL rc = ControlService(hBINDSvc, SERVICE_CONTROL_INTERROGATE, &svcStatus);
-			if(!rc)
+	if (hSCManager) {
+		SC_HANDLE hBINDSvc = OpenService(hSCManager, BIND_SERVICE_NAME,
+					      SERVICE_ALL_ACCESS);
+		if (hBINDSvc) {
+			BOOL rc = ControlService(hBINDSvc,
+				  SERVICE_CONTROL_INTERROGATE, &svcStatus);
+			if (!rc)
 				DWORD err = GetLastError();
 
-			return(svcStatus.dwCurrentState == SERVICE_RUNNING);
+			return (svcStatus.dwCurrentState == SERVICE_RUNNING);
 		}
 	}
-	return(FALSE);
+	return (FALSE);
 }
 
 /*
- * Display message boxes with variable args, using string table strings for the format specifiers 
+ * Display message boxes with variable args, using string table strings
+ * for the format specifiers 
  */
-int CBINDInstallDlg::MsgBox(int id, ...)
-{
+int CBINDInstallDlg::MsgBox(int id, ...) {
 	CString format;
 	va_list va;
 	char buf[BUFSIZ];
@@ -930,11 +1085,10 @@ int CBINDInstallDlg::MsgBox(int id, ...)
 	vsprintf(buf, format, va);
 	va_end(va);
 
-	return(MessageBox(buf));
+	return (MessageBox(buf));
 }
 
-int CBINDInstallDlg::MsgBox(int id, UINT type, ...)
-{
+int CBINDInstallDlg::MsgBox(int id, UINT type, ...) {
 	CString format;
 	va_list va;
 	char buf[BUFSIZ];
@@ -952,8 +1106,7 @@ int CBINDInstallDlg::MsgBox(int id, UINT type, ...)
 /*
  * Call GetLastError(), retrieve the message associated with the error
  */
-CString CBINDInstallDlg::GetErrMessage(DWORD err)
-{	
+CString CBINDInstallDlg::GetErrMessage(DWORD err) {	
 	LPVOID msgBuf;
 	static char buf[BUFSIZ];
 	
@@ -968,8 +1121,7 @@ CString CBINDInstallDlg::GetErrMessage(DWORD err)
 	return(buf);
 }
 
-void CBINDInstallDlg::ProgramGroup(BOOL create)
-{
+void CBINDInstallDlg::ProgramGroup(BOOL create) {
 	TCHAR path[MAX_PATH], commonPath[MAX_PATH], fileloc[MAX_PATH], linkpath[MAX_PATH];
 	HRESULT hres; 
 	IShellLink *psl = NULL; 
@@ -977,18 +1129,15 @@ void CBINDInstallDlg::ProgramGroup(BOOL create)
 	ITEMIDLIST *itemList = NULL;
 
 	HRESULT hr = SHGetMalloc(&pMalloc);
-	if(hr != NOERROR)
-	{
+	if (hr != NOERROR) {
 		MessageBox("Could not get a handle to Shell memory object");
 		return;
 	}
 
 	hr = SHGetSpecialFolderLocation(m_hWnd, CSIDL_COMMON_PROGRAMS, &itemList);
-	if(hr != NOERROR)
-	{
+	if (hr != NOERROR) {
 		MessageBox("Could not get a handle to the Common Programs folder");
-		if(itemList)
-		{
+		if (itemList) {
 			pMalloc->Free(itemList);
 		}
 		return;
@@ -997,8 +1146,7 @@ void CBINDInstallDlg::ProgramGroup(BOOL create)
 	hr = SHGetPathFromIDList(itemList, commonPath);
 	pMalloc->Free(itemList);
 
-	if(create)
-	{
+	if (create) {
 		sprintf(path, "%s\\ISC", commonPath);
 		CreateDirectory(path, NULL);
 		
@@ -1007,8 +1155,7 @@ void CBINDInstallDlg::ProgramGroup(BOOL create)
 
 		hres = CoInitialize(NULL);
 
-		if (SUCCEEDED(hres))
-		{ 
+		if (SUCCEEDED(hres)) { 
 			// Get a pointer to the IShellLink interface. 
 			hres = CoCreateInstance(CLSID_ShellLink, NULL, CLSCTX_INPROC_SERVER, IID_IShellLink, (LPVOID *)&psl); 
 			if (SUCCEEDED(hres))
@@ -1021,8 +1168,7 @@ void CBINDInstallDlg::ProgramGroup(BOOL create)
 				psl->SetDescription("BIND Control Panel"); 
 
 				hres = psl->QueryInterface(IID_IPersistFile, (void **)&ppf); 
-				if (SUCCEEDED(hres))
-				{ 
+				if (SUCCEEDED(hres)) { 
 					WCHAR wsz[MAX_PATH]; 
 
 					MultiByteToWideChar(CP_ACP, 0, linkpath, -1, wsz, MAX_PATH); 
@@ -1030,8 +1176,7 @@ void CBINDInstallDlg::ProgramGroup(BOOL create)
 					ppf->Release(); 
 				} 
 
-				if(GetFileAttributes("readme.txt") != -1)
-				{
+				if (GetFileAttributes("readme.txt") != -1) {
 					sprintf(fileloc, "%s\\Readme.txt", m_targetDir);
 					sprintf(linkpath, "%s\\Readme.lnk", path);
 
@@ -1039,8 +1184,7 @@ void CBINDInstallDlg::ProgramGroup(BOOL create)
 					psl->SetDescription("BIND Readme"); 
 
 					hres = psl->QueryInterface(IID_IPersistFile, (void **)&ppf); 
-					if (SUCCEEDED(hres))
-					{ 
+					if (SUCCEEDED(hres)) { 
 						WCHAR wsz[MAX_PATH]; 
 
 						MultiByteToWideChar(CP_ACP, 0, linkpath, -1, wsz, MAX_PATH); 
@@ -1053,8 +1197,7 @@ void CBINDInstallDlg::ProgramGroup(BOOL create)
 			CoUninitialize();
 		} 
 	}
-	else
-	{
+	else {
 		TCHAR filename[MAX_PATH];
 		WIN32_FIND_DATA fd;
 
@@ -1062,16 +1205,13 @@ void CBINDInstallDlg::ProgramGroup(BOOL create)
 
 		sprintf(filename, "%s\\*.*", path);
 		HANDLE hFind = FindFirstFile(filename, &fd);
-		if(hFind != INVALID_HANDLE_VALUE)
-		{
-			do
-			{
-				if(strcmp(fd.cFileName, ".") && strcmp(fd.cFileName, ".."))
-				{
+		if (hFind != INVALID_HANDLE_VALUE) {
+			do {
+				if (strcmp(fd.cFileName, ".") && strcmp(fd.cFileName, "..")) {
 					sprintf(filename, "%s\\%s", path, fd.cFileName);
 					DeleteFile(filename);
 				}
-			} while(FindNextFile(hFind, &fd));
+			} while (FindNextFile(hFind, &fd));
 			FindClose(hFind);
 		}
 		RemoveDirectory(path);
@@ -1080,10 +1220,8 @@ void CBINDInstallDlg::ProgramGroup(BOOL create)
 	}
 }
 
-CString CBINDInstallDlg::DestDir(int destination)
-{
-	switch(destination)
-	{
+CString CBINDInstallDlg::DestDir(int destination) {
+	switch(destination) {
 		case FileData::TargetDir:
 			return m_targetDir;
 		case FileData::BinDir:
diff --git a/bin/win32/BINDInstall/BINDInstallDlg.h b/bin/win32/BINDInstall/BINDInstallDlg.h
index 9f8915b4..dcb09ee7 100644
--- a/bin/win32/BINDInstall/BINDInstallDlg.h
+++ b/bin/win32/BINDInstall/BINDInstallDlg.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: BINDInstallDlg.h,v 1.3.2.1 2004/03/09 06:10:32 marka Exp $ */
+/* $Id: BINDInstallDlg.h,v 1.3.12.3 2004/03/08 09:04:21 marka Exp $ */
 
 /*
  * Copyright (c) 1999-2000 by Nortel Networks Corporation
@@ -72,6 +72,7 @@ protected:
 	void DeleteFiles(BOOL uninstall);
 
 	void RegisterService();
+	void UpdateService();
 	void UnregisterService(BOOL uninstall);
 
 	void RegisterMessages();
@@ -80,6 +81,8 @@ protected:
 	void FailedInstall();
 	void SetItemStatus(UINT nID, BOOL bSuccess = TRUE);
 
+	void GetCurrentServiceAccountName();
+	BOOL ValidateServiceAccount();
 protected:
 	CString DestDir(int destination);
 	int MsgBox(int id,  ...);
@@ -94,9 +97,16 @@ protected:
 	CString m_etcDir;
 	CString m_binDir;
 	CString m_winSysDir;
-	BOOL m_reboot;
+	BOOL m_installed;
 	CString m_currentDir;
-
+	BOOL	m_accountExists;
+	BOOL	m_accountUsed;
+	CString	m_currentAccount;
+	CString m_accountName;
+	CString m_accountPasswordConfirm;
+	CString m_accountPassword;
+	BOOL	m_serviceExists;
+ 
 	// Generated message map functions
 	//{{AFX_MSG(CBINDInstallDlg)
 	virtual BOOL OnInitDialog();
diff --git a/bin/win32/BINDInstall/DirBrowse.cpp b/bin/win32/BINDInstall/DirBrowse.cpp
index ba8354e8..c0862602 100644
--- a/bin/win32/BINDInstall/DirBrowse.cpp
+++ b/bin/win32/BINDInstall/DirBrowse.cpp
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: DirBrowse.cpp,v 1.3.2.1 2004/03/09 06:10:32 marka Exp $ */
+/* $Id: DirBrowse.cpp,v 1.3.206.1 2004/03/06 10:22:53 marka Exp $ */
 
 /*
  * Copyright (c) 1999-2000 by Nortel Networks Corporation
diff --git a/bin/win32/BINDInstall/DirBrowse.h b/bin/win32/BINDInstall/DirBrowse.h
index d01ec49b..d0a70c23 100644
--- a/bin/win32/BINDInstall/DirBrowse.h
+++ b/bin/win32/BINDInstall/DirBrowse.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: DirBrowse.h,v 1.3.2.1 2004/03/09 06:10:32 marka Exp $ */
+/* $Id: DirBrowse.h,v 1.3.206.1 2004/03/06 10:22:54 marka Exp $ */
 
 /*
  * Copyright (c) 1999-2000 by Nortel Networks Corporation
diff --git a/bin/win32/BINDInstall/StdAfx.h b/bin/win32/BINDInstall/StdAfx.h
index d5929bba..2607529c 100644
--- a/bin/win32/BINDInstall/StdAfx.h
+++ b/bin/win32/BINDInstall/StdAfx.h
@@ -3,10 +3,6 @@
 //      are changed infrequently
 //
 
-#ifndef _CRT_SECURE_NO_DEPRECATE
-#define _CRT_SECURE_NO_DEPRECATE 1
-#endif
-
 #if !defined(AFX_STDAFX_H__61537819_39FC_11D3_A97A_00105A12BD65__INCLUDED_)
 #define AFX_STDAFX_H__61537819_39FC_11D3_A97A_00105A12BD65__INCLUDED_
 
diff --git a/bin/win32/BINDInstall/resource.h b/bin/win32/BINDInstall/resource.h
index 02f6802d..fd142d32 100644
--- a/bin/win32/BINDInstall/resource.h
+++ b/bin/win32/BINDInstall/resource.h
@@ -50,11 +50,19 @@
 #define IDS_NO_VERSION                  49
 #define IDS_EXISTING_NEWER              50
 #define IDS_FILE_BAD                    51
+#define IDS_ERR_TOOPRIVED               52
+#define IDS_ERR_BADACCOUNT              53
+#define IDS_ERR_WRONGPRIV               54
+#define IDS_CREATEACCOUNT_FAILED        55
+#define IDS_ERR_PASSWORD                56
+#define IDS_ERR_UPDATE_SERVICE          57
 #define IDD_BINDINSTALL_DIALOG          102
 #define IDR_MAINFRAME                   128
 #define IDD_BROWSE                      129
 #define IDI_CHECK                       130
 #define IDI_X                           132
+#define IDC_CURSOR1                     142
+#define IDD_DIALOG1                     143
 #define IDC_TARGETDIR                   1001
 #define IDC_BROWSE                      1002
 #define IDC_DIRLIST                     1004
@@ -77,14 +85,17 @@
 #define IDC_DRIVES                      1021
 #define IDC_CURRENT                     1021
 #define IDC_START                       1022
+#define IDC_ACCOUNT_NAME                1030
+#define IDC_ACCOUNT_PASSWORD            1031
+#define IDC_ACCOUNT_PASSWORD_CONFIRM    1032
 
 // Next default values for new objects
 // 
 #ifdef APSTUDIO_INVOKED
 #ifndef APSTUDIO_READONLY_SYMBOLS
-#define _APS_NEXT_RESOURCE_VALUE        142
+#define _APS_NEXT_RESOURCE_VALUE        144
 #define _APS_NEXT_COMMAND_VALUE         32771
 #define _APS_NEXT_CONTROL_VALUE         1027
-#define _APS_NEXT_SYMED_VALUE           101
+#define _APS_NEXT_SYMED_VALUE           104
 #endif
 #endif
diff --git a/config.guess b/config.guess
index 7d0185e0..6e510829 100644
--- a/config.guess
+++ b/config.guess
@@ -1,9 +1,9 @@
 #! /bin/sh
 # Attempt to guess a canonical system name.
 #   Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
-#   2000, 2001, 2002, 2003, 2004 Free Software Foundation, Inc.
+#   2000, 2001, 2002, 2003 Free Software Foundation, Inc.
 
-timestamp='2004-09-07'
+timestamp='2004-01-24'
 
 # This file is free software; you can redistribute it and/or modify it
 # under the terms of the GNU General Public License as published by
@@ -53,7 +53,7 @@ version="\
 GNU config.guess ($timestamp)
 
 Originally written by Per Bothner.
-Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004
+Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001
 Free Software Foundation, Inc.
 
 This is free software; see the source for copying conditions.  There is NO
@@ -197,21 +197,15 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
 	# CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used.
 	echo "${machine}-${os}${release}"
 	exit 0 ;;
-    amd64:OpenBSD:*:*)
-	echo x86_64-unknown-openbsd${UNAME_RELEASE}
-	exit 0 ;;
     amiga:OpenBSD:*:*)
 	echo m68k-unknown-openbsd${UNAME_RELEASE}
 	exit 0 ;;
-    cats:OpenBSD:*:*)
-	echo arm-unknown-openbsd${UNAME_RELEASE}
+    arc:OpenBSD:*:*)
+	echo mipsel-unknown-openbsd${UNAME_RELEASE}
 	exit 0 ;;
     hp300:OpenBSD:*:*)
 	echo m68k-unknown-openbsd${UNAME_RELEASE}
 	exit 0 ;;
-    luna88k:OpenBSD:*:*)
-    	echo m88k-unknown-openbsd${UNAME_RELEASE}
-	exit 0 ;;
     mac68k:OpenBSD:*:*)
 	echo m68k-unknown-openbsd${UNAME_RELEASE}
 	exit 0 ;;
@@ -227,33 +221,28 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
     mvmeppc:OpenBSD:*:*)
 	echo powerpc-unknown-openbsd${UNAME_RELEASE}
 	exit 0 ;;
+    pegasos:OpenBSD:*:*)
+	echo powerpc-unknown-openbsd${UNAME_RELEASE}
+	exit 0 ;;
+    pmax:OpenBSD:*:*)
+	echo mipsel-unknown-openbsd${UNAME_RELEASE}
+	exit 0 ;;
     sgi:OpenBSD:*:*)
-	echo mips64-unknown-openbsd${UNAME_RELEASE}
+	echo mipseb-unknown-openbsd${UNAME_RELEASE}
 	exit 0 ;;
     sun3:OpenBSD:*:*)
 	echo m68k-unknown-openbsd${UNAME_RELEASE}
 	exit 0 ;;
+    wgrisc:OpenBSD:*:*)
+	echo mipsel-unknown-openbsd${UNAME_RELEASE}
+	exit 0 ;;
     *:OpenBSD:*:*)
 	echo ${UNAME_MACHINE}-unknown-openbsd${UNAME_RELEASE}
 	exit 0 ;;
-    *:ekkoBSD:*:*)
-	echo ${UNAME_MACHINE}-unknown-ekkobsd${UNAME_RELEASE}
-	exit 0 ;;
-    macppc:MirBSD:*:*)
-	echo powerppc-unknown-mirbsd${UNAME_RELEASE}
-	exit 0 ;;
-    *:MirBSD:*:*)
-	echo ${UNAME_MACHINE}-unknown-mirbsd${UNAME_RELEASE}
-	exit 0 ;;
     alpha:OSF1:*:*)
-	case $UNAME_RELEASE in
-	*4.0)
+	if test $UNAME_RELEASE = "V4.0"; then
 		UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $3}'`
-		;;
-	*5.*)
-	        UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $4}'`
-		;;
-	esac
+	fi
 	# According to Compaq, /usr/sbin/psrinfo has been available on
 	# OSF/1 and Tru64 systems produced since 1995.  I hope that
 	# covers most systems running today.  This code pipes the CPU
@@ -291,12 +280,14 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
 	    "EV7.9 (21364A)")
 		UNAME_MACHINE="alphaev79" ;;
 	esac
-	# A Pn.n version is a patched version.
 	# A Vn.n version is a released version.
 	# A Tn.n version is a released field test version.
 	# A Xn.n version is an unreleased experimental baselevel.
 	# 1.2 uses "1.2" for uname -r.
-	echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
+	echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[VTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
+	exit 0 ;;
+    Alpha*:OpenVMS:*:*)
+	echo alpha-hp-vms
 	exit 0 ;;
     Alpha\ *:Windows_NT*:*)
 	# How do we know it's Interix rather than the generic POSIX subsystem?
@@ -752,7 +743,7 @@ EOF
 	echo sv1-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
 	exit 0 ;;
     *:UNICOS/mp:*:*)
-	echo craynv-cray-unicosmp${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+	echo nv1-cray-unicosmp${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
 	exit 0 ;;
     F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*)
 	FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
@@ -775,7 +766,21 @@ EOF
 	echo ${UNAME_MACHINE}-unknown-bsdi${UNAME_RELEASE}
 	exit 0 ;;
     *:FreeBSD:*:*)
-	echo ${UNAME_MACHINE}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`
+	# Determine whether the default compiler uses glibc.
+	eval $set_cc_for_build
+	sed 's/^	//' << EOF >$dummy.c
+	#include <features.h>
+	#if __GLIBC__ >= 2
+	LIBC=gnu
+	#else
+	LIBC=
+	#endif
+EOF
+	eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^LIBC=`
+	# GNU/KFreeBSD systems have a "k" prefix to indicate we are using
+	# FreeBSD's kernel, but not the complete OS.
+	case ${LIBC} in gnu) kernel_only='k' ;; esac
+	echo ${UNAME_MACHINE}-unknown-${kernel_only}freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`${LIBC:+-$LIBC}
 	exit 0 ;;
     i*:CYGWIN*:*)
 	echo ${UNAME_MACHINE}-pc-cygwin
@@ -824,18 +829,9 @@ EOF
     cris:Linux:*:*)
 	echo cris-axis-linux-gnu
 	exit 0 ;;
-    crisv32:Linux:*:*)
-	echo crisv32-axis-linux-gnu
-	exit 0 ;;
-    frv:Linux:*:*)
-    	echo frv-unknown-linux-gnu
-	exit 0 ;;
     ia64:Linux:*:*)
 	echo ${UNAME_MACHINE}-unknown-linux-gnu
 	exit 0 ;;
-    m32r*:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-gnu
-	exit 0 ;;
     m68*:Linux:*:*)
 	echo ${UNAME_MACHINE}-unknown-linux-gnu
 	exit 0 ;;
@@ -1076,9 +1072,9 @@ EOF
     M680?0:D-NIX:5.3:*)
 	echo m68k-diab-dnix
 	exit 0 ;;
-    M68*:*:R3V[5678]*:*)
+    M68*:*:R3V[567]*:*)
 	test -r /sysV68 && echo 'm68k-motorola-sysv' && exit 0 ;;
-    3[345]??:*:4.0:3.0 | 3[34]??A:*:4.0:3.0 | 3[34]??,*:*:4.0:3.0 | 3[34]??/*:*:4.0:3.0 | 4400:*:4.0:3.0 | 4850:*:4.0:3.0 | SKA40:*:4.0:3.0 | SDS2:*:4.0:3.0 | SHG2:*:4.0:3.0 | S7501*:*:4.0:3.0)
+    3[345]??:*:4.0:3.0 | 3[34]??A:*:4.0:3.0 | 3[34]??,*:*:4.0:3.0 | 3[34]??/*:*:4.0:3.0 | 4400:*:4.0:3.0 | 4850:*:4.0:3.0 | SKA40:*:4.0:3.0 | SDS2:*:4.0:3.0 | SHG2:*:4.0:3.0)
 	OS_REL=''
 	test -r /etc/.relid \
 	&& OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid`
@@ -1176,10 +1172,9 @@ EOF
 	echo ${UNAME_MACHINE}-apple-rhapsody${UNAME_RELEASE}
 	exit 0 ;;
     *:Darwin:*:*)
-	UNAME_PROCESSOR=`uname -p` || UNAME_PROCESSOR=unknown
-	case $UNAME_PROCESSOR in
+	case `uname -p` in
 	    *86) UNAME_PROCESSOR=i686 ;;
-	    unknown) UNAME_PROCESSOR=powerpc ;;
+	    powerpc) UNAME_PROCESSOR=powerpc ;;
 	esac
 	echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE}
 	exit 0 ;;
@@ -1241,13 +1236,6 @@ EOF
     *:DragonFly:*:*)
 	echo ${UNAME_MACHINE}-unknown-dragonfly`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`
 	exit 0 ;;
-    *:*VMS:*:*)
-    	UNAME_MACHINE=`(uname -p) 2>/dev/null`
-	case "${UNAME_MACHINE}" in
-	    A*) echo alpha-dec-vms && exit 0 ;;
-	    I*) echo ia64-dec-vms && exit 0 ;;
-	    V*) echo vax-dec-vms && exit 0 ;;
-	esac
 esac
 
 #echo '(No uname command or uname output not recognized.)' 1>&2
diff --git a/config.h.in b/config.h.in
index 1185487f..16964b5e 100644
--- a/config.h.in
+++ b/config.h.in
@@ -1,7 +1,7 @@
 /* config.h.in.  Generated from configure.in by autoheader.  */
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
+ * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -16,7 +16,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: config.h.in,v 1.47.2.25 2007/01/08 02:03:17 marka Exp $ */
+/* $Id: config.h.in,v 1.47.2.3.2.9 2004/03/14 23:55:14 marka Exp $ */
 
 /***
  *** This file is not to be included by any public header files, because
@@ -53,6 +53,9 @@
 /* define if catgets() is available */
 #undef HAVE_CATGETS
 
+/* define if getifaddrs() exists */
+#undef HAVE_GETIFADDRS
+
 /* define if you have the NET_RT_IFLIST sysctl variable and sys/sysctl.h */
 #undef HAVE_IFLIST_SYSCTL
 
@@ -131,18 +134,8 @@ int sigwait(const unsigned int *set, int *sig);
 /* define if you have strerror in the C library. */
 #undef HAVE_STRERROR
 
-/* Define to the length type used by the socket API (socklen_t, size_t, int). */
-#undef ISC_SOCKADDR_LEN_T
-
-/* Define if threads need PTHREAD_SCOPE_SYSTEM */
-#undef NEED_PTHREAD_SCOPE_SYSTEM
-
-/* Define if recvmsg() does not meet all of the BSD socket API specifications.
-   */
-#undef BROKEN_RECVMSG
-
-/* Define if you cannot bind() before connect() for TCP sockets. */
-#undef BROKEN_TCP_BIND_BEFORE_CONNECT
+/* Define if you are running under Compaq TruCluster..  */
+#undef HAVE_TRUCLUSTER
 
 /* Define to 1 if you have the <dlfcn.h> header file. */
 #undef HAVE_DLFCN_H
@@ -165,21 +158,18 @@ int sigwait(const unsigned int *set, int *sig);
 /* Define to 1 if you have the `pthread' library (-lpthread). */
 #undef HAVE_LIBPTHREAD
 
-/* Define to 1 if you have the `scf' library (-lscf). */
-#undef HAVE_LIBSCF
-
 /* Define to 1 if you have the `socket' library (-lsocket). */
 #undef HAVE_LIBSOCKET
 
-/* Define to 1 if you have the `thr' library (-lthr). */
-#undef HAVE_LIBTHR
-
 /* Define to 1 if you have the <linux/capability.h> header file. */
 #undef HAVE_LINUX_CAPABILITY_H
 
 /* Define to 1 if you have the <memory.h> header file. */
 #undef HAVE_MEMORY_H
 
+/* Define to 1 if you have the <net/if6.h> header file. */
+#undef HAVE_NET_IF6_H
+
 /* Define to 1 if you have the <stdint.h> header file. */
 #undef HAVE_STDINT_H
 
@@ -216,6 +206,9 @@ int sigwait(const unsigned int *set, int *sig);
 /* Define to 1 if you have the <sys/types.h> header file. */
 #undef HAVE_SYS_TYPES_H
 
+/* Define if running under Compaq TruCluster */
+#undef HAVE_TRUCLUSTER
+
 /* Define to 1 if you have the <unistd.h> header file. */
 #undef HAVE_UNISTD_H
 
@@ -234,20 +227,12 @@ int sigwait(const unsigned int *set, int *sig);
 /* Define to the version of this package. */
 #undef PACKAGE_VERSION
 
-/* Sets which flag to pass to open/fcntl to make non-blocking
-   (O_NDELAY/O_NONBLOCK). */
-#undef PORT_NONBLOCK
-
 /* Define to 1 if you have the ANSI C header files. */
 #undef STDC_HEADERS
 
 /* Define to 1 if you can safely include both <sys/time.h> and <time.h>. */
 #undef TIME_WITH_SYS_TIME
 
-/* Defined if you need to use ioctl(FIONBIO) instead a fcntl call to make
-   non-blocking. */
-#undef USE_FIONBIO_IOCTL
-
 /* Define to 1 if your processor stores words with the most significant byte
    first (like Motorola and SPARC, unlike Intel and VAX). */
 #undef WORDS_BIGENDIAN
@@ -266,6 +251,3 @@ int sigwait(const unsigned int *set, int *sig);
 
 /* Define to `int' if <sys/types.h> does not define. */
 #undef ssize_t
-
-/* Define to `unsigned long' if <sys/types.h> does not define. */
-#undef uintptr_t
diff --git a/config.h.win32 b/config.h.win32
index a6115ec4..07b84645 100644
--- a/config.h.win32
+++ b/config.h.win32
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: config.h.win32,v 1.6.2.8 2006/10/03 03:42:41 marka Exp $ */
+/* $Id: config.h.win32,v 1.6.12.3 2004/04/10 04:09:21 marka Exp $ */
 
 /*
  * win32 configuration file
@@ -39,16 +39,6 @@
 #define __STDC__ 1
 
 /*
- * Silence compiler warnings about using strcpy and friends.
- */
-#define _CRT_SECURE_NO_DEPRECATE 1
-
-/*
- * Use 32 bit time.
- */
-#define _USE_32BIT_TIME_T 1
-
-/*
  * Windows NT and 2K only
  */
 #define _WIN32_WINNT 0x0400
@@ -114,15 +104,6 @@
 /* Define if you have h_errno */
 #define HAVE_H_ERRNO
 
-/* Define if libcrypto has RSA_generate_key */
-#define HAVE_RSA_GENERATE_KEY
-
-/* Define if libcrypto has DSA_generate_parameters */
-#define HAVE_DSA_GENERATE_PARAMETERS
-
-/* Define if libcrypto has DH_generate_parameters */
-#define HAVE_DH_GENERATE_PARAMETERS
-
 #define S_IFMT   _S_IFMT         /* file type mask */
 #define S_IFDIR  _S_IFDIR        /* directory */
 #define S_IFCHR  _S_IFCHR        /* character special */
@@ -211,8 +192,7 @@ typedef long off_t;
 #define open	_open
 #define close	_close
 #define write	_write
-#include <io.h>
-#define isatty        _isatty
+#define isatty	_isatty
 
 #ifndef _WINSOCKAPI_
 #define _WINSOCKAPI_   /* Prevent inclusion of winsock.h in windows.h */
diff --git a/config.sub b/config.sub
index edb6b663..463186db 100644
--- a/config.sub
+++ b/config.sub
@@ -1,9 +1,9 @@
 #! /bin/sh
 # Configuration validation subroutine script.
 #   Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
-#   2000, 2001, 2002, 2003, 2004 Free Software Foundation, Inc.
+#   2000, 2001, 2002, 2003 Free Software Foundation, Inc.
 
-timestamp='2004-08-29'
+timestamp='2004-01-05'
 
 # This file is (in principle) common to ALL GNU software.
 # The presence of a machine in this file suggests that SOME GNU software
@@ -70,7 +70,7 @@ Report bugs and patches to <config-patches@gnu.org>."
 version="\
 GNU config.sub ($timestamp)
 
-Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004
+Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001
 Free Software Foundation, Inc.
 
 This is free software; see the source for copying conditions.  There is NO
@@ -145,7 +145,7 @@ case $os in
 	-convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\
 	-c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \
 	-harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \
-	-apple | -axis | -knuth | -cray)
+	-apple | -axis)
 		os=
 		basic_machine=$1
 		;;
@@ -237,7 +237,7 @@ case $basic_machine in
 	| h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \
 	| i370 | i860 | i960 | ia64 \
 	| ip2k | iq2000 \
-	| m32r | m32rle | m68000 | m68k | m88k | mcore \
+	| m32r | m68000 | m68k | m88k | mcore \
 	| mips | mipsbe | mipseb | mipsel | mipsle \
 	| mips16 \
 	| mips64 | mips64el \
@@ -262,7 +262,7 @@ case $basic_machine in
 	| pyramid \
 	| sh | sh[1234] | sh[23]e | sh[34]eb | shbe | shle | sh[1234]le | sh3ele \
 	| sh64 | sh64le \
-	| sparc | sparc64 | sparc86x | sparclet | sparclite | sparcv8 | sparcv9 | sparcv9b \
+	| sparc | sparc64 | sparc86x | sparclet | sparclite | sparcv9 | sparcv9b \
 	| strongarm \
 	| tahoe | thumb | tic4x | tic80 | tron \
 	| v850 | v850e \
@@ -300,7 +300,7 @@ case $basic_machine in
 	| avr-* \
 	| bs2000-* \
 	| c[123]* | c30-* | [cjt]90-* | c4x-* | c54x-* | c55x-* | c6x-* \
-	| clipper-* | craynv-* | cydra-* \
+	| clipper-* | cydra-* \
 	| d10v-* | d30v-* | dlx-* \
 	| elxsi-* \
 	| f30[01]-* | f700-* | fr30-* | frv-* | fx80-* \
@@ -308,7 +308,7 @@ case $basic_machine in
 	| hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \
 	| i*86-* | i860-* | i960-* | ia64-* \
 	| ip2k-* | iq2000-* \
-	| m32r-* | m32rle-* \
+	| m32r-* \
 	| m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \
 	| m88110-* | m88k-* | mcore-* \
 	| mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \
@@ -326,9 +326,8 @@ case $basic_machine in
 	| mipsisa64sb1-* | mipsisa64sb1el-* \
 	| mipsisa64sr71k-* | mipsisa64sr71kel-* \
 	| mipstx39-* | mipstx39el-* \
-	| mmix-* \
 	| msp430-* \
-	| none-* | np1-* | ns16k-* | ns32k-* \
+	| none-* | np1-* | nv1-* | ns16k-* | ns32k-* \
 	| orion-* \
 	| pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \
 	| powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* | ppcbe-* \
@@ -337,7 +336,7 @@ case $basic_machine in
 	| sh-* | sh[1234]-* | sh[23]e-* | sh[34]eb-* | shbe-* \
 	| shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \
 	| sparc-* | sparc64-* | sparc86x-* | sparclet-* | sparclite-* \
-	| sparcv8-* | sparcv9-* | sparcv9b-* | strongarm-* | sv1-* | sx?-* \
+	| sparcv9-* | sparcv9b-* | strongarm-* | sv1-* | sx?-* \
 	| tahoe-* | thumb-* \
 	| tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \
 	| tron-* \
@@ -364,9 +363,6 @@ case $basic_machine in
 		basic_machine=a29k-amd
 		os=-udi
 		;;
-    	abacus)
-		basic_machine=abacus-unknown
-		;;
 	adobe68k)
 		basic_machine=m68010-adobe
 		os=-scout
@@ -446,27 +442,12 @@ case $basic_machine in
 		basic_machine=j90-cray
 		os=-unicos
 		;;
-	craynv)
-		basic_machine=craynv-cray
-		os=-unicosmp
-		;;
-	cr16c)
-		basic_machine=cr16c-unknown
-		os=-elf
-		;;
 	crds | unos)
 		basic_machine=m68k-crds
 		;;
-	crisv32 | crisv32-* | etraxfs*)
-		basic_machine=crisv32-axis
-		;;
 	cris | cris-* | etrax*)
 		basic_machine=cris-axis
 		;;
-	crx)
-		basic_machine=crx-unknown
-		os=-elf
-		;;
 	da30 | da30-*)
 		basic_machine=m68k-da30
 		;;
@@ -667,6 +648,10 @@ case $basic_machine in
 	mips3*)
 		basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`-unknown
 		;;
+	mmix*)
+		basic_machine=mmix-knuth
+		os=-mmixware
+		;;
 	monitor)
 		basic_machine=m68k-rom68k
 		os=-coff
@@ -747,6 +732,10 @@ case $basic_machine in
 	np1)
 		basic_machine=np1-gould
 		;;
+	nv1)
+		basic_machine=nv1-cray
+		os=-unicosmp
+		;;
 	nsr-tandem)
 		basic_machine=nsr-tandem
 		;;
@@ -1059,9 +1048,6 @@ case $basic_machine in
 	romp)
 		basic_machine=romp-ibm
 		;;
-	mmix)
-		basic_machine=mmix-knuth
-		;;
 	rs6000)
 		basic_machine=rs6000-ibm
 		;;
@@ -1084,7 +1070,7 @@ case $basic_machine in
 	sh64)
 		basic_machine=sh64-unknown
 		;;
-	sparc | sparcv8 | sparcv9 | sparcv9b)
+	sparc | sparcv9 | sparcv9b)
 		basic_machine=sparc-sun
 		;;
 	cydra)
@@ -1157,9 +1143,8 @@ case $os in
 	      | -aos* \
 	      | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \
 	      | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \
-	      | -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* | -openbsd* \
-	      | -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \
-	      | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \
+	      | -hiux* | -386bsd* | -knetbsd* | -netbsd* | -openbsd* | -kfreebsd* | -freebsd* | -riscix* \
+	      | -lynxos* | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \
 	      | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \
 	      | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \
 	      | -chorusos* | -chorusrdb* \
@@ -1377,9 +1362,6 @@ case $basic_machine in
 	*-ibm)
 		os=-aix
 		;;
-    	*-knuth)
-		os=-mmixware
-		;;
 	*-wec)
 		os=-proelf
 		;;
diff --git a/config.threads.in b/config.threads.in
deleted file mode 100644
index c1c113b9..00000000
--- a/config.threads.in
+++ /dev/null
@@ -1,177 +0,0 @@
-#
-# Begin pthreads checking.
-#
-# First, decide whether to use multithreading or not.
-#
-# Enable multithreading by default on systems where it is known
-# to work well, and where debugging of multithreaded programs
-# is supported.
-#
-
-AC_MSG_CHECKING(whether to build with thread support)
-
-case $host in
-*-dec-osf*)
-	use_threads=true ;;
-[*-solaris2.[0-6]])
-	# Thread signals are broken on Solaris 2.6; they are sometimes
-	# delivered to the wrong thread.
-	use_threads=false ;;
-*-solaris*)
-	use_threads=true ;;
-*-ibm-aix*)
-	use_threads=true ;;
-*-hp-hpux10*)
-	use_threads=false ;;
-*-hp-hpux11*)
-	use_threads=true ;;
-*-sgi-irix*)
-	use_threads=true ;;
-*-sco-sysv*uw*|*-*-sysv*UnixWare*)
-        # UnixWare
-	use_threads=false ;;
-*-*-sysv*OpenUNIX*)
-        # UnixWare
-	use_threads=true ;;
-*-netbsd*)
-	if test -r /usr/lib/libpthread.so ; then
-	    use_threads=true
-	else
-	    # Socket I/O optimizations introduced in 9.2 expose a
-	    # bug in unproven-pthreads; see PR #12650
-	    use_threads=false
-	fi
-	;;
-*-openbsd*)
-	# OpenBSD users have reported that named dumps core on
-	# startup when built with threads.
-	use_threads=false ;;
-*-freebsd*)
-	use_threads=false ;;
-*-bsdi[234]*)
-	# Thread signals do not work reliably on some versions of BSD/OS.
-	use_threads=false ;;
-*-bsdi5*)
-	use_threads=true ;;
-*-linux*)
-   	# Threads are disabled on Linux by default because most
-	# Linux kernels produce unusable core dumps from multithreaded
-	# programs, and because of limitations in setuid().
-	use_threads=false ;;	
-*)
-	use_threads=false ;;
-esac
-
-AC_ARG_ENABLE(threads,
-	[  --enable-threads	enable multithreading])
-case "$enable_threads" in
-	yes)
-		use_threads=true
-		;;
-	no)
-		use_threads=false
-		;;
-	'')
-		# Use system-dependent default
-		;;
-	*)
-	    	AC_MSG_ERROR([--enable-threads takes yes or no])
-		;;
-esac
-
-if $use_threads
-then
-	AC_MSG_RESULT(yes)
-else
-	AC_MSG_RESULT(no)	
-fi
-
-if $use_threads
-then
-	#
-	# Search for / configure pthreads in a system-dependent fashion.
-	#
-	case "$host" in
-	  *-netbsd*)
-		# NetBSD has multiple pthreads implementations.	 The
-		# recommended one to use is "unproven-pthreads".  The
-		# older "mit-pthreads" may also work on some NetBSD
-		# versions.  The PTL2 thread library does not
-		# currently work with bind9, but can be chosen with
-		# the --with-ptl2 option for those who wish to
-		# experiment with it.
-		CC="gcc"
-		AC_MSG_CHECKING(which NetBSD thread library to use)
-
-		AC_ARG_WITH(ptl2,
-[  --with-ptl2		on NetBSD, use the ptl2 thread library (experimental)],
-		    use_ptl2="$withval", use_ptl2="no")
-
-		: ${LOCALBASE:=/usr/pkg}
-
-		if test "X$use_ptl2" = "Xyes"
-		then
-			AC_MSG_RESULT(PTL2)
-			AC_MSG_WARN(
-[linking with PTL2 is highly experimental and not expected to work])
-			CC=ptlgcc
-		else
-			if test -r /usr/lib/libpthread.so
-			then
-				AC_MSG_RESULT(native)
-				LIBS="-lpthread $LIBS"
-			else
-				if test ! -d $LOCALBASE/pthreads
-				then
-					AC_MSG_RESULT(none)
-					AC_MSG_ERROR("could not find thread libraries")
-				fi
-
-				if $use_threads
-				then
-					AC_MSG_RESULT(mit-pthreads/unproven-pthreads)
-					pkg="$LOCALBASE/pthreads"
-					lib1="-L$pkg/lib -Wl,-R$pkg/lib"
-					lib2="-lpthread -lm -lgcc -lpthread"
-					LIBS="$lib1 $lib2 $LIBS"
-					CPPFLAGS="$CPPFLAGS -I$pkg/include"
-					STD_CINCLUDES="$STD_CINCLUDES -I$pkg/include"
-				fi
-			fi
-		fi
-		;;
-		*-freebsd*)
-			# We don't want to set -lpthread as that break
-			# the ability to choose threads library at final
-			# link time and is not valid for all architectures.
-			
-			PTHREAD=
-			if test "X$GCC" = "Xyes"; then
-				saved_cc="$CC"
-				CC="$CC -pthread"
-				AC_MSG_CHECKING(for gcc -pthread support);
-				AC_TRY_LINK([#include <pthread.h>],
-					    [printf("%x\n", pthread_create);],
-					    PTHREAD="yes"
-					    AC_MSG_RESULT(yes),
-					    AC_MSG_RESULT(no))
-				CC="$saved_cc"
-			fi
-			if test "X$PTHREAD" != "Xyes"; then
-				AC_CHECK_LIB(pthread, pthread_create,,
-				AC_CHECK_LIB(thr, thread_create,,
-				AC_CHECK_LIB(c_r, pthread_create,,
-				AC_CHECK_LIB(c, pthread_create,,
-				AC_MSG_ERROR("could not find thread libraries")))))
-			fi
-			;;
-		*)
-			AC_CHECK_LIB(pthread, pthread_create,,
-				AC_CHECK_LIB(pthread, __pthread_create,,
-				AC_CHECK_LIB(pthread, __pthread_create_system,,
-				AC_CHECK_LIB(c_r, pthread_create,,
-				AC_CHECK_LIB(c, pthread_create,,
-				AC_MSG_ERROR("could not find thread libraries"))))))
-		;;
-	esac
-fi
diff --git a/configure b/configure
index bcede7b5..e4673815 100755
--- a/configure
+++ b/configure
@@ -1,5 +1,35 @@
 #! /bin/sh
-# From configure.in Revision: 1.294.2.74 .
+# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 1996-2003  Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+#
+# $Id: configure,v 1.284.2.19.2.19 2004/03/14 00:00:31 marka Exp $
+#
+# Portions Copyright (C) 1996-2001  Nominum, Inc.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND NOMINUM DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL NOMINUM BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+# OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+# From configure.in Revision: 1.294.2.23.2.23 .
 # Guess values for system-dependent variables and create Makefiles.
 # Generated by GNU Autoconf 2.59.
 #
@@ -279,7 +309,7 @@ fi
 
 # The HP-UX ksh and POSIX shell print the target directory to stdout
 # if CDPATH is set.
-(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
+if test "X${CDPATH+set}" = Xset; then CDPATH=:; export CDPATH; fi
 
 if test -z "$ECHO"; then
 if test "X${echo_test_string+set}" != Xset; then
@@ -465,8 +495,8 @@ ac_includes_default="\
 # include <unistd.h>
 #endif"
 
-ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix program_transform_name bindir sbindir libexecdir datadir sysconfdir sharedstatedir localstatedir libdir includedir oldincludedir infodir mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T LIBS subdirs build build_cpu build_vendor build_os host host_cpu host_vendor host_os SET_MAKE RANLIB ac_ct_RANLIB INSTALL_PROGRAM INSTALL_SCRIPT INSTALL_DATA STD_CINCLUDES STD_CDEFINES STD_CWARNINGS CCOPT AR ARFLAGS LN ETAGS PERL CC CFLAGS LDFLAGS CPPFLAGS ac_ct_CC EXEEXT OBJEXT CPP EGREP ISC_SOCKADDR_LEN_T ISC_PLATFORM_HAVELONGLONG ISC_PLATFORM_NEEDSYSSELECTH LWRES_PLATFORM_NEEDSYSSELECTH DST_OPENSSL_INC DNS_OPENSSL_LIBS USE_OPENSSL USE_GSSAPI DST_GSSAPI_INC DNS_GSSAPI_LIBS ALWAYS_DEFINES ISC_PLATFORM_USETHREADS ISC_THREAD_DIR MKDEPCC MKDEPCFLAGS MKDEPPROG IRIX_DNSSEC_WARNINGS_HACK purify_path PURIFY LN_S ECHO ac_ct_AR STRIP ac_ct_STRIP CXX CXXFLAGS ac_ct_CXX CXXCPP F77 FFLAGS ac_ct_F77 LIBTOOL O A SA LIBTOOL_MKDEP_SED LIBTOOL_MODE_COMPILE LIBTOOL_MODE_INSTALL LIBTOOL_MODE_LINK LIBTOOL_ALLOW_UNDEFINED LIBTOOL_IN_MAIN LIBBIND ISC_PLATFORM_HAVEIPV6 LWRES_PLATFORM_HAVEIPV6 ISC_PLATFORM_NEEDNETINETIN6H LWRES_PLATFORM_NEEDNETINETIN6H ISC_PLATFORM_NEEDNETINET6IN6H LWRES_PLATFORM_NEEDNETINET6IN6H ISC_PLATFORM_HAVEINADDR6 LWRES_PLATFORM_HAVEINADDR6 ISC_PLATFORM_NEEDIN6ADDRANY LWRES_PLATFORM_NEEDIN6ADDRANY ISC_PLATFORM_NEEDIN6ADDRLOOPBACK LWRES_PLATFORM_NEEDIN6ADDRLOOPBACK ISC_PLATFORM_HAVEIN6PKTINFO ISC_PLATFORM_FIXIN6ISADDR ISC_IPV6_H ISC_IPV6_O ISC_ISCIPV6_O ISC_IPV6_C LWRES_HAVE_SIN6_SCOPE_ID BUILD_CC BUILD_CFLAGS BUILD_CPPFLAGS BUILD_LDFLAGS BUILD_LIBS ISC_PLATFORM_NEEDNTOP ISC_PLATFORM_NEEDPTON ISC_PLATFORM_NEEDATON ISC_PLATFORM_HAVESALEN LWRES_PLATFORM_HAVESALEN ISC_PLATFORM_MSGHDRFLAVOR ISC_PLATFORM_NEEDPORTT ISC_LWRES_NEEDADDRINFO ISC_LWRES_NEEDRRSETINFO ISC_LWRES_SETHOSTENTINT ISC_LWRES_ENDHOSTENTINT ISC_LWRES_GETNETBYADDRINADDR ISC_LWRES_SETNETENTINT ISC_LWRES_ENDNETENTINT ISC_LWRES_GETHOSTBYADDRVOID ISC_LWRES_NEEDHERRNO ISC_LWRES_GETIPNODEPROTO ISC_LWRES_GETADDRINFOPROTO ISC_LWRES_GETNAMEINFOPROTO ISC_PLATFORM_NEEDSTRSEP ISC_PLATFORM_NEEDVSNPRINTF LWRES_PLATFORM_NEEDVSNPRINTF ISC_EXTRA_OBJS ISC_EXTRA_SRCS ISC_PLATFORM_QUADFORMAT LWRES_PLATFORM_QUADFORMAT ISC_PLATFORM_RLIMITTYPE ISC_PLATFORM_USEDECLSPEC LWRES_PLATFORM_USEDECLSPEC ISC_PLATFORM_BRACEPTHREADONCEINIT LATEX PDFLATEX XSLTPROC XMLLINT XSLT_DOCBOOK_STYLE_HTML XSLT_DOCBOOK_STYLE_XHTML XSLT_DOCBOOK_STYLE_MAN XSLT_DOCBOOK_CHUNK_HTML XSLT_DOCBOOK_CHUNK_XHTML XSLT_DB2LATEX_STYLE XSLT_DB2LATEX_ADMONITIONS BIND9_TOP_BUILDDIR BIND9_ISC_BUILDINCLUDE BIND9_ISCCC_BUILDINCLUDE BIND9_ISCCFG_BUILDINCLUDE BIND9_DNS_BUILDINCLUDE BIND9_LWRES_BUILDINCLUDE BIND9_VERSION LIBOBJS LTLIBOBJS'
-ac_subst_files='BIND9_INCLUDES BIND9_MAKE_RULES LIBISC_API LIBISCCC_API LIBISCCFG_API LIBDNS_API LIBLWRES_API'
+ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix program_transform_name bindir sbindir libexecdir datadir sysconfdir sharedstatedir localstatedir libdir includedir oldincludedir infodir mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T LIBS subdirs build build_cpu build_vendor build_os host host_cpu host_vendor host_os SET_MAKE RANLIB ac_ct_RANLIB INSTALL_PROGRAM INSTALL_SCRIPT INSTALL_DATA STD_CINCLUDES STD_CDEFINES STD_CWARNINGS CCOPT AR ARFLAGS LN ETAGS PERL CC CFLAGS LDFLAGS CPPFLAGS ac_ct_CC EXEEXT OBJEXT CPP EGREP ISC_PLATFORM_HAVELONGLONG ISC_PLATFORM_HAVELIFCONF ISC_PLATFORM_NEEDSYSSELECTH LWRES_PLATFORM_NEEDSYSSELECTH USE_OPENSSL DST_OPENSSL_INC USE_GSSAPI DST_GSSAPI_INC DNS_CRYPTO_LIBS ALWAYS_DEFINES ISC_PLATFORM_USETHREADS ISC_THREAD_DIR MKDEPCC MKDEPCFLAGS MKDEPPROG IRIX_DNSSEC_WARNINGS_HACK purify_path PURIFY LN_S ECHO ac_ct_AR STRIP ac_ct_STRIP CXX CXXFLAGS ac_ct_CXX CXXCPP F77 FFLAGS ac_ct_F77 LIBTOOL O A SA LIBTOOL_MKDEP_SED LIBTOOL_MODE_COMPILE LIBTOOL_MODE_INSTALL LIBTOOL_MODE_LINK LIBBIND ISC_PLATFORM_HAVEIPV6 LWRES_PLATFORM_HAVEIPV6 ISC_PLATFORM_NEEDNETINETIN6H LWRES_PLATFORM_NEEDNETINETIN6H ISC_PLATFORM_NEEDNETINET6IN6H LWRES_PLATFORM_NEEDNETINET6IN6H ISC_PLATFORM_HAVEINADDR6 LWRES_PLATFORM_HAVEINADDR6 ISC_PLATFORM_NEEDIN6ADDRANY LWRES_PLATFORM_NEEDIN6ADDRANY ISC_PLATFORM_NEEDIN6ADDRLOOPBACK LWRES_PLATFORM_NEEDIN6ADDRLOOPBACK ISC_PLATFORM_HAVEIN6PKTINFO ISC_PLATFORM_FIXIN6ISADDR ISC_IPV6_H ISC_IPV6_O ISC_ISCIPV6_O ISC_IPV6_C LWRES_HAVE_SIN6_SCOPE_ID ISC_PLATFORM_HAVESCOPEID ISC_PLATFORM_HAVEIF_LADDRREQ ISC_PLATFORM_HAVEIF_LADDRCONF ISC_PLATFORM_NEEDNTOP ISC_PLATFORM_NEEDPTON ISC_PLATFORM_NEEDATON ISC_PLATFORM_HAVESALEN LWRES_PLATFORM_HAVESALEN ISC_PLATFORM_MSGHDRFLAVOR ISC_PLATFORM_NEEDPORTT ISC_LWRES_NEEDADDRINFO ISC_LWRES_NEEDRRSETINFO ISC_LWRES_SETHOSTENTINT ISC_LWRES_ENDHOSTENTINT ISC_LWRES_GETNETBYADDRINADDR ISC_LWRES_SETNETENTINT ISC_LWRES_ENDNETENTINT ISC_LWRES_GETHOSTBYADDRVOID ISC_LWRES_NEEDHERRNO ISC_LWRES_GETIPNODEPROTO ISC_LWRES_GETADDRINFOPROTO ISC_LWRES_GETNAMEINFOPROTO ISC_PLATFORM_NEEDSTRSEP ISC_PLATFORM_NEEDMEMMOVE ISC_PLATFORM_NEEDSTRTOUL ISC_PLATFORM_NEEDSTRLCPY ISC_PLATFORM_NEEDSTRLCAT ISC_PLATFORM_NEEDSPRINTF ISC_PLATFORM_NEEDVSNPRINTF ISC_EXTRA_OBJS ISC_EXTRA_SRCS ISC_PLATFORM_QUADFORMAT ISC_PLATFORM_RLIMITTYPE ISC_PLATFORM_USEDECLSPEC LWRES_PLATFORM_USEDECLSPEC ISC_PLATFORM_BRACEPTHREADONCEINIT ISC_PLATFORM_HAVEIFNAMETOINDEX OPENJADE JADETEX PDFJADETEX SGMLCATALOG HTMLSTYLE PRINTSTYLE XMLDCL DOCBOOK2MANSPEC BIND9_TOP_BUILDDIR BIND9_ISC_BUILDINCLUDE BIND9_ISCCC_BUILDINCLUDE BIND9_ISCCFG_BUILDINCLUDE BIND9_DNS_BUILDINCLUDE BIND9_LWRES_BUILDINCLUDE BIND9_BIND9_BUILDINCLUDE BIND9_VERSION LIBOBJS LTLIBOBJS'
+ac_subst_files='BIND9_MAKE_INCLUDES BIND9_MAKE_RULES LIBISC_API LIBISCCC_API LIBISCCFG_API LIBDNS_API LIBBIND9_API LIBLWRES_API'
 
 # Initialize some variables set by options.
 ac_init_help=
@@ -1020,9 +1050,8 @@ if test -n "$ac_init_help"; then
 Optional Features:
   --disable-FEATURE       do not include FEATURE (same as --enable-FEATURE=no)
   --enable-FEATURE[=ARG]  include FEATURE [ARG=yes]
-  --enable-openssl-version-check
-                          Check OpenSSL Version [default=yes]
   --enable-threads	enable multithreading
+  --enable-largefile	  64-bit file support
   --enable-shared[=PKGS]
                           build shared libraries [default=yes]
   --enable-static[=PKGS]
@@ -1032,6 +1061,8 @@ Optional Features:
   --disable-libtool-lock  avoid locking (might break parallel builds)
   --enable-libbind		build libbind default=no
   --enable-ipv6		use IPv6 default=autodetect
+  --enable-getifaddrs    Enable the use of getifaddrs() [yes|no|glibc].
+             glibc: Use getifaddrs() in glibc if you know it supports IPv6.
   --disable-linux-caps	disable linux capabilities
 
 Optional Packages:
@@ -3002,6 +3033,17 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
 
 
 #
+# gcc's optimiser is broken at -02 for ultrasparc
+#
+if test "$ac_env_CFLAGS_set" != set -a "X$GCC" = "Xyes"; then
+	case "$host" in
+	sparc-*)
+		CCFLAGS="-g -O1"
+		;;
+	esac
+fi
+
+#
 # OS dependent CC flags
 #
 case "$host" in
@@ -3449,7 +3491,8 @@ fi
 
 
 
-for ac_header in fcntl.h sys/time.h unistd.h sys/sockio.h sys/select.h sys/param.h sys/sysctl.h
+
+for ac_header in fcntl.h sys/time.h unistd.h sys/sockio.h sys/select.h sys/param.h sys/sysctl.h net/if6.h
 do
 as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
 echo "$as_me:$LINENO: checking for $ac_header" >&5
@@ -4062,9 +4105,9 @@ _ACEOF
 
 fi
 
-echo "$as_me:$LINENO: checking for uintptr_t" >&5
-echo $ECHO_N "checking for uintptr_t... $ECHO_C" >&6
-if test "${ac_cv_type_uintptr_t+set}" = set; then
+echo "$as_me:$LINENO: checking whether time.h and sys/time.h may both be included" >&5
+echo $ECHO_N "checking whether time.h and sys/time.h may both be included... $ECHO_C" >&6
+if test "${ac_cv_header_time+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
@@ -4073,14 +4116,15 @@ _ACEOF
 cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
-$ac_includes_default
+#include <sys/types.h>
+#include <sys/time.h>
+#include <time.h>
+
 int
 main ()
 {
-if ((uintptr_t *) 0)
-  return 0;
-if (sizeof (uintptr_t))
-  return 0;
+if ((struct tm *) 0)
+return 0;
   ;
   return 0;
 }
@@ -4107,50 +4151,38 @@ if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; }; then
-  ac_cv_type_uintptr_t=yes
+  ac_cv_header_time=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_type_uintptr_t=no
+ac_cv_header_time=no
 fi
 rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_type_uintptr_t" >&5
-echo "${ECHO_T}$ac_cv_type_uintptr_t" >&6
-if test $ac_cv_type_uintptr_t = yes; then
-  :
-else
+echo "$as_me:$LINENO: result: $ac_cv_header_time" >&5
+echo "${ECHO_T}$ac_cv_header_time" >&6
+if test $ac_cv_header_time = yes; then
 
-cat >>confdefs.h <<_ACEOF
-#define uintptr_t unsigned long
+cat >>confdefs.h <<\_ACEOF
+#define TIME_WITH_SYS_TIME 1
 _ACEOF
 
 fi
 
-echo "$as_me:$LINENO: checking for socklen_t" >&5
-echo $ECHO_N "checking for socklen_t... $ECHO_C" >&6
-if test "${ac_cv_type_socklen_t+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
+echo "$as_me:$LINENO: checking for long long" >&5
+echo $ECHO_N "checking for long long... $ECHO_C" >&6
+cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
 cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 
-#include <sys/types.h>
-#include <sys/socket.h>
-
-
 int
 main ()
 {
-if ((socklen_t *) 0)
-  return 0;
-if (sizeof (socklen_t))
-  return 0;
+long long i = 0; return (0);
   ;
   return 0;
 }
@@ -4177,24 +4209,25 @@ if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; }; then
-  ac_cv_type_socklen_t=yes
+  echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+		ISC_PLATFORM_HAVELONGLONG="#define ISC_PLATFORM_HAVELONGLONG 1"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_type_socklen_t=no
+echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+		ISC_PLATFORM_HAVELONGLONG="#undef ISC_PLATFORM_HAVELONGLONG"
 fi
 rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_type_socklen_t" >&5
-echo "${ECHO_T}$ac_cv_type_socklen_t" >&6
-if test $ac_cv_type_socklen_t = yes; then
-  cat >>confdefs.h <<\_ACEOF
-#define ISC_SOCKADDR_LEN_T socklen_t
-_ACEOF
 
-else
 
+#
+# check if we have lifconf
+#
+echo "$as_me:$LINENO: checking for struct lifconf" >&5
+echo $ECHO_N "checking for struct lifconf... $ECHO_C" >&6
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -4204,134 +4237,16 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #include <sys/types.h>
 #include <sys/socket.h>
-int getsockname(int, struct sockaddr *, size_t *);
+#include <net/if.h>
 
 int
 main ()
 {
 
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  cat >>confdefs.h <<\_ACEOF
-#define ISC_SOCKADDR_LEN_T size_t
-_ACEOF
-
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-cat >>confdefs.h <<\_ACEOF
-#define ISC_SOCKADDR_LEN_T int
-_ACEOF
-
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
-fi
+struct lifconf lifconf;
+lifconf.lifc_len = 0;
 
 
-echo "$as_me:$LINENO: checking whether time.h and sys/time.h may both be included" >&5
-echo $ECHO_N "checking whether time.h and sys/time.h may both be included... $ECHO_C" >&6
-if test "${ac_cv_header_time+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <sys/types.h>
-#include <sys/time.h>
-#include <time.h>
-
-int
-main ()
-{
-if ((struct tm *) 0)
-return 0;
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_header_time=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_header_time=no
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_header_time" >&5
-echo "${ECHO_T}$ac_cv_header_time" >&6
-if test $ac_cv_header_time = yes; then
-
-cat >>confdefs.h <<\_ACEOF
-#define TIME_WITH_SYS_TIME 1
-_ACEOF
-
-fi
-
-echo "$as_me:$LINENO: checking for long long" >&5
-echo $ECHO_N "checking for long long... $ECHO_C" >&6
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-int
-main ()
-{
-long long i = 0; return (0);
   ;
   return 0;
 }
@@ -4360,18 +4275,19 @@ if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
   (exit $ac_status); }; }; then
   echo "$as_me:$LINENO: result: yes" >&5
 echo "${ECHO_T}yes" >&6
-		ISC_PLATFORM_HAVELONGLONG="#define ISC_PLATFORM_HAVELONGLONG 1"
+		ISC_PLATFORM_HAVELIFCONF="#define ISC_PLATFORM_HAVELIFCONF 1"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 echo "$as_me:$LINENO: result: no" >&5
 echo "${ECHO_T}no" >&6
-		ISC_PLATFORM_HAVELONGLONG="#undef ISC_PLATFORM_HAVELONGLONG"
+		ISC_PLATFORM_HAVELIFCONF="#undef ISC_PLATFORM_HAVELIFCONF"
 fi
 rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
 
 
+
 #
 # check if we need to #include sys/select.h explicitly
 #
@@ -4697,7 +4613,6 @@ esac
 #
 # was --with-openssl specified?
 #
-OPENSSL_WARNING=
 echo "$as_me:$LINENO: checking for OpenSSL library" >&5
 echo $ECHO_N "checking for OpenSSL library... $ECHO_C" >&6
 
@@ -4720,7 +4635,7 @@ echo "${ECHO_T}no" >&6
 		if test "$use_openssl" = "yes"
 		then
 		    	# User did not specify a path - guess it
-			openssldirs="/usr /usr/local /usr/local/ssl /usr/pkg /usr/sfw"
+			openssldirs="/usr /usr/local /usr/local/ssl /usr/pkg"
 			for d in $openssldirs
 			do
 				if test -f $d/include/openssl/opensslv.h
@@ -4739,24 +4654,15 @@ echo "$as_me: error: OpenSSL was not found in any of $openssldirs; use --with-op
 			fi
 		fi
 		USE_OPENSSL='-DOPENSSL'
-		if test "$use_openssl" = "/usr"
-		then
-			DST_OPENSSL_INC=""
-			DNS_OPENSSL_LIBS="-lcrypto"
-		else
-			DST_OPENSSL_INC="-I$use_openssl/include"
-			case $host in
-			*-solaris*)
-				DNS_OPENSSL_LIBS="-L$use_openssl/lib -R$use_openssl/lib -lcrypto"
-				;;
-			*-hp-hpux*)
-				DNS_OPENSSL_LIBS="-L$use_openssl/lib -Wl,+b: -lcrypto"
-				;;
-			*)
-				DNS_OPENSSL_LIBS="-L$use_openssl/lib -lcrypto"
-				;;
-			esac
-		fi
+		DST_OPENSSL_INC="-I$use_openssl/include"
+		case $host in
+		*-solaris*)
+			DNS_OPENSSL_LIBS="-L$use_openssl/lib -R$use_openssl/lib -lcrypto"
+			;;
+		*)
+			DNS_OPENSSL_LIBS="-L$use_openssl/lib -lcrypto"
+			;;
+		esac
 		echo "$as_me:$LINENO: result: using openssl from $use_openssl/lib and $use_openssl/include" >&5
 echo "${ECHO_T}using openssl from $use_openssl/lib and $use_openssl/include" >&6
 
@@ -4925,14 +4831,103 @@ fi
 rm -f conftest.err conftest.$ac_objext \
       conftest$ac_exeext conftest.$ac_ext
 
-# Check whether --enable-openssl-version-check or --disable-openssl-version-check was given.
-if test "${enable_openssl_version_check+set}" = set; then
-  enableval="$enable_openssl_version_check"
+#
+#	OpenSSLDie is new with CERT CS-2002-23.  If we see it we have may
+#	have a patched library otherwise check that we are greater than
+#	the fixed versions
+#
+		echo "$as_me:$LINENO: checking for OpenSSLDie" >&5
+echo $ECHO_N "checking for OpenSSLDie... $ECHO_C" >&6
+if test "${ac_cv_func_OpenSSLDie+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+/* Define OpenSSLDie to an innocuous variant, in case <limits.h> declares OpenSSLDie.
+   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
+#define OpenSSLDie innocuous_OpenSSLDie
 
-fi;
-case "$enable_openssl_version_check" in
-yes|'')
-		echo "$as_me:$LINENO: checking OpenSSL library version" >&5
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char OpenSSLDie (); below.
+    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+    <limits.h> exists even on freestanding compilers.  */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef OpenSSLDie
+
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char OpenSSLDie ();
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_OpenSSLDie) || defined (__stub___OpenSSLDie)
+choke me
+#else
+char (*f) () = OpenSSLDie;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != OpenSSLDie;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+  (eval $ac_link) 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+	 { ac_try='test -z "$ac_c_werror_flag"
+			 || test ! -s conftest.err'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; } &&
+	 { ac_try='test -s conftest$ac_exeext'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  ac_cv_func_OpenSSLDie=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_OpenSSLDie=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+      conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_OpenSSLDie" >&5
+echo "${ECHO_T}$ac_cv_func_OpenSSLDie" >&6
+if test $ac_cv_func_OpenSSLDie = yes; then
+  echo "$as_me:$LINENO: checking OpenSSL library version" >&5
 echo $ECHO_N "checking OpenSSL library version... $ECHO_C" >&6
 		if test "$cross_compiling" = yes; then
   echo "$as_me:$LINENO: result: assuming target platform has compatible version" >&5
@@ -4948,14 +4943,11 @@ cat >>conftest.$ac_ext <<_ACEOF
 #include <stdio.h>
 #include <openssl/opensslv.h>
 int main() {
-	if ((OPENSSL_VERSION_NUMBER >= 0x009070cfL &&
-	     OPENSSL_VERSION_NUMBER < 0x00908000L) ||
-	    OPENSSL_VERSION_NUMBER >= 0x0090804fL)
+        if (OPENSSL_VERSION_NUMBER >= 0x0090581fL)
                 return (0);
 	printf("\n\nFound   OPENSSL_VERSION_NUMBER %#010x\n",
 		OPENSSL_VERSION_NUMBER);
-	printf("Require OPENSSL_VERSION_NUMBER 0x009070cf or greater (0.9.7l)\n"
-	       "Require OPENSSL_VERSION_NUMBER 0x0090804f or greater (0.9.8d)\n\n");
+	printf("Require OPENSSL_VERSION_NUMBER 0x0090581f or greater\n\n");
         return (1);
 }
 
@@ -4981,17 +4973,72 @@ sed 's/^/| /' conftest.$ac_ext >&5
 ( exit $ac_status )
 echo "$as_me:$LINENO: result: not compatible" >&5
 echo "${ECHO_T}not compatible" >&6
-                 OPENSSL_WARNING=yes
+		 { { echo "$as_me:$LINENO: error: you need OpenSSL 0.9.5a or newer" >&5
+echo "$as_me: error: you need OpenSSL 0.9.5a or newer" >&2;}
+   { (exit 1); exit 1; }; }
+fi
+rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+fi
 
+else
+  echo "$as_me:$LINENO: result: did not find fixes for CERT CA-2002-23" >&5
+echo "${ECHO_T}did not find fixes for CERT CA-2002-23" >&6
+		echo "$as_me:$LINENO: checking OpenSSL library version" >&5
+echo $ECHO_N "checking OpenSSL library version... $ECHO_C" >&6
+		if test "$cross_compiling" = yes; then
+  echo "$as_me:$LINENO: result: assuming target platform has compatible version" >&5
+echo "${ECHO_T}assuming target platform has compatible version" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+#include <stdio.h>
+#include <openssl/opensslv.h>
+int main() {
+        if ((OPENSSL_VERSION_NUMBER >= 0x0090605fL &&
+	     OPENSSL_VERSION_NUMBER < 0x009070000L) ||
+	     OPENSSL_VERSION_NUMBER >= 0x00907003L)
+                return (0);
+	printf("\n\nFound   OPENSSL_VERSION_NUMBER %#010x\n",
+		OPENSSL_VERSION_NUMBER);
+	printf("Require OPENSSL_VERSION_NUMBER 0x0090605f or greater (0.9.6e)\n"
+	       "Require OPENSSL_VERSION_NUMBER 0x00907003 or greater (0.9.7-beta2)\n\n");
+        return (1);
+}
+
+_ACEOF
+rm -f conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  echo "$as_me:$LINENO: result: ok" >&5
+echo "${ECHO_T}ok" >&6
+else
+  echo "$as_me: program exited with status $ac_status" >&5
+echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+( exit $ac_status )
+echo "$as_me:$LINENO: result: not compatible" >&5
+echo "${ECHO_T}not compatible" >&6
+		 { { echo "$as_me:$LINENO: error: you need OpenSSL 0.9.6e/0.9.7-beta2 (or newer): CERT CA-2002-23" >&5
+echo "$as_me: error: you need OpenSSL 0.9.6e/0.9.7-beta2 (or newer): CERT CA-2002-23" >&2;}
+   { (exit 1); exit 1; }; }
 fi
 rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
 fi
-;;
-no)
-	echo "$as_me:$LINENO: result: Skipped OpenSSL version check" >&5
-echo "${ECHO_T}Skipped OpenSSL version check" >&6
-;;
-esac
+fi
 
 		CFLAGS="$saved_cflags"
 		LIBS="$saved_libs"
@@ -5005,7 +5052,7 @@ esac
 
 
 
-
+DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DNS_OPENSSL_LIBS"
 
 #
 # was --with-gssapi specified?
@@ -5039,6 +5086,12 @@ DNS_GSSAPI_LIBS=''
 
 
 
+DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DNS_GSSAPI_LIBS"
+
+#
+# Applications linking with libdns also need to link with these libraries.
+#
+
 
 
 #
@@ -5375,374 +5428,6 @@ echo "${ECHO_T}mit-pthreads/unproven-pthreads" >&6
 			fi
 		fi
 		;;
-		*-freebsd*)
-			# We don't want to set -lpthread as that break
-			# the ability to choose threads library at final
-			# link time and is not valid for all architectures.
-
-			PTHREAD=
-			if test "X$GCC" = "Xyes"; then
-				saved_cc="$CC"
-				CC="$CC -pthread"
-				echo "$as_me:$LINENO: checking for gcc -pthread support" >&5
-echo $ECHO_N "checking for gcc -pthread support... $ECHO_C" >&6;
-				cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <pthread.h>
-int
-main ()
-{
-printf("%x\n", pthread_create);
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  PTHREAD="yes"
-					    echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-fi
-rm -f conftest.err conftest.$ac_objext \
-      conftest$ac_exeext conftest.$ac_ext
-				CC="$saved_cc"
-			fi
-			if test "X$PTHREAD" != "Xyes"; then
-
-echo "$as_me:$LINENO: checking for pthread_create in -lpthread" >&5
-echo $ECHO_N "checking for pthread_create in -lpthread... $ECHO_C" >&6
-if test "${ac_cv_lib_pthread_pthread_create+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-lpthread  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-/* Override any gcc2 internal prototype to avoid an error.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
-char pthread_create ();
-int
-main ()
-{
-pthread_create ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_lib_pthread_pthread_create=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_lib_pthread_pthread_create=no
-fi
-rm -f conftest.err conftest.$ac_objext \
-      conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_pthread_pthread_create" >&5
-echo "${ECHO_T}$ac_cv_lib_pthread_pthread_create" >&6
-if test $ac_cv_lib_pthread_pthread_create = yes; then
-  cat >>confdefs.h <<_ACEOF
-#define HAVE_LIBPTHREAD 1
-_ACEOF
-
-  LIBS="-lpthread $LIBS"
-
-else
-
-echo "$as_me:$LINENO: checking for thread_create in -lthr" >&5
-echo $ECHO_N "checking for thread_create in -lthr... $ECHO_C" >&6
-if test "${ac_cv_lib_thr_thread_create+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-lthr  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-/* Override any gcc2 internal prototype to avoid an error.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
-char thread_create ();
-int
-main ()
-{
-thread_create ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_lib_thr_thread_create=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_lib_thr_thread_create=no
-fi
-rm -f conftest.err conftest.$ac_objext \
-      conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_thr_thread_create" >&5
-echo "${ECHO_T}$ac_cv_lib_thr_thread_create" >&6
-if test $ac_cv_lib_thr_thread_create = yes; then
-  cat >>confdefs.h <<_ACEOF
-#define HAVE_LIBTHR 1
-_ACEOF
-
-  LIBS="-lthr $LIBS"
-
-else
-
-echo "$as_me:$LINENO: checking for pthread_create in -lc_r" >&5
-echo $ECHO_N "checking for pthread_create in -lc_r... $ECHO_C" >&6
-if test "${ac_cv_lib_c_r_pthread_create+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-lc_r  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-/* Override any gcc2 internal prototype to avoid an error.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
-char pthread_create ();
-int
-main ()
-{
-pthread_create ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_lib_c_r_pthread_create=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_lib_c_r_pthread_create=no
-fi
-rm -f conftest.err conftest.$ac_objext \
-      conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_c_r_pthread_create" >&5
-echo "${ECHO_T}$ac_cv_lib_c_r_pthread_create" >&6
-if test $ac_cv_lib_c_r_pthread_create = yes; then
-  cat >>confdefs.h <<_ACEOF
-#define HAVE_LIBC_R 1
-_ACEOF
-
-  LIBS="-lc_r $LIBS"
-
-else
-
-echo "$as_me:$LINENO: checking for pthread_create in -lc" >&5
-echo $ECHO_N "checking for pthread_create in -lc... $ECHO_C" >&6
-if test "${ac_cv_lib_c_pthread_create+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-lc  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-/* Override any gcc2 internal prototype to avoid an error.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
-char pthread_create ();
-int
-main ()
-{
-pthread_create ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_lib_c_pthread_create=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_lib_c_pthread_create=no
-fi
-rm -f conftest.err conftest.$ac_objext \
-      conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_c_pthread_create" >&5
-echo "${ECHO_T}$ac_cv_lib_c_pthread_create" >&6
-if test $ac_cv_lib_c_pthread_create = yes; then
-  cat >>confdefs.h <<_ACEOF
-#define HAVE_LIBC 1
-_ACEOF
-
-  LIBS="-lc $LIBS"
-
-else
-  { { echo "$as_me:$LINENO: error: \"could not find thread libraries\"" >&5
-echo "$as_me: error: \"could not find thread libraries\"" >&2;}
-   { (exit 1); exit 1; }; }
-fi
-
-fi
-
-fi
-
-fi
-
-			fi
-			;;
 		*)
 
 echo "$as_me:$LINENO: checking for pthread_create in -lpthread" >&5
@@ -6128,146 +5813,10 @@ fi
 
 if $use_threads
 then
-	if test "X$GCC" = "Xyes"; then
-		case "$host" in
-		*-freebsd*)
-			CC="$CC -pthread"
-			CCOPT="$CCOPT -pthread"
-			STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
-			;;
-		*-openbsd*)
-			CC="$CC -pthread"
-			CCOPT="$CCOPT -pthread"
-			;;
-		*-solaris*)
-			LIBS="$LIBS -lthread"
-			;;
-		*-ibm-aix*)
-			STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
-			;;
-		esac
-	else
-		case $host in
-		*-dec-osf*)
-			CC="$CC -pthread"
-			CCOPT="$CCOPT -pthread"
-			;;
-		*-solaris*)
-			CC="$CC -mt"
-			CCOPT="$CCOPT -mt"
-			;;
-		*-ibm-aix*)
-			STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
-			;;
-		*-sco-sysv*uw*)
-			CC="$CC -Kthread"
-			CCOPT="$CCOPT -Kthread"
-			;;
-		esac
-	fi
-	ALWAYS_DEFINES="-D_REENTRANT"
-	ISC_PLATFORM_USETHREADS="#define ISC_PLATFORM_USETHREADS 1"
-	thread_dir=pthreads
 	#
 	# We'd like to use sigwait() too
 	#
-	echo "$as_me:$LINENO: checking for sigwait" >&5
-echo $ECHO_N "checking for sigwait... $ECHO_C" >&6
-if test "${ac_cv_func_sigwait+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-/* Define sigwait to an innocuous variant, in case <limits.h> declares sigwait.
-   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
-#define sigwait innocuous_sigwait
-
-/* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char sigwait (); below.
-    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
-    <limits.h> exists even on freestanding compilers.  */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef sigwait
-
-/* Override any gcc2 internal prototype to avoid an error.  */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
-char sigwait ();
-/* The GNU C library defines this for functions which it implements
-    to always fail with ENOSYS.  Some functions are actually named
-    something starting with __ and the normal name is an alias.  */
-#if defined (__stub_sigwait) || defined (__stub___sigwait)
-choke me
-#else
-char (*f) () = sigwait;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != sigwait;
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_func_sigwait=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_sigwait=no
-fi
-rm -f conftest.err conftest.$ac_objext \
-      conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_sigwait" >&5
-echo "${ECHO_T}$ac_cv_func_sigwait" >&6
-if test $ac_cv_func_sigwait = yes; then
-  cat >>confdefs.h <<\_ACEOF
-#define HAVE_SIGWAIT 1
-_ACEOF
-
-else
-  echo "$as_me:$LINENO: checking for sigwait in -lc" >&5
+	echo "$as_me:$LINENO: checking for sigwait in -lc" >&5
 echo $ECHO_N "checking for sigwait in -lc... $ECHO_C" >&6
 if test "${ac_cv_lib_c_sigwait+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -6480,7 +6029,6 @@ fi
 
 fi
 
-fi
 
 fi
 
@@ -6760,21 +6308,6 @@ _ACEOF
 
 fi
 
-			case $host in
-			*-freebsd5.[012]|*-freebsd5.[012].*);;
-			*-freebsd5.[3456789]|*-freebsd5.[3456789].*)
-				cat >>confdefs.h <<\_ACEOF
-#define NEED_PTHREAD_SCOPE_SYSTEM 1
-_ACEOF
-
-				;;
-			*-freebsd6.*)
-				cat >>confdefs.h <<\_ACEOF
-#define NEED_PTHREAD_SCOPE_SYSTEM 1
-_ACEOF
-
-				;;
-			esac
 			;;
 		#
 		# BSDI 3.0 through 4.0.1 needs pthread_init() to be
@@ -6907,7 +6440,7 @@ fi
 		#
 		# UnixWare does things its own way.
 		#
-		*-sco-sysv*uw*)
+		*-sco-sysv*uw*|*-*-sysv*UnixWare*|*-*-sysv*OpenUNIX*)
 			cat >>confdefs.h <<\_ACEOF
 #define HAVE_UNIXWARE_SIGWAIT 1
 _ACEOF
@@ -7016,6 +6549,50 @@ _ACEOF
 fi
 
 
+	if test "X$GCC" = "Xyes"; then
+		case "$host" in
+		*-freebsd*)
+			CC="$CC -pthread"
+			CCOPT="$CCOPT -pthread"
+			STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
+			;;
+		*-openbsd*)
+			CC="$CC -pthread"
+			CCOPT="$CCOPT -pthread"
+			;;
+		*-solaris*)
+			LIBS="$LIBS -lthread"
+			;;
+		*-ibm-aix*)
+			STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
+			;;
+		esac
+	else
+		case $host in
+		*-dec-osf*)
+			CC="$CC -pthread"
+			CCOPT="$CCOPT -pthread"
+			;;
+		*-solaris*)
+			CC="$CC -mt"
+			CCOPT="$CCOPT -mt"
+			;;
+		*-ibm-aix*)
+			STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
+			;;
+		*-sco-sysv*uw*|*-*-sysv*UnixWare*)
+			CC="$CC -Kthread"
+			CCOPT="$CCOPT -Kthread"
+			;;
+		*-*-sysv*OpenUNIX*)
+			CC="$CC -Kpthread"
+			CCOPT="$CCOPT -Kpthread"
+			;;
+		esac
+	fi
+	ALWAYS_DEFINES="-D_REENTRANT"
+	ISC_PLATFORM_USETHREADS="#define ISC_PLATFORM_USETHREADS 1"
+	thread_dir=pthreads
 else
 	ISC_PLATFORM_USETHREADS="#undef ISC_PLATFORM_USETHREADS"
 	thread_dir=nothreads
@@ -7024,85 +6601,8 @@ fi
 
 
 
-ISC_THREAD_DIR=$thread_dir
-
-
-#
-# In solaris 10, SMF can manage named service
-#
-
-echo "$as_me:$LINENO: checking for smf_enable_instance in -lscf" >&5
-echo $ECHO_N "checking for smf_enable_instance in -lscf... $ECHO_C" >&6
-if test "${ac_cv_lib_scf_smf_enable_instance+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-lscf  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-/* Override any gcc2 internal prototype to avoid an error.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
-char smf_enable_instance ();
-int
-main ()
-{
-smf_enable_instance ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_lib_scf_smf_enable_instance=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_lib_scf_smf_enable_instance=no
-fi
-rm -f conftest.err conftest.$ac_objext \
-      conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_scf_smf_enable_instance" >&5
-echo "${ECHO_T}$ac_cv_lib_scf_smf_enable_instance" >&6
-if test $ac_cv_lib_scf_smf_enable_instance = yes; then
-  cat >>confdefs.h <<_ACEOF
-#define HAVE_LIBSCF 1
-_ACEOF
-
-  LIBS="-lscf $LIBS"
 
-fi
+ISC_THREAD_DIR=$thread_dir
 
 
 #
@@ -7323,6 +6823,24 @@ fi
 #
 
 #
+# Large File
+#
+# Check whether --enable-largefile or --disable-largefile was given.
+if test "${enable_largefile+set}" = set; then
+  enableval="$enable_largefile"
+  want_largefile="yes"
+else
+  want_largefile="no"
+fi;
+case $want_largefile in
+	yes)
+		ALWAYS_DEFINES="$ALWAYS_DEFINES -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64"
+		;;
+	*)
+		;;
+esac
+
+#
 # Additional compiler settings.
 #
 MKDEPCC="$CC"
@@ -7330,70 +6848,7 @@ MKDEPCFLAGS="-M"
 IRIX_DNSSEC_WARNINGS_HACK=""
 
 if test "X$GCC" = "Xyes"; then
-	echo "$as_me:$LINENO: checking if \"$CC\" supports -fno-strict-aliasing" >&5
-echo $ECHO_N "checking if \"$CC\" supports -fno-strict-aliasing... $ECHO_C" >&6
-	SAVE_CFLAGS=$CFLAGS
-	CFLAGS=-fno-strict-aliasing
-	cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-int
-main ()
-{
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  FNOSTRICTALIASING=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-FNOSTRICTALIASING=no
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-	CFLAGS=$SAVE_CFLAGS
-	if test "$FNOSTRICTALIASING" = "yes"; then
-		echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
-	STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith -fno-strict-aliasing"
-	else
-		echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-	STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith"
-	fi
-	case "$host" in
-	*-hp-hpux*)
-		LDFLAGS="-Wl,+vnocompatwarnings $LDFLAGS"
-		;;
-	esac
+	STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat"
 else
 	case $host in
 	*-dec-osf*)
@@ -7413,11 +6868,11 @@ else
 			;;
 		*)
 			# Turn off the pointlessly noisy warnings.
-			STD_CWARNINGS="+w1 +W 474,530,2193,2236"
+			STD_CWARNINGS="+w1 +W 474,530"
 			;;
 		esac
 		CCOPT="$CCOPT -Ae -z"
-		LDFLAGS="-Wl,+vnocompatwarnings $LDFLAGS"
+		LIBS="-Wl,+vnocompatwarnings $LIBS"
 		MKDEPPROG='cc -Ae -E -Wp,-M >/dev/null 2>>$TMP'
 		;;
 	*-sgi-irix*)
@@ -7434,7 +6889,7 @@ else
 	*-solaris*)
 		MKDEPCFLAGS="-xM"
 		;;
-	*-sco-sysv*uw*)
+	*-sco-sysv*uw*|*-*-sysv*UnixWare*|*-*-sysv*OpenUNIX*)
                 # UnixWare
 		CC="$CC -w"
 		;;
@@ -7944,10 +7399,10 @@ for lt_ac_sed in $lt_ac_sed_list /usr/xpg4/bin/sed; do
     fi
   done
 done
+SED=$lt_cv_path_SED
 
 fi
 
-SED=$lt_cv_path_SED
 echo "$as_me:$LINENO: result: $SED" >&5
 echo "${ECHO_T}$SED" >&6
 
@@ -8073,15 +7528,6 @@ case $reload_flag in
 *) reload_flag=" $reload_flag" ;;
 esac
 reload_cmds='$LD$reload_flag -o $output$reload_objs'
-case $host_os in
-  darwin*)
-    if test "$GCC" = yes; then
-      reload_cmds='$CC -nostdlib ${wl}-r -o $output$reload_objs'
-    else
-      reload_cmds='$LD$reload_flag -o $output$reload_objs'
-    fi
-    ;;
-esac
 
 echo "$as_me:$LINENO: checking for BSD-compatible nm" >&5
 echo $ECHO_N "checking for BSD-compatible nm... $ECHO_C" >&6
@@ -8168,21 +7614,21 @@ beos*)
   lt_cv_deplibs_check_method=pass_all
   ;;
 
-bsdi[45]*)
+bsdi4*)
   lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [ML]SB (shared object|dynamic lib)'
   lt_cv_file_magic_cmd='/usr/bin/file -L'
   lt_cv_file_magic_test_file=/shlib/libc.so
   ;;
 
 cygwin*)
-  # func_win32_libid is a shell function defined in ltmain.sh
+  # win32_libid is a shell function defined in ltmain.sh
   lt_cv_deplibs_check_method='file_magic ^x86 archive import|^x86 DLL'
-  lt_cv_file_magic_cmd='func_win32_libid'
+  lt_cv_file_magic_cmd='win32_libid'
   ;;
 
 mingw* | pw32*)
   # Base MSYS/MinGW do not provide the 'file' command needed by
-  # func_win32_libid shell function, so use a weaker test based on 'objdump'.
+  # win32_libid shell function, so use a weaker test based on 'objdump'.
   lt_cv_deplibs_check_method='file_magic file format pei*-i386(.*architecture: i386)?'
   lt_cv_file_magic_cmd='$OBJDUMP -f'
   ;;
@@ -8241,6 +7687,15 @@ irix5* | irix6* | nonstopux*)
 
 # This must be Linux ELF.
 linux*)
+  case $host_cpu in
+  alpha*|hppa*|i*86|ia64*|m68*|mips*|powerpc*|sparc*|s390*|sh*)
+    lt_cv_deplibs_check_method=pass_all ;;
+  *)
+    # glibc up to 2.1.1 does not perform some relocations on ARM
+    # this will be overridden with pass_all, but let us keep it just in case
+    lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [LM]SB (shared object|dynamic lib )' ;;
+  esac
+  lt_cv_file_magic_test_file=`echo /lib/libc.so* /lib/libc-*.so`
   lt_cv_deplibs_check_method=pass_all
   ;;
 
@@ -8263,10 +7718,12 @@ nto-qnx*)
   ;;
 
 openbsd*)
+  lt_cv_file_magic_cmd=/usr/bin/file
+  lt_cv_file_magic_test_file=`echo /usr/lib/libc.so.*`
   if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
-    lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so\.[0-9]+\.[0-9]+|\.so|_pic\.a)$'
+    lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [LM]SB shared object'
   else
-    lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so\.[0-9]+\.[0-9]+|_pic\.a)$'
+    lt_cv_deplibs_check_method='file_magic OpenBSD.* shared library'
   fi
   ;;
 
@@ -8358,7 +7815,7 @@ ia64-*-hpux*)
   ;;
 *-*-irix6*)
   # Find out which ABI we are using.
-  echo '#line 8361 "configure"' > conftest.$ac_ext
+  echo '#line 7818 "configure"' > conftest.$ac_ext
   if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
   (eval $ac_compile) 2>&5
   ac_status=$?
@@ -9025,12 +8482,7 @@ ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5'
 ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
 ac_compiler_gnu=$ac_cv_cxx_compiler_gnu
 
-
-
-if test -n "$CXX" && ( test "X$CXX" != "Xno" &&
-    ( (test "X$CXX" = "Xg++" && `g++ -v >/dev/null 2>&1` ) ||
-    (test "X$CXX" != "Xg++"))) ; then
-  ac_ext=cc
+ac_ext=cc
 ac_cpp='$CXXCPP $CPPFLAGS'
 ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5'
 ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
@@ -9260,8 +8712,6 @@ ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5'
 ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
 ac_compiler_gnu=$ac_cv_cxx_compiler_gnu
 
-fi
-
 
 ac_ext=f
 ac_compile='$F77 -c $FFLAGS conftest.$ac_ext >&5'
@@ -9355,7 +8805,7 @@ fi
 
 
 # Provide some information about the compiler.
-echo "$as_me:9358:" \
+echo "$as_me:8808:" \
      "checking for Fortran 77 compiler version" >&5
 ac_compiler=`set X $ac_compile; echo $2`
 { (eval echo "$as_me:$LINENO: \"$ac_compiler --version </dev/null >&5\"") >&5
@@ -9510,7 +8960,7 @@ if test "${lt_cv_sys_max_cmd_len+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
     i=0
-  teststring="ABCD"
+  testring="ABCD"
 
   case $build_os in
   msdosdjgpp*)
@@ -9545,34 +8995,20 @@ else
     lt_cv_sys_max_cmd_len=8192;
     ;;
 
-  netbsd* | freebsd* | openbsd* | darwin* )
-    # This has been around since 386BSD, at least.  Likely further.
-    if test -x /sbin/sysctl; then
-      lt_cv_sys_max_cmd_len=`/sbin/sysctl -n kern.argmax`
-    elif test -x /usr/sbin/sysctl; then
-      lt_cv_sys_max_cmd_len=`/usr/sbin/sysctl -n kern.argmax`
-    else
-      lt_cv_sys_max_cmd_len=65536 # usable default for *BSD
-    fi
-    # And add a safety zone
-    lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4`
-    ;;
-
  *)
     # If test is not a shell built-in, we'll probably end up computing a
     # maximum length that is only half of the actual maximum length, but
     # we can't tell.
-    SHELL=${SHELL-${CONFIG_SHELL-/bin/sh}}
-    while (test "X"`$SHELL $0 --fallback-echo "X$teststring" 2>/dev/null` \
-	       = "XX$teststring") >/dev/null 2>&1 &&
-	    new_result=`expr "X$teststring" : ".*" 2>&1` &&
+    while (test "X"`$CONFIG_SHELL $0 --fallback-echo "X$testring" 2>/dev/null` \
+	       = "XX$testring") >/dev/null 2>&1 &&
+	    new_result=`expr "X$testring" : ".*" 2>&1` &&
 	    lt_cv_sys_max_cmd_len=$new_result &&
 	    test $i != 17 # 1/2 MB should be enough
     do
       i=`expr $i + 1`
-      teststring=$teststring$teststring
+      testring=$testring$testring
     done
-    teststring=
+    testring=
     # Add a significant safety factor because C++ compilers can tack on massive
     # amounts of additional arguments before passing them to the linker.
     # It appears as though 1/2 is a usable value.
@@ -9633,13 +9069,6 @@ hpux*) # Its linker distinguishes data from code symbols
   lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern int \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'"
   lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([^ ]*\) $/  {\\\"\1\\\", (lt_ptr) 0},/p' -e 's/^$symcode* \([^ ]*\) \([^ ]*\)$/  {\"\2\", (lt_ptr) \&\2},/p'"
   ;;
-linux*)
-  if test "$host_cpu" = ia64; then
-    symcode='[ABCDGIRSTW]'
-    lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern int \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'"
-    lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([^ ]*\) $/  {\\\"\1\\\", (lt_ptr) 0},/p' -e 's/^$symcode* \([^ ]*\) \([^ ]*\)$/  {\"\2\", (lt_ptr) \&\2},/p'"
-  fi
-  ;;
 irix* | nonstopux*)
   symcode='[BCDEGRST]'
   ;;
@@ -10139,8 +9568,6 @@ if test -n "$RANLIB"; then
   old_archive_cmds="$old_archive_cmds~\$RANLIB \$oldlib"
 fi
 
-cc_basename=`$echo X"$compiler" | $Xsed -e 's%^.*/%%'`
-
 # Only perform the check for file, if the check method requires it
 case $deplibs_check_method in
 file_magic*)
@@ -10416,11 +9843,11 @@ else
    -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:10419: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:9846: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:10423: \$? = $ac_status" >&5
+   echo "$as_me:9850: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings
@@ -10527,16 +9954,6 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6
 	lt_prog_compiler_static='-bnso -bI:/lib/syscalls.exp'
       fi
       ;;
-      darwin*)
-        # PIC is the default on this platform
-        # Common symbols not allowed in MH_DYLIB files
-       case "$cc_basename" in
-         xlc*)
-         lt_prog_compiler_pic='-qnocommon'
-         lt_prog_compiler_wl='-Wl,'
-         ;;
-       esac
-       ;;
 
     mingw* | pw32* | os2*)
       # This hack is so that the source file can tell whether it is being
@@ -10659,11 +10076,11 @@ else
    -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:10662: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:10079: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:10666: \$? = $ac_status" >&5
+   echo "$as_me:10083: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings
@@ -10719,11 +10136,11 @@ else
    -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:10722: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:10139: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:10726: \$? = $ac_status" >&5
+   echo "$as_me:10143: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -10935,7 +10352,7 @@ EOF
       ;;
 
   linux*)
-    if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+    if $LD --help 2>&1 | egrep ': supported targets:.* elf' > /dev/null; then
         tmp_archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
 	archive_cmds="$tmp_archive_cmds"
       supports_anon_versioning=no
@@ -11223,7 +10640,7 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       ld_shlibs=no
       ;;
 
-    bsdi[45]*)
+    bsdi4*)
       export_dynamic_flag_spec=-rdynamic
       ;;
 
@@ -11237,7 +10654,7 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       # Tell ltmain to make .lib files, not .a files.
       libext=lib
       # Tell ltmain to make .dll files, not .so files.
-      shrext_cmds=".dll"
+      shrext=".dll"
       # FIXME: Setting linknames here is a bad hack.
       archive_cmds='$CC -o $lib $libobjs $compiler_flags `echo "$deplibs" | $SED -e '\''s/ -lc$//'\''` -link -dll~linknames='
       # The linker will automatically build a .lib file if we build a DLL.
@@ -11249,52 +10666,52 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       ;;
 
     darwin* | rhapsody*)
+    if test "$GXX" = yes ; then
+      archive_cmds_need_lc=no
       case "$host_os" in
-        rhapsody* | darwin1.[012])
-         allow_undefined_flag='${wl}-undefined ${wl}suppress'
-         ;;
-       *) # Darwin 1.3 on
-         if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
-           allow_undefined_flag='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
-         else
-           case ${MACOSX_DEPLOYMENT_TARGET} in
-             10.[012])
-               allow_undefined_flag='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
-               ;;
-             10.*)
-               allow_undefined_flag='${wl}-undefined ${wl}dynamic_lookup'
-               ;;
-           esac
-         fi
-         ;;
+      rhapsody* | darwin1.[012])
+	allow_undefined_flag='-undefined suppress'
+	;;
+      *) # Darwin 1.3 on
+      if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
+      	allow_undefined_flag='-flat_namespace -undefined suppress'
+      else
+        case ${MACOSX_DEPLOYMENT_TARGET} in
+          10.[012])
+            allow_undefined_flag='-flat_namespace -undefined suppress'
+            ;;
+          10.*)
+            allow_undefined_flag='-undefined dynamic_lookup'
+            ;;
+        esac
+      fi
+	;;
       esac
-      archive_cmds_need_lc=no
+    	lt_int_apple_cc_single_mod=no
+    	output_verbose_link_cmd='echo'
+    	if $CC -dumpspecs 2>&1 | grep 'single_module' >/dev/null ; then
+    	  lt_int_apple_cc_single_mod=yes
+    	fi
+    	if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
+    	  archive_cmds='$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
+    	else
+        archive_cmds='$CC -r ${wl}-bind_at_load -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
+      fi
+      module_cmds='$CC ${wl}-bind_at_load $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
+      # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
+        if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
+          archive_expsym_cmds='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+        else
+          archive_expsym_cmds='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -r ${wl}-bind_at_load -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+        fi
+          module_expsym_cmds='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
       hardcode_direct=no
       hardcode_automatic=yes
       hardcode_shlibpath_var=unsupported
-      whole_archive_flag_spec=''
+      whole_archive_flag_spec='-all_load $convenience'
       link_all_deplibs=yes
-    if test "$GCC" = yes ; then
-    	output_verbose_link_cmd='echo'
-        archive_cmds='$CC -dynamiclib $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
-      module_cmds='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
-      # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
-      archive_expsym_cmds='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-      module_expsym_cmds='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
     else
-      case "$cc_basename" in
-        xlc*)
-         output_verbose_link_cmd='echo'
-         archive_cmds='$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}`echo $rpath/$soname` $verstring'
-         module_cmds='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
-          # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
-         archive_expsym_cmds='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-          module_expsym_cmds='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-          ;;
-       *)
-         ld_shlibs=no
-          ;;
-      esac
+      ld_shlibs=no
     fi
       ;;
 
@@ -11439,7 +10856,6 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       hardcode_shlibpath_var=no
       if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
 	archive_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
-	archive_expsym_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-retain-symbols-file,$export_symbols'
 	hardcode_libdir_flag_spec='${wl}-rpath,$libdir'
 	export_dynamic_flag_spec='${wl}-E'
       else
@@ -11694,7 +11110,7 @@ echo $ECHO_N "checking dynamic linker characteristics... $ECHO_C" >&6
 library_names_spec=
 libname_spec='lib$name'
 soname_spec=
-shrext_cmds=".so"
+shrext=".so"
 postinstall_cmds=
 postuninstall_cmds=
 finish_cmds=
@@ -11791,7 +11207,7 @@ beos*)
   shlibpath_var=LIBRARY_PATH
   ;;
 
-bsdi[45]*)
+bsdi4*)
   version_type=linux
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
@@ -11807,7 +11223,7 @@ bsdi[45]*)
 
 cygwin* | mingw* | pw32*)
   version_type=windows
-  shrext_cmds=".dll"
+  shrext=".dll"
   need_version=no
   need_lib_prefix=no
 
@@ -11872,7 +11288,7 @@ darwin* | rhapsody*)
   soname_spec='${libname}${release}${major}$shared_ext'
   shlibpath_overrides_runpath=yes
   shlibpath_var=DYLD_LIBRARY_PATH
-  shrext_cmds='$(test .$module = .yes && echo .so || echo .dylib)'
+  shrext='$(test .$module = .yes && echo .so || echo .dylib)'
   # Apple's gcc prints 'gcc -print-search-dirs' doesn't operate the same.
   if test "$GCC" = yes; then
     sys_lib_search_path_spec=`$CC -print-search-dirs | tr "\n" "$PATH_SEPARATOR" | sed -e 's/libraries:/@libraries:/' | tr "@" "\n" | grep "^libraries:" | sed -e "s/^libraries://" -e "s,=/,/,g" -e "s,$PATH_SEPARATOR, ,g" -e "s,.*,& /lib /usr/lib /usr/local/lib,g"`
@@ -11955,7 +11371,7 @@ hpux9* | hpux10* | hpux11*)
   need_version=no
   case "$host_cpu" in
   ia64*)
-    shrext_cmds='.so'
+    shrext='.so'
     hardcode_into_libs=yes
     dynamic_linker="$host_os dld.so"
     shlibpath_var=LD_LIBRARY_PATH
@@ -11970,7 +11386,7 @@ hpux9* | hpux10* | hpux11*)
     sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
     ;;
    hppa*64*)
-     shrext_cmds='.sl'
+     shrext='.sl'
      hardcode_into_libs=yes
      dynamic_linker="$host_os dld.sl"
      shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
@@ -11981,7 +11397,7 @@ hpux9* | hpux10* | hpux11*)
      sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
      ;;
    *)
-    shrext_cmds='.sl'
+    shrext='.sl'
     dynamic_linker="$host_os dld.sl"
     shlibpath_var=SHLIB_PATH
     shlibpath_overrides_runpath=no # +s is required to enable SHLIB_PATH
@@ -12052,8 +11468,8 @@ linux*)
 
   # Append ld.so.conf contents to the search path
   if test -f /etc/ld.so.conf; then
-    lt_ld_extra=`$SED -e 's/:,\t/ /g;s/=^=*$//;s/=^= * / /g' /etc/ld.so.conf | tr '\n' ' '`
-    sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
+    ld_extra=`$SED -e 's/:,\t/ /g;s/=^=*$//;s/=^= * / /g' /etc/ld.so.conf`
+    sys_lib_dlsearch_path_spec="/lib /usr/lib $ld_extra"
   fi
 
   # We used to test for /lib/ld.so.1 and disable shared libraries on
@@ -12115,7 +11531,7 @@ nto-qnx*)
 openbsd*)
   version_type=sunos
   need_lib_prefix=no
-  need_version=no
+  need_version=yes
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
   finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
   shlibpath_var=LD_LIBRARY_PATH
@@ -12135,7 +11551,7 @@ openbsd*)
 
 os2*)
   libname_spec='$name'
-  shrext_cmds=".dll"
+  shrext=".dll"
   need_lib_prefix=no
   library_names_spec='$libname${shared_ext} $libname.a'
   dynamic_linker='OS/2 ld.exe'
@@ -12237,8 +11653,8 @@ echo "$as_me:$LINENO: checking how to hardcode library paths into programs" >&5
 echo $ECHO_N "checking how to hardcode library paths into programs... $ECHO_C" >&6
 hardcode_action=
 if test -n "$hardcode_libdir_flag_spec" || \
-   test -n "$runpath_var" || \
-   test "X$hardcode_automatic" = "Xyes" ; then
+   test -n "$runpath_var " || \
+   test "X$hardcode_automatic"="Xyes" ; then
 
   # We can hardcode non-existant directories.
   if test "$hardcode_direct" != no &&
@@ -12904,7 +12320,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<EOF
-#line 12907 "configure"
+#line 12323 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -13002,7 +12418,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<EOF
-#line 13005 "configure"
+#line 12421 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -13106,7 +12522,7 @@ echo "${ECHO_T}$lt_cv_dlopen_self_static" >&6
 fi
 
 
-# Report which libraries types will actually be built
+# Report which librarie types wil actually be built
 echo "$as_me:$LINENO: checking if libtool supports shared libraries" >&5
 echo $ECHO_N "checking if libtool supports shared libraries... $ECHO_C" >&6
 echo "$as_me:$LINENO: result: $can_build_shared" >&5
@@ -13127,10 +12543,47 @@ aix3*)
   fi
   ;;
 
-aix4* | aix5*)
+aix4*)
   if test "$host_cpu" != ia64 && test "$aix_use_runtimelinking" = no ; then
     test "$enable_shared" = yes && enable_static=no
   fi
+  ;;
+  darwin* | rhapsody*)
+  if test "$GCC" = yes; then
+    archive_cmds_need_lc=no
+    case "$host_os" in
+    rhapsody* | darwin1.[012])
+      allow_undefined_flag='-undefined suppress'
+      ;;
+    *) # Darwin 1.3 on
+      if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
+      	allow_undefined_flag='-flat_namespace -undefined suppress'
+      else
+        case ${MACOSX_DEPLOYMENT_TARGET} in
+          10.[012])
+            allow_undefined_flag='-flat_namespace -undefined suppress'
+            ;;
+          10.*)
+            allow_undefined_flag='-undefined dynamic_lookup'
+            ;;
+        esac
+      fi
+      ;;
+    esac
+    output_verbose_link_cmd='echo'
+    archive_cmds='$CC -dynamiclib $allow_undefined_flag -o $lib $libobjs $deplibs$compiler_flags -install_name $rpath/$soname $verstring'
+    module_cmds='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
+    # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
+    archive_expsym_cmds='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib $allow_undefined_flag  -o $lib $libobjs $deplibs$compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+    module_expsym_cmds='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+    hardcode_direct=no
+    hardcode_automatic=yes
+    hardcode_shlibpath_var=unsupported
+    whole_archive_flag_spec='-all_load $convenience'
+    link_all_deplibs=yes
+  else
+    ld_shlibs=no
+  fi
     ;;
 esac
 echo "$as_me:$LINENO: result: $enable_shared" >&5
@@ -13275,7 +12728,7 @@ Xsed="$SED -e s/^X//"
 
 # The HP-UX ksh and POSIX shell print the target directory to stdout
 # if CDPATH is set.
-(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
+if test "X\${CDPATH+set}" = Xset; then CDPATH=:; export CDPATH; fi
 
 # The names of the tagged configurations supported by this script.
 available_tags=
@@ -13366,7 +12819,7 @@ objext="$ac_objext"
 libext="$libext"
 
 # Shared library suffix (normally ".so").
-shrext_cmds='$shrext_cmds'
+shrext='$shrext'
 
 # Executable file suffix (normally "").
 exeext="$exeext"
@@ -13676,9 +13129,7 @@ echo "$as_me: error: tag name \"$tagname\" already exists" >&2;}
 
       case $tagname in
       CXX)
-	if test -n "$CXX" && ( test "X$CXX" != "Xno" &&
-	    ( (test "X$CXX" = "Xg++" && `g++ -v >/dev/null 2>&1` ) ||
-	    (test "X$CXX" != "Xg++"))) ; then
+	if test -n "$CXX" && test "X$CXX" != "Xno"; then
 	  ac_ext=cc
 ac_cpp='$CXXCPP $CPPFLAGS'
 ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5'
@@ -14153,7 +13604,6 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
     esac
     ;;
 
-
   cygwin* | mingw* | pw32*)
     # _LT_AC_TAGVAR(hardcode_libdir_flag_spec, CXX) is actually meaningless,
     # as there is no search path for DLLs.
@@ -14177,68 +13627,57 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       ld_shlibs_CXX=no
     fi
   ;;
-      darwin* | rhapsody*)
-        case "$host_os" in
-        rhapsody* | darwin1.[012])
-         allow_undefined_flag_CXX='${wl}-undefined ${wl}suppress'
-         ;;
-       *) # Darwin 1.3 on
-         if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
-           allow_undefined_flag_CXX='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
-         else
-           case ${MACOSX_DEPLOYMENT_TARGET} in
-             10.[012])
-               allow_undefined_flag_CXX='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
-               ;;
-             10.*)
-               allow_undefined_flag_CXX='${wl}-undefined ${wl}dynamic_lookup'
-               ;;
-           esac
-         fi
-         ;;
-        esac
-      archive_cmds_need_lc_CXX=no
-      hardcode_direct_CXX=no
-      hardcode_automatic_CXX=yes
-      hardcode_shlibpath_var_CXX=unsupported
-      whole_archive_flag_spec_CXX=''
-      link_all_deplibs_CXX=yes
 
-    if test "$GXX" = yes ; then
-      lt_int_apple_cc_single_mod=no
-      output_verbose_link_cmd='echo'
-      if $CC -dumpspecs 2>&1 | $EGREP 'single_module' >/dev/null ; then
-       lt_int_apple_cc_single_mod=yes
-      fi
-      if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
-       archive_cmds_CXX='$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
-      else
-          archive_cmds_CXX='$CC -r -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
-        fi
-        module_cmds_CXX='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
-        # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
-          if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
-            archive_expsym_cmds_CXX='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-          else
-            archive_expsym_cmds_CXX='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -r -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-          fi
-            module_expsym_cmds_CXX='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+  darwin* | rhapsody*)
+  if test "$GXX" = yes; then
+    archive_cmds_need_lc_CXX=no
+    case "$host_os" in
+    rhapsody* | darwin1.[012])
+      allow_undefined_flag_CXX='-undefined suppress'
+      ;;
+    *) # Darwin 1.3 on
+      if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
+      	allow_undefined_flag_CXX='-flat_namespace -undefined suppress'
       else
-      case "$cc_basename" in
-        xlc*)
-         output_verbose_link_cmd='echo'
-          archive_cmds_CXX='$CC -qmkshrobj ${wl}-single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}`echo $rpath/$soname` $verstring'
-          module_cmds_CXX='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
-          # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
-          archive_expsym_cmds_CXX='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj ${wl}-single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-          module_expsym_cmds_CXX='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-          ;;
-       *)
-         ld_shlibs_CXX=no
-          ;;
-      esac
+        case ${MACOSX_DEPLOYMENT_TARGET} in
+          10.[012])
+            allow_undefined_flag_CXX='-flat_namespace -undefined suppress'
+            ;;
+          10.*)
+            allow_undefined_flag_CXX='-undefined dynamic_lookup'
+            ;;
+        esac
       fi
-        ;;
+      ;;
+    esac
+    lt_int_apple_cc_single_mod=no
+    output_verbose_link_cmd='echo'
+    if $CC -dumpspecs 2>&1 | grep 'single_module' >/dev/null ; then
+      lt_int_apple_cc_single_mod=yes
+    fi
+    if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
+      archive_cmds_CXX='$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
+    else
+      archive_cmds_CXX='$CC -r ${wl}-bind_at_load -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
+    fi
+    module_cmds_CXX='$CC ${wl}-bind_at_load $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
+
+    # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
+    if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
+      archive_expsym_cmds_CXX='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+    else
+      archive_expsym_cmds_CXX='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -r ${wl}-bind_at_load -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+    fi
+    module_expsym_cmds_CXX='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+    hardcode_direct_CXX=no
+    hardcode_automatic_CXX=yes
+    hardcode_shlibpath_var_CXX=unsupported
+    whole_archive_flag_spec_CXX='-all_load $convenience'
+    link_all_deplibs_CXX=yes
+  else
+    ld_shlibs_CXX=no
+  fi
+    ;;
 
   dgux*)
     case $cc_basename in
@@ -14295,7 +13734,7 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       # explicitly linking system object files so we need to strip them
       # from the output so that they don't get included in the library
       # dependencies.
-      output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | grep "-L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
+      output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | egrep "\-L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
       ;;
     *)
       if test "$GXX" = yes; then
@@ -14444,20 +13883,9 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       icpc)
 	# Intel C++
 	with_gnu_ld=yes
-	# version 8.0 and above of icpc choke on multiply defined symbols
-	# if we add $predep_objects and $postdep_objects, however 7.1 and
-	# earlier do not add the objects themselves.
-	case `$CC -V 2>&1` in
-	*"Version 7."*)
-  	  archive_cmds_CXX='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
-  	  archive_expsym_cmds_CXX='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
-	  ;;
-	*)  # Version 8.0 or newer
-  	  archive_cmds_CXX='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-  	archive_expsym_cmds_CXX='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
-	  ;;
-	esac
 	archive_cmds_need_lc_CXX=no
+	archive_cmds_CXX='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
+	archive_expsym_cmds_CXX='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
 	hardcode_libdir_flag_spec_CXX='${wl}-rpath,$libdir'
 	export_dynamic_flag_spec_CXX='${wl}--export-dynamic'
 	whole_archive_flag_spec_CXX='${wl}--whole-archive$convenience ${wl}--no-whole-archive'
@@ -14514,22 +13942,6 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
     # Workaround some broken pre-1.5 toolchains
     output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep conftest.$objext | $SED -e "s:-lgcc -lc -lgcc::"'
     ;;
-  openbsd2*)
-    # C++ shared libraries are fairly broken
-    ld_shlibs_CXX=no
-    ;;
-  openbsd*)
-    hardcode_direct_CXX=yes
-    hardcode_shlibpath_var_CXX=no
-    archive_cmds_CXX='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $lib'
-    hardcode_libdir_flag_spec_CXX='${wl}-rpath,$libdir'
-    if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
-      archive_expsym_cmds_CXX='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-retain-symbols-file,$export_symbols -o $lib'
-      export_dynamic_flag_spec_CXX='${wl}-E'
-      whole_archive_flag_spec_CXX="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
-    fi
-    output_verbose_link_cmd='echo'
-    ;;
   osf3*)
     case $cc_basename in
       KCC)
@@ -14989,16 +14401,6 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6
 	  ;;
 	esac
 	;;
-       darwin*)
-         # PIC is the default on this platform
-         # Common symbols not allowed in MH_DYLIB files
-         case "$cc_basename" in
-           xlc*)
-           lt_prog_compiler_pic_CXX='-qnocommon'
-           lt_prog_compiler_wl_CXX='-Wl,'
-           ;;
-         esac
-       ;;
       dgux*)
 	case $cc_basename in
 	  ec++)
@@ -15199,11 +14601,11 @@ else
    -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:15202: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:14604: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:15206: \$? = $ac_status" >&5
+   echo "$as_me:14608: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings
@@ -15259,11 +14661,11 @@ else
    -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:15262: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:14664: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:15266: \$? = $ac_status" >&5
+   echo "$as_me:14668: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -15410,7 +14812,7 @@ echo $ECHO_N "checking dynamic linker characteristics... $ECHO_C" >&6
 library_names_spec=
 libname_spec='lib$name'
 soname_spec=
-shrext_cmds=".so"
+shrext=".so"
 postinstall_cmds=
 postuninstall_cmds=
 finish_cmds=
@@ -15507,7 +14909,7 @@ beos*)
   shlibpath_var=LIBRARY_PATH
   ;;
 
-bsdi[45]*)
+bsdi4*)
   version_type=linux
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
@@ -15523,7 +14925,7 @@ bsdi[45]*)
 
 cygwin* | mingw* | pw32*)
   version_type=windows
-  shrext_cmds=".dll"
+  shrext=".dll"
   need_version=no
   need_lib_prefix=no
 
@@ -15588,7 +14990,7 @@ darwin* | rhapsody*)
   soname_spec='${libname}${release}${major}$shared_ext'
   shlibpath_overrides_runpath=yes
   shlibpath_var=DYLD_LIBRARY_PATH
-  shrext_cmds='$(test .$module = .yes && echo .so || echo .dylib)'
+  shrext='$(test .$module = .yes && echo .so || echo .dylib)'
   # Apple's gcc prints 'gcc -print-search-dirs' doesn't operate the same.
   if test "$GCC" = yes; then
     sys_lib_search_path_spec=`$CC -print-search-dirs | tr "\n" "$PATH_SEPARATOR" | sed -e 's/libraries:/@libraries:/' | tr "@" "\n" | grep "^libraries:" | sed -e "s/^libraries://" -e "s,=/,/,g" -e "s,$PATH_SEPARATOR, ,g" -e "s,.*,& /lib /usr/lib /usr/local/lib,g"`
@@ -15671,7 +15073,7 @@ hpux9* | hpux10* | hpux11*)
   need_version=no
   case "$host_cpu" in
   ia64*)
-    shrext_cmds='.so'
+    shrext='.so'
     hardcode_into_libs=yes
     dynamic_linker="$host_os dld.so"
     shlibpath_var=LD_LIBRARY_PATH
@@ -15686,7 +15088,7 @@ hpux9* | hpux10* | hpux11*)
     sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
     ;;
    hppa*64*)
-     shrext_cmds='.sl'
+     shrext='.sl'
      hardcode_into_libs=yes
      dynamic_linker="$host_os dld.sl"
      shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
@@ -15697,7 +15099,7 @@ hpux9* | hpux10* | hpux11*)
      sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
      ;;
    *)
-    shrext_cmds='.sl'
+    shrext='.sl'
     dynamic_linker="$host_os dld.sl"
     shlibpath_var=SHLIB_PATH
     shlibpath_overrides_runpath=no # +s is required to enable SHLIB_PATH
@@ -15768,8 +15170,8 @@ linux*)
 
   # Append ld.so.conf contents to the search path
   if test -f /etc/ld.so.conf; then
-    lt_ld_extra=`$SED -e 's/:,\t/ /g;s/=^=*$//;s/=^= * / /g' /etc/ld.so.conf | tr '\n' ' '`
-    sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
+    ld_extra=`$SED -e 's/:,\t/ /g;s/=^=*$//;s/=^= * / /g' /etc/ld.so.conf`
+    sys_lib_dlsearch_path_spec="/lib /usr/lib $ld_extra"
   fi
 
   # We used to test for /lib/ld.so.1 and disable shared libraries on
@@ -15831,7 +15233,7 @@ nto-qnx*)
 openbsd*)
   version_type=sunos
   need_lib_prefix=no
-  need_version=no
+  need_version=yes
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
   finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
   shlibpath_var=LD_LIBRARY_PATH
@@ -15851,7 +15253,7 @@ openbsd*)
 
 os2*)
   libname_spec='$name'
-  shrext_cmds=".dll"
+  shrext=".dll"
   need_lib_prefix=no
   library_names_spec='$libname${shared_ext} $libname.a'
   dynamic_linker='OS/2 ld.exe'
@@ -15953,8 +15355,8 @@ echo "$as_me:$LINENO: checking how to hardcode library paths into programs" >&5
 echo $ECHO_N "checking how to hardcode library paths into programs... $ECHO_C" >&6
 hardcode_action_CXX=
 if test -n "$hardcode_libdir_flag_spec_CXX" || \
-   test -n "$runpath_var_CXX" || \
-   test "X$hardcode_automatic_CXX" = "Xyes" ; then
+   test -n "$runpath_var CXX" || \
+   test "X$hardcode_automatic_CXX"="Xyes" ; then
 
   # We can hardcode non-existant directories.
   if test "$hardcode_direct_CXX" != no &&
@@ -16620,7 +16022,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<EOF
-#line 16623 "configure"
+#line 16025 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -16718,7 +16120,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<EOF
-#line 16721 "configure"
+#line 16123 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -16997,7 +16399,7 @@ objext="$ac_objext"
 libext="$libext"
 
 # Shared library suffix (normally ".so").
-shrext_cmds='$shrext_cmds'
+shrext='$shrext'
 
 # Executable file suffix (normally "").
 exeext="$exeext"
@@ -17319,7 +16721,7 @@ aix3*)
     postinstall_cmds='$RANLIB $lib'
   fi
   ;;
-aix4* | aix5*)
+aix4*)
   test "$enable_shared" = yes && enable_static=no
   ;;
 esac
@@ -17423,16 +16825,6 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6
 	lt_prog_compiler_static_F77='-bnso -bI:/lib/syscalls.exp'
       fi
       ;;
-      darwin*)
-        # PIC is the default on this platform
-        # Common symbols not allowed in MH_DYLIB files
-       case "$cc_basename" in
-         xlc*)
-         lt_prog_compiler_pic_F77='-qnocommon'
-         lt_prog_compiler_wl_F77='-Wl,'
-         ;;
-       esac
-       ;;
 
     mingw* | pw32* | os2*)
       # This hack is so that the source file can tell whether it is being
@@ -17555,11 +16947,11 @@ else
    -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:17558: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:16950: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:17562: \$? = $ac_status" >&5
+   echo "$as_me:16954: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings
@@ -17615,11 +17007,11 @@ else
    -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:17618: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:17010: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:17622: \$? = $ac_status" >&5
+   echo "$as_me:17014: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -17831,7 +17223,7 @@ EOF
       ;;
 
   linux*)
-    if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+    if $LD --help 2>&1 | egrep ': supported targets:.* elf' > /dev/null; then
         tmp_archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
 	archive_cmds_F77="$tmp_archive_cmds"
       supports_anon_versioning=no
@@ -18099,7 +17491,7 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       ld_shlibs_F77=no
       ;;
 
-    bsdi[45]*)
+    bsdi4*)
       export_dynamic_flag_spec_F77=-rdynamic
       ;;
 
@@ -18113,7 +17505,7 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       # Tell ltmain to make .lib files, not .a files.
       libext=lib
       # Tell ltmain to make .dll files, not .so files.
-      shrext_cmds=".dll"
+      shrext=".dll"
       # FIXME: Setting linknames here is a bad hack.
       archive_cmds_F77='$CC -o $lib $libobjs $compiler_flags `echo "$deplibs" | $SED -e '\''s/ -lc$//'\''` -link -dll~linknames='
       # The linker will automatically build a .lib file if we build a DLL.
@@ -18125,52 +17517,52 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       ;;
 
     darwin* | rhapsody*)
+    if test "$GXX" = yes ; then
+      archive_cmds_need_lc_F77=no
       case "$host_os" in
-        rhapsody* | darwin1.[012])
-         allow_undefined_flag_F77='${wl}-undefined ${wl}suppress'
-         ;;
-       *) # Darwin 1.3 on
-         if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
-           allow_undefined_flag_F77='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
-         else
-           case ${MACOSX_DEPLOYMENT_TARGET} in
-             10.[012])
-               allow_undefined_flag_F77='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
-               ;;
-             10.*)
-               allow_undefined_flag_F77='${wl}-undefined ${wl}dynamic_lookup'
-               ;;
-           esac
-         fi
-         ;;
+      rhapsody* | darwin1.[012])
+	allow_undefined_flag_F77='-undefined suppress'
+	;;
+      *) # Darwin 1.3 on
+      if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
+      	allow_undefined_flag_F77='-flat_namespace -undefined suppress'
+      else
+        case ${MACOSX_DEPLOYMENT_TARGET} in
+          10.[012])
+            allow_undefined_flag_F77='-flat_namespace -undefined suppress'
+            ;;
+          10.*)
+            allow_undefined_flag_F77='-undefined dynamic_lookup'
+            ;;
+        esac
+      fi
+	;;
       esac
-      archive_cmds_need_lc_F77=no
+    	lt_int_apple_cc_single_mod=no
+    	output_verbose_link_cmd='echo'
+    	if $CC -dumpspecs 2>&1 | grep 'single_module' >/dev/null ; then
+    	  lt_int_apple_cc_single_mod=yes
+    	fi
+    	if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
+    	  archive_cmds_F77='$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
+    	else
+        archive_cmds_F77='$CC -r ${wl}-bind_at_load -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
+      fi
+      module_cmds_F77='$CC ${wl}-bind_at_load $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
+      # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
+        if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
+          archive_expsym_cmds_F77='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+        else
+          archive_expsym_cmds_F77='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -r ${wl}-bind_at_load -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+        fi
+          module_expsym_cmds_F77='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
       hardcode_direct_F77=no
       hardcode_automatic_F77=yes
       hardcode_shlibpath_var_F77=unsupported
-      whole_archive_flag_spec_F77=''
+      whole_archive_flag_spec_F77='-all_load $convenience'
       link_all_deplibs_F77=yes
-    if test "$GCC" = yes ; then
-    	output_verbose_link_cmd='echo'
-        archive_cmds_F77='$CC -dynamiclib $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
-      module_cmds_F77='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
-      # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
-      archive_expsym_cmds_F77='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-      module_expsym_cmds_F77='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
     else
-      case "$cc_basename" in
-        xlc*)
-         output_verbose_link_cmd='echo'
-         archive_cmds_F77='$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}`echo $rpath/$soname` $verstring'
-         module_cmds_F77='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
-          # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
-         archive_expsym_cmds_F77='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-          module_expsym_cmds_F77='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-          ;;
-       *)
-         ld_shlibs_F77=no
-          ;;
-      esac
+      ld_shlibs_F77=no
     fi
       ;;
 
@@ -18315,7 +17707,6 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       hardcode_shlibpath_var_F77=no
       if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
 	archive_cmds_F77='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
-	archive_expsym_cmds_F77='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-retain-symbols-file,$export_symbols'
 	hardcode_libdir_flag_spec_F77='${wl}-rpath,$libdir'
 	export_dynamic_flag_spec_F77='${wl}-E'
       else
@@ -18570,7 +17961,7 @@ echo $ECHO_N "checking dynamic linker characteristics... $ECHO_C" >&6
 library_names_spec=
 libname_spec='lib$name'
 soname_spec=
-shrext_cmds=".so"
+shrext=".so"
 postinstall_cmds=
 postuninstall_cmds=
 finish_cmds=
@@ -18667,7 +18058,7 @@ beos*)
   shlibpath_var=LIBRARY_PATH
   ;;
 
-bsdi[45]*)
+bsdi4*)
   version_type=linux
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
@@ -18683,7 +18074,7 @@ bsdi[45]*)
 
 cygwin* | mingw* | pw32*)
   version_type=windows
-  shrext_cmds=".dll"
+  shrext=".dll"
   need_version=no
   need_lib_prefix=no
 
@@ -18748,7 +18139,7 @@ darwin* | rhapsody*)
   soname_spec='${libname}${release}${major}$shared_ext'
   shlibpath_overrides_runpath=yes
   shlibpath_var=DYLD_LIBRARY_PATH
-  shrext_cmds='$(test .$module = .yes && echo .so || echo .dylib)'
+  shrext='$(test .$module = .yes && echo .so || echo .dylib)'
   # Apple's gcc prints 'gcc -print-search-dirs' doesn't operate the same.
   if test "$GCC" = yes; then
     sys_lib_search_path_spec=`$CC -print-search-dirs | tr "\n" "$PATH_SEPARATOR" | sed -e 's/libraries:/@libraries:/' | tr "@" "\n" | grep "^libraries:" | sed -e "s/^libraries://" -e "s,=/,/,g" -e "s,$PATH_SEPARATOR, ,g" -e "s,.*,& /lib /usr/lib /usr/local/lib,g"`
@@ -18831,7 +18222,7 @@ hpux9* | hpux10* | hpux11*)
   need_version=no
   case "$host_cpu" in
   ia64*)
-    shrext_cmds='.so'
+    shrext='.so'
     hardcode_into_libs=yes
     dynamic_linker="$host_os dld.so"
     shlibpath_var=LD_LIBRARY_PATH
@@ -18846,7 +18237,7 @@ hpux9* | hpux10* | hpux11*)
     sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
     ;;
    hppa*64*)
-     shrext_cmds='.sl'
+     shrext='.sl'
      hardcode_into_libs=yes
      dynamic_linker="$host_os dld.sl"
      shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
@@ -18857,7 +18248,7 @@ hpux9* | hpux10* | hpux11*)
      sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
      ;;
    *)
-    shrext_cmds='.sl'
+    shrext='.sl'
     dynamic_linker="$host_os dld.sl"
     shlibpath_var=SHLIB_PATH
     shlibpath_overrides_runpath=no # +s is required to enable SHLIB_PATH
@@ -18928,8 +18319,8 @@ linux*)
 
   # Append ld.so.conf contents to the search path
   if test -f /etc/ld.so.conf; then
-    lt_ld_extra=`$SED -e 's/:,\t/ /g;s/=^=*$//;s/=^= * / /g' /etc/ld.so.conf | tr '\n' ' '`
-    sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
+    ld_extra=`$SED -e 's/:,\t/ /g;s/=^=*$//;s/=^= * / /g' /etc/ld.so.conf`
+    sys_lib_dlsearch_path_spec="/lib /usr/lib $ld_extra"
   fi
 
   # We used to test for /lib/ld.so.1 and disable shared libraries on
@@ -18991,7 +18382,7 @@ nto-qnx*)
 openbsd*)
   version_type=sunos
   need_lib_prefix=no
-  need_version=no
+  need_version=yes
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
   finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
   shlibpath_var=LD_LIBRARY_PATH
@@ -19011,7 +18402,7 @@ openbsd*)
 
 os2*)
   libname_spec='$name'
-  shrext_cmds=".dll"
+  shrext=".dll"
   need_lib_prefix=no
   library_names_spec='$libname${shared_ext} $libname.a'
   dynamic_linker='OS/2 ld.exe'
@@ -19113,8 +18504,8 @@ echo "$as_me:$LINENO: checking how to hardcode library paths into programs" >&5
 echo $ECHO_N "checking how to hardcode library paths into programs... $ECHO_C" >&6
 hardcode_action_F77=
 if test -n "$hardcode_libdir_flag_spec_F77" || \
-   test -n "$runpath_var_F77" || \
-   test "X$hardcode_automatic_F77" = "Xyes" ; then
+   test -n "$runpath_var F77" || \
+   test "X$hardcode_automatic_F77"="Xyes" ; then
 
   # We can hardcode non-existant directories.
   if test "$hardcode_direct_F77" != no &&
@@ -19352,7 +18743,7 @@ objext="$ac_objext"
 libext="$libext"
 
 # Shared library suffix (normally ".so").
-shrext_cmds='$shrext_cmds'
+shrext='$shrext'
 
 # Executable file suffix (normally "").
 exeext="$exeext"
@@ -19654,11 +19045,11 @@ else
    -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:19657: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:19048: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:19661: \$? = $ac_status" >&5
+   echo "$as_me:19052: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings
@@ -19765,16 +19156,6 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6
 	lt_prog_compiler_static_GCJ='-bnso -bI:/lib/syscalls.exp'
       fi
       ;;
-      darwin*)
-        # PIC is the default on this platform
-        # Common symbols not allowed in MH_DYLIB files
-       case "$cc_basename" in
-         xlc*)
-         lt_prog_compiler_pic_GCJ='-qnocommon'
-         lt_prog_compiler_wl_GCJ='-Wl,'
-         ;;
-       esac
-       ;;
 
     mingw* | pw32* | os2*)
       # This hack is so that the source file can tell whether it is being
@@ -19897,11 +19278,11 @@ else
    -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:19900: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:19281: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:19904: \$? = $ac_status" >&5
+   echo "$as_me:19285: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings
@@ -19957,11 +19338,11 @@ else
    -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:19960: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:19341: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:19964: \$? = $ac_status" >&5
+   echo "$as_me:19345: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -20173,7 +19554,7 @@ EOF
       ;;
 
   linux*)
-    if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+    if $LD --help 2>&1 | egrep ': supported targets:.* elf' > /dev/null; then
         tmp_archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
 	archive_cmds_GCJ="$tmp_archive_cmds"
       supports_anon_versioning=no
@@ -20461,7 +19842,7 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       ld_shlibs_GCJ=no
       ;;
 
-    bsdi[45]*)
+    bsdi4*)
       export_dynamic_flag_spec_GCJ=-rdynamic
       ;;
 
@@ -20475,7 +19856,7 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       # Tell ltmain to make .lib files, not .a files.
       libext=lib
       # Tell ltmain to make .dll files, not .so files.
-      shrext_cmds=".dll"
+      shrext=".dll"
       # FIXME: Setting linknames here is a bad hack.
       archive_cmds_GCJ='$CC -o $lib $libobjs $compiler_flags `echo "$deplibs" | $SED -e '\''s/ -lc$//'\''` -link -dll~linknames='
       # The linker will automatically build a .lib file if we build a DLL.
@@ -20487,52 +19868,52 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       ;;
 
     darwin* | rhapsody*)
+    if test "$GXX" = yes ; then
+      archive_cmds_need_lc_GCJ=no
       case "$host_os" in
-        rhapsody* | darwin1.[012])
-         allow_undefined_flag_GCJ='${wl}-undefined ${wl}suppress'
-         ;;
-       *) # Darwin 1.3 on
-         if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
-           allow_undefined_flag_GCJ='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
-         else
-           case ${MACOSX_DEPLOYMENT_TARGET} in
-             10.[012])
-               allow_undefined_flag_GCJ='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
-               ;;
-             10.*)
-               allow_undefined_flag_GCJ='${wl}-undefined ${wl}dynamic_lookup'
-               ;;
-           esac
-         fi
-         ;;
+      rhapsody* | darwin1.[012])
+	allow_undefined_flag_GCJ='-undefined suppress'
+	;;
+      *) # Darwin 1.3 on
+      if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
+      	allow_undefined_flag_GCJ='-flat_namespace -undefined suppress'
+      else
+        case ${MACOSX_DEPLOYMENT_TARGET} in
+          10.[012])
+            allow_undefined_flag_GCJ='-flat_namespace -undefined suppress'
+            ;;
+          10.*)
+            allow_undefined_flag_GCJ='-undefined dynamic_lookup'
+            ;;
+        esac
+      fi
+	;;
       esac
-      archive_cmds_need_lc_GCJ=no
+    	lt_int_apple_cc_single_mod=no
+    	output_verbose_link_cmd='echo'
+    	if $CC -dumpspecs 2>&1 | grep 'single_module' >/dev/null ; then
+    	  lt_int_apple_cc_single_mod=yes
+    	fi
+    	if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
+    	  archive_cmds_GCJ='$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
+    	else
+        archive_cmds_GCJ='$CC -r ${wl}-bind_at_load -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
+      fi
+      module_cmds_GCJ='$CC ${wl}-bind_at_load $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
+      # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
+        if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
+          archive_expsym_cmds_GCJ='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+        else
+          archive_expsym_cmds_GCJ='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -r ${wl}-bind_at_load -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+        fi
+          module_expsym_cmds_GCJ='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
       hardcode_direct_GCJ=no
       hardcode_automatic_GCJ=yes
       hardcode_shlibpath_var_GCJ=unsupported
-      whole_archive_flag_spec_GCJ=''
+      whole_archive_flag_spec_GCJ='-all_load $convenience'
       link_all_deplibs_GCJ=yes
-    if test "$GCC" = yes ; then
-    	output_verbose_link_cmd='echo'
-        archive_cmds_GCJ='$CC -dynamiclib $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
-      module_cmds_GCJ='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
-      # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
-      archive_expsym_cmds_GCJ='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-      module_expsym_cmds_GCJ='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
     else
-      case "$cc_basename" in
-        xlc*)
-         output_verbose_link_cmd='echo'
-         archive_cmds_GCJ='$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}`echo $rpath/$soname` $verstring'
-         module_cmds_GCJ='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
-          # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
-         archive_expsym_cmds_GCJ='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-          module_expsym_cmds_GCJ='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-          ;;
-       *)
-         ld_shlibs_GCJ=no
-          ;;
-      esac
+      ld_shlibs_GCJ=no
     fi
       ;;
 
@@ -20677,7 +20058,6 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       hardcode_shlibpath_var_GCJ=no
       if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
 	archive_cmds_GCJ='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
-	archive_expsym_cmds_GCJ='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-retain-symbols-file,$export_symbols'
 	hardcode_libdir_flag_spec_GCJ='${wl}-rpath,$libdir'
 	export_dynamic_flag_spec_GCJ='${wl}-E'
       else
@@ -20932,7 +20312,7 @@ echo $ECHO_N "checking dynamic linker characteristics... $ECHO_C" >&6
 library_names_spec=
 libname_spec='lib$name'
 soname_spec=
-shrext_cmds=".so"
+shrext=".so"
 postinstall_cmds=
 postuninstall_cmds=
 finish_cmds=
@@ -21029,7 +20409,7 @@ beos*)
   shlibpath_var=LIBRARY_PATH
   ;;
 
-bsdi[45]*)
+bsdi4*)
   version_type=linux
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
@@ -21045,7 +20425,7 @@ bsdi[45]*)
 
 cygwin* | mingw* | pw32*)
   version_type=windows
-  shrext_cmds=".dll"
+  shrext=".dll"
   need_version=no
   need_lib_prefix=no
 
@@ -21110,7 +20490,7 @@ darwin* | rhapsody*)
   soname_spec='${libname}${release}${major}$shared_ext'
   shlibpath_overrides_runpath=yes
   shlibpath_var=DYLD_LIBRARY_PATH
-  shrext_cmds='$(test .$module = .yes && echo .so || echo .dylib)'
+  shrext='$(test .$module = .yes && echo .so || echo .dylib)'
   # Apple's gcc prints 'gcc -print-search-dirs' doesn't operate the same.
   if test "$GCC" = yes; then
     sys_lib_search_path_spec=`$CC -print-search-dirs | tr "\n" "$PATH_SEPARATOR" | sed -e 's/libraries:/@libraries:/' | tr "@" "\n" | grep "^libraries:" | sed -e "s/^libraries://" -e "s,=/,/,g" -e "s,$PATH_SEPARATOR, ,g" -e "s,.*,& /lib /usr/lib /usr/local/lib,g"`
@@ -21193,7 +20573,7 @@ hpux9* | hpux10* | hpux11*)
   need_version=no
   case "$host_cpu" in
   ia64*)
-    shrext_cmds='.so'
+    shrext='.so'
     hardcode_into_libs=yes
     dynamic_linker="$host_os dld.so"
     shlibpath_var=LD_LIBRARY_PATH
@@ -21208,7 +20588,7 @@ hpux9* | hpux10* | hpux11*)
     sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
     ;;
    hppa*64*)
-     shrext_cmds='.sl'
+     shrext='.sl'
      hardcode_into_libs=yes
      dynamic_linker="$host_os dld.sl"
      shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
@@ -21219,7 +20599,7 @@ hpux9* | hpux10* | hpux11*)
      sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
      ;;
    *)
-    shrext_cmds='.sl'
+    shrext='.sl'
     dynamic_linker="$host_os dld.sl"
     shlibpath_var=SHLIB_PATH
     shlibpath_overrides_runpath=no # +s is required to enable SHLIB_PATH
@@ -21290,8 +20670,8 @@ linux*)
 
   # Append ld.so.conf contents to the search path
   if test -f /etc/ld.so.conf; then
-    lt_ld_extra=`$SED -e 's/:,\t/ /g;s/=^=*$//;s/=^= * / /g' /etc/ld.so.conf | tr '\n' ' '`
-    sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
+    ld_extra=`$SED -e 's/:,\t/ /g;s/=^=*$//;s/=^= * / /g' /etc/ld.so.conf`
+    sys_lib_dlsearch_path_spec="/lib /usr/lib $ld_extra"
   fi
 
   # We used to test for /lib/ld.so.1 and disable shared libraries on
@@ -21353,7 +20733,7 @@ nto-qnx*)
 openbsd*)
   version_type=sunos
   need_lib_prefix=no
-  need_version=no
+  need_version=yes
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
   finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
   shlibpath_var=LD_LIBRARY_PATH
@@ -21373,7 +20753,7 @@ openbsd*)
 
 os2*)
   libname_spec='$name'
-  shrext_cmds=".dll"
+  shrext=".dll"
   need_lib_prefix=no
   library_names_spec='$libname${shared_ext} $libname.a'
   dynamic_linker='OS/2 ld.exe'
@@ -21475,8 +20855,8 @@ echo "$as_me:$LINENO: checking how to hardcode library paths into programs" >&5
 echo $ECHO_N "checking how to hardcode library paths into programs... $ECHO_C" >&6
 hardcode_action_GCJ=
 if test -n "$hardcode_libdir_flag_spec_GCJ" || \
-   test -n "$runpath_var_GCJ" || \
-   test "X$hardcode_automatic_GCJ" = "Xyes" ; then
+   test -n "$runpath_var GCJ" || \
+   test "X$hardcode_automatic_GCJ"="Xyes" ; then
 
   # We can hardcode non-existant directories.
   if test "$hardcode_direct_GCJ" != no &&
@@ -22142,7 +21522,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<EOF
-#line 22145 "configure"
+#line 21525 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -22240,7 +21620,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<EOF
-#line 22243 "configure"
+#line 21623 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -22519,7 +21899,7 @@ objext="$ac_objext"
 libext="$libext"
 
 # Shared library suffix (normally ".so").
-shrext_cmds='$shrext_cmds'
+shrext='$shrext'
 
 # Executable file suffix (normally "").
 exeext="$exeext"
@@ -22964,7 +22344,7 @@ objext="$ac_objext"
 libext="$libext"
 
 # Shared library suffix (normally ".so").
-shrext_cmds='$shrext_cmds'
+shrext='$shrext'
 
 # Executable file suffix (normally "").
 exeext="$exeext"
@@ -23260,13 +22640,6 @@ LIBTOOL='$(SHELL) $(top_builddir)/libtool'
 		LIBTOOL_MODE_COMPILE='--mode=compile'
 		LIBTOOL_MODE_INSTALL='--mode=install'
 		LIBTOOL_MODE_LINK='--mode=link'
-		case "$host" in
-		*) LIBTOOL_ALLOW_UNDEFINED= ;;
-		esac
-		case "$host" in
-		*-ibm-aix*) LIBTOOL_IN_MAIN="-Wl,-bI:T_testlist.imp" ;;
-		*) LIBTOOL_IN_MAIN= ;;
-		esac;
 		;;
 	*)
 		O=o
@@ -23277,8 +22650,6 @@ LIBTOOL='$(SHELL) $(top_builddir)/libtool'
 		LIBTOOL_MODE_COMPILE=
 		LIBTOOL_MODE_INSTALL=
 		LIBTOOL_MODE_LINK=
-		LIBTOOL_ALLOW_UNDEFINED=
-		LIBTOOL_IN_MAIN=
 		;;
 esac
 
@@ -23296,8 +22667,6 @@ SA=a
 
 
 
-
-
 #
 # build libbind?
 #
@@ -23481,7 +22850,7 @@ esac
 # This is similar to the netinet6/in6.h issue.
 #
 case "$host" in
-*-sco-sysv*uw*)
+*-sco-sysv*uw*|*-*-sysv*UnixWare*|*-*-sysv*OpenUNIX*)
         # UnixWare
 	ISC_PLATFORM_NEEDNETINETIN6H="#define ISC_PLATFORM_NEEDNETINETIN6H 1"
 	LWRES_PLATFORM_NEEDNETINETIN6H="#define LWRES_PLATFORM_NEEDNETINETIN6H 1"
@@ -23737,6 +23106,7 @@ if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
   (exit $ac_status); }; }; then
   echo "$as_me:$LINENO: result: yes" >&5
 echo "${ECHO_T}yes" >&6
+			 ISC_PLATFORM_HAVESCOPEID="#define ISC_PLATFORM_HAVESCOPEID 1"
 			 result="#define LWRES_HAVE_SIN6_SCOPE_ID 1"
 else
   echo "$as_me: failed program was:" >&5
@@ -23744,6 +23114,7 @@ sed 's/^/| /' conftest.$ac_ext >&5
 
 echo "$as_me:$LINENO: result: no" >&5
 echo "${ECHO_T}no" >&6
+			 ISC_PLATFORM_HAVESCOPEID="#undef ISC_PLATFORM_HAVESCOPEID"
 			 result="#undef LWRES_HAVE_SIN6_SCOPE_ID"
 fi
 rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
@@ -23814,6 +23185,7 @@ rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
 		LWRES_PLATFORM_NEEDIN6ADDRANY="#undef LWRES_PLATFORM_NEEDIN6ADDRANY"
 		ISC_PLATFORM_HAVEIN6PKTINFO="#undef ISC_PLATFORM_HAVEIN6PKTINFO"
 		LWRES_HAVE_SIN6_SCOPE_ID="#define LWRES_HAVE_SIN6_SCOPE_ID 1"
+		ISC_PLATFORM_HAVESCOPEID="#define ISC_PLATFORM_HAVESCOPEID 1"
 		ISC_IPV6_H="ipv6.h"
 		ISC_IPV6_O="ipv6.$O"
 		ISC_ISCIPV6_O="unix/ipv6.$O"
@@ -23841,6 +23213,121 @@ esac
 
 
 
+
+echo "$as_me:$LINENO: checking for struct if_laddrreq" >&5
+echo $ECHO_N "checking for struct if_laddrreq... $ECHO_C" >&6
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+#include <sys/types.h>
+#include <net/if6.h>
+
+int
+main ()
+{
+ struct if_laddrreq a;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+  (eval $ac_link) 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+	 { ac_try='test -z "$ac_c_werror_flag"
+			 || test ! -s conftest.err'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; } &&
+	 { ac_try='test -s conftest$ac_exeext'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+	ISC_PLATFORM_HAVEIF_LADDRREQ="#define ISC_PLATFORM_HAVEIF_LADDRREQ 1"
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+	ISC_PLATFORM_HAVEIF_LADDRREQ="#undef ISC_PLATFORM_HAVEIF_LADDRREQ"
+fi
+rm -f conftest.err conftest.$ac_objext \
+      conftest$ac_exeext conftest.$ac_ext
+
+
+echo "$as_me:$LINENO: checking for struct if_laddrconf" >&5
+echo $ECHO_N "checking for struct if_laddrconf... $ECHO_C" >&6
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+#include <sys/types.h>
+#include <net/if6.h>
+
+int
+main ()
+{
+ struct if_laddrconf a;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+  (eval $ac_link) 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+	 { ac_try='test -z "$ac_c_werror_flag"
+			 || test ! -s conftest.err'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; } &&
+	 { ac_try='test -s conftest$ac_exeext'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+	ISC_PLATFORM_HAVEIF_LADDRCONF="#define ISC_PLATFORM_HAVEIF_LADDRCONF 1"
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+	ISC_PLATFORM_HAVEIF_LADDRCONF="#undef ISC_PLATFORM_HAVEIF_LADDRCONF"
+fi
+rm -f conftest.err conftest.$ac_objext \
+      conftest$ac_exeext conftest.$ac_ext
+
+
 #
 # Check for network functions that are often missing.  We do this
 # after the libtool checking, so we can put the right suffix on
@@ -23851,11 +23338,11 @@ esac
 echo "$as_me:$LINENO: checking for inet_ntop with IPv6 support" >&5
 echo $ECHO_N "checking for inet_ntop with IPv6 support... $ECHO_C" >&6
 if test "$cross_compiling" = yes; then
-  echo "$as_me:$LINENO: result: assuming inet_ntop needed" >&5
-echo "${ECHO_T}assuming inet_ntop needed" >&6
-        ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_ntop.$O"
-        ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_ntop.c"
-        ISC_PLATFORM_NEEDNTOP="#define ISC_PLATFORM_NEEDNTOP 1"
+  { { echo "$as_me:$LINENO: error: cannot run test program while cross compiling
+See \`config.log' for more details." >&5
+echo "$as_me: error: cannot run test program while cross compiling
+See \`config.log' for more details." >&2;}
+   { (exit 1); exit 1; }; }
 else
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
@@ -23900,29 +23387,6 @@ fi
 rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
 fi
 
-if test "$cross_compiling" = "yes"; then
-	if test -z "$BUILD_CC"; then
-		{ { echo "$as_me:$LINENO: error: BUILD_CC not set" >&5
-echo "$as_me: error: BUILD_CC not set" >&2;}
-   { (exit 1); exit 1; }; }
-	fi
-	BUILD_CFLAGS="$BUILD_CFLAGS"
-	BUILD_CPPFLAGS="$BUILD_CPPFLAGS"
-	BUILD_LDFLAGS="$BUILD_LDFLAGS"
-	BUILD_LIBS="$BUILD_LIBS"
-else
-	BUILD_CC="$CC"
-	BUILD_CFLAGS="$CFLAGS"
-	BUILD_CPPFLAGS="$CPPFLAGS $GEN_NEED_OPTARG"
-	BUILD_LDFLAGS="$LDFLAGS"
-	BUILD_LIBS="$LIBS"
-fi
-
-
-
-
-
-
 
 # On NetBSD 1.4.2 and maybe others, inet_pton() incorrectly accepts
 # addresses with less than four octets, like "1.2.3".  Also leading
@@ -25119,6 +24583,309 @@ fi
 
 
 
+# Check whether --enable-getifaddrs or --disable-getifaddrs was given.
+if test "${enable_getifaddrs+set}" = set; then
+  enableval="$enable_getifaddrs"
+  want_getifaddrs="$enableval"
+else
+  want_getifaddrs="yes"
+fi;
+
+case $want_getifaddrs in
+yes|glibc)
+#
+# Do we have getifaddrs() ?
+#
+case $host in
+*-linux*)
+	# Some recent versions of glibc support getifaddrs() which does not
+	# provide AF_INET6 addresses while the function provided by the USAGI
+	# project handles the AF_INET6 case correctly.  We need to avoid
+	# using the former but prefer the latter unless overridden by
+	# --enable-getifaddrs=glibc.
+	if $use_getifaddrs = glibc
+	then
+		echo "$as_me:$LINENO: checking for getifaddrs" >&5
+echo $ECHO_N "checking for getifaddrs... $ECHO_C" >&6
+if test "${ac_cv_func_getifaddrs+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+/* Define getifaddrs to an innocuous variant, in case <limits.h> declares getifaddrs.
+   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
+#define getifaddrs innocuous_getifaddrs
+
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char getifaddrs (); below.
+    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+    <limits.h> exists even on freestanding compilers.  */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef getifaddrs
+
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char getifaddrs ();
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_getifaddrs) || defined (__stub___getifaddrs)
+choke me
+#else
+char (*f) () = getifaddrs;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != getifaddrs;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+  (eval $ac_link) 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+	 { ac_try='test -z "$ac_c_werror_flag"
+			 || test ! -s conftest.err'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; } &&
+	 { ac_try='test -s conftest$ac_exeext'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  ac_cv_func_getifaddrs=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_getifaddrs=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+      conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_getifaddrs" >&5
+echo "${ECHO_T}$ac_cv_func_getifaddrs" >&6
+if test $ac_cv_func_getifaddrs = yes; then
+  cat >>confdefs.h <<\_ACEOF
+#define HAVE_GETIFADDRS 1
+_ACEOF
+
+fi
+
+	else
+		save_LIBS="$LIBS"
+		LIBS="-L/usr/local/v6/lib $LIBS"
+		echo "$as_me:$LINENO: checking for getifaddrs in -linet6" >&5
+echo $ECHO_N "checking for getifaddrs in -linet6... $ECHO_C" >&6
+if test "${ac_cv_lib_inet6_getifaddrs+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-linet6  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char getifaddrs ();
+int
+main ()
+{
+getifaddrs ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+  (eval $ac_link) 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+	 { ac_try='test -z "$ac_c_werror_flag"
+			 || test ! -s conftest.err'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; } &&
+	 { ac_try='test -s conftest$ac_exeext'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  ac_cv_lib_inet6_getifaddrs=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_lib_inet6_getifaddrs=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+      conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:$LINENO: result: $ac_cv_lib_inet6_getifaddrs" >&5
+echo "${ECHO_T}$ac_cv_lib_inet6_getifaddrs" >&6
+if test $ac_cv_lib_inet6_getifaddrs = yes; then
+  LIBS="$LIBS -linet6"
+			cat >>confdefs.h <<\_ACEOF
+#define HAVE_GETIFADDRS 1
+_ACEOF
+
+else
+  LIBS=${save_LIBS}
+fi
+
+	fi
+	;;
+*)
+	echo "$as_me:$LINENO: checking for getifaddrs" >&5
+echo $ECHO_N "checking for getifaddrs... $ECHO_C" >&6
+if test "${ac_cv_func_getifaddrs+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+/* Define getifaddrs to an innocuous variant, in case <limits.h> declares getifaddrs.
+   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
+#define getifaddrs innocuous_getifaddrs
+
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char getifaddrs (); below.
+    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+    <limits.h> exists even on freestanding compilers.  */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef getifaddrs
+
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char getifaddrs ();
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_getifaddrs) || defined (__stub___getifaddrs)
+choke me
+#else
+char (*f) () = getifaddrs;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != getifaddrs;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+  (eval $ac_link) 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+	 { ac_try='test -z "$ac_c_werror_flag"
+			 || test ! -s conftest.err'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; } &&
+	 { ac_try='test -s conftest$ac_exeext'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  ac_cv_func_getifaddrs=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_getifaddrs=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+      conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_getifaddrs" >&5
+echo "${ECHO_T}$ac_cv_func_getifaddrs" >&6
+if test $ac_cv_func_getifaddrs = yes; then
+  cat >>confdefs.h <<\_ACEOF
+#define HAVE_GETIFADDRS 1
+_ACEOF
+
+fi
+
+	;;
+esac
+;;
+no)
+;;
+esac
+
 #
 # Look for a sysctl call to get the list of network interfaces.
 #
@@ -25219,6 +24986,457 @@ fi
 rm -f conftest.err conftest.$ac_objext \
       conftest$ac_exeext conftest.$ac_ext
 
+
+echo "$as_me:$LINENO: checking for memmove" >&5
+echo $ECHO_N "checking for memmove... $ECHO_C" >&6
+if test "${ac_cv_func_memmove+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+/* Define memmove to an innocuous variant, in case <limits.h> declares memmove.
+   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
+#define memmove innocuous_memmove
+
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char memmove (); below.
+    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+    <limits.h> exists even on freestanding compilers.  */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef memmove
+
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char memmove ();
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_memmove) || defined (__stub___memmove)
+choke me
+#else
+char (*f) () = memmove;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != memmove;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+  (eval $ac_link) 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+	 { ac_try='test -z "$ac_c_werror_flag"
+			 || test ! -s conftest.err'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; } &&
+	 { ac_try='test -s conftest$ac_exeext'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  ac_cv_func_memmove=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_memmove=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+      conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_memmove" >&5
+echo "${ECHO_T}$ac_cv_func_memmove" >&6
+if test $ac_cv_func_memmove = yes; then
+  ISC_PLATFORM_NEEDMEMMOVE="#undef ISC_PLATFORM_NEEDMEMMOVE"
+else
+  ISC_PLATFORM_NEEDMEMMOVE="#define ISC_PLATFORM_NEEDMEMMOVE 1"
+fi
+
+
+
+echo "$as_me:$LINENO: checking for strtoul" >&5
+echo $ECHO_N "checking for strtoul... $ECHO_C" >&6
+if test "${ac_cv_func_strtoul+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+/* Define strtoul to an innocuous variant, in case <limits.h> declares strtoul.
+   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
+#define strtoul innocuous_strtoul
+
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char strtoul (); below.
+    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+    <limits.h> exists even on freestanding compilers.  */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef strtoul
+
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char strtoul ();
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_strtoul) || defined (__stub___strtoul)
+choke me
+#else
+char (*f) () = strtoul;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != strtoul;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+  (eval $ac_link) 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+	 { ac_try='test -z "$ac_c_werror_flag"
+			 || test ! -s conftest.err'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; } &&
+	 { ac_try='test -s conftest$ac_exeext'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  ac_cv_func_strtoul=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_strtoul=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+      conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_strtoul" >&5
+echo "${ECHO_T}$ac_cv_func_strtoul" >&6
+if test $ac_cv_func_strtoul = yes; then
+  ISC_PLATFORM_NEEDSTRTOUL="#undef ISC_PLATFORM_NEEDSTRTOUL"
+else
+  ISC_PLATFORM_NEEDSTRTOUL="#define ISC_PLATFORM_NEEDSTRTOUL 1"
+fi
+
+
+
+echo "$as_me:$LINENO: checking for strlcpy" >&5
+echo $ECHO_N "checking for strlcpy... $ECHO_C" >&6
+if test "${ac_cv_func_strlcpy+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+/* Define strlcpy to an innocuous variant, in case <limits.h> declares strlcpy.
+   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
+#define strlcpy innocuous_strlcpy
+
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char strlcpy (); below.
+    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+    <limits.h> exists even on freestanding compilers.  */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef strlcpy
+
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char strlcpy ();
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_strlcpy) || defined (__stub___strlcpy)
+choke me
+#else
+char (*f) () = strlcpy;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != strlcpy;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+  (eval $ac_link) 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+	 { ac_try='test -z "$ac_c_werror_flag"
+			 || test ! -s conftest.err'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; } &&
+	 { ac_try='test -s conftest$ac_exeext'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  ac_cv_func_strlcpy=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_strlcpy=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+      conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_strlcpy" >&5
+echo "${ECHO_T}$ac_cv_func_strlcpy" >&6
+if test $ac_cv_func_strlcpy = yes; then
+  ISC_PLATFORM_NEEDSTRLCPY="#undef ISC_PLATFORM_NEEDSTRLCPY"
+else
+  ISC_PLATFORM_NEEDSTRLCPY="#define ISC_PLATFORM_NEEDSTRLCPY 1"
+fi
+
+
+
+echo "$as_me:$LINENO: checking for strlcat" >&5
+echo $ECHO_N "checking for strlcat... $ECHO_C" >&6
+if test "${ac_cv_func_strlcat+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+/* Define strlcat to an innocuous variant, in case <limits.h> declares strlcat.
+   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
+#define strlcat innocuous_strlcat
+
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char strlcat (); below.
+    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+    <limits.h> exists even on freestanding compilers.  */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef strlcat
+
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char strlcat ();
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_strlcat) || defined (__stub___strlcat)
+choke me
+#else
+char (*f) () = strlcat;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != strlcat;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+  (eval $ac_link) 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+	 { ac_try='test -z "$ac_c_werror_flag"
+			 || test ! -s conftest.err'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; } &&
+	 { ac_try='test -s conftest$ac_exeext'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  ac_cv_func_strlcat=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_strlcat=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+      conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_strlcat" >&5
+echo "${ECHO_T}$ac_cv_func_strlcat" >&6
+if test $ac_cv_func_strlcat = yes; then
+  ISC_PLATFORM_NEEDSTRLCAT="#undef ISC_PLATFORM_NEEDSTRLCAT"
+else
+  ISC_PLATFORM_NEEDSTRLCAT="#define ISC_PLATFORM_NEEDSTRLCAT 1"
+fi
+
+
+
+ISC_PRINT_OBJS=
+ISC_PRINT_SRCS=
+echo "$as_me:$LINENO: checking sprintf" >&5
+echo $ECHO_N "checking sprintf... $ECHO_C" >&6
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+#include <stdio.h>
+
+int
+main ()
+{
+ char buf[2]; return(*sprintf(buf,"x"));
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+	 { ac_try='test -z "$ac_c_werror_flag"
+			 || test ! -s conftest.err'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; } &&
+	 { ac_try='test -s conftest.$ac_objext'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+
+ISC_PRINT_OBJS="print.$O"
+ISC_PRINT_SRCS="print.c"
+ISC_PLATFORM_NEEDSPRINTF="#define ISC_PLATFORM_NEEDSPRINTF"
+
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ISC_PLATFORM_NEEDSPRINTF="#undef ISC_PLATFORM_NEEDSPRINTF"
+
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+
 echo "$as_me:$LINENO: checking for vsnprintf" >&5
 echo $ECHO_N "checking for vsnprintf... $ECHO_C" >&6
 if test "${ac_cv_func_vsnprintf+set}" = set; then
@@ -25311,16 +25529,15 @@ echo "$as_me:$LINENO: result: $ac_cv_func_vsnprintf" >&5
 echo "${ECHO_T}$ac_cv_func_vsnprintf" >&6
 if test $ac_cv_func_vsnprintf = yes; then
   ISC_PLATFORM_NEEDVSNPRINTF="#undef ISC_PLATFORM_NEEDVSNPRINTF"
-	  LWRES_PLATFORM_NEEDVSNPRINTF="#undef LWRES_PLATFORM_NEEDVSNPRINTF"
 else
-  ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS print.$O"
-	 ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS print.c"
+  ISC_PRINT_OBJS="print.$O"
+	 ISC_PRINT_SRCS="print.c"
 	 ISC_PLATFORM_NEEDVSNPRINTF="#define ISC_PLATFORM_NEEDVSNPRINTF 1"
-	 LWRES_PLATFORM_NEEDVSNPRINTF="#define LWRES_PLATFORM_NEEDVSNPRINTF 1"
 fi
 
 
-
+ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS $ISC_PRINT_OBJS"
+ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS $ISC_PRINT_SRCS"
 
 echo "$as_me:$LINENO: checking for strerror" >&5
 echo $ECHO_N "checking for strerror... $ECHO_C" >&6
@@ -25423,18 +25640,12 @@ fi
 
 
 
-# Determine the printf format characters to use when printing
-# values of type isc_int64_t. This will normally be "ll", but where
-# the compiler treats "long long" as a alias for "long" and printf
-# doesn't know about "long long" use "l".  Hopefully the sprintf
-# will produce a inconsistant result in the later case.  If the compiler
-# fails due to seeing "%lld" we fall back to "l".
-#
-# Digital Unix 4.0 (gcc?) (long long) is 64 bits as is its long. It uses
-# %ld even for (long long)/
 #
-# Win32 uses "%I64d", but that's defined elsewhere since we don't use
-# configure on Win32.
+# Determine the printf format characters to use when printing
+# values of type isc_int64_t.  We make the assumption that platforms
+# where a "long long" is the same size as a "long" (e.g., Alpha/OSF1)
+# want "%ld" and everyone else can use "%lld".  Win32 uses "%I64d",
+# but that's defined elsewhere since we don't use configure on Win32.
 #
 echo "$as_me:$LINENO: checking printf format modifier for 64-bit integers" >&5
 echo $ECHO_N "checking printf format modifier for 64-bit integers... $ECHO_C" >&6
@@ -25442,7 +25653,6 @@ if test "$cross_compiling" = yes; then
   echo "$as_me:$LINENO: result: assuming target platform uses ll" >&5
 echo "${ECHO_T}assuming target platform uses ll" >&6
 	ISC_PLATFORM_QUADFORMAT='#define ISC_PLATFORM_QUADFORMAT "ll"'
-	LWRES_PLATFORM_QUADFORMAT='#define LWRES_PLATFORM_QUADFORMAT "ll"'
 else
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
@@ -25450,17 +25660,7 @@ _ACEOF
 cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
-
-#include <stdio.h>
-main() {
-	long long int j = 0;
-	char buf[100];
-	buf[0] = 0;
-	sprintf(buf, "%lld", j);
-	exit((sizeof(long long int) != sizeof(long int))? 0 :
-	     (strcmp(buf, "0") != 0));
-}
-
+main() { exit(!(sizeof(long long int) == sizeof(long int))); }
 _ACEOF
 rm -f conftest$ac_exeext
 if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
@@ -25473,26 +25673,23 @@ if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; }; then
-  echo "$as_me:$LINENO: result: ll" >&5
-echo "${ECHO_T}ll" >&6
-	ISC_PLATFORM_QUADFORMAT='#define ISC_PLATFORM_QUADFORMAT "ll"'
-	LWRES_PLATFORM_QUADFORMAT='#define LWRES_PLATFORM_QUADFORMAT "ll"'
+  echo "$as_me:$LINENO: result: l" >&5
+echo "${ECHO_T}l" >&6
+	ISC_PLATFORM_QUADFORMAT='#define ISC_PLATFORM_QUADFORMAT "l"'
 else
   echo "$as_me: program exited with status $ac_status" >&5
 echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 ( exit $ac_status )
-echo "$as_me:$LINENO: result: l" >&5
-echo "${ECHO_T}l" >&6
-	ISC_PLATFORM_QUADFORMAT='#define ISC_PLATFORM_QUADFORMAT "l"'
-	LWRES_PLATFORM_QUADFORMAT='#define LWRES_PLATFORM_QUADFORMAT "l"'
+echo "$as_me:$LINENO: result: ll" >&5
+echo "${ECHO_T}ll" >&6
+	ISC_PLATFORM_QUADFORMAT='#define ISC_PLATFORM_QUADFORMAT "ll"'
 fi
 rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
 fi
 
 
-
 #
 # Security Stuff
 #
@@ -26064,10 +26261,9 @@ echo "${ECHO_T}no" >&6
 echo "$as_me:$LINENO: checking type of rlim_cur" >&5
 echo $ECHO_N "checking type of rlim_cur... $ECHO_C" >&6
 if test "$cross_compiling" = yes; then
-
-ISC_PLATFORM_RLIMITTYPE="#define ISC_PLATFORM_RLIMITTYPE long long int"
-echo "$as_me:$LINENO: result: cannot determine type of rlim_cur when cross compiling - assuming long long int" >&5
-echo "${ECHO_T}cannot determine type of rlim_cur when cross compiling - assuming long long int" >&6
+  { { echo "$as_me:$LINENO: error: cannot determine type of rlim_cur when cross compiling - define rlim_t" >&5
+echo "$as_me: error: cannot determine type of rlim_cur when cross compiling - define rlim_t" >&2;}
+   { (exit 1); exit 1; }; }
 else
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
@@ -26198,17 +26394,179 @@ rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
 
 
 #
-# Some hosts need msg_namelen to match the size of the socket structure.
-# Some hosts don't set msg_namelen appropriately on return from recvmsg().
+# Compaq TruCluster requires more code for handling cluster IP aliases
 #
-case $host in
-*os2*|*hp-mpeix*)
+case "$host" in
+	*-dec-osf*)
+		echo "$as_me:$LINENO: checking for clua_getaliasaddress in -lclua" >&5
+echo $ECHO_N "checking for clua_getaliasaddress in -lclua... $ECHO_C" >&6
+if test "${ac_cv_lib_clua_clua_getaliasaddress+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lclua  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char clua_getaliasaddress ();
+int
+main ()
+{
+clua_getaliasaddress ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+  (eval $ac_link) 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+	 { ac_try='test -z "$ac_c_werror_flag"
+			 || test ! -s conftest.err'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; } &&
+	 { ac_try='test -s conftest$ac_exeext'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  ac_cv_lib_clua_clua_getaliasaddress=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_lib_clua_clua_getaliasaddress=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+      conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:$LINENO: result: $ac_cv_lib_clua_clua_getaliasaddress" >&5
+echo "${ECHO_T}$ac_cv_lib_clua_clua_getaliasaddress" >&6
+if test $ac_cv_lib_clua_clua_getaliasaddress = yes; then
+  LIBS="-lclua $LIBS"
+fi
+
+		echo "$as_me:$LINENO: checking for clua_getaliasaddress" >&5
+echo $ECHO_N "checking for clua_getaliasaddress... $ECHO_C" >&6
+if test "${ac_cv_func_clua_getaliasaddress+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+/* Define clua_getaliasaddress to an innocuous variant, in case <limits.h> declares clua_getaliasaddress.
+   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
+#define clua_getaliasaddress innocuous_clua_getaliasaddress
+
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char clua_getaliasaddress (); below.
+    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+    <limits.h> exists even on freestanding compilers.  */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef clua_getaliasaddress
+
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char clua_getaliasaddress ();
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_clua_getaliasaddress) || defined (__stub___clua_getaliasaddress)
+choke me
+#else
+char (*f) () = clua_getaliasaddress;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != clua_getaliasaddress;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+  (eval $ac_link) 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+	 { ac_try='test -z "$ac_c_werror_flag"
+			 || test ! -s conftest.err'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; } &&
+	 { ac_try='test -s conftest$ac_exeext'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  ac_cv_func_clua_getaliasaddress=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_clua_getaliasaddress=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+      conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_clua_getaliasaddress" >&5
+echo "${ECHO_T}$ac_cv_func_clua_getaliasaddress" >&6
+if test $ac_cv_func_clua_getaliasaddress = yes; then
 
 cat >>confdefs.h <<\_ACEOF
-#define BROKEN_RECVMSG 1
+#define HAVE_TRUCLUSTER 1
 _ACEOF
 
-	;;
+fi
+
+		;;
+	*)
+		;;
 esac
 
 #
@@ -26228,9 +26586,6 @@ LWRES_PLATFORM_USEDECLSPEC="#undef LWRES_PLATFORM_USEDECLSPEC"
 ISC_PLATFORM_BRACEPTHREADONCEINIT="#undef ISC_PLATFORM_BRACEPTHREADONCEINIT"
 
 case "$host" in
-	*-aix5.[123].*)
-		hack_shutup_pthreadonceinit=yes
-		;;
 	*-bsdi3.1*)
 		hack_shutup_sputaux=yes
 		;;
@@ -26238,15 +26593,12 @@ case "$host" in
 		hack_shutup_sigwait=yes
 		hack_shutup_sputaux=yes
 		;;
-	*-bsdi4[12]*)
+	*-bsdi4.[12]*)
 		hack_shutup_stdargcast=yes
 		;;
 	*-solaris2.[89])
 		hack_shutup_pthreadonceinit=yes
 		;;
-	*-solaris2.10)
-		hack_shutup_pthreadonceinit=yes
-		;;
 esac
 
 case "$hack_shutup_pthreadonceinit" in
@@ -26295,71 +26647,215 @@ _ACEOF
 esac
 
 #
-#  The following sets up how non-blocking i/o is established.
-#  Sunos, cygwin and solaris 2.x (x<5) require special handling.
+# Check for if_nametoindex() for IPv6 scoped addresses support
 #
-case "$host" in
-*-sunos*) cat >>confdefs.h <<\_ACEOF
-#define PORT_NONBLOCK O_NDELAY
-_ACEOF
-;;
-*-cygwin*) cat >>confdefs.h <<\_ACEOF
-#define PORT_NONBLOCK O_NDELAY
+echo "$as_me:$LINENO: checking for if_nametoindex" >&5
+echo $ECHO_N "checking for if_nametoindex... $ECHO_C" >&6
+if test "${ac_cv_func_if_nametoindex+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
 _ACEOF
-;;
-*-solaris2.[01234])
-	cat >>confdefs.h <<\_ACEOF
-#define PORT_NONBLOCK O_NONBLOCK
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+/* Define if_nametoindex to an innocuous variant, in case <limits.h> declares if_nametoindex.
+   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
+#define if_nametoindex innocuous_if_nametoindex
+
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char if_nametoindex (); below.
+    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+    <limits.h> exists even on freestanding compilers.  */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef if_nametoindex
+
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char if_nametoindex ();
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_if_nametoindex) || defined (__stub___if_nametoindex)
+choke me
+#else
+char (*f) () = if_nametoindex;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != if_nametoindex;
+  ;
+  return 0;
+}
 _ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+  (eval $ac_link) 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+	 { ac_try='test -z "$ac_c_werror_flag"
+			 || test ! -s conftest.err'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; } &&
+	 { ac_try='test -s conftest$ac_exeext'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  ac_cv_func_if_nametoindex=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
 
+ac_cv_func_if_nametoindex=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+      conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_if_nametoindex" >&5
+echo "${ECHO_T}$ac_cv_func_if_nametoindex" >&6
+if test $ac_cv_func_if_nametoindex = yes; then
+  ac_cv_have_if_nametoindex=yes
+else
+  ac_cv_have_if_nametoindex=no
+fi
 
-cat >>confdefs.h <<\_ACEOF
-#define USE_FIONBIO_IOCTL 1
+case $ac_cv_have_if_nametoindex in
+no)
+	case "$host" in
+  	*-hp-hpux*)
+  		echo "$as_me:$LINENO: checking for if_nametoindex in -lipv6" >&5
+echo $ECHO_N "checking for if_nametoindex in -lipv6... $ECHO_C" >&6
+if test "${ac_cv_lib_ipv6_if_nametoindex+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lipv6  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
 _ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
 
-	;;
-*)
-cat >>confdefs.h <<\_ACEOF
-#define PORT_NONBLOCK O_NONBLOCK
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char if_nametoindex ();
+int
+main ()
+{
+if_nametoindex ();
+  ;
+  return 0;
+}
 _ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+  (eval $ac_link) 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+	 { ac_try='test -z "$ac_c_werror_flag"
+			 || test ! -s conftest.err'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; } &&
+	 { ac_try='test -s conftest$ac_exeext'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  ac_cv_lib_ipv6_if_nametoindex=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_lib_ipv6_if_nametoindex=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+      conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:$LINENO: result: $ac_cv_lib_ipv6_if_nametoindex" >&5
+echo "${ECHO_T}$ac_cv_lib_ipv6_if_nametoindex" >&6
+if test $ac_cv_lib_ipv6_if_nametoindex = yes; then
+  ac_cv_have_if_nametoindex=yes
+				LIBS="-lipv6 $LIBS"
+fi
 
+  	;;
+	esac
+esac
+case $ac_cv_have_if_nametoindex in
+yes)
+	ISC_PLATFORM_HAVEIFNAMETOINDEX="#define ISC_PLATFORM_HAVEIFNAMETOINDEX 1"
+	;;
+*)
+	ISC_PLATFORM_HAVEIFNAMETOINDEX="#undef ISC_PLATFORM_HAVEIFNAMETOINDEX"
 	;;
 esac
-#
-# Solaris 2.5.1 and earlier cannot bind() then connect() a TCP socket.
-# This prevents the source address being set.
-#
-case "$host" in
-*-solaris2.[012345]|*-solaris2.5.1)
 
-cat >>confdefs.h <<\_ACEOF
-#define BROKEN_TCP_BIND_BEFORE_CONNECT 1
-_ACEOF
 
-	;;
-esac
 #
 # The following sections deal with tools used for formatting
 # the documentation.  They are all optional, unless you are
 # a developer editing the documentation source.
 #
 
+# Directory trees where SGML files are commonly found.
+sgmltrees="/usr/pkg/share/sgml /usr/local/share/sgml /usr/share/sgml"
+
 #
-# Look for TeX.
+# Look for openjade.  Plain jade is no longer supported.
 #
 
-for ac_prog in latex
+for ac_prog in openjade
 do
   # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
 echo "$as_me:$LINENO: checking for $ac_word" >&5
 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
-if test "${ac_cv_path_LATEX+set}" = set; then
+if test "${ac_cv_path_OPENJADE+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  case $LATEX in
+  case $OPENJADE in
   [\\/]* | ?:[\\/]*)
-  ac_cv_path_LATEX="$LATEX" # Let the user override the test with a path.
+  ac_cv_path_OPENJADE="$OPENJADE" # Let the user override the test with a path.
   ;;
   *)
   as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
@@ -26369,7 +26865,7 @@ do
   test -z "$as_dir" && as_dir=.
   for ac_exec_ext in '' $ac_executable_extensions; do
   if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
-    ac_cv_path_LATEX="$as_dir/$ac_word$ac_exec_ext"
+    ac_cv_path_OPENJADE="$as_dir/$ac_word$ac_exec_ext"
     echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
@@ -26379,34 +26875,38 @@ done
   ;;
 esac
 fi
-LATEX=$ac_cv_path_LATEX
+OPENJADE=$ac_cv_path_OPENJADE
 
-if test -n "$LATEX"; then
-  echo "$as_me:$LINENO: result: $LATEX" >&5
-echo "${ECHO_T}$LATEX" >&6
+if test -n "$OPENJADE"; then
+  echo "$as_me:$LINENO: result: $OPENJADE" >&5
+echo "${ECHO_T}$OPENJADE" >&6
 else
   echo "$as_me:$LINENO: result: no" >&5
 echo "${ECHO_T}no" >&6
 fi
 
-  test -n "$LATEX" && break
+  test -n "$OPENJADE" && break
 done
-test -n "$LATEX" || LATEX="latex"
+test -n "$OPENJADE" || OPENJADE="openjade"
 
 
 
-for ac_prog in pdflatex
+#
+# Look for TeX.
+#
+
+for ac_prog in jadetex
 do
   # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
 echo "$as_me:$LINENO: checking for $ac_word" >&5
 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
-if test "${ac_cv_path_PDFLATEX+set}" = set; then
+if test "${ac_cv_path_JADETEX+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  case $PDFLATEX in
+  case $JADETEX in
   [\\/]* | ?:[\\/]*)
-  ac_cv_path_PDFLATEX="$PDFLATEX" # Let the user override the test with a path.
+  ac_cv_path_JADETEX="$JADETEX" # Let the user override the test with a path.
   ;;
   *)
   as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
@@ -26416,7 +26916,7 @@ do
   test -z "$as_dir" && as_dir=.
   for ac_exec_ext in '' $ac_executable_extensions; do
   if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
-    ac_cv_path_PDFLATEX="$as_dir/$ac_word$ac_exec_ext"
+    ac_cv_path_JADETEX="$as_dir/$ac_word$ac_exec_ext"
     echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
@@ -26426,36 +26926,34 @@ done
   ;;
 esac
 fi
-PDFLATEX=$ac_cv_path_PDFLATEX
+JADETEX=$ac_cv_path_JADETEX
 
-if test -n "$PDFLATEX"; then
-  echo "$as_me:$LINENO: result: $PDFLATEX" >&5
-echo "${ECHO_T}$PDFLATEX" >&6
+if test -n "$JADETEX"; then
+  echo "$as_me:$LINENO: result: $JADETEX" >&5
+echo "${ECHO_T}$JADETEX" >&6
 else
   echo "$as_me:$LINENO: result: no" >&5
 echo "${ECHO_T}no" >&6
 fi
 
-  test -n "$PDFLATEX" && break
+  test -n "$JADETEX" && break
 done
-test -n "$PDFLATEX" || PDFLATEX="pdflatex"
+test -n "$JADETEX" || JADETEX="jadetex"
 
 
 
-#
-# Look for xsltproc (libxslt)
-#
-
-# Extract the first word of "xsltproc", so it can be a program name with args.
-set dummy xsltproc; ac_word=$2
+for ac_prog in pdfjadetex
+do
+  # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
 echo "$as_me:$LINENO: checking for $ac_word" >&5
 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
-if test "${ac_cv_path_XSLTPROC+set}" = set; then
+if test "${ac_cv_path_PDFJADETEX+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  case $XSLTPROC in
+  case $PDFJADETEX in
   [\\/]* | ?:[\\/]*)
-  ac_cv_path_XSLTPROC="$XSLTPROC" # Let the user override the test with a path.
+  ac_cv_path_PDFJADETEX="$PDFJADETEX" # Let the user override the test with a path.
   ;;
   *)
   as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
@@ -26465,72 +26963,29 @@ do
   test -z "$as_dir" && as_dir=.
   for ac_exec_ext in '' $ac_executable_extensions; do
   if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
-    ac_cv_path_XSLTPROC="$as_dir/$ac_word$ac_exec_ext"
+    ac_cv_path_PDFJADETEX="$as_dir/$ac_word$ac_exec_ext"
     echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
 done
 
-  test -z "$ac_cv_path_XSLTPROC" && ac_cv_path_XSLTPROC="xsltproc"
   ;;
 esac
 fi
-XSLTPROC=$ac_cv_path_XSLTPROC
+PDFJADETEX=$ac_cv_path_PDFJADETEX
 
-if test -n "$XSLTPROC"; then
-  echo "$as_me:$LINENO: result: $XSLTPROC" >&5
-echo "${ECHO_T}$XSLTPROC" >&6
+if test -n "$PDFJADETEX"; then
+  echo "$as_me:$LINENO: result: $PDFJADETEX" >&5
+echo "${ECHO_T}$PDFJADETEX" >&6
 else
   echo "$as_me:$LINENO: result: no" >&5
 echo "${ECHO_T}no" >&6
 fi
 
-
-
-#
-# Look for xmllint (libxml2)
-#
-
-# Extract the first word of "xmllint", so it can be a program name with args.
-set dummy xmllint; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
-if test "${ac_cv_path_XMLLINT+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  case $XMLLINT in
-  [\\/]* | ?:[\\/]*)
-  ac_cv_path_XMLLINT="$XMLLINT" # Let the user override the test with a path.
-  ;;
-  *)
-  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
-    ac_cv_path_XMLLINT="$as_dir/$ac_word$ac_exec_ext"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
+  test -n "$PDFJADETEX" && break
 done
-
-  test -z "$ac_cv_path_XMLLINT" && ac_cv_path_XMLLINT="xmllint"
-  ;;
-esac
-fi
-XMLLINT=$ac_cv_path_XMLLINT
-
-if test -n "$XMLLINT"; then
-  echo "$as_me:$LINENO: result: $XMLLINT" >&5
-echo "${ECHO_T}$XMLLINT" >&6
-else
-  echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-fi
+test -n "$PDFJADETEX" || PDFJADETEX="pdfjadetex"
 
 
 
@@ -26550,196 +27005,185 @@ fi
 
 
 #
-# Look for Docbook-XSL stylesheets.  Location probably varies by
-# system.  Guessing where it might be found, based on where SGML stuff
-# lives on some systems.  FreeBSD is the only one I'm sure of at the
-# moment.
+# Look for the SGML catalog.
+# Its location varies, so far we have seen:
 #
-
-docbook_xsl_trees="/usr/pkg/share/xsl /usr/local/share/xsl /usr/share/xsl"
-
+# 	NetBSD 	/usr/pkg/share/sgml/docbook/catalog
+# 	FreeBSD	/usr/local/share/sgml/docbook/catalog
+#	Linux	/usr/local/share/dsssl/docbook/catalog
+#		/usr/share/sgml/docbook/dsssl-stylesheets/catalog
 #
-# Look for stylesheets we need.
-#
-
-
-XSLT_DOCBOOK_STYLE_HTML=""
-echo "$as_me:$LINENO: checking for docbook/html/docbook.xsl" >&5
-echo $ECHO_N "checking for docbook/html/docbook.xsl... $ECHO_C" >&6
-for d in $docbook_xsl_trees
+catalogpath=""
+for d in $sgmltrees
 do
-	f=$d/docbook/html/docbook.xsl
-	if test -f $f
-	then
-		XSLT_DOCBOOK_STYLE_HTML=$f
-		echo "$as_me:$LINENO: result: $f" >&5
-echo "${ECHO_T}$f" >&6
-		break
-	fi
+	catalogpath="$catalogpath $d"
+	for s in docbook/dsssl-stylesheets
+	do
+		catalogpath="$catalogpath $d/$s"
+	done
 done
-if test "X$XSLT_DOCBOOK_STYLE_HTML" = "X"
-then
-	echo "$as_me:$LINENO: result: \"not found\"" >&5
-echo "${ECHO_T}\"not found\"" >&6;
-	XSLT_DOCBOOK_STYLE_HTML=docbook/html/docbook.xsl
-fi
-
-
 
-XSLT_DOCBOOK_STYLE_XHTML=""
-echo "$as_me:$LINENO: checking for docbook/xhtml/docbook.xsl" >&5
-echo $ECHO_N "checking for docbook/xhtml/docbook.xsl... $ECHO_C" >&6
-for d in $docbook_xsl_trees
+SGMLCATALOG=""
+echo "$as_me:$LINENO: checking for catalog" >&5
+echo $ECHO_N "checking for catalog... $ECHO_C" >&6
+for d in $catalogpath
 do
-	f=$d/docbook/xhtml/docbook.xsl
+	f=$d/catalog
 	if test -f $f
 	then
-		XSLT_DOCBOOK_STYLE_XHTML=$f
+		SGMLCATALOG=$f
 		echo "$as_me:$LINENO: result: $f" >&5
 echo "${ECHO_T}$f" >&6
 		break
 	fi
 done
-if test "X$XSLT_DOCBOOK_STYLE_XHTML" = "X"
+if test "X$SGMLCATALOG" = "X"
 then
 	echo "$as_me:$LINENO: result: \"not found\"" >&5
 echo "${ECHO_T}\"not found\"" >&6;
-	XSLT_DOCBOOK_STYLE_XHTML=docbook/xhtml/docbook.xsl
+	SGMLCATALOG=catalog
 fi
 
 
 
-XSLT_DOCBOOK_STYLE_MAN=""
-echo "$as_me:$LINENO: checking for docbook/manpages/docbook.xsl" >&5
-echo $ECHO_N "checking for docbook/manpages/docbook.xsl... $ECHO_C" >&6
-for d in $docbook_xsl_trees
+#
+# Look for the HTML stylesheet html/docbook.dsl, used for
+# formatting man pages in HTML.  Its location varies,
+# so far we have seen:
+#
+# 	NetBSD 	/usr/pkg/share/sgml/docbook/dsssl/modular/
+# 	FreeBSD	/usr/local/share/sgml/docbook/dsssl/modular/
+#	Linux	/usr/local/share/dsssl/docbook/
+#		/usr/share/sgml/docbook/dsssl-stylesheets/
+#
+# Ditto for the print stylesheet print/docbook.dsl.
+#
+
+stylepath=""
+for d in $sgmltrees
 do
-	f=$d/docbook/manpages/docbook.xsl
-	if test -f $f
-	then
-		XSLT_DOCBOOK_STYLE_MAN=$f
-		echo "$as_me:$LINENO: result: $f" >&5
-echo "${ECHO_T}$f" >&6
-		break
-	fi
+	for s in docbook/dsssl/modular dsssl/docbook docbook/dsssl-stylesheets
+	do
+		stylepath="$stylepath $d/$s"
+	done
 done
-if test "X$XSLT_DOCBOOK_STYLE_MAN" = "X"
-then
-	echo "$as_me:$LINENO: result: \"not found\"" >&5
-echo "${ECHO_T}\"not found\"" >&6;
-	XSLT_DOCBOOK_STYLE_MAN=docbook/manpages/docbook.xsl
-fi
-
-
 
-XSLT_DOCBOOK_CHUNK_HTML=""
-echo "$as_me:$LINENO: checking for docbook/html/chunk.xsl" >&5
-echo $ECHO_N "checking for docbook/html/chunk.xsl... $ECHO_C" >&6
-for d in $docbook_xsl_trees
+HTMLSTYLE=""
+echo "$as_me:$LINENO: checking for html/docbook.dsl" >&5
+echo $ECHO_N "checking for html/docbook.dsl... $ECHO_C" >&6
+for d in $stylepath
 do
-	f=$d/docbook/html/chunk.xsl
+	f=$d/html/docbook.dsl
 	if test -f $f
 	then
-		XSLT_DOCBOOK_CHUNK_HTML=$f
+		HTMLSTYLE=$f
 		echo "$as_me:$LINENO: result: $f" >&5
 echo "${ECHO_T}$f" >&6
 		break
 	fi
 done
-if test "X$XSLT_DOCBOOK_CHUNK_HTML" = "X"
+if test "X$HTMLSTYLE" = "X"
 then
 	echo "$as_me:$LINENO: result: \"not found\"" >&5
 echo "${ECHO_T}\"not found\"" >&6;
-	XSLT_DOCBOOK_CHUNK_HTML=docbook/html/chunk.xsl
+	HTMLSTYLE=html/docbook.dsl
 fi
 
 
 
-XSLT_DOCBOOK_CHUNK_XHTML=""
-echo "$as_me:$LINENO: checking for docbook/xhtml/chunk.xsl" >&5
-echo $ECHO_N "checking for docbook/xhtml/chunk.xsl... $ECHO_C" >&6
-for d in $docbook_xsl_trees
+PRINTSTYLE=""
+echo "$as_me:$LINENO: checking for print/docbook.dsl" >&5
+echo $ECHO_N "checking for print/docbook.dsl... $ECHO_C" >&6
+for d in $stylepath
 do
-	f=$d/docbook/xhtml/chunk.xsl
+	f=$d/print/docbook.dsl
 	if test -f $f
 	then
-		XSLT_DOCBOOK_CHUNK_XHTML=$f
+		PRINTSTYLE=$f
 		echo "$as_me:$LINENO: result: $f" >&5
 echo "${ECHO_T}$f" >&6
 		break
 	fi
 done
-if test "X$XSLT_DOCBOOK_CHUNK_XHTML" = "X"
+if test "X$PRINTSTYLE" = "X"
 then
 	echo "$as_me:$LINENO: result: \"not found\"" >&5
 echo "${ECHO_T}\"not found\"" >&6;
-	XSLT_DOCBOOK_CHUNK_XHTML=docbook/xhtml/chunk.xsl
+	PRINTSTYLE=print/docbook.dsl
 fi
 
 
 
 #
-# Same dance for db2latex
+# Look for XML declarations.
+# Its location varies, so far we have seen:
 #
-# No idea where this lives except on FreeBSD.
-#
-
-db2latex_xsl_trees="/usr/local/share"
-
-#
-# Look for stylesheets we need.
+# 	NetBSD 	/usr/pkg/share/sgml/docbook/dsssl/modular/dtds/decls/
+# 	FreeBSD	/usr/local/share/sgml/docbook/dsssl/modular/dtds/decls/
+#	Linux	/usr/local/share/dsssl/docbook/dtds/decls/
+#		/usr/share/sgml/docbook/dsssl-stylesheets/dtds/decls/
 #
 
+xmlpath=""
+for d in $sgmltrees
+do
+	for s in docbook/dsssl/modular dsssl/docbook docbook/dsssl-stylesheets
+	do
+		xmlpath="$xmlpath $d/$s"
+	done
+done
 
-XSLT_DB2LATEX_STYLE=""
-echo "$as_me:$LINENO: checking for db2latex/xsl/docbook.xsl" >&5
-echo $ECHO_N "checking for db2latex/xsl/docbook.xsl... $ECHO_C" >&6
-for d in $db2latex_xsl_trees
+XMLDCL=""
+echo "$as_me:$LINENO: checking for dtds/decls/xml.dcl" >&5
+echo $ECHO_N "checking for dtds/decls/xml.dcl... $ECHO_C" >&6
+for d in $xmlpath
 do
-	f=$d/db2latex/xsl/docbook.xsl
+	f=$d/dtds/decls/xml.dcl
 	if test -f $f
 	then
-		XSLT_DB2LATEX_STYLE=$f
+		XMLDCL=$f
 		echo "$as_me:$LINENO: result: $f" >&5
 echo "${ECHO_T}$f" >&6
 		break
 	fi
 done
-if test "X$XSLT_DB2LATEX_STYLE" = "X"
+if test "X$XMLDCL" = "X"
 then
 	echo "$as_me:$LINENO: result: \"not found\"" >&5
 echo "${ECHO_T}\"not found\"" >&6;
-	XSLT_DB2LATEX_STYLE=db2latex/xsl/docbook.xsl
+	XMLDCL=dtds/decls/xml.dcl
 fi
 
 
 
 #
-# Look for "admonition" image directory.  Can't use NOM_PATH_FILE()
-# because it's a directory, so just do the same things, inline.
+# Look for docbook2man-spec.pl
 #
 
-echo "$as_me:$LINENO: checking for db2latex/xsl/figures" >&5
-echo $ECHO_N "checking for db2latex/xsl/figures... $ECHO_C" >&6
-for d in $db2latex_xsl_trees
+
+DOCBOOK2MANSPEC=""
+echo "$as_me:$LINENO: checking for docbook2X/docbook2man-spec.pl" >&5
+echo $ECHO_N "checking for docbook2X/docbook2man-spec.pl... $ECHO_C" >&6
+for d in $sgmltrees
 do
-	dd=$d/db2latex/xsl/figures
-	if test -d $dd
+	f=$d/docbook2X/docbook2man-spec.pl
+	if test -f $f
 	then
-		XSLT_DB2LATEX_ADMONITIONS=$dd
-		echo "$as_me:$LINENO: result: $dd" >&5
-echo "${ECHO_T}$dd" >&6
+		DOCBOOK2MANSPEC=$f
+		echo "$as_me:$LINENO: result: $f" >&5
+echo "${ECHO_T}$f" >&6
 		break
 	fi
 done
-if test "X$XSLT_DB2LATEX_ADMONITIONS" = "X"
+if test "X$DOCBOOK2MANSPEC" = "X"
 then
-	echo "$as_me:$LINENO: result: not found" >&5
-echo "${ECHO_T}not found" >&6
-	XSLT_DB2LATEX_ADMONITIONS=db2latex/xsl/figures
+	echo "$as_me:$LINENO: result: \"not found\"" >&5
+echo "${ECHO_T}\"not found\"" >&6;
+	DOCBOOK2MANSPEC=docbook2X/docbook2man-spec.pl
 fi
 
 
+
 #
 # Substitutions
 #
@@ -26751,22 +27195,25 @@ BIND9_TOP_BUILDDIR=`pwd`
 
 
 
+
 if test "X$srcdir" != "X"; then
 	BIND9_ISC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isc/include"
 	BIND9_ISCCC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isccc/include"
 	BIND9_ISCCFG_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isccfg/include"
 	BIND9_DNS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/dns/include"
 	BIND9_LWRES_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/lwres/include"
+	BIND9_BIND9_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/bind9/include"
 else
 	BIND9_ISC_BUILDINCLUDE=""
 	BIND9_ISCCC_BUILDINCLUDE=""
 	BIND9_ISCCFG_BUILDINCLUDE=""
 	BIND9_DNS_BUILDINCLUDE=""
 	BIND9_LWRES_BUILDINCLUDE=""
+	BIND9_BIND9_BUILDINCLUDE=""
 fi
 
 
-BIND9_INCLUDES=$BIND9_TOP_BUILDDIR/make/includes
+BIND9_MAKE_INCLUDES=$BIND9_TOP_BUILDDIR/make/includes
 
 
 BIND9_MAKE_RULES=$BIND9_TOP_BUILDDIR/make/rules
@@ -26788,9 +27235,12 @@ LIBISCCFG_API=$srcdir/lib/isccfg/api
 LIBDNS_API=$srcdir/lib/dns/api
 
 
+LIBBIND9_API=$srcdir/lib/bind9/api
+
+
 LIBLWRES_API=$srcdir/lib/lwres/api
 
-                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          ac_config_files="$ac_config_files make/rules make/includes Makefile make/Makefile make/mkdep lib/Makefile lib/isc/Makefile lib/isc/include/Makefile lib/isc/include/isc/Makefile lib/isc/include/isc/platform.h lib/isc/unix/Makefile lib/isc/unix/include/Makefile lib/isc/unix/include/isc/Makefile lib/isc/nls/Makefile lib/isc/$thread_dir/Makefile lib/isc/$thread_dir/include/Makefile lib/isc/$thread_dir/include/isc/Makefile lib/isccc/Makefile lib/isccc/include/Makefile lib/isccc/include/isccc/Makefile lib/isccfg/Makefile lib/isccfg/include/Makefile lib/isccfg/include/isccfg/Makefile lib/dns/Makefile lib/dns/include/Makefile lib/dns/include/dns/Makefile lib/dns/include/dst/Makefile lib/lwres/Makefile lib/lwres/include/Makefile lib/lwres/include/lwres/Makefile lib/lwres/include/lwres/netdb.h lib/lwres/include/lwres/platform.h lib/lwres/man/Makefile lib/lwres/unix/Makefile lib/lwres/unix/include/Makefile lib/lwres/unix/include/lwres/Makefile lib/tests/Makefile lib/tests/include/Makefile lib/tests/include/tests/Makefile bin/Makefile bin/check/Makefile bin/named/Makefile bin/named/unix/Makefile bin/rndc/Makefile bin/rndc/unix/Makefile bin/dig/Makefile bin/nsupdate/Makefile bin/tests/Makefile bin/tests/names/Makefile bin/tests/master/Makefile bin/tests/rbt/Makefile bin/tests/db/Makefile bin/tests/tasks/Makefile bin/tests/timers/Makefile bin/tests/dst/Makefile bin/tests/mem/Makefile bin/tests/net/Makefile bin/tests/sockaddr/Makefile bin/tests/system/Makefile bin/tests/system/conf.sh bin/tests/system/lwresd/Makefile bin/tests/system/tkey/Makefile bin/tests/headerdep_test.sh bin/dnssec/Makefile doc/Makefile doc/arm/Makefile doc/misc/Makefile doc/xsl/Makefile isc-config.sh doc/xsl/isc-docbook-chunk.xsl doc/xsl/isc-docbook-html.xsl doc/xsl/isc-docbook-latex.xsl doc/xsl/isc-manpage.xsl"
+                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            ac_config_files="$ac_config_files make/rules make/includes Makefile make/Makefile make/mkdep lib/Makefile lib/isc/Makefile lib/isc/include/Makefile lib/isc/include/isc/Makefile lib/isc/include/isc/platform.h lib/isc/unix/Makefile lib/isc/unix/include/Makefile lib/isc/unix/include/isc/Makefile lib/isc/nls/Makefile lib/isc/$thread_dir/Makefile lib/isc/$thread_dir/include/Makefile lib/isc/$thread_dir/include/isc/Makefile lib/isccc/Makefile lib/isccc/include/Makefile lib/isccc/include/isccc/Makefile lib/isccfg/Makefile lib/isccfg/include/Makefile lib/isccfg/include/isccfg/Makefile lib/dns/Makefile lib/dns/include/Makefile lib/dns/include/dns/Makefile lib/dns/sec/Makefile lib/dns/sec/dst/Makefile lib/dns/sec/dst/include/Makefile lib/dns/sec/dst/include/dst/Makefile lib/bind9/Makefile lib/bind9/include/Makefile lib/bind9/include/bind9/Makefile lib/lwres/Makefile lib/lwres/include/Makefile lib/lwres/include/lwres/Makefile lib/lwres/include/lwres/netdb.h lib/lwres/include/lwres/platform.h lib/lwres/man/Makefile lib/lwres/unix/Makefile lib/lwres/unix/include/Makefile lib/lwres/unix/include/lwres/Makefile lib/tests/Makefile lib/tests/include/Makefile lib/tests/include/tests/Makefile bin/Makefile bin/check/Makefile bin/named/Makefile bin/named/unix/Makefile bin/rndc/Makefile bin/rndc/unix/Makefile bin/dig/Makefile bin/nsupdate/Makefile bin/tests/Makefile bin/tests/names/Makefile bin/tests/master/Makefile bin/tests/rbt/Makefile bin/tests/db/Makefile bin/tests/tasks/Makefile bin/tests/timers/Makefile bin/tests/dst/Makefile bin/tests/mem/Makefile bin/tests/net/Makefile bin/tests/sockaddr/Makefile bin/tests/system/Makefile bin/tests/system/conf.sh bin/tests/system/lwresd/Makefile bin/tests/system/tkey/Makefile bin/tests/headerdep_test.sh bin/dnssec/Makefile doc/Makefile doc/arm/Makefile doc/arm/nominum-docbook-html.dsl doc/arm/nominum-docbook-print.dsl doc/arm/validate.sh doc/misc/Makefile docutil/docbook2man-wrapper.sh isc-config.sh"
 cat >confcache <<\_ACEOF
 # This file is a shell script that caches the results of configure
 # tests run on this system so they can be shared between configure
@@ -27342,7 +27792,13 @@ do
   "lib/dns/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/dns/Makefile" ;;
   "lib/dns/include/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/dns/include/Makefile" ;;
   "lib/dns/include/dns/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/dns/include/dns/Makefile" ;;
-  "lib/dns/include/dst/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/dns/include/dst/Makefile" ;;
+  "lib/dns/sec/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/dns/sec/Makefile" ;;
+  "lib/dns/sec/dst/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/dns/sec/dst/Makefile" ;;
+  "lib/dns/sec/dst/include/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/dns/sec/dst/include/Makefile" ;;
+  "lib/dns/sec/dst/include/dst/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/dns/sec/dst/include/dst/Makefile" ;;
+  "lib/bind9/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/bind9/Makefile" ;;
+  "lib/bind9/include/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/bind9/include/Makefile" ;;
+  "lib/bind9/include/bind9/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/bind9/include/bind9/Makefile" ;;
   "lib/lwres/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/lwres/Makefile" ;;
   "lib/lwres/include/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/lwres/include/Makefile" ;;
   "lib/lwres/include/lwres/Makefile" ) CONFIG_FILES="$CONFIG_FILES lib/lwres/include/lwres/Makefile" ;;
@@ -27382,13 +27838,12 @@ do
   "bin/dnssec/Makefile" ) CONFIG_FILES="$CONFIG_FILES bin/dnssec/Makefile" ;;
   "doc/Makefile" ) CONFIG_FILES="$CONFIG_FILES doc/Makefile" ;;
   "doc/arm/Makefile" ) CONFIG_FILES="$CONFIG_FILES doc/arm/Makefile" ;;
+  "doc/arm/nominum-docbook-html.dsl" ) CONFIG_FILES="$CONFIG_FILES doc/arm/nominum-docbook-html.dsl" ;;
+  "doc/arm/nominum-docbook-print.dsl" ) CONFIG_FILES="$CONFIG_FILES doc/arm/nominum-docbook-print.dsl" ;;
+  "doc/arm/validate.sh" ) CONFIG_FILES="$CONFIG_FILES doc/arm/validate.sh" ;;
   "doc/misc/Makefile" ) CONFIG_FILES="$CONFIG_FILES doc/misc/Makefile" ;;
-  "doc/xsl/Makefile" ) CONFIG_FILES="$CONFIG_FILES doc/xsl/Makefile" ;;
+  "docutil/docbook2man-wrapper.sh" ) CONFIG_FILES="$CONFIG_FILES docutil/docbook2man-wrapper.sh" ;;
   "isc-config.sh" ) CONFIG_FILES="$CONFIG_FILES isc-config.sh" ;;
-  "doc/xsl/isc-docbook-chunk.xsl" ) CONFIG_FILES="$CONFIG_FILES doc/xsl/isc-docbook-chunk.xsl" ;;
-  "doc/xsl/isc-docbook-html.xsl" ) CONFIG_FILES="$CONFIG_FILES doc/xsl/isc-docbook-html.xsl" ;;
-  "doc/xsl/isc-docbook-latex.xsl" ) CONFIG_FILES="$CONFIG_FILES doc/xsl/isc-docbook-latex.xsl" ;;
-  "doc/xsl/isc-manpage.xsl" ) CONFIG_FILES="$CONFIG_FILES doc/xsl/isc-manpage.xsl" ;;
   "config.h" ) CONFIG_HEADERS="$CONFIG_HEADERS config.h" ;;
   *) { { echo "$as_me:$LINENO: error: invalid argument: $ac_config_target" >&5
 echo "$as_me: error: invalid argument: $ac_config_target" >&2;}
@@ -27507,16 +27962,15 @@ s,@EXEEXT@,$EXEEXT,;t t
 s,@OBJEXT@,$OBJEXT,;t t
 s,@CPP@,$CPP,;t t
 s,@EGREP@,$EGREP,;t t
-s,@ISC_SOCKADDR_LEN_T@,$ISC_SOCKADDR_LEN_T,;t t
 s,@ISC_PLATFORM_HAVELONGLONG@,$ISC_PLATFORM_HAVELONGLONG,;t t
+s,@ISC_PLATFORM_HAVELIFCONF@,$ISC_PLATFORM_HAVELIFCONF,;t t
 s,@ISC_PLATFORM_NEEDSYSSELECTH@,$ISC_PLATFORM_NEEDSYSSELECTH,;t t
 s,@LWRES_PLATFORM_NEEDSYSSELECTH@,$LWRES_PLATFORM_NEEDSYSSELECTH,;t t
-s,@DST_OPENSSL_INC@,$DST_OPENSSL_INC,;t t
-s,@DNS_OPENSSL_LIBS@,$DNS_OPENSSL_LIBS,;t t
 s,@USE_OPENSSL@,$USE_OPENSSL,;t t
+s,@DST_OPENSSL_INC@,$DST_OPENSSL_INC,;t t
 s,@USE_GSSAPI@,$USE_GSSAPI,;t t
 s,@DST_GSSAPI_INC@,$DST_GSSAPI_INC,;t t
-s,@DNS_GSSAPI_LIBS@,$DNS_GSSAPI_LIBS,;t t
+s,@DNS_CRYPTO_LIBS@,$DNS_CRYPTO_LIBS,;t t
 s,@ALWAYS_DEFINES@,$ALWAYS_DEFINES,;t t
 s,@ISC_PLATFORM_USETHREADS@,$ISC_PLATFORM_USETHREADS,;t t
 s,@ISC_THREAD_DIR@,$ISC_THREAD_DIR,;t t
@@ -27546,8 +28000,6 @@ s,@LIBTOOL_MKDEP_SED@,$LIBTOOL_MKDEP_SED,;t t
 s,@LIBTOOL_MODE_COMPILE@,$LIBTOOL_MODE_COMPILE,;t t
 s,@LIBTOOL_MODE_INSTALL@,$LIBTOOL_MODE_INSTALL,;t t
 s,@LIBTOOL_MODE_LINK@,$LIBTOOL_MODE_LINK,;t t
-s,@LIBTOOL_ALLOW_UNDEFINED@,$LIBTOOL_ALLOW_UNDEFINED,;t t
-s,@LIBTOOL_IN_MAIN@,$LIBTOOL_IN_MAIN,;t t
 s,@LIBBIND@,$LIBBIND,;t t
 s,@ISC_PLATFORM_HAVEIPV6@,$ISC_PLATFORM_HAVEIPV6,;t t
 s,@LWRES_PLATFORM_HAVEIPV6@,$LWRES_PLATFORM_HAVEIPV6,;t t
@@ -27568,11 +28020,9 @@ s,@ISC_IPV6_O@,$ISC_IPV6_O,;t t
 s,@ISC_ISCIPV6_O@,$ISC_ISCIPV6_O,;t t
 s,@ISC_IPV6_C@,$ISC_IPV6_C,;t t
 s,@LWRES_HAVE_SIN6_SCOPE_ID@,$LWRES_HAVE_SIN6_SCOPE_ID,;t t
-s,@BUILD_CC@,$BUILD_CC,;t t
-s,@BUILD_CFLAGS@,$BUILD_CFLAGS,;t t
-s,@BUILD_CPPFLAGS@,$BUILD_CPPFLAGS,;t t
-s,@BUILD_LDFLAGS@,$BUILD_LDFLAGS,;t t
-s,@BUILD_LIBS@,$BUILD_LIBS,;t t
+s,@ISC_PLATFORM_HAVESCOPEID@,$ISC_PLATFORM_HAVESCOPEID,;t t
+s,@ISC_PLATFORM_HAVEIF_LADDRREQ@,$ISC_PLATFORM_HAVEIF_LADDRREQ,;t t
+s,@ISC_PLATFORM_HAVEIF_LADDRCONF@,$ISC_PLATFORM_HAVEIF_LADDRCONF,;t t
 s,@ISC_PLATFORM_NEEDNTOP@,$ISC_PLATFORM_NEEDNTOP,;t t
 s,@ISC_PLATFORM_NEEDPTON@,$ISC_PLATFORM_NEEDPTON,;t t
 s,@ISC_PLATFORM_NEEDATON@,$ISC_PLATFORM_NEEDATON,;t t
@@ -27593,38 +28043,40 @@ s,@ISC_LWRES_GETIPNODEPROTO@,$ISC_LWRES_GETIPNODEPROTO,;t t
 s,@ISC_LWRES_GETADDRINFOPROTO@,$ISC_LWRES_GETADDRINFOPROTO,;t t
 s,@ISC_LWRES_GETNAMEINFOPROTO@,$ISC_LWRES_GETNAMEINFOPROTO,;t t
 s,@ISC_PLATFORM_NEEDSTRSEP@,$ISC_PLATFORM_NEEDSTRSEP,;t t
+s,@ISC_PLATFORM_NEEDMEMMOVE@,$ISC_PLATFORM_NEEDMEMMOVE,;t t
+s,@ISC_PLATFORM_NEEDSTRTOUL@,$ISC_PLATFORM_NEEDSTRTOUL,;t t
+s,@ISC_PLATFORM_NEEDSTRLCPY@,$ISC_PLATFORM_NEEDSTRLCPY,;t t
+s,@ISC_PLATFORM_NEEDSTRLCAT@,$ISC_PLATFORM_NEEDSTRLCAT,;t t
+s,@ISC_PLATFORM_NEEDSPRINTF@,$ISC_PLATFORM_NEEDSPRINTF,;t t
 s,@ISC_PLATFORM_NEEDVSNPRINTF@,$ISC_PLATFORM_NEEDVSNPRINTF,;t t
-s,@LWRES_PLATFORM_NEEDVSNPRINTF@,$LWRES_PLATFORM_NEEDVSNPRINTF,;t t
 s,@ISC_EXTRA_OBJS@,$ISC_EXTRA_OBJS,;t t
 s,@ISC_EXTRA_SRCS@,$ISC_EXTRA_SRCS,;t t
 s,@ISC_PLATFORM_QUADFORMAT@,$ISC_PLATFORM_QUADFORMAT,;t t
-s,@LWRES_PLATFORM_QUADFORMAT@,$LWRES_PLATFORM_QUADFORMAT,;t t
 s,@ISC_PLATFORM_RLIMITTYPE@,$ISC_PLATFORM_RLIMITTYPE,;t t
 s,@ISC_PLATFORM_USEDECLSPEC@,$ISC_PLATFORM_USEDECLSPEC,;t t
 s,@LWRES_PLATFORM_USEDECLSPEC@,$LWRES_PLATFORM_USEDECLSPEC,;t t
 s,@ISC_PLATFORM_BRACEPTHREADONCEINIT@,$ISC_PLATFORM_BRACEPTHREADONCEINIT,;t t
-s,@LATEX@,$LATEX,;t t
-s,@PDFLATEX@,$PDFLATEX,;t t
-s,@XSLTPROC@,$XSLTPROC,;t t
-s,@XMLLINT@,$XMLLINT,;t t
-s,@XSLT_DOCBOOK_STYLE_HTML@,$XSLT_DOCBOOK_STYLE_HTML,;t t
-s,@XSLT_DOCBOOK_STYLE_XHTML@,$XSLT_DOCBOOK_STYLE_XHTML,;t t
-s,@XSLT_DOCBOOK_STYLE_MAN@,$XSLT_DOCBOOK_STYLE_MAN,;t t
-s,@XSLT_DOCBOOK_CHUNK_HTML@,$XSLT_DOCBOOK_CHUNK_HTML,;t t
-s,@XSLT_DOCBOOK_CHUNK_XHTML@,$XSLT_DOCBOOK_CHUNK_XHTML,;t t
-s,@XSLT_DB2LATEX_STYLE@,$XSLT_DB2LATEX_STYLE,;t t
-s,@XSLT_DB2LATEX_ADMONITIONS@,$XSLT_DB2LATEX_ADMONITIONS,;t t
+s,@ISC_PLATFORM_HAVEIFNAMETOINDEX@,$ISC_PLATFORM_HAVEIFNAMETOINDEX,;t t
+s,@OPENJADE@,$OPENJADE,;t t
+s,@JADETEX@,$JADETEX,;t t
+s,@PDFJADETEX@,$PDFJADETEX,;t t
+s,@SGMLCATALOG@,$SGMLCATALOG,;t t
+s,@HTMLSTYLE@,$HTMLSTYLE,;t t
+s,@PRINTSTYLE@,$PRINTSTYLE,;t t
+s,@XMLDCL@,$XMLDCL,;t t
+s,@DOCBOOK2MANSPEC@,$DOCBOOK2MANSPEC,;t t
 s,@BIND9_TOP_BUILDDIR@,$BIND9_TOP_BUILDDIR,;t t
 s,@BIND9_ISC_BUILDINCLUDE@,$BIND9_ISC_BUILDINCLUDE,;t t
 s,@BIND9_ISCCC_BUILDINCLUDE@,$BIND9_ISCCC_BUILDINCLUDE,;t t
 s,@BIND9_ISCCFG_BUILDINCLUDE@,$BIND9_ISCCFG_BUILDINCLUDE,;t t
 s,@BIND9_DNS_BUILDINCLUDE@,$BIND9_DNS_BUILDINCLUDE,;t t
 s,@BIND9_LWRES_BUILDINCLUDE@,$BIND9_LWRES_BUILDINCLUDE,;t t
+s,@BIND9_BIND9_BUILDINCLUDE@,$BIND9_BIND9_BUILDINCLUDE,;t t
 s,@BIND9_VERSION@,$BIND9_VERSION,;t t
 s,@LIBOBJS@,$LIBOBJS,;t t
 s,@LTLIBOBJS@,$LTLIBOBJS,;t t
-/@BIND9_INCLUDES@/r $BIND9_INCLUDES
-s,@BIND9_INCLUDES@,,;t t
+/@BIND9_MAKE_INCLUDES@/r $BIND9_MAKE_INCLUDES
+s,@BIND9_MAKE_INCLUDES@,,;t t
 /@BIND9_MAKE_RULES@/r $BIND9_MAKE_RULES
 s,@BIND9_MAKE_RULES@,,;t t
 /@LIBISC_API@/r $LIBISC_API
@@ -27635,6 +28087,8 @@ s,@LIBISCCC_API@,,;t t
 s,@LIBISCCFG_API@,,;t t
 /@LIBDNS_API@/r $LIBDNS_API
 s,@LIBDNS_API@,,;t t
+/@LIBBIND9_API@/r $LIBBIND9_API
+s,@LIBBIND9_API@,,;t t
 /@LIBLWRES_API@/r $LIBLWRES_API
 s,@LIBLWRES_API@,,;t t
 CEOF
@@ -28307,30 +28761,6 @@ fi
 
 chmod a+x isc-config.sh
 
-if test "X$OPENSSL_WARNING" != "X"; then
-cat << \EOF
-WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
-WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
-WARNING                                                                 WARNING
-WARNING         Your OpenSSL crypto library may be vulnerable to        WARNING
-WARNING         one or more of the the following known security         WARNING
-WARNING         flaws:                                                  WARNING
-WARNING                                                                 WARNING
-WARNING         CAN-2002-0659, CAN-2006-4339, CVE-2006-2937 and         WARNING
-WARNING         CVE-2006-2940.                                          WARNING
-WARNING                                                                 WARNING
-WARNING         It is recommended that you upgrade to OpenSSL           WARNING
-WARNING         version 0.9.8d/0.9.7l (or greater).                     WARNING
-WARNING                                                                 WARNING
-WARNING         You can disable this warning by specifying:             WARNING
-WARNING                                                                 WARNING
-WARNING               --disable-openssl-version-check          	        WARNING
-WARNING                                                                 WARNING
-WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
-WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
-EOF
-fi
-
 # Tell Emacs to edit this file in shell mode.
 # Local Variables:
 # mode: sh
diff --git a/configure.in b/configure.in
index f8226767..188875f9 100644
--- a/configure.in
+++ b/configure.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1998-2003  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,12 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-AC_REVISION($Revision: 1.294.2.75 $)
+dnl
+AC_DIVERT_PUSH(1)dnl
+esyscmd([sed "s/^/# /" COPYRIGHT])dnl
+AC_DIVERT_POP()dnl
+
+AC_REVISION($Revision: 1.294.2.23.2.23 $)
 
 AC_INIT(lib/dns/name.c)
 AC_PREREQ(2.13)
@@ -188,6 +193,17 @@ fi
 AC_PROG_CC
 
 #
+# gcc's optimiser is broken at -02 for ultrasparc
+#
+if test "$ac_env_CFLAGS_set" != set -a "X$GCC" = "Xyes"; then
+	case "$host" in
+	sparc-*)
+		CCFLAGS="-g -O1"
+		;;
+	esac
+fi
+
+#
 # OS dependent CC flags
 #
 case "$host" in
@@ -212,7 +228,7 @@ esac
 
 AC_HEADER_STDC
 
-AC_CHECK_HEADERS(fcntl.h sys/time.h unistd.h sys/sockio.h sys/select.h sys/param.h sys/sysctl.h,,,
+AC_CHECK_HEADERS(fcntl.h sys/time.h unistd.h sys/sockio.h sys/select.h sys/param.h sys/sysctl.h net/if6.h,,,
 [$ac_includes_default
 #ifdef HAVE_SYS_PARAM_H
 # include <sys/param.h>
@@ -245,24 +261,6 @@ AC_TRY_COMPILE(, [
 
 AC_TYPE_SIZE_T
 AC_CHECK_TYPE(ssize_t, int)
-AC_CHECK_TYPE(uintptr_t,unsigned long)
-AC_CHECK_TYPE(socklen_t,
-[AC_DEFINE(ISC_SOCKADDR_LEN_T, socklen_t)],
-[
-AC_TRY_COMPILE(
-[
-#include <sys/types.h>
-#include <sys/socket.h>
-int getsockname(int, struct sockaddr *, size_t *);
-],[],
-[AC_DEFINE(ISC_SOCKADDR_LEN_T, size_t)],
-[AC_DEFINE(ISC_SOCKADDR_LEN_T, int)])
-],
-[
-#include <sys/types.h>
-#include <sys/socket.h>
-])
-AC_SUBST(ISC_SOCKADDR_LEN_T)
 AC_HEADER_TIME
 AC_MSG_CHECKING(for long long)
 AC_TRY_COMPILE([],[long long i = 0; return (0);],
@@ -273,6 +271,27 @@ AC_TRY_COMPILE([],[long long i = 0; return (0);],
 AC_SUBST(ISC_PLATFORM_HAVELONGLONG)
 
 #
+# check if we have lifconf
+#
+AC_MSG_CHECKING(for struct lifconf)
+AC_TRY_COMPILE([
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <net/if.h>
+],
+[
+struct lifconf lifconf;
+lifconf.lifc_len = 0;
+]
+,
+	[AC_MSG_RESULT(yes)
+		ISC_PLATFORM_HAVELIFCONF="#define ISC_PLATFORM_HAVELIFCONF 1"],
+	[AC_MSG_RESULT(no)
+		ISC_PLATFORM_HAVELIFCONF="#undef ISC_PLATFORM_HAVELIFCONF"])
+AC_SUBST(ISC_PLATFORM_HAVELIFCONF)
+
+
+#
 # check if we need to #include sys/select.h explicitly
 #
 case $ac_cv_header_unistd_h in
@@ -320,7 +339,6 @@ AC_C_BIGENDIAN
 #
 # was --with-openssl specified?
 #
-OPENSSL_WARNING=
 AC_MSG_CHECKING(for OpenSSL library)
 AC_ARG_WITH(openssl,
 [  --with-openssl[=PATH]   Build with OpenSSL [yes|no|path].
@@ -337,7 +355,7 @@ case "$use_openssl" in
 		if test "$use_openssl" = "yes"
 		then
 		    	# User did not specify a path - guess it
-			openssldirs="/usr /usr/local /usr/local/ssl /usr/pkg /usr/sfw"
+			openssldirs="/usr /usr/local /usr/local/ssl /usr/pkg"
 			for d in $openssldirs
 			do
 				if test -f $d/include/openssl/opensslv.h
@@ -354,24 +372,15 @@ case "$use_openssl" in
 			fi
 		fi
 		USE_OPENSSL='-DOPENSSL'
-		if test "$use_openssl" = "/usr"
-		then
-			DST_OPENSSL_INC=""
-			DNS_OPENSSL_LIBS="-lcrypto"
-		else
-			DST_OPENSSL_INC="-I$use_openssl/include"
-			case $host in
-			*-solaris*)
-				DNS_OPENSSL_LIBS="-L$use_openssl/lib -R$use_openssl/lib -lcrypto"
-				;;
-			*-hp-hpux*)
-				DNS_OPENSSL_LIBS="-L$use_openssl/lib -Wl,+b: -lcrypto"
-				;;
-			*)
-				DNS_OPENSSL_LIBS="-L$use_openssl/lib -lcrypto"
-				;;
-			esac
-		fi
+		DST_OPENSSL_INC="-I$use_openssl/include"
+		case $host in
+		*-solaris*)
+			DNS_OPENSSL_LIBS="-L$use_openssl/lib -R$use_openssl/lib -lcrypto"
+			;;
+		*)
+			DNS_OPENSSL_LIBS="-L$use_openssl/lib -lcrypto"
+			;;
+		esac
 		AC_MSG_RESULT(using openssl from $use_openssl/lib and $use_openssl/include)
 
 		saved_cflags="$CFLAGS"
@@ -413,38 +422,51 @@ shared library configuration (e.g., LD_LIBRARY_PATH).)],
 		[AC_MSG_RESULT(assuming it does work on target platform)]
 		)
 		 
-AC_ARG_ENABLE(openssl-version-check,
-[AC_HELP_STRING([--enable-openssl-version-check],
-	[Check OpenSSL Version @<:@default=yes@:>@])])
-case "$enable_openssl_version_check" in
-yes|'')
+#
+#	OpenSSLDie is new with CERT CS-2002-23.  If we see it we have may
+#	have a patched library otherwise check that we are greater than
+#	the fixed versions
+#
+		AC_CHECK_FUNC(OpenSSLDie,
 		AC_MSG_CHECKING(OpenSSL library version)
 		AC_TRY_RUN([
 #include <stdio.h>
 #include <openssl/opensslv.h>
 int main() {
-	if ((OPENSSL_VERSION_NUMBER >= 0x009070cfL &&
-	     OPENSSL_VERSION_NUMBER < 0x00908000L) ||
-	    OPENSSL_VERSION_NUMBER >= 0x0090804fL)
+        if (OPENSSL_VERSION_NUMBER >= 0x0090581fL)
                 return (0);
 	printf("\n\nFound   OPENSSL_VERSION_NUMBER %#010x\n",
 		OPENSSL_VERSION_NUMBER);
-	printf("Require OPENSSL_VERSION_NUMBER 0x009070cf or greater (0.9.7l)\n"
-	       "Require OPENSSL_VERSION_NUMBER 0x0090804f or greater (0.9.8d)\n\n");
+	printf("Require OPENSSL_VERSION_NUMBER 0x0090581f or greater\n\n");
         return (1);
 }
-		],
+],
 	        [AC_MSG_RESULT(ok)],
 		[AC_MSG_RESULT(not compatible)
-                 OPENSSL_WARNING=yes
-		],
+		 AC_MSG_ERROR(you need OpenSSL 0.9.5a or newer)],
 		[AC_MSG_RESULT(assuming target platform has compatible version)])
-;;
-no)
-	AC_MSG_RESULT(Skipped OpenSSL version check)
-;;
-esac
-
+		,
+	        AC_MSG_RESULT(did not find fixes for CERT CA-2002-23)
+		AC_MSG_CHECKING(OpenSSL library version)
+		AC_TRY_RUN([
+#include <stdio.h>
+#include <openssl/opensslv.h>
+int main() {
+        if ((OPENSSL_VERSION_NUMBER >= 0x0090605fL &&
+	     OPENSSL_VERSION_NUMBER < 0x009070000L) ||
+	     OPENSSL_VERSION_NUMBER >= 0x00907003L)
+                return (0);
+	printf("\n\nFound   OPENSSL_VERSION_NUMBER %#010x\n",
+		OPENSSL_VERSION_NUMBER);
+	printf("Require OPENSSL_VERSION_NUMBER 0x0090605f or greater (0.9.6e)\n"
+	       "Require OPENSSL_VERSION_NUMBER 0x00907003 or greater (0.9.7-beta2)\n\n");
+        return (1);
+}
+],
+	        [AC_MSG_RESULT(ok)],
+		[AC_MSG_RESULT(not compatible)
+		 AC_MSG_ERROR(you need OpenSSL 0.9.6e/0.9.7-beta2 (or newer): CERT CA-2002-23)],
+		[AC_MSG_RESULT(assuming target platform has compatible version)]))
 		CFLAGS="$saved_cflags"
 		LIBS="$saved_libs"
 		;;
@@ -455,9 +477,9 @@ esac
 # it as needed) if it is found.
 #
 
-AC_SUBST(DST_OPENSSL_INC)
-AC_SUBST(DNS_OPENSSL_LIBS)
 AC_SUBST(USE_OPENSSL)
+AC_SUBST(DST_OPENSSL_INC)
+DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DNS_OPENSSL_LIBS"
 
 #
 # was --with-gssapi specified?
@@ -491,7 +513,13 @@ DNS_GSSAPI_LIBS=''
 
 AC_SUBST(USE_GSSAPI)
 AC_SUBST(DST_GSSAPI_INC)
-AC_SUBST(DNS_GSSAPI_LIBS)
+DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DNS_GSSAPI_LIBS"
+
+#
+# Applications linking with libdns also need to link with these libraries.
+#
+
+AC_SUBST(DNS_CRYPTO_LIBS)
 
 #
 # was --with-randomdev specified?
@@ -533,61 +561,171 @@ esac
 #
 AC_CHECK_FUNC(arc4random, AC_DEFINE(HAVE_ARC4RANDOM))
 
-sinclude(config.threads.in)dnl
+#
+# Begin pthreads checking.
+#
+# First, decide whether to use multithreading or not.
+#
+# Enable multithreading by default on systems where it is known
+# to work well, and where debugging of multithreaded programs
+# is supported.
+#
 
-if $use_threads
-then
-	if test "X$GCC" = "Xyes"; then
-		case "$host" in
-		*-freebsd*)
-			CC="$CC -pthread"
-			CCOPT="$CCOPT -pthread"
-			STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
-			;;
-		*-openbsd*)
-			CC="$CC -pthread"
-			CCOPT="$CCOPT -pthread"
-			;;
-		*-solaris*)
-			LIBS="$LIBS -lthread"
-			;;
-		*-ibm-aix*)
-			STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
-			;;
-		esac
+AC_MSG_CHECKING(whether to build with thread support)
+
+case $host in
+*-dec-osf*)
+	use_threads=true ;;
+[*-solaris2.[0-6]])
+	# Thread signals are broken on Solaris 2.6; they are sometimes
+	# delivered to the wrong thread.
+	use_threads=false ;;
+*-solaris*)
+	use_threads=true ;;
+*-ibm-aix*)
+	use_threads=true ;;
+*-hp-hpux10*)
+	use_threads=false ;;
+*-hp-hpux11*)
+	use_threads=true ;;
+*-sgi-irix*)
+	use_threads=true ;;
+*-sco-sysv*uw*|*-*-sysv*UnixWare*)
+        # UnixWare
+	use_threads=false ;;
+*-*-sysv*OpenUNIX*)
+        # UnixWare
+	use_threads=true ;;
+*-netbsd*)
+	if test -r /usr/lib/libpthread.so ; then
+	    use_threads=true
 	else
-		case $host in
-		*-dec-osf*)
-			CC="$CC -pthread"
-			CCOPT="$CCOPT -pthread"
-			;;
-		*-solaris*)
-			CC="$CC -mt"
-			CCOPT="$CCOPT -mt"
-			;;
-		*-ibm-aix*)
-			STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
-			;;
-		*-sco-sysv*uw*)
-			CC="$CC -Kthread"
-			CCOPT="$CCOPT -Kthread"
-			;;
-		esac
+	    # Socket I/O optimizations introduced in 9.2 expose a
+	    # bug in unproven-pthreads; see PR #12650
+	    use_threads=false
 	fi
-	ALWAYS_DEFINES="-D_REENTRANT"
-	ISC_PLATFORM_USETHREADS="#define ISC_PLATFORM_USETHREADS 1"
-	thread_dir=pthreads
+	;;
+*-openbsd*)
+	# OpenBSD users have reported that named dumps core on
+	# startup when built with threads.
+	use_threads=false ;;
+*-freebsd*)
+	use_threads=false ;;
+*-bsdi[234]*)
+	# Thread signals do not work reliably on some versions of BSD/OS.
+	use_threads=false ;;
+*-bsdi5*)
+	use_threads=true ;;
+*-linux*)
+   	# Threads are disabled on Linux by default because most
+	# Linux kernels produce unusable core dumps from multithreaded
+	# programs, and because of limitations in setuid().
+	use_threads=false ;;	
+*)
+	use_threads=false ;;
+esac
+
+AC_ARG_ENABLE(threads,
+	[  --enable-threads	enable multithreading])
+case "$enable_threads" in
+	yes)
+		use_threads=true
+		;;
+	no)
+		use_threads=false
+		;;
+	'')
+		# Use system-dependent default
+		;;
+	*)
+	    	AC_MSG_ERROR([--enable-threads takes yes or no])
+		;;
+esac
+
+if $use_threads
+then
+	AC_MSG_RESULT(yes)
+else
+	AC_MSG_RESULT(no)	
+fi
+
+if $use_threads
+then
+	#
+	# Search for / configure pthreads in a system-dependent fashion.
+	#
+	case "$host" in
+	  *-netbsd*)
+		# NetBSD has multiple pthreads implementations.	 The
+		# recommended one to use is "unproven-pthreads".  The
+		# older "mit-pthreads" may also work on some NetBSD
+		# versions.  The PTL2 thread library does not
+		# currently work with bind9, but can be chosen with
+		# the --with-ptl2 option for those who wish to
+		# experiment with it.
+		CC="gcc"
+		AC_MSG_CHECKING(which NetBSD thread library to use)
+
+		AC_ARG_WITH(ptl2,
+[  --with-ptl2		on NetBSD, use the ptl2 thread library (experimental)],
+		    use_ptl2="$withval", use_ptl2="no")
+
+		: ${LOCALBASE:=/usr/pkg}
+
+		if test "X$use_ptl2" = "Xyes"
+		then
+			AC_MSG_RESULT(PTL2)
+			AC_MSG_WARN(
+[linking with PTL2 is highly experimental and not expected to work])
+			CC=ptlgcc
+		else
+			if test -r /usr/lib/libpthread.so
+			then
+				AC_MSG_RESULT(native)
+				LIBS="-lpthread $LIBS"
+			else
+				if test ! -d $LOCALBASE/pthreads
+				then
+					AC_MSG_RESULT(none)
+					AC_MSG_ERROR("could not find thread libraries")
+				fi
+
+				if $use_threads
+				then
+					AC_MSG_RESULT(mit-pthreads/unproven-pthreads)
+					pkg="$LOCALBASE/pthreads"
+					lib1="-L$pkg/lib -Wl,-R$pkg/lib"
+					lib2="-lpthread -lm -lgcc -lpthread"
+					LIBS="$lib1 $lib2 $LIBS"
+					CPPFLAGS="$CPPFLAGS -I$pkg/include"
+					STD_CINCLUDES="$STD_CINCLUDES -I$pkg/include"
+				fi
+			fi
+		fi
+		;;
+		*)
+			AC_CHECK_LIB(pthread, pthread_create,,
+				AC_CHECK_LIB(pthread, __pthread_create,,
+				AC_CHECK_LIB(pthread, __pthread_create_system,,
+				AC_CHECK_LIB(c_r, pthread_create,,
+				AC_CHECK_LIB(c, pthread_create,,
+				AC_MSG_ERROR("could not find thread libraries"))))))
+		;;
+	esac
+fi
+
+if $use_threads
+then
 	#
 	# We'd like to use sigwait() too
 	#
-	AC_CHECK_FUNC(sigwait,
-		      AC_DEFINE(HAVE_SIGWAIT),
-		      AC_CHECK_LIB(c, sigwait,
-		      AC_DEFINE(HAVE_SIGWAIT),
-		      AC_CHECK_LIB(pthread, sigwait,
-				   AC_DEFINE(HAVE_SIGWAIT),
-				   AC_CHECK_LIB(pthread, _Psigwait,
-					        AC_DEFINE(HAVE_SIGWAIT),))))
+	AC_CHECK_LIB(c, sigwait,
+		     AC_DEFINE(HAVE_SIGWAIT),
+		     AC_CHECK_LIB(pthread, sigwait,
+				  AC_DEFINE(HAVE_SIGWAIT),
+				  AC_CHECK_LIB(pthread, _Psigwait,
+					       AC_DEFINE(HAVE_SIGWAIT),))
+	)
 
 	AC_CHECK_FUNC(pthread_attr_getstacksize,
 		      AC_DEFINE(HAVE_PTHREAD_ATTR_GETSTACKSIZE),)
@@ -604,15 +742,6 @@ then
 		#
 		*-freebsd*)
 			AC_CHECK_LIB(c_r, sigwait, AC_DEFINE(HAVE_SIGWAIT),)
-			case $host in
-			*-freebsd5.[[012]]|*-freebsd5.[[012]].*);;
-			*-freebsd5.[[3456789]]|*-freebsd5.[[3456789]].*)
-				AC_DEFINE(NEED_PTHREAD_SCOPE_SYSTEM)
-				;;
-			*-freebsd6.*)
-				AC_DEFINE(NEED_PTHREAD_SCOPE_SYSTEM)
-				;;
-			esac
 			;;
 		#
 		# BSDI 3.0 through 4.0.1 needs pthread_init() to be
@@ -641,7 +770,7 @@ then
 		#
 		# UnixWare does things its own way.
 		#
-		*-sco-sysv*uw*)
+		*-sco-sysv*uw*|*-*-sysv*UnixWare*|*-*-sysv*OpenUNIX*)
 			AC_DEFINE(HAVE_UNIXWARE_SIGWAIT)
 			;;
 	esac
@@ -651,6 +780,50 @@ then
 	#
 	AC_CHECK_FUNC(sysconf, AC_DEFINE(HAVE_SYSCONF),)
 
+	if test "X$GCC" = "Xyes"; then
+		case "$host" in
+		*-freebsd*)
+			CC="$CC -pthread"
+			CCOPT="$CCOPT -pthread"
+			STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
+			;;
+		*-openbsd*)
+			CC="$CC -pthread"
+			CCOPT="$CCOPT -pthread"
+			;;
+		*-solaris*)
+			LIBS="$LIBS -lthread"
+			;;
+		*-ibm-aix*)
+			STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
+			;;
+		esac
+	else
+		case $host in
+		*-dec-osf*)
+			CC="$CC -pthread"
+			CCOPT="$CCOPT -pthread"
+			;;
+		*-solaris*)
+			CC="$CC -mt"
+			CCOPT="$CCOPT -mt"
+			;;
+		*-ibm-aix*)
+			STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
+			;;
+		*-sco-sysv*uw*|*-*-sysv*UnixWare*)
+			CC="$CC -Kthread"
+			CCOPT="$CCOPT -Kthread"
+			;;
+		*-*-sysv*OpenUNIX*)
+			CC="$CC -Kpthread"
+			CCOPT="$CCOPT -Kpthread"
+			;;
+		esac
+	fi
+	ALWAYS_DEFINES="-D_REENTRANT"
+	ISC_PLATFORM_USETHREADS="#define ISC_PLATFORM_USETHREADS 1"
+	thread_dir=pthreads
 else
 	ISC_PLATFORM_USETHREADS="#undef ISC_PLATFORM_USETHREADS"
 	thread_dir=nothreads
@@ -659,15 +832,11 @@ fi
 
 AC_SUBST(ALWAYS_DEFINES)
 AC_SUBST(ISC_PLATFORM_USETHREADS)
+
 ISC_THREAD_DIR=$thread_dir
 AC_SUBST(ISC_THREAD_DIR)
 
 #
-# In solaris 10, SMF can manage named service
-#
-AC_CHECK_LIB(scf, smf_enable_instance)
-
-#
 # flockfile is usually provided by pthreads, but we may want to use it
 # even if compiled with --disable-threads.  getc_unlocked might also not
 # be defined.
@@ -690,6 +859,19 @@ fi
 #
 
 #
+# Large File
+#
+AC_ARG_ENABLE(largefile, [  --enable-largefile	  64-bit file support],
+	      want_largefile="yes", want_largefile="no")
+case $want_largefile in
+	yes)
+		ALWAYS_DEFINES="$ALWAYS_DEFINES -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64"
+		;;
+	*)
+		;;
+esac
+
+#
 # Additional compiler settings.
 #
 MKDEPCC="$CC"
@@ -697,23 +879,7 @@ MKDEPCFLAGS="-M"
 IRIX_DNSSEC_WARNINGS_HACK=""
 
 if test "X$GCC" = "Xyes"; then
-	AC_MSG_CHECKING(if "$CC" supports -fno-strict-aliasing)
-	SAVE_CFLAGS=$CFLAGS
-	CFLAGS=-fno-strict-aliasing
-	AC_TRY_COMPILE(,, [FNOSTRICTALIASING=yes],[FNOSTRICTALIASING=no])
-	CFLAGS=$SAVE_CFLAGS
-	if test "$FNOSTRICTALIASING" = "yes"; then
-		AC_MSG_RESULT(yes)
-	STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith -fno-strict-aliasing"
-	else
-		AC_MSG_RESULT(no)
-	STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith"
-	fi
-	case "$host" in
-	*-hp-hpux*)
-		LDFLAGS="-Wl,+vnocompatwarnings $LDFLAGS"
-		;;
-	esac
+	STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat"
 else
 	case $host in
 	*-dec-osf*)
@@ -733,11 +899,11 @@ else
 			;;
 		*)
 			# Turn off the pointlessly noisy warnings.
-			STD_CWARNINGS="+w1 +W 474,530,2193,2236"
+			STD_CWARNINGS="+w1 +W 474,530"
 			;;
 		esac
 		CCOPT="$CCOPT -Ae -z"
-		LDFLAGS="-Wl,+vnocompatwarnings $LDFLAGS"
+		LIBS="-Wl,+vnocompatwarnings $LIBS"
 		MKDEPPROG='cc -Ae -E -Wp,-M >/dev/null 2>>$TMP'
 		;;
 	*-sgi-irix*)
@@ -754,7 +920,7 @@ else
 	*-solaris*)
 		MKDEPCFLAGS="-xM"
 		;;
-	*-sco-sysv*uw*)
+	*-sco-sysv*uw*|*-*-sysv*UnixWare*|*-*-sysv*OpenUNIX*)
                 # UnixWare
 		CC="$CC -w"
 		;;
@@ -848,13 +1014,6 @@ case $use_libtool in
 		LIBTOOL_MODE_COMPILE='--mode=compile'
 		LIBTOOL_MODE_INSTALL='--mode=install'
 		LIBTOOL_MODE_LINK='--mode=link'
-		case "$host" in
-		*) LIBTOOL_ALLOW_UNDEFINED= ;;
-		esac
-		case "$host" in
-		*-ibm-aix*) LIBTOOL_IN_MAIN="-Wl,-bI:T_testlist.imp" ;;
-		*) LIBTOOL_IN_MAIN= ;;
-		esac;
 		;;
 	*)
 		O=o
@@ -865,8 +1024,6 @@ case $use_libtool in
 		LIBTOOL_MODE_COMPILE=
 		LIBTOOL_MODE_INSTALL=
 		LIBTOOL_MODE_LINK=
-		LIBTOOL_ALLOW_UNDEFINED=
-		LIBTOOL_IN_MAIN=
 		;;
 esac
 
@@ -883,8 +1040,6 @@ AC_SUBST(LIBTOOL_MKDEP_SED)
 AC_SUBST(LIBTOOL_MODE_COMPILE)
 AC_SUBST(LIBTOOL_MODE_INSTALL)
 AC_SUBST(LIBTOOL_MODE_LINK)
-AC_SUBST(LIBTOOL_ALLOW_UNDEFINED)
-AC_SUBST(LIBTOOL_IN_MAIN)
 
 #
 # build libbind?
@@ -1001,7 +1156,7 @@ changequote([, ])
 # This is similar to the netinet6/in6.h issue.
 #
 case "$host" in
-*-sco-sysv*uw*)
+*-sco-sysv*uw*|*-*-sysv*UnixWare*|*-*-sysv*OpenUNIX*)
         # UnixWare
 	ISC_PLATFORM_NEEDNETINETIN6H="#define ISC_PLATFORM_NEEDNETINETIN6H 1"
 	LWRES_PLATFORM_NEEDNETINETIN6H="#define LWRES_PLATFORM_NEEDNETINETIN6H 1"
@@ -1086,8 +1241,10 @@ $isc_netinet6in6_hack
 ],
 		[struct sockaddr_in6 xyzzy; xyzzy.sin6_scope_id = 0; return (0);],
 			[AC_MSG_RESULT(yes)
+			 ISC_PLATFORM_HAVESCOPEID="#define ISC_PLATFORM_HAVESCOPEID 1"
 			 result="#define LWRES_HAVE_SIN6_SCOPE_ID 1"],
 			[AC_MSG_RESULT(no)
+			 ISC_PLATFORM_HAVESCOPEID="#undef ISC_PLATFORM_HAVESCOPEID"
 			 result="#undef LWRES_HAVE_SIN6_SCOPE_ID"])
 		LWRES_HAVE_SIN6_SCOPE_ID="$result"
 
@@ -1112,6 +1269,7 @@ $isc_netinet6in6_hack
 		LWRES_PLATFORM_NEEDIN6ADDRANY="#undef LWRES_PLATFORM_NEEDIN6ADDRANY"
 		ISC_PLATFORM_HAVEIN6PKTINFO="#undef ISC_PLATFORM_HAVEIN6PKTINFO"
 		LWRES_HAVE_SIN6_SCOPE_ID="#define LWRES_HAVE_SIN6_SCOPE_ID 1"
+		ISC_PLATFORM_HAVESCOPEID="#define ISC_PLATFORM_HAVESCOPEID 1"
 		ISC_IPV6_H="ipv6.h"
 		ISC_IPV6_O="ipv6.$O"
 		ISC_ISCIPV6_O="unix/ipv6.$O"
@@ -1138,6 +1296,29 @@ AC_SUBST(ISC_IPV6_O)
 AC_SUBST(ISC_ISCIPV6_O)
 AC_SUBST(ISC_IPV6_C)
 AC_SUBST(LWRES_HAVE_SIN6_SCOPE_ID)
+AC_SUBST(ISC_PLATFORM_HAVESCOPEID)
+
+AC_MSG_CHECKING([for struct if_laddrreq])
+AC_TRY_LINK([
+#include <sys/types.h>
+#include <net/if6.h>
+],[ struct if_laddrreq a; ],
+	[AC_MSG_RESULT(yes)
+	ISC_PLATFORM_HAVEIF_LADDRREQ="#define ISC_PLATFORM_HAVEIF_LADDRREQ 1"],
+	[AC_MSG_RESULT(no)
+	ISC_PLATFORM_HAVEIF_LADDRREQ="#undef ISC_PLATFORM_HAVEIF_LADDRREQ"])
+AC_SUBST(ISC_PLATFORM_HAVEIF_LADDRREQ)
+
+AC_MSG_CHECKING([for struct if_laddrconf])
+AC_TRY_LINK([
+#include <sys/types.h>
+#include <net/if6.h>
+],[ struct if_laddrconf a; ],
+	[AC_MSG_RESULT(yes)
+	ISC_PLATFORM_HAVEIF_LADDRCONF="#define ISC_PLATFORM_HAVEIF_LADDRCONF 1"],
+	[AC_MSG_RESULT(no)
+	ISC_PLATFORM_HAVEIF_LADDRCONF="#undef ISC_PLATFORM_HAVEIF_LADDRCONF"])
+AC_SUBST(ISC_PLATFORM_HAVEIF_LADDRCONF)
 
 #
 # Check for network functions that are often missing.  We do this
@@ -1160,33 +1341,8 @@ char a[16],b[64]; return(inet_ntop(AF_INET6, a, b, sizeof(b)) == (char*)0);}],
         [AC_MSG_RESULT(no)
         ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_ntop.$O"
         ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_ntop.c"
-        ISC_PLATFORM_NEEDNTOP="#define ISC_PLATFORM_NEEDNTOP 1"],
-        [AC_MSG_RESULT(assuming inet_ntop needed)
-        ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_ntop.$O"
-        ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_ntop.c"
         ISC_PLATFORM_NEEDNTOP="#define ISC_PLATFORM_NEEDNTOP 1"])
 
-if test "$cross_compiling" = "yes"; then
-	if test -z "$BUILD_CC"; then
-		AC_ERROR([BUILD_CC not set])
-	fi
-	BUILD_CFLAGS="$BUILD_CFLAGS"
-	BUILD_CPPFLAGS="$BUILD_CPPFLAGS"
-	BUILD_LDFLAGS="$BUILD_LDFLAGS"
-	BUILD_LIBS="$BUILD_LIBS"
-else
-	BUILD_CC="$CC" 
-	BUILD_CFLAGS="$CFLAGS" 
-	BUILD_CPPFLAGS="$CPPFLAGS $GEN_NEED_OPTARG"
-	BUILD_LDFLAGS="$LDFLAGS"
-	BUILD_LIBS="$LIBS"
-fi
-
-AC_SUBST(BUILD_CC)
-AC_SUBST(BUILD_CFLAGS)
-AC_SUBST(BUILD_CPPFLAGS)
-AC_SUBST(BUILD_LDFLAGS)
-AC_SUBST(BUILD_LIBS)
 
 # On NetBSD 1.4.2 and maybe others, inet_pton() incorrectly accepts
 # addresses with less than four octets, like "1.2.3".  Also leading
@@ -1208,13 +1364,7 @@ main() { char a[16]; return (inet_pton(AF_INET, "1.2.3", a) == 1 ? 1 :
         ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_pton.c"
         ISC_PLATFORM_NEEDPTON="#define ISC_PLATFORM_NEEDPTON 1"],
 	[AC_MSG_RESULT(assuming target platform has working inet_pton)
-	ISC_PLATFORM_NEEDPTON="#undef ISC_PLATFORM_NEEDPTON"],
-        [AC_MSG_RESULT(assuming inet_pton needed)
-        ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_pton.$O"
-        ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_pton.c"
-        ISC_PLATFORM_NEEDPTON="#define ISC_PLATFORM_NEEDPTON 1"],
-        [AC_MSG_RESULT(assuming target platform has working inet_pton)
-        ISC_PLATFORM_NEEDPTON="#undef ISC_PLATFORM_NEEDPTON"])
+	ISC_PLATFORM_NEEDPTON="#undef ISC_PLATFORM_NEEDPTON"])
 
 AC_MSG_CHECKING([for inet_aton])
 AC_TRY_LINK([
@@ -1400,6 +1550,44 @@ AC_SUBST(ISC_LWRES_GETIPNODEPROTO)
 AC_SUBST(ISC_LWRES_GETADDRINFOPROTO)
 AC_SUBST(ISC_LWRES_GETNAMEINFOPROTO)
 
+AC_ARG_ENABLE(getifaddrs,
+[  --enable-getifaddrs    Enable the use of getifaddrs() [[yes|no|glibc]].
+             glibc: Use getifaddrs() in glibc if you know it supports IPv6.],
+    want_getifaddrs="$enableval",  want_getifaddrs="yes")
+
+case $want_getifaddrs in
+yes|glibc)
+#
+# Do we have getifaddrs() ?
+#
+case $host in
+*-linux*)
+	# Some recent versions of glibc support getifaddrs() which does not
+	# provide AF_INET6 addresses while the function provided by the USAGI
+	# project handles the AF_INET6 case correctly.  We need to avoid
+	# using the former but prefer the latter unless overridden by
+	# --enable-getifaddrs=glibc.
+	if $use_getifaddrs = glibc
+	then
+		AC_CHECK_FUNC(getifaddrs, AC_DEFINE(HAVE_GETIFADDRS))
+	else
+		save_LIBS="$LIBS"
+		LIBS="-L/usr/local/v6/lib $LIBS"
+		AC_CHECK_LIB(inet6, getifaddrs,
+			LIBS="$LIBS -linet6"
+			AC_DEFINE(HAVE_GETIFADDRS),
+			LIBS=${save_LIBS})
+	fi
+	;;
+*)
+	AC_CHECK_FUNC(getifaddrs, AC_DEFINE(HAVE_GETIFADDRS))
+	;;
+esac
+;;
+no)
+;;
+esac
+
 #
 # Look for a sysctl call to get the list of network interfaces.
 #
@@ -1434,58 +1622,74 @@ AC_MSG_CHECKING(for correctly declared strsep())
 AC_TRY_LINK([#include <string.h>], [char *sp; char *foo = strsep(&sp, ".");],
 	[AC_MSG_RESULT(yes); ISC_PLATFORM_NEEDSTRSEP="#undef ISC_PLATFORM_NEEDSTRSEP"],
 	[AC_MSG_RESULT(no); ISC_PLATFORM_NEEDSTRSEP="#define ISC_PLATFORM_NEEDSTRSEP 1"])
+AC_SUBST(ISC_PLATFORM_NEEDSTRSEP)
+
+AC_CHECK_FUNC(memmove,
+	[ISC_PLATFORM_NEEDMEMMOVE="#undef ISC_PLATFORM_NEEDMEMMOVE"],
+	[ISC_PLATFORM_NEEDMEMMOVE="#define ISC_PLATFORM_NEEDMEMMOVE 1"])
+AC_SUBST(ISC_PLATFORM_NEEDMEMMOVE)
+
+AC_CHECK_FUNC(strtoul,
+	[ISC_PLATFORM_NEEDSTRTOUL="#undef ISC_PLATFORM_NEEDSTRTOUL"],
+	[ISC_PLATFORM_NEEDSTRTOUL="#define ISC_PLATFORM_NEEDSTRTOUL 1"])
+AC_SUBST(ISC_PLATFORM_NEEDSTRTOUL)
+
+AC_CHECK_FUNC(strlcpy,
+	[ISC_PLATFORM_NEEDSTRLCPY="#undef ISC_PLATFORM_NEEDSTRLCPY"],
+	[ISC_PLATFORM_NEEDSTRLCPY="#define ISC_PLATFORM_NEEDSTRLCPY 1"])
+AC_SUBST(ISC_PLATFORM_NEEDSTRLCPY)
+
+AC_CHECK_FUNC(strlcat,
+	[ISC_PLATFORM_NEEDSTRLCAT="#undef ISC_PLATFORM_NEEDSTRLCAT"],
+	[ISC_PLATFORM_NEEDSTRLCAT="#define ISC_PLATFORM_NEEDSTRLCAT 1"])
+AC_SUBST(ISC_PLATFORM_NEEDSTRLCAT)
+
+ISC_PRINT_OBJS=
+ISC_PRINT_SRCS=
+AC_MSG_CHECKING(sprintf)
+AC_TRY_COMPILE([
+#include <stdio.h>
+],
+[ char buf[2]; return(*sprintf(buf,"x"));],
+[
+ISC_PRINT_OBJS="print.$O"
+ISC_PRINT_SRCS="print.c"
+ISC_PLATFORM_NEEDSPRINTF="#define ISC_PLATFORM_NEEDSPRINTF"
+],
+[ISC_PLATFORM_NEEDSPRINTF="#undef ISC_PLATFORM_NEEDSPRINTF"]
+)
+AC_SUBST(ISC_PLATFORM_NEEDSPRINTF)
 
 AC_CHECK_FUNC(vsnprintf,
-	[ISC_PLATFORM_NEEDVSNPRINTF="#undef ISC_PLATFORM_NEEDVSNPRINTF"
-	  LWRES_PLATFORM_NEEDVSNPRINTF="#undef LWRES_PLATFORM_NEEDVSNPRINTF"],
-	[ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS print.$O"
-	 ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS print.c"
-	 ISC_PLATFORM_NEEDVSNPRINTF="#define ISC_PLATFORM_NEEDVSNPRINTF 1"
-	 LWRES_PLATFORM_NEEDVSNPRINTF="#define LWRES_PLATFORM_NEEDVSNPRINTF 1"])
-AC_SUBST(ISC_PLATFORM_NEEDSTRSEP)
+	[ISC_PLATFORM_NEEDVSNPRINTF="#undef ISC_PLATFORM_NEEDVSNPRINTF"],
+	[ISC_PRINT_OBJS="print.$O"
+	 ISC_PRINT_SRCS="print.c"
+	 ISC_PLATFORM_NEEDVSNPRINTF="#define ISC_PLATFORM_NEEDVSNPRINTF 1"])
 AC_SUBST(ISC_PLATFORM_NEEDVSNPRINTF)
-AC_SUBST(LWRES_PLATFORM_NEEDVSNPRINTF)
+ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS $ISC_PRINT_OBJS"
+ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS $ISC_PRINT_SRCS"
+
 AC_CHECK_FUNC(strerror, AC_DEFINE(HAVE_STRERROR))
 
 AC_SUBST(ISC_EXTRA_OBJS)
 AC_SUBST(ISC_EXTRA_SRCS)
 
-# Determine the printf format characters to use when printing
-# values of type isc_int64_t. This will normally be "ll", but where
-# the compiler treats "long long" as a alias for "long" and printf
-# doesn't know about "long long" use "l".  Hopefully the sprintf
-# will produce a inconsistant result in the later case.  If the compiler
-# fails due to seeing "%lld" we fall back to "l".
 #
-# Digital Unix 4.0 (gcc?) (long long) is 64 bits as is its long. It uses
-# %ld even for (long long)/
-#
-# Win32 uses "%I64d", but that's defined elsewhere since we don't use
-# configure on Win32.
+# Determine the printf format characters to use when printing
+# values of type isc_int64_t.  We make the assumption that platforms
+# where a "long long" is the same size as a "long" (e.g., Alpha/OSF1)
+# want "%ld" and everyone else can use "%lld".  Win32 uses "%I64d",
+# but that's defined elsewhere since we don't use configure on Win32.
 #
 AC_MSG_CHECKING(printf format modifier for 64-bit integers)
-AC_TRY_RUN([
-#include <stdio.h>
-main() {
-	long long int j = 0;
-	char buf[100];
-	buf[0] = 0;
-	sprintf(buf, "%lld", j);
-	exit((sizeof(long long int) != sizeof(long int))? 0 :
-	     (strcmp(buf, "0") != 0));
-} 
-],
-	[AC_MSG_RESULT(ll)
-	ISC_PLATFORM_QUADFORMAT='#define ISC_PLATFORM_QUADFORMAT "ll"'
-	LWRES_PLATFORM_QUADFORMAT='#define LWRES_PLATFORM_QUADFORMAT "ll"'],
+AC_TRY_RUN([main() { exit(!(sizeof(long long int) == sizeof(long int))); }],
 	[AC_MSG_RESULT(l)
-	ISC_PLATFORM_QUADFORMAT='#define ISC_PLATFORM_QUADFORMAT "l"'
-	LWRES_PLATFORM_QUADFORMAT='#define LWRES_PLATFORM_QUADFORMAT "l"'],
+	ISC_PLATFORM_QUADFORMAT='#define ISC_PLATFORM_QUADFORMAT "l"'],
+	[AC_MSG_RESULT(ll)
+	ISC_PLATFORM_QUADFORMAT='#define ISC_PLATFORM_QUADFORMAT "ll"'],
 	[AC_MSG_RESULT(assuming target platform uses ll)
-	ISC_PLATFORM_QUADFORMAT='#define ISC_PLATFORM_QUADFORMAT "ll"'
-	LWRES_PLATFORM_QUADFORMAT='#define LWRES_PLATFORM_QUADFORMAT "ll"'])
+	ISC_PLATFORM_QUADFORMAT='#define ISC_PLATFORM_QUADFORMAT "ll"'])
 AC_SUBST(ISC_PLATFORM_QUADFORMAT)
-AC_SUBST(LWRES_PLATFORM_QUADFORMAT)
 
 #
 # Security Stuff
@@ -1547,21 +1751,22 @@ ISC_PLATFORM_RLIMITTYPE="#define ISC_PLATFORM_RLIMITTYPE long long int"],
 [AC_MSG_ERROR([unable to determine sizeof rlim_cur])
 ],[AC_MSG_ERROR(this cannot happen)])
 ],[AC_MSG_ERROR(this cannot happen)])
-],[
-ISC_PLATFORM_RLIMITTYPE="#define ISC_PLATFORM_RLIMITTYPE long long int"
-AC_MSG_RESULT(cannot determine type of rlim_cur when cross compiling - assuming long long int)])
+],[AC_MSG_ERROR(cannot determine type of rlim_cur when cross compiling - define rlim_t)])
 ])
 AC_SUBST(ISC_PLATFORM_RLIMITTYPE)
 
 #
-# Some hosts need msg_namelen to match the size of the socket structure.
-# Some hosts don't set msg_namelen appropriately on return from recvmsg().
+# Compaq TruCluster requires more code for handling cluster IP aliases
 #
-case $host in
-*os2*|*hp-mpeix*)
-	AC_DEFINE(BROKEN_RECVMSG, 1,
-		  [Define if recvmsg() does not meet all of the BSD socket API specifications.])
-	;;
+case "$host" in
+	*-dec-osf*)
+		AC_CHECK_LIB(clua, clua_getaliasaddress, LIBS="-lclua $LIBS")
+		AC_CHECK_FUNC(clua_getaliasaddress,
+				AC_DEFINE(HAVE_TRUCLUSTER, 1,
+					[Define if running under Compaq TruCluster]))
+		;;
+	*)
+		;;
 esac
 
 #
@@ -1581,9 +1786,6 @@ AC_SUBST(ISC_PLATFORM_BRACEPTHREADONCEINIT)
 ISC_PLATFORM_BRACEPTHREADONCEINIT="#undef ISC_PLATFORM_BRACEPTHREADONCEINIT"
 
 case "$host" in
-	*-aix5.[[123]].*)
-		hack_shutup_pthreadonceinit=yes
-		;;
 	*-bsdi3.1*)
 		hack_shutup_sputaux=yes
 		;;
@@ -1591,15 +1793,12 @@ case "$host" in
 		hack_shutup_sigwait=yes
 		hack_shutup_sputaux=yes
 		;;
-	[*-bsdi4[12]*])
+	[*-bsdi4.[12]*])
 		hack_shutup_stdargcast=yes
 		;;
 	[*-solaris2.[89]])
 		hack_shutup_pthreadonceinit=yes
 		;;
-	*-solaris2.10)
-		hack_shutup_pthreadonceinit=yes
-		;;
 esac
 
 case "$hack_shutup_pthreadonceinit" in
@@ -1639,60 +1838,55 @@ case "$hack_shutup_stdargcast" in
 esac
 
 #
-#  The following sets up how non-blocking i/o is established.
-#  Sunos, cygwin and solaris 2.x (x<5) require special handling.
+# Check for if_nametoindex() for IPv6 scoped addresses support
 #
-case "$host" in
-*-sunos*) AC_DEFINE(PORT_NONBLOCK, O_NDELAY);;
-*-cygwin*) AC_DEFINE(PORT_NONBLOCK, O_NDELAY);;
-*-solaris2.[[01234]])
-	AC_DEFINE(PORT_NONBLOCK, O_NONBLOCK)
-	AC_DEFINE(USE_FIONBIO_IOCTL, 1,
-		  [Defined if you need to use ioctl(FIONBIO) instead a fcntl call to make non-blocking.])
-	;;
-*) AC_DEFINE(PORT_NONBLOCK, O_NONBLOCK,
-	     [Sets which flag to pass to open/fcntl to make non-blocking (O_NDELAY/O_NONBLOCK).])
-	;;
+AC_CHECK_FUNC(if_nametoindex, ac_cv_have_if_nametoindex=yes,
+		ac_cv_have_if_nametoindex=no)
+case $ac_cv_have_if_nametoindex in
+no)
+	case "$host" in
+  	*-hp-hpux*)
+  		AC_CHECK_LIB(ipv6, if_nametoindex,
+				ac_cv_have_if_nametoindex=yes
+				LIBS="-lipv6 $LIBS",)
+  	;;
+	esac
 esac
-#
-# Solaris 2.5.1 and earlier cannot bind() then connect() a TCP socket.
-# This prevents the source address being set.
-#
-case "$host" in
-*-solaris2.[[012345]]|*-solaris2.5.1)
-	AC_DEFINE(BROKEN_TCP_BIND_BEFORE_CONNECT, 1,
-		  [Define if you cannot bind() before connect() for TCP sockets.])
+case $ac_cv_have_if_nametoindex in
+yes)
+	ISC_PLATFORM_HAVEIFNAMETOINDEX="#define ISC_PLATFORM_HAVEIFNAMETOINDEX 1"
+	;;
+*)
+	ISC_PLATFORM_HAVEIFNAMETOINDEX="#undef ISC_PLATFORM_HAVEIFNAMETOINDEX"
 	;;
 esac
+AC_SUBST(ISC_PLATFORM_HAVEIFNAMETOINDEX)
+
 #
 # The following sections deal with tools used for formatting
 # the documentation.  They are all optional, unless you are
 # a developer editing the documentation source.
 #
 
-#
-# Look for TeX.
-#
-
-AC_PATH_PROGS(LATEX, latex, latex)
-AC_SUBST(LATEX)
-
-AC_PATH_PROGS(PDFLATEX, pdflatex, pdflatex)
-AC_SUBST(PDFLATEX)
+# Directory trees where SGML files are commonly found.
+sgmltrees="/usr/pkg/share/sgml /usr/local/share/sgml /usr/share/sgml"
 
 #
-# Look for xsltproc (libxslt)
+# Look for openjade.  Plain jade is no longer supported.
 #
 
-AC_PATH_PROG(XSLTPROC, xsltproc, xsltproc)
-AC_SUBST(XSLTPROC)
+AC_PATH_PROGS(OPENJADE, openjade, openjade)
+AC_SUBST(OPENJADE)
 
 #
-# Look for xmllint (libxml2)
+# Look for TeX.
 #
 
-AC_PATH_PROG(XMLLINT, xmllint, xmllint)
-AC_SUBST(XMLLINT)
+AC_PATH_PROGS(JADETEX, jadetex, jadetex)
+AC_SUBST(JADETEX)
+
+AC_PATH_PROGS(PDFJADETEX, pdfjadetex, pdfjadetex)
+AC_SUBST(PDFJADETEX)
 
 #
 # Subroutine for searching for an ordinary file (e.g., a stylesheet)
@@ -1729,60 +1923,74 @@ AC_SUBST($1)
 ])
 
 #
-# Look for Docbook-XSL stylesheets.  Location probably varies by
-# system.  Guessing where it might be found, based on where SGML stuff
-# lives on some systems.  FreeBSD is the only one I'm sure of at the
-# moment.
+# Look for the SGML catalog.
+# Its location varies, so far we have seen:
 #
-
-docbook_xsl_trees="/usr/pkg/share/xsl /usr/local/share/xsl /usr/share/xsl"
-
+# 	NetBSD 	/usr/pkg/share/sgml/docbook/catalog
+# 	FreeBSD	/usr/local/share/sgml/docbook/catalog
+#	Linux	/usr/local/share/dsssl/docbook/catalog
+#		/usr/share/sgml/docbook/dsssl-stylesheets/catalog
 #
-# Look for stylesheets we need.
-#
-
-NOM_PATH_FILE(XSLT_DOCBOOK_STYLE_HTML, docbook/html/docbook.xsl, $docbook_xsl_trees)
-NOM_PATH_FILE(XSLT_DOCBOOK_STYLE_XHTML, docbook/xhtml/docbook.xsl, $docbook_xsl_trees)
-NOM_PATH_FILE(XSLT_DOCBOOK_STYLE_MAN, docbook/manpages/docbook.xsl, $docbook_xsl_trees)
-NOM_PATH_FILE(XSLT_DOCBOOK_CHUNK_HTML, docbook/html/chunk.xsl, $docbook_xsl_trees)
-NOM_PATH_FILE(XSLT_DOCBOOK_CHUNK_XHTML, docbook/xhtml/chunk.xsl, $docbook_xsl_trees)
+catalogpath=""
+for d in $sgmltrees 
+do
+	catalogpath="$catalogpath $d"
+	for s in docbook/dsssl-stylesheets
+	do
+		catalogpath="$catalogpath $d/$s"
+	done
+done
+NOM_PATH_FILE(SGMLCATALOG, catalog, $catalogpath)
 
 #
-# Same dance for db2latex
+# Look for the HTML stylesheet html/docbook.dsl, used for
+# formatting man pages in HTML.  Its location varies,
+# so far we have seen:
+#
+# 	NetBSD 	/usr/pkg/share/sgml/docbook/dsssl/modular/
+# 	FreeBSD	/usr/local/share/sgml/docbook/dsssl/modular/
+#	Linux	/usr/local/share/dsssl/docbook/
+#		/usr/share/sgml/docbook/dsssl-stylesheets/
 #
-# No idea where this lives except on FreeBSD.
+# Ditto for the print stylesheet print/docbook.dsl.
 #
 
-db2latex_xsl_trees="/usr/local/share"
+stylepath=""
+for d in $sgmltrees 
+do
+	for s in docbook/dsssl/modular dsssl/docbook docbook/dsssl-stylesheets
+	do
+		stylepath="$stylepath $d/$s"
+	done
+done
+NOM_PATH_FILE(HTMLSTYLE, html/docbook.dsl, $stylepath)
+NOM_PATH_FILE(PRINTSTYLE, print/docbook.dsl, $stylepath)
 
 #
-# Look for stylesheets we need.
+# Look for XML declarations.
+# Its location varies, so far we have seen:
+#
+# 	NetBSD 	/usr/pkg/share/sgml/docbook/dsssl/modular/dtds/decls/
+# 	FreeBSD	/usr/local/share/sgml/docbook/dsssl/modular/dtds/decls/
+#	Linux	/usr/local/share/dsssl/docbook/dtds/decls/
+#		/usr/share/sgml/docbook/dsssl-stylesheets/dtds/decls/
 #
 
-NOM_PATH_FILE(XSLT_DB2LATEX_STYLE, db2latex/xsl/docbook.xsl, $db2latex_xsl_trees)
+xmlpath=""
+for d in $sgmltrees 
+do
+	for s in docbook/dsssl/modular dsssl/docbook docbook/dsssl-stylesheets
+	do
+		xmlpath="$xmlpath $d/$s"
+	done
+done
+NOM_PATH_FILE(XMLDCL, dtds/decls/xml.dcl, $xmlpath)
 
 #
-# Look for "admonition" image directory.  Can't use NOM_PATH_FILE()
-# because it's a directory, so just do the same things, inline.
+# Look for docbook2man-spec.pl
 #
 
-AC_MSG_CHECKING(for db2latex/xsl/figures)
-for d in $db2latex_xsl_trees
-do
-	dd=$d/db2latex/xsl/figures
-	if test -d $dd
-	then
-		XSLT_DB2LATEX_ADMONITIONS=$dd
-		AC_MSG_RESULT($dd)
-		break
-	fi
-done
-if test "X$XSLT_DB2LATEX_ADMONITIONS" = "X"
-then
-	AC_MSG_RESULT(not found)
-	XSLT_DB2LATEX_ADMONITIONS=db2latex/xsl/figures
-fi
-AC_SUBST(XSLT_DB2LATEX_ADMONITIONS)
+NOM_PATH_FILE(DOCBOOK2MANSPEC, docbook2X/docbook2man-spec.pl, $sgmltrees)
 
 #
 # Substitutions
@@ -1795,22 +2003,25 @@ AC_SUBST(BIND9_ISCCC_BUILDINCLUDE)
 AC_SUBST(BIND9_ISCCFG_BUILDINCLUDE)
 AC_SUBST(BIND9_DNS_BUILDINCLUDE)
 AC_SUBST(BIND9_LWRES_BUILDINCLUDE)
+AC_SUBST(BIND9_BIND9_BUILDINCLUDE)
 if test "X$srcdir" != "X"; then
 	BIND9_ISC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isc/include"
 	BIND9_ISCCC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isccc/include"
 	BIND9_ISCCFG_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isccfg/include"
 	BIND9_DNS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/dns/include"
 	BIND9_LWRES_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/lwres/include"
+	BIND9_BIND9_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/bind9/include"
 else
 	BIND9_ISC_BUILDINCLUDE=""
 	BIND9_ISCCC_BUILDINCLUDE=""
 	BIND9_ISCCFG_BUILDINCLUDE=""
 	BIND9_DNS_BUILDINCLUDE=""
 	BIND9_LWRES_BUILDINCLUDE=""
+	BIND9_BIND9_BUILDINCLUDE=""
 fi
 
-AC_SUBST_FILE(BIND9_INCLUDES)
-BIND9_INCLUDES=$BIND9_TOP_BUILDDIR/make/includes
+AC_SUBST_FILE(BIND9_MAKE_INCLUDES)
+BIND9_MAKE_INCLUDES=$BIND9_TOP_BUILDDIR/make/includes
 
 AC_SUBST_FILE(BIND9_MAKE_RULES)
 BIND9_MAKE_RULES=$BIND9_TOP_BUILDDIR/make/rules
@@ -1831,6 +2042,9 @@ LIBISCCFG_API=$srcdir/lib/isccfg/api
 AC_SUBST_FILE(LIBDNS_API)
 LIBDNS_API=$srcdir/lib/dns/api
 
+AC_SUBST_FILE(LIBBIND9_API)
+LIBBIND9_API=$srcdir/lib/bind9/api
+
 AC_SUBST_FILE(LIBLWRES_API)
 LIBLWRES_API=$srcdir/lib/lwres/api
 
@@ -1861,7 +2075,13 @@ AC_OUTPUT(
 	lib/dns/Makefile
 	lib/dns/include/Makefile
 	lib/dns/include/dns/Makefile
-	lib/dns/include/dst/Makefile
+	lib/dns/sec/Makefile
+	lib/dns/sec/dst/Makefile
+	lib/dns/sec/dst/include/Makefile
+	lib/dns/sec/dst/include/dst/Makefile
+	lib/bind9/Makefile
+	lib/bind9/include/Makefile
+	lib/bind9/include/bind9/Makefile
 	lib/lwres/Makefile
 	lib/lwres/include/Makefile
 	lib/lwres/include/lwres/Makefile
@@ -1901,40 +2121,15 @@ AC_OUTPUT(
 	bin/dnssec/Makefile
 	doc/Makefile
 	doc/arm/Makefile
+	doc/arm/nominum-docbook-html.dsl
+	doc/arm/nominum-docbook-print.dsl
+	doc/arm/validate.sh
 	doc/misc/Makefile
-	doc/xsl/Makefile
+	docutil/docbook2man-wrapper.sh
 	isc-config.sh
-	doc/xsl/isc-docbook-chunk.xsl
-	doc/xsl/isc-docbook-html.xsl
-	doc/xsl/isc-docbook-latex.xsl
-	doc/xsl/isc-manpage.xsl
 )
 chmod a+x isc-config.sh
 
-if test "X$OPENSSL_WARNING" != "X"; then
-cat << \EOF
-WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
-WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
-WARNING                                                                 WARNING
-WARNING         Your OpenSSL crypto library may be vulnerable to        WARNING
-WARNING         one or more of the the following known security         WARNING
-WARNING         flaws:                                                  WARNING
-WARNING                                                                 WARNING
-WARNING         CAN-2002-0659, CAN-2006-4339, CVE-2006-2937 and         WARNING
-WARNING         CVE-2006-2940.                                          WARNING
-WARNING                                                                 WARNING
-WARNING         It is recommended that you upgrade to OpenSSL           WARNING
-WARNING         version 0.9.8d/0.9.7l (or greater).                     WARNING
-WARNING                                                                 WARNING
-WARNING         You can disable this warning by specifying:             WARNING
-WARNING                                                                 WARNING
-WARNING               --disable-openssl-version-check          	        WARNING
-WARNING                                                                 WARNING
-WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
-WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
-EOF
-fi
-
 # Tell Emacs to edit this file in shell mode.
 # Local Variables:
 # mode: sh
diff --git a/contrib/dbus/GetForwarders b/contrib/dbus/GetForwarders
deleted file mode 100755
index 838706d4..00000000
--- a/contrib/dbus/GetForwarders
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/bin/bash
-#
-#  This script uses the named D-BUS support, which must be enabled in
-#  the running named with the named '-D' option, to get and print the
-#  list of forwarding zones in the running server.
-# 
-#  It accepts an optional <zone> first argument which is the DNS name 
-#  of the zone whose forwarders (if any) will be retrieved.
-#
-#  If no zone argument is specified, all forwarding zones will be listed.
-#
-#  Usage: GetForwarders [ <zone> ] 
-# 
-#  Copyright(C) Jason Vas Dias<jvdias@redhat.com> Red Hat Inc. 2005
-#
-#  This program is free software; you can redistribute it and/or modify
-#  it under the terms of the GNU General Public License as published by
-#  the Free Software Foundation at 
-#           http://www.fsf.org/licensing/licenses/gpl.txt
-#  and included in this software distribution as the "LICENSE" file.
-#
-#  This program is distributed in the hope that it will be useful,
-#  but WITHOUT ANY WARRANTY; without even the implied warranty of
-#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-#  GNU General Public License for more details.
-#
-zone=''
-if [ $# -gt 0 ]; then 
-   zone="string:$1";
-fi
-dbus-send --system --type=method_call --print-reply --reply-timeout=20000 --dest=com.redhat.named /com/redhat/named com.redhat.named.text.GetForwarders $zone;
diff --git a/contrib/dbus/INSTALL b/contrib/dbus/INSTALL
deleted file mode 100644
index 2ad526e9..00000000
--- a/contrib/dbus/INSTALL
+++ /dev/null
@@ -1,9 +0,0 @@
-To build named with D-BUS support, run
-# make
-in this directory.
-Then cd to the top-level BIND source directory,
-(../..), and 
-# ./configure ...; make
-After building, cd back to contrib/dbus and run:
-# make install
-as root to install the D-BUS configuration files. 
diff --git a/contrib/dbus/Makefile.9.3.2b1 b/contrib/dbus/Makefile.9.3.2b1
deleted file mode 100644
index 62850344..00000000
--- a/contrib/dbus/Makefile.9.3.2b1
+++ /dev/null
@@ -1,20 +0,0 @@
-# contrib/dbus/Makefile
-# 
-# This Makefile will install D-BUS support into the ISC BIND 9.3.2b1+ source,
-# necessary to support dynamic forwarding table management with D-BUS, for
-# Red Hat NetworkManager support.
-#
-# After running "make" in this directory, simply run make in the top level
-# BIND source directory, and D-BUS support will be enabled.
-#
-
-all:
-	echo 'Enabling D-BUS support...'
-	@ cp -fp dbus_mgr.c dbus_service.c ../../bin/named;
-	@ cp -fp dbus_mgr.h dbus_service.h ../../bin/named/include/named;
-	@ cp -fp README.DBUS ../../doc/misc
-	@ cd ../..; patch -s -p1 -b --suffix=.dbus < contrib/dbus/bind-9.3.2b1-dbus.patch
-
-install:
-	install -o root -g root -m 640 named-dbus-system.conf /etc/dbus-1/system.d/named.conf
-	install -o root -g root -m 640 named-dbus.service /usr/share/dbus-1/services/named.service
diff --git a/contrib/dbus/Makefile.9.3.3rc2 b/contrib/dbus/Makefile.9.3.3rc2
deleted file mode 100644
index 91a0ffe0..00000000
--- a/contrib/dbus/Makefile.9.3.3rc2
+++ /dev/null
@@ -1,20 +0,0 @@
-# contrib/dbus/Makefile
-# 
-# This Makefile will install D-BUS support into the ISC BIND 9.3.2b1+ source,
-# necessary to support dynamic forwarding table management with D-BUS, for
-# Red Hat NetworkManager support.
-#
-# After running "make" in this directory, simply run make in the top level
-# BIND source directory, and D-BUS support will be enabled.
-#
-
-all:
-	echo 'Enabling D-BUS support...'
-	@ cp -fp dbus_mgr.c dbus_service.c ../../bin/named;
-	@ cp -fp dbus_mgr.h dbus_service.h ../../bin/named/include/named;
-	@ cp -fp README.DBUS ../../doc/misc
-	@ cd ../..; patch -s -p1 -b --suffix=.dbus < contrib/dbus/bind-9.3.3rc2-dbus.patch
-
-install:
-	install -o root -g root -m 640 named-dbus-system.conf /etc/dbus-1/system.d/named.conf
-	install -o root -g root -m 640 named-dbus.service /usr/share/dbus-1/services/named.service
diff --git a/contrib/dbus/README.DBUS b/contrib/dbus/README.DBUS
deleted file mode 100644
index 8c5c73f8..00000000
--- a/contrib/dbus/README.DBUS
+++ /dev/null
@@ -1,259 +0,0 @@
-Dynamic Management of the ISC BIND named Forwarding Table with D-BUS
-
-    Jason Vas Dias<jvdias@redhat.com>, Red Hat Inc., May 2005
-
-
-Overview:
-
-  Red Hat has developed an extension to named that is enabled during
-  rpmbuild of the bind SRPM with the option --define 'WITH_DBUS=1', 
-  and at named runtime with the -D named option.
-
-  You can obtain the latest version of the source code for the BIND
-  D-BUS extensions from:
-  
-    http://people.redhat.com/~jvdias/bind-dbus/
-
-  The Red Hat BIND D-BUS extensions allow services such as Red Hat's 
-  NetworkManager and dhcdbd (the DHCP Client controller D-Bus daemon) 
-  to tell named which name servers to forward requests to dynamically, 
-  instead of only with the "forward" and "forwarders" named.conf options. 
- 
-  Dynamic forwarding table management allows named to be an effective
-  and efficient caching nameserver for configurations with multiple
-  wireless or VPN IP interfaces that are not always active, and whose
-  name service parameters are typically configured with DHCP.
-
-  Problems with trying to configure such systems automatically using 
-  only the libc resolver, causing conflicts over the contents of the
-  /etc/resolv.conf  file, are avoided; the resolv.conf file can contain 
-  only the users chosen search path and the single "nameserver 127.0.0.1"
-  entry.
-
-  named also provides a much more efficient, both in terms of caching
-  performance and resolving time, and much more feature rich DNS resolver 
-  than does the libc resolver library and nscd, and has the benefit of
-  existing improved IPv6 and DNSSEC support over glibc and nscd.
-
-Operation Guide for Developers:
- 
-  Programs can access named's dynamic forward table management services
-  using D-BUS, the "service messagebus" sysv-init service that is started
-  by default at boot (see the D-BUS documentation for details).
-
-  When named is started with the -D option (by adding -D to the $OPTIONS
-  variable in /etc/sysconfig/named), named provides two D-BUS methods:
-
-  These D-BUS names are common to all named D-BUS methods:
-  D-BUS Destination 	D-BUS Path		D-BUS interface	
-  ~~~~~~~~~~~~~~~~~     ~~~~~~~~~~      	~~~~~~~~~~~~~~~ 
-  com.redhat.named      /com/redhat/named	com.redhat.named
-  
-  D-BUS Members:
-  ~~~~~~~~~~~~~~
-
-  SetForwarders ( { [ string:<domain name>,
-  ~~~~~~~~~~~~~       [ ( uint32:<nameserver IPv4 address>
-	                | array of 4 bytes :  <nameserver IPv4 address>
-	                | array of 16 bytes :  <nameserver IPv6 address>
-                        | string: <nameserver dotted-quad IPv4 or RFC2374 IPv6 address>
-	                )			
-	                [ uint16: <nameserver port>, ] 
-		        [ uint8:  <forward policy>   ]
-	              ] 
-	            ]
-                  } , ...	          
-                )
-
-   SetForwarders will create or delete members of the forwarding table.
-
-   It accepts a list of tuples of up to 4 members: only the <domain name> 
-   is required.
-  
-   If ONLY the <domain name> is specified, the forwarding entry for 
-   EXACTLY that domain name is deleted if it exists.
-
-   Only a specification of at least one <nameserver IP address> is required to
-   create a forwarding entry. 
- 
-   The IP address can be IPv4: 
-	( 32-bit integer OR array of 4 bytes OR dotted-quad string )
-   Or IPv6:
-        ( array of 16 bytes 
-          OR  RFC 2373/4 ascii string of 8 ':' separate hex quads as supported by inet_pton(3)
-        )   
-
-   32 and 16-bit integer parameters MUST be given in network byte order; ie the IPv4 address
-   192.168.2.1 would be specified as uint32:16951488 on an i386 and port 53 would be uint16:13568.
-
-   There are an optional <port> 16-bit integer parameter, to specify the name server socket
-   address port associated with the preceding IP address, and a <forward policy> 
-   parameter, which sets the forward policy as follows:
-     0: "none" : never  forward to this nameserver for this domain.
-     1: "first": forward first to this server, and then search its authoritative data. 
-     2: "only" : always forward to this nameserver for this domain.
- 
-   If not specified, <port> will have the value 53, and <forward policy> will be "2": "only". 
-   named's default forward policy is "first" .
-
-   Creation of forwarding domains is not "exact", as is deletion, but is "inclusive":
-   creating forwarding entry for the '.' domain sets the default set of nameservers named
-   will query for ALL domains, and creating an entry for "redhat.com" creates a set of
-   nameservers to be queried for all names suffixed by "redhat.com." . If both are specified,
-   the "redhat.com" servers will be tried first, followed by the "." servers.   
-
-   Forwarding entries are ONLY created in the first DNS View that matches the "localhost" client
-   (127.0.0.1) and destination. The default view, which exists if no views have been specified
-   in named.conf, matches ALL clients and destinations. If the user has configured views, none
-   of which match the localhost client, then no forwarding will be dynamically configurable.
-   Users are also free to configure a view that matches the localhost, for which forwarding
-   will be dynamically configurable, and other views which do not match the localhost, so that
-   other, remote clients can be served that will not be subject to dynamic forwarding. So it
-   is a fully supported configuration that users can serve authoritative data to external
-   clients and still use named's forwarding features for their localhost resolver.
-    
-   SetForwarders returns uint32:0 on success or a DBUS_ERROR message on failure .
-  
-   
-  GetForwarders ( [ string:<domain name> ] )
-  ~~~~~~~~~~~~~
-   Using the default "com.redhat.named" interface, returns the EXACT forwarding entry for
-   <domain name> as binary D-BUS types; there is also a com.redhat.named.text interface 
-   supported by GetForwarders which returns all values as string: text .
- 
-   If a <domain name> is not specified, all forwarding table entries are dumped.
-
-   
-  Examples:
-  ~~~~~~~~
-  
-   Suppose we start out with the named.conf configuration:
-
-    
-   	options { ...
-		        forwarders { 172.16.80.118;  };
-                  ...
-	};
-
-	zone "redhat.com" {
-			forward only;
-			forwarders { 172.16.76.10; 172.16.52.28; };
-	};
-	
-   Using a "dbus-send" trivially modified to support uint16 parameters (!) :
-
-	$ dbus-send --system --type=method_call --print-reply --reply-timeout=20000 \
-		    --dest=com.redhat.named /com/redhat/named com.redhat.named.GetForwarders
-	method return sender=:1.367 -> dest=:1.368
-	 0 string "redhat.com"
-	 1 byte 2              
-	 2 uint32 172757164
-	 3 uint16 13568
-	 4 uint32 473174188
-	 5 uint16 13568
-	 6 string "."
-	 7 byte 1
-	 8 uint32 1984958636
-	 9 uint16 13568  
-
-	ie. GetForwarders always returns a list of tuples of 
-            ( <domain name>, <forward policy>, <ip address>, <port> )
-	
-  	If the "text" interface was specified:
-	
-	$ dbus-send --system --type=method_call --print-reply --reply-timeout=20000 \
-		    --dest=com.redhat.named /com/redhat/named com.redhat.named.text.GetForwarders
-	method return sender=:1.367 -> dest=:1.370
-	 0 string "redhat.com"
-	 1 string "only"
-	 2 string "172.16.76.10"
-	 3 string "53"
-	 4 string "172.16.52.28"
-	 5 string "53"
-	 6 string "."
-	 7 string "first"
-	 8 string "172.16.80.118"
-	 9 string "53"
-
-        So we could set the default nameserver for the root zone as follows:
-   	
-	$ dbus-send --system --type=method_call --print-reply --reply-timeout=20000 \
-		--dest=com.redhat.named /com/redhat/named com.redhat.named.SetForwarders \
-		string:'.' string:'192.33.14.30' string:'2001:503:231d::2:30'
-	method return sender=:1.367 -> dest=:1.371
-	 0 uint32 0
-	$ dbus-send --system --type=method_call --print-reply --reply-timeout=20000 \
-		--dest=com.redhat.named /com/redhat/named com.redhat.named.text.GetForwarders
-	method return sender=:1.367 -> dest=:1.372
-	 0 string "redhat.com"
-	 1 string "only"
-	 2 string "172.16.76.10"
-	 3 string "53"
-	 4 string "172.16.52.28"
-	 5 string "53"
-	 6 string "."
-	 7 string "only"
-	 8 string "192.33.14.30"
-	 9 string "53"
-	 10 string "2001:503:231d::2:30"
-	 11 string "53"
-
-   Using tcpdump one can verify that named will attempt to contact 192.33.14.30, then
-   2001:503:231d::2:30, for all zones not in redhat.com; for redhat.com zones, 172.16.76.10   
-   and 192.33.14.30 will be tried in that order.
-
-   If the D-BUS driver dbus-daemon should shut down, named will emit the syslog message:
-	 "D-BUS service disabled."
-   And will retry connecting to D-BUS every 10 seconds - once it has connected, the message:
-	 "D-BUS service enabled."
-   will be logged.
-	
-   NOTE: there are the "SetForwarders" and "GetForwarders" scripts in the contrib/dbus directory
-   of the BIND source code distribution which are wrappers around the dbus-send commands above.
-   Usage: SetForwarders [ -t first | only ] <zone> [ <server> [...<server>] ]  
-  	  GetForwarders [ <zone> ]
-         
-	
-  DHCP Integration
-  ~~~~~~~~~~~~~~~~
-
-   With the -D option, named will try to subscribe to dhcdbd, the DHCP Client D-BUS Daemon, to
-   be notified of DHCP "reason", "domain-name", "domain-name-server", "ip-address", and "subnet-mask" 
-   DHCP options when the dhclient program has received them from a DHCP server .
-
-   If it cannot subscribe to dhcdbd, named will emit the message :
-	 "D-BUS dhcdbd subscription disabled."
-   and will monitor D-BUS "NameOwnerChanged" messages for the appearance of a new owner
-   for "com.redhat.dhcp". When the name is owned, named will send a "com.redhat.dhcp.subscribe.binary"
-   message to dhcdbd to subscribe to the above options for all interfaces (provided by dhcdbd-1.5+),
-   and emit the log message:
-	 "D-BUS dhcdbd subscription enabled."
-
-   named will match on signals from the com.redhat.dhcp.subscribe.binary interface for those option
-   settings, and , when the last option is received (indicated by a "reason" of 15: END_OPTIONS), it
-   will configure the forwarding table .
-
-   For each whitespace separated member of "domain-name-servers", AND for the reverse IPv4 in-addr.arpa
-   class C or less domain of the ip-address masked by the subnet-mask, it will create a forwarding entry
-   to query each "domain-server" .
-	
-   To support CIDR-based reverse subnet forwarding, Views would have to be configured dynamically, a
-   possible future direction which is not yet implemented. (It would perhaps be easier to add a 
-   "match-queries" ACL to the forwarders table).
-          
-   When dhclient acquires a lease, named will configure forwarding, and emit the message:
-	  "D-BUS: dhclient for interface eth0 acquired new lease - creating forwarders."
-
-   When a lease expires or the interface is brought down (dhclient is stopped with dhcdbd), it
-   will revert any forwarding entries from the initial, static configuration that were modified
-   by the DHCP subscription to their initial values;  ie. if redhat.com had a forwarder configured
-   in named.conf, and then an DHCP session specified forwarders for redhat.com, when the DHCP
-   session ends the forwarders for redhat.com are reverted to their named.conf values; thus 
-   when all DHCP interfaces have released their leases, and if no SetForwarders commands were issued,
-   the forwarding configuration will be identical to that at named startup.
-
-
- To Do:
-   - Sending signals when any Forwarding entry is changed (easy to implement if it would be desirable).
-   - CIDR based reverse Forwarding 
-
diff --git a/contrib/dbus/SetForwarders b/contrib/dbus/SetForwarders
deleted file mode 100755
index 8ee4ce10..00000000
--- a/contrib/dbus/SetForwarders
+++ /dev/null
@@ -1,52 +0,0 @@
-#!/bin/bash
-#
-#  This script uses the named D-BUS support, which must be enabled in
-#  the running named with the named '-D' option, to set the forwarding zones
-#  in the running server.
-#  
-#  One zone argument is required, followed by any number of server IP (v4 or v6)
-#  addresses. If the server IP address list is empty, any forwarders for the zone
-#  will be removed.
-#
-#  Usage:
-#        SetForwarders [ -t <'first' | 'only'> ] <zone> [ <server IP> [...<server IP>] ] 
-#
-#  Copyright(C) Jason Vas Dias<jvdias@redhat.com> Red Hat Inc. 2005
-#
-#  This program is free software; you can redistribute it and/or modify
-#  it under the terms of the GNU General Public License as published by
-#  the Free Software Foundation at 
-#           http://www.fsf.org/licensing/licenses/gpl.txt
-#  and included in this software distribution as the "LICENSE" file.
-#
-#  This program is distributed in the hope that it will be useful,
-#  but WITHOUT ANY WARRANTY; without even the implied warranty of
-#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-#  GNU General Public License for more details.
-#
-usage() { echo "Usage: SetForwarders [ -t <'first' | 'only'> ] <zone> [ <server> [...<server>] ]"; }
-type=''
-if [ $# -eq 0 ]; then
-   usage;
-   exit 1;
-elif [ "$1" = "-t" ]; then
-   if [ $# -lt 2 ]; then
-      echo '-t option requires an argument.'
-      exit 1;
-   fi;
-   type=$2;
-   shift 2;
-fi;
-if [ $# -lt 1 ]; then
-   echo '<zone> first argument required.'
-   exit 1;
-fi; 
-zone='string:'"$1";
-shift;
-servers='';
-if [ $# -gt 0 ]; then
-  for svr in $*; do
-    servers="$servers string:$svr";
-  done
-fi;
-dbus-send --system --type=method_call --print-reply --reply-timeout=20000 --dest=com.redhat.named /com/redhat/named com.redhat.named.text.SetForwarders $zone $type $servers;
diff --git a/contrib/dbus/bind-9.3.2b1-dbus.patch b/contrib/dbus/bind-9.3.2b1-dbus.patch
deleted file mode 100644
index cdf50d68..00000000
--- a/contrib/dbus/bind-9.3.2b1-dbus.patch
+++ /dev/null
@@ -1,713 +0,0 @@
---- bind-9.3.2b1/lib/dns/rbt.c.dbus	2005-06-17 21:03:24.000000000 -0400
-+++ bind-9.3.2b1/lib/dns/rbt.c	2005-10-07 12:43:26.000000000 -0400
-@@ -2172,6 +2172,47 @@
- 	dns_rbt_printtree(rbt->root, NULL, 0);
- }
- 
-+static void
-+dns_rbt_traverse_tree(dns_rbtnode_t *root,  dns_rbt_traverse_callback_t cb, void *cb_arg1, void *cb_arg2 ) {
-+/*
-+ * This is used ONLY to traverse the forward table by dbus_mgr at the moment.
-+ * Since the forward table is not likely to be large, this can be recursive.
-+ */
-+	dns_name_t name;
-+	dns_offsets_t offsets;
-+	char buf[DNS_NAME_MAXWIRE];
-+	isc_buffer_t buffer;
-+
-+	if (root != NULL) {
-+
-+		if (DOWN(root)) 
-+			dns_rbt_traverse_tree(DOWN(root), cb, cb_arg1, cb_arg2);
-+
-+		if( LEFT(root) != NULL )
-+		        dns_rbt_traverse_tree(LEFT(root), cb, cb_arg1, cb_arg2);
-+
-+		if( RIGHT(root) != NULL )
-+		        dns_rbt_traverse_tree(RIGHT(root), cb, cb_arg1, cb_arg2);
-+
-+		if( DATA(root) == 0L )
-+		    return;
-+
-+		dns_name_init(&name, offsets);
-+		isc_buffer_init(&buffer, buf, DNS_NAME_MAXWIRE);
-+		dns_name_setbuffer( &name, &buffer);
-+		dns_rbt_fullnamefromnode(root, &name);
-+		
-+		(*cb)(&name, DATA(root), cb_arg1, cb_arg2);		
-+	} 
-+}
-+
-+void dns_rbt_traverse( dns_rbt_t *rbt, dns_rbt_traverse_callback_t cb, void *cb_arg1, void *cb_arg2  )
-+{
-+        REQUIRE(VALID_RBT(rbt));
-+
-+	dns_rbt_traverse_tree( rbt->root, cb, cb_arg1, cb_arg2 );       
-+}
-+
- /*
-  * Chain Functions
-  */
---- bind-9.3.2b1/lib/dns/forward.c.dbus	2005-03-16 22:58:30.000000000 -0500
-+++ bind-9.3.2b1/lib/dns/forward.c	2005-10-07 12:43:26.000000000 -0400
-@@ -200,3 +200,89 @@
- 	}
- 	isc_mem_put(fwdtable->mctx, forwarders, sizeof(dns_forwarders_t));
- }
-+
-+/***
-+ *** new D-BUS Dynamic Forwarding Zones functions:
-+ ***/
-+isc_result_t
-+dns_fwdtable_delete(dns_fwdtable_t *fwdtable, dns_name_t *name )
-+{
-+	isc_result_t result;
-+
-+	REQUIRE(VALID_FWDTABLE(fwdtable));
-+
-+	RWLOCK(&fwdtable->rwlock, isc_rwlocktype_write);
-+
-+	result = dns_rbt_deletename(fwdtable->table, name, ISC_FALSE);
-+
-+	RWUNLOCK(&fwdtable->rwlock, isc_rwlocktype_write);		    
-+
-+	return (result);
-+}
-+
-+isc_result_t
-+dns_fwdtable_find_closest(dns_fwdtable_t *fwdtable, 
-+			  dns_name_t *name, 
-+			  dns_name_t *foundname,
-+			  dns_forwarders_t **forwardersp)
-+{
-+	isc_result_t result;
-+
-+	REQUIRE(VALID_FWDTABLE(fwdtable));
-+	
-+	RWLOCK(&fwdtable->rwlock, isc_rwlocktype_read);
-+
-+	result = dns_rbt_findname(fwdtable->table, name, 0, foundname,
-+				  (void **)forwardersp);
-+	
-+	if(result == DNS_R_PARTIALMATCH)
-+	    result = ISC_R_SUCCESS;
-+
-+	RWUNLOCK(&fwdtable->rwlock, isc_rwlocktype_read);
-+
-+	return (result);
-+}
-+
-+isc_result_t
-+dns_fwdtable_find_exact(dns_fwdtable_t *fwdtable, dns_name_t *name,
-+		  dns_forwarders_t **forwardersp)
-+{
-+	isc_result_t result;
-+
-+	REQUIRE(VALID_FWDTABLE(fwdtable));
-+
-+	REQUIRE(forwardersp != 0L);
-+
-+	RWLOCK(&fwdtable->rwlock, isc_rwlocktype_read);
-+
-+	result = dns_rbt_findname(fwdtable->table, name, 0, NULL,
-+				  (void **)forwardersp);
-+	
-+	if( result != ISC_R_SUCCESS )
-+	    *forwardersp = 0L;
-+
-+	RWUNLOCK(&fwdtable->rwlock, isc_rwlocktype_read);
-+
-+	return (result);
-+}
-+
-+static 
-+void dns_fwdtable_traverse
-+(   
-+    dns_name_t *name,
-+    void *node_data,
-+    void *cbp,
-+    void *cb_arg
-+)
-+{
-+    dns_fwdtable_callback_t  cb = (dns_fwdtable_callback_t) cbp;
-+    
-+    (*cb)( name, node_data, cb_arg);
-+}
-+
-+void dns_fwdtable_foreach(dns_fwdtable_t *fwdtable, dns_fwdtable_callback_t cb, void *cb_arg )
-+{
-+    REQUIRE(VALID_FWDTABLE(fwdtable));
-+
-+    dns_rbt_traverse( fwdtable->table, dns_fwdtable_traverse, cb, cb_arg );
-+}
---- bind-9.3.2b1/lib/dns/include/dns/forward.h.dbus	2005-03-16 22:58:31.000000000 -0500
-+++ bind-9.3.2b1/lib/dns/include/dns/forward.h	2005-10-07 12:43:26.000000000 -0400
-@@ -98,6 +98,37 @@
-  * 	all memory associated with the forwarding table is freed.
-  */
- 
-+
-+/* These are ONLY used by dbus_mgr :
-+ */
-+
-+isc_result_t
-+dns_fwdtable_delete( dns_fwdtable_t *fwdtable, dns_name_t *name );
-+/* 
-+ * Removes an entry from the forwarding table.
-+ */
-+
-+isc_result_t
-+dns_fwdtable_find_exact(dns_fwdtable_t *fwdtable, dns_name_t *name,
-+		  dns_forwarders_t **forwardersp);
-+/*
-+ * Finds an exact match for "name" in the forwarding table.  
-+ */
-+
-+isc_result_t
-+dns_fwdtable_find_closest(dns_fwdtable_t *fwdtable, dns_name_t *name, dns_name_t *foundname,
-+		  dns_forwarders_t **forwardersp);
-+/*
-+ * Finds the closest match for "*name" in the forwarding table, returning  
-+ * the actual name matching in *name if different to *name passed in. 
-+ */
-+
-+typedef void (*dns_fwdtable_callback_t)( dns_name_t *, dns_forwarders_t *, void *);
-+void dns_fwdtable_foreach(dns_fwdtable_t *fwdtable, dns_fwdtable_callback_t cb, void * );
-+/* Invoke cb for each member of fwdtable 
-+ */
-+
-+
- ISC_LANG_ENDDECLS
- 
- #endif /* DNS_FORWARD_H */
---- bind-9.3.2b1/lib/dns/include/dns/rbt.h.dbus	2004-10-11 01:55:51.000000000 -0400
-+++ bind-9.3.2b1/lib/dns/include/dns/rbt.h	2005-10-07 12:43:26.000000000 -0400
-@@ -833,6 +833,17 @@
-  *	<something_else>	Any error result from dns_name_concatenate.
-  */
- 
-+
-+typedef void (*dns_rbt_traverse_callback_t)(  dns_name_t *name,
-+					      void *node_data,
-+					      void *cb_arg1,
-+					      void *cb_arg2);
-+
-+void dns_rbt_traverse( dns_rbt_t *rbt, dns_rbt_traverse_callback_t cb, void *cb_arg1, void *cb_arg2 );
-+/* tree traversal function (only used by D-BUS dynamic forwarding dbus_mgr at
-+ * the moment)
-+ */
-+
- ISC_LANG_ENDDECLS
- 
- #endif /* DNS_RBT_H */
---- bind-9.3.2b1/lib/isc/unix/socket.c.dbus	2005-08-25 00:32:55.000000000 -0400
-+++ bind-9.3.2b1/lib/isc/unix/socket.c	2005-10-07 13:40:03.000000000 -0400
-@@ -148,6 +148,11 @@
- 	ISC_LIST(isc_socketevent_t)		recv_list;
- 	ISC_LIST(isc_socket_newconnev_t)	accept_list;
- 	isc_socket_connev_t		       *connect_ev;
-+        
-+        /* these are used only by isc_sockettype_fd sockets:*/
-+        isc_socketevent_t      *read_ready_event;
-+        isc_socketevent_t      *write_ready_event;
-+        isc_socketevent_t      *selected_event;
- 
- 	/*
- 	 * Internal events.  Posted when a descriptor is readable or
-@@ -304,7 +309,7 @@
- 
- static void
- wakeup_socket(isc_socketmgr_t *manager, int fd, int msg) {
--	isc_socket_t *sock;
-+	isc_socket_t *sock=0L;
- 
- 	/*
- 	 * This is a wakeup on a socket.  If the socket is not in the
-@@ -1266,6 +1271,9 @@
- 	sock->connected = 0;
- 	sock->connecting = 0;
- 	sock->bound = 0;
-+	sock->read_ready_event = 0L;
-+	sock->write_ready_event = 0L;
-+	sock->selected_event = 0L;
- 
- 	/*
- 	 * initialize the lock
-@@ -1378,13 +1386,16 @@
- 	case isc_sockettype_tcp:
- 		sock->fd = socket(pf, SOCK_STREAM, IPPROTO_TCP);
- 		break;
-+
-+	case isc_sockettype_fd:
-+	        sock->fd = pf;
- 	}
- 
- #ifdef F_DUPFD
- 	/*
- 	 * Leave a space for stdio to work in.
- 	 */
--	if (sock->fd >= 0 && sock->fd < 20) {
-+	if ( (type != isc_sockettype_fd) && (sock->fd >= 0) && (sock->fd < 20) ) {
- 		int new, tmp;
- 		new = fcntl(sock->fd, F_DUPFD, 20);
- 		tmp = errno;
-@@ -1438,7 +1449,7 @@
- 		}
- 	}
- 
--	if (make_nonblock(sock->fd) != ISC_R_SUCCESS) {
-+	if ((type != isc_sockettype_fd) && (make_nonblock(sock->fd) != ISC_R_SUCCESS)) {
- 		(void)close(sock->fd);
- 		free_socket(&sock);
- 		return (ISC_R_UNEXPECTED);
-@@ -1706,6 +1717,38 @@
- 	isc_task_send(ev->ev_sender, (isc_event_t **)&iev);
- }
- 
-+static
-+isc_event_t *dispatch_read_ready(isc_socketmgr_t *manager, isc_socket_t *sock)
-+{
-+    isc_event_t *dev = (isc_event_t*)sock->read_ready_event, *ev;
-+    
-+    ev = isc_mem_get(manager->mctx, dev->ev_size);
-+    memcpy(ev,dev,dev->ev_size);
-+    ISC_LINK_INIT(ev,ev_link);
-+    isc_task_send(dev->ev_sender, &ev );
-+    return (isc_event_t *)sock->selected_event;
-+}
-+
-+static
-+isc_event_t *dispatch_write_ready(isc_socketmgr_t *manager,isc_socket_t *sock)
-+{
-+    isc_event_t *dev = (isc_event_t*)sock->write_ready_event, *ev;
-+    ev = isc_mem_get(manager->mctx, dev->ev_size);
-+    memcpy(ev,dev,dev->ev_size);
-+    ISC_LINK_INIT(ev,ev_link);
-+    isc_task_send(dev->ev_sender, &ev );
-+    return (isc_event_t *)sock->selected_event;
-+}
-+
-+static
-+void dispatch_selected(isc_socketmgr_t *manager, isc_event_t *dev)
-+{   isc_event_t *ev;
-+    ev = isc_mem_get(manager->mctx, dev->ev_size);
-+    memcpy(ev,dev,dev->ev_size);
-+    ISC_LINK_INIT(ev,ev_link);
-+    isc_task_send(dev->ev_sender, &ev );
-+}
-+
- /*
-  * Dequeue an item off the given socket's read queue, set the result code
-  * in the done event to the one provided, and send it to the task it was
-@@ -2113,6 +2156,7 @@
- 	int i;
- 	isc_socket_t *sock;
- 	isc_boolean_t unlock_sock;
-+	isc_event_t *sock_selected = 0L;
- 
- 	REQUIRE(maxfd <= (int)FD_SETSIZE);
- 
-@@ -2146,11 +2190,15 @@
- 			unlock_sock = ISC_TRUE;
- 			LOCK(&sock->lock);
- 			if (!SOCK_DEAD(sock)) {
-+			    if( sock->type != isc_sockettype_fd )
-+			    {
- 				if (sock->listener)
- 					dispatch_accept(sock);
- 				else
- 					dispatch_recv(sock);
--			}
-+			    }else			    
-+				sock_selected = dispatch_read_ready(manager,sock);
-+			}			    
- 			FD_CLR(i, &manager->read_fds);
- 		}
- 	check_write:
-@@ -2164,16 +2212,24 @@
- 				LOCK(&sock->lock);
- 			}
- 			if (!SOCK_DEAD(sock)) {
-+			    if( sock->type != isc_sockettype_fd )
-+			    {
- 				if (sock->connecting)
- 					dispatch_connect(sock);
- 				else
- 					dispatch_send(sock);
-+			    }else			   
-+				sock_selected =	dispatch_write_ready(manager,sock);
- 			}
- 			FD_CLR(i, &manager->write_fds);
- 		}
- 		if (unlock_sock)
- 			UNLOCK(&sock->lock);
- 	}
-+	if( sock_selected != 0L )
-+	{
-+	    dispatch_selected(manager, sock_selected);
-+	}
- }
- 
- #ifdef ISC_PLATFORM_USETHREADS
-@@ -2192,7 +2248,7 @@
- 	int cc;
- 	fd_set readfds;
- 	fd_set writefds;
--	int msg, fd;
-+	int msg, fd = -1;
- 	int maxfd;
- 	char strbuf[ISC_STRERRORSIZE];
- 
-@@ -3523,3 +3579,55 @@
- 	return (ISC_R_SUCCESS);
- }
- #endif /* ISC_PLATFORM_USETHREADS */
-+
-+isc_socketevent_t*
-+isc_socket_fd_handle_reads( isc_socket_t *sock, isc_socketevent_t *dev )
-+{    
-+    REQUIRE(VALID_SOCKET(sock));   
-+    if(dev != 0L) 
-+    {
-+	sock->references=1;
-+	sock->read_ready_event = dev;
-+	select_poke(sock->manager, sock->fd, SELECT_POKE_READ);
-+    }else
-+    {
-+	dev = sock->read_ready_event ;
-+	sock->read_ready_event = 0L ;
-+    }
-+    return dev;
-+}
-+
-+isc_socketevent_t*
-+isc_socket_fd_handle_writes( isc_socket_t *sock, isc_socketevent_t *dev )
-+{
-+    REQUIRE(VALID_SOCKET(sock));   
-+    if(dev != 0L) 
-+    {
-+	sock->references=1;
-+	sock->write_ready_event = dev;
-+	select_poke(sock->manager, sock->fd, SELECT_POKE_WRITE);    
-+    }else
-+    {
-+	dev = sock->write_ready_event;
-+	sock->write_ready_event = 0L;
-+    }
-+    return dev;
-+}
-+
-+isc_socketevent_t*
-+isc_socket_fd_handle_selected( isc_socket_t *sock, isc_socketevent_t *dev )
-+{
-+    REQUIRE(VALID_SOCKET(sock));
-+    if(dev != 0L) 
-+    {
-+	sock->references=1;
-+	sock->selected_event = dev;
-+    }else
-+    {
-+	dev = sock->selected_event;
-+	sock->selected_event = 0L;
-+	sock->references=0;
-+	destroy(&sock);
-+    }
-+    return dev;
-+}
---- bind-9.3.2b1/lib/isc/include/isc/socket.h.dbus	2004-03-08 04:04:53.000000000 -0500
-+++ bind-9.3.2b1/lib/isc/include/isc/socket.h	2005-10-07 12:43:26.000000000 -0400
-@@ -136,6 +136,10 @@
- #define ISC_SOCKEVENT_NEWCONN	(ISC_EVENTCLASS_SOCKET + 3)
- #define ISC_SOCKEVENT_CONNECT	(ISC_EVENTCLASS_SOCKET + 4)
- 
-+#define ISC_SOCKEVENT_READ_READY  (ISC_EVENTCLASS_SOCKET + 5)
-+#define ISC_SOCKEVENT_WRITE_READY (ISC_EVENTCLASS_SOCKET + 6)
-+#define ISC_SOCKEVENT_SELECTED    (ISC_EVENTCLASS_SOCKET + 7)
-+
- /*
-  * Internal events.
-  */
-@@ -144,7 +148,8 @@
- 
- typedef enum {
- 	isc_sockettype_udp = 1,
--	isc_sockettype_tcp = 2
-+	isc_sockettype_tcp = 2,
-+	isc_sockettype_fd  = 8
- } isc_sockettype_t;
- 
- /*
-@@ -699,6 +704,30 @@
-  *	'sock' is a valid socket.
-  */
- 
-+isc_socketevent_t*
-+isc_socket_fd_handle_reads( isc_socket_t *sock, isc_socketevent_t *dev );
-+/* register the "dev" event to be sent when the isc_sockettype_fd sock 
-+ * was select()-ed for read. If there is already an event registered, it
-+ * is returned, otherwise 0 is returned. If dev is 0, removes any existing
-+ * registered event.
-+ */
-+ 
-+isc_socketevent_t*
-+isc_socket_fd_handle_writes( isc_socket_t *sock, isc_socketevent_t *dev );
-+/* register the "dev" event to be sent when the isc_sockettype_fd sock 
-+ * was select()-ed for write. If there is already an event registered, it
-+ * is returned, otherwise 0 is returned. If dev is 0, removes any existing
-+ * registered event.
-+ */
-+
-+isc_socketevent_t*
-+isc_socket_fd_handle_selected( isc_socket_t *sock, isc_socketevent_t *dev );
-+/* register the "dev" event to be sent when ALL isc_sockettype_fd sockets 
-+ * have been select()-ed . If there is already an event registered, it
-+ * is returned, otherwise 0 is returned. If dev is 0, removes any existing
-+ * registered event.
-+ */
-+
- ISC_LANG_ENDDECLS
- 
- #endif /* ISC_SOCKET_H */
---- bind-9.3.2b1/bin/named/log.c.dbus	2005-05-24 19:58:17.000000000 -0400
-+++ bind-9.3.2b1/bin/named/log.c	2005-10-07 12:43:26.000000000 -0400
-@@ -41,6 +41,7 @@
- 	{ "queries",	 		0 },
- 	{ "unmatched",	 		0 },
- 	{ "update-security",		0 },
-+	{ "dbus",                       0 },
- 	{ NULL, 			0 }
- };
- 
-@@ -60,6 +61,7 @@
- 	{ "notify",	 		0 },
- 	{ "control",	 		0 },
- 	{ "lwresd",	 		0 },
-+	{ "dbus",                       0 },
- 	{ NULL, 			0 }
- };
- 
---- bind-9.3.2b1/bin/named/Makefile.in.dbus	2004-09-06 17:47:25.000000000 -0400
-+++ bind-9.3.2b1/bin/named/Makefile.in	2005-10-07 13:44:22.000000000 -0400
-@@ -35,7 +35,9 @@
- 		${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \
- 		${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \
- 		${DBDRIVER_INCLUDES}
--
-+DBUS_ARCHDEP_LIBDIR ?= lib
-+DBUS_INCLUDES = \
-+	-I/usr/${DBUS_ARCHDEP_LIBDIR}/dbus-1.0/include -I/usr/include/dbus-1.0
- CDEFINES =
- CWARNINGS =
- 
-@@ -52,6 +54,7 @@
- ISCDEPLIBS =	../../lib/isc/libisc.@A@
- LWRESDEPLIBS =	../../lib/lwres/liblwres.@A@
- BIND9DEPLIBS =	../../lib/bind9/libbind9.@A@
-+DBUSLIBS=       -ldbus-1
- 
- DEPLIBS =	${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
- 		${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${ISCDEPLIBS}
-@@ -71,6 +74,7 @@
- 		zoneconf.@O@ \
- 		lwaddr.@O@ lwresd.@O@ lwdclient.@O@ lwderror.@O@ lwdgabn.@O@ \
- 		lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@ \
-+		dbus_service.@O@ dbus_mgr.@O@ \
- 		$(DBDRIVER_OBJS)
- 
- UOBJS =		unix/os.@O@
-@@ -83,6 +87,7 @@
- 		zoneconf.c \
- 		lwaddr.c lwresd.c lwdclient.c lwderror.c lwdgabn.c \
- 		lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c \
-+	        dbus_service.c dbus_mgr.c \
- 		$(DBDRIVER_SRCS)
- 
- MANPAGES =	named.8 lwresd.8 named.conf.5
-@@ -105,9 +110,14 @@
- 		-DNS_LOCALSTATEDIR=\"${localstatedir}\" \
- 		-c ${srcdir}/config.c
- 
-+dbus_service.@O@: dbus_service.c
-+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-+	        ${DBUS_INCLUDES} \
-+		-c ${srcdir}/dbus_service.c
-+
- named@EXEEXT@: ${OBJS} ${UOBJS} ${DEPLIBS}
- 	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
--	${OBJS} ${UOBJS} ${LIBS}
-+	${OBJS} ${UOBJS} ${LIBS} ${DBUSLIBS}
- 
- lwresd@EXEEXT@: named@EXEEXT@
- 	rm -f lwresd@EXEEXT@
---- bind-9.3.2b1/bin/named/named.8.dbus	2005-05-12 22:43:20.000000000 -0400
-+++ bind-9.3.2b1/bin/named/named.8	2005-10-07 13:50:12.000000000 -0400
-@@ -41,7 +41,7 @@
- named \- Internet domain name server
- .SH "SYNOPSIS"
- .HP 6
--\fBnamed\fR [\fB\-4\fR] [\fB\-6\fR] [\fB\-c\ \fIconfig\-file\fR\fR] [\fB\-d\ \fIdebug\-level\fR\fR] [\fB\-f\fR] [\fB\-g\fR] [\fB\-n\ \fI#cpus\fR\fR] [\fB\-p\ \fIport\fR\fR] [\fB\-s\fR] [\fB\-t\ \fIdirectory\fR\fR] [\fB\-u\ \fIuser\fR\fR] [\fB\-v\fR] [\fB\-x\ \fIcache\-file\fR\fR]
-+\fBnamed\fR [\fB\-4\fR] [\fB\-6\fR] [\fB\-c\ \fIconfig\-file\fR\fR] [\fB\-d\ \fIdebug\-level\fR\fR] [\fB\-f\fR] [\fB\-g\fR] [\fB\-n\ \fI#cpus\fR\fR] [\fB\-p\ \fIport\fR\fR] [\fB\-s\fR] [\fB\-t\ \fIdirectory\fR\fR] [\fB\-u\ \fIuser\fR\fR] [\fB\-v\fR] [\fB\-x\ \fIcache\-file\fR\fR] [\fB\-D\fR]
- .SH "DESCRIPTION"
- .PP
- \fBnamed\fR is a Domain Name System (DNS) server, part of the BIND 9 distribution from ISC\&. For more information on the DNS, see RFCs 1033, 1034, and 1035\&.
-@@ -103,6 +103,13 @@
- .B "Warning:"
- This option must not be used\&. It is only of interest to BIND 9 developers and may be removed or changed in a future release\&.
- .RE
-+.sp
-+.TP
-+\fB\-D\fR
-+Enable dynamic management of the forwarding table with D-BUS
-+messages. This option is required for Red Hat NetworkManager
-+support. See doc/README.DBUS .
-+.sp
- .SH "SIGNALS"
- .PP
- In routine operation, signals should not be used to control the nameserver; \fBrndc\fR should be used instead\&.
-@@ -117,6 +124,7 @@
- .SH "CONFIGURATION"
- .PP
- The \fBnamed\fR configuration file is too complex to describe in detail here\&. A complete description is provided in the BIND 9 Administrator Reference Manual\&.
-+.PP
- .SH "FILES"
- .TP
- \fI/etc/named\&.conf\fR
---- bind-9.3.2b1/bin/named/main.c.dbus	2005-04-28 21:04:47.000000000 -0400
-+++ bind-9.3.2b1/bin/named/main.c	2005-10-07 12:43:26.000000000 -0400
-@@ -239,7 +239,8 @@
- 		"usage: named [-4|-6] [-c conffile] [-d debuglevel] "
- 		"[-f|-g] [-n number_of_cpus]\n"
- 		"             [-p port] [-s] [-t chrootdir] [-u username]\n"
--		"             [-m {usage|trace|record}]\n");
-+		"             [-m {usage|trace|record}]\n"
-+	        "             [-D ]\n");
- }
- 
- static void
-@@ -345,7 +346,7 @@
- 
- 	isc_commandline_errprint = ISC_FALSE;
- 	while ((ch = isc_commandline_parse(argc, argv,
--			           "46c:C:d:fgi:lm:n:N:p:P:st:u:vx:")) != -1) {
-+			           "46c:C:d:fgi:lm:n:N:p:P:st:u:vx:D")) != -1) {
- 		switch (ch) {
- 		case '4':
- 			if (disable4)
-@@ -434,6 +435,9 @@
- 		case 'v':
- 			printf("BIND %s\n", ns_g_version);
- 			exit(0);
-+		case 'D':
-+		        ns_g_dbus = 1;
-+			break;
- 		case '?':
- 			usage();
- 			ns_main_earlyfatal("unknown option '-%c'",
---- bind-9.3.2b1/bin/named/server.c.dbus	2005-07-26 22:53:15.000000000 -0400
-+++ bind-9.3.2b1/bin/named/server.c	2005-10-07 12:43:26.000000000 -0400
-@@ -86,6 +86,8 @@
- #include <stdlib.h>
- #endif
- 
-+#include <named/dbus_mgr.h>
-+
- /*
-  * Check an operation for failure.  Assumes that the function
-  * using it has a 'result' variable and a 'cleanup' label.
-@@ -1496,12 +1498,12 @@
- 	if (result != ISC_R_SUCCESS) {
- 		char namebuf[DNS_NAME_FORMATSIZE];
- 		dns_name_format(origin, namebuf, sizeof(namebuf));
--		cfg_obj_log(forwarders, ns_g_lctx, ISC_LOG_WARNING,
--			    "could not set up forwarding for domain '%s': %s",
-+		cfg_obj_log(forwarders, ns_g_lctx, ISC_LOG_NOTICE,
-+			    "setting up forwarding failed for domain '%s': %s",
- 			    namebuf, isc_result_totext(result));
- 		goto cleanup;
- 	}
--
-+		
- 	result = ISC_R_SUCCESS;
- 
-  cleanup:
-@@ -2873,6 +2875,20 @@
- 
- 	CHECKFATAL(load_zones(server, ISC_FALSE), "loading zones");
- 
-+	server->dbus_mgr = 0L;
-+	if( ns_g_dbus )	
-+	    if( dbus_mgr_create
-+	        (  ns_g_mctx, ns_g_taskmgr, ns_g_socketmgr, ns_g_timermgr,
-+		   &server->dbus_mgr
-+		) != ISC_R_SUCCESS
-+	      )
-+	    {
-+		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-+			      NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
-+			      "dbus_mgr initialization failed. D-BUS service is disabled."
-+		             );
-+	    }
-+
- 	ns_os_started();
- 	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
- 		      ISC_LOG_NOTICE, "running");
-@@ -2935,6 +2951,9 @@
- 
- 	dns_db_detach(&server->in_roothints);
- 
-+	if( server->dbus_mgr != 0L )
-+	    dbus_mgr_shutdown(server->dbus_mgr);
-+
- 	isc_task_endexclusive(server->task);
- 
- 	isc_task_detach(&server->task);
---- bind-9.3.2b1/bin/named/include/named/globals.h.dbus	2004-03-07 23:04:20.000000000 -0500
-+++ bind-9.3.2b1/bin/named/include/named/globals.h	2005-10-07 13:47:36.000000000 -0400
-@@ -112,6 +112,8 @@
- 
- EXTERN int			ns_g_listen		INIT(3);
- 
-+EXTERN int                      ns_g_dbus               INIT(0);
-+
- #undef EXTERN
- #undef INIT
- 
---- bind-9.3.2b1/bin/named/include/named/server.h.dbus	2004-03-07 23:04:21.000000000 -0500
-+++ bind-9.3.2b1/bin/named/include/named/server.h	2005-10-07 12:43:26.000000000 -0400
-@@ -91,7 +91,8 @@
- 	ns_controls_t *		controls;	/* Control channels */
- 	unsigned int		dispatchgen;
- 	ns_dispatchlist_t	dispatches;
--						
-+
-+        ns_dbus_mgr_t *         dbus_mgr;
- };
- 
- #define NS_SERVER_MAGIC			ISC_MAGIC('S','V','E','R')
---- bind-9.3.2b1/bin/named/include/named/log.h.dbus	2004-03-07 23:04:21.000000000 -0500
-+++ bind-9.3.2b1/bin/named/include/named/log.h	2005-10-07 12:43:26.000000000 -0400
-@@ -34,6 +34,7 @@
- #define NS_LOGCATEGORY_QUERIES		(&ns_g_categories[4])
- #define NS_LOGCATEGORY_UNMATCHED	(&ns_g_categories[5])
- #define NS_LOGCATEGORY_UPDATE_SECURITY	(&ns_g_categories[6])
-+#define NS_LOGCATEGORY_DBUS      	(&ns_g_categories[7])
- 
- /*
-  * Backwards compatibility.
-@@ -51,6 +52,7 @@
- #define NS_LOGMODULE_NOTIFY		(&ns_g_modules[8])
- #define NS_LOGMODULE_CONTROL		(&ns_g_modules[9])
- #define NS_LOGMODULE_LWRESD		(&ns_g_modules[10])
-+#define NS_LOGMODULE_DBUS		(&ns_g_modules[11])
- 
- isc_result_t
- ns_log_init(isc_boolean_t safe);
---- bind-9.3.2b1/bin/named/include/named/types.h.dbus	2004-03-06 05:21:26.000000000 -0500
-+++ bind-9.3.2b1/bin/named/include/named/types.h	2005-10-07 12:43:26.000000000 -0400
-@@ -38,4 +38,6 @@
- typedef struct ns_dispatch		ns_dispatch_t;
- typedef ISC_LIST(ns_dispatch_t)		ns_dispatchlist_t;
- 
-+typedef struct ns_dbus_mgr              ns_dbus_mgr_t ;
-+
- #endif /* NAMED_TYPES_H */
diff --git a/contrib/dbus/bind-9.3.3rc2-dbus.patch b/contrib/dbus/bind-9.3.3rc2-dbus.patch
deleted file mode 100644
index 9048db71..00000000
--- a/contrib/dbus/bind-9.3.3rc2-dbus.patch
+++ /dev/null
@@ -1,778 +0,0 @@
---- bind-9.3.3rc2/lib/dns/forward.c.dbus	2005-03-17 04:58:30.000000000 +0100
-+++ bind-9.3.3rc2/lib/dns/forward.c	2006-09-18 10:08:37.000000000 +0200
-@@ -200,3 +200,89 @@
- 	}
- 	isc_mem_put(fwdtable->mctx, forwarders, sizeof(dns_forwarders_t));
- }
-+
-+/***
-+ *** new D-BUS Dynamic Forwarding Zones functions:
-+ ***/
-+isc_result_t
-+dns_fwdtable_delete(dns_fwdtable_t *fwdtable, dns_name_t *name )
-+{
-+	isc_result_t result;
-+
-+	REQUIRE(VALID_FWDTABLE(fwdtable));
-+
-+	RWLOCK(&fwdtable->rwlock, isc_rwlocktype_write);
-+
-+	result = dns_rbt_deletename(fwdtable->table, name, ISC_FALSE);
-+
-+	RWUNLOCK(&fwdtable->rwlock, isc_rwlocktype_write);		    
-+
-+	return (result);
-+}
-+
-+isc_result_t
-+dns_fwdtable_find_closest(dns_fwdtable_t *fwdtable, 
-+			  dns_name_t *name, 
-+			  dns_name_t *foundname,
-+			  dns_forwarders_t **forwardersp)
-+{
-+	isc_result_t result;
-+
-+	REQUIRE(VALID_FWDTABLE(fwdtable));
-+	
-+	RWLOCK(&fwdtable->rwlock, isc_rwlocktype_read);
-+
-+	result = dns_rbt_findname(fwdtable->table, name, 0, foundname,
-+				  (void **)forwardersp);
-+	
-+	if(result == DNS_R_PARTIALMATCH)
-+	    result = ISC_R_SUCCESS;
-+
-+	RWUNLOCK(&fwdtable->rwlock, isc_rwlocktype_read);
-+
-+	return (result);
-+}
-+
-+isc_result_t
-+dns_fwdtable_find_exact(dns_fwdtable_t *fwdtable, dns_name_t *name,
-+		  dns_forwarders_t **forwardersp)
-+{
-+	isc_result_t result;
-+
-+	REQUIRE(VALID_FWDTABLE(fwdtable));
-+
-+	REQUIRE(forwardersp != 0L);
-+
-+	RWLOCK(&fwdtable->rwlock, isc_rwlocktype_read);
-+
-+	result = dns_rbt_findname(fwdtable->table, name, 0, NULL,
-+				  (void **)forwardersp);
-+	
-+	if( result != ISC_R_SUCCESS )
-+	    *forwardersp = 0L;
-+
-+	RWUNLOCK(&fwdtable->rwlock, isc_rwlocktype_read);
-+
-+	return (result);
-+}
-+
-+static 
-+void dns_fwdtable_traverse
-+(   
-+    dns_name_t *name,
-+    void *node_data,
-+    void *cbp,
-+    void *cb_arg
-+)
-+{
-+    dns_fwdtable_callback_t  cb = (dns_fwdtable_callback_t) cbp;
-+    
-+    (*cb)( name, node_data, cb_arg);
-+}
-+
-+void dns_fwdtable_foreach(dns_fwdtable_t *fwdtable, dns_fwdtable_callback_t cb, void *cb_arg )
-+{
-+    REQUIRE(VALID_FWDTABLE(fwdtable));
-+
-+    dns_rbt_traverse( fwdtable->table, dns_fwdtable_traverse, cb, cb_arg );
-+}
---- bind-9.3.3rc2/lib/dns/include/dns/forward.h.dbus	2005-03-17 04:58:31.000000000 +0100
-+++ bind-9.3.3rc2/lib/dns/include/dns/forward.h	2006-09-18 10:08:37.000000000 +0200
-@@ -98,6 +98,37 @@
-  * 	all memory associated with the forwarding table is freed.
-  */
- 
-+
-+/* These are ONLY used by dbus_mgr :
-+ */
-+
-+isc_result_t
-+dns_fwdtable_delete( dns_fwdtable_t *fwdtable, dns_name_t *name );
-+/* 
-+ * Removes an entry from the forwarding table.
-+ */
-+
-+isc_result_t
-+dns_fwdtable_find_exact(dns_fwdtable_t *fwdtable, dns_name_t *name,
-+		  dns_forwarders_t **forwardersp);
-+/*
-+ * Finds an exact match for "name" in the forwarding table.  
-+ */
-+
-+isc_result_t
-+dns_fwdtable_find_closest(dns_fwdtable_t *fwdtable, dns_name_t *name, dns_name_t *foundname,
-+		  dns_forwarders_t **forwardersp);
-+/*
-+ * Finds the closest match for "*name" in the forwarding table, returning  
-+ * the actual name matching in *name if different to *name passed in. 
-+ */
-+
-+typedef void (*dns_fwdtable_callback_t)( dns_name_t *, dns_forwarders_t *, void *);
-+void dns_fwdtable_foreach(dns_fwdtable_t *fwdtable, dns_fwdtable_callback_t cb, void * );
-+/* Invoke cb for each member of fwdtable 
-+ */
-+
-+
- ISC_LANG_ENDDECLS
- 
- #endif /* DNS_FORWARD_H */
---- bind-9.3.3rc2/lib/dns/include/dns/rbt.h.dbus	2004-10-11 07:55:51.000000000 +0200
-+++ bind-9.3.3rc2/lib/dns/include/dns/rbt.h	2006-09-18 10:08:37.000000000 +0200
-@@ -833,6 +833,17 @@
-  *	<something_else>	Any error result from dns_name_concatenate.
-  */
- 
-+
-+typedef void (*dns_rbt_traverse_callback_t)(  dns_name_t *name,
-+					      void *node_data,
-+					      void *cb_arg1,
-+					      void *cb_arg2);
-+
-+void dns_rbt_traverse( dns_rbt_t *rbt, dns_rbt_traverse_callback_t cb, void *cb_arg1, void *cb_arg2 );
-+/* tree traversal function (only used by D-BUS dynamic forwarding dbus_mgr at
-+ * the moment)
-+ */
-+
- ISC_LANG_ENDDECLS
- 
- #endif /* DNS_RBT_H */
---- bind-9.3.3rc2/lib/dns/rbt.c.dbus	2005-06-18 03:03:24.000000000 +0200
-+++ bind-9.3.3rc2/lib/dns/rbt.c	2006-09-18 10:08:37.000000000 +0200
-@@ -2172,6 +2172,47 @@
- 	dns_rbt_printtree(rbt->root, NULL, 0);
- }
- 
-+static void
-+dns_rbt_traverse_tree(dns_rbtnode_t *root,  dns_rbt_traverse_callback_t cb, void *cb_arg1, void *cb_arg2 ) {
-+/*
-+ * This is used ONLY to traverse the forward table by dbus_mgr at the moment.
-+ * Since the forward table is not likely to be large, this can be recursive.
-+ */
-+	dns_name_t name;
-+	dns_offsets_t offsets;
-+	char buf[DNS_NAME_MAXWIRE];
-+	isc_buffer_t buffer;
-+
-+	if (root != NULL) {
-+
-+		if (DOWN(root)) 
-+			dns_rbt_traverse_tree(DOWN(root), cb, cb_arg1, cb_arg2);
-+
-+		if( LEFT(root) != NULL )
-+		        dns_rbt_traverse_tree(LEFT(root), cb, cb_arg1, cb_arg2);
-+
-+		if( RIGHT(root) != NULL )
-+		        dns_rbt_traverse_tree(RIGHT(root), cb, cb_arg1, cb_arg2);
-+
-+		if( DATA(root) == 0L )
-+		    return;
-+
-+		dns_name_init(&name, offsets);
-+		isc_buffer_init(&buffer, buf, DNS_NAME_MAXWIRE);
-+		dns_name_setbuffer( &name, &buffer);
-+		dns_rbt_fullnamefromnode(root, &name);
-+		
-+		(*cb)(&name, DATA(root), cb_arg1, cb_arg2);		
-+	} 
-+}
-+
-+void dns_rbt_traverse( dns_rbt_t *rbt, dns_rbt_traverse_callback_t cb, void *cb_arg1, void *cb_arg2  )
-+{
-+        REQUIRE(VALID_RBT(rbt));
-+
-+	dns_rbt_traverse_tree( rbt->root, cb, cb_arg1, cb_arg2 );       
-+}
-+
- /*
-  * Chain Functions
-  */
---- bind-9.3.3rc2/lib/isc/include/isc/socket.h.dbus	2004-03-08 10:04:53.000000000 +0100
-+++ bind-9.3.3rc2/lib/isc/include/isc/socket.h	2006-09-18 10:08:37.000000000 +0200
-@@ -136,6 +136,10 @@
- #define ISC_SOCKEVENT_NEWCONN	(ISC_EVENTCLASS_SOCKET + 3)
- #define ISC_SOCKEVENT_CONNECT	(ISC_EVENTCLASS_SOCKET + 4)
- 
-+#define ISC_SOCKEVENT_READ_READY  (ISC_EVENTCLASS_SOCKET + 5)
-+#define ISC_SOCKEVENT_WRITE_READY (ISC_EVENTCLASS_SOCKET + 6)
-+#define ISC_SOCKEVENT_SELECTED    (ISC_EVENTCLASS_SOCKET + 7)
-+
- /*
-  * Internal events.
-  */
-@@ -144,7 +148,8 @@
- 
- typedef enum {
- 	isc_sockettype_udp = 1,
--	isc_sockettype_tcp = 2
-+	isc_sockettype_tcp = 2,
-+	isc_sockettype_fd  = 8
- } isc_sockettype_t;
- 
- /*
-@@ -699,6 +704,30 @@
-  *	'sock' is a valid socket.
-  */
- 
-+isc_socketevent_t*
-+isc_socket_fd_handle_reads( isc_socket_t *sock, isc_socketevent_t *dev );
-+/* register the "dev" event to be sent when the isc_sockettype_fd sock 
-+ * was select()-ed for read. If there is already an event registered, it
-+ * is returned, otherwise 0 is returned. If dev is 0, removes any existing
-+ * registered event.
-+ */
-+ 
-+isc_socketevent_t*
-+isc_socket_fd_handle_writes( isc_socket_t *sock, isc_socketevent_t *dev );
-+/* register the "dev" event to be sent when the isc_sockettype_fd sock 
-+ * was select()-ed for write. If there is already an event registered, it
-+ * is returned, otherwise 0 is returned. If dev is 0, removes any existing
-+ * registered event.
-+ */
-+
-+isc_socketevent_t*
-+isc_socket_fd_handle_selected( isc_socket_t *sock, isc_socketevent_t *dev );
-+/* register the "dev" event to be sent when ALL isc_sockettype_fd sockets 
-+ * have been select()-ed . If there is already an event registered, it
-+ * is returned, otherwise 0 is returned. If dev is 0, removes any existing
-+ * registered event.
-+ */
-+
- ISC_LANG_ENDDECLS
- 
- #endif /* ISC_SOCKET_H */
---- bind-9.3.3rc2/lib/isc/unix/socket.c.dbus	2006-05-19 04:53:36.000000000 +0200
-+++ bind-9.3.3rc2/lib/isc/unix/socket.c	2006-09-18 10:08:37.000000000 +0200
-@@ -148,6 +148,11 @@
- 	ISC_LIST(isc_socketevent_t)		recv_list;
- 	ISC_LIST(isc_socket_newconnev_t)	accept_list;
- 	isc_socket_connev_t		       *connect_ev;
-+        
-+        /* these are used only by isc_sockettype_fd sockets:*/
-+        isc_socketevent_t      *read_ready_event;
-+        isc_socketevent_t      *write_ready_event;
-+        isc_socketevent_t      *selected_event;
- 
- 	/*
- 	 * Internal events.  Posted when a descriptor is readable or
-@@ -304,7 +309,7 @@
- 
- static void
- wakeup_socket(isc_socketmgr_t *manager, int fd, int msg) {
--	isc_socket_t *sock;
-+	isc_socket_t *sock=0L;
- 
- 	/*
- 	 * This is a wakeup on a socket.  If the socket is not in the
-@@ -1289,6 +1294,9 @@
- 	sock->connected = 0;
- 	sock->connecting = 0;
- 	sock->bound = 0;
-+	sock->read_ready_event = 0L;
-+	sock->write_ready_event = 0L;
-+	sock->selected_event = 0L;
- 
- 	/*
- 	 * initialize the lock
-@@ -1401,13 +1409,16 @@
- 	case isc_sockettype_tcp:
- 		sock->fd = socket(pf, SOCK_STREAM, IPPROTO_TCP);
- 		break;
-+
-+	case isc_sockettype_fd:
-+	        sock->fd = pf;
- 	}
- 
- #ifdef F_DUPFD
- 	/*
- 	 * Leave a space for stdio to work in.
- 	 */
--	if (sock->fd >= 0 && sock->fd < 20) {
-+	if ( (type != isc_sockettype_fd) && (sock->fd >= 0) && (sock->fd < 20) ) {
- 		int new, tmp;
- 		new = fcntl(sock->fd, F_DUPFD, 20);
- 		tmp = errno;
-@@ -1461,7 +1472,7 @@
- 		}
- 	}
- 
--	if (make_nonblock(sock->fd) != ISC_R_SUCCESS) {
-+	if ((type != isc_sockettype_fd) && (make_nonblock(sock->fd) != ISC_R_SUCCESS)) {
- 		(void)close(sock->fd);
- 		free_socket(&sock);
- 		return (ISC_R_UNEXPECTED);
-@@ -1729,6 +1740,38 @@
- 	isc_task_send(ev->ev_sender, (isc_event_t **)&iev);
- }
- 
-+static
-+isc_event_t *dispatch_read_ready(isc_socketmgr_t *manager, isc_socket_t *sock)
-+{
-+    isc_event_t *dev = (isc_event_t*)sock->read_ready_event, *ev;
-+    
-+    ev = isc_mem_get(manager->mctx, dev->ev_size);
-+    memcpy(ev,dev,dev->ev_size);
-+    ISC_LINK_INIT(ev,ev_link);
-+    isc_task_send(dev->ev_sender, &ev );
-+    return (isc_event_t *)sock->selected_event;
-+}
-+
-+static
-+isc_event_t *dispatch_write_ready(isc_socketmgr_t *manager,isc_socket_t *sock)
-+{
-+    isc_event_t *dev = (isc_event_t*)sock->write_ready_event, *ev;
-+    ev = isc_mem_get(manager->mctx, dev->ev_size);
-+    memcpy(ev,dev,dev->ev_size);
-+    ISC_LINK_INIT(ev,ev_link);
-+    isc_task_send(dev->ev_sender, &ev );
-+    return (isc_event_t *)sock->selected_event;
-+}
-+
-+static
-+void dispatch_selected(isc_socketmgr_t *manager, isc_event_t *dev)
-+{   isc_event_t *ev;
-+    ev = isc_mem_get(manager->mctx, dev->ev_size);
-+    memcpy(ev,dev,dev->ev_size);
-+    ISC_LINK_INIT(ev,ev_link);
-+    isc_task_send(dev->ev_sender, &ev );
-+}
-+
- /*
-  * Dequeue an item off the given socket's read queue, set the result code
-  * in the done event to the one provided, and send it to the task it was
-@@ -2136,6 +2179,7 @@
- 	int i;
- 	isc_socket_t *sock;
- 	isc_boolean_t unlock_sock;
-+	isc_event_t *sock_selected = 0L;
- 
- 	REQUIRE(maxfd <= (int)FD_SETSIZE);
- 
-@@ -2169,11 +2213,15 @@
- 			unlock_sock = ISC_TRUE;
- 			LOCK(&sock->lock);
- 			if (!SOCK_DEAD(sock)) {
-+			    if( sock->type != isc_sockettype_fd )
-+			    {
- 				if (sock->listener)
- 					dispatch_accept(sock);
- 				else
- 					dispatch_recv(sock);
--			}
-+			    }else			    
-+				sock_selected = dispatch_read_ready(manager,sock);
-+			}			    
- 			FD_CLR(i, &manager->read_fds);
- 		}
- 	check_write:
-@@ -2187,16 +2235,24 @@
- 				LOCK(&sock->lock);
- 			}
- 			if (!SOCK_DEAD(sock)) {
-+			    if( sock->type != isc_sockettype_fd )
-+			    {
- 				if (sock->connecting)
- 					dispatch_connect(sock);
- 				else
- 					dispatch_send(sock);
-+			    }else			   
-+				sock_selected =	dispatch_write_ready(manager,sock);
- 			}
- 			FD_CLR(i, &manager->write_fds);
- 		}
- 		if (unlock_sock)
- 			UNLOCK(&sock->lock);
- 	}
-+	if( sock_selected != 0L )
-+	{
-+	    dispatch_selected(manager, sock_selected);
-+	}
- }
- 
- #ifdef ISC_PLATFORM_USETHREADS
-@@ -2215,7 +2271,7 @@
- 	int cc;
- 	fd_set readfds;
- 	fd_set writefds;
--	int msg, fd;
-+	int msg, fd = -1;
- 	int maxfd;
- 	char strbuf[ISC_STRERRORSIZE];
- 
-@@ -3546,3 +3602,55 @@
- 	return (ISC_R_SUCCESS);
- }
- #endif /* ISC_PLATFORM_USETHREADS */
-+
-+isc_socketevent_t*
-+isc_socket_fd_handle_reads( isc_socket_t *sock, isc_socketevent_t *dev )
-+{    
-+    REQUIRE(VALID_SOCKET(sock));   
-+    if(dev != 0L) 
-+    {
-+	sock->references=1;
-+	sock->read_ready_event = dev;
-+	select_poke(sock->manager, sock->fd, SELECT_POKE_READ);
-+    }else
-+    {
-+	dev = sock->read_ready_event ;
-+	sock->read_ready_event = 0L ;
-+    }
-+    return dev;
-+}
-+
-+isc_socketevent_t*
-+isc_socket_fd_handle_writes( isc_socket_t *sock, isc_socketevent_t *dev )
-+{
-+    REQUIRE(VALID_SOCKET(sock));   
-+    if(dev != 0L) 
-+    {
-+	sock->references=1;
-+	sock->write_ready_event = dev;
-+	select_poke(sock->manager, sock->fd, SELECT_POKE_WRITE);    
-+    }else
-+    {
-+	dev = sock->write_ready_event;
-+	sock->write_ready_event = 0L;
-+    }
-+    return dev;
-+}
-+
-+isc_socketevent_t*
-+isc_socket_fd_handle_selected( isc_socket_t *sock, isc_socketevent_t *dev )
-+{
-+    REQUIRE(VALID_SOCKET(sock));
-+    if(dev != 0L) 
-+    {
-+	sock->references=1;
-+	sock->selected_event = dev;
-+    }else
-+    {
-+	dev = sock->selected_event;
-+	sock->selected_event = 0L;
-+	sock->references=0;
-+	destroy(&sock);
-+    }
-+    return dev;
-+}
---- bind-9.3.3rc2/bin/named/named.8.dbus	2006-06-29 15:02:30.000000000 +0200
-+++ bind-9.3.3rc2/bin/named/named.8	2006-09-18 10:08:37.000000000 +0200
-@@ -33,7 +33,7 @@
- named \- Internet domain name server
- .SH "SYNOPSIS"
- .HP 6
--\fBnamed\fR [\fB\-4\fR] [\fB\-6\fR] [\fB\-c\ \fR\fB\fIconfig\-file\fR\fR] [\fB\-d\ \fR\fB\fIdebug\-level\fR\fR] [\fB\-f\fR] [\fB\-g\fR] [\fB\-n\ \fR\fB\fI#cpus\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-s\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-u\ \fR\fB\fIuser\fR\fR] [\fB\-v\fR] [\fB\-x\ \fR\fB\fIcache\-file\fR\fR]
-+\fBnamed\fR [\fB\-4\fR] [\fB\-6\fR] [\fB\-c\ \fR\fB\fIconfig\-file\fR\fR] [\fB\-d\ \fR\fB\fIdebug\-level\fR\fR] [\fB\-f\fR] [\fB\-g\fR] [\fB\-n\ \fR\fB\fI#cpus\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-s\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-u\ \fR\fB\fIuser\fR\fR] [\fB\-v\fR] [\fB\-x\ \fR\fB\fIcache\-file\fR\fR] [\fB\-D\fR]
- .SH "DESCRIPTION"
- .PP
- \fBnamed\fR
-@@ -146,6 +146,13 @@
- .B "Warning:"
- This option must not be used. It is only of interest to BIND 9 developers and may be removed or changed in a future release.
- .RE
-+.sp
-+.TP
-+\fB\-D\fR
-+Enable dynamic management of the forwarding table with D-BUS
-+messages. This option is required for Red Hat NetworkManager
-+support. See doc/README.DBUS .
-+.sp
- .SH "SIGNALS"
- .PP
- In routine operation, signals should not be used to control the nameserver;
-@@ -165,6 +172,73 @@
- \fBnamed\fR
- configuration file is too complex to describe in detail here. A complete description is provided in the
- BIND 9 Administrator Reference Manual.
-+.PP
-+.SH "NOTES"
-+.PP
-+.TP
-+\fBRed Hat SELinux BIND Security Profile:\fR
-+.PP
-+By default, Red Hat ships BIND with the most secure SELinux policy
-+that will not prevent normal BIND operation and will prevent exploitation
-+of all known BIND security vulnerabilities . See the selinux(8) man page
-+for information about SElinux.
-+.PP
-+It is not necessary to run named in a chroot environment if the Red Hat
-+SELinux policy for named is enabled. When enabled, this policy is far
-+more secure than a chroot environment.
-+.PP
-+With this extra security comes some restrictions:
-+.br
-+By default, the SELinux policy does not allow named to write any master
-+zone database files. Only the root user may create files in the $ROOTDIR/var/named
-+zone database file directory (the options { "directory" } option), where
-+$ROOTDIR is set in /etc/sysconfig/named.
-+.br
-+The "named" group must be granted read privelege to 
-+these files in order for named to be enabled to read them. 
-+.br
-+Any file created in the zone database file directory is automatically assigned
-+the SELinux file context named_zone_t .
-+.br
-+By default, SELinux prevents any role from modifying named_zone_t files; this
-+means that files in the zone database directory cannot be modified by dynamic
-+DNS (DDNS) updates or zone transfers.
-+.br
-+The Red Hat BIND distribution and SELinux policy creates two directories where
-+named is allowed to create and modify files: $ROOTDIR/var/named/slaves and
-+$ROOTDIR/var/named/data. By placing files you want named to modify, such as
-+slave or DDNS updateable zone files and database / statistics dump files in 
-+these directories, named will work normally and no further operator action is
-+required. Files in these directories are automatically assigned the 'named_cache_t'
-+file context, which SELinux allows named to write.
-+.br
-+You can enable the named_t domain to write and create named_zone_t files by use
-+of the SELinux tunable boolean variable "named_write_master_zones", using the
-+setsebool(8) command or the system-config-security GUI . If you do this, you
-+must also set the ENABLE_ZONE_WRITE variable in /etc/sysconfig/named to 
-+1 / yes to set the ownership of files in the $ROOTDIR/var/named directory
-+to named:named in order for named to be allowed to write them. 
-+.PP
-+\fBRed Hat BIND named_sdb SDB support:\fR
-+.PP
-+Red Hat ships the bind-sdb RPM that provides the /usr/sbin/named_sdb program,
-+which is named compiled with the Simplified Database Backend modules that ISC
-+provides in the "contrib/sdb" directory.
-+.br
-+The SDB modules for LDAP, PostGreSQL and DirDB are compiled into named_sdb.
-+.br
-+To run named_sdb, set the ENABLE_SDB variable in /etc/sysconfig/named to 1 or "yes",
-+and then the "service named start" named initscript will run named_sdb instead
-+of named .
-+.br
-+See the documentation for the various SDB modules in /usr/share/doc/bind-sdb-*/ .
-+.PP
-+\fBRed Hat system-config-bind:\fR
-+.PP
-+Red Hat provides the system-config-bind GUI to configure named.conf and zone
-+database files. Run the "system-config-bind" command and access the manual
-+by selecting the Help menu.
-+.PP
- .SH "FILES"
- .TP 3n
- \fI/etc/named.conf\fR
---- bind-9.3.3rc2/bin/named/include/named/globals.h.dbus	2006-03-02 01:37:20.000000000 +0100
-+++ bind-9.3.3rc2/bin/named/include/named/globals.h	2006-09-18 10:08:37.000000000 +0200
-@@ -112,6 +112,8 @@
- 
- EXTERN int			ns_g_listen		INIT(3);
- 
-+EXTERN int                      ns_g_dbus               INIT(0);
-+
- #undef EXTERN
- #undef INIT
- 
---- bind-9.3.3rc2/bin/named/include/named/log.h.dbus	2004-03-08 05:04:21.000000000 +0100
-+++ bind-9.3.3rc2/bin/named/include/named/log.h	2006-09-18 10:08:37.000000000 +0200
-@@ -34,6 +34,7 @@
- #define NS_LOGCATEGORY_QUERIES		(&ns_g_categories[4])
- #define NS_LOGCATEGORY_UNMATCHED	(&ns_g_categories[5])
- #define NS_LOGCATEGORY_UPDATE_SECURITY	(&ns_g_categories[6])
-+#define NS_LOGCATEGORY_DBUS      	(&ns_g_categories[7])
- 
- /*
-  * Backwards compatibility.
-@@ -51,6 +52,7 @@
- #define NS_LOGMODULE_NOTIFY		(&ns_g_modules[8])
- #define NS_LOGMODULE_CONTROL		(&ns_g_modules[9])
- #define NS_LOGMODULE_LWRESD		(&ns_g_modules[10])
-+#define NS_LOGMODULE_DBUS		(&ns_g_modules[11])
- 
- isc_result_t
- ns_log_init(isc_boolean_t safe);
---- bind-9.3.3rc2/bin/named/include/named/server.h.dbus	2006-03-02 01:37:20.000000000 +0100
-+++ bind-9.3.3rc2/bin/named/include/named/server.h	2006-09-18 10:08:37.000000000 +0200
-@@ -91,7 +91,8 @@
- 	ns_controls_t *		controls;	/* Control channels */
- 	unsigned int		dispatchgen;
- 	ns_dispatchlist_t	dispatches;
--						
-+
-+        ns_dbus_mgr_t *         dbus_mgr;
- };
- 
- #define NS_SERVER_MAGIC			ISC_MAGIC('S','V','E','R')
---- bind-9.3.3rc2/bin/named/include/named/types.h.dbus	2004-03-06 11:21:26.000000000 +0100
-+++ bind-9.3.3rc2/bin/named/include/named/types.h	2006-09-18 10:08:37.000000000 +0200
-@@ -38,4 +38,6 @@
- typedef struct ns_dispatch		ns_dispatch_t;
- typedef ISC_LIST(ns_dispatch_t)		ns_dispatchlist_t;
- 
-+typedef struct ns_dbus_mgr              ns_dbus_mgr_t ;
-+
- #endif /* NAMED_TYPES_H */
---- bind-9.3.3rc2/bin/named/log.c.dbus	2005-05-25 01:58:17.000000000 +0200
-+++ bind-9.3.3rc2/bin/named/log.c	2006-09-18 10:08:37.000000000 +0200
-@@ -41,6 +41,7 @@
- 	{ "queries",	 		0 },
- 	{ "unmatched",	 		0 },
- 	{ "update-security",		0 },
-+	{ "dbus",                       0 },
- 	{ NULL, 			0 }
- };
- 
-@@ -60,6 +61,7 @@
- 	{ "notify",	 		0 },
- 	{ "control",	 		0 },
- 	{ "lwresd",	 		0 },
-+	{ "dbus",                       0 },
- 	{ NULL, 			0 }
- };
- 
---- bind-9.3.3rc2/bin/named/main.c.dbus	2006-01-06 01:01:42.000000000 +0100
-+++ bind-9.3.3rc2/bin/named/main.c	2006-09-18 10:08:37.000000000 +0200
-@@ -239,7 +239,8 @@
- 		"usage: named [-4|-6] [-c conffile] [-d debuglevel] "
- 		"[-f|-g] [-n number_of_cpus]\n"
- 		"             [-p port] [-s] [-t chrootdir] [-u username]\n"
--		"             [-m {usage|trace|record}]\n");
-+		"             [-m {usage|trace|record}]\n"
-+	        "             [-D ]\n");
- }
- 
- static void
-@@ -345,7 +346,7 @@
- 
- 	isc_commandline_errprint = ISC_FALSE;
- 	while ((ch = isc_commandline_parse(argc, argv,
--			           "46c:C:d:fgi:lm:n:N:p:P:st:u:vx:")) != -1) {
-+			           "46c:C:d:fgi:lm:n:N:p:P:st:u:vx:D")) != -1) {
- 		switch (ch) {
- 		case '4':
- 			if (disable4)
-@@ -434,6 +435,9 @@
- 		case 'v':
- 			printf("BIND %s\n", ns_g_version);
- 			exit(0);
-+		case 'D':
-+		        ns_g_dbus = 1;
-+			break;
- 		case '?':
- 			usage();
- 			ns_main_earlyfatal("unknown option '-%c'",
---- bind-9.3.3rc2/bin/named/server.c.dbus	2006-05-24 06:30:24.000000000 +0200
-+++ bind-9.3.3rc2/bin/named/server.c	2006-09-18 10:08:37.000000000 +0200
-@@ -86,6 +86,8 @@
- #include <stdlib.h>
- #endif
- 
-+#include <named/dbus_mgr.h>
-+
- /*
-  * Check an operation for failure.  Assumes that the function
-  * using it has a 'result' variable and a 'cleanup' label.
-@@ -1495,12 +1497,12 @@
- 	if (result != ISC_R_SUCCESS) {
- 		char namebuf[DNS_NAME_FORMATSIZE];
- 		dns_name_format(origin, namebuf, sizeof(namebuf));
--		cfg_obj_log(forwarders, ns_g_lctx, ISC_LOG_WARNING,
--			    "could not set up forwarding for domain '%s': %s",
-+		cfg_obj_log(forwarders, ns_g_lctx, ISC_LOG_NOTICE,
-+			    "setting up forwarding failed for domain '%s': %s",
- 			    namebuf, isc_result_totext(result));
- 		goto cleanup;
- 	}
--
-+		
- 	result = ISC_R_SUCCESS;
- 
-  cleanup:
-@@ -2875,6 +2877,20 @@
- 
- 	CHECKFATAL(load_zones(server, ISC_FALSE), "loading zones");
- 
-+	server->dbus_mgr = 0L;
-+	if( ns_g_dbus )	
-+	    if( dbus_mgr_create
-+	        (  ns_g_mctx, ns_g_taskmgr, ns_g_socketmgr, ns_g_timermgr,
-+		   &server->dbus_mgr
-+		) != ISC_R_SUCCESS
-+	      )
-+	    {
-+		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-+			      NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
-+			      "dbus_mgr initialization failed. D-BUS service is disabled."
-+		             );
-+	    }
-+
- 	ns_os_started();
- 	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
- 		      ISC_LOG_NOTICE, "running");
-@@ -2937,6 +2953,9 @@
- 
- 	dns_db_detach(&server->in_roothints);
- 
-+	if( server->dbus_mgr != 0L )
-+	    dbus_mgr_shutdown(server->dbus_mgr);
-+
- 	isc_task_endexclusive(server->task);
- 
- 	isc_task_detach(&server->task);
---- bind-9.3.3rc2/bin/named/Makefile.in.dbus	2004-09-06 23:47:25.000000000 +0200
-+++ bind-9.3.3rc2/bin/named/Makefile.in	2006-09-18 10:10:58.000000000 +0200
-@@ -35,7 +35,8 @@
- 		${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \
- 		${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \
- 		${DBDRIVER_INCLUDES}
--
-+DBUS_INCLUDES = \
-+	-I/usr/lib/dbus-1.0/include -I/usr/include/dbus-1.0
- CDEFINES =
- CWARNINGS =
- 
-@@ -52,6 +53,7 @@
- ISCDEPLIBS =	../../lib/isc/libisc.@A@
- LWRESDEPLIBS =	../../lib/lwres/liblwres.@A@
- BIND9DEPLIBS =	../../lib/bind9/libbind9.@A@
-+DBUSLIBS=       -ldbus-1
- 
- DEPLIBS =	${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
- 		${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${ISCDEPLIBS}
-@@ -71,6 +73,7 @@
- 		zoneconf.@O@ \
- 		lwaddr.@O@ lwresd.@O@ lwdclient.@O@ lwderror.@O@ lwdgabn.@O@ \
- 		lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@ \
-+	        dbus_service.@O@ dbus_mgr.@O@ \
- 		$(DBDRIVER_OBJS)
- 
- UOBJS =		unix/os.@O@
-@@ -83,6 +86,7 @@
- 		zoneconf.c \
- 		lwaddr.c lwresd.c lwdclient.c lwderror.c lwdgabn.c \
- 		lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c \
-+	        dbus_service.c dbus_mgr.c \
- 		$(DBDRIVER_SRCS)
- 
- MANPAGES =	named.8 lwresd.8 named.conf.5
-@@ -105,9 +109,14 @@
- 		-DNS_LOCALSTATEDIR=\"${localstatedir}\" \
- 		-c ${srcdir}/config.c
- 
-+dbus_service.o: dbus_service.c
-+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-+	        ${DBUS_INCLUDES} \
-+		-c ${srcdir}/dbus_service.c
-+
- named@EXEEXT@: ${OBJS} ${UOBJS} ${DEPLIBS}
- 	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
--	${OBJS} ${UOBJS} ${LIBS}
-+	${OBJS} ${UOBJS} ${LIBS} ${DBUSLIBS}
- 
- lwresd@EXEEXT@: named@EXEEXT@
- 	rm -f lwresd@EXEEXT@
diff --git a/contrib/dbus/dbus_mgr.c b/contrib/dbus/dbus_mgr.c
deleted file mode 100644
index 71e1eacd..00000000
--- a/contrib/dbus/dbus_mgr.c
+++ /dev/null
@@ -1,2440 +0,0 @@
-/* dbus_mgr.c
- *
- *  named module to provide dynamic forwarding zones in 
- *  response to D-BUS dhcp events or commands.
- *
- *  Copyright(C) Jason Vas Dias, Red Hat Inc., 2005
- *  Modified by Adam Tkac, Red Hat Inc., 2007
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation at 
- *           http://www.fsf.org/licensing/licenses/gpl.txt
- *  and included in this software distribution as the "LICENSE" file.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- */
-#include <config.h>
-#include <isc/types.h>
-#include <isc/net.h>
-#include <isc/mem.h>
-#include <isc/magic.h>
-#include <isc/list.h>
-#include <isc/task.h>
-#include <isc/event.h>
-#include <isc/socket.h>
-#include <isc/timer.h>
-#include <isc/netaddr.h>
-#include <isc/sockaddr.h>
-#include <isc/buffer.h>
-#include <isc/log.h>
-
-#include <dns/name.h>
-#include <dns/acl.h>
-#include <dns/fixedname.h>
-#include <dns/view.h>
-#include <dns/forward.h>
-
-#include <named/types.h>
-#include <named/config.h>
-#include <named/server.h>
-#include <named/globals.h>
-#include <named/log.h>
-
-#include <named/dbus_service.h>
-#include <named/dbus_mgr.h>
-
-#include <string.h>
-#include <search.h>
-
-typedef void (*__free_fn_t) (void *__nodep);
-extern void tdestroy (void *__root, __free_fn_t __freefct);
-extern void free(void*);
-
-#ifdef ISC_USE_INTERNAL_MALLOC
-#  if  ISC_USE_INTERNAL_MALLOC
-#      error dbus_mgr cannot be used if ISC_USE_INTERNAL_MALLOC==1
-#  endif
-#endif
-
-#define DBUSMGR_DESTINATION  "com.redhat.named"
-#define DBUSMGR_OBJECT_PATH "/com/redhat/named"
-#define DBUSMGR_INTERFACE    "com.redhat.named"
-
-#define DBUSMGR_MAGIC	ISC_MAGIC('D', 'B', 'U', 'S')
-
-struct ns_dbus_mgr
-{
-    unsigned int        magic;
-    isc_mem_t         *	mctx;		/* Memory context. */
-    isc_taskmgr_t     * taskmgr;	/* Task manager.   */
-    isc_socketmgr_t   *	socketmgr;	/* Socket manager. */   
-    isc_timermgr_t    *	timermgr;	/* Timer manager.  */   
-    isc_task_t        * task;           /* task            */
-    isc_timer_t       * timer;          /* dbus_init retry */
-    void              * sockets;        /* dbus fd tree    */ 
-    void              * dhc_if;         /* dhcp interface tree */
-    void              * ifwdt;          /* initial forwarder tree */
-    char              * dhcdbd_name;    /* dhcdbd destination  */
-    DBUS_SVC            dbus;	        /* dbus handle */
-};
-
-typedef
-struct dbus_mgr_sock_s
-{
-    int fd;
-    struct ns_dbus_mgr *mgr;
-    isc_socket_t *sock;
-    isc_socketevent_t *ser;
-    isc_socketevent_t *sew;
-    isc_socketevent_t *sel;
-} DBusMgrSocket;
-
-typedef
-enum dhc_state_e
-{
-   DHC_NBI,         	/* no broadcast interfaces found */
-   DHC_PREINIT, 	/* configuration started   */
-   DHC_BOUND, 		/* lease obtained          */
-   DHC_RENEW, 		/* lease renewed           */
-   DHC_REBOOT,	        /* have valid lease, but now obtained a different one */
-   DHC_REBIND, 		/* new, different lease */
-   DHC_STOP,  		/* remove old lease */
-   DHC_MEDIUM, 		/* media selection begun */
-   DHC_TIMEOUT, 	/* timed out contacting DHCP server */
-   DHC_FAIL, 		/* all attempts to contact server timed out, sleeping */
-   DHC_EXPIRE, 		/* lease has expired, renewing */
-   DHC_RELEASE, 	/* releasing lease */
-   DHC_START,           /* sent when dhclient started OK */
-   DHC_ABEND,  		/* dhclient exited abnormally    */
-   DHC_END, 		/* dhclient exited normally      */
-   DHC_END_OPTIONS,     /* last option in subscription sent */
-   DHC_INVALID=255      
-} DHC_State;
-
-typedef ISC_LIST(dns_name_t) DNSNameList;
-
-typedef ISC_LIST(isc_sockaddr_t) SockAddrList;
-
-typedef struct dbm_fwdr_s
-{
-    dns_fwdpolicy_t fwdpolicy;
-    dns_name_t       dn;
-    SockAddrList     sa;
-    ISC_LINK( struct dbm_fwdr_s ) link;
-} DBusMgrInitialFwdr;
-
-typedef
-struct dhc_if_s
-{
-    char           *if_name;
-    DHC_State      dhc_state;
-    DHC_State      previous_state;
-    struct in_addr ip;
-    struct in_addr subnet_mask;
-    DNSNameList    dn;
-    SockAddrList   dns;
-} DHC_IF;
-
-static void 
-dbus_mgr_watch_handler( int fd, dbus_svc_WatchFlags flags, void *mgrp );
-
-static
-dbus_svc_HandlerResult 
-dbus_mgr_message_handler
-(  
-    DBusMsgHandlerArgs
-);
-
-static
-void dbus_mgr_close_socket( const void *p, const VISIT which, const int level);
-
-static
-void dbus_mgr_destroy_socket( void *p );
-
-static
-void dbus_mgr_free_dhc( void *p );
-
-static void
-dbus_mgr_watches_selected(isc_task_t *t, isc_event_t *ev);
-
-static isc_result_t
-dbus_mgr_init_dbus(ns_dbus_mgr_t *);
-
-static isc_result_t
-dbus_mgr_record_initial_fwdtable(ns_dbus_mgr_t *);
-
-static void
-dbus_mgr_free_initial_fwdtable(ns_dbus_mgr_t *);
-
-static 
-uint8_t dbus_mgr_subscribe_to_dhcdbd( ns_dbus_mgr_t * );
-
-static 
-void dbus_mgr_dbus_shutdown_handler ( ns_dbus_mgr_t * );
-
-static
-int dbus_mgr_log_err( const char *fmt, ...)
-{
-    va_list  va;
-    va_start(va, fmt);
-    isc_log_vwrite(ns_g_lctx,		  
-		   NS_LOGCATEGORY_DBUS,
-		   NS_LOGMODULE_DBUS,	
-		   ISC_LOG_NOTICE,
-		   fmt, va
-	          );
-    va_end(va);
-    return 0;
-}
-
-static
-int dbus_mgr_log_dbg( const char *fmt, ...)
-{
-    va_list  va;
-    va_start(va, fmt);
-    isc_log_vwrite(ns_g_lctx,		  
-		   NS_LOGCATEGORY_DBUS,
-		   NS_LOGMODULE_DBUS,	
-		   ISC_LOG_DEBUG(80),
-		   fmt, va
-	          );
-    va_end(va);
-    return 0;
-}
-
-static
-int dbus_mgr_log_info( const char *fmt, ...)
-{
-    va_list  va;
-    va_start(va, fmt);
-    isc_log_vwrite(ns_g_lctx,		  
-		   NS_LOGCATEGORY_DBUS,
-		   NS_LOGMODULE_DBUS,	
-		   ISC_LOG_DEBUG(1),
-		   fmt, va
-	          );
-    va_end(va);
-    return 0;
-}
-
-isc_result_t 
-dbus_mgr_create
-(   isc_mem_t *mctx, 
-    isc_taskmgr_t *taskmgr,
-    isc_socketmgr_t *socketmgr,
-    isc_timermgr_t *timermgr,
-    ns_dbus_mgr_t **dbus_mgr
-)
-{
-    isc_result_t result;
-    ns_dbus_mgr_t *mgr;
-    
-    *dbus_mgr = 0L; 
-
-    mgr = isc_mem_get(mctx, sizeof(*mgr));
-    if (mgr == NULL)
-	return (ISC_R_NOMEMORY);
-
-    mgr->magic = DBUSMGR_MAGIC;
-    mgr->mctx = mctx;
-    mgr->taskmgr = taskmgr;
-    mgr->socketmgr = socketmgr;
-    mgr->timermgr = timermgr;
-    mgr->task = 0L;
-    mgr->sockets = 0L;
-    mgr->timer = 0L;
-    mgr->dhc_if = 0L;
-    mgr->ifwdt = 0L;
-    mgr->dhcdbd_name = 0L;
-
-    if( (result = isc_task_create( taskmgr, 100, &(mgr->task)))
-        != ISC_R_SUCCESS
-      )	goto cleanup_mgr;
-    
-    isc_task_setname( mgr->task, "dbusmgr", mgr );
-
-    mgr->dbus = 0L;
-
-    if( (result = dbus_mgr_record_initial_fwdtable( mgr ))
-	!= ISC_R_SUCCESS
-      )	goto cleanup_mgr;
-
-    if( (result = dbus_mgr_init_dbus( mgr ))
-	!= ISC_R_SUCCESS 
-      )	goto cleanup_mgr;     
-
-    *dbus_mgr = mgr; 
-   
-    return ISC_R_SUCCESS;
-
- cleanup_mgr:
-    if( mgr->task != 0L )
-	isc_task_detach(&(mgr->task));
-    isc_mem_put(mctx, mgr, sizeof(*mgr));
-    return (result);
-}
-
-static isc_result_t
-dbus_mgr_init_dbus(ns_dbus_mgr_t * mgr)
-{
-    char destination[]=DBUSMGR_DESTINATION;
-    isc_result_t result;
-
-    if( mgr->sockets != 0L )
-    {
-	isc_task_purgerange(mgr->task, 0L, ISC_SOCKEVENT_READ_READY, ISC_SOCKEVENT_SELECTED, 0L);
-	twalk(mgr->sockets, dbus_mgr_close_socket);
-	tdestroy(mgr->sockets, dbus_mgr_destroy_socket);
-	mgr->sockets = 0L;
-    }
-
-    if( mgr->dbus != 0L )
-    {
-	dbus_svc_shutdown(mgr->dbus);
-	mgr->dbus = 0L;
-    }
-
-    result = dbus_svc_init(DBUS_PRIVATE_SYSTEM, destination, &mgr->dbus,
-					dbus_mgr_watch_handler, 0L, 0L, mgr);
-
-    if(result != ISC_R_SUCCESS)
-	goto cleanup;
-
-    if( mgr->dbus == 0L )
-    {
-	if( mgr->timer == 0L)
-	{
-	    isc_task_purgerange(mgr->task, 0L, ISC_SOCKEVENT_READ_READY, ISC_SOCKEVENT_SELECTED, 0L);
-	    if( mgr->sockets != 0L )
-	    {
-		twalk(mgr->sockets, dbus_mgr_close_socket);
-		tdestroy(mgr->sockets, dbus_mgr_destroy_socket);
-		mgr->sockets = 0L;
-	    }
-	    dbus_mgr_dbus_shutdown_handler (  mgr );
-	    return ISC_R_SUCCESS;
-	}
-	goto cleanup;
-    }
-
-    if( !dbus_svc_add_filter
-	( mgr->dbus, dbus_mgr_message_handler, mgr, 4,
-	  "type=signal,path=/org/freedesktop/DBus,member=NameOwnerChanged",
-	  "type=signal,path=/org/freedesktop/DBus/Local,member=Disconnected",
-	  "type=signal,interface=com.redhat.dhcp.subscribe.binary",
-	  "type=method_call,destination=com.redhat.named,path=/com/redhat/named" 	 
-	)
-      )
-    {
-	dbus_mgr_log_err( "dbus_svc_add_filter failed" );
-	goto cleanup;
-    }
-    
-    if( mgr->timer != 0L )
-    {
-	isc_timer_reset(mgr->timer,
-			isc_timertype_inactive,
-			NULL, NULL, ISC_TRUE
-	               );
-    }
-
-    if( !dbus_mgr_subscribe_to_dhcdbd( mgr ) )
-	dbus_mgr_log_err("D-BUS dhcdbd subscription disabled.");
-
-    dbus_mgr_log_err("D-BUS service enabled.");
-    return ISC_R_SUCCESS;
-
- cleanup:
-    isc_task_purgerange(mgr->task, 0L, ISC_SOCKEVENT_READ_READY, ISC_SOCKEVENT_SELECTED, 0L);
-    twalk(mgr->sockets, dbus_mgr_close_socket);
-    tdestroy(mgr->sockets, dbus_mgr_destroy_socket);
-    mgr->sockets = 0L;
-    if( mgr->dbus )
-    {
-	dbus_svc_shutdown(mgr->dbus);
-	mgr->dbus = 0L;
-    }
-    return ISC_R_FAILURE;
-}
-
-static 
-uint8_t dbus_mgr_subscribe_to_dhcdbd( ns_dbus_mgr_t *mgr )
-{
-    DBUS_SVC dbus = mgr->dbus;
-    char subs[1024], path[1024], 
-	dhcdbd_destination[]="com.redhat.dhcp", *ddp[1]={ &(dhcdbd_destination[0]) },
-	*dhcdbd_name=0L;
-    const char *options[] = { "reason", "ip-address", "subnet-mask", 
-			      "domain-name", "domain-name-servers" 
-                            };
-    dbus_svc_MessageHandle msg;
-    int i, n_opts = 5;
-
-    if( mgr->dhcdbd_name == 0L )
-    {
-	msg = dbus_svc_call
-	      ( dbus,
-		"org.freedesktop.DBus",
-		"/org/freedesktop/DBus",
-		"GetNameOwner",		
-		"org.freedesktop.DBus",
-		TYPE_STRING, &ddp,
-		TYPE_INVALID
-	       );
-	if( msg == 0L )	
-	    return 0;    
-
-	if( !dbus_svc_get_args(dbus, msg,
-			       TYPE_STRING, &(dhcdbd_name),
-			       TYPE_INVALID
-		              ) 
-	  )	return 0;
-
-	mgr->dhcdbd_name = isc_mem_get(mgr->mctx, strlen(dhcdbd_name) + 1);
-	if( mgr->dhcdbd_name == 0L )
-	    return 0;
-
-	strcpy(mgr->dhcdbd_name, dhcdbd_name);
-
-    }
-
-    sprintf(path,"/com/redhat/dhcp/subscribe");    
-    sprintf(subs,"com.redhat.dhcp.binary");
-
-    for(i = 0; i < n_opts; i++)
-    {
-	msg = dbus_svc_call
-	      ( dbus,
-		"com.redhat.dhcp",
-		path,
-		"binary",		
-		subs,		
-		TYPE_STRING, &(options[i]),
-		TYPE_INVALID
-	      );
-	if(msg == 0L)
-	    return 0;
-	if ( dbus_svc_message_type( msg ) == ERROR )
-	    return 0;
-    }
-    dbus_mgr_log_err("D-BUS dhcdbd subscription enabled.");
-    return 1;
-}
-
-void 
-dbus_mgr_shutdown
-(   ns_dbus_mgr_t *mgr
-)
-{
-    if( mgr->timer != 0L )
-	isc_timer_detach(&(mgr->timer));
-    if( mgr->dbus != 0L )
-    {
-	isc_task_purgerange(mgr->task, 0L, ISC_SOCKEVENT_READ_READY, ISC_SOCKEVENT_SELECTED, 0L);
-	if( mgr->sockets != 0L )
-	{
-	    twalk(mgr->sockets, dbus_mgr_close_socket);
-	    tdestroy(mgr->sockets, dbus_mgr_destroy_socket);
-	    mgr->sockets = 0L;
-	}
-	dbus_svc_shutdown(mgr->dbus);
-    }
-    if( mgr->dhc_if != 0L )
-	tdestroy(mgr->dhc_if, dbus_mgr_free_dhc);
-    if( mgr->dhcdbd_name != 0L )
-	isc_mem_put(mgr->mctx, mgr->dhcdbd_name, strlen(mgr->dhcdbd_name) + 1);
-    isc_task_detach(&(mgr->task));
-    dbus_mgr_free_initial_fwdtable(mgr);
-    isc_mem_put(mgr->mctx, mgr, sizeof(ns_dbus_mgr_t));
-}
-
-static 
-void dbus_mgr_restart_dbus(isc_task_t *t, isc_event_t *ev)
-{   
-    ns_dbus_mgr_t *mgr = (ns_dbus_mgr_t*)(ev->ev_arg) ;
-    t=t;    
-    isc_event_free(&ev);
-    dbus_mgr_log_dbg("attempting to connect to D-BUS");
-    dbus_mgr_init_dbus( mgr );
-}
-
-static
-void dbus_mgr_handle_dbus_shutdown_event(isc_task_t *t, isc_event_t *ev)
-{
-    ns_dbus_mgr_t *mgr = ev->ev_arg;
-    isc_time_t     tick={10,0};
-    isc_interval_t tock={10,0};
-    DBUS_SVC dbus = mgr->dbus;
-    t = t;
-
-    mgr->dbus = 0L;
-
-    isc_event_free(&ev);
-
-    if ( dbus != 0L )
-    {
-	isc_task_purgerange(mgr->task, 0L, ISC_SOCKEVENT_READ_READY, ISC_SOCKEVENT_SELECTED, 0L);
-	if( mgr->sockets != 0L )
-	{
-	    twalk(mgr->sockets, dbus_mgr_close_socket);
-	    tdestroy(mgr->sockets, dbus_mgr_destroy_socket);
-	    mgr->sockets = 0L;
-	}
-	dbus_svc_shutdown(dbus);    
-    }
-
-    dbus_mgr_log_err( "D-BUS service disabled." );
-
-    if( mgr->timer != 0L )
-    {
-	isc_timer_reset(mgr->timer,
-			isc_timertype_ticker,
-			&tick, &tock, ISC_TRUE
-	               );
-    }else
-    if( isc_timer_create
-	(   mgr->timermgr,
-	    isc_timertype_ticker,
-	    &tick, &tock,
-	    mgr->task,
-	    dbus_mgr_restart_dbus,
-	    mgr,
-	    &(mgr->timer)
-	) != ISC_R_SUCCESS
-      )
-    {
-	dbus_mgr_log_err( "D-BUS service cannot be restored." );
-    }
-}
-
-static 
-void dbus_mgr_dbus_shutdown_handler ( ns_dbus_mgr_t *mgr )
-{ 
-    isc_event_t *dbus_shutdown_event = 
-	isc_event_allocate
-	(   mgr->mctx, 
-	    mgr->task, 
-	    1,
-	    dbus_mgr_handle_dbus_shutdown_event,
-	    mgr,
-	    sizeof(isc_event_t)
-	 );
-    if( dbus_shutdown_event != 0L )
-    {
-	isc_task_purgerange(mgr->task, 0L, ISC_SOCKEVENT_READ_READY, ISC_SOCKEVENT_SELECTED, 0L);
-	isc_task_send( mgr->task, &dbus_shutdown_event );
-    }else
-	dbus_mgr_log_err("unable to allocate dbus shutdown event");
-}
-
-static
-dns_view_t *dbus_mgr_get_localhost_view(void)
-{
-    dns_view_t       *view;
-    isc_netaddr_t    localhost = { AF_INET, { { htonl( ( 127 << 24 ) | 1 ) } }, 0 };
-    int              match;
-
-    for (view = ISC_LIST_HEAD(ns_g_server->viewlist);
-	 view != NULL;
-	 view = ISC_LIST_NEXT(view, link)
-        )
-    {	
-	/* return first view matching "localhost" source and dest */
-
-	if(( (view->matchclients != 0L )   /* 0L: accept "any" */
-	   &&(( dns_acl_match( &localhost, 
-			     NULL, /* unsigned queries */
-			     view->matchclients,
-		  	     &(ns_g_server->aclenv),
-			     &match, 
-			     NULL  /* no match list */
-		            ) != ISC_R_SUCCESS
-	      ) || (match <= 0)
-	     )
-	    ) 
-	 ||( (view->matchdestinations != 0L )   /* 0L: accept "any" */
-	   &&(( dns_acl_match( &localhost, 
-			     NULL, /* unsigned queries */
-			     view->matchdestinations,
-		  	     &(ns_g_server->aclenv),
-			     &match, 
-			     NULL  /* no match list */
-		            ) != ISC_R_SUCCESS
-	      ) || (match <= 0)
-	     )
-	    )
-	  ) continue;	
-	
-	break;
-    }
-    return view;
-}
-
-static
-dns_fwdtable_t *dbus_mgr_get_fwdtable(void)
-{
-    dns_view_t *view = dbus_mgr_get_localhost_view();
-    if( view != 0L )
-	return view->fwdtable;
-    return 0L;
-}
-
-static
-dns_fwdtable_t *dbus_mgr_get_view_and_fwdtable( dns_view_t **viewp )
-{
-    *viewp = dbus_mgr_get_localhost_view();
-    if( *viewp != 0L )
-	return (*viewp)->fwdtable;
-    return 0L;
-}
-
-static int dbus_mgr_ifwdr_comparator( const void *p1, const void *p2 )
-{
-    char  n1buf[ DNS_NAME_FORMATSIZE ]="", *n1p=&(n1buf[0]),
-	  n2buf[ DNS_NAME_FORMATSIZE ]="", *n2p=&(n2buf[0]);
-    dns_name_t *dn1;
-    dns_name_t *dn2;
-    DE_CONST(&(((const DBusMgrInitialFwdr*)p1)->dn), dn1);
-    DE_CONST(&(((const DBusMgrInitialFwdr*)p2)->dn), dn2);
-    dns_name_format(dn1, n1p, DNS_NAME_FORMATSIZE );    
-    dns_name_format(dn2, n2p, DNS_NAME_FORMATSIZE );    
-    return strcmp(n1buf, n2buf);
-}
-
-static int dbus_mgr_dhc_if_comparator( const void *p1, const void *p2 );
-
-static void dbus_mgr_record_initial_forwarder( dns_name_t *name, dns_forwarders_t *fwdr, void *mp )
-{
-    ns_dbus_mgr_t *mgr = mp;
-    isc_sockaddr_t *sa, *nsa;
-    DBusMgrInitialFwdr *ifwdr;
- 
-    if( ISC_LIST_HEAD(fwdr->addrs) == 0L) 
-	return;
-
-    if( (ifwdr = isc_mem_get(mgr->mctx, sizeof(DBusMgrInitialFwdr))) == 0L)
-	return;
-
-    ifwdr->fwdpolicy = fwdr->fwdpolicy;
-
-    dns_name_init(&(ifwdr->dn), NULL);
-    if( dns_name_dupwithoffsets(name, mgr->mctx, &(ifwdr->dn)) != ISC_R_SUCCESS )
-	return;
-
-    ISC_LIST_INIT(ifwdr->sa);
-    
-    for( sa = ISC_LIST_HEAD(fwdr->addrs);
-	 sa != 0L;
-	 sa = ISC_LIST_NEXT(sa,link)
-       )
-    {
-	nsa = isc_mem_get(mgr->mctx, sizeof(isc_sockaddr_t));
-	if( nsa == 0L ) 
-	    return;
-	*nsa = *sa;
-	ISC_LINK_INIT(nsa, link);
-	ISC_LIST_APPEND(ifwdr->sa, nsa, link);
-    }
-    ISC_LINK_INIT(ifwdr, link);
-    tsearch( ifwdr, &(mgr->ifwdt), dbus_mgr_ifwdr_comparator);
-} 
-
-static isc_result_t
-dbus_mgr_record_initial_fwdtable( ns_dbus_mgr_t *mgr )
-{
-    dns_fwdtable_t *fwdtable = dbus_mgr_get_fwdtable();
-    
-    if( fwdtable == 0L )
-	return ISC_R_SUCCESS; /* no initial fwdtable */
-    dns_fwdtable_foreach( fwdtable, dbus_mgr_record_initial_forwarder, mgr);
-    return ISC_R_SUCCESS;
-}
-
-static void
-dbus_mgr_free_initial_forwarder( void *p )
-{
-   DBusMgrInitialFwdr *ifwdr = p;
-   isc_sockaddr_t *sa;
-
-   dns_name_free(&(ifwdr->dn), ns_g_mctx);
-   for( sa = ISC_LIST_HEAD( ifwdr->sa );
-	sa != 0L;
-	sa = ISC_LIST_HEAD( ifwdr->sa )
-      )
-   {
-       if( ISC_LINK_LINKED(sa, link) )
-	   ISC_LIST_UNLINK(ifwdr->sa, sa, link);
-       isc_mem_put(ns_g_mctx, sa, sizeof(isc_sockaddr_t));
-   }
-   isc_mem_put(ns_g_mctx, ifwdr, sizeof(DBusMgrInitialFwdr));
-}
-
-static void
-dbus_mgr_free_initial_fwdtable( ns_dbus_mgr_t *mgr )
-{
-    tdestroy(mgr->ifwdt, dbus_mgr_free_initial_forwarder);
-    mgr->ifwdt = 0L;
-}
-
-static void
-dbus_mgr_log_forwarders( const char *pfx, dns_name_t *name, SockAddrList *saList)
-{
-    isc_sockaddr_t   *sa;
-    char nameP[DNS_NAME_FORMATSIZE], addrP[128];
-    int s=0;
-    dns_name_format(name, nameP, DNS_NAME_FORMATSIZE );    
-    for( sa = ISC_LIST_HEAD(*saList);
-	 sa != 0L;
-	 sa = ISC_LIST_NEXT(sa,link)
-	)
-    {
-	isc_sockaddr_format(sa, addrP, 128);
-	dbus_mgr_log_info("%s zone %s server %d: %s", pfx, nameP, s++, addrP);
-    }		
-}
-
-static
-isc_result_t dbus_mgr_set_forwarders
-(   
-    ns_dbus_mgr_t *mgr,
-    DNSNameList *nameList,
-    SockAddrList *saList,
-    dns_fwdpolicy_t fwdpolicy
-)
-{
-    isc_result_t   result = ISC_R_SUCCESS;    
-    dns_fwdtable_t *fwdtable;
-    dns_view_t     *view=0L;
-    dns_name_t     *dnsName;
-    isc_sockaddr_t   *sa, *nsa;
-    dns_forwarders_t *fwdr=0L;
-
-    fwdtable = dbus_mgr_get_view_and_fwdtable(&view);
-
-    if( fwdtable == 0L )
-    {
-	if( ISC_LIST_HEAD(*saList) == 0L )
-	    return ISC_R_SUCCESS;/* deletion not required */
-
-	view = dbus_mgr_get_localhost_view();
-	if( view == 0L )
-	    return ISC_R_NOPERM; /* if configuration does not allow localhost clients,
-				  * then we really shouldn't be creating a forwarding table.
-				  */
-	result = isc_task_beginexclusive(mgr->task);
-
-	if( result == ISC_R_SUCCESS )
-	{
-	    result = dns_fwdtable_create( mgr->mctx, &(view->fwdtable) );
-
-	    isc_task_endexclusive(mgr->task);
-
-	    if( result != ISC_R_SUCCESS )
-		return result;
-
-	    if( view->fwdtable == 0L )
-		return ISC_R_NOMEMORY;
-
-	    if( isc_log_getdebuglevel(ns_g_lctx) >= 1 )
-		dbus_mgr_log_info("Created forwarder table.");
-	}
-    }
-	
-    for( dnsName = ISC_LIST_HEAD(*nameList);
-	 dnsName != NULL;
-	 dnsName = ISC_LIST_NEXT(dnsName,link)
-	)
-    {   	
-	fwdr = 0L;
-	if( ( dns_fwdtable_find_exact( fwdtable, dnsName, &fwdr ) != ISC_R_SUCCESS )
-	  ||( fwdr == 0L )
-	  )
-	{ 
-	    if( ISC_LIST_HEAD( *saList )  == 0L )
-		continue;
-	   /* no forwarders for name - add forwarders */
-
-	    result = isc_task_beginexclusive(mgr->task);
-
-	    if( result == ISC_R_SUCCESS )
-	    {
-		result = dns_fwdtable_add( fwdtable, dnsName, 
-					   (isc_sockaddrlist_t*)saList, 
-					   fwdpolicy
-					 ) ;
-
-		if( view != 0L )
-		    dns_view_flushcache( view );
-
-		isc_task_endexclusive(mgr->task);	
-
-		if( result != ISC_R_SUCCESS )
-		    return result;
-
-		if( isc_log_getdebuglevel(ns_g_lctx) >= 1 )
-		    dbus_mgr_log_forwarders("Created forwarder",dnsName, saList);
-	    }
-	    continue;
-	}
-
-	if( ISC_LIST_HEAD( *saList ) == 0L )
-	{ /* empty forwarders list - delete forwarder entry */
-
-	    if( isc_log_getdebuglevel(ns_g_lctx) >= 1 )
-		dbus_mgr_log_forwarders("Deleting forwarder", dnsName, (SockAddrList*)&(fwdr->addrs));
-
-	    result = isc_task_beginexclusive(mgr->task);
-	    if( result == ISC_R_SUCCESS )
-	    {
-		result = dns_fwdtable_delete( fwdtable, dnsName );
-
-		if( view != 0L )
-		    dns_view_flushcache( view );
-
-		isc_task_endexclusive(mgr->task);
-
-		if( result != ISC_R_SUCCESS )
-		    return result;	
-	    }
-	    continue;
-	}	
-
-	result = isc_task_beginexclusive(mgr->task);
-
-	if( result == ISC_R_SUCCESS )
-	{	 	   
-	    fwdr->fwdpolicy = fwdpolicy;
-
-	    if( isc_log_getdebuglevel(ns_g_lctx) >= 1 )
-		dbus_mgr_log_forwarders("Removing forwarder", dnsName, (SockAddrList*)&(fwdr->addrs));
-	    
-	    for( sa = ISC_LIST_HEAD(fwdr->addrs);
-		 sa != 0L ;
-		 sa = ISC_LIST_HEAD(fwdr->addrs)
-	       )
-	    {
-		if( ISC_LINK_LINKED(sa, link) )
-		    ISC_LIST_UNLINK(fwdr->addrs, sa, link);
-		isc_mem_put(mgr->mctx, sa, sizeof(isc_sockaddr_t));
-	    }
-
-	    ISC_LIST_INIT( fwdr->addrs );
-	    
-	    for( sa = ISC_LIST_HEAD(*saList);
-		 sa != 0L;
-		 sa = ISC_LIST_NEXT(sa,link)
-	       )
-	    {
-		nsa = isc_mem_get(mgr->mctx, sizeof(isc_sockaddr_t));
-		if( nsa == 0L )
-		{
-		    result = ISC_R_NOMEMORY;
-		    break;
-		}
-		*nsa = *sa;
-		ISC_LINK_INIT( nsa, link );
-		ISC_LIST_APPEND( fwdr->addrs, nsa, link );
-	    }	    
-
-	    if( view != 0L )
-		dns_view_flushcache( view );
-
-	    isc_task_endexclusive(mgr->task);
-
-	    if( isc_log_getdebuglevel(ns_g_lctx) >= 1 )
-		dbus_mgr_log_forwarders("Added forwarder", dnsName, (SockAddrList*)&(fwdr->addrs));
-
-	}else
-	    return result;
-
-    }
-    return (result);
-}
-
-static void
-dbus_mgr_get_name_list
-( 
-    ns_dbus_mgr_t *mgr,
-    char *domains, 
-    DNSNameList *nameList,
-    char *error_name,
-    char *error_message
-)
-{
-    char *name, *endName, *endp;
-    dns_fixedname_t *fixedname;
-    dns_name_t      *dnsName;
-    isc_buffer_t     buffer;
-    isc_result_t     result;
-    uint32_t total_length;
-    
-    total_length = strlen(domains);
-    endp = domains + total_length;
-
-    ISC_LIST_INIT( *nameList );
-
-    for( name =   domains + strspn(domains," \t\n"),
-	 endName = name + strcspn(name," \t\n");
-	 (name < endp) && (endName <= endp); 
-	 name =  endName + 1 + strspn(endName+1," \t\n"),
-	 endName = name + strcspn(name," \t\n")
-       )
-    {  /* name loop */
-	*endName = '\0';
-
-	isc_buffer_init( &buffer, name, endName - name );
-	isc_buffer_add(&buffer, endName - name);		
-	
-	fixedname = isc_mem_get( mgr->mctx, sizeof( dns_fixedname_t ));
-
-	dns_fixedname_init(fixedname);
-
-	dnsName = dns_fixedname_name(fixedname);
-
-	result= dns_name_fromtext
-	        (  dnsName, &buffer, ( *(endp-1) != '.') ? dns_rootname : NULL, ISC_FALSE, NULL
-		); 
-
-	if( result != ISC_R_SUCCESS )
-	{
-	    sprintf(error_name, "com.redhat.named.InvalidArgument");
-	    sprintf(error_message,"Invalid DNS name initial argument: %s", name);
-	    
-	    isc_mem_put( mgr->mctx, fixedname, sizeof( dns_fixedname_t ) );
-
-	    for( dnsName = ISC_LIST_HEAD( *nameList );
-		 (dnsName != 0L);
-		 dnsName = ISC_LIST_HEAD( *nameList )
-	       )
-	    {
-		if( ISC_LINK_LINKED(dnsName,link) )
-		    ISC_LIST_DEQUEUE( *nameList, dnsName, link );
-		isc_mem_put( mgr->mctx, dnsName, sizeof( dns_fixedname_t ) );
-	    }
-	    ISC_LIST_INIT(*nameList);
-	    return;
-	}
-	ISC_LINK_INIT(dnsName, link);
-	ISC_LIST_ENQUEUE( *nameList, dnsName, link );
-    }
-}
-
-static isc_result_t
-dbus_mgr_get_sa_list
-(
-    ns_dbus_mgr_t *mgr,
-    dbus_svc_MessageIterator iter,
-    SockAddrList *saList ,
-    uint8_t *fwdpolicy,
-    char *error_name,
-    char *error_message
-)
-{
-    DBUS_SVC dbus = mgr->dbus;
-    isc_sockaddr_t *nsSA=0L, *nsSA_Q=0L;
-    uint32_t argType = dbus_svc_message_next_arg_type( dbus, iter ), 
-	     length;    
-    isc_result_t result;
-    in_port_t port;
-    char *ip;
-    uint8_t *iparray=0L;
-
-    ISC_LIST_INIT(*saList);
-
-    if( argType == TYPE_INVALID ) 
-	return ISC_R_SUCCESS; /* address list "removal" */
-   
-    do
-    {
-	switch( argType )
-	{
-	case TYPE_UINT32:
-
-	    nsSA = isc_mem_get(mgr->mctx, sizeof(isc_sockaddr_t));
-	    if( nsSA != 0L )
-	    {
-		memset(nsSA,'\0', sizeof(isc_sockaddr_t));
-		nsSA_Q = nsSA;
-		dbus_svc_message_next_arg(dbus, iter, &(nsSA->type.sin.sin_addr.s_addr));	
-		nsSA->type.sa.sa_family = AF_INET;
-		nsSA->length = sizeof( nsSA->type.sin );
-	    }
-	    break;
-
-	case TYPE_ARRAY:
-
-	    argType = dbus_svc_message_element_type( dbus, iter );
-	    if( argType == TYPE_BYTE )
-	    {
-		iparray = 0L;
-		length = 0;
-
-		dbus_svc_message_get_elements(dbus, iter, &length, &iparray);
-		
-		if( iparray != 0L )
-		{
-		    if (length == sizeof( struct in_addr ))
-		    {
-			nsSA = isc_mem_get(mgr->mctx, sizeof(isc_sockaddr_t));
-			if( nsSA != 0L )
-			{
-			    memset(nsSA,'\0', sizeof(isc_sockaddr_t));
-			    nsSA_Q = nsSA;
-
-			    memcpy(&(nsSA->type.sin.sin_addr), iparray, sizeof( struct in_addr ));
-			    nsSA->type.sa.sa_family = AF_INET;
-			    nsSA->length = sizeof( nsSA->type.sin );
-			}
-		    }else
-		    if (length == sizeof( struct in6_addr ))
-		    {
-			nsSA = isc_mem_get(mgr->mctx, sizeof(isc_sockaddr_t));
-			if( nsSA != 0L )
-			{
-			    memset(nsSA,'\0', sizeof(isc_sockaddr_t));
-			    nsSA_Q = nsSA;
-			
-			    memcpy(&(nsSA->type.sin6.sin6_addr), iparray, sizeof( struct in6_addr ));
-			    nsSA->type.sa.sa_family = AF_INET6;
-			    nsSA->length = sizeof( nsSA->type.sin6 );
-			}
-		    }
-		}
-	    }
-	    break;
-
-	case TYPE_STRING:
-
-	    ip = 0L;
-	    dbus_svc_message_next_arg(dbus, iter, &(ip));	
-	    if( ip != 0L )
-	    {
-		length = strlen(ip);
-		if( strspn(ip, "0123456789.") == length )
-		{
-		    nsSA = isc_mem_get(mgr->mctx, sizeof(isc_sockaddr_t));
-		    if( nsSA != 0L) 
-		    {
-			memset(nsSA,'\0', sizeof(isc_sockaddr_t));
-			if( inet_pton( AF_INET, ip, &(nsSA->type.sin.sin_addr)) )
-			{
-			    nsSA->type.sa.sa_family = AF_INET;
-			    nsSA->length = sizeof(nsSA->type.sin);
-			    nsSA_Q = nsSA;
-			}
-		    }
-		}else
-		if( strspn(ip, "0123456789AaBbCcDdEeFf:.") == length)
-		{
-		    nsSA = isc_mem_get(mgr->mctx, sizeof(isc_sockaddr_t));
-		    if( nsSA != 0L )
-		    {
-			memset(nsSA,'\0', sizeof(isc_sockaddr_t));
-			if( inet_pton( AF_INET6, ip, &(nsSA->type.sin6.sin6_addr)) )
-			{
-			    nsSA->type.sa.sa_family = AF_INET6;
-			    nsSA->length = sizeof(nsSA->type.sin6);
-			    nsSA_Q = nsSA;
-			}
-		    }
-		}
-	    }
-	    break;
-	   
-	case TYPE_UINT16:
-	    
-	    if( (nsSA == 0L) || (nsSA->type.sa.sa_family == AF_UNSPEC) )
-		break;
-	    else
-	    if( nsSA->type.sa.sa_family == AF_INET )
-		dbus_svc_message_next_arg(dbus, iter, &(nsSA->type.sin.sin_port));
-	    else
-            if( nsSA->type.sa.sa_family == AF_INET6 )
-		dbus_svc_message_next_arg(dbus, iter, &(nsSA->type.sin6.sin6_port));
-	    break;
-
-	case TYPE_BYTE:
-
-	    dbus_svc_message_next_arg(dbus, iter, fwdpolicy);
-	    if(*fwdpolicy > dns_fwdpolicy_only)
-		*fwdpolicy =  dns_fwdpolicy_only;
-	    break;
-
-	default:
-
-	    if(nsSA != 0L) 
-		nsSA->type.sa.sa_family = AF_UNSPEC;
-	    sprintf(error_message,"Unhandled argument type: %c", argType);
-	    break;
-	}
-
-	if( (nsSA != 0L) 
-	  &&(nsSA->type.sa.sa_family == AF_UNSPEC)
-	  )
-	{
-	    sprintf(error_name, "com.redhat.named.InvalidArgument");
-	    if( error_message[0]=='\0')
-	    {
-		if( nsSA == 0L )
-		    sprintf(error_message,"Missing IP Address Name Server argument");
-		else
-		    sprintf(error_message,"Bad IP Address Name Server argument");
-	    }
-       	    if( nsSA != 0L )
-		isc_mem_put(mgr->mctx, nsSA, sizeof(isc_sockaddr_t));
-	    nsSA = 0L;
-	    for( nsSA = ISC_LIST_HEAD( *saList );
-		 (nsSA != 0L);
-		 nsSA = ISC_LIST_HEAD( *saList )
-	       )
-	    {
-		if(ISC_LINK_LINKED(nsSA, link))
-		    ISC_LIST_DEQUEUE( *saList, nsSA, link );
-		isc_mem_put( mgr->mctx, nsSA, sizeof( isc_sockaddr_t ) );
-	    }
-	    ISC_LIST_INIT(*saList);
-	    return ISC_R_FAILURE;
-	}
-
-	if( nsSA != 0L )
-	{
-	    if( nsSA->type.sin.sin_port == 0 )
-	    {
-		if( ns_g_port != 0L )
-		    nsSA->type.sin.sin_port = htons(ns_g_port);
-		else
-		{
-		    result = ns_config_getport(ns_g_config, &(port) );
-		    if( result != ISC_R_SUCCESS )
-			port = 53;
-		    nsSA->type.sin.sin_port = htons( port );
-		}
-	    }	
-	
-	    if( nsSA_Q != 0L )
-	    {
-		ISC_LINK_INIT(nsSA,link);
-		ISC_LIST_ENQUEUE(*saList, nsSA, link);
-		nsSA_Q = 0L;
-	    }
-	}
-
-	argType = dbus_svc_message_next_arg_type( dbus, iter );    
-
-    } while ( argType != TYPE_INVALID );
-
-    return ISC_R_SUCCESS;
-}
-
-static void
-dbus_mgr_handle_set_forwarders
-(
-    ns_dbus_mgr_t *mgr,
-    DBUS_SVC dbus, 
-    uint8_t  reply_expected,
-    uint32_t serial,        
-    const char *path,         
-    const char *member,         
-    const char *interface,
-    const char *sender,   
-    dbus_svc_MessageHandle msg
-)
-{
-    dbus_svc_MessageIterator iter;
-    char error_name[1024]="", error_message[1024]="", *domains=0L;
-    uint32_t       argType, new_serial;
-    DNSNameList nameList; 
-    dns_name_t     *dnsName;
-    SockAddrList  saList;    
-    isc_sockaddr_t *nsSA;
-    isc_result_t   result;
-    uint8_t fwdpolicy = dns_fwdpolicy_only;
-    
-    iter = dbus_svc_message_iterator_new( dbus, msg );
-
-    if( iter == 0L )
-    {
-	if( reply_expected )
-	{
-	    sprintf(error_name, "com.redhat.named.InvalidArguments");
-	    sprintf(error_message,"SetForwarders requires DNS name and nameservers arguments.");
-	    dbus_svc_send( dbus, ERROR, serial, &new_serial, sender, path, interface, member,
-			   TYPE_STRING, error_name, TYPE_STRING, error_message, TYPE_INVALID 
-		         );
-	}
-	return;
-    }
-    
-    argType = dbus_svc_message_next_arg_type( dbus, iter );
-
-    if( argType != TYPE_STRING )
-    {
-	if( reply_expected )
-	{
-	    sprintf(error_name, "com.redhat.named.InvalidArguments");
-	    sprintf(error_message,"SetForwarders requires DNS name string initial argument.");
-	    dbus_svc_send( dbus, ERROR, serial, &new_serial, sender, path, interface, member,
-			   TYPE_STRING, error_name, TYPE_STRING, error_message, TYPE_INVALID 
-		         );
-	}
-	return;
-    } 
-    
-    dbus_svc_message_next_arg( dbus, iter, &domains );
-
-    if( ( domains == 0L ) || (*domains == '\0') )
-    {
-	if( reply_expected )
-	{
-	    sprintf(error_name, "com.redhat.named.InvalidArguments");
-	    sprintf(error_message,"SetForwarders requires DNS name string initial argument.");
-	    dbus_svc_send( dbus, ERROR, serial, &new_serial, sender, path, interface, member,
-			   TYPE_STRING, error_name, TYPE_STRING, error_message, TYPE_INVALID 
-		         );
-	}
-	return;
-    }
-    
-    dbus_mgr_get_name_list( mgr, domains, &nameList, error_name, error_message );
-    
-    if( error_name[0] != '\0' )
-    {
-	if( reply_expected )
-	{
-	    dbus_svc_send( dbus, ERROR, serial, &new_serial, sender, path, interface, member,
-			   TYPE_STRING, error_name, TYPE_STRING, error_message, TYPE_INVALID 
-		         );
-	}
-	return;
-    }
-
-    if( ISC_LIST_HEAD( nameList ) == 0L )
-	return;	
-
-    result = dbus_mgr_get_sa_list( mgr, iter, &saList , &fwdpolicy, error_name, error_message );
-
-    if( result == ISC_R_SUCCESS )
-    {
-	result = dbus_mgr_set_forwarders( mgr, &nameList, &saList, fwdpolicy );
-
-	if( result != ISC_R_SUCCESS )
-	{
-	    if( reply_expected )
-	    {
-		sprintf(error_name, "com.redhat.named.Failure");
-		sprintf(error_message, isc_result_totext(result));
-		dbus_svc_send( dbus, ERROR, serial, &new_serial, sender, path, interface, member,
-			       TYPE_STRING, error_name, TYPE_STRING, error_message, TYPE_INVALID 
-		             );
-	    }
-	}else	
-	    if( reply_expected )
-		dbus_svc_send( dbus, RETURN, serial, &new_serial, sender, path, interface, member,
-		       TYPE_UINT32, &result, TYPE_INVALID
-	             );
-    }else
-    {
-	if( reply_expected )
-	{
-	    dbus_svc_send( dbus, ERROR, serial, &new_serial, sender, path, interface, member,
-			   TYPE_STRING, error_name, TYPE_STRING, error_message, TYPE_INVALID 
-		         );
-	}
-    }
-
-    for( dnsName = ISC_LIST_HEAD( nameList );
-	 (dnsName != 0L) ;
-	 dnsName = ISC_LIST_HEAD( nameList )
-	)
-    {
-	if( ISC_LINK_LINKED(dnsName,link) )
-	    ISC_LIST_DEQUEUE( nameList, dnsName, link );
-	isc_mem_put( mgr->mctx, dnsName, sizeof( dns_fixedname_t ) );
-    }
-
-    for( nsSA = ISC_LIST_HEAD(saList);
-	 (nsSA != 0L) ;
-	 nsSA = ISC_LIST_HEAD(saList)
-       )
-    {
-	if( ISC_LINK_LINKED(nsSA,link) )
-	    ISC_LIST_DEQUEUE( saList, nsSA, link );
-	isc_mem_put(mgr->mctx, nsSA, sizeof(isc_sockaddr_t));
-    }
-}
-
-static 
-int dbus_mgr_msg_append_dns_name
-(   DBUS_SVC dbus, 
-    dbus_svc_MessageHandle msg,
-    dns_name_t *name
-)
-{
-    char  nameBuf[ DNS_NAME_FORMATSIZE ]="", *nameP=&(nameBuf[0]);
-
-    dns_name_format(name, nameP, DNS_NAME_FORMATSIZE );    
-
-    if( *nameP == '\0' )
-	return 0;
-
-    return dbus_svc_message_append_args( dbus, msg, TYPE_STRING, &nameP, TYPE_INVALID ) > 0;
-}
-
-typedef enum dbmoi_e
-{
-    OUTPUT_BINARY,
-    OUTPUT_TEXT    
-}   DBusMgrOutputInterface;
-
-static 
-int dbus_mgr_msg_append_forwarders
-(   DBUS_SVC               dbus, 
-    dbus_svc_MessageHandle msg,
-    dns_forwarders_t      *fwdr,
-    DBusMgrOutputInterface outputType
-)
-{
-    isc_sockaddr_t *sa;
-    char policyBuf[16]="", *pbp[1]={&(policyBuf[0])}, addressBuf[64]="", *abp[1]={&(addressBuf[0])};
-    uint8_t *byteArray[1];
-
-    if( outputType == OUTPUT_BINARY )
-    {
-	if(!dbus_svc_message_append_args
-	   (   dbus, msg, 
-	       TYPE_BYTE, &(fwdr->fwdpolicy),
-	       TYPE_INVALID
-	   )
-	  ) return 0;
-    }else
-    if( outputType == OUTPUT_TEXT )
-    {
-	sprintf(policyBuf,"%s",
-		(fwdr->fwdpolicy == dns_fwdpolicy_none)
-		? "none"
-		:  (fwdr->fwdpolicy == dns_fwdpolicy_first)
-		   ? "first"
-		   : "only"
-	       );
-	if(!dbus_svc_message_append_args
-	   (   dbus, msg, 
-	       TYPE_STRING, pbp,
-	       TYPE_INVALID
-	   )
-	  ) return 0;
-    }else
-	return 0;
-
-    for( sa = ISC_LIST_HEAD(fwdr->addrs);
-	 sa != 0L;
-	 sa = ISC_LIST_NEXT(sa, link)
-	)
-    {
-	if( outputType == OUTPUT_BINARY )
-	{
-	    if( sa->type.sa.sa_family == AF_INET )
-	    {
-		if(!dbus_svc_message_append_args
-		   (   dbus, msg, 
-		       TYPE_UINT32, &(sa->type.sin.sin_addr.s_addr),
-		       TYPE_INVALID
-		   )
-		  ) return 0;
-		
-		if(!dbus_svc_message_append_args
-		   (   dbus, msg, 
-		       TYPE_UINT16, &(sa->type.sin.sin_port),
-		       TYPE_INVALID
-		   )
-		  ) return 0;
-	    }else
-	    if( sa->type.sa.sa_family == AF_INET6 )
-	    {
-		byteArray[0] = (uint8_t*)&(sa->type.sin6.sin6_addr);
-		if(!dbus_svc_message_append_args
-		   (   dbus, msg, 
-		       TYPE_ARRAY, TYPE_BYTE, &byteArray, sizeof(struct in6_addr),
-		       TYPE_INVALID
-		   )
-		  ) return 0;
-
-		if(!dbus_svc_message_append_args
-		   (   dbus, msg, 
-		       TYPE_UINT16, &(sa->type.sin6.sin6_port),
-		       TYPE_INVALID
-		   )
-		  ) return 0;
-	    }else
-		continue;
-	}else
-	if( outputType == OUTPUT_TEXT )
-	{
-	    if( sa->type.sa.sa_family == AF_INET )
-	    {
-		if( inet_ntop( AF_INET, &(sa->type.sin.sin_addr), addressBuf, sizeof(addressBuf)) == 0L )
-		    continue;
-		if(!dbus_svc_message_append_args
-		   (   dbus, msg, 
-		       TYPE_STRING, abp,
-		       TYPE_INVALID
-		   )
-		  ) return 0;
-		sprintf(addressBuf, "%hu", ntohs( sa->type.sin.sin_port ));
-		if(!dbus_svc_message_append_args
-		   (   dbus, msg, 
-		       TYPE_STRING, abp,
-		       TYPE_INVALID
-		   )
-		  ) return 0;
-	    }else
-	    if( sa->type.sa.sa_family == AF_INET6 )
-	    {
-		if( inet_ntop( AF_INET6, &(sa->type.sin6.sin6_addr), addressBuf, sizeof(addressBuf)) == 0L )
-		    continue;
-		if(!dbus_svc_message_append_args
-		   (   dbus, msg, 
-		       TYPE_STRING, abp,
-		       TYPE_INVALID
-		   )
-		  ) return 0;
-		sprintf(addressBuf, "%hu", ntohs( sa->type.sin6.sin6_port ));
-		if(!dbus_svc_message_append_args
-		   (   dbus, msg, 
-		       TYPE_STRING, abp,
-		       TYPE_INVALID
-		   )
-		  ) return 0;		
-	    }else
-		continue;
-	}else
-	    return 0;
-    }
-    return 1;
-}
-
-typedef struct dbm_m_s
-{
-    DBUS_SVC dbus;
-    dbus_svc_MessageHandle msg;
-    DBusMgrOutputInterface outputType;
-}   DBusMgrMsg;
-
-static
-void forwarders_to_msg( dns_name_t *name, dns_forwarders_t *fwdr, void *mp )
-{
-    DBusMgrMsg *m = mp;
-    
-    if( (fwdr == 0L) || (name == 0L) || (mp == 0L))
-	return;
-    dbus_mgr_msg_append_dns_name  ( m->dbus, m->msg, name );
-    dbus_mgr_msg_append_forwarders( m->dbus, m->msg, fwdr, m->outputType );    
-}
-
-static void
-dbus_mgr_handle_list_forwarders
-(
-    DBUS_SVC dbus, 
-    uint8_t  reply_expected,
-    uint32_t serial,        
-    const char *path,         
-    const char *member,         
-    const char *interface,
-    const char *sender,   
-    dbus_svc_MessageHandle msg
-)
-{
-    char error_name[1024], error_message[1024];
-    DBusMgrMsg m;
-    uint32_t new_serial;
-    dns_fwdtable_t *fwdtable = dbus_mgr_get_fwdtable();
-    DBusMgrOutputInterface outputType = OUTPUT_BINARY;
-    uint32_t length = strlen(interface);
-        
-    if( !reply_expected )
-	return;
-
-    if( (length > 4) && (strcmp(interface + (length - 4), "text")==0))
-	outputType = OUTPUT_TEXT;
-
-    if( fwdtable == 0L )
-    {	
-	sprintf(error_name,"com.redhat.dbus.Failure");
-	sprintf(error_message, "%s", isc_result_totext(ISC_R_NOPERM));
-	dbus_svc_send( dbus, ERROR, serial, &new_serial, sender, path, interface, member,
-		       TYPE_STRING, error_name, TYPE_STRING, error_message, TYPE_INVALID 
-	             );	    
-	return;
-    }
-
-    msg = dbus_svc_new_message( dbus, RETURN, serial, sender, path, interface, member);
-
-    m.dbus = dbus;
-    m.msg = msg;
-    m.outputType = outputType;
-
-    if( msg == 0L )
-    {
-	sprintf(error_name,"com.redhat.dbus.OutOfMemory");
-	sprintf(error_message,"out of memory");
-	dbus_svc_send( dbus, ERROR, serial, &new_serial, sender, path, interface, member,
-		       TYPE_STRING, error_name, TYPE_STRING, error_message, TYPE_INVALID 
-	             );	    
-    }
-    
-    dns_fwdtable_foreach( fwdtable, forwarders_to_msg, &m );
-
-    dbus_svc_send_message( dbus, msg, &new_serial );
-}
-
-static void
-dbus_mgr_handle_get_forwarders
-(
-    DBUS_SVC dbus, 
-    uint8_t  reply_expected,
-    uint32_t serial,        
-    const char *path,         
-    const char *member,         
-    const char *interface,
-    const char *sender,   
-    dbus_svc_MessageHandle msg
-)
-{
-    char error_name[1024], error_message[1024], *domain=0L;
-    isc_result_t    result;
-    dns_fixedname_t  fixedname;
-    dns_name_t       *dnsName;
-    isc_buffer_t     buffer;
-    uint32_t         length,  new_serial;
-    dns_fwdtable_t   *fwdtable;
-    dns_forwarders_t *fwdr=0L;
-    dns_name_t       *foundname;
-    dns_fixedname_t  fixedFoundName;
-    DBusMgrOutputInterface outputType = OUTPUT_BINARY;
-
-    if( !reply_expected )
-	return;
-
-    length = strlen(interface);
-
-    if( (length > 4) && (strcmp(interface + (length - 4), "text")==0))
-	outputType = OUTPUT_TEXT;
-
-    if( (!dbus_svc_get_args( dbus, msg, TYPE_STRING, &domain, TYPE_INVALID))
-      ||(domain == 0L)
-      ||(*domain == '\0')
-      )
-    {
-
-	sprintf(error_name,"com.redhat.dbus.InvalidArguments");
-	sprintf(error_message,"domain name argument expected");
-	dbus_svc_send( dbus, ERROR, serial, &new_serial, sender, path, interface, member,
-		       TYPE_STRING, error_name, TYPE_STRING, error_message, TYPE_INVALID 
-	             );	    
-	return;
-    }
-    
-    length = strlen( domain );
-
-    isc_buffer_init( &buffer, domain, length); 
-
-    isc_buffer_add(&buffer, length);		
-    
-    dns_fixedname_init(&fixedname);
-
-    dnsName = dns_fixedname_name(&fixedname);
-
-    result = dns_name_fromtext
-	     (  dnsName, &buffer, dns_rootname, ISC_FALSE, NULL
-	     ); 
-
-    if( result != ISC_R_SUCCESS )
-    {	
-	sprintf(error_name,"com.redhat.dbus.InvalidArguments");
-	sprintf(error_message,"invalid domain name argument: %s", domain);
-	dbus_svc_send( dbus, ERROR, serial, &new_serial, sender, path, interface, member,
-		       TYPE_STRING, error_name, TYPE_STRING, error_message, TYPE_INVALID 
-	             );	    
-	return;
-    }
-
-    msg = dbus_svc_new_message( dbus, RETURN, serial, sender, path, interface, member);
-    
-    if( msg == 0L )
-    {
-	sprintf(error_name,"com.redhat.dbus.OutOfMemory");
-	sprintf(error_message,"out of memory");
-	dbus_svc_send( dbus, ERROR, serial, &new_serial, sender, path, interface, member,
-		       TYPE_STRING, error_name, TYPE_STRING, error_message, TYPE_INVALID 
-	             );	
-	return;
-    }	
-    
-    fwdtable = dbus_mgr_get_fwdtable();
-
-    if( fwdtable == 0L )
-    {
-	sprintf(error_name,"com.redhat.dbus.Failure");
-	sprintf(error_message, "%s", isc_result_totext(ISC_R_NOPERM));
-	dbus_svc_send( dbus, ERROR, serial, &new_serial, sender, path, interface, member,
-		       TYPE_STRING, error_name, TYPE_STRING, error_message, TYPE_INVALID 
-	             );	    
-	return;
-    }
-
-    dns_fixedname_init(&fixedFoundName);
-    foundname = dns_fixedname_name(&fixedFoundName);
-	
-    if( ( dns_fwdtable_find_closest( fwdtable, dnsName, foundname, &fwdr ) == ISC_R_SUCCESS )
-      &&( fwdr != 0L )
-      )
-    {
-	if( (!dbus_mgr_msg_append_dns_name( dbus, msg, foundname ))
-	  ||(!dbus_mgr_msg_append_forwarders( dbus, msg, fwdr, outputType ))
-	  )
-	{
-	    sprintf(error_name,"com.redhat.dbus.OutOfMemory");
-	    sprintf(error_message,"out of memory");
-	    dbus_svc_send( dbus, ERROR, serial, &new_serial, sender, path, interface, member,
-			   TYPE_STRING, error_name, TYPE_STRING, error_message, TYPE_INVALID 
-		);	    
-	    return;
-	}	
-	
-    }else
-    {
-	result = ISC_R_NOTFOUND;
-	if( outputType == OUTPUT_BINARY )
-	{
-	    dbus_svc_message_append_args( dbus, msg, 
-					  TYPE_UINT32, &(result),
-					  TYPE_INVALID
-		                        ) ;
-	}else
-	{
-	    sprintf(error_name,"com.redhat.dbus.NotFound");
-	    sprintf(error_message,"Not Found");
-	    dbus_svc_send( dbus, ERROR, serial, &new_serial, sender, path, interface, member,
-			   TYPE_STRING, error_name, TYPE_STRING, error_message, TYPE_INVALID 
-		         );	   
-	    return;
-	}
-    }
-    dbus_svc_send_message( dbus, msg, &new_serial );
-}
-
-static void
-dbus_mgr_check_dhcdbd_state( ns_dbus_mgr_t *mgr, dbus_svc_MessageHandle msg )
-{
-    DBUS_SVC dbus = mgr->dbus;
-    char *name_owned = 0L,
-	 *old_owner = 0L,
-	 *new_owner = 0L;
-    
-    if( !dbus_svc_get_args( dbus, msg,
-			    TYPE_STRING, &name_owned,
-			    TYPE_STRING, &old_owner,
-			    TYPE_STRING, &new_owner,
-			    TYPE_INVALID
-	                  )
-      ) return;
-	
-    dbus_mgr_log_dbg("NameOwnerChanged: %s %s %s ( %s )", name_owned, old_owner, new_owner, mgr->dhcdbd_name);
-
-    if( (name_owned == 0L) || (new_owner == 0L) || (old_owner == 0L) )
-	return;
-
-    if( strcmp( name_owned, "com.redhat.dhcp" ) == 0 )
-    {
-	if( *new_owner == '\0' )
-	{
-	    isc_mem_put(mgr->mctx, mgr->dhcdbd_name, strlen(mgr->dhcdbd_name) + 1);
-	    mgr->dhcdbd_name = 0L;
-	    dbus_mgr_log_err("D-BUS dhcdbd subscription disabled.");
-	    return;
-	}
-	if( (mgr->dhcdbd_name == 0L) 
-	  ||( strcmp( mgr->dhcdbd_name, new_owner) != 0 )
-	  )
-	{
-	    if( mgr->dhcdbd_name != 0L )
-	    {
-		isc_mem_put(mgr->mctx, mgr->dhcdbd_name, strlen(mgr->dhcdbd_name)+1);
-		mgr->dhcdbd_name = 0L;
-	    }
-	    mgr->dhcdbd_name = isc_mem_get(mgr->mctx, strlen(new_owner) + 1);
-	    if( mgr->dhcdbd_name == 0L )
-		return;
-	    strcpy( mgr->dhcdbd_name, new_owner );
-	    dbus_mgr_subscribe_to_dhcdbd( mgr );
-	}
-    }else
-    if(  ( mgr->dhcdbd_name != 0L ) 
-      && ( strcmp(mgr->dhcdbd_name, name_owned) == 0L )
-      && ( *new_owner == '\0' )
-      ) 
-    {
-	isc_mem_put(mgr->mctx, mgr->dhcdbd_name, strlen(mgr->dhcdbd_name));
-	mgr->dhcdbd_name = 0L;
-	dbus_mgr_log_err("D-BUS dhcdbd subscription disabled.");
-    }
-}
-
-static int dbus_mgr_dhc_if_comparator( const void *p1, const void *p2 )
-{
-    return( strcmp( ((const DHC_IF*)p1)->if_name, ((const DHC_IF*)p2)->if_name) );
-}
-
-static 
-dns_name_t *dbus_mgr_if_reverse_ip_name
-(   ns_dbus_mgr_t *mgr,
-    struct in_addr ip_address, 
-    struct in_addr subnet_mask 
-)
-{
-    dns_name_t *dns_name =0L;
-    dns_fixedname_t *fixedname=0L;
-    char name [ DNS_NAME_FORMATSIZE ], *p;
-    uint32_t ip = (ntohl(ip_address.s_addr) & ntohl(subnet_mask.s_addr)), i;
-    isc_buffer_t buffer;
-    isc_result_t result;
-
-    if( (ip == 0) || (ip == 0xffffffff) )
-	return 0L;
-    
-    for(i = 8, p = name; (i < 32); i += 8)
-	if( ip & ( 0xff << i ) )
-	    p += sprintf(p, "%u.", (((ip & ( 0xff << i )) >> i ) & 0xff) );
-
-    if( p > name )
-    {
-	p += sprintf(p, "in-addr.arpa");
-	isc_buffer_init( &buffer, name, p - name );
-	isc_buffer_add(&buffer, p - name);		
-	
-	fixedname = isc_mem_get( mgr->mctx, sizeof( dns_fixedname_t ));
-
-	dns_fixedname_init(fixedname);
-
-	dns_name = dns_fixedname_name(fixedname);
-
-	result= dns_name_fromtext
-	        (  dns_name, &buffer, dns_rootname, ISC_FALSE, NULL
-		); 
-
-	ISC_LINK_INIT(dns_name, link);
-	if( result == ISC_R_SUCCESS )
-	    return dns_name;
-    }
-    return 0L;
-}
-
-static void
-dbus_mgr_free_dhc( void *p )
-{
-    DHC_IF *d_if = p;
-    dns_name_t *dn;
-    isc_sockaddr_t *sa;
-
-    isc_mem_put( ns_g_mctx, d_if->if_name, strlen(d_if->if_name) + 1);
-    for( sa = ISC_LIST_HEAD( d_if->dns );
-	 sa != NULL;
-	 sa = ISC_LIST_HEAD( d_if->dns )
-       )
-    {
-	if( ISC_LINK_LINKED( sa, link ) )
-	    ISC_LIST_UNLINK( d_if->dns, sa, link );
-	isc_mem_put(ns_g_mctx, sa, sizeof(isc_sockaddr_t));
-    }
-    for( dn = ISC_LIST_HEAD( d_if->dn );
-	 dn != NULL;
-	 dn = ISC_LIST_HEAD( d_if->dn )
-       )
-    {
-	if( ISC_LINK_LINKED( dn, link ) )
-	    ISC_LIST_UNLINK( d_if->dn, dn, link );
-	isc_mem_put( ns_g_mctx, dn, sizeof( dns_fixedname_t ) );
-    }
-    isc_mem_put( ns_g_mctx, d_if, sizeof(DHC_IF));    
-}
-
-static void
-dbus_mgr_handle_dhcdbd_message
-(
-    ns_dbus_mgr_t *mgr,
-    const char *path,
-    const char *member,
-    dbus_svc_MessageHandle msg
-)
-{
-    DBUS_SVC dbus = mgr->dbus;
-    DHC_IF *d_if, *const*d_ifpp, dif;
-    DHC_State dhc_state;
-    char *if_name, *opt_name, error_name[1024]="", error_message[1024]="";
-    uint8_t *value=0L;
-    uint32_t length;
-    isc_result_t result;
-    isc_sockaddr_t *sa = 0L;
-    dns_name_t *dn = 0L;
-    struct in_addr *ip;
-    in_port_t port;
-    char dnBuf[ DNS_NAME_FORMATSIZE ];
-    isc_buffer_t buffer;
-    DBusMgrInitialFwdr *ifwdr, *const*ifwdpp, ifwd;    
-    ISC_LIST(DBusMgrInitialFwdr) ifwdrList;
-    DNSNameList nameList;
-    dbus_mgr_log_dbg("Got dhcdbd message: %s %s %p", path, member, msg );
-
-    if( ( if_name = strrchr(path,'/') ) == 0L )
-    {
-	dbus_mgr_log_err("bad path in dhcdbd message:", path);
-	return;
-    }
-
-    ++if_name;
-    dif.if_name = if_name;
-
-    if( ((d_ifpp=tfind( &dif, &(mgr->dhc_if), dbus_mgr_dhc_if_comparator)) == 0L)
-      ||((d_if = *d_ifpp) == 0L)
-      )
-    {
-	d_if = isc_mem_get( mgr->mctx, sizeof(DHC_IF));
-	if( d_if == 0L )	  
-	{
-	    dbus_mgr_log_err("out of memory");
-	    return;
-	}
-	memset(d_if, '\0', sizeof(DHC_IF));
-	if((d_if->if_name =  isc_mem_get( mgr->mctx, strlen(if_name) + 1)) == 0L)
-	{
-	    dbus_mgr_log_err("out of memory");
-	    return;
-	}
-	strcpy(d_if->if_name, if_name);
-	d_if->dhc_state = DHC_INVALID;
-	d_if->previous_state = DHC_INVALID;
-	ISC_LIST_INIT( d_if->dn );
-	ISC_LIST_INIT( d_if->dns );
-	if( tsearch( d_if, &(mgr->dhc_if), dbus_mgr_dhc_if_comparator) == 0L )
-	{
-	    dbus_mgr_log_err("out of memory");
-	    return;
-	}
-    }
-
-    if( strcmp(member, "reason") == 0 )
-    {
-	if( (!dbus_svc_get_args( dbus, msg,
-				 TYPE_STRING, &opt_name,
-				 TYPE_ARRAY, TYPE_BYTE, &value, &length,
-				 TYPE_INVALID
-		               )
-	    )
-	  ||( value == 0L)
-	  ||( length != sizeof(uint32_t))
-	  ||( *((uint32_t*)value) > DHC_END_OPTIONS)
-	  )
-	{
-	    dbus_mgr_log_err("Invalid DHC reason value received from dhcdbd");
-	    return;
-	}
-	dhc_state = (DHC_State) *((uint32_t*)value);
-	dbus_mgr_log_dbg("reason: %d %d %d", dhc_state, d_if->dhc_state, d_if->previous_state);
-	switch( dhc_state )
-	{
-
-	case  DHC_END_OPTIONS:
-	    switch( d_if->dhc_state )
-	    {
-	    case  DHC_END_OPTIONS:
-		break;
-
-	    case  DHC_RENEW: 
-	    case  DHC_REBIND:		
-		if( ( d_if->previous_state != DHC_INVALID ) 
-		  &&( d_if->previous_state != DHC_RELEASE )
-		  ) break; 
-		    /* DHC_RENEW means the same lease parameters were obtained. 
-		     * Only do configuration if we started up with existing dhclient
-		     * which has now renewed - else we are already configured correctly.
-		     */
-		dbus_mgr_log_err("D-BUS: existing dhclient for interface %s RENEWed lease", if_name);
-
-	    case  DHC_REBOOT:
-	    case  DHC_BOUND:
-		d_if->previous_state = d_if->dhc_state;
-		d_if->dhc_state = DHC_BOUND;
-		if( (dn = dbus_mgr_if_reverse_ip_name(mgr, d_if->ip, d_if->subnet_mask )) != 0L )
-		{
-		    ISC_LIST_APPEND(d_if->dn, dn, link );
-		} 
-		if( ( ISC_LIST_HEAD( d_if->dn ) != NULL )
-		  &&( ISC_LIST_HEAD( d_if->dns ) != NULL )
-		  )
-		{
-		    dbus_mgr_log_err("D-BUS: dhclient for interface %s acquired new lease - creating forwarders.", 
-				     if_name
-			            );
-		    result = dbus_mgr_set_forwarders( mgr, &(d_if->dn), &(d_if->dns), dns_fwdpolicy_only );
-		    if( result != ISC_R_SUCCESS )
-		    {
-			dbus_mgr_log_err("D-BUS: forwarder configuration failed: %s", isc_result_totext(result));
-		    }
-		}
-		break;	  
-
-	    case  DHC_STOP:
-	    case  DHC_TIMEOUT:
-	    case  DHC_FAIL:
-	    case  DHC_EXPIRE:
-	    case  DHC_RELEASE:
-		d_if->previous_state = d_if->dhc_state;
-		d_if->dhc_state = DHC_RELEASE;
-		if( ISC_LIST_HEAD( d_if->dn ) != NULL )
-		{
-		    dbus_mgr_log_err("D-BUS: dhclient for interface %s released lease - removing forwarders.", 
-				     if_name);
-		    for( sa = ISC_LIST_HEAD( d_if->dns );
-			 sa != 0L;
-			 sa = ISC_LIST_HEAD( d_if->dns )
-		       )
-		    {
-			if( ISC_LINK_LINKED( sa, link ) )
-			    ISC_LIST_UNLINK( d_if->dns, sa, link );
-			isc_mem_put( mgr->mctx, sa, sizeof(isc_sockaddr_t));
-		    }
-		    ISC_LIST_INIT( d_if->dns );
-		    ISC_LIST_INIT( ifwdrList );
-
-		    for( dn = ISC_LIST_HEAD( d_if->dn );
-			 dn != 0L;
-			 dn = ISC_LIST_NEXT( dn, link )
-		       )
-		    {
-		        dns_name_init( &(ifwd.dn), NULL );
-			isc_buffer_init( &buffer, dnBuf, DNS_NAME_FORMATSIZE);
-			dns_name_setbuffer( &(ifwd.dn), &buffer);
-			dns_name_copy(dn, &(ifwd.dn), NULL);
-			if( ((ifwdpp = tfind(&ifwd, &(mgr->ifwdt), dbus_mgr_ifwdr_comparator)) != 0L )
-			  &&((ifwdr = *ifwdpp) != 0L)
-			  )
-			{
-			    ISC_LIST_APPEND( ifwdrList, ifwdr, link );
-			}			
-		    }
-		    
-		    result = dbus_mgr_set_forwarders( mgr, &(d_if->dn), &(d_if->dns), dns_fwdpolicy_none );
-		    if( result != ISC_R_SUCCESS )
-		    {
-			dbus_mgr_log_err("D-BUS: removal of forwarders failed: %s", isc_result_totext(result));
-		    }
-
-		    for( dn = ISC_LIST_HEAD( d_if->dn );
-			 dn != 0L;
-			 dn = ISC_LIST_HEAD( d_if->dn )
-		       )
-		    {
-			if( ISC_LINK_LINKED( dn, link ) )
-			    ISC_LIST_UNLINK( d_if->dn, dn, link );			
-			isc_mem_put( mgr->mctx, dn, sizeof( dns_fixedname_t ) );
-		    }
-		    ISC_LIST_INIT( d_if->dn );
-
-		    for( ifwdr = ISC_LIST_HEAD( ifwdrList );
-			 ifwdr != 0L;
-			 ifwdr = ISC_LIST_HEAD( ifwdrList )
-		       )
-		    {
-			if( ISC_LINK_LINKED( ifwdr, link ) )
-			    ISC_LIST_UNLINK( ifwdrList, ifwdr, link );
-			ISC_LINK_INIT(ifwdr, link);
-			ISC_LIST_INIT(nameList);
-			ISC_LINK_INIT(&(ifwdr->dn), link);
-			ISC_LIST_APPEND( nameList, &(ifwdr->dn), link );
-			result = dbus_mgr_set_forwarders( mgr, &nameList, 
-							  &(ifwdr->sa), 
-							  ifwdr->fwdpolicy 
-			                                );
-			if( result != ISC_R_SUCCESS )
-			{
-			    dbus_mgr_log_err("D-BUS: restore of forwarders failed: %s", isc_result_totext(result));
-			}			
-		    }
-		}
-
-	    case  DHC_ABEND:
-	    case  DHC_END:
-	    case  DHC_NBI:
-	    case  DHC_PREINIT:
-	    case  DHC_MEDIUM:
-	    case  DHC_START:
-	    case  DHC_INVALID:
-	    default:
-		break;
-	    }
-	    break;
-
-	case  DHC_BOUND:
-	case  DHC_REBOOT:
-	case  DHC_REBIND:	
-	case  DHC_RENEW:
-        case  DHC_STOP:
-        case  DHC_TIMEOUT:
-	case  DHC_FAIL:
-	case  DHC_EXPIRE:
-	case  DHC_RELEASE:
-		d_if->previous_state = d_if->dhc_state;
-		d_if->dhc_state = dhc_state;
-
-	case  DHC_ABEND:
-	case  DHC_END:
-	case  DHC_NBI:
-	case  DHC_PREINIT:
-	case  DHC_MEDIUM:
-	case  DHC_START:
-	case  DHC_INVALID:
-	default:
-	    break;
-	}	
-    }else
-    if( strcmp( member, "domain_name" ) == 0 )
-    {	
-	if( (!dbus_svc_get_args( dbus, msg,
-				 TYPE_STRING, &opt_name,
-				 TYPE_ARRAY, TYPE_BYTE, &value, &length,
-				 TYPE_INVALID
-		               )
-	    )
-	  ||( value == 0L)
-	  ||( length == 0)
-	  )
-	{
-	    dbus_mgr_log_err("Invalid domain_name value received from dhcdbd");
-	    return;	
-	}
-	dbus_mgr_log_dbg("domain-name %s", (char*)value);
-	dbus_mgr_get_name_list( mgr, (char*)value, &(d_if->dn), error_name, error_message );
-	if( ( error_message[0] != '\0' ) || (ISC_LIST_HEAD(d_if->dn) == 0L ))
-	{
-	    dbus_mgr_log_err("Bad domain_name value: %s", error_message );
-	}
-    }else
-    if( strcmp( member, "domain_name_servers") == 0 )
-    {
-	if( (!dbus_svc_get_args( dbus, msg,
-				 TYPE_STRING, &opt_name,
-				 TYPE_ARRAY, TYPE_BYTE, &value, &length,
-				 TYPE_INVALID
-		               )
-	    )
-	  ||( value == 0L)
-	  ||( length == 0)
-	  )
-	{
-	    dbus_mgr_log_err("Invalid domain_name_servers value received from dhcdbd");
-	    return;	
-	}	
-	for(ip = (struct in_addr*) value; ip < ((struct in_addr*)(value + length)); ip++)
-	{
-	    dbus_mgr_log_dbg("domain-name-servers: %s", inet_ntop(AF_INET, value, error_name, 16));
-	    sa = isc_mem_get(mgr->mctx, sizeof(isc_sockaddr_t));
-	    memset(sa, '\0', sizeof(isc_sockaddr_t));
-	    sa->type.sin.sin_addr = *ip;
-	    sa->type.sa.sa_family = AF_INET;
-	    sa->length = sizeof(sa->type.sin);
-	    result = ns_config_getport(ns_g_config, &(port) );
-	    if( result != ISC_R_SUCCESS )
-		port = 53;
-	    sa->type.sin.sin_port = htons( port );
-	    ISC_LIST_APPEND(d_if->dns, sa, link);
-	}
-    }else
-    if( strcmp(member, "ip_address") == 0)
-    {
-	if( (!dbus_svc_get_args( dbus, msg,
-				 TYPE_STRING, &opt_name,
-				 TYPE_ARRAY, TYPE_BYTE, &value, &length,
-				 TYPE_INVALID
-		               )
-	    )
-	  ||( value == 0L)
-	  ||( length != sizeof(struct in_addr) )
-	  )
-	{
-	    dbus_mgr_log_err("Invalid ip_address value received from dhcdbd");
-	    return;
-	}
-	dbus_mgr_log_dbg("ip-address: %s", inet_ntop(AF_INET, value, error_name, 16));
-	d_if->ip = *((struct in_addr*)value);
-    
-    }else
-    if( strcmp(member, "subnet_mask") == 0 )
-    {
-	if( (!dbus_svc_get_args( dbus, msg,
-				 TYPE_STRING, &opt_name,
-				 TYPE_ARRAY, TYPE_BYTE, &value, &length,
-				 TYPE_INVALID
-		               )
-	    )
-	  ||( value == 0L)
-	  ||( length != sizeof(struct in_addr) )
-	  )
-	{
-	    dbus_mgr_log_err("Invalid subnet_mask value received from dhcdbd");
-	    return;
-	}
-	dbus_mgr_log_dbg("subnet-mask: %s", inet_ntop(AF_INET, value, error_name, 16));
-	d_if->subnet_mask = *((struct in_addr*)value);
-    }
-}
-
-static
-dbus_svc_HandlerResult 
-dbus_mgr_message_handler
-(  
-    DBusMsgHandlerArgs
-)
-{
-    char error_name[1024], error_message[1024];
-    ns_dbus_mgr_t *mgr = object;
-    uint32_t new_serial;
-
-    if_suffix = prefix = suffix = prefixObject = 0L;
-
-    dbus_mgr_log_dbg("D-BUS message: %u %u %u %s %s %s %s %s %s",
-		     type, reply_expected, serial, destination, path, member, interface, sender, signature
-	            );
-
-    if (  ( type == SIGNAL )
-	&&( strcmp(path,"/org/freedesktop/DBus/Local") == 0 )
-       )
-    {
-	if( strcmp(member,"Disconnected") == 0 )
-	    dbus_mgr_dbus_shutdown_handler( mgr );
-    }else
-    if( ( type == SIGNAL )
-      &&( strcmp(path,"/org/freedesktop/DBus") == 0 )
-      &&(strcmp(member,"NameOwnerChanged") == 0)
-      &&(strcmp(signature, "sss") == 0)
-      )
-    {
-	dbus_mgr_check_dhcdbd_state( mgr, msg );
-    }else
-    if( ( type == SIGNAL ) 
-      &&( (sender != 0L) && (mgr->dhcdbd_name != 0L) && (strcmp(sender,mgr->dhcdbd_name)   == 0)) 
-      &&( strcmp(interface,"com.redhat.dhcp.subscribe.binary") == 0 )
-      )
-    {
-	dbus_mgr_handle_dhcdbd_message( mgr, path, member, msg );
-    }else
-    if( (type == CALL) 
-      &&( strcmp(destination, DBUSMGR_DESTINATION)==0)
-      &&( strcmp(path, DBUSMGR_OBJECT_PATH)==0)
-      )
-    {
-	if( strcmp(member, "SetForwarders") == 0 )
-	    dbus_mgr_handle_set_forwarders
-	    ( mgr, dbus, reply_expected, serial, path, member, interface, sender, msg );
-	else
-	if( strcmp(member, "GetForwarders") == 0 )
-	{
-	    if( *signature != '\0' )	   
-		dbus_mgr_handle_get_forwarders
-		( dbus, reply_expected, serial, path, member, interface, sender, msg );
-	    else       
-		dbus_mgr_handle_list_forwarders
-		( dbus, reply_expected, serial, path, member, interface, sender, msg );
-	}else
-	if( reply_expected )
-	{
-	    sprintf(error_name, "InvalidOperation");
-	    sprintf(error_message, "Unrecognized path / interface / member");
-	    dbus_svc_send( dbus, ERROR, serial, &new_serial, sender, path, interface, member,
-			   TYPE_STRING, error_name, TYPE_STRING, error_message, TYPE_INVALID 
-		);	    
-	}
-    }
-    return HANDLED;
-}
-
-static void
-dbus_mgr_read_watch_activated(isc_task_t *t, isc_event_t *ev)
-{
-    DBusMgrSocket *sfd = (DBusMgrSocket*)(ev->ev_arg);
-    t = t;
-    isc_mem_put(sfd->mgr->mctx, ev, ev->ev_size);
-    dbus_mgr_log_dbg("watch %d READ",sfd->fd);  
-    isc_socket_fd_handle_reads( sfd->sock, sfd->ser );
-    dbus_svc_handle_watch( sfd->mgr->dbus, sfd->fd, WATCH_ENABLE | WATCH_READ );
-}
-
-static void
-dbus_mgr_write_watch_activated(isc_task_t *t, isc_event_t *ev)
-{
-    DBusMgrSocket *sfd = (DBusMgrSocket*)(ev->ev_arg);
-    t = t;
-    isc_mem_put(sfd->mgr->mctx, ev, ev->ev_size);
-    dbus_mgr_log_dbg("watch %d WRITE",sfd->fd);
-    isc_socket_fd_handle_writes( sfd->sock, sfd->ser );
-    dbus_svc_handle_watch( sfd->mgr->dbus, sfd->fd, WATCH_ENABLE | WATCH_WRITE );    
-}
-
-static void
-dbus_mgr_watches_selected(isc_task_t *t, isc_event_t *ev)
-{
-    ns_dbus_mgr_t *mgr = (ns_dbus_mgr_t*)(ev->ev_arg);
-    t = t;
-    isc_mem_put(mgr->mctx, ev, ev->ev_size);
-    if( ( mgr->dbus == 0L ) || (mgr->sockets == 0L))
-    {
-	return;
-    }
-    dbus_mgr_log_dbg("watches selected");
-    dbus_svc_dispatch( mgr->dbus );
-    dbus_mgr_log_dbg("dispatch complete");
-}
-
-static int dbus_mgr_socket_comparator( const void *p1, const void *p2 )
-{
-    return( (   ((const DBusMgrSocket*)p1)->fd 
-	     == ((const DBusMgrSocket*)p2)->fd
-	    ) ? 0
-	      : (   ((const DBusMgrSocket*)p1)->fd 
-	          > ((const DBusMgrSocket*)p2)->fd
-	        ) ? 1
-	          : -1
-	  );
-}
-
-static void 
-dbus_mgr_watch_handler( int fd, dbus_svc_WatchFlags flags, void *mgrp )
-{
-    ns_dbus_mgr_t *mgr = mgrp;
-    DBusMgrSocket sockFd, *sfd=0L, *const*spp=0L;
-    isc_result_t  result=ISC_R_SUCCESS;
-    isc_socketevent_t *sev;
-    isc_event_t *pev[1];
-
-    if(mgr == 0L)
-	return;
-
-    if( (flags & 7) == WATCH_ERROR )
-	return;
-
-    sockFd.fd = fd;
-
-    dbus_mgr_log_dbg("watch handler: fd %d %d", fd, flags);
-
-    if( ((spp = tfind( &sockFd, &(mgr->sockets), dbus_mgr_socket_comparator) ) == 0L )
-      ||((sfd = *spp) == 0L )
-      )
-    {
-	if( ( flags & WATCH_ENABLE ) == 0 )
-	    return;
-
-	sfd = isc_mem_get(mgr->mctx, sizeof(DBusMgrSocket));
-	if( sfd == 0L )
-	{
-	    dbus_mgr_log_err("dbus_mgr: out of memory" );
-	    return;
-	}
-	sfd->fd = fd;
-	sfd->mgr = mgr;
-	sfd->ser = sfd->sew = sfd->sel = 0L;
-
-	if( tsearch(sfd, &(mgr->sockets), dbus_mgr_socket_comparator) == 0L )
-	{
-	    dbus_mgr_log_err("dbus_mgr: out of memory" );
-	    isc_mem_put(mgr->mctx, sfd, sizeof(DBusMgrSocket));
-	    return;
-	}
-	sfd->sock = 0L;
-	result = isc_socket_create( mgr->socketmgr, fd, isc_sockettype_fd, &(sfd->sock) );
-	if( result != ISC_R_SUCCESS )
-	{
-	    dbus_mgr_log_err("dbus_mgr: isc_socket_create failed: %s", 
-			     isc_result_totext(result)
-	                    );
-	    tdelete(sfd,  &(mgr->sockets), dbus_mgr_socket_comparator);
-	    isc_mem_put(mgr->mctx, sfd, sizeof(DBusMgrSocket));
-	    return;
-	}
-    }
-    
-    if( (flags & WATCH_ENABLE) == WATCH_ENABLE )
-    {
-	if( (flags & WATCH_READ) == WATCH_READ )
-	{
-	    if( sfd->ser == 0L )
-	    {
-		sfd->ser = (isc_socketevent_t *)
-		    isc_event_allocate
-		    (
-			mgr->mctx, mgr->task,
-			ISC_SOCKEVENT_READ_READY,
-			dbus_mgr_read_watch_activated,
-			sfd,
-			sizeof(isc_socketevent_t)
-		    );
-
-		if( sfd->ser == 0L )
-		{
-		    dbus_mgr_log_err("dbus_mgr: out of memory" );
-		    tdelete(sfd,  &(mgr->sockets), dbus_mgr_socket_comparator);
-		    isc_mem_put(mgr->mctx, sfd, sizeof(DBusMgrSocket));
-		    return;		    
-		}
-
-		sev = isc_socket_fd_handle_reads(sfd->sock, sfd->ser );
-
-	    }else
-	    {
-		sev = isc_socket_fd_handle_reads(sfd->sock, sfd->ser );
-	    }
-	}
-	if( (flags & WATCH_WRITE) == WATCH_WRITE )
-	{
-	    if( sfd->sew == 0L )
-	    {
-		sfd->sew = (isc_socketevent_t *)
-		    isc_event_allocate
-		    (
-			mgr->mctx, mgr->task,
-			ISC_SOCKEVENT_WRITE_READY,
-			dbus_mgr_write_watch_activated,
-			sfd,
-			sizeof(isc_socketevent_t)
-		    );
-		if( sfd->sew == 0L )
-		{
-		    dbus_mgr_log_err("dbus_mgr: out of memory" );
-		    tdelete(sfd,  &(mgr->sockets), dbus_mgr_socket_comparator);
-		    isc_mem_put(mgr->mctx, sfd, sizeof(DBusMgrSocket));
-		    return;		    
-		}
-		
-		sev = isc_socket_fd_handle_writes(sfd->sock, sfd->sew );
-		
-	    }else
-	    {
-		sev = isc_socket_fd_handle_writes(sfd->sock, sfd->sew );
-	    }
-	}
-	if( (sfd->ser != 0L) || (sfd->sew != 0L) )
-	{
-	    if( sfd->sel == 0L )
-	    {
-		sfd->sel = (isc_socketevent_t *)
-		    isc_event_allocate
-		    (
-			mgr->mctx, mgr->task,
-			ISC_SOCKEVENT_SELECTED,
-			dbus_mgr_watches_selected,
-			mgr,
-			sizeof(isc_socketevent_t)
-		    );
-		if( sfd->sel == 0L )
-		{
-		    dbus_mgr_log_err("dbus_mgr: out of memory" );
-		    tdelete(sfd,  &(mgr->sockets), dbus_mgr_socket_comparator);
-		    isc_mem_put(mgr->mctx, sfd, sizeof(DBusMgrSocket));
-		    return;		    
-		}
-		
-		sev = isc_socket_fd_handle_selected(sfd->sock, sfd->sel );
-		
-	    }else
-	    {
-		sev = isc_socket_fd_handle_selected(sfd->sock, sfd->sel);
-	    }
-	}
-    }else
-    {
-	dbus_mgr_log_dbg("watch %d disabled",fd);
-	if(flags & WATCH_READ)
-	{
-	    sev = isc_socket_fd_handle_reads( sfd->sock, 0L );
-	    if( sev != 0L )
-	    {
-		pev[0]=(isc_event_t*)sev;
-		isc_event_free(pev);
-	    }
-	    sfd->ser = 0L;
-	}
-
-	if( flags & WATCH_WRITE )
-	{
-	    sev = isc_socket_fd_handle_writes( sfd->sock, 0L );
-	    if( sev != 0L )
-	    {
-		pev[0]=(isc_event_t*)sev;
-		isc_event_free(pev);
-	    }
-	    sfd->sew = 0L;
-	}
-
-	if( (sfd->ser == 0L) && (sfd->sew == 0L) )
-	{
-	    sev = isc_socket_fd_handle_selected( sfd->sock, 0L );
-	    if( sev != 0L )
-	    {
-		pev[0]=(isc_event_t*)sev;
-		isc_event_free(pev);
-	    }
-	    sfd->sel = 0L;
-
-	    tdelete(sfd, &(mgr->sockets), dbus_mgr_socket_comparator);
-
-	    isc_mem_put(mgr->mctx, sfd,  sizeof(DBusMgrSocket));
-	}
-    }
-}
-
-static
-void dbus_mgr_close_socket( const void *p, const VISIT which, const int level)
-{
-    DBusMgrSocket *const*spp=p, *sfd;
-    isc_event_t *ev ;
-    int i =  level ? 0 :1;
-    i &= i;
-
-    if( (spp==0L) || ((sfd = *spp)==0L) 
-      ||((which != leaf) && (which != postorder))
-      ) return;
-   
-    if( sfd->ser != 0L )
-    {
-	ev = (isc_event_t *)isc_socket_fd_handle_reads(sfd->sock, 0);
-	if( ev != 0L )
-	    isc_event_free((isc_event_t **)&ev);
-	sfd->ser = 0L;
-    }
-
-    if( sfd->sew != 0L )
-    {
-	ev = (isc_event_t *)isc_socket_fd_handle_writes(sfd->sock, 0);
-	if( ev != 0L )
-	    isc_event_free((isc_event_t **)&ev);
-	sfd->sew = 0L;
-    }
-
-    if( sfd->sel != 0L )
-    {
-	ev = (isc_event_t *)isc_socket_fd_handle_selected(sfd->sock, 0);
-	if( ev != 0L )
-	    isc_event_free((isc_event_t **)&ev);
-	sfd->sel = 0L;
-	dbus_mgr_log_dbg("CLOSED socket %d", sfd->fd);
-    }
-}
-
-static
-void dbus_mgr_destroy_socket( void *p )
-{
-    DBusMgrSocket *sfd = p;
-
-    isc_mem_put( sfd->mgr->mctx, sfd, sizeof(DBusMgrSocket) );
-}
diff --git a/contrib/dbus/dbus_mgr.h b/contrib/dbus/dbus_mgr.h
deleted file mode 100644
index 78be0d09..00000000
--- a/contrib/dbus/dbus_mgr.h
+++ /dev/null
@@ -1,37 +0,0 @@
-/* dbus_mgr.h
- *
- *  named module to provide dynamic forwarding zones in 
- *  response to D-BUS dhcp events
- *
- *  Copyright(C) Jason Vas Dias, Red Hat Inc., 2005
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation at 
- *           http://www.fsf.org/licensing/licenses/gpl.txt
- *  and included in this software distribution as the "LICENSE" file.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- */
-
-extern isc_result_t 
-dbus_mgr_create
-(   isc_mem_t *mctx, 
-    isc_taskmgr_t *taskmgr,
-    isc_socketmgr_t *socketmgr,
-    isc_timermgr_t *timermgr,
-    ns_dbus_mgr_t **dbus_mgr
-);
-
-extern void 
-dbus_mgr_shutdown
-(   ns_dbus_mgr_t *dus_mgr_t
-);
-
-
-
-
-
diff --git a/contrib/dbus/dbus_service.c b/contrib/dbus/dbus_service.c
deleted file mode 100644
index 0ed903d0..00000000
--- a/contrib/dbus/dbus_service.c
+++ /dev/null
@@ -1,1158 +0,0 @@
-/*  dbus_service.c
- *
- *  D-BUS Service Utilities
- *  
- *  Provides MINIMAL utilities for construction of D-BUS "Services".
- *  
- *  Copyright(C) Jason Vas Dias, Red Hat Inc., 2005
- *  Modified by Adam Tkac, Red Hat Inc., 2007
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation at 
- *           http://www.fsf.org/licensing/licenses/gpl.txt
- *  and included in this software distribution as the "LICENSE" file.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- */
-
-#include <sys/types.h>
-#include <unistd.h>
-#include <linux/limits.h>
-#include <sys/time.h>
-#include <sys/socket.h>
-#include <sys/select.h>
-#include <sys/wait.h>
-#include <sys/ioctl.h>
-#include <time.h>
-#include <signal.h>
-#include <syslog.h>
-#include <fcntl.h>
-#include <string.h>
-extern size_t strnlen(const char *s, size_t maxlen);
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <netdb.h>
-#include <ifaddrs.h>
-#include <search.h>
-#include <getopt.h>
-typedef void (*__free_fn_t) (void *__nodep);
-extern void tdestroy (void *__root, __free_fn_t __freefct);
-#include <stdint.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <stdarg.h>
-#include <errno.h>
-#define  DBUS_API_SUBJECT_TO_CHANGE  "Very Annoying and Silly!"
-#include <dbus/dbus.h>
-
-#include <named/dbus_service.h>
-#include <isc/result.h>
-
-typedef struct dbcs_s
-{
-    DBusConnection *connection;
-    DBusDispatchStatus dispatchStatus;
-    uint32_t        status;
-    dbus_svc_WatchHandler wh;
-    void *          wh_arg;
-    const char    * unique_name;
-    dbus_svc_MessageHandler mh;
-    void          * def_mh_obj;
-    dbus_svc_MessageHandler mf;
-    void          * def_mf_obj;
-    dbus_svc_ShutdownHandler sh;
-    void          * sh_obj;  
-    dbus_svc_ErrorHandler eh;
-    dbus_svc_ErrorHandler dh;
-    /*{ glibc b-trees: */
-    void *          roots;
-    void *          timeouts;  
-    void *          watches;
-    void *          filters;
-    /*}*/
-    int             n; 
-    fd_set          r_fds;
-    fd_set          s_r_fds;
-    fd_set          w_fds;
-    fd_set          s_w_fds;
-    fd_set          e_fds;  
-    fd_set          s_e_fds;
-    DBusMessage     *currentMessage;
-    int             rejectMessage;
-} DBusConnectionState;
-
-typedef struct root_s
-{
-    char *path;    
-    char *if_prefix;
-    DBUS_SVC cs;
-    dbus_svc_MessageHandler mh;        
-    void *object;
-    void *tree;
-} Root;
-
-typedef struct mhn_s
-{
-    char *path;    
-    dbus_svc_MessageHandler mh;    
-    void *object;
-} MessageHandlerNode;
-
-typedef struct mfn_s
-{
-    DBusConnectionState *cs;
-    dbus_svc_MessageHandler mf;
-    void *obj;
-    int n_matches;
-    char **matches;
-} MessageFilterNode;
-
-typedef struct dbto_s
-{
-    DBusTimeout   *to;
-    DBusConnectionState *cs;
-    struct timeval tv;
-} DBusConnectionTimeout;
-
-static void no_free( void *p){ p=0; }
-
-static int ptr_key_comparator( const void *p1, const void *p2 )
-{
-    return
-	(  (p1 == p2) 
-	   ? 0
-	   :( (p1 > p2)
-	      ? 1
-	      : -1
-	    )
-	);
-}
-
-static DBusHandlerResult
-default_message_filter 
-(   DBusConnection     *connection,
-    DBusMessage        *message,
-    void               *p
-)
-{
-    DBusConnectionState *cs = p;
-    uint32_t type  =dbus_message_get_type( message ),
-	   serial  =dbus_message_get_serial( message );
-    uint8_t  reply =dbus_message_get_no_reply( message )==0;
-    const char 
-	*path =    dbus_message_get_path( message ),
-	*dest =    dbus_message_get_destination( message ),
-	*member =  dbus_message_get_member( message ),
-	*interface=dbus_message_get_interface( message ),
-	*sender   =dbus_message_get_sender( message ),
-	*signature=dbus_message_get_signature( message );
-    connection = connection;
-    if(cs->mf)
-	return
-	(*(cs->mf))( cs, type, reply, serial, dest, path, member, interface, 0L,
-		    sender, signature, message, 0L, 0L, 0L, cs->def_mf_obj
-	          ) ;
-    return HANDLED;
-}
-
-uint8_t
-dbus_svc_add_filter
-(  DBusConnectionState *cs, dbus_svc_MessageHandler mh, void *obj, int n_matches, ... )
-{
-    DBusError error;
-    va_list va;
-    char *m;
-
-    va_start(va, n_matches );
-    
-    cs->mf = mh;
-    cs->def_mf_obj = obj;
-
-    if ( ! dbus_connection_add_filter (cs->connection, default_message_filter, cs, NULL))
-    {
-	if( cs->eh != 0L ) (*(cs->eh))("dbus_svc_add_filter: dbus_connection_add_filter failed");
-	va_end(va);
-	return( 0 );
-    }
-
-    if( n_matches )
-    {
-	memset(&error,'\0',sizeof(DBusError));
-	dbus_error_init(&error);
-	while( n_matches-- )
-	{
-	    m = va_arg(va, char* ) ;
-
-	    dbus_bus_add_match(cs->connection, m, &error);
-
-	    if( dbus_error_is_set(&error))
-	    {
-		if( cs->eh != 0L ) (*(cs->eh))("dbus_svc_add_filter: dbus_bus_add_match failed for %s: %s %s",
-					       m, error.name, error.message
-		                              );
-		va_end(va);
-		return(0);
-	    }
-	}
-    }
-    return( 1 );
-}
-
-
-uint8_t
-dbus_svc_get_args_va(DBusConnectionState *cs, DBusMessage* msg, dbus_svc_DataType firstType, va_list va)
-{
-    DBusError error;
-    memset(&error,'\0',sizeof(DBusError));
-    dbus_error_init(&error);
-    if( (!dbus_message_get_args_valist(msg, &error, firstType, va)) || dbus_error_is_set(&error) )
-    {
-	if(  dbus_error_is_set(&error) )
-	{
-	    if( cs->eh != 0L ) (*(cs->eh))("dbus_svc_get_args failed: %s %s",error.name, error.message);
-	    dbus_error_free(&error);
-	}else
-	    if( cs->eh != 0L ) (*(cs->eh))("dbus_svc_get_args failed: dbus_message_get_args_valist failed");
-	return( 0 );
-    }
-    return( 1 );
-}
-
-uint8_t
-dbus_svc_get_args(DBusConnectionState *cs, DBusMessage* msg, dbus_svc_DataType firstType, ...)
-{
-    va_list va;
-    uint8_t r;
-    va_start(va, firstType);
-    r = dbus_svc_get_args_va( cs, msg, firstType, va);
-    va_end(va);
-    return r;
-}
-
-uint8_t 
-dbus_svc_send_va
-(  DBusConnectionState *cs,
-   dbus_svc_MessageType type,   
-   int32_t reply_serial,
-   uint32_t *new_serial,
-   const char *destination,
-   const char *path,
-   const char *interface,
-   const char *member,
-   dbus_svc_DataType firstType,
-   va_list va
-)
-{
-    DBusMessageIter iter;
-    char *e;
-    DBusMessage *msg = 
-	dbus_svc_new_message
-	(   cs,
-	    type,
-	    reply_serial,
-	    destination,
-	    path,
-	    interface,
-	    member
-	);
-
-    if(msg == 0L)
-    {
-	if( cs->eh != 0L ) (*(cs->eh))("dbus_svc_send: dbus_svc_new_message failed");
-	return 0;
-    }
-
-    if( type != DBUS_MESSAGE_TYPE_ERROR )
-    {
-	if( !dbus_message_append_args_valist( msg, firstType, va ) )
-	{
-	    if( cs->eh != 0L ) (*(cs->eh))("dbus_svc_send: dbus_message_append_args_valist failed");
-	    return 0;
-	}
-    }else
-    {
-	if( firstType == DBUS_TYPE_STRING )
-	{
-	    e = 0L;
-	    e = va_arg( va, char* );	    
-	    if( (e == 0L) ||  !dbus_message_set_error_name( msg, e ) )
-	    {
-		if( cs->eh != 0L ) (*(cs->eh))("dbus_svc_send: dbus_message_set_error_name failed");
-		return 0;
-	    }
-	    firstType = va_arg(va, int);
-	    if( firstType == DBUS_TYPE_STRING )
-	    {
-		e = 0L;
-		e =  va_arg( va, char* );
-		if( e == 0L )
-		{
-		    if( cs->eh != 0L ) (*(cs->eh))("dbus_svc_send: NULL error message");
-		    return 0;		    		    
-		}
-		dbus_message_iter_init_append (msg, &iter);		
-		if( !dbus_message_iter_append_basic 
-		    (&iter, DBUS_TYPE_STRING, &e)
-		  )
-		{
-		    if( cs->eh != 0L ) (*(cs->eh))("dbus_svc_send: dbus_message_iter_append_basic failed");
-		    return 0;		    		    
-		}
-	    }
-	}else
-	{
-	    if( cs->eh != 0L ) (*(cs->eh))("dbus_svc_send: unhandled type for error name: %c", firstType);
-	    return 0;	    
-	}
-    }
-
-    if( !dbus_connection_send(cs->connection, msg, new_serial) )
-    {
-	if( cs->eh != 0L ) (*(cs->eh))("dbus_svc_send: dbus_message_send failed");
-	return 0;
-    }
-    if( cs->dh != 0L ) (*(cs->dh))("Sending message");
-    dbus_connection_flush(cs->connection);
-    return 1;
-}
-
-uint8_t 
-dbus_svc_send
-(  DBusConnectionState *cs,
-   dbus_svc_MessageType type,
-   int32_t reply_serial,
-   uint32_t *new_serial,
-   const char *destination,
-   const char *path,
-   const char *interface,
-   const char *member,
-   dbus_svc_DataType firstType,
-   ...
-)
-{
-    uint8_t r;
-    va_list va;
-    va_start(va, firstType);
-    r = dbus_svc_send_va(cs, type, reply_serial, new_serial, destination, path,interface,member,firstType,va);
-    va_end(va);
-    return ( r ) ;
-}
-
-dbus_svc_MessageHandle
-dbus_svc_new_message
-( DBusConnectionState* cs,
-  dbus_svc_MessageType type,
-  int32_t reply_serial,
-  const char *destination,
-  const char *path,
-  const char *interface,
-  const char *member
-)
-{
-    DBusMessage *msg = dbus_message_new(type);
-    
-    if( msg == 0L)
-    {
-	if( cs->eh != 0L ) (*(cs->eh))("dbus_svc_new_message: dbus_message_set_reply_serial failed");
-	return 0;
-    }
-
-    if( reply_serial != -1 )
-    {
-	if( !dbus_message_set_reply_serial(msg,reply_serial) )
-	{
-	    if( cs->eh != 0L ) (*(cs->eh))("dbus_svc_new_message: dbus_message_set_reply_serial failed");
-	    return 0;
-	}    
-    }
-	    
-    if( (destination !=0L) && !dbus_message_set_destination(msg, destination) )
-    {
-	if( cs->eh != 0L ) (*(cs->eh))("dbus_svc_new_message: dbus_message_set_destination failed");
-	return 0;
-    }
-
-    if( !dbus_message_set_path(msg, path) )
-    {
-	if( cs->eh != 0L ) (*(cs->eh))("dbus_svc_new_message: dbus_message_set_path failed");
-	return 0;
-    }
-
-    if( ! dbus_message_set_interface(msg,interface) )
-    {
-	if( cs->eh != 0L ) (*(cs->eh))("dbus_svc_new_message: dbus_message_set_interface failed - %s", interface);
-	return 0;
-    }
-
-    if( !dbus_message_set_member(msg,member) )
-    {
-	if( cs->eh != 0L ) (*(cs->eh))("dbus_svc_new_message: dbus_message_set_member failed");
-	return 0;
-    }
-
-    return msg;    
-}
-
-extern uint8_t
-dbus_svc_send_message
-(
-    DBusConnectionState *cs, 
-    dbus_svc_MessageHandle msg, 
-    uint32_t *new_serial 
-)
-{
-    if( !dbus_connection_send(cs->connection, msg, new_serial) )
-    {
-	if( cs->eh != 0L ) (*(cs->eh))("dbus_svc_send: dbus_message_send failed");
-	return 0;
-    }
-    if( cs->dh != 0L ) (*(cs->dh))("Sending message");
-    dbus_connection_flush(cs->connection);   
-    return 1;
-}
-
-uint8_t
-dbus_svc_message_append_args(DBusConnectionState *cs, dbus_svc_MessageHandle msg, dbus_svc_DataType firstType, ...)
-{
-    va_list va;
-    va_start(va, firstType);
-    if( !dbus_message_append_args_valist( msg, firstType, va ) )
-    {
-	if( cs->eh != 0L ) (*(cs->eh))("dbus_svc_send: dbus_message_append_args failed");
-	return 0;	
-    }
-    va_end(va);
-    return ( 1 ) ;
-}
-
-dbus_svc_MessageHandle 
-dbus_svc_call
-( DBusConnectionState *cs,
-  const char *destination,
-  const char *path,
-  const char *member,
-  const char *interface,
-  dbus_svc_DataType firstType,
-  ... 
-)
-{
-    DBusMessage *message=0L, *reply=0L;
-    va_list va;
-    DBusError error;
-    int reply_timeout=20000;
-
-    va_start(va, firstType);
-
-    memset(&error,'\0',sizeof(DBusError));
-    dbus_error_init(&error);
-
-    if(( message = 
-	 dbus_message_new_method_call 
-	 (  destination,
-	    path,
-	    interface,
-	    member
-	 )
-       ) == 0L
-      )
-    {
-	if( cs->eh != 0L ) (*(cs->eh))("dbus_svc_call: dbus_message_new_method_call failed");
-	va_end(va);
-	return(0L);
-    };
-
-    if( !dbus_message_append_args_valist( message, firstType, va ) )
-    {
-	if( cs->eh != 0L ) (*(cs->eh))("dbus_svc_call: dbus_message_append_args_valist failed");
-	va_end(va);
-	return(0L);
-    }
-
-    if((reply = 
-	dbus_connection_send_with_reply_and_block 
-	(cs->connection,
-	 message, reply_timeout,
-	 &error
-	)
-       ) == 0L    
-      )
-    {
-	if( cs->eh != 0L ) (*(cs->eh))("dbus_svc_call: dbus_message_send_with_reply_and_block failed: %s %s",
-		    error.name, error.message
-	           );
-	va_end(va);
-	return(0L);
-    }
-    return reply;
-}
-
-dbus_svc_MessageIterator
-dbus_svc_message_iterator_new( DBusConnectionState *cs, DBusMessage *msg)
-{
-    DBusMessageIter *iter = malloc( sizeof(DBusMessageIter) );
-    void *p =cs;
-    p++;
-    if( iter != 0L )
-    {
-	if( !dbus_message_iter_init( msg, iter ))
-	{
-	    free( iter ) ;
-	    iter = 0L;
-	}
-    }
-    return iter;
-}
-
-uint32_t
-dbus_svc_message_next_arg_type( DBusConnectionState *cs, dbus_svc_MessageIterator iter )
-{
-    void *p =cs;
-    p++;
-    return dbus_message_iter_get_arg_type( iter );
-}
-
-void
-dbus_svc_message_next_arg( DBusConnectionState *cs, dbus_svc_MessageIterator iter, void *value )
-{
-    void *p =cs;
-    p++;
-    dbus_message_iter_get_basic( iter, value );
-    dbus_message_iter_next( iter );
-}
-
-uint32_t
-dbus_svc_message_element_type(DBusConnectionState *cs , dbus_svc_MessageIterator  iter)
-{
-    void *p =cs;
-    p++;
-    return dbus_message_iter_get_element_type(iter);
-}
-
-void
-dbus_svc_message_get_elements( DBusConnectionState *cs , dbus_svc_MessageIterator  iter, uint32_t *n, void *array )
-{
-    void *p =cs;
-    p++;
-    dbus_message_iter_get_fixed_array( iter, n, array);
-}
-
-void dbus_svc_message_iterator_free(  DBusConnectionState *cs, dbus_svc_MessageIterator iter )
-{
-    void *p =cs;
-    p++;
-    free( iter );
-}
-
-uint8_t dbus_svc_message_type(  DBusMessage *msg )
-{
-    return dbus_message_get_type( msg );
-}
-
-static DBusConnectionState *
-dbcs_new( DBusConnection *connection )
-{
-    DBusConnectionState *dbcs = (DBusConnectionState *) malloc( sizeof(DBusConnectionState) );
-    if ( dbcs )
-    {
-	memset( dbcs, '\0', sizeof( DBusConnectionState ));
-	dbcs->connection = connection;
-    }
-    return(dbcs);
-}
-
-static DBusConnectionTimeout *
-timeout_new( DBusTimeout *timeout )
-{
-    DBusConnectionTimeout *to = (DBusConnectionTimeout *) malloc ( sizeof(DBusConnectionTimeout) );
-    if( to != 0L )
-    {
-	to->to = timeout;
-	dbus_timeout_set_data(timeout, to, 0L);
-	if( dbus_timeout_get_enabled(timeout) )
-	    gettimeofday(&(to->tv),0L);
-	else
-	{
-	    to->tv.tv_sec = 0 ;
-	    to->tv.tv_usec = 0 ;
-	}	    
-    }
-    return( to );
-}
-
-static dbus_bool_t
-add_timeout( DBusTimeout *timeout, void *csp )
-{
-    DBusConnectionState   *cs = csp;
-    DBusConnectionTimeout *to = timeout_new(timeout);
-    if( cs->dh != 0L ) (*(cs->dh))("add_timeout: %d", dbus_timeout_get_interval(timeout));
-    to->cs = cs;
-    if ( to )
-    {
-	if( tsearch((void*)to, &(cs->timeouts), ptr_key_comparator) != 0L )
-	    return TRUE;
-    }
-    if( cs->eh != 0L ) (*(cs->eh))("add_timeout: out of memory");
-    return FALSE;
-}
-
-static void
-remove_timeout( DBusTimeout *timeout, void *csp )
-{
-    DBusConnectionState   *cs = csp;
-    DBusConnectionTimeout *to = dbus_timeout_get_data(timeout);
-    if( (to != 0L) && (to->to == timeout) )
-    {
-	if( cs->dh != 0L ) (*(cs->dh))("remove_timeout: %d", dbus_timeout_get_interval(to->to));
-	if( tdelete((const void*)to, &(cs->timeouts), ptr_key_comparator) != 0L )
-	{
-	    free(to);
-	}else
-	    if( cs->eh != 0L ) (*(cs->eh))("remove_timeout: can't happen?!?: timeout data %p not found", to);   	
-    }else
-	if( cs->eh != 0L ) (*(cs->eh))("remove_timeout: can't happen?!?: timeout %p did not record data %p %p", 
-		    timeout, to, ((to != 0L) ? to->to : 0L)
-	           );
-}
-
-static void
-toggle_timeout( DBusTimeout *timeout, void *csp )
-{
-    DBusConnectionState   *cs = csp;
-    DBusConnectionTimeout **top = tfind( (const void*) dbus_timeout_get_data(timeout), 
-				         &(cs->timeouts),
-				         ptr_key_comparator
-	                               ),
-	                   *to=0L;
-    if( (top != 0L) && ((to=*top) != 0L) && (to->to == timeout) )
-    {
-	if( cs->dh != 0L ) (*(cs->dh))("toggle_timeout: %d", dbus_timeout_get_interval(to->to));
-	if(  dbus_timeout_get_enabled(timeout) )
-	    gettimeofday(&(to->tv),0L);
-	else
-	{
-	    to->tv.tv_sec = 0 ;
-	    to->tv.tv_usec = 0 ;
-	}
-    }else
-	if( cs->eh != 0L ) (*(cs->eh))("toggle_timeout: can't happen?!?: timeout %p %s %p %p", timeout, 
-		    ((to==0L) ? "did not record data" : "not found"),
-		    to, ((to != 0L) ? to->to : 0L)
-	           );	
-}
-
-static void
-process_timeout( const void *p, const VISIT which, const int level)
-{
-    DBusConnectionState   *cs;
-    void * const *tpp = p;
-    DBusConnectionTimeout *to;
-    struct timeval tv;
-    float now, then, interval;
-    int l = level ? 1 : 0;
-    l=l;
-
-    gettimeofday(&tv,0L);
-    
-    if( (tpp != 0L) && (*tpp != 0L) && ((which == postorder) || (which == leaf)) ) 
-    {
-	to = (DBusConnectionTimeout*)*tpp;
-	cs = to->cs;
-	if ( !dbus_timeout_get_enabled(to->to) )
-	    return;
-	cs = dbus_timeout_get_data(to->to);
-	then = ((float)to->tv.tv_sec) + (((float)to->tv.tv_usec)  / 1000000.0);
-	if( then != 0.0 )
-	{
-	    interval = ((float)dbus_timeout_get_interval(to->to)) / 1000.0;
-	    now = ((float)tv.tv_sec) + (( (float)tv.tv_usec) /   1000000.0);
-	    if( (now - then) >= interval )
-	    {
-		if( cs->dh != 0L ) (*(cs->dh))("handle_timeout: %d - %f %f %f",  dbus_timeout_get_interval(to->to), then, now, interval);
-		dbus_timeout_handle( to->to );
-		to->tv=tv;
-	    }
-	}else
-	{
-	    to->tv = tv;
-	}
-    }
-}
-
-static void
-process_timeouts ( DBusConnectionState *cs )
-{
-    twalk( cs->timeouts, process_timeout );
-}
-
-static void 
-set_watch_fds( DBusWatch *watch, DBusConnectionState *cs )
-{
-    uint8_t flags = dbus_watch_get_flags(watch);
-    int fd = dbus_watch_get_fd(watch);
-
-    if ( cs->n <= fd )
-	cs->n = fd + 1;
-
-    if ( dbus_watch_get_enabled(watch) )
-    {
-	if ( flags & DBUS_WATCH_READABLE )
-	{
-	    FD_SET(fd , &(cs->r_fds));
-	    if( cs->wh != 0L )
-		(*(cs->wh))( fd, WATCH_ENABLE | WATCH_READ, cs->wh_arg ); 
-	}else	    
-	{
-	    FD_CLR(fd , &(cs->r_fds));
-	    if( cs->wh != 0L )
-		(*(cs->wh))( fd, WATCH_READ, cs->wh_arg ); 
-	}
-
-	if ( flags & DBUS_WATCH_WRITABLE )
-	{
-	    FD_SET(fd , &(cs->w_fds));
-	    if( cs->wh != 0L )
-		(*(cs->wh))( fd, WATCH_ENABLE | WATCH_WRITE, cs->wh_arg ); 	 
-	}else	    
-	{
-	    FD_CLR(fd , &(cs->w_fds));
-	    if( cs->wh != 0L )
-		(*(cs->wh))( fd, WATCH_WRITE, cs->wh_arg ); 	 
-	}
-	if ( flags & DBUS_WATCH_ERROR )
-	{
-	    FD_SET(fd , &(cs->e_fds));
-	    if( cs->wh != 0L )
-		(*(cs->wh))( fd, WATCH_ENABLE | WATCH_ERROR, cs->wh_arg ); 	
-	}else	    
-	{
-	    FD_CLR(fd , &(cs->e_fds));
-	    if( cs->wh != 0L )
-		(*(cs->wh))( fd, WATCH_ERROR, cs->wh_arg ); 	
-	}	
-    }else
-    {
-	if( FD_ISSET( fd, &(cs->r_fds)) )
-	    if( cs->wh != 0L )
-		(*(cs->wh))( fd, WATCH_READ, cs->wh_arg );
-	FD_CLR(fd , &(cs->r_fds));
-
-	if( FD_ISSET( fd, &(cs->w_fds)) )
-	    if( cs->wh != 0L )
-		(*(cs->wh))( fd, WATCH_WRITE, cs->wh_arg );	
-	FD_CLR(fd , &(cs->w_fds));
-	
-	if( FD_ISSET( fd, &(cs->e_fds)) )
-	    if( cs->wh != 0L )
-		(*(cs->wh))( fd, WATCH_ERROR, cs->wh_arg );
-	FD_CLR(fd , &(cs->e_fds));
-    }	
-}
-
-static dbus_bool_t
-add_watch ( DBusWatch *watch, void *csp )
-{    
-    DBusConnectionState *cs = csp;
-
-    dbus_watch_set_data(watch, cs, no_free );
-    if( cs->dh != 0L ) (*(cs->dh))("add_watch: %d", dbus_watch_get_fd(watch));
-    if( tsearch((const void*)watch,&(cs->watches),ptr_key_comparator) == 0L )
-    {
-	if( cs->eh != 0L ) (*(cs->eh))("add_watch: out of memory");
-	return FALSE;
-    }    
-    set_watch_fds(watch,cs);
-    return TRUE;
-}
-
-static void
-remove_watch ( DBusWatch *watch, void *csp )
-{
-    DBusConnectionState *cs = csp;
-    int  fd = dbus_watch_get_fd(watch);
-    if( tdelete((const void*)watch, &(cs->watches), ptr_key_comparator) == 0L )
-	if( cs->eh != 0L ) (*(cs->eh))("remove_watch: can't happen?!?: watch not found");
-    if( cs->dh != 0L ) (*(cs->dh))("remove_watch: %d", dbus_watch_get_fd(watch));
-    FD_CLR(fd , &(cs->r_fds));
-    FD_CLR(fd , &(cs->w_fds));
-    FD_CLR(fd , &(cs->e_fds));
-    if( cs->wh != 0L )
-	(*(cs->wh))(dbus_watch_get_fd(watch), WATCH_READ | WATCH_WRITE | WATCH_ERROR, cs->wh_arg );
-}
-
-static void
-toggle_watch ( DBusWatch *watch, void *csp )
-{
-    DBusConnectionState *cs = csp;    
-    if( cs->dh != 0L ) (*(cs->dh))("toggle_watch: %d", dbus_watch_get_fd(watch));
-    set_watch_fds(watch,cs);
-}
-
-static void
-process_watch( const void *p, const VISIT which, const int level)
-{
-    void * const *wpp=p;
-    DBusWatch *w;
-    int fd;
-    uint8_t flags;
-    DBusConnectionState *cs;
-    int l = level ? 1 : 0;
-    l=l;
-
-    if((wpp != 0L) && (*wpp != 0L) && ( (which == postorder) || (which == leaf) ) )
-    {
-	w = (DBusWatch*)*wpp;
-	cs = dbus_watch_get_data( w );
-	if( cs == 0 )
-	    return;
-	if( ! dbus_watch_get_enabled(w) )
-	    return;
-	fd = dbus_watch_get_fd( w );
-	flags = dbus_watch_get_flags( w );
-	if( cs->dh != 0L ) (*(cs->dh))("handle_watch: %d", dbus_watch_get_fd( w ));
-	if ( (flags & DBUS_WATCH_READABLE) && (FD_ISSET(fd, &(cs->s_r_fds))) )
-	    dbus_watch_handle(w, DBUS_WATCH_READABLE);
-	if ( (flags & DBUS_WATCH_WRITABLE) && (FD_ISSET(fd, &(cs->s_w_fds))) )
-	    dbus_watch_handle(w, DBUS_WATCH_READABLE);
-	if ( (flags & DBUS_WATCH_ERROR) && (FD_ISSET(fd, &(cs->s_e_fds))) )
-	    dbus_watch_handle(w, DBUS_WATCH_ERROR);
-    }
-} 
-
-static void
-process_watches ( DBusConnectionState *cs )
-{
-    twalk( cs->watches, process_watch );
-}
-
-void dbus_svc_handle_watch(  DBusConnectionState *cs, int fd, dbus_svc_WatchFlags action )
-{
-    switch( action & 7 )
-    {
-    case WATCH_READ:
-	FD_SET(fd, &(cs->s_r_fds));
-	break;
-
-    case WATCH_WRITE:
-	FD_SET(fd, &(cs->s_w_fds));
-	break;
-	
-    case WATCH_ERROR:
-	FD_SET(fd, &(cs->s_e_fds));
-	break;
-    }
-}
-
-static void
-dispatch_status
-(   DBusConnection *connection, 
-    DBusDispatchStatus new_status,
-    void *csp 
-)
-{
-    connection=connection;
-    DBusConnectionState *cs = csp;
-    cs->dispatchStatus = new_status;
-}
-
-void
-dbus_svc_main_loop( DBusConnectionState *cs, void (*idle_handler)(DBusConnectionState *) )
-{
-    struct timeval timeout={0,200000};
-    int n_fds;
-
-    while( cs->status != SHUTDOWN )
-    {
-	cs->s_r_fds = cs->r_fds;
-	cs->s_w_fds = cs->w_fds;
-	cs->s_e_fds = cs->e_fds;
-	
-	timeout.tv_sec = 0;
-	timeout.tv_usec= 200000;
-
-	if ( (n_fds = select(cs->n, &(cs->s_r_fds), &(cs->s_w_fds), &(cs->s_e_fds), &timeout)) < 0 )
-	{	    
-	    if (errno != EINTR) 
-	    {
-		if( cs->eh != 0L ) (*(cs->eh))( "select failed: %d : %s", errno, strerror(errno));
-	        return;
-	    }
-	}
-
-	if( n_fds > 0 )
-	    process_watches(cs);
-
-	process_timeouts(cs);
-
-	if ( cs->dispatchStatus != DBUS_DISPATCH_COMPLETE )
-	    dbus_connection_dispatch( cs->connection );
-
-	if( idle_handler != 0L )
-	    (*idle_handler)(cs);
-    }
-}
-
-void dbus_svc_dispatch(DBusConnectionState *cs)
-{
-    process_watches(cs);
-    
-    FD_ZERO(&(cs->s_r_fds));
-    FD_ZERO(&(cs->s_w_fds));
-    FD_ZERO(&(cs->s_e_fds));
-
-    process_timeouts(cs);
-
-    while ( cs->dispatchStatus != DBUS_DISPATCH_COMPLETE )
-	dbus_connection_dispatch( cs->connection );
-}
-
-void 
-dbus_svc_quit( DBusConnectionState *cs )
-{
-    cs->status = SHUTDOWN;
-}
-
-static isc_result_t
-connection_setup 
-(   DBusConnection *connection,
-    DBUS_SVC *dbus,
-    dbus_svc_WatchHandler wh, 
-    dbus_svc_ErrorHandler eh, 
-    dbus_svc_ErrorHandler dh,
-    void *wh_arg
-)
-{
-    *dbus = dbcs_new( connection );
-    
-    if ( *dbus == 0L )
-    {
-	if(eh)(*(eh))("connection_setup: out of memory");
-	goto fail;
-    }
-    (*dbus)->wh = wh;
-    (*dbus)->wh_arg = wh_arg;
-    (*dbus)->eh = eh;
-    (*dbus)->dh = dh;
-
-    if (!dbus_connection_set_watch_functions 
-	 (    (*dbus)->connection,
-	      add_watch,
-	      remove_watch,
-	      toggle_watch,
-	      *dbus,
-	      no_free
-	  )
-       )
-    {
-	if( (*dbus)->eh != 0L ) (*((*dbus)->eh))("connection_setup: dbus_connection_set_watch_functions failed");
-	goto fail; 
-    }
-      
-    if (!dbus_connection_set_timeout_functions 
-	 (    connection,
-	      add_timeout,
-	      remove_timeout,
-	      toggle_timeout,
-	      *dbus, 
-	      no_free
-	 )
-       )
-    {
-	if( (*dbus)->eh != 0L ) (*((*dbus)->eh))("connection_setup: dbus_connection_set_timeout_functions failed");
-	goto fail;
-    }
-
-    dbus_connection_set_dispatch_status_function 
-    (   connection, 
-	dispatch_status, 
-	*dbus, 
-	no_free
-    ); 
-
-    if (dbus_connection_get_dispatch_status (connection) != DBUS_DISPATCH_COMPLETE)
-	dbus_connection_ref(connection);    
-    
-    return ISC_R_SUCCESS;
-  
- fail:
-    if( *dbus != 0L )
-	free(*dbus);
-  
-    dbus_connection_set_dispatch_status_function (connection, NULL, NULL, NULL);
-    dbus_connection_set_watch_functions (connection, NULL, NULL, NULL, NULL, NULL);
-    dbus_connection_set_timeout_functions (connection, NULL, NULL, NULL, NULL, NULL);
-  
-    return ISC_R_FAILURE;
-}
-
-isc_result_t
-dbus_svc_init
-(
-    dbus_svc_DBUS_TYPE    bus,
-    char                  *name, 
-    DBUS_SVC		  *dbus,
-    dbus_svc_WatchHandler wh ,
-    dbus_svc_ErrorHandler eh ,
-    dbus_svc_ErrorHandler dh ,
-    void *wh_arg
-)
-{
-    DBusConnection       *connection;
-    DBusError            error;
-    char *session_bus_address=0L;
-
-    memset(&error,'\0',sizeof(DBusError));
-
-    dbus_error_init(&error);
-
-    switch( bus )
-    {
-	/* DBUS_PRIVATE_* bus types are the only type which allow reconnection if the dbus-daemon is restarted
-         */
-    case DBUS_PRIVATE_SYSTEM:
-       
-	if ( (connection = dbus_connection_open_private("unix:path=/var/run/dbus/system_bus_socket", &error)) == 0L )
-	{
-	    if(eh)(*eh)("dbus_svc_init failed: %s %s",error.name, error.message);
-	    return ISC_R_FAILURE;
-	}
-
-	if ( ! dbus_bus_register(connection,&error) )
-	{
-	    if(eh)(*eh)("dbus_bus_register failed: %s %s", error.name, error.message);
-	    dbus_connection_close(connection);
-	    free(connection);
-	    return ISC_R_FAILURE;
-	}
-	break;
-
-    case DBUS_PRIVATE_SESSION:
-	
-	session_bus_address = getenv("DBUS_SESSION_BUS_ADDRESS");
-	if ( session_bus_address == 0L )
-	{
-	    if(eh)(*eh)("dbus_svc_init failed: DBUS_SESSION_BUS_ADDRESS environment variable not set");
-	    return ISC_R_FAILURE;
-	}
-
-	if ( (connection = dbus_connection_open_private(session_bus_address, &error)) == 0L )
-	{
-	    if(eh)(*eh)("dbus_svc_init failed: %s %s",error.name, error.message);
-	    return ISC_R_FAILURE;
-	}
-
-	if ( ! dbus_bus_register(connection,&error) )
-	{
-	    if(eh)(*eh)("dbus_bus_register failed: %s %s", error.name, error.message);
-	    dbus_connection_close(connection);
-	    free(connection);
-	    return ISC_R_FAILURE;
-	}
-	break;
-
-    case DBUS_SYSTEM:
-    case DBUS_SESSION:
-
-	if ( (connection = dbus_bus_get (bus, &error)) == 0L )
-	{
-	    if(eh)(*eh)("dbus_svc_init failed: %s %s",error.name, error.message);
-	    return ISC_R_FAILURE;
-	}
-	break;
-
-    default:
-	if(eh)(*eh)("dbus_svc_init failed: unknown bus type %d", bus);
-	return ISC_R_FAILURE;
-    }
-    
-    dbus_connection_set_exit_on_disconnect(connection, FALSE);
-
-    if ( (connection_setup(connection, dbus, wh, eh, dh, wh_arg)) != ISC_R_SUCCESS)
-    {
-	if(eh)(*eh)("dbus_svc_init failed: connection_setup failed");
-	return ISC_R_FAILURE;
-    }
-
-    if( name == 0L )
-	return ISC_R_SUCCESS;
-    
-    (*dbus)->unique_name = dbus_bus_get_unique_name(connection);
-
-    switch
-	(   dbus_bus_request_name 
-	    (   connection, name, 
-#ifdef DBUS_NAME_FLAG_PROHIBIT_REPLACEMENT
-		DBUS_NAME_FLAG_PROHIBIT_REPLACEMENT ,
-#else
-		0 ,
-#endif
-		&error
-	    ) 
-	)
-    {   
-    case DBUS_REQUEST_NAME_REPLY_PRIMARY_OWNER:	
-	break;
-    case DBUS_REQUEST_NAME_REPLY_EXISTS:
-    case DBUS_REQUEST_NAME_REPLY_IN_QUEUE:
-    case DBUS_REQUEST_NAME_REPLY_ALREADY_OWNER:
-	if(eh)(*eh)("dbus_svc_init: dbus_bus_request_name failed:  Name already registered");
-	goto give_up;
-    default:
-	if(eh)(*eh)("dbus_svc_init: dbus_bus_request_name failed: %s %s", error.name, error.message);
-	goto give_up;
-    }
-    return ISC_R_SUCCESS;
-
- give_up:
-    dbus_connection_close( connection );
-    dbus_connection_unref( connection );
-    if( *dbus )
-    {
-	dbus_connection_set_dispatch_status_function (connection, NULL, NULL, NULL);
-	dbus_connection_set_watch_functions (connection, NULL, NULL, NULL, NULL, NULL);
-	dbus_connection_set_timeout_functions (connection, NULL, NULL, NULL, NULL, NULL);
-	free(*dbus);    
-    }
-    return ISC_R_FAILURE;
-}
-
-const char *dbus_svc_unique_name(DBusConnectionState *cs)
-{
-    return cs->unique_name;
-}
-
-void
-dbus_svc_shutdown ( DBusConnectionState *cs )                          
-{
-    if (!dbus_connection_set_watch_functions 
-	 (   cs->connection,
-	     NULL, NULL, NULL, NULL, NULL
-	 )
-       ) if( cs->eh != 0L ) (*(cs->eh))("connection_shutdown: dbus_connection_set_watch_functions: No Memory."
-                     "Setting watch functions to NULL failed."
-	            );
-  
-    if (!dbus_connection_set_timeout_functions 
-	 (   cs->connection,
-	     NULL, NULL, NULL, NULL, NULL
-	 )
-       ) if( cs->eh != 0L ) (*(cs->eh))("connection_shutdown: dbus_connection_set_timeout_functions: No Memory."
-		     "Setting timeout functions to NULL failed."
-	            );
-
-    dbus_connection_set_dispatch_status_function (cs->connection, NULL, NULL, NULL);
-    
-    tdestroy( cs->timeouts, free);
-    cs->timeouts=0L;
-    tdestroy( cs->watches, no_free);
-    cs->watches=0L;
-    
-    dbus_connection_close( cs->connection );
-    dbus_connection_unref( cs->connection );
-
-    free( cs );
-}
diff --git a/contrib/dbus/dbus_service.h b/contrib/dbus/dbus_service.h
deleted file mode 100644
index d8a21f18..00000000
--- a/contrib/dbus/dbus_service.h
+++ /dev/null
@@ -1,287 +0,0 @@
-/*  D-BUS Service Utilities
- *  
- *  Provides utilities for construction of D-BUS "Services"  
- *
- *  Copyright(C) Jason Vas Dias, Red Hat Inc., 2005
- *  Modified by Adam Tkac, Red Hat Inc., 2007
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation at 
- *           http://www.fsf.org/licensing/licenses/gpl.txt
- *  and included in this software distribution as the "LICENSE" file.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- * 
- */
-
-#ifndef D_BUS_SERVER_UTILITIES_H
-#define D_BUS_SERVER_UTILITIES_H
-
-#include <stdint.h>
-#include <stdarg.h>
-#include <isc/types.h>
-
-typedef struct dbcs_s* DBUS_SVC;
-
-typedef enum 
-{ HANDLED, NOT_HANDLED, HANDLED_NOW 
-} dbus_svc_HandlerResult;
-
-typedef enum 
-{  INVALID, CALL, RETURN, ERROR, SIGNAL 
-} dbus_svc_MessageType;
-
-typedef enum 
-{
-    DBUS_SESSION,
-    DBUS_SYSTEM, 
-    DBUS_STARTER,
-    DBUS_PRIVATE_SYSTEM,
-    DBUS_PRIVATE_SESSION
-} dbus_svc_DBUS_TYPE;
-
-typedef enum /* D-BUS Protocol Type Codes / Signature Chars */
-{
-   TYPE_INVALID  =   (int)'\0',
-   TYPE_BYTE     =   (int)'y',
-   TYPE_BOOLEAN  =   (int)'b',
-   TYPE_INT16    =   (int)'n',
-   TYPE_UINT16   =   (int)'q',
-   TYPE_INT32    =   (int)'i',
-   TYPE_UINT32   =   (int)'u',
-   TYPE_INT64    =   (int)'x',
-   TYPE_UINT64   =   (int)'t',
-   TYPE_DOUBLE   =   (int)'d',
-   TYPE_STRING   =   (int)'s',
-   TYPE_OBJECT_PATH =(int)'o',
-   TYPE_SIGNATURE=   (int)'g',
-   TYPE_ARRAY    =   (int)'a',
-   TYPE_VARIANT  =   (int)'v',
-   TYPE_STRUCT   =   (int)'r',
-   TYPE_DICT_ENTRY = (int)'e',
-   STRUCT_BEGIN  =   (int)'(',
-   STRUCT_END    =   (int)')',
-   DICT_ENTRY_BEGIN =(int)'{',
-   DICT_ENTRY_END   =(int)'}'
-} dbus_svc_DataType;
-
-typedef struct DBusMessage* dbus_svc_MessageHandle;
-
-typedef int 
-(*dbus_svc_ErrorHandler)
-( const char *errorFmt, ...
-); /* Error Handler function prototype - handle FATAL errors from D-BUS calls */
-
-typedef enum
-{
-    WATCH_ENABLE = 8,
-    WATCH_ERROR  = 4,
-    WATCH_WRITE  = 2,
-    WATCH_READ   = 1
-} dbus_svc_WatchFlags;
-
-typedef void (*dbus_svc_WatchHandler)( int, dbus_svc_WatchFlags, void *arg );
-
-typedef dbus_svc_HandlerResult 
-(*dbus_svc_MessageHandler)
-( DBUS_SVC dbus,
-  dbus_svc_MessageType type,
-  uint8_t  reply_expected,   /* 1 / 0 */
-  uint32_t serial,           /* serial number of message; needed to reply */
-  const char *destination,         /* D-BUS connection name / destination */
-  const char *path,                /* D-BUS Object Path */  
-  const char *member,              /* D-BUS Object Member */
-  const char *interface,           /* D-BUS Object interface */
-  const char *if_suffix,           /* remainder of interface prefixed by ifPrefix */
-  const char *sender,              /* Senders' connection destination */
-  const char *signature,           /* Signature String composed of Type Codes      */
-  dbus_svc_MessageHandle msg,/* Message pointer: call dbus_svc_get_args(msg,...) to get data */
-  const char *prefix,              /* If non-null, this is the root prefix for this sub-path message */ 
-  const char *suffix,              /* If non-null, this is the suffix of this sub-path message */
-  void *prefixObject,        /* If non-null, this is the object that was registered for the prefix */
-  void *object               /* If non-null, this is the object that was registered for the complete path */
-); /* Message Handler function prototype */
-
-#define DBusMsgHandlerArgs \
-  DBUS_SVC dbus, \
-  dbus_svc_MessageType type, \
-  uint8_t  reply_expected, \
-  uint32_t serial,         \
-  const char *destination,       \
-  const char *path,              \
-  const char *member,            \
-  const char *interface,         \
-  const char *if_suffix,         \
-  const char *sender,            \
-  const char *signature,         \
-  dbus_svc_MessageHandle msg, \
-  const char *prefix,            \
-  const char *suffix,            \
-  void *prefixObject,      \
-  void *object             
-
-#define SHUTDOWN 255
-
-extern isc_result_t dbus_svc_init
-( dbus_svc_DBUS_TYPE bus, 
-  char *name,                         /* name to register with D-BUS */
-  DBUS_SVC *dbus,                     /* dbus handle */
-  dbus_svc_WatchHandler wh,           /* optional handler for watch events */
-  dbus_svc_ErrorHandler eh,           /* optional error log message handler */
-  dbus_svc_ErrorHandler dh,           /* optional debug / info log message handler */
-  void *wh_arg                        /* optional watch handler arg */
-); 
-/*
- * Obtains connection to DBUS_BUS_STARTER and registers "name".
- * "eh" will be called for all errors from this server session.
- */
-
-/* EITHER :
- *        pass a NULL WatchHandler to dbus_svc_init and use dbus_svc_main_loop
- * OR:
- *        supply a valid WatchHandler, and call dbus_svc_handle_watch when 
- *        select() returns the watch fd as ready for the watch action, and
- *        call dbus_svc_dispatch when all watches have been handled.
- */        
-
-
-uint8_t
-dbus_svc_add_filter
-(  DBUS_SVC, dbus_svc_MessageHandler mh, void *obj, int n_matches, ... );
-/*
- * Registers SINGLE message handler to handle ALL messages, adding match rules
- */
-
-void  dbus_svc_main_loop( DBUS_SVC, void (*idle_handler)(DBUS_SVC) ); 
- 
-void  dbus_svc_handle_watch( DBUS_SVC, int watch_fd, dbus_svc_WatchFlags action);
-
-void  dbus_svc_dispatch( DBUS_SVC );
-
-/*
- * Enter message processing loop.
- * If "idle_handler" is non-null, it will be called once per iteration of loop.
- */
-
-const char *dbus_svc_unique_name( DBUS_SVC );
-/*
- * Returns connection "unique" (socket) name
- */
-
-void  dbus_svc_quit( DBUS_SVC );
-/*
- * Exit message processing loop
- */
-
-void  dbus_svc_shutdown( DBUS_SVC );
-/*
- * Close connections and clean up. 
- * DBUS_SVC pointer is invalid after this.
- */
-
-uint8_t
-dbus_svc_get_args( DBUS_SVC, dbus_svc_MessageHandle, dbus_svc_DataType, ... );
-/* get arguments from message  */
-
-uint8_t
-dbus_svc_get_args_va( DBUS_SVC, dbus_svc_MessageHandle, dbus_svc_DataType, va_list );
-/* get arguments from message  */
-
-
-typedef void (*dbus_svc_ShutdownHandler) ( DBUS_SVC, void * );
-uint8_t
-dbus_svc_add_shutdown_filter
-(
-    DBUS_SVC, dbus_svc_ShutdownHandler sh, void *obj 
-);
-/* Registers a filter for D-BUS shutdown event.
- * Cannot be used in conjunction with dbus_svc_add_message_filter.
- */
-
-uint8_t
-dbus_svc_remove_message_filter
-( DBUS_SVC, dbus_svc_MessageHandler mh);
-/* Unregisters the message filter */
-
-uint8_t 
-dbus_svc_send
-( DBUS_SVC,
-  dbus_svc_MessageType type,
-  int32_t reply_serial,
-  uint32_t *new_serial,
-  const char *destination,
-  const char *path,
-  const char *member,
-  const char *interface,
-  dbus_svc_DataType firstType,
-  ... /* pointer, { (dbus_svc_DataType, pointer )...} */ 
-); /* sends messages / replies to "destination" */
-
-uint8_t 
-dbus_svc_send_va
-( DBUS_SVC cs,
-  dbus_svc_MessageType type,
-  int32_t reply_serial,
-  uint32_t *new_serial,
-  const char *destination,
-  const char *path,
-  const char *member,
-  const char *interface,
-  dbus_svc_DataType firstType,
-  va_list va
-); /* sends messages / replies to "destination" */
-
-dbus_svc_MessageHandle
-dbus_svc_call
-( DBUS_SVC cs,
-  const char *destination,
-  const char *path,
-  const char *member,
-  const char *interface,
-  dbus_svc_DataType firstType,
-  ...
-); /* constructs message, sends it, returns reply */
-
-dbus_svc_MessageHandle
-dbus_svc_new_message
-( DBUS_SVC cs,
-  dbus_svc_MessageType type,
-  int32_t reply_serial,
-  const char *destination,
-  const char *path,
-  const char *interface,
-  const char *member
-);
-
-uint8_t
-dbus_svc_send_message(DBUS_SVC , dbus_svc_MessageHandle , uint32_t *  );
-
-uint8_t
-dbus_svc_message_append_args( DBUS_SVC , dbus_svc_MessageHandle, dbus_svc_DataType, ...);
-
-typedef struct DBusMessageIter *dbus_svc_MessageIterator;
-
-dbus_svc_MessageIterator
-dbus_svc_message_iterator_new( DBUS_SVC, dbus_svc_MessageHandle );
-
-uint32_t
-dbus_svc_message_next_arg_type( DBUS_SVC, dbus_svc_MessageIterator );
-
-void
-dbus_svc_message_next_arg( DBUS_SVC, dbus_svc_MessageIterator,  void * );
-
-uint32_t
-dbus_svc_message_element_type( DBUS_SVC, dbus_svc_MessageIterator );
-
-void
-dbus_svc_message_get_elements( DBUS_SVC, dbus_svc_MessageIterator, uint32_t *n, void *array );
-
-uint8_t dbus_svc_message_type( dbus_svc_MessageHandle );
-
-void dbus_svc_message_iterator_free(  DBUS_SVC, dbus_svc_MessageIterator  );
-
-#endif
diff --git a/contrib/dbus/named-dbus-system.conf b/contrib/dbus/named-dbus-system.conf
deleted file mode 100644
index 2cb99bdc..00000000
--- a/contrib/dbus/named-dbus-system.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
- "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
-<busconfig>
-    <servicedir>/usr/share/dbus-1/services</servicedir>
-    <policy user="named">
-            <allow own="com.redhat.named"/>
-            <allow send_interface="com.redhat.named"/>
-            <allow send_destination="com.redhat.named"/>
-    </policy>
-    <policy user="root">
-            <allow send_interface="com.redhat.named"/>
-            <allow send_destination="com.redhat.named"/>
-    </policy>
-    <policy context="default">
-            <deny own="com.redhat.named"/>
-            <deny send_destination="com.redhat.named"/>
-            <deny send_interface="com.redhat.named"/>
-    </policy>
-</busconfig>
-
diff --git a/contrib/dbus/named-dbus.service b/contrib/dbus/named-dbus.service
deleted file mode 100644
index ddf40e7d..00000000
--- a/contrib/dbus/named-dbus.service
+++ /dev/null
@@ -1,3 +0,0 @@
-[D-BUS Service]
-Name=com.redhat.named
-Exec=/usr/sbin/named
diff --git a/contrib/idn/idnkit-1.0-src/lib/Makefile.in b/contrib/idn/idnkit-1.0-src/lib/Makefile.in
index c21e8688..76f703ca 100644
--- a/contrib/idn/idnkit-1.0-src/lib/Makefile.in
+++ b/contrib/idn/idnkit-1.0-src/lib/Makefile.in
@@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.1.1.1.10.1 2004/07/20 07:00:17 marka Exp $
+# $Id: Makefile.in,v 1.1.1.1 2003/06/04 00:25:47 marka Exp $
 # Copyright (c) 2000, 2002 Japan Network Information Center.
 # All rights reserved.
 #  
@@ -189,7 +189,7 @@ SAMPLES = idn.conf.sample idnalias.conf.sample
 	$(LIBTOOL) --mode=compile $(CC) $(CFLAGS) -c $<
 
 .c.to:
-	$(CC) -o $@ -DTEST $(CFLAGS) $(LDFLAGS) -c $<
+	$(CC) -o $@ -DTEST $(CFLAGS) -c $<
 
 all: all-localdir all-subdirs
 @LITEONLY_TRUE@all-localdir: $(LITELIB).la $(SAMPLES)
diff --git a/contrib/idn/idnkit-1.0-src/lib/tests/Makefile.in b/contrib/idn/idnkit-1.0-src/lib/tests/Makefile.in
index ef6577d1..ef73d032 100644
--- a/contrib/idn/idnkit-1.0-src/lib/tests/Makefile.in
+++ b/contrib/idn/idnkit-1.0-src/lib/tests/Makefile.in
@@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.1.1.1.10.1 2004/07/20 07:00:17 marka Exp $
+# $Id: Makefile.in,v 1.1.1.1 2003/06/04 00:26:46 marka Exp $
 # Copyright (c) 2000, 2002 Japan Network Information Center.
 # All rights reserved.
 #  
@@ -300,5 +300,5 @@ testconfig.h: ../../include/config.h
 		../../include/config.h > testconfig.h
 
 iconvchk: iconvchk.c codeset.h
-	$(LIBTOOL) --mode=link $(CC) $(CFLAGS) $(LDFLAGS) -o $@ \
+	$(LIBTOOL) --mode=link $(CC) $(CFLAGS) -o $@ \
 		$(srcdir)/iconvchk.c $(IDNLIB) $(ICONVLIB)
diff --git a/contrib/idn/idnkit-1.0-src/patch/bind9/bind-9.2.5-patch b/contrib/idn/idnkit-1.0-src/patch/bind9/bind-9.2.5-patch
deleted file mode 100644
index 8741d950..00000000
--- a/contrib/idn/idnkit-1.0-src/patch/bind9/bind-9.2.5-patch
+++ /dev/null
@@ -1,1253 +0,0 @@
-IDN patch for bind-9.2.4
-========================
-
-
-This is a patch file for ISC BIND 9.2.4 to make it work with
-internationalized domain names.  With this patch you'll get IDN-aware
-dig/host/nslookup.
-
-To apply this patch, you should go to the top directory of the BIND
-distribution (where you see `README' file), then invoke `patch'
-command like this:
-
-	% patch -p0 < this-file
-
-Then follow the instructions described in `README.idnkit' to compile
-and install.
-
-
-Index: README.idnkit
---- /dev/null	Mon Dec 13 11:30:00 2004
-+++ README.idnkit	Mon Dec 13 11:17:27 2004
-@@ -0,0 +1,113 @@
-+
-+			BIND-9 IDN patch
-+
-+	       Japan Network Information Center (JPNIC)
-+
-+
-+* What is this patch for?
-+
-+This patch adds internationalized domain name (IDN) support to BIND-9.
-+You'll get internationalized version of dig/host/nslookup commands.
-+
-+    + internationalized dig/host/nslookup
-+	dig/host/nslookup accepts non-ASCII domain names in the local
-+	codeset (such as Shift JIS, Big5 or ISO8859-1) determined by
-+	the locale information.  The domain names are normalized and
-+	converted to the encoding on the DNS protocol, and sent to DNS
-+	servers.  The replies are converted back to the local codeset
-+	and displayed.
-+
-+
-+* Compilation & installation
-+
-+0. Prerequisite
-+
-+You have to build and install idnkit before building this patched version
-+of bind-9.
-+
-+1. Running configure script
-+
-+Run `configure' in the top directory.  See `README' for the
-+configuration options.
-+
-+This patch adds the following 4 options to `configure'.  You should
-+at least specify `--with-idn' option to enable IDN support.
-+
-+    --with-idn[=IDN_PREFIX]
-+	To enable IDN support, you have to specify `--with-idn' option.
-+	The argument IDN_PREFIX is the install prefix of idnkit.  If
-+	IDN_PREFIX is omitted, PREFIX (derived from `--prefix=PREFIX')
-+	is assumed.
-+
-+    --with-libiconv[=LIBICONV_PREFIX]
-+	Specify this option if idnkit you have installed links GNU
-+	libiconv.  The argument LIBICONV_PREFIX is install prefix of
-+	GNU libiconv.  If the argument is omitted, PREFIX (derived
-+	from `--prefix=PREFIX') is assumed.
-+
-+	`--with-libiconv' is shorthand option for GNU libiconv.
-+
-+	    --with-libiconv=/usr/local
-+
-+	This is equivalent to:
-+
-+	    --with-iconv='-L/usr/local/lib -R/usr/local/lib -liconv'
-+
-+	`--with-libiconv' assumes that your C compiler has `-R'
-+	option, and that the option adds the specified run-time path
-+	to an exacutable binary.  If `-R' option of your compiler has
-+	different meaning, or your compiler lacks the option, you
-+	should use `--with-iconv' option instead.  Binary command
-+	without run-time path information might be unexecutable.
-+	In that case, you would see an error message like:
-+
-+	    error in loading shared libraries: libiconv.so.2: cannot
-+	    open shared object file
-+
-+	If both `--with-libiconv' and `--with-iconv' options are
-+	specified, `--with-iconv' is prior to `--with-libiconv'.
-+
-+    --with-iconv=ICONV_LIBSPEC
-+	If your libc doens't provide iconv(), you need to specify the
-+	library containing iconv() with this option.  `ICONV_LIBSPEC'
-+	is the argument(s) to `cc' or `ld' to link the library, for
-+	example, `--with-iconv="-L/usr/local/lib -liconv"'.
-+	You don't need to specify the header file directory for "iconv.h"
-+	to the compiler, as it isn't included directly by bind-9 with
-+	this patch.
-+
-+    --with-idnlib=IDN_LIBSPEC
-+	With this option, you can explicitly specify the argument(s)
-+	to `cc' or `ld' to link the idnkit's library, `libidnkit'.  If
-+	this option is not specified, `-L${PREFIX}/lib -lidnkit' is
-+	assumed, where ${PREFIX} is the installation prefix specified
-+	with `--with-idn' option above.  You may need to use this
-+	option to specify extra argments, for example,
-+	`--with-idnlib="-L/usr/local/lib -R/usr/local/lib -lidnkit"'.
-+
-+Please consult `README' for other configuration options.
-+
-+Note that if you want to specify some extra header file directories,
-+you should use the environment variable STD_CINCLUDES instead of
-+CFLAGS, as described in README.
-+
-+2. Compilation and installation
-+
-+After running "configure", just do
-+
-+	make
-+	make install
-+
-+for compiling and installing.
-+
-+
-+* Contact information
-+
-+Please see http//www.nic.ad.jp/en/idn/ for the latest news
-+about idnkit and this patch.
-+
-+Bug reports and comments on this kit should be sent to
-+mdnkit-bugs@nic.ad.jp and idn-cmt@nic.ad.jp, respectively.
-+
-+
-+; $Id: bind-9.2.2-patch,v 1.1.1.1 2003/06/04 00:27:32 marka Exp $
-Index: configure
-===================================================================
-RCS file: /proj/cvs/prod/bind9/configure,v
-retrieving revision 1.284.2.39
-diff -U2 -r1.284.2.39 configure
---- configure	9 Dec 2004 03:20:03 -0000	1.284.2.39
-+++ configure	13 Dec 2004 00:31:36 -0000
-@@ -466,5 +466,5 @@
- #endif"
- 
--ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix program_transform_name bindir sbindir libexecdir datadir sysconfdir sharedstatedir localstatedir libdir includedir oldincludedir infodir mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T LIBS subdirs build build_cpu build_vendor build_os host host_cpu host_vendor host_os SET_MAKE RANLIB ac_ct_RANLIB INSTALL_PROGRAM INSTALL_SCRIPT INSTALL_DATA STD_CINCLUDES STD_CDEFINES STD_CWARNINGS CCOPT AR ARFLAGS LN ETAGS PERL CC CFLAGS LDFLAGS CPPFLAGS ac_ct_CC EXEEXT OBJEXT CPP EGREP ISC_SOCKADDR_LEN_T ISC_PLATFORM_HAVELONGLONG ISC_PLATFORM_NEEDSYSSELECTH LWRES_PLATFORM_NEEDSYSSELECTH DST_OPENSSL_INC DNS_OPENSSL_LIBS USE_OPENSSL USE_GSSAPI DST_GSSAPI_INC DNS_GSSAPI_LIBS ALWAYS_DEFINES ISC_PLATFORM_USETHREADS ISC_THREAD_DIR MKDEPCC MKDEPCFLAGS MKDEPPROG IRIX_DNSSEC_WARNINGS_HACK purify_path PURIFY LN_S ECHO ac_ct_AR STRIP ac_ct_STRIP CXX CXXFLAGS ac_ct_CXX CXXCPP F77 FFLAGS ac_ct_F77 LIBTOOL O A SA LIBTOOL_MKDEP_SED LIBTOOL_MODE_COMPILE LIBTOOL_MODE_INSTALL LIBTOOL_MODE_LINK LIBTOOL_ALLOW_UNDEFINED LIBTOOL_IN_MAIN LIBBIND ISC_PLATFORM_HAVEIPV6 LWRES_PLATFORM_HAVEIPV6 ISC_PLATFORM_NEEDNETINETIN6H LWRES_PLATFORM_NEEDNETINETIN6H ISC_PLATFORM_NEEDNETINET6IN6H LWRES_PLATFORM_NEEDNETINET6IN6H ISC_PLATFORM_HAVEINADDR6 LWRES_PLATFORM_HAVEINADDR6 ISC_PLATFORM_NEEDIN6ADDRANY LWRES_PLATFORM_NEEDIN6ADDRANY ISC_PLATFORM_NEEDIN6ADDRLOOPBACK LWRES_PLATFORM_NEEDIN6ADDRLOOPBACK ISC_PLATFORM_HAVEIN6PKTINFO ISC_PLATFORM_FIXIN6ISADDR ISC_IPV6_H ISC_IPV6_O ISC_ISCIPV6_O ISC_IPV6_C LWRES_HAVE_SIN6_SCOPE_ID ISC_PLATFORM_NEEDNTOP ISC_PLATFORM_NEEDPTON ISC_PLATFORM_NEEDATON ISC_PLATFORM_HAVESALEN LWRES_PLATFORM_HAVESALEN ISC_PLATFORM_MSGHDRFLAVOR ISC_PLATFORM_NEEDPORTT ISC_LWRES_NEEDADDRINFO ISC_LWRES_NEEDRRSETINFO ISC_LWRES_SETHOSTENTINT ISC_LWRES_ENDHOSTENTINT ISC_LWRES_GETNETBYADDRINADDR ISC_LWRES_SETNETENTINT ISC_LWRES_ENDNETENTINT ISC_LWRES_GETHOSTBYADDRVOID ISC_LWRES_NEEDHERRNO ISC_LWRES_GETIPNODEPROTO ISC_LWRES_GETADDRINFOPROTO ISC_LWRES_GETNAMEINFOPROTO ISC_PLATFORM_NEEDSTRSEP ISC_PLATFORM_NEEDVSNPRINTF LWRES_PLATFORM_NEEDVSNPRINTF ISC_EXTRA_OBJS ISC_EXTRA_SRCS ISC_PLATFORM_QUADFORMAT ISC_PLATFORM_RLIMITTYPE ISC_PLATFORM_USEDECLSPEC LWRES_PLATFORM_USEDECLSPEC ISC_PLATFORM_BRACEPTHREADONCEINIT OPENJADE JADETEX PDFJADETEX SGMLCATALOG HTMLSTYLE PRINTSTYLE XMLDCL DOCBOOK2MANSPEC BIND9_TOP_BUILDDIR BIND9_ISC_BUILDINCLUDE BIND9_ISCCC_BUILDINCLUDE BIND9_ISCCFG_BUILDINCLUDE BIND9_DNS_BUILDINCLUDE BIND9_LWRES_BUILDINCLUDE BIND9_VERSION LIBOBJS LTLIBOBJS'
-+ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix program_transform_name bindir sbindir libexecdir datadir sysconfdir sharedstatedir localstatedir libdir includedir oldincludedir infodir mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T LIBS subdirs build build_cpu build_vendor build_os host host_cpu host_vendor host_os SET_MAKE RANLIB ac_ct_RANLIB INSTALL_PROGRAM INSTALL_SCRIPT INSTALL_DATA STD_CINCLUDES STD_CDEFINES STD_CWARNINGS CCOPT AR ARFLAGS LN ETAGS PERL CC CFLAGS LDFLAGS CPPFLAGS ac_ct_CC EXEEXT OBJEXT CPP EGREP ISC_SOCKADDR_LEN_T ISC_PLATFORM_HAVELONGLONG ISC_PLATFORM_NEEDSYSSELECTH LWRES_PLATFORM_NEEDSYSSELECTH DST_OPENSSL_INC DNS_OPENSSL_LIBS USE_OPENSSL USE_GSSAPI DST_GSSAPI_INC DNS_GSSAPI_LIBS ALWAYS_DEFINES ISC_PLATFORM_USETHREADS ISC_THREAD_DIR MKDEPCC MKDEPCFLAGS MKDEPPROG IRIX_DNSSEC_WARNINGS_HACK purify_path PURIFY LN_S ECHO ac_ct_AR STRIP ac_ct_STRIP CXX CXXFLAGS ac_ct_CXX CXXCPP F77 FFLAGS ac_ct_F77 LIBTOOL O A SA LIBTOOL_MKDEP_SED LIBTOOL_MODE_COMPILE LIBTOOL_MODE_INSTALL LIBTOOL_MODE_LINK LIBTOOL_ALLOW_UNDEFINED LIBTOOL_IN_MAIN LIBBIND ISC_PLATFORM_HAVEIPV6 LWRES_PLATFORM_HAVEIPV6 ISC_PLATFORM_NEEDNETINETIN6H LWRES_PLATFORM_NEEDNETINETIN6H ISC_PLATFORM_NEEDNETINET6IN6H LWRES_PLATFORM_NEEDNETINET6IN6H ISC_PLATFORM_HAVEINADDR6 LWRES_PLATFORM_HAVEINADDR6 ISC_PLATFORM_NEEDIN6ADDRANY LWRES_PLATFORM_NEEDIN6ADDRANY ISC_PLATFORM_NEEDIN6ADDRLOOPBACK LWRES_PLATFORM_NEEDIN6ADDRLOOPBACK ISC_PLATFORM_HAVEIN6PKTINFO ISC_PLATFORM_FIXIN6ISADDR ISC_IPV6_H ISC_IPV6_O ISC_ISCIPV6_O ISC_IPV6_C LWRES_HAVE_SIN6_SCOPE_ID ISC_PLATFORM_NEEDNTOP ISC_PLATFORM_NEEDPTON ISC_PLATFORM_NEEDATON ISC_PLATFORM_HAVESALEN LWRES_PLATFORM_HAVESALEN ISC_PLATFORM_MSGHDRFLAVOR ISC_PLATFORM_NEEDPORTT ISC_LWRES_NEEDADDRINFO ISC_LWRES_NEEDRRSETINFO ISC_LWRES_SETHOSTENTINT ISC_LWRES_ENDHOSTENTINT ISC_LWRES_GETNETBYADDRINADDR ISC_LWRES_SETNETENTINT ISC_LWRES_ENDNETENTINT ISC_LWRES_GETHOSTBYADDRVOID ISC_LWRES_NEEDHERRNO ISC_LWRES_GETIPNODEPROTO ISC_LWRES_GETADDRINFOPROTO ISC_LWRES_GETNAMEINFOPROTO ISC_PLATFORM_NEEDSTRSEP ISC_PLATFORM_NEEDVSNPRINTF LWRES_PLATFORM_NEEDVSNPRINTF ISC_EXTRA_OBJS ISC_EXTRA_SRCS ISC_PLATFORM_QUADFORMAT ISC_PLATFORM_RLIMITTYPE ISC_PLATFORM_USEDECLSPEC LWRES_PLATFORM_USEDECLSPEC ISC_PLATFORM_BRACEPTHREADONCEINIT OPENJADE JADETEX PDFJADETEX SGMLCATALOG HTMLSTYLE PRINTSTYLE XMLDCL DOCBOOK2MANSPEC IDNLIBS BIND9_TOP_BUILDDIR BIND9_ISC_BUILDINCLUDE BIND9_ISCCC_BUILDINCLUDE BIND9_ISCCFG_BUILDINCLUDE BIND9_DNS_BUILDINCLUDE BIND9_LWRES_BUILDINCLUDE BIND9_VERSION LIBOBJS LTLIBOBJS'
- ac_subst_files='BIND9_INCLUDES BIND9_MAKE_RULES LIBISC_API LIBISCCC_API LIBISCCFG_API LIBDNS_API LIBLWRES_API'
- 
-@@ -1048,4 +1048,8 @@
-                           include additional configurations [automatic]
-   --with-kame=PATH	use Kame IPv6 default path /usr/local/v6
-+  --with-idn=MPREFIX   enable IDN support using idnkit default PREFIX
-+  --with-libiconv=IPREFIX   GNU libiconv are in IPREFIX default PREFIX
-+  --with-iconv=LIBSPEC   specify iconv library default -liconv
-+  --with-idnlib=ARG    specify libidnkit
- 
- Some influential environment variables:
-@@ -7896,5 +7900,5 @@
- *-*-irix6*)
-   # Find out which ABI we are using.
--  echo '#line 7898 "configure"' > conftest.$ac_ext
-+  echo '#line 7902 "configure"' > conftest.$ac_ext
-   if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-   (eval $ac_compile) 2>&5
-@@ -8893,5 +8897,5 @@
- 
- # Provide some information about the compiler.
--echo "$as_me:8895:" \
-+echo "$as_me:8899:" \
-      "checking for Fortran 77 compiler version" >&5
- ac_compiler=`set X $ac_compile; echo $2`
-@@ -9954,9 +9958,9 @@
-    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-    -e 's:$: $lt_compiler_flag:'`
--   (eval echo "\"\$as_me:9956: $lt_compile\"" >&5)
-+   (eval echo "\"\$as_me:9960: $lt_compile\"" >&5)
-    (eval "$lt_compile" 2>conftest.err)
-    ac_status=$?
-    cat conftest.err >&5
--   echo "$as_me:9960: \$? = $ac_status" >&5
-+   echo "$as_me:9964: \$? = $ac_status" >&5
-    if (exit $ac_status) && test -s "$ac_outfile"; then
-      # The compiler can only warn and ignore the option if not recognized
-@@ -10197,9 +10201,9 @@
-    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-    -e 's:$: $lt_compiler_flag:'`
--   (eval echo "\"\$as_me:10199: $lt_compile\"" >&5)
-+   (eval echo "\"\$as_me:10203: $lt_compile\"" >&5)
-    (eval "$lt_compile" 2>conftest.err)
-    ac_status=$?
-    cat conftest.err >&5
--   echo "$as_me:10203: \$? = $ac_status" >&5
-+   echo "$as_me:10207: \$? = $ac_status" >&5
-    if (exit $ac_status) && test -s "$ac_outfile"; then
-      # The compiler can only warn and ignore the option if not recognized
-@@ -10257,9 +10261,9 @@
-    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-    -e 's:$: $lt_compiler_flag:'`
--   (eval echo "\"\$as_me:10259: $lt_compile\"" >&5)
-+   (eval echo "\"\$as_me:10263: $lt_compile\"" >&5)
-    (eval "$lt_compile" 2>out/conftest.err)
-    ac_status=$?
-    cat out/conftest.err >&5
--   echo "$as_me:10263: \$? = $ac_status" >&5
-+   echo "$as_me:10267: \$? = $ac_status" >&5
-    if (exit $ac_status) && test -s out/conftest2.$ac_objext
-    then
-@@ -12442,5 +12446,5 @@
-   lt_status=$lt_dlunknown
-   cat > conftest.$ac_ext <<EOF
--#line 12444 "configure"
-+#line 12448 "configure"
- #include "confdefs.h"
- 
-@@ -12540,5 +12544,5 @@
-   lt_status=$lt_dlunknown
-   cat > conftest.$ac_ext <<EOF
--#line 12542 "configure"
-+#line 12546 "configure"
- #include "confdefs.h"
- 
-@@ -14737,9 +14741,9 @@
-    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-    -e 's:$: $lt_compiler_flag:'`
--   (eval echo "\"\$as_me:14739: $lt_compile\"" >&5)
-+   (eval echo "\"\$as_me:14743: $lt_compile\"" >&5)
-    (eval "$lt_compile" 2>conftest.err)
-    ac_status=$?
-    cat conftest.err >&5
--   echo "$as_me:14743: \$? = $ac_status" >&5
-+   echo "$as_me:14747: \$? = $ac_status" >&5
-    if (exit $ac_status) && test -s "$ac_outfile"; then
-      # The compiler can only warn and ignore the option if not recognized
-@@ -14797,9 +14801,9 @@
-    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-    -e 's:$: $lt_compiler_flag:'`
--   (eval echo "\"\$as_me:14799: $lt_compile\"" >&5)
-+   (eval echo "\"\$as_me:14803: $lt_compile\"" >&5)
-    (eval "$lt_compile" 2>out/conftest.err)
-    ac_status=$?
-    cat out/conftest.err >&5
--   echo "$as_me:14803: \$? = $ac_status" >&5
-+   echo "$as_me:14807: \$? = $ac_status" >&5
-    if (exit $ac_status) && test -s out/conftest2.$ac_objext
-    then
-@@ -16158,5 +16162,5 @@
-   lt_status=$lt_dlunknown
-   cat > conftest.$ac_ext <<EOF
--#line 16160 "configure"
-+#line 16164 "configure"
- #include "confdefs.h"
- 
-@@ -16256,5 +16260,5 @@
-   lt_status=$lt_dlunknown
-   cat > conftest.$ac_ext <<EOF
--#line 16258 "configure"
-+#line 16262 "configure"
- #include "confdefs.h"
- 
-@@ -17093,9 +17097,9 @@
-    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-    -e 's:$: $lt_compiler_flag:'`
--   (eval echo "\"\$as_me:17095: $lt_compile\"" >&5)
-+   (eval echo "\"\$as_me:17099: $lt_compile\"" >&5)
-    (eval "$lt_compile" 2>conftest.err)
-    ac_status=$?
-    cat conftest.err >&5
--   echo "$as_me:17099: \$? = $ac_status" >&5
-+   echo "$as_me:17103: \$? = $ac_status" >&5
-    if (exit $ac_status) && test -s "$ac_outfile"; then
-      # The compiler can only warn and ignore the option if not recognized
-@@ -17153,9 +17157,9 @@
-    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-    -e 's:$: $lt_compiler_flag:'`
--   (eval echo "\"\$as_me:17155: $lt_compile\"" >&5)
-+   (eval echo "\"\$as_me:17159: $lt_compile\"" >&5)
-    (eval "$lt_compile" 2>out/conftest.err)
-    ac_status=$?
-    cat out/conftest.err >&5
--   echo "$as_me:17159: \$? = $ac_status" >&5
-+   echo "$as_me:17163: \$? = $ac_status" >&5
-    if (exit $ac_status) && test -s out/conftest2.$ac_objext
-    then
-@@ -19192,9 +19196,9 @@
-    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-    -e 's:$: $lt_compiler_flag:'`
--   (eval echo "\"\$as_me:19194: $lt_compile\"" >&5)
-+   (eval echo "\"\$as_me:19198: $lt_compile\"" >&5)
-    (eval "$lt_compile" 2>conftest.err)
-    ac_status=$?
-    cat conftest.err >&5
--   echo "$as_me:19198: \$? = $ac_status" >&5
-+   echo "$as_me:19202: \$? = $ac_status" >&5
-    if (exit $ac_status) && test -s "$ac_outfile"; then
-      # The compiler can only warn and ignore the option if not recognized
-@@ -19435,9 +19439,9 @@
-    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-    -e 's:$: $lt_compiler_flag:'`
--   (eval echo "\"\$as_me:19437: $lt_compile\"" >&5)
-+   (eval echo "\"\$as_me:19441: $lt_compile\"" >&5)
-    (eval "$lt_compile" 2>conftest.err)
-    ac_status=$?
-    cat conftest.err >&5
--   echo "$as_me:19441: \$? = $ac_status" >&5
-+   echo "$as_me:19445: \$? = $ac_status" >&5
-    if (exit $ac_status) && test -s "$ac_outfile"; then
-      # The compiler can only warn and ignore the option if not recognized
-@@ -19495,9 +19499,9 @@
-    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-    -e 's:$: $lt_compiler_flag:'`
--   (eval echo "\"\$as_me:19497: $lt_compile\"" >&5)
-+   (eval echo "\"\$as_me:19501: $lt_compile\"" >&5)
-    (eval "$lt_compile" 2>out/conftest.err)
-    ac_status=$?
-    cat out/conftest.err >&5
--   echo "$as_me:19501: \$? = $ac_status" >&5
-+   echo "$as_me:19505: \$? = $ac_status" >&5
-    if (exit $ac_status) && test -s out/conftest2.$ac_objext
-    then
-@@ -21680,5 +21684,5 @@
-   lt_status=$lt_dlunknown
-   cat > conftest.$ac_ext <<EOF
--#line 21682 "configure"
-+#line 21686 "configure"
- #include "confdefs.h"
- 
-@@ -21778,5 +21782,5 @@
-   lt_status=$lt_dlunknown
-   cat > conftest.$ac_ext <<EOF
--#line 21780 "configure"
-+#line 21784 "configure"
- #include "confdefs.h"
- 
-@@ -26105,4 +26109,354 @@
- 
- #
-+# IDN support
-+#
-+
-+# Check whether --with-idn or --without-idn was given.
-+if test "${with_idn+set}" = set; then
-+  withval="$with_idn"
-+  use_idn="$withval"
-+else
-+  use_idn="no"
-+fi;
-+case "$use_idn" in
-+yes)
-+	if test X$prefix = XNONE ; then
-+		idn_path=/usr/local
-+	else
-+		idn_path=$prefix
-+	fi
-+	;;
-+no)
-+	;;
-+*)
-+	idn_path="$use_idn"
-+	;;
-+esac
-+
-+iconvinc=
-+iconvlib=
-+
-+# Check whether --with-libiconv or --without-libiconv was given.
-+if test "${with_libiconv+set}" = set; then
-+  withval="$with_libiconv"
-+  use_libiconv="$withval"
-+else
-+  use_libiconv="no"
-+fi;
-+case "$use_libiconv" in
-+yes)
-+	if test X$prefix = XNONE ; then
-+		iconvlib="-L/usr/local/lib -R/usr/local/lib -liconv"
-+	else
-+		iconvlib="-L$prefix/lib -R$prefix/lib -liconv"
-+	fi
-+	;;
-+no)
-+	iconvlib=
-+	;;
-+*)
-+	iconvlib="-L$use_libiconv/lib -R$use_libiconv/lib -liconv"
-+	;;
-+esac
-+
-+
-+# Check whether --with-iconv or --without-iconv was given.
-+if test "${with_iconv+set}" = set; then
-+  withval="$with_iconv"
-+  iconvlib="$withval"
-+fi;
-+case "$iconvlib" in
-+no)
-+	iconvlib=
-+	;;
-+yes)
-+	iconvlib=-liconv
-+	;;
-+esac
-+
-+
-+# Check whether --with-idnlib or --without-idnlib was given.
-+if test "${with_idnlib+set}" = set; then
-+  withval="$with_idnlib"
-+  idnlib="$withval"
-+else
-+  idnlib="no"
-+fi;
-+if test "$idnlib" = yes; then
-+	{ { echo "$as_me:$LINENO: error: You must specify ARG for --with-idnlib." >&5
-+echo "$as_me: error: You must specify ARG for --with-idnlib." >&2;}
-+   { (exit 1); exit 1; }; }
-+fi
-+
-+IDNLIBS=
-+if test "$use_idn" != no; then
-+
-+cat >>confdefs.h <<\_ACEOF
-+#define WITH_IDN 1
-+_ACEOF
-+
-+	STD_CINCLUDES="$STD_CINCLUDES -I$idn_path/include"
-+	if test "$idnlib" != no; then
-+		IDNLIBS="$idnlib $iconvlib"
-+	else
-+		IDNLIBS="-L$idn_path/lib -lidnkit $iconvlib"
-+	fi
-+fi
-+
-+
-+
-+for ac_header in locale.h
-+do
-+as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
-+if eval "test \"\${$as_ac_Header+set}\" = set"; then
-+  echo "$as_me:$LINENO: checking for $ac_header" >&5
-+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
-+if eval "test \"\${$as_ac_Header+set}\" = set"; then
-+  echo $ECHO_N "(cached) $ECHO_C" >&6
-+fi
-+echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
-+echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
-+else
-+  # Is the header compilable?
-+echo "$as_me:$LINENO: checking $ac_header usability" >&5
-+echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6
-+cat >conftest.$ac_ext <<_ACEOF
-+/* confdefs.h.  */
-+_ACEOF
-+cat confdefs.h >>conftest.$ac_ext
-+cat >>conftest.$ac_ext <<_ACEOF
-+/* end confdefs.h.  */
-+$ac_includes_default
-+#include <$ac_header>
-+_ACEOF
-+rm -f conftest.$ac_objext
-+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-+  (eval $ac_compile) 2>conftest.er1
-+  ac_status=$?
-+  grep -v '^ *+' conftest.er1 >conftest.err
-+  rm -f conftest.er1
-+  cat conftest.err >&5
-+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-+  (exit $ac_status); } &&
-+	 { ac_try='test -z "$ac_c_werror_flag"
-+			 || test ! -s conftest.err'
-+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-+  (eval $ac_try) 2>&5
-+  ac_status=$?
-+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-+  (exit $ac_status); }; } &&
-+	 { ac_try='test -s conftest.$ac_objext'
-+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-+  (eval $ac_try) 2>&5
-+  ac_status=$?
-+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-+  (exit $ac_status); }; }; then
-+  ac_header_compiler=yes
-+else
-+  echo "$as_me: failed program was:" >&5
-+sed 's/^/| /' conftest.$ac_ext >&5
-+
-+ac_header_compiler=no
-+fi
-+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-+echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-+echo "${ECHO_T}$ac_header_compiler" >&6
-+
-+# Is the header present?
-+echo "$as_me:$LINENO: checking $ac_header presence" >&5
-+echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6
-+cat >conftest.$ac_ext <<_ACEOF
-+/* confdefs.h.  */
-+_ACEOF
-+cat confdefs.h >>conftest.$ac_ext
-+cat >>conftest.$ac_ext <<_ACEOF
-+/* end confdefs.h.  */
-+#include <$ac_header>
-+_ACEOF
-+if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
-+  (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
-+  ac_status=$?
-+  grep -v '^ *+' conftest.er1 >conftest.err
-+  rm -f conftest.er1
-+  cat conftest.err >&5
-+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-+  (exit $ac_status); } >/dev/null; then
-+  if test -s conftest.err; then
-+    ac_cpp_err=$ac_c_preproc_warn_flag
-+    ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
-+  else
-+    ac_cpp_err=
-+  fi
-+else
-+  ac_cpp_err=yes
-+fi
-+if test -z "$ac_cpp_err"; then
-+  ac_header_preproc=yes
-+else
-+  echo "$as_me: failed program was:" >&5
-+sed 's/^/| /' conftest.$ac_ext >&5
-+
-+  ac_header_preproc=no
-+fi
-+rm -f conftest.err conftest.$ac_ext
-+echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-+echo "${ECHO_T}$ac_header_preproc" >&6
-+
-+# So?  What about this header?
-+case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
-+  yes:no: )
-+    { echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
-+echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
-+    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5
-+echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;}
-+    ac_header_preproc=yes
-+    ;;
-+  no:yes:* )
-+    { echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
-+echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
-+    { echo "$as_me:$LINENO: WARNING: $ac_header:     check for missing prerequisite headers?" >&5
-+echo "$as_me: WARNING: $ac_header:     check for missing prerequisite headers?" >&2;}
-+    { echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5
-+echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;}
-+    { echo "$as_me:$LINENO: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&5
-+echo "$as_me: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&2;}
-+    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
-+echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
-+    { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
-+echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
-+    (
-+      cat <<\_ASBOX
-+## ------------------------------------------ ##
-+## Report this to the AC_PACKAGE_NAME lists.  ##
-+## ------------------------------------------ ##
-+_ASBOX
-+    ) |
-+      sed "s/^/$as_me: WARNING:     /" >&2
-+    ;;
-+esac
-+echo "$as_me:$LINENO: checking for $ac_header" >&5
-+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
-+if eval "test \"\${$as_ac_Header+set}\" = set"; then
-+  echo $ECHO_N "(cached) $ECHO_C" >&6
-+else
-+  eval "$as_ac_Header=\$ac_header_preproc"
-+fi
-+echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
-+echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
-+
-+fi
-+if test `eval echo '${'$as_ac_Header'}'` = yes; then
-+  cat >>confdefs.h <<_ACEOF
-+#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
-+_ACEOF
-+
-+fi
-+
-+done
-+
-+
-+for ac_func in setlocale
-+do
-+as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-+echo "$as_me:$LINENO: checking for $ac_func" >&5
-+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
-+if eval "test \"\${$as_ac_var+set}\" = set"; then
-+  echo $ECHO_N "(cached) $ECHO_C" >&6
-+else
-+  cat >conftest.$ac_ext <<_ACEOF
-+/* confdefs.h.  */
-+_ACEOF
-+cat confdefs.h >>conftest.$ac_ext
-+cat >>conftest.$ac_ext <<_ACEOF
-+/* end confdefs.h.  */
-+/* Define $ac_func to an innocuous variant, in case <limits.h> declares $ac_func.
-+   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
-+#define $ac_func innocuous_$ac_func
-+
-+/* System header to define __stub macros and hopefully few prototypes,
-+    which can conflict with char $ac_func (); below.
-+    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
-+    <limits.h> exists even on freestanding compilers.  */
-+
-+#ifdef __STDC__
-+# include <limits.h>
-+#else
-+# include <assert.h>
-+#endif
-+
-+#undef $ac_func
-+
-+/* Override any gcc2 internal prototype to avoid an error.  */
-+#ifdef __cplusplus
-+extern "C"
-+{
-+#endif
-+/* We use char because int might match the return type of a gcc2
-+   builtin and then its argument prototype would still apply.  */
-+char $ac_func ();
-+/* The GNU C library defines this for functions which it implements
-+    to always fail with ENOSYS.  Some functions are actually named
-+    something starting with __ and the normal name is an alias.  */
-+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
-+choke me
-+#else
-+char (*f) () = $ac_func;
-+#endif
-+#ifdef __cplusplus
-+}
-+#endif
-+
-+int
-+main ()
-+{
-+return f != $ac_func;
-+  ;
-+  return 0;
-+}
-+_ACEOF
-+rm -f conftest.$ac_objext conftest$ac_exeext
-+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-+  (eval $ac_link) 2>conftest.er1
-+  ac_status=$?
-+  grep -v '^ *+' conftest.er1 >conftest.err
-+  rm -f conftest.er1
-+  cat conftest.err >&5
-+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-+  (exit $ac_status); } &&
-+	 { ac_try='test -z "$ac_c_werror_flag"
-+			 || test ! -s conftest.err'
-+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-+  (eval $ac_try) 2>&5
-+  ac_status=$?
-+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-+  (exit $ac_status); }; } &&
-+	 { ac_try='test -s conftest$ac_exeext'
-+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-+  (eval $ac_try) 2>&5
-+  ac_status=$?
-+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-+  (exit $ac_status); }; }; then
-+  eval "$as_ac_var=yes"
-+else
-+  echo "$as_me: failed program was:" >&5
-+sed 's/^/| /' conftest.$ac_ext >&5
-+
-+eval "$as_ac_var=no"
-+fi
-+rm -f conftest.err conftest.$ac_objext \
-+      conftest$ac_exeext conftest.$ac_ext
-+fi
-+echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
-+echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
-+if test `eval echo '${'$as_ac_var'}'` = yes; then
-+  cat >>confdefs.h <<_ACEOF
-+#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
-+_ACEOF
-+
-+fi
-+done
-+
-+
-+#
- # Substitutions
- #
-@@ -26968,4 +27322,5 @@
- s,@XMLDCL@,$XMLDCL,;t t
- s,@DOCBOOK2MANSPEC@,$DOCBOOK2MANSPEC,;t t
-+s,@IDNLIBS@,$IDNLIBS,;t t
- s,@BIND9_TOP_BUILDDIR@,$BIND9_TOP_BUILDDIR,;t t
- s,@BIND9_ISC_BUILDINCLUDE@,$BIND9_ISC_BUILDINCLUDE,;t t
-Index: configure.in
-===================================================================
-RCS file: /proj/cvs/prod/bind9/configure.in,v
-retrieving revision 1.294.2.42
-diff -U2 -r1.294.2.42 configure.in
---- configure.in	9 Dec 2004 03:18:05 -0000	1.294.2.42
-+++ configure.in	13 Dec 2004 00:31:40 -0000
-@@ -1824,4 +1824,80 @@
- 
- #
-+# IDN support
-+#
-+AC_ARG_WITH(idn,
-+	[  --with-idn[=MPREFIX]   enable IDN support using idnkit [default PREFIX]],
-+	use_idn="$withval", use_idn="no")
-+case "$use_idn" in
-+yes)
-+	if test X$prefix = XNONE ; then
-+		idn_path=/usr/local
-+	else
-+		idn_path=$prefix
-+	fi
-+	;;
-+no)
-+	;;
-+*)
-+	idn_path="$use_idn"
-+	;;
-+esac
-+
-+iconvinc=
-+iconvlib=
-+AC_ARG_WITH(libiconv,
-+	[  --with-libiconv[=IPREFIX]   GNU libiconv are in IPREFIX [default PREFIX]],
-+	use_libiconv="$withval", use_libiconv="no")
-+case "$use_libiconv" in
-+yes)
-+	if test X$prefix = XNONE ; then
-+		iconvlib="-L/usr/local/lib -R/usr/local/lib -liconv"
-+	else
-+		iconvlib="-L$prefix/lib -R$prefix/lib -liconv"
-+	fi
-+	;;
-+no)
-+	iconvlib=
-+	;;
-+*)
-+	iconvlib="-L$use_libiconv/lib -R$use_libiconv/lib -liconv"
-+	;;
-+esac
-+
-+AC_ARG_WITH(iconv,
-+	[  --with-iconv[=LIBSPEC]   specify iconv library [default -liconv]],
-+	iconvlib="$withval")
-+case "$iconvlib" in
-+no)
-+	iconvlib=
-+	;;
-+yes)
-+	iconvlib=-liconv
-+	;;
-+esac
-+
-+AC_ARG_WITH(idnlib,
-+	[  --with-idnlib=ARG    specify libidnkit],
-+	idnlib="$withval", idnlib="no")
-+if test "$idnlib" = yes; then
-+	AC_MSG_ERROR([You must specify ARG for --with-idnlib.])
-+fi
-+
-+IDNLIBS=
-+if test "$use_idn" != no; then
-+	AC_DEFINE(WITH_IDN, 1, [define if idnkit support is to be included.])
-+	STD_CINCLUDES="$STD_CINCLUDES -I$idn_path/include"
-+	if test "$idnlib" != no; then
-+		IDNLIBS="$idnlib $iconvlib"
-+	else
-+		IDNLIBS="-L$idn_path/lib -lidnkit $iconvlib"
-+	fi
-+fi
-+AC_SUBST(IDNLIBS)
-+
-+AC_CHECK_HEADERS(locale.h)
-+AC_CHECK_FUNCS(setlocale)
-+
-+#
- # Substitutions
- #
-Index: config.h.in
-===================================================================
-RCS file: /proj/cvs/prod/bind9/config.h.in,v
-retrieving revision 1.47.2.11
-diff -U2 -r1.47.2.11 config.h.in
---- config.h.in	4 Dec 2004 06:45:59 -0000	1.47.2.11
-+++ config.h.in	13 Dec 2004 00:31:41 -0000
-@@ -17,5 +17,5 @@
-  */
- 
--/* $Id: config.h.in,v 1.47.2.11 2004/12/04 06:45:59 marka Exp $ */
-+/* $Id: acconfig.h,v 1.35.2.10 2004/12/04 06:44:36 marka Exp $ */
- 
- /***
-@@ -168,7 +168,13 @@
- #undef HAVE_LINUX_CAPABILITY_H
- 
-+/* Define to 1 if you have the <locale.h> header file. */
-+#undef HAVE_LOCALE_H
-+
- /* Define to 1 if you have the <memory.h> header file. */
- #undef HAVE_MEMORY_H
- 
-+/* Define to 1 if you have the `setlocale' function. */
-+#undef HAVE_SETLOCALE
-+
- /* Define to 1 if you have the <stdint.h> header file. */
- #undef HAVE_STDINT_H
-@@ -230,4 +236,7 @@
- /* Define to 1 if you can safely include both <sys/time.h> and <time.h>. */
- #undef TIME_WITH_SYS_TIME
-+
-+/* define if idnkit support is to be included. */
-+#undef WITH_IDN
- 
- /* Define to 1 if your processor stores words with the most significant byte
-Index: bin/dig/Makefile.in
-===================================================================
-RCS file: /proj/cvs/prod/bind9/bin/dig/Makefile.in,v
-retrieving revision 1.25.2.4
-diff -U2 -r1.25.2.4 Makefile.in
---- bin/dig/Makefile.in	18 Aug 2004 23:22:52 -0000	1.25.2.4
-+++ bin/dig/Makefile.in	13 Dec 2004 00:31:41 -0000
-@@ -37,5 +37,5 @@
- DEPLIBS =	${DNSDEPLIBS} ${ISCDEPLIBS}
- 
--LIBS =		${DNSLIBS} ${ISCLIBS} @LIBS@
-+LIBS =		${DNSLIBS} ${ISCLIBS} @IDNLIBS@ @LIBS@
- 
- SUBDIRS =
-Index: bin/dig/dig.1
-===================================================================
-RCS file: /proj/cvs/prod/bind9/bin/dig/dig.1,v
-retrieving revision 1.14.2.6
-diff -U2 -r1.14.2.6 dig.1
---- bin/dig/dig.1	26 Aug 2004 02:25:52 -0000	1.14.2.6
-+++ bin/dig/dig.1	13 Dec 2004 00:31:42 -0000
-@@ -355,4 +355,15 @@
- will not print the initial query when it looks up the NS records for
- isc.org.
-+.SH "IDN SUPPORT"
-+.PP
-+If \fBdig\fR has been built with IDN (internationalized
-+domain name) support, it can accept and display non-ASCII domain names.
-+\fBdig\fR appropriately converts character encoding of
-+domain name before sending a request to DNS server or displaying a
-+reply from the server.
-+If you'd like to turn off the IDN support for some reason, defines
-+the \fBIDN_DISABLE\fR environment variable.
-+The IDN support is disabled if the the variable is set when 
-+\fBdig\fR runs.
- .SH "FILES"
- .PP
-Index: bin/dig/dig.docbook
-===================================================================
-RCS file: /proj/cvs/prod/bind9/bin/dig/dig.docbook,v
-retrieving revision 1.4.2.9
-diff -U2 -r1.4.2.9 dig.docbook
---- bin/dig/dig.docbook	26 Aug 2004 01:33:50 -0000	1.4.2.9
-+++ bin/dig/dig.docbook	13 Dec 2004 00:31:43 -0000
-@@ -530,4 +530,19 @@
- 
- <refsect1>
-+<title>IDN SUPPORT</title>
-+<para>
-+If <command>dig</command> has been built with IDN (internationalized
-+domain name) support, it can accept and display non-ASCII domain names.
-+<command>dig</command> appropriately converts character encoding of
-+domain name before sending a request to DNS server or displaying a
-+reply from the server.
-+If you'd like to turn off the IDN support for some reason, defines
-+the <envar>IDN_DISABLE</envar> environment variable.
-+The IDN support is disabled if the the variable is set when 
-+<command>dig</command> runs.
-+</para>
-+</refsect1>
-+
-+<refsect1>
- <title>FILES</title>
- <para>
-Index: bin/dig/dighost.c
-===================================================================
-RCS file: /proj/cvs/prod/bind9/bin/dig/dighost.c,v
-retrieving revision 1.221.2.24
-diff -U2 -r1.221.2.24 dighost.c
---- bin/dig/dighost.c	16 Sep 2004 05:00:38 -0000	1.221.2.24
-+++ bin/dig/dighost.c	13 Dec 2004 00:31:49 -0000
-@@ -33,4 +33,15 @@
- #include <limits.h>
- 
-+#ifdef HAVE_LOCALE_H
-+#include <locale.h>
-+#endif
-+
-+#ifdef WITH_IDN
-+#include <idn/result.h>
-+#include <idn/log.h>
-+#include <idn/resconf.h>
-+#include <idn/api.h>
-+#endif
-+
- #include <dns/byaddr.h>
- #include <dns/fixedname.h>
-@@ -133,4 +144,16 @@
- dig_lookup_t *current_lookup = NULL;
- 
-+#ifdef WITH_IDN
-+static void	      initialize_idn(void);
-+static isc_result_t   output_filter(isc_buffer_t *buffer,
-+				    unsigned int used_org,
-+				    isc_boolean_t absolute);
-+static idn_result_t   append_textname(char *name, const char *origin,
-+				      size_t namesize);
-+static void	      idn_check_result(idn_result_t r, const char *msg);
-+
-+#define MAXDLEN               256
-+#endif
-+
- /*
-  * Apply and clear locks at the event level in global task.
-@@ -731,4 +754,8 @@
- 	}
- 
-+#ifdef WITH_IDN
-+	initialize_idn();
-+#endif
-+
- 	if (keyfile[0] != 0)
- 		setup_file_key();
-@@ -1252,4 +1279,12 @@
- 	dns_compress_t cctx;
- 	char store[MXNAME];
-+#ifdef WITH_IDN
-+	idn_result_t mr;
-+	char utf8_textname[MXNAME], utf8_origin[MXNAME], idn_textname[MXNAME];
-+#endif
-+
-+#ifdef WITH_IDN
-+	dns_name_settotextfilter(output_filter);
-+#endif
- 
- 	REQUIRE(lookup != NULL);
-@@ -1280,4 +1315,15 @@
- 			sizeof(lookup->onamespace));
- 
-+#ifdef WITH_IDN
-+	/*
-+	 * We cannot convert `textname' and `origin' separately.
-+	 * `textname' doesn't contain TLD, but local mapping needs
-+	 * TLD.
-+	 */
-+	mr = idn_encodename(IDN_LOCALCONV | IDN_DELIMMAP, lookup->textname,
-+			    utf8_textname, sizeof(utf8_textname));
-+	idn_check_result(mr, "convert textname to UTF-8");
-+#endif
-+
- 	/*
- 	 * If the name has too many dots, force the origin to be NULL
-@@ -1288,4 +1334,11 @@
- 	 */
- 	/* XXX New search here? */
-+#ifdef WITH_IDN
-+	if ((count_dots(utf8_textname) >= ndots) || !usesearch)
-+		lookup->origin = NULL; /* Force abs lookup */
-+	else if (lookup->origin == NULL && lookup->new_search && usesearch) {
-+		lookup->origin = ISC_LIST_HEAD(search_list);
-+	}
-+#else
- 	if ((count_dots(lookup->textname) >= ndots) || !usesearch)
- 		lookup->origin = NULL; /* Force abs lookup */
-@@ -1293,5 +1346,27 @@
- 		lookup->origin = ISC_LIST_HEAD(search_list);
- 	}
-+#endif
-+
-+#ifdef WITH_IDN
- 	if (lookup->origin != NULL) {
-+		mr = idn_encodename(IDN_LOCALCONV | IDN_DELIMMAP,
-+				    lookup->origin->origin, utf8_origin,
-+				    sizeof(utf8_origin));
-+		idn_check_result(mr, "convert origin to UTF-8");
-+		mr = append_textname(utf8_textname, utf8_origin,
-+				     sizeof(utf8_textname));
-+		idn_check_result(mr, "append origin to textname");
-+	}
-+	mr = idn_encodename(IDN_LOCALMAP | IDN_NAMEPREP | IDN_ASCCHECK |
-+			    IDN_IDNCONV | IDN_LENCHECK, utf8_textname,
-+			    idn_textname, sizeof(idn_textname));
-+	idn_check_result(mr, "convert UTF-8 textname to IDN encoding");
-+#endif
-+
-+#ifdef WITH_IDN
-+	if (0) {
-+#else
-+	if (lookup->origin != NULL) {
-+#endif
- 		debug("trying origin %s", lookup->origin->origin);
- 		result = dns_message_gettempname(lookup->sendmsg,
-@@ -1338,4 +1413,13 @@
- 			dns_name_clone(dns_rootname, lookup->name);
- 		else {
-+#ifdef WITH_IDN
-+			len = strlen(idn_textname);
-+			isc_buffer_init(&b, idn_textname, len);
-+			isc_buffer_add(&b, len);
-+			result = dns_name_fromtext(lookup->name, &b,
-+						   dns_rootname,
-+						   ISC_FALSE,
-+						   &lookup->namebuf);
-+#else
- 			len = strlen(lookup->textname);
- 			isc_buffer_init(&b, lookup->textname, len);
-@@ -1345,4 +1429,5 @@
- 						   ISC_FALSE,
- 						   &lookup->namebuf);
-+#endif
- 		}
- 		if (result != ISC_R_SUCCESS) {
-@@ -2860,2 +2945,100 @@
- 		isc_mem_destroy(&mctx);
- }
-+
-+#ifdef WITH_IDN
-+static void
-+initialize_idn(void) {
-+	idn_result_t r;
-+
-+#ifdef HAVE_SETLOCALE
-+	/* Set locale */
-+	(void)setlocale(LC_ALL, "");
-+#endif
-+	/* Create configuration context. */
-+	r = idn_nameinit(1);
-+	if (r != idn_success)
-+		fatal("idn api initialization failed: %s",
-+		      idn_result_tostring(r));
-+
-+	/* Set domain name -> text post-conversion filter. */
-+	dns_name_settotextfilter(output_filter);
-+}
-+
-+static isc_result_t
-+output_filter(isc_buffer_t *buffer, unsigned int used_org,
-+	      isc_boolean_t absolute)
-+{
-+	char tmp1[MAXDLEN], tmp2[MAXDLEN];
-+	size_t fromlen, tolen;
-+	isc_boolean_t end_with_dot;
-+
-+	/*
-+	 * Copy contents of 'buffer' to 'tmp1', supply trailing dot
-+	 * if 'absolute' is true, and terminate with NUL.
-+	 */
-+	fromlen = isc_buffer_usedlength(buffer) - used_org;
-+	if (fromlen >= MAXDLEN)
-+		return (ISC_R_SUCCESS);
-+	memcpy(tmp1, (char *)isc_buffer_base(buffer) + used_org, fromlen);
-+	end_with_dot = (tmp1[fromlen - 1] == '.') ? ISC_TRUE : ISC_FALSE;
-+	if (absolute && !end_with_dot) {
-+		fromlen++;
-+		if (fromlen >= MAXDLEN)
-+			return (ISC_R_SUCCESS);
-+		tmp1[fromlen - 1] = '.';
-+	}
-+	tmp1[fromlen] = '\0';
-+
-+	/*
-+	 * Convert contents of 'tmp1' to local encoding.
-+	 */
-+	if (idn_decodename(IDN_DECODE_APP, tmp1, tmp2, MAXDLEN) != idn_success)
-+		return (ISC_R_SUCCESS);
-+	strcpy(tmp1, tmp2);
-+
-+	/*
-+	 * Copy the converted contents in 'tmp1' back to 'buffer'.
-+	 * If we have appended trailing dot, remove it.
-+	 */
-+	tolen = strlen(tmp1);
-+	if (absolute && !end_with_dot && tmp1[tolen - 1] == '.')
-+		tolen--;
-+
-+	if (isc_buffer_length(buffer) < used_org + tolen)
-+		return (ISC_R_NOSPACE);
-+
-+	isc_buffer_subtract(buffer, isc_buffer_usedlength(buffer) - used_org);
-+	memcpy(isc_buffer_used(buffer), tmp1, tolen);
-+	isc_buffer_add(buffer, tolen);
-+
-+	return (ISC_R_SUCCESS);
-+}
-+
-+static idn_result_t
-+append_textname(char *name, const char *origin, size_t namesize) {
-+	size_t namelen = strlen(name);
-+	size_t originlen = strlen(origin);
-+
-+	/* Already absolute? */
-+	if (namelen > 0 && name[namelen - 1] == '.')
-+		return idn_success;
-+
-+	/* Append dot and origin */
-+
-+	if (namelen + 1 + originlen >= namesize)
-+		return idn_buffer_overflow;
-+
-+	name[namelen++] = '.';
-+	(void)strcpy(name + namelen, origin);
-+	return idn_success;
-+}
-+
-+static void
-+idn_check_result(idn_result_t r, const char *msg) {
-+	if (r != idn_success) {
-+		exitcode = 1;
-+		fatal("%s: %s", msg, idn_result_tostring(r));
-+	}
-+}
-+
-+#endif /* WITH_IDN */
-Index: bin/dig/host.1
-===================================================================
-RCS file: /proj/cvs/prod/bind9/bin/dig/host.1,v
-retrieving revision 1.11.2.2
-diff -U2 -r1.11.2.2 host.1
---- bin/dig/host.1	15 Mar 2004 04:44:38 -0000	1.11.2.2
-+++ bin/dig/host.1	13 Dec 2004 00:31:49 -0000
-@@ -122,4 +122,15 @@
- will be set to the number of seconds given by the hardware's maximum
- value for an integer quantity.
-+.SH "IDN SUPPORT"
-+.PP
-+If \fBhost\fR has been built with IDN (internationalized
-+domain name) support, it can accept and display non-ASCII domain names.
-+\fBhost\fR appropriately converts character encoding of
-+domain name before sending a request to DNS server or displaying a
-+reply from the server.
-+If you'd like to turn off the IDN support for some reason, defines
-+the \fBIDN_DISABLE\fR environment variable.
-+The IDN support is disabled if the the variable is set when
-+\fBhost\fR runs.
- .SH "FILES"
- .PP
-Index: bin/dig/host.docbook
-===================================================================
-RCS file: /proj/cvs/prod/bind9/bin/dig/host.docbook,v
-retrieving revision 1.2.2.3
-diff -U2 -r1.2.2.3 host.docbook
---- bin/dig/host.docbook	9 Mar 2004 06:09:13 -0000	1.2.2.3
-+++ bin/dig/host.docbook	13 Dec 2004 00:31:50 -0000
-@@ -182,4 +182,19 @@
- 
- <refsect1>
-+<title>IDN SUPPORT</title>
-+<para>
-+If <command>host</command> has been built with IDN (internationalized
-+domain name) support, it can accept and display non-ASCII domain names.
-+<command>host</command> appropriately converts character encoding of
-+domain name before sending a request to DNS server or displaying a
-+reply from the server.
-+If you'd like to turn off the IDN support for some reason, defines
-+the <envar>IDN_DISABLE</envar> environment variable.
-+The IDN support is disabled if the the variable is set when
-+<command>host</command> runs.
-+</para>
-+</refsect1>
-+
-+<refsect1>
- <title>FILES</title>
- <para>
-Index: lib/dns/name.c
-===================================================================
-RCS file: /proj/cvs/prod/bind9/lib/dns/name.c,v
-retrieving revision 1.127.2.10
-diff -U2 -r1.127.2.10 name.c
---- lib/dns/name.c	1 Sep 2004 05:22:51 -0000	1.127.2.10
-+++ lib/dns/name.c	13 Dec 2004 00:31:56 -0000
-@@ -199,4 +199,11 @@
- dns_fullname_hash(dns_name_t *name, isc_boolean_t case_sensitive);
- 
-+#ifdef WITH_IDN
-+/*
-+ * dns_name_t to text post-conversion procedure.
-+ */
-+static dns_name_totextfilter_t totext_filter_proc = NULL;
-+#endif
-+
- static void
- set_offsets(const dns_name_t *name, unsigned char *offsets,
-@@ -1715,4 +1722,7 @@
- 	isc_boolean_t saw_root = ISC_FALSE;
- 	char num[4];
-+#ifdef WITH_IDN
-+	unsigned int oused = target->used;
-+#endif
- 
- 	/*
-@@ -1892,4 +1902,8 @@
- 	isc_buffer_add(target, tlen - trem);
- 
-+#ifdef WITH_IDN
-+	if (totext_filter_proc != NULL)
-+		return ((*totext_filter_proc)(target, oused, saw_root));
-+#endif
- 	return (ISC_R_SUCCESS);
- }
-@@ -3356,2 +3370,8 @@
- }
- 
-+#ifdef WITH_IDN
-+void
-+dns_name_settotextfilter(dns_name_totextfilter_t proc) {
-+	totext_filter_proc = proc;
-+}
-+#endif
-Index: lib/dns/include/dns/name.h
-===================================================================
-RCS file: /proj/cvs/prod/bind9/lib/dns/include/dns/name.h,v
-retrieving revision 1.95.2.9
-diff -U2 -r1.95.2.9 name.h
---- lib/dns/include/dns/name.h	8 Sep 2004 00:34:23 -0000	1.95.2.9
-+++ lib/dns/include/dns/name.h	13 Dec 2004 00:31:58 -0000
-@@ -220,4 +220,15 @@
- #define DNS_NAME_MAXWIRE 255
- 
-+#ifdef WITH_IDN
-+/*
-+ * Text output filter procedure.
-+ * 'target' is the buffer to be converted.  The region to be converted
-+ * is from 'buffer'->base + 'used_org' to the end of the used region.
-+ */
-+typedef isc_result_t (*dns_name_totextfilter_t)(isc_buffer_t *target,
-+						unsigned int used_org,
-+						isc_boolean_t absolute);
-+#endif
-+
- /***
-  *** Initialization
-@@ -1264,4 +1275,12 @@
-  *
-  */
-+
-+#ifdef WITH_IDN
-+void
-+dns_name_settotextfilter(dns_name_totextfilter_t proc);
-+/*
-+ * Call 'proc' at the end of dns_name_totext.
-+ */
-+#endif /* WITH_IDN */
- 
- #define DNS_NAME_FORMATSIZE (DNS_NAME_MAXTEXT + 1)
diff --git a/contrib/idn/idnkit-1.0-src/patch/bind9/bind-9.2.6-patch b/contrib/idn/idnkit-1.0-src/patch/bind9/bind-9.2.6-patch
deleted file mode 100644
index eb724f37..00000000
--- a/contrib/idn/idnkit-1.0-src/patch/bind9/bind-9.2.6-patch
+++ /dev/null
@@ -1,1267 +0,0 @@
-IDN patch for bind-9.2.6
-========================
-
-
-This is a patch file for ISC BIND 9.2.6 to make it work with
-internationalized domain names.  With this patch you'll get IDN-aware
-dig/host/nslookup.
-
-To apply this patch, you should go to the top directory of the BIND
-distribution (where you see `README' file), then invoke `patch'
-command like this:
-
-	% patch -p0 < this-file
-
-Then follow the instructions described in `README.idnkit' to compile
-and install.
-
-
-Index: README.idnkit
---- /dev/null	Fri Nov  4 12:11:19 2005
-+++ README.idnkit	Fri Nov  4 12:09:57 2005
-@@ -0,0 +1,113 @@
-+
-+			BIND-9 IDN patch
-+
-+	       Japan Network Information Center (JPNIC)
-+
-+
-+* What is this patch for?
-+
-+This patch adds internationalized domain name (IDN) support to BIND-9.
-+You'll get internationalized version of dig/host/nslookup commands.
-+
-+    + internationalized dig/host/nslookup
-+	dig/host/nslookup accepts non-ASCII domain names in the local
-+	codeset (such as Shift JIS, Big5 or ISO8859-1) determined by
-+	the locale information.  The domain names are normalized and
-+	converted to the encoding on the DNS protocol, and sent to DNS
-+	servers.  The replies are converted back to the local codeset
-+	and displayed.
-+
-+
-+* Compilation & installation
-+
-+0. Prerequisite
-+
-+You have to build and install idnkit before building this patched version
-+of bind-9.
-+
-+1. Running configure script
-+
-+Run `configure' in the top directory.  See `README' for the
-+configuration options.
-+
-+This patch adds the following 4 options to `configure'.  You should
-+at least specify `--with-idn' option to enable IDN support.
-+
-+    --with-idn[=IDN_PREFIX]
-+	To enable IDN support, you have to specify `--with-idn' option.
-+	The argument IDN_PREFIX is the install prefix of idnkit.  If
-+	IDN_PREFIX is omitted, PREFIX (derived from `--prefix=PREFIX')
-+	is assumed.
-+
-+    --with-libiconv[=LIBICONV_PREFIX]
-+	Specify this option if idnkit you have installed links GNU
-+	libiconv.  The argument LIBICONV_PREFIX is install prefix of
-+	GNU libiconv.  If the argument is omitted, PREFIX (derived
-+	from `--prefix=PREFIX') is assumed.
-+
-+	`--with-libiconv' is shorthand option for GNU libiconv.
-+
-+	    --with-libiconv=/usr/local
-+
-+	This is equivalent to:
-+
-+	    --with-iconv='-L/usr/local/lib -R/usr/local/lib -liconv'
-+
-+	`--with-libiconv' assumes that your C compiler has `-R'
-+	option, and that the option adds the specified run-time path
-+	to an exacutable binary.  If `-R' option of your compiler has
-+	different meaning, or your compiler lacks the option, you
-+	should use `--with-iconv' option instead.  Binary command
-+	without run-time path information might be unexecutable.
-+	In that case, you would see an error message like:
-+
-+	    error in loading shared libraries: libiconv.so.2: cannot
-+	    open shared object file
-+
-+	If both `--with-libiconv' and `--with-iconv' options are
-+	specified, `--with-iconv' is prior to `--with-libiconv'.
-+
-+    --with-iconv=ICONV_LIBSPEC
-+	If your libc doens't provide iconv(), you need to specify the
-+	library containing iconv() with this option.  `ICONV_LIBSPEC'
-+	is the argument(s) to `cc' or `ld' to link the library, for
-+	example, `--with-iconv="-L/usr/local/lib -liconv"'.
-+	You don't need to specify the header file directory for "iconv.h"
-+	to the compiler, as it isn't included directly by bind-9 with
-+	this patch.
-+
-+    --with-idnlib=IDN_LIBSPEC
-+	With this option, you can explicitly specify the argument(s)
-+	to `cc' or `ld' to link the idnkit's library, `libidnkit'.  If
-+	this option is not specified, `-L${PREFIX}/lib -lidnkit' is
-+	assumed, where ${PREFIX} is the installation prefix specified
-+	with `--with-idn' option above.  You may need to use this
-+	option to specify extra argments, for example,
-+	`--with-idnlib="-L/usr/local/lib -R/usr/local/lib -lidnkit"'.
-+
-+Please consult `README' for other configuration options.
-+
-+Note that if you want to specify some extra header file directories,
-+you should use the environment variable STD_CINCLUDES instead of
-+CFLAGS, as described in README.
-+
-+2. Compilation and installation
-+
-+After running "configure", just do
-+
-+	make
-+	make install
-+
-+for compiling and installing.
-+
-+
-+* Contact information
-+
-+Please see http//www.nic.ad.jp/en/idn/ for the latest news
-+about idnkit and this patch.
-+
-+Bug reports and comments on this kit should be sent to
-+mdnkit-bugs@nic.ad.jp and idn-cmt@nic.ad.jp, respectively.
-+
-+
-+; $Id: bind-9.2.2-patch,v 1.1.1.1 2003/06/04 00:27:32 marka Exp $
-Index: configure
-===================================================================
-RCS file: /proj/cvs/prod/bind9/configure,v
-retrieving revision 1.284.2.49
-diff -U2 -r1.284.2.49 configure
---- configure	20 Oct 2005 23:54:44 -0000	1.284.2.49
-+++ configure	4 Nov 2005 01:17:07 -0000
-@@ -466,5 +466,5 @@
- #endif"
- 
--ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix program_transform_name bindir sbindir libexecdir datadir sysconfdir sharedstatedir localstatedir libdir includedir oldincludedir infodir mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T LIBS subdirs build build_cpu build_vendor build_os host host_cpu host_vendor host_os SET_MAKE RANLIB ac_ct_RANLIB INSTALL_PROGRAM INSTALL_SCRIPT INSTALL_DATA STD_CINCLUDES STD_CDEFINES STD_CWARNINGS CCOPT AR ARFLAGS LN ETAGS PERL CC CFLAGS LDFLAGS CPPFLAGS ac_ct_CC EXEEXT OBJEXT CPP EGREP ISC_SOCKADDR_LEN_T ISC_PLATFORM_HAVELONGLONG ISC_PLATFORM_NEEDSYSSELECTH LWRES_PLATFORM_NEEDSYSSELECTH DST_OPENSSL_INC DNS_OPENSSL_LIBS USE_OPENSSL USE_GSSAPI DST_GSSAPI_INC DNS_GSSAPI_LIBS ALWAYS_DEFINES ISC_PLATFORM_USETHREADS ISC_THREAD_DIR MKDEPCC MKDEPCFLAGS MKDEPPROG IRIX_DNSSEC_WARNINGS_HACK purify_path PURIFY LN_S ECHO ac_ct_AR STRIP ac_ct_STRIP CXX CXXFLAGS ac_ct_CXX CXXCPP F77 FFLAGS ac_ct_F77 LIBTOOL O A SA LIBTOOL_MKDEP_SED LIBTOOL_MODE_COMPILE LIBTOOL_MODE_INSTALL LIBTOOL_MODE_LINK LIBTOOL_ALLOW_UNDEFINED LIBTOOL_IN_MAIN LIBBIND ISC_PLATFORM_HAVEIPV6 LWRES_PLATFORM_HAVEIPV6 ISC_PLATFORM_NEEDNETINETIN6H LWRES_PLATFORM_NEEDNETINETIN6H ISC_PLATFORM_NEEDNETINET6IN6H LWRES_PLATFORM_NEEDNETINET6IN6H ISC_PLATFORM_HAVEINADDR6 LWRES_PLATFORM_HAVEINADDR6 ISC_PLATFORM_NEEDIN6ADDRANY LWRES_PLATFORM_NEEDIN6ADDRANY ISC_PLATFORM_NEEDIN6ADDRLOOPBACK LWRES_PLATFORM_NEEDIN6ADDRLOOPBACK ISC_PLATFORM_HAVEIN6PKTINFO ISC_PLATFORM_FIXIN6ISADDR ISC_IPV6_H ISC_IPV6_O ISC_ISCIPV6_O ISC_IPV6_C LWRES_HAVE_SIN6_SCOPE_ID ISC_PLATFORM_NEEDNTOP ISC_PLATFORM_NEEDPTON ISC_PLATFORM_NEEDATON ISC_PLATFORM_HAVESALEN LWRES_PLATFORM_HAVESALEN ISC_PLATFORM_MSGHDRFLAVOR ISC_PLATFORM_NEEDPORTT ISC_LWRES_NEEDADDRINFO ISC_LWRES_NEEDRRSETINFO ISC_LWRES_SETHOSTENTINT ISC_LWRES_ENDHOSTENTINT ISC_LWRES_GETNETBYADDRINADDR ISC_LWRES_SETNETENTINT ISC_LWRES_ENDNETENTINT ISC_LWRES_GETHOSTBYADDRVOID ISC_LWRES_NEEDHERRNO ISC_LWRES_GETIPNODEPROTO ISC_LWRES_GETADDRINFOPROTO ISC_LWRES_GETNAMEINFOPROTO ISC_PLATFORM_NEEDSTRSEP ISC_PLATFORM_NEEDVSNPRINTF LWRES_PLATFORM_NEEDVSNPRINTF ISC_EXTRA_OBJS ISC_EXTRA_SRCS ISC_PLATFORM_QUADFORMAT LWRES_PLATFORM_QUADFORMAT ISC_PLATFORM_RLIMITTYPE ISC_PLATFORM_USEDECLSPEC LWRES_PLATFORM_USEDECLSPEC ISC_PLATFORM_BRACEPTHREADONCEINIT LATEX PDFLATEX XSLTPROC XMLLINT XSLT_DOCBOOK_STYLE_HTML XSLT_DOCBOOK_STYLE_XHTML XSLT_DOCBOOK_STYLE_MAN XSLT_DOCBOOK_CHUNK_HTML XSLT_DOCBOOK_CHUNK_XHTML XSLT_DB2LATEX_STYLE XSLT_DB2LATEX_ADMONITIONS BIND9_TOP_BUILDDIR BIND9_ISC_BUILDINCLUDE BIND9_ISCCC_BUILDINCLUDE BIND9_ISCCFG_BUILDINCLUDE BIND9_DNS_BUILDINCLUDE BIND9_LWRES_BUILDINCLUDE BIND9_VERSION LIBOBJS LTLIBOBJS'
-+ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix program_transform_name bindir sbindir libexecdir datadir sysconfdir sharedstatedir localstatedir libdir includedir oldincludedir infodir mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T LIBS subdirs build build_cpu build_vendor build_os host host_cpu host_vendor host_os SET_MAKE RANLIB ac_ct_RANLIB INSTALL_PROGRAM INSTALL_SCRIPT INSTALL_DATA STD_CINCLUDES STD_CDEFINES STD_CWARNINGS CCOPT AR ARFLAGS LN ETAGS PERL CC CFLAGS LDFLAGS CPPFLAGS ac_ct_CC EXEEXT OBJEXT CPP EGREP ISC_SOCKADDR_LEN_T ISC_PLATFORM_HAVELONGLONG ISC_PLATFORM_NEEDSYSSELECTH LWRES_PLATFORM_NEEDSYSSELECTH DST_OPENSSL_INC DNS_OPENSSL_LIBS USE_OPENSSL USE_GSSAPI DST_GSSAPI_INC DNS_GSSAPI_LIBS ALWAYS_DEFINES ISC_PLATFORM_USETHREADS ISC_THREAD_DIR MKDEPCC MKDEPCFLAGS MKDEPPROG IRIX_DNSSEC_WARNINGS_HACK purify_path PURIFY LN_S ECHO ac_ct_AR STRIP ac_ct_STRIP CXX CXXFLAGS ac_ct_CXX CXXCPP F77 FFLAGS ac_ct_F77 LIBTOOL O A SA LIBTOOL_MKDEP_SED LIBTOOL_MODE_COMPILE LIBTOOL_MODE_INSTALL LIBTOOL_MODE_LINK LIBTOOL_ALLOW_UNDEFINED LIBTOOL_IN_MAIN LIBBIND ISC_PLATFORM_HAVEIPV6 LWRES_PLATFORM_HAVEIPV6 ISC_PLATFORM_NEEDNETINETIN6H LWRES_PLATFORM_NEEDNETINETIN6H ISC_PLATFORM_NEEDNETINET6IN6H LWRES_PLATFORM_NEEDNETINET6IN6H ISC_PLATFORM_HAVEINADDR6 LWRES_PLATFORM_HAVEINADDR6 ISC_PLATFORM_NEEDIN6ADDRANY LWRES_PLATFORM_NEEDIN6ADDRANY ISC_PLATFORM_NEEDIN6ADDRLOOPBACK LWRES_PLATFORM_NEEDIN6ADDRLOOPBACK ISC_PLATFORM_HAVEIN6PKTINFO ISC_PLATFORM_FIXIN6ISADDR ISC_IPV6_H ISC_IPV6_O ISC_ISCIPV6_O ISC_IPV6_C LWRES_HAVE_SIN6_SCOPE_ID ISC_PLATFORM_NEEDNTOP ISC_PLATFORM_NEEDPTON ISC_PLATFORM_NEEDATON ISC_PLATFORM_HAVESALEN LWRES_PLATFORM_HAVESALEN ISC_PLATFORM_MSGHDRFLAVOR ISC_PLATFORM_NEEDPORTT ISC_LWRES_NEEDADDRINFO ISC_LWRES_NEEDRRSETINFO ISC_LWRES_SETHOSTENTINT ISC_LWRES_ENDHOSTENTINT ISC_LWRES_GETNETBYADDRINADDR ISC_LWRES_SETNETENTINT ISC_LWRES_ENDNETENTINT ISC_LWRES_GETHOSTBYADDRVOID ISC_LWRES_NEEDHERRNO ISC_LWRES_GETIPNODEPROTO ISC_LWRES_GETADDRINFOPROTO ISC_LWRES_GETNAMEINFOPROTO ISC_PLATFORM_NEEDSTRSEP ISC_PLATFORM_NEEDVSNPRINTF LWRES_PLATFORM_NEEDVSNPRINTF ISC_EXTRA_OBJS ISC_EXTRA_SRCS ISC_PLATFORM_QUADFORMAT LWRES_PLATFORM_QUADFORMAT ISC_PLATFORM_RLIMITTYPE ISC_PLATFORM_USEDECLSPEC LWRES_PLATFORM_USEDECLSPEC ISC_PLATFORM_BRACEPTHREADONCEINIT LATEX PDFLATEX XSLTPROC XMLLINT XSLT_DOCBOOK_STYLE_HTML XSLT_DOCBOOK_STYLE_XHTML XSLT_DOCBOOK_STYLE_MAN XSLT_DOCBOOK_CHUNK_HTML XSLT_DOCBOOK_CHUNK_XHTML XSLT_DB2LATEX_STYLE XSLT_DB2LATEX_ADMONITIONS IDNLIBS BIND9_TOP_BUILDDIR BIND9_ISC_BUILDINCLUDE BIND9_ISCCC_BUILDINCLUDE BIND9_ISCCFG_BUILDINCLUDE BIND9_DNS_BUILDINCLUDE BIND9_LWRES_BUILDINCLUDE BIND9_VERSION LIBOBJS LTLIBOBJS'
- ac_subst_files='BIND9_INCLUDES BIND9_MAKE_RULES LIBISC_API LIBISCCC_API LIBISCCFG_API LIBDNS_API LIBLWRES_API'
- 
-@@ -1048,4 +1048,8 @@
-                           include additional configurations [automatic]
-   --with-kame=PATH	use Kame IPv6 default path /usr/local/v6
-+  --with-idn=MPREFIX   enable IDN support using idnkit default PREFIX
-+  --with-libiconv=IPREFIX   GNU libiconv are in IPREFIX default PREFIX
-+  --with-iconv=LIBSPEC   specify iconv library default -liconv
-+  --with-idnlib=ARG    specify libidnkit
- 
- Some influential environment variables:
-@@ -7971,5 +7975,5 @@
- *-*-irix6*)
-   # Find out which ABI we are using.
--  echo '#line 7973 "configure"' > conftest.$ac_ext
-+  echo '#line 7977 "configure"' > conftest.$ac_ext
-   if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-   (eval $ac_compile) 2>&5
-@@ -8968,5 +8972,5 @@
- 
- # Provide some information about the compiler.
--echo "$as_me:8970:" \
-+echo "$as_me:8974:" \
-      "checking for Fortran 77 compiler version" >&5
- ac_compiler=`set X $ac_compile; echo $2`
-@@ -10029,9 +10033,9 @@
-    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-    -e 's:$: $lt_compiler_flag:'`
--   (eval echo "\"\$as_me:10031: $lt_compile\"" >&5)
-+   (eval echo "\"\$as_me:10035: $lt_compile\"" >&5)
-    (eval "$lt_compile" 2>conftest.err)
-    ac_status=$?
-    cat conftest.err >&5
--   echo "$as_me:10035: \$? = $ac_status" >&5
-+   echo "$as_me:10039: \$? = $ac_status" >&5
-    if (exit $ac_status) && test -s "$ac_outfile"; then
-      # The compiler can only warn and ignore the option if not recognized
-@@ -10272,9 +10276,9 @@
-    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-    -e 's:$: $lt_compiler_flag:'`
--   (eval echo "\"\$as_me:10274: $lt_compile\"" >&5)
-+   (eval echo "\"\$as_me:10278: $lt_compile\"" >&5)
-    (eval "$lt_compile" 2>conftest.err)
-    ac_status=$?
-    cat conftest.err >&5
--   echo "$as_me:10278: \$? = $ac_status" >&5
-+   echo "$as_me:10282: \$? = $ac_status" >&5
-    if (exit $ac_status) && test -s "$ac_outfile"; then
-      # The compiler can only warn and ignore the option if not recognized
-@@ -10332,9 +10336,9 @@
-    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-    -e 's:$: $lt_compiler_flag:'`
--   (eval echo "\"\$as_me:10334: $lt_compile\"" >&5)
-+   (eval echo "\"\$as_me:10338: $lt_compile\"" >&5)
-    (eval "$lt_compile" 2>out/conftest.err)
-    ac_status=$?
-    cat out/conftest.err >&5
--   echo "$as_me:10338: \$? = $ac_status" >&5
-+   echo "$as_me:10342: \$? = $ac_status" >&5
-    if (exit $ac_status) && test -s out/conftest2.$ac_objext
-    then
-@@ -12517,5 +12521,5 @@
-   lt_status=$lt_dlunknown
-   cat > conftest.$ac_ext <<EOF
--#line 12519 "configure"
-+#line 12523 "configure"
- #include "confdefs.h"
- 
-@@ -12615,5 +12619,5 @@
-   lt_status=$lt_dlunknown
-   cat > conftest.$ac_ext <<EOF
--#line 12617 "configure"
-+#line 12621 "configure"
- #include "confdefs.h"
- 
-@@ -14812,9 +14816,9 @@
-    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-    -e 's:$: $lt_compiler_flag:'`
--   (eval echo "\"\$as_me:14814: $lt_compile\"" >&5)
-+   (eval echo "\"\$as_me:14818: $lt_compile\"" >&5)
-    (eval "$lt_compile" 2>conftest.err)
-    ac_status=$?
-    cat conftest.err >&5
--   echo "$as_me:14818: \$? = $ac_status" >&5
-+   echo "$as_me:14822: \$? = $ac_status" >&5
-    if (exit $ac_status) && test -s "$ac_outfile"; then
-      # The compiler can only warn and ignore the option if not recognized
-@@ -14872,9 +14876,9 @@
-    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-    -e 's:$: $lt_compiler_flag:'`
--   (eval echo "\"\$as_me:14874: $lt_compile\"" >&5)
-+   (eval echo "\"\$as_me:14878: $lt_compile\"" >&5)
-    (eval "$lt_compile" 2>out/conftest.err)
-    ac_status=$?
-    cat out/conftest.err >&5
--   echo "$as_me:14878: \$? = $ac_status" >&5
-+   echo "$as_me:14882: \$? = $ac_status" >&5
-    if (exit $ac_status) && test -s out/conftest2.$ac_objext
-    then
-@@ -16233,5 +16237,5 @@
-   lt_status=$lt_dlunknown
-   cat > conftest.$ac_ext <<EOF
--#line 16235 "configure"
-+#line 16239 "configure"
- #include "confdefs.h"
- 
-@@ -16331,5 +16335,5 @@
-   lt_status=$lt_dlunknown
-   cat > conftest.$ac_ext <<EOF
--#line 16333 "configure"
-+#line 16337 "configure"
- #include "confdefs.h"
- 
-@@ -17168,9 +17172,9 @@
-    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-    -e 's:$: $lt_compiler_flag:'`
--   (eval echo "\"\$as_me:17170: $lt_compile\"" >&5)
-+   (eval echo "\"\$as_me:17174: $lt_compile\"" >&5)
-    (eval "$lt_compile" 2>conftest.err)
-    ac_status=$?
-    cat conftest.err >&5
--   echo "$as_me:17174: \$? = $ac_status" >&5
-+   echo "$as_me:17178: \$? = $ac_status" >&5
-    if (exit $ac_status) && test -s "$ac_outfile"; then
-      # The compiler can only warn and ignore the option if not recognized
-@@ -17228,9 +17232,9 @@
-    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-    -e 's:$: $lt_compiler_flag:'`
--   (eval echo "\"\$as_me:17230: $lt_compile\"" >&5)
-+   (eval echo "\"\$as_me:17234: $lt_compile\"" >&5)
-    (eval "$lt_compile" 2>out/conftest.err)
-    ac_status=$?
-    cat out/conftest.err >&5
--   echo "$as_me:17234: \$? = $ac_status" >&5
-+   echo "$as_me:17238: \$? = $ac_status" >&5
-    if (exit $ac_status) && test -s out/conftest2.$ac_objext
-    then
-@@ -19267,9 +19271,9 @@
-    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-    -e 's:$: $lt_compiler_flag:'`
--   (eval echo "\"\$as_me:19269: $lt_compile\"" >&5)
-+   (eval echo "\"\$as_me:19273: $lt_compile\"" >&5)
-    (eval "$lt_compile" 2>conftest.err)
-    ac_status=$?
-    cat conftest.err >&5
--   echo "$as_me:19273: \$? = $ac_status" >&5
-+   echo "$as_me:19277: \$? = $ac_status" >&5
-    if (exit $ac_status) && test -s "$ac_outfile"; then
-      # The compiler can only warn and ignore the option if not recognized
-@@ -19510,9 +19514,9 @@
-    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-    -e 's:$: $lt_compiler_flag:'`
--   (eval echo "\"\$as_me:19512: $lt_compile\"" >&5)
-+   (eval echo "\"\$as_me:19516: $lt_compile\"" >&5)
-    (eval "$lt_compile" 2>conftest.err)
-    ac_status=$?
-    cat conftest.err >&5
--   echo "$as_me:19516: \$? = $ac_status" >&5
-+   echo "$as_me:19520: \$? = $ac_status" >&5
-    if (exit $ac_status) && test -s "$ac_outfile"; then
-      # The compiler can only warn and ignore the option if not recognized
-@@ -19570,9 +19574,9 @@
-    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-    -e 's:$: $lt_compiler_flag:'`
--   (eval echo "\"\$as_me:19572: $lt_compile\"" >&5)
-+   (eval echo "\"\$as_me:19576: $lt_compile\"" >&5)
-    (eval "$lt_compile" 2>out/conftest.err)
-    ac_status=$?
-    cat out/conftest.err >&5
--   echo "$as_me:19576: \$? = $ac_status" >&5
-+   echo "$as_me:19580: \$? = $ac_status" >&5
-    if (exit $ac_status) && test -s out/conftest2.$ac_objext
-    then
-@@ -21755,5 +21759,5 @@
-   lt_status=$lt_dlunknown
-   cat > conftest.$ac_ext <<EOF
--#line 21757 "configure"
-+#line 21761 "configure"
- #include "confdefs.h"
- 
-@@ -21853,5 +21857,5 @@
-   lt_status=$lt_dlunknown
-   cat > conftest.$ac_ext <<EOF
--#line 21855 "configure"
-+#line 21859 "configure"
- #include "confdefs.h"
- 
-@@ -26301,4 +26305,354 @@
- 
- #
-+# IDN support
-+#
-+
-+# Check whether --with-idn or --without-idn was given.
-+if test "${with_idn+set}" = set; then
-+  withval="$with_idn"
-+  use_idn="$withval"
-+else
-+  use_idn="no"
-+fi;
-+case "$use_idn" in
-+yes)
-+	if test X$prefix = XNONE ; then
-+		idn_path=/usr/local
-+	else
-+		idn_path=$prefix
-+	fi
-+	;;
-+no)
-+	;;
-+*)
-+	idn_path="$use_idn"
-+	;;
-+esac
-+
-+iconvinc=
-+iconvlib=
-+
-+# Check whether --with-libiconv or --without-libiconv was given.
-+if test "${with_libiconv+set}" = set; then
-+  withval="$with_libiconv"
-+  use_libiconv="$withval"
-+else
-+  use_libiconv="no"
-+fi;
-+case "$use_libiconv" in
-+yes)
-+	if test X$prefix = XNONE ; then
-+		iconvlib="-L/usr/local/lib -R/usr/local/lib -liconv"
-+	else
-+		iconvlib="-L$prefix/lib -R$prefix/lib -liconv"
-+	fi
-+	;;
-+no)
-+	iconvlib=
-+	;;
-+*)
-+	iconvlib="-L$use_libiconv/lib -R$use_libiconv/lib -liconv"
-+	;;
-+esac
-+
-+
-+# Check whether --with-iconv or --without-iconv was given.
-+if test "${with_iconv+set}" = set; then
-+  withval="$with_iconv"
-+  iconvlib="$withval"
-+fi;
-+case "$iconvlib" in
-+no)
-+	iconvlib=
-+	;;
-+yes)
-+	iconvlib=-liconv
-+	;;
-+esac
-+
-+
-+# Check whether --with-idnlib or --without-idnlib was given.
-+if test "${with_idnlib+set}" = set; then
-+  withval="$with_idnlib"
-+  idnlib="$withval"
-+else
-+  idnlib="no"
-+fi;
-+if test "$idnlib" = yes; then
-+	{ { echo "$as_me:$LINENO: error: You must specify ARG for --with-idnlib." >&5
-+echo "$as_me: error: You must specify ARG for --with-idnlib." >&2;}
-+   { (exit 1); exit 1; }; }
-+fi
-+
-+IDNLIBS=
-+if test "$use_idn" != no; then
-+
-+cat >>confdefs.h <<\_ACEOF
-+#define WITH_IDN 1
-+_ACEOF
-+
-+	STD_CINCLUDES="$STD_CINCLUDES -I$idn_path/include"
-+	if test "$idnlib" != no; then
-+		IDNLIBS="$idnlib $iconvlib"
-+	else
-+		IDNLIBS="-L$idn_path/lib -lidnkit $iconvlib"
-+	fi
-+fi
-+
-+
-+
-+for ac_header in locale.h
-+do
-+as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
-+if eval "test \"\${$as_ac_Header+set}\" = set"; then
-+  echo "$as_me:$LINENO: checking for $ac_header" >&5
-+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
-+if eval "test \"\${$as_ac_Header+set}\" = set"; then
-+  echo $ECHO_N "(cached) $ECHO_C" >&6
-+fi
-+echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
-+echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
-+else
-+  # Is the header compilable?
-+echo "$as_me:$LINENO: checking $ac_header usability" >&5
-+echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6
-+cat >conftest.$ac_ext <<_ACEOF
-+/* confdefs.h.  */
-+_ACEOF
-+cat confdefs.h >>conftest.$ac_ext
-+cat >>conftest.$ac_ext <<_ACEOF
-+/* end confdefs.h.  */
-+$ac_includes_default
-+#include <$ac_header>
-+_ACEOF
-+rm -f conftest.$ac_objext
-+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-+  (eval $ac_compile) 2>conftest.er1
-+  ac_status=$?
-+  grep -v '^ *+' conftest.er1 >conftest.err
-+  rm -f conftest.er1
-+  cat conftest.err >&5
-+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-+  (exit $ac_status); } &&
-+	 { ac_try='test -z "$ac_c_werror_flag"
-+			 || test ! -s conftest.err'
-+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-+  (eval $ac_try) 2>&5
-+  ac_status=$?
-+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-+  (exit $ac_status); }; } &&
-+	 { ac_try='test -s conftest.$ac_objext'
-+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-+  (eval $ac_try) 2>&5
-+  ac_status=$?
-+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-+  (exit $ac_status); }; }; then
-+  ac_header_compiler=yes
-+else
-+  echo "$as_me: failed program was:" >&5
-+sed 's/^/| /' conftest.$ac_ext >&5
-+
-+ac_header_compiler=no
-+fi
-+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-+echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-+echo "${ECHO_T}$ac_header_compiler" >&6
-+
-+# Is the header present?
-+echo "$as_me:$LINENO: checking $ac_header presence" >&5
-+echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6
-+cat >conftest.$ac_ext <<_ACEOF
-+/* confdefs.h.  */
-+_ACEOF
-+cat confdefs.h >>conftest.$ac_ext
-+cat >>conftest.$ac_ext <<_ACEOF
-+/* end confdefs.h.  */
-+#include <$ac_header>
-+_ACEOF
-+if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
-+  (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
-+  ac_status=$?
-+  grep -v '^ *+' conftest.er1 >conftest.err
-+  rm -f conftest.er1
-+  cat conftest.err >&5
-+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-+  (exit $ac_status); } >/dev/null; then
-+  if test -s conftest.err; then
-+    ac_cpp_err=$ac_c_preproc_warn_flag
-+    ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
-+  else
-+    ac_cpp_err=
-+  fi
-+else
-+  ac_cpp_err=yes
-+fi
-+if test -z "$ac_cpp_err"; then
-+  ac_header_preproc=yes
-+else
-+  echo "$as_me: failed program was:" >&5
-+sed 's/^/| /' conftest.$ac_ext >&5
-+
-+  ac_header_preproc=no
-+fi
-+rm -f conftest.err conftest.$ac_ext
-+echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-+echo "${ECHO_T}$ac_header_preproc" >&6
-+
-+# So?  What about this header?
-+case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
-+  yes:no: )
-+    { echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
-+echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
-+    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5
-+echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;}
-+    ac_header_preproc=yes
-+    ;;
-+  no:yes:* )
-+    { echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
-+echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
-+    { echo "$as_me:$LINENO: WARNING: $ac_header:     check for missing prerequisite headers?" >&5
-+echo "$as_me: WARNING: $ac_header:     check for missing prerequisite headers?" >&2;}
-+    { echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5
-+echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;}
-+    { echo "$as_me:$LINENO: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&5
-+echo "$as_me: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&2;}
-+    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
-+echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
-+    { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
-+echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
-+    (
-+      cat <<\_ASBOX
-+## ------------------------------------------ ##
-+## Report this to the AC_PACKAGE_NAME lists.  ##
-+## ------------------------------------------ ##
-+_ASBOX
-+    ) |
-+      sed "s/^/$as_me: WARNING:     /" >&2
-+    ;;
-+esac
-+echo "$as_me:$LINENO: checking for $ac_header" >&5
-+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
-+if eval "test \"\${$as_ac_Header+set}\" = set"; then
-+  echo $ECHO_N "(cached) $ECHO_C" >&6
-+else
-+  eval "$as_ac_Header=\$ac_header_preproc"
-+fi
-+echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
-+echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
-+
-+fi
-+if test `eval echo '${'$as_ac_Header'}'` = yes; then
-+  cat >>confdefs.h <<_ACEOF
-+#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
-+_ACEOF
-+
-+fi
-+
-+done
-+
-+
-+for ac_func in setlocale
-+do
-+as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-+echo "$as_me:$LINENO: checking for $ac_func" >&5
-+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
-+if eval "test \"\${$as_ac_var+set}\" = set"; then
-+  echo $ECHO_N "(cached) $ECHO_C" >&6
-+else
-+  cat >conftest.$ac_ext <<_ACEOF
-+/* confdefs.h.  */
-+_ACEOF
-+cat confdefs.h >>conftest.$ac_ext
-+cat >>conftest.$ac_ext <<_ACEOF
-+/* end confdefs.h.  */
-+/* Define $ac_func to an innocuous variant, in case <limits.h> declares $ac_func.
-+   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
-+#define $ac_func innocuous_$ac_func
-+
-+/* System header to define __stub macros and hopefully few prototypes,
-+    which can conflict with char $ac_func (); below.
-+    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
-+    <limits.h> exists even on freestanding compilers.  */
-+
-+#ifdef __STDC__
-+# include <limits.h>
-+#else
-+# include <assert.h>
-+#endif
-+
-+#undef $ac_func
-+
-+/* Override any gcc2 internal prototype to avoid an error.  */
-+#ifdef __cplusplus
-+extern "C"
-+{
-+#endif
-+/* We use char because int might match the return type of a gcc2
-+   builtin and then its argument prototype would still apply.  */
-+char $ac_func ();
-+/* The GNU C library defines this for functions which it implements
-+    to always fail with ENOSYS.  Some functions are actually named
-+    something starting with __ and the normal name is an alias.  */
-+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
-+choke me
-+#else
-+char (*f) () = $ac_func;
-+#endif
-+#ifdef __cplusplus
-+}
-+#endif
-+
-+int
-+main ()
-+{
-+return f != $ac_func;
-+  ;
-+  return 0;
-+}
-+_ACEOF
-+rm -f conftest.$ac_objext conftest$ac_exeext
-+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-+  (eval $ac_link) 2>conftest.er1
-+  ac_status=$?
-+  grep -v '^ *+' conftest.er1 >conftest.err
-+  rm -f conftest.er1
-+  cat conftest.err >&5
-+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-+  (exit $ac_status); } &&
-+	 { ac_try='test -z "$ac_c_werror_flag"
-+			 || test ! -s conftest.err'
-+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-+  (eval $ac_try) 2>&5
-+  ac_status=$?
-+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-+  (exit $ac_status); }; } &&
-+	 { ac_try='test -s conftest$ac_exeext'
-+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-+  (eval $ac_try) 2>&5
-+  ac_status=$?
-+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-+  (exit $ac_status); }; }; then
-+  eval "$as_ac_var=yes"
-+else
-+  echo "$as_me: failed program was:" >&5
-+sed 's/^/| /' conftest.$ac_ext >&5
-+
-+eval "$as_ac_var=no"
-+fi
-+rm -f conftest.err conftest.$ac_objext \
-+      conftest$ac_exeext conftest.$ac_ext
-+fi
-+echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
-+echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
-+if test `eval echo '${'$as_ac_var'}'` = yes; then
-+  cat >>confdefs.h <<_ACEOF
-+#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
-+_ACEOF
-+
-+fi
-+done
-+
-+
-+#
- # Substitutions
- #
-@@ -27169,4 +27523,5 @@
- s,@XSLT_DB2LATEX_STYLE@,$XSLT_DB2LATEX_STYLE,;t t
- s,@XSLT_DB2LATEX_ADMONITIONS@,$XSLT_DB2LATEX_ADMONITIONS,;t t
-+s,@IDNLIBS@,$IDNLIBS,;t t
- s,@BIND9_TOP_BUILDDIR@,$BIND9_TOP_BUILDDIR,;t t
- s,@BIND9_ISC_BUILDINCLUDE@,$BIND9_ISC_BUILDINCLUDE,;t t
-Index: configure.in
-===================================================================
-RCS file: /proj/cvs/prod/bind9/configure.in,v
-retrieving revision 1.294.2.53
-diff -U2 -r1.294.2.53 configure.in
---- configure.in	20 Oct 2005 23:47:22 -0000	1.294.2.53
-+++ configure.in	4 Nov 2005 01:17:13 -0000
-@@ -1738,4 +1738,80 @@
- 
- #
-+# IDN support
-+#
-+AC_ARG_WITH(idn,
-+	[  --with-idn[=MPREFIX]   enable IDN support using idnkit [default PREFIX]],
-+	use_idn="$withval", use_idn="no")
-+case "$use_idn" in
-+yes)
-+	if test X$prefix = XNONE ; then
-+		idn_path=/usr/local
-+	else
-+		idn_path=$prefix
-+	fi
-+	;;
-+no)
-+	;;
-+*)
-+	idn_path="$use_idn"
-+	;;
-+esac
-+
-+iconvinc=
-+iconvlib=
-+AC_ARG_WITH(libiconv,
-+	[  --with-libiconv[=IPREFIX]   GNU libiconv are in IPREFIX [default PREFIX]],
-+	use_libiconv="$withval", use_libiconv="no")
-+case "$use_libiconv" in
-+yes)
-+	if test X$prefix = XNONE ; then
-+		iconvlib="-L/usr/local/lib -R/usr/local/lib -liconv"
-+	else
-+		iconvlib="-L$prefix/lib -R$prefix/lib -liconv"
-+	fi
-+	;;
-+no)
-+	iconvlib=
-+	;;
-+*)
-+	iconvlib="-L$use_libiconv/lib -R$use_libiconv/lib -liconv"
-+	;;
-+esac
-+
-+AC_ARG_WITH(iconv,
-+	[  --with-iconv[=LIBSPEC]   specify iconv library [default -liconv]],
-+	iconvlib="$withval")
-+case "$iconvlib" in
-+no)
-+	iconvlib=
-+	;;
-+yes)
-+	iconvlib=-liconv
-+	;;
-+esac
-+
-+AC_ARG_WITH(idnlib,
-+	[  --with-idnlib=ARG    specify libidnkit],
-+	idnlib="$withval", idnlib="no")
-+if test "$idnlib" = yes; then
-+	AC_MSG_ERROR([You must specify ARG for --with-idnlib.])
-+fi
-+
-+IDNLIBS=
-+if test "$use_idn" != no; then
-+	AC_DEFINE(WITH_IDN, 1, [define if idnkit support is to be included.])
-+	STD_CINCLUDES="$STD_CINCLUDES -I$idn_path/include"
-+	if test "$idnlib" != no; then
-+		IDNLIBS="$idnlib $iconvlib"
-+	else
-+		IDNLIBS="-L$idn_path/lib -lidnkit $iconvlib"
-+	fi
-+fi
-+AC_SUBST(IDNLIBS)
-+
-+AC_CHECK_HEADERS(locale.h)
-+AC_CHECK_FUNCS(setlocale)
-+
-+#
- # Substitutions
- #
-Index: config.h.in
-===================================================================
-RCS file: /proj/cvs/prod/bind9/config.h.in,v
-retrieving revision 1.47.2.17
-diff -U2 -r1.47.2.17 config.h.in
---- config.h.in	20 Oct 2005 23:54:43 -0000	1.47.2.17
-+++ config.h.in	4 Nov 2005 01:17:15 -0000
-@@ -17,5 +17,5 @@
-  */
- 
--/* $Id: config.h.in,v 1.47.2.17 2005/10/20 23:54:43 marka Exp $ */
-+/* $Id: acconfig.h,v 1.35.2.10 2004/12/04 06:44:36 marka Exp $ */
- 
- /***
-@@ -168,7 +168,13 @@
- #undef HAVE_LINUX_CAPABILITY_H
- 
-+/* Define to 1 if you have the <locale.h> header file. */
-+#undef HAVE_LOCALE_H
-+
- /* Define to 1 if you have the <memory.h> header file. */
- #undef HAVE_MEMORY_H
- 
-+/* Define to 1 if you have the `setlocale' function. */
-+#undef HAVE_SETLOCALE
-+
- /* Define to 1 if you have the <stdint.h> header file. */
- #undef HAVE_STDINT_H
-@@ -239,4 +245,7 @@
- #undef USE_FIONBIO_IOCTL
- 
-+/* define if idnkit support is to be included. */
-+#undef WITH_IDN
-+
- /* Define to 1 if your processor stores words with the most significant byte
-    first (like Motorola and SPARC, unlike Intel and VAX). */
-Index: bin/dig/Makefile.in
-===================================================================
-RCS file: /proj/cvs/prod/bind9/bin/dig/Makefile.in,v
-retrieving revision 1.25.2.4
-diff -U2 -r1.25.2.4 Makefile.in
---- bin/dig/Makefile.in	18 Aug 2004 23:22:52 -0000	1.25.2.4
-+++ bin/dig/Makefile.in	4 Nov 2005 01:17:16 -0000
-@@ -37,5 +37,5 @@
- DEPLIBS =	${DNSDEPLIBS} ${ISCDEPLIBS}
- 
--LIBS =		${DNSLIBS} ${ISCLIBS} @LIBS@
-+LIBS =		${DNSLIBS} ${ISCLIBS} @IDNLIBS@ @LIBS@
- 
- SUBDIRS =
-Index: bin/dig/dig.1
-===================================================================
-RCS file: /proj/cvs/prod/bind9/bin/dig/dig.1,v
-retrieving revision 1.14.2.9
-diff -U2 -r1.14.2.9 dig.1
---- bin/dig/dig.1	13 Oct 2005 02:23:26 -0000	1.14.2.9
-+++ bin/dig/dig.1	4 Nov 2005 01:17:17 -0000
-@@ -14,5 +14,5 @@
- .\" PERFORMANCE OF THIS SOFTWARE.
- .\"
--.\" $Id: dig.1,v 1.14.2.9 2005/10/13 02:23:26 marka Exp $
-+.\" $Id$
- .\"
- .hy 0
-@@ -364,4 +364,15 @@
- will not print the initial query when it looks up the NS records for
- isc.org.
-+.SH "IDN SUPPORT"
-+.PP
-+If
-+\fBdig\fR
-+has been built with IDN (internationalized domain name) support, it can accept and display non\-ASCII domain names.
-+\fBdig\fR
-+appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server. If you'd like to turn off the IDN support for some reason, defines the
-+\fBIDN_DISABLE\fR
-+environment variable. The IDN support is disabled if the the variable is set when
-+\fBdig\fR
-+runs.
- .SH "FILES"
- .PP
-Index: bin/dig/dig.docbook
-===================================================================
-RCS file: /proj/cvs/prod/bind9/bin/dig/dig.docbook,v
-retrieving revision 1.4.2.11
-diff -U2 -r1.4.2.11 dig.docbook
---- bin/dig/dig.docbook	12 May 2005 21:35:06 -0000	1.4.2.11
-+++ bin/dig/dig.docbook	4 Nov 2005 01:17:19 -0000
-@@ -547,4 +547,19 @@
- 
- <refsect1>
-+<title>IDN SUPPORT</title>
-+<para>
-+If <command>dig</command> has been built with IDN (internationalized
-+domain name) support, it can accept and display non-ASCII domain names.
-+<command>dig</command> appropriately converts character encoding of
-+domain name before sending a request to DNS server or displaying a
-+reply from the server.
-+If you'd like to turn off the IDN support for some reason, defines
-+the <envar>IDN_DISABLE</envar> environment variable.
-+The IDN support is disabled if the the variable is set when
-+<command>dig</command> runs.
-+</para>
-+</refsect1>
-+
-+<refsect1>
- <title>FILES</title>
- <para>
-Index: bin/dig/dighost.c
-===================================================================
-RCS file: /proj/cvs/prod/bind9/bin/dig/dighost.c,v
-retrieving revision 1.221.2.29
-diff -U2 -r1.221.2.29 dighost.c
---- bin/dig/dighost.c	14 Oct 2005 01:37:48 -0000	1.221.2.29
-+++ bin/dig/dighost.c	4 Nov 2005 01:17:29 -0000
-@@ -33,4 +33,15 @@
- #include <limits.h>
- 
-+#ifdef HAVE_LOCALE_H
-+#include <locale.h>
-+#endif
-+
-+#ifdef WITH_IDN
-+#include <idn/result.h>
-+#include <idn/log.h>
-+#include <idn/resconf.h>
-+#include <idn/api.h>
-+#endif
-+
- #include <dns/byaddr.h>
- #include <dns/fixedname.h>
-@@ -134,4 +145,16 @@
- dig_lookup_t *current_lookup = NULL;
- 
-+#ifdef WITH_IDN
-+static void	      initialize_idn(void);
-+static isc_result_t   output_filter(isc_buffer_t *buffer,
-+				    unsigned int used_org,
-+				    isc_boolean_t absolute);
-+static idn_result_t   append_textname(char *name, const char *origin,
-+				      size_t namesize);
-+static void	      idn_check_result(idn_result_t r, const char *msg);
-+
-+#define MAXDLEN               256
-+#endif
-+
- /*
-  * Apply and clear locks at the event level in global task.
-@@ -732,4 +755,8 @@
- 	}
- 
-+#ifdef WITH_IDN
-+	initialize_idn();
-+#endif
-+
- 	if (keyfile[0] != 0)
- 		setup_file_key();
-@@ -1255,4 +1282,12 @@
- 	dns_compress_t cctx;
- 	char store[MXNAME];
-+#ifdef WITH_IDN
-+	idn_result_t mr;
-+	char utf8_textname[MXNAME], utf8_origin[MXNAME], idn_textname[MXNAME];
-+#endif
-+
-+#ifdef WITH_IDN
-+	dns_name_settotextfilter(output_filter);
-+#endif
- 
- 	REQUIRE(lookup != NULL);
-@@ -1283,4 +1318,15 @@
- 			sizeof(lookup->onamespace));
- 
-+#ifdef WITH_IDN
-+	/*
-+	 * We cannot convert `textname' and `origin' separately.
-+	 * `textname' doesn't contain TLD, but local mapping needs
-+	 * TLD.
-+	 */
-+	mr = idn_encodename(IDN_LOCALCONV | IDN_DELIMMAP, lookup->textname,
-+			    utf8_textname, sizeof(utf8_textname));
-+	idn_check_result(mr, "convert textname to UTF-8");
-+#endif
-+
- 	/*
- 	 * If the name has too many dots, force the origin to be NULL
-@@ -1291,4 +1337,11 @@
- 	 */
- 	/* XXX New search here? */
-+#ifdef WITH_IDN
-+	if ((count_dots(utf8_textname) >= ndots) || !usesearch)
-+		lookup->origin = NULL; /* Force abs lookup */
-+	else if (lookup->origin == NULL && lookup->new_search && usesearch) {
-+		lookup->origin = ISC_LIST_HEAD(search_list);
-+	}
-+#else
- 	if ((count_dots(lookup->textname) >= ndots) || !usesearch)
- 		lookup->origin = NULL; /* Force abs lookup */
-@@ -1296,5 +1349,27 @@
- 		lookup->origin = ISC_LIST_HEAD(search_list);
- 	}
-+#endif
-+
-+#ifdef WITH_IDN
- 	if (lookup->origin != NULL) {
-+		mr = idn_encodename(IDN_LOCALCONV | IDN_DELIMMAP,
-+				    lookup->origin->origin, utf8_origin,
-+				    sizeof(utf8_origin));
-+		idn_check_result(mr, "convert origin to UTF-8");
-+		mr = append_textname(utf8_textname, utf8_origin,
-+				     sizeof(utf8_textname));
-+		idn_check_result(mr, "append origin to textname");
-+	}
-+	mr = idn_encodename(IDN_LOCALMAP | IDN_NAMEPREP | IDN_ASCCHECK |
-+			    IDN_IDNCONV | IDN_LENCHECK, utf8_textname,
-+			    idn_textname, sizeof(idn_textname));
-+	idn_check_result(mr, "convert UTF-8 textname to IDN encoding");
-+#endif
-+
-+#ifdef WITH_IDN
-+	if (0) {
-+#else
-+	if (lookup->origin != NULL) {
-+#endif
- 		debug("trying origin %s", lookup->origin->origin);
- 		result = dns_message_gettempname(lookup->sendmsg,
-@@ -1341,4 +1416,13 @@
- 			dns_name_clone(dns_rootname, lookup->name);
- 		else {
-+#ifdef WITH_IDN
-+			len = strlen(idn_textname);
-+			isc_buffer_init(&b, idn_textname, len);
-+			isc_buffer_add(&b, len);
-+			result = dns_name_fromtext(lookup->name, &b,
-+						   dns_rootname,
-+						   ISC_FALSE,
-+						   &lookup->namebuf);
-+#else
- 			len = strlen(lookup->textname);
- 			isc_buffer_init(&b, lookup->textname, len);
-@@ -1348,4 +1432,5 @@
- 						   ISC_FALSE,
- 						   &lookup->namebuf);
-+#endif
- 		}
- 		if (result != ISC_R_SUCCESS) {
-@@ -2863,2 +2948,100 @@
- 		isc_mem_destroy(&mctx);
- }
-+
-+#ifdef WITH_IDN
-+static void
-+initialize_idn(void) {
-+	idn_result_t r;
-+
-+#ifdef HAVE_SETLOCALE
-+	/* Set locale */
-+	(void)setlocale(LC_ALL, "");
-+#endif
-+	/* Create configuration context. */
-+	r = idn_nameinit(1);
-+	if (r != idn_success)
-+		fatal("idn api initialization failed: %s",
-+		      idn_result_tostring(r));
-+
-+	/* Set domain name -> text post-conversion filter. */
-+	dns_name_settotextfilter(output_filter);
-+}
-+
-+static isc_result_t
-+output_filter(isc_buffer_t *buffer, unsigned int used_org,
-+	      isc_boolean_t absolute)
-+{
-+	char tmp1[MAXDLEN], tmp2[MAXDLEN];
-+	size_t fromlen, tolen;
-+	isc_boolean_t end_with_dot;
-+
-+	/*
-+	 * Copy contents of 'buffer' to 'tmp1', supply trailing dot
-+	 * if 'absolute' is true, and terminate with NUL.
-+	 */
-+	fromlen = isc_buffer_usedlength(buffer) - used_org;
-+	if (fromlen >= MAXDLEN)
-+		return (ISC_R_SUCCESS);
-+	memcpy(tmp1, (char *)isc_buffer_base(buffer) + used_org, fromlen);
-+	end_with_dot = (tmp1[fromlen - 1] == '.') ? ISC_TRUE : ISC_FALSE;
-+	if (absolute && !end_with_dot) {
-+		fromlen++;
-+		if (fromlen >= MAXDLEN)
-+			return (ISC_R_SUCCESS);
-+		tmp1[fromlen - 1] = '.';
-+	}
-+	tmp1[fromlen] = '\0';
-+
-+	/*
-+	 * Convert contents of 'tmp1' to local encoding.
-+	 */
-+	if (idn_decodename(IDN_DECODE_APP, tmp1, tmp2, MAXDLEN) != idn_success)
-+		return (ISC_R_SUCCESS);
-+	strcpy(tmp1, tmp2);
-+
-+	/*
-+	 * Copy the converted contents in 'tmp1' back to 'buffer'.
-+	 * If we have appended trailing dot, remove it.
-+	 */
-+	tolen = strlen(tmp1);
-+	if (absolute && !end_with_dot && tmp1[tolen - 1] == '.')
-+		tolen--;
-+
-+	if (isc_buffer_length(buffer) < used_org + tolen)
-+		return (ISC_R_NOSPACE);
-+
-+	isc_buffer_subtract(buffer, isc_buffer_usedlength(buffer) - used_org);
-+	memcpy(isc_buffer_used(buffer), tmp1, tolen);
-+	isc_buffer_add(buffer, tolen);
-+
-+	return (ISC_R_SUCCESS);
-+}
-+
-+static idn_result_t
-+append_textname(char *name, const char *origin, size_t namesize) {
-+	size_t namelen = strlen(name);
-+	size_t originlen = strlen(origin);
-+
-+	/* Already absolute? */
-+	if (namelen > 0 && name[namelen - 1] == '.')
-+		return idn_success;
-+
-+	/* Append dot and origin */
-+
-+	if (namelen + 1 + originlen >= namesize)
-+		return idn_buffer_overflow;
-+
-+	name[namelen++] = '.';
-+	(void)strcpy(name + namelen, origin);
-+	return idn_success;
-+}
-+
-+static void
-+idn_check_result(idn_result_t r, const char *msg) {
-+	if (r != idn_success) {
-+		exitcode = 1;
-+		fatal("%s: %s", msg, idn_result_tostring(r));
-+	}
-+}
-+
-+#endif /* WITH_IDN */
-Index: bin/dig/host.1
-===================================================================
-RCS file: /proj/cvs/prod/bind9/bin/dig/host.1,v
-retrieving revision 1.11.2.5
-diff -U2 -r1.11.2.5 host.1
---- bin/dig/host.1	13 Oct 2005 02:23:26 -0000	1.11.2.5
-+++ bin/dig/host.1	4 Nov 2005 01:17:32 -0000
-@@ -14,5 +14,5 @@
- .\" PERFORMANCE OF THIS SOFTWARE.
- .\"
--.\" $Id: host.1,v 1.11.2.5 2005/10/13 02:23:26 marka Exp $
-+.\" $Id$
- .\"
- .hy 0
-@@ -165,4 +165,15 @@
- \fBhost\fR
- will effectively wait forever for a reply. The time to wait for a response will be set to the number of seconds given by the hardware's maximum value for an integer quantity.
-+.SH "IDN SUPPORT"
-+.PP
-+If
-+\fBhost\fR
-+has been built with IDN (internationalized domain name) support, it can accept and display non\-ASCII domain names.
-+\fBhost\fR
-+appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server. If you'd like to turn off the IDN support for some reason, defines the
-+\fBIDN_DISABLE\fR
-+environment variable. The IDN support is disabled if the the variable is set when
-+\fBhost\fR
-+runs.
- .SH "FILES"
- .PP
-Index: bin/dig/host.docbook
-===================================================================
-RCS file: /proj/cvs/prod/bind9/bin/dig/host.docbook,v
-retrieving revision 1.2.2.5
-diff -U2 -r1.2.2.5 host.docbook
---- bin/dig/host.docbook	12 May 2005 21:35:06 -0000	1.2.2.5
-+++ bin/dig/host.docbook	4 Nov 2005 01:17:32 -0000
-@@ -199,4 +199,19 @@
- 
- <refsect1>
-+<title>IDN SUPPORT</title>
-+<para>
-+If <command>host</command> has been built with IDN (internationalized
-+domain name) support, it can accept and display non-ASCII domain names.
-+<command>host</command> appropriately converts character encoding of
-+domain name before sending a request to DNS server or displaying a
-+reply from the server.
-+If you'd like to turn off the IDN support for some reason, defines
-+the <envar>IDN_DISABLE</envar> environment variable.
-+The IDN support is disabled if the the variable is set when
-+<command>host</command> runs.
-+</para>
-+</refsect1>
-+
-+<refsect1>
- <title>FILES</title>
- <para>
-Index: lib/dns/name.c
-===================================================================
-RCS file: /proj/cvs/prod/bind9/lib/dns/name.c,v
-retrieving revision 1.127.2.12
-diff -U2 -r1.127.2.12 name.c
---- lib/dns/name.c	23 Jul 2005 04:34:21 -0000	1.127.2.12
-+++ lib/dns/name.c	4 Nov 2005 01:17:45 -0000
-@@ -199,4 +199,11 @@
- dns_fullname_hash(dns_name_t *name, isc_boolean_t case_sensitive);
- 
-+#ifdef WITH_IDN
-+/*
-+ * dns_name_t to text post-conversion procedure.
-+ */
-+static dns_name_totextfilter_t totext_filter_proc = NULL;
-+#endif
-+
- static void
- set_offsets(const dns_name_t *name, unsigned char *offsets,
-@@ -1715,4 +1722,7 @@
- 	isc_boolean_t saw_root = ISC_FALSE;
- 	char num[4];
-+#ifdef WITH_IDN
-+	unsigned int oused = target->used;
-+#endif
- 
- 	/*
-@@ -1895,4 +1905,8 @@
- 	isc_buffer_add(target, tlen - trem);
- 
-+#ifdef WITH_IDN
-+	if (totext_filter_proc != NULL)
-+		return ((*totext_filter_proc)(target, oused, saw_root));
-+#endif
- 	return (ISC_R_SUCCESS);
- }
-@@ -3359,2 +3373,8 @@
- }
- 
-+#ifdef WITH_IDN
-+void
-+dns_name_settotextfilter(dns_name_totextfilter_t proc) {
-+	totext_filter_proc = proc;
-+}
-+#endif
-Index: lib/dns/include/dns/name.h
-===================================================================
-RCS file: /proj/cvs/prod/bind9/lib/dns/include/dns/name.h,v
-retrieving revision 1.95.2.9
-diff -U2 -r1.95.2.9 name.h
---- lib/dns/include/dns/name.h	8 Sep 2004 00:34:23 -0000	1.95.2.9
-+++ lib/dns/include/dns/name.h	4 Nov 2005 01:17:51 -0000
-@@ -220,4 +220,15 @@
- #define DNS_NAME_MAXWIRE 255
- 
-+#ifdef WITH_IDN
-+/*
-+ * Text output filter procedure.
-+ * 'target' is the buffer to be converted.  The region to be converted
-+ * is from 'buffer'->base + 'used_org' to the end of the used region.
-+ */
-+typedef isc_result_t (*dns_name_totextfilter_t)(isc_buffer_t *target,
-+						unsigned int used_org,
-+						isc_boolean_t absolute);
-+#endif
-+
- /***
-  *** Initialization
-@@ -1265,4 +1276,12 @@
-  */
- 
-+#ifdef WITH_IDN
-+void
-+dns_name_settotextfilter(dns_name_totextfilter_t proc);
-+/*
-+ * Call 'proc' at the end of dns_name_totext.
-+ */
-+#endif /* WITH_IDN */
-+
- #define DNS_NAME_FORMATSIZE (DNS_NAME_MAXTEXT + 1)
- /*
diff --git a/contrib/idn/idnkit-1.0-src/patch/bind9/bind-9.2.7-patch b/contrib/idn/idnkit-1.0-src/patch/bind9/bind-9.2.7-patch
deleted file mode 100644
index 5b421f9a..00000000
--- a/contrib/idn/idnkit-1.0-src/patch/bind9/bind-9.2.7-patch
+++ /dev/null
@@ -1,1255 +0,0 @@
-IDN patch for bind-9.2.7
-========================
-
-
-This is a patch file for ISC BIND 9.2.7 to make it work with
-internationalized domain names.  With this patch you'll get IDN-aware
-dig/host/nslookup.
-
-To apply this patch, you should go to the top directory of the BIND
-distribution (where you see `README' file), then invoke `patch'
-command like this:
-
-	% patch -p0 < this-file
-
-Then follow the instructions described in `README.idnkit' to compile
-and install.
-
-
-Index: README.idnkit
---- /dev/null	Tue Nov 28 14:07:04 2006
-+++ README.idnkit	Tue Nov 28 12:59:38 2006
-@@ -0,0 +1,113 @@
-+
-+			BIND-9 IDN patch
-+
-+	       Japan Network Information Center (JPNIC)
-+
-+
-+* What is this patch for?
-+
-+This patch adds internationalized domain name (IDN) support to BIND-9.
-+You'll get internationalized version of dig/host/nslookup commands.
-+
-+    + internationalized dig/host/nslookup
-+	dig/host/nslookup accepts non-ASCII domain names in the local
-+	codeset (such as Shift JIS, Big5 or ISO8859-1) determined by
-+	the locale information.  The domain names are normalized and
-+	converted to the encoding on the DNS protocol, and sent to DNS
-+	servers.  The replies are converted back to the local codeset
-+	and displayed.
-+
-+
-+* Compilation & installation
-+
-+0. Prerequisite
-+
-+You have to build and install idnkit before building this patched version
-+of bind-9.
-+
-+1. Running configure script
-+
-+Run `configure' in the top directory.  See `README' for the
-+configuration options.
-+
-+This patch adds the following 4 options to `configure'.  You should
-+at least specify `--with-idn' option to enable IDN support.
-+
-+    --with-idn[=IDN_PREFIX]
-+	To enable IDN support, you have to specify `--with-idn' option.
-+	The argument IDN_PREFIX is the install prefix of idnkit.  If
-+	IDN_PREFIX is omitted, PREFIX (derived from `--prefix=PREFIX')
-+	is assumed.
-+
-+    --with-libiconv[=LIBICONV_PREFIX]
-+	Specify this option if idnkit you have installed links GNU
-+	libiconv.  The argument LIBICONV_PREFIX is install prefix of
-+	GNU libiconv.  If the argument is omitted, PREFIX (derived
-+	from `--prefix=PREFIX') is assumed.
-+
-+	`--with-libiconv' is shorthand option for GNU libiconv.
-+
-+	    --with-libiconv=/usr/local
-+
-+	This is equivalent to:
-+
-+	    --with-iconv='-L/usr/local/lib -R/usr/local/lib -liconv'
-+
-+	`--with-libiconv' assumes that your C compiler has `-R'
-+	option, and that the option adds the specified run-time path
-+	to an exacutable binary.  If `-R' option of your compiler has
-+	different meaning, or your compiler lacks the option, you
-+	should use `--with-iconv' option instead.  Binary command
-+	without run-time path information might be unexecutable.
-+	In that case, you would see an error message like:
-+
-+	    error in loading shared libraries: libiconv.so.2: cannot
-+	    open shared object file
-+
-+	If both `--with-libiconv' and `--with-iconv' options are
-+	specified, `--with-iconv' is prior to `--with-libiconv'.
-+
-+    --with-iconv=ICONV_LIBSPEC
-+	If your libc doens't provide iconv(), you need to specify the
-+	library containing iconv() with this option.  `ICONV_LIBSPEC'
-+	is the argument(s) to `cc' or `ld' to link the library, for
-+	example, `--with-iconv="-L/usr/local/lib -liconv"'.
-+	You don't need to specify the header file directory for "iconv.h"
-+	to the compiler, as it isn't included directly by bind-9 with
-+	this patch.
-+
-+    --with-idnlib=IDN_LIBSPEC
-+	With this option, you can explicitly specify the argument(s)
-+	to `cc' or `ld' to link the idnkit's library, `libidnkit'.  If
-+	this option is not specified, `-L${PREFIX}/lib -lidnkit' is
-+	assumed, where ${PREFIX} is the installation prefix specified
-+	with `--with-idn' option above.  You may need to use this
-+	option to specify extra argments, for example,
-+	`--with-idnlib="-L/usr/local/lib -R/usr/local/lib -lidnkit"'.
-+
-+Please consult `README' for other configuration options.
-+
-+Note that if you want to specify some extra header file directories,
-+you should use the environment variable STD_CINCLUDES instead of
-+CFLAGS, as described in README.
-+
-+2. Compilation and installation
-+
-+After running "configure", just do
-+
-+	make
-+	make install
-+
-+for compiling and installing.
-+
-+
-+* Contact information
-+
-+Please see http//www.nic.ad.jp/en/idn/ for the latest news
-+about idnkit and this patch.
-+
-+Bug reports and comments on this kit should be sent to
-+mdnkit-bugs@nic.ad.jp and idn-cmt@nic.ad.jp, respectively.
-+
-+
-+; $Id: bind-9.2.2-patch,v 1.1.1.1 2003/06/04 00:27:32 marka Exp $
-Index: configure
-===================================================================
-RCS file: /proj/cvs/prod/bind9/configure,v
-retrieving revision 1.284.2.70
-diff -U2 -r1.284.2.70 configure
---- configure	10 Nov 2006 18:31:10 -0000	1.284.2.70
-+++ configure	28 Nov 2006 03:09:28 -0000
-@@ -466,5 +466,5 @@
- #endif"
- 
--ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix program_transform_name bindir sbindir libexecdir datadir sysconfdir sharedstatedir localstatedir libdir includedir oldincludedir infodir mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T LIBS subdirs build build_cpu build_vendor build_os host host_cpu host_vendor host_os SET_MAKE RANLIB ac_ct_RANLIB INSTALL_PROGRAM INSTALL_SCRIPT INSTALL_DATA STD_CINCLUDES STD_CDEFINES STD_CWARNINGS CCOPT AR ARFLAGS LN ETAGS PERL CC CFLAGS LDFLAGS CPPFLAGS ac_ct_CC EXEEXT OBJEXT CPP EGREP ISC_SOCKADDR_LEN_T ISC_PLATFORM_HAVELONGLONG ISC_PLATFORM_NEEDSYSSELECTH LWRES_PLATFORM_NEEDSYSSELECTH DST_OPENSSL_INC DNS_OPENSSL_LIBS USE_OPENSSL USE_GSSAPI DST_GSSAPI_INC DNS_GSSAPI_LIBS ALWAYS_DEFINES ISC_PLATFORM_USETHREADS ISC_THREAD_DIR MKDEPCC MKDEPCFLAGS MKDEPPROG IRIX_DNSSEC_WARNINGS_HACK purify_path PURIFY LN_S ECHO ac_ct_AR STRIP ac_ct_STRIP CXX CXXFLAGS ac_ct_CXX CXXCPP F77 FFLAGS ac_ct_F77 LIBTOOL O A SA LIBTOOL_MKDEP_SED LIBTOOL_MODE_COMPILE LIBTOOL_MODE_INSTALL LIBTOOL_MODE_LINK LIBTOOL_ALLOW_UNDEFINED LIBTOOL_IN_MAIN LIBBIND ISC_PLATFORM_HAVEIPV6 LWRES_PLATFORM_HAVEIPV6 ISC_PLATFORM_NEEDNETINETIN6H LWRES_PLATFORM_NEEDNETINETIN6H ISC_PLATFORM_NEEDNETINET6IN6H LWRES_PLATFORM_NEEDNETINET6IN6H ISC_PLATFORM_HAVEINADDR6 LWRES_PLATFORM_HAVEINADDR6 ISC_PLATFORM_NEEDIN6ADDRANY LWRES_PLATFORM_NEEDIN6ADDRANY ISC_PLATFORM_NEEDIN6ADDRLOOPBACK LWRES_PLATFORM_NEEDIN6ADDRLOOPBACK ISC_PLATFORM_HAVEIN6PKTINFO ISC_PLATFORM_FIXIN6ISADDR ISC_IPV6_H ISC_IPV6_O ISC_ISCIPV6_O ISC_IPV6_C LWRES_HAVE_SIN6_SCOPE_ID BUILD_CC BUILD_CFLAGS BUILD_CPPFLAGS BUILD_LDFLAGS BUILD_LIBS ISC_PLATFORM_NEEDNTOP ISC_PLATFORM_NEEDPTON ISC_PLATFORM_NEEDATON ISC_PLATFORM_HAVESALEN LWRES_PLATFORM_HAVESALEN ISC_PLATFORM_MSGHDRFLAVOR ISC_PLATFORM_NEEDPORTT ISC_LWRES_NEEDADDRINFO ISC_LWRES_NEEDRRSETINFO ISC_LWRES_SETHOSTENTINT ISC_LWRES_ENDHOSTENTINT ISC_LWRES_GETNETBYADDRINADDR ISC_LWRES_SETNETENTINT ISC_LWRES_ENDNETENTINT ISC_LWRES_GETHOSTBYADDRVOID ISC_LWRES_NEEDHERRNO ISC_LWRES_GETIPNODEPROTO ISC_LWRES_GETADDRINFOPROTO ISC_LWRES_GETNAMEINFOPROTO ISC_PLATFORM_NEEDSTRSEP ISC_PLATFORM_NEEDVSNPRINTF LWRES_PLATFORM_NEEDVSNPRINTF ISC_EXTRA_OBJS ISC_EXTRA_SRCS ISC_PLATFORM_QUADFORMAT LWRES_PLATFORM_QUADFORMAT ISC_PLATFORM_RLIMITTYPE ISC_PLATFORM_USEDECLSPEC LWRES_PLATFORM_USEDECLSPEC ISC_PLATFORM_BRACEPTHREADONCEINIT LATEX PDFLATEX XSLTPROC XMLLINT XSLT_DOCBOOK_STYLE_HTML XSLT_DOCBOOK_STYLE_XHTML XSLT_DOCBOOK_STYLE_MAN XSLT_DOCBOOK_CHUNK_HTML XSLT_DOCBOOK_CHUNK_XHTML XSLT_DB2LATEX_STYLE XSLT_DB2LATEX_ADMONITIONS BIND9_TOP_BUILDDIR BIND9_ISC_BUILDINCLUDE BIND9_ISCCC_BUILDINCLUDE BIND9_ISCCFG_BUILDINCLUDE BIND9_DNS_BUILDINCLUDE BIND9_LWRES_BUILDINCLUDE BIND9_VERSION LIBOBJS LTLIBOBJS'
-+ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix program_transform_name bindir sbindir libexecdir datadir sysconfdir sharedstatedir localstatedir libdir includedir oldincludedir infodir mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T LIBS subdirs build build_cpu build_vendor build_os host host_cpu host_vendor host_os SET_MAKE RANLIB ac_ct_RANLIB INSTALL_PROGRAM INSTALL_SCRIPT INSTALL_DATA STD_CINCLUDES STD_CDEFINES STD_CWARNINGS CCOPT AR ARFLAGS LN ETAGS PERL CC CFLAGS LDFLAGS CPPFLAGS ac_ct_CC EXEEXT OBJEXT CPP EGREP ISC_SOCKADDR_LEN_T ISC_PLATFORM_HAVELONGLONG ISC_PLATFORM_NEEDSYSSELECTH LWRES_PLATFORM_NEEDSYSSELECTH DST_OPENSSL_INC DNS_OPENSSL_LIBS USE_OPENSSL USE_GSSAPI DST_GSSAPI_INC DNS_GSSAPI_LIBS ALWAYS_DEFINES ISC_PLATFORM_USETHREADS ISC_THREAD_DIR MKDEPCC MKDEPCFLAGS MKDEPPROG IRIX_DNSSEC_WARNINGS_HACK purify_path PURIFY LN_S ECHO ac_ct_AR STRIP ac_ct_STRIP CXX CXXFLAGS ac_ct_CXX CXXCPP F77 FFLAGS ac_ct_F77 LIBTOOL O A SA LIBTOOL_MKDEP_SED LIBTOOL_MODE_COMPILE LIBTOOL_MODE_INSTALL LIBTOOL_MODE_LINK LIBTOOL_ALLOW_UNDEFINED LIBTOOL_IN_MAIN LIBBIND ISC_PLATFORM_HAVEIPV6 LWRES_PLATFORM_HAVEIPV6 ISC_PLATFORM_NEEDNETINETIN6H LWRES_PLATFORM_NEEDNETINETIN6H ISC_PLATFORM_NEEDNETINET6IN6H LWRES_PLATFORM_NEEDNETINET6IN6H ISC_PLATFORM_HAVEINADDR6 LWRES_PLATFORM_HAVEINADDR6 ISC_PLATFORM_NEEDIN6ADDRANY LWRES_PLATFORM_NEEDIN6ADDRANY ISC_PLATFORM_NEEDIN6ADDRLOOPBACK LWRES_PLATFORM_NEEDIN6ADDRLOOPBACK ISC_PLATFORM_HAVEIN6PKTINFO ISC_PLATFORM_FIXIN6ISADDR ISC_IPV6_H ISC_IPV6_O ISC_ISCIPV6_O ISC_IPV6_C LWRES_HAVE_SIN6_SCOPE_ID BUILD_CC BUILD_CFLAGS BUILD_CPPFLAGS BUILD_LDFLAGS BUILD_LIBS ISC_PLATFORM_NEEDNTOP ISC_PLATFORM_NEEDPTON ISC_PLATFORM_NEEDATON ISC_PLATFORM_HAVESALEN LWRES_PLATFORM_HAVESALEN ISC_PLATFORM_MSGHDRFLAVOR ISC_PLATFORM_NEEDPORTT ISC_LWRES_NEEDADDRINFO ISC_LWRES_NEEDRRSETINFO ISC_LWRES_SETHOSTENTINT ISC_LWRES_ENDHOSTENTINT ISC_LWRES_GETNETBYADDRINADDR ISC_LWRES_SETNETENTINT ISC_LWRES_ENDNETENTINT ISC_LWRES_GETHOSTBYADDRVOID ISC_LWRES_NEEDHERRNO ISC_LWRES_GETIPNODEPROTO ISC_LWRES_GETADDRINFOPROTO ISC_LWRES_GETNAMEINFOPROTO ISC_PLATFORM_NEEDSTRSEP ISC_PLATFORM_NEEDVSNPRINTF LWRES_PLATFORM_NEEDVSNPRINTF ISC_EXTRA_OBJS ISC_EXTRA_SRCS ISC_PLATFORM_QUADFORMAT LWRES_PLATFORM_QUADFORMAT ISC_PLATFORM_RLIMITTYPE ISC_PLATFORM_USEDECLSPEC LWRES_PLATFORM_USEDECLSPEC ISC_PLATFORM_BRACEPTHREADONCEINIT LATEX PDFLATEX XSLTPROC XMLLINT XSLT_DOCBOOK_STYLE_HTML XSLT_DOCBOOK_STYLE_XHTML XSLT_DOCBOOK_STYLE_MAN XSLT_DOCBOOK_CHUNK_HTML XSLT_DOCBOOK_CHUNK_XHTML XSLT_DB2LATEX_STYLE XSLT_DB2LATEX_ADMONITIONS IDNLIBS BIND9_TOP_BUILDDIR BIND9_ISC_BUILDINCLUDE BIND9_ISCCC_BUILDINCLUDE BIND9_ISCCFG_BUILDINCLUDE BIND9_DNS_BUILDINCLUDE BIND9_LWRES_BUILDINCLUDE BIND9_VERSION LIBOBJS LTLIBOBJS'
- ac_subst_files='BIND9_INCLUDES BIND9_MAKE_RULES LIBISC_API LIBISCCC_API LIBISCCFG_API LIBDNS_API LIBLWRES_API'
- 
-@@ -1050,4 +1050,8 @@
-                           include additional configurations [automatic]
-   --with-kame=PATH	use Kame IPv6 default path /usr/local/v6
-+  --with-idn=MPREFIX   enable IDN support using idnkit default PREFIX
-+  --with-libiconv=IPREFIX   GNU libiconv are in IPREFIX default PREFIX
-+  --with-iconv=LIBSPEC   specify iconv library default -liconv
-+  --with-idnlib=ARG    specify libidnkit
- 
- Some influential environment variables:
-@@ -8654,5 +8658,5 @@
- *-*-irix6*)
-   # Find out which ABI we are using.
--  echo '#line 8656 "configure"' > conftest.$ac_ext
-+  echo '#line 8660 "configure"' > conftest.$ac_ext
-   if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-   (eval $ac_compile) 2>&5
-@@ -9651,5 +9655,5 @@
- 
- # Provide some information about the compiler.
--echo "$as_me:9653:" \
-+echo "$as_me:9657:" \
-      "checking for Fortran 77 compiler version" >&5
- ac_compiler=`set X $ac_compile; echo $2`
-@@ -10712,9 +10716,9 @@
-    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-    -e 's:$: $lt_compiler_flag:'`
--   (eval echo "\"\$as_me:10714: $lt_compile\"" >&5)
-+   (eval echo "\"\$as_me:10718: $lt_compile\"" >&5)
-    (eval "$lt_compile" 2>conftest.err)
-    ac_status=$?
-    cat conftest.err >&5
--   echo "$as_me:10718: \$? = $ac_status" >&5
-+   echo "$as_me:10722: \$? = $ac_status" >&5
-    if (exit $ac_status) && test -s "$ac_outfile"; then
-      # The compiler can only warn and ignore the option if not recognized
-@@ -10955,9 +10959,9 @@
-    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-    -e 's:$: $lt_compiler_flag:'`
--   (eval echo "\"\$as_me:10957: $lt_compile\"" >&5)
-+   (eval echo "\"\$as_me:10961: $lt_compile\"" >&5)
-    (eval "$lt_compile" 2>conftest.err)
-    ac_status=$?
-    cat conftest.err >&5
--   echo "$as_me:10961: \$? = $ac_status" >&5
-+   echo "$as_me:10965: \$? = $ac_status" >&5
-    if (exit $ac_status) && test -s "$ac_outfile"; then
-      # The compiler can only warn and ignore the option if not recognized
-@@ -11015,9 +11019,9 @@
-    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-    -e 's:$: $lt_compiler_flag:'`
--   (eval echo "\"\$as_me:11017: $lt_compile\"" >&5)
-+   (eval echo "\"\$as_me:11021: $lt_compile\"" >&5)
-    (eval "$lt_compile" 2>out/conftest.err)
-    ac_status=$?
-    cat out/conftest.err >&5
--   echo "$as_me:11021: \$? = $ac_status" >&5
-+   echo "$as_me:11025: \$? = $ac_status" >&5
-    if (exit $ac_status) && test -s out/conftest2.$ac_objext
-    then
-@@ -13200,5 +13204,5 @@
-   lt_status=$lt_dlunknown
-   cat > conftest.$ac_ext <<EOF
--#line 13202 "configure"
-+#line 13206 "configure"
- #include "confdefs.h"
- 
-@@ -13298,5 +13302,5 @@
-   lt_status=$lt_dlunknown
-   cat > conftest.$ac_ext <<EOF
--#line 13300 "configure"
-+#line 13304 "configure"
- #include "confdefs.h"
- 
-@@ -15495,9 +15499,9 @@
-    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-    -e 's:$: $lt_compiler_flag:'`
--   (eval echo "\"\$as_me:15497: $lt_compile\"" >&5)
-+   (eval echo "\"\$as_me:15501: $lt_compile\"" >&5)
-    (eval "$lt_compile" 2>conftest.err)
-    ac_status=$?
-    cat conftest.err >&5
--   echo "$as_me:15501: \$? = $ac_status" >&5
-+   echo "$as_me:15505: \$? = $ac_status" >&5
-    if (exit $ac_status) && test -s "$ac_outfile"; then
-      # The compiler can only warn and ignore the option if not recognized
-@@ -15555,9 +15559,9 @@
-    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-    -e 's:$: $lt_compiler_flag:'`
--   (eval echo "\"\$as_me:15557: $lt_compile\"" >&5)
-+   (eval echo "\"\$as_me:15561: $lt_compile\"" >&5)
-    (eval "$lt_compile" 2>out/conftest.err)
-    ac_status=$?
-    cat out/conftest.err >&5
--   echo "$as_me:15561: \$? = $ac_status" >&5
-+   echo "$as_me:15565: \$? = $ac_status" >&5
-    if (exit $ac_status) && test -s out/conftest2.$ac_objext
-    then
-@@ -16916,5 +16920,5 @@
-   lt_status=$lt_dlunknown
-   cat > conftest.$ac_ext <<EOF
--#line 16918 "configure"
-+#line 16922 "configure"
- #include "confdefs.h"
- 
-@@ -17014,5 +17018,5 @@
-   lt_status=$lt_dlunknown
-   cat > conftest.$ac_ext <<EOF
--#line 17016 "configure"
-+#line 17020 "configure"
- #include "confdefs.h"
- 
-@@ -17851,9 +17855,9 @@
-    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-    -e 's:$: $lt_compiler_flag:'`
--   (eval echo "\"\$as_me:17853: $lt_compile\"" >&5)
-+   (eval echo "\"\$as_me:17857: $lt_compile\"" >&5)
-    (eval "$lt_compile" 2>conftest.err)
-    ac_status=$?
-    cat conftest.err >&5
--   echo "$as_me:17857: \$? = $ac_status" >&5
-+   echo "$as_me:17861: \$? = $ac_status" >&5
-    if (exit $ac_status) && test -s "$ac_outfile"; then
-      # The compiler can only warn and ignore the option if not recognized
-@@ -17911,9 +17915,9 @@
-    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-    -e 's:$: $lt_compiler_flag:'`
--   (eval echo "\"\$as_me:17913: $lt_compile\"" >&5)
-+   (eval echo "\"\$as_me:17917: $lt_compile\"" >&5)
-    (eval "$lt_compile" 2>out/conftest.err)
-    ac_status=$?
-    cat out/conftest.err >&5
--   echo "$as_me:17917: \$? = $ac_status" >&5
-+   echo "$as_me:17921: \$? = $ac_status" >&5
-    if (exit $ac_status) && test -s out/conftest2.$ac_objext
-    then
-@@ -19950,9 +19954,9 @@
-    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-    -e 's:$: $lt_compiler_flag:'`
--   (eval echo "\"\$as_me:19952: $lt_compile\"" >&5)
-+   (eval echo "\"\$as_me:19956: $lt_compile\"" >&5)
-    (eval "$lt_compile" 2>conftest.err)
-    ac_status=$?
-    cat conftest.err >&5
--   echo "$as_me:19956: \$? = $ac_status" >&5
-+   echo "$as_me:19960: \$? = $ac_status" >&5
-    if (exit $ac_status) && test -s "$ac_outfile"; then
-      # The compiler can only warn and ignore the option if not recognized
-@@ -20193,9 +20197,9 @@
-    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-    -e 's:$: $lt_compiler_flag:'`
--   (eval echo "\"\$as_me:20195: $lt_compile\"" >&5)
-+   (eval echo "\"\$as_me:20199: $lt_compile\"" >&5)
-    (eval "$lt_compile" 2>conftest.err)
-    ac_status=$?
-    cat conftest.err >&5
--   echo "$as_me:20199: \$? = $ac_status" >&5
-+   echo "$as_me:20203: \$? = $ac_status" >&5
-    if (exit $ac_status) && test -s "$ac_outfile"; then
-      # The compiler can only warn and ignore the option if not recognized
-@@ -20253,9 +20257,9 @@
-    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-    -e 's:$: $lt_compiler_flag:'`
--   (eval echo "\"\$as_me:20255: $lt_compile\"" >&5)
-+   (eval echo "\"\$as_me:20259: $lt_compile\"" >&5)
-    (eval "$lt_compile" 2>out/conftest.err)
-    ac_status=$?
-    cat out/conftest.err >&5
--   echo "$as_me:20259: \$? = $ac_status" >&5
-+   echo "$as_me:20263: \$? = $ac_status" >&5
-    if (exit $ac_status) && test -s out/conftest2.$ac_objext
-    then
-@@ -22438,5 +22442,5 @@
-   lt_status=$lt_dlunknown
-   cat > conftest.$ac_ext <<EOF
--#line 22440 "configure"
-+#line 22444 "configure"
- #include "confdefs.h"
- 
-@@ -22536,5 +22540,5 @@
-   lt_status=$lt_dlunknown
-   cat > conftest.$ac_ext <<EOF
--#line 22538 "configure"
-+#line 22542 "configure"
- #include "confdefs.h"
- 
-@@ -27037,4 +27041,354 @@
- 
- #
-+# IDN support
-+#
-+
-+# Check whether --with-idn or --without-idn was given.
-+if test "${with_idn+set}" = set; then
-+  withval="$with_idn"
-+  use_idn="$withval"
-+else
-+  use_idn="no"
-+fi;
-+case "$use_idn" in
-+yes)
-+	if test X$prefix = XNONE ; then
-+		idn_path=/usr/local
-+	else
-+		idn_path=$prefix
-+	fi
-+	;;
-+no)
-+	;;
-+*)
-+	idn_path="$use_idn"
-+	;;
-+esac
-+
-+iconvinc=
-+iconvlib=
-+
-+# Check whether --with-libiconv or --without-libiconv was given.
-+if test "${with_libiconv+set}" = set; then
-+  withval="$with_libiconv"
-+  use_libiconv="$withval"
-+else
-+  use_libiconv="no"
-+fi;
-+case "$use_libiconv" in
-+yes)
-+	if test X$prefix = XNONE ; then
-+		iconvlib="-L/usr/local/lib -R/usr/local/lib -liconv"
-+	else
-+		iconvlib="-L$prefix/lib -R$prefix/lib -liconv"
-+	fi
-+	;;
-+no)
-+	iconvlib=
-+	;;
-+*)
-+	iconvlib="-L$use_libiconv/lib -R$use_libiconv/lib -liconv"
-+	;;
-+esac
-+
-+
-+# Check whether --with-iconv or --without-iconv was given.
-+if test "${with_iconv+set}" = set; then
-+  withval="$with_iconv"
-+  iconvlib="$withval"
-+fi;
-+case "$iconvlib" in
-+no)
-+	iconvlib=
-+	;;
-+yes)
-+	iconvlib=-liconv
-+	;;
-+esac
-+
-+
-+# Check whether --with-idnlib or --without-idnlib was given.
-+if test "${with_idnlib+set}" = set; then
-+  withval="$with_idnlib"
-+  idnlib="$withval"
-+else
-+  idnlib="no"
-+fi;
-+if test "$idnlib" = yes; then
-+	{ { echo "$as_me:$LINENO: error: You must specify ARG for --with-idnlib." >&5
-+echo "$as_me: error: You must specify ARG for --with-idnlib." >&2;}
-+   { (exit 1); exit 1; }; }
-+fi
-+
-+IDNLIBS=
-+if test "$use_idn" != no; then
-+
-+cat >>confdefs.h <<\_ACEOF
-+#define WITH_IDN 1
-+_ACEOF
-+
-+	STD_CINCLUDES="$STD_CINCLUDES -I$idn_path/include"
-+	if test "$idnlib" != no; then
-+		IDNLIBS="$idnlib $iconvlib"
-+	else
-+		IDNLIBS="-L$idn_path/lib -lidnkit $iconvlib"
-+	fi
-+fi
-+
-+
-+
-+for ac_header in locale.h
-+do
-+as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
-+if eval "test \"\${$as_ac_Header+set}\" = set"; then
-+  echo "$as_me:$LINENO: checking for $ac_header" >&5
-+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
-+if eval "test \"\${$as_ac_Header+set}\" = set"; then
-+  echo $ECHO_N "(cached) $ECHO_C" >&6
-+fi
-+echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
-+echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
-+else
-+  # Is the header compilable?
-+echo "$as_me:$LINENO: checking $ac_header usability" >&5
-+echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6
-+cat >conftest.$ac_ext <<_ACEOF
-+/* confdefs.h.  */
-+_ACEOF
-+cat confdefs.h >>conftest.$ac_ext
-+cat >>conftest.$ac_ext <<_ACEOF
-+/* end confdefs.h.  */
-+$ac_includes_default
-+#include <$ac_header>
-+_ACEOF
-+rm -f conftest.$ac_objext
-+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-+  (eval $ac_compile) 2>conftest.er1
-+  ac_status=$?
-+  grep -v '^ *+' conftest.er1 >conftest.err
-+  rm -f conftest.er1
-+  cat conftest.err >&5
-+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-+  (exit $ac_status); } &&
-+	 { ac_try='test -z "$ac_c_werror_flag"
-+			 || test ! -s conftest.err'
-+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-+  (eval $ac_try) 2>&5
-+  ac_status=$?
-+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-+  (exit $ac_status); }; } &&
-+	 { ac_try='test -s conftest.$ac_objext'
-+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-+  (eval $ac_try) 2>&5
-+  ac_status=$?
-+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-+  (exit $ac_status); }; }; then
-+  ac_header_compiler=yes
-+else
-+  echo "$as_me: failed program was:" >&5
-+sed 's/^/| /' conftest.$ac_ext >&5
-+
-+ac_header_compiler=no
-+fi
-+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-+echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-+echo "${ECHO_T}$ac_header_compiler" >&6
-+
-+# Is the header present?
-+echo "$as_me:$LINENO: checking $ac_header presence" >&5
-+echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6
-+cat >conftest.$ac_ext <<_ACEOF
-+/* confdefs.h.  */
-+_ACEOF
-+cat confdefs.h >>conftest.$ac_ext
-+cat >>conftest.$ac_ext <<_ACEOF
-+/* end confdefs.h.  */
-+#include <$ac_header>
-+_ACEOF
-+if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
-+  (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
-+  ac_status=$?
-+  grep -v '^ *+' conftest.er1 >conftest.err
-+  rm -f conftest.er1
-+  cat conftest.err >&5
-+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-+  (exit $ac_status); } >/dev/null; then
-+  if test -s conftest.err; then
-+    ac_cpp_err=$ac_c_preproc_warn_flag
-+    ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
-+  else
-+    ac_cpp_err=
-+  fi
-+else
-+  ac_cpp_err=yes
-+fi
-+if test -z "$ac_cpp_err"; then
-+  ac_header_preproc=yes
-+else
-+  echo "$as_me: failed program was:" >&5
-+sed 's/^/| /' conftest.$ac_ext >&5
-+
-+  ac_header_preproc=no
-+fi
-+rm -f conftest.err conftest.$ac_ext
-+echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-+echo "${ECHO_T}$ac_header_preproc" >&6
-+
-+# So?  What about this header?
-+case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
-+  yes:no: )
-+    { echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
-+echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
-+    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5
-+echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;}
-+    ac_header_preproc=yes
-+    ;;
-+  no:yes:* )
-+    { echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
-+echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
-+    { echo "$as_me:$LINENO: WARNING: $ac_header:     check for missing prerequisite headers?" >&5
-+echo "$as_me: WARNING: $ac_header:     check for missing prerequisite headers?" >&2;}
-+    { echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5
-+echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;}
-+    { echo "$as_me:$LINENO: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&5
-+echo "$as_me: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&2;}
-+    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
-+echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
-+    { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
-+echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
-+    (
-+      cat <<\_ASBOX
-+## ------------------------------------------ ##
-+## Report this to the AC_PACKAGE_NAME lists.  ##
-+## ------------------------------------------ ##
-+_ASBOX
-+    ) |
-+      sed "s/^/$as_me: WARNING:     /" >&2
-+    ;;
-+esac
-+echo "$as_me:$LINENO: checking for $ac_header" >&5
-+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
-+if eval "test \"\${$as_ac_Header+set}\" = set"; then
-+  echo $ECHO_N "(cached) $ECHO_C" >&6
-+else
-+  eval "$as_ac_Header=\$ac_header_preproc"
-+fi
-+echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
-+echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
-+
-+fi
-+if test `eval echo '${'$as_ac_Header'}'` = yes; then
-+  cat >>confdefs.h <<_ACEOF
-+#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
-+_ACEOF
-+
-+fi
-+
-+done
-+
-+
-+for ac_func in setlocale
-+do
-+as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-+echo "$as_me:$LINENO: checking for $ac_func" >&5
-+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
-+if eval "test \"\${$as_ac_var+set}\" = set"; then
-+  echo $ECHO_N "(cached) $ECHO_C" >&6
-+else
-+  cat >conftest.$ac_ext <<_ACEOF
-+/* confdefs.h.  */
-+_ACEOF
-+cat confdefs.h >>conftest.$ac_ext
-+cat >>conftest.$ac_ext <<_ACEOF
-+/* end confdefs.h.  */
-+/* Define $ac_func to an innocuous variant, in case <limits.h> declares $ac_func.
-+   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
-+#define $ac_func innocuous_$ac_func
-+
-+/* System header to define __stub macros and hopefully few prototypes,
-+    which can conflict with char $ac_func (); below.
-+    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
-+    <limits.h> exists even on freestanding compilers.  */
-+
-+#ifdef __STDC__
-+# include <limits.h>
-+#else
-+# include <assert.h>
-+#endif
-+
-+#undef $ac_func
-+
-+/* Override any gcc2 internal prototype to avoid an error.  */
-+#ifdef __cplusplus
-+extern "C"
-+{
-+#endif
-+/* We use char because int might match the return type of a gcc2
-+   builtin and then its argument prototype would still apply.  */
-+char $ac_func ();
-+/* The GNU C library defines this for functions which it implements
-+    to always fail with ENOSYS.  Some functions are actually named
-+    something starting with __ and the normal name is an alias.  */
-+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
-+choke me
-+#else
-+char (*f) () = $ac_func;
-+#endif
-+#ifdef __cplusplus
-+}
-+#endif
-+
-+int
-+main ()
-+{
-+return f != $ac_func;
-+  ;
-+  return 0;
-+}
-+_ACEOF
-+rm -f conftest.$ac_objext conftest$ac_exeext
-+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-+  (eval $ac_link) 2>conftest.er1
-+  ac_status=$?
-+  grep -v '^ *+' conftest.er1 >conftest.err
-+  rm -f conftest.er1
-+  cat conftest.err >&5
-+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-+  (exit $ac_status); } &&
-+	 { ac_try='test -z "$ac_c_werror_flag"
-+			 || test ! -s conftest.err'
-+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-+  (eval $ac_try) 2>&5
-+  ac_status=$?
-+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-+  (exit $ac_status); }; } &&
-+	 { ac_try='test -s conftest$ac_exeext'
-+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-+  (eval $ac_try) 2>&5
-+  ac_status=$?
-+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-+  (exit $ac_status); }; }; then
-+  eval "$as_ac_var=yes"
-+else
-+  echo "$as_me: failed program was:" >&5
-+sed 's/^/| /' conftest.$ac_ext >&5
-+
-+eval "$as_ac_var=no"
-+fi
-+rm -f conftest.err conftest.$ac_objext \
-+      conftest$ac_exeext conftest.$ac_ext
-+fi
-+echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
-+echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
-+if test `eval echo '${'$as_ac_var'}'` = yes; then
-+  cat >>confdefs.h <<_ACEOF
-+#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
-+_ACEOF
-+
-+fi
-+done
-+
-+
-+#
- # Substitutions
- #
-@@ -27910,4 +28264,5 @@
- s,@XSLT_DB2LATEX_STYLE@,$XSLT_DB2LATEX_STYLE,;t t
- s,@XSLT_DB2LATEX_ADMONITIONS@,$XSLT_DB2LATEX_ADMONITIONS,;t t
-+s,@IDNLIBS@,$IDNLIBS,;t t
- s,@BIND9_TOP_BUILDDIR@,$BIND9_TOP_BUILDDIR,;t t
- s,@BIND9_ISC_BUILDINCLUDE@,$BIND9_ISC_BUILDINCLUDE,;t t
-Index: configure.in
-===================================================================
-RCS file: /proj/cvs/prod/bind9/configure.in,v
-retrieving revision 1.294.2.73
-diff -U2 -r1.294.2.73 configure.in
---- configure.in	10 Nov 2006 18:30:44 -0000	1.294.2.73
-+++ configure.in	28 Nov 2006 03:09:32 -0000
-@@ -1796,4 +1796,80 @@
- 
- #
-+# IDN support
-+#
-+AC_ARG_WITH(idn,
-+	[  --with-idn[=MPREFIX]   enable IDN support using idnkit [default PREFIX]],
-+	use_idn="$withval", use_idn="no")
-+case "$use_idn" in
-+yes)
-+	if test X$prefix = XNONE ; then
-+		idn_path=/usr/local
-+	else
-+		idn_path=$prefix
-+	fi
-+	;;
-+no)
-+	;;
-+*)
-+	idn_path="$use_idn"
-+	;;
-+esac
-+
-+iconvinc=
-+iconvlib=
-+AC_ARG_WITH(libiconv,
-+	[  --with-libiconv[=IPREFIX]   GNU libiconv are in IPREFIX [default PREFIX]],
-+	use_libiconv="$withval", use_libiconv="no")
-+case "$use_libiconv" in
-+yes)
-+	if test X$prefix = XNONE ; then
-+		iconvlib="-L/usr/local/lib -R/usr/local/lib -liconv"
-+	else
-+		iconvlib="-L$prefix/lib -R$prefix/lib -liconv"
-+	fi
-+	;;
-+no)
-+	iconvlib=
-+	;;
-+*)
-+	iconvlib="-L$use_libiconv/lib -R$use_libiconv/lib -liconv"
-+	;;
-+esac
-+
-+AC_ARG_WITH(iconv,
-+	[  --with-iconv[=LIBSPEC]   specify iconv library [default -liconv]],
-+	iconvlib="$withval")
-+case "$iconvlib" in
-+no)
-+	iconvlib=
-+	;;
-+yes)
-+	iconvlib=-liconv
-+	;;
-+esac
-+
-+AC_ARG_WITH(idnlib,
-+	[  --with-idnlib=ARG    specify libidnkit],
-+	idnlib="$withval", idnlib="no")
-+if test "$idnlib" = yes; then
-+	AC_MSG_ERROR([You must specify ARG for --with-idnlib.])
-+fi
-+
-+IDNLIBS=
-+if test "$use_idn" != no; then
-+	AC_DEFINE(WITH_IDN, 1, [define if idnkit support is to be included.])
-+	STD_CINCLUDES="$STD_CINCLUDES -I$idn_path/include"
-+	if test "$idnlib" != no; then
-+		IDNLIBS="$idnlib $iconvlib"
-+	else
-+		IDNLIBS="-L$idn_path/lib -lidnkit $iconvlib"
-+	fi
-+fi
-+AC_SUBST(IDNLIBS)
-+
-+AC_CHECK_HEADERS(locale.h)
-+AC_CHECK_FUNCS(setlocale)
-+
-+#
- # Substitutions
- #
-Index: config.h.in
-===================================================================
-RCS file: /proj/cvs/prod/bind9/config.h.in,v
-retrieving revision 1.47.2.24
-diff -U2 -r1.47.2.24 config.h.in
---- config.h.in	10 Aug 2006 02:07:08 -0000	1.47.2.24
-+++ config.h.in	28 Nov 2006 03:09:33 -0000
-@@ -17,5 +17,5 @@
-  */
- 
--/* $Id: config.h.in,v 1.47.2.24 2006/08/10 02:07:08 marka Exp $ */
-+/* $Id: acconfig.h,v 1.35.2.10 2004/12/04 06:44:36 marka Exp $ */
- 
- /***
-@@ -184,4 +184,7 @@
- #undef HAVE_LINUX_CAPABILITY_H
- 
-+/* Define to 1 if you have the <locale.h> header file. */
-+#undef HAVE_LOCALE_H
-+
- /* Define to 1 if you have the <memory.h> header file. */
- #undef HAVE_MEMORY_H
-@@ -190,4 +193,7 @@
- #undef HAVE_RSA_GENERATE_KEY
- 
-+/* Define to 1 if you have the `setlocale' function. */
-+#undef HAVE_SETLOCALE
-+
- /* Define to 1 if you have the <stdint.h> header file. */
- #undef HAVE_STDINT_H
-@@ -258,4 +264,7 @@
- #undef USE_FIONBIO_IOCTL
- 
-+/* define if idnkit support is to be included. */
-+#undef WITH_IDN
-+
- /* Define to 1 if your processor stores words with the most significant byte
-    first (like Motorola and SPARC, unlike Intel and VAX). */
-Index: bin/dig/Makefile.in
-===================================================================
-RCS file: /proj/cvs/prod/bind9/bin/dig/Makefile.in,v
-retrieving revision 1.25.2.4
-diff -U2 -r1.25.2.4 Makefile.in
---- bin/dig/Makefile.in	18 Aug 2004 23:22:52 -0000	1.25.2.4
-+++ bin/dig/Makefile.in	28 Nov 2006 03:09:33 -0000
-@@ -37,5 +37,5 @@
- DEPLIBS =	${DNSDEPLIBS} ${ISCDEPLIBS}
- 
--LIBS =		${DNSLIBS} ${ISCLIBS} @LIBS@
-+LIBS =		${DNSLIBS} ${ISCLIBS} @IDNLIBS@ @LIBS@
- 
- SUBDIRS =
-Index: bin/dig/dig.1
-===================================================================
-RCS file: /proj/cvs/prod/bind9/bin/dig/dig.1,v
-retrieving revision 1.14.2.10
-diff -U2 -r1.14.2.10 dig.1
---- bin/dig/dig.1	29 Jun 2006 13:02:05 -0000	1.14.2.10
-+++ bin/dig/dig.1	28 Nov 2006 03:09:35 -0000
-@@ -371,4 +371,15 @@
- will not print the initial query when it looks up the NS records for
- isc.org.
-+.SH "IDN SUPPORT"
-+.PP
-+If
-+\fBdig\fR
-+has been built with IDN (internationalized domain name) support, it can accept and display non\-ASCII domain names.
-+\fBdig\fR
-+appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server. If you'd like to turn off the IDN support for some reason, defines the
-+\fBIDN_DISABLE\fR
-+environment variable. The IDN support is disabled if the the variable is set when
-+\fBdig\fR
-+runs.
- .SH "FILES"
- .PP
-Index: bin/dig/dig.docbook
-===================================================================
-RCS file: /proj/cvs/prod/bind9/bin/dig/dig.docbook,v
-retrieving revision 1.4.2.11
-diff -U2 -r1.4.2.11 dig.docbook
---- bin/dig/dig.docbook	12 May 2005 21:35:06 -0000	1.4.2.11
-+++ bin/dig/dig.docbook	28 Nov 2006 03:09:36 -0000
-@@ -547,4 +547,19 @@
- 
- <refsect1>
-+<title>IDN SUPPORT</title>
-+<para>
-+If <command>dig</command> has been built with IDN (internationalized
-+domain name) support, it can accept and display non-ASCII domain names.
-+<command>dig</command> appropriately converts character encoding of
-+domain name before sending a request to DNS server or displaying a
-+reply from the server.
-+If you'd like to turn off the IDN support for some reason, defines
-+the <envar>IDN_DISABLE</envar> environment variable.
-+The IDN support is disabled if the the variable is set when 
-+<command>dig</command> runs.
-+</para>
-+</refsect1>
-+
-+<refsect1>
- <title>FILES</title>
- <para>
-Index: bin/dig/dighost.c
-===================================================================
-RCS file: /proj/cvs/prod/bind9/bin/dig/dighost.c,v
-retrieving revision 1.221.2.33
-diff -U2 -r1.221.2.33 dighost.c
---- bin/dig/dighost.c	2 Oct 2006 03:14:14 -0000	1.221.2.33
-+++ bin/dig/dighost.c	28 Nov 2006 03:09:41 -0000
-@@ -33,4 +33,15 @@
- #include <limits.h>
- 
-+#ifdef HAVE_LOCALE_H
-+#include <locale.h>
-+#endif
-+
-+#ifdef WITH_IDN
-+#include <idn/result.h>
-+#include <idn/log.h>
-+#include <idn/resconf.h>
-+#include <idn/api.h>
-+#endif
-+
- #include <dns/byaddr.h>
- #include <dns/fixedname.h>
-@@ -134,4 +145,16 @@
- dig_lookup_t *current_lookup = NULL;
- 
-+#ifdef WITH_IDN
-+static void	      initialize_idn(void);
-+static isc_result_t   output_filter(isc_buffer_t *buffer,
-+				    unsigned int used_org,
-+				    isc_boolean_t absolute);
-+static idn_result_t   append_textname(char *name, const char *origin,
-+				      size_t namesize);
-+static void	      idn_check_result(idn_result_t r, const char *msg);
-+
-+#define MAXDLEN               256
-+#endif
-+
- /*
-  * Apply and clear locks at the event level in global task.
-@@ -737,4 +760,8 @@
- 	}
- 
-+#ifdef WITH_IDN
-+	initialize_idn();
-+#endif
-+
- 	if (keyfile[0] != 0)
- 		setup_file_key();
-@@ -1268,4 +1295,12 @@
- 	dns_compress_t cctx;
- 	char store[MXNAME];
-+#ifdef WITH_IDN
-+	idn_result_t mr;
-+	char utf8_textname[MXNAME], utf8_origin[MXNAME], idn_textname[MXNAME];
-+#endif
-+
-+#ifdef WITH_IDN
-+	dns_name_settotextfilter(output_filter);
-+#endif
- 
- 	REQUIRE(lookup != NULL);
-@@ -1296,4 +1331,15 @@
- 			sizeof(lookup->onamespace));
- 
-+#ifdef WITH_IDN
-+	/*
-+	 * We cannot convert `textname' and `origin' separately.
-+	 * `textname' doesn't contain TLD, but local mapping needs
-+	 * TLD.
-+	 */
-+	mr = idn_encodename(IDN_LOCALCONV | IDN_DELIMMAP, lookup->textname,
-+			    utf8_textname, sizeof(utf8_textname));
-+	idn_check_result(mr, "convert textname to UTF-8");
-+#endif
-+
- 	/*
- 	 * If the name has too many dots, force the origin to be NULL
-@@ -1304,4 +1350,11 @@
- 	 */
- 	/* XXX New search here? */
-+#ifdef WITH_IDN
-+	if ((count_dots(utf8_textname) >= ndots) || !usesearch)
-+		lookup->origin = NULL; /* Force abs lookup */
-+	else if (lookup->origin == NULL && lookup->new_search && usesearch) {
-+		lookup->origin = ISC_LIST_HEAD(search_list);
-+	}
-+#else
- 	if ((count_dots(lookup->textname) >= ndots) || !usesearch)
- 		lookup->origin = NULL; /* Force abs lookup */
-@@ -1309,5 +1362,27 @@
- 		lookup->origin = ISC_LIST_HEAD(search_list);
- 	}
-+#endif
-+
-+#ifdef WITH_IDN
- 	if (lookup->origin != NULL) {
-+		mr = idn_encodename(IDN_LOCALCONV | IDN_DELIMMAP,
-+				    lookup->origin->origin, utf8_origin,
-+				    sizeof(utf8_origin));
-+		idn_check_result(mr, "convert origin to UTF-8");
-+		mr = append_textname(utf8_textname, utf8_origin,
-+				     sizeof(utf8_textname));
-+		idn_check_result(mr, "append origin to textname");
-+	}
-+	mr = idn_encodename(IDN_LOCALMAP | IDN_NAMEPREP | IDN_ASCCHECK |
-+			    IDN_IDNCONV | IDN_LENCHECK, utf8_textname,
-+			    idn_textname, sizeof(idn_textname));
-+	idn_check_result(mr, "convert UTF-8 textname to IDN encoding");
-+#endif
-+
-+#ifdef WITH_IDN
-+	if (0) {
-+#else
-+	if (lookup->origin != NULL) {
-+#endif
- 		debug("trying origin %s", lookup->origin->origin);
- 		result = dns_message_gettempname(lookup->sendmsg,
-@@ -1354,4 +1429,13 @@
- 			dns_name_clone(dns_rootname, lookup->name);
- 		else {
-+#ifdef WITH_IDN
-+			len = strlen(idn_textname);
-+			isc_buffer_init(&b, idn_textname, len);
-+			isc_buffer_add(&b, len);
-+			result = dns_name_fromtext(lookup->name, &b,
-+						   dns_rootname,
-+						   ISC_FALSE,
-+						   &lookup->namebuf);
-+#else
- 			len = strlen(lookup->textname);
- 			isc_buffer_init(&b, lookup->textname, len);
-@@ -1361,4 +1445,5 @@
- 						   ISC_FALSE,
- 						   &lookup->namebuf);
-+#endif
- 		}
- 		if (result != ISC_R_SUCCESS) {
-@@ -2898,2 +2983,100 @@
- 		isc_mem_destroy(&mctx);
- }
-+
-+#ifdef WITH_IDN
-+static void
-+initialize_idn(void) {
-+	idn_result_t r;
-+
-+#ifdef HAVE_SETLOCALE
-+	/* Set locale */
-+	(void)setlocale(LC_ALL, "");
-+#endif
-+	/* Create configuration context. */
-+	r = idn_nameinit(1);
-+	if (r != idn_success)
-+		fatal("idn api initialization failed: %s",
-+		      idn_result_tostring(r));
-+
-+	/* Set domain name -> text post-conversion filter. */
-+	dns_name_settotextfilter(output_filter);
-+}
-+
-+static isc_result_t
-+output_filter(isc_buffer_t *buffer, unsigned int used_org,
-+	      isc_boolean_t absolute)
-+{
-+	char tmp1[MAXDLEN], tmp2[MAXDLEN];
-+	size_t fromlen, tolen;
-+	isc_boolean_t end_with_dot;
-+
-+	/*
-+	 * Copy contents of 'buffer' to 'tmp1', supply trailing dot
-+	 * if 'absolute' is true, and terminate with NUL.
-+	 */
-+	fromlen = isc_buffer_usedlength(buffer) - used_org;
-+	if (fromlen >= MAXDLEN)
-+		return (ISC_R_SUCCESS);
-+	memcpy(tmp1, (char *)isc_buffer_base(buffer) + used_org, fromlen);
-+	end_with_dot = (tmp1[fromlen - 1] == '.') ? ISC_TRUE : ISC_FALSE;
-+	if (absolute && !end_with_dot) {
-+		fromlen++;
-+		if (fromlen >= MAXDLEN)
-+			return (ISC_R_SUCCESS);
-+		tmp1[fromlen - 1] = '.';
-+	}
-+	tmp1[fromlen] = '\0';
-+
-+	/*
-+	 * Convert contents of 'tmp1' to local encoding.
-+	 */
-+	if (idn_decodename(IDN_DECODE_APP, tmp1, tmp2, MAXDLEN) != idn_success)
-+		return (ISC_R_SUCCESS);
-+	strcpy(tmp1, tmp2);
-+
-+	/*
-+	 * Copy the converted contents in 'tmp1' back to 'buffer'.
-+	 * If we have appended trailing dot, remove it.
-+	 */
-+	tolen = strlen(tmp1);
-+	if (absolute && !end_with_dot && tmp1[tolen - 1] == '.')
-+		tolen--;
-+
-+	if (isc_buffer_length(buffer) < used_org + tolen)
-+		return (ISC_R_NOSPACE);
-+
-+	isc_buffer_subtract(buffer, isc_buffer_usedlength(buffer) - used_org);
-+	memcpy(isc_buffer_used(buffer), tmp1, tolen);
-+	isc_buffer_add(buffer, tolen);
-+
-+	return (ISC_R_SUCCESS);
-+}
-+
-+static idn_result_t
-+append_textname(char *name, const char *origin, size_t namesize) {
-+	size_t namelen = strlen(name);
-+	size_t originlen = strlen(origin);
-+
-+	/* Already absolute? */
-+	if (namelen > 0 && name[namelen - 1] == '.')
-+		return idn_success;
-+
-+	/* Append dot and origin */
-+
-+	if (namelen + 1 + originlen >= namesize)
-+		return idn_buffer_overflow;
-+
-+	name[namelen++] = '.';
-+	(void)strcpy(name + namelen, origin);
-+	return idn_success;
-+}
-+
-+static void
-+idn_check_result(idn_result_t r, const char *msg) {
-+	if (r != idn_success) {
-+		exitcode = 1;
-+		fatal("%s: %s", msg, idn_result_tostring(r));
-+	}
-+}
-+
-+#endif /* WITH_IDN */
-Index: bin/dig/host.1
-===================================================================
-RCS file: /proj/cvs/prod/bind9/bin/dig/host.1,v
-retrieving revision 1.11.2.6
-diff -U2 -r1.11.2.6 host.1
---- bin/dig/host.1	29 Jun 2006 13:02:05 -0000	1.11.2.6
-+++ bin/dig/host.1	28 Nov 2006 03:09:42 -0000
-@@ -168,4 +168,15 @@
- \fBhost\fR
- will effectively wait forever for a reply. The time to wait for a response will be set to the number of seconds given by the hardware's maximum value for an integer quantity.
-+.SH "IDN SUPPORT"
-+.PP
-+If
-+\fBhost\fR
-+has been built with IDN (internationalized domain name) support, it can accept and display non\-ASCII domain names.
-+\fBhost\fR
-+appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server. If you'd like to turn off the IDN support for some reason, defines the
-+\fBIDN_DISABLE\fR
-+environment variable. The IDN support is disabled if the the variable is set when
-+\fBhost\fR
-+runs.
- .SH "FILES"
- .PP
-Index: bin/dig/host.docbook
-===================================================================
-RCS file: /proj/cvs/prod/bind9/bin/dig/host.docbook,v
-retrieving revision 1.2.2.5
-diff -U2 -r1.2.2.5 host.docbook
---- bin/dig/host.docbook	12 May 2005 21:35:06 -0000	1.2.2.5
-+++ bin/dig/host.docbook	28 Nov 2006 03:09:42 -0000
-@@ -199,4 +199,19 @@
- 
- <refsect1>
-+<title>IDN SUPPORT</title>
-+<para>
-+If <command>host</command> has been built with IDN (internationalized
-+domain name) support, it can accept and display non-ASCII domain names.
-+<command>host</command> appropriately converts character encoding of
-+domain name before sending a request to DNS server or displaying a
-+reply from the server.
-+If you'd like to turn off the IDN support for some reason, defines
-+the <envar>IDN_DISABLE</envar> environment variable.
-+The IDN support is disabled if the the variable is set when
-+<command>host</command> runs.
-+</para>
-+</refsect1>
-+
-+<refsect1>
- <title>FILES</title>
- <para>
-Index: lib/dns/name.c
-===================================================================
-RCS file: /proj/cvs/prod/bind9/lib/dns/name.c,v
-retrieving revision 1.127.2.14
-diff -U2 -r1.127.2.14 name.c
---- lib/dns/name.c	2 Mar 2006 00:37:17 -0000	1.127.2.14
-+++ lib/dns/name.c	28 Nov 2006 03:09:47 -0000
-@@ -199,4 +199,11 @@
- dns_fullname_hash(dns_name_t *name, isc_boolean_t case_sensitive);
- 
-+#ifdef WITH_IDN
-+/*
-+ * dns_name_t to text post-conversion procedure.
-+ */
-+static dns_name_totextfilter_t totext_filter_proc = NULL;
-+#endif
-+
- static void
- set_offsets(const dns_name_t *name, unsigned char *offsets,
-@@ -1715,4 +1722,7 @@
- 	isc_boolean_t saw_root = ISC_FALSE;
- 	char num[4];
-+#ifdef WITH_IDN
-+	unsigned int oused = target->used;
-+#endif
- 
- 	/*
-@@ -1895,4 +1905,8 @@
- 	isc_buffer_add(target, tlen - trem);
- 
-+#ifdef WITH_IDN
-+	if (totext_filter_proc != NULL)
-+		return ((*totext_filter_proc)(target, oused, saw_root));
-+#endif
- 	return (ISC_R_SUCCESS);
- }
-@@ -3363,2 +3377,8 @@
- }
- 
-+#ifdef WITH_IDN
-+void
-+dns_name_settotextfilter(dns_name_totextfilter_t proc) {
-+	totext_filter_proc = proc;
-+}
-+#endif
-Index: lib/dns/include/dns/name.h
-===================================================================
-RCS file: /proj/cvs/prod/bind9/lib/dns/include/dns/name.h,v
-retrieving revision 1.95.2.11
-diff -U2 -r1.95.2.11 name.h
---- lib/dns/include/dns/name.h	2 Mar 2006 00:37:17 -0000	1.95.2.11
-+++ lib/dns/include/dns/name.h	28 Nov 2006 03:09:49 -0000
-@@ -220,4 +220,15 @@
- #define DNS_NAME_MAXWIRE 255
- 
-+#ifdef WITH_IDN
-+/*
-+ * Text output filter procedure.
-+ * 'target' is the buffer to be converted.  The region to be converted
-+ * is from 'buffer'->base + 'used_org' to the end of the used region.
-+ */
-+typedef isc_result_t (*dns_name_totextfilter_t)(isc_buffer_t *target,
-+						unsigned int used_org,
-+						isc_boolean_t absolute);
-+#endif
-+
- /***
-  *** Initialization
-@@ -1266,4 +1277,12 @@
-  */
- 
-+#ifdef WITH_IDN
-+void
-+dns_name_settotextfilter(dns_name_totextfilter_t proc);
-+/*
-+ * Call 'proc' at the end of dns_name_totext.
-+ */
-+#endif /* WITH_IDN */
-+
- #define DNS_NAME_FORMATSIZE (DNS_NAME_MAXTEXT + 1)
- /*
diff --git a/contrib/idn/idnkit-1.0-src/patch/bind9/bind-9.2.9-patch b/contrib/idn/idnkit-1.0-src/patch/bind9/bind-9.2.9-patch
deleted file mode 100644
index ca9bc9e4..00000000
--- a/contrib/idn/idnkit-1.0-src/patch/bind9/bind-9.2.9-patch
+++ /dev/null
@@ -1,1265 +0,0 @@
-IDN patch for bind-9.2.9
-========================
-
-
-This is a patch file for ISC BIND 9.2.9 to make it work with
-internationalized domain names.  With this patch you'll get IDN-aware
-dig/host/nslookup.
-
-To apply this patch, you should go to the top directory of the BIND
-distribution (where you see `README' file), then invoke `patch'
-command like this:
-
-	% patch -p0 < this-file
-
-Then follow the instructions described in `README.idnkit' to compile
-and install.
-
-
-Index: README.idnkit
---- /dev/null	2007-08-06 14:00:15.000000000 +1000
-+++ README.idnkit	2007-08-06 11:54:07.000000000 +1000
-@@ -0,0 +1,113 @@
-+
-+			BIND-9 IDN patch
-+
-+	       Japan Network Information Center (JPNIC)
-+
-+
-+* What is this patch for?
-+
-+This patch adds internationalized domain name (IDN) support to BIND-9.
-+You'll get internationalized version of dig/host/nslookup commands.
-+
-+    + internationalized dig/host/nslookup
-+	dig/host/nslookup accepts non-ASCII domain names in the local
-+	codeset (such as Shift JIS, Big5 or ISO8859-1) determined by
-+	the locale information.  The domain names are normalized and
-+	converted to the encoding on the DNS protocol, and sent to DNS
-+	servers.  The replies are converted back to the local codeset
-+	and displayed.
-+
-+
-+* Compilation & installation
-+
-+0. Prerequisite
-+
-+You have to build and install idnkit before building this patched version
-+of bind-9.
-+
-+1. Running configure script
-+
-+Run `configure' in the top directory.  See `README' for the
-+configuration options.
-+
-+This patch adds the following 4 options to `configure'.  You should
-+at least specify `--with-idn' option to enable IDN support.
-+
-+    --with-idn[=IDN_PREFIX]
-+	To enable IDN support, you have to specify `--with-idn' option.
-+	The argument IDN_PREFIX is the install prefix of idnkit.  If
-+	IDN_PREFIX is omitted, PREFIX (derived from `--prefix=PREFIX')
-+	is assumed.
-+
-+    --with-libiconv[=LIBICONV_PREFIX]
-+	Specify this option if idnkit you have installed links GNU
-+	libiconv.  The argument LIBICONV_PREFIX is install prefix of
-+	GNU libiconv.  If the argument is omitted, PREFIX (derived
-+	from `--prefix=PREFIX') is assumed.
-+
-+	`--with-libiconv' is shorthand option for GNU libiconv.
-+
-+	    --with-libiconv=/usr/local
-+
-+	This is equivalent to:
-+
-+	    --with-iconv='-L/usr/local/lib -R/usr/local/lib -liconv'
-+
-+	`--with-libiconv' assumes that your C compiler has `-R'
-+	option, and that the option adds the specified run-time path
-+	to an exacutable binary.  If `-R' option of your compiler has
-+	different meaning, or your compiler lacks the option, you
-+	should use `--with-iconv' option instead.  Binary command
-+	without run-time path information might be unexecutable.
-+	In that case, you would see an error message like:
-+
-+	    error in loading shared libraries: libiconv.so.2: cannot
-+	    open shared object file
-+
-+	If both `--with-libiconv' and `--with-iconv' options are
-+	specified, `--with-iconv' is prior to `--with-libiconv'.
-+
-+    --with-iconv=ICONV_LIBSPEC
-+	If your libc doens't provide iconv(), you need to specify the
-+	library containing iconv() with this option.  `ICONV_LIBSPEC'
-+	is the argument(s) to `cc' or `ld' to link the library, for
-+	example, `--with-iconv="-L/usr/local/lib -liconv"'.
-+	You don't need to specify the header file directory for "iconv.h"
-+	to the compiler, as it isn't included directly by bind-9 with
-+	this patch.
-+
-+    --with-idnlib=IDN_LIBSPEC
-+	With this option, you can explicitly specify the argument(s)
-+	to `cc' or `ld' to link the idnkit's library, `libidnkit'.  If
-+	this option is not specified, `-L${PREFIX}/lib -lidnkit' is
-+	assumed, where ${PREFIX} is the installation prefix specified
-+	with `--with-idn' option above.  You may need to use this
-+	option to specify extra argments, for example,
-+	`--with-idnlib="-L/usr/local/lib -R/usr/local/lib -lidnkit"'.
-+
-+Please consult `README' for other configuration options.
-+
-+Note that if you want to specify some extra header file directories,
-+you should use the environment variable STD_CINCLUDES instead of
-+CFLAGS, as described in README.
-+
-+2. Compilation and installation
-+
-+After running "configure", just do
-+
-+	make
-+	make install
-+
-+for compiling and installing.
-+
-+
-+* Contact information
-+
-+Please see http//www.nic.ad.jp/en/idn/ for the latest news
-+about idnkit and this patch.
-+
-+Bug reports and comments on this kit should be sent to
-+mdnkit-bugs@nic.ad.jp and idn-cmt@nic.ad.jp, respectively.
-+
-+
-+; $Id: bind-9.2.9-patch,v 1.1.2.2 2007/08/06 04:05:01 marka Exp $
-Index: configure
-===================================================================
-RCS file: /proj/cvs/prod/bind9/configure,v
-retrieving revision 1.284.2.71
-diff -U2 -r1.284.2.71 configure
---- configure	8 Jan 2007 02:03:17 -0000	1.284.2.71
-+++ configure	6 Aug 2007 04:01:56 -0000
-@@ -1,4 +1,4 @@
- #! /bin/sh
--# From configure.in Revision: 1.294.2.74 .
-+# From configure.in Revision: 1.294.2.75 .
- # Guess values for system-dependent variables and create Makefiles.
- # Generated by GNU Autoconf 2.59.
-@@ -466,5 +466,5 @@
- #endif"
- 
--ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix program_transform_name bindir sbindir libexecdir datadir sysconfdir sharedstatedir localstatedir libdir includedir oldincludedir infodir mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T LIBS subdirs build build_cpu build_vendor build_os host host_cpu host_vendor host_os SET_MAKE RANLIB ac_ct_RANLIB INSTALL_PROGRAM INSTALL_SCRIPT INSTALL_DATA STD_CINCLUDES STD_CDEFINES STD_CWARNINGS CCOPT AR ARFLAGS LN ETAGS PERL CC CFLAGS LDFLAGS CPPFLAGS ac_ct_CC EXEEXT OBJEXT CPP EGREP ISC_SOCKADDR_LEN_T ISC_PLATFORM_HAVELONGLONG ISC_PLATFORM_NEEDSYSSELECTH LWRES_PLATFORM_NEEDSYSSELECTH DST_OPENSSL_INC DNS_OPENSSL_LIBS USE_OPENSSL USE_GSSAPI DST_GSSAPI_INC DNS_GSSAPI_LIBS ALWAYS_DEFINES ISC_PLATFORM_USETHREADS ISC_THREAD_DIR MKDEPCC MKDEPCFLAGS MKDEPPROG IRIX_DNSSEC_WARNINGS_HACK purify_path PURIFY LN_S ECHO ac_ct_AR STRIP ac_ct_STRIP CXX CXXFLAGS ac_ct_CXX CXXCPP F77 FFLAGS ac_ct_F77 LIBTOOL O A SA LIBTOOL_MKDEP_SED LIBTOOL_MODE_COMPILE LIBTOOL_MODE_INSTALL LIBTOOL_MODE_LINK LIBTOOL_ALLOW_UNDEFINED LIBTOOL_IN_MAIN LIBBIND ISC_PLATFORM_HAVEIPV6 LWRES_PLATFORM_HAVEIPV6 ISC_PLATFORM_NEEDNETINETIN6H LWRES_PLATFORM_NEEDNETINETIN6H ISC_PLATFORM_NEEDNETINET6IN6H LWRES_PLATFORM_NEEDNETINET6IN6H ISC_PLATFORM_HAVEINADDR6 LWRES_PLATFORM_HAVEINADDR6 ISC_PLATFORM_NEEDIN6ADDRANY LWRES_PLATFORM_NEEDIN6ADDRANY ISC_PLATFORM_NEEDIN6ADDRLOOPBACK LWRES_PLATFORM_NEEDIN6ADDRLOOPBACK ISC_PLATFORM_HAVEIN6PKTINFO ISC_PLATFORM_FIXIN6ISADDR ISC_IPV6_H ISC_IPV6_O ISC_ISCIPV6_O ISC_IPV6_C LWRES_HAVE_SIN6_SCOPE_ID BUILD_CC BUILD_CFLAGS BUILD_CPPFLAGS BUILD_LDFLAGS BUILD_LIBS ISC_PLATFORM_NEEDNTOP ISC_PLATFORM_NEEDPTON ISC_PLATFORM_NEEDATON ISC_PLATFORM_HAVESALEN LWRES_PLATFORM_HAVESALEN ISC_PLATFORM_MSGHDRFLAVOR ISC_PLATFORM_NEEDPORTT ISC_LWRES_NEEDADDRINFO ISC_LWRES_NEEDRRSETINFO ISC_LWRES_SETHOSTENTINT ISC_LWRES_ENDHOSTENTINT ISC_LWRES_GETNETBYADDRINADDR ISC_LWRES_SETNETENTINT ISC_LWRES_ENDNETENTINT ISC_LWRES_GETHOSTBYADDRVOID ISC_LWRES_NEEDHERRNO ISC_LWRES_GETIPNODEPROTO ISC_LWRES_GETADDRINFOPROTO ISC_LWRES_GETNAMEINFOPROTO ISC_PLATFORM_NEEDSTRSEP ISC_PLATFORM_NEEDVSNPRINTF LWRES_PLATFORM_NEEDVSNPRINTF ISC_EXTRA_OBJS ISC_EXTRA_SRCS ISC_PLATFORM_QUADFORMAT LWRES_PLATFORM_QUADFORMAT ISC_PLATFORM_RLIMITTYPE ISC_PLATFORM_USEDECLSPEC LWRES_PLATFORM_USEDECLSPEC ISC_PLATFORM_BRACEPTHREADONCEINIT LATEX PDFLATEX XSLTPROC XMLLINT XSLT_DOCBOOK_STYLE_HTML XSLT_DOCBOOK_STYLE_XHTML XSLT_DOCBOOK_STYLE_MAN XSLT_DOCBOOK_CHUNK_HTML XSLT_DOCBOOK_CHUNK_XHTML XSLT_DB2LATEX_STYLE XSLT_DB2LATEX_ADMONITIONS BIND9_TOP_BUILDDIR BIND9_ISC_BUILDINCLUDE BIND9_ISCCC_BUILDINCLUDE BIND9_ISCCFG_BUILDINCLUDE BIND9_DNS_BUILDINCLUDE BIND9_LWRES_BUILDINCLUDE BIND9_VERSION LIBOBJS LTLIBOBJS'
-+ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix program_transform_name bindir sbindir libexecdir datadir sysconfdir sharedstatedir localstatedir libdir includedir oldincludedir infodir mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T LIBS subdirs build build_cpu build_vendor build_os host host_cpu host_vendor host_os SET_MAKE RANLIB ac_ct_RANLIB INSTALL_PROGRAM INSTALL_SCRIPT INSTALL_DATA STD_CINCLUDES STD_CDEFINES STD_CWARNINGS CCOPT AR ARFLAGS LN ETAGS PERL CC CFLAGS LDFLAGS CPPFLAGS ac_ct_CC EXEEXT OBJEXT CPP EGREP ISC_SOCKADDR_LEN_T ISC_PLATFORM_HAVELONGLONG ISC_PLATFORM_NEEDSYSSELECTH LWRES_PLATFORM_NEEDSYSSELECTH DST_OPENSSL_INC DNS_OPENSSL_LIBS USE_OPENSSL USE_GSSAPI DST_GSSAPI_INC DNS_GSSAPI_LIBS ALWAYS_DEFINES ISC_PLATFORM_USETHREADS ISC_THREAD_DIR MKDEPCC MKDEPCFLAGS MKDEPPROG IRIX_DNSSEC_WARNINGS_HACK purify_path PURIFY LN_S ECHO ac_ct_AR STRIP ac_ct_STRIP CXX CXXFLAGS ac_ct_CXX CXXCPP F77 FFLAGS ac_ct_F77 LIBTOOL O A SA LIBTOOL_MKDEP_SED LIBTOOL_MODE_COMPILE LIBTOOL_MODE_INSTALL LIBTOOL_MODE_LINK LIBTOOL_ALLOW_UNDEFINED LIBTOOL_IN_MAIN LIBBIND ISC_PLATFORM_HAVEIPV6 LWRES_PLATFORM_HAVEIPV6 ISC_PLATFORM_NEEDNETINETIN6H LWRES_PLATFORM_NEEDNETINETIN6H ISC_PLATFORM_NEEDNETINET6IN6H LWRES_PLATFORM_NEEDNETINET6IN6H ISC_PLATFORM_HAVEINADDR6 LWRES_PLATFORM_HAVEINADDR6 ISC_PLATFORM_NEEDIN6ADDRANY LWRES_PLATFORM_NEEDIN6ADDRANY ISC_PLATFORM_NEEDIN6ADDRLOOPBACK LWRES_PLATFORM_NEEDIN6ADDRLOOPBACK ISC_PLATFORM_HAVEIN6PKTINFO ISC_PLATFORM_FIXIN6ISADDR ISC_IPV6_H ISC_IPV6_O ISC_ISCIPV6_O ISC_IPV6_C LWRES_HAVE_SIN6_SCOPE_ID BUILD_CC BUILD_CFLAGS BUILD_CPPFLAGS BUILD_LDFLAGS BUILD_LIBS ISC_PLATFORM_NEEDNTOP ISC_PLATFORM_NEEDPTON ISC_PLATFORM_NEEDATON ISC_PLATFORM_HAVESALEN LWRES_PLATFORM_HAVESALEN ISC_PLATFORM_MSGHDRFLAVOR ISC_PLATFORM_NEEDPORTT ISC_LWRES_NEEDADDRINFO ISC_LWRES_NEEDRRSETINFO ISC_LWRES_SETHOSTENTINT ISC_LWRES_ENDHOSTENTINT ISC_LWRES_GETNETBYADDRINADDR ISC_LWRES_SETNETENTINT ISC_LWRES_ENDNETENTINT ISC_LWRES_GETHOSTBYADDRVOID ISC_LWRES_NEEDHERRNO ISC_LWRES_GETIPNODEPROTO ISC_LWRES_GETADDRINFOPROTO ISC_LWRES_GETNAMEINFOPROTO ISC_PLATFORM_NEEDSTRSEP ISC_PLATFORM_NEEDVSNPRINTF LWRES_PLATFORM_NEEDVSNPRINTF ISC_EXTRA_OBJS ISC_EXTRA_SRCS ISC_PLATFORM_QUADFORMAT LWRES_PLATFORM_QUADFORMAT ISC_PLATFORM_RLIMITTYPE ISC_PLATFORM_USEDECLSPEC LWRES_PLATFORM_USEDECLSPEC ISC_PLATFORM_BRACEPTHREADONCEINIT LATEX PDFLATEX XSLTPROC XMLLINT XSLT_DOCBOOK_STYLE_HTML XSLT_DOCBOOK_STYLE_XHTML XSLT_DOCBOOK_STYLE_MAN XSLT_DOCBOOK_CHUNK_HTML XSLT_DOCBOOK_CHUNK_XHTML XSLT_DB2LATEX_STYLE XSLT_DB2LATEX_ADMONITIONS IDNLIBS BIND9_TOP_BUILDDIR BIND9_ISC_BUILDINCLUDE BIND9_ISCCC_BUILDINCLUDE BIND9_ISCCFG_BUILDINCLUDE BIND9_DNS_BUILDINCLUDE BIND9_LWRES_BUILDINCLUDE BIND9_VERSION LIBOBJS LTLIBOBJS'
- ac_subst_files='BIND9_INCLUDES BIND9_MAKE_RULES LIBISC_API LIBISCCC_API LIBISCCFG_API LIBDNS_API LIBLWRES_API'
- 
-@@ -1050,4 +1050,8 @@
-                           include additional configurations [automatic]
-   --with-kame=PATH	use Kame IPv6 default path /usr/local/v6
-+  --with-idn=MPREFIX   enable IDN support using idnkit default PREFIX
-+  --with-libiconv=IPREFIX   GNU libiconv are in IPREFIX default PREFIX
-+  --with-iconv=LIBSPEC   specify iconv library default -liconv
-+  --with-idnlib=ARG    specify libidnkit
- 
- Some influential environment variables:
-@@ -8359,5 +8363,5 @@
- *-*-irix6*)
-   # Find out which ABI we are using.
--  echo '#line 8361 "configure"' > conftest.$ac_ext
-+  echo '#line 8365 "configure"' > conftest.$ac_ext
-   if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-   (eval $ac_compile) 2>&5
-@@ -9356,5 +9360,5 @@
- 
- # Provide some information about the compiler.
--echo "$as_me:9358:" \
-+echo "$as_me:9362:" \
-      "checking for Fortran 77 compiler version" >&5
- ac_compiler=`set X $ac_compile; echo $2`
-@@ -10417,9 +10421,9 @@
-    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-    -e 's:$: $lt_compiler_flag:'`
--   (eval echo "\"\$as_me:10419: $lt_compile\"" >&5)
-+   (eval echo "\"\$as_me:10423: $lt_compile\"" >&5)
-    (eval "$lt_compile" 2>conftest.err)
-    ac_status=$?
-    cat conftest.err >&5
--   echo "$as_me:10423: \$? = $ac_status" >&5
-+   echo "$as_me:10427: \$? = $ac_status" >&5
-    if (exit $ac_status) && test -s "$ac_outfile"; then
-      # The compiler can only warn and ignore the option if not recognized
-@@ -10660,9 +10664,9 @@
-    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-    -e 's:$: $lt_compiler_flag:'`
--   (eval echo "\"\$as_me:10662: $lt_compile\"" >&5)
-+   (eval echo "\"\$as_me:10666: $lt_compile\"" >&5)
-    (eval "$lt_compile" 2>conftest.err)
-    ac_status=$?
-    cat conftest.err >&5
--   echo "$as_me:10666: \$? = $ac_status" >&5
-+   echo "$as_me:10670: \$? = $ac_status" >&5
-    if (exit $ac_status) && test -s "$ac_outfile"; then
-      # The compiler can only warn and ignore the option if not recognized
-@@ -10720,9 +10724,9 @@
-    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-    -e 's:$: $lt_compiler_flag:'`
--   (eval echo "\"\$as_me:10722: $lt_compile\"" >&5)
-+   (eval echo "\"\$as_me:10726: $lt_compile\"" >&5)
-    (eval "$lt_compile" 2>out/conftest.err)
-    ac_status=$?
-    cat out/conftest.err >&5
--   echo "$as_me:10726: \$? = $ac_status" >&5
-+   echo "$as_me:10730: \$? = $ac_status" >&5
-    if (exit $ac_status) && test -s out/conftest2.$ac_objext
-    then
-@@ -12905,5 +12909,5 @@
-   lt_status=$lt_dlunknown
-   cat > conftest.$ac_ext <<EOF
--#line 12907 "configure"
-+#line 12911 "configure"
- #include "confdefs.h"
- 
-@@ -13003,5 +13007,5 @@
-   lt_status=$lt_dlunknown
-   cat > conftest.$ac_ext <<EOF
--#line 13005 "configure"
-+#line 13009 "configure"
- #include "confdefs.h"
- 
-@@ -15200,9 +15204,9 @@
-    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-    -e 's:$: $lt_compiler_flag:'`
--   (eval echo "\"\$as_me:15202: $lt_compile\"" >&5)
-+   (eval echo "\"\$as_me:15206: $lt_compile\"" >&5)
-    (eval "$lt_compile" 2>conftest.err)
-    ac_status=$?
-    cat conftest.err >&5
--   echo "$as_me:15206: \$? = $ac_status" >&5
-+   echo "$as_me:15210: \$? = $ac_status" >&5
-    if (exit $ac_status) && test -s "$ac_outfile"; then
-      # The compiler can only warn and ignore the option if not recognized
-@@ -15260,9 +15264,9 @@
-    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-    -e 's:$: $lt_compiler_flag:'`
--   (eval echo "\"\$as_me:15262: $lt_compile\"" >&5)
-+   (eval echo "\"\$as_me:15266: $lt_compile\"" >&5)
-    (eval "$lt_compile" 2>out/conftest.err)
-    ac_status=$?
-    cat out/conftest.err >&5
--   echo "$as_me:15266: \$? = $ac_status" >&5
-+   echo "$as_me:15270: \$? = $ac_status" >&5
-    if (exit $ac_status) && test -s out/conftest2.$ac_objext
-    then
-@@ -16621,5 +16625,5 @@
-   lt_status=$lt_dlunknown
-   cat > conftest.$ac_ext <<EOF
--#line 16623 "configure"
-+#line 16627 "configure"
- #include "confdefs.h"
- 
-@@ -16719,5 +16723,5 @@
-   lt_status=$lt_dlunknown
-   cat > conftest.$ac_ext <<EOF
--#line 16721 "configure"
-+#line 16725 "configure"
- #include "confdefs.h"
- 
-@@ -17556,9 +17560,9 @@
-    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-    -e 's:$: $lt_compiler_flag:'`
--   (eval echo "\"\$as_me:17558: $lt_compile\"" >&5)
-+   (eval echo "\"\$as_me:17562: $lt_compile\"" >&5)
-    (eval "$lt_compile" 2>conftest.err)
-    ac_status=$?
-    cat conftest.err >&5
--   echo "$as_me:17562: \$? = $ac_status" >&5
-+   echo "$as_me:17566: \$? = $ac_status" >&5
-    if (exit $ac_status) && test -s "$ac_outfile"; then
-      # The compiler can only warn and ignore the option if not recognized
-@@ -17616,9 +17620,9 @@
-    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-    -e 's:$: $lt_compiler_flag:'`
--   (eval echo "\"\$as_me:17618: $lt_compile\"" >&5)
-+   (eval echo "\"\$as_me:17622: $lt_compile\"" >&5)
-    (eval "$lt_compile" 2>out/conftest.err)
-    ac_status=$?
-    cat out/conftest.err >&5
--   echo "$as_me:17622: \$? = $ac_status" >&5
-+   echo "$as_me:17626: \$? = $ac_status" >&5
-    if (exit $ac_status) && test -s out/conftest2.$ac_objext
-    then
-@@ -19655,9 +19659,9 @@
-    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-    -e 's:$: $lt_compiler_flag:'`
--   (eval echo "\"\$as_me:19657: $lt_compile\"" >&5)
-+   (eval echo "\"\$as_me:19661: $lt_compile\"" >&5)
-    (eval "$lt_compile" 2>conftest.err)
-    ac_status=$?
-    cat conftest.err >&5
--   echo "$as_me:19661: \$? = $ac_status" >&5
-+   echo "$as_me:19665: \$? = $ac_status" >&5
-    if (exit $ac_status) && test -s "$ac_outfile"; then
-      # The compiler can only warn and ignore the option if not recognized
-@@ -19898,9 +19902,9 @@
-    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-    -e 's:$: $lt_compiler_flag:'`
--   (eval echo "\"\$as_me:19900: $lt_compile\"" >&5)
-+   (eval echo "\"\$as_me:19904: $lt_compile\"" >&5)
-    (eval "$lt_compile" 2>conftest.err)
-    ac_status=$?
-    cat conftest.err >&5
--   echo "$as_me:19904: \$? = $ac_status" >&5
-+   echo "$as_me:19908: \$? = $ac_status" >&5
-    if (exit $ac_status) && test -s "$ac_outfile"; then
-      # The compiler can only warn and ignore the option if not recognized
-@@ -19958,9 +19962,9 @@
-    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-    -e 's:$: $lt_compiler_flag:'`
--   (eval echo "\"\$as_me:19960: $lt_compile\"" >&5)
-+   (eval echo "\"\$as_me:19964: $lt_compile\"" >&5)
-    (eval "$lt_compile" 2>out/conftest.err)
-    ac_status=$?
-    cat out/conftest.err >&5
--   echo "$as_me:19964: \$? = $ac_status" >&5
-+   echo "$as_me:19968: \$? = $ac_status" >&5
-    if (exit $ac_status) && test -s out/conftest2.$ac_objext
-    then
-@@ -22143,5 +22147,5 @@
-   lt_status=$lt_dlunknown
-   cat > conftest.$ac_ext <<EOF
--#line 22145 "configure"
-+#line 22149 "configure"
- #include "confdefs.h"
- 
-@@ -22241,5 +22245,5 @@
-   lt_status=$lt_dlunknown
-   cat > conftest.$ac_ext <<EOF
--#line 22243 "configure"
-+#line 22247 "configure"
- #include "confdefs.h"
- 
-@@ -26742,4 +26746,354 @@
- 
- #
-+# IDN support
-+#
-+
-+# Check whether --with-idn or --without-idn was given.
-+if test "${with_idn+set}" = set; then
-+  withval="$with_idn"
-+  use_idn="$withval"
-+else
-+  use_idn="no"
-+fi;
-+case "$use_idn" in
-+yes)
-+	if test X$prefix = XNONE ; then
-+		idn_path=/usr/local
-+	else
-+		idn_path=$prefix
-+	fi
-+	;;
-+no)
-+	;;
-+*)
-+	idn_path="$use_idn"
-+	;;
-+esac
-+
-+iconvinc=
-+iconvlib=
-+
-+# Check whether --with-libiconv or --without-libiconv was given.
-+if test "${with_libiconv+set}" = set; then
-+  withval="$with_libiconv"
-+  use_libiconv="$withval"
-+else
-+  use_libiconv="no"
-+fi;
-+case "$use_libiconv" in
-+yes)
-+	if test X$prefix = XNONE ; then
-+		iconvlib="-L/usr/local/lib -R/usr/local/lib -liconv"
-+	else
-+		iconvlib="-L$prefix/lib -R$prefix/lib -liconv"
-+	fi
-+	;;
-+no)
-+	iconvlib=
-+	;;
-+*)
-+	iconvlib="-L$use_libiconv/lib -R$use_libiconv/lib -liconv"
-+	;;
-+esac
-+
-+
-+# Check whether --with-iconv or --without-iconv was given.
-+if test "${with_iconv+set}" = set; then
-+  withval="$with_iconv"
-+  iconvlib="$withval"
-+fi;
-+case "$iconvlib" in
-+no)
-+	iconvlib=
-+	;;
-+yes)
-+	iconvlib=-liconv
-+	;;
-+esac
-+
-+
-+# Check whether --with-idnlib or --without-idnlib was given.
-+if test "${with_idnlib+set}" = set; then
-+  withval="$with_idnlib"
-+  idnlib="$withval"
-+else
-+  idnlib="no"
-+fi;
-+if test "$idnlib" = yes; then
-+	{ { echo "$as_me:$LINENO: error: You must specify ARG for --with-idnlib." >&5
-+echo "$as_me: error: You must specify ARG for --with-idnlib." >&2;}
-+   { (exit 1); exit 1; }; }
-+fi
-+
-+IDNLIBS=
-+if test "$use_idn" != no; then
-+
-+cat >>confdefs.h <<\_ACEOF
-+#define WITH_IDN 1
-+_ACEOF
-+
-+	STD_CINCLUDES="$STD_CINCLUDES -I$idn_path/include"
-+	if test "$idnlib" != no; then
-+		IDNLIBS="$idnlib $iconvlib"
-+	else
-+		IDNLIBS="-L$idn_path/lib -lidnkit $iconvlib"
-+	fi
-+fi
-+
-+
-+
-+for ac_header in locale.h
-+do
-+as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
-+if eval "test \"\${$as_ac_Header+set}\" = set"; then
-+  echo "$as_me:$LINENO: checking for $ac_header" >&5
-+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
-+if eval "test \"\${$as_ac_Header+set}\" = set"; then
-+  echo $ECHO_N "(cached) $ECHO_C" >&6
-+fi
-+echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
-+echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
-+else
-+  # Is the header compilable?
-+echo "$as_me:$LINENO: checking $ac_header usability" >&5
-+echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6
-+cat >conftest.$ac_ext <<_ACEOF
-+/* confdefs.h.  */
-+_ACEOF
-+cat confdefs.h >>conftest.$ac_ext
-+cat >>conftest.$ac_ext <<_ACEOF
-+/* end confdefs.h.  */
-+$ac_includes_default
-+#include <$ac_header>
-+_ACEOF
-+rm -f conftest.$ac_objext
-+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-+  (eval $ac_compile) 2>conftest.er1
-+  ac_status=$?
-+  grep -v '^ *+' conftest.er1 >conftest.err
-+  rm -f conftest.er1
-+  cat conftest.err >&5
-+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-+  (exit $ac_status); } &&
-+	 { ac_try='test -z "$ac_c_werror_flag"
-+			 || test ! -s conftest.err'
-+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-+  (eval $ac_try) 2>&5
-+  ac_status=$?
-+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-+  (exit $ac_status); }; } &&
-+	 { ac_try='test -s conftest.$ac_objext'
-+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-+  (eval $ac_try) 2>&5
-+  ac_status=$?
-+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-+  (exit $ac_status); }; }; then
-+  ac_header_compiler=yes
-+else
-+  echo "$as_me: failed program was:" >&5
-+sed 's/^/| /' conftest.$ac_ext >&5
-+
-+ac_header_compiler=no
-+fi
-+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-+echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-+echo "${ECHO_T}$ac_header_compiler" >&6
-+
-+# Is the header present?
-+echo "$as_me:$LINENO: checking $ac_header presence" >&5
-+echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6
-+cat >conftest.$ac_ext <<_ACEOF
-+/* confdefs.h.  */
-+_ACEOF
-+cat confdefs.h >>conftest.$ac_ext
-+cat >>conftest.$ac_ext <<_ACEOF
-+/* end confdefs.h.  */
-+#include <$ac_header>
-+_ACEOF
-+if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
-+  (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
-+  ac_status=$?
-+  grep -v '^ *+' conftest.er1 >conftest.err
-+  rm -f conftest.er1
-+  cat conftest.err >&5
-+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-+  (exit $ac_status); } >/dev/null; then
-+  if test -s conftest.err; then
-+    ac_cpp_err=$ac_c_preproc_warn_flag
-+    ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
-+  else
-+    ac_cpp_err=
-+  fi
-+else
-+  ac_cpp_err=yes
-+fi
-+if test -z "$ac_cpp_err"; then
-+  ac_header_preproc=yes
-+else
-+  echo "$as_me: failed program was:" >&5
-+sed 's/^/| /' conftest.$ac_ext >&5
-+
-+  ac_header_preproc=no
-+fi
-+rm -f conftest.err conftest.$ac_ext
-+echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-+echo "${ECHO_T}$ac_header_preproc" >&6
-+
-+# So?  What about this header?
-+case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
-+  yes:no: )
-+    { echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
-+echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
-+    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5
-+echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;}
-+    ac_header_preproc=yes
-+    ;;
-+  no:yes:* )
-+    { echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
-+echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
-+    { echo "$as_me:$LINENO: WARNING: $ac_header:     check for missing prerequisite headers?" >&5
-+echo "$as_me: WARNING: $ac_header:     check for missing prerequisite headers?" >&2;}
-+    { echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5
-+echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;}
-+    { echo "$as_me:$LINENO: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&5
-+echo "$as_me: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&2;}
-+    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
-+echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
-+    { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
-+echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
-+    (
-+      cat <<\_ASBOX
-+## ------------------------------------------ ##
-+## Report this to the AC_PACKAGE_NAME lists.  ##
-+## ------------------------------------------ ##
-+_ASBOX
-+    ) |
-+      sed "s/^/$as_me: WARNING:     /" >&2
-+    ;;
-+esac
-+echo "$as_me:$LINENO: checking for $ac_header" >&5
-+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
-+if eval "test \"\${$as_ac_Header+set}\" = set"; then
-+  echo $ECHO_N "(cached) $ECHO_C" >&6
-+else
-+  eval "$as_ac_Header=\$ac_header_preproc"
-+fi
-+echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
-+echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
-+
-+fi
-+if test `eval echo '${'$as_ac_Header'}'` = yes; then
-+  cat >>confdefs.h <<_ACEOF
-+#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
-+_ACEOF
-+
-+fi
-+
-+done
-+
-+
-+for ac_func in setlocale
-+do
-+as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-+echo "$as_me:$LINENO: checking for $ac_func" >&5
-+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
-+if eval "test \"\${$as_ac_var+set}\" = set"; then
-+  echo $ECHO_N "(cached) $ECHO_C" >&6
-+else
-+  cat >conftest.$ac_ext <<_ACEOF
-+/* confdefs.h.  */
-+_ACEOF
-+cat confdefs.h >>conftest.$ac_ext
-+cat >>conftest.$ac_ext <<_ACEOF
-+/* end confdefs.h.  */
-+/* Define $ac_func to an innocuous variant, in case <limits.h> declares $ac_func.
-+   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
-+#define $ac_func innocuous_$ac_func
-+
-+/* System header to define __stub macros and hopefully few prototypes,
-+    which can conflict with char $ac_func (); below.
-+    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
-+    <limits.h> exists even on freestanding compilers.  */
-+
-+#ifdef __STDC__
-+# include <limits.h>
-+#else
-+# include <assert.h>
-+#endif
-+
-+#undef $ac_func
-+
-+/* Override any gcc2 internal prototype to avoid an error.  */
-+#ifdef __cplusplus
-+extern "C"
-+{
-+#endif
-+/* We use char because int might match the return type of a gcc2
-+   builtin and then its argument prototype would still apply.  */
-+char $ac_func ();
-+/* The GNU C library defines this for functions which it implements
-+    to always fail with ENOSYS.  Some functions are actually named
-+    something starting with __ and the normal name is an alias.  */
-+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
-+choke me
-+#else
-+char (*f) () = $ac_func;
-+#endif
-+#ifdef __cplusplus
-+}
-+#endif
-+
-+int
-+main ()
-+{
-+return f != $ac_func;
-+  ;
-+  return 0;
-+}
-+_ACEOF
-+rm -f conftest.$ac_objext conftest$ac_exeext
-+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-+  (eval $ac_link) 2>conftest.er1
-+  ac_status=$?
-+  grep -v '^ *+' conftest.er1 >conftest.err
-+  rm -f conftest.er1
-+  cat conftest.err >&5
-+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-+  (exit $ac_status); } &&
-+	 { ac_try='test -z "$ac_c_werror_flag"
-+			 || test ! -s conftest.err'
-+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-+  (eval $ac_try) 2>&5
-+  ac_status=$?
-+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-+  (exit $ac_status); }; } &&
-+	 { ac_try='test -s conftest$ac_exeext'
-+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-+  (eval $ac_try) 2>&5
-+  ac_status=$?
-+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-+  (exit $ac_status); }; }; then
-+  eval "$as_ac_var=yes"
-+else
-+  echo "$as_me: failed program was:" >&5
-+sed 's/^/| /' conftest.$ac_ext >&5
-+
-+eval "$as_ac_var=no"
-+fi
-+rm -f conftest.err conftest.$ac_objext \
-+      conftest$ac_exeext conftest.$ac_ext
-+fi
-+echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
-+echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
-+if test `eval echo '${'$as_ac_var'}'` = yes; then
-+  cat >>confdefs.h <<_ACEOF
-+#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
-+_ACEOF
-+
-+fi
-+done
-+
-+
-+#
- # Substitutions
- #
-@@ -27615,4 +27969,5 @@
- s,@XSLT_DB2LATEX_STYLE@,$XSLT_DB2LATEX_STYLE,;t t
- s,@XSLT_DB2LATEX_ADMONITIONS@,$XSLT_DB2LATEX_ADMONITIONS,;t t
-+s,@IDNLIBS@,$IDNLIBS,;t t
- s,@BIND9_TOP_BUILDDIR@,$BIND9_TOP_BUILDDIR,;t t
- s,@BIND9_ISC_BUILDINCLUDE@,$BIND9_ISC_BUILDINCLUDE,;t t
-Index: configure.in
-===================================================================
-RCS file: /proj/cvs/prod/bind9/configure.in,v
-retrieving revision 1.294.2.75
-diff -U2 -r1.294.2.75 configure.in
---- configure.in	8 Jan 2007 02:45:02 -0000	1.294.2.75
-+++ configure.in	6 Aug 2007 04:01:57 -0000
-@@ -1786,4 +1786,80 @@
- 
- #
-+# IDN support
-+#
-+AC_ARG_WITH(idn,
-+	[  --with-idn[=MPREFIX]   enable IDN support using idnkit [default PREFIX]],
-+	use_idn="$withval", use_idn="no")
-+case "$use_idn" in
-+yes)
-+	if test X$prefix = XNONE ; then
-+		idn_path=/usr/local
-+	else
-+		idn_path=$prefix
-+	fi
-+	;;
-+no)
-+	;;
-+*)
-+	idn_path="$use_idn"
-+	;;
-+esac
-+
-+iconvinc=
-+iconvlib=
-+AC_ARG_WITH(libiconv,
-+	[  --with-libiconv[=IPREFIX]   GNU libiconv are in IPREFIX [default PREFIX]],
-+	use_libiconv="$withval", use_libiconv="no")
-+case "$use_libiconv" in
-+yes)
-+	if test X$prefix = XNONE ; then
-+		iconvlib="-L/usr/local/lib -R/usr/local/lib -liconv"
-+	else
-+		iconvlib="-L$prefix/lib -R$prefix/lib -liconv"
-+	fi
-+	;;
-+no)
-+	iconvlib=
-+	;;
-+*)
-+	iconvlib="-L$use_libiconv/lib -R$use_libiconv/lib -liconv"
-+	;;
-+esac
-+
-+AC_ARG_WITH(iconv,
-+	[  --with-iconv[=LIBSPEC]   specify iconv library [default -liconv]],
-+	iconvlib="$withval")
-+case "$iconvlib" in
-+no)
-+	iconvlib=
-+	;;
-+yes)
-+	iconvlib=-liconv
-+	;;
-+esac
-+
-+AC_ARG_WITH(idnlib,
-+	[  --with-idnlib=ARG    specify libidnkit],
-+	idnlib="$withval", idnlib="no")
-+if test "$idnlib" = yes; then
-+	AC_MSG_ERROR([You must specify ARG for --with-idnlib.])
-+fi
-+
-+IDNLIBS=
-+if test "$use_idn" != no; then
-+	AC_DEFINE(WITH_IDN, 1, [define if idnkit support is to be included.])
-+	STD_CINCLUDES="$STD_CINCLUDES -I$idn_path/include"
-+	if test "$idnlib" != no; then
-+		IDNLIBS="$idnlib $iconvlib"
-+	else
-+		IDNLIBS="-L$idn_path/lib -lidnkit $iconvlib"
-+	fi
-+fi
-+AC_SUBST(IDNLIBS)
-+
-+AC_CHECK_HEADERS(locale.h)
-+AC_CHECK_FUNCS(setlocale)
-+
-+#
- # Substitutions
- #
-Index: config.h.in
-===================================================================
-RCS file: /proj/cvs/prod/bind9/config.h.in,v
-retrieving revision 1.47.2.25
-diff -U2 -r1.47.2.25 config.h.in
---- config.h.in	8 Jan 2007 02:03:17 -0000	1.47.2.25
-+++ config.h.in	6 Aug 2007 04:01:58 -0000
-@@ -17,5 +17,5 @@
-  */
- 
--/* $Id: bind-9.2.9-patch,v 1.1.2.2 2007/08/06 04:05:01 marka Exp $ */
-+/* $Id: bind-9.2.9-patch,v 1.1.2.2 2007/08/06 04:05:01 marka Exp $ */
- 
- /***
-@@ -178,7 +178,13 @@
- #undef HAVE_LINUX_CAPABILITY_H
- 
-+/* Define to 1 if you have the <locale.h> header file. */
-+#undef HAVE_LOCALE_H
-+
- /* Define to 1 if you have the <memory.h> header file. */
- #undef HAVE_MEMORY_H
- 
-+/* Define to 1 if you have the `setlocale' function. */
-+#undef HAVE_SETLOCALE
-+
- /* Define to 1 if you have the <stdint.h> header file. */
- #undef HAVE_STDINT_H
-@@ -249,4 +255,7 @@
- #undef USE_FIONBIO_IOCTL
- 
-+/* define if idnkit support is to be included. */
-+#undef WITH_IDN
-+
- /* Define to 1 if your processor stores words with the most significant byte
-    first (like Motorola and SPARC, unlike Intel and VAX). */
-Index: bin/dig/Makefile.in
-===================================================================
-RCS file: /proj/cvs/prod/bind9/bin/dig/Makefile.in,v
-retrieving revision 1.25.2.4
-diff -U2 -r1.25.2.4 Makefile.in
---- bin/dig/Makefile.in	18 Aug 2004 23:22:52 -0000	1.25.2.4
-+++ bin/dig/Makefile.in	6 Aug 2007 04:01:58 -0000
-@@ -37,5 +37,5 @@
- DEPLIBS =	${DNSDEPLIBS} ${ISCDEPLIBS}
- 
--LIBS =		${DNSLIBS} ${ISCLIBS} @LIBS@
-+LIBS =		${DNSLIBS} ${ISCLIBS} @IDNLIBS@ @LIBS@
- 
- SUBDIRS =
-Index: bin/dig/dig.1
-===================================================================
-RCS file: /proj/cvs/prod/bind9/bin/dig/dig.1,v
-retrieving revision 1.14.2.17
-diff -U2 -r1.14.2.17 dig.1
---- bin/dig/dig.1	16 May 2007 06:57:45 -0000	1.14.2.17
-+++ bin/dig/dig.1	6 Aug 2007 04:01:59 -0000
-@@ -445,4 +445,15 @@
- will not print the initial query when it looks up the NS records for
- isc.org.
-+.SH "IDN SUPPORT"
-+.PP
-+If
-+\fBdig\fR
-+has been built with IDN (internationalized domain name) support, it can accept and display non\-ASCII domain names.
-+\fBdig\fR
-+appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server. If you'd like to turn off the IDN support for some reason, defines the
-+\fBIDN_DISABLE\fR
-+environment variable. The IDN support is disabled if the the variable is set when
-+\fBdig\fR
-+runs.
- .SH "FILES"
- .PP
-Index: bin/dig/dig.docbook
-===================================================================
-RCS file: /proj/cvs/prod/bind9/bin/dig/dig.docbook,v
-retrieving revision 1.4.2.18
-diff -U2 -r1.4.2.18 dig.docbook
---- bin/dig/dig.docbook	16 May 2007 02:07:44 -0000	1.4.2.18
-+++ bin/dig/dig.docbook	6 Aug 2007 04:01:59 -0000
-@@ -556,4 +556,19 @@
- 
- <refsect1>
-+<title>IDN SUPPORT</title>
-+<para>
-+If <command>dig</command> has been built with IDN (internationalized
-+domain name) support, it can accept and display non-ASCII domain names.
-+<command>dig</command> appropriately converts character encoding of
-+domain name before sending a request to DNS server or displaying a
-+reply from the server.
-+If you'd like to turn off the IDN support for some reason, defines
-+the <envar>IDN_DISABLE</envar> environment variable.
-+The IDN support is disabled if the the variable is set when 
-+<command>dig</command> runs.
-+</para>
-+</refsect1>
-+
-+<refsect1>
- <title>FILES</title>
- <para>
-Index: bin/dig/dighost.c
-===================================================================
-RCS file: /proj/cvs/prod/bind9/bin/dig/dighost.c,v
-retrieving revision 1.221.2.38
-diff -U2 -r1.221.2.38 dighost.c
---- bin/dig/dighost.c	24 Apr 2007 07:46:40 -0000	1.221.2.38
-+++ bin/dig/dighost.c	6 Aug 2007 04:02:02 -0000
-@@ -33,4 +33,15 @@
- #include <limits.h>
- 
-+#ifdef HAVE_LOCALE_H
-+#include <locale.h>
-+#endif
-+
-+#ifdef WITH_IDN
-+#include <idn/result.h>
-+#include <idn/log.h>
-+#include <idn/resconf.h>
-+#include <idn/api.h>
-+#endif
-+
- #include <dns/byaddr.h>
- #include <dns/fixedname.h>
-@@ -134,4 +145,16 @@
- dig_lookup_t *current_lookup = NULL;
- 
-+#ifdef WITH_IDN
-+static void	      initialize_idn(void);
-+static isc_result_t   output_filter(isc_buffer_t *buffer,
-+				    unsigned int used_org,
-+				    isc_boolean_t absolute);
-+static idn_result_t   append_textname(char *name, const char *origin,
-+				      size_t namesize);
-+static void	      idn_check_result(idn_result_t r, const char *msg);
-+
-+#define MAXDLEN               256
-+#endif
-+
- /*
-  * Apply and clear locks at the event level in global task.
-@@ -739,4 +762,8 @@
- 	}
- 
-+#ifdef WITH_IDN
-+	initialize_idn();
-+#endif
-+
- 	if (keyfile[0] != 0)
- 		setup_file_key();
-@@ -1281,4 +1308,12 @@
- 	dns_compress_t cctx;
- 	char store[MXNAME];
-+#ifdef WITH_IDN
-+	idn_result_t mr;
-+	char utf8_textname[MXNAME], utf8_origin[MXNAME], idn_textname[MXNAME];
-+#endif
-+
-+#ifdef WITH_IDN
-+	dns_name_settotextfilter(output_filter);
-+#endif
- 
- 	REQUIRE(lookup != NULL);
-@@ -1309,4 +1344,15 @@
- 			sizeof(lookup->onamespace));
- 
-+#ifdef WITH_IDN
-+	/*
-+	 * We cannot convert `textname' and `origin' separately.
-+	 * `textname' doesn't contain TLD, but local mapping needs
-+	 * TLD.
-+	 */
-+	mr = idn_encodename(IDN_LOCALCONV | IDN_DELIMMAP, lookup->textname,
-+			    utf8_textname, sizeof(utf8_textname));
-+	idn_check_result(mr, "convert textname to UTF-8");
-+#endif
-+
- 	/*
- 	 * If the name has too many dots, force the origin to be NULL
-@@ -1317,4 +1363,14 @@
- 	 */
- 	if (lookup->new_search) {
-+#ifdef WITH_IDN
-+		if ((count_dots(utf8_textname) >= ndots) || !usesearch) {
-+			lookup->origin = NULL; /* Force abs lookup */
-+			lookup->done_as_is = ISC_TRUE;
-+			lookup->need_search = usesearch;
-+		} else if (lookup->origin == NULL && usesearch) {
-+			lookup->origin = ISC_LIST_HEAD(search_list);
-+			lookup->need_search = ISC_FALSE;
-+		}
-+#else
- 		if ((count_dots(lookup->textname) >= ndots) || !usesearch) {
- 			lookup->origin = NULL; /* Force abs lookup */
-@@ -1325,6 +1381,22 @@
- 			lookup->need_search = ISC_FALSE;
- 		}
-+#endif
- 	}
- 
-+#ifdef WITH_IDN
-+	if (lookup->origin != NULL) {
-+		mr = idn_encodename(IDN_LOCALCONV | IDN_DELIMMAP,
-+				    lookup->origin->origin, utf8_origin,
-+				    sizeof(utf8_origin));
-+		idn_check_result(mr, "convert origin to UTF-8");
-+		mr = append_textname(utf8_textname, utf8_origin,
-+				     sizeof(utf8_textname));
-+		idn_check_result(mr, "append origin to textname");
-+	}
-+	mr = idn_encodename(IDN_LOCALMAP | IDN_NAMEPREP | IDN_ASCCHECK |
-+			    IDN_IDNCONV | IDN_LENCHECK, utf8_textname,
-+			    idn_textname, sizeof(idn_textname));
-+	idn_check_result(mr, "convert UTF-8 textname to IDN encoding");
-+#else
- 	if (lookup->origin != NULL) {
- 		debug("trying origin %s", lookup->origin->origin);
-@@ -1367,9 +1439,20 @@
- 		}
- 		dns_message_puttempname(lookup->sendmsg, &lookup->oname);
--	} else {
-+	} else
-+#endif
-+	{
- 		debug("using root origin");
- 		if (lookup->trace && lookup->trace_root)
- 			dns_name_clone(dns_rootname, lookup->name);
- 		else {
-+#ifdef WITH_IDN
-+			len = strlen(idn_textname);
-+			isc_buffer_init(&b, idn_textname, len);
-+			isc_buffer_add(&b, len);
-+			result = dns_name_fromtext(lookup->name, &b,
-+						   dns_rootname,
-+						   ISC_FALSE,
-+						   &lookup->namebuf);
-+#else
- 			len = strlen(lookup->textname);
- 			isc_buffer_init(&b, lookup->textname, len);
-@@ -1379,4 +1462,5 @@
- 						   ISC_FALSE,
- 						   &lookup->namebuf);
-+#endif
- 		}
- 		if (result != ISC_R_SUCCESS) {
-@@ -2912,2 +2996,100 @@
- 		isc_mem_destroy(&mctx);
- }
-+
-+#ifdef WITH_IDN
-+static void
-+initialize_idn(void) {
-+	idn_result_t r;
-+
-+#ifdef HAVE_SETLOCALE
-+	/* Set locale */
-+	(void)setlocale(LC_ALL, "");
-+#endif
-+	/* Create configuration context. */
-+	r = idn_nameinit(1);
-+	if (r != idn_success)
-+		fatal("idn api initialization failed: %s",
-+		      idn_result_tostring(r));
-+
-+	/* Set domain name -> text post-conversion filter. */
-+	dns_name_settotextfilter(output_filter);
-+}
-+
-+static isc_result_t
-+output_filter(isc_buffer_t *buffer, unsigned int used_org,
-+	      isc_boolean_t absolute)
-+{
-+	char tmp1[MAXDLEN], tmp2[MAXDLEN];
-+	size_t fromlen, tolen;
-+	isc_boolean_t end_with_dot;
-+
-+	/*
-+	 * Copy contents of 'buffer' to 'tmp1', supply trailing dot
-+	 * if 'absolute' is true, and terminate with NUL.
-+	 */
-+	fromlen = isc_buffer_usedlength(buffer) - used_org;
-+	if (fromlen >= MAXDLEN)
-+		return (ISC_R_SUCCESS);
-+	memcpy(tmp1, (char *)isc_buffer_base(buffer) + used_org, fromlen);
-+	end_with_dot = (tmp1[fromlen - 1] == '.') ? ISC_TRUE : ISC_FALSE;
-+	if (absolute && !end_with_dot) {
-+		fromlen++;
-+		if (fromlen >= MAXDLEN)
-+			return (ISC_R_SUCCESS);
-+		tmp1[fromlen - 1] = '.';
-+	}
-+	tmp1[fromlen] = '\0';
-+
-+	/*
-+	 * Convert contents of 'tmp1' to local encoding.
-+	 */
-+	if (idn_decodename(IDN_DECODE_APP, tmp1, tmp2, MAXDLEN) != idn_success)
-+		return (ISC_R_SUCCESS);
-+	strcpy(tmp1, tmp2);
-+
-+	/*
-+	 * Copy the converted contents in 'tmp1' back to 'buffer'.
-+	 * If we have appended trailing dot, remove it.
-+	 */
-+	tolen = strlen(tmp1);
-+	if (absolute && !end_with_dot && tmp1[tolen - 1] == '.')
-+		tolen--;
-+
-+	if (isc_buffer_length(buffer) < used_org + tolen)
-+		return (ISC_R_NOSPACE);
-+
-+	isc_buffer_subtract(buffer, isc_buffer_usedlength(buffer) - used_org);
-+	memcpy(isc_buffer_used(buffer), tmp1, tolen);
-+	isc_buffer_add(buffer, tolen);
-+
-+	return (ISC_R_SUCCESS);
-+}
-+
-+static idn_result_t
-+append_textname(char *name, const char *origin, size_t namesize) {
-+	size_t namelen = strlen(name);
-+	size_t originlen = strlen(origin);
-+
-+	/* Already absolute? */
-+	if (namelen > 0 && name[namelen - 1] == '.')
-+		return idn_success;
-+
-+	/* Append dot and origin */
-+
-+	if (namelen + 1 + originlen >= namesize)
-+		return idn_buffer_overflow;
-+
-+	name[namelen++] = '.';
-+	(void)strcpy(name + namelen, origin);
-+	return idn_success;
-+}
-+
-+static void
-+idn_check_result(idn_result_t r, const char *msg) {
-+	if (r != idn_success) {
-+		exitcode = 1;
-+		fatal("%s: %s", msg, idn_result_tostring(r));
-+	}
-+}
-+
-+#endif /* WITH_IDN */
-Index: bin/dig/host.1
-===================================================================
-RCS file: /proj/cvs/prod/bind9/bin/dig/host.1,v
-retrieving revision 1.11.2.9
-diff -U2 -r1.11.2.9 host.1
---- bin/dig/host.1	9 May 2007 03:32:21 -0000	1.11.2.9
-+++ bin/dig/host.1	6 Aug 2007 04:02:02 -0000
-@@ -168,4 +168,15 @@
- \fBhost\fR
- will effectively wait forever for a reply. The time to wait for a response will be set to the number of seconds given by the hardware's maximum value for an integer quantity.
-+.SH "IDN SUPPORT"
-+.PP
-+If
-+\fBhost\fR
-+has been built with IDN (internationalized domain name) support, it can accept and display non\-ASCII domain names.
-+\fBhost\fR
-+appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server. If you'd like to turn off the IDN support for some reason, defines the
-+\fBIDN_DISABLE\fR
-+environment variable. The IDN support is disabled if the the variable is set when
-+\fBhost\fR
-+runs.
- .SH "FILES"
- .PP
-Index: bin/dig/host.docbook
-===================================================================
-RCS file: /proj/cvs/prod/bind9/bin/dig/host.docbook,v
-retrieving revision 1.2.2.8
-diff -U2 -r1.2.2.8 host.docbook
---- bin/dig/host.docbook	9 May 2007 02:11:44 -0000	1.2.2.8
-+++ bin/dig/host.docbook	6 Aug 2007 04:02:03 -0000
-@@ -200,4 +200,19 @@
- 
- <refsect1>
-+<title>IDN SUPPORT</title>
-+<para>
-+If <command>host</command> has been built with IDN (internationalized
-+domain name) support, it can accept and display non-ASCII domain names.
-+<command>host</command> appropriately converts character encoding of
-+domain name before sending a request to DNS server or displaying a
-+reply from the server.
-+If you'd like to turn off the IDN support for some reason, defines
-+the <envar>IDN_DISABLE</envar> environment variable.
-+The IDN support is disabled if the the variable is set when
-+<command>host</command> runs.
-+</para>
-+</refsect1>
-+
-+<refsect1>
- <title>FILES</title>
- <para>
-Index: lib/dns/name.c
-===================================================================
-RCS file: /proj/cvs/prod/bind9/lib/dns/name.c,v
-retrieving revision 1.127.2.15
-diff -U2 -r1.127.2.15 name.c
---- lib/dns/name.c	7 Dec 2006 07:02:47 -0000	1.127.2.15
-+++ lib/dns/name.c	6 Aug 2007 04:02:05 -0000
-@@ -199,4 +199,11 @@
- dns_fullname_hash(dns_name_t *name, isc_boolean_t case_sensitive);
- 
-+#ifdef WITH_IDN
-+/*
-+ * dns_name_t to text post-conversion procedure.
-+ */
-+static dns_name_totextfilter_t totext_filter_proc = NULL;
-+#endif
-+
- static void
- set_offsets(const dns_name_t *name, unsigned char *offsets,
-@@ -1715,4 +1722,7 @@
- 	isc_boolean_t saw_root = ISC_FALSE;
- 	char num[4];
-+#ifdef WITH_IDN
-+	unsigned int oused = target->used;
-+#endif
- 
- 	/*
-@@ -1895,4 +1905,8 @@
- 	isc_buffer_add(target, tlen - trem);
- 
-+#ifdef WITH_IDN
-+	if (totext_filter_proc != NULL)
-+		return ((*totext_filter_proc)(target, oused, saw_root));
-+#endif
- 	return (ISC_R_SUCCESS);
- }
-@@ -3361,2 +3375,8 @@
- }
- 
-+#ifdef WITH_IDN
-+void
-+dns_name_settotextfilter(dns_name_totextfilter_t proc) {
-+	totext_filter_proc = proc;
-+}
-+#endif
-Index: lib/dns/include/dns/name.h
-===================================================================
-RCS file: /proj/cvs/prod/bind9/lib/dns/include/dns/name.h,v
-retrieving revision 1.95.2.11
-diff -U2 -r1.95.2.11 name.h
---- lib/dns/include/dns/name.h	2 Mar 2006 00:37:17 -0000	1.95.2.11
-+++ lib/dns/include/dns/name.h	6 Aug 2007 04:02:06 -0000
-@@ -220,4 +220,15 @@
- #define DNS_NAME_MAXWIRE 255
- 
-+#ifdef WITH_IDN
-+/*
-+ * Text output filter procedure.
-+ * 'target' is the buffer to be converted.  The region to be converted
-+ * is from 'buffer'->base + 'used_org' to the end of the used region.
-+ */
-+typedef isc_result_t (*dns_name_totextfilter_t)(isc_buffer_t *target,
-+						unsigned int used_org,
-+						isc_boolean_t absolute);
-+#endif
-+
- /***
-  *** Initialization
-@@ -1266,4 +1277,12 @@
-  */
- 
-+#ifdef WITH_IDN
-+void
-+dns_name_settotextfilter(dns_name_totextfilter_t proc);
-+/*
-+ * Call 'proc' at the end of dns_name_totext.
-+ */
-+#endif /* WITH_IDN */
-+
- #define DNS_NAME_FORMATSIZE (DNS_NAME_MAXTEXT + 1)
- /*
diff --git a/contrib/idn/idnkit-1.0-src/patch/bind9/bind-9.2.4-patch b/contrib/idn/idnkit-1.0-src/patch/bind9/bind-9.3.0-patch
index 95f00168..12d544c5 100644
--- a/contrib/idn/idnkit-1.0-src/patch/bind9/bind-9.2.4-patch
+++ b/contrib/idn/idnkit-1.0-src/patch/bind9/bind-9.3.0-patch
@@ -1,8 +1,8 @@
-IDN patch for bind-9.2.4
+IDN patch for bind-9.3.0
 ========================
 
 
-This is a patch file for ISC BIND 9.2.4 to make it work with
+This is a patch file for ISC BIND 9.3.0 to make it work with
 internationalized domain names.  With this patch you'll get IDN-aware
 dig/host/nslookup.
 
@@ -10,15 +10,15 @@ To apply this patch, you should go to the top directory of the BIND
 distribution (where you see `README' file), then invoke `patch'
 command like this:
 
-	% patch -p0 < this-file
+        % patch -p0 < this-file
 
 Then follow the instructions described in `README.idnkit' to compile
 and install.
 
 
 Index: README.idnkit
---- /dev/null	Wed Sep  1 17:46:18 2004
-+++ README.idnkit	Wed Sep  1 17:33:56 2004
+--- /dev/null	Tue Apr 13 13:44:07 2004
++++ README.idnkit	Tue Apr 13 13:36:50 2004
 @@ -0,0 +1,113 @@
 +
 +			BIND-9 IDN patch
@@ -133,21 +133,66 @@ Index: README.idnkit
 +
 +
 +; $Id: bind-9.2.2-patch,v 1.1.1.1 2003/06/04 00:27:32 marka Exp $
+Index: config.h.in
+===================================================================
+RCS file: /proj/cvs/prod/bind9/config.h.in,v
+retrieving revision 1.47.2.3.2.9
+diff -U2 -r1.47.2.3.2.9 config.h.in
+--- config.h.in	14 Mar 2004 23:55:14 -0000	1.47.2.3.2.9
++++ config.h.in	13 Apr 2004 03:44:24 -0000
+@@ -17,5 +17,5 @@
+  */
+ 
+-/* $Id: config.h.in,v 1.47.2.3.2.9 2004/03/14 23:55:14 marka Exp $ */
++/* $Id: acconfig.h,v 1.35.2.4.2.7 2004/03/08 04:04:12 marka Exp $ */
+ 
+ /***
+@@ -165,4 +165,7 @@
+ #undef HAVE_LINUX_CAPABILITY_H
+ 
++/* Define to 1 if you have the <locale.h> header file. */
++#undef HAVE_LOCALE_H
++
+ /* Define to 1 if you have the <memory.h> header file. */
+ #undef HAVE_MEMORY_H
+@@ -171,4 +174,7 @@
+ #undef HAVE_NET_IF6_H
+ 
++/* Define to 1 if you have the `setlocale' function. */
++#undef HAVE_SETLOCALE
++
+ /* Define to 1 if you have the <stdint.h> header file. */
+ #undef HAVE_STDINT_H
+@@ -234,4 +240,7 @@
+ #undef TIME_WITH_SYS_TIME
+ 
++/* define if idnkit support is to be included. */
++#undef WITH_IDN
++
+ /* Define to 1 if your processor stores words with the most significant byte
+    first (like Motorola and SPARC, unlike Intel and VAX). */
 Index: configure
 ===================================================================
 RCS file: /proj/cvs/prod/bind9/configure,v
-retrieving revision 1.284.2.32
-diff -U2 -r1.284.2.32 configure
---- configure	1 Sep 2004 07:11:22 -0000	1.284.2.32
-+++ configure	1 Sep 2004 07:50:08 -0000
-@@ -466,5 +466,5 @@
+retrieving revision 1.284.2.19.2.19
+diff -U2 -r1.284.2.19.2.19 configure
+--- configure	14 Mar 2004 00:00:31 -0000	1.284.2.19.2.19
++++ configure	13 Apr 2004 03:45:28 -0000
+@@ -15,5 +15,5 @@
+ # PERFORMANCE OF THIS SOFTWARE.
+ #
+-# $Id: configure,v 1.284.2.19.2.19 2004/03/14 00:00:31 marka Exp $
++# $Id: COPYRIGHT,v 1.6.2.2.8.2 2004/03/08 04:04:12 marka Exp $
+ #
+ # Portions Copyright (C) 1996-2001  Nominum, Inc.
+@@ -496,5 +496,5 @@
  #endif"
  
--ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix program_transform_name bindir sbindir libexecdir datadir sysconfdir sharedstatedir localstatedir libdir includedir oldincludedir infodir mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T LIBS subdirs build build_cpu build_vendor build_os host host_cpu host_vendor host_os SET_MAKE RANLIB ac_ct_RANLIB INSTALL_PROGRAM INSTALL_SCRIPT INSTALL_DATA STD_CINCLUDES STD_CDEFINES STD_CWARNINGS CCOPT AR ARFLAGS LN ETAGS PERL CC CFLAGS LDFLAGS CPPFLAGS ac_ct_CC EXEEXT OBJEXT CPP EGREP ISC_PLATFORM_HAVELONGLONG ISC_PLATFORM_NEEDSYSSELECTH LWRES_PLATFORM_NEEDSYSSELECTH DST_OPENSSL_INC DNS_OPENSSL_LIBS USE_OPENSSL USE_GSSAPI DST_GSSAPI_INC DNS_GSSAPI_LIBS ALWAYS_DEFINES ISC_PLATFORM_USETHREADS ISC_THREAD_DIR MKDEPCC MKDEPCFLAGS MKDEPPROG IRIX_DNSSEC_WARNINGS_HACK purify_path PURIFY LN_S ECHO ac_ct_AR STRIP ac_ct_STRIP CXX CXXFLAGS ac_ct_CXX CXXCPP F77 FFLAGS ac_ct_F77 LIBTOOL O A SA LIBTOOL_MKDEP_SED LIBTOOL_MODE_COMPILE LIBTOOL_MODE_INSTALL LIBTOOL_MODE_LINK LIBBIND ISC_PLATFORM_HAVEIPV6 LWRES_PLATFORM_HAVEIPV6 ISC_PLATFORM_NEEDNETINETIN6H LWRES_PLATFORM_NEEDNETINETIN6H ISC_PLATFORM_NEEDNETINET6IN6H LWRES_PLATFORM_NEEDNETINET6IN6H ISC_PLATFORM_HAVEINADDR6 LWRES_PLATFORM_HAVEINADDR6 ISC_PLATFORM_NEEDIN6ADDRANY LWRES_PLATFORM_NEEDIN6ADDRANY ISC_PLATFORM_NEEDIN6ADDRLOOPBACK LWRES_PLATFORM_NEEDIN6ADDRLOOPBACK ISC_PLATFORM_HAVEIN6PKTINFO ISC_PLATFORM_FIXIN6ISADDR ISC_IPV6_H ISC_IPV6_O ISC_ISCIPV6_O ISC_IPV6_C LWRES_HAVE_SIN6_SCOPE_ID ISC_PLATFORM_NEEDNTOP ISC_PLATFORM_NEEDPTON ISC_PLATFORM_NEEDATON ISC_PLATFORM_HAVESALEN LWRES_PLATFORM_HAVESALEN ISC_PLATFORM_MSGHDRFLAVOR ISC_PLATFORM_NEEDPORTT ISC_LWRES_NEEDADDRINFO ISC_LWRES_NEEDRRSETINFO ISC_LWRES_SETHOSTENTINT ISC_LWRES_ENDHOSTENTINT ISC_LWRES_GETNETBYADDRINADDR ISC_LWRES_SETNETENTINT ISC_LWRES_ENDNETENTINT ISC_LWRES_GETHOSTBYADDRVOID ISC_LWRES_NEEDHERRNO ISC_LWRES_GETIPNODEPROTO ISC_LWRES_GETADDRINFOPROTO ISC_LWRES_GETNAMEINFOPROTO ISC_PLATFORM_NEEDSTRSEP ISC_PLATFORM_NEEDVSNPRINTF LWRES_PLATFORM_NEEDVSNPRINTF ISC_EXTRA_OBJS ISC_EXTRA_SRCS ISC_PLATFORM_QUADFORMAT ISC_PLATFORM_RLIMITTYPE ISC_PLATFORM_USEDECLSPEC LWRES_PLATFORM_USEDECLSPEC ISC_PLATFORM_BRACEPTHREADONCEINIT OPENJADE JADETEX PDFJADETEX SGMLCATALOG HTMLSTYLE PRINTSTYLE XMLDCL DOCBOOK2MANSPEC BIND9_TOP_BUILDDIR BIND9_ISC_BUILDINCLUDE BIND9_ISCCC_BUILDINCLUDE BIND9_ISCCFG_BUILDINCLUDE BIND9_DNS_BUILDINCLUDE BIND9_LWRES_BUILDINCLUDE BIND9_VERSION LIBOBJS LTLIBOBJS'
-+ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix program_transform_name bindir sbindir libexecdir datadir sysconfdir sharedstatedir localstatedir libdir includedir oldincludedir infodir mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T LIBS subdirs build build_cpu build_vendor build_os host host_cpu host_vendor host_os SET_MAKE RANLIB ac_ct_RANLIB INSTALL_PROGRAM INSTALL_SCRIPT INSTALL_DATA STD_CINCLUDES STD_CDEFINES STD_CWARNINGS CCOPT AR ARFLAGS LN ETAGS PERL CC CFLAGS LDFLAGS CPPFLAGS ac_ct_CC EXEEXT OBJEXT CPP EGREP ISC_PLATFORM_HAVELONGLONG ISC_PLATFORM_NEEDSYSSELECTH LWRES_PLATFORM_NEEDSYSSELECTH DST_OPENSSL_INC DNS_OPENSSL_LIBS USE_OPENSSL USE_GSSAPI DST_GSSAPI_INC DNS_GSSAPI_LIBS ALWAYS_DEFINES ISC_PLATFORM_USETHREADS ISC_THREAD_DIR MKDEPCC MKDEPCFLAGS MKDEPPROG IRIX_DNSSEC_WARNINGS_HACK purify_path PURIFY LN_S ECHO ac_ct_AR STRIP ac_ct_STRIP CXX CXXFLAGS ac_ct_CXX CXXCPP F77 FFLAGS ac_ct_F77 LIBTOOL O A SA LIBTOOL_MKDEP_SED LIBTOOL_MODE_COMPILE LIBTOOL_MODE_INSTALL LIBTOOL_MODE_LINK LIBBIND ISC_PLATFORM_HAVEIPV6 LWRES_PLATFORM_HAVEIPV6 ISC_PLATFORM_NEEDNETINETIN6H LWRES_PLATFORM_NEEDNETINETIN6H ISC_PLATFORM_NEEDNETINET6IN6H LWRES_PLATFORM_NEEDNETINET6IN6H ISC_PLATFORM_HAVEINADDR6 LWRES_PLATFORM_HAVEINADDR6 ISC_PLATFORM_NEEDIN6ADDRANY LWRES_PLATFORM_NEEDIN6ADDRANY ISC_PLATFORM_NEEDIN6ADDRLOOPBACK LWRES_PLATFORM_NEEDIN6ADDRLOOPBACK ISC_PLATFORM_HAVEIN6PKTINFO ISC_PLATFORM_FIXIN6ISADDR ISC_IPV6_H ISC_IPV6_O ISC_ISCIPV6_O ISC_IPV6_C LWRES_HAVE_SIN6_SCOPE_ID ISC_PLATFORM_NEEDNTOP ISC_PLATFORM_NEEDPTON ISC_PLATFORM_NEEDATON ISC_PLATFORM_HAVESALEN LWRES_PLATFORM_HAVESALEN ISC_PLATFORM_MSGHDRFLAVOR ISC_PLATFORM_NEEDPORTT ISC_LWRES_NEEDADDRINFO ISC_LWRES_NEEDRRSETINFO ISC_LWRES_SETHOSTENTINT ISC_LWRES_ENDHOSTENTINT ISC_LWRES_GETNETBYADDRINADDR ISC_LWRES_SETNETENTINT ISC_LWRES_ENDNETENTINT ISC_LWRES_GETHOSTBYADDRVOID ISC_LWRES_NEEDHERRNO ISC_LWRES_GETIPNODEPROTO ISC_LWRES_GETADDRINFOPROTO ISC_LWRES_GETNAMEINFOPROTO ISC_PLATFORM_NEEDSTRSEP ISC_PLATFORM_NEEDVSNPRINTF LWRES_PLATFORM_NEEDVSNPRINTF ISC_EXTRA_OBJS ISC_EXTRA_SRCS ISC_PLATFORM_QUADFORMAT ISC_PLATFORM_RLIMITTYPE ISC_PLATFORM_USEDECLSPEC LWRES_PLATFORM_USEDECLSPEC ISC_PLATFORM_BRACEPTHREADONCEINIT OPENJADE JADETEX PDFJADETEX SGMLCATALOG HTMLSTYLE PRINTSTYLE XMLDCL DOCBOOK2MANSPEC IDNLIBS BIND9_TOP_BUILDDIR BIND9_ISC_BUILDINCLUDE BIND9_ISCCC_BUILDINCLUDE BIND9_ISCCFG_BUILDINCLUDE BIND9_DNS_BUILDINCLUDE BIND9_LWRES_BUILDINCLUDE BIND9_VERSION LIBOBJS LTLIBOBJS'
- ac_subst_files='BIND9_INCLUDES BIND9_MAKE_RULES LIBISC_API LIBISCCC_API LIBISCCFG_API LIBDNS_API LIBLWRES_API'
+-ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix program_transform_name bindir sbindir libexecdir datadir sysconfdir sharedstatedir localstatedir libdir includedir oldincludedir infodir mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T LIBS subdirs build build_cpu build_vendor build_os host host_cpu host_vendor host_os SET_MAKE RANLIB ac_ct_RANLIB INSTALL_PROGRAM INSTALL_SCRIPT INSTALL_DATA STD_CINCLUDES STD_CDEFINES STD_CWARNINGS CCOPT AR ARFLAGS LN ETAGS PERL CC CFLAGS LDFLAGS CPPFLAGS ac_ct_CC EXEEXT OBJEXT CPP EGREP ISC_PLATFORM_HAVELONGLONG ISC_PLATFORM_HAVELIFCONF ISC_PLATFORM_NEEDSYSSELECTH LWRES_PLATFORM_NEEDSYSSELECTH USE_OPENSSL DST_OPENSSL_INC USE_GSSAPI DST_GSSAPI_INC DNS_CRYPTO_LIBS ALWAYS_DEFINES ISC_PLATFORM_USETHREADS ISC_THREAD_DIR MKDEPCC MKDEPCFLAGS MKDEPPROG IRIX_DNSSEC_WARNINGS_HACK purify_path PURIFY LN_S ECHO ac_ct_AR STRIP ac_ct_STRIP CXX CXXFLAGS ac_ct_CXX CXXCPP F77 FFLAGS ac_ct_F77 LIBTOOL O A SA LIBTOOL_MKDEP_SED LIBTOOL_MODE_COMPILE LIBTOOL_MODE_INSTALL LIBTOOL_MODE_LINK LIBBIND ISC_PLATFORM_HAVEIPV6 LWRES_PLATFORM_HAVEIPV6 ISC_PLATFORM_NEEDNETINETIN6H LWRES_PLATFORM_NEEDNETINETIN6H ISC_PLATFORM_NEEDNETINET6IN6H LWRES_PLATFORM_NEEDNETINET6IN6H ISC_PLATFORM_HAVEINADDR6 LWRES_PLATFORM_HAVEINADDR6 ISC_PLATFORM_NEEDIN6ADDRANY LWRES_PLATFORM_NEEDIN6ADDRANY ISC_PLATFORM_NEEDIN6ADDRLOOPBACK LWRES_PLATFORM_NEEDIN6ADDRLOOPBACK ISC_PLATFORM_HAVEIN6PKTINFO ISC_PLATFORM_FIXIN6ISADDR ISC_IPV6_H ISC_IPV6_O ISC_ISCIPV6_O ISC_IPV6_C LWRES_HAVE_SIN6_SCOPE_ID ISC_PLATFORM_HAVESCOPEID ISC_PLATFORM_HAVEIF_LADDRREQ ISC_PLATFORM_HAVEIF_LADDRCONF ISC_PLATFORM_NEEDNTOP ISC_PLATFORM_NEEDPTON ISC_PLATFORM_NEEDATON ISC_PLATFORM_HAVESALEN LWRES_PLATFORM_HAVESALEN ISC_PLATFORM_MSGHDRFLAVOR ISC_PLATFORM_NEEDPORTT ISC_LWRES_NEEDADDRINFO ISC_LWRES_NEEDRRSETINFO ISC_LWRES_SETHOSTENTINT ISC_LWRES_ENDHOSTENTINT ISC_LWRES_GETNETBYADDRINADDR ISC_LWRES_SETNETENTINT ISC_LWRES_ENDNETENTINT ISC_LWRES_GETHOSTBYADDRVOID ISC_LWRES_NEEDHERRNO ISC_LWRES_GETIPNODEPROTO ISC_LWRES_GETADDRINFOPROTO ISC_LWRES_GETNAMEINFOPROTO ISC_PLATFORM_NEEDSTRSEP ISC_PLATFORM_NEEDMEMMOVE ISC_PLATFORM_NEEDSTRTOUL ISC_PLATFORM_NEEDSTRLCPY ISC_PLATFORM_NEEDSTRLCAT ISC_PLATFORM_NEEDSPRINTF ISC_PLATFORM_NEEDVSNPRINTF ISC_EXTRA_OBJS ISC_EXTRA_SRCS ISC_PLATFORM_QUADFORMAT ISC_PLATFORM_RLIMITTYPE ISC_PLATFORM_USEDECLSPEC LWRES_PLATFORM_USEDECLSPEC ISC_PLATFORM_BRACEPTHREADONCEINIT ISC_PLATFORM_HAVEIFNAMETOINDEX OPENJADE JADETEX PDFJADETEX SGMLCATALOG HTMLSTYLE PRINTSTYLE XMLDCL DOCBOOK2MANSPEC BIND9_TOP_BUILDDIR BIND9_ISC_BUILDINCLUDE BIND9_ISCCC_BUILDINCLUDE BIND9_ISCCFG_BUILDINCLUDE BIND9_DNS_BUILDINCLUDE BIND9_LWRES_BUILDINCLUDE BIND9_BIND9_BUILDINCLUDE BIND9_VERSION LIBOBJS LTLIBOBJS'
++ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix program_transform_name bindir sbindir libexecdir datadir sysconfdir sharedstatedir localstatedir libdir includedir oldincludedir infodir mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T LIBS subdirs build build_cpu build_vendor build_os host host_cpu host_vendor host_os SET_MAKE RANLIB ac_ct_RANLIB INSTALL_PROGRAM INSTALL_SCRIPT INSTALL_DATA STD_CINCLUDES STD_CDEFINES STD_CWARNINGS CCOPT AR ARFLAGS LN ETAGS PERL CC CFLAGS LDFLAGS CPPFLAGS ac_ct_CC EXEEXT OBJEXT CPP EGREP ISC_PLATFORM_HAVELONGLONG ISC_PLATFORM_HAVELIFCONF ISC_PLATFORM_NEEDSYSSELECTH LWRES_PLATFORM_NEEDSYSSELECTH USE_OPENSSL DST_OPENSSL_INC USE_GSSAPI DST_GSSAPI_INC DNS_CRYPTO_LIBS ALWAYS_DEFINES ISC_PLATFORM_USETHREADS ISC_THREAD_DIR MKDEPCC MKDEPCFLAGS MKDEPPROG IRIX_DNSSEC_WARNINGS_HACK purify_path PURIFY LN_S ECHO ac_ct_AR STRIP ac_ct_STRIP CXX CXXFLAGS ac_ct_CXX CXXCPP F77 FFLAGS ac_ct_F77 LIBTOOL O A SA LIBTOOL_MKDEP_SED LIBTOOL_MODE_COMPILE LIBTOOL_MODE_INSTALL LIBTOOL_MODE_LINK LIBBIND ISC_PLATFORM_HAVEIPV6 LWRES_PLATFORM_HAVEIPV6 ISC_PLATFORM_NEEDNETINETIN6H LWRES_PLATFORM_NEEDNETINETIN6H ISC_PLATFORM_NEEDNETINET6IN6H LWRES_PLATFORM_NEEDNETINET6IN6H ISC_PLATFORM_HAVEINADDR6 LWRES_PLATFORM_HAVEINADDR6 ISC_PLATFORM_NEEDIN6ADDRANY LWRES_PLATFORM_NEEDIN6ADDRANY ISC_PLATFORM_NEEDIN6ADDRLOOPBACK LWRES_PLATFORM_NEEDIN6ADDRLOOPBACK ISC_PLATFORM_HAVEIN6PKTINFO ISC_PLATFORM_FIXIN6ISADDR ISC_IPV6_H ISC_IPV6_O ISC_ISCIPV6_O ISC_IPV6_C LWRES_HAVE_SIN6_SCOPE_ID ISC_PLATFORM_HAVESCOPEID ISC_PLATFORM_HAVEIF_LADDRREQ ISC_PLATFORM_HAVEIF_LADDRCONF ISC_PLATFORM_NEEDNTOP ISC_PLATFORM_NEEDPTON ISC_PLATFORM_NEEDATON ISC_PLATFORM_HAVESALEN LWRES_PLATFORM_HAVESALEN ISC_PLATFORM_MSGHDRFLAVOR ISC_PLATFORM_NEEDPORTT ISC_LWRES_NEEDADDRINFO ISC_LWRES_NEEDRRSETINFO ISC_LWRES_SETHOSTENTINT ISC_LWRES_ENDHOSTENTINT ISC_LWRES_GETNETBYADDRINADDR ISC_LWRES_SETNETENTINT ISC_LWRES_ENDNETENTINT ISC_LWRES_GETHOSTBYADDRVOID ISC_LWRES_NEEDHERRNO ISC_LWRES_GETIPNODEPROTO ISC_LWRES_GETADDRINFOPROTO ISC_LWRES_GETNAMEINFOPROTO ISC_PLATFORM_NEEDSTRSEP ISC_PLATFORM_NEEDMEMMOVE ISC_PLATFORM_NEEDSTRTOUL ISC_PLATFORM_NEEDSTRLCPY ISC_PLATFORM_NEEDSTRLCAT ISC_PLATFORM_NEEDSPRINTF ISC_PLATFORM_NEEDVSNPRINTF ISC_EXTRA_OBJS ISC_EXTRA_SRCS ISC_PLATFORM_QUADFORMAT ISC_PLATFORM_RLIMITTYPE ISC_PLATFORM_USEDECLSPEC LWRES_PLATFORM_USEDECLSPEC ISC_PLATFORM_BRACEPTHREADONCEINIT ISC_PLATFORM_HAVEIFNAMETOINDEX OPENJADE JADETEX PDFJADETEX SGMLCATALOG HTMLSTYLE PRINTSTYLE XMLDCL DOCBOOK2MANSPEC IDNLIBS BIND9_TOP_BUILDDIR BIND9_ISC_BUILDINCLUDE BIND9_ISCCC_BUILDINCLUDE BIND9_ISCCFG_BUILDINCLUDE BIND9_DNS_BUILDINCLUDE BIND9_LWRES_BUILDINCLUDE BIND9_BIND9_BUILDINCLUDE BIND9_VERSION LIBOBJS LTLIBOBJS'
+ ac_subst_files='BIND9_MAKE_INCLUDES BIND9_MAKE_RULES LIBISC_API LIBISCCC_API LIBISCCFG_API LIBDNS_API LIBBIND9_API LIBLWRES_API'
  
-@@ -1048,4 +1048,8 @@
+@@ -1081,4 +1081,8 @@
                            include additional configurations [automatic]
    --with-kame=PATH	use Kame IPv6 default path /usr/local/v6
 +  --with-idn=MPREFIX   enable IDN support using idnkit default PREFIX
@@ -156,183 +201,183 @@ diff -U2 -r1.284.2.32 configure
 +  --with-idnlib=ARG    specify libidnkit
  
  Some influential environment variables:
-@@ -7759,5 +7763,5 @@
+@@ -7816,5 +7820,5 @@
  *-*-irix6*)
    # Find out which ABI we are using.
--  echo '#line 7761 "configure"' > conftest.$ac_ext
-+  echo '#line 7765 "configure"' > conftest.$ac_ext
+-  echo '#line 7818 "configure"' > conftest.$ac_ext
++  echo '#line 7822 "configure"' > conftest.$ac_ext
    if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
    (eval $ac_compile) 2>&5
-@@ -8749,5 +8753,5 @@
+@@ -8806,5 +8810,5 @@
  
  # Provide some information about the compiler.
--echo "$as_me:8751:" \
-+echo "$as_me:8755:" \
+-echo "$as_me:8808:" \
++echo "$as_me:8812:" \
       "checking for Fortran 77 compiler version" >&5
  ac_compiler=`set X $ac_compile; echo $2`
-@@ -9787,9 +9791,9 @@
+@@ -9844,9 +9848,9 @@
     -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
     -e 's:$: $lt_compiler_flag:'`
--   (eval echo "\"\$as_me:9789: $lt_compile\"" >&5)
-+   (eval echo "\"\$as_me:9793: $lt_compile\"" >&5)
+-   (eval echo "\"\$as_me:9846: $lt_compile\"" >&5)
++   (eval echo "\"\$as_me:9850: $lt_compile\"" >&5)
     (eval "$lt_compile" 2>conftest.err)
     ac_status=$?
     cat conftest.err >&5
--   echo "$as_me:9793: \$? = $ac_status" >&5
-+   echo "$as_me:9797: \$? = $ac_status" >&5
+-   echo "$as_me:9850: \$? = $ac_status" >&5
++   echo "$as_me:9854: \$? = $ac_status" >&5
     if (exit $ac_status) && test -s "$ac_outfile"; then
       # The compiler can only warn and ignore the option if not recognized
-@@ -10020,9 +10024,9 @@
+@@ -10077,9 +10081,9 @@
     -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
     -e 's:$: $lt_compiler_flag:'`
--   (eval echo "\"\$as_me:10022: $lt_compile\"" >&5)
-+   (eval echo "\"\$as_me:10026: $lt_compile\"" >&5)
+-   (eval echo "\"\$as_me:10079: $lt_compile\"" >&5)
++   (eval echo "\"\$as_me:10083: $lt_compile\"" >&5)
     (eval "$lt_compile" 2>conftest.err)
     ac_status=$?
     cat conftest.err >&5
--   echo "$as_me:10026: \$? = $ac_status" >&5
-+   echo "$as_me:10030: \$? = $ac_status" >&5
+-   echo "$as_me:10083: \$? = $ac_status" >&5
++   echo "$as_me:10087: \$? = $ac_status" >&5
     if (exit $ac_status) && test -s "$ac_outfile"; then
       # The compiler can only warn and ignore the option if not recognized
-@@ -10080,9 +10084,9 @@
+@@ -10137,9 +10141,9 @@
     -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
     -e 's:$: $lt_compiler_flag:'`
--   (eval echo "\"\$as_me:10082: $lt_compile\"" >&5)
-+   (eval echo "\"\$as_me:10086: $lt_compile\"" >&5)
+-   (eval echo "\"\$as_me:10139: $lt_compile\"" >&5)
++   (eval echo "\"\$as_me:10143: $lt_compile\"" >&5)
     (eval "$lt_compile" 2>out/conftest.err)
     ac_status=$?
     cat out/conftest.err >&5
--   echo "$as_me:10086: \$? = $ac_status" >&5
-+   echo "$as_me:10090: \$? = $ac_status" >&5
+-   echo "$as_me:10143: \$? = $ac_status" >&5
++   echo "$as_me:10147: \$? = $ac_status" >&5
     if (exit $ac_status) && test -s out/conftest2.$ac_objext
     then
-@@ -12264,5 +12268,5 @@
+@@ -12321,5 +12325,5 @@
    lt_status=$lt_dlunknown
    cat > conftest.$ac_ext <<EOF
--#line 12266 "configure"
-+#line 12270 "configure"
+-#line 12323 "configure"
++#line 12327 "configure"
  #include "confdefs.h"
  
-@@ -12362,5 +12366,5 @@
+@@ -12419,5 +12423,5 @@
    lt_status=$lt_dlunknown
    cat > conftest.$ac_ext <<EOF
--#line 12364 "configure"
-+#line 12368 "configure"
+-#line 12421 "configure"
++#line 12425 "configure"
  #include "confdefs.h"
  
-@@ -14545,9 +14549,9 @@
+@@ -14602,9 +14606,9 @@
     -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
     -e 's:$: $lt_compiler_flag:'`
--   (eval echo "\"\$as_me:14547: $lt_compile\"" >&5)
-+   (eval echo "\"\$as_me:14551: $lt_compile\"" >&5)
+-   (eval echo "\"\$as_me:14604: $lt_compile\"" >&5)
++   (eval echo "\"\$as_me:14608: $lt_compile\"" >&5)
     (eval "$lt_compile" 2>conftest.err)
     ac_status=$?
     cat conftest.err >&5
--   echo "$as_me:14551: \$? = $ac_status" >&5
-+   echo "$as_me:14555: \$? = $ac_status" >&5
+-   echo "$as_me:14608: \$? = $ac_status" >&5
++   echo "$as_me:14612: \$? = $ac_status" >&5
     if (exit $ac_status) && test -s "$ac_outfile"; then
       # The compiler can only warn and ignore the option if not recognized
-@@ -14605,9 +14609,9 @@
+@@ -14662,9 +14666,9 @@
     -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
     -e 's:$: $lt_compiler_flag:'`
--   (eval echo "\"\$as_me:14607: $lt_compile\"" >&5)
-+   (eval echo "\"\$as_me:14611: $lt_compile\"" >&5)
+-   (eval echo "\"\$as_me:14664: $lt_compile\"" >&5)
++   (eval echo "\"\$as_me:14668: $lt_compile\"" >&5)
     (eval "$lt_compile" 2>out/conftest.err)
     ac_status=$?
     cat out/conftest.err >&5
--   echo "$as_me:14611: \$? = $ac_status" >&5
-+   echo "$as_me:14615: \$? = $ac_status" >&5
+-   echo "$as_me:14668: \$? = $ac_status" >&5
++   echo "$as_me:14672: \$? = $ac_status" >&5
     if (exit $ac_status) && test -s out/conftest2.$ac_objext
     then
-@@ -15966,5 +15970,5 @@
+@@ -16023,5 +16027,5 @@
    lt_status=$lt_dlunknown
    cat > conftest.$ac_ext <<EOF
--#line 15968 "configure"
-+#line 15972 "configure"
+-#line 16025 "configure"
++#line 16029 "configure"
  #include "confdefs.h"
  
-@@ -16064,5 +16068,5 @@
+@@ -16121,5 +16125,5 @@
    lt_status=$lt_dlunknown
    cat > conftest.$ac_ext <<EOF
--#line 16066 "configure"
-+#line 16070 "configure"
+-#line 16123 "configure"
++#line 16127 "configure"
  #include "confdefs.h"
  
-@@ -16891,9 +16895,9 @@
+@@ -16948,9 +16952,9 @@
     -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
     -e 's:$: $lt_compiler_flag:'`
--   (eval echo "\"\$as_me:16893: $lt_compile\"" >&5)
-+   (eval echo "\"\$as_me:16897: $lt_compile\"" >&5)
+-   (eval echo "\"\$as_me:16950: $lt_compile\"" >&5)
++   (eval echo "\"\$as_me:16954: $lt_compile\"" >&5)
     (eval "$lt_compile" 2>conftest.err)
     ac_status=$?
     cat conftest.err >&5
--   echo "$as_me:16897: \$? = $ac_status" >&5
-+   echo "$as_me:16901: \$? = $ac_status" >&5
+-   echo "$as_me:16954: \$? = $ac_status" >&5
++   echo "$as_me:16958: \$? = $ac_status" >&5
     if (exit $ac_status) && test -s "$ac_outfile"; then
       # The compiler can only warn and ignore the option if not recognized
-@@ -16951,9 +16955,9 @@
+@@ -17008,9 +17012,9 @@
     -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
     -e 's:$: $lt_compiler_flag:'`
--   (eval echo "\"\$as_me:16953: $lt_compile\"" >&5)
-+   (eval echo "\"\$as_me:16957: $lt_compile\"" >&5)
+-   (eval echo "\"\$as_me:17010: $lt_compile\"" >&5)
++   (eval echo "\"\$as_me:17014: $lt_compile\"" >&5)
     (eval "$lt_compile" 2>out/conftest.err)
     ac_status=$?
     cat out/conftest.err >&5
--   echo "$as_me:16957: \$? = $ac_status" >&5
-+   echo "$as_me:16961: \$? = $ac_status" >&5
+-   echo "$as_me:17014: \$? = $ac_status" >&5
++   echo "$as_me:17018: \$? = $ac_status" >&5
     if (exit $ac_status) && test -s out/conftest2.$ac_objext
     then
-@@ -18989,9 +18993,9 @@
+@@ -19046,9 +19050,9 @@
     -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
     -e 's:$: $lt_compiler_flag:'`
--   (eval echo "\"\$as_me:18991: $lt_compile\"" >&5)
-+   (eval echo "\"\$as_me:18995: $lt_compile\"" >&5)
+-   (eval echo "\"\$as_me:19048: $lt_compile\"" >&5)
++   (eval echo "\"\$as_me:19052: $lt_compile\"" >&5)
     (eval "$lt_compile" 2>conftest.err)
     ac_status=$?
     cat conftest.err >&5
--   echo "$as_me:18995: \$? = $ac_status" >&5
-+   echo "$as_me:18999: \$? = $ac_status" >&5
+-   echo "$as_me:19052: \$? = $ac_status" >&5
++   echo "$as_me:19056: \$? = $ac_status" >&5
     if (exit $ac_status) && test -s "$ac_outfile"; then
       # The compiler can only warn and ignore the option if not recognized
-@@ -19222,9 +19226,9 @@
+@@ -19279,9 +19283,9 @@
     -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
     -e 's:$: $lt_compiler_flag:'`
--   (eval echo "\"\$as_me:19224: $lt_compile\"" >&5)
-+   (eval echo "\"\$as_me:19228: $lt_compile\"" >&5)
+-   (eval echo "\"\$as_me:19281: $lt_compile\"" >&5)
++   (eval echo "\"\$as_me:19285: $lt_compile\"" >&5)
     (eval "$lt_compile" 2>conftest.err)
     ac_status=$?
     cat conftest.err >&5
--   echo "$as_me:19228: \$? = $ac_status" >&5
-+   echo "$as_me:19232: \$? = $ac_status" >&5
+-   echo "$as_me:19285: \$? = $ac_status" >&5
++   echo "$as_me:19289: \$? = $ac_status" >&5
     if (exit $ac_status) && test -s "$ac_outfile"; then
       # The compiler can only warn and ignore the option if not recognized
-@@ -19282,9 +19286,9 @@
+@@ -19339,9 +19343,9 @@
     -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
     -e 's:$: $lt_compiler_flag:'`
--   (eval echo "\"\$as_me:19284: $lt_compile\"" >&5)
-+   (eval echo "\"\$as_me:19288: $lt_compile\"" >&5)
+-   (eval echo "\"\$as_me:19341: $lt_compile\"" >&5)
++   (eval echo "\"\$as_me:19345: $lt_compile\"" >&5)
     (eval "$lt_compile" 2>out/conftest.err)
     ac_status=$?
     cat out/conftest.err >&5
--   echo "$as_me:19288: \$? = $ac_status" >&5
-+   echo "$as_me:19292: \$? = $ac_status" >&5
+-   echo "$as_me:19345: \$? = $ac_status" >&5
++   echo "$as_me:19349: \$? = $ac_status" >&5
     if (exit $ac_status) && test -s out/conftest2.$ac_objext
     then
-@@ -21466,5 +21470,5 @@
+@@ -21523,5 +21527,5 @@
    lt_status=$lt_dlunknown
    cat > conftest.$ac_ext <<EOF
--#line 21468 "configure"
-+#line 21472 "configure"
+-#line 21525 "configure"
++#line 21529 "configure"
  #include "confdefs.h"
  
-@@ -21564,5 +21568,5 @@
+@@ -21621,5 +21625,5 @@
    lt_status=$lt_dlunknown
    cat > conftest.$ac_ext <<EOF
--#line 21566 "configure"
-+#line 21570 "configure"
+-#line 21623 "configure"
++#line 21627 "configure"
  #include "confdefs.h"
  
-@@ -25877,4 +25881,354 @@
+@@ -27186,4 +27190,354 @@
  
  #
 +# IDN support
@@ -687,7 +732,7 @@ diff -U2 -r1.284.2.32 configure
 +#
  # Substitutions
  #
-@@ -26740,4 +27094,5 @@
+@@ -28066,4 +28420,5 @@
  s,@XMLDCL@,$XMLDCL,;t t
  s,@DOCBOOK2MANSPEC@,$DOCBOOK2MANSPEC,;t t
 +s,@IDNLIBS@,$IDNLIBS,;t t
@@ -696,11 +741,11 @@ diff -U2 -r1.284.2.32 configure
 Index: configure.in
 ===================================================================
 RCS file: /proj/cvs/prod/bind9/configure.in,v
-retrieving revision 1.294.2.35
-diff -U2 -r1.294.2.35 configure.in
---- configure.in	1 Sep 2004 07:08:33 -0000	1.294.2.35
-+++ configure.in	1 Sep 2004 07:50:15 -0000
-@@ -1783,4 +1783,80 @@
+retrieving revision 1.294.2.23.2.23
+diff -U2 -r1.294.2.23.2.23 configure.in
+--- configure.in	13 Mar 2004 23:59:10 -0000	1.294.2.23.2.23
++++ configure.in	13 Apr 2004 03:45:32 -0000
+@@ -1994,4 +1994,80 @@
  
  #
 +# IDN support
@@ -781,64 +826,28 @@ diff -U2 -r1.294.2.35 configure.in
 +#
  # Substitutions
  #
-Index: config.h.in
-===================================================================
-RCS file: /proj/cvs/prod/bind9/config.h.in,v
-retrieving revision 1.47.2.9
-diff -U2 -r1.47.2.9 config.h.in
---- config.h.in	1 Sep 2004 07:11:22 -0000	1.47.2.9
-+++ config.h.in	1 Sep 2004 07:50:16 -0000
-@@ -17,5 +17,5 @@
-  */
- 
--/* $Id: config.h.in,v 1.47.2.9 2004/09/01 07:11:22 marka Exp $ */
-+/* $Id: acconfig.h,v 1.35.2.8 2004/03/09 06:09:07 marka Exp $ */
- 
- /***
-@@ -162,7 +162,13 @@
- #undef HAVE_LINUX_CAPABILITY_H
- 
-+/* Define to 1 if you have the <locale.h> header file. */
-+#undef HAVE_LOCALE_H
-+
- /* Define to 1 if you have the <memory.h> header file. */
- #undef HAVE_MEMORY_H
- 
-+/* Define to 1 if you have the `setlocale' function. */
-+#undef HAVE_SETLOCALE
-+
- /* Define to 1 if you have the <stdint.h> header file. */
- #undef HAVE_STDINT_H
-@@ -224,4 +230,7 @@
- /* Define to 1 if you can safely include both <sys/time.h> and <time.h>. */
- #undef TIME_WITH_SYS_TIME
-+
-+/* define if idnkit support is to be included. */
-+#undef WITH_IDN
- 
- /* Define to 1 if your processor stores words with the most significant byte
 Index: bin/dig/Makefile.in
 ===================================================================
 RCS file: /proj/cvs/prod/bind9/bin/dig/Makefile.in,v
-retrieving revision 1.25.2.4
-diff -U2 -r1.25.2.4 Makefile.in
---- bin/dig/Makefile.in	18 Aug 2004 23:22:52 -0000	1.25.2.4
-+++ bin/dig/Makefile.in	1 Sep 2004 07:50:16 -0000
-@@ -37,5 +37,5 @@
- DEPLIBS =	${DNSDEPLIBS} ${ISCDEPLIBS}
+retrieving revision 1.25.12.9
+diff -U2 -r1.25.12.9 Makefile.in
+--- bin/dig/Makefile.in	13 Apr 2004 03:00:05 -0000	1.25.12.9
++++ bin/dig/Makefile.in	13 Apr 2004 03:45:33 -0000
+@@ -47,5 +47,5 @@
  
--LIBS =		${DNSLIBS} ${ISCLIBS} @LIBS@
-+LIBS =		${DNSLIBS} ${ISCLIBS} @IDNLIBS@ @LIBS@
+ LIBS =		${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCLIBS} \
+-		${ISCCFGLIBS} @LIBS@
++		${ISCCFGLIBS} @IDNLIBS@ @LIBS@
  
  SUBDIRS =
 Index: bin/dig/dig.1
 ===================================================================
 RCS file: /proj/cvs/prod/bind9/bin/dig/dig.1,v
-retrieving revision 1.14.2.6
-diff -U2 -r1.14.2.6 dig.1
---- bin/dig/dig.1	26 Aug 2004 02:25:52 -0000	1.14.2.6
-+++ bin/dig/dig.1	1 Sep 2004 07:50:18 -0000
-@@ -355,4 +355,15 @@
+retrieving revision 1.14.2.4.2.4
+diff -U2 -r1.14.2.4.2.4 dig.1
+--- bin/dig/dig.1	8 Mar 2004 04:04:15 -0000	1.14.2.4.2.4
++++ bin/dig/dig.1	13 Apr 2004 03:45:34 -0000
+@@ -369,4 +369,15 @@
  will not print the initial query when it looks up the NS records for
  isc.org.
 +.SH "IDN SUPPORT"
@@ -857,11 +866,11 @@ diff -U2 -r1.14.2.6 dig.1
 Index: bin/dig/dig.docbook
 ===================================================================
 RCS file: /proj/cvs/prod/bind9/bin/dig/dig.docbook,v
-retrieving revision 1.4.2.9
-diff -U2 -r1.4.2.9 dig.docbook
---- bin/dig/dig.docbook	26 Aug 2004 01:33:50 -0000	1.4.2.9
-+++ bin/dig/dig.docbook	1 Sep 2004 07:50:20 -0000
-@@ -530,4 +530,19 @@
+retrieving revision 1.4.2.7.4.8
+diff -U2 -r1.4.2.7.4.8 dig.docbook
+--- bin/dig/dig.docbook	13 Apr 2004 03:00:05 -0000	1.4.2.7.4.8
++++ bin/dig/dig.docbook	13 Apr 2004 03:45:35 -0000
+@@ -575,4 +575,19 @@
  
  <refsect1>
 +<title>IDN SUPPORT</title>
@@ -884,12 +893,12 @@ diff -U2 -r1.4.2.9 dig.docbook
 Index: bin/dig/dighost.c
 ===================================================================
 RCS file: /proj/cvs/prod/bind9/bin/dig/dighost.c,v
-retrieving revision 1.221.2.22
-diff -U2 -r1.221.2.22 dighost.c
---- bin/dig/dighost.c	15 Apr 2004 06:53:18 -0000	1.221.2.22
-+++ bin/dig/dighost.c	1 Sep 2004 07:50:27 -0000
-@@ -33,4 +33,15 @@
- #include <limits.h>
+retrieving revision 1.221.2.19.2.11
+diff -U2 -r1.221.2.19.2.11 dighost.c
+--- bin/dig/dighost.c	13 Apr 2004 03:00:06 -0000	1.221.2.19.2.11
++++ bin/dig/dighost.c	13 Apr 2004 03:45:45 -0000
+@@ -42,4 +42,15 @@
+ #endif 
  
 +#ifdef HAVE_LOCALE_H
 +#include <locale.h>
@@ -903,9 +912,9 @@ diff -U2 -r1.221.2.22 dighost.c
 +#endif
 +
  #include <dns/byaddr.h>
- #include <dns/fixedname.h>
-@@ -133,4 +144,16 @@
- dig_lookup_t *current_lookup = NULL;
+ #ifdef DIG_SIGCHASE
+@@ -129,4 +140,16 @@
+ int lookup_counter = 0;
  
 +#ifdef WITH_IDN
 +static void	      initialize_idn(void);
@@ -920,9 +929,9 @@ diff -U2 -r1.221.2.22 dighost.c
 +#endif
 +
  /*
-  * Apply and clear locks at the event level in global task.
-@@ -684,4 +707,8 @@
- 	}
+  * Exit Codes:
+@@ -965,4 +988,8 @@
+ 		copy_server_list(lwconf, &server_list);
  
 +#ifdef WITH_IDN
 +	initialize_idn();
@@ -930,7 +939,7 @@ diff -U2 -r1.221.2.22 dighost.c
 +
  	if (keyfile[0] != 0)
  		setup_file_key();
-@@ -1198,4 +1225,12 @@
+@@ -1570,4 +1597,12 @@
  	dns_compress_t cctx;
  	char store[MXNAME];
 +#ifdef WITH_IDN
@@ -943,7 +952,7 @@ diff -U2 -r1.221.2.22 dighost.c
 +#endif
  
  	REQUIRE(lookup != NULL);
-@@ -1226,4 +1261,15 @@
+@@ -1598,4 +1633,15 @@
  			sizeof(lookup->onamespace));
  
 +#ifdef WITH_IDN
@@ -959,7 +968,7 @@ diff -U2 -r1.221.2.22 dighost.c
 +
  	/*
  	 * If the name has too many dots, force the origin to be NULL
-@@ -1234,4 +1280,11 @@
+@@ -1606,4 +1652,11 @@
  	 */
  	/* XXX New search here? */
 +#ifdef WITH_IDN
@@ -971,13 +980,13 @@ diff -U2 -r1.221.2.22 dighost.c
 +#else
  	if ((count_dots(lookup->textname) >= ndots) || !usesearch)
  		lookup->origin = NULL; /* Force abs lookup */
-@@ -1239,5 +1292,27 @@
+@@ -1611,5 +1664,27 @@
  		lookup->origin = ISC_LIST_HEAD(search_list);
  	}
 +#endif
 +
 +#ifdef WITH_IDN
- 	if (lookup->origin != NULL) {
++	if (lookup->origin != NULL) {
 +		mr = idn_encodename(IDN_LOCALCONV | IDN_DELIMMAP,
 +				    lookup->origin->origin, utf8_origin,
 +				    sizeof(utf8_origin));
@@ -995,11 +1004,11 @@ diff -U2 -r1.221.2.22 dighost.c
 +#ifdef WITH_IDN
 +	if (0) {
 +#else
-+	if (lookup->origin != NULL) {
+ 	if (lookup->origin != NULL) {
 +#endif
  		debug("trying origin %s", lookup->origin->origin);
  		result = dns_message_gettempname(lookup->sendmsg,
-@@ -1284,4 +1359,13 @@
+@@ -1656,4 +1731,13 @@
  			dns_name_clone(dns_rootname, lookup->name);
  		else {
 +#ifdef WITH_IDN
@@ -1013,16 +1022,15 @@ diff -U2 -r1.221.2.22 dighost.c
 +#else
  			len = strlen(lookup->textname);
  			isc_buffer_init(&b, lookup->textname, len);
-@@ -1291,4 +1375,5 @@
+@@ -1663,4 +1747,5 @@
  						   ISC_FALSE,
  						   &lookup->namebuf);
 +#endif
  		}
  		if (result != ISC_R_SUCCESS) {
-@@ -2722,2 +2807,100 @@
- 		isc_mem_destroy(&mctx);
+@@ -3154,4 +3239,102 @@
  }
-+
+ 
 +#ifdef WITH_IDN
 +static void
 +initialize_idn(void) {
@@ -1120,14 +1128,17 @@ diff -U2 -r1.221.2.22 dighost.c
 +}
 +
 +#endif /* WITH_IDN */
++
+  
+ 
 Index: bin/dig/host.1
 ===================================================================
 RCS file: /proj/cvs/prod/bind9/bin/dig/host.1,v
-retrieving revision 1.11.2.2
-diff -U2 -r1.11.2.2 host.1
---- bin/dig/host.1	15 Mar 2004 04:44:38 -0000	1.11.2.2
-+++ bin/dig/host.1	1 Sep 2004 07:50:28 -0000
-@@ -122,4 +122,15 @@
+retrieving revision 1.11.2.1.4.3
+diff -U2 -r1.11.2.1.4.3 host.1
+--- bin/dig/host.1	8 Mar 2004 04:04:15 -0000	1.11.2.1.4.3
++++ bin/dig/host.1	13 Apr 2004 03:45:45 -0000
+@@ -124,4 +124,15 @@
  will be set to the number of seconds given by the hardware's maximum
  value for an integer quantity.
 +.SH "IDN SUPPORT"
@@ -1146,11 +1157,11 @@ diff -U2 -r1.11.2.2 host.1
 Index: bin/dig/host.docbook
 ===================================================================
 RCS file: /proj/cvs/prod/bind9/bin/dig/host.docbook,v
-retrieving revision 1.2.2.3
-diff -U2 -r1.2.2.3 host.docbook
---- bin/dig/host.docbook	9 Mar 2004 06:09:13 -0000	1.2.2.3
-+++ bin/dig/host.docbook	1 Sep 2004 07:50:29 -0000
-@@ -182,4 +182,19 @@
+retrieving revision 1.2.2.2.4.5
+diff -U2 -r1.2.2.2.4.5 host.docbook
+--- bin/dig/host.docbook	13 Apr 2004 01:26:26 -0000	1.2.2.2.4.5
++++ bin/dig/host.docbook	13 Apr 2004 03:45:46 -0000
+@@ -192,4 +192,19 @@
  
  <refsect1>
 +<title>IDN SUPPORT</title>
@@ -1173,12 +1184,12 @@ diff -U2 -r1.2.2.3 host.docbook
 Index: lib/dns/name.c
 ===================================================================
 RCS file: /proj/cvs/prod/bind9/lib/dns/name.c,v
-retrieving revision 1.127.2.10
-diff -U2 -r1.127.2.10 name.c
---- lib/dns/name.c	1 Sep 2004 05:22:51 -0000	1.127.2.10
-+++ lib/dns/name.c	1 Sep 2004 07:50:40 -0000
-@@ -199,4 +199,11 @@
- dns_fullname_hash(dns_name_t *name, isc_boolean_t case_sensitive);
+retrieving revision 1.127.2.7.2.9
+diff -U2 -r1.127.2.7.2.9 name.c
+--- lib/dns/name.c	8 Mar 2004 21:06:26 -0000	1.127.2.7.2.9
++++ lib/dns/name.c	13 Apr 2004 03:45:50 -0000
+@@ -180,4 +180,11 @@
+ LIBDNS_EXTERNAL_DATA dns_name_t *dns_wildcardname = &wild;
  
 +#ifdef WITH_IDN
 +/*
@@ -1189,24 +1200,25 @@ diff -U2 -r1.127.2.10 name.c
 +
  static void
  set_offsets(const dns_name_t *name, unsigned char *offsets,
-@@ -1715,4 +1722,7 @@
+@@ -1193,4 +1200,7 @@
+ 	unsigned int labels;
  	isc_boolean_t saw_root = ISC_FALSE;
- 	char num[4];
 +#ifdef WITH_IDN
 +	unsigned int oused = target->used;
 +#endif
  
  	/*
-@@ -1892,4 +1902,8 @@
+@@ -1331,4 +1341,9 @@
  	isc_buffer_add(target, tlen - trem);
  
 +#ifdef WITH_IDN
 +	if (totext_filter_proc != NULL)
 +		return ((*totext_filter_proc)(target, oused, saw_root));
 +#endif
++
  	return (ISC_R_SUCCESS);
  }
-@@ -3356,2 +3370,8 @@
+@@ -2186,2 +2201,8 @@
  }
  
 +#ifdef WITH_IDN
@@ -1218,11 +1230,11 @@ diff -U2 -r1.127.2.10 name.c
 Index: lib/dns/include/dns/name.h
 ===================================================================
 RCS file: /proj/cvs/prod/bind9/lib/dns/include/dns/name.h,v
-retrieving revision 1.95.2.8
-diff -U2 -r1.95.2.8 name.h
---- lib/dns/include/dns/name.h	1 Sep 2004 05:22:51 -0000	1.95.2.8
-+++ lib/dns/include/dns/name.h	1 Sep 2004 07:50:42 -0000
-@@ -220,4 +220,15 @@
+retrieving revision 1.95.2.3.2.8
+diff -U2 -r1.95.2.3.2.8 name.h
+--- lib/dns/include/dns/name.h	16 Mar 2004 12:57:17 -0000	1.95.2.3.2.8
++++ lib/dns/include/dns/name.h	13 Apr 2004 03:45:52 -0000
+@@ -156,4 +156,15 @@
  #define DNS_NAME_MAXWIRE 255
  
 +#ifdef WITH_IDN
@@ -1238,10 +1250,9 @@ diff -U2 -r1.95.2.8 name.h
 +
  /***
   *** Initialization
-@@ -1264,4 +1275,12 @@
-  *
+@@ -1113,4 +1124,12 @@
   */
-+
+ 
 +#ifdef WITH_IDN
 +void
 +dns_name_settotextfilter(dns_name_totextfilter_t proc);
@@ -1249,5 +1260,6 @@ diff -U2 -r1.95.2.8 name.h
 + * Call 'proc' at the end of dns_name_totext.
 + */
 +#endif /* WITH_IDN */
- 
++
  #define DNS_NAME_FORMATSIZE (DNS_NAME_MAXTEXT + 1)
+ /*
diff --git a/contrib/named-bootconf/named-bootconf.sh b/contrib/named-bootconf/named-bootconf.sh
index d88f048d..0d9f72ae 100644
--- a/contrib/named-bootconf/named-bootconf.sh
+++ b/contrib/named-bootconf/named-bootconf.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Portions Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+# Portions Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
 # Portions Copyright (C) 1999-2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: named-bootconf.sh,v 1.7.2.3 2006/10/03 23:50:49 marka Exp $
+# $Id: named-bootconf.sh,v 1.7.206.1 2004/03/06 13:16:11 marka Exp $
 
 # $NetBSD: named-bootconf.sh,v 1.5 1998/12/15 01:00:53 tron Exp $
 #
@@ -54,14 +54,9 @@
 # POSSIBILITY OF SUCH DAMAGE.
 
 if [ ${OPTIONFILE-X} = X ]; then
-	WORKDIR=/tmp/`date +%s`.$$
-	( umask 077 ; mkdir $WORKDIR ) || {
-		echo "unable to create work directory '$WORKDIR'" >&2 
-		exit 1
-	}
-	OPTIONFILE=$WORKDIR/options
-	ZONEFILE=$WORKDIR/zones
-	COMMENTFILE=$WORKDIR/comments
+	OPTIONFILE=/tmp/.options.`date +%s`.$$
+	ZONEFILE=/tmp/.zones.`date +%s`.$$
+	COMMENTFILE=/tmp/.comments.`date +%s`.$$
 	export OPTIONFILE ZONEFILE COMMENTFILE
 	touch $OPTIONFILE $ZONEFILE $COMMENTFILE
 	DUMP=1
@@ -308,7 +303,6 @@ if [ $DUMP -eq 1 ]; then
 	cat $ZONEFILE $COMMENTFILE
 
 	rm -f $OPTIONFILE $ZONEFILE $COMMENTFILE
-	rmdir $WORKDIR
 fi
 
 exit 0
diff --git a/contrib/nanny/nanny.pl b/contrib/nanny/nanny.pl
index d2484332..58f172fe 100644
--- a/contrib/nanny/nanny.pl
+++ b/contrib/nanny/nanny.pl
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: nanny.pl,v 1.8.2.1 2004/03/09 06:10:33 marka Exp $
+# $Id: nanny.pl,v 1.8.206.1 2004/03/06 13:16:12 marka Exp $
 
 # A simple nanny to make sure named stays running.
 
diff --git a/contrib/nslint-2.1a3/Makefile.in b/contrib/nslint-2.1a3/Makefile.in
index ea2ca422..5f21cc4f 100644
--- a/contrib/nslint-2.1a3/Makefile.in
+++ b/contrib/nslint-2.1a3/Makefile.in
@@ -17,7 +17,7 @@
 #  WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
 #  MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
 #
-# @(#) $Id: Makefile.in,v 1.1.2.1 2004/07/20 07:00:18 marka Exp $ (LBL)
+# @(#) $Id: Makefile.in,v 1.1 2001/12/21 04:12:02 marka Exp $ (LBL)
 
 #
 # Various configurable paths (remember to edit Makefile.in, not Makefile)
@@ -79,7 +79,7 @@ CLEANFILES = $(PROG) $(OBJ) $(GENSRC)
 
 $(PROG): $(OBJ)
 	@rm -f $@
-	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(OBJ) $(LIBS)
+	$(CC) $(CFLAGS) -o $@ $(OBJ) $(LIBS)
 
 version.o: version.c
 version.c: $(srcdir)/VERSION
diff --git a/contrib/query-loc-0.3.0/ADDRESSES b/contrib/query-loc-0.3.0/ADDRESSES
deleted file mode 100644
index 48d6906f..00000000
--- a/contrib/query-loc-0.3.0/ADDRESSES
+++ /dev/null
@@ -1,18 +0,0 @@
-The following machines, at least today seem to have LOC
-records:
-
-*.cpod.fr (for instance www.cpod.fr)
-130.104.3.*
-195.202.193.*
-Melanie.Tolna.Net
-204.92.254.*
-mail.vitts.com
-alink.net
-caida.org
-ckdhr.com
-distributed.net (rc5stats.distributed.net)
-nikhef.nl
-yahoo.com
-nic.af
-
-$Id: ADDRESSES,v 1.1.6.1 2005/04/01 06:23:03 marka Exp $
diff --git a/contrib/query-loc-0.3.0/ALGO b/contrib/query-loc-0.3.0/ALGO
deleted file mode 100644
index 4695dc14..00000000
--- a/contrib/query-loc-0.3.0/ALGO
+++ /dev/null
@@ -1,48 +0,0 @@
-Just for info, can be out of date.
-
-
-RFC 1876, 5.2, specially 5.2.3
-
-Important points:
-
-- LOC RRs are always attached to a *name*.
-- we can have two (or more) RRs for one address, one more specific than the other
-
-main
- if (host is a name) 
-	getLOCbyname
- else # host is an IP address	
-	gethostbyaddr
-	if (name) 
-		getLOCbyname
-		# If there is none, do not search. We assume the above was sufficient	       # (But check 5.2.2)
-	else
-		getLOCbyaddress
-
-getLOCbyname (host) 
-	get LOC for host
-	if (it exists)
-		OK
-	else
-		get all A records of the name
-		foreach A record
-			getLOCbyaddress
-			OK at the first one found 
-				# we assume they are consistent
-		END
-
-getLOCbyaddress (address)
-	# May receive a mask. Otherwise, deduce it from the class
-	makeNetAddress
-	getLOCbynetwork
-
-getLOCbynetwork
-	get PTR and A for it
-	if (exist)
-		getLOCbyname
-	******* DIFFICULT : we have to manage a stack. See the code
-		makeNetAddress (level--)
-		getLOCbynetwork
-	else
-		END
-	
diff --git a/contrib/query-loc-0.3.0/INSTALL b/contrib/query-loc-0.3.0/INSTALL
deleted file mode 100644
index 9519aae3..00000000
--- a/contrib/query-loc-0.3.0/INSTALL
+++ /dev/null
@@ -1,9 +0,0 @@
-Type './configure', then 'make' and (as root if necessary) 'make
-install'.
-
-It requires a recent libresolv, with loc_ntoa, but use an alternative
-which I provide, if not found.
-
-Tested on Linux (i386 and Alpha), Solaris (Sparc) and Digital Unix (Alpha).
-
-$Id: INSTALL,v 1.1.6.1 2005/04/01 06:23:04 marka Exp $
diff --git a/contrib/query-loc-0.3.0/Makefile.in b/contrib/query-loc-0.3.0/Makefile.in
deleted file mode 100644
index c088a27e..00000000
--- a/contrib/query-loc-0.3.0/Makefile.in
+++ /dev/null
@@ -1,40 +0,0 @@
-# $Id: Makefile.in,v 1.1.6.1 2005/04/01 06:23:04 marka Exp $
-CC=@CC@
-CFLAGS=@CFLAGS@ 
-LIBS=@LIBS@
-DESTDIR=@prefix@
-BINDIR=@prefix@/bin
-MANDIR=@prefix@/share/man/man1
-DISTRIB= README INSTALL ALGO USAGE ADDRESSES Makefile.in configure configure.in config.h.in install-sh loc.h loc.c query-loc.c loc_ntoa.c query-loc.1
-OBJS=query-loc.o loc.o @LOC_NTOA@
-VERSION=`grep VERSION loc.h | cut -d ' ' -f 3 | sed s/\"//g`
-
-all: query-loc
-
-query-loc: $(OBJS)
-	$(CC) -o $@ $(OBJS) $(LIBS)
-
-%.o: %.c loc.h
-	$(CC) $(CFLAGS) -c $<
-
-clean:
-	rm -f *.o query-loc *~ 
-
-distclean: clean
-	rm -f config.h config.cache config.log config.status Makefile
-
-distrib: clean
-	./reconf
-	@(echo Query-Loc is version ${VERSION}; \
-	mkdir query-loc-${VERSION}; \
-	cp $(DISTRIB) query-loc-${VERSION};\
-	tar cvf query-loc-${VERSION}.tar query-loc-${VERSION}; \
-	rm -rf query-loc-${VERSION}; \
-	gzip -v -9 -f query-loc-${VERSION}.tar);
-
-install:
-	@INSTALL@ -m 0755 query-loc $(BINDIR)
-	if [ ! -d $(MANDIR) ]; then \
-		mkdir $(MANDIR); \
-	fi
-	@INSTALL@ -m 0644 query-loc.1 $(MANDIR)
diff --git a/contrib/query-loc-0.3.0/README b/contrib/query-loc-0.3.0/README
deleted file mode 100644
index 0c29d93f..00000000
--- a/contrib/query-loc-0.3.0/README
+++ /dev/null
@@ -1,20 +0,0 @@
-   query-loc: a program to retrieve and display the location
-   information in the DNS. 
-
-   It uses the algorithms described in
-   RFC 1876 (and RFC 1101 to get the network names).
-   You can find examples of networks wchich implement this scheme
-   in the ADDRESSES file.
-
-   It is under the General Public Licence (GPL, which
-   you can fetch from <http://www.gnu.org/copyleft/gpl.html>.
-
-   Copyright Stéphane Bortzmeyer <bortzmeyer@debian.org>, 1998.
-
-   Thanks to Paul Vixie for the RFC and its encouragements. Thanks
-   to Björn Augustsson  for the xtraceroute program 
-   <http://www.dtek.chalmers.se/~d3august/xt/>.
-
-$Id: README,v 1.1.6.1 2005/04/01 06:23:05 marka Exp $
-
-
diff --git a/contrib/query-loc-0.3.0/USAGE b/contrib/query-loc-0.3.0/USAGE
deleted file mode 100644
index 233d6ca1..00000000
--- a/contrib/query-loc-0.3.0/USAGE
+++ /dev/null
@@ -1,8 +0,0 @@
-query-loc [-v] [-d nnn] host-name-or-address
-
-Examples of hosts with LOCation info (quite uncommon, if you know more, 
-please tell me):
-
-- Everything in the 193.105.79.0 network, such as www.humanite.presse.fr
-- Everything in the 192.88.144 network, such as www.kei.com
-
diff --git a/contrib/query-loc-0.3.0/config.h.in b/contrib/query-loc-0.3.0/config.h.in
deleted file mode 100644
index d1120447..00000000
--- a/contrib/query-loc-0.3.0/config.h.in
+++ /dev/null
@@ -1,69 +0,0 @@
-/* config.h.in.  Generated from configure.in by autoheader.  */
-/* $Id: config.h.in,v 1.1.6.1 2005/04/01 06:23:05 marka Exp $ */
-
-
-/* Define to 1 if you have the <inttypes.h> header file. */
-#undef HAVE_INTTYPES_H
-
-/* Define to 1 if you have the `resolv' library (-lresolv). */
-#undef HAVE_LIBRESOLV
-
-/* Define to 1 if you have the <memory.h> header file. */
-#undef HAVE_MEMORY_H
-
-/* Define to 1 if you have the <stdint.h> header file. */
-#undef HAVE_STDINT_H
-
-/* Define to 1 if you have the <stdlib.h> header file. */
-#undef HAVE_STDLIB_H
-
-/* Define to 1 if you have the <strings.h> header file. */
-#undef HAVE_STRINGS_H
-
-/* Define to 1 if you have the <string.h> header file. */
-#undef HAVE_STRING_H
-
-/* Define to 1 if you have the <sys/stat.h> header file. */
-#undef HAVE_SYS_STAT_H
-
-/* Define to 1 if you have the <sys/types.h> header file. */
-#undef HAVE_SYS_TYPES_H
-
-/* Define to 1 if you have the <unistd.h> header file. */
-#undef HAVE_UNISTD_H
-
-/* Define to the address where bug reports for this package should be sent. */
-#undef PACKAGE_BUGREPORT
-
-/* Define to the full name of this package. */
-#undef PACKAGE_NAME
-
-/* Define to the full name and version of this package. */
-#undef PACKAGE_STRING
-
-/* Define to the one symbol short name of this package. */
-#undef PACKAGE_TARNAME
-
-/* Define to the version of this package. */
-#undef PACKAGE_VERSION
-
-/* The size of a `char', as computed by sizeof. */
-#undef SIZEOF_CHAR
-
-/* The size of a `int', as computed by sizeof. */
-#undef SIZEOF_INT
-
-/* The size of a `long', as computed by sizeof. */
-#undef SIZEOF_LONG
-
-/* The size of a `short', as computed by sizeof. */
-#undef SIZEOF_SHORT
-
-/* Define to 1 if you have the ANSI C header files. */
-#undef STDC_HEADERS
-
-/* Define to empty if `const' does not conform to ANSI C. */
-#undef const
-
-/* Is there a loc_ntoa on this system?  */
-#undef HAVE_LOC_NTOA
diff --git a/contrib/query-loc-0.3.0/configure b/contrib/query-loc-0.3.0/configure
deleted file mode 100755
index d77cf76c..00000000
--- a/contrib/query-loc-0.3.0/configure
+++ /dev/null
@@ -1,6436 +0,0 @@
-#! /bin/sh
-# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.59.
-#
-# Copyright (C) 2003 Free Software Foundation, Inc.
-# This configure script is free software; the Free Software Foundation
-# gives unlimited permission to copy, distribute and modify it.
-## --------------------- ##
-## M4sh Initialization.  ##
-## --------------------- ##
-
-# Be Bourne compatible
-if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
-  emulate sh
-  NULLCMD=:
-  # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
-  # is contrary to our usage.  Disable this feature.
-  alias -g '${1+"$@"}'='"$@"'
-elif test -n "${BASH_VERSION+set}" && (set -o posix) >/dev/null 2>&1; then
-  set -o posix
-fi
-DUALCASE=1; export DUALCASE # for MKS sh
-
-# Support unset when possible.
-if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then
-  as_unset=unset
-else
-  as_unset=false
-fi
-
-
-# Work around bugs in pre-3.0 UWIN ksh.
-$as_unset ENV MAIL MAILPATH
-PS1='$ '
-PS2='> '
-PS4='+ '
-
-# NLS nuisances.
-for as_var in \
-  LANG LANGUAGE LC_ADDRESS LC_ALL LC_COLLATE LC_CTYPE LC_IDENTIFICATION \
-  LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER \
-  LC_TELEPHONE LC_TIME
-do
-  if (set +x; test -z "`(eval $as_var=C; export $as_var) 2>&1`"); then
-    eval $as_var=C; export $as_var
-  else
-    $as_unset $as_var
-  fi
-done
-
-# Required to use basename.
-if expr a : '\(a\)' >/dev/null 2>&1; then
-  as_expr=expr
-else
-  as_expr=false
-fi
-
-if (basename /) >/dev/null 2>&1 && test "X`basename / 2>&1`" = "X/"; then
-  as_basename=basename
-else
-  as_basename=false
-fi
-
-
-# Name of the executable.
-as_me=`$as_basename "$0" ||
-$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \
-	 X"$0" : 'X\(//\)$' \| \
-	 X"$0" : 'X\(/\)$' \| \
-	 .     : '\(.\)' 2>/dev/null ||
-echo X/"$0" |
-    sed '/^.*\/\([^/][^/]*\)\/*$/{ s//\1/; q; }
-  	  /^X\/\(\/\/\)$/{ s//\1/; q; }
-  	  /^X\/\(\/\).*/{ s//\1/; q; }
-  	  s/.*/./; q'`
-
-
-# PATH needs CR, and LINENO needs CR and PATH.
-# Avoid depending upon Character Ranges.
-as_cr_letters='abcdefghijklmnopqrstuvwxyz'
-as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
-as_cr_Letters=$as_cr_letters$as_cr_LETTERS
-as_cr_digits='0123456789'
-as_cr_alnum=$as_cr_Letters$as_cr_digits
-
-# The user is always right.
-if test "${PATH_SEPARATOR+set}" != set; then
-  echo "#! /bin/sh" >conf$$.sh
-  echo  "exit 0"   >>conf$$.sh
-  chmod +x conf$$.sh
-  if (PATH="/nonexistent;."; conf$$.sh) >/dev/null 2>&1; then
-    PATH_SEPARATOR=';'
-  else
-    PATH_SEPARATOR=:
-  fi
-  rm -f conf$$.sh
-fi
-
-
-  as_lineno_1=$LINENO
-  as_lineno_2=$LINENO
-  as_lineno_3=`(expr $as_lineno_1 + 1) 2>/dev/null`
-  test "x$as_lineno_1" != "x$as_lineno_2" &&
-  test "x$as_lineno_3"  = "x$as_lineno_2"  || {
-  # Find who we are.  Look in the path if we contain no path at all
-  # relative or not.
-  case $0 in
-    *[\\/]* ) as_myself=$0 ;;
-    *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break
-done
-
-       ;;
-  esac
-  # We did not find ourselves, most probably we were run as `sh COMMAND'
-  # in which case we are not to be found in the path.
-  if test "x$as_myself" = x; then
-    as_myself=$0
-  fi
-  if test ! -f "$as_myself"; then
-    { echo "$as_me: error: cannot find myself; rerun with an absolute path" >&2
-   { (exit 1); exit 1; }; }
-  fi
-  case $CONFIG_SHELL in
-  '')
-    as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in /bin$PATH_SEPARATOR/usr/bin$PATH_SEPARATOR$PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for as_base in sh bash ksh sh5; do
-	 case $as_dir in
-	 /*)
-	   if ("$as_dir/$as_base" -c '
-  as_lineno_1=$LINENO
-  as_lineno_2=$LINENO
-  as_lineno_3=`(expr $as_lineno_1 + 1) 2>/dev/null`
-  test "x$as_lineno_1" != "x$as_lineno_2" &&
-  test "x$as_lineno_3"  = "x$as_lineno_2" ') 2>/dev/null; then
-	     $as_unset BASH_ENV || test "${BASH_ENV+set}" != set || { BASH_ENV=; export BASH_ENV; }
-	     $as_unset ENV || test "${ENV+set}" != set || { ENV=; export ENV; }
-	     CONFIG_SHELL=$as_dir/$as_base
-	     export CONFIG_SHELL
-	     exec "$CONFIG_SHELL" "$0" ${1+"$@"}
-	   fi;;
-	 esac
-       done
-done
-;;
-  esac
-
-  # Create $as_me.lineno as a copy of $as_myself, but with $LINENO
-  # uniformly replaced by the line number.  The first 'sed' inserts a
-  # line-number line before each line; the second 'sed' does the real
-  # work.  The second script uses 'N' to pair each line-number line
-  # with the numbered line, and appends trailing '-' during
-  # substitution so that $LINENO is not a special case at line end.
-  # (Raja R Harinath suggested sed '=', and Paul Eggert wrote the
-  # second 'sed' script.  Blame Lee E. McMahon for sed's syntax.  :-)
-  sed '=' <$as_myself |
-    sed '
-      N
-      s,$,-,
-      : loop
-      s,^\(['$as_cr_digits']*\)\(.*\)[$]LINENO\([^'$as_cr_alnum'_]\),\1\2\1\3,
-      t loop
-      s,-$,,
-      s,^['$as_cr_digits']*\n,,
-    ' >$as_me.lineno &&
-  chmod +x $as_me.lineno ||
-    { echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2
-   { (exit 1); exit 1; }; }
-
-  # Don't try to exec as it changes $[0], causing all sort of problems
-  # (the dirname of $[0] is not the place where we might find the
-  # original and so on.  Autoconf is especially sensible to this).
-  . ./$as_me.lineno
-  # Exit status is that of the last command.
-  exit
-}
-
-
-case `echo "testing\c"; echo 1,2,3`,`echo -n testing; echo 1,2,3` in
-  *c*,-n*) ECHO_N= ECHO_C='
-' ECHO_T='	' ;;
-  *c*,*  ) ECHO_N=-n ECHO_C= ECHO_T= ;;
-  *)       ECHO_N= ECHO_C='\c' ECHO_T= ;;
-esac
-
-if expr a : '\(a\)' >/dev/null 2>&1; then
-  as_expr=expr
-else
-  as_expr=false
-fi
-
-rm -f conf$$ conf$$.exe conf$$.file
-echo >conf$$.file
-if ln -s conf$$.file conf$$ 2>/dev/null; then
-  # We could just check for DJGPP; but this test a) works b) is more generic
-  # and c) will remain valid once DJGPP supports symlinks (DJGPP 2.04).
-  if test -f conf$$.exe; then
-    # Don't use ln at all; we don't have any links
-    as_ln_s='cp -p'
-  else
-    as_ln_s='ln -s'
-  fi
-elif ln conf$$.file conf$$ 2>/dev/null; then
-  as_ln_s=ln
-else
-  as_ln_s='cp -p'
-fi
-rm -f conf$$ conf$$.exe conf$$.file
-
-if mkdir -p . 2>/dev/null; then
-  as_mkdir_p=:
-else
-  test -d ./-p && rmdir ./-p
-  as_mkdir_p=false
-fi
-
-as_executable_p="test -f"
-
-# Sed expression to map a string onto a valid CPP name.
-as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'"
-
-# Sed expression to map a string onto a valid variable name.
-as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'"
-
-
-# IFS
-# We need space, tab and new line, in precisely that order.
-as_nl='
-'
-IFS=" 	$as_nl"
-
-# CDPATH.
-$as_unset CDPATH
-
-
-# Name of the host.
-# hostname on some systems (SVR3.2, Linux) returns a bogus exit status,
-# so uname gets run too.
-ac_hostname=`(hostname || uname -n) 2>/dev/null | sed 1q`
-
-exec 6>&1
-
-#
-# Initializations.
-#
-ac_default_prefix=/usr/local
-ac_config_libobj_dir=.
-cross_compiling=no
-subdirs=
-MFLAGS=
-MAKEFLAGS=
-SHELL=${CONFIG_SHELL-/bin/sh}
-
-# Maximum number of lines to put in a shell here document.
-# This variable seems obsolete.  It should probably be removed, and
-# only ac_max_sed_lines should be used.
-: ${ac_max_here_lines=38}
-
-# Identity of this package.
-PACKAGE_NAME=
-PACKAGE_TARNAME=
-PACKAGE_VERSION=
-PACKAGE_STRING=
-PACKAGE_BUGREPORT=
-
-ac_unique_file="query-loc.c"
-# Factoring default headers for most tests.
-ac_includes_default="\
-#include <stdio.h>
-#if HAVE_SYS_TYPES_H
-# include <sys/types.h>
-#endif
-#if HAVE_SYS_STAT_H
-# include <sys/stat.h>
-#endif
-#if STDC_HEADERS
-# include <stdlib.h>
-# include <stddef.h>
-#else
-# if HAVE_STDLIB_H
-#  include <stdlib.h>
-# endif
-#endif
-#if HAVE_STRING_H
-# if !STDC_HEADERS && HAVE_MEMORY_H
-#  include <memory.h>
-# endif
-# include <string.h>
-#endif
-#if HAVE_STRINGS_H
-# include <strings.h>
-#endif
-#if HAVE_INTTYPES_H
-# include <inttypes.h>
-#else
-# if HAVE_STDINT_H
-#  include <stdint.h>
-# endif
-#endif
-#if HAVE_UNISTD_H
-# include <unistd.h>
-#endif"
-
-ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix program_transform_name bindir sbindir libexecdir datadir sysconfdir sharedstatedir localstatedir libdir includedir oldincludedir infodir mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T LIBS CC CFLAGS LDFLAGS CPPFLAGS ac_ct_CC EXEEXT OBJEXT INSTALL_PROGRAM INSTALL_SCRIPT INSTALL_DATA CPP EGREP LOC_NTOA LIBOBJS LTLIBOBJS'
-ac_subst_files=''
-
-# Initialize some variables set by options.
-ac_init_help=
-ac_init_version=false
-# The variables have the same names as the options, with
-# dashes changed to underlines.
-cache_file=/dev/null
-exec_prefix=NONE
-no_create=
-no_recursion=
-prefix=NONE
-program_prefix=NONE
-program_suffix=NONE
-program_transform_name=s,x,x,
-silent=
-site=
-srcdir=
-verbose=
-x_includes=NONE
-x_libraries=NONE
-
-# Installation directory options.
-# These are left unexpanded so users can "make install exec_prefix=/foo"
-# and all the variables that are supposed to be based on exec_prefix
-# by default will actually change.
-# Use braces instead of parens because sh, perl, etc. also accept them.
-bindir='${exec_prefix}/bin'
-sbindir='${exec_prefix}/sbin'
-libexecdir='${exec_prefix}/libexec'
-datadir='${prefix}/share'
-sysconfdir='${prefix}/etc'
-sharedstatedir='${prefix}/com'
-localstatedir='${prefix}/var'
-libdir='${exec_prefix}/lib'
-includedir='${prefix}/include'
-oldincludedir='/usr/include'
-infodir='${prefix}/info'
-mandir='${prefix}/man'
-
-ac_prev=
-for ac_option
-do
-  # If the previous option needs an argument, assign it.
-  if test -n "$ac_prev"; then
-    eval "$ac_prev=\$ac_option"
-    ac_prev=
-    continue
-  fi
-
-  ac_optarg=`expr "x$ac_option" : 'x[^=]*=\(.*\)'`
-
-  # Accept the important Cygnus configure options, so we can diagnose typos.
-
-  case $ac_option in
-
-  -bindir | --bindir | --bindi | --bind | --bin | --bi)
-    ac_prev=bindir ;;
-  -bindir=* | --bindir=* | --bindi=* | --bind=* | --bin=* | --bi=*)
-    bindir=$ac_optarg ;;
-
-  -build | --build | --buil | --bui | --bu)
-    ac_prev=build_alias ;;
-  -build=* | --build=* | --buil=* | --bui=* | --bu=*)
-    build_alias=$ac_optarg ;;
-
-  -cache-file | --cache-file | --cache-fil | --cache-fi \
-  | --cache-f | --cache- | --cache | --cach | --cac | --ca | --c)
-    ac_prev=cache_file ;;
-  -cache-file=* | --cache-file=* | --cache-fil=* | --cache-fi=* \
-  | --cache-f=* | --cache-=* | --cache=* | --cach=* | --cac=* | --ca=* | --c=*)
-    cache_file=$ac_optarg ;;
-
-  --config-cache | -C)
-    cache_file=config.cache ;;
-
-  -datadir | --datadir | --datadi | --datad | --data | --dat | --da)
-    ac_prev=datadir ;;
-  -datadir=* | --datadir=* | --datadi=* | --datad=* | --data=* | --dat=* \
-  | --da=*)
-    datadir=$ac_optarg ;;
-
-  -disable-* | --disable-*)
-    ac_feature=`expr "x$ac_option" : 'x-*disable-\(.*\)'`
-    # Reject names that are not valid shell variable names.
-    expr "x$ac_feature" : ".*[^-_$as_cr_alnum]" >/dev/null &&
-      { echo "$as_me: error: invalid feature name: $ac_feature" >&2
-   { (exit 1); exit 1; }; }
-    ac_feature=`echo $ac_feature | sed 's/-/_/g'`
-    eval "enable_$ac_feature=no" ;;
-
-  -enable-* | --enable-*)
-    ac_feature=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'`
-    # Reject names that are not valid shell variable names.
-    expr "x$ac_feature" : ".*[^-_$as_cr_alnum]" >/dev/null &&
-      { echo "$as_me: error: invalid feature name: $ac_feature" >&2
-   { (exit 1); exit 1; }; }
-    ac_feature=`echo $ac_feature | sed 's/-/_/g'`
-    case $ac_option in
-      *=*) ac_optarg=`echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"`;;
-      *) ac_optarg=yes ;;
-    esac
-    eval "enable_$ac_feature='$ac_optarg'" ;;
-
-  -exec-prefix | --exec_prefix | --exec-prefix | --exec-prefi \
-  | --exec-pref | --exec-pre | --exec-pr | --exec-p | --exec- \
-  | --exec | --exe | --ex)
-    ac_prev=exec_prefix ;;
-  -exec-prefix=* | --exec_prefix=* | --exec-prefix=* | --exec-prefi=* \
-  | --exec-pref=* | --exec-pre=* | --exec-pr=* | --exec-p=* | --exec-=* \
-  | --exec=* | --exe=* | --ex=*)
-    exec_prefix=$ac_optarg ;;
-
-  -gas | --gas | --ga | --g)
-    # Obsolete; use --with-gas.
-    with_gas=yes ;;
-
-  -help | --help | --hel | --he | -h)
-    ac_init_help=long ;;
-  -help=r* | --help=r* | --hel=r* | --he=r* | -hr*)
-    ac_init_help=recursive ;;
-  -help=s* | --help=s* | --hel=s* | --he=s* | -hs*)
-    ac_init_help=short ;;
-
-  -host | --host | --hos | --ho)
-    ac_prev=host_alias ;;
-  -host=* | --host=* | --hos=* | --ho=*)
-    host_alias=$ac_optarg ;;
-
-  -includedir | --includedir | --includedi | --included | --include \
-  | --includ | --inclu | --incl | --inc)
-    ac_prev=includedir ;;
-  -includedir=* | --includedir=* | --includedi=* | --included=* | --include=* \
-  | --includ=* | --inclu=* | --incl=* | --inc=*)
-    includedir=$ac_optarg ;;
-
-  -infodir | --infodir | --infodi | --infod | --info | --inf)
-    ac_prev=infodir ;;
-  -infodir=* | --infodir=* | --infodi=* | --infod=* | --info=* | --inf=*)
-    infodir=$ac_optarg ;;
-
-  -libdir | --libdir | --libdi | --libd)
-    ac_prev=libdir ;;
-  -libdir=* | --libdir=* | --libdi=* | --libd=*)
-    libdir=$ac_optarg ;;
-
-  -libexecdir | --libexecdir | --libexecdi | --libexecd | --libexec \
-  | --libexe | --libex | --libe)
-    ac_prev=libexecdir ;;
-  -libexecdir=* | --libexecdir=* | --libexecdi=* | --libexecd=* | --libexec=* \
-  | --libexe=* | --libex=* | --libe=*)
-    libexecdir=$ac_optarg ;;
-
-  -localstatedir | --localstatedir | --localstatedi | --localstated \
-  | --localstate | --localstat | --localsta | --localst \
-  | --locals | --local | --loca | --loc | --lo)
-    ac_prev=localstatedir ;;
-  -localstatedir=* | --localstatedir=* | --localstatedi=* | --localstated=* \
-  | --localstate=* | --localstat=* | --localsta=* | --localst=* \
-  | --locals=* | --local=* | --loca=* | --loc=* | --lo=*)
-    localstatedir=$ac_optarg ;;
-
-  -mandir | --mandir | --mandi | --mand | --man | --ma | --m)
-    ac_prev=mandir ;;
-  -mandir=* | --mandir=* | --mandi=* | --mand=* | --man=* | --ma=* | --m=*)
-    mandir=$ac_optarg ;;
-
-  -nfp | --nfp | --nf)
-    # Obsolete; use --without-fp.
-    with_fp=no ;;
-
-  -no-create | --no-create | --no-creat | --no-crea | --no-cre \
-  | --no-cr | --no-c | -n)
-    no_create=yes ;;
-
-  -no-recursion | --no-recursion | --no-recursio | --no-recursi \
-  | --no-recurs | --no-recur | --no-recu | --no-rec | --no-re | --no-r)
-    no_recursion=yes ;;
-
-  -oldincludedir | --oldincludedir | --oldincludedi | --oldincluded \
-  | --oldinclude | --oldinclud | --oldinclu | --oldincl | --oldinc \
-  | --oldin | --oldi | --old | --ol | --o)
-    ac_prev=oldincludedir ;;
-  -oldincludedir=* | --oldincludedir=* | --oldincludedi=* | --oldincluded=* \
-  | --oldinclude=* | --oldinclud=* | --oldinclu=* | --oldincl=* | --oldinc=* \
-  | --oldin=* | --oldi=* | --old=* | --ol=* | --o=*)
-    oldincludedir=$ac_optarg ;;
-
-  -prefix | --prefix | --prefi | --pref | --pre | --pr | --p)
-    ac_prev=prefix ;;
-  -prefix=* | --prefix=* | --prefi=* | --pref=* | --pre=* | --pr=* | --p=*)
-    prefix=$ac_optarg ;;
-
-  -program-prefix | --program-prefix | --program-prefi | --program-pref \
-  | --program-pre | --program-pr | --program-p)
-    ac_prev=program_prefix ;;
-  -program-prefix=* | --program-prefix=* | --program-prefi=* \
-  | --program-pref=* | --program-pre=* | --program-pr=* | --program-p=*)
-    program_prefix=$ac_optarg ;;
-
-  -program-suffix | --program-suffix | --program-suffi | --program-suff \
-  | --program-suf | --program-su | --program-s)
-    ac_prev=program_suffix ;;
-  -program-suffix=* | --program-suffix=* | --program-suffi=* \
-  | --program-suff=* | --program-suf=* | --program-su=* | --program-s=*)
-    program_suffix=$ac_optarg ;;
-
-  -program-transform-name | --program-transform-name \
-  | --program-transform-nam | --program-transform-na \
-  | --program-transform-n | --program-transform- \
-  | --program-transform | --program-transfor \
-  | --program-transfo | --program-transf \
-  | --program-trans | --program-tran \
-  | --progr-tra | --program-tr | --program-t)
-    ac_prev=program_transform_name ;;
-  -program-transform-name=* | --program-transform-name=* \
-  | --program-transform-nam=* | --program-transform-na=* \
-  | --program-transform-n=* | --program-transform-=* \
-  | --program-transform=* | --program-transfor=* \
-  | --program-transfo=* | --program-transf=* \
-  | --program-trans=* | --program-tran=* \
-  | --progr-tra=* | --program-tr=* | --program-t=*)
-    program_transform_name=$ac_optarg ;;
-
-  -q | -quiet | --quiet | --quie | --qui | --qu | --q \
-  | -silent | --silent | --silen | --sile | --sil)
-    silent=yes ;;
-
-  -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
-    ac_prev=sbindir ;;
-  -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
-  | --sbi=* | --sb=*)
-    sbindir=$ac_optarg ;;
-
-  -sharedstatedir | --sharedstatedir | --sharedstatedi \
-  | --sharedstated | --sharedstate | --sharedstat | --sharedsta \
-  | --sharedst | --shareds | --shared | --share | --shar \
-  | --sha | --sh)
-    ac_prev=sharedstatedir ;;
-  -sharedstatedir=* | --sharedstatedir=* | --sharedstatedi=* \
-  | --sharedstated=* | --sharedstate=* | --sharedstat=* | --sharedsta=* \
-  | --sharedst=* | --shareds=* | --shared=* | --share=* | --shar=* \
-  | --sha=* | --sh=*)
-    sharedstatedir=$ac_optarg ;;
-
-  -site | --site | --sit)
-    ac_prev=site ;;
-  -site=* | --site=* | --sit=*)
-    site=$ac_optarg ;;
-
-  -srcdir | --srcdir | --srcdi | --srcd | --src | --sr)
-    ac_prev=srcdir ;;
-  -srcdir=* | --srcdir=* | --srcdi=* | --srcd=* | --src=* | --sr=*)
-    srcdir=$ac_optarg ;;
-
-  -sysconfdir | --sysconfdir | --sysconfdi | --sysconfd | --sysconf \
-  | --syscon | --sysco | --sysc | --sys | --sy)
-    ac_prev=sysconfdir ;;
-  -sysconfdir=* | --sysconfdir=* | --sysconfdi=* | --sysconfd=* | --sysconf=* \
-  | --syscon=* | --sysco=* | --sysc=* | --sys=* | --sy=*)
-    sysconfdir=$ac_optarg ;;
-
-  -target | --target | --targe | --targ | --tar | --ta | --t)
-    ac_prev=target_alias ;;
-  -target=* | --target=* | --targe=* | --targ=* | --tar=* | --ta=* | --t=*)
-    target_alias=$ac_optarg ;;
-
-  -v | -verbose | --verbose | --verbos | --verbo | --verb)
-    verbose=yes ;;
-
-  -version | --version | --versio | --versi | --vers | -V)
-    ac_init_version=: ;;
-
-  -with-* | --with-*)
-    ac_package=`expr "x$ac_option" : 'x-*with-\([^=]*\)'`
-    # Reject names that are not valid shell variable names.
-    expr "x$ac_package" : ".*[^-_$as_cr_alnum]" >/dev/null &&
-      { echo "$as_me: error: invalid package name: $ac_package" >&2
-   { (exit 1); exit 1; }; }
-    ac_package=`echo $ac_package| sed 's/-/_/g'`
-    case $ac_option in
-      *=*) ac_optarg=`echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"`;;
-      *) ac_optarg=yes ;;
-    esac
-    eval "with_$ac_package='$ac_optarg'" ;;
-
-  -without-* | --without-*)
-    ac_package=`expr "x$ac_option" : 'x-*without-\(.*\)'`
-    # Reject names that are not valid shell variable names.
-    expr "x$ac_package" : ".*[^-_$as_cr_alnum]" >/dev/null &&
-      { echo "$as_me: error: invalid package name: $ac_package" >&2
-   { (exit 1); exit 1; }; }
-    ac_package=`echo $ac_package | sed 's/-/_/g'`
-    eval "with_$ac_package=no" ;;
-
-  --x)
-    # Obsolete; use --with-x.
-    with_x=yes ;;
-
-  -x-includes | --x-includes | --x-include | --x-includ | --x-inclu \
-  | --x-incl | --x-inc | --x-in | --x-i)
-    ac_prev=x_includes ;;
-  -x-includes=* | --x-includes=* | --x-include=* | --x-includ=* | --x-inclu=* \
-  | --x-incl=* | --x-inc=* | --x-in=* | --x-i=*)
-    x_includes=$ac_optarg ;;
-
-  -x-libraries | --x-libraries | --x-librarie | --x-librari \
-  | --x-librar | --x-libra | --x-libr | --x-lib | --x-li | --x-l)
-    ac_prev=x_libraries ;;
-  -x-libraries=* | --x-libraries=* | --x-librarie=* | --x-librari=* \
-  | --x-librar=* | --x-libra=* | --x-libr=* | --x-lib=* | --x-li=* | --x-l=*)
-    x_libraries=$ac_optarg ;;
-
-  -*) { echo "$as_me: error: unrecognized option: $ac_option
-Try \`$0 --help' for more information." >&2
-   { (exit 1); exit 1; }; }
-    ;;
-
-  *=*)
-    ac_envvar=`expr "x$ac_option" : 'x\([^=]*\)='`
-    # Reject names that are not valid shell variable names.
-    expr "x$ac_envvar" : ".*[^_$as_cr_alnum]" >/dev/null &&
-      { echo "$as_me: error: invalid variable name: $ac_envvar" >&2
-   { (exit 1); exit 1; }; }
-    ac_optarg=`echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"`
-    eval "$ac_envvar='$ac_optarg'"
-    export $ac_envvar ;;
-
-  *)
-    # FIXME: should be removed in autoconf 3.0.
-    echo "$as_me: WARNING: you should use --build, --host, --target" >&2
-    expr "x$ac_option" : ".*[^-._$as_cr_alnum]" >/dev/null &&
-      echo "$as_me: WARNING: invalid host type: $ac_option" >&2
-    : ${build_alias=$ac_option} ${host_alias=$ac_option} ${target_alias=$ac_option}
-    ;;
-
-  esac
-done
-
-if test -n "$ac_prev"; then
-  ac_option=--`echo $ac_prev | sed 's/_/-/g'`
-  { echo "$as_me: error: missing argument to $ac_option" >&2
-   { (exit 1); exit 1; }; }
-fi
-
-# Be sure to have absolute paths.
-for ac_var in exec_prefix prefix
-do
-  eval ac_val=$`echo $ac_var`
-  case $ac_val in
-    [\\/$]* | ?:[\\/]* | NONE | '' ) ;;
-    *)  { echo "$as_me: error: expected an absolute directory name for --$ac_var: $ac_val" >&2
-   { (exit 1); exit 1; }; };;
-  esac
-done
-
-# Be sure to have absolute paths.
-for ac_var in bindir sbindir libexecdir datadir sysconfdir sharedstatedir \
-	      localstatedir libdir includedir oldincludedir infodir mandir
-do
-  eval ac_val=$`echo $ac_var`
-  case $ac_val in
-    [\\/$]* | ?:[\\/]* ) ;;
-    *)  { echo "$as_me: error: expected an absolute directory name for --$ac_var: $ac_val" >&2
-   { (exit 1); exit 1; }; };;
-  esac
-done
-
-# There might be people who depend on the old broken behavior: `$host'
-# used to hold the argument of --host etc.
-# FIXME: To remove some day.
-build=$build_alias
-host=$host_alias
-target=$target_alias
-
-# FIXME: To remove some day.
-if test "x$host_alias" != x; then
-  if test "x$build_alias" = x; then
-    cross_compiling=maybe
-    echo "$as_me: WARNING: If you wanted to set the --build type, don't use --host.
-    If a cross compiler is detected then cross compile mode will be used." >&2
-  elif test "x$build_alias" != "x$host_alias"; then
-    cross_compiling=yes
-  fi
-fi
-
-ac_tool_prefix=
-test -n "$host_alias" && ac_tool_prefix=$host_alias-
-
-test "$silent" = yes && exec 6>/dev/null
-
-
-# Find the source files, if location was not specified.
-if test -z "$srcdir"; then
-  ac_srcdir_defaulted=yes
-  # Try the directory containing this script, then its parent.
-  ac_confdir=`(dirname "$0") 2>/dev/null ||
-$as_expr X"$0" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
-	 X"$0" : 'X\(//\)[^/]' \| \
-	 X"$0" : 'X\(//\)$' \| \
-	 X"$0" : 'X\(/\)' \| \
-	 .     : '\(.\)' 2>/dev/null ||
-echo X"$0" |
-    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/; q; }
-  	  /^X\(\/\/\)[^/].*/{ s//\1/; q; }
-  	  /^X\(\/\/\)$/{ s//\1/; q; }
-  	  /^X\(\/\).*/{ s//\1/; q; }
-  	  s/.*/./; q'`
-  srcdir=$ac_confdir
-  if test ! -r $srcdir/$ac_unique_file; then
-    srcdir=..
-  fi
-else
-  ac_srcdir_defaulted=no
-fi
-if test ! -r $srcdir/$ac_unique_file; then
-  if test "$ac_srcdir_defaulted" = yes; then
-    { echo "$as_me: error: cannot find sources ($ac_unique_file) in $ac_confdir or .." >&2
-   { (exit 1); exit 1; }; }
-  else
-    { echo "$as_me: error: cannot find sources ($ac_unique_file) in $srcdir" >&2
-   { (exit 1); exit 1; }; }
-  fi
-fi
-(cd $srcdir && test -r ./$ac_unique_file) 2>/dev/null ||
-  { echo "$as_me: error: sources are in $srcdir, but \`cd $srcdir' does not work" >&2
-   { (exit 1); exit 1; }; }
-srcdir=`echo "$srcdir" | sed 's%\([^\\/]\)[\\/]*$%\1%'`
-ac_env_build_alias_set=${build_alias+set}
-ac_env_build_alias_value=$build_alias
-ac_cv_env_build_alias_set=${build_alias+set}
-ac_cv_env_build_alias_value=$build_alias
-ac_env_host_alias_set=${host_alias+set}
-ac_env_host_alias_value=$host_alias
-ac_cv_env_host_alias_set=${host_alias+set}
-ac_cv_env_host_alias_value=$host_alias
-ac_env_target_alias_set=${target_alias+set}
-ac_env_target_alias_value=$target_alias
-ac_cv_env_target_alias_set=${target_alias+set}
-ac_cv_env_target_alias_value=$target_alias
-ac_env_CC_set=${CC+set}
-ac_env_CC_value=$CC
-ac_cv_env_CC_set=${CC+set}
-ac_cv_env_CC_value=$CC
-ac_env_CFLAGS_set=${CFLAGS+set}
-ac_env_CFLAGS_value=$CFLAGS
-ac_cv_env_CFLAGS_set=${CFLAGS+set}
-ac_cv_env_CFLAGS_value=$CFLAGS
-ac_env_LDFLAGS_set=${LDFLAGS+set}
-ac_env_LDFLAGS_value=$LDFLAGS
-ac_cv_env_LDFLAGS_set=${LDFLAGS+set}
-ac_cv_env_LDFLAGS_value=$LDFLAGS
-ac_env_CPPFLAGS_set=${CPPFLAGS+set}
-ac_env_CPPFLAGS_value=$CPPFLAGS
-ac_cv_env_CPPFLAGS_set=${CPPFLAGS+set}
-ac_cv_env_CPPFLAGS_value=$CPPFLAGS
-ac_env_CPP_set=${CPP+set}
-ac_env_CPP_value=$CPP
-ac_cv_env_CPP_set=${CPP+set}
-ac_cv_env_CPP_value=$CPP
-
-#
-# Report the --help message.
-#
-if test "$ac_init_help" = "long"; then
-  # Omit some internal or obsolete options to make the list less imposing.
-  # This message is too long to be a string in the A/UX 3.1 sh.
-  cat <<_ACEOF
-\`configure' configures this package to adapt to many kinds of systems.
-
-Usage: $0 [OPTION]... [VAR=VALUE]...
-
-To assign environment variables (e.g., CC, CFLAGS...), specify them as
-VAR=VALUE.  See below for descriptions of some of the useful variables.
-
-Defaults for the options are specified in brackets.
-
-Configuration:
-  -h, --help              display this help and exit
-      --help=short        display options specific to this package
-      --help=recursive    display the short help of all the included packages
-  -V, --version           display version information and exit
-  -q, --quiet, --silent   do not print \`checking...' messages
-      --cache-file=FILE   cache test results in FILE [disabled]
-  -C, --config-cache      alias for \`--cache-file=config.cache'
-  -n, --no-create         do not create output files
-      --srcdir=DIR        find the sources in DIR [configure dir or \`..']
-
-_ACEOF
-
-  cat <<_ACEOF
-Installation directories:
-  --prefix=PREFIX         install architecture-independent files in PREFIX
-			  [$ac_default_prefix]
-  --exec-prefix=EPREFIX   install architecture-dependent files in EPREFIX
-			  [PREFIX]
-
-By default, \`make install' will install all the files in
-\`$ac_default_prefix/bin', \`$ac_default_prefix/lib' etc.  You can specify
-an installation prefix other than \`$ac_default_prefix' using \`--prefix',
-for instance \`--prefix=\$HOME'.
-
-For better control, use the options below.
-
-Fine tuning of the installation directories:
-  --bindir=DIR           user executables [EPREFIX/bin]
-  --sbindir=DIR          system admin executables [EPREFIX/sbin]
-  --libexecdir=DIR       program executables [EPREFIX/libexec]
-  --datadir=DIR          read-only architecture-independent data [PREFIX/share]
-  --sysconfdir=DIR       read-only single-machine data [PREFIX/etc]
-  --sharedstatedir=DIR   modifiable architecture-independent data [PREFIX/com]
-  --localstatedir=DIR    modifiable single-machine data [PREFIX/var]
-  --libdir=DIR           object code libraries [EPREFIX/lib]
-  --includedir=DIR       C header files [PREFIX/include]
-  --oldincludedir=DIR    C header files for non-gcc [/usr/include]
-  --infodir=DIR          info documentation [PREFIX/info]
-  --mandir=DIR           man documentation [PREFIX/man]
-_ACEOF
-
-  cat <<\_ACEOF
-_ACEOF
-fi
-
-if test -n "$ac_init_help"; then
-
-  cat <<\_ACEOF
-
-Some influential environment variables:
-  CC          C compiler command
-  CFLAGS      C compiler flags
-  LDFLAGS     linker flags, e.g. -L<lib dir> if you have libraries in a
-              nonstandard directory <lib dir>
-  CPPFLAGS    C/C++ preprocessor flags, e.g. -I<include dir> if you have
-              headers in a nonstandard directory <include dir>
-  CPP         C preprocessor
-
-Use these variables to override the choices made by `configure' or to help
-it to find libraries and programs with nonstandard names/locations.
-
-_ACEOF
-fi
-
-if test "$ac_init_help" = "recursive"; then
-  # If there are subdirs, report their specific --help.
-  ac_popdir=`pwd`
-  for ac_dir in : $ac_subdirs_all; do test "x$ac_dir" = x: && continue
-    test -d $ac_dir || continue
-    ac_builddir=.
-
-if test "$ac_dir" != .; then
-  ac_dir_suffix=/`echo "$ac_dir" | sed 's,^\.[\\/],,'`
-  # A "../" for each directory in $ac_dir_suffix.
-  ac_top_builddir=`echo "$ac_dir_suffix" | sed 's,/[^\\/]*,../,g'`
-else
-  ac_dir_suffix= ac_top_builddir=
-fi
-
-case $srcdir in
-  .)  # No --srcdir option.  We are building in place.
-    ac_srcdir=.
-    if test -z "$ac_top_builddir"; then
-       ac_top_srcdir=.
-    else
-       ac_top_srcdir=`echo $ac_top_builddir | sed 's,/$,,'`
-    fi ;;
-  [\\/]* | ?:[\\/]* )  # Absolute path.
-    ac_srcdir=$srcdir$ac_dir_suffix;
-    ac_top_srcdir=$srcdir ;;
-  *) # Relative path.
-    ac_srcdir=$ac_top_builddir$srcdir$ac_dir_suffix
-    ac_top_srcdir=$ac_top_builddir$srcdir ;;
-esac
-
-# Do not use `cd foo && pwd` to compute absolute paths, because
-# the directories may not exist.
-case `pwd` in
-.) ac_abs_builddir="$ac_dir";;
-*)
-  case "$ac_dir" in
-  .) ac_abs_builddir=`pwd`;;
-  [\\/]* | ?:[\\/]* ) ac_abs_builddir="$ac_dir";;
-  *) ac_abs_builddir=`pwd`/"$ac_dir";;
-  esac;;
-esac
-case $ac_abs_builddir in
-.) ac_abs_top_builddir=${ac_top_builddir}.;;
-*)
-  case ${ac_top_builddir}. in
-  .) ac_abs_top_builddir=$ac_abs_builddir;;
-  [\\/]* | ?:[\\/]* ) ac_abs_top_builddir=${ac_top_builddir}.;;
-  *) ac_abs_top_builddir=$ac_abs_builddir/${ac_top_builddir}.;;
-  esac;;
-esac
-case $ac_abs_builddir in
-.) ac_abs_srcdir=$ac_srcdir;;
-*)
-  case $ac_srcdir in
-  .) ac_abs_srcdir=$ac_abs_builddir;;
-  [\\/]* | ?:[\\/]* ) ac_abs_srcdir=$ac_srcdir;;
-  *) ac_abs_srcdir=$ac_abs_builddir/$ac_srcdir;;
-  esac;;
-esac
-case $ac_abs_builddir in
-.) ac_abs_top_srcdir=$ac_top_srcdir;;
-*)
-  case $ac_top_srcdir in
-  .) ac_abs_top_srcdir=$ac_abs_builddir;;
-  [\\/]* | ?:[\\/]* ) ac_abs_top_srcdir=$ac_top_srcdir;;
-  *) ac_abs_top_srcdir=$ac_abs_builddir/$ac_top_srcdir;;
-  esac;;
-esac
-
-    cd $ac_dir
-    # Check for guested configure; otherwise get Cygnus style configure.
-    if test -f $ac_srcdir/configure.gnu; then
-      echo
-      $SHELL $ac_srcdir/configure.gnu  --help=recursive
-    elif test -f $ac_srcdir/configure; then
-      echo
-      $SHELL $ac_srcdir/configure  --help=recursive
-    elif test -f $ac_srcdir/configure.ac ||
-	   test -f $ac_srcdir/configure.in; then
-      echo
-      $ac_configure --help
-    else
-      echo "$as_me: WARNING: no configuration information is in $ac_dir" >&2
-    fi
-    cd "$ac_popdir"
-  done
-fi
-
-test -n "$ac_init_help" && exit 0
-if $ac_init_version; then
-  cat <<\_ACEOF
-
-Copyright (C) 2003 Free Software Foundation, Inc.
-This configure script is free software; the Free Software Foundation
-gives unlimited permission to copy, distribute and modify it.
-_ACEOF
-  exit 0
-fi
-exec 5>config.log
-cat >&5 <<_ACEOF
-This file contains any messages produced by compilers while
-running configure, to aid debugging if configure makes a mistake.
-
-It was created by $as_me, which was
-generated by GNU Autoconf 2.59.  Invocation command line was
-
-  $ $0 $@
-
-_ACEOF
-{
-cat <<_ASUNAME
-## --------- ##
-## Platform. ##
-## --------- ##
-
-hostname = `(hostname || uname -n) 2>/dev/null | sed 1q`
-uname -m = `(uname -m) 2>/dev/null || echo unknown`
-uname -r = `(uname -r) 2>/dev/null || echo unknown`
-uname -s = `(uname -s) 2>/dev/null || echo unknown`
-uname -v = `(uname -v) 2>/dev/null || echo unknown`
-
-/usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null || echo unknown`
-/bin/uname -X     = `(/bin/uname -X) 2>/dev/null     || echo unknown`
-
-/bin/arch              = `(/bin/arch) 2>/dev/null              || echo unknown`
-/usr/bin/arch -k       = `(/usr/bin/arch -k) 2>/dev/null       || echo unknown`
-/usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null || echo unknown`
-hostinfo               = `(hostinfo) 2>/dev/null               || echo unknown`
-/bin/machine           = `(/bin/machine) 2>/dev/null           || echo unknown`
-/usr/bin/oslevel       = `(/usr/bin/oslevel) 2>/dev/null       || echo unknown`
-/bin/universe          = `(/bin/universe) 2>/dev/null          || echo unknown`
-
-_ASUNAME
-
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  echo "PATH: $as_dir"
-done
-
-} >&5
-
-cat >&5 <<_ACEOF
-
-
-## ----------- ##
-## Core tests. ##
-## ----------- ##
-
-_ACEOF
-
-
-# Keep a trace of the command line.
-# Strip out --no-create and --no-recursion so they do not pile up.
-# Strip out --silent because we don't want to record it for future runs.
-# Also quote any args containing shell meta-characters.
-# Make two passes to allow for proper duplicate-argument suppression.
-ac_configure_args=
-ac_configure_args0=
-ac_configure_args1=
-ac_sep=
-ac_must_keep_next=false
-for ac_pass in 1 2
-do
-  for ac_arg
-  do
-    case $ac_arg in
-    -no-create | --no-c* | -n | -no-recursion | --no-r*) continue ;;
-    -q | -quiet | --quiet | --quie | --qui | --qu | --q \
-    | -silent | --silent | --silen | --sile | --sil)
-      continue ;;
-    *" "*|*"	"*|*[\[\]\~\#\$\^\&\*\(\)\{\}\\\|\;\<\>\?\"\']*)
-      ac_arg=`echo "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;;
-    esac
-    case $ac_pass in
-    1) ac_configure_args0="$ac_configure_args0 '$ac_arg'" ;;
-    2)
-      ac_configure_args1="$ac_configure_args1 '$ac_arg'"
-      if test $ac_must_keep_next = true; then
-	ac_must_keep_next=false # Got value, back to normal.
-      else
-	case $ac_arg in
-	  *=* | --config-cache | -C | -disable-* | --disable-* \
-	  | -enable-* | --enable-* | -gas | --g* | -nfp | --nf* \
-	  | -q | -quiet | --q* | -silent | --sil* | -v | -verb* \
-	  | -with-* | --with-* | -without-* | --without-* | --x)
-	    case "$ac_configure_args0 " in
-	      "$ac_configure_args1"*" '$ac_arg' "* ) continue ;;
-	    esac
-	    ;;
-	  -* ) ac_must_keep_next=true ;;
-	esac
-      fi
-      ac_configure_args="$ac_configure_args$ac_sep'$ac_arg'"
-      # Get rid of the leading space.
-      ac_sep=" "
-      ;;
-    esac
-  done
-done
-$as_unset ac_configure_args0 || test "${ac_configure_args0+set}" != set || { ac_configure_args0=; export ac_configure_args0; }
-$as_unset ac_configure_args1 || test "${ac_configure_args1+set}" != set || { ac_configure_args1=; export ac_configure_args1; }
-
-# When interrupted or exit'd, cleanup temporary files, and complete
-# config.log.  We remove comments because anyway the quotes in there
-# would cause problems or look ugly.
-# WARNING: Be sure not to use single quotes in there, as some shells,
-# such as our DU 5.0 friend, will then `close' the trap.
-trap 'exit_status=$?
-  # Save into config.log some information that might help in debugging.
-  {
-    echo
-
-    cat <<\_ASBOX
-## ---------------- ##
-## Cache variables. ##
-## ---------------- ##
-_ASBOX
-    echo
-    # The following way of writing the cache mishandles newlines in values,
-{
-  (set) 2>&1 |
-    case `(ac_space='"'"' '"'"'; set | grep ac_space) 2>&1` in
-    *ac_space=\ *)
-      sed -n \
-	"s/'"'"'/'"'"'\\\\'"'"''"'"'/g;
-	  s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='"'"'\\2'"'"'/p"
-      ;;
-    *)
-      sed -n \
-	"s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1=\\2/p"
-      ;;
-    esac;
-}
-    echo
-
-    cat <<\_ASBOX
-## ----------------- ##
-## Output variables. ##
-## ----------------- ##
-_ASBOX
-    echo
-    for ac_var in $ac_subst_vars
-    do
-      eval ac_val=$`echo $ac_var`
-      echo "$ac_var='"'"'$ac_val'"'"'"
-    done | sort
-    echo
-
-    if test -n "$ac_subst_files"; then
-      cat <<\_ASBOX
-## ------------- ##
-## Output files. ##
-## ------------- ##
-_ASBOX
-      echo
-      for ac_var in $ac_subst_files
-      do
-	eval ac_val=$`echo $ac_var`
-	echo "$ac_var='"'"'$ac_val'"'"'"
-      done | sort
-      echo
-    fi
-
-    if test -s confdefs.h; then
-      cat <<\_ASBOX
-## ----------- ##
-## confdefs.h. ##
-## ----------- ##
-_ASBOX
-      echo
-      sed "/^$/d" confdefs.h | sort
-      echo
-    fi
-    test "$ac_signal" != 0 &&
-      echo "$as_me: caught signal $ac_signal"
-    echo "$as_me: exit $exit_status"
-  } >&5
-  rm -f core *.core &&
-  rm -rf conftest* confdefs* conf$$* $ac_clean_files &&
-    exit $exit_status
-     ' 0
-for ac_signal in 1 2 13 15; do
-  trap 'ac_signal='$ac_signal'; { (exit 1); exit 1; }' $ac_signal
-done
-ac_signal=0
-
-# confdefs.h avoids OS command line length limits that DEFS can exceed.
-rm -rf conftest* confdefs.h
-# AIX cpp loses on an empty file, so make sure it contains at least a newline.
-echo >confdefs.h
-
-# Predefined preprocessor variables.
-
-cat >>confdefs.h <<_ACEOF
-#define PACKAGE_NAME "$PACKAGE_NAME"
-_ACEOF
-
-
-cat >>confdefs.h <<_ACEOF
-#define PACKAGE_TARNAME "$PACKAGE_TARNAME"
-_ACEOF
-
-
-cat >>confdefs.h <<_ACEOF
-#define PACKAGE_VERSION "$PACKAGE_VERSION"
-_ACEOF
-
-
-cat >>confdefs.h <<_ACEOF
-#define PACKAGE_STRING "$PACKAGE_STRING"
-_ACEOF
-
-
-cat >>confdefs.h <<_ACEOF
-#define PACKAGE_BUGREPORT "$PACKAGE_BUGREPORT"
-_ACEOF
-
-
-# Let the site file select an alternate cache file if it wants to.
-# Prefer explicitly selected file to automatically selected ones.
-if test -z "$CONFIG_SITE"; then
-  if test "x$prefix" != xNONE; then
-    CONFIG_SITE="$prefix/share/config.site $prefix/etc/config.site"
-  else
-    CONFIG_SITE="$ac_default_prefix/share/config.site $ac_default_prefix/etc/config.site"
-  fi
-fi
-for ac_site_file in $CONFIG_SITE; do
-  if test -r "$ac_site_file"; then
-    { echo "$as_me:$LINENO: loading site script $ac_site_file" >&5
-echo "$as_me: loading site script $ac_site_file" >&6;}
-    sed 's/^/| /' "$ac_site_file" >&5
-    . "$ac_site_file"
-  fi
-done
-
-if test -r "$cache_file"; then
-  # Some versions of bash will fail to source /dev/null (special
-  # files actually), so we avoid doing that.
-  if test -f "$cache_file"; then
-    { echo "$as_me:$LINENO: loading cache $cache_file" >&5
-echo "$as_me: loading cache $cache_file" >&6;}
-    case $cache_file in
-      [\\/]* | ?:[\\/]* ) . $cache_file;;
-      *)                      . ./$cache_file;;
-    esac
-  fi
-else
-  { echo "$as_me:$LINENO: creating cache $cache_file" >&5
-echo "$as_me: creating cache $cache_file" >&6;}
-  >$cache_file
-fi
-
-# Check that the precious variables saved in the cache have kept the same
-# value.
-ac_cache_corrupted=false
-for ac_var in `(set) 2>&1 |
-	       sed -n 's/^ac_env_\([a-zA-Z_0-9]*\)_set=.*/\1/p'`; do
-  eval ac_old_set=\$ac_cv_env_${ac_var}_set
-  eval ac_new_set=\$ac_env_${ac_var}_set
-  eval ac_old_val="\$ac_cv_env_${ac_var}_value"
-  eval ac_new_val="\$ac_env_${ac_var}_value"
-  case $ac_old_set,$ac_new_set in
-    set,)
-      { echo "$as_me:$LINENO: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5
-echo "$as_me: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&2;}
-      ac_cache_corrupted=: ;;
-    ,set)
-      { echo "$as_me:$LINENO: error: \`$ac_var' was not set in the previous run" >&5
-echo "$as_me: error: \`$ac_var' was not set in the previous run" >&2;}
-      ac_cache_corrupted=: ;;
-    ,);;
-    *)
-      if test "x$ac_old_val" != "x$ac_new_val"; then
-	{ echo "$as_me:$LINENO: error: \`$ac_var' has changed since the previous run:" >&5
-echo "$as_me: error: \`$ac_var' has changed since the previous run:" >&2;}
-	{ echo "$as_me:$LINENO:   former value:  $ac_old_val" >&5
-echo "$as_me:   former value:  $ac_old_val" >&2;}
-	{ echo "$as_me:$LINENO:   current value: $ac_new_val" >&5
-echo "$as_me:   current value: $ac_new_val" >&2;}
-	ac_cache_corrupted=:
-      fi;;
-  esac
-  # Pass precious variables to config.status.
-  if test "$ac_new_set" = set; then
-    case $ac_new_val in
-    *" "*|*"	"*|*[\[\]\~\#\$\^\&\*\(\)\{\}\\\|\;\<\>\?\"\']*)
-      ac_arg=$ac_var=`echo "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;;
-    *) ac_arg=$ac_var=$ac_new_val ;;
-    esac
-    case " $ac_configure_args " in
-      *" '$ac_arg' "*) ;; # Avoid dups.  Use of quotes ensures accuracy.
-      *) ac_configure_args="$ac_configure_args '$ac_arg'" ;;
-    esac
-  fi
-done
-if $ac_cache_corrupted; then
-  { echo "$as_me:$LINENO: error: changes in the environment can compromise the build" >&5
-echo "$as_me: error: changes in the environment can compromise the build" >&2;}
-  { { echo "$as_me:$LINENO: error: run \`make distclean' and/or \`rm $cache_file' and start over" >&5
-echo "$as_me: error: run \`make distclean' and/or \`rm $cache_file' and start over" >&2;}
-   { (exit 1); exit 1; }; }
-fi
-
-ac_ext=c
-ac_cpp='$CPP $CPPFLAGS'
-ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_c_compiler_gnu
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-ac_ext=c
-ac_cpp='$CPP $CPPFLAGS'
-ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_c_compiler_gnu
-if test -n "$ac_tool_prefix"; then
-  # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args.
-set dummy ${ac_tool_prefix}gcc; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
-if test "${ac_cv_prog_CC+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -n "$CC"; then
-  ac_cv_prog_CC="$CC" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
-    ac_cv_prog_CC="${ac_tool_prefix}gcc"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-
-fi
-fi
-CC=$ac_cv_prog_CC
-if test -n "$CC"; then
-  echo "$as_me:$LINENO: result: $CC" >&5
-echo "${ECHO_T}$CC" >&6
-else
-  echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-fi
-
-fi
-if test -z "$ac_cv_prog_CC"; then
-  ac_ct_CC=$CC
-  # Extract the first word of "gcc", so it can be a program name with args.
-set dummy gcc; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
-if test "${ac_cv_prog_ac_ct_CC+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -n "$ac_ct_CC"; then
-  ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
-    ac_cv_prog_ac_ct_CC="gcc"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-
-fi
-fi
-ac_ct_CC=$ac_cv_prog_ac_ct_CC
-if test -n "$ac_ct_CC"; then
-  echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
-echo "${ECHO_T}$ac_ct_CC" >&6
-else
-  echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-fi
-
-  CC=$ac_ct_CC
-else
-  CC="$ac_cv_prog_CC"
-fi
-
-if test -z "$CC"; then
-  if test -n "$ac_tool_prefix"; then
-  # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args.
-set dummy ${ac_tool_prefix}cc; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
-if test "${ac_cv_prog_CC+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -n "$CC"; then
-  ac_cv_prog_CC="$CC" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
-    ac_cv_prog_CC="${ac_tool_prefix}cc"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-
-fi
-fi
-CC=$ac_cv_prog_CC
-if test -n "$CC"; then
-  echo "$as_me:$LINENO: result: $CC" >&5
-echo "${ECHO_T}$CC" >&6
-else
-  echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-fi
-
-fi
-if test -z "$ac_cv_prog_CC"; then
-  ac_ct_CC=$CC
-  # Extract the first word of "cc", so it can be a program name with args.
-set dummy cc; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
-if test "${ac_cv_prog_ac_ct_CC+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -n "$ac_ct_CC"; then
-  ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
-    ac_cv_prog_ac_ct_CC="cc"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-
-fi
-fi
-ac_ct_CC=$ac_cv_prog_ac_ct_CC
-if test -n "$ac_ct_CC"; then
-  echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
-echo "${ECHO_T}$ac_ct_CC" >&6
-else
-  echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-fi
-
-  CC=$ac_ct_CC
-else
-  CC="$ac_cv_prog_CC"
-fi
-
-fi
-if test -z "$CC"; then
-  # Extract the first word of "cc", so it can be a program name with args.
-set dummy cc; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
-if test "${ac_cv_prog_CC+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -n "$CC"; then
-  ac_cv_prog_CC="$CC" # Let the user override the test.
-else
-  ac_prog_rejected=no
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
-    if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then
-       ac_prog_rejected=yes
-       continue
-     fi
-    ac_cv_prog_CC="cc"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-
-if test $ac_prog_rejected = yes; then
-  # We found a bogon in the path, so make sure we never use it.
-  set dummy $ac_cv_prog_CC
-  shift
-  if test $# != 0; then
-    # We chose a different compiler from the bogus one.
-    # However, it has the same basename, so the bogon will be chosen
-    # first if we set CC to just the basename; use the full file name.
-    shift
-    ac_cv_prog_CC="$as_dir/$ac_word${1+' '}$@"
-  fi
-fi
-fi
-fi
-CC=$ac_cv_prog_CC
-if test -n "$CC"; then
-  echo "$as_me:$LINENO: result: $CC" >&5
-echo "${ECHO_T}$CC" >&6
-else
-  echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-fi
-
-fi
-if test -z "$CC"; then
-  if test -n "$ac_tool_prefix"; then
-  for ac_prog in cl
-  do
-    # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args.
-set dummy $ac_tool_prefix$ac_prog; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
-if test "${ac_cv_prog_CC+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -n "$CC"; then
-  ac_cv_prog_CC="$CC" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
-    ac_cv_prog_CC="$ac_tool_prefix$ac_prog"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-
-fi
-fi
-CC=$ac_cv_prog_CC
-if test -n "$CC"; then
-  echo "$as_me:$LINENO: result: $CC" >&5
-echo "${ECHO_T}$CC" >&6
-else
-  echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-fi
-
-    test -n "$CC" && break
-  done
-fi
-if test -z "$CC"; then
-  ac_ct_CC=$CC
-  for ac_prog in cl
-do
-  # Extract the first word of "$ac_prog", so it can be a program name with args.
-set dummy $ac_prog; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
-if test "${ac_cv_prog_ac_ct_CC+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -n "$ac_ct_CC"; then
-  ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
-    ac_cv_prog_ac_ct_CC="$ac_prog"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-
-fi
-fi
-ac_ct_CC=$ac_cv_prog_ac_ct_CC
-if test -n "$ac_ct_CC"; then
-  echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
-echo "${ECHO_T}$ac_ct_CC" >&6
-else
-  echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-fi
-
-  test -n "$ac_ct_CC" && break
-done
-
-  CC=$ac_ct_CC
-fi
-
-fi
-
-
-test -z "$CC" && { { echo "$as_me:$LINENO: error: no acceptable C compiler found in \$PATH
-See \`config.log' for more details." >&5
-echo "$as_me: error: no acceptable C compiler found in \$PATH
-See \`config.log' for more details." >&2;}
-   { (exit 1); exit 1; }; }
-
-# Provide some information about the compiler.
-echo "$as_me:$LINENO:" \
-     "checking for C compiler version" >&5
-ac_compiler=`set X $ac_compile; echo $2`
-{ (eval echo "$as_me:$LINENO: \"$ac_compiler --version </dev/null >&5\"") >&5
-  (eval $ac_compiler --version </dev/null >&5) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }
-{ (eval echo "$as_me:$LINENO: \"$ac_compiler -v </dev/null >&5\"") >&5
-  (eval $ac_compiler -v </dev/null >&5) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }
-{ (eval echo "$as_me:$LINENO: \"$ac_compiler -V </dev/null >&5\"") >&5
-  (eval $ac_compiler -V </dev/null >&5) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }
-
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-int
-main ()
-{
-
-  ;
-  return 0;
-}
-_ACEOF
-ac_clean_files_save=$ac_clean_files
-ac_clean_files="$ac_clean_files a.out a.exe b.out"
-# Try to create an executable without -o first, disregard a.out.
-# It will help us diagnose broken compilers, and finding out an intuition
-# of exeext.
-echo "$as_me:$LINENO: checking for C compiler default output file name" >&5
-echo $ECHO_N "checking for C compiler default output file name... $ECHO_C" >&6
-ac_link_default=`echo "$ac_link" | sed 's/ -o *conftest[^ ]*//'`
-if { (eval echo "$as_me:$LINENO: \"$ac_link_default\"") >&5
-  (eval $ac_link_default) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; then
-  # Find the output, starting from the most likely.  This scheme is
-# not robust to junk in `.', hence go to wildcards (a.*) only as a last
-# resort.
-
-# Be careful to initialize this variable, since it used to be cached.
-# Otherwise an old cache value of `no' led to `EXEEXT = no' in a Makefile.
-ac_cv_exeext=
-# b.out is created by i960 compilers.
-for ac_file in a_out.exe a.exe conftest.exe a.out conftest a.* conftest.* b.out
-do
-  test -f "$ac_file" || continue
-  case $ac_file in
-    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.o | *.obj )
-	;;
-    conftest.$ac_ext )
-	# This is the source file.
-	;;
-    [ab].out )
-	# We found the default executable, but exeext='' is most
-	# certainly right.
-	break;;
-    *.* )
-	ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'`
-	# FIXME: I believe we export ac_cv_exeext for Libtool,
-	# but it would be cool to find out if it's true.  Does anybody
-	# maintain Libtool? --akim.
-	export ac_cv_exeext
-	break;;
-    * )
-	break;;
-  esac
-done
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-{ { echo "$as_me:$LINENO: error: C compiler cannot create executables
-See \`config.log' for more details." >&5
-echo "$as_me: error: C compiler cannot create executables
-See \`config.log' for more details." >&2;}
-   { (exit 77); exit 77; }; }
-fi
-
-ac_exeext=$ac_cv_exeext
-echo "$as_me:$LINENO: result: $ac_file" >&5
-echo "${ECHO_T}$ac_file" >&6
-
-# Check the compiler produces executables we can run.  If not, either
-# the compiler is broken, or we cross compile.
-echo "$as_me:$LINENO: checking whether the C compiler works" >&5
-echo $ECHO_N "checking whether the C compiler works... $ECHO_C" >&6
-# FIXME: These cross compiler hacks should be removed for Autoconf 3.0
-# If not cross compiling, check that we can run a simple program.
-if test "$cross_compiling" != yes; then
-  if { ac_try='./$ac_file'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-    cross_compiling=no
-  else
-    if test "$cross_compiling" = maybe; then
-	cross_compiling=yes
-    else
-	{ { echo "$as_me:$LINENO: error: cannot run C compiled programs.
-If you meant to cross compile, use \`--host'.
-See \`config.log' for more details." >&5
-echo "$as_me: error: cannot run C compiled programs.
-If you meant to cross compile, use \`--host'.
-See \`config.log' for more details." >&2;}
-   { (exit 1); exit 1; }; }
-    fi
-  fi
-fi
-echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
-
-rm -f a.out a.exe conftest$ac_cv_exeext b.out
-ac_clean_files=$ac_clean_files_save
-# Check the compiler produces executables we can run.  If not, either
-# the compiler is broken, or we cross compile.
-echo "$as_me:$LINENO: checking whether we are cross compiling" >&5
-echo $ECHO_N "checking whether we are cross compiling... $ECHO_C" >&6
-echo "$as_me:$LINENO: result: $cross_compiling" >&5
-echo "${ECHO_T}$cross_compiling" >&6
-
-echo "$as_me:$LINENO: checking for suffix of executables" >&5
-echo $ECHO_N "checking for suffix of executables... $ECHO_C" >&6
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; then
-  # If both `conftest.exe' and `conftest' are `present' (well, observable)
-# catch `conftest.exe'.  For instance with Cygwin, `ls conftest' will
-# work properly (i.e., refer to `conftest.exe'), while it won't with
-# `rm'.
-for ac_file in conftest.exe conftest conftest.*; do
-  test -f "$ac_file" || continue
-  case $ac_file in
-    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.o | *.obj ) ;;
-    *.* ) ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'`
-	  export ac_cv_exeext
-	  break;;
-    * ) break;;
-  esac
-done
-else
-  { { echo "$as_me:$LINENO: error: cannot compute suffix of executables: cannot compile and link
-See \`config.log' for more details." >&5
-echo "$as_me: error: cannot compute suffix of executables: cannot compile and link
-See \`config.log' for more details." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-
-rm -f conftest$ac_cv_exeext
-echo "$as_me:$LINENO: result: $ac_cv_exeext" >&5
-echo "${ECHO_T}$ac_cv_exeext" >&6
-
-rm -f conftest.$ac_ext
-EXEEXT=$ac_cv_exeext
-ac_exeext=$EXEEXT
-echo "$as_me:$LINENO: checking for suffix of object files" >&5
-echo $ECHO_N "checking for suffix of object files... $ECHO_C" >&6
-if test "${ac_cv_objext+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-int
-main ()
-{
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.o conftest.obj
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; then
-  for ac_file in `(ls conftest.o conftest.obj; ls conftest.*) 2>/dev/null`; do
-  case $ac_file in
-    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg ) ;;
-    *) ac_cv_objext=`expr "$ac_file" : '.*\.\(.*\)'`
-       break;;
-  esac
-done
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-{ { echo "$as_me:$LINENO: error: cannot compute suffix of object files: cannot compile
-See \`config.log' for more details." >&5
-echo "$as_me: error: cannot compute suffix of object files: cannot compile
-See \`config.log' for more details." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-
-rm -f conftest.$ac_cv_objext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_objext" >&5
-echo "${ECHO_T}$ac_cv_objext" >&6
-OBJEXT=$ac_cv_objext
-ac_objext=$OBJEXT
-echo "$as_me:$LINENO: checking whether we are using the GNU C compiler" >&5
-echo $ECHO_N "checking whether we are using the GNU C compiler... $ECHO_C" >&6
-if test "${ac_cv_c_compiler_gnu+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-int
-main ()
-{
-#ifndef __GNUC__
-       choke me
-#endif
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_compiler_gnu=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_compiler_gnu=no
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-ac_cv_c_compiler_gnu=$ac_compiler_gnu
-
-fi
-echo "$as_me:$LINENO: result: $ac_cv_c_compiler_gnu" >&5
-echo "${ECHO_T}$ac_cv_c_compiler_gnu" >&6
-GCC=`test $ac_compiler_gnu = yes && echo yes`
-ac_test_CFLAGS=${CFLAGS+set}
-ac_save_CFLAGS=$CFLAGS
-CFLAGS="-g"
-echo "$as_me:$LINENO: checking whether $CC accepts -g" >&5
-echo $ECHO_N "checking whether $CC accepts -g... $ECHO_C" >&6
-if test "${ac_cv_prog_cc_g+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-int
-main ()
-{
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_prog_cc_g=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_prog_cc_g=no
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_prog_cc_g" >&5
-echo "${ECHO_T}$ac_cv_prog_cc_g" >&6
-if test "$ac_test_CFLAGS" = set; then
-  CFLAGS=$ac_save_CFLAGS
-elif test $ac_cv_prog_cc_g = yes; then
-  if test "$GCC" = yes; then
-    CFLAGS="-g -O2"
-  else
-    CFLAGS="-g"
-  fi
-else
-  if test "$GCC" = yes; then
-    CFLAGS="-O2"
-  else
-    CFLAGS=
-  fi
-fi
-echo "$as_me:$LINENO: checking for $CC option to accept ANSI C" >&5
-echo $ECHO_N "checking for $CC option to accept ANSI C... $ECHO_C" >&6
-if test "${ac_cv_prog_cc_stdc+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_cv_prog_cc_stdc=no
-ac_save_CC=$CC
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <stdarg.h>
-#include <stdio.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-/* Most of the following tests are stolen from RCS 5.7's src/conf.sh.  */
-struct buf { int x; };
-FILE * (*rcsopen) (struct buf *, struct stat *, int);
-static char *e (p, i)
-     char **p;
-     int i;
-{
-  return p[i];
-}
-static char *f (char * (*g) (char **, int), char **p, ...)
-{
-  char *s;
-  va_list v;
-  va_start (v,p);
-  s = g (p, va_arg (v,int));
-  va_end (v);
-  return s;
-}
-
-/* OSF 4.0 Compaq cc is some sort of almost-ANSI by default.  It has
-   function prototypes and stuff, but not '\xHH' hex character constants.
-   These don't provoke an error unfortunately, instead are silently treated
-   as 'x'.  The following induces an error, until -std1 is added to get
-   proper ANSI mode.  Curiously '\x00'!='x' always comes out true, for an
-   array size at least.  It's necessary to write '\x00'==0 to get something
-   that's true only with -std1.  */
-int osf4_cc_array ['\x00' == 0 ? 1 : -1];
-
-int test (int i, double x);
-struct s1 {int (*f) (int a);};
-struct s2 {int (*f) (double a);};
-int pairnames (int, char **, FILE *(*)(struct buf *, struct stat *, int), int, int);
-int argc;
-char **argv;
-int
-main ()
-{
-return f (e, argv, 0) != argv[0]  ||  f (e, argv, 1) != argv[1];
-  ;
-  return 0;
-}
-_ACEOF
-# Don't try gcc -ansi; that turns off useful extensions and
-# breaks some systems' header files.
-# AIX			-qlanglvl=ansi
-# Ultrix and OSF/1	-std1
-# HP-UX 10.20 and later	-Ae
-# HP-UX older versions	-Aa -D_HPUX_SOURCE
-# SVR4			-Xc -D__EXTENSIONS__
-for ac_arg in "" -qlanglvl=ansi -std1 -Ae "-Aa -D_HPUX_SOURCE" "-Xc -D__EXTENSIONS__"
-do
-  CC="$ac_save_CC $ac_arg"
-  rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_prog_cc_stdc=$ac_arg
-break
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-fi
-rm -f conftest.err conftest.$ac_objext
-done
-rm -f conftest.$ac_ext conftest.$ac_objext
-CC=$ac_save_CC
-
-fi
-
-case "x$ac_cv_prog_cc_stdc" in
-  x|xno)
-    echo "$as_me:$LINENO: result: none needed" >&5
-echo "${ECHO_T}none needed" >&6 ;;
-  *)
-    echo "$as_me:$LINENO: result: $ac_cv_prog_cc_stdc" >&5
-echo "${ECHO_T}$ac_cv_prog_cc_stdc" >&6
-    CC="$CC $ac_cv_prog_cc_stdc" ;;
-esac
-
-# Some people use a C++ compiler to compile C.  Since we use `exit',
-# in C++ we need to declare it.  In case someone uses the same compiler
-# for both compiling C and C++ we need to have the C++ compiler decide
-# the declaration of exit, since it's the most demanding environment.
-cat >conftest.$ac_ext <<_ACEOF
-#ifndef __cplusplus
-  choke me
-#endif
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  for ac_declaration in \
-   '' \
-   'extern "C" void std::exit (int) throw (); using std::exit;' \
-   'extern "C" void std::exit (int); using std::exit;' \
-   'extern "C" void exit (int) throw ();' \
-   'extern "C" void exit (int);' \
-   'void exit (int);'
-do
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_declaration
-#include <stdlib.h>
-int
-main ()
-{
-exit (42);
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  :
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-continue
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_declaration
-int
-main ()
-{
-exit (42);
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  break
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-done
-rm -f conftest*
-if test -n "$ac_declaration"; then
-  echo '#ifdef __cplusplus' >>confdefs.h
-  echo $ac_declaration      >>confdefs.h
-  echo '#endif'             >>confdefs.h
-fi
-
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-ac_ext=c
-ac_cpp='$CPP $CPPFLAGS'
-ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_c_compiler_gnu
-
-if test "$GCC" = "yes"; then
-	CFLAGS="${CFLAGS} -Wall"
-fi
-ac_aux_dir=
-for ac_dir in $srcdir $srcdir/.. $srcdir/../..; do
-  if test -f $ac_dir/install-sh; then
-    ac_aux_dir=$ac_dir
-    ac_install_sh="$ac_aux_dir/install-sh -c"
-    break
-  elif test -f $ac_dir/install.sh; then
-    ac_aux_dir=$ac_dir
-    ac_install_sh="$ac_aux_dir/install.sh -c"
-    break
-  elif test -f $ac_dir/shtool; then
-    ac_aux_dir=$ac_dir
-    ac_install_sh="$ac_aux_dir/shtool install -c"
-    break
-  fi
-done
-if test -z "$ac_aux_dir"; then
-  { { echo "$as_me:$LINENO: error: cannot find install-sh or install.sh in $srcdir $srcdir/.. $srcdir/../.." >&5
-echo "$as_me: error: cannot find install-sh or install.sh in $srcdir $srcdir/.. $srcdir/../.." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-ac_config_guess="$SHELL $ac_aux_dir/config.guess"
-ac_config_sub="$SHELL $ac_aux_dir/config.sub"
-ac_configure="$SHELL $ac_aux_dir/configure" # This should be Cygnus configure.
-
-# Find a good install program.  We prefer a C program (faster),
-# so one script is as good as another.  But avoid the broken or
-# incompatible versions:
-# SysV /etc/install, /usr/sbin/install
-# SunOS /usr/etc/install
-# IRIX /sbin/install
-# AIX /bin/install
-# AmigaOS /C/install, which installs bootblocks on floppy discs
-# AIX 4 /usr/bin/installbsd, which doesn't work without a -g flag
-# AFS /usr/afsws/bin/install, which mishandles nonexistent args
-# SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff"
-# OS/2's system install, which has a completely different semantic
-# ./install, which can be erroneously created by make from ./install.sh.
-echo "$as_me:$LINENO: checking for a BSD-compatible install" >&5
-echo $ECHO_N "checking for a BSD-compatible install... $ECHO_C" >&6
-if test -z "$INSTALL"; then
-if test "${ac_cv_path_install+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  # Account for people who put trailing slashes in PATH elements.
-case $as_dir/ in
-  ./ | .// | /cC/* | \
-  /etc/* | /usr/sbin/* | /usr/etc/* | /sbin/* | /usr/afsws/bin/* | \
-  ?:\\/os2\\/install\\/* | ?:\\/OS2\\/INSTALL\\/* | \
-  /usr/ucb/* ) ;;
-  *)
-    # OSF1 and SCO ODT 3.0 have their own names for install.
-    # Don't use installbsd from OSF since it installs stuff as root
-    # by default.
-    for ac_prog in ginstall scoinst install; do
-      for ac_exec_ext in '' $ac_executable_extensions; do
-	if $as_executable_p "$as_dir/$ac_prog$ac_exec_ext"; then
-	  if test $ac_prog = install &&
-	    grep dspmsg "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then
-	    # AIX install.  It has an incompatible calling convention.
-	    :
-	  elif test $ac_prog = install &&
-	    grep pwplus "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then
-	    # program-specific install script used by HP pwplus--don't use.
-	    :
-	  else
-	    ac_cv_path_install="$as_dir/$ac_prog$ac_exec_ext -c"
-	    break 3
-	  fi
-	fi
-      done
-    done
-    ;;
-esac
-done
-
-
-fi
-  if test "${ac_cv_path_install+set}" = set; then
-    INSTALL=$ac_cv_path_install
-  else
-    # As a last resort, use the slow shell script.  We don't cache a
-    # path for INSTALL within a source directory, because that will
-    # break other packages using the cache if that directory is
-    # removed, or if the path is relative.
-    INSTALL=$ac_install_sh
-  fi
-fi
-echo "$as_me:$LINENO: result: $INSTALL" >&5
-echo "${ECHO_T}$INSTALL" >&6
-
-# Use test -z because SunOS4 sh mishandles braces in ${var-val}.
-# It thinks the first close brace ends the variable substitution.
-test -z "$INSTALL_PROGRAM" && INSTALL_PROGRAM='${INSTALL}'
-
-test -z "$INSTALL_SCRIPT" && INSTALL_SCRIPT='${INSTALL}'
-
-test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644'
-
-
-
-
-echo "$as_me:$LINENO: checking for res_query in -lresolv" >&5
-echo $ECHO_N "checking for res_query in -lresolv... $ECHO_C" >&6
-if test "${ac_cv_lib_resolv_res_query+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-lresolv  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-/* Override any gcc2 internal prototype to avoid an error.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
-char res_query ();
-int
-main ()
-{
-res_query ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_lib_resolv_res_query=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_lib_resolv_res_query=no
-fi
-rm -f conftest.err conftest.$ac_objext \
-      conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_resolv_res_query" >&5
-echo "${ECHO_T}$ac_cv_lib_resolv_res_query" >&6
-if test $ac_cv_lib_resolv_res_query = yes; then
-  cat >>confdefs.h <<_ACEOF
-#define HAVE_LIBRESOLV 1
-_ACEOF
-
-  LIBS="-lresolv $LIBS"
-
-fi
-
-
-ac_ext=c
-ac_cpp='$CPP $CPPFLAGS'
-ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_c_compiler_gnu
-echo "$as_me:$LINENO: checking how to run the C preprocessor" >&5
-echo $ECHO_N "checking how to run the C preprocessor... $ECHO_C" >&6
-# On Suns, sometimes $CPP names a directory.
-if test -n "$CPP" && test -d "$CPP"; then
-  CPP=
-fi
-if test -z "$CPP"; then
-  if test "${ac_cv_prog_CPP+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-      # Double quotes because CPP needs to be expanded
-    for CPP in "$CC -E" "$CC -E -traditional-cpp" "/lib/cpp"
-    do
-      ac_preproc_ok=false
-for ac_c_preproc_warn_flag in '' yes
-do
-  # Use a header file that comes with gcc, so configuring glibc
-  # with a fresh cross-compiler works.
-  # Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
-  # <limits.h> exists even on freestanding compilers.
-  # On the NeXT, cc -E runs the code through the compiler's parser,
-  # not just through cpp. "Syntax error" is here to catch this case.
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-		     Syntax error
-_ACEOF
-if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
-  (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null; then
-  if test -s conftest.err; then
-    ac_cpp_err=$ac_c_preproc_warn_flag
-    ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
-  else
-    ac_cpp_err=
-  fi
-else
-  ac_cpp_err=yes
-fi
-if test -z "$ac_cpp_err"; then
-  :
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-  # Broken: fails on valid input.
-continue
-fi
-rm -f conftest.err conftest.$ac_ext
-
-  # OK, works on sane cases.  Now check whether non-existent headers
-  # can be detected and how.
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <ac_nonexistent.h>
-_ACEOF
-if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
-  (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null; then
-  if test -s conftest.err; then
-    ac_cpp_err=$ac_c_preproc_warn_flag
-    ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
-  else
-    ac_cpp_err=
-  fi
-else
-  ac_cpp_err=yes
-fi
-if test -z "$ac_cpp_err"; then
-  # Broken: success on invalid input.
-continue
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-  # Passes both tests.
-ac_preproc_ok=:
-break
-fi
-rm -f conftest.err conftest.$ac_ext
-
-done
-# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped.
-rm -f conftest.err conftest.$ac_ext
-if $ac_preproc_ok; then
-  break
-fi
-
-    done
-    ac_cv_prog_CPP=$CPP
-
-fi
-  CPP=$ac_cv_prog_CPP
-else
-  ac_cv_prog_CPP=$CPP
-fi
-echo "$as_me:$LINENO: result: $CPP" >&5
-echo "${ECHO_T}$CPP" >&6
-ac_preproc_ok=false
-for ac_c_preproc_warn_flag in '' yes
-do
-  # Use a header file that comes with gcc, so configuring glibc
-  # with a fresh cross-compiler works.
-  # Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
-  # <limits.h> exists even on freestanding compilers.
-  # On the NeXT, cc -E runs the code through the compiler's parser,
-  # not just through cpp. "Syntax error" is here to catch this case.
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-		     Syntax error
-_ACEOF
-if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
-  (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null; then
-  if test -s conftest.err; then
-    ac_cpp_err=$ac_c_preproc_warn_flag
-    ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
-  else
-    ac_cpp_err=
-  fi
-else
-  ac_cpp_err=yes
-fi
-if test -z "$ac_cpp_err"; then
-  :
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-  # Broken: fails on valid input.
-continue
-fi
-rm -f conftest.err conftest.$ac_ext
-
-  # OK, works on sane cases.  Now check whether non-existent headers
-  # can be detected and how.
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <ac_nonexistent.h>
-_ACEOF
-if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
-  (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null; then
-  if test -s conftest.err; then
-    ac_cpp_err=$ac_c_preproc_warn_flag
-    ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
-  else
-    ac_cpp_err=
-  fi
-else
-  ac_cpp_err=yes
-fi
-if test -z "$ac_cpp_err"; then
-  # Broken: success on invalid input.
-continue
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-  # Passes both tests.
-ac_preproc_ok=:
-break
-fi
-rm -f conftest.err conftest.$ac_ext
-
-done
-# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped.
-rm -f conftest.err conftest.$ac_ext
-if $ac_preproc_ok; then
-  :
-else
-  { { echo "$as_me:$LINENO: error: C preprocessor \"$CPP\" fails sanity check
-See \`config.log' for more details." >&5
-echo "$as_me: error: C preprocessor \"$CPP\" fails sanity check
-See \`config.log' for more details." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-
-ac_ext=c
-ac_cpp='$CPP $CPPFLAGS'
-ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_c_compiler_gnu
-
-
-echo "$as_me:$LINENO: checking for egrep" >&5
-echo $ECHO_N "checking for egrep... $ECHO_C" >&6
-if test "${ac_cv_prog_egrep+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if echo a | (grep -E '(a|b)') >/dev/null 2>&1
-    then ac_cv_prog_egrep='grep -E'
-    else ac_cv_prog_egrep='egrep'
-    fi
-fi
-echo "$as_me:$LINENO: result: $ac_cv_prog_egrep" >&5
-echo "${ECHO_T}$ac_cv_prog_egrep" >&6
- EGREP=$ac_cv_prog_egrep
-
-
-echo "$as_me:$LINENO: checking for ANSI C header files" >&5
-echo $ECHO_N "checking for ANSI C header files... $ECHO_C" >&6
-if test "${ac_cv_header_stdc+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <stdlib.h>
-#include <stdarg.h>
-#include <string.h>
-#include <float.h>
-
-int
-main ()
-{
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_header_stdc=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_header_stdc=no
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
-if test $ac_cv_header_stdc = yes; then
-  # SunOS 4.x string.h does not declare mem*, contrary to ANSI.
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <string.h>
-
-_ACEOF
-if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
-  $EGREP "memchr" >/dev/null 2>&1; then
-  :
-else
-  ac_cv_header_stdc=no
-fi
-rm -f conftest*
-
-fi
-
-if test $ac_cv_header_stdc = yes; then
-  # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI.
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <stdlib.h>
-
-_ACEOF
-if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
-  $EGREP "free" >/dev/null 2>&1; then
-  :
-else
-  ac_cv_header_stdc=no
-fi
-rm -f conftest*
-
-fi
-
-if test $ac_cv_header_stdc = yes; then
-  # /bin/cc in Irix-4.0.5 gets non-ANSI ctype macros unless using -ansi.
-  if test "$cross_compiling" = yes; then
-  :
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <ctype.h>
-#if ((' ' & 0x0FF) == 0x020)
-# define ISLOWER(c) ('a' <= (c) && (c) <= 'z')
-# define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c))
-#else
-# define ISLOWER(c) \
-		   (('a' <= (c) && (c) <= 'i') \
-		     || ('j' <= (c) && (c) <= 'r') \
-		     || ('s' <= (c) && (c) <= 'z'))
-# define TOUPPER(c) (ISLOWER(c) ? ((c) | 0x40) : (c))
-#endif
-
-#define XOR(e, f) (((e) && !(f)) || (!(e) && (f)))
-int
-main ()
-{
-  int i;
-  for (i = 0; i < 256; i++)
-    if (XOR (islower (i), ISLOWER (i))
-	|| toupper (i) != TOUPPER (i))
-      exit(2);
-  exit (0);
-}
-_ACEOF
-rm -f conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  :
-else
-  echo "$as_me: program exited with status $ac_status" >&5
-echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-( exit $ac_status )
-ac_cv_header_stdc=no
-fi
-rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
-fi
-fi
-fi
-echo "$as_me:$LINENO: result: $ac_cv_header_stdc" >&5
-echo "${ECHO_T}$ac_cv_header_stdc" >&6
-if test $ac_cv_header_stdc = yes; then
-
-cat >>confdefs.h <<\_ACEOF
-#define STDC_HEADERS 1
-_ACEOF
-
-fi
-
-          ac_config_headers="$ac_config_headers config.h"
-
-# On IRIX 5.3, sys/types and inttypes.h are conflicting.
-
-
-
-
-
-
-
-
-
-for ac_header in sys/types.h sys/stat.h stdlib.h string.h memory.h strings.h \
-		  inttypes.h stdint.h unistd.h
-do
-as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-
-#include <$ac_header>
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  eval "$as_ac_Header=yes"
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-eval "$as_ac_Header=no"
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
-if test `eval echo '${'$as_ac_Header'}'` = yes; then
-  cat >>confdefs.h <<_ACEOF
-#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
-_ACEOF
-
-fi
-
-done
-
-
-if test "${ac_cv_header_resolv_h+set}" = set; then
-  echo "$as_me:$LINENO: checking for resolv.h" >&5
-echo $ECHO_N "checking for resolv.h... $ECHO_C" >&6
-if test "${ac_cv_header_resolv_h+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-fi
-echo "$as_me:$LINENO: result: $ac_cv_header_resolv_h" >&5
-echo "${ECHO_T}$ac_cv_header_resolv_h" >&6
-else
-  # Is the header compilable?
-echo "$as_me:$LINENO: checking resolv.h usability" >&5
-echo $ECHO_N "checking resolv.h usability... $ECHO_C" >&6
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-#include <resolv.h>
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_header_compiler=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_header_compiler=no
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-echo "${ECHO_T}$ac_header_compiler" >&6
-
-# Is the header present?
-echo "$as_me:$LINENO: checking resolv.h presence" >&5
-echo $ECHO_N "checking resolv.h presence... $ECHO_C" >&6
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <resolv.h>
-_ACEOF
-if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
-  (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null; then
-  if test -s conftest.err; then
-    ac_cpp_err=$ac_c_preproc_warn_flag
-    ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
-  else
-    ac_cpp_err=
-  fi
-else
-  ac_cpp_err=yes
-fi
-if test -z "$ac_cpp_err"; then
-  ac_header_preproc=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-  ac_header_preproc=no
-fi
-rm -f conftest.err conftest.$ac_ext
-echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-echo "${ECHO_T}$ac_header_preproc" >&6
-
-# So?  What about this header?
-case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
-  yes:no: )
-    { echo "$as_me:$LINENO: WARNING: resolv.h: accepted by the compiler, rejected by the preprocessor!" >&5
-echo "$as_me: WARNING: resolv.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
-    { echo "$as_me:$LINENO: WARNING: resolv.h: proceeding with the compiler's result" >&5
-echo "$as_me: WARNING: resolv.h: proceeding with the compiler's result" >&2;}
-    ac_header_preproc=yes
-    ;;
-  no:yes:* )
-    { echo "$as_me:$LINENO: WARNING: resolv.h: present but cannot be compiled" >&5
-echo "$as_me: WARNING: resolv.h: present but cannot be compiled" >&2;}
-    { echo "$as_me:$LINENO: WARNING: resolv.h:     check for missing prerequisite headers?" >&5
-echo "$as_me: WARNING: resolv.h:     check for missing prerequisite headers?" >&2;}
-    { echo "$as_me:$LINENO: WARNING: resolv.h: see the Autoconf documentation" >&5
-echo "$as_me: WARNING: resolv.h: see the Autoconf documentation" >&2;}
-    { echo "$as_me:$LINENO: WARNING: resolv.h:     section \"Present But Cannot Be Compiled\"" >&5
-echo "$as_me: WARNING: resolv.h:     section \"Present But Cannot Be Compiled\"" >&2;}
-    { echo "$as_me:$LINENO: WARNING: resolv.h: proceeding with the preprocessor's result" >&5
-echo "$as_me: WARNING: resolv.h: proceeding with the preprocessor's result" >&2;}
-    { echo "$as_me:$LINENO: WARNING: resolv.h: in the future, the compiler will take precedence" >&5
-echo "$as_me: WARNING: resolv.h: in the future, the compiler will take precedence" >&2;}
-    (
-      cat <<\_ASBOX
-## ------------------------------------------ ##
-## Report this to the AC_PACKAGE_NAME lists.  ##
-## ------------------------------------------ ##
-_ASBOX
-    ) |
-      sed "s/^/$as_me: WARNING:     /" >&2
-    ;;
-esac
-echo "$as_me:$LINENO: checking for resolv.h" >&5
-echo $ECHO_N "checking for resolv.h... $ECHO_C" >&6
-if test "${ac_cv_header_resolv_h+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_cv_header_resolv_h=$ac_header_preproc
-fi
-echo "$as_me:$LINENO: result: $ac_cv_header_resolv_h" >&5
-echo "${ECHO_T}$ac_cv_header_resolv_h" >&6
-
-fi
-if test $ac_cv_header_resolv_h = yes; then
-  :
-else
-  { { echo "$as_me:$LINENO: error: \"No headers for name service applications\"" >&5
-echo "$as_me: error: \"No headers for name service applications\"" >&2;}
-   { (exit 1); exit 1; }; }
-fi
-
-
-if test "${ac_cv_header_arpa_nameser_h+set}" = set; then
-  echo "$as_me:$LINENO: checking for arpa/nameser.h" >&5
-echo $ECHO_N "checking for arpa/nameser.h... $ECHO_C" >&6
-if test "${ac_cv_header_arpa_nameser_h+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-fi
-echo "$as_me:$LINENO: result: $ac_cv_header_arpa_nameser_h" >&5
-echo "${ECHO_T}$ac_cv_header_arpa_nameser_h" >&6
-else
-  # Is the header compilable?
-echo "$as_me:$LINENO: checking arpa/nameser.h usability" >&5
-echo $ECHO_N "checking arpa/nameser.h usability... $ECHO_C" >&6
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-#include <arpa/nameser.h>
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_header_compiler=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_header_compiler=no
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-echo "${ECHO_T}$ac_header_compiler" >&6
-
-# Is the header present?
-echo "$as_me:$LINENO: checking arpa/nameser.h presence" >&5
-echo $ECHO_N "checking arpa/nameser.h presence... $ECHO_C" >&6
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <arpa/nameser.h>
-_ACEOF
-if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
-  (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null; then
-  if test -s conftest.err; then
-    ac_cpp_err=$ac_c_preproc_warn_flag
-    ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
-  else
-    ac_cpp_err=
-  fi
-else
-  ac_cpp_err=yes
-fi
-if test -z "$ac_cpp_err"; then
-  ac_header_preproc=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-  ac_header_preproc=no
-fi
-rm -f conftest.err conftest.$ac_ext
-echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-echo "${ECHO_T}$ac_header_preproc" >&6
-
-# So?  What about this header?
-case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
-  yes:no: )
-    { echo "$as_me:$LINENO: WARNING: arpa/nameser.h: accepted by the compiler, rejected by the preprocessor!" >&5
-echo "$as_me: WARNING: arpa/nameser.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
-    { echo "$as_me:$LINENO: WARNING: arpa/nameser.h: proceeding with the compiler's result" >&5
-echo "$as_me: WARNING: arpa/nameser.h: proceeding with the compiler's result" >&2;}
-    ac_header_preproc=yes
-    ;;
-  no:yes:* )
-    { echo "$as_me:$LINENO: WARNING: arpa/nameser.h: present but cannot be compiled" >&5
-echo "$as_me: WARNING: arpa/nameser.h: present but cannot be compiled" >&2;}
-    { echo "$as_me:$LINENO: WARNING: arpa/nameser.h:     check for missing prerequisite headers?" >&5
-echo "$as_me: WARNING: arpa/nameser.h:     check for missing prerequisite headers?" >&2;}
-    { echo "$as_me:$LINENO: WARNING: arpa/nameser.h: see the Autoconf documentation" >&5
-echo "$as_me: WARNING: arpa/nameser.h: see the Autoconf documentation" >&2;}
-    { echo "$as_me:$LINENO: WARNING: arpa/nameser.h:     section \"Present But Cannot Be Compiled\"" >&5
-echo "$as_me: WARNING: arpa/nameser.h:     section \"Present But Cannot Be Compiled\"" >&2;}
-    { echo "$as_me:$LINENO: WARNING: arpa/nameser.h: proceeding with the preprocessor's result" >&5
-echo "$as_me: WARNING: arpa/nameser.h: proceeding with the preprocessor's result" >&2;}
-    { echo "$as_me:$LINENO: WARNING: arpa/nameser.h: in the future, the compiler will take precedence" >&5
-echo "$as_me: WARNING: arpa/nameser.h: in the future, the compiler will take precedence" >&2;}
-    (
-      cat <<\_ASBOX
-## ------------------------------------------ ##
-## Report this to the AC_PACKAGE_NAME lists.  ##
-## ------------------------------------------ ##
-_ASBOX
-    ) |
-      sed "s/^/$as_me: WARNING:     /" >&2
-    ;;
-esac
-echo "$as_me:$LINENO: checking for arpa/nameser.h" >&5
-echo $ECHO_N "checking for arpa/nameser.h... $ECHO_C" >&6
-if test "${ac_cv_header_arpa_nameser_h+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_cv_header_arpa_nameser_h=$ac_header_preproc
-fi
-echo "$as_me:$LINENO: result: $ac_cv_header_arpa_nameser_h" >&5
-echo "${ECHO_T}$ac_cv_header_arpa_nameser_h" >&6
-
-fi
-if test $ac_cv_header_arpa_nameser_h = yes; then
-  :
-else
-  { { echo "$as_me:$LINENO: error: \"No headers for name service applications\"" >&5
-echo "$as_me: error: \"No headers for name service applications\"" >&2;}
-   { (exit 1); exit 1; }; }
-fi
-
-
-if test "${ac_cv_header_sys_time_h+set}" = set; then
-  echo "$as_me:$LINENO: checking for sys/time.h" >&5
-echo $ECHO_N "checking for sys/time.h... $ECHO_C" >&6
-if test "${ac_cv_header_sys_time_h+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-fi
-echo "$as_me:$LINENO: result: $ac_cv_header_sys_time_h" >&5
-echo "${ECHO_T}$ac_cv_header_sys_time_h" >&6
-else
-  # Is the header compilable?
-echo "$as_me:$LINENO: checking sys/time.h usability" >&5
-echo $ECHO_N "checking sys/time.h usability... $ECHO_C" >&6
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-#include <sys/time.h>
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_header_compiler=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_header_compiler=no
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-echo "${ECHO_T}$ac_header_compiler" >&6
-
-# Is the header present?
-echo "$as_me:$LINENO: checking sys/time.h presence" >&5
-echo $ECHO_N "checking sys/time.h presence... $ECHO_C" >&6
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <sys/time.h>
-_ACEOF
-if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
-  (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null; then
-  if test -s conftest.err; then
-    ac_cpp_err=$ac_c_preproc_warn_flag
-    ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
-  else
-    ac_cpp_err=
-  fi
-else
-  ac_cpp_err=yes
-fi
-if test -z "$ac_cpp_err"; then
-  ac_header_preproc=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-  ac_header_preproc=no
-fi
-rm -f conftest.err conftest.$ac_ext
-echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-echo "${ECHO_T}$ac_header_preproc" >&6
-
-# So?  What about this header?
-case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
-  yes:no: )
-    { echo "$as_me:$LINENO: WARNING: sys/time.h: accepted by the compiler, rejected by the preprocessor!" >&5
-echo "$as_me: WARNING: sys/time.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
-    { echo "$as_me:$LINENO: WARNING: sys/time.h: proceeding with the compiler's result" >&5
-echo "$as_me: WARNING: sys/time.h: proceeding with the compiler's result" >&2;}
-    ac_header_preproc=yes
-    ;;
-  no:yes:* )
-    { echo "$as_me:$LINENO: WARNING: sys/time.h: present but cannot be compiled" >&5
-echo "$as_me: WARNING: sys/time.h: present but cannot be compiled" >&2;}
-    { echo "$as_me:$LINENO: WARNING: sys/time.h:     check for missing prerequisite headers?" >&5
-echo "$as_me: WARNING: sys/time.h:     check for missing prerequisite headers?" >&2;}
-    { echo "$as_me:$LINENO: WARNING: sys/time.h: see the Autoconf documentation" >&5
-echo "$as_me: WARNING: sys/time.h: see the Autoconf documentation" >&2;}
-    { echo "$as_me:$LINENO: WARNING: sys/time.h:     section \"Present But Cannot Be Compiled\"" >&5
-echo "$as_me: WARNING: sys/time.h:     section \"Present But Cannot Be Compiled\"" >&2;}
-    { echo "$as_me:$LINENO: WARNING: sys/time.h: proceeding with the preprocessor's result" >&5
-echo "$as_me: WARNING: sys/time.h: proceeding with the preprocessor's result" >&2;}
-    { echo "$as_me:$LINENO: WARNING: sys/time.h: in the future, the compiler will take precedence" >&5
-echo "$as_me: WARNING: sys/time.h: in the future, the compiler will take precedence" >&2;}
-    (
-      cat <<\_ASBOX
-## ------------------------------------------ ##
-## Report this to the AC_PACKAGE_NAME lists.  ##
-## ------------------------------------------ ##
-_ASBOX
-    ) |
-      sed "s/^/$as_me: WARNING:     /" >&2
-    ;;
-esac
-echo "$as_me:$LINENO: checking for sys/time.h" >&5
-echo $ECHO_N "checking for sys/time.h... $ECHO_C" >&6
-if test "${ac_cv_header_sys_time_h+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_cv_header_sys_time_h=$ac_header_preproc
-fi
-echo "$as_me:$LINENO: result: $ac_cv_header_sys_time_h" >&5
-echo "${ECHO_T}$ac_cv_header_sys_time_h" >&6
-
-fi
-if test $ac_cv_header_sys_time_h = yes; then
-  :
-else
-  { { echo "$as_me:$LINENO: error: \"Mandatory header missing on your system\"" >&5
-echo "$as_me: error: \"Mandatory header missing on your system\"" >&2;}
-   { (exit 1); exit 1; }; }
-fi
-
-
-if test "${ac_cv_header_unistd_h+set}" = set; then
-  echo "$as_me:$LINENO: checking for unistd.h" >&5
-echo $ECHO_N "checking for unistd.h... $ECHO_C" >&6
-if test "${ac_cv_header_unistd_h+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-fi
-echo "$as_me:$LINENO: result: $ac_cv_header_unistd_h" >&5
-echo "${ECHO_T}$ac_cv_header_unistd_h" >&6
-else
-  # Is the header compilable?
-echo "$as_me:$LINENO: checking unistd.h usability" >&5
-echo $ECHO_N "checking unistd.h usability... $ECHO_C" >&6
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-#include <unistd.h>
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_header_compiler=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_header_compiler=no
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-echo "${ECHO_T}$ac_header_compiler" >&6
-
-# Is the header present?
-echo "$as_me:$LINENO: checking unistd.h presence" >&5
-echo $ECHO_N "checking unistd.h presence... $ECHO_C" >&6
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <unistd.h>
-_ACEOF
-if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
-  (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null; then
-  if test -s conftest.err; then
-    ac_cpp_err=$ac_c_preproc_warn_flag
-    ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
-  else
-    ac_cpp_err=
-  fi
-else
-  ac_cpp_err=yes
-fi
-if test -z "$ac_cpp_err"; then
-  ac_header_preproc=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-  ac_header_preproc=no
-fi
-rm -f conftest.err conftest.$ac_ext
-echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-echo "${ECHO_T}$ac_header_preproc" >&6
-
-# So?  What about this header?
-case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
-  yes:no: )
-    { echo "$as_me:$LINENO: WARNING: unistd.h: accepted by the compiler, rejected by the preprocessor!" >&5
-echo "$as_me: WARNING: unistd.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
-    { echo "$as_me:$LINENO: WARNING: unistd.h: proceeding with the compiler's result" >&5
-echo "$as_me: WARNING: unistd.h: proceeding with the compiler's result" >&2;}
-    ac_header_preproc=yes
-    ;;
-  no:yes:* )
-    { echo "$as_me:$LINENO: WARNING: unistd.h: present but cannot be compiled" >&5
-echo "$as_me: WARNING: unistd.h: present but cannot be compiled" >&2;}
-    { echo "$as_me:$LINENO: WARNING: unistd.h:     check for missing prerequisite headers?" >&5
-echo "$as_me: WARNING: unistd.h:     check for missing prerequisite headers?" >&2;}
-    { echo "$as_me:$LINENO: WARNING: unistd.h: see the Autoconf documentation" >&5
-echo "$as_me: WARNING: unistd.h: see the Autoconf documentation" >&2;}
-    { echo "$as_me:$LINENO: WARNING: unistd.h:     section \"Present But Cannot Be Compiled\"" >&5
-echo "$as_me: WARNING: unistd.h:     section \"Present But Cannot Be Compiled\"" >&2;}
-    { echo "$as_me:$LINENO: WARNING: unistd.h: proceeding with the preprocessor's result" >&5
-echo "$as_me: WARNING: unistd.h: proceeding with the preprocessor's result" >&2;}
-    { echo "$as_me:$LINENO: WARNING: unistd.h: in the future, the compiler will take precedence" >&5
-echo "$as_me: WARNING: unistd.h: in the future, the compiler will take precedence" >&2;}
-    (
-      cat <<\_ASBOX
-## ------------------------------------------ ##
-## Report this to the AC_PACKAGE_NAME lists.  ##
-## ------------------------------------------ ##
-_ASBOX
-    ) |
-      sed "s/^/$as_me: WARNING:     /" >&2
-    ;;
-esac
-echo "$as_me:$LINENO: checking for unistd.h" >&5
-echo $ECHO_N "checking for unistd.h... $ECHO_C" >&6
-if test "${ac_cv_header_unistd_h+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_cv_header_unistd_h=$ac_header_preproc
-fi
-echo "$as_me:$LINENO: result: $ac_cv_header_unistd_h" >&5
-echo "${ECHO_T}$ac_cv_header_unistd_h" >&6
-
-fi
-if test $ac_cv_header_unistd_h = yes; then
-  :
-else
-  { { echo "$as_me:$LINENO: error: \"Mandatory header missing on your system\"" >&5
-echo "$as_me: error: \"Mandatory header missing on your system\"" >&2;}
-   { (exit 1); exit 1; }; }
-fi
-
-
-
-
-echo "$as_me:$LINENO: checking if libnsl is mandatory" >&5
-echo $ECHO_N "checking if libnsl is mandatory... $ECHO_C" >&6
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <sys/types.h>
-             #include <netinet/in.h>
-             #include <arpa/nameser.h>
-             #include <resolv.h>
-             union
-             {
-                HEADER hdr;
-                u_char buf[4096]; /* With RFC 2671, otherwise 512 is enough */
-             }
-             response;
-             char *domain;
-             int requested_type;
-int
-main ()
-{
-res_query(domain,
-		  C_IN,
-		  requested_type,
-		  (u_char *) & response,
-		  sizeof (response))
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  	echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6; LIBS="${LIBS} -lnsl"
-fi
-rm -f conftest.err conftest.$ac_objext \
-      conftest$ac_exeext conftest.$ac_ext
-
-echo "$as_me:$LINENO: checking loc_ntoa" >&5
-echo $ECHO_N "checking loc_ntoa... $ECHO_C" >&6
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <resolv.h>
-int
-main ()
-{
-	u_char *cp; char *result; loc_ntoa(cp, result)
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  	echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6; cat >>confdefs.h <<\_ACEOF
-#define HAVE_LOC_NTOA 1
-_ACEOF
-
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	echo "$as_me:$LINENO: result: no, using the alternative" >&5
-echo "${ECHO_T}no, using the alternative" >&6; LOC_NTOA=loc_ntoa.o
-fi
-rm -f conftest.err conftest.$ac_objext \
-      conftest$ac_exeext conftest.$ac_ext
-
-
-echo "$as_me:$LINENO: checking for an ANSI C-conforming const" >&5
-echo $ECHO_N "checking for an ANSI C-conforming const... $ECHO_C" >&6
-if test "${ac_cv_c_const+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-int
-main ()
-{
-/* FIXME: Include the comments suggested by Paul. */
-#ifndef __cplusplus
-  /* Ultrix mips cc rejects this.  */
-  typedef int charset[2];
-  const charset x;
-  /* SunOS 4.1.1 cc rejects this.  */
-  char const *const *ccp;
-  char **p;
-  /* NEC SVR4.0.2 mips cc rejects this.  */
-  struct point {int x, y;};
-  static struct point const zero = {0,0};
-  /* AIX XL C 1.02.0.0 rejects this.
-     It does not let you subtract one const X* pointer from another in
-     an arm of an if-expression whose if-part is not a constant
-     expression */
-  const char *g = "string";
-  ccp = &g + (g ? g-g : 0);
-  /* HPUX 7.0 cc rejects these. */
-  ++ccp;
-  p = (char**) ccp;
-  ccp = (char const *const *) p;
-  { /* SCO 3.2v4 cc rejects this.  */
-    char *t;
-    char const *s = 0 ? (char *) 0 : (char const *) 0;
-
-    *t++ = 0;
-  }
-  { /* Someone thinks the Sun supposedly-ANSI compiler will reject this.  */
-    int x[] = {25, 17};
-    const int *foo = &x[0];
-    ++foo;
-  }
-  { /* Sun SC1.0 ANSI compiler rejects this -- but not the above. */
-    typedef const int *iptr;
-    iptr p = 0;
-    ++p;
-  }
-  { /* AIX XL C 1.02.0.0 rejects this saying
-       "k.c", line 2.27: 1506-025 (S) Operand must be a modifiable lvalue. */
-    struct s { int j; const int *ap[3]; };
-    struct s *b; b->j = 5;
-  }
-  { /* ULTRIX-32 V3.1 (Rev 9) vcc rejects this */
-    const int foo = 10;
-  }
-#endif
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_c_const=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_c_const=no
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_c_const" >&5
-echo "${ECHO_T}$ac_cv_c_const" >&6
-if test $ac_cv_c_const = no; then
-
-cat >>confdefs.h <<\_ACEOF
-#define const
-_ACEOF
-
-fi
-
-echo "$as_me:$LINENO: checking for long" >&5
-echo $ECHO_N "checking for long... $ECHO_C" >&6
-if test "${ac_cv_type_long+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-int
-main ()
-{
-if ((long *) 0)
-  return 0;
-if (sizeof (long))
-  return 0;
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_type_long=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_type_long=no
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_type_long" >&5
-echo "${ECHO_T}$ac_cv_type_long" >&6
-
-echo "$as_me:$LINENO: checking size of long" >&5
-echo $ECHO_N "checking size of long... $ECHO_C" >&6
-if test "${ac_cv_sizeof_long+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test "$ac_cv_type_long" = yes; then
-  # The cast to unsigned long works around a bug in the HP C Compiler
-  # version HP92453-01 B.11.11.23709.GP, which incorrectly rejects
-  # declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'.
-  # This bug is HP SR number 8606223364.
-  if test "$cross_compiling" = yes; then
-  # Depending upon the size, compute the lo and hi bounds.
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-int
-main ()
-{
-static int test_array [1 - 2 * !(((long) (sizeof (long))) >= 0)];
-test_array [0] = 0
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_lo=0 ac_mid=0
-  while :; do
-    cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-int
-main ()
-{
-static int test_array [1 - 2 * !(((long) (sizeof (long))) <= $ac_mid)];
-test_array [0] = 0
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_hi=$ac_mid; break
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_lo=`expr $ac_mid + 1`
-		    if test $ac_lo -le $ac_mid; then
-		      ac_lo= ac_hi=
-		      break
-		    fi
-		    ac_mid=`expr 2 '*' $ac_mid + 1`
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-  done
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-int
-main ()
-{
-static int test_array [1 - 2 * !(((long) (sizeof (long))) < 0)];
-test_array [0] = 0
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_hi=-1 ac_mid=-1
-  while :; do
-    cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-int
-main ()
-{
-static int test_array [1 - 2 * !(((long) (sizeof (long))) >= $ac_mid)];
-test_array [0] = 0
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_lo=$ac_mid; break
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_hi=`expr '(' $ac_mid ')' - 1`
-		       if test $ac_mid -le $ac_hi; then
-			 ac_lo= ac_hi=
-			 break
-		       fi
-		       ac_mid=`expr 2 '*' $ac_mid`
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-  done
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_lo= ac_hi=
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-# Binary search between lo and hi bounds.
-while test "x$ac_lo" != "x$ac_hi"; do
-  ac_mid=`expr '(' $ac_hi - $ac_lo ')' / 2 + $ac_lo`
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-int
-main ()
-{
-static int test_array [1 - 2 * !(((long) (sizeof (long))) <= $ac_mid)];
-test_array [0] = 0
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_hi=$ac_mid
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_lo=`expr '(' $ac_mid ')' + 1`
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-done
-case $ac_lo in
-?*) ac_cv_sizeof_long=$ac_lo;;
-'') { { echo "$as_me:$LINENO: error: cannot compute sizeof (long), 77
-See \`config.log' for more details." >&5
-echo "$as_me: error: cannot compute sizeof (long), 77
-See \`config.log' for more details." >&2;}
-   { (exit 1); exit 1; }; } ;;
-esac
-else
-  if test "$cross_compiling" = yes; then
-  { { echo "$as_me:$LINENO: error: internal error: not reached in cross-compile" >&5
-echo "$as_me: error: internal error: not reached in cross-compile" >&2;}
-   { (exit 1); exit 1; }; }
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-long longval () { return (long) (sizeof (long)); }
-unsigned long ulongval () { return (long) (sizeof (long)); }
-#include <stdio.h>
-#include <stdlib.h>
-int
-main ()
-{
-
-  FILE *f = fopen ("conftest.val", "w");
-  if (! f)
-    exit (1);
-  if (((long) (sizeof (long))) < 0)
-    {
-      long i = longval ();
-      if (i != ((long) (sizeof (long))))
-	exit (1);
-      fprintf (f, "%ld\n", i);
-    }
-  else
-    {
-      unsigned long i = ulongval ();
-      if (i != ((long) (sizeof (long))))
-	exit (1);
-      fprintf (f, "%lu\n", i);
-    }
-  exit (ferror (f) || fclose (f) != 0);
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_sizeof_long=`cat conftest.val`
-else
-  echo "$as_me: program exited with status $ac_status" >&5
-echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-( exit $ac_status )
-{ { echo "$as_me:$LINENO: error: cannot compute sizeof (long), 77
-See \`config.log' for more details." >&5
-echo "$as_me: error: cannot compute sizeof (long), 77
-See \`config.log' for more details." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
-fi
-fi
-rm -f conftest.val
-else
-  ac_cv_sizeof_long=0
-fi
-fi
-echo "$as_me:$LINENO: result: $ac_cv_sizeof_long" >&5
-echo "${ECHO_T}$ac_cv_sizeof_long" >&6
-cat >>confdefs.h <<_ACEOF
-#define SIZEOF_LONG $ac_cv_sizeof_long
-_ACEOF
-
-
-echo "$as_me:$LINENO: checking for int" >&5
-echo $ECHO_N "checking for int... $ECHO_C" >&6
-if test "${ac_cv_type_int+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-int
-main ()
-{
-if ((int *) 0)
-  return 0;
-if (sizeof (int))
-  return 0;
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_type_int=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_type_int=no
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_type_int" >&5
-echo "${ECHO_T}$ac_cv_type_int" >&6
-
-echo "$as_me:$LINENO: checking size of int" >&5
-echo $ECHO_N "checking size of int... $ECHO_C" >&6
-if test "${ac_cv_sizeof_int+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test "$ac_cv_type_int" = yes; then
-  # The cast to unsigned long works around a bug in the HP C Compiler
-  # version HP92453-01 B.11.11.23709.GP, which incorrectly rejects
-  # declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'.
-  # This bug is HP SR number 8606223364.
-  if test "$cross_compiling" = yes; then
-  # Depending upon the size, compute the lo and hi bounds.
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-int
-main ()
-{
-static int test_array [1 - 2 * !(((long) (sizeof (int))) >= 0)];
-test_array [0] = 0
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_lo=0 ac_mid=0
-  while :; do
-    cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-int
-main ()
-{
-static int test_array [1 - 2 * !(((long) (sizeof (int))) <= $ac_mid)];
-test_array [0] = 0
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_hi=$ac_mid; break
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_lo=`expr $ac_mid + 1`
-		    if test $ac_lo -le $ac_mid; then
-		      ac_lo= ac_hi=
-		      break
-		    fi
-		    ac_mid=`expr 2 '*' $ac_mid + 1`
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-  done
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-int
-main ()
-{
-static int test_array [1 - 2 * !(((long) (sizeof (int))) < 0)];
-test_array [0] = 0
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_hi=-1 ac_mid=-1
-  while :; do
-    cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-int
-main ()
-{
-static int test_array [1 - 2 * !(((long) (sizeof (int))) >= $ac_mid)];
-test_array [0] = 0
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_lo=$ac_mid; break
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_hi=`expr '(' $ac_mid ')' - 1`
-		       if test $ac_mid -le $ac_hi; then
-			 ac_lo= ac_hi=
-			 break
-		       fi
-		       ac_mid=`expr 2 '*' $ac_mid`
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-  done
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_lo= ac_hi=
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-# Binary search between lo and hi bounds.
-while test "x$ac_lo" != "x$ac_hi"; do
-  ac_mid=`expr '(' $ac_hi - $ac_lo ')' / 2 + $ac_lo`
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-int
-main ()
-{
-static int test_array [1 - 2 * !(((long) (sizeof (int))) <= $ac_mid)];
-test_array [0] = 0
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_hi=$ac_mid
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_lo=`expr '(' $ac_mid ')' + 1`
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-done
-case $ac_lo in
-?*) ac_cv_sizeof_int=$ac_lo;;
-'') { { echo "$as_me:$LINENO: error: cannot compute sizeof (int), 77
-See \`config.log' for more details." >&5
-echo "$as_me: error: cannot compute sizeof (int), 77
-See \`config.log' for more details." >&2;}
-   { (exit 1); exit 1; }; } ;;
-esac
-else
-  if test "$cross_compiling" = yes; then
-  { { echo "$as_me:$LINENO: error: internal error: not reached in cross-compile" >&5
-echo "$as_me: error: internal error: not reached in cross-compile" >&2;}
-   { (exit 1); exit 1; }; }
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-long longval () { return (long) (sizeof (int)); }
-unsigned long ulongval () { return (long) (sizeof (int)); }
-#include <stdio.h>
-#include <stdlib.h>
-int
-main ()
-{
-
-  FILE *f = fopen ("conftest.val", "w");
-  if (! f)
-    exit (1);
-  if (((long) (sizeof (int))) < 0)
-    {
-      long i = longval ();
-      if (i != ((long) (sizeof (int))))
-	exit (1);
-      fprintf (f, "%ld\n", i);
-    }
-  else
-    {
-      unsigned long i = ulongval ();
-      if (i != ((long) (sizeof (int))))
-	exit (1);
-      fprintf (f, "%lu\n", i);
-    }
-  exit (ferror (f) || fclose (f) != 0);
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_sizeof_int=`cat conftest.val`
-else
-  echo "$as_me: program exited with status $ac_status" >&5
-echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-( exit $ac_status )
-{ { echo "$as_me:$LINENO: error: cannot compute sizeof (int), 77
-See \`config.log' for more details." >&5
-echo "$as_me: error: cannot compute sizeof (int), 77
-See \`config.log' for more details." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
-fi
-fi
-rm -f conftest.val
-else
-  ac_cv_sizeof_int=0
-fi
-fi
-echo "$as_me:$LINENO: result: $ac_cv_sizeof_int" >&5
-echo "${ECHO_T}$ac_cv_sizeof_int" >&6
-cat >>confdefs.h <<_ACEOF
-#define SIZEOF_INT $ac_cv_sizeof_int
-_ACEOF
-
-
-echo "$as_me:$LINENO: checking for short" >&5
-echo $ECHO_N "checking for short... $ECHO_C" >&6
-if test "${ac_cv_type_short+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-int
-main ()
-{
-if ((short *) 0)
-  return 0;
-if (sizeof (short))
-  return 0;
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_type_short=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_type_short=no
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_type_short" >&5
-echo "${ECHO_T}$ac_cv_type_short" >&6
-
-echo "$as_me:$LINENO: checking size of short" >&5
-echo $ECHO_N "checking size of short... $ECHO_C" >&6
-if test "${ac_cv_sizeof_short+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test "$ac_cv_type_short" = yes; then
-  # The cast to unsigned long works around a bug in the HP C Compiler
-  # version HP92453-01 B.11.11.23709.GP, which incorrectly rejects
-  # declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'.
-  # This bug is HP SR number 8606223364.
-  if test "$cross_compiling" = yes; then
-  # Depending upon the size, compute the lo and hi bounds.
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-int
-main ()
-{
-static int test_array [1 - 2 * !(((long) (sizeof (short))) >= 0)];
-test_array [0] = 0
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_lo=0 ac_mid=0
-  while :; do
-    cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-int
-main ()
-{
-static int test_array [1 - 2 * !(((long) (sizeof (short))) <= $ac_mid)];
-test_array [0] = 0
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_hi=$ac_mid; break
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_lo=`expr $ac_mid + 1`
-		    if test $ac_lo -le $ac_mid; then
-		      ac_lo= ac_hi=
-		      break
-		    fi
-		    ac_mid=`expr 2 '*' $ac_mid + 1`
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-  done
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-int
-main ()
-{
-static int test_array [1 - 2 * !(((long) (sizeof (short))) < 0)];
-test_array [0] = 0
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_hi=-1 ac_mid=-1
-  while :; do
-    cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-int
-main ()
-{
-static int test_array [1 - 2 * !(((long) (sizeof (short))) >= $ac_mid)];
-test_array [0] = 0
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_lo=$ac_mid; break
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_hi=`expr '(' $ac_mid ')' - 1`
-		       if test $ac_mid -le $ac_hi; then
-			 ac_lo= ac_hi=
-			 break
-		       fi
-		       ac_mid=`expr 2 '*' $ac_mid`
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-  done
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_lo= ac_hi=
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-# Binary search between lo and hi bounds.
-while test "x$ac_lo" != "x$ac_hi"; do
-  ac_mid=`expr '(' $ac_hi - $ac_lo ')' / 2 + $ac_lo`
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-int
-main ()
-{
-static int test_array [1 - 2 * !(((long) (sizeof (short))) <= $ac_mid)];
-test_array [0] = 0
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_hi=$ac_mid
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_lo=`expr '(' $ac_mid ')' + 1`
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-done
-case $ac_lo in
-?*) ac_cv_sizeof_short=$ac_lo;;
-'') { { echo "$as_me:$LINENO: error: cannot compute sizeof (short), 77
-See \`config.log' for more details." >&5
-echo "$as_me: error: cannot compute sizeof (short), 77
-See \`config.log' for more details." >&2;}
-   { (exit 1); exit 1; }; } ;;
-esac
-else
-  if test "$cross_compiling" = yes; then
-  { { echo "$as_me:$LINENO: error: internal error: not reached in cross-compile" >&5
-echo "$as_me: error: internal error: not reached in cross-compile" >&2;}
-   { (exit 1); exit 1; }; }
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-long longval () { return (long) (sizeof (short)); }
-unsigned long ulongval () { return (long) (sizeof (short)); }
-#include <stdio.h>
-#include <stdlib.h>
-int
-main ()
-{
-
-  FILE *f = fopen ("conftest.val", "w");
-  if (! f)
-    exit (1);
-  if (((long) (sizeof (short))) < 0)
-    {
-      long i = longval ();
-      if (i != ((long) (sizeof (short))))
-	exit (1);
-      fprintf (f, "%ld\n", i);
-    }
-  else
-    {
-      unsigned long i = ulongval ();
-      if (i != ((long) (sizeof (short))))
-	exit (1);
-      fprintf (f, "%lu\n", i);
-    }
-  exit (ferror (f) || fclose (f) != 0);
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_sizeof_short=`cat conftest.val`
-else
-  echo "$as_me: program exited with status $ac_status" >&5
-echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-( exit $ac_status )
-{ { echo "$as_me:$LINENO: error: cannot compute sizeof (short), 77
-See \`config.log' for more details." >&5
-echo "$as_me: error: cannot compute sizeof (short), 77
-See \`config.log' for more details." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
-fi
-fi
-rm -f conftest.val
-else
-  ac_cv_sizeof_short=0
-fi
-fi
-echo "$as_me:$LINENO: result: $ac_cv_sizeof_short" >&5
-echo "${ECHO_T}$ac_cv_sizeof_short" >&6
-cat >>confdefs.h <<_ACEOF
-#define SIZEOF_SHORT $ac_cv_sizeof_short
-_ACEOF
-
-
-echo "$as_me:$LINENO: checking for char" >&5
-echo $ECHO_N "checking for char... $ECHO_C" >&6
-if test "${ac_cv_type_char+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-int
-main ()
-{
-if ((char *) 0)
-  return 0;
-if (sizeof (char))
-  return 0;
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_type_char=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_type_char=no
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_type_char" >&5
-echo "${ECHO_T}$ac_cv_type_char" >&6
-
-echo "$as_me:$LINENO: checking size of char" >&5
-echo $ECHO_N "checking size of char... $ECHO_C" >&6
-if test "${ac_cv_sizeof_char+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test "$ac_cv_type_char" = yes; then
-  # The cast to unsigned long works around a bug in the HP C Compiler
-  # version HP92453-01 B.11.11.23709.GP, which incorrectly rejects
-  # declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'.
-  # This bug is HP SR number 8606223364.
-  if test "$cross_compiling" = yes; then
-  # Depending upon the size, compute the lo and hi bounds.
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-int
-main ()
-{
-static int test_array [1 - 2 * !(((long) (sizeof (char))) >= 0)];
-test_array [0] = 0
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_lo=0 ac_mid=0
-  while :; do
-    cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-int
-main ()
-{
-static int test_array [1 - 2 * !(((long) (sizeof (char))) <= $ac_mid)];
-test_array [0] = 0
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_hi=$ac_mid; break
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_lo=`expr $ac_mid + 1`
-		    if test $ac_lo -le $ac_mid; then
-		      ac_lo= ac_hi=
-		      break
-		    fi
-		    ac_mid=`expr 2 '*' $ac_mid + 1`
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-  done
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-int
-main ()
-{
-static int test_array [1 - 2 * !(((long) (sizeof (char))) < 0)];
-test_array [0] = 0
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_hi=-1 ac_mid=-1
-  while :; do
-    cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-int
-main ()
-{
-static int test_array [1 - 2 * !(((long) (sizeof (char))) >= $ac_mid)];
-test_array [0] = 0
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_lo=$ac_mid; break
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_hi=`expr '(' $ac_mid ')' - 1`
-		       if test $ac_mid -le $ac_hi; then
-			 ac_lo= ac_hi=
-			 break
-		       fi
-		       ac_mid=`expr 2 '*' $ac_mid`
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-  done
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_lo= ac_hi=
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-# Binary search between lo and hi bounds.
-while test "x$ac_lo" != "x$ac_hi"; do
-  ac_mid=`expr '(' $ac_hi - $ac_lo ')' / 2 + $ac_lo`
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-int
-main ()
-{
-static int test_array [1 - 2 * !(((long) (sizeof (char))) <= $ac_mid)];
-test_array [0] = 0
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_hi=$ac_mid
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_lo=`expr '(' $ac_mid ')' + 1`
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-done
-case $ac_lo in
-?*) ac_cv_sizeof_char=$ac_lo;;
-'') { { echo "$as_me:$LINENO: error: cannot compute sizeof (char), 77
-See \`config.log' for more details." >&5
-echo "$as_me: error: cannot compute sizeof (char), 77
-See \`config.log' for more details." >&2;}
-   { (exit 1); exit 1; }; } ;;
-esac
-else
-  if test "$cross_compiling" = yes; then
-  { { echo "$as_me:$LINENO: error: internal error: not reached in cross-compile" >&5
-echo "$as_me: error: internal error: not reached in cross-compile" >&2;}
-   { (exit 1); exit 1; }; }
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-long longval () { return (long) (sizeof (char)); }
-unsigned long ulongval () { return (long) (sizeof (char)); }
-#include <stdio.h>
-#include <stdlib.h>
-int
-main ()
-{
-
-  FILE *f = fopen ("conftest.val", "w");
-  if (! f)
-    exit (1);
-  if (((long) (sizeof (char))) < 0)
-    {
-      long i = longval ();
-      if (i != ((long) (sizeof (char))))
-	exit (1);
-      fprintf (f, "%ld\n", i);
-    }
-  else
-    {
-      unsigned long i = ulongval ();
-      if (i != ((long) (sizeof (char))))
-	exit (1);
-      fprintf (f, "%lu\n", i);
-    }
-  exit (ferror (f) || fclose (f) != 0);
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_sizeof_char=`cat conftest.val`
-else
-  echo "$as_me: program exited with status $ac_status" >&5
-echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-( exit $ac_status )
-{ { echo "$as_me:$LINENO: error: cannot compute sizeof (char), 77
-See \`config.log' for more details." >&5
-echo "$as_me: error: cannot compute sizeof (char), 77
-See \`config.log' for more details." >&2;}
-   { (exit 1); exit 1; }; }
-fi
-rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
-fi
-fi
-rm -f conftest.val
-else
-  ac_cv_sizeof_char=0
-fi
-fi
-echo "$as_me:$LINENO: result: $ac_cv_sizeof_char" >&5
-echo "${ECHO_T}$ac_cv_sizeof_char" >&6
-cat >>confdefs.h <<_ACEOF
-#define SIZEOF_CHAR $ac_cv_sizeof_char
-_ACEOF
-
-
-
-          ac_config_files="$ac_config_files Makefile"
-cat >confcache <<\_ACEOF
-# This file is a shell script that caches the results of configure
-# tests run on this system so they can be shared between configure
-# scripts and configure runs, see configure's option --config-cache.
-# It is not useful on other systems.  If it contains results you don't
-# want to keep, you may remove or edit it.
-#
-# config.status only pays attention to the cache file if you give it
-# the --recheck option to rerun configure.
-#
-# `ac_cv_env_foo' variables (set or unset) will be overridden when
-# loading this file, other *unset* `ac_cv_foo' will be assigned the
-# following values.
-
-_ACEOF
-
-# The following way of writing the cache mishandles newlines in values,
-# but we know of no workaround that is simple, portable, and efficient.
-# So, don't put newlines in cache variables' values.
-# Ultrix sh set writes to stderr and can't be redirected directly,
-# and sets the high bit in the cache file unless we assign to the vars.
-{
-  (set) 2>&1 |
-    case `(ac_space=' '; set | grep ac_space) 2>&1` in
-    *ac_space=\ *)
-      # `set' does not quote correctly, so add quotes (double-quote
-      # substitution turns \\\\ into \\, and sed turns \\ into \).
-      sed -n \
-	"s/'/'\\\\''/g;
-	  s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\\2'/p"
-      ;;
-    *)
-      # `set' quotes correctly as required by POSIX, so do not add quotes.
-      sed -n \
-	"s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1=\\2/p"
-      ;;
-    esac;
-} |
-  sed '
-     t clear
-     : clear
-     s/^\([^=]*\)=\(.*[{}].*\)$/test "${\1+set}" = set || &/
-     t end
-     /^ac_cv_env/!s/^\([^=]*\)=\(.*\)$/\1=${\1=\2}/
-     : end' >>confcache
-if diff $cache_file confcache >/dev/null 2>&1; then :; else
-  if test -w $cache_file; then
-    test "x$cache_file" != "x/dev/null" && echo "updating cache $cache_file"
-    cat confcache >$cache_file
-  else
-    echo "not updating unwritable cache $cache_file"
-  fi
-fi
-rm -f confcache
-
-test "x$prefix" = xNONE && prefix=$ac_default_prefix
-# Let make expand exec_prefix.
-test "x$exec_prefix" = xNONE && exec_prefix='${prefix}'
-
-# VPATH may cause trouble with some makes, so we remove $(srcdir),
-# ${srcdir} and @srcdir@ from VPATH if srcdir is ".", strip leading and
-# trailing colons and then remove the whole line if VPATH becomes empty
-# (actually we leave an empty line to preserve line numbers).
-if test "x$srcdir" = x.; then
-  ac_vpsub='/^[	 ]*VPATH[	 ]*=/{
-s/:*\$(srcdir):*/:/;
-s/:*\${srcdir}:*/:/;
-s/:*@srcdir@:*/:/;
-s/^\([^=]*=[	 ]*\):*/\1/;
-s/:*$//;
-s/^[^=]*=[	 ]*$//;
-}'
-fi
-
-DEFS=-DHAVE_CONFIG_H
-
-ac_libobjs=
-ac_ltlibobjs=
-for ac_i in : $LIBOBJS; do test "x$ac_i" = x: && continue
-  # 1. Remove the extension, and $U if already installed.
-  ac_i=`echo "$ac_i" |
-	 sed 's/\$U\././;s/\.o$//;s/\.obj$//'`
-  # 2. Add them.
-  ac_libobjs="$ac_libobjs $ac_i\$U.$ac_objext"
-  ac_ltlibobjs="$ac_ltlibobjs $ac_i"'$U.lo'
-done
-LIBOBJS=$ac_libobjs
-
-LTLIBOBJS=$ac_ltlibobjs
-
-
-
-: ${CONFIG_STATUS=./config.status}
-ac_clean_files_save=$ac_clean_files
-ac_clean_files="$ac_clean_files $CONFIG_STATUS"
-{ echo "$as_me:$LINENO: creating $CONFIG_STATUS" >&5
-echo "$as_me: creating $CONFIG_STATUS" >&6;}
-cat >$CONFIG_STATUS <<_ACEOF
-#! $SHELL
-# Generated by $as_me.
-# Run this file to recreate the current configuration.
-# Compiler output produced by configure, useful for debugging
-# configure, is in config.log if it exists.
-
-debug=false
-ac_cs_recheck=false
-ac_cs_silent=false
-SHELL=\${CONFIG_SHELL-$SHELL}
-_ACEOF
-
-cat >>$CONFIG_STATUS <<\_ACEOF
-## --------------------- ##
-## M4sh Initialization.  ##
-## --------------------- ##
-
-# Be Bourne compatible
-if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
-  emulate sh
-  NULLCMD=:
-  # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
-  # is contrary to our usage.  Disable this feature.
-  alias -g '${1+"$@"}'='"$@"'
-elif test -n "${BASH_VERSION+set}" && (set -o posix) >/dev/null 2>&1; then
-  set -o posix
-fi
-DUALCASE=1; export DUALCASE # for MKS sh
-
-# Support unset when possible.
-if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then
-  as_unset=unset
-else
-  as_unset=false
-fi
-
-
-# Work around bugs in pre-3.0 UWIN ksh.
-$as_unset ENV MAIL MAILPATH
-PS1='$ '
-PS2='> '
-PS4='+ '
-
-# NLS nuisances.
-for as_var in \
-  LANG LANGUAGE LC_ADDRESS LC_ALL LC_COLLATE LC_CTYPE LC_IDENTIFICATION \
-  LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER \
-  LC_TELEPHONE LC_TIME
-do
-  if (set +x; test -z "`(eval $as_var=C; export $as_var) 2>&1`"); then
-    eval $as_var=C; export $as_var
-  else
-    $as_unset $as_var
-  fi
-done
-
-# Required to use basename.
-if expr a : '\(a\)' >/dev/null 2>&1; then
-  as_expr=expr
-else
-  as_expr=false
-fi
-
-if (basename /) >/dev/null 2>&1 && test "X`basename / 2>&1`" = "X/"; then
-  as_basename=basename
-else
-  as_basename=false
-fi
-
-
-# Name of the executable.
-as_me=`$as_basename "$0" ||
-$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \
-	 X"$0" : 'X\(//\)$' \| \
-	 X"$0" : 'X\(/\)$' \| \
-	 .     : '\(.\)' 2>/dev/null ||
-echo X/"$0" |
-    sed '/^.*\/\([^/][^/]*\)\/*$/{ s//\1/; q; }
-  	  /^X\/\(\/\/\)$/{ s//\1/; q; }
-  	  /^X\/\(\/\).*/{ s//\1/; q; }
-  	  s/.*/./; q'`
-
-
-# PATH needs CR, and LINENO needs CR and PATH.
-# Avoid depending upon Character Ranges.
-as_cr_letters='abcdefghijklmnopqrstuvwxyz'
-as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
-as_cr_Letters=$as_cr_letters$as_cr_LETTERS
-as_cr_digits='0123456789'
-as_cr_alnum=$as_cr_Letters$as_cr_digits
-
-# The user is always right.
-if test "${PATH_SEPARATOR+set}" != set; then
-  echo "#! /bin/sh" >conf$$.sh
-  echo  "exit 0"   >>conf$$.sh
-  chmod +x conf$$.sh
-  if (PATH="/nonexistent;."; conf$$.sh) >/dev/null 2>&1; then
-    PATH_SEPARATOR=';'
-  else
-    PATH_SEPARATOR=:
-  fi
-  rm -f conf$$.sh
-fi
-
-
-  as_lineno_1=$LINENO
-  as_lineno_2=$LINENO
-  as_lineno_3=`(expr $as_lineno_1 + 1) 2>/dev/null`
-  test "x$as_lineno_1" != "x$as_lineno_2" &&
-  test "x$as_lineno_3"  = "x$as_lineno_2"  || {
-  # Find who we are.  Look in the path if we contain no path at all
-  # relative or not.
-  case $0 in
-    *[\\/]* ) as_myself=$0 ;;
-    *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break
-done
-
-       ;;
-  esac
-  # We did not find ourselves, most probably we were run as `sh COMMAND'
-  # in which case we are not to be found in the path.
-  if test "x$as_myself" = x; then
-    as_myself=$0
-  fi
-  if test ! -f "$as_myself"; then
-    { { echo "$as_me:$LINENO: error: cannot find myself; rerun with an absolute path" >&5
-echo "$as_me: error: cannot find myself; rerun with an absolute path" >&2;}
-   { (exit 1); exit 1; }; }
-  fi
-  case $CONFIG_SHELL in
-  '')
-    as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in /bin$PATH_SEPARATOR/usr/bin$PATH_SEPARATOR$PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for as_base in sh bash ksh sh5; do
-	 case $as_dir in
-	 /*)
-	   if ("$as_dir/$as_base" -c '
-  as_lineno_1=$LINENO
-  as_lineno_2=$LINENO
-  as_lineno_3=`(expr $as_lineno_1 + 1) 2>/dev/null`
-  test "x$as_lineno_1" != "x$as_lineno_2" &&
-  test "x$as_lineno_3"  = "x$as_lineno_2" ') 2>/dev/null; then
-	     $as_unset BASH_ENV || test "${BASH_ENV+set}" != set || { BASH_ENV=; export BASH_ENV; }
-	     $as_unset ENV || test "${ENV+set}" != set || { ENV=; export ENV; }
-	     CONFIG_SHELL=$as_dir/$as_base
-	     export CONFIG_SHELL
-	     exec "$CONFIG_SHELL" "$0" ${1+"$@"}
-	   fi;;
-	 esac
-       done
-done
-;;
-  esac
-
-  # Create $as_me.lineno as a copy of $as_myself, but with $LINENO
-  # uniformly replaced by the line number.  The first 'sed' inserts a
-  # line-number line before each line; the second 'sed' does the real
-  # work.  The second script uses 'N' to pair each line-number line
-  # with the numbered line, and appends trailing '-' during
-  # substitution so that $LINENO is not a special case at line end.
-  # (Raja R Harinath suggested sed '=', and Paul Eggert wrote the
-  # second 'sed' script.  Blame Lee E. McMahon for sed's syntax.  :-)
-  sed '=' <$as_myself |
-    sed '
-      N
-      s,$,-,
-      : loop
-      s,^\(['$as_cr_digits']*\)\(.*\)[$]LINENO\([^'$as_cr_alnum'_]\),\1\2\1\3,
-      t loop
-      s,-$,,
-      s,^['$as_cr_digits']*\n,,
-    ' >$as_me.lineno &&
-  chmod +x $as_me.lineno ||
-    { { echo "$as_me:$LINENO: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&5
-echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2;}
-   { (exit 1); exit 1; }; }
-
-  # Don't try to exec as it changes $[0], causing all sort of problems
-  # (the dirname of $[0] is not the place where we might find the
-  # original and so on.  Autoconf is especially sensible to this).
-  . ./$as_me.lineno
-  # Exit status is that of the last command.
-  exit
-}
-
-
-case `echo "testing\c"; echo 1,2,3`,`echo -n testing; echo 1,2,3` in
-  *c*,-n*) ECHO_N= ECHO_C='
-' ECHO_T='	' ;;
-  *c*,*  ) ECHO_N=-n ECHO_C= ECHO_T= ;;
-  *)       ECHO_N= ECHO_C='\c' ECHO_T= ;;
-esac
-
-if expr a : '\(a\)' >/dev/null 2>&1; then
-  as_expr=expr
-else
-  as_expr=false
-fi
-
-rm -f conf$$ conf$$.exe conf$$.file
-echo >conf$$.file
-if ln -s conf$$.file conf$$ 2>/dev/null; then
-  # We could just check for DJGPP; but this test a) works b) is more generic
-  # and c) will remain valid once DJGPP supports symlinks (DJGPP 2.04).
-  if test -f conf$$.exe; then
-    # Don't use ln at all; we don't have any links
-    as_ln_s='cp -p'
-  else
-    as_ln_s='ln -s'
-  fi
-elif ln conf$$.file conf$$ 2>/dev/null; then
-  as_ln_s=ln
-else
-  as_ln_s='cp -p'
-fi
-rm -f conf$$ conf$$.exe conf$$.file
-
-if mkdir -p . 2>/dev/null; then
-  as_mkdir_p=:
-else
-  test -d ./-p && rmdir ./-p
-  as_mkdir_p=false
-fi
-
-as_executable_p="test -f"
-
-# Sed expression to map a string onto a valid CPP name.
-as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'"
-
-# Sed expression to map a string onto a valid variable name.
-as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'"
-
-
-# IFS
-# We need space, tab and new line, in precisely that order.
-as_nl='
-'
-IFS=" 	$as_nl"
-
-# CDPATH.
-$as_unset CDPATH
-
-exec 6>&1
-
-# Open the log real soon, to keep \$[0] and so on meaningful, and to
-# report actual input values of CONFIG_FILES etc. instead of their
-# values after options handling.  Logging --version etc. is OK.
-exec 5>>config.log
-{
-  echo
-  sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <<_ASBOX
-## Running $as_me. ##
-_ASBOX
-} >&5
-cat >&5 <<_CSEOF
-
-This file was extended by $as_me, which was
-generated by GNU Autoconf 2.59.  Invocation command line was
-
-  CONFIG_FILES    = $CONFIG_FILES
-  CONFIG_HEADERS  = $CONFIG_HEADERS
-  CONFIG_LINKS    = $CONFIG_LINKS
-  CONFIG_COMMANDS = $CONFIG_COMMANDS
-  $ $0 $@
-
-_CSEOF
-echo "on `(hostname || uname -n) 2>/dev/null | sed 1q`" >&5
-echo >&5
-_ACEOF
-
-# Files that config.status was made for.
-if test -n "$ac_config_files"; then
-  echo "config_files=\"$ac_config_files\"" >>$CONFIG_STATUS
-fi
-
-if test -n "$ac_config_headers"; then
-  echo "config_headers=\"$ac_config_headers\"" >>$CONFIG_STATUS
-fi
-
-if test -n "$ac_config_links"; then
-  echo "config_links=\"$ac_config_links\"" >>$CONFIG_STATUS
-fi
-
-if test -n "$ac_config_commands"; then
-  echo "config_commands=\"$ac_config_commands\"" >>$CONFIG_STATUS
-fi
-
-cat >>$CONFIG_STATUS <<\_ACEOF
-
-ac_cs_usage="\
-\`$as_me' instantiates files from templates according to the
-current configuration.
-
-Usage: $0 [OPTIONS] [FILE]...
-
-  -h, --help       print this help, then exit
-  -V, --version    print version number, then exit
-  -q, --quiet      do not print progress messages
-  -d, --debug      don't remove temporary files
-      --recheck    update $as_me by reconfiguring in the same conditions
-  --file=FILE[:TEMPLATE]
-		   instantiate the configuration file FILE
-  --header=FILE[:TEMPLATE]
-		   instantiate the configuration header FILE
-
-Configuration files:
-$config_files
-
-Configuration headers:
-$config_headers
-
-Report bugs to <bug-autoconf@gnu.org>."
-_ACEOF
-
-cat >>$CONFIG_STATUS <<_ACEOF
-ac_cs_version="\\
-config.status
-configured by $0, generated by GNU Autoconf 2.59,
-  with options \\"`echo "$ac_configure_args" | sed 's/[\\""\`\$]/\\\\&/g'`\\"
-
-Copyright (C) 2003 Free Software Foundation, Inc.
-This config.status script is free software; the Free Software Foundation
-gives unlimited permission to copy, distribute and modify it."
-srcdir=$srcdir
-INSTALL="$INSTALL"
-_ACEOF
-
-cat >>$CONFIG_STATUS <<\_ACEOF
-# If no file are specified by the user, then we need to provide default
-# value.  By we need to know if files were specified by the user.
-ac_need_defaults=:
-while test $# != 0
-do
-  case $1 in
-  --*=*)
-    ac_option=`expr "x$1" : 'x\([^=]*\)='`
-    ac_optarg=`expr "x$1" : 'x[^=]*=\(.*\)'`
-    ac_shift=:
-    ;;
-  -*)
-    ac_option=$1
-    ac_optarg=$2
-    ac_shift=shift
-    ;;
-  *) # This is not an option, so the user has probably given explicit
-     # arguments.
-     ac_option=$1
-     ac_need_defaults=false;;
-  esac
-
-  case $ac_option in
-  # Handling of the options.
-_ACEOF
-cat >>$CONFIG_STATUS <<\_ACEOF
-  -recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r)
-    ac_cs_recheck=: ;;
-  --version | --vers* | -V )
-    echo "$ac_cs_version"; exit 0 ;;
-  --he | --h)
-    # Conflict between --help and --header
-    { { echo "$as_me:$LINENO: error: ambiguous option: $1
-Try \`$0 --help' for more information." >&5
-echo "$as_me: error: ambiguous option: $1
-Try \`$0 --help' for more information." >&2;}
-   { (exit 1); exit 1; }; };;
-  --help | --hel | -h )
-    echo "$ac_cs_usage"; exit 0 ;;
-  --debug | --d* | -d )
-    debug=: ;;
-  --file | --fil | --fi | --f )
-    $ac_shift
-    CONFIG_FILES="$CONFIG_FILES $ac_optarg"
-    ac_need_defaults=false;;
-  --header | --heade | --head | --hea )
-    $ac_shift
-    CONFIG_HEADERS="$CONFIG_HEADERS $ac_optarg"
-    ac_need_defaults=false;;
-  -q | -quiet | --quiet | --quie | --qui | --qu | --q \
-  | -silent | --silent | --silen | --sile | --sil | --si | --s)
-    ac_cs_silent=: ;;
-
-  # This is an error.
-  -*) { { echo "$as_me:$LINENO: error: unrecognized option: $1
-Try \`$0 --help' for more information." >&5
-echo "$as_me: error: unrecognized option: $1
-Try \`$0 --help' for more information." >&2;}
-   { (exit 1); exit 1; }; } ;;
-
-  *) ac_config_targets="$ac_config_targets $1" ;;
-
-  esac
-  shift
-done
-
-ac_configure_extra_args=
-
-if $ac_cs_silent; then
-  exec 6>/dev/null
-  ac_configure_extra_args="$ac_configure_extra_args --silent"
-fi
-
-_ACEOF
-cat >>$CONFIG_STATUS <<_ACEOF
-if \$ac_cs_recheck; then
-  echo "running $SHELL $0 " $ac_configure_args \$ac_configure_extra_args " --no-create --no-recursion" >&6
-  exec $SHELL $0 $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion
-fi
-
-_ACEOF
-
-
-
-
-
-cat >>$CONFIG_STATUS <<\_ACEOF
-for ac_config_target in $ac_config_targets
-do
-  case "$ac_config_target" in
-  # Handling of arguments.
-  "Makefile" ) CONFIG_FILES="$CONFIG_FILES Makefile" ;;
-  "config.h" ) CONFIG_HEADERS="$CONFIG_HEADERS config.h" ;;
-  *) { { echo "$as_me:$LINENO: error: invalid argument: $ac_config_target" >&5
-echo "$as_me: error: invalid argument: $ac_config_target" >&2;}
-   { (exit 1); exit 1; }; };;
-  esac
-done
-
-# If the user did not use the arguments to specify the items to instantiate,
-# then the envvar interface is used.  Set only those that are not.
-# We use the long form for the default assignment because of an extremely
-# bizarre bug on SunOS 4.1.3.
-if $ac_need_defaults; then
-  test "${CONFIG_FILES+set}" = set || CONFIG_FILES=$config_files
-  test "${CONFIG_HEADERS+set}" = set || CONFIG_HEADERS=$config_headers
-fi
-
-# Have a temporary directory for convenience.  Make it in the build tree
-# simply because there is no reason to put it here, and in addition,
-# creating and moving files from /tmp can sometimes cause problems.
-# Create a temporary directory, and hook for its removal unless debugging.
-$debug ||
-{
-  trap 'exit_status=$?; rm -rf $tmp && exit $exit_status' 0
-  trap '{ (exit 1); exit 1; }' 1 2 13 15
-}
-
-# Create a (secure) tmp directory for tmp files.
-
-{
-  tmp=`(umask 077 && mktemp -d -q "./confstatXXXXXX") 2>/dev/null` &&
-  test -n "$tmp" && test -d "$tmp"
-}  ||
-{
-  tmp=./confstat$$-$RANDOM
-  (umask 077 && mkdir $tmp)
-} ||
-{
-   echo "$me: cannot create a temporary directory in ." >&2
-   { (exit 1); exit 1; }
-}
-
-_ACEOF
-
-cat >>$CONFIG_STATUS <<_ACEOF
-
-#
-# CONFIG_FILES section.
-#
-
-# No need to generate the scripts if there are no CONFIG_FILES.
-# This happens for instance when ./config.status config.h
-if test -n "\$CONFIG_FILES"; then
-  # Protect against being on the right side of a sed subst in config.status.
-  sed 's/,@/@@/; s/@,/@@/; s/,;t t\$/@;t t/; /@;t t\$/s/[\\\\&,]/\\\\&/g;
-   s/@@/,@/; s/@@/@,/; s/@;t t\$/,;t t/' >\$tmp/subs.sed <<\\CEOF
-s,@SHELL@,$SHELL,;t t
-s,@PATH_SEPARATOR@,$PATH_SEPARATOR,;t t
-s,@PACKAGE_NAME@,$PACKAGE_NAME,;t t
-s,@PACKAGE_TARNAME@,$PACKAGE_TARNAME,;t t
-s,@PACKAGE_VERSION@,$PACKAGE_VERSION,;t t
-s,@PACKAGE_STRING@,$PACKAGE_STRING,;t t
-s,@PACKAGE_BUGREPORT@,$PACKAGE_BUGREPORT,;t t
-s,@exec_prefix@,$exec_prefix,;t t
-s,@prefix@,$prefix,;t t
-s,@program_transform_name@,$program_transform_name,;t t
-s,@bindir@,$bindir,;t t
-s,@sbindir@,$sbindir,;t t
-s,@libexecdir@,$libexecdir,;t t
-s,@datadir@,$datadir,;t t
-s,@sysconfdir@,$sysconfdir,;t t
-s,@sharedstatedir@,$sharedstatedir,;t t
-s,@localstatedir@,$localstatedir,;t t
-s,@libdir@,$libdir,;t t
-s,@includedir@,$includedir,;t t
-s,@oldincludedir@,$oldincludedir,;t t
-s,@infodir@,$infodir,;t t
-s,@mandir@,$mandir,;t t
-s,@build_alias@,$build_alias,;t t
-s,@host_alias@,$host_alias,;t t
-s,@target_alias@,$target_alias,;t t
-s,@DEFS@,$DEFS,;t t
-s,@ECHO_C@,$ECHO_C,;t t
-s,@ECHO_N@,$ECHO_N,;t t
-s,@ECHO_T@,$ECHO_T,;t t
-s,@LIBS@,$LIBS,;t t
-s,@CC@,$CC,;t t
-s,@CFLAGS@,$CFLAGS,;t t
-s,@LDFLAGS@,$LDFLAGS,;t t
-s,@CPPFLAGS@,$CPPFLAGS,;t t
-s,@ac_ct_CC@,$ac_ct_CC,;t t
-s,@EXEEXT@,$EXEEXT,;t t
-s,@OBJEXT@,$OBJEXT,;t t
-s,@INSTALL_PROGRAM@,$INSTALL_PROGRAM,;t t
-s,@INSTALL_SCRIPT@,$INSTALL_SCRIPT,;t t
-s,@INSTALL_DATA@,$INSTALL_DATA,;t t
-s,@CPP@,$CPP,;t t
-s,@EGREP@,$EGREP,;t t
-s,@LOC_NTOA@,$LOC_NTOA,;t t
-s,@LIBOBJS@,$LIBOBJS,;t t
-s,@LTLIBOBJS@,$LTLIBOBJS,;t t
-CEOF
-
-_ACEOF
-
-  cat >>$CONFIG_STATUS <<\_ACEOF
-  # Split the substitutions into bite-sized pieces for seds with
-  # small command number limits, like on Digital OSF/1 and HP-UX.
-  ac_max_sed_lines=48
-  ac_sed_frag=1 # Number of current file.
-  ac_beg=1 # First line for current file.
-  ac_end=$ac_max_sed_lines # Line after last line for current file.
-  ac_more_lines=:
-  ac_sed_cmds=
-  while $ac_more_lines; do
-    if test $ac_beg -gt 1; then
-      sed "1,${ac_beg}d; ${ac_end}q" $tmp/subs.sed >$tmp/subs.frag
-    else
-      sed "${ac_end}q" $tmp/subs.sed >$tmp/subs.frag
-    fi
-    if test ! -s $tmp/subs.frag; then
-      ac_more_lines=false
-    else
-      # The purpose of the label and of the branching condition is to
-      # speed up the sed processing (if there are no `@' at all, there
-      # is no need to browse any of the substitutions).
-      # These are the two extra sed commands mentioned above.
-      (echo ':t
-  /@[a-zA-Z_][a-zA-Z_0-9]*@/!b' && cat $tmp/subs.frag) >$tmp/subs-$ac_sed_frag.sed
-      if test -z "$ac_sed_cmds"; then
-	ac_sed_cmds="sed -f $tmp/subs-$ac_sed_frag.sed"
-      else
-	ac_sed_cmds="$ac_sed_cmds | sed -f $tmp/subs-$ac_sed_frag.sed"
-      fi
-      ac_sed_frag=`expr $ac_sed_frag + 1`
-      ac_beg=$ac_end
-      ac_end=`expr $ac_end + $ac_max_sed_lines`
-    fi
-  done
-  if test -z "$ac_sed_cmds"; then
-    ac_sed_cmds=cat
-  fi
-fi # test -n "$CONFIG_FILES"
-
-_ACEOF
-cat >>$CONFIG_STATUS <<\_ACEOF
-for ac_file in : $CONFIG_FILES; do test "x$ac_file" = x: && continue
-  # Support "outfile[:infile[:infile...]]", defaulting infile="outfile.in".
-  case $ac_file in
-  - | *:- | *:-:* ) # input from stdin
-	cat >$tmp/stdin
-	ac_file_in=`echo "$ac_file" | sed 's,[^:]*:,,'`
-	ac_file=`echo "$ac_file" | sed 's,:.*,,'` ;;
-  *:* ) ac_file_in=`echo "$ac_file" | sed 's,[^:]*:,,'`
-	ac_file=`echo "$ac_file" | sed 's,:.*,,'` ;;
-  * )   ac_file_in=$ac_file.in ;;
-  esac
-
-  # Compute @srcdir@, @top_srcdir@, and @INSTALL@ for subdirectories.
-  ac_dir=`(dirname "$ac_file") 2>/dev/null ||
-$as_expr X"$ac_file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
-	 X"$ac_file" : 'X\(//\)[^/]' \| \
-	 X"$ac_file" : 'X\(//\)$' \| \
-	 X"$ac_file" : 'X\(/\)' \| \
-	 .     : '\(.\)' 2>/dev/null ||
-echo X"$ac_file" |
-    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/; q; }
-  	  /^X\(\/\/\)[^/].*/{ s//\1/; q; }
-  	  /^X\(\/\/\)$/{ s//\1/; q; }
-  	  /^X\(\/\).*/{ s//\1/; q; }
-  	  s/.*/./; q'`
-  { if $as_mkdir_p; then
-    mkdir -p "$ac_dir"
-  else
-    as_dir="$ac_dir"
-    as_dirs=
-    while test ! -d "$as_dir"; do
-      as_dirs="$as_dir $as_dirs"
-      as_dir=`(dirname "$as_dir") 2>/dev/null ||
-$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
-	 X"$as_dir" : 'X\(//\)[^/]' \| \
-	 X"$as_dir" : 'X\(//\)$' \| \
-	 X"$as_dir" : 'X\(/\)' \| \
-	 .     : '\(.\)' 2>/dev/null ||
-echo X"$as_dir" |
-    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/; q; }
-  	  /^X\(\/\/\)[^/].*/{ s//\1/; q; }
-  	  /^X\(\/\/\)$/{ s//\1/; q; }
-  	  /^X\(\/\).*/{ s//\1/; q; }
-  	  s/.*/./; q'`
-    done
-    test ! -n "$as_dirs" || mkdir $as_dirs
-  fi || { { echo "$as_me:$LINENO: error: cannot create directory \"$ac_dir\"" >&5
-echo "$as_me: error: cannot create directory \"$ac_dir\"" >&2;}
-   { (exit 1); exit 1; }; }; }
-
-  ac_builddir=.
-
-if test "$ac_dir" != .; then
-  ac_dir_suffix=/`echo "$ac_dir" | sed 's,^\.[\\/],,'`
-  # A "../" for each directory in $ac_dir_suffix.
-  ac_top_builddir=`echo "$ac_dir_suffix" | sed 's,/[^\\/]*,../,g'`
-else
-  ac_dir_suffix= ac_top_builddir=
-fi
-
-case $srcdir in
-  .)  # No --srcdir option.  We are building in place.
-    ac_srcdir=.
-    if test -z "$ac_top_builddir"; then
-       ac_top_srcdir=.
-    else
-       ac_top_srcdir=`echo $ac_top_builddir | sed 's,/$,,'`
-    fi ;;
-  [\\/]* | ?:[\\/]* )  # Absolute path.
-    ac_srcdir=$srcdir$ac_dir_suffix;
-    ac_top_srcdir=$srcdir ;;
-  *) # Relative path.
-    ac_srcdir=$ac_top_builddir$srcdir$ac_dir_suffix
-    ac_top_srcdir=$ac_top_builddir$srcdir ;;
-esac
-
-# Do not use `cd foo && pwd` to compute absolute paths, because
-# the directories may not exist.
-case `pwd` in
-.) ac_abs_builddir="$ac_dir";;
-*)
-  case "$ac_dir" in
-  .) ac_abs_builddir=`pwd`;;
-  [\\/]* | ?:[\\/]* ) ac_abs_builddir="$ac_dir";;
-  *) ac_abs_builddir=`pwd`/"$ac_dir";;
-  esac;;
-esac
-case $ac_abs_builddir in
-.) ac_abs_top_builddir=${ac_top_builddir}.;;
-*)
-  case ${ac_top_builddir}. in
-  .) ac_abs_top_builddir=$ac_abs_builddir;;
-  [\\/]* | ?:[\\/]* ) ac_abs_top_builddir=${ac_top_builddir}.;;
-  *) ac_abs_top_builddir=$ac_abs_builddir/${ac_top_builddir}.;;
-  esac;;
-esac
-case $ac_abs_builddir in
-.) ac_abs_srcdir=$ac_srcdir;;
-*)
-  case $ac_srcdir in
-  .) ac_abs_srcdir=$ac_abs_builddir;;
-  [\\/]* | ?:[\\/]* ) ac_abs_srcdir=$ac_srcdir;;
-  *) ac_abs_srcdir=$ac_abs_builddir/$ac_srcdir;;
-  esac;;
-esac
-case $ac_abs_builddir in
-.) ac_abs_top_srcdir=$ac_top_srcdir;;
-*)
-  case $ac_top_srcdir in
-  .) ac_abs_top_srcdir=$ac_abs_builddir;;
-  [\\/]* | ?:[\\/]* ) ac_abs_top_srcdir=$ac_top_srcdir;;
-  *) ac_abs_top_srcdir=$ac_abs_builddir/$ac_top_srcdir;;
-  esac;;
-esac
-
-
-  case $INSTALL in
-  [\\/$]* | ?:[\\/]* ) ac_INSTALL=$INSTALL ;;
-  *) ac_INSTALL=$ac_top_builddir$INSTALL ;;
-  esac
-
-  # Let's still pretend it is `configure' which instantiates (i.e., don't
-  # use $as_me), people would be surprised to read:
-  #    /* config.h.  Generated by config.status.  */
-  if test x"$ac_file" = x-; then
-    configure_input=
-  else
-    configure_input="$ac_file.  "
-  fi
-  configure_input=$configure_input"Generated from `echo $ac_file_in |
-				     sed 's,.*/,,'` by configure."
-
-  # First look for the input files in the build tree, otherwise in the
-  # src tree.
-  ac_file_inputs=`IFS=:
-    for f in $ac_file_in; do
-      case $f in
-      -) echo $tmp/stdin ;;
-      [\\/$]*)
-	 # Absolute (can't be DOS-style, as IFS=:)
-	 test -f "$f" || { { echo "$as_me:$LINENO: error: cannot find input file: $f" >&5
-echo "$as_me: error: cannot find input file: $f" >&2;}
-   { (exit 1); exit 1; }; }
-	 echo "$f";;
-      *) # Relative
-	 if test -f "$f"; then
-	   # Build tree
-	   echo "$f"
-	 elif test -f "$srcdir/$f"; then
-	   # Source tree
-	   echo "$srcdir/$f"
-	 else
-	   # /dev/null tree
-	   { { echo "$as_me:$LINENO: error: cannot find input file: $f" >&5
-echo "$as_me: error: cannot find input file: $f" >&2;}
-   { (exit 1); exit 1; }; }
-	 fi;;
-      esac
-    done` || { (exit 1); exit 1; }
-
-  if test x"$ac_file" != x-; then
-    { echo "$as_me:$LINENO: creating $ac_file" >&5
-echo "$as_me: creating $ac_file" >&6;}
-    rm -f "$ac_file"
-  fi
-_ACEOF
-cat >>$CONFIG_STATUS <<_ACEOF
-  sed "$ac_vpsub
-$extrasub
-_ACEOF
-cat >>$CONFIG_STATUS <<\_ACEOF
-:t
-/@[a-zA-Z_][a-zA-Z_0-9]*@/!b
-s,@configure_input@,$configure_input,;t t
-s,@srcdir@,$ac_srcdir,;t t
-s,@abs_srcdir@,$ac_abs_srcdir,;t t
-s,@top_srcdir@,$ac_top_srcdir,;t t
-s,@abs_top_srcdir@,$ac_abs_top_srcdir,;t t
-s,@builddir@,$ac_builddir,;t t
-s,@abs_builddir@,$ac_abs_builddir,;t t
-s,@top_builddir@,$ac_top_builddir,;t t
-s,@abs_top_builddir@,$ac_abs_top_builddir,;t t
-s,@INSTALL@,$ac_INSTALL,;t t
-" $ac_file_inputs | (eval "$ac_sed_cmds") >$tmp/out
-  rm -f $tmp/stdin
-  if test x"$ac_file" != x-; then
-    mv $tmp/out $ac_file
-  else
-    cat $tmp/out
-    rm -f $tmp/out
-  fi
-
-done
-_ACEOF
-cat >>$CONFIG_STATUS <<\_ACEOF
-
-#
-# CONFIG_HEADER section.
-#
-
-# These sed commands are passed to sed as "A NAME B NAME C VALUE D", where
-# NAME is the cpp macro being defined and VALUE is the value it is being given.
-#
-# ac_d sets the value in "#define NAME VALUE" lines.
-ac_dA='s,^\([	 ]*\)#\([	 ]*define[	 ][	 ]*\)'
-ac_dB='[	 ].*$,\1#\2'
-ac_dC=' '
-ac_dD=',;t'
-# ac_u turns "#undef NAME" without trailing blanks into "#define NAME VALUE".
-ac_uA='s,^\([	 ]*\)#\([	 ]*\)undef\([	 ][	 ]*\)'
-ac_uB='$,\1#\2define\3'
-ac_uC=' '
-ac_uD=',;t'
-
-for ac_file in : $CONFIG_HEADERS; do test "x$ac_file" = x: && continue
-  # Support "outfile[:infile[:infile...]]", defaulting infile="outfile.in".
-  case $ac_file in
-  - | *:- | *:-:* ) # input from stdin
-	cat >$tmp/stdin
-	ac_file_in=`echo "$ac_file" | sed 's,[^:]*:,,'`
-	ac_file=`echo "$ac_file" | sed 's,:.*,,'` ;;
-  *:* ) ac_file_in=`echo "$ac_file" | sed 's,[^:]*:,,'`
-	ac_file=`echo "$ac_file" | sed 's,:.*,,'` ;;
-  * )   ac_file_in=$ac_file.in ;;
-  esac
-
-  test x"$ac_file" != x- && { echo "$as_me:$LINENO: creating $ac_file" >&5
-echo "$as_me: creating $ac_file" >&6;}
-
-  # First look for the input files in the build tree, otherwise in the
-  # src tree.
-  ac_file_inputs=`IFS=:
-    for f in $ac_file_in; do
-      case $f in
-      -) echo $tmp/stdin ;;
-      [\\/$]*)
-	 # Absolute (can't be DOS-style, as IFS=:)
-	 test -f "$f" || { { echo "$as_me:$LINENO: error: cannot find input file: $f" >&5
-echo "$as_me: error: cannot find input file: $f" >&2;}
-   { (exit 1); exit 1; }; }
-	 # Do quote $f, to prevent DOS paths from being IFS'd.
-	 echo "$f";;
-      *) # Relative
-	 if test -f "$f"; then
-	   # Build tree
-	   echo "$f"
-	 elif test -f "$srcdir/$f"; then
-	   # Source tree
-	   echo "$srcdir/$f"
-	 else
-	   # /dev/null tree
-	   { { echo "$as_me:$LINENO: error: cannot find input file: $f" >&5
-echo "$as_me: error: cannot find input file: $f" >&2;}
-   { (exit 1); exit 1; }; }
-	 fi;;
-      esac
-    done` || { (exit 1); exit 1; }
-  # Remove the trailing spaces.
-  sed 's/[	 ]*$//' $ac_file_inputs >$tmp/in
-
-_ACEOF
-
-# Transform confdefs.h into two sed scripts, `conftest.defines' and
-# `conftest.undefs', that substitutes the proper values into
-# config.h.in to produce config.h.  The first handles `#define'
-# templates, and the second `#undef' templates.
-# And first: Protect against being on the right side of a sed subst in
-# config.status.  Protect against being in an unquoted here document
-# in config.status.
-rm -f conftest.defines conftest.undefs
-# Using a here document instead of a string reduces the quoting nightmare.
-# Putting comments in sed scripts is not portable.
-#
-# `end' is used to avoid that the second main sed command (meant for
-# 0-ary CPP macros) applies to n-ary macro definitions.
-# See the Autoconf documentation for `clear'.
-cat >confdef2sed.sed <<\_ACEOF
-s/[\\&,]/\\&/g
-s,[\\$`],\\&,g
-t clear
-: clear
-s,^[	 ]*#[	 ]*define[	 ][	 ]*\([^	 (][^	 (]*\)\(([^)]*)\)[	 ]*\(.*\)$,${ac_dA}\1${ac_dB}\1\2${ac_dC}\3${ac_dD},gp
-t end
-s,^[	 ]*#[	 ]*define[	 ][	 ]*\([^	 ][^	 ]*\)[	 ]*\(.*\)$,${ac_dA}\1${ac_dB}\1${ac_dC}\2${ac_dD},gp
-: end
-_ACEOF
-# If some macros were called several times there might be several times
-# the same #defines, which is useless.  Nevertheless, we may not want to
-# sort them, since we want the *last* AC-DEFINE to be honored.
-uniq confdefs.h | sed -n -f confdef2sed.sed >conftest.defines
-sed 's/ac_d/ac_u/g' conftest.defines >conftest.undefs
-rm -f confdef2sed.sed
-
-# This sed command replaces #undef with comments.  This is necessary, for
-# example, in the case of _POSIX_SOURCE, which is predefined and required
-# on some systems where configure will not decide to define it.
-cat >>conftest.undefs <<\_ACEOF
-s,^[	 ]*#[	 ]*undef[	 ][	 ]*[a-zA-Z_][a-zA-Z_0-9]*,/* & */,
-_ACEOF
-
-# Break up conftest.defines because some shells have a limit on the size
-# of here documents, and old seds have small limits too (100 cmds).
-echo '  # Handle all the #define templates only if necessary.' >>$CONFIG_STATUS
-echo '  if grep "^[	 ]*#[	 ]*define" $tmp/in >/dev/null; then' >>$CONFIG_STATUS
-echo '  # If there are no defines, we may have an empty if/fi' >>$CONFIG_STATUS
-echo '  :' >>$CONFIG_STATUS
-rm -f conftest.tail
-while grep . conftest.defines >/dev/null
-do
-  # Write a limited-size here document to $tmp/defines.sed.
-  echo '  cat >$tmp/defines.sed <<CEOF' >>$CONFIG_STATUS
-  # Speed up: don't consider the non `#define' lines.
-  echo '/^[	 ]*#[	 ]*define/!b' >>$CONFIG_STATUS
-  # Work around the forget-to-reset-the-flag bug.
-  echo 't clr' >>$CONFIG_STATUS
-  echo ': clr' >>$CONFIG_STATUS
-  sed ${ac_max_here_lines}q conftest.defines >>$CONFIG_STATUS
-  echo 'CEOF
-  sed -f $tmp/defines.sed $tmp/in >$tmp/out
-  rm -f $tmp/in
-  mv $tmp/out $tmp/in
-' >>$CONFIG_STATUS
-  sed 1,${ac_max_here_lines}d conftest.defines >conftest.tail
-  rm -f conftest.defines
-  mv conftest.tail conftest.defines
-done
-rm -f conftest.defines
-echo '  fi # grep' >>$CONFIG_STATUS
-echo >>$CONFIG_STATUS
-
-# Break up conftest.undefs because some shells have a limit on the size
-# of here documents, and old seds have small limits too (100 cmds).
-echo '  # Handle all the #undef templates' >>$CONFIG_STATUS
-rm -f conftest.tail
-while grep . conftest.undefs >/dev/null
-do
-  # Write a limited-size here document to $tmp/undefs.sed.
-  echo '  cat >$tmp/undefs.sed <<CEOF' >>$CONFIG_STATUS
-  # Speed up: don't consider the non `#undef'
-  echo '/^[	 ]*#[	 ]*undef/!b' >>$CONFIG_STATUS
-  # Work around the forget-to-reset-the-flag bug.
-  echo 't clr' >>$CONFIG_STATUS
-  echo ': clr' >>$CONFIG_STATUS
-  sed ${ac_max_here_lines}q conftest.undefs >>$CONFIG_STATUS
-  echo 'CEOF
-  sed -f $tmp/undefs.sed $tmp/in >$tmp/out
-  rm -f $tmp/in
-  mv $tmp/out $tmp/in
-' >>$CONFIG_STATUS
-  sed 1,${ac_max_here_lines}d conftest.undefs >conftest.tail
-  rm -f conftest.undefs
-  mv conftest.tail conftest.undefs
-done
-rm -f conftest.undefs
-
-cat >>$CONFIG_STATUS <<\_ACEOF
-  # Let's still pretend it is `configure' which instantiates (i.e., don't
-  # use $as_me), people would be surprised to read:
-  #    /* config.h.  Generated by config.status.  */
-  if test x"$ac_file" = x-; then
-    echo "/* Generated by configure.  */" >$tmp/config.h
-  else
-    echo "/* $ac_file.  Generated by configure.  */" >$tmp/config.h
-  fi
-  cat $tmp/in >>$tmp/config.h
-  rm -f $tmp/in
-  if test x"$ac_file" != x-; then
-    if diff $ac_file $tmp/config.h >/dev/null 2>&1; then
-      { echo "$as_me:$LINENO: $ac_file is unchanged" >&5
-echo "$as_me: $ac_file is unchanged" >&6;}
-    else
-      ac_dir=`(dirname "$ac_file") 2>/dev/null ||
-$as_expr X"$ac_file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
-	 X"$ac_file" : 'X\(//\)[^/]' \| \
-	 X"$ac_file" : 'X\(//\)$' \| \
-	 X"$ac_file" : 'X\(/\)' \| \
-	 .     : '\(.\)' 2>/dev/null ||
-echo X"$ac_file" |
-    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/; q; }
-  	  /^X\(\/\/\)[^/].*/{ s//\1/; q; }
-  	  /^X\(\/\/\)$/{ s//\1/; q; }
-  	  /^X\(\/\).*/{ s//\1/; q; }
-  	  s/.*/./; q'`
-      { if $as_mkdir_p; then
-    mkdir -p "$ac_dir"
-  else
-    as_dir="$ac_dir"
-    as_dirs=
-    while test ! -d "$as_dir"; do
-      as_dirs="$as_dir $as_dirs"
-      as_dir=`(dirname "$as_dir") 2>/dev/null ||
-$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
-	 X"$as_dir" : 'X\(//\)[^/]' \| \
-	 X"$as_dir" : 'X\(//\)$' \| \
-	 X"$as_dir" : 'X\(/\)' \| \
-	 .     : '\(.\)' 2>/dev/null ||
-echo X"$as_dir" |
-    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/; q; }
-  	  /^X\(\/\/\)[^/].*/{ s//\1/; q; }
-  	  /^X\(\/\/\)$/{ s//\1/; q; }
-  	  /^X\(\/\).*/{ s//\1/; q; }
-  	  s/.*/./; q'`
-    done
-    test ! -n "$as_dirs" || mkdir $as_dirs
-  fi || { { echo "$as_me:$LINENO: error: cannot create directory \"$ac_dir\"" >&5
-echo "$as_me: error: cannot create directory \"$ac_dir\"" >&2;}
-   { (exit 1); exit 1; }; }; }
-
-      rm -f $ac_file
-      mv $tmp/config.h $ac_file
-    fi
-  else
-    cat $tmp/config.h
-    rm -f $tmp/config.h
-  fi
-done
-_ACEOF
-
-cat >>$CONFIG_STATUS <<\_ACEOF
-
-{ (exit 0); exit 0; }
-_ACEOF
-chmod +x $CONFIG_STATUS
-ac_clean_files=$ac_clean_files_save
-
-
-# configure is writing to config.log, and then calls config.status.
-# config.status does its own redirection, appending to config.log.
-# Unfortunately, on DOS this fails, as config.log is still kept open
-# by configure, so config.status won't be able to write to it; its
-# output is simply discarded.  So we exec the FD to /dev/null,
-# effectively closing config.log, so it can be properly (re)opened and
-# appended to by config.status.  When coming back to configure, we
-# need to make the FD available again.
-if test "$no_create" != yes; then
-  ac_cs_success=:
-  ac_config_status_args=
-  test "$silent" = yes &&
-    ac_config_status_args="$ac_config_status_args --quiet"
-  exec 5>/dev/null
-  $SHELL $CONFIG_STATUS $ac_config_status_args || ac_cs_success=false
-  exec 5>>config.log
-  # Use ||, not &&, to avoid exiting from the if with $? = 1, which
-  # would make configure fail if this is the last instruction.
-  $ac_cs_success || { (exit 1); exit 1; }
-fi
-
-
-
-
diff --git a/contrib/query-loc-0.3.0/configure.in b/contrib/query-loc-0.3.0/configure.in
deleted file mode 100644
index 418ddbae..00000000
--- a/contrib/query-loc-0.3.0/configure.in
+++ /dev/null
@@ -1,65 +0,0 @@
-dnl Process this file with autoconf to produce a configure script.
-AC_RELEASE("$Id: configure.in,v 1.1.6.1 2005/04/01 06:23:06 marka Exp $")
-AC_INIT(query-loc.c)
-
-dnl Checks for programs.
-AC_PROG_CC
-if test "$GCC" = "yes"; then
-	CFLAGS="${CFLAGS} -Wall"
-fi
-AC_PROG_INSTALL
-
-dnl Checks for libraries.
-AC_CHECK_LIB(resolv, res_query)
-
-dnl Checks for header files.
-AC_HEADER_STDC
-AC_CONFIG_HEADER(config.h)
-AC_CHECK_HEADER(resolv.h, , AC_MSG_ERROR("No headers for name service applications"))
-AC_CHECK_HEADER(arpa/nameser.h, , AC_MSG_ERROR("No headers for name service applications"))
-AC_CHECK_HEADER(sys/time.h, , AC_MSG_ERROR("Mandatory header missing on your system"))
-AC_CHECK_HEADER(unistd.h, , AC_MSG_ERROR("Mandatory header missing on your system"))
-
-
-dnl This one is only useful for Solaris?
-AC_MSG_CHECKING(if libnsl is mandatory)
-AC_TRY_LINK([#include <sys/types.h>
-             #include <netinet/in.h>
-             #include <arpa/nameser.h>
-             #include <resolv.h>
-             union
-             {
-                HEADER hdr;	
-                u_char buf[4096]; /* With RFC 2671, otherwise 512 is enough */
-             }
-             response;
-             char *domain;
-             int requested_type;	], 
-	[res_query(domain,
-		  C_IN,		
-		  requested_type,	
-		  (u_char *) & response,	
-		  sizeof (response)) ], dnl
-	[AC_MSG_RESULT(no)], dnl
-	[AC_MSG_RESULT(yes); LIBS="${LIBS} -lnsl"]) 
-
-dnl Check for the loc_ntoa macro/function
-AC_MSG_CHECKING(loc_ntoa)
-AC_TRY_LINK([#include <resolv.h>], dnl
-	[u_char *cp; char *result; loc_ntoa(cp, result)], dnl
-	[AC_MSG_RESULT(yes); AC_DEFINE(HAVE_LOC_NTOA)], dnl
-	[AC_MSG_RESULT([no, using the alternative]); LOC_NTOA=loc_ntoa.o]) 
-AC_SUBST(LOC_NTOA)
-
-dnl Checks for typedefs, structures, and compiler characteristics.
-AC_C_CONST
-AC_CHECK_SIZEOF(long)
-AC_CHECK_SIZEOF(int)
-AC_CHECK_SIZEOF(short)
-AC_CHECK_SIZEOF(char)
-
-dnl Misc.
-AC_OUTPUT(Makefile)
-
-
-
diff --git a/contrib/query-loc-0.3.0/install-sh b/contrib/query-loc-0.3.0/install-sh
deleted file mode 100755
index e9de2384..00000000
--- a/contrib/query-loc-0.3.0/install-sh
+++ /dev/null
@@ -1,251 +0,0 @@
-#!/bin/sh
-#
-# install - install a program, script, or datafile
-# This comes from X11R5 (mit/util/scripts/install.sh).
-#
-# Copyright 1991 by the Massachusetts Institute of Technology
-#
-# Permission to use, copy, modify, distribute, and sell this software and its
-# documentation for any purpose is hereby granted without fee, provided that
-# the above copyright notice appear in all copies and that both that
-# copyright notice and this permission notice appear in supporting
-# documentation, and that the name of M.I.T. not be used in advertising or
-# publicity pertaining to distribution of the software without specific,
-# written prior permission.  M.I.T. makes no representations about the
-# suitability of this software for any purpose.  It is provided "as is"
-# without express or implied warranty.
-#
-# Calling this script install-sh is preferred over install.sh, to prevent
-# `make' implicit rules from creating a file called install from it
-# when there is no Makefile.
-#
-# This script is compatible with the BSD install script, but was written
-# from scratch.  It can only install one file at a time, a restriction
-# shared with many OS's install programs.
-
-
-# set DOITPROG to echo to test this script
-
-# Don't use :- since 4.3BSD and earlier shells don't like it.
-doit="${DOITPROG-}"
-
-
-# put in absolute paths if you don't have them in your path; or use env. vars.
-
-mvprog="${MVPROG-mv}"
-cpprog="${CPPROG-cp}"
-chmodprog="${CHMODPROG-chmod}"
-chownprog="${CHOWNPROG-chown}"
-chgrpprog="${CHGRPPROG-chgrp}"
-stripprog="${STRIPPROG-strip}"
-rmprog="${RMPROG-rm}"
-mkdirprog="${MKDIRPROG-mkdir}"
-
-transformbasename=""
-transform_arg=""
-instcmd="$mvprog"
-chmodcmd="$chmodprog 0755"
-chowncmd=""
-chgrpcmd=""
-stripcmd=""
-rmcmd="$rmprog -f"
-mvcmd="$mvprog"
-src=""
-dst=""
-dir_arg=""
-
-while [ x"$1" != x ]; do
-    case $1 in
-	-c) instcmd="$cpprog"
-	    shift
-	    continue;;
-
-	-d) dir_arg=true
-	    shift
-	    continue;;
-
-	-m) chmodcmd="$chmodprog $2"
-	    shift
-	    shift
-	    continue;;
-
-	-o) chowncmd="$chownprog $2"
-	    shift
-	    shift
-	    continue;;
-
-	-g) chgrpcmd="$chgrpprog $2"
-	    shift
-	    shift
-	    continue;;
-
-	-s) stripcmd="$stripprog"
-	    shift
-	    continue;;
-
-	-t=*) transformarg=`echo $1 | sed 's/-t=//'`
-	    shift
-	    continue;;
-
-	-b=*) transformbasename=`echo $1 | sed 's/-b=//'`
-	    shift
-	    continue;;
-
-	*)  if [ x"$src" = x ]
-	    then
-		src=$1
-	    else
-		# this colon is to work around a 386BSD /bin/sh bug
-		:
-		dst=$1
-	    fi
-	    shift
-	    continue;;
-    esac
-done
-
-if [ x"$src" = x ]
-then
-	echo "install:	no input file specified"
-	exit 1
-else
-	true
-fi
-
-if [ x"$dir_arg" != x ]; then
-	dst=$src
-	src=""
-	
-	if [ -d $dst ]; then
-		instcmd=:
-		chmodcmd=""
-	else
-		instcmd=mkdir
-	fi
-else
-
-# Waiting for this to be detected by the "$instcmd $src $dsttmp" command
-# might cause directories to be created, which would be especially bad 
-# if $src (and thus $dsttmp) contains '*'.
-
-	if [ -f $src -o -d $src ]
-	then
-		true
-	else
-		echo "install:  $src does not exist"
-		exit 1
-	fi
-	
-	if [ x"$dst" = x ]
-	then
-		echo "install:	no destination specified"
-		exit 1
-	else
-		true
-	fi
-
-# If destination is a directory, append the input filename; if your system
-# does not like double slashes in filenames, you may need to add some logic
-
-	if [ -d $dst ]
-	then
-		dst="$dst"/`basename $src`
-	else
-		true
-	fi
-fi
-
-## this sed command emulates the dirname command
-dstdir=`echo $dst | sed -e 's,[^/]*$,,;s,/$,,;s,^$,.,'`
-
-# Make sure that the destination directory exists.
-#  this part is taken from Noah Friedman's mkinstalldirs script
-
-# Skip lots of stat calls in the usual case.
-if [ ! -d "$dstdir" ]; then
-defaultIFS='	
-'
-IFS="${IFS-${defaultIFS}}"
-
-oIFS="${IFS}"
-# Some sh's can't handle IFS=/ for some reason.
-IFS='%'
-set - `echo ${dstdir} | sed -e 's@/@%@g' -e 's@^%@/@'`
-IFS="${oIFS}"
-
-pathcomp=''
-
-while [ $# -ne 0 ] ; do
-	pathcomp="${pathcomp}${1}"
-	shift
-
-	if [ ! -d "${pathcomp}" ] ;
-        then
-		$mkdirprog "${pathcomp}"
-	else
-		true
-	fi
-
-	pathcomp="${pathcomp}/"
-done
-fi
-
-if [ x"$dir_arg" != x ]
-then
-	$doit $instcmd $dst &&
-
-	if [ x"$chowncmd" != x ]; then $doit $chowncmd $dst; else true ; fi &&
-	if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dst; else true ; fi &&
-	if [ x"$stripcmd" != x ]; then $doit $stripcmd $dst; else true ; fi &&
-	if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dst; else true ; fi
-else
-
-# If we're going to rename the final executable, determine the name now.
-
-	if [ x"$transformarg" = x ] 
-	then
-		dstfile=`basename $dst`
-	else
-		dstfile=`basename $dst $transformbasename | 
-			sed $transformarg`$transformbasename
-	fi
-
-# don't allow the sed command to completely eliminate the filename
-
-	if [ x"$dstfile" = x ] 
-	then
-		dstfile=`basename $dst`
-	else
-		true
-	fi
-
-# Make a temp file name in the proper directory.
-
-	dsttmp=$dstdir/#inst.$$#
-
-# Move or copy the file name to the temp name
-
-	$doit $instcmd $src $dsttmp &&
-
-	trap "rm -f ${dsttmp}" 0 &&
-
-# and set any options; do chmod last to preserve setuid bits
-
-# If any of these fail, we abort the whole thing.  If we want to
-# ignore errors from any of these, just make sure not to ignore
-# errors from the above "$doit $instcmd $src $dsttmp" command.
-
-	if [ x"$chowncmd" != x ]; then $doit $chowncmd $dsttmp; else true;fi &&
-	if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dsttmp; else true;fi &&
-	if [ x"$stripcmd" != x ]; then $doit $stripcmd $dsttmp; else true;fi &&
-	if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dsttmp; else true;fi &&
-
-# Now rename the file to the real destination.
-
-	$doit $rmcmd -f $dstdir/$dstfile &&
-	$doit $mvcmd $dsttmp $dstdir/$dstfile 
-
-fi &&
-
-
-exit 0
diff --git a/contrib/query-loc-0.3.0/loc.c b/contrib/query-loc-0.3.0/loc.c
deleted file mode 100644
index a06e8b5e..00000000
--- a/contrib/query-loc-0.3.0/loc.c
+++ /dev/null
@@ -1,566 +0,0 @@
-#include "loc.h"
-
-/* $Id: loc.c,v 1.1.6.1 2005/04/01 06:23:07 marka Exp $ */
-
-/* Global variables */
-
-short rr_errno;
-
-/*
-   Prints the actual usage
- */
-void
-usage ()
-{
-  (void) fprintf (stderr,
-		  "Usage: %s: [-v] [-d nnn] hostname\n", progname);
-  exit (2);
-}
-
-/*
-   Panics
- */
-void
-panic (message)
-     char *message;
-{
-  (void) fprintf (stderr,
-		  "%s: %s\n", progname, message);
-  exit (2);
-}
-
-/*
-   ** IN_ADDR_ARPA -- Convert dotted quad string to reverse in-addr.arpa
-   ** ------------------------------------------------------------------
-   **
-   **   Returns:
-   **           Pointer to appropriate reverse in-addr.arpa name
-   **           with trailing dot to force absolute domain name.
-   **           NULL in case of invalid dotted quad input string.
- */
-
-#ifndef ARPA_ROOT
-#define ARPA_ROOT "in-addr.arpa"
-#endif
-
-char *
-in_addr_arpa (dottedquad)
-     char *dottedquad;		/* input string with dotted quad */
-{
-  static char addrbuf[4 * 4 + sizeof (ARPA_ROOT) + 2];
-  unsigned int a[4];
-  register int n;
-
-  n = sscanf (dottedquad, "%u.%u.%u.%u", &a[0], &a[1], &a[2], &a[3]);
-  switch (n)
-    {
-    case 4:
-      (void) sprintf (addrbuf, "%u.%u.%u.%u.%s.",
-	     a[3] & 0xff, a[2] & 0xff, a[1] & 0xff, a[0] & 0xff, ARPA_ROOT);
-      break;
-
-    case 3:
-      (void) sprintf (addrbuf, "%u.%u.%u.%s.",
-		      a[2] & 0xff, a[1] & 0xff, a[0] & 0xff, ARPA_ROOT);
-      break;
-
-    case 2:
-      (void) sprintf (addrbuf, "%u.%u.%s.",
-		      a[1] & 0xff, a[0] & 0xff, ARPA_ROOT);
-      break;
-
-    case 1:
-      (void) sprintf (addrbuf, "%u.%s.",
-		      a[0] & 0xff, ARPA_ROOT);
-      break;
-
-    default:
-      return (NULL);
-    }
-
-  while (--n >= 0)
-    if (a[n] > 255)
-      return (NULL);
-
-  return (addrbuf);
-}
-
-/* 
-   Returns a human-readable version of the LOC information or
-   NULL if it failed. Argument is a name (of a network or a machine)
-   and a boolean telling is it is a network name or a machine name.
- */
-char *
-getlocbyname (name, is_network)
-     const char *name;
-     short is_network;
-{
-  char *result;
-  struct list_in_addr *list, *p;
-  result = findRR (name, T_LOC);
-  if (result != NULL)
-    {
-      if (debug >= 2)
-	printf ("LOC record found for the name %s\n", name);
-      return result;
-    }
-  else
-    {
-      if (!is_network)
-	{
-	  list = findA (name);
-	  if (debug >= 2)
-	    printf ("No LOC record found for the name %s, trying addresses\n", name);
-	  if (list != NULL)
-	    {
-	      for (p = list; p != NULL; p = p->next)
-		{
-		  if (debug >= 2)
-		    printf ("Trying address %s\n", inet_ntoa (p->addr));
-		  result = getlocbyaddr (p->addr, NULL);
-		  if (result != NULL)
-		    return result;
-		}
-	      return NULL;
-	    }
-	  else
-	    {
-	      if (debug >= 2)
-		printf ("   No A record found for %s\n", name);
-	      return NULL;
-	    }
-	}
-      else
-	{
-	  if (debug >= 2)
-	    printf ("No LOC record found for the network name %s\n", name);
-	  return NULL;
-	}
-    }
-}
-
-/* 
-   Returns a human-readable version of the LOC information or
-   NULL if it failed. Argument is an IP address.
- */
-char *
-getlocbyaddr (addr, mask)
-     const struct in_addr addr;
-     const struct in_addr *mask;
-{
-  struct in_addr netaddr;
-  u_int32_t a;
-  struct in_addr themask;
-  char *text_addr, *text_mask;
-
-  if (mask == NULL)
-    {
-      themask.s_addr = (u_int32_t) 0;
-    }
-  else
-    {
-      themask = *mask;
-    }
-
-  text_addr = (char *) malloc (256);
-  text_mask = (char *) malloc (256);
-  strcpy (text_addr, inet_ntoa (addr));
-  strcpy (text_mask, inet_ntoa (themask));
-
-  if (debug >= 2)
-    printf ("Testing address %s/%s\n", text_addr, text_mask);
-  if (mask == NULL)
-    {
-      a = ntohl (addr.s_addr);
-      if (IN_CLASSA (a))
-	{
-	  netaddr.s_addr = htonl (a & IN_CLASSA_NET);
-	}
-      else if (IN_CLASSB (a))
-	{
-	  netaddr.s_addr = htonl (a & IN_CLASSB_NET);
-	}
-      else if (IN_CLASSC (a))
-	{
-	  netaddr.s_addr = htonl (a & IN_CLASSC_NET);
-	}
-      else
-	{
-	  /* Error */
-	}
-      return getlocbynet (in_addr_arpa (inet_ntoa (netaddr)), addr, mask);
-    }
-  else
-    {
-      netaddr.s_addr = addr.s_addr & themask.s_addr;
-      return getlocbynet (in_addr_arpa (inet_ntoa (netaddr)), addr, mask);
-    }
-}
-
-/* 
-   Returns a human-readable LOC.
-   Argument is a network name in the 0.z.y.x.in-addr.arpa format
-   and the original address
- */
-char *
-getlocbynet (name, addr, mask)
-     char *name;
-     struct in_addr addr;
-     struct in_addr *mask;
-{
-  char *network;
-  char *result, *result_int;
-  struct list_in_addr *list;
-  if (debug >= 2)
-    printf ("Testing network %s\n", name);
-  network = findRR (name, T_PTR);
-  if (network == NULL)
-    {
-      if (debug >= 2)
-	printf ("No name for network %s\n", name);
-      return NULL;
-    }
-  else
-    {
-      result = getlocbyname (network, TRUE);
-      list = findA (network);
-      if (list == NULL)
-	{
-	  return result;
-	}
-      else if ((mask != NULL) &&
-	       ((mask->s_addr) == (list->addr.s_addr)))
-	{
-	  /* Already checked */
-	  return result;
-	}
-      else
-	{
-	  result_int = getlocbyaddr (addr, &list->addr);
-	  if (result_int == NULL)
-	    return result;
-	  else
-	    return result_int;
-	}
-    }
-}
-
-/* 
-   The code for these two functions is stolen from the examples in Liu and Albitz
-   book "DNS and BIND" (O'Reilly).
- */
-
-/****************************************************************
- * skipName -- This routine skips over a domain name.  If the   *
- *     domain name expansion fails, it crashes.                 *
- *     dn_skipname() is probably not on your manual             *
- *     page; it is similar to dn_expand() except that it just   *
- *     skips over the name.  dn_skipname() is in res_comp.c if  *
- *     you need to find it.                                     *
- ****************************************************************/
-int
-skipName (cp, endOfMsg)
-     u_char *cp;
-     u_char *endOfMsg;
-{
-  int n;
-
-  if ((n = dn_skipname (cp, endOfMsg)) < 0)
-    {
-      panic ("dn_skipname failed\n");
-    }
-  return (n);
-}
-
-/****************************************************************
- * skipToData -- This routine advances the cp pointer to the    *
- *     start of the resource record data portion.  On the way,  *
- *     it fills in the type, class, ttl, and data length        *
- ****************************************************************/
-int
-skipToData (cp, type, class, ttl, dlen, endOfMsg)
-     u_char *cp;
-     u_short *type;
-     u_short *class;
-     u_int32_t *ttl;
-     u_short *dlen;
-     u_char *endOfMsg;
-{
-  u_char *tmp_cp = cp;		/* temporary version of cp */
-
-  /* Skip the domain name; it matches the name we looked up */
-  tmp_cp += skipName (tmp_cp, endOfMsg);
-
-  /*
-   * Grab the type, class, and ttl.  GETSHORT and GETLONG
-   * are macros defined in arpa/nameser.h.
-   */
-  GETSHORT (*type, tmp_cp);
-  GETSHORT (*class, tmp_cp);
-  GETLONG (*ttl, tmp_cp);
-  GETSHORT (*dlen, tmp_cp);
-
-  return (tmp_cp - cp);
-}
-
-
-/* 
-   Returns a human-readable version of a DNS RR (resource record)
-   associated with the name 'domain'.
-   If it does not find, ir returns NULL and sets rr_errno to explain why.
-
-   The code for this function is stolen from the examples in Liu and Albitz
-   book "DNS and BIND" (O'Reilly).
- */
-char *
-findRR (domain, requested_type)
-     char *domain;
-     int requested_type;
-{
-  char *result, *message;
-
-  union
-    {
-      HEADER hdr;		/* defined in resolv.h */
-      u_char buf[PACKETSZ];	/* defined in arpa/nameser.h */
-    }
-  response;			/* response buffers */
-short found = 0;  
-int responseLen;		/* buffer length */
-
-  u_char *cp;			/* character pointer to parse DNS packet */
-  u_char *endOfMsg;		/* need to know the end of the message */
-  u_short class;		/* classes defined in arpa/nameser.h */
-  u_short type;			/* types defined in arpa/nameser.h */
-  u_int32_t ttl;		/* resource record time to live */
-  u_short dlen;			/* size of resource record data */
-
-  int i, count, dup;		/* misc variables */
-
-  char *ptrList[1];
-  int ptrNum = 0;
-  struct in_addr addr;
-
-  result = (char *) malloc (256);
-  message = (char *) malloc (256);
-  /* 
-   * Look up the records for the given domain name.
-   * We expect the domain to be a fully qualified name, so
-   * we use res_query().  If we wanted the resolver search 
-   * algorithm, we would have used res_search() instead.
-   */
-  if ((responseLen =
-       res_query (domain,	/* the domain we care about   */
-		  C_IN,		/* Internet class records     */
-		  requested_type,	/* Look up name server records */
-		  (u_char *) & response,	/*response buffer */
-		  sizeof (response)))	/*buffer size    */
-      < 0)
-    {				/*If negative    */
-      rr_errno = h_errno;
-      return NULL;
-    }
-
-  /*
-   * Keep track of the end of the message so we don't 
-   * pass it while parsing the response.  responseLen is 
-   * the value returned by res_query.
-   */
-  endOfMsg = response.buf + responseLen;
-
-  /*
-   * Set a pointer to the start of the question section, 
-   * which begins immediately AFTER the header.
-   */
-  cp = response.buf + sizeof (HEADER);
-
-  /*
-   * Skip over the whole question section.  The question 
-   * section is comprised of a name, a type, and a class.  
-   * QFIXEDSZ (defined in arpa/nameser.h) is the size of 
-   * the type and class portions, which is fixed.  Therefore, 
-   * we can skip the question section by skipping the 
-   * name (at the beginning) and then advancing QFIXEDSZ.
-   * After this calculation, cp points to the start of the 
-   * answer section, which is a list of NS records.
-   */
-  cp += skipName (cp, endOfMsg) + QFIXEDSZ;
-
-  count = ntohs (response.hdr.ancount) +
-    ntohs (response.hdr.nscount);
-  while ((--count >= 0)		/* still more records     */
-	 && (cp < endOfMsg))
-    {				/* still inside the packet */
-
-
-      /* Skip to the data portion of the resource record */
-      cp += skipToData (cp, &type, &class, &ttl, &dlen, endOfMsg);
-
-      if (type == requested_type)
-	{
-	  switch (requested_type)
-	    {
-	    case (T_LOC):
-	      loc_ntoa (cp, result);
-	      return result;
-	      break;
-	    case (T_PTR):
-	      ptrList[ptrNum] = (char *) malloc (MAXDNAME);
-	      if (ptrList[ptrNum] == NULL)
-		{
-		  panic ("Malloc failed");
-		}
-
-	      if (dn_expand (response.buf,	/* Start of the packet   */
-			     endOfMsg,	/* End of the packet     */
-			     cp,	/* Position in the packet */
-			     (u_char *) ptrList[ptrNum],	/* Result    */
-			     MAXDNAME)	/* size of ptrList buffer */
-		  < 0)
-		{		/* Negative: error    */
-		  panic ("dn_expand failed");
-		}
-
-	      /*
-	       * Check the name we've just unpacked and add it to 
-	       * the list if it is not a duplicate.
-	       * If it is a duplicate, just ignore it.
-	       */
-	      for (i = 0, dup = 0; (i < ptrNum) && !dup; i++)
-		dup = !strcasecmp (ptrList[i], ptrList[ptrNum]);
-	      if (dup)
-		free (ptrList[ptrNum]);
-	      else
-		ptrNum++;
-	      strcpy (result, ptrList[0]);
-	      return result;
-	      break;
-	    case (T_A):
-	      bcopy ((char *) cp, (char *) &addr, INADDRSZ);
-	      strcat (result, " ");
-	      strcat (result, inet_ntoa (addr));
-	      found = 1;
-	      break;
-	    default:
-	      sprintf (message, "Unexpected type %u", requested_type);
-	      panic (message);
-	    }
-	}
-
-      /* Advance the pointer over the resource record data */
-      cp += dlen;
-
-    }				/* end of while */
-  if (found) 
-  return result;
-else
-return NULL;
-}
-
-struct list_in_addr *
-findA (domain)
-     char *domain;
-{
-
-  struct list_in_addr *result, *end;
-
-  union
-    {
-      HEADER hdr;		/* defined in resolv.h */
-      u_char buf[PACKETSZ];	/* defined in arpa/nameser.h */
-    }
-  response;			/* response buffers */
-  int responseLen;		/* buffer length */
-
-  u_char *cp;			/* character pointer to parse DNS packet */
-  u_char *endOfMsg;		/* need to know the end of the message */
-  u_short class;		/* classes defined in arpa/nameser.h */
-  u_short type;			/* types defined in arpa/nameser.h */
-  u_int32_t ttl;		/* resource record time to live */
-  u_short dlen;			/* size of resource record data */
-
-  int count;			/* misc variables */
-
-  struct in_addr addr;
-
-  end = NULL;
-  result = NULL;
-
-  /* 
-   * Look up the records for the given domain name.
-   * We expect the domain to be a fully qualified name, so
-   * we use res_query().  If we wanted the resolver search 
-   * algorithm, we would have used res_search() instead.
-   */
-  if ((responseLen =
-       res_query (domain,	/* the domain we care about   */
-		  C_IN,		/* Internet class records     */
-		  T_A,
-		  (u_char *) & response,	/*response buffer */
-		  sizeof (response)))	/*buffer size    */
-      < 0)
-    {				/*If negative    */
-      rr_errno = h_errno;
-      return NULL;
-    }
-
-  /*
-   * Keep track of the end of the message so we don't 
-   * pass it while parsing the response.  responseLen is 
-   * the value returned by res_query.
-   */
-  endOfMsg = response.buf + responseLen;
-
-  /*
-   * Set a pointer to the start of the question section, 
-   * which begins immediately AFTER the header.
-   */
-  cp = response.buf + sizeof (HEADER);
-
-  /*
-   * Skip over the whole question section.  The question 
-   * section is comprised of a name, a type, and a class.  
-   * QFIXEDSZ (defined in arpa/nameser.h) is the size of 
-   * the type and class portions, which is fixed.  Therefore, 
-   * we can skip the question section by skipping the 
-   * name (at the beginning) and then advancing QFIXEDSZ.
-   * After this calculation, cp points to the start of the 
-   * answer section, which is a list of NS records.
-   */
-  cp += skipName (cp, endOfMsg) + QFIXEDSZ;
-
-  count = ntohs (response.hdr.ancount) +
-    ntohs (response.hdr.nscount);
-  while ((--count >= 0)		/* still more records     */
-	 && (cp < endOfMsg))
-    {				/* still inside the packet */
-
-
-      /* Skip to the data portion of the resource record */
-      cp += skipToData (cp, &type, &class, &ttl, &dlen, endOfMsg);
-
-      if (type == T_A)
-	{
-	  bcopy ((char *) cp, (char *) &addr, INADDRSZ);
-	  if (end == NULL)
-	    {
-	      result = (void *) malloc (sizeof (struct list_in_addr));
-	      result->addr = addr;
-	      result->next = NULL;
-	      end = result;
-	    }
-	  else
-	    {
-	      end->next = (void *) malloc (sizeof (struct list_in_addr));
-	      end = end->next;
-	      end->addr = addr;
-	      end->next = NULL;
-	    }
-	}
-
-      /* Advance the pointer over the resource record data */
-      cp += dlen;
-
-    }				/* end of while */
-  return result;
-}
diff --git a/contrib/query-loc-0.3.0/loc.h b/contrib/query-loc-0.3.0/loc.h
deleted file mode 100644
index 7ae11314..00000000
--- a/contrib/query-loc-0.3.0/loc.h
+++ /dev/null
@@ -1,78 +0,0 @@
-/* $Id: loc.h,v 1.1.6.1 2005/04/01 06:23:07 marka Exp $ */
-
-#define VERSION "0.3.0"
-
-#include "config.h"
-
-/* Probably too many inclusions but this is to keep 'gcc -Wall' happy... */
-#include <stdio.h>
-#include <stdlib.h>
-#include <sys/types.h>
-#include <netdb.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <sys/time.h>
-#include <errno.h>
-#include <unistd.h>
-#include <string.h>
-#include <signal.h>
-#include <arpa/nameser.h>
-#include <resolv.h>
-
-#ifndef FALSE
-#define FALSE 0
-#endif
-#ifndef TRUE
-#define TRUE 1
-#endif
-
-#if SIZEOF_LONG == 4
-#define u_int32_t unsigned long
-#ifndef int32_t 
-#define int32_t   long
-#endif
-#else
-#define u_int32_t unsigned int
-#ifndef int32_t 
-#define int32_t   int
-#endif
-#endif
-
-#if SIZEOF_CHAR == 1
-#define u_int8_t unsigned char
-#ifndef int8_t 
-#define int8_t   char
-#endif
-#else 
-#if SIZEOF_SHORT == 1
-#define u_int8_t unsigned short
-#ifndef int8_t 
-#define int8_t   short
-#endif
-#else
-#error "No suitable native type for storing bytes"
-#endif
-#endif
-
-#ifndef INADDR_NONE
-#define INADDR_NONE (in_addr_t)-1
-#endif
-
-struct list_in_addr
-  {
-    struct in_addr addr;
-    void *next;
-  };
-
-void usage ();
-void panic ();
-
-char *getlocbyname ();
-char *getlocbyaddr ();
-char *getlocbynet ();
-char *findRR ();
-struct list_in_addr *findA ();
-
-extern char *progname;
-extern short debug;
diff --git a/contrib/query-loc-0.3.0/loc_ntoa.c b/contrib/query-loc-0.3.0/loc_ntoa.c
deleted file mode 100644
index 21eada3e..00000000
--- a/contrib/query-loc-0.3.0/loc_ntoa.c
+++ /dev/null
@@ -1,248 +0,0 @@
-/* Stolen from BIND */
-
-/*
- * Copyright (c) 1985
- *    The Regents of the University of California.  All rights reserved.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- * 	This product includes software developed by the University of
- * 	California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- * 
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/*
- * Portions Copyright (c) 1993 by Digital Equipment Corporation.
- * 
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies, and that
- * the name of Digital Equipment Corporation not be used in advertising or
- * publicity pertaining to distribution of the document or software without
- * specific, written prior permission.
- * 
- * THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS.   IN NO EVENT SHALL DIGITAL EQUIPMENT
- * CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
- * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
- * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
- * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
- * SOFTWARE.
- */
-
-/*
- * Portions Copyright (c) 1995 by International Business Machines, Inc.
- *
- * International Business Machines, Inc. (hereinafter called IBM) grants
- * permission under its copyrights to use, copy, modify, and distribute this
- * Software with or without fee, provided that the above copyright notice and
- * all paragraphs of this notice appear in all copies, and that the name of IBM
- * not be used in connection with the marketing of any product incorporating
- * the Software or modifications thereof, without specific, written prior
- * permission.
- *
- * To the extent it has a right to do so, IBM grants an immunity from suit
- * under its patents, if any, for the use, sale or manufacture of products to
- * the extent that such products are used for performing Domain Name System
- * dynamic updates in TCP/IP networks by means of the Software.  No immunity is
- * granted for any product per se or for any other function of any product.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", AND IBM DISCLAIMS ALL WARRANTIES,
- * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
- * PARTICULAR PURPOSE.  IN NO EVENT SHALL IBM BE LIABLE FOR ANY SPECIAL,
- * DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER ARISING
- * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE, EVEN
- * IF IBM IS APPRISED OF THE POSSIBILITY OF SUCH DAMAGES.
- */
-
-/*
- * Portions Copyright (c) 1996-1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
- * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
- * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
- * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
- * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
- * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
- * SOFTWARE.
- */
-
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/socket.h>
-
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <arpa/nameser.h>
-
-#include <ctype.h>
-#include <errno.h>
-#include <math.h>
-#include <netdb.h>
-#include <resolv.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <time.h>
-
-#include "loc.h"
-
-const char *precsize_ntoa();
-
-/* takes an on-the-wire LOC RR and formats it in a human readable format. */
-const char *
-loc_ntoa(binary, ascii)
-	const u_char *binary;
-	char *ascii;
-{
-	static char *error = "?";
-	static char tmpbuf[sizeof
-"1000 60 60.000 N 1000 60 60.000 W -12345678.00m 90000000.00m 90000000.00m 90000000.00m"];
-	const u_char *cp = binary;
-
-	int latdeg, latmin, latsec, latsecfrac;
-	int longdeg, longmin, longsec, longsecfrac;
-	char northsouth, eastwest;
-	int altmeters, altfrac, altsign;
-
-	const u_int32_t referencealt = 100000 * 100;
-
-	int32_t latval, longval, altval;
-	u_int32_t templ;
-	u_int8_t sizeval, hpval, vpval, versionval;
-    
-	char *sizestr, *hpstr, *vpstr;
-
-	versionval = *cp++;
-
-	if (ascii == NULL)
-		ascii = tmpbuf;
-
-	if (versionval) {
-		(void) sprintf(ascii, "; error: unknown LOC RR version");
-		return (ascii);
-	}
-
-	sizeval = *cp++;
-
-	hpval = *cp++;
-	vpval = *cp++;
-
-	GETLONG(templ, cp);
-	latval = (templ - ((unsigned)1<<31));
-
-	GETLONG(templ, cp);
-	longval = (templ - ((unsigned)1<<31));
-
-	GETLONG(templ, cp);
-	if (templ < referencealt) { /* below WGS 84 spheroid */
-		altval = referencealt - templ;
-		altsign = -1;
-	} else {
-		altval = templ - referencealt;
-		altsign = 1;
-	}
-
-	if (latval < 0) {
-		northsouth = 'S';
-		latval = -latval;
-	} else
-		northsouth = 'N';
-
-	latsecfrac = latval % 1000;
-	latval = latval / 1000;
-	latsec = latval % 60;
-	latval = latval / 60;
-	latmin = latval % 60;
-	latval = latval / 60;
-	latdeg = latval;
-
-	if (longval < 0) {
-		eastwest = 'W';
-		longval = -longval;
-	} else
-		eastwest = 'E';
-
-	longsecfrac = longval % 1000;
-	longval = longval / 1000;
-	longsec = longval % 60;
-	longval = longval / 60;
-	longmin = longval % 60;
-	longval = longval / 60;
-	longdeg = longval;
-
-	altfrac = altval % 100;
-	altmeters = (altval / 100) * altsign;
-
-	if ((sizestr = strdup(precsize_ntoa(sizeval))) == NULL)
-		sizestr = error;
-	if ((hpstr = strdup(precsize_ntoa(hpval))) == NULL)
-		hpstr = error;
-	if ((vpstr = strdup(precsize_ntoa(vpval))) == NULL)
-		vpstr = error;
-
-	sprintf(ascii,
-	      "%d %.2d %.2d.%.3d %c %d %.2d %.2d.%.3d %c %d.%.2dm %sm %sm %sm",
-		latdeg, latmin, latsec, latsecfrac, northsouth,
-		longdeg, longmin, longsec, longsecfrac, eastwest,
-		altmeters, altfrac, sizestr, hpstr, vpstr);
-
-	if (sizestr != error)
-		free(sizestr);
-	if (hpstr != error)
-		free(hpstr);
-	if (vpstr != error)
-		free(vpstr);
-
-	return (ascii);
-}
-
-static unsigned int poweroften[10] = {1, 10, 100, 1000, 10000, 100000,
-				      1000000,10000000,100000000,1000000000};
-
-/* takes an XeY precision/size value, returns a string representation. */
-const char *
-precsize_ntoa(prec)
-	u_int8_t prec;
-{
-	static char retbuf[sizeof "90000000.00"];	/* XXX nonreentrant */
-	unsigned long val;
-	int mantissa, exponent;
-
-	mantissa = (int)((prec >> 4) & 0x0f) % 10;
-	exponent = (int)((prec >> 0) & 0x0f) % 10;
-
-	val = mantissa * poweroften[exponent];
-
-	(void) sprintf(retbuf, "%ld.%.2ld", val/100, val%100);
-	return (retbuf);
-}
-
diff --git a/contrib/query-loc-0.3.0/query-loc.1 b/contrib/query-loc-0.3.0/query-loc.1
deleted file mode 100644
index b0abef7d..00000000
--- a/contrib/query-loc-0.3.0/query-loc.1
+++ /dev/null
@@ -1,55 +0,0 @@
-.\"                                      Hey, EMACS: -*- nroff -*-
-.\" First parameter, NAME, should be all caps
-.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
-.\" other parameters are allowed: see man(7), man(1)
-.TH QUERY-LOC SECTION "January 11, 2005"
-.\" Please adjust this date whenever revising the manpage.
-.\"
-.\" Some roff macros, for reference:
-.\" .nh        disable hyphenation
-.\" .hy        enable hyphenation
-.\" .ad l      left justify
-.\" .ad b      justify to both left and right margins
-.\" .nf        disable filling
-.\" .fi        enable filling
-.\" .br        insert line break
-.\" .sp <n>    insert n+1 empty lines
-.\" for manpage-specific macros, see man(7)
-.SH NAME
-query-loc \- to retrieve and display the location information in the DNS
-.SH SYNOPSIS
-.B query-loc
-.RI [-v] [-d nnn] " host"
-.SH DESCRIPTION
-This manual page documents briefly the
-.B query-loc
-command.
-.PP
-.\" TeX users may be more comfortable with the \fB<whatever>\fP and
-.\" \fI<whatever>\fP escape sequences to invode bold face and italics, 
-.\" respectively.
-\fBquery-loc\fP is a program to retrieve and display the location
-information in the DNS. 
-
-It uses the algorithms described in
-RFC 1876 (and RFC 1101 to get the network names).
-You can find examples of networks wchich implement this scheme
-in the ADDRESSES file.
- 
-.SH OPTIONS
-.TP
-.B \-v
-Verbose mode. 
-.TP
-.B \-d nnn
-Debug mode. Displays the RFC's algorithm
-
-.SH BUGS
-
-Very few hosts have location information.
-
-.SH AUTHOR
-This manual page was written by Stephane Bortzmeyer
-<bortzmeyer@debian.org>.
-
-.\" $Id: query-loc.1,v 1.1.6.1 2005/04/01 06:23:09 marka Exp $
diff --git a/contrib/query-loc-0.3.0/query-loc.c b/contrib/query-loc-0.3.0/query-loc.c
deleted file mode 100644
index 5b49a964..00000000
--- a/contrib/query-loc-0.3.0/query-loc.c
+++ /dev/null
@@ -1,98 +0,0 @@
-#include        "loc.h"
-
-/* $Id: query-loc.c,v 1.1.6.1 2005/04/01 06:23:09 marka Exp $ */
-
-/* Global variables */
-char *progname;
-short debug;
-
-int
-main (argc, argv)
-     int argc;
-     char *argv[];
-{
-  extern char *optarg;
-  extern int optind;
-
-  short verbose = FALSE;
-  char *host;
-
-  char ch;
-
-  char *loc = NULL;
-  struct in_addr addr;
-  struct hostent *hp;
-
-  progname = argv[0];
-  while ((ch = getopt (argc, argv, "vd:")) != EOF)
-    {
-      switch (ch)
-	{
-	case 'v':
-	  verbose = TRUE;
-	  break;
-	case 'd':
-	  debug = atoi (optarg);
-	  if (debug <= 0)
-	    {
-	      (void) fprintf (stderr,
-			      "%s: illegal debug value.\n", progname);
-	      exit (2);
-	    }
-	  break;
-	default:
-	  usage ();
-	}
-    }
-  argc -= optind;
-  argv += optind;
-  if (argc != 1)
-    {
-      usage ();
-    }
-  if (verbose || debug)
-    {
-      printf ("\nThis is %s, version %s.\n\n", progname, VERSION);
-    }
-  host = argv[0];
-  (void) res_init ();
-
-  if ((addr.s_addr = inet_addr (host)) == INADDR_NONE)
-    {
-      if (debug >= 1)
-	printf ("%s is a name\n", host);
-      loc = getlocbyname (host, FALSE);
-    }
-  else
-    {
-      if (debug >= 1)
-	printf ("%s is an IP address ", host);
-      hp = (struct hostent *) gethostbyaddr
-	((char *) &addr, sizeof (addr), AF_INET);
-      if (hp)
-	{
-	  if (debug >= 1)
-	    printf ("and %s is its official name\n",
-		    hp->h_name);
-	  loc = getlocbyname (hp->h_name, FALSE);
-	}
-      else
-	{
-	  if (debug >= 1)
-	    printf ("which has no name\n");
-	  loc = getlocbyaddr (addr, NULL);
-	}
-    }
-  if (loc == NULL)
-    {
-      printf ("No LOCation found for %s\n", host);
-      exit (1);
-    }
-  else
-    {
-      if (verbose || debug)
-	printf ("LOCation for %s is ", host);
-      printf ("%s\n", loc);
-      exit (0);
-    }
-}
diff --git a/contrib/queryperf/Makefile.in b/contrib/queryperf/Makefile.in
index b6804a75..2ed19a47 100644
--- a/contrib/queryperf/Makefile.in
+++ b/contrib/queryperf/Makefile.in
@@ -5,7 +5,7 @@ LIBS = @LIBS@
 DEFS = @DEFS@
 
 queryperf: queryperf.o
-	$(CC) $(CFLAGS) $(DEFS) $(LDFLAGS) queryperf.o $(LIBS) -lm -o queryperf
+	$(CC) $(CFLAGS) $(DEFS) queryperf.o $(LIBS) -lm -o queryperf
 
 queryperf.o: queryperf.c
 	$(CC) $(CFLAGS) $(DEFS) -c queryperf.c
diff --git a/contrib/queryperf/queryperf.c b/contrib/queryperf/queryperf.c
index 98cdd1b1..c6256900 100644
--- a/contrib/queryperf/queryperf.c
+++ b/contrib/queryperf/queryperf.c
@@ -18,7 +18,7 @@
 /***
  ***	DNS Query Performance Testing Tool  (queryperf.c)
  ***
- ***	Version $Id: queryperf.c,v 1.1.1.2.2.6 2004/06/21 00:45:24 marka Exp $
+ ***	Version $Id: queryperf.c,v 1.1.1.2.2.5.4.1 2003/10/21 06:24:14 marka Exp $
  ***
  ***	Stephen Jacob <sj@nominum.com>
  ***/
@@ -75,13 +75,13 @@ enum directives_enum	{ V_SERVER, V_PORT, V_MAXQUERIES, V_MAXWAIT };
 #define QTYPE_STRINGS { \
 	"A", "NS", "MD", "MF", "CNAME", "SOA", "MB", "MG", \
 	"MR", "NULL", "WKS", "PTR", "HINFO", "MINFO", "MX", "TXT", \
-	"AAAA", "SRV", "NAPTR", "A6", "AXFR", "MAILB", "MAILA", "*", "ANY" \
+	"AAAA", "SRV", "A6", "AXFR", "MAILB", "MAILA", "*", "ANY" \
 }
 
 #define QTYPE_CODES { \
 	1, 2, 3, 4, 5, 6, 7, 8, \
 	9, 10, 11, 12, 13, 14, 15, 16, \
-	28, 33, 35, 38, 252, 253, 254, 255, 255 \
+	28, 33, 38, 252, 253, 254, 255, 255 \
 }
 
 #define RCODE_STRINGS { \
@@ -180,7 +180,7 @@ void
 show_startup_info(void) {
 	printf("\n"
 "DNS Query Performance Testing Tool\n"
-"Version: $Id: queryperf.c,v 1.1.1.2.2.6 2004/06/21 00:45:24 marka Exp $\n"
+"Version: $Id: queryperf.c,v 1.1.1.2.2.5.4.1 2003/10/21 06:24:14 marka Exp $\n"
 "\n");
 }
 
@@ -923,7 +923,7 @@ update_config(char *config_change_desc) {
 
 	case V_SERVER:
 		if (serverset && (setup_phase == TRUE)) {
-			fprintf(stderr, "Config change overriden by command "
+			fprintf(stderr, "Config change overridden by command "
 			        "line: %s\n", directive);
 			return;
 		}
@@ -935,7 +935,7 @@ update_config(char *config_change_desc) {
 
 	case V_PORT:
 		if (portset && (setup_phase == TRUE)) {
-			fprintf(stderr, "Config change overriden by command "
+			fprintf(stderr, "Config change overridden by command "
 			        "line: %s\n", directive);
 			return;
 		}
@@ -954,7 +954,7 @@ update_config(char *config_change_desc) {
 
 	case V_MAXQUERIES:
 		if (queriesset && (setup_phase == TRUE)) {
-			fprintf(stderr, "Config change overriden by command "
+			fprintf(stderr, "Config change overridden by command "
 			        "line: %s\n", directive);
 			return;
 		}
@@ -970,7 +970,7 @@ update_config(char *config_change_desc) {
 
 	case V_MAXWAIT:
 		if (timeoutset && (setup_phase == TRUE)) {
-			fprintf(stderr, "Config change overriden by command "
+			fprintf(stderr, "Config change overridden by command "
 			        "line: %s\n", directive);
 			return;
 		}
diff --git a/contrib/sdb/dir/dirdb.c b/contrib/sdb/dir/dirdb.c
index 7226816d..5aaefbc3 100644
--- a/contrib/sdb/dir/dirdb.c
+++ b/contrib/sdb/dir/dirdb.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2002  Internet Software Consortium.
+ * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dirdb.c,v 1.9.4.3 2004/03/09 06:10:34 marka Exp $ */
+/* $Id: dirdb.c,v 1.9.4.2.8.2 2004/03/08 09:04:22 marka Exp $ */
 
 /*
  * A simple database driver that returns basic information about
diff --git a/contrib/sdb/dir/dirdb.h b/contrib/sdb/dir/dirdb.h
index 76bd9ad3..71b01ebd 100644
--- a/contrib/sdb/dir/dirdb.h
+++ b/contrib/sdb/dir/dirdb.h
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2002  Internet Software Consortium.
+ * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dirdb.h,v 1.2.4.3 2004/03/09 06:10:34 marka Exp $ */
+/* $Id: dirdb.h,v 1.2.4.2.8.2 2004/03/08 09:04:22 marka Exp $ */
 
 #include <isc/types.h>
 
diff --git a/contrib/sdb/ldap/INSTALL.ldap b/contrib/sdb/ldap/INSTALL.ldap
index 91511296..e3801ed2 100644
--- a/contrib/sdb/ldap/INSTALL.ldap
+++ b/contrib/sdb/ldap/INSTALL.ldap
@@ -1,12 +1,12 @@
-This is the INSTALL file for 1.0-beta. See
+This is the INSTALL file for 0.9. See
 http://www.venaas.no/ldap/bind-sdb/ for updates or other information.
 
 BUILDING
 
 You need the source for BIND 9.1.0 or newer (for zone transfers you
 will need at least 9.1.1rc3 due to a bug). Basically you need to follow
-the instructions in doc/misc/sdb, if my instructions don't make sense,
-please have a look at those as well.
+the instructions in doc/misc/sdb, if my instructions doesn't make sense,
+please have a look at that as well.
 
 Copy ldapdb.c to bin/named and ldapdb.h to bin/named/include in the
 source tree.
@@ -22,19 +22,11 @@ Finally you need to edit bin/named/main.c. Below where it says
 it says "xxdb_init();" add the line "ldapdb_init();", and finally
 below where it says "xxdb_clear();", add "ldapdb_clear();".
 
-Now you should hopefully be able to build as usual; first configure
-and then make. If you get an error message about ldap_memfree() not
-being defined, you're probably using an LDAP library with the
-interface defined in RFC 1823. To build, uncomment the "#define
-LDAPDB_RFC1823API" line near the top of ldapdb.c.
+Now you should hopefully be able to build it. If you get an error
+message about ldap_memfree() not being defined, you're probably
+using an LDAP library with the interface defined in RFC 1823. To
+build, uncomment the #define RFC1823API line near the top of ldapdb.c.
 
-Also, if you're using an LDAPv2 only server, you need to change
-the line "#define LDAPDB_LDAP_VERSION 3" in ldapdb.c. Simply
-replace 3 with 2. Instead of editing the file, you may define
-LDAPDB_LDAP_VERSION yourself.
-
-If you want to use TLS, you need to uncommed the #define LDAPDB_TLS"
-line near the top of ldapdb.c.
 
 CONFIGURING
 
@@ -42,42 +34,26 @@ Before you do any configuring of LDAP stuff, please try to configure
 and start bind as usual to see if things work.
 
 To do anything useful, you need to store a zone in some LDAP server.
-You must use a schema called dNSZone. Note that it relies on some
-attribute definitions in the Cosine schema, so that must be included
-as well. The Cosine schema probably comes with your LDAP server. You
-can find dNSZone and further details on how to store the data in your
-LDAP server at http://www.venaas.no/ldap/bind-sdb/
-
-To make BIND use a zone stored in LDAP, you will have to put something
-like this in named.conf:
-
+From this release on, you must use a schema called dNSZone. Note that
+it relies on some attribute definitions in the Cosine schema, so that
+must be included as well. The Cosine schema probably comes with your
+LDAP server. You can find dNSZone and further details on how to store
+the data in your LDAP server at
+http://www.venaas.no/ldap/bind-sdb/
+
+For an example, have a look at my venaas.com zone. Try a subtree search
+for objectClass=* at
+ldap ldap://129.241.20.67/dc=venaas,dc=com,o=DNS,dc=venaas,dc=no
+
+To use it with BIND, I've added the following to named.conf:
 zone "venaas.com" {
         type master;
-        database "ldap ldap://158.38.160.245/dc=venaas,dc=com,o=DNS,dc=venaas,dc=no 172800";
+        database "ldap ldap://129.241.20.67/dc=venaas,dc=com,o=DNS,dc=venaas,dc=no 172800";
 };
 
 When doing lookups BIND will do a sub-tree search below the base in the
 URL. The number 172800 is the TTL which will be used for all entries that
-haven't got the dNSTTL attribute. It is also possible to add a filter to
-the URL, say "ldap://host/base???(o=internal)".
-
-Version 1.0 also has support for simple LDAP bind, that is, binding to
-LDAP using plain text authentication. The bind dn and password is coded
-into the URL as extensions, according to RFC 2255. If you want simple
-bind with say dn "cn=Manager,dc=venaas,dc=no" and password "secret", the
-URL will be something like this:
-
-ldap://158.38.160.245/dc=venaas,dc=com,o=DNS,dc=venaas,dc=no????!bindname=cn=Manager%2cdc=venaas%2cdc=no,!x-bindpw=secret
-
-This URL may also include a filter part if you need it. Note that in
-the bind dn, "," is hex-escaped as "%2c". This is necessary since ","
-is the separator between the extension elements. The "!" in front of
-"bindname" and "x-bindpw" can be omitted if you prefer. "x-bindpw" is
-not standardized, but it's used by several other LDAP applications. See
-RFC 2255 for details.
-
-Finally, if you enabled TLS when compiling, you can also use TLS if
-you like. To do this you use the extension "x-tls", e.g.
-ldap://158.38.160.245/dc=venaas,dc=com,o=DNS,dc=venaas,dc=no????!bindname=cn=Manager%2cdc=venaas%2cdc=no,!x-bindpw=secret,x-tls
+haven't got the dNSTTL attribute. It is also possible to add an filter to
+the URL, say ldap://host/base???(o=internal)
 
-Stig Venaas <venaas@uninett.no> 2004-08-15
+Stig Venaas <venaas@uninett.no> 2002-04-17
diff --git a/contrib/sdb/ldap/README.ldap b/contrib/sdb/ldap/README.ldap
index b4ea18ab..10d65872 100644
--- a/contrib/sdb/ldap/README.ldap
+++ b/contrib/sdb/ldap/README.ldap
@@ -1,15 +1,7 @@
 This is an attempt at an LDAP back-end for BIND 9 using the new simplified
-database interface "sdb". This is release 1.0-beta and should be pretty
-stable. Note that since version 0.4 a new schema is used. It is not
-backwards compatible with versions before 0.4.
-
-1.0-beta fixes a large memory leak. An extension x-tls for enabling TLS
-has been added.
-
-1.0-alpha uses LDAPv3 by default and also supports LDAP simple bind. That
-is, one can use plain text password for authentication. The bind dn and
-password is coded into the URL using extensions bindname and x-bindpw
-per RFC 2255.
+database interface "sdb". This is the nineth release (0.9) and seems to
+be pretty stable. Note that since version 0.4 a new schema is used.
+It is not backwards compatible with versions before 0.4.
 
 In 0.9 the code has been cleaned up a bit and should be slightly faster
 than previous versions. It also fixes an error with zone transfers (AXFR)
@@ -45,4 +37,4 @@ contact me. See also http://www.venaas.no/ldap/bind-sdb/ for information.
 
 See INSTALL for how to build, install and use.
 
-Stig Venaas <venaas@uninett.no> 2004-08-15
+Stig Venaas <venaas@uninett.no> 2001-12-29
diff --git a/contrib/sdb/ldap/ldapdb.c b/contrib/sdb/ldap/ldapdb.c
index ed124c07..ca2866b9 100644
--- a/contrib/sdb/ldap/ldapdb.c
+++ b/contrib/sdb/ldap/ldapdb.c
@@ -1,31 +1,18 @@
 /*
- * ldapdb.c version 1.0-beta
+ * ldapdb.c version 0.9
  *
- * Copyright (C) 2002, 2004 Stig Venaas
+ * Copyright (C) 2002 Stig Venaas
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
- *
- * Contributors: Jeremy C. McDermond
- */
-
-/*
- * If you want to use TLS, uncomment the define below
  */
-/* #define LDAPDB_TLS */
 
 /*
  * If you are using an old LDAP API uncomment the define below. Only do this
  * if you know what you're doing or get compilation errors on ldap_memfree().
- * This also forces LDAPv2.
  */
-/* #define LDAPDB_RFC1823API */
-
-/* Using LDAPv3 by default, change this if you want v2 */
-#ifndef LDAPDB_LDAP_VERSION
-#define LDAPDB_LDAP_VERSION 3
-#endif
+/* #define RFC1823API */
 
 #include <config.h>
 
@@ -68,11 +55,6 @@ struct ldapdb_data {
 	char *filterone;
 	int filteronelen;
 	char *filtername;
-	char *bindname;
-	char *bindpw;
-#ifdef LDAPDB_TLS
-	int tls;
-#endif
 };
 
 /* used by ldapdb_getconn */
@@ -178,7 +160,7 @@ ldapdb_getconn(struct ldapdb_data *data)
 		conndata = malloc(sizeof(*conndata));
 		if (conndata == NULL)
 			return (NULL);
-		conndata->index = data->hostport;
+		(char *)conndata->index = data->hostport;
 		conndata->size = strlen(data->hostport);
 		conndata->data = NULL;
 		ldapdb_insert((struct ldapdb_entry **)&threaddata->data,
@@ -191,27 +173,12 @@ ldapdb_getconn(struct ldapdb_data *data)
 static void
 ldapdb_bind(struct ldapdb_data *data, LDAP **ldp)
 {
-#ifndef LDAPDB_RFC1823API
-	const int ver = LDAPDB_LDAP_VERSION;
-#endif
-
 	if (*ldp != NULL)
 		ldap_unbind(*ldp);
 	*ldp = ldap_open(data->hostname, data->portno);
 	if (*ldp == NULL)
 		return;
-
-#ifndef LDAPDB_RFC1823API
-	ldap_set_option(*ldp, LDAP_OPT_PROTOCOL_VERSION, &ver);
-#endif
-
-#ifdef LDAPDB_TLS
-	if (data->tls) {
-		ldap_start_tls_s(*ldp, NULL, NULL);
-	}
-#endif
-
-	if (ldap_simple_bind_s(*ldp, data->bindname, data->bindpw) != LDAP_SUCCESS) {
+	if (ldap_simple_bind_s(*ldp, NULL, NULL) != LDAP_SUCCESS) {
 		ldap_unbind(*ldp);
 		*ldp = NULL;
 	}
@@ -224,9 +191,9 @@ ldapdb_search(const char *zone, const char *name, void *dbdata, void *retdata)
 	isc_result_t result = ISC_R_NOTFOUND;
 	LDAP **ldp;
 	LDAPMessage *res, *e;
-	char *fltr, *a, **vals = NULL, **names = NULL;
+	char *fltr, *a, **vals, **names = NULL;
 	char type[64];
-#ifdef LDAPDB_RFC1823API
+#ifdef RFC1823API
 	void *ptr;
 #else
 	BerElement *ptr;
@@ -311,7 +278,7 @@ ldapdb_search(const char *zone, const char *name, void *dbdata, void *retdata)
 				*s = toupper(*s);
 			s = strstr(a, "RECORD");
 			if ((s == NULL) || (s == a) || (s - a >= (signed int)sizeof(type))) {
-#ifndef LDAPDB_RFC1823API
+#ifndef RFC1823API
 				ldap_memfree(a);
 #endif
 				continue;
@@ -335,7 +302,7 @@ ldapdb_search(const char *zone, const char *name, void *dbdata, void *retdata)
 						isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_ERROR,	
 							      "LDAP sdb zone '%s': dns_sdb_put... failed for %s", zone, vals[i]);
 						ldap_value_free(vals);
-#ifndef LDAPDB_RFC1823API
+#ifndef RFC1823API
 						ldap_memfree(a);
 						if (ptr != NULL)
 							ber_free(ptr, 0);
@@ -348,23 +315,21 @@ ldapdb_search(const char *zone, const char *name, void *dbdata, void *retdata)
 				}
 				ldap_value_free(vals);
 			}
-#ifndef LDAPDB_RFC1823API
+#ifndef RFC1823API
 			ldap_memfree(a);
 #endif
 		}
-#ifndef LDAPDB_RFC1823API
+#ifndef RFC1823API
 		if (ptr != NULL)
 			ber_free(ptr, 0);
 #endif
 		if (name == NULL)
 			ldap_value_free(names);
 
-		/* free this result */
+		/* cleanup this result */
 		ldap_msgfree(res);
 	}
 
-	/* free final result */
-	ldap_msgfree(res);
         return (result);
 }
 
@@ -406,56 +371,7 @@ unhex(char *in)
 	return in;
 }
 
-/* returns 0 for ok, -1 for bad syntax, -2 for unknown critical extension */
-static int
-parseextensions(char *extensions, struct ldapdb_data *data)
-{
-	char *s, *next, *name, *value;
-	int critical;
-
-	while (extensions != NULL) {
-		s = strchr(extensions, ',');
-		if (s != NULL) {
-			*s++ = '\0';
-			next = s;
-		} else {
-			next = NULL;
-		}
-
-		if (*extensions != '\0') {
-			s = strchr(extensions, '=');
-			if (s != NULL) {
-				*s++ = '\0';
-				value = *s != '\0' ? s : NULL;
-			} else {
-				value = NULL;
-			}
-			name = extensions;
 
-			critical = *name == '!';
-			if (critical) {
-				name++;
-			}
-			if (*name == '\0') {
-				return -1;
-			}
-			
-			if (!strcasecmp(name, "bindname")) {
-				data->bindname = value;
-			} else if (!strcasecmp(name, "x-bindpw")) {
-				data->bindpw = value;
-#ifdef LDAPDB_TLS
-			} else if (!strcasecmp(name, "x-tls")) {
-				data->tls = value == NULL || !strcasecmp(value, "true");
-#endif
-			} else if (critical) {
-				return -2;
-			}
-		}
-		extensions = next;
-	}
-	return 0;
-}
 
 static void
 free_data(struct ldapdb_data *data)
@@ -477,7 +393,7 @@ ldapdb_create(const char *zone, int argc, char **argv,
 	      void *driverdata, void **dbdata)
 {
 	struct ldapdb_data *data;
-	char *s, *filter = NULL, *extensions = NULL;
+	char *s, *filter = NULL;
 	int defaultttl;
 
 	UNUSED(driverdata);
@@ -523,15 +439,6 @@ ldapdb_create(const char *zone, int argc, char **argv,
 					s = strchr(s, '?');
 					if (s != NULL) {
 						*s++ = '\0';
-						/* extensions */
-						extensions = s;
-						s = strchr(s, '?');
-						if (s != NULL) {
-							*s++ = '\0';
-						}
-						if (*extensions == '\0') {
-							extensions = NULL;
-						}
 					}
 					if (*filter == '\0') {
 						filter = NULL;
@@ -542,37 +449,15 @@ ldapdb_create(const char *zone, int argc, char **argv,
 		if (*data->base == '\0') {
 			data->base = NULL;
 		}
-	}
-
-	/* parse extensions */
-	if (extensions != NULL) {
-		int err;
 
-		err = parseextensions(extensions, data);
-		if (err < 0) {
-			/* err should be -1 or -2 */
+		if ((data->base != NULL && unhex(data->base) == NULL) || (filter != NULL && unhex(filter) == NULL)) {
 			free_data(data);
-			if (err == -1) {
-				isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
-					      "LDAP sdb zone '%s': URL: extension syntax error", zone);
-			} else if (err == -2) {
-				isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
-					      "LDAP sdb zone '%s': URL: unknown critical extension", zone);
-			}
+			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_ERROR,	
+				      "LDAP sdb zone '%s': bad hex values", zone);
 			return (ISC_R_FAILURE);
 		}
 	}
 
-	if ((data->base != NULL && unhex(data->base) == NULL) ||
-	    (filter != NULL && unhex(filter) == NULL) ||
-	    (data->bindname != NULL && unhex(data->bindname) == NULL) ||
-	    (data->bindpw != NULL && unhex(data->bindpw) == NULL)) {
-		free_data(data);
-		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_ERROR,	
-			      "LDAP sdb zone '%s': URL: bad hex values", zone);
-		return (ISC_R_FAILURE);
-	}
-
 	/* compute filterall and filterone once and for all */
 	if (filter == NULL) {
 		data->filteralllen = strlen(zone) + strlen("(zoneName=)") + 1;
diff --git a/contrib/sdb/ldap/zone2ldap.c b/contrib/sdb/ldap/zone2ldap.c
index 90028b6d..badc06ce 100644
--- a/contrib/sdb/ldap/zone2ldap.c
+++ b/contrib/sdb/ldap/zone2ldap.c
@@ -20,8 +20,6 @@
 #include <getopt.h>
 
 #include <isc/buffer.h>
-#include <isc/entropy.h>
-#include <isc/hash.h>
 #include <isc/mem.h>
 #include <isc/print.h>
 #include <isc/result.h>
@@ -108,8 +106,7 @@ debug = 1;
 int
 main (int *argc, char **argv)
 {
-  isc_mem_t *mctx = NULL;
-  isc_entropy_t *ectx = NULL;
+  isc_mem_t *isc_ctx = NULL;
   isc_result_t result;
   char *basedn;
   ldap_info *tmp;
@@ -188,15 +185,9 @@ main (int *argc, char **argv)
   if (debug)
     printf ("Initializing ISC Routines, parsing zone file\n");
 
-  result = isc_mem_create (0, 0, &mctx);
+  result = isc_mem_create (0, 0, &isc_ctx);
   isc_result_check (result, "isc_mem_create");
 
-  result = isc_entropy_create(mctx, &ectx);
-  isc_result_check (result, "isc_entropy_create");
-
-  result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
-  isc_result_check (result, "isc_hash_create");
-
   isc_buffer_init (&buff, argzone, strlen (argzone));
   isc_buffer_add (&buff, strlen (argzone));
   dns_fixedname_init (&fixedzone);
@@ -204,8 +195,9 @@ main (int *argc, char **argv)
   result = dns_name_fromtext (zone, &buff, dns_rootname, ISC_FALSE, NULL);
   isc_result_check (result, "dns_name_fromtext");
 
-  result = dns_db_create (mctx, "rbt", zone, dns_dbtype_zone,
-			  dns_rdataclass_in, 0, NULL, &db);
+  result =
+    dns_db_create (isc_ctx, "rbt", zone, dns_dbtype_zone, dns_rdataclass_in,
+		   0, NULL, &db);
   isc_result_check (result, "dns_db_create");
 
   result = dns_db_load (db, zonefile);
@@ -321,14 +313,9 @@ main (int *argc, char **argv)
       add_ldap_values (tmp);
     }
 
-  if (debug)
+if (debug)
 	printf("Operation Complete.\n");
 
-  /* Cleanup */
-  isc_hash_destroy();
-  isc_entropy_detach(&ectx);
-  isc_mem_destroy(&mctx);
-
   return 0;
 }
 
diff --git a/contrib/sdb/pgsql/pgsqldb.c b/contrib/sdb/pgsql/pgsqldb.c
index 730c5110..9421cebc 100644
--- a/contrib/sdb/pgsql/pgsqldb.c
+++ b/contrib/sdb/pgsql/pgsqldb.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2002  Internet Software Consortium.
+ * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: pgsqldb.c,v 1.12.4.3 2004/03/09 06:10:34 marka Exp $ */
+/* $Id: pgsqldb.c,v 1.12.4.2.8.2 2004/03/08 09:04:22 marka Exp $ */
 
 #include <config.h>
 
diff --git a/contrib/sdb/pgsql/pgsqldb.h b/contrib/sdb/pgsql/pgsqldb.h
index b151f4e6..f91e98f0 100644
--- a/contrib/sdb/pgsql/pgsqldb.h
+++ b/contrib/sdb/pgsql/pgsqldb.h
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2002  Internet Software Consortium.
+ * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: pgsqldb.h,v 1.2.4.3 2004/03/09 06:10:35 marka Exp $ */
+/* $Id: pgsqldb.h,v 1.2.4.2.8.2 2004/03/08 09:04:22 marka Exp $ */
 
 #include <isc/types.h>
 
diff --git a/contrib/sdb/pgsql/zonetodb.c b/contrib/sdb/pgsql/zonetodb.c
index ee837e84..515f07d9 100644
--- a/contrib/sdb/pgsql/zonetodb.c
+++ b/contrib/sdb/pgsql/zonetodb.c
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2002  Internet Software Consortium.
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,14 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zonetodb.c,v 1.12.4.5 2005/09/06 02:11:54 marka Exp $ */
+/* $Id: zonetodb.c,v 1.12.4.2.8.4 2004/03/08 09:04:22 marka Exp $ */
 
 #include <stdlib.h>
 #include <string.h>
 
 #include <isc/buffer.h>
-#include <isc/entropy.h>
-#include <isc/hash.h>
 #include <isc/mem.h>
 #include <isc/print.h>
 #include <isc/result.h>
@@ -142,7 +140,6 @@ main(int argc, char **argv) {
 	dns_rdataset_t rdataset;
 	dns_rdata_t rdata = DNS_RDATA_INIT;
 	isc_mem_t *mctx = NULL;
-	isc_entropy_t *ectx = NULL;
 	isc_buffer_t b;
 	isc_result_t result;
 	PGresult *res;
@@ -164,12 +161,6 @@ main(int argc, char **argv) {
 	result = isc_mem_create(0, 0, &mctx);
 	check_result(result, "isc_mem_create");
 
-	result = isc_entropy_create(mctx, &ectx);
-	result_check (result, "isc_entropy_create");
-
-	result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
-	check_result (result, "isc_hash_create");
-
 	isc_buffer_init(&b, porigin, strlen(porigin));
 	isc_buffer_add(&b, strlen(porigin));
 	dns_fixedname_init(&forigin);
@@ -284,8 +275,6 @@ main(int argc, char **argv) {
 	PQclear(res);
 	dns_dbiterator_destroy(&dbiter);
 	dns_db_detach(&db);
-	isc_hash_destroy();
-	isc_entropy_detach(&ectx);
 	isc_mem_destroy(&mctx);
 	closeandexit(0);
 	exit(0);
diff --git a/contrib/sdb/sqlite/README.sdb_sqlite b/contrib/sdb/sqlite/README.sdb_sqlite
deleted file mode 100644
index 36128e19..00000000
--- a/contrib/sdb/sqlite/README.sdb_sqlite
+++ /dev/null
@@ -1,67 +0,0 @@
-			SQLite BIND SDB driver
-
-The SQLite BIND SDB "driver" is intended as an alternative both to the
-pgsqldb and dirdb drivers, for situations that would like the management
-simplicity and convenience of single filesystem files, with the additional
-capability of SQL databases.  It is also intended as an alternative to
-the standard dynamic DNS update capability in bind, which effectively
-requires use of DNSSEC keys for authorization and is limited to 'nsupdate'
-for updates.  An sqlite database, by contrast, uses and requires only
-normal filesystem permissions, and may be updated however a typical SQLite
-database might be updated, e.g., via a web service with an SQLite backend.
-
-This driver is not considered suitable for very high volume public
-nameserver use, while likely useful for smaller private nameserver
-applications, whether or not in a production environment.  It should
-generally be suitable wherever SQLite is preferable over larger database
-engines, and not suitable where SQLite is not preferable.
-
-Usage:
-
-o Use the named_sdb process ( put ENABLE_SDB=yes in /etc/sysconfig/named )
-
-o Edit your named.conf to contain a database zone, eg.:
-  
-zone "mydomain.net." IN {
-        type master;
-        database "sqlite /etc/named.d/mydomain.db mydomain";
-        #                ^- DB file               ^-Table
-};
-
-o Create the database zone table
-  The table must contain the columns "name", "rdtype", and "rdata", and
-  is expected to contain a properly constructed zone.  The program
-  "zone2sqlite" creates such a table.
-  
-  zone2sqlite usage:
-    
-    zone2sqlite origin zonefile dbfile dbtable
-
-    where
-	origin   : zone origin, eg "mydomain.net."
-	zonefile : master zone database file, eg. mydomain.net.zone
-	dbfile   : name of SQLite database file
-        dbtable  : name of table in database
-
----
-# mydomain.net.zone:
-$TTL 1H
-@       SOA     localhost.      root.localhost. (       1
-                                                3H
-                                                1H
-                                                1W
-                                                1H )
-        NS      localhost.
-host1   A       192.168.2.1
-host2   A       192.168.2.2
-host3   A       192.168.2.3
-host4   A       192.168.2.4
-host5   A       192.168.2.5
-host6   A       192.168.2.6
-host7   A       192.168.2.7
----
-
-# zone2sqlite mydomain.net. mydomain.net.zone mydomain.net.db mydomain
-
-will create/update the 'mydomain' table in database file 'mydomain.net.db'.
-
diff --git a/contrib/sdb/sqlite/sqlitedb.c b/contrib/sdb/sqlite/sqlitedb.c
deleted file mode 100644
index 9eb06e74..00000000
--- a/contrib/sdb/sqlite/sqlitedb.c
+++ /dev/null
@@ -1,324 +0,0 @@
-/*
- * Copyright (C) 2007  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: sqlitedb.c,v 1.1.4.1 2007/03/05 05:36:58 marka Exp $ */
-
-#include <config.h>
-
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <unistd.h>
-
-#include <sqlite3.h>
-
-#include <isc/mem.h>
-#include <isc/print.h>
-#include <isc/result.h>
-#include <isc/util.h>
-
-#include <dns/sdb.h>
-#include <dns/result.h>
-
-#include <named/globals.h>
-
-#include "sqlitedb.h"
-
-/*
- * A simple database driver that interfaces to a SQLite database.
- *
- * The table must contain the fields "name", "rdtype", and "rdata", and 
- * is expected to contain a properly constructed zone.  The program "zonetodb"
- * creates such a table.
- */
-
-static dns_sdbimplementation_t *sqlitedb = NULL;
-
-typedef struct _dbinfo {
-    sqlite3 *db;
-    char *filename;
-    char *table;
-} dbinfo_t;
-
-
-static isc_result_t
-db_connect(dbinfo_t *dbi)
-{
-    if (sqlite3_open(dbi->filename, &dbi->db) == SQLITE_OK) {
-	return (ISC_R_SUCCESS);
-    } else {
-	/* a connection is returned even if the open fails */
-	sqlite3_close(dbi->db);
-	dbi->db = NULL;
-	return (ISC_R_FAILURE);
-    }
-}
-
-
-typedef struct _lookup_parm_t {
-    int              i;
-    dns_sdblookup_t *lookup;
-    isc_result_t     result;
-} lookup_parm_t;
-
-
-static int
-sqlitedb_lookup_cb(void *p, int cc, char **cv, char **cn)
-{
-    lookup_parm_t *parm = p;
-    dns_ttl_t ttl;
-    char *endp;
-
-    /* FIXME - check these(num/names); I'm assuming a mapping for now */
-    char *ttlstr = cv[0];
-    char *type   = cv[1];
-    char *data   = cv[2];
-
-    UNUSED(cc);
-    UNUSED(cn);
-
-    ttl = strtol(ttlstr, &endp, 10);
-    if (*endp) {
-	parm->result = DNS_R_BADTTL;
-	return 1;
-    }
-
-    parm->result = dns_sdb_putrr(parm->lookup, type, ttl, data);
-
-    if (parm->result != ISC_R_SUCCESS)
-	return 1;
-
-    (parm->i)++;
-
-    return 0;
-}
-
-
-static isc_result_t
-sqlitedb_lookup(const char *zone,
-		const char *name, void *dbdata,
-		dns_sdblookup_t *lookup)
-/*
- * synchronous absolute name lookup
- */
-{
-    dbinfo_t *dbi = (dbinfo_t *) dbdata;
-    char *sql;
-    lookup_parm_t parm = { 0, lookup, ISC_R_SUCCESS };
-    char *errmsg = NULL;
-    int result;
-
-    UNUSED(zone);
-
-    sql = sqlite3_mprintf(
-	"SELECT TTL,RDTYPE,RDATA FROM \"%q\" WHERE "
-	"lower(NAME) = lower('%q')",
-	dbi->table, name);
-
-    result = sqlite3_exec(dbi->db, sql,
-			  &sqlitedb_lookup_cb, &parm,
-			  &errmsg);
-    sqlite3_free(sql);
-
-    if (result != SQLITE_OK)
-	return (ISC_R_FAILURE);
-    if (parm.i == 0)
-	return (ISC_R_NOTFOUND);
-
-    return (ISC_R_SUCCESS);
-}
-
-
-typedef struct _allnodes_parm_t {
-    int                i;
-    dns_sdballnodes_t *allnodes;
-    isc_result_t       result;
-} allnodes_parm_t;
-
-
-static int
-sqlitedb_allnodes_cb(void *p, int cc, char **cv, char **cn)
-{
-    allnodes_parm_t *parm = p;
-    dns_ttl_t ttl;
-    char *endp;
-
-    /* FIXME - check these(num/names); I'm assuming a mapping for now */
-    char *ttlstr = cv[0];
-    char *name   = cv[1];
-    char *type   = cv[2];
-    char *data   = cv[3];
-
-    UNUSED(cc);
-    UNUSED(cn);
-
-    ttl = strtol(ttlstr, &endp, 10);
-    if (*endp) {
-	parm->result = DNS_R_BADTTL;
-	return 1;
-    }
-
-    parm->result = dns_sdb_putnamedrr(parm->allnodes, name, type, ttl, data);
-
-    if (parm->result != ISC_R_SUCCESS)
-	return 1;
-
-    (parm->i)++;
-
-    return 0;
-}
-
-
-static isc_result_t
-sqlitedb_allnodes(const char *zone,
-		  void *dbdata,
-		  dns_sdballnodes_t *allnodes)
-{
-    dbinfo_t *dbi = (dbinfo_t *) dbdata;
-    char *sql;
-    allnodes_parm_t parm = { 0, allnodes, ISC_R_SUCCESS };
-    char *errmsg = NULL;
-    int result;
-
-    UNUSED(zone);
-
-    sql = sqlite3_mprintf(
-	"SELECT TTL,NAME,RDTYPE,RDATA FROM \"%q\" ORDER BY NAME",
-	dbi->table);
-
-    result = sqlite3_exec(dbi->db, sql,
-			  &sqlitedb_allnodes_cb, &parm,
-			  &errmsg);
-    sqlite3_free(sql);
-
-    if (result != SQLITE_OK)
-	return (ISC_R_FAILURE);
-    if (parm.i == 0)
-	return (ISC_R_NOTFOUND);
-
-    return (ISC_R_SUCCESS);
-}
-
-
-static void
-sqlitedb_destroy(const char *zone, void *driverdata, void **dbdata)
-{
-    dbinfo_t *dbi = *dbdata;
-
-    UNUSED(zone);
-    UNUSED(driverdata);
-
-    if (dbi->db != NULL)
-	sqlite3_close(dbi->db);
-    if (dbi->table != NULL)
-	isc_mem_free(ns_g_mctx, dbi->table);
-    if (dbi->filename != NULL)
-	isc_mem_free(ns_g_mctx, dbi->filename);
-
-    isc_mem_put(ns_g_mctx, dbi, sizeof(dbinfo_t));
-}
-
-
-#define STRDUP_OR_FAIL(target, source)				\
-	do {							\
-		target = isc_mem_strdup(ns_g_mctx, source);	\
-		if (target == NULL) {				\
-			result = ISC_R_NOMEMORY;		\
-			goto cleanup;				\
-		}						\
-	} while (0);
-
-/*
- * Create a connection to the database and save any necessary information
- * in dbdata.
- *
- * argv[0] is the name of the database file
- * argv[1] is the name of the table
- */
-static isc_result_t
-sqlitedb_create(const char *zone,
-		int argc, char **argv,
-		void *driverdata, void **dbdata)
-{
-    dbinfo_t *dbi;
-    isc_result_t result;
-
-    UNUSED(zone);
-    UNUSED(driverdata);
-
-    if (argc < 2)
-	return (ISC_R_FAILURE);
-
-    dbi = isc_mem_get(ns_g_mctx, sizeof(dbinfo_t));
-    if (dbi == NULL)
-	return (ISC_R_NOMEMORY);
-    dbi->db       = NULL;
-    dbi->filename = NULL;
-    dbi->table    = NULL;
-
-    STRDUP_OR_FAIL(dbi->filename, argv[0]);
-    STRDUP_OR_FAIL(dbi->table, argv[1]);
-
-    result = db_connect(dbi);
-    if (result != ISC_R_SUCCESS)
-	goto cleanup;
-
-    *dbdata = dbi;
-    return (ISC_R_SUCCESS);
-
-cleanup:
-    sqlitedb_destroy(zone, driverdata, (void **)&dbi);
-    return (result);
-}
-
-
-/*
- * Since the SQL database corresponds to a zone, the authority data should
- * be returned by the lookup() function.  Therefore the authority() function
- * is NULL.
- */
-static dns_sdbmethods_t sqlitedb_methods = {
-    sqlitedb_lookup,
-    NULL, /* authority */
-    sqlitedb_allnodes,
-    sqlitedb_create,
-    sqlitedb_destroy
-};
-
-
-/*
- * Wrapper around dns_sdb_register().
- */
-isc_result_t
-sqlitedb_init(void)
-{
-    unsigned int flags;
-    flags = 0;
-    return (dns_sdb_register("sqlite", &sqlitedb_methods, NULL, flags,
-			     ns_g_mctx, &sqlitedb));
-}
-
-
-/*
- * Wrapper around dns_sdb_unregister().
- */
-void
-sqlitedb_clear(void)
-{
-    if (sqlitedb != NULL)
-	dns_sdb_unregister(&sqlitedb);
-}
diff --git a/contrib/sdb/sqlite/sqlitedb.h b/contrib/sdb/sqlite/sqlitedb.h
deleted file mode 100644
index e08c1ff4..00000000
--- a/contrib/sdb/sqlite/sqlitedb.h
+++ /dev/null
@@ -1,25 +0,0 @@
-/*
- * Copyright (C) 2000-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: sqlitedb.h,v 1.1.4.1 2007/03/05 05:36:58 marka Exp $ */
-
-#include <isc/types.h>
-
-isc_result_t sqlitedb_init(void);
-
-void sqlitedb_clear(void);
-
diff --git a/contrib/sdb/sqlite/zone2sqlite.c b/contrib/sdb/sqlite/zone2sqlite.c
deleted file mode 100644
index 40ff0e6f..00000000
--- a/contrib/sdb/sqlite/zone2sqlite.c
+++ /dev/null
@@ -1,301 +0,0 @@
-/*
- * Copyright (C) 2007  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: zone2sqlite.c,v 1.1.4.1 2007/03/05 05:36:58 marka Exp $ */
-
-#include <stdlib.h>
-#include <string.h>
-
-#include <isc/buffer.h>
-#include <isc/mem.h>
-#include <isc/print.h>
-#include <isc/result.h>
-
-#include <dns/db.h>
-#include <dns/dbiterator.h>
-#include <dns/fixedname.h>
-#include <dns/name.h>
-#include <dns/rdata.h>
-#include <dns/rdataset.h>
-#include <dns/rdatasetiter.h>
-#include <dns/rdatatype.h>
-#include <dns/result.h>
-
-#include <sqlite3.h>
-
-#ifndef UNUSED
-#define UNUSED(x)  (x) = (x)
-#endif
-
-/*
- * Generate an SQLite table from a zone.
- */
-
-typedef struct _dbinfo {
-    sqlite3 *db;
-    char *filename;
-    char *table;
-} dbinfo_t;
-
-dbinfo_t dbi = { NULL, NULL, NULL };
-
-
-static void
-closeandexit(int status)
-{
-    if (dbi.db) {
-	sqlite3_close(dbi.db);
-	dbi.db = NULL;
-    }
-    exit(status);
-}
-
-static void
-check_result(isc_result_t result, const char *message)
-{
-    if (result != ISC_R_SUCCESS) {
-	fprintf(stderr, "%s: %s\n", message,
-		isc_result_totext(result));
-	closeandexit(1);
-    }
-}
-
-static isc_result_t
-db_connect(dbinfo_t *dbi)
-{
-    if (sqlite3_open(dbi->filename, &dbi->db) == SQLITE_OK) {
-	return (ISC_R_SUCCESS);
-    } else {
-	/* a connection is returned even if the open fails */
-	sqlite3_close(dbi->db);
-	dbi->db = NULL;
-	return (ISC_R_FAILURE);
-    }
-}
-
-static int
-add_rdata_cb(void *parm, int cc, char **cv, char **cn)
-{
-    UNUSED(parm);
-    UNUSED(cc);
-    UNUSED(cv);
-    UNUSED(cn);
-
-    return 0;
-}
-
-
-static void
-addrdata(dns_name_t *name, dns_ttl_t ttl, dns_rdata_t *rdata)
-{
-    unsigned char namearray[DNS_NAME_MAXTEXT + 1];
-    unsigned char typearray[20];
-    unsigned char dataarray[2048];
-    isc_buffer_t b;
-    isc_result_t result;
-    char *sql;
-    char *errmsg = NULL;
-    int res;
-    
-    isc_buffer_init(&b, namearray, sizeof(namearray) - 1);
-    result = dns_name_totext(name, ISC_TRUE, &b);
-    check_result(result, "dns_name_totext");
-    namearray[isc_buffer_usedlength(&b)] = 0;
-    
-    isc_buffer_init(&b, typearray, sizeof(typearray) - 1);
-    result = dns_rdatatype_totext(rdata->type, &b);
-    check_result(result, "dns_rdatatype_totext");
-    typearray[isc_buffer_usedlength(&b)] = 0;
-    
-    isc_buffer_init(&b, dataarray, sizeof(dataarray) - 1);
-    result = dns_rdata_totext(rdata, NULL, &b);
-    check_result(result, "dns_rdata_totext");
-    dataarray[isc_buffer_usedlength(&b)] = 0;
-    
-    sql = sqlite3_mprintf(
-	"INSERT INTO %q (NAME, TTL, RDTYPE, RDATA)"
-	" VALUES ('%q', %d, '%q', '%q') ",
-	dbi.table,
-	namearray, ttl, typearray, dataarray);
-    printf("%s\n", sql);
-    res = sqlite3_exec(dbi.db, sql, add_rdata_cb, NULL, &errmsg);
-    sqlite3_free(sql);
-
-    if (result != SQLITE_OK) {
-	fprintf(stderr, "INSERT failed: %s\n", errmsg);
-	closeandexit(1);
-    }
-}
-
-int
-main(int argc, char *argv[])
-{
-    char *sql;
-    int res;
-    char *errmsg = NULL;
-    char *porigin, *zonefile;
-    dns_fixedname_t forigin, fname;
-    dns_name_t *origin, *name;
-    dns_db_t *db = NULL;
-    dns_dbiterator_t *dbiter;
-    dns_dbnode_t *node;
-    dns_rdatasetiter_t *rdsiter;
-    dns_rdataset_t rdataset;
-    dns_rdata_t rdata = DNS_RDATA_INIT;
-    isc_mem_t *mctx = NULL;
-    isc_buffer_t b;
-    isc_result_t result;
-
-    if (argc != 5) {
-	printf("usage: %s <zone> <zonefile> <dbfile> <dbtable>\n", argv[0]);
-	exit(1);
-    }
-    
-    porigin  = argv[1];
-    zonefile = argv[2];
-
-    dbi.filename = argv[3];
-    dbi.table    = argv[4];
-    
-    dns_result_register();
-    
-    mctx = NULL;
-    result = isc_mem_create(0, 0, &mctx);
-    check_result(result, "isc_mem_create");
-    
-    isc_buffer_init(&b, porigin, strlen(porigin));
-    isc_buffer_add(&b, strlen(porigin));
-    dns_fixedname_init(&forigin);
-    origin = dns_fixedname_name(&forigin);
-    result = dns_name_fromtext(origin, &b, dns_rootname, ISC_FALSE, NULL);
-    check_result(result, "dns_name_fromtext");
-    
-    db = NULL;
-    result = dns_db_create(mctx, "rbt", origin, dns_dbtype_zone,
-			   dns_rdataclass_in, 0, NULL, &db);
-    check_result(result, "dns_db_create");
-    
-    result = dns_db_load(db, zonefile);
-    if (result == DNS_R_SEENINCLUDE)
-	result = ISC_R_SUCCESS;
-    check_result(result, "dns_db_load");
-
-    printf("Connecting to '%s'\n", dbi.filename);
-    
-    if ((result = db_connect(&dbi)) != ISC_R_SUCCESS) {
-	fprintf(stderr, "Connection to database '%s' failed\n",
-		dbi.filename);
-	closeandexit(1);
-    }
-    
-    sql = sqlite3_mprintf("DROP TABLE %q ", dbi.table);
-    printf("%s\n", sql);
-    res = sqlite3_exec(dbi.db, sql, NULL, NULL, &errmsg);
-    sqlite3_free(sql);
-#if 0
-    if (res != SQLITE_OK) {
-	fprintf(stderr, "DROP TABLE %s failed: %s\n",
-		dbi.table, errmsg);
-    }
-#endif
-
-#if 0    
-    sql = sqlite3_mprintf(sql, "BEGIN TRANSACTION");
-    printf("%s\n", sql);
-    res = sqlite3_exec(dbi.db, sql, NULL, NULL, &errmsg);
-    sqlite3_free(sql);
-    if (res != SQLITE_OK) {
-	fprintf(stderr, "BEGIN TRANSACTION failed: %s\n", errmsg);
-	closeandexit(1);
-    }
-#endif
-    
-    sql = sqlite3_mprintf(
-	"CREATE TABLE %q "
-	"(NAME TEXT, TTL INTEGER, RDTYPE TEXT, RDATA TEXT) ",
-	dbi.table);
-    printf("%s\n", sql);
-    res = sqlite3_exec(dbi.db, sql, NULL, NULL, &errmsg);
-    sqlite3_free(sql);
-    if (res != SQLITE_OK) {
-	fprintf(stderr, "CREATE TABLE %s failed: %s\n",
-		dbi.table, errmsg);
-	closeandexit(1);
-    }
-    
-    dbiter = NULL;
-    result = dns_db_createiterator(db, ISC_FALSE, &dbiter);
-    check_result(result, "dns_db_createiterator()");
-    
-    result = dns_dbiterator_first(dbiter);
-    check_result(result, "dns_dbiterator_first");
-    
-    dns_fixedname_init(&fname);
-    name = dns_fixedname_name(&fname);
-    dns_rdataset_init(&rdataset);
-    dns_rdata_init(&rdata);
-    
-    while (result == ISC_R_SUCCESS) {
-	node = NULL;
-	result = dns_dbiterator_current(dbiter, &node, name);
-	if (result == ISC_R_NOMORE)
-	    break;
-	check_result(result, "dns_dbiterator_current");
-	
-	rdsiter = NULL;
-	result = dns_db_allrdatasets(db, node, NULL, 0, &rdsiter);
-	check_result(result, "dns_db_allrdatasets");
-
-	result = dns_rdatasetiter_first(rdsiter);
-
-	while (result == ISC_R_SUCCESS) {
-	    dns_rdatasetiter_current(rdsiter, &rdataset);
-	    result = dns_rdataset_first(&rdataset);
-	    check_result(result, "dns_rdataset_first");
-	    while (result == ISC_R_SUCCESS) {
-		dns_rdataset_current(&rdataset, &rdata);
-		addrdata(name, rdataset.ttl, &rdata);
-		dns_rdata_reset(&rdata);
-		result = dns_rdataset_next(&rdataset);
-	    }
-	    dns_rdataset_disassociate(&rdataset);
-	    result = dns_rdatasetiter_next(rdsiter);
-	}
-	dns_rdatasetiter_destroy(&rdsiter);
-	dns_db_detachnode(db, &node);
-	result = dns_dbiterator_next(dbiter);
-    }
-
-#if 0
-    sql = sqlite3_mprintf(sql, "COMMIT TRANSACTION ");
-    printf("%s\n", sql);
-    res = sqlite3_exec(dbi.db, sql, NULL, NULL, &errmsg);
-    sqlite3_free(sql);
-    if (res != SQLITE_OK) {
-	fprintf(stderr, "COMMIT TRANSACTION failed: %s\n", errmsg);
-	closeandexit(1);
-    }
-#endif
-    
-    dns_dbiterator_destroy(&dbiter);
-    dns_db_detach(&db);
-    isc_mem_destroy(&mctx);
-
-    closeandexit(0);
-
-    exit(0);
-}
diff --git a/contrib/sdb/tcl/lookup.tcl b/contrib/sdb/tcl/lookup.tcl
index fa1a39cc..6e940555 100644
--- a/contrib/sdb/tcl/lookup.tcl
+++ b/contrib/sdb/tcl/lookup.tcl
@@ -1,5 +1,5 @@
 # Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2000-2002  Internet Software Consortium.
+# Copyright (C) 2000, 2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: lookup.tcl,v 1.7.4.3 2004/03/09 06:10:35 marka Exp $
+# $Id: lookup.tcl,v 1.7.4.2.8.2 2004/03/08 09:04:23 marka Exp $
 
 #
 # Sample lookup procedure for tcldb
diff --git a/contrib/sdb/tcl/tcldb.c b/contrib/sdb/tcl/tcldb.c
index afda56bf..7866c871 100644
--- a/contrib/sdb/tcl/tcldb.c
+++ b/contrib/sdb/tcl/tcldb.c
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2002  Internet Software Consortium.
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tcldb.c,v 1.7.4.5 2007/01/18 00:06:02 marka Exp $ */
+/* $Id: tcldb.c,v 1.7.4.2.8.2 2004/03/08 09:04:23 marka Exp $ */
 
 /*
  * A simple database driver that calls a Tcl procedure to define
diff --git a/contrib/sdb/tcl/tcldb.h b/contrib/sdb/tcl/tcldb.h
index 32aa20c1..60f4a71f 100644
--- a/contrib/sdb/tcl/tcldb.h
+++ b/contrib/sdb/tcl/tcldb.h
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2002  Internet Software Consortium.
+ * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tcldb.h,v 1.4.4.3 2004/03/09 06:10:36 marka Exp $ */
+/* $Id: tcldb.h,v 1.4.4.2.8.2 2004/03/08 09:04:23 marka Exp $ */
 
 #include <isc/types.h>
 
diff --git a/contrib/sdb/time/timedb.c b/contrib/sdb/time/timedb.c
index 117ac71f..8455dedc 100644
--- a/contrib/sdb/time/timedb.c
+++ b/contrib/sdb/time/timedb.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2002  Internet Software Consortium.
+ * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: timedb.c,v 1.7.4.3 2004/03/09 06:10:36 marka Exp $ */
+/* $Id: timedb.c,v 1.7.4.2.8.2 2004/03/08 09:04:23 marka Exp $ */
 
 /*
  * A simple database driver that enables the server to return the
diff --git a/contrib/sdb/time/timedb.h b/contrib/sdb/time/timedb.h
index 9fd48de5..f7b16bf1 100644
--- a/contrib/sdb/time/timedb.h
+++ b/contrib/sdb/time/timedb.h
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2002  Internet Software Consortium.
+ * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: timedb.h,v 1.2.4.3 2004/03/09 06:10:36 marka Exp $ */
+/* $Id: timedb.h,v 1.2.4.2.8.2 2004/03/08 09:04:24 marka Exp $ */
 
 #include <isc/types.h>
 
diff --git a/doc/Makefile.in b/doc/Makefile.in
index a274d4ae..e7dd9ca3 100644
--- a/doc/Makefile.in
+++ b/doc/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000, 2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.4.2.3 2005/09/13 00:34:29 marka Exp $
+# $Id: Makefile.in,v 1.4.206.1 2004/03/06 13:16:14 marka Exp $
 
 # This Makefile is a placeholder.  It exists merely to make
 # sure that its directory gets created in the object directory
@@ -23,7 +23,7 @@ srcdir =	@srcdir@
 VPATH =		@srcdir@
 top_srcdir =	@top_srcdir@
 
-SUBDIRS = arm misc xsl
+SUBDIRS = arm misc
 TARGETS =
 
 @BIND9_MAKE_RULES@
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index d1d23bc7..4c59aa49 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -1,46 +1,24 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003  Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- File: $Id: Bv9ARM-book.xml,v 1.155.2.58 2007/05/16 06:15:11 marka Exp $ -->
+
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
+               "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd">
+
+<!-- File: $Id: Bv9ARM-book.xml,v 1.155.2.27.2.39 2004/03/15 05:50:30 marka Exp $ -->
 
 <book>
 <title>BIND 9 Administrator Reference Manual</title>
 
-  <bookinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2006</year>
-      <year>2007</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <year>2002</year>
-      <year>2003</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
-  </bookinfo>
-
-  <chapter id="Bv9ARM.ch01">
+<bookinfo>
+<copyright>
+<year>2004</year>
+<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+</copyright>
+<copyright>
+<year>2000-2003</year>
+<holder>Internet Software Consortium</holder>
+</copyright>
+</bookinfo>
+
+  <chapter id="ch01">
   <title>Introduction </title>
   <para>The Internet Domain Name System (<acronym>DNS</acronym>) consists of the syntax
   to specify the names of entities in the Internet in a hierarchical
@@ -52,14 +30,14 @@
   <sect1>
     <title>Scope of Document</title>
 
-    <para>The Berkeley Internet Name Domain (<acronym>BIND</acronym>) implements a
+    <para>The Berkeley Internet Name Domain (<acronym>BIND</acronym>) implements an
     domain name server for a number of operating systems. This
     document provides basic information about the installation and
     care of the Internet Software Consortium (<acronym>ISC</acronym>)
     <acronym>BIND</acronym> version 9 software package for system
     administrators.</para>
 
-    <para>This version of the manual corresponds to BIND version 9.2.</para>
+    <para>This version of the manual corresponds to BIND version 9.3.</para>
     
   </sect1>
   <sect1><title>Organization of This Document</title>
@@ -80,8 +58,8 @@
     </emphasis>addresses security considerations, and
     <emphasis>Section 8</emphasis> contains troubleshooting help. The
     main body of the document is followed by several
-    <emphasis>appendices</emphasis> which contain useful reference
-    information, such as a <emphasis>bibliography</emphasis> and
+    <emphasis>Appendices</emphasis> which contain useful reference
+    information, such as a <emphasis>Bibliography</emphasis> and
     historic information related to <acronym>BIND</acronym> and the Domain Name
     System.</para>
   </sect1>
@@ -149,7 +127,7 @@ describe:</emphasis></para></entry>
 </tgroup></informaltable></para></sect1>
 <sect1><title>The Domain Name System (<acronym>DNS</acronym>)</title>
 <para>The purpose of this document is to explain the installation
-and upkeep of the <acronym>BIND</acronym> (Berkeley Internet Name Domain) software package, and we
+and upkeep of the <acronym>BIND</acronym> software package, and we
 begin by reviewing the fundamentals of the Domain Name System
 (<acronym>DNS</acronym>) as they relate to <acronym>BIND</acronym>.
 </para>
@@ -165,8 +143,10 @@ used by Internet applications.</para>
 <para>Clients look up information in the DNS by calling a
 <emphasis>resolver</emphasis> library, which sends queries to one or
 more <emphasis>name servers</emphasis> and interprets the responses.
-The <acronym>BIND 9</acronym> software distribution contains both a 
-name server and a resolver library.</para>
+The <acronym>BIND</acronym> 9 software distribution contains a
+name server, <command>named</command>, and two resolver
+libraries, <command>liblwres</command> and <command>libbind</command>.
+</para>
 
 </sect2><sect2>
 <title>Domains and Domain Names</title>
@@ -334,7 +314,7 @@ caching are intimately connected, the terms
 <emphasis>caching server</emphasis> are often used synonymously.</para>
 
 <para>The length of time for which a record may be retained in
-the cache of a caching name server is controlled by the 
+in the cache of a caching name server is controlled by the 
 Time To Live (TTL) field associated with each resource record.
 </para>
 
@@ -388,7 +368,7 @@ be placed inside a firewall.</para>
 
 </chapter>
 
-<chapter id="Bv9ARM.ch02"><title><acronym>BIND</acronym> Resource Requirements</title>
+<chapter id="ch02"><title><acronym>BIND</acronym> Resource Requirements</title>
 
 <sect1>
 <title>Hardware requirements</title>
@@ -399,7 +379,7 @@ active duty have performed admirably as <acronym>DNS</acronym> servers.</para>
 <para>The DNSSEC and IPv6 features of <acronym>BIND</acronym> 9 may prove to be quite
 CPU intensive however, so organizations that make heavy use of these
 features may wish to consider larger systems for these applications.
-<acronym>BIND</acronym> 9 is now fully multithreaded, allowing full utilization of
+<acronym>BIND</acronym> 9 is fully multithreaded, allowing full utilization of
 multiprocessor systems for installations that need it.</para></sect1>
 <sect1><title>CPU Requirements</title>
 <para>CPU requirements for <acronym>BIND</acronym> 9 range from i486-class machines
@@ -414,80 +394,54 @@ option can be used to limit the amount of memory used by the cache,
 at the expense of reducing cache hit rates and causing more <acronym>DNS</acronym>
 traffic. It is still good practice to have enough memory to load
 all zone and cache data into memory &mdash; unfortunately, the best way
-to determine this for a given installation is to watch the nameserver
+to determine this for a given installation is to watch the name server
 in operation. After a few weeks the server process should reach
 a relatively stable size where entries are expiring from the cache as
-fast as they are being inserted. Ideally, the resource limits should
-be set higher than this stable size.</para></sect1>
+fast as they are being inserted.</para></sect1>
 
-<sect1><title>Nameserver Intensive Environment Issues</title>
-<para>For nameserver intensive environments, there are two alternative
+<sect1><title>Name Server Intensive Environment Issues</title>
+<para>For name server intensive environments, there are two alternative
 configurations that may be used. The first is where clients and
-any second-level internal nameservers query a main nameserver, which
+any second-level internal name servers query a main name server, which
 has enough memory to build a large cache. This approach minimizes
 the bandwidth used by external name lookups. The second alternative
-is to set up second-level internal nameservers to make queries independently.
+is to set up second-level internal name servers to make queries independently.
 In this configuration, none of the individual machines needs to
 have as much memory or CPU power as in the first alternative, but
 this has the disadvantage of making many more external queries,
-as none of the nameservers share their cached data.</para></sect1>
+as none of the name servers share their cached data.</para></sect1>
+
 <sect1><title>Supported Operating Systems</title>
-<para>ISC <acronym>BIND</acronym> 9 compiles and runs on the following operating
-systems:</para>
-    <itemizedlist>
-      <listitem>
-        <simpara>IBM AIX 4.3</simpara>
-      </listitem>
-      <listitem>
-        <simpara>Compaq Digital/Tru64 UNIX 4.0D</simpara>
-      </listitem>
-      <listitem>
-        <simpara>Compaq Digital/Tru64 UNIX 5 (with IPv6 EAK)</simpara>
-      </listitem>
-      <listitem>
-        <simpara>HP HP-UX 11</simpara>
-      </listitem>
-      <listitem>
-        <simpara>IRIX64 6.5</simpara>
-      </listitem>
-      <listitem>
-        <simpara>Sun Solaris 2.6, 7, 8</simpara>
-      </listitem>
-      <listitem>
-        <simpara>NetBSD 1.5 (with unproven-pthreads 0.17)</simpara>
-      </listitem>
-      <listitem>
-        <simpara>FreeBSD 3.4-STABLE, 3.5, 4.0, 4.1</simpara>
-      </listitem>
-      <listitem>
-        <simpara>Red Hat Linux 6.0, 6.1, 6.2, 7.0</simpara>
-      </listitem>
-    </itemizedlist>
-  </sect1>
-  </chapter>
+<para>ISC <acronym>BIND</acronym> 9 compiles and runs on a large number
+of Unix-like operating system and on Windows NT / 2000.  For an up-to-date
+list of supported systems, see the README file in the top level directory
+of the BIND 9 source distribution.</para>
+</sect1>
+</chapter>
 
-  <chapter id="Bv9ARM.ch03">
-  <title>Nameserver Configuration</title>
+<chapter id="ch03">
+<title>Name Server Configuration</title>
 <para>In this section we provide some suggested configurations along
 with guidelines for their use. We also address the topic of reasonable
 option setting.</para>
-  <sect1 id="sample_configuration">
-    <title>Sample Configurations</title>
-    <sect2>
-      <title>A Caching-only Nameserver</title>
-      <para>The following sample configuration is appropriate for a caching-only
+
+<sect1 id="sample_configuration">
+<title>Sample Configurations</title>
+<sect2>
+<title>A Caching-only Name Server</title>
+<para>The following sample configuration is appropriate for a caching-only
 name server for use by clients internal to a corporation.  All queries
-from outside clients are refused.</para>
-      <programlisting>
+from outside clients are refused using the <command>allow-query</command>
+option.  Alternatively, the same effect could be achieved using suitable
+firewall rules.</para>
+
+<programlisting>
 // Two corporate subnets we wish to allow queries from.
-acl "corpnets" { 192.168.4.0/24; 192.168.7.0/24; };
+acl corpnets { 192.168.4.0/24; 192.168.7.0/24; };
 options {
      directory "/etc/namedb";           // Working directory
-     pid-file "named.pid";              // Put pid file in working dir
-     allow-query { "corpnets"; };
+     allow-query { corpnets; };
 };
-// Root server hints
-zone "." { type hint; file "root.hint"; };
 // Provide a reverse mapping for the loopback address 127.0.0.1
 zone "0.0.127.in-addr.arpa" {
      type master;
@@ -495,21 +449,20 @@ zone "0.0.127.in-addr.arpa" {
      notify no;
 };
 </programlisting>
-    </sect2>
-    <sect2>
-      <title>An Authoritative-only Nameserver</title>
-      <para>This sample configuration is for an authoritative-only server
+</sect2>
+
+<sect2>
+<title>An Authoritative-only Name Server</title>
+<para>This sample configuration is for an authoritative-only server
 that is the master server for "<filename>example.com</filename>"
 and a slave for the subdomain "<filename>eng.example.com</filename>".</para>
-      <programlisting>
+
+<programlisting>
 options {
      directory "/etc/namedb";           // Working directory
-     pid-file "named.pid";              // Put pid file in working dir
      allow-query { any; };              // This is the default
      recursion no;                      // Do not provide recursive service
 };
-// Root server hints
-zone "." { type hint; file "root.hint"; };
 
 // Provide a reverse mapping for the loopback address 127.0.0.1
 zone "0.0.127.in-addr.arpa" {
@@ -535,19 +488,22 @@ zone "eng.example.com" {
      masters { 192.168.4.12; };
 };
 </programlisting>
-    </sect2>
-  </sect1>
-  <sect1>
-    <title>Load Balancing</title>
-    <para>Primitive load balancing can be achieved in <acronym>DNS</acronym> using multiple
-A records for one name.</para>
+</sect2>
+</sect1>
+
+<sect1>
+<title>Load Balancing</title>
+
+<para>A primitive form of load balancing can be achieved in
+the <acronym>DNS</acronym> by using multiple A records for one name.</para>
+
 <para>For example, if you have three WWW servers with network addresses
 of 10.0.0.1, 10.0.0.2 and 10.0.0.3, a set of records such as the
 following means that clients will connect to each machine one third
 of the time:</para>
-    <informaltable colsep = "0" rowsep = "0">
-<tgroup cols = "5" colsep = "0" rowsep = "0"
-    tgroupstyle = "2Level-table">
+
+<informaltable colsep = "0" rowsep = "0">
+<tgroup cols = "5" colsep = "0" rowsep = "0" tgroupstyle = "2Level-table">
 <colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.875in"/>
 <colspec colname = "2" colnum = "2" colsep = "0" colwidth = "0.500in"/>
 <colspec colname = "3" colnum = "3" colsep = "0" colwidth = "0.750in"/>
@@ -598,113 +554,105 @@ of the time:</para>
     <acronym>BIND</acronym> 9, and only the ordering scheme described above is
     available.</para>
 
-  </sect1>
-  <sect1 id="notify">
-    <title>Notify</title>
-
-    <para><acronym>DNS</acronym> Notify is a mechanism that allows master nameservers to
-    notify their slave servers of changes to a zone's data. In
-    response to a <command>NOTIFY</command> from a master server, the
-    slave will check to see that its version of the zone is the
-    current version and, if not, initiate a transfer.</para> <para><acronym>DNS</acronym>
-    Notify is fully documented in RFC 1996. See also the description
-    of the zone option <command>also-notify</command>, see
-    <xref linkend="zone_transfers"/>. For more information about
-    <command>notify</command>, see <xref
-    linkend="boolean_options"/>.</para>
+</sect1>
 
-  </sect1>
-  <sect1>
-    <title>Nameserver Operations</title>
-    <sect2>
-      <title>Tools for Use With the Nameserver Daemon</title>
-      <para>There are several indispensable diagnostic, administrative
+<sect1>
+<title>Name Server Operations</title>
+
+<sect2>
+<title>Tools for Use With the Name Server Daemon</title>
+<para>There are several indispensable diagnostic, administrative
 and monitoring tools available to the system administrator for controlling
-and debugging the nameserver daemon. We describe several in this
+and debugging the name server daemon. We describe several in this
 section </para>
-      <sect3 id="diagnostic_tools">
-        <title>Diagnostic Tools</title>
-        <variablelist>
-          <varlistentry>
-            <term id="dig"><command>dig</command></term>
-            <listitem>
-              <para>The domain information groper (<command>dig</command>) is
-a command line tool that can be used to gather information from
-the Domain Name System servers. Dig has two modes: simple interactive
+<sect3 id="diagnostic_tools">
+<title>Diagnostic Tools</title>
+<para>The <command>dig</command>, <command>host</command>, and
+<command>nslookup</command> programs are all command line tools
+for manually querying name servers.  They differ in style and
+output format.
+</para>
+
+<variablelist>
+<varlistentry>
+<term id="dig"><command>dig</command></term>
+<listitem>
+<para>The domain information groper (<command>dig</command>)
+is the most versatile and complete of these lookup tools.
+It has two modes: simple interactive
 mode for a single query, and batch mode which executes a query for
 each in a list of several query lines. All query options are accessible
 from the command line.</para>
-              <cmdsynopsis label="Usage">
-                        <command>dig</command>
-                        <arg>@<replaceable>server</replaceable></arg>
-                        <arg choice="plain"><replaceable>domain</replaceable></arg>
-                        <arg><replaceable>query-type</replaceable></arg>
-                        <arg><replaceable>query-class</replaceable></arg>
-                        <arg>+<replaceable>query-option</replaceable></arg>
-                        <arg>-<replaceable>dig-option</replaceable></arg>
-                        <arg>%<replaceable>comment</replaceable></arg>
-                <!-- one of (SBR GROUP ARG COMMAND) -->
-              </cmdsynopsis>
-              <para>The usual simple use of dig will take the form</para>
-              <simpara><command>dig @server domain query-type query-class</command></simpara>
-              <para>For more information and a list of available commands and
+<cmdsynopsis label="Usage">
+        <command>dig</command>
+        <arg>@<replaceable>server</replaceable></arg>
+        <arg choice="plain"><replaceable>domain</replaceable></arg>
+        <arg><replaceable>query-type</replaceable></arg>
+        <arg><replaceable>query-class</replaceable></arg>
+        <arg>+<replaceable>query-option</replaceable></arg>
+        <arg>-<replaceable>dig-option</replaceable></arg>
+        <arg>%<replaceable>comment</replaceable></arg>
+</cmdsynopsis>
+<para>The usual simple use of dig will take the form</para>
+<simpara><command>dig @server domain query-type query-class</command></simpara>
+<para>For more information and a list of available commands and
 options, see the <command>dig</command> man page.</para>
-            </listitem>
-          </varlistentry>
-          <varlistentry>
-            <term><command>host</command></term>
-            <listitem>
-              <para>The <command>host</command> utility
-provides a simple <acronym>DNS</acronym> lookup using a command-line interface for
-looking up Internet hostnames. By default, the utility converts
+</listitem>
+</varlistentry>
+
+<varlistentry>
+<term><command>host</command></term>
+<listitem>
+<para>The <command>host</command> utility emphasizes simplicity
+and ease of use.  By default, it converts
 between host names and Internet addresses, but its functionality
 can be extended with the use of options.</para>
-              <cmdsynopsis label="Usage">
-                <!-- one of (SBR GROUP ARG COMMAND) -->
-                <command>host</command>
-                <arg>-aCdlrTwv</arg>
-                <arg>-c <replaceable>class</replaceable></arg>
-                <arg>-N <replaceable>ndots</replaceable></arg>
-                <arg>-t <replaceable>type</replaceable></arg>
-                <arg>-W <replaceable>timeout</replaceable></arg>
-                <arg>-R <replaceable>retries</replaceable></arg>
-                <arg choice="plain"><replaceable>hostname</replaceable></arg>
-                <arg><replaceable>server</replaceable></arg>
-              </cmdsynopsis>
-              <para>For more information and a list of available commands and
+<cmdsynopsis label="Usage">
+        <command>host</command>
+        <arg>-aCdlrTwv</arg>
+        <arg>-c <replaceable>class</replaceable></arg>
+        <arg>-N <replaceable>ndots</replaceable></arg>
+        <arg>-t <replaceable>type</replaceable></arg>
+        <arg>-W <replaceable>timeout</replaceable></arg>
+        <arg>-R <replaceable>retries</replaceable></arg>
+        <arg choice="plain"><replaceable>hostname</replaceable></arg>
+        <arg><replaceable>server</replaceable></arg>
+</cmdsynopsis>
+<para>For more information and a list of available commands and
 options, see the <command>host</command> man page.</para>
-            </listitem>
-          </varlistentry>
-          <varlistentry>
-            <term><command>nslookup</command></term>
-            <listitem>
-              <para><command>nslookup</command> is a program used to query Internet
-domain nameservers. <command>nslookup</command> has two modes: interactive
-and non-interactive. Interactive mode allows the user to query nameservers
+</listitem>
+</varlistentry>
+
+<varlistentry>
+<term><command>nslookup</command></term>
+<listitem>
+<para><command>nslookup</command> has two modes: interactive
+and non-interactive. Interactive mode allows the user to query name servers
 for information about various hosts and domains or to print a list
 of hosts in a domain. Non-interactive mode is used to print just
 the name and requested information for a host or domain.</para>
-              <cmdsynopsis label="Usage">
-                <command>nslookup</command>
-                <arg rep="repeat">-option</arg>
-                <group>
-                  <arg><replaceable>host-to-find</replaceable></arg>
-                  <arg>- <arg>server</arg></arg>
-                </group>
-              </cmdsynopsis>
+<cmdsynopsis label="Usage">
+        <command>nslookup</command>
+        <arg rep="repeat">-option</arg>
+        <group>
+                <arg><replaceable>host-to-find</replaceable></arg>
+                <arg>- <arg>server</arg></arg>
+        </group>
+</cmdsynopsis>
 <para>Interactive mode is entered when no arguments are given (the
-default nameserver will be used) or when the first argument is a
+default name server will be used) or when the first argument is a
 hyphen (`-') and the second argument is the host name or Internet address
-of a nameserver.</para>
+of a name server.</para>
 <para>Non-interactive mode is used when the name or Internet address
 of the host to be looked up is given as the first argument. The
-optional second argument specifies the host name or address of a nameserver.</para>
+optional second argument specifies the host name or address of a name server.</para>
 <para>Due to its arcane user interface and frequently inconsistent
 behavior, we do not recommend the use of <command>nslookup</command>.
 Use <command>dig</command> instead.</para>
-            </listitem>
-          </varlistentry>
-        </variablelist>
+</listitem>
+
+</varlistentry>
+</variablelist>
 </sect3>
 
 <sect3 id="admin_tools">
@@ -743,12 +691,7 @@ of a server.</para>
             <listitem>
               <para>The remote name daemon control
               (<command>rndc</command>) program allows the system
-              administrator to control the operation of a nameserver.
-              In <acronym>BIND</acronym> 9.2, <command>rndc</command>
-              supports all the commands of the BIND 8 <command>ndc</command>
-              utility except <command>ndc start</command> and
-              <command>ndc restart</command>, which were also
-              not supported in <command>ndc</command>'s channel mode.
+              administrator to control the operation of a name server.
               If you run <command>rndc</command> without any options
               it will display a usage message as follows:</para>
               <cmdsynopsis label="Usage">
@@ -760,7 +703,7 @@ of a server.</para>
                 <arg choice="plain"><replaceable>command</replaceable></arg>
                 <arg rep="repeat"><replaceable>command</replaceable></arg>
               </cmdsynopsis>
-              <para>The <command>command</command> is one of the following:</para>
+              <para><command>command</command> is one of the following:</para>
 
 <variablelist>
 
@@ -780,6 +723,31 @@ of a server.</para>
    <listitem><para>Schedule zone maintenance for the given zone.</para></listitem>
    </varlistentry>
 
+   <varlistentry><term><userinput>retransfer <replaceable>zone</replaceable>
+       <optional><replaceable>class</replaceable>
+           <optional><replaceable>view</replaceable></optional></optional></userinput></term>
+   <listitem><para>Retransfer the given zone from the master.</para></listitem>
+   </varlistentry>
+
+   <varlistentry><term><userinput>freeze <replaceable>zone</replaceable>
+       <optional><replaceable>class</replaceable>
+           <optional><replaceable>view</replaceable></optional></optional></userinput></term>
+   <listitem><para>Suspend updates to a dynamic zone.  This allows manual
+    edits to be made to a zone normally updated by dynamic update.  It
+    also causes changes in the journal file to be synced into the master
+    and the journal file to be removed.  All dynamic update attempts will
+    be refused while the zone is frozen.</para></listitem>
+   </varlistentry>
+
+   <varlistentry><term><userinput>unfreeze <replaceable>zone</replaceable>
+       <optional><replaceable>class</replaceable>
+           <optional><replaceable>view</replaceable></optional></optional></userinput></term>
+   <listitem><para>Enable updates to a frozen dynamic zone.  This causes
+    the server to reload the zone from disk, and re-enables dynamic updates
+    after the load has completed.  After a zone is unfrozen, dynamic updates
+    will no longer be refused.</para></listitem>
+   </varlistentry>
+
    <varlistentry><term><userinput>reconfig</userinput></term>
    <listitem><para>Reload the configuration file and load new zones,
    but do not reload existing zone files even if they have changed.
@@ -830,15 +798,16 @@ of a server.</para>
 
    <varlistentry><term><userinput>status</userinput></term>
    <listitem><para>Display status of the server.
-Note that the number of zones includes the internal <command>bind/CH</command> zone
-and the default <command>./IN</command> hint zone if there is not an
+Note the number of zones includes the internal <command>bind/CH</command> zone
+and the default <command>./IN</command> hint zone if there is not a
 explicit root zone configured.</para></listitem></varlistentry>
 
 </variablelist>
 
 <para>In <acronym>BIND</acronym> 9.2, <command>rndc</command>
 supports all the commands of the BIND 8 <command>ndc</command>
-utility except <command>ndc start</command>, which was also
+utility except <command>ndc start</command> and
+<command>ndc restart</command>, which were also
 not supported in <command>ndc</command>'s channel mode.</para>
 
 <para>A configuration file is required, since all
@@ -876,14 +845,18 @@ host name or address argument  and represents the server that will
 be contacted if no <option>-s</option>
 option is provided on the command line.  
 <command>default-key</command> takes
-the name of key as its argument, as defined by a <command>key</command> statement.
+the name of a key as its argument, as defined by a <command>key</command> statement.
 <command>default-port</command> specifies the port to which
 <command>rndc</command> should connect if no
 port is given on the command line or in a
 <command>server</command> statement.</para>
 
-<para>The <command>key</command> statement names a key with its
-string argument. The string is required by the server to be a valid
+<para>The <command>key</command> statement defines an key to be used
+by <command>rndc</command> when authenticating with
+<command>named</command>.  Its syntax is identical to the
+<command>key</command> statement in named.conf.
+The keyword <userinput>key</userinput> is
+followed by a key name, which must be a valid
 domain name, though it need not actually be hierarchical; thus,
 a string like "<userinput>rndc_key</userinput>" is a valid name.
 The <command>key</command> statement has two clauses:
@@ -892,14 +865,16 @@ While the configuration parser will accept any string as the argument
 to algorithm, currently only the string "<userinput>hmac-md5</userinput>"
 has any meaning.  The secret is a base-64 encoded string.</para>
 
-<para>The <command>server</command> statement uses the key clause
-to associate a <command>key</command>-defined key with a server.
-The argument to the <command>server</command> statement is a
-host name or address (addresses must be double quoted).  The argument
-to the key clause is the name of the key as defined by the <command>key</command> statement.
-The <command>port</command> clause can be used to 
-specify the port to which <command>rndc</command> should connect
-on the given server.</para>
+<para>The <command>server</command> statement associates a key
+defined using the <command>key</command> statement with a server.
+The keyword <userinput>server</userinput> is followed by a
+host name or address.  The <command>server</command> statement
+has two clauses: <command>key</command> and <command>port</command>.
+The <command>key</command> clause specifies the name of the key
+to be used when communicating with this server, and the
+<command>port</command> clause can be used to
+specify the port <command>rndc</command> should connect
+to on the server.</para>
 
 <para>A sample minimal configuration file is as follows:</para>
 <programlisting>
@@ -908,7 +883,7 @@ key rndc_key {
      secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
 };
 options {
-     default-server localhost;
+     default-server 127.0.0.1;
      default-key    rndc_key;
 };
 </programlisting>
@@ -918,8 +893,8 @@ would allow the command:</para>
 
 <para><prompt>$ </prompt><userinput>rndc reload</userinput></para>
 
-<para>to connect to 127.0.0.1 port 953 and cause the nameserver
-to reload, if a nameserver on the local machine were running with
+<para>to connect to 127.0.0.1 port 953 and cause the name server
+to reload, if a name server on the local machine were running with
 following controls statements:</para>
 <programlisting>
 controls {
@@ -977,15 +952,35 @@ reload the database. </para></entry>
   </sect1>
   </chapter>
 
-  <chapter id="Bv9ARM.ch04">
-  <title>Advanced Concepts</title>
+<chapter id="ch04">
+<title>Advanced DNS Features</title>
+
+<sect1 id="notify">
+
+<title>Notify</title>
+<para><acronym>DNS</acronym> NOTIFY is a mechanism that allows master
+servers to notify their slave servers of changes to a zone's data. In
+response to a <command>NOTIFY</command> from a master server, the
+slave will check to see that its version of the zone is the
+current version and, if not, initiate a zone transfer.</para>
+
+<para><acronym>DNS</acronym>
+For more information about
+<command>NOTIFY</command>, see the description of the
+<command>notify</command> option in <xref linkend="boolean_options"/> and
+the description of the zone option <command>also-notify</command> in
+<xref linkend="zone_transfers"/>.  The <command>NOTIFY</command>
+protocol is specified in RFC 1996.
+</para>
+
+</sect1>
 
 <sect1 id="dynamic_update">
-    <title>Dynamic Update</title>
+<title>Dynamic Update</title>
 
-    <para>Dynamic update is the term used for the ability under
-    certain specified conditions to add, modify or delete records or
-    RRsets in the master zone files. Dynamic update is fully described
+    <para>Dynamic Update is a method for adding, replacing or deleting
+    records in a master server by sending it a special form of DNS
+    messages.  The format and meaning of these messages is specified
     in RFC 2136.</para>
 
     <para>Dynamic update is enabled on a zone-by-zone basis, by
@@ -1004,7 +999,7 @@ reload the database. </para></entry>
 
     <para>All changes made to a zone using dynamic update are stored in the
     zone's journal file.  This file is automatically created by the
-    server when the first dynamic update takes place.  The name of
+    server when when the first dynamic update takes place.  The name of
     the journal file is formed by appending the
     extension <filename>.jnl</filename> to the
     name of the corresponding zone file.  The journal file is in a
@@ -1014,8 +1009,8 @@ reload the database. </para></entry>
     the complete contents of the updated zone to its zone file.
     This is not done immediately after
     each dynamic update, because that would be too slow when a large
-    zone is updated frequently.  Instead, the dump is delayed by 15
-    minutes, allowing additional updates to take place.</para>
+    zone is updated frequently.  Instead, the dump is delayed by
+    up to 15 minutes, allowing additional updates to take place.</para>
 
     <para>When a server is restarted after a shutdown or crash, it will replay
     the journal file to incorporate into the zone any updates that took
@@ -1026,47 +1021,51 @@ reload the database. </para></entry>
 
     <para>The zone files of dynamic zones cannot normally be edited by
     hand because they are not guaranteed to contain the most recent
-    dynamic changes &mdash; those are only in the journal file.
+    dynamic changes - those are only in the journal file.
     The only way to ensure that the zone file of a dynamic zone
     is up to date is to run <command>rndc stop</command>.</para>
 
     <para>If you have to make changes to a dynamic zone
-    manually, the following procedure will work: Shut down
-    the server using <command>rndc stop</command> (sending a signal
-    or using <command>rndc halt</command> is <emphasis>not</emphasis>
-    sufficient). Wait for the server to exit,
-    then <emphasis>remove</emphasis> the zone's 
-    <filename>.jnl</filename> file, edit the zone file,
-    and restart the server.  Removing the <filename>.jnl</filename>
-    file is necessary because the manual edits will not be
-    present in the journal, rendering it inconsistent with the
-    contents of the zone file.</para>
+    manually, the following procedure will work: Disable dynamic updates
+    to the zone using
+    <command>rndc freeze <replaceable>zone</replaceable></command>.
+    This will also remove the zone's <filename>.jnl</filename> file
+    and update the master file.  Edit the zone file.  Run
+    <command>rndc unfreeze <replaceable>zone</replaceable></command>
+    to reload the changed zone and re-enable dynamic updates.</para>
 
   </sect2>
     
 </sect1>
     
-  <sect1 id="incremental_zone_transfers">
-    <title>Incremental Zone Transfers (IXFR)</title>
+<sect1 id="incremental_zone_transfers">
+<title>Incremental Zone Transfers (IXFR)</title>
 
-    <para>The incremental zone transfer (IXFR) protocol is a way for
-    slave servers to transfer only changed data, instead of having to
-    transfer the entire zone. The IXFR protocol is documented in RFC
-    1995. See <xref linkend="proposed_standards"/>.</para>
+<para>The incremental zone transfer (IXFR) protocol is a way for
+slave servers to transfer only changed data, instead of having to
+transfer the entire zone. The IXFR protocol is specified in RFC
+1995. See <xref linkend="proposed_standards"/>.</para>
 
-<para>When acting as a master, <acronym>BIND</acronym> 9 supports IXFR for those zones
+<para>When acting as a master, <acronym>BIND</acronym> 9
+supports IXFR for those zones
 where the necessary change history information is available. These
 include master zones maintained by dynamic update and slave zones
-whose data was obtained by IXFR, but not manually maintained master
-zones nor slave zones obtained by performing a full zone transfer
-(AXFR).</para>
-<para>When acting as a slave, <acronym>BIND</acronym> 9 will attempt to use IXFR unless
+whose data was obtained by IXFR.  For manually maintained master
+zones, and for slave zones obtained by performing a full zone 
+transfer (AXFR), IXFR is supported only if the option
+<command>ixfr-from-differences</command> is set
+to <userinput>yes</userinput>.
+</para>
+
+<para>When acting as a slave, <acronym>BIND</acronym> 9 will 
+attempt to use IXFR unless
 it is explicitly disabled. For more information about disabling
 IXFR, see the description of the <command>request-ixfr</command> clause
-of the <command>server</command> statement.</para></sect1>
+of the <command>server</command> statement.</para>
+</sect1>
 
 <sect1><title>Split DNS</title>
-<para>Setting up different views, or visibility, of DNS space to
+<para>Setting up different views, or visibility, of the DNS space to
 internal and external resolvers is usually referred to as a <emphasis>Split
 DNS</emphasis> setup. There are several reasons an organization
 would want to set up its DNS this way.</para>
@@ -1081,9 +1080,9 @@ to allow internal networks that are behind filters or in RFC 1918
 space (reserved IP space, as documented in RFC 1918) to resolve DNS
 on the Internet. Split DNS can also be used to allow mail from outside
 back in to the internal network.</para>
-<sect2>
-<title>Example split DNS setup</title>
-<para>Let's say a company named <emphasis>Example, Inc.</emphasis> (example.com)
+<para>Here is an example of a split DNS setup:</para>
+<para>Let's say a company named <emphasis>Example, Inc.</emphasis>
+(<literal>example.com</literal>)
 has several corporate sites that have an internal network with reserved
 Internet Protocol (IP) space and an external demilitarized zone (DMZ),
 or "outside" section of a network, that is available to the public.</para>
@@ -1093,7 +1092,7 @@ people on the outside. The company also wants its internal resolvers
 to have access to certain internal-only zones that are not available
 at all outside of the internal network.</para>
 <para>In order to accomplish this, the company will set up two sets
-of nameservers. One set will be on the inside network (in the reserved
+of name servers. One set will be on the inside network (in the reserved
 IP space) and the other set will be on bastion hosts, which are "proxy"
 hosts that can talk to both sides of its network, in the DMZ.</para>
 <para>The internal servers will be configured to forward all queries,
@@ -1103,7 +1102,7 @@ DMZ. These internal servers will have complete sets of information
 for <filename>site1.example.com</filename>, <filename>site2.example.com</filename>,<emphasis> </emphasis><filename>site1.internal</filename>,
 and <filename>site2.internal</filename>.</para>
 <para>To protect the <filename>site1.internal</filename> and <filename>site2.internal</filename> domains,
-the internal nameservers must be configured to disallow all queries
+the internal name servers must be configured to disallow all queries
 to these domains from any external hosts, including the bastion
 hosts.</para>
 <para>The external servers, which are on the bastion hosts, will
@@ -1119,18 +1118,18 @@ to those internal hosts. With the wildcard records, the mail will
 be delivered to the bastion host, which can then forward it on to
 internal hosts.</para>
 <para>Here's an example of a wildcard MX record:</para>
-<programlisting>*   IN MX 10 external1.example.com.</programlisting>
+<programlisting><literal>*   IN MX 10 external1.example.com.</literal></programlisting>
 <para>Now that they accept mail on behalf of anything in the internal
 network, the bastion hosts will need to know how to deliver mail
 to internal hosts. In order for this to work properly, the resolvers on
 the bastion hosts will need to be configured to point to the internal
-nameservers for DNS resolution.</para>
+name servers for DNS resolution.</para>
 <para>Queries for internal hostnames will be answered by the internal
 servers, and queries for external hostnames will be forwarded back
 out to the DNS servers on the bastion hosts.</para>
 <para>In order for all this to work properly, internal clients will
 need to be configured to query <emphasis>only</emphasis> the internal
-nameservers for DNS queries. This could also be enforced via selective
+name servers for DNS queries. This could also be enforced via selective
 filtering on the network.</para>
 <para>If everything has been set properly, <emphasis>Example, Inc.</emphasis>'s
 internal clients will now be able to:</para>
@@ -1143,7 +1142,7 @@ internal clients will now be able to:</para>
 <listitem>
         <simpara>Look up any hostnames on the Internet.</simpara></listitem>
 <listitem>
-        <simpara>Exchange mail with both internal AND external people.</simpara></listitem></itemizedlist>
+        <simpara>Exchange mail with internal AND external people.</simpara></listitem></itemizedlist>
 <para>Hosts on the Internet will be able to:</para>
 <itemizedlist><listitem>
         <simpara>Look up any hostnames in the <literal>site1</literal> and 
@@ -1155,7 +1154,7 @@ internal clients will now be able to:</para>
     <para>Here is an example configuration for the setup we just
     described above. Note that this is only configuration information;
     for information on how to configure your zone files, see <xref
-    linkend="sample_configuration"/>.</para>
+    linkend="sample_configuration"/></para>
 
 <para>Internal DNS server config:</para>
 <programlisting>
@@ -1187,7 +1186,7 @@ zone "site1.example.com" {                      // sample master zone
   allow-transfer { internals; };
 };
 
-zone "site2.example.com" {
+zone "site2.example.com" {                      // sample slave zone
   type slave;
   file "s/site2.example.com";
   masters { 172.16.72.3; };
@@ -1252,7 +1251,6 @@ nameserver 172.16.72.2
 nameserver 172.16.72.3
 nameserver 172.16.72.4
 </programlisting>
-    </sect2>
 </sect1>
 <sect1 id="tsig"><title>TSIG</title>
 <para>This is a short guide to setting up Transaction SIGnatures
@@ -1267,9 +1265,9 @@ for TSIG.</para>
 
     <para>TSIG might be most useful for dynamic update. A primary
     server for a dynamic zone should use access control to control
-    updates, but IP-based access control is insufficient. Key-based
-    access control is far superior, see <xref
-    linkend="proposed_standards"/>. The <command>nsupdate</command>
+    updates, but IP-based access control is insufficient.
+    The cryptographic access control provided by TSIG
+    is far superior. The <command>nsupdate</command>
     program supports TSIG via the <option>-k</option> and
     <option>-y</option> command line options.</para>
 
@@ -1278,11 +1276,11 @@ for TSIG.</para>
 An arbitrary key name is chosen: "host1-host2.". The key name must
 be the same on both hosts.</para>
 <sect3><title>Automatic Generation</title>
-<para>The following command will generate a 128-bit (16 byte) HMAC-MD5
+<para>The following command will generate a 128 bit (16 byte) HMAC-MD5
 key as described above. Longer keys are better, but shorter keys
 are easier to read. Note that the maximum key length is 512 bits;
-keys longer than that will be digested with MD5 to produce a
-128-bit key.</para>
+keys longer than that will be digested with MD5 to produce a 128
+bit key.</para>
         <para><userinput>dnssec-keygen -a hmac-md5 -b 128 -n HOST host1-host2.</userinput></para>
 <para>The key is in the file <filename>Khost1-host2.+157+00000.private</filename>.
 Nothing directly uses this file, but the base-64 encoded string
@@ -1317,8 +1315,9 @@ readable, or the key directive be added to a non-world readable
 file that is included by <filename>named.conf</filename>.</para>
 <para>At this point, the key is recognized. This means that if the
 server receives a message signed by this key, it can verify the
-signature. If the signature succeeds, the response is signed by
-the same key.</para></sect2>
+signature. If the signature is successfully verified, the
+response is signed by the same key.</para></sect2>
+
 <sect2><title>Instructing the Server to Use the Key</title>
 <para>Since keys are shared between two hosts only, the server must
 be told when keys are to be used. The following is added to the <filename>named.conf</filename> file
@@ -1361,12 +1360,11 @@ allow-update { key host1-host2. ;};
       <title>Errors</title>
 
       <para>The processing of TSIG signed messages can result in
-      several errors. If a signed message is sent to a non-TSIG
-      aware server, a FORMERR (format error) will be returned, since
-      the server will not understand the record. This is a result
-      of misconfiguration, since the server must be explicitly
-      configured to send a TSIG signed message to a specific
-      server.</para>
+      several errors. If a signed message is sent to a non-TSIG aware
+      server, a FORMERR will be returned, since the server will not
+      understand the record. This is a result of misconfiguration,
+      since the server must be explicitly configured to send a TSIG
+      signed message to a specific server.</para>
 
       <para>If a TSIG aware server receives a message signed by an
       unknown key, the response will be unsigned with the TSIG
@@ -1377,8 +1375,8 @@ allow-update { key host1-host2. ;};
       outside of the allowed range, the response will be signed with
       the TSIG extended error code set to BADTIME, and the time values
       will be adjusted so that the response can be successfully
-      verified. In any of these cases, the message's rcode (response code) is set to
-      NOTAUTH (not authenticated).</para>
+      verified. In any of these cases, the message's rcode is set to
+      NOTAUTH.</para>
 
     </sect2>
   </sect1>
@@ -1388,7 +1386,8 @@ allow-update { key host1-host2. ;};
     <para><command>TKEY</command> is a mechanism for automatically
     generating a shared secret between two hosts.  There are several
     "modes" of <command>TKEY</command> that specify how the key is
-    generated or assigned.  <acronym>BIND</acronym> implements only one of these modes,
+    generated or assigned.  <acronym>BIND</acronym> 9
+    implements only one of these modes,
     the Diffie-Hellman key exchange.  Both hosts are required to have
     a Diffie-Hellman KEY record (although this record is not required
     to be present in a zone).  The <command>TKEY</command> process
@@ -1413,21 +1412,21 @@ allow-update { key host1-host2. ;};
   <sect1>
     <title>SIG(0)</title>
 
-    <para><acronym>BIND</acronym> 9 partially supports DNSSEC SIG(0) transaction
-    signatures as specified in RFC 2535.  SIG(0) uses public/private
-    keys to authenticate messages.  Access control is performed in the
-    same manner as TSIG keys; privileges can be granted or denied
-    based on the key name.</para>
+    <para><acronym>BIND</acronym> 9 partially supports DNSSEC SIG(0)
+    transaction signatures as specified in RFC 2535 and RFC2931.  SIG(0)
+    uses public/private keys to authenticate messages.  Access control
+    is performed in the same manner as TSIG keys; privileges can be
+    granted or denied based on the key name.</para>
 
     <para>When a SIG(0) signed message is received, it will only be
     verified if the key is known and trusted by the server; the server
-    will not attempt to locate and / or validate the key.</para>
+    will not attempt to locate and/or validate the key.</para>
 
     <para>SIG(0) signing of multiple-message TCP streams is not
     supported.</para>
 
-    <para><acronym>BIND</acronym> 9 does not ship with any tools that generate SIG(0)
-    signed messages.</para>
+    <para>The only tool shipped with <acronym>BIND</acronym> 9 that
+    generates SIG(0) signed messages is <command>nsupdate</command>.</para>
 
   </sect1>
   <sect1 id="DNSSEC">
@@ -1442,9 +1441,10 @@ allow-update { key host1-host2. ;};
     of steps which must be followed.  <acronym>BIND</acronym> 9 ships
     with several tools
     that are used in this process, which are explained in more detail
-    below.  In all cases, the "<option>-h</option>" option prints a
+    below.  In all cases, the <option>-h</option> option prints a
     full list of parameters.  Note that the DNSSEC tools require the
-    keyset and signedkey files to be in the working directory, and
+    keyset and signedkey files to be in the working directory or the
+    directory specified by the <option>-h</option> option, and
     that the tools shipped with BIND 9.0.x are not fully compatible
     with the current ones.</para>
 
@@ -1470,10 +1470,9 @@ allow-update { key host1-host2. ;};
       <command>ZONE</command>, and must be usable for authentication.
       It is recommended that zone keys use a cryptographic algorithm
       designated as "mandatory to implement" by the IETF; currently
-      these are RSASHA1 (which is not yet supported in BIND 9.2)
-      and DSA.</para>
+      these are RSASHA1 and DSA.</para>
 
-      <para>The following command will generate a 768-bit DSA key for
+      <para>The following command will generate a 768 bit DSA key for
       the <filename>child.example</filename> zone:</para>
 
       <para><userinput>dnssec-keygen -a DSA -b 768 -n ZONE child.example.</userinput></para>
@@ -1481,9 +1480,9 @@ allow-update { key host1-host2. ;};
       <para>Two output files will be produced:
       <filename>Kchild.example.+003+12345.key</filename> and
       <filename>Kchild.example.+003+12345.private</filename> (where
-      12345 is an example of a key tag).  The key filenames contain
+      12345 is an example of a key tag).  The key file names contain
       the key name (<filename>child.example.</filename>), algorithm (3
-      is DSA, 1 is RSA, etc.), and the key tag (12345 in this case).
+      is DSA, 1 is RSAMD5, 5 is RSASHA1, etc.), and the key tag (12345 in this case).
       The private key (in the <filename>.private</filename> file) is
       used to generate signatures, and the public key (in the
       <filename>.key</filename> file) is used for signature
@@ -1492,9 +1491,10 @@ allow-update { key host1-host2. ;};
       <para>To generate another key with the same properties (but with
       a different key tag), repeat the above command.</para>
 
-      <para>The public keys should be inserted into the zone file with
-      <command>$INCLUDE</command> statements, including the
-      <filename>.key</filename> files.</para>
+      <para>The public keys should be inserted into the zone file by
+      including the <filename>.key</filename> files using
+      <command>$INCLUDE</command> statements.
+      </para>
 
     </sect2>
     <sect2>
@@ -1587,8 +1587,8 @@ allow-update { key host1-host2. ;};
 
 <sect2><title>Configuring Servers</title>
 
-<para>Unlike in <acronym>BIND</acronym> 8, 
-data is not verified on load in <acronym>BIND</acronym> 9,
+<para>Unlike <acronym>BIND</acronym> 8, 
+<acronym>BIND</acronym> 9 does not verify signatures on load,
 so zone keys for authoritative zones do not need to be specified
 in the configuration file.</para>
 
@@ -1602,28 +1602,32 @@ statement, as described later in this document. </para>
   <sect1>
     <title>IPv6 Support in <acronym>BIND</acronym> 9</title>
 
-    <para><acronym>BIND</acronym> 9 fully supports all currently
-    defined forms of IPv6 name to address and address to name
-    lookups.  It will also use IPv6 addresses to make queries when
-    running on an IPv6 capable system.</para>
-
-    <para>For forward lookups, <acronym>BIND</acronym> 9 supports
-    both A6 and AAAA records.  The use of A6 records has been moved
-    to experimental (RFC 3363) and should be treated as deprecated.</para>
-
-    <para>The use of "bitstring" labels for IPv6 has been moved to
-    experimental (RFC 3363) reverting to a nibble format.  The
-    suffix for the IPv6 reverse lookups has also changed from
-    <literal>IP6.INT</literal> to <literal>IP6.ARPA</literal> (RFC
-    3152).</para>
-
-    <para><acronym>BIND</acronym> 9 now defaults to nibble
-    <literal>IP6.ARPA</literal> format lookups.</para>
-
-    <para><acronym>BIND</acronym> 9 includes a new lightweight resolver library and
-    resolver daemon which new applications may choose to use to avoid
-    the complexities of A6 chain following and bitstring labels, see <xref
-    linkend="Bv9ARM.ch05"/>.</para>
+    <para><acronym>BIND</acronym> 9 fully supports all currently defined forms of IPv6
+    name to address and address to name lookups.  It will also use
+    IPv6 addresses to make queries when running on an IPv6 capable
+    system.</para>
+
+    <para>For forward lookups, <acronym>BIND</acronym> 9 supports only AAAA
+    records.  The use of A6 records is deprecated by RFC 3363, and the
+    support for forward lookups in <acronym>BIND</acronym> 9 is
+    removed accordingly.
+    However, authoritative <acronym>BIND</acronym> 9 name servers still
+    load zone files containing A6 records correctly, answer queries
+    for A6 records, and accept zone transfer for a zone containing A6
+    records.</para>
+
+    <para>For IPv6 reverse lookups, <acronym>BIND</acronym> 9 supports
+    the traditional "nibble" format used in the
+    <emphasis>ip6.arpa</emphasis> domain, as well as the older, deprecated
+    <emphasis>ip6.int</emphasis> domain.
+    <acronym>BIND</acronym> 9 formerly
+    supported the "binary label" (also known as "bitstring") format.
+    The support of binary labels, however, is now completely removed
+    according to the changes in RFC 3363.
+    Any applications in <acronym>BIND</acronym> 9 do not understand
+    the format any more, and will return an error if given.
+    In particular, an authoritative <acronym>BIND</acronym> 9 name
+    server rejects to load a zone file containing binary labels.</para>
 
     <para>For an overview of the format and structure of IPv6 addresses,
     see <xref linkend="ipv6addresses"/>.</para>
@@ -1637,36 +1641,41 @@ statement, as described later in this document. </para>
 
 <programlisting>
 $ORIGIN example.com.
-host            3600    IN      AAAA    2001:db8::1
+host            3600    IN      AAAA    2001:4f8:201:1860:42::1
 </programlisting>
 
+        <para>It is recommended that IPv4-in-IPv6 mapped addresses not
+        be used.  If a host has an IPv4 address, use an A record, not
+        a AAAA, with <literal>::ffff:192.168.42.1</literal> as the
+        address.</para>
     </sect2>
     <sect2>
       <title>Address to Name Lookups Using Nibble Format</title>
 
       <para>When looking up an address in nibble format, the address
       components are simply reversed, just as in IPv4, and
-      <literal>IP6.ARPA.</literal> is appended to the resulting name.
+      <literal>ip6.arpa.</literal> is appended to the resulting name.
       For example, the following would provide reverse name lookup for
       a host with address
-      <literal>2001:db8::1</literal>.</para>
+      <literal>2001:4f8:201:1860:42::1</literal>.</para>
 
 <programlisting>
-$ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
-1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0   14400 IN      PTR     host.example.com.
+$ORIGIN 0.6.8.1.1.0.2.0.8.f.4.0.1.0.0.2.ip6.arpa.
+1.0.0.0.0.0.0.0.0.0.0.0.2.4.0.0   14400 IN      PTR     host.example.com.
 </programlisting>
     </sect2>
   </sect1>
   </chapter>
 
-  <chapter id="Bv9ARM.ch05"><title>The <acronym>BIND</acronym> 9 Lightweight Resolver</title>
+  <chapter id="ch05"><title>The <acronym>BIND</acronym> 9 Lightweight Resolver</title>
 <sect1><title>The Lightweight Resolver Library</title>
 <para>Traditionally applications have been linked with a stub resolver
 library that sends recursive DNS queries to a local caching name
 server.</para>
-<para>IPv6 introduces new complexity into the resolution process,
+<para>IPv6 once introduced new complexity into the resolution process,
 such as following A6 chains and DNAME records, and simultaneous
-lookup of IPv4 and IPv6 addresses.  These are hard or impossible
+lookup of IPv4 and IPv6 addresses.  Though most of the complexity was
+then removed, these are hard or impossible
 to implement in a traditional stub resolver.</para>
 <para>Instead, <acronym>BIND</acronym> 9 provides resolution services to local clients
 using a combination of a lightweight resolver library and a resolver
@@ -1674,21 +1683,22 @@ daemon process running on the local host.  These communicate using
 a simple UDP-based protocol, the "lightweight resolver protocol"
 that is distinct from and simpler than the full DNS protocol.</para></sect1>
 <sect1 id="lwresd"><title>Running a Resolver Daemon</title>
+
 <para>To use the lightweight resolver interface, the system must
-run the resolver daemon <command>lwresd</command>.</para>
-<para>By default, applications using the light-weight resolver library will make
+run the resolver daemon <command>lwresd</command> or a local
+name server configured with a <command>lwres</command> statement.</para>
+
+<para>By default, applications using the lightweight resolver library will make
 UDP requests to the IPv4 loopback address (127.0.0.1) on port 921.  The
 address can be overridden by <command>lwserver</command> lines in
-<filename>/etc/resolv.conf</filename>.
-The daemon will try to find the answer to the questions "what are the
-addresses for host
-<literal>foo.example.com</literal>?" and "what are
-the names for IPv4 address 10.1.2.3?"</para>
+<filename>/etc/resolv.conf</filename>.</para>
+
 <para>The daemon currently only looks in the DNS, but in the future
 it may use other sources such as <filename>/etc/hosts</filename>,
 NIS, etc.</para>
+
 <para>The <command>lwresd</command> daemon is essentially a
-caching-only name server that answers requests using the lightweight
+caching-only name server that responds to requests using the lightweight
 resolver protocol rather than the DNS protocol.  Because it needs
 to run on each host, it is designed to require no or minimal configuration.
 Unless configured otherwise, it uses the name servers listed on
@@ -1703,13 +1713,16 @@ be configured to act as a lightweight resolver daemon using the
 
 </sect1></chapter>
 
-<chapter id="Bv9ARM.ch06"><title><acronym>BIND</acronym> 9 Configuration Reference</title>
-<para><acronym>BIND</acronym> 9 configuration is broadly similar to <acronym>BIND</acronym> 8.x; however,
-there are a few new areas of configuration, such as views. <acronym>BIND</acronym>
-8.x configuration files should work with few alterations in <acronym>BIND</acronym>
+<chapter id="ch06"><title><acronym>BIND</acronym> 9 Configuration Reference</title>
+
+<para><acronym>BIND</acronym> 9 configuration is broadly similar
+to <acronym>BIND</acronym> 8; however, there are a few new areas
+of configuration, such as views. <acronym>BIND</acronym>
+8 configuration files should work with few alterations in <acronym>BIND</acronym>
 9, although more complex configurations should be reviewed to check
 if they can be more efficiently implemented using the new features
 found in <acronym>BIND</acronym> 9.</para>
+
 <para><acronym>BIND</acronym> 4 configuration files can be converted to the new format
 using the shell script
 <filename>contrib/named-bootconf/named-bootconf.sh</filename>.</para>
@@ -1728,7 +1741,9 @@ defined by the <command>acl</command> statement.</para></entry>
 </row>
 <row rowsep = "0">
 <entry colname = "1"><para><varname>address_match_list</varname></para></entry>
-<entry colname = "2"><para>A list of one or more <varname>ip_addr</varname>, <varname>ip_prefix</varname>, <varname>key_id</varname>, or <varname>acl_name</varname> elements, see
+<entry colname = "2"><para>A list of one or more <varname>ip_addr</varname>, 
+<varname>ip_prefix</varname>, <varname>key_id</varname>, 
+or <varname>acl_name</varname> elements, see
 <xref linkend="address_match_lists"/>.</para></entry>
 </row>
 <row rowsep = "0">
@@ -1738,8 +1753,9 @@ a DNS name, for example "<literal>my.test.domain</literal>".</para></entry>
 </row>
 <row rowsep = "0">
 <entry colname = "1"><para><varname>dotted_decimal</varname></para></entry>
-<entry colname = "2"><para>One or more integers valued 0 through
-255 separated only by dots (`.'), such as <command>123</command>, <command>45.67</command> or <command>89.123.45.67</command>.</para></entry>
+<entry colname = "2"><para>One to four integers valued 0 through
+255 separated by dots (`.'), such as <command>123</command>, 
+<command>45.67</command> or <command>89.123.45.67</command>.</para></entry>
 </row>
 <row rowsep = "0">
 <entry colname = "1"><para><varname>ip4_addr</varname></para></entry>
@@ -1748,7 +1764,21 @@ in <varname>dotted_decimal</varname> notation.</para></entry>
 </row>
 <row rowsep = "0">
 <entry colname = "1"><para><varname>ip6_addr</varname></para></entry>
-<entry colname = "2"><para>An IPv6 address, such as <command>2001:db8::1234</command>.</para></entry>
+<entry colname = "2"><para>An IPv6 address, such as <command>2001:ffff::200:f8ff:fe01:9742</command>.
+IPv6 scoped addresses that have ambiguity on their scope zones must be
+disambiguated by an appropriate zone ID with the percent character
+(`%') as delimiter.
+It is strongly recommended to use string zone names rather than
+numeric identifiers, in order to be robust against system
+configuration changes.
+However, since there is no standard mapping for such names and
+identifier values, currently only interface names as link identifiers
+are supported, assuming one-to-one mapping between interfaces and links.
+For example, a link-local address <command>fe80::1</command> on the
+link attached to the interface <command>ne0</command>
+can be specified as <command>fe80::1%ne0</command>.
+Note that on most systems link-local addresses always have the
+ambiguity, and need to be disambiguated.</para></entry>
 </row>
 <row rowsep = "0">
 <entry colname = "1"><para><varname>ip_addr</varname></para></entry>
@@ -1757,9 +1787,9 @@ in <varname>dotted_decimal</varname> notation.</para></entry>
 <row rowsep = "0">
 <entry colname = "1"><para><varname>ip_port</varname></para></entry>
 <entry colname = "2"><para>An IP port <varname>number</varname>.
-The <varname>number</varname> is limited to 0 through 65535, with values
-below 1024 typically restricted to root-owned processes. In some
-cases, an asterisk (`*') character can be used as a placeholder to
+<varname>number</varname> is limited to 0 through 65535, with values
+below 1024 typically restricted to use by processes running as root.
+In some cases an asterisk (`*') character can be used as a placeholder to
 select a random high-numbered port.</para></entry>
 </row>
 <row rowsep = "0">
@@ -1783,7 +1813,7 @@ separated by semicolons and ending with a semicolon.</para></entry>
 </row>
 <row rowsep = "0">
 <entry colname = "1"><para><varname>number</varname></para></entry>
-<entry colname = "2"><para>A non-negative 32-bit unsigned integer
+<entry colname = "2"><para>A non-negative 32 bit integer
 (i.e., a number between 0 and 4294967295, inclusive).
 Its acceptable value might further
 be limited by the context in which it is used.</para></entry>
@@ -1806,7 +1836,7 @@ megabytes, and <userinput>G</userinput> or <userinput>g</userinput> for gigabyte
 which scale by 1024, 1024*1024, and 1024*1024*1024 respectively.</para>
 <para>The value must be representable as a 64-bit unsigned integer
 (0 to 18446744073709551615, inclusive).
- Using <varname>unlimited</varname> is the best way
+Using <varname>unlimited</varname> is the best way
 to safely set a really large number.</para></entry>
 </row>
 <row rowsep = "0">
@@ -1837,70 +1867,73 @@ are restricted to slave and stub zones.</para></entry>
 </sect3>
 <sect3><title>Definition and Usage</title>
 <para>Address match lists are primarily used to determine access
-control for various server operations. They are also used to define
-priorities for querying other nameservers and to set the addresses
-on which <command>named</command> will listen for queries. The elements
+control for various server operations. They are also used in
+the <command>listen-on</command> and <command>sortlist</command>
+statements. The elements
 which constitute an address match list can be any of the following:</para>
 <itemizedlist><listitem>
             <simpara>an IP address (IPv4 or IPv6)</simpara></listitem>
 <listitem>
-            <simpara>an IP prefix (in the `/'-notation)</simpara></listitem>
+            <simpara>an IP prefix (in `/' notation)</simpara></listitem>
 <listitem>
-            <simpara>a key ID, as defined by the key statement</simpara></listitem>
+            <simpara>a key ID, as defined by the <command>key</command> statement</simpara></listitem>
 <listitem>
-            <simpara>the name of an address match list defined with
+            <simpara>the name of an address match list previously defined with
 the <command>acl</command> statement</simpara></listitem>
 <listitem>
             <simpara>a nested address match list enclosed in braces</simpara></listitem></itemizedlist>
-<para>Elements can be negated with a leading exclamation mark (`!')
-and the match list names "any," "none," "localhost" and "localnets"
+
+<para>Elements can be negated with a leading exclamation mark (`!'),
+and the match list names "any", "none", "localhost", and "localnets"
 are predefined. More information on those names can be found in
 the description of the acl statement.</para>
+
 <para>The addition of the key clause made the name of this syntactic
 element something of a misnomer, since security keys can be used
 to validate access without regard to a host or network address. Nonetheless,
 the term "address match list" is still used throughout the documentation.</para>
+
 <para>When a given IP address or prefix is compared to an address
 match list, the list is traversed in order until an element matches.
 The interpretation of a match depends on whether the list is being used
-for access control, defining listen-on ports, or as a topology,
+for access control, defining listen-on ports, or in a sortlist,
 and whether the element was negated.</para>
+
 <para>When used as an access control list, a non-negated match allows
 access and a negated match denies access. If there is no match,
 access is denied. The clauses <command>allow-notify</command>,
 <command>allow-query</command>, <command>allow-transfer</command>,
-<command>allow-update</command> and <command>blackhole</command> all
+<command>allow-update</command>, <command>allow-update-forwarding</command>,
+and <command>blackhole</command> all
 use address match lists  this. Similarly, the listen-on option will cause
 the server to not accept queries on any of the machine's addresses
 which do not match the list.</para>
-<para>When used with the topology clause, a non-negated match returns
-a distance based on its position on the list (the closer the match
-is to the start of the list, the shorter the distance is between
-it and the server). A negated match will be assigned the maximum
-distance from the server. If there is no match, the address will
-get a distance which is further than any non-negated list element,
-and closer than any negated element.</para>
+
 <para>Because of the first-match aspect of the algorithm, an element
 that defines a subset of another element in the list should come
 before the broader element, regardless of whether either is negated. For
 example, in
 <command>1.2.3/24; ! 1.2.3.13;</command> the 1.2.3.13 element is
 completely useless because the algorithm will match any lookup for
-1.2.3.13 to the 1.2.3/24 element. Using <command>! 1.2.3.13; 1.2.3/24</command> fixes
+1.2.3.13 to the 1.2.3/24 element.
+Using <command>! 1.2.3.13; 1.2.3/24</command> fixes
 that problem by having 1.2.3.13 blocked by the negation but all
-other 1.2.3.* hosts fall through.</para></sect3></sect2>
-    <sect2>
-      <title>Comment Syntax</title>
+other 1.2.3.* hosts fall through.</para>
+</sect3>
+</sect2>
 
-      <para>The <acronym>BIND</acronym> 9 comment syntax allows for comments to appear
-      anywhere that whitespace may appear in a <acronym>BIND</acronym> configuration
-      file. To appeal to programmers of all kinds, they can be written
-      in C, C++, or shell/perl constructs.</para>
+<sect2>
+<title>Comment Syntax</title>
 
-      <sect3>
-        <title>Syntax</title>
+<para>The <acronym>BIND</acronym> 9 comment syntax allows for comments to appear
+anywhere that white space may appear in a <acronym>BIND</acronym> configuration
+file. To appeal to programmers of all kinds, they can be written
+in the C, C++, or shell/perl style.</para>
+
+<sect3>
+<title>Syntax</title>
 
-        <para><programlisting>/* This is a <acronym>BIND</acronym> comment as in C */</programlisting>
+<para><programlisting>/* This is a <acronym>BIND</acronym> comment as in C */</programlisting>
 <programlisting>// This is a <acronym>BIND</acronym> comment as in C++</programlisting>
 <programlisting># This is a <acronym>BIND</acronym> comment as in common UNIX shells and perl</programlisting>
       </para>
@@ -1934,26 +1967,30 @@ comment span multiple lines, each line must use the // pair.</para>
 with the character <literal>#</literal> (number sign) and continue to the end of the
 physical line, as in C++ comments.</para>
 <para>For example:</para>
-        <para><programlisting># This is the start of a comment.  The next line
+
+<para><programlisting># This is the start of a comment.  The next line
 # is a new comment, even though it is logically
 # part of the previous comment.
-</programlisting></para>
-        <warning>
-          <para>WARNING: you cannot use the semicolon (`;') character
-          to start a comment such as you would in a zone file. The
-          semicolon indicates the end of a configuration
-          statement.</para>
-        </warning>
-      </sect3>
-    </sect2>
-  </sect1>
-  <sect1 id="Configuration_File_Grammar">
-    <title>Configuration File Grammar</title>
+</programlisting>
+</para>
+
+<warning>
+   <para>You cannot use the semicolon (`;') character
+   to start a comment such as you would in a zone file. The
+   semicolon indicates the end of a configuration
+   statement.</para>
+</warning>
+</sect3>
+</sect2>
+</sect1>
+
+<sect1 id="Configuration_File_Grammar">
+<title>Configuration File Grammar</title>
 
     <para>A <acronym>BIND</acronym> 9 configuration consists of statements and comments.
     Statements end with a semicolon. Statements and comments are the
     only elements that can appear without enclosing braces. Many
-    statements contain a block of substatements, which are also
+    statements contain a block of sub-statements, which are also
     terminated with a semicolon.</para>
 
     <para>The following statements are supported:</para>
@@ -1989,6 +2026,16 @@ authentication and authorization using TSIG.</para></entry>
 the log messages are sent.</para></entry>
           </row>
           <row rowsep = "0">
+            <entry colname = "1"><para><command>lwres</command></para></entry>
+            <entry colname = "2"><para>configures <command>named</command> to
+also act as a light weight resolver daemon (<command>lwresd</command>).</para></entry>
+          </row>
+          <row rowsep = "0">
+            <entry colname = "1"><para><command>masters</command></para></entry>
+            <entry colname = "2"><para>defines a named masters list for
+inclusion in stub and slave zone masters clauses.</para></entry>
+          </row>
+          <row rowsep = "0">
             <entry colname = "1"><para><command>options</command></para></entry>
             <entry colname = "2"><para>controls global server configuration
 options and sets defaults for other statements.</para></entry>
@@ -2054,25 +2101,22 @@ Usage</title>
 </row>
 <row rowsep = "0">
 <entry colname = "1"><para><command>localhost</command></para></entry>
-<entry colname = "2"><para>Matches the IPv4 addresses of all network
+<entry colname = "2"><para>Matches the IPv4 and IPv6 addresses of all network
 interfaces on the system.</para></entry>
 </row>
 <row rowsep = "0">
 <entry colname = "1"><para><command>localnets</command></para></entry>
-<entry colname = "2"><para>Matches any host on an IPv4 network for which
-the system has an interface.</para></entry>
+<entry colname = "2"><para>Matches any host on an IPv4 or IPv6 network
+for which the system has an interface.
+Some systems do not provide a way to determine the prefix lengths of
+local IPv6 addresses.
+In such a case, <command>localnets</command> only matches the local
+IPv6 addresses, just like <command>localhost</command>.
+</para></entry>
 </row>
 </tbody>
 </tgroup></informaltable>
 
-<para>The <command>localhost</command> and <command>localnets</command>
-ACLs do not currently support IPv6 (that is,
-<command>localhost</command> does not match the host's IPv6 addresses,
-and <command>localnets</command> does not match the host's attached
-IPv6 networks) due to the lack of a standard method of determining the
-complete set of local IPv6 addresses for a host.
-</para>
-
 </sect2>
 <sect2>
       <title><command>controls</command> Statement Grammar</title>
@@ -2088,17 +2132,17 @@ complete set of local IPv6 addresses for a host.
 <title><command>controls</command> Statement Definition and Usage</title>
 
       <para>The <command>controls</command> statement declares control
-      channels to be used by system administrators to affect the
-      operation of the local nameserver. These control channels are
+      channels to be used by system administrators to control the
+      operation of the name server. These control channels are
       used by the <command>rndc</command> utility to send commands to
-      and retrieve non-DNS results from a nameserver.</para>
+      and retrieve non-DNS results from a name server.</para>
 
       <para>An <command>inet</command> control channel is a TCP
       socket listening at the specified
       <command>ip_port</command> on the specified
       <command>ip_addr</command>, which can be an IPv4 or IPv6
       address.  An <command>ip_addr</command>
-      of <literal>*</literal> (asterisk) is interpreted as the IPv4 wildcard
+      of <literal>*</literal> is interpreted as the IPv4 wildcard
       address; connections will be accepted on any of the system's
       IPv4 addresses.  To listen on the IPv6 wildcard address,
       use an <command>ip_addr</command> of <literal>::</literal>.
@@ -2108,28 +2152,36 @@ complete set of local IPv6 addresses for a host.
       security.
       </para>
 
+      <para>
+      If no port is specified, port 953
+      is used.  "<literal>*</literal>" cannot be used for
+      <command>ip_port</command>.</para>
+
       <para>The ability to issue commands over the control channel is
       restricted by the <command>allow</command> and
-      <command>keys</command> clauses.  Connections to the control
-      channel are permitted based on the address permissions in
-      <command>address_match_list</command>. <command>key_id</command>
-      members of the <command>address_match_list</command> are
-      ignored, and instead are interpreted independently based the
-      <command>key_list</command>.  Each <command>key_id</command> in
-      the <command>key_list</command> is allowed to be used to
-      authenticate commands and responses given over the control
-      channel by digitally signing each message between the server and
-      a command client (See <xref linkend="rndc"/> in
-      <xref linkend="admin_tools"/>). All commands to the control channel
-      must be signed by one of its specified keys to
-      be honored.</para>
+      <command>keys</command> clauses. Connections to the control
+      channel are permitted based on the
+      <command>address_match_list</command>.  This is for simple
+      IP address based filtering only; any <command>key_id</command>
+      elements of the <command>address_match_list</command> are
+      ignored.
+      </para>
+
+      <para>The primary authorization mechanism of the command
+      channel is the <command>key_list</command>, which contains
+      a list of <command>key_id</command>s.
+      Each <command>key_id</command> in
+      the <command>key_list</command> is authorized to execute
+      commands over the control channel.
+      See <xref linkend="rndc"/> in
+      <xref linkend="admin_tools"/>) for information about
+      configuring keys in <command>rndc</command>.</para>
 
 <para>
 If no <command>controls</command> statement is present,
 <command>named</command> will set up a default
 control channel listening on the loopback address 127.0.0.1
 and its IPv6 counterpart ::1.
-
 In this case, and also when the <command>controls</command> statement
 is present but does not have a <command>keys</command> clause,
 <command>named</command> will attempt to load the command channel key
@@ -2164,20 +2216,19 @@ installed.
       permissions set such that only the owner of the file (the user that
       <command>named</command> is running as) can access it.  If you
       desire greater flexibility in allowing other users to access
-      <command>rndc</command> commands, then you need to create a
-      <filename>rndc.conf</filename> file and make it group readable by a group
+      <command>rndc</command> commands then you need to create an
+      <filename>rndc.conf</filename> and make it group readable by a group
       that contains the users who should have access.</para>
 
       <para>The UNIX control channel type of <acronym>BIND</acronym> 8 is not supported
-      in <acronym>BIND</acronym> 9.0, <acronym>BIND</acronym> 9.1,
-      <acronym>BIND</acronym> 9.2 and <acronym>BIND</acronym> 9.3.
-      If it is present in the controls statement from a
+      in <acronym>BIND</acronym> 9, and is not expected to be added in future
+      releases.  If it is present in the controls statement from a
       <acronym>BIND</acronym> 8 configuration file, it is ignored
       and a warning is logged.</para>
 
 <para>
 To disable the command channel, use an empty <command>controls</command>
-statement: <command>controls { };</command>.
+statement: <command>controls { };</command>.
 </para>
 
     </sect2>
@@ -2189,12 +2240,12 @@ statement: <command>controls { };</command>.
       <title><command>include</command> Statement Definition and Usage</title>
 
       <para>The <command>include</command> statement inserts the
-      specified file at the point that the <command>include</command>
+      specified file at the point where the <command>include</command>
       statement is encountered. The <command>include</command>
       statement facilitates the administration of configuration files
       by permitting the reading or writing of some things but not
       others. For example, the statement could include private keys
-      that are readable only by a nameserver.</para>
+      that are readable only by the name server.</para>
 
     </sect2>
     <sect2>
@@ -2210,7 +2261,10 @@ statement: <command>controls { };</command>.
 <title><command>key</command> Statement Definition and Usage</title>
 
 <para>The <command>key</command> statement defines a shared
-secret key for use with TSIG, see <xref linkend="tsig"/>.</para>
+secret key for use with TSIG (see <xref linkend="tsig"/>)
+or the command channel
+(see <xref linkend="controls_statement_definition_and_usage"/>).
+</para>
 
 <para>
 The <command>key</command> statement can occur at the top level
@@ -2224,7 +2278,8 @@ must be defined at the top level.
 
 <para>The <replaceable>key_id</replaceable>, also known as the
 key name, is a domain name uniquely identifying the key. It can
-be used in a "server" statement to cause requests sent to that
+be used in a <command>server</command>
+statement to cause requests sent to that
 server to be signed with this key, or in address match lists to
 verify that incoming requests have been signed with a key
 matching this name, algorithm, and secret.</para>
@@ -2243,7 +2298,7 @@ string.</para>
       <programlisting><command>logging</command> {
    [ <command>channel</command> <replaceable>channel_name</replaceable> {
      ( <command>file</command> <replaceable>path name</replaceable>
-         [ <command>versions</command> ( <replaceable>number</replaceable> | <command>unlimited</command> ) ]
+         [ <command>versions</command> ( <replaceable>number</replaceable> | <literal>unlimited</literal> ) ]
          [ <command>size</command> <replaceable>size spec</replaceable> ]
        | <command>syslog</command> <replaceable>syslog_facility</replaceable>
        | <command>stderr</command>
@@ -2266,7 +2321,7 @@ string.</para>
 <title><command>logging</command> Statement Definition and Usage</title>
 
 <para>The <command>logging</command> statement configures a wide
-variety of logging options for the nameserver. Its <command>channel</command> phrase
+variety of logging options for the name server. Its <command>channel</command> phrase
 associates output methods, format options and severity levels with
 a name that can then be used with the <command>category</command> phrase
 to select how various classes of messages are logged.</para>
@@ -2275,8 +2330,8 @@ as many channels and categories as are wanted. If there is no <command>logging</
 the logging configuration will be:</para>
 
 <programlisting>logging {
-     category "unmatched" { "null"; };
-     category "default" { "default_syslog"; "default_debug"; };
+     category default { default_syslog; default_debug; };
+     category unmatched { null; };
 };
 </programlisting>
 
@@ -2314,13 +2369,13 @@ of the file will be saved each time the file is opened.</para>
 
 <para>If you use the <command>versions</command> log file option, then
 <command>named</command> will retain that many backup versions of the file by
-renaming them when opening.  For example, if you choose to keep three old versions
-of the file <filename>lamers.log</filename>, then just before it is opened
+renaming them when opening.  For example, if you choose to keep 3 old versions
+of the file <filename>lamers.log</filename> then just before it is opened
 <filename>lamers.log.1</filename> is renamed to
 <filename>lamers.log.2</filename>, <filename>lamers.log.0</filename> is renamed
 to <filename>lamers.log.1</filename>, and <filename>lamers.log</filename> is
 renamed to <filename>lamers.log.0</filename>.
-You can say <command>versions unlimited;</command> to not limit
+You can say <command>versions unlimited</command> to not limit
 the number of versions.
 If a <command>size</command> option is associated with the log file,
 then renaming is only done when the file being opened exceeds the
@@ -2340,7 +2395,7 @@ file.</para>
 <para>Example usage of the <command>size</command> and
 <command>versions</command> options:</para>
 
-<programlisting>channel "an_example_channel" {
+<programlisting>channel an_example_channel {
     file "example.log" versions 3 size 20m;
     print-time yes;
     print-category yes;
@@ -2365,7 +2420,7 @@ page. If you have a system which uses a very old version of <command>syslog</com
 only uses two arguments to the <command>openlog()</command> function,
 then this clause is silently ignored.</para>
 <para>The <command>severity</command> clause works like <command>syslog</command>'s
-"priorities," except that they can also be used if you are writing
+"priorities", except that they can also be used if you are writing
 straight to a file rather than using <command>syslog</command>.
 Messages which are not at least of the severity level given will
 not be selected for the channel; messages of higher severity levels
@@ -2391,11 +2446,11 @@ level is set either by starting the <command>named</command> server
 with the <option>-d</option> flag followed by a positive integer,
 or by running <command>rndc trace</command>.
 The global debug level
-can be set to zero, and debugging mode turned off, by running <command>rndc
+can be set to zero, and debugging mode turned off, by running <command>ndc
 notrace</command>. All debugging messages in the server have a debug
 level, and higher debug levels give more detailed output. Channels
 that specify a specific debug severity, for example:</para>
-<programlisting>channel "specific_debug_level" {
+<programlisting>channel specific_debug_level {
     file "foo";
     severity debug 3;
 };
@@ -2403,7 +2458,7 @@ that specify a specific debug severity, for example:</para>
         <para>will get debugging output of level 3 or less any time the
 server is in debugging mode, regardless of the global debugging
 level. Channels with <command>dynamic</command> severity use the
-server's global level to determine what messages to print.</para>
+server's global debug level to determine what messages to print.</para>
         <para>If <command>print-time</command> has been turned on, then
 the date and time will be logged. <command>print-time</command> may
 be specified for a <command>syslog</command> channel, but is usually
@@ -2422,14 +2477,14 @@ are on:</para>
 used is described in <xref linkend="the_category_phrase"/>.
 </para>
 
-<programlisting>channel "default_syslog" {
+<programlisting>channel default_syslog {
     syslog daemon;                      // send to syslog's daemon
                                         // facility
     severity info;                      // only send priority info
                                         // and higher
 };
 
-channel "default_debug" {
+channel default_debug {
     file "named.run";                   // write to named.run in
                                         // the working directory
                                         // Note: stderr is used instead
@@ -2440,13 +2495,13 @@ channel "default_debug" {
                                         // current debug level
 };
 
-channel "default_stderr" {              // writes to stderr
-    stderr;
+channel default_stderr {
+    stderr;                             // writes to stderr
     severity info;                      // only send priority info
                                         // and higher
 };
 
-channel "null" {
+channel null {
    null;                                // toss anything sent to
                                         // this channel
 };
@@ -2454,7 +2509,7 @@ channel "null" {
 
 <para>The <command>default_debug</command> channel has the special
 property that it only produces output when the server's debug level is
-nonzero.  It normally writes to a file called <filename>named.run</filename>
+nonzero.  It normally writes to a file <filename>named.run</filename>
 in the server's working directory.</para>
 
 <para>For security reasons, when the "<option>-u</option>"
@@ -2478,23 +2533,23 @@ you don't specify a list of channels for a category, then log messages
 in that category will be sent to the <command>default</command> category
 instead. If you don't specify a default category, the following
 "default default" is used:</para>
-<programlisting>category "default" { "default_syslog"; "default_debug"; };
+<programlisting>category default { default_syslog; default_debug; };
 </programlisting>
 <para>As an example, let's say you want to log security events to
 a file, but you also want keep the default logging behavior. You'd
 specify the following:</para>
-<programlisting>channel "my_security_channel" {
+<programlisting>channel my_security_channel {
     file "my_security_file";
     severity info;
 };
-category "security" {
-    "my_security_channel";
-    "default_syslog";
-    "default_debug";
+category security {
+    my_security_channel;
+    default_syslog;
+    default_debug;
 };</programlisting>
 <para>To discard all messages in a category, specify the <command>null</command> channel:</para>
-<programlisting>category "xfer-out" { "null"; };
-category "notify" { "null"; };
+<programlisting>category xfer-out { null; };
+category notify { null; };
 </programlisting>
 <para>Following are the available categories and brief descriptions
 of the types of log information they contain. More
@@ -2567,8 +2622,17 @@ the <command>null</command> channel.</para></entry>
 <entry colname = "2"><para>Dynamic updates.</para></entry>
 </row>
 <row rowsep = "0">
+<entry colname = "1"><para><command>update-security</command></para></entry>
+<entry colname = "2"><para>Approval and denial of update requests.</para></entry>
+</row>
+<row rowsep = "0">
 <entry colname = "1"><para><command>queries</command></para></entry>
-<entry colname = "2"><para>Queries. Using the category <command>queries</command> will enable query logging.</para></entry>
+<entry colname = "2"><para>Specify where queries should be logged to.</para>
+<para>
+At startup, specifing the category <command>queries</command> will also
+enable query logging unless <command>querylog</command> option has been
+specified.
+</para></entry>
 </row>
 <row rowsep = "0">
 <entry colname = "1"><para><command>dispatch</command></para></entry>
@@ -2592,7 +2656,7 @@ those servers during resolution.
 <entry colname = "1"><para><command>delegation-only</command></para></entry>
 <entry colname = "2"><para>Delegation only.  Logs queries that have have
 been forced to NXDOMAIN as the result of a delegation-only zone or
-a <command>delegation-only</command> in a hint or stub zone declartation.
+a <command>delegation-only</command> in a hint or stub zone declaration.
 </para></entry>
 </row>
 </tbody>
@@ -2619,8 +2683,8 @@ statement in the <filename>named.conf</filename> file:</para>
 <title><command>lwres</command> Statement Definition and Usage</title>
 
 <para>The <command>lwres</command> statement configures the name
-server to also act as a light-weight resolver daemon. (See
-<xref linkend="lwresd"/>.)  There may be multiple
+server to also act as a lightweight resolver server, see
+<xref linkend="lwresd"/>.  There may be be multiple
 <command>lwres</command> statements configuring
 lightweight resolver servers with different properties.</para>
 
@@ -2648,6 +2712,17 @@ number of dots in a relative domain name that should result in an
 exact match lookup before search path elements are appended.</para>
 </sect2>
 <sect2>
+      <title><command>masters</command> Statement Grammar</title>
+<programlisting>
+<command>masters</command> <replaceable>name</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>masters_list</replaceable> | <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> <optional>key <replaceable>key</replaceable></optional> ) ; <optional>...</optional> } ; 
+</programlisting>
+</sect2>
+<sect2>
+      <title><command>masters</command> Statement Definition and Usage </title>
+<para><command>masters</command> lists allow for a common set of masters
+to be easily used by multiple stub and slave zones.</para>
+</sect2>
+<sect2>
 <title><command>options</command> Statement Grammar</title>
 
 <para>This is the grammar of the <command>options</command>
@@ -2655,11 +2730,13 @@ statement in the <filename>named.conf</filename> file:</para>
 
 <programlisting>options {
     <optional> version <replaceable>version_string</replaceable>; </optional>
+    <optional> hostname <replaceable>hostname_string</replaceable>; </optional>
+    <optional> server-id <replaceable>server_id_string</replaceable>; </optional>
     <optional> directory <replaceable>path_name</replaceable>; </optional>
+    <optional> key-directory <replaceable>path_name</replaceable>; </optional>
     <optional> named-xfer <replaceable>path_name</replaceable>; </optional>
     <optional> tkey-domain <replaceable>domainname</replaceable>; </optional>
     <optional> tkey-dhkey <replaceable>key_name</replaceable> <replaceable>key_tag</replaceable>; </optional>
-    <optional> cache-file <replaceable>path_name</replaceable>; </optional>
     <optional> dump-file <replaceable>path_name</replaceable>; </optional>
     <optional> memstatistics-file <replaceable>path_name</replaceable>; </optional>
     <optional> pid-file <replaceable>path_name</replaceable>; </optional>
@@ -2670,9 +2747,9 @@ statement in the <filename>named.conf</filename> file:</para>
     <optional> dialup <replaceable>dialup_option</replaceable>; </optional>
     <optional> fake-iquery <replaceable>yes_or_no</replaceable>; </optional>
     <optional> fetch-glue <replaceable>yes_or_no</replaceable>; </optional>
+    <optional> flush-zones-on-shutdown <replaceable>yes_or_no</replaceable>; </optional>
     <optional> has-old-clients <replaceable>yes_or_no</replaceable>; </optional>
     <optional> host-statistics <replaceable>yes_or_no</replaceable>; </optional>
-    <optional> host-statistics-max <replaceable>number</replaceable>; </optional>
     <optional> minimal-responses <replaceable>yes_or_no</replaceable>; </optional>
     <optional> multiple-cnames <replaceable>yes_or_no</replaceable>; </optional>
     <optional> notify <replaceable>yes_or_no</replaceable> | <replaceable>explicit</replaceable>; </optional>
@@ -2680,15 +2757,21 @@ statement in the <filename>named.conf</filename> file:</para>
     <optional> rfc2308-type1 <replaceable>yes_or_no</replaceable>; </optional>
     <optional> use-id-pool <replaceable>yes_or_no</replaceable>; </optional>
     <optional> maintain-ixfr-base <replaceable>yes_or_no</replaceable>; </optional>
+    <optional> dnssec-enable <replaceable>yes_or_no</replaceable>; </optional>
+    <optional> dnssec-lookaside <replaceable>domain</replaceable>; </optional>
     <optional> forward ( <replaceable>only</replaceable> | <replaceable>first</replaceable> ); </optional>
-    <optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
+    <optional> forwarders { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
+    <optional> dual-stack-servers <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>domain_name</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> | <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ) ; ... }; </optional>
     <optional> check-names ( <replaceable>master</replaceable> | <replaceable>slave</replaceable> | <replaceable> response</replaceable> )( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
     <optional> allow-notify { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> allow-transfer { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> allow-recursion { <replaceable>address_match_list</replaceable> }; </optional>
+    <optional> allow-update-forwarding { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> allow-v6-synthesis { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> blackhole { <replaceable>address_match_list</replaceable> }; </optional>
+    <optional> avoid-v4-udp-ports { <replaceable>port_list</replaceable> }; </optional>
+    <optional> avoid-v6-udp-ports { <replaceable>port_list</replaceable> }; </optional>
     <optional> listen-on <optional> port <replaceable>ip_port</replaceable> </optional> { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> listen-on-v6 <optional> port <replaceable>ip_port</replaceable> </optional> { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> query-source <optional> address ( <replaceable>ip_addr</replaceable> | <replaceable>*</replaceable> ) </optional> <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional>; </optional>
@@ -2701,16 +2784,21 @@ statement in the <filename>named.conf</filename> file:</para>
     <optional> recursive-clients <replaceable>number</replaceable>; </optional>
     <optional> serial-query-rate <replaceable>number</replaceable>; </optional>
     <optional> serial-queries <replaceable>number</replaceable>; </optional>
+    <optional> tcp-listen-queue <replaceable>number</replaceable>; </optional>
     <optional> transfer-format <replaceable>( one-answer | many-answers )</replaceable>; </optional>
     <optional> transfers-in  <replaceable>number</replaceable>; </optional>
     <optional> transfers-out <replaceable>number</replaceable>; </optional>
     <optional> transfers-per-ns <replaceable>number</replaceable>; </optional>
     <optional> transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
     <optional> transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
+    <optional> alt-transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
+    <optional> alt-transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
+    <optional> use-alt-transfer-source <replaceable>yes_or_no</replaceable>; </optional>
     <optional> notify-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
     <optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
     <optional> also-notify { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
     <optional> max-ixfr-log-size <replaceable>number</replaceable>; </optional>
+    <optional> max-journal-size <replaceable>size_spec</replaceable>; </optional>
     <optional> coresize <replaceable>size_spec</replaceable> ; </optional>
     <optional> datasize <replaceable>size_spec</replaceable> ; </optional>
     <optional> files <replaceable>size_spec</replaceable> ; </optional>
@@ -2741,32 +2829,25 @@ statement in the <filename>named.conf</filename> file:</para>
     <optional> random-device <replaceable>path_name</replaceable> ; </optional>
     <optional> max-cache-size <replaceable>size_spec</replaceable> ; </optional>
     <optional> match-mapped-addresses <replaceable>yes_or_no</replaceable>; </optional>
-    <optional> root-delegation-only <optional> exclude { <replaceable>namelist
-</replaceable> } </optional> ; </optional>
-
+    <optional> preferred-glue ( <replaceable>A</replaceable> | <replaceable>AAAA</replaceable> | <replaceable>NONE</replaceable> ); </optional>
+    <optional> edns-udp-size <replaceable>number</replaceable>; </optional>
+    <optional> root-delegation-only <optional> exclude { <replaceable>namelist</replaceable> } </optional> ; </optional>
+    <optional> querylog <replaceable>yes_or_no</replaceable> ; </optional>
 };
+    <optional> disable-algorithms <replaceable>domain</replaceable> { <replaceable>algorithm</replaceable>; <optional> <replaceable>algorithm</replaceable>; </optional> }; </optional>
 </programlisting>
 </sect2>
 
-<sect2><title><command>options</command> Statement Definition and Usage</title>
+<sect2 id="options"><title><command>options</command> Statement Definition and Usage</title>
 
 <para>The <command>options</command> statement sets up global options
 to be used by <acronym>BIND</acronym>. This statement may appear only
-once in a configuration file. If more than one occurrence is found,
-the first occurrence determines the actual options used, and a warning
-will be generated.  If there is no <command>options</command>
+once in a configuration file. If there is no <command>options</command>
 statement, an options block with each option set to its default will
 be used.</para>
 
 <variablelist>
 
-<varlistentry><term><command>version</command></term>
-<listitem><para>The version the server should report
-via a query of name <filename>version.bind</filename> in
-class <command>CHAOS</command>.
-The default is the real version number of this server.</para>
-</listitem></varlistentry>
-
 <varlistentry><term><command>directory</command></term>
 <listitem><para>The working directory of the server.
 Any non-absolute pathnames in the configuration file will be taken
@@ -2777,6 +2858,13 @@ to `<filename>.</filename>', the directory from which the server
 was started. The directory specified should be an absolute path.</para>
 </listitem></varlistentry>
 
+<varlistentry><term><command>key-directory</command></term>
+<listitem><para>When performing dynamic update of secure zones, the
+directory where the public and private key files should be found,
+if different than the current working directory.  The directory specified
+must be an absolute path.</para>
+</listitem></varlistentry>
+
 <varlistentry><term><command>named-xfer</command></term>
 <listitem><para><emphasis>This option is obsolete.</emphasis>
 It was used in <acronym>BIND</acronym> 8 to
@@ -2807,15 +2895,6 @@ public and private keys from files in the working directory. In
 most cases, the keyname should be the server's host name.</para>
 </listitem></varlistentry>
 
-          <varlistentry>
-            <term><command>cache-file</command></term>
-            <listitem>
-              <para>
-		This is for testing only.  Do not use.
-              </para>
-            </listitem>
-          </varlistentry>
-
 <varlistentry><term><command>dump-file</command></term>
 <listitem><para>The pathname of the file the server dumps
 the database to when instructed to do so with
@@ -2826,14 +2905,17 @@ If not specified, the default is <filename>named_dump.db</filename>.</para>
 <listitem><para>The pathname of the file the server writes memory
 usage statistics to on exit. If not specified,
 the default is <filename>named.memstats</filename>.</para>
-<note><para>Not yet implemented in <acronym>BIND</acronym> 9.</para></note>
 </listitem></varlistentry>
 
 <varlistentry><term><command>pid-file</command></term>
 <listitem><para>The pathname of the file the server writes its process ID
 in. If not specified, the default is <filename>/var/run/named.pid</filename>.
 The pid-file is used by programs that want to send signals to the running
-nameserver.</para>
+name server. Specifying <command>pid-file none</command> disables the
+use of a PID file &mdash; no file will be written and any
+existing one will be removed.  Note that <command>none</command>
+is a keyword, not a file name, and therefore is not enclosed in
+double quotes.</para>
 </listitem></varlistentry>
 
 <varlistentry><term><command>statistics-file</command></term>
@@ -2841,7 +2923,7 @@ nameserver.</para>
 to when instructed to do so using <command>rndc stats</command>.
 If not specified, the default is <filename>named.stats</filename> in the
 server's current directory.  The format of the file is described
-in <xref linkend="statsfile"/>.</para>
+in <xref linkend="statsfile"/></para>
 </listitem></varlistentry>
 
 <varlistentry><term><command>port</command></term>
@@ -2868,13 +2950,21 @@ the initial configuration load at server startup time and
 is ignored on subsequent reloads.</para>
 </listitem></varlistentry>
 
+<varlistentry><term><command>preferred-glue</command></term>
+<listitem><para>
+If specified the listed type (A or AAAA) will be emitted before other glue
+in the additional section of a query response.
+The default is not to preference any type (NONE).
+</para>
+</listitem></varlistentry>
+
 <varlistentry><term><command>root-delegation-only</command></term>
 <listitem><para>
-Turn on enforcment of delegation-only in TLDs and root zones with an optional
+Turn on enforcement of delegation-only in TLDs and root zones with an optional
 exclude list.
 </para>
 <para>
-Note some TLDs are not delegation only (e.g. "DE", "LV", "US" and "MUSEUM").
+Note some TLDs are NOT delegation only (e.g. "DE", "LV", "US" and "MUSEUM").
 </para>
 <programlisting>
 options {
@@ -2882,8 +2972,25 @@ options {
 };
 </programlisting>
 </listitem></varlistentry>
-</variablelist>
 
+<varlistentry><term><command>disable-algorithms</command></term>
+<listitem><para>
+Disable the specified DNSSEC algorithms at and below the specified name.
+Multiple <command>disable-algorithms</command> statements are allowed.
+Only the most specific will be applied.
+</para></listitem></varlistentry>
+
+<varlistentry><term><command>dnssec-lookaside</command></term>
+<listitem><para>
+When set <command>dnssec-lookaside</command> provides the
+validator with an alternate method to validate DNSKEY records at the
+top of a zone.  When set the domain specified by
+<command>dnssec-lookaside</command> is appended to DNSKEY's
+name and a DLV record is looked up.  If the DLV record validates
+a DNSKEY (similarly to the way a DS record does) the DNSKEY RRset is deemed to be trusted.
+</para></listitem></varlistentry>
+
+</variablelist>
 
 <sect3 id="boolean_options"><title>Boolean Options</title>
 
@@ -2904,7 +3011,7 @@ the checks.</para></listitem></varlistentry>
 <varlistentry><term><command>dialup</command></term>
 <listitem><para>If <userinput>yes</userinput>, then the
 server treats all zones as if they are doing zone transfers across
-a dial-on-demand dialup link, which can be brought up by traffic
+a dial on demand dialup link, which can be brought up by traffic
 originating from this server. This has different effects according
 to zone type and concentrates the zone maintenance so that it all
 happens in a short interval, once every <command>heartbeat-interval</command> and
@@ -2916,9 +3023,12 @@ may also be specified in the <command>view</command> and
 in which case it overrides the global <command>dialup</command>
 option.</para>
 <para>If the zone is a master zone then the server will send out a NOTIFY 
-request to all the slaves. This will trigger the zone serial number check
-in the slave (providing it supports NOTIFY) allowing the slave to
-verify the zone while the connection is active.</para><para>If the
+request to all the slaves (default). This should trigger the zone serial
+number check in the slave (providing it supports NOTIFY) allowing the slave
+to verify the zone while the connection is active.
+The set of servers to which NOTIFY is sent can be controlled by
+<command>notify</command> and <command>also-notify</command>.</para>
+<para>If the
 zone is a slave or stub zone, then the server will suppress the regular
 "zone up to date" (refresh) queries and only perform them when the
 <command>heartbeat-interval</command> expires in addition to sending
@@ -2926,14 +3036,71 @@ NOTIFY requests.</para><para>Finer control can be achieved by using
 <userinput>notify</userinput> which only sends NOTIFY messages,
 <userinput>notify-passive</userinput> which sends NOTIFY messages and
 suppresses the normal refresh queries, <userinput>refresh</userinput>
-which suppresses normal refresh processing and send refresh queries 
-when the <command>heartbeat-interval</command> expires and
+which suppresses normal refresh processing and sends refresh queries 
+when the <command>heartbeat-interval</command> expires, and
 <userinput>passive</userinput> which just disables normal refresh
-processing.</para></listitem></varlistentry>
+processing.</para>
+
+<informaltable colsep = "0" rowsep = "0">
+<tgroup cols = "4" colsep = "0" rowsep = "0" tgroupstyle = "4Level-table">
+<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.150in"/>
+<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "1.150in"/>
+<colspec colname = "3" colnum = "3" colsep = "0" colwidth = "1.150in"/>
+<colspec colname = "4" colnum = "4" colsep = "0" colwidth = "1.150in"/>
+<tbody>
+<row rowsep = "0">
+<entry colname = "1"><para>dialup mode</para></entry>
+<entry colname = "2"><para>normal refresh</para></entry>
+<entry colname = "3"><para>heart-beat refresh</para></entry>
+<entry colname = "4"><para>heart-beat notify</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><command>no</command> (default)</para></entry>
+<entry colname = "2"><para>yes</para></entry>
+<entry colname = "3"><para>no</para></entry>
+<entry colname = "4"><para>no</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><command>yes</command></para></entry>
+<entry colname = "2"><para>no</para></entry>
+<entry colname = "3"><para>yes</para></entry>
+<entry colname = "4"><para>yes</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><command>notify</command></para></entry>
+<entry colname = "2"><para>yes</para></entry>
+<entry colname = "3"><para>no</para></entry>
+<entry colname = "4"><para>yes</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><command>refresh</command></para></entry>
+<entry colname = "2"><para>no</para></entry>
+<entry colname = "3"><para>yes</para></entry>
+<entry colname = "4"><para>no</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><command>passive</command></para></entry>
+<entry colname = "2"><para>no</para></entry>
+<entry colname = "3"><para>no</para></entry>
+<entry colname = "4"><para>no</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><command>notify-passive</command></para></entry>
+<entry colname = "2"><para>no</para></entry>
+<entry colname = "3"><para>no</para></entry>
+<entry colname = "4"><para>yes</para></entry>
+</row>
+</tbody>
+</tgroup></informaltable>
+
+<para>Note that normal NOTIFY processing is not affected by
+<command>dialup</command>.</para>
+
+</listitem></varlistentry>
 
 <varlistentry><term><command>fake-iquery</command></term>
-<listitem><para>In <acronym>BIND</acronym> 8, this option was used to
-enable simulating the obsolete DNS query type
+<listitem><para>In <acronym>BIND</acronym> 8, this option
+enabled simulating the obsolete DNS query type
 IQUERY. <acronym>BIND</acronym> 9 never does IQUERY simulation.
 </para></listitem></varlistentry>
 
@@ -2945,6 +3112,12 @@ didn't have when constructing the additional
 data section of a response.  This is now considered a bad idea
 and BIND 9 never does it.</para></listitem></varlistentry>
 
+<varlistentry><term><command>flush-zones-on-shutdown</command></term>
+<listitem><para>When the nameserver exits due receiving SIGTERM,
+flush / do not flush any pending zone writes.  The default is
+<command>flush-zones-on-shutdown</command> <userinput>no</userinput>.
+</para></listitem></varlistentry>
+
 <varlistentry><term><command>has-old-clients</command></term>
 <listitem><para>This option was incorrectly implemented
 in <acronym>BIND</acronym> 8, and is ignored by <acronym>BIND</acronym> 9.
@@ -2957,7 +3130,7 @@ and <command>rfc2308-type1</command> <userinput>no</userinput> instead.
 
 <varlistentry><term><command>host-statistics</command></term>
 <listitem><para>In BIND 8, this enables keeping of
-statistics for every host that the nameserver interacts with.
+statistics for every host that the name server interacts with.
 Not implemented in BIND 9.
 </para></listitem></varlistentry>
 
@@ -2979,7 +3152,7 @@ The default is <userinput>no</userinput>.
 
 <varlistentry><term><command>multiple-cnames</command></term>
 <listitem><para>This option was used in <acronym>BIND</acronym> 8 to allow
-a domain name to allow multiple CNAME records in violation of the
+a domain name to have multiple CNAME records in violation of the
 DNS standards.  <acronym>BIND</acronym> 9.2 always strictly
 enforces the CNAME rules both in master files and dynamic updates.
 </para></listitem></varlistentry>
@@ -3008,7 +3181,7 @@ DNS query requests recursion, then the server will attempt to do
 all the work required to answer the query. If recursion is off
 and the server does not already know the answer, it will return a
 referral response. The default is <userinput>yes</userinput>.
-Note that setting <command>recursion no;</command> does not prevent
+Note that setting <command>recursion no</command> does not prevent
 clients from getting data from the server's cache; it only
 prevents new data from being cached as an effect of client queries.
 Caching may still occur as an effect the server's internal
@@ -3029,15 +3202,17 @@ answers. The default is <userinput>no</userinput>.</para>
 </para></listitem></varlistentry>
 
 <varlistentry><term><command>zone-statistics</command></term>
-<listitem><para>If <userinput>yes</userinput>, the server will, by default, collect
-statistical data on all zones in the server.  These statistics may be accessed
+<listitem><para>If <userinput>yes</userinput>, the server will collect
+statistical data on all zones (unless specifically turned off
+on a per-zone basis by specifying <command>zone-statistics no</command>
+in the <command>zone</command> statement).  These statistics may be accessed
 using <command>rndc stats</command>, which will dump them to the file listed
 in the <command>statistics-file</command>.  See also <xref linkend="statsfile"/>.
 </para></listitem></varlistentry>
 
 <varlistentry><term><command>use-ixfr</command></term>
 <listitem><para><emphasis>This option is obsolete</emphasis>.
-If you need to disable IXFR to a particular server or servers, see
+If you need to disable IXFR to a particular server or servers see
 the information on the <command>provide-ixfr</command> option
 in <xref linkend="server_statement_definition_and_usage"/>. See also
 <xref linkend="incremental_zone_transfers"/>.
@@ -3048,7 +3223,7 @@ in <xref linkend="server_statement_definition_and_usage"/>. See also
 <para>
 See the description of
 <command>provide-ixfr</command> in
-<xref linkend="server_statement_definition_and_usage"/>.
+<xref linkend="server_statement_definition_and_usage"/>
 </para></listitem></varlistentry>
 
 <varlistentry><term><command>request-ixfr</command></term>
@@ -3056,7 +3231,7 @@ See the description of
 <para>
 See the description of
 <command>request-ixfr</command> in
-<xref linkend="server_statement_definition_and_usage"/>.
+<xref linkend="server_statement_definition_and_usage"/>
 </para></listitem></varlistentry>
 
 <varlistentry><term><command>treat-cr-as-space</command></term>
@@ -3097,15 +3272,17 @@ otherwise be provided in the additional section.
 <para>
 For example, if a query asks for an MX record for host <literal>foo.example.com</literal>,
 and the record found is "<literal>MX 10 mail.example.net</literal>", normally the address
-records (A, A6, and AAAA) for <literal>mail.example.net</literal> will be provided as well,
-if known.  Setting these options to <command>no</command> disables this behavior.
+records (A and AAAA) for <literal>mail.example.net</literal> will be provided as well,
+if known, even though they are not in the example.com zone.
+Setting these options to <command>no</command> disables this behavior and makes
+the server only search for additional data in the zone it answers from.
 </para>
 
 <para>
 These options are intended for use in authoritative-only 
 servers, or in authoritative-only views.  Attempts to set
 them to <command>no</command> without also specifying
-<command>recursion no;</command> will cause the server to
+<command>recursion no</command> will cause the server to
 ignore the options and log a warning message.
 </para>
 
@@ -3143,6 +3320,53 @@ address match lists designed for IPv4 to fail to match.
 The use of this option for any other purpose is discouraged.
 </para></listitem></varlistentry>
 
+<varlistentry><term><command>ixfr-from-differences</command></term>
+<listitem>
+<para>
+When 'yes' and the server loads a new version of a master
+zone from its zone file or receives a new version of a slave
+file by a non-incremental zone transfer, it will compare
+the new version to the previous one and calculate a set
+of differences.  The differences are then logged in the
+zone's journal file such that the changes can be transmitted
+to downstream slaves as an incremental zone transfer.
+</para><para>
+By allowing incremental zone transfers to be used for
+non-dynamic zones, this option saves bandwidth at the
+expense of increased CPU and memory consumption at the master.
+In particular, if the new version of a zone is completely
+different from the previous one, the set of differences
+will be of a size comparable to the combined size of the
+old and new zone version, and the server will need to
+temporarily allocate memory to hold this complete
+difference set.
+</para></listitem></varlistentry>
+
+<varlistentry><term><command>multi-master</command></term>
+<listitem>
+<para>
+This should be set when you have multiple masters for a zone and the
+addresses refer to different machines.  If 'yes' named will not log
+when the serial number on the master is less than what named currently
+has.  The default is <userinput>no</userinput>.
+</para></listitem></varlistentry>
+
+<varlistentry><term><command>dnssec-enable</command></term>
+<listitem>
+<para>
+Enable DNSSEC support in named.  Unless set to <userinput>yes</userinput>
+named behaves as if it does not support DNSSEC.
+The default is <userinput>no</userinput>.
+</para></listitem></varlistentry>
+
+<varlistentry><term><command>querylog</command></term>
+<listitem>
+<para>
+Specify whether query logging should be started when named start.
+If <command>querylog</command> is not specified then the query logging
+is determined by the presence of the logging category <command>queries</command>.
+</para></listitem></varlistentry>
+
 </variablelist>
 
 </sect3>
@@ -3150,7 +3374,7 @@ The use of this option for any other purpose is discouraged.
 <sect3><title>Forwarding</title>
 <para>The forwarding facility can be used to create a large site-wide
 cache on a few servers, reducing traffic over links to external
-nameservers. It can also be used to allow queries by servers that
+name servers. It can also be used to allow queries by servers that
 do not have direct access to the Internet, but wish to look up exterior
 names anyway. Forwarding occurs only on those queries for which
 the server is not authoritative and does not have the answer in
@@ -3160,8 +3384,8 @@ its cache.</para>
 <varlistentry><term><command>forward</command></term>
 <listitem><para>This option is only meaningful if the
 forwarders list is not empty. A value of <varname>first</varname>,
-the default, causes the server to query the forwarders first &mdash; and
-if that doesn't answer the question, the server will then look for
+the default, causes the server to query the forwarders first, and
+if that doesn't answer the question the server will then look for
 the answer itself. If <varname>only</varname> is specified, the
 server will only query the forwarders.
 </para></listitem></varlistentry>
@@ -3180,6 +3404,23 @@ or have a different <command>forward only/first</command> behavior,
 or not forward at all, see <xref linkend="zone_statement_grammar"/>.</para>
 </sect3>
 
+<sect3><title>6 to 4 Servers</title>
+<para>6 to 4 servers are used as servers of last resort to work around
+problems in reachability due the lack of support for either IPv4 or IPv6
+on the host machine.</para>
+
+<variablelist>
+<varlistentry><term><command>dual-stack-servers</command></term>
+<listitem><para>Specifies host names / addresses of machines with access to
+both IPv4 and IPv6 transports. If a hostname is used the server must be able
+to resolve the name using only the transport it has.  If the machine is dual
+stacked then the <command>dual-stack-servers</command> have no effect unless
+access to a transport has been disabled on the command line
+(e.g. <command>named -4</command>).</para></listitem>
+</varlistentry>
+</variablelist>
+</sect3>
+
 <sect3 id="access_control"><title>Access Control</title>
 
 <para>Access to the server can be restricted based on the IP address
@@ -3190,7 +3431,8 @@ details on how to specify IP address lists.</para>
 
 <varlistentry><term><command>allow-notify</command></term>
 <listitem><para>Specifies which hosts are allowed to
-notify slaves of a zone change in addition to the zone masters.
+notify this server, a slave, of zone changes in addition
+to the zone masters.
 <command>allow-notify</command> may also be specified in the
 <command>zone</command> statement, in which case it overrides the
 <command>options allow-notify</command> statement.  It is only meaningful
@@ -3200,7 +3442,7 @@ only from a zone's master.</para>
 
 <varlistentry><term><command>allow-query</command></term>
 <listitem><para>Specifies which hosts are allowed to
-ask ordinary questions. <command>allow-query</command> may also
+ask ordinary DNS questions. <command>allow-query</command> may also
 be specified in the <command>zone</command> statement, in which
 case it overrides the <command>options allow-query</command> statement. If
 not specified, the default is to allow queries from all hosts.</para>
@@ -3216,10 +3458,29 @@ host from retrieving data that is already in the server's cache.
 </para>
 </listitem></varlistentry>
 
+<varlistentry><term><command>allow-update-forwarding</command></term>
+<listitem><para>Specifies which hosts are allowed to
+submit Dynamic DNS updates to slave zones to be forwarded to the
+master.  The default is <userinput>{ none; }</userinput>, which 
+means that no update forwarding will be performed.  To enable
+update forwarding, specify
+<userinput>allow-update-forwarding { any; };</userinput>.
+Specifying values other than <userinput>{ none; }</userinput> or
+<userinput>{ any; }</userinput> is usually counterproductive, since
+the responsibility for update access control should rest with the 
+master server, not the slaves.</para>
+<para>Note that enabling the update forwarding feature on a slave server
+may expose master servers relying on insecure IP address based
+access control to attacks; see <xref linkend="dynamic_update_security"/>
+for more details.</para>
+</listitem></varlistentry>
+
 <varlistentry><term><command>allow-v6-synthesis</command></term>
-<listitem><para>Specifies which hosts are to receive
-synthetic responses to IPv6 queries as described in
-<xref linkend="synthesis"/>.
+<listitem><para>This option was introduced for the smooth transition from AAAA
+to A6 and from "nibble labels" to binary labels.
+However, since both A6 and binary labels were then deprecated,
+this option was also deprecated.
+It is now ignored with some warning messages.
 </para>
 </listitem></varlistentry>
 
@@ -3254,45 +3515,48 @@ For example,</para>
 listen-on port 1234 { !1.2.3.4; 1.2/16; };
 </programlisting>
 
-<para>will enable the nameserver on port 53 for the IP address
+<para>will enable the name server on port 53 for the IP address
 5.6.7.8, and on port 1234 of an address on the machine in net
 1.2 that is not 1.2.3.4.</para>
 
 <para>If no <command>listen-on</command> is specified, the
 server will listen on port 53 on all interfaces.</para>
 
-<para>The <command>listen-on-v6</command> option is used to
-specify the ports on which the server will listen for incoming
-queries sent using IPv6.</para>
-
-<para>The server does not bind a separate socket to each IPv6
-interface address as it does for IPv4. Instead, it always
-listens on the IPv6 wildcard address. Therefore, the only
-values allowed for the <varname>address_match_list</varname>
-argument to the <command>listen-on-v6</command> statement are
-<programlisting>{ any; }</programlisting> and
-<programlisting>{ none;}</programlisting></para>
+<para>By default, the server does not bind a separate socket to each
+IPv6 interface address as it does for IPv4. Instead, it listens on the 
+IPv6 wildcard address.
+Alternatively, a list of IPv6 addresses can be specified, in which case
+the server listens on a separate socket for each specified address.</para>
 
-<para>Multiple <command>listen-on-v6</command> options can be
-used to listen on multiple ports:</para>
+<para>Multiple <command>listen-on-v6</command> options can be used.
+For example,</para>
 
-<programlisting>listen-on-v6 port 53 { any; };
-listen-on-v6 port 1234 { any; };
+<programlisting>listen-on-v6 { any; };
+listen-on-v6 port 1234 { !3ffe::/16; any; };
 </programlisting>
+
+<para>will enable the name server on port 53 for any IPv6 addresses
+(with a single wildcard socket),
+and on port 1234 of IPv6 addresses that is not in the prefix
+3ffe::/16 (with separate sockets for each matched address.)</para>
+
 <para>To make the server not listen on any IPv6 address, use</para>
 <programlisting>listen-on-v6 { none; };
 </programlisting>
 <para>If no <command>listen-on-v6</command> statement is specified,
 the server will not listen on any IPv6 address.</para></sect3>
+
 <sect3><title>Query Address</title>
 <para>If the server doesn't know the answer to a question, it will
-query other nameservers. <command>query-source</command> specifies
+query other name servers. <command>query-source</command> specifies
 the address and port used for such queries. For queries sent over
 IPv6, there is a separate <command>query-source-v6</command> option.
-If <command>address</command> is <command>*</command> (asterisk) or is omitted,
+ If <command>address</command> is <command>*</command> or is omitted,
 a wildcard IP address (<command>INADDR_ANY</command>) will be used.
 If <command>port</command> is <command>*</command> or is omitted,
-a random unprivileged port will be used. The defaults are</para>
+a random unprivileged port will be used, <command>avoid-v4-udp-ports</command>
+and <command>avoid-v6-udp-ports</command> can be used to prevent named
+from selecting certain ports. The defaults are</para>
 <programlisting>query-source address * port *;
 query-source-v6 address * port *;
 </programlisting>
@@ -3301,15 +3565,6 @@ query-source-v6 address * port *;
 is used for both UDP and TCP queries, but the port applies only to 
 UDP queries.  TCP queries always use a random
 unprivileged port.</para></note>
-<note>
-<para>See also <command>transfer-source</command> and
-<command>notify-source</command>.</para></note>
-	<note>
-	  <para>
-	    Solaris 2.5.1 and earlier does not support setting the source
-	    address for TCP sockets.
-	  </para>
-        </note>
 </sect3>
 
 <sect3 id="zone_transfers"><title>Zone Transfers</title>
@@ -3335,25 +3590,25 @@ list (no global notification list).</para>
 <varlistentry><term><command>max-transfer-time-in</command></term>
 <listitem><para>Inbound zone transfers running longer than
 this many minutes will be terminated. The default is 120 minutes
-(2 hours).</para>
+(2 hours).  The maximum value is 28 days (40320 minutes).</para>
 </listitem></varlistentry>
 
 <varlistentry><term><command>max-transfer-idle-in</command></term>
 <listitem><para>Inbound zone transfers making no progress
 in this many minutes will be terminated. The default is 60 minutes
-(1 hour).</para>
+(1 hour).  The maximum value is 28 days (40320 minutes).</para>
 </listitem></varlistentry>
 
 <varlistentry><term><command>max-transfer-time-out</command></term>
 <listitem><para>Outbound zone transfers running longer than
 this many minutes will be terminated. The default is 120 minutes
-(2 hours).</para>
+(2 hours).  The maximum value is 28 days (40320 minutes).</para>
 </listitem></varlistentry>
 
 <varlistentry><term><command>max-transfer-idle-out</command></term>
 <listitem><para>Outbound zone transfers making no progress
 in this many minutes will be terminated.  The default is 60 minutes (1
-hour).</para>
+hour).  The maximum value is 28 days (40320 minutes).</para>
 </listitem></varlistentry>
 
 <varlistentry><term><command>serial-query-rate</command></term>
@@ -3392,8 +3647,7 @@ resource record transferred.
 possible into a message. <command>many-answers</command> is more
 efficient, but is only supported by relatively new slave servers,
 such as <acronym>BIND</acronym> 9, <acronym>BIND</acronym> 8.x and patched
-versions of <acronym>BIND</acronym> 4.9.5. The <command>many-answers</command>
-format is also supported by recent Microsoft Windows nameservers. The default is
+versions of <acronym>BIND</acronym> 4.9.5. The default is
 <command>many-answers</command>. <command>transfer-format</command>
 may be overridden on a per-server basis by using the
 <command>server</command> statement.
@@ -3416,10 +3670,10 @@ of the limit will be refused. The default value is <literal>10</literal>.</para>
 
 <varlistentry><term><command>transfers-per-ns</command></term>
 <listitem><para>The maximum number of inbound zone transfers
-that can be concurrently transferring from a given remote nameserver.
+that can be concurrently transferring from a given remote name server.
 The default value is <literal>2</literal>. Increasing <command>transfers-per-ns</command> may
 speed up the convergence of slave zones, but it also may increase
-the load on the remote nameserver. <command>transfers-per-ns</command> may
+the load on the remote name server. <command>transfers-per-ns</command> may
 be overridden on a per-server basis by using the <command>transfers</command> phrase
 of the <command>server</command> statement.</para>
 </listitem></varlistentry>
@@ -3446,6 +3700,24 @@ in the configuration file.</para>
 except zone transfers are performed using IPv6.</para>
               </listitem></varlistentry>
 
+<varlistentry><term><command>alt-transfer-source</command></term>
+<listitem><para>An alternate transfer source if the one listed in
+<command>transfer-source</command> fails and
+<command>use-alt-transfer-source</command> is set.</para>
+              </listitem></varlistentry>
+
+<varlistentry><term><command>alt-transfer-source-v6</command></term>
+<listitem><para>An alternate transfer source if the one listed in
+<command>transfer-source-v6</command> fails and
+<command>use-alt-transfer-source</command> is set.</para>
+              </listitem></varlistentry>
+
+<varlistentry><term><command>use-alt-transfer-source</command></term>
+<listitem><para>Use the alternate transfer sources or not.  If views are
+specified this defaults to <command>no</command> otherwise it defaults to
+<command>yes</command> (for BIND 8 compatibility).</para>
+</listitem></varlistentry>
+
 <varlistentry><term><command>notify-source</command></term>
 <listitem><para><command>notify-source</command> determines
 which local source address, and optionally UDP port, will be used to
@@ -3453,15 +3725,9 @@ send NOTIFY messages.
 This address must appear in the slave server's <command>masters</command>
 zone clause or in an <command>allow-notify</command> clause.
 This statement sets the <command>notify-source</command> for all zones,
-but can be overridden on a per-zone or per-view basis by including a
+but can be overridden on a per-zone / per-view basis by including a
 <command>notify-source</command> statement within the <command>zone</command>
 or <command>view</command> block in the configuration file.</para>
-               <note>
-                 <para>
-                   Solaris 2.5.1 and earlier does not support setting the
-                   source address for TCP sockets.
-                 </para>
-                 </note>
 </listitem></varlistentry>
 
 <varlistentry><term><command>notify-source-v6</command></term>
@@ -3474,6 +3740,19 @@ but applies to notify messages sent to IPv6 addresses.</para>
 </sect3>
 
 <sect3>
+<title>Bad UDP Port Lists</title>
+<para>
+<command>avoid-v4-udp-ports</command> and <command>avoid-v6-udp-ports</command>
+specify a list of IPv4 and IPv6 UDP ports that will not be used as system
+assigned source ports for UDP sockets.  These lists prevent named
+from choosing as its random source port a port that is blocked by
+your firewall.  If a query went out with such a source port, the
+answer would not get by the firewall and the name server would have
+to query again.
+</para>
+</sect3>
+
+<sect3>
 <title>Operating System Resource Limits</title>
 
 <para>The server's usage of many system resources can be limited.
@@ -3482,8 +3761,8 @@ example, <command>1G</command> can be used instead of
 <command>1073741824</command> to specify a limit of one
 gigabyte. <command>unlimited</command> requests unlimited use, or the
 maximum available amount. <command>default</command> uses the limit
-that was in force when the server was started. See the description
-of <command>size_spec</command> in <xref
+that was in force when the server was started. See the description of
+<command>size_spec</command> in <xref
 linkend="configuration_file_elements"/>.</para>
 
 <para>The following options set operating system resource limits for
@@ -3541,7 +3820,18 @@ server rather than the operating system.</para>
 
 <varlistentry><term><command>max-ixfr-log-size</command></term>
 <listitem><para>This option is obsolete; it is accepted
-and ignored for BIND 8 compatibility.</para>
+and ignored for BIND 8 compatibility.  The option
+<command>max-journal-size</command> performs a similar
+function in BIND 8.
+</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>max-journal-size</command></term>
+<listitem><para>Sets a maximum size for each journal file
+(<xref linkend="journal"/>).  When the journal file approaches
+the specified size, some of the oldest transactions in the journal
+will be automatically removed.  The default is
+<literal>unlimited</literal>.</para>
 </listitem></varlistentry>
 
 <varlistentry><term><command>recursive-clients</command></term>
@@ -3571,6 +3861,15 @@ records are purged from the cache only when their TTLs expire.
 </para>
 </listitem></varlistentry>
 
+<varlistentry><term><command>tcp-listen-queue</command></term>
+<listitem><para>The listen queue depth.  The default and minimum is 3.
+If the kernel supports the accept filter "dataready" this also controls how
+many TCP connections that will be queued in kernel space waiting for
+some data before being passed to accept.  Values less than 3 will be
+silently raised.
+</para>
+</listitem></varlistentry>
+
 </variablelist>
 
 </sect3>
@@ -3582,32 +3881,36 @@ records are purged from the cache only when their TTLs expire.
 <varlistentry><term><command>cleaning-interval</command></term>
 <listitem><para>The server will remove expired resource records
 from the cache every <command>cleaning-interval</command> minutes.
-The default is 60 minutes.
-If set to 0, no periodic cleaning will occur.</para>
+The default is 60 minutes.  The maximum value is 28 days (40320 minutes).
+If set to 0, no  periodic cleaning will occur.</para>
 </listitem></varlistentry>
 
 <varlistentry><term><command>heartbeat-interval</command></term>
 <listitem><para>The server will perform zone maintenance tasks
 for all zones marked as <command>dialup</command> whenever this
 interval expires. The default is 60 minutes. Reasonable values are up
-to 1 day (1440 minutes). If set to 0, no zone maintenance for these zones will occur.</para>
+to 1 day (1440 minutes).  The maximum value is 28 days (40320 minutes).
+If set to 0, no zone maintenance for these zones will occur.</para>
 </listitem></varlistentry>
 
 <varlistentry><term><command>interface-interval</command></term>
 <listitem><para>The server will scan the network interface list
 every <command>interface-interval</command> minutes. The default
-is 60 minutes. If set to 0, interface scanning will only occur when
-the configuration file is  loaded. After the scan, listeners will be
-started on any new interfaces (provided they are allowed by the
-<command>listen-on</command> configuration). Listeners on interfaces
-that have gone away will be cleaned up.</para>
+is 60 minutes. The maximum value is 28 days (40320 minutes).
+If set to 0, interface scanning will only occur when
+the configuration file is  loaded. After the scan, the server will
+begin listening for queries on any newly discovered
+interfaces (provided they are allowed by the
+<command>listen-on</command> configuration), and will
+stop listening on interfaces that have gone away.</para>
 </listitem></varlistentry>
 
 <varlistentry><term><command>statistics-interval</command></term>
-<listitem><para>Nameserver statistics will be logged
+<listitem><para>Name server statistics will be logged
 every <command>statistics-interval</command> minutes. The default is 
-60. If set to 0, no statistics will be logged.</para><note>
-<simpara>Not yet implemented in <acronym>BIND</acronym> 9.</simpara></note>
+60. The maximum value is 28 days (40320 minutes).
+If set to 0, no statistics will be logged.</para><note>
+<simpara>Not yet implemented in <acronym>BIND</acronym>9.</simpara></note>
 </listitem></varlistentry>
 
 </variablelist>
@@ -3616,8 +3919,8 @@ every <command>statistics-interval</command> minutes. The default is
 
 <sect3 id="topology"><title>Topology</title>
 
-<para>All other things being equal, when the server chooses a nameserver
-to query from a list of nameservers, it prefers the one that is
+<para>All other things being equal, when the server chooses a name server
+to query from a list of name servers, it prefers the one that is
 topologically closest to itself. The <command>topology</command> statement
 takes an <command>address_match_list</command> and interprets it
 in a special way. Each top-level list element is assigned a distance.
@@ -3658,9 +3961,9 @@ statement in <xref linkend="rrset_ordering"/>).
 The client resolver code should rearrange the RRs as appropriate,
 that is, using any addresses on the local net in preference to other addresses.
 However, not all resolvers can do this or are correctly configured.
-When a client is using a local server, the sorting can be performed
+When a client is using a local server the sorting can be performed
 in the server, based on the client's address. This only requires
-configuring the nameservers, not all the clients.</para>
+configuring the name servers, not all the clients.</para>
 
 <para>The <command>sortlist</command> statement (see below) takes
 an <command>address_match_list</command> and interprets it even
@@ -3738,7 +4041,7 @@ See also the <command>sortlist</command> statement,
 </programlisting>
 <para>If no class is specified, the default is <command>ANY</command>.
 If no type is specified, the default is <command>ANY</command>.
-If no name is specified, the default is "<command>*</command>" (asterisk).</para>
+If no name is specified, the default is "<command>*</command>".</para>
 <para>The legal values for <command>ordering</command> are:</para>
 <informaltable colsep = "0" rowsep = "0"><tgroup cols = "2"
     colsep = "0" rowsep = "0" tgroupstyle = "4Level-table">
@@ -3775,48 +4078,9 @@ they are not combined &mdash; the last one applies.</para>
 
 <note>
 <simpara>The <command>rrset-order</command> statement
-is not yet implemented in <acronym>BIND</acronym> 9.
-BIND 9 currently supports only a "random-cyclic" ordering,
-where the server randomly chooses a starting point within
-the RRset and returns the records in order starting at
-that point, wrapping around the end of the RRset if 
-necessary.</simpara></note>
-</sect3>
-
-<sect3 id="synthesis"><title>Synthetic IPv6 responses</title>
-
-<para>Many existing stub resolvers support IPv6 DNS lookups as defined in
-RFC1886, using AAAA records for forward lookups and "nibble labels" in
-the <literal>IP6.INT</literal> domain for reverse lookups, but do not support
-RFC2874-style lookups (using A6 records and binary labels in the
-<literal>IP6.ARPA</literal> domain).</para>
-
-<para>For those who wish to continue to use such stub resolvers rather than
-switching to the BIND 9 lightweight resolver, BIND 9 provides a way
-to automatically convert RFC1886-style lookups into
-RFC2874-style lookups and return the results as "synthetic" AAAA and
-PTR records.</para>
-
-<para>This feature is disabled by default and can be enabled on a per-client
-basis by adding a
-<command>allow-v6-synthesis { <replaceable>address_match_list</replaceable> };</command>
-clause to the <command>options</command> or <command>view</command> statement.
-When it is enabled, recursive
-AAAA queries cause the server to first try an A6 lookup and if that
-fails, an AAAA lookups.  No matter which one succeeds, the results are
-returned as a set of synthetic AAAA records.  Similarly, recursive PTR
-queries in <literal>IP6.INT</literal> will cause a
-lookup in <literal>IP6.ARPA</literal> using binary
-labels, and if that fails, another lookup in <literal>IP6.INT</literal>.
-The results are returned as a synthetic PTR record in
-<literal>ip6.int</literal>.</para>
-
-<para>The synthetic records have a TTL of zero.  DNSSEC validation of
-synthetic responses is not currently supported; therefore responses
-containing synthetic RRs will not have the AD flag set.</para>
-
-<note><para><command>allow-v6-synthesis</command> is only performed for
-clients that are supplied recursive service.</para></note>
+is not yet fully implemented in <acronym>BIND</acronym> 9.
+BIND 9 currently does not support "fixed" ordering.
+</simpara></note>
 </sect3>
 
 <sect3 id="tuning"><title>Tuning</title>
@@ -3827,13 +4091,13 @@ clients that are supplied recursive service.</para></note>
 <listitem><para>Sets the number of seconds to cache a
 lame server indication. 0 disables caching. (This is
 <emphasis role="bold">NOT</emphasis> recommended.)
-The default is <literal>600</literal> (10 minutes) and the maximum value is 
+Default is <literal>600</literal> (10 minutes). Maximum value is 
 <literal>1800</literal> (30 minutes).</para>
 
 </listitem></varlistentry>
 
 <varlistentry><term><command>max-ncache-ttl</command></term>
-<listitem><para>To reduce network traffic and increase performance,
+<listitem><para>To reduce network traffic and increase performance
 the server stores negative answers. <command>max-ncache-ttl</command> is
 used to set a maximum retention time for these answers in the server
 in seconds. The default
@@ -3842,31 +4106,26 @@ in seconds. The default
 be silently truncated to 7 days if set to a greater value.</para>
 </listitem></varlistentry>
 
-<varlistentry><term><command>host-statistics-max</command></term>
-<listitem><para>In BIND 8, specifies the maximum number of host statistics
-entries to be kept.
-Not implemented in BIND 9.
-</para></listitem></varlistentry>
-
 <varlistentry><term><command>max-cache-ttl</command></term>
-<listitem><para>Sets
+<listitem><para><command>max-cache-ttl</command> sets
 the maximum time for which the server will cache ordinary (positive)
 answers. The default is one week (7 days).</para>
 </listitem></varlistentry>
 
 <varlistentry><term><command>min-roots</command></term>
 <listitem><para>The minimum number of root servers that
-is required for a request for the root servers to be accepted. The default
+is required for a request for the root servers to be accepted. Default
 is <userinput>2</userinput>.</para>
 <note>
-<simpara>Not yet implemented in <acronym>BIND</acronym>9.</simpara></note>
+<simpara>Not implemented in <acronym>BIND</acronym>9.</simpara></note>
 </listitem></varlistentry>
 
 <varlistentry><term><command>sig-validity-interval</command></term>
 <listitem><para>Specifies the number of days into the
 future when DNSSEC signatures automatically generated as a result
 of dynamic updates (<xref linkend="dynamic_update"/>)
-will expire. The default is <literal>30</literal> days. The signature
+will expire. The default is <literal>30</literal> days.
+The maximum value is 10 years (3660 days). The signature
 inception time is unconditionally set to one hour before the current time
 to allow for a limited amount of clock skew.</para>
 </listitem></varlistentry>
@@ -3884,11 +4143,77 @@ are set by the master, giving slave server administrators little
 control over their contents.
 </para><para>
 These options allow the administrator to set a minimum and maximum
-refresh and retry time either per-zone, per-view or globally.
-These options are valid for slave and stub zones, 
+refresh and retry time either per-zone, per-view, or globally.
+These options are valid for slave and stub zones,
 and clamp the SOA refresh and retry times to the specified values.
 </para></listitem></varlistentry>
 
+<varlistentry>
+<term><command>edns-udp-size</command></term>
+<listitem><para>
+<command>edns-udp-size</command> sets the advertised EDNS UDP buffer
+size.  Valid values are 512 to 4096 (values outside this range will be
+silently adjusted).  The default value is 4096.  The usual reason for
+setting edns-udp-size to a non default value it to get UDP answers to
+pass through broken firewalls that block fragmented packets and/or
+block UDP packets that are greater than 512 bytes.
+</para></listitem></varlistentry>
+</variablelist>
+
+</sect3>
+
+<sect3 id="builtin">
+<title>Built-in server information zones</title>
+
+<para>The server provides some helpful diagnostic information
+through a number of built-in zones under the
+pseudo-top-level-domain <literal>bind</literal> in the
+<command>CHAOS</command> class.  These zones are part of a
+built-in view (see <xref linkend="view_statement_grammar"/>) of class
+<command>CHAOS</command> which is separate from the default view of
+class <command>IN</command>; therefore, any global server options
+such as <command>allow-query</command> do not apply the these zones.
+If you feel the need to disable these zones, use the options
+below, or hide the built-in <command>CHAOS</command> view by
+defining an explicit view of class <command>CHAOS</command>
+that matches all clients.</para>
+
+<variablelist>
+
+<varlistentry><term><command>version</command></term>
+<listitem><para>The version the server should report
+via a query of the name <literal>version.bind</literal>
+with type <command>TXT</command>, class <command>CHAOS</command>.
+The default is the real version number of this server.
+Specifying <command>version none</command>
+disables processing of the queries.</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>hostname</command></term>
+<listitem><para>The hostname the server should report via a query of
+the name <filename>hostname.bind</filename>
+with type <command>TXT</command>, class <command>CHAOS</command>.
+This defaults to the hostname of the machine hosting the name server as
+found by gethostname().  The primary purpose of such queries is to
+identify which of a group of anycast servers is actually
+answering your queries.  Specifying <command>hostname none;</command>
+disables processing of the queries.</para> 
+</listitem></varlistentry>
+
+<varlistentry><term><command>server-id</command></term>
+<listitem><para>The ID of the server should report via a query of
+the name <filename>ID.SERVER</filename>
+with type <command>TXT</command>, class <command>CHAOS</command>.
+The primary purpose of such queries is to
+identify which of a group of anycast servers is actually
+answering your queries.  Specifying <command>server-id none;</command>
+disables processing of the queries.
+Specifying <command>server-id hostname;</command> will cause named to
+use the hostname as found by gethostname().
+The default <command>server-id</command> is <command>none</command>.
+</para> 
+</listitem></varlistentry>
+
 </variablelist>
 
 </sect3>
@@ -3900,25 +4225,16 @@ and clamp the SOA refresh and retry times to the specified values.
 is similar, but not identical, to that
 generated by <acronym>BIND</acronym> 8.
 </para>
-<para>The statistics dump begins with a line, like:</para>
- <para>
- <command>+++ Statistics Dump +++ (973798949)</command>
- </para>
- <para>The numberr in parentheses is a standard
+<para>The statistics dump begins with the line <command>+++ Statistics Dump
++++ (973798949)</command>, where the number in parentheses is a standard
 Unix-style timestamp, measured as seconds since January 1, 1970.  Following
 that line are a series of lines containing a counter type, the value of the
 counter, optionally a zone name, and optionally a view name.
 The lines without view and zone listed are global statistics for the entire server.
 Lines with a zone and view name for the given view and zone (the view name is
-omitted for the default view).
-</para>
-<para>
-The statistics dump ends with the line where the
-number is identical to the number in the beginning line; for example:
-</para>
-<para>
-<command>--- Statistics Dump --- (973798949)</command>
-</para>
+omitted for the default view).  The statistics dump ends
+with the line <command>--- Statistics Dump --- (973798949)</command>, where the
+number is identical to the number in the beginning line.</para>
 <para>The following statistics counters are maintained:</para>
 <informaltable
     colsep = "0" rowsep = "0"><tgroup cols = "2"
@@ -3930,8 +4246,8 @@ number is identical to the number in the beginning line; for example:
 <entry colname = "1"><para><command>success</command></para></entry>
 <entry colname = "2"><para>The number of
 successful queries made to the server or zone.  A successful query
-is defined as query which returns a NOERROR response other than
-a referral response.</para></entry>
+is defined as query which returns a NOERROR response with at least
+one answer RR.</para></entry>
 </row>
 <row rowsep = "0">
 <entry colname = "1"><para><command>referral</command></para></entry>
@@ -3949,15 +4265,15 @@ NOERROR responses with no data.</para></entry>
 of queries which resulted in NXDOMAIN responses.</para></entry>
 </row>
 <row rowsep = "0">
-<entry colname = "1"><para><command>recursion</command></para></entry>
-<entry colname = "2"><para>The number of queries which caused the server
-to perform recursion in order to find the final answer.</para></entry>
-</row
-><row rowsep = "0">
 <entry colname = "1"><para><command>failure</command></para></entry>
 <entry colname = "2"><para>The number of queries which resulted in a
 failure response other than those above.</para></entry>
 </row>
+<row rowsep = "0">
+<entry colname = "1"><para><command>recursion</command></para></entry>
+<entry colname = "2"><para>The number of queries which caused the server
+to perform recursion in order to find the final answer.</para></entry>
+</row>
 </tbody>
 </tgroup></informaltable>
 
@@ -3987,6 +4303,8 @@ to be incremented, and may additionally cause the
     <optional> transfers <replaceable>number</replaceable> ; </optional>
     <optional> transfer-format <replaceable>( one-answer | many-answers )</replaceable> ; ]</optional>
     <optional> keys <replaceable>{ string ; <optional> string ; <optional>...</optional></optional> }</replaceable> ; </optional>
+    <optional> transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
+    <optional> transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
 };
 </programlisting>
 
@@ -3996,7 +4314,7 @@ to be incremented, and may additionally cause the
 <title><command>server</command> Statement Definition and Usage</title>
 
 <para>The <command>server</command> statement defines characteristics
-to be associated with a remote nameserver.</para>
+to be associated with a remote name server.</para>
 
 <para>
 The <command>server</command> statement can occur at the top level of the
@@ -4017,7 +4335,7 @@ the local server, acting as master, will respond with an incremental
 zone transfer when the given remote server, a slave, requests it.
 If set to <command>yes</command>, incremental transfer will be provided
 whenever possible. If set to <command>no</command>, all transfers
-to the remote server will be nonincremental. If not set, the value
+to the remote server will be non-incremental. If not set, the value
 of the <command>provide-ixfr</command> option in the view or
 global options block is used as a default.</para>
 
@@ -4049,16 +4367,17 @@ more efficient, but is only known to be understood by <acronym>BIND</acronym> 9,
 to use for a server with the <command>transfer-format</command> option.
 If <command>transfer-format</command> is not specified, the <command>transfer-format</command> specified
 by the <command>options</command> statement will be used.</para>
+
 <para><command>transfers</command> is used to limit the number of
 concurrent inbound zone transfers from the specified server. If
 no <command>transfers</command> clause is specified, the limit is
 set according to the <command>transfers-per-ns</command> option.</para>
 
-<para>The <command>keys</command> clause is used to identify a <command>key_id</command> defined
-by the <command>key</command> statement, to be used for transaction
-security when talking to the remote server. The <command>key</command> statement
-must come before the <command>server</command> statement that references
-it. When a request is sent to the remote server, a request signature
+<para>The <command>keys</command> clause identifies a
+<command>key_id</command> defined by the <command>key</command> statement,
+to be used for transaction security (TSIG, <xref linkend="tsig"/>)
+when talking to the remote server. 
+When a request is sent to the remote server, a request signature
 will be generated using the key specified here and appended to the
 message. A request originating from the remote server is not required
 to be signed by this key.</para>
@@ -4067,6 +4386,18 @@ to be signed by this key.</para>
 allows for multiple keys, only a single key per server is currently
 supported.</para>
 
+<para>The <command>transfer-source</command> and
+<command>transfer-source-v6</command> clauses specify the IPv4 and IPv6 source
+address to be used for zone transfer with the remote server, respectively.
+For an IPv4 remote server, only <command>transfer-source</command> can
+be specified.
+Similarly, for an IPv6 remote server, only
+<command>transfer-source-v6</command> can be specified.
+Form more details, see the description of
+<command>transfer-source</command> and
+<command>transfer-source-v6</command> in
+<xref linkend="zone_transfers"/>.</para>
+
 </sect2>
 
 <sect2><title><command>trusted-keys</command> Statement Grammar</title>
@@ -4081,7 +4412,7 @@ and Usage</title>
 <para>The <command>trusted-keys</command> statement defines DNSSEC
 security roots. DNSSEC is described in <xref linkend="DNSSEC"/>. A security root is defined when the public key for a non-authoritative
 zone is known, but cannot be securely obtained through DNS, either
-because it is the  DNS root zone or its parent zone is unsigned.
+because it is the  DNS root zone or because its parent zone is unsigned.
 Once a key has been configured as a trusted key, it is treated as
 if it had been validated and proven secure. The resolver attempts
 DNSSEC validation on all DNS data in subdomains of a security root.</para>
@@ -4089,13 +4420,15 @@ DNSSEC validation on all DNS data in subdomains of a security root.</para>
 multiple key entries, each consisting of the key's domain name,
 flags, protocol, algorithm, and the base-64 representation of the
 key data.</para></sect2>
-<sect2><title><command>view</command> Statement Grammar</title>
-<programlisting>view <replaceable>view_name</replaceable> <optional><replaceable>class</replaceable></optional> {
+
+<sect2 id="view_statement_grammar">
+<title><command>view</command> Statement Grammar</title>
+<programlisting>view <replaceable>view_name</replaceable> 
+      <optional><replaceable>class</replaceable></optional> {
       match-clients { <replaceable>address_match_list</replaceable> } ;
       match-destinations { <replaceable>address_match_list</replaceable> } ;
       match-recursive-only <replaceable>yes_or_no</replaceable> ;
       <optional> <replaceable>view_option</replaceable>; ...</optional>
-      <optional> zone-statistics <replaceable>yes_or_no</replaceable> ; </optional>
       <optional> <replaceable>zone_statement</replaceable>; ...</optional>
 };
 </programlisting></sect2>
@@ -4114,10 +4447,13 @@ a view if its source IP address matches the
 the <varname>address_match_list</varname> of the view's
 <command>match-destinations</command> clause.  If not specified, both
 <command>match-clients</command> and <command>match-destinations</command>
-default to matching all addresses.  A view can also be specified
+default to matching all addresses.  In addition to checking IP addresses
+<command>match-clients</command> and <command>match-destinations</command>
+can also take <command>keys</command> which provide an mechanism for the
+client to select the view.  A view can also be specified
 as <command>match-recursive-only</command>, which means that only recursive
 requests from matching clients will match that view.
-The order of the <command>view</command> statements is significant &mdash; 
+The order of the <command>view</command> statements is significant &mdash;
 a client request will be resolved in the context of the first
 <command>view</command> that it matches.</para>
 
@@ -4141,32 +4477,39 @@ since only the IN class has compiled-in default hints.</para>
 
 <para>If there are no <command>view</command> statements in the config
 file, a default view that matches any client is automatically created
-in class IN, and any <command>zone</command> statements specified on
+in class IN. Any <command>zone</command> statements specified on
 the top level of the configuration file are considered to be part of
-this default view.  If any explicit <command>view</command> statements
-are present, all <command>zone</command> statements must occur inside
-<command>view</command> statements.</para>
+this default view, and the <command>options</command> statement will
+apply to the default view. If any explicit <command>view</command>
+statements are present, all <command>zone</command> statements must
+occur inside <command>view</command> statements.</para>
 
 <para>Here is an example of a typical split DNS setup implemented
-using <command>view</command> statements:</para>
+using <command>view</command> statements.</para>
 <programlisting>view "internal" {
-               // This should match our internal networks.
+      // This should match our internal networks.
       match-clients { 10.0.0.0/8; };
-               // Provide recursive service to internal clients only.
+
+      // Provide recursive service to internal clients only.
       recursion yes;
-               // Provide a complete view of the example.com zone
-               // including addresses of internal hosts.
+
+      // Provide a complete view of the example.com zone
+      // including addresses of internal hosts.
       zone "example.com" {
             type master;
             file "example-internal.db";
       };
 };
+
 view "external" {
+      // Match all clients not matched by the previous view.
       match-clients { any; };
-               // Refuse recursive service to external clients.
+
+      // Refuse recursive service to external clients.
       recursion no;
-               // Provide a restricted view of the example.com zone
-               // containing only publicly accessible hosts.
+
+      // Provide a restricted view of the example.com zone
+      // containing only publicly accessible hosts.
       zone "example.com" {
            type master;
            file "example-external.db";
@@ -4176,53 +4519,25 @@ view "external" {
 </sect2>
 <sect2 id="zone_statement_grammar"><title><command>zone</command>
 Statement Grammar</title>
-<programlisting>zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
-    type master;
+      <programlisting>zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> <optional>{ 
+    type ( master | slave | hint | stub | forward | delegation-only ) ;
+    <optional> allow-notify { <replaceable>address_match_list</replaceable> } ; </optional>
     <optional> allow-query { <replaceable>address_match_list</replaceable> } ; </optional>
     <optional> allow-transfer { <replaceable>address_match_list</replaceable> } ; </optional>
     <optional> allow-update { <replaceable>address_match_list</replaceable> } ; </optional>
     <optional> update-policy { <replaceable>update_policy_rule</replaceable> <optional>...</optional> } ; </optional>
-    <optional> also-notify { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
-    <optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
-    <optional> dialup <replaceable>dialup_option</replaceable> ; </optional>
-    <optional> file <replaceable>string</replaceable> ; </optional>
-    <optional> forward (<constant>only</constant>|<constant>first</constant>) ; </optional>
-    <optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
-    <optional> ixfr-base <replaceable>string</replaceable> ; </optional>
-    <optional> ixfr-tmp-file <replaceable>string</replaceable> ; </optional>
-    <optional> maintain-ixfr-base <replaceable>yes_or_no</replaceable> ; </optional>
-    <optional> max-ixfr-log-size <replaceable>number</replaceable> ; </optional>
-    <optional> max-transfer-idle-out <replaceable>number</replaceable> ; </optional>
-    <optional> max-transfer-time-out <replaceable>number</replaceable> ; </optional>
-    <optional> notify <replaceable>yes_or_no</replaceable> | <replaceable>explicit</replaceable> ; </optional>
-    <optional> pubkey <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; </optional>
-    <optional> notify-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
-    <optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
-    <optional> zone-statistics <replaceable>yes_or_no</replaceable> ; </optional>
-    <optional> sig-validity-interval <replaceable>number</replaceable> ; </optional>
-    <optional> database <replaceable>string</replaceable> ; </optional>
-    <optional> min-refresh-time <replaceable>number</replaceable> ; </optional>
-    <optional> max-refresh-time <replaceable>number</replaceable> ; </optional>
-    <optional> min-retry-time <replaceable>number</replaceable> ; </optional>
-    <optional> max-retry-time <replaceable>number</replaceable> ; </optional>
-};
-
-zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
-    type slave;
-    <optional> allow-notify { <replaceable>address_match_list</replaceable> } ; </optional>
-    <optional> allow-query { <replaceable>address_match_list</replaceable> } ; </optional>
-    <optional> allow-transfer { <replaceable>address_match_list</replaceable> } ; </optional>
     <optional> allow-update-forwarding { <replaceable>address_match_list</replaceable> } ; </optional>
     <optional> also-notify { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
     <optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
     <optional> dialup <replaceable>dialup_option</replaceable> ; </optional>
+    <optional> delegation-only <replaceable>yes_or_no</replaceable> ; </optional>
     <optional> file <replaceable>string</replaceable> ; </optional>
     <optional> forward (<constant>only</constant>|<constant>first</constant>) ; </optional>
-    <optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
+    <optional> forwarders { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
     <optional> ixfr-base <replaceable>string</replaceable> ; </optional>
     <optional> ixfr-tmp-file <replaceable>string</replaceable> ; </optional>
     <optional> maintain-ixfr-base <replaceable>yes_or_no</replaceable> ; </optional>
-    <optional> masters <optional>port <replaceable>ip_port</replaceable></optional> { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> <optional>key <replaceable>key</replaceable></optional>; <optional>...</optional> } ; </optional>
+    <optional> masters <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>masters_list</replaceable> | <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> <optional>key <replaceable>key</replaceable></optional> ) ; <optional>...</optional> } ; </optional>
     <optional> max-ixfr-log-size <replaceable>number</replaceable> ; </optional>
     <optional> max-transfer-idle-in <replaceable>number</replaceable> ; </optional>
     <optional> max-transfer-idle-out <replaceable>number</replaceable> ; </optional>
@@ -4232,57 +4547,22 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
     <optional> pubkey <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; </optional>
     <optional> transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
     <optional> transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
+    <optional> alt-transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
+    <optional> alt-transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
+    <optional> use-alt-transfer-source <replaceable>yes_or_no</replaceable>; </optional>
     <optional> notify-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
     <optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
     <optional> zone-statistics <replaceable>yes_or_no</replaceable> ; </optional>
+    <optional> sig-validity-interval <replaceable>number</replaceable> ; </optional>
     <optional> database <replaceable>string</replaceable> ; </optional>
     <optional> min-refresh-time <replaceable>number</replaceable> ; </optional>
     <optional> max-refresh-time <replaceable>number</replaceable> ; </optional>
     <optional> min-retry-time <replaceable>number</replaceable> ; </optional>
     <optional> max-retry-time <replaceable>number</replaceable> ; </optional>
-};
-
-zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
-    type hint;
-    <optional> forward (<constant>only</constant>|<constant>first</constant>) ; </optional>
-    <optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
-    <optional> delegation-only <replaceable>yes_or_no</replaceable> ; </optional>
-    <optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
-};
-
-zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
-    type stub;
-    <optional> allow-query { <replaceable>address_match_list</replaceable> } ; </optional>
-    <optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
-    <optional> dialup <replaceable>dialup_option</replaceable> ; </optional>
-    <optional> delegation-only <replaceable>yes_or_no</replaceable> ; </optional>
-    <optional> file <replaceable>string</replaceable> ; </optional>
-    <optional> forward (<constant>only</constant>|<constant>first</constant>) ; </optional>
-    <optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
-    <optional> masters <optional>port <replaceable>ip_port</replaceable></optional> { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> <optional>key <replaceable>key</replaceable></optional>; <optional>...</optional> } ; </optional>
-    <optional> max-transfer-idle-in <replaceable>number</replaceable> ; </optional>
-    <optional> max-transfer-time-in <replaceable>number</replaceable> ; </optional>
-    <optional> pubkey <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; </optional>
-    <optional> transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
-    <optional> transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
-    <optional> zone-statistics <replaceable>yes_or_no</replaceable> ; </optional>
-    <optional> database <replaceable>string</replaceable> ; </optional>
-    <optional> min-refresh-time <replaceable>number</replaceable> ; </optional>
-    <optional> max-refresh-time <replaceable>number</replaceable> ; </optional>
-    <optional> min-retry-time <replaceable>number</replaceable> ; </optional>
-    <optional> max-retry-time <replaceable>number</replaceable> ; </optional>
-};
-
-zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
-    type forward;
-    <optional> forward (<constant>only</constant>|<constant>first</constant>) ; </optional>
-    <optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
-    <optional> delegation-only <replaceable>yes_or_no</replaceable> ; </optional>
-};
+    <optional> multi-master <replaceable>yes_or_no</replaceable> ; </optional>
+    <optional> key-directory <replaceable>path_name</replaceable>; </optional>
 
-zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
-    type delegation-only;
-};
+}</optional>;
 </programlisting>
 </sect2>
 <sect2><title><command>zone</command> Statement Definition and Usage</title>
@@ -4304,6 +4584,7 @@ it.</para></entry>
 <entry colname = "2"><para>A slave zone is a replica of a master
 zone. The <command>masters</command> list specifies one or more IP addresses
 of master servers that the slave contacts to update its copy of the zone.
+Masters list elements can also be names of other masters lists.
 By default, transfers are made from port 53 on the servers; this can
 be changed for all servers by specifying a port number before the
 list of IP addresses, or on a per-server basis after the IP address.
@@ -4311,15 +4592,16 @@ Authentication to the master can also be done with per-server TSIG keys.
 If a file is specified, then the
 replica will be written to this file whenever the zone is changed,
 and reloaded from this file on a server restart. Use of a file is
-recommended, since it often speeds server startup and eliminates
+recommended, since it often speeds server start-up and eliminates
 a needless waste of bandwidth. Note that for large numbers (in the
 tens or hundreds of thousands) of zones per server, it is best to
-use a two-level naming scheme for zone filenames. For example,
+use a two level naming scheme for zone file names. For example,
 a slave server for the zone <literal>example.com</literal> might place
 the zone contents into a file called
 <filename>ex/example.com</filename> where <filename>ex/</filename> is
 just the first two letters of the zone name. (Most operating systems
-behave very slowly if you put 100K files into a single directory.)</para></entry>
+behave very slowly if you put 100 000 files into
+a single directory.)</para></entry>
 </row>
 <row rowsep = "0">
 <entry colname = "1"><para><varname>stub</varname></para></entry>
@@ -4347,7 +4629,7 @@ configured.</para>
 <para>Stub zones can also be used as a way of forcing the resolution
 of a given domain to use a particular set of authoritative servers.
 For example, the caching name servers on a private network using
-RFC1918 addressing may be configured with stub zones for
+RFC1981 addressing may be configured with stub zones for
 <literal>10.in-addr.arpa</literal>
 to use a set of internal name servers as the authoritative
 servers for that domain.</para>
@@ -4364,17 +4646,17 @@ an empty list for <command>forwarders</command> is given, then no
 forwarding will be done for the domain, canceling the effects of
 any forwarders in the <command>options</command> statement. Thus
 if you want to use this type of zone to change the behavior of the
-global <command>forward</command> option (that is, "forward first"
-to, then "forward only", or vice versa, but want to use the same
-servers as set globally) you need to respecify the global forwarders.</para>
+global <command>forward</command> option (that is, "forward first
+to", then "forward only", or vice versa, but want to use the same
+servers as set globally) you need to re-specify the global forwarders.</para>
 </entry>
 </row>
 <row rowsep = "0">
 <entry colname = "1"><para><varname>hint</varname></para></entry>
-<entry colname = "2"><para>The initial set of root nameservers is
+<entry colname = "2"><para>The initial set of root name servers is
 specified using a "hint zone". When the server starts up, it uses
-the root hints to find a root nameserver and get the most recent
-list of root nameservers. If no hint zone is specified for class
+the root hints to find a root name server and get the most recent
+list of root name servers. If no hint zone is specified for class
 IN, the server uses a compiled-in default set of root servers hints.
 Classes other than IN have no built-in defaults hints.</para></entry>
 </row>
@@ -4382,7 +4664,7 @@ Classes other than IN have no built-in defaults hints.</para></entry>
 <entry colname = "1"><para><varname>delegation-only</varname></para></entry>
 <entry colname = "2"><para>This is used to enforce the delegation only
 status of infrastructure zones (e.g. COM, NET, ORG).  Any answer that
-is received without a explicit or implict delegation in the authority
+is received without a explicit or implicit delegation in the authority
 section will be treated as NXDOMAIN.  This does not apply to the zone
 apex.  This SHOULD NOT be applied to leaf zones.</para>
 <para><varname>delegation-only</varname> has no effect on answers received
@@ -4401,7 +4683,7 @@ used to share information about various systems databases, such
 as users, groups, printers and so on. The keyword 
 <literal>HS</literal> is
 a synonym for hesiod.</para>
-<para>Another MIT development is Chaosnet, a LAN protocol created
+<para>Another MIT development is CHAOSnet, a LAN protocol created
 in the mid-1970s. Zone data for it can be specified with the <literal>CHAOS</literal> class.</para></sect3>
 <sect3>
 
@@ -4411,12 +4693,12 @@ in the mid-1970s. Zone data for it can be specified with the <literal>CHAOS</lit
 
 <varlistentry><term><command>allow-notify</command></term>
 <listitem><para>See the description of
-<command>allow-notify</command> in <xref linkend="access_control"/>.</para>
+<command>allow-notify</command> in <xref linkend="access_control"/></para>
 </listitem></varlistentry>
 
 <varlistentry><term><command>allow-query</command></term>
 <listitem><para>See the description of
-<command>allow-query</command> in <xref linkend="access_control"/>.</para>
+<command>allow-query</command> in <xref linkend="access_control"/></para>
 </listitem></varlistentry>
 
 <varlistentry><term><command>allow-transfer</command></term>
@@ -4427,7 +4709,10 @@ in <xref linkend="access_control"/>.</para>
 <varlistentry><term><command>allow-update</command></term>
 <listitem><para>Specifies which hosts are allowed to
 submit Dynamic DNS updates for master zones. The default is to deny
-updates from all hosts.</para>
+updates from all hosts.  Note that allowing updates based
+on the requestor's IP address is insecure; see
+<xref linkend="dynamic_update_security"/> for details.
+</para>
 </listitem></varlistentry>
 
 <varlistentry><term><command>update-policy</command></term>
@@ -4436,27 +4721,15 @@ updates from all hosts.</para>
 </listitem></varlistentry>
 
 <varlistentry><term><command>allow-update-forwarding</command></term>
-<listitem><para>Specifies which hosts are allowed to
-submit Dynamic DNS updates to slave zones to be forwarded to the
-master.  The default is <userinput>{ none; }</userinput>, which 
-means that no update forwarding will be performed.  To enable
-update forwarding, specify
-<userinput>allow-update-forwarding { any; };</userinput>.
-Specifying values other than <userinput>{ none; }</userinput> or
-<userinput>{ any; }</userinput> is usually counterproductive, since
-the responsibility for update access control should rest with the 
-master server, not the slaves.</para>
-<para>Note that enabling the update forwarding feature on a slave server
-may expose master servers relying on insecure IP address based
-access control to attacks; see <xref linkend="dynamic_update_security"/>
-for more details.</para>
+<listitem><para>See the description of <command>allow-update-forwarding</command>
+in <xref linkend="access_control"/>.</para>
 </listitem></varlistentry>
 
 <varlistentry><term><command>also-notify</command></term>
 <listitem><para>Only meaningful if <command>notify</command> is
 active for this zone. The set of machines that will receive a 
 <literal>DNS NOTIFY</literal> message
-for this zone is made up of all the listed nameservers (other than
+for this zone is made up of all the listed name servers (other than
 the primary master) for the zone plus any IP addresses specified
 with <command>also-notify</command>. A port may be specified
 with each <command>also-notify</command> address to send the notify
@@ -4495,7 +4768,7 @@ with the distribution but none are linked in by default.</para>
 
 <varlistentry><term><command>delegation-only</command></term>
 <listitem><para>The flag only applies to hint and stub zones.  If set
-to <userinput>yes</userinput>, then the zone will also be treated as if it
+to <userinput>yes</userinput> then the zone will also be treated as if it
 is also a delegation-only type zone.
 </para>
 </listitem></varlistentry>
@@ -4510,7 +4783,7 @@ allow a normal lookup to be tried.</para>
 <varlistentry><term><command>forwarders</command></term>
 <listitem><para>Used to override the list of global forwarders.
 If it is not specified in a zone of type <command>forward</command>,
-no forwarding is done for the zone and the global options are not used.</para>
+no forwarding is done for the zone; the global options are not used.</para>
 </listitem></varlistentry>
 
 <varlistentry><term><command>ixfr-base</command></term>
@@ -4555,7 +4828,7 @@ Ignored in <acronym>BIND</acronym> 9.</para>
 <listitem><para>In <acronym>BIND</acronym> 8, this option was intended for specifying
 a public zone key for verification of signatures in DNSSEC signed
 zones when they are loaded from disk. <acronym>BIND</acronym> 9 does not verify signatures
-on loading and ignores the option.</para>
+on load and ignores the option.</para>
 </listitem></varlistentry>
 
 <varlistentry><term><command>zone-statistics</command></term>
@@ -4571,19 +4844,38 @@ information for this zone, which can be dumped to the
 
 <varlistentry><term><command>transfer-source</command></term>
 <listitem><para>See the description of
-<command>transfer-source</command> in <xref linkend="zone_transfers"/>.
+<command>transfer-source</command> in <xref linkend="zone_transfers"/>
 </para>
 </listitem></varlistentry>
 
 <varlistentry><term><command>transfer-source-v6</command></term>
 <listitem><para>See the description of
-<command>transfer-source-v6</command> in <xref linkend="zone_transfers"/>.
+<command>transfer-source-v6</command> in <xref linkend="zone_transfers"/>
+</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>alt-transfer-source</command></term>
+<listitem><para>See the description of
+<command>alt-transfer-source</command> in <xref linkend="zone_transfers"/>
+</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>alt-transfer-source-v6</command></term>
+<listitem><para>See the description of
+<command>alt-transfer-source-v6</command> in <xref linkend="zone_transfers"/>
+</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>use-alt-transfer-source</command></term>
+<listitem><para>See the description of
+<command>use-alt-transfer-source</command> in <xref linkend="zone_transfers"/>
 </para>
 </listitem></varlistentry>
 
+
 <varlistentry><term><command>notify-source</command></term>
 <listitem><para>See the description of
-<command>notify-source</command> in <xref linkend="zone_transfers"/>.
+<command>notify-source</command> in <xref linkend="zone_transfers"/>
 </para>
 </listitem></varlistentry>
 
@@ -4602,6 +4894,21 @@ information for this zone, which can be dumped to the
 See the description in <xref linkend="tuning"/>.
 </para></listitem></varlistentry>
 
+<varlistentry><term><command>ixfr-from-differences</command></term>
+<listitem><para>See the description of
+<command>ixfr-from-differences</command> in <xref linkend="boolean_options"/>.</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>key-directory</command></term>
+<listitem><para>See the description of
+<command>key-directory</command> in <xref linkend="options"/></para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>multi-master</command></term>
+<listitem><para>See the description of
+<command>multi-master</command> in <xref linkend="boolean_options"/>.</para>
+</listitem></varlistentry>
+
 </variablelist>
 
 </sect3>
@@ -4633,10 +4940,21 @@ examines the signer of a message; the source address is not relevant.</para>
 successfully matched a rule, the operation is immediately granted
 or denied and no further rules are examined.  A rule is matched
 when the signer matches the identity field, the name matches the
-name field, and the type is specified in the type field.</para>
-<para>The identity field specifies a name or a wildcard name.  The
-nametype field has 4 values: <varname>name</varname>, <varname>subdomain</varname>, <varname>wildcard</varname>,
-and <varname>self</varname>
+name field in accordance with the nametype field, and the type matches
+the types specified in the type field.</para>
+
+<para>The identity field specifies a name or a wildcard name.  Normally, this
+is the name of the TSIG or SIG(0) key used to sign the update request.  When a
+TKEY exchange has been used to create a shared secret, the identity of the
+shared secret is the same as the identity of the key used to authenticate the
+TKEY exchange.  When the <replaceable>identity</replaceable> field specifies a
+wildcard name, it is subject to DNS wildcard expansion, so the rule will apply
+to multiple identities.  The <replaceable>identity</replaceable> field must
+contain a fully qualified domain name.</para>
+
+<para>The <replaceable>nametype</replaceable> field has 4 values:
+<varname>name</varname>, <varname>subdomain</varname>,
+<varname>wildcard</varname>, and <varname>self</varname>.
 </para>
 <informaltable>
             <tgroup cols = "2" colsep = "0"
@@ -4646,29 +4964,44 @@ and <varname>self</varname>
 <tbody>
 <row rowsep = "0">
 <entry colname = "1"><para><varname>name</varname></para></entry>
-<entry colname = "2"><para>Matches when the updated name is the
-same as the name in the name field.</para></entry>
+<entry colname = "2"><para>Exact-match semantics.  This rule matches when the
+name being updated is identical to the contents of the
+<replaceable>name</replaceable> field.</para></entry>
 </row>
 <row rowsep = "0">
 <entry colname = "1"><para><varname>subdomain</varname></para></entry>
-<entry colname = "2"><para>Matches when the updated name is a subdomain
-of the name in the name field (which includes the name itself).</para></entry>
+<entry colname = "2"><para>This rule matches when the name being updated
+is a subdomain of, or identical to, the contents of the
+<replaceable>name</replaceable> field.</para></entry>
 </row>
 <row rowsep = "0">
 <entry colname = "1"><para><varname>wildcard</varname></para></entry>
-<entry colname = "2"><para>Matches when the updated name is a valid
-expansion of the wildcard name in the name field.</para></entry>
+<entry colname = "2"><para>The <replaceable>name</replaceable> field is
+subject to DNS wildcard expansion, and this rule matches when the name
+being updated name is a valid expansion of the wildcard.</para></entry>
 </row>
 <row rowsep = "0">
 <entry colname = "1"><para><varname>self</varname></para></entry>
-<entry colname = "2"><para>Matches when the updated name is the
-same as the message signer. The name field is ignored.</para></entry>
+<entry colname = "2"><para>This rule matches when the name being updated
+matches the contents of the <replaceable>identity</replaceable> field.
+The <replaceable>name</replaceable> field is ignored, but should be
+the same as the <replaceable>identity</replaceable> field.  The
+<varname>self</varname> nametype is most useful when allowing using
+one key per name to update, where the key has the same name as the name
+to be updated.  The <replaceable>identity</replaceable> would be
+specified as <constant>*</constant> in this case.</para></entry>
 </row>
 </tbody>
 </tgroup></informaltable>
-<para>If no types are specified, the rule matches all types except
+
+<para>In all cases, the <replaceable>name</replaceable> field must
+specify a fully qualified domain name.</para>
+
+<para>If no types are explicitly specified, this rule matches all types except
 SIG, NS, SOA, and NXT. Types may be specified by name, including
 "ANY" (ANY matches all types except NXT, which can never be updated).
+Note that when an attempt is made to delete all records associated with a
+name, the rules are checked for each existing record type.
 </para>
       </sect3>
     </sect2>
@@ -4688,7 +5021,7 @@ and implemented in the DNS. These are also included.</para>
         resource information, which may be empty.  The set of resource
         information associated with a particular name is composed of
         separate RRs. The order of RRs in a set is not significant and
-        need not be preserved by nameservers, resolvers, or other
+        need not be preserved by name servers, resolvers, or other
         parts of the DNS. However, sorting of multiple RRs is
         permitted for optimization purposes, for example, to specify
         that a particular nearby server be tried first. See <xref
@@ -4708,32 +5041,29 @@ and implemented in the DNS. These are also included.</para>
 </row>
 <row rowsep = "0">
 <entry colname = "1"><para>type</para></entry>
-<entry colname = "2"><para>an encoded 16-bit value that specifies
-the type of the resource in this resource record. Types refer to
-abstract resources.</para></entry>
+<entry colname = "2"><para>an encoded 16 bit value that specifies
+the type of the resource record.</para></entry>
 </row>
 <row rowsep = "0">
 <entry colname = "1"><para>TTL</para></entry>
-<entry colname = "2"><para>the time-to-live of the RR. This field
-is a 32-bit integer in units of seconds, and is primarily used by
+<entry colname = "2"><para>the time to live of the RR. This field
+is a 32 bit integer in units of seconds, and is primarily used by
 resolvers when they cache RRs. The TTL describes how long a RR can
 be cached before it should be discarded.</para></entry>
 </row>
 <row rowsep = "0">
 <entry colname = "1"><para>class</para></entry>
-<entry colname = "2"><para>an encoded 16-bit value that identifies
+<entry colname = "2"><para>an encoded 16 bit value that identifies
 a protocol family or instance of a protocol.</para></entry>
 </row>
 <row rowsep = "0">
 <entry colname = "1"><para>RDATA</para></entry>
-<entry colname = "2"><para>the type and sometimes class-dependent
-data that describes the resource.</para></entry>
+<entry colname = "2"><para>the resource data.  The format of the
+data is type (and sometimes class) specific.</para></entry>
 </row>
 </tbody>
 </tgroup></informaltable>
-<para>The following are <emphasis>types</emphasis> of valid RRs
-(some of these listed, although not obsolete, are experimental (x)
-or historical (h) and no longer in general use):</para>
+<para>The following are <emphasis>types</emphasis> of valid RRs:</para>
 <informaltable colsep = "0"
     rowsep = "0"><tgroup cols = "2" colsep = "0"
     rowsep = "0" tgroupstyle = "4Level-table">
@@ -4742,135 +5072,154 @@ or historical (h) and no longer in general use):</para>
 <tbody>
 <row rowsep = "0">
 <entry colname = "1"><para>A</para></entry>
-<entry colname = "2"><para>a host address.</para></entry>
+<entry colname = "2"><para>a host address.  In the IN class, this is a
+32-bit IP address.  Described in RFC 1035.</para></entry>
 </row>
 <row rowsep = "0">
-<entry colname = "1"><para>A6</para></entry>
-<entry colname = "2"><para>an IPv6 address.</para></entry>
+<entry colname = "1"><para>AAAA</para></entry>
+<entry colname = "2"><para>IPv6 address.  Described in RFC 1886.</para></entry>
 </row>
 <row rowsep = "0">
-<entry colname = "1"><para>AAAA</para></entry>
-<entry colname = "2"><para>Obsolete format of IPv6 address</para></entry>
+<entry colname = "1"><para>A6</para></entry>
+<entry colname = "2"><para>IPv6 address.  This can be a partial
+address (a suffix) and an indirection to the name where the rest of the
+address (the prefix) can be found.  Experimental.  Described in RFC 2874.</para></entry>
 </row>
 <row rowsep = "0">
 <entry colname = "1"><para>AFSDB</para></entry>
-<entry colname = "2"><para>(x) location of AFS database servers.
-Experimental.</para></entry>
+<entry colname = "2"><para>location of AFS database servers.
+Experimental.  Described in RFC 1183.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para>APL</para></entry>
+<entry colname = "2"><para>address prefix list.  Experimental.
+Described in RFC 3123.</para></entry>
 </row>
 <row rowsep = "0">
 <entry colname = "1"><para>CERT</para></entry>
-<entry colname = "2"><para>holds a digital certificate.</para></entry>
+<entry colname = "2"><para>holds a digital certificate.
+Described in RFC 2538.</para></entry>
 </row>
 <row rowsep = "0">
 <entry colname = "1"><para>CNAME</para></entry>
-<entry colname = "2"><para>identifies the canonical name of an alias.</para></entry>
+<entry colname = "2"><para>identifies the canonical name of an alias.
+Described in RFC 1035.</para></entry>
 </row>
 <row rowsep = "0">
 <entry colname = "1"><para>DNAME</para></entry>
-<entry colname = "2"><para>for delegation of reverse addresses.
-Replaces the domain name specified with another name to be looked
-up. Described in RFC 2672.</para></entry>
+<entry colname = "2"><para>Replaces the domain name specified with
+another name to be looked up, effectively aliasing an entire
+subtree of the domain name space rather than a single record
+as in the case of the CNAME RR.
+Described in RFC 2672.</para></entry>
 </row>
 <row rowsep = "0">
 <entry colname = "1"><para>GPOS</para></entry>
-<entry colname = "2"><para>Specifies the global position. Superseded by LOC.</para></entry>
+<entry colname = "2"><para>Specifies the global position.  Superseded by LOC.</para></entry>
 </row>
 <row rowsep = "0">
 <entry colname = "1"><para>HINFO</para></entry>
-<entry colname = "2"><para>identifies the CPU and OS used by a host.</para></entry>
+<entry colname = "2"><para>identifies the CPU and OS used by a host.
+Described in RFC 1035.</para></entry>
 </row>
 <row rowsep = "0">
 <entry colname = "1"><para>ISDN</para></entry>
-<entry colname = "2"><para>(x) representation of ISDN addresses.
-Experimental.</para></entry>
+<entry colname = "2"><para>representation of ISDN addresses.
+Experimental.  Described in RFC 1183.</para></entry>
 </row>
 <row rowsep = "0">
 <entry colname = "1"><para>KEY</para></entry>
 <entry colname = "2"><para>stores a public key associated with a
-DNS name.</para></entry>
+DNS name.  Described in RFC 2535.</para></entry>
 </row>
 <row rowsep = "0">
 <entry colname = "1"><para>KX</para></entry>
 <entry colname = "2"><para>identifies a key exchanger for this
-DNS name.</para></entry>
+DNS name.  Described in RFC 2230.</para></entry>
 </row>
 <row rowsep = "0">
 <entry colname = "1"><para>LOC</para></entry>
-<entry colname = "2"><para>(x) for storing GPS info. See RFC 1876.
+<entry colname = "2"><para>for storing GPS info.  Described in RFC 1876.
 Experimental.</para></entry>
 </row>
 <row rowsep = "0">
 <entry colname = "1"><para>MX</para></entry>
 <entry colname = "2"><para>identifies a mail exchange for the domain.
- See RFC 974 for details.</para></entry>
+a 16 bit preference value (lower is better)
+followed by the host name of the mail exchange.
+Described in RFC 974, RFC 1035.</para></entry>
 </row>
 <row rowsep = "0">
 <entry colname = "1"><para>NAPTR</para></entry>
-<entry colname = "2"><para>name authority pointer.</para></entry>
+<entry colname = "2"><para>name authority pointer.  Described in RFC 2915.</para></entry>
 </row>
 <row rowsep = "0">
 <entry colname = "1"><para>NSAP</para></entry>
-<entry colname = "2"><para>a network service access point.</para></entry>
+<entry colname = "2"><para>a network service access point.
+Described in RFC 1706.</para></entry>
 </row>
 <row rowsep = "0">
 <entry colname = "1"><para>NS</para></entry>
-<entry colname = "2"><para>the authoritative nameserver for the
-domain.</para></entry>
+<entry colname = "2"><para>the authoritative name server for the
+domain.  Described in RFC 1035.</para></entry>
 </row>
 <row rowsep = "0">
 <entry colname = "1"><para>NXT</para></entry>
 <entry colname = "2"><para>used in DNSSEC to securely indicate that
 RRs with an owner name in a certain name interval do not exist in
 a zone and indicate what RR types are present for an existing name.
-See RFC 2535 for details.</para></entry>
+Described in RFC 2535.</para></entry>
 </row>
 <row rowsep = "0">
 <entry colname = "1"><para>PTR</para></entry>
 <entry colname = "2"><para>a pointer to another part of the domain
-name space.</para></entry>
+name space.  Described in RFC 1035.</para></entry>
 </row>
 <row rowsep = "0">
 <entry colname = "1"><para>PX</para></entry>
 <entry colname = "2"><para>provides mappings between RFC 822 and X.400
-addresses.</para></entry>
+addresses.  Described in RFC 2163.</para></entry>
 </row>
 <row rowsep = "0">
 <entry colname = "1"><para>RP</para></entry>
-<entry colname = "2"><para>(x) information on persons responsible
-for the domain. Experimental.</para></entry>
+<entry colname = "2"><para>information on persons responsible
+for the domain.  Experimental.  Described in RFC 1183.</para></entry>
 </row>
 <row rowsep = "0">
 <entry colname = "1"><para>RT</para></entry>
-<entry colname = "2"><para>(x) route-through binding for hosts that
-do not have their own direct wide area network addresses. Experimental.</para></entry>
+<entry colname = "2"><para>route-through binding for hosts that
+do not have their own direct wide area network addresses.
+Experimental.  Described in RFC 1183.</para></entry>
 </row>
 <row rowsep = "0">
 <entry colname = "1"><para>SIG</para></entry>
 <entry colname = "2"><para>("signature") contains data authenticated
-in the secure DNS. See RFC 2535 for details.</para></entry>
+in the secure DNS.  Described in RFC 2535.</para></entry>
 </row>
 <row rowsep = "0">
 <entry colname = "1"><para>SOA</para></entry>
-<entry colname = "2"><para>identifies the start of a zone of authority.</para></entry>
+<entry colname = "2"><para>identifies the start of a zone of authority.
+Described in RFC 1035.</para></entry>
 </row>
 <row rowsep = "0">
 <entry colname = "1"><para>SRV</para></entry>
 <entry colname = "2"><para>information about well known network
-services (replaces WKS).</para></entry>
+services (replaces WKS).  Described in RFC 2782.</para></entry>
 </row>
 <row rowsep = "0">
 <entry colname = "1"><para>TXT</para></entry>
-<entry colname = "2"><para>text records.</para></entry>
+<entry colname = "2"><para>text records.  Described in RFC 1035.</para></entry>
 </row>
 <row rowsep = "0">
 <entry colname = "1"><para>WKS</para></entry>
-<entry colname = "2"><para>(h) information about which well known
-network services, such as SMTP, that a domain supports. Historical,
-replaced by newer RR SRV.</para></entry>
+<entry colname = "2"><para>information about which well known
+network services, such as SMTP, that a domain supports. Historical.
+</para></entry>
 </row>
 <row rowsep = "0">
 <entry colname = "1"><para>X25</para></entry>
-<entry colname = "2"><para>(x) representation of X.25 network addresses. Experimental.</para></entry>
+<entry colname = "2"><para>representation of X.25 network addresses.
+Experimental.  Described in RFC 1183.</para></entry>
 </row>
 </tbody>
 </tgroup></informaltable>
@@ -4881,65 +5230,37 @@ are currently valid in the DNS:</para><informaltable colsep = "0"
 <colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.875in"/>
 <colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.625in"/>
 <tbody>
+
 <row rowsep = "0">
 <entry colname = "1"><para>IN</para></entry>
-<entry colname = "2"><para>the Internet system.</para></entry>
-</row>
-<row rowsep = "0">
-<entry nameend = "2" namest = "1"><para>For information about other,
-older classes of RRs, see <xref linkend="classes_of_resource_records"/>.</para></entry>
-</row>
-</tbody>
-</tgroup></informaltable>
-<para><emphasis>RDATA</emphasis> is the type-dependent or class-dependent
-data that describes the resource:</para><informaltable colsep = "0"
-    rowsep = "0"><tgroup cols = "2" colsep = "0" rowsep = "0"
-    tgroupstyle = "4Level-table">
-<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.875in"/>
-<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.625in"/>
-<tbody>
-<row rowsep = "0">
-<entry colname = "1"><para>A</para></entry>
-<entry colname = "2"><para>for the IN class, a 32-bit IP address.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>A6</para></entry>
-<entry colname = "2"><para>maps a domain name to an IPv6 address,
-with a provision for indirection for leading "prefix" bits.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>CNAME</para></entry>
-<entry colname = "2"><para>a domain name.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>DNAME</para></entry>
-<entry colname = "2"><para>provides alternate naming to an entire
-subtree of the domain name space, rather than to a single node.
- It causes some suffix of a queried name to be substituted with
-a name from the DNAME record's RDATA.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>MX</para></entry>
-<entry colname = "2"><para>a 16-bit preference value (lower is better)
-followed by a host name willing to act as a mail exchange for the
-owner domain.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>NS</para></entry>
-<entry colname = "2"><para>a fully-qualified domain name.</para></entry>
+<entry colname = "2"><para>The Internet.</para></entry>
 </row>
+
 <row rowsep = "0">
-<entry colname = "1"><para>PTR</para></entry>
-<entry colname = "2"><para>a fully-qualified domain name.</para></entry>
+<entry colname = "1"><para>CH</para></entry>
+<entry colname = "2"><para>
+CHAOSnet, a LAN protocol created at MIT in the mid-1970s.
+Rarely used for its historical purpose, but reused for BIND's
+built-in server information zones, e.g.,
+<literal>version.bind</literal>.
+</para></entry>
 </row>
+
 <row rowsep = "0">
-<entry colname = "1"><para>SOA</para></entry>
-<entry colname = "2"><para>several fields.</para></entry>
+<entry colname = "1"><para>HS</para></entry>
+<entry colname = "2"><para>
+Hesiod, an information service
+developed by MIT's Project Athena. It is used to share information
+about various systems databases, such as users, groups, printers
+and so on.
+</para></entry>
 </row>
+
 </tbody>
 </tgroup></informaltable>
+
 <para>The owner name is often implicit, rather than forming an integral
-part of the RR.  For example, many nameservers internally form tree
+part of the RR.  For example, many name servers internally form tree
 or hash structures for the name space, and chain RRs off nodes.
  The remaining RR parts are the fixed header (type, class, TTL)
 which is consistent for all RRs, and a variable part (RDATA) that
@@ -4961,7 +5282,7 @@ used as "pointers" to other data in the DNS.</para></sect3>
 <sect3><title>Textual expression of RRs</title>
 <para>RRs are represented in binary form in the packets of the DNS
 protocol, and are usually represented in highly encoded form when
-stored in a nameserver or resolver.  In the examples provided in
+stored in a name server or resolver.  In the examples provided in
 RFC 1034, a style similar to that used in master files was employed
 in order to show the contents of RRs.  In this format, most RRs
 are shown on a single line, although continuation lines are possible
@@ -5016,10 +5337,10 @@ knowledge of the typical representation for the data.</para>
 </row>
 </tbody>
 </tgroup></informaltable>
-<para>The MX RRs have an RDATA section which consists of a 16-bit
+<para>The MX RRs have an RDATA section which consists of a 16 bit
 number followed by a domain name.  The address RRs use a standard
-IP address format to contain a 32-bit internet address.</para>
-<para>The above example shows six RRs, with two RRs at each of three
+IP address format to contain a 32 bit internet address.</para>
+<para>This example shows six RRs, with two RRs at each of three
 domain names.</para>
 <para>Similarly we might see:</para><informaltable colsep = "0"
     rowsep = "0"><tgroup cols = "3" colsep = "0" rowsep = "0"
@@ -5117,7 +5438,7 @@ pointed to by the CNAME.</para>
 any order), and if neither of those succeed, delivery to <literal>mail.backup.org</literal> will
 be attempted.</para></sect2>
 <sect2 id="Setting_TTLs"><title>Setting TTLs</title>
-<para>The time-to-live of the RR field is a 32-bit integer represented
+<para>The time to live of the RR field is a 32 bit integer represented
 in units of seconds, and is primarily used by resolvers when they
 cache RRs. The TTL describes how long a RR can be cached before it
 should be discarded. The following three types of TTL are currently
@@ -5180,7 +5501,7 @@ in the <optional>example.com</optional> domain:</para>
 </tgroup></informaltable>
       <note>
 <para>The <command>$ORIGIN</command> lines in the examples
-are for providing context to the examples only &mdash; they do not necessarily
+are for providing context to the examples only-they do not necessarily
 appear in the actual usage. They are only used here to indicate
 that the example is relative to the listed origin.</para></note></sect2>
 <sect2><title>Other Zone File Directives</title>
@@ -5198,10 +5519,10 @@ be appended to any unqualified records. When a zone is first read
 in there is an implicit <command>$ORIGIN</command> &#60;<varname>zone-name</varname>><command>.</command> The
 current <command>$ORIGIN</command> is appended to the domain specified
 in the <command>$ORIGIN</command> argument if it is not absolute.</para>
-<programlisting>$ORIGIN example.com.
-WWW     CNAME   MAIN-SERVER</programlisting>
+<programlisting><literal>$ORIGIN example.com.
+WWW     CNAME   MAIN-SERVER</literal></programlisting>
 <para>is equivalent to</para>
-<programlisting>WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.</programlisting></sect3>
+<programlisting><literal>WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.</literal></programlisting></sect3>
 <sect3><title>The <command>$INCLUDE</command> Directive</title>
 <para>Syntax: <command>$INCLUDE</command>
 <replaceable>filename</replaceable> <optional>
@@ -5228,24 +5549,24 @@ This could be construed as a deviation from RFC 1035, a feature, or both.
 <para>Set the default Time To Live (TTL) for subsequent records
 with undefined TTLs. Valid TTLs are of the range 0-2147483647 seconds.</para>
 <para><command>$TTL</command> is defined in RFC 2308.</para></sect3></sect2>
-<sect2><title><acronym>BIND</acronym> Master File Extension: the  <command>$GENERATE</command> Directive</title>.
-        <para>Syntax: <command>$GENERATE</command> <replaceable>range</replaceable> <replaceable>lhs</replaceable> <replaceable>type</replaceable> <replaceable>rhs</replaceable> <optional> <replaceable>comment</replaceable> </optional></para>
+<sect2><title><acronym>BIND</acronym> Master File Extension: the  <command>$GENERATE</command> Directive</title>
+        <para>Syntax: <command>$GENERATE</command> <replaceable>range</replaceable> <replaceable>lhs</replaceable> <optional><replaceable>ttl</replaceable></optional> <optional><replaceable>class</replaceable></optional> <replaceable>type</replaceable> <replaceable>rhs</replaceable> <optional> <replaceable>comment</replaceable> </optional></para>
 <para><command>$GENERATE</command> is used to create a series of
 resource records that only differ from each other by an iterator. <command>$GENERATE</command> can
 be used to easily generate the sets of records required to support
 sub /24 reverse delegations described in RFC 2317: Classless IN-ADDR.ARPA
 delegation.</para>
-<programlisting>$ORIGIN 0.0.192.IN-ADDR.ARPA.
+<programlisting><literal>$ORIGIN 0.0.192.IN-ADDR.ARPA.
 $GENERATE 1-2 0 NS SERVER$.EXAMPLE.
-$GENERATE 1-127 $ CNAME $.0</programlisting>
+$GENERATE 1-127 $ CNAME $.0</literal></programlisting>
 <para>is equivalent to</para>
-<programlisting>0.0.0.192.IN-ADDR.ARPA NS SERVER1.EXAMPLE.
+<programlisting><literal>0.0.0.192.IN-ADDR.ARPA NS SERVER1.EXAMPLE.
 0.0.0.192.IN-ADDR.ARPA. NS SERVER2.EXAMPLE.
 1.0.0.192.IN-ADDR.ARPA. CNAME 1.0.0.0.192.IN-ADDR.ARPA.
 2.0.0.192.IN-ADDR.ARPA. CNAME 2.0.0.0.192.IN-ADDR.ARPA.
 ...
 127.0.0.192.IN-ADDR.ARPA. CNAME 127.0.0.0.192.IN-ADDR.ARPA.
-</programlisting>
+</literal></programlisting>
       <informaltable colsep = "0" rowsep = "0">
         <tgroup cols = "2" colsep = "0" rowsep = "0" tgroupstyle = "3Level-table">
           <colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.875in"/>
@@ -5254,51 +5575,67 @@ $GENERATE 1-127 $ CNAME $.0</programlisting>
             <row rowsep = "0">
               <entry colname = "1"><para><command>range</command></para></entry>
               <entry colname = "2"><para>This can be one of two forms: start-stop
-or start-stop/step. If the first form is used, then step is set to
+or start-stop/step. If the first form is used then step is set to
         1. All of start, stop and step must be positive.</para></entry>
       </row>
         <row rowsep = "0">
           <entry colname = "1"><para><command>lhs</command></para></entry>
-          <entry colname = "2"><para>This describes the
-owner name of the resource records to be created. Any single
-<command>$</command> (dollar sign) symbols
+          <entry colname = "2"><para><command>lhs</command> describes the
+owner name of the resource records to be created.      Any single <command>$</command> symbols
 within the <command>lhs</command> side are replaced by the iterator
 value.
-To get a $ in the output, you need to escape the <command>$</command>
+To get a $ in the output you need to escape the <command>$</command>
 using a backslash <command>\</command>,
 e.g. <command>\$</command>. The <command>$</command> may optionally be followed
-by modifiers which change the offset from the interator, field width and base. 
-Modifiers are introduced by a <command>{</command> (left brace) immediately following the
+by modifiers which change the offset from the iterator, field width and base. 
+Modifiers are introduced by a <command>{</command> immediately following the
 <command>$</command> as <command>${offset[,width[,base]]}</command>.
-For example, <command>${-20,3,d}</command> which subtracts 20 from the current value,
-prints the result as a decimal in a zero-padded field of width 3.  Available
+e.g. <command>${-20,3,d}</command> which subtracts 20 from the current value,
+prints the result as a decimal in a zero padded field of with 3.  Available
 output forms are decimal (<command>d</command>), octal (<command>o</command>)
 and hexadecimal (<command>x</command> or <command>X</command> for uppercase).
 The default modifier is <command>${0,0,d}</command>.
 If the <command>lhs</command> is not
 absolute, the current <command>$ORIGIN</command> is appended to
 the name.</para>
-<para>For compatibility with earlier versions, <command>$$</command> is still
-recognised as indicating a literal $ in the output.</para></entry>
+<para>For compatibility with earlier versions <command>$$</command> is still
+recognized a indicating a literal $ in the output.</para></entry>
         </row>
         <row rowsep = "0">
+          <entry colname = "1"><para><command>ttl</command></para></entry>
+          <entry colname = "2"><para><command>ttl</command> specifies the
+	  ttl of the generated records. If not specified this will be
+	  inherited using the normal ttl inheritance rules.</para>
+	  <para><command>class</command> and <command>ttl</command> can be
+	  entered in either order.</para></entry>
+	</row>
+        <row rowsep = "0">
+          <entry colname = "1"><para><command>class</command></para></entry>
+          <entry colname = "2"><para><command>class</command> specifies the
+	  class of the generated records.  This must match the zone class if
+	  it is specified.</para>
+	  <para><command>class</command> and <command>ttl</command> can be
+	  entered in either order.</para></entry>
+	</row>
+        <row rowsep = "0">
           <entry colname = "1"><para><command>type</command></para></entry>
           <entry colname = "2"><para>At present the only supported types are
 PTR, CNAME, DNAME, A, AAAA and NS.</para></entry>
         </row>
         <row rowsep = "0">
           <entry colname = "1"><para><command>rhs</command></para></entry>
-          <entry colname = "2"><para><command>rhs</command> is a domain name. It is processed
+          <entry colname = "2"><para>rhs is a domain name. It is processed
 similarly to lhs.</para></entry>
         </row>
       </tbody>
       </tgroup></informaltable>
       <para>The <command>$GENERATE</command> directive is a <acronym>BIND</acronym> extension
 and not part of the standard zone file format.</para>
+      <para>BIND 8 does not support the optional TTL and CLASS fields.</para>
     </sect2>
   </sect1>
 </chapter>
-<chapter id="Bv9ARM.ch07"><title><acronym>BIND</acronym> 9 Security Considerations</title>
+<chapter id="ch07"><title><acronym>BIND</acronym> 9 Security Considerations</title>
 <sect1 id="Access_Control_Lists"><title>Access Control Lists</title>
 <para>Access Control Lists (ACLs), are address match lists that
 you can set up and nickname for future use in <command>allow-notify</command>,
@@ -5306,18 +5643,17 @@ you can set up and nickname for future use in <command>allow-notify</command>,
 <command>blackhole</command>, <command>allow-transfer</command>,
 etc.</para>
 <para>Using ACLs allows you to have finer control over who can access
-your nameserver, without cluttering up your config files with huge
+your name server, without cluttering up your config files with huge
 lists of IP addresses.</para>
 <para>It is a <emphasis>good idea</emphasis> to use ACLs, and to
 control access to your server. Limiting access to your server by
-outside parties can help prevent spoofing and denial of service (DoS)
-attacks against your server.</para>
+outside parties can help prevent spoofing and DoS attacks against
+your server.</para>
 <para>Here is an example of how to properly apply ACLs:</para>
 <programlisting>
 // Set up an ACL named "bogusnets" that will block RFC1918 space,
 // which is commonly used in spoofing attacks.
 acl bogusnets { 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };
-
 // Set up an ACL called our-nets. Replace this with the real IP numbers.
 acl our-nets { x.x.x.x/24; x.x.x.x/21; }; 
 options {
@@ -5329,7 +5665,6 @@ options {
   blackhole { bogusnets; };
   ...
 };
-
 zone "example.com" {
   type master;
   file "m/example.com";
@@ -5341,23 +5676,23 @@ unless recursion has been previously disabled.</para>
 <para>For more information on how to use ACLs to protect your server,
 see the <emphasis>AUSCERT</emphasis> advisory at
 <ulink url="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos">ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</ulink></para></sect1>
-<sect1><title><command>Chroot</command> and <command>Setuid</command> (for
+<sect1><title><command>chroot</command> and <command>setuid</command> (for
 UNIX servers)</title>
 <para>On UNIX servers, it is possible to run <acronym>BIND</acronym> in a <emphasis>chrooted</emphasis> environment
-(using the <command>chroot()</command> function) by specifying the "<option>-t</option>"
+(<command>chroot()</command>) by specifying the "<option>-t</option>"
 option. This can help improve system security by placing <acronym>BIND</acronym> in
-a "sandbox," which will limit the damage done if a server is compromised.</para>
+a "sandbox", which will limit the damage done if a server is compromised.</para>
 <para>Another useful feature in the UNIX version of <acronym>BIND</acronym> is the
-ability to run the daemon as a nonprivileged user ( <option>-u</option> <replaceable>user</replaceable> ).
-We suggest running as a nonprivileged user when using the <command>chroot</command> feature.</para>
-<para>Here is an example command line to load <acronym>BIND</acronym> in a <command>chroot</command> sandbox, 
+ability to run the daemon as an unprivileged user ( <option>-u</option> <replaceable>user</replaceable> ).
+We suggest running as an unprivileged user when using the <command>chroot</command> feature.</para>
+<para>Here is an example command line to load <acronym>BIND</acronym> in a <command>chroot()</command> sandbox, 
 <command>/var/named</command>, and to run <command>named</command> <command>setuid</command> to
 user 202:</para>
 <para><userinput>/usr/local/bin/named -u 202 -t /var/named</userinput></para>
 
 <sect2><title>The <command>chroot</command> Environment</title>
 
-<para>In order for a <command>chroot</command> environment to
+<para>In order for a <command>chroot()</command> environment to
 work properly in a particular directory
 (for example, <filename>/var/named</filename>),
 you will need to set up an environment that includes everything
@@ -5368,14 +5703,14 @@ like <command>directory</command> and <command>pid-file</command> to account
 for this.
 </para>
 <para>
-Unlike with earlier versions of BIND, you typically will
+Unlike with earlier versions of BIND, you will typically
 <emphasis>not</emphasis> need to compile <command>named</command>
 statically nor install shared libraries under the new root.
 However, depending on your operating system, you may need
 to set up things like
 <filename>/dev/zero</filename>,
 <filename>/dev/random</filename>,
-<filename>/dev/log</filename>, and
+<filename>/dev/log</filename>, and/or
 <filename>/etc/localtime</filename>.
 </para>
 </sect2>
@@ -5387,8 +5722,8 @@ the <command>touch</command> utility (to change file access and
 modification times) or the <command>chown</command> utility (to
 set the user id and/or group id) on files
 to which you want <acronym>BIND</acronym>
-to write.  Note that if the <command>named</command> daemon is running as a
-nonprivileged user, it will not be able to bind to new restricted ports if the
+to write.  Note that if the <command>named</command> daemon is running as an
+unprivileged user, it will not be able to bind to new restricted ports if the
 server is reloaded.</para>
 </sect2>
 </sect1>
@@ -5397,7 +5732,7 @@ server is reloaded.</para>
 
 <para>Access to the dynamic
 update facility should be strictly limited.  In earlier versions of
-<acronym>BIND</acronym>, the only way to do this was based on the IP
+<acronym>BIND</acronym> the only way to do this was based on the IP
 address of the host requesting the update, by listing an IP address or
 network prefix in the <command>allow-update</command> zone option.
 This method is insecure since the source address of the update UDP packet
@@ -5415,7 +5750,7 @@ list only TSIG key names, not IP addresses or network
 prefixes. Alternatively, the new <command>update-policy</command>
 option can be used.</para>
 
-<para>Some sites choose to keep all dynamically-updated DNS data
+<para>Some sites choose to keep all dynamically updated DNS data
 in a subdomain and delegate that subdomain to a separate zone. This
 way, the top-level zone containing critical data such as the IP addresses
 of public web and mail servers need not allow dynamic update at
@@ -5423,7 +5758,7 @@ all.</para>
 
 </sect1></chapter>
 
-<chapter id="Bv9ARM.ch08">
+<chapter id="ch08">
   <title>Troubleshooting</title>
   <sect1>
     <title>Common Problems</title>
@@ -5441,12 +5776,12 @@ all.</para>
   <sect1>
     <title>Incrementing and Changing the Serial Number</title>
 
-    <para>Zone serial numbers are just numbers &mdash; they aren't date
+    <para>Zone serial numbers are just numbers-they aren't date
     related.  A lot of people set them to a number that represents a
-    date, usually of the form YYYYMMDDRR. A number of people
-    tested these numbers for Y2K compliance and set the number
-    to the year 2000 to see if it would work. They then tried to restore
-    the old serial number. This caused problems because serial
+    date, usually of the form YYYYMMDDRR. A number of people have been
+    testing these numbers for Y2K compliance and have set the number
+    to the year 2000 to see if it will work. They then try to restore
+    the old serial number. This will cause problems because serial
     numbers are used to indicate that a zone has been updated. If the
     serial number on the slave server is lower than the serial number
     on the master, the slave server will attempt to update its copy of
@@ -5482,10 +5817,10 @@ all.</para>
     to read more.</para>
   </sect1>
 </chapter>
-<appendix id="Bv9ARM.ch09">
+<appendix id="ch09">
   <title>Appendices</title>
   <sect1>
-    <title>Acknowledgements</title>
+    <title>Acknowledgments</title>
     <sect2>
       <title>A Brief History of the <acronym>DNS</acronym> and <acronym>BIND</acronym></title>
 
@@ -5494,17 +5829,17 @@ all.</para>
       core of the new system was described in 1983 in RFCs 882 and
       883. From 1984 to 1987, the ARPAnet (the precursor to today's
       Internet) became a testbed of experimentation for developing the
-      new naming/addressing scheme in a rapidly expanding,
+      new naming/addressing scheme in an rapidly expanding,
       operational network environment.  New RFCs were written and
       published in 1987 that modified the original documents to
       incorporate improvements based on the working model. RFC 1034,
-      "Domain Names-Concepts and Facilities," and RFC 1035, "Domain
+      "Domain Names-Concepts and Facilities", and RFC 1035, "Domain
       Names-Implementation and Specification" were published and
       became the standards upon which all <acronym>DNS</acronym> implementations are
       built.
 </para>
 
-      <para>The first working domain name server, called "Jeeves," was
+      <para>The first working domain name server, called "Jeeves", was
 written in 1983-84 by Paul Mockapetris for operation on DEC Tops-20
 machines located at the University of Southern California's Information
 Sciences Institute (USC-ISI) and SRI International's Network Information
@@ -5512,10 +5847,7 @@ Center (SRI-NIC). A <acronym>DNS</acronym> server for Unix machines, the Berkele
 Name Domain (<acronym>BIND</acronym>) package, was written soon after by a group of
 graduate students at the University of California at Berkeley under
 a grant from the US Defense Advanced Research Projects Administration
-(DARPA).
-</para>
-<para>
-Versions of <acronym>BIND</acronym> through 4.8.3 were maintained by the Computer
+(DARPA). Versions of <acronym>BIND</acronym> through 4.8.3 were maintained by the Computer
 Systems Research Group (CSRG) at UC Berkeley. Douglas Terry, Mark
 Painter, David Riggle and Songnian Zhou made up the initial <acronym>BIND</acronym>
 project team. After that, additional work on the software package
@@ -5524,72 +5856,38 @@ employee on loan to the CSRG, worked on <acronym>BIND</acronym> for 2 years, fro
 to 1987. Many other people also contributed to <acronym>BIND</acronym> development
 during that time: Doug Kingston, Craig Partridge, Smoot Carl-Mitchell,
 Mike Muuss, Jim Bloom and Mike Schwartz. <acronym>BIND</acronym> maintenance was subsequently
-handled by Mike Karels and &#216;ivind Kure.</para>
+handled by Mike Karels and O. Kure.</para>
       <para><acronym>BIND</acronym> versions 4.9 and 4.9.1 were released by Digital Equipment
 Corporation (now Compaq Computer Corporation). Paul Vixie, then
-a DEC employee, became <acronym>BIND</acronym>'s primary caretaker. He was assisted
+a DEC employee, became <acronym>BIND</acronym>'s primary caretaker. Paul was assisted
 by Phil Almquist, Robert Elz, Alan Barrett, Paul Albitz, Bryan Beecher, Andrew
 Partan, Andy Cherenson, Tom Limoncelli, Berthold Paffrath, Fuat
 Baran, Anant Kumar, Art Harkin, Win Treese, Don Lewis, Christophe
 Wolfhugel, and others.</para>
-      <para>In 1994, <acronym>BIND</acronym> version 4.9.2 was sponsored by Vixie Enterprises. Paul
+      <para><acronym>BIND</acronym> Version 4.9.2 was sponsored by Vixie Enterprises. Paul
 Vixie became <acronym>BIND</acronym>'s principal architect/programmer.</para>
       <para><acronym>BIND</acronym> versions from 4.9.3 onward have been developed and maintained
 by the Internet Software Consortium with support being provided
-by ISC's sponsors.
-      </para>
-      <para>As co-architects/programmers, Bob Halley and
+by ISC's sponsors. As co-architects/programmers, Bob Halley and
 Paul Vixie released the first production-ready version of <acronym>BIND</acronym> version
 8 in May 1997.</para>
-	<para>
-	  BIND version 9 was released in September 2000 and is a
-	  major rewrite of nearly all aspects of the underlying
-	  BIND architecture.
-	  </para>
-	  <para>
-	  BIND version 4 is officially deprecated and BIND version
-	  8 development is considered maintenance-only in favor
-	  of BIND version 9. No additional development is done
-	  on BIND version 4 or BIND version 8 other than for
-	  security-related patches.
-	</para>
       <para><acronym>BIND</acronym> development work is made possible today by the sponsorship
 of several corporations, and by the tireless work efforts of numerous
 individuals.</para>
     </sect2>
   </sect1>
-  <sect1 id="historical_dns_information">
-    <title>Historical <acronym>DNS</acronym> Information</title>
-    <sect2 id="classes_of_resource_records">
-      <title>Classes of Resource Records</title>
-      <sect3>
-        <title>HS = hesiod</title>
-        <para>The <optional>hesiod</optional> class is an information service
-developed by MIT's Project Athena. It is used to share information
-about various systems databases, such as users, groups, printers
-and so on. The keyword <command>hs</command> is a synonym for
-hesiod.</para>
-      </sect3>
-      <sect3>
-        <title>CH = chaos</title>
-        <para>The <command>chaos</command> class is used to specify zone
-data for the MIT-developed Chaosnet, a LAN protocol created in the
-mid-1970s.</para>
-      </sect3>
-    </sect2>
-  </sect1>
-  <sect1>
-    <title>General <acronym>DNS</acronym> Reference Information</title>
+<sect1 id="historical_dns_information">
+
+<title>General <acronym>DNS</acronym> Reference Information</title>
     <sect2 id="ipv6addresses">
-      <title>IPv6 addresses (A6)</title>
+      <title>IPv6 addresses (AAAA)</title>
       <para>IPv6 addresses are 128-bit identifiers for interfaces and
 sets of interfaces which were introduced in the <acronym>DNS</acronym> to facilitate
 scalable Internet routing. There are three types of addresses: <emphasis>Unicast</emphasis>,
 an identifier for a single interface; <emphasis>Anycast</emphasis>,
 an identifier for a set of interfaces; and <emphasis>Multicast</emphasis>,
 an identifier for a set of interfaces. Here we describe the global
-Unicast address scheme. For more information, see RFC 3587,
-"Global Unicast Address Format."</para>
+Unicast address scheme. For more information, see RFC 2374.</para>
 <para>The aggregatable global Unicast address format is as follows:</para>
 <informaltable colsep = "0" rowsep = "0"><tgroup cols = "6"
     colsep = "0" rowsep = "0" tgroupstyle = "1Level-table">
@@ -5689,41 +5987,6 @@ IPv6, addresses belong to interfaces rather than machines.)</para>
       <para>The subnetting capability of IPv6 is much more flexible than
 that of IPv4: subnetting can now be carried out on bit boundaries,
 in much the same way as Classless InterDomain Routing (CIDR).</para>
-<para>The internal structure of the Public Topology for an A6 global
-unicast address consists of:</para>
-<informaltable colsep = "0"  rowsep = "0"><tgroup cols = "4"
-    colsep = "0" rowsep = "0" tgroupstyle = "2Level-table">
-<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.506in"/>
-<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "0.662in"/>
-<colspec colname = "3" colnum = "3" colsep = "0" colwidth = "0.556in"/>
-<colspec colname = "4" colnum = "4" colsep = "0" colwidth = "0.825in"/>
-<tbody>
-<row rowsep = "0">
-<entry colname = "1" colsep = "1" rowsep = "1"><para>3</para></entry>
-<entry colname = "2" colsep = "1" rowsep = "1"><para>13</para></entry>
-<entry colname = "3" colsep = "1" rowsep = "1"><para>8</para></entry>
-<entry colname = "4" rowsep = "1"><para>24</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1" colsep = "1"><para>FP</para></entry>
-<entry colname = "2" colsep = "1"><para>TLA ID</para></entry>
-<entry colname = "3" colsep = "1"><para>RES</para></entry>
-<entry colname = "4"><para>NLA ID</para></entry>
-</row>
-</tbody>
-</tgroup></informaltable>
-<para>A 3 bit FP (Format Prefix) of 001 indicates this is a global
-Unicast address. FP lengths for other types of addresses may vary.</para>
-<para>13 TLA (Top Level Aggregator) bits give the prefix of your
-top-level IP backbone carrier.</para>
-<para>8 Reserved bits</para>
-<para>24 bits for Next Level Aggregators. This allows organizations
-with a TLA to hand out portions of their IP space to client organizations,
-so that the client can then split up the network further by filling
-in more NLA bits, and hand out IPv6 prefixes to their clients, and
-so forth.</para>
-<para>There is no particular structure for the Site topology section.
-Organizations can allocate these bits in any way they desire.</para>
 <para>The Interface Identifier must be unique on that network. On
 ethernet networks, one way to ensure this is to set the address
 to the first three bytes of the hardware address, "FFFE", then the
@@ -5731,7 +5994,7 @@ last three bytes of the hardware address. The lowest significant
 bit of the first byte should then be complemented. Addresses are
 written as 32-bit blocks separated with a colon, and leading zeros
 of a block may be omitted, for example:</para>
-<para><command>2001:db8:201:9:a00:20ff:fe81:2b32</command></para>
+<para><command>2001:4f8:201:9:a00:20ff:fe81:2b32</command></para>
 <para>IPv6 address specifications are likely to contain long strings
 of zeros, so the architects have included a shorthand for specifying
 them. The double colon (`::') indicates the longest possible string
diff --git a/doc/arm/Bv9ARM.ch01.html b/doc/arm/Bv9ARM.ch01.html
index 6d540cc9..c79a1fcf 100644
--- a/doc/arm/Bv9ARM.ch01.html
+++ b/doc/arm/Bv9ARM.ch01.html
@@ -1,410 +1,1181 @@
-<!--
- - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id: Bv9ARM.ch01.html,v 1.12.2.21 2007/05/08 02:29:19 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>Chapter 1. Introduction</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="prev" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="next" href="Bv9ARM.ch02.html" title="Chapter 2. BIND Resource Requirements">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center">Chapter 1. Introduction </th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="Bv9ARM.html">Prev</a> </td>
-<th width="60%" align="center"> </th>
-<td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch02.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="chapter" lang="en">
-<div class="titlepage"><div><div><h2 class="title">
-<a name="Bv9ARM.ch01"></a>Chapter 1. Introduction </h2></div></div></div>
-<div class="toc">
-<p><b>Table of Contents</b></p>
-<dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2563876">Scope of Document</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564243">Organization of This Document</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564314">Conventions Used in This Document</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564572">The Domain Name System (<acronym class="acronym">DNS</acronym>)</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2563159">DNS Fundamentals</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2563184">Domains and Domain Names</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564974">Zones</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2565117">Authoritative Name Servers</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2565209">Caching Name Servers</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2565267">Name Servers in Multiple Roles</a></span></dt>
-</dl></dd>
-</dl>
-</div>
-<p>The Internet Domain Name System (<acronym class="acronym">DNS</acronym>) consists of the syntax
+<HTML
+><HEAD
+><TITLE
+>Introduction </TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.73
+"><LINK
+REL="HOME"
+TITLE="BIND 9 Administrator Reference Manual"
+HREF="Bv9ARM.html"><LINK
+REL="PREVIOUS"
+TITLE="BIND 9 Administrator Reference Manual"
+HREF="Bv9ARM.html"><LINK
+REL="NEXT"
+TITLE="BIND Resource Requirements"
+HREF="Bv9ARM.ch02.html"></HEAD
+><BODY
+CLASS="chapter"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><DIV
+CLASS="NAVHEADER"
+><TABLE
+SUMMARY="Header navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TH
+COLSPAN="3"
+ALIGN="center"
+>BIND 9 Administrator Reference Manual</TH
+></TR
+><TR
+><TD
+WIDTH="10%"
+ALIGN="left"
+VALIGN="bottom"
+><A
+HREF="Bv9ARM.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="80%"
+ALIGN="center"
+VALIGN="bottom"
+></TD
+><TD
+WIDTH="10%"
+ALIGN="right"
+VALIGN="bottom"
+><A
+HREF="Bv9ARM.ch02.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+></TABLE
+><HR
+ALIGN="LEFT"
+WIDTH="100%"></DIV
+><DIV
+CLASS="chapter"
+><H1
+><A
+NAME="ch01"
+>Chapter 1. Introduction </A
+></H1
+><DIV
+CLASS="TOC"
+><DL
+><DT
+><B
+>Table of Contents</B
+></DT
+><DT
+>1.1. <A
+HREF="Bv9ARM.ch01.html#AEN15"
+>Scope of Document</A
+></DT
+><DT
+>1.2. <A
+HREF="Bv9ARM.ch01.html#AEN22"
+>Organization of This Document</A
+></DT
+><DT
+>1.3. <A
+HREF="Bv9ARM.ch01.html#AEN42"
+>Conventions Used in This Document</A
+></DT
+><DT
+>1.4. <A
+HREF="Bv9ARM.ch01.html#AEN107"
+>The Domain Name System (<SPAN
+CLASS="acronym"
+>DNS</SPAN
+>)</A
+></DT
+></DL
+></DIV
+><P
+>The Internet Domain Name System (<SPAN
+CLASS="acronym"
+>DNS</SPAN
+>) consists of the syntax
   to specify the names of entities in the Internet in a hierarchical
   manner, the rules used for delegating authority over names, and the
   system implementation that actually maps names to Internet
-  addresses.  <acronym class="acronym">DNS</acronym> data is maintained in a group of distributed
-  hierarchical databases.</p>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2563876"></a>Scope of Document</h2></div></div></div>
-<p>The Berkeley Internet Name Domain (<acronym class="acronym">BIND</acronym>) implements a
+  addresses.  <SPAN
+CLASS="acronym"
+>DNS</SPAN
+> data is maintained in a group of distributed
+  hierarchical databases.</P
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="AEN15"
+>1.1. Scope of Document</A
+></H1
+><P
+>The Berkeley Internet Name Domain (<SPAN
+CLASS="acronym"
+>BIND</SPAN
+>) implements an
     domain name server for a number of operating systems. This
     document provides basic information about the installation and
-    care of the Internet Software Consortium (<acronym class="acronym">ISC</acronym>)
-    <acronym class="acronym">BIND</acronym> version 9 software package for system
-    administrators.</p>
-<p>This version of the manual corresponds to BIND version 9.2.</p>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2564243"></a>Organization of This Document</h2></div></div></div>
-<p>In this document, <span class="emphasis"><em>Section 1</em></span> introduces
-    the basic <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym> concepts. <span class="emphasis"><em>Section 2</em></span>
-    describes resource requirements for running <acronym class="acronym">BIND</acronym> in various
-    environments. Information in <span class="emphasis"><em>Section 3</em></span> is
-    <span class="emphasis"><em>task-oriented</em></span> in its presentation and is
+    care of the Internet Software Consortium (<SPAN
+CLASS="acronym"
+>ISC</SPAN
+>)
+    <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> version 9 software package for system
+    administrators.</P
+><P
+>This version of the manual corresponds to BIND version 9.3.</P
+></DIV
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="AEN22"
+>1.2. Organization of This Document</A
+></H1
+><P
+>In this document, <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>Section 1</I
+></SPAN
+> introduces
+    the basic <SPAN
+CLASS="acronym"
+>DNS</SPAN
+> and <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> concepts. <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>Section 2</I
+></SPAN
+>
+    describes resource requirements for running <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> in various
+    environments. Information in <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>Section 3</I
+></SPAN
+> is
+    <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>task-oriented</I
+></SPAN
+> in its presentation and is
     organized functionally, to aid in the process of installing the
-    <acronym class="acronym">BIND</acronym> 9 software. The task-oriented section is followed by
-    <span class="emphasis"><em>Section 4</em></span>, which contains more advanced
+    <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 9 software. The task-oriented section is followed by
+    <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>Section 4</I
+></SPAN
+>, which contains more advanced
     concepts that the system administrator may need for implementing
-    certain options. <span class="emphasis"><em>Section 5</em></span>
-    describes the <acronym class="acronym">BIND</acronym> 9 lightweight
-    resolver.  The contents of <span class="emphasis"><em>Section 6</em></span> are
+    certain options. <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>Section 5</I
+></SPAN
+>
+    describes the <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 9 lightweight
+    resolver.  The contents of <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>Section 6</I
+></SPAN
+> are
     organized as in a reference manual to aid in the ongoing
-    maintenance of the software. <span class="emphasis"><em>Section 7
-    </em></span>addresses security considerations, and
-    <span class="emphasis"><em>Section 8</em></span> contains troubleshooting help. The
+    maintenance of the software. <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>Section 7
+    </I
+></SPAN
+>addresses security considerations, and
+    <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>Section 8</I
+></SPAN
+> contains troubleshooting help. The
     main body of the document is followed by several
-    <span class="emphasis"><em>appendices</em></span> which contain useful reference
-    information, such as a <span class="emphasis"><em>bibliography</em></span> and
-    historic information related to <acronym class="acronym">BIND</acronym> and the Domain Name
-    System.</p>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2564314"></a>Conventions Used in This Document</h2></div></div></div>
-<p>In this document, we use the following general typographic
-    conventions:</p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td>
-<p><span class="emphasis"><em>To
-describe:</em></span></p>
-</td>
-<td>
-<p><span class="emphasis"><em>We use the style:</em></span></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>a pathname, filename, URL, hostname,
-mailing list name, or new term or concept</p>
-</td>
-<td><p><code class="filename">Fixed width</code></p></td>
-</tr>
-<tr>
-<td><p>literal user
-input</p></td>
-<td><p><strong class="userinput"><code>Fixed Width Bold</code></strong></p></td>
-</tr>
-<tr>
-<td><p>program output</p></td>
-<td><p><code class="computeroutput">Fixed Width</code></p></td>
-</tr>
-</tbody>
-</table></div>
-<p>The following conventions are used in descriptions of the
-<acronym class="acronym">BIND</acronym> configuration file:</p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td><p><span class="emphasis"><em>To
-describe:</em></span></p></td>
-<td><p><span class="emphasis"><em>We use the style:</em></span></p></td>
-</tr>
-<tr>
-<td><p>keywords</p></td>
-<td><p><code class="literal">Fixed Width</code></p></td>
-</tr>
-<tr>
-<td><p>variables</p></td>
-<td><p><code class="varname">Fixed Width</code></p></td>
-</tr>
-<tr>
-<td><p>Optional input</p></td>
-<td><p>[<span class="optional">Text is enclosed in square brackets</span>]</p></td>
-</tr>
-</tbody>
-</table></div>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2564572"></a>The Domain Name System (<acronym class="acronym">DNS</acronym>)</h2></div></div></div>
-<p>The purpose of this document is to explain the installation
-and upkeep of the <acronym class="acronym">BIND</acronym> (Berkeley Internet Name Domain) software package, and we
+    <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>Appendices</I
+></SPAN
+> which contain useful reference
+    information, such as a <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>Bibliography</I
+></SPAN
+> and
+    historic information related to <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> and the Domain Name
+    System.</P
+></DIV
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="AEN42"
+>1.3. Conventions Used in This Document</A
+></H1
+><P
+>In this document, we use the following general typographic
+    conventions:</P
+><DIV
+CLASS="informaltable"
+><A
+NAME="AEN45"
+></A
+><P
+></P
+><TABLE
+CELLPADDING="3"
+BORDER="1"
+CLASS="CALSTABLE"
+><TBODY
+><TR
+><TD
+WIDTH="288"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+>&#13;<P
+><SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>To
+describe:</I
+></SPAN
+></P
+></TD
+><TD
+WIDTH="252"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+>&#13;<P
+><SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>We use the style:</I
+></SPAN
+></P
+></TD
+></TR
+><TR
+><TD
+WIDTH="288"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+>&#13;<P
+>a pathname, filename, URL, hostname,
+mailing list name, or new term or concept</P
+></TD
+><TD
+WIDTH="252"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="filename"
+>Fixed width</TT
+></P
+></TD
+></TR
+><TR
+><TD
+WIDTH="288"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>literal user
+input</P
+></TD
+><TD
+WIDTH="252"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="userinput"
+><B
+>Fixed Width Bold</B
+></TT
+></P
+></TD
+></TR
+><TR
+><TD
+WIDTH="288"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>program output</P
+></TD
+><TD
+WIDTH="252"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="computeroutput"
+>Fixed Width</TT
+></P
+></TD
+></TR
+></TBODY
+></TABLE
+><P
+></P
+></DIV
+><P
+>The following conventions are used in descriptions of the
+<SPAN
+CLASS="acronym"
+>BIND</SPAN
+> configuration file:<DIV
+CLASS="informaltable"
+><A
+NAME="AEN77"
+></A
+><P
+></P
+><TABLE
+CELLPADDING="3"
+BORDER="1"
+CLASS="CALSTABLE"
+><TBODY
+><TR
+><TD
+WIDTH="288"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>To
+describe:</I
+></SPAN
+></P
+></TD
+><TD
+WIDTH="252"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>We use the style:</I
+></SPAN
+></P
+></TD
+></TR
+><TR
+><TD
+WIDTH="288"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>keywords</P
+></TD
+><TD
+WIDTH="252"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="literal"
+>Fixed Width</TT
+></P
+></TD
+></TR
+><TR
+><TD
+WIDTH="288"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>variables</P
+></TD
+><TD
+WIDTH="252"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="varname"
+>Fixed Width</TT
+></P
+></TD
+></TR
+><TR
+><TD
+WIDTH="288"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>Optional input</P
+></TD
+><TD
+WIDTH="252"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>[<SPAN
+CLASS="optional"
+>Text is enclosed in square brackets</SPAN
+>]</P
+></TD
+></TR
+></TBODY
+></TABLE
+><P
+></P
+></DIV
+></P
+></DIV
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="AEN107"
+>1.4. The Domain Name System (<SPAN
+CLASS="acronym"
+>DNS</SPAN
+>)</A
+></H1
+><P
+>The purpose of this document is to explain the installation
+and upkeep of the <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> software package, and we
 begin by reviewing the fundamentals of the Domain Name System
-(<acronym class="acronym">DNS</acronym>) as they relate to <acronym class="acronym">BIND</acronym>.
-</p>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2563159"></a>DNS Fundamentals</h3></div></div></div>
-<p>The Domain Name System (DNS) is the hierarchical, distributed
+(<SPAN
+CLASS="acronym"
+>DNS</SPAN
+>) as they relate to <SPAN
+CLASS="acronym"
+>BIND</SPAN
+>.
+</P
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN114"
+>1.4.1. DNS Fundamentals</A
+></H2
+><P
+>The Domain Name System (DNS) is the hierarchical, distributed
 database.  It stores information for mapping Internet host names to IP
 addresses and vice versa, mail routing information, and other data
-used by Internet applications.</p>
-<p>Clients look up information in the DNS by calling a
-<span class="emphasis"><em>resolver</em></span> library, which sends queries to one or
-more <span class="emphasis"><em>name servers</em></span> and interprets the responses.
-The <acronym class="acronym">BIND 9</acronym> software distribution contains both a 
-name server and a resolver library.</p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2563184"></a>Domains and Domain Names</h3></div></div></div>
-<p>The data stored in the DNS is identified by <span class="emphasis"><em>domain
-names</em></span> that are organized as a tree according to
+used by Internet applications.</P
+><P
+>Clients look up information in the DNS by calling a
+<SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>resolver</I
+></SPAN
+> library, which sends queries to one or
+more <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>name servers</I
+></SPAN
+> and interprets the responses.
+The <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 9 software distribution contains a
+name server, <B
+CLASS="command"
+>named</B
+>, and two resolver
+libraries, <B
+CLASS="command"
+>liblwres</B
+> and <B
+CLASS="command"
+>libbind</B
+>.
+</P
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN124"
+>1.4.2. Domains and Domain Names</A
+></H2
+><P
+>The data stored in the DNS is identified by <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>domain
+names</I
+></SPAN
+> that are organized as a tree according to
 organizational or administrative boundaries. Each node of the tree,
-called a <span class="emphasis"><em>domain</em></span>, is given a label. The domain name of the
+called a <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>domain</I
+></SPAN
+>, is given a label. The domain name of the
 node is the concatenation of all the labels on the path from the
-node to the <span class="emphasis"><em>root</em></span> node.  This is represented
+node to the <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>root</I
+></SPAN
+> node.  This is represented
 in written form as a string of labels listed from right to left and
 separated by dots. A label need only be unique within its parent
-domain.</p>
-<p>For example, a domain name for a host at the
-company <span class="emphasis"><em>Example, Inc.</em></span> could be
-<code class="literal">mail.example.com</code>,
-where <code class="literal">com</code> is the
+domain.</P
+><P
+>For example, a domain name for a host at the
+company <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>Example, Inc.</I
+></SPAN
+> could be
+<TT
+CLASS="literal"
+>mail.example.com</TT
+>,
+where <TT
+CLASS="literal"
+>com</TT
+> is the
 top level domain to which
-<code class="literal">ourhost.example.com</code> belongs,
-<code class="literal">example</code> is
-a subdomain of <code class="literal">com</code>, and
-<code class="literal">ourhost</code> is the
-name of the host.</p>
-<p>For administrative purposes, the name space is partitioned into
-areas called <span class="emphasis"><em>zones</em></span>, each starting at a node and
+<TT
+CLASS="literal"
+>ourhost.example.com</TT
+> belongs,
+<TT
+CLASS="literal"
+>example</TT
+> is
+a subdomain of <TT
+CLASS="literal"
+>com</TT
+>, and
+<TT
+CLASS="literal"
+>ourhost</TT
+> is the
+name of the host.</P
+><P
+>For administrative purposes, the name space is partitioned into
+areas called <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>zones</I
+></SPAN
+>, each starting at a node and
 extending down to the leaf nodes or to nodes where other zones start.
-The data for each zone is stored in a <span class="emphasis"><em>name
-server</em></span>, which answers queries about the zone using the
-<span class="emphasis"><em>DNS protocol</em></span>.
-</p>
-<p>The data associated with each domain name is stored in the
-form of <span class="emphasis"><em>resource records</em></span> (<acronym class="acronym">RR</acronym>s).
+The data for each zone is stored in a <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>name
+server</I
+></SPAN
+>, which answers queries about the zone using the
+<SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>DNS protocol</I
+></SPAN
+>.
+</P
+><P
+>The data associated with each domain name is stored in the
+form of <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>resource records</I
+></SPAN
+> (<SPAN
+CLASS="acronym"
+>RR</SPAN
+>s).
 Some of the supported resource record types are described in
-<a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them" title="Types of Resource Records and When to Use Them">the section called &#8220;Types of Resource Records and When to Use Them&#8221;</a>.</p>
-<p>For more detailed information about the design of the DNS and
+<A
+HREF="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them"
+>Section 6.3.1</A
+>.</P
+><P
+>For more detailed information about the design of the DNS and
 the DNS protocol, please refer to the standards documents listed in
-<a href="Bv9ARM.ch09.html#rfcs" title="Request for Comments (RFCs)">the section called &#8220;Request for Comments (RFCs)&#8221;</a>.</p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2564974"></a>Zones</h3></div></div></div>
-<p>To properly operate a name server, it is important to understand
-the difference between a <span class="emphasis"><em>zone</em></span>
-and a <span class="emphasis"><em>domain</em></span>.</p>
-<p>As we stated previously, a zone is a point of delegation in
-the <acronym class="acronym">DNS</acronym> tree. A zone consists of
+<A
+HREF="Bv9ARM.ch09.html#rfcs"
+>Section A.3.1</A
+>.</P
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN148"
+>1.4.3. Zones</A
+></H2
+><P
+>To properly operate a name server, it is important to understand
+the difference between a <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>zone</I
+></SPAN
+>
+and a <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>domain</I
+></SPAN
+>.</P
+><P
+>As we stated previously, a zone is a point of delegation in
+the <SPAN
+CLASS="acronym"
+>DNS</SPAN
+> tree. A zone consists of
 those contiguous parts of the domain
 tree for which a name server has complete information and over which
 it has authority. It contains all domain names from a certain point
 downward in the domain tree except those which are delegated to
 other zones. A delegation point is marked by one or more
-<span class="emphasis"><em>NS records</em></span> in the
+<SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>NS records</I
+></SPAN
+> in the
 parent zone, which should be matched by equivalent NS records at
-the root of the delegated zone.</p>
-<p>For instance, consider the <code class="literal">example.com</code>
+the root of the delegated zone.</P
+><P
+>For instance, consider the <TT
+CLASS="literal"
+>example.com</TT
+>
 domain which includes names
-such as <code class="literal">host.aaa.example.com</code> and
-<code class="literal">host.bbb.example.com</code> even though
-the <code class="literal">example.com</code> zone includes
-only delegations for the <code class="literal">aaa.example.com</code> and
-<code class="literal">bbb.example.com</code> zones.  A zone can map
+such as <TT
+CLASS="literal"
+>host.aaa.example.com</TT
+> and
+<TT
+CLASS="literal"
+>host.bbb.example.com</TT
+> even though
+the <TT
+CLASS="literal"
+>example.com</TT
+> zone includes
+only delegations for the <TT
+CLASS="literal"
+>aaa.example.com</TT
+> and
+<TT
+CLASS="literal"
+>bbb.example.com</TT
+> zones.  A zone can map
 exactly to a single domain, but could also include only part of a
 domain, the rest of which could be delegated to other
-name servers. Every name in the <acronym class="acronym">DNS</acronym> tree is a
-<span class="emphasis"><em>domain</em></span>, even if it is
-<span class="emphasis"><em>terminal</em></span>, that is, has no
-<span class="emphasis"><em>subdomains</em></span>.  Every subdomain is a domain and
+name servers. Every name in the <SPAN
+CLASS="acronym"
+>DNS</SPAN
+> tree is a
+<SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>domain</I
+></SPAN
+>, even if it is
+<SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>terminal</I
+></SPAN
+>, that is, has no
+<SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>subdomains</I
+></SPAN
+>.  Every subdomain is a domain and
 every domain except the root is also a subdomain. The terminology is
 not intuitive and we suggest that you read RFCs 1033, 1034 and 1035 to
 gain a complete understanding of this difficult and subtle
-topic.</p>
-<p>Though <acronym class="acronym">BIND</acronym> is called a "domain name server",
+topic.</P
+><P
+>Though <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> is called a "domain name server",
 it deals primarily in terms of zones. The master and slave
-declarations in the <code class="filename">named.conf</code> file specify
+declarations in the <TT
+CLASS="filename"
+>named.conf</TT
+> file specify
 zones, not domains. When you ask some other site if it is willing to
-be a slave server for your <span class="emphasis"><em>domain</em></span>, you are
-actually asking for slave service for some collection of zones.</p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2565117"></a>Authoritative Name Servers</h3></div></div></div>
-<p>Each zone is served by at least
-one <span class="emphasis"><em>authoritative name server</em></span>,
+be a slave server for your <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>domain</I
+></SPAN
+>, you are
+actually asking for slave service for some collection of zones.</P
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN171"
+>1.4.4. Authoritative Name Servers</A
+></H2
+><P
+>Each zone is served by at least
+one <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>authoritative name server</I
+></SPAN
+>,
 which contains the complete data for the zone.
 To make the DNS tolerant of server and network failures,
 most zones have two or more authoritative servers.
-</p>
-<p>Responses from authoritative servers have the "authoritative
+</P
+><P
+>Responses from authoritative servers have the "authoritative
 answer" (AA) bit set in the response packets.  This makes them 
 easy to identify when debugging DNS configurations using tools like
-<span><strong class="command">dig</strong></span> (<a href="Bv9ARM.ch03.html#diagnostic_tools" title="Diagnostic Tools">the section called &#8220;Diagnostic Tools&#8221;</a>).</p>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2565140"></a>The Primary Master</h4></div></div></div>
-<p>
-The authoritative server where the master copy of the zone data is maintained is
-called the <span class="emphasis"><em>primary master</em></span> server, or simply the
-<span class="emphasis"><em>primary</em></span>.  It loads the zone contents from some
+<B
+CLASS="command"
+>dig</B
+> (<A
+HREF="Bv9ARM.ch03.html#diagnostic_tools"
+>Section 3.3.1.1</A
+>).</P
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="AEN178"
+>1.4.4.1. The Primary Master</A
+></H3
+><P
+>&#13;The authoritative server where the master copy of the zone data is maintained is
+called the <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>primary master</I
+></SPAN
+> server, or simply the
+<SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>primary</I
+></SPAN
+>.  It loads the zone contents from some
 local file edited by humans or perhaps generated mechanically from
 some other local file which is edited by humans.  This file is called
-the <span class="emphasis"><em>zone file</em></span> or <span class="emphasis"><em>master file</em></span>.</p>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2565161"></a>Slave Servers</h4></div></div></div>
-<p>The other authoritative servers, the <span class="emphasis"><em>slave</em></span>
-servers (also known as <span class="emphasis"><em>secondary</em></span> servers) load
+the <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>zone file</I
+></SPAN
+> or <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>master file</I
+></SPAN
+>.</P
+></DIV
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="AEN185"
+>1.4.4.2. Slave Servers</A
+></H3
+><P
+>The other authoritative servers, the <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>slave</I
+></SPAN
+>
+servers (also known as <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>secondary</I
+></SPAN
+> servers) load
 the zone contents from another server using a replication process
-known as a <span class="emphasis"><em>zone transfer</em></span>.  Typically the data are
+known as a <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>zone transfer</I
+></SPAN
+>.  Typically the data are
 transferred directly from the primary master, but it is also possible
 to transfer it from another slave.  In other words, a slave server
-may itself act as a master to a subordinate slave server.</p>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2565180"></a>Stealth Servers</h4></div></div></div>
-<p>Usually all of the zone's authoritative servers are listed in 
+may itself act as a master to a subordinate slave server.</P
+></DIV
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="AEN191"
+>1.4.4.3. Stealth Servers</A
+></H3
+><P
+>Usually all of the zone's authoritative servers are listed in 
 NS records in the parent zone.  These NS records constitute
-a <span class="emphasis"><em>delegation</em></span> of the zone from the parent.
+a <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>delegation</I
+></SPAN
+> of the zone from the parent.
 The authoritative servers are also listed in the zone file itself,
-at the <span class="emphasis"><em>top level</em></span> or <span class="emphasis"><em>apex</em></span>
+at the <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>top level</I
+></SPAN
+> or <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>apex</I
+></SPAN
+>
 of the zone.  You can list servers in the zone's top-level NS
 records that are not in the parent's NS delegation, but you cannot
 list servers in the parent's delegation that are not present at
-the zone's top level.</p>
-<p>A <span class="emphasis"><em>stealth server</em></span> is a server that is
+the zone's top level.</P
+><P
+>A <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>stealth server</I
+></SPAN
+> is a server that is
 authoritative for a zone but is not listed in that zone's NS
 records.  Stealth servers can be used for keeping a local copy of a
 zone to speed up access to the zone's records or to make sure that the
 zone is available even if all the "official" servers for the zone are
-inaccessible.</p>
-<p>A configuration where the primary master server itself is a
+inaccessible.</P
+><P
+>A configuration where the primary master server itself is a
 stealth server is often referred to as a "hidden primary"
 configuration.  One use for this configuration is when the primary master
 is behind a firewall and therefore unable to communicate directly
-with the outside world.</p>
-</div>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2565209"></a>Caching Name Servers</h3></div></div></div>
-<p>The resolver libraries provided by most operating systems are 
-<span class="emphasis"><em>stub resolvers</em></span>, meaning that they are not capable of
+with the outside world.</P
+></DIV
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN200"
+>1.4.5. Caching Name Servers</A
+></H2
+><P
+>The resolver libraries provided by most operating systems are 
+<SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>stub resolvers</I
+></SPAN
+>, meaning that they are not capable of
 performing the full DNS resolution process by themselves by talking
 directly to the authoritative servers.  Instead, they rely on a local
 name server to perform the resolution on their behalf.  Such a server
-is called a <span class="emphasis"><em>recursive</em></span> name server; it performs
-<span class="emphasis"><em>recursive lookups</em></span> for local clients.</p>
-<p>To improve performance, recursive servers cache the results of
+is called a <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>recursive</I
+></SPAN
+> name server; it performs
+<SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>recursive lookups</I
+></SPAN
+> for local clients.</P
+><P
+>To improve performance, recursive servers cache the results of
 the lookups they perform.  Since the processes of recursion and
 caching are intimately connected, the terms
-<span class="emphasis"><em>recursive server</em></span> and
-<span class="emphasis"><em>caching server</em></span> are often used synonymously.</p>
-<p>The length of time for which a record may be retained in
-the cache of a caching name server is controlled by the 
+<SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>recursive server</I
+></SPAN
+> and
+<SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>caching server</I
+></SPAN
+> are often used synonymously.</P
+><P
+>The length of time for which a record may be retained in
+in the cache of a caching name server is controlled by the 
 Time To Live (TTL) field associated with each resource record.
-</p>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2565241"></a>Forwarding</h4></div></div></div>
-<p>Even a caching name server does not necessarily perform
+</P
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="AEN210"
+>1.4.5.1. Forwarding</A
+></H3
+><P
+>Even a caching name server does not necessarily perform
 the complete recursive lookup itself.  Instead, it can
-<span class="emphasis"><em>forward</em></span> some or all of the queries
+<SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>forward</I
+></SPAN
+> some or all of the queries
 that it cannot satisfy from its cache to another caching name server,
-commonly referred to as a <span class="emphasis"><em>forwarder</em></span>.
-</p>
-<p>There may be one or more forwarders,
+commonly referred to as a <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>forwarder</I
+></SPAN
+>.
+</P
+><P
+>There may be one or more forwarders,
 and they are queried in turn until the list is exhausted or an answer
 is found. Forwarders are typically used when you do not
 wish all the servers at a given site to interact directly with the rest of
 the Internet servers. A typical scenario would involve a number
-of internal <acronym class="acronym">DNS</acronym> servers and an Internet firewall. Servers unable
+of internal <SPAN
+CLASS="acronym"
+>DNS</SPAN
+> servers and an Internet firewall. Servers unable
 to pass packets through the firewall would forward to the server
-that can do it, and that server would query the Internet <acronym class="acronym">DNS</acronym> servers
+that can do it, and that server would query the Internet <SPAN
+CLASS="acronym"
+>DNS</SPAN
+> servers
 on the internal server's behalf. An added benefit of using the forwarding
 feature is that the central machine develops a much more complete
 cache of information that all the clients can take advantage
-of.</p>
-</div>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2565267"></a>Name Servers in Multiple Roles</h3></div></div></div>
-<p>The <acronym class="acronym">BIND</acronym> name server can simultaneously act as
+of.</P
+></DIV
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN218"
+>1.4.6. Name Servers in Multiple Roles</A
+></H2
+><P
+>The <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> name server can simultaneously act as
 a master for some zones, a slave for other zones, and as a caching
-(recursive) server for a set of local clients.</p>
-<p>However, since the functions of authoritative name service
+(recursive) server for a set of local clients.</P
+><P
+>However, since the functions of authoritative name service
 and caching/recursive name service are logically separate, it is
 often advantageous to run them on separate server machines.
 
 A server that only provides authoritative name service
-(an <span class="emphasis"><em>authoritative-only</em></span> server) can run with
+(an <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>authoritative-only</I
+></SPAN
+> server) can run with
 recursion disabled, improving reliability and security.
 
 A server that is not authoritative for any zones and only provides
 recursive service to local
-clients (a <span class="emphasis"><em>caching-only</em></span> server)
+clients (a <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>caching-only</I
+></SPAN
+> server)
 does not need to be reachable from the Internet at large and can
-be placed inside a firewall.</p>
-</div>
-</div>
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="Bv9ARM.html">Prev</a> </td>
-<td width="20%" align="center"> </td>
-<td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch02.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">BIND 9 Administrator Reference Manual </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> Chapter 2. <acronym class="acronym">BIND</acronym> Resource Requirements</td>
-</tr>
-</table>
-</div>
-</body>
-</html>
+be placed inside a firewall.</P
+></DIV
+></DIV
+></DIV
+><DIV
+CLASS="NAVFOOTER"
+><HR
+ALIGN="LEFT"
+WIDTH="100%"><TABLE
+SUMMARY="Footer navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+><A
+HREF="Bv9ARM.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+><A
+HREF="Bv9ARM.html"
+ACCESSKEY="H"
+>Home</A
+></TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+><A
+HREF="Bv9ARM.ch02.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+>BIND 9 Administrator Reference Manual</TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+>&nbsp;</TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+><SPAN
+CLASS="acronym"
+>BIND</SPAN
+> Resource Requirements</TD
+></TR
+></TABLE
+></DIV
+></BODY
+></HTML
+>
\ No newline at end of file
diff --git a/doc/arm/Bv9ARM.ch02.html b/doc/arm/Bv9ARM.ch02.html
index 51f280de..8e4e6861 100644
--- a/doc/arm/Bv9ARM.ch02.html
+++ b/doc/arm/Bv9ARM.ch02.html
@@ -1,140 +1,284 @@
-<!--
- - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id: Bv9ARM.ch02.html,v 1.10.2.16 2007/01/30 00:10:38 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>Chapter 2. BIND Resource Requirements</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="prev" href="Bv9ARM.ch01.html" title="Chapter 1. Introduction">
-<link rel="next" href="Bv9ARM.ch03.html" title="Chapter 3. Nameserver Configuration">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center">Chapter 2. <acronym class="acronym">BIND</acronym> Resource Requirements</th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="Bv9ARM.ch01.html">Prev</a> </td>
-<th width="60%" align="center"> </th>
-<td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch03.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="chapter" lang="en">
-<div class="titlepage"><div><div><h2 class="title">
-<a name="Bv9ARM.ch02"></a>Chapter 2. <acronym class="acronym">BIND</acronym> Resource Requirements</h2></div></div></div>
-<div class="toc">
-<p><b>Table of Contents</b></p>
-<dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2565299">Hardware requirements</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2565323">CPU Requirements</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2565402">Memory Requirements</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2565417">Nameserver Intensive Environment Issues</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2565426">Supported Operating Systems</a></span></dt>
-</dl>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2565299"></a>Hardware requirements</h2></div></div></div>
-<p><acronym class="acronym">DNS</acronym> hardware requirements have traditionally been quite modest.
+<HTML
+><HEAD
+><TITLE
+>BIND Resource Requirements</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.73
+"><LINK
+REL="HOME"
+TITLE="BIND 9 Administrator Reference Manual"
+HREF="Bv9ARM.html"><LINK
+REL="PREVIOUS"
+TITLE="Introduction "
+HREF="Bv9ARM.ch01.html"><LINK
+REL="NEXT"
+TITLE="Name Server Configuration"
+HREF="Bv9ARM.ch03.html"></HEAD
+><BODY
+CLASS="chapter"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><DIV
+CLASS="NAVHEADER"
+><TABLE
+SUMMARY="Header navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TH
+COLSPAN="3"
+ALIGN="center"
+>BIND 9 Administrator Reference Manual</TH
+></TR
+><TR
+><TD
+WIDTH="10%"
+ALIGN="left"
+VALIGN="bottom"
+><A
+HREF="Bv9ARM.ch01.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="80%"
+ALIGN="center"
+VALIGN="bottom"
+></TD
+><TD
+WIDTH="10%"
+ALIGN="right"
+VALIGN="bottom"
+><A
+HREF="Bv9ARM.ch03.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+></TABLE
+><HR
+ALIGN="LEFT"
+WIDTH="100%"></DIV
+><DIV
+CLASS="chapter"
+><H1
+><A
+NAME="ch02"
+>Chapter 2. <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> Resource Requirements</A
+></H1
+><DIV
+CLASS="TOC"
+><DL
+><DT
+><B
+>Table of Contents</B
+></DT
+><DT
+>2.1. <A
+HREF="Bv9ARM.ch02.html#AEN228"
+>Hardware requirements</A
+></DT
+><DT
+>2.2. <A
+HREF="Bv9ARM.ch02.html#AEN236"
+>CPU Requirements</A
+></DT
+><DT
+>2.3. <A
+HREF="Bv9ARM.ch02.html#AEN240"
+>Memory Requirements</A
+></DT
+><DT
+>2.4. <A
+HREF="Bv9ARM.ch02.html#AEN245"
+>Name Server Intensive Environment Issues</A
+></DT
+><DT
+>2.5. <A
+HREF="Bv9ARM.ch02.html#AEN248"
+>Supported Operating Systems</A
+></DT
+></DL
+></DIV
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="AEN228"
+>2.1. Hardware requirements</A
+></H1
+><P
+><SPAN
+CLASS="acronym"
+>DNS</SPAN
+> hardware requirements have traditionally been quite modest.
 For many installations, servers that have been pensioned off from
-active duty have performed admirably as <acronym class="acronym">DNS</acronym> servers.</p>
-<p>The DNSSEC and IPv6 features of <acronym class="acronym">BIND</acronym> 9 may prove to be quite
+active duty have performed admirably as <SPAN
+CLASS="acronym"
+>DNS</SPAN
+> servers.</P
+><P
+>The DNSSEC and IPv6 features of <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 9 may prove to be quite
 CPU intensive however, so organizations that make heavy use of these
 features may wish to consider larger systems for these applications.
-<acronym class="acronym">BIND</acronym> 9 is now fully multithreaded, allowing full utilization of
-multiprocessor systems for installations that need it.</p>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2565323"></a>CPU Requirements</h2></div></div></div>
-<p>CPU requirements for <acronym class="acronym">BIND</acronym> 9 range from i486-class machines
+<SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 9 is fully multithreaded, allowing full utilization of
+multiprocessor systems for installations that need it.</P
+></DIV
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="AEN236"
+>2.2. CPU Requirements</A
+></H1
+><P
+>CPU requirements for <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 9 range from i486-class machines
 for serving of static zones without caching, to enterprise-class
 machines if you intend to process many dynamic updates and DNSSEC
-signed zones, serving many thousands of queries per second.</p>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2565402"></a>Memory Requirements</h2></div></div></div>
-<p>The memory of the server has to be large enough to fit the
-cache and zones loaded off disk.  The <span><strong class="command">max-cache-size</strong></span>
+signed zones, serving many thousands of queries per second.</P
+></DIV
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="AEN240"
+>2.3. Memory Requirements</A
+></H1
+><P
+>The memory of the server has to be large enough to fit the
+cache and zones loaded off disk.  The <B
+CLASS="command"
+>max-cache-size</B
+>
 option can be used to limit the amount of memory used by the cache,
-at the expense of reducing cache hit rates and causing more <acronym class="acronym">DNS</acronym>
+at the expense of reducing cache hit rates and causing more <SPAN
+CLASS="acronym"
+>DNS</SPAN
+>
 traffic. It is still good practice to have enough memory to load
 all zone and cache data into memory &#8212; unfortunately, the best way
-to determine this for a given installation is to watch the nameserver
+to determine this for a given installation is to watch the name server
 in operation. After a few weeks the server process should reach
 a relatively stable size where entries are expiring from the cache as
-fast as they are being inserted. Ideally, the resource limits should
-be set higher than this stable size.</p>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2565417"></a>Nameserver Intensive Environment Issues</h2></div></div></div>
-<p>For nameserver intensive environments, there are two alternative
+fast as they are being inserted.</P
+></DIV
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="AEN245"
+>2.4. Name Server Intensive Environment Issues</A
+></H1
+><P
+>For name server intensive environments, there are two alternative
 configurations that may be used. The first is where clients and
-any second-level internal nameservers query a main nameserver, which
+any second-level internal name servers query a main name server, which
 has enough memory to build a large cache. This approach minimizes
 the bandwidth used by external name lookups. The second alternative
-is to set up second-level internal nameservers to make queries independently.
+is to set up second-level internal name servers to make queries independently.
 In this configuration, none of the individual machines needs to
 have as much memory or CPU power as in the first alternative, but
 this has the disadvantage of making many more external queries,
-as none of the nameservers share their cached data.</p>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2565426"></a>Supported Operating Systems</h2></div></div></div>
-<p>ISC <acronym class="acronym">BIND</acronym> 9 compiles and runs on the following operating
-systems:</p>
-<div class="itemizedlist"><ul type="disc">
-<li>IBM AIX 4.3</li>
-<li>Compaq Digital/Tru64 UNIX 4.0D</li>
-<li>Compaq Digital/Tru64 UNIX 5 (with IPv6 EAK)</li>
-<li>HP HP-UX 11</li>
-<li>IRIX64 6.5</li>
-<li>Sun Solaris 2.6, 7, 8</li>
-<li>NetBSD 1.5 (with unproven-pthreads 0.17)</li>
-<li>FreeBSD 3.4-STABLE, 3.5, 4.0, 4.1</li>
-<li>Red Hat Linux 6.0, 6.1, 6.2, 7.0</li>
-</ul></div>
-</div>
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="Bv9ARM.ch01.html">Prev</a> </td>
-<td width="20%" align="center"> </td>
-<td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch03.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">Chapter 1. Introduction  </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> Chapter 3. Nameserver Configuration</td>
-</tr>
-</table>
-</div>
-</body>
-</html>
+as none of the name servers share their cached data.</P
+></DIV
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="AEN248"
+>2.5. Supported Operating Systems</A
+></H1
+><P
+>ISC <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 9 compiles and runs on a large number
+of Unix-like operating system and on Windows NT / 2000.  For an up-to-date
+list of supported systems, see the README file in the top level directory
+of the BIND 9 source distribution.</P
+></DIV
+></DIV
+><DIV
+CLASS="NAVFOOTER"
+><HR
+ALIGN="LEFT"
+WIDTH="100%"><TABLE
+SUMMARY="Footer navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+><A
+HREF="Bv9ARM.ch01.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+><A
+HREF="Bv9ARM.html"
+ACCESSKEY="H"
+>Home</A
+></TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+><A
+HREF="Bv9ARM.ch03.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+>Introduction</TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+>&nbsp;</TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+>Name Server Configuration</TD
+></TR
+></TABLE
+></DIV
+></BODY
+></HTML
+>
\ No newline at end of file
diff --git a/doc/arm/Bv9ARM.ch03.html b/doc/arm/Bv9ARM.ch03.html
index b5ce5169..f73d942d 100644
--- a/doc/arm/Bv9ARM.ch03.html
+++ b/doc/arm/Bv9ARM.ch03.html
@@ -1,109 +1,171 @@
-<!--
- - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id: Bv9ARM.ch03.html,v 1.26.2.23 2007/05/08 02:29:19 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>Chapter 3. Nameserver Configuration</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="prev" href="Bv9ARM.ch02.html" title="Chapter 2. BIND Resource Requirements">
-<link rel="next" href="Bv9ARM.ch04.html" title="Chapter 4. Advanced Concepts">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center">Chapter 3. Nameserver Configuration</th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="Bv9ARM.ch02.html">Prev</a> </td>
-<th width="60%" align="center"> </th>
-<td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch04.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="chapter" lang="en">
-<div class="titlepage"><div><div><h2 class="title">
-<a name="Bv9ARM.ch03"></a>Chapter 3. Nameserver Configuration</h2></div></div></div>
-<div class="toc">
-<p><b>Table of Contents</b></p>
-<dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch03.html#sample_configuration">Sample Configurations</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2565591">A Caching-only Nameserver</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2565672">An Authoritative-only Nameserver</a></span></dt>
-</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2565694">Load Balancing</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch03.html#notify">Notify</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2566085">Nameserver Operations</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2566090">Tools for Use With the Nameserver Daemon</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2569165">Signals</a></span></dt>
-</dl></dd>
-</dl>
-</div>
-<p>In this section we provide some suggested configurations along
+<HTML
+><HEAD
+><TITLE
+>Name Server Configuration</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.73
+"><LINK
+REL="HOME"
+TITLE="BIND 9 Administrator Reference Manual"
+HREF="Bv9ARM.html"><LINK
+REL="PREVIOUS"
+TITLE="BIND Resource Requirements"
+HREF="Bv9ARM.ch02.html"><LINK
+REL="NEXT"
+TITLE="Advanced DNS Features"
+HREF="Bv9ARM.ch04.html"></HEAD
+><BODY
+CLASS="chapter"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><DIV
+CLASS="NAVHEADER"
+><TABLE
+SUMMARY="Header navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TH
+COLSPAN="3"
+ALIGN="center"
+>BIND 9 Administrator Reference Manual</TH
+></TR
+><TR
+><TD
+WIDTH="10%"
+ALIGN="left"
+VALIGN="bottom"
+><A
+HREF="Bv9ARM.ch02.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="80%"
+ALIGN="center"
+VALIGN="bottom"
+></TD
+><TD
+WIDTH="10%"
+ALIGN="right"
+VALIGN="bottom"
+><A
+HREF="Bv9ARM.ch04.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+></TABLE
+><HR
+ALIGN="LEFT"
+WIDTH="100%"></DIV
+><DIV
+CLASS="chapter"
+><H1
+><A
+NAME="ch03"
+>Chapter 3. Name Server Configuration</A
+></H1
+><DIV
+CLASS="TOC"
+><DL
+><DT
+><B
+>Table of Contents</B
+></DT
+><DT
+>3.1. <A
+HREF="Bv9ARM.ch03.html#sample_configuration"
+>Sample Configurations</A
+></DT
+><DT
+>3.2. <A
+HREF="Bv9ARM.ch03.html#AEN268"
+>Load Balancing</A
+></DT
+><DT
+>3.3. <A
+HREF="Bv9ARM.ch03.html#AEN345"
+>Name Server Operations</A
+></DT
+></DL
+></DIV
+><P
+>In this section we provide some suggested configurations along
 with guidelines for their use. We also address the topic of reasonable
-option setting.</p>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="sample_configuration"></a>Sample Configurations</h2></div></div></div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2565591"></a>A Caching-only Nameserver</h3></div></div></div>
-<p>The following sample configuration is appropriate for a caching-only
+option setting.</P
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="sample_configuration"
+>3.1. Sample Configurations</A
+></H1
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN257"
+>3.1.1. A Caching-only Name Server</A
+></H2
+><P
+>The following sample configuration is appropriate for a caching-only
 name server for use by clients internal to a corporation.  All queries
-from outside clients are refused.</p>
-<pre class="programlisting">
-// Two corporate subnets we wish to allow queries from.
-acl "corpnets" { 192.168.4.0/24; 192.168.7.0/24; };
+from outside clients are refused using the <B
+CLASS="command"
+>allow-query</B
+>
+option.  Alternatively, the same effect could be achieved using suitable
+firewall rules.</P
+><PRE
+CLASS="programlisting"
+>&#13;// Two corporate subnets we wish to allow queries from.
+acl corpnets { 192.168.4.0/24; 192.168.7.0/24; };
 options {
      directory "/etc/namedb";           // Working directory
-     pid-file "named.pid";              // Put pid file in working dir
-     allow-query { "corpnets"; };
+     allow-query { corpnets; };
 };
-// Root server hints
-zone "." { type hint; file "root.hint"; };
 // Provide a reverse mapping for the loopback address 127.0.0.1
 zone "0.0.127.in-addr.arpa" {
      type master;
      file "localhost.rev";
      notify no;
 };
-</pre>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2565672"></a>An Authoritative-only Nameserver</h3></div></div></div>
-<p>This sample configuration is for an authoritative-only server
-that is the master server for "<code class="filename">example.com</code>"
-and a slave for the subdomain "<code class="filename">eng.example.com</code>".</p>
-<pre class="programlisting">
-options {
+</PRE
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN262"
+>3.1.2. An Authoritative-only Name Server</A
+></H2
+><P
+>This sample configuration is for an authoritative-only server
+that is the master server for "<TT
+CLASS="filename"
+>example.com</TT
+>"
+and a slave for the subdomain "<TT
+CLASS="filename"
+>eng.example.com</TT
+>".</P
+><PRE
+CLASS="programlisting"
+>&#13;options {
      directory "/etc/namedb";           // Working directory
-     pid-file "named.pid";              // Put pid file in working dir
      allow-query { any; };              // This is the default
      recursion no;                      // Do not provide recursive service
 };
-// Root server hints
-zone "." { type hint; file "root.hint"; };
 
 // Provide a reverse mapping for the loopback address 127.0.0.1
 zone "0.0.127.in-addr.arpa" {
@@ -128,380 +190,1475 @@ zone "eng.example.com" {
      // IP address of eng.example.com master server
      masters { 192.168.4.12; };
 };
-</pre>
-</div>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2565694"></a>Load Balancing</h2></div></div></div>
-<p>Primitive load balancing can be achieved in <acronym class="acronym">DNS</acronym> using multiple
-A records for one name.</p>
-<p>For example, if you have three WWW servers with network addresses
+</PRE
+></DIV
+></DIV
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="AEN268"
+>3.2. Load Balancing</A
+></H1
+><P
+>A primitive form of load balancing can be achieved in
+the <SPAN
+CLASS="acronym"
+>DNS</SPAN
+> by using multiple A records for one name.</P
+><P
+>For example, if you have three WWW servers with network addresses
 of 10.0.0.1, 10.0.0.2 and 10.0.0.3, a set of records such as the
 following means that clients will connect to each machine one third
-of the time:</p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-<col>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td><p>Name</p></td>
-<td><p>TTL</p></td>
-<td><p>CLASS</p></td>
-<td><p>TYPE</p></td>
-<td><p>Resource Record (RR) Data</p></td>
-</tr>
-<tr>
-<td><p><code class="literal">www</code></p></td>
-<td><p><code class="literal">600</code></p></td>
-<td><p><code class="literal">IN</code></p></td>
-<td><p><code class="literal">A</code></p></td>
-<td><p><code class="literal">10.0.0.1</code></p></td>
-</tr>
-<tr>
-<td><p></p></td>
-<td><p><code class="literal">600</code></p></td>
-<td><p><code class="literal">IN</code></p></td>
-<td><p><code class="literal">A</code></p></td>
-<td><p><code class="literal">10.0.0.2</code></p></td>
-</tr>
-<tr>
-<td><p></p></td>
-<td><p><code class="literal">600</code></p></td>
-<td><p><code class="literal">IN</code></p></td>
-<td><p><code class="literal">A</code></p></td>
-<td><p><code class="literal">10.0.0.3</code></p></td>
-</tr>
-</tbody>
-</table></div>
-<p>When a resolver queries for these records, <acronym class="acronym">BIND</acronym> will rotate
+of the time:</P
+><DIV
+CLASS="informaltable"
+><A
+NAME="AEN273"
+></A
+><P
+></P
+><TABLE
+CELLPADDING="3"
+BORDER="1"
+CLASS="CALSTABLE"
+><TBODY
+><TR
+><TD
+WIDTH="84"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>Name</P
+></TD
+><TD
+WIDTH="48"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>TTL</P
+></TD
+><TD
+WIDTH="72"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>CLASS</P
+></TD
+><TD
+WIDTH="72"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>TYPE</P
+></TD
+><TD
+WIDTH="195"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>Resource Record (RR) Data</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="84"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="literal"
+>www</TT
+></P
+></TD
+><TD
+WIDTH="48"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="literal"
+>600</TT
+></P
+></TD
+><TD
+WIDTH="72"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="literal"
+>IN</TT
+></P
+></TD
+><TD
+WIDTH="72"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="literal"
+>A</TT
+></P
+></TD
+><TD
+WIDTH="195"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="literal"
+>10.0.0.1</TT
+></P
+></TD
+></TR
+><TR
+><TD
+WIDTH="84"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+></P
+></TD
+><TD
+WIDTH="48"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="literal"
+>600</TT
+></P
+></TD
+><TD
+WIDTH="72"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="literal"
+>IN</TT
+></P
+></TD
+><TD
+WIDTH="72"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="literal"
+>A</TT
+></P
+></TD
+><TD
+WIDTH="195"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="literal"
+>10.0.0.2</TT
+></P
+></TD
+></TR
+><TR
+><TD
+WIDTH="84"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+></P
+></TD
+><TD
+WIDTH="48"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="literal"
+>600</TT
+></P
+></TD
+><TD
+WIDTH="72"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="literal"
+>IN</TT
+></P
+></TD
+><TD
+WIDTH="72"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="literal"
+>A</TT
+></P
+></TD
+><TD
+WIDTH="195"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="literal"
+>10.0.0.3</TT
+></P
+></TD
+></TR
+></TBODY
+></TABLE
+><P
+></P
+></DIV
+><P
+>When a resolver queries for these records, <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> will rotate
     them and respond to the query with the records in a different
     order.  In the example above, clients will randomly receive
     records in the order 1, 2, 3; 2, 3, 1; and 3, 1, 2. Most clients
-    will use the first record returned and discard the rest.</p>
-<p>For more detail on ordering responses, check the
-    <span><strong class="command">rrset-order</strong></span> substatement in the
-    <span><strong class="command">options</strong></span> statement, see
-    <a href="Bv9ARM.ch06.html#rrset_ordering">RRset Ordering</a>.
+    will use the first record returned and discard the rest.</P
+><P
+>For more detail on ordering responses, check the
+    <B
+CLASS="command"
+>rrset-order</B
+> substatement in the
+    <B
+CLASS="command"
+>options</B
+> statement, see
+    <A
+HREF="Bv9ARM.ch06.html#rrset_ordering"
+><I
+>RRset Ordering</I
+></A
+>.
     This substatement is not supported in
-    <acronym class="acronym">BIND</acronym> 9, and only the ordering scheme described above is
-    available.</p>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="notify"></a>Notify</h2></div></div></div>
-<p><acronym class="acronym">DNS</acronym> Notify is a mechanism that allows master nameservers to
-    notify their slave servers of changes to a zone's data. In
-    response to a <span><strong class="command">NOTIFY</strong></span> from a master server, the
-    slave will check to see that its version of the zone is the
-    current version and, if not, initiate a transfer.</p>
-<p><acronym class="acronym">DNS</acronym>
-    Notify is fully documented in RFC 1996. See also the description
-    of the zone option <span><strong class="command">also-notify</strong></span>, see
-    <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>. For more information about
-    <span><strong class="command">notify</strong></span>, see <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.</p>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2566085"></a>Nameserver Operations</h2></div></div></div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2566090"></a>Tools for Use With the Nameserver Daemon</h3></div></div></div>
-<p>There are several indispensable diagnostic, administrative
+    <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 9, and only the ordering scheme described above is
+    available.</P
+></DIV
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="AEN345"
+>3.3. Name Server Operations</A
+></H1
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN347"
+>3.3.1. Tools for Use With the Name Server Daemon</A
+></H2
+><P
+>There are several indispensable diagnostic, administrative
 and monitoring tools available to the system administrator for controlling
-and debugging the nameserver daemon. We describe several in this
-section </p>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="diagnostic_tools"></a>Diagnostic Tools</h4></div></div></div>
-<div class="variablelist"><dl>
-<dt><span class="term"><a name="dig"></a><span><strong class="command">dig</strong></span></span></dt>
-<dd>
-<p>The domain information groper (<span><strong class="command">dig</strong></span>) is
-a command line tool that can be used to gather information from
-the Domain Name System servers. Dig has two modes: simple interactive
+and debugging the name server daemon. We describe several in this
+section </P
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="diagnostic_tools"
+>3.3.1.1. Diagnostic Tools</A
+></H3
+><P
+>The <B
+CLASS="command"
+>dig</B
+>, <B
+CLASS="command"
+>host</B
+>, and
+<B
+CLASS="command"
+>nslookup</B
+> programs are all command line tools
+for manually querying name servers.  They differ in style and
+output format.
+</P
+><P
+></P
+><DIV
+CLASS="variablelist"
+><DL
+><DT
+><B
+CLASS="command"
+>dig</B
+></DT
+><DD
+><P
+>The domain information groper (<B
+CLASS="command"
+>dig</B
+>)
+is the most versatile and complete of these lookup tools.
+It has two modes: simple interactive
 mode for a single query, and batch mode which executes a query for
 each in a list of several query lines. All query options are accessible
-from the command line.</p>
-<div class="cmdsynopsis"><p><code class="command">dig</code>  [@<em class="replaceable"><code>server</code></em>]  <em class="replaceable"><code>domain</code></em>  [<em class="replaceable"><code>query-type</code></em>] [<em class="replaceable"><code>query-class</code></em>] [+<em class="replaceable"><code>query-option</code></em>] [-<em class="replaceable"><code>dig-option</code></em>] [%<em class="replaceable"><code>comment</code></em>]</p></div>
-<p>The usual simple use of dig will take the form</p>
-<p><span><strong class="command">dig @server domain query-type query-class</strong></span></p>
-<p>For more information and a list of available commands and
-options, see the <span><strong class="command">dig</strong></span> man page.</p>
-</dd>
-<dt><span class="term"><span><strong class="command">host</strong></span></span></dt>
-<dd>
-<p>The <span><strong class="command">host</strong></span> utility
-provides a simple <acronym class="acronym">DNS</acronym> lookup using a command-line interface for
-looking up Internet hostnames. By default, the utility converts
+from the command line.</P
+><P
+><B
+CLASS="command"
+>dig</B
+>  [@<TT
+CLASS="replaceable"
+><I
+>server</I
+></TT
+>]  <TT
+CLASS="replaceable"
+><I
+>domain</I
+></TT
+>  [<TT
+CLASS="replaceable"
+><I
+>query-type</I
+></TT
+>] [<TT
+CLASS="replaceable"
+><I
+>query-class</I
+></TT
+>] [+<TT
+CLASS="replaceable"
+><I
+>query-option</I
+></TT
+>] [-<TT
+CLASS="replaceable"
+><I
+>dig-option</I
+></TT
+>] [%<TT
+CLASS="replaceable"
+><I
+>comment</I
+></TT
+>]</P
+><P
+>The usual simple use of dig will take the form</P
+><P
+><B
+CLASS="command"
+>dig @server domain query-type query-class</B
+></P
+><P
+>For more information and a list of available commands and
+options, see the <B
+CLASS="command"
+>dig</B
+> man page.</P
+></DD
+><DT
+><B
+CLASS="command"
+>host</B
+></DT
+><DD
+><P
+>The <B
+CLASS="command"
+>host</B
+> utility emphasizes simplicity
+and ease of use.  By default, it converts
 between host names and Internet addresses, but its functionality
-can be extended with the use of options.</p>
-<div class="cmdsynopsis"><p><code class="command">host</code>  [-aCdlrTwv] [-c <em class="replaceable"><code>class</code></em>] [-N <em class="replaceable"><code>ndots</code></em>] [-t <em class="replaceable"><code>type</code></em>] [-W <em class="replaceable"><code>timeout</code></em>] [-R <em class="replaceable"><code>retries</code></em>]  <em class="replaceable"><code>hostname</code></em>  [<em class="replaceable"><code>server</code></em>]</p></div>
-<p>For more information and a list of available commands and
-options, see the <span><strong class="command">host</strong></span> man page.</p>
-</dd>
-<dt><span class="term"><span><strong class="command">nslookup</strong></span></span></dt>
-<dd>
-<p><span><strong class="command">nslookup</strong></span> is a program used to query Internet
-domain nameservers. <span><strong class="command">nslookup</strong></span> has two modes: interactive
-and non-interactive. Interactive mode allows the user to query nameservers
+can be extended with the use of options.</P
+><P
+><B
+CLASS="command"
+>host</B
+>  [-aCdlrTwv] [-c <TT
+CLASS="replaceable"
+><I
+>class</I
+></TT
+>] [-N <TT
+CLASS="replaceable"
+><I
+>ndots</I
+></TT
+>] [-t <TT
+CLASS="replaceable"
+><I
+>type</I
+></TT
+>] [-W <TT
+CLASS="replaceable"
+><I
+>timeout</I
+></TT
+>] [-R <TT
+CLASS="replaceable"
+><I
+>retries</I
+></TT
+>]  <TT
+CLASS="replaceable"
+><I
+>hostname</I
+></TT
+>  [<TT
+CLASS="replaceable"
+><I
+>server</I
+></TT
+>]</P
+><P
+>For more information and a list of available commands and
+options, see the <B
+CLASS="command"
+>host</B
+> man page.</P
+></DD
+><DT
+><B
+CLASS="command"
+>nslookup</B
+></DT
+><DD
+><P
+><B
+CLASS="command"
+>nslookup</B
+> has two modes: interactive
+and non-interactive. Interactive mode allows the user to query name servers
 for information about various hosts and domains or to print a list
 of hosts in a domain. Non-interactive mode is used to print just
-the name and requested information for a host or domain.</p>
-<div class="cmdsynopsis"><p><code class="command">nslookup</code>  [-option...] [[<em class="replaceable"><code>host-to-find</code></em>] |  [- [server]]]</p></div>
-<p>Interactive mode is entered when no arguments are given (the
-default nameserver will be used) or when the first argument is a
+the name and requested information for a host or domain.</P
+><P
+><B
+CLASS="command"
+>nslookup</B
+>  [-option...] [<TT
+CLASS="replaceable"
+><I
+>host-to-find</I
+></TT
+> | -  [server]]</P
+><P
+>Interactive mode is entered when no arguments are given (the
+default name server will be used) or when the first argument is a
 hyphen (`-') and the second argument is the host name or Internet address
-of a nameserver.</p>
-<p>Non-interactive mode is used when the name or Internet address
+of a name server.</P
+><P
+>Non-interactive mode is used when the name or Internet address
 of the host to be looked up is given as the first argument. The
-optional second argument specifies the host name or address of a nameserver.</p>
-<p>Due to its arcane user interface and frequently inconsistent
-behavior, we do not recommend the use of <span><strong class="command">nslookup</strong></span>.
-Use <span><strong class="command">dig</strong></span> instead.</p>
-</dd>
-</dl></div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="admin_tools"></a>Administrative Tools</h4></div></div></div>
-<p>Administrative tools play an integral part in the management
-of a server.</p>
-<div class="variablelist"><dl>
-<dt>
-<a name="named-checkconf"></a><span class="term"><span><strong class="command">named-checkconf</strong></span></span>
-</dt>
-<dd>
-<p>The <span><strong class="command">named-checkconf</strong></span> program
-              checks the syntax of a <code class="filename">named.conf</code> file.</p>
-<div class="cmdsynopsis"><p><code class="command">named-checkconf</code>  [-t <em class="replaceable"><code>directory</code></em>] [<em class="replaceable"><code>filename</code></em>]</p></div>
-</dd>
-<dt>
-<a name="named-checkzone"></a><span class="term"><span><strong class="command">named-checkzone</strong></span></span>
-</dt>
-<dd>
-<p>The <span><strong class="command">named-checkzone</strong></span> program checks a master file for
-              syntax and consistency.</p>
-<div class="cmdsynopsis"><p><code class="command">named-checkzone</code>  [-dq] [-c <em class="replaceable"><code>class</code></em>]  <em class="replaceable"><code>zone</code></em>  [<em class="replaceable"><code>filename</code></em>]</p></div>
-</dd>
-<dt>
-<a name="rndc"></a><span class="term"><span><strong class="command">rndc</strong></span></span>
-</dt>
-<dd>
-<p>The remote name daemon control
-              (<span><strong class="command">rndc</strong></span>) program allows the system
-              administrator to control the operation of a nameserver.
-              In <acronym class="acronym">BIND</acronym> 9.2, <span><strong class="command">rndc</strong></span>
-              supports all the commands of the BIND 8 <span><strong class="command">ndc</strong></span>
-              utility except <span><strong class="command">ndc start</strong></span> and
-              <span><strong class="command">ndc restart</strong></span>, which were also
-              not supported in <span><strong class="command">ndc</strong></span>'s channel mode.
-              If you run <span><strong class="command">rndc</strong></span> without any options
-              it will display a usage message as follows:</p>
-<div class="cmdsynopsis"><p><code class="command">rndc</code>  [-c <em class="replaceable"><code>config</code></em>] [-s <em class="replaceable"><code>server</code></em>] [-p <em class="replaceable"><code>port</code></em>] [-y <em class="replaceable"><code>key</code></em>]  <em class="replaceable"><code>command</code></em>  [<em class="replaceable"><code>command</code></em>...]</p></div>
-<p>The <span><strong class="command">command</strong></span> is one of the following:</p>
-<div class="variablelist"><dl>
-<dt><span class="term"><strong class="userinput"><code>reload</code></strong></span></dt>
-<dd><p>Reload configuration file and zones.</p></dd>
-<dt><span class="term"><strong class="userinput"><code>reload <em class="replaceable"><code>zone</code></em>
-       [<span class="optional"><em class="replaceable"><code>class</code></em>
-           [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
-<dd><p>Reload the given zone.</p></dd>
-<dt><span class="term"><strong class="userinput"><code>refresh <em class="replaceable"><code>zone</code></em>
-       [<span class="optional"><em class="replaceable"><code>class</code></em>
-           [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
-<dd><p>Schedule zone maintenance for the given zone.</p></dd>
-<dt><span class="term"><strong class="userinput"><code>reconfig</code></strong></span></dt>
-<dd><p>Reload the configuration file and load new zones,
+optional second argument specifies the host name or address of a name server.</P
+><P
+>Due to its arcane user interface and frequently inconsistent
+behavior, we do not recommend the use of <B
+CLASS="command"
+>nslookup</B
+>.
+Use <B
+CLASS="command"
+>dig</B
+> instead.</P
+></DD
+></DL
+></DIV
+></DIV
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="admin_tools"
+>3.3.1.2. Administrative Tools</A
+></H3
+><P
+>Administrative tools play an integral part in the management
+of a server.</P
+><P
+></P
+><DIV
+CLASS="variablelist"
+><DL
+><DT
+><A
+NAME="named-checkconf"
+><B
+CLASS="command"
+>named-checkconf</B
+></A
+></DT
+><DD
+><P
+>The <B
+CLASS="command"
+>named-checkconf</B
+> program
+              checks the syntax of a <TT
+CLASS="filename"
+>named.conf</TT
+> file.</P
+><P
+><B
+CLASS="command"
+>named-checkconf</B
+>  [-t <TT
+CLASS="replaceable"
+><I
+>directory</I
+></TT
+>] [<TT
+CLASS="replaceable"
+><I
+>filename</I
+></TT
+>]</P
+></DD
+><DT
+><A
+NAME="named-checkzone"
+><B
+CLASS="command"
+>named-checkzone</B
+></A
+></DT
+><DD
+><P
+>The <B
+CLASS="command"
+>named-checkzone</B
+> program checks a master file for
+              syntax and consistency.</P
+><P
+><B
+CLASS="command"
+>named-checkzone</B
+>  [-dq] [-c <TT
+CLASS="replaceable"
+><I
+>class</I
+></TT
+>]  <TT
+CLASS="replaceable"
+><I
+>zone</I
+></TT
+>  [<TT
+CLASS="replaceable"
+><I
+>filename</I
+></TT
+>]</P
+></DD
+><DT
+><A
+NAME="rndc"
+><B
+CLASS="command"
+>rndc</B
+></A
+></DT
+><DD
+><P
+>The remote name daemon control
+              (<B
+CLASS="command"
+>rndc</B
+>) program allows the system
+              administrator to control the operation of a name server.
+              If you run <B
+CLASS="command"
+>rndc</B
+> without any options
+              it will display a usage message as follows:</P
+><P
+><B
+CLASS="command"
+>rndc</B
+>  [-c <TT
+CLASS="replaceable"
+><I
+>config</I
+></TT
+>] [-s <TT
+CLASS="replaceable"
+><I
+>server</I
+></TT
+>] [-p <TT
+CLASS="replaceable"
+><I
+>port</I
+></TT
+>] [-y <TT
+CLASS="replaceable"
+><I
+>key</I
+></TT
+>]  <TT
+CLASS="replaceable"
+><I
+>command</I
+></TT
+>  [<TT
+CLASS="replaceable"
+><I
+>command</I
+></TT
+>...]</P
+><P
+><B
+CLASS="command"
+>command</B
+> is one of the following:</P
+><P
+></P
+><DIV
+CLASS="variablelist"
+><DL
+><DT
+><TT
+CLASS="userinput"
+><B
+>reload</B
+></TT
+></DT
+><DD
+><P
+>Reload configuration file and zones.</P
+></DD
+><DT
+><TT
+CLASS="userinput"
+><B
+>reload <TT
+CLASS="replaceable"
+><I
+>zone</I
+></TT
+>
+       [<SPAN
+CLASS="optional"
+><TT
+CLASS="replaceable"
+><I
+>class</I
+></TT
+>
+           [<SPAN
+CLASS="optional"
+><TT
+CLASS="replaceable"
+><I
+>view</I
+></TT
+></SPAN
+>]</SPAN
+>]</B
+></TT
+></DT
+><DD
+><P
+>Reload the given zone.</P
+></DD
+><DT
+><TT
+CLASS="userinput"
+><B
+>refresh <TT
+CLASS="replaceable"
+><I
+>zone</I
+></TT
+>
+       [<SPAN
+CLASS="optional"
+><TT
+CLASS="replaceable"
+><I
+>class</I
+></TT
+>
+           [<SPAN
+CLASS="optional"
+><TT
+CLASS="replaceable"
+><I
+>view</I
+></TT
+></SPAN
+>]</SPAN
+>]</B
+></TT
+></DT
+><DD
+><P
+>Schedule zone maintenance for the given zone.</P
+></DD
+><DT
+><TT
+CLASS="userinput"
+><B
+>retransfer <TT
+CLASS="replaceable"
+><I
+>zone</I
+></TT
+>
+       [<SPAN
+CLASS="optional"
+><TT
+CLASS="replaceable"
+><I
+>class</I
+></TT
+>
+           [<SPAN
+CLASS="optional"
+><TT
+CLASS="replaceable"
+><I
+>view</I
+></TT
+></SPAN
+>]</SPAN
+>]</B
+></TT
+></DT
+><DD
+><P
+>Retransfer the given zone from the master.</P
+></DD
+><DT
+><TT
+CLASS="userinput"
+><B
+>freeze <TT
+CLASS="replaceable"
+><I
+>zone</I
+></TT
+>
+       [<SPAN
+CLASS="optional"
+><TT
+CLASS="replaceable"
+><I
+>class</I
+></TT
+>
+           [<SPAN
+CLASS="optional"
+><TT
+CLASS="replaceable"
+><I
+>view</I
+></TT
+></SPAN
+>]</SPAN
+>]</B
+></TT
+></DT
+><DD
+><P
+>Suspend updates to a dynamic zone.  This allows manual
+    edits to be made to a zone normally updated by dynamic update.  It
+    also causes changes in the journal file to be synced into the master
+    and the journal file to be removed.  All dynamic update attempts will
+    be refused while the zone is frozen.</P
+></DD
+><DT
+><TT
+CLASS="userinput"
+><B
+>unfreeze <TT
+CLASS="replaceable"
+><I
+>zone</I
+></TT
+>
+       [<SPAN
+CLASS="optional"
+><TT
+CLASS="replaceable"
+><I
+>class</I
+></TT
+>
+           [<SPAN
+CLASS="optional"
+><TT
+CLASS="replaceable"
+><I
+>view</I
+></TT
+></SPAN
+>]</SPAN
+>]</B
+></TT
+></DT
+><DD
+><P
+>Enable updates to a frozen dynamic zone.  This causes
+    the server to reload the zone from disk, and re-enables dynamic updates
+    after the load has completed.  After a zone is unfrozen, dynamic updates
+    will no longer be refused.</P
+></DD
+><DT
+><TT
+CLASS="userinput"
+><B
+>reconfig</B
+></TT
+></DT
+><DD
+><P
+>Reload the configuration file and load new zones,
    but do not reload existing zone files even if they have changed.
-   This is faster than a full <span><strong class="command">reload</strong></span> when there
+   This is faster than a full <B
+CLASS="command"
+>reload</B
+> when there
    is a large number of zones because it avoids the need to examine the
    modification times of the zones files.
-   </p></dd>
-<dt><span class="term"><strong class="userinput"><code>stats</code></strong></span></dt>
-<dd><p>Write server statistics to the statistics file.</p></dd>
-<dt><span class="term"><strong class="userinput"><code>querylog</code></strong></span></dt>
-<dd><p>Toggle query logging. Query logging can also be enabled
-   by explicitly directing the <span><strong class="command">queries</strong></span>
-   <span><strong class="command">category</strong></span> to a <span><strong class="command">channel</strong></span> in the
-   <span><strong class="command">logging</strong></span> section of
-   <code class="filename">named.conf</code>.</p></dd>
-<dt><span class="term"><strong class="userinput"><code>dumpdb</code></strong></span></dt>
-<dd><p>Dump the server's caches to the dump file. </p></dd>
-<dt><span class="term"><strong class="userinput"><code>stop</code></strong></span></dt>
-<dd><p>Stop the server,
+   </P
+></DD
+><DT
+><TT
+CLASS="userinput"
+><B
+>stats</B
+></TT
+></DT
+><DD
+><P
+>Write server statistics to the statistics file.</P
+></DD
+><DT
+><TT
+CLASS="userinput"
+><B
+>querylog</B
+></TT
+></DT
+><DD
+><P
+>Toggle query logging. Query logging can also be enabled
+   by explicitly directing the <B
+CLASS="command"
+>queries</B
+>
+   <B
+CLASS="command"
+>category</B
+> to a <B
+CLASS="command"
+>channel</B
+> in the
+   <B
+CLASS="command"
+>logging</B
+> section of
+   <TT
+CLASS="filename"
+>named.conf</TT
+>.</P
+></DD
+><DT
+><TT
+CLASS="userinput"
+><B
+>dumpdb</B
+></TT
+></DT
+><DD
+><P
+>Dump the server's caches to the dump file. </P
+></DD
+><DT
+><TT
+CLASS="userinput"
+><B
+>stop</B
+></TT
+></DT
+><DD
+><P
+>Stop the server,
    making sure any recent changes
    made through dynamic update or IXFR are first saved to the master files
-   of the updated zones.</p></dd>
-<dt><span class="term"><strong class="userinput"><code>halt</code></strong></span></dt>
-<dd><p>Stop the server immediately.  Recent changes
+   of the updated zones.</P
+></DD
+><DT
+><TT
+CLASS="userinput"
+><B
+>halt</B
+></TT
+></DT
+><DD
+><P
+>Stop the server immediately.  Recent changes
    made through dynamic update or IXFR are not saved to the master files,
    but will be rolled forward from the journal files when the server
-   is restarted.</p></dd>
-<dt><span class="term"><strong class="userinput"><code>trace</code></strong></span></dt>
-<dd><p>Increment the servers debugging level by one. </p></dd>
-<dt><span class="term"><strong class="userinput"><code>trace <em class="replaceable"><code>level</code></em></code></strong></span></dt>
-<dd><p>Sets the server's debugging level to an explicit
-   value.</p></dd>
-<dt><span class="term"><strong class="userinput"><code>notrace</code></strong></span></dt>
-<dd><p>Sets the server's debugging level to 0.</p></dd>
-<dt><span class="term"><strong class="userinput"><code>flush</code></strong></span></dt>
-<dd><p>Flushes the server's cache.</p></dd>
-<dt><span class="term"><strong class="userinput"><code>status</code></strong></span></dt>
-<dd><p>Display status of the server.
-Note that the number of zones includes the internal <span><strong class="command">bind/CH</strong></span> zone
-and the default <span><strong class="command">./IN</strong></span> hint zone if there is not an
-explicit root zone configured.</p></dd>
-</dl></div>
-<p>In <acronym class="acronym">BIND</acronym> 9.2, <span><strong class="command">rndc</strong></span>
-supports all the commands of the BIND 8 <span><strong class="command">ndc</strong></span>
-utility except <span><strong class="command">ndc start</strong></span>, which was also
-not supported in <span><strong class="command">ndc</strong></span>'s channel mode.</p>
-<p>A configuration file is required, since all
+   is restarted.</P
+></DD
+><DT
+><TT
+CLASS="userinput"
+><B
+>trace</B
+></TT
+></DT
+><DD
+><P
+>Increment the servers debugging level by one. </P
+></DD
+><DT
+><TT
+CLASS="userinput"
+><B
+>trace <TT
+CLASS="replaceable"
+><I
+>level</I
+></TT
+></B
+></TT
+></DT
+><DD
+><P
+>Sets the server's debugging level to an explicit
+   value.</P
+></DD
+><DT
+><TT
+CLASS="userinput"
+><B
+>notrace</B
+></TT
+></DT
+><DD
+><P
+>Sets the server's debugging level to 0.</P
+></DD
+><DT
+><TT
+CLASS="userinput"
+><B
+>flush</B
+></TT
+></DT
+><DD
+><P
+>Flushes the server's cache.</P
+></DD
+><DT
+><TT
+CLASS="userinput"
+><B
+>status</B
+></TT
+></DT
+><DD
+><P
+>Display status of the server.
+Note the number of zones includes the internal <B
+CLASS="command"
+>bind/CH</B
+> zone
+and the default <B
+CLASS="command"
+>./IN</B
+> hint zone if there is not a
+explicit root zone configured.</P
+></DD
+></DL
+></DIV
+><P
+>In <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 9.2, <B
+CLASS="command"
+>rndc</B
+>
+supports all the commands of the BIND 8 <B
+CLASS="command"
+>ndc</B
+>
+utility except <B
+CLASS="command"
+>ndc start</B
+> and
+<B
+CLASS="command"
+>ndc restart</B
+>, which were also
+not supported in <B
+CLASS="command"
+>ndc</B
+>'s channel mode.</P
+><P
+>A configuration file is required, since all
 communication with the server is authenticated with
 digital signatures that rely on a shared secret, and
 there is no way to provide that secret other than with a
 configuration file.  The default location for the
-<span><strong class="command">rndc</strong></span> configuration file is
-<code class="filename">/etc/rndc.conf</code>, but an alternate
-location can be specified with the <code class="option">-c</code>
+<B
+CLASS="command"
+>rndc</B
+> configuration file is
+<TT
+CLASS="filename"
+>/etc/rndc.conf</TT
+>, but an alternate
+location can be specified with the <TT
+CLASS="option"
+>-c</TT
+>
 option.  If the configuration file is not found,
-<span><strong class="command">rndc</strong></span> will also look in
-<code class="filename">/etc/rndc.key</code> (or whatever
-<code class="varname">sysconfdir</code> was defined when
-the <acronym class="acronym">BIND</acronym> build was configured).
-The <code class="filename">rndc.key</code> file is generated by
-running <span><strong class="command">rndc-confgen -a</strong></span> as described in
-<a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and Usage">the section called &#8220;<span><strong class="command">controls</strong></span> Statement Definition and Usage&#8221;</a>.</p>
-<p>The format of the configuration file is similar to
-that of <code class="filename">named.conf</code>, but limited to
-only four statements, the <span><strong class="command">options</strong></span>,
-<span><strong class="command">key</strong></span>, <span><strong class="command">server</strong></span> and
-<span><strong class="command">include</strong></span>
+<B
+CLASS="command"
+>rndc</B
+> will also look in
+<TT
+CLASS="filename"
+>/etc/rndc.key</TT
+> (or whatever
+<TT
+CLASS="varname"
+>sysconfdir</TT
+> was defined when
+the <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> build was configured).
+The <TT
+CLASS="filename"
+>rndc.key</TT
+> file is generated by
+running <B
+CLASS="command"
+>rndc-confgen -a</B
+> as described in
+<A
+HREF="Bv9ARM.ch06.html#controls_statement_definition_and_usage"
+>Section 6.2.4</A
+>.</P
+><P
+>The format of the configuration file is similar to
+that of <TT
+CLASS="filename"
+>named.conf</TT
+>, but limited to
+only four statements, the <B
+CLASS="command"
+>options</B
+>,
+<B
+CLASS="command"
+>key</B
+>, <B
+CLASS="command"
+>server</B
+> and
+<B
+CLASS="command"
+>include</B
+>
 statements.  These statements are what associate the
 secret keys to the servers with which they are meant to
 be shared.  The order of statements is not
-significant.</p>
-<p>The <span><strong class="command">options</strong></span> statement has three clauses:
-<span><strong class="command">default-server</strong></span>, <span><strong class="command">default-key</strong></span>, 
-and <span><strong class="command">default-port</strong></span>.
-<span><strong class="command">default-server</strong></span> takes a
+significant.</P
+><P
+>The <B
+CLASS="command"
+>options</B
+> statement has three clauses:
+<B
+CLASS="command"
+>default-server</B
+>, <B
+CLASS="command"
+>default-key</B
+>, 
+and <B
+CLASS="command"
+>default-port</B
+>.
+<B
+CLASS="command"
+>default-server</B
+> takes a
 host name or address argument  and represents the server that will
-be contacted if no <code class="option">-s</code>
+be contacted if no <TT
+CLASS="option"
+>-s</TT
+>
 option is provided on the command line.  
-<span><strong class="command">default-key</strong></span> takes
-the name of key as its argument, as defined by a <span><strong class="command">key</strong></span> statement.
-<span><strong class="command">default-port</strong></span> specifies the port to which
-<span><strong class="command">rndc</strong></span> should connect if no
+<B
+CLASS="command"
+>default-key</B
+> takes
+the name of a key as its argument, as defined by a <B
+CLASS="command"
+>key</B
+> statement.
+<B
+CLASS="command"
+>default-port</B
+> specifies the port to which
+<B
+CLASS="command"
+>rndc</B
+> should connect if no
 port is given on the command line or in a
-<span><strong class="command">server</strong></span> statement.</p>
-<p>The <span><strong class="command">key</strong></span> statement names a key with its
-string argument. The string is required by the server to be a valid
+<B
+CLASS="command"
+>server</B
+> statement.</P
+><P
+>The <B
+CLASS="command"
+>key</B
+> statement defines an key to be used
+by <B
+CLASS="command"
+>rndc</B
+> when authenticating with
+<B
+CLASS="command"
+>named</B
+>.  Its syntax is identical to the
+<B
+CLASS="command"
+>key</B
+> statement in named.conf.
+The keyword <TT
+CLASS="userinput"
+><B
+>key</B
+></TT
+> is
+followed by a key name, which must be a valid
 domain name, though it need not actually be hierarchical; thus,
-a string like "<strong class="userinput"><code>rndc_key</code></strong>" is a valid name.
-The <span><strong class="command">key</strong></span> statement has two clauses:
-<span><strong class="command">algorithm</strong></span> and <span><strong class="command">secret</strong></span>.
+a string like "<TT
+CLASS="userinput"
+><B
+>rndc_key</B
+></TT
+>" is a valid name.
+The <B
+CLASS="command"
+>key</B
+> statement has two clauses:
+<B
+CLASS="command"
+>algorithm</B
+> and <B
+CLASS="command"
+>secret</B
+>.
 While the configuration parser will accept any string as the argument
-to algorithm, currently only the string "<strong class="userinput"><code>hmac-md5</code></strong>"
-has any meaning.  The secret is a base-64 encoded string.</p>
-<p>The <span><strong class="command">server</strong></span> statement uses the key clause
-to associate a <span><strong class="command">key</strong></span>-defined key with a server.
-The argument to the <span><strong class="command">server</strong></span> statement is a
-host name or address (addresses must be double quoted).  The argument
-to the key clause is the name of the key as defined by the <span><strong class="command">key</strong></span> statement.
-The <span><strong class="command">port</strong></span> clause can be used to 
-specify the port to which <span><strong class="command">rndc</strong></span> should connect
-on the given server.</p>
-<p>A sample minimal configuration file is as follows:</p>
-<pre class="programlisting">
-key rndc_key {
+to algorithm, currently only the string "<TT
+CLASS="userinput"
+><B
+>hmac-md5</B
+></TT
+>"
+has any meaning.  The secret is a base-64 encoded string.</P
+><P
+>The <B
+CLASS="command"
+>server</B
+> statement associates a key
+defined using the <B
+CLASS="command"
+>key</B
+> statement with a server.
+The keyword <TT
+CLASS="userinput"
+><B
+>server</B
+></TT
+> is followed by a
+host name or address.  The <B
+CLASS="command"
+>server</B
+> statement
+has two clauses: <B
+CLASS="command"
+>key</B
+> and <B
+CLASS="command"
+>port</B
+>.
+The <B
+CLASS="command"
+>key</B
+> clause specifies the name of the key
+to be used when communicating with this server, and the
+<B
+CLASS="command"
+>port</B
+> clause can be used to
+specify the port <B
+CLASS="command"
+>rndc</B
+> should connect
+to on the server.</P
+><P
+>A sample minimal configuration file is as follows:</P
+><PRE
+CLASS="programlisting"
+>&#13;key rndc_key {
      algorithm "hmac-md5";
      secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
 };
 options {
-     default-server localhost;
+     default-server 127.0.0.1;
      default-key    rndc_key;
 };
-</pre>
-<p>This file, if installed as <code class="filename">/etc/rndc.conf</code>,
-would allow the command:</p>
-<p><code class="prompt">$ </code><strong class="userinput"><code>rndc reload</code></strong></p>
-<p>to connect to 127.0.0.1 port 953 and cause the nameserver
-to reload, if a nameserver on the local machine were running with
-following controls statements:</p>
-<pre class="programlisting">
-controls {
+</PRE
+><P
+>This file, if installed as <TT
+CLASS="filename"
+>/etc/rndc.conf</TT
+>,
+would allow the command:</P
+><P
+><TT
+CLASS="prompt"
+>$ </TT
+><TT
+CLASS="userinput"
+><B
+>rndc reload</B
+></TT
+></P
+><P
+>to connect to 127.0.0.1 port 953 and cause the name server
+to reload, if a name server on the local machine were running with
+following controls statements:</P
+><PRE
+CLASS="programlisting"
+>&#13;controls {
         inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
 };
-</pre>
-<p>and it had an identical key statement for
-<code class="literal">rndc_key</code>.</p>
-<p>Running the <span><strong class="command">rndc-confgen</strong></span> program will
-conveniently create a <code class="filename">rndc.conf</code>
+</PRE
+><P
+>and it had an identical key statement for
+<TT
+CLASS="literal"
+>rndc_key</TT
+>.</P
+><P
+>Running the <B
+CLASS="command"
+>rndc-confgen</B
+> program will
+conveniently create a <TT
+CLASS="filename"
+>rndc.conf</TT
+>
 file for you, and also display the
-corresponding <span><strong class="command">controls</strong></span> statement that you need to
-add to <code class="filename">named.conf</code>.  Alternatively,
-you can run <span><strong class="command">rndc-confgen -a</strong></span> to set up
-a <code class="filename">rndc.key</code> file and not modify 
-<code class="filename">named.conf</code> at all.
-</p>
-</dd>
-</dl></div>
-</div>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2569165"></a>Signals</h3></div></div></div>
-<p>Certain UNIX signals cause the name server to take specific
+corresponding <B
+CLASS="command"
+>controls</B
+> statement that you need to
+add to <TT
+CLASS="filename"
+>named.conf</TT
+>.  Alternatively,
+you can run <B
+CLASS="command"
+>rndc-confgen -a</B
+> to set up
+a <TT
+CLASS="filename"
+>rndc.key</TT
+> file and not modify 
+<TT
+CLASS="filename"
+>named.conf</TT
+> at all.
+</P
+></DD
+></DL
+></DIV
+></DIV
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN679"
+>3.3.2. Signals</A
+></H2
+><P
+>Certain UNIX signals cause the name server to take specific
 actions, as described in the following table.  These signals can
-be sent using the <span><strong class="command">kill</strong></span> command.</p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td><p><span><strong class="command">SIGHUP</strong></span></p></td>
-<td><p>Causes the server to read <code class="filename">named.conf</code> and
-reload the database. </p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">SIGTERM</strong></span></p></td>
-<td><p>Causes the server to clean up and exit.</p></td>
-</tr>
-<tr>
-<td>
-<p><span><strong class="command">SIGINT</strong></span></p>
-</td>
-<td><p>Causes the server to clean up and exit.</p></td>
-</tr>
-</tbody>
-</table></div>
-</div>
-</div>
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="Bv9ARM.ch02.html">Prev</a> </td>
-<td width="20%" align="center"> </td>
-<td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch04.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">Chapter 2. <acronym class="acronym">BIND</acronym> Resource Requirements </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> Chapter 4. Advanced Concepts</td>
-</tr>
-</table>
-</div>
-</body>
-</html>
+be sent using the <B
+CLASS="command"
+>kill</B
+> command.</P
+><DIV
+CLASS="informaltable"
+><A
+NAME="AEN683"
+></A
+><P
+></P
+><TABLE
+CELLPADDING="3"
+BORDER="1"
+CLASS="CALSTABLE"
+><TBODY
+><TR
+><TD
+WIDTH="108"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><B
+CLASS="command"
+>SIGHUP</B
+></P
+></TD
+><TD
+WIDTH="384"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>Causes the server to read <TT
+CLASS="filename"
+>named.conf</TT
+> and
+reload the database. </P
+></TD
+></TR
+><TR
+><TD
+WIDTH="108"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><B
+CLASS="command"
+>SIGTERM</B
+></P
+></TD
+><TD
+WIDTH="384"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>Causes the server to clean up and exit.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="108"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+>&#13;<P
+><B
+CLASS="command"
+>SIGINT</B
+></P
+>
+</TD
+><TD
+WIDTH="384"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>Causes the server to clean up and exit.</P
+></TD
+></TR
+></TBODY
+></TABLE
+><P
+></P
+></DIV
+></DIV
+></DIV
+></DIV
+><DIV
+CLASS="NAVFOOTER"
+><HR
+ALIGN="LEFT"
+WIDTH="100%"><TABLE
+SUMMARY="Footer navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+><A
+HREF="Bv9ARM.ch02.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+><A
+HREF="Bv9ARM.html"
+ACCESSKEY="H"
+>Home</A
+></TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+><A
+HREF="Bv9ARM.ch04.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+><SPAN
+CLASS="acronym"
+>BIND</SPAN
+> Resource Requirements</TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+>&nbsp;</TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+>Advanced DNS Features</TD
+></TR
+></TABLE
+></DIV
+></BODY
+></HTML
+>
\ No newline at end of file
diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html
index 80ccaa2b..496c45b4 100644
--- a/doc/arm/Bv9ARM.ch04.html
+++ b/doc/arm/Bv9ARM.ch04.html
@@ -1,257 +1,624 @@
-<!--
- - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id: Bv9ARM.ch04.html,v 1.30.2.29 2007/05/08 02:29:19 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>Chapter 4. Advanced Concepts</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="prev" href="Bv9ARM.ch03.html" title="Chapter 3. Nameserver Configuration">
-<link rel="next" href="Bv9ARM.ch05.html" title="Chapter 5. The BIND 9 Lightweight Resolver">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center">Chapter 4. Advanced Concepts</th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="Bv9ARM.ch03.html">Prev</a> </td>
-<th width="60%" align="center"> </th>
-<td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch05.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="chapter" lang="en">
-<div class="titlepage"><div><div><h2 class="title">
-<a name="Bv9ARM.ch04"></a>Chapter 4. Advanced Concepts</h2></div></div></div>
-<div class="toc">
-<p><b>Table of Contents</b></p>
-<dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2569474">Split DNS</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2569491">Example split DNS setup</a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2569971">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570037">Copying the Shared Secret to Both Machines</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570045">Informing the Servers of the Key's Existence</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570085">Instructing the Server to Use the Key</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570137">TSIG Key Based Access Control</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570181">Errors</a></span></dt>
-</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570195">TKEY</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570312">SIG(0)</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570365">Generating Keys</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570434">Creating a Keyset</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570540">Signing the Child's Keyset</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570650">Signing the Zone</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570705">Configuring Servers</a></span></dt>
-</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570729">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570785">Address Lookups Using AAAA Records</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570798">Address to Name Lookups Using Nibble Format</a></span></dt>
-</dl></dd>
-</dl>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="dynamic_update"></a>Dynamic Update</h2></div></div></div>
-<p>Dynamic update is the term used for the ability under
-    certain specified conditions to add, modify or delete records or
-    RRsets in the master zone files. Dynamic update is fully described
-    in RFC 2136.</p>
-<p>Dynamic update is enabled on a zone-by-zone basis, by
-    including an <span><strong class="command">allow-update</strong></span> or
-    <span><strong class="command">update-policy</strong></span> clause in the
-    <span><strong class="command">zone</strong></span> statement.</p>
-<p>Updating of secure zones (zones using DNSSEC) follows
+<HTML
+><HEAD
+><TITLE
+>Advanced DNS Features</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.73
+"><LINK
+REL="HOME"
+TITLE="BIND 9 Administrator Reference Manual"
+HREF="Bv9ARM.html"><LINK
+REL="PREVIOUS"
+TITLE="Name Server Configuration"
+HREF="Bv9ARM.ch03.html"><LINK
+REL="NEXT"
+TITLE="The BIND 9 Lightweight Resolver"
+HREF="Bv9ARM.ch05.html"></HEAD
+><BODY
+CLASS="chapter"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><DIV
+CLASS="NAVHEADER"
+><TABLE
+SUMMARY="Header navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TH
+COLSPAN="3"
+ALIGN="center"
+>BIND 9 Administrator Reference Manual</TH
+></TR
+><TR
+><TD
+WIDTH="10%"
+ALIGN="left"
+VALIGN="bottom"
+><A
+HREF="Bv9ARM.ch03.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="80%"
+ALIGN="center"
+VALIGN="bottom"
+></TD
+><TD
+WIDTH="10%"
+ALIGN="right"
+VALIGN="bottom"
+><A
+HREF="Bv9ARM.ch05.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+></TABLE
+><HR
+ALIGN="LEFT"
+WIDTH="100%"></DIV
+><DIV
+CLASS="chapter"
+><H1
+><A
+NAME="ch04"
+>Chapter 4. Advanced DNS Features</A
+></H1
+><DIV
+CLASS="TOC"
+><DL
+><DT
+><B
+>Table of Contents</B
+></DT
+><DT
+>4.1. <A
+HREF="Bv9ARM.ch04.html#notify"
+>Notify</A
+></DT
+><DT
+>4.2. <A
+HREF="Bv9ARM.ch04.html#dynamic_update"
+>Dynamic Update</A
+></DT
+><DT
+>4.3. <A
+HREF="Bv9ARM.ch04.html#incremental_zone_transfers"
+>Incremental Zone Transfers (IXFR)</A
+></DT
+><DT
+>4.4. <A
+HREF="Bv9ARM.ch04.html#AEN757"
+>Split DNS</A
+></DT
+><DT
+>4.5. <A
+HREF="Bv9ARM.ch04.html#tsig"
+>TSIG</A
+></DT
+><DT
+>4.6. <A
+HREF="Bv9ARM.ch04.html#AEN917"
+>TKEY</A
+></DT
+><DT
+>4.7. <A
+HREF="Bv9ARM.ch04.html#AEN932"
+>SIG(0)</A
+></DT
+><DT
+>4.8. <A
+HREF="Bv9ARM.ch04.html#DNSSEC"
+>DNSSEC</A
+></DT
+><DT
+>4.9. <A
+HREF="Bv9ARM.ch04.html#AEN1019"
+>IPv6 Support in <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 9</A
+></DT
+></DL
+></DIV
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="notify"
+>4.1. Notify</A
+></H1
+><P
+><SPAN
+CLASS="acronym"
+>DNS</SPAN
+> NOTIFY is a mechanism that allows master
+servers to notify their slave servers of changes to a zone's data. In
+response to a <B
+CLASS="command"
+>NOTIFY</B
+> from a master server, the
+slave will check to see that its version of the zone is the
+current version and, if not, initiate a zone transfer.</P
+><P
+><SPAN
+CLASS="acronym"
+>DNS</SPAN
+>
+For more information about
+<B
+CLASS="command"
+>NOTIFY</B
+>, see the description of the
+<B
+CLASS="command"
+>notify</B
+> option in <A
+HREF="Bv9ARM.ch06.html#boolean_options"
+>Section 6.2.16.1</A
+> and
+the description of the zone option <B
+CLASS="command"
+>also-notify</B
+> in
+<A
+HREF="Bv9ARM.ch06.html#zone_transfers"
+>Section 6.2.16.7</A
+>.  The <B
+CLASS="command"
+>NOTIFY</B
+>
+protocol is specified in RFC 1996.
+</P
+></DIV
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="dynamic_update"
+>4.2. Dynamic Update</A
+></H1
+><P
+>Dynamic Update is a method for adding, replacing or deleting
+    records in a master server by sending it a special form of DNS
+    messages.  The format and meaning of these messages is specified
+    in RFC 2136.</P
+><P
+>Dynamic update is enabled on a zone-by-zone basis, by
+    including an <B
+CLASS="command"
+>allow-update</B
+> or
+    <B
+CLASS="command"
+>update-policy</B
+> clause in the
+    <B
+CLASS="command"
+>zone</B
+> statement.</P
+><P
+>Updating of secure zones (zones using DNSSEC) follows
     RFC 3007: SIG and NXT records affected by updates are automatically
     regenerated by the server using an online zone key.
     Update authorization is based
-    on transaction signatures and an explicit server policy.</p>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="journal"></a>The journal file</h3></div></div></div>
-<p>All changes made to a zone using dynamic update are stored in the
+    on transaction signatures and an explicit server policy.</P
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="journal"
+>4.2.1. The journal file</A
+></H2
+><P
+>All changes made to a zone using dynamic update are stored in the
     zone's journal file.  This file is automatically created by the
-    server when the first dynamic update takes place.  The name of
+    server when when the first dynamic update takes place.  The name of
     the journal file is formed by appending the
-    extension <code class="filename">.jnl</code> to the
+    extension <TT
+CLASS="filename"
+>.jnl</TT
+> to the
     name of the corresponding zone file.  The journal file is in a
-    binary format and should not be edited manually.</p>
-<p>The server will also occasionally write ("dump")
+    binary format and should not be edited manually.</P
+><P
+>The server will also occasionally write ("dump")
     the complete contents of the updated zone to its zone file.
     This is not done immediately after
     each dynamic update, because that would be too slow when a large
-    zone is updated frequently.  Instead, the dump is delayed by 15
-    minutes, allowing additional updates to take place.</p>
-<p>When a server is restarted after a shutdown or crash, it will replay
+    zone is updated frequently.  Instead, the dump is delayed by
+    up to 15 minutes, allowing additional updates to take place.</P
+><P
+>When a server is restarted after a shutdown or crash, it will replay
     the journal file to incorporate into the zone any updates that took
-    place after the last zone dump.</p>
-<p>Changes that result from incoming incremental zone transfers are also
-    journalled in a similar way.</p>
-<p>The zone files of dynamic zones cannot normally be edited by
+    place after the last zone dump.</P
+><P
+>Changes that result from incoming incremental zone transfers are also
+    journalled in a similar way.</P
+><P
+>The zone files of dynamic zones cannot normally be edited by
     hand because they are not guaranteed to contain the most recent
-    dynamic changes &#8212; those are only in the journal file.
+    dynamic changes - those are only in the journal file.
     The only way to ensure that the zone file of a dynamic zone
-    is up to date is to run <span><strong class="command">rndc stop</strong></span>.</p>
-<p>If you have to make changes to a dynamic zone
-    manually, the following procedure will work: Shut down
-    the server using <span><strong class="command">rndc stop</strong></span> (sending a signal
-    or using <span><strong class="command">rndc halt</strong></span> is <span class="emphasis"><em>not</em></span>
-    sufficient). Wait for the server to exit,
-    then <span class="emphasis"><em>remove</em></span> the zone's 
-    <code class="filename">.jnl</code> file, edit the zone file,
-    and restart the server.  Removing the <code class="filename">.jnl</code>
-    file is necessary because the manual edits will not be
-    present in the journal, rendering it inconsistent with the
-    contents of the zone file.</p>
-</div>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="incremental_zone_transfers"></a>Incremental Zone Transfers (IXFR)</h2></div></div></div>
-<p>The incremental zone transfer (IXFR) protocol is a way for
-    slave servers to transfer only changed data, instead of having to
-    transfer the entire zone. The IXFR protocol is documented in RFC
-    1995. See <a href="Bv9ARM.ch09.html#proposed_standards">Proposed Standards</a>.</p>
-<p>When acting as a master, <acronym class="acronym">BIND</acronym> 9 supports IXFR for those zones
+    is up to date is to run <B
+CLASS="command"
+>rndc stop</B
+>.</P
+><P
+>If you have to make changes to a dynamic zone
+    manually, the following procedure will work: Disable dynamic updates
+    to the zone using
+    <B
+CLASS="command"
+>rndc freeze <TT
+CLASS="replaceable"
+><I
+>zone</I
+></TT
+></B
+>.
+    This will also remove the zone's <TT
+CLASS="filename"
+>.jnl</TT
+> file
+    and update the master file.  Edit the zone file.  Run
+    <B
+CLASS="command"
+>rndc unfreeze <TT
+CLASS="replaceable"
+><I
+>zone</I
+></TT
+></B
+>
+    to reload the changed zone and re-enable dynamic updates.</P
+></DIV
+></DIV
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="incremental_zone_transfers"
+>4.3. Incremental Zone Transfers (IXFR)</A
+></H1
+><P
+>The incremental zone transfer (IXFR) protocol is a way for
+slave servers to transfer only changed data, instead of having to
+transfer the entire zone. The IXFR protocol is specified in RFC
+1995. See <A
+HREF="Bv9ARM.ch09.html#proposed_standards"
+>Proposed Standards</A
+>.</P
+><P
+>When acting as a master, <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 9
+supports IXFR for those zones
 where the necessary change history information is available. These
 include master zones maintained by dynamic update and slave zones
-whose data was obtained by IXFR, but not manually maintained master
-zones nor slave zones obtained by performing a full zone transfer
-(AXFR).</p>
-<p>When acting as a slave, <acronym class="acronym">BIND</acronym> 9 will attempt to use IXFR unless
+whose data was obtained by IXFR.  For manually maintained master
+zones, and for slave zones obtained by performing a full zone 
+transfer (AXFR), IXFR is supported only if the option
+<B
+CLASS="command"
+>ixfr-from-differences</B
+> is set
+to <TT
+CLASS="userinput"
+><B
+>yes</B
+></TT
+>.
+</P
+><P
+>When acting as a slave, <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 9 will 
+attempt to use IXFR unless
 it is explicitly disabled. For more information about disabling
-IXFR, see the description of the <span><strong class="command">request-ixfr</strong></span> clause
-of the <span><strong class="command">server</strong></span> statement.</p>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2569474"></a>Split DNS</h2></div></div></div>
-<p>Setting up different views, or visibility, of DNS space to
-internal and external resolvers is usually referred to as a <span class="emphasis"><em>Split
-DNS</em></span> setup. There are several reasons an organization
-would want to set up its DNS this way.</p>
-<p>One common reason for setting up a DNS system this way is
+IXFR, see the description of the <B
+CLASS="command"
+>request-ixfr</B
+> clause
+of the <B
+CLASS="command"
+>server</B
+> statement.</P
+></DIV
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="AEN757"
+>4.4. Split DNS</A
+></H1
+><P
+>Setting up different views, or visibility, of the DNS space to
+internal and external resolvers is usually referred to as a <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>Split
+DNS</I
+></SPAN
+> setup. There are several reasons an organization
+would want to set up its DNS this way.</P
+><P
+>One common reason for setting up a DNS system this way is
 to hide "internal" DNS information from "external" clients on the
 Internet. There is some debate as to whether or not this is actually useful.
 Internal DNS information leaks out in many ways (via email headers,
 for example) and most savvy "attackers" can find the information
-they need using other means.</p>
-<p>Another common reason for setting up a Split DNS system is
+they need using other means.</P
+><P
+>Another common reason for setting up a Split DNS system is
 to allow internal networks that are behind filters or in RFC 1918
 space (reserved IP space, as documented in RFC 1918) to resolve DNS
 on the Internet. Split DNS can also be used to allow mail from outside
-back in to the internal network.</p>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2569491"></a>Example split DNS setup</h3></div></div></div>
-<p>Let's say a company named <span class="emphasis"><em>Example, Inc.</em></span> (example.com)
+back in to the internal network.</P
+><P
+>Here is an example of a split DNS setup:</P
+><P
+>Let's say a company named <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>Example, Inc.</I
+></SPAN
+>
+(<TT
+CLASS="literal"
+>example.com</TT
+>)
 has several corporate sites that have an internal network with reserved
 Internet Protocol (IP) space and an external demilitarized zone (DMZ),
-or "outside" section of a network, that is available to the public.</p>
-<p><span class="emphasis"><em>Example, Inc.</em></span> wants its internal clients
+or "outside" section of a network, that is available to the public.</P
+><P
+><SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>Example, Inc.</I
+></SPAN
+> wants its internal clients
 to be able to resolve external hostnames and to exchange mail with
 people on the outside. The company also wants its internal resolvers
 to have access to certain internal-only zones that are not available
-at all outside of the internal network.</p>
-<p>In order to accomplish this, the company will set up two sets
-of nameservers. One set will be on the inside network (in the reserved
+at all outside of the internal network.</P
+><P
+>In order to accomplish this, the company will set up two sets
+of name servers. One set will be on the inside network (in the reserved
 IP space) and the other set will be on bastion hosts, which are "proxy"
-hosts that can talk to both sides of its network, in the DMZ.</p>
-<p>The internal servers will be configured to forward all queries,
-except queries for <code class="filename">site1.internal</code>, <code class="filename">site2.internal</code>, <code class="filename">site1.example.com</code>,
-and <code class="filename">site2.example.com</code>, to the servers in the
+hosts that can talk to both sides of its network, in the DMZ.</P
+><P
+>The internal servers will be configured to forward all queries,
+except queries for <TT
+CLASS="filename"
+>site1.internal</TT
+>, <TT
+CLASS="filename"
+>site2.internal</TT
+>, <TT
+CLASS="filename"
+>site1.example.com</TT
+>,
+and <TT
+CLASS="filename"
+>site2.example.com</TT
+>, to the servers in the
 DMZ. These internal servers will have complete sets of information
-for <code class="filename">site1.example.com</code>, <code class="filename">site2.example.com</code>,<span class="emphasis"><em> </em></span><code class="filename">site1.internal</code>,
-and <code class="filename">site2.internal</code>.</p>
-<p>To protect the <code class="filename">site1.internal</code> and <code class="filename">site2.internal</code> domains,
-the internal nameservers must be configured to disallow all queries
+for <TT
+CLASS="filename"
+>site1.example.com</TT
+>, <TT
+CLASS="filename"
+>site2.example.com</TT
+>,<SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+> </I
+></SPAN
+><TT
+CLASS="filename"
+>site1.internal</TT
+>,
+and <TT
+CLASS="filename"
+>site2.internal</TT
+>.</P
+><P
+>To protect the <TT
+CLASS="filename"
+>site1.internal</TT
+> and <TT
+CLASS="filename"
+>site2.internal</TT
+> domains,
+the internal name servers must be configured to disallow all queries
 to these domains from any external hosts, including the bastion
-hosts.</p>
-<p>The external servers, which are on the bastion hosts, will
-be configured to serve the "public" version of the <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones.
+hosts.</P
+><P
+>The external servers, which are on the bastion hosts, will
+be configured to serve the "public" version of the <TT
+CLASS="filename"
+>site1</TT
+> and <TT
+CLASS="filename"
+>site2.example.com</TT
+> zones.
 This could include things such as the host records for public servers
-(<code class="filename">www.example.com</code> and <code class="filename">ftp.example.com</code>),
-and mail exchange (MX)  records (<code class="filename">a.mx.example.com</code> and <code class="filename">b.mx.example.com</code>).</p>
-<p>In addition, the public <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones
+(<TT
+CLASS="filename"
+>www.example.com</TT
+> and <TT
+CLASS="filename"
+>ftp.example.com</TT
+>),
+and mail exchange (MX)  records (<TT
+CLASS="filename"
+>a.mx.example.com</TT
+> and <TT
+CLASS="filename"
+>b.mx.example.com</TT
+>).</P
+><P
+>In addition, the public <TT
+CLASS="filename"
+>site1</TT
+> and <TT
+CLASS="filename"
+>site2.example.com</TT
+> zones
 should have special MX records that contain wildcard (`*') records
 pointing to the bastion hosts. This is needed because external mail
 servers do not have any other way of looking up how to deliver mail
 to those internal hosts. With the wildcard records, the mail will
 be delivered to the bastion host, which can then forward it on to
-internal hosts.</p>
-<p>Here's an example of a wildcard MX record:</p>
-<pre class="programlisting">*   IN MX 10 external1.example.com.</pre>
-<p>Now that they accept mail on behalf of anything in the internal
+internal hosts.</P
+><P
+>Here's an example of a wildcard MX record:</P
+><PRE
+CLASS="programlisting"
+><TT
+CLASS="literal"
+>*   IN MX 10 external1.example.com.</TT
+></PRE
+><P
+>Now that they accept mail on behalf of anything in the internal
 network, the bastion hosts will need to know how to deliver mail
 to internal hosts. In order for this to work properly, the resolvers on
 the bastion hosts will need to be configured to point to the internal
-nameservers for DNS resolution.</p>
-<p>Queries for internal hostnames will be answered by the internal
+name servers for DNS resolution.</P
+><P
+>Queries for internal hostnames will be answered by the internal
 servers, and queries for external hostnames will be forwarded back
-out to the DNS servers on the bastion hosts.</p>
-<p>In order for all this to work properly, internal clients will
-need to be configured to query <span class="emphasis"><em>only</em></span> the internal
-nameservers for DNS queries. This could also be enforced via selective
-filtering on the network.</p>
-<p>If everything has been set properly, <span class="emphasis"><em>Example, Inc.</em></span>'s
-internal clients will now be able to:</p>
-<div class="itemizedlist"><ul type="disc">
-<li>Look up any hostnames in the <code class="literal">site1</code> and 
-<code class="literal">site2.example.com</code> zones.</li>
-<li>Look up any hostnames in the <code class="literal">site1.internal</code> and 
-<code class="literal">site2.internal</code> domains.</li>
-<li>Look up any hostnames on the Internet.</li>
-<li>Exchange mail with both internal AND external people.</li>
-</ul></div>
-<p>Hosts on the Internet will be able to:</p>
-<div class="itemizedlist"><ul type="disc">
-<li>Look up any hostnames in the <code class="literal">site1</code> and 
-<code class="literal">site2.example.com</code> zones.</li>
-<li>Exchange mail with anyone in the <code class="literal">site1</code> and 
-<code class="literal">site2.example.com</code> zones.</li>
-</ul></div>
-<p>Here is an example configuration for the setup we just
+out to the DNS servers on the bastion hosts.</P
+><P
+>In order for all this to work properly, internal clients will
+need to be configured to query <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>only</I
+></SPAN
+> the internal
+name servers for DNS queries. This could also be enforced via selective
+filtering on the network.</P
+><P
+>If everything has been set properly, <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>Example, Inc.</I
+></SPAN
+>'s
+internal clients will now be able to:</P
+><P
+></P
+><UL
+><LI
+><P
+>Look up any hostnames in the <TT
+CLASS="literal"
+>site1</TT
+> and 
+<TT
+CLASS="literal"
+>site2.example.com</TT
+> zones.</P
+></LI
+><LI
+><P
+>Look up any hostnames in the <TT
+CLASS="literal"
+>site1.internal</TT
+> and 
+<TT
+CLASS="literal"
+>site2.internal</TT
+> domains.</P
+></LI
+><LI
+><P
+>Look up any hostnames on the Internet.</P
+></LI
+><LI
+><P
+>Exchange mail with internal AND external people.</P
+></LI
+></UL
+><P
+>Hosts on the Internet will be able to:</P
+><P
+></P
+><UL
+><LI
+><P
+>Look up any hostnames in the <TT
+CLASS="literal"
+>site1</TT
+> and 
+<TT
+CLASS="literal"
+>site2.example.com</TT
+> zones.</P
+></LI
+><LI
+><P
+>Exchange mail with anyone in the <TT
+CLASS="literal"
+>site1</TT
+> and 
+<TT
+CLASS="literal"
+>site2.example.com</TT
+> zones.</P
+></LI
+></UL
+><P
+>Here is an example configuration for the setup we just
     described above. Note that this is only configuration information;
-    for information on how to configure your zone files, see <a href="Bv9ARM.ch03.html#sample_configuration" title="Sample Configurations">the section called &#8220;Sample Configurations&#8221;</a>.</p>
-<p>Internal DNS server config:</p>
-<pre class="programlisting">
-
+    for information on how to configure your zone files, see <A
+HREF="Bv9ARM.ch03.html#sample_configuration"
+>Section 3.1</A
+></P
+><P
+>Internal DNS server config:</P
+><PRE
+CLASS="programlisting"
+>&#13;
 acl internals { 172.16.72.0/24; 192.168.1.0/24; };
 
-acl externals { <code class="varname">bastion-ips-go-here</code>; };
+acl externals { <TT
+CLASS="varname"
+>bastion-ips-go-here</TT
+>; };
 
 options {
     ...
     ...
     forward only;
     forwarders {                                // forward to external servers
-        <code class="varname">bastion-ips-go-here</code>; 
+        <TT
+CLASS="varname"
+>bastion-ips-go-here</TT
+>; 
     };
     allow-transfer { none; };                   // sample allow-transfer (no one)
     allow-query { internals; externals; };      // restrict query access
@@ -269,7 +636,7 @@ zone "site1.example.com" {                      // sample master zone
   allow-transfer { internals; };
 };
 
-zone "site2.example.com" {
+zone "site2.example.com" {                      // sample slave zone
   type slave;
   file "s/site2.example.com";
   masters { 172.16.72.3; };
@@ -294,10 +661,12 @@ zone "site2.internal" {
   allow-query { internals };
   allow-transfer { internals; }
 };
-</pre>
-<p>External (bastion host) DNS server config:</p>
-<pre class="programlisting">
-acl internals { 172.16.72.0/24; 192.168.1.0/24; };
+</PRE
+><P
+>External (bastion host) DNS server config:</P
+><PRE
+CLASS="programlisting"
+>&#13;acl internals { 172.16.72.0/24; 192.168.1.0/24; };
 
 acl externals { bastion-ips-go-here; };
 
@@ -325,148 +694,369 @@ zone "site2.example.com" {
   allow-query { any; };
   allow-transfer { internals; externals; }
 };
-</pre>
-<p>In the <code class="filename">resolv.conf</code> (or equivalent) on
-the bastion host(s):</p>
-<pre class="programlisting">
-search ...
+</PRE
+><P
+>In the <TT
+CLASS="filename"
+>resolv.conf</TT
+> (or equivalent) on
+the bastion host(s):</P
+><PRE
+CLASS="programlisting"
+>&#13;search ...
 nameserver 172.16.72.2
 nameserver 172.16.72.3
 nameserver 172.16.72.4
-</pre>
-</div>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="tsig"></a>TSIG</h2></div></div></div>
-<p>This is a short guide to setting up Transaction SIGnatures
-(TSIG) based transaction security in <acronym class="acronym">BIND</acronym>. It describes changes
+</PRE
+></DIV
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="tsig"
+>4.5. TSIG</A
+></H1
+><P
+>This is a short guide to setting up Transaction SIGnatures
+(TSIG) based transaction security in <SPAN
+CLASS="acronym"
+>BIND</SPAN
+>. It describes changes
 to the configuration file as well as what changes are required for
 different features, including the process of creating transaction
-keys and using transaction signatures with <acronym class="acronym">BIND</acronym>.</p>
-<p><acronym class="acronym">BIND</acronym> primarily supports TSIG for server to server communication.
+keys and using transaction signatures with <SPAN
+CLASS="acronym"
+>BIND</SPAN
+>.</P
+><P
+><SPAN
+CLASS="acronym"
+>BIND</SPAN
+> primarily supports TSIG for server to server communication.
 This includes zone transfer, notify, and recursive query messages.
-Resolvers based on newer versions of <acronym class="acronym">BIND</acronym> 8 have limited support
-for TSIG.</p>
-<p>TSIG might be most useful for dynamic update. A primary
+Resolvers based on newer versions of <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 8 have limited support
+for TSIG.</P
+><P
+>TSIG might be most useful for dynamic update. A primary
     server for a dynamic zone should use access control to control
-    updates, but IP-based access control is insufficient. Key-based
-    access control is far superior, see <a href="Bv9ARM.ch09.html#proposed_standards">Proposed Standards</a>. The <span><strong class="command">nsupdate</strong></span>
-    program supports TSIG via the <code class="option">-k</code> and
-    <code class="option">-y</code> command line options.</p>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2569971"></a>Generate Shared Keys for Each Pair of Hosts</h3></div></div></div>
-<p>A shared secret is generated to be shared between <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span>.
+    updates, but IP-based access control is insufficient.
+    The cryptographic access control provided by TSIG
+    is far superior. The <B
+CLASS="command"
+>nsupdate</B
+>
+    program supports TSIG via the <TT
+CLASS="option"
+>-k</TT
+> and
+    <TT
+CLASS="option"
+>-y</TT
+> command line options.</P
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN848"
+>4.5.1. Generate Shared Keys for Each Pair of Hosts</A
+></H2
+><P
+>A shared secret is generated to be shared between <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>host1</I
+></SPAN
+> and <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>host2</I
+></SPAN
+>.
 An arbitrary key name is chosen: "host1-host2.". The key name must
-be the same on both hosts.</p>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2569987"></a>Automatic Generation</h4></div></div></div>
-<p>The following command will generate a 128-bit (16 byte) HMAC-MD5
+be the same on both hosts.</P
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="AEN853"
+>4.5.1.1. Automatic Generation</A
+></H3
+><P
+>The following command will generate a 128 bit (16 byte) HMAC-MD5
 key as described above. Longer keys are better, but shorter keys
 are easier to read. Note that the maximum key length is 512 bits;
-keys longer than that will be digested with MD5 to produce a
-128-bit key.</p>
-<p><strong class="userinput"><code>dnssec-keygen -a hmac-md5 -b 128 -n HOST host1-host2.</code></strong></p>
-<p>The key is in the file <code class="filename">Khost1-host2.+157+00000.private</code>.
+keys longer than that will be digested with MD5 to produce a 128
+bit key.</P
+><P
+><TT
+CLASS="userinput"
+><B
+>dnssec-keygen -a hmac-md5 -b 128 -n HOST host1-host2.</B
+></TT
+></P
+><P
+>The key is in the file <TT
+CLASS="filename"
+>Khost1-host2.+157+00000.private</TT
+>.
 Nothing directly uses this file, but the base-64 encoded string
-following "<code class="literal">Key:</code>"
-can be extracted from the file and used as a shared secret:</p>
-<pre class="programlisting">Key: La/E5CjG9O+os1jq0a2jdA==</pre>
-<p>The string "<code class="literal">La/E5CjG9O+os1jq0a2jdA==</code>" can
-be used as the shared secret.</p>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2570021"></a>Manual Generation</h4></div></div></div>
-<p>The shared secret is simply a random sequence of bits, encoded
+following "<TT
+CLASS="literal"
+>Key:</TT
+>"
+can be extracted from the file and used as a shared secret:</P
+><PRE
+CLASS="programlisting"
+>Key: La/E5CjG9O+os1jq0a2jdA==</PRE
+><P
+>The string "<TT
+CLASS="literal"
+>La/E5CjG9O+os1jq0a2jdA==</TT
+>" can
+be used as the shared secret.</P
+></DIV
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="AEN864"
+>4.5.1.2. Manual Generation</A
+></H3
+><P
+>The shared secret is simply a random sequence of bits, encoded
 in base-64. Most ASCII strings are valid base-64 strings (assuming
 the length is a multiple of 4 and only valid characters are used),
-so the shared secret can be manually generated.</p>
-<p>Also, a known string can be run through <span><strong class="command">mmencode</strong></span> or
-a similar program to generate base-64 encoded data.</p>
-</div>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2570037"></a>Copying the Shared Secret to Both Machines</h3></div></div></div>
-<p>This is beyond the scope of DNS. A secure transport mechanism
-should be used. This could be secure FTP, ssh, telephone, etc.</p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2570045"></a>Informing the Servers of the Key's Existence</h3></div></div></div>
-<p>Imagine <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host 2</em></span> are
-both servers. The following is added to each server's <code class="filename">named.conf</code> file:</p>
-<pre class="programlisting">
-key host1-host2. {
+so the shared secret can be manually generated.</P
+><P
+>Also, a known string can be run through <B
+CLASS="command"
+>mmencode</B
+> or
+a similar program to generate base-64 encoded data.</P
+></DIV
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN869"
+>4.5.2. Copying the Shared Secret to Both Machines</A
+></H2
+><P
+>This is beyond the scope of DNS. A secure transport mechanism
+should be used. This could be secure FTP, ssh, telephone, etc.</P
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN872"
+>4.5.3. Informing the Servers of the Key's Existence</A
+></H2
+><P
+>Imagine <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>host1</I
+></SPAN
+> and <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>host 2</I
+></SPAN
+> are
+both servers. The following is added to each server's <TT
+CLASS="filename"
+>named.conf</TT
+> file:</P
+><PRE
+CLASS="programlisting"
+>&#13;key host1-host2. {
   algorithm hmac-md5;
   secret "La/E5CjG9O+os1jq0a2jdA==";
 };
-</pre>
-<p>The algorithm, hmac-md5, is the only one supported by <acronym class="acronym">BIND</acronym>.
+</PRE
+><P
+>The algorithm, hmac-md5, is the only one supported by <SPAN
+CLASS="acronym"
+>BIND</SPAN
+>.
 The secret is the one generated above. Since this is a secret, it
-is recommended that either <code class="filename">named.conf</code> be non-world
+is recommended that either <TT
+CLASS="filename"
+>named.conf</TT
+> be non-world
 readable, or the key directive be added to a non-world readable
-file that is included by <code class="filename">named.conf</code>.</p>
-<p>At this point, the key is recognized. This means that if the
+file that is included by <TT
+CLASS="filename"
+>named.conf</TT
+>.</P
+><P
+>At this point, the key is recognized. This means that if the
 server receives a message signed by this key, it can verify the
-signature. If the signature succeeds, the response is signed by
-the same key.</p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2570085"></a>Instructing the Server to Use the Key</h3></div></div></div>
-<p>Since keys are shared between two hosts only, the server must
-be told when keys are to be used. The following is added to the <code class="filename">named.conf</code> file
-for <span class="emphasis"><em>host1</em></span>, if the IP address of <span class="emphasis"><em>host2</em></span> is
-10.1.2.3:</p>
-<pre class="programlisting">
-server 10.1.2.3 {
+signature. If the signature is successfully verified, the
+response is signed by the same key.</P
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN884"
+>4.5.4. Instructing the Server to Use the Key</A
+></H2
+><P
+>Since keys are shared between two hosts only, the server must
+be told when keys are to be used. The following is added to the <TT
+CLASS="filename"
+>named.conf</TT
+> file
+for <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>host1</I
+></SPAN
+>, if the IP address of <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>host2</I
+></SPAN
+> is
+10.1.2.3:</P
+><PRE
+CLASS="programlisting"
+>&#13;server 10.1.2.3 {
   keys { host1-host2. ;};
 };
-</pre>
-<p>Multiple keys may be present, but only the first is used.
+</PRE
+><P
+>Multiple keys may be present, but only the first is used.
 This directive does not contain any secrets, so it may be in a world-readable
-file.</p>
-<p>If <span class="emphasis"><em>host1</em></span> sends a message that is a request
-to that address, the message will be signed with the specified key. <span class="emphasis"><em>host1</em></span> will
+file.</P
+><P
+>If <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>host1</I
+></SPAN
+> sends a message that is a request
+to that address, the message will be signed with the specified key. <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>host1</I
+></SPAN
+> will
 expect any responses to signed messages to be signed with the same
-key.</p>
-<p>A similar statement must be present in <span class="emphasis"><em>host2</em></span>'s
-configuration file (with <span class="emphasis"><em>host1</em></span>'s address) for <span class="emphasis"><em>host2</em></span> to
-sign request messages to <span class="emphasis"><em>host1</em></span>.</p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2570137"></a>TSIG Key Based Access Control</h3></div></div></div>
-<p><acronym class="acronym">BIND</acronym> allows IP addresses and ranges to be specified in ACL
+key.</P
+><P
+>A similar statement must be present in <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>host2</I
+></SPAN
+>'s
+configuration file (with <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>host1</I
+></SPAN
+>'s address) for <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>host2</I
+></SPAN
+> to
+sign request messages to <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>host1</I
+></SPAN
+>.</P
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN900"
+>4.5.5. TSIG Key Based Access Control</A
+></H2
+><P
+><SPAN
+CLASS="acronym"
+>BIND</SPAN
+> allows IP addresses and ranges to be specified in ACL
 definitions and
-<span><strong class="command">allow-{ query | transfer | update }</strong></span> directives.
+<B
+CLASS="command"
+>allow-{ query | transfer | update }</B
+> directives.
 This has been extended to allow TSIG keys also. The above key would
-be denoted <span><strong class="command">key host1-host2.</strong></span></p>
-<p>An example of an allow-update directive would be:</p>
-<pre class="programlisting">
-allow-update { key host1-host2. ;};
-</pre>
-<p>This allows dynamic updates to succeed only if the request
+be denoted <B
+CLASS="command"
+>key host1-host2.</B
+></P
+><P
+>An example of an allow-update directive would be:</P
+><PRE
+CLASS="programlisting"
+>&#13;allow-update { key host1-host2. ;};
+</PRE
+><P
+>This allows dynamic updates to succeed only if the request
       was signed by a key named
-      "<span><strong class="command">host1-host2.</strong></span>".</p>
-<p>You may want to read about the more
-      powerful <span><strong class="command">update-policy</strong></span> statement in <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a>.</p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2570181"></a>Errors</h3></div></div></div>
-<p>The processing of TSIG signed messages can result in
-      several errors. If a signed message is sent to a non-TSIG
-      aware server, a FORMERR (format error) will be returned, since
-      the server will not understand the record. This is a result
-      of misconfiguration, since the server must be explicitly
-      configured to send a TSIG signed message to a specific
-      server.</p>
-<p>If a TSIG aware server receives a message signed by an
+      "<B
+CLASS="command"
+>host1-host2.</B
+>".</P
+><P
+>You may want to read about the more
+      powerful <B
+CLASS="command"
+>update-policy</B
+> statement in <A
+HREF="Bv9ARM.ch06.html#dynamic_update_policies"
+>Section 6.2.24.4</A
+>.</P
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN913"
+>4.5.6. Errors</A
+></H2
+><P
+>The processing of TSIG signed messages can result in
+      several errors. If a signed message is sent to a non-TSIG aware
+      server, a FORMERR will be returned, since the server will not
+      understand the record. This is a result of misconfiguration,
+      since the server must be explicitly configured to send a TSIG
+      signed message to a specific server.</P
+><P
+>If a TSIG aware server receives a message signed by an
       unknown key, the response will be unsigned with the TSIG
       extended error code set to BADKEY. If a TSIG aware server
       receives a message with a signature that does not validate, the
@@ -475,256 +1065,628 @@ allow-update { key host1-host2. ;};
       outside of the allowed range, the response will be signed with
       the TSIG extended error code set to BADTIME, and the time values
       will be adjusted so that the response can be successfully
-      verified. In any of these cases, the message's rcode (response code) is set to
-      NOTAUTH (not authenticated).</p>
-</div>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2570195"></a>TKEY</h2></div></div></div>
-<p><span><strong class="command">TKEY</strong></span> is a mechanism for automatically
+      verified. In any of these cases, the message's rcode is set to
+      NOTAUTH.</P
+></DIV
+></DIV
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="AEN917"
+>4.6. TKEY</A
+></H1
+><P
+><B
+CLASS="command"
+>TKEY</B
+> is a mechanism for automatically
     generating a shared secret between two hosts.  There are several
-    "modes" of <span><strong class="command">TKEY</strong></span> that specify how the key is
-    generated or assigned.  <acronym class="acronym">BIND</acronym> implements only one of these modes,
+    "modes" of <B
+CLASS="command"
+>TKEY</B
+> that specify how the key is
+    generated or assigned.  <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 9
+    implements only one of these modes,
     the Diffie-Hellman key exchange.  Both hosts are required to have
     a Diffie-Hellman KEY record (although this record is not required
-    to be present in a zone).  The <span><strong class="command">TKEY</strong></span> process
+    to be present in a zone).  The <B
+CLASS="command"
+>TKEY</B
+> process
     must use signed messages, signed either by TSIG or SIG(0).  The
-    result of <span><strong class="command">TKEY</strong></span> is a shared secret that can be
-    used to sign messages with TSIG.  <span><strong class="command">TKEY</strong></span> can also
+    result of <B
+CLASS="command"
+>TKEY</B
+> is a shared secret that can be
+    used to sign messages with TSIG.  <B
+CLASS="command"
+>TKEY</B
+> can also
     be used to delete shared secrets that it had previously
-    generated.</p>
-<p>The <span><strong class="command">TKEY</strong></span> process is initiated by a client
-    or server by sending a signed <span><strong class="command">TKEY</strong></span> query
+    generated.</P
+><P
+>The <B
+CLASS="command"
+>TKEY</B
+> process is initiated by a client
+    or server by sending a signed <B
+CLASS="command"
+>TKEY</B
+> query
     (including any appropriate KEYs) to a TKEY-aware server.  The
     server response, if it indicates success, will contain a
-    <span><strong class="command">TKEY</strong></span> record and any appropriate keys.  After
+    <B
+CLASS="command"
+>TKEY</B
+> record and any appropriate keys.  After
     this exchange, both participants have enough information to
     determine the shared secret; the exact process depends on the
-    <span><strong class="command">TKEY</strong></span> mode.  When using the Diffie-Hellman
-    <span><strong class="command">TKEY</strong></span> mode, Diffie-Hellman keys are exchanged,
-    and the shared secret is derived by both participants.</p>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2570312"></a>SIG(0)</h2></div></div></div>
-<p><acronym class="acronym">BIND</acronym> 9 partially supports DNSSEC SIG(0) transaction
-    signatures as specified in RFC 2535.  SIG(0) uses public/private
-    keys to authenticate messages.  Access control is performed in the
-    same manner as TSIG keys; privileges can be granted or denied
-    based on the key name.</p>
-<p>When a SIG(0) signed message is received, it will only be
+    <B
+CLASS="command"
+>TKEY</B
+> mode.  When using the Diffie-Hellman
+    <B
+CLASS="command"
+>TKEY</B
+> mode, Diffie-Hellman keys are exchanged,
+    and the shared secret is derived by both participants.</P
+></DIV
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="AEN932"
+>4.7. SIG(0)</A
+></H1
+><P
+><SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 9 partially supports DNSSEC SIG(0)
+    transaction signatures as specified in RFC 2535 and RFC2931.  SIG(0)
+    uses public/private keys to authenticate messages.  Access control
+    is performed in the same manner as TSIG keys; privileges can be
+    granted or denied based on the key name.</P
+><P
+>When a SIG(0) signed message is received, it will only be
     verified if the key is known and trusted by the server; the server
-    will not attempt to locate and / or validate the key.</p>
-<p>SIG(0) signing of multiple-message TCP streams is not
-    supported.</p>
-<p><acronym class="acronym">BIND</acronym> 9 does not ship with any tools that generate SIG(0)
-    signed messages.</p>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="DNSSEC"></a>DNSSEC</h2></div></div></div>
-<p>Cryptographic authentication of DNS information is possible
-    through the DNS Security (<span class="emphasis"><em>DNSSEC</em></span>) extensions,
+    will not attempt to locate and/or validate the key.</P
+><P
+>SIG(0) signing of multiple-message TCP streams is not
+    supported.</P
+><P
+>The only tool shipped with <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 9 that
+    generates SIG(0) signed messages is <B
+CLASS="command"
+>nsupdate</B
+>.</P
+></DIV
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="DNSSEC"
+>4.8. DNSSEC</A
+></H1
+><P
+>Cryptographic authentication of DNS information is possible
+    through the DNS Security (<SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>DNSSEC</I
+></SPAN
+>) extensions,
     defined in RFC 2535. This section describes the creation and use
-    of DNSSEC signed zones.</p>
-<p>In order to set up a DNSSEC secure zone, there are a series
-    of steps which must be followed.  <acronym class="acronym">BIND</acronym> 9 ships
+    of DNSSEC signed zones.</P
+><P
+>In order to set up a DNSSEC secure zone, there are a series
+    of steps which must be followed.  <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 9 ships
     with several tools
     that are used in this process, which are explained in more detail
-    below.  In all cases, the "<code class="option">-h</code>" option prints a
+    below.  In all cases, the <TT
+CLASS="option"
+>-h</TT
+> option prints a
     full list of parameters.  Note that the DNSSEC tools require the
-    keyset and signedkey files to be in the working directory, and
+    keyset and signedkey files to be in the working directory or the
+    directory specified by the <TT
+CLASS="option"
+>-h</TT
+> option, and
     that the tools shipped with BIND 9.0.x are not fully compatible
-    with the current ones.</p>
-<p>There must also be communication with the administrators of
+    with the current ones.</P
+><P
+>There must also be communication with the administrators of
     the parent and/or child zone to transmit keys and signatures.  A
     zone's security status must be indicated by the parent zone for a
-    DNSSEC capable resolver to trust its data.</p>
-<p>For other servers to trust data in this zone, they must
+    DNSSEC capable resolver to trust its data.</P
+><P
+>For other servers to trust data in this zone, they must
     either be statically configured with this zone's zone key or the
-    zone key of another zone above this one in the DNS tree.</p>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2570365"></a>Generating Keys</h3></div></div></div>
-<p>The <span><strong class="command">dnssec-keygen</strong></span> program is used to
-      generate keys.</p>
-<p>A secure zone must contain one or more zone keys.  The
+    zone key of another zone above this one in the DNS tree.</P
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN951"
+>4.8.1. Generating Keys</A
+></H2
+><P
+>The <B
+CLASS="command"
+>dnssec-keygen</B
+> program is used to
+      generate keys.</P
+><P
+>A secure zone must contain one or more zone keys.  The
       zone keys will sign all other records in the zone, as well as
       the zone keys of any secure delegated zones.  Zone keys must
       have the same name as the zone, a name type of
-      <span><strong class="command">ZONE</strong></span>, and must be usable for authentication.
+      <B
+CLASS="command"
+>ZONE</B
+>, and must be usable for authentication.
       It is recommended that zone keys use a cryptographic algorithm
       designated as "mandatory to implement" by the IETF; currently
-      these are RSASHA1 (which is not yet supported in BIND 9.2)
-      and DSA.</p>
-<p>The following command will generate a 768-bit DSA key for
-      the <code class="filename">child.example</code> zone:</p>
-<p><strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE child.example.</code></strong></p>
-<p>Two output files will be produced:
-      <code class="filename">Kchild.example.+003+12345.key</code> and
-      <code class="filename">Kchild.example.+003+12345.private</code> (where
-      12345 is an example of a key tag).  The key filenames contain
-      the key name (<code class="filename">child.example.</code>), algorithm (3
-      is DSA, 1 is RSA, etc.), and the key tag (12345 in this case).
-      The private key (in the <code class="filename">.private</code> file) is
+      these are RSASHA1 and DSA.</P
+><P
+>The following command will generate a 768 bit DSA key for
+      the <TT
+CLASS="filename"
+>child.example</TT
+> zone:</P
+><P
+><TT
+CLASS="userinput"
+><B
+>dnssec-keygen -a DSA -b 768 -n ZONE child.example.</B
+></TT
+></P
+><P
+>Two output files will be produced:
+      <TT
+CLASS="filename"
+>Kchild.example.+003+12345.key</TT
+> and
+      <TT
+CLASS="filename"
+>Kchild.example.+003+12345.private</TT
+> (where
+      12345 is an example of a key tag).  The key file names contain
+      the key name (<TT
+CLASS="filename"
+>child.example.</TT
+>), algorithm (3
+      is DSA, 1 is RSAMD5, 5 is RSASHA1, etc.), and the key tag (12345 in this case).
+      The private key (in the <TT
+CLASS="filename"
+>.private</TT
+> file) is
       used to generate signatures, and the public key (in the
-      <code class="filename">.key</code> file) is used for signature
-      verification.</p>
-<p>To generate another key with the same properties (but with
-      a different key tag), repeat the above command.</p>
-<p>The public keys should be inserted into the zone file with
-      <span><strong class="command">$INCLUDE</strong></span> statements, including the
-      <code class="filename">.key</code> files.</p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2570434"></a>Creating a Keyset</h3></div></div></div>
-<p>The <span><strong class="command">dnssec-makekeyset</strong></span> program is used
-      to create a key set from one or more keys.</p>
-<p>Once the zone keys have been generated, a key set must be
+      <TT
+CLASS="filename"
+>.key</TT
+> file) is used for signature
+      verification.</P
+><P
+>To generate another key with the same properties (but with
+      a different key tag), repeat the above command.</P
+><P
+>The public keys should be inserted into the zone file by
+      including the <TT
+CLASS="filename"
+>.key</TT
+> files using
+      <B
+CLASS="command"
+>$INCLUDE</B
+> statements.
+      </P
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN971"
+>4.8.2. Creating a Keyset</A
+></H2
+><P
+>The <B
+CLASS="command"
+>dnssec-makekeyset</B
+> program is used
+      to create a key set from one or more keys.</P
+><P
+>Once the zone keys have been generated, a key set must be
       built for transmission to the administrator of the parent zone,
       so that the parent zone can sign the keys with its own zone key
       and correctly indicate the security status of this zone.  When
       building a key set, the list of keys to be included and the TTL
       of the set must be specified, and the desired signature validity
-      period of the parent's signature may also be specified.</p>
-<p>The list of keys to be inserted into the key set may also
+      period of the parent's signature may also be specified.</P
+><P
+>The list of keys to be inserted into the key set may also
       included non-zone keys present at the top of the zone.
-      <span><strong class="command">dnssec-makekeyset</strong></span> may also be used at other
-      names in the zone.</p>
-<p>The following command generates a key set containing the
+      <B
+CLASS="command"
+>dnssec-makekeyset</B
+> may also be used at other
+      names in the zone.</P
+><P
+>The following command generates a key set containing the
       above key and another key similarly generated, with a TTL of
       3600 and a signature validity period of 10 days starting from
-      now.</p>
-<p><strong class="userinput"><code>dnssec-makekeyset -t 3600 -e +864000 Kchild.example.+003+12345 Kchild.example.+003+23456</code></strong></p>
-<p>One output file is produced:
-      <code class="filename">keyset-child.example.</code>.  This file should be
+      now.</P
+><P
+><TT
+CLASS="userinput"
+><B
+>dnssec-makekeyset -t 3600 -e +864000 Kchild.example.+003+12345 Kchild.example.+003+23456</B
+></TT
+></P
+><P
+>One output file is produced:
+      <TT
+CLASS="filename"
+>keyset-child.example.</TT
+>.  This file should be
       transmitted to the parent to be signed.  It includes the keys,
       as well as signatures over the key set generated by the zone
       keys themselves, which are used to prove ownership of the
-      private keys and encode the desired validity period.</p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2570540"></a>Signing the Child's Keyset</h3></div></div></div>
-<p>The <span><strong class="command">dnssec-signkey</strong></span> program is used to
-      sign one child's keyset.</p>
-<p>If the <code class="filename">child.example</code> zone has any
+      private keys and encode the desired validity period.</P
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN983"
+>4.8.3. Signing the Child's Keyset</A
+></H2
+><P
+>The <B
+CLASS="command"
+>dnssec-signkey</B
+> program is used to
+      sign one child's keyset.</P
+><P
+>If the <TT
+CLASS="filename"
+>child.example</TT
+> zone has any
       delegations which are secure, for example,
-      <code class="filename">grand.child.example</code>, the
-      <code class="filename">child.example</code> administrator should receive
+      <TT
+CLASS="filename"
+>grand.child.example</TT
+>, the
+      <TT
+CLASS="filename"
+>child.example</TT
+> administrator should receive
       keyset files for each secure subzone.  These keys must be signed
-      by this zone's zone keys.</p>
-<p>The following command signs the child's key set with the
-      zone keys:</p>
-<p><strong class="userinput"><code>dnssec-signkey keyset-grand.child.example. Kchild.example.+003+12345 Kchild.example.+003+23456</code></strong></p>
-<p>One output file is produced:
-      <code class="filename">signedkey-grand.child.example.</code>.  This file
+      by this zone's zone keys.</P
+><P
+>The following command signs the child's key set with the
+      zone keys:</P
+><P
+><TT
+CLASS="userinput"
+><B
+>dnssec-signkey keyset-grand.child.example. Kchild.example.+003+12345 Kchild.example.+003+23456</B
+></TT
+></P
+><P
+>One output file is produced:
+      <TT
+CLASS="filename"
+>signedkey-grand.child.example.</TT
+>.  This file
       should be both transmitted back to the child and retained.  It
       includes all keys (the child's keys) from the keyset file and
-      signatures generated by this zone's zone keys.</p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2570650"></a>Signing the Zone</h3></div></div></div>
-<p>The <span><strong class="command">dnssec-signzone</strong></span> program is used to
-      sign a zone.</p>
-<p>Any <code class="filename">signedkey</code> files corresponding to
+      signatures generated by this zone's zone keys.</P
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN996"
+>4.8.4. Signing the Zone</A
+></H2
+><P
+>The <B
+CLASS="command"
+>dnssec-signzone</B
+> program is used to
+      sign a zone.</P
+><P
+>Any <TT
+CLASS="filename"
+>signedkey</TT
+> files corresponding to
       secure subzones should be present, as well as a
-      <code class="filename">signedkey</code> file for this zone generated by
+      <TT
+CLASS="filename"
+>signedkey</TT
+> file for this zone generated by
       the parent (if there is one). The zone signer will generate
-      <code class="literal">NXT</code> and <code class="literal">SIG</code> records for
+      <TT
+CLASS="literal"
+>NXT</TT
+> and <TT
+CLASS="literal"
+>SIG</TT
+> records for
       the zone, as well as incorporate the zone key signature from the
       parent and indicate the security status at all delegation
-      points.</p>
-<p>The following command signs the zone, assuming it is in a
-      file called <code class="filename">zone.child.example</code>.  By
+      points.</P
+><P
+>The following command signs the zone, assuming it is in a
+      file called <TT
+CLASS="filename"
+>zone.child.example</TT
+>.  By
       default, all zone keys which have an available private key are
-      used to generate signatures.</p>
-<p><strong class="userinput"><code>dnssec-signzone -o child.example zone.child.example</code></strong></p>
-<p>One output file is produced:
-      <code class="filename">zone.child.example.signed</code>.  This file
-      should be referenced by <code class="filename">named.conf</code> as the
-      input file for the zone.</p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2570705"></a>Configuring Servers</h3></div></div></div>
-<p>Unlike in <acronym class="acronym">BIND</acronym> 8, 
-data is not verified on load in <acronym class="acronym">BIND</acronym> 9,
+      used to generate signatures.</P
+><P
+><TT
+CLASS="userinput"
+><B
+>dnssec-signzone -o child.example zone.child.example</B
+></TT
+></P
+><P
+>One output file is produced:
+      <TT
+CLASS="filename"
+>zone.child.example.signed</TT
+>.  This file
+      should be referenced by <TT
+CLASS="filename"
+>named.conf</TT
+> as the
+      input file for the zone.</P
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN1012"
+>4.8.5. Configuring Servers</A
+></H2
+><P
+>Unlike <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 8, 
+<SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 9 does not verify signatures on load,
 so zone keys for authoritative zones do not need to be specified
-in the configuration file.</p>
-<p>The public key for any security root must be present in
-the configuration file's <span><strong class="command">trusted-keys</strong></span>
-statement, as described later in this document. </p>
-</div>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2570729"></a>IPv6 Support in <acronym class="acronym">BIND</acronym> 9</h2></div></div></div>
-<p><acronym class="acronym">BIND</acronym> 9 fully supports all currently
-    defined forms of IPv6 name to address and address to name
-    lookups.  It will also use IPv6 addresses to make queries when
-    running on an IPv6 capable system.</p>
-<p>For forward lookups, <acronym class="acronym">BIND</acronym> 9 supports
-    both A6 and AAAA records.  The use of A6 records has been moved
-    to experimental (RFC 3363) and should be treated as deprecated.</p>
-<p>The use of "bitstring" labels for IPv6 has been moved to
-    experimental (RFC 3363) reverting to a nibble format.  The
-    suffix for the IPv6 reverse lookups has also changed from
-    <code class="literal">IP6.INT</code> to <code class="literal">IP6.ARPA</code> (RFC
-    3152).</p>
-<p><acronym class="acronym">BIND</acronym> 9 now defaults to nibble
-    <code class="literal">IP6.ARPA</code> format lookups.</p>
-<p><acronym class="acronym">BIND</acronym> 9 includes a new lightweight resolver library and
-    resolver daemon which new applications may choose to use to avoid
-    the complexities of A6 chain following and bitstring labels, see <a href="Bv9ARM.ch05.html" title="Chapter 5. The BIND 9 Lightweight Resolver">Chapter 5, <i>The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver</i></a>.</p>
-<p>For an overview of the format and structure of IPv6 addresses,
-    see <a href="Bv9ARM.ch09.html#ipv6addresses" title="IPv6 addresses (A6)">the section called &#8220;IPv6 addresses (A6)&#8221;</a>.</p>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2570785"></a>Address Lookups Using AAAA Records</h3></div></div></div>
-<p>The AAAA record is a parallel to the IPv4 A record.  It
+in the configuration file.</P
+><P
+>The public key for any security root must be present in
+the configuration file's <B
+CLASS="command"
+>trusted-keys</B
+>
+statement, as described later in this document. </P
+></DIV
+></DIV
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="AEN1019"
+>4.9. IPv6 Support in <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 9</A
+></H1
+><P
+><SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 9 fully supports all currently defined forms of IPv6
+    name to address and address to name lookups.  It will also use
+    IPv6 addresses to make queries when running on an IPv6 capable
+    system.</P
+><P
+>For forward lookups, <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 9 supports only AAAA
+    records.  The use of A6 records is deprecated by RFC 3363, and the
+    support for forward lookups in <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 9 is
+    removed accordingly.
+    However, authoritative <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 9 name servers still
+    load zone files containing A6 records correctly, answer queries
+    for A6 records, and accept zone transfer for a zone containing A6
+    records.</P
+><P
+>For IPv6 reverse lookups, <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 9 supports
+    the traditional "nibble" format used in the
+    <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>ip6.arpa</I
+></SPAN
+> domain, as well as the older, deprecated
+    <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>ip6.int</I
+></SPAN
+> domain.
+    <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 9 formerly
+    supported the "binary label" (also known as "bitstring") format.
+    The support of binary labels, however, is now completely removed
+    according to the changes in RFC 3363.
+    Any applications in <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 9 do not understand
+    the format any more, and will return an error if given.
+    In particular, an authoritative <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 9 name
+    server rejects to load a zone file containing binary labels.</P
+><P
+>For an overview of the format and structure of IPv6 addresses,
+    see <A
+HREF="Bv9ARM.ch09.html#ipv6addresses"
+>Section A.2.1</A
+>.</P
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN1037"
+>4.9.1. Address Lookups Using AAAA Records</A
+></H2
+><P
+>The AAAA record is a parallel to the IPv4 A record.  It
       specifies the entire address in a single record.  For
-      example,</p>
-<pre class="programlisting">
-$ORIGIN example.com.
-host            3600    IN      AAAA    2001:db8::1
-</pre>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2570798"></a>Address to Name Lookups Using Nibble Format</h3></div></div></div>
-<p>When looking up an address in nibble format, the address
+      example,</P
+><PRE
+CLASS="programlisting"
+>&#13;$ORIGIN example.com.
+host            3600    IN      AAAA    2001:4f8:201:1860:42::1
+</PRE
+><P
+>It is recommended that IPv4-in-IPv6 mapped addresses not
+        be used.  If a host has an IPv4 address, use an A record, not
+        a AAAA, with <TT
+CLASS="literal"
+>::ffff:192.168.42.1</TT
+> as the
+        address.</P
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN1043"
+>4.9.2. Address to Name Lookups Using Nibble Format</A
+></H2
+><P
+>When looking up an address in nibble format, the address
       components are simply reversed, just as in IPv4, and
-      <code class="literal">IP6.ARPA.</code> is appended to the resulting name.
+      <TT
+CLASS="literal"
+>ip6.arpa.</TT
+> is appended to the resulting name.
       For example, the following would provide reverse name lookup for
       a host with address
-      <code class="literal">2001:db8::1</code>.</p>
-<pre class="programlisting">
-$ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
-1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0   14400 IN      PTR     host.example.com.
-</pre>
-</div>
-</div>
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="Bv9ARM.ch03.html">Prev</a> </td>
-<td width="20%" align="center"> </td>
-<td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch05.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">Chapter 3. Nameserver Configuration </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> Chapter 5. The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver</td>
-</tr>
-</table>
-</div>
-</body>
-</html>
+      <TT
+CLASS="literal"
+>2001:4f8:201:1860:42::1</TT
+>.</P
+><PRE
+CLASS="programlisting"
+>&#13;$ORIGIN 0.6.8.1.1.0.2.0.8.f.4.0.1.0.0.2.ip6.arpa.
+1.0.0.0.0.0.0.0.0.0.0.0.2.4.0.0   14400 IN      PTR     host.example.com.
+</PRE
+></DIV
+></DIV
+></DIV
+><DIV
+CLASS="NAVFOOTER"
+><HR
+ALIGN="LEFT"
+WIDTH="100%"><TABLE
+SUMMARY="Footer navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+><A
+HREF="Bv9ARM.ch03.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+><A
+HREF="Bv9ARM.html"
+ACCESSKEY="H"
+>Home</A
+></TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+><A
+HREF="Bv9ARM.ch05.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+>Name Server Configuration</TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+>&nbsp;</TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+>The <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 9 Lightweight Resolver</TD
+></TR
+></TABLE
+></DIV
+></BODY
+></HTML
+>
\ No newline at end of file
diff --git a/doc/arm/Bv9ARM.ch05.html b/doc/arm/Bv9ARM.ch05.html
index 10d9a567..1153c053 100644
--- a/doc/arm/Bv9ARM.ch05.html
+++ b/doc/arm/Bv9ARM.ch05.html
@@ -1,117 +1,265 @@
-<!--
- - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id: Bv9ARM.ch05.html,v 1.24.2.22 2007/05/08 02:29:19 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>Chapter 5. The BIND 9 Lightweight Resolver</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="prev" href="Bv9ARM.ch04.html" title="Chapter 4. Advanced Concepts">
-<link rel="next" href="Bv9ARM.ch06.html" title="Chapter 6. BIND 9 Configuration Reference">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center">Chapter 5. The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver</th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="Bv9ARM.ch04.html">Prev</a> </td>
-<th width="60%" align="center"> </th>
-<td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch06.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="chapter" lang="en">
-<div class="titlepage"><div><div><h2 class="title">
-<a name="Bv9ARM.ch05"></a>Chapter 5. The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver</h2></div></div></div>
-<div class="toc">
-<p><b>Table of Contents</b></p>
-<dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2570830">The Lightweight Resolver Library</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch05.html#lwresd">Running a Resolver Daemon</a></span></dt>
-</dl>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2570830"></a>The Lightweight Resolver Library</h2></div></div></div>
-<p>Traditionally applications have been linked with a stub resolver
+<HTML
+><HEAD
+><TITLE
+>The BIND 9 Lightweight Resolver</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.73
+"><LINK
+REL="HOME"
+TITLE="BIND 9 Administrator Reference Manual"
+HREF="Bv9ARM.html"><LINK
+REL="PREVIOUS"
+TITLE="Advanced DNS Features"
+HREF="Bv9ARM.ch04.html"><LINK
+REL="NEXT"
+TITLE="BIND 9 Configuration Reference"
+HREF="Bv9ARM.ch06.html"></HEAD
+><BODY
+CLASS="chapter"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><DIV
+CLASS="NAVHEADER"
+><TABLE
+SUMMARY="Header navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TH
+COLSPAN="3"
+ALIGN="center"
+>BIND 9 Administrator Reference Manual</TH
+></TR
+><TR
+><TD
+WIDTH="10%"
+ALIGN="left"
+VALIGN="bottom"
+><A
+HREF="Bv9ARM.ch04.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="80%"
+ALIGN="center"
+VALIGN="bottom"
+></TD
+><TD
+WIDTH="10%"
+ALIGN="right"
+VALIGN="bottom"
+><A
+HREF="Bv9ARM.ch06.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+></TABLE
+><HR
+ALIGN="LEFT"
+WIDTH="100%"></DIV
+><DIV
+CLASS="chapter"
+><H1
+><A
+NAME="ch05"
+>Chapter 5. The <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 9 Lightweight Resolver</A
+></H1
+><DIV
+CLASS="TOC"
+><DL
+><DT
+><B
+>Table of Contents</B
+></DT
+><DT
+>5.1. <A
+HREF="Bv9ARM.ch05.html#AEN1052"
+>The Lightweight Resolver Library</A
+></DT
+><DT
+>5.2. <A
+HREF="Bv9ARM.ch05.html#lwresd"
+>Running a Resolver Daemon</A
+></DT
+></DL
+></DIV
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="AEN1052"
+>5.1. The Lightweight Resolver Library</A
+></H1
+><P
+>Traditionally applications have been linked with a stub resolver
 library that sends recursive DNS queries to a local caching name
-server.</p>
-<p>IPv6 introduces new complexity into the resolution process,
+server.</P
+><P
+>IPv6 once introduced new complexity into the resolution process,
 such as following A6 chains and DNAME records, and simultaneous
-lookup of IPv4 and IPv6 addresses.  These are hard or impossible
-to implement in a traditional stub resolver.</p>
-<p>Instead, <acronym class="acronym">BIND</acronym> 9 provides resolution services to local clients
+lookup of IPv4 and IPv6 addresses.  Though most of the complexity was
+then removed, these are hard or impossible
+to implement in a traditional stub resolver.</P
+><P
+>Instead, <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 9 provides resolution services to local clients
 using a combination of a lightweight resolver library and a resolver
 daemon process running on the local host.  These communicate using
 a simple UDP-based protocol, the "lightweight resolver protocol"
-that is distinct from and simpler than the full DNS protocol.</p>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="lwresd"></a>Running a Resolver Daemon</h2></div></div></div>
-<p>To use the lightweight resolver interface, the system must
-run the resolver daemon <span><strong class="command">lwresd</strong></span>.</p>
-<p>By default, applications using the light-weight resolver library will make
+that is distinct from and simpler than the full DNS protocol.</P
+></DIV
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="lwresd"
+>5.2. Running a Resolver Daemon</A
+></H1
+><P
+>To use the lightweight resolver interface, the system must
+run the resolver daemon <B
+CLASS="command"
+>lwresd</B
+> or a local
+name server configured with a <B
+CLASS="command"
+>lwres</B
+> statement.</P
+><P
+>By default, applications using the lightweight resolver library will make
 UDP requests to the IPv4 loopback address (127.0.0.1) on port 921.  The
-address can be overridden by <span><strong class="command">lwserver</strong></span> lines in
-<code class="filename">/etc/resolv.conf</code>.
-The daemon will try to find the answer to the questions "what are the
-addresses for host
-<code class="literal">foo.example.com</code>?" and "what are
-the names for IPv4 address 10.1.2.3?"</p>
-<p>The daemon currently only looks in the DNS, but in the future
-it may use other sources such as <code class="filename">/etc/hosts</code>,
-NIS, etc.</p>
-<p>The <span><strong class="command">lwresd</strong></span> daemon is essentially a
-caching-only name server that answers requests using the lightweight
+address can be overridden by <B
+CLASS="command"
+>lwserver</B
+> lines in
+<TT
+CLASS="filename"
+>/etc/resolv.conf</TT
+>.</P
+><P
+>The daemon currently only looks in the DNS, but in the future
+it may use other sources such as <TT
+CLASS="filename"
+>/etc/hosts</TT
+>,
+NIS, etc.</P
+><P
+>The <B
+CLASS="command"
+>lwresd</B
+> daemon is essentially a
+caching-only name server that responds to requests using the lightweight
 resolver protocol rather than the DNS protocol.  Because it needs
 to run on each host, it is designed to require no or minimal configuration.
 Unless configured otherwise, it uses the name servers listed on
-<span><strong class="command">nameserver</strong></span> lines in <code class="filename">/etc/resolv.conf</code>
+<B
+CLASS="command"
+>nameserver</B
+> lines in <TT
+CLASS="filename"
+>/etc/resolv.conf</TT
+>
 as forwarders, but is also capable of doing the resolution autonomously if
-none are specified.</p>
-<p>The <span><strong class="command">lwresd</strong></span> daemon may also be configured with a
-<code class="filename">named.conf</code> style configuration file, in
-<code class="filename">/etc/lwresd.conf</code> by default.  A name server may also
+none are specified.</P
+><P
+>The <B
+CLASS="command"
+>lwresd</B
+> daemon may also be configured with a
+<TT
+CLASS="filename"
+>named.conf</TT
+> style configuration file, in
+<TT
+CLASS="filename"
+>/etc/lwresd.conf</TT
+> by default.  A name server may also
 be configured to act as a lightweight resolver daemon using the
-<span><strong class="command">lwres</strong></span> statement in <code class="filename">named.conf</code>.</p>
-</div>
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="Bv9ARM.ch04.html">Prev</a> </td>
-<td width="20%" align="center"> </td>
-<td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch06.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">Chapter 4. Advanced Concepts </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> Chapter 6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference</td>
-</tr>
-</table>
-</div>
-</body>
-</html>
+<B
+CLASS="command"
+>lwres</B
+> statement in <TT
+CLASS="filename"
+>named.conf</TT
+>.</P
+></DIV
+></DIV
+><DIV
+CLASS="NAVFOOTER"
+><HR
+ALIGN="LEFT"
+WIDTH="100%"><TABLE
+SUMMARY="Footer navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+><A
+HREF="Bv9ARM.ch04.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+><A
+HREF="Bv9ARM.html"
+ACCESSKEY="H"
+>Home</A
+></TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+><A
+HREF="Bv9ARM.ch06.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+>Advanced DNS Features</TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+>&nbsp;</TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+><SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 9 Configuration Reference</TD
+></TR
+></TABLE
+></DIV
+></BODY
+></HTML
+>
\ No newline at end of file
diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index 7dc60fa1..1ce18a18 100644
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -1,801 +1,2617 @@
-<!--
- - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id: Bv9ARM.ch06.html,v 1.56.2.45 2007/05/16 06:57:45 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>Chapter 6. BIND 9 Configuration Reference</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="prev" href="Bv9ARM.ch05.html" title="Chapter 5. The BIND 9 Lightweight Resolver">
-<link rel="next" href="Bv9ARM.ch07.html" title="Chapter 7. BIND 9 Security Considerations">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center">Chapter 6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference</th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="Bv9ARM.ch05.html">Prev</a> </td>
-<th width="60%" align="center"> </th>
-<td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch07.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="chapter" lang="en">
-<div class="titlepage"><div><div><h2 class="title">
-<a name="Bv9ARM.ch06"></a>Chapter 6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference</h2></div></div></div>
-<div class="toc">
-<p><b>Table of Contents</b></p>
-<dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2571910">Comment Syntax</a></span></dt>
-</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2572280"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#acl"><span><strong class="command">acl</strong></span> Statement Definition and
-Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2572459"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2572988"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573003"><span><strong class="command">include</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573026"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573047"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573110"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573236"><span><strong class="command">logging</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574326"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574398"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574530"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575390"><span><strong class="command">options</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2579171"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2579219"><span><strong class="command">trusted-keys</strong></span> Statement Definition
-and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2579242"><span><strong class="command">view</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2579290"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span><strong class="command">zone</strong></span>
-Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2580473"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
-</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2581782">Zone File</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2583238">Discussion of MX Records</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2583872">Inverse Mapping in IPv4</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2584114">Other Zone File Directives</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2584282"><acronym class="acronym">BIND</acronym> Master File Extension: the  <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
-</dl></dd>
-</dl>
-</div>
-<p><acronym class="acronym">BIND</acronym> 9 configuration is broadly similar to <acronym class="acronym">BIND</acronym> 8.x; however,
-there are a few new areas of configuration, such as views. <acronym class="acronym">BIND</acronym>
-8.x configuration files should work with few alterations in <acronym class="acronym">BIND</acronym>
+<HTML
+><HEAD
+><TITLE
+>BIND 9 Configuration Reference</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.73
+"><LINK
+REL="HOME"
+TITLE="BIND 9 Administrator Reference Manual"
+HREF="Bv9ARM.html"><LINK
+REL="PREVIOUS"
+TITLE="The BIND 9 Lightweight Resolver"
+HREF="Bv9ARM.ch05.html"><LINK
+REL="NEXT"
+TITLE="BIND 9 Security Considerations"
+HREF="Bv9ARM.ch07.html"></HEAD
+><BODY
+CLASS="chapter"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><DIV
+CLASS="NAVHEADER"
+><TABLE
+SUMMARY="Header navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TH
+COLSPAN="3"
+ALIGN="center"
+>BIND 9 Administrator Reference Manual</TH
+></TR
+><TR
+><TD
+WIDTH="10%"
+ALIGN="left"
+VALIGN="bottom"
+><A
+HREF="Bv9ARM.ch05.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="80%"
+ALIGN="center"
+VALIGN="bottom"
+></TD
+><TD
+WIDTH="10%"
+ALIGN="right"
+VALIGN="bottom"
+><A
+HREF="Bv9ARM.ch07.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+></TABLE
+><HR
+ALIGN="LEFT"
+WIDTH="100%"></DIV
+><DIV
+CLASS="chapter"
+><H1
+><A
+NAME="ch06"
+>Chapter 6. <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 9 Configuration Reference</A
+></H1
+><DIV
+CLASS="TOC"
+><DL
+><DT
+><B
+>Table of Contents</B
+></DT
+><DT
+>6.1. <A
+HREF="Bv9ARM.ch06.html#configuration_file_elements"
+>Configuration File Elements</A
+></DT
+><DT
+>6.2. <A
+HREF="Bv9ARM.ch06.html#Configuration_File_Grammar"
+>Configuration File Grammar</A
+></DT
+><DT
+>6.3. <A
+HREF="Bv9ARM.ch06.html#AEN4008"
+>Zone File</A
+></DT
+></DL
+></DIV
+><P
+><SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 9 configuration is broadly similar
+to <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 8; however, there are a few new areas
+of configuration, such as views. <SPAN
+CLASS="acronym"
+>BIND</SPAN
+>
+8 configuration files should work with few alterations in <SPAN
+CLASS="acronym"
+>BIND</SPAN
+>
 9, although more complex configurations should be reviewed to check
 if they can be more efficiently implemented using the new features
-found in <acronym class="acronym">BIND</acronym> 9.</p>
-<p><acronym class="acronym">BIND</acronym> 4 configuration files can be converted to the new format
+found in <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 9.</P
+><P
+><SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 4 configuration files can be converted to the new format
 using the shell script
-<code class="filename">contrib/named-bootconf/named-bootconf.sh</code>.</p>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="configuration_file_elements"></a>Configuration File Elements</h2></div></div></div>
-<p>Following is a list of elements used throughout the <acronym class="acronym">BIND</acronym> configuration
-file documentation:</p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td><p><code class="varname">acl_name</code></p></td>
-<td><p>The name of an <code class="varname">address_match_list</code> as
-defined by the <span><strong class="command">acl</strong></span> statement.</p></td>
-</tr>
-<tr>
-<td><p><code class="varname">address_match_list</code></p></td>
-<td><p>A list of one or more <code class="varname">ip_addr</code>, <code class="varname">ip_prefix</code>, <code class="varname">key_id</code>, or <code class="varname">acl_name</code> elements, see
-<a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called &#8220;Address Match Lists&#8221;</a>.</p></td>
-</tr>
-<tr>
-<td><p><code class="varname">domain_name</code></p></td>
-<td><p>A quoted string which will be used as
-a DNS name, for example "<code class="literal">my.test.domain</code>".</p></td>
-</tr>
-<tr>
-<td><p><code class="varname">dotted_decimal</code></p></td>
-<td><p>One or more integers valued 0 through
-255 separated only by dots (`.'), such as <span><strong class="command">123</strong></span>, <span><strong class="command">45.67</strong></span> or <span><strong class="command">89.123.45.67</strong></span>.</p></td>
-</tr>
-<tr>
-<td><p><code class="varname">ip4_addr</code></p></td>
-<td><p>An IPv4 address with exactly four elements
-in <code class="varname">dotted_decimal</code> notation.</p></td>
-</tr>
-<tr>
-<td><p><code class="varname">ip6_addr</code></p></td>
-<td><p>An IPv6 address, such as <span><strong class="command">2001:db8::1234</strong></span>.</p></td>
-</tr>
-<tr>
-<td><p><code class="varname">ip_addr</code></p></td>
-<td><p>An <code class="varname">ip4_addr</code> or <code class="varname">ip6_addr</code>.</p></td>
-</tr>
-<tr>
-<td><p><code class="varname">ip_port</code></p></td>
-<td><p>An IP port <code class="varname">number</code>.
-The <code class="varname">number</code> is limited to 0 through 65535, with values
-below 1024 typically restricted to root-owned processes. In some
-cases, an asterisk (`*') character can be used as a placeholder to
-select a random high-numbered port.</p></td>
-</tr>
-<tr>
-<td><p><code class="varname">ip_prefix</code></p></td>
-<td><p>An IP network specified as an <code class="varname">ip_addr</code>,
+<TT
+CLASS="filename"
+>contrib/named-bootconf/named-bootconf.sh</TT
+>.</P
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="configuration_file_elements"
+>6.1. Configuration File Elements</A
+></H1
+><P
+>Following is a list of elements used throughout the <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> configuration
+file documentation:</P
+><DIV
+CLASS="informaltable"
+><A
+NAME="AEN1094"
+></A
+><P
+></P
+><TABLE
+CELLPADDING="3"
+BORDER="1"
+CLASS="CALSTABLE"
+><TBODY
+><TR
+><TD
+WIDTH="178"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="varname"
+>acl_name</TT
+></P
+></TD
+><TD
+WIDTH="362"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>The name of an <TT
+CLASS="varname"
+>address_match_list</TT
+> as
+defined by the <B
+CLASS="command"
+>acl</B
+> statement.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="178"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="varname"
+>address_match_list</TT
+></P
+></TD
+><TD
+WIDTH="362"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>A list of one or more <TT
+CLASS="varname"
+>ip_addr</TT
+>, 
+<TT
+CLASS="varname"
+>ip_prefix</TT
+>, <TT
+CLASS="varname"
+>key_id</TT
+>, 
+or <TT
+CLASS="varname"
+>acl_name</TT
+> elements, see
+<A
+HREF="Bv9ARM.ch06.html#address_match_lists"
+>Section 6.1.1</A
+>.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="178"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="varname"
+>domain_name</TT
+></P
+></TD
+><TD
+WIDTH="362"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>A quoted string which will be used as
+a DNS name, for example "<TT
+CLASS="literal"
+>my.test.domain</TT
+>".</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="178"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="varname"
+>dotted_decimal</TT
+></P
+></TD
+><TD
+WIDTH="362"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>One to four integers valued 0 through
+255 separated by dots (`.'), such as <B
+CLASS="command"
+>123</B
+>, 
+<B
+CLASS="command"
+>45.67</B
+> or <B
+CLASS="command"
+>89.123.45.67</B
+>.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="178"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="varname"
+>ip4_addr</TT
+></P
+></TD
+><TD
+WIDTH="362"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>An IPv4 address with exactly four elements
+in <TT
+CLASS="varname"
+>dotted_decimal</TT
+> notation.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="178"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="varname"
+>ip6_addr</TT
+></P
+></TD
+><TD
+WIDTH="362"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>An IPv6 address, such as <B
+CLASS="command"
+>2001:ffff::200:f8ff:fe01:9742</B
+>.
+IPv6 scoped addresses that have ambiguity on their scope zones must be
+disambiguated by an appropriate zone ID with the percent character
+(`%') as delimiter.
+It is strongly recommended to use string zone names rather than
+numeric identifiers, in order to be robust against system
+configuration changes.
+However, since there is no standard mapping for such names and
+identifier values, currently only interface names as link identifiers
+are supported, assuming one-to-one mapping between interfaces and links.
+For example, a link-local address <B
+CLASS="command"
+>fe80::1</B
+> on the
+link attached to the interface <B
+CLASS="command"
+>ne0</B
+>
+can be specified as <B
+CLASS="command"
+>fe80::1%ne0</B
+>.
+Note that on most systems link-local addresses always have the
+ambiguity, and need to be disambiguated.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="178"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="varname"
+>ip_addr</TT
+></P
+></TD
+><TD
+WIDTH="362"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>An <TT
+CLASS="varname"
+>ip4_addr</TT
+> or <TT
+CLASS="varname"
+>ip6_addr</TT
+>.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="178"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="varname"
+>ip_port</TT
+></P
+></TD
+><TD
+WIDTH="362"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>An IP port <TT
+CLASS="varname"
+>number</TT
+>.
+<TT
+CLASS="varname"
+>number</TT
+> is limited to 0 through 65535, with values
+below 1024 typically restricted to use by processes running as root.
+In some cases an asterisk (`*') character can be used as a placeholder to
+select a random high-numbered port.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="178"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="varname"
+>ip_prefix</TT
+></P
+></TD
+><TD
+WIDTH="362"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>An IP network specified as an <TT
+CLASS="varname"
+>ip_addr</TT
+>,
 followed by a slash (`/') and then the number of bits in the netmask.
-Trailing zeros in a <code class="varname">ip_addr</code> may omitted.
-For example, <span><strong class="command">127/8</strong></span> is the network <span><strong class="command">127.0.0.0</strong></span> with
-netmask <span><strong class="command">255.0.0.0</strong></span> and <span><strong class="command">1.2.3.0/28</strong></span> is
-network <span><strong class="command">1.2.3.0</strong></span> with netmask <span><strong class="command">255.255.255.240</strong></span>.</p></td>
-</tr>
-<tr>
-<td><p><code class="varname">key_id</code></p></td>
-<td><p>A <code class="varname">domain_name</code> representing
-the name of a shared key, to be used for transaction security.</p></td>
-</tr>
-<tr>
-<td><p><code class="varname">key_list</code></p></td>
-<td><p>A list of one or more <code class="varname">key_id</code>s,
-separated by semicolons and ending with a semicolon.</p></td>
-</tr>
-<tr>
-<td><p><code class="varname">number</code></p></td>
-<td><p>A non-negative 32-bit unsigned integer
+Trailing zeros in a <TT
+CLASS="varname"
+>ip_addr</TT
+> may omitted.
+For example, <B
+CLASS="command"
+>127/8</B
+> is the network <B
+CLASS="command"
+>127.0.0.0</B
+> with
+netmask <B
+CLASS="command"
+>255.0.0.0</B
+> and <B
+CLASS="command"
+>1.2.3.0/28</B
+> is
+network <B
+CLASS="command"
+>1.2.3.0</B
+> with netmask <B
+CLASS="command"
+>255.255.255.240</B
+>.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="178"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="varname"
+>key_id</TT
+></P
+></TD
+><TD
+WIDTH="362"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>A <TT
+CLASS="varname"
+>domain_name</TT
+> representing
+the name of a shared key, to be used for transaction security.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="178"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="varname"
+>key_list</TT
+></P
+></TD
+><TD
+WIDTH="362"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>A list of one or more <TT
+CLASS="varname"
+>key_id</TT
+>s,
+separated by semicolons and ending with a semicolon.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="178"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="varname"
+>number</TT
+></P
+></TD
+><TD
+WIDTH="362"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>A non-negative 32 bit integer
 (i.e., a number between 0 and 4294967295, inclusive).
 Its acceptable value might further
-be limited by the context in which it is used.</p></td>
-</tr>
-<tr>
-<td><p><code class="varname">path_name</code></p></td>
-<td><p>A quoted string which will be used as
-a pathname, such as <code class="filename">zones/master/my.test.domain</code>.</p></td>
-</tr>
-<tr>
-<td><p><code class="varname">size_spec</code></p></td>
-<td>
-<p>A number, the word <strong class="userinput"><code>unlimited</code></strong>,
-or the word <strong class="userinput"><code>default</code></strong>.</p>
-<p>
-An <code class="varname">unlimited</code> <code class="varname">size_spec</code> requests unlimited
-use, or the maximum available amount. A <code class="varname">default size_spec</code> uses
-the limit that was in force when the server was started.</p>
-<p>A <code class="varname">number</code> can
-optionally be followed by a scaling factor: <strong class="userinput"><code>K</code></strong> or <strong class="userinput"><code>k</code></strong> for
-kilobytes, <strong class="userinput"><code>M</code></strong> or <strong class="userinput"><code>m</code></strong> for
-megabytes, and <strong class="userinput"><code>G</code></strong> or <strong class="userinput"><code>g</code></strong> for gigabytes,
-which scale by 1024, 1024*1024, and 1024*1024*1024 respectively.</p>
-<p>The value must be representable as a 64-bit unsigned integer
+be limited by the context in which it is used.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="178"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="varname"
+>path_name</TT
+></P
+></TD
+><TD
+WIDTH="362"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>A quoted string which will be used as
+a pathname, such as <TT
+CLASS="filename"
+>zones/master/my.test.domain</TT
+>.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="178"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="varname"
+>size_spec</TT
+></P
+></TD
+><TD
+WIDTH="362"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>A number, the word <TT
+CLASS="userinput"
+><B
+>unlimited</B
+></TT
+>,
+or the word <TT
+CLASS="userinput"
+><B
+>default</B
+></TT
+>.</P
+><P
+>&#13;An <TT
+CLASS="varname"
+>unlimited</TT
+> <TT
+CLASS="varname"
+>size_spec</TT
+> requests unlimited
+use, or the maximum available amount. A <TT
+CLASS="varname"
+>default size_spec</TT
+> uses
+the limit that was in force when the server was started.</P
+><P
+>A <TT
+CLASS="varname"
+>number</TT
+> can
+optionally be followed by a scaling factor: <TT
+CLASS="userinput"
+><B
+>K</B
+></TT
+> or <TT
+CLASS="userinput"
+><B
+>k</B
+></TT
+> for
+kilobytes, <TT
+CLASS="userinput"
+><B
+>M</B
+></TT
+> or <TT
+CLASS="userinput"
+><B
+>m</B
+></TT
+> for
+megabytes, and <TT
+CLASS="userinput"
+><B
+>G</B
+></TT
+> or <TT
+CLASS="userinput"
+><B
+>g</B
+></TT
+> for gigabytes,
+which scale by 1024, 1024*1024, and 1024*1024*1024 respectively.</P
+>
+<P
+>The value must be representable as a 64-bit unsigned integer
 (0 to 18446744073709551615, inclusive).
- Using <code class="varname">unlimited</code> is the best way
-to safely set a really large number.</p>
-</td>
-</tr>
-<tr>
-<td><p><code class="varname">yes_or_no</code></p></td>
-<td><p>Either <strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>no</code></strong>.
-The words <strong class="userinput"><code>true</code></strong> and <strong class="userinput"><code>false</code></strong> are
-also accepted, as are the numbers <strong class="userinput"><code>1</code></strong> and <strong class="userinput"><code>0</code></strong>.</p></td>
-</tr>
-<tr>
-<td><p><code class="varname">dialup_option</code></p></td>
-<td><p>One of <strong class="userinput"><code>yes</code></strong>,
-<strong class="userinput"><code>no</code></strong>, <strong class="userinput"><code>notify</code></strong>,
-<strong class="userinput"><code>notify-passive</code></strong>, <strong class="userinput"><code>refresh</code></strong> or
-<strong class="userinput"><code>passive</code></strong>.
-When used in a zone, <strong class="userinput"><code>notify-passive</code></strong>,
-<strong class="userinput"><code>refresh</code></strong>, and <strong class="userinput"><code>passive</code></strong>
-are restricted to slave and stub zones.</p></td>
-</tr>
-</tbody>
-</table></div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="address_match_lists"></a>Address Match Lists</h3></div></div></div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2571796"></a>Syntax</h4></div></div></div>
-<pre class="programlisting"><code class="varname">address_match_list</code> = address_match_list_element ;
-  [<span class="optional"> address_match_list_element; ... </span>]
-<code class="varname">address_match_list_element</code> = [<span class="optional"> ! </span>] (ip_address [<span class="optional">/length</span>] |
+Using <TT
+CLASS="varname"
+>unlimited</TT
+> is the best way
+to safely set a really large number.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="178"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="varname"
+>yes_or_no</TT
+></P
+></TD
+><TD
+WIDTH="362"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>Either <TT
+CLASS="userinput"
+><B
+>yes</B
+></TT
+> or <TT
+CLASS="userinput"
+><B
+>no</B
+></TT
+>.
+The words <TT
+CLASS="userinput"
+><B
+>true</B
+></TT
+> and <TT
+CLASS="userinput"
+><B
+>false</B
+></TT
+> are
+also accepted, as are the numbers <TT
+CLASS="userinput"
+><B
+>1</B
+></TT
+> and <TT
+CLASS="userinput"
+><B
+>0</B
+></TT
+>.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="178"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="varname"
+>dialup_option</TT
+></P
+></TD
+><TD
+WIDTH="362"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>One of <TT
+CLASS="userinput"
+><B
+>yes</B
+></TT
+>,
+<TT
+CLASS="userinput"
+><B
+>no</B
+></TT
+>, <TT
+CLASS="userinput"
+><B
+>notify</B
+></TT
+>,
+<TT
+CLASS="userinput"
+><B
+>notify-passive</B
+></TT
+>, <TT
+CLASS="userinput"
+><B
+>refresh</B
+></TT
+> or
+<TT
+CLASS="userinput"
+><B
+>passive</B
+></TT
+>.
+When used in a zone, <TT
+CLASS="userinput"
+><B
+>notify-passive</B
+></TT
+>,
+<TT
+CLASS="userinput"
+><B
+>refresh</B
+></TT
+>, and <TT
+CLASS="userinput"
+><B
+>passive</B
+></TT
+>
+are restricted to slave and stub zones.</P
+></TD
+></TR
+></TBODY
+></TABLE
+><P
+></P
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="address_match_lists"
+>6.1.1. Address Match Lists</A
+></H2
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="AEN1259"
+>6.1.1.1. Syntax</A
+></H3
+><PRE
+CLASS="programlisting"
+><TT
+CLASS="varname"
+>address_match_list</TT
+> = address_match_list_element ;
+  [<SPAN
+CLASS="optional"
+> address_match_list_element; ... </SPAN
+>]
+<TT
+CLASS="varname"
+>address_match_list_element</TT
+> = [<SPAN
+CLASS="optional"
+> ! </SPAN
+>] (ip_address [<SPAN
+CLASS="optional"
+>/length</SPAN
+>] |
    key key_id | acl_name | { address_match_list } )
-</pre>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2571822"></a>Definition and Usage</h4></div></div></div>
-<p>Address match lists are primarily used to determine access
-control for various server operations. They are also used to define
-priorities for querying other nameservers and to set the addresses
-on which <span><strong class="command">named</strong></span> will listen for queries. The elements
-which constitute an address match list can be any of the following:</p>
-<div class="itemizedlist"><ul type="disc">
-<li>an IP address (IPv4 or IPv6)</li>
-<li>an IP prefix (in the `/'-notation)</li>
-<li>a key ID, as defined by the key statement</li>
-<li>the name of an address match list defined with
-the <span><strong class="command">acl</strong></span> statement</li>
-<li>a nested address match list enclosed in braces</li>
-</ul></div>
-<p>Elements can be negated with a leading exclamation mark (`!')
-and the match list names "any," "none," "localhost" and "localnets"
+</PRE
+></DIV
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="AEN1267"
+>6.1.1.2. Definition and Usage</A
+></H3
+><P
+>Address match lists are primarily used to determine access
+control for various server operations. They are also used in
+the <B
+CLASS="command"
+>listen-on</B
+> and <B
+CLASS="command"
+>sortlist</B
+>
+statements. The elements
+which constitute an address match list can be any of the following:</P
+><P
+></P
+><UL
+><LI
+><P
+>an IP address (IPv4 or IPv6)</P
+></LI
+><LI
+><P
+>an IP prefix (in `/' notation)</P
+></LI
+><LI
+><P
+>a key ID, as defined by the <B
+CLASS="command"
+>key</B
+> statement</P
+></LI
+><LI
+><P
+>the name of an address match list previously defined with
+the <B
+CLASS="command"
+>acl</B
+> statement</P
+></LI
+><LI
+><P
+>a nested address match list enclosed in braces</P
+></LI
+></UL
+><P
+>Elements can be negated with a leading exclamation mark (`!'),
+and the match list names "any", "none", "localhost", and "localnets"
 are predefined. More information on those names can be found in
-the description of the acl statement.</p>
-<p>The addition of the key clause made the name of this syntactic
+the description of the acl statement.</P
+><P
+>The addition of the key clause made the name of this syntactic
 element something of a misnomer, since security keys can be used
 to validate access without regard to a host or network address. Nonetheless,
-the term "address match list" is still used throughout the documentation.</p>
-<p>When a given IP address or prefix is compared to an address
+the term "address match list" is still used throughout the documentation.</P
+><P
+>When a given IP address or prefix is compared to an address
 match list, the list is traversed in order until an element matches.
 The interpretation of a match depends on whether the list is being used
-for access control, defining listen-on ports, or as a topology,
-and whether the element was negated.</p>
-<p>When used as an access control list, a non-negated match allows
+for access control, defining listen-on ports, or in a sortlist,
+and whether the element was negated.</P
+><P
+>When used as an access control list, a non-negated match allows
 access and a negated match denies access. If there is no match,
-access is denied. The clauses <span><strong class="command">allow-notify</strong></span>,
-<span><strong class="command">allow-query</strong></span>, <span><strong class="command">allow-transfer</strong></span>,
-<span><strong class="command">allow-update</strong></span> and <span><strong class="command">blackhole</strong></span> all
+access is denied. The clauses <B
+CLASS="command"
+>allow-notify</B
+>,
+<B
+CLASS="command"
+>allow-query</B
+>, <B
+CLASS="command"
+>allow-transfer</B
+>,
+<B
+CLASS="command"
+>allow-update</B
+>, <B
+CLASS="command"
+>allow-update-forwarding</B
+>,
+and <B
+CLASS="command"
+>blackhole</B
+> all
 use address match lists  this. Similarly, the listen-on option will cause
 the server to not accept queries on any of the machine's addresses
-which do not match the list.</p>
-<p>When used with the topology clause, a non-negated match returns
-a distance based on its position on the list (the closer the match
-is to the start of the list, the shorter the distance is between
-it and the server). A negated match will be assigned the maximum
-distance from the server. If there is no match, the address will
-get a distance which is further than any non-negated list element,
-and closer than any negated element.</p>
-<p>Because of the first-match aspect of the algorithm, an element
+which do not match the list.</P
+><P
+>Because of the first-match aspect of the algorithm, an element
 that defines a subset of another element in the list should come
 before the broader element, regardless of whether either is negated. For
 example, in
-<span><strong class="command">1.2.3/24; ! 1.2.3.13;</strong></span> the 1.2.3.13 element is
+<B
+CLASS="command"
+>1.2.3/24; ! 1.2.3.13;</B
+> the 1.2.3.13 element is
 completely useless because the algorithm will match any lookup for
-1.2.3.13 to the 1.2.3/24 element. Using <span><strong class="command">! 1.2.3.13; 1.2.3/24</strong></span> fixes
+1.2.3.13 to the 1.2.3/24 element.
+Using <B
+CLASS="command"
+>! 1.2.3.13; 1.2.3/24</B
+> fixes
 that problem by having 1.2.3.13 blocked by the negation but all
-other 1.2.3.* hosts fall through.</p>
-</div>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2571910"></a>Comment Syntax</h3></div></div></div>
-<p>The <acronym class="acronym">BIND</acronym> 9 comment syntax allows for comments to appear
-      anywhere that whitespace may appear in a <acronym class="acronym">BIND</acronym> configuration
-      file. To appeal to programmers of all kinds, they can be written
-      in C, C++, or shell/perl constructs.</p>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2571925"></a>Syntax</h4></div></div></div>
-<pre class="programlisting">/* This is a <acronym class="acronym">BIND</acronym> comment as in C */</pre>
-<p>
-</p>
-<pre class="programlisting">// This is a <acronym class="acronym">BIND</acronym> comment as in C++</pre>
-<p>
-</p>
-<pre class="programlisting"># This is a <acronym class="acronym">BIND</acronym> comment as in common UNIX shells and perl</pre>
-<p>
-      </p>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2571954"></a>Definition and Usage</h4></div></div></div>
-<p>Comments may appear anywhere that whitespace may appear in
-a <acronym class="acronym">BIND</acronym> configuration file.</p>
-<p>C-style comments start with the two characters /* (slash,
+other 1.2.3.* hosts fall through.</P
+></DIV
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN1298"
+>6.1.2. Comment Syntax</A
+></H2
+><P
+>The <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 9 comment syntax allows for comments to appear
+anywhere that white space may appear in a <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> configuration
+file. To appeal to programmers of all kinds, they can be written
+in the C, C++, or shell/perl style.</P
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="AEN1303"
+>6.1.2.1. Syntax</A
+></H3
+><P
+><PRE
+CLASS="programlisting"
+>/* This is a <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> comment as in C */</PRE
+>
+<PRE
+CLASS="programlisting"
+>// This is a <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> comment as in C++</PRE
+>
+<PRE
+CLASS="programlisting"
+># This is a <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> comment as in common UNIX shells and perl</PRE
+>
+      </P
+></DIV
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="AEN1312"
+>6.1.2.2. Definition and Usage</A
+></H3
+><P
+>Comments may appear anywhere that whitespace may appear in
+a <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> configuration file.</P
+><P
+>C-style comments start with the two characters /* (slash,
 star) and end with */ (star, slash). Because they are completely
 delimited with these characters, they can be used to comment only
-a portion of a line or to span multiple lines.</p>
-<p>C-style comments cannot be nested. For example, the following
-is not valid because the entire comment ends with the first */:</p>
-<pre class="programlisting">/* This is the start of a comment.
+a portion of a line or to span multiple lines.</P
+><P
+>C-style comments cannot be nested. For example, the following
+is not valid because the entire comment ends with the first */:</P
+><P
+><PRE
+CLASS="programlisting"
+>/* This is the start of a comment.
    This is still part of the comment.
 /* This is an incorrect attempt at nesting a comment. */
    This is no longer in any comment. */
-</pre>
-<p>C++-style comments start with the two characters // (slash,
+</PRE
+></P
+><P
+>C++-style comments start with the two characters // (slash,
 slash) and continue to the end of the physical line. They cannot
 be continued across multiple physical lines; to have one logical
-comment span multiple lines, each line must use the // pair.</p>
-<p>For example:</p>
-<pre class="programlisting">// This is the start of a comment.  The next line
+comment span multiple lines, each line must use the // pair.</P
+><P
+>For example:</P
+><P
+><PRE
+CLASS="programlisting"
+>// This is the start of a comment.  The next line
 // is a new comment, even though it is logically
 // part of the previous comment.
-</pre>
-<p>Shell-style (or perl-style, if you prefer) comments start
-with the character <code class="literal">#</code> (number sign) and continue to the end of the
-physical line, as in C++ comments.</p>
-<p>For example:</p>
-<pre class="programlisting"># This is the start of a comment.  The next line
+</PRE
+></P
+><P
+>Shell-style (or perl-style, if you prefer) comments start
+with the character <TT
+CLASS="literal"
+>#</TT
+> (number sign) and continue to the end of the
+physical line, as in C++ comments.</P
+><P
+>For example:</P
+><P
+><PRE
+CLASS="programlisting"
+># This is the start of a comment.  The next line
 # is a new comment, even though it is logically
 # part of the previous comment.
-</pre>
-<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Warning</h3>
-<p>WARNING: you cannot use the semicolon (`;') character
-          to start a comment such as you would in a zone file. The
-          semicolon indicates the end of a configuration
-          statement.</p>
-</div>
-</div>
-</div>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="Configuration_File_Grammar"></a>Configuration File Grammar</h2></div></div></div>
-<p>A <acronym class="acronym">BIND</acronym> 9 configuration consists of statements and comments.
+</PRE
+>
+</P
+><DIV
+CLASS="warning"
+><P
+></P
+><TABLE
+CLASS="warning"
+BORDER="1"
+WIDTH="100%"
+><TR
+><TD
+ALIGN="CENTER"
+><B
+>Warning</B
+></TD
+></TR
+><TR
+><TD
+ALIGN="LEFT"
+><P
+>You cannot use the semicolon (`;') character
+   to start a comment such as you would in a zone file. The
+   semicolon indicates the end of a configuration
+   statement.</P
+></TD
+></TR
+></TABLE
+></DIV
+></DIV
+></DIV
+></DIV
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="Configuration_File_Grammar"
+>6.2. Configuration File Grammar</A
+></H1
+><P
+>A <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 9 configuration consists of statements and comments.
     Statements end with a semicolon. Statements and comments are the
     only elements that can appear without enclosing braces. Many
-    statements contain a block of substatements, which are also
-    terminated with a semicolon.</p>
-<p>The following statements are supported:</p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td><p><span><strong class="command">acl</strong></span></p></td>
-<td><p>defines a named IP address
-matching list, for access control and other uses.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">controls</strong></span></p></td>
-<td><p>declares control channels to be used
-by the <span><strong class="command">rndc</strong></span> utility.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">include</strong></span></p></td>
-<td><p>includes a file.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">key</strong></span></p></td>
-<td><p>specifies key information for use in
-authentication and authorization using TSIG.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">logging</strong></span></p></td>
-<td><p>specifies what the server logs, and where
-the log messages are sent.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">options</strong></span></p></td>
-<td><p>controls global server configuration
-options and sets defaults for other statements.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">server</strong></span></p></td>
-<td><p>sets certain configuration options on
-a per-server basis.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">trusted-keys</strong></span></p></td>
-<td><p>defines trusted DNSSEC keys.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">view</strong></span></p></td>
-<td><p>defines a view.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">zone</strong></span></p></td>
-<td><p>defines a zone.</p></td>
-</tr>
-</tbody>
-</table></div>
-<p>The <span><strong class="command">logging</strong></span> and
-    <span><strong class="command">options</strong></span> statements may only occur once per
-    configuration.</p>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2572280"></a><span><strong class="command">acl</strong></span> Statement Grammar</h3></div></div></div>
-<pre class="programlisting"><span><strong class="command">acl</strong></span> acl-name { 
+    statements contain a block of sub-statements, which are also
+    terminated with a semicolon.</P
+><P
+>The following statements are supported:</P
+><DIV
+CLASS="informaltable"
+><A
+NAME="AEN1336"
+></A
+><P
+></P
+><TABLE
+CELLPADDING="3"
+BORDER="1"
+CLASS="CALSTABLE"
+><TBODY
+><TR
+><TD
+WIDTH="128"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><B
+CLASS="command"
+>acl</B
+></P
+></TD
+><TD
+WIDTH="363"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>defines a named IP address
+matching list, for access control and other uses.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="128"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><B
+CLASS="command"
+>controls</B
+></P
+></TD
+><TD
+WIDTH="363"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>declares control channels to be used
+by the <B
+CLASS="command"
+>rndc</B
+> utility.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="128"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><B
+CLASS="command"
+>include</B
+></P
+></TD
+><TD
+WIDTH="363"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>includes a file.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="128"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><B
+CLASS="command"
+>key</B
+></P
+></TD
+><TD
+WIDTH="363"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>specifies key information for use in
+authentication and authorization using TSIG.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="128"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><B
+CLASS="command"
+>logging</B
+></P
+></TD
+><TD
+WIDTH="363"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>specifies what the server logs, and where
+the log messages are sent.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="128"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><B
+CLASS="command"
+>lwres</B
+></P
+></TD
+><TD
+WIDTH="363"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>configures <B
+CLASS="command"
+>named</B
+> to
+also act as a light weight resolver daemon (<B
+CLASS="command"
+>lwresd</B
+>).</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="128"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><B
+CLASS="command"
+>masters</B
+></P
+></TD
+><TD
+WIDTH="363"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>defines a named masters list for
+inclusion in stub and slave zone masters clauses.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="128"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><B
+CLASS="command"
+>options</B
+></P
+></TD
+><TD
+WIDTH="363"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>controls global server configuration
+options and sets defaults for other statements.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="128"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><B
+CLASS="command"
+>server</B
+></P
+></TD
+><TD
+WIDTH="363"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>sets certain configuration options on
+a per-server basis.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="128"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><B
+CLASS="command"
+>trusted-keys</B
+></P
+></TD
+><TD
+WIDTH="363"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>defines trusted DNSSEC keys.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="128"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><B
+CLASS="command"
+>view</B
+></P
+></TD
+><TD
+WIDTH="363"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>defines a view.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="128"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><B
+CLASS="command"
+>zone</B
+></P
+></TD
+><TD
+WIDTH="363"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>defines a zone.</P
+></TD
+></TR
+></TBODY
+></TABLE
+><P
+></P
+></DIV
+><P
+>The <B
+CLASS="command"
+>logging</B
+> and
+    <B
+CLASS="command"
+>options</B
+> statements may only occur once per
+    configuration.</P
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN1419"
+>6.2.1. <B
+CLASS="command"
+>acl</B
+> Statement Grammar</A
+></H2
+><PRE
+CLASS="programlisting"
+><B
+CLASS="command"
+>acl</B
+> acl-name { 
     address_match_list 
 };
-</pre>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="acl"></a><span><strong class="command">acl</strong></span> Statement Definition and
-Usage</h3></div></div></div>
-<p>The <span><strong class="command">acl</strong></span> statement assigns a symbolic
+</PRE
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="acl"
+>6.2.2. <B
+CLASS="command"
+>acl</B
+> Statement Definition and
+Usage</A
+></H2
+><P
+>The <B
+CLASS="command"
+>acl</B
+> statement assigns a symbolic
       name to an address match list. It gets its name from a primary
-      use of address match lists: Access Control Lists (ACLs).</p>
-<p>Note that an address match list's name must be defined
-      with <span><strong class="command">acl</strong></span> before it can be used elsewhere; no
-      forward references are allowed.</p>
-<p>The following ACLs are built-in:</p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td><p><span><strong class="command">any</strong></span></p></td>
-<td><p>Matches all hosts.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">none</strong></span></p></td>
-<td><p>Matches no hosts.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">localhost</strong></span></p></td>
-<td><p>Matches the IPv4 addresses of all network
-interfaces on the system.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">localnets</strong></span></p></td>
-<td><p>Matches any host on an IPv4 network for which
-the system has an interface.</p></td>
-</tr>
-</tbody>
-</table></div>
-<p>The <span><strong class="command">localhost</strong></span> and <span><strong class="command">localnets</strong></span>
-ACLs do not currently support IPv6 (that is,
-<span><strong class="command">localhost</strong></span> does not match the host's IPv6 addresses,
-and <span><strong class="command">localnets</strong></span> does not match the host's attached
-IPv6 networks) due to the lack of a standard method of determining the
-complete set of local IPv6 addresses for a host.
-</p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2572459"></a><span><strong class="command">controls</strong></span> Statement Grammar</h3></div></div></div>
-<pre class="programlisting"><span><strong class="command">controls</strong></span> {
-   inet ( ip_addr | * ) [<span class="optional"> port ip_port </span>] allow { <em class="replaceable"><code> address_match_list </code></em> }
-                keys { <em class="replaceable"><code> key_list </code></em> };
-   [<span class="optional"> inet ...; </span>]
+      use of address match lists: Access Control Lists (ACLs).</P
+><P
+>Note that an address match list's name must be defined
+      with <B
+CLASS="command"
+>acl</B
+> before it can be used elsewhere; no
+      forward references are allowed.</P
+><P
+>The following ACLs are built-in:</P
+><DIV
+CLASS="informaltable"
+><A
+NAME="AEN1432"
+></A
+><P
+></P
+><TABLE
+CELLPADDING="3"
+BORDER="1"
+CLASS="CALSTABLE"
+><TBODY
+><TR
+><TD
+WIDTH="108"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><B
+CLASS="command"
+>any</B
+></P
+></TD
+><TD
+WIDTH="384"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>Matches all hosts.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="108"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><B
+CLASS="command"
+>none</B
+></P
+></TD
+><TD
+WIDTH="384"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>Matches no hosts.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="108"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><B
+CLASS="command"
+>localhost</B
+></P
+></TD
+><TD
+WIDTH="384"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>Matches the IPv4 and IPv6 addresses of all network
+interfaces on the system.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="108"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><B
+CLASS="command"
+>localnets</B
+></P
+></TD
+><TD
+WIDTH="384"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>Matches any host on an IPv4 or IPv6 network
+for which the system has an interface.
+Some systems do not provide a way to determine the prefix lengths of
+local IPv6 addresses.
+In such a case, <B
+CLASS="command"
+>localnets</B
+> only matches the local
+IPv6 addresses, just like <B
+CLASS="command"
+>localhost</B
+>.
+</P
+></TD
+></TR
+></TBODY
+></TABLE
+><P
+></P
+></DIV
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN1463"
+>6.2.3. <B
+CLASS="command"
+>controls</B
+> Statement Grammar</A
+></H2
+><PRE
+CLASS="programlisting"
+><B
+CLASS="command"
+>controls</B
+> {
+   inet ( ip_addr | * ) [<SPAN
+CLASS="optional"
+> port ip_port </SPAN
+>] allow { <TT
+CLASS="replaceable"
+><I
+> address_match_list </I
+></TT
+> }
+                keys { <TT
+CLASS="replaceable"
+><I
+> key_list </I
+></TT
+> };
+   [<SPAN
+CLASS="optional"
+> inet ...; </SPAN
+>]
 };
-</pre>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="controls_statement_definition_and_usage"></a><span><strong class="command">controls</strong></span> Statement Definition and Usage</h3></div></div></div>
-<p>The <span><strong class="command">controls</strong></span> statement declares control
-      channels to be used by system administrators to affect the
-      operation of the local nameserver. These control channels are
-      used by the <span><strong class="command">rndc</strong></span> utility to send commands to
-      and retrieve non-DNS results from a nameserver.</p>
-<p>An <span><strong class="command">inet</strong></span> control channel is a TCP
+</PRE
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="controls_statement_definition_and_usage"
+>6.2.4. <B
+CLASS="command"
+>controls</B
+> Statement Definition and Usage</A
+></H2
+><P
+>The <B
+CLASS="command"
+>controls</B
+> statement declares control
+      channels to be used by system administrators to control the
+      operation of the name server. These control channels are
+      used by the <B
+CLASS="command"
+>rndc</B
+> utility to send commands to
+      and retrieve non-DNS results from a name server.</P
+><P
+>An <B
+CLASS="command"
+>inet</B
+> control channel is a TCP
       socket listening at the specified
-      <span><strong class="command">ip_port</strong></span> on the specified
-      <span><strong class="command">ip_addr</strong></span>, which can be an IPv4 or IPv6
-      address.  An <span><strong class="command">ip_addr</strong></span>
-      of <code class="literal">*</code> (asterisk) is interpreted as the IPv4 wildcard
+      <B
+CLASS="command"
+>ip_port</B
+> on the specified
+      <B
+CLASS="command"
+>ip_addr</B
+>, which can be an IPv4 or IPv6
+      address.  An <B
+CLASS="command"
+>ip_addr</B
+>
+      of <TT
+CLASS="literal"
+>*</TT
+> is interpreted as the IPv4 wildcard
       address; connections will be accepted on any of the system's
       IPv4 addresses.  To listen on the IPv6 wildcard address,
-      use an <span><strong class="command">ip_addr</strong></span> of <code class="literal">::</code>.
-      If you will only use <span><strong class="command">rndc</strong></span> on the local host,
-      using the loopback address (<code class="literal">127.0.0.1</code>
-      or <code class="literal">::1</code>) is recommended for maximum
+      use an <B
+CLASS="command"
+>ip_addr</B
+> of <TT
+CLASS="literal"
+>::</TT
+>.
+      If you will only use <B
+CLASS="command"
+>rndc</B
+> on the local host,
+      using the loopback address (<TT
+CLASS="literal"
+>127.0.0.1</TT
+>
+      or <TT
+CLASS="literal"
+>::1</TT
+>) is recommended for maximum
       security.
-      </p>
-<p>The ability to issue commands over the control channel is
-      restricted by the <span><strong class="command">allow</strong></span> and
-      <span><strong class="command">keys</strong></span> clauses.  Connections to the control
-      channel are permitted based on the address permissions in
-      <span><strong class="command">address_match_list</strong></span>. <span><strong class="command">key_id</strong></span>
-      members of the <span><strong class="command">address_match_list</strong></span> are
-      ignored, and instead are interpreted independently based the
-      <span><strong class="command">key_list</strong></span>.  Each <span><strong class="command">key_id</strong></span> in
-      the <span><strong class="command">key_list</strong></span> is allowed to be used to
-      authenticate commands and responses given over the control
-      channel by digitally signing each message between the server and
-      a command client (See <a href="Bv9ARM.ch03.html#rndc">Remote Name Daemon Control application</a> in
-      <a href="Bv9ARM.ch03.html#admin_tools" title="Administrative Tools">the section called &#8220;Administrative Tools&#8221;</a>). All commands to the control channel
-      must be signed by one of its specified keys to
-      be honored.</p>
-<p>
-If no <span><strong class="command">controls</strong></span> statement is present,
-<span><strong class="command">named</strong></span> will set up a default
+      </P
+><P
+>&#13;      If no port is specified, port 953
+      is used.  "<TT
+CLASS="literal"
+>*</TT
+>" cannot be used for
+      <B
+CLASS="command"
+>ip_port</B
+>.</P
+><P
+>The ability to issue commands over the control channel is
+      restricted by the <B
+CLASS="command"
+>allow</B
+> and
+      <B
+CLASS="command"
+>keys</B
+> clauses. Connections to the control
+      channel are permitted based on the
+      <B
+CLASS="command"
+>address_match_list</B
+>.  This is for simple
+      IP address based filtering only; any <B
+CLASS="command"
+>key_id</B
+>
+      elements of the <B
+CLASS="command"
+>address_match_list</B
+> are
+      ignored.
+      </P
+><P
+>The primary authorization mechanism of the command
+      channel is the <B
+CLASS="command"
+>key_list</B
+>, which contains
+      a list of <B
+CLASS="command"
+>key_id</B
+>s.
+      Each <B
+CLASS="command"
+>key_id</B
+> in
+      the <B
+CLASS="command"
+>key_list</B
+> is authorized to execute
+      commands over the control channel.
+      See <A
+HREF="Bv9ARM.ch03.html#rndc"
+>Remote Name Daemon Control application</A
+> in
+      <A
+HREF="Bv9ARM.ch03.html#admin_tools"
+>Section 3.3.1.2</A
+>) for information about
+      configuring keys in <B
+CLASS="command"
+>rndc</B
+>.</P
+><P
+>&#13;If no <B
+CLASS="command"
+>controls</B
+> statement is present,
+<B
+CLASS="command"
+>named</B
+> will set up a default
 control channel listening on the loopback address 127.0.0.1
 and its IPv6 counterpart ::1.
-
-In this case, and also when the <span><strong class="command">controls</strong></span> statement
-is present but does not have a <span><strong class="command">keys</strong></span> clause,
-<span><strong class="command">named</strong></span> will attempt to load the command channel key
-from the file <code class="filename">rndc.key</code> in
-<code class="filename">/etc</code> (or whatever <code class="varname">sysconfdir</code>
-was specified as when <acronym class="acronym">BIND</acronym> was built).
-To create a <code class="filename">rndc.key</code> file, run
-<strong class="userinput"><code>rndc-confgen -a</code></strong>.
-</p>
-<p>The <code class="filename">rndc.key</code> feature was created to
-      ease the transition of systems from <acronym class="acronym">BIND</acronym> 8,
+In this case, and also when the <B
+CLASS="command"
+>controls</B
+> statement
+is present but does not have a <B
+CLASS="command"
+>keys</B
+> clause,
+<B
+CLASS="command"
+>named</B
+> will attempt to load the command channel key
+from the file <TT
+CLASS="filename"
+>rndc.key</TT
+> in
+<TT
+CLASS="filename"
+>/etc</TT
+> (or whatever <TT
+CLASS="varname"
+>sysconfdir</TT
+>
+was specified as when <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> was built).
+To create a <TT
+CLASS="filename"
+>rndc.key</TT
+> file, run
+<TT
+CLASS="userinput"
+><B
+>rndc-confgen -a</B
+></TT
+>.
+</P
+><P
+>The <TT
+CLASS="filename"
+>rndc.key</TT
+> feature was created to
+      ease the transition of systems from <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 8,
       which did not have digital signatures on its command channel messages
-      and thus did not have a <span><strong class="command">keys</strong></span> clause.
+      and thus did not have a <B
+CLASS="command"
+>keys</B
+> clause.
 
-It makes it possible to use an existing <acronym class="acronym">BIND</acronym> 8
-configuration file in <acronym class="acronym">BIND</acronym> 9 unchanged,
-and still have <span><strong class="command">rndc</strong></span> work the same way
-<span><strong class="command">ndc</strong></span> worked in BIND 8, simply by executing the
-command <strong class="userinput"><code>rndc-confgen -a</code></strong> after BIND 9 is
+It makes it possible to use an existing <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 8
+configuration file in <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 9 unchanged,
+and still have <B
+CLASS="command"
+>rndc</B
+> work the same way
+<B
+CLASS="command"
+>ndc</B
+> worked in BIND 8, simply by executing the
+command <TT
+CLASS="userinput"
+><B
+>rndc-confgen -a</B
+></TT
+> after BIND 9 is
 installed.
-</p>
-<p>
-      Since the <code class="filename">rndc.key</code> feature
+</P
+><P
+>&#13;      Since the <TT
+CLASS="filename"
+>rndc.key</TT
+> feature
       is only intended to allow the backward-compatible usage of
-      <acronym class="acronym">BIND</acronym> 8 configuration files, this feature does not
+      <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 8 configuration files, this feature does not
       have a high degree of configurability.  You cannot easily change
       the key name or the size of the secret, so you should make a
-      <code class="filename">rndc.conf</code> with your own key if you wish to change
-      those things.  The <code class="filename">rndc.key</code> file also has its
+      <TT
+CLASS="filename"
+>rndc.conf</TT
+> with your own key if you wish to change
+      those things.  The <TT
+CLASS="filename"
+>rndc.key</TT
+> file also has its
       permissions set such that only the owner of the file (the user that
-      <span><strong class="command">named</strong></span> is running as) can access it.  If you
+      <B
+CLASS="command"
+>named</B
+> is running as) can access it.  If you
       desire greater flexibility in allowing other users to access
-      <span><strong class="command">rndc</strong></span> commands, then you need to create a
-      <code class="filename">rndc.conf</code> file and make it group readable by a group
-      that contains the users who should have access.</p>
-<p>The UNIX control channel type of <acronym class="acronym">BIND</acronym> 8 is not supported
-      in <acronym class="acronym">BIND</acronym> 9.0, <acronym class="acronym">BIND</acronym> 9.1,
-      <acronym class="acronym">BIND</acronym> 9.2 and <acronym class="acronym">BIND</acronym> 9.3.
-      If it is present in the controls statement from a
-      <acronym class="acronym">BIND</acronym> 8 configuration file, it is ignored
-      and a warning is logged.</p>
-<p>
-To disable the command channel, use an empty <span><strong class="command">controls</strong></span>
-statement: <span><strong class="command">controls { };</strong></span>.
-</p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2572988"></a><span><strong class="command">include</strong></span> Statement Grammar</h3></div></div></div>
-<pre class="programlisting">include <em class="replaceable"><code>filename</code></em>;</pre>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2573003"></a><span><strong class="command">include</strong></span> Statement Definition and Usage</h3></div></div></div>
-<p>The <span><strong class="command">include</strong></span> statement inserts the
-      specified file at the point that the <span><strong class="command">include</strong></span>
-      statement is encountered. The <span><strong class="command">include</strong></span>
+      <B
+CLASS="command"
+>rndc</B
+> commands then you need to create an
+      <TT
+CLASS="filename"
+>rndc.conf</TT
+> and make it group readable by a group
+      that contains the users who should have access.</P
+><P
+>The UNIX control channel type of <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 8 is not supported
+      in <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 9, and is not expected to be added in future
+      releases.  If it is present in the controls statement from a
+      <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 8 configuration file, it is ignored
+      and a warning is logged.</P
+><P
+>&#13;To disable the command channel, use an empty <B
+CLASS="command"
+>controls</B
+>
+statement: <B
+CLASS="command"
+>controls { };</B
+>.
+</P
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN1542"
+>6.2.5. <B
+CLASS="command"
+>include</B
+> Statement Grammar</A
+></H2
+><PRE
+CLASS="programlisting"
+>include <TT
+CLASS="replaceable"
+><I
+>filename</I
+></TT
+>;</PRE
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN1547"
+>6.2.6. <B
+CLASS="command"
+>include</B
+> Statement Definition and Usage</A
+></H2
+><P
+>The <B
+CLASS="command"
+>include</B
+> statement inserts the
+      specified file at the point where the <B
+CLASS="command"
+>include</B
+>
+      statement is encountered. The <B
+CLASS="command"
+>include</B
+>
       statement facilitates the administration of configuration files
       by permitting the reading or writing of some things but not
       others. For example, the statement could include private keys
-      that are readable only by a nameserver.</p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2573026"></a><span><strong class="command">key</strong></span> Statement Grammar</h3></div></div></div>
-<pre class="programlisting">key <em class="replaceable"><code>key_id</code></em> {
-    algorithm <em class="replaceable"><code>string</code></em>;
-    secret <em class="replaceable"><code>string</code></em>;
+      that are readable only by the name server.</P
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN1554"
+>6.2.7. <B
+CLASS="command"
+>key</B
+> Statement Grammar</A
+></H2
+><PRE
+CLASS="programlisting"
+>key <TT
+CLASS="replaceable"
+><I
+>key_id</I
+></TT
+> {
+    algorithm <TT
+CLASS="replaceable"
+><I
+>string</I
+></TT
+>;
+    secret <TT
+CLASS="replaceable"
+><I
+>string</I
+></TT
+>;
 };
-</pre>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2573047"></a><span><strong class="command">key</strong></span> Statement Definition and Usage</h3></div></div></div>
-<p>The <span><strong class="command">key</strong></span> statement defines a shared
-secret key for use with TSIG, see <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called &#8220;TSIG&#8221;</a>.</p>
-<p>
-The <span><strong class="command">key</strong></span> statement can occur at the top level
-of the configuration file or inside a <span><strong class="command">view</strong></span> 
-statement.  Keys defined in top-level <span><strong class="command">key</strong></span>
+</PRE
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN1561"
+>6.2.8. <B
+CLASS="command"
+>key</B
+> Statement Definition and Usage</A
+></H2
+><P
+>The <B
+CLASS="command"
+>key</B
+> statement defines a shared
+secret key for use with TSIG (see <A
+HREF="Bv9ARM.ch04.html#tsig"
+>Section 4.5</A
+>)
+or the command channel
+(see <A
+HREF="Bv9ARM.ch06.html#controls_statement_definition_and_usage"
+>Section 6.2.4</A
+>).
+</P
+><P
+>&#13;The <B
+CLASS="command"
+>key</B
+> statement can occur at the top level
+of the configuration file or inside a <B
+CLASS="command"
+>view</B
+> 
+statement.  Keys defined in top-level <B
+CLASS="command"
+>key</B
+>
 statements can be used in all views.  Keys intended for use in
-a <span><strong class="command">controls</strong></span> statement
-(see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and Usage">the section called &#8220;<span><strong class="command">controls</strong></span> Statement Definition and Usage&#8221;</a>)
+a <B
+CLASS="command"
+>controls</B
+> statement
+(see <A
+HREF="Bv9ARM.ch06.html#controls_statement_definition_and_usage"
+>Section 6.2.4</A
+>)
 must be defined at the top level.
-</p>
-<p>The <em class="replaceable"><code>key_id</code></em>, also known as the
+</P
+><P
+>The <TT
+CLASS="replaceable"
+><I
+>key_id</I
+></TT
+>, also known as the
 key name, is a domain name uniquely identifying the key. It can
-be used in a "server" statement to cause requests sent to that
+be used in a <B
+CLASS="command"
+>server</B
+>
+statement to cause requests sent to that
 server to be signed with this key, or in address match lists to
 verify that incoming requests have been signed with a key
-matching this name, algorithm, and secret.</p>
-<p>The <em class="replaceable"><code>algorithm_id</code></em> is a string
+matching this name, algorithm, and secret.</P
+><P
+>The <TT
+CLASS="replaceable"
+><I
+>algorithm_id</I
+></TT
+> is a string
 that specifies a security/authentication algorithm. The only
 algorithm currently supported with TSIG authentication is
-<code class="literal">hmac-md5</code>.  The
-<em class="replaceable"><code>secret_string</code></em> is the secret to be
+<TT
+CLASS="literal"
+>hmac-md5</TT
+>.  The
+<TT
+CLASS="replaceable"
+><I
+>secret_string</I
+></TT
+> is the secret to be
 used by the algorithm, and is treated as a base-64 encoded
-string.</p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2573110"></a><span><strong class="command">logging</strong></span> Statement Grammar</h3></div></div></div>
-<pre class="programlisting"><span><strong class="command">logging</strong></span> {
-   [ <span><strong class="command">channel</strong></span> <em class="replaceable"><code>channel_name</code></em> {
-     ( <span><strong class="command">file</strong></span> <em class="replaceable"><code>path name</code></em>
-         [ <span><strong class="command">versions</strong></span> ( <em class="replaceable"><code>number</code></em> | <span><strong class="command">unlimited</strong></span> ) ]
-         [ <span><strong class="command">size</strong></span> <em class="replaceable"><code>size spec</code></em> ]
-       | <span><strong class="command">syslog</strong></span> <em class="replaceable"><code>syslog_facility</code></em>
-       | <span><strong class="command">stderr</strong></span>
-       | <span><strong class="command">null</strong></span> );
-     [ <span><strong class="command">severity</strong></span> (<code class="option">critical</code> | <code class="option">error</code> | <code class="option">warning</code> | <code class="option">notice</code> |
-                 <code class="option">info</code> | <code class="option">debug</code> [ <em class="replaceable"><code>level</code></em> ] | <code class="option">dynamic</code> ); ]
-     [ <span><strong class="command">print-category</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
-     [ <span><strong class="command">print-severity</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
-     [ <span><strong class="command">print-time</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
+string.</P
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN1581"
+>6.2.9. <B
+CLASS="command"
+>logging</B
+> Statement Grammar</A
+></H2
+><PRE
+CLASS="programlisting"
+><B
+CLASS="command"
+>logging</B
+> {
+   [ <B
+CLASS="command"
+>channel</B
+> <TT
+CLASS="replaceable"
+><I
+>channel_name</I
+></TT
+> {
+     ( <B
+CLASS="command"
+>file</B
+> <TT
+CLASS="replaceable"
+><I
+>path name</I
+></TT
+>
+         [ <B
+CLASS="command"
+>versions</B
+> ( <TT
+CLASS="replaceable"
+><I
+>number</I
+></TT
+> | <TT
+CLASS="literal"
+>unlimited</TT
+> ) ]
+         [ <B
+CLASS="command"
+>size</B
+> <TT
+CLASS="replaceable"
+><I
+>size spec</I
+></TT
+> ]
+       | <B
+CLASS="command"
+>syslog</B
+> <TT
+CLASS="replaceable"
+><I
+>syslog_facility</I
+></TT
+>
+       | <B
+CLASS="command"
+>stderr</B
+>
+       | <B
+CLASS="command"
+>null</B
+> );
+     [ <B
+CLASS="command"
+>severity</B
+> (<TT
+CLASS="option"
+>critical</TT
+> | <TT
+CLASS="option"
+>error</TT
+> | <TT
+CLASS="option"
+>warning</TT
+> | <TT
+CLASS="option"
+>notice</TT
+> |
+                 <TT
+CLASS="option"
+>info</TT
+> | <TT
+CLASS="option"
+>debug</TT
+> [ <TT
+CLASS="replaceable"
+><I
+>level</I
+></TT
+> ] | <TT
+CLASS="option"
+>dynamic</TT
+> ); ]
+     [ <B
+CLASS="command"
+>print-category</B
+> <TT
+CLASS="option"
+>yes</TT
+> or <TT
+CLASS="option"
+>no</TT
+>; ]
+     [ <B
+CLASS="command"
+>print-severity</B
+> <TT
+CLASS="option"
+>yes</TT
+> or <TT
+CLASS="option"
+>no</TT
+>; ]
+     [ <B
+CLASS="command"
+>print-time</B
+> <TT
+CLASS="option"
+>yes</TT
+> or <TT
+CLASS="option"
+>no</TT
+>; ]
    }; ]
-   [ <span><strong class="command">category</strong></span> <em class="replaceable"><code>category_name</code></em> {
-     <em class="replaceable"><code>channel_name</code></em> ; [ <em class="replaceable"><code>channel_nam</code></em>e ; ... ]
+   [ <B
+CLASS="command"
+>category</B
+> <TT
+CLASS="replaceable"
+><I
+>category_name</I
+></TT
+> {
+     <TT
+CLASS="replaceable"
+><I
+>channel_name</I
+></TT
+> ; [ <TT
+CLASS="replaceable"
+><I
+>channel_nam</I
+></TT
+>e ; ... ]
    }; ]
    ...
 };
-</pre>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2573236"></a><span><strong class="command">logging</strong></span> Statement Definition and Usage</h3></div></div></div>
-<p>The <span><strong class="command">logging</strong></span> statement configures a wide
-variety of logging options for the nameserver. Its <span><strong class="command">channel</strong></span> phrase
+</PRE
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN1621"
+>6.2.10. <B
+CLASS="command"
+>logging</B
+> Statement Definition and Usage</A
+></H2
+><P
+>The <B
+CLASS="command"
+>logging</B
+> statement configures a wide
+variety of logging options for the name server. Its <B
+CLASS="command"
+>channel</B
+> phrase
 associates output methods, format options and severity levels with
-a name that can then be used with the <span><strong class="command">category</strong></span> phrase
-to select how various classes of messages are logged.</p>
-<p>Only one <span><strong class="command">logging</strong></span> statement is used to define
-as many channels and categories as are wanted. If there is no <span><strong class="command">logging</strong></span> statement,
-the logging configuration will be:</p>
-<pre class="programlisting">logging {
-     category "unmatched" { "null"; };
-     category "default" { "default_syslog"; "default_debug"; };
+a name that can then be used with the <B
+CLASS="command"
+>category</B
+> phrase
+to select how various classes of messages are logged.</P
+><P
+>Only one <B
+CLASS="command"
+>logging</B
+> statement is used to define
+as many channels and categories as are wanted. If there is no <B
+CLASS="command"
+>logging</B
+> statement,
+the logging configuration will be:</P
+><PRE
+CLASS="programlisting"
+>logging {
+     category default { default_syslog; default_debug; };
+     category unmatched { null; };
 };
-</pre>
-<p>In <acronym class="acronym">BIND</acronym> 9, the logging configuration is only established when
-the entire configuration file has been parsed.  In <acronym class="acronym">BIND</acronym> 8, it was
-established as soon as the <span><strong class="command">logging</strong></span> statement
+</PRE
+><P
+>In <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 9, the logging configuration is only established when
+the entire configuration file has been parsed.  In <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 8, it was
+established as soon as the <B
+CLASS="command"
+>logging</B
+> statement
 was parsed. When the server is starting up, all logging messages
 regarding syntax errors in the configuration file go to the default
-channels, or to standard error if the "<code class="option">-g</code>" option
-was specified.</p>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2573288"></a>The <span><strong class="command">channel</strong></span> Phrase</h4></div></div></div>
-<p>All log output goes to one or more <span class="emphasis"><em>channels</em></span>;
-you can make as many of them as you want.</p>
-<p>Every channel definition must include a destination clause that
+channels, or to standard error if the "<TT
+CLASS="option"
+>-g</TT
+>" option
+was specified.</P
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="AEN1637"
+>6.2.10.1. The <B
+CLASS="command"
+>channel</B
+> Phrase</A
+></H3
+><P
+>All log output goes to one or more <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>channels</I
+></SPAN
+>;
+you can make as many of them as you want.</P
+><P
+>Every channel definition must include a destination clause that
 says whether messages selected for the channel go to a file, to a
 particular syslog facility, to the standard error stream, or are
 discarded. It can optionally also limit the message severity level
 that will be accepted by the channel (the default is
-<span><strong class="command">info</strong></span>), and whether to include a
-<span><strong class="command">named</strong></span>-generated time stamp, the category name
-and/or severity level (the default is not to include any).</p>
-<p>The <span><strong class="command">null</strong></span> destination clause 
+<B
+CLASS="command"
+>info</B
+>), and whether to include a
+<B
+CLASS="command"
+>named</B
+>-generated time stamp, the category name
+and/or severity level (the default is not to include any).</P
+><P
+>The <B
+CLASS="command"
+>null</B
+> destination clause 
 causes all messages sent to the channel to be discarded;
-in that case, other options for the channel are meaningless.</p>
-<p>The <span><strong class="command">file</strong></span> destination clause directs the channel
+in that case, other options for the channel are meaningless.</P
+><P
+>The <B
+CLASS="command"
+>file</B
+> destination clause directs the channel
 to a disk file.  It can include limitations
 both on how large the file is allowed to become, and how many versions
-of the file will be saved each time the file is opened.</p>
-<p>If you use the <span><strong class="command">versions</strong></span> log file option, then
-<span><strong class="command">named</strong></span> will retain that many backup versions of the file by
-renaming them when opening.  For example, if you choose to keep three old versions
-of the file <code class="filename">lamers.log</code>, then just before it is opened
-<code class="filename">lamers.log.1</code> is renamed to
-<code class="filename">lamers.log.2</code>, <code class="filename">lamers.log.0</code> is renamed
-to <code class="filename">lamers.log.1</code>, and <code class="filename">lamers.log</code> is
-renamed to <code class="filename">lamers.log.0</code>.
-You can say <span><strong class="command">versions unlimited;</strong></span> to not limit
+of the file will be saved each time the file is opened.</P
+><P
+>If you use the <B
+CLASS="command"
+>versions</B
+> log file option, then
+<B
+CLASS="command"
+>named</B
+> will retain that many backup versions of the file by
+renaming them when opening.  For example, if you choose to keep 3 old versions
+of the file <TT
+CLASS="filename"
+>lamers.log</TT
+> then just before it is opened
+<TT
+CLASS="filename"
+>lamers.log.1</TT
+> is renamed to
+<TT
+CLASS="filename"
+>lamers.log.2</TT
+>, <TT
+CLASS="filename"
+>lamers.log.0</TT
+> is renamed
+to <TT
+CLASS="filename"
+>lamers.log.1</TT
+>, and <TT
+CLASS="filename"
+>lamers.log</TT
+> is
+renamed to <TT
+CLASS="filename"
+>lamers.log.0</TT
+>.
+You can say <B
+CLASS="command"
+>versions unlimited</B
+> to not limit
 the number of versions.
-If a <span><strong class="command">size</strong></span> option is associated with the log file,
+If a <B
+CLASS="command"
+>size</B
+> option is associated with the log file,
 then renaming is only done when the file being opened exceeds the
 indicated size.  No backup versions are kept by default; any existing
-log file is simply appended.</p>
-<p>The <span><strong class="command">size</strong></span> option for files is used to limit log
-growth. If the file ever exceeds the size, then <span><strong class="command">named</strong></span> will
-stop writing to the file unless it has a <span><strong class="command">versions</strong></span> option
+log file is simply appended.</P
+><P
+>The <B
+CLASS="command"
+>size</B
+> option for files is used to limit log
+growth. If the file ever exceeds the size, then <B
+CLASS="command"
+>named</B
+> will
+stop writing to the file unless it has a <B
+CLASS="command"
+>versions</B
+> option
 associated with it.  If backup versions are kept, the files are rolled as
 described above and a new one begun.  If there is no
-<span><strong class="command">versions</strong></span> option, no more data will be written to the log
+<B
+CLASS="command"
+>versions</B
+> option, no more data will be written to the log
 until some out-of-band mechanism removes or truncates the log to less than the
 maximum size.  The default behavior is not to limit the size of the
-file.</p>
-<p>Example usage of the <span><strong class="command">size</strong></span> and
-<span><strong class="command">versions</strong></span> options:</p>
-<pre class="programlisting">channel "an_example_channel" {
+file.</P
+><P
+>Example usage of the <B
+CLASS="command"
+>size</B
+> and
+<B
+CLASS="command"
+>versions</B
+> options:</P
+><PRE
+CLASS="programlisting"
+>channel an_example_channel {
     file "example.log" versions 3 size 20m;
     print-time yes;
     print-category yes;
 };
-</pre>
-<p>The <span><strong class="command">syslog</strong></span> destination clause directs the
+</PRE
+><P
+>The <B
+CLASS="command"
+>syslog</B
+> destination clause directs the
 channel to the system log.  Its argument is a
-syslog facility as described in the <span><strong class="command">syslog</strong></span> man
-page. Known facilities are <span><strong class="command">kern</strong></span>, <span><strong class="command">user</strong></span>,
-<span><strong class="command">mail</strong></span>, <span><strong class="command">daemon</strong></span>, <span><strong class="command">auth</strong></span>,
-<span><strong class="command">syslog</strong></span>, <span><strong class="command">lpr</strong></span>, <span><strong class="command">news</strong></span>,
-<span><strong class="command">uucp</strong></span>, <span><strong class="command">cron</strong></span>, <span><strong class="command">authpriv</strong></span>,
-<span><strong class="command">ftp</strong></span>, <span><strong class="command">local0</strong></span>, <span><strong class="command">local1</strong></span>,
-<span><strong class="command">local2</strong></span>, <span><strong class="command">local3</strong></span>, <span><strong class="command">local4</strong></span>,
-<span><strong class="command">local5</strong></span>, <span><strong class="command">local6</strong></span> and
-<span><strong class="command">local7</strong></span>, however not all facilities are supported on
+syslog facility as described in the <B
+CLASS="command"
+>syslog</B
+> man
+page. Known facilities are <B
+CLASS="command"
+>kern</B
+>, <B
+CLASS="command"
+>user</B
+>,
+<B
+CLASS="command"
+>mail</B
+>, <B
+CLASS="command"
+>daemon</B
+>, <B
+CLASS="command"
+>auth</B
+>,
+<B
+CLASS="command"
+>syslog</B
+>, <B
+CLASS="command"
+>lpr</B
+>, <B
+CLASS="command"
+>news</B
+>,
+<B
+CLASS="command"
+>uucp</B
+>, <B
+CLASS="command"
+>cron</B
+>, <B
+CLASS="command"
+>authpriv</B
+>,
+<B
+CLASS="command"
+>ftp</B
+>, <B
+CLASS="command"
+>local0</B
+>, <B
+CLASS="command"
+>local1</B
+>,
+<B
+CLASS="command"
+>local2</B
+>, <B
+CLASS="command"
+>local3</B
+>, <B
+CLASS="command"
+>local4</B
+>,
+<B
+CLASS="command"
+>local5</B
+>, <B
+CLASS="command"
+>local6</B
+> and
+<B
+CLASS="command"
+>local7</B
+>, however not all facilities are supported on
 all operating systems.
-How <span><strong class="command">syslog</strong></span> will handle messages sent to
-this facility is described in the <span><strong class="command">syslog.conf</strong></span> man
-page. If you have a system which uses a very old version of <span><strong class="command">syslog</strong></span> that
-only uses two arguments to the <span><strong class="command">openlog()</strong></span> function,
-then this clause is silently ignored.</p>
-<p>The <span><strong class="command">severity</strong></span> clause works like <span><strong class="command">syslog</strong></span>'s
-"priorities," except that they can also be used if you are writing
-straight to a file rather than using <span><strong class="command">syslog</strong></span>.
+How <B
+CLASS="command"
+>syslog</B
+> will handle messages sent to
+this facility is described in the <B
+CLASS="command"
+>syslog.conf</B
+> man
+page. If you have a system which uses a very old version of <B
+CLASS="command"
+>syslog</B
+> that
+only uses two arguments to the <B
+CLASS="command"
+>openlog()</B
+> function,
+then this clause is silently ignored.</P
+><P
+>The <B
+CLASS="command"
+>severity</B
+> clause works like <B
+CLASS="command"
+>syslog</B
+>'s
+"priorities", except that they can also be used if you are writing
+straight to a file rather than using <B
+CLASS="command"
+>syslog</B
+>.
 Messages which are not at least of the severity level given will
 not be selected for the channel; messages of higher severity levels
-will be accepted.</p>
-<p>If you are using <span><strong class="command">syslog</strong></span>, then the <span><strong class="command">syslog.conf</strong></span> priorities
+will be accepted.</P
+><P
+>If you are using <B
+CLASS="command"
+>syslog</B
+>, then the <B
+CLASS="command"
+>syslog.conf</B
+> priorities
 will also determine what eventually passes through. For example,
-defining a channel facility and severity as <span><strong class="command">daemon</strong></span> and <span><strong class="command">debug</strong></span> but
-only logging <span><strong class="command">daemon.warning</strong></span> via <span><strong class="command">syslog.conf</strong></span> will
-cause messages of severity <span><strong class="command">info</strong></span> and <span><strong class="command">notice</strong></span> to
-be dropped. If the situation were reversed, with <span><strong class="command">named</strong></span> writing
-messages of only <span><strong class="command">warning</strong></span> or higher, then <span><strong class="command">syslogd</strong></span> would
-print all messages it received from the channel.</p>
-<p>The <span><strong class="command">stderr</strong></span> destination clause directs the
+defining a channel facility and severity as <B
+CLASS="command"
+>daemon</B
+> and <B
+CLASS="command"
+>debug</B
+> but
+only logging <B
+CLASS="command"
+>daemon.warning</B
+> via <B
+CLASS="command"
+>syslog.conf</B
+> will
+cause messages of severity <B
+CLASS="command"
+>info</B
+> and <B
+CLASS="command"
+>notice</B
+> to
+be dropped. If the situation were reversed, with <B
+CLASS="command"
+>named</B
+> writing
+messages of only <B
+CLASS="command"
+>warning</B
+> or higher, then <B
+CLASS="command"
+>syslogd</B
+> would
+print all messages it received from the channel.</P
+><P
+>The <B
+CLASS="command"
+>stderr</B
+> destination clause directs the
 channel to the server's standard error stream.  This is intended for
 use when the server is running as a foreground process, for example
-when debugging a configuration.</p>
-<p>The server can supply extensive debugging information when
+when debugging a configuration.</P
+><P
+>The server can supply extensive debugging information when
 it is in debugging mode. If the server's global debug level is greater
 than zero, then debugging mode will be active. The global debug
-level is set either by starting the <span><strong class="command">named</strong></span> server
-with the <code class="option">-d</code> flag followed by a positive integer,
-or by running <span><strong class="command">rndc trace</strong></span>.
+level is set either by starting the <B
+CLASS="command"
+>named</B
+> server
+with the <TT
+CLASS="option"
+>-d</TT
+> flag followed by a positive integer,
+or by running <B
+CLASS="command"
+>rndc trace</B
+>.
 The global debug level
-can be set to zero, and debugging mode turned off, by running <span><strong class="command">rndc
-notrace</strong></span>. All debugging messages in the server have a debug
+can be set to zero, and debugging mode turned off, by running <B
+CLASS="command"
+>ndc
+notrace</B
+>. All debugging messages in the server have a debug
 level, and higher debug levels give more detailed output. Channels
-that specify a specific debug severity, for example:</p>
-<pre class="programlisting">channel "specific_debug_level" {
+that specify a specific debug severity, for example:</P
+><PRE
+CLASS="programlisting"
+>channel specific_debug_level {
     file "foo";
     severity debug 3;
 };
-</pre>
-<p>will get debugging output of level 3 or less any time the
+</PRE
+><P
+>will get debugging output of level 3 or less any time the
 server is in debugging mode, regardless of the global debugging
-level. Channels with <span><strong class="command">dynamic</strong></span> severity use the
-server's global level to determine what messages to print.</p>
-<p>If <span><strong class="command">print-time</strong></span> has been turned on, then
-the date and time will be logged. <span><strong class="command">print-time</strong></span> may
-be specified for a <span><strong class="command">syslog</strong></span> channel, but is usually
-pointless since <span><strong class="command">syslog</strong></span> also prints the date and
-time. If <span><strong class="command">print-category</strong></span> is requested, then the
-category of the message will be logged as well. Finally, if <span><strong class="command">print-severity</strong></span> is
-on, then the severity level of the message will be logged. The <span><strong class="command">print-</strong></span> options may
+level. Channels with <B
+CLASS="command"
+>dynamic</B
+> severity use the
+server's global debug level to determine what messages to print.</P
+><P
+>If <B
+CLASS="command"
+>print-time</B
+> has been turned on, then
+the date and time will be logged. <B
+CLASS="command"
+>print-time</B
+> may
+be specified for a <B
+CLASS="command"
+>syslog</B
+> channel, but is usually
+pointless since <B
+CLASS="command"
+>syslog</B
+> also prints the date and
+time. If <B
+CLASS="command"
+>print-category</B
+> is requested, then the
+category of the message will be logged as well. Finally, if <B
+CLASS="command"
+>print-severity</B
+> is
+on, then the severity level of the message will be logged. The <B
+CLASS="command"
+>print-</B
+> options may
 be used in any combination, and will always be printed in the following
-order: time, category, severity. Here is an example where all three <span><strong class="command">print-</strong></span> options
-are on:</p>
-<p><code class="computeroutput">28-Feb-2000 15:05:32.863 general: notice: running</code></p>
-<p>There are four predefined channels that are used for
-<span><strong class="command">named</strong></span>'s default logging as follows. How they are
-used is described in <a href="Bv9ARM.ch06.html#the_category_phrase" title="The category Phrase">the section called &#8220;The <span><strong class="command">category</strong></span> Phrase&#8221;</a>.
-</p>
-<pre class="programlisting">channel "default_syslog" {
+order: time, category, severity. Here is an example where all three <B
+CLASS="command"
+>print-</B
+> options
+are on:</P
+><P
+><TT
+CLASS="computeroutput"
+>28-Feb-2000 15:05:32.863 general: notice: running</TT
+></P
+><P
+>There are four predefined channels that are used for
+<B
+CLASS="command"
+>named</B
+>'s default logging as follows. How they are
+used is described in <A
+HREF="Bv9ARM.ch06.html#the_category_phrase"
+>Section 6.2.10.2</A
+>.
+</P
+><PRE
+CLASS="programlisting"
+>channel default_syslog {
     syslog daemon;                      // send to syslog's daemon
                                         // facility
     severity info;                      // only send priority info
                                         // and higher
 };
 
-channel "default_debug" {
+channel default_debug {
     file "named.run";                   // write to named.run in
                                         // the working directory
                                         // Note: stderr is used instead
@@ -806,600 +2622,3276 @@ channel "default_debug" {
                                         // current debug level
 };
 
-channel "default_stderr" {              // writes to stderr
-    stderr;
+channel default_stderr {
+    stderr;                             // writes to stderr
     severity info;                      // only send priority info
                                         // and higher
 };
 
-channel "null" {
+channel null {
    null;                                // toss anything sent to
                                         // this channel
 };
-</pre>
-<p>The <span><strong class="command">default_debug</strong></span> channel has the special
+</PRE
+><P
+>The <B
+CLASS="command"
+>default_debug</B
+> channel has the special
 property that it only produces output when the server's debug level is
-nonzero.  It normally writes to a file called <code class="filename">named.run</code>
-in the server's working directory.</p>
-<p>For security reasons, when the "<code class="option">-u</code>"
-command line option is used, the <code class="filename">named.run</code> file
-is created only after <span><strong class="command">named</strong></span> has changed to the
-new UID, and any debug output generated while <span><strong class="command">named</strong></span> is
+nonzero.  It normally writes to a file <TT
+CLASS="filename"
+>named.run</TT
+>
+in the server's working directory.</P
+><P
+>For security reasons, when the "<TT
+CLASS="option"
+>-u</TT
+>"
+command line option is used, the <TT
+CLASS="filename"
+>named.run</TT
+> file
+is created only after <B
+CLASS="command"
+>named</B
+> has changed to the
+new UID, and any debug output generated while <B
+CLASS="command"
+>named</B
+> is
 starting up and still running as root is discarded.  If you need
-to capture this output, you must run the server with the "<code class="option">-g</code>"
-option and redirect standard error to a file.</p>
-<p>Once a channel is defined, it cannot be redefined. Thus you
+to capture this output, you must run the server with the "<TT
+CLASS="option"
+>-g</TT
+>"
+option and redirect standard error to a file.</P
+><P
+>Once a channel is defined, it cannot be redefined. Thus you
 cannot alter the built-in channels directly, but you can modify
-the default logging by pointing categories at channels you have defined.</p>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="the_category_phrase"></a>The <span><strong class="command">category</strong></span> Phrase</h4></div></div></div>
-<p>There are many categories, so you can send the logs you want
+the default logging by pointing categories at channels you have defined.</P
+></DIV
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="the_category_phrase"
+>6.2.10.2. The <B
+CLASS="command"
+>category</B
+> Phrase</A
+></H3
+><P
+>There are many categories, so you can send the logs you want
 to see wherever you want, without seeing logs you don't want. If
 you don't specify a list of channels for a category, then log messages
-in that category will be sent to the <span><strong class="command">default</strong></span> category
+in that category will be sent to the <B
+CLASS="command"
+>default</B
+> category
 instead. If you don't specify a default category, the following
-"default default" is used:</p>
-<pre class="programlisting">category "default" { "default_syslog"; "default_debug"; };
-</pre>
-<p>As an example, let's say you want to log security events to
+"default default" is used:</P
+><PRE
+CLASS="programlisting"
+>category default { default_syslog; default_debug; };
+</PRE
+><P
+>As an example, let's say you want to log security events to
 a file, but you also want keep the default logging behavior. You'd
-specify the following:</p>
-<pre class="programlisting">channel "my_security_channel" {
+specify the following:</P
+><PRE
+CLASS="programlisting"
+>channel my_security_channel {
     file "my_security_file";
     severity info;
 };
-category "security" {
-    "my_security_channel";
-    "default_syslog";
-    "default_debug";
-};</pre>
-<p>To discard all messages in a category, specify the <span><strong class="command">null</strong></span> channel:</p>
-<pre class="programlisting">category "xfer-out" { "null"; };
-category "notify" { "null"; };
-</pre>
-<p>Following are the available categories and brief descriptions
+category security {
+    my_security_channel;
+    default_syslog;
+    default_debug;
+};</PRE
+><P
+>To discard all messages in a category, specify the <B
+CLASS="command"
+>null</B
+> channel:</P
+><PRE
+CLASS="programlisting"
+>category xfer-out { null; };
+category notify { null; };
+</PRE
+><P
+>Following are the available categories and brief descriptions
 of the types of log information they contain. More
-categories may be added in future <acronym class="acronym">BIND</acronym> releases.</p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td><p><span><strong class="command">default</strong></span></p></td>
-<td><p>The default category defines the logging
+categories may be added in future <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> releases.</P
+><DIV
+CLASS="informaltable"
+><A
+NAME="AEN1761"
+></A
+><P
+></P
+><TABLE
+CELLPADDING="3"
+BORDER="1"
+CLASS="CALSTABLE"
+><TBODY
+><TR
+><TD
+WIDTH="110"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><B
+CLASS="command"
+>default</B
+></P
+></TD
+><TD
+WIDTH="322"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>The default category defines the logging
 options for those categories where no specific configuration has been
-defined.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">general</strong></span></p></td>
-<td><p>The catch-all. Many things still aren't
-classified into categories, and they all end up here.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">database</strong></span></p></td>
-<td><p>Messages relating to the databases used
-internally by the name server to store zone and cache data.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">security</strong></span></p></td>
-<td><p>Approval and denial of requests.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">config</strong></span></p></td>
-<td><p>Configuration file parsing and processing.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">resolver</strong></span></p></td>
-<td><p>DNS resolution, such as the recursive
-lookups performed on behalf of clients by a caching name server.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">xfer-in</strong></span></p></td>
-<td><p>Zone transfers the server is receiving.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">xfer-out</strong></span></p></td>
-<td><p>Zone transfers the server is sending.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">notify</strong></span></p></td>
-<td><p>The NOTIFY protocol.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">client</strong></span></p></td>
-<td><p>Processing of client requests.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">unmatched</strong></span></p></td>
-<td><p>Messages that named was unable to determine the
-class of or for which there was no matching <span><strong class="command">view</strong></span>.
-A one line summary is also logged to the <span><strong class="command">client</strong></span> category.
+defined.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="110"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><B
+CLASS="command"
+>general</B
+></P
+></TD
+><TD
+WIDTH="322"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>The catch-all. Many things still aren't
+classified into categories, and they all end up here.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="110"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><B
+CLASS="command"
+>database</B
+></P
+></TD
+><TD
+WIDTH="322"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>Messages relating to the databases used
+internally by the name server to store zone and cache data.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="110"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><B
+CLASS="command"
+>security</B
+></P
+></TD
+><TD
+WIDTH="322"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>Approval and denial of requests.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="110"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><B
+CLASS="command"
+>config</B
+></P
+></TD
+><TD
+WIDTH="322"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>Configuration file parsing and processing.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="110"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><B
+CLASS="command"
+>resolver</B
+></P
+></TD
+><TD
+WIDTH="322"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>DNS resolution, such as the recursive
+lookups performed on behalf of clients by a caching name server.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="110"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><B
+CLASS="command"
+>xfer-in</B
+></P
+></TD
+><TD
+WIDTH="322"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>Zone transfers the server is receiving.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="110"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><B
+CLASS="command"
+>xfer-out</B
+></P
+></TD
+><TD
+WIDTH="322"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>Zone transfers the server is sending.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="110"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><B
+CLASS="command"
+>notify</B
+></P
+></TD
+><TD
+WIDTH="322"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>The NOTIFY protocol.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="110"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><B
+CLASS="command"
+>client</B
+></P
+></TD
+><TD
+WIDTH="322"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>Processing of client requests.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="110"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><B
+CLASS="command"
+>unmatched</B
+></P
+></TD
+><TD
+WIDTH="322"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>Messages that named was unable to determine the
+class of or for which there was no matching <B
+CLASS="command"
+>view</B
+>.
+A one line summary is also logged to the <B
+CLASS="command"
+>client</B
+> category.
 This category is best sent to a file or stderr, by default it is sent to
-the <span><strong class="command">null</strong></span> channel.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">network</strong></span></p></td>
-<td><p>Network operations.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">update</strong></span></p></td>
-<td><p>Dynamic updates.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">queries</strong></span></p></td>
-<td><p>Queries. Using the category <span><strong class="command">queries</strong></span> will enable query logging.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">dispatch</strong></span></p></td>
-<td><p>Dispatching of incoming packets to the
+the <B
+CLASS="command"
+>null</B
+> channel.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="110"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><B
+CLASS="command"
+>network</B
+></P
+></TD
+><TD
+WIDTH="322"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>Network operations.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="110"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><B
+CLASS="command"
+>update</B
+></P
+></TD
+><TD
+WIDTH="322"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>Dynamic updates.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="110"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><B
+CLASS="command"
+>update-security</B
+></P
+></TD
+><TD
+WIDTH="322"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>Approval and denial of update requests.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="110"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><B
+CLASS="command"
+>queries</B
+></P
+></TD
+><TD
+WIDTH="322"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>Specify where queries should be logged to.</P
+>
+<P
+>&#13;At startup, specifing the category <B
+CLASS="command"
+>queries</B
+> will also
+enable query logging unless <B
+CLASS="command"
+>querylog</B
+> option has been
+specified.
+</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="110"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><B
+CLASS="command"
+>dispatch</B
+></P
+></TD
+><TD
+WIDTH="322"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>Dispatching of incoming packets to the
 server modules where they are to be processed.
-</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">dnssec</strong></span></p></td>
-<td><p>DNSSEC and TSIG protocol processing.
-</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">lame-servers</strong></span></p></td>
-<td><p>Lame servers.  These are misconfigurations
+</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="110"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><B
+CLASS="command"
+>dnssec</B
+></P
+></TD
+><TD
+WIDTH="322"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>DNSSEC and TSIG protocol processing.
+</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="110"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><B
+CLASS="command"
+>lame-servers</B
+></P
+></TD
+><TD
+WIDTH="322"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>Lame servers.  These are misconfigurations
 in remote servers, discovered by BIND 9 when trying to query
 those servers during resolution.
-</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">delegation-only</strong></span></p></td>
-<td><p>Delegation only.  Logs queries that have have
+</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="110"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><B
+CLASS="command"
+>delegation-only</B
+></P
+></TD
+><TD
+WIDTH="322"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>Delegation only.  Logs queries that have have
 been forced to NXDOMAIN as the result of a delegation-only zone or
-a <span><strong class="command">delegation-only</strong></span> in a hint or stub zone declartation.
-</p></td>
-</tr>
-</tbody>
-</table></div>
-</div>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2574326"></a><span><strong class="command">lwres</strong></span> Statement Grammar</h3></div></div></div>
-<p> This is the grammar of the <span><strong class="command">lwres</strong></span>
-statement in the <code class="filename">named.conf</code> file:</p>
-<pre class="programlisting"><span><strong class="command">lwres</strong></span> {
-    [<span class="optional"> listen-on { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
-    [<span class="optional"> view <em class="replaceable"><code>view_name</code></em>; </span>]
-    [<span class="optional"> search { <em class="replaceable"><code>domain_name</code></em> ; [<span class="optional"> <em class="replaceable"><code>domain_name</code></em> ; ... </span>] }; </span>]
-    [<span class="optional"> ndots <em class="replaceable"><code>number</code></em>; </span>]
+a <B
+CLASS="command"
+>delegation-only</B
+> in a hint or stub zone declaration.
+</P
+></TD
+></TR
+></TBODY
+></TABLE
+><P
+></P
+></DIV
+></DIV
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN1887"
+>6.2.11. <B
+CLASS="command"
+>lwres</B
+> Statement Grammar</A
+></H2
+><P
+> This is the grammar of the <B
+CLASS="command"
+>lwres</B
+>
+statement in the <TT
+CLASS="filename"
+>named.conf</TT
+> file:</P
+><PRE
+CLASS="programlisting"
+><B
+CLASS="command"
+>lwres</B
+> {
+    [<SPAN
+CLASS="optional"
+> listen-on { <TT
+CLASS="replaceable"
+><I
+>ip_addr</I
+></TT
+> [<SPAN
+CLASS="optional"
+>port <TT
+CLASS="replaceable"
+><I
+>ip_port</I
+></TT
+></SPAN
+>] ; [<SPAN
+CLASS="optional"
+> <TT
+CLASS="replaceable"
+><I
+>ip_addr</I
+></TT
+> [<SPAN
+CLASS="optional"
+>port <TT
+CLASS="replaceable"
+><I
+>ip_port</I
+></TT
+></SPAN
+>] ; ... </SPAN
+>] }; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> view <TT
+CLASS="replaceable"
+><I
+>view_name</I
+></TT
+>; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> search { <TT
+CLASS="replaceable"
+><I
+>domain_name</I
+></TT
+> ; [<SPAN
+CLASS="optional"
+> <TT
+CLASS="replaceable"
+><I
+>domain_name</I
+></TT
+> ; ... </SPAN
+>] }; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> ndots <TT
+CLASS="replaceable"
+><I
+>number</I
+></TT
+>; </SPAN
+>]
 };
-</pre>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2574398"></a><span><strong class="command">lwres</strong></span> Statement Definition and Usage</h3></div></div></div>
-<p>The <span><strong class="command">lwres</strong></span> statement configures the name
-server to also act as a light-weight resolver daemon. (See
-<a href="Bv9ARM.ch05.html#lwresd" title="Running a Resolver Daemon">the section called &#8220;Running a Resolver Daemon&#8221;</a>.)  There may be multiple
-<span><strong class="command">lwres</strong></span> statements configuring
-lightweight resolver servers with different properties.</p>
-<p>The <span><strong class="command">listen-on</strong></span> statement specifies a list of
+</PRE
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN1911"
+>6.2.12. <B
+CLASS="command"
+>lwres</B
+> Statement Definition and Usage</A
+></H2
+><P
+>The <B
+CLASS="command"
+>lwres</B
+> statement configures the name
+server to also act as a lightweight resolver server, see
+<A
+HREF="Bv9ARM.ch05.html#lwresd"
+>Section 5.2</A
+>.  There may be be multiple
+<B
+CLASS="command"
+>lwres</B
+> statements configuring
+lightweight resolver servers with different properties.</P
+><P
+>The <B
+CLASS="command"
+>listen-on</B
+> statement specifies a list of
 addresses (and ports) that this instance of a lightweight resolver daemon
 should accept requests on.  If no port is specified, port 921 is used.
 If this statement is omitted, requests will be accepted on 127.0.0.1,
-port 921.</p>
-<p>The <span><strong class="command">view</strong></span> statement binds this instance of a
+port 921.</P
+><P
+>The <B
+CLASS="command"
+>view</B
+> statement binds this instance of a
 lightweight resolver daemon to a view in the DNS namespace, so that the
 response will be constructed in the same manner as a normal DNS query
 matching this view.  If this statement is omitted, the default view is
-used, and if there is no default view, an error is triggered.</p>
-<p>The <span><strong class="command">search</strong></span> statement is equivalent to the
-<span><strong class="command">search</strong></span> statement in
-<code class="filename">/etc/resolv.conf</code>.  It provides a list of domains
-which are appended to relative names in queries.</p>
-<p>The <span><strong class="command">ndots</strong></span> statement is equivalent to the
-<span><strong class="command">ndots</strong></span> statement in
-<code class="filename">/etc/resolv.conf</code>.  It indicates the minimum
+used, and if there is no default view, an error is triggered.</P
+><P
+>The <B
+CLASS="command"
+>search</B
+> statement is equivalent to the
+<B
+CLASS="command"
+>search</B
+> statement in
+<TT
+CLASS="filename"
+>/etc/resolv.conf</TT
+>.  It provides a list of domains
+which are appended to relative names in queries.</P
+><P
+>The <B
+CLASS="command"
+>ndots</B
+> statement is equivalent to the
+<B
+CLASS="command"
+>ndots</B
+> statement in
+<TT
+CLASS="filename"
+>/etc/resolv.conf</TT
+>.  It indicates the minimum
 number of dots in a relative domain name that should result in an
-exact match lookup before search path elements are appended.</p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2574530"></a><span><strong class="command">options</strong></span> Statement Grammar</h3></div></div></div>
-<p>This is the grammar of the <span><strong class="command">options</strong></span>
-statement in the <code class="filename">named.conf</code> file:</p>
-<pre class="programlisting">options {
-    [<span class="optional"> version <em class="replaceable"><code>version_string</code></em>; </span>]
-    [<span class="optional"> directory <em class="replaceable"><code>path_name</code></em>; </span>]
-    [<span class="optional"> named-xfer <em class="replaceable"><code>path_name</code></em>; </span>]
-    [<span class="optional"> tkey-domain <em class="replaceable"><code>domainname</code></em>; </span>]
-    [<span class="optional"> tkey-dhkey <em class="replaceable"><code>key_name</code></em> <em class="replaceable"><code>key_tag</code></em>; </span>]
-    [<span class="optional"> cache-file <em class="replaceable"><code>path_name</code></em>; </span>]
-    [<span class="optional"> dump-file <em class="replaceable"><code>path_name</code></em>; </span>]
-    [<span class="optional"> memstatistics-file <em class="replaceable"><code>path_name</code></em>; </span>]
-    [<span class="optional"> pid-file <em class="replaceable"><code>path_name</code></em>; </span>]
-    [<span class="optional"> statistics-file <em class="replaceable"><code>path_name</code></em>; </span>]
-    [<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em>; </span>]
-    [<span class="optional"> auth-nxdomain <em class="replaceable"><code>yes_or_no</code></em>; </span>]
-    [<span class="optional"> deallocate-on-exit <em class="replaceable"><code>yes_or_no</code></em>; </span>]
-    [<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em>; </span>]
-    [<span class="optional"> fake-iquery <em class="replaceable"><code>yes_or_no</code></em>; </span>]
-    [<span class="optional"> fetch-glue <em class="replaceable"><code>yes_or_no</code></em>; </span>]
-    [<span class="optional"> has-old-clients <em class="replaceable"><code>yes_or_no</code></em>; </span>]
-    [<span class="optional"> host-statistics <em class="replaceable"><code>yes_or_no</code></em>; </span>]
-    [<span class="optional"> host-statistics-max <em class="replaceable"><code>number</code></em>; </span>]
-    [<span class="optional"> minimal-responses <em class="replaceable"><code>yes_or_no</code></em>; </span>]
-    [<span class="optional"> multiple-cnames <em class="replaceable"><code>yes_or_no</code></em>; </span>]
-    [<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em>; </span>]
-    [<span class="optional"> recursion <em class="replaceable"><code>yes_or_no</code></em>; </span>]
-    [<span class="optional"> rfc2308-type1 <em class="replaceable"><code>yes_or_no</code></em>; </span>]
-    [<span class="optional"> use-id-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>]
-    [<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em>; </span>]
-    [<span class="optional"> forward ( <em class="replaceable"><code>only</code></em> | <em class="replaceable"><code>first</code></em> ); </span>]
-    [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
-    [<span class="optional"> check-names ( <em class="replaceable"><code>master</code></em> | <em class="replaceable"><code>slave</code></em> | <em class="replaceable"><code> response</code></em> )( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
-    [<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
-    [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
-    [<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
-    [<span class="optional"> allow-recursion { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
-    [<span class="optional"> allow-v6-synthesis { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
-    [<span class="optional"> blackhole { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
-    [<span class="optional"> listen-on [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em> </span>] { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
-    [<span class="optional"> listen-on-v6 [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em> </span>] { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
-    [<span class="optional"> query-source [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>]
-    [<span class="optional"> query-source-v6 [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>]
-    [<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em>; </span>]
-    [<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em>; </span>]
-    [<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em>; </span>]
-    [<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em>; </span>]
-    [<span class="optional"> tcp-clients <em class="replaceable"><code>number</code></em>; </span>]
-    [<span class="optional"> recursive-clients <em class="replaceable"><code>number</code></em>; </span>]
-    [<span class="optional"> serial-query-rate <em class="replaceable"><code>number</code></em>; </span>]
-    [<span class="optional"> serial-queries <em class="replaceable"><code>number</code></em>; </span>]
-    [<span class="optional"> transfer-format <em class="replaceable"><code>( one-answer | many-answers )</code></em>; </span>]
-    [<span class="optional"> transfers-in  <em class="replaceable"><code>number</code></em>; </span>]
-    [<span class="optional"> transfers-out <em class="replaceable"><code>number</code></em>; </span>]
-    [<span class="optional"> transfers-per-ns <em class="replaceable"><code>number</code></em>; </span>]
-    [<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
-    [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
-    [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
-    [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
-    [<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
-    [<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em>; </span>]
-    [<span class="optional"> coresize <em class="replaceable"><code>size_spec</code></em> ; </span>]
-    [<span class="optional"> datasize <em class="replaceable"><code>size_spec</code></em> ; </span>]
-    [<span class="optional"> files <em class="replaceable"><code>size_spec</code></em> ; </span>]
-    [<span class="optional"> stacksize <em class="replaceable"><code>size_spec</code></em> ; </span>]
-    [<span class="optional"> cleaning-interval <em class="replaceable"><code>number</code></em>; </span>]
-    [<span class="optional"> heartbeat-interval <em class="replaceable"><code>number</code></em>; </span>]
-    [<span class="optional"> interface-interval <em class="replaceable"><code>number</code></em>; </span>]
-    [<span class="optional"> statistics-interval <em class="replaceable"><code>number</code></em>; </span>]
-    [<span class="optional"> topology { <em class="replaceable"><code>address_match_list</code></em> }</span>];
-    [<span class="optional"> sortlist { <em class="replaceable"><code>address_match_list</code></em> }</span>];
-    [<span class="optional"> rrset-order { <em class="replaceable"><code>order_spec</code></em> ; [<span class="optional"> <em class="replaceable"><code>order_spec</code></em> ; ... </span>] </span>] };
-    [<span class="optional"> lame-ttl <em class="replaceable"><code>number</code></em>; </span>]
-    [<span class="optional"> max-ncache-ttl <em class="replaceable"><code>number</code></em>; </span>]
-    [<span class="optional"> max-cache-ttl <em class="replaceable"><code>number</code></em>; </span>]
-    [<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> min-roots <em class="replaceable"><code>number</code></em>; </span>]
-    [<span class="optional"> use-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
-    [<span class="optional"> provide-ixfr <em class="replaceable"><code>yes_or_no</code></em>; </span>]
-    [<span class="optional"> request-ixfr <em class="replaceable"><code>yes_or_no</code></em>; </span>]
-    [<span class="optional"> treat-cr-as-space <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
-    [<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em>; </span>]
-    [<span class="optional"> additional-from-auth <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
-    [<span class="optional"> additional-from-cache <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
-    [<span class="optional"> random-device <em class="replaceable"><code>path_name</code></em> ; </span>]
-    [<span class="optional"> max-cache-size <em class="replaceable"><code>size_spec</code></em> ; </span>]
-    [<span class="optional"> match-mapped-addresses <em class="replaceable"><code>yes_or_no</code></em>; </span>]
-    [<span class="optional"> root-delegation-only [<span class="optional"> exclude { <em class="replaceable"><code>namelist
-</code></em> } </span>] ; </span>]
-
+exact match lookup before search path elements are appended.</P
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN1930"
+>6.2.13. <B
+CLASS="command"
+>masters</B
+> Statement Grammar</A
+></H2
+><PRE
+CLASS="programlisting"
+>&#13;<B
+CLASS="command"
+>masters</B
+> <TT
+CLASS="replaceable"
+><I
+>name</I
+></TT
+> [<SPAN
+CLASS="optional"
+>port <TT
+CLASS="replaceable"
+><I
+>ip_port</I
+></TT
+></SPAN
+>] { ( <TT
+CLASS="replaceable"
+><I
+>masters_list</I
+></TT
+> | <TT
+CLASS="replaceable"
+><I
+>ip_addr</I
+></TT
+> [<SPAN
+CLASS="optional"
+>port <TT
+CLASS="replaceable"
+><I
+>ip_port</I
+></TT
+></SPAN
+>] [<SPAN
+CLASS="optional"
+>key <TT
+CLASS="replaceable"
+><I
+>key</I
+></TT
+></SPAN
+>] ) ; [<SPAN
+CLASS="optional"
+>...</SPAN
+>] } ; 
+</PRE
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN1945"
+>6.2.14. <B
+CLASS="command"
+>masters</B
+> Statement Definition and Usage</A
+></H2
+><P
+><B
+CLASS="command"
+>masters</B
+> lists allow for a common set of masters
+to be easily used by multiple stub and slave zones.</P
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN1950"
+>6.2.15. <B
+CLASS="command"
+>options</B
+> Statement Grammar</A
+></H2
+><P
+>This is the grammar of the <B
+CLASS="command"
+>options</B
+>
+statement in the <TT
+CLASS="filename"
+>named.conf</TT
+> file:</P
+><PRE
+CLASS="programlisting"
+>options {
+    [<SPAN
+CLASS="optional"
+> version <TT
+CLASS="replaceable"
+><I
+>version_string</I
+></TT
+>; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> hostname <TT
+CLASS="replaceable"
+><I
+>hostname_string</I
+></TT
+>; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> server-id <TT
+CLASS="replaceable"
+><I
+>server_id_string</I
+></TT
+>; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> directory <TT
+CLASS="replaceable"
+><I
+>path_name</I
+></TT
+>; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> key-directory <TT
+CLASS="replaceable"
+><I
+>path_name</I
+></TT
+>; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> named-xfer <TT
+CLASS="replaceable"
+><I
+>path_name</I
+></TT
+>; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> tkey-domain <TT
+CLASS="replaceable"
+><I
+>domainname</I
+></TT
+>; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> tkey-dhkey <TT
+CLASS="replaceable"
+><I
+>key_name</I
+></TT
+> <TT
+CLASS="replaceable"
+><I
+>key_tag</I
+></TT
+>; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> dump-file <TT
+CLASS="replaceable"
+><I
+>path_name</I
+></TT
+>; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> memstatistics-file <TT
+CLASS="replaceable"
+><I
+>path_name</I
+></TT
+>; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> pid-file <TT
+CLASS="replaceable"
+><I
+>path_name</I
+></TT
+>; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> statistics-file <TT
+CLASS="replaceable"
+><I
+>path_name</I
+></TT
+>; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> zone-statistics <TT
+CLASS="replaceable"
+><I
+>yes_or_no</I
+></TT
+>; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> auth-nxdomain <TT
+CLASS="replaceable"
+><I
+>yes_or_no</I
+></TT
+>; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> deallocate-on-exit <TT
+CLASS="replaceable"
+><I
+>yes_or_no</I
+></TT
+>; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> dialup <TT
+CLASS="replaceable"
+><I
+>dialup_option</I
+></TT
+>; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> fake-iquery <TT
+CLASS="replaceable"
+><I
+>yes_or_no</I
+></TT
+>; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> fetch-glue <TT
+CLASS="replaceable"
+><I
+>yes_or_no</I
+></TT
+>; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> flush-zones-on-shutdown <TT
+CLASS="replaceable"
+><I
+>yes_or_no</I
+></TT
+>; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> has-old-clients <TT
+CLASS="replaceable"
+><I
+>yes_or_no</I
+></TT
+>; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> host-statistics <TT
+CLASS="replaceable"
+><I
+>yes_or_no</I
+></TT
+>; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> minimal-responses <TT
+CLASS="replaceable"
+><I
+>yes_or_no</I
+></TT
+>; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> multiple-cnames <TT
+CLASS="replaceable"
+><I
+>yes_or_no</I
+></TT
+>; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> notify <TT
+CLASS="replaceable"
+><I
+>yes_or_no</I
+></TT
+> | <TT
+CLASS="replaceable"
+><I
+>explicit</I
+></TT
+>; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> recursion <TT
+CLASS="replaceable"
+><I
+>yes_or_no</I
+></TT
+>; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> rfc2308-type1 <TT
+CLASS="replaceable"
+><I
+>yes_or_no</I
+></TT
+>; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> use-id-pool <TT
+CLASS="replaceable"
+><I
+>yes_or_no</I
+></TT
+>; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> maintain-ixfr-base <TT
+CLASS="replaceable"
+><I
+>yes_or_no</I
+></TT
+>; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> dnssec-enable <TT
+CLASS="replaceable"
+><I
+>yes_or_no</I
+></TT
+>; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> dnssec-lookaside <TT
+CLASS="replaceable"
+><I
+>domain</I
+></TT
+>; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> forward ( <TT
+CLASS="replaceable"
+><I
+>only</I
+></TT
+> | <TT
+CLASS="replaceable"
+><I
+>first</I
+></TT
+> ); </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> forwarders { <TT
+CLASS="replaceable"
+><I
+>ip_addr</I
+></TT
+> [<SPAN
+CLASS="optional"
+>port <TT
+CLASS="replaceable"
+><I
+>ip_port</I
+></TT
+></SPAN
+>] ; [<SPAN
+CLASS="optional"
+> <TT
+CLASS="replaceable"
+><I
+>ip_addr</I
+></TT
+> [<SPAN
+CLASS="optional"
+>port <TT
+CLASS="replaceable"
+><I
+>ip_port</I
+></TT
+></SPAN
+>] ; ... </SPAN
+>] }; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> dual-stack-servers [<SPAN
+CLASS="optional"
+>port <TT
+CLASS="replaceable"
+><I
+>ip_port</I
+></TT
+></SPAN
+>] { ( <TT
+CLASS="replaceable"
+><I
+>domain_name</I
+></TT
+> [<SPAN
+CLASS="optional"
+>port <TT
+CLASS="replaceable"
+><I
+>ip_port</I
+></TT
+></SPAN
+>] | <TT
+CLASS="replaceable"
+><I
+>ip_addr</I
+></TT
+> [<SPAN
+CLASS="optional"
+>port <TT
+CLASS="replaceable"
+><I
+>ip_port</I
+></TT
+></SPAN
+>] ) ; ... }; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> check-names ( <TT
+CLASS="replaceable"
+><I
+>master</I
+></TT
+> | <TT
+CLASS="replaceable"
+><I
+>slave</I
+></TT
+> | <TT
+CLASS="replaceable"
+><I
+> response</I
+></TT
+> )( <TT
+CLASS="replaceable"
+><I
+>warn</I
+></TT
+> | <TT
+CLASS="replaceable"
+><I
+>fail</I
+></TT
+> | <TT
+CLASS="replaceable"
+><I
+>ignore</I
+></TT
+> ); </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> allow-notify { <TT
+CLASS="replaceable"
+><I
+>address_match_list</I
+></TT
+> }; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> allow-query { <TT
+CLASS="replaceable"
+><I
+>address_match_list</I
+></TT
+> }; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> allow-transfer { <TT
+CLASS="replaceable"
+><I
+>address_match_list</I
+></TT
+> }; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> allow-recursion { <TT
+CLASS="replaceable"
+><I
+>address_match_list</I
+></TT
+> }; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> allow-update-forwarding { <TT
+CLASS="replaceable"
+><I
+>address_match_list</I
+></TT
+> }; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> allow-v6-synthesis { <TT
+CLASS="replaceable"
+><I
+>address_match_list</I
+></TT
+> }; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> blackhole { <TT
+CLASS="replaceable"
+><I
+>address_match_list</I
+></TT
+> }; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> avoid-v4-udp-ports { <TT
+CLASS="replaceable"
+><I
+>port_list</I
+></TT
+> }; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> avoid-v6-udp-ports { <TT
+CLASS="replaceable"
+><I
+>port_list</I
+></TT
+> }; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> listen-on [<SPAN
+CLASS="optional"
+> port <TT
+CLASS="replaceable"
+><I
+>ip_port</I
+></TT
+> </SPAN
+>] { <TT
+CLASS="replaceable"
+><I
+>address_match_list</I
+></TT
+> }; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> listen-on-v6 [<SPAN
+CLASS="optional"
+> port <TT
+CLASS="replaceable"
+><I
+>ip_port</I
+></TT
+> </SPAN
+>] { <TT
+CLASS="replaceable"
+><I
+>address_match_list</I
+></TT
+> }; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> query-source [<SPAN
+CLASS="optional"
+> address ( <TT
+CLASS="replaceable"
+><I
+>ip_addr</I
+></TT
+> | <TT
+CLASS="replaceable"
+><I
+>*</I
+></TT
+> ) </SPAN
+>] [<SPAN
+CLASS="optional"
+> port ( <TT
+CLASS="replaceable"
+><I
+>ip_port</I
+></TT
+> | <TT
+CLASS="replaceable"
+><I
+>*</I
+></TT
+> ) </SPAN
+>]; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> query-source-v6 [<SPAN
+CLASS="optional"
+> address ( <TT
+CLASS="replaceable"
+><I
+>ip_addr</I
+></TT
+> | <TT
+CLASS="replaceable"
+><I
+>*</I
+></TT
+> ) </SPAN
+>] [<SPAN
+CLASS="optional"
+> port ( <TT
+CLASS="replaceable"
+><I
+>ip_port</I
+></TT
+> | <TT
+CLASS="replaceable"
+><I
+>*</I
+></TT
+> ) </SPAN
+>]; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> max-transfer-time-in <TT
+CLASS="replaceable"
+><I
+>number</I
+></TT
+>; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> max-transfer-time-out <TT
+CLASS="replaceable"
+><I
+>number</I
+></TT
+>; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> max-transfer-idle-in <TT
+CLASS="replaceable"
+><I
+>number</I
+></TT
+>; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> max-transfer-idle-out <TT
+CLASS="replaceable"
+><I
+>number</I
+></TT
+>; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> tcp-clients <TT
+CLASS="replaceable"
+><I
+>number</I
+></TT
+>; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> recursive-clients <TT
+CLASS="replaceable"
+><I
+>number</I
+></TT
+>; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> serial-query-rate <TT
+CLASS="replaceable"
+><I
+>number</I
+></TT
+>; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> serial-queries <TT
+CLASS="replaceable"
+><I
+>number</I
+></TT
+>; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> tcp-listen-queue <TT
+CLASS="replaceable"
+><I
+>number</I
+></TT
+>; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> transfer-format <TT
+CLASS="replaceable"
+><I
+>( one-answer | many-answers )</I
+></TT
+>; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> transfers-in  <TT
+CLASS="replaceable"
+><I
+>number</I
+></TT
+>; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> transfers-out <TT
+CLASS="replaceable"
+><I
+>number</I
+></TT
+>; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> transfers-per-ns <TT
+CLASS="replaceable"
+><I
+>number</I
+></TT
+>; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> transfer-source (<TT
+CLASS="replaceable"
+><I
+>ip4_addr</I
+></TT
+> | <TT
+CLASS="constant"
+>*</TT
+>) [<SPAN
+CLASS="optional"
+>port <TT
+CLASS="replaceable"
+><I
+>ip_port</I
+></TT
+></SPAN
+>] ; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> transfer-source-v6 (<TT
+CLASS="replaceable"
+><I
+>ip6_addr</I
+></TT
+> | <TT
+CLASS="constant"
+>*</TT
+>) [<SPAN
+CLASS="optional"
+>port <TT
+CLASS="replaceable"
+><I
+>ip_port</I
+></TT
+></SPAN
+>] ; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> alt-transfer-source (<TT
+CLASS="replaceable"
+><I
+>ip4_addr</I
+></TT
+> | <TT
+CLASS="constant"
+>*</TT
+>) [<SPAN
+CLASS="optional"
+>port <TT
+CLASS="replaceable"
+><I
+>ip_port</I
+></TT
+></SPAN
+>] ; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> alt-transfer-source-v6 (<TT
+CLASS="replaceable"
+><I
+>ip6_addr</I
+></TT
+> | <TT
+CLASS="constant"
+>*</TT
+>) [<SPAN
+CLASS="optional"
+>port <TT
+CLASS="replaceable"
+><I
+>ip_port</I
+></TT
+></SPAN
+>] ; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> use-alt-transfer-source <TT
+CLASS="replaceable"
+><I
+>yes_or_no</I
+></TT
+>; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> notify-source (<TT
+CLASS="replaceable"
+><I
+>ip4_addr</I
+></TT
+> | <TT
+CLASS="constant"
+>*</TT
+>) [<SPAN
+CLASS="optional"
+>port <TT
+CLASS="replaceable"
+><I
+>ip_port</I
+></TT
+></SPAN
+>] ; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> notify-source-v6 (<TT
+CLASS="replaceable"
+><I
+>ip6_addr</I
+></TT
+> | <TT
+CLASS="constant"
+>*</TT
+>) [<SPAN
+CLASS="optional"
+>port <TT
+CLASS="replaceable"
+><I
+>ip_port</I
+></TT
+></SPAN
+>] ; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> also-notify { <TT
+CLASS="replaceable"
+><I
+>ip_addr</I
+></TT
+> [<SPAN
+CLASS="optional"
+>port <TT
+CLASS="replaceable"
+><I
+>ip_port</I
+></TT
+></SPAN
+>] ; [<SPAN
+CLASS="optional"
+> <TT
+CLASS="replaceable"
+><I
+>ip_addr</I
+></TT
+> [<SPAN
+CLASS="optional"
+>port <TT
+CLASS="replaceable"
+><I
+>ip_port</I
+></TT
+></SPAN
+>] ; ... </SPAN
+>] }; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> max-ixfr-log-size <TT
+CLASS="replaceable"
+><I
+>number</I
+></TT
+>; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> max-journal-size <TT
+CLASS="replaceable"
+><I
+>size_spec</I
+></TT
+>; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> coresize <TT
+CLASS="replaceable"
+><I
+>size_spec</I
+></TT
+> ; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> datasize <TT
+CLASS="replaceable"
+><I
+>size_spec</I
+></TT
+> ; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> files <TT
+CLASS="replaceable"
+><I
+>size_spec</I
+></TT
+> ; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> stacksize <TT
+CLASS="replaceable"
+><I
+>size_spec</I
+></TT
+> ; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> cleaning-interval <TT
+CLASS="replaceable"
+><I
+>number</I
+></TT
+>; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> heartbeat-interval <TT
+CLASS="replaceable"
+><I
+>number</I
+></TT
+>; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> interface-interval <TT
+CLASS="replaceable"
+><I
+>number</I
+></TT
+>; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> statistics-interval <TT
+CLASS="replaceable"
+><I
+>number</I
+></TT
+>; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> topology { <TT
+CLASS="replaceable"
+><I
+>address_match_list</I
+></TT
+> }</SPAN
+>];
+    [<SPAN
+CLASS="optional"
+> sortlist { <TT
+CLASS="replaceable"
+><I
+>address_match_list</I
+></TT
+> }</SPAN
+>];
+    [<SPAN
+CLASS="optional"
+> rrset-order { <TT
+CLASS="replaceable"
+><I
+>order_spec</I
+></TT
+> ; [<SPAN
+CLASS="optional"
+> <TT
+CLASS="replaceable"
+><I
+>order_spec</I
+></TT
+> ; ... </SPAN
+>] </SPAN
+>] };
+    [<SPAN
+CLASS="optional"
+> lame-ttl <TT
+CLASS="replaceable"
+><I
+>number</I
+></TT
+>; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> max-ncache-ttl <TT
+CLASS="replaceable"
+><I
+>number</I
+></TT
+>; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> max-cache-ttl <TT
+CLASS="replaceable"
+><I
+>number</I
+></TT
+>; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> sig-validity-interval <TT
+CLASS="replaceable"
+><I
+>number</I
+></TT
+> ; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> min-roots <TT
+CLASS="replaceable"
+><I
+>number</I
+></TT
+>; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> use-ixfr <TT
+CLASS="replaceable"
+><I
+>yes_or_no</I
+></TT
+> ; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> provide-ixfr <TT
+CLASS="replaceable"
+><I
+>yes_or_no</I
+></TT
+>; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> request-ixfr <TT
+CLASS="replaceable"
+><I
+>yes_or_no</I
+></TT
+>; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> treat-cr-as-space <TT
+CLASS="replaceable"
+><I
+>yes_or_no</I
+></TT
+> ; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> min-refresh-time <TT
+CLASS="replaceable"
+><I
+>number</I
+></TT
+> ; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> max-refresh-time <TT
+CLASS="replaceable"
+><I
+>number</I
+></TT
+> ; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> min-retry-time <TT
+CLASS="replaceable"
+><I
+>number</I
+></TT
+> ; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> max-retry-time <TT
+CLASS="replaceable"
+><I
+>number</I
+></TT
+> ; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> port <TT
+CLASS="replaceable"
+><I
+>ip_port</I
+></TT
+>; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> additional-from-auth <TT
+CLASS="replaceable"
+><I
+>yes_or_no</I
+></TT
+> ; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> additional-from-cache <TT
+CLASS="replaceable"
+><I
+>yes_or_no</I
+></TT
+> ; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> random-device <TT
+CLASS="replaceable"
+><I
+>path_name</I
+></TT
+> ; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> max-cache-size <TT
+CLASS="replaceable"
+><I
+>size_spec</I
+></TT
+> ; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> match-mapped-addresses <TT
+CLASS="replaceable"
+><I
+>yes_or_no</I
+></TT
+>; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> preferred-glue ( <TT
+CLASS="replaceable"
+><I
+>A</I
+></TT
+> | <TT
+CLASS="replaceable"
+><I
+>AAAA</I
+></TT
+> | <TT
+CLASS="replaceable"
+><I
+>NONE</I
+></TT
+> ); </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> edns-udp-size <TT
+CLASS="replaceable"
+><I
+>number</I
+></TT
+>; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> root-delegation-only [<SPAN
+CLASS="optional"
+> exclude { <TT
+CLASS="replaceable"
+><I
+>namelist</I
+></TT
+> } </SPAN
+>] ; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> querylog <TT
+CLASS="replaceable"
+><I
+>yes_or_no</I
+></TT
+> ; </SPAN
+>]
 };
-</pre>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2575390"></a><span><strong class="command">options</strong></span> Statement Definition and Usage</h3></div></div></div>
-<p>The <span><strong class="command">options</strong></span> statement sets up global options
-to be used by <acronym class="acronym">BIND</acronym>. This statement may appear only
-once in a configuration file. If more than one occurrence is found,
-the first occurrence determines the actual options used, and a warning
-will be generated.  If there is no <span><strong class="command">options</strong></span>
+    [<SPAN
+CLASS="optional"
+> disable-algorithms <TT
+CLASS="replaceable"
+><I
+>domain</I
+></TT
+> { <TT
+CLASS="replaceable"
+><I
+>algorithm</I
+></TT
+>; [<SPAN
+CLASS="optional"
+> <TT
+CLASS="replaceable"
+><I
+>algorithm</I
+></TT
+>; </SPAN
+>] }; </SPAN
+>]
+</PRE
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="options"
+>6.2.16. <B
+CLASS="command"
+>options</B
+> Statement Definition and Usage</A
+></H2
+><P
+>The <B
+CLASS="command"
+>options</B
+> statement sets up global options
+to be used by <SPAN
+CLASS="acronym"
+>BIND</SPAN
+>. This statement may appear only
+once in a configuration file. If there is no <B
+CLASS="command"
+>options</B
+>
 statement, an options block with each option set to its default will
-be used.</p>
-<div class="variablelist"><dl>
-<dt><span class="term"><span><strong class="command">version</strong></span></span></dt>
-<dd><p>The version the server should report
-via a query of name <code class="filename">version.bind</code> in
-class <span><strong class="command">CHAOS</strong></span>.
-The default is the real version number of this server.</p></dd>
-<dt><span class="term"><span><strong class="command">directory</strong></span></span></dt>
-<dd><p>The working directory of the server.
+be used.</P
+><P
+></P
+><DIV
+CLASS="variablelist"
+><DL
+><DT
+><B
+CLASS="command"
+>directory</B
+></DT
+><DD
+><P
+>The working directory of the server.
 Any non-absolute pathnames in the configuration file will be taken
 as relative to this directory. The default location for most server
-output files (e.g. <code class="filename">named.run</code>) is this directory.
+output files (e.g. <TT
+CLASS="filename"
+>named.run</TT
+>) is this directory.
 If a directory is not specified, the working directory defaults
-to `<code class="filename">.</code>', the directory from which the server
-was started. The directory specified should be an absolute path.</p></dd>
-<dt><span class="term"><span><strong class="command">named-xfer</strong></span></span></dt>
-<dd><p><span class="emphasis"><em>This option is obsolete.</em></span>
-It was used in <acronym class="acronym">BIND</acronym> 8 to
-specify the pathname to the <span><strong class="command">named-xfer</strong></span> program.
-In <acronym class="acronym">BIND</acronym> 9, no separate <span><strong class="command">named-xfer</strong></span> program is
-needed; its functionality is built into the name server.</p></dd>
-<dt><span class="term"><span><strong class="command">tkey-domain</strong></span></span></dt>
-<dd><p>The domain appended to the names of all
-shared keys generated with <span><strong class="command">TKEY</strong></span>. When a client
-requests a <span><strong class="command">TKEY</strong></span> exchange, it may or may not specify
+to `<TT
+CLASS="filename"
+>.</TT
+>', the directory from which the server
+was started. The directory specified should be an absolute path.</P
+></DD
+><DT
+><B
+CLASS="command"
+>key-directory</B
+></DT
+><DD
+><P
+>When performing dynamic update of secure zones, the
+directory where the public and private key files should be found,
+if different than the current working directory.  The directory specified
+must be an absolute path.</P
+></DD
+><DT
+><B
+CLASS="command"
+>named-xfer</B
+></DT
+><DD
+><P
+><SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>This option is obsolete.</I
+></SPAN
+>
+It was used in <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 8 to
+specify the pathname to the <B
+CLASS="command"
+>named-xfer</B
+> program.
+In <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 9, no separate <B
+CLASS="command"
+>named-xfer</B
+> program is
+needed; its functionality is built into the name server.</P
+></DD
+><DT
+><B
+CLASS="command"
+>tkey-domain</B
+></DT
+><DD
+><P
+>The domain appended to the names of all
+shared keys generated with <B
+CLASS="command"
+>TKEY</B
+>. When a client
+requests a <B
+CLASS="command"
+>TKEY</B
+> exchange, it may or may not specify
 the desired name for the key. If present, the name of the shared
-key will be "<code class="varname">client specified part</code>" + 
-"<code class="varname">tkey-domain</code>".
-Otherwise, the name of the shared key will be "<code class="varname">random hex
-digits</code>" + "<code class="varname">tkey-domain</code>". In most cases,
-the <span><strong class="command">domainname</strong></span> should be the server's domain
-name.</p></dd>
-<dt><span class="term"><span><strong class="command">tkey-dhkey</strong></span></span></dt>
-<dd><p>The Diffie-Hellman key used by the server
+key will be "<TT
+CLASS="varname"
+>client specified part</TT
+>" + 
+"<TT
+CLASS="varname"
+>tkey-domain</TT
+>".
+Otherwise, the name of the shared key will be "<TT
+CLASS="varname"
+>random hex
+digits</TT
+>" + "<TT
+CLASS="varname"
+>tkey-domain</TT
+>". In most cases,
+the <B
+CLASS="command"
+>domainname</B
+> should be the server's domain
+name.</P
+></DD
+><DT
+><B
+CLASS="command"
+>tkey-dhkey</B
+></DT
+><DD
+><P
+>The Diffie-Hellman key used by the server
 to generate shared keys with clients using the Diffie-Hellman mode
-of <span><strong class="command">TKEY</strong></span>. The server must be able to load the
+of <B
+CLASS="command"
+>TKEY</B
+>. The server must be able to load the
 public and private keys from files in the working directory. In
-most cases, the keyname should be the server's host name.</p></dd>
-<dt><span class="term"><span><strong class="command">cache-file</strong></span></span></dt>
-<dd><p>
-		This is for testing only.  Do not use.
-              </p></dd>
-<dt><span class="term"><span><strong class="command">dump-file</strong></span></span></dt>
-<dd><p>The pathname of the file the server dumps
+most cases, the keyname should be the server's host name.</P
+></DD
+><DT
+><B
+CLASS="command"
+>dump-file</B
+></DT
+><DD
+><P
+>The pathname of the file the server dumps
 the database to when instructed to do so with
-<span><strong class="command">rndc dumpdb</strong></span>.
-If not specified, the default is <code class="filename">named_dump.db</code>.</p></dd>
-<dt><span class="term"><span><strong class="command">memstatistics-file</strong></span></span></dt>
-<dd>
-<p>The pathname of the file the server writes memory
+<B
+CLASS="command"
+>rndc dumpdb</B
+>.
+If not specified, the default is <TT
+CLASS="filename"
+>named_dump.db</TT
+>.</P
+></DD
+><DT
+><B
+CLASS="command"
+>memstatistics-file</B
+></DT
+><DD
+><P
+>The pathname of the file the server writes memory
 usage statistics to on exit. If not specified,
-the default is <code class="filename">named.memstats</code>.</p>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>Not yet implemented in <acronym class="acronym">BIND</acronym> 9.</p>
-</div>
-</dd>
-<dt><span class="term"><span><strong class="command">pid-file</strong></span></span></dt>
-<dd><p>The pathname of the file the server writes its process ID
-in. If not specified, the default is <code class="filename">/var/run/named.pid</code>.
+the default is <TT
+CLASS="filename"
+>named.memstats</TT
+>.</P
+></DD
+><DT
+><B
+CLASS="command"
+>pid-file</B
+></DT
+><DD
+><P
+>The pathname of the file the server writes its process ID
+in. If not specified, the default is <TT
+CLASS="filename"
+>/var/run/named.pid</TT
+>.
 The pid-file is used by programs that want to send signals to the running
-nameserver.</p></dd>
-<dt><span class="term"><span><strong class="command">statistics-file</strong></span></span></dt>
-<dd><p>The pathname of the file the server appends statistics
-to when instructed to do so using <span><strong class="command">rndc stats</strong></span>.
-If not specified, the default is <code class="filename">named.stats</code> in the
+name server. Specifying <B
+CLASS="command"
+>pid-file none</B
+> disables the
+use of a PID file &#8212; no file will be written and any
+existing one will be removed.  Note that <B
+CLASS="command"
+>none</B
+>
+is a keyword, not a file name, and therefore is not enclosed in
+double quotes.</P
+></DD
+><DT
+><B
+CLASS="command"
+>statistics-file</B
+></DT
+><DD
+><P
+>The pathname of the file the server appends statistics
+to when instructed to do so using <B
+CLASS="command"
+>rndc stats</B
+>.
+If not specified, the default is <TT
+CLASS="filename"
+>named.stats</TT
+> in the
 server's current directory.  The format of the file is described
-in <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called &#8220;The Statistics File&#8221;</a>.</p></dd>
-<dt><span class="term"><span><strong class="command">port</strong></span></span></dt>
-<dd><p>
-The UDP/TCP port number the server uses for 
+in <A
+HREF="Bv9ARM.ch06.html#statsfile"
+>Section 6.2.16.17</A
+></P
+></DD
+><DT
+><B
+CLASS="command"
+>port</B
+></DT
+><DD
+><P
+>&#13;The UDP/TCP port number the server uses for 
 receiving and sending DNS protocol traffic.
 The default is 53.  This option is mainly intended for server testing;
 a server using a port other than 53 will not be able to communicate with
 the global DNS.
-</p></dd>
-<dt><span class="term"><span><strong class="command">random-device</strong></span></span></dt>
-<dd><p>
-The source of entropy to be used by the server.  Entropy is primarily needed
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>random-device</B
+></DT
+><DD
+><P
+>&#13;The source of entropy to be used by the server.  Entropy is primarily needed
 for DNSSEC operations, such as TKEY transactions and dynamic update of signed
 zones.  This options specifies the device (or file) from which to read
 entropy.  If this is a file, operations requiring entropy will fail when the
 file has been exhausted.  If not specified, the default value is
-<code class="filename">/dev/random</code>
+<TT
+CLASS="filename"
+>/dev/random</TT
+>
 (or equivalent) when present, and none otherwise.  The
-<span><strong class="command">random-device</strong></span> option takes effect during
+<B
+CLASS="command"
+>random-device</B
+> option takes effect during
 the initial configuration load at server startup time and
-is ignored on subsequent reloads.</p></dd>
-<dt><span class="term"><span><strong class="command">root-delegation-only</strong></span></span></dt>
-<dd>
-<p>
-Turn on enforcment of delegation-only in TLDs and root zones with an optional
+is ignored on subsequent reloads.</P
+></DD
+><DT
+><B
+CLASS="command"
+>preferred-glue</B
+></DT
+><DD
+><P
+>&#13;If specified the listed type (A or AAAA) will be emitted before other glue
+in the additional section of a query response.
+The default is not to preference any type (NONE).
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>root-delegation-only</B
+></DT
+><DD
+><P
+>&#13;Turn on enforcement of delegation-only in TLDs and root zones with an optional
 exclude list.
-</p>
-<p>
-Note some TLDs are not delegation only (e.g. "DE", "LV", "US" and "MUSEUM").
-</p>
-<pre class="programlisting">
-options {
+</P
+><P
+>&#13;Note some TLDs are NOT delegation only (e.g. "DE", "LV", "US" and "MUSEUM").
+</P
+><PRE
+CLASS="programlisting"
+>&#13;options {
 	root-delegation-only exclude { "de"; "lv"; "us"; "museum"; };
 };
-</pre>
-</dd>
-</dl></div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="boolean_options"></a>Boolean Options</h4></div></div></div>
-<div class="variablelist"><dl>
-<dt><span class="term"><span><strong class="command">auth-nxdomain</strong></span></span></dt>
-<dd><p>If <strong class="userinput"><code>yes</code></strong>, then the <span><strong class="command">AA</strong></span> bit
+</PRE
+></DD
+><DT
+><B
+CLASS="command"
+>disable-algorithms</B
+></DT
+><DD
+><P
+>&#13;Disable the specified DNSSEC algorithms at and below the specified name.
+Multiple <B
+CLASS="command"
+>disable-algorithms</B
+> statements are allowed.
+Only the most specific will be applied.
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>dnssec-lookaside</B
+></DT
+><DD
+><P
+>&#13;When set <B
+CLASS="command"
+>dnssec-lookaside</B
+> provides the
+validator with an alternate method to validate DNSKEY records at the
+top of a zone.  When set the domain specified by
+<B
+CLASS="command"
+>dnssec-lookaside</B
+> is appended to DNSKEY's
+name and a DLV record is looked up.  If the DLV record validates
+a DNSKEY (similarly to the way a DS record does) the DNSKEY RRset is deemed to be trusted.
+</P
+></DD
+></DL
+></DIV
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="boolean_options"
+>6.2.16.1. Boolean Options</A
+></H3
+><P
+></P
+><DIV
+CLASS="variablelist"
+><DL
+><DT
+><B
+CLASS="command"
+>auth-nxdomain</B
+></DT
+><DD
+><P
+>If <TT
+CLASS="userinput"
+><B
+>yes</B
+></TT
+>, then the <B
+CLASS="command"
+>AA</B
+> bit
 is always set on NXDOMAIN responses, even if the server is not actually
-authoritative. The default is <strong class="userinput"><code>no</code></strong>; this is
-a change from <acronym class="acronym">BIND</acronym> 8. If you are using very old DNS software, you
-may need to set it to <strong class="userinput"><code>yes</code></strong>.</p></dd>
-<dt><span class="term"><span><strong class="command">deallocate-on-exit</strong></span></span></dt>
-<dd><p>This option was used in <acronym class="acronym">BIND</acronym> 8 to enable checking
-for memory leaks on exit. <acronym class="acronym">BIND</acronym> 9 ignores the option and always performs
-the checks.</p></dd>
-<dt><span class="term"><span><strong class="command">dialup</strong></span></span></dt>
-<dd>
-<p>If <strong class="userinput"><code>yes</code></strong>, then the
+authoritative. The default is <TT
+CLASS="userinput"
+><B
+>no</B
+></TT
+>; this is
+a change from <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 8. If you are using very old DNS software, you
+may need to set it to <TT
+CLASS="userinput"
+><B
+>yes</B
+></TT
+>.</P
+></DD
+><DT
+><B
+CLASS="command"
+>deallocate-on-exit</B
+></DT
+><DD
+><P
+>This option was used in <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 8 to enable checking
+for memory leaks on exit. <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 9 ignores the option and always performs
+the checks.</P
+></DD
+><DT
+><B
+CLASS="command"
+>dialup</B
+></DT
+><DD
+><P
+>If <TT
+CLASS="userinput"
+><B
+>yes</B
+></TT
+>, then the
 server treats all zones as if they are doing zone transfers across
-a dial-on-demand dialup link, which can be brought up by traffic
+a dial on demand dialup link, which can be brought up by traffic
 originating from this server. This has different effects according
 to zone type and concentrates the zone maintenance so that it all
-happens in a short interval, once every <span><strong class="command">heartbeat-interval</strong></span> and
+happens in a short interval, once every <B
+CLASS="command"
+>heartbeat-interval</B
+> and
 hopefully during the one call. It also suppresses some of the normal
-zone maintenance traffic. The default is <strong class="userinput"><code>no</code></strong>.</p>
-<p>The <span><strong class="command">dialup</strong></span> option
-may also be specified in the <span><strong class="command">view</strong></span> and 
-<span><strong class="command">zone</strong></span> statements,
-in which case it overrides the global <span><strong class="command">dialup</strong></span>
-option.</p>
-<p>If the zone is a master zone then the server will send out a NOTIFY 
-request to all the slaves. This will trigger the zone serial number check
-in the slave (providing it supports NOTIFY) allowing the slave to
-verify the zone while the connection is active.</p>
-<p>If the
+zone maintenance traffic. The default is <TT
+CLASS="userinput"
+><B
+>no</B
+></TT
+>.</P
+><P
+>The <B
+CLASS="command"
+>dialup</B
+> option
+may also be specified in the <B
+CLASS="command"
+>view</B
+> and 
+<B
+CLASS="command"
+>zone</B
+> statements,
+in which case it overrides the global <B
+CLASS="command"
+>dialup</B
+>
+option.</P
+><P
+>If the zone is a master zone then the server will send out a NOTIFY 
+request to all the slaves (default). This should trigger the zone serial
+number check in the slave (providing it supports NOTIFY) allowing the slave
+to verify the zone while the connection is active.
+The set of servers to which NOTIFY is sent can be controlled by
+<B
+CLASS="command"
+>notify</B
+> and <B
+CLASS="command"
+>also-notify</B
+>.</P
+><P
+>If the
 zone is a slave or stub zone, then the server will suppress the regular
 "zone up to date" (refresh) queries and only perform them when the
-<span><strong class="command">heartbeat-interval</strong></span> expires in addition to sending
-NOTIFY requests.</p>
-<p>Finer control can be achieved by using
-<strong class="userinput"><code>notify</code></strong> which only sends NOTIFY messages,
-<strong class="userinput"><code>notify-passive</code></strong> which sends NOTIFY messages and
-suppresses the normal refresh queries, <strong class="userinput"><code>refresh</code></strong>
-which suppresses normal refresh processing and send refresh queries 
-when the <span><strong class="command">heartbeat-interval</strong></span> expires and
-<strong class="userinput"><code>passive</code></strong> which just disables normal refresh
-processing.</p>
-</dd>
-<dt><span class="term"><span><strong class="command">fake-iquery</strong></span></span></dt>
-<dd><p>In <acronym class="acronym">BIND</acronym> 8, this option was used to
-enable simulating the obsolete DNS query type
-IQUERY. <acronym class="acronym">BIND</acronym> 9 never does IQUERY simulation.
-</p></dd>
-<dt><span class="term"><span><strong class="command">fetch-glue</strong></span></span></dt>
-<dd><p>This option is obsolete.
-In BIND 8, <strong class="userinput"><code>fetch-glue yes</code></strong>
+<B
+CLASS="command"
+>heartbeat-interval</B
+> expires in addition to sending
+NOTIFY requests.</P
+><P
+>Finer control can be achieved by using
+<TT
+CLASS="userinput"
+><B
+>notify</B
+></TT
+> which only sends NOTIFY messages,
+<TT
+CLASS="userinput"
+><B
+>notify-passive</B
+></TT
+> which sends NOTIFY messages and
+suppresses the normal refresh queries, <TT
+CLASS="userinput"
+><B
+>refresh</B
+></TT
+>
+which suppresses normal refresh processing and sends refresh queries 
+when the <B
+CLASS="command"
+>heartbeat-interval</B
+> expires, and
+<TT
+CLASS="userinput"
+><B
+>passive</B
+></TT
+> which just disables normal refresh
+processing.</P
+><DIV
+CLASS="informaltable"
+><A
+NAME="AEN2392"
+></A
+><P
+></P
+><TABLE
+CELLPADDING="3"
+BORDER="1"
+CLASS="CALSTABLE"
+><TBODY
+><TR
+><TD
+WIDTH="110"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>dialup mode</P
+></TD
+><TD
+WIDTH="110"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>normal refresh</P
+></TD
+><TD
+WIDTH="110"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>heart-beat refresh</P
+></TD
+><TD
+WIDTH="110"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>heart-beat notify</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="110"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><B
+CLASS="command"
+>no</B
+> (default)</P
+></TD
+><TD
+WIDTH="110"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>yes</P
+></TD
+><TD
+WIDTH="110"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>no</P
+></TD
+><TD
+WIDTH="110"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>no</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="110"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><B
+CLASS="command"
+>yes</B
+></P
+></TD
+><TD
+WIDTH="110"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>no</P
+></TD
+><TD
+WIDTH="110"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>yes</P
+></TD
+><TD
+WIDTH="110"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>yes</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="110"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><B
+CLASS="command"
+>notify</B
+></P
+></TD
+><TD
+WIDTH="110"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>yes</P
+></TD
+><TD
+WIDTH="110"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>no</P
+></TD
+><TD
+WIDTH="110"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>yes</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="110"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><B
+CLASS="command"
+>refresh</B
+></P
+></TD
+><TD
+WIDTH="110"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>no</P
+></TD
+><TD
+WIDTH="110"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>yes</P
+></TD
+><TD
+WIDTH="110"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>no</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="110"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><B
+CLASS="command"
+>passive</B
+></P
+></TD
+><TD
+WIDTH="110"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>no</P
+></TD
+><TD
+WIDTH="110"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>no</P
+></TD
+><TD
+WIDTH="110"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>no</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="110"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><B
+CLASS="command"
+>notify-passive</B
+></P
+></TD
+><TD
+WIDTH="110"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>no</P
+></TD
+><TD
+WIDTH="110"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>no</P
+></TD
+><TD
+WIDTH="110"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>yes</P
+></TD
+></TR
+></TBODY
+></TABLE
+><P
+></P
+></DIV
+><P
+>Note that normal NOTIFY processing is not affected by
+<B
+CLASS="command"
+>dialup</B
+>.</P
+></DD
+><DT
+><B
+CLASS="command"
+>fake-iquery</B
+></DT
+><DD
+><P
+>In <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 8, this option
+enabled simulating the obsolete DNS query type
+IQUERY. <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 9 never does IQUERY simulation.
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>fetch-glue</B
+></DT
+><DD
+><P
+>This option is obsolete.
+In BIND 8, <TT
+CLASS="userinput"
+><B
+>fetch-glue yes</B
+></TT
+>
 caused the server to attempt to fetch glue resource records it
 didn't have when constructing the additional
 data section of a response.  This is now considered a bad idea
-and BIND 9 never does it.</p></dd>
-<dt><span class="term"><span><strong class="command">has-old-clients</strong></span></span></dt>
-<dd><p>This option was incorrectly implemented
-in <acronym class="acronym">BIND</acronym> 8, and is ignored by <acronym class="acronym">BIND</acronym> 9.
+and BIND 9 never does it.</P
+></DD
+><DT
+><B
+CLASS="command"
+>flush-zones-on-shutdown</B
+></DT
+><DD
+><P
+>When the nameserver exits due receiving SIGTERM,
+flush / do not flush any pending zone writes.  The default is
+<B
+CLASS="command"
+>flush-zones-on-shutdown</B
+> <TT
+CLASS="userinput"
+><B
+>no</B
+></TT
+>.
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>has-old-clients</B
+></DT
+><DD
+><P
+>This option was incorrectly implemented
+in <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 8, and is ignored by <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 9.
 To achieve the intended effect
 of
-<span><strong class="command">has-old-clients</strong></span> <strong class="userinput"><code>yes</code></strong>, specify
-the two separate options <span><strong class="command">auth-nxdomain</strong></span> <strong class="userinput"><code>yes</code></strong>
-and <span><strong class="command">rfc2308-type1</strong></span> <strong class="userinput"><code>no</code></strong> instead.
-</p></dd>
-<dt><span class="term"><span><strong class="command">host-statistics</strong></span></span></dt>
-<dd><p>In BIND 8, this enables keeping of
-statistics for every host that the nameserver interacts with.
+<B
+CLASS="command"
+>has-old-clients</B
+> <TT
+CLASS="userinput"
+><B
+>yes</B
+></TT
+>, specify
+the two separate options <B
+CLASS="command"
+>auth-nxdomain</B
+> <TT
+CLASS="userinput"
+><B
+>yes</B
+></TT
+>
+and <B
+CLASS="command"
+>rfc2308-type1</B
+> <TT
+CLASS="userinput"
+><B
+>no</B
+></TT
+> instead.
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>host-statistics</B
+></DT
+><DD
+><P
+>In BIND 8, this enables keeping of
+statistics for every host that the name server interacts with.
 Not implemented in BIND 9.
-</p></dd>
-<dt><span class="term"><span><strong class="command">maintain-ixfr-base</strong></span></span></dt>
-<dd><p><span class="emphasis"><em>This option is obsolete</em></span>.
- It was used in <acronym class="acronym">BIND</acronym> 8 to determine whether a transaction log was
-kept for Incremental Zone Transfer. <acronym class="acronym">BIND</acronym> 9 maintains a transaction
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>maintain-ixfr-base</B
+></DT
+><DD
+><P
+><SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>This option is obsolete</I
+></SPAN
+>.
+ It was used in <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 8 to determine whether a transaction log was
+kept for Incremental Zone Transfer. <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 9 maintains a transaction
 log whenever possible.  If you need to disable outgoing incremental zone
-transfers, use <span><strong class="command">provide-ixfr</strong></span> <strong class="userinput"><code>no</code></strong>.
-</p></dd>
-<dt><span class="term"><span><strong class="command">minimal-responses</strong></span></span></dt>
-<dd><p>If <strong class="userinput"><code>yes</code></strong>, then when generating
+transfers, use <B
+CLASS="command"
+>provide-ixfr</B
+> <TT
+CLASS="userinput"
+><B
+>no</B
+></TT
+>.
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>minimal-responses</B
+></DT
+><DD
+><P
+>If <TT
+CLASS="userinput"
+><B
+>yes</B
+></TT
+>, then when generating
 responses the server will only add records to the authority and
 additional data sections when they are required (e.g. delegations,
 negative responses).  This may improve the performance of the server.
-The default is <strong class="userinput"><code>no</code></strong>.
-</p></dd>
-<dt><span class="term"><span><strong class="command">multiple-cnames</strong></span></span></dt>
-<dd><p>This option was used in <acronym class="acronym">BIND</acronym> 8 to allow
-a domain name to allow multiple CNAME records in violation of the
-DNS standards.  <acronym class="acronym">BIND</acronym> 9.2 always strictly
+The default is <TT
+CLASS="userinput"
+><B
+>no</B
+></TT
+>.
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>multiple-cnames</B
+></DT
+><DD
+><P
+>This option was used in <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 8 to allow
+a domain name to have multiple CNAME records in violation of the
+DNS standards.  <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 9.2 always strictly
 enforces the CNAME rules both in master files and dynamic updates.
-</p></dd>
-<dt><span class="term"><span><strong class="command">notify</strong></span></span></dt>
-<dd>
-<p>If <strong class="userinput"><code>yes</code></strong> (the default),
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>notify</B
+></DT
+><DD
+><P
+>If <TT
+CLASS="userinput"
+><B
+>yes</B
+></TT
+> (the default),
 DNS NOTIFY messages are sent when a zone the server is authoritative for
-changes, see <a href="Bv9ARM.ch03.html#notify" title="Notify">the section called &#8220;Notify&#8221;</a>.  The messages are sent to the
+changes, see <A
+HREF="Bv9ARM.ch04.html#notify"
+>Section 4.1</A
+>.  The messages are sent to the
 servers listed in the zone's NS records (except the master server identified
 in the SOA MNAME field), and to any servers listed in the
-<span><strong class="command">also-notify</strong></span> option.
-</p>
-<p>
-If <strong class="userinput"><code>explicit</code></strong>, notifies are sent only to
-servers explicitly listed using <span><strong class="command">also-notify</strong></span>.
-If <strong class="userinput"><code>no</code></strong>, no notifies are sent.
-</p>
-<p>
-The <span><strong class="command">notify</strong></span> option may also be
-specified in the <span><strong class="command">zone</strong></span> statement,
-in which case it overrides the <span><strong class="command">options notify</strong></span> statement.
+<B
+CLASS="command"
+>also-notify</B
+> option.
+</P
+><P
+>&#13;If <TT
+CLASS="userinput"
+><B
+>explicit</B
+></TT
+>, notifies are sent only to
+servers explicitly listed using <B
+CLASS="command"
+>also-notify</B
+>.
+If <TT
+CLASS="userinput"
+><B
+>no</B
+></TT
+>, no notifies are sent.
+</P
+><P
+>&#13;The <B
+CLASS="command"
+>notify</B
+> option may also be
+specified in the <B
+CLASS="command"
+>zone</B
+> statement,
+in which case it overrides the <B
+CLASS="command"
+>options notify</B
+> statement.
 It would only be necessary to turn off this option if it caused slaves
-to crash.</p>
-</dd>
-<dt><span class="term"><span><strong class="command">recursion</strong></span></span></dt>
-<dd><p>If <strong class="userinput"><code>yes</code></strong>, and a
+to crash.</P
+></DD
+><DT
+><B
+CLASS="command"
+>recursion</B
+></DT
+><DD
+><P
+>If <TT
+CLASS="userinput"
+><B
+>yes</B
+></TT
+>, and a
 DNS query requests recursion, then the server will attempt to do
 all the work required to answer the query. If recursion is off
 and the server does not already know the answer, it will return a
-referral response. The default is <strong class="userinput"><code>yes</code></strong>.
-Note that setting <span><strong class="command">recursion no;</strong></span> does not prevent
+referral response. The default is <TT
+CLASS="userinput"
+><B
+>yes</B
+></TT
+>.
+Note that setting <B
+CLASS="command"
+>recursion no</B
+> does not prevent
 clients from getting data from the server's cache; it only
 prevents new data from being cached as an effect of client queries.
 Caching may still occur as an effect the server's internal
 operation, such as NOTIFY address lookups.
-See also <span><strong class="command">fetch-glue</strong></span> above.
-</p></dd>
-<dt><span class="term"><span><strong class="command">rfc2308-type1</strong></span></span></dt>
-<dd>
-<p>Setting this to <strong class="userinput"><code>yes</code></strong> will
+See also <B
+CLASS="command"
+>fetch-glue</B
+> above.
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>rfc2308-type1</B
+></DT
+><DD
+><P
+>Setting this to <TT
+CLASS="userinput"
+><B
+>yes</B
+></TT
+> will
 cause the server to send NS records along with the SOA record for negative
-answers. The default is <strong class="userinput"><code>no</code></strong>.</p>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>Not yet implemented in <acronym class="acronym">BIND</acronym> 9.</p>
-</div>
-</dd>
-<dt><span class="term"><span><strong class="command">use-id-pool</strong></span></span></dt>
-<dd><p><span class="emphasis"><em>This option is obsolete</em></span>.
-<acronym class="acronym">BIND</acronym> 9 always allocates query IDs from a pool.
-</p></dd>
-<dt><span class="term"><span><strong class="command">zone-statistics</strong></span></span></dt>
-<dd><p>If <strong class="userinput"><code>yes</code></strong>, the server will, by default, collect
-statistical data on all zones in the server.  These statistics may be accessed
-using <span><strong class="command">rndc stats</strong></span>, which will dump them to the file listed
-in the <span><strong class="command">statistics-file</strong></span>.  See also <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called &#8220;The Statistics File&#8221;</a>.
-</p></dd>
-<dt><span class="term"><span><strong class="command">use-ixfr</strong></span></span></dt>
-<dd><p><span class="emphasis"><em>This option is obsolete</em></span>.
-If you need to disable IXFR to a particular server or servers, see
-the information on the <span><strong class="command">provide-ixfr</strong></span> option
-in <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and Usage">the section called &#8220;<span><strong class="command">server</strong></span> Statement Definition and Usage&#8221;</a>. See also
-<a href="Bv9ARM.ch04.html#incremental_zone_transfers" title="Incremental Zone Transfers (IXFR)">the section called &#8220;Incremental Zone Transfers (IXFR)&#8221;</a>.
-</p></dd>
-<dt><span class="term"><span><strong class="command">provide-ixfr</strong></span></span></dt>
-<dd><p>
-See the description of
-<span><strong class="command">provide-ixfr</strong></span> in
-<a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and Usage">the section called &#8220;<span><strong class="command">server</strong></span> Statement Definition and Usage&#8221;</a>.
-</p></dd>
-<dt><span class="term"><span><strong class="command">request-ixfr</strong></span></span></dt>
-<dd><p>
-See the description of
-<span><strong class="command">request-ixfr</strong></span> in
-<a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and Usage">the section called &#8220;<span><strong class="command">server</strong></span> Statement Definition and Usage&#8221;</a>.
-</p></dd>
-<dt><span class="term"><span><strong class="command">treat-cr-as-space</strong></span></span></dt>
-<dd><p>This option was used in <acronym class="acronym">BIND</acronym> 8 to make
-the server treat carriage return ("<span><strong class="command">\r</strong></span>") characters the same way
+answers. The default is <TT
+CLASS="userinput"
+><B
+>no</B
+></TT
+>.</P
+><DIV
+CLASS="note"
+><BLOCKQUOTE
+CLASS="note"
+><P
+><B
+>Note: </B
+>Not yet implemented in <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 9.</P
+></BLOCKQUOTE
+></DIV
+></DD
+><DT
+><B
+CLASS="command"
+>use-id-pool</B
+></DT
+><DD
+><P
+><SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>This option is obsolete</I
+></SPAN
+>.
+<SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 9 always allocates query IDs from a pool.
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>zone-statistics</B
+></DT
+><DD
+><P
+>If <TT
+CLASS="userinput"
+><B
+>yes</B
+></TT
+>, the server will collect
+statistical data on all zones (unless specifically turned off
+on a per-zone basis by specifying <B
+CLASS="command"
+>zone-statistics no</B
+>
+in the <B
+CLASS="command"
+>zone</B
+> statement).  These statistics may be accessed
+using <B
+CLASS="command"
+>rndc stats</B
+>, which will dump them to the file listed
+in the <B
+CLASS="command"
+>statistics-file</B
+>.  See also <A
+HREF="Bv9ARM.ch06.html#statsfile"
+>Section 6.2.16.17</A
+>.
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>use-ixfr</B
+></DT
+><DD
+><P
+><SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>This option is obsolete</I
+></SPAN
+>.
+If you need to disable IXFR to a particular server or servers see
+the information on the <B
+CLASS="command"
+>provide-ixfr</B
+> option
+in <A
+HREF="Bv9ARM.ch06.html#server_statement_definition_and_usage"
+>Section 6.2.18</A
+>. See also
+<A
+HREF="Bv9ARM.ch04.html#incremental_zone_transfers"
+>Section 4.3</A
+>.
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>provide-ixfr</B
+></DT
+><DD
+><P
+>&#13;See the description of
+<B
+CLASS="command"
+>provide-ixfr</B
+> in
+<A
+HREF="Bv9ARM.ch06.html#server_statement_definition_and_usage"
+>Section 6.2.18</A
+>
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>request-ixfr</B
+></DT
+><DD
+><P
+>&#13;See the description of
+<B
+CLASS="command"
+>request-ixfr</B
+> in
+<A
+HREF="Bv9ARM.ch06.html#server_statement_definition_and_usage"
+>Section 6.2.18</A
+>
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>treat-cr-as-space</B
+></DT
+><DD
+><P
+>This option was used in <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 8 to make
+the server treat carriage return ("<B
+CLASS="command"
+>\r</B
+>") characters the same way
 as a space or tab character,
 to facilitate loading of zone files on a UNIX system that were generated
-on an NT or DOS machine. In <acronym class="acronym">BIND</acronym> 9, both UNIX "<span><strong class="command">\n</strong></span>"
-and NT/DOS "<span><strong class="command">\r\n</strong></span>" newlines are always accepted,
-and the option is ignored.</p></dd>
-<dt>
-<span class="term"><span><strong class="command">additional-from-auth</strong></span>, </span><span class="term"><span><strong class="command">additional-from-cache</strong></span></span>
-</dt>
-<dd>
-<p>
-These options control the behavior of an authoritative server when
+on an NT or DOS machine. In <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 9, both UNIX "<B
+CLASS="command"
+>\n</B
+>"
+and NT/DOS "<B
+CLASS="command"
+>\r\n</B
+>" newlines are always accepted,
+and the option is ignored.</P
+></DD
+><DT
+><B
+CLASS="command"
+>additional-from-auth</B
+>, <B
+CLASS="command"
+>additional-from-cache</B
+></DT
+><DD
+><P
+>&#13;These options control the behavior of an authoritative server when
 answering queries which have additional data, or when following CNAME
 and DNAME chains.
-</p>
-<p>
-When both of these options are set to <strong class="userinput"><code>yes</code></strong> 
+</P
+><P
+>&#13;When both of these options are set to <TT
+CLASS="userinput"
+><B
+>yes</B
+></TT
+> 
 (the default) and a
 query is being answered from authoritative data (a zone
 configured into the server), the additional data section of the
@@ -1411,41 +5903,78 @@ untrusted third parties.  Also, avoiding
 the search for this additional data will speed up server operations
 at the possible expense of additional queries to resolve what would
 otherwise be provided in the additional section.
-</p>
-<p>
-For example, if a query asks for an MX record for host <code class="literal">foo.example.com</code>,
-and the record found is "<code class="literal">MX 10 mail.example.net</code>", normally the address
-records (A, A6, and AAAA) for <code class="literal">mail.example.net</code> will be provided as well,
-if known.  Setting these options to <span><strong class="command">no</strong></span> disables this behavior.
-</p>
-<p>
-These options are intended for use in authoritative-only 
+</P
+><P
+>&#13;For example, if a query asks for an MX record for host <TT
+CLASS="literal"
+>foo.example.com</TT
+>,
+and the record found is "<TT
+CLASS="literal"
+>MX 10 mail.example.net</TT
+>", normally the address
+records (A and AAAA) for <TT
+CLASS="literal"
+>mail.example.net</TT
+> will be provided as well,
+if known, even though they are not in the example.com zone.
+Setting these options to <B
+CLASS="command"
+>no</B
+> disables this behavior and makes
+the server only search for additional data in the zone it answers from.
+</P
+><P
+>&#13;These options are intended for use in authoritative-only 
 servers, or in authoritative-only views.  Attempts to set
-them to <span><strong class="command">no</strong></span> without also specifying
-<span><strong class="command">recursion no;</strong></span> will cause the server to
+them to <B
+CLASS="command"
+>no</B
+> without also specifying
+<B
+CLASS="command"
+>recursion no</B
+> will cause the server to
 ignore the options and log a warning message.
-</p>
-<p>
-Specifying <span><strong class="command">additional-from-cache no</strong></span> actually
+</P
+><P
+>&#13;Specifying <B
+CLASS="command"
+>additional-from-cache no</B
+> actually
 disables the use of the cache not only for additional data lookups
 but also when looking up the answer.  This is usually the desired
 behavior in an authoritative-only server where the correctness of
 the cached data is an issue.
-</p>
-<p>
-When a name server is non-recursively queried for a name that is not
+</P
+><P
+>&#13;When a name server is non-recursively queried for a name that is not
 below the apex of any served zone, it normally answers with an
 "upwards referral" to the root servers or the servers of some other
 known parent of the query name.  Since the data in an upwards referral
 comes from the cache, the server will not be able to provide upwards
-referrals when <span><strong class="command">additional-from-cache no</strong></span>
+referrals when <B
+CLASS="command"
+>additional-from-cache no</B
+>
 has been specified.  Instead, it will respond to such queries
 with REFUSED.  This should not cause any problems since
 upwards referrals are not required for the resolution process.
-</p>
-</dd>
-<dt><span class="term"><span><strong class="command">match-mapped-addresses</strong></span></span></dt>
-<dd><p>If <strong class="userinput"><code>yes</code></strong>, then an
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>match-mapped-addresses</B
+></DT
+><DD
+><P
+>If <TT
+CLASS="userinput"
+><B
+>yes</B
+></TT
+>, then an
 IPv4-mapped IPv6 address will match any address match
 list entries that match the corresponding IPv4 address.
 Enabling this option is sometimes useful on IPv6-enabled Linux
@@ -1454,313 +5983,1050 @@ TCP connections such as zone transfers to be accepted
 on an IPv6 socket using mapped addresses, causing
 address match lists designed for IPv4 to fail to match.
 The use of this option for any other purpose is discouraged.
-</p></dd>
-</dl></div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2576566"></a>Forwarding</h4></div></div></div>
-<p>The forwarding facility can be used to create a large site-wide
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>ixfr-from-differences</B
+></DT
+><DD
+><P
+>&#13;When 'yes' and the server loads a new version of a master
+zone from its zone file or receives a new version of a slave
+file by a non-incremental zone transfer, it will compare
+the new version to the previous one and calculate a set
+of differences.  The differences are then logged in the
+zone's journal file such that the changes can be transmitted
+to downstream slaves as an incremental zone transfer.
+</P
+><P
+>&#13;By allowing incremental zone transfers to be used for
+non-dynamic zones, this option saves bandwidth at the
+expense of increased CPU and memory consumption at the master.
+In particular, if the new version of a zone is completely
+different from the previous one, the set of differences
+will be of a size comparable to the combined size of the
+old and new zone version, and the server will need to
+temporarily allocate memory to hold this complete
+difference set.
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>multi-master</B
+></DT
+><DD
+><P
+>&#13;This should be set when you have multiple masters for a zone and the
+addresses refer to different machines.  If 'yes' named will not log
+when the serial number on the master is less than what named currently
+has.  The default is <TT
+CLASS="userinput"
+><B
+>no</B
+></TT
+>.
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>dnssec-enable</B
+></DT
+><DD
+><P
+>&#13;Enable DNSSEC support in named.  Unless set to <TT
+CLASS="userinput"
+><B
+>yes</B
+></TT
+>
+named behaves as if it does not support DNSSEC.
+The default is <TT
+CLASS="userinput"
+><B
+>no</B
+></TT
+>.
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>querylog</B
+></DT
+><DD
+><P
+>&#13;Specify whether query logging should be started when named start.
+If <B
+CLASS="command"
+>querylog</B
+> is not specified then the query logging
+is determined by the presence of the logging category <B
+CLASS="command"
+>queries</B
+>.
+</P
+></DD
+></DL
+></DIV
+></DIV
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="AEN2671"
+>6.2.16.2. Forwarding</A
+></H3
+><P
+>The forwarding facility can be used to create a large site-wide
 cache on a few servers, reducing traffic over links to external
-nameservers. It can also be used to allow queries by servers that
+name servers. It can also be used to allow queries by servers that
 do not have direct access to the Internet, but wish to look up exterior
 names anyway. Forwarding occurs only on those queries for which
 the server is not authoritative and does not have the answer in
-its cache.</p>
-<div class="variablelist"><dl>
-<dt><span class="term"><span><strong class="command">forward</strong></span></span></dt>
-<dd><p>This option is only meaningful if the
-forwarders list is not empty. A value of <code class="varname">first</code>,
-the default, causes the server to query the forwarders first &#8212; and
-if that doesn't answer the question, the server will then look for
-the answer itself. If <code class="varname">only</code> is specified, the
+its cache.</P
+><P
+></P
+><DIV
+CLASS="variablelist"
+><DL
+><DT
+><B
+CLASS="command"
+>forward</B
+></DT
+><DD
+><P
+>This option is only meaningful if the
+forwarders list is not empty. A value of <TT
+CLASS="varname"
+>first</TT
+>,
+the default, causes the server to query the forwarders first, and
+if that doesn't answer the question the server will then look for
+the answer itself. If <TT
+CLASS="varname"
+>only</TT
+> is specified, the
 server will only query the forwarders.
-</p></dd>
-<dt><span class="term"><span><strong class="command">forwarders</strong></span></span></dt>
-<dd><p>Specifies the IP addresses to be used
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>forwarders</B
+></DT
+><DD
+><P
+>Specifies the IP addresses to be used
 for forwarding. The default is the empty list (no forwarding).
-</p></dd>
-</dl></div>
-<p>Forwarding can also be configured on a per-domain basis, allowing
+</P
+></DD
+></DL
+></DIV
+><P
+>Forwarding can also be configured on a per-domain basis, allowing
 for the global forwarding options to be overridden in a variety
 of ways. You can set particular domains to use different forwarders,
-or have a different <span><strong class="command">forward only/first</strong></span> behavior,
-or not forward at all, see <a href="Bv9ARM.ch06.html#zone_statement_grammar" title="zone
-Statement Grammar">the section called &#8220;<span><strong class="command">zone</strong></span>
-Statement Grammar&#8221;</a>.</p>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="access_control"></a>Access Control</h4></div></div></div>
-<p>Access to the server can be restricted based on the IP address
-of the requesting system. See <a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called &#8220;Address Match Lists&#8221;</a> for
-details on how to specify IP address lists.</p>
-<div class="variablelist"><dl>
-<dt><span class="term"><span><strong class="command">allow-notify</strong></span></span></dt>
-<dd><p>Specifies which hosts are allowed to
-notify slaves of a zone change in addition to the zone masters.
-<span><strong class="command">allow-notify</strong></span> may also be specified in the
-<span><strong class="command">zone</strong></span> statement, in which case it overrides the
-<span><strong class="command">options allow-notify</strong></span> statement.  It is only meaningful
+or have a different <B
+CLASS="command"
+>forward only/first</B
+> behavior,
+or not forward at all, see <A
+HREF="Bv9ARM.ch06.html#zone_statement_grammar"
+>Section 6.2.23</A
+>.</P
+></DIV
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="AEN2690"
+>6.2.16.3. 6 to 4 Servers</A
+></H3
+><P
+>6 to 4 servers are used as servers of last resort to work around
+problems in reachability due the lack of support for either IPv4 or IPv6
+on the host machine.</P
+><P
+></P
+><DIV
+CLASS="variablelist"
+><DL
+><DT
+><B
+CLASS="command"
+>dual-stack-servers</B
+></DT
+><DD
+><P
+>Specifies host names / addresses of machines with access to
+both IPv4 and IPv6 transports. If a hostname is used the server must be able
+to resolve the name using only the transport it has.  If the machine is dual
+stacked then the <B
+CLASS="command"
+>dual-stack-servers</B
+> have no effect unless
+access to a transport has been disabled on the command line
+(e.g. <B
+CLASS="command"
+>named -4</B
+>).</P
+></DD
+></DL
+></DIV
+></DIV
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="access_control"
+>6.2.16.4. Access Control</A
+></H3
+><P
+>Access to the server can be restricted based on the IP address
+of the requesting system. See <A
+HREF="Bv9ARM.ch06.html#address_match_lists"
+>Section 6.1.1</A
+> for
+details on how to specify IP address lists.</P
+><P
+></P
+><DIV
+CLASS="variablelist"
+><DL
+><DT
+><B
+CLASS="command"
+>allow-notify</B
+></DT
+><DD
+><P
+>Specifies which hosts are allowed to
+notify this server, a slave, of zone changes in addition
+to the zone masters.
+<B
+CLASS="command"
+>allow-notify</B
+> may also be specified in the
+<B
+CLASS="command"
+>zone</B
+> statement, in which case it overrides the
+<B
+CLASS="command"
+>options allow-notify</B
+> statement.  It is only meaningful
 for a slave zone.  If not specified, the default is to process notify messages
-only from a zone's master.</p></dd>
-<dt><span class="term"><span><strong class="command">allow-query</strong></span></span></dt>
-<dd><p>Specifies which hosts are allowed to
-ask ordinary questions. <span><strong class="command">allow-query</strong></span> may also
-be specified in the <span><strong class="command">zone</strong></span> statement, in which
-case it overrides the <span><strong class="command">options allow-query</strong></span> statement. If
-not specified, the default is to allow queries from all hosts.</p></dd>
-<dt><span class="term"><span><strong class="command">allow-recursion</strong></span></span></dt>
-<dd><p>Specifies which hosts are allowed to
+only from a zone's master.</P
+></DD
+><DT
+><B
+CLASS="command"
+>allow-query</B
+></DT
+><DD
+><P
+>Specifies which hosts are allowed to
+ask ordinary DNS questions. <B
+CLASS="command"
+>allow-query</B
+> may also
+be specified in the <B
+CLASS="command"
+>zone</B
+> statement, in which
+case it overrides the <B
+CLASS="command"
+>options allow-query</B
+> statement. If
+not specified, the default is to allow queries from all hosts.</P
+></DD
+><DT
+><B
+CLASS="command"
+>allow-recursion</B
+></DT
+><DD
+><P
+>Specifies which hosts are allowed to
 make recursive queries through this server. If not specified, the
 default is to allow recursive queries from all hosts. 
 Note that disallowing recursive queries for a host does not prevent the
 host from retrieving data that is already in the server's cache.
-</p></dd>
-<dt><span class="term"><span><strong class="command">allow-v6-synthesis</strong></span></span></dt>
-<dd><p>Specifies which hosts are to receive
-synthetic responses to IPv6 queries as described in
-<a href="Bv9ARM.ch06.html#synthesis" title="Synthetic IPv6 responses">the section called &#8220;Synthetic IPv6 responses&#8221;</a>.
-</p></dd>
-<dt><span class="term"><span><strong class="command">allow-transfer</strong></span></span></dt>
-<dd><p>Specifies which hosts are allowed to
-receive zone transfers from the server. <span><strong class="command">allow-transfer</strong></span> may
-also be specified in the <span><strong class="command">zone</strong></span> statement, in which
-case it overrides the <span><strong class="command">options allow-transfer</strong></span> statement.
-If not specified, the default is to allow transfers to all hosts.</p></dd>
-<dt><span class="term"><span><strong class="command">blackhole</strong></span></span></dt>
-<dd><p>Specifies a list of addresses that the
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>allow-update-forwarding</B
+></DT
+><DD
+><P
+>Specifies which hosts are allowed to
+submit Dynamic DNS updates to slave zones to be forwarded to the
+master.  The default is <TT
+CLASS="userinput"
+><B
+>{ none; }</B
+></TT
+>, which 
+means that no update forwarding will be performed.  To enable
+update forwarding, specify
+<TT
+CLASS="userinput"
+><B
+>allow-update-forwarding { any; };</B
+></TT
+>.
+Specifying values other than <TT
+CLASS="userinput"
+><B
+>{ none; }</B
+></TT
+> or
+<TT
+CLASS="userinput"
+><B
+>{ any; }</B
+></TT
+> is usually counterproductive, since
+the responsibility for update access control should rest with the 
+master server, not the slaves.</P
+><P
+>Note that enabling the update forwarding feature on a slave server
+may expose master servers relying on insecure IP address based
+access control to attacks; see <A
+HREF="Bv9ARM.ch07.html#dynamic_update_security"
+>Section 7.3</A
+>
+for more details.</P
+></DD
+><DT
+><B
+CLASS="command"
+>allow-v6-synthesis</B
+></DT
+><DD
+><P
+>This option was introduced for the smooth transition from AAAA
+to A6 and from "nibble labels" to binary labels.
+However, since both A6 and binary labels were then deprecated,
+this option was also deprecated.
+It is now ignored with some warning messages.
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>allow-transfer</B
+></DT
+><DD
+><P
+>Specifies which hosts are allowed to
+receive zone transfers from the server. <B
+CLASS="command"
+>allow-transfer</B
+> may
+also be specified in the <B
+CLASS="command"
+>zone</B
+> statement, in which
+case it overrides the <B
+CLASS="command"
+>options allow-transfer</B
+> statement.
+If not specified, the default is to allow transfers to all hosts.</P
+></DD
+><DT
+><B
+CLASS="command"
+>blackhole</B
+></DT
+><DD
+><P
+>Specifies a list of addresses that the
 server will not accept queries from or use to resolve a query. Queries
-from these addresses will not be responded to. The default is <strong class="userinput"><code>none</code></strong>.</p></dd>
-</dl></div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2576740"></a>Interfaces</h4></div></div></div>
-<p>The interfaces and ports that the server will answer queries
-from may be specified using the <span><strong class="command">listen-on</strong></span> option. <span><strong class="command">listen-on</strong></span> takes
-an optional port, and an <code class="varname">address_match_list</code>.
+from these addresses will not be responded to. The default is <TT
+CLASS="userinput"
+><B
+>none</B
+></TT
+>.</P
+></DD
+></DL
+></DIV
+></DIV
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="AEN2757"
+>6.2.16.5. Interfaces</A
+></H3
+><P
+>The interfaces and ports that the server will answer queries
+from may be specified using the <B
+CLASS="command"
+>listen-on</B
+> option. <B
+CLASS="command"
+>listen-on</B
+> takes
+an optional port, and an <TT
+CLASS="varname"
+>address_match_list</TT
+>.
 The server will listen on all interfaces allowed by the address
-match list. If a port is not specified, port 53 will be used.</p>
-<p>Multiple <span><strong class="command">listen-on</strong></span> statements are allowed.
-For example,</p>
-<pre class="programlisting">listen-on { 5.6.7.8; };
+match list. If a port is not specified, port 53 will be used.</P
+><P
+>Multiple <B
+CLASS="command"
+>listen-on</B
+> statements are allowed.
+For example,</P
+><PRE
+CLASS="programlisting"
+>listen-on { 5.6.7.8; };
 listen-on port 1234 { !1.2.3.4; 1.2/16; };
-</pre>
-<p>will enable the nameserver on port 53 for the IP address
+</PRE
+><P
+>will enable the name server on port 53 for the IP address
 5.6.7.8, and on port 1234 of an address on the machine in net
-1.2 that is not 1.2.3.4.</p>
-<p>If no <span><strong class="command">listen-on</strong></span> is specified, the
-server will listen on port 53 on all interfaces.</p>
-<p>The <span><strong class="command">listen-on-v6</strong></span> option is used to
-specify the ports on which the server will listen for incoming
-queries sent using IPv6.</p>
-<p>The server does not bind a separate socket to each IPv6
-interface address as it does for IPv4. Instead, it always
-listens on the IPv6 wildcard address. Therefore, the only
-values allowed for the <code class="varname">address_match_list</code>
-argument to the <span><strong class="command">listen-on-v6</strong></span> statement are
-</p>
-<pre class="programlisting">{ any; }</pre>
-<p> and
-</p>
-<pre class="programlisting">{ none;}</pre>
-<p>Multiple <span><strong class="command">listen-on-v6</strong></span> options can be
-used to listen on multiple ports:</p>
-<pre class="programlisting">listen-on-v6 port 53 { any; };
-listen-on-v6 port 1234 { any; };
-</pre>
-<p>To make the server not listen on any IPv6 address, use</p>
-<pre class="programlisting">listen-on-v6 { none; };
-</pre>
-<p>If no <span><strong class="command">listen-on-v6</strong></span> statement is specified,
-the server will not listen on any IPv6 address.</p>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2576824"></a>Query Address</h4></div></div></div>
-<p>If the server doesn't know the answer to a question, it will
-query other nameservers. <span><strong class="command">query-source</strong></span> specifies
+1.2 that is not 1.2.3.4.</P
+><P
+>If no <B
+CLASS="command"
+>listen-on</B
+> is specified, the
+server will listen on port 53 on all interfaces.</P
+><P
+>By default, the server does not bind a separate socket to each
+IPv6 interface address as it does for IPv4. Instead, it listens on the 
+IPv6 wildcard address.
+Alternatively, a list of IPv6 addresses can be specified, in which case
+the server listens on a separate socket for each specified address.</P
+><P
+>Multiple <B
+CLASS="command"
+>listen-on-v6</B
+> options can be used.
+For example,</P
+><PRE
+CLASS="programlisting"
+>listen-on-v6 { any; };
+listen-on-v6 port 1234 { !3ffe::/16; any; };
+</PRE
+><P
+>will enable the name server on port 53 for any IPv6 addresses
+(with a single wildcard socket),
+and on port 1234 of IPv6 addresses that is not in the prefix
+3ffe::/16 (with separate sockets for each matched address.)</P
+><P
+>To make the server not listen on any IPv6 address, use</P
+><PRE
+CLASS="programlisting"
+>listen-on-v6 { none; };
+</PRE
+><P
+>If no <B
+CLASS="command"
+>listen-on-v6</B
+> statement is specified,
+the server will not listen on any IPv6 address.</P
+></DIV
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="AEN2778"
+>6.2.16.6. Query Address</A
+></H3
+><P
+>If the server doesn't know the answer to a question, it will
+query other name servers. <B
+CLASS="command"
+>query-source</B
+> specifies
 the address and port used for such queries. For queries sent over
-IPv6, there is a separate <span><strong class="command">query-source-v6</strong></span> option.
-If <span><strong class="command">address</strong></span> is <span><strong class="command">*</strong></span> (asterisk) or is omitted,
-a wildcard IP address (<span><strong class="command">INADDR_ANY</strong></span>) will be used.
-If <span><strong class="command">port</strong></span> is <span><strong class="command">*</strong></span> or is omitted,
-a random unprivileged port will be used. The defaults are</p>
-<pre class="programlisting">query-source address * port *;
+IPv6, there is a separate <B
+CLASS="command"
+>query-source-v6</B
+> option.
+ If <B
+CLASS="command"
+>address</B
+> is <B
+CLASS="command"
+>*</B
+> or is omitted,
+a wildcard IP address (<B
+CLASS="command"
+>INADDR_ANY</B
+>) will be used.
+If <B
+CLASS="command"
+>port</B
+> is <B
+CLASS="command"
+>*</B
+> or is omitted,
+a random unprivileged port will be used, <B
+CLASS="command"
+>avoid-v4-udp-ports</B
+>
+and <B
+CLASS="command"
+>avoid-v6-udp-ports</B
+> can be used to prevent named
+from selecting certain ports. The defaults are</P
+><PRE
+CLASS="programlisting"
+>query-source address * port *;
 query-source-v6 address * port *;
-</pre>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>The address specified in the <span><strong class="command">query-source</strong></span> option
+</PRE
+><DIV
+CLASS="note"
+><BLOCKQUOTE
+CLASS="note"
+><P
+><B
+>Note: </B
+>The address specified in the <B
+CLASS="command"
+>query-source</B
+> option
 is used for both UDP and TCP queries, but the port applies only to 
 UDP queries.  TCP queries always use a random
-unprivileged port.</p>
-</div>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>See also <span><strong class="command">transfer-source</strong></span> and
-<span><strong class="command">notify-source</strong></span>.</p>
-</div>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>
-	    Solaris 2.5.1 and earlier does not support setting the source
-	    address for TCP sockets.
-	  </p>
-</div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="zone_transfers"></a>Zone Transfers</h4></div></div></div>
-<p><acronym class="acronym">BIND</acronym> has mechanisms in place to facilitate zone transfers
+unprivileged port.</P
+></BLOCKQUOTE
+></DIV
+></DIV
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="zone_transfers"
+>6.2.16.7. Zone Transfers</A
+></H3
+><P
+><SPAN
+CLASS="acronym"
+>BIND</SPAN
+> has mechanisms in place to facilitate zone transfers
 and set limits on the amount of load that transfers place on the
-system. The following options apply to zone transfers.</p>
-<div class="variablelist"><dl>
-<dt><span class="term"><span><strong class="command">also-notify</strong></span></span></dt>
-<dd><p>Defines a global list of IP addresses of name servers
+system. The following options apply to zone transfers.</P
+><P
+></P
+><DIV
+CLASS="variablelist"
+><DL
+><DT
+><B
+CLASS="command"
+>also-notify</B
+></DT
+><DD
+><P
+>Defines a global list of IP addresses of name servers
 that are also sent NOTIFY messages whenever a fresh copy of the
 zone is loaded, in addition to the servers listed in the zone's NS records.
 This helps to ensure that copies of the zones will
-quickly converge on stealth servers. If an <span><strong class="command">also-notify</strong></span> list
-is given in a <span><strong class="command">zone</strong></span> statement, it will override
-the <span><strong class="command">options also-notify</strong></span> statement. When a <span><strong class="command">zone notify</strong></span> statement
-is set to <span><strong class="command">no</strong></span>, the IP addresses in the global <span><strong class="command">also-notify</strong></span> list will
+quickly converge on stealth servers. If an <B
+CLASS="command"
+>also-notify</B
+> list
+is given in a <B
+CLASS="command"
+>zone</B
+> statement, it will override
+the <B
+CLASS="command"
+>options also-notify</B
+> statement. When a <B
+CLASS="command"
+>zone notify</B
+> statement
+is set to <B
+CLASS="command"
+>no</B
+>, the IP addresses in the global <B
+CLASS="command"
+>also-notify</B
+> list will
 not be sent NOTIFY messages for that zone. The default is the empty
-list (no global notification list).</p></dd>
-<dt><span class="term"><span><strong class="command">max-transfer-time-in</strong></span></span></dt>
-<dd><p>Inbound zone transfers running longer than
+list (no global notification list).</P
+></DD
+><DT
+><B
+CLASS="command"
+>max-transfer-time-in</B
+></DT
+><DD
+><P
+>Inbound zone transfers running longer than
 this many minutes will be terminated. The default is 120 minutes
-(2 hours).</p></dd>
-<dt><span class="term"><span><strong class="command">max-transfer-idle-in</strong></span></span></dt>
-<dd><p>Inbound zone transfers making no progress
+(2 hours).  The maximum value is 28 days (40320 minutes).</P
+></DD
+><DT
+><B
+CLASS="command"
+>max-transfer-idle-in</B
+></DT
+><DD
+><P
+>Inbound zone transfers making no progress
 in this many minutes will be terminated. The default is 60 minutes
-(1 hour).</p></dd>
-<dt><span class="term"><span><strong class="command">max-transfer-time-out</strong></span></span></dt>
-<dd><p>Outbound zone transfers running longer than
+(1 hour).  The maximum value is 28 days (40320 minutes).</P
+></DD
+><DT
+><B
+CLASS="command"
+>max-transfer-time-out</B
+></DT
+><DD
+><P
+>Outbound zone transfers running longer than
 this many minutes will be terminated. The default is 120 minutes
-(2 hours).</p></dd>
-<dt><span class="term"><span><strong class="command">max-transfer-idle-out</strong></span></span></dt>
-<dd><p>Outbound zone transfers making no progress
+(2 hours).  The maximum value is 28 days (40320 minutes).</P
+></DD
+><DT
+><B
+CLASS="command"
+>max-transfer-idle-out</B
+></DT
+><DD
+><P
+>Outbound zone transfers making no progress
 in this many minutes will be terminated.  The default is 60 minutes (1
-hour).</p></dd>
-<dt><span class="term"><span><strong class="command">serial-query-rate</strong></span></span></dt>
-<dd><p>Slave servers will periodically query master servers
+hour).  The maximum value is 28 days (40320 minutes).</P
+></DD
+><DT
+><B
+CLASS="command"
+>serial-query-rate</B
+></DT
+><DD
+><P
+>Slave servers will periodically query master servers
 to find out if zone serial numbers have changed. Each such query uses
 a minute amount of the slave server's network bandwidth.  To limit the
 amount of bandwidth used, BIND 9 limits the rate at which queries are
-sent.  The value of the <span><strong class="command">serial-query-rate</strong></span> option,
+sent.  The value of the <B
+CLASS="command"
+>serial-query-rate</B
+> option,
 an integer, is the maximum number of queries sent per second.
 The default is 20.
-</p></dd>
-<dt><span class="term"><span><strong class="command">serial-queries</strong></span></span></dt>
-<dd><p>In BIND 8, the <span><strong class="command">serial-queries</strong></span> option
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>serial-queries</B
+></DT
+><DD
+><P
+>In BIND 8, the <B
+CLASS="command"
+>serial-queries</B
+> option
 set the maximum number of concurrent serial number queries
 allowed to be outstanding at any given time.
 BIND 9 does not limit the number of outstanding
-serial queries and ignores the <span><strong class="command">serial-queries</strong></span> option.
+serial queries and ignores the <B
+CLASS="command"
+>serial-queries</B
+> option.
 Instead, it limits the rate at which the queries are sent
-as defined using the <span><strong class="command">serial-query-rate</strong></span> option.
-</p></dd>
-<dt><span class="term"><span><strong class="command">transfer-format</strong></span></span></dt>
-<dd><p>
-Zone transfers can be sent using two different formats,
-<span><strong class="command">one-answer</strong></span> and <span><strong class="command">many-answers</strong></span>.
-The <span><strong class="command">transfer-format</strong></span> option is used
+as defined using the <B
+CLASS="command"
+>serial-query-rate</B
+> option.
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>transfer-format</B
+></DT
+><DD
+><P
+>&#13;Zone transfers can be sent using two different formats,
+<B
+CLASS="command"
+>one-answer</B
+> and <B
+CLASS="command"
+>many-answers</B
+>.
+The <B
+CLASS="command"
+>transfer-format</B
+> option is used
 on the master server to determine which format it sends.
-<span><strong class="command">one-answer</strong></span> uses one DNS message per
+<B
+CLASS="command"
+>one-answer</B
+> uses one DNS message per
 resource record transferred.
-<span><strong class="command">many-answers</strong></span> packs as many resource records as
-possible into a message. <span><strong class="command">many-answers</strong></span> is more
+<B
+CLASS="command"
+>many-answers</B
+> packs as many resource records as
+possible into a message. <B
+CLASS="command"
+>many-answers</B
+> is more
 efficient, but is only supported by relatively new slave servers,
-such as <acronym class="acronym">BIND</acronym> 9, <acronym class="acronym">BIND</acronym> 8.x and patched
-versions of <acronym class="acronym">BIND</acronym> 4.9.5. The <span><strong class="command">many-answers</strong></span>
-format is also supported by recent Microsoft Windows nameservers. The default is
-<span><strong class="command">many-answers</strong></span>. <span><strong class="command">transfer-format</strong></span>
+such as <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 9, <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 8.x and patched
+versions of <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 4.9.5. The default is
+<B
+CLASS="command"
+>many-answers</B
+>. <B
+CLASS="command"
+>transfer-format</B
+>
 may be overridden on a per-server basis by using the
-<span><strong class="command">server</strong></span> statement.
-</p></dd>
-<dt><span class="term"><span><strong class="command">transfers-in</strong></span></span></dt>
-<dd><p>The maximum number of inbound zone transfers
-that can be running concurrently. The default value is <code class="literal">10</code>.
-Increasing <span><strong class="command">transfers-in</strong></span> may speed up the convergence
-of slave zones, but it also may increase the load on the local system.</p></dd>
-<dt><span class="term"><span><strong class="command">transfers-out</strong></span></span></dt>
-<dd><p>The maximum number of outbound zone transfers
+<B
+CLASS="command"
+>server</B
+> statement.
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>transfers-in</B
+></DT
+><DD
+><P
+>The maximum number of inbound zone transfers
+that can be running concurrently. The default value is <TT
+CLASS="literal"
+>10</TT
+>.
+Increasing <B
+CLASS="command"
+>transfers-in</B
+> may speed up the convergence
+of slave zones, but it also may increase the load on the local system.</P
+></DD
+><DT
+><B
+CLASS="command"
+>transfers-out</B
+></DT
+><DD
+><P
+>The maximum number of outbound zone transfers
 that can be running concurrently. Zone transfer requests in excess
-of the limit will be refused. The default value is <code class="literal">10</code>.</p></dd>
-<dt><span class="term"><span><strong class="command">transfers-per-ns</strong></span></span></dt>
-<dd><p>The maximum number of inbound zone transfers
-that can be concurrently transferring from a given remote nameserver.
-The default value is <code class="literal">2</code>. Increasing <span><strong class="command">transfers-per-ns</strong></span> may
+of the limit will be refused. The default value is <TT
+CLASS="literal"
+>10</TT
+>.</P
+></DD
+><DT
+><B
+CLASS="command"
+>transfers-per-ns</B
+></DT
+><DD
+><P
+>The maximum number of inbound zone transfers
+that can be concurrently transferring from a given remote name server.
+The default value is <TT
+CLASS="literal"
+>2</TT
+>. Increasing <B
+CLASS="command"
+>transfers-per-ns</B
+> may
 speed up the convergence of slave zones, but it also may increase
-the load on the remote nameserver. <span><strong class="command">transfers-per-ns</strong></span> may
-be overridden on a per-server basis by using the <span><strong class="command">transfers</strong></span> phrase
-of the <span><strong class="command">server</strong></span> statement.</p></dd>
-<dt><span class="term"><span><strong class="command">transfer-source</strong></span></span></dt>
-<dd><p><span><strong class="command">transfer-source</strong></span> determines
+the load on the remote name server. <B
+CLASS="command"
+>transfers-per-ns</B
+> may
+be overridden on a per-server basis by using the <B
+CLASS="command"
+>transfers</B
+> phrase
+of the <B
+CLASS="command"
+>server</B
+> statement.</P
+></DD
+><DT
+><B
+CLASS="command"
+>transfer-source</B
+></DT
+><DD
+><P
+><B
+CLASS="command"
+>transfer-source</B
+> determines
 which local address will be bound to IPv4 TCP connections used to
 fetch zones transferred inbound by the server.  It also determines
 the source IPv4 address, and optionally the UDP port, used for the
 refresh queries and forwarded dynamic updates.  If not set, it defaults
 to a system controlled value which will usually be the address of
 the interface "closest to" the remote end. This address must appear
-in the remote end's <span><strong class="command">allow-transfer</strong></span> option for
+in the remote end's <B
+CLASS="command"
+>allow-transfer</B
+> option for
 the zone being transferred, if one is specified. This statement
-sets the <span><strong class="command">transfer-source</strong></span> for all zones, but can
+sets the <B
+CLASS="command"
+>transfer-source</B
+> for all zones, but can
 be overridden on a per-view or per-zone basis by including a
-<span><strong class="command">transfer-source</strong></span> statement within the
-<span><strong class="command">view</strong></span> or <span><strong class="command">zone</strong></span> block
-in the configuration file.</p></dd>
-<dt><span class="term"><span><strong class="command">transfer-source-v6</strong></span></span></dt>
-<dd><p>The same as <span><strong class="command">transfer-source</strong></span>,
-except zone transfers are performed using IPv6.</p></dd>
-<dt><span class="term"><span><strong class="command">notify-source</strong></span></span></dt>
-<dd>
-<p><span><strong class="command">notify-source</strong></span> determines
+<B
+CLASS="command"
+>transfer-source</B
+> statement within the
+<B
+CLASS="command"
+>view</B
+> or <B
+CLASS="command"
+>zone</B
+> block
+in the configuration file.</P
+></DD
+><DT
+><B
+CLASS="command"
+>transfer-source-v6</B
+></DT
+><DD
+><P
+>The same as <B
+CLASS="command"
+>transfer-source</B
+>,
+except zone transfers are performed using IPv6.</P
+></DD
+><DT
+><B
+CLASS="command"
+>alt-transfer-source</B
+></DT
+><DD
+><P
+>An alternate transfer source if the one listed in
+<B
+CLASS="command"
+>transfer-source</B
+> fails and
+<B
+CLASS="command"
+>use-alt-transfer-source</B
+> is set.</P
+></DD
+><DT
+><B
+CLASS="command"
+>alt-transfer-source-v6</B
+></DT
+><DD
+><P
+>An alternate transfer source if the one listed in
+<B
+CLASS="command"
+>transfer-source-v6</B
+> fails and
+<B
+CLASS="command"
+>use-alt-transfer-source</B
+> is set.</P
+></DD
+><DT
+><B
+CLASS="command"
+>use-alt-transfer-source</B
+></DT
+><DD
+><P
+>Use the alternate transfer sources or not.  If views are
+specified this defaults to <B
+CLASS="command"
+>no</B
+> otherwise it defaults to
+<B
+CLASS="command"
+>yes</B
+> (for BIND 8 compatibility).</P
+></DD
+><DT
+><B
+CLASS="command"
+>notify-source</B
+></DT
+><DD
+><P
+><B
+CLASS="command"
+>notify-source</B
+> determines
 which local source address, and optionally UDP port, will be used to
 send NOTIFY messages.
-This address must appear in the slave server's <span><strong class="command">masters</strong></span>
-zone clause or in an <span><strong class="command">allow-notify</strong></span> clause.
-This statement sets the <span><strong class="command">notify-source</strong></span> for all zones,
-but can be overridden on a per-zone or per-view basis by including a
-<span><strong class="command">notify-source</strong></span> statement within the <span><strong class="command">zone</strong></span>
-or <span><strong class="command">view</strong></span> block in the configuration file.</p>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>
-                   Solaris 2.5.1 and earlier does not support setting the
-                   source address for TCP sockets.
-                 </p>
-</div>
-</dd>
-<dt><span class="term"><span><strong class="command">notify-source-v6</strong></span></span></dt>
-<dd><p>Like <span><strong class="command">notify-source</strong></span>,
-but applies to notify messages sent to IPv6 addresses.</p></dd>
-</dl></div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2577432"></a>Operating System Resource Limits</h4></div></div></div>
-<p>The server's usage of many system resources can be limited.
+This address must appear in the slave server's <B
+CLASS="command"
+>masters</B
+>
+zone clause or in an <B
+CLASS="command"
+>allow-notify</B
+> clause.
+This statement sets the <B
+CLASS="command"
+>notify-source</B
+> for all zones,
+but can be overridden on a per-zone / per-view basis by including a
+<B
+CLASS="command"
+>notify-source</B
+> statement within the <B
+CLASS="command"
+>zone</B
+>
+or <B
+CLASS="command"
+>view</B
+> block in the configuration file.</P
+></DD
+><DT
+><B
+CLASS="command"
+>notify-source-v6</B
+></DT
+><DD
+><P
+>Like <B
+CLASS="command"
+>notify-source</B
+>,
+but applies to notify messages sent to IPv6 addresses.</P
+></DD
+></DL
+></DIV
+></DIV
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="AEN2940"
+>6.2.16.8. Bad UDP Port Lists</A
+></H3
+><P
+>&#13;<B
+CLASS="command"
+>avoid-v4-udp-ports</B
+> and <B
+CLASS="command"
+>avoid-v6-udp-ports</B
+>
+specify a list of IPv4 and IPv6 UDP ports that will not be used as system
+assigned source ports for UDP sockets.  These lists prevent named
+from choosing as its random source port a port that is blocked by
+your firewall.  If a query went out with such a source port, the
+answer would not get by the firewall and the name server would have
+to query again.
+</P
+></DIV
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="AEN2945"
+>6.2.16.9. Operating System Resource Limits</A
+></H3
+><P
+>The server's usage of many system resources can be limited.
 Scaled values are allowed when specifying resource limits.  For
-example, <span><strong class="command">1G</strong></span> can be used instead of
-<span><strong class="command">1073741824</strong></span> to specify a limit of one
-gigabyte. <span><strong class="command">unlimited</strong></span> requests unlimited use, or the
-maximum available amount. <span><strong class="command">default</strong></span> uses the limit
-that was in force when the server was started. See the description
-of <span><strong class="command">size_spec</strong></span> in <a href="Bv9ARM.ch06.html#configuration_file_elements" title="Configuration File Elements">the section called &#8220;Configuration File Elements&#8221;</a>.</p>
-<p>The following options set operating system resource limits for
+example, <B
+CLASS="command"
+>1G</B
+> can be used instead of
+<B
+CLASS="command"
+>1073741824</B
+> to specify a limit of one
+gigabyte. <B
+CLASS="command"
+>unlimited</B
+> requests unlimited use, or the
+maximum available amount. <B
+CLASS="command"
+>default</B
+> uses the limit
+that was in force when the server was started. See the description of
+<B
+CLASS="command"
+>size_spec</B
+> in <A
+HREF="Bv9ARM.ch06.html#configuration_file_elements"
+>Section 6.1</A
+>.</P
+><P
+>The following options set operating system resource limits for
 the name server process.  Some operating systems don't support some or
 any of the limits. On such systems, a warning will be issued if the
-unsupported limit is used.</p>
-<div class="variablelist"><dl>
-<dt><span class="term"><span><strong class="command">coresize</strong></span></span></dt>
-<dd><p>The maximum size of a core dump. The default
-is <code class="literal">default</code>.</p></dd>
-<dt><span class="term"><span><strong class="command">datasize</strong></span></span></dt>
-<dd><p>The maximum amount of data memory the server
-may use. The default is <code class="literal">default</code>.
+unsupported limit is used.</P
+><P
+></P
+><DIV
+CLASS="variablelist"
+><DL
+><DT
+><B
+CLASS="command"
+>coresize</B
+></DT
+><DD
+><P
+>The maximum size of a core dump. The default
+is <TT
+CLASS="literal"
+>default</TT
+>.</P
+></DD
+><DT
+><B
+CLASS="command"
+>datasize</B
+></DT
+><DD
+><P
+>The maximum amount of data memory the server
+may use. The default is <TT
+CLASS="literal"
+>default</TT
+>.
 This is a hard limit on server memory usage.
 If the server attempts to allocate memory in excess of this
 limit, the allocation will fail, which may in turn leave
@@ -1770,93 +7036,287 @@ amount of memory used by the server, but it can be used
 to raise an operating system data size limit that is
 too small by default.  If you wish to limit the amount
 of memory used by the server, use the
-<span><strong class="command">max-cache-size</strong></span> and 
-<span><strong class="command">recursive-clients</strong></span>
+<B
+CLASS="command"
+>max-cache-size</B
+> and 
+<B
+CLASS="command"
+>recursive-clients</B
+>
 options instead.
-</p></dd>
-<dt><span class="term"><span><strong class="command">files</strong></span></span></dt>
-<dd><p>The maximum number of files the server
-may have open concurrently. The default is <code class="literal">unlimited</code>.
-</p></dd>
-<dt><span class="term"><span><strong class="command">stacksize</strong></span></span></dt>
-<dd><p>The maximum amount of stack memory the server
-may use. The default is <code class="literal">default</code>.</p></dd>
-</dl></div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2577533"></a>Server  Resource Limits</h4></div></div></div>
-<p>The following options set limits on the server's
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>files</B
+></DT
+><DD
+><P
+>The maximum number of files the server
+may have open concurrently. The default is <TT
+CLASS="literal"
+>unlimited</TT
+>.
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>stacksize</B
+></DT
+><DD
+><P
+>The maximum amount of stack memory the server
+may use. The default is <TT
+CLASS="literal"
+>default</TT
+>.</P
+></DD
+></DL
+></DIV
+></DIV
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="AEN2982"
+>6.2.16.10. Server  Resource Limits</A
+></H3
+><P
+>The following options set limits on the server's
 resource consumption that are enforced internally by the
-server rather than the operating system.</p>
-<div class="variablelist"><dl>
-<dt><span class="term"><span><strong class="command">max-ixfr-log-size</strong></span></span></dt>
-<dd><p>This option is obsolete; it is accepted
-and ignored for BIND 8 compatibility.</p></dd>
-<dt><span class="term"><span><strong class="command">recursive-clients</strong></span></span></dt>
-<dd><p>The maximum number of simultaneous recursive lookups
+server rather than the operating system.</P
+><P
+></P
+><DIV
+CLASS="variablelist"
+><DL
+><DT
+><B
+CLASS="command"
+>max-ixfr-log-size</B
+></DT
+><DD
+><P
+>This option is obsolete; it is accepted
+and ignored for BIND 8 compatibility.  The option
+<B
+CLASS="command"
+>max-journal-size</B
+> performs a similar
+function in BIND 8.
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>max-journal-size</B
+></DT
+><DD
+><P
+>Sets a maximum size for each journal file
+(<A
+HREF="Bv9ARM.ch04.html#journal"
+>Section 4.2.1</A
+>).  When the journal file approaches
+the specified size, some of the oldest transactions in the journal
+will be automatically removed.  The default is
+<TT
+CLASS="literal"
+>unlimited</TT
+>.</P
+></DD
+><DT
+><B
+CLASS="command"
+>recursive-clients</B
+></DT
+><DD
+><P
+>The maximum number of simultaneous recursive lookups
 the server will perform on behalf of clients.  The default is
-<code class="literal">1000</code>.  Because each recursing client uses a fair
+<TT
+CLASS="literal"
+>1000</TT
+>.  Because each recursing client uses a fair
 bit of memory, on the order of 20 kilobytes, the value of the
-<span><strong class="command">recursive-clients</strong></span> option may have to be decreased
+<B
+CLASS="command"
+>recursive-clients</B
+> option may have to be decreased
 on hosts with limited memory.
-</p></dd>
-<dt><span class="term"><span><strong class="command">tcp-clients</strong></span></span></dt>
-<dd><p>The maximum number of simultaneous client TCP
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>tcp-clients</B
+></DT
+><DD
+><P
+>The maximum number of simultaneous client TCP
 connections that the server will accept.
-The default is <code class="literal">100</code>.</p></dd>
-<dt><span class="term"><span><strong class="command">max-cache-size</strong></span></span></dt>
-<dd><p>The maximum amount of memory to use for the
+The default is <TT
+CLASS="literal"
+>100</TT
+>.</P
+></DD
+><DT
+><B
+CLASS="command"
+>max-cache-size</B
+></DT
+><DD
+><P
+>The maximum amount of memory to use for the
 server's cache, in bytes.  When the amount of data in the cache
 reaches this limit, the server will cause records to expire
 prematurely so that the limit is not exceeded.  In a server with
 multiple views, the limit applies separately to the cache of each
-view.  The default is <code class="literal">unlimited</code>, meaning that 
+view.  The default is <TT
+CLASS="literal"
+>unlimited</TT
+>, meaning that 
 records are purged from the cache only when their TTLs expire.
-</p></dd>
-</dl></div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2577603"></a>Periodic Task Intervals</h4></div></div></div>
-<div class="variablelist"><dl>
-<dt><span class="term"><span><strong class="command">cleaning-interval</strong></span></span></dt>
-<dd><p>The server will remove expired resource records
-from the cache every <span><strong class="command">cleaning-interval</strong></span> minutes.
-The default is 60 minutes.
-If set to 0, no periodic cleaning will occur.</p></dd>
-<dt><span class="term"><span><strong class="command">heartbeat-interval</strong></span></span></dt>
-<dd><p>The server will perform zone maintenance tasks
-for all zones marked as <span><strong class="command">dialup</strong></span> whenever this
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>tcp-listen-queue</B
+></DT
+><DD
+><P
+>The listen queue depth.  The default and minimum is 3.
+If the kernel supports the accept filter "dataready" this also controls how
+many TCP connections that will be queued in kernel space waiting for
+some data before being passed to accept.  Values less than 3 will be
+silently raised.
+</P
+></DD
+></DL
+></DIV
+></DIV
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="AEN3023"
+>6.2.16.11. Periodic Task Intervals</A
+></H3
+><P
+></P
+><DIV
+CLASS="variablelist"
+><DL
+><DT
+><B
+CLASS="command"
+>cleaning-interval</B
+></DT
+><DD
+><P
+>The server will remove expired resource records
+from the cache every <B
+CLASS="command"
+>cleaning-interval</B
+> minutes.
+The default is 60 minutes.  The maximum value is 28 days (40320 minutes).
+If set to 0, no  periodic cleaning will occur.</P
+></DD
+><DT
+><B
+CLASS="command"
+>heartbeat-interval</B
+></DT
+><DD
+><P
+>The server will perform zone maintenance tasks
+for all zones marked as <B
+CLASS="command"
+>dialup</B
+> whenever this
 interval expires. The default is 60 minutes. Reasonable values are up
-to 1 day (1440 minutes). If set to 0, no zone maintenance for these zones will occur.</p></dd>
-<dt><span class="term"><span><strong class="command">interface-interval</strong></span></span></dt>
-<dd><p>The server will scan the network interface list
-every <span><strong class="command">interface-interval</strong></span> minutes. The default
-is 60 minutes. If set to 0, interface scanning will only occur when
-the configuration file is  loaded. After the scan, listeners will be
-started on any new interfaces (provided they are allowed by the
-<span><strong class="command">listen-on</strong></span> configuration). Listeners on interfaces
-that have gone away will be cleaned up.</p></dd>
-<dt><span class="term"><span><strong class="command">statistics-interval</strong></span></span></dt>
-<dd>
-<p>Nameserver statistics will be logged
-every <span><strong class="command">statistics-interval</strong></span> minutes. The default is 
-60. If set to 0, no statistics will be logged.</p>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>Not yet implemented in <acronym class="acronym">BIND</acronym> 9.</p>
-</div>
-</dd>
-</dl></div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="topology"></a>Topology</h4></div></div></div>
-<p>All other things being equal, when the server chooses a nameserver
-to query from a list of nameservers, it prefers the one that is
-topologically closest to itself. The <span><strong class="command">topology</strong></span> statement
-takes an <span><strong class="command">address_match_list</strong></span> and interprets it
+to 1 day (1440 minutes).  The maximum value is 28 days (40320 minutes).
+If set to 0, no zone maintenance for these zones will occur.</P
+></DD
+><DT
+><B
+CLASS="command"
+>interface-interval</B
+></DT
+><DD
+><P
+>The server will scan the network interface list
+every <B
+CLASS="command"
+>interface-interval</B
+> minutes. The default
+is 60 minutes. The maximum value is 28 days (40320 minutes).
+If set to 0, interface scanning will only occur when
+the configuration file is  loaded. After the scan, the server will
+begin listening for queries on any newly discovered
+interfaces (provided they are allowed by the
+<B
+CLASS="command"
+>listen-on</B
+> configuration), and will
+stop listening on interfaces that have gone away.</P
+></DD
+><DT
+><B
+CLASS="command"
+>statistics-interval</B
+></DT
+><DD
+><P
+>Name server statistics will be logged
+every <B
+CLASS="command"
+>statistics-interval</B
+> minutes. The default is 
+60. The maximum value is 28 days (40320 minutes).
+If set to 0, no statistics will be logged.</P
+><DIV
+CLASS="note"
+><BLOCKQUOTE
+CLASS="note"
+><P
+><B
+>Note: </B
+>Not yet implemented in <SPAN
+CLASS="acronym"
+>BIND</SPAN
+>9.</P
+></BLOCKQUOTE
+></DIV
+></DD
+></DL
+></DIV
+></DIV
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="topology"
+>6.2.16.12. Topology</A
+></H3
+><P
+>All other things being equal, when the server chooses a name server
+to query from a list of name servers, it prefers the one that is
+topologically closest to itself. The <B
+CLASS="command"
+>topology</B
+> statement
+takes an <B
+CLASS="command"
+>address_match_list</B
+> and interprets it
 in a special way. Each top-level list element is assigned a distance.
 Non-negated elements get a distance based on their position in the
 list, where the closer the match is to the start of the list, the
@@ -1864,61 +7324,124 @@ shorter the distance is between it and the server. A negated match
 will be assigned the maximum distance from the server. If there
 is no match, the address will get a distance which is further than
 any non-negated list element, and closer than any negated element.
-For example,</p>
-<pre class="programlisting">topology {
+For example,</P
+><PRE
+CLASS="programlisting"
+>topology {
     10/8;
     !1.2.3/24;
     { 1.2/16; 3/8; };
-};</pre>
-<p>will prefer servers on network 10 the most, followed by hosts
+};</PRE
+><P
+>will prefer servers on network 10 the most, followed by hosts
 on network 1.2.0.0 (netmask 255.255.0.0) and network 3, with the
 exception of hosts on network 1.2.3 (netmask 255.255.255.0), which
-is preferred least of all.</p>
-<p>The default topology is</p>
-<pre class="programlisting">    topology { localhost; localnets; };
-</pre>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>The <span><strong class="command">topology</strong></span> option
-is not implemented in <acronym class="acronym">BIND</acronym> 9.
-</p>
-</div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="the_sortlist_statement"></a>The <span><strong class="command">sortlist</strong></span> Statement</h4></div></div></div>
-<p>The response to a DNS query may consist of multiple resource
+is preferred least of all.</P
+><P
+>The default topology is</P
+><PRE
+CLASS="programlisting"
+>    topology { localhost; localnets; };
+</PRE
+><DIV
+CLASS="note"
+><BLOCKQUOTE
+CLASS="note"
+><P
+><B
+>Note: </B
+>The <B
+CLASS="command"
+>topology</B
+> option
+is not implemented in <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 9.
+</P
+></BLOCKQUOTE
+></DIV
+></DIV
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="the_sortlist_statement"
+>6.2.16.13. The <B
+CLASS="command"
+>sortlist</B
+> Statement</A
+></H3
+><P
+>The response to a DNS query may consist of multiple resource
 records (RRs) forming a resource records set (RRset).
 The name server will normally return the
 RRs within the RRset in an indeterminate order
-(but see the <span><strong class="command">rrset-order</strong></span>
-statement in <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called &#8220;RRset Ordering&#8221;</a>).
+(but see the <B
+CLASS="command"
+>rrset-order</B
+>
+statement in <A
+HREF="Bv9ARM.ch06.html#rrset_ordering"
+>Section 6.2.16.14</A
+>).
 The client resolver code should rearrange the RRs as appropriate,
 that is, using any addresses on the local net in preference to other addresses.
 However, not all resolvers can do this or are correctly configured.
-When a client is using a local server, the sorting can be performed
+When a client is using a local server the sorting can be performed
 in the server, based on the client's address. This only requires
-configuring the nameservers, not all the clients.</p>
-<p>The <span><strong class="command">sortlist</strong></span> statement (see below) takes
-an <span><strong class="command">address_match_list</strong></span> and interprets it even
-more specifically than the <span><strong class="command">topology</strong></span> statement
-does (<a href="Bv9ARM.ch06.html#topology" title="Topology">the section called &#8220;Topology&#8221;</a>).
-Each top level statement in the <span><strong class="command">sortlist</strong></span> must
-itself be an explicit <span><strong class="command">address_match_list</strong></span> with
+configuring the name servers, not all the clients.</P
+><P
+>The <B
+CLASS="command"
+>sortlist</B
+> statement (see below) takes
+an <B
+CLASS="command"
+>address_match_list</B
+> and interprets it even
+more specifically than the <B
+CLASS="command"
+>topology</B
+> statement
+does (<A
+HREF="Bv9ARM.ch06.html#topology"
+>Section 6.2.16.12</A
+>).
+Each top level statement in the <B
+CLASS="command"
+>sortlist</B
+> must
+itself be an explicit <B
+CLASS="command"
+>address_match_list</B
+> with
 one or two elements. The first element (which may be an IP address,
-an IP prefix, an ACL name or a nested <span><strong class="command">address_match_list</strong></span>)
+an IP prefix, an ACL name or a nested <B
+CLASS="command"
+>address_match_list</B
+>)
 of each top level list is checked against the source address of
-the query until a match is found.</p>
-<p>Once the source address of the query has been matched, if
+the query until a match is found.</P
+><P
+>Once the source address of the query has been matched, if
 the top level statement contains only one element, the actual primitive
 element that matched the source address is used to select the address
 in the response to move to the beginning of the response. If the
 statement is a list of two elements, then the second element is
-treated the same as the <span><strong class="command">address_match_list</strong></span> in
-a <span><strong class="command">topology</strong></span> statement. Each top level element
+treated the same as the <B
+CLASS="command"
+>address_match_list</B
+> in
+a <B
+CLASS="command"
+>topology</B
+> statement. Each top level element
 is assigned a distance and the address in the response with the minimum
-distance is moved to the beginning of the response.</p>
-<p>In the following example, any queries received from any of
+distance is moved to the beginning of the response.</P
+><P
+>In the following example, any queries received from any of
 the addresses of the host itself will get responses preferring addresses
 on any of the locally connected networks. Next most preferred are addresses
 on the 192.168.1/24 network, and after that either the 192.168.2/24
@@ -1929,8 +7452,10 @@ will prefer other addresses on that network to the 192.168.2/24
 and
 192.168.3/24 networks. Queries received from a host on the 192.168.4/24
 or the 192.168.5/24 network will only prefer other addresses on
-their directly connected networks.</p>
-<pre class="programlisting">sortlist {
+their directly connected networks.</P
+><PRE
+CLASS="programlisting"
+>sortlist {
     { localhost;                                   // IF   the local host
         { localnets;                               // THEN first fit on the
             192.168.1/24;                          //   following nets
@@ -1946,585 +7471,2128 @@ their directly connected networks.</p>
             { 192.168.1/24; 192.168.2/24; }; }; };
     { { 192.168.4/24; 192.168.5/24; };             // if .4 or .5, prefer that net
     };
-};</pre>
-<p>The following example will give reasonable behavior for the
+};</PRE
+><P
+>The following example will give reasonable behavior for the
 local host and hosts on directly connected networks. It is similar
-to the behavior of the address sort in <acronym class="acronym">BIND</acronym> 4.9.x. Responses sent
+to the behavior of the address sort in <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 4.9.x. Responses sent
 to queries from the local host will favor any of the directly connected
 networks. Responses sent to queries from any other hosts on a directly
 connected network will prefer addresses on that same network. Responses
-to other queries will not be sorted.</p>
-<pre class="programlisting">sortlist {
+to other queries will not be sorted.</P
+><PRE
+CLASS="programlisting"
+>sortlist {
            { localhost; localnets; };
            { localnets; };
 };
-</pre>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="rrset_ordering"></a>RRset Ordering</h4></div></div></div>
-<p>When multiple records are returned in an answer it may be
+</PRE
+></DIV
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="rrset_ordering"
+>6.2.16.14. RRset Ordering</A
+></H3
+><P
+>When multiple records are returned in an answer it may be
 useful to configure the order of the records placed into the response.
-The <span><strong class="command">rrset-order</strong></span> statement permits configuration
+The <B
+CLASS="command"
+>rrset-order</B
+> statement permits configuration
 of the ordering of the records in a multiple record response.
-See also the <span><strong class="command">sortlist</strong></span> statement,
-<a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called &#8220;The <span><strong class="command">sortlist</strong></span> Statement&#8221;</a>.
-</p>
-<p>An <span><strong class="command">order_spec</strong></span> is defined as follows:</p>
-<pre class="programlisting">[<span class="optional"> class <em class="replaceable"><code>class_name</code></em> </span>][<span class="optional"> type <em class="replaceable"><code>type_name</code></em> </span>][<span class="optional"> name <em class="replaceable"><code>"domain_name"</code></em></span>]
-      order <em class="replaceable"><code>ordering</code></em>
-</pre>
-<p>If no class is specified, the default is <span><strong class="command">ANY</strong></span>.
-If no type is specified, the default is <span><strong class="command">ANY</strong></span>.
-If no name is specified, the default is "<span><strong class="command">*</strong></span>" (asterisk).</p>
-<p>The legal values for <span><strong class="command">ordering</strong></span> are:</p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td><p><span><strong class="command">fixed</strong></span></p></td>
-<td><p>Records are returned in the order they
-are defined in the zone file.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">random</strong></span></p></td>
-<td><p>Records are returned in some random order.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">cyclic</strong></span></p></td>
-<td><p>Records are returned in a round-robin
-order.</p></td>
-</tr>
-</tbody>
-</table></div>
-<p>For example:</p>
-<pre class="programlisting">rrset-order {
+See also the <B
+CLASS="command"
+>sortlist</B
+> statement,
+<A
+HREF="Bv9ARM.ch06.html#the_sortlist_statement"
+>Section 6.2.16.13</A
+>.
+</P
+><P
+>An <B
+CLASS="command"
+>order_spec</B
+> is defined as follows:</P
+><PRE
+CLASS="programlisting"
+>[<SPAN
+CLASS="optional"
+> class <TT
+CLASS="replaceable"
+><I
+>class_name</I
+></TT
+> </SPAN
+>][<SPAN
+CLASS="optional"
+> type <TT
+CLASS="replaceable"
+><I
+>type_name</I
+></TT
+> </SPAN
+>][<SPAN
+CLASS="optional"
+> name <TT
+CLASS="replaceable"
+><I
+>"domain_name"</I
+></TT
+></SPAN
+>]
+      order <TT
+CLASS="replaceable"
+><I
+>ordering</I
+></TT
+>
+</PRE
+><P
+>If no class is specified, the default is <B
+CLASS="command"
+>ANY</B
+>.
+If no type is specified, the default is <B
+CLASS="command"
+>ANY</B
+>.
+If no name is specified, the default is "<B
+CLASS="command"
+>*</B
+>".</P
+><P
+>The legal values for <B
+CLASS="command"
+>ordering</B
+> are:</P
+><DIV
+CLASS="informaltable"
+><A
+NAME="AEN3111"
+></A
+><P
+></P
+><TABLE
+CELLPADDING="3"
+BORDER="1"
+CLASS="CALSTABLE"
+><TBODY
+><TR
+><TD
+WIDTH="72"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><B
+CLASS="command"
+>fixed</B
+></P
+></TD
+><TD
+WIDTH="360"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>Records are returned in the order they
+are defined in the zone file.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="72"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><B
+CLASS="command"
+>random</B
+></P
+></TD
+><TD
+WIDTH="360"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>Records are returned in some random order.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="72"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><B
+CLASS="command"
+>cyclic</B
+></P
+></TD
+><TD
+WIDTH="360"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>Records are returned in a round-robin
+order.</P
+></TD
+></TR
+></TBODY
+></TABLE
+><P
+></P
+></DIV
+><P
+>For example:</P
+><PRE
+CLASS="programlisting"
+>rrset-order {
    class IN type A name "host.example.com" order random;
    order cyclic;
 };
-</pre>
-<p>will cause any responses for type A records in class IN that
-have "<code class="literal">host.example.com</code>" as a suffix, to always be returned
-in random order. All other records are returned in cyclic order.</p>
-<p>If multiple <span><strong class="command">rrset-order</strong></span> statements appear,
-they are not combined &#8212; the last one applies.</p>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>The <span><strong class="command">rrset-order</strong></span> statement
-is not yet implemented in <acronym class="acronym">BIND</acronym> 9.
-BIND 9 currently supports only a "random-cyclic" ordering,
-where the server randomly chooses a starting point within
-the RRset and returns the records in order starting at
-that point, wrapping around the end of the RRset if 
-necessary.</p>
-</div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="synthesis"></a>Synthetic IPv6 responses</h4></div></div></div>
-<p>Many existing stub resolvers support IPv6 DNS lookups as defined in
-RFC1886, using AAAA records for forward lookups and "nibble labels" in
-the <code class="literal">IP6.INT</code> domain for reverse lookups, but do not support
-RFC2874-style lookups (using A6 records and binary labels in the
-<code class="literal">IP6.ARPA</code> domain).</p>
-<p>For those who wish to continue to use such stub resolvers rather than
-switching to the BIND 9 lightweight resolver, BIND 9 provides a way
-to automatically convert RFC1886-style lookups into
-RFC2874-style lookups and return the results as "synthetic" AAAA and
-PTR records.</p>
-<p>This feature is disabled by default and can be enabled on a per-client
-basis by adding a
-<span><strong class="command">allow-v6-synthesis { <em class="replaceable"><code>address_match_list</code></em> };</strong></span>
-clause to the <span><strong class="command">options</strong></span> or <span><strong class="command">view</strong></span> statement.
-When it is enabled, recursive
-AAAA queries cause the server to first try an A6 lookup and if that
-fails, an AAAA lookups.  No matter which one succeeds, the results are
-returned as a set of synthetic AAAA records.  Similarly, recursive PTR
-queries in <code class="literal">IP6.INT</code> will cause a
-lookup in <code class="literal">IP6.ARPA</code> using binary
-labels, and if that fails, another lookup in <code class="literal">IP6.INT</code>.
-The results are returned as a synthetic PTR record in
-<code class="literal">ip6.int</code>.</p>
-<p>The synthetic records have a TTL of zero.  DNSSEC validation of
-synthetic responses is not currently supported; therefore responses
-containing synthetic RRs will not have the AD flag set.</p>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p><span><strong class="command">allow-v6-synthesis</strong></span> is only performed for
-clients that are supplied recursive service.</p>
-</div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="tuning"></a>Tuning</h4></div></div></div>
-<div class="variablelist"><dl>
-<dt><span class="term"><span><strong class="command">lame-ttl</strong></span></span></dt>
-<dd><p>Sets the number of seconds to cache a
+</PRE
+><P
+>will cause any responses for type A records in class IN that
+have "<TT
+CLASS="literal"
+>host.example.com</TT
+>" as a suffix, to always be returned
+in random order. All other records are returned in cyclic order.</P
+><P
+>If multiple <B
+CLASS="command"
+>rrset-order</B
+> statements appear,
+they are not combined &#8212; the last one applies.</P
+><DIV
+CLASS="note"
+><BLOCKQUOTE
+CLASS="note"
+><P
+><B
+>Note: </B
+>The <B
+CLASS="command"
+>rrset-order</B
+> statement
+is not yet fully implemented in <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 9.
+BIND 9 currently does not support "fixed" ordering.
+</P
+></BLOCKQUOTE
+></DIV
+></DIV
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="tuning"
+>6.2.16.15. Tuning</A
+></H3
+><P
+></P
+><DIV
+CLASS="variablelist"
+><DL
+><DT
+><B
+CLASS="command"
+>lame-ttl</B
+></DT
+><DD
+><P
+>Sets the number of seconds to cache a
 lame server indication. 0 disables caching. (This is
-<span class="bold"><strong>NOT</strong></span> recommended.)
-The default is <code class="literal">600</code> (10 minutes) and the maximum value is 
-<code class="literal">1800</code> (30 minutes).</p></dd>
-<dt><span class="term"><span><strong class="command">max-ncache-ttl</strong></span></span></dt>
-<dd><p>To reduce network traffic and increase performance,
-the server stores negative answers. <span><strong class="command">max-ncache-ttl</strong></span> is
+<SPAN
+CLASS="bold"
+><B
+CLASS="emphasis"
+>NOT</B
+></SPAN
+> recommended.)
+Default is <TT
+CLASS="literal"
+>600</TT
+> (10 minutes). Maximum value is 
+<TT
+CLASS="literal"
+>1800</TT
+> (30 minutes).</P
+></DD
+><DT
+><B
+CLASS="command"
+>max-ncache-ttl</B
+></DT
+><DD
+><P
+>To reduce network traffic and increase performance
+the server stores negative answers. <B
+CLASS="command"
+>max-ncache-ttl</B
+> is
 used to set a maximum retention time for these answers in the server
 in seconds. The default
-<span><strong class="command">max-ncache-ttl</strong></span> is <code class="literal">10800</code> seconds (3 hours).
-<span><strong class="command">max-ncache-ttl</strong></span> cannot exceed 7 days and will
-be silently truncated to 7 days if set to a greater value.</p></dd>
-<dt><span class="term"><span><strong class="command">host-statistics-max</strong></span></span></dt>
-<dd><p>In BIND 8, specifies the maximum number of host statistics
-entries to be kept.
-Not implemented in BIND 9.
-</p></dd>
-<dt><span class="term"><span><strong class="command">max-cache-ttl</strong></span></span></dt>
-<dd><p>Sets
+<B
+CLASS="command"
+>max-ncache-ttl</B
+> is <TT
+CLASS="literal"
+>10800</TT
+> seconds (3 hours).
+<B
+CLASS="command"
+>max-ncache-ttl</B
+> cannot exceed 7 days and will
+be silently truncated to 7 days if set to a greater value.</P
+></DD
+><DT
+><B
+CLASS="command"
+>max-cache-ttl</B
+></DT
+><DD
+><P
+><B
+CLASS="command"
+>max-cache-ttl</B
+> sets
 the maximum time for which the server will cache ordinary (positive)
-answers. The default is one week (7 days).</p></dd>
-<dt><span class="term"><span><strong class="command">min-roots</strong></span></span></dt>
-<dd>
-<p>The minimum number of root servers that
-is required for a request for the root servers to be accepted. The default
-is <strong class="userinput"><code>2</code></strong>.</p>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>Not yet implemented in <acronym class="acronym">BIND</acronym>9.</p>
-</div>
-</dd>
-<dt><span class="term"><span><strong class="command">sig-validity-interval</strong></span></span></dt>
-<dd><p>Specifies the number of days into the
+answers. The default is one week (7 days).</P
+></DD
+><DT
+><B
+CLASS="command"
+>min-roots</B
+></DT
+><DD
+><P
+>The minimum number of root servers that
+is required for a request for the root servers to be accepted. Default
+is <TT
+CLASS="userinput"
+><B
+>2</B
+></TT
+>.</P
+><DIV
+CLASS="note"
+><BLOCKQUOTE
+CLASS="note"
+><P
+><B
+>Note: </B
+>Not implemented in <SPAN
+CLASS="acronym"
+>BIND</SPAN
+>9.</P
+></BLOCKQUOTE
+></DIV
+></DD
+><DT
+><B
+CLASS="command"
+>sig-validity-interval</B
+></DT
+><DD
+><P
+>Specifies the number of days into the
 future when DNSSEC signatures automatically generated as a result
-of dynamic updates (<a href="Bv9ARM.ch04.html#dynamic_update" title="Dynamic Update">the section called &#8220;Dynamic Update&#8221;</a>)
-will expire. The default is <code class="literal">30</code> days. The signature
+of dynamic updates (<A
+HREF="Bv9ARM.ch04.html#dynamic_update"
+>Section 4.2</A
+>)
+will expire. The default is <TT
+CLASS="literal"
+>30</TT
+> days.
+The maximum value is 10 years (3660 days). The signature
 inception time is unconditionally set to one hour before the current time
-to allow for a limited amount of clock skew.</p></dd>
-<dt>
-<span class="term"><span><strong class="command">min-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">max-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">min-retry-time</strong></span>, </span><span class="term"><span><strong class="command">max-retry-time</strong></span></span>
-</dt>
-<dd>
-<p>
-These options control the server's behavior on refreshing a zone
+to allow for a limited amount of clock skew.</P
+></DD
+><DT
+><B
+CLASS="command"
+>min-refresh-time</B
+>, <B
+CLASS="command"
+>max-refresh-time</B
+>, <B
+CLASS="command"
+>min-retry-time</B
+>, <B
+CLASS="command"
+>max-retry-time</B
+></DT
+><DD
+><P
+>&#13;These options control the server's behavior on refreshing a zone
 (querying for SOA changes) or retrying failed transfers.
 Usually the SOA values for the zone are used, but these values
 are set by the master, giving slave server administrators little
 control over their contents.
-</p>
-<p>
-These options allow the administrator to set a minimum and maximum
-refresh and retry time either per-zone, per-view or globally.
-These options are valid for slave and stub zones, 
+</P
+><P
+>&#13;These options allow the administrator to set a minimum and maximum
+refresh and retry time either per-zone, per-view, or globally.
+These options are valid for slave and stub zones,
 and clamp the SOA refresh and retry times to the specified values.
-</p>
-</dd>
-</dl></div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="statsfile"></a>The Statistics File</h4></div></div></div>
-<p>The statistics file generated by <acronym class="acronym">BIND</acronym> 9
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>edns-udp-size</B
+></DT
+><DD
+><P
+>&#13;<B
+CLASS="command"
+>edns-udp-size</B
+> sets the advertised EDNS UDP buffer
+size.  Valid values are 512 to 4096 (values outside this range will be
+silently adjusted).  The default value is 4096.  The usual reason for
+setting edns-udp-size to a non default value it to get UDP answers to
+pass through broken firewalls that block fragmented packets and/or
+block UDP packets that are greater than 512 bytes.
+</P
+></DD
+></DL
+></DIV
+></DIV
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="builtin"
+>6.2.16.16. Built-in server information zones</A
+></H3
+><P
+>The server provides some helpful diagnostic information
+through a number of built-in zones under the
+pseudo-top-level-domain <TT
+CLASS="literal"
+>bind</TT
+> in the
+<B
+CLASS="command"
+>CHAOS</B
+> class.  These zones are part of a
+built-in view (see <A
+HREF="Bv9ARM.ch06.html#view_statement_grammar"
+>Section 6.2.21</A
+>) of class
+<B
+CLASS="command"
+>CHAOS</B
+> which is separate from the default view of
+class <B
+CLASS="command"
+>IN</B
+>; therefore, any global server options
+such as <B
+CLASS="command"
+>allow-query</B
+> do not apply the these zones.
+If you feel the need to disable these zones, use the options
+below, or hide the built-in <B
+CLASS="command"
+>CHAOS</B
+> view by
+defining an explicit view of class <B
+CLASS="command"
+>CHAOS</B
+>
+that matches all clients.</P
+><P
+></P
+><DIV
+CLASS="variablelist"
+><DL
+><DT
+><B
+CLASS="command"
+>version</B
+></DT
+><DD
+><P
+>The version the server should report
+via a query of the name <TT
+CLASS="literal"
+>version.bind</TT
+>
+with type <B
+CLASS="command"
+>TXT</B
+>, class <B
+CLASS="command"
+>CHAOS</B
+>.
+The default is the real version number of this server.
+Specifying <B
+CLASS="command"
+>version none</B
+>
+disables processing of the queries.</P
+></DD
+><DT
+><B
+CLASS="command"
+>hostname</B
+></DT
+><DD
+><P
+>The hostname the server should report via a query of
+the name <TT
+CLASS="filename"
+>hostname.bind</TT
+>
+with type <B
+CLASS="command"
+>TXT</B
+>, class <B
+CLASS="command"
+>CHAOS</B
+>.
+This defaults to the hostname of the machine hosting the name server as
+found by gethostname().  The primary purpose of such queries is to
+identify which of a group of anycast servers is actually
+answering your queries.  Specifying <B
+CLASS="command"
+>hostname none;</B
+>
+disables processing of the queries.</P
+></DD
+><DT
+><B
+CLASS="command"
+>server-id</B
+></DT
+><DD
+><P
+>The ID of the server should report via a query of
+the name <TT
+CLASS="filename"
+>ID.SERVER</TT
+>
+with type <B
+CLASS="command"
+>TXT</B
+>, class <B
+CLASS="command"
+>CHAOS</B
+>.
+The primary purpose of such queries is to
+identify which of a group of anycast servers is actually
+answering your queries.  Specifying <B
+CLASS="command"
+>server-id none;</B
+>
+disables processing of the queries.
+Specifying <B
+CLASS="command"
+>server-id hostname;</B
+> will cause named to
+use the hostname as found by gethostname().
+The default <B
+CLASS="command"
+>server-id</B
+> is <B
+CLASS="command"
+>none</B
+>.
+</P
+></DD
+></DL
+></DIV
+></DIV
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="statsfile"
+>6.2.16.17. The Statistics File</A
+></H3
+><P
+>The statistics file generated by <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 9
 is similar, but not identical, to that
-generated by <acronym class="acronym">BIND</acronym> 8.
-</p>
-<p>The statistics dump begins with a line, like:</p>
-<p>
- <span><strong class="command">+++ Statistics Dump +++ (973798949)</strong></span>
- </p>
-<p>The numberr in parentheses is a standard
+generated by <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 8.
+</P
+><P
+>The statistics dump begins with the line <B
+CLASS="command"
+>+++ Statistics Dump
++++ (973798949)</B
+>, where the number in parentheses is a standard
 Unix-style timestamp, measured as seconds since January 1, 1970.  Following
 that line are a series of lines containing a counter type, the value of the
 counter, optionally a zone name, and optionally a view name.
 The lines without view and zone listed are global statistics for the entire server.
 Lines with a zone and view name for the given view and zone (the view name is
-omitted for the default view).
-</p>
-<p>
-The statistics dump ends with the line where the
-number is identical to the number in the beginning line; for example:
-</p>
-<p>
-<span><strong class="command">--- Statistics Dump --- (973798949)</strong></span>
-</p>
-<p>The following statistics counters are maintained:</p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td><p><span><strong class="command">success</strong></span></p></td>
-<td><p>The number of
+omitted for the default view).  The statistics dump ends
+with the line <B
+CLASS="command"
+>--- Statistics Dump --- (973798949)</B
+>, where the
+number is identical to the number in the beginning line.</P
+><P
+>The following statistics counters are maintained:</P
+><DIV
+CLASS="informaltable"
+><A
+NAME="AEN3255"
+></A
+><P
+></P
+><TABLE
+CELLPADDING="3"
+BORDER="1"
+CLASS="CALSTABLE"
+><TBODY
+><TR
+><TD
+WIDTH="110"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><B
+CLASS="command"
+>success</B
+></P
+></TD
+><TD
+WIDTH="322"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>The number of
 successful queries made to the server or zone.  A successful query
-is defined as query which returns a NOERROR response other than
-a referral response.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">referral</strong></span></p></td>
-<td><p>The number of queries which resulted
-in referral responses.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">nxrrset</strong></span></p></td>
-<td><p>The number of queries which resulted in
-NOERROR responses with no data.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">nxdomain</strong></span></p></td>
-<td><p>The number
-of queries which resulted in NXDOMAIN responses.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">recursion</strong></span></p></td>
-<td><p>The number of queries which caused the server
-to perform recursion in order to find the final answer.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">failure</strong></span></p></td>
-<td><p>The number of queries which resulted in a
-failure response other than those above.</p></td>
-</tr>
-</tbody>
-</table></div>
-<p>
-Each query received by the server will cause exactly one of
-<span><strong class="command">success</strong></span>,
-<span><strong class="command">referral</strong></span>,
-<span><strong class="command">nxrrset</strong></span>,
-<span><strong class="command">nxdomain</strong></span>, or
-<span><strong class="command">failure</strong></span>
+is defined as query which returns a NOERROR response with at least
+one answer RR.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="110"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><B
+CLASS="command"
+>referral</B
+></P
+></TD
+><TD
+WIDTH="322"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>The number of queries which resulted
+in referral responses.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="110"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><B
+CLASS="command"
+>nxrrset</B
+></P
+></TD
+><TD
+WIDTH="322"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>The number of queries which resulted in
+NOERROR responses with no data.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="110"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><B
+CLASS="command"
+>nxdomain</B
+></P
+></TD
+><TD
+WIDTH="322"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>The number
+of queries which resulted in NXDOMAIN responses.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="110"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><B
+CLASS="command"
+>failure</B
+></P
+></TD
+><TD
+WIDTH="322"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>The number of queries which resulted in a
+failure response other than those above.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="110"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><B
+CLASS="command"
+>recursion</B
+></P
+></TD
+><TD
+WIDTH="322"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>The number of queries which caused the server
+to perform recursion in order to find the final answer.</P
+></TD
+></TR
+></TBODY
+></TABLE
+><P
+></P
+></DIV
+><P
+>&#13;Each query received by the server will cause exactly one of
+<B
+CLASS="command"
+>success</B
+>,
+<B
+CLASS="command"
+>referral</B
+>,
+<B
+CLASS="command"
+>nxrrset</B
+>,
+<B
+CLASS="command"
+>nxdomain</B
+>, or
+<B
+CLASS="command"
+>failure</B
+>
 to be incremented, and may additionally cause the
-<span><strong class="command">recursion</strong></span> counter to be incremented.
-</p>
-</div>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="server_statement_grammar"></a><span><strong class="command">server</strong></span> Statement Grammar</h3></div></div></div>
-<pre class="programlisting">server <em class="replaceable"><code>ip_addr</code></em> {
-    [<span class="optional"> bogus <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
-    [<span class="optional"> provide-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
-    [<span class="optional"> request-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
-    [<span class="optional"> edns <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
-    [<span class="optional"> transfers <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> transfer-format <em class="replaceable"><code>( one-answer | many-answers )</code></em> ; ]</span>]
-    [<span class="optional"> keys <em class="replaceable"><code>{ string ; [<span class="optional"> string ; [<span class="optional">...</span>]</span>] }</code></em> ; </span>]
+<B
+CLASS="command"
+>recursion</B
+> counter to be incremented.
+</P
+></DIV
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="server_statement_grammar"
+>6.2.17. <B
+CLASS="command"
+>server</B
+> Statement Grammar</A
+></H2
+><PRE
+CLASS="programlisting"
+>server <TT
+CLASS="replaceable"
+><I
+>ip_addr</I
+></TT
+> {
+    [<SPAN
+CLASS="optional"
+> bogus <TT
+CLASS="replaceable"
+><I
+>yes_or_no</I
+></TT
+> ; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> provide-ixfr <TT
+CLASS="replaceable"
+><I
+>yes_or_no</I
+></TT
+> ; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> request-ixfr <TT
+CLASS="replaceable"
+><I
+>yes_or_no</I
+></TT
+> ; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> edns <TT
+CLASS="replaceable"
+><I
+>yes_or_no</I
+></TT
+> ; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> transfers <TT
+CLASS="replaceable"
+><I
+>number</I
+></TT
+> ; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> transfer-format <TT
+CLASS="replaceable"
+><I
+>( one-answer | many-answers )</I
+></TT
+> ; ]</SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> keys <TT
+CLASS="replaceable"
+><I
+>{ string ; [<SPAN
+CLASS="optional"
+> string ; [<SPAN
+CLASS="optional"
+>...</SPAN
+>]</SPAN
+>] }</I
+></TT
+> ; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> transfer-source (<TT
+CLASS="replaceable"
+><I
+>ip4_addr</I
+></TT
+> | <TT
+CLASS="constant"
+>*</TT
+>) [<SPAN
+CLASS="optional"
+>port <TT
+CLASS="replaceable"
+><I
+>ip_port</I
+></TT
+></SPAN
+>] ; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> transfer-source-v6 (<TT
+CLASS="replaceable"
+><I
+>ip6_addr</I
+></TT
+> | <TT
+CLASS="constant"
+>*</TT
+>) [<SPAN
+CLASS="optional"
+>port <TT
+CLASS="replaceable"
+><I
+>ip_port</I
+></TT
+></SPAN
+>] ; </SPAN
+>]
 };
-</pre>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="server_statement_definition_and_usage"></a><span><strong class="command">server</strong></span> Statement Definition and Usage</h3></div></div></div>
-<p>The <span><strong class="command">server</strong></span> statement defines characteristics
-to be associated with a remote nameserver.</p>
-<p>
-The <span><strong class="command">server</strong></span> statement can occur at the top level of the
-configuration file or inside a <span><strong class="command">view</strong></span> statement.  
-If a <span><strong class="command">view</strong></span> statement contains
-one or more <span><strong class="command">server</strong></span> statements, only those
+</PRE
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="server_statement_definition_and_usage"
+>6.2.18. <B
+CLASS="command"
+>server</B
+> Statement Definition and Usage</A
+></H2
+><P
+>The <B
+CLASS="command"
+>server</B
+> statement defines characteristics
+to be associated with a remote name server.</P
+><P
+>&#13;The <B
+CLASS="command"
+>server</B
+> statement can occur at the top level of the
+configuration file or inside a <B
+CLASS="command"
+>view</B
+> statement.  
+If a <B
+CLASS="command"
+>view</B
+> statement contains
+one or more <B
+CLASS="command"
+>server</B
+> statements, only those
 apply to the view and any top-level ones are ignored.
-If a view contains no <span><strong class="command">server</strong></span> statements,
-any top-level <span><strong class="command">server</strong></span> statements are used as
+If a view contains no <B
+CLASS="command"
+>server</B
+> statements,
+any top-level <B
+CLASS="command"
+>server</B
+> statements are used as
 defaults.
-</p>
-<p>If you discover that a remote server is giving out bad data,
+</P
+><P
+>If you discover that a remote server is giving out bad data,
 marking it as bogus will prevent further queries to it. The default
-value of <span><strong class="command">bogus</strong></span> is <span><strong class="command">no</strong></span>.</p>
-<p>The <span><strong class="command">provide-ixfr</strong></span> clause determines whether
+value of <B
+CLASS="command"
+>bogus</B
+> is <B
+CLASS="command"
+>no</B
+>.</P
+><P
+>The <B
+CLASS="command"
+>provide-ixfr</B
+> clause determines whether
 the local server, acting as master, will respond with an incremental
 zone transfer when the given remote server, a slave, requests it.
-If set to <span><strong class="command">yes</strong></span>, incremental transfer will be provided
-whenever possible. If set to <span><strong class="command">no</strong></span>, all transfers
-to the remote server will be nonincremental. If not set, the value
-of the <span><strong class="command">provide-ixfr</strong></span> option in the view or
-global options block is used as a default.</p>
-<p>The <span><strong class="command">request-ixfr</strong></span> clause determines whether
+If set to <B
+CLASS="command"
+>yes</B
+>, incremental transfer will be provided
+whenever possible. If set to <B
+CLASS="command"
+>no</B
+>, all transfers
+to the remote server will be non-incremental. If not set, the value
+of the <B
+CLASS="command"
+>provide-ixfr</B
+> option in the view or
+global options block is used as a default.</P
+><P
+>The <B
+CLASS="command"
+>request-ixfr</B
+> clause determines whether
 the local server, acting as a slave, will request incremental zone
 transfers from the given remote server, a master. If not set, the
-value of the <span><strong class="command">request-ixfr</strong></span> option in the view or
-global options block is used as a default.</p>
-<p>IXFR requests to servers that do not support IXFR will automatically
+value of the <B
+CLASS="command"
+>request-ixfr</B
+> option in the view or
+global options block is used as a default.</P
+><P
+>IXFR requests to servers that do not support IXFR will automatically
 fall back to AXFR.  Therefore, there is no need to manually list
 which servers support IXFR and which ones do not; the global default
-of <span><strong class="command">yes</strong></span> should always work.
-The purpose of the <span><strong class="command">provide-ixfr</strong></span> and
-<span><strong class="command">request-ixfr</strong></span> clauses is
+of <B
+CLASS="command"
+>yes</B
+> should always work.
+The purpose of the <B
+CLASS="command"
+>provide-ixfr</B
+> and
+<B
+CLASS="command"
+>request-ixfr</B
+> clauses is
 to make it possible to disable the use of IXFR even when both master
 and slave claim to support it, for example if one of the servers
-is buggy and crashes or corrupts data when IXFR is used.</p>
-<p>The <span><strong class="command">edns</strong></span> clause determines whether the local server
+is buggy and crashes or corrupts data when IXFR is used.</P
+><P
+>The <B
+CLASS="command"
+>edns</B
+> clause determines whether the local server
 will attempt to use EDNS when communicating with the remote server.  The
-default is <span><strong class="command">yes</strong></span>.</p>
-<p>The server supports two zone transfer methods. The first, <span><strong class="command">one-answer</strong></span>,
-uses one DNS message per resource record transferred. <span><strong class="command">many-answers</strong></span> packs
-as many resource records as possible into a message. <span><strong class="command">many-answers</strong></span> is
-more efficient, but is only known to be understood by <acronym class="acronym">BIND</acronym> 9, <acronym class="acronym">BIND</acronym>
-8.x, and patched versions of <acronym class="acronym">BIND</acronym> 4.9.5. You can specify which method
-to use for a server with the <span><strong class="command">transfer-format</strong></span> option.
-If <span><strong class="command">transfer-format</strong></span> is not specified, the <span><strong class="command">transfer-format</strong></span> specified
-by the <span><strong class="command">options</strong></span> statement will be used.</p>
-<p><span><strong class="command">transfers</strong></span> is used to limit the number of
+default is <B
+CLASS="command"
+>yes</B
+>.</P
+><P
+>The server supports two zone transfer methods. The first, <B
+CLASS="command"
+>one-answer</B
+>,
+uses one DNS message per resource record transferred. <B
+CLASS="command"
+>many-answers</B
+> packs
+as many resource records as possible into a message. <B
+CLASS="command"
+>many-answers</B
+> is
+more efficient, but is only known to be understood by <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 9, <SPAN
+CLASS="acronym"
+>BIND</SPAN
+>
+8.x, and patched versions of <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 4.9.5. You can specify which method
+to use for a server with the <B
+CLASS="command"
+>transfer-format</B
+> option.
+If <B
+CLASS="command"
+>transfer-format</B
+> is not specified, the <B
+CLASS="command"
+>transfer-format</B
+> specified
+by the <B
+CLASS="command"
+>options</B
+> statement will be used.</P
+><P
+><B
+CLASS="command"
+>transfers</B
+> is used to limit the number of
 concurrent inbound zone transfers from the specified server. If
-no <span><strong class="command">transfers</strong></span> clause is specified, the limit is
-set according to the <span><strong class="command">transfers-per-ns</strong></span> option.</p>
-<p>The <span><strong class="command">keys</strong></span> clause is used to identify a <span><strong class="command">key_id</strong></span> defined
-by the <span><strong class="command">key</strong></span> statement, to be used for transaction
-security when talking to the remote server. The <span><strong class="command">key</strong></span> statement
-must come before the <span><strong class="command">server</strong></span> statement that references
-it. When a request is sent to the remote server, a request signature
+no <B
+CLASS="command"
+>transfers</B
+> clause is specified, the limit is
+set according to the <B
+CLASS="command"
+>transfers-per-ns</B
+> option.</P
+><P
+>The <B
+CLASS="command"
+>keys</B
+> clause identifies a
+<B
+CLASS="command"
+>key_id</B
+> defined by the <B
+CLASS="command"
+>key</B
+> statement,
+to be used for transaction security (TSIG, <A
+HREF="Bv9ARM.ch04.html#tsig"
+>Section 4.5</A
+>)
+when talking to the remote server. 
+When a request is sent to the remote server, a request signature
 will be generated using the key specified here and appended to the
 message. A request originating from the remote server is not required
-to be signed by this key.</p>
-<p>Although the grammar of the <span><strong class="command">keys</strong></span> clause
+to be signed by this key.</P
+><P
+>Although the grammar of the <B
+CLASS="command"
+>keys</B
+> clause
 allows for multiple keys, only a single key per server is currently
-supported.</p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2579171"></a><span><strong class="command">trusted-keys</strong></span> Statement Grammar</h3></div></div></div>
-<pre class="programlisting">trusted-keys {
-    <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ;
-    [<span class="optional"> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; [<span class="optional">...</span>]</span>]
+supported.</P
+><P
+>The <B
+CLASS="command"
+>transfer-source</B
+> and
+<B
+CLASS="command"
+>transfer-source-v6</B
+> clauses specify the IPv4 and IPv6 source
+address to be used for zone transfer with the remote server, respectively.
+For an IPv4 remote server, only <B
+CLASS="command"
+>transfer-source</B
+> can
+be specified.
+Similarly, for an IPv6 remote server, only
+<B
+CLASS="command"
+>transfer-source-v6</B
+> can be specified.
+Form more details, see the description of
+<B
+CLASS="command"
+>transfer-source</B
+> and
+<B
+CLASS="command"
+>transfer-source-v6</B
+> in
+<A
+HREF="Bv9ARM.ch06.html#zone_transfers"
+>Section 6.2.16.7</A
+>.</P
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN3394"
+>6.2.19. <B
+CLASS="command"
+>trusted-keys</B
+> Statement Grammar</A
+></H2
+><PRE
+CLASS="programlisting"
+>trusted-keys {
+    <TT
+CLASS="replaceable"
+><I
+>string</I
+></TT
+> <TT
+CLASS="replaceable"
+><I
+>number</I
+></TT
+> <TT
+CLASS="replaceable"
+><I
+>number</I
+></TT
+> <TT
+CLASS="replaceable"
+><I
+>number</I
+></TT
+> <TT
+CLASS="replaceable"
+><I
+>string</I
+></TT
+> ;
+    [<SPAN
+CLASS="optional"
+> <TT
+CLASS="replaceable"
+><I
+>string</I
+></TT
+> <TT
+CLASS="replaceable"
+><I
+>number</I
+></TT
+> <TT
+CLASS="replaceable"
+><I
+>number</I
+></TT
+> <TT
+CLASS="replaceable"
+><I
+>number</I
+></TT
+> <TT
+CLASS="replaceable"
+><I
+>string</I
+></TT
+> ; [<SPAN
+CLASS="optional"
+>...</SPAN
+>]</SPAN
+>]
 };
-</pre>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2579219"></a><span><strong class="command">trusted-keys</strong></span> Statement Definition
-and Usage</h3></div></div></div>
-<p>The <span><strong class="command">trusted-keys</strong></span> statement defines DNSSEC
-security roots. DNSSEC is described in <a href="Bv9ARM.ch04.html#DNSSEC" title="DNSSEC">the section called &#8220;DNSSEC&#8221;</a>. A security root is defined when the public key for a non-authoritative
+</PRE
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN3410"
+>6.2.20. <B
+CLASS="command"
+>trusted-keys</B
+> Statement Definition
+and Usage</A
+></H2
+><P
+>The <B
+CLASS="command"
+>trusted-keys</B
+> statement defines DNSSEC
+security roots. DNSSEC is described in <A
+HREF="Bv9ARM.ch04.html#DNSSEC"
+>Section 4.8</A
+>. A security root is defined when the public key for a non-authoritative
 zone is known, but cannot be securely obtained through DNS, either
-because it is the  DNS root zone or its parent zone is unsigned.
+because it is the  DNS root zone or because its parent zone is unsigned.
 Once a key has been configured as a trusted key, it is treated as
 if it had been validated and proven secure. The resolver attempts
-DNSSEC validation on all DNS data in subdomains of a security root.</p>
-<p>The <span><strong class="command">trusted-keys</strong></span> statement can contain
+DNSSEC validation on all DNS data in subdomains of a security root.</P
+><P
+>The <B
+CLASS="command"
+>trusted-keys</B
+> statement can contain
 multiple key entries, each consisting of the key's domain name,
 flags, protocol, algorithm, and the base-64 representation of the
-key data.</p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2579242"></a><span><strong class="command">view</strong></span> Statement Grammar</h3></div></div></div>
-<pre class="programlisting">view <em class="replaceable"><code>view_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
-      match-clients { <em class="replaceable"><code>address_match_list</code></em> } ;
-      match-destinations { <em class="replaceable"><code>address_match_list</code></em> } ;
-      match-recursive-only <em class="replaceable"><code>yes_or_no</code></em> ;
-      [<span class="optional"> <em class="replaceable"><code>view_option</code></em>; ...</span>]
-      [<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
-      [<span class="optional"> <em class="replaceable"><code>zone_statement</code></em>; ...</span>]
+key data.</P
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="view_statement_grammar"
+>6.2.21. <B
+CLASS="command"
+>view</B
+> Statement Grammar</A
+></H2
+><PRE
+CLASS="programlisting"
+>view <TT
+CLASS="replaceable"
+><I
+>view_name</I
+></TT
+> 
+      [<SPAN
+CLASS="optional"
+><TT
+CLASS="replaceable"
+><I
+>class</I
+></TT
+></SPAN
+>] {
+      match-clients { <TT
+CLASS="replaceable"
+><I
+>address_match_list</I
+></TT
+> } ;
+      match-destinations { <TT
+CLASS="replaceable"
+><I
+>address_match_list</I
+></TT
+> } ;
+      match-recursive-only <TT
+CLASS="replaceable"
+><I
+>yes_or_no</I
+></TT
+> ;
+      [<SPAN
+CLASS="optional"
+> <TT
+CLASS="replaceable"
+><I
+>view_option</I
+></TT
+>; ...</SPAN
+>]
+      [<SPAN
+CLASS="optional"
+> <TT
+CLASS="replaceable"
+><I
+>zone_statement</I
+></TT
+>; ...</SPAN
+>]
 };
-</pre>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2579290"></a><span><strong class="command">view</strong></span> Statement Definition and Usage</h3></div></div></div>
-<p>The <span><strong class="command">view</strong></span> statement is a powerful new feature
-of <acronym class="acronym">BIND</acronym> 9 that lets a name server answer a DNS query differently
+</PRE
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN3432"
+>6.2.22. <B
+CLASS="command"
+>view</B
+> Statement Definition and Usage</A
+></H2
+><P
+>The <B
+CLASS="command"
+>view</B
+> statement is a powerful new feature
+of <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 9 that lets a name server answer a DNS query differently
 depending on who is asking. It is particularly useful for implementing
-split DNS setups without having to run multiple servers.</p>
-<p>Each <span><strong class="command">view</strong></span> statement defines a view of the
+split DNS setups without having to run multiple servers.</P
+><P
+>Each <B
+CLASS="command"
+>view</B
+> statement defines a view of the
 DNS namespace that will be seen by a subset of clients.  A client matches
 a view if its source IP address matches the 
-<code class="varname">address_match_list</code> of the view's
-<span><strong class="command">match-clients</strong></span> clause and its destination IP address matches
-the <code class="varname">address_match_list</code> of the view's
-<span><strong class="command">match-destinations</strong></span> clause.  If not specified, both
-<span><strong class="command">match-clients</strong></span> and <span><strong class="command">match-destinations</strong></span>
-default to matching all addresses.  A view can also be specified
-as <span><strong class="command">match-recursive-only</strong></span>, which means that only recursive
+<TT
+CLASS="varname"
+>address_match_list</TT
+> of the view's
+<B
+CLASS="command"
+>match-clients</B
+> clause and its destination IP address matches
+the <TT
+CLASS="varname"
+>address_match_list</TT
+> of the view's
+<B
+CLASS="command"
+>match-destinations</B
+> clause.  If not specified, both
+<B
+CLASS="command"
+>match-clients</B
+> and <B
+CLASS="command"
+>match-destinations</B
+>
+default to matching all addresses.  In addition to checking IP addresses
+<B
+CLASS="command"
+>match-clients</B
+> and <B
+CLASS="command"
+>match-destinations</B
+>
+can also take <B
+CLASS="command"
+>keys</B
+> which provide an mechanism for the
+client to select the view.  A view can also be specified
+as <B
+CLASS="command"
+>match-recursive-only</B
+>, which means that only recursive
 requests from matching clients will match that view.
-The order of the <span><strong class="command">view</strong></span> statements is significant &#8212; 
+The order of the <B
+CLASS="command"
+>view</B
+> statements is significant &#8212;
 a client request will be resolved in the context of the first
-<span><strong class="command">view</strong></span> that it matches.</p>
-<p>Zones defined within a <span><strong class="command">view</strong></span> statement will
-be only be accessible to clients that match the <span><strong class="command">view</strong></span>.
+<B
+CLASS="command"
+>view</B
+> that it matches.</P
+><P
+>Zones defined within a <B
+CLASS="command"
+>view</B
+> statement will
+be only be accessible to clients that match the <B
+CLASS="command"
+>view</B
+>.
  By defining a zone of the same name in multiple views, different
 zone data can be given to different clients, for example, "internal"
-and "external" clients in a split DNS setup.</p>
-<p>Many of the options given in the <span><strong class="command">options</strong></span> statement
-can also be used within a <span><strong class="command">view</strong></span> statement, and then
+and "external" clients in a split DNS setup.</P
+><P
+>Many of the options given in the <B
+CLASS="command"
+>options</B
+> statement
+can also be used within a <B
+CLASS="command"
+>view</B
+> statement, and then
 apply only when resolving queries with that view.  When no view-specific
-value is given, the value in the <span><strong class="command">options</strong></span> statement
+value is given, the value in the <B
+CLASS="command"
+>options</B
+> statement
 is used as a default.  Also, zone options can have default values specified
-in the <span><strong class="command">view</strong></span> statement; these view-specific defaults
-take precedence over those in the <span><strong class="command">options</strong></span> statement.</p>
-<p>Views are class specific.  If no class is given, class IN
+in the <B
+CLASS="command"
+>view</B
+> statement; these view-specific defaults
+take precedence over those in the <B
+CLASS="command"
+>options</B
+> statement.</P
+><P
+>Views are class specific.  If no class is given, class IN
 is assumed.  Note that all non-IN views must contain a hint zone,
-since only the IN class has compiled-in default hints.</p>
-<p>If there are no <span><strong class="command">view</strong></span> statements in the config
+since only the IN class has compiled-in default hints.</P
+><P
+>If there are no <B
+CLASS="command"
+>view</B
+> statements in the config
 file, a default view that matches any client is automatically created
-in class IN, and any <span><strong class="command">zone</strong></span> statements specified on
+in class IN. Any <B
+CLASS="command"
+>zone</B
+> statements specified on
 the top level of the configuration file are considered to be part of
-this default view.  If any explicit <span><strong class="command">view</strong></span> statements
-are present, all <span><strong class="command">zone</strong></span> statements must occur inside
-<span><strong class="command">view</strong></span> statements.</p>
-<p>Here is an example of a typical split DNS setup implemented
-using <span><strong class="command">view</strong></span> statements:</p>
-<pre class="programlisting">view "internal" {
-               // This should match our internal networks.
+this default view, and the <B
+CLASS="command"
+>options</B
+> statement will
+apply to the default view. If any explicit <B
+CLASS="command"
+>view</B
+>
+statements are present, all <B
+CLASS="command"
+>zone</B
+> statements must
+occur inside <B
+CLASS="command"
+>view</B
+> statements.</P
+><P
+>Here is an example of a typical split DNS setup implemented
+using <B
+CLASS="command"
+>view</B
+> statements.</P
+><PRE
+CLASS="programlisting"
+>view "internal" {
+      // This should match our internal networks.
       match-clients { 10.0.0.0/8; };
-               // Provide recursive service to internal clients only.
+
+      // Provide recursive service to internal clients only.
       recursion yes;
-               // Provide a complete view of the example.com zone
-               // including addresses of internal hosts.
+
+      // Provide a complete view of the example.com zone
+      // including addresses of internal hosts.
       zone "example.com" {
             type master;
             file "example-internal.db";
       };
 };
+
 view "external" {
+      // Match all clients not matched by the previous view.
       match-clients { any; };
-               // Refuse recursive service to external clients.
+
+      // Refuse recursive service to external clients.
       recursion no;
-               // Provide a restricted view of the example.com zone
-               // containing only publicly accessible hosts.
+
+      // Provide a restricted view of the example.com zone
+      // containing only publicly accessible hosts.
       zone "example.com" {
            type master;
            file "example-external.db";
       };
 };
-</pre>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="zone_statement_grammar"></a><span><strong class="command">zone</strong></span>
-Statement Grammar</h3></div></div></div>
-<pre class="programlisting">zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
-    type master;
-    [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> } ; </span>]
-    [<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> } ; </span>]
-    [<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> } ; </span>]
-    [<span class="optional"> update-policy { <em class="replaceable"><code>update_policy_rule</code></em> [<span class="optional">...</span>] } ; </span>]
-    [<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
-    [<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
-    [<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em> ; </span>]
-    [<span class="optional"> file <em class="replaceable"><code>string</code></em> ; </span>]
-    [<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
-    [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
-    [<span class="optional"> ixfr-base <em class="replaceable"><code>string</code></em> ; </span>]
-    [<span class="optional"> ixfr-tmp-file <em class="replaceable"><code>string</code></em> ; </span>]
-    [<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
-    [<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> ; </span>]
-    [<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
-    [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
-    [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
-    [<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
-    [<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> database <em class="replaceable"><code>string</code></em> ; </span>]
-    [<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
-};
+</PRE
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="zone_statement_grammar"
+>6.2.23. <B
+CLASS="command"
+>zone</B
+>
+Statement Grammar</A
+></H2
+><PRE
+CLASS="programlisting"
+>zone <TT
+CLASS="replaceable"
+><I
+>zone_name</I
+></TT
+> [<SPAN
+CLASS="optional"
+><TT
+CLASS="replaceable"
+><I
+>class</I
+></TT
+></SPAN
+>] [<SPAN
+CLASS="optional"
+>{ 
+    type ( master | slave | hint | stub | forward | delegation-only ) ;
+    [<SPAN
+CLASS="optional"
+> allow-notify { <TT
+CLASS="replaceable"
+><I
+>address_match_list</I
+></TT
+> } ; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> allow-query { <TT
+CLASS="replaceable"
+><I
+>address_match_list</I
+></TT
+> } ; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> allow-transfer { <TT
+CLASS="replaceable"
+><I
+>address_match_list</I
+></TT
+> } ; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> allow-update { <TT
+CLASS="replaceable"
+><I
+>address_match_list</I
+></TT
+> } ; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> update-policy { <TT
+CLASS="replaceable"
+><I
+>update_policy_rule</I
+></TT
+> [<SPAN
+CLASS="optional"
+>...</SPAN
+>] } ; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> allow-update-forwarding { <TT
+CLASS="replaceable"
+><I
+>address_match_list</I
+></TT
+> } ; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> also-notify { <TT
+CLASS="replaceable"
+><I
+>ip_addr</I
+></TT
+> [<SPAN
+CLASS="optional"
+>port <TT
+CLASS="replaceable"
+><I
+>ip_port</I
+></TT
+></SPAN
+>] ; [<SPAN
+CLASS="optional"
+> <TT
+CLASS="replaceable"
+><I
+>ip_addr</I
+></TT
+> [<SPAN
+CLASS="optional"
+>port <TT
+CLASS="replaceable"
+><I
+>ip_port</I
+></TT
+></SPAN
+>] ; ... </SPAN
+>] }; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> check-names (<TT
+CLASS="constant"
+>warn</TT
+>|<TT
+CLASS="constant"
+>fail</TT
+>|<TT
+CLASS="constant"
+>ignore</TT
+>) ; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> dialup <TT
+CLASS="replaceable"
+><I
+>dialup_option</I
+></TT
+> ; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> delegation-only <TT
+CLASS="replaceable"
+><I
+>yes_or_no</I
+></TT
+> ; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> file <TT
+CLASS="replaceable"
+><I
+>string</I
+></TT
+> ; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> forward (<TT
+CLASS="constant"
+>only</TT
+>|<TT
+CLASS="constant"
+>first</TT
+>) ; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> forwarders { <TT
+CLASS="replaceable"
+><I
+>ip_addr</I
+></TT
+> [<SPAN
+CLASS="optional"
+>port <TT
+CLASS="replaceable"
+><I
+>ip_port</I
+></TT
+></SPAN
+>] ; [<SPAN
+CLASS="optional"
+> <TT
+CLASS="replaceable"
+><I
+>ip_addr</I
+></TT
+> [<SPAN
+CLASS="optional"
+>port <TT
+CLASS="replaceable"
+><I
+>ip_port</I
+></TT
+></SPAN
+>] ; ... </SPAN
+>] }; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> ixfr-base <TT
+CLASS="replaceable"
+><I
+>string</I
+></TT
+> ; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> ixfr-tmp-file <TT
+CLASS="replaceable"
+><I
+>string</I
+></TT
+> ; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> maintain-ixfr-base <TT
+CLASS="replaceable"
+><I
+>yes_or_no</I
+></TT
+> ; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> masters [<SPAN
+CLASS="optional"
+>port <TT
+CLASS="replaceable"
+><I
+>ip_port</I
+></TT
+></SPAN
+>] { ( <TT
+CLASS="replaceable"
+><I
+>masters_list</I
+></TT
+> | <TT
+CLASS="replaceable"
+><I
+>ip_addr</I
+></TT
+> [<SPAN
+CLASS="optional"
+>port <TT
+CLASS="replaceable"
+><I
+>ip_port</I
+></TT
+></SPAN
+>] [<SPAN
+CLASS="optional"
+>key <TT
+CLASS="replaceable"
+><I
+>key</I
+></TT
+></SPAN
+>] ) ; [<SPAN
+CLASS="optional"
+>...</SPAN
+>] } ; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> max-ixfr-log-size <TT
+CLASS="replaceable"
+><I
+>number</I
+></TT
+> ; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> max-transfer-idle-in <TT
+CLASS="replaceable"
+><I
+>number</I
+></TT
+> ; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> max-transfer-idle-out <TT
+CLASS="replaceable"
+><I
+>number</I
+></TT
+> ; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> max-transfer-time-in <TT
+CLASS="replaceable"
+><I
+>number</I
+></TT
+> ; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> max-transfer-time-out <TT
+CLASS="replaceable"
+><I
+>number</I
+></TT
+> ; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> notify <TT
+CLASS="replaceable"
+><I
+>yes_or_no</I
+></TT
+> | <TT
+CLASS="replaceable"
+><I
+>explicit</I
+></TT
+> ; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> pubkey <TT
+CLASS="replaceable"
+><I
+>number</I
+></TT
+> <TT
+CLASS="replaceable"
+><I
+>number</I
+></TT
+> <TT
+CLASS="replaceable"
+><I
+>number</I
+></TT
+> <TT
+CLASS="replaceable"
+><I
+>string</I
+></TT
+> ; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> transfer-source (<TT
+CLASS="replaceable"
+><I
+>ip4_addr</I
+></TT
+> | <TT
+CLASS="constant"
+>*</TT
+>) [<SPAN
+CLASS="optional"
+>port <TT
+CLASS="replaceable"
+><I
+>ip_port</I
+></TT
+></SPAN
+>] ; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> transfer-source-v6 (<TT
+CLASS="replaceable"
+><I
+>ip6_addr</I
+></TT
+> | <TT
+CLASS="constant"
+>*</TT
+>) [<SPAN
+CLASS="optional"
+>port <TT
+CLASS="replaceable"
+><I
+>ip_port</I
+></TT
+></SPAN
+>] ; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> alt-transfer-source (<TT
+CLASS="replaceable"
+><I
+>ip4_addr</I
+></TT
+> | <TT
+CLASS="constant"
+>*</TT
+>) [<SPAN
+CLASS="optional"
+>port <TT
+CLASS="replaceable"
+><I
+>ip_port</I
+></TT
+></SPAN
+>] ; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> alt-transfer-source-v6 (<TT
+CLASS="replaceable"
+><I
+>ip6_addr</I
+></TT
+> | <TT
+CLASS="constant"
+>*</TT
+>) [<SPAN
+CLASS="optional"
+>port <TT
+CLASS="replaceable"
+><I
+>ip_port</I
+></TT
+></SPAN
+>] ; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> use-alt-transfer-source <TT
+CLASS="replaceable"
+><I
+>yes_or_no</I
+></TT
+>; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> notify-source (<TT
+CLASS="replaceable"
+><I
+>ip4_addr</I
+></TT
+> | <TT
+CLASS="constant"
+>*</TT
+>) [<SPAN
+CLASS="optional"
+>port <TT
+CLASS="replaceable"
+><I
+>ip_port</I
+></TT
+></SPAN
+>] ; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> notify-source-v6 (<TT
+CLASS="replaceable"
+><I
+>ip6_addr</I
+></TT
+> | <TT
+CLASS="constant"
+>*</TT
+>) [<SPAN
+CLASS="optional"
+>port <TT
+CLASS="replaceable"
+><I
+>ip_port</I
+></TT
+></SPAN
+>] ; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> zone-statistics <TT
+CLASS="replaceable"
+><I
+>yes_or_no</I
+></TT
+> ; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> sig-validity-interval <TT
+CLASS="replaceable"
+><I
+>number</I
+></TT
+> ; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> database <TT
+CLASS="replaceable"
+><I
+>string</I
+></TT
+> ; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> min-refresh-time <TT
+CLASS="replaceable"
+><I
+>number</I
+></TT
+> ; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> max-refresh-time <TT
+CLASS="replaceable"
+><I
+>number</I
+></TT
+> ; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> min-retry-time <TT
+CLASS="replaceable"
+><I
+>number</I
+></TT
+> ; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> max-retry-time <TT
+CLASS="replaceable"
+><I
+>number</I
+></TT
+> ; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> multi-master <TT
+CLASS="replaceable"
+><I
+>yes_or_no</I
+></TT
+> ; </SPAN
+>]
+    [<SPAN
+CLASS="optional"
+> key-directory <TT
+CLASS="replaceable"
+><I
+>path_name</I
+></TT
+>; </SPAN
+>]
 
-zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
-    type slave;
-    [<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> } ; </span>]
-    [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> } ; </span>]
-    [<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> } ; </span>]
-    [<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> } ; </span>]
-    [<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
-    [<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
-    [<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em> ; </span>]
-    [<span class="optional"> file <em class="replaceable"><code>string</code></em> ; </span>]
-    [<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
-    [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
-    [<span class="optional"> ixfr-base <em class="replaceable"><code>string</code></em> ; </span>]
-    [<span class="optional"> ixfr-tmp-file <em class="replaceable"><code>string</code></em> ; </span>]
-    [<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
-    [<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>]; [<span class="optional">...</span>] } ; </span>]
-    [<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> ; </span>]
-    [<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
-    [<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
-    [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
-    [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
-    [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
-    [<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
-    [<span class="optional"> database <em class="replaceable"><code>string</code></em> ; </span>]
-    [<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
-};
-
-zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
-    type hint;
-    [<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
-    [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
-    [<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
-    [<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
-};
-
-zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
-    type stub;
-    [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> } ; </span>]
-    [<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
-    [<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em> ; </span>]
-    [<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
-    [<span class="optional"> file <em class="replaceable"><code>string</code></em> ; </span>]
-    [<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
-    [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
-    [<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>]; [<span class="optional">...</span>] } ; </span>]
-    [<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
-    [<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
-    [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
-    [<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
-    [<span class="optional"> database <em class="replaceable"><code>string</code></em> ; </span>]
-    [<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
-};
-
-zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
-    type forward;
-    [<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
-    [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
-    [<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
-};
-
-zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
-    type delegation-only;
-};
-</pre>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2580473"></a><span><strong class="command">zone</strong></span> Statement Definition and Usage</h3></div></div></div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2580480"></a>Zone Types</h4></div></div></div>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td><p><code class="varname">master</code></p></td>
-<td><p>The server has a master copy of the data
+}</SPAN
+>];
+</PRE
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN3606"
+>6.2.24. <B
+CLASS="command"
+>zone</B
+> Statement Definition and Usage</A
+></H2
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="AEN3609"
+>6.2.24.1. Zone Types</A
+></H3
+><DIV
+CLASS="informaltable"
+><A
+NAME="AEN3611"
+></A
+><P
+></P
+><TABLE
+CELLPADDING="3"
+BORDER="1"
+CLASS="CALSTABLE"
+><TBODY
+><TR
+><TD
+WIDTH="87"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="varname"
+>master</TT
+></P
+></TD
+><TD
+WIDTH="405"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>The server has a master copy of the data
 for the zone and will be able to provide authoritative answers for
-it.</p></td>
-</tr>
-<tr>
-<td><p><code class="varname">slave</code></p></td>
-<td><p>A slave zone is a replica of a master
-zone. The <span><strong class="command">masters</strong></span> list specifies one or more IP addresses
+it.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="87"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="varname"
+>slave</TT
+></P
+></TD
+><TD
+WIDTH="405"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>A slave zone is a replica of a master
+zone. The <B
+CLASS="command"
+>masters</B
+> list specifies one or more IP addresses
 of master servers that the slave contacts to update its copy of the zone.
+Masters list elements can also be names of other masters lists.
 By default, transfers are made from port 53 on the servers; this can
 be changed for all servers by specifying a port number before the
 list of IP addresses, or on a per-server basis after the IP address.
@@ -2532,592 +9600,1941 @@ Authentication to the master can also be done with per-server TSIG keys.
 If a file is specified, then the
 replica will be written to this file whenever the zone is changed,
 and reloaded from this file on a server restart. Use of a file is
-recommended, since it often speeds server startup and eliminates
+recommended, since it often speeds server start-up and eliminates
 a needless waste of bandwidth. Note that for large numbers (in the
 tens or hundreds of thousands) of zones per server, it is best to
-use a two-level naming scheme for zone filenames. For example,
-a slave server for the zone <code class="literal">example.com</code> might place
+use a two level naming scheme for zone file names. For example,
+a slave server for the zone <TT
+CLASS="literal"
+>example.com</TT
+> might place
 the zone contents into a file called
-<code class="filename">ex/example.com</code> where <code class="filename">ex/</code> is
+<TT
+CLASS="filename"
+>ex/example.com</TT
+> where <TT
+CLASS="filename"
+>ex/</TT
+> is
 just the first two letters of the zone name. (Most operating systems
-behave very slowly if you put 100K files into a single directory.)</p></td>
-</tr>
-<tr>
-<td><p><code class="varname">stub</code></p></td>
-<td>
-<p>A stub zone is similar to a slave zone,
+behave very slowly if you put 100 000 files into
+a single directory.)</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="87"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="varname"
+>stub</TT
+></P
+></TD
+><TD
+WIDTH="405"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>A stub zone is similar to a slave zone,
 except that it replicates only the NS records of a master zone instead
 of the entire zone. Stub zones are not a standard part of the DNS;
-they are a feature specific to the <acronym class="acronym">BIND</acronym> implementation.
-</p>
+they are a feature specific to the <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> implementation.
+</P
+>
 
-<p>Stub zones can be used to eliminate the need for glue NS record
+<P
+>Stub zones can be used to eliminate the need for glue NS record
 in a parent zone at the expense of maintaining a stub zone entry and
-a set of name server addresses in <code class="filename">named.conf</code>.
+a set of name server addresses in <TT
+CLASS="filename"
+>named.conf</TT
+>.
 This usage is not recommended for new configurations, and BIND 9
 supports it only in a limited way.
-In <acronym class="acronym">BIND</acronym> 4/8, zone transfers of a parent zone
+In <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 4/8, zone transfers of a parent zone
 included the NS records from stub children of that zone. This meant
 that, in some cases, users could get away with configuring child stubs
-only in the master server for the parent zone. <acronym class="acronym">BIND</acronym>
+only in the master server for the parent zone. <SPAN
+CLASS="acronym"
+>BIND</SPAN
+>
 9 never mixes together zone data from different zones in this
-way. Therefore, if a <acronym class="acronym">BIND</acronym> 9 master serving a parent
+way. Therefore, if a <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 9 master serving a parent
 zone has child stub zones configured, all the slave servers for the
 parent zone also need to have the same child stub zones
-configured.</p>
+configured.</P
+>
 
-<p>Stub zones can also be used as a way of forcing the resolution
+<P
+>Stub zones can also be used as a way of forcing the resolution
 of a given domain to use a particular set of authoritative servers.
 For example, the caching name servers on a private network using
-RFC1918 addressing may be configured with stub zones for
-<code class="literal">10.in-addr.arpa</code>
+RFC1981 addressing may be configured with stub zones for
+<TT
+CLASS="literal"
+>10.in-addr.arpa</TT
+>
 to use a set of internal name servers as the authoritative
-servers for that domain.</p>
-</td>
-</tr>
-<tr>
-<td><p><code class="varname">forward</code></p></td>
-<td>
-<p>A "forward zone" is a way to configure
-forwarding on a per-domain basis.  A <span><strong class="command">zone</strong></span> statement
-of type <span><strong class="command">forward</strong></span> can contain a <span><strong class="command">forward</strong></span> and/or <span><strong class="command">forwarders</strong></span> statement,
+servers for that domain.</P
+>
+</TD
+></TR
+><TR
+><TD
+WIDTH="87"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="varname"
+>forward</TT
+></P
+></TD
+><TD
+WIDTH="405"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>A "forward zone" is a way to configure
+forwarding on a per-domain basis.  A <B
+CLASS="command"
+>zone</B
+> statement
+of type <B
+CLASS="command"
+>forward</B
+> can contain a <B
+CLASS="command"
+>forward</B
+> and/or <B
+CLASS="command"
+>forwarders</B
+> statement,
 which will apply to queries within the domain given by the zone
-name. If no <span><strong class="command">forwarders</strong></span> statement is present or
-an empty list for <span><strong class="command">forwarders</strong></span> is given, then no
+name. If no <B
+CLASS="command"
+>forwarders</B
+> statement is present or
+an empty list for <B
+CLASS="command"
+>forwarders</B
+> is given, then no
 forwarding will be done for the domain, canceling the effects of
-any forwarders in the <span><strong class="command">options</strong></span> statement. Thus
+any forwarders in the <B
+CLASS="command"
+>options</B
+> statement. Thus
 if you want to use this type of zone to change the behavior of the
-global <span><strong class="command">forward</strong></span> option (that is, "forward first"
-to, then "forward only", or vice versa, but want to use the same
-servers as set globally) you need to respecify the global forwarders.</p>
-</td>
-</tr>
-<tr>
-<td><p><code class="varname">hint</code></p></td>
-<td><p>The initial set of root nameservers is
+global <B
+CLASS="command"
+>forward</B
+> option (that is, "forward first
+to", then "forward only", or vice versa, but want to use the same
+servers as set globally) you need to re-specify the global forwarders.</P
+>
+</TD
+></TR
+><TR
+><TD
+WIDTH="87"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="varname"
+>hint</TT
+></P
+></TD
+><TD
+WIDTH="405"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>The initial set of root name servers is
 specified using a "hint zone". When the server starts up, it uses
-the root hints to find a root nameserver and get the most recent
-list of root nameservers. If no hint zone is specified for class
+the root hints to find a root name server and get the most recent
+list of root name servers. If no hint zone is specified for class
 IN, the server uses a compiled-in default set of root servers hints.
-Classes other than IN have no built-in defaults hints.</p></td>
-</tr>
-<tr>
-<td><p><code class="varname">delegation-only</code></p></td>
-<td>
-<p>This is used to enforce the delegation only
+Classes other than IN have no built-in defaults hints.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="87"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="varname"
+>delegation-only</TT
+></P
+></TD
+><TD
+WIDTH="405"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>This is used to enforce the delegation only
 status of infrastructure zones (e.g. COM, NET, ORG).  Any answer that
-is received without a explicit or implict delegation in the authority
+is received without a explicit or implicit delegation in the authority
 section will be treated as NXDOMAIN.  This does not apply to the zone
-apex.  This SHOULD NOT be applied to leaf zones.</p>
-<p><code class="varname">delegation-only</code> has no effect on answers received
-from forwarders.</p>
-</td>
-</tr>
-</tbody>
-</table></div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2580717"></a>Class</h4></div></div></div>
-<p>The zone's name may optionally be followed by a class. If
-a class is not specified, class <code class="literal">IN</code> (for <code class="varname">Internet</code>),
-is assumed. This is correct for the vast majority of cases.</p>
-<p>The <code class="literal">hesiod</code> class is
+apex.  This SHOULD NOT be applied to leaf zones.</P
+>
+<P
+><TT
+CLASS="varname"
+>delegation-only</TT
+> has no effect on answers received
+from forwarders.</P
+></TD
+></TR
+></TBODY
+></TABLE
+><P
+></P
+></DIV
+></DIV
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="AEN3674"
+>6.2.24.2. Class</A
+></H3
+><P
+>The zone's name may optionally be followed by a class. If
+a class is not specified, class <TT
+CLASS="literal"
+>IN</TT
+> (for <TT
+CLASS="varname"
+>Internet</TT
+>),
+is assumed. This is correct for the vast majority of cases.</P
+><P
+>The <TT
+CLASS="literal"
+>hesiod</TT
+> class is
 named for an information service from MIT's Project Athena. It is
 used to share information about various systems databases, such
 as users, groups, printers and so on. The keyword 
-<code class="literal">HS</code> is
-a synonym for hesiod.</p>
-<p>Another MIT development is Chaosnet, a LAN protocol created
-in the mid-1970s. Zone data for it can be specified with the <code class="literal">CHAOS</code> class.</p>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2580748"></a>Zone Options</h4></div></div></div>
-<div class="variablelist"><dl>
-<dt><span class="term"><span><strong class="command">allow-notify</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">allow-notify</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.</p></dd>
-<dt><span class="term"><span><strong class="command">allow-query</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">allow-query</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.</p></dd>
-<dt><span class="term"><span><strong class="command">allow-transfer</strong></span></span></dt>
-<dd><p>See the description of <span><strong class="command">allow-transfer</strong></span>
-in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.</p></dd>
-<dt><span class="term"><span><strong class="command">allow-update</strong></span></span></dt>
-<dd><p>Specifies which hosts are allowed to
+<TT
+CLASS="literal"
+>HS</TT
+> is
+a synonym for hesiod.</P
+><P
+>Another MIT development is CHAOSnet, a LAN protocol created
+in the mid-1970s. Zone data for it can be specified with the <TT
+CLASS="literal"
+>CHAOS</TT
+> class.</P
+></DIV
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="AEN3684"
+>6.2.24.3. Zone Options</A
+></H3
+><P
+></P
+><DIV
+CLASS="variablelist"
+><DL
+><DT
+><B
+CLASS="command"
+>allow-notify</B
+></DT
+><DD
+><P
+>See the description of
+<B
+CLASS="command"
+>allow-notify</B
+> in <A
+HREF="Bv9ARM.ch06.html#access_control"
+>Section 6.2.16.4</A
+></P
+></DD
+><DT
+><B
+CLASS="command"
+>allow-query</B
+></DT
+><DD
+><P
+>See the description of
+<B
+CLASS="command"
+>allow-query</B
+> in <A
+HREF="Bv9ARM.ch06.html#access_control"
+>Section 6.2.16.4</A
+></P
+></DD
+><DT
+><B
+CLASS="command"
+>allow-transfer</B
+></DT
+><DD
+><P
+>See the description of <B
+CLASS="command"
+>allow-transfer</B
+>
+in <A
+HREF="Bv9ARM.ch06.html#access_control"
+>Section 6.2.16.4</A
+>.</P
+></DD
+><DT
+><B
+CLASS="command"
+>allow-update</B
+></DT
+><DD
+><P
+>Specifies which hosts are allowed to
 submit Dynamic DNS updates for master zones. The default is to deny
-updates from all hosts.</p></dd>
-<dt><span class="term"><span><strong class="command">update-policy</strong></span></span></dt>
-<dd><p>Specifies a "Simple Secure Update" policy. See
-<a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a>.</p></dd>
-<dt><span class="term"><span><strong class="command">allow-update-forwarding</strong></span></span></dt>
-<dd>
-<p>Specifies which hosts are allowed to
-submit Dynamic DNS updates to slave zones to be forwarded to the
-master.  The default is <strong class="userinput"><code>{ none; }</code></strong>, which 
-means that no update forwarding will be performed.  To enable
-update forwarding, specify
-<strong class="userinput"><code>allow-update-forwarding { any; };</code></strong>.
-Specifying values other than <strong class="userinput"><code>{ none; }</code></strong> or
-<strong class="userinput"><code>{ any; }</code></strong> is usually counterproductive, since
-the responsibility for update access control should rest with the 
-master server, not the slaves.</p>
-<p>Note that enabling the update forwarding feature on a slave server
-may expose master servers relying on insecure IP address based
-access control to attacks; see <a href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called &#8220;Dynamic Update Security&#8221;</a>
-for more details.</p>
-</dd>
-<dt><span class="term"><span><strong class="command">also-notify</strong></span></span></dt>
-<dd><p>Only meaningful if <span><strong class="command">notify</strong></span> is
+updates from all hosts.  Note that allowing updates based
+on the requestor's IP address is insecure; see
+<A
+HREF="Bv9ARM.ch07.html#dynamic_update_security"
+>Section 7.3</A
+> for details.
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>update-policy</B
+></DT
+><DD
+><P
+>Specifies a "Simple Secure Update" policy. See
+<A
+HREF="Bv9ARM.ch06.html#dynamic_update_policies"
+>Section 6.2.24.4</A
+>.</P
+></DD
+><DT
+><B
+CLASS="command"
+>allow-update-forwarding</B
+></DT
+><DD
+><P
+>See the description of <B
+CLASS="command"
+>allow-update-forwarding</B
+>
+in <A
+HREF="Bv9ARM.ch06.html#access_control"
+>Section 6.2.16.4</A
+>.</P
+></DD
+><DT
+><B
+CLASS="command"
+>also-notify</B
+></DT
+><DD
+><P
+>Only meaningful if <B
+CLASS="command"
+>notify</B
+> is
 active for this zone. The set of machines that will receive a 
-<code class="literal">DNS NOTIFY</code> message
-for this zone is made up of all the listed nameservers (other than
+<TT
+CLASS="literal"
+>DNS NOTIFY</TT
+> message
+for this zone is made up of all the listed name servers (other than
 the primary master) for the zone plus any IP addresses specified
-with <span><strong class="command">also-notify</strong></span>. A port may be specified
-with each <span><strong class="command">also-notify</strong></span> address to send the notify
+with <B
+CLASS="command"
+>also-notify</B
+>. A port may be specified
+with each <B
+CLASS="command"
+>also-notify</B
+> address to send the notify
 messages to a port other than the default of 53.
-<span><strong class="command">also-notify</strong></span> is not meaningful for stub zones.
-The default is the empty list.</p></dd>
-<dt><span class="term"><span><strong class="command">check-names</strong></span></span></dt>
-<dd><p>
-This option was used in BIND 8 to restrict the character set of
+<B
+CLASS="command"
+>also-notify</B
+> is not meaningful for stub zones.
+The default is the empty list.</P
+></DD
+><DT
+><B
+CLASS="command"
+>check-names</B
+></DT
+><DD
+><P
+>&#13;This option was used in BIND 8 to restrict the character set of
 domain names in master files and/or DNS responses received from the
 network.  BIND 9 does not restrict the character set of domain names
-and does not implement the <span><strong class="command">check-names</strong></span> option.
-</p></dd>
-<dt><span class="term"><span><strong class="command">database</strong></span></span></dt>
-<dd>
-<p>Specify the type of database to be used for storing the
-zone data.  The string following the <span><strong class="command">database</strong></span> keyword
+and does not implement the <B
+CLASS="command"
+>check-names</B
+> option.
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>database</B
+></DT
+><DD
+><P
+>Specify the type of database to be used for storing the
+zone data.  The string following the <B
+CLASS="command"
+>database</B
+> keyword
 is interpreted as a list of whitespace-delimited words.  The first word
 identifies the database type, and any subsequent words are passed
 as arguments to the database to be interpreted in a way specific
-to the database type.</p>
-<p>The default is <strong class="userinput"><code>"rbt"</code></strong>, BIND 9's native in-memory
-red-black-tree database.  This database does not take arguments.</p>
-<p>Other values are possible if additional database drivers
+to the database type.</P
+><P
+>The default is <TT
+CLASS="userinput"
+><B
+>"rbt"</B
+></TT
+>, BIND 9's native in-memory
+red-black-tree database.  This database does not take arguments.</P
+><P
+>Other values are possible if additional database drivers
 have been linked into the server.  Some sample drivers are included
-with the distribution but none are linked in by default.</p>
-</dd>
-<dt><span class="term"><span><strong class="command">dialup</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">dialup</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.</p></dd>
-<dt><span class="term"><span><strong class="command">delegation-only</strong></span></span></dt>
-<dd><p>The flag only applies to hint and stub zones.  If set
-to <strong class="userinput"><code>yes</code></strong>, then the zone will also be treated as if it
+with the distribution but none are linked in by default.</P
+></DD
+><DT
+><B
+CLASS="command"
+>dialup</B
+></DT
+><DD
+><P
+>See the description of
+<B
+CLASS="command"
+>dialup</B
+> in <A
+HREF="Bv9ARM.ch06.html#boolean_options"
+>Section 6.2.16.1</A
+>.</P
+></DD
+><DT
+><B
+CLASS="command"
+>delegation-only</B
+></DT
+><DD
+><P
+>The flag only applies to hint and stub zones.  If set
+to <TT
+CLASS="userinput"
+><B
+>yes</B
+></TT
+> then the zone will also be treated as if it
 is also a delegation-only type zone.
-</p></dd>
-<dt><span class="term"><span><strong class="command">forward</strong></span></span></dt>
-<dd><p>Only meaningful if the zone has a forwarders
-list. The <span><strong class="command">only</strong></span> value causes the lookup to fail
-after trying the forwarders and getting no answer, while <span><strong class="command">first</strong></span> would
-allow a normal lookup to be tried.</p></dd>
-<dt><span class="term"><span><strong class="command">forwarders</strong></span></span></dt>
-<dd><p>Used to override the list of global forwarders.
-If it is not specified in a zone of type <span><strong class="command">forward</strong></span>,
-no forwarding is done for the zone and the global options are not used.</p></dd>
-<dt><span class="term"><span><strong class="command">ixfr-base</strong></span></span></dt>
-<dd><p>Was used in <acronym class="acronym">BIND</acronym> 8 to specify the name
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>forward</B
+></DT
+><DD
+><P
+>Only meaningful if the zone has a forwarders
+list. The <B
+CLASS="command"
+>only</B
+> value causes the lookup to fail
+after trying the forwarders and getting no answer, while <B
+CLASS="command"
+>first</B
+> would
+allow a normal lookup to be tried.</P
+></DD
+><DT
+><B
+CLASS="command"
+>forwarders</B
+></DT
+><DD
+><P
+>Used to override the list of global forwarders.
+If it is not specified in a zone of type <B
+CLASS="command"
+>forward</B
+>,
+no forwarding is done for the zone; the global options are not used.</P
+></DD
+><DT
+><B
+CLASS="command"
+>ixfr-base</B
+></DT
+><DD
+><P
+>Was used in <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 8 to specify the name
 of the transaction log (journal) file for dynamic update and IXFR.
-<acronym class="acronym">BIND</acronym> 9 ignores the option and constructs the name of the journal
-file by appending "<code class="filename">.jnl</code>" to the name of the
-zone file.</p></dd>
-<dt><span class="term"><span><strong class="command">ixfr-tmp-file</strong></span></span></dt>
-<dd><p>Was an undocumented option in <acronym class="acronym">BIND</acronym> 8.
-Ignored in <acronym class="acronym">BIND</acronym> 9.</p></dd>
-<dt><span class="term"><span><strong class="command">max-transfer-time-in</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">max-transfer-time-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.</p></dd>
-<dt><span class="term"><span><strong class="command">max-transfer-idle-in</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">max-transfer-idle-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.</p></dd>
-<dt><span class="term"><span><strong class="command">max-transfer-time-out</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">max-transfer-time-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.</p></dd>
-<dt><span class="term"><span><strong class="command">max-transfer-idle-out</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">max-transfer-idle-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.</p></dd>
-<dt><span class="term"><span><strong class="command">notify</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">notify</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.</p></dd>
-<dt><span class="term"><span><strong class="command">pubkey</strong></span></span></dt>
-<dd><p>In <acronym class="acronym">BIND</acronym> 8, this option was intended for specifying
+<SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 9 ignores the option and constructs the name of the journal
+file by appending "<TT
+CLASS="filename"
+>.jnl</TT
+>" to the name of the
+zone file.</P
+></DD
+><DT
+><B
+CLASS="command"
+>ixfr-tmp-file</B
+></DT
+><DD
+><P
+>Was an undocumented option in <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 8.
+Ignored in <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 9.</P
+></DD
+><DT
+><B
+CLASS="command"
+>max-transfer-time-in</B
+></DT
+><DD
+><P
+>See the description of
+<B
+CLASS="command"
+>max-transfer-time-in</B
+> in <A
+HREF="Bv9ARM.ch06.html#zone_transfers"
+>Section 6.2.16.7</A
+>.</P
+></DD
+><DT
+><B
+CLASS="command"
+>max-transfer-idle-in</B
+></DT
+><DD
+><P
+>See the description of
+<B
+CLASS="command"
+>max-transfer-idle-in</B
+> in <A
+HREF="Bv9ARM.ch06.html#zone_transfers"
+>Section 6.2.16.7</A
+>.</P
+></DD
+><DT
+><B
+CLASS="command"
+>max-transfer-time-out</B
+></DT
+><DD
+><P
+>See the description of
+<B
+CLASS="command"
+>max-transfer-time-out</B
+> in <A
+HREF="Bv9ARM.ch06.html#zone_transfers"
+>Section 6.2.16.7</A
+>.</P
+></DD
+><DT
+><B
+CLASS="command"
+>max-transfer-idle-out</B
+></DT
+><DD
+><P
+>See the description of
+<B
+CLASS="command"
+>max-transfer-idle-out</B
+> in <A
+HREF="Bv9ARM.ch06.html#zone_transfers"
+>Section 6.2.16.7</A
+>.</P
+></DD
+><DT
+><B
+CLASS="command"
+>notify</B
+></DT
+><DD
+><P
+>See the description of
+<B
+CLASS="command"
+>notify</B
+> in <A
+HREF="Bv9ARM.ch06.html#boolean_options"
+>Section 6.2.16.1</A
+>.</P
+></DD
+><DT
+><B
+CLASS="command"
+>pubkey</B
+></DT
+><DD
+><P
+>In <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 8, this option was intended for specifying
 a public zone key for verification of signatures in DNSSEC signed
-zones when they are loaded from disk. <acronym class="acronym">BIND</acronym> 9 does not verify signatures
-on loading and ignores the option.</p></dd>
-<dt><span class="term"><span><strong class="command">zone-statistics</strong></span></span></dt>
-<dd><p>If <strong class="userinput"><code>yes</code></strong>, the server will keep statistical
+zones when they are loaded from disk. <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 9 does not verify signatures
+on load and ignores the option.</P
+></DD
+><DT
+><B
+CLASS="command"
+>zone-statistics</B
+></DT
+><DD
+><P
+>If <TT
+CLASS="userinput"
+><B
+>yes</B
+></TT
+>, the server will keep statistical
 information for this zone, which can be dumped to the
-<span><strong class="command">statistics-file</strong></span> defined in the server options.</p></dd>
-<dt><span class="term"><span><strong class="command">sig-validity-interval</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">sig-validity-interval</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.</p></dd>
-<dt><span class="term"><span><strong class="command">transfer-source</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
-</p></dd>
-<dt><span class="term"><span><strong class="command">transfer-source-v6</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">transfer-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
-</p></dd>
-<dt><span class="term"><span><strong class="command">notify-source</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">notify-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
-</p></dd>
-<dt><span class="term"><span><strong class="command">notify-source-v6</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">notify-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
-</p></dd>
-<dt>
-<span class="term"><span><strong class="command">min-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">max-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">min-retry-time</strong></span>, </span><span class="term"><span><strong class="command">max-retry-time</strong></span></span>
-</dt>
-<dd><p>
-See the description in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
-</p></dd>
-</dl></div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="dynamic_update_policies"></a>Dynamic Update Policies</h4></div></div></div>
-<p><acronym class="acronym">BIND</acronym> 9 supports two alternative methods of granting clients
+<B
+CLASS="command"
+>statistics-file</B
+> defined in the server options.</P
+></DD
+><DT
+><B
+CLASS="command"
+>sig-validity-interval</B
+></DT
+><DD
+><P
+>See the description of
+<B
+CLASS="command"
+>sig-validity-interval</B
+> in <A
+HREF="Bv9ARM.ch06.html#tuning"
+>Section 6.2.16.15</A
+>.</P
+></DD
+><DT
+><B
+CLASS="command"
+>transfer-source</B
+></DT
+><DD
+><P
+>See the description of
+<B
+CLASS="command"
+>transfer-source</B
+> in <A
+HREF="Bv9ARM.ch06.html#zone_transfers"
+>Section 6.2.16.7</A
+>
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>transfer-source-v6</B
+></DT
+><DD
+><P
+>See the description of
+<B
+CLASS="command"
+>transfer-source-v6</B
+> in <A
+HREF="Bv9ARM.ch06.html#zone_transfers"
+>Section 6.2.16.7</A
+>
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>alt-transfer-source</B
+></DT
+><DD
+><P
+>See the description of
+<B
+CLASS="command"
+>alt-transfer-source</B
+> in <A
+HREF="Bv9ARM.ch06.html#zone_transfers"
+>Section 6.2.16.7</A
+>
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>alt-transfer-source-v6</B
+></DT
+><DD
+><P
+>See the description of
+<B
+CLASS="command"
+>alt-transfer-source-v6</B
+> in <A
+HREF="Bv9ARM.ch06.html#zone_transfers"
+>Section 6.2.16.7</A
+>
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>use-alt-transfer-source</B
+></DT
+><DD
+><P
+>See the description of
+<B
+CLASS="command"
+>use-alt-transfer-source</B
+> in <A
+HREF="Bv9ARM.ch06.html#zone_transfers"
+>Section 6.2.16.7</A
+>
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>notify-source</B
+></DT
+><DD
+><P
+>See the description of
+<B
+CLASS="command"
+>notify-source</B
+> in <A
+HREF="Bv9ARM.ch06.html#zone_transfers"
+>Section 6.2.16.7</A
+>
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>notify-source-v6</B
+></DT
+><DD
+><P
+>See the description of
+<B
+CLASS="command"
+>notify-source-v6</B
+> in <A
+HREF="Bv9ARM.ch06.html#zone_transfers"
+>Section 6.2.16.7</A
+>.
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>min-refresh-time</B
+>, <B
+CLASS="command"
+>max-refresh-time</B
+>, <B
+CLASS="command"
+>min-retry-time</B
+>, <B
+CLASS="command"
+>max-retry-time</B
+></DT
+><DD
+><P
+>&#13;See the description in <A
+HREF="Bv9ARM.ch06.html#tuning"
+>Section 6.2.16.15</A
+>.
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>ixfr-from-differences</B
+></DT
+><DD
+><P
+>See the description of
+<B
+CLASS="command"
+>ixfr-from-differences</B
+> in <A
+HREF="Bv9ARM.ch06.html#boolean_options"
+>Section 6.2.16.1</A
+>.</P
+></DD
+><DT
+><B
+CLASS="command"
+>key-directory</B
+></DT
+><DD
+><P
+>See the description of
+<B
+CLASS="command"
+>key-directory</B
+> in <A
+HREF="Bv9ARM.ch06.html#options"
+>Section 6.2.16</A
+></P
+></DD
+><DT
+><B
+CLASS="command"
+>multi-master</B
+></DT
+><DD
+><P
+>See the description of
+<B
+CLASS="command"
+>multi-master</B
+> in <A
+HREF="Bv9ARM.ch06.html#boolean_options"
+>Section 6.2.16.1</A
+>.</P
+></DD
+></DL
+></DIV
+></DIV
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="dynamic_update_policies"
+>6.2.24.4. Dynamic Update Policies</A
+></H3
+><P
+><SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 9 supports two alternative methods of granting clients
 the right to perform dynamic updates to a zone, 
-configured by the <span><strong class="command">allow-update</strong></span> and
-<span><strong class="command">update-policy</strong></span> option, respectively.</p>
-<p>The <span><strong class="command">allow-update</strong></span> clause works the same
-way as in previous versions of <acronym class="acronym">BIND</acronym>. It grants given clients the
-permission to update any record of any name in the zone.</p>
-<p>The <span><strong class="command">update-policy</strong></span> clause is new in <acronym class="acronym">BIND</acronym>
+configured by the <B
+CLASS="command"
+>allow-update</B
+> and
+<B
+CLASS="command"
+>update-policy</B
+> option, respectively.</P
+><P
+>The <B
+CLASS="command"
+>allow-update</B
+> clause works the same
+way as in previous versions of <SPAN
+CLASS="acronym"
+>BIND</SPAN
+>. It grants given clients the
+permission to update any record of any name in the zone.</P
+><P
+>The <B
+CLASS="command"
+>update-policy</B
+> clause is new in <SPAN
+CLASS="acronym"
+>BIND</SPAN
+>
 9 and allows more fine-grained control over what updates are allowed.
 A set of rules is specified, where each rule either grants or denies
 permissions for one or more names to be updated by one or more identities.
  If the dynamic update request message is signed (that is, it includes
 either a TSIG or SIG(0) record), the identity of the signer can
-be determined.</p>
-<p>Rules are specified in the <span><strong class="command">update-policy</strong></span> zone
-option, and are only meaningful for master zones.  When the <span><strong class="command">update-policy</strong></span> statement
-is present, it is a configuration error for the <span><strong class="command">allow-update</strong></span> statement
-to be present.  The <span><strong class="command">update-policy</strong></span> statement only
-examines the signer of a message; the source address is not relevant.</p>
-<p>This is how a rule definition looks:</p>
-<pre class="programlisting">
-( <span><strong class="command">grant</strong></span> | <span><strong class="command">deny</strong></span> ) <em class="replaceable"><code>identity</code></em> <em class="replaceable"><code>nametype</code></em> <em class="replaceable"><code>name</code></em> [<span class="optional"> <em class="replaceable"><code>types</code></em> </span>]
-</pre>
-<p>Each rule grants or denies privileges.  Once a message has
+be determined.</P
+><P
+>Rules are specified in the <B
+CLASS="command"
+>update-policy</B
+> zone
+option, and are only meaningful for master zones.  When the <B
+CLASS="command"
+>update-policy</B
+> statement
+is present, it is a configuration error for the <B
+CLASS="command"
+>allow-update</B
+> statement
+to be present.  The <B
+CLASS="command"
+>update-policy</B
+> statement only
+examines the signer of a message; the source address is not relevant.</P
+><P
+>This is how a rule definition looks:</P
+><PRE
+CLASS="programlisting"
+>&#13;( <B
+CLASS="command"
+>grant</B
+> | <B
+CLASS="command"
+>deny</B
+> ) <TT
+CLASS="replaceable"
+><I
+>identity</I
+></TT
+> <TT
+CLASS="replaceable"
+><I
+>nametype</I
+></TT
+> <TT
+CLASS="replaceable"
+><I
+>name</I
+></TT
+> [<SPAN
+CLASS="optional"
+> <TT
+CLASS="replaceable"
+><I
+>types</I
+></TT
+> </SPAN
+>]
+</PRE
+><P
+>Each rule grants or denies privileges.  Once a message has
 successfully matched a rule, the operation is immediately granted
 or denied and no further rules are examined.  A rule is matched
 when the signer matches the identity field, the name matches the
-name field, and the type is specified in the type field.</p>
-<p>The identity field specifies a name or a wildcard name.  The
-nametype field has 4 values: <code class="varname">name</code>, <code class="varname">subdomain</code>, <code class="varname">wildcard</code>,
-and <code class="varname">self</code>
-</p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td><p><code class="varname">name</code></p></td>
-<td><p>Matches when the updated name is the
-same as the name in the name field.</p></td>
-</tr>
-<tr>
-<td><p><code class="varname">subdomain</code></p></td>
-<td><p>Matches when the updated name is a subdomain
-of the name in the name field (which includes the name itself).</p></td>
-</tr>
-<tr>
-<td><p><code class="varname">wildcard</code></p></td>
-<td><p>Matches when the updated name is a valid
-expansion of the wildcard name in the name field.</p></td>
-</tr>
-<tr>
-<td><p><code class="varname">self</code></p></td>
-<td><p>Matches when the updated name is the
-same as the message signer. The name field is ignored.</p></td>
-</tr>
-</tbody>
-</table></div>
-<p>If no types are specified, the rule matches all types except
+name field in accordance with the nametype field, and the type matches
+the types specified in the type field.</P
+><P
+>The identity field specifies a name or a wildcard name.  Normally, this
+is the name of the TSIG or SIG(0) key used to sign the update request.  When a
+TKEY exchange has been used to create a shared secret, the identity of the
+shared secret is the same as the identity of the key used to authenticate the
+TKEY exchange.  When the <TT
+CLASS="replaceable"
+><I
+>identity</I
+></TT
+> field specifies a
+wildcard name, it is subject to DNS wildcard expansion, so the rule will apply
+to multiple identities.  The <TT
+CLASS="replaceable"
+><I
+>identity</I
+></TT
+> field must
+contain a fully qualified domain name.</P
+><P
+>The <TT
+CLASS="replaceable"
+><I
+>nametype</I
+></TT
+> field has 4 values:
+<TT
+CLASS="varname"
+>name</TT
+>, <TT
+CLASS="varname"
+>subdomain</TT
+>,
+<TT
+CLASS="varname"
+>wildcard</TT
+>, and <TT
+CLASS="varname"
+>self</TT
+>.
+</P
+><DIV
+CLASS="informaltable"
+><A
+NAME="AEN3967"
+></A
+><P
+></P
+><TABLE
+CELLPADDING="3"
+BORDER="1"
+CLASS="CALSTABLE"
+><TBODY
+><TR
+><TD
+WIDTH="79"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="varname"
+>name</TT
+></P
+></TD
+><TD
+WIDTH="353"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>Exact-match semantics.  This rule matches when the
+name being updated is identical to the contents of the
+<TT
+CLASS="replaceable"
+><I
+>name</I
+></TT
+> field.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="79"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="varname"
+>subdomain</TT
+></P
+></TD
+><TD
+WIDTH="353"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>This rule matches when the name being updated
+is a subdomain of, or identical to, the contents of the
+<TT
+CLASS="replaceable"
+><I
+>name</I
+></TT
+> field.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="79"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="varname"
+>wildcard</TT
+></P
+></TD
+><TD
+WIDTH="353"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>The <TT
+CLASS="replaceable"
+><I
+>name</I
+></TT
+> field is
+subject to DNS wildcard expansion, and this rule matches when the name
+being updated name is a valid expansion of the wildcard.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="79"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="varname"
+>self</TT
+></P
+></TD
+><TD
+WIDTH="353"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>This rule matches when the name being updated
+matches the contents of the <TT
+CLASS="replaceable"
+><I
+>identity</I
+></TT
+> field.
+The <TT
+CLASS="replaceable"
+><I
+>name</I
+></TT
+> field is ignored, but should be
+the same as the <TT
+CLASS="replaceable"
+><I
+>identity</I
+></TT
+> field.  The
+<TT
+CLASS="varname"
+>self</TT
+> nametype is most useful when allowing using
+one key per name to update, where the key has the same name as the name
+to be updated.  The <TT
+CLASS="replaceable"
+><I
+>identity</I
+></TT
+> would be
+specified as <TT
+CLASS="constant"
+>*</TT
+> in this case.</P
+></TD
+></TR
+></TBODY
+></TABLE
+><P
+></P
+></DIV
+><P
+>In all cases, the <TT
+CLASS="replaceable"
+><I
+>name</I
+></TT
+> field must
+specify a fully qualified domain name.</P
+><P
+>If no types are explicitly specified, this rule matches all types except
 SIG, NS, SOA, and NXT. Types may be specified by name, including
 "ANY" (ANY matches all types except NXT, which can never be updated).
-</p>
-</div>
-</div>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2581782"></a>Zone File</h2></div></div></div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="types_of_resource_records_and_when_to_use_them"></a>Types of Resource Records and When to Use Them</h3></div></div></div>
-<p>This section, largely borrowed from RFC 1034, describes the
+Note that when an attempt is made to delete all records associated with a
+name, the rules are checked for each existing record type.
+</P
+></DIV
+></DIV
+></DIV
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="AEN4008"
+>6.3. Zone File</A
+></H1
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="types_of_resource_records_and_when_to_use_them"
+>6.3.1. Types of Resource Records and When to Use Them</A
+></H2
+><P
+>This section, largely borrowed from RFC 1034, describes the
 concept of a Resource Record (RR) and explains when each is used.
 Since the publication of RFC 1034, several new RRs have been identified
-and implemented in the DNS. These are also included.</p>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2581800"></a>Resource Records</h4></div></div></div>
-<p>A domain name identifies a node.  Each node has a set of
+and implemented in the DNS. These are also included.</P
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="AEN4013"
+>6.3.1.1. Resource Records</A
+></H3
+><P
+>A domain name identifies a node.  Each node has a set of
         resource information, which may be empty.  The set of resource
         information associated with a particular name is composed of
         separate RRs. The order of RRs in a set is not significant and
-        need not be preserved by nameservers, resolvers, or other
+        need not be preserved by name servers, resolvers, or other
         parts of the DNS. However, sorting of multiple RRs is
         permitted for optimization purposes, for example, to specify
-        that a particular nearby server be tried first. See <a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called &#8220;The <span><strong class="command">sortlist</strong></span> Statement&#8221;</a> and <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called &#8220;RRset Ordering&#8221;</a>.</p>
-<p>The components of a Resource Record are:</p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td><p>owner name</p></td>
-<td><p>the domain name where the RR is found.</p></td>
-</tr>
-<tr>
-<td><p>type</p></td>
-<td><p>an encoded 16-bit value that specifies
-the type of the resource in this resource record. Types refer to
-abstract resources.</p></td>
-</tr>
-<tr>
-<td><p>TTL</p></td>
-<td><p>the time-to-live of the RR. This field
-is a 32-bit integer in units of seconds, and is primarily used by
+        that a particular nearby server be tried first. See <A
+HREF="Bv9ARM.ch06.html#the_sortlist_statement"
+>Section 6.2.16.13</A
+> and <A
+HREF="Bv9ARM.ch06.html#rrset_ordering"
+>Section 6.2.16.14</A
+>.</P
+><P
+>The components of a Resource Record are:</P
+><DIV
+CLASS="informaltable"
+><A
+NAME="AEN4019"
+></A
+><P
+></P
+><TABLE
+CELLPADDING="3"
+BORDER="1"
+CLASS="CALSTABLE"
+><TBODY
+><TR
+><TD
+WIDTH="96"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>owner name</P
+></TD
+><TD
+WIDTH="336"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>the domain name where the RR is found.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="96"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>type</P
+></TD
+><TD
+WIDTH="336"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>an encoded 16 bit value that specifies
+the type of the resource record.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="96"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>TTL</P
+></TD
+><TD
+WIDTH="336"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>the time to live of the RR. This field
+is a 32 bit integer in units of seconds, and is primarily used by
 resolvers when they cache RRs. The TTL describes how long a RR can
-be cached before it should be discarded.</p></td>
-</tr>
-<tr>
-<td><p>class</p></td>
-<td><p>an encoded 16-bit value that identifies
-a protocol family or instance of a protocol.</p></td>
-</tr>
-<tr>
-<td><p>RDATA</p></td>
-<td><p>the type and sometimes class-dependent
-data that describes the resource.</p></td>
-</tr>
-</tbody>
-</table></div>
-<p>The following are <span class="emphasis"><em>types</em></span> of valid RRs
-(some of these listed, although not obsolete, are experimental (x)
-or historical (h) and no longer in general use):</p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td><p>A</p></td>
-<td><p>a host address.</p></td>
-</tr>
-<tr>
-<td><p>A6</p></td>
-<td><p>an IPv6 address.</p></td>
-</tr>
-<tr>
-<td><p>AAAA</p></td>
-<td><p>Obsolete format of IPv6 address</p></td>
-</tr>
-<tr>
-<td><p>AFSDB</p></td>
-<td><p>(x) location of AFS database servers.
-Experimental.</p></td>
-</tr>
-<tr>
-<td><p>CERT</p></td>
-<td><p>holds a digital certificate.</p></td>
-</tr>
-<tr>
-<td><p>CNAME</p></td>
-<td><p>identifies the canonical name of an alias.</p></td>
-</tr>
-<tr>
-<td><p>DNAME</p></td>
-<td><p>for delegation of reverse addresses.
-Replaces the domain name specified with another name to be looked
-up. Described in RFC 2672.</p></td>
-</tr>
-<tr>
-<td><p>GPOS</p></td>
-<td><p>Specifies the global position. Superseded by LOC.</p></td>
-</tr>
-<tr>
-<td><p>HINFO</p></td>
-<td><p>identifies the CPU and OS used by a host.</p></td>
-</tr>
-<tr>
-<td><p>ISDN</p></td>
-<td><p>(x) representation of ISDN addresses.
-Experimental.</p></td>
-</tr>
-<tr>
-<td><p>KEY</p></td>
-<td><p>stores a public key associated with a
-DNS name.</p></td>
-</tr>
-<tr>
-<td><p>KX</p></td>
-<td><p>identifies a key exchanger for this
-DNS name.</p></td>
-</tr>
-<tr>
-<td><p>LOC</p></td>
-<td><p>(x) for storing GPS info. See RFC 1876.
-Experimental.</p></td>
-</tr>
-<tr>
-<td><p>MX</p></td>
-<td><p>identifies a mail exchange for the domain.
- See RFC 974 for details.</p></td>
-</tr>
-<tr>
-<td><p>NAPTR</p></td>
-<td><p>name authority pointer.</p></td>
-</tr>
-<tr>
-<td><p>NSAP</p></td>
-<td><p>a network service access point.</p></td>
-</tr>
-<tr>
-<td><p>NS</p></td>
-<td><p>the authoritative nameserver for the
-domain.</p></td>
-</tr>
-<tr>
-<td><p>NXT</p></td>
-<td><p>used in DNSSEC to securely indicate that
+be cached before it should be discarded.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="96"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>class</P
+></TD
+><TD
+WIDTH="336"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>an encoded 16 bit value that identifies
+a protocol family or instance of a protocol.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="96"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>RDATA</P
+></TD
+><TD
+WIDTH="336"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>the resource data.  The format of the
+data is type (and sometimes class) specific.</P
+></TD
+></TR
+></TBODY
+></TABLE
+><P
+></P
+></DIV
+><P
+>The following are <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>types</I
+></SPAN
+> of valid RRs:</P
+><DIV
+CLASS="informaltable"
+><A
+NAME="AEN4051"
+></A
+><P
+></P
+><TABLE
+CELLPADDING="3"
+BORDER="1"
+CLASS="CALSTABLE"
+><TBODY
+><TR
+><TD
+WIDTH="84"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>A</P
+></TD
+><TD
+WIDTH="348"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>a host address.  In the IN class, this is a
+32-bit IP address.  Described in RFC 1035.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="84"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>AAAA</P
+></TD
+><TD
+WIDTH="348"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>IPv6 address.  Described in RFC 1886.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="84"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>A6</P
+></TD
+><TD
+WIDTH="348"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>IPv6 address.  This can be a partial
+address (a suffix) and an indirection to the name where the rest of the
+address (the prefix) can be found.  Experimental.  Described in RFC 2874.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="84"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>AFSDB</P
+></TD
+><TD
+WIDTH="348"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>location of AFS database servers.
+Experimental.  Described in RFC 1183.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="84"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>APL</P
+></TD
+><TD
+WIDTH="348"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>address prefix list.  Experimental.
+Described in RFC 3123.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="84"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>CERT</P
+></TD
+><TD
+WIDTH="348"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>holds a digital certificate.
+Described in RFC 2538.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="84"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>CNAME</P
+></TD
+><TD
+WIDTH="348"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>identifies the canonical name of an alias.
+Described in RFC 1035.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="84"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>DNAME</P
+></TD
+><TD
+WIDTH="348"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>Replaces the domain name specified with
+another name to be looked up, effectively aliasing an entire
+subtree of the domain name space rather than a single record
+as in the case of the CNAME RR.
+Described in RFC 2672.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="84"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>GPOS</P
+></TD
+><TD
+WIDTH="348"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>Specifies the global position.  Superseded by LOC.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="84"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>HINFO</P
+></TD
+><TD
+WIDTH="348"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>identifies the CPU and OS used by a host.
+Described in RFC 1035.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="84"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>ISDN</P
+></TD
+><TD
+WIDTH="348"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>representation of ISDN addresses.
+Experimental.  Described in RFC 1183.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="84"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>KEY</P
+></TD
+><TD
+WIDTH="348"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>stores a public key associated with a
+DNS name.  Described in RFC 2535.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="84"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>KX</P
+></TD
+><TD
+WIDTH="348"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>identifies a key exchanger for this
+DNS name.  Described in RFC 2230.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="84"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>LOC</P
+></TD
+><TD
+WIDTH="348"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>for storing GPS info.  Described in RFC 1876.
+Experimental.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="84"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>MX</P
+></TD
+><TD
+WIDTH="348"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>identifies a mail exchange for the domain.
+a 16 bit preference value (lower is better)
+followed by the host name of the mail exchange.
+Described in RFC 974, RFC 1035.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="84"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>NAPTR</P
+></TD
+><TD
+WIDTH="348"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>name authority pointer.  Described in RFC 2915.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="84"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>NSAP</P
+></TD
+><TD
+WIDTH="348"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>a network service access point.
+Described in RFC 1706.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="84"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>NS</P
+></TD
+><TD
+WIDTH="348"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>the authoritative name server for the
+domain.  Described in RFC 1035.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="84"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>NXT</P
+></TD
+><TD
+WIDTH="348"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>used in DNSSEC to securely indicate that
 RRs with an owner name in a certain name interval do not exist in
 a zone and indicate what RR types are present for an existing name.
-See RFC 2535 for details.</p></td>
-</tr>
-<tr>
-<td><p>PTR</p></td>
-<td><p>a pointer to another part of the domain
-name space.</p></td>
-</tr>
-<tr>
-<td><p>PX</p></td>
-<td><p>provides mappings between RFC 822 and X.400
-addresses.</p></td>
-</tr>
-<tr>
-<td><p>RP</p></td>
-<td><p>(x) information on persons responsible
-for the domain. Experimental.</p></td>
-</tr>
-<tr>
-<td><p>RT</p></td>
-<td><p>(x) route-through binding for hosts that
-do not have their own direct wide area network addresses. Experimental.</p></td>
-</tr>
-<tr>
-<td><p>SIG</p></td>
-<td><p>("signature") contains data authenticated
-in the secure DNS. See RFC 2535 for details.</p></td>
-</tr>
-<tr>
-<td><p>SOA</p></td>
-<td><p>identifies the start of a zone of authority.</p></td>
-</tr>
-<tr>
-<td><p>SRV</p></td>
-<td><p>information about well known network
-services (replaces WKS).</p></td>
-</tr>
-<tr>
-<td><p>TXT</p></td>
-<td><p>text records.</p></td>
-</tr>
-<tr>
-<td><p>WKS</p></td>
-<td><p>(h) information about which well known
-network services, such as SMTP, that a domain supports. Historical,
-replaced by newer RR SRV.</p></td>
-</tr>
-<tr>
-<td><p>X25</p></td>
-<td><p>(x) representation of X.25 network addresses. Experimental.</p></td>
-</tr>
-</tbody>
-</table></div>
-<p>The following <span class="emphasis"><em>classes</em></span> of resource records
-are currently valid in the DNS:</p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td><p>IN</p></td>
-<td><p>the Internet system.</p></td>
-</tr>
-<tr><td colspan="2"><p>For information about other,
-older classes of RRs, see <a href="Bv9ARM.ch09.html#classes_of_resource_records" title="Classes of Resource Records">the section called &#8220;Classes of Resource Records&#8221;</a>.</p></td></tr>
-</tbody>
-</table></div>
-<p><span class="emphasis"><em>RDATA</em></span> is the type-dependent or class-dependent
-data that describes the resource:</p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td><p>A</p></td>
-<td><p>for the IN class, a 32-bit IP address.</p></td>
-</tr>
-<tr>
-<td><p>A6</p></td>
-<td><p>maps a domain name to an IPv6 address,
-with a provision for indirection for leading "prefix" bits.</p></td>
-</tr>
-<tr>
-<td><p>CNAME</p></td>
-<td><p>a domain name.</p></td>
-</tr>
-<tr>
-<td><p>DNAME</p></td>
-<td><p>provides alternate naming to an entire
-subtree of the domain name space, rather than to a single node.
- It causes some suffix of a queried name to be substituted with
-a name from the DNAME record's RDATA.</p></td>
-</tr>
-<tr>
-<td><p>MX</p></td>
-<td><p>a 16-bit preference value (lower is better)
-followed by a host name willing to act as a mail exchange for the
-owner domain.</p></td>
-</tr>
-<tr>
-<td><p>NS</p></td>
-<td><p>a fully-qualified domain name.</p></td>
-</tr>
-<tr>
-<td><p>PTR</p></td>
-<td><p>a fully-qualified domain name.</p></td>
-</tr>
-<tr>
-<td><p>SOA</p></td>
-<td><p>several fields.</p></td>
-</tr>
-</tbody>
-</table></div>
-<p>The owner name is often implicit, rather than forming an integral
-part of the RR.  For example, many nameservers internally form tree
+Described in RFC 2535.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="84"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>PTR</P
+></TD
+><TD
+WIDTH="348"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>a pointer to another part of the domain
+name space.  Described in RFC 1035.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="84"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>PX</P
+></TD
+><TD
+WIDTH="348"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>provides mappings between RFC 822 and X.400
+addresses.  Described in RFC 2163.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="84"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>RP</P
+></TD
+><TD
+WIDTH="348"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>information on persons responsible
+for the domain.  Experimental.  Described in RFC 1183.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="84"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>RT</P
+></TD
+><TD
+WIDTH="348"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>route-through binding for hosts that
+do not have their own direct wide area network addresses.
+Experimental.  Described in RFC 1183.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="84"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>SIG</P
+></TD
+><TD
+WIDTH="348"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>("signature") contains data authenticated
+in the secure DNS.  Described in RFC 2535.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="84"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>SOA</P
+></TD
+><TD
+WIDTH="348"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>identifies the start of a zone of authority.
+Described in RFC 1035.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="84"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>SRV</P
+></TD
+><TD
+WIDTH="348"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>information about well known network
+services (replaces WKS).  Described in RFC 2782.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="84"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>TXT</P
+></TD
+><TD
+WIDTH="348"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>text records.  Described in RFC 1035.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="84"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>WKS</P
+></TD
+><TD
+WIDTH="348"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>information about which well known
+network services, such as SMTP, that a domain supports. Historical.
+</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="84"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>X25</P
+></TD
+><TD
+WIDTH="348"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>representation of X.25 network addresses.
+Experimental.  Described in RFC 1183.</P
+></TD
+></TR
+></TBODY
+></TABLE
+><P
+></P
+></DIV
+><P
+>The following <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>classes</I
+></SPAN
+> of resource records
+are currently valid in the DNS:</P
+><DIV
+CLASS="informaltable"
+><A
+NAME="AEN4203"
+></A
+><P
+></P
+><TABLE
+CELLPADDING="3"
+BORDER="1"
+CLASS="CALSTABLE"
+><TBODY
+><TR
+><TD
+WIDTH="84"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>IN</P
+></TD
+><TD
+WIDTH="348"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>The Internet.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="84"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>CH</P
+></TD
+><TD
+WIDTH="348"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>&#13;CHAOSnet, a LAN protocol created at MIT in the mid-1970s.
+Rarely used for its historical purpose, but reused for BIND's
+built-in server information zones, e.g.,
+<TT
+CLASS="literal"
+>version.bind</TT
+>.
+</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="84"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>HS</P
+></TD
+><TD
+WIDTH="348"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>&#13;Hesiod, an information service
+developed by MIT's Project Athena. It is used to share information
+about various systems databases, such as users, groups, printers
+and so on.
+</P
+></TD
+></TR
+></TBODY
+></TABLE
+><P
+></P
+></DIV
+><P
+>The owner name is often implicit, rather than forming an integral
+part of the RR.  For example, many name servers internally form tree
 or hash structures for the name space, and chain RRs off nodes.
  The remaining RR parts are the fixed header (type, class, TTL)
 which is consistent for all RRs, and a variable part (RDATA) that
-fits the needs of the resource being described.</p>
-<p>The meaning of the TTL field is a time limit on how long an
+fits the needs of the resource being described.</P
+><P
+>The meaning of the TTL field is a time limit on how long an
 RR can be kept in a cache.  This limit does not apply to authoritative
 data in zones; it is also timed out, but by the refreshing policies
 for the zone.  The TTL is assigned by the administrator for the
@@ -3127,112 +11544,360 @@ of Internet performance suggest that these times should be on the
 order of days for the typical host.  If a change can be anticipated,
 the TTL can be reduced prior to the change to minimize inconsistency
 during the change, and then increased back to its former value following
-the change.</p>
-<p>The data in the RDATA section of RRs is carried as a combination
+the change.</P
+><P
+>The data in the RDATA section of RRs is carried as a combination
 of binary strings and domain names.  The domain names are frequently
-used as "pointers" to other data in the DNS.</p>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2582812"></a>Textual expression of RRs</h4></div></div></div>
-<p>RRs are represented in binary form in the packets of the DNS
+used as "pointers" to other data in the DNS.</P
+></DIV
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="AEN4227"
+>6.3.1.2. Textual expression of RRs</A
+></H3
+><P
+>RRs are represented in binary form in the packets of the DNS
 protocol, and are usually represented in highly encoded form when
-stored in a nameserver or resolver.  In the examples provided in
+stored in a name server or resolver.  In the examples provided in
 RFC 1034, a style similar to that used in master files was employed
 in order to show the contents of RRs.  In this format, most RRs
 are shown on a single line, although continuation lines are possible
-using parentheses.</p>
-<p>The start of the line gives the owner of the RR.  If a line
+using parentheses.</P
+><P
+>The start of the line gives the owner of the RR.  If a line
 begins with a blank, then the owner is assumed to be the same as
-that of the previous RR.  Blank lines are often included for readability.</p>
-<p>Following the owner, we list the TTL, type, and class of the
+that of the previous RR.  Blank lines are often included for readability.</P
+><P
+>Following the owner, we list the TTL, type, and class of the
 RR.  Class and type use the mnemonics defined above, and TTL is
 an integer before the type field.  In order to avoid ambiguity in
 parsing, type and class mnemonics are disjoint, TTLs are integers,
 and the type mnemonic is always last. The IN class and TTL values
-are often omitted from examples in the interests of clarity.</p>
-<p>The resource data or RDATA section of the RR are given using
-knowledge of the typical representation for the data.</p>
-<p>For example, we might show the RRs carried in a message as:</p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td><p><code class="literal">ISI.EDU.</code></p></td>
-<td><p><code class="literal">MX</code></p></td>
-<td><p><code class="literal">10 VENERA.ISI.EDU.</code></p></td>
-</tr>
-<tr>
-<td><p></p></td>
-<td><p><code class="literal">MX</code></p></td>
-<td><p><code class="literal">10 VAXA.ISI.EDU</code></p></td>
-</tr>
-<tr>
-<td><p><code class="literal">VENERA.ISI.EDU</code></p></td>
-<td><p><code class="literal">A</code></p></td>
-<td><p><code class="literal">128.9.0.32</code></p></td>
-</tr>
-<tr>
-<td><p></p></td>
-<td><p><code class="literal">A</code></p></td>
-<td><p><code class="literal">10.1.0.52</code></p></td>
-</tr>
-<tr>
-<td><p><code class="literal">VAXA.ISI.EDU</code></p></td>
-<td><p><code class="literal">A</code></p></td>
-<td><p><code class="literal">10.2.0.27</code></p></td>
-</tr>
-<tr>
-<td><p></p></td>
-<td><p><code class="literal">A</code></p></td>
-<td><p><code class="literal">128.9.0.33</code></p></td>
-</tr>
-</tbody>
-</table></div>
-<p>The MX RRs have an RDATA section which consists of a 16-bit
+are often omitted from examples in the interests of clarity.</P
+><P
+>The resource data or RDATA section of the RR are given using
+knowledge of the typical representation for the data.</P
+><P
+>For example, we might show the RRs carried in a message as:</P
+><DIV
+CLASS="informaltable"
+><A
+NAME="AEN4234"
+></A
+><P
+></P
+><TABLE
+CELLPADDING="3"
+BORDER="1"
+CLASS="CALSTABLE"
+><TBODY
+><TR
+><TD
+WIDTH="133"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="literal"
+>ISI.EDU.</TT
+></P
+></TD
+><TD
+WIDTH="98"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="literal"
+>MX</TT
+></P
+></TD
+><TD
+WIDTH="202"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="literal"
+>10 VENERA.ISI.EDU.</TT
+></P
+></TD
+></TR
+><TR
+><TD
+WIDTH="133"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+></P
+></TD
+><TD
+WIDTH="98"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="literal"
+>MX</TT
+></P
+></TD
+><TD
+WIDTH="202"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="literal"
+>10 VAXA.ISI.EDU</TT
+></P
+></TD
+></TR
+><TR
+><TD
+WIDTH="133"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="literal"
+>VENERA.ISI.EDU</TT
+></P
+></TD
+><TD
+WIDTH="98"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="literal"
+>A</TT
+></P
+></TD
+><TD
+WIDTH="202"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="literal"
+>128.9.0.32</TT
+></P
+></TD
+></TR
+><TR
+><TD
+WIDTH="133"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+></P
+></TD
+><TD
+WIDTH="98"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="literal"
+>A</TT
+></P
+></TD
+><TD
+WIDTH="202"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="literal"
+>10.1.0.52</TT
+></P
+></TD
+></TR
+><TR
+><TD
+WIDTH="133"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="literal"
+>VAXA.ISI.EDU</TT
+></P
+></TD
+><TD
+WIDTH="98"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="literal"
+>A</TT
+></P
+></TD
+><TD
+WIDTH="202"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="literal"
+>10.2.0.27</TT
+></P
+></TD
+></TR
+><TR
+><TD
+WIDTH="133"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+></P
+></TD
+><TD
+WIDTH="98"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="literal"
+>A</TT
+></P
+></TD
+><TD
+WIDTH="202"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="literal"
+>128.9.0.33</TT
+></P
+></TD
+></TR
+></TBODY
+></TABLE
+><P
+></P
+></DIV
+><P
+>The MX RRs have an RDATA section which consists of a 16 bit
 number followed by a domain name.  The address RRs use a standard
-IP address format to contain a 32-bit internet address.</p>
-<p>The above example shows six RRs, with two RRs at each of three
-domain names.</p>
-<p>Similarly we might see:</p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td><p><code class="literal">XX.LCS.MIT.EDU. IN</code></p></td>
-<td><p><code class="literal">A</code></p></td>
-<td><p><code class="literal">10.0.0.44</code></p></td>
-</tr>
-<tr>
-<td><p><code class="literal">CH</code></p></td>
-<td><p><code class="literal">A</code></p></td>
-<td><p><code class="literal">MIT.EDU. 2420</code></p></td>
-</tr>
-</tbody>
-</table></div>
-<p>This example shows two addresses for <code class="literal">XX.LCS.MIT.EDU</code>,
-each of a different class.</p>
-</div>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2583238"></a>Discussion of MX Records</h3></div></div></div>
-<p>As described above, domain servers store information as a
+IP address format to contain a 32 bit internet address.</P
+><P
+>This example shows six RRs, with two RRs at each of three
+domain names.</P
+><P
+>Similarly we might see:</P
+><DIV
+CLASS="informaltable"
+><A
+NAME="AEN4300"
+></A
+><P
+></P
+><TABLE
+CELLPADDING="3"
+BORDER="1"
+CLASS="CALSTABLE"
+><TBODY
+><TR
+><TD
+WIDTH="143"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="literal"
+>XX.LCS.MIT.EDU. IN</TT
+></P
+></TD
+><TD
+WIDTH="102"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="literal"
+>A</TT
+></P
+></TD
+><TD
+WIDTH="198"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="literal"
+>10.0.0.44</TT
+></P
+></TD
+></TR
+><TR
+><TD
+WIDTH="143"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="literal"
+>CH</TT
+></P
+></TD
+><TD
+WIDTH="102"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="literal"
+>A</TT
+></P
+></TD
+><TD
+WIDTH="198"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="literal"
+>MIT.EDU. 2420</TT
+></P
+></TD
+></TR
+></TBODY
+></TABLE
+><P
+></P
+></DIV
+><P
+>This example shows two addresses for <TT
+CLASS="literal"
+>XX.LCS.MIT.EDU</TT
+>,
+each of a different class.</P
+></DIV
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN4328"
+>6.3.2. Discussion of MX Records</A
+></H2
+><P
+>As described above, domain servers store information as a
 series of resource records, each of which contains a particular
 piece of information about a given domain name (which is usually,
 but not always, a host). The simplest way to think of a RR is as
 a typed pair of data, a domain name matched with a relevant datum,
 and stored with some additional type information to help systems 
-determine when the RR is relevant.</p>
-<p>MX records are used to control delivery of email. The data
+determine when the RR is relevant.</P
+><P
+>MX records are used to control delivery of email. The data
 specified in the record is a priority and a domain name. The priority
 controls the order in which email delivery is attempted, with the
 lowest number first. If two priorities are the same, a server is
@@ -3240,110 +11905,413 @@ chosen randomly. If no servers at a given priority are responding,
 the mail transport agent will fall back to the next largest priority.
 Priority numbers do not have any absolute meaning &#8212; they are relevant
 only respective to other MX records for that domain name. The domain
-name given is the machine to which the mail will be delivered. It <span class="emphasis"><em>must</em></span> have
-an associated A record &#8212; CNAME is not sufficient.</p>
-<p>For a given domain, if there is both a CNAME record and an
+name given is the machine to which the mail will be delivered. It <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>must</I
+></SPAN
+> have
+an associated A record &#8212; CNAME is not sufficient.</P
+><P
+>For a given domain, if there is both a CNAME record and an
 MX record, the MX record is in error, and will be ignored. Instead,
 the mail will be delivered to the server specified in the MX record
-pointed to by the CNAME.</p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-<col>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td><p><code class="literal">example.com.</code></p></td>
-<td><p><code class="literal">IN</code></p></td>
-<td><p><code class="literal">MX</code></p></td>
-<td><p><code class="literal">10</code></p></td>
-<td><p><code class="literal">mail.example.com.</code></p></td>
-</tr>
-<tr>
-<td><p></p></td>
-<td><p><code class="literal">IN</code></p></td>
-<td><p><code class="literal">MX</code></p></td>
-<td><p><code class="literal">10</code></p></td>
-<td><p><code class="literal">mail2.example.com.</code></p></td>
-</tr>
-<tr>
-<td><p></p></td>
-<td><p><code class="literal">IN</code></p></td>
-<td><p><code class="literal">MX</code></p></td>
-<td><p><code class="literal">20</code></p></td>
-<td><p><code class="literal">mail.backup.org.</code></p></td>
-</tr>
-<tr>
-<td><p><code class="literal">mail.example.com.</code></p></td>
-<td><p><code class="literal">IN</code></p></td>
-<td><p><code class="literal">A</code></p></td>
-<td><p><code class="literal">10.0.0.1</code></p></td>
-<td><p></p></td>
-</tr>
-<tr>
-<td><p><code class="literal">mail2.example.com.</code></p></td>
-<td><p><code class="literal">IN</code></p></td>
-<td><p><code class="literal">A</code></p></td>
-<td><p><code class="literal">10.0.0.2</code></p></td>
-<td><p></p></td>
-</tr>
-</tbody>
-</table></div>
-<p>For example:</p>
-<p>Mail delivery will be attempted to <code class="literal">mail.example.com</code> and
-<code class="literal">mail2.example.com</code> (in
-any order), and if neither of those succeed, delivery to <code class="literal">mail.backup.org</code> will
-be attempted.</p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="Setting_TTLs"></a>Setting TTLs</h3></div></div></div>
-<p>The time-to-live of the RR field is a 32-bit integer represented
+pointed to by the CNAME.</P
+><DIV
+CLASS="informaltable"
+><A
+NAME="AEN4334"
+></A
+><P
+></P
+><TABLE
+CELLPADDING="3"
+BORDER="1"
+CLASS="CALSTABLE"
+><TBODY
+><TR
+><TD
+WIDTH="164"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="literal"
+>example.com.</TT
+></P
+></TD
+><TD
+WIDTH="43"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="literal"
+>IN</TT
+></P
+></TD
+><TD
+WIDTH="43"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="literal"
+>MX</TT
+></P
+></TD
+><TD
+WIDTH="94"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="literal"
+>10</TT
+></P
+></TD
+><TD
+WIDTH="149"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="literal"
+>mail.example.com.</TT
+></P
+></TD
+></TR
+><TR
+><TD
+WIDTH="164"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+></P
+></TD
+><TD
+WIDTH="43"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="literal"
+>IN</TT
+></P
+></TD
+><TD
+WIDTH="43"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="literal"
+>MX</TT
+></P
+></TD
+><TD
+WIDTH="94"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="literal"
+>10</TT
+></P
+></TD
+><TD
+WIDTH="149"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="literal"
+>mail2.example.com.</TT
+></P
+></TD
+></TR
+><TR
+><TD
+WIDTH="164"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+></P
+></TD
+><TD
+WIDTH="43"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="literal"
+>IN</TT
+></P
+></TD
+><TD
+WIDTH="43"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="literal"
+>MX</TT
+></P
+></TD
+><TD
+WIDTH="94"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="literal"
+>20</TT
+></P
+></TD
+><TD
+WIDTH="149"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="literal"
+>mail.backup.org.</TT
+></P
+></TD
+></TR
+><TR
+><TD
+WIDTH="164"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="literal"
+>mail.example.com.</TT
+></P
+></TD
+><TD
+WIDTH="43"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="literal"
+>IN</TT
+></P
+></TD
+><TD
+WIDTH="43"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="literal"
+>A</TT
+></P
+></TD
+><TD
+WIDTH="94"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="literal"
+>10.0.0.1</TT
+></P
+></TD
+><TD
+WIDTH="149"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+></P
+></TD
+></TR
+><TR
+><TD
+WIDTH="164"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="literal"
+>mail2.example.com.</TT
+></P
+></TD
+><TD
+WIDTH="43"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="literal"
+>IN</TT
+></P
+></TD
+><TD
+WIDTH="43"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="literal"
+>A</TT
+></P
+></TD
+><TD
+WIDTH="94"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="literal"
+>10.0.0.2</TT
+></P
+></TD
+><TD
+WIDTH="149"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+></P
+></TD
+></TR
+></TBODY
+></TABLE
+><P
+></P
+></DIV
+><P
+>For example:</P
+><P
+>Mail delivery will be attempted to <TT
+CLASS="literal"
+>mail.example.com</TT
+> and
+<TT
+CLASS="literal"
+>mail2.example.com</TT
+> (in
+any order), and if neither of those succeed, delivery to <TT
+CLASS="literal"
+>mail.backup.org</TT
+> will
+be attempted.</P
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="Setting_TTLs"
+>6.3.3. Setting TTLs</A
+></H2
+><P
+>The time to live of the RR field is a 32 bit integer represented
 in units of seconds, and is primarily used by resolvers when they
 cache RRs. The TTL describes how long a RR can be cached before it
 should be discarded. The following three types of TTL are currently
-used in a zone file.</p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td><p>SOA</p></td>
-<td>
-<p>The last field in the SOA is the negative
+used in a zone file.</P
+><DIV
+CLASS="informaltable"
+><A
+NAME="AEN4426"
+></A
+><P
+></P
+><TABLE
+CELLPADDING="3"
+BORDER="1"
+CLASS="CALSTABLE"
+><TBODY
+><TR
+><TD
+WIDTH="72"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>SOA</P
+></TD
+><TD
+WIDTH="420"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>The last field in the SOA is the negative
 caching TTL. This controls how long other servers will cache no-such-domain
-(NXDOMAIN) responses from you.</p>
-<p>The maximum time for
-negative caching is 3 hours (3h).</p>
-</td>
-</tr>
-<tr>
-<td><p>$TTL</p></td>
-<td><p>The $TTL directive at the top of the
+(NXDOMAIN) responses from you.</P
+><P
+>The maximum time for
+negative caching is 3 hours (3h).</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="72"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>$TTL</P
+></TD
+><TD
+WIDTH="420"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>The $TTL directive at the top of the
 zone file (before the SOA) gives a default TTL for every RR without
-a specific TTL set.</p></td>
-</tr>
-<tr>
-<td><p>RR TTLs</p></td>
-<td><p>Each RR can have a TTL as the second
+a specific TTL set.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="72"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>RR TTLs</P
+></TD
+><TD
+WIDTH="420"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>Each RR can have a TTL as the second
 field in the RR, which will control how long other servers can cache
-the it.</p></td>
-</tr>
-</tbody>
-</table></div>
-<p>All of these TTLs default to units of seconds, though units
-can be explicitly specified, for example, <code class="literal">1h30m</code>. </p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2583872"></a>Inverse Mapping in IPv4</h3></div></div></div>
-<p>Reverse name resolution (that is, translation from IP address
-to name) is achieved by means of the <span class="emphasis"><em>in-addr.arpa</em></span> domain
+the it.</P
+></TD
+></TR
+></TBODY
+></TABLE
+><P
+></P
+></DIV
+><P
+>All of these TTLs default to units of seconds, though units
+can be explicitly specified, for example, <TT
+CLASS="literal"
+>1h30m</TT
+>. </P
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN4449"
+>6.3.4. Inverse Mapping in IPv4</A
+></H2
+><P
+>Reverse name resolution (that is, translation from IP address
+to name) is achieved by means of the <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>in-addr.arpa</I
+></SPAN
+> domain
 and PTR records. Entries in the in-addr.arpa domain are made in
 least-to-most significant order, read left to right. This is the
 opposite order to the way IP addresses are usually written. Thus,
@@ -3352,181 +12320,723 @@ in-addr.arpa name of
 3.2.1.10.in-addr.arpa. This name should have a PTR resource record
 whose data field is the name of the machine or, optionally, multiple
 PTR records if the machine has more than one name. For example,
-in the [<span class="optional">example.com</span>] domain:</p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td><p><code class="literal">$ORIGIN</code></p></td>
-<td><p><code class="literal">2.1.10.in-addr.arpa</code></p></td>
-</tr>
-<tr>
-<td><p><code class="literal">3</code></p></td>
-<td><p><code class="literal">IN PTR foo.example.com.</code></p></td>
-</tr>
-</tbody>
-</table></div>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>The <span><strong class="command">$ORIGIN</strong></span> lines in the examples
-are for providing context to the examples only &#8212; they do not necessarily
+in the [<SPAN
+CLASS="optional"
+>example.com</SPAN
+>] domain:</P
+><DIV
+CLASS="informaltable"
+><A
+NAME="AEN4454"
+></A
+><P
+></P
+><TABLE
+CELLPADDING="3"
+BORDER="1"
+CLASS="CALSTABLE"
+><TBODY
+><TR
+><TD
+WIDTH="108"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="literal"
+>$ORIGIN</TT
+></P
+></TD
+><TD
+WIDTH="384"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="literal"
+>2.1.10.in-addr.arpa</TT
+></P
+></TD
+></TR
+><TR
+><TD
+WIDTH="108"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="literal"
+>3</TT
+></P
+></TD
+><TD
+WIDTH="384"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><TT
+CLASS="literal"
+>IN PTR foo.example.com.</TT
+></P
+></TD
+></TR
+></TBODY
+></TABLE
+><P
+></P
+></DIV
+><DIV
+CLASS="note"
+><BLOCKQUOTE
+CLASS="note"
+><P
+><B
+>Note: </B
+>The <B
+CLASS="command"
+>$ORIGIN</B
+> lines in the examples
+are for providing context to the examples only-they do not necessarily
 appear in the actual usage. They are only used here to indicate
-that the example is relative to the listed origin.</p>
-</div>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2584114"></a>Other Zone File Directives</h3></div></div></div>
-<p>The Master File Format was initially defined in RFC 1035 and
+that the example is relative to the listed origin.</P
+></BLOCKQUOTE
+></DIV
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN4476"
+>6.3.5. Other Zone File Directives</A
+></H2
+><P
+>The Master File Format was initially defined in RFC 1035 and
 has subsequently been extended. While the Master File Format itself
 is class independent all records in a Master File must be of the same
-class.</p>
-<p>Master File Directives include <span><strong class="command">$ORIGIN</strong></span>, <span><strong class="command">$INCLUDE</strong></span>,
-and <span><strong class="command">$TTL.</strong></span></p>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2584133"></a>The <span><strong class="command">$ORIGIN</strong></span> Directive</h4></div></div></div>
-<p>Syntax: <span><strong class="command">$ORIGIN
-</strong></span><em class="replaceable"><code>domain-name</code></em> [<span class="optional"> <em class="replaceable"><code>comment</code></em></span>]</p>
-<p><span><strong class="command">$ORIGIN</strong></span> sets the domain name that will
+class.</P
+><P
+>Master File Directives include <B
+CLASS="command"
+>$ORIGIN</B
+>, <B
+CLASS="command"
+>$INCLUDE</B
+>,
+and <B
+CLASS="command"
+>$TTL.</B
+></P
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="AEN4483"
+>6.3.5.1. The <B
+CLASS="command"
+>$ORIGIN</B
+> Directive</A
+></H3
+><P
+>Syntax: <B
+CLASS="command"
+>$ORIGIN
+</B
+><TT
+CLASS="replaceable"
+><I
+>domain-name</I
+></TT
+> [<SPAN
+CLASS="optional"
+> <TT
+CLASS="replaceable"
+><I
+>comment</I
+></TT
+></SPAN
+>]</P
+><P
+><B
+CLASS="command"
+>$ORIGIN</B
+> sets the domain name that will
 be appended to any unqualified records. When a zone is first read
-in there is an implicit <span><strong class="command">$ORIGIN</strong></span> &lt;<code class="varname">zone-name</code>&gt;<span><strong class="command">.</strong></span> The
-current <span><strong class="command">$ORIGIN</strong></span> is appended to the domain specified
-in the <span><strong class="command">$ORIGIN</strong></span> argument if it is not absolute.</p>
-<pre class="programlisting">$ORIGIN example.com.
-WWW     CNAME   MAIN-SERVER</pre>
-<p>is equivalent to</p>
-<pre class="programlisting">WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.</pre>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2584188"></a>The <span><strong class="command">$INCLUDE</strong></span> Directive</h4></div></div></div>
-<p>Syntax: <span><strong class="command">$INCLUDE</strong></span>
-<em class="replaceable"><code>filename</code></em> [<span class="optional">
-<em class="replaceable"><code>origin</code></em> </span>] [<span class="optional"> <em class="replaceable"><code>comment</code></em> </span>]</p>
-<p>Read and process the file <code class="filename">filename</code> as
-if it were included into the file at this point.  If <span><strong class="command">origin</strong></span> is
-specified the file is processed with <span><strong class="command">$ORIGIN</strong></span> set
-to that value, otherwise the current <span><strong class="command">$ORIGIN</strong></span> is
-used.</p>
-<p>The origin and the current domain name
-revert to the values they had prior to the <span><strong class="command">$INCLUDE</strong></span> once
-the file has been read.</p>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>
+in there is an implicit <B
+CLASS="command"
+>$ORIGIN</B
+> &#60;<TT
+CLASS="varname"
+>zone-name</TT
+>&#62;<B
+CLASS="command"
+>.</B
+> The
+current <B
+CLASS="command"
+>$ORIGIN</B
+> is appended to the domain specified
+in the <B
+CLASS="command"
+>$ORIGIN</B
+> argument if it is not absolute.</P
+><PRE
+CLASS="programlisting"
+><TT
+CLASS="literal"
+>$ORIGIN example.com.
+WWW     CNAME   MAIN-SERVER</TT
+></PRE
+><P
+>is equivalent to</P
+><PRE
+CLASS="programlisting"
+><TT
+CLASS="literal"
+>WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.</TT
+></PRE
+></DIV
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="AEN4503"
+>6.3.5.2. The <B
+CLASS="command"
+>$INCLUDE</B
+> Directive</A
+></H3
+><P
+>Syntax: <B
+CLASS="command"
+>$INCLUDE</B
+>
+<TT
+CLASS="replaceable"
+><I
+>filename</I
+></TT
+> [<SPAN
+CLASS="optional"
+>&#13;<TT
+CLASS="replaceable"
+><I
+>origin</I
+></TT
+> </SPAN
+>] [<SPAN
+CLASS="optional"
+> <TT
+CLASS="replaceable"
+><I
+>comment</I
+></TT
+> </SPAN
+>]</P
+><P
+>Read and process the file <TT
+CLASS="filename"
+>filename</TT
+> as
+if it were included into the file at this point.  If <B
+CLASS="command"
+>origin</B
+> is
+specified the file is processed with <B
+CLASS="command"
+>$ORIGIN</B
+> set
+to that value, otherwise the current <B
+CLASS="command"
+>$ORIGIN</B
+> is
+used.</P
+><P
+>The origin and the current domain name
+revert to the values they had prior to the <B
+CLASS="command"
+>$INCLUDE</B
+> once
+the file has been read.</P
+><DIV
+CLASS="note"
+><BLOCKQUOTE
+CLASS="note"
+><P
+><B
+>Note: </B
+>
 RFC 1035 specifies that the current origin should be restored after
-an <span><strong class="command">$INCLUDE</strong></span>, but it is silent on whether the current
+an <B
+CLASS="command"
+>$INCLUDE</B
+>, but it is silent on whether the current
 domain name should also be restored.  BIND 9 restores both of them.
 This could be construed as a deviation from RFC 1035, a feature, or both.
-</p>
-</div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2584251"></a>The <span><strong class="command">$TTL</strong></span> Directive</h4></div></div></div>
-<p>Syntax: <span><strong class="command">$TTL</strong></span>
-<em class="replaceable"><code>default-ttl</code></em> [<span class="optional">
-<em class="replaceable"><code>comment</code></em> </span>]</p>
-<p>Set the default Time To Live (TTL) for subsequent records
-with undefined TTLs. Valid TTLs are of the range 0-2147483647 seconds.</p>
-<p><span><strong class="command">$TTL</strong></span> is defined in RFC 2308.</p>
-</div>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2584282"></a><acronym class="acronym">BIND</acronym> Master File Extension: the  <span><strong class="command">$GENERATE</strong></span> Directive</h3></div></div></div>.
-        <p>Syntax: <span><strong class="command">$GENERATE</strong></span> <em class="replaceable"><code>range</code></em> <em class="replaceable"><code>lhs</code></em> <em class="replaceable"><code>type</code></em> <em class="replaceable"><code>rhs</code></em> [<span class="optional"> <em class="replaceable"><code>comment</code></em> </span>]</p>
-<p><span><strong class="command">$GENERATE</strong></span> is used to create a series of
-resource records that only differ from each other by an iterator. <span><strong class="command">$GENERATE</strong></span> can
+</P
+></BLOCKQUOTE
+></DIV
+></DIV
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="AEN4523"
+>6.3.5.3. The <B
+CLASS="command"
+>$TTL</B
+> Directive</A
+></H3
+><P
+>Syntax: <B
+CLASS="command"
+>$TTL</B
+>
+<TT
+CLASS="replaceable"
+><I
+>default-ttl</I
+></TT
+> [<SPAN
+CLASS="optional"
+>&#13;<TT
+CLASS="replaceable"
+><I
+>comment</I
+></TT
+> </SPAN
+>]</P
+><P
+>Set the default Time To Live (TTL) for subsequent records
+with undefined TTLs. Valid TTLs are of the range 0-2147483647 seconds.</P
+><P
+><B
+CLASS="command"
+>$TTL</B
+> is defined in RFC 2308.</P
+></DIV
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN4534"
+>6.3.6. <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> Master File Extension: the  <B
+CLASS="command"
+>$GENERATE</B
+> Directive</A
+></H2
+><P
+>Syntax: <B
+CLASS="command"
+>$GENERATE</B
+> <TT
+CLASS="replaceable"
+><I
+>range</I
+></TT
+> <TT
+CLASS="replaceable"
+><I
+>lhs</I
+></TT
+> [<SPAN
+CLASS="optional"
+><TT
+CLASS="replaceable"
+><I
+>ttl</I
+></TT
+></SPAN
+>] [<SPAN
+CLASS="optional"
+><TT
+CLASS="replaceable"
+><I
+>class</I
+></TT
+></SPAN
+>] <TT
+CLASS="replaceable"
+><I
+>type</I
+></TT
+> <TT
+CLASS="replaceable"
+><I
+>rhs</I
+></TT
+> [<SPAN
+CLASS="optional"
+> <TT
+CLASS="replaceable"
+><I
+>comment</I
+></TT
+> </SPAN
+>]</P
+><P
+><B
+CLASS="command"
+>$GENERATE</B
+> is used to create a series of
+resource records that only differ from each other by an iterator. <B
+CLASS="command"
+>$GENERATE</B
+> can
 be used to easily generate the sets of records required to support
 sub /24 reverse delegations described in RFC 2317: Classless IN-ADDR.ARPA
-delegation.</p>
-<pre class="programlisting">$ORIGIN 0.0.192.IN-ADDR.ARPA.
+delegation.</P
+><PRE
+CLASS="programlisting"
+><TT
+CLASS="literal"
+>$ORIGIN 0.0.192.IN-ADDR.ARPA.
 $GENERATE 1-2 0 NS SERVER$.EXAMPLE.
-$GENERATE 1-127 $ CNAME $.0</pre>
-<p>is equivalent to</p>
-<pre class="programlisting">0.0.0.192.IN-ADDR.ARPA NS SERVER1.EXAMPLE.
+$GENERATE 1-127 $ CNAME $.0</TT
+></PRE
+><P
+>is equivalent to</P
+><PRE
+CLASS="programlisting"
+><TT
+CLASS="literal"
+>0.0.0.192.IN-ADDR.ARPA NS SERVER1.EXAMPLE.
 0.0.0.192.IN-ADDR.ARPA. NS SERVER2.EXAMPLE.
 1.0.0.192.IN-ADDR.ARPA. CNAME 1.0.0.0.192.IN-ADDR.ARPA.
 2.0.0.192.IN-ADDR.ARPA. CNAME 2.0.0.0.192.IN-ADDR.ARPA.
 ...
 127.0.0.192.IN-ADDR.ARPA. CNAME 127.0.0.0.192.IN-ADDR.ARPA.
-</pre>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td><p><span><strong class="command">range</strong></span></p></td>
-<td><p>This can be one of two forms: start-stop
-or start-stop/step. If the first form is used, then step is set to
-        1. All of start, stop and step must be positive.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">lhs</strong></span></p></td>
-<td>
-<p>This describes the
-owner name of the resource records to be created. Any single
-<span><strong class="command">$</strong></span> (dollar sign) symbols
-within the <span><strong class="command">lhs</strong></span> side are replaced by the iterator
+</TT
+></PRE
+><DIV
+CLASS="informaltable"
+><A
+NAME="AEN4558"
+></A
+><P
+></P
+><TABLE
+CELLPADDING="3"
+BORDER="1"
+CLASS="CALSTABLE"
+><TBODY
+><TR
+><TD
+WIDTH="84"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><B
+CLASS="command"
+>range</B
+></P
+></TD
+><TD
+WIDTH="408"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>This can be one of two forms: start-stop
+or start-stop/step. If the first form is used then step is set to
+        1. All of start, stop and step must be positive.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="84"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><B
+CLASS="command"
+>lhs</B
+></P
+></TD
+><TD
+WIDTH="408"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><B
+CLASS="command"
+>lhs</B
+> describes the
+owner name of the resource records to be created.      Any single <B
+CLASS="command"
+>$</B
+> symbols
+within the <B
+CLASS="command"
+>lhs</B
+> side are replaced by the iterator
 value.
-To get a $ in the output, you need to escape the <span><strong class="command">$</strong></span>
-using a backslash <span><strong class="command">\</strong></span>,
-e.g. <span><strong class="command">\$</strong></span>. The <span><strong class="command">$</strong></span> may optionally be followed
-by modifiers which change the offset from the interator, field width and base. 
-Modifiers are introduced by a <span><strong class="command">{</strong></span> (left brace) immediately following the
-<span><strong class="command">$</strong></span> as <span><strong class="command">${offset[,width[,base]]}</strong></span>.
-For example, <span><strong class="command">${-20,3,d}</strong></span> which subtracts 20 from the current value,
-prints the result as a decimal in a zero-padded field of width 3.  Available
-output forms are decimal (<span><strong class="command">d</strong></span>), octal (<span><strong class="command">o</strong></span>)
-and hexadecimal (<span><strong class="command">x</strong></span> or <span><strong class="command">X</strong></span> for uppercase).
-The default modifier is <span><strong class="command">${0,0,d}</strong></span>.
-If the <span><strong class="command">lhs</strong></span> is not
-absolute, the current <span><strong class="command">$ORIGIN</strong></span> is appended to
-the name.</p>
-<p>For compatibility with earlier versions, <span><strong class="command">$$</strong></span> is still
-recognised as indicating a literal $ in the output.</p>
-</td>
-</tr>
-<tr>
-<td><p><span><strong class="command">type</strong></span></p></td>
-<td><p>At present the only supported types are
-PTR, CNAME, DNAME, A, AAAA and NS.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">rhs</strong></span></p></td>
-<td><p><span><strong class="command">rhs</strong></span> is a domain name. It is processed
-similarly to lhs.</p></td>
-</tr>
-</tbody>
-</table></div>
-<p>The <span><strong class="command">$GENERATE</strong></span> directive is a <acronym class="acronym">BIND</acronym> extension
-and not part of the standard zone file format.</p>
-</div>
-</div>
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="Bv9ARM.ch05.html">Prev</a> </td>
-<td width="20%" align="center"> </td>
-<td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch07.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">Chapter 5. The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> Chapter 7. <acronym class="acronym">BIND</acronym> 9 Security Considerations</td>
-</tr>
-</table>
-</div>
-</body>
-</html>
+To get a $ in the output you need to escape the <B
+CLASS="command"
+>$</B
+>
+using a backslash <B
+CLASS="command"
+>\</B
+>,
+e.g. <B
+CLASS="command"
+>\$</B
+>. The <B
+CLASS="command"
+>$</B
+> may optionally be followed
+by modifiers which change the offset from the iterator, field width and base. 
+Modifiers are introduced by a <B
+CLASS="command"
+>{</B
+> immediately following the
+<B
+CLASS="command"
+>$</B
+> as <B
+CLASS="command"
+>${offset[,width[,base]]}</B
+>.
+e.g. <B
+CLASS="command"
+>${-20,3,d}</B
+> which subtracts 20 from the current value,
+prints the result as a decimal in a zero padded field of with 3.  Available
+output forms are decimal (<B
+CLASS="command"
+>d</B
+>), octal (<B
+CLASS="command"
+>o</B
+>)
+and hexadecimal (<B
+CLASS="command"
+>x</B
+> or <B
+CLASS="command"
+>X</B
+> for uppercase).
+The default modifier is <B
+CLASS="command"
+>${0,0,d}</B
+>.
+If the <B
+CLASS="command"
+>lhs</B
+> is not
+absolute, the current <B
+CLASS="command"
+>$ORIGIN</B
+> is appended to
+the name.</P
+>
+<P
+>For compatibility with earlier versions <B
+CLASS="command"
+>$$</B
+> is still
+recognized a indicating a literal $ in the output.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="84"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><B
+CLASS="command"
+>ttl</B
+></P
+></TD
+><TD
+WIDTH="408"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><B
+CLASS="command"
+>ttl</B
+> specifies the
+	  ttl of the generated records. If not specified this will be
+	  inherited using the normal ttl inheritance rules.</P
+>
+	  <P
+><B
+CLASS="command"
+>class</B
+> and <B
+CLASS="command"
+>ttl</B
+> can be
+	  entered in either order.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="84"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><B
+CLASS="command"
+>class</B
+></P
+></TD
+><TD
+WIDTH="408"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><B
+CLASS="command"
+>class</B
+> specifies the
+	  class of the generated records.  This must match the zone class if
+	  it is specified.</P
+>
+	  <P
+><B
+CLASS="command"
+>class</B
+> and <B
+CLASS="command"
+>ttl</B
+> can be
+	  entered in either order.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="84"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><B
+CLASS="command"
+>type</B
+></P
+></TD
+><TD
+WIDTH="408"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>At present the only supported types are
+PTR, CNAME, DNAME, A, AAAA and NS.</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="84"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+><B
+CLASS="command"
+>rhs</B
+></P
+></TD
+><TD
+WIDTH="408"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>rhs is a domain name. It is processed
+similarly to lhs.</P
+></TD
+></TR
+></TBODY
+></TABLE
+><P
+></P
+></DIV
+><P
+>The <B
+CLASS="command"
+>$GENERATE</B
+> directive is a <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> extension
+and not part of the standard zone file format.</P
+><P
+>BIND 8 does not support the optional TTL and CLASS fields.</P
+></DIV
+></DIV
+></DIV
+><DIV
+CLASS="NAVFOOTER"
+><HR
+ALIGN="LEFT"
+WIDTH="100%"><TABLE
+SUMMARY="Footer navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+><A
+HREF="Bv9ARM.ch05.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+><A
+HREF="Bv9ARM.html"
+ACCESSKEY="H"
+>Home</A
+></TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+><A
+HREF="Bv9ARM.ch07.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+>The <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 9 Lightweight Resolver</TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+>&nbsp;</TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+><SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 9 Security Considerations</TD
+></TR
+></TABLE
+></DIV
+></BODY
+></HTML
+>
\ No newline at end of file
diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html
index 6f01f2a7..9ef11d9c 100644
--- a/doc/arm/Bv9ARM.ch07.html
+++ b/doc/arm/Bv9ARM.ch07.html
@@ -1,81 +1,162 @@
-<!--
- - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id: Bv9ARM.ch07.html,v 1.50.2.34 2007/05/08 02:29:20 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>Chapter 7. BIND 9 Security Considerations</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="prev" href="Bv9ARM.ch06.html" title="Chapter 6. BIND 9 Configuration Reference">
-<link rel="next" href="Bv9ARM.ch08.html" title="Chapter 8. Troubleshooting">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center">Chapter 7. <acronym class="acronym">BIND</acronym> 9 Security Considerations</th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a> </td>
-<th width="60%" align="center"> </th>
-<td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="chapter" lang="en">
-<div class="titlepage"><div><div><h2 class="title">
-<a name="Bv9ARM.ch07"></a>Chapter 7. <acronym class="acronym">BIND</acronym> 9 Security Considerations</h2></div></div></div>
-<div class="toc">
-<p><b>Table of Contents</b></p>
-<dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2584602"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span> (for
-UNIX servers)</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2584746">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2584804">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
-</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
-</dl>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="Access_Control_Lists"></a>Access Control Lists</h2></div></div></div>
-<p>Access Control Lists (ACLs), are address match lists that
-you can set up and nickname for future use in <span><strong class="command">allow-notify</strong></span>,
-<span><strong class="command">allow-query</strong></span>, <span><strong class="command">allow-recursion</strong></span>,
-<span><strong class="command">blackhole</strong></span>, <span><strong class="command">allow-transfer</strong></span>,
-etc.</p>
-<p>Using ACLs allows you to have finer control over who can access
-your nameserver, without cluttering up your config files with huge
-lists of IP addresses.</p>
-<p>It is a <span class="emphasis"><em>good idea</em></span> to use ACLs, and to
+<HTML
+><HEAD
+><TITLE
+>BIND 9 Security Considerations</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.73
+"><LINK
+REL="HOME"
+TITLE="BIND 9 Administrator Reference Manual"
+HREF="Bv9ARM.html"><LINK
+REL="PREVIOUS"
+TITLE="BIND 9 Configuration Reference"
+HREF="Bv9ARM.ch06.html"><LINK
+REL="NEXT"
+TITLE="Troubleshooting"
+HREF="Bv9ARM.ch08.html"></HEAD
+><BODY
+CLASS="chapter"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><DIV
+CLASS="NAVHEADER"
+><TABLE
+SUMMARY="Header navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TH
+COLSPAN="3"
+ALIGN="center"
+>BIND 9 Administrator Reference Manual</TH
+></TR
+><TR
+><TD
+WIDTH="10%"
+ALIGN="left"
+VALIGN="bottom"
+><A
+HREF="Bv9ARM.ch06.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="80%"
+ALIGN="center"
+VALIGN="bottom"
+></TD
+><TD
+WIDTH="10%"
+ALIGN="right"
+VALIGN="bottom"
+><A
+HREF="Bv9ARM.ch08.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+></TABLE
+><HR
+ALIGN="LEFT"
+WIDTH="100%"></DIV
+><DIV
+CLASS="chapter"
+><H1
+><A
+NAME="ch07"
+>Chapter 7. <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 9 Security Considerations</A
+></H1
+><DIV
+CLASS="TOC"
+><DL
+><DT
+><B
+>Table of Contents</B
+></DT
+><DT
+>7.1. <A
+HREF="Bv9ARM.ch07.html#Access_Control_Lists"
+>Access Control Lists</A
+></DT
+><DT
+>7.2. <A
+HREF="Bv9ARM.ch07.html#AEN4651"
+><B
+CLASS="command"
+>chroot</B
+> and <B
+CLASS="command"
+>setuid</B
+> (for
+UNIX servers)</A
+></DT
+><DT
+>7.3. <A
+HREF="Bv9ARM.ch07.html#dynamic_update_security"
+>Dynamic Update Security</A
+></DT
+></DL
+></DIV
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="Access_Control_Lists"
+>7.1. Access Control Lists</A
+></H1
+><P
+>Access Control Lists (ACLs), are address match lists that
+you can set up and nickname for future use in <B
+CLASS="command"
+>allow-notify</B
+>,
+<B
+CLASS="command"
+>allow-query</B
+>, <B
+CLASS="command"
+>allow-recursion</B
+>,
+<B
+CLASS="command"
+>blackhole</B
+>, <B
+CLASS="command"
+>allow-transfer</B
+>,
+etc.</P
+><P
+>Using ACLs allows you to have finer control over who can access
+your name server, without cluttering up your config files with huge
+lists of IP addresses.</P
+><P
+>It is a <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>good idea</I
+></SPAN
+> to use ACLs, and to
 control access to your server. Limiting access to your server by
-outside parties can help prevent spoofing and denial of service (DoS)
-attacks against your server.</p>
-<p>Here is an example of how to properly apply ACLs:</p>
-<pre class="programlisting">
-// Set up an ACL named "bogusnets" that will block RFC1918 space,
+outside parties can help prevent spoofing and DoS attacks against
+your server.</P
+><P
+>Here is an example of how to properly apply ACLs:</P
+><PRE
+CLASS="programlisting"
+>&#13;// Set up an ACL named "bogusnets" that will block RFC1918 space,
 // which is commonly used in spoofing attacks.
 acl bogusnets { 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };
-
 // Set up an ACL called our-nets. Replace this with the real IP numbers.
 acl our-nets { x.x.x.x/24; x.x.x.x/21; }; 
 options {
@@ -87,116 +168,337 @@ options {
   blackhole { bogusnets; };
   ...
 };
-
 zone "example.com" {
   type master;
   file "m/example.com";
   allow-query { any; };
 };
-</pre>
-<p>This allows recursive queries of the server from the outside
-unless recursion has been previously disabled.</p>
-<p>For more information on how to use ACLs to protect your server,
-see the <span class="emphasis"><em>AUSCERT</em></span> advisory at
-<a href="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos" target="_top">ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</a></p>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2584602"></a><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span> (for
-UNIX servers)</h2></div></div></div>
-<p>On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym> in a <span class="emphasis"><em>chrooted</em></span> environment
-(using the <span><strong class="command">chroot()</strong></span> function) by specifying the "<code class="option">-t</code>"
-option. This can help improve system security by placing <acronym class="acronym">BIND</acronym> in
-a "sandbox," which will limit the damage done if a server is compromised.</p>
-<p>Another useful feature in the UNIX version of <acronym class="acronym">BIND</acronym> is the
-ability to run the daemon as a nonprivileged user ( <code class="option">-u</code> <em class="replaceable"><code>user</code></em> ).
-We suggest running as a nonprivileged user when using the <span><strong class="command">chroot</strong></span> feature.</p>
-<p>Here is an example command line to load <acronym class="acronym">BIND</acronym> in a <span><strong class="command">chroot</strong></span> sandbox, 
-<span><strong class="command">/var/named</strong></span>, and to run <span><strong class="command">named</strong></span> <span><strong class="command">setuid</strong></span> to
-user 202:</p>
-<p><strong class="userinput"><code>/usr/local/bin/named -u 202 -t /var/named</code></strong></p>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2584746"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
-<p>In order for a <span><strong class="command">chroot</strong></span> environment to
+</PRE
+><P
+>This allows recursive queries of the server from the outside
+unless recursion has been previously disabled.</P
+><P
+>For more information on how to use ACLs to protect your server,
+see the <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>AUSCERT</I
+></SPAN
+> advisory at
+<A
+HREF="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos"
+TARGET="_top"
+>ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</A
+></P
+></DIV
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="AEN4651"
+>7.2. <B
+CLASS="command"
+>chroot</B
+> and <B
+CLASS="command"
+>setuid</B
+> (for
+UNIX servers)</A
+></H1
+><P
+>On UNIX servers, it is possible to run <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> in a <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>chrooted</I
+></SPAN
+> environment
+(<B
+CLASS="command"
+>chroot()</B
+>) by specifying the "<TT
+CLASS="option"
+>-t</TT
+>"
+option. This can help improve system security by placing <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> in
+a "sandbox", which will limit the damage done if a server is compromised.</P
+><P
+>Another useful feature in the UNIX version of <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> is the
+ability to run the daemon as an unprivileged user ( <TT
+CLASS="option"
+>-u</TT
+> <TT
+CLASS="replaceable"
+><I
+>user</I
+></TT
+> ).
+We suggest running as an unprivileged user when using the <B
+CLASS="command"
+>chroot</B
+> feature.</P
+><P
+>Here is an example command line to load <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> in a <B
+CLASS="command"
+>chroot()</B
+> sandbox, 
+<B
+CLASS="command"
+>/var/named</B
+>, and to run <B
+CLASS="command"
+>named</B
+> <B
+CLASS="command"
+>setuid</B
+> to
+user 202:</P
+><P
+><TT
+CLASS="userinput"
+><B
+>/usr/local/bin/named -u 202 -t /var/named</B
+></TT
+></P
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN4674"
+>7.2.1. The <B
+CLASS="command"
+>chroot</B
+> Environment</A
+></H2
+><P
+>In order for a <B
+CLASS="command"
+>chroot()</B
+> environment to
 work properly in a particular directory
-(for example, <code class="filename">/var/named</code>),
+(for example, <TT
+CLASS="filename"
+>/var/named</TT
+>),
 you will need to set up an environment that includes everything
-<acronym class="acronym">BIND</acronym> needs to run.
-From <acronym class="acronym">BIND</acronym>'s point of view, <code class="filename">/var/named</code> is
+<SPAN
+CLASS="acronym"
+>BIND</SPAN
+> needs to run.
+From <SPAN
+CLASS="acronym"
+>BIND</SPAN
+>'s point of view, <TT
+CLASS="filename"
+>/var/named</TT
+> is
 the root of the filesystem.  You will need to adjust the values of options like
-like <span><strong class="command">directory</strong></span> and <span><strong class="command">pid-file</strong></span> to account
+like <B
+CLASS="command"
+>directory</B
+> and <B
+CLASS="command"
+>pid-file</B
+> to account
 for this.
-</p>
-<p>
-Unlike with earlier versions of BIND, you typically will
-<span class="emphasis"><em>not</em></span> need to compile <span><strong class="command">named</strong></span>
+</P
+><P
+>&#13;Unlike with earlier versions of BIND, you will typically
+<SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>not</I
+></SPAN
+> need to compile <B
+CLASS="command"
+>named</B
+>
 statically nor install shared libraries under the new root.
 However, depending on your operating system, you may need
 to set up things like
-<code class="filename">/dev/zero</code>,
-<code class="filename">/dev/random</code>,
-<code class="filename">/dev/log</code>, and
-<code class="filename">/etc/localtime</code>.
-</p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2584804"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
-<p>Prior to running the <span><strong class="command">named</strong></span> daemon, use
-the <span><strong class="command">touch</strong></span> utility (to change file access and
-modification times) or the <span><strong class="command">chown</strong></span> utility (to
+<TT
+CLASS="filename"
+>/dev/zero</TT
+>,
+<TT
+CLASS="filename"
+>/dev/random</TT
+>,
+<TT
+CLASS="filename"
+>/dev/log</TT
+>, and/or
+<TT
+CLASS="filename"
+>/etc/localtime</TT
+>.
+</P
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN4692"
+>7.2.2. Using the <B
+CLASS="command"
+>setuid</B
+> Function</A
+></H2
+><P
+>Prior to running the <B
+CLASS="command"
+>named</B
+> daemon, use
+the <B
+CLASS="command"
+>touch</B
+> utility (to change file access and
+modification times) or the <B
+CLASS="command"
+>chown</B
+> utility (to
 set the user id and/or group id) on files
-to which you want <acronym class="acronym">BIND</acronym>
-to write.  Note that if the <span><strong class="command">named</strong></span> daemon is running as a
-nonprivileged user, it will not be able to bind to new restricted ports if the
-server is reloaded.</p>
-</div>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="dynamic_update_security"></a>Dynamic Update Security</h2></div></div></div>
-<p>Access to the dynamic
+to which you want <SPAN
+CLASS="acronym"
+>BIND</SPAN
+>
+to write.  Note that if the <B
+CLASS="command"
+>named</B
+> daemon is running as an
+unprivileged user, it will not be able to bind to new restricted ports if the
+server is reloaded.</P
+></DIV
+></DIV
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="dynamic_update_security"
+>7.3. Dynamic Update Security</A
+></H1
+><P
+>Access to the dynamic
 update facility should be strictly limited.  In earlier versions of
-<acronym class="acronym">BIND</acronym>, the only way to do this was based on the IP
+<SPAN
+CLASS="acronym"
+>BIND</SPAN
+> the only way to do this was based on the IP
 address of the host requesting the update, by listing an IP address or
-network prefix in the <span><strong class="command">allow-update</strong></span> zone option.
+network prefix in the <B
+CLASS="command"
+>allow-update</B
+> zone option.
 This method is insecure since the source address of the update UDP packet
 is easily forged.  Also note that if the IP addresses allowed by the
-<span><strong class="command">allow-update</strong></span> option include the address of a slave
+<B
+CLASS="command"
+>allow-update</B
+> option include the address of a slave
 server which performs forwarding of dynamic updates, the master can be
 trivially attacked by sending the update to the slave, which will
 forward it to the master with its own source IP address causing the
-master to approve it without question.</p>
-<p>For these reasons, we strongly recommend that updates be
+master to approve it without question.</P
+><P
+>For these reasons, we strongly recommend that updates be
 cryptographically authenticated by means of transaction signatures
-(TSIG).  That is, the <span><strong class="command">allow-update</strong></span> option should
+(TSIG).  That is, the <B
+CLASS="command"
+>allow-update</B
+> option should
 list only TSIG key names, not IP addresses or network
-prefixes. Alternatively, the new <span><strong class="command">update-policy</strong></span>
-option can be used.</p>
-<p>Some sites choose to keep all dynamically-updated DNS data
+prefixes. Alternatively, the new <B
+CLASS="command"
+>update-policy</B
+>
+option can be used.</P
+><P
+>Some sites choose to keep all dynamically updated DNS data
 in a subdomain and delegate that subdomain to a separate zone. This
 way, the top-level zone containing critical data such as the IP addresses
 of public web and mail servers need not allow dynamic update at
-all.</p>
-</div>
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a> </td>
-<td width="20%" align="center"> </td>
-<td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">Chapter 6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> Chapter 8. Troubleshooting</td>
-</tr>
-</table>
-</div>
-</body>
-</html>
+all.</P
+></DIV
+></DIV
+><DIV
+CLASS="NAVFOOTER"
+><HR
+ALIGN="LEFT"
+WIDTH="100%"><TABLE
+SUMMARY="Footer navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+><A
+HREF="Bv9ARM.ch06.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+><A
+HREF="Bv9ARM.html"
+ACCESSKEY="H"
+>Home</A
+></TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+><A
+HREF="Bv9ARM.ch08.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+><SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 9 Configuration Reference</TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+>&nbsp;</TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+>Troubleshooting</TD
+></TR
+></TABLE
+></DIV
+></BODY
+></HTML
+>
\ No newline at end of file
diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html
index 1bb7349e..50fe8512 100644
--- a/doc/arm/Bv9ARM.ch08.html
+++ b/doc/arm/Bv9ARM.ch08.html
@@ -1,124 +1,272 @@
-<!--
- - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id: Bv9ARM.ch08.html,v 1.50.2.34 2007/05/08 02:29:20 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>Chapter 8. Troubleshooting</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="prev" href="Bv9ARM.ch07.html" title="Chapter 7. BIND 9 Security Considerations">
-<link rel="next" href="Bv9ARM.ch09.html" title="Appendix A. Appendices">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center">Chapter 8. Troubleshooting</th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="Bv9ARM.ch07.html">Prev</a> </td>
-<th width="60%" align="center"> </th>
-<td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch09.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="chapter" lang="en">
-<div class="titlepage"><div><div><h2 class="title">
-<a name="Bv9ARM.ch08"></a>Chapter 8. Troubleshooting</h2></div></div></div>
-<div class="toc">
-<p><b>Table of Contents</b></p>
-<dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2584874">Common Problems</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2584880">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2584891">Incrementing and Changing the Serial Number</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2584908">Where Can I Get Help?</a></span></dt>
-</dl>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2584874"></a>Common Problems</h2></div></div></div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2584880"></a>It's not working; how can I figure out what's wrong?</h3></div></div></div>
-<p>The best solution to solving installation and
+<HTML
+><HEAD
+><TITLE
+>Troubleshooting</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.73
+"><LINK
+REL="HOME"
+TITLE="BIND 9 Administrator Reference Manual"
+HREF="Bv9ARM.html"><LINK
+REL="PREVIOUS"
+TITLE="BIND 9 Security Considerations"
+HREF="Bv9ARM.ch07.html"><LINK
+REL="NEXT"
+TITLE="Appendices"
+HREF="Bv9ARM.ch09.html"></HEAD
+><BODY
+CLASS="chapter"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><DIV
+CLASS="NAVHEADER"
+><TABLE
+SUMMARY="Header navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TH
+COLSPAN="3"
+ALIGN="center"
+>BIND 9 Administrator Reference Manual</TH
+></TR
+><TR
+><TD
+WIDTH="10%"
+ALIGN="left"
+VALIGN="bottom"
+><A
+HREF="Bv9ARM.ch07.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="80%"
+ALIGN="center"
+VALIGN="bottom"
+></TD
+><TD
+WIDTH="10%"
+ALIGN="right"
+VALIGN="bottom"
+><A
+HREF="Bv9ARM.ch09.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+></TABLE
+><HR
+ALIGN="LEFT"
+WIDTH="100%"></DIV
+><DIV
+CLASS="chapter"
+><H1
+><A
+NAME="ch08"
+>Chapter 8. Troubleshooting</A
+></H1
+><DIV
+CLASS="TOC"
+><DL
+><DT
+><B
+>Table of Contents</B
+></DT
+><DT
+>8.1. <A
+HREF="Bv9ARM.ch08.html#AEN4713"
+>Common Problems</A
+></DT
+><DT
+>8.2. <A
+HREF="Bv9ARM.ch08.html#AEN4718"
+>Incrementing and Changing the Serial Number</A
+></DT
+><DT
+>8.3. <A
+HREF="Bv9ARM.ch08.html#AEN4723"
+>Where Can I Get Help?</A
+></DT
+></DL
+></DIV
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="AEN4713"
+>8.1. Common Problems</A
+></H1
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN4715"
+>8.1.1. It's not working; how can I figure out what's wrong?</A
+></H2
+><P
+>The best solution to solving installation and
       configuration issues is to take preventative measures by setting
       up logging files beforehand. The log files provide a
       source of hints and information that can be used to figure out
-      what went wrong and how to fix the problem.</p>
-</div>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2584891"></a>Incrementing and Changing the Serial Number</h2></div></div></div>
-<p>Zone serial numbers are just numbers &#8212; they aren't date
+      what went wrong and how to fix the problem.</P
+></DIV
+></DIV
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="AEN4718"
+>8.2. Incrementing and Changing the Serial Number</A
+></H1
+><P
+>Zone serial numbers are just numbers-they aren't date
     related.  A lot of people set them to a number that represents a
-    date, usually of the form YYYYMMDDRR. A number of people
-    tested these numbers for Y2K compliance and set the number
-    to the year 2000 to see if it would work. They then tried to restore
-    the old serial number. This caused problems because serial
+    date, usually of the form YYYYMMDDRR. A number of people have been
+    testing these numbers for Y2K compliance and have set the number
+    to the year 2000 to see if it will work. They then try to restore
+    the old serial number. This will cause problems because serial
     numbers are used to indicate that a zone has been updated. If the
     serial number on the slave server is lower than the serial number
     on the master, the slave server will attempt to update its copy of
-    the zone.</p>
-<p>Setting the serial number to a lower number on the master
+    the zone.</P
+><P
+>Setting the serial number to a lower number on the master
     server than the slave server means that the slave will not perform
-    updates to its copy of the zone.</p>
-<p>The solution to this is to add 2147483647 (2^31-1) to the
+    updates to its copy of the zone.</P
+><P
+>The solution to this is to add 2147483647 (2^31-1) to the
     number, reload the zone and make sure all slaves have updated to
     the new zone serial number, then reset the number to what you want
-    it to be, and reload the zone again.</p>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2584908"></a>Where Can I Get Help?</h2></div></div></div>
-<p>The Internet Software Consortium (<acronym class="acronym">ISC</acronym>) offers a wide range
-    of support and service agreements for <acronym class="acronym">BIND</acronym> and <acronym class="acronym">DHCP</acronym> servers. Four
+    it to be, and reload the zone again.</P
+></DIV
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="AEN4723"
+>8.3. Where Can I Get Help?</A
+></H1
+><P
+>The Internet Software Consortium (<SPAN
+CLASS="acronym"
+>ISC</SPAN
+>) offers a wide range
+    of support and service agreements for <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> and <SPAN
+CLASS="acronym"
+>DHCP</SPAN
+> servers. Four
     levels of premium support are available and each level includes
-    support for all <acronym class="acronym">ISC</acronym> programs, significant discounts on products
+    support for all <SPAN
+CLASS="acronym"
+>ISC</SPAN
+> programs, significant discounts on products
     and training, and a recognized priority on bug fixes and
-    non-funded feature requests. In addition, <acronym class="acronym">ISC</acronym> offers a standard
+    non-funded feature requests. In addition, <SPAN
+CLASS="acronym"
+>ISC</SPAN
+> offers a standard
     support agreement package which includes services ranging from bug
     fix announcements to remote support. It also includes training in
-    <acronym class="acronym">BIND</acronym> and <acronym class="acronym">DHCP</acronym>.</p>
-<p>To discuss arrangements for support, contact
-    <a href="mailto:info@isc.org" target="_top">info@isc.org</a> or visit the
-    <acronym class="acronym">ISC</acronym> web page at <a href="http://www.isc.org/services/support/" target="_top">http://www.isc.org/services/support/</a>
-    to read more.</p>
-</div>
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="Bv9ARM.ch07.html">Prev</a> </td>
-<td width="20%" align="center"> </td>
-<td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch09.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">Chapter 7. <acronym class="acronym">BIND</acronym> 9 Security Considerations </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> Appendix A. Appendices</td>
-</tr>
-</table>
-</div>
-</body>
-</html>
+    <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> and <SPAN
+CLASS="acronym"
+>DHCP</SPAN
+>.</P
+><P
+>To discuss arrangements for support, contact
+    <A
+HREF="mailto:info@isc.org"
+TARGET="_top"
+>info@isc.org</A
+> or visit the
+    <SPAN
+CLASS="acronym"
+>ISC</SPAN
+> web page at <A
+HREF="http://www.isc.org/services/support/"
+TARGET="_top"
+>http://www.isc.org/services/support/</A
+>
+    to read more.</P
+></DIV
+></DIV
+><DIV
+CLASS="NAVFOOTER"
+><HR
+ALIGN="LEFT"
+WIDTH="100%"><TABLE
+SUMMARY="Footer navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+><A
+HREF="Bv9ARM.ch07.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+><A
+HREF="Bv9ARM.html"
+ACCESSKEY="H"
+>Home</A
+></TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+><A
+HREF="Bv9ARM.ch09.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+><SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 9 Security Considerations</TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+>&nbsp;</TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+>Appendices</TD
+></TR
+></TABLE
+></DIV
+></BODY
+></HTML
+>
\ No newline at end of file
diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index aa5a7744..e4121e93 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -1,546 +1,1725 @@
-<!--
- - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id: Bv9ARM.ch09.html,v 1.50.2.37 2007/05/16 06:57:46 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>Appendix A. Appendices</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="prev" href="Bv9ARM.ch08.html" title="Chapter 8. Troubleshooting">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center">Appendix A. Appendices</th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="Bv9ARM.ch08.html">Prev</a> </td>
-<th width="60%" align="center"> </th>
-<td width="20%" align="right"> </td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="appendix" lang="en">
-<div class="titlepage"><div><div><h2 class="title">
-<a name="Bv9ARM.ch09"></a>Appendix A. Appendices</h2></div></div></div>
-<div class="toc">
-<p><b>Table of Contents</b></p>
-<dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2585038">Acknowledgements</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2585044">A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#historical_dns_information">Historical <acronym class="acronym">DNS</acronym> Information</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#classes_of_resource_records">Classes of Resource Records</a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2585254">General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#ipv6addresses">IPv6 addresses (A6)</a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#bibliography">Bibliography (and Suggested Reading)</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#rfcs">Request for Comments (RFCs)</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#internet_drafts">Internet Drafts</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2587625">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
-</dl></dd>
-</dl>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2585038"></a>Acknowledgements</h2></div></div></div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2585044"></a>A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym>
-</h3></div></div></div>
-<p>Although the "official" beginning of the Domain Name
+<HTML
+><HEAD
+><TITLE
+>Appendices</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.73
+"><LINK
+REL="HOME"
+TITLE="BIND 9 Administrator Reference Manual"
+HREF="Bv9ARM.html"><LINK
+REL="PREVIOUS"
+TITLE="Troubleshooting"
+HREF="Bv9ARM.ch08.html"></HEAD
+><BODY
+CLASS="appendix"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><DIV
+CLASS="NAVHEADER"
+><TABLE
+SUMMARY="Header navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TH
+COLSPAN="3"
+ALIGN="center"
+>BIND 9 Administrator Reference Manual</TH
+></TR
+><TR
+><TD
+WIDTH="10%"
+ALIGN="left"
+VALIGN="bottom"
+><A
+HREF="Bv9ARM.ch08.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="80%"
+ALIGN="center"
+VALIGN="bottom"
+></TD
+><TD
+WIDTH="10%"
+ALIGN="right"
+VALIGN="bottom"
+>&nbsp;</TD
+></TR
+></TABLE
+><HR
+ALIGN="LEFT"
+WIDTH="100%"></DIV
+><DIV
+CLASS="appendix"
+><H1
+><A
+NAME="ch09"
+>Appendix A. Appendices</A
+></H1
+><DIV
+CLASS="TOC"
+><DL
+><DT
+><B
+>Table of Contents</B
+></DT
+><DT
+>A.1. <A
+HREF="Bv9ARM.ch09.html#AEN4739"
+>Acknowledgments</A
+></DT
+><DT
+>A.2. <A
+HREF="Bv9ARM.ch09.html#historical_dns_information"
+>General <SPAN
+CLASS="acronym"
+>DNS</SPAN
+> Reference Information</A
+></DT
+><DT
+>A.3. <A
+HREF="Bv9ARM.ch09.html#bibliography"
+>Bibliography (and Suggested Reading)</A
+></DT
+></DL
+></DIV
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="AEN4739"
+>A.1. Acknowledgments</A
+></H1
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN4741"
+>A.1.1. A Brief History of the <SPAN
+CLASS="acronym"
+>DNS</SPAN
+> and <SPAN
+CLASS="acronym"
+>BIND</SPAN
+></A
+></H2
+><P
+>Although the "official" beginning of the Domain Name
       System occurred in 1984 with the publication of RFC 920, the
       core of the new system was described in 1983 in RFCs 882 and
       883. From 1984 to 1987, the ARPAnet (the precursor to today's
       Internet) became a testbed of experimentation for developing the
-      new naming/addressing scheme in a rapidly expanding,
+      new naming/addressing scheme in an rapidly expanding,
       operational network environment.  New RFCs were written and
       published in 1987 that modified the original documents to
       incorporate improvements based on the working model. RFC 1034,
-      "Domain Names-Concepts and Facilities," and RFC 1035, "Domain
+      "Domain Names-Concepts and Facilities", and RFC 1035, "Domain
       Names-Implementation and Specification" were published and
-      became the standards upon which all <acronym class="acronym">DNS</acronym> implementations are
+      became the standards upon which all <SPAN
+CLASS="acronym"
+>DNS</SPAN
+> implementations are
       built.
-</p>
-<p>The first working domain name server, called "Jeeves," was
+</P
+><P
+>The first working domain name server, called "Jeeves", was
 written in 1983-84 by Paul Mockapetris for operation on DEC Tops-20
 machines located at the University of Southern California's Information
 Sciences Institute (USC-ISI) and SRI International's Network Information
-Center (SRI-NIC). A <acronym class="acronym">DNS</acronym> server for Unix machines, the Berkeley Internet
-Name Domain (<acronym class="acronym">BIND</acronym>) package, was written soon after by a group of
+Center (SRI-NIC). A <SPAN
+CLASS="acronym"
+>DNS</SPAN
+> server for Unix machines, the Berkeley Internet
+Name Domain (<SPAN
+CLASS="acronym"
+>BIND</SPAN
+>) package, was written soon after by a group of
 graduate students at the University of California at Berkeley under
 a grant from the US Defense Advanced Research Projects Administration
-(DARPA).
-</p>
-<p>
-Versions of <acronym class="acronym">BIND</acronym> through 4.8.3 were maintained by the Computer
+(DARPA). Versions of <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> through 4.8.3 were maintained by the Computer
 Systems Research Group (CSRG) at UC Berkeley. Douglas Terry, Mark
-Painter, David Riggle and Songnian Zhou made up the initial <acronym class="acronym">BIND</acronym>
+Painter, David Riggle and Songnian Zhou made up the initial <SPAN
+CLASS="acronym"
+>BIND</SPAN
+>
 project team. After that, additional work on the software package
 was done by Ralph Campbell. Kevin Dunlap, a Digital Equipment Corporation
-employee on loan to the CSRG, worked on <acronym class="acronym">BIND</acronym> for 2 years, from 1985
-to 1987. Many other people also contributed to <acronym class="acronym">BIND</acronym> development
+employee on loan to the CSRG, worked on <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> for 2 years, from 1985
+to 1987. Many other people also contributed to <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> development
 during that time: Doug Kingston, Craig Partridge, Smoot Carl-Mitchell,
-Mike Muuss, Jim Bloom and Mike Schwartz. <acronym class="acronym">BIND</acronym> maintenance was subsequently
-handled by Mike Karels and Øivind Kure.</p>
-<p><acronym class="acronym">BIND</acronym> versions 4.9 and 4.9.1 were released by Digital Equipment
+Mike Muuss, Jim Bloom and Mike Schwartz. <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> maintenance was subsequently
+handled by Mike Karels and O. Kure.</P
+><P
+><SPAN
+CLASS="acronym"
+>BIND</SPAN
+> versions 4.9 and 4.9.1 were released by Digital Equipment
 Corporation (now Compaq Computer Corporation). Paul Vixie, then
-a DEC employee, became <acronym class="acronym">BIND</acronym>'s primary caretaker. He was assisted
+a DEC employee, became <SPAN
+CLASS="acronym"
+>BIND</SPAN
+>'s primary caretaker. Paul was assisted
 by Phil Almquist, Robert Elz, Alan Barrett, Paul Albitz, Bryan Beecher, Andrew
 Partan, Andy Cherenson, Tom Limoncelli, Berthold Paffrath, Fuat
 Baran, Anant Kumar, Art Harkin, Win Treese, Don Lewis, Christophe
-Wolfhugel, and others.</p>
-<p>In 1994, <acronym class="acronym">BIND</acronym> version 4.9.2 was sponsored by Vixie Enterprises. Paul
-Vixie became <acronym class="acronym">BIND</acronym>'s principal architect/programmer.</p>
-<p><acronym class="acronym">BIND</acronym> versions from 4.9.3 onward have been developed and maintained
+Wolfhugel, and others.</P
+><P
+><SPAN
+CLASS="acronym"
+>BIND</SPAN
+> Version 4.9.2 was sponsored by Vixie Enterprises. Paul
+Vixie became <SPAN
+CLASS="acronym"
+>BIND</SPAN
+>'s principal architect/programmer.</P
+><P
+><SPAN
+CLASS="acronym"
+>BIND</SPAN
+> versions from 4.9.3 onward have been developed and maintained
 by the Internet Software Consortium with support being provided
-by ISC's sponsors.
-      </p>
-<p>As co-architects/programmers, Bob Halley and
-Paul Vixie released the first production-ready version of <acronym class="acronym">BIND</acronym> version
-8 in May 1997.</p>
-<p>
-	  BIND version 9 was released in September 2000 and is a
-	  major rewrite of nearly all aspects of the underlying
-	  BIND architecture.
-	  </p>
-<p>
-	  BIND version 4 is officially deprecated and BIND version
-	  8 development is considered maintenance-only in favor
-	  of BIND version 9. No additional development is done
-	  on BIND version 4 or BIND version 8 other than for
-	  security-related patches.
-	</p>
-<p><acronym class="acronym">BIND</acronym> development work is made possible today by the sponsorship
+by ISC's sponsors. As co-architects/programmers, Bob Halley and
+Paul Vixie released the first production-ready version of <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> version
+8 in May 1997.</P
+><P
+><SPAN
+CLASS="acronym"
+>BIND</SPAN
+> development work is made possible today by the sponsorship
 of several corporations, and by the tireless work efforts of numerous
-individuals.</p>
-</div>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="historical_dns_information"></a>Historical <acronym class="acronym">DNS</acronym> Information</h2></div></div></div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="classes_of_resource_records"></a>Classes of Resource Records</h3></div></div></div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2585223"></a>HS = hesiod</h4></div></div></div>
-<p>The [<span class="optional">hesiod</span>] class is an information service
-developed by MIT's Project Athena. It is used to share information
-about various systems databases, such as users, groups, printers
-and so on. The keyword <span><strong class="command">hs</strong></span> is a synonym for
-hesiod.</p>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2585239"></a>CH = chaos</h4></div></div></div>
-<p>The <span><strong class="command">chaos</strong></span> class is used to specify zone
-data for the MIT-developed Chaosnet, a LAN protocol created in the
-mid-1970s.</p>
-</div>
-</div>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2585254"></a>General <acronym class="acronym">DNS</acronym> Reference Information</h2></div></div></div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="ipv6addresses"></a>IPv6 addresses (A6)</h3></div></div></div>
-<p>IPv6 addresses are 128-bit identifiers for interfaces and
-sets of interfaces which were introduced in the <acronym class="acronym">DNS</acronym> to facilitate
-scalable Internet routing. There are three types of addresses: <span class="emphasis"><em>Unicast</em></span>,
-an identifier for a single interface; <span class="emphasis"><em>Anycast</em></span>,
-an identifier for a set of interfaces; and <span class="emphasis"><em>Multicast</em></span>,
+individuals.</P
+></DIV
+></DIV
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="historical_dns_information"
+>A.2. General <SPAN
+CLASS="acronym"
+>DNS</SPAN
+> Reference Information</A
+></H1
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="ipv6addresses"
+>A.2.1. IPv6 addresses (AAAA)</A
+></H2
+><P
+>IPv6 addresses are 128-bit identifiers for interfaces and
+sets of interfaces which were introduced in the <SPAN
+CLASS="acronym"
+>DNS</SPAN
+> to facilitate
+scalable Internet routing. There are three types of addresses: <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>Unicast</I
+></SPAN
+>,
+an identifier for a single interface; <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>Anycast</I
+></SPAN
+>,
+an identifier for a set of interfaces; and <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>Multicast</I
+></SPAN
+>,
 an identifier for a set of interfaces. Here we describe the global
-Unicast address scheme. For more information, see RFC 3587,
-"Global Unicast Address Format."</p>
-<p>The aggregatable global Unicast address format is as follows:</p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-<col>
-<col>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td><p>3</p></td>
-<td><p>13</p></td>
-<td><p>8</p></td>
-<td><p>24</p></td>
-<td><p>16</p></td>
-<td><p>64 bits</p></td>
-</tr>
-<tr>
-<td><p>FP</p></td>
-<td><p>TLA ID</p></td>
-<td><p>RES</p></td>
-<td><p>NLA ID</p></td>
-<td><p>SLA ID</p></td>
-<td><p>Interface ID</p></td>
-</tr>
-<tr>
-<td colspan="4"><p>&lt;------ Public Topology
-------&gt;</p></td>
-<td><p></p></td>
-<td><p></p></td>
-</tr>
-<tr>
-<td><p></p></td>
-<td><p></p></td>
-<td><p></p></td>
-<td><p></p></td>
-<td><p>&lt;-Site Topology-&gt;</p></td>
-<td><p></p></td>
-</tr>
-<tr>
-<td><p></p></td>
-<td><p></p></td>
-<td><p></p></td>
-<td><p></p></td>
-<td><p></p></td>
-<td><p>&lt;------ Interface Identifier ------&gt;</p></td>
-</tr>
-</tbody>
-</table></div>
-<p>Where
-</p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td><p>FP</p></td>
-<td><p>=</p></td>
-<td><p>Format Prefix (001)</p></td>
-</tr>
-<tr>
-<td><p>TLA ID</p></td>
-<td><p>=</p></td>
-<td><p>Top-Level Aggregation Identifier</p></td>
-</tr>
-<tr>
-<td><p>RES</p></td>
-<td><p>=</p></td>
-<td><p>Reserved for future use</p></td>
-</tr>
-<tr>
-<td><p>NLA ID</p></td>
-<td><p>=</p></td>
-<td><p>Next-Level Aggregation Identifier</p></td>
-</tr>
-<tr>
-<td><p>SLA ID</p></td>
-<td><p>=</p></td>
-<td><p>Site-Level Aggregation Identifier</p></td>
-</tr>
-<tr>
-<td><p>INTERFACE ID</p></td>
-<td><p>=</p></td>
-<td><p>Interface Identifier</p></td>
-</tr>
-</tbody>
-</table></div>
-<p>The <span class="emphasis"><em>Public Topology</em></span> is provided by the
-upstream provider or ISP, and (roughly) corresponds to the IPv4 <span class="emphasis"><em>network</em></span> section
-of the address range. The <span class="emphasis"><em>Site Topology</em></span> is
+Unicast address scheme. For more information, see RFC 2374.</P
+><P
+>The aggregatable global Unicast address format is as follows:</P
+><DIV
+CLASS="informaltable"
+><A
+NAME="AEN4777"
+></A
+><P
+></P
+><TABLE
+CELLPADDING="3"
+BORDER="1"
+CLASS="CALSTABLE"
+><TBODY
+><TR
+><TD
+WIDTH="46"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>3</P
+></TD
+><TD
+WIDTH="48"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>13</P
+></TD
+><TD
+WIDTH="50"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>8</P
+></TD
+><TD
+WIDTH="70"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>24</P
+></TD
+><TD
+WIDTH="129"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>16</P
+></TD
+><TD
+WIDTH="243"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>64 bits</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="46"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>FP</P
+></TD
+><TD
+WIDTH="48"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>TLA ID</P
+></TD
+><TD
+WIDTH="50"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>RES</P
+></TD
+><TD
+WIDTH="70"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>NLA ID</P
+></TD
+><TD
+WIDTH="129"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>SLA ID</P
+></TD
+><TD
+WIDTH="243"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>Interface ID</P
+></TD
+></TR
+><TR
+><TD
+COLSPAN="4"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>&#60;------ Public Topology
+------&#62;</P
+></TD
+><TD
+WIDTH="129"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+></P
+></TD
+><TD
+WIDTH="243"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+></P
+></TD
+></TR
+><TR
+><TD
+WIDTH="46"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+></P
+></TD
+><TD
+WIDTH="48"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+></P
+></TD
+><TD
+WIDTH="50"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+></P
+></TD
+><TD
+WIDTH="70"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+></P
+></TD
+><TD
+WIDTH="129"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>&#60;-Site Topology-&#62;</P
+></TD
+><TD
+WIDTH="243"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+></P
+></TD
+></TR
+><TR
+><TD
+WIDTH="46"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+></P
+></TD
+><TD
+WIDTH="48"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+></P
+></TD
+><TD
+WIDTH="50"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+></P
+></TD
+><TD
+WIDTH="70"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+></P
+></TD
+><TD
+WIDTH="129"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+></P
+></TD
+><TD
+WIDTH="243"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>&#60;------ Interface Identifier ------&#62;</P
+></TD
+></TR
+></TBODY
+></TABLE
+><P
+></P
+></DIV
+><P
+>Where
+<DIV
+CLASS="informaltable"
+><A
+NAME="AEN4846"
+></A
+><P
+></P
+><TABLE
+CELLPADDING="3"
+BORDER="1"
+CLASS="CALSTABLE"
+><TBODY
+><TR
+><TD
+WIDTH="132"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>FP</P
+></TD
+><TD
+WIDTH="24"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>=</P
+></TD
+><TD
+WIDTH="336"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>Format Prefix (001)</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="132"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>TLA ID</P
+></TD
+><TD
+WIDTH="24"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>=</P
+></TD
+><TD
+WIDTH="336"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>Top-Level Aggregation Identifier</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="132"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>RES</P
+></TD
+><TD
+WIDTH="24"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>=</P
+></TD
+><TD
+WIDTH="336"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>Reserved for future use</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="132"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>NLA ID</P
+></TD
+><TD
+WIDTH="24"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>=</P
+></TD
+><TD
+WIDTH="336"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>Next-Level Aggregation Identifier</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="132"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>SLA ID</P
+></TD
+><TD
+WIDTH="24"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>=</P
+></TD
+><TD
+WIDTH="336"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>Site-Level Aggregation Identifier</P
+></TD
+></TR
+><TR
+><TD
+WIDTH="132"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>INTERFACE ID</P
+></TD
+><TD
+WIDTH="24"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>=</P
+></TD
+><TD
+WIDTH="336"
+ALIGN="LEFT"
+VALIGN="MIDDLE"
+><P
+>Interface Identifier</P
+></TD
+></TR
+></TBODY
+></TABLE
+><P
+></P
+></DIV
+></P
+><P
+>The <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>Public Topology</I
+></SPAN
+> is provided by the
+upstream provider or ISP, and (roughly) corresponds to the IPv4 <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>network</I
+></SPAN
+> section
+of the address range. The <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>Site Topology</I
+></SPAN
+> is
 where you can subnet this space, much the same as subnetting an
-IPv4 /16 network into /24 subnets. The <span class="emphasis"><em>Interface Identifier</em></span> is
+IPv4 /16 network into /24 subnets. The <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>Interface Identifier</I
+></SPAN
+> is
 the address of an individual interface on a given network. (With
-IPv6, addresses belong to interfaces rather than machines.)</p>
-<p>The subnetting capability of IPv6 is much more flexible than
+IPv6, addresses belong to interfaces rather than machines.)</P
+><P
+>The subnetting capability of IPv6 is much more flexible than
 that of IPv4: subnetting can now be carried out on bit boundaries,
-in much the same way as Classless InterDomain Routing (CIDR).</p>
-<p>The internal structure of the Public Topology for an A6 global
-unicast address consists of:</p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td><p>3</p></td>
-<td><p>13</p></td>
-<td><p>8</p></td>
-<td><p>24</p></td>
-</tr>
-<tr>
-<td><p>FP</p></td>
-<td><p>TLA ID</p></td>
-<td><p>RES</p></td>
-<td><p>NLA ID</p></td>
-</tr>
-</tbody>
-</table></div>
-<p>A 3 bit FP (Format Prefix) of 001 indicates this is a global
-Unicast address. FP lengths for other types of addresses may vary.</p>
-<p>13 TLA (Top Level Aggregator) bits give the prefix of your
-top-level IP backbone carrier.</p>
-<p>8 Reserved bits</p>
-<p>24 bits for Next Level Aggregators. This allows organizations
-with a TLA to hand out portions of their IP space to client organizations,
-so that the client can then split up the network further by filling
-in more NLA bits, and hand out IPv6 prefixes to their clients, and
-so forth.</p>
-<p>There is no particular structure for the Site topology section.
-Organizations can allocate these bits in any way they desire.</p>
-<p>The Interface Identifier must be unique on that network. On
+in much the same way as Classless InterDomain Routing (CIDR).</P
+><P
+>The Interface Identifier must be unique on that network. On
 ethernet networks, one way to ensure this is to set the address
 to the first three bytes of the hardware address, "FFFE", then the
 last three bytes of the hardware address. The lowest significant
 bit of the first byte should then be complemented. Addresses are
 written as 32-bit blocks separated with a colon, and leading zeros
-of a block may be omitted, for example:</p>
-<p><span><strong class="command">2001:db8:201:9:a00:20ff:fe81:2b32</strong></span></p>
-<p>IPv6 address specifications are likely to contain long strings
+of a block may be omitted, for example:</P
+><P
+><B
+CLASS="command"
+>2001:4f8:201:9:a00:20ff:fe81:2b32</B
+></P
+><P
+>IPv6 address specifications are likely to contain long strings
 of zeros, so the architects have included a shorthand for specifying
 them. The double colon (`::') indicates the longest possible string
-of zeros that can fit, and can be used only once in an address.</p>
-</div>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="bibliography"></a>Bibliography (and Suggested Reading)</h2></div></div></div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="rfcs"></a>Request for Comments (RFCs)</h3></div></div></div>
-<p>Specification documents for the Internet protocol suite, including
-the <acronym class="acronym">DNS</acronym>, are published as part of the Request for Comments (RFCs)
+of zeros that can fit, and can be used only once in an address.</P
+></DIV
+></DIV
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="bibliography"
+>A.3. Bibliography (and Suggested Reading)</A
+></H1
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="rfcs"
+>A.3.1. Request for Comments (RFCs)</A
+></H2
+><P
+>Specification documents for the Internet protocol suite, including
+the <SPAN
+CLASS="acronym"
+>DNS</SPAN
+>, are published as part of the Request for Comments (RFCs)
 series of technical notes. The standards themselves are defined
 by the Internet Engineering Task Force (IETF) and the Internet Engineering
 Steering Group (IESG). RFCs can be obtained online via FTP at 
-<a href="ftp://www.isi.edu/in-notes/" target="_top">ftp://www.isi.edu/in-notes/RFC<em class="replaceable"><code>xxx</code></em>.txt</a> (where <em class="replaceable"><code>xxx</code></em> is
+<A
+HREF="ftp://www.isi.edu/in-notes/"
+TARGET="_top"
+>ftp://www.isi.edu/in-notes/RFC<TT
+CLASS="replaceable"
+><I
+>xxx</I
+></TT
+>.txt</A
+> (where <TT
+CLASS="replaceable"
+><I
+>xxx</I
+></TT
+> is
 the number of the RFC). RFCs are also available via the Web at
-<a href="http://www.ietf.org/rfc/" target="_top">http://www.ietf.org/rfc/</a>.
-</p>
-<div class="bibliography">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2586182"></a>Bibliography</h4></div></div></div>
-<div class="bibliodiv">
-<h3 class="title">Standards</h3>
-<div class="biblioentry">
-<a name="id2586193"></a><p>[<abbr class="abbrev">RFC974</abbr>] <span class="author"><span class="firstname">C.</span> <span class="surname">Partridge</span>. </span><span class="title"><i>Mail Routing and the Domain System</i>. </span><span class="pubdate">January 1986. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2586216"></a><p>[<abbr class="abbrev">RFC1034</abbr>] <span class="author"><span class="firstname">P.V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names &#8212; Concepts and Facilities</i>. </span><span class="pubdate">November 1987. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2586240"></a><p>[<abbr class="abbrev">RFC1035</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names &#8212; Implementation and
-Specification</i>. </span><span class="pubdate">November 1987. </span></p>
-</div>
-</div>
-<div class="bibliodiv">
-<h3 class="title">
-<a name="proposed_standards"></a>Proposed Standards</h3>
-<div class="biblioentry">
-<a name="id2586277"></a><p>[<abbr class="abbrev">RFC2181</abbr>] <span class="author"><span class="firstname">R., R. Bush</span> <span class="surname">Elz</span>. </span><span class="title"><i>Clarifications to the <acronym class="acronym">DNS</acronym> Specification</i>. </span><span class="pubdate">July 1997. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2586302"></a><p>[<abbr class="abbrev">RFC2308</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Andrews</span>. </span><span class="title"><i>Negative Caching of <acronym class="acronym">DNS</acronym> Queries</i>. </span><span class="pubdate">March 1998. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2586328"></a><p>[<abbr class="abbrev">RFC1995</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Ohta</span>. </span><span class="title"><i>Incremental Zone Transfer in <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">August 1996. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2586353"></a><p>[<abbr class="abbrev">RFC1996</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A Mechanism for Prompt Notification of Zone Changes</i>. </span><span class="pubdate">August 1996. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2586376"></a><p>[<abbr class="abbrev">RFC2136</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">Y.</span> <span class="surname">Rekhter</span>, and <span class="firstname">J.</span> <span class="surname">Bound</span>. </span><span class="title"><i>Dynamic Updates in the Domain Name System</i>. </span><span class="pubdate">April 1997. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2586432"></a><p>[<abbr class="abbrev">RFC2845</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>, <span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, and <span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secret Key Transaction Authentication for <acronym class="acronym">DNS</acronym> (TSIG)</i>. </span><span class="pubdate">May 2000. </span></p>
-</div>
-</div>
-<div class="bibliodiv">
-<h3 class="title">Proposed Standards Still Under Development</h3>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p><span class="emphasis"><em>Note:</em></span> the following list of
-RFCs are undergoing major revision by the IETF.</p>
-</div>
-<div class="biblioentry">
-<a name="id2586507"></a><p>[<abbr class="abbrev">RFC1886</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Thomson</span> and <span class="firstname">C.</span> <span class="surname">Huitema</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Extensions to support IP version 6</i>. </span><span class="pubdate">December 1995. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2586546"></a><p>[<abbr class="abbrev">RFC2065</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">C.</span> <span class="surname">Kaufman</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">January 1997. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2586585"></a><p>[<abbr class="abbrev">RFC2137</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secure Domain Name System Dynamic Update</i>. </span><span class="pubdate">April 1997. </span></p>
-</div>
-</div>
-<div class="bibliodiv">
-<h3 class="title">Other Important RFCs About <acronym class="acronym">DNS</acronym> Implementation</h3>
-<div class="biblioentry">
-<a name="id2586621"></a><p>[<abbr class="abbrev">RFC1535</abbr>] <span class="author"><span class="firstname">E.</span> <span class="surname">Gavron</span>. </span><span class="title"><i>A Security Problem and Proposed Correction With Widely Deployed <acronym class="acronym">DNS</acronym> Software.</i>. </span><span class="pubdate">October 1993. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2586647"></a><p>[<abbr class="abbrev">RFC1536</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Kumar</span>, <span class="firstname">J.</span> <span class="surname">Postel</span>, <span class="firstname">C.</span> <span class="surname">Neuman</span>, <span class="firstname">P.</span> <span class="surname">Danzig</span>, and <span class="firstname">S.</span> <span class="surname">Miller</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Implementation Errors and Suggested Fixes</i>. </span><span class="pubdate">October 1993. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2586714"></a><p>[<abbr class="abbrev">RFC1982</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Elz</span> and <span class="firstname">R.</span> <span class="surname">Bush</span>. </span><span class="title"><i>Serial Number Arithmetic</i>. </span><span class="pubdate">August 1996. </span></p>
-</div>
-</div>
-<div class="bibliodiv">
-<h3 class="title">Resource Record Types</h3>
-<div class="biblioentry">
-<a name="id2586756"></a><p>[<abbr class="abbrev">RFC1183</abbr>] <span class="authorgroup"><span class="firstname">C.F.</span> <span class="surname">Everhart</span>, <span class="firstname">L. A.</span> <span class="surname">Mamakos</span>, <span class="firstname">R.</span> <span class="surname">Ullmann</span>, and <span class="firstname">P.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>New <acronym class="acronym">DNS</acronym> RR Definitions</i>. </span><span class="pubdate">October 1990. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2586813"></a><p>[<abbr class="abbrev">RFC1706</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">R.</span> <span class="surname">Colella</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> NSAP Resource Records</i>. </span><span class="pubdate">October 1994. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2586851"></a><p>[<abbr class="abbrev">RFC2168</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Daniel</span> and <span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="title"><i>Resolution of Uniform Resource Identifiers using
-the Domain Name System</i>. </span><span class="pubdate">June 1997. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2586886"></a><p>[<abbr class="abbrev">RFC1876</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Davis</span>, <span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">T.</span>, and <span class="firstname">I.</span> <span class="surname">Dickinson</span>. </span><span class="title"><i>A Means for Expressing Location Information in the Domain
-Name System</i>. </span><span class="pubdate">January 1996. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2586940"></a><p>[<abbr class="abbrev">RFC2052</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A <acronym class="acronym">DNS</acronym> RR for Specifying the Location of
-Services.</i>. </span><span class="pubdate">October 1996. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2586980"></a><p>[<abbr class="abbrev">RFC2163</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Allocchio</span>. </span><span class="title"><i>Using the Internet <acronym class="acronym">DNS</acronym> to Distribute MIXER
-Conformant Global Address Mapping</i>. </span><span class="pubdate">January 1998. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2587006"></a><p>[<abbr class="abbrev">RFC2230</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Atkinson</span>. </span><span class="title"><i>Key Exchange Delegation Record for the <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">October 1997. </span></p>
-</div>
-</div>
-<div class="bibliodiv">
-<h3 class="title">
-<acronym class="acronym">DNS</acronym> and the Internet</h3>
-<div class="biblioentry">
-<a name="id2587041"></a><p>[<abbr class="abbrev">RFC1101</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Network Names and Other Types</i>. </span><span class="pubdate">April 1989. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2587066"></a><p>[<abbr class="abbrev">RFC1123</abbr>] <span class="author"><span class="surname">Braden</span>. </span><span class="title"><i>Requirements for Internet Hosts - Application and Support</i>. </span><span class="pubdate">October 1989. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2587090"></a><p>[<abbr class="abbrev">RFC1591</abbr>] <span class="author"><span class="firstname">J.</span> <span class="surname">Postel</span>. </span><span class="title"><i>Domain Name System Structure and Delegation</i>. </span><span class="pubdate">March 1994. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2587111"></a><p>[<abbr class="abbrev">RFC2317</abbr>] <span class="authorgroup"><span class="firstname">H.</span> <span class="surname">Eidnes</span>, <span class="firstname">G.</span> <span class="surname">de Groot</span>, and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Classless IN-ADDR.ARPA Delegation</i>. </span><span class="pubdate">March 1998. </span></p>
-</div>
-</div>
-<div class="bibliodiv">
-<h3 class="title">
-<acronym class="acronym">DNS</acronym> Operations</h3>
-<div class="biblioentry">
-<a name="id2587165"></a><p>[<abbr class="abbrev">RFC1537</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Beertema</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Data File Configuration Errors</i>. </span><span class="pubdate">October 1993. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2587259"></a><p>[<abbr class="abbrev">RFC1912</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Barr</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Operational and Configuration Errors</i>. </span><span class="pubdate">February 1996. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2587286"></a><p>[<abbr class="abbrev">RFC2010</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Operational Criteria for Root Name Servers.</i>. </span><span class="pubdate">October 1996. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2587322"></a><p>[<abbr class="abbrev">RFC2219</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Hamilton</span> and <span class="firstname">R.</span> <span class="surname">Wright</span>. </span><span class="title"><i>Use of <acronym class="acronym">DNS</acronym> Aliases for Network Services.</i>. </span><span class="pubdate">October 1997. </span></p>
-</div>
-</div>
-<div class="bibliodiv">
-<h3 class="title">Other <acronym class="acronym">DNS</acronym>-related RFCs</h3>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>Note: the following list of RFCs, although
-<acronym class="acronym">DNS</acronym>-related, are not concerned with implementing software.</p>
-</div>
-<div class="biblioentry">
-<a name="id2587382"></a><p>[<abbr class="abbrev">RFC1464</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Rosenbaum</span>. </span><span class="title"><i>Using the Domain Name System To Store Arbitrary String Attributes</i>. </span><span class="pubdate">May 1993. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2587404"></a><p>[<abbr class="abbrev">RFC1713</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Romao</span>. </span><span class="title"><i>Tools for <acronym class="acronym">DNS</acronym> Debugging</i>. </span><span class="pubdate">November 1994. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2587429"></a><p>[<abbr class="abbrev">RFC1794</abbr>] <span class="author"><span class="firstname">T.</span> <span class="surname">Brisco</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Support for Load Balancing</i>. </span><span class="pubdate">April 1995. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2587453"></a><p>[<abbr class="abbrev">RFC2240</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Legal Basis for Domain Name Allocation</i>. </span><span class="pubdate">November 1997. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2587476"></a><p>[<abbr class="abbrev">RFC2345</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>, <span class="firstname">T.</span> <span class="surname">Wolf</span>, and <span class="firstname">G.</span> <span class="surname">Oglesby</span>. </span><span class="title"><i>Domain Names and Company Name Retrieval</i>. </span><span class="pubdate">May 1998. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2587522"></a><p>[<abbr class="abbrev">RFC2352</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Convention For Using Legal Names as Domain Names</i>. </span><span class="pubdate">May 1998. </span></p>
-</div>
-</div>
-<div class="bibliodiv">
-<h3 class="title">Obsolete and Unimplemented Experimental RRs</h3>
-<div class="biblioentry">
-<a name="id2587553"></a><p>[<abbr class="abbrev">RFC1712</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Farrell</span>, <span class="firstname">M.</span> <span class="surname">Schulze</span>, <span class="firstname">S.</span> <span class="surname">Pleitner</span>, and <span class="firstname">D.</span> <span class="surname">Baldoni</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Geographical
-Location</i>. </span><span class="pubdate">November 1994. </span></p>
-</div>
-</div>
-</div>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="internet_drafts"></a>Internet Drafts</h3></div></div></div>
-<p>Internet Drafts (IDs) are rough-draft working documents of
+<A
+HREF="http://www.ietf.org/rfc/"
+TARGET="_top"
+>http://www.ietf.org/rfc/</A
+>.
+</P
+><H3
+><A
+NAME="AEN4914"
+>Bibliography</A
+></H3
+><H2
+CLASS="bibliodiv"
+><A
+NAME="AEN4915"
+>Standards</A
+></H2
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN4917"
+></A
+><P
+>[RFC974]&nbsp;<SPAN
+CLASS="AUTHOR"
+>C. Partridge</SPAN
+>, <I
+>Mail Routing and the Domain System</I
+>, January 1986.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left=0.5in"
+></DIV
+></DIV
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN4924"
+></A
+><P
+>[RFC1034]&nbsp;<SPAN
+CLASS="AUTHOR"
+>P.V. Mockapetris</SPAN
+>, <I
+>Domain Names &#8212; Concepts and Facilities</I
+>, November 1987.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left=0.5in"
+></DIV
+></DIV
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN4931"
+></A
+><P
+>[RFC1035]&nbsp;<SPAN
+CLASS="AUTHOR"
+>P. V. Mockapetris</SPAN
+>, <I
+>Domain Names &#8212; Implementation and
+Specification</I
+>, November 1987.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left=0.5in"
+></DIV
+></DIV
+><H2
+CLASS="bibliodiv"
+><A
+NAME="proposed_standards"
+>Proposed Standards</A
+></H2
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN4940"
+></A
+><P
+>[RFC2181]&nbsp;<SPAN
+CLASS="AUTHOR"
+>R., R. Bush Elz</SPAN
+>, <I
+>Clarifications to the <SPAN
+CLASS="acronym"
+>DNS</SPAN
+> Specification</I
+>, July 1997.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left=0.5in"
+></DIV
+></DIV
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN4948"
+></A
+><P
+>[RFC2308]&nbsp;<SPAN
+CLASS="AUTHOR"
+>M. Andrews</SPAN
+>, <I
+>Negative Caching of <SPAN
+CLASS="acronym"
+>DNS</SPAN
+> Queries</I
+>, March 1998.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left=0.5in"
+></DIV
+></DIV
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN4956"
+></A
+><P
+>[RFC1995]&nbsp;<SPAN
+CLASS="AUTHOR"
+>M. Ohta</SPAN
+>, <I
+>Incremental Zone Transfer in <SPAN
+CLASS="acronym"
+>DNS</SPAN
+></I
+>, August 1996.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left=0.5in"
+></DIV
+></DIV
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN4964"
+></A
+><P
+>[RFC1996]&nbsp;<SPAN
+CLASS="AUTHOR"
+>P. Vixie</SPAN
+>, <I
+>A Mechanism for Prompt Notification of Zone Changes</I
+>, August 1996.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left=0.5in"
+></DIV
+></DIV
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN4971"
+></A
+><P
+>[RFC2136]&nbsp;<SPAN
+CLASS="AUTHOR"
+>P. Vixie, </SPAN
+><SPAN
+CLASS="AUTHOR"
+>S. Thomson, </SPAN
+><SPAN
+CLASS="AUTHOR"
+>Y. Rekhter, </SPAN
+><SPAN
+CLASS="AUTHOR"
+>and J. Bound</SPAN
+>, <I
+>Dynamic Updates in the Domain Name System</I
+>, April 1997.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left=0.5in"
+></DIV
+></DIV
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN4988"
+></A
+><P
+>[RFC2845]&nbsp;<SPAN
+CLASS="AUTHOR"
+>P. Vixie, </SPAN
+><SPAN
+CLASS="AUTHOR"
+>O. Gudmundsson, </SPAN
+><SPAN
+CLASS="AUTHOR"
+>D. Eastlake, 3rd, </SPAN
+><SPAN
+CLASS="AUTHOR"
+>and B. Wellington</SPAN
+>, <I
+>Secret Key Transaction Authentication for <SPAN
+CLASS="acronym"
+>DNS</SPAN
+> (TSIG)</I
+>, May 2000.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left=0.5in"
+></DIV
+></DIV
+><H2
+CLASS="bibliodiv"
+><A
+NAME="AEN5007"
+>Proposed Standards Still Under Development</A
+></H2
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN5012"
+></A
+><P
+>[RFC1886]&nbsp;<SPAN
+CLASS="AUTHOR"
+>S. Thomson </SPAN
+><SPAN
+CLASS="AUTHOR"
+>and C. Huitema</SPAN
+>, <I
+><SPAN
+CLASS="acronym"
+>DNS</SPAN
+> Extensions to support IP version 6</I
+>, December 1995.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left=0.5in"
+></DIV
+></DIV
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN5024"
+></A
+><P
+>[RFC2065]&nbsp;<SPAN
+CLASS="AUTHOR"
+>D. Eastlake, 3rd </SPAN
+><SPAN
+CLASS="AUTHOR"
+>and C. Kaufman</SPAN
+>, <I
+>Domain Name System Security Extensions</I
+>, January 1997.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left=0.5in"
+></DIV
+></DIV
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN5036"
+></A
+><P
+>[RFC2137]&nbsp;<SPAN
+CLASS="AUTHOR"
+>D. Eastlake, 3rd</SPAN
+>, <I
+>Secure Domain Name System Dynamic Update</I
+>, April 1997.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left=0.5in"
+></DIV
+></DIV
+><H2
+CLASS="bibliodiv"
+><A
+NAME="AEN5044"
+>Other Important RFCs About <SPAN
+CLASS="acronym"
+>DNS</SPAN
+> Implementation</A
+></H2
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN5047"
+></A
+><P
+>[RFC1535]&nbsp;<SPAN
+CLASS="AUTHOR"
+>E. Gavron</SPAN
+>, <I
+>A Security Problem and Proposed Correction With Widely Deployed <SPAN
+CLASS="acronym"
+>DNS</SPAN
+> Software.</I
+>, October 1993.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left=0.5in"
+></DIV
+></DIV
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN5055"
+></A
+><P
+>[RFC1536]&nbsp;<SPAN
+CLASS="AUTHOR"
+>A. Kumar, </SPAN
+><SPAN
+CLASS="AUTHOR"
+>J. Postel, </SPAN
+><SPAN
+CLASS="AUTHOR"
+>C. Neuman, </SPAN
+><SPAN
+CLASS="AUTHOR"
+>P. Danzig, </SPAN
+><SPAN
+CLASS="AUTHOR"
+>and S. Miller</SPAN
+>, <I
+>Common <SPAN
+CLASS="acronym"
+>DNS</SPAN
+> Implementation Errors and Suggested Fixes</I
+>, October 1993.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left=0.5in"
+></DIV
+></DIV
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN5076"
+></A
+><P
+>[RFC1982]&nbsp;<SPAN
+CLASS="AUTHOR"
+>R. Elz </SPAN
+><SPAN
+CLASS="AUTHOR"
+>and R. Bush</SPAN
+>, <I
+>Serial Number Arithmetic</I
+>, August 1996.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left=0.5in"
+></DIV
+></DIV
+><H2
+CLASS="bibliodiv"
+><A
+NAME="AEN5087"
+>Resource Record Types</A
+></H2
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN5089"
+></A
+><P
+>[RFC1183]&nbsp;<SPAN
+CLASS="AUTHOR"
+>C.F. Everhart, </SPAN
+><SPAN
+CLASS="AUTHOR"
+>L. A. Mamakos, </SPAN
+><SPAN
+CLASS="AUTHOR"
+>R. Ullmann, </SPAN
+><SPAN
+CLASS="AUTHOR"
+>and P. Mockapetris</SPAN
+>, <I
+>New <SPAN
+CLASS="acronym"
+>DNS</SPAN
+> RR Definitions</I
+>, October 1990.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left=0.5in"
+></DIV
+></DIV
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN5107"
+></A
+><P
+>[RFC1706]&nbsp;<SPAN
+CLASS="AUTHOR"
+>B. Manning </SPAN
+><SPAN
+CLASS="AUTHOR"
+>and R. Colella</SPAN
+>, <I
+><SPAN
+CLASS="acronym"
+>DNS</SPAN
+> NSAP Resource Records</I
+>, October 1994.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left=0.5in"
+></DIV
+></DIV
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN5119"
+></A
+><P
+>[RFC2168]&nbsp;<SPAN
+CLASS="AUTHOR"
+>R. Daniel </SPAN
+><SPAN
+CLASS="AUTHOR"
+>and M. Mealling</SPAN
+>, <I
+>Resolution of Uniform Resource Identifiers using
+the Domain Name System</I
+>, June 1997.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left=0.5in"
+></DIV
+></DIV
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN5130"
+></A
+><P
+>[RFC1876]&nbsp;<SPAN
+CLASS="AUTHOR"
+>C. Davis, </SPAN
+><SPAN
+CLASS="AUTHOR"
+>P. Vixie, </SPAN
+><SPAN
+CLASS="AUTHOR"
+>T., </SPAN
+><SPAN
+CLASS="AUTHOR"
+>and I. Dickinson</SPAN
+>, <I
+>A Means for Expressing Location Information in the Domain
+Name System</I
+>, January 1996.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left=0.5in"
+></DIV
+></DIV
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN5147"
+></A
+><P
+>[RFC2052]&nbsp;<SPAN
+CLASS="AUTHOR"
+>A. Gulbrandsen </SPAN
+><SPAN
+CLASS="AUTHOR"
+>and P. Vixie</SPAN
+>, <I
+>A <SPAN
+CLASS="acronym"
+>DNS</SPAN
+> RR for Specifying the Location of
+Services.</I
+>, October 1996.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left=0.5in"
+></DIV
+></DIV
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN5159"
+></A
+><P
+>[RFC2163]&nbsp;<SPAN
+CLASS="AUTHOR"
+>A. Allocchio</SPAN
+>, <I
+>Using the Internet <SPAN
+CLASS="acronym"
+>DNS</SPAN
+> to Distribute MIXER
+Conformant Global Address Mapping</I
+>, January 1998.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left=0.5in"
+></DIV
+></DIV
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN5167"
+></A
+><P
+>[RFC2230]&nbsp;<SPAN
+CLASS="AUTHOR"
+>R. Atkinson</SPAN
+>, <I
+>Key Exchange Delegation Record for the <SPAN
+CLASS="acronym"
+>DNS</SPAN
+></I
+>, October 1997.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left=0.5in"
+></DIV
+></DIV
+><H2
+CLASS="bibliodiv"
+><A
+NAME="AEN5175"
+><SPAN
+CLASS="acronym"
+>DNS</SPAN
+> and the Internet</A
+></H2
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN5178"
+></A
+><P
+>[RFC1101]&nbsp;<SPAN
+CLASS="AUTHOR"
+>P. V. Mockapetris</SPAN
+>, <I
+><SPAN
+CLASS="acronym"
+>DNS</SPAN
+> Encoding of Network Names and Other Types</I
+>, April 1989.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left=0.5in"
+></DIV
+></DIV
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN5186"
+></A
+><P
+>[RFC1123]&nbsp;<SPAN
+CLASS="AUTHOR"
+>Braden</SPAN
+>, <I
+>Requirements for Internet Hosts - Application and Support</I
+>, October 1989.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left=0.5in"
+></DIV
+></DIV
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN5193"
+></A
+><P
+>[RFC1591]&nbsp;<SPAN
+CLASS="AUTHOR"
+>J. Postel</SPAN
+>, <I
+>Domain Name System Structure and Delegation</I
+>, March 1994.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left=0.5in"
+></DIV
+></DIV
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN5200"
+></A
+><P
+>[RFC2317]&nbsp;<SPAN
+CLASS="AUTHOR"
+>H. Eidnes, </SPAN
+><SPAN
+CLASS="AUTHOR"
+>G. de Groot, </SPAN
+><SPAN
+CLASS="AUTHOR"
+>and P. Vixie</SPAN
+>, <I
+>Classless IN-ADDR.ARPA Delegation</I
+>, March 1998.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left=0.5in"
+></DIV
+></DIV
+><H2
+CLASS="bibliodiv"
+><A
+NAME="AEN5214"
+><SPAN
+CLASS="acronym"
+>DNS</SPAN
+> Operations</A
+></H2
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN5217"
+></A
+><P
+>[RFC1537]&nbsp;<SPAN
+CLASS="AUTHOR"
+>P. Beertema</SPAN
+>, <I
+>Common <SPAN
+CLASS="acronym"
+>DNS</SPAN
+> Data File Configuration Errors</I
+>, October 1993.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left=0.5in"
+></DIV
+></DIV
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN5225"
+></A
+><P
+>[RFC1912]&nbsp;<SPAN
+CLASS="AUTHOR"
+>D. Barr</SPAN
+>, <I
+>Common <SPAN
+CLASS="acronym"
+>DNS</SPAN
+> Operational and Configuration Errors</I
+>, February 1996.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left=0.5in"
+></DIV
+></DIV
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN5233"
+></A
+><P
+>[RFC2010]&nbsp;<SPAN
+CLASS="AUTHOR"
+>B. Manning </SPAN
+><SPAN
+CLASS="AUTHOR"
+>and P. Vixie</SPAN
+>, <I
+>Operational Criteria for Root Name Servers.</I
+>, October 1996.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left=0.5in"
+></DIV
+></DIV
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN5244"
+></A
+><P
+>[RFC2219]&nbsp;<SPAN
+CLASS="AUTHOR"
+>M. Hamilton </SPAN
+><SPAN
+CLASS="AUTHOR"
+>and R. Wright</SPAN
+>, <I
+>Use of <SPAN
+CLASS="acronym"
+>DNS</SPAN
+> Aliases for Network Services.</I
+>, October 1997.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left=0.5in"
+></DIV
+></DIV
+><H2
+CLASS="bibliodiv"
+><A
+NAME="AEN5256"
+>Other <SPAN
+CLASS="acronym"
+>DNS</SPAN
+>-related RFCs</A
+></H2
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN5262"
+></A
+><P
+>[RFC1464]&nbsp;<SPAN
+CLASS="AUTHOR"
+>R. Rosenbaum</SPAN
+>, <I
+>Using the Domain Name System To Store Arbitrary String Attributes</I
+>, May 1993.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left=0.5in"
+></DIV
+></DIV
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN5269"
+></A
+><P
+>[RFC1713]&nbsp;<SPAN
+CLASS="AUTHOR"
+>A. Romao</SPAN
+>, <I
+>Tools for <SPAN
+CLASS="acronym"
+>DNS</SPAN
+> Debugging</I
+>, November 1994.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left=0.5in"
+></DIV
+></DIV
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN5277"
+></A
+><P
+>[RFC1794]&nbsp;<SPAN
+CLASS="AUTHOR"
+>T. Brisco</SPAN
+>, <I
+><SPAN
+CLASS="acronym"
+>DNS</SPAN
+> Support for Load Balancing</I
+>, April 1995.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left=0.5in"
+></DIV
+></DIV
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN5285"
+></A
+><P
+>[RFC2240]&nbsp;<SPAN
+CLASS="AUTHOR"
+>O. Vaughan</SPAN
+>, <I
+>A Legal Basis for Domain Name Allocation</I
+>, November 1997.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left=0.5in"
+></DIV
+></DIV
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN5292"
+></A
+><P
+>[RFC2345]&nbsp;<SPAN
+CLASS="AUTHOR"
+>J. Klensin, </SPAN
+><SPAN
+CLASS="AUTHOR"
+>T. Wolf, </SPAN
+><SPAN
+CLASS="AUTHOR"
+>and G. Oglesby</SPAN
+>, <I
+>Domain Names and Company Name Retrieval</I
+>, May 1998.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left=0.5in"
+></DIV
+></DIV
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN5306"
+></A
+><P
+>[RFC2352]&nbsp;<SPAN
+CLASS="AUTHOR"
+>O. Vaughan</SPAN
+>, <I
+>A Convention For Using Legal Names as Domain Names</I
+>, May 1998.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left=0.5in"
+></DIV
+></DIV
+><H2
+CLASS="bibliodiv"
+><A
+NAME="AEN5313"
+>Obsolete and Unimplemented Experimental RRs</A
+></H2
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN5315"
+></A
+><P
+>[RFC1712]&nbsp;<SPAN
+CLASS="AUTHOR"
+>C. Farrell, </SPAN
+><SPAN
+CLASS="AUTHOR"
+>M. Schulze, </SPAN
+><SPAN
+CLASS="AUTHOR"
+>S. Pleitner, </SPAN
+><SPAN
+CLASS="AUTHOR"
+>and D. Baldoni</SPAN
+>, <I
+><SPAN
+CLASS="acronym"
+>DNS</SPAN
+> Encoding of Geographical
+Location</I
+>, November 1994.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left=0.5in"
+></DIV
+></DIV
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="internet_drafts"
+>A.3.2. Internet Drafts</A
+></H2
+><P
+>Internet Drafts (IDs) are rough-draft working documents of
 the Internet Engineering Task Force. They are, in essence, RFCs
 in the preliminary stages of development. Implementors are cautioned not
 to regard IDs as archival, and they should not be quoted or cited
 in any formal documents unless accompanied by the disclaimer that
 they are "works in progress." IDs have a lifespan of six months
 after which they are deleted unless updated by their authors.
-</p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2587625"></a>Other Documents About <acronym class="acronym">BIND</acronym>
-</h3></div></div></div>
-<p></p>
-<div class="bibliography">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2587635"></a>Bibliography</h4></div></div></div>
-<div class="biblioentry">
-<a name="id2587637"></a><p><span class="authorgroup"><span class="firstname">Paul</span> <span class="surname">Albitz</span> and <span class="firstname">Cricket</span> <span class="surname">Liu</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></i>. </span><span class="copyright">Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. </span></p>
-</div>
-</div>
-</div>
-</div>
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="Bv9ARM.ch08.html">Prev</a> </td>
-<td width="20%" align="center"> </td>
-<td width="40%" align="right"> </td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">Chapter 8. Troubleshooting </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> </td>
-</tr>
-</table>
-</div>
-</body>
-</html>
+</P
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN5336"
+>A.3.3. Other Documents About <SPAN
+CLASS="acronym"
+>BIND</SPAN
+></A
+></H2
+><P
+></P
+><H3
+><A
+NAME="AEN5340"
+>Bibliography</A
+></H3
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN5341"
+></A
+><P
+><SPAN
+CLASS="AUTHOR"
+>Paul Albitz </SPAN
+><SPAN
+CLASS="AUTHOR"
+>and Cricket Liu</SPAN
+>, <I
+><SPAN
+CLASS="acronym"
+>DNS</SPAN
+> and <SPAN
+CLASS="acronym"
+>BIND</SPAN
+></I
+>, 1998.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left=0.5in"
+></DIV
+></DIV
+></DIV
+></DIV
+></DIV
+><DIV
+CLASS="NAVFOOTER"
+><HR
+ALIGN="LEFT"
+WIDTH="100%"><TABLE
+SUMMARY="Footer navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+><A
+HREF="Bv9ARM.ch08.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+><A
+HREF="Bv9ARM.html"
+ACCESSKEY="H"
+>Home</A
+></TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+>&nbsp;</TD
+></TR
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+>Troubleshooting</TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+>&nbsp;</TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+>&nbsp;</TD
+></TR
+></TABLE
+></DIV
+></BODY
+></HTML
+>
\ No newline at end of file
diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html
index ebf04826..120716ac 100644
--- a/doc/arm/Bv9ARM.html
+++ b/doc/arm/Bv9ARM.html
@@ -1,225 +1,861 @@
-<!--
- - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id: Bv9ARM.html,v 1.60.2.39 2007/05/16 06:57:47 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>BIND 9 Administrator Reference Manual</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="next" href="Bv9ARM.ch01.html" title="Chapter 1. Introduction">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center">BIND 9 Administrator Reference Manual</th></tr>
-<tr>
-<td width="20%" align="left"> </td>
-<th width="60%" align="center"> </th>
-<td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch01.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="book" lang="en">
-<div class="titlepage">
-<div>
-<div><h1 class="title">
-<a name="id2476355"></a>BIND 9 Administrator Reference Manual</h1></div>
-<div><p class="copyright">Copyright © 2004-2007 Internet Systems Consortium, Inc. ("ISC")</p></div>
-<div><p class="copyright">Copyright © 2000-2003 Internet Software Consortium.</p></div>
-</div>
-<hr>
-</div>
-<div class="toc">
-<p><b>Table of Contents</b></p>
-<dl>
-<dt><span class="chapter"><a href="Bv9ARM.ch01.html">1. Introduction </a></span></dt>
-<dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2563876">Scope of Document</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564243">Organization of This Document</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564314">Conventions Used in This Document</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564572">The Domain Name System (<acronym class="acronym">DNS</acronym>)</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2563159">DNS Fundamentals</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2563184">Domains and Domain Names</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564974">Zones</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2565117">Authoritative Name Servers</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2565209">Caching Name Servers</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2565267">Name Servers in Multiple Roles</a></span></dt>
-</dl></dd>
-</dl></dd>
-<dt><span class="chapter"><a href="Bv9ARM.ch02.html">2. <acronym class="acronym">BIND</acronym> Resource Requirements</a></span></dt>
-<dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2565299">Hardware requirements</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2565323">CPU Requirements</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2565402">Memory Requirements</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2565417">Nameserver Intensive Environment Issues</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2565426">Supported Operating Systems</a></span></dt>
-</dl></dd>
-<dt><span class="chapter"><a href="Bv9ARM.ch03.html">3. Nameserver Configuration</a></span></dt>
-<dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch03.html#sample_configuration">Sample Configurations</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2565591">A Caching-only Nameserver</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2565672">An Authoritative-only Nameserver</a></span></dt>
-</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2565694">Load Balancing</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch03.html#notify">Notify</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2566085">Nameserver Operations</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2566090">Tools for Use With the Nameserver Daemon</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2569165">Signals</a></span></dt>
-</dl></dd>
-</dl></dd>
-<dt><span class="chapter"><a href="Bv9ARM.ch04.html">4. Advanced Concepts</a></span></dt>
-<dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2569474">Split DNS</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2569491">Example split DNS setup</a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2569971">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570037">Copying the Shared Secret to Both Machines</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570045">Informing the Servers of the Key's Existence</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570085">Instructing the Server to Use the Key</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570137">TSIG Key Based Access Control</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570181">Errors</a></span></dt>
-</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570195">TKEY</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570312">SIG(0)</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570365">Generating Keys</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570434">Creating a Keyset</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570540">Signing the Child's Keyset</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570650">Signing the Zone</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570705">Configuring Servers</a></span></dt>
-</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570729">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570785">Address Lookups Using AAAA Records</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570798">Address to Name Lookups Using Nibble Format</a></span></dt>
-</dl></dd>
-</dl></dd>
-<dt><span class="chapter"><a href="Bv9ARM.ch05.html">5. The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver</a></span></dt>
-<dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2570830">The Lightweight Resolver Library</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch05.html#lwresd">Running a Resolver Daemon</a></span></dt>
-</dl></dd>
-<dt><span class="chapter"><a href="Bv9ARM.ch06.html">6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference</a></span></dt>
-<dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2571910">Comment Syntax</a></span></dt>
-</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2572280"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#acl"><span><strong class="command">acl</strong></span> Statement Definition and
-Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2572459"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2572988"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573003"><span><strong class="command">include</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573026"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573047"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573110"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573236"><span><strong class="command">logging</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574326"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574398"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574530"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575390"><span><strong class="command">options</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2579171"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2579219"><span><strong class="command">trusted-keys</strong></span> Statement Definition
-and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2579242"><span><strong class="command">view</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2579290"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span><strong class="command">zone</strong></span>
-Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2580473"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
-</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2581782">Zone File</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2583238">Discussion of MX Records</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2583872">Inverse Mapping in IPv4</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2584114">Other Zone File Directives</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2584282"><acronym class="acronym">BIND</acronym> Master File Extension: the  <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
-</dl></dd>
-</dl></dd>
-<dt><span class="chapter"><a href="Bv9ARM.ch07.html">7. <acronym class="acronym">BIND</acronym> 9 Security Considerations</a></span></dt>
-<dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2584602"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span> (for
-UNIX servers)</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2584746">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2584804">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
-</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
-</dl></dd>
-<dt><span class="chapter"><a href="Bv9ARM.ch08.html">8. Troubleshooting</a></span></dt>
-<dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2584874">Common Problems</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2584880">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2584891">Incrementing and Changing the Serial Number</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2584908">Where Can I Get Help?</a></span></dt>
-</dl></dd>
-<dt><span class="appendix"><a href="Bv9ARM.ch09.html">A. Appendices</a></span></dt>
-<dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2585038">Acknowledgements</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2585044">A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#historical_dns_information">Historical <acronym class="acronym">DNS</acronym> Information</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#classes_of_resource_records">Classes of Resource Records</a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2585254">General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#ipv6addresses">IPv6 addresses (A6)</a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#bibliography">Bibliography (and Suggested Reading)</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#rfcs">Request for Comments (RFCs)</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#internet_drafts">Internet Drafts</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2587625">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
-</dl></dd>
-</dl></dd>
-</dl>
-</div>
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left"> </td>
-<td width="20%" align="center"> </td>
-<td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch01.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top"> </td>
-<td width="20%" align="center"> </td>
-<td width="40%" align="right" valign="top"> Chapter 1. Introduction </td>
-</tr>
-</table>
-</div>
-</body>
-</html>
+<HTML
+><HEAD
+><TITLE
+>BIND 9 Administrator Reference Manual</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.73
+"><LINK
+REL="NEXT"
+TITLE="Introduction "
+HREF="Bv9ARM.ch01.html"></HEAD
+><BODY
+CLASS="book"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><DIV
+CLASS="BOOK"
+><A
+NAME="AEN1"
+></A
+><DIV
+CLASS="TITLEPAGE"
+><H1
+CLASS="title"
+><A
+NAME="AEN1"
+>BIND 9 Administrator Reference Manual</A
+></H1
+><P
+CLASS="copyright"
+>Copyright &copy; 2004 by Internet Systems Consortium, Inc. ("ISC")</P
+><P
+CLASS="copyright"
+>Copyright &copy; 2000-2003 by Internet Software Consortium</P
+><HR></DIV
+><DIV
+CLASS="TOC"
+><DL
+><DT
+><B
+>Table of Contents</B
+></DT
+><DT
+>1. <A
+HREF="Bv9ARM.ch01.html"
+>Introduction</A
+></DT
+><DD
+><DL
+><DT
+>1.1. <A
+HREF="Bv9ARM.ch01.html#AEN15"
+>Scope of Document</A
+></DT
+><DT
+>1.2. <A
+HREF="Bv9ARM.ch01.html#AEN22"
+>Organization of This Document</A
+></DT
+><DT
+>1.3. <A
+HREF="Bv9ARM.ch01.html#AEN42"
+>Conventions Used in This Document</A
+></DT
+><DT
+>1.4. <A
+HREF="Bv9ARM.ch01.html#AEN107"
+>The Domain Name System (<SPAN
+CLASS="acronym"
+>DNS</SPAN
+>)</A
+></DT
+><DD
+><DL
+><DT
+>1.4.1. <A
+HREF="Bv9ARM.ch01.html#AEN114"
+>DNS Fundamentals</A
+></DT
+><DT
+>1.4.2. <A
+HREF="Bv9ARM.ch01.html#AEN124"
+>Domains and Domain Names</A
+></DT
+><DT
+>1.4.3. <A
+HREF="Bv9ARM.ch01.html#AEN148"
+>Zones</A
+></DT
+><DT
+>1.4.4. <A
+HREF="Bv9ARM.ch01.html#AEN171"
+>Authoritative Name Servers</A
+></DT
+><DT
+>1.4.5. <A
+HREF="Bv9ARM.ch01.html#AEN200"
+>Caching Name Servers</A
+></DT
+><DT
+>1.4.6. <A
+HREF="Bv9ARM.ch01.html#AEN218"
+>Name Servers in Multiple Roles</A
+></DT
+></DL
+></DD
+></DL
+></DD
+><DT
+>2. <A
+HREF="Bv9ARM.ch02.html"
+><SPAN
+CLASS="acronym"
+>BIND</SPAN
+> Resource Requirements</A
+></DT
+><DD
+><DL
+><DT
+>2.1. <A
+HREF="Bv9ARM.ch02.html#AEN228"
+>Hardware requirements</A
+></DT
+><DT
+>2.2. <A
+HREF="Bv9ARM.ch02.html#AEN236"
+>CPU Requirements</A
+></DT
+><DT
+>2.3. <A
+HREF="Bv9ARM.ch02.html#AEN240"
+>Memory Requirements</A
+></DT
+><DT
+>2.4. <A
+HREF="Bv9ARM.ch02.html#AEN245"
+>Name Server Intensive Environment Issues</A
+></DT
+><DT
+>2.5. <A
+HREF="Bv9ARM.ch02.html#AEN248"
+>Supported Operating Systems</A
+></DT
+></DL
+></DD
+><DT
+>3. <A
+HREF="Bv9ARM.ch03.html"
+>Name Server Configuration</A
+></DT
+><DD
+><DL
+><DT
+>3.1. <A
+HREF="Bv9ARM.ch03.html#sample_configuration"
+>Sample Configurations</A
+></DT
+><DD
+><DL
+><DT
+>3.1.1. <A
+HREF="Bv9ARM.ch03.html#AEN257"
+>A Caching-only Name Server</A
+></DT
+><DT
+>3.1.2. <A
+HREF="Bv9ARM.ch03.html#AEN262"
+>An Authoritative-only Name Server</A
+></DT
+></DL
+></DD
+><DT
+>3.2. <A
+HREF="Bv9ARM.ch03.html#AEN268"
+>Load Balancing</A
+></DT
+><DT
+>3.3. <A
+HREF="Bv9ARM.ch03.html#AEN345"
+>Name Server Operations</A
+></DT
+><DD
+><DL
+><DT
+>3.3.1. <A
+HREF="Bv9ARM.ch03.html#AEN347"
+>Tools for Use With the Name Server Daemon</A
+></DT
+><DT
+>3.3.2. <A
+HREF="Bv9ARM.ch03.html#AEN679"
+>Signals</A
+></DT
+></DL
+></DD
+></DL
+></DD
+><DT
+>4. <A
+HREF="Bv9ARM.ch04.html"
+>Advanced DNS Features</A
+></DT
+><DD
+><DL
+><DT
+>4.1. <A
+HREF="Bv9ARM.ch04.html#notify"
+>Notify</A
+></DT
+><DT
+>4.2. <A
+HREF="Bv9ARM.ch04.html#dynamic_update"
+>Dynamic Update</A
+></DT
+><DD
+><DL
+><DT
+>4.2.1. <A
+HREF="Bv9ARM.ch04.html#journal"
+>The journal file</A
+></DT
+></DL
+></DD
+><DT
+>4.3. <A
+HREF="Bv9ARM.ch04.html#incremental_zone_transfers"
+>Incremental Zone Transfers (IXFR)</A
+></DT
+><DT
+>4.4. <A
+HREF="Bv9ARM.ch04.html#AEN757"
+>Split DNS</A
+></DT
+><DT
+>4.5. <A
+HREF="Bv9ARM.ch04.html#tsig"
+>TSIG</A
+></DT
+><DD
+><DL
+><DT
+>4.5.1. <A
+HREF="Bv9ARM.ch04.html#AEN848"
+>Generate Shared Keys for Each Pair of Hosts</A
+></DT
+><DT
+>4.5.2. <A
+HREF="Bv9ARM.ch04.html#AEN869"
+>Copying the Shared Secret to Both Machines</A
+></DT
+><DT
+>4.5.3. <A
+HREF="Bv9ARM.ch04.html#AEN872"
+>Informing the Servers of the Key's Existence</A
+></DT
+><DT
+>4.5.4. <A
+HREF="Bv9ARM.ch04.html#AEN884"
+>Instructing the Server to Use the Key</A
+></DT
+><DT
+>4.5.5. <A
+HREF="Bv9ARM.ch04.html#AEN900"
+>TSIG Key Based Access Control</A
+></DT
+><DT
+>4.5.6. <A
+HREF="Bv9ARM.ch04.html#AEN913"
+>Errors</A
+></DT
+></DL
+></DD
+><DT
+>4.6. <A
+HREF="Bv9ARM.ch04.html#AEN917"
+>TKEY</A
+></DT
+><DT
+>4.7. <A
+HREF="Bv9ARM.ch04.html#AEN932"
+>SIG(0)</A
+></DT
+><DT
+>4.8. <A
+HREF="Bv9ARM.ch04.html#DNSSEC"
+>DNSSEC</A
+></DT
+><DD
+><DL
+><DT
+>4.8.1. <A
+HREF="Bv9ARM.ch04.html#AEN951"
+>Generating Keys</A
+></DT
+><DT
+>4.8.2. <A
+HREF="Bv9ARM.ch04.html#AEN971"
+>Creating a Keyset</A
+></DT
+><DT
+>4.8.3. <A
+HREF="Bv9ARM.ch04.html#AEN983"
+>Signing the Child's Keyset</A
+></DT
+><DT
+>4.8.4. <A
+HREF="Bv9ARM.ch04.html#AEN996"
+>Signing the Zone</A
+></DT
+><DT
+>4.8.5. <A
+HREF="Bv9ARM.ch04.html#AEN1012"
+>Configuring Servers</A
+></DT
+></DL
+></DD
+><DT
+>4.9. <A
+HREF="Bv9ARM.ch04.html#AEN1019"
+>IPv6 Support in <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 9</A
+></DT
+><DD
+><DL
+><DT
+>4.9.1. <A
+HREF="Bv9ARM.ch04.html#AEN1037"
+>Address Lookups Using AAAA Records</A
+></DT
+><DT
+>4.9.2. <A
+HREF="Bv9ARM.ch04.html#AEN1043"
+>Address to Name Lookups Using Nibble Format</A
+></DT
+></DL
+></DD
+></DL
+></DD
+><DT
+>5. <A
+HREF="Bv9ARM.ch05.html"
+>The <SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 9 Lightweight Resolver</A
+></DT
+><DD
+><DL
+><DT
+>5.1. <A
+HREF="Bv9ARM.ch05.html#AEN1052"
+>The Lightweight Resolver Library</A
+></DT
+><DT
+>5.2. <A
+HREF="Bv9ARM.ch05.html#lwresd"
+>Running a Resolver Daemon</A
+></DT
+></DL
+></DD
+><DT
+>6. <A
+HREF="Bv9ARM.ch06.html"
+><SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 9 Configuration Reference</A
+></DT
+><DD
+><DL
+><DT
+>6.1. <A
+HREF="Bv9ARM.ch06.html#configuration_file_elements"
+>Configuration File Elements</A
+></DT
+><DD
+><DL
+><DT
+>6.1.1. <A
+HREF="Bv9ARM.ch06.html#address_match_lists"
+>Address Match Lists</A
+></DT
+><DT
+>6.1.2. <A
+HREF="Bv9ARM.ch06.html#AEN1298"
+>Comment Syntax</A
+></DT
+></DL
+></DD
+><DT
+>6.2. <A
+HREF="Bv9ARM.ch06.html#Configuration_File_Grammar"
+>Configuration File Grammar</A
+></DT
+><DD
+><DL
+><DT
+>6.2.1. <A
+HREF="Bv9ARM.ch06.html#AEN1419"
+><B
+CLASS="command"
+>acl</B
+> Statement Grammar</A
+></DT
+><DT
+>6.2.2. <A
+HREF="Bv9ARM.ch06.html#acl"
+><B
+CLASS="command"
+>acl</B
+> Statement Definition and
+Usage</A
+></DT
+><DT
+>6.2.3. <A
+HREF="Bv9ARM.ch06.html#AEN1463"
+><B
+CLASS="command"
+>controls</B
+> Statement Grammar</A
+></DT
+><DT
+>6.2.4. <A
+HREF="Bv9ARM.ch06.html#controls_statement_definition_and_usage"
+><B
+CLASS="command"
+>controls</B
+> Statement Definition and Usage</A
+></DT
+><DT
+>6.2.5. <A
+HREF="Bv9ARM.ch06.html#AEN1542"
+><B
+CLASS="command"
+>include</B
+> Statement Grammar</A
+></DT
+><DT
+>6.2.6. <A
+HREF="Bv9ARM.ch06.html#AEN1547"
+><B
+CLASS="command"
+>include</B
+> Statement Definition and Usage</A
+></DT
+><DT
+>6.2.7. <A
+HREF="Bv9ARM.ch06.html#AEN1554"
+><B
+CLASS="command"
+>key</B
+> Statement Grammar</A
+></DT
+><DT
+>6.2.8. <A
+HREF="Bv9ARM.ch06.html#AEN1561"
+><B
+CLASS="command"
+>key</B
+> Statement Definition and Usage</A
+></DT
+><DT
+>6.2.9. <A
+HREF="Bv9ARM.ch06.html#AEN1581"
+><B
+CLASS="command"
+>logging</B
+> Statement Grammar</A
+></DT
+><DT
+>6.2.10. <A
+HREF="Bv9ARM.ch06.html#AEN1621"
+><B
+CLASS="command"
+>logging</B
+> Statement Definition and Usage</A
+></DT
+><DT
+>6.2.11. <A
+HREF="Bv9ARM.ch06.html#AEN1887"
+><B
+CLASS="command"
+>lwres</B
+> Statement Grammar</A
+></DT
+><DT
+>6.2.12. <A
+HREF="Bv9ARM.ch06.html#AEN1911"
+><B
+CLASS="command"
+>lwres</B
+> Statement Definition and Usage</A
+></DT
+><DT
+>6.2.13. <A
+HREF="Bv9ARM.ch06.html#AEN1930"
+><B
+CLASS="command"
+>masters</B
+> Statement Grammar</A
+></DT
+><DT
+>6.2.14. <A
+HREF="Bv9ARM.ch06.html#AEN1945"
+><B
+CLASS="command"
+>masters</B
+> Statement Definition and Usage</A
+></DT
+><DT
+>6.2.15. <A
+HREF="Bv9ARM.ch06.html#AEN1950"
+><B
+CLASS="command"
+>options</B
+> Statement Grammar</A
+></DT
+><DT
+>6.2.16. <A
+HREF="Bv9ARM.ch06.html#options"
+><B
+CLASS="command"
+>options</B
+> Statement Definition and Usage</A
+></DT
+><DT
+>6.2.17. <A
+HREF="Bv9ARM.ch06.html#server_statement_grammar"
+><B
+CLASS="command"
+>server</B
+> Statement Grammar</A
+></DT
+><DT
+>6.2.18. <A
+HREF="Bv9ARM.ch06.html#server_statement_definition_and_usage"
+><B
+CLASS="command"
+>server</B
+> Statement Definition and Usage</A
+></DT
+><DT
+>6.2.19. <A
+HREF="Bv9ARM.ch06.html#AEN3394"
+><B
+CLASS="command"
+>trusted-keys</B
+> Statement Grammar</A
+></DT
+><DT
+>6.2.20. <A
+HREF="Bv9ARM.ch06.html#AEN3410"
+><B
+CLASS="command"
+>trusted-keys</B
+> Statement Definition
+and Usage</A
+></DT
+><DT
+>6.2.21. <A
+HREF="Bv9ARM.ch06.html#view_statement_grammar"
+><B
+CLASS="command"
+>view</B
+> Statement Grammar</A
+></DT
+><DT
+>6.2.22. <A
+HREF="Bv9ARM.ch06.html#AEN3432"
+><B
+CLASS="command"
+>view</B
+> Statement Definition and Usage</A
+></DT
+><DT
+>6.2.23. <A
+HREF="Bv9ARM.ch06.html#zone_statement_grammar"
+><B
+CLASS="command"
+>zone</B
+>
+Statement Grammar</A
+></DT
+><DT
+>6.2.24. <A
+HREF="Bv9ARM.ch06.html#AEN3606"
+><B
+CLASS="command"
+>zone</B
+> Statement Definition and Usage</A
+></DT
+></DL
+></DD
+><DT
+>6.3. <A
+HREF="Bv9ARM.ch06.html#AEN4008"
+>Zone File</A
+></DT
+><DD
+><DL
+><DT
+>6.3.1. <A
+HREF="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them"
+>Types of Resource Records and When to Use Them</A
+></DT
+><DT
+>6.3.2. <A
+HREF="Bv9ARM.ch06.html#AEN4328"
+>Discussion of MX Records</A
+></DT
+><DT
+>6.3.3. <A
+HREF="Bv9ARM.ch06.html#Setting_TTLs"
+>Setting TTLs</A
+></DT
+><DT
+>6.3.4. <A
+HREF="Bv9ARM.ch06.html#AEN4449"
+>Inverse Mapping in IPv4</A
+></DT
+><DT
+>6.3.5. <A
+HREF="Bv9ARM.ch06.html#AEN4476"
+>Other Zone File Directives</A
+></DT
+><DT
+>6.3.6. <A
+HREF="Bv9ARM.ch06.html#AEN4534"
+><SPAN
+CLASS="acronym"
+>BIND</SPAN
+> Master File Extension: the  <B
+CLASS="command"
+>$GENERATE</B
+> Directive</A
+></DT
+></DL
+></DD
+></DL
+></DD
+><DT
+>7. <A
+HREF="Bv9ARM.ch07.html"
+><SPAN
+CLASS="acronym"
+>BIND</SPAN
+> 9 Security Considerations</A
+></DT
+><DD
+><DL
+><DT
+>7.1. <A
+HREF="Bv9ARM.ch07.html#Access_Control_Lists"
+>Access Control Lists</A
+></DT
+><DT
+>7.2. <A
+HREF="Bv9ARM.ch07.html#AEN4651"
+><B
+CLASS="command"
+>chroot</B
+> and <B
+CLASS="command"
+>setuid</B
+> (for
+UNIX servers)</A
+></DT
+><DD
+><DL
+><DT
+>7.2.1. <A
+HREF="Bv9ARM.ch07.html#AEN4674"
+>The <B
+CLASS="command"
+>chroot</B
+> Environment</A
+></DT
+><DT
+>7.2.2. <A
+HREF="Bv9ARM.ch07.html#AEN4692"
+>Using the <B
+CLASS="command"
+>setuid</B
+> Function</A
+></DT
+></DL
+></DD
+><DT
+>7.3. <A
+HREF="Bv9ARM.ch07.html#dynamic_update_security"
+>Dynamic Update Security</A
+></DT
+></DL
+></DD
+><DT
+>8. <A
+HREF="Bv9ARM.ch08.html"
+>Troubleshooting</A
+></DT
+><DD
+><DL
+><DT
+>8.1. <A
+HREF="Bv9ARM.ch08.html#AEN4713"
+>Common Problems</A
+></DT
+><DD
+><DL
+><DT
+>8.1.1. <A
+HREF="Bv9ARM.ch08.html#AEN4715"
+>It's not working; how can I figure out what's wrong?</A
+></DT
+></DL
+></DD
+><DT
+>8.2. <A
+HREF="Bv9ARM.ch08.html#AEN4718"
+>Incrementing and Changing the Serial Number</A
+></DT
+><DT
+>8.3. <A
+HREF="Bv9ARM.ch08.html#AEN4723"
+>Where Can I Get Help?</A
+></DT
+></DL
+></DD
+><DT
+>A. <A
+HREF="Bv9ARM.ch09.html"
+>Appendices</A
+></DT
+><DD
+><DL
+><DT
+>A.1. <A
+HREF="Bv9ARM.ch09.html#AEN4739"
+>Acknowledgments</A
+></DT
+><DD
+><DL
+><DT
+>A.1.1. <A
+HREF="Bv9ARM.ch09.html#AEN4741"
+>A Brief History of the <SPAN
+CLASS="acronym"
+>DNS</SPAN
+> and <SPAN
+CLASS="acronym"
+>BIND</SPAN
+></A
+></DT
+></DL
+></DD
+><DT
+>A.2. <A
+HREF="Bv9ARM.ch09.html#historical_dns_information"
+>General <SPAN
+CLASS="acronym"
+>DNS</SPAN
+> Reference Information</A
+></DT
+><DD
+><DL
+><DT
+>A.2.1. <A
+HREF="Bv9ARM.ch09.html#ipv6addresses"
+>IPv6 addresses (AAAA)</A
+></DT
+></DL
+></DD
+><DT
+>A.3. <A
+HREF="Bv9ARM.ch09.html#bibliography"
+>Bibliography (and Suggested Reading)</A
+></DT
+><DD
+><DL
+><DT
+>A.3.1. <A
+HREF="Bv9ARM.ch09.html#rfcs"
+>Request for Comments (RFCs)</A
+></DT
+><DT
+>A.3.2. <A
+HREF="Bv9ARM.ch09.html#internet_drafts"
+>Internet Drafts</A
+></DT
+><DT
+>A.3.3. <A
+HREF="Bv9ARM.ch09.html#AEN5336"
+>Other Documents About <SPAN
+CLASS="acronym"
+>BIND</SPAN
+></A
+></DT
+></DL
+></DD
+></DL
+></DD
+></DL
+></DIV
+></DIV
+><DIV
+CLASS="NAVFOOTER"
+><HR
+ALIGN="LEFT"
+WIDTH="100%"><TABLE
+SUMMARY="Footer navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+>&nbsp;</TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+>&nbsp;</TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+><A
+HREF="Bv9ARM.ch01.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+>&nbsp;</TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+>&nbsp;</TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+>Introduction</TD
+></TR
+></TABLE
+></DIV
+></BODY
+></HTML
+>
\ No newline at end of file
diff --git a/doc/arm/Bv9ARM.pdf b/doc/arm/Bv9ARM.pdf
deleted file mode 100755
index eef8eefb..00000000
--- a/doc/arm/Bv9ARM.pdf
+++ /dev/null
@@ -1,8794 +0,0 @@
-%PDF-1.4
-5 0 obj
-<< /S /GoTo /D (chapter.1) >>
-endobj
-8 0 obj
-(1 Introduction)
-endobj
-9 0 obj
-<< /S /GoTo /D (section.1.1) >>
-endobj
-12 0 obj
-(1.1 Scope of Document)
-endobj
-13 0 obj
-<< /S /GoTo /D (section.1.2) >>
-endobj
-16 0 obj
-(1.2 Organization of This Document)
-endobj
-17 0 obj
-<< /S /GoTo /D (section.1.3) >>
-endobj
-20 0 obj
-(1.3 Conventions Used in This Document)
-endobj
-21 0 obj
-<< /S /GoTo /D (section.1.4) >>
-endobj
-24 0 obj
-(1.4 The Domain Name System \(DNS\))
-endobj
-25 0 obj
-<< /S /GoTo /D (subsection.1.4.1) >>
-endobj
-28 0 obj
-(1.4.1 DNS Fundamentals)
-endobj
-29 0 obj
-<< /S /GoTo /D (subsection.1.4.2) >>
-endobj
-32 0 obj
-(1.4.2 Domains and Domain Names)
-endobj
-33 0 obj
-<< /S /GoTo /D (subsection.1.4.3) >>
-endobj
-36 0 obj
-(1.4.3 Zones)
-endobj
-37 0 obj
-<< /S /GoTo /D (subsection.1.4.4) >>
-endobj
-40 0 obj
-(1.4.4 Authoritative Name Servers)
-endobj
-41 0 obj
-<< /S /GoTo /D (subsubsection.1.4.4.1) >>
-endobj
-44 0 obj
-(1.4.4.1 The Primary Master)
-endobj
-45 0 obj
-<< /S /GoTo /D (subsubsection.1.4.4.2) >>
-endobj
-48 0 obj
-(1.4.4.2 Slave Servers)
-endobj
-49 0 obj
-<< /S /GoTo /D (subsubsection.1.4.4.3) >>
-endobj
-52 0 obj
-(1.4.4.3 Stealth Servers)
-endobj
-53 0 obj
-<< /S /GoTo /D (subsection.1.4.5) >>
-endobj
-56 0 obj
-(1.4.5 Caching Name Servers)
-endobj
-57 0 obj
-<< /S /GoTo /D (subsubsection.1.4.5.1) >>
-endobj
-60 0 obj
-(1.4.5.1 Forwarding)
-endobj
-61 0 obj
-<< /S /GoTo /D (subsection.1.4.6) >>
-endobj
-64 0 obj
-(1.4.6 Name Servers in Multiple Roles)
-endobj
-65 0 obj
-<< /S /GoTo /D (chapter.2) >>
-endobj
-68 0 obj
-(2 BIND Resource Requirements)
-endobj
-69 0 obj
-<< /S /GoTo /D (section.2.1) >>
-endobj
-72 0 obj
-(2.1 Hardware requirements)
-endobj
-73 0 obj
-<< /S /GoTo /D (section.2.2) >>
-endobj
-76 0 obj
-(2.2 CPU Requirements)
-endobj
-77 0 obj
-<< /S /GoTo /D (section.2.3) >>
-endobj
-80 0 obj
-(2.3 Memory Requirements)
-endobj
-81 0 obj
-<< /S /GoTo /D (section.2.4) >>
-endobj
-84 0 obj
-(2.4 Nameserver Intensive Environment Issues)
-endobj
-85 0 obj
-<< /S /GoTo /D (section.2.5) >>
-endobj
-88 0 obj
-(2.5 Supported Operating Systems)
-endobj
-89 0 obj
-<< /S /GoTo /D (chapter.3) >>
-endobj
-92 0 obj
-(3 Nameserver Configuration)
-endobj
-93 0 obj
-<< /S /GoTo /D (section.3.1) >>
-endobj
-96 0 obj
-(3.1 Sample Configurations)
-endobj
-97 0 obj
-<< /S /GoTo /D (subsection.3.1.1) >>
-endobj
-100 0 obj
-(3.1.1 A Caching-only Nameserver)
-endobj
-101 0 obj
-<< /S /GoTo /D (subsection.3.1.2) >>
-endobj
-104 0 obj
-(3.1.2 An Authoritative-only Nameserver)
-endobj
-105 0 obj
-<< /S /GoTo /D (section.3.2) >>
-endobj
-108 0 obj
-(3.2 Load Balancing)
-endobj
-109 0 obj
-<< /S /GoTo /D (section.3.3) >>
-endobj
-112 0 obj
-(3.3 Notify)
-endobj
-113 0 obj
-<< /S /GoTo /D (section.3.4) >>
-endobj
-116 0 obj
-(3.4 Nameserver Operations)
-endobj
-117 0 obj
-<< /S /GoTo /D (subsection.3.4.1) >>
-endobj
-120 0 obj
-(3.4.1 Tools for Use With the Nameserver Daemon)
-endobj
-121 0 obj
-<< /S /GoTo /D (subsubsection.3.4.1.1) >>
-endobj
-124 0 obj
-(3.4.1.1 Diagnostic Tools)
-endobj
-125 0 obj
-<< /S /GoTo /D (subsubsection.3.4.1.2) >>
-endobj
-128 0 obj
-(3.4.1.2 Administrative Tools)
-endobj
-129 0 obj
-<< /S /GoTo /D (subsection.3.4.2) >>
-endobj
-132 0 obj
-(3.4.2 Signals)
-endobj
-133 0 obj
-<< /S /GoTo /D (chapter.4) >>
-endobj
-136 0 obj
-(4 Advanced Concepts)
-endobj
-137 0 obj
-<< /S /GoTo /D (section.4.1) >>
-endobj
-140 0 obj
-(4.1 Dynamic Update)
-endobj
-141 0 obj
-<< /S /GoTo /D (subsection.4.1.1) >>
-endobj
-144 0 obj
-(4.1.1 The journal file)
-endobj
-145 0 obj
-<< /S /GoTo /D (section.4.2) >>
-endobj
-148 0 obj
-(4.2 Incremental Zone Transfers \(IXFR\))
-endobj
-149 0 obj
-<< /S /GoTo /D (section.4.3) >>
-endobj
-152 0 obj
-(4.3 Split DNS)
-endobj
-153 0 obj
-<< /S /GoTo /D (subsection.4.3.1) >>
-endobj
-156 0 obj
-(4.3.1 Example split DNS setup)
-endobj
-157 0 obj
-<< /S /GoTo /D (section.4.4) >>
-endobj
-160 0 obj
-(4.4 TSIG)
-endobj
-161 0 obj
-<< /S /GoTo /D (subsection.4.4.1) >>
-endobj
-164 0 obj
-(4.4.1 Generate Shared Keys for Each Pair of Hosts)
-endobj
-165 0 obj
-<< /S /GoTo /D (subsubsection.4.4.1.1) >>
-endobj
-168 0 obj
-(4.4.1.1 Automatic Generation)
-endobj
-169 0 obj
-<< /S /GoTo /D (subsubsection.4.4.1.2) >>
-endobj
-172 0 obj
-(4.4.1.2 Manual Generation)
-endobj
-173 0 obj
-<< /S /GoTo /D (subsection.4.4.2) >>
-endobj
-176 0 obj
-(4.4.2 Copying the Shared Secret to Both Machines)
-endobj
-177 0 obj
-<< /S /GoTo /D (subsection.4.4.3) >>
-endobj
-180 0 obj
-(4.4.3 Informing the Servers of the Key's Existence)
-endobj
-181 0 obj
-<< /S /GoTo /D (subsection.4.4.4) >>
-endobj
-184 0 obj
-(4.4.4 Instructing the Server to Use the Key)
-endobj
-185 0 obj
-<< /S /GoTo /D (subsection.4.4.5) >>
-endobj
-188 0 obj
-(4.4.5 TSIG Key Based Access Control)
-endobj
-189 0 obj
-<< /S /GoTo /D (subsection.4.4.6) >>
-endobj
-192 0 obj
-(4.4.6 Errors)
-endobj
-193 0 obj
-<< /S /GoTo /D (section.4.5) >>
-endobj
-196 0 obj
-(4.5 TKEY)
-endobj
-197 0 obj
-<< /S /GoTo /D (section.4.6) >>
-endobj
-200 0 obj
-(4.6 SIG\(0\))
-endobj
-201 0 obj
-<< /S /GoTo /D (section.4.7) >>
-endobj
-204 0 obj
-(4.7 DNSSEC)
-endobj
-205 0 obj
-<< /S /GoTo /D (subsection.4.7.1) >>
-endobj
-208 0 obj
-(4.7.1 Generating Keys)
-endobj
-209 0 obj
-<< /S /GoTo /D (subsection.4.7.2) >>
-endobj
-212 0 obj
-(4.7.2 Creating a Keyset)
-endobj
-213 0 obj
-<< /S /GoTo /D (subsection.4.7.3) >>
-endobj
-216 0 obj
-(4.7.3 Signing the Child's Keyset)
-endobj
-217 0 obj
-<< /S /GoTo /D (subsection.4.7.4) >>
-endobj
-220 0 obj
-(4.7.4 Signing the Zone)
-endobj
-221 0 obj
-<< /S /GoTo /D (subsection.4.7.5) >>
-endobj
-224 0 obj
-(4.7.5 Configuring Servers)
-endobj
-225 0 obj
-<< /S /GoTo /D (section.4.8) >>
-endobj
-228 0 obj
-(4.8 IPv6 Support in BIND 9)
-endobj
-229 0 obj
-<< /S /GoTo /D (subsection.4.8.1) >>
-endobj
-232 0 obj
-(4.8.1 Address Lookups Using AAAA Records)
-endobj
-233 0 obj
-<< /S /GoTo /D (subsection.4.8.2) >>
-endobj
-236 0 obj
-(4.8.2 Address to Name Lookups Using Nibble Format)
-endobj
-237 0 obj
-<< /S /GoTo /D (chapter.5) >>
-endobj
-240 0 obj
-(5 The BIND 9 Lightweight Resolver)
-endobj
-241 0 obj
-<< /S /GoTo /D (section.5.1) >>
-endobj
-244 0 obj
-(5.1 The Lightweight Resolver Library)
-endobj
-245 0 obj
-<< /S /GoTo /D (section.5.2) >>
-endobj
-248 0 obj
-(5.2 Running a Resolver Daemon)
-endobj
-249 0 obj
-<< /S /GoTo /D (chapter.6) >>
-endobj
-252 0 obj
-(6 BIND 9 Configuration Reference)
-endobj
-253 0 obj
-<< /S /GoTo /D (section.6.1) >>
-endobj
-256 0 obj
-(6.1 Configuration File Elements)
-endobj
-257 0 obj
-<< /S /GoTo /D (subsection.6.1.1) >>
-endobj
-260 0 obj
-(6.1.1 Address Match Lists)
-endobj
-261 0 obj
-<< /S /GoTo /D (subsubsection.6.1.1.1) >>
-endobj
-264 0 obj
-(6.1.1.1 Syntax)
-endobj
-265 0 obj
-<< /S /GoTo /D (subsubsection.6.1.1.2) >>
-endobj
-268 0 obj
-(6.1.1.2 Definition and Usage)
-endobj
-269 0 obj
-<< /S /GoTo /D (subsection.6.1.2) >>
-endobj
-272 0 obj
-(6.1.2 Comment Syntax)
-endobj
-273 0 obj
-<< /S /GoTo /D (subsubsection.6.1.2.1) >>
-endobj
-276 0 obj
-(6.1.2.1 Syntax)
-endobj
-277 0 obj
-<< /S /GoTo /D (subsubsection.6.1.2.2) >>
-endobj
-280 0 obj
-(6.1.2.2 Definition and Usage)
-endobj
-281 0 obj
-<< /S /GoTo /D (section.6.2) >>
-endobj
-284 0 obj
-(6.2 Configuration File Grammar)
-endobj
-285 0 obj
-<< /S /GoTo /D (subsection.6.2.1) >>
-endobj
-288 0 obj
-(6.2.1 acl Statement Grammar)
-endobj
-289 0 obj
-<< /S /GoTo /D (subsection.6.2.2) >>
-endobj
-292 0 obj
-(6.2.2 acl Statement Definition and Usage)
-endobj
-293 0 obj
-<< /S /GoTo /D (subsection.6.2.3) >>
-endobj
-296 0 obj
-(6.2.3 controls Statement Grammar)
-endobj
-297 0 obj
-<< /S /GoTo /D (subsection.6.2.4) >>
-endobj
-300 0 obj
-(6.2.4 controls Statement Definition and Usage)
-endobj
-301 0 obj
-<< /S /GoTo /D (subsection.6.2.5) >>
-endobj
-304 0 obj
-(6.2.5 include Statement Grammar)
-endobj
-305 0 obj
-<< /S /GoTo /D (subsection.6.2.6) >>
-endobj
-308 0 obj
-(6.2.6 include Statement Definition and Usage)
-endobj
-309 0 obj
-<< /S /GoTo /D (subsection.6.2.7) >>
-endobj
-312 0 obj
-(6.2.7 key Statement Grammar)
-endobj
-313 0 obj
-<< /S /GoTo /D (subsection.6.2.8) >>
-endobj
-316 0 obj
-(6.2.8 key Statement Definition and Usage)
-endobj
-317 0 obj
-<< /S /GoTo /D (subsection.6.2.9) >>
-endobj
-320 0 obj
-(6.2.9 logging Statement Grammar)
-endobj
-321 0 obj
-<< /S /GoTo /D (subsection.6.2.10) >>
-endobj
-324 0 obj
-(6.2.10 logging Statement Definition and Usage)
-endobj
-325 0 obj
-<< /S /GoTo /D (subsubsection.6.2.10.1) >>
-endobj
-328 0 obj
-(6.2.10.1 The channel Phrase)
-endobj
-329 0 obj
-<< /S /GoTo /D (subsubsection.6.2.10.2) >>
-endobj
-332 0 obj
-(6.2.10.2 The category Phrase)
-endobj
-333 0 obj
-<< /S /GoTo /D (subsection.6.2.11) >>
-endobj
-336 0 obj
-(6.2.11 lwres Statement Grammar)
-endobj
-337 0 obj
-<< /S /GoTo /D (subsection.6.2.12) >>
-endobj
-340 0 obj
-(6.2.12 lwres Statement Definition and Usage)
-endobj
-341 0 obj
-<< /S /GoTo /D (subsection.6.2.13) >>
-endobj
-344 0 obj
-(6.2.13 options Statement Grammar)
-endobj
-345 0 obj
-<< /S /GoTo /D (subsection.6.2.14) >>
-endobj
-348 0 obj
-(6.2.14 options Statement Definition and Usage)
-endobj
-349 0 obj
-<< /S /GoTo /D (subsubsection.6.2.14.1) >>
-endobj
-352 0 obj
-(6.2.14.1 Boolean Options)
-endobj
-353 0 obj
-<< /S /GoTo /D (subsubsection.6.2.14.2) >>
-endobj
-356 0 obj
-(6.2.14.2 Forwarding)
-endobj
-357 0 obj
-<< /S /GoTo /D (subsubsection.6.2.14.3) >>
-endobj
-360 0 obj
-(6.2.14.3 Access Control)
-endobj
-361 0 obj
-<< /S /GoTo /D (subsubsection.6.2.14.4) >>
-endobj
-364 0 obj
-(6.2.14.4 Interfaces)
-endobj
-365 0 obj
-<< /S /GoTo /D (subsubsection.6.2.14.5) >>
-endobj
-368 0 obj
-(6.2.14.5 Query Address)
-endobj
-369 0 obj
-<< /S /GoTo /D (subsubsection.6.2.14.6) >>
-endobj
-372 0 obj
-(6.2.14.6 Zone Transfers)
-endobj
-373 0 obj
-<< /S /GoTo /D (subsubsection.6.2.14.7) >>
-endobj
-376 0 obj
-(6.2.14.7 Operating System Resource Limits)
-endobj
-377 0 obj
-<< /S /GoTo /D (subsubsection.6.2.14.8) >>
-endobj
-380 0 obj
-(6.2.14.8 Server Resource Limits)
-endobj
-381 0 obj
-<< /S /GoTo /D (subsubsection.6.2.14.9) >>
-endobj
-384 0 obj
-(6.2.14.9 Periodic Task Intervals)
-endobj
-385 0 obj
-<< /S /GoTo /D (subsubsection.6.2.14.10) >>
-endobj
-388 0 obj
-(6.2.14.10 Topology)
-endobj
-389 0 obj
-<< /S /GoTo /D (subsubsection.6.2.14.11) >>
-endobj
-392 0 obj
-(6.2.14.11 The sortlist Statement)
-endobj
-393 0 obj
-<< /S /GoTo /D (subsubsection.6.2.14.12) >>
-endobj
-396 0 obj
-(6.2.14.12 RRset Ordering)
-endobj
-397 0 obj
-<< /S /GoTo /D (subsubsection.6.2.14.13) >>
-endobj
-400 0 obj
-(6.2.14.13 Synthetic IPv6 responses)
-endobj
-401 0 obj
-<< /S /GoTo /D (subsubsection.6.2.14.14) >>
-endobj
-404 0 obj
-(6.2.14.14 Tuning)
-endobj
-405 0 obj
-<< /S /GoTo /D (subsubsection.6.2.14.15) >>
-endobj
-408 0 obj
-(6.2.14.15 The Statistics File)
-endobj
-409 0 obj
-<< /S /GoTo /D (subsection.6.2.15) >>
-endobj
-412 0 obj
-(6.2.15 server Statement Grammar)
-endobj
-413 0 obj
-<< /S /GoTo /D (subsection.6.2.16) >>
-endobj
-416 0 obj
-(6.2.16 server Statement Definition and Usage)
-endobj
-417 0 obj
-<< /S /GoTo /D (subsection.6.2.17) >>
-endobj
-420 0 obj
-(6.2.17 trusted-keys Statement Grammar)
-endobj
-421 0 obj
-<< /S /GoTo /D (subsection.6.2.18) >>
-endobj
-424 0 obj
-(6.2.18 trusted-keys Statement Definition and Usage)
-endobj
-425 0 obj
-<< /S /GoTo /D (subsection.6.2.19) >>
-endobj
-428 0 obj
-(6.2.19 view Statement Grammar)
-endobj
-429 0 obj
-<< /S /GoTo /D (subsection.6.2.20) >>
-endobj
-432 0 obj
-(6.2.20 view Statement Definition and Usage)
-endobj
-433 0 obj
-<< /S /GoTo /D (subsection.6.2.21) >>
-endobj
-436 0 obj
-(6.2.21 zone Statement Grammar)
-endobj
-437 0 obj
-<< /S /GoTo /D (subsection.6.2.22) >>
-endobj
-440 0 obj
-(6.2.22 zone Statement Definition and Usage)
-endobj
-441 0 obj
-<< /S /GoTo /D (subsubsection.6.2.22.1) >>
-endobj
-444 0 obj
-(6.2.22.1 Zone Types)
-endobj
-445 0 obj
-<< /S /GoTo /D (subsubsection.6.2.22.2) >>
-endobj
-448 0 obj
-(6.2.22.2 Class)
-endobj
-449 0 obj
-<< /S /GoTo /D (subsubsection.6.2.22.3) >>
-endobj
-452 0 obj
-(6.2.22.3 Zone Options)
-endobj
-453 0 obj
-<< /S /GoTo /D (subsubsection.6.2.22.4) >>
-endobj
-456 0 obj
-(6.2.22.4 Dynamic Update Policies)
-endobj
-457 0 obj
-<< /S /GoTo /D (section.6.3) >>
-endobj
-460 0 obj
-(6.3 Zone File)
-endobj
-461 0 obj
-<< /S /GoTo /D (subsection.6.3.1) >>
-endobj
-464 0 obj
-(6.3.1 Types of Resource Records and When to Use Them)
-endobj
-465 0 obj
-<< /S /GoTo /D (subsubsection.6.3.1.1) >>
-endobj
-468 0 obj
-(6.3.1.1 Resource Records)
-endobj
-469 0 obj
-<< /S /GoTo /D (subsubsection.6.3.1.2) >>
-endobj
-472 0 obj
-(6.3.1.2 Textual expression of RRs)
-endobj
-473 0 obj
-<< /S /GoTo /D (subsection.6.3.2) >>
-endobj
-476 0 obj
-(6.3.2 Discussion of MX Records)
-endobj
-477 0 obj
-<< /S /GoTo /D (subsection.6.3.3) >>
-endobj
-480 0 obj
-(6.3.3 Setting TTLs)
-endobj
-481 0 obj
-<< /S /GoTo /D (subsection.6.3.4) >>
-endobj
-484 0 obj
-(6.3.4 Inverse Mapping in IPv4)
-endobj
-485 0 obj
-<< /S /GoTo /D (subsection.6.3.5) >>
-endobj
-488 0 obj
-(6.3.5 Other Zone File Directives)
-endobj
-489 0 obj
-<< /S /GoTo /D (subsubsection.6.3.5.1) >>
-endobj
-492 0 obj
-(6.3.5.1 The \044ORIGIN Directive)
-endobj
-493 0 obj
-<< /S /GoTo /D (subsubsection.6.3.5.2) >>
-endobj
-496 0 obj
-(6.3.5.2 The \044INCLUDE Directive)
-endobj
-497 0 obj
-<< /S /GoTo /D (subsubsection.6.3.5.3) >>
-endobj
-500 0 obj
-(6.3.5.3 The \044TTL Directive)
-endobj
-501 0 obj
-<< /S /GoTo /D (subsection.6.3.6) >>
-endobj
-504 0 obj
-(6.3.6 BIND Master File Extension: the \044GENERATE Directive)
-endobj
-505 0 obj
-<< /S /GoTo /D (chapter.7) >>
-endobj
-508 0 obj
-(7 BIND 9 Security Considerations)
-endobj
-509 0 obj
-<< /S /GoTo /D (section.7.1) >>
-endobj
-512 0 obj
-(7.1 Access Control Lists)
-endobj
-513 0 obj
-<< /S /GoTo /D (section.7.2) >>
-endobj
-516 0 obj
-(7.2 Chroot and Setuid \(for UNIX servers\))
-endobj
-517 0 obj
-<< /S /GoTo /D (subsection.7.2.1) >>
-endobj
-520 0 obj
-(7.2.1 The chroot Environment)
-endobj
-521 0 obj
-<< /S /GoTo /D (subsection.7.2.2) >>
-endobj
-524 0 obj
-(7.2.2 Using the setuid Function)
-endobj
-525 0 obj
-<< /S /GoTo /D (section.7.3) >>
-endobj
-528 0 obj
-(7.3 Dynamic Update Security)
-endobj
-529 0 obj
-<< /S /GoTo /D (chapter.8) >>
-endobj
-532 0 obj
-(8 Troubleshooting)
-endobj
-533 0 obj
-<< /S /GoTo /D (section.8.1) >>
-endobj
-536 0 obj
-(8.1 Common Problems)
-endobj
-537 0 obj
-<< /S /GoTo /D (subsection.8.1.1) >>
-endobj
-540 0 obj
-(8.1.1 It's not working; how can I figure out what's wrong?)
-endobj
-541 0 obj
-<< /S /GoTo /D (section.8.2) >>
-endobj
-544 0 obj
-(8.2 Incrementing and Changing the Serial Number)
-endobj
-545 0 obj
-<< /S /GoTo /D (section.8.3) >>
-endobj
-548 0 obj
-(8.3 Where Can I Get Help?)
-endobj
-549 0 obj
-<< /S /GoTo /D (appendix.A) >>
-endobj
-552 0 obj
-(A Appendices)
-endobj
-553 0 obj
-<< /S /GoTo /D (section.A.1) >>
-endobj
-556 0 obj
-(A.1 Acknowledgements)
-endobj
-557 0 obj
-<< /S /GoTo /D (subsection.A.1.1) >>
-endobj
-560 0 obj
-(A.1.1 A Brief History of the DNS and BIND)
-endobj
-561 0 obj
-<< /S /GoTo /D (section.A.2) >>
-endobj
-564 0 obj
-(A.2 Historical DNS Information)
-endobj
-565 0 obj
-<< /S /GoTo /D (subsection.A.2.1) >>
-endobj
-568 0 obj
-(A.2.1 Classes of Resource Records)
-endobj
-569 0 obj
-<< /S /GoTo /D (subsubsection.A.2.1.1) >>
-endobj
-572 0 obj
-(A.2.1.1 HS = hesiod)
-endobj
-573 0 obj
-<< /S /GoTo /D (subsubsection.A.2.1.2) >>
-endobj
-576 0 obj
-(A.2.1.2 CH = chaos)
-endobj
-577 0 obj
-<< /S /GoTo /D (section.A.3) >>
-endobj
-580 0 obj
-(A.3 General DNS Reference Information)
-endobj
-581 0 obj
-<< /S /GoTo /D (subsection.A.3.1) >>
-endobj
-584 0 obj
-(A.3.1 IPv6 addresses \(A6\))
-endobj
-585 0 obj
-<< /S /GoTo /D (section.A.4) >>
-endobj
-588 0 obj
-(A.4 Bibliography \(and Suggested Reading\))
-endobj
-589 0 obj
-<< /S /GoTo /D (subsection.A.4.1) >>
-endobj
-592 0 obj
-(A.4.1 Request for Comments \(RFCs\))
-endobj
-593 0 obj
-<< /S /GoTo /D (subsection.A.4.2) >>
-endobj
-596 0 obj
-(A.4.2 Internet Drafts)
-endobj
-597 0 obj
-<< /S /GoTo /D (subsection.A.4.3) >>
-endobj
-600 0 obj
-(A.4.3 Other Documents About BIND)
-endobj
-601 0 obj
-<< /S /GoTo /D [602 0 R  /FitH ] >>
-endobj
-604 0 obj <<
-/Length 221       
-/Filter /FlateDecode
->>
-stream
-xÚ��MKA†ïû+rlÁ‰“¯�™c‹(èAæ&–v[
-v…íîÿw¶«EЃä’<ÉK^_‚ zI
-!)š'ƒÍ±ò°/³ûŠ¾5AS‘Rü1u’£JÇ1¢YÍ?±_8©b�˜À™7Låø„¯su}§�ÉòHö.o_ë‡ç›¥có‹4§Õöx觡o†�~n½´»¶o»M;—OM76ïË·üX$ˆ0™ñY‚S
-
\T¬#ÛYb5îÇÓ0ïÖWsfïÃt¡ºÍ—W¾½ÃÉ�;÷	SQÞendstream
-endobj
-602 0 obj <<
-/Type /Page
-/Contents 604 0 R
-/Resources 603 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 613 0 R
->> endobj
-605 0 obj <<
-/D [602 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-606 0 obj <<
-/D [602 0 R /XYZ 85.0394 769.5949 null]
->> endobj
-603 0 obj <<
-/Font << /F42 609 0 R /F43 612 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-616 0 obj <<
-/Length 309       
-/Filter /FlateDecode
->>
-stream
-xÚµ’MOÂ@†ïý{¤	æc?Ø«D^éM<,È
j Æðï�M…VDãÅìaßÉ<™�ywÈ 2΃�Mˆ’3Ëm†f­¹»Œ>ëœÑàJ¶°(@U‰…±VëSßhÂ
-endobj
-615 0 obj <<
-/Type /Page
-/Contents 616 0 R
-/Resources 614 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 613 0 R
->> endobj
-617 0 obj <<
-/D [615 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-614 0 obj <<
-/Font << /F43 612 0 R /F14 620 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-623 0 obj <<
-/Length 2200      
-/Filter /FlateDecode
->>
-stream
-xÚÝYÝ�ã¶÷_áG-pfù)‘y¼»¦¸ ¸¢Ý
ò�æA–¸¶p²äèc7Î_ß!‡Ôʶ|wé-РX`M�†äpæ7¿ÚlMá�­µ"T¹ÎŒ$Š2µ.+ºÞÁ»¿­XБJ%…€‡…·%4QšgëÍ|‘·«¿|/ùšS’¦\­§½ÒL#¤Y?”?'ïöùq°Ý݆+š°»_~Ài’d:cn…-ÉÕ~‡fèÚr,†ªm‚ºXbRžFí悹Nûaoai�ºi¶kì€OïÛC^58þ˜‚Îý©ì
Çÿ¦Š¾ÿxÌ	²¤h›¾ê‡_·�ø9ÄõûS3ä¿adG[T�§Íö»XÅ6C5T(Í’êŽ%
Ý$8£;cÄ(Å£Âa§‰;ˆà,Éñq_Ù.ïî˜NŠ}Uä5JyÓ€›3™¼
�Ðh�{ÓÝéd¬Ýæn‘±·%ÊÛ¥­í.ªfö‡}ÛU˜yBIûdƒ®?\Ø!oÂJa+Nò>;ó'ªÇÚÀ¹�놃¡Ã>wáÊT’Ø×õ	å‡üØã(ºT¼ÏA4‹³›X–Þ¶ïmOÀ-ˆ*ª–ù�£ZÕÇ•+° jœܳ‡ˆ[w~­v<¢¢·›@ÒUÛqð‹¨¥x8©Û|›{«"æ™$B¦< XRÂS�˜g@È(¥É}Ñ-®àÁŸïÛbtž[N®Iš™³d É[Û}‚ zš³Ô 1@þ’$Ô§ÃÛ߇|€·SÄzÔÈñ£Œ“@¥	™E“Þv"Nêqg8­ñ°µA„	
ŸGë=¶Yòp€"W"
-ìWi&‚:°Bê˜'^¿«ÅM6�ÌS•“!•‚=çDP�
-{"œÙÆ©!™’Ù’uü¦u<¨C–À`Ñ°ÆvD´'Š	~ŽhÔýu¬p0ÑÔõËMÓ`
-ÃsÀŒ�kLò”wU;†y¶yÂÅÚƯ©.y±šg-N¾öƒà)‘B_ùÁMË~àÊè¥~aIF	¥1ŽCÞÚ@)Àí¯×S’h#Ìõ`êУ¥`D%Ï}xŸCÍß@ùò¸AëÕ<þmxõ86þ€¾T2Æ\©ç&¤¼Ï«ç¢%‘¥@ÀØã$b‰/Dk6#†Mxî
Áœ{\�¨öõf¡ÖŸ{Í»¤ŸGO¨
2uÝ>G•íi))…^O±¥
-ȃ�̼ÝÙ0£	s�ðy)›“¯K·Hô„ƒÆúNRý1¾›j.öb )l7øzëÚ£;ý2#¤ÐP‹”]3Bš¨Œ`„Xb„4RU:c#ƒ‚ºÚí‡gëþš ŠnäMômý„-©«ßYú“ŒûØ¢â�lµ.ƒKJ!¯8ØMH—‚C–E2x)“Ùu2�([WaEß­°`ú#¶'
-R¥£¤^ݯþù_ΊvÌš„›à<
-k…aõùR›x¦
séD5›¾‘º€³ Lx’n;¾u
-7•Xù®Ü&¸" §×ó-¾ÍêiÉ/˜- m”.§ÏÌþéxñ&\úáT_B¹þ8Uê!9\=(´X›0÷'ü!þgŠ3n‰‘#^¾à‹prm¦D¶É]+,á>ìÝ×!Žn¥€{=åµ�<ùñ_ƒšû¶fšÀku¬n_Ô@¤Ý ï/ÀáŠßØç
-B·€ójæþYpÃÝ]KÝ‚ˆŒËùoW¿
rOÁ@¨0_k½øCaüýo#q?'.¢G@
-Nå:(¹(ˆ+·ÇŸ_VŠ»ý‡úøendstream
-endobj
-622 0 obj <<
-/Type /Page
-/Contents 623 0 R
-/Resources 621 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 613 0 R
->> endobj
-624 0 obj <<
-/D [622 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-6 0 obj <<
-/D [622 0 R /XYZ 85.0394 769.5949 null]
->> endobj
-625 0 obj <<
-/D [622 0 R /XYZ 85.0394 582.8476 null]
->> endobj
-10 0 obj <<
-/D [622 0 R /XYZ 85.0394 512.9824 null]
->> endobj
-626 0 obj <<
-/D [622 0 R /XYZ 85.0394 474.7837 null]
->> endobj
-14 0 obj <<
-/D [622 0 R /XYZ 85.0394 399.5462 null]
->> endobj
-627 0 obj <<
-/D [622 0 R /XYZ 85.0394 363.8828 null]
->> endobj
-18 0 obj <<
-/D [622 0 R /XYZ 85.0394 223.0066 null]
->> endobj
-631 0 obj <<
-/D [622 0 R /XYZ 85.0394 190.9009 null]
->> endobj
-632 0 obj <<
-/D [622 0 R /XYZ 85.0394 170.4169 null]
->> endobj
-633 0 obj <<
-/D [622 0 R /XYZ 85.0394 158.4617 null]
->> endobj
-621 0 obj <<
-/Font << /F42 609 0 R /F43 612 0 R /F56 630 0 R /F57 636 0 R /F58 639 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-642 0 obj <<
-/Length 3086      
-/Filter /FlateDecode
->>
-stream
-xÚÍÙ’ÛÆñ}¿‚�Ü*™ƒ
ò&ëˆ×U^9S®ÄöH¹(�
-¡vÇCŽ‚ü…*Ý_/Eš¤Q"PÇQô“LUYa/dúŸí
-tˆE”ó;Ð>
g1vŒ�ZžV«ÈȸחIú²q”¥vfu¶$R×­”r^e¾™-dª´žÿ|«Ä@Eòo»§	ùÆ™�2™á==-ÿw(G
oñ"0%"càìISðúb{‰}tO§ÚÛî¦EÞAÈv°E)K7
-¿úmñ-;bþs±éž—’ýÉÅ%
-¹‹s²»bðƒ&Ô4%HÖ§¾Q
-.; –'H6q¤bø#�†•ÓÐ…^è€#IÀRh@U”nJ²³†Iö�
-áI ÇT¹‚ëªä ¼
-�Žª€(Dð©€Üš�Yѱ«køåW¯Éð&#õ[|—Zf�zçû¦ô‰¬¶ä²�÷ÉØbÚú=J„U”Þ ”óHNPaßkßäÕ”›SF!ÁhÞŒ®¿«ÖÑ´£SVÞ²®�å†î[¹‰â=†P€¬àô¬(#f2²&ŽÏP$uÿòÉ2�Œ„�#M�0‡x;v :U¶§rê*	 H'hÝ2KIlP*‚i5„)Ý#Z‚A~aMë(E¹&AÆP�j|]}< Ž¾Â¾”&2q"˜b]íÚÇkô¤"pȧNœë(•½Ç
\æD{{\�}0¸ÌÔF6Žã±€Ç9Á�ÄDâ+OàÅ9˜ÐÏ�6Že5ÅM<”iÑ^4«¾ˆ¾ê{á›™�RƒMþëG˜ˆ«àˆ8.¨[|©å§•„ûj¡eÐç‰÷
-.#„ÎÞبZ˜2×4Š¡~¿€¾¦ÁÇО°Ìð?U
Ì@>Ö]˜ð.q°ÍÞ2™N˜v'�Ô¾%@Q»îêu]N7à}UÏ`¼‚Œdf.Þ)À¦œŽ#”·m½.8äÂoŒ‹±:ìÙƒ"ÌÈ+Æ‘2Ï+»pg
-ק
UYÈ6d¦&³«äÜð•ÖÆy¿Q”T‰Ù‹V_ôG%ȾØU\Ím§«Mîùrîjjø
-ØQìÑ‘ä£;¾êvˆ!�æx�À¦Ø"[­Õšo^¹îä°>ÃESq.I”&JÒŽ©¬CBªjå°öÜ�¾¶„ê|º®þ7ã8�£×ýe“ßìG÷r æ2àšÐæ¯�mé{˜ÜYŒµÏp
ÅTÜYðI9ýlêšûÿˆÚ¸Ò킃ȨcŠxxÆS�á¶Äȧ¡ÐôØp—ÁB/³%<���Wüh3ñαÛWìŽÀµ<Êx$º‹yÇHÊx“sÿ¶µˆìûJ8ÃiÒ¨½š&$5&˜£Ç>ä|ɺ†±Ò ïÉe9ô˱
Ûïî+¤ËwÑQÚÆÇSG�Á¡èB§œŸñpÕ ç‰K}¯ÀžMîè@¢ÈÙà¹k`¨5
-ûÖîÐõëYÉtÌ©â®+g»aQŸÔo
-?¹®]Ó=÷9ÚDøÏ4¾L̾úEù[ÿgçü¯KP3@þ¯žqŠ)ö‰tOª!¾"<üoÏ5åÿôŠL—endstream
-endobj
-641 0 obj <<
-/Type /Page
-/Contents 642 0 R
-/Resources 640 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 613 0 R
-/Annots [ 652 0 R 653 0 R ]
->> endobj
-652 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [272.8897 210.0781 329.1084 222.1378]
-/Subtype /Link
-/A << /S /GoTo /D (types_of_resource_records_and_when_to_use_them) >>
->> endobj
-653 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [190.6691 182.1322 249.6573 191.5418]
-/Subtype /Link
-/A << /S /GoTo /D (rfcs) >>
->> endobj
-643 0 obj <<
-/D [641 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-647 0 obj <<
-/D [641 0 R /XYZ 56.6929 756.8229 null]
->> endobj
-648 0 obj <<
-/D [641 0 R /XYZ 56.6929 744.8677 null]
->> endobj
-22 0 obj <<
-/D [641 0 R /XYZ 56.6929 649.0335 null]
->> endobj
-649 0 obj <<
-/D [641 0 R /XYZ 56.6929 609.5205 null]
->> endobj
-26 0 obj <<
-/D [641 0 R /XYZ 56.6929 551.1302 null]
->> endobj
-650 0 obj <<
-/D [641 0 R /XYZ 56.6929 525.7505 null]
->> endobj
-30 0 obj <<
-/D [641 0 R /XYZ 56.6929 421.2082 null]
->> endobj
-651 0 obj <<
-/D [641 0 R /XYZ 56.6929 395.8284 null]
->> endobj
-34 0 obj <<
-/D [641 0 R /XYZ 56.6929 166.2827 null]
->> endobj
-654 0 obj <<
-/D [641 0 R /XYZ 56.6929 138.253 null]
->> endobj
-640 0 obj <<
-/Font << /F61 646 0 R /F43 612 0 R /F56 630 0 R /F57 636 0 R /F42 609 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-659 0 obj <<
-/Length 3447      
-/Filter /FlateDecode
->>
-stream
-xÚ¥ZKsã6¾ûWè¹jÍàA€äÑÉÌl&U3“+µ•Jr $Úb™"‘´ãüúíHJ¢g’Úò�Ph4ýøа^(øÓ‹ÔEÊfñ"ÉâÈ)í›ý•Z<@ß¿¯´Œ¹	ƒn¦£¾[]}ûÎëEeÞøÅê~Â+�TšêÅjûëòûnZ½ý|}cœZêèúÆyµ|ÿqõùÓ›Ÿ¿_½ÿôñúFkŸ`_,½«Þòð7Ÿ>ܾÿÈí�·„z÷ËÝêínÿ¦œzóñ>úú÷Õ�WoWƒÔÓ�ieQä?®~ý]-¶°Á¯Td³Ô-žá‡Št–™Åþ*v6r±µ�R]Ý]ýg`8饩sšr6�\j’UÅvNU.‹¼5–TÕ횶€}™lù¼+7;l¦Ëüx­Ó¥Ð·EU<ä]±å¾®arÓíŠ#“þjê¢EZe—·'“ʦæ!‡¦¬;î*[&íóã#3Í–ë¦
#á.¬÷�ˆšþö�ó“ýØÔDÚ8ZÀ�|¼ã™<~Ó·-O:QBì#o€
Ï)kž[Á±‹›Ø¤Qâ4hUë(sÎаƒèƒv
-™b?|ó™x®m)ïýi¤˜ñÐý(�EÜ	E¹—¥ºaÉ˵ ­ŸÄ£+Žû²Î«™Ål'«üébÝŽ¢2.Ö
-i—ËÎêff9ï#e‚S¶ýš÷6›Ÿ’(	É|ÝTáÃTqÑ`�?ÏV¤c›�ùZ?F\$Õ[nšc¿7؇Žé|”И$ëGîdÒÃ:É(

·\…ù¬Ý¦jdEfáAU²@ƒ¾ìʧb”òÄðØŸžÑ8ÁÛþá�m_erH~iz&±Áå[&~÷}Ë-
-n„>f@_˜Òd¹ºÎÌ3Eâ <¢~A2Hbœ€”¦*Ž9]‰€L'Ô`ÔHã@	ĺ螛ã#Sïó²êa.N
ÜÛŽG’að¸Ù­ôÜp£ÆÓ¨¢é›¹45–ŒDAÚÓ¸ÏE{€Æ—˜dyÏ)t/—ë3Ã
‹ûERR040F_LÃäÕ>s
-䡈KaÓ�ÂC››±O
-4?Ï9…ébP3xþ(5ø‰JýiɇêÔÄ{æL]¤ã$Lhf
¢ŽRïÂý8xϹÆ:rÚºÁTf‘ÔÂ!ÍÄ	#qâŽAâ?aJ	ê3˜$Ë
-R¯*SGJч‘43~h#
èæÄDa‘zˆñX7ϵ@¿¹B\ë"“%#'p›í¼+Æ67§kr²'DÙЕט
-–îâA§vi혌�œ3…ï¡¿ê®õ’²ÒÌpS´²BÐ	²o‹KÕ˜ìÔ¥îÄ°qp8±½Ÿ��ÎÅÇzŒWÎgAÕòåü݆âò’8�¢Œ
 ¥+zÀóTK²0�$4
-™¢”º=ד¸—¨•$C�¥âRºÓ˜Š‰4ž0›äüJ¡4m[®)\$R¥Äœ´Á³º9†SÄ.²iŒD
-•æ.Ê™áÅ.%ÿ|a]"endstream
-endobj
-658 0 obj <<
-/Type /Page
-/Contents 659 0 R
-/Resources 657 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 613 0 R
-/Annots [ 662 0 R 663 0 R ]
->> endobj
-662 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [519.8432 466.9635 539.579 479.0232]
-/Subtype /Link
-/A << /S /GoTo /D (diagnostic_tools) >>
->> endobj
-663 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [84.0431 455.6759 133.308 467.068]
-/Subtype /Link
-/A << /S /GoTo /D (diagnostic_tools) >>
->> endobj
-660 0 obj <<
-/D [658 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-38 0 obj <<
-/D [658 0 R /XYZ 85.0394 572.6667 null]
->> endobj
-661 0 obj <<
-/D [658 0 R /XYZ 85.0394 544.2407 null]
->> endobj
-42 0 obj <<
-/D [658 0 R /XYZ 85.0394 439.1939 null]
->> endobj
-664 0 obj <<
-/D [658 0 R /XYZ 85.0394 412.3081 null]
->> endobj
-46 0 obj <<
-/D [658 0 R /XYZ 85.0394 339.9542 null]
->> endobj
-665 0 obj <<
-/D [658 0 R /XYZ 85.0394 316.1468 null]
->> endobj
-50 0 obj <<
-/D [658 0 R /XYZ 85.0394 241.2623 null]
->> endobj
-666 0 obj <<
-/D [658 0 R /XYZ 85.0394 217.5147 null]
->> endobj
-657 0 obj <<
-/Font << /F61 646 0 R /F43 612 0 R /F56 630 0 R /F57 636 0 R /F42 609 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-670 0 obj <<
-/Length 2399      
-/Filter /FlateDecode
->>
-stream
-xڥ˒ã¶ñ>_¡[4UM|VNkï8;.ïl¼#RŽ�XK‚²HÎDùút£ )q*©Jé@ 
t7úÝ�X…ð«$
Ò"*VYI(’UÙÜ…«XûÛ�à=·i3ÝõÃöîûŸR±*‚"�ÒÕö0Á•až‹ÕvÿûZqpÂõöÓÃý&JÂõÇ/Ÿ?<>ÑøéÃg†>ÿãyûð™Æÿ“ðãÓ3|ÄýFˆ4×?~úð÷íÃWZŒòñiûõËÇß~Ü>~yºÿcûóÝÃÖs=½™%²üçÝï„«=\ðç»0�Ež¬Þ`¢(¢Us'2Hb)¤¾{¾ûÕ#œ¬Ú£‹’aÉ4ZU­„Š$‰f²JŠ •‘ô²JàÂa÷Uå±2/,%Õh–’>¿ês‡—”r"ýpµ‰â ˆElqm�x"�×ç{‘¯u×ÖpŽ uµ;«s¥;šžìŽöµÚë=Avú6m×Ó¨=é³ê‰˜v—®×�=Ÿ¬Q –’tÂR”å�È£xC–º~ØÝò´t—$	â(|î;8TÈu£•ñôGÕ»‘fv#vbÚ¯6RÊ 

ýÆ‹p–ê¤v5îMávúÂ%í¹!"©EMƒÃP×4«¤�¿ÂÐW­áó$ÉRw
¬ 	QÓi¸í5\Õß<µ}E8˾vËíjè�í¹ÚØ›…îFäh=èç÷eɺC+¹ësŽ"A�¦ö(É\8‘eî–³÷€¯¢Åº-UMC@‹úLPË_æåÆÀ£žâžHÈS°7ªÉNU}`>Ÿ‡ò8¿©K‘õ{â0®:ú�µ5\«#Ì£ OsɶÄ"Î
-ëÖòd„ü’vïwDù¯Lº§/ß»[ * ¤‘,ÉÚÃuÛ~NKÖŸáÅÝI àö“6ðÊu¥Mº%ã Îcˆ>"
-åäÿ÷E´ýÈ4_W�óq�€Â1®L©Á$ š]3ˆ§:5öD	áˆáý‘±°‚‡ºïhýz·ÕÝÑ�»ÌȃÎÓ4Y?WÀÆxpÁ´'~e=Hä²q8åÛÚ,)³§µÒ‡P„úà
-ÌŽço•$Œ´*yä‚æ`¥žB�ìV4Ïþ�焘T]I ¸–ø©=¿©óeó_놇W2‘”bn:‘*L\@L'¡8[ï[ë–¸Þö<Ðè­PeXÀ˜#`ÂBämsªuϳ›(™r¡qÕCµ™"*ÆŒ¶ ;ŒÏR‚ø”YªJ°:Íâ1¾¢l–R
HE„¾xiñæˆM¿
-kÀ°']ØÀŸƒ¦ò
-'T©àh–•Ž;ÈÚÝáB“™dCè`»Xw4váñµLpõÙ¡d%áÄ*ɦ†4‚��¥óhÊšƒ,ü§“¶iZS_¦¶vÐg°­ö­³á÷3­ˆ‹@ÈBÎ%»­ ÍF…�pœÈDž±ÑU"ÃKR“`6dà`Ç€ÖØABzÁít?qaý’f»<¢!É�š"òŒ@vïpæÑ
-ke»¿£¯þ×Q
]ïÐ8öÈ&o
-Ó½YeÆTÙ Òí`öØéd»°»íYF㻜*,….´FñÞŽèл´�ö-
È
-cŒDÝ‘–ȨãÐs1)�dÏÛhúR½:ä]Õ/ænk®i„)Zˆ²§Ù¼ÖEC™JW=D.ò*.¢qù1ÍËÌ&Öq¶þÀ{I(¼£ÔóóÖ—‰µWìDh¢ˆ	34;²ÜkM‘·Çt!c‘Ë„ú�â‚	Ù,+C€	Ï0Ãì@—|¹ÛžVúÏžu)¸›ªmÕñêI•ßtÏ´ú#E�áåè
-î¥d
ÔS¢…u4µ^ëü¦áž/p‰4ƒ#ä¶*yBÑŽð]¿¿nZß;*¦oT×r¬ÛŸ8s<vRg¨Ññ""¢š-眜®…B�·s0‚Ø�acœCäfØQ74jÍœíuúÀöw›ÄŠÂ&±<œí°~¹””Œ{Ù¼æYM¯<}ÎIG)!Íf¹dE "éäf7–öÂ+Fdy‘¹òÙ^‚ÍH±›¥^Vä†(KoÚzXÜWæB®øq”çQ~êýKE_0E~âªÔ®ª«þB@2%4T$‚`ê|7	äK”{4¾tá6ŽÔ0²†
-endobj
-669 0 obj <<
-/Type /Page
-/Contents 670 0 R
-/Resources 668 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 613 0 R
->> endobj
-671 0 obj <<
-/D [669 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-54 0 obj <<
-/D [669 0 R /XYZ 56.6929 769.5949 null]
->> endobj
-672 0 obj <<
-/D [669 0 R /XYZ 56.6929 749.4437 null]
->> endobj
-58 0 obj <<
-/D [669 0 R /XYZ 56.6929 609.0996 null]
->> endobj
-673 0 obj <<
-/D [669 0 R /XYZ 56.6929 584.3177 null]
->> endobj
-62 0 obj <<
-/D [669 0 R /XYZ 56.6929 437.466 null]
->> endobj
-674 0 obj <<
-/D [669 0 R /XYZ 56.6929 410.2571 null]
->> endobj
-668 0 obj <<
-/Font << /F61 646 0 R /F42 609 0 R /F43 612 0 R /F56 630 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-677 0 obj <<
-/Length 1940      
-/Filter /FlateDecode
->>
-stream
-xÚ�XK“Û6¾çWø¨�‰U½e›W»�i¦ÓlOM\‹¶8+‰ŽHÙëüú(É¥“éø $@âÁ ãM¿x³ËÃ(­²MYeaÅùfß½Š6G˜ûåUÌk²<
ó,Ma°2»ÍÓ]˜ï’r³]*yóðê§Y²I¢°(’|óp˜ö*Ê2,òr·y¨ÿÞ6âdåp·Mò(Hîþyø�IJ°Ü•1ŠE°EFEY9�7÷ßÑê?¥Ñã°—~ôeTƒìdoͤ&ÎÂ4+VSà
hÛ$Œï¶qEÁ¯b¨/b`-÷ZÒMVER°’4
-ó<O�–w?�X‘�îâ]€Šð‹ÊŠ4 :•ÞÅ�¡ÉFœ%	ÛAÔÊ*Ý‹¶½ëQÊž(�¶¬®Óµ46¼Û¦Y|Ð-èDÏBª7TTe^#/ŒÎrà-m#,…fÄqXåyâÌࣀù¼/P'ÙÐ#kêšp ÁÁÙ£;‰½U^¾함YçI=t^“¨;5ˆÇ–×	C_r%|âp:h&QEQ{hPg¹ÃÕŸÞ¿%Zô5÷œ¢RØ‘œnˆ£ôåì
ª¢O'®DœÈ¨3ï`5}yìã
-Ë"-X•>®¤»Ę@7à ¸&
-­Æo«:e™Õð*Ñé±g&º¿>·Z¯/DÝA
þ²ê£SQØ9Ð|Èg¬ÎrÒM6³
7LxQ�û	@}0°ª(K¼�¯� ·n4,—JÏmM點/úûhBî¹x)Vh
-ͤ°’év
-pæÈ€^{ÑDˆ²ºvÒÅ
ê8‚‚AøN;›:m�¡ˆG–Apv�­|éyNT9`Ö¤p�Ñ÷ir“¨ÈÞ·Š:58 ÂE®i@õ
Û
-Ma‡goi~v«ÀvâÊJˆÓ	¼Ü·‹ùý‘fx…W籨¯˜1!mZ, �ñ¾�£r™ˆ�8Ë& åZå\•ƒ«”¿•§zûî¾Dã`�
¤i
-ߣúF‚@È
<nÛ‘;÷5ØÏÎÉs¬×k	æÿ´`o/:þ	åoÓÁ�úŒW´P1ƺ+Äp�­‰CìW樂ØügiâßpkÂù%Ûy
ý·Äd€³0M¢IšR¾Ülú;ïÛÝþe;€$endstream
-endobj
-676 0 obj <<
-/Type /Page
-/Contents 677 0 R
-/Resources 675 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 684 0 R
->> endobj
-678 0 obj <<
-/D [676 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-66 0 obj <<
-/D [676 0 R /XYZ 85.0394 769.5949 null]
->> endobj
-679 0 obj <<
-/D [676 0 R /XYZ 85.0394 574.3444 null]
->> endobj
-70 0 obj <<
-/D [676 0 R /XYZ 85.0394 574.3444 null]
->> endobj
-680 0 obj <<
-/D [676 0 R /XYZ 85.0394 540.5052 null]
->> endobj
-74 0 obj <<
-/D [676 0 R /XYZ 85.0394 438.4586 null]
->> endobj
-681 0 obj <<
-/D [676 0 R /XYZ 85.0394 398.3838 null]
->> endobj
-78 0 obj <<
-/D [676 0 R /XYZ 85.0394 336.8073 null]
->> endobj
-682 0 obj <<
-/D [676 0 R /XYZ 85.0394 299.2678 null]
->> endobj
-82 0 obj <<
-/D [676 0 R /XYZ 85.0394 189.9853 null]
->> endobj
-683 0 obj <<
-/D [676 0 R /XYZ 85.0394 156.0037 null]
->> endobj
-675 0 obj <<
-/Font << /F42 609 0 R /F43 612 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-687 0 obj <<
-/Length 845       
-/Filter /FlateDecode
->>
-stream
-xÚ¥–]o›0…ïù\©xþÄöî’–µtmš"mjw-¬�”¯&dÝþýœƒ“€Ñ4U||œ×F>TÈgˆ$–>—0ˆ˜ÿcéAÿYõ]{¨Ô„FÚªAæ}ø!_áÈÏ~Zc	
-7ÅËûM>�•èÔ¡…»Ê Ê:Ê…­jçU©ºx9M+^g¦�¼ŽL?éôy�
-endobj
-686 0 obj <<
-/Type /Page
-/Contents 687 0 R
-/Resources 685 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 684 0 R
->> endobj
-688 0 obj <<
-/D [686 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-86 0 obj <<
-/D [686 0 R /XYZ 56.6929 769.5949 null]
->> endobj
-689 0 obj <<
-/D [686 0 R /XYZ 56.6929 744.7247 null]
->> endobj
-685 0 obj <<
-/Font << /F61 646 0 R /F42 609 0 R /F43 612 0 R /F14 620 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-692 0 obj <<
-/Length 1140      
-/Filter /FlateDecode
->>
-stream
-xÚÅW;�ã6î÷W®ìB4zb«Ëæ�¤‰�+r)¸m'‹Š({³	òß3äP²äÕ]€	Tp8œ÷?IlEáa«<!Tñ*+b’P–¬Êó]áì»dâD�$6§Q"r’ä<[ES#_ívßÆ|Å)ISž¬ö‡ÑWš�‚
--”ó ,
-ÉÚ4Ç`U÷'=^À\­„¦Ãƒþ¤t‡¼‹UdÅ1Û|Ø|£sÖ¸ô\BŒ‘"I¸OHV•�UY‹%
K�0­.‘4\QRZÓÈç:ˆ™6¤´U}¯›#Áb"┇BÆŒ¤´`Þ¯ l1JéægyncO÷¥

!{C‚ž†
-·öòÜ(çÇm^óEÛR}Ð’®[HŽ¸Í¡3g²8úe�kçйXãþO\XÁ	Ksºãñ㜙M™=Îíc^x3ì`ÓIð‚äyVÌã¨tbº×ÍNõåÎÍAõ¼vs¨ÑÓ}òé67Å…ìZ]E]‡r­½=Lg2�'&ß_z$à0TlTÓM¨ö�Û¥t}ý#Wú×YoÕ�W+Z,Æ})ùlD~2&;ÜGú¿
Ò¦ò'óÞö¯­º)?Þç½îÀqGëÏ´x×ûÎ\ý½ðƒˆK§ @xg@„±€þ6û(Ná¸6¦}–å§`
-endobj
-691 0 obj <<
-/Type /Page
-/Contents 692 0 R
-/Resources 690 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 684 0 R
->> endobj
-693 0 obj <<
-/D [691 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-90 0 obj <<
-/D [691 0 R /XYZ 85.0394 769.5949 null]
->> endobj
-694 0 obj <<
-/D [691 0 R /XYZ 85.0394 575.896 null]
->> endobj
-94 0 obj <<
-/D [691 0 R /XYZ 85.0394 529.2011 null]
->> endobj
-695 0 obj <<
-/D [691 0 R /XYZ 85.0394 492.9468 null]
->> endobj
-98 0 obj <<
-/D [691 0 R /XYZ 85.0394 492.9468 null]
->> endobj
-696 0 obj <<
-/D [691 0 R /XYZ 85.0394 466.0581 null]
->> endobj
-102 0 obj <<
-/D [691 0 R /XYZ 85.0394 213.2018 null]
->> endobj
-697 0 obj <<
-/D [691 0 R /XYZ 85.0394 182.4971 null]
->> endobj
-690 0 obj <<
-/Font << /F42 609 0 R /F43 612 0 R /F57 636 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-700 0 obj <<
-/Length 2029      
-/Filter /FlateDecode
->>
-stream
-xÚÍ]oã6òÝ¿ÂÈËÉÀšË}^ž²ÛM/Å6›óú.(Ú>(¶+‰®$'M‹ýï7Ã!eÙ–›´à
ÂÑp83çƒcb„,Ld2ŽŸ\ãE9âã{˜ûv$,ÍÔMûTï棷—¡',	e8ž¯z¼bÆãXŒçË=Å›
-‹ÖU•-,
Æ<³Ô‰*ñÀ++F; ]ç¤éáÔF}î\›—Ùß˦*“ˆË±’
ó“8|QÝ$ 2Šãx¿núk«œ½9©
­ãÀË‚nwû¬¦nOS%L	·+Êöîb¬÷C5VàÙBqr…kpùÉÔ�•ðæó�èRQè½ÿxñn–ò#é͸ù
-µ™ÍLÑ-¥ô>õÏà@#
Õ)�¢pO¥£À×Q=£É17T…™tãÍ×yC
-œ`ÜL¥[G²Ùèº5+íy
šBB	ZYÆÖ—
¡+sÓ
"'–G·lÁÓJ;»ÌšE�ß�Ó©Bÿªb?:xîÀ(c[A{Ópòô® þm ‰õ¡‰åJ¹×YÛÅ^Ó;×pãš°@	Š£Ôiú¡[``#Æ”®K™-Öi•7%a©2óØ%YZ×Î#Œíæ®Ä%ÚNtBL³•[zû4bÀþ2Óˆâï³^éPZÀ’¿!¡
-¼%ÔèŒ*Û
Õ„1Ü`Lî%Ä=El/œ}ð>6©/Xè+G¶¢\X:¾f謰}ì€Ìƒ>¥bë@8cí
-endobj
-699 0 obj <<
-/Type /Page
-/Contents 700 0 R
-/Resources 698 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 684 0 R
-/Annots [ 705 0 R ]
->> endobj
-705 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [55.6967 169.1151 126.0739 181.1748]
-/Subtype /Link
-/A << /S /GoTo /D (rrset_ordering) >>
->> endobj
-701 0 obj <<
-/D [699 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-106 0 obj <<
-/D [699 0 R /XYZ 56.6929 432.4444 null]
->> endobj
-702 0 obj <<
-/D [699 0 R /XYZ 56.6929 393.9716 null]
->> endobj
-703 0 obj <<
-/D [699 0 R /XYZ 56.6929 337.8523 null]
->> endobj
-704 0 obj <<
-/D [699 0 R /XYZ 56.6929 325.8971 null]
->> endobj
-110 0 obj <<
-/D [699 0 R /XYZ 56.6929 143.0931 null]
->> endobj
-706 0 obj <<
-/D [699 0 R /XYZ 56.6929 103.9279 null]
->> endobj
-698 0 obj <<
-/Font << /F61 646 0 R /F57 636 0 R /F42 609 0 R /F43 612 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-710 0 obj <<
-/Length 2769      
-/Filter /FlateDecode
->>
-stream
-xÚÕËrã¸ñî¯Ð%¹b"ă¯œvv›ÙªõlÆšìaÖU¡DJbV"µe¯Sùøt£

-¤(ËS>¥t`h4�~S|Â�OÒˆ…2S“$S,
-y4Yl¯ÂÉ
-æ~¸â'pH��õýìê¯b>ÉX‹x2[z´R¦)ŸÌŠ¯Ó·óóìýçë@DáT²ë ŠÃé훟ÞßÁ`MÿéæÞ~ºýðñ‡/Ÿß\'j:ûøéö:H¢LÁõ̪O?¿?®¸»¾Ÿýxõ~Öq‡Ùþýêë}8)à�?^…Lfi4y„—�ñ,“í•Š$‹””ndsuwõ�Ž 7k–ŽI+’)‹R‘ŒˆKÉ1qE‹¥�F\ïà�åô¶i«åÂjZi[6;T4‹Ã¶¬Û² ©ª¦ñÏÞÒ
-9K²$ƒóãp› &þ	Ù?¶Ê˜ˆTbqoc¨ˆ³0„€s–E‘0“Ü(‡­D–ŠI¢'	GÙÒä~5!à³w~à/8½ŒSºÈÀ]¹ É ªÅL0®X|ÂRœ°,I’K'ZÑa]bä„27)y8ýÐ쉗-
-ñ˵L¦U»¦7cÊ9x——ÛΠýcÃæ î³uÙi›J¦ùñ%¥
-ícC#Ûtüo€|éj»ÛØ-*HPöùÂZºE$È:­Ì
-P5ØئìÛ/yÛßåþÉè3º0+’gª¦ó¼] �K¥#ƒ�ëÊ
–”‹C[jšÈéAäÌ<ñ
-ôÂ
-Lõ Æy`Jí|¥¶€q3ð,È߆ÓÇjcñÛü·rà0Ä�'þæ­ïüü¯–
-%SÉ€®z>…ò±Î§Pn¿†Lî´ðU T ²ÏîÚa�l+¾Q¦P±÷ö��ÊO„P'Î2oÊj•4q6yh«MÕb«"–Ó…¯‡ªÀH,cYqÂi?ÂÔ÷€¹MÓüvØÑàA›ÄÁœf­>”Iá„I1–ù¾š�îèt«� µ0eŒUßÇ|D
-uÙb“#1çÃäÞòTL¿¢ñ¢\æ‡M{ƒIwÝ‘Ä;iÕDSƒmµš¦æeûX–õ‘,A†8�FŸðYÀ© +ÒºÔ7c)Ñü`ͦj]
x¨MÝ�7ÆvœÏ­y”´e]”…ó*'õቲvv6±�
-t
-à×qŸÆùĢú˜X@hƒ")‹^Å“Gã|bÑauvAá%Èß›ýìñÁÅ›`1ÅDÄ"(]Ä9�EÆÒ´k­uo/f/uÑ´ß@°½HðLÞA�s˜"¿\¦WmË®MõlŒµ$?��„Ê$†\ÜSϦ÷e»¯JýÒøýLzáüÁXr!Y‚-Ãfoß–NR
-̘xüÿuÏ…
¸�¨SÆ—…]›öš|>ìúXçÃn‡e,FÛà3½hç!·gwî°.lÍ¥d<M£ó{{�PRqád„ýÅc¼K|ØàºÚç[ ¦
BØ4À§­P<Æ|séÂu×Ôl,H‹…t]ûskZ†™ÇƦù™`jØ¡pý•ˆ~Ï@Jn£$
-ç“‹Ó³F'ÉO3Æ rrq® $Ã/G÷´M°¬àúFêu8{èŒÿ¿´O`·#s¹
[ü{gý°Õ7X:õCÑ4‚6I
-x\›D º±cæWæ#¨UÚ®‰†ó+ o—`›—4Šòø£Úº‚Ølc*m„æ
Á4wÇ:x¶ƒIÌ™†èÚv7
C±§(›õXµ}QÝë}®ŸvD¬ŒÂ¶
eÄ1á×'®K(4ŠK´»>/Õ]—×°s]@qv^2Èèá	/QôMlظí{l¬�"wÝ
-‘ó*8ÔÐsngÐnÜÖ¦è„ý*=v×V�„‚
5=í§§È»lœõ.„Q=7sˆd˜ôµ,:^ã`•�Ý•‹
-)—Ãíì}dïS‘h„Šw¦Hfƒ±C½àߌ!ØøOSq"@,C‘i¤‹«\ôJrîâ
-endobj
-709 0 obj <<
-/Type /Page
-/Contents 710 0 R
-/Resources 708 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 684 0 R
-/Annots [ 712 0 R 713 0 R ]
->> endobj
-712 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [100.302 744.0309 168.974 755.9311]
-/Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
->> endobj
-713 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [346.8549 744.0309 415.5269 755.9311]
-/Subtype /Link
-/A << /S /GoTo /D (boolean_options) >>
->> endobj
-711 0 obj <<
-/D [709 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-114 0 obj <<
-/D [709 0 R /XYZ 85.0394 725.0585 null]
->> endobj
-714 0 obj <<
-/D [709 0 R /XYZ 85.0394 687.0856 null]
->> endobj
-118 0 obj <<
-/D [709 0 R /XYZ 85.0394 687.0856 null]
->> endobj
-715 0 obj <<
-/D [709 0 R /XYZ 85.0394 661.3732 null]
->> endobj
-122 0 obj <<
-/D [709 0 R /XYZ 85.0394 608.5488 null]
->> endobj
-667 0 obj <<
-/D [709 0 R /XYZ 85.0394 581.5021 null]
->> endobj
-708 0 obj <<
-/Font << /F61 646 0 R /F43 612 0 R /F42 609 0 R /F57 636 0 R /F66 718 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-723 0 obj <<
-/Length 2786      
-/Filter /FlateDecode
->>
-stream
-xÚÅZKsÛF¾ëWðª*œÅ¼€™ÜœÄÎ*Uk'³Ù*Ç€H¬A€&@É̯Oæ�×
-ùóM€¨|õ7
ÂR’Õá†qŠ8£Ô®7÷7¿:†½§í«^ká
-y8²	„Žã\CFQÄ ©/µO5WG5²ÓŸU™Má*À¸œ-+à¨<á
-ù;
-£¡
-®VÍ1\ÔúUp�m­È’íµ†•¾~¬NS4ÇejUe
9=+“K[
-æ¡¥€ù¢¸ï±X€¢¥ºE¬ìÿ¢äÐqX
-n³Á·Ê4ÁúyŸ'{ýæs¦� ïâ¢VaDøº¬£­öG–êuhî}Ñ£ãѲYCÈ·./}SköÉ>.ˬÐÌUšµ1†×w�zéR�Í'ÞŠõÙ'È¢8Äøž6h¼­¦Ïy³¯Î�-šfÀ©Ž
-¦üææés^˜I'ÍëÞ0¤ÿ�ÛB¦uVw7qm«téïæjTDøÎ_Pìú,æ˯£ºZ~¡Ç„á0 /Q©Çb¾
-¼­Ü¯î±rÇ)�ªÁJÓå�m;ןtݬ±™—»	:m ³JB‘åhïSéhžhwTm´gE§“1
-©Þ©õóG»Ók;Ýí‡ÕX/<ž¡
žÖfB¡È¨ë`’°–§ڔВ=ï­¾ §›C@˜U)Ö·EÜ>l›jX-χ­ PÕ¼µ	™jÈp4k ãù!Kâs�
›úø©ÊÓñ¶x™e6;Vúö%†y;kTi®|’ôªf“¬ÀIŸÑSƸr_„©–˜]ÁW�j
_–ªmo›¸©§ýFLD|Y¬£šÊ‚†h5ÄPðïjÿà”7ÙàÌG_ƒN*â“zhõîœbD0sª`íBÔ
ž˜9«qÆëSÍÏQ©oø|ÎN—¢šON‹’»ä4íONÙÛ[IÖÕn§ÒÅ‘ÖE]:`Ò…:ûÄdýëä�~!Q@V«zÆWK™^�šðP¨˜oÍËÙ—c‘'yS\ôzšk€&�a)ìÎÒt÷¤&¥onÓíÜ™Åàë#5Y¶”ÛPˆ½{9(dÒ�fÁ“r Ås·Ò?œô¤1h©¥;½²öóðT«ìfƤË
-endobj
-722 0 obj <<
-/Type /Page
-/Contents 723 0 R
-/Resources 721 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 684 0 R
->> endobj
-724 0 obj <<
-/D [722 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-126 0 obj <<
-/D [722 0 R /XYZ 56.6929 769.5949 null]
->> endobj
-725 0 obj <<
-/D [722 0 R /XYZ 56.6929 752.3102 null]
->> endobj
-721 0 obj <<
-/Font << /F61 646 0 R /F42 609 0 R /F43 612 0 R /F57 636 0 R /F66 718 0 R /F58 639 0 R /F68 728 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-731 0 obj <<
-/Length 3427      
-/Filter /FlateDecode
->>
-stream
-xÚ¥Zm�Û6þ¾¿Â(8/+|)^?%išn—ö’mŠ¾á µµ¶YÚZr¶{‡þ÷›á�´dÓ»9Qäp8ÎËÑùŒÁŸyƤU3cU–3žÏ–Û6[ÃØ›îi�h1¦zy}ñükÍg6³ZèÙõíˆW‘±¢à³ëÕ/óWß¼øþúõ»Ë…ÈÙ\f—‹\³ùÛÿxý:ó|þ!Œ½úîí×Wo~x÷âÒ¨ùõÕwo/&·
-æ¨Gf}÷ýëÃŒ÷—¿]{ñú:J>ÞgÅþýâ—ßØl›üö‚eÒùì^XÆ­³í…Êe–+)COsñþ⟑áhÔMMi†3Í‹Ù"Y¡
Oq¦@oÊ€NÏ´T*ê4/F:åÚJÏ"êô¶Ù÷›ã½ri³BJ;3<]7P�®«äx]¥²‚çbºð׸pÕ“ê‡ME�¾Ú}ªvp\jþW?¶,—›*;1lÚp`Zpõ”jFd�¨&P¡„ýPûþda•ÃnÀn_8P�.<ÕMÎ2cE1]ù«º¿kÊØ?A×înñ)½¾p�ôêÃ`âo»Á
›r-ßÕî·7¨]dA¬Äüß][yîu»lö«ðgÕíPíÚ²AM€øb$¾T&3†	Ø4Ê}S·«ç¯¾ñ„ã}.¤Ö™F'XÀFmÖ€pq:å²]™Âªº-÷Í�XÕ
-àÀr¿höüêmbE
NÇÀÖˆh› ¶‡%ëÛ¸âî’óÐíí®í† =«?îšzYû^7¥ëN¸.»öWÆÄzO<WÎrÑYÀ�
-0-`ßÖËÈ”ÍïëaC-2 
-!;Ã"å†Û
§¢¢�ÌÍÄ­°©®WõºJÜ°„pU¯[ˆf$jDʧ`”º›êG‘°·¤×~SúyVÕ’Þ‡gØ¡}qþ„ΟáÙv4|ï+t¾ãŽ\ùS½ò3‚Dr´�tŽw»�î—@
-iPHE‚«ÓÃ2w‡×ÀÙ/$¼áBô†�çæ5Ý2NPóÛnG
<—S‹á2ÿOÄ
-CÅé’±Œé«èÑ\Võ.Á_@yˆè.R#óU…ºl]´qkU-µ(NAÃ%,
-ú°TÎÍÔ1oöuƒ¶�±ÊÅÿâ4YÃv8°Ôs�´ÚÖJÉ‘£�Ñ
-V�.µÂ³¯·uSîüôŽ)#aOw›Še9¸°â�•[À�g"2 Ið¯b„˜¬ à‹ìX�Rúhõ®ÅœL[Üï¼µ@l”\Û©�á]¥Ú2è1)ks&[é"³ŒOÂjŸw¸çŽcTi$âÝ´
-Ó̘ÏeâÁNBùÕ2Ä)Pœ)Ó…¿M¥xip4Žà 3L-`å`P=†
-Ðüaß
RD`ƒ÷S Uö}·¬1Uº³°éBX9õdÊT…ž‚šÂ âzqˆŸDj¼:ü¨Ï¨Ør
-
½È°åÀâÅ»Ê%å}è®oj¡}Yu
-„ÈLÚÓ}¹ržOC,,Ç
¡xŽn=(×ó@A‚†¯ÐKS·Uê 9BmŠÏ37°Í-œÕxMFÜ»?wብ§­ß–¿Z@4Ì—|š–ÜL“�A$¾:ÄÏ2eŸ�&eÔñ™Üb3©ÌI$HiIAjà²øLï1Y.dXûp³ñ» ]AÃM§®Žž±òqR°
-¡|-&¬ÈŠ‚ƒ;Œo9ƒ W’™»Q̪Ïùà#@ME‘þܳˆc–§ß"r¦!ÑÂå?’=bep02B·YRsï+-hÕ…1S×D�™"žœ±î´Ð–l~Æä
yþd4,¸MX<¬E¸Vî;êyñŒ&°*›u··Ø&U†BÏ°
-®2+”ôJx;+b• ‹)žÇ
¬OŽ:+ß½Ý7žÃªÛ߸Rôý¾ï†C-°ˆµ@úõ¦‰pêœÂ_yE@µ¢ðç
-ÌŽ€îØÍÈ�ÃzÓ´ ñ—ۻÆóØÖm½-›sß 3–”DZÑ?o»¦éîCr�\!"
-xƒc‹¶°ÐŒ9ü+¾ýÇI„æá)zˆéØQ~2Ã_¦>‡ùtK¤KùîáFäíÕ›ûù¡-_½ÜÞÈ«õOï_?ý¨Ö?µØÕ¾ùùÍ럷öáêÍëõJXû»g¿HÊôç—©’P¨áœßO•\9~nj0Ô$9�o¹¡Fê{ZÊ##‹çáT8J:ÞgÓŸ*Ô-øeÓw(S_è8X˜e±Ró?¢#Ç9Øz‰¦”¾®¥ìk�÷±¼Ðù4óþ%
1r@L1u9$K¬š®\¥~Dâ'L|‡ò�9¸ä!)™9ÖÖüqº'Q€À
Ð75Ü¥ÓͧÀìfo|ÃÝÓÂço¦#[ÿ¡¤ÄŠ™àî|·Ô<ã"Ä„±³®”a�/mâí÷~ò»”Ñw!¥”½=`}‰Š;MQ¨ >Âgáaçf¼& ¼£/CÁ¯GZÆWo04ýØ™ÜûŸô ÂóˆîàDDæ�)¹<
¦~¡'óV—ø
-ÿžÃÿýë½ÃA:€."ý9	¬Kñ&…’syrÙ”¸Œ0	Ñÿ{$€Áendstream
-endobj
-730 0 obj <<
-/Type /Page
-/Contents 731 0 R
-/Resources 729 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 734 0 R
-/Annots [ 733 0 R ]
->> endobj
-733 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [120.1376 578.8887 176.3563 588.104]
-/Subtype /Link
-/A << /S /GoTo /D (controls_statement_definition_and_usage) >>
->> endobj
-732 0 obj <<
-/D [730 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-729 0 obj <<
-/Font << /F61 646 0 R /F58 639 0 R /F43 612 0 R /F42 609 0 R /F57 636 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-738 0 obj <<
-/Length 1223      
-/Filter /FlateDecode
->>
-stream
-xÚÍXßSÛ8~Ï_áGg«ZÉúõÈ1@éL�ƒps3½>˜X
ŽÍÙ”ÿþÖ–í8‰Ó2½Ü\Ûliµûí·ŸVrÀ£ø<!‰4ÌxÊ„DPÞ|9¡ÞÎ�O µ	:£`hõÛlòáL‚gˆ‘Lz³ÅÀ—&TkðfñŸ“�LÑõ/�?ŸÞžÞL…ðÿÀ?
Ô¿º>½9žªÐŸ]\]ÞN%LèŸ|<¾žuü;«O®.Ï.ÎïÖ¦_gŸ&§³ù0; ¼†ý÷äËWêŘä§	%Ühá½â%`ó–“Pp"Bλ‘tr;ù½w8˜m–Ž²”0.Ù]!Ð¥�c„‡9Éo芲Øå–TîïcÔDY;Û¬JæQê^Ÿì›{(«¨²Kœs¯‹¼¨Ùøp&Ô &hĆÿi­Èâù6gLK™Ñk\ï`�£µç,è=C—
!à˜6„ƒ–›ŒÔ	6‰l�ŠÎT›©-0D
-P^à¦u3y³Ê²${@ZŒò«GÛzcCåjd…‡V‚yž-l6Zr”‹)h?(¢¥‹ðš¤uiŒôÑÅ‹Í,Iúæææ�±ÅB9‹h¬D¤‚!5˜$(o%zØQÊRëÕÕo"¼å«£iÀ©i•UMËÜñŹ$!køb„p;6NÊç4ªkøÂŽÉ|ùœgqÍç.�
-êtOû.ÔžhñXŽí T?Ѻ–㼧yw	ê¡Ä´;zñ†`H$7œ(ª�Èõ¥ïU0RÁïf@á
-¦†h#U§`¼�Þ/á�˃Ix渄‡8ß-áyj»^Ù¥�
-endobj
-737 0 obj <<
-/Type /Page
-/Contents 738 0 R
-/Resources 736 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 734 0 R
->> endobj
-739 0 obj <<
-/D [737 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-130 0 obj <<
-/D [737 0 R /XYZ 56.6929 699.7944 null]
->> endobj
-740 0 obj <<
-/D [737 0 R /XYZ 56.6929 672.4899 null]
->> endobj
-741 0 obj <<
-/D [737 0 R /XYZ 56.6929 642.9726 null]
->> endobj
-742 0 obj <<
-/D [737 0 R /XYZ 56.6929 631.0174 null]
->> endobj
-736 0 obj <<
-/Font << /F61 646 0 R /F43 612 0 R /F57 636 0 R /F42 609 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-745 0 obj <<
-/Length 2206      
-/Filter /FlateDecode
->>
-stream
-xÚ�XI³ã6¾÷¯ðmäªX#‘"%Ímò²TÏ!‡î—JªÒ9Ð’ü¬´L9Zúµóë [¯2åƒÀ$Ö�€ã]¿x—©0’y²Kó$TQ¬vÅå]´{�µßż'Q2T‰”0ØX=(™…*éî°<äÛçwÿþ!;…Zµ{>Mwé4	…Ùî¹ü-x:›ëPuûƒPQ�ìþ±%aš¥1²E»ƒŽÂ$¹cøoùÅØ¢*‰ã©ú:ôcœ„2ÑÂ3fa¢¥ãKÂxˆ£(
-¾»Ys©:àçki†ŠÙå.s-4sKŠiíØ'&)E0“£ëž¾ÃÙMÈ
-¿N$.¦Ÿ<÷WkyÅmª>„ûã;[{³¹ÓøÔÓØ47"˪/ºúè]ëïûðÃ"–:ôêj™dÿŸo*kŽ�÷EËÆ5ôAÉÇÛ�4À™£éëÞÙRGöPm‹f,kû¼v
-¸9b$Ä^¬tâ¡T¦iÚ×ÃøV|ijЈ7“ŸîŒAÇHÚB'®mS·�2‡4Ñ‘\ûºhÄᣯSi(òÄ‹ïìñx$f”æ^¦~
-¡YÌâõ
šc–$��ÚÛÓa­ŠÂLæ©'¬~ö`óG;vÖ4KŒy´ã0K²”ÞŠd–ÅÙØP0¸˜²"Êa'|
}€ò1d9�K&gpA¦)|aÐH.l`ìo8WóÙÿb
&]p@º€ÓX€ºu¿œæÃú­¼�´$
-’�£&\”%9GLL^
úõ\Y¢¦e¼µëbš4Ç•	»q»ùì‚
-z™‘g8¾ã•|…ä‘/Ú–ˆ^;Úïrwh¹!pzqx“੤g‹áò‰b÷ÏL<9l‘ï-”x¦d¡¹xMôÛú<¨(ÍÍŸGE“bEßKmGx-Ý)ÕE\I¥X¶Öƒ‹“-L˜ßYLDŸ�
-ŠÍ•‘óFs‚=y;–$½¯+‘Ë03v>
ÝìþÄ�¹7%1H
-…:yuü«r�‰ó4Që7xnrŠtøV_ëᛩ¶‚gI%‘Š±½ý²Õ´AÇe±·ÚTnsÇôX̃”�LêŸkù,O'ïbö³Äˆ½«¶((Ôy'
2‹Jᮡaë¤IÀÅýT“Þ5¾áQ¡òPäB¬<�ˆTZÝ5
-z(`ÁA|,æ3âÑ„±·þ¿I6AŽ�%…
-
-endobj
-744 0 obj <<
-/Type /Page
-/Contents 745 0 R
-/Resources 743 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 734 0 R
->> endobj
-746 0 obj <<
-/D [744 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-134 0 obj <<
-/D [744 0 R /XYZ 85.0394 769.5949 null]
->> endobj
-747 0 obj <<
-/D [744 0 R /XYZ 85.0394 567.4944 null]
->> endobj
-138 0 obj <<
-/D [744 0 R /XYZ 85.0394 567.4944 null]
->> endobj
-748 0 obj <<
-/D [744 0 R /XYZ 85.0394 528.5092 null]
->> endobj
-142 0 obj <<
-/D [744 0 R /XYZ 85.0394 387.579 null]
->> endobj
-749 0 obj <<
-/D [744 0 R /XYZ 85.0394 353.3672 null]
->> endobj
-743 0 obj <<
-/Font << /F42 609 0 R /F43 612 0 R /F57 636 0 R /F56 630 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-752 0 obj <<
-/Length 3450      
-/Filter /FlateDecode
->>
-stream
-xÚ¥ZYsÛF~ׯà[ -‹¹p<*¶¼ëT¬x%Õ&•£j!2Q&
†
-€¾-v(¶ÐÏùñ°_‹=þÜÙã�1K|)f2ìV8i¦{�fŠAŠ4~ÐÆ/ÐB$Ÿ@Íxî¡ÄMÐì¶-6Û–;hÜð¹'8À<A.’ª5@�ÛeË£¥ô‹OÛu¹([”1ö—eƒèZ¼ã‚7z ojA÷K`Õ
-ÓLy÷oÄýßÂ�´¨××·_òè¬w·EËX”�öòsY>à�=ˆYªZ&?–Å¡Á+ˆàä;OkÊûÖ|¢à‚F-ÉGqÔh¶ù¢à&¢
Ÿ �Å®Âà
{d,°Q|’yM½f�OïÑÓZE¿ûy°an,§LÁFIcðÉÒqñð.thåïB„‰“§…iÁ™Ø4én¸ÝoѸ*2®�Mǵ†�¦€Óà	�JdçySW~[?Yk>äUù¹3æip¨÷ë%¿yÈ+Ùœ?l€x‘8¥l›~û<<‡8Â,ôŒ´Ã.¼ÅIóó™­Ä‹z³!5OØïžÇ8^ƒ�Æã
-©¸$æÜ¥ÍФ'°Â&ÒƨÅÁ_ÂŽ‹†jî¯Ê¥láw­­Ç¶y\øš#«#¬l¦L¾ïAǼL¢AËKÀ}Ã�ú\7Ù9Cã--_€šÎãÄ�îFKy³©7BY÷ì±Ù‰^xB
-bJŒFKJå
-ªâô#±·É0»�“Ðı7žè'UØmûÔÖ¦&ŒÓXËô‹	ŽsëT9}ä4‘³þ{œ“Põ‰8ïtL°TØX•fϹMÀ§Ìu؆rÐ_Åýˆ9^–â	#–”].©ˆ ÁhÜ#ë.KM
-²*‹FÅ‘Áì0–°ÅÖ[d·Š¶ðÓ[™Ëu˜£t	Óø
-¤>(IûE±ãwI$ŒH»ˆwÂïè´_iý#æä‘)„—êÐp“¸àD Â_OÕ3°ëÒÎŒl§*â:Œ3e¿ˆV•AD©o2á6´py…âSü–Y¸þ«A>T_ÅtÅø8p×2§ÙsèÂ…<XZQ=I,ß…„šò¦˜]Ä‚…}¹ôè{)‰™�Ôå6ümhÊ€“Ô�­;/H õâì%¹*—yûÐn_à™Â=Ä&íwE"ŸÿpóR#�VŸi£èPï~‘XÓD{þäʹ0qÖÇy¸ù$Öj°»ÎÙ1*¿|†Â
kÕKr�ÀÊ/x�¾ lÆV
*òUîÞÀr:�ÊM
-Ûš‹Îȃ+–Zr"ü±.=_Æì‡åŸ
-Øæ׺—ƒŠƒŸÏ�JέŒÏ”ôø:&\ÄÑ]\%Z}MUòÊA1ÖïÚ‡
Sõ¦þÚ眲€O9G¹"}S§úí0åâ¼PòÄ£ší¸Üлø©�âß¾&þÌu5Ý¿ýï²þow6Á?êèéÅè¬M
-LdSx*>Ù¹ÿÚéÖÿ–g”<endstream
-endobj
-751 0 obj <<
-/Type /Page
-/Contents 752 0 R
-/Resources 750 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 734 0 R
-/Annots [ 755 0 R 756 0 R ]
->> endobj
-755 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [487.3921 714.1324 511.2325 726.192]
-/Subtype /Link
-/A << /S /GoTo /D (proposed_standards) >>
->> endobj
-756 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [55.6967 702.1772 134.4009 714.2368]
-/Subtype /Link
-/A << /S /GoTo /D (proposed_standards) >>
->> endobj
-753 0 obj <<
-/D [751 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-146 0 obj <<
-/D [751 0 R /XYZ 56.6929 769.5949 null]
->> endobj
-754 0 obj <<
-/D [751 0 R /XYZ 56.6929 746.8206 null]
->> endobj
-150 0 obj <<
-/D [751 0 R /XYZ 56.6929 601.0198 null]
->> endobj
-757 0 obj <<
-/D [751 0 R /XYZ 56.6929 564.7564 null]
->> endobj
-154 0 obj <<
-/D [751 0 R /XYZ 56.6929 410.3779 null]
->> endobj
-758 0 obj <<
-/D [751 0 R /XYZ 56.6929 382.4543 null]
->> endobj
-750 0 obj <<
-/Font << /F61 646 0 R /F42 609 0 R /F43 612 0 R /F56 630 0 R /F57 636 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-762 0 obj <<
-/Length 1949      
-/Filter /FlateDecode
->>
-stream
-xÚåY[oÛ6~÷¯0ú2g¨R$uižº6]StYÛÀ¶ŠÌÄ^eɵä¤îÐÿ¾Ã›DY´�vØÓ âåð\?ÒdŒá�ŒŽ0MÙ8Nâ˜ðq¾áñ-Ìý:"†&°D�KõËttú""ã¥Q�§7¯á$!ãéìýäÙ˧o¦çïN‚�ã	C'
�ðäéó?N!“§—ÏΟë©g¿CûÍô
-z˜“H©!¾zóúbª‰ž_^�|œ¾�O[å\¦R³Ï£÷ñxv¼aDÓ„�IÓp¼1Ng”Ú‘bt5zÛ2tfÕRŸC8MOÂØãF}á)ŠhH•G^Šõ	I&â§Z••ú+¾dËU!t§º1“ús¿(fy¦ÖÍôÈoê¯æ•Wzî‰tÏé;Jà1¸ʹÿ³$‡¥Ò]ÅŒ25qqyDXs–_‚õW|iĺÌ
-‚Œ†(¯–HêYX¦
IÀw¡âzYÝŸ”òI3ÏÛ[ÝÊò\¬Ìè2[ºU•òË&×bž7fÌ|³rÛÌå­î-Ê–£кê^)šûjýé1ôxÔ]gu³¨ÌÒyU7µn‚“Û…b¦Ü¾#¥œkcš
-æq:ùT*« 5·
=!Åâ"¬�Mítê*¨Vƒp€9K¢ÉE©ÇL$-‹›Ê4ÀìºÏKÚ¦[+µ¦Z‰uqB&[µ·¤Õ!3V�J] �aT•–µè[«·në'‰3ã'ÆB·”ŸTKê$¿×¿yU~À8¼Ýh±;T«
-üÐRzÊFç!%![ŠZ¬µÎr@ùÃæg€a©-j-é0øv#Ö!$Ô0HBWKû”0=il„	eŒde}/:käÌVµêŽFmˆC˜Ê]nV}î”	­2´Ýd�2�€VÃ^¬Ï�Ù½ÉÖá×YþÉ$”Í>‡·ŽìùÙƽ%¢Áçj‰âÒ·ƒbÙÕvØ¿Ji8«V¥¿βµwˆná†Ôu1æÅB”�ácB¸…¥Ã[¹H.²¥â*4[“A#'±Ñ„"š@’ÇÊƪ,¶žôGR”DòÜЩbnD¶KgS2–xÂzå6�,(Á“©öžÚh›Â;+ê�](ʈÜân‘Ù`"o Ué®ôJ
ŠªÔê�¿I¦Þ ›ÃJ€
6=+”dµÕG”V¬�ájà¡ã	�eqj|z®ÏŸÇšÃE™ûN!ÎQÈÃÐ,±‡l?«t¸é§3™Ì]ÿe×ö<nª'û*�Ä84–N.•*s”N¡™P‡—Ôý&ñ®P‚,bña©-ÕPl²Ú,ê‹}]U&glV¶BÙvÛÞIA#ú*õ›Ýõ¢Ä/"'voÉ4éa•"Êcæp
-ÝbÄ·±,ÓÈ,ùZ•Bç+_9ìoÅG"èRí�`Ku4‚¥vˆõF°'ö¿Œ róÙn¹!GÉBI{¡<ÊÒ&€YUy �CQÌ�Ò¡:HKu<�‡¤:�Üë¤+öá�¤ëåSÑì÷‹Ôôˆ¯ª¾²TÇ}uHªã«]±~_¹bÏ¿äó¬¼5æëÊ[§÷fn²ze[ýÓàéås{s‡W¢’ùEŸÛ!h†£¨wì½ìJâ½îßW«=èdá`'KÓc!r¨„ÈRÑ!©NˆvÅúCäŠýÿ�,,%@‰ Kµ?‚-ÕÑ”ÚEp ÖÁžØã›"
-yPyˆ À‹Å軕Œâ8  1Åij÷:é½Ú€E1›¨ê¾êí¾ÝÛ
tÚK†¼ÆdæÒ㺨�Í�\6 V;
š÷fè¯MÝèÖLÔùzq­*w)꺺²üOÈä²j„e•5¶e•²_uOékøîù­Ž*d åR
œí\Eœ©~Ò›Û²Ù^-wnYzp[m£¯-@Ô­CÔ�íÝ@ìBšAF“1‹0Š¡L•XÕ“ëÛ±n¼sÀÝÒî‚!¸‡|¥#®ä�ÈZEhAÞIûÊö—%:¦Á./©€E`‚çIÔGàEïÐÚ¹µ÷¿ç�ÁVÂæ2Ëý¼gÏÂZwÿ6�1lÎÁ|²33˜ÊÁwðۙŔ~þc}ööLí³7�	ÁbU·U0k±‡�Ö¶ZIò–‡û‚Ù»H#„|kjý`2Ó\ån9;@¥îæÆp4NOõ@��ܮݺg/÷�âÌûÖÖwˆ®<úäZ§o^M³¢¨îƒf�•õ�„„ãðö\çaXÅj“¼dÛÇã測¬›t‰ÏËz©~Dqe·;Û�„£�}Ö¢nÖ‹¼Ñ=‡¡|/®ëý¦¯E¾Y×j�/åÅÉ^y�œ#
-endobj
-761 0 obj <<
-/Type /Page
-/Contents 762 0 R
-/Resources 760 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 734 0 R
-/Annots [ 764 0 R ]
->> endobj
-764 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [417.8476 456.9544 466.5943 469.014]
-/Subtype /Link
-/A << /S /GoTo /D (sample_configuration) >>
->> endobj
-763 0 obj <<
-/D [761 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-760 0 obj <<
-/Font << /F61 646 0 R /F43 612 0 R /F57 636 0 R /F56 630 0 R /F14 620 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-767 0 obj <<
-/Length 818       
-/Filter /FlateDecode
->>
-stream
-xÚ½WÝOÛ0Ï_ñÔ>ÄõgšÀƒ²�&ÆÖh/€P.TJã‡�nÚÿ>;NÓ´u*hªÔ^.w¿óýξs‘Õ¹Ì~ˆC·RÀ bn2q {¯Þ}uPeãÍ�¼¦Õ—Èé�øÈ
Aècß�F
¬
-5é­DØ…iü.¦7ÕémÌîJ,ÞŠX™ÆÏÜNÓú
hã}ÖîcM>­$½J�D…"ª[!”6ƒêô™Öx¼U�EfBJ‰šÍV	’çÏzaZNDv!¾ß7Á–ºÖJ°8I­,¬ö0­D¡V
-ÖV>ÿC°¾ôÿ!Zuöendstream
-endobj
-766 0 obj <<
-/Type /Page
-/Contents 767 0 R
-/Resources 765 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 734 0 R
->> endobj
-768 0 obj <<
-/D [766 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-765 0 obj <<
-/Font << /F61 646 0 R /F57 636 0 R /F43 612 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-771 0 obj <<
-/Length 2344      
-/Filter /FlateDecode
->>
-stream
-xÚ¥ÉvÛ8òî¯Ð‘zi!Á5óú 8›;íÄëõ%É
"a‰	…‹Ýš¯Ÿ*@‘2Ý™ž‰ß…B¡P; ¾pá�/‹"ñQâ³ÀåÁ"-/ÜÅæÞ^pC³²D«1ÕËÍÅó7!_$,	½p±¹ñŠ™Ç|±É>;—ïÖ7›×Ÿ–+/pŸ-WAè:ëW.9çÎúÃåëW4uùà›Í-Œ„ðc µÄ›Û«·Ë¯›ß.^o‘ÆbsW <?.>uHÿÛ…ËD‹¸Œ'‰·(/ü@°ÀÂbŠ‹Û‹?†£Y½tN
�ˆY{ÑŒ‚hNAÂBá	­‡VÉ&Ý/W¡ë:Œ1<p]qÎ’ ð4I%KÕªæ^5DÆ#�ñ�ÁÿÞ?#SrþrÉŸ¿ñ½÷™ðC
«ƒ�q߬s,WÜuOæ€bth .ó]húÍ>oÁ”aèد¤O»¯›ÁÀÙõy¦ÛÕfVu]^íhÐè»Y&®ÓȪ•i—×!AŠJv}³ä±£Ì_ÜÀÕâq9!·²U™ÙåœI«Ò¾É»£‘Ô`_^}xżêæ4Ÿ©6mò-n+xà¤{Yíì
-,þ]WÊ0ã¡	"ßùP±çTu—ßuœÕ?i(v�}ÁMÛü^êG¯š#�Ò­Ç
-ßJ=è³
-C«í»V}
-üUõ‚\ÀKBærÿ̾xž¯�³Ò²0c8qW‡“m *{]!
-4NìqyHðöØ)Ûè&λëõåêúU@#Ò2iék›V³§ÜÖ÷ºj†‘ó{
Íål0-[ŸšN€£v£v& J†3º½§n)~jµ’mnI¨ÏŠM›#3”(ñ�ugˆ;ÝdP¥ü+/ûr؃€BU;mæˆêš%NÀ=#pÞµÿ0ñH¨™"^�Œ/Éj€:Ûzj#�<.Ë¡óêlÂ9µ¦d\\Ošæ¬OÍJIŸ“a�“c;h¼3ˆ§N5î�²ª…Œ³‚à/t›[IúîK™®Ê,0Ø­¹ëy±Aòwo7fÁ(öæÝyÒµi$6$
ЪN8]ž†
-Öh£¡¶žˆ�M3wjÎKí…é�†~söʽ.Úň8u‘ó½ª*‡°˜v
@ïßf	WWƒëö”WúÝ~ÆŸyì1&¶s,Kr‰_… õ£!Hu�FV0pļ�7½	¡5}ÇÝR4òXO¤L.|C‘˜zÜÂäßß7â!m$^Ö‡ããG±ñ½ã,f­eëÿË¡ÿ¼†+ÜyÚÿ&vµƒÆæ
{,u¬éU(4[²Mëƒ"½à„Ϋ·Œ&ׄЯœÖ%qñ’ëçÔƒy¼	�RácÞ–f�}þлýK-�ÑðmÓÐ…Ýh³™¨}³¹Yr/Ñm#æÆvo Nê°¯+eƪKÙS�þ"`øR?s�w3þß?œ~ôð#¸ÕÆO¼7d±—v#’'ç’¿<ý?ƒì�ûendstream
-endobj
-770 0 obj <<
-/Type /Page
-/Contents 771 0 R
-/Resources 769 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 779 0 R
-/Annots [ 774 0 R ]
->> endobj
-774 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [141.6323 523.4685 238.8039 535.5281]
-/Subtype /Link
-/A << /S /GoTo /D (proposed_standards) >>
->> endobj
-772 0 obj <<
-/D [770 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-158 0 obj <<
-/D [770 0 R /XYZ 85.0394 692.7058 null]
->> endobj
-773 0 obj <<
-/D [770 0 R /XYZ 85.0394 656.0665 null]
->> endobj
-162 0 obj <<
-/D [770 0 R /XYZ 85.0394 494.5719 null]
->> endobj
-775 0 obj <<
-/D [770 0 R /XYZ 85.0394 465.5432 null]
->> endobj
-166 0 obj <<
-/D [770 0 R /XYZ 85.0394 416.9144 null]
->> endobj
-776 0 obj <<
-/D [770 0 R /XYZ 85.0394 392.879 null]
->> endobj
-170 0 obj <<
-/D [770 0 R /XYZ 85.0394 240.9131 null]
->> endobj
-777 0 obj <<
-/D [770 0 R /XYZ 85.0394 216.8777 null]
->> endobj
-174 0 obj <<
-/D [770 0 R /XYZ 85.0394 124.8814 null]
->> endobj
-778 0 obj <<
-/D [770 0 R /XYZ 85.0394 93.2026 null]
->> endobj
-769 0 obj <<
-/Font << /F61 646 0 R /F57 636 0 R /F42 609 0 R /F43 612 0 R /F56 630 0 R /F58 639 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-782 0 obj <<
-/Length 2387      
-/Filter /FlateDecode
->>
-stream
-xÚ¥YësÛ6ÿî¿BÓ/‘æ"”
-«ð«³å€Õl‡Ó
É÷åQœ�rj(³­ÎÙ²*WÙ#ÁD9]ü'ÄFãá9gI‚ãÈ€)žZúÿêûÙ<°ªž›ÿ‚áÈŸ†IçFóΟŒ†6ëª.Ú»-­ÝfËù6W¯ìŠ`HÛèe­[$üê§ìëKuñámúîUÃ?|2ñ!?ÿöÛ¯pé|´^Ù¿^ù=
-��4Ö2GÑ^;…�lÔ5æ1d­£¯ÊͽiqhÑP³ßíªº5æ3ã‹{~}õˆCÝnæpÖYZœð°×8³Ö¥®3b
-b.ªOšùôuS˜+4—Q\,¿ˆÄ†of>ª·­9V*¦EÛ§SSœ]VÛ­.­"»ŒÈ4(üÏãxR1Îù,Ç“,dJ¤’¹¬Êù¡ª7´'
-’åÙb£­¬rZÕNZb|ÐZ_@ VBŒÌŸtš¶øä.¥~ð’eøé‰aº}1p/Š‹hY;¼½`ƒÍ¾ã½¸÷©*•}ãçh
-Ânw·­>—á.8,œ:’xÏ­ ™^¨xº«ŠÒ˜Y¨Ä…Þ¯­i8*gðuYü
‚€bE
-nŠÓÑt«³’(ÝaaíÊ�W–L›jÐ9-Ì«¦ÉÖnE±.QK±½'CÑ�”&�¾ôùyA*_f%6`ëbu?Ê1fƒ¬Ý£4z¯V�ÑÐ~¹Ô:o^ŽH‘¦ÙUe£‡&?% £ôw
-�fìq(6l-hºóvÖbûØ%VjvzYÝèœÒ´dq¨¡Ž’À@Q*6¨Ê¾¨‚!1M�ð Ó¢OŒ’V3pý¬E'Q,ô)%üÊ°i*ù¦àuiŠm±Éjê´
-‚Âðæø\Âs±Ë/:¶ü€$�' ¸9AŠ@=¹œ±�×Yã¼ò ›ËpëjóôS‚©ÊŒr8T~
-¬=fN3v´‹U‚*slÔY‰š
zT0'Wåƒ0`	lT…‰ó‹Ÿ°‘k3]Æ͈I÷
zé
Èž
èÎ=.)çHÇþ†(:à°òpŠ!…46®ï}\R€øàá¢À�έ@ÍÊ‚>2a‚§á#|æ¡
-LY“]p¿Ë!ø8†ŒÇ.,®=†�YÄ;Ñ)Ô¾¹(é2,Ô·w™m„`0ƒ.MKn©Ö5Ö ¦`6êÆ!r>,87ÝT–yH:fÌ”æ¸Ë,;T{[JÚq.×�ÉuîÕgqÊãÓœa]{
-"�<®wTOrÊíá t"Ôi‚Œ(A^ÖuU7Oú¬xL˜ª2‰ëa³Ñ�G.àÁHçøÐîAèáëwï=
”N8ažYª¡ÊË6ØÑ5ng_ÁEšàSG|ï߇¸5¸a?±Ž|\iÞë|¥>�A@X>ßå¡KågÚêY¤–Œ÷îúçËëkì´g~Ù°eô;ù	¤ÁAoA�]¸'Ëv_ÃQˆwƒï*fï×Q€¬î ±‡\Õ"¢
Zç9Ÿ{·³_[IÂEH¡¦î›õE##Á°µ4|·E3B¾FpWNpÕ¼é‚@:|¡
-endobj
-781 0 obj <<
-/Type /Page
-/Contents 782 0 R
-/Resources 780 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 779 0 R
-/Annots [ 787 0 R ]
->> endobj
-787 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [389.9997 160.4711 458.6717 172.5308]
-/Subtype /Link
-/A << /S /GoTo /D (dynamic_update_policies) >>
->> endobj
-783 0 obj <<
-/D [781 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-178 0 obj <<
-/D [781 0 R /XYZ 56.6929 769.5949 null]
->> endobj
-784 0 obj <<
-/D [781 0 R /XYZ 56.6929 749.1477 null]
->> endobj
-182 0 obj <<
-/D [781 0 R /XYZ 56.6929 562.9559 null]
->> endobj
-785 0 obj <<
-/D [781 0 R /XYZ 56.6929 534.7243 null]
->> endobj
-186 0 obj <<
-/D [781 0 R /XYZ 56.6929 329.9686 null]
->> endobj
-786 0 obj <<
-/D [781 0 R /XYZ 56.6929 301.737 null]
->> endobj
-190 0 obj <<
-/D [781 0 R /XYZ 56.6929 144.802 null]
->> endobj
-788 0 obj <<
-/D [781 0 R /XYZ 56.6929 119.5353 null]
->> endobj
-780 0 obj <<
-/Font << /F61 646 0 R /F42 609 0 R /F43 612 0 R /F56 630 0 R /F57 636 0 R /F14 620 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-792 0 obj <<
-/Length 3118      
-/Filter /FlateDecode
->>
-stream
-xÚ¥ZKsÛ8¾ûWè¹*b@‚à£ròØÎijµ™ìX»[[3s $Èâ†"‘²ãùõÛ/ðef<U[>h4€F£Zö
-þüEb<¥Óp§¡g”oÛã…Z<ÀØ�¾ð¬ÓjÈõÃúâ݇È_¤^Ñb½¬•x*IüÅz÷ëòúãÕçõí/—«À¨eè]®L¤–W7ÿºô}yõéúö†‡®†öçõ=ô‚4J�Õóúo·ÿ¹ü}ýÓÅíºi(¶¯4Êóõâ×ßÕbÒÿt¡<�&fñåùi,Ž¡Ñž	µv”ââþâÝ‚ƒQš:§£Ï$A<£‡PÏéÁ¤^¤Mz¸Û_®t�,3þ¬ïï~ÄV¼Ìž²Ó¥Ÿ,-4öôhOÜfúÖæ�¶ÌŽ—GÛ4Ùƒ›‘?”vÇíͳð•ü=—_Êê©äY_ì3iý-tÃdÙ,Óy›¦®ÊF–|Ê‹B´n!Ù.´±ò}/5& £=åí
¸´/KBCŽ§ÕÒ~km¹#ù€nO´Yuâî¶ÚYfkl+KTüýáêïåõ˜B„oÆ3ÜþHƒÐí4í‰aZƽ¡Ó ›;ž<kÏÝ*‚ƒf(¯Š—»ŠVZY	é1+ò]ÖZÔs D)ê…žaŠèÆ6BéôLTŒ6”EäØ@hèCÍ hP³£C±_’žCƒz†=î�ŠÃˆ”]ÙZCC·S1´'*îg÷*†Žœ—b¦6?ÊPun›|ç:{þòy‘½(ª':$L:eå©rÌ\ÖDɾrJ†ÖF(�Ši”óÝ=ù�e©t¨b U]Q±ïŒ—¨øJ]ßýýö-÷²r7ÙA-°•3éÍ	:s$;ˆ@¯»ÿž›¥Á^Sá׈)"…–ÇÆXHÙb@À†[«9o·p?ûsQ<ó:p¡ùoJv‡Æ`’å�LÉÊgnàÝðŽ¶_·±
3ˆU¿½\ü›f 
)kÆSFMÄ5¬Zñ¹—7ü%5cÕŒßO?¯/ãpyõÏõG&àjä†ØÉÎ QÙæ[pÅ®æ¡
-RO›0nd¢!š~hÐÏö�•ysdê

-é puÌP`¾{°¥=
©|&7qÇ“»å~ËãÛ>Y[ò`ûT1õP5mƒ—« @¬sh’¬ïàj`›âÊ�d|k0çwÔ`]3Dãx©,zIù¢†ïèJ+Ï
-“DVX±©í6ßcB5ÈþÄT	š²Qò†¿¢+ŽšÝÈYÃîŽh"…¼r÷é†òc]Ø#XˆÌ¯ÊB6«J;<
 PGfì–Î
ÒtIº o\¤VË›|�J%ŸZ}´Eq$'v]arDKx° [÷C…±9誘§¿ sûë9ï®YÈpVö({gL˜
ä*æ£ç¶¢/—NÈ©²¢=Tç”NcèÍ/!Ïrgn
-<|ÙõœÜ8Lrkø­%À�ð´¼ä�Œ?ÀÅ°#SŽ[s˜Øœöc/LuüçFf

-J{…Ä=Š‡ZwYðìÒB–±'noÈ·DJ%#@@e«îŒšÎHc¢šsÑÊœ9BãÅ*ð_={¨b3
-N)‡–tZ’IhI]º�ç<�ˆª’ãÒÅ
-4•0
-¬‘y›”½GceÂ9“Ö&å0‰ß2os	“†­QGŒ‹¡»-rò>lS…o‡ö;ÑÊe¥ÁÜÞC¦âÇà.Jý%ùµ0}=Û“ì…>‘—Ûâ,;	1	{¢�7Y¥c»Êj9~}£b`Ž1ä5*°ÇP-&ÙáC2¥Ár5Dº~ìÎ(ó‡ï³CF¨Ý!‹
-˜n™…32ñKiŒœÃÁã]–Ûó—¥×¡H?ØHê‚$m)Á½%KWbÀÕŸûUfTÏðýDO./2¢+ÄúWyÛÚc=yÈUoZ,
4Þ�ïÉUÕf®…‹„372¹
-œ«>ä[Ø0	†ƒÃ[¢YÛ	EE&PÞÄt0‘j�©®àÙ¾),SÛG†‰<²G‹ÝÛíù”·ÏLF]°à€šé	<�$ß}÷€:õà)ïžQ¢SXÖ~“dêÐó“@O*¶là$ô
-Íö”ol31zIœYÏÙyÍÙÕÐœqwIhbø˜nfíõ®ä÷µ€E¹Ê0b2W;�p®™�q×mÄ<ÛA½ÜÐf}9|8’
Ë겄�ÜUÕ© Œ´ÖÖBz3;0•ßéHÜÈzûŠÆ³âØ•{€!�-íƒÛ¹U»Z»«Qù\|oXô�ÆBó3yóÒ1æ2e€/åø�ðñxû­.
-ÕøSÉ»ÿ¥x)úÿ
-endobj
-791 0 obj <<
-/Type /Page
-/Contents 792 0 R
-/Resources 790 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 779 0 R
->> endobj
-793 0 obj <<
-/D [791 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-194 0 obj <<
-/D [791 0 R /XYZ 85.0394 664.4553 null]
->> endobj
-794 0 obj <<
-/D [791 0 R /XYZ 85.0394 629.6667 null]
->> endobj
-198 0 obj <<
-/D [791 0 R /XYZ 85.0394 447.4087 null]
->> endobj
-795 0 obj <<
-/D [791 0 R /XYZ 85.0394 411.3863 null]
->> endobj
-202 0 obj <<
-/D [791 0 R /XYZ 85.0394 274.5298 null]
->> endobj
-796 0 obj <<
-/D [791 0 R /XYZ 85.0394 239.7411 null]
->> endobj
-790 0 obj <<
-/Font << /F61 646 0 R /F43 612 0 R /F42 609 0 R /F56 630 0 R /F57 636 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-799 0 obj <<
-/Length 2708      
-/Filter /FlateDecode
->>
-stream
-xÚµ]sÛ¸ñÝ¿B�‰<‰P 	2}ò9¹»ÜÝ$×Xmgîã�a‹‰Ô‰”]õ×w»
-jº�åsè”5�VºÍrî¹ê†'¼rRÃÍ„ûyØ¡c=°H[Ç*@Ü^œw8#%HQŸh2T~—vkï@é%á#
;Éòù/LOzšµŠ³MqoG¨y[ìT‡Ù�Ë	±HÞ…ÊÒy
ƒÉy+κӞg Åc«Ì±·³_>¼;aŒ*Zå#½"rE]Ò„mf+>éØ«-Ïo�‰ þ¸¯»j
þÔÔh¹™¿ã�Ξaô÷»ÛÙº´|@·)�MfŸØA*±Ô¹W	4p8AǨ­õ|}8í;t ý¦ZóÊö®9TÝfG¥EÓãKÄå–Æß”Šw lÑ¡ÕÍOEwñÚí·˜í�­<Š»Q
-1lQÐèøv€� Óy’›�xÓÙc¤äË”èÌ|öØí�.Và­Gjk[Z -ãleiäQ׶|=¡:™F"W±WÝ�c¾^F‘~)•Ž�wñ˜KiRat¤x;^÷Äõ@â�Ó§Ž Õ‰y¤Æ¶ÞŸ¾?T÷h3D	Ô�c‰:9�
alÆQ@eQ@ÑΦéÛÛˆR<Ï]lðƇ“®¸CoxqY{¿øt[™zHŠ¸Ú
ñ)4yŽG¡‰cslœZÔ`µ:2S6>e?ài–Ê^-#tœ
œ?MÓŠ‹
-Õz{a¦}ŠP•&úiAœ–ceDCTi¹¯$CID {{¨�®OâSIâ2‡Š	³t6Ô�«|%K$»ÁHÖmD:PËÕKæƒÚÞºÊr�€ÊZ!wç¸ø)«[Üuk}ª=;‘ÝÜUL	—{ëk樭š{fÜb*EcÖ{&Sæqݹ/(Únšã¶¤¹+š`µª[Ë© Uí¬,ç2¸ø
Ý,Í*ÔÄf¢´SÐÕ€>0üéÝûëŸþöfª¾KçÆ×wm7†%
±Žàe½=–”ísý„�JƒøF>o¡`|ØjéqDäÌ&‚ƒ
«3¡"èœ|w¦¸;»>ØAoVô-”?ÿË&mW|²Ÿž"›G"6!-~E£¶&Ã;¯�B%Ôú"î–h2A2‚„[¯dÔz�>¡ªáþG–ù¡^».)ñíR²$4d17&[Y[Ì{sé‚q`â0‰c€ø®1!ãÈêXmDáÏ?u»«Ú-¸©Øœ1W”»ª®Z@îüFjdÎ}‘ý"l1ôû´ïŽÀïùŽÂø]éÙ.Z
ÌV5¡pkÚï2^a°è£从AÍC}N‹cPê»' ÞpG°v�#P—Ø%Ùg¥t-hÕñôÙcKs¬n(œVm¾k¸äüw›°ìB(”ä@>zñ„ŽÕÝVm7<¤W@F7�•õR`Ô°,f�7ÐZ.¢�ç×)‚jï*ô™
-Ôûz+ñµf‚uê®Ú‡íiÀÞàd�㣽ëë»Í(S‘s;…£†v÷ì%¡xº’쾂Ã
ÈI&V'¾ˆr‡>á�óbÝ<`á)&úûàQéD�;�$…ƒX_fiyà“}óäò”NÝÜ‘~þ1àƒó·T…‡
-+Y#ùÕ„÷ß4@ÆÝÁÀµ„5¤Åø¶£I(Šsu:;Ý¿'›þÉòq¦Ûµv{ïšÆ8Rs~Ús‡ç
ø `¥�"u
-³ñj’k�s¯~P$4ÏŸcŸ„þ xÅO©±4êqm<ùa“~…²â,¼rŽ›™'!ÊIè½¹p·Õ½¥EŸOpžkóÖo·)4ý‡„(íqÅuº‚<¶tÿ
-¢„â*`2èØ£$_ÔPpäBçä]Ê›+òb0?ïÿ“7<±=óÝs‹?ëjûrbTSõܼ~.“›)v	˜3Û„u�f¥úâ>ÚF[BŸú¿[Ãýh=õïtâý_xÿ��4ËTÿ7÷èUÐd"΀3…’(õˆsÿ§ùcÖÿ
 }éendstream
-endobj
-798 0 obj <<
-/Type /Page
-/Contents 799 0 R
-/Resources 797 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 779 0 R
->> endobj
-800 0 obj <<
-/D [798 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-206 0 obj <<
-/D [798 0 R /XYZ 56.6929 769.5949 null]
->> endobj
-801 0 obj <<
-/D [798 0 R /XYZ 56.6929 749.0094 null]
->> endobj
-210 0 obj <<
-/D [798 0 R /XYZ 56.6929 483.1107 null]
->> endobj
-802 0 obj <<
-/D [798 0 R /XYZ 56.6929 451.796 null]
->> endobj
-214 0 obj <<
-/D [798 0 R /XYZ 56.6929 202.106 null]
->> endobj
-803 0 obj <<
-/D [798 0 R /XYZ 56.6929 173.4413 null]
->> endobj
-797 0 obj <<
-/Font << /F61 646 0 R /F42 609 0 R /F43 612 0 R /F57 636 0 R /F58 639 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-806 0 obj <<
-/Length 2601      
-/Filter /FlateDecode
->>
-stream
-xÚ¥]oÛ8ò=¿ÂÔ
j®HŠ"Õ·´Ûö²8´ÙÔ],n»²ÄÄBeÉkÉI³¿þf8¤$ËJ·À5@9Ž†Ãù&Íüñ…Q,’i¼ÐiÌTÄÕ"ß]D‹{X{Á=Í*­ÆT¯×?½Kø"ei"’ÅúnÄ˰ȾX,ßüûêfýöör%T´ŒÙåJ%Ñòêçß.9çË«oÞþLKo>|³þt¹â2I8�O|}ó[B4Ÿ>ßÜ|¼½”z¹&Äõ__ðlÒË?׿\¼]÷Â�È#‰’ÿuñÇŸÑ¢€sþr1™µx„IÄxšŠÅî"V’©XÊ€©.>]üÚ3­ºO禤aÊ=£±XÎiL¥,‘B:�}¬íåJ
-¾lŽÝþØ!,–_¢HT_¶„Û.¹Y6Å1·Å+<÷Oï”qç’3%R2!߶¼¯mñÕ>­îY]°|[V³ß²Ý¾²Œ¾?‘Žë”I¡•ÿÍ!âåzöËÔn›cU¼±´¾iº-a:Ø°]á‹•ä3JËÅŠs–*%ó]Ùu¿Wð]–%¨kü¸µ8™	„#à´`»¬„Ó�Œ	×Ë뎖Ê:¯Ž…mýUE
-¾=LÕZÖ¢É�ÈxP0â$tä1tž‰Ô>Œ‚뛇p±=î¡Âw§ì'—Ú™ €K£I)zâH±îŽU…F‚fª%î--PU

-onÿ‘+Ø3+Ã'“ªi¾÷£¦`d’k¯êÿ¨4¶M_¸ü[@¯ÍÑná–Bi—}õä!ؾ˜Z¯ôÃ¥Yëáš‚(TÖa—<Û¶}7ÜÍÆØ;—¤ËŸ�TsBø#¿¤nßç‰ævÃ`6œùË4@W	�Ô!þ4é;ñÆ®"ßSI¯+КcVçýªÄ¶"lmA;3fÙ5ÓTe¿íA­
-Y²�Šnß½¡‰„6“.Õ¤Sÿu¨‹ãdבLÃÍxˆKŸT°C-¾“ÖLpC:]~"Þ”]ÛaÝÁ	-C¯d«–`Jy¦7µñšÀÏ�&*œÝø³›³³›ñÙáÛÑÙMÐ8T¢Ž\mÄ'£¡.7›j¶óÆ°Ì:4n®L1\”ŽwÈøa¨Åá‚
-
Ž©!.—LÇ‹sÏÝ=ÕjLv~²snte"×–ŠIÉgŠç¸þBÚ=<”ÖÇ£3õ¸
GÎP^:WÕóá]düí3}ƒ¿ƒÏØ]jÃ4wž*ÌOÿ`öž|5¢?×ÍW÷èdó¡�¿b’ñ3'­	Ú1?³OOô}ÎxõÖ9»ßAÃÂt¥Óž
	©¹½eR»‡>ŠN>·}wE�9!tEûcÑ+!uøVêI÷‚8³,!x[3¢Úg|Þ©hæR
-Ž�¸ALô³\½;ºNh†«X;áå¿ìÝLN[_éo@ƒX¨ŒÊ>»eâB`&aú‡‰—3eˆ˜ÒŠ2Ç¿>Þ^¿Ç_Êð™%¼g@Úœmµ·
^á´
-endobj
-805 0 obj <<
-/Type /Page
-/Contents 806 0 R
-/Resources 804 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 779 0 R
-/Annots [ 811 0 R 812 0 R 813 0 R ]
->> endobj
-811 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [466.9412 221.8939 539.579 233.9535]
-/Subtype /Link
-/A << /S /GoTo /D (Bv9ARM.ch05) >>
->> endobj
-812 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [84.0431 209.9387 221.3667 221.9983]
-/Subtype /Link
-/A << /S /GoTo /D (Bv9ARM.ch05) >>
->> endobj
-813 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [377.8384 192.5936 436.8266 203.378]
-/Subtype /Link
-/A << /S /GoTo /D (ipv6addresses) >>
->> endobj
-807 0 obj <<
-/D [805 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-218 0 obj <<
-/D [805 0 R /XYZ 85.0394 716.1148 null]
->> endobj
-808 0 obj <<
-/D [805 0 R /XYZ 85.0394 687.8003 null]
->> endobj
-222 0 obj <<
-/D [805 0 R /XYZ 85.0394 518.4955 null]
->> endobj
-809 0 obj <<
-/D [805 0 R /XYZ 85.0394 490.181 null]
->> endobj
-226 0 obj <<
-/D [805 0 R /XYZ 85.0394 414.0847 null]
->> endobj
-810 0 obj <<
-/D [805 0 R /XYZ 85.0394 374.8759 null]
->> endobj
-230 0 obj <<
-/D [805 0 R /XYZ 85.0394 176.7921 null]
->> endobj
-814 0 obj <<
-/D [805 0 R /XYZ 85.0394 147.2024 null]
->> endobj
-804 0 obj <<
-/Font << /F61 646 0 R /F43 612 0 R /F57 636 0 R /F42 609 0 R /F58 639 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-819 0 obj <<
-/Length 693       
-/Filter /FlateDecode
->>
-stream
-xÚ¥TKs›0¾ó+8ô
-½ö®4³kÍ�Ye†ùTy}VZPZEmcjzÙÇüˆ�¼nU¼óô±Y·M]Ô�å3£6̶\·ÕCùs±ÙyïUz?vÛN+…—½$‚E겄±¬iò,ôc	¹�!ŒF0ˆ"�bÍ%LæÉŽ
-ƒò¯ƒ¿Oa*!&šŽÊ5‘¤s=nÄ€¶q€£ïí‚^G6–Á綾--"àJ±—•3†žE
-„B'6©¾YâMæ‡ö6õ¿3ÕvÈendstream
-endobj
-818 0 obj <<
-/Type /Page
-/Contents 819 0 R
-/Resources 817 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 779 0 R
->> endobj
-820 0 obj <<
-/D [818 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-234 0 obj <<
-/D [818 0 R /XYZ 56.6929 769.5949 null]
->> endobj
-821 0 obj <<
-/D [818 0 R /XYZ 56.6929 749.4437 null]
->> endobj
-817 0 obj <<
-/Font << /F61 646 0 R /F42 609 0 R /F43 612 0 R /F57 636 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-824 0 obj <<
-/Length 1954      
-/Filter /FlateDecode
->>
-stream
-xÚ�X[�ܶ~ϯ˜G/�QlI¾=I·=ÈAíöé¤[³#Ä—éÈÎtÿý!EÚkÏzÓ`€1MQER)'»~É®HE¬J½ËK-Ò8IwUû&Þ=ÂØÞ$,£S%R­¼lŒîSUˆ´�ùn¿TòááÍ»ŸµÜÉXd™LwÇy­,/D©t¹{¨ÿýx2çÁ^îö2�£ôÿÒ4-ò"OpZK¤"/ã"Lx8YþðñÓ=Q%=~q�§ájñŸ¿[ß7_Aù¤5ÑBéL²ÖL‰<‹ÉŒT$wû$Žãgý¯«ãáÃÅ\žX·Ú•¢Ìdƪe!²¼Tdð]GS»Áõ�iš'X¨Ì"s>7®2ÈôÄ9™¯©<:XÛ¯qÝ[}uÉÆ
1ü0ˆºÜ%E4›Gɼ ?œÌÀSlWûåœj¼xGëfÑý§?hÂߣ½8ëqs¸�$ešÊ°�¡§ýz4}e"+S�\÷H/�iÙ�Þ^Ъ\GbÖ—C@Æ ¾�¿}Í@0Ï#×
Á¦¾+X;ð:{%¢êÛscÿqÃÓ,Ü5„€
1;aD§ïLAŸœBG~¬N4fx�cß4ý•,‡×÷lNu2®cÓÕDÜzÿëO[naoöáYãb*Îxúݵc3˜Îö#ª,Sp\ÿe<Ýé	¾ÐDñÄtr²êšwè­w{­3LVoy˜éåDo¬£¿ÐÓµçÞ{whX*xŒsèÚýÖ®ZÛqò»nöá9¡9Ê!‘Zåâ«Qïü`M�nÊ4e¥<Êøà°}u5&rnƒ‹<Ì,WM¸¥å”‘Ȫàñч#ix¸o®3Ï
-1ó8hrwI´
-œB“	¤pÜyzÖή«?Ò¬–Æȧ@�©¬tt› 5�úql8aÖ!±´F¼R*t,d¦
-.’KÅïSTc]$î)®ßS#dÄÀ:z¶u6º¹­Dk—Òñ„"z4•}{3×?ÁAk‰nG?+À”º}©µ^š/æ«,©„Úó›ëÅúzc›*e¡R#$Ø«2‡6Aë	È­ð°€j{4
-ÁÆç8–
$Ô•À4�¿†ŒXò ŠBÈ9ÓP
@Ó•@	çúºš²*Ê4vì/´ói«�#@o¸â-ãXñŽ�}/ì?�
\Ônx¨(¡­V9ËÿÀ(š2."ñl}`ÏÝÁòÄc“æ{>ó܃àœeÆ!#�¬R(Z.ì1
^‘éuq§:+æH!
�&iël�‘Õw…Í�'Ò±ü0)
 ~KÔa^‘9ŽÃ8ïX°5¼
-›Ùïq¼„j‰ 	›ù³k¸`ĉ ³fe訫óØ9(ì$â�hñvSÄq�"Îã
´i³¶­ná¦HÔy­ê¤™PEšßT�B¾ZuŠ2SËùíÊR–�P:ã	†uø]ùÆ»ÂÖ#Ñ„6ae–2�ÌÙ„[”*øÒ
-endobj
-823 0 obj <<
-/Type /Page
-/Contents 824 0 R
-/Resources 822 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 828 0 R
->> endobj
-825 0 obj <<
-/D [823 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-238 0 obj <<
-/D [823 0 R /XYZ 85.0394 769.5949 null]
->> endobj
-815 0 obj <<
-/D [823 0 R /XYZ 85.0394 576.7004 null]
->> endobj
-242 0 obj <<
-/D [823 0 R /XYZ 85.0394 576.7004 null]
->> endobj
-826 0 obj <<
-/D [823 0 R /XYZ 85.0394 544.8207 null]
->> endobj
-246 0 obj <<
-/D [823 0 R /XYZ 85.0394 403.9445 null]
->> endobj
-827 0 obj <<
-/D [823 0 R /XYZ 85.0394 368.2811 null]
->> endobj
-822 0 obj <<
-/Font << /F42 609 0 R /F43 612 0 R /F57 636 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-831 0 obj <<
-/Length 69        
-/Filter /FlateDecode
->>
-stream
-xÚ3T0
-endobj
-830 0 obj <<
-/Type /Page
-/Contents 831 0 R
-/Resources 829 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 828 0 R
->> endobj
-832 0 obj <<
-/D [830 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-829 0 obj <<
-/ProcSet [ /PDF ]
->> endobj
-835 0 obj <<
-/Length 3326      
-/Filter /FlateDecode
->>
-stream
-xÚÍÙrãÆñ]_Á·P©ÅìÜÇæÉצì'±õf»* 	‰¨%
š
-Ò+…A8r<y{k4q¦>T«0,£Ð÷Tƒt+Ð5>T>—ø‰Q ãýƒýƒM›U‘iʳ„¸õ`Ï1˜ŽDóD4÷Û¼
PÝîz€ÍºØlâp¹/wmPVezÊ*´#V´6¸X»Ý—‹÷U¾-VAʳdÀÎE]·
-œÅw”gÕì~PÂ
-ÂwpÅaúbˆ*K{Ê„…sqÖu.m œð%B¨™¤’pI�?¾|¹9åãŒX-ÜðLâÄYkÇ7›u³>ÊÁ“Z`@"êĘ ;@ƒ¢< ¬ê¸¡È	²X�èªáÄZiã×ùjµ/šæ”BKÂP\nʼn„p‚BÂô)#À>-×g$:C´´·¤1aœ RRLHø€H¯ñç§ÅAHu‰ÝM8¡U�ª[¡
ÀŸ‹—p`¨÷ɨõN†Â&³÷d0
–fÙÐÿ6`¼Ù!§ìS@‡ oÖWž·é#j¾ ÀÞ?BÅ5ÆšVO¨¸°°† âšl3	�ª
îuÀoVó„1ë£!SÂiÁ†dŽJ7ƒCçV¼‘	ã‘–.ŒyAºµ&š�Ñüê’
-Ÿ©&CÌÎgq©ç¿°†ÒeøÙ@þê3;©æÏëÒ×a`ú¹ô©0Lú4fb3¾F3yx|ûãÏaÉxæÑýá ø’oG«?»”Íýʹ±,�O0A“©Ý¾�¶hZr<‰“½Z
~M'ÅEœWÄ´'
-‚˜bóïÿùYÆ¡ÿÒWp›8ªã0¤h·—¾Rì_<Ö‡}‹{þg9Vx9מ«Ä­"‚1=ãpDZJöö€0aÌú(GBÑ…˜¢»n•¤DÑH©_U‡Âãe}èKÚ­ô!ñóõ(ÓõÁ‚‡¥\Nè·<«‹ê /ªC‚»�6ô0^Q†>}¯×4× 
-:î£&¼Î¨3ÆᨻB§”}X-쇰”+H"�å“–´&o;æ?Tr4ø
i¦hnÀù‹x-qžô3É´Õò÷fÑI³>Ê
-dé˜Í(¼(<06‚…g¤�£ñ&Ùtõ
ynëÀË2«n·×ãÄ^¹Å„ÖˆWíu�üŽæûÃøaÄ)§’ßn§Ɖ�
-	±{åF£¹�ÔÇž¤ßJ¥!–_«áŸ¡L_\ÔG0™‚k5¥�šB(
-Ùù”>&¸êcå5}ìS¸«÷í«ô1ãÔ‚1ǧé}5,~�	›Bãê°]ûÉúÁží¯�FòSI˜•“ñº»¡ýÍ)Ųñ¶¹Pìï«a’ÆŸƒœæ�¡Þ…«e_~ç|^Åž¦C
-„k0iû¦~ÓèQÂd©ÿË®\æŸïÀLô{í¾\Š
-¯%È–f“‡Æ¼m³̤jžWå÷Q•%2»ƒ¤ð7¿U˜ò½8ˆ*æ_ãEÎ-JÌ1q„íDñÃ^´Û¼ù†Æ‚Qx¸w¨µå˘#6à?Ayk<HãVÿÌǽ„¿ºxGA!%Õ3f¡Ò¼ÝEv³>Ê‘àÎø.�+_;QC4Õ)ºÙæ/aÇ58°ñÀ6mÄü#ÖÔp+´»M1VuBÍa(m©xeÞÛñ°Q™ã5fdt¼áŸa˜X*øÐY$µ;_U8¢™ë-J(þó®Ø.�œë±µ/ÊÇj
¡¡a逹R×QÛ®™¡Z�±ÇPþT¬dŽˆÐ÷|ŒE[QŒíÇ
�Ð,ñ²XÊO”èƒ8
LÈáºcçâpÑSþÐëüQNêºÿrlmàE·­Ë>±ïmÞæÀþÈ
-!ØC§*"L	ý8»tÅÛU0:ÀÛÕDú(¯E$Ž_ñžÔDƼ%�ú$a¿ãdÑbcâ­öÚaœØ+wD·zùRWž&Är»ùUî¿BGm„3ndèi„™<5íæÇP~ãñ3Æ|û´q]·î"š>–±×	Êccm
-$Ã-Æ£u6yïr·)–‡}ÙäWôª'±ÞWÆd_SZpÃì´V%ÀjUå5­ê“x¡MèL¯ j’±OG¾a»)ðjËOìÃóJŸ�ƒ°„
-}¹©Dh0Ж‹Ûñ¦Ã8Ál€·|È›+M%)Jh| ©úqÈ…fâô¶\Öß,�óÑ
£�fØô1Ô¨¢ZuÝÉG7—'UŠ¨®¨Q' ·R¢THx=ÊôÅ%%2�#j9UãaT¡!¹Z•À2‚b²× á(ªºÊªâ)oËÏh+=<ƒ0<¼=TMùäË
-ê
|QŒÚç¢ðõ竾�w~+¥Ó¼
šVPŒ²Zn
�†)E¬Ì|ïoe
:_.‹]›/|O
 ñ…�ðj9|;–<öþ¯]¼�,ŠÔÌž*3*ä<ƒuìö/¾´Ã¿rHM8Õ;äÑÒ_–ºÞ‰¾MF¤„�k¬-r"Åø_MeéÏ�P6ñ¯§ÆûŽ(ÄêÜaO‹òa 9ÛBú«#ª´Ü
ôà40endstream
-endobj
-834 0 obj <<
-/Type /Page
-/Contents 835 0 R
-/Resources 833 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 828 0 R
-/Annots [ 841 0 R ]
->> endobj
-841 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [356.2946 363.7923 412.5133 376.6291]
-/Subtype /Link
-/A << /S /GoTo /D (address_match_lists) >>
->> endobj
-836 0 obj <<
-/D [834 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-250 0 obj <<
-/D [834 0 R /XYZ 85.0394 769.5949 null]
->> endobj
-837 0 obj <<
-/D [834 0 R /XYZ 85.0394 576.7004 null]
->> endobj
-254 0 obj <<
-/D [834 0 R /XYZ 85.0394 479.565 null]
->> endobj
-838 0 obj <<
-/D [834 0 R /XYZ 85.0394 441.8891 null]
->> endobj
-839 0 obj <<
-/D [834 0 R /XYZ 85.0394 424.9629 null]
->> endobj
-840 0 obj <<
-/D [834 0 R /XYZ 85.0394 413.0077 null]
->> endobj
-833 0 obj <<
-/Font << /F42 609 0 R /F43 612 0 R /F57 636 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-845 0 obj <<
-/Length 3238      
-/Filter /FlateDecode
->>
-stream
-xÚ­ZYsÛF~ׯ`žB¥xn`’Ú'‘gc'ë(µÙ”�…2Ð(YÙÝÿ¾Ýsàâ�RV.WÃ9zzúüzFtAà]H+Íô"Ñ"–„ÊE¾9#‹5Œ}wFÝœÈOŠÆ³¾¾<{þRÑ…Žµbjqy=¢•Æ$MéârõÛRÅ4>
-dùÍOo^¾úî×·/α¼|õÓ›óˆI²|ùêÇÛºøñâõÅ›Ë_àázùÍ÷/~¾¼xkÇ”#òõ«7ßÚm?G¨¾½xyñöâÍ7ç¿_þpvqÙf|`J8žäÃÙo¿“Å
-ÎýɹNåâ~�˜jÍ›3!y,羧:ûåì=ÁѨY 4VLr%‰¥Çwµ;ØÕ5�5ò9Ý4Ri¬(A•M•Èd¤’DÄ:M‰Ô±âŒ�l³îf.­c¡%&>B,H§iX(‘'�)òG	‹EÊõ”Ã:ÛÈáó—‚�'S°+
-;šI/Î#®Òå‡}Ó+Ûn»]Y¯±�,ïnÊüÆvß•Ue[W…ýî[¿$kÝ×~P6¸û3ø©“e»÷4`žahÂ=YD”ÆZJf8ú³©‹öù&k»b÷|swEÛÅ«f“•uè4Š‚PEâŽÏU"tš× ¼‘†Ÿf4‚阃gÛœ‚#«ô/Ðì—³DEY,Sžœ¶D.ã„QmÎÜ–G-ÑOüt–8¢xÊ'n‹ü1–ˆ!§Þo®Š†¡g¶£»)lã®Ù�Ót¹r&”Ž(iZ2Gi_Wå¦D{>ÜÂVîfº-€ð£·c<ŽÀª¸ÎöUØbU*8Ûå"bBÅ;ƒ·±ýEp
-
䈃EB² Æ9G�Z,0ÛD�2ÊGª¼§�Iêœ3s‘²aç:g)Fn/>#åâÃ\¼µG›�BÌ9E5IÂ�š°ÕdÄI9‹™L’i
-‡ÄŽ9)å�Ë`!¥T=Yì=ÅhLòPìZ
-)~Øù”Ø“8Õ¢w�¶h�AJ� …9	ö~`tá}#s­;ŒöØ€€l¾×Ö[rï<7E=ó§¶ØÝ»Ùò¶Ëv hëdæ!Õ€92)Ý\œ8<*‡H%zË3à¬xÙl»²©³ªº·¿MƒïuSUÍ�IdØëF1‘IH…yVÙ\ˆ3³¼kv_b£ã��dp1%c¡ØÌV›]€å1#ÒŸà}€šŽSÒ1ÄS±|_VÍÕ=äËg
¢
-ˆŠ~Íë#D•7üG0¶y4c›b�9Æ"AAºõ‘ Îdê©÷	8\?šÃuùÍcÀ35
ìsÎ{PD•1�Â6�éÀR 0™i~ÑÿææÜýœ/úÿB`##zsWÞ`´”ÒåÌU,o—èdœ¨åmVí]s³o;l%ÖÌ¡ÇÒÛ:²EÝÙ˜ˆC¼á×®P"º*;Ûµ¯Ûr]ç€_eÝkëss&þÉŠà,ˆÎ
~ù’¦B(@]$á	Ás)*QT¡¼Ú·p.X†u
Ì[þÚ¢£z=#	&õ˜Ü® ?³ô!NAz¢	›Ê·MWEÛǵ{¶ ²k”¼‹`nVf?V�6œ˜H™™žu1G1Çéé==�ÔbVñ	K#™B+áü$ UD@q²½·Ùe‚G¡º£‰æ=�:‚јâ!{Z¡¼ø”?9ÆìÁA
nÁ.ŸŒ¿žâR0"Ò)ƒuBË “ä>É\”`¡È	æáœ.æp
-
-·Nê’°aî“�ÜSŒÆ$CN.b
Eñ„IHƒŽ®b¢˜7ןj0+%¡ü¹Ø‚
-šl$ »+7Ù®4¥ü´Q[&RÀwUtÅnSÖ…[œç=ù¼©;C«©l‡¹ÀÆ-�lön¿þšm±Ëð„^
-¾<ö Šé²ÁéàÑ$q©Z¨Í¸(ÙëšÌwL€…JáÔŽ~ÎÁŽS”@!OCþï˜9ÿ}õ³óã‰_J¸^ý|+¦/(У|üŠG@n’
-lîÞÛ!Y|ö¹	Læ±ÂA8æ
‘gbý™˜!Ž˜fV|³x†?†î+[ÓzE€þªÉ³ê¦i;»ŽêÐ4úñºèÚÑx�³à‡‹Á½­›ç¾|ÝŒ'•5
-endobj
-844 0 obj <<
-/Type /Page
-/Contents 845 0 R
-/Resources 843 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 828 0 R
->> endobj
-846 0 obj <<
-/D [844 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-258 0 obj <<
-/D [844 0 R /XYZ 56.6929 505.7727 null]
->> endobj
-842 0 obj <<
-/D [844 0 R /XYZ 56.6929 477.4219 null]
->> endobj
-262 0 obj <<
-/D [844 0 R /XYZ 56.6929 477.4219 null]
->> endobj
-847 0 obj <<
-/D [844 0 R /XYZ 56.6929 448.8438 null]
->> endobj
-266 0 obj <<
-/D [844 0 R /XYZ 56.6929 367.8184 null]
->> endobj
-848 0 obj <<
-/D [844 0 R /XYZ 56.6929 339.0253 null]
->> endobj
-843 0 obj <<
-/Font << /F61 646 0 R /F57 636 0 R /F43 612 0 R /F58 639 0 R /F42 609 0 R /F14 620 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-851 0 obj <<
-/Length 2606      
-/Filter /FlateDecode
->>
-stream
-xÚ­YYsÛF~ׯ`*KY"ÌàÜ<9Š”(•Uvmºv«’<€ä�D
-'óu�Wì¸qìMæ«ß¦÷?½þ÷üáÍõLî4t®gAèN¿zþ�gnî}~|úñÝ›×ב?�?ýúÌÓoÞ<<ß?ÀXÃ~O8¼°áñé—î=üòð¯‡çùÛë?æ?_=ÌÛËô/ì¹oòçÕo¸“Üûç+×ÑILŽ0p/IÔdwåÚ	|­íL~õöê?-ÃÞ*mS` c'ˆU4¢A_�i0HœP+MüïÖ×3í'ÓCmVÜKkie%].M�spóeY4ÕµOËœó¬nn¡šJy¦(‹Ya6icùíÒf¹Vy^ë3¶t”=[x´ûáÌÞþ•)2S£Úáî3Ïs’ Ptæ†¢éÓȵž6[CªiVs[”¼LŒQø@wÒ´tšO[	ÏùV¸,ótEB€†UOÃ*ÔŽ$ I„w�e“­OBÜ7G:¾EB|;Â.t\·%`nL5Ê,p4ìý¯pÀ«©Ò¢^ƒ‚.Ù…à¾q~‚ßÌ<¸+†V ·ý
-¬7ÆWƒ˜‰gÅ
-SÌÊ‚gÊ}“Ùþ1³2,ÑEÈMgžö
-óÙÐÓ…åqÜf¨
ì®ÎM
8âÝ�6ôbG+p¨CT	†`ï˜5¸?	e?L5å¾ÌË͉GE¨_—¢IÈ�DVè²ôÍ¡*jžH¹Y�Ti±4Ìa‘¶”"SÖȆ}Ygl+YA6t¤ÙЄj¿»�ÛN/ó²Fka¿�´nÄ„¸VžÑ€�•0DS
ÖB}òEÃDõ¶¬š‹“ºËö[˜æhÆa�5Ü2¢FÌrä¦ìwp9|ôtM_ƒ^ÂòâÀêºìÛØ[nÓºÎ6…%e3Óž�Ùî°ãAÏ:0Zó˱;Û!!
-…F¤§ž%‘£ ˜6/Ë÷‡=z‚ž®Igžß“§éiô¬1=Ýꄧ
¨Þ†3ž¾«³b3–¢y�v)ßÍ|ÃÔ�*ÉÇ[Þ—Š� çðÂ@¶£¯$_G%üéžm
ñÒâÄÛôŠÕ]
-wªjž¤t
ZÎo¡ó>+Võm›œ˜ß2•ñyÆö!̤ٙ½¿•öæF8”Õ(Õ[“çw{S‰wÀÝj¨ûâéaÙÔÎH\¡{øàqÒ¹‡ã‰ƒô}"ˆ^ö‰;%p’(º‰|ÐÂ+Z°Úï-Ì·ˆ[¡ËÉ
¶)7lìµîD«–ºàöž#\B&4r¦Ó›¿“€uGyA0|{ïî˜ïß–ëæfìiÿöëpÇÅRúþÇ=²¹å‡)
-vȾÐÜ~à ë°‰3輫Ó�ù<8ÜwAMň _”\ùô£š,mÚʦ‹ê—dV6nº¯FqŒ“6ŽGŒr?«›Sn?´’ã›õÃDòQ‚§š£|‡XnÓ*]6ò°p÷Šç±ô¨ó´¶ß(�fìLÅ>�îôÏxuÇ3Ä
varm™ CÉûƒ nÓÅñ”ÑÅ´j?£À`�"Àxeòl—ñç×–~Ú¥Ò¯¶{Ú+ÞJö
- �Ï�Hé:*ýS¬ÝÜ´Ñæ'ýhƒ‘8	vŃ}[Âbq–6õpÇøZcÛÇYbg!’‡üzÑ¡SÅÁ²-ÏÎ1–Ž*ÆþÊ~{ªgc~š-)T!¡"²Ž15>ñ¤Eì4✱âaºä¤‘K´°‡]8ƒ‡gÔXD†œ)ã”$B[ÒÉËM·§Ã]DŽ€ê`ÞʇŠÔ~Gì€ww°p¨ÕG2I€1šÉ¡Ü}´Ð-Øù%˜ôbböW�fæ)âalh~”
t¹ûÚcÏò´Âœoyd>˜Â
-……˜ìm†<Ä<ùiÌöÀO`ܾ2²òP_ïeRÖ�À·˜öcÃÆZóD^“Ê$NåA(ø1Z›ª‹¬ÏEqëýà16$Žj[Õ;öE¼®nÜâ°[PyŒ'g›B¤j³Õ~¼3f‚2˜>Ë‘Ê366×½ø$ߣ�	’´¦¤˜ýK*Êúq^ú£Qþ;8ò· Û¾DûOÈî/Z?rt«ñÿ!ãsb•DV(ÔŽJÎ%oÿ­¼ýÿ6ÃÜ¡endstream
-endobj
-850 0 obj <<
-/Type /Page
-/Contents 851 0 R
-/Resources 849 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 828 0 R
->> endobj
-852 0 obj <<
-/D [850 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-270 0 obj <<
-/D [850 0 R /XYZ 85.0394 572.5495 null]
->> endobj
-853 0 obj <<
-/D [850 0 R /XYZ 85.0394 544.6651 null]
->> endobj
-274 0 obj <<
-/D [850 0 R /XYZ 85.0394 486.6864 null]
->> endobj
-854 0 obj <<
-/D [850 0 R /XYZ 85.0394 461.3244 null]
->> endobj
-278 0 obj <<
-/D [850 0 R /XYZ 85.0394 391.3163 null]
->> endobj
-855 0 obj <<
-/D [850 0 R /XYZ 85.0394 364.709 null]
->> endobj
-849 0 obj <<
-/Font << /F61 646 0 R /F43 612 0 R /F42 609 0 R /F57 636 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-859 0 obj <<
-/Length 2182      
-/Filter /FlateDecode
->>
-stream
-xÚÍ]oã6ò=¿BÀ=œÔ\~H”¸}J³IÎÅnÚK\ÜC[ô™±…Ê’kÉ›f÷ßoÈ¡dÚ‘ãl×,Äü˜r¾‡#PøcA,‰T\‰ŠHLYäË3ÌaïúŒ9˜q4ö¡¾›ž½¹’,PDI.ƒéƒG+%4MY0�ýJÂÉ(Ðð⇛«ÉõO·ç£$
-§“nFcÓðjòþG×·ç>œßŽÆ,�Yxñ�ó§—·¸%�ï&7ïpEáÏ
¢·—W—·—7—£_§ßŸ]N{^|~†‘?Î~þ•3`ûû3J„Jãà&”0¥x°<‹bAâHˆn¥<»;ûgOÐÛµ¨ƒòc”p!ù€
-$	QgÙ—ƒ�ÙÁšV
-·“mÀÌ«ÖT�®¨Q]9�›õ`°.>yUЦéSÕônr}X[Nâ”aêôÚJ HLå‘ÜDñs¼]çFŸ§2‘@Ia«a¡$R(ÖmЇE k‹xw R,ŠîÓÿÏÂ"�%¤™lÏ…°Á…®\Ðc3XÔ÷êò$qZu�°€r•ÀøHDRÀS3ŬR¯ŒíO*^
-1¢Ti8/ëûÌäÈì½¢`ýyñ
-Í ˜—S	ìõM«ÿÇ[›)f¿0ÆI’½o<ϾUð$%Q*
-êŽ!~„¡wèyÅ6µöý‹Ÿl!:Üõ8=lJ,íLé@ûb«j_õ®�Ø4ż꺒®9ø´¼¯Ë"ÇJÕ¶!뮧é~ý�$6xpÏÖvÓp⎚뮟Ytƒ-í¬!—;Y­°ײ4Ï2«)žBæÝQkדܽ“5í¶kHš;5oáRŒ†ç®Ód¿™îwAÞ»v²}[Çôüâ}c>€üReM„-óýðAƒ£ÉáµV·z(_Ešòá8ÔÇ+w)#AŸÝ¼ûûüêÿš[G¡endstream
-endobj
-858 0 obj <<
-/Type /Page
-/Contents 859 0 R
-/Resources 857 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 828 0 R
->> endobj
-856 0 obj <<
-/Type /XObject
-/Subtype /Form
-/FormType 1
-/PTEX.FileName (/usr/local/share/db2latex/xsl/figures/warning.pdf)
-/PTEX.PageNumber 1
-/Matrix [1.00000000 0.00000000 0.00000000 1.00000000 0.00000000 0.00000000]
-/BBox [0.00000000 0.00000000 31.00000000 31.00000000]
-/Resources <<
-/ProcSet [ /PDF ]
->>
-/Length 557
-/Filter [/FlateDecode]
->>
-stream
-xÚm”In1EOPw¨u€$ÅIg0²Êľÿ6¤¤êV5oʯÅésÀó�ή¯�ƒÖ×O²Î Ž¢‘ÿ¨#h8Çùø:„5?ùÆ [ÄIÚL’~”F ØPÈùYÌÀ¹�dˆÐzZ8å±Ýƒ²ÙËò‘–Œ€f¾Å(ÌÀ�E#@x˜oL Û¹[ƒ±ñðù
-ä
-6\>RgÈbÏWÖ¹j[†�›
-WŒÏ¢®{6;»²þFÃÇñ÷ø]š¨)Õ/Ô¬Mu;pk;Ì©Ëdh<åE–ñ¬AÏw³ð¬±±Nê¦ó¡Ä½�t•‹ùD„™Â²]°Ä(�‡;�„ ·åŽ°Š­r²ÂÙÄLûˆ
T¥Í¡誋ŠŽt’¹w_=Î]ˆ‹=¦uSä÷—ä"ï±yl±‡µÃ-ËkHsŠöreOÚ³êvg›<7ºt,‡Ýe—;ãÒèЭ/I…B÷&ê(ýê³ö󻉨YÙ¹Ç,çkRÔšÚ'^
m"	^�˜h±�ÎW9AVªy­Â©/f�ýÆ"•œãûFy-Sng	\Çdª¼˜©Æ¥†Í}B©•µŒÎ$âw1.¶&�Øíþ²C¶O–ÃVç X×9g¹E{îÇ<•ãóP)!ÍZÜÅŸLÞª~ÑÔ'¯UâXLµüc“ÅXsЖõÚ¯½˜Ó’~òBL–§èªÆ¹O¦ºNZ�_[Èü.øšŠû*]3QôçÇñ!Ö-žendstream
-endobj
-860 0 obj <<
-/D [858 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-282 0 obj <<
-/D [858 0 R /XYZ 56.6929 569.9953 null]
->> endobj
-864 0 obj <<
-/D [858 0 R /XYZ 56.6929 538.1512 null]
->> endobj
-865 0 obj <<
-/D [858 0 R /XYZ 56.6929 479.3819 null]
->> endobj
-866 0 obj <<
-/D [858 0 R /XYZ 56.6929 467.4268 null]
->> endobj
-286 0 obj <<
-/D [858 0 R /XYZ 56.6929 226.4738 null]
->> endobj
-867 0 obj <<
-/D [858 0 R /XYZ 56.6929 199.8706 null]
->> endobj
-290 0 obj <<
-/D [858 0 R /XYZ 56.6929 125.9475 null]
->> endobj
-868 0 obj <<
-/D [858 0 R /XYZ 56.6929 93.5699 null]
->> endobj
-857 0 obj <<
-/Font << /F61 646 0 R /F43 612 0 R /F57 636 0 R /F84 863 0 R /F42 609 0 R >>
-/XObject << /Im1 856 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-871 0 obj <<
-/Length 3976      
-/Filter /FlateDecode
->>
-stream
-xÚÅ[Ý“Û¶¿¿BoÕu,ß
-'>øæÍ÷¯©ôí»?üðâÝåoWß]¼¾jçÒŸ¯à
-'òÏ‹_~ã³Lû»ÎTæÍì^8Y&g›m3Z©T³¾xñ�–`¯5|:%?£<3^º	
j5%@“1«¤
-|»mŠË…RfÞÜå
–ì<¯¨&_­ö—ÂÏ‹º¦†MÞ,ï¨m]ÖÍ_bu•o"�Í¡Ž4®cͪø•sY+ª¾/›;°&{¬IçYÆÌyÊ—ëاϾ°Œ[ícŸëâfKÌÑ8ew™˜'ìüPÓØf^¬ëâþ® ¯¾†:—Í«-Ž4[H�\æ„Ÿ-„`™12CÜç¡ÿŠÔNßÞDÕ²¨©>O¬„—õz{_¬X Ì�¢c™’>P¼º‹�n¶Ø«¬néõÅËï§H]Êu³(«çcCB3眜9(/ej |¡sCSûß¾JŒðNb'9 ï8ЊÅôÅ�Ô¢�ÔÂqÉ@í¢3ä¾µ)˜0°(‡%+ÀòƒÕTŸ&¬&SL	c¢Õü€Ü*m½¦Âݶnj6±ážima½ô˜ù²	*àÆZhÿ3df3άãÙ™YP§4ÎyTÛªø<¡Á‚yŒÌúÌ<•Ì¤bÙƒNõˆdúâ´Ì¬eÎr{Nf^2Å¥âXo—ù§ÿxÁ)ÅÁ½TxóÓGM¥žM½¶7ød›XQÍývÿ�^ʪ)ö7ù²í]�hןêEëvzŽ¬)6èª'„/쟫+-™7Dó!]ƒÈNU Áú3l\êàI  ‚‘SJkòŠÞI‰Xj„͸'…Úû»wJ¬ÊÁ:Pè�ÊwyÝœÐW«è´ÖÇSi­ÿ�­Dd’q#
pÄ¡`²>Ú9B=
-|¿— +`uf&{õ˜¥vܵÛð1
-Ó™H&ñÐ:×
-WŒJx¥ZMS³^ô‰�°D &¹LÃF$àå|…®Ö+p¹
U,û<šõ'j«»ÝvÛÁ(-UÿÊ
'<‡õeýl’¿Œ	.ú±ÓÕ±çj[D#g*
C¬kH´  ›1.­Z6Ž€¸Q:“øufè	Ÿ!!qJª V‘=R¬
-¢L�zä4q²Ø	ÍŸJåî÷0¹ðòoú–f…Ïàcæ´"¶ÿJM‘Z¯�4,$|N-R¥—Pð~â.VÁ˜ Ì߃‰ýŽ±RløO\†y›ÏÀ>Ÿê!¨|ü5}í€?%NMž1û‘¿×ÃŽDdB‹<¶7¦Õ¢~Œ_QxW6eØ!Ñ^ªhª?×ùí¸©÷¤+æʤ€°eá˜Øžo½lÝcN9X$Ëu§�{Œ‘Vl×Ôey—WU&oaíÂcGÙÆŽ¡æ=Û=Ãä.ÀºÙçÍv?¢�ßà(7Å2²Q¯A”·;Š	©-ز»É<
-ÔZ¹69«Û%uy×Åþ#tzÎ
-VÄ䦤
ÿ¡Í¶¥¸è“<¬„ˆP—u#?$XØ3¹N+|ï1>
‘ZÅeĦÃãÈã37ëõB\’Ã
-Þ—õ‡}\ø ûôí¢S¾Å_Ó“Ìz%]ùù}¹^-;¤ˆúìt• 
-#ƒÝ\'æÞ0°”�¸�A
±X5í`½¹“Ö*,¸J@ï°ÛAO©Å[kKqÑ'9‘È€°É«º‘²Vˆ§…5g¬Õé6º|þ|j—Š‚¤.¸Ê
ØÙ
‰ïÓö
-ùX¸™C€ Ïm¼éyq$Hf£E�ƒuz´J
{ߨçvw�1i»wfA+À Zì(V±°0'äOà·Ÿ˜àÞ
-0ÞŽùò-)Q\ôINlIÜ0
-ótHÏ@‚C²\eC
L&n7Þ:û„<&Šç˜8ì�5C&O¦eZ´¡`ç‡@?åmOÖWXnlª
-Tå¼üòÅ‘(.ú$§žŒQ²ù3ü
€5�/'ïDàæ­ÜsÆÀRyñ„sNÏÍCUé†S>å2nÛ¨0äÅ	%Ã~NØœž°Ô¹'œpKñÌ„¥†PPñã”l™w.+A9‘n…D
léqxÆÜ[Û"çù
„Tá	D¹Ì)›/ûˆÌˆ”	aí`÷/"ê¶z¯GIâÛòcˆµ„‹pKm‰V		«àB6|®ÊÛ²�ÉÄ×Üarx)òp=JðÞ˜þ¥O‹æ¾H·ÃŤ[(‡©(:O¬„‰#=áYI	^-Š_GC	¼Ì3“‚3g]8¤¶ýíŒ
-ïz'‰©û¢ßÿø ñˆ*róË»bnP!;oÃ=(,½Ê¡º¢òË
„Š|·[£R
­ýv”‚«ÔÕçåøì3õ:ò–=‡]uÀ3aÃÁ¨°2qÈ#%Öö?7þ]ÿ=AfD�L0yB¹g
-·Êwó먛Þ
-Óq1j�whîtIA
ž;1ZgÈÇ(-܉·¹Ò¡¬™Ì…HÏçªbxPW¦¬u?Ÿ*èœ(úm‡„ï¶íÖ=™ÈƘ^
-o½�p‘îqG.Ö¶é‚þ™�îžÔÐ0uøœ
ˆ6í¾€9ø©ÝC)&”M#Q‰Ó©&;zæôX7ùaÛ†¡—0=­3ȤJpá“4�í)«±Š
~�>™t3òº—1€W½Ô]b!&´ m¹=È”ã1"6=ŽÆ¦4SQ—殌Ÿ-
5
Ó­§„º|]o©ßý]ð­þ´V&cÂ^³³ðÚk6L¢Nq0&¨ºcErË=}Ó
—ëC,Ä“w™NÞÃí—�ñNL>ö
-‘ß4!Óßc3­Å½/«˜Ñ¹r:­ÀôD†|Ný/F†f™Àò|vöJücÿ3Óý¡Vì–òDp’.�F¦p&J%šÓŸkŽYÿ/€HϘendstream
-endobj
-870 0 obj <<
-/Type /Page
-/Contents 871 0 R
-/Resources 869 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 878 0 R
-/Annots [ 876 0 R 877 0 R ]
->> endobj
-876 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [130.9748 206.9622 330.4015 219.0219]
-/Subtype /Link
-/A << /S /GoTo /D (rndc) >>
->> endobj
-877 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [341.9066 206.9622 405.5068 219.0219]
-/Subtype /Link
-/A << /S /GoTo /D (admin_tools) >>
->> endobj
-872 0 obj <<
-/D [870 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-873 0 obj <<
-/D [870 0 R /XYZ 85.0394 726.9349 null]
->> endobj
-874 0 obj <<
-/D [870 0 R /XYZ 85.0394 714.9798 null]
->> endobj
-294 0 obj <<
-/D [870 0 R /XYZ 85.0394 549.2383 null]
->> endobj
-875 0 obj <<
-/D [870 0 R /XYZ 85.0394 523.4408 null]
->> endobj
-298 0 obj <<
-/D [870 0 R /XYZ 85.0394 427.4422 null]
->> endobj
-735 0 obj <<
-/D [870 0 R /XYZ 85.0394 395.8704 null]
->> endobj
-869 0 obj <<
-/Font << /F61 646 0 R /F43 612 0 R /F42 609 0 R /F57 636 0 R /F58 639 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-882 0 obj <<
-/Length 2808      
-/Filter /FlateDecode
->>
-stream
-xÚµksãÆí»…>Ò3§½}ñÕ|º$¾«ÓäÒúœ™v’L†)™s©ˆÔ9îã¿X`W¤H÷<Étü�Ð.Ä{
Ðj!áO-âD$¹ÎinE,U¼Xï¯äb{ï®ã,=ÒrˆõåýÕë·‰Zä"Ot²¸ßheBf™ZÜ—?F‰Ðâ(Èè«ïß¿½}÷ÃÝ›ëÔF÷·ß¿¿^êXFoo¿½!èÝÝ›ï¾{sw½TY¬¢¯þüæ¯÷7w´•0�/oßM+9=ž!zwóöæîæýW7×?ßsusdÊ«¤AA~½úñg¹(Aìo®¤0y/á‡*Ïõbec#bkŒ_Ù]}¸ú[ 8ØuGgõ§¤Ð&Ñ3
-´fN�q.£�Sà‡ºYW×K#uÔ?T(Ïë·q:8eµÈc«áUˆ~lʵøX=☼™N-#nª¢?¯U1õº£gÛìžRQÝôUSV%¿½¥g±Ûµ�g†æªX|,µr¹n÷‡¢¯W;&|êŠ-ƒí†ždG<™Ñºm–Èòb™‘f*Y,•¹bí˜ýIJ½=�jÛ€…MîVvU÷
-~Y	Œ ÷¸>ʶr[YÔ´=-=Ÿx³ �‡zûÀØÕ–W´ƒã:ðçyXÕ»ººVJE™O¢\ç Ú‰1‹†_TŠ®Feºõ‡¢ÙòkÙ�`‰‘”h6pß8jŠ}EP{¤§Ó4]ýO¿µmÙ¨«ÖÄ{�Z‰Ó¨k	ãÉñ†íiWÒâ¾øÈ„Š§Ò6©±éЫ@›9·J„1#>ÖýCx)óÞ>6ùê͈±ŽuÄ"x™sЫ�©N½†(›%:¹Û.€u³íÐ:Žîg£D)
lõ¢0�Xõˆäg¬¨�×èCѱ$=‡ê¸¯»ü“ºªgà´v²%ÀfÁkc#–ªã¬ecÏ„SŒJ4d	ð˜‹
-V1R
--�¢Ðæq» àn0u	øËá�éÔeJ×�]ªõYõÐG\rc±?Õ�
-Щ©=U®ÚÁζO¯7OTêdü‚0ÖÑ-·ØÔ
-š{V¿¹�Tä§F°·ªÜø
 /Â\f
-�ÔrçA‡#!GâÜnÛ±Uøå�Ùùþ:lNûÞDÿ›§fWïkg	ÆUýüÜ'}Ð2~‡Ÿ)Þd°ÇþÜþ_ˆZ“ez¾
-„nEØˆ0S¨£'œûÿ˜²þ_è|’endstream
-endobj
-881 0 obj <<
-/Type /Page
-/Contents 882 0 R
-/Resources 880 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 878 0 R
-/Annots [ 888 0 R 889 0 R ]
->> endobj
-888 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [358.2788 296.3979 407.0255 308.4575]
-/Subtype /Link
-/A << /S /GoTo /D (tsig) >>
->> endobj
-889 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [75.273 254.3653 131.4917 266.4249]
-/Subtype /Link
-/A << /S /GoTo /D (controls_statement_definition_and_usage) >>
->> endobj
-883 0 obj <<
-/D [881 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-302 0 obj <<
-/D [881 0 R /XYZ 56.6929 609.3074 null]
->> endobj
-884 0 obj <<
-/D [881 0 R /XYZ 56.6929 584.6894 null]
->> endobj
-306 0 obj <<
-/D [881 0 R /XYZ 56.6929 550.0567 null]
->> endobj
-885 0 obj <<
-/D [881 0 R /XYZ 56.6929 520.7603 null]
->> endobj
-310 0 obj <<
-/D [881 0 R /XYZ 56.6929 451.5135 null]
->> endobj
-886 0 obj <<
-/D [881 0 R /XYZ 56.6929 423.9307 null]
->> endobj
-314 0 obj <<
-/D [881 0 R /XYZ 56.6929 345.538 null]
->> endobj
-887 0 obj <<
-/D [881 0 R /XYZ 56.6929 315.1458 null]
->> endobj
-318 0 obj <<
-/D [881 0 R /XYZ 56.6929 143.7116 null]
->> endobj
-890 0 obj <<
-/D [881 0 R /XYZ 56.6929 116.1287 null]
->> endobj
-880 0 obj <<
-/Font << /F61 646 0 R /F43 612 0 R /F57 636 0 R /F42 609 0 R /F14 620 0 R /F66 718 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-893 0 obj <<
-/Length 2682      
-/Filter /FlateDecode
->>
-stream
-xÚ­]“Û¶ñý~…&O¼‹&
-‘ð®#„hñž|B™­tAÛ‰PðW»ª# Ñ	0'g‚KäÜ7Û´�jàÜ×
-‡^Ääá©Šs‘«±sô‚Ç°ïDÝtã×û´myQ°q0¸AÀ˜no>Ž%^uöýéRLœÅ™ò™d0´ê†F™©y
¸MÓ	�éßv
š”‰25=dmh
æ#ƒ°+xbS6a(:O@‹±;‚Æš
™ƒGè)tr]…D<™¡F-×Îøv¶¶Î$­þü!!e*öoˈI7a\ª)a‹La‹%BT•]K‹dš¸ËÓŽÛ¬Ïd6fâäø‰ˆ|%È•
WöhQÓjïb
-w6ô]˜²ÙÙ4 R×'”zh¸ä
-#p¸Öéf6Õ>u¡‹’;}Û⳿ØåÆ�µq€+þ$Ù“ñ‚ÉrÒ>°U©¦d/À H£©~¢BW*Ná-'ð7ñüÀb¥Ô —'¬¡d
¥zH–ÒÉå}*G%ø—bg§™ð‘ƒD‰·‘Mv…-§¥˜ÁÒŽEù鸧õ^_¸Ò¬zIØåÞQ „Ò‹'™Ks™È¸»˜mµŸqW_áȵp0B½À´ú,‹nm °ù"¼-3@Ô¶ÈF(iå¦iÈí¸ó'}2fï݆f»¤Á€5¯U8£0ªÝϪ¤-hàÐƨÏK5HgY(GQ±iæ^¾Ï£ÙâG³jBË
-óÊÁm³Åsg°S�hZeIx	Ô@UIt
ZgÞ=ò ›[
Ð57©4–ÙÄ=|êú¯À³}‰L‚
-Ùâœòðoî%éÿi%!Éendstream
-endobj
-892 0 obj <<
-/Type /Page
-/Contents 893 0 R
-/Resources 891 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 878 0 R
->> endobj
-894 0 obj <<
-/D [892 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-322 0 obj <<
-/D [892 0 R /XYZ 85.0394 562.2587 null]
->> endobj
-895 0 obj <<
-/D [892 0 R /XYZ 85.0394 530.3529 null]
->> endobj
-326 0 obj <<
-/D [892 0 R /XYZ 85.0394 316.5151 null]
->> endobj
-896 0 obj <<
-/D [892 0 R /XYZ 85.0394 292.4118 null]
->> endobj
-891 0 obj <<
-/Font << /F61 646 0 R /F57 636 0 R /F42 609 0 R /F43 612 0 R /F56 630 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-899 0 obj <<
-/Length 3904      
-/Filter /FlateDecode
->>
-stream
-xÚ­:ÛrÛÈ•ïú
-Õ¼„®±}GcüäÌÚ3Îî8Y¯÷)“š‚H�B™
-ø“·Öe®PÅm^˜Ì
-ioWûq»…¹o$¯YÆEËùª?~ºù·wNÞYá”»ý´™íå3á½¼ý´þëÂe*{;ˆÅþðîý�ÿóñÍ«Ü,>½ÿó‡WKeÅâÝûÿ|K­?¾ùùç7_-¥·rñÃOoþòéíGšr¼Çßøw)èçʦß¾{ûñí‡Þ¾úÛ§?ݼý4â2ÇW
-�ˆüý毷k@ûO7"Ó…··'èˆL…ºÝß«3k´Ž#»›ÿ¾ù¯qÃÙlø4I?)2¥�JÐè
m‘9­t àðP5ˆ”[t¯¤_TM¹¯›-ŽØEÝÓLÛ잨µn›ŠæNãw°5~Bíxú¾â]àëCÕTk®~[UÕº¿ø°nÖõª⢾þGÑ*_|hiÅ}¹ú|<Pû±êúºmz¤=`)eVX«6%!A\ú\jÝ?ÑïºÚ”ÇÝðšzeÃÃÕou?0¼b±k¹1á#˜`ÛvüYy
-ç¶�Bíix@™—jñ~C+7¦Íi°bs+r.ðÀóˆÂ4µ!AúeídæòÜ1: ^
-ËR¥ÆédŲ
-ß·)Q‘>“¹w/ ¸ÌT¡äÁïHc4-�°oçç®Ë¡$ZiP~&ù¹@�vH@‚~Q°TqØ	
-x–®4ŽÍPó—}»çÙö8,ÛÍòž¨ûjõP6u¿§.A¶êöüAÇûw¯<l‰º°¿vb„…¤™Ö”MJ²~‹}ù[½?î£#í*EPRs½Èʲz(ki®øš–§Ã%C5IÊ%Å}‚F­vs1EÒx®*Mà|û[	J•×ûr›ØãKi)\–+0z_Ó¥²0qò#©”µÍ_vÍA“�K]ÿ=-´ùláRæØ`ü™I@h*'Ä⻲ùµ"¼å‰ïh扔Î
-t κ©‘Jásþ6±àï&��=M?Äl)±}.$¤%]ÝË¡Þ󺧪�&Z‡’¹m»§‹µË$¸ÿ÷:ADØVè	ù¼�´ÞùÈÛ§¥?a4À´2r´˜‚’•o¡«]	6‘Úëš.Ýjèi€WE¶„ÑöbΪ=µ
ÔnÚ-ÞÇ]H­n�ûªh¤Ž3ã÷äOz±)Wõ®}9<Ñ@I>˜áLåàОQo®ŒM
>ý¦/Cn3g
-óU‚©<¨œ—íKÞó
-}®º&ue&t¼=w‰mÀ——2œë›àeu¹zé.û²Þ¥Õ‚Á½ºI”¿u	º:…QðM”)0åŒÿ5`^ŒÒUæ*Ÿ�å/ÝgwHÒWgÏ"´4 ¬ÂBçLXÁHiLPy!žÉfRš(·Çãê�ÚEeÎÿµ]¢ó¸ê’ÌÉ)”})(È+Py�)®è|˜—î´×è,äK7Ùµ«r'R´
tB}Ó>òÿ¿��ï£~'xôï´�ù�ð²¿<.µO
qNn¾æ�§ý|«ü -•Ó‹‡öb6
-žD‘å¹ÑçŸ<¹œúÝŽsM&Æ€:ýñph;Š` KÆuüX`xß•ƒáò`0û`(õâ§ö”@P�¹²Åä»=gßýˆ!ùèxXìõŽÁÛƒæ‹!ïÙK¶äè×leµÈÁÌ:sáSî!¤×ìíš¹ñ
Ã
ý¦�¯”Àû|ŒØ	�lÕ6›NT¢’g&wf¬• €`xj�4îxEC%
ŒN	´Oõê�fÁdö4Èë@žhªÝ­Ç¡ž$è´›”†—Îg¾¸�žã‘ÊGm¡Ç1g$F°À‘?qì0w›úó°â
-‰¦¸F»�)%
-èiû_”2`òÚ.h‚;ìÒa˜ú¡Lš’,O4¶"!¶ ú–&ïdÊI…\â¹TϳvJã²Jg²á»Èùte½}ÀÓUAâ¿(éz–ªƒ!ÐF˜t e
6h{ÞÿßÕgÒçßè]…Ü�^ü<)8"^EUÌS61tÆQþÝUeÏÍãê'ÃÀ(¼ò1„&ÐÜÖ�ã2¥ÇB éŠ�6Æê÷1.¯vù+¥Ï‚sŽ�8/:S©³(ü
ˆ_uq¿HÌ �¼š•ôììr…Òs™%廂ºÎÈ‚¤#á°s„Xé
-Û@Òµš2©/õ‰—ÆI¾þx@ZÙ€Dx§íËÔ¹Ít>š¨éúÐþD�€W¸p[WCÕíë†q<……- b3Á®>QÿPö¨9IÓ
-"�ÜÅ"Ù©ìšiù)3fŽêt9³J›—	“™h1'©AÁ …šÝMœÀ»‰£æä\¿IˆÁLÜ´n6m:6÷zù«n)VÝDT1õ*•qÓ}¶HJVjΪªÅšöpm¨öyVhïÏ}Ô�>6¦?±&Wƒ+!Ð=MYe+WèÚTë;ªP„D{m9Öž©F=zàc�
Ož3À2,I^Ê34YnMÔë’„	m5&f(l£ÊÉX×j,à°�—ž.K¡…ú's¹¹0§ö¸cÓ²|¬·£"?71çËé´
-¬R4+ÄÛ}Ú¶|S‘|ª›a]uÝ•Hʨ<™ü³ÅÌq*.’n®˜%ÿ,û¶˜fûªõ/`ÀøË~€ËAFjM‹:Ä»ão:«Ü£� = Iîd±›!Ô
9HŸM¨ýD&Ú«á
-ëFª1;EPÍÛéú
ņ–f{ìÊe*ÛŒü¹&	À1N
-Šé.w
-ÜmüEµ¤kÖ+Ö?]™4­Æd$b‚hkxÅÄYTxÌYëG΢²+Y7’ksÍ7=ÇU_\8—<XÆ’‡;~ÛB$å)JzrQ<O
-°û™1"êú@.ûëLä—%p:®�–gÕD£ìâ
]‰âüâø¹Aóžô€�Zßû™Z-bêÅ{Rp~º3›…Kê™R0?FI‰µ|à–”—/¦5yBŒÃÙ½ƒh¡¬wÑĶÇáp¸zûÙ®˜?3/ý¡ZÕ›øFe6†šy¾, ³XNJ¹¸»ˆYù§Šœâ™â&�P¯~
çü°ÿ¦òæ¦m¿{�ÖC1ÁuŒF(xþ«•HŽ\Þí�dx.7N2õi*DÅNŽ×Ë…’kXÕQ—_›„kôÄnG¨²*M
-úQØ[&Ç–É�[&G–)\.ÃÎ×–ý�xÒU|rÍ<Ésc"ÙDe(ÌÅ\°¤»êIç´Ñ˜7Y?áñUÚµ5v¬)Í2ôd‰D8íÒå’ùÔ‘ÜøIãiì†xšcfÐ!þ2ò;÷fcÖ1ø½×2‰· œÆR欂žÀÞg>Ã?zodð•I0êFLÔ`nùkt´ù&zª0·W�Z¤kÌ(N0IJkèù
-þB°åë2Ƶ>f�¾
ú}ù4?d¦U"¨7H—9ƒ�Ø.�T|œgÙT´qÑ/`esÇÖ,ÜI°Rä_£Tq-àÇ7Ä⃵f•N0ƒ%ºŒÓ¿
-HLxæDÆžŽäø!�<³Ñ>À:Xn�–,i@%cXsñêâKxœËò©VKÆ8ÀF¨#h�¿!T
-q2:ô,iy|�™c:7¾ñÀ^P)¹�¦ùÑG,x¹%™€_<jiÏ1Zß¡nÑàh¾ƒ 
y�
†.):h£2/Ç<Ñᙬ9È[.ýŒ|s7ÆLM¬‰�Äaæð<.yà‡b³tôXÝ„‡nz	7®é€ÎÕ„Gpü)_À¥)Ü•@Wé"ÓjLˆŽW"]1ú}üîˆ�(ŸÎ���@=‘l}p`Õîï9D¾c
‰B¯Cýb~K›ñ±b`.8™åîT>ñkÄÀhàÆw�5¿wä——Ž=êñe&9:ÉOù ¼á£ŸÄ-Š„öç>IFIžŸªù3È:¾�lè¼)JÕámò´Ö…LFòy-J²Ô—vö«œ
úá‹êÎL%®ø’­I>³“ØæÜà(¿|WÝ/•‚<i¿ö{ˆ¼ãW]Ûª©ºr´„xFp..öºÉÛN½L×6Ãçä‰wäðÏÔù—_­OOúMž�“¯ÒÒÖ«<lÂ@!úÚ|
y|Þþ%èÿ~ð‘‚endstream
-endobj
-898 0 obj <<
-/Type /Page
-/Contents 899 0 R
-/Resources 897 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 878 0 R
->> endobj
-900 0 obj <<
-/D [898 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-897 0 obj <<
-/Font << /F61 646 0 R /F43 612 0 R /F42 609 0 R /F57 636 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-903 0 obj <<
-/Length 2162      
-/Filter /FlateDecode
->>
-stream
-xÚÍY_oã6ϧ0ö%2°ÖŠ”(QÍSºM¶)Úl/Mm±PlÚ*K®$7õî»ßg(K²6›Ã½y05ç?dÄ,€?1ÓÊÂ4š%iä«@¨ÙrwÌ60÷áB0ÏÂ1-ú\_?^¼»�Å,õÓXƳÇuO–ö­Åìqõ‹÷þÛëoæ©/öçÞ×w÷ß%¥Ÿ÷ïoï>üüp=O"ïñîã=‘nnonîßßÌB+
ë%KøÌ‚Û»ïohôááú‡®æ¿=~wqóØÙÒ·W!òÇÅ/¿³˜ýÝEà‡©V³gø|‘¦r¶»ˆTè«(¥¸øéâ�ÀÞ¬]:å?j_i™L80
-§¨R?ehø¸5õ\hÏ€]qèe§é­«CMä=‘Wæ× �¥Yu¹ÍÊÒ
q·Û¬=z‡Æ±¯«ýZÉžV2”¾LƒlA}ÊlüÄÖW>ü4
cæºlHäʬ³CÑ’EµÙäå†uhܦEQ=7×0ÒÞ·Õ3‘Û­9Ò*§,l9Ã)_êHÍBø©RÒîÆ&@Øó†~W¦YÖùSG.lj ’È�¥gG‰'‰À�Ðd½™Ñà¡ÃŽÑ_pÃs¹¨àOfÙæUéª@Bîùr¬’Œ„BT:K¦ŽëŠœKCE|ŠœJzœ¡@¥mÚ�cANåä™/â ðÞp ?5ÇÂø†¨ÿ¶A‘¡Ÿb-
BB|ĶÊÌ®*¯ ˆC	ŸïÞ¹1åŠFmÅ»sç´Œ¶
-Š¯Û‚lqrÖÙ2/òöÈ2demÌŸ¦F» /×Õ™6UYÇzíë¼.›ÒF´ÉÜâm¾ÁÒ%¥ÂÛÍÈ€ÿ\ÙÙ
-4mV·fõ’œç¼ÝŽ$].Ö—¬ÓËÝŸÌH1‘‘«#(Ÿ/ÏÕ•vî	­¡T¾¦å¡®MÉëm±lР˜NO9™žáKmÁF±ËÏ…>K·fTêöÏ÷;5ø¿[1¿Þ[å¡(5,?
ô%!Z”ö-j«¦q:ÛmWnMÚ–í‘ÂIO¬d1N³¾IÑ”I£s„£>qO¦0CàGÒa
‡
Æ'0 ¢›^˜(�ˆ×€1é§Zëi(¶è$.ú"éhìk'àhŒq}ÇFjbiL
-ej�{uXš†çíþÀüÏ[S:n/n\€€¹,4„1=Å^ö³Ðƒj~€”ʪü!Ì
-1˜¼»ÖÍÔ»¬@õðË1Ž±ˆñ7£Äœxìàx	+> ˜ô…ÖIFÚóæÜãG´v€3gØdíÆÁÐnRÎ�@ûå„éBx܈à ö£$‰‡8ç¶B�F Z¥møE2²¦*›·s\Ê!À9R¿Ò›°UD¡¯S!Ø‚ÅaÂH!b±‚¬ÈeµÛÙ¶ƒE^Ú�Ÿ(Dµ¡ƒ_<&­nÊj4¡‡½HÄêu>OdêJ¶‹ho·%{¤µ UÂÔ%Ç&pErÔ>²uk&/Ò×BË/Ý'à^¥´s¡­4©[‚õšó0q©¡½Ò<åç»oÞÒˆ|	sÐ7‰ÒÕƒî*ÉSšš­SXp¥Îµoû‘N“ÿIýœµ·¸‚U{‡=»/‘€×‡-›‡$oÚ¼(hXÏaUY’ø¶^I8Y«
--IBÚ
¨«¼YÒíiq‡DÑÒ»[Óܱ:Р4†÷±Þ„ße¶oÝ
1	ùÐÀ)òzV'»CÓöõcq6(¨?×+Ž-jš@U]q¦¢àP“:u-a±ymA©àT9*pÉpuŸ:w–ØcDAŒ‚®­_h|®»ÀÍ4RÂ5
-âÇrÉŒKÒøt~ �JKyݵÝV3H_oÅã'CF}kÅpXEe°8ö²ð¾ðjúâö2yÑ.lƒÅ§×`:ù¦ &úv*nOvmk
-endobj
-902 0 obj <<
-/Type /Page
-/Contents 903 0 R
-/Resources 901 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 878 0 R
-/Annots [ 905 0 R ]
->> endobj
-905 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [173.6261 746.5215 242.2981 755.9311]
-/Subtype /Link
-/A << /S /GoTo /D (the_category_phrase) >>
->> endobj
-904 0 obj <<
-/D [902 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-330 0 obj <<
-/D [902 0 R /XYZ 85.0394 258.809 null]
->> endobj
-906 0 obj <<
-/D [902 0 R /XYZ 85.0394 232.957 null]
->> endobj
-901 0 obj <<
-/Font << /F61 646 0 R /F43 612 0 R /F42 609 0 R /F57 636 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-909 0 obj <<
-/Length 2641      
-/Filter /FlateDecode
->>
-stream
-xÚÍkoãÆñ»…p_*Ñf\’ÛûäÜÙWg_âS€¶ip ÄµEE*$eG-òß;³»¤H‰íž�Ä}̾æ=³ËF~l$}â+®F�òˆ¤LŽæË:ºƒ¾'ÌÁLj Iê‡éÉ÷>)¢|î�¦·­¹BBÃ��¦ñ¯cŸpr
-3Ðñ»O×—~¹9;
¼ñôòÓõé„K:¾¸üxnKnή®ÎnN',”lüîog?MÏol—ïæøáòú½mQös`Ò›ó‹ó›óëw秿M<9Ÿ6giŸ—Q�ùýä×ßè(†cÿxB‰P¡=@…¦-O<)ˆô„¨[Ò“Ï'?7¶zÍÐ^ü1J¸ðyeЇ@©ˆ/¸0œG•¾Ë‹Íéħtü¦Ôóu‘T›7¶þ<àˆ¢õFƈ’’›�o–›/5ô—ù"Ê2�¾ykàéd¬o£uZ})7ešßí±.P¬gëfÒ»òŸ¦óûO´‡ÓD	˜é©âãÜR+NÊyTœ²pÛ†(Mma©Ë2ºÓ¥­%™ë¶Ÿ3Œ±ñw¶­\éyr»±•j¡ÝFxk#œIˆ0€áF²5,¶¿]ΈpwµPŠÁùBq2w¸ �fÜêb’¯«†f¶W<šÊŸ½„Ù™'Ë+8Ûà,ûˆçŠ„a ÌœyšæIv8¢ÞØâ]Û
-"̶ÞGIÍÒSVw¹­$†‘Ŷ0ƒ¶[[Œu9/’U•ä™ƒÊo;‹qµYé�>à8[H²Û¼XF8¼µq«çY%éCÒUÞaËIÍ3ËÈ1ÃÌ
Dq¬ã.?Ý®«u{Ž­–±­©ŽJ]’]]¨"þF>õ‰
-½à1ÚDx!	h°£Mþ·QõF
-s¹b=¢;Õ¤9ÔDJ
-J06"‰ÌAH¯™Ü
Z—HNì
-½øÈ…ch”bÛø¹èm�E³T;HšÅ¼úe’ÕÍW0á\ŸùDr‰P�ÁŸEMÔo	Úkl«¶q½éÁ
`;øØ`‡°Ÿd!#¨\ìéîýЗä„	_9 ˆXŽÏì¨ôlj”
-2L›··Ÿš£r
Šn½\F˜íÀŠÑ~Î#ÁLžÃ¸	ÂE-âPB“IØŽ§Â:]yH€[Ȭ�=…#ða¦‹Äâ|“2Ýð6C#„0{Â祬lKiÛLX-‘­Ö^+6z	Œåc]gå;àÍ6¶£I
-™EÜ„I/3”�ÄÖ�]?Š@¼À;OMùý¶L}›œ¾¨&…8™(îhR
[“Ì%æ3]=äÅ×AÁ¿vpV‡‚Ãk‚”#Ú²½—WìAÐ	±c(ó"eà´å*ÁŽ66 “y�GÂ1ÇÐÕÚÇó†gÞs†g‚SB}:à§!‰O¹4x
-n}/ø&Ù<_ºV6^Eó¯ÚD¾ÐemwD‡B4@y™ÇëT—}÷•­ÜþNN·Óœwo‡ZÉ“c‰û6’^q
Œ�r@ýóƒ�Yõgpòùc2'ŸÏßídž¦Ÿ/?ì‡#OËJµ·ü\jï.Ç8NÎÕ€Úã
ÌÃ}ß*ðˆ'–y‡ußG“Ó
Ãìص /þJ×Ñð±ðéx‰9õr碪´}x͉,ü2·¦jß•2ë€/æqß\Éç÷N‚0
¯˜õÏàk¯G±¤ìD-³¥ªØ)6åÜ~·šsGBÝÅÜ6à2
-ùøcŽwiØS›DS±�–f4»%s©ÙŸÊDúÌ‘C 6$Çïõßߺ:»¼¶¼„Ñ—é5W¸PpDµ¿PG+€ßÈ~ZGîcs"ˆ	|wkƒ%SH˜aßðCpD
ãd–+¯†7Â+Dö¦«²KÙ%}cÖ³Öv¬‡
-Ç”
x7�Ö sûXŠ	
a­ç7¯Í;‰£tœ>õ+�Ï€u½l‚ÅE„±÷�Ç2
uàrmuZ2ÙÍ]Þ¹9:9¤
:ƒ3I¯Ž¼í¾zãóí³¤²»ãú©J³@çR m{“y!`
-n{Öð9
{TƒÚ°¼ÿaSÈ1þ‰TÜoí¼ýðÌ=,ÚIq”•Fñê<TJV_¢8.le•UÓ¼­¼ÊñÇÃâ‡âõ?¡2‰¥/ˆœ·‡‚EÀ—|=OøèhÐ;{ìƒÁíkJ/ع:ì2ƒ‘Qo
-Ï"ü½�×/÷·þ_FÝ-endstream
-endobj
-908 0 obj <<
-/Type /Page
-/Contents 909 0 R
-/Resources 907 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 878 0 R
->> endobj
-910 0 obj <<
-/D [908 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-911 0 obj <<
-/D [908 0 R /XYZ 56.6929 619.3384 null]
->> endobj
-912 0 obj <<
-/D [908 0 R /XYZ 56.6929 607.3833 null]
->> endobj
-334 0 obj <<
-/D [908 0 R /XYZ 56.6929 154.3198 null]
->> endobj
-913 0 obj <<
-/D [908 0 R /XYZ 56.6929 126.2014 null]
->> endobj
-907 0 obj <<
-/Font << /F61 646 0 R /F57 636 0 R /F43 612 0 R /F42 609 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-916 0 obj <<
-/Length 1949      
-/Filter /FlateDecode
->>
-stream
-xÚ¥XYsä6~÷¯èGuÕJ#’¢Ž�§ÉŒ=ëÔŽ³k;OIÊEKìnÖèèHjIö¿/@PêKíé$åj‹A
-¥«¦†ÈÅ°àçP†wZŸt
dð
 ‹æÚ匷S©¼Ëo‘¸ç™#©è ;�S˜D{2à‡¦0!ÅbÏ–£d¹¾a±4´!
-�ÞË´Â,PÀÂmtHšµ}mÖºí�î‚1¡SÀ¼ÌÞΊ�eîM×ëÚ‡€ï<°ó‰¼ÒëÖ:7¸q›"¶€ÒŠ#B³ Š*
-·ÿŽx¥±Mpä[7mßQ<q®_)' _ÇojÐ^çú@ð q×Ûbð¶O�aÑAåÁ˜K.w«fS4Vy®×(�
)ùëFw6è0kÓ1Ê„w½ BÝÐ7C#ãX·Ž*þ
ïðdœ‘†�yÓéâ@²óJÚ‰
-Ó…^((ÓÄCÞÇÑ°
-³ÂæNFm��UnËÿŽ"ÊÇè@28Öî,P5Íè–ji;*žH­¾5Ë¥ÓVü¹`Q6›ú¸ã,,àQMdA”Ú}árÙ<©r¤[äFÔ�Lh™q,ØßSíN†½UÆÛ“á�îów­M®
-or“)ýWýê™°ý¢pR:ñ¯à?±Ã`ç#¾õjz¹ÊWÚ_˜RŸcW±©Ög0“èJW8+LÞ�½jmŠ³Íùâkjío×Ñ’WÝ=4íCÝL.Q›~å×/»á8µÀyI«²l°�ÂíÍ×/¦?GMaT‰eɆێ¹“ÜõUûÆõ‡ß6i
'ÃÊ_–}Ž)+ÕùMYøyi¨È�±¤éú³ýʦ–ø•z9þÄuˆ)Sh“ýÖµægÙ6|iðs×C|Û¶ºéÍâгôú=ô˺4¹é'5BaØì“·Ík9aê÷¯kÍÎ1Ún²dÝ4åYÛØöðóÍË¢õUwà\|VmA¬ø]€FM]¾îùaaÚ®¹ØûSÀ„ð3ìÄ'§p< ÿö×Þí÷³(	Dšžøv%B8¶8œÁÎ(ܯH-?›þ â=Tendstream
-endobj
-915 0 obj <<
-/Type /Page
-/Contents 916 0 R
-/Resources 914 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 921 0 R
-/Annots [ 919 0 R ]
->> endobj
-919 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [84.0431 645.8685 134.1426 657.9281]
-/Subtype /Link
-/A << /S /GoTo /D (lwresd) >>
->> endobj
-917 0 obj <<
-/D [915 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-338 0 obj <<
-/D [915 0 R /XYZ 85.0394 707.5656 null]
->> endobj
-918 0 obj <<
-/D [915 0 R /XYZ 85.0394 676.8153 null]
->> endobj
-342 0 obj <<
-/D [915 0 R /XYZ 85.0394 449.6033 null]
->> endobj
-920 0 obj <<
-/D [915 0 R /XYZ 85.0394 421.758 null]
->> endobj
-914 0 obj <<
-/Font << /F61 646 0 R /F57 636 0 R /F42 609 0 R /F43 612 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-924 0 obj <<
-/Length 1177      
-/Filter /FlateDecode
->>
-stream
-xÚ­XKsÛ6¾ëWð(u(
|LNŽ+»Î4N«ª§4£�IÈ„$
-Cl¥#—8�¸ŽS¯$£?G4€­§…joü�
±ãáž
-ùDe̤š
-,l;¦Ü}Ó/ô]‡ˆ?�j­yÆç-¯ãB·\â#L Á¦��_vƒ\8CÏ÷Éq�wA=ÃiŒ òm¯"å#å^æ´sâ·�ömè!wÓ(¥ß›*š§ðª³MúÀdon*‰�>O‹ÇÉ	SèˆÒS:Zƒ(á,Óê¤lÕz¶l€FÉI1ÉiR¶P ©f'm´48;M©qؼùLµîç†È0O{o¥”fÏÕº:ú*AªØ‚"ÏÐQÃbßH¯�Ùép6ÞÖͦö–¯Ýƒ"Cž»=•O`èû^á�ŠÒ@¾rdZ
aGÌ;$è{oK,DØïR+G€aá"ºÈÇ==£ÍÊ=�•‡Ì¤çÝmì°:®<än¾ñ>†ÐÁû}�&Jô�MÇÇ·5óŽÆ¿/%HÄ#Püv²@"3îó»…Z³¨íúž�˜jzžÆ’'uczY¼j�ÚŒGçYˆF3ž=š–cæé-MNv’£R?0ª‡¨”¼
-Á%�Øp+Æmf!©á:Z¬…Ù¾KÆpeòf'óªMJÅ4ù—Q¥XélG™�=뻄
Ž�±æ«h�zWg5ßR'Äw…0\ZñG`¶†Ç\?÷nÔÙšòH!ÅŠâ,Ÿ™Z¹ÈÄi½–bËã^­^.’™)@é
òõ{(/€Hª€ZÓºá¡V¸Í–&£VÅ”64Zf_ÎRk[Óf$:G©°5X©$xÐû?,c“*æ‹ÒÌ]K)R@7z5<vûÚE¢Q¯v™f±ÑŠÙ–×;¶¦zµÈON„£,‰—{kßyŽcÞôŽÓwúb7ߟõìÂ\3‡
nŽq\§uŒƒý
-endobj
-923 0 obj <<
-/Type /Page
-/Contents 924 0 R
-/Resources 922 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 921 0 R
->> endobj
-925 0 obj <<
-/D [923 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-922 0 obj <<
-/Font << /F61 646 0 R /F57 636 0 R /F43 612 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-929 0 obj <<
-/Length 2982      
-/Filter /FlateDecode
->>
-stream
-xÚ¥Zm“Û¶þ~¿Bߢ›„^˜|râsric·Îe:�$“R"tâX"e‘Š}Óéï. H‰Ò¹õÜÌ
ØŃ}%fþÄÌhÆ•Mg¹M™æBÏ–Û>{„wß߈@“D¢dHõíÃÍׯ21³Ìf2›=¬kÆ�³‡ò×ùw?¼øÛÃÝÛÛDj>ÏØm¢3>ÿöþõK±Ô|÷æõ«ûïyûâ6Oç÷o^ÓðÛ»Wwoï^ww›£Ì—a…^ÝÿõŽzß¿}ñÓO/ÞÞþþðãÍÝC¿—á~W¸‘÷7¿þÎg%lûÇΔ5zö
8ÖÊÙö&ÕŠéT©8²¹ùùæïý‚ƒ·~ê~Z¦�Ì'
-3w4¯[�¸©ÃP³\öDƒ"ø—~ЮšC]~…}Sݑ;í.Ï.]çöÛªvmd^Ëî
-U`T7Ú%sÁ2«ÒçÕ+gBsª^½ä
 áΛfù.
-ß­é¼7Ìp
-�Ávez•kOtÎvxœWnT>â‹N#QiÚà:Õ
-z~pû'ê6+zƒN—c
-d¦À…Y4#ˆÁ(ó¹嚉ŒGâ*ˆ»Üm;¡�àÓ@_"5è7?O«f&M¨éY
-žU¤™ë™GëL�ª U]|KèA«zdñ¡>l¨×ÕUœWpC¤¿¬~ ˜’V<£ª+
-©poeµwË®�c;ÕA	ÑÏju�uO5Á{¤…ŠC,Ͳ1sRC©çšý;ï³ð
DòH.»[ð
^¡`Ô+´]œ3D
R�tþ¢¤5äÅ¢m6‡.ÐîŠn�šØâcJ4\ë,Và ÅŠ�-ÀŽgã€C.Uqá
Â`ñÎí,Ú¡Íl`Ý?ƒÍùmE‹«ÙqÓ¸cpš~WVMµW>dN2J
-¯VM0ÖmÓÓ<š0ÄÍC·;„qÚT4wì‘MèIðAðJ¶?Ô–"¤Ä*X¬)`u®½�(Þo’ëéM¦9Eb$(hƘn´XÝt4ÐîܲÂÝø@¨€œN“µéŒ'-OH¡0L`û¯	T>6ãfè%Nv>C²NjØ(�Þ
‚݉ÒòùÊ�4["ø°®|8³q’í=½G�òƒ]±ñ[Úàœ`¸¬@¯`ÅB8d?G6¤Â@pé¸ê"Ìö±Ûh7£„ô­è¢‡JÓœå:7×=Ô�겇ê©zÕK>®
-ø>làt\]z¥ÖAuTW<�~¡ëC¹Îç…Ÿ¨'ë‚œc˜Û¤}µB3bEpšñ�V–Gõ~øËÝ?'ÔHB1ÙûrÏàk·J
ÖÏS;>÷å¦òUª²yˆè�ë¶>„Ø0õD¦<g)„Åë")H+ŒŽ>Â}\BíùèÀŠR°¯ª£Õ}UŒŒ}”‡6˜aäè!à� ‡×¥k«#®ð&¸èQÆ`ãùÀ`#r®%Fd‡€ÊKgzÒ¸–j9ÐÏ°N–EÐóÇœéã«Ñ1Ãdé_„D
-z>‘‚W¿I™N•
<W�Ë
-µÖ§¢Én³ÙRÖiÈ I¸7„¡Eéâì>¶]p,†š…$—ÖRÏÇ
OC.£�Üè¢Ì¾‚-X«ÆFzAr#@ßÊp±Ö¬¦Òï>Só	‘éXdø…â�à±
-z‘Ê;äÃvw<Üå3¼#Ñï1t)3©<aNY®ÊFeVÈi íâë ßpðèªpwÑžL*‹®X€¶‡á†Ú”ŠB¯ªÛnkæ‡%e¾¢2´mC¬.dÄ	DKcÑc�>˜Õå2˜%HU..:�ÉA’Œ¶º:чñåËÈOïHÏ“
-lÍÕ™…S™J��ôvzVHÓÌçR ¯Ÿô	_ÿ‹„ªÏg	~¯ã™¾¼Íã°VèÆ'V¥KrU2¹ÔÁçp!ÀÄ%”:èƒyNÅ_À€œHvLã
�ñªÈ|à¿œß�ÓLImf&<.³÷3( Së‹>êû�ð_ßoåìeû™
·×MŽû-™txÈvg`ÃÛœÔæµ÷‡¹�ÚK‚Ö…‡j»ÛøÏœ>Íé‚ÛpQ={vì©Å@Ÿ©Ù
-ê@éüâJŠ¿
-À£QöáþW*‘l ü
1?Ó¢endstream
-endobj
-928 0 obj <<
-/Type /Page
-/Contents 929 0 R
-/Resources 927 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 921 0 R
->> endobj
-926 0 obj <<
-/Type /XObject
-/Subtype /Form
-/FormType 1
-/PTEX.FileName (/usr/local/share/db2latex/xsl/figures/note.pdf)
-/PTEX.PageNumber 1
-/PTEX.InfoDict 932 0 R 
-/Matrix [1.00000000 0.00000000 0.00000000 1.00000000 0.00000000 0.00000000]
-/BBox [0.00000000 0.00000000 27.00000000 27.00000000]
-/Resources <<
-/ProcSet [ /PDF ]
-/ExtGState <<
-/R4 933 0 R
->>>>
-/Length 934 0 R
-/Filter /FlateDecode
->>
-stream
-xœeU9²,GôûeË@@Q‡�!é¡%bd(dèúʤ—÷ÿ(žÑ¯
-’$¡T¬)ÿ®ïë¯ãïãÇ_¢ýþÏaíÏc‹®½Ú¿G—=ûÌöÓ1ÄF¬lÖ]töö×ãqu‰Ý¦‹÷5š�”�<8Ç—ý:\;âúãñ‰ü<q¸Í;.\ži2c¶û~ð¶e¸í×qc¸=7Ä+Àg
¯ã�ã×ctéa³ÙL1ca·cu™šmQOƒ½¥ì-¡
{wñ¨¼&kñÄÞ
-¨9xcH
-¤Ï’ÃigÙ¥—ÇáC6uéíÛ&”\ÊGTœ„Méêö–KòlÜ’Fyu|?é%åiÈ¥K”êNÊq{vˆ�*êèJE¢]8hÍò¤p0R±ˆ$Á(+ÁnÖN¬
-q�ª„Ñ«ò�^ÿï>‹«>÷—
.13×…Óƒ!¶3¢SËAÕ”ih¥Å¨Š^…(€<Îm䦽ªšÛÆlLÊâ³ò7Ù
-г2"ïE9~ 
-n*Œ1½÷¨¾x¥Æˆpîâ‹
&Xî
Ãœ§³±è\íD¤ß�ä0}#XŒûž˜‹¸À>#^V°¡|2Îi‰9ÊÎ�r)`˜¢Xh¡Ò& „hb—H°Œe"Ãê
-þrÓGçX5¾ûû8‡´ÕªOª«t–Ô³$Ây°‰—BÒ›ÀÄ5
©/¨�vp�÷o`kA“ôr±ñœÓ4N.4Žæ
-endobj
-932 0 obj
-<<
-/Producer (AFPL Ghostscript 6.50)
->>
-endobj
-933 0 obj
-<<
-/Type /ExtGState
-/Name /R4
-/TR /Identity
-/OPM 1
-/SM 0.02
-/SA true
->>
-endobj
-934 0 obj
-1049
-endobj
-930 0 obj <<
-/D [928 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-346 0 obj <<
-/D [928 0 R /XYZ 85.0394 682.6479 null]
->> endobj
-931 0 obj <<
-/D [928 0 R /XYZ 85.0394 651.2667 null]
->> endobj
-927 0 obj <<
-/Font << /F61 646 0 R /F57 636 0 R /F42 609 0 R /F43 612 0 R /F56 630 0 R /F84 863 0 R >>
-/XObject << /Im2 926 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-937 0 obj <<
-/Length 3426      
-/Filter /FlateDecode
->>
-stream
-xÚ¥]sÛÆñ]¿B“—R3æéîðu?)–œ*‰åT¦;ͤy€@PĘ�¬vúß»{»w@PN§öŒp‹Û½ýÞÕ¹„ÿê<ŠEœêô<ICI�çÛ3yþ{?œ)†™; yêûÅÙåûX�§"�u|¾XõÎ2B£ÎËßf±ÐâN�³wïÞßþðùþê"	g‹Û�wsÉÙûÛŸohôÃýÕ‡W÷se"5{÷׫_7÷´óßßÞ]ÓJJ�‡Þß¼¿¹¿¹{wsñûâdz›…¿Kÿ¾Jx‘?Î~û]ž/áÚ?žI¤&:†‰*Mõùö,Œ…AàV6gŸÎþæìíÚW§øFFD:Œ�“Z¤‘	¦¹¬D¢
-oa«Yv@îÍ.ó.ñ÷j`"Ÿ	q±rtÚ{É¡-?—›
‚ua8x`ëÍœS¤”³¼Þn»ªÌ³–7žËv=²ÿÇMý�ñ‘Àú“%)Ø
äO¯jxê´†{(ëÉA
êí|Y<•ùqlÔ¡HâD½ŽÞCMàÄF�Š”fH€Õv•JˆD�U¹œçè+ñ	þ—Tq÷BÈ_|>0 %<vÅAø3{™89»†
-‡ÏݾÜfûrÃËUQ,Ý©Vãp
-BJ
-,ú’	qÏÌ‘€h‘£�챸�â�®Ü“á9mÃ	6+yD)“N[fÒ‹Ì0^£ôp÷áBÍ
-Z|]g]™z´„.‚Ðä9Ênt¹ÓUÏ7ÜS¶éÓd¢„	„	(¹°
-î1;®ýÀfD¨•z½‡šÀ?0Ã@‰PêpH
-—o¤ò�$]Ý—GŸ*üÞÀ•-Û‡
©=IXøQ7ˉ…;£×º•Óy‰Ž‘$æϧ%‚Ëñ$‚D2Ѓiºc R‡þóçÁGŽÐZ˜0�Æ­‚Ôp�Þ€8K¶[Ï^k†lŒKÓIªŠÄÏÀ!y*‹ç	Jt$”ômv0Ç—2�OL¬|&‚ì%–N7ñ“V�¥/u¥§•½’Ÿg
ßÌæEð¬ŸÈÌ™ïø©!ÆDaP£•Ë£àÉ-écÒ8!	“?!� 6Cy÷‰e5¾Í1cκqÀJó×€˜Zö1~hZÛ€
-§šE“0•'Vlò	Ϧíoa˜ˆ#ÎYgôF{½:æÑ´üØm2~[)Êl�ákzb/Ÿ;1£&»ó+ƹæÞ,(hå¾,œ]�6'®?#Îl½šòˆ[º¬ºÝYLþ§p
-)��_wå!<%ãË–Ë’Åì-)ñß¹EãOÃôPá¼EúȉôÜ5Q"�?¦šÈ’¥�Eÿ÷o¶?hsâçN:�€aà&
-/Ê㻥ÀõcÒÿ$*âñendstream
-endobj
-936 0 obj <<
-/Type /Page
-/Contents 937 0 R
-/Resources 935 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 921 0 R
-/Annots [ 939 0 R ]
->> endobj
-939 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [222.5592 662.5227 296.2125 671.9323]
-/Subtype /Link
-/A << /S /GoTo /D (statsfile) >>
->> endobj
-938 0 obj <<
-/D [936 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-350 0 obj <<
-/D [936 0 R /XYZ 56.6929 378.3537 null]
->> endobj
-720 0 obj <<
-/D [936 0 R /XYZ 56.6929 350.6124 null]
->> endobj
-935 0 obj <<
-/Font << /F61 646 0 R /F42 609 0 R /F43 612 0 R /F57 636 0 R /F58 639 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-943 0 obj <<
-/Length 3590      
-/Filter /FlateDecode
->>
-stream
-xÚ¥]sÛ6òÝ¿Bo•g"HLŸÒÔéùæâ\÷¡×ö�–h‹™TDÊŽï×ß.v
“"%§Óñx¸–ØÅb¿!9ð'g¹I„vé,sib„4³åÙ˜ÝÃÜÏg’q
iÑÇúñæìû÷VÎ\⬲³›»ÞZy"ò\ÎnV¿Ïßýãí¿o.®Ïʈ¹MÎÆŠù�—W?ш£Ç»�Wï/þõúíy–Îo.?^ÑðõÅû‹ë‹«wç™	ß+^áÈï/ÿuAÐÏ×o?|x{}þçÍ?Ï.nâ^úû•BãF¾œýþ§˜­`Ûÿ<‰v¹™=Á‹H¤sjöp–�˜Të0²9ûtöK\°7ë?�’ŸÑybr•M0Õ=
J
pjg™q‰ÕJ{
¾¯êrw¾ÐÊÍ—MÝíÎe>o6<PÔÜ–ðÔb^,×UùX®xô™žû¶ªïQß¿7yŸ^–%ʦ
-¸DJuÓUwÏ„7àK»D¦iÎhOëj¹¦…›zÃ$Ú²^µ^}¼¹|ÿÁeÛ÷eûf’:ˆ,‡íö©/q¶Ð¹M2§íl!eâŒQe[´mõXNp˜šDi#8LEä+•/|Ápà‹fŠzÅØûíÖ¦Ãd·.i²nvņ	éŽq™Ö—}¹«¦÷
-ß$Æ€zƒ;ø?oäÈÎyGJf#•´‘5œ±†ƒôE³„oPüG~×~Å2@“ßò¶è£§uYÓ0Ê…øWƒ�‚J9P]Úèº,vÝmYt‹ªîÊÝ#09µçðï™<Gùu[1'dÒÈðX´`ÍR¼¦"i¢µÎ†*‚Ëþwßv­ª¶¸ÝrQ¨
-1†S›3¸Imtð3Ë‚´
-ix�A®Zp8þ,q°¡gÑuåö#„0è)’ŽÀp’k7TâE¹œý@Ûì=°Œ.ÿÄpƒƒUGÏUµª¿cx]<ò'ìG
‚ ÞBTÏçû%i=Ò
-åì®VtAm¹ä€—æŸn^ØÜÂÒ%)¿úV>FPå*z»'�ŸjUÒ+ö¼ô¸-øæ‹Ÿì�o3¤ª;j0ÆÙĦYvÚ`úXÇ
&bùT´‹f³Z,7UYwíÈjÈ%ËòÓD¬	Vc,HÙÉ!$n�Ùh5{�ˆ@u.ç5¨ëQç“*ØnÊ`Ú't8À_’°BŸ›ŠŒSD	kÞ×M<C¸"χŸ;°T›çó›s§æ
™
-z^‰Q@F=€)ç
-¦—€+	MŽí®y„,‡Ôv¢è„‚µßº˜r´¼¯ 8Ç,‹•¹~ÅòzX',/`yË«ê
-ê×ÅŽóÀ±�Í€CǧYˆX<C°Mr—Ê!—wÂs‰’¹ý†€ž÷ºño&dÏ
-^/
-ŒµÌ‚Û!übóT<3
(½+.¸
-;ÜuS ŒIjUv*/Ô.Ö\~ÝnªeÕMÝädI®D¿Û“9ï¾¼T8ʽdKYʪá#"e{1fõăƒ�j@
-⢸oQ‡•”è�ù~N*…(d".¦@¹8â
-‚£ó‹@Èõ@‚îÐ÷�5ŠÉ�Ë{É
ýqYÎ(&K&‘XÕë6»=–€&ä@7`ßÎRB‰
-Lx¼êQéø79d.2(|q!ûxX�¦¯D¡¤Aˆ‘&oé†W[&јŸ¢‘Æć["Ñé�ø§`Øf§èî¡fêº0M2+Ìé"êHoÃ寮†á‚>%TJRËXÙAÿ¤_—!DõT6Ñì˜6�i¼Ý,œq
$ìÁ·¡³‰L37QUÓ]Blzú®úòö¯7¥qI&�ü;ÍÇÐw
G§'Ûí".ñ·˜úò«]¨—tž«i¡B5å²À2žŽ”6þ‚uÌúÿ
/A¬endstream
-endobj
-942 0 obj <<
-/Type /Page
-/Contents 943 0 R
-/Resources 941 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 921 0 R
-/Annots [ 945 0 R ]
->> endobj
-945 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [182.6146 321.2011 231.8861 333.2607]
-/Subtype /Link
-/A << /S /GoTo /D (notify) >>
->> endobj
-944 0 obj <<
-/D [942 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-941 0 obj <<
-/Font << /F61 646 0 R /F43 612 0 R /F58 639 0 R /F42 609 0 R /F56 630 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-948 0 obj <<
-/Length 3707      
-/Filter /FlateDecode
->>
-stream
-xÚ­]sÛ6òÝ¿B�ôLÄâƒ
-kNã¢}pñ0죚;›,3³¹ÍÒظ,ëś虔qfŒBùº4V©4Æ€Ì-É÷9ì!³ØØD" ±Ñ*
ìñérnetÿ«èHÎÆÈH“±ÓÊsföu&c‘d™& ÁØßuÏ?ñÝÍZÍ>4p£ÙðRŒx>Äì/å’�ÎJ¥A4@}*]ìR«éRMz”ºèõR‰¨à—r½©ŠuQwÅ’'jz²VÂ(‹/˜Ø,V.s³!sÿš¼4Âf ¼ó½Îý5mš«,v.ͼ‚*ãì´�10Ó‚ž
-[‹Uf%³g[/´ñO±3ѱHí��JE/Oåâ‰ö!i´Ü­7t8ÜrMs]ÃÏ'¦ò7!TÅã
-îCôbS­„ã
�cÏŠ91LƒSÆf�c�ø¨	
IbØ16ÝÏEÌ´mŽ´]C°I2³ÒÆ©Ñ€Óâö‘ÎÝPïü|¸aBï�ð"EŸAßzW„iÐ+Í!M
-ƒ©åqd�=Ô”c#Þœp;Æ™Ø@ÂwÞí¡N»�ª€<88ƒTÄHwþà
-kFäiZõÇؾÕåhë |ßÌ–þ-ŠŽð1&‰ÕQ²*!ýË’7¸ÒC½AÃ1¶óÎ&
3.}ÃÙ Î8›
-'4±WŠ§ü¹ôÕ#nZÑ-Î?áŽÍCù
-H§ba0ëõ¤Ø'JD/OE�#	hZ0pïHp
�%jAùÆ�‚‚7ôŒ¤l©a)kµ7ú!v­šªj^zìïo¯~ºç.§Ü΂@‰�3,ë6î¡°O@ÿõøµTì-päÙÏŽÙ+倽0ßk9¾´ø1ÀC7mK™ŠXé³mK%c¡ûÖ&Æ(’ ôMɪ£8âOF»ñ"‹{É8S2q…gA·Ááò¶}ŸÙ¯ï8"ÉLÆ*=HM
-âóX[Š_
M_\­ùp¿c‚aÚ;_‰1¾`®mÖ¼Ú–Ý.gu£mÞ!f¾+5¡ç»2úr‹M¥wuÔî|“6S”0€ 3ÂvÒ°@¨ŠoQl¦¡ü*8ZßÒ¶E×d¬^„“¡ðbLDÃ(JFÊ­ªž¦bB@må=„²{¦ZÇ}o˜{à5P/DsëfY¢|~÷í}
-
-z®ó²êɯ‹nêˉ–±6d…hæÊD5v’«ê•‡./TÖ¦l|­–À1’\½#€+Ë9ÈÉè
-þ…Ø'‚…
-Â@~’˜ÀXfTæâ4quÖùkZK¨|¦NI›áy Íš+2Xy)ø“¢ e„©/uóRû"ÅDŸ‹®#'œWà°Ï+ü<hA3õÌ
-¸cÏüº™¤õ=øCÀKNÈß’¯P†&ø�	›£O
›<N•B¶©õ ‚—}:¤ÑÛwEí¹ƒoÞŒp°kûu|ŽSM¸v1oj¯C°´ÿ¦¡
…œ¥�zyû]:z.‹—A†7¸ÒUué¦CjgŽó6‘ñ7K^šøn*\ìœÖg™ŸÄ©�I¯6@Ꮁû?¸)åêõÄ×Y‘‚æÙ}»m±Û¶ô5
-�ÔÍ?¦”UÇÒfj¤¬½È‰Û‚ÃÎ…02äÀ¾¼"…€¸µ£H‹÷Q…ÖpUó8úÑÂK¾­IÑáe
ÖŸ?SÊôù7`¹ìõ}ºÜSS'¤
µ¼´2x»|
éTEÉ¡ZF"'<Çp@Éå`etZÇ@u@Gq"ÑD$(2Å1ʪ­‰³Ã>…}m‘s͗ݵ"Áƒ×+‚¾ØPùà"BRRÓ˜à$‰wP–O?(°:_4-Ò»k™8ÙoôYc_ ûâÐRœ&üSF5e†¼9_ñyB1ìôštœK†¬~…Œ_Ž*�Ao ï{í®8]Øá�p§ÔQMí4™ìi”œÿÂ\ÝÔs&
--ï¹ð
-qyUl·yEM+­¨ýŠ«¤,
¬iøØ>—ǯ0CØñêŠ0úúf"Ëä¢J[E
“†*uGï‹UAyU_ùÂ…€ªŸ¤Ñç²^�Áâk´"~X̱‡¼€‰!/h’¹‚µ³Õýöõ�埾@”Ý;ß$$û:x�?Ab0þU@¢ˆûð¤41¦8SÌSÞoûT(øc—)sÞ©êSNuÞïÝ÷Éç?��?ÞÜÀ‹ø8G5&?K\(»rßû³Ò«.îez
-ŒMCAÅqå‘…:fú^íô}]
-’éí‹�ÚÝLK
-…Ãï÷uQÏû£þ'
-endobj
-947 0 obj <<
-/Type /Page
-/Contents 948 0 R
-/Resources 946 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 921 0 R
-/Annots [ 950 0 R 951 0 R 952 0 R 953 0 R 954 0 R ]
->> endobj
-950 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [137.8681 615.6107 211.5214 625.0402]
-/Subtype /Link
-/A << /S /GoTo /D (statsfile) >>
->> endobj
-951 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [265.4578 569.7892 326.6578 581.8489]
-/Subtype /Link
-/A << /S /GoTo /D (server_statement_definition_and_usage) >>
->> endobj
-952 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [367.5441 569.7892 416.2908 581.8489]
-/Subtype /Link
-/A << /S /GoTo /D (incremental_zone_transfers) >>
->> endobj
-953 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [280.9692 538.553 342.1692 550.6127]
-/Subtype /Link
-/A << /S /GoTo /D (server_statement_definition_and_usage) >>
->> endobj
-954 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [277.6219 507.3168 338.8219 519.3765]
-/Subtype /Link
-/A << /S /GoTo /D (server_statement_definition_and_usage) >>
->> endobj
-949 0 obj <<
-/D [947 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-946 0 obj <<
-/Font << /F61 646 0 R /F43 612 0 R /F84 863 0 R /F42 609 0 R /F56 630 0 R /F58 639 0 R /F14 620 0 R /F57 636 0 R >>
-/XObject << /Im2 926 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-958 0 obj <<
-/Length 3444      
-/Filter /FlateDecode
->>
-stream
-xÚ­Z[së6~ϯð[�™c–7ÝOÏætÓiOOÓìÃNÛÅ–Mlɵä¤î¯_€
-úkáL‡Ï÷?ÞõýÃÇŸ~úøpûÇã7w�Ý\Âù*ip"Þüö‡œ­`Ú?ÜHa²4š½Ã)T–éÙöÆFFDÖÏÙÜüzóK7`ÐêºNùÏF©ˆ´�gcEÓ^–BFàµEe"6Út^¶zÊË^
-½¼ÍÛåËb›ïvÅj‘¯Vû¢iŠf8y-¥ˆS›ÍB
#;:©	CL`ˆ–‘ˆãØô-¹_£Öo?Gi ª¤Ð&†áQâH†
FS‰ÈŒNXæÃí¤vÞ¾PQ:ÏÝ3™ß}³<Oj
-¿œ�ËOŠì×ÔË×¢%î¡qîGÒ‡šëtZªÂy(¢y±po-§ÀÇGœ¸Xjˆ\Mù\¹p†_ëzOGP8#×”—æ@0Ó�	�ÇàMtÀWQ¯¹rv-EP¨‹r[!n™·;ìwµ§œœÏªl–õaŸ?+Áª…¶"“1V=- R­ë„%\Y¡¡¢K	»Þ¿ç{—ãš iË]i~2FÃß)}FEà�e¹)Û#I,]½
-.mØãHr¬‚-¡zÔŠ»W53^ò·b*}W%¹a‰r:q9骮æ‰é”+&0î+œaÑ¢m<:´$ð^6/apO]¿uØ‘ŒóNéÂZ³wXcu|Ï�·J©9«9ð‚©z¹<ì¹G]mŽ4(,ôÄ*µ/.;jt>Ã.©�x)©hIšäH¢Kî༇D~€1÷e›·åËç®Ì±ª‹¡¸svx(„ïÝð?[îèBWŒðƒŽ(‰
™È+È$”:�L:)ôåêj¨Wi%¢De—wRš{àAÇ"Š
-b
-Ü
-qk/O�]A®êm^rÓSÞ”ÿÞpСÓF^Ó>É€xÞÔOˆV¸udUæ†{ÕSèÁÙ‡‹öåjårʘ3ø9=ÞrØ„�»¡­^6}DFö¿ßbÝ=ŸÜ‚�ÃüÀÙåû¶\þ¹ß4ᆤ¨ Ö®µtnMÞ�ó ÉõЕ[
-Ðå–ÃÀàú×îË%‰�ÙL$ŸŽqP?˜+�VõïJ°Áå×IRñÈ´i»ÜFSÜ]¦ŸL`©F±bS+¬ÉÌÌJØtbØn/ÇJ'¿;L,ÒhÜ~¬€i±€­chOd ÆR�ôì…J'uÅ
-¿Cš4JÉȧ,g{ÑÂq¾ñ¹Ë�OaÑל`¸©­�ôÃ-æ_o1€á.Îîö&J…Ö`ÓÅÝ>”:¿ÛwR®naé_@½@‡û½U¦Éí�Ô„úÞŽocaãt ¿¿ãÌö'.Ø ápÖ2—jXA|g³wC7
Èä)8^³�*Ýß¹¡­~ò•0–/yõÌ#º]…V«’ã+šò®³Ûº
U´¶Ã«!H†lÚ/w*®ÜC§<eBÇÒß´ns‡µßüSC•
-.íîP:DœÈìJ
-RRÐK�bn_à�hIW ½4Œ`KÖWô{¡	ý½$Œ
Hmúô·wwñ¤ßÞ�<mï6
-¶wË/¯à¹Í_¢øgôƬÓ
-`�~»õüBãÑ{lbXíª!”ôŒJ:4`8¸h�³¹�âóÙõ!¼~J’ F’”bžôÂ-íbä†FCëÉhø„M’pØ
-ß	Ø+±H]ˆ]/uŠ]ÿ~ŒÔà0¢ÓËê½Ð„úÞŒ#+´„#}O/j­î¢IŽZ«ƒ-Âê`‹°táèž½F�õœÈéóëT¦¬¿æD"ÜÆ8ÅD‘ˆñ³©Î1ÆÈ2‘Æ6¼ß\:¼K`é;dH'<“ùPî„Ï>°3Œ»ÌY,¥
„®ÑW��Y¢Ô²³ªÓÐÄ3�ì¬$dœÙ�·&�ƒ~”F#h禸/«•ôwªËîËd–{ç>%iS/Aÿ¯÷}JOâ¿ÁwI"àØ­®|0vºð½¹ûßM¾|}©7Ÿvb8^VëeÆjûoi¬H­îëí¬´vèAw/S5],º†þËdñ®¯µÿVàtÙ‰4í¥ý‹XÄ}ûCô	½À�
-üsQûŸ?³<}ƒj8Ù§gÎóFÆ"ÕYâ�Bí9{Ñ;6ý?ž×Sendstream
-endobj
-957 0 obj <<
-/Type /Page
-/Contents 958 0 R
-/Resources 956 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 965 0 R
-/Annots [ 961 0 R 963 0 R 964 0 R ]
->> endobj
-961 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [367.5469 453.6623 428.747 465.5625]
-/Subtype /Link
-/A << /S /GoTo /D (zone_statement_grammar) >>
->> endobj
-963 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [483.4431 396.26 539.579 408.3196]
-/Subtype /Link
-/A << /S /GoTo /D (address_match_lists) >>
->> endobj
-964 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [120.1376 159.8067 193.791 169.0221]
-/Subtype /Link
-/A << /S /GoTo /D (synthesis) >>
->> endobj
-959 0 obj <<
-/D [957 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-354 0 obj <<
-/D [957 0 R /XYZ 85.0394 682.6783 null]
->> endobj
-960 0 obj <<
-/D [957 0 R /XYZ 85.0394 657.8964 null]
->> endobj
-358 0 obj <<
-/D [957 0 R /XYZ 85.0394 440.2898 null]
->> endobj
-962 0 obj <<
-/D [957 0 R /XYZ 85.0394 417.8192 null]
->> endobj
-956 0 obj <<
-/Font << /F61 646 0 R /F42 609 0 R /F43 612 0 R /F58 639 0 R /F57 636 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-970 0 obj <<
-/Length 2351      
-/Filter /FlateDecode
->>
-stream
-xÚ­YYsÛF~ׯÀ>…Ü2Æsë'Å’¼J­eGË<l%y€(Èb‰d’Vµµÿ=Ýsà  Y±R|À==Ý=}|3d…Ë”&Úq—'‰¢LeËÍ
;À܇iòD”÷©~\¼=Ñ,sÄi®³ÅU�—%ÔZ–-.�iÂÉ8ÐÙûOg'§~9?œ9[œ~:›ç\ÑÙÉé¿ŽCëÃùáÇ�‡çóœYÅfïÿyøyq|¦täñãéÙQqáóÓóã“ãóã³÷Çóß?/Z]úú2*P‘¯¿þN³KPû§J„³*{€%Ì9žm¤DI!ÒÈúàß?·{³~é¤ý%\h>a@ɧ¨Ñ‚‹Ö€L	f¡”ÎN«¦Ü^Ër‡ª
Ñc@³œ¢¹ô+×%Xñ٪[}>+ªË0q[o›]h6×Ef›´lWnïËmh?¬Öë´x÷�F¿Þ•ÛU9\mçÌÎêM Û�aø¢»Ûr¹ú�R^ÆÍïv«êKÚ¼ŒÚôÍ!™ L)4#ª³^íš²ÊëjBñ¼¥Í#N)î—Էͪ®Èo¡‰¥Ê¾€µD[	›âÕ‚�Â7ìQ¬±G½Eß@S±`åHéÙ*ÓcË„9-�Œ‹ËËm¹Ûí»«`–(Ëlf8%T	ö‡åÄYk§Ý5o9æ}–Þò	Έ2Tw;£˜›¢Y^�„T(´ø…L¿%¤R„J8õ��xšÉqòÁà˜P1‚‡”œÛÁÙ±#tŽ¸€IàRrN¸æjèsƒ`Sž¼~ð>�‹Çð
1†³pî6xö~ XØ7qsS0ˆú«H>èe¡µŠËª:ôÂìÍ>±áƒå‰bÜíÊK&˜B˜#FYçµùx·nV·ëÉð¤�i´{Iqb�M”»¦hÊMY5É@Á
-c#MÝ3ÁÕcôÚC#ᆤ=\¯RÞjÉZ#áüØH0<%¨–õ&à
 I¸ÂÃ(81ô©¤�$r»êôó½žôŸä™³­@ؾ¬1CcËû6.VØ*ým±…l{õò¦Œ¤hü–j�-Ü=´Ú㌼úñââwÕìKâÍ™�»{ÜtZ�¹
-ï€ÔµkŠu>kÅ£g•¬;xHøm‚!h+¬wÞËeHÁ—a¤'¯�¢ýÂʇ_/ïØÕÕú1´î‹õ]wm+v¢j´ÃzÃJ®-1\˜çá�Ô�»”‘™âp¼:ÀíW!�–cÞg9FÒPb%ZKö$|O
-ùʥī‚±C
-®ðånÓFXJÓ Ý`æTîO$ m÷�ÀL”xú(ÇÍ0¬c.ªÇTt§kn
V¼ñt’qUWå»çx~/DzÎ8n�žc’]Õ¯
Ogªôl’dm!ÚýcʼÎ!ÅS
-¥ÝƒBXÉz@¨wÏCª	V#TµÏìyµ˜CŠ¬t¾)Ÿ)Ó-œ˜2ìÚ‘4ÓZýÛÎ3V¶ïN/×ì;€ÍKüj/è¾ê¼ÂšS÷ñÜ8¢…'á\ëþÛ‡Šo?,ˆŒ»ñìZQ˜ðÂ
-C¤e²»3Œ9AZ�JEŠ¿O‰†ÏI²ß¨¢Óvµ»�6O×bæ2|}¤j9˜Ü4!Jƒ¹prˆâ�Ìß
- *£"�š�˜	!
-¥½‹¥ŒqE
-pŸÅ�äH<–õ&†âÙ‰E^:Õ_óî©¿&äaù‹^Q%ƒèòQ;]Ô?Ži)ÜÓ¼Â:
-¼b3­Ø¿ƒ¤ÿ€4%ÄëÂT´†.Ë	T:8€2L1ãU=ëù¶Òˆo®2F‰<y÷'8
`.×|6úÏxRàßB¶dÆàÎÙW0%•Î‰@Ók{M;ø�·§žÕ OÖS)ñÍ{Œ½JVö£/¦0É ARæL÷¢ ¹l}:bøÎâk~Û«“Õƒ¿
-endobj
-969 0 obj <<
-/Type /Page
-/Contents 970 0 R
-/Resources 968 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 965 0 R
->> endobj
-971 0 obj <<
-/D [969 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-362 0 obj <<
-/D [969 0 R /XYZ 56.6929 769.5949 null]
->> endobj
-972 0 obj <<
-/D [969 0 R /XYZ 56.6929 751.5879 null]
->> endobj
-366 0 obj <<
-/D [969 0 R /XYZ 56.6929 301.5992 null]
->> endobj
-973 0 obj <<
-/D [969 0 R /XYZ 56.6929 274.1347 null]
->> endobj
-968 0 obj <<
-/Font << /F61 646 0 R /F42 609 0 R /F43 612 0 R /F57 636 0 R /F84 863 0 R /F86 976 0 R >>
-/XObject << /Im2 926 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-979 0 obj <<
-/Length 2662      
-/Filter /FlateDecode
->>
-stream
-xÚÅZÝsÛ6÷_¡·R3ŠÓÄɹsurŽnnîÚ>ÐmqB‘ŽHÅçþõ·‹(R¦äö’¹›Ì˜Kp�ÝÅþöPÄŒÃ?1³šqåÒYæR¦¹Ð³Õö‚ÏîáÛ»x‘i1äúqyñÃ[#fŽ9#Íly7XË2n­˜-׿$¯ÿòêÃòòf¾�š'†ÍÚðäÇ«ë74âèñúýõÛ«w¿y5ÏÒdyõþš†o.ß^Þ\^¿¾œ/„Õæ˰‰	o¯þzIÔ»›W?ÿüêfþÛò§‹ËeoËÐ^Áòùâ—ßøl
fÿtÁ™rVÏá…3᜜m/R­˜N•Š#ÕÅÇ‹¿õ¾ú©Sû×ó,Rˤ€5þˆX!™s:�ËÁ‚#ÒÓkÑ<k2Î/up¯ÉRf$w½{S5‚9­%ú×q–	pk¦ã8î½Æ
öŒŽi“
-äœi%AqÏñ~¾0"YÂ_™\»–Lq?ŒµÌ	‹‚gŸg‚ñÔ9E<Ú[zØ
?ðÃÕVÎÞ4`Ïl`R\w1XØ[dÓ
`…ÌÏRï4³‚‹ ”Ù$¯Ú†Ì³f0+`ž2Á¼n—×íÝ\ð¤ØÍ%Om³÷Īs‡3ÍTjâܼ^O¬/S6,uÓ•wOç5
-2ý2ŽÞ5UÕ<zÄúY]ÙÔaµüá¡z
-«4ôü½ß÷^ò3,Zð­¶ØWX
-Ÿ®Åú{Lf6D‘Ow%bŠÞ(�«l…Ü·bMqþHÞwAÒõÇq0P£Nª¯ÿ\0©‚Ú´Aý¤ãɦ¨éñÏ¢n÷q[¥a·ñX^�m÷³6�
u	ß˪"êó¾\}ò
ã§×¸µ°ò}©i.˜˜W݆ƒùAÕ«»©Ïë�ÕäšØb‰Ø†�#âÆZ0k¤
-¼N	õÚïìæ}ù¥¨ÃPxæ"¡•Ê�ŸwÿsY%ÎÄN®Å<¹€~�ËBÁíHbØ4Ô€ù»r]Ðnð”­Ð­ÛÔ…E9
-=k9´Î™åîXFQ¡,ž ªGÛý��ß§&7AeLh军àyOo>´ܤÇ*Ð,B¦¢�D×LÈ´’Y©UßOOH
€Š,‚<�pU>ûxƒÆÙÇkàmð†<6帷äÈAµÎ´CV�Ñâ7,x!ƒ³¶‚-Åòm¬Z´W@Åì†tŸÝB
ÛÅZ—w‡:u\êÖÅ]¾¯CÙ•ÇbûÐ…bÔêW®yJ_LðH£ÝXV9¥¶8øÅÉzu6ЉóõpÈuºö\¸WÛüß‹XŽÑ½‹®Ü‹²~Va§�4éyMz®	UF�³xPÈìX—«úúßC§±D
-úGxÍ2HQZŒŽŠh·‰/0ϸ]�u|¾ø¨çáVY Ó–Ûý–^YÄÕ=XÏE<£p�ú8´jê5£³Õ’lùbëì–“ùGòÓ™Žþ"æ…Ì2à:“Y"×Ñö–tq4J+iÆ8Ç´rN~Ï5¡À(­@êtÓÊPƒ+ô�t¡Ò&=¤Ô	x4ÂœŸÐÿH¨I™LÓt„
Hço�G€‘`´G
-endobj
-978 0 obj <<
-/Type /Page
-/Contents 979 0 R
-/Resources 977 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 965 0 R
->> endobj
-980 0 obj <<
-/D [978 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-370 0 obj <<
-/D [978 0 R /XYZ 85.0394 545.7078 null]
->> endobj
-719 0 obj <<
-/D [978 0 R /XYZ 85.0394 521.7654 null]
->> endobj
-977 0 obj <<
-/Font << /F61 646 0 R /F43 612 0 R /F84 863 0 R /F86 976 0 R /F42 609 0 R >>
-/XObject << /Im2 926 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-983 0 obj <<
-/Length 3526      
-/Filter /FlateDecode
->>
-stream
-xÚ­ZYsã6~÷¯ÐÛÊU#'	<N2Ç:•ÌÌÎ8µµ›ä�–(›5©ˆ’ç×o7ºAe{*[®²@G£�¯›”
rbó,÷ÊO
-o2+¤�Ì×brcï/$óÌ"ÓlÈõýõÅwïr9ñ™ÏU>¹^ær™pNN®¿NóLe—0ƒ˜þðñû«÷¿|~}Y˜éõÕÇ—3eÅôÝÕOo‰zÿùõÏ?¿þ|9“ÎÊéÿ|ýéúígÊyŽï¯>¼¡O?g&ýüöÝÛÏo?üðöò÷ë/Þ^÷gžW
-�ùãâ×ßÅd
ÇþñBdÚ;;y€†È¤÷j²¾0VgÖh{V_.þÕO8
�ŽÉÏX—YeòÉL›ÌÁúãR–Y!%0Ög¹Vº—²QcRŽ\(åݶlºeµ½”n:[¶Ûu¹;>¹T„�§?ÙDÏ5²=Ø…Ô"Ë8R²�ÿ¶M×çm¿¡Žšó²!â†Ç»ªÙµïêæ–zh‰XÔK<	¨g¥ƒu¯ðhGRQºÈœ7xÜìcx€	ˆw¸wJ,md-›ÅÈ|ÒeNÀEϺly¾ndÂÜfÎIÌrÀ¥«<“xçRfÞZƮ缾Å|¦L¿¡3wy´f!3›;Ï»ÙÕmƒºï¦u‡¿¶ZPOÙÁê�X—Ýl]µ½'Zú]T0¼®f¸«çwÄÍû¡…øîrÑe#çÒ/Å
î„E#ªºMesö¾4ø´UšŽÔáXÅô͇/Ô³®º®¼åÞ
ž
-{I‰ºvˆy5ì�·áwA�DÑÓØbìL
-ìöo^¨>3ÒZfÞ”ó¯¼÷²£ñyŠÎU&4¬ÅB!÷yºw%‹£½wÔYòï¦íºúfŬu.Çé‡e”�ê¡ÊÀo¿TëÁËK홹æÕ×´)^½
-vü›j^ƒ¿‚^¥§7ûoŽj›Õ#QÝ~³i·»jABQ¹
-P¬áêÁvŒôÛÁF´£D¸.ìƒÝ±ñ`‹Œ©�ñ ;ãAâ†9‡Æƒ¬gŒ‡lÆe²È�">%áö¢c-šâ�}Õíº¨
-ô[ý9 Ã7¿<¾ùzMàULêëÀM5œs‰ð·ë`¨·]l°í†EÇlWCf(|�¦^d¼çôÏ ˆO+à€ë	
Œ\©
-Æ`Öt§‰£ËŒÑòé]ô\#ÛHG�ÈvÒ}�„¥8(#6¢2*áZ‰ƒ#Çé"R]Í ‹ø\ÐEìºaÎÝKžß²»buÊøÔ÷,	)a 
QãÏ-ÀφHšvÝî*jpÖ'Ð9;ÉQF¡ 8„‚b\�”ÑYaTÌÕ˜Ÿ†ÈXäƒH
-qÚ<w1ýåÍ'êÁüUZ‘e´„?�¨ƒW½£N
-Î(
—¿£x¸Z…�@_E@FÕC’Ô¨}·ga)rxa�;&R½Tä^°b´»»”¡¦tÝÀu.Ë9?ó›Rf¾j»ÙØ=
.D)À-ò!ÍËagâïa jñY�Åõ]p§À“l	™Öû8g¹ÙTå–zë†×¹ã¹Ò¹5Îý�n´FšgVæ1ùá´³ÞòGê Ef„:®ûâ
-¨Szuæ%¸ë46!kA“Fù‡��;�oj|¨:ŸÖKbè
-u&è€X?¯±²G0YZ‹®›
ã�ñ0¡äÉ}mçÅnO‰\“=Á%ù1	¤P€åò£Ò*áÉ/'à(
-
-cI=Öîtt®´VøBFáÁrƒ€š!à"5îÕ¥�XáûLëj˜熱籉CvnbvNt
-=àˆæèz„Â%±6´Ã/½­„fQÃ6¡(Œ�p¬ÅÁ�&nk±9kUa2iMþrY/ò“(æïãiQœÍˆu�/û�¤ÄÖèÿW`u_X˜]
!äK>¦Ñ.|äÆ?¦
ô^€›.`×gç¢çÌÅd|"�jw7“¹8\Øa íe¿œ8¸�V)¸¶Þ}ÑæFòëJ«{çñüX üWÓ“¯Œ\Žï¨ÌDêçpéÉ0:ãCE$t8ëA¡ã»«µš¼iáD“á¡xâÙpæp(g’h«ñœ¾
-ÀÝ“8¦ç:ñZ£àSd¼ÄpêìIL#H+ø6s€;ÓüT-2¡ðSÀ:W�­Ò2E™ôµ"ÉÍfÅÕÁ…$ÁSòû@Æ‚É-xcòT°Q�~º^CfÊjvyV¨Bõ_3â;7°!Äô#¡r×cØ/±8‚_ VQ÷±õ¾pC¿q
)æf€àÕ1”	]{ú´	I*‹xúzˆøûºÌé÷Nü<½	
â†g	oÁ8{×Ó/€ ©Šã¨ŠÃ�ð;6«—üYñŒ¡°|ŒïNŽŠ0#ß_	E«‡¯Iò|ú.`
-!!¥(×›U5ö‰¾9’¶wÀòýØû4¸ WÄB5%ö‚+ëBE�*°^ò*¹
âû:Eeú|¥(ta¤Sf£a}AôUKÓ²T¨QNMG¥·áŠ?cⶾ-ow#lŸufø¥éˆíŠ>¢ýíZ_ûBî~íÌ;epЙq0	o
-nòÓNàgjdëÿó)1­endstream
-endobj
-982 0 obj <<
-/Type /Page
-/Contents 983 0 R
-/Resources 981 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 965 0 R
->> endobj
-984 0 obj <<
-/D [982 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-374 0 obj <<
-/D [982 0 R /XYZ 56.6929 120.0048 null]
->> endobj
-985 0 obj <<
-/D [982 0 R /XYZ 56.6929 93.6379 null]
->> endobj
-981 0 obj <<
-/Font << /F61 646 0 R /F42 609 0 R /F43 612 0 R /F57 636 0 R /F84 863 0 R >>
-/XObject << /Im2 926 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-988 0 obj <<
-/Length 3141      
-/Filter /FlateDecode
->>
-stream
-xÚ¥Ërã6òî¯Ð-rU„Ńx°ö4™x²N%“¬Ç[{Hr€$Úf�D*"e�óõÛ�ø�(9S[SS
týnYÌ8ü3§Wy6³yÆ4z¶Ú^ñÙ#¬ýp%"Î"!-†XßÝ_ýンœåFšÙýÃà,Ǹsbv¿þmþþ_ï~½¿¹»^HÍç†]/´áóïn?~O�œ>ïùøáö‡ÿܽ»¶Ùüþö—�¾»ùpswóñýÍõB8-`¿Œ'œÙðáö§ýp÷îçŸßÝ]ÿqÿãÕÍ}w—á}Wx‘?¯~ûƒÏÖpí¯8S¹Ó³˜p&ò\ζW™VLgJ%ÈæêÓÕ¿»«aëÔûiå˜vÒN<`&§PçÌ(©ÂªM¹-Ûb�W�
j°!³Ì
-n�
-b›Š¦mà”ì¥iS|‹#7¯÷iŸ
-lý—r{ØÒÄ?ûrã—›¸æ·õ¡jY¤?dXÁœÉtd`]<øæ�`Te,w.á
ÍýÀg‚ù8zñ­¬ðÌÙBeð|FÁC
-Ár­e8î¡7_$ù—§¢¢�ƒ¦Ø?û¸E`ë÷ð4 PJðù§¢8Ú´.šÕ¾Üµe�«¦ž@s¦•MWkÊ¿Šc�S "Î:9³ /c­ø;Z'ñÁÜ´Î-ºÃ#OJiò±=áÀâ®XMˆHJ–qíâ=èÅG·È9Ë·£[ÐâþqFƒ»�Òwø<ŽTãä\¤ÿ©Xõo˜8æ&S–I‘å#nN¯Ãzƒ‡ÓÓ�•NK&¬Ö t9S6šå=i®íÛlê—²z¤i&èmz×&h±÷m‡Ô¼6m±¥1YmSz%†�ÁšDaOƒ6Ѭü¶H¢ftN¨WEÓ Rólþ©Nx=x'>6 b¨)'çëºú¦Å¡˜7‡Ý®Þ·oÂY8Bvðë«WÂÀÀˆ{`Âr=ÿ¥ŠVOqDôÀe"›{¾ø}(LÊ͆Î^Æ#˦9 ã
½ÑuDô˜‘ñà÷@’s�a�\К�ÎÀÄÌXŸ9£S	i1Ä:ïË;,älUï‹)!¤
-ÂYqôä–)ÙÓéå“I¹)¥˜Íí×Ë
) Œ¬;C�dÖ96Óp=òAÑÖ4K¦
-ÃàýáÛß+\³ÿ.—éùíÁâc7AþÒ‚·Ù]ÃS5«Žà¹W¾�[†g—‘vñ½i䧣ïuäEëߢ㵉“HP(ƒ996=@Ž°d,%ºF„FÁ™È�™·‡}m
-ÿOíŽï¯iÀíÅ”
jú‚ׇ豥É÷?õ»ÊUÁ¦n
jB†³*Ì!DÓ­ÊÈáhœ`{b±y¥9¨ÝÃ
=¸Qsq<}^|Ä	QÃÄ`Ažß¤‚èц¨ID‘Äš,A´¯4<â3A©òß|¾< :à^:~W¾¢lsY€(à(<'¬ì}ÙÄEB6ãÈ®‘Ý${…Qô²Ã<×ty®¡ „™o]Gü­jÃå+­E#�Ý ¾OÈîµ>
-E2¥]Oë³8ŒmÈÔŸO°¼3NÈËaiˆu>,uXÈÅïœËMÑœD%WËœ½L¸Ãš <ŠJÜ1§Æ„crk‡e¡�W‡í’rMKúßÄb˜´i[Ÿ•ÚèÑ æ|"÷…›w¡BƒÑª®@lä;ª¼‡bt\÷Lô
N)Áp'cä:™Q©~¹T5kŒnP<½‘mhnA%àÄËb`]kÂ
-Þ¨õ«ÏÓé†f¹Õæ2ék‚öH°Šƒâ›|L|:
ì\Á lFÜäÎÕ$dÊ«¿>OTÀ©ëkϯÊ�*
-I²ÉÀX–C&P±q$2æ®Á,8û=ëw¡öJ̓Ÿ¨î:%
®Ó7­óþ•Ì‡åŸ’®w¸Ê?¤j.`TkÓ	éÁ™~7¦št½/q
ì¥�T<àpŠ�4|ÊבHQuM‘5-—U[ì++¯4—>A&…ñí)��Þqse
qgˆ€g­Jå9ÔàÚ/ZÕë¼UuX)¦”_­›úq1ia2oÇóËltX|Œ,Ìf�”cFbþ^¦ïat°eSoŠ¶øgÕ¥~µ*v]áŠ��–«˜ŽE
-–6\Åk¸¡ugê6¡ræ°À$ÿˆ®nªÑ§XŽ­ï¾hãrþ]±ò”ÃÁá…刽C°ïŽ;ZŽ�\yZ„¢fO€eÙoÕÕ¬¨�˜3:×=Œ0�©páÆ9;ùGzÕXâ++A™‚%§ùçrS/_ÛÛI*µ”qáÙoéˆM'§Â9–	nN2ÉóÙ¢µÌi™�²E""!Ò¢tA˜ƒ#dçëbEïê©„ÁKŧ�àQ¤Qz¬$O5uôƒŽµOƒ¦VrƒÇ=oíœCdotO†X¬=aI­vgíÒj®¥½L¼Ãš >Îh «#ê÷©ôOLoæ0¦ÂÝ›9@:]†ñýû_#°®*ê>7©Úöí¨î¶£º»/éÉyǶ1fÎ�×7'2’A920å	-˜áHûV"+µeÒ¾qHçÅž�¦k¸±ƒWŒçÊ^$Þ!�R]S;Æ­#ò”€e®»Êú’‚Ñ#BjÀz0ÅÌQ¹ŠƒGÃJ:ï8P¸&º«B_aÁå€ó4P©ü7üâ”N	ÒÏ2cñwYvlià76	°—RÑ—”�,
£¿€9ꤱ#Sû=ªÑýÖN?Mê¥Ó�äâ»c“w�
-Íø_ve×ý…9ý°Pl}{èÚ<S?#àv)“½ÈÔ›”È$¤²Ô��Ô5ÂoUG<l³kú-ÒóÛŠÖ=}Âe®1…it�0sÆ6N¹ÛD2Ïeñ‚q@J;¤	C”ÚíÀâ›tìÎCâzV�ÙŽýÉR”V¦A³àKqGHø:—!šÚXº"¼³sœLÇlHÀ´ìß®[SàF}Ø°ññgž~:Åщ|Ø—0Ù‘,C‚9eÎõ6�ÑèÚäÑ8(u~ÔQ©«ÍëÄï®ẻî«WªÉºMf,çƤ²M˶<–m¿û²^—«xtw¾‰5ê-8ó›sn£Œ†é²b�w„5•H‹2²pZu
-ꇿ¤€�7´b5Â|:÷5Ûúýç È
-¬„˜¤Ý¨„8ï•÷ÜAePÇ_sp5T2
�{ÛáÄNM_Aàµ�Š`¿sÍE–�õ€âkuŸÄE¥õ@\£¾ø„¦èÑ›¯°ŒTch†W5¡—ð?Jæÿþó­þoÛ2PçÎ4É7ÌA⟘ÂçÌì1çÝßy�²þ?U·Ù
endstream
-endobj
-987 0 obj <<
-/Type /Page
-/Contents 988 0 R
-/Resources 986 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 965 0 R
-/Annots [ 990 0 R ]
->> endobj
-990 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [389.4645 743.8714 438.2112 755.9311]
-/Subtype /Link
-/A << /S /GoTo /D (configuration_file_elements) >>
->> endobj
-989 0 obj <<
-/D [987 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-378 0 obj <<
-/D [987 0 R /XYZ 85.0394 485.9834 null]
->> endobj
-991 0 obj <<
-/D [987 0 R /XYZ 85.0394 461.5576 null]
->> endobj
-382 0 obj <<
-/D [987 0 R /XYZ 85.0394 188.0879 null]
->> endobj
-992 0 obj <<
-/D [987 0 R /XYZ 85.0394 163.6621 null]
->> endobj
-986 0 obj <<
-/Font << /F61 646 0 R /F42 609 0 R /F43 612 0 R /F57 636 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-995 0 obj <<
-/Length 2469      
-/Filter /FlateDecode
->>
-stream
-xÚ­ËrÛ8òî¯àÞèªÁ‹ P9y'ë©g×ñžfæ@K�Ä
-E:"Ç55ÿ¾
4@‘í$•”ËÐh4û…~À,¡ðÃ’\e¸I
-#INYž,¶g4YÃÞ»3p²ˆ”�±~¹={ùV±Ä£¸JnW#ZšP­Yr»ü#U„“s @Ó×ï¯ß^½ûßÍÅy!ÓÛ«÷×çÏiúöê·Kœ½»¹øý÷‹›óŒéœ¥¯ÿ}ñŸÛËÜR�Æ/W×obpx‚èÍåÛË›Ëë×—çÝþzvy;È2–—QáùtöÇ_4Y‚Ø¿žQ"ŒÎ“XPÂŒáÉöLæ‚äRˆ©Ï>œýw 8ÚõGçô'sMr.hR‚fh1¯eF
-Æ
-àýi%q®a¹'¶U³ïmÎ%„öìÃ�$3/@Œ˜<çwiWå¾vi™V�óTQ\I&Ó«B;Û#Zß"€¾€Ñˆ‰¤°íÓTÍ‘‚Â
-A„Ö_	)c¬§CÊ€ådƒö dµèž‰)’(m¾ÂÄ€5ÃÅ$¦CTA�ظ.·v'R�Ørë"jv¼æ`¬ÛõÚ+æOE¦5)„̃�Ÿ�õ8t@¨SÒœÆjBèƒ/Â,½Ë/x¿žú¬¢Á™|¼
-ÓxbJ*‹ÜeyzR¹;È 10€Ó¢æ‰b9Q’aÒ¹Y*¨7/äÁe°ÔûóL±ôþòô¤ Њ(’xËiáó]ò)a„Jc"�æ^Öƒ<àåÕ–'oZ�(gcÊ^(-ÇžÈQ¸Ï(‚g\·Î
-�>žsšÚ°¨¶÷µÝÚ&„Y
-ö| Ê™&Ü0>T˜ÌUsP8RJÁÐŒA
-ºoá.<Î\cð\aýçÂ]!ÉTÚBîØá´ß@6îp~g}fvSûi_Öp%e^„4ŒÈ'1L¹ùbÓ¶�
$JšQ(ó[?í]�òÓ¦ÂíäBžÅÕ�R6—‘|<
-ÃÒ
-Ž	pzL°våÓ•PYv;>!¤ÈUÄA
VȺ�¸µ¨�L}Üø}gëD2%‡êÈl‚‚èpû§-#¡:æÆŒ‚²w÷ð½s(
-ì«£àŒ}`}Üs£÷y·ìîí¢‚,ì®LrwÚ5�P^– ¿
¾”Õ�ãk<‹ÅmØ:zŽ#>Uv]µö5•_á°„3e³°}¥PD(v”¨¯Û&kìºô�äŠä]ˆÏk ¸Äu$‰À»²‹Ç\•èàúU;Ý·]…5»ÛðJà¡w
-œNÙÄȦgÕ1¿|_†‡:ÇÉröÁÖÑáÛÐrAqCÔ‘5ÃSõs¾/‹.îÝ©Süç×öCÝBiåÔój´ù»‰GÎ=^B†þ§ø¦ÇKHïPXËg›8ξ·‰s'Ž
-‰á‘˜9k�ÉžhâØ»`*áL¨eÕÏhâ€&-x‘0ßìpõÓš¸H8S>mâŒ&€ßwåClL‡ZX«qiS‘ÏÖÂ’PkÁ"boV�YÕ�MûSú±¹~Ìœ¯åF™ïéŸ÷ϱSIøæWÞ¯S¢›´…,¶…ñFwP¸2߇¡Ëøj§ˆ„LCþ¾o›ÎC°r;%.ß\ÀuhíÜtëßú`s
Çðó
-õÿ~×à3ˆÉS Oº|²+SÿuœÆ=_�ÀÁ
-ZÃfi¡ÉÁœ
r
;3©ÀÉs·
Bgmè'fÛW¸ …ñ»𑵻@øÈerÿÖ#gZXìqŽn!çœH©d¢\wå[/ÜÚ­Chº½¤ØÙ
ýôõ˜¦cäƒ]„.؈7ƒŸpc$1hè@þä5wÀyž‡#JAå,tp·› ðE]íèÁIëÏØVÀn»xÐmìëи!^¹Û•Ízj·¹\)r"…˜•…&Ñ#~ø¿€‡@%÷vÍŸPK¡‰Ô@$råô"õéÛ>%\(>Çüÿ
EkE‰endstream
-endobj
-994 0 obj <<
-/Type /Page
-/Contents 995 0 R
-/Resources 993 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 965 0 R
-/Annots [ 999 0 R ]
->> endobj
-999 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [221.4501 61.5153 295.9714 73.5749]
-/Subtype /Link
-/A << /S /GoTo /D (rrset_ordering) >>
->> endobj
-996 0 obj <<
-/D [994 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-386 0 obj <<
-/D [994 0 R /XYZ 56.6929 533.7018 null]
->> endobj
-997 0 obj <<
-/D [994 0 R /XYZ 56.6929 508.0329 null]
->> endobj
-390 0 obj <<
-/D [994 0 R /XYZ 56.6929 131.4617 null]
->> endobj
-998 0 obj <<
-/D [994 0 R /XYZ 56.6929 108.2635 null]
->> endobj
-993 0 obj <<
-/Font << /F61 646 0 R /F42 609 0 R /F43 612 0 R /F84 863 0 R /F57 636 0 R /F86 976 0 R >>
-/XObject << /Im2 926 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1002 0 obj <<
-/Length 3045      
-/Filter /FlateDecode
->>
-stream
-xÚ½]sÛ6òÝ¿BoGÏD>Ipò”æìÄ�6ißÜCÛZ¢lN(R©8™Nÿûíb

-üPì¹øn<€Àb±Ø]ìÄþøÂè˜ÉL-ÒLÅšq½XmÏØâæÞžq³ô@Ëꇛ³——	_dq–ˆdq³	p™˜Ã7ëߢ7ï^ÿrsq}¾šEI|¾Ô	‹~¸zÿOɨyóáýåÕÛ]¿>OUtsõá=
__\^\_¼sq¾äFsX/†.¯~º ÞÛë×?ÿüúúü�›Ï.nú³„çåLâAþ<ûí¶Xñ<c±ÌŒ^<À‹y–‰ÅöLik%¥©Î>žýÚ#fíÒ9þiibmD:Ã@%稳8‘BZ^_·x¢4Ê}»ÛíϹ‰šÝ¾Ì»âŽfQwŸwØ3QÙº¡C[ÖwnMýÕuÖk»¸hÛÂákjj»û‚TÍ*¯h¬.:ꔈ¶.6µõÊ­é‡°ìg¶±I)¢wÍÃE|YrgZ{Èâ3¬Iå’™¨npÛ,‰òª¢ŽÃÔT
-„ƒ¢á,º!î
–¦¶ü
(ùóP:X‡©çZOúäxtùë|[‘¤“ÌI	°’�äxD&æ©6Ñ
á‡û"‚ûÂáš$J
°çeU¶�/–„[Ävpm¶V ’±èw¦Y[ôq[TÍŒp”#ܪüžg@83ÀÍ6Y–8ÌÈUàèØèH6"5é"e:ÖŠÕqfŒ™·9Ëá2ÀHö$¤Nò$ÖIªû}‘ÆmÞ­î'*ÉÅóQè>B¡Jc#PxBˆ<�e"¹gu½&¹”uWì�YꜬʎÄf¥¦‘mãM
~µ»bU¢Ã…]G…[
-'QÒ/(˜U¼H	÷*>>
-½Cióy€qµ ¢´T[$TVÛÒW¿Ê:™p³Q

‘M`î딡çÛ(±ê�½»¢›cQxr[gÒAÅÍ•[25©â
˜ÍØpÊVúp`C-qflyªr³`Öjp
-ESŽ"4Ô<qz
€ù¦³õE[R³O€-JWut…6;èQ
-‡ÒPU0˜‘ýŒÛŒ>¬öϳÐuJ>[Åñö¾y¨©{ø(ê�)jeÐ	ø­µŒ~íàGŠ	Ð�bÂWN�Ó0É-7-v«|€aÀÍyôÇ•:õ:9¬íÚoWË•Ó²1¦vW[6¶AŠN‡hm á«ÊØÊÃ"µžU�Bù‰çÏùGnélÌ-=¸ÆÇ„ÇqãêšFaY¿»r»ûdiD�	¤iÏBã#Âcz昙9fΨդ"?¨Ý–{ê®ËA횪°ý
ÆÂjȱ——`(�þiTLí«àVYô—%JÈ8Ã÷�
£ÿ"k8��¯ð22yù’f®.ña†9ÓÝÃRײ|7ŸàÚÛWˆ)	pß¼»xO½M¹÷ÄnJ×A%ìXx¦=F^4¼ˆ_{ü–æÀgà81§mŽÐP}_
‡äqèïiK•"[æLgY0¦2sö^U9zrì¾­T�ã�3ËïCë„óŽÛ{7 Fßò4óÿo|ßÉ7ñd¾‰§òMŒùÆÿk¾ñÿßäwòM>™oò©|“�ñM|ßÄ÷ñm´�šn ‡¤áq±Ú`� FGÒîÌ»=9²jy×[¥9£äé�å>MŽr”Q}C�}ZAüt‘3}�_ÃÞ�-P`Ïå»mSç·Ï?—6¼²]§ó{ø‡Qè’ÆžKUh¨¥.=;$co—$�·;ÏØ—La¢+[Ör/µ^´å¶¬ò=
ÒCµ'Nˆ‡/ÊE‚éQ	,±Þ3|Oú_3$‘Š³ø‹£â:ãq¥s
}6‚¸ú e&Bpq]æùˆ]ýõÁ‡„À'ÿl#¤äEº*¢ÌŽ8†¬Å‘ �ÀÏ04M“ð8KÇ°j�I|„‘*Q1#.ÿ
#{ÙA²‡¡œš‘
-
-endobj
-1001 0 obj <<
-/Type /Page
-/Contents 1002 0 R
-/Resources 1000 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1006 0 R
-/Annots [ 1004 0 R 1005 0 R ]
->> endobj
-1004 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [238.0484 689.8302 311.8142 701.8898]
-/Subtype /Link
-/A << /S /GoTo /D (topology) >>
->> endobj
-1005 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [353.6787 61.5153 427.332 73.5749]
-/Subtype /Link
-/A << /S /GoTo /D (the_sortlist_statement) >>
->> endobj
-1003 0 obj <<
-/D [1001 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-394 0 obj <<
-/D [1001 0 R /XYZ 85.0394 132.7054 null]
->> endobj
-707 0 obj <<
-/D [1001 0 R /XYZ 85.0394 104.7571 null]
->> endobj
-1000 0 obj <<
-/Font << /F61 646 0 R /F43 612 0 R /F42 609 0 R /F57 636 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1009 0 obj <<
-/Length 3019      
-/Filter /FlateDecode
->>
-stream
-xÚÅZmoÛFþî_!ô}¨¶ûNnóÉMœœ‹ÖÍ9:mq %:&J‹ªHÙU÷ßofg—"iÊv›.
Ìá¾ÌÎÎÎÎ<3”˜qø/fÆ2뤛¥N3Ã…™-ïNøì#ô½;aÌ<š÷G}³8ùê­3Çœ•v¶¸éñÊÏ21[¬~L,“ì8ðäõ—o/Þýýêì4ÕÉââ‡ËÓ¹4<y{ñÝ9Qï®Î¾ÿþìêt.2#’×={¿8¿¢.x|sqù†Z=Ž0½:{~u~ùúüôçÅ·'ç‹n/ýý
-®p#¿žüø3Ÿ­`Ûßžp¦\ffð™pNÎîN´QÌh¥bKuòáäoÃ^¯Ÿ:©?Á™TVN(P«)Ǭ’Ê+ðl�{€‘²7RXÆ•K�=©·«b;Þ©K™Í²ôÀì[•ÌeY6½Ñyd8ïs¤MDãœÙ45Ã]4›böÑß±”LsãÂ>ʆNoUüĹ\+zÍCóM]UõCó5ñ1i�ÏÜr¦š¨H™S2óü–UÞÀ\Ë9‘ÿZçw˜—„†v¿)¨©~‘ØóŪ¾Ë˵ïüW�IÇ@¸Œ`ÎÑS¿ŸáÉrýqb«seXf�™Í=’ðâæÚ]²®ñ™E‰±©<I Qy%ª¤X}	-™MÚÛ‚&¬Š›|WµaJ3i*36Í‚ŽÏ.ÿ9}ÖéhOŒØ‘pYÎ�¢@¤MÑ­å;�Êæú²eGdKÓR›ÈfŸ–�í°¨;K™Ê„žÕP\´*/.Y]_¢)þ$¥žœgp†à?H¨¿Lˆ­agJ‡
ž
1ä†çMVÒü´`$­Š)®Ò¡
/¢lUñ1¯ˆ¼Ï«]Ñ݈í„pYŒê;‡i“Ô‚¥èoh`¾=YR|=v$‚;&àÏÌÍ2nôK<‰ÒKy:ršnV„ÃÕQÌ=é¶i^�Œ3FάÛÔÜ*Î2æ1íÍ„aœžÕ–ie�&ØÏoà�kÔ454zU,k¯Ôž—æQÅø"¢ÛÝ–t—kz’IÂ�0½Khß?b4t—0iÄ…'¿×ëÂ[�wAvÛ¨
-6>omRð¥\úšù4mã¹*€‡õ_Î2Î8~€íݹg܈‘Öø�oó5¸ö?x~¦¯vx�Ÿ	çϦ¾‹ch!O ÊZïmçÓT4Öºø¬ZçÀ‚ΞÑ: “
-Â
-"óõž2ëfS¯Ümꃻï£="uÖÜ¿%Ðè͹“’�D%!§ö6o©å6¿¬Àfp8ÒI°ÁÃX…Ût†Y-F@·„ÈéÑìnPZ:y¥"iëˆÔ _2ê4¯ò}ð
- H£ðR9—<€)¨›î‰C-Á(Ú©4‰w2ÐxàK‹êdy[×ää½±$Ƽ
²Z�lêÒëÓ$í­W4‡\['WWMúa1jÛ¢çÂûš¬›Áp�
-ÝÞ*´FfaŸØ?!AÞF@Md^BïÙ³ä�v½ÙøÙØ’o’M
-¢ˆ-õͨ'lÉ2ô­‹eÑ49©xüùˆ¤#3—ÍúWü“œ:'ã ïûîi‡6ôCR)£ÅQ2…�X£ºbªÐL(°F
-ø°_ƒÊÚˆ.ÞßÛ¸:(1‰KdʤqTcøÞcų•M8o.Àv×Ô°I]ÝÛ†šèVµ4’–Åæ7—ˆ¨êú—ݦ¡þ<Lêå©ØìÍš¯Þ¾Yf±z$T²k‚³á
Gê‰;Ch‰;$(Сq‰ž,Øë/x½×åõuUÐ{•_U.½�ÚÛè$‡0‰K–šõ\¼·ìâr1Ub�„X¦±ÄBõÄNNZ‰6‡º�¢�Àx—Dš\ïZ·ª©›7ñ¼ó“&u#ﺕYªçM»¯b4ïÔªQAãøzfŸBFë
-øçå­WiŸ¹wmHPCÊÑ£*?Þ¶þ�ò«ý…ªƒd.C�ú`¨³dCéî}¹ÂØ‚9u
-ßÀò÷¡5–ŠñÅ/�ÄM
-"Mó¨bl
-¥[‡û<–1$¬
>#ÇçdļBY3²‚Ø;q©ÓC®÷qÊ@¦._ŸªC`9+žè²¢ÚƒÊ4¹ƒÌÜõ€­pn„ôõ¦-
OLpW .º�
SK“\EîËâaê+�
ÒŽ3@þ)€‚ÜkºlIhŸTÀ{¸b_†Ð
-endobj
-1008 0 obj <<
-/Type /Page
-/Contents 1009 0 R
-/Resources 1007 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1006 0 R
->> endobj
-1010 0 obj <<
-/D [1008 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-1011 0 obj <<
-/D [1008 0 R /XYZ 56.6929 667.1591 null]
->> endobj
-1012 0 obj <<
-/D [1008 0 R /XYZ 56.6929 655.2039 null]
->> endobj
-398 0 obj <<
-/D [1008 0 R /XYZ 56.6929 286.3754 null]
->> endobj
-967 0 obj <<
-/D [1008 0 R /XYZ 56.6929 260.2665 null]
->> endobj
-1007 0 obj <<
-/Font << /F61 646 0 R /F43 612 0 R /F42 609 0 R /F57 636 0 R /F84 863 0 R /F86 976 0 R /F14 620 0 R /F68 728 0 R >>
-/XObject << /Im2 926 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1015 0 obj <<
-/Length 2789      
-/Filter /FlateDecode
->>
-stream
-xÚ­]sÛ6òÝ¿BoGÍ„(>Ià1M�^:WçÎqŸÚ>Ðms"‘IÙuýíb
Š”h%�v<c‹°Øï]‰‡?±²†qåô*wš.̪Ü]ðÕ=¬ýx!N‘Ò)Ö÷7ß½ÏÄÊ1—Élus79Ë2n­XÝl~MÞýûío.¯×©4<ÉØ:5O¾ÿpõA}Þ}¼zÿáÇ_®ß®s�Ü|øxEàëË÷—×—Wï.ש°FÀ~NxeÃûÿ¹¤Ñ�×oþùíõú÷›Ÿ..oÆ·Lß+¸Â‡|¹øõw¾ÚÀ³ºàL9kVÏ0áL8'W»m3Z©Ù^|ºøßxàdÕo]â߈“jˤ€3¾åZ!™sF/_ËAË4?síãpVÆó£âÍ2RŒâÕj%sÆH”¯ã, Ö\)Æâ½B{DÇL¦â	ÎŒ’@¸Çø¸N3‘ÜÀ™\‹ŽÔÈ�ÌZæ„Å‹W_V‚qíœ"œÉØ¿ôÀ
øîÃN®~há=«É“â¹éä`ÿ"›MVÈœñ\c8¬ŒžTl·íZ˜ä9}ÊÒþ¥ª¾îé�VO¶;ÁDƳðN@Ie®’¶Ù¾àH'�Uw·V<i;TÉdWmã
-é’}S7÷'n�ƒFƒj`ŠË^1㈔N±^§eÄBZ¶Å®J‡a{|±� ©¤pöækáj5Shô̳ùÝŸ*¯_Z‚~¡Òh•4ûÝmÕ°½£o_•m³é	ah	X%í‘IA+ø’¸¡{Š‡Ôͦ.‹¡npЊۄ|S÷Åí¶
-§âiu³É}Àú�~óPò¢•ÍØ©,ŒÅèN®>ÞL\NDJ57Ìë	é>Åžn-l¯ÚíªfSmÜ&à^
ªàabSÝûí@“x¿É§<E•²ãýç÷£|¤Š8ø*ÁéÌ]Ý쇪§«P4‘†]ñG½ÛïhòTl÷Õ9ròœI§d¸JØez2¦¹˜�£NÉa¯�ÉÀ-Šì+F0Á:c	�‡¦�רES
-🤛}‰ì–:iªá¹í>ÓâÐw¸þ粤u¬ÕMI{‹¾"zú¶ÛMY½AˆÂ…¥ÑHà„~hicOkMu&ó0‹¦®ºž-Ø@ªá1™Qs×~ÊÎ#d–ebÔJoeR%ûÞGŒ\bhP�…Q<@�ãûjï`tç HXxMêf\�wE~ÄEMž¼Â†�Q›ŸYs°Ù|´ÙS>Až%®â[ø㌔þœš„F«óhl|ÙÚ”ïìLÀ:øQ ÕÛ
ZÝ£áÛDA®å_£<xY4M;Ð-Õeååã<ð«x	Ô 
-{+
F�Œ�)Ôs½Ý’›¸
.¨¯· xŸÐ ÇêÖâ'øù*ú°–¾yð¦á&ð]wá€j˜cô¹4x]ˆ~ïU—¤!¡“™Vç]Òëu—4bá“Ú~Hû
Ì°ê²O�ó'~	2!Áãž%bÄZ bæ—r,<t6'ãZBfca”å‰EG’C�}¬Ê½�w€B–ƒƒ•úÐaÁtøâÛhõð@Z
™v5˜“d
-Š3ÿHÓd<9�Mm=s{ðDË�¨Ý-†ÿ,¯h¹M^Ö’'U˜ÌcúbŒp¯7%¦œý{ÂRŽt\ý•¦ÄyU±3\L¥žhyÆ«­0Â2ÉÝWz#–O ëûÒ¡zS/i
¬ë`v¢¹a¹µr5½àÔÁE¬:fÈÍ3X�òiš{(²xD'‡ctrø¥äOql ™m¸Û{rY4~¨ýpõéÓå;ÃË›""†;‹ýÐîŠ!ô¸rάTæ()‹-æ¨è¥î«¦ê(AUB$EOà‚¦ádï½ìiøæ¥)vuIÀýãèiÃÜ1ï•&)ä½1L²Zì]O¤0â§Ó
§R8=—ò‰’J/¤
ò°j £4rùéá'š0b}�†“ÓB!tN(AÎT<†
B;A
Âs3Ü°ÜÅ�àE+µTU�7âÚƪ
-µ‹Å´üz§™Px’r®D‚Š"Y¨_åX¿ÊPK,j f«…TiRËP'Ë�Á
-Ü$¿ôxÕAQ_è¾!TGzJ·;GÅ|Oc¢Íż á10*FÓ�	ö¥Þ�¹Ý‹m¥£3'ûl0S€Þ¾Œ›h°+zì/€H¹÷õ=ûmñðÆR�Þ¤ó§�Z
4–¶ë£5B}2â™Zx‹|Š}
 ¦îXø[/ÈA?²lªqXu�§2í�z&8S„m&䄵–¾ž‡æciâaØÁôÐX�âäHõŽPG}!x4ÈcþT5Pçß©°Š›R”ó*f#è©®ž	‰ª�ÜoÛ[ïrÈǨ<ò—G^àžƒØaâ3$B
-¥�ejb·aÃþ–@HOÿf¶¬Ág»Ç%eÛó¤Õ08aÔ¬�?a”—;0ªŸ·¾Æ=�ͤùµÜù…ÊÌqБT)(A­šý²eâ/[#­ÓFþ¦½Z9f
ŒKn¦…,Ÿ÷‰|�ÏeÔñIbå;„/'½žyË ‡hµ-¢õù-û¯B³p7ØV†ìíÍ1§ŠáoµìµŸø•aø›ûBpàc‘ö·þ?ü@©s¦ÐÙ/G,ˆ¥Ë#QÈus’Ée™±2_ ýÿ£� |endstream
-endobj
-1014 0 obj <<
-/Type /Page
-/Contents 1015 0 R
-/Resources 1013 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1006 0 R
-/Annots [ 1018 0 R ]
->> endobj
-1018 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [326.242 251.4486 375.5914 263.5083]
-/Subtype /Link
-/A << /S /GoTo /D (dynamic_update) >>
->> endobj
-1016 0 obj <<
-/D [1014 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-402 0 obj <<
-/D [1014 0 R /XYZ 85.0394 648.9507 null]
->> endobj
-1017 0 obj <<
-/D [1014 0 R /XYZ 85.0394 625.2603 null]
->> endobj
-406 0 obj <<
-/D [1014 0 R /XYZ 85.0394 105.5187 null]
->> endobj
-940 0 obj <<
-/D [1014 0 R /XYZ 85.0394 83.1283 null]
->> endobj
-1013 0 obj <<
-/Font << /F61 646 0 R /F43 612 0 R /F86 976 0 R /F84 863 0 R /F42 609 0 R /F57 636 0 R /F58 639 0 R >>
-/XObject << /Im2 926 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1021 0 obj <<
-/Length 2359      
-/Filter /FlateDecode
->>
-stream
-xÚÍ]oÛ8ò=¿Â�
-Zóø)RÛ§l›ôRl“½l
-°-
-ÅRaeÉ+ÉI½wûßwÈ!eÙ–_[à
"r8r¾‡c6¡ðÇ&*&q“‰N$Q”©Él~D'w°ööˆyœi@š±~¼>úÇYÌ&	IbO®o´¡Æ°ÉuökNŽ��^_^œ�¿ýpur¬et}~yq<åŠFgç?�âèíÕÉû÷'WÇSf‹^ÿóäçëÓ+\Š=�Ï/Þ $ÁÏ¢W§g§W§¯O�?]¿;:½îyò˨°Œü~ôë':É€íwG”ˆÄ¨É#L(aIÂ'ó#©QRˆ
-{B)nÿÎJ�‚QÅú™'c
ïí$D¸Ù²iá¹p Vb¶ÖJŒ!ÎÂÖZ�IÐ
-gé²uú
-M4³ºÔ~ÿä¹…pzzÕ>ÏáÁ›½¡4�Ý•‡dY1lFÑ î�G4Ë%‰{žžÊOÀ=£4ˆ©ïÃ
Ãÿžû’þÜ^ "A98‹AXÒý kÎÔ1„YJשË÷=ß2oÒù<õ²Wz³™
-1SÀ¨H4aTiê+¦~­ïwõ!eþ�—ÿvIØŸ¬Ìî–Mê5
-@)=BíÉU[d¡Ë=–€Z�)aü…C“z‹+ˆ´F™®l›]'Ñùí~úö!LÕrÓ¶÷Ÿ£)”&#f¢ÃÏ*Î |Ö·`ì›h^ûêpDw¦�V‡(�K¶s|ë²VGbn2ëúQGébÑCkùçƒéÑÁÙV©^LQÃÎTW†móR¢ƒßL•QqWy^3Û]ÔÔiÀ¡!ƒm«Û£íd-6‹
1wD>Š\mÔ
ò‰ÃÇä#˜FÞì!¼í<.$áFò¯=kDørtà¥	ï"TÂ6�Îÿp²û|ï‹WeëØÏÁ´Áßüãóú—y©·ÚX®€…·—²(¾sóð+õîÕÿOÀû/endstream
-endobj
-1020 0 obj <<
-/Type /Page
-/Contents 1021 0 R
-/Resources 1019 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1006 0 R
->> endobj
-1022 0 obj <<
-/D [1020 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-1023 0 obj <<
-/D [1020 0 R /XYZ 56.6929 607.3833 null]
->> endobj
-1024 0 obj <<
-/D [1020 0 R /XYZ 56.6929 595.4281 null]
->> endobj
-410 0 obj <<
-/D [1020 0 R /XYZ 56.6929 342.1161 null]
->> endobj
-1025 0 obj <<
-/D [1020 0 R /XYZ 56.6929 315.4194 null]
->> endobj
-414 0 obj <<
-/D [1020 0 R /XYZ 56.6929 169.5524 null]
->> endobj
-955 0 obj <<
-/D [1020 0 R /XYZ 56.6929 137.0813 null]
->> endobj
-1019 0 obj <<
-/Font << /F61 646 0 R /F43 612 0 R /F42 609 0 R /F57 636 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1028 0 obj <<
-/Length 3495      
-/Filter /FlateDecode
->>
-stream
-xÚ­ZÝsã¶÷_á·Ê3K
-?ì¸�þïÝÅ. ’¢ÏwMGß‹Ýß~€â2†Ÿ¸4:Š•M.3›D:úr}¸ˆ/·ÐöÝ…à>Kßi9ìõíýÅߥâÒF6•éåýÃ`.ÅƈËûÍÏ‹7ºùËýíÝÕRêx‘FWK�Æ‹oßxKKo~üðîýw?ÝÝ\eÉâþý�ˆ|wûîöîöÛ۫¥0ZÀxÉ3¼0àÝû?ßRé»»›~¸¹»úåþû‹Ûûp–áyE¬ð ¿^üüK|¹�cGÊ}ù•8ÖÊËÃE¢U¤¥<eññâ¯aÂA«:Ç?­L¤�Ìf˜¨9j¥J*ÇÀ÷WK•èÅsÝSaS¶ëú±h¨ÖíòKé"'Bs%Ì¢8Ô]Aõ¶hBç²¥ÿmùXV[*×=�_å^ ïòk(¦vqÈ›O¡gÙÑγ¬êmÏŧr¿§Ò‘Ö,*žö¡oºl
-ú'5sò²á>À¨âÑ�8Öm[®ö,S–d:fJ¥ækdÅB—ýöü¶Û°
-ýïxÛ£ûrûigéX#S
ˆ±øTu5a$Úɇ”
-:tT€Ó"çÉ
-:åÜ—µYËRƒÔ�^Ó¨YuËt”ÄV�ùGà#³t(À2Ó‹R³7º}gÚ#Ò†�Mãsðž¡ß	JѼ™ÔI+68i¥‘Ýõ�?Ðæ�´Ö§=Ì@’΢DÍ}ýÚLªõDZqö’q;*îª	(y‹L2ìlpCÿ^†ÍË0VX†�egÒÿ$­ïÿþ�H•Lðt”\h!Þ·T!Ç›7ÜLœÆ~ýñX7Üzš˜E	hyßÕ‡¼+A:÷ÏÔø�Sc~’;Ð`ݘ"¢â=
-9î¼R•-:OŸóƒc
-’Ú—àÜÈ(ùr8mʤ÷‘k³@©“ D¯k\fí'ù\%ÿ»›v÷'w ãÜmwJ6塹
BG 3ÙXC!6È©«ñ·…€ÊŽG&È<”
-2£ØÑÂ^«Ý8¤1h¹2ÉúRO8IyàÅjn
’•Ò!š‹‡šg)~Ëè3ú=–¼#`£Âù§ªr’ò
 ¬úíö™‘¤bhY7y»ó±…G©uÝ4WfÑ;nÀP‡J||(1s&€õu&Ô$Âcq±©æÄ_&Q–yÞ¼0#Ó©D6på¡‘Ü zWhÁ‰‚2;QÐ!ïºâpìxXMÿ¼H¶¸}ûá#� hëúpè+
-·S¯,„™ �ʾ<8G*óÖ
-
-UX9·úQ\…®Aµîû*PV«ºwÚ#ŠqŒ�bÄÁ"#þã°±M„$r`dù(“,ÇþtI“L¤âö(›id>pjÆ‚8²æžgÃÞòµ‡dŠÎ™ÛyÁ’2ø¾aÏË#‹ó¬”e˜åŠç•$K‹(¶V|a~5ŽC¦îSñü‚'¦R1e•R	)¯Ò,UHqX†->hÏgM%Ü•Rƒµ§Oè!¨Ä¨Ë$Îð	!û’ÇYcÌüSÄ2̸NIïcß”]eò´²Ó¡ÍœŸ%áÚKܦ@�©<7V|þù‹GûËdÌ€éôPTA š 2jÍÜÖ”ô„õN÷@&—FyÂTQÍ™	À©²d5€n—n7®¾…`*ßóóFLbìþ�X;I.OœÚDÛ—„"³ØŠ×έmðþG(
-ÞKïÂ{Ø
xä¼ö*$N›œ{üБˆm0
´áÙ×�4ÙÙòœû‰Áq›zHœN	9w¶FEµvA–Ï¢K«#þÆîIê4Âgæ°«‚)¯Š)C|’_N2ûršÙÓÜú|î¶ÜVy×ßHœØ�ÒŠ)Û¢*8õ†ª}ë#žI¸Â-¼F
-¶FfZBbÇ5;çË…_ÇcQQr>Ä_™ŸÏœ<Ô¥rqCÄÑY°{ݔ۲ÊùaO¶f4ÛHR¡aræ8žš—n¹ýÚ—ìö�!Ýldªo[={¸÷Æ
™#„XÌÆÈ7{pû-xu‰W.,l›üpȪ N^–je£,Õé+0Z'ÎrÑ8k¾ß×O-•p$NÉö]yÜsœã.Ì­0=ñŒtO`3ŠÇ +ЀQ+sË>O/Rˆï�˜xœcÏ\ä@tè…Î!Jbt]Ýp|þÙÕRÄÈ«`¢Ø,;ÜTO0â^À™ÃnZ��Ý,	nœLS¶ÉÙR˜ûßî`Á,¾‘�¡´kœ4b7ïG}®<ìÿ�›|ê,KÿŸ³º¿(bAÚȘlòžöŸo^`/ÄÞ‰ÍÔ‰¿æKùû–ŒaÉÙóaòé'�ŸËè„ñ/¿À çŸ_ÎLêÀFRšC"MÌuKÕ·>~¼}Cå“EÄ¡JÝa‚Å~سlýdíº)W�\Mý™$îÙÄ€J¢T+÷q56ÛK*Ü
¾Šý—Ã
ç_EœÏ‹GýX¬™ñ°еéntœIìh3çfp§Wvp6圜Âßx~.½3®klÓ3Å'f+˜M5Êý‹¡k%UðQ �sðbqìWûrMeBX Äª¢ÌüUuµÌ{@\XìÆ#�åàEÅa=—~p�š³@„¸¾ò[ñP')´öÏcKBšU¯º¼$—P¢+HÇs€�¥k*%§1%ztkv³%W"ùëéúi,N,Ã'é T7~†–
-ÇüÁ�»–Ü£¯È–¡åUéâGDûuAçs–’X­åbG¯UÈJKñÖ¶ýÀxr’JÓËŸÆpSÎ-9@öÖòšš)Ò’i¹î8Wúûé\ª|0`—o¦ûyÌ÷åÆ��døZ€ú
ïÔ¥gµG¢éÙ}fnï웃8Ê*3"œ spí
-¡ÿ*$K“¡oÈ_t¡¯>¼Þ‡ÉHÖºÞè¥ïî”Æg¸90ŽƒaþÝßä�>XLÀÚ#ça]Åid¤Íü¦�…Z�ÿñÞùÖÿ[¨Áqendstream
-endobj
-1027 0 obj <<
-/Type /Page
-/Contents 1028 0 R
-/Resources 1026 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1006 0 R
-/Annots [ 1032 0 R ]
->> endobj
-1032 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [461.1985 140.8476 510.2452 152.9073]
-/Subtype /Link
-/A << /S /GoTo /D (DNSSEC) >>
->> endobj
-1029 0 obj <<
-/D [1027 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-418 0 obj <<
-/D [1027 0 R /XYZ 85.0394 306.4089 null]
->> endobj
-1030 0 obj <<
-/D [1027 0 R /XYZ 85.0394 276.7192 null]
->> endobj
-422 0 obj <<
-/D [1027 0 R /XYZ 85.0394 193.529 null]
->> endobj
-1031 0 obj <<
-/D [1027 0 R /XYZ 85.0394 161.0298 null]
->> endobj
-1026 0 obj <<
-/Font << /F61 646 0 R /F43 612 0 R /F42 609 0 R /F57 636 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1035 0 obj <<
-/Length 2836      
-/Filter /FlateDecode
->>
-stream
-xÚ­Z_sÛ6÷§Ðäåä!
-í—k7«ŠyÑV�æºÝ¦�Aú±êî›å¾|ðl°Ý5ôÜžÛéŽa³Þ­º
-Ö£é±Ý[ŠÚ�»,ç÷À¨œ¦9‰•Ê"‚©@³Éu$¥?1 ð±å�!Ž¤
IÇßnÊ9Ó(Ðz¬V+šrÇc­s5µîžFë´»;Päx%öŒpˆia¦¯.èγb¬iš	ª³99-ÜvJ|ØéÃ9؃·`è
-†£(ä¶w3ãLNœR}R™Êƒï'ˆx1øÉñƒË ðÖ¬ÛŽ2É7”íÙ'êbæŠûÁvó	pI“ôdº™i°Íçé¦_©áÜžî
¥œÏÁr«»÷½@Í”z"Y´¥DŒ!Må¹P29•%cÒ‘ËÄBêé¡Z�h¯URzlª½)ëÓNUøÒ”þøj}É„¤ºoyÁØ PVÚD°~^Ñ”°N1]”]I4ïÕ°qÇCÀQ0É×ðŒ²+‚z/bÕ¶/Ž_î÷Ë£F³RipßÖå
-Û¥0’À†÷Îf`>%@Tiùë*Š ÒŠ•Dß—õNÑlf:˜6|‚� hVõ~bßi&¤IƒK
-L"¹_&¬Vˆ#o:hP`ÁÖ‹!{A­`j~^LH¢r›«ÓÞÀØgÞÑŸNÎÁï¶�3©V#åfƒ6¨Š‚­[�÷^iÐÚ;=B:�°�¯|I„3a/زÁ
m"R“OÿÕ3ÃK�0aÖÚ9ËÕÎQ³bæþð.5èá¼:†×#çECš§�üEäzE)‹•†“,ðÊ�Ÿôàì÷�ªék€ÀEI¶V˜²'t-и/܈uüVyî(/ñÒð»ñíÎŒ†Tù°hþ¬À2¼XãøÕr{~p@d‘Ù¨»òWž¼á„Å-\=gZ㯊ˆk¸Ãh$WPX¤ê³3éïÏú]p8ÔV
-‹UúЋüóܼ%@Ù1Õ·bØá]5Ì	çun|Ò�Ðã¹?v•L‡ÃW×ãi0°[»ó½n:^�­É§¨«°X=¯?ì…^ï|Ê‚R@öQÚ[9ßHU!ßAD²#o«ýñ�&-W×ÁsÓü½VÒ�õ¦Z¹Å,œà½¼ØÁu–*¼4^}¯�\¯qŒýûŽBÕFÊ*
Gœ|†cLÓ"–6_5ø €Öðh?P›âiM
w¥úkaÙ'`jpI„/Q`’ƒôRÑqãà®k`v5‡SåôŠÖ45^yNª
-CÀkFÈ`Õá'àÑV΂l¤c;ô±úxÛKŸø‚*XÜþ4“Q53´k:Cw¿CR2¯Žåì©•ò$¥MóѶ‡‡ýeËAüš~ä<e*
-eóç©éÒôÙ”ÓbýŠßÆv¡úiæPgïŒêŽÈaH@2óGj–½ì•!3‡’x씿8…„-ËQ:.±Ø½uO´¬é$ó
7ý¡˜Ûµ|ÅpxΨÉÿ¿mþ=r‡Õ¨‰MÍh×û‹/BVýbø9Ñ"ËôAûò%M¹õèÆV{ßìVjsq„M¼îö�À›zµë›í¯á4 gÈ«b_cŸ,e"üï¥åOpù£ g£ã¢¾Ý6ˆ'ßéoLXx·}¨æÜ隘Ä#90\�D?X“Ù££áO‹Q
åq
K^µA´tnÿå—X²¬÷<Äès¼kAB°ÎÀVƒØ»ÚÑÇ­Á'[׎ù�u
-endobj
-1034 0 obj <<
-/Type /Page
-/Contents 1035 0 R
-/Resources 1033 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1006 0 R
->> endobj
-1036 0 obj <<
-/D [1034 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-426 0 obj <<
-/D [1034 0 R /XYZ 56.6929 769.5949 null]
->> endobj
-1037 0 obj <<
-/D [1034 0 R /XYZ 56.6929 752.2115 null]
->> endobj
-430 0 obj <<
-/D [1034 0 R /XYZ 56.6929 622.2614 null]
->> endobj
-1038 0 obj <<
-/D [1034 0 R /XYZ 56.6929 591.5303 null]
->> endobj
-1033 0 obj <<
-/Font << /F61 646 0 R /F42 609 0 R /F57 636 0 R /F43 612 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1041 0 obj <<
-/Length 1083      
-/Filter /FlateDecode
->>
-stream
-xÚÍX[SÛ8~ϯððDvF²,_†'Ê–ΖvÓìS·“¶šúVI
ÒÂ_Ù²'˜�@:ÓɃuûÎMŸtŽ‚,[ÿ�hãеüÐ…ÄFÄŠÒ�m]ë¹ó
ª×€fè®z7�yÈ
-aè9ž5™udÐdMâ/‡§�|šŒÆCàûЃC@<ûðÝÅåŸf$4ŸÓ�—gçÿŽO†¾{8¹øxi†Ç£³Ñxty:¤ñN-áÀÙÅß#Ó:Ÿ|øp2~�¼Œ&­/]‘�KG¾¾|µ­X»ý~`CĺÓ¢0t¬tà‰‹q3’>þivf+h_ü 	¿'€Äïù.ômŒ,Ÿ„Ðî"xt4žm~ù-�™éPóL*Á#ÅbÓ¿åìδò™ùª›ÁîiZ$Fyj~ä+ãmÁ�gE_”gŠòŒg×µÄ,Y˜V1¿JxÔôh1)ùUR+ºÉ¥’°’¬=‡š
Ϊ‚Jqµô cÔ�úY
��68C%µ(j\J¥bâ¸ÏúOÖ„v¯g4�ñÕ�Á€5ùúXOb��UåfòèÌu¬3+•»¾ÞQßlUÉOi²ÚM|+.~VT±”eª¦¦ iJ…‘·B
-Ö”-˜œæbšåô¥ôÞÀ’üHþ£†fóôª9pÏâšs	x¬oÆ|®^Ä¢§XÅÓí°Fo÷d¬ù÷Ðä¦BŸ;®6Ñ9ç[<Õø\ûÅ0V
™ÏEÄ–Dä…Û!ÒC…D„@ùeƒ¾‹I…ÿ£{›vÆ—ü}–…U–AÒƒôŪ¶
-Üz]ü§†ùb7÷k˜BìøäiÒR'2}ÑòHnÃVgɯÁ-MxÌÕhÒ3¡{[2GßÉt‡ƒ˜êó$ØL§…›Š£;p{'XW›‹�@•®—@ ·þYÞV&Ý»o+Ö‹*™Ð[ÖW#tqO–{}VkÁ�~uÁ
êlÓÒîMr“"
í¡Hp~m‘€^]$8¿_‘€^Q$8{(Ê’_ntu¶¹W7Ž7”Æ}omýž*È=/c»}K½ù¾ü“B?Èp8íÛÅ�¶=8¡ßU†Š�uËÛûSÓÿ[
-•Tendstream
-endobj
-1040 0 obj <<
-/Type /Page
-/Contents 1041 0 R
-/Resources 1039 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1043 0 R
->> endobj
-1042 0 obj <<
-/D [1040 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-434 0 obj <<
-/D [1040 0 R /XYZ 85.0394 660.4512 null]
->> endobj
-966 0 obj <<
-/D [1040 0 R /XYZ 85.0394 633.1083 null]
->> endobj
-1039 0 obj <<
-/Font << /F61 646 0 R /F57 636 0 R /F42 609 0 R /F43 612 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1046 0 obj <<
-/Length 897       
-/Filter /FlateDecode
->>
-stream
-xÚÕX]sÛ(}ׯУ½3°‚ÉSšu²élÓ]¯÷©Ûñ(6r˜Ê’r·É_ddY±åÄq=mv2pî=÷.ù�ýC>e�	,üH„�ˆú£©ø;wá¡j
X-ÍUoÞ¯çù
-†™?H²88Gþ`ü¡Ã †]+!蜽¿:¿¼ø§Ú�ÂÎàòýU`tÎ/ÿè¹ÞEÿôÝ»Ó~ NQçì÷Ó?½¾›b•Œ7—W¿¹ášBû½ó^¿wuÖë~¼õzƒÚ–¦½( ¥!Ÿ½lÍ~ë�Ný[û@$ö§^H	¤!!«‘ÔûÛû«ؘ]B[ý‡ˆ	Ã-¤QÃ�œAÊîGT@F0Y:pß
u—h�æ`ÔWÙ,:Ù|z-µëŸ”VZU
-½x¹®ç@
-endobj
-1045 0 obj <<
-/Type /Page
-/Contents 1046 0 R
-/Resources 1044 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1043 0 R
->> endobj
-1047 0 obj <<
-/D [1045 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-1044 0 obj <<
-/Font << /F61 646 0 R /F57 636 0 R /F43 612 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1050 0 obj <<
-/Length 3486      
-/Filter /FlateDecode
->>
-stream
-xÚ¥ËrÛFò®¯à‘ª
-áyâQ99ŽäUvãdmå²I
ŠØ�
-°z¨º},�-7x
-ÚάÖ&Q¦T,t»ªídÁ‡r]¡»a—€n¥0èLX÷Àw�:Àwßð6°¥—7?36/
-F·mÙÊ€�
-
-3·Vðî±
'B‚H¼¨bú…
-‘0XaU¯…GÕñ€fƒâš‘$œOY�ì°.„qE§7DäPí«“ŒÈùS�h+¶Ìò°\jò/ÐO;�ï0z¬ŠnÍ-å]ƒÏ:%î!v

-9Ç`™"’°+}gK]³áLB9d)±²!ñØW÷[Yœ.»|M1#Q&
»FRð‹-ã«š“É "˜Âk.`Á3;Ð1f|I¿…W“]@š‘B&x®/nÃd&l\��ç³Z%g“~–©“M–ÿ>‘:
ı¼Ïc�}lØ•]Ç6b9a@R“!„Ê‚¥mbÈ’~lZú«2F¯“IÖŠQ•ÓXðïOtö-7îÊ-'9
-Ó0äÅL_'>r^eŸÉôè–ÊbvïÝéîKò|cÓdCpè¿�.˜t"†½?öIf ¤ ”�J¯ËCÇ„’#?ùŽ">À55i	ÑÏFýwPlõèKÁË:Ž1–Í!ê·PU6/ÎGHå–˜aõi±Œ‹¸¤øÀ²d+S
Ö=
uÓ�˨ƒðÂôwò£È‚ÖaÂ:
-Ê(†(
-
-֋
²i“‡„ï>Ÿÿ‡`Âæ�ˆ�)Ìs|ânÌ‘^(KÒb+NŸ¦<KÊN7tIØxRkâ
-)èsIø-—f0å‰n߬dJT^}Uìη4I:9Oç;�çúÈXªâýéHJÕ’_Ð’KB¿\ÄÂ�Œíé€Õ[ËHÎ\}ð
-ˆyéàM¹hYG‹�Æc.ŽŸµè¦f´Ì�{•ârb|àÎ
-d#¶üÇŠ…ía$Û»SQΞ¾D[Ï
-mÝs×…�CÑ�-Ñ3‹Erµ}¨¹�£¸	²uÁGyØŠœ)tïËœ@(1ãóþ™ü¤
-Èn ¹)Ç>(ëý%€T¥�ª$g©*¤ƒx!ƃÃ}ž]–RÞÔû¢~G0>›[jü¾Já�FΟ3eNz#€Ú–ïx×]ÒçBúûÓ把ÊfÅ78Øÿ,„ëÑÅãʨlta
vJܳQéùUpºÉ•@Ch˜`¶={aó�§Eö„U–	©ÑÜ9ËEñt“Ÿ
-ŒÞ
Õ¡•À8^,¢(Dú>D&o…†›dSØæj“õæ]K%îÙ|È€Úfwâû ñ¨|Nî÷Õ]—€—/Œp“Ø(” ‚¤$ü®ZŸ8ãá
òŠH7¹bïãU�àæ©êDtùq6]¥¨	·qwšÃ‘®Bƒ#$^^š‚ÆVó7çÏáX=ðE©F}€âçø÷œÚžÕûë7:Óéì:†ˆKäP
€ù<1€G†ß©0–]Bl!Nªª–‘RªO«ÍPMr8Ö*‚zñÉj3?ò¹‘*W-¼¸PŠå0mÒWLtxRJMUë|ÇX‘39ã`)À$;î�,¨?uÛŸº,^Ös&áþµEª
-ÔÜZO̶.^/pÆׂ\’Ôžó�äò.	š©tÀuze–�Ûj�Nȹ3wx«x8`†…HT
üþçT’é’s"bHAøHW™†¥+?—¹º!\ ,Qĺ˜e\2ÐIzäúû¤X)z  T3#�ÅQœféIÁ‚gH’ç:‚Ü«ñ3ŸO&;9ˆçLK0‰LôDírèžäç „6³ç¦�‹ŒN¾hÅ&Š“ÌŽ.ï�-IÃ^–„‡*¸xE›¤Mé$ÛsÍâöZqZ
	d!WÀáÎ\‡»pꃣÇcü†ß¶À
-endobj
-1049 0 obj <<
-/Type /Page
-/Contents 1050 0 R
-/Resources 1048 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1043 0 R
->> endobj
-1051 0 obj <<
-/D [1049 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-438 0 obj <<
-/D [1049 0 R /XYZ 85.0394 732.4917 null]
->> endobj
-1052 0 obj <<
-/D [1049 0 R /XYZ 85.0394 702.3779 null]
->> endobj
-442 0 obj <<
-/D [1049 0 R /XYZ 85.0394 702.3779 null]
->> endobj
-1053 0 obj <<
-/D [1049 0 R /XYZ 85.0394 677.9665 null]
->> endobj
-1054 0 obj <<
-/D [1049 0 R /XYZ 85.0394 677.9665 null]
->> endobj
-1055 0 obj <<
-/D [1049 0 R /XYZ 85.0394 666.0113 null]
->> endobj
-1048 0 obj <<
-/Font << /F61 646 0 R /F57 636 0 R /F42 609 0 R /F43 612 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1058 0 obj <<
-/Length 3286      
-/Filter /FlateDecode
->>
-stream
-xÚ­ZÝsÛ6÷_¡·Ê3‹/ÀäÉMœÔ�ÆîÙÎÜGÛZ¢,¶©ŠT\÷æþ÷ÛÅ)ÒRîÚ‰3\
-µbA5hQøÍJÔ-8ÝyæVñîg£7¥£À¬›�5¹ór¹Mëf{†=ovd=cG‡ÚŽX$
hX̲è	ýIÊsûñ‚êo®Ð…øÒíÝ`ä•.Ë"Ò²~v
t³J¢ÌIÞZoþÙá´<çͪÚ�j9Zˆ‚­ø}SäsOPrß|�µ¾²»'®ÑÉ�Hw0Ë6o^¨XgóÀ¬@‚¢ êGÏÝ�˜iBŽ
-�°�fú 4úÿzA¸å‘Ѭ̄Ž’8VÝ�jZ	m"epëb±©èDBJŒÄ¦qÌ"«ÙƦþ âdŒ‘'ÑP G\ÅfqK÷UM4zb¢ÖéÕ•,-
-_~ô˪(ªgTWë[Sú8_묄9_~ØDdfED¢ã¼ÑA³à´‡Ö ÁéX0G¯Ýà‡æ22JDGÄDuŽÅÑO†*›l[fcÁ¥Ò‘Lïä¤ø
-0VY÷5ß�Z|]ïÖÙ"¢΃FÌÚöyµõvÖP…,+ŸÓÚ·­Ó_HB©ò¨1Ok�'à⢹m�ydÉ@²8lÍ*«ój1²`i#f¥õlþä$Äg¹ÿ¢¾,ˆtB#�ÁŠãA÷¸öˆ�ûäè+{‹#Xúxýð•òjøÅíV\Â.”)z:pE×M_
-í�õõ‘>õKY•/ë•#] Uš…þ=�º,Cxjb<8$0äùœÕfí‚~lq³Á÷í*­j°§
-aSªýþò†úmh›šj^Ô4ïxv©$V²¨Xç€Í\ìÌÕô_䜡�ˆ˜iAØÛË3½ñÏÁ-÷ï
P�AÏÞ
-‡ûè³°µpË¿;
-!çŸ/_'ç
--N|ËuB�áh(Hôª²)à*9¡l®#ʸöçôÛ.ێ蚈˜Töøä-×Èì}]ýàLõ¦ÿ+•­]Ä¡®A@!ÛÈcL×dÄ8�îŽêšç?±âá¸_®kÊFZqq|ë[®‚G;®k€ÜÌêSºÖá:¢k�kLÍ.?Ël;P7Á
-áƇL.u
•õîqíb, ß½À… Ÿû›{ª¥EÖTKqÔ®áJ“yÚ'= @LÂ….Upé6F¦=Bæµs�
-Y”EVú{Ñ~ʸ›²pѯË$a¤‹«|ýàñîcŒ<qð®#¸p$ÚlSù|ı
êØŸ¾å™¿ò
-ŒN˾
-‹§¾uOàBXç®@#—»‚ÊùصÖÄÝ,Ü«É:
d¬m7Á
#¦s*¢ýÏ?,jhFÿ4�ë†:÷› $Ü‹
-J™ÎW9Å	®sêÛ½;ªó6ê§É‹$Ž”n‘ºÜÀi¦oÅ×ïÿ9þÃ¥Ø¿+LŸÜ;Š	Ï.Ư)z«FŠjp1_³ÛÐ×ýGº
QwÏ�?Ö¡7sðS(aÜ#Zp�®=ö´Ý-¾r¬SJvaMr÷P‰À_ÏÀüt�ðP*àjSàKR©ûñˆT®b�TÎ9«ƒßþ �óCå	ÜâdŸ4éYÅ¡Y£1·~C£§—^¼jÛåaš"Éž,àØè'
-c¿ß“ rÔÖà¿×Œ?ýÛ¾ý•¦+õxR�Þ e
-—›!@10j@áèÿ¥•«endstream
-endobj
-1057 0 obj <<
-/Type /Page
-/Contents 1058 0 R
-/Resources 1056 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1043 0 R
-/Annots [ 1062 0 R 1063 0 R 1064 0 R 1065 0 R 1066 0 R ]
->> endobj
-1062 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [284.2769 367.346 352.9489 379.4056]
-/Subtype /Link
-/A << /S /GoTo /D (access_control) >>
->> endobj
-1063 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [282.0654 337.3189 350.7374 349.3786]
-/Subtype /Link
-/A << /S /GoTo /D (access_control) >>
->> endobj
-1064 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [299.7586 307.2919 368.4306 319.3515]
-/Subtype /Link
-/A << /S /GoTo /D (access_control) >>
->> endobj
-1065 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [330.7921 235.2826 399.4641 247.3423]
-/Subtype /Link
-/A << /S /GoTo /D (dynamic_update_policies) >>
->> endobj
-1066 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [369.8158 115.4527 418.5625 127.5123]
-/Subtype /Link
-/A << /S /GoTo /D (dynamic_update_security) >>
->> endobj
-1059 0 obj <<
-/D [1057 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-446 0 obj <<
-/D [1057 0 R /XYZ 56.6929 569.0182 null]
->> endobj
-1060 0 obj <<
-/D [1057 0 R /XYZ 56.6929 543.6932 null]
->> endobj
-450 0 obj <<
-/D [1057 0 R /XYZ 56.6929 423.5151 null]
->> endobj
-1061 0 obj <<
-/D [1057 0 R /XYZ 56.6929 398.6084 null]
->> endobj
-1056 0 obj <<
-/Font << /F61 646 0 R /F57 636 0 R /F43 612 0 R /F42 609 0 R /F58 639 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1070 0 obj <<
-/Length 3259      
-/Filter /FlateDecode
->>
-stream
-xÚµZÝoã6Ï_aôå fEJ¤ÈÇí6ÛKqÝíeSÜ
m[NÔÈ’kÉ›¦ýÍpHZ_–Ûk‹ 0EŽ8úÍpf$¾ˆà�/´dQl’Ej&#.ëÝU´x„µ¯¯¸£Yy¢U—êËû«/Þ)¾0Ì(¡÷ÛÎ^šEZóÅýæ‡åÛ¾ùîþæîz%d´Tìz%U´üòöýW4cèçí‡÷ïn¿þþîÍuš,ïo?¼§é»›w7w7ïßÞ\¯¸–în‡37¼»ý×
�¾¾{óí·oÿæêæ>èÒÕ—G1*òËÕ?E‹
¨ýÍUÄb£åâ."Æ�‹ÝU"c&“8ö3åÕÇ«‡
;«öÖ)ûÉX3©E:aÀ$î�G0NÔ"•†©XÄÖ€/Eût½Š#½Ì³õêw‰Î]‰bq*$°Bò¬lêUU·ÅöÕÑv9HÁb¡RO»Ù®9lÜ4Ä¡­ñ×,›¼Ú¸™§œnK»¼ƒ²Ç¼w“^f´¸¯-MÔpóÁo“U´6ÜäÛìXzÒ-­‚1'4\
 š~Å93RŠß£)gi"§iÑ*€œ»<«Šêq{,éz[hдÇýVWyp‹y´¼G©q2H�~×Ö¯æ»}ûJòhZ6B_Ä"	Ž‘ò”Å:6ÓÞæˆV]*‹˜ò6O…z®ŸòõóªÊà	
yó$fJ›ÌÕ÷Tx$i4`ÿTXPÈe½o‹º¢ñKæ&�M¾¡Qá–(àHÓ�I..ÛC±nÝ
-
G‚ŽÙ![·-	Xu„!¹ÜÔ»ÌïO–è±Üe
ÞÖY¬À/S‘$}\ýE¢Ä»„âˬÚ|a¡
1ç«÷iÒ	·¯«†è"7µÎ‹O¨"míT½£+‚VyûRžW‰ð�ýlêüš/sB뉡³nãöã]kà%ZU‹¼N…Ñ6¾Î6ÖÈ68ÌÐÝi=zJ±Û—ù.¯ÚÖÇ*¢„n|Àp€ÅO"ïš„”³®¢T̸êYWéR�w•@…|7Y›=dM>ò‘0
GØ<ç@5Áºç'Â0­¸èóþ¸Ï×M÷(ãBãë>§)eø
2ÒzM³ŽÊ¹S⢒4m}€°ÖÝ8¡HFë¸!ž Ú…4ºçt˶.Ëú¥·ÃD8æ0æRô!ÖµçÀSxi÷ÀŸóWð
-ÖIL꼧e§áA~NyÌeÕ+
šãC“ÿr$‡2)éOû¬±ÏØ.ô�è’^Œz^·ü�÷Cé3²ºuz#2úyÉÜ©Ö pÑk
êÁ	ØáŒÓ`˜jÇÚ�H�ðÎq
-…Rwƒd,<òËg‡‡ö³	„¡—�;:ªÏq¿ØWØÙüÃUWYAÚq¬V»|W^é’Œ°Y=”„¯–.½¤N1ÜQêN:ÑóQKF
4¡àmQdä�Zõ­ÞfÏÎF½ç9e¬.�Š“姬<Úó,ŽO@Á…}Ý4ÅC™ÓR±¥YÈï
-®YIóÝp’,7°ÃÁíö”}rÓy^Ñ\YTÏÖ—`PRÓ¬W	5¸óo›“óåÇz—O>M†GˆÃ‡gzR=÷�[—Ç� e½}h©Ž”XàŒýaUå[zºˆ~xí%rgÏ+–Äò¹ӥ:î*'xˆûÑ©Ãñ
-ïFáYg�8†ôE±³Ù~_t„*w8©åSA¢ôG¦ò¥Œ|)–$éòvëVsG;Œ�
�‡+‡Æ×ÉDJ)ÄéÔÀÈÎQ9Ѽ”?!¯—¢,�P}ÒÈ«xܳÈèAºàN‘,­™~…KÉ‹A1é6>¾ÃÇNÖS™zc	d�Ú\*4»Tç1¨P-È8_²Ãfœ<s&Snæª	ÎýäY1)ã¸Ïúƒ5BË^o©-Í»#J†Ä7�ó­¡©Œ~H~›x¹30q%;e‰EðD•##–F¡}â�k�@VžrGd�lâ¹ÎŽMîx˺~†pJr×´¸ÍŠ’0%ÔJ1çý5ÛR½—¯6[©¯1Óh¤.’WÁâc޶ᖪ¦É¬j^è,ÇÜ)U˜U—Ó&àLi;í|&=aÛóVx©�¥ãŸa…ád¢™ª>ì0EÁ)o«[MsÞÁD*X¤U2t°"ßœw
-"]_€ÿ\aÏ8n|Ã�›Ä‚g¨&ѦD0^6¾%‚Ö渊-$šB0u–`p€ •¹$iËú‘V~Œdôs}<@ÝCî'±«G”ö¹ãäæk'ìê#j Nc™ΕkíÝþ÷Ý£!è¥e¿‡W<VµëØ
š¾+ê:‹®ƒ@‚,A/�ëvxé�SÖ™NK|é4$:¯.Ø
-ì÷yåà—?
-‘¸D)íöf„`J¨™÷.7Û;w~®Ê‹Y”e3ÝpÊP™qÎïH“óŽÃc&b¨¦ç§C5ã8žªç8ín¿ræuÐñ
�¸ D š�¢ßA—Œ§ñ@Œà>ƒ\(©6õÚ6|Ywj6_Ùž^ªi÷Öâ6
-=Õä3+6å4
-!Ï�ÊÌK¨&Dé£óy|]YþšÆÌœFCÆLEZÌ ž
v2ºÚÌ¢ÐÑ_P¼ïïGa‚ïÄ!JÎ>‡@uA�ñnó(„ã0Æãp…ªzªó‘£>¶#ê„%JªyQÕ„,}ÈØÔ]aþ&vU}ð
-~a‚ÀmßÔÍéUÝçôMéËS±~¢ÙuV…wuöwsÜíó
!>åLGÑ ÕÕm^M¼IY¢•Õ}z2�ÆÑðsTH¸e¸c“#a5l˔ӜZÍìܗ̱døùñÄ3‡‡ø?ý•óéð?÷ÔâLÔ�Ó¤^(ÔUš¡äásè±èÿt&˜endstream
-endobj
-1069 0 obj <<
-/Type /Page
-/Contents 1070 0 R
-/Resources 1068 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1043 0 R
-/Annots [ 1072 0 R 1073 0 R 1074 0 R 1075 0 R 1076 0 R 1077 0 R ]
->> endobj
-1072 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [259.4835 532.6298 328.1555 544.6894]
-/Subtype /Link
-/A << /S /GoTo /D (boolean_options) >>
->> endobj
-1073 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [387.5019 279.1398 456.1739 291.1994]
-/Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
->> endobj
-1074 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [381.9629 248.8466 450.6349 260.9062]
-/Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
->> endobj
-1075 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [398.5803 218.5535 467.2523 230.6131]
-/Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
->> endobj
-1076 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [393.0412 188.2603 461.7132 200.3199]
-/Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
->> endobj
-1077 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [255.0796 157.9671 323.7516 170.0268]
-/Subtype /Link
-/A << /S /GoTo /D (boolean_options) >>
->> endobj
-1071 0 obj <<
-/D [1069 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-1068 0 obj <<
-/Font << /F61 646 0 R /F43 612 0 R /F42 609 0 R /F58 639 0 R /F57 636 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1080 0 obj <<
-/Length 2903      
-/Filter /FlateDecode
->>
-stream
-xÚÍZÝsÛÆ×_ÁGjÆDîûpí“’È®2µœÊÊ´�$0	Q˜�€B€’™éß]ì>TgÚñX8ì-övoûq
-Xˆu«'€Çbp½å=s§€øÏ>”{
-xf ’UQ,Œžö@ÃuN‘�´I虘GNH;
½.×iè5\'ܵxØÎe)®ÏèÑp�(ÒCŸ’�ém_‘?}Þœ#b	.'
-ñ°ÜìW´{¬³Ó<t¹ÿxóÎG•Ÿ
-d‹¸ª·PÆàÃXô¿cî¹µ'ꀎ#ÁšŠû´8ëFô²"àÁÊyú9Aœ—D§è
-�—ŽlYјRò‚®û�¯ðD§ä#o[ú\À46
J˜ºi
-ä¬<â+›©äx*4È#NõÝ Us쮹ïY&b»9©¬sÿrfʵ�=ûR®m÷¿¨ôÜ@§a4<ªáÞ¯«_I„�
σÄ)wâK\ó£'	kètQ¿ÜÒœŽ
-ZøCVMj�@?~%LuN�¼Û˜s|
0�š~^¦O‘ñu§öLÌo?zÁ?\y’ïÛùüö÷<xw	l�¸KDÿÔÕu1v–êö÷Ÿ:ï›ßtKHVcAD
-¡®nÿ‰—¶â
-endobj
-1079 0 obj <<
-/Type /Page
-/Contents 1080 0 R
-/Resources 1078 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1043 0 R
-/Annots [ 1082 0 R 1083 0 R 1084 0 R 1085 0 R 1086 0 R 1087 0 R ]
->> endobj
-1082 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [352.879 737.8938 426.5323 749.9535]
-/Subtype /Link
-/A << /S /GoTo /D (tuning) >>
->> endobj
-1083 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [307.1508 708.0059 375.8228 720.0656]
-/Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
->> endobj
-1084 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [334.8268 678.118 403.4988 690.1776]
-/Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
->> endobj
-1085 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [292.0276 648.2301 360.6996 660.2897]
-/Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
->> endobj
-1086 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [319.7036 618.3422 388.3756 630.4018]
-/Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
->> endobj
-1087 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [460.1655 588.4542 533.2211 600.5139]
-/Subtype /Link
-/A << /S /GoTo /D (tuning) >>
->> endobj
-1081 0 obj <<
-/D [1079 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-454 0 obj <<
-/D [1079 0 R /XYZ 56.6929 574.2651 null]
->> endobj
-789 0 obj <<
-/D [1079 0 R /XYZ 56.6929 549.4832 null]
->> endobj
-1088 0 obj <<
-/D [1079 0 R /XYZ 56.6929 251.7198 null]
->> endobj
-1089 0 obj <<
-/D [1079 0 R /XYZ 56.6929 239.7646 null]
->> endobj
-1078 0 obj <<
-/Font << /F61 646 0 R /F42 609 0 R /F43 612 0 R /F57 636 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1092 0 obj <<
-/Length 3064      
-/Filter /FlateDecode
->>
-stream
-xÚÝZYsã6~÷¯Ð£\!¸H�ûæø˜8‡í•”Ú#É%Á+©%©ñxý6Ð
-ÿØ ‰©¨T’ˆ²h0_�ÑÁ¼ûpÆܘ‘4
-G}7=ûö&fƒ”¤1�ÓÇ`­„Ð$aƒéâ×áå÷ÓëñùˆGt“óQÓáw·wWHIñqywsûá—ñŹ’Ãéíý’Ç×7×ãë»Ëëó2â°€pKüóþîÝÜþt}þûô‡³ëiÇrx,F…á÷_g¿þN8Ýg”ˆ4‰ÏС„¥)¬Îd$H$…ð”âlrö×nÁà­�zHL‘HH”pu@N’˜$BÆ|GPQJx¢¸
NI)­*µ;Z^hs4\€‘4Šìt0”ÄŠ%~*anòô<¥Ã—µnp…êÑIR7Õ¦žkß›WõÂ
ÉÊ6þ¶Ô%¶Ú
-Ÿ¿4nÂt©WŽhøà’¤’IËÇt™Ãš"J†�ž·yU~½$Y}Î’á“.^Ìët8«jK©žõ'<b…ïÇ7—HÝI·ÈB7ó:Ÿi·C»Ô8v^•s½n‘jŽkˆvñÔfå¹mOnnßßhDÇcøŸ¹‰ 8§9Y'o8™þ´.²¼4{3>|¶‚Lu6_"-wï6�^€‰ÊT
'yi·*rÖ›Y‘Ï3#|c9†'þÈÜHñ£®³é¥~Æ%Æc·Õ2ûè–ŸiÏP¾Ðe›ÿF)×{ÁëØ);_­½‚ÁÚ¼î—NçWwÒißjÒwŠ¦ò“çÅfaNî­uÇHØ'sÁkg®‡í²×Ò.`:HxQ­2÷i—ÙJc+�Aƒ”Ì
©Ú)Ãk«8OÄÖ2ÛÞèFGæ‰gMÊnW>Võ*söÎiö‘ûÕWÙ6fn´^­Û—sÆØÐqÂ=dqvsÎS¼Áð|½94܇eMSÍóÕ
-ýç¼]º78c�Õm>ߘ;iÉ(7Ó2&lžójµ®»€ Ýþ�†™°.öÀ�A‘dï•®»yŽe�—ËÍ
ž>ð¸†nßµ8B“?•V™ó¬t$4bh”Zû–nälžk'/]ôcf/n,œØÒëæÜÌ˶hU�£+¸®iDçØ·R�Qí¾öÐÈÝ݉Ùð{ðq°ª‰kfáX›
-P>™Ž“.[mŠ6‡‰T”�s÷\ëz•Ÿ³a‹zÊ£åÕºÍWù¿½	Àìõ¦6úkÜ~ÝHý)3—Þ‘­�j³Öóüñå�²ÚeÖº›Ž�Û�~©³ÚJÚ(QlÏÜ}nëÜ»£Áºi�Ñ0:œh½²yªˆT"%H’<ñeý4ÀÆ8ˆ¶ÝøQ8
£mè9^¯kŽ6Á
-ø­(ªgÌ`å¶"dk6Q,£`àˆvàçPa,™bn¦ÕÔ\{0–|�=W4 ¶ZgŒñƒ[WžR‘7�!ÛøÁ­hÁÿ>-ñ•«ÀåžA€Ñ­Íƒ%*ZðN‚L;7e1Sv3ÓÌ–Ÿ°>h'ט¬€M€
ð=oÁ¶­ê|n'GÈïÒM+­¥+›™Ø£ëÝúÛ“.±èg:"Íôã9À;¢Òÿ·œEï#{sÁb"¹ËYÀ1�¿Š½Ï^V�¯],ÎEœ
-&8è
–ùO	®ë*‚×Öó‚ÓGç{ÜŽß³\cˆ¡œ%}‚�S—ê]^�Ï!ã™Z„e<XÑ}¢ó©ÃSÞúÐ0×uëêâí	Ì2òžå	Bã¸/‘àQLâH ¼¼»øù¬'–é^J°ƒ!�«ÊmLÞ¬:”_úÏYyvÂ:Õ;/Lq¦§¬×JIâ4ñŸ+P’Q"ñs�P x¡Ÿü—JåÊJ@G×g®®FBàM�f'�Dëu‘Ímz¦|%
-Öp•C¡”<€ðQ9’Ҡе@~È2-Ð'~“1�íSY2Ï™ëUõ‡Ÿ¼Y_
-.ÕÕ‘"“Í,ö¾„ÚO²¦ÁcÅOØE ð·*>}�F#( Ï,¨­¾¢§ÿðp?15=À“°î¸s½žŠjæïÖºjrc0þ+ÏƦ|`(‹®Râ¾ýtyB¢[Vß±Ëb© <¥}.ž¥�t)—I{ws"e	?å².~ÙËî']B°'É
-vÇÑ+Uò¼ÞàEí7^w“‹‘Jº¢`©Ûçªþc[ÈýŸl>7Õœ­ØŽ,àä{Qà6Ne_LJÌ�iêÄeBRœla¨7'ÀMõ6„¿ôÚF#pŒ»¿9.Á€·/;.¤vDñ$QÂ!žú]ôŠ÷Ïþ
-|ûKx©
-endobj
-1091 0 obj <<
-/Type /Page
-/Contents 1092 0 R
-/Resources 1090 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1102 0 R
-/Annots [ 1096 0 R 1097 0 R ]
->> endobj
-1096 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [296.3342 570.0778 369.9875 582.1375]
-/Subtype /Link
-/A << /S /GoTo /D (the_sortlist_statement) >>
->> endobj
-1097 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [389.843 570.0778 463.4963 582.1375]
-/Subtype /Link
-/A << /S /GoTo /D (rrset_ordering) >>
->> endobj
-1093 0 obj <<
-/D [1091 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-458 0 obj <<
-/D [1091 0 R /XYZ 85.0394 769.5949 null]
->> endobj
-1094 0 obj <<
-/D [1091 0 R /XYZ 85.0394 748.2826 null]
->> endobj
-462 0 obj <<
-/D [1091 0 R /XYZ 85.0394 748.2826 null]
->> endobj
-655 0 obj <<
-/D [1091 0 R /XYZ 85.0394 718.4268 null]
->> endobj
-466 0 obj <<
-/D [1091 0 R /XYZ 85.0394 661.7689 null]
->> endobj
-1095 0 obj <<
-/D [1091 0 R /XYZ 85.0394 639.4577 null]
->> endobj
-1098 0 obj <<
-/D [1091 0 R /XYZ 85.0394 553.1414 null]
->> endobj
-1099 0 obj <<
-/D [1091 0 R /XYZ 85.0394 541.1862 null]
->> endobj
-1100 0 obj <<
-/D [1091 0 R /XYZ 85.0394 337.1513 null]
->> endobj
-1101 0 obj <<
-/D [1091 0 R /XYZ 85.0394 325.1962 null]
->> endobj
-1090 0 obj <<
-/Font << /F61 646 0 R /F42 609 0 R /F43 612 0 R /F56 630 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1105 0 obj <<
-/Length 3263      
-/Filter /FlateDecode
->>
-stream
-xÚåksÛÆñ»~¿œ±�{×~R)QšÈ.Å6ž&ù
-Í¢›Û Ç¥Ò"zýÝÕÛáõ€>?õëÛ»ob©yýæîæöÛ®ú‰Š†·oî<¸¾¹\ß½¾îÿ:üþâz¸B¹û³8“ˆïû‹Ÿe½~Ý÷,–6Õ½'°˜[+zÓ¥e¬•”
R]Ü_ücµaç«[º�LŠñ˜-�N*–‚9–Ž`p¬ïª$NK¶N½äÌÆþÀ–f¦L¬H¯d‡ôœëX¥I/Ñ66RHGú»wC §â2Z6E]–FåŒÚoîîï¯_S¿­±µQSŒ—‹>O£¢z	³órœµ}o'YKðÁ ¡ÎSÙNèc6Côà—[­`ΩƒˆÔO³bÑ¿T‚G³lZ`O8L’Q3.mF0±šÅaV[,>dÁóÚïR·Ô)žË¦ÝÞñ`›ü^Ï`C©
à™SgýÛpôä~öjÛ—yÑ`7‰2¢
-Áç4hŠ™_ðP/ÂÖÔ:¤.7Ñ e(g�$¸øAÖ%gÑ}Qxa¾yM!M=·5vòˆS5ñ¶œ+�ÄŠ[`|G<>Mä¤Jc	ê»&àÇoV–b–ÆBèBÛ¤œG²·Ã
ÚiQP�óÚÉ
Pt±Í@"&
8Ï-õê?mâiœ×S'd�ÔkæÙ¸Ât„¼k¼?�Ÿ•ºÆšX›'¯±6NµQDÞwýKçźþPæ(õH•i6ŸƒÀúѨhŸŠb¶%ª©�
9uÞÅŠ1Ës¯+MqDt»XŸ‹¸BÆö¨ÝßÙ2¬8LÜDÄRÛ²kÒ$¶Œ“
¼uÄÑ/L³gøÃ�0If
-ðU‡"1°³ÖÕÙ
-#=ºW…!‰JçÐw‚�SfÔbuou³
-ãf9jiì
ßH«É.! ¯�\ox]Ã"
-Èo]¬Ž/�ŠtÂ0
-CU‘fº—ÐÆK#`1˵ԀjTÔ+žÇ ú�~ºÌ‚…¤a
-ºÓ\Pôà×Cd…õwny±çgh (AQœnF”pDl´®å*ïÄpjOŸGÏÎÐÀxiŽsÊ0	}4"0«Ur�áB8üÁ;i˜.š”÷ã
-=PTm:Õ{	ØL‹Œ˜�÷ÀN~
H2

-Œ�4èÔ=<ÈkºÒöoKe<Ÿ;J¸OÖO	²¶tÏzàÕ¨°GЄæo Ü`­ÿæ7ϪÆo…”È	X/Ñ®(Æ£ÑÒŸ=
-u<+'ž
<š×h—î(‘{ti•?!j@“är`Ä7ëYeAt|'ã�¨ÃĪõYFÔ
- l�—ðH
-endobj
-1104 0 obj <<
-/Type /Page
-/Contents 1105 0 R
-/Resources 1103 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1102 0 R
-/Annots [ 1109 0 R ]
->> endobj
-1109 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [370.4473 443.4181 429.4355 457.3658]
-/Subtype /Link
-/A << /S /GoTo /D (classes_of_resource_records) >>
->> endobj
-1106 0 obj <<
-/D [1104 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-1107 0 obj <<
-/D [1104 0 R /XYZ 56.6929 480.6783 null]
->> endobj
-1108 0 obj <<
-/D [1104 0 R /XYZ 56.6929 468.7232 null]
->> endobj
-1110 0 obj <<
-/D [1104 0 R /XYZ 56.6929 396.1951 null]
->> endobj
-1111 0 obj <<
-/D [1104 0 R /XYZ 56.6929 384.24 null]
->> endobj
-1103 0 obj <<
-/Font << /F61 646 0 R /F43 612 0 R /F56 630 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1115 0 obj <<
-/Length 2902      
-/Filter /FlateDecode
->>
-stream
-xÚÍ]sã6î=¿Â�ÎLÂ?ôuoû‘ôÒi³½lz³sÝ>È’ëV–\KŽ×ýõ LÛr²×Ý™ÛÉL‚$€ 
-h&ñïw·W4èú槫óßï<»ºXöÅ’�F~ÿ8ûí÷`R€t?žB§I8Ù@#2MÕdqfB-B£µÃÔgïÏþ9ôzíÔ15…:a¢â==¦§0‘VÚê)ÏšóK­Ò鬤oÖôU^-³¾,.
-Žx y)å´üܯ³š¨”Ÿ—«²ëHy!oAH[@Äõ>qeDj¤±ÄiŸRå©
-ùÉ£¶Ë’Ç[�‡¸¼e2͇ƒ™VfÞì
‘ApÈ&.šrÑ6UÞ�íPQâ¹o†è<kŸìሜ†àjs*›!˜<œíG2Üã‡vлŸ7oáRe] F’kĈ¿s&vxKèì©­W�#<®qkö28lxò˜]»Ìˆ!1´qÊEp§ÛÜÙ4Šªûw$«~l‹ÞÙQñn’
’Ú[[!é©Õ›lË00Ö£RÃÎ
ÆÝÜú\Ÿ”Ì—¶Ç¥€/�vQõýp(ú,\21D¦±ŒÅæ;ä\þéN*ð¸:qpbßåí¢äÚ9c]ÒÉѾG¹¦ñsMÃ^Ï©'ÜÑw'74Ðuòç£
üÔ´›º,ˤ`çªÜfXÃ^¦AÑa<RhÅUǵÊ*çûÀ†ç- ]a_Hu�*…¾ÐO«½íâ|r”.{\ìß/�RKaà2:1qw:ÈA¿à¨£@D‘
-÷¯�m–cÄsG'9 y
ÐbЩ}ŸÔå d¡P:•Ã%3Œ½<XêX$a˜NL”ˆD…´)7ïoÄÕÛ_áF:	¦?8¿Œu¬ ÿdßÿºº½º{%†a5©±Ñ Qoí¯“56¸3³o©!¸´«D§ãR&Ê@Ô3a$’8­†ŽUòêà�ÓúðVúŽõa¤€0¿d1.P2¤ºÄ¾EÀY‹ÁnÀ[Å)êH%"À’:­Z3ùÎ5£R¡c½d)Z
2 _8(

„ÏèÀ£þë
-ZQñi­xë}ÇZ	Ba"­^²Œ
-Èr*­H¾!nÊþˆä3éoÈ׫½Ôo—æ17]õyÍå…tGGö6í�ÜŽñ2Ëç‡×gâéTùsô†ûž*H®ö9–‘–åq6©"‘¢K
-tkÒ0z>v(	¡6�Qä­ªîy5¸!Ïñ•;oJOû[+!µJ�½ãÓ1òT‘h%‘äá§|{æ¢z@.JW|Êì�í+ËpÀ@-a(	ÚÔ’£$^[Ü[ËÛªË×#/+O­.óvUœze
µ††[ªSÓ¢ìòU5³a‹k\hÓéÎ5#žžxÎðA}UC¡Š"3ôg<.æV%£¨|¨G
-.ØKØœ+o�åC²~ýÙúÇÞ1)>Úú•´Û m=®¯òµ}�°íª´ͯzZî‹`§ÎÚ5n—W´
pˆYš^øú„
ç$–$3ሰuA5´‘†É-Tu;ùœ"!?j»V�ø>‘ÆœH
¾«lqó‰ï#[BÛ§iß/°�(«<©A¬LaùÄvæ¾<q»´6
˜eV­I$´­ ]ÐÓ4lzI%�FArê(QÆ@«Œìm]>eö¨[�[/Pk&äÂ" ÷^ Íyö´v3
-v35—Ë�ÙãAŽKúØ_.Ør¸E6…ëQÓ`0&æÛFOâp-ùrvÔß»�þ›4‰f4Ü
-}JoPä+û°d:<퀊§çàÈ%%Óh»]Ô®Öí­Ÿ€—a·۵{þÒgðnéNó'~ ¡	U3òsš`òbŽö¥?ÞÙý€É@^‘$'.™CBÁLÙpytu~åsÌú
Îh¸endstream
-endobj
-1114 0 obj <<
-/Type /Page
-/Contents 1115 0 R
-/Resources 1113 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1102 0 R
->> endobj
-1116 0 obj <<
-/D [1114 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-470 0 obj <<
-/D [1114 0 R /XYZ 85.0394 699.7944 null]
->> endobj
-1117 0 obj <<
-/D [1114 0 R /XYZ 85.0394 675.0921 null]
->> endobj
-1118 0 obj <<
-/D [1114 0 R /XYZ 85.0394 489.5479 null]
->> endobj
-1119 0 obj <<
-/D [1114 0 R /XYZ 85.0394 477.5928 null]
->> endobj
-1120 0 obj <<
-/D [1114 0 R /XYZ 85.0394 309.4234 null]
->> endobj
-1121 0 obj <<
-/D [1114 0 R /XYZ 85.0394 297.4682 null]
->> endobj
-474 0 obj <<
-/D [1114 0 R /XYZ 85.0394 197.3098 null]
->> endobj
-1122 0 obj <<
-/D [1114 0 R /XYZ 85.0394 172.8568 null]
->> endobj
-1113 0 obj <<
-/Font << /F61 646 0 R /F43 612 0 R /F42 609 0 R /F57 636 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1125 0 obj <<
-/Length 2885      
-/Filter /FlateDecode
->>
-stream
-xÚÍZÝsÛ6÷_¡‡>Ð3Šo‚}sS'çNcçÝLç’<ÐmqŽ"u"Çýëo�]P”L;ÉÅ�fô
-Ø—S	ÖÛMS/ËúöGhÌdÒ­B¯NÖyY!]·Ík Úvø™ßu‡4weE479Ötr�/þCã*#˺øD<*\ÈmѧͶl¶ew*„Hà|´àɛ؆Իõu±m‘|Ùø³
-ÓŽ¨"™ƃFø²¼­›½>hP䋺íŠÜ¯Hq]A½yÈä@­°	]IFã¡¡-¶ƒmù:_é�+R‡­dƒÙÂþ³¥€¶MSÖÝ`žƒ}¢Š]ߣf ¿¨>ì8XÇlêÒ‰µ–¥–Û/Š2c&éa<øÿFÅuNéÑà8¼¨G²šÆ=M­ÑÌq£û`cÒ�é¦,S»‰5¦@í(>åëMU°E³ö¾Ai�\@DU’ã�@Å%‚ŸNSN~†9’®ÎRæŒÈ&Õ|Ûæ¼Eªäþ´ŸQ^ZÂr<”È€
g=±Ú2­l$v,ž,ŠGñÈ/”Ï`æç•Ï³ê“âÌe(ò§ä£4Ó4}\>r(æ¡ÇnÚííÒÌûKB]¦²ì3Ö&%3Òªhª6ç|`T.èó?ñ¸ˆ“ÇÆ-¨HáiÁnÁSª^DGFáí	ÉÇe4˜ý¹d´ýGÔð&ç¸6	ãéaöñ ‘©»ô«6)pú§³cÌmØ	Â(�Äχ
-æ¬�‡8,€La‹’2øhn"hiÚ""ÛÅ¢(:4|(WÛ…³U î±í�ì˜Ô$tˆñ¡!heVŒïÍFþÌ:8&ÀýLÀ�õɽ‚Lž€|[t&nÀm>ÿ½Yh¤™:Ÿ#j³IW®‹i×L+LÔ e”F`g“ÙË€&«%~`†€>•œ^—u
t¼E‰[B—ÊB•�
-ìê²k‡3[À±H¿Ûp$Þ÷SZŸ¯óm’MÏ -F�x
-¬Îf­Ú‘˜ 	¤Š•eÑ.¶åuAœVÍVª&
-ŸV(Áã¡rÈ�«ª¹ëU¢[áÔÛÝoŠöÐp{^ûÕÀÇb‡iœZE„�)bM#°ø³©i”W0öã(áÀé	žM´‚ølÁá~�KW™b)OÕ×¹ôñQƒD@ƒ“<ýŠ0G…©¸'ˆ�š¥ZŒ»{°ÿ‚³û™Âã{{QUƒ‰‡¦“*÷>€Û†¦HÎ:š£Â¡’î/|C9ÔÅmN.õŒT è/C¢ù*Ž#ë0­­ZìóÚìuÍ4£{"
7¦¿Â�*¦œd˜Ñµ™Þ˜ Z7Sp±«i¼ŽñmÞÇ_þñëÕ볋KïѱuõÖí˜Îßàjרg÷ÍŽ�Ù}oëüS¹Þµ÷sÑ8¶12ìÅŇâÚß(,À·mÔnÈ"V~Ñá4ýLdéd 
ߦ_^“w|·Ö_•¾Ä�ª¬̯Ð
-ÕY•BœI%ÆŒ‚—ÐþÞ/Ù càpHt‘€"õ�þÞNá
"ÒtÍ[¼ß	
‘º_C÷�Ý^ØCyÀì
-ÀúÞ#ÂGYQÎf
ÚxWëÛ"$6C7÷¸f`‡mD/Ç÷^Ž½§½�Ç(Ž.Áʧ4` ÛçÒ€/O�þŠX*2@Þ©T_›)H«´Òy2=’ÀÝŽùÑY¸gϺ|“ñÞ7¡êùÆeq*²ñ@Ô �Lß„ãÅ
-6ÿóc™´€LÚòLý�™ô³]ò÷
-Ȇs}Ûò÷€ì/�w€‡\ö´D„dÒÄJà‚\
-²ðB±àà‚øÊMÓ<ý\ÖKf0çsIæ{�ª$–fúi¨*K3®_¹±?ñÉgÏúKÿâ´ÿ›—N™rNŽã@Öó¼ÔÓþ€ÿETƒ¥ÿ½)ãendstream
-endobj
-1124 0 obj <<
-/Type /Page
-/Contents 1125 0 R
-/Resources 1123 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1102 0 R
->> endobj
-1126 0 obj <<
-/D [1124 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-1127 0 obj <<
-/D [1124 0 R /XYZ 56.6929 679.1143 null]
->> endobj
-1128 0 obj <<
-/D [1124 0 R /XYZ 56.6929 667.1591 null]
->> endobj
-478 0 obj <<
-/D [1124 0 R /XYZ 56.6929 513.6923 null]
->> endobj
-1129 0 obj <<
-/D [1124 0 R /XYZ 56.6929 486.3878 null]
->> endobj
-1130 0 obj <<
-/D [1124 0 R /XYZ 56.6929 444.9153 null]
->> endobj
-1131 0 obj <<
-/D [1124 0 R /XYZ 56.6929 432.9601 null]
->> endobj
-482 0 obj <<
-/D [1124 0 R /XYZ 56.6929 264.2455 null]
->> endobj
-1132 0 obj <<
-/D [1124 0 R /XYZ 56.6929 234.2561 null]
->> endobj
-1133 0 obj <<
-/D [1124 0 R /XYZ 56.6929 144.9629 null]
->> endobj
-1134 0 obj <<
-/D [1124 0 R /XYZ 56.6929 133.0078 null]
->> endobj
-1123 0 obj <<
-/Font << /F61 646 0 R /F43 612 0 R /F56 630 0 R /F57 636 0 R /F42 609 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1137 0 obj <<
-/Length 2328      
-/Filter /FlateDecode
->>
-stream
-xÚ½]oÛ8ò=¿Â÷ 5—ß’‹²©ÓË"MöRïv±m›IØRjÉM{¿þf8¤,%JÒ»¶‡
-Þœ¥{}Ü„¼¤
­SåÞPßu§wÒp°*oJ


‰/\y|së–=#ÙÇßöf,ÚÙœ‰4·Ï3F"dä¶ðâ_ï6](c¾h‡yÃ×f>œ]6õz×:6r£ €eKáQï›Yˆ]ŽŠ#^ÎÆòÛÛ·oÁü1Ê�¾ÆÞ+øõáÉÙìÍüâhæF£[ÿ¼È3¤ÚòS±îdƒ[xÈó½½p<›ÿyøú·Ó9;:͈éÀŠr2D|x'|,†Ë1<æ“Ä	kw
Ô^VEk¸‚LûH7P
-–vÎÿT�ñFëhWuµt²Ø‡Z–A79Ì…}C¢fÊ7®ê·+ÅŠ=öòA˜€Nõ{<‰A�)%tÊ_ßsÇ�5ÈÂXfEfžy“
-Ñ‚J¾Ó›D(–‚oÿG±>å'^Å0"AËLBù&Z§yh¢uÆ{1§¡%rg‚á ;xWÀÙÞÃ	M47õn½"L,Ñqn뚶޺0[\ùfŠjäYN)ɬÙ{=
-endobj
-1136 0 obj <<
-/Type /Page
-/Contents 1137 0 R
-/Resources 1135 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1102 0 R
->> endobj
-1138 0 obj <<
-/D [1136 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-486 0 obj <<
-/D [1136 0 R /XYZ 85.0394 641.1347 null]
->> endobj
-1139 0 obj <<
-/D [1136 0 R /XYZ 85.0394 617.8999 null]
->> endobj
-490 0 obj <<
-/D [1136 0 R /XYZ 85.0394 552.2511 null]
->> endobj
-1140 0 obj <<
-/D [1136 0 R /XYZ 85.0394 527.2608 null]
->> endobj
-494 0 obj <<
-/D [1136 0 R /XYZ 85.0394 385.255 null]
->> endobj
-1144 0 obj <<
-/D [1136 0 R /XYZ 85.0394 358.9197 null]
->> endobj
-498 0 obj <<
-/D [1136 0 R /XYZ 85.0394 135.339 null]
->> endobj
-1145 0 obj <<
-/D [1136 0 R /XYZ 85.0394 112.6153 null]
->> endobj
-1135 0 obj <<
-/Font << /F61 646 0 R /F43 612 0 R /F84 863 0 R /F86 976 0 R /F42 609 0 R /F66 718 0 R /F11 1143 0 R /F57 636 0 R >>
-/XObject << /Im2 926 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1148 0 obj <<
-/Length 2580      
-/Filter /FlateDecode
->>
-stream
-xÚÅYKsÛ8¾ûWèà]e!x97�#g=5q²Žvkj39P"e³–"5"Çóë·
R”)žÍV­}
-÷ûÇÅç/|”Áé~¹àL%±=ÃÎD’ÈÑê"ÔŠéP©n¤¼øtñ÷žáà«�ê“àLªHzäJŸœtÂ"%••Óålö+žhÕ€VF,a7Ü
�;Ëç\VyF?‹Ê‰ãö†:Rñ˜9nr$K´–ÈnÜñ+Í„à¦×Q
-á|(ú÷iÓ槱¢Ì©7ýÖæUSÔÕOWc%xÐ>¹—ï¦÷SPP"ƒ™ÓóÛb“/Úâkî9‡½„,	Eh·ÀˆÛ§—ªM¿ýÔo}G
-ÆáNû‹Yê(PGŠq®:êMZ=º]–ON„íËÚ
m`èx	èFF¡ãðÙ³†bJ˜n‰E½ZåUëa�C%ÝÏÑ@1‹ãh4†%JšSGÜãIft¤†–!u°m¬Q@¯­±�‚ÅæJÄAž¶9�§Ô4ù¦ÈݤzI-Q6õÖv91 ÑEmÛÌMiŸÒÖM®ÊêeÅI–Öhà÷ÒΨWÄ&OOnØŒ#™»©iEm
—¶°¸9ó‰ª;õ¸7ê׈
-‚@$:,p1EÁ<ÇÖ8™áÊÛ<m
-<öó
-÷äh­¹ãp“·
õPzøéHNø‘ÿØÔÙ[ÇÍv½®7­ã¸�Sç�‡“¿æ›ÆzœÞdïôY^æ�i.ÙG‡f±)æg¢ƒ0Î{oÊ´iʼq3ïîÇ“·oØäá#
-sÒñëp*Ñfß‘÷ÌöÃÃÝ»;ˆÏÎ0˜J6à;±<ì¬c
bàÀyb,jî?QûiúðÏéÃ%›þ6yÿñ×é
+ág%¤¡î%57÷“÷îã%ãþÐD'Š÷‚.jñkZ¢—S©¿/
À±|‡'%Ïða>Fò,#qŽÑ@2D÷]í‘Èå+™Ê×1¥�2æ?€4¯=‚£<±Þ.Ä�‘OFa¢!%©ä5xA%ŠnðÂ7«Û·y9Ž´>½šÇ�—ëv3öY�»3�Ãd`âÐF@4IlFal˜6Z
òå±c˜�ô@qtöd=#Š)¢b#*¶ue;†2´Ï5u–õfÕ`ð	!àµé¦7m½v³6ÔîÆß
-ÄHGF�¼H@7þ˜M õ
4Œa‘aÊȿ³ŸrÊÐ$Ø’áÑy;ÓhŠ¬¥yù¬sU—Öš^�4^?W'p¬JWÝàò€êÛàçãœ-8eghçŽh‡ 2oHšTˆb4(½¨ËÜ[4ˆ5Ž“¼úÍt¤cGð;×<«Ë2Ýt|+h÷<h^VóºlèÓsÑ>Ù?^[„
-Ýæ­Ã$˜!ʨiü1o©“Rsé&WÔöÜêm»ÞZσ¹/õ–F«œ°•rØJ�®é:ßM>–Ì!ñÈ%fpðcoQ¿ÀP&v�ÐÌÓÅ¿€PO4j™ÁTÀýQÔ™qå«À#DÇÉÙ#ó0ƒ²Í0“‡ÌÂ3¶·ÖÙ¡
çòÉòfÂù9^V,Á*}!iÔkĈiYºßÖ ]‚)×ÏV?rg3N’0<
-	†.ïÓ.@F©ú�î®}<gŠaõ>B’°VˆÁ:¢Ș‚櫬»¸²5˜\1#¼÷"ð[k:�˜õj�¶Å¼(‹ö…†!S/O7e‘;J¼UÃ+3_P0elú”çËyB1	…ÌP¨Àµi,±Û•�UA÷‹0–:²¢ÊŠÎh!=iÀ ³2ž:u7×F—î²}ÿj¯—Ŷӥä DûÁªoWJJ¼Ï½±ñìfœ,$#HX‰6g+Iƒ·+£©ÖÀÛüï•’4xa ]Qj²¹Lõ&_è.‡ÜͬU|@þ
}éóŽœ=\Ó°½xº¦Ñ·}?&×Þ’þœv+gí÷ŸÎ¨m �“ñàÀmç/˜‚›qRm—¸>¯¶ˆCÜ0äïøô2†Úôä#ÔP Ѓ×/çY½J; È`«ö;w=ÛQ“¶ëEÞ4]`iŠ
-·^ÍÊó¸)9Ä}é^÷üu¦HD—äô“Þ>–²Oz]rÌ܃
-=/î)Ü™Çî!3ïž,<Îf@k"éÆõ,’Ô¦rry7ëOºÜÔ„A»gQ’éqàí¤¡4ÃÇcÏ«1}×_ûF½{§
Þ7I¿†zMºMÙàèhçÝcöñÖÿÖ´!endstream
-endobj
-1147 0 obj <<
-/Type /Page
-/Contents 1148 0 R
-/Resources 1146 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1102 0 R
->> endobj
-1149 0 obj <<
-/D [1147 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-502 0 obj <<
-/D [1147 0 R /XYZ 56.6929 743.3113 null]
->> endobj
-1150 0 obj <<
-/D [1147 0 R /XYZ 56.6929 716.1502 null]
->> endobj
-1151 0 obj <<
-/D [1147 0 R /XYZ 56.6929 508.2976 null]
->> endobj
-1152 0 obj <<
-/D [1147 0 R /XYZ 56.6929 496.3424 null]
->> endobj
-1146 0 obj <<
-/Font << /F61 646 0 R /F42 609 0 R /F43 612 0 R /F66 718 0 R /F57 636 0 R /F14 620 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1155 0 obj <<
-/Length 1552      
-/Filter /FlateDecode
->>
-stream
-xÚ•XYoÜ6~ß_!øId¹"u'E
ÇIZ§AÑÆÎS’­–»+X+*:ì¸Eÿ{g8¤ö�r†¡!9üf8g¸Üñà�;IÈ<?
œ8
XèñÐÉ÷3ÏÙÂÚo3nx‚Ðgaàû0˜X]„~ÂÂDÄÎâäåílù&ŽðX‰Ð¹Ý²¢8da*œÛõG÷j—Õ�læzn<ÿ|û–v,NbŽ»<��2îû±ÞðòúÏWÄ�ÒçFæ}St�4ºRU[¬e“uP˜DÂàE1㞟h< çîyž{™ç²m˜®Q%
Þmg¡|'ei$"ƒäƒeR�sØÒî9O\B‚^ûä…ÞåÕ»¾üNEn¦y%­gë5
	,p÷Y—ïh­<Àt»¬£õGÕÓTžUD´Ò,õµÁ¬ÖDTE~We{#j£âÛô]¬Cߢ¨ž›s–†!y0+Kõ°¨TWl'ŒF,âv!ó³	¼€¥	÷
¡}ée3	‚Xƒ
ÒB8L
-”B%·4B²”&g—¨]¿•D
ã¹jCßë¿è{”h²eV:“®škÐÑ}·h雑—ÀÔ/‰”‰¼@^Ú*µ6{Ö2›
-Î’4¶
Ü)bÖù†ú¬äÇ)å¬Éi™NÜ¡Õ1&Gš˜c(œ9˜�ÍOáÚ�ŽdoöÇ›5½z¤€ƒTáQ`ýÃõ
À�xÛ’Aë¬é
-ës�/diœX“¹ïeÕÑD[+¥#ÎxÓ\Sž»–U‘•§nC•Š\Z¿‡Þ+uƒw¨ÙÚu�™Fv¶ÍŠªíÎCçØ"Þþ]®@Oûœt2‰÷5Û×¥<Õi§ˆ@Ž¨jÙ”¦eumItîsBñ¨Œߣ‚´\‚¿<¬k˜øEUð8D`v­‰¼X©mßV²k/h‚êREYµ*U~Gäû7W<å	
Ú:Ë峩ü³º<ì
-¬AH¢að›«ý^Ux6­ck5)*ªÔF‡›Ö�üæ„d¹ÕÏž�†ÿÒÇcúo™¼ 1?‹óõgà)Ëí1ù–i„Ãué).Ž�x”Ðdd&ÿ{1�ÏRh#žè´nck+Íž—§Èê‹´´–¦{�æÌb#3c3¼Ít,ôû•l~``+ïľ_™þ;Xk˜à£#Ÿä~M-–ÁB»|"�±I¥FÓ|Tÿ�µ´ªC%1YïŸð
¥eÿqן‚\Lg:šþQ•uaîévñCSw�µÙ·ÏZ¨ª“~Ûöûå1üwL:öGV=žû{ç›ì›‡ïVGºÏý¡QAš.cíIìNp
-µÐxû< œÀ‰¡f
½¡{xO£�e(W8è«’*à©0œÚefm%eE¢l
+ôN}‹wN¯‹v1iº$úY©¡.í
5ÞÜÝ«CÍpuBG¾×/Z¦¯°u†›:#lƒÎm“S´Äm	êdÞÑ‚-€Ü=íÄ`©•F2ZhÜÛønQ/°ë凛«×ïçð,¸�êlb–B9¶Ýíú¾hUóH‚¡é
œ÷ò`ª8H̆_�cöúvxV†ðd‹b
/ÓqzzÒê�c©?Žž¡vÃâh‡~…žTۮΉ®~NQ@CÁS÷$e–K``Yßæ²é˜j¶@/ë~µ4SK{Üåå»Å|béHS´[Ó#ôød�ˆXÆ¡ÁkFh5¿Ì>~öœ5ðíÌc~š„Î<8ÂÙϼ’ÄŽËÙÍìïÃÁ¼Å
p|n<X@g˜ð\k5VüÇ)?RnôàxΞø÷	þz.Îþ$à‡`˜’fYúmá8ú|l ÒØ¡°(Å”ý¥b,îDLhendstream
-endobj
-1154 0 obj <<
-/Type /Page
-/Contents 1155 0 R
-/Resources 1153 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1161 0 R
-/Annots [ 1159 0 R 1160 0 R ]
->> endobj
-1159 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[0 1 1]
-/Rect [513.6761 73.4705 539.579 85.5301]
-/Subtype/Link/A<</Type/Action/S/URI/URI(ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos)>>
->> endobj
-1160 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[0 1 1]
-/Rect [84.0431 62.7606 448.7754 72.9224]
-/Subtype/Link/A<</Type/Action/S/URI/URI(ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos)>>
->> endobj
-1156 0 obj <<
-/D [1154 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-506 0 obj <<
-/D [1154 0 R /XYZ 85.0394 769.5949 null]
->> endobj
-1157 0 obj <<
-/D [1154 0 R /XYZ 85.0394 570.0146 null]
->> endobj
-510 0 obj <<
-/D [1154 0 R /XYZ 85.0394 570.0146 null]
->> endobj
-1158 0 obj <<
-/D [1154 0 R /XYZ 85.0394 536.782 null]
->> endobj
-1153 0 obj <<
-/Font << /F42 609 0 R /F43 612 0 R /F56 630 0 R /F57 636 0 R /F11 1143 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1164 0 obj <<
-/Length 3217      
-/Filter /FlateDecode
->>
-stream
-xÚ¥ËrÛ8òî¯Ðmé*‹&
ðµ·LâÌxI6Vvwj2ˆ‚%n(RÇÍ×o7ºA‘2½NÕÚ‚�Fèw7.øQìÇ™ÈI¦ü(£E¾¿
-[˜ûù*dœ¥CZŽ±~Z]ݾ�ÃEæg±ˆ«Ç­ÔÒ4\¬6¿{‰/üë?V¿Þ¾Ï‚®üHH �8oùüñ㊰&Uê«0Œöæû9J±/d¨çánõåþÝ©Ð"ÆúDÁû�Ÿ¯—"
-¼/îÿM£‡»Ï×Qäýóîó`„×°@ÁáÞ|ZÝ1nâ_7ï§{8‹…dnéÛ/ŸïW¿ÑÛÛ�îßÝ}~s�(ouox¢«»ÕÀÓ1ßÃ@"Cÿ¼úý�`±
öÿzø2K£Å^?Ì2±Ø_©Hú‘’ÒAÊ«‡«G³vé¬Ã
-B¯ö¦êhäEßÕ–¶3LGŒè„Aì§j0ˆÜ2W¾À+™ú"2F쫼+êÊ"ÛM×'\´XÊ,óU Ôb†~E$Éö`òâñdÏ$¥´g‚�ð¾
-¡˜%Éh·$ðS‘ļ۲›9‘�}!Kº>àÁÐj¢Ô[íPX¸Q®+šß™ò@£b Þ=´§¶3{ÂoMÞ7Ew¢™5?¥Îù‚¥k)1m}¾Tjº®¿ß¸.–©ð¸”c9«ã®Èw¤«Ç¢,iTû‚•Ý2
-½×[7®+�lcuç©–žyí®¹/Z³±®5”.“"%?WÕ°.TÊë[óØãI”ô�îz»ÚФÕcÅD
-³ÇAexÿºÎ„ÇkûíÖ´,]ºjE¦Šbl'âœÞÌ‚Îw9îLå`�y[IQMML}ÎÄ!`%¡�Dï³i'ÊO’ uº“X¼_ŒÓfVÄø´ÖOó]ï%O‚*î­÷Æ—²¨Œ‚·�Zó[�-˜Žž»–Ì h(ù÷ʢ̉×æA%ý@ŽÞí“nn+½Ÿuà [Sõí>ö†»¹±*?ß	Â]”¦nù°Éb©„€ š%î“"ÝÌÕˆ*a:Ö‚&J"ñwVøt´léÖM$yÛ·ÍmY纼]_}Cø“°O Ç€ŽžÏx$ùm|•‘†A2$f!ô•ókù(²ßa4ãH6­•Ÿ¡"#µ{Ð%¯¶ê·Á+{6	@øœÆÄ	„•0|Ua@äŸÅX¤Ž¬ÆíŽuó� ìd¦)O4WTî$„ ›®ÈûRóI7DÕä]ÝœeÈbð…MçfÆaIÐ’tȬœúH?Ž"5
2/)±Èü4M²‘ÃBEN„wªAàR¥“pTTYå†'(%
zŒ§*!›‡÷g³«všGE•—ýÆ´ŒaãÔí(¨Â;›>�ÃÛé–dO>êžòÞsT£›»»Lì‰ý
}j–A¶Vس€òÙÈ §ÂÑ5ϱÒ˜$ÍÂñ1ö(q~³àý(Å	ÐÉS:G`·7E6|
QJ=àf
-²–ßðP(œg
-7#LôŠ3ùgæË3ÓÅfIŒ˜3ÇÈ�ÓøÂÇé<¯ûŠÇ�ùƒ"µ­Â\tO]Ü—Š¯©B`l‡™—
-<£›² ô'Ä4¦e®(V€¢&ÝÐÐÎu§C
β<9z ¨™ì^Áñ³Ð�¿šõ8!à$C8aAMʉ(‰+ʤ	pîÁÿ´tðh2²÷¶ÓÝøä•elST0E·
-—B詬'ÆÒðõöHg	˜e©÷K}DëÇŠY›&àŦÚP6ø6áÀq¦‰îÎN¥MÀ	û
Õ9$€îõ‰°™�
-ä_´ß<}H£!Í;;´*À™à‚ŠçDûn¨”B›&¸+å;]m�ƒ[jáàMÛœ:&
-a¤Þõ‰ZcÂÙò“\FBq>T’
-.

ª(ÝÏd—çMƒsuy}°Ñ§sMz0Óž_È�¡1ÏôÔߣۑ�UŸÖ–æ.(ê7ú7
ô!A
-‚ÚØG‚óì›9Ñ [Ã
½=%3rõù]+xËËY3ºeX»\bfî
-RŒ1-xS‚Â
‹'çÃÐÕaƒNb5“g«ÌbéZ0Ħå¡.‹ü4_4F‰Œ/¹e
�k3tŒ7®Ë©Tµÿ´qòPï-*hjÑÑ�cÌôë–Ád9°×¢Éþ?†É¢ÝÐÄ»Œ¡;M#ŠÀ‘ǯm¿†‚X4vŸ~a��L–]R<ÄÆ_Îy&"SNè3»…Ä6æA7D
-Þ0Nûd$›
S%'%å¤$±
wX–„x^K£¼®:Ø�|
¾Cv‰ e|[Ü»§$¥”]º¦	
-endobj
-1163 0 obj <<
-/Type /Page
-/Contents 1164 0 R
-/Resources 1162 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1161 0 R
->> endobj
-1165 0 obj <<
-/D [1163 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-514 0 obj <<
-/D [1163 0 R /XYZ 56.6929 769.5949 null]
->> endobj
-1169 0 obj <<
-/D [1163 0 R /XYZ 56.6929 747.0488 null]
->> endobj
-518 0 obj <<
-/D [1163 0 R /XYZ 56.6929 613.0366 null]
->> endobj
-1170 0 obj <<
-/D [1163 0 R /XYZ 56.6929 586.6546 null]
->> endobj
-522 0 obj <<
-/D [1163 0 R /XYZ 56.6929 473.2336 null]
->> endobj
-1171 0 obj <<
-/D [1163 0 R /XYZ 56.6929 445.9291 null]
->> endobj
-526 0 obj <<
-/D [1163 0 R /XYZ 56.6929 376.148 null]
->> endobj
-1067 0 obj <<
-/D [1163 0 R /XYZ 56.6929 340.4845 null]
->> endobj
-1162 0 obj <<
-/Font << /F61 646 0 R /F90 1168 0 R /F42 609 0 R /F43 612 0 R /F56 630 0 R /F57 636 0 R /F66 718 0 R /F58 639 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1174 0 obj <<
-/Length 1967      
-/Filter /FlateDecode
->>
-stream
-xÚ¥]�ã¶ñý~…ߢb­¨o¥EÓd¯I¶A‚ ·@�öú K´­®$:ewóë3ÃR²­4z÷°Ãùæ|q,±	à¿Øä‰DE¼ÉŠØO‘lªî]°9
-¶Í-3J.´‚J’œüÀ<…º™ W߈L¥Yp°
Àj$‘Ÿáßwß½ÿã�>‘¾ ?ìÍB<Ÿïƒª`x˜Ê$µ£\Š�k·À΃NN½ŸÃo	¨Twj›²¯$�yœ$,Äè#“¬;©nˆo²dRµwÍ4Jfjö¤»aÕ5µµ‡W¸}Rä8Þœöž¡¡‘µÓºÒ£œ­\­å‚c
€B3aÎ5
-H¾O{`8"0Œ#Ùª’{>Ëþ	³“†N‡{�¬£\z2«3—ã0¯›Š
-ÚxjÊÅÖòö+5N¶Ò�QÙÛ‘[ÛFÈï™G ¶Õ9ȹ¢2oƒ¬zlËó,s¶|Íh'óÅ¢ÀÛ;ák+¥+CäÑÊݺrÔ”†OoÆ‘uAëNÓ¦åUj-»“¾ž¡‚Ís¥No<¨÷7V0¶¾s,ƒ5ö"tìƒ{×r{Ñ|Î<™Ã™§œWz™ò9ZyºàJ(Ku|{«úìÔQˆgÖą㆞é~tBzZ{ªçˆÎQt»ÐI<”\ÇëØþ_ñ¤7^¤‹U'é販4Á'RG)ëš¡ˆ³8�Ò8#ÂÇ 	Â�¡"±p·%!æNÇ#û~¨²¾áäFvo˜¡W&Žó‹�&~‚ûfuÜ)ÚAl{ùH²
-ˆ^^Ãæ
re†ä+÷EÄsÙì+¤Yó‘Å]Í-ÌñfЛšˆt){F5úšy'ÙÅÁ™21[}éçî<”Mÿ¿­,¯,?¥Ý±Ÿn6ð¯%Wé7²=}þÇ{	U[�Á
ÖS„2ïƒÚëË<š
ó¤úQ
º™::cQ=xârT8pïi°´+
-
þUƒ`Ù÷�ºÊÖ<¢Ì–ˆš¨4¾ÝÆùŽK!”׳fíÈü×^Ù[ÚZÁ™¦ºþ!dÚH„…wóbÙïÔr&¦ê¦Ñ<Ø)&ÚÞ6o’ró&Îs³Îdø»\—•&þý+hòiOå¯ B,æ¨ò“$ÍÀôáÏÈòîo/îãM0Hã|#¢ÐÏ’œ>ðõuc¡oç�=N`»�0ßz’la÷N/-gM«Õg··þÀL÷‘×þÜ|prLw>\ÝýNúð—•a/àù(DÁ1²�?7cÃ�æ÷(5Mƒ©…å8÷E&âëÚ¾È/?Ôf«\ÉJ’øI&~/'"†7,)
-�Ý$©ÛKnÃŽ¶ù·NÛï�Qâã×Ì5�-Ëvæ¡™K'àòó°È¬"t%-n­¹Ï¢÷æ~6\›Çendstream
-endobj
-1173 0 obj <<
-/Type /Page
-/Contents 1174 0 R
-/Resources 1172 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1161 0 R
-/Annots [ 1181 0 R 1182 0 R ]
->> endobj
-1181 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[0 1 1]
-/Rect [348.3486 128.9523 463.9152 141.0119]
-/Subtype/Link/A<</Type/Action/S/URI/URI(mailto:info@isc.org)>>
->> endobj
-1182 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[0 1 1]
-/Rect [147.3629 116.9971 364.5484 129.0567]
-/Subtype/Link/A<</Type/Action/S/URI/URI(http://www.isc.org/services/support/)>>
->> endobj
-1175 0 obj <<
-/D [1173 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-530 0 obj <<
-/D [1173 0 R /XYZ 85.0394 769.5949 null]
->> endobj
-1176 0 obj <<
-/D [1173 0 R /XYZ 85.0394 576.7004 null]
->> endobj
-534 0 obj <<
-/D [1173 0 R /XYZ 85.0394 576.7004 null]
->> endobj
-1177 0 obj <<
-/D [1173 0 R /XYZ 85.0394 548.3785 null]
->> endobj
-538 0 obj <<
-/D [1173 0 R /XYZ 85.0394 548.3785 null]
->> endobj
-1178 0 obj <<
-/D [1173 0 R /XYZ 85.0394 518.5228 null]
->> endobj
-542 0 obj <<
-/D [1173 0 R /XYZ 85.0394 460.6968 null]
->> endobj
-1179 0 obj <<
-/D [1173 0 R /XYZ 85.0394 425.0333 null]
->> endobj
-546 0 obj <<
-/D [1173 0 R /XYZ 85.0394 260.2468 null]
->> endobj
-1180 0 obj <<
-/D [1173 0 R /XYZ 85.0394 224.698 null]
->> endobj
-1172 0 obj <<
-/Font << /F42 609 0 R /F43 612 0 R /F11 1143 0 R /F57 636 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1185 0 obj <<
-/Length 69        
-/Filter /FlateDecode
->>
-stream
-xÚ3T0
-endobj
-1184 0 obj <<
-/Type /Page
-/Contents 1185 0 R
-/Resources 1183 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1161 0 R
->> endobj
-1186 0 obj <<
-/D [1184 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-1183 0 obj <<
-/ProcSet [ /PDF ]
->> endobj
-1189 0 obj <<
-/Length 2594      
-/Filter /FlateDecode
->>
-stream
-xÚ}Y[sÛ:~ï¯È[•™ÚÕÕ’ö-qÒ6íI&§{fv»´DÛ<‘HU—¸>¿~
º8Õît:"A€qù
-�¡AíæA€€~V5Q\óhêæÖ¯Š| ñà?]96`™½èyÎQrÔÌøàX«¶•V§{Ù‹)T›ƒ
 “αu)QÚƒh‰Vš\ažõ¼Œ°`jɹFÊÇNn²Žà„
‘•†¨®\Tòi%¹Þ¼Ê�=v¶¢�#fn€Ž\† …ÈôiŠêÉL®\Î, zn‚‰/°`1d|Jß,ÖFg²Â£qCk|™*T«dó� åluº}ôûö3!C‡Ý•U!'Qø)o
-ƒM%3k_>§Â,™:ìL¼O“�`д°.¬xÞ©«ú“�•x—¢˜3ø
-‹qÀ`qFÖ5q DÆžs/l
-Âò#^f„OX»¯*§Å'µßx©UÌ)Ä�Ñ{ˆM³AÃM¥È%Ñì]€BYa»
-ë$±¬¹ÝÂZB5'ɈKTJ‚àu꨽ñÁ„ÃçY#xô�i¿%:P,."ɧù	qæ“ì†>êb„£ˆŽ'JŒ�TUQè-,@´^ISÙð
²(–ÊŒ†â¹í¨º¥Ü÷
«î´ÙB°”w57pC§‰z@«þ8‘B~.¨¾�¼45Âr�WÛ~
jä„ØIàlJcZZZ‹ºXÜ«šô¢`É{õ"iõ¾ëš†…¾ª’ˆ×…1<¤V‘Mv€àkÿc­üd&ÈÞX¤F\$qXB•ë¶�üÙ�=
-~3à˜¢‡Ï-éD}ãX/š7éAà*ˆ[ž~ëˆo7û˜I�×<a.SN@ÚÆRð±�Ã	VÂŒµ�¶W·Ò5�&DzžéÛ„H-*jsìWËJüÇjgÌ9Ù…ˆà�:¹ ˆ¡,ÀKTýR6"‹ßšV}l¯†ƒ>-㤇Í°·ÁqoG�?jà$c´â…à•Ïÿ‚Ô!àað.lÚù§Œ5V9�UÐèª(ÁV�…@xƒ>™­¬ÑjÉʹ-þfêUa‘دÿ.ÑöÜÉÚ­¶ªíE®ëÓ #evKî§ù	{du ˜…O¤ÀúÀ¾×‹¹\llb‰¡Þ·¤zð‡*ñqUÊ®úXÒÚƒ)rZ~ö—›8òÀâŸ:‹
-°pãÈÀo§h|®#•Í»QwAb"?kÆs¯åÝy›âŽ1�“„_àé½`KA¶Äÿ/¢ ØŽûø©“�ê*Þ”'à°GÀÊFVеom+Sßu]b 8’â=ÑKñ—©§»âËOÒš½,hhµl
G±¢à
›Š9~2pR0âï0öùû͆\qÂi´ÜY
-Nëû»ÛçáýŸ‚h‰œ˜ûÓDϲyèïÓ_àwµLü4î7B­bïíiÃ_9~?î¿ÆÄÐ�endstream
-endobj
-1188 0 obj <<
-/Type /Page
-/Contents 1189 0 R
-/Resources 1187 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1161 0 R
->> endobj
-1190 0 obj <<
-/D [1188 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-550 0 obj <<
-/D [1188 0 R /XYZ 85.0394 769.5949 null]
->> endobj
-1191 0 obj <<
-/D [1188 0 R /XYZ 85.0394 576.5762 null]
->> endobj
-554 0 obj <<
-/D [1188 0 R /XYZ 85.0394 576.5762 null]
->> endobj
-1192 0 obj <<
-/D [1188 0 R /XYZ 85.0394 544.2616 null]
->> endobj
-558 0 obj <<
-/D [1188 0 R /XYZ 85.0394 544.2616 null]
->> endobj
-1193 0 obj <<
-/D [1188 0 R /XYZ 85.0394 517.7268 null]
->> endobj
-1187 0 obj <<
-/Font << /F42 609 0 R /F43 612 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1196 0 obj <<
-/Length 2518      
-/Filter /FlateDecode
->>
-stream
-xÚÍZ[sÛ¸~÷¯Ð[©™J\ˆK·Ýob'ÞI´®­N;“ä�&a›]‰Ô’”½ê¯ï
HQ6{ïÔÉ$$€ƒƒï\
ŠNbøK'‰$Ò03QF�$¦É$[Å“è{wDØY7h6õãâèϧ’N1’ÉÉâzÀK“Xk:Y䟢cÂÉ8ÄÑ»“ùÉÅñ‡éŒ%qôv~‰/'§''ó7'Ø<›Ÿþ|ññxªD´8ûy>�ie’èøüüdþöì_8æØ1ŒãŽúæärúeñÓÑÉ¢—x¸+s'î¯GŸ¾Ä“6÷ÓQL¸ÑÉä1¡Æ°ÉêH$œ$‚óŽ²<º<ú{ÏpÐ많¢Dc¸d#0	>SbˆäŒ{˜~<›¿�Î8gÑ�­›¢*±!܃GEƒÍêzJuô9ŽYV¤Ë婹]׎n³´µ9ÒÒ2¼tŒù>cÝM½³Ëj½²e‹„n¥¬*›"·È7G«´([[¦efgqØöŒRb’„ù=T¥“ˆQ%>¯Ó»ªÆWž<Èã(½<®a@§Ìèh^a;Íó¢…Þt‰í=AýMè¨J‹œ;VVAŽúШ‘i4¸ª½µ5¾¶·i‰o×U 56ÛÔE»�!XKT‚ëY§mvkÒ³VÄp¦
-g
-¦–»MÑ,ÆLfO8fâ(½ª6Îê
�îÒº@£
-$ŠªýÄ°“Ûå)¢÷½qȤ÷³Sn›¬.®BËG×}³¬®\qÄÎ |c`M8²�seç^V¶ª†‹
ò®Û.½�
+^œ¾Á1<Ñê»1gú̘xÄqQ¦ǟņâ8©_ˆ¸Iceé
&j{ã²û2Po­“>\7JÈ.Áö}Ëeu�¾6v,
-N�­ @|çίu§! *ÍÍ¡yD!C­T$i y*œöwÌw|㦀·ñêå`‚“T_…‰NŒâx2?=wÞ9gñá8dn8¸Q‘èèâäÒy“’Ñ|Øk°èrHQÒÕÎ]@èé‡�
-ùz‘„¤eóî’ƒï‚LB(Ä„AÚˆ»šõ¯#ÁÊH
-~
-î.ÆÅ3-]qË÷/ùJÛú�ž#—ŒÂ¹G
-endobj
-1195 0 obj <<
-/Type /Page
-/Contents 1196 0 R
-/Resources 1194 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1161 0 R
->> endobj
-1197 0 obj <<
-/D [1195 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-562 0 obj <<
-/D [1195 0 R /XYZ 56.6929 689.3212 null]
->> endobj
-1198 0 obj <<
-/D [1195 0 R /XYZ 56.6929 654.5655 null]
->> endobj
-566 0 obj <<
-/D [1195 0 R /XYZ 56.6929 654.5655 null]
->> endobj
-1112 0 obj <<
-/D [1195 0 R /XYZ 56.6929 627.6746 null]
->> endobj
-570 0 obj <<
-/D [1195 0 R /XYZ 56.6929 627.6746 null]
->> endobj
-1199 0 obj <<
-/D [1195 0 R /XYZ 56.6929 602.7691 null]
->> endobj
-574 0 obj <<
-/D [1195 0 R /XYZ 56.6929 543.1105 null]
->> endobj
-1200 0 obj <<
-/D [1195 0 R /XYZ 56.6929 520.7993 null]
->> endobj
-578 0 obj <<
-/D [1195 0 R /XYZ 56.6929 474.5778 null]
->> endobj
-1201 0 obj <<
-/D [1195 0 R /XYZ 56.6929 439.8221 null]
->> endobj
-582 0 obj <<
-/D [1195 0 R /XYZ 56.6929 439.8221 null]
->> endobj
-816 0 obj <<
-/D [1195 0 R /XYZ 56.6929 411.9031 null]
->> endobj
-1202 0 obj <<
-/D [1195 0 R /XYZ 56.6929 326.6507 null]
->> endobj
-1203 0 obj <<
-/D [1195 0 R /XYZ 56.6929 314.6956 null]
->> endobj
-1204 0 obj <<
-/D [1195 0 R /XYZ 56.6929 208.9521 null]
->> endobj
-1205 0 obj <<
-/D [1195 0 R /XYZ 56.6929 196.9969 null]
->> endobj
-1194 0 obj <<
-/Font << /F61 646 0 R /F43 612 0 R /F42 609 0 R /F56 630 0 R /F11 1143 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1208 0 obj <<
-/Length 2983      
-/Filter /FlateDecode
->>
-stream
-xÚÅZ[oëÆ~÷¯Ð[)àh½^�¢€Ï9¶ë4q\ÛiZ$
JI´DŠTDʶòë;³3K‘å´

-?p/³3³3³3ß®¬FþÔ(„4‰?Š_R£ÙêLŽ0ws¦˜fâˆ&]ª�Ogçס%"	u8zzîðŠ…Œc5zšÿä]Þß_Ý}¾ýçx¢é]Šñ$�Ò�~ºzO¢0Á	§Bé}¼ýøíí÷7—÷ý-úYòòî3u¸¹¹z|ºâîÃÕåçÛ» Qã_ž¾9»zjÕînMIƒ:ÿzöÓ/r4‡~s&…Iâ`ô
-)T’èÑêÌŒ|cÜHqöxö÷–agÖ.2U`bÄ:°•o†l$"4ÚX[¥õx¢’Ø«·Ó2kš¼\P?-é{{ÿâSë\…ØH< {­6_h4/›ŠçµßeUƒmub¼§e†V:¿ÂŽ.Ú�„Œd
-—!‡gQM�¤m™ÏÒº9Š@˜Ue�×Míä_æ4•"2±?
-c_„‰ù]YM-”øý¬öß­rŠtÂऴN/nºÝg5i75	#�-=œ3µ�”›�Ba´O.5ã‰o‚ÈSØHbß‹á�U!XÏבðcP +çÓ]%"?Œ÷éê�4G(E›¯Y#ô…	“ÐZãú2_˜DÞÓ·—|b°R†ZA©„bk|å{w�¹“&ÚËþ£,´/›ÿ�ˆU ŸL”
�b¡eÔ«ßGuÜÈPÄ:�2"W¨Gï–ñP‡QB�
.10u�pB„>º¿˜¤®«Í*åñ{Ê
Xaßlõ°Ëlò�Y)5°PÎÒ†ÊPIÉ–œàoJŸ}¶I¼Úlö²
–G“´Y¹h–̘ÒŒV\ç ÙìÖK
½ze€êó@-]¹Lþ’nvc°¾·Ïȱ0à
-»RΧ.&Ñ<œ\iàÛì%ãìy¹X�˜EÚTg,[tê=8ÈÚëŽ}û‰}Wm]!¯Ö“b/çöžù¦³/ÓªdFT7ãÈÞJÌ)«³Í”˽jÄÐt¤œê‘«0t—½54䶃ý­�•g�i(i6
-™0gÚXßã²²Þ»ÀŠ±®“Ö…† ƒ�j°«Âl‰3U�"²
¿©ÛuDÍsÓ`D7‡ÎºejIç¯é>X¢®<{�•÷³Öþõõõ~í�nÏjGÏ"ýš
-QO…�c8 Ð`¹£ÀzW½f„Áá”/JëO.”mŦ:ᲈ-ÝÎdH¶³!Œ<–Õ¶˜s©¤-â</šU«u
	;[A¨esTƇRÖ«˜C%ÕmƘØ{ÝäMƒŒ±ƒW#Ü�Ñ«*ŽMáH}©©]gp¾á|Íy­Íù¸ ¥�œÜòâDÎ)8WdéÜ&?¤ø�²GÅÑV0‘ZY4b‹¼•ÏŠV+Ttn¹+›A¶–½¥`’ì‚ŸtPVI€?ói|¡á›\¤RBëu{¾xÎbu¡§F¼J°áÄ›^¹(£ëlÆþw¹
-ÉÚH’"ÿ’;š°§(±7µ†î H@�‰½H‚™µ
l­‰V‘ŠÒwâJ+m¶„ì:kxñ2}áÙ¼œÛ¹Å0žpÓpÁa³#æ§Í=﨨…¶f¯lüî0(o^méå
-÷H4¢ykˆH©>‘Æ&ýùè‰ÄH‘Ä�(ð½Aâ{ƒ}H é/#×úÛþ1¡]1é.±¯	AÔ|Ìh­ÑZ‚_Êý@$½§'z)ŸàO,ÅçGï‡&ÆñHk)d"õà�-Õ¤Kfõíêˆjð—!»K¡3)†Ôk{Cp¥±Ñþ»žÔ
-,$ÃÎïFiñÚ+·«)"zlÛsÞ�„
-®"Žet*¦‹0ñýòNLµ+Ž}Ô‹©cÎ27TF¾6" ÖzaÄ
—5Ï¢Ú,Î7ϳãXJ€³2ÁHƒü†’#št¨"é�ש@ŠDäÇÎŒƒµ{¢ 4\áû5ü!{Î6Y9#°=TŠC|E%É�”íçõ©ß•ôQ‘ðýŸK»T§ß[*”üD£’ÆÿåÈÚ
¡D«÷E·TDz{?ù©
-endobj
-1207 0 obj <<
-/Type /Page
-/Contents 1208 0 R
-/Resources 1206 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1227 0 R
-/Annots [ 1213 0 R 1214 0 R 1215 0 R 1216 0 R ]
->> endobj
-1213 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[0 1 1]
-/Rect [429.9899 228.2397 539.579 240.2993]
-/Subtype/Link/A<</Type/Action/S/URI/URI(ftp://www.isi.edu/in-notes/)>>
->> endobj
-1214 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[0 1 1]
-/Rect [84.0431 216.9521 140.332 228.3441]
-/Subtype/Link/A<</Type/Action/S/URI/URI(ftp://www.isi.edu/in-notes/)>>
->> endobj
-1215 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[0 1 1]
-/Rect [507.6985 216.9521 539.579 228.3441]
-/Subtype/Link/A<</Type/Action/S/URI/URI(http://www.ietf.org/rfc/)>>
->> endobj
-1216 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[0 1 1]
-/Rect [84.0431 205.5747 199.6097 215.7365]
-/Subtype/Link/A<</Type/Action/S/URI/URI(http://www.ietf.org/rfc/)>>
->> endobj
-1209 0 obj <<
-/D [1207 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-1210 0 obj <<
-/D [1207 0 R /XYZ 85.0394 697.047 null]
->> endobj
-1211 0 obj <<
-/D [1207 0 R /XYZ 85.0394 685.0919 null]
->> endobj
-586 0 obj <<
-/D [1207 0 R /XYZ 85.0394 346.1071 null]
->> endobj
-1212 0 obj <<
-/D [1207 0 R /XYZ 85.0394 309.8908 null]
->> endobj
-590 0 obj <<
-/D [1207 0 R /XYZ 85.0394 309.8908 null]
->> endobj
-656 0 obj <<
-/D [1207 0 R /XYZ 85.0394 283.1356 null]
->> endobj
-1217 0 obj <<
-/D [1207 0 R /XYZ 85.0394 155.4311 null]
->> endobj
-1218 0 obj <<
-/D [1207 0 R /XYZ 85.0394 155.4311 null]
->> endobj
-1219 0 obj <<
-/D [1207 0 R /XYZ 85.0394 122.8426 null]
->> endobj
-1220 0 obj <<
-/D [1207 0 R /XYZ 85.0394 122.8426 null]
->> endobj
-1221 0 obj <<
-/D [1207 0 R /XYZ 85.0394 122.8426 null]
->> endobj
-1222 0 obj <<
-/D [1207 0 R /XYZ 85.0394 116.7037 null]
->> endobj
-1223 0 obj <<
-/D [1207 0 R /XYZ 85.0394 101.9392 null]
->> endobj
-1224 0 obj <<
-/D [1207 0 R /XYZ 85.0394 98.3946 null]
->> endobj
-1225 0 obj <<
-/D [1207 0 R /XYZ 85.0394 83.6301 null]
->> endobj
-1226 0 obj <<
-/D [1207 0 R /XYZ 85.0394 80.0855 null]
->> endobj
-1206 0 obj <<
-/Font << /F61 646 0 R /F43 612 0 R /F56 630 0 R /F42 609 0 R /F66 718 0 R /F11 1143 0 R /F57 636 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1230 0 obj <<
-/Length 2762      
-/Filter /FlateDecode
->>
-stream
-xÚ¥ZËrã6Ýû+´”ªÆ
ð¹T[jGî´Ú‘ìI2�^Ðm±L‘
-îv¾~.ž)šÔ”&�KòÜ'„&.ü¡‰8AŒãI{Žï"²;^¹“˜»½BBæZ
-]ëR®~ú IìÄ
&ÏÚZ‘ãFš<ì¿NçŽçÌ`wúaõá—Õ—ÛÍüþç?f×Øw§º¾;_/øÍöñöv¹}XŠÛÍr¾X­oAͮà v§óûûåz±ú�ÏÏ骮½Yngßî®–êµõOC.¡ïü×Õ×oîd_xwå:$ŽüÉw¸qÇxr¼ò|âø!r$¿Ú^ýªÔfÙ£FU!×Á$À]yx‚�û>î)Ë��€`”u_•§²N÷B#MRì“j_�~¡~t�4MŠ¿1‘&¥è{|Ý|¼
ø߆ÈcP�Ú¡•Ô9¶h؇Ž�Ã>öªØU3MÓcZ4IÎUñŸ²HùÕÃ!4­’¢~N+>”üÿbÍöÀà‘‡D¼]þ_\ö³Ãÿ94‰š·/mÝðkøøÀU;
-ÏѵkRµK)Mí�Eí6hMíCl³Úuì¹ÐKº;$EVùís)t|Ï8)�'¡ uÙdº.Þ%MV
-ý—ÏC²n`­—´6°‚á]ƒ÷I¹Ÿ!O3ÿžùþ4û‘¥ÿ”ž
-Þ`ÏÇ?f?ÌM:aŒô‚‡x¬sHùÔY Ò<íÎá«Ý—°r.oÄà:m™çiœ\·ç·{Ý‹ERü�½ó8Ú?Cr¥Šã¶#HšŒ.øMh|?H¡®óáñí`ÃívÃظtà-ÔK²É·n»f~àpL!Ÿ7ùuÜ­w^Ȫªu v½²µu“Î<
-(ȯïà7i]¶ÕN„¥Mº+«½lNÆîôý”Žvl	qŒýKôiRþ¤”"EÄB 
Zcpˆm¦PÇ^§ßáóÆ›�HiC¢Èš±LËõœ€=@³Ìé#­s¾ÆÒhêIÕ0
4ýEL1KF* còZÖbv#fóL¶‹òÍ
->ª�€Ÿ›`Ñ9¦*ï†I‘wÃèh瘸�Ó^KÂ*‹˜t±ä-«ÅXgs¸×MæI“\¦—4=ÐèèèJ†×l÷šµÊ¨dYuùt
-èªÓ‚ð¶?Òºhô¦w¢
-è©…ðÜâÑÉ�X‡ZÉÓ`kc‹öBÝøÒ¡º.e!YJ)–¡„³°lƒÖhb›yÖ±ù™ëïØQ¸ìÖæìLI6wõB�¸÷NøLMJßÁd¤š7½è8ÌšÆÚYô|0Ç*÷SAX½™rFcœBd÷Ht!Ö¥,œJ©®Úq-ç²Vh�Ó!¶™S»;(våþì(p�6ßËêµk^ÖíiíÁZæÈrñ,ÌFvƒÈú	í¦WÉœ·0£xÔò"5n|!QÖ„Æ9’BEØ8m¸CC`#A:ð&ý«Íº_Õ³ê(;E)k)q-µvÊ3ýW-]óFœñ˜ûLq/&²ú¦JÀa›MÐBGà;Ôô.œ KÛù¹#M˜7ûbÛÏÆAõ³óêÈɹB½ÜÅß6U»kz­¥mÍGšû¾„dð›®;a
-]ÏxŽ>^3‚Û£?ï3hÁUŽòÿþ¡Ö¶
éï{°™FFŽÁ"â¥èw†Þٛ˟ž¿ú
3Εendstream
-endobj
-1229 0 obj <<
-/Type /Page
-/Contents 1230 0 R
-/Resources 1228 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1227 0 R
->> endobj
-1231 0 obj <<
-/D [1229 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-1232 0 obj <<
-/D [1229 0 R /XYZ 56.6929 749.4802 null]
->> endobj
-759 0 obj <<
-/D [1229 0 R /XYZ 56.6929 749.4802 null]
->> endobj
-1233 0 obj <<
-/D [1229 0 R /XYZ 56.6929 749.4802 null]
->> endobj
-1234 0 obj <<
-/D [1229 0 R /XYZ 56.6929 746.461 null]
->> endobj
-1235 0 obj <<
-/D [1229 0 R /XYZ 56.6929 731.6964 null]
->> endobj
-1236 0 obj <<
-/D [1229 0 R /XYZ 56.6929 728.4022 null]
->> endobj
-1237 0 obj <<
-/D [1229 0 R /XYZ 56.6929 713.6376 null]
->> endobj
-1238 0 obj <<
-/D [1229 0 R /XYZ 56.6929 710.3435 null]
->> endobj
-1239 0 obj <<
-/D [1229 0 R /XYZ 56.6929 683.6237 null]
->> endobj
-1240 0 obj <<
-/D [1229 0 R /XYZ 56.6929 680.3295 null]
->> endobj
-1241 0 obj <<
-/D [1229 0 R /XYZ 56.6929 665.565 null]
->> endobj
-1242 0 obj <<
-/D [1229 0 R /XYZ 56.6929 662.2708 null]
->> endobj
-1243 0 obj <<
-/D [1229 0 R /XYZ 56.6929 647.5661 null]
->> endobj
-1244 0 obj <<
-/D [1229 0 R /XYZ 56.6929 644.212 null]
->> endobj
-1245 0 obj <<
-/D [1229 0 R /XYZ 56.6929 574.6175 null]
->> endobj
-1246 0 obj <<
-/D [1229 0 R /XYZ 56.6929 574.6175 null]
->> endobj
-1247 0 obj <<
-/D [1229 0 R /XYZ 56.6929 574.6175 null]
->> endobj
-1248 0 obj <<
-/D [1229 0 R /XYZ 56.6929 571.5983 null]
->> endobj
-1249 0 obj <<
-/D [1229 0 R /XYZ 56.6929 556.8936 null]
->> endobj
-1250 0 obj <<
-/D [1229 0 R /XYZ 56.6929 553.5395 null]
->> endobj
-1251 0 obj <<
-/D [1229 0 R /XYZ 56.6929 529.4698 null]
->> endobj
-1252 0 obj <<
-/D [1229 0 R /XYZ 56.6929 523.5256 null]
->> endobj
-1253 0 obj <<
-/D [1229 0 R /XYZ 56.6929 465.8862 null]
->> endobj
-1254 0 obj <<
-/D [1229 0 R /XYZ 56.6929 465.8862 null]
->> endobj
-1255 0 obj <<
-/D [1229 0 R /XYZ 56.6929 465.8862 null]
->> endobj
-1256 0 obj <<
-/D [1229 0 R /XYZ 56.6929 462.867 null]
->> endobj
-1257 0 obj <<
-/D [1229 0 R /XYZ 56.6929 437.4225 null]
->> endobj
-1258 0 obj <<
-/D [1229 0 R /XYZ 56.6929 432.8531 null]
->> endobj
-1259 0 obj <<
-/D [1229 0 R /XYZ 56.6929 406.1333 null]
->> endobj
-1260 0 obj <<
-/D [1229 0 R /XYZ 56.6929 402.8392 null]
->> endobj
-1261 0 obj <<
-/D [1229 0 R /XYZ 56.6929 345.1042 null]
->> endobj
-1262 0 obj <<
-/D [1229 0 R /XYZ 56.6929 345.1042 null]
->> endobj
-1263 0 obj <<
-/D [1229 0 R /XYZ 56.6929 345.1042 null]
->> endobj
-1264 0 obj <<
-/D [1229 0 R /XYZ 56.6929 342.1806 null]
->> endobj
-1265 0 obj <<
-/D [1229 0 R /XYZ 56.6929 318.1109 null]
->> endobj
-1266 0 obj <<
-/D [1229 0 R /XYZ 56.6929 312.1667 null]
->> endobj
-1267 0 obj <<
-/D [1229 0 R /XYZ 56.6929 297.4021 null]
->> endobj
-1268 0 obj <<
-/D [1229 0 R /XYZ 56.6929 294.1079 null]
->> endobj
-1269 0 obj <<
-/D [1229 0 R /XYZ 56.6929 267.3882 null]
->> endobj
-1270 0 obj <<
-/D [1229 0 R /XYZ 56.6929 264.094 null]
->> endobj
-1271 0 obj <<
-/D [1229 0 R /XYZ 56.6929 240.0243 null]
->> endobj
-1272 0 obj <<
-/D [1229 0 R /XYZ 56.6929 234.0801 null]
->> endobj
-1273 0 obj <<
-/D [1229 0 R /XYZ 56.6929 207.3603 null]
->> endobj
-1274 0 obj <<
-/D [1229 0 R /XYZ 56.6929 204.0661 null]
->> endobj
-1275 0 obj <<
-/D [1229 0 R /XYZ 56.6929 177.3464 null]
->> endobj
-1276 0 obj <<
-/D [1229 0 R /XYZ 56.6929 174.0522 null]
->> endobj
-1277 0 obj <<
-/D [1229 0 R /XYZ 56.6929 119.2821 null]
->> endobj
-1278 0 obj <<
-/D [1229 0 R /XYZ 56.6929 119.2821 null]
->> endobj
-1279 0 obj <<
-/D [1229 0 R /XYZ 56.6929 119.2821 null]
->> endobj
-1280 0 obj <<
-/D [1229 0 R /XYZ 56.6929 113.3936 null]
->> endobj
-1281 0 obj <<
-/D [1229 0 R /XYZ 56.6929 98.6291 null]
->> endobj
-1282 0 obj <<
-/D [1229 0 R /XYZ 56.6929 95.3349 null]
->> endobj
-1283 0 obj <<
-/D [1229 0 R /XYZ 56.6929 80.6302 null]
->> endobj
-1284 0 obj <<
-/D [1229 0 R /XYZ 56.6929 77.2761 null]
->> endobj
-1228 0 obj <<
-/Font << /F61 646 0 R /F42 609 0 R /F43 612 0 R /F56 630 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1287 0 obj <<
-/Length 2217      
-/Filter /FlateDecode
->>
-stream
-xÚ¥Y[sâ8~çWð¶¦jÐJ–å˼‘@Òô¦IÒ3»ÕÝÆ(àjc3¶Iwæ×ÏÑŶpl³S[<X—st¤ó�›cø‘±Ï¦�3ö1LØ8:Žðxs÷#¢i¦ÑÔ¤ºyýóÎ%ã
-rÂè
-ØJó°Uë.N4:·Yúc{VjÒxæ
-³¼è2ßCŽC¦p
æ
çyÉ�¡ž{ŒÊlËóIŠzÁð	rïJ@3©À¨¨j0b€1$Ú
-±™Aõ¡³”«¬°<T¬pºiΓ°ä•Ä»ÛÞ”A2†º¡éGZÓÔñ¢z?ÐBœ[R»a6Ä~.¤CPìX Ñ`Ö<;†qª•×‰ÑÍ[
E�>O!V¦'ÊLFF®æfù6.sÛÔl^K˜•ÐÙžKÞB!«a3‚RXSÀ.VYgO·áù¨Ç?…ob	ÀUsMk°�y0Ã1¡犟Dèi¢>�Ð
øäøµ÷
-nèÉb¾÷<ÛçáéGRC0ò0N]ù¶„)±n‘b¼ÕÍ™'‰ž‘µ¾
µat8'r=ºÑôO	�Ë”×7f˜RXÂÜ\Ó@ŠÝeiü‹öëJ¾ökõ„ÚS°¼3&ÔHriKâaÕžL	ÆØZ‚áä)×	ž‡/e—�c¨F8Ä‘+\>«¸ íȇÙå¼��¯r2¬êgÑQ¯àÓ�àQƒâf¥0þ]�…íjNB_Y¿‹ùKÉ‹J?ÎsÍÎ š
-�+¾+â;U¼G4ë˜=p-ñ¥6õ
û–LžgñêòH�êÊãn=¯îÐ8iˆ�qªî0X”á^æh‹SÎåIv烹
±–•÷Š§ISëK0FáY˜¥pmÑMÅ{��]C{ŹW+£#,TCF5�ZÕËg©KX _EOÞ’ÞUqÈΉ•REcËÕ÷�s¦¢
ʨ
-cQ¬‡©)1Õ‹A5s”žæ]âÝsª_Ž}eÇi×Á ÿÆru‚­í›ú*‹€ÆJÊ$„€—WaY“hâÆ¡ój>as…êÊíÂW¡‘A’tjJ)‡ðU/ªO¿ð¶§zÒZá[Ä?U㘥åAó‚½W[ü
¡çÐeˆzÇÌܱ|ì¡_Ç÷Ze¢}Ú5—ú­f…EbÀ|Yóštðû @uP0Ÿ¼Då¹ÍÎ:VÜ,Wóf]`vÜz]Œ¢²ñš¿ð\¸Qo
-"Pq2÷Ê Aô>
 Ûc~½”L@¤?õ‰l2O[fwâ1eª¼WzåQØ5•dîØ…Xê›÷$ày
-ωbš%Û¸üób%&Þ£ï2î
ÅC|\DT§§7ùd$ÍI<2ÇñÅßQ««]¤äCänäOmä¹�7žt_1a]ùJeìWéO”-j?¾
‹2;e2Š@p½�ýªfÿ±æq’T�LÈòZ
·ª_fE‘E1ØpÑ[¥‚‘Š?Ï:°Âµ9ÿßÿã™å.¢~ß+&Å.”{ 8½)q�µwÎ( àÛ^ÇÖÿ!Ý�endstream
-endobj
-1286 0 obj <<
-/Type /Page
-/Contents 1287 0 R
-/Resources 1285 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1227 0 R
->> endobj
-1288 0 obj <<
-/D [1286 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-1289 0 obj <<
-/D [1286 0 R /XYZ 85.0394 769.5949 null]
->> endobj
-1290 0 obj <<
-/D [1286 0 R /XYZ 85.0394 771.5874 null]
->> endobj
-1291 0 obj <<
-/D [1286 0 R /XYZ 85.0394 714.4286 null]
->> endobj
-1292 0 obj <<
-/D [1286 0 R /XYZ 85.0394 714.4286 null]
->> endobj
-1293 0 obj <<
-/D [1286 0 R /XYZ 85.0394 714.4286 null]
->> endobj
-1294 0 obj <<
-/D [1286 0 R /XYZ 85.0394 711.5354 null]
->> endobj
-1295 0 obj <<
-/D [1286 0 R /XYZ 85.0394 696.8307 null]
->> endobj
-1296 0 obj <<
-/D [1286 0 R /XYZ 85.0394 693.6027 null]
->> endobj
-1297 0 obj <<
-/D [1286 0 R /XYZ 85.0394 678.8381 null]
->> endobj
-1298 0 obj <<
-/D [1286 0 R /XYZ 85.0394 675.6699 null]
->> endobj
-1299 0 obj <<
-/D [1286 0 R /XYZ 85.0394 660.9053 null]
->> endobj
-1300 0 obj <<
-/D [1286 0 R /XYZ 85.0394 657.7372 null]
->> endobj
-1301 0 obj <<
-/D [1286 0 R /XYZ 85.0394 603.4476 null]
->> endobj
-1302 0 obj <<
-/D [1286 0 R /XYZ 85.0394 603.4476 null]
->> endobj
-1303 0 obj <<
-/D [1286 0 R /XYZ 85.0394 603.4476 null]
->> endobj
-1304 0 obj <<
-/D [1286 0 R /XYZ 85.0394 597.6851 null]
->> endobj
-1305 0 obj <<
-/D [1286 0 R /XYZ 85.0394 573.6154 null]
->> endobj
-1306 0 obj <<
-/D [1286 0 R /XYZ 85.0394 567.7972 null]
->> endobj
-1307 0 obj <<
-/D [1286 0 R /XYZ 85.0394 553.0925 null]
->> endobj
-1308 0 obj <<
-/D [1286 0 R /XYZ 85.0394 549.8645 null]
->> endobj
-1309 0 obj <<
-/D [1286 0 R /XYZ 85.0394 535.0999 null]
->> endobj
-1310 0 obj <<
-/D [1286 0 R /XYZ 85.0394 531.9317 null]
->> endobj
-1311 0 obj <<
-/D [1286 0 R /XYZ 85.0394 517.1671 null]
->> endobj
-1312 0 obj <<
-/D [1286 0 R /XYZ 85.0394 513.999 null]
->> endobj
-1313 0 obj <<
-/D [1286 0 R /XYZ 85.0394 489.9292 null]
->> endobj
-1314 0 obj <<
-/D [1286 0 R /XYZ 85.0394 484.111 null]
->> endobj
-1315 0 obj <<
-/D [1286 0 R /XYZ 85.0394 426.9522 null]
->> endobj
-1316 0 obj <<
-/D [1286 0 R /XYZ 85.0394 426.9522 null]
->> endobj
-1317 0 obj <<
-/D [1286 0 R /XYZ 85.0394 426.9522 null]
->> endobj
-1318 0 obj <<
-/D [1286 0 R /XYZ 85.0394 424.059 null]
->> endobj
-594 0 obj <<
-/D [1286 0 R /XYZ 85.0394 384.8039 null]
->> endobj
-1319 0 obj <<
-/D [1286 0 R /XYZ 85.0394 357.8143 null]
->> endobj
-598 0 obj <<
-/D [1286 0 R /XYZ 85.0394 274.2812 null]
->> endobj
-1320 0 obj <<
-/D [1286 0 R /XYZ 85.0394 249.9416 null]
->> endobj
-1321 0 obj <<
-/D [1286 0 R /XYZ 85.0394 215.2417 null]
->> endobj
-1322 0 obj <<
-/D [1286 0 R /XYZ 85.0394 215.2417 null]
->> endobj
-1323 0 obj <<
-/D [1286 0 R /XYZ 85.0394 215.2417 null]
->> endobj
-1324 0 obj <<
-/D [1286 0 R /XYZ 85.0394 215.2417 null]
->> endobj
-1285 0 obj <<
-/Font << /F61 646 0 R /F43 612 0 R /F56 630 0 R /F42 609 0 R /F14 620 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-879 0 obj
-[602 0 R /Fit]
-endobj
-1325 0 obj <<
-/Type /Encoding
-/Differences [ 0 /.notdef 1/dotaccent/fi/fl/fraction/hungarumlaut/Lslash/lslash/ogonek/ring 10/.notdef 11/breve/minus 13/.notdef 14/Zcaron/zcaron/caron/dotlessi/dotlessj/ff/ffi/ffl/notequal/infinity/lessequal/greaterequal/partialdiff/summation/product/pi/grave/quotesingle/space/exclam/quotedbl/numbersign/dollar/percent/ampersand/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/less/equal/greater/question/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/backslash/bracketright/asciicircum/underscore/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/bar/braceright/asciitilde 127/.notdef 128/Euro/integral/quotesinglbase/florin/quotedblbase/ellipsis/dagger/daggerdbl/circumflex/perthousand/Scaron/guilsinglleft/OE/Omega/radical/approxequal 144/.notdef 147/quotedblleft/quotedblright/bullet/endash/emdash/tilde/trademark/scaron/guilsinglright/oe/Delta/lozenge/Ydieresis 160/.notdef 161/exclamdown/cent/sterling/currency/yen/brokenbar/section/dieresis/copyright/ordfeminine/guillemotleft/logicalnot/hyphen/registered/macron/degree/plusminus/twosuperior/threesuperior/acute/mu/paragraph/periodcentered/cedilla/onesuperior/ordmasculine/guillemotright/onequarter/onehalf/threequarters/questiondown/Agrave/Aacute/Acircumflex/Atilde/Adieresis/Aring/AE/Ccedilla/Egrave/Eacute/Ecircumflex/Edieresis/Igrave/Iacute/Icircumflex/Idieresis/Eth/Ntilde/Ograve/Oacute/Ocircumflex/Otilde/Odieresis/multiply/Oslash/Ugrave/Uacute/Ucircumflex/Udieresis/Yacute/Thorn/germandbls/agrave/aacute/acircumflex/atilde/adieresis/aring/ae/ccedilla/egrave/eacute/ecircumflex/edieresis/igrave/iacute/icircumflex/idieresis/eth/ntilde/ograve/oacute/ocircumflex/otilde/odieresis/divide/oslash/ugrave/uacute/ucircumflex/udieresis/yacute/thorn/ydieresis]
->> endobj
-1167 0 obj <<
-/Length1 1628
-/Length2 8040
-/Length3 532
-/Length 8905      
-/Filter /FlateDecode
->>
-stream
-xÚíte\Ôí¶6Ò ˆtÃÐÝÝÝÝ¡Ä000Ì ÝÝÝÝ’‚R"‚´t	ÒÈ‹>ïÞûüž³?�³?½¿w¾Ìÿ^×Z׺î7�¶‡Œ5Ü
-¬‡¹rðpr‹t�´�P(ÐWç�…C­
�f
L9g0ЇÉ]Á¢
-Äü{fXE
-0Üú÷äè¹aÖ�ÃöOÃoäæìüØã?ûÿxýœÿŒ=ì	a.ÌÁAb¡ö™9Y®
Ä£ò/z{x�Âœ*Þè—ÖÁ»2#×Dj,ïêÃ8›ÇEµyÍî;Ýoª²n
öA™ºÓÁß‹(üèX>ã.3v±ms™W`gÅúϨ¯"›
-rn­�êèš—ß¡RŽwð9£_²Ò¹Ð_8=óe4%v>oFÀk(Ù?`LÙ½¼`êú4ð±ûåÃ&9[~ƒ˜;26cLà«|r)Sƒj…×Íl(ßÛ
-b¬Å7ÎßÊçÏVð™h9�Žù,¢I‚°RÊ• e®äß·RÆ%=²ìÙ
êt›œ(†Ì%³LÇ�î)®Ž>1Ù¥‘„µ…^Ñ2¼éˆO£Ý	%õ‰>•pjÕr{2–Âw�Í<–g¬™-j—!3cäáakIè,AŒ$ÁLˆÇÆ‹J¯³nöùU»Ïm›Þ‰D3
-~"ÅVöè=”Žòíí`õ§ï3t;k‡–Bf?õ[¼„Y®¤¾ša£„+gl’ft]ÎB‚²w3ë‹,£ªˆôkêyô’­úÅ>¡ï„móW¯µrÅý¼0Ï”dË#»§BŠ¸ÝUJàžuÕñÆIÍôaòÔã·×¸§™	žL¦€Ädô<­cË-8àÒ—£t‰Äº4ú£|©D„¡¹šŒ]¸ãÏßE¯¡>ÓR·9xyôöŽ[Ìï`º~ͲûDœ¨'ˆº5e[-0GMÓ=KÊÊJþ&â&’PøS¤8ëãin,õ	2PU«r`ZÅÄí¢v8Q—ÁèÍ	×ë¯oã»o[�2ÝO2Ó¾Ðm/Ÿß×Y¿üìvV¹"_=5Ó›é�¶è áaÖ™7þv|g	“y×&"YæЖ(¾+ÐMoûÁ|°>›à¦±vZÎI ÏW´Ä%�^‘›üˆ¯­Ú]Ö%½ZÆÁ_Ï@ÄR�dçÒÄ9è©‚†õ‘kã�C¾¥HzõOlnÕž
ÝÍà™>{óbÙ7U^|ä-)G?
-8òÞ¼x“mì¾%ÿjã=!•š[žž;[#ÆŠ™éJ©/A%Ñv–µû`éióöí؜njP~^z•çQ•7˜¿\扯â	ÈÛ.|âùúÁèéá™
-¸È÷»Œq„z`²\F棖ûEœ!~õT¦¾\Ž'4/ýCîe–7,î9tãÒ¾Â1¦’·IM^y/¢˜kIm;˜¨½}O«•oÐHâ•¡Ç6—]í
7ôh`†J­TÂcweófœkÔ­—ÕRÐÓ(9%�Ö¯c
-Ó·_Ü€¡èüêr_7ýGmÔ&œÐ‰lÞÆŽ
-Kê#�TðÖ†§øñÞ¿šûDE&ñžËœ^QH¶!’Þ»¸>àáÉà̹ç$ÚxþF`Š×Í4IŽ@N@ÒÖ>_9²J¾ÃEúOê
-uÿ'¢µ?s_¯Ð‡öÿŠ˜'u
-BêH—‚?ý
-$O�íœàÅ€DÈ
-¶_O®ð-¡;…®u§uªºXÄ[AŒù××¼^L¹ê=_󱑵ħŠfJ—äÌ;7œ1¾,`_q”�¾´9›Œx•±tþ”
->C{(�©¼Ê°nwð,K
?EÚ7þBq&‚´”jÉ�¸ˆ�·?è¦ú-ŸCØüƒ%¥uXcýøââBïÅ ´;ÁµÜ3höŬ¶÷Ét(‡„šœì :î´cØ¢>:ƒ‚¯úò‚#ÑǤ_VItSÏ$ëŽ`ø~"ÔܲÜr$ŒU–Y7÷“ø?¢ê¹iâ¯ÉqÅõãÏØ�ISª5ñ4Â…èÑb“EÝêÑÑn
›p³ú†-.ä‰ìošå•Hû~B»ÎÂ�î‚T§Z§Ï_)�©OqÓzèß�÷>ë˜Ê;­dpI¡rr1ÛA
-öÝPî2Pw]¶u¢èúä»(£ý/Ž¾ªˆ§þßÜ¿~&æ[1¸Aé-KžÚEО5JÃ÷.føzßwi°h“bLñB³ß6ˆ
-ÃÐÙ²¶©HÈ 9^©�;¢Ìœp»Ãm%{r7E•�€�ÏŒµÂE±…ʨ*o,„óQÞúʭ䦀(ô$íªy{Çgk9©‘�5Â1ª0Û˜F3ŒÛ!s0¸4XàŠú#r¥Æ2á\8nqå°Ãs}䮀„s–è5)q…i¹
C9ad¼¿`u	
^<‰2@´ÄR­×$âƳ—xº>áÈïž¡wdª‡}Té†×ÎÂËõ€Èøt\1Ü~‚9 ÿ½8iaD9©ì"Ð!gÑßqÝùA“ׯøŠ
-»]‚Ä�ÙªAÓ8ﯙÎd@Iî?_ɽŽbÎJÊ8&1ß’bçy·ÌJü®J_ƒ|¡iïÂC®¡L;¡Æ–=x8"ÆÝù\šGd'—®®ðÖ/B¿ÝÞpRÆ'µsñX'MÂÁd;ŸäÕEûtGmý«†g¾ ¿¨öùWí},¾Ï†Ä›tÓk„fªõžÑ »›&�oô/L¿ÇGìü²•âBZmÎOw݉Úñ¼>–¶ü^ÝvšÉŽHk6Œ´­¶DM0¦›}Öda'¨šßo·é˾xWp¼311ïçdϘ9óÅ­Ô§?¯jò>*§¨¦‰Ð:’-+X}7¿$ÏL\œö¦nD™ðì�¡ÉX˜vWŠñ=mç¡|'M}„ç‹çÄ_’øÏ£÷rci%Åës܃ ¨ÄÏ,n±±ˆ" 5Ù½6ìÉ6úQèÒõmŽ¬öó–à+q®Æ�¾ùÃ$ô|Òî]¾öÒñÕäË&�æèñ²€Õ„KfVº”DfƒŒåZóbúä`#öZ·<Ò_Ç÷-¦�ªÏôª
-_˜lg˜¨Î>«ŠTÂ70¡ðW~—ÛC!<ZüòþÅ#(·�3¨bæ:ߨn¢Œè½Ù$ÞÄ‘Îf;®Ì*=ËnÙ†b…ƒ´ÂVE¼Á<öuBgˆÿׯxî×_ò­Ìz—XˆÖ`©Ö4s�iÝÏAí+<¾ŸãÁE.Q˜ÒQqúÖDõ”ÏÓ$`d�lÚ/BŒñY<xŽ%Á„+{æÔ¢´®³N‡­”TøTõ”V3Tj+"}âžÂr}©Xž\L$ÓÇÈš÷ŽEh®Š-x�ù
->_ŽÎr¦x‰|„ŠúNx‡<7M–/&×gaÅj[²Ë±‹4—À¤ÀÖO–|¾1_JSw{ðÐıDÃP~�ÜFY­Yy³]ˆ:¬aÔ_|žjÓM+ý­‚0@îhÅtÙl¿Êgšê…µAbDå·�Ôw¿þ}û�YÕ×iîBÕ*jòýZö˦ÏN’FéT/H
n±úÁÖ“4ÑOEìØœz~Ÿ
Þ88‡á ‹w|q£ªšîFªãÆÇ
-TT>/5—䬽%‰”dðqÚnCÃ%Î4Ã
XDmeß:#ƒU¹Ø•l1~à4±GL§%ÕëEЈ®ìÒ\;ãÛ8Å+§êJZdº×d¡K©¡ZÅIŽf3zV#W•c[Û¡*_-�߈¯Þ­—¶5k
ª€º—,ìd¿»Ìë÷S/úò¢×Ž Nâ)uóÒY~	]ßjÑ×Ù˜fšuž²K,tÊ�÷“\'gy¿÷5­<TÏ4CUMà£Æ�gÿ3Q£8Nð²Ã‰ËzN5\/MØr®]�SÝé}pæ§VD@™:]¬ÔË7>1ÌÈéC•'ÛEÆŒ!…Ù7aVì:ASQ×µ{|ãÇj9YÈ4Ö|m Î·*_íw4ø!D1 ñX¿Ù¤X•³ç
-t�‡Í=žÝbóÆÃwî6ß"£“˵?�”JËOP2RÐoQo+†â1)©w†¦ÜèådîI½ÈZ¿VÍ�­(e÷åû È
"QÔüFØs(úF�$'‘qL ®/¶!õÔ
¤HvkÖ‰Œh¼È‰¬ê؉á¶o?Ùa:Šÿ±qêcŒ°gã!_QÇ~ÏWê¡1üaœ¯UÝGmã§Yñmn%ìRãr9÷¬ß0qˆ5†/‚E…(êÚ“�†,W‚˜$Ù½ï¶åçLxËÎÔ|ú奕£w†Z|ÂV€ãž÷,éOd
-ÞyŠGÝ
 ŽÎ¨Ý3lÍ4©¿Î\×T2Zª½Ag—.7Ù#ÏPæï™v¼eŦQLÞ»±Oþ¼Ô\’	¬ÿĵJÅñ¾(š3Ç].Å*,MÎ>ÛBx�(ÃSÃó|D³uû‚Þ¡ï†{:Ò‘Á¨2G9¡Cê{É•<|?�ÒK áéá@F)Ø,êw÷ó?�È ¸¢Ëa„Çh%Ù±o^Œñ{‹6™Ý@¥-«ä%
Å~jÉwXjz1�îi´·î¬%uÕ3^¿±g�¸`d+ÎK[ŽDe—„]âò†Yè�ÖýÇ?Ï>£³HjË,èkѸÍhÔ8Š”™v_Å
[ªJÖ®²9m=·�âú?\‹k>¼à¬‡¤*³Ñ³ž,Y
ê<‹ý¹uÓZ/ZV$S·é#ƒmNOš¨5M@¿§rãÝ0Hõ7¬&7[àçŽAØñêOõƧÈêÚ5±pE6~d»Ž^.x¨T1¬µ¤$£Í7¿ÿ4òÆêüj§‹G1¬èípoóÌ3³QýÐZ:œNÍÆéç,0½‹Š‡Zg‹ðâ£à)‹Q©¯³‹X""œÛÆ0�ÏÁ¾äBvFA‚)Y9(ÎYÖý…ì¬S…|¸Ôü¾“qbæÇN.LÔX§…_�ï‚¿œ%�%½¥åŒìé|°
D>W²7}C–Í#—ZR¸
­$º`bÛGο…a¿9gÝS%\”Á/œîñ�hC|�?s§Ø…šg¯ÎÙÈ)ª¬m}ÐvÖËk†Ÿ.bÉ&O
-üõí+uqfº`Îa‡„°£â,I§ã¯½/‘�˜÷�ÇÝ›Á¤'P6ߢH‚
Ú?÷›½šÙ¹˜Žà9¦ŠmHr7:pMRYŸ#£ 'æW¥¿ðKCß|-¡mWÝ躖nᲶË0–«ÞÐ3äÛÙ=j’
¸Ë-,n–³e±€¢üb½iÙ;‘˜Hâ°l<)žL.ßÐYÖÿ°Ú·)�wL=(‚Œ£± L|�)=å'ÀÆ-Å@²öò¾µ<ÃNrä³6îµEôʃ3±d¶kÓ»¬ÿ‹%ôµøü·(kD~ô(¬_yñ‡Í;¯åä²fùOî{&*‰äyÒ¯9Û�B±T¨d>è.<Sâ¢éX3p7«Á~ª"럽Ÿ“lË´ÍÔDQÿfŒ°Ì
-*s"}Y
;Ò‰¢ú{YÌÝÇí]p¶Òݯ€Ž¶Xo³êÙ}
-endobj
-1168 0 obj <<
-/Type /Font
-/Subtype /Type1
-/Encoding 1325 0 R
-/FirstChar 67
-/LastChar 85
-/Widths 1326 0 R
-/BaseFont /QATDOB+URWPalladioL-Bold-Slant_167
-/FontDescriptor 1166 0 R
->> endobj
-1166 0 obj <<
-/Ascent 708
-/CapHeight 672
-/Descent -266
-/FontName /QATDOB+URWPalladioL-Bold-Slant_167
-/ItalicAngle -9
-/StemV 123
-/XHeight 471
-/FontBBox [-152 -301 1000 935]
-/Flags 4
-/CharSet (/C/D/E/H/I/O/R/S/T/U)
-/FontFile 1167 0 R
->> endobj
-1326 0 obj
-[722 833 611 0 0 833 389 0 0 0 0 0 833 0 0 722 611 667 778 ]
-endobj
-1142 0 obj <<
-/Length1 771
-/Length2 1151
-/Length3 532
-/Length 1712      
-/Filter /FlateDecode
->>
-stream
-xÚíRkTSW‘ª¡¬òRIÕzX%2yj	 B,žò�˜{CnIH@Ä•TeYÄF—<EE©°ªÔJ-±
-SÀiaËq�ªUð5¬««ôç̯YsΟ³¿ý�½¿ó�Móˆ’1D¶ÅP‚Áar„ X*•pØ€<³Ù-‡å‚¡!rŽ@àVkÕ€»°ùBÞ
-!�O¡�`,C�#i*xÓ'I| ÒÀ8¢�£@*'T°†¬¡�«�S 0¡g‘Z
ÖMÞÈëàLÏ‚!&…Ã
¢ ÀF8
A)¬IMT‰
þ[Òf¼KeÁx&)
-xMɤR$„¡j=€`%…µ#»Á¤–ÿ†¬éÅCµjõ¹f²ü”SÉË5ˆZÿ;Ódh	R‚qt:5~+N
-CˆV3=+!äjD!BÓÔ0`pV2Ù+ßâHf(¢ƒ¡(„P¨€R®Î„§p…¦+!ý›ÒÁŠ”Šc¥QÞ¿íT2JŽ D´>ì?ØS1ç�˜4	Gt ‘Íd³9$‘ÜïNÉÓš‰Q!hàò|€Çåz
-9DdÄ@PÖ
XG*f1QŒ ¯
-rKÃã$1£ŽUº(j¨ýÃj¨¶pCÛúVM
-ïsXel×ü=p §eL
-â7òÝnýÂÓ¥܎köUüMºÞûÛfóž$±ÎF�p	ýx êÑ¿.µpSBƒûRÏFßò¾\×x¡:ĵ®pf²¹94´zIól¬w0h¾G€ëB¿¹N¢$k4Pí²\ìÑ?P�ËqáMŒ/:.ô9ØóÒoè§ÒsÓÈŸEyöC[¤ïb>ˆ^nðýÕî|D]ª¾Ë·î¤ùÇyËöAÑ9ŒµûÒ�×FÔn×èæì=&hxı«È9÷TÔüƒ²/õ^›ž-§·Ó6\©{L8G½¨Jeâ	�g[ÛPµž7dqÏ~²�ç—”öº'àȺC5†Ý›>¾µrÑŽ
¡Ã@ï €š!þ¼4ïÍÖÑÞ0­ƒ³¸¹#Ñ‚Þ;fºóc?"Ürî�³ÖÓ?þ›¥
­Ôúÿ[µ–ÁuVFØêï"Û�	ÔR¥©s£AnÖËAò4/‹»Yêú½ä©;jnÉ0n%h‡_�¬.�eåY{W�òñ "Ǫ„¨l©ä´z¹ÍŒ;3Çž”º[Ÿá›^ç7Vì‚oWF­­œð¿Û=¡Íw½2RÔùË™R¥ôM¢loê|e¶^×5/»¹»l�S….˜áµõÌ'†/¹_�66m¶™‡¯‘DAßÙª:¶_w½ë¨ál‰è¸Ï�ÆwؽŸ[´šJý5.­Óí¯/³öÝy);æÃBó]¯X÷2qékÛ„Øú¡Ûò¤Ã\¡K“¢©Á¸çbU‰ãDZê`¼,º@Ñ~;eËêai}ã‰Ý;8‡T9%Ýs[f-ܹùg·Ç˲d•_¯8Ï/ÈŠ=Êëœó½çâb
¥äž*×L»'î
ÏyøÃÐ{ö!£KžÄ�5¾°ªúÎøV”H†¯t‰nµí¡Õu«›kÊ
-÷HçÖºlx/ÌépÇá5'ÿÝ%¼ÏÚǩˈ—¯O-wûVŸZÌ	é1>
-k�̆Ð#­Xˆãš¾&—ö@f~¾¨,¨ûÆ®UJcçõòü_ÐY#u¢½zÿNL>+ }¾X`7ëþGW>ÿ.µ†?8vAÜš|­÷Ëѵ;ù/-É,zr1CN¬êáͳl|šu¸ šZ7Àþåÿþ'
-(Ô°'0�O§üê«Œ¡endstream
-endobj
-1143 0 obj <<
-/Type /Font
-/Subtype /Type1
-/Encoding 1327 0 R
-/FirstChar 60
-/LastChar 62
-/Widths 1328 0 R
-/BaseFont /LMEVMP+CMMI10
-/FontDescriptor 1141 0 R
->> endobj
-1141 0 obj <<
-/Ascent 694
-/CapHeight 683
-/Descent -194
-/FontName /LMEVMP+CMMI10
-/ItalicAngle -14.04
-/StemV 72
-/XHeight 431
-/FontBBox [-32 -250 1048 750]
-/Flags 4
-/CharSet (/less/greater)
-/FontFile 1142 0 R
->> endobj
-1328 0 obj
-[778 0 778 ]
-endobj
-1327 0 obj <<
-/Type /Encoding
-/Differences [ 0 /.notdef 60/less 61/.notdef 62/greater 63/.notdef]
->> endobj
-975 0 obj <<
-/Length1 1608
-/Length2 7158
-/Length3 532
-/Length 8009      
-/Filter /FlateDecode
->>
-stream
-xÚíwgPTݶ-’$)¹
ɱ‰’sRšŒ(Qèn ¡é†î&JÎ’³$%JÎ*9J’“d‰‚dúÝsέï�_÷ž_¯Þ®ÚU{Í9טcÎ1תÚì,ºüŠ¤5T
‰Àð„¤
-Ðu±†ÃÀ
-†Ýlƒºƒ¡N¿]|
-�¹é
	€!ÀpÈo7väBN(äM„ã�ïL‰Æ Á(˜p“UWEí/ž;+ÌïÜhØ�€´¹‰„ Á.¿Kúã»�¹ñb¬`4
-�CÑè˜ìßÝùW�€ÿV½•“ÜãÏn䟨r€aÐP¸�
-vʯ2ÌËñ+E6û&‡-I?¿(¨”ºjðøòÝérõÏZO
œ³9º“ÍàÍÆÝšswžãƒïZ€ E>iÊ–qä‹Ýq­E\q¡'k_ûõô-Þ]à1~AìþâöcsÍñ£zpìtÇœTMý‘¼‹¢<÷ûGÜæ¯cÎŽÞî®ÎæýÛ­«ô¼™Ñ„ìÒ®¸¤~Ιôò&FÅ/^Y¿Æu”Æ·„´q‰ÌOíÓÔ,Š
-V2ñ>”[
	´ûå
-œ
×Å$=®é—-#ŒU§z’ˆ¶v[õ—ç,þ‡}âP=—ëdãã+{µ:ômä�ë[Tdi
«ài¡¦r`ëûùg'êì°p†—Sï”:*‚*>º¾›XaÚï-úIö
ΊûDÇ1i2‘¯`¨Á
-¼ú·E+¥
-…Ì̼w�ìèÒ{EN\¸zSy±íª¥ä2}¥§À}ú	øèOiøÀ9ÍXCFï�,£ÏÐùQ ï½Ûm¤ÌqÜôýìZ��Jf8¼ÒÔ·Ig¨®¿VMíäqšÜúL?Ѭ”|ŸáñSW۹위ÛWPôÅy:¥[
-býl„`çó¸þ->ØпÿÓ­¬ñmQf÷©i@´?$È�çpЙ_§ŒÑ\ñ™‚ý�pŽ©
D�|‚
-d¦g¹)§ø³æáÇ·Ì&ðOQÔÛœK,oWoŒ2é~è!‹;µ|tEà©Ùa›ùuŠ±ý[Xþôåb„x
§
Ët¦‚¡¾Ë(ŸÍÐÚ–µ“|bYé+
«Uâèj#}©@‘Áµ²T‘#; ©ø2ï³’L¥�M…ÛÄ�}œÍ.jS}>¨¹~Õ™I틉È$N,;×9Û_Ѳ
-(c�ð×
û\í¥”xÜ’§ÙökW`¿„ËÓ×'ZÓ|3Ws}óª—ê8ãS úÒ|#‡Œ�4
«M6>¨, åxý—†¸ìËŸê+eÝ–}`±š»˜þÓ]ûýZ9;ê´Ã$�Ë™‰…Ä&ö¤Ë,"ñ¬c*Ã6fìD›óÙM³:*O6µ€Á‡ùÃe5¢U™Ý·Ædý‚·¶0ÙZ"}=
m,~|áêìÜ“{æó#Wžè9Ð}†g4ap®]é#×3ýé;ÙíýãLOÇÉ?eUúלwiØ•!y\—ÈøïfƒIv£ìHÒUŸŸF·	-~IdóXÜ.¬Hƒ�R
‡ÊÓ2‡ÃÞj]E7ÈÞ~ÁÕk¬·ú0-+ÝkX˜ˆŒ²õd•Í�‡¼*µ»,3/T�&UCIuûĺ5ÊïNš:ÜIs%+±Æ®œ�õÆóawŒTT ª|ç™”`ñdw}Æôƒ#XV5&6yã1qqÔÐK®¤M¬*Ð[îÛe?AÕ”¸ím1bùŒ¼Æ>Æ;z
¢¶ýâáUãá`½
„w½MÎ,}¨7žŠmÖ­'_¤A<bŽü×J†ó+�Î
]å/­^–û”Ñ`!d
-í™ÚÑ�E@Xt�J)AŸTËÏ_}»/™u´ÆÞ"Š]_(H'MÚÞ$ò‰Ma[Q£?@C
sÝ÷“QªU*LCÝ
g\*�’™„²M
÷5»¢ìs’k±E–yíø—ñõÙ)Ö‹æ_§È9y
ïÙØ#3Gz'Ê¿3|;ÅJÞ¯+¶¢ÐU8_àójá¥7¾È½¾×**À¢�
Â5ëùÞšR¬º–Æ#L‰|“tŸ‘ˆ�¸¦µnÆ¥®‹-JDVz1föÊRó�Dòš"iÊךú�Ußøÿs,…<´ ¿BîüñÀçÓ”¢Òœ§WÆ»)´5§6m?P±ß8¥TY�²Ö½ìpeÖGŸÍ$ª×ˆ¶ØÔøõ<¤öñNìëV&B†‘tÇ-_^w¨‘×D›ÚwëƲ÷|ÚkÛÞ¨–Z¸ª¸Ç`í€õ~x¤àœKΘ†£úDñ�Äë´žÖŸz ãýžý1ƒ*qï)	 0EÙÛÝÎÈónå‹ç©OV}²?N×éG€YwnáPGîkR¥N!»4ÒKÌ/Ö/2B™´Ç¹1¸„/ý³Ö^Î?jÕÔé°Ð÷æ¯,‹ä§k$,ž�<¾šŽZ¡ê“¤yÍ‚#Ÿæ¼H°}èøž¸ùyLw¶�SÔböxźTÀŸú¤ØZˆå¬ÁmvïîÆÞ%<M.Ù=úPªº÷©öUGKß*C©Ot[¾+ÁåÛvøM*•M¥ç‚ÝÇמknDÚS‰qf²ÛÌ^ÍÄʆg©b<öüñLcÝJÎ�¾‘|¶ç
-A½q\S­µ�*¨So�é¸yÅŒù³†”ϱÕÇj)
-x¬¦À#’G|ÓÆ2=W,Øí¯ïýÜõ1
-'mµ}Íá Iûf–}8¶Ã‹;§ÕDq‘2ΡQ¯¤›f:„_¡ÚV ¡ºãôÙz®ŠZ: 6þ~±Ý£ØêûÞ�˜ZŽ6Ü
-­K…š\Jr#»ÀÁnÝ.ê}ý‹§Á
-ꥩë¦ß�˸]
-T”�‡róO×ßÕ‹ÂB銺íO
{@ЗЩÔúœÆÔé"g¢'Ó`k™F¢ææ>§7ø†Ì°ÃÓ\‹Çç1!ët´‹Ÿ‰zÎMîf|Ê©ü:Iï*íé=¹¶ÂŠëPâ@d鉩¨ò=Ï?jévi3¹ÖÑ]2	U/©˜0"c‹�Iþ²LkÙï;ÇÁå´ª%gÆ]Gˆ�=óøÅF
-ûö÷°Y¼Š~C£©k^qåâÛ¦r<Û1rYüg<ͽɋW§�
ƒ¤£ª¤óï•Xý/¬f¿â%"	*Èœ¨Ç,üb¥×	–ÞH�*&ø4ÎHgY"ö_`
-¢çS’3üx%÷XhÌÉÝ6�JÕ)i‡ž[Å(VS&™NÌñnÍËo{zÌ£ÝõÕR›p^ˆ|¶�¬ß·|­²‚PµÑ˜4|‚û¬®wÑï£B‘�ôº£G¤ŠÁrý÷ïÙï‡)‰wªÙÇ\±w(ÙªW’(†Ùӵƙˆ¹ÉÔmû�‘Á£?$é³Vñ¾NSO®½ró6 †×Lߺ
e–ï{�ÉÑ0GH@c•ÊbI·Uë(=ÇåãX	 ôÉAná^	Ï,*Jt(6ó>×
-äÃ?NÍÎ0´?j·Å±ãN?Ø®šWg
-�ˆU(–îÙ×ù`Ì™F²)‰õd§;:îBB¯pkdÚ‹þ‘ì=
r£¢æÜÖ¨]Yy£\	ÌþxÊù²L×{ñg˜Aʬ_‰[Ö—p½ á)óÌc¶>”"j5,�ëjm.ùÁì
ÊâšB•‹³Úp_2Ü/œy
qŠÝ6KjÙño¯~]Ú…gD²å¼â~`òèR
-vȓT;
-J4ã4à;�³ºÜt|†bžD¨´|¾¥ºˆ|ñ¸h�"jj‹î�ë/ß/ƒv£a¦Jö’¡Áž—	—C+f
@,»GmüÒëgô2@£Ž¶ÞéZw-¿»éuÞICßbŸ[�‹öç¡ßåËYBÑ–×ã8¯ÎuEõ�¬#¼ÏkÊ­"`Ë
ÇÞC¯fñÅèÂ>†OØ<*¯Žq§hññR²®$¯æÞ\”Î'±¿ÖÁ'Ç™”;pW¢“âœú’tÐE§“)nó^0îýM¤ñ	¥Ý„gÖ‰ÄVL§Æk¼lÍT3ŸÑ¼à¨HÖð'xWV"^ïUì쯬GsSC˜¨Îý
º5wI×·C#¿µ'Æ
whø6œÉ,É›ð«sà}á0؇«‹÷{úA TË×] §¥#íýî]9åÎgŒ@ä^;ÛÇ“’Lɽ×�ŸDz×ßÝšþX+ô
-~/ëÀ«Åt#Ô^ÎI<ê«X¡k~‘€ÕÅlè!­/ŸXùÝdXH6¢v0
-ŸµÈ ?¢>P#…\«^íV<òÛeû#ŒPWÂXmÑØWmÕUåÔC
�©noZæ�Y…øm:ê(�]+â<K
-~öY^¤I�Ša=}&œ1v]¯bCÍê(ºcT®‹�c(`ãîM×ÙF!Ìõ„·çäHÖ¯±NÅY˜ÍžL¥è53™ñ'rzN�[-Xù?TfX.RâdB"ÛbÒ~joOå.â¶}
-;]Õ]Â�þÛâ´ñSCq/“}[«w¤ûðÔ™Læó%óMmƒÉŒúi åªQs"ðrî£9š|g#þŠ—°¯…3»ò>¥ä­öKÅò
SM8­
;ÂÑ[x±EhÕ²ëdfT	F�“åp“>&fˆ­ãhŇAŠaÄ_2‘ä*ö#WípèêfåM§÷ž¾zÛ99©¾Ïõlåá€ä´…P÷ûwJ°«•¦ˆŒ;
±û3m
/Ô’-Ä·{éØy×¹‰—`ó¦7U4PéU†ô¶ö™U�›t¢ýæ<+²ù8úü—�
Qô¢k´ò=Îëü›Þœõ»‘Ó”ŸN?+ÛaBãS°žjÈÄèªL+œ|‰æ£
-4žî}(wû�Þ°…¬j&€yLnCszð•fIG‰+fîô·¬§ËfˆZEq¡oñ­ìŊƈwtÂT3b³âPŒtåi–ªY	õA¹“ŠB$°Ê:H¤v³»û[Å…kŸP%+—D6B⺎p1´·
-8¸øÜ]Ë|e¥sòɺ”}!SfÒÀK¢7:Ó0œÏ+ZDñÁCÒô‡ oA{&,Qæªê¹¬{Ä¢ãñòë
-$‚tòÔ‹%‰åóJ¯`s`ß[,¡y�[öÔ›_RR{™g.,Y$6üù8	0ý#
-¾™¾s­Ív�KÜÊ<Š¥+KÚéÏT
-„Í—\*Ã�ï>•¾éœGá‡Ç{r®�êïÇ7_à:Š®ü’9O&»Š[Öpé�Ùxëáªw¯P�!vÁYjŸ@á…Ë�
ô†š¢á}ÿ7ÜùÛ!>åžñOÜ(érm�î&Õ>´´›×²s5�)PrZXq
P>ú…Zëõ>,dV¥Àuw¦8§%ÄJ¬aV$NÇ›ñ;´rä8ÇygKÙœ‚�³úˆÁ¼/oÓ‰F@¢6#�^Ëzúk3t©ê¾göh£¦W¤
-ÕÀ²û>…+û6DʺbTÄRŠ�ôóÑÉð¾O\á9;u°ü5Ö¼@㌜“Ï‹Õ¯yB–%q�s´ðpsR¹ØÇ왤ºÖ©g<O 7cµ¢›;H$ð°cy±^º§‰-n*a[ºDvª‘¼ìe�ƒtç%hw�¾ï÷�jÀ¡æ#=©áë>ÀseÒ½rQL0;uRFòÏ�Œçùrb4ÈB´·dà”Þ±¸÷‡»Õ‚4©…·óS?^?Ý'e›„ˆ±ï‡X†NÌØÒpù•B´[B'è'�JTNãîzwɹtWFÓ,iŒÉQçˆp¦+ûkÏ>è%ÝIkÛ�np'ï3²,pæ¦pVó©ÚQÛ%ĵ
-¥C›Qçr:Ü�ãî{¦2?=›ïpkº®„ñŒ>,�ã.T@û­°ó>iXb5>¾(wJ½º<¼½béŒ%F˜f帖§Å/¬½Ê²j”~¹z9CI9Ø®œèùFæùhà„‡ÙRx)íSÏæ××Îý,G
§åe÷ý”ß³Æu(ý$jªþ«ö{adŽB]ݼkèö{6²Ùå±sõÞuÃÈÏàºXÄ,9(—.¦Æ1î
-î�#[ú�yf�ž}�¸çÉ«"ó°åÉÏÅ”«C9öM¹/Ý,!^AlM»ÝA„EÀ÷�ˤB‡$Ï»}ߘBº_U	-yúͼŸˆ´�L¿À9º†Ò£é•ïeZVâUPî›(°€ÃS~1§ßÎ�üÜé�Âʹ×*üt¬~ðiêÉJL#6‡¡Å«®¬W#J;ËW;žžæ
-;5"ø/–Z
-7~6lû†óJ,ðqßO›âžg|þœœªýGÄàvù\,·mqñnƒËëS5I¿Ä¹.»©¬Ñ
ÄÍÖðs›Ë>f¬_ñÜ/NåxU›oaŧ‰¥·ý8ip¢Ò¶„BåuM¼x˜9%ç"
SsÆ‚4aãûÑΠQ©šÊLv	\½Å§ÙÇ›aI¬ïÅüTÅ»–ÍÁ^	ú_>Dÿàÿ	
-endobj
-976 0 obj <<
-/Type /Font
-/Subtype /Type1
-/Encoding 1325 0 R
-/FirstChar 36
-/LastChar 121
-/Widths 1329 0 R
-/BaseFont /BMQMAT+NimbusSanL-Bold
-/FontDescriptor 974 0 R
->> endobj
-974 0 obj <<
-/Ascent 722
-/CapHeight 722
-/Descent -217
-/FontName /BMQMAT+NimbusSanL-Bold
-/ItalicAngle 0
-/StemV 141
-/XHeight 532
-/FontBBox [-173 -307 1003 949]
-/Flags 4
-/CharSet (/dollar/hyphen/six/C/D/E/G/I/L/N/O/R/U/a/c/d/e/f/g/h/i/l/n/o/p/q/r/s/t/u/v/w/y)
-/FontFile 975 0 R
->> endobj
-1329 0 obj
-[556 0 0 0 0 0 0 0 0 333 0 0 0 0 0 0 0 0 556 0 0 0 0 0 0 0 0 0 0 0 0 722 722 667 0 778 0 278 0 0 611 0 722 778 0 0 722 0 0 722 0 0 0 0 0 0 0 0 0 0 0 556 0 556 611 556 333 611 611 278 0 0 278 0 611 611 611 611 389 556 333 611 556 778 0 556 ]
-endobj
-862 0 obj <<
-/Length1 1166
-/Length2 8033
-/Length3 544
-/Length 8848      
-/Filter /FlateDecode
->>
-stream
-xÚízUX\[Ö-
‚Ü­‚ww·à\(¤€¢p÷à$¸	îîÜÝ-¸$x€p9§ÿÓ}ûtߧûv¿[õ°×cî1çkîïۛ歪³¸…ƒPÆ
efga
-}á5­]
-
Ù;xT�P Ä~¡¤Ì]ì�`¨†‹££h¡tvp�˜�
-´spü#Ó‹„,„¼mñG¬ª¥©´úG»
-…€Ü
úl,llì
-�
S÷ïôPNnqÊÛ±Mææû$йýfCeQ 5f$º%¼c�¿¬K[-U
9æs+p:®0õç"¬÷룖Úm}±û‹£­Q!q+ØDÉ;�ß*„¨p!þw�‹¨âZꎻŠ”:uVåssª7ä½
-®¸œ‰›µJZ]‘u1ÆS`üf+5â-M®Æ[­öŸ:âñ;½«ê‘ úŸ•v!w÷_ ò}U¬¼®Vć"Ž)Ú„€™`-…à%®ªºŒ«låVd¦«hÅnd$ƒOËúL¿óƒf�û��QY3®‘NiÚÈ=VdöúX6–et5®/_�Ù�¬
‰’í¥¾r7
-£XÞw7.~ß)ÉO}œIž°¯ªnÔ«¸Ÿ¼šX¦y&o{`ä*´<éRëÌëÄâEdqŸÂA^"º×ísy¥–l4:e[EÜ°ùH$`6O
…,ªØT{ÅP›‡2OT=pZ)Šö*ÅÂA~FŸš,ÍçA8
´DLŬÕ,È—È·Úqð<2DKÌTÖ—Òn¯&¦±yZÔo•y&Þ'Ñd¬ä�“™–'æ5K”„Û"M£é�6g…{4{Êòûx­¬ß­³HlÜæJô“¼[pÑ'2@-¤)º<Ú,,‚TÚbµ
dN7eFnnïýö¥ùx/úAD™<'í×[Ū6÷>µP"þ{ØÕ—<¤aãq´lÁO²ì,ËBÌÂcO#ÚÏ›‚<+>š™p>Ån¬ÎxëV†Ø=уZ;“x6n^׸X­»¼#)Ar8[!qã{’u]é[‡¼G©MãÈ�}ÓºF'³2CgE°X¿|Ú°ÆC3µ:Ñ|J¡¾5Lµ£ÌC<CšhÛ›�ñ‚<7š+)­÷Ë%ßÌèÅ‘B4Ñ‹ú>—®°õÆ©
%Žhz�é[È­"wúýœªF*;a¨ØE@'dh¯ÅDx·÷-èàŠ9n>íl´8•,ë[ÒØV¨’¯ð
-ùhÈ·'d~ºñKzª«5H«2¦iúÆ÷†^ôÇ-<d©mf„ô·­³M,å¬r÷Õ‡¯$Ô·+ÒQÙ¶™ÿ 3—
‚|r‹fÊè[Ÿ ¶l�ß“þ)ðs4*ÒŒ<‹ÃÉ‘{h°›ô­åhÆÀ©†^Œü7®¥"¯J_eqiQ)	b>�WàÈM=ù…Vv$=è
‚:
\�Ll¯ª6AíUp æf¤ŒÑ;‡Æ|*¤Yy]	g)x¶@	L
ríÑk�ogOòmµj·áyscâ(Í¿ìò¿>¿…õ¼å¹àlD�C¡&AAí~f0QÐÏí­p›¢Î¢~�…f-§]UžâDjìDÖ¨ŠI5èÙù¹ç9LÈäy£~l'–Å2!€œQEÂm%“Ð=·¢Ðù¾eos÷Dç<`ÎÍéuD¯p¬áœCJmÒfc©Ôž·çGßëqÏßÌiÖס	óÕò0®«}‡ißAÕ^Œe®+Í{poŠk„°\?é…ß/
ÕŽ”ADsåðDÆ|!
OºEËqsœÂÈtê¿IÓ(!gåXnD�²ã³§jæò|CCZ+½îÎÍWæè@¬ÕÉÿÊØáLÔK˜Rðgj[Ánñ¸òé]Û¦@·è
yl=pÅÆö`úæµ1MÙa¨À$‰·­¢�FEKs9…]#e!‚‹�·/¨‡t‹kw¾jAh¼;><©•>ú‘ú¹ý¨wìRä[ ‰F½
7¤ýºßŽgrÀBQäÈ	3"dÒb]ÚQ™£‚!fV(j¶ôx,]{ïsñdÊñ£®¶ŸßÅ×�º6³l ôÉÀ€;û5rR¯:Üú”¸*bšëßöÛX©ùVlÅf*ÿ)¥ap#cRÖLööQºbj¢.Í÷[‘ø­õºlC85©5Ú
-{�Õp­Û‰�f´Ž»GaŽG@:V’Õ.gµEr^gõ1<G³gb�^Ô<&æ�a‘>¢QY­§Àí¡î/ÅV6Ç
-�Ž”ðv1ζi±'÷ªCêjRáo‰ZÙèú?—gÅ!yzÐ8½ŽOlt"¶ƒÇgA9d2³^žñS-ÅE_�ºêVY¸
-D¼áHwb<,É6o[£Æ>c“ŸÙ!4¡kµ~mÞ/þ%}²˜1H2Ýjë/³ë›/¶Îf™ÔtÌXÃøsXOr7}åjêïDS±ßwÀc=Zöí�(°ÒÊ9=ùûQ’i#÷øt°{9ðüî;÷e×¹+¼Sš¯!Ž0Ûç�.,,Yÿ¥Â¼|7îf�Ô·ÎôU4Í54‘¶ä0ÍG
-p0©@Ô€ô«‡Vý°­|S6~�L¶þñ	­ý¸VM‹KøŠãÚñR¹	“åÊê¬<·êíxÓKÅÞÅ.•K�ãÕá—
#¼!{5©"m(³ µ ø—Çù鉺£D
:¾W$ƒÌN‡S=ºYsuág=„32+�•–«æ`-4‡°È—T¬¹%õ¬Ë'C
ÌxƒÈíÍn´ý¾Ymªg"Žæ¤—œ[wa0¿Ý]tkÌ—îþÇ‹°”^¹@zŠ£ß—"ÉÌdØ¡¦ÁÅÃ&¾ßÆçšpÜíý´óØù!n(¤�ëó gÜÃrY`/|ÓÙL ì:8o½T	ùFÌF²
-q%
-7Ø?›ž	«$©O\W©œoE/4©ïH¿		hJœšÇOçq¾Þâ_9ä¾›Æ Ìh&"m敬
ïm&ËLñŽvIªtâ�ú–1Ÿû±®Ÿ¶~’dßR­L"�·0ÛƒÖÖGß²ô¬¶¼¥œ~Y‘�"ƒãw»ƒ&5²®ÄKj¾c¨·_$gÐÊi1òûÝ
-¯;眷J3ñšÈWÚßxTÌÒ4Q><ŒääW/•Ä™sä'q‘ÜCxûŒÌÞS¼‚ߟÖÏQUeï¢ÐsˆÀEÌ4'Ïá¡ÞsšÔYêR£ñ“ÛܪMܯ€</Ã<%Õ»t0<b�'–«‡Øöûç/*Ï>m_v´Ÿ�)Å+8M¦ÿ0…˜ˆÙ0†3$'=¦ç¨jÕIýþâ†cPãâèá`�YLh:çe|ÊF%‘}E±»µclî=|<79
-{/}ºo'uä.ÙQ;Ù?€i½†p{ë|ÕSÈ‚%¦Ì�Oó8¨*
-”y?¹ú��D‘´§‡·£«¹×Q¹‰�hPe¤Í2ÙŒ�¯†�€H‡¥â²V ä øÛÝÉ­š²Ü¶œUñ“÷Ù¶ç~~4uúï_E@™4c/Q¯¦ìⵋ Y™âþm– "²ü)ø%m=Ÿc½â$ãoÕVk2ébÄ7öä—
æ|h‚WÐ&^®7Dg—¤â{Uˆ9^ÖËše^Ô\áÅÁ�{RÁh¶—YrºI€óí›æáKDÂ^±”ÎàŠ½d3y”ðoÙdx
Qsi˜LM”úk¢a¬•‚„]XÏ’WA7o›BÖW-©ïÐO²�í-Á0²Sú¹;�³Å“àZâ�ži½Ìµ”5³�ƒ,ÚÃM¸Â:CΔÔ�:Rš™Øò§¥äõT|tª®\ÁR0­Aù€?¶(2/^¤”é`ÏxþØnJ‚æ!¯"´àËR'­Žr©9íªu¾ºÀ\fÔH¥NQüY}YrRÕ×[m[ú>»ú¿~@è²N”Q)ljXlþ‰ûý`c0ÊÔé�îà_àÎÉSÁ„KzŽÏ¤ô“¤ýŠQ5®M¿¤×„!uV»‰×ëþcf¸Ôø9Fš÷Õwº¦”Mi¼Z
-ï‘KËh¾ìG£`öúXwô¶Ræo¸�(öYÃäD‚x¸Š
¸a¯Û×5ÏJNôÈY|ø¾Oi³¿­Ô%¶±®õìÞ»µˆ¢}J2;„6\Çû8::r;ÏyÄ�G«;6À‡é—|~‡��Ÿ!¿#f¸Ê|��î;Ê·Lw÷6Ý22¡¯Ê•ÕLñãblx£¹æÁS±2†Ÿ['�“v—ôP\¶ÒýÕ0A"ÙÐZ„ÿÓëûóÙ¾†¯W€›‰:öùχšs0çÀÆ‚ dGöÌèñd MOmˆ:9"Ó¨Þ¥‡°Y¡A0H›‘è1Û9ðÙLPÇ›lh3V<uÕÝ^•Ÿ:öáÌ&Æ^`¦écóºÁÛw*=>M§-ïîÍ¡?iOä°ÌWj«„øÔà”"†9˄ôu˜&r'o]
‹/šîyqû>Ìz4ú•Ñ�±T Ømõ+:l¦àpm¸¶Æ/°}ïÏ.�òü^‡\¹@”JR–�â9õñÄÚCê{Ï´Â&¯oîr'r�‚Úæ5sÇc7+FlH%И§§Ý:œÂÓV„‰ÝH*¦bjŒ“F�¾(	&p*¢$N’€�…›mø	¦_n«„´#Ýí¤Ø¦È½
-^pn¯Æÿ²8Œo‹¨¨³…ƒOr
-¿@a"y^fJoþiÓù°ûSò�E±cÉs6áŠhf-áL<“×)eø#ÂlãŸþ+ì�¸×˜ýs˽¶9îÌŸ42½ã)5t°€›`ýpüYeÚ2êÁÃô¯Elh1v"„xnÓ¯Jë$0=>�Ù1+#wû&RÌ€IñW¹rd”Þ êΠè^½Ówô9«=þhóËd"·�¶"ÇqÓÕ u$õ	duã:pO®+ÛÅñX–Gï%4í£ÑŸ:¾¥Kˆ­ŒÕûÓû]à챜ÕÖåQ#ñ»%7׎€'Úzô™æ¼Ž<_MNXÿ2ÓÙ»jþTÖDj	Ë1K¥®%Ö—·UWB˜Ü]îáY.;y
)ï})6
ĶÐrsí”�M¹kIY™Y—ñ[L›
-¤ÖS	è Pù6lêÙqZ|칋Hªb¡aá�æ�¡*Ýmæ•Ù
¼g•Ã”¬Ü»8õ ­5ªœ8$¥Ü�}½X9šzÍð(žo\:ö	¤�wŠ[Sq®-Ñ?˜
-,‰è.ÆU7F’«Ï´^|­ðìëáÿM¤‹ŠM'©Jqb©úÍ”¯¢Y³‹^ðùvÔ}r…ûIöUb§Ã‚÷çRŠõµBÔFÞƒKÑ4‰´t
-k2]Ÿá‹Zš¨ïîæè259
‘¾[kUsv÷^‰1ôø¦û³«�éûP¡ðœW>¤�óe:smŒþõ#÷C8]¦åieuº˜Õü9
-Ýìsû‚[VqàÂï®ëLzT�Š­õÁêIëÆÔÝ�ñ¨~÷WdAZeÊñúÙ0“]oy•ŠwâƒØ܆dúÖ<»eÇR¯¢�Ó�z>’¿Ñ>Ýa=F´ÿdêCÆ"fÝ*šýZaå‚ tƒÀaضsF”a|H[bÁV¯a€40ýVF':CÑnsò^¯™É'ñWÒOŒS^ßpí~h!wŽ!¿Š÷»Ö‘¸9à!÷&&»Û\Ë3Ilj®Ö*ùw<a°@ã?Ã/e/{æ,¯i’Þ{MeÁs‹
èñÍšnaÛç_Déù_%o~J(�ê(¦GbRBÎáËýþkÔ‰�Ïx[Ù4uL©MŠÀä°Í™Fžø¥»/³WZ�u&é  ¼r=rÆôr[;	a£˜—’l®jŸtÙF‰{^º¶`ÁÔ_�
-‘H—µÁaSh^™JRèáJÕ¥ÖpÕ®¢�Q!‹ƒÜ€3„ª<¹Ž†ÍØ�Qáá)Ê´cû3$‚$²o‡êXê`Sê!•Ïõ¹x;‚DÇL=� à8LQ¶Øî�—Ã%$¹yŠÒ­o
+è¢p7(š°b\ˆí
kè®uL[± rr_èŽ&P�‹�.jÿá#Ž~+gŸ2;9úŽ×„=ŽtŽ>
d)¿BƒµP³o7Öò®>´Dÿ{…3Ð-Aà�q‡~úÁïêWÔŠ_<�ïúø™Ñu&ò·“ …™�Zâ~¥�’ë&[ä[ð.¤|G˜‰Éâ¿‘FÔMö&
ssoMïœR/[‚1V§T¥{	>Â7ëb�`âŽÚ»�[‹ÄBÒ<c¯©KI;Út²ÊŽpUR:O>áY�èˈץ;•¬û:	ÖÆt^Û›M®Üq0f'Ä|j¡jf«£²’ºXÌg†ó‹Ä'>oeàLôí8N§2–©êÔêwmL+Ùâ¾¼9À]ÓñHlS¤”Ô^ 7hdÚ†išÌO ¸6H¨PÑ1×w ÒT¾ù©½3©t/ê&h¹ŠiffPï
-Æ÷J}¯ÕHXÖ¢J¬heŒñº/½u•f¼ET©q‡?G@á¨<íì¬Zð7±nvZ*….6kï19˜"­r™õXS?ëî¬)«Ág¬'Œ÷¸Øvð
M¹÷*kòM|�ýmë`#åÐú²Æ›31Ï€7mï¾¼¯k`óçÎÊ¡ÛMªžŸCY¯n@QÕò‘»Êq°0R*á;漧hnIÜ©ªÞ´'¼¹Bõà°e€i- C>òޡÙ¦üÍäüA²õWšSuúÛv¥ÑŠ_—\T>t8[jÁ£e·š½‹¿ÔniQZÀo»çµÒfzªwλ½Ï~†\£ÁMfþ4@ô¯™:Ìw3âÓh,FŒ{n©¨ãåàø±c.¢Ó´Æ �°ˆË:Ž>üè¢(´4³ŠuÁ"Û}Sü��ÅÊj›Y¡Ðm:ú–%]ì·{Äw'¡a[ýÐ;b³� o½Ñ^š©:ÎÔ§†LšŠ¾•S)Ló¦å¯V¥¼X8M9ÛE<ć~bÔm¬Ê<áe˜<€çI}xøÓVîH¢9´Â¼~°@ÎìfÛë%�²/v»6<1��-ô£Þ=þ.Q¤€íK^,1ƒ
U½5Ýå¶í$xtžœ¶~£@Pžâl‘¬‰N›^r0õ{¬�Ayy¬‹rÚõçÇ�Ô]š|ZÍ\®'d Îy8£6̃íÿò‡òÿþŸ0·šB ö¦[/Ðê
-endobj
-863 0 obj <<
-/Type /Font
-/Subtype /Type1
-/Encoding 1325 0 R
-/FirstChar 2
-/LastChar 151
-/Widths 1330 0 R
-/BaseFont /PQATHD+NimbusSanL-Regu
-/FontDescriptor 861 0 R
->> endobj
-861 0 obj <<
-/Ascent 712
-/CapHeight 712
-/Descent -213
-/FontName /PQATHD+NimbusSanL-Regu
-/ItalicAngle 0
-/StemV 85
-/XHeight 523
-/FontBBox [-174 -285 1001 953]
-/Flags 4
-/CharSet (/fi/quoteright/parenleft/parenright/comma/hyphen/period/zero/one/two/three/five/nine/colon/semicolon/A/B/C/D/F/G/I/N/P/R/S/T/U/W/quoteleft/a/b/c/d/e/f/g/h/i/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/quotedblright/emdash)
-/FontFile 862 0 R
->> endobj
-1330 0 obj
-[500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 222 333 333 0 0 278 333 278 0 556 556 556 556 0 556 0 0 0 556 278 278 0 0 0 0 0 667 667 722 722 0 611 778 0 278 0 0 0 0 722 0 667 0 722 667 611 722 0 944 0 0 0 0 0 0 0 0 222 556 556 500 556 556 278 556 556 222 0 500 222 833 556 556 556 556 333 500 278 556 500 722 500 500 500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 333 0 0 1000 ]
-endobj
-727 0 obj <<
-/Length1 1624
-/Length2 6416
-/Length3 532
-/Length 7273      
-/Filter /FlateDecode
->>
-stream
-xÚíteT”ÿÖ6ˆJHKKÝ0„Hw+%ÒÃ
-ð
-†ÀÑn€-€ýu
-h
-óø7VW4‚üéo²¿cÐM9àv7-á
-zcþ
{f;—ÿá_nó÷Øoõ'rA-M­g††¼ÿn·þÑÔ½™
Ì3$ðÜi!lþyøÍ£¨ˆpxñ‹	
ø…‰ÄE�
-Œ°ù=3úÜæfÌþ)ø
ƒ]P¨›îþ¹ù7Iÿãügà!w˜`þ,ì�š‘†©¢ÎîU6ëîÂéAÕ>ËÏó¯@tø¥†¯I”Y]U†Ô½“üõÖcfùsS“gk°“
-ÆÙ‘9Ê¥÷aåîÊ#[æhyÄ»(hQD”v`íõyúÉêmS1 áÖú¨ÞS‹Â«»ïZDPxŸÏ¹ýY]óü)ØÎ�Ä¾à”š”­¤uXäU¯÷8wÏÏ8{‡úû:¾ÜéÚ|Àûê>»”ëm"Ž(çWäL
ʼ"ØdU†FÈî™'*¼cYô"ò�p•ÀfZÕË9%›,a„U$ÇG®ÝÇ•%5ÖájTp‚ŶF
-2õŸñV
-Ÿr9
-Si-“%�Œý‹ÅäXð&°U*DæÈ¿eªié` ŠÚ1²Ž¡pv7!
´¢hZÜ¡T´Õ5�UÖžV)]§/‰Òèþj¡i—uT÷èQ]sùRP¹þ³2¼ÖÐt
Rú�†ZòsvFúYcà T'Á™mÎÏž:Ú¤ø˜’%ª†›#Ü£¨׈Ïß
½õž&­ŒÀƒ•¿î;>¯e±ÓM«lZœ²òœ”Åò5µ´$ü þ®¹¥­BË4áðe-ë%ÕÕågÊ%!åGZž6þ骅Ä!”§aJhà^ B*9’=�Ã6‘,ºeǭņÜS©u ¤u7uné5}¸9K[ÅàÓÁ‘Þ¨ª¥}Aëq´ÏuKK´¢s›?á/ŠÐ:oÕ“6“[ï
-‚ær�/ˆ<$üÎcâlÓF2Ë8S$ÞVÈ,åÎë®kSLÆçŠ}Ÿèæ¡fJòb\èr‚K2Ü‚õkh$ó�'ðÃ	™<B±[žZé—÷u^[ß­y)�¨»åjT‹ÎWº<²«ªº­Oæì-)ïA¸-²}ï¾4iöÄ]šNd±þÑÚ^`„²f›FÅqO*ða÷1û¬¤´HƒÚwÑIÐÍÑq¶Cë§�ög,KºFT¸¿Ë¹IÙš®ß7…”×QCÒè™Xy嵇Ý!‰ÜÝGùB,³²rß´¶Ðô}�£Š~µÁÞP±gÌ`„ñ{w]»…<T[ê{e·šv‹t)§>8Iþ¹&!§&÷‘`'={¼T¯´¶Rpc¬>h¡æj³ŠiE!È?×á3/¡îp�ƒ¡�dUK„b$U©­þ½ÜÁ—!íêmˆ2ÚaÜ‹§x¸³eÒ{ž'‹ÐLužµÆÈC/±‡Ý«ü‘nþèÎ㺌úe3áê%o�É¢ChÌ’’ñ³ñlƒ—õqΩ	¿ 6wŸš•j›
-“Hûâza]âaèÍJå}Ô©/¢~·–ª@ç›ûÂã�gàäZuÓð¹24f3dOy\—‚—0¸‘—–I³#ðpÅ8ê�a D›¤;½ta0fîÍÈ>›�’¨Pâm%¬è$yß±
-qÓØ ö—X#äÃkÑ”ã«Þ	¤zë7u�† š`+Z.þüà…¹¯H™½á”Ï´ˆ=šB´Id
ÁÓ…æsó�T§­ô)ì·’%6·R
—V¶�U‡Ø夔e-­+ãZ’4ÓÓ×8¹´áëF\¯¼A¯¼?5äMV÷’_Ÿæöe‰³À‡©å!´NSt3ööŽ‹=žef�Ý)å±Ä}n4÷�Ž¼2ÄNh%*¡Ö9�Õrv&¸ðmrßß÷<Þ
-‡È)Ö.Y'´„×ìçêk&“*Å–"¢ö{™†b‹Þ[OAF1ýØŸûXâèòÄ–5¾%Üõ?5_xÑæµb·;Ò°¦ì ÞŸ£žw–ë­TÍšÓ%žM1¦?0ÞgÈ%üÐ
-´‚ó]Ut§cúá9þü�æY�ó.ã‰v#	ŸÉÊ"ΧÙù¼ãWLsQÙݺqÌŒ ´Otü³¦i\]•¢ÜHÊ|l–mê„WåǼ[}zÍuÏ[S–ÚñY$ãÉ–ñ-Ÿ¸<ÏX&A´›¿ë®îP‘8üŠ¯#š—‘Àõ<!9rêÀgéó|aÿ�ÔAyUŸ_êÂßc6rŽÊhé˜ð**ïn¬$?â5þ±Î{¨òÉÛ:Cd.øIª•l/ËxØz49\øöÓ–84•tCsT3†µ{ü	<Ð'S’"ol8ÕñðŒ¦:?Eïb²xõ@Žš¢º�÷Ë‘\‹áþ=jγûeZýÉÆ}²?‹1ˆŒP»ŸÎ½K‡ßÆûÃõ²gr¤c�îËc×ëëÙÕ÷TcŒ©ÆüuŠk:#ûYXvöW`s*ØN2�µ$ú–Ø´¹U=€™ÔÇSûõ%-?¡/‹23ßíCMºk‘º®¸õ”èc-ãyëR%Åõ„³«°;gÜTDöÀÀhÿ1Ò„:ñº—À×&�GÍYôxû³4†.òpõj–9…¤eÍÚ­Øùás|õ|
ÞÔPgÁ€5qÝ&ªõžN0·&½nº)·e±34s¾£€ÝÀ1‰ûlƺěY;|éø—xAmÆÎÈ
|4\}ÒÙÓ´7S8]z±Ÿlüø6×G»OIåÐ!�$Žäz‚Ñ…ÑÏ{…£OI¾õš-—ÔRQÑTµÙsWpd)ÄÈ´MåÛ¥ž^º<E^™H¦lÉ™Ë^±sô®ä“±ŒÂô°«Ä(ן¼(Ç»Tî4̇ÑJ}RÇ¿½l±*[]D¡�àØs|ÕõêmØY~]¥äž|ñ†…ÚÖœûÙ‹¤0ïUCô3¹‹|À
-‚Üð¸]IC~Ïè”=¶´ëZ˵R�-÷±Cu¼ôýãwô5);†¨­†™»½z4DŠŸ—12^l»ßÊìäZTs;@ƒ‡|íì­4Þ‘¥¨PX/é·îðk1«}ʼŸKI„]J�r&-ëÐK©–´�S\”_>y]ÎÙÊ'œ§Ž¨ëž…±>µ‡Ï¬{¨5Ë÷<\9²
-q‹“F{Š‘xqºµÚ™¢Kï»[fµ
Ss
;«N£:á{Í®�Õ”5€ŒéôÌaïžZ\g¼,/¶|¤‹Ý“õc·Ó)ûà
-éè÷cy~x_ç’Ï›ÚlCŽ¥íç&+JÉoK>§~PY“Y–¬‹�Œ'êx¥:²­!‡&µíšÕãiXG”€¥¦[ãZJ÷íðFìÚSôŽ¨/®$ R¨CòMÙ mÆKñø+Zšä‚ïÛ~%|^…Ü1âP—9ç&/¾â€—rŽÌþ½ý¶]¿oØ”}DÒY¨¯¯EñpÌ&·Fd�¡­wh”cXÓ·±$êì7¹]¦K|=™.	èªK!µ$*íOí/
jfݲ“˜K™¼Â%G3J�Ññ}r=¶½ñ�fMƒŸÍ»?
z1_;1ÈZZ ­taN^Þ¹ÌM°ãÊÚcnwCÅwaçu©Û]\Ç9!^ÀåŒ)PÍ]hß¹ˆOëÐq^?‹ò¬2R`8
-r7Crµe)„@”™~ºw4¸˜½ft_戴ý_ʵkgLßq¯ã¨ßýÆb¶Q÷Ëoí㧗çPô£IÙ�7=üüåUÝb‚o’ª™Ò$œ³[Êy=_]Ös‡*(EFŸ·8Ÿ/8up\+Š³Bòïûåq¸ÇJ}H˜«ÛÞßLN0<ÖQ‹Ò÷‰`§“rÒÑK÷•™•{%e(cKèÞ@ÞΗyħÓ�I8×+^ºBËÌç8]øÓûø£ô°†¸,G']/?_f`ÈêL£GWîrÃ_³8�ÝWï7+pµ$ŸFQêMPÅ�§
5»Øˆ݅é3ëïâÝ
Eƒ˜�_P
ÆôMG6Ÿ�/÷‡�®r$‹í5/®VühÉð?='?yZÏ«ú5xzÞÃ&£²QŽ,yO>g(TÓ[sÌÛ�~ŸéÊe˜-³x²’~6ØÊZõ™ºT²íŽº©1TÂ^
-êEJGÏ£r+Ö
-wñrûn˜ç°ó†‹]Mˆ“n“c°ÏwÙß�UsÛ»"fV¶7ýÌš
äšôW5&[Æ&V!v±oß9´AA®C?š.2yè»ÁjVäô„
-J�nbÊÄ它+·Â`$úÑØViá'Ã'»²�g+€³n�Ñ©ÏÌÓ$v=Ëm¤ô
Üc{d¥ÍñU
-áÊ”û_Ä\Ð)‰*õ!´ø˜/|b§¢û5pظúŠ®wÂĽKB%Ó£³‹Ç½Z,wC)G÷-7;Ç]|¸ج
Ô>x€™îS.áê•p�ÊÚòà¨ï¤äƒÙY|äµ	8ðD.;qÐÛeͦÂ
-¹-gðÊ°Gül�èëê)0â*þÞRþØònTõœõ}J|¹W`‹ÇUc0æû$TÇÓžŒ$,îD‰[£¶%L‚ßúüä1ûÊ”*’Z”…Fßϲ®á±a|Ó
-qj‹ÂkZŒMšpïq­¤«Úê
Ng¿W¡•hœ;bÇ+R­¿ÞO+þ�‚¡šá Ô4
Íó
§Â—aâtÞ™Ÿ+ÎÞ¿N*~˜%'ðÁΙ¶&[ˆbÁÏ6–G6wÜàÛÔ?áúœan@ÿym˘
Û€’Œ—îzÑË¢z~D’åì’�ÈÙõ¦·ãËó0šÄ&²ž›‘Éý˦È%£.F%â~*ð(
-pì4`Ð"6H#ƒéíû)?/ïCC¾)¨ç]‡œèJõr~[Ejq/?Vö(M,‰šÜd{sSø¬ÍrsÃ@‘:
ò´
-Y6ë-¸ëdgéÓ÷ÝÆ#ç»u�~7½ü¶§…YÒô3‰laï—œ�§~ž&Ìú®—š‘µ2mzm)!ÙÒÃ+qt—j¹»p¬íi¹¤z%Öj"ï«õñAøÊBo³$?hù2XèÔvožÒ¾Lÿ Ø(¾S®éÃÖ³'›#m0zmâ<ÀM¸ÎUi¯jí2h¸ŽYVUU¥da�{
-endstream
-endobj
-728 0 obj <<
-/Type /Font
-/Subtype /Type1
-/Encoding 1325 0 R
-/FirstChar 97
-/LastChar 122
-/Widths 1331 0 R
-/BaseFont /MJMTVV+NimbusMonL-BoldObli
-/FontDescriptor 726 0 R
->> endobj
-726 0 obj <<
-/Ascent 624
-/CapHeight 552
-/Descent -126
-/FontName /MJMTVV+NimbusMonL-BoldObli
-/ItalicAngle -12
-/StemV 103
-/XHeight 439
-/FontBBox [-61 -278 840 871]
-/Flags 4
-/CharSet (/a/c/d/e/h/i/l/m/n/o/r/s/t/v/w/z)
-/FontFile 727 0 R
->> endobj
-1331 0 obj
-[600 0 600 600 600 0 0 600 600 0 0 600 600 600 600 0 0 600 600 600 0 600 600 0 0 600 ]
-endobj
-717 0 obj <<
-/Length1 1630
-/Length2 7779
-/Length3 532
-/Length 8652      
-/Filter /FlateDecode
->>
-stream
-xÚíwePœÝ².î<XÜ	îîî—
l† \Cp×`Á‚[ 	.A†`	.Á	�à\.ÉwöÞ§¾»�³ݺS5Sïê§ûéîõôZõ3½®
·œ=Ĥq÷äæãáhƒÝl½àZwMn}�£—Ž­+ð
-(è蚪i«
-ÐõzhÅ 	¶¹ÃAì
-uõý
ùãõÏÀžp�«ÿCN;χ܎`wœ§¿‡EÍÝ
àãýËnïýæ
‚ýÙ ¶ß3ÃþPÐâîê°9à<Õ†x>¤°ýÏTæùωü�ø?"ðDÞÿ�¸×è¿âÿíyþ;µ²—««6Ðía
-º�]}ÿMàß�Aû_|‡Õ<�›"çîø 7?ï_f0\ì²×{Ú9
€®{öÇnän‚¹‚ÝAÚþÙÖ‡ ^Þ¿a†N`;÷ß"ý�Üíÿ^þƒ\Š*oªf¦ ÊùïnØ?žº“àiè
þ+�±ÄþŸ‹ß<òò€·0€›_@ ""åãø7ÿÐðýk­ô„�}
-`¼Äq²A˜ºsÖ‘­x
Eö¶ÒÇ¥ŠL²­å¹šÜ+šö¯%°üÁÖ’&jÓò7àÏ¿Z3‹†‹²Ÿ6V"ˆI…ÉáÚE$©×1Íxꇶ.…Q¿ªïô�a§ÉÜ”Ï
-Êl4¦?cßpèNlùé6˜@t+o…¦å¶€cÀ/w2�=MÂ%K‘­�õõüûv ‘òO®¢/Òµ¬‘Iõݾ[ŸpÁ“ë'oÞÎ|ÅF?éÅ&ÞÃg¥;[ö¿Œ¾°ÀPãûŒù1÷|äþ=�³´-‹•H�æQk&tìã$<>ÏhݦY«†)ÛùÎÇ¿Ñ5ž‡éÛYlÅž»JL‘úÓ†x,LˆÑ¨ÍŽ¬Ø—)HEhP|pë� _$[äë"6*!¶(•´£\ªOÈM«®ÚÈùnÙ
-gšs»~“©¹€8Æ஺|ÿHf!Í)/Üü¨/ÒÀq ?.-0Hbl^{g¶©7Œ%ää)£Kýg!ns*ÃÜkØq©m8Ò$9	»4ñžÎâ–””\$=2¤`R©2~Ûœ£U1xÚAäaR|]…¥‚U:Õ2Á±E›í^´JÕÈËrí4õ»I}\¬F†�R´”‹c8°¬%ã„ž¬ûžcT»;±&±R_¦´‹{½9ƒó(¥œg“>¶&Ä®J8?´²
”?~�¼Î5‹,ñï­)¬%O­\'»ÙÏîð£[®H$¦è¸B§¾ˆþ
-y¿Ÿ-@ë‘¿\Ÿ
--*K
™Z7âÀrK!ËPѸ‰„œ="Rù‰aÉû6ì–4EFƒh˜ˆ{K
-Ð_®PÔâ÷fnJÖ1€nwËà8DÑ!¨tÎŽÊa›/ÎCZŸF4òŽïN^‚+Ùœ“&Lým¨/”lÏ=L:;ªÅ›Ó_}ƒÛ”÷|RÀk±i8Øôÿü¶O¶aEÏÑÕRLÞG!¹¶[±w2…w	o¿Ž1Ÿ|ž°ª@u.Rô¦çÖm­Æ¬[؇¬”Ǿ
-‚×ñœE¼™
-§K€v”ke�À}Ât—�/XÕäIöT†h;æX'zªPsFÿÁI݈¹ÿ«ô™u~Ò5Ú·hGåÉæ­ÅœÐ3›)áaÂéÝ•䶹ýA�Ú© ‰yâm)ÕÇÙµÕú¯.›¾›þH¸Ê >ª™�‚¡;]j™è™4�k`3xvwmoíø6¼»Ð£Œ� á´
-_3š>k§( /ƒ	Y_²Z^åldÄŽ*7.„•á·ØV‹7fÉðýù½Æ´ºÌ×”È\b}]àÞå‚`Ú(·�šøÁ�º!øØ�µßBl&4sÊä‹l Ûø3c¾¡a
Ee¿•Æ€À¡ÐmAlwx�¢“Oc+u5Â!tí”q¡ü3
-GÒDh&Mr/7m“ç(þŸò!KÏ9ʬ/ï0
Wš¶g”›­âêçh:U£;ÓòÚË­t玿Mžr¬7ð}¿`[)–óuéxµÈ?sÐ<Ž?Æ{6\+SEã9>öĹº]Æã/3ú¨“hƒ‰Æ*Û�g6_“¾M@Îdøì£[„M™Í�õ±¼ûמê(òs§cÝç…åÃgùï¿ZŸ^ü”øÔõ6ö¦'Ö¤í&¼ø\¾l÷ùÙ;wÒÃ9�³N2ÆÑv;�ÉìÑ©„5WÊú’=µÏ¢ªF0€[ï ¨S \=ú&‹â©GW¦$¾%“W/'ù°2î7¡É¦/GBÏ'8±
z ˆÑ�Þ8·3û{hÌà¦Möa
-¾Þ¦>lÜ<íYá¥GX.Ùœ€ë­{Ã/>êM¤/¸™§tãº�?¦M\'o-�dW£ð«VÆ…n¯*i–\fýF}Ò
-¤e+GÖë¯:§Ô!© [aR 9fdƒh#!æ±r•9üBr^f›äÙbtŒ=§°LPAÕlGQâtR´æ‰-2ù6‰0£“˜o0¢Ä¨„Ý¢Ü$8¾´û‘ÚI„•Â.ÛÌA5GÜU°À‘Çk
Å‚žD4W¼ù®ph3l�ƒ‹œd걶r6äOÅK:ò*¼ÀÆåŽ;t“C<¸b@'Àà‹6»hàOú‰åìB냺a2Q·1Þ·ƒ”ˆ"1Ìú¬Èx¨(×Ç›‹Ôý]ò`obG´Çã=>Zy4Ÿìíæ)Û±ŒÆø8“ª�ÓÊgç“GeîÊ‚	Š?60ô=!Ò[ž‰Â„‹“rÔä¼XqV¢ä÷tv^dŸ�:¨*{ ¿®ÍN	B�~}ÌNÀ;)I¬Nƒc0Q8_1–úã5¿:©—iɃŽvB8FPv¢P/w<‡¼ÿ¥²Ê³öL–dþ‚Š¥Žò/Ž„zÛ�^_µ°òt®
úØîR½šöß÷3lFÑcÐÎ1”ƒ7F&wI—çtÌpCÐ&&ó­ùêÓ\ZŒ˜¬íÏ–Í]j‰»hhö=d–ë	¶…^q–º§‰ªU-¿“bì#yàà¥õbm>6¸äåýl‚}�ߪCij¾NéY?×qú‹{¡-ªxîy˜KHÅ-x¡!Åw`-(ý#"£7Ã?õDS©º8½l3BaËì0
-^²íöû´÷[¤Ñ¼4ºˆ×ÑǼ­ý{|7l)[Hoï�MBuŒ
{U´\:_é3sPþÚMÀu'1šJu®%¹"|¡Xg‹%ZoW¹N�ͪk+Ðy&DÂ%é–¶ì»Ý
Ì×—oÂœ+Ø*åR6º²>ò³ëÅe]F°® ¡OÕ“’Q¼½ÿ
-î_ðQñľ¢õï¦ÒlÔ&
-ò¢NMõ'ŸÜªÒôÂÃúIIBrcv—¹-BO¹8.
©Ó¦.ß^šO·ä¬¯aæ0\û¸M#�]ÊiYûFÚ½·ÍÌú<µ¾=�vùΞ”^dƒ%1.HEwœ˜rÏéc-«xTÐ]Å712û¥y‡â4	ïßÇ>žG`˜¨_›¶s¸6­ö	S„.á`?bE=}Î�/=M³‹¦¿€Jÿªî9ÆäœÀƒ	¦âÂ苉{Ñ#EÝÖ÷àmù–ñ=]fï�+±"ÿ–CúZµ«†åÝÇTªØȉG=ÉfÕÓNk¼ó3
Ùx¢fÛû?ÆK£Ç�œÙhÉÝ”‚°¾¿ºÑ³–Š1$à`²ÍnUh+jXwqæF0ˆ¼›²–'·½LÐts:)x¤oV뀢
-Ìg�÷¸²¶_-j۽̆¦g•d=‹?zAØ36}\’Šµ5»T7“;’Á£Š*½|Ní½–†à	ò-jSYÓYxxéš‹îûKI”쯙wOkÏ…ºÕ�tÐL¬�.8
r‚¶åIj•Œ·ƒ“7’¥÷ËÙÕ˜™ÃÈÀ§ì²¶`¼1pÜ
-ÞÏ!Úì:Ý€É!íýŒœ;–ïÙvŒµ�‡J‚•¨ûBkŽ‹8Ö(HÛp šú”¡î³2e^›‚;û˜ä1ƒBwm
C³'?EbáýJ•@:“¸?þ7¹–äfz—¬zk&Û—Eòìx‡ŸHWßuJ6̸m~_Å•×ô_À‡²“ÐX�£ùOÚ¾Az2Æç,~Õr‹m•A54J
"å’\�ÜZL½eÆ𸭡ðíØh(¤*9»Ïë”ߪ8gµ½£GzçäHtèÛJñH¯/X¤ÐPk‹ãÉžms•ò·�²—WÚ:A—¦©f]�´ô
¿-Tg›bEÉÓÔ6Š9Q4´^�T>– iæ‰*S¹xŸõêÃ×ëØ*6>hðôm˜ÎèÓÏñ²u;?ÍÕmæ“‚]¸*ýƵ.KfŠC¦ÇDª°ȶ“f½A·2Ÿo‡ÈM«HÔš	v-5
-¹:±»Z—‚~~™	
-Vœ^�&4/Kè%aØ
-Sq°ž:ä…Ï	¥ÙŸ¿m<±ü§8’ÖXl—qeØûv)
-‰uµâ>¬\&rêƒ_À�&ÈŒ-Çœ[ƒJ°?LM+bKÒ-¬¹àn²jò	㶊°Òr,Å|²�Sne�óS›œ{

dàðTÂ)h¦Å~$\f<JëY£¿‘cpxož&œCÜO—¥+°·uÌ
ü ?…,ØÒrLóJç—e.AŠ¦˜Ð²Í#õ½½þ~…{v<ŽºÏSó»c½ì>5¯„2Z^òz4³8¿
-ŠúÔ¥”Ù‚{èL¹™BòR²¾Zû%‰íMð‰éG\ÕÈ„ó¬¬F^Ú§[„ºIö”ÂËj)4€q'VãM·çnó]oß%SXèü	M¼•– ¦·8Þ‹DÝ4V§…q6ubhM1(n^ò\˜ñaB'3¥ºš9q�³C0S:’bÐL¼‘é¡‚3¨­Ø¯‰OϯvxµU2Òê_Üé�Çݲ×õ=±H•”C[÷?˜rÀ(w:‹ÀML˜“´rQ•Ú48lE¨éÃjhò‰l_ÓÓaÔÕÒÇl¶z£¨Šfæ¢Yì% ˆøwÝ‡Zñ“W§¬éj§‹A².1ƒ:îÎÂ/úK_.C…²ðÜ�ß‘…ìg\úš¬Ž]´«‹M#·
-FÞ*L¾q]j™¡_"ÁHGÖF)ÜjJûÁj¡�myð¹êŒ^BÓ{Æ
WÑp£Â¿fÝå\­>XZòÉ)wŠÕµúÏþgêªÐ'_”.­?˜¡�{`ã%g'¼Þ”)–y¡ùñ�„ˈªõÛÏ¡Ù�^5åuÚ“˜GrMÄ2Ðk¬ªa©¹²�”f/®æ\r®¢5œÉ_ñÚ:µ-NØ�<;§ÕºŽNqDëmO&É‘Œ
-{æô�¡ÌÝxÈG¤¸ki•zÁ;þª
]…þ_QËâO—Ž
->ë"Ｇçe6#‡ºö~š!&š½v	tVaî”&@µNóÐìyÜ8öë’ê‡û	Îk1[°è©s4×2·=‡÷_j.b¹G>ÞÒ»ô´¿õWHP€DFàÐGu�ðP£v=M)žî_yNwë¯
'tX�C:f–sÑ”Ü,þÕçðe"J’·x[W½(äƒ	íÉÅÜLTG;ó…ƒùÂMŽqIÖÆÜà[¡óÿ¡�
-ŒS0hn¡5ë—©}äÝ_ÏZÝ�AÝuK0yŠ‚º†
¿«Âî:ÙürbèÍ+Ù¬lÓ“W~¤áR7vŒ6ÿAï9ÑØÎf$Á”0ƒ$’£9ŽR´í1Ø{2î>–+¿ÇEU›‰@Ñ5%a…úÉ�5
-Q˜yöð-û—0<$œ_vx.4�6ºGÙ-Ü,wèð/To³='m›4j–ýÕ2|¿’×N«Zša¿-dÙéоپ†S~ßÑM
|g
-ñ5ñ¶<vObÄ¥\С'ìMôBò
;z‰Ç†6—
-e!te>oP]}ÌyJMÑÁâA˜ŽYé櫱d~…Yï=¶’®Zý⛃b�Ïô‡4þw=SÛÅ’ÓoL�¢ó(¤‰·»ªâ~h(dMösGxœrëÙßXUð¼6
Ö¢2ì!´‚66µŠ’Ó}ÙYÉèž™‹»Wûô‰ÓguÔ£õ€ÐÇæ ¬µ1"í�À€d´ÊF¯3 fþåð Å``T‰•Z»7ÝùÉPx³CÚBîª>^û²Päñ ô›!$ûÄñµtë�È3X™þs£luB†MÏìè,„<<|ŒÁ½¿1ð‹”qè¯à[ŽèYj‰ägcÍ°$8dW_SS†y×leðú®gÕ—øL`¾ÒípŸ)+8Ó>ášå#™nà'aå[zÆÔ\€ñ3ÿ~è{Ó…cœC%ÎIžc½-ã�ÐÒPtâ샽C?Cúy-Ö&(QhO¥áÒ7&tŽA
-Ìã½çëD|†ÝÆl]HÓ!:±Ëõm’tnÒsªFÇÆ©WCp6«#•…Ù!7Ÿ¾p4‰ìU¯HtçS6h¾�§.p¶ÉWEI�‰›>9�ß
-�F®5úþÙkàIÃË÷¨D
¨v�uQæ+T×7.ªþôY´œmm»BüÒ	3Øõ4_Á˜ºE:ãº\üýUuyŽ�Ãd¨KŽçÛ®ÏÞ|FÉøŽðÖg<{2†{ŠÚ¢ñ-*ûNî¹�1ªÄç÷òðbÂ%.þê]¯�v.~a;줫ÍÔ*A�èn>–
¿…Hï«hÂk‡ûïG�0^v1qËÇ%V©ò(ñH$gì
±ù»Õ41=Gã]RÅÂð|ìã姰֣O§Ë<×ð³B¬™‚qš�ÎoÌ[ùëQ©¶BYHUOf¡¦k™§äÇÜÉ£ãØD§®Va§9¢w*V¹ç¬FdßDÏT¨Ó‹�lİdõ„Þnêôk¸ìçn¿
-­r
-îaf^õ6¾%ÍÙùõ…³,ìe82OZÂé36ÅúcÞó´Îê’÷JsÛÕú!²ÕriÑ;Mæ$qÙÊdñ­Df¯Döb
-Ç·ì™eB˜�|Øò„ùûárJ¾áZù	ÚOz0$b/Hõ¢¼ÄxA(ŽÉψbŸnYEýüªþ�ĽíœtA@ÃdW6ñ‡LÖþ¼ó†Þ+b‰ÄthˆÁžHk×se7%í“ 2e3xäÓÔÈ$?“æƒ�ÅKã׺·Ã!‚8Î)ƒ
-¾˜»ix½'/F¦—Ÿ}ÊH’A¶$p cê	£±«‹X\¼DB˜u4c*HÝ}¼YR�kÍgƒ˜#A)“®Á¦ÅÅßyÿ—œÿOðÿ��+ó„¸
a.8ÿ\,¦âendstream
-endobj
-718 0 obj <<
-/Type /Font
-/Subtype /Type1
-/Encoding 1325 0 R
-/FirstChar 45
-/LastChar 122
-/Widths 1332 0 R
-/BaseFont /BYIZCH+NimbusMonL-ReguObli
-/FontDescriptor 716 0 R
->> endobj
-716 0 obj <<
-/Ascent 625
-/CapHeight 557
-/Descent -147
-/FontName /BYIZCH+NimbusMonL-ReguObli
-/ItalicAngle -12
-/StemV 43
-/XHeight 426
-/FontBBox [-61 -237 774 811]
-/Flags 4
-/CharSet (/hyphen/a/c/d/e/f/g/h/i/k/l/m/n/o/p/q/r/s/t/u/v/x/y/z)
-/FontFile 717 0 R
->> endobj
-1332 0 obj
-[600 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 600 0 600 600 600 600 600 600 600 0 600 600 600 600 600 600 600 600 600 600 600 600 0 600 600 600 ]
-endobj
-645 0 obj <<
-/Length1 1630
-/Length2 15731
-/Length3 532
-/Length 16611     
-/Filter /FlateDecode
->>
-stream
-xÚí¹UT¤]“%Œ»kቻ;îîîNâZ¸»»;…»»»;…»Z¸ÃÔûõt÷¬ž¹šé«ýy“ω±#Nì8çY¹’œXQ…^ÈÔÞØLÜÞÎ…ž™�‰ ¦¬¡hdccd
-´—¥W¶·5ü5³Ã‘“‹8™¹
-rp²ÿëaûûK¦hïìâlâtp
üͪ(*þouºX¹ü“ÛøØ›ÿõ4µ7qýgKÿÂþÒüE]Œ€vÎ
-±ªVõ¶ý^Nc_ñõiÜ�¬æ§•Q¿ÑŠÔ+«ñïP�Y
ŸÌôZ#Ûõ½¼6SºßS7Cç0ÂþD¶X>ªO¯Æ¶aÕl¾JüÁøÒŠuwßùöüh¨ÁŽ7n-	ª}»›ËÏì¯ò[ùwµ gïèÕËä‡× †¸ºŽïÛ­�IZR
» ˜Yâu#1¯›t,’‹¤×CMMW•M�¬îÓ–$�IÁ]•Ð}}™ß×(+�X{—üÓHï=s]Ô�½í<›Øáb57U
‘Ct¸¹# ¹@
²KCúFúØì¸5Ö0ë
-ƒŽÊ©ˆtÝÊNõ‹æíùu§TþÝ4F¯ä‚™ϸý§:Ù0Ìîz2.‡8Á¤¥"ð�@b¹ð:Í(o`Ô¿kM.Z’#ï£2GYŠ
nplwÌÙm݆øf[8³")Ý-Ì>ØÐÀ"¤¹ú,�ï6çš#±VEÿú4Í ÙTÙ	ƒ˜êççX}×¹�F; yhȱ½ýx˜!:Á<œ?-p©yó�>sd³aEG2 ‰iħØä¢_,Ì:ý¡ÒI“
-Èú€èç“.ª¡Ü^ó!Ozü(~”@½ð¤Ê¨JïŽ	÷(ù)I¡É’!Ë[í¿7O’0	™(Öê/Êó#?ŸòtssÕï“wÏgWWÂù;í
-ivPS“
ÙL+¥6º:]ø¹à s¡†U²;nü[Þþ¥ºÈ…\F˜+6ØU«Iæ´ÿµ´*mg_^ú3Q;.~ÄHB/׌0w=>>b¦u¨„Ê>D_×$,?z^ŽÄ'dð�1QèQïþ®Ä‡:RdDc]ØS
-y­)øM˯ìý>z¦ÓÁ‘,£¸º!6ãã
-d-ãµ!2AnXî}uM#Ek}ÚÛÀ£>ñ´0¥š¥b˜)£9Ëà_dö%ÐþÄd'~}?
-<$Œ^ƒ™yJŠ³Þ·|f¯¡_XÍé65È‹‡xȳT#¢Ê›c˜Fn²äjvb¡"£Dñuô‰ŽÔ7pô¨Þ3kµ¢ÃgnI\H�ý•ŽxÅaÙvè#Ýü½ä®ªª	Å9ñD“‹.š¾S2Àôõî”a½)m¾Úò~€ûó …â#_ôI\§êë•/»šžÇ¬"ñI4/á°ø¹;øë3  ËÍÄõ?X"M4Óþ0ÿÔžóë:i·áèÿ„X
µOTª—‚ wgÞZ%•ùÂkéúq¬4Ò7&Võ1;»:牦¯NªÞºŠÃ™5ÛUÆTŠ1 þäX›V­!ó™!*N4�3cÅß^uu”ûZ¹b«îÖÀì䱇R©ù)sÈ3:ð¸$®ÃÜ}þUœEc—Ìuø
-ÌŠÚø,Å@Hˆ¹´z$¦“¢Rõ„¾®û£6pzñŸZTyûÈ2(†4–²7h®GœÅ‰Ý?5ëË€ 7m›TÞQ¤‚+̇�ßG.¬¿sŸ‘7¢ÉnYFV³œÜÛQ$yÄE%û²±Q´…P”‡¹°Ý�Üï…Žžbÿ	_0}}rÅZ¥¶	š¦K.…¢ÌUkÎÖ »iÖý	MÒwÎûÃä˜‚ÊPÁ„Ð’
-ÒÀ^Ò6¾©Þ°´äÀÏqTÑíö® çŸ$@ÆOo‰…¿§ dêVMäáêh‘´B
-ODµóš\ÕåQÝ¥Út‰f»G	û*NèlÂò�;Ö× y<n‘G£4°»HÆßyᆣ§…‘ÙÊF-x/þ	%³ znj·<Ÿè„­÷ô
í	‰ª	šR˜*¯xM®Ì6`C¨€qÑÂzýÖóçÑú;þ¨#f\êŠ��³pÉôâˆ9£ö…¿4ðÕ«är	ã%�MKÂê·³©3[¯ïm©ð–J)”úகç'ï”oéa} “S\±Š£zÿGtÀàØ
-�µùœw¡ƒ Ì´ç+;ž"¶ë¦Ñ?doû‘ööb"!äMeßÙ°°XƒÛ"b±-`OX‹1Õ�û_µ²F„«WaŸï£˜@p+ëakqÛ€ŸÐˆnYôbôóºL¨�RÌaóå Çfh#-!”„pe·EŸ¥ìªäÂh��-lS–Úq•—;`âB=)vÎ?{w
Ùh`U“m1Q2X—Y˜õœj‡ú[µ®æ4öZ$DT›ß°Ó5'B~´)2Ï#*�pãŠCñ}t¬Akª#òô%ä`)~¨ä½{�ZXܱÄÃÇ’@K'‚Ú3Œ…¯�QÄüäYÁE›kÔïœÖ€w»îTð³'aH»xÙ^ôÃÛ²ö³›úRÆŽæl帘k%Ǧ‹ÀŽ¬ßkN¶óš×„~Yy¬Öåwã;™¾ex±xª}Î�fÖ†'ñg%·”Kkø“
-ü…ä”÷FT‹K¨âŸ‚øŠRʲŽ[	Ž�_n™N>ßÎ2rWìÐc”r…£ã‘mµ%Ç}6	Z_æ6?ë¦VS¡|Y=!j­¬å ÎÿùPÔ¶ÌÅì€Íˆëb޸ʮòu[É¢Ü%f)0ÅÊE�6¾7�ô§N«E[.©ß<¼ÆÓ,
-ë®o|:o•ÚœÅSŠ%)Õ}ø=™)WÜÔµÑ;¦Í“Øøæ�“úm±a
εVsJvö@K£áûç(BÂ^àwðg�®Ð‰'cÃfBÇ…¼"(Q
¦î†÷´sø¬kÿåõƒk¤3N}óx=©ZÍg´¼˜ù?¯…šÉ€—\E¢ŒíoAËLÕ‡õ©Û¹FCcËo÷³¸Ïá€Ò‘îÚ~ÿü…On4G!>Ü-[·,3!E‚VQ¥H¤HÿÇ°
-+¢±�'£ë(‘gå]h’
v–i`PÚEÞ…W‰¨¹úmõ'>Më³&#kÃ^z’0†i¹"Qrå>+o
’BP,ºðü R¥ ¯0˜÷—Ü]�ý°ùc‡’_´6iY"ëf¶á=µŽpe 
îìI‹vfê"
.Ÿ£ËæDáišó„TýL-k,I•:ðkÃæ&ïJŽáóÆfø	”fŠ×Mž-
æ,Eˆ,‹bù8#^à0T§L’‡Tvn轸ÿT,5÷S> +‹o7ëX¾õ±“¸K«¶CÕTå)#«:
-W£Ì8DB¡ÏUÿ,”…œ'‡n#íÀ‹ªUI“ƒè®œB �
-ÎÓq$Mö—YêqH$Ã…ýuQóë®_¡Eë´½ó:`$ËÄÉ•!‹‰@3^[�ůiF@êU›ÈxcmÄ*k�â\yýqj_¯*]U|ë•ð;š:Ýc¬Qz�
-j*
-Ô^Ó�ã¦6¼ÕìÀU\{~t
-¨2e¹ð={f´Wdo´@°£Hüd·J¬‰+z$Õ²Õ(
;Vœ¬~]1B\ØLäë{u*ûä èrƒË�WƤÍy^ݘ˜Ó\2Æ,´Nƒ	‹ù}Ì3Ý¿Úû|^žM‡Ó]¦�
-áÙœ´7S‡zõ¶lܵº"+7Uý	dÎÞ2jèá+ÏÊ�"eåc¯/äcà Ã±m¯h:ÙÙåUFñì>Ä&ûk©³=]§¬¨ßîaêÉv)£°®4Ê	+pö–fÛ˦ȃâ²o•LdšŽÍV?H%ù¡¬éBi©WO.Gßæ@X¬Ù¬†ÐøÒ‹@jGxô¾±–rƒ�Š%}ê0ÿB"jì
4
-cyÑ=—Ó2ÂÊnüžÚî`Ìëá(å9Úv˜t,‚v¤©©äX
?r—ýØJH¸Œ›Ámòƒ å’†ðº£Nk9'~µÕAœ Xs{c�ήz§O9�M‡GÒ§]I-þ3‡Õ6Œ°€ã1bµ9ü»:ˆŸ¡
-ÝtÅ	çÊzȆ¦ÏÇ3œ—5”Ö<ÝÊU½‰bâånm
-l_:¾
-ÃY_ÂK¬ìüvE\aÐNJð�ÿÞ¹nèbWo@ü7•öÙ58±£–%\É^
-òÌ%_Kì
-w½Á-Bõ?ïmif‹
:¯
í² ŠÔ|ÑŽé.QØ
l(è®!mW´»âŸ˜Å>2adQ”ÄpO}UŸN†}¤‹—çäsê2„|97pŸY^½VSz¯‰*ýsŠüä͸Î
=¶ù
Á
;ݽZ¸k²[lC)Â0ÐÐx·8äý=ÊÕi~°‰Œ÷æ	
¦j>ÝÏ	cê
^´5»kú¨Û®¢ð
-Õ8§¥rצT~& ¾}÷+Z?/_Èà£�w4E+^o:g’,¸’/f‚Ò MüFœ;xóÝ†—Åà`öÇ‘y´ºù‡Ú÷òD€Õð•MU‰¸ÑµEh&¼¤(Ýn�VŒè.lX@ÄôÑDvx™ƒïˆß†)~–EËKNæpר0-Ô§(†3øÚ8»!¹ þÚY‡Lcù°ô4à7¬wO[(V›âz'O]’ùÌ1Ô‡ã�MÇ‘+¹Ù“}ï`¢7aj?ýÇËš–x¾1ß÷»0Á3ðy—œbHey‹é¶ßí“£…™âa44•bô|ëi¾«!Öø±w€fïü@åÀuƒwt�—œû,a—ž�eú:o¤Õ”]aXS¹/Yv¶N£oúƒMU�G9–П9XoìÌ‹eóš_•·pI^Ç|B/ôÏpüÊ[®ÒnvÈp×6Ó¼îZ™ ?¼ð`Í‘‹…U¾£
-SUŽDŸ˜ƒpjU=y(Ž~{×R'¶7UÔG.!ÜÃe®ÉA+ðÔ±·v0H­7)m(pÍ~û%ƶ*¥â9êÊ<¢¨›]`Òël=�šV¾�ê5³ÝF2…2ÀG›±‘ƺ�»8Öñ‡%…x‚©ÙŒx&rq],`Ïcj!¬¢L›‰‚ꌻx
-—”tšJ°7ͼû	›¹yéÐjA0/Á ³	bHgnÁ�¯'Š€•é?d+lDVmË$;6†º—u™ 9>üAZØÁíšw`MíÙÝF:d”ç‚y³ñ\fË_3e4S
-CÔ„0XWÄQ(8@XKp9ätñHkaìÙ¶[öƒ!×�¿oT_N1;aµ<2WN¤øùÕBãAqÉBa@PNYocYÍ\Dç™ô’žÓ	…¸ßëö¡^uCGd¹êU¡RÌè>áëLúƒ¡¾\‹û¦_[³$$�ËÓ#¿%,8Kú—ËÀ
—ºé?ðZ;RÝèŒT@¾ïÝ­;s|ûÃìÓöYÊ[(T©ž™PLýMJÚ§âÐ×:®C:”P¥qg$)¦)šp4kÖÀ§B´#�¶á×çûsVÁ²!ÁÓ÷ú9ÅÂ|5/
…}Ù¸W�6:mº“Q7Œ£{PØUA%fBë*N`s´B1ÒMO‡b
-„v‡‡²˜¯ñ!�
+^×ÞJ{u¢õˆ8Æðl™GÓÉ`S‡„d9ªsiã¼™wnÌäz3ÉÞ}­ì#$ؘŸáÇ´.E‘Û<œÞ]oÀ×}¶Àå�d“‰CÌ®™§jÈ{ò3¯�÷bƱÒÂ$·+6ó(¸ÍÝ%3^E‹Y\~Òˆv/;˜˜ßï–ª%—â�Ž.’
-\1$xo«ñ—«zÂH•`öè€üFt©økbL"eŒ"Y�²ÚcQ½9O£ÎÂ&&¥-
É3íØ9ýz^–‘¥Áh†�~‘Ó_ˆ	xÃOZr@‰Uâ #1Ôq90½�dò«§”-˜=H\2†PÅ^äÝ9jÿšY ŒÞȃ°Dêp4?¢ð¢F
y™;:�š¿‰þÏ]Y›vÎ
ý12ÿX߶ï Z˜F‘ê+¨�Á+ª
’³HÌ•éq·¥óþê— S¶^5nJ,ŸÐ=ØâÄàѯÁVdÙÑ‚ýWÁ^‡„5ÐÓJ�<;POSgkÍÅ=Û‚Çj^i
-`‚Õ´¶È·ŽÈ:ã‹
'ê#&nnv
¿qÿt”êÄæ‰
-ÝKž*gÍ)âM3íålÉ+VÂRa°xÚ·^Ôp«=„j°®¡�HQÑ:8CiZ[
-J(˜LÝ
-ÐýÛ¹\g|Æ\ѤÇ/1—«ÂzwîP|MF¦‘ƒBXOèÈ�ªUŸâD b³N
-ªõ'M˜CkC
Ú„àŒìŽŸÊsÚb‹t&oYy•G%œ+šÏs/'KS8°È¿œf‰�_­³(V›tŒðI'ìÚ
-]RÎîà]­ÄÖÔ6h	Rû·@3¹9¦–P.áYä’v7êÀ!çbkú26«&¶Ýs8ðd·XåëGⲶ Í
-tþZè
-,,SÄ³®Û·Q–Ú‡Ý6%€¹·„SCTÛæ0nǽ]r	U¸¥Îô ÿ×7u)“q›&Kñáè×D\Oì!Hç‚íÄV¼²�¢8‡èä¨ÐM¿Ê-ú o<öž¿þ†îܬ²;¼½
:èå9ô“6s:Þ$ùÛõ}ü9ß[™ÎáÕU=u[h†J ¯ã®`/Ô Å-!¼:G%…R¾"¯�Éç›Ø…¿{føšÃw²rT(Ú<e?
-ÅŒ ò}¸‰2íFz�¡;f$Mµ÷KvQJ~4
-ug°{ŠÌ™‘ùjǼ­Q>ýR	Cþ 2U9BS×û¨þøDáɈ‚œmhºßa¾Eí¬ÇCøw[fÝQ¬ê_1ð¶
-㧣<¡žH4Ðé;7F9y¼Ì§@xcד;çUæõ<+sühUÌ-­F$F=©�
Åòƒ¼»vQº%‡Óò0j1±dÉpQfVëtFçÔq!›5V(ð¹s¼Q—6
-E
WÎ^ÌË#ÅwÂWÊö‰·²mý$ï�ãœ9ž"��ã�abH¶Ë'B÷Ô"žiØ¥±AËݧå—F‡(È-'ˆÏÕ)ŸÔ38ÝH—ð¢9p
Ï«1ç•¥)³Ðûí4�&P"tœ{#§ˆ:’úa@û#¿½ßsÒ¢ñ4:‹â¾%lÊ[PLxUµY¾L‰à'v4ûd)ÿR
-·ãtÛ”I67ˆ-
-ï3º¢\ïLV´m4ó
-2c
-·î:LH,rÍ̘}�”©”ÏmôwqDUp˜¢¦`ï³KÜÂM‘C¸2Ò¨æLëQ{ÐC¬,Ë•ºõtv@þýï$&�|Gh­–yšÔ=•€L�Â×�þ´9QÞìž/ú¾dÊO
-¥$y{o/ºÊ…-â^	³7˜ÞÌu7î×æÕ]ÞÕÛ 7K–
ö
Llœ®èBÉ0ä]F�ç Ã.Ȇ•O‘J®B�$¨QLJ‘
IxÖ-€I¨9
-ý +�î$aÉÚ ¼MÚÄ17œf
-µ…¬÷TýMŒpq�lî^²�²jd»¸m]
-ÑL=&†ØÚ稺Y²?·SjJJ}-ôäÀNT ftŸ
s %–þ²8—NŒ ÷¢—?³¼B¬ý�Ðã&~1$*nGTÌ1÷>¬�œå4>‹
šÁöm¡Jv6õg/Š0¦Î2¤׶j*ž™¥Ißëã¼é¤Tœ´g»ìr¦Âé‡Ô{vÆP>ý$ez.´r™Âòêc>«y.AžXn�7å�s"p.w¥Y¶üÁVc°rÆúÄÇ’QN¸ÿ‹)®D?â1œJŽJúwI×9õ€ž´ò3–\æsNçAS*Ö0a gîêv¦EËÕÔª
-ÃÕ³5šQ^­šõÙZfé©4ûå-IeU“®é	
-šÉ,‹^Ì*hÞÔ�@k
-ÙOâî¯4*ÐHÛŠå«<Ôš>OïY�ò™ì˜„_ó×Kßž6ÒóÕ�¹�“äÁ;áfÐ	ft°‰]vÁsò¾x¯»?N¶1…þªYGtìmÐp¥Ó¾ÉtZƉâ‚^¬·JHëƒÎE[+Í;þ ØÞ_�×�†ás·ÚW¾}Â]Ϫ'ÅOÍÜ“Ë£øЬããêd7
¦‰0Fª�kº‘*äýêLk¬ÔE¦ÜXÚ@Ùà#Œ]ËNÆ›y³?}/Ø­ÚÝö»µšqÁ§‡šMO×ÒNП
-î€þ™X
-â*áz^.\¥„!Á“{d¿ÜÐ#ü
-ïH
--|ò0¡÷F¢$ßñGÊÌká{ËâÈÍL–±¨ÀËäýŒÛª‡k[£·3žÐ îF§¦¹äð”Â-kû4•5}Â;²©%Ÿêm&øɈ`r}‹¼
ÇZöŸN�p±Q†}É |~+±Ú<¶Ð1öŸm*ÌCÃ!̤A©„=í«(OÈnœ¥cã7äG“dÊ}O²º¼óçžê‹T&Ý&ÚpÎZæ2«�æ\Y=9xb•	ž/PʹK¾âµm@0zõI:ì›`ßAhÃðæq¾g{o÷ ÖA;{Õ`ÓY£º\zÒUuxVè3óxðÛ‰¢¢3Ø­Vb&š
m¦G3I §¶„¤Ý1�Ž`°Êã>(•X‡¡=xô´¸®N×›ì€èLb”ˆC‚yÆ­G‡^
B[5zÜa¨(Ï:R7ÑÎœHü­b^ÏV.»(…âKY×÷¤M¨¬y0rôYÅOxÞœ“Ü‹Z¾ƒ4X�ÝáJ[K/pêٱ傥‰žeÐh˜8ÎS×R]öVa’ƃ|Qh Ú¡ÿî>†2v£O8xÍÕ�HØ媚:_øÓ秜ØGÞ8hùõáyQyáíšßål0ÌÃxñ¶ât× ½<•W°Fôä‰Yä)«Ë’%¦H¯Ø�Ñä冰<–ý&Í—.!l/C2CÉ›ÿÃ’i�WMvM´a¯à¢¨ ºÛåòÏ’«€G¯M+ëèr(“
-÷z¦iB‡®”wufX]¹©ô£~n¼N-ã1JtIà³7–›fãm~|GË×è§õE’N¥h­ÿÁ†‘ÿÜÖ1„ÖZE”BôÎ&ÕaÁðÃ_ç€Õ¶�ÇÍX¤kÅǠĀ%_, Å¥oCÝÃu´
-ù¹ñmá>¬$=Þp™i—à
-èÝŽòN½‡©*;€5'®­¾¯l�š²^~ÍPó­œ1ý®Ëôƒ¹q[½	zÊhwäºÂ�êáG:É:JÌ7�ƒ…?Ý�Ù¢|�³D2˹})ÔÍ4槄ªF?Îa
â[×’©©eÛKúyÛÜÞX]Ÿp�w’“?…Z$­ŠîÛÀÖ¬^ù¶ßu›¾3ˆ|
ÚãUi`�TîjRÑÜšZ�kôúŠW4*™º´Rþ.å
-HÇ’#Ñ6aG
HÄÖËvx�@³öÀþ­ÑȪ/áïba·DI)Rán®1.ŒxÏS[
¾¼m(ß�¹I$á(Á!Ý{æið¤ÆÙßuuòûk?–ÿ”_;Â2u9ifï›ïéÞ.WË,ß¼I•r
-·Kæ1š3rÇÖC´žBhŒ/ 7�¬-éËíâD™Ø¤Â½3ÇÚô89 ÝÁÁei?ääï‡à�)gLÄÐ'ЗDvf¥#|8Ì{êc!¡"M?Æ"Wfßîé5D¤EÕ,˲üŠËÜzät*VõÔ„òp	¥ö7Ñý
-º¶ÏŽmná›Á¹àŒ¹ŠF0„éY)Åšá«P�ñ‹6œ0`z)ú…Ý«Èg\¬<ÐãF�DQIòl¡_¨(¹XÀÄ.Ìšú¥ÎÛÏÕèU—æâïJ[�èhÜîè{”iÐÍî6®"#çÝcî]©%¡î!û1Bá¿^î:ê'\>•«wz¿Škb0	ç®OøñÍ!¬ªc!@¢ìp((‘åÏPCæàü�ùËóZü;(º›´Ÿ…pSõ‰Ô:®‚tÝîó7å²¥_!ÅZm¸Šý¶¬Î´ Eý¶5|JZ®DÊC|63^âaµ'ÐϺ)ÞÉßBÕ]¯žZ$•OAž¥€¥·qàvlàê±xh¯ØŒ¾Æ\O@Á\àqc–	$úfX›ŒMÿºÝâ	Ï—_~ÿ¥Œ;Ñþ™MN¶í/–ÌlŽöŒó bDTh‰·K,¹#To-—Ô‡ç·ÚÐÃ>¼—‡rùˆÏР$&ú"„Q.4éÎÿÖ¿v¡
	QXʽ֟ÿžÍÆZ¦|Ï?õ•òL›ï!u¶øZ†w^ v�OT˜ÿáKKîŠj*ìKía·iØÖ+TnÚ˜.PÑoÐV-š°ܶæ.Uä:MP 6J·-hé|î›õJãH”jh·UÜáU4|‡†ÍÈlŠ×=F|•Ž¸R�õË’ŒTL<“À>ó‡Hk;ÐØú!×½‹~%g E´·P”�Úíf×$Aœ¦‘Gþ°u†Wý‡czfb
WÔÅX�Ú´Ö\ü	|+B›·ñS€­)è7RD¬ós:?y‚Ã-r]þ
½^ó�nv-Ï]/žVcà·~6•ažBÖeÃH¸ïòYr£ìË$³°^(„*Œ©cÈ=¶1®waÖn÷>¿ÈžQSÌ«¯UßÍ ™?œ
-Ó2±_,¬0?$éýœEAíÓ!yyÊ$ð¦Ïœ6{‹1‹'®[+\Á‰�3‡ŽŒóàyp)
BèÐãk3¼Ý(ì08á^,Ánœÿÿ‘^‰{zË0
-PпÜ ¼ST 
-þè»ÜÔÕòø9¾ŸØþžÅe´8kô;_¿÷‰³RªLϳ÷7÷rÏ’XÈàð�ÆZ
-ªjDÒG�@œ=ù¢0Vþ23qð8@R‚¢Sx†€ÀˆQšk>Ö˜IÛ»åÆnÕ@ Šœ+7ƒ¥	#xA&
-V°î2»“u=œÕÏ"¨¡
¥}ŨRpÔG0Ò|Ëÿ°Á÷v¯×ã#Ði¹j3ÍTâè(3Z÷†]ö‰6$áHý.ù2rä"Šñ.Q}Œ[ô(~áa¼ô|·g7LÜëèi	GÕzBƒ¤�ìò°ôÉy,<ri5¢Ó<øQ°–"ß@X1páJ9¥œÜ{5ÖXOù!Òâ™DŒŸ-ƒÞÒ{ßî|¥Þ‹|õÈ”…;°ßUÃFrEþ÷÷>£–¢€%ÝÞû.îcäG�3*Ùºr¢ê.ûÝS²Z°¶¯Üi𥰛‰àò"ë8׊Ê[¬oœæiªÈtB!N²Ma3_#”Ö‘3?z25Q«û%Tb÷‹ºðƒS‰\	”Ë`�DðÌø¹Õ"†Ò»K$šù‘ W»P-$Ô"taâ5í.§œi�"2a îÎEg|鞢³‹O-,Œ'²Æ¤ùp|’Ì”‹Ò7rž´­‘€µ‘‹Üä!ðvƒŸÖß0ÕBöy\åqýXkÊ€XƒÆ;my»”(~aŸ›{á|±ob’ØÏÖ­Ùxœ=†¤…` Ö罦(h
ö˜85]‰„C¬…ù×UÎu×ÞÃ4
- ?0
-tâï¯tãq·˜þ?pÿ?Áÿ'LlÌŒœ\ìm�œ¬áþöJ®endstream
-endobj
-646 0 obj <<
-/Type /Font
-/Subtype /Type1
-/Encoding 1325 0 R
-/FirstChar 40
-/LastChar 90
-/Widths 1333 0 R
-/BaseFont /QBHJJO+URWPalladioL-Roma-Slant_167
-/FontDescriptor 644 0 R
->> endobj
-644 0 obj <<
-/Ascent 715
-/CapHeight 680
-/Descent -282
-/FontName /QBHJJO+URWPalladioL-Roma-Slant_167
-/ItalicAngle -9
-/StemV 84
-/XHeight 469
-/FontBBox [-166 -283 1021 943]
-/Flags 4
-/CharSet (/parenleft/parenright/period/one/two/three/four/five/six/seven/eight/nine/A/B/C/D/E/F/G/H/I/K/L/M/N/O/P/Q/R/S/T/U/V/X/Y/Z)
-/FontFile 645 0 R
->> endobj
-1333 0 obj
-[333 333 0 0 0 0 250 0 0 500 500 500 500 500 500 500 500 500 0 0 0 0 0 0 0 778 611 709 774 611 556 763 832 337 0 726 611 946 831 786 604 786 668 525 613 778 722 0 667 667 667 ]
-endobj
-638 0 obj <<
-/Length1 1606
-/Length2 15571
-/Length3 532
-/Length 16429     
-/Filter /FlateDecode
->>
-stream
-xÚí´cpæ_·-[;OlÛ¶mÛ¶mÛ¶m³cÛIÇf'é$·ÿï{öÙ§ö=ŸÎÙŸnݧê©úM¬1Çœc®EJ¨ L+hbod*foçBËHÇÀ�³´5ru–µ·“¡²·1
üu²Â�’
-;™ºXÚÛ‰º˜r
ÔMM
-@%yq@ð3NoŠGëAj
Bn(¾¸$K>{}!ù9>6Ú>xŒC�MÊíOà˜‡Ã¯¥ZíIµr’59mƒ.pÉ`Þ?&Éñ„ζÁÁ½S=æî{ƒñp&�§;n¯8Fèzeíä4˜¼0€=’Ô}ØbFÖKøPÛý‰*ž|ë*u¡�»ÉŒtÆëQ��g¶Ú0+é›;Xì3|ú˳_~
-¹Í4“Ü'c¤@t¨OŽ4!õ¹ÈƉ}dX~«;OÖôZUž�é•‘»œ†–óŒ“S#a,ì×sæyó`~esx¿L»UŸ/³Ì²£@M¦Zrª§ ºýðŠ1áÛÓ'Lš‰8®ÏŒë’�ºðFÿŒxÙµÉ3F9ÄÌ"Ù– ÄÍ
¡” š(-«Ç9ñI,jÚ8:‰?±…]˜Ÿšcì=áJ-10Zˆ˜á°È"™5aŠœ¸ÈŽY×`ã¶(A'F(o(kI Õ¿�O›yælàTŒJö?Ó‹6òc€÷܃떡Í|fÅ1Ú!a¹P»á´&äŽt¹”
Œ~CIôÖìqoÔcpÞ£bXY¤שŽ'D쓯íð�„nëó ÝN”Îë·>ÙK_ï%…‡Œ±™‘¸¯";ÀFßQpÈ“•"¨ÕŒFGáÑu|°¤ξ,~å/�_%
Ûè
I	ö�UøÁ2!Äü$|Æ#ö½2Óë{ZöãC^|´l´YAßúëSE¿Xü䨺®B³jötâ*‰õdȇ÷ùÔ�c>,üæ�)7º`Ì�'Žª°sSíû.rœ.ßË»"9ÉÊ­�ñòw̆d”%1w Ü-®D*’Ëo¦lS‡µ;|‹:û7ê3ýOE|m²UúU?¾ÒMÑr(!¥-€Ùü³´ü»åš„¸�»ßò}"‘ŠL _‡°‘Fô¨—†…óOU�Ø?4o#›d(Ðù“ªdR'õÓåôëQjœtD5tS¿¡Ççà|¤v¾eW¥�Ó-œž³�ûKDñA¾îúlÙ.ÎdÀ|�
‰�çZºøªRG¥8LÎj9eN»ÂðeðóÚ·¬ªçc“K<:…
-1±€ÈÔhC	'zšŸõR##¢á݃×nXxþ»\p„¢Y5¸g	þ*iê¿HfròÿLìlÄDÁ}�ë«°>î$âà5`瀙¨B:úü©Ï\d½GÓã•OVçy»žˆâŒq¿13’…‘ƒË+”�/ÓUYÐ!©«Ù7G’J‰Š’µ/µ‹E[½u=èšãwlâ
/ZDvØ
×+‡¬Uõ8× ðòÊNx7RÕºÉ`¾µ™XÌT˹j#R“ÛGt/ eÊKÎõÊí.U;’ÊÌi½ÚT19òŸJ*|ÌŽ{ë
-6L@>ÎzfjiÍfüüÕÉh¨i?CÂŽcÿP²©3.¯0(çßc°–žNvÙ5˜£ÎÜX'oÿÌÐ]'�KS0©†|ȧÕQRãYhýžµnôøá|ôë§q£7ê‡íÞú°»üm=·_�ÉÞ´åQæ(y˜÷Mý&e_:¸Ø»;¥=lQ|Ók‘¢}ÒëâIJµ„g¶»Jå¸CÑEC?&
7<ŒcñÉ¿2Õî˜äs£äµ•8Ítˆbvç¯dyõœizmg€n‹Ê +ô`J²D7»Ôr¬Rª"ïÊ¥­¿ÌÒoŸ¬SïdRN
Ä—R¶m’³_5õÀÓljr^ÊÈ›©¶”¯èà_äLÊúœå镹„>ÖÆuŒxºÛáXÓDñtú<!K$÷“ZÓ’°£$r^ý¥Œ]„éHú.‹²€†²‡å«©:¡±GĪßÈj)K2ëž?–ëÒ-øž uqÔÜ:`âýèžÇ»ð}pbD�˜ζ›?¸õ~š)\í\ÓÌÇš-RõïéLíø>‚tì
-ì“Ÿ—éÞÅIúcÃÂÔ”»;Èo|j�Chjž¦÷ Èg¿”,ͪYÏ6\3ŠŸá60–±XÆó	•Ù7‹GW÷ÍXº†æAä;¼®eywÙšç-¯/í
<¶�à*ëW aNnQ†gŽ¨¶M1—�øsVv¡£ÏýúéÕ6®ÆJùpoPËíñÞxÐFtœÇlɬº�;J•"@ë]P�}ƒ| æ%0#¨–Ú.ç™á0Ô�Ž¥¿¬f$5÷›L’Ÿ[ŸÞKI-?<š	ØIAŸ@éÛ™
-r}&d#ÚÜÃ%Üœ�&Ø9«ñ \ÔfèŽF#Â#ÂìÙòOÌx«ÊmUq½�yÔY˘QD'êÕµ¼Â]F°Z*IÓ’¢WCÈbÿdÃNöÛÛƒžzf7.°û=|:‹du)JªÄ´c¨YçnؼÅ&¯º:Z•ïœ?�m^zÇy›Yzì8ôøRzòHXƒæ9Z5%o7�z(IÎÆëÝ5uÒD¶O¿ýƸ×dÎDYŒÛ‘èo¡‡tCr}ëA´dl9¶0ž¹R«<ê»u'RbÁ,Naà¿&“QsMÇ"€ÇÆa²Ü´8º™)…Òü›¹ì2éfãð¸•âÝž:Õ'Å)eT'\a‚O„TGèr�•#K®šo„?^ÙŒebä]NZɽÁj¡×±êˆ>ÇjE6ˆa-ÚÂÅ|·Y“k³˜§ELÖ7ÒúeC@7ÒùÅ|j¹¤’RÀßÈ⃾‚°˜p|Ϻ„¥kxl‚ ²ûe
©~»…:ä¦Wý	ÈõvÐià²ãD•§9ážq+ÐEÝ°�Â%IBr�[5ÈTV•éh‰UYŠ¬2ªÑ·VôÔ�ädI†
‹ÝøÃVNDâ_Œe”¨bbnjƒDCblg¿bãYCn«õç7«¸Ÿ	}‘�èc'¥'aç¡X¡Ì…²úRÉkVœþNÅÑjÕƒ°‡�[HÛé[
-I¬8¶ròYÆ’Ê-òàòkóü¶ƒˆ»hâÓõâ�ÓÊ$lN]ƒ¥ÆlêtÂ&‹Y�G
kO	?v}^Ò€áþ‚2€[uƒ³x|�”G%“¹t� É€¬œ›±ùBŒLÉOóªÑn66pÏUì’µýÑy—Ôä��ߣüFš¥�¤É=êÖüD’†0T-
-ãøŠ4B¡U}þ³Ð<õ¶«FäG+qâû�tê›
-'! Ò‚c†`±ª×¾õª�qëò<�C8ØpÕgÏ4ƒXÙ›º®9èuÃÝ›‘êl»+)l=s�/”±nþÜ ¹%­±¹cì ¶Kÿ*K>gZÈPã‚ÛæŽf¦ö抠|‡�ßð£ýÚŠGêƒð3X',	$«#¬ÉFL
-†1©É©aÕÓ
1åà’tTµÔ`:y\黌¢
'!24×"tãnE\Ž-?,ç&îFÇ=%bû8 æ™ãŽ¸çÎήY‹Üž†Ë%,ô‰!‘G�þÙ"¡eÔž§G
-ñ½aCê> ùr§8À55¹�QÊ©lh™/øSž}¡åJÅ`´R°[ Pšjþçrv)M,Àju½$Ó© ß>­GRwC·Õ
-Ú«&{~‹ñµŽ@£Ž@g€(P(›Ù
,cÂõÚ™˜m¿y(·Ï�L	ŽWHËÚ~®ë)L—¬”ìÚ1©Öh(õ2•Ø¦Ó]HܲöÇ(÷54Íò F‰€E<º§®í¬T¿�9»ë�5¾Ä¶)Wä%�£¨úºý‡­š×­ycR[A¿ IŽV’’ÙÂ~þK_£X.ç~,
Ï^âÓWE¹Îa0LqI-d;ä™~dIŽ9佬t\#¯yŽç(8(!t4ÑÌ&ÈH	4Í<2Jæê<|2ÉufÚB´þ)¶
-]µ•FNrÙX¦ýø‰™,�l'øjE3~ãâ+,ÆÀ‹†N\Ûœ,;þѨ78uZÝÜÓ_–K$3o‚%:7%Ö¸zÁÙè/¾(2Ÿ»¦ñ³C©´�Õ0¡ù
-ŒõŠÝ’攸þ4}‹uÜ5Û{óÛÑpW‡ó”¶¸Óm%k¦
-=¹Ê¼A-{œƒ�MO�ì+cÌíÙwŠ§Zõ¦fª´9ÛÏ !U1ÿ­Óð…_Ó‘ºÓjñ®#Áíä—³”&€�A{ýtú¹*�'ÇÉØ¥°vsÂlù„%ð&Þôäy¶Ã¡p®
Šæã�»
-æ»å€åŲ4§Y—ÊH¥LQ"�§ï&L ~COØ"rH©k¯¤øì¸\¨‰>e÷᧬sý›êQHìéë6Ûz? bHŽì¶4~DUBERyv�ÓÛôØUH33S·vɆõµ*1ìþÛ¸ËjÃ݉ˆ%Û”»�qÒVzsu4,@½/»‡û‘®¸×y»Ýwb8©€†Œ
Õ"
-èð‘Íù‘óÌx-�Å
‰[½þ›R€ÞØŸd/B“ú*(13eÆqL%ý¦n%Hê]0Œ¤¡-¾4cž»‡ÅP¼Q
-¡P4+—¢¢Éq¥BÌm­¾gª&Ã�0­Y,Œ…ªîψ
-q†
s艺ám%$<Õa§- ¦RÝ©ÂœäJdס?Í¢¿ÒMXµÁ5äÆ'î´ØYË@8	}b»„̧îãS¥ø2¾8zHŠ%–ÑçgRÏìO_Á÷À5;@Y%(„v–*uë-BÅéÖÁ±;ż¼~•RФDO…}0æg¨}_‚{ÊL¤û™iÕ))™[÷¯¡¢vÂJ¸áôx²SŸ¶ku¢¥™K[P«UžÜè÷3GúgúÒ­–ÌÖ­ü^’ö•�w[¥•Æob!2á:lê�p=gk™—úêoô}G@aŠ™/2<Ê¢‚ºRÙ¤*Á›lDV?Ek˵1‹"2ìüÔ·hI}¢œ4À»MycTÒÃ~±ÔÒZ¯1ú*r¶¸R&‰`Ö0æ\K˜LÝvOg@”§³Í0èÚð­z7,ÿ…¸¨w‹»�ÓM®W‰›uÜ…“ïÞ¢øÑ"ÿ{Èéjò}eîÁ——¡ÔðÌHð¦©�~ûà­#>‹&
¿-äIx1*ˆˆÃ:§*ÇÕE>KUEû5Ô
-xîFdW~—X
-ÛžônœTiÈjÖ·Œôž7G¡+äÂBBш|ÙL¸»ic&ÏÕZ6žã*ÖŽ2âí3²j%�ä‹rÕ³w„%	Ã-�¿×}׿õ7Ýlû¾5þ1NQŽØºÀe6§÷vf¼RËG +n=Ì:é.«=f$ßR��.òTêý<†�þ!5
KÇì(0‰ŽŽÇ™·'2Oò=IbÛÜy†§­ù@éPÕWPaÌÆŠ˜¶Ø¢,�ÌjZ²¿Òn&�=Oó±açj�T£Dظ¸O€/]Ò•™}d'ü"L“Äà<Ì‘éÎ/7';›e”Ÿ™\Îv틈­–^óÏ—>¤’$�ÊZÒ‘“�”üçE
-§Ä©�;o iƈ†ºTΗȫã‡÷Œ»L5ù�h	ª'¬¼
-i)³í×YZ4¬ü‰iW<<Ds®NÙ³¬öÞ§ý6wmŽEÆ¿W ,˜ä˜fÑk×q7§À%ņ€PõÝÛá9ØÍ8qEÑûïå“Õ$QlÅf<H̤E¡³´Çö8#Ò1ßPí§Ùê®~¦ä›.=W£¬¥÷`‹y% E&·„wFøèDÍ�Z_ÛL?.-€ýæÜ00[7êÄ÷<Z¤/Cš–™£õõÛ„=ªŠ6KìZxáb@½¸NúazîLEÕ¸Aí‚IYYDýþ¢À¸¸¤¡i
-LþmÞÏCýÛ¡rT»`œMÍ#£%ø\£t?Ò‰‘ÉçaËúª&òfäFóæ°ëK]ÖŠCKH¶<9UѦÈ
-~¾µza4T%Ê3Å
-¾[]bÛ³9,ˆ}žÿÚaˆ:ÁDÝÞ·j*p~aªF�Ý3–ý¦¢Ça2
-&‡ÇÏ	ËîÀ;üþMx¡u¦û&½…%`•ôKÕ½¢'KFÄÕéä‰P¿’Óos-u,“‰j.;åŸÍ¤¢)¼î&ºRåŸßWüÓµ†ÌÇ#¾ñr¸Ë¹¢ÀkO˯È� ÏyôR�J…ÍÛõŒ)^q>I_>ª ª`æWÜ4õ”ÿ‘J´<…=ÑŠŒÿM‡4QòiðF?†nšÕ];i{�¢†RºÊûKšráÆ3ù6ø€Ê6Ô°J*LçC¹ëH–´ŸWpƒ„ô\f^7Nn4[3_7-~�]—™bêlyôK+€¢RÒÈcÐkÓRfõ”PmçX§–å!¥ûéêwnƒ†j­Ð£d\Í}ß]vËЕa·6�€BMz5úÜ;¿ÙûÇ|“儹ðE¢ÅÒ&z…´‚aK¥}�çšìP^_½(	q¼c°9!Nx6„ÒZÞv°²ë5×2í	sþ‰z0vRe‹W•5s¤Ü“
¬³rèÞ!öÝd�px_Î9ï�ÖÛI{ï¹N!�ùV*¹½6à€sE×ÂÆ/íˆ}ßRÛ�Ìm:´¯ªorŸn¦kˆnpe ëÇê>ŸŽ6Œ‹{J5¶Úï"V*wIî„œ(î#^ê@Z´¸ˆ~Mèxÿl”Žt‰‰ÔÙÀÎ7tÛÅ›ÀÈËGfa¶ ÙÂ\öóÔ÷­Áõ”Þ«ðî´å«FÇÖ�Ó“ ¶
-Íu¥Eª�‰–ªóRW¹®`¶…+–ÍÓ�~feÖà <�á¶9If[ŸúÎõ
â0Ñ!åS”ƒªÞ…é5œ„ùùŽ´˜’='oþÔ%“	Ž"1¼ˆâ¥;ŽÃ‡:m›¼8¥(ü:¥âÞ¬ãA<5¢ŠÜT™?šÓ@[ÐУ>ÎêWr®'y öÐyCå^†ËRúGFGD�À08
¦jŽ’É×%V"�l…ÑJFaŒ_}ׇsë¨ ƒ½f�¨,呯ß[ª¸·w3¸*wùuEuM^ï´€9š",[`‡,8fãåé3ì¥æ\Ê'^¡úNeOµs†6”×xñGYÆât™@ç¹aðŠp„Ô@
-Û¼ )˜_mQd<Bì:…›k&Ë“á(\aíe±udÔˆ=Ì¿�MÔiKÂúÇwx¾>nä~—Ô_„ŸÑ,Í´]
¿×âU"nL 
-~È…Ü]E+�C4h»-¢òË¿ÿP”8ŸåÖ]öãñœi©uƒ–št�Ò°d͵‘]¼@¡—¸óí‹2ø)Qn£Ê
õgg)…nü¦>?ýÞ
-ïRŽ³Ô+Ú§™§EøÒâ:r÷‹o³ö-wçh­øE>¦Ÿ®
-Áx±?´—Æé‰iõÊ{dºkê
-­ì†
u¨ÏîRi
.íoÜBIYqoQÆpõ¹"ƒ�ˆT§™Ò‰|¥¹mAò0IÒÆ—
-¢†§Æ“Ef=»Ôô!1dL–~-·þ:½>ôbŠzg<
-Aî”™›žmÚæÞÈaïs�{ª×K®Þú|1:ŒŸrw'ˆv”™Ú5vüæN–yéi_/â¨K\â­’—[ù[%ºk6=šMç“\
-ªÛ¼()m?m{¥±-ùË“¸Ô¹5㓨‹Åd5ëÚ­\ð~¨û	q¦ì
-¥”ÄÅòÈç¹³$KZóèUþa˜’diMW:_3úæ÷ÏuPÌø$>9¾Ò°)'õÜ´óTò•UJZ&›�úÂ3t‰OTËûx¢æC›C=ÎÀùª@'µ0ßPü´æw€Ë�ŸQ]V˜îÍ,è‡R‡V¦?ó`ïS1îâï'ÿJ²•}O®—‡{¡rÙŠ{¹ôßS×PÓ­o¦‰ôoé…œ5>›<
-Íš™K™2ñx(ÆT`ÏÑ¡(Þ(&pª“–_|–¨0
-ýÔæENFq„Ìú©?íïš©Náq1!YïÌ*&|'P°�iÎv˜2ħԳÔïhfÛÀÎèø—eKvë£Ä“Îs•»QqˆÕŸvËû(ßÕz‹Iä�/³÷36¼ÑTçNÐô\“r _¹®#,‘g…¨³â¥Zõ{Š5²(àåz
´›ëBëCÏÉ@ËkL?y_Â>¬lèµ’Têas|ÂfY_â‡GkT@¸\&@½	‰Ý\_cÀZk4
-7IŒ¨„؈tžü
Ÿ?àù¥tb½ÒëQI(çì¶3åzáÂ
NßKe<?íGÅ`—h “¥Ý…ëfROcC¯ÚÓøDÝm³�¿‚6­¸�#Y…Ï1ƶ·µ.	
-"lð“ìh§JIÆä¼¢¬©¢Ùhù²Ð²éê
ñT¼.±WÎß¡ŠXCV
-‘ÎÒ+Où¼ñô5ñ.¤X‹o&?­]ØÃßG,Zwo]Qš‰ÉÌÓƒ@7Ô	o|±J­ü¤qÌ/+hD/�‡áÑ«R?@ʼn‰.Õ.e-ªÏHS@àšwdc£‹I{€”‘—ZØÂêÞ‘Ü›,€!¢=Ù(†l0õ›Ý”¨ft*,4•Ðµ~*¢™ª©ju¤QšTHÒ¶×éí亰'ò¶¼)½·˜Ý¥ràGj”§qU_û•n¦ïr/¯%¸0Â.ðç.V¶Å—�ýé4Fn[¼ì–Ž¸»˜ù	_ãZî(‹ëÆÆ“%j"†ùÆ™¤„6ŠJÎ$×âímýPJ6üí9rµRˆBç}Ÿš I=	N]Ù¾íîåé‰Eè�ôVƒQQxMórZfû§³brÂ�0
-<rBöQh@¨¶d9Ù®ÇCV„˜Ü&ØuÌ_EL¹þïCz�óå¥&“1˜úƒcÐa|å²®jœ{'œ�pƒüèøg“qöãZv™¤ÙV¯‡G¹¼gºÒøJ;x6hïh&ý UÙ'üæ�K,+Š³Öѵ‰¸øý™ŸÃ¬„裋VlV¹‘㌎
-rßÓ†wéš(ò¥DáI¡UÇ\ò÷
‚w¢g
-›xÃmCÒyý]VìßÃòF­Œ­­¿áœäw¤ÒJ²�ã8´j”NXô]˜1g$æ}¤‹9´5„¾²1ÌHÚf0ü4=ùòÉ`æäµhÜÕIžü©t=w›‹-t3v²}èâªã�¹��n€™3¡8Içˆu1ò^Ê;
8 ù?6Äq蘅x;:è}F�Ç"‰±¿bÏX)õm‘(§7i¼ ø˜ú`7e9¡ªjüÔ…‚÷ó)½™\©àùåøHÁ„Àn=Ñ+×mêž Æ/»iðœ‚Û²„×Á7(ÑZ „eÕ@_ ´îKÐ�¬=ʶ‘^§�ÇYm(oŽ£åÞfqýCÄâOeWjas"õ¦ç™¢Ó}j0û®¨»�
âf"Õê%3v²¢
-ô\özzX£´:)§Óž…â‹.zVUc¦&ã£2>Ã|¸x4Ì@»X[.¤ºØ…6Ù^~#BG¿Äw}Ì5{ãâ'yÈ;z�*C_!Û½w7²ï'
Ìš(õ“YôŒÞö	Ñ>
-�‘ìüöûh†äsóÝq<	#�
±qbÖ‡iŠÞI“‘›LÿJ`æ×È­–ÀÏ0#=2µ³3–²ùÅt™‹\¾ÃºlàÑé›8
HW…)–Í ƒUÃFGWÙéæäÑ%²ò.“KŠx¶ê$	ùcÑ/Ô�dDQħ˜ö?øÃ/¤(„
-wëëÔ8d&A˜À	ŽQy‘›Î9g3NÂu@ÌëC¨lQ'q‚ÙÝ ·¢/˜ïˆ›äoÅ$‘–‹¹u¡Ç÷hnÚEWEä>BŸjw
¤
-¡t0ï›Ì?Ì\\$…Vœ¿"ÐÇ+$8•C-ƒ¯ðÁB¹lL4Ü&îÂV>ÙðßÅÏO×7•€5¤ÛJ‹'F6z¡²ê‡ï>>‡ýµ{“ªY€çNŠ‘Ì«•ÓtO—…R~:h�]a'ÖÁ¶>­T‰°n˜°e`î
XªõÙÎËý-–kúŒQpq‘•Åþ
-ÜÉÓp"S	eýÀõâ	NT…Â÷;枌¾²cñ4!Ô82Ü¿”�ë¼#CbßÍ!3ùeœ‹"nI[×µrÕÿíiÚCI‰u�Y›7ÝåhQ[ÛJŸºò…QÜò§Z’GÑü‡kïU¼¿µ'¹>Ìo¨)4¯]•C9ºNÖLÜ\/Ð
-wK�–‡É‡ðWçŒÈ°ÃY.YR¤þõúXyÑ9}÷7

-�4¥ïöôñ›
âàºâê›AÖÚ§WµNªÈÌ´ß5,4eíNg•�`­Æ0ƒÔè“@í¡×?[¹ª(�$œ½Ø\+¶WHF£ù1¿ëå¸ï«ûôÉ]eI×XI˜Ðî/̺÷Ç+<¾[ä÷Ø&´
S[;A„‡›a� G¬²
B€.X`Ö-¢nØN~¶§Klx:’ËÁ¥-2Ü„Iæ,]ka¬W£ýškS¦Ýƒäu¯f}ôÌ¢—<gCo½uûbv€Ñ”ÂDƒ&RSîŽO²Õ¦b	”Ôp^pGà€à6e¸×»­
-’t\ðÒ €®+ػǎöŸOµ·	É6ƒñ±Ávú‰J|‚LR®>µz\ŒR:­ÈvLMlõÃËÙÍn)b6¾û§é÷³"óS2k
 r7—CúTõVØö[JÑyúæܸá6.^f=£å[gnÈnuâ¼rùô¥“ Øuѱç©9Éñ‘Ê#êx-fé0³û´Màtý„8š}ÚÒ­Üò}l°%¶n%Àv¤0†pféËdäp™
"áÓÃ2‹Uí¸ü#w‰Ágyì ôäoÎÊ¢¯MÂ÷ê�MY²S¸=Ò­%Oé'‚ËüãâjÏÀðwÍœ’
-p´©+ƒ}ñI	ÛÇÓ¤ó!Âît™ð�5=};áÁ•ר­åÎÑB%Æ…
-‚Vju„⯠º~£¢Ê3èÌF‘eô£ëèq3ÈØRj|ª„¯kóÆU‚R§CãÓA7øÀ€w}é@Þè±2ªaÞT’üÈ€ô©¦ŒN&ä+óIT]Ÿ\ä?œs˜ÄÂ6ò@Ñ�›.CdtÝ¢>g7�y¯Aj»9JŒµúubp5ôŠ6&ÔR*øÓ·%^ø…'Uó~ÍUãy7�‡�ZÀ-l
žÃ@Œý±£ku3Ãí8Ò⸦GØ6
àØø/ç9Ž’#ûNåã„z
Gi˜òà}…?ˆr
Ç�xjÎ7»æU
-™fo-âÝ“�
rá·#×}ÿ~¡¯‹OðLçqäú·:`’" >�Èìè§û|™m
-é&È×EGÐ×¼ÌþáEÖöyä^ÜãY;.O4³BVÀ_â¤*ðú®-IP	S¯Õï|œúš¢žÙ£D•IšTUÔ4ÐùŒ†âÅjá’g¼ŠPÓÎyÜ"ïš…(ð
-µxFäüñ²f�L6ë·:Ùºù$ˆ�©ŠIi´Nl�@“'ÉYPÁìpW�“Š)È%çäéÄX«w”£—û­¾[œlÌg.~ɰر;+»/yäáEèY7)5’Ùäs+¹š”ëÍÊ·"õâ,ëgßáNÊšŒ8¸iƒC1ºÁÊX×!êïŠ&‰!-ýå÷ÓbH³ÚSÂDÔíT"2'ŽXêEñ=ísk-*iæú7eÚÊ>«DÁwOmJ96!>bˆ,Ïä‡?¸Y7š“'»�
-õqå$J*ˆ×èã3²û…s-�dÞ,ªUÄrÿ£øc-þ—n�,ìýXêŸ]90ÜÎ+â1éW,‹Òç©"={LSœý©ÙDY$
šHʾ&Œ9êe+Ðíˆ�‚4wP$�öXyßÝ�›@4}{¡+/�@Œ÷Ðþ
È
-•”P�'D�Ô$*)	Â|%“<ð	+ÐVƒ–8'A^PDÿ—?˜ÿàÿ
-endobj
-639 0 obj <<
-/Type /Font
-/Subtype /Type1
-/Encoding 1325 0 R
-/FirstChar 34
-/LastChar 125
-/Widths 1334 0 R
-/BaseFont /XPNGRD+NimbusMonL-Bold
-/FontDescriptor 637 0 R
->> endobj
-637 0 obj <<
-/Ascent 624
-/CapHeight 552
-/Descent -126
-/FontName /XPNGRD+NimbusMonL-Bold
-/ItalicAngle 0
-/StemV 101
-/XHeight 439
-/FontBBox [-43 -278 681 871]
-/Flags 4
-/CharSet (/quotedbl/plus/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/semicolon/A/B/D/E/F/G/H/K/M/N/O/S/T/W/Z/bracketleft/bracketright/a/b/c/d/e/f/g/h/i/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/braceright)
-/FontFile 638 0 R
->> endobj
-1334 0 obj
-[600 0 0 0 0 0 0 0 0 600 0 600 600 600 600 600 600 600 600 600 600 600 600 0 0 600 0 0 0 0 0 600 600 0 600 600 600 600 600 0 0 600 0 600 600 600 0 0 0 600 600 0 0 600 0 0 600 600 0 600 0 0 0 600 600 600 600 600 600 600 600 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 0 600 ]
-endobj
-635 0 obj <<
-/Length1 1612
-/Length2 18107
-/Length3 532
-/Length 19033     
-/Filter /FlateDecode
->>
-stream
-xÚ¬·ct¦]Ó-štØ1:ÖÛêضíÜqrÇ6:¶�ŽÑÛ¶m£c[§Ÿ÷Ý{{¼gŸ?û|?®1®UUkÖ¬šµÖ‹œXQ…^ÈdÙ9Ó330qä-m�]œä@v²ôÊ@sÀ_#;9¹ˆ#ÐÈÙd'jääh
-´
ÙÛíœÿBü_oT

Î@€™¥
 ¢ ¨%%/
 ’�WH
-®;-¸9"LOlñ�øþ¤(™è›‹¿üfg†"©jĮތòBô€Úbš‹©Jÿøq²9ˆ³<®aÁGL…žýÍ1¢€’tgÆ€æéŠ�dªjÍ!b‚è`{*³Ñ>vçîóƒË|û·UBtOrÀ'�v‡”ѳªã8~»%¼È&#Xú�å9VÔÅn

͉$xܹ†ÌK+t†õÆ”S39h–‚Ñ_0t.Äý×®)Vü6]æ‘£ô)—ôÚ¶‡QU<ñQ`ÛfyÜ
d!ÄI{—9Í°Êz=,_*#”„-wS¨F‘ýþj‰Á#i‹³g¾}Õ.bê%aòàáøˆ¥3Òä°UI«QÕ>›‹¼µÚ�ê©u?ïA°¤†æ6'¡wd^χö%c?E!Osõ±ëÍ“F€àíÁ¹¬+ËÐÝSa[?ò‹LdH²'Ä™ÊÔË(*¯¿ãÄ^ǹ„æ–1©´±ó¾¬þ²;l…!j_lŒ‰ƒBQÖ©k�‘7s|Éõ«:¢­…eá0O ÙËÛôOfC–ôBÙßÕÐ�Òe/ÅO?ž�Rà²ÜÇ®¸¢u¾,ùÊ«.ì4ð”’áâ·×6ŠmãT*´Õs	Óî”ì
-³@bSiyäÚK`G¡á›�ÿAgýª¬×‘	Íàì1 ÜSW©Îƒóyl3>ÛúŒ#žÞë˜øw3Ëȱ¬@"%ÓZÏæ&k]}Ö­¦Ç4¶ò´!o
aQ™ý\–«Wløeû
ð–§j&!”Eö¼
-e˜žPŠ†ºTŽ”oRÈJt¿¿˜òä:7iûCì~7„D|?·
-*ÊÚ¶tí¢“>R
l�`ßl×d.?l‡¬0
¯T2„Ðyì‡/ŽZ*&öÆÕ5XÙ¸Ãa-¸8ûUGÉ0ÄÌ8ëž~wï?ç]~%õ«mÁaá™æ0`Qàl
m^ÌDt¿ÿZЇl­¦·ÀGCr2ÎΘ;¾Bú’¹»ø�z¼ì]Ÿ­*•¨˜‹ê‡½£s¢ÿ…J5¢¯¤tX¾ä;Ö'’'Œ¶šBÎU^!%„ãÛ§eQ'"ô¢D
-Yx…'FÁä&“hûÖ/jv „8¾uÂÔvÑÅ�#¦š:nˆ†tO}ÝtG.®ýœsW?õb_ñÛ_&1ürªóaUëìÂ�yû‰ÎÖoæ+f{ÎâÉØW½�¢MuZ!Ž¡9W¨HØÂxŽ‘W§3,šãÅr×gÆ=¡ŠŸº×Q¾¿´zkt›TÕ=;ቼÝEC@¬»ÕoŒ	Þíh¹
XÀô㤮hýÈuÿκ™UV>½‡¾Z€ˆ‡0ªI·‡�:@7¢sÚö¸«ØˆM(ÕE�áP$Õl�
-GQ¹þìØ
7Ÿˆkз[Ô‚t™Áy�z°,S†Äô’\ÄÊ:ò,¤	
-G—»†Iµ#¸uoÓ©QT·¤9½”XA&5+Mw3£"Ò>�Ëþ3
->ˆYukïê›%ƒ‰ÊdŠ¬¸zK±þÛu„¸w‡¾–Wuµ“Øív½Oã”Âs
-*F[Pèå+˜ì‡"C˜`ƒ�A΂b]Œ‘jjˆôû^ýZ³,rŠŠ}mèš³,#Qš?€»K,Bøb¥
®¿H·Yÿ;äÆøuÏËóŠÊ@–’F­ã]¡P”5pt'áÝ‹Q
-Pþ¦G*ô„ÞNY£.¾Á¸YDJ{�â2OWO~ùZb
-lÑ
-r Ð¹Éw:ÿïâSh-Ó´àßá3#
‚ê™wš	˜'::Q
-¦(sáØž¬õWé�õ©‰Q¯˜tÝ ¼Ð7«OK£#ÈÖšÁùX\¸Ô¹¶âÂ
ÀßÂüzó�>ô<Æ9•)djŠ#xDû§<p�ÿÌ$Í%HÆ÷M
-@jÏrYQBÙ†ìí� �YõÆï ƒ�®ÏT!øË7„¹í
]eágòXó¸ÄB†~Mž
-+ÃÞ‹•¿oIMQ<”‰O#ßg»s¬5pobm0†°„ìáð\2tc²a÷�Ùúð }
µTu
-Ž9Œ›úˆCM­©G€Lj¬
-͈sÝ	®}Ù)e�H{�0Õ{ÁXÆUÁîs�^¦®þC»Ð•ëak»Ægwrˆ(çBŸÊ=�zߪ`ïœÕ·³ŒQÄ=˼%Ôè5ã_“3á²ßk9çT�9ȳ2šÁÖÁǘtÊ�¶
‹Ý¥z,æ¶[#A®¹1äÃ’”®kB7óëû‹Y
-E“¨w?\]SÚ{Þ¯$›GàÀ‰Sy»M‹dì|’!CA•ÌÔ‰xð>ké{Uºb¡Cya®„5­ŽÃDô
K°5XágG;P³„ŠmÃÈ ³›b5è]”·1WÆßèÙ[\yDî6ãzçÔG-ª”õoeEÊŒ¥àãMß‘fHx¨mÀE+Ugg›¤Ý{ÁqŠ@+âW�åîä8êsI6}ÓQåæ#ÇúÏ`2I²D¬ÑÐ÷‹Ù˜Èh}Œ•îK&ããð%—
ÄôÅVܲ�GßÛ¨æV™~ÂTÓ³2J
-0âaÞæÞAOöfÄGq^{”e}aA½
ÀÝXe¥v~qüpˆ�ä¡Q€x(”ÌßIüqÖÒ`Í10ùò
-3ôF,BZÞí>ñÜ
v€}
-6´î)x#as"$¨W/d¤Ôt †ð=˜Ý²SÅè›,y™B“Ñš_Ëüekÿ¨Ý
-aßn„C�¹@3¬C÷âF¤!/„·[(Þ¡Qœð-
˜û×|¦Z�
-Øê�¼i¨u
ç€ßŒûG&×{vs@‡±«ªh•¦Ü{ѼÁç(ÇŠÜàÛ6B-m¯Z	Â_¼‡Ým�VŸ�oÂeÕüóì8ž^Å~YöÂAAž®Ÿ_+Ó'¾lU¿QF*géØŠ4hp�®•ðƒ?Ó‚Ú„”´ò×iB0Èf̆À?�‡Ò¦/
-ôy3œý—”¨¸Ã•­ñð•œ-HÈ–Ð-J·.uBn\ni—ˆŽÓ`¨EXY^4õåÚDyLj¢Öõ@ùžLµž…‹[•L¿:m|нâµèå—œVT´†eP4¿hWŒÛmo滈êèR™X
ѵ&1ô
-éÌœ³¹îlN—Çà‡yÂÆõ$MU—Ì(®´Ä¡f£Äô¨Œ‡ÆÓ¶}¨>×1o_ìu«)Ýõ:ò¥¥»¸¤ÙFþ<αÒè�ÜÈ°É.uŠª�GN–öBtøo‡íŠ&\l_+E›Ø-�z_+Þ©³|ü‹Ú¡y7é®k8јUÙYbÏsp¾iiŽM}~Ðô}VÌ–É!’Æ-ŠzǽKtåX}ž‹…–Õ׈¤÷€÷2
ZˆÌ)‰Ûn£˜ÿÚÁ¬ã	„/Q©Ž~*UÝ(&èâ÷ÕgT‡qº±§½ðVåtó¯~——T6|‰Ítb;zÏKg/�³¦BuŸ@<-2¥,TìigØmýÕÛ®TJ0{Iî£L[-Ïè7¤WÌHmyÕâLÐMÊÆpVÃå˲»ÈËþxux§?�åûçÙˆìÐØB-×E‡
×È:j,;mö‡ˆÚáýÁcxOLƒ´‰rS]…ýtèXñ]>+¶(!–°8—0¯OXÌõº3Gº ¹ëØ–TŒÎ•þ¾#Š´º¬ÆÄ×ì$²š† ’Òd®è¦ß…ìkI�
ÛA¦¿§›ó¥–GÿZã+óÖ:Š)¹HÐn2ЀeF‰kÌ% ­+Ù-NVjé寀£6ºPi“$ˆ¯
-‡ç¸áÚ,i;I�Ò�2k?†d”-
-ƒ(Vè ˜3†­+Ýï€.˜Q½7Ä©ô±mðšî­,«ºïmÿ¶‚÷rõ=Ú嫆°_zûæΪSj+è‚þßʶu=¿ë�X…M})FŽèû€U‘’+RÛž½MU¶r}×}K¢:`§[n";Ågµ%­6·I)0q¬Fß±h‹Ž×·V1½©!§£°¹=‘
-÷,ª6-�ço1™hžpD�M¹¨Ûšã†ÿÈÿI¡‘ÝÓ}ãš ÓË>»
-»,©

¿™[÷7dÁ¹Ü¹Œ²ðA]½´ßs‰ÌOõq«åI›È�ÆȾҀ¦Ý·šóçÃûÛbîÏ41ª„s[ÄE”±v…à¨ôv‚I�àw—1Ž^¯Öd}ÈðŽܨ�|¢Äã¯f-ù�á"²‡8ø§ËG^óM/çðJ!Ù ””‚ä%Zòw&¨é’ó�ü°“Þ^LðŒ'®:9•zi"‚Bß#¯T…ÑyLwt é8ÇšOºèíyö×#÷rWŽ�Ô6Ø%Gøâ0Y„´çUî
-OCbÀ˜~¢ÞµÎEž½ü¶p«×V·›
ß*;>'d¹uô7»Y…ß>ie%„aJÒèYP„‚9ˆ §ãtR_ã6Ý’¶}G[ÿ�¦öçdÌÃÍ™1HéFc^†aVú¥ÝAÝ*�©_ີvŽ�%ÿþîÄäã‹›óä(�°-bhJTà] 4‚úQr_´%çÃ-�jø¹ý3ÄøûG&PjUïhL‡æ'fŸédFt&qò”íK©ú¡Ì)zBg˜0.µ½v?Ê—Œ/ÙsA»cÇê†]dF#•WfO‹¬îo÷âO°xØlW\ NîE_"mïŸ5Ø–c;Òïa,üÖö‚\Dd…]¿\~^àJÉÐÍiÔ±%D£1ô\“Óì	/·QH^¡DþùÔK³„àÄÙ[
*©‰L‚ÕÏïx1huJRé`sVgúE#ëÁcu,ÎHWá˜öë�Mƒœ½E—MK�Yè†âi�·«1­F)ºïS`û³ˆ>r/-BiYv—PÈÕœvI²�I´Ïïê9óc).)ŽÝö•ª¼¥ÓS®1H!…þ_n#Ü´×V—d%Šs=,70篟TƒòÖõ\>ù%ý�Â%KÀΆ¿õ&5.m=v®8Ö›GšE‰SѬ3&î}€´†nã8ymèy*¼Þ²¼¢òë‰ÖrÖgUè©WÁ„œLU%¯„ï$ØÚ×å°qo9GSýªé[Ⱥi¢f%�‡’ˆ'E&ÙÒ×hÖQs”å=GÎõ|-.A¥ËžU¦{÷tã›>\h“«gpÏN
,�ò·buÖWO‡¯_`‰ÌH&
bDÏRF©ÂjNhñšÍE†µlÚÜŒ¿ÎM›¢=óÒáº/¨^+æMVÕkkÂJqÕÌcÜ›aË™YÿŒbQ®å@üEX'0/GcÜ™?IBSBH) !k—¶›œ4 šb¶íéÑúñû«ZÂy@€PH.õrU†ÕUn®ä®e^ŸÀ‘j0tólÙlG ‰ÂŒéµjLŒQÛÝRIý1(Æ·ª,òÒå]1c‘ìÈbx†ïÚ`n ß?G¬é=%+•�zÇþCÕ-;²|(ÏÛÃ’lLx”µÁù^íÀŒ(Û¸
Ï[ppþ’x¸áyб^”�aô”ô]o¨;„ê}ür‘.qú‚¸tbS%ÿ^|êëدg—¤U
-·†Œ¼PµõCsqQbè/ê#î:IV™�è†fÂ�
û¢¡àí/Ó™N{pÄÒ@ŽD¡ÆŠe–— ¿ý#›´Ö6ì݇O[f�Üg^)qrä¢À.2º‡¤F¤
-™ä:¥6ELJŠy¨¥Öý‚ÛÛë{¨¿aÆÈ&~à[…~hð7[˜_Öê�™q?a4ŠZR" ÛMºïDñÞi¬™Òf°
s.§‰ìÌ8y¤zÓ>%ÕÙJO÷X9š37:ò÷Ãyp—&3ZÃjýãƒÉ3`È:VKþ
-¸Z´š³[8~¡#áÍßË^oÐÿ\©
-)W‡.VµÝ¼�ùJBöUgG|—ÿäMµ·èlG&x¥ß
-ª’M+8ÂREÍœÉâdÒÓ�)¤WßìÑk±”ÏŒÊyŽm8ås†îd—BÜ´}ç¨ÚBCTšb#ÞS†ÚšXRù
�l#Ž»Wa.ÂÁK>%º5Xý'1÷(µ‰ì¦äÝÆú
-û|<ÒF8£á„Ë„ò•Õœ¡ûèoUØ´J	F)TÇH­ ˆáš³Q�’Ô¾Âϲ93Ì·£‚€Ú™pšëlÅ©ëáÃkâI	¯�:R%NÃÉ%Þ(7t±‹W	U^­ÃNyRº©�eKÇi$ŸzÞ=4Œ¼Í_mÉs
q±å&�ep=Ö¿1çñ§ÆrÓŽLipâ`ÖZëÄ-	¾€¾h&Ô¬êC¿:HJå»cŽ^œŒ�4“ø6W
-®µ<z¦ÛciõtlŠÔSì¸Tk�éÜÄZè�kV•	
-çHB�M*‚Àb÷y§‘Õ3–â>{iž˜HXËI[Óª{›§+ÂÞ4r/s9ñ5�¸xKY:IXFÕ!íqQ4M^@•¼.Æn€o6涔í‚ý0qe±Ë’$!{8á)H ‡£�ên	Ÿb�Ê_Uà¹NÖðû�¯º«$_C1qh�wËZ�üÓòE)ì¡'~ofâ’E*sÆøŽÿ¡­îÇ ³#H’ÕH/wß}óäöŽÞŽ Ê`Þۛǰ‰W.Jç;ýòòóµTæî—D�“½:(ËéHzù*ŠNŒþU‡Ö*“Š‚äÅÆõJtƉ-¾À;Þ¬?Wî°sš�ÔqjÒËÒg´‰Š⬪ÑZGÃP`­#¥[9x¹g
î�ôÀHô«rœ(hüst7³2«SC#R5%zà3£_a㚤N̦õìT©/
�*ŸP
‚å2°Ç^:sâø@µ\pšøzîÕ5Jf6„–¦¨‹(óSqgXæ‚_^tú
An¥
-Á?…;±=‹4Å¿;éÄÉÌ·“krÙ{-cò¾X{º†9˜ë!
-^q©Ï¤d±¥@Ô	®é'®êI°çÁt%´×ß^eÈ“mcX½
-æDk=“ùÜP ¥êå�!
-ÒÛÔîÎzÔé*0uýá>ÖtB~ú§ çû(Û
-Û
Ýô¥²:&ü²¦dcP³b܋װé›Íš¿l†­VZm9ŸÅùñ»]„{0>ùm¹)›Uß`ç—a9–‹ë´2ü/÷Kö¶Ü·ˆ%if™ª6¨azf{SuƒÍÐ�ò,�¥v„rµH„_ŸP%}×8<œøíɦhö×}°	'Û·™Öz
-É–à±]uºÔnbZŽ‹1ñ÷×zº¼<1�ñÀz5 
-b©Œ+|ÍÜDüŸ%!#Vzs„z}ñ=R†J�Ò9„–*å5�@ç–1¾bwYÁY,¼•rž“€øŠèËä4è:%ŸDG„¿Ï(‰o%
_”–�öë”sçöîóµªÇÑ2ûµ+&ÈÌ?ŽQ8®úYÎì[ošXÓ¨2Ð(»´ÁMjÍM(ψéåp½ÁˆÖ›R©xå,8áŠÍ±o•1Ö‰’-÷¦äb¾Û´‘Q]}Ü]Låõ±½¿ºË>®yh˜niäh±ÇûŠ°•œdXî~ø,0'VA>‰úæϵ
Árü9
Ò=jUt(VªÕ¯]6$KR
-ùóõÙZ]¯-pY߈	¿é [mbÑ|…&Ò‚Š¨Ì^æüˆð3“Àð³,6®'­N>5y¼R®+\+œ÷|²”�žãZ:èÄõµn'Ȇéš•ŸÆ�œiÉïɆ¼LPW¼Ÿ{Ùa{HÄ—:K_˜�E,<@‚úYP+IêXÛ‹´œ¼+�dý#6£†kS’(eNά÷cÑæI´>®�SH�3¬³<[%¿Ì€w¥ŽÆ¿ŒŽEv5¼¥ý{Èátp]7a––Ì™a$ŸF‡&(G½2,¸løuܤý#‘oÔFCqÑ–	B’§A¹íM±‘Š®™ät ¨Ä\Œ“Ýàÿ¾”ärFÅoèUxRÒ9Ô›
.L�\^jß±gÏ]ƒ8W	–üÌŽû?36Ì›’ˆ69ù>}$°x.ïeã��fK~È�!­¥1"µ“,{Kv8Œý€öÔ÷ðô41žÌ_Nj0á.W'?@Ø·ø-?þyX
�%u+q¬øb£'£¦fN>Çiá{ÙÜ©�Ò—[¤Ú²XíýAâ
¸Mzf�’4ÞÞ�ÁZ
Ä‹àKb¼	ò¸;é"_ðÌc£þIb­þa¢×Óc“¾®ˆU£Òºú‡«?©åÂOµ£¾9/¢­"î†áì¾73×QŽ­Ÿ4‹]s�š&‘{çE¦¢7t§ìc<Úª7©=Q¹_eèZôdýufþt¾2$-ÖìfEJþÁP¥ÞÕç;áë܆N2ûY'SW²Æú‰HèûíkòÅB”Å¥ØÄ2A0)ÝxdNôÉ)©=P¬a0´vGúÌUe*Ï-]ï§Å³â¶%d«|‰Ž¸æçÍá„ÄK—87�5Håú¾J{’¹r÷a{0ÓõÅ5"@iZ�ó!Ôµ6ý…&v´¸ô·p?e§`C§"¯qXš¯�ò›
ÄÅ{ÒÅ•f.dc×	ÂVÛ–bI¼Z¦ÈoÿéÚc¹bÏlÔÃõ•Ê\:Û"Å‚ò»tW熑=å¡Q ŒiœwfX/Ä`üS‘šRc¢ëkÙS5–T5ivr¾B$‘‹çM{EÌÃå�$Uà5'€iàü—‡!qH[›Ù*óâDR‘ì€Sâç”n¢Å“‘í"94ÅÔúÀîzSœÓÖl/X|ÙN—9â/ŠÈĦrvê}EÉÊz‡Ð¦Uóv÷,ï^ßjÈû/ü±^«÷M–åè®DÉOÚô¯0߈S
-ã':çÑ÷âžzî$i;{9¢úéA
ÚÜš¬ìùÚSΫ½z…ÌÔÎÌ€U«�Ç™x}ÃrÃ{ÐÀ˜o(Uz?8 ¨,YËGtÕ$$ÄEÝväÇÁ“F’¶ß›(6{ŸÓQB\÷,¸
¯Uüþ¥îw€Š´ _�õ)Û~Ý{m`±OÜF¶÷.›'-*Îð›~�²éædÂÓ™ž«r
l{VWðŠ?A±)Ãü�.»¿ŽE'|BŠo'ó
xîuúìG‹Cën± ÐŸ\È»÷¤E~ô¯Ê¥à®‹J(oæh+ÛqmHräÂÎÓhí1ÄTgð;O'¨êW4©#ƒå£t,’ÔêHY&±5fHÏ\-4ík£ïÊì˜ÆÌ•ÓŠpU.ÌÆütvñy8Ì°>‹Þr×wœtµƒ�ÂQyêÙëáÙµ¡{Ñ"#¨A£SîßâÎö…W¥w*.VAÜÍ&ŠíÏ-dIëÕœEuôR^ô�Bë°h•
-Ÿú	únŒÛ]¾#B /zª±ð÷2¥EàÃPÃÌçæþ[>GˆYpÒbÂ.ØàËÂ�bØsbçD^Ìà·B„�µ«ã%¹�NøÊŠ¾@Pã*"èK/uá5	f-âR)ÌNµxŒ+@þ]…Æ)p¥S§T¤Éy0ᤅļ¦§ðì›Ë“Ôï"“îNAm]Bi­p;ýЗ»ùݺGM®îD™ùŽsŸùdq;1¡Òà�
c=¦µŠi=»)un)䉈jòü©rL*½š5
èô^êVY#£ÅæUrÃdÅlTnz5ð\‡˜�(¾wT{ä%?}
-k	)Cñ(Å’hÏÄš·’bqw�ØâÁýãÑRvÕ:ÔPN²È$áÌ}96/ò%=¡
-¤>4�Çâ½K„íëq)OÛݨ6FÖ0b`S¹^œÐíoÒp€fæ&¥ÊH3„–®œÒ:¨#ïÑ xüs±\êT3¤OÙ‰õF	²
ò^v•¹˜è2¿|J9MƒK~b’«qâ®ZsHÕl)Æ4§z]ßá¥a„€áà:ÊïÁ©ó½hr
-ÑغˆN§·p0 ýه߹½V)}i™À+H1ÛÖµbH†RÑD¯ucÏ!ÖD!rÅã
-ž
ñd¥4¡x—Ò…Åÿe—OÕ|A‚*ÛO¬‡ö»S"
-ÉÆnâY*UI·U�Œ8
-æ{O;+ËDß¡ßtü^¬¾"ïa(jÞ§÷�WPeJ;:	&à$\·²)hƒæAé²�ö´p,@eöíQ+,\ý@qO¼à€ð'c2~xÔ°�ÁÚ0“Ãÿ÷’ÛÎÈÄV¡
-äd„Q
-z\cÍ:c÷`Ùƒoiµ“·1U»Z³t^Ũ�@Ü
-
<SÁ{ýŠõœí¯ÖM®œÌÎp*nfRQX¤]Hõ*ö¸¿Ñj	D¬ÖwI z ¸³û�¯=±Â¢däAÜŽHò&f­Æ�Ä¡ËÛÒ‹‰¡}(sÊ‘³/Eµ´Ÿ…I÷¯/ý�#C‚´ÉšÚýmÜ	%µÃJ/º×Xügü½™ÚPyMTmmJsM¿#á®=1Lþ0V­D:`5Uí)‡*ÈαU˜K(e4ÿ‘hj?g=UÕ,¥Úv>’)&ø(†ôó²êÈ#R’ùYu5?Ý=+/¼PêË¥—11M7N‚€á "ÀvÔËàžˆŠÚh´²¤xÏU¶Êw™¶	`ö8HP ÈWL:ê(í ¨êŸ¬'7�“¾ÞªÖÒXt�e¹Ö‘Ïàvç[~Q‡RüIŸQó÷ÍÿBuÙ+lMpÙÂ
tð¼=‰¡×‘.½Dº�I
{œ?Z¹^ôd09ÛwÏ-‘ÁÈü`ŒïÉ„poU>滦bZIVi4ú!¶kDLÓôÅxÅŽýàHñ,o’M³î
-КÅqÜ_4%’ý6mñ2/Ͼ¦ M™Z 9»-ñ 
-0Gþrœ$0x•õ¢«úÊø+ùF@]çÈíBV‡eGpë§Ü šoôKê>~ôÿi—Îÿ™pŽ»
É1ÞÉ-™c”k®æÊ69rÓÛ¡ˆÜÇPÂ[‹Ea¡ÉÌæΉڻ„Ü–ÉÛ\˱”·+3Ÿïÿðýíóø¼þ€çO/­¯œPç9Ù1¼Bžßÿ@kj˜¶Í
mbßÊ4åÁ“»WÚ‚äÌéfBòó	9!ö›måD”è@ýÕéLkÙ‡ÕÃ-Üy¹´n42òrö}oŽw0 ÛL�)«%ºZßðŠ¸loyôô†è,à	)Å»3ºüL#–3lyq$§NX·ôBkÚFHßXó]Óión/âh�zØj�ñsÙÏ©n+þÑm‡GM+]j$ÎB†ëvo`ÅË%Dúís?zâò]]†°ã,âüîTôÞ
-Bc 0¶Ï‘±Ç¸�T�÷sÒþÑÔq�†ª´˜öߣèéPf>Ã5·<)L†Ùl_Úºjn&ý”CŒ×„m.ô²ü
-²Ï#®)�º.*`2~¾U}��“K¾:éU‡-}ŠzpOýÿ6)ª›¿ëpŸœŸŽ¾c]PzfÒAV2ÌEqYaù½²KSDa¶²ÿh�ê~Æx
-ŒnÂïqÝ“äZÆM"%3wöšžk×éÔ´—~«û>W–ûÄ�Çbèþ!ÿ¾@¾Þ§.8pO§’]éDÜÄùû/ÏÇ­ƒzöb7žpÜü¶ny"KÌD¶<£1#3—±òðó€Ô5ï©ø¸2@Jh(C¨ô,ð0¨ŒK

-O\‰Ù)¬U°Î®ø+²d€,…•ÅáxÝ2mïË¿¯5Äž&‘=+3–ˆõn&•çV8h·~êåwŸÚ²ÿˆTÖÿþϨLÚ~
-üù %:�à`¨_¿.77•‘CÉÒâÐ_™í¡Ð�à04~39jbÑ®ü›&Fï©°ío®GãV&mdRç–Èë
-H?›qtÄ'Ê—¸õ7RïàýZ$�?¤FÝîc?e
IŸöãõ}unw°¿ìpd3<ŽéæË\�ðþLøkÝ|hÛð‡œ}26šËèm’¤�¹Cíê®—ìõª³¸µ¨Ã;á]Ëý@ˇ^¼ÌÒûNÕ—ª#]c—ø¿(
-endobj
-636 0 obj <<
-/Type /Font
-/Subtype /Type1
-/Encoding 1325 0 R
-/FirstChar 33
-/LastChar 125
-/Widths 1335 0 R
-/BaseFont /OPCZXK+NimbusMonL-Regu
-/FontDescriptor 634 0 R
->> endobj
-634 0 obj <<
-/Ascent 625
-/CapHeight 557
-/Descent -147
-/FontName /OPCZXK+NimbusMonL-Regu
-/ItalicAngle 0
-/StemV 41
-/XHeight 426
-/FontBBox [-12 -237 650 811]
-/Flags 4
-/CharSet (/exclam/quotedbl/numbersign/dollar/percent/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/equal/at/A/B/C/D/E/F/G/H/I/K/L/M/N/O/P/R/S/T/U/V/W/X/Y/Z/bracketleft/bracketright/underscore/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/bar/braceright)
-/FontFile 635 0 R
->> endobj
-1335 0 obj
-[600 600 600 600 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 0 600 0 0 600 600 600 600 600 600 600 600 600 600 0 600 600 600 600 600 600 0 600 600 600 600 600 600 600 600 600 600 0 600 0 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 ]
-endobj
-629 0 obj <<
-/Length1 1620
-/Length2 19156
-/Length3 532
-/Length 20062     
-/Filter /FlateDecode
->>
-stream
-xÚ¬zSx¥]·eœTlcÇv%©Ø¶íìضmÛ¨Šm£b£bÛ6»¾ÿïÓ§ŸÓ}Õ}.ö~Þ5Çœcb¬µö¾xɉ”éM쌀bv¶ÎôÌL\
-´¶³·
Ú:ÿ¥øT
Îæ@€©…5 ,¯ ))' —Sˆm�Ž›Pp1²¶0ÈXm�€Ô
-Ë(gçü7%€êÿMe†ÿ>‘ÿ$þoø¿EÞÿ?qÿ«FÿÛ!þÿ=Ïÿ•ZÌÅÚZÎÐø¯ ÀÜ1
-Hk
-
-\P3ÏØ©®â%ª«Q¶°sy1*õŸ�ƒð3›Wž®õ;7 K³y²mÇZÉh\H�ÐçãîäÑ|Àÿ´_˜D®á!)?¬oöër$q0>°±�ÏO„<X)
-V¼TC	ÝÐÆÕ»ýÈû]…:€n&)‹ãº}°Äk’…ÀUꜹþ®æSM¼^ž“O›@õò.ŽŠå†"5sÝ€ÐV›¿eXšÑÎI´Üû‹#k•ÚÖ®§alaUÑbPh¬4'Û´~ô2þy×DEã)
-É{<D¶¤
}[DY¶¤T­±ê-úcØ'Ÿ[z‘.J(›
ôb#Ö¹_{—Újå1ã�ysœÃ
--0ñö®ˆ(É0fö‡óÁ0–\Â9Šüµn3ÿ�>J¾™Ê
-Sò¹ °žô9w:%x?RŒ¾÷å9:…œÖÄáöýŠÞ‰Mb*x:�lô-1Y+„-0ÃÂâÒ�
-Ú8äWó	<'Æ–©läÍM*i�Þ
3E2
-r&Õ}Yðù0qLW*€2V:ãJÙ™³œ
-9O¥Ýò“O.2&ÀŒp&'¼(5
-rØàŽ:—UïÃ3;&^ƒH¾÷Ä¡@\³cöW¥ËĤo9z”ðq£9ÊÂÉ�¶Ò]èä´|Í6ّ͸;këá²êäQËÖË”W¯˜›}M;¦ºù“
-nƒ¡”C�ÓÓÚëíûDÌuU£–¡b½³i»´lÜUšd�¼mîRiSgC¡-kÖ;Uõü§3ƒsèº(sT
ØÔw{vUˆ?*?Èñ'f27ØÄbLà×I(~o뜫’°P/>³�ŠÖ²,9Cæp6ª%"Sš¼�ä¿Õ
-ý>Óv¯"žKa†­dLWA¤;a#
>ûëöêÍ¢®Ú:¾"
)¸-!Ó#Kþ=ñ]õû3¿fö™	† ›[ý9‘3Q�"mn±`÷Hé-ɦ
‘=]“¤GÇëÎ'*¨j
¦—œ�1*\
-Úâ\ô3†JÌtÂD†‚V­¹˜=ŠÛXüh¬‹:L›m8}äœZ¢Z¥UŽâý“kZM<íYáʦ¬b”Žnhuë²fè@–KüT‚GÐ_2ž�Ÿ=\kAõÛ;Ÿ¹š@t�å|#Žì¸bK]˜ÑÕa1%­• ÓÞÑÑgñ÷½«É®,Ï|ÒKp(À·ê»²“£K¶z7÷›Xi!P0L#‹
-K™ázŠŽï“ÕOG‚î
-é5[¬xv”C°‹S=ßPWâ±Géšæ­iúaÒ�~öäÁy�	o¿µþ¬�ís@q+@ñ›�¯0/<ϵº¸gÆ+útÊEQ”§ÎOƒÉ!qÝãÉ›¾e“Ø;E†èÏð‘#VÃèlµÃwÛ‡¥Y¿ÜºDöâã§7™“
m­*<„"ÉSé0
-$¦äh]�™!î;Ö¦xµ;5rÀDW’GT>—0Nzœý¼�
èè8FÃñ;Ó�‚ñ-ßFIüëJvë~-bñ¥=`°Êvýlö¸E‚æ!Äímâ/º�=ü1Ÿ/ˆÍX)²È<w×Øߣ¶ã™÷‘/‘Í“ì%mFÔÈøDÉÄÄRߎpHÀÒµÎÍäŒÊ‘
"X9€ãv-Þsçþ
æ¢	Ô'ÕžQ›©(Â8ø„˜º“lŒO!âàºBw‹IËd !�¸_a§\ünÉýùâH ]«y8û"VºÔìJ\+;£´ñ¦LÖŠ
�ÚhHõtñ¯^v÷Ý}²p¬|ú•¾<îög—#á5ñ¥;QÛöNW³#M²Ž#í³?Ð_ÀöÐGR¤
0\.%B
-À”ö¢+ˆÞ)Á÷
Ð?ŽGíL€êd´-1ucÊÅåâzh�4${Gg¬Øÿò¾Æʇ­’NÌå¥fdã€U{h%õIí®Ïyö¢˜Iw¯e,á#ooó§–Êù’¬°<ã5quèËîЂsºêJ&ÆŠÙÈ…_+LCi¬Å»oGö"ÑâÕ2þn¿ÆÇjPÁ¸:’¿¶XS0`ÕÔ*‘>Ø“}‹ÏÔ»•…w2øÜÝO1<¡½¹†’Œ8
-+ˆC:S¡€5‡a|°k÷gHƽ´)�2t•§©oš5O}ÞÉ({9nŠ5\·iøH@O°·ôŠB‹#"—r;uî?Û܇X©>pŒßú’•SŠÂòq¾Uãt´}	õåùb�#1,Z±jçX@7¼ •§ÉZ—rc?™”�AUäûÖ»+[ä»zÄ+G ÓÖ�_ÍÎðv_Mól
‰YKW£ðÌ”‚ 4vÚÖ©.æÛ™@ãÄÄý~´¥Ôx+3Ê
-Wi�7í”rU¾µ;a‘
-ž�¾\’’‡†@™´DÍ_7w[}æ˜ã£1™dªÓfGÑïÙä’e¸¡cî–\‘Aú”÷G¨ùøã¿ÇØs£â‚|cˆ¶zÅr}¿¡5oÅ_¯ÞðP­2þYìŒR TËašÚuAC¼	ñÙEωt¸²ž5ŽèÖä~ì¢ÛœD³ÅD“Ùµ”êR/ÍbÕeŠ%Æší®*²(D
lûU�czﲎT““)ëûm?i&lëlëWà<Û�Z¸ýd´GS€•/qV N“=
ŽÂÚ di¼fÑa2ð ú‰{Š›�âÄÊRm!ƒt‘Ùé7p‰œ„—ƒs;
ï÷ÄŸ¼Ý¬ÎQÎ2¬fqÇf!>ZSäÕ‹Üq{	àðŠi^
-Âhû'zO`Ícõ¤õ0P±rLYβ›G^¦È¥Þ#©ì
-ºR…ÒBnÖÂϾîÆ¿
-y5~Psòí>x7ªU•$峀ݪü´vƈ´5@àƒ³ä¡ïý’8JôF~¨FGÃü‰0¯ji�ô…q°…Ü€õRVË#»“é¦mV!‹·ä0B0IÅOا$—Á4à�¶]ãNáÙv™Ÿ—³#1zl»,¹	ãÄ5#\û‹zQÜ‹Žïi¬Ö#nÝÕ–¯µ(¾U¨“„f
p/¡Esªjˆé^©n6 „.ëÖ^
+"®
ÏeV¾¢
-8ðÞaí"Œ}9£tÍ\ÿ*÷Ü^"ªs/ü.Äöì0_
-ØÁ({0/“GÖ-m«Ôá>ñÔ‚Üb¹ýQ»ð�Ök¦«Ô«sö28¯âªV–Ñþ$JYÒ3ñî—ðZk‹w½¥·BJ¢?mÁ¢`g?%uÓÂÄ9§‰.‘älʤq+4ìcXä_¶=né£fóÑ�¸5­){_Ð�'Ëš”sO+Ú¢{~Œ¹#Ï\%5
ɸ„êdʺÖZ²¾`•[%UP+âóJ¬�~g½U8n( ö
£ó·( £Hž7á$m�¡D¹µ�hO�ëHíW„;hKÈß8φó�ú	†H~Â$+·CO‹-y�ÿB©˜R"g[¹dIP3(EÙKµSÄcm%==„ÕÅ»ÀrpÔÕRÈ q¥6úà +Ú,ë…4|¿‚
¯Yì-EI—m4’ªiE+D¨ZD2£BÌ%Hݼ³‘ö£~·ã»]bË	'ò|ŸÞtÿ½¢P)¯…¹'ÆÝ±¿IÒ/)>€j¸u™T-gí’;l´Ë'ÿ(sQÉd#r¹ÀFá3€m°¨^LuRñom×7ÿ\ _+3‘ñ›‘¢Ä1öXá
-^õÙ´ bš:®Ý~ì
-fÂéN~aŒ?á°¼¦‡·®_"ÎI¨}˜ÇØöµ`u7ñ›9“p°”¿�M�ûKJ�¡m
-|•n�ýÒˆÚXýyaݯℎºé
„J‰ÇI^}mèD„·_GN¢¢óÉRs±ì}o†|
-Mö¨Eçe€z§½Ð@ñômú³”ÞÇŨ¶¼�+D쇕a<¯‡»A´’– ¦r³S¿ÀóI!/LÕ¯GK^X"âQ¸ê9µ¦›µé�‹º
-Nl}MI{kIËJß.¿&ëƱʟ˜„èºã«mL²´,\…½´PνᆤyêÑc„MJ/›Î
xÎS,‡ñ4�C«uÌJh[Ž0ïoZËëûo=‰XR¯ÒFl�0JøÓŸ;ýQ
-0ª‰ø³»À5F%n{zY„v¶näâk‘†,¡œÊ}¬©©ÂåzŠ”Ý/ð)H\
-á	·óGÿ-ãæÄ`öS¢ç¤^wS‹6ÁŸù×õ�ÍÔýˆ_h±rà6zó|:èX£«~c&#ôÈîhzó'(Z{+<†r¹P­®ï’8­%·´	"™[n—�hsè7ßC'Üo³íV¤æYò›Aè�|ÒHnŽµÉ³“&<ÆÔâA—„w#ŒNH
-üzdùp»ºÇºû=Ì3j<óòSàìlúÊÖƒÛf|­µæ�Î÷eìgûÝ™0±�H{4Ê
-
Èo÷mxÖ¼þÒ‚âÌ×åBÍ–9Nhé#Äy»Ò«Ã{ÄÈTŒMmS
-î:Ó¯+1³¼+–ý0§ŽÕ’Ä:[”ð‰d覹,�J„ŸÒNE‰Ý	Ïq5þ&Ã
îVwmÌð¾ß;0´Œà0»’Âóüֺĩd¨¦M ;
ÛMM;4²¡>š/£û3/r3¬Å#šÙç¼ø•èwW˜Õh)¡ŒòÏæ¼³öFlò„ºWR†é^mLÉŒÂ{ðsLF6¨.ûžŠè,¨êz¬·f�o
-+ý¯Ü—Û¦@¼
�kn‡–°‰Ë-ÏvCø +W²žkFV옘rºË^ø¸ábçvœ»š±¨K?u4ŽP¢+‘ý—ÃT»¸ÇaÁéçytQ8árj”ôH¸
¥²�b®I5íÀù¼Uù¹Á[صuuH´éêìœHjûµ{Ã">gf'y»[8.¢|¿lA˜$‰
æ¨èH!K¿»Tl]²Qã­þßI
-»y¼¯ÈŸùt:Ùå6
-ðš$3:ÁHªËÖx×ÊÐùŸ'O&©>“ús)pCŠê–¤‚埌Ÿ÷dðqøÌûúçlsËçÆÓðž_pUwôû�ß;^š”ûÀ¤à<“¤TµzŸ�ÁDEdká6�]A=5ìƒË	"ûDMOò䃛½%[êÓ�×*{=F¹"ï£Ã?
-‘XE†™xð†Itò	ö~›sóUúˆ£©Ç“µäÍC]0𬼕”„€¢
ƒÇ‰?§×N®ÎANš±D¢¸Á1ø=Ði!íø'(ßMêá—ï­R�bøÚá²áCPþ(�¾8Lµ:$PøÍ
¥×èX;—Ý�­1'?�¶dUou±K…wõÔˆ“x4êºÓ»Ÿ*Ä·"+ìiÎUk|º;ÀÄZ2۽̹ºz×óä€ÍÍÄø0]*bí ¹àÅ�¼òªìš16
-¾9¡¶çÜ@Oƒ+'ÔÝ{Us~Íxeoèí×}ÔûhµÙ<rã.
-’/=ÿÀÔèÍD±Rî9œÓd -(‚*’NE畲é^:,SÄÔZR·âj ɺc�]žŽ’´’ø¶V¬µ=yf§F>Cˆ!Aÿqø�L•z35G0�ÿ3TxY¤ñYS“Ø»äOö–VÆÅ}¦×ºXGˆÈ° v�Ÿ8»úŒgŽŒ‹´ëuZÛ‚ì@ËŽk¤¨éN“ú|›EILœpöêñïDMfG ÏSk‰úºÀWVú›õˆ<	é5§ü”Kùiã“#OiÝcäM²RA+�Õ\Òuä8/)ˆ3ôžwû›eÈëDñ9æ7 «³‚�Ü1µóL8”(µåD:lU
Ùg>	‰>ˆ“9°-A–ãÒ
-é3ž¬¼·µ9ŸœJ#iy£LCpøWØJñ¬fHêÐCÚ¢ÀVÑ

é^¤Ç‹oCÔ‰bêb΢Bê7A”$qIË5i�Ôò`ŸØLtuŠ�·ÂÍ:Y‘¨:EÖìò¹fì…žÔ&Îœä? FQÈ
-åF¤zÍÜ-E¬%õ@ÄÄ:ƒ}Ñ„dœ­v4KÿÈ«Ùø€	 ìîrµßõ¦…!Q<u¬:\�ƒ|79l‚MVþ˜
ªfç·„�”
-[‰Wèûáù©>«�OæI¾¶C‡KV;%Œä¨ðò%rÚàŠ™"ßj@d+ËÔ5z¢fvrÃÕ¿uõzÆ‘¼Å–=]çÿêÌ
ikðšv)ÝrrÊJ¸
-¥¼¢ÏÉyÓ½¼Þ2Ÿeþh
-,ÏsË(ÙÁ½Á.(s8…›oAΖ¤*êæî¶}‰ý'·—õ*�ÈQðUXëjúé›úŸ8æ!õ5*|÷,ÚÜ­GïËopŒˆz´¾¹øãGRê
òù«M³t³”–ŸLæ
A�t,­c…Èc¾7]Aèùù¶£ÉN€ºÉ
-(‰ª¢û.t<bÎ2o;ˆ}¾â³±Ãã¤Ib$æ‘"­é[”‹
-Žìdh
-´D¨1a2(iégµ;x{‚7\©A0‚’yyáóäVv¾ªÙDâû:MTƒÔ’í)‘rrê7׋?,{œt˜O3q‡©r¥…Û”çÎÕÂLéÄ*ÝûÌò¦°Ã³·¥À1`äuÔ›¹$pÔ…RûmJ
-‚¶=ÆŽÍÉnù-4­0
-7{¢Wk¸»× 7µÇ�†»jåË%‡‚ó
ºÉ×E�&¦ Ü¦žüâW†g�Ô;7ŠÎ[R'P¾¿ÝÈÍè�ÒO¸L�^¾óuY�Î6ûÀj/ÎHÌ5¬¥ØÔ¼ºÇ`jT!I9%f|°‘"XÝJî&3ýÀþz›&ƒ¶q¨ç¬&6ŽäåÙäcŒ˜L16Zó61GŒÃÛ).1äÔSz‚(ãu—-ø(øi~pçrYÜ—�6^
õ\𛪗.ü]øš1‡½}l¬]m:¯|¥?D²sWFÇç¤>§�Èù›ýtÓáX ö§È%¦‹òf5T]ĨX;ÝöŠÖ–»	¡Ç–Et0ÞÛ8ë%
-EU¸ò€d+uQꞥz²™j#™f‰«
-ÊË'5lZ)c®wŒë¦éCD(¬G©ãe²µP³´5~PÏi¶L™æd!ɱnO�;Ë}i¦$²AbD�µ[¶¿o3˜g³!©\#ö³FU¾-Þ¹ÿæí>ú9¤ 2áUÉk�ûª»¦�|óíDIÀÙ
Þ@¡Ä
-»_C¶Mãl@â:}j·@Ý´2¥½Ú²•¿…à9SäfƺyJ-gj"ôøÜû4A±ƒÿ!=Ò]¥õ"/ïäl•N»"ïQE¨û]'œÌ¤O™|…KÄeЧXšcõ»³öûDCïJMÁ“„‚b`úÆĦL$ýš­Á­·™³4"Â-c ®'•–äÇvŒZ•Ræ�êêOÍ/Ø5¾¥lÌÂïkiLÄÙf
°k9rÆü³š#ª¿'•Õ
-052BÍ6�¸~ëϬ*“Þã“׫BL^x¹bÂ~;ý°^0æè
Z±!拵Å=>÷1•/µþÁ…Ÿ9y.×›k�ôÈ ÷=r�¼†=Eq‡q·ýçžáБš?	ÃMÒ ,:ä§j4rŒ
E¸ÅlôÍoÞ¢‡5fBµþFo˜@ÓÒJ1xÚ>véÙ!ùl"Ô><|qbŠúÇ”›_BŒ=÷úÖÏ#ð
4Øvg{ÎŽƒ`#µ“‹ëEB1útȯ_y
-ÐV×p™%V˜5ÞÒîm08ÂDyTø¤—ûAQe
-.Ú¢6‰Ài¤õ™qUÌGŒOËç”AÙ•B¯ß8¾?‡6Ë5yª4�VBô@ý¹ŽIÉõ*'Çïy•Ãˆ>qѦB-z¿:ÙýW–	ÊW‹;_ºdð°
«&µ#h™8†ÊŠ®Išëmw÷ Xg =sSi§ÅÄ5ãÈôÓKB?Ó›µT�ÉÌ]~ð�
l{ü(Œs`.¦¼o]çè_“3x¼ê_’o9å÷×Z•“ÒêȨd6Ê
-$bðê0eN½™•â­ÉŽÓG2f*Um‡�}÷WEySV8!#CŠØ§¯é(¥½óÁ9¿;-Z[3ù*³ôVžüzãa¬ïÆPcÑ
-‡À/Ä�‚u‚’í|£.襡=͋¼ÉÄ38:¢•¡j-rç·
Ã�(¬¨ L8;çFû>´P]bð®NX1ZÅy.Ê°>®®ªŠ³F7”åõÒ÷ý!ù†’½²ú®Y±¨Ñã?S×ü‹žÃÛ¡)ì­(­ý&GÔ‰]¾27t‡{Fn*+i{wBŒE0øÕ¹žà2Ý+y y#ÏnÕ0ÊÑókóôìN¹‘૬¼�í4Kã*ìŠÛg§n�4L”�l¹{6‡Çá7t¬UË>_šS.u
á¬r`<>¸ÆÕ>ÛçïWgdØô’Ö³2�å˜údG_ÇñœDßzn*q×ZŠÄ ñ%¨ó/F‡Fb‚öÙÀˆž&Ú%5ÄíÔ�RÍüÊgfêûWže‘Þé�ÒšÏØtôük{øÙ¿b©½×	춨q¯.Y©¿Â§kqçîW!öÏt£œìçL×ÀkèbmÝÑ:g=�G½ÐLk·þçÛ#&Êßnø`‰†Á&·»"
-�ž°ÍXVë/h$S¶ƒŒ:Añ¾÷TS!Ê!Œ?Ì�
¢-®%ÞöjÈ3”\uèD¡v»[M¯ TªõjW,‘@4\2‚¦Ür²€$ðã©Ü“ƒ*íÙˆH%ˆŸŠEgó¨è©~°ë
-ýqž\Q\²Ã‹±ûÍ—˜lËûâ¸æ­ph]ß,‚Üžúòš¿Â6Í%•¢ð“;‚)¬¼*¡¹ÀÜ'{‡Éõ(ÍÜö\CÈWýÈîƾýÂÓË
-†bJ6¾öÕûžõpIËÄZõ¶Ãp%}Eœ7*X§ïcáÄOÊòµúf3`#û¯é9	vqñ„§x§p b%c»šÌØ7¨D³¤ùF|X1/§¬ñFÛÌxË./U
­Åß4
-ˆ~_È‹õì盽ׂR¬£� U«Ö퟼¿52Wëýà9ZOÚ$a߶mO¼ësm@ƒÏJ>4¹5Êe3iöÅlê<$ê;4¼&™’ãÄÙОiÖ�Ütþùê;^1]öÐP½†Ä
-¨p9¹¸LNüÒÇÀÍБi'ëVên­_ÖËX¼L+UíZ÷¾÷\£–/ܱ šeý‘ne#x=XJ±RúS�ô‰�ÔÑ{£¡otdKaðĤåd@ˆ›Oàš595´ºà³Ù‡ꔨÒõ÷ÍvJH\µè&©)rp´T{þ-mñ¾äšuåžÏ(t6#=êåV§¨
øBKFôJ‹„vÍCÐ’Ã
-¤ê
-¾Õx;x�ŽM„}ÌÅȺéf‚øL��¶Ãpr6Ë(ÔTà£'ŽãáÜ–½‰Læ‰=¼�’cÉDÛ­¡“â-‚¶:àž k„Τ/ýjº‰/®ÙÉŠaÑ¡&©£Î•4#¨–͸Ò
Ú‹¦b-ùÜu¸ò
]ΚÊi^-6Š¹ÇºCè×Êu}M={ØÁj"¹/¶Îž\].¼ÜkYèä$U6“B¤l÷Jß"bÈÊ";„Fuj§&0$¼ò/Äé»c†ÈÌ�kñéP/¾�I”³,[R!&À$µ'¾?Á¥1Öaи¡€f(9
ÿ&œÐò
-EÉ�Ãc9²ÎÄS‡õ<z™,ÿZ^‰»;ôAÃÆÓýÕÙRÞìÕËï³xvvZ6ÿ)~——sÇéŒm¿ƒ)çÁK͘Ã"¹æhae™MH!Oî1¾ÂyxÅ aà…P£ÌMv]ZÞ…jTH™œ…ÂÍbdù`7ˉlO˜—K›�‡h”¸%Ì›uŭ§ë×½'EÙ3ú]ö@
ñƬ‘aÊY‹^ȸ"PÙóÂ(¿*Î8³h[d)yLšOãg°Èž f:Ì>(.&{>AY›uS)/âȈ†óôi‰‹V<èXÞl˾�)jÊ22ø~ÁU؆ҰfNmi%:iš~Vò]moòãªkYÞB5�òûõêÃ�4º8Tq$1òUé¼y§lP6Ö_ó½c^yÝø}·øš�£”™ãD6­Ûˇ=Sœ/ƒ‡ªKȶº‹áÆ#JŒ�0âüØoÛÖmf¼9ŽýS�&çùÍ:\Ã<ä¢B�©"H{f¢y®«Ÿ· d¶uzýØüøD…ŸbÝØ/”¿"ΦU_³µ/!0?Ù”Ìa£zêÙëDÔH¿îBqi›i–Œ`HËöCŤÇLéòñK'oùº�æ…–à@(ê×-[„rh–H~BV´Ü4è¡@O€h‚œ±¢¶—ÛÛ/f¦¨–‚p[—È"„ÇzúQòüÐ;­­äš/èN@öµÇ¶æwÒ$é;ÉYP›:r=Ñï9„
EÿBx'aËdzI–ᵇ^ÕTä摨	¬-Xœ¨ðoOòW<[z9sá›p
ß:—¾Ûl~(æ„B²b	ø>KƒSÐþ2•ŒûÄšåêx꼄JýX�§;
{B v
-
-¥&ôÙÝxK”ætªü«*Ã}Eñ($
kbAk²
-Íï!VS@ù¯b;8
~‡ÛUgžƒ¥ÎŸ“µ~ÑÆìåÔú<ÂŽ}¸K­¾�jﮣj„Þ²’çç�IYBÀõ<K®ß°”—ÚQ…”S" Ð<™—ÄÇÈãÚnÙûW-úÕ9ôTæ¹£;4E&x%v˜ˆZ	Éô±zÏBð­„¿‘Á;Ž)ÎÈJ…5ÓKÚ(1d¾>�ðœ{ûZ„Ì¿Q>3¬
-®Ã±U
,m;Œê*§Éáèï7‚§¯¨»×¹n[¡Óˆè¶bÌž �þ$”ŸÏid÷cvXqh@ú‚DmÛâÄWÅ
èôsÃù£í«Ó:
-kÅAž—v|étå@òó0´U]¼Y¨ß©ðYôsÚ÷/þGûôý…ã8pÜÂÙqöÞÎ&ãì¬d22Îv!ãrÙÊ9#3ûçÌtÙºÌã"{d�d¼…Ì>ßÿáûÛçñyý
Ïß^Ñð%¥Õ“ó/½Þ�x+¢ç«À:C_j=�ä¦DÅÈÖë8ÍT\Ln Íæ¹°†DŽ%‘ÍÐL÷ʵûYÈSEkþý÷•,¨8=ñt³Ô‰¦EP&§!ÉIÆ
ÿ:Ú
ËítüFkû!®9:<ÚMÂÀŒOÅEàg€R&Ö
¿_n›âT�Ë�1ê¾ç·Ÿ[~òTýpD÷ni³Y3ÀÜ–ês¨½”‹‹Ôñõz–bÚzÍísÃú ëgša9ZlÈê_Ö�mO‡�çH¦ª­Çʬû�%!#Ÿ£”ªÂ�÷¾Ù¨ÙÈÕ•ëË�Àå¾$1¹—bT!PÅÚhº¡Îî^Ôˆ6ëáÐr‡Ý£=�e[
]t×w“ãŠóùzmæE	DƒL%½ó\}°�¡·¬ÿ
å„|;®–ÚRÑX
-3ŸÖrÿFíöJÞL–¿8ÁϘ/»«Ð,!DÇ…î<ÆiÊOµSÙ”ñ£ÝT²Ç‘N�#èxîj«»�åuûoñ:Þ֧׹‹»ÄózFê’½Tõœý
-˜‰âüÝTRŠ‡ì¶NòØ]Æ_Ó”i¬ŽŸ_úú‘Å‚¼K‚ΆÇSIÊe°µ{ˆ×Xsë(ÛÜT+ö®ë^º
-+ •QͲƒâ„Þ˜Ò¸.É Ôï­]Wpü½¯vëùëBåP•®ðDÐ8©ôNr°z¼‡ïæìñ6ù]“ó˜Õ¥™ß‡ÄÂ9.æw™þ�ИݺÓ
-…%lÜOÍßc†ó‰
é4Ü´Ê0Kñ•ªA[lØAuâÂØáÑÂ÷>DÙÇ+ø³ûôëófÔÈóÖ)ñ�ÄIw�‹ªè×J#4RH΋‘¯¤ÐÛCé_ﾈņkŒKº·mWfö/…	<å"èq:”$±öñå”M¸уÜVý*Ž¼ù餱Î-ÎcH“í`ן,¬ùô­O­@™˜À<xc´á°2Š9L1.Î33µ±¹sWk¨gç@B¯8ßô+£@™Èv~¾”J©“öJ°ûZ€•0ÉDjëœÑ¾õ0õx9(Ç©Þ8×
}ñžûð»	Ý<#ÃÛƒ®
ºX6�GG†ßd�±œÎ
-lÅŸœ$f_dq_“ÉñøC–C'O§_œ„Í¢z™À7Í°5åAƒí`Eû�Kࣃ„>­Ò„rÖ:«Í·ä—ˆ•Ö’"îJ�ìK4åäNϲN^U©çuÃ̼ß!¿|gbTM‡H³™¢"
1�WK‹pr)*Ó:ô}øù&X}¿³�¼åð¡øúùDÊ’‰‰à†£/ÿ©“€óD-z°,¢L“4G{¨îwN
-Ã磵E˜±Ÿºùxünôqbßd˜[<ÇfÎ@ߤ»Pª p§vŠ,à ÈY·“›Úˆg”þ½#©Ø¦”üëÈ`�…>—âI�¼¤®;p»ï“‚ºúÈÞ˜Ôm}*�Ð÷î7zžôCDuQÒé”c§„Ë/οc�Ö”�N~?¾¨À¦Œâ~ Ò®QR__èeýrå
-@¤õÃo_U¡;¤¢æªe?Z*½¿ÚOæËͦcZ¢6zÓ*î
-€mK1”£»ã
ß:¹�<f:µ¦V.sF»øÎN®õÎîÅEQ‡gŒ�‹uà,�¥vz­!ìuS,ñš#\¥€ª6KѯAÃIá)è˜SX1ïŒ~†‰<& �;Ã]zÜ)ZP=ëN¾Ðºg¼)Q�µ°}¼>Õ˜z_#å*’Ðs,b½“o&‰ð]ÎÎì†Ò¬¦{˜±�ãxÂZ©–\å.ÉÉq™5í—]Í_ã
Ó~wX~˜½UÖ"bg¬%Ì—ÊÉbÙ¶Õ¾VÂ3a¾�$�þ—ì!íL;ENLãÖ[µô(ÁzŠþÐÞÂ
:\¦oŽìÿÞÉðdþÌn¤j’Pïn‰“Ì{:}*PDvŸw*[ð@9‚
-Ô0a¸­¦û[ßÅräÛ%Ó\qŸž]£÷Àëð|O-FêkÞ‹³€'‰Qö.ÊÂTqëÚĵ¦Îš)RžcÀ¾ôßØDã“V¶¢Ååž5yÔLùR„w
Oƒùͳ¬¯ãƲ¹ûx¥óuj2a�™	dêMèaÁxö³]&e9õ};ªÄqÜm–íʳì $j´’V¢_yŸ¹6€W3‚èíRõ�ѹc§EsšN1}œÇ‹”Çžácž!\°­1£�,,ᄬ¨\XMÔ�›ÖÁ€DÊŸ&ë«~9F=Þ'KJk®
-ÀÝÏói<ÐÿiŒö?!`ª¤endstream
-endobj
-630 0 obj <<
-/Type /Font
-/Subtype /Type1
-/Encoding 1325 0 R
-/FirstChar 2
-/LastChar 151
-/Widths 1336 0 R
-/BaseFont /DANEYW+URWPalladioL-Ital
-/FontDescriptor 628 0 R
->> endobj
-628 0 obj <<
-/Ascent 722
-/CapHeight 693
-/Descent -261
-/FontName /DANEYW+URWPalladioL-Ital
-/ItalicAngle -9.5
-/StemV 78
-/XHeight 482
-/FontBBox [-170 -305 1010 941]
-/Flags 4
-/CharSet (/fi/parenleft/parenright/comma/hyphen/period/one/two/three/four/five/six/seven/eight/colon/A/B/C/D/E/F/G/H/I/K/L/M/N/O/P/Q/R/S/T/U/W/X/Z/a/b/c/d/e/f/g/h/i/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/emdash)
-/FontFile 629 0 R
->> endobj
-1336 0 obj
-[528 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 333 333 0 0 250 333 250 0 0 500 500 500 500 500 500 500 500 0 250 0 0 0 0 0 0 722 611 667 778 611 556 722 778 333 0 667 556 944 778 778 611 778 667 556 611 778 0 944 722 0 667 0 0 0 0 0 0 444 463 407 500 389 278 500 500 278 0 444 278 778 556 444 500 463 389 389 333 556 500 722 500 500 444 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1000 ]
-endobj
-619 0 obj <<
-/Length1 862
-/Length2 1251
-/Length3 532
-/Length 1860      
-/Filter /FlateDecode
->>
-stream
-xÚíUkTgnõJÀ+Å€€¸
-æ2�@	ŠM厊T†dBI&	(—
-A@0¨P¹TZ)­`�r1±¢à©¡ 7�‚	V®º¢î
-ߢÒAÆnú>_«·s]$=!®@´?*ÈïÕ‹5ø¾ÆRB¹ €L$“ALˆ½ï¾—m¶[ÀDX\A@¡ÚŠBQ8ìaˆ

®€K
-�‚±Ìá?Ad
-†¡æÁì?ÃÖoᥡ¿Çm1BßXÀò !gþkpt:"‰!Pì
‚½-ö# hØÙQcÿMÈ£(,-žM,þw5›‹�†%0×Û�0’CókR*ãvŸ»ýýG$­mUê^Íÿº¸.+Ö‡zÖË$DT6Z¢¼r\†SèÁt8©‹^6ÈtÏørºT÷•ôâ
-ÿìj3±Ç•”.]õÚÊ|”!‹ð=UøµÒ�ÖŒ><óÍ–­½Ó[âÛtβTôCçšæ»µ×[zŸ°4Ýh×{^sàÃ
ø¨�Ç�›'ëâó¯ogNܺçÊðÄ]ÒÍlGíàihö.�©PXy�8µÞU)�ê³æ×zd4Hž§™¦š=“ûTHfÒãc~¿®‰¿“6–Y2󕇮٘~mà¶,ùº’”•°§ÉØÕ¨í¡5çåÆ6+wé'!äAëGêÚCø¹L}£ÒÜX÷¼
-+¬Í3Þõ$:⻆ísð™±Ä}5§>-k�iw7è�º;îö:g½(ÒrïÐH§¸‰¯ÌJë8ÇÇHøáq›ŽîÛ{Ê&ð?Ð1øö+¯ÀZ\¦äòZ#³uxðصpŠ–©´ËÎÈüKß—Œ•«…¥„¥Æ’hýGÁê�]à}ÕxæáÜ8Æ$#]//äj"Œ#'ØW[¶¬—ÖëõÔž‘ÊútŒ5û•ÙÑz
-i•(ˆË>­=›•‘éèîå¿O#þpK~r Gà3µºïyåÓrä̶±M‰c~êÆqù‹Á	«)á¸�6íbW™ª¡y|±ÑÑf¦PÓ©âÌZC�ä¶ß û_ØßÅ)JÉáDO¥�ýÍôEüà“ß­/%üc94¡�ÜÜ›3?âfp¢œóLéQïPSnlBìµ·Kî	�Ä9¢Òävåª'øÖA�‡öÞ§GÄg‰3ñÔÐõ¨�^vÐNLä«9®›(¯²ºÃ&ÂrÿY¥˜È�¨Ÿzf‚«z7oÛ5ù±ö¥Bï‘“Û~TS,Åòok÷³‚îO×Øð&Ë÷Y]?ï“°èÎú«_FäÏVSyHûd—p4I¾çÿñ·¡²ÉˆµWoʮʈ.ù„¼ÿf±-UqôÁ¤òZÕõ1qã
s)Iy‹r ñt6+ ,ßïÂj�(æe•Å£ê榞úùÔ Aá«p订úSÚ<Ê~ê2^é0YU@ûÜgï¯ñTû„Óó_N’Þ$u?ר—KŒÊýèÕ©SÓ¥Zò7›=³Û‡<õ¤sV–tJÍ*ñÞ�n¿³ßpÛ.öÜùß%ö­kÆýI1ö:Þ!MÎ8Ë�užüt§eçkNÁÓc1©²áb:>iMÀ=Õ
-•ú”Q8íž,°rŒX_”~þW÷EÊÔ”ùÈMCך*wøæ3Z|ZØ[7Ûü2ÉBõMVµ§éJã’¾W¥U
-endobj
-620 0 obj <<
-/Type /Font
-/Subtype /Type1
-/Encoding 1337 0 R
-/FirstChar 13
-/LastChar 110
-/Widths 1338 0 R
-/BaseFont /YIEBKV+CMSY10
-/FontDescriptor 618 0 R
->> endobj
-618 0 obj <<
-/Ascent 750
-/CapHeight 683
-/Descent -194
-/FontName /YIEBKV+CMSY10
-/ItalicAngle -14.035
-/StemV 85
-/XHeight 431
-/FontBBox [-29 -960 1116 775]
-/Flags 4
-/CharSet (/circlecopyrt/bullet/braceleft/braceright/bar/backslash)
-/FontFile 619 0 R
->> endobj
-1338 0 obj
-[1000 0 500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 500 500 0 0 278 0 0 0 500 ]
-endobj
-1337 0 obj <<
-/Type /Encoding
-/Differences [ 0 /.notdef 13/circlecopyrt 14/.notdef 15/bullet 16/.notdef 102/braceleft/braceright 104/.notdef 106/bar 107/.notdef 110/backslash 111/.notdef]
->> endobj
-611 0 obj <<
-/Length1 1616
-/Length2 25067
-/Length3 532
-/Length 25956     
-/Filter /FlateDecode
->>
-stream
-xÚ¬ºc”¤]°%\]v—�,Û¶mÛvuÙ¶mÛ¶m£ËU]¶í¯ß÷Î�;ëÎüšo~äZωˆ³cGìsb­'3Iä•hŒíMDíl�hhé9
*ŠjòÖÖÆvÒ4Šv6€¿fh!';[a'N€š‰1@ØÄÀÈ`ààà€&
ÙÙ»;X˜™;
ÈÿbPPQQÿ—埀¡ûzþît´0³�þ}p1±¶³·1±uúñ½QÉÄàdn0µ°6
ÉÉkHÈŠ
ÈÅdU
-üPˆŸìá}ŒRbQ»š€�ê
-ÏÎIOžŸÈ†ÆGG†{oÁú°©rb¡H¸\@áH#ý~å`óiªTˆTµª¶íõj±úˆ®JÊ9ag6?¯ŒúŽV¤\YŽsƒOdú1ìÓhŒl×÷rYOis'¤l†Ì¡„ÞD´˜?©N¯Æ´¡ÕlὉݠ|kĸ�»í`¼<髱`�[‰ÿмû“ÃËà§tªxZÍÏÖ;zõ:ùé9¨&ªªåó~'`”šXÃâ
-ÅIÕÓ¥¹ªývç	ã'Á„€[ý„9]òrpÈN67W}¿¸v½ÿb‰9rS­e…Z¢ª3cþ4ÑC¨�ªN|Éßï\¨aïŽÇÈÝ»Tº�	E	uFB¾j5ʘö»–ƒP¦êìËM{ÁoÇÂ	‰ïeŸä¨ÇÁ�Ë°
-SÚíëš„âEÎÍ6
-ÞJúì�—ÓU>‹Aì„v<Dp8c±>OÔ-kýsU;dT˜¥wb/ŠJ»Zm
+SØ1Δ?¸™É
-ÜÚ&ë4i¡‘éÁ¾šq±‹¼ƒÆ"ÓãˆÊ<kvoI]¯k�Ÿ™~,g³€&udc
^£ïTÿ9a/g¦$^.·5§i¹â-Ÿ¥ß[Çx:(‚qK;Øz|\Ž¸e¼6X*ÐÍ­¯®i¤h­OsÛâ°O45Tá—raâ4ñT_f)¦!Øøpg‡æëgÆcþ®#snu„Áïr‡1¥—‚uÔîwÚosàðFÉ=ÂÐÜ:ž:�ÎUšelòéÕY󸚉ƒ+ŽÜ×$í¸‡„ýM·bƒI”Âïò´Úê`9åÃÄu1КBP
-31îgµ¬éIM�¬O”ñs¼˜Ù?$oûš‘r¢~çþMsbÙK͈®iA°¨~Ìžõ•ðßuÍÜÖÑMÞl×(qƒCS ÂIe‚�³˜`_ÛZ! Éßé=ªuá83êKQÊa<ÒŠa@<’ºÄkå¤Z¬ºÌKÕj‹ËË:ýxÎðbîsLŽ[‰ÁÅSZªx—b
-“êÏÑ.YÂ+öÉ
-PoKkj¼4,Ê¥È|— ™¨ÔJtªëŽBgžg!©ÂüµœeÏ'ÉV!¯­àlЖ/ü
-'Äí™Õ¨dbÜÜDË!ZA�[NÉ}b¦YŒ¯åsÁê†xÇnLM¾ÍíKŠ¾Ž>žÈXt©æN¸ZxåÓc:”[ C¼Ê”Oû;(nÚã…rZN›ÄÇr¾ui:èÝr’€ÙeGQÔÁØkbÅô-»ÑñšäcqêcÒ»
-<½#Dq%s¶yVv£ge™—ê�Œa…f³3çi‘DûK$TòZ´PÅÐY6i…½p_ÞþÈ‘ª2‹� �„4ëqŒätÆP»gUo†¦°ƒ—!Ýnºº›+\IðÙ#$ä´XžoqºÖq„ìà½E¡T	û”hö
-SŸ:ÔÔj"IL0Îñ̘…°'.^&C†"ëL-¥ºÔ)ÌÄ8>€eE½ÞµO"“?Š,+�$Ÿú
lXô”Qìç
PgÏV¾ß󯾺ý/†YeŸms8q	Ø›ŒºcéæýhJìÊ3/�f�nš´j«¯×à·J|æ_²&uWY*¯QíÇûÚñÃ÷°]Àa°‹«¬’WÆÀ|1Í®ýNQ}Mƒ wïü(ÍçÏ̘lí¨ÛXþ4=40åºîr*ôä5±·ŸN�ÓË›šŸ½%:€šÒ�aªÛk‰”ŒåŒÐ¦¶šu]Œ1õHsȤ$±˜ÌœI–¹6ܽãshÊFâ`äb›Ü”ÞówbÎkŽì}
-iÓT+'d•ÇÒ)�Ý’”£&u:Z¡ºI�Ú³¦°8¹íê6ƒ8ä{+ݳ]ƒVÅ’­ƒYíyH°Fˆñ9¥ú°LD«:¼‘—
-°Ï®€¸§RÏŒ_/‹
kÔãPYqwËÒÕ\j¾\h~ ïbH“³Yàý|Yæ
1D!Ø«Ûæl®ú~ñ¶Â)µ•fFã¡zÁ×à9N2òò¬YPd,´|úÀ£ñÁI
-ª\0TѸ@‹,æ‚rßyäF${ºÓ«±OmVÎgJ¶”KšãOT=µoòaiË)¨­"Vj÷ÛRÓºÔµ…	EÐöüD€)þ¥¼0˜ë÷h>Úg0§c\/ñâI`½Þ:f×|ô"÷…7+JTn³jÅCšظ}>nˌ֗F´–žUÛ½À{
2„á-L”™~Ü+�¥òE©´;úйÇcªËo=h›ù°jbù´òÙ-þYä ébhô!×%­?ÁGûZHƒ�q„¬/ÛJN¥eJlÏ^“1²;#RJ	,2Jß�>êCa}F*#D`©ÈÃùjŽÖÒîÀIhb%¼îV“úBCߺ(?gÎÖ/Ý&ÌŸÊÅž3sœñˆF”ïsÎ�ÂpHŒ÷.“ÉÏ,2Å.!Á%ZïY±Åº,íDÔnDz§
h+ñ¥\�£>k•á„žjß6Ù6–Ô8tµÄ�̤&¢„œ´bú‰|uTè@é^[Û5œ¼N>vñ•we·!XŽû²)wê^½´É¤²�ªµ42Ý´Lä€Ù¡Yú	ó—Y	JëØ	ûNdLªKqHÍ*~ŸÌCO©_¼ìhµz/*«·ä´X)‰F_6JxF¿K·Ê­ö
ñÚÑfî{-wM"TШ`½ú�ÏIÖT;# t�¢*�–<åµ +ûÓµ*>&ËØRªç- Ù”ù…È^çxW÷< 7:‘Q!·tyo%®Œâûûû쀹‚EP+®eöò™«W9°æÓw;ÉÎ,+h³Þ¹Gª‹@näòòõ@JÒØ�fë°¦ t—Xü|®ÃæQ§„÷áUÆ)7jàègœW…2ö!囶:Óâ•…1–‹nðoÉ<¿8¦šÒSnθz²eŽqYˆè»±™á+†röÒãž¿â	Kúi¬-UןWï¬î=]ÀBANmM·Gwh’3«­!²²ðëôˆñ'|¿”�ª¤hŒFÊç˜Mý‘t€ÚèßK³íìËÁ�ƒmã.­«$îU¶Yê‚+[6á•B)»Ý|ßÇzµ¥z»îÄæ7ÙÇ9í4•	øPÞ®	8òàþ¶ɪ­K‹—.èÛi²8ãôV;´6ù¯Ñ®×´v‚r«VÑ/Ø{9›ëžÍÜE
-ËbÑd•]¹¥HTŽøòÆÉ×£½ª!¡Û“RÁíßcûÚóuYÚ;â>BáYÓ.ñ�°
(J¬¨SQ(ÐGTŃUÖxK(Øú¢Æ˜ÔÞ%çó±gäTmÏäÐADÝW�æ¶ó�„£ô°£êî$1‰ŸÚüŒ²ã2‡Šø:TÞ
-ñ¡¤½"žŸè²èoÝ0Gd4äÊ­ŒÊª¤1“ïäõ]îPü•�¸º
-LÙö²ÊƒŒz‚ˆvï“LÃè“Æ©ONw½‰÷Ä9Q9óµôâ
˜×*Ê™õs&B§P&G ‡Iiä¿–žÓîè½À¤Œêˆc­Òئ¼¹!·5â[$µúÙÌZÜ›˜�@_q´öOAš
-´á€fÓ´s!(ˆ)§é‡¸˜Š Â
Mí0Âß<_°7;3s]˜(ª¬Þ)J�ÁsTæû°€½F’§Ò“_íç#¹ÏïЉ¯"#(à×!È¢‹ù£ê%ˆæ5äí©ÍŒ×E¦N+¨éœN¼ÍüJÕuFžCµ]'¯kXOr^!'Še-
-“»;Ȳœ=�mÉl
-RÜÍrgøê3†¿¥6ìL ¾–:5â沸ÃcÃ+©@¨¢®Á¢zª?%ÉȾªŒ¼—0;¿üä耳ª
ò÷‘ë{ÙnHc\æüxôG­qž+ÛG?—Í×ØUϽÞm“G@ëÌÎ
-!¾o]rþÍÄk$­ƒ´Úˆ&VL¿ëŒŒ5úl׿å2•¸((ùp~·¦³t¢
:š3¶±/e…)ÁÌ
-¼ìÇRi¯z¾àuÙ1^Ïм(ÿ¬&‘»�L.~Yú³d'S¡ÅŸÀí�DäNMI@k=Ò
Æz+Ħ2”iÇáÁi´OŸ«Ž„º|¥XÖl³JÅz´”�J{–ýj<bBzRÔië�¾=0(ØMÚä�çÜ€wÀ‹2ËÔkèULyHZ9+}ò¥<w„Œ‡öH#}Þ
cÓ˜ØÖwØš{ä~˜ÂQeZSgØ“›èŠGŽ¥FY¨2Ðç¥ÑÚ½©e¼ì®Š˜Õ
YHÝ
-oGÀåÂíìd’PLB¢£‡ŽPçîªÊà¬Ìî—µ/Í9[¥†%®—ÝßW´æ†ÇñÑô,±ÌZZLy)5œRb;vbçÐæöF+Ã"¬°‚®5»>|ÅrÞ%>‚�‘8É+©;r`HÔ\	�ñ˜²?

Oà<‹Eü·²çs§Ë—…¦aV1 ¨�DV‘J¾6Û°JZ„)¬"·Ò¤úR��Ôü$¤¿£¿†ÏÂÉ‘kaòœ^€Æ¶ì•¯†ã™¾†§†-¦ÅÚüÖÀ	Nó2ÿŒåf„Y�à'È‘»ž¯õiŒŠðΦO"›˜éÈ°D�þ;»VíÛW�¾2{EñUv¡šÛç$‘;ò;d–J9*l	З}’cûâÇJ:. 'IÃ">|–ðs�ü¬ãxAäpñ#ùÌdFÓL
†šžs;ýsùU#\°Âká/mÈ ‘ç1MO=ò=ÓÒ*íÂK›_JX	ÒyNìhõ‹û¨Søù¬Vzí¼-Á×ôûéáz¢˜šVNÜ‹ºó˜»¨2¨¯ˆ
¯{ÄÆ1vˆä‹?™Î¸°Ü!Ç`®ÁÞä±Úgô�öz<ÂÒœ5H¯e¸§üÞ}{ÐûëÕ%F½¬ÈêÄÐ’Ô ¬FÕ´“ºÌYåpMŸ9Ì­Œ<‹PP3¬à’§eÃ=Ò«‹_#
qÜR×AkùD÷¿¨Ìq8ð½þ´kx†”•¦,^yR½Ý/÷EþÔÐ꿲®5Yøífnl9)Pài~ñw
³ÅÐ=Í!ÁwK�úd¢zð‘ö”#ÄöòƳ›Ú#ë·H›Ó;Uy9
ÎãV½mVÔ‡j:>FÌëó��ô„?6mQRIì01K]Yû²vŽå±ÿôU郆0µÜuÈ’¦°3:?XÁ£'ac58P ›kÀËÆ*¶‡¹‹%2G6ùŠ=ÏÏå`#WŒÝ#[ÿ¨XnôÞÒ&$ZcÖàEä�½Oaâ¯/a
Kœ6™ßûÈùÍÒãžú…n…pRÄ—Š+kmÁu¢t½Óâsüü½i6ºÑ÷DtôHaš¸Ç-Ùá.bï½Ì�&ôf+üàâ—@¨ˆK
-†r<›Òâä4€›¬�Å@;ß–/r¶Ì7êÃfA-&Qí›BT8ú¹«î¶Ì”Ô7ºìŠ
Ÿc®Qw¤]“X¬„J™”—·Þ•ÚÔP.Œ¥Œ¸l—üÅpý3úÜh/ù$Àê0öUÃEhº
ó¤
c�lúTmùyÖAr[êø½6cܦ×~Nw²ïe
-«»9ÌÃkDÑÁJ.…ž�‹ìC	­èv¼S³ãº˜½TÁ87Äô’è”íŠeµŠy]8²X§qg$[ŽÍðy}Т¿EZl•õ/UFצ:¦Ð¨ØVô¶¸XzÓÃÙ Lÿ�0�¢Bÿ|Ù@mfBv˜XG…·ØÙfšÃ³”ÖZÔÐ
-¢œõ £‘I½…M©�:l/
?Xã›ìSîvåžÍ›ãÎÁñiM„CD“¬Êòòn[¿yÙ§’	•Ýõ§âCå5ú‚Ò�BäJ„óK@8Uø”ˆã»E}/©j„�ú0ç+¦í¨ànØ É„'[-ÓF­¤öÒ9’f÷m÷BŠÀEE‹W¹PM·Ð!ífòÒmEfïä�óÂmž0ÙK¥·¢
Ì&�L´ß£ª’èí
-xu‚9þªËÁpW×°ì4(Ï2lYa¬�çŸ,¯.‰W<ÉÙÂ$l>©IjÐÉÙí«˜Õ%¯£Ÿ:‡�S5ç½à
-=~‚ŽjÎVºŒˆ·tÇ¢h©ÕØ3u¯º¾HuF�†ÊHÁu(ÈÃJ¶ÕVé„	õ˾M-Èó½R;®mUHÁÌúñ'¦ODÚ9YËZÔ³c!\“;N1žh	äÝDÏ\ý<ãê´0îâv¥/`¸6ël‘¥Ä[HGÊÁnŠ½�Ô¯þM9&*‚G*
^o¹rF+á>ÇÌ«ÜKž¶!TÌœCE Þú�f-ï)Qñô&ùkT4ð®m«ã³!I	AÕƒýÄ?Ä¥7nuPnbîR&D3¬„G
-QÐú
-qÆ~΄‚ô<¥Ên˜;eÞE@|DxÛ³r
AA¢¤yãÃ&µK’6Ìuy¡†’Î'Ÿe²QŒ@ŠõžpÚ~Í)˜ëqúkõX_Û÷�[
q$Ètá+cÇàg¨ÝË)
/~б҇ÂG/Ù¸ÍÃqg9~¼/
-ÑÒ(+N�uüšW6eÿ·Ýh|7%ÊÏ3�™a¶âõqh½¦£.!£*άhz¦@ÏY\@À}³0p…дå­á—Î&æ›Z_õÉi
»û”ÒtüªüD1=mÒ¹”ÍN�òâ‘þÞ»GŠ÷1{« ‰K³Xæ?9¸Â“mÀÏD#â]ì}ê°ù‰ì#à�[—
-o¯–ͳݣҙ�¤`l0CàÎ(ÂŽ%üSCo¤J˧x7^§�ÆJƒa”ùL#pXuAëÞŸ_éB	‘_HöÎI¯ÖÅûµOñžŒ×À=Ç\�èfy€õSUÚP^[—i?ËÀÊäŠ3Ó;Æ>ý¤Åå/íø“›mÆ´†á¢œ5ÚïcÑ÷C핺o@7„aÙˆd0ldÛ1*t
åùÉåq‰.«j¤úÆ·£�HŒ×´V‹xøvw‹±nÉí¨@.éäeó_©dR6hõ¶žXtºfŸ­ñcª81‡
èxXup\ <”m‡Í¼8‹œÆ[ïÜAXAžZ|)W“Ã<β
�CŽ}´_Ÿ¯—¿–PÓT÷tu	W„y?®~£¡uÅÔw}Ÿ‘±þ˜?¡€È0ß«JJuRÃtµ%K½!fi’ˆ‚_/¿K<¾
-{B�1�?6¸T"¾yyÕyvÃÃÊR>FÓåE`FÛÞ-’[K
ü`«Â	m‚áþð`Zê£&‡¸iÍ6ð¼ÍÐ	tRf¾h¶OX¤Š'ÞÔ[ÛÙ
{Öø“ú¶åíÑà¯ý¨_†ÓЇØ'”ÃÝÄÞg»¿�³÷5œT/)yî°ÕânÓ?„g;·Š0ª`×c
mzO¨^ºúöç(ÓçÓÍ×ã€�I’Ö}ÛQ¤™_g%)5ǼÿxÓ7dÜŽŽânqˆ)`ê´ÖÅæ¢GñF¬6È‚�íçmŸãT`»u6J�+kŽ¦‡+Ö3ê~ªdô›™Ò]þAO†ðq
†4Â
…“”ÈH
®è$#c*ÿ1^ïÉ’^‹ÍR¹aéc‚ç'JžÂF°úÝŽH18lVÙë`¨çòö«�;nQRGí\vß]"zÊ°�¼~Ë*œ‰@ôàÀ°··¹K
-
ª`Ί‹šXN”ÀU?Ž¢®ºëÈ5ËXrB0n9½âà!§æ®»u*PSçoiyµÚÒLNöol�U®/'
²ºN�l¾�+
-z·ôÌ�‡oŠ%ž}Áwiô[ªÙ׶K�¸ðWâ^­
níåÛiíèf.\«™C0
f¤: l©N}Vâk¿3Ê[‹æ+>C²W�97û&
Î_lûnú6±pÎÈè?9+Ì^?…ö	z×û±·ÝIÉ*ð¸ãEu…nÄsA´Ç×ñ�^dŒ–kC2^FvBó§	Ó¬Yƒ¸†|óIÔµ%y$¥Í•Èƒ’¬¿BPÞƒúuÓ?fÒrJZÔø¯e¢ú
-WL©,ãõ®<ò¼z8Ø�AÚBgåŽýAf!Òç.P£MX“mtŠž¼ßZ‰^`«-Þè|‘ª<:´N†„£,ûP£—ærÌö)ìÆFSuê‘Ù-Qà‘×®
-õó"KŒŸIF€£%(³–_@k°„j-éù•_"R§‡7D.àúœµÁK`RŠcàÅR
Û¶µËê‘V¡€Â‚�
¾±Ð
�‰ŸV�':–ðê$íôÃDgènº¾Í·ìM‡k/‡&ŽNYúÞVÖ3‚tӾݭæ;["Û‰`Ëk•¬‡~bŒók-<ÓLÄHsH‡X®¡Ê%¨};É„ÞÌ“Äo·ç™HV²[]û:ûýã÷ön±Út‹©¯¼€ x-0å­¤ò3(×|–¤á#¸Úª$xœ£
“µ[=~©øwBˆ¢ÞЦîx´-«’Â@iaéLßÀÏÁ¸ÂD⼑:Ï߇W\Ð&pþkÏ©Èã oyŸHt”õ½ ±ïÞ=_Á�oŠÍGGéhÒ,Õ×fhƒnáô©8WÌU}÷x¸Z´‘8=¹7¡á¿Jö<ÕÞ,’ËV{$wçüSDãéa/²5Uu”åoέ€¯¥ˆáÓhµzxzô
-¹$–CêiHÊÈÒ36—Ôêü$ÃYN‹!]~L�&¸@7}?¾ð,"lº›É[·x&ì,`HÊG‹(¨U£MUzl‚`–”
WÕÓ
ýäÄêhŽÒnÀ>Õåêu@ZcØ££¯$Ezúeaãøg�” ƒÓé4–ÉÇ“³§°Í¹‚:ÚîXì`
-VÉ
-þÌdÛ×Æ€afTœG»¨�Yô÷–h�©>OO•-šsЋÊssBis7R4̶9ñAeº»^¦
l„jÄ×ÝA‡gGE½æÔ²Ñs
-˜íó·ŠàLlîÒ†‹æÛåT<ËplìÍI†"-ã„çòÀÂßѣΰڢm㎺ىƒK«õµ\|R€DìŠ�1Ì­ú¾]³_"ÊD´ÿ(XÆgGØŠ£8ß쟰ì~•}ç#ÛÑWwgTuÝå“õÁçaÀô`�$å=pl6#röìVåx”ùÕ$3ròÖy¼íÑF“³º¡U¯Aµ‡-ë>½X@DDGÈè#æP³›p�óU!SÏ®ÑÁÓŠY³Ö\$rÕ@2À‹
M*à\gûvMJ¢Ý{¼Ú˜‹g¹•¬Bœ7z0ÊËûøÖë3Bý�àÔ9ÿÁ
¬)€dÂ#š‘í¸Š�æ’ùŽ
-Ó.ÕA9tægÌ}Íשº,„+©lñ£*O¤	ÀSWÃ_ά”v©f®åU�’=˜UÕ~r3š ƒÐuãŸaU*Š‚ŽvÚ4©]ÓK™
-dZ¾p?Ñy[Ów÷gcˆ
¢€ë¢ÄEâ™öäî;*%³kƒ`FN¨›œÂò†™:;¼‹!]‘T›°ETÿL¸Så_ß´oð½rÆüR¡ìu¦UʇJ«AnQ-ˆAú(Áµs5\ÐÐÍìB{ÊôÊ®mSì¹À1_!ò
-ò\Rðo·»=ÔÛ¹øÑ�\ñ¹ÑpèžwéÃÜÚ'
->%•¤ÞÄ+QYÖ‹
-ÏÆB:«B<Iuë�k'I¯·ôΣH£†DjÈÆ�ùn5s0˜L½I½\ðî	¯¼õq·aø‹_®sÅ$Ö꩜Ė]dyé=t°P‚Ö¦—3YoÝçÒ2Ëp•ç]Lò2–ÎïOñfÊäNªQJUfî‰8¶÷$ý›°‰¯6;ÑNœd
-sy¦	;«4e­qVðÒ+³R
-3Sùohšý¹_�rÔÝìäK¡„×ð†øs|ÆÞq*.ÏWÏ:C;Ž0¬åmqઋºQïY‹éE•³äßöů7—n«¹u“§FÒUcšj+ÖÔ…–Èlت›EóÖAø»ŸÑôl£”R“‘uEc±ÖÁ2^¹AP�5OçÂQ‰ç‹vv"ÂÊ€ò#Šhm4½ž8•aG¤ZåÆ”VdZ_çEg#yÏ~Ÿ…[BÆY’éxcx×6;ìÏ}ÓÞŽ¿ˆŠçáâ]E‘ü2¾ž@%4öÇ(ò¿‹ìíÙö ÄŠcýö:i–
¶r½X	z
 ¼{VÉy9Ï$»e0¬i)½É£µ'M
JñëVé@ÕNn‰ÜÇs�
-ïÊù´Œ(	mâÑÀh:§ÄIî…¤#/â
µ‚î�@TF9UŒÇ!Å»¥
-dÈM´ë)é sIjªð
-ê=nÓí¹ÝõÁ­Ýø
-›¹Ë×±BnWMõ¦Í;öy‹{?%Zt±þ�ï,OOÑ^:=–çð0Ì+¤‚¹§jÀøñó52…°~©³ák�q	 «Èo‰ø]&ÒWú]½ÃˆÈ¿Ä#aË®5T=�®w),Ûv£
íÊpÿS¿�ÊN-�x¿Î”"AWœ_ÉB 
ÐbÙº4;²4þJqT7ÈÔ% :L’ö·Šð¾îd˃´™�àøÓƒ"e×Gò%H·Պ	‹†Èœ@(<[69j8åjYY0ܺé—Ú·V÷I´XÃL]ÒêpRîúÁ°П£n³k†Çµ�=4Q)óë'�eb”ÕEOþçÓÎÃijW$Ä,=
B‘Å)HS†b@‚ÕIw´«–¨;œÙ\ͨn³]]C�þÃzÃÅH4¯9¦d˜«çï¡~�¬ˆÊ \ES ·Â>VjPÈ7³�ßtë™LËYýUå€(É™Ÿ.à /,±ƒ¿Á6‡©È¾EûÒñ7ž2À�ãYc`ó`y?îð8vØLE,§�öÞµ—'a±Ó�·OjA;9ëŸ"ñ¢m€n
Ü'ùAx:¦–ýÚB|Ãu3ù	â×IÀ†�d”zó—kƒÆ+ÞµN®W:Ëèµ
-]q»Ü0€aTiä1£Ê
-éáIÆ©¿l’ÿè^’ù¢Š6DŸŽ)SóÌà˜«fPˆðx‚Ö7#ø³ì	r	þ0
iåMo›Íƒ(©²aúJ¯­=±¥úô’ÖD›Y‹\-¿`‡«v$H‘óx̤÷DQUïÇÓÑ&H¬<Y¬ýit¹®¢�qû[h‹x^2Öš5^.=D²—Ó…¯•D3Ù!©Ô7¶iÀØï£z²B¿\Ä45ŒŽæŒ$•«e
>†TBî´¼O}]q}hàkxtLV‡EÈ'â<ãÀ—-З¸
-B;Èý5§ÚV1Áhº&”’n­²R²¨â’ûÂáîݤ`^~ÿõÔÖkæ™+r*ý§pÃí¤çÄê6ÓYM~1¯è�š2õºnÕf­—Ž³QfO­ö‡îKïËk�Y.&꯳yÿˆÃÁct�:Úþ9ƒ½Ö@0�.¼Ø›Á•¸Ì`ã:S5ãFRaKl;:VBJís¹³¬o
-…Èäk¾xG%ô_>„�!�ÅžÅï­ŽB…±ÐfLeŠ	“½6Ÿ—‘Û²6Û‡ûÃ.Zñ"#…qCâŸCšé¨èbù';¦Èd߆[]¯
-C!1Yé­—j´“¯~æXØü€6Ë”#WkÉ5·6ƒì"ïRø‰ŠX£‘�RIÌöê°šdÒÁ4%ì$ƒ‡þJæ{ 1ßC:²}«–1_Ž9y÷†¹o™ò¥ŠT<C=”t%ë·ç}ì�²Ha²üÝ
ç�¬uhÿë5¾_+Œ¿žòÚÞ`F›mmàZãrã¶ù¤³T�ÆŸÍÙ£»óZ @|D%Ûw5õl-58kûÉÞͶrí‹æÉȀġô–ûn±áI¬‘YÄ.·äÈ"R½¨³®®c41V8;Mmà[Ë¢ò·ÝHu0”àPMĦ‹Â‘.;¢¯|í/âcb�ÇóŽ—GÛR>BŒÛb}7krê«<Hú€·Ïg†Îq¯Kîý� \—|XY¿k˜ôÆñÚ.ŠÖ§	rõy£çu‚dàmríÝ‚KWe>À¡꓃ BÓwè‰)YXP›Ålè•1«€KD~RSœûÅ™e@eœM=¤®%Õ3– Cw^yQ ä7ô£¿˜e*²»ž¬js»
¯ù‘1'¡Û~POœÓü	T™æ·UFaØ­ŸsA?Áè¼³Þïê/Ã×›Ý/ˆ'xû:ï+#™>ãàiýƒžþˆ¶	âh1CJi•ÅĨ�
0+íˆ	ªä›Ò¼fÓjæ®3„&:b^¿’ž¾>œÒGßzHű�I
ŠÍ2ú©x.ñ)ZÝcÃÔ>hˆj'jV¹þlo>AÇz�ÄÂ_qÎ¥“2ô¨à
-K[¯:€¬'™Êd8Û~›¾Q‡p=Ï|ùÀ™I%¼…„ݽ‰ñ0cz®þª¨î\:
-¤…dÑ}©;ÏW¦ÞÕRõð„C#”ZÒ¦™Kí¨yWòIô‚Ÿ+2�–`Lú,ÇÇUyY³ór"šV†K§ -J˜]È·y[{Ò5Å¥Ã3ÿ|êšœ¯ ¿”ôc‹QDf*dq„îôîoèÛhá”`…"iJ)�׶ë ä²›óI
ç�î%¬aÚõ��»ÄÌð§óxv°i¤e¥¬u$ÕÃ&#ã°˜DËrŽÐ
5JÁ¦‡\K
-7שª'# *Ü䉰,êàZyN·[‘=IŸˆ´ñkZM_vGðÛ}r»Q
uAüN,]/,ò®Å§þÞe•e	iÁ@5¸.µÚŸUÍ…¾¡@£VÍÓØòšDºµóŸ�¡¿Þ0�“­ùyp›»6QL+PfŠ!ÖUDøàu¬OD`k~5f•ê�6úøß8LÀÚ@k×·‘HÊ>†¡d
ÓWRJëð¾ð·eÕøɇ½K¾N·¼Rä»Â±c‰[{2WÇuà
f’úMËù¶[
©r{ûõ=˜¶¸)l-êÇN—:RFún˜{{ÓÈ…uw78§žv¹å·HÄêîØÂ"W˜sDØ’5Öu|ÕRÅè Â6ªK7l
»Û¡7K¢Uå3ãÖ~�Œvª9ŸÐy�è¤ßê*¦K¡E]Øš=I±G±–Åê§d¸H
šÀ;g4RÌ9ÉÜ_›okF+ñÔ]–é:Ž3ƒ…ƒÚP„ÛFc@ ÂÜbBà„²û9o¢Éu›hÒº½†îÒ®(Oq3æ± jn„†ùT:�Óml­:¼ùR¢64<¿n’9VC:Í/§ú&¦S˜†#ë¥ÆØ;"rÏëyBç�øH*þ—_L:T5â‘h˜‡Ò‚$'tâ�^søGQòô¥Ô>Åãe>†›aä¯U#(mÛV©¿•îž$	ž
3•ï|ŒV
¿+]éãŸØê©Q ßÑõ”HûðçNÖ;žò%#˜ªã|žÿçÿgÙp!–ášsÄ
-pŸ�F’�=6ÅÛ!#ï—@rD,‚3Ï�qýS=H>éç”E@
EŠo6ÓµõoF—´É{ÆfS·þe¼…�tUý‚	€½T3d:Ãs2tâÅ¥ù£—3�'‘Ÿ¼þïœ5åºf‘Š Òžû8ž}a¥vàGaÒìš&öðÑŸóó§Tï7f`¸4œîŒDùñ5`+°@$1þš`zõwúŠ</ØŠbwÆ©=²4»*¿Ÿéð7Áãï]&ƒâFã—Ö¢«šºÕ._åÊ
xô*hÃ0è=­®Û¿ Wµ*²4º³
ïù5¦1·AQ�«qe	NUÝÆpW¼	ïºíÃ
-j³
-g+šËœ—al>#wÐ}<Y™ª9N,
-Æ×øvœ±ü!–BEý
-  ývÖ²~*O�O[ƒSÑšž"<&
VÏç…%z-+—ÌU BLœöÙLŽ´¯€2ÉÎ:rê¢ëˆDÚ©¢‹|c`pƒÆjöÎßpBÏ™p�f†²+�
0•øúœ~ÜšNf—B”Ͻ3%ŸØú‘6`q¸z|uéñì÷äŠõ�½;\ü­ã™äÏoŽuÙþ©[@mûäJ	¾ŒÖ›§ßõôyПݜ؟5ôŒäçä q·ãÆ€1cá
-I^Ò€d;¾‡ ñáÇéÈ qC(¼�€˜‹ˆ‡œ=TI'’ÀÞ
‘8Û IN…wJÏb.1�–·º‰M¨–ùpDü¨!�,
-PœQV­•ªªˆVÒ÷ו
…Bu„ïGMO[ãî.o!€å	‹}ºð oštÁt†–n~È"8ng¨Z¬¿£ëz12جL›Î£„iuGèËk…¿,ß[× à§káÃíθuüZ‡V”WSŠ-èÂKhÔ‡ªbpc
ìPõÁÍE]Ûg…„” (‰(VH�9�H#»yªYíäÅÄfg½ùÆ#§®QýÒ.:ÊÎYÖJC–‰™I±I,$„E©Ý÷Ò† þtò
-%^ÔÖ‹•AÖkaÍdG¨H¼`MWÅHâðkÂ1ñëXv¨€®|͹
)Ñ«-òð¥JÂŒí–/tvFGò_Ò¢|óøõ3Cxž™eàM”OÚƒnr�si2u_ð9âs„Ë;æqœœ*PC¹þ¾çõG÷o{$Ü\–@%á  9CÝSUC	¡X�Üë¢8ŒäÇqbÿ_;óØ	(
-ý�=®êÛëë2\Då�ycxÈ¡,ä²@Ž¡z' ±aT‹ê~ñÓ—5ÅZüwÍ&!(ö(§ôªvXñZ0f� O™<1µ(!ˆ’v5X¾—Å|ôqÿ*àée’‰+]ñG߆Ž_-fW¿®<5[’S‘1*u nœ7ï%Ë_X–Π.ÄD(ã‘	¬À“Í~Í=}³�‘|ÁiÃKð¥vK`vÚç%(ódX“ˆ‚jjF’ûdéei×=†UôH³i@¯¬n‡ñ€-Abñ;†¢{î䘦 ÏU_"’®ÎŽEâFò#ôk@ÕÀd㞸þ;»ŸUÁ„éhÝ/vó1/Ž+�U±dê›â¸9!Í`/˜`QÒ¦‘“ä“'Øvååaph¡	]¿ ­õiº˜=&
”œnÍUÉ=áÏ© ‰ȧ%tÔ·eŽi¬×•Wž~
-ƒkkºjñ;Náæ¸TÞI'¹³Ïëi«ý’t+¶îÿÕaV®0.@:›qL#²n|…
,t/Þ*.cL�¢ÓV4+–~ÖÛ—bžÞ˜íð’-Ž&-Ö6ÇoÜiÞR´’¹u“œžèÖGTWž†sû!®Ö<î+`hàÖiá:�?êgǵ#Çé2d3–gÓyž
u'&_ß	}Ù6õäjè†[Óy¹wƒ@lii%�í¤-Á>¡xKäÔ×P[–§#wƒÚcÖ	6¤>’Fï“´ÄÃXBdÚúϽ¸ð‰
-…òW·5Ë€7ö`4N¤ä‡¬m|*5»‚ù–­Äךð�K)î‡Â—äÔhx : ZÑ¿3øÜÊ«1x[³ÒC)°bãèÎñöïg¯m™6v*7–@›xÓÜŽ 电B¤‡îSž×¹`�%lì	¿1µüÀ”¤Òè›óˆ´lzñ¿ÙŒÎ¾ô‚øR�ÒÚ® èZf a?ÙcÎ:F}�"´zKÍ®°hÿ'Ãï\ßRCÍœþDÑ—ÉV†‰?Ò)³1OrÕϼíù’6^䤨.šhíéê2"ß%ÀŒJÛ.üf!”¤µz…§¸JDn.ɤSÅtXP	ÛØëxi9é¡!]o�/ÿ>w®4˜úny¸<c‡†)¦ˆQþõŠ	ÅòåÓ¯gRLfyb½Ú©9K-Pq<e×uê(�ãþDÙ9Ò\-Öù¬‰tÜäüøaB¬w]áɵ8,$J¤Û¾Õп¯!XAJGÍÌA)ª“uRAØlκoÑ3á•FþnVN,ÙÓrtÈNyTAV ÉÒxµ¥˜1,®×¡  ˆÿŒÕ¡¥_¥úÞï"JÌ
-üÖÕ
}­Ôhñ«<Ìû©…ª‹([–!Çø>}<ÓÑ1K×hW_ÏR�xL‚Ñ�œ=fYá§Ðò´¾C“kØqýéGìÊô;šdN„ÄÓÿæ]2˪XÌ<AIÀÊ7óÖI¼c±x÷‰Q‡=Oî$¢Œµw'ž–w³K–ƒ`­ŸIùQê—âySj5ím=r¶œ³#_¶’$4ßÙ^k5ÕwÔȤW¨=΋8©!æ©|hu£U\ë¢9pQáT¬ñTß+’Ö«9u5q“"¦ÙÀNÌ
-
dyéS²Š‡¶…ÀÔÙýëJ”KÏ{¹P
†R~X	ÅlÔ�M®#Í© î"ë"§Qéú§á;×°R�lô}¾ý¼$	Gûêâ׉/^Fz¸¨ËH2Œ˜#ÚåŽ…ùA¦ÛœOl›ò¼@ß->*Œ¦ïÚ+™ßtoõRÅ�™ŒTÌQJÕ¶ì6ɲr9R"})BG¢øÔˬÅ$2³1³Ølç-Ñ^�è(¡ÅhÓ¡Œ[+Ù;ß3ü
9D´8åME:‘®d!V` ~/«9Õ}Ÿ› ŠÖ×ø2¯_Û9LXñ¯e_àqž‹»¸ò÷Tú7éñõû·XȆ„S–¼!⦒8°
TeðA^
¼±BòI�Jj>êŠg¢¤¡ÙøµÿZîôì´|7œ2aMû©0žuB`A0Il}¨2qGÇäïjéØ*O‰ÄoÂö®5xKJ—\z»“‘¾;iñ½Åg59(H=ç›zlð>Qñ
C=µ–Œè/Ê]h•ìý½g½°g–'ì®Ë¡Ï«Rñ:ºïˆMú
ó
RZÏUû"+è¹[Ö7-cqrç,/ÚÝ5«ë©¤¾
-£l×±©^‹Á6Š¹ü°ï.˧•¾§ê#°Ûþ¡ÿ‚#¶•jGÇ£:–¢<"˜ÝsTò¦šâ|¤©$,P&�ê)œ/ñŸ¡¢‘ÍÃŒ|šÐ@J÷:	NwE¬·6$ò 
ŒjM$>pW¹Ñ£F“!ã|g´âà‘âz¤¿†6Ї¶ÐœFbº?uqÖ(KÔ?@˜ÍŠ-®šŒ?œpª¡/ÜqTæ�aéµç%båUÀ#®páWÍÒ”8Þh~fë噇Ãgr£p÷!öžPÕZ›Õ°b­Ûg	áKQðÐjÞ…:ã5ÙïâL+Ö#„÷ÀŠÍœ+?"X
nâTÓ½A’χòp´ºYs•ŸÆÒ-^Œu衘ØRõ‚>x6^êÙ¢W»ŸóìîÝêì}ˆý¯Û{õ�x¤CÅ;›¦k«¤}½FëûTi½qO¦*zŸ_¦¯à=û7«‡Ÿ›‚™üÃÕm•Ó|bñ+ó4ªEx3ÈFz¥U8~ÆW9{â:PÍvzðLp¡ª¶Bä`Rt;ÒíˆU$òÔ{\iFÇ3Q‚á—*@VUÀ’ ûÿbPÏ0´Ë@<̹Þ¦€îkó«HTbëÔú-‚Ï…h„ýÈ_ß±ÊìQ2G�K-c›>©n¶³›ûlb£©‚Mý×›8�`’±{p>eóßá©JŒYJèü›~uä[
ÐG”åÇOTǤùÇ®Ö÷«Ç1å\`ɵÖïZ|¤$ú�Ö"ôܯ4ÇžAÏJóþ¬†”u©×çfäì „ÁÐWc
»…~b­5È“d�•ÁdÕ3+úò
-Ú%þ�t?þ•Û.“±‡»Âé8N©Ï�T•d$ìý+Â@#IÁkè7‘�K—h
®äç‘òý“:fz£QôºZW{Žf—óœè/–×tíPy™“vfÝíùWϸi‰¥š‡ãÍí5Òí"?EîÜÃ"�ÁMŽÎÇe#ø3ˆ¼as6ƒc Oa�îç	¢NDêö«OPÑ8=Å
-ªèQ½usaø°Œ	]�šç ƒ,õoRðcã=Í’âÖ1Ì9�†’!šâóï¸vÍ�ú±V„˜sm)
-¨	T
-¦±8ÐÄ|ôˇóîH§ÀÇvyàùßQ{EÞ²ì+Ðt�BØ/®_Ó"<âýeù1ñÀúÏŸ0•ˆoþíÕ¡”©È+T¡ÌÄwÄ^]{~$]…”öR{¸JóÚÛUJZC:êR�»®D÷¿¡èÙó?ÛäÌnùOx8ºø_
=´‡²gÀ›¿ÀÇi—úþ�€²Ðï9GD®J"�Dÿ{8À±ê]à×^â°|†*²t,„¾®LAƒŒ,”ÕƒˆWxµž­Q�øúéÓ˜‘wð?�þõ„	p¯§q%\¶ÄÕ–ÑB4^xmú	ÛIÚ7E-Z^{08šJj\„
L=ÝÉ�VZf|ÐPÐ=C‚¨¨
-Tà«·ó5‰Ÿ=`¾’½L4柪xà,�ä«4p(s«M(–:`G¤äÁÓHäMMZå#&æË<’®>_T×Wá¹ÂÛl‰ÄñX$+¼[;E�
w'|e•™—šÁûGž)’á� *¿$Áˆ¯kO»–v9°]ë_~'F\ÞZ†�Rˆ\,›JæN�o
	d˺O5VŠ‹nîe¯ötƒ–¹ãKæ/[ıϵæ¨Â¢²FÁË-®Ot\k)e0§&~?eÕj[¦·7ÂN�ȵ°Ã‡öeqŸ"eÁh�þóH¸ßèú+îÙéÍ»}—å²Ï^¶cýzŸNIÏrø6LÆI:ú¾¡kOgºãº+idŽ©|(ê($èNÆ	zëöèù™»ö3®0}ÉñÊF¯\ß3~©ïº÷‡J·2C$ùŒ»¡><:ÃJòUÒgÖ[
-Î8B˜­7Ïß½f|"hªû›
-…šZlOå ÒvµžIœá‚y!S36ª69ÔzíìIÙ>î�¸£ê"ÿÉ©�¿æ,Ì\:ú•¥káýl3ŠèFøÂeÛøp«äÍyRb|*ÅŒdoƒÒX0æ
-¢*J½úBÌÈâí¿YiŽˆÇäN¼õ…7DèÒõÊTÏÔ+~D=LD›ØáŠïò
-\€‚îC+§MYK %ŠT‰Ì³†õìªYžÈ 
œË‚ÃZ®ÄC¤¦NE3ÚóJŽ@óÔaYµÃ¼€ß:ìô¶-}
)„e"vr8ŽSE[�1¶EʯO¯®Èt4„ß*VMëðF†oNéyͺ©P4·åõþ‡à½Øð*¨J\ÛΚֲë6CF	¼q&ˆB\³A×ÿGO@[œ,Äeñ«Ogñâýû+†g}(/»éÐT!!äžxÓ*´–cl²d£­ÚK\C}½ɪSãÌM1¶¡^:¾ë™xxév²à|»ERJ9¨ƒ,:˜ƒ™íÕÜ9	M1²XBÞú&l£@mŠ?œ/§t	�mŠù<š@ÞN�A*õ5¬kütLò‘G?c?üxÑ2—…þ†QáþÃ+
X4-8¬ƒ´›1,©'}úMµÜ•wçojxê¯YÓÄ�6ƒÂ¦Aê/ëæ)׌C"C1d´\ ³0Ñ…L$�œèÒAº$ÞÜr†5<¹z½	¡Îó*n“¡b2“]»z˜˜·àuOR»ë1¼-K7Ö™
-H:¬£ÝÌÅ>´óó™UXg¸X˯¶Ñ®J!dµ‹‡ÍƒDR%9Í#�²Fix384{'a­]EAíÖ
-ÖuŠ»çGù›ý;è~ôs‘ðîsýSÀ¹ò5•»‡9H3z‰ºl®…úÜË¿X¢¾�£á•ÙÞšÜt­¥µQú�h*NÌ=>ÐÏg˜ñ;�âœV�Â!WœãFÂB|œOþàÞ1ø�Ñívm†m¤Bññ¢çI~/ ¡=åŽ.¾ÙÇ�
-#‘nGvL‡F²ÂðÖêÛ‰·ÜÓ¼
ô¡GŠ+®²DCL×dQë (d\õzºŒF£$Z÷c2ë(K§?Dü,{þ^-ÎáÂņ*OQÛ:*žì-ƒ˜ áÉ	¿H�¶H6¨:_Iä"±÷”•
P“4õÅ)‰
“…‘àCÁ�ñæ_ó¶]ví(¦
-¸º	# 7e B�[†âUÚóžî¬jÕ=ýáÃr¶uœÝ^¢$C›ý�‹R Ñœ8º˜GHH¡¹*0û'žtø¦7WëqO~ìÍgqÛÊðI½±Ó4¿&Ï*N�È} Ûé÷Ûµ±rØ
(›©×{Ë>Kš¥æž‰çÃ͉DÉ
-æ@š{fˆp§Ý|Ów\T˜¿Çl½‹,Ï5	‰¦Ñžô·A»BU‡žîýdºC€Ä&­‰
Tå©U牺E�—X³FN(�”•Áþ‚èé[â´±Ÿ0ÓïÓGÁV7PN M4Û)ï®L{�fÅïd¸ƒ: #{ܹo×UÉ�"ÊŠ´ÙË;‰By\ØsJýϽ6¡ãÌ¿6p·ƒTÝѹ©‰ß–8Å4¥g·n�¤O÷“±Ìt)w;»´,#SŒÇ’~Ûä8ùŽ‡ÚôÔ‘¹-´UÊœ©�McfSà¼�Ün�N_Q’K–`9þ
…Ó;mß%P60çdXÕ}ù¢¾ùˆš
ГؙšÜS¥@¶±ûO’øNåÕÈ»LÛÄì
º¥ÞçÏÐÀnø:�“u9ßK¼<]ýC‰Xª7˜’®Lî5º"Åê^b0ä”Yƒ°¤Ü€Fê‘\¿îZ«ya½W¥¡nK£Û}®ÏLc–´˜÷Ÿð„/jÂ!‰÷�“{tOêö¹ÀÝŠr䨂á«l+�~yË?âp„Ÿdѧ¯®—IØÛ�[\.†yO™ß÷þ©îV5ćÉ·gʘ0$:k]ŸÏ
-Ú_ùzŽz¤
ÿãoíjØdN�¢ÌpÄËŠÙ}V{»1Åú$4÷W¨>·XžX)ħO¿A¥Î‡eH €_£§HRù”£ÈäâœWŒè
8Sx+«b
r´½45�Ž
¡å;ß6Bl_r=7�õo²hÑë?=¨þÙÒlW_ûÄAí}ÒE˜c//ͯ*Ú§”Öï~W™áïÆ›#~+(²äXsU§,
-%ó–¡>2 €ÈšJvkƒ·”U·,9£æôåZ8|vz=M"¿kë57Ý@ïÝâPãýp,è†�³MAGtÝ$j¬m�Wí{x9”Ò*S%e\1âŽÒƬü>å"Ï÷ªQ¢²‹6ò‹1Y5Â5M=6;Â#�Ú!×zï3qÈ‹âØøóZÁZ¸á$²ÅcÏC>«xËÿŠQhh2
-3ÔGÔÀp¢m‰-§ÉK’>Í_ëMÒÄûá䘄#–xªyë%¶`7Y�­šÚ6‹È/gôbxˆH‘¯Ò=Yž·uë7¼»~4ñ�ÏÉ# «ÒKÝÜË#æד<Ò¿f:»}Ó¶…�>f½�ïÇy’�‹RzD‡OJvº´›«YK™ٵŵÓ1¿òaïGá•fF âwëÅYi5ð‚hç¸ÿ<‰ ×<Ü)c¢FRÿ6½šAžüføgFíNa¶¼Áð¨!mxÃ7ïa�9`¾6ZŸ7ÿóé±Úh¡A$xMË
-Ê?kwÉu/Ülí«þ¸¾~Øz.!ȵª¼�eìžOrÊè¦~u4ëÅh¨éUEªkj´(W<?cB¬ÞΗâ;Ëp-V-ìF±ÂÞT�‹ý
-ˆnU£
-Þ•…«-~X«Bi’7°ü'²xýzß‚A¨û�;{ØÄ«ƒ´k¨<dùM©¦A›=Tx,!S[¯· ZÜ
-¾)Š£f&oN¢ˆ�¾ˆW-ÏZHLk-–Vú½øCÁ¾›Õ	L˜`Ww²Å˜|Ÿðä
ÓÚHSjE¹ZS8Ù)`„vx‚?Ò#…µâ×ÑÖýù6¬Œ $,TÝUoH¢ÉæYìú}çj¬�O#]'N^S­’ÑÒM�v²F²�‰æ/ÎlÏ|¦›
-ÉŠŒ~è²ý+ÉÓXÑökè/j„Jɾ$‰¹
-Èé
¡HÑìn–y+°,žrËŸÃÕ�ÿ¡æD «¥ºñnæ]B°’97‘¡­õÄ2;mÞñŽgJ–k�fØï–ë²vMQªTX— „¡'ÛIl¡Âw®†ª"KõŠ»×X|EE‹
Ò¶I¾zeËÈó ç(¿Õ|ÚZSÕóƧÂèÎáðÝ�l†6l�kßá’îXDÎ6�¹0«4qi°Qî´e¢óvU!m¬mž¥áÿÚ¶ºþ3áÕBô|eôØÐ8Š‰Ï p©*�i«z
-²æY%U3Z£</ÎÇ(%*%\2ßà¯K<
¶‘Øž™>¸¿~ÜšCÒø(ìhYélÇ9(|ê�íãyèÜâ5l3Ê©±qÙÊe‡úÔaó5°ôCÖ`ìÎÛØ-ú^˜—yiùß³Ÿ98+/=Ê“ŠÛ¯Øp¸f‡6wÉ5ë.jô»ÇE²zHŸÝ¾¯Ž(L¸1D5¬
lSÛá¡ÇÔÇx
-ð•p@E­'‘C÷®¤¸3ä
Ã.#I�Öä�<\úÿÅ°ñï¯i¨>=8ƒQ
-ùÃýÐb‰œEãbÐñ‹Ù>æò°§­p{
qçf_FòèòOƒ�B^/ÿÉÒCÈUUÖÊÈh¯x){�ÞXŠ]¸ˆê\
¬ËZ�C“8¥ï*RJ=ê_õõ-áY´x =¿öçÞäÇ8f“Ù4Ã_!¹0'¯Ø˜Òœ�j]laEqn%÷>+,ßïÇãL˜}lŠ-ƒÊAI��›€£|qé†‚¼©D¶ÿ%Àÿÿ'3#'{[#'kÀÿ
-endobj
-612 0 obj <<
-/Type /Font
-/Subtype /Type1
-/Encoding 1325 0 R
-/FirstChar 2
-/LastChar 216
-/Widths 1339 0 R
-/BaseFont /DLEZXP+URWPalladioL-Roma
-/FontDescriptor 610 0 R
->> endobj
-610 0 obj <<
-/Ascent 715
-/CapHeight 680
-/Descent -282
-/FontName /DLEZXP+URWPalladioL-Roma
-/ItalicAngle 0
-/StemV 84
-/XHeight 469
-/FontBBox [-166 -283 1021 943]
-/Flags 4
-/CharSet (/fi/fl/exclam/dollar/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/equal/question/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/bracketright/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/circumflex/quotedblleft/quotedblright/emdash/Oslash)
-/FontFile 611 0 R
->> endobj
-1339 0 obj
-[605 608 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 278 0 0 500 0 0 278 333 333 389 606 250 333 250 606 500 500 500 500 500 500 500 500 500 500 250 250 0 606 0 444 747 778 611 709 774 611 556 763 832 337 333 726 611 946 831 786 604 786 668 525 613 778 722 1000 667 667 667 333 0 333 0 0 278 500 553 444 611 479 333 556 582 291 234 556 291 883 582 546 601 560 395 424 326 603 565 834 516 556 500 0 0 0 0 0 0 0 0 0 0 0 0 0 333 0 0 0 0 0 0 0 0 0 0 500 500 0 0 1000 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 833 ]
-endobj
-608 0 obj <<
-/Length1 1614
-/Length2 23636
-/Length3 532
-/Length 24536     
-/Filter /FlateDecode
->>
-stream
-xÚ¬´ct¦[´%VìTŒ76ß bÛ¶mÛ¬ŠmÛ¶SqR±mÛÆWçܾ}{Üî_ýõ�gŒg/Ì5ךko2"y%:
c;CQ;[g:&zFN€Š¢š¼�µµ�±…�4� �µ1௙–ŒLÈÑÄÀÙÂÎVØÀÙ„ fb6103˜888`É
-:ÿ¦ÐüÈ­?š¼dOQ7ÿVK
U	¸¹S=ýˆ»ü Ã^‹Y¶>Grù‚£d„)Ó�â~à|¿¥n¾`Ãc™·)áâ6‡.k¨A«!]Ýõ€=Úa
-¦ë;�”K–’+M̦ŽöæOloôRŒÃxcב›nÊ÷‰E·yöì¬ä2÷‹2O$2–b
PoÑk#OóÐ)ä�³%Õ°¹±y?‚E»@y¶žƒtù"ùë÷Q÷«}NC&ýjŸ/Ü3sÑ2?ávƒä­ë“ò
-$>–S²²ðNùMZ,T±‰p_š·ïI­"h|\9¢3Á†¥ßNÑÎØ›õº
-g�ži‹àV–bx§E9Ž 9i‰½nÈ1£Jj^ƒ2‡RÕXªVl©HEç£{qÌcšK,�Ò’øUBÉ“e"LCµb¡Ãü@TjP³óŠmIó~Ê“É[;F=|mî=èMºWlhüqe
-ý<çÃ¥<¿jB£Ö¨å3dÊ‹¬¹â(E¦`Ô9I~�w™s3³…ð›…kdá*~BEoï͹ øÔ­”û@ãfµ52Iì–M™h$�ð+"bÕ:ƒ„€wT.¸Ìôç
-\)êïO0iÒ°œ]¬kN�VôÖ�cÑêƘ÷´?•VHcš¿N�õƒ”ó}Jr¦_¬x©…�U”ö8ꃡšl�g·H^Ò
®·®Ë’—¿-g¥EÁgÚyãMö°‡5ˆS¡ègÛ$Gd|†
èlGËT_~I
-0B<Ú9ˆwÄ”ÀÔ 	S 8)&8ÖXxßÊ�%™ZhAìCp€³�°œÛ‘7¤3omÒT„Ub€*£yú©“YþÒ� œ�?³×y%úÈSÀ}ˆ±�•í@`^B˜X¹Ó£{ŽÖ2ÓÑ/¢d©üÇ´™:fCr‚K9¿mõ`!J‡mÐ�s%heÖ.iY¾®’‹„îêvŽRluÂcµ²
¾1#œ„ÕZ°ª
„.{Ñœ
–åÙ�÷aúé´a¬ü}È–tBy&S{IRšäMUð‹k<‹z:ù�bn!L0OA¦Ÿ›Ô¥7éQNèPIÛF]¨F´£fw<@ڡϱÃV£Dú�¹'v¢f¦ìŸ‚/9¡ªë~bÕ\‘!Q®)!} Hy<«¯ÉM:�ù罄U‰&Õú›gvÑÊi�Y˜6…	ЫTÛ5l¯&L%§ÍøKfÐ'Mm;‘*&i¬t»©{õ¡‘»¼Eíô„ºŠ¶:W)µQ1~׉«5Qú;Ë®�ÿ¨�u\X
-}1„Ü�þöd—Ã;'q^xfÁ;³ˆ{Ÿpr˜ÍÐÈÚy¸fôÆhô
-ˆŽ’sË£(æÙ‰ÃÂåÅ¿ÞyJ¿àdz‡óx¸Æ†hֳˬ$kØ'f
Ë‹ÆŽËji÷¾âs^¥.~Žµ(V¼šÕù�/UÕͼç,ë8Zùt„nþ+ª†ÚÔŸÓüÞ#ð›û}«íí¯¹ø¿âãCB²óÉÂÇ9]§úf+YWý>1kïe÷¹‰ÎÁ™_!†ºiµ¥0ø3§ñ¬ÏpÕëéÒ‚·µÖö€•s[»ƒ»H¬®r/º¥‹,Ã`à‘n¯bù¡Ê;zaêÕ]æmª¥ÈH(®¡t^¶h)È“Üa'ûÈ-‹£R>I½¥°¤‡¢
-î ’³,Ý3Š$0³²+Ù=¾“/PÝœÈ<åb``8�II´;'+nKs¢¾Îº
-Š}-åô²A®¿}—ЙÁIÄ_\ä“�µXi$<Z6å*€¢ø›rùí‹wÊã†Óûø¨ªM]£²8=Is\AÉÕä,´¿góC>5fŇVÛ ?¾l
XáÇü�Ún(ÏŸsÛ‡á äÕÄ6UTX+rZÏlRI¤ÍÒñòæ¢dÇåÊ´Í<}6ýßá‰å`ÏjbL4mà߬¹¹¬€,‘-¬’â\r«>¤®GKÒlRüo-�‰(mºêê²=íJÇ+ÉÇçu…òN«¤ÍAW¨‰·G–Hè'rü
-EÇ'h0ûf›½u›	Âú·[Ö‡DFŒ#³£N1f" ‡Æ�‡�a^ú™º’øA{:@Þ¥‹¯©â26ê‘š3-¾!šƒ»+Öíd²6à†“=0­™\}<¡zJqÀ×@‰?”ò§<ÇAtä^T9\eæÝxW'Qo®éT½/]Šëö÷óô2"¸ÿ4¯¥í*¼�<—|T!/»ÁN‰¡�Ìÿá
-Í
-7)Le³
-£>´lfæ:]e+|çà‡³Ô™â1Óˆ˜Ý?™Ô¨�Tì~”X샘qêZÚ˜�àÃPØo“;îªÞÂWMºR‚ÔmǘK¢nô'�43çwf<ïl¤œŒŠ3•$6m·ü.§�4cPîiK¬}o¡¿’ÖkŠ¾ÝÿAgá発/:èo+éÍÀ0�:¨G@‹á©]b‚ô½
2…í:ôîŸÙXïb÷ùQ_z‰'¾3ˈ-Î2O[g	WԳЀ ªÍçA>~Áª(~¨«Ò¦24ö-æÍnÍ’ÿràŃh…•[‡çûxïm’©#'|U²Ø
-©‘\íú÷´‹e+ér#îi*¦šƒ_kCcõÇÜY%„…)!ç*&³-\aýÓöIgÕJ]g„mÙ<œ‚[
-‡{}ÎÒÁ£Áº
^w(›üñ7àF
-¨áô³¢Á°Û”@“Ñ‘tÈ	:ªópV
i·YÍ=<IžëS™š¸žæ�ò]â
- 
-xvf	Ö„ºK-üÈòÓ%	%%ˆêžÄ~P£ú×<é“"…]HÒ»-Ýè‹¡6	J ró‰Hé‰ÅöG
	´ÇYíI³6uLƒ1CŸkL*”ü`�¹	)öÉÓàOw"ô#ãæê呈Ÿôµ×±Ó“C]ª¦Â
®ÕéA´ºpEs›§EQÜ©µíÈÃœ‚‡]¬Q~ˆ}džS˜U�ƒ–ΔÃÓêìƒ?ÍÎG„(Ò?”ä<b6¦!4CX2p‡y7\"õCê'Š–ÀÖ¹�Ô£;ªÞ‹Ï懖ëwb#xYÉ!õ@¼Ùjiðí9/$
-38ËEOa‚PŠi+|#8ëT5jòT}ƒþ�µ‘W©urãl‘Jq‘¿ý”0baš ¿›ºûr­ÿyþJ½×Ç¢½Ë‡%P¸´ŽKÓ£V¨1tFZÖuçõŒ€eVòZTÀ¼©1,ÔÞýrïQ’H'&€³
-6¤ª½¨ìÙ¼øSïhqS›Ë(t‘NPiÌÌ«¼ÄäÀ2Å5ߣ¼Ê}’*õs
ŽÛµ£ŸzÞÝß4î÷¾9Ñí^îM?¢G*/”Ÿ>#8A$„DzoŠÒÍ­ÖR»>U
-HåSCú%fŽz°
Ö0‘/uÐ&7á ħDjJŠ“Whc*´¤æ3bü=+†ŠMKw˜»u6ØÅ÷
-sƒLÖWçJ £F—HÿˆƒKŽ&Ü 0{ÕÓGJñË[�r/®$®bØ4Æ› œƒýÝÝžùjåž@�r­Û¹¼
-—�/Jš<…¯ÑAî䄘)“<*Êý´«ÿQ06Ôò¥(1e9åëꃬÂ[:
-ÐçaÕÝŒËݲ㳧`RiÜQÕ,¾9	Ÿ¯Oö‹cî•êÐP'Àü�Pxãõs<š€vz;VßLhB;4
yº’yy¿WÆÔ¥{íò)ÓÔèI9äm*A‹4'S½L�óSRÖã�xélôõT›Ëç¥ÁTAŠumq¡Ò\¶‹–‚QÚÚ¹Ki__Z
nPˆTY¾$#Ò+¥êsé
r¡…¹Éš•÷3
-mW?¿�õ÷iòq GN$„Œ£,«m‡*v´ñ3¥qó⌦®ú°ì9"
-�ôÖºX m¶Åh–&î7C
ͱKõæ§CŸáûJóè.qÂ
-Ê2UJþøE³,N4Añƒvº˜…dÍÏʅ𒲯 £ý§)	õÓó´O}*¤=‹�rYs?-JŠŸ%÷âKÑ)tÁÒ; ­-ÑãßçÐ^½Òõ[V?w�„Ê©Påæc
--¹–ÜÐCk4’”ñ•�		yÍâÄøÏÒÖçF§jùæp¼Ñ>¦ 䑧»ÇzpQHªC7¬ó`UGŽËG38å“`¨p­“5Âë]x°nŽW¯�
Aö®Z‘™üùŠ"¿qž�ý11¡é,ÒÄ{j"_p§6¾¨‚t™ÔNÒ-{û·n¶-ð�‹ÿ0ª­úë\À}×ýŠeQ“½0*8á€ÁëÁ¶¡âD
È‹¥¤oü�uÓ/Ëj—ƒ~*oý5|‡*êæyìë·Ãù§ê–t¦ªRU	»UòT^LQê\ÚŠ
-Ä”1zÆD˜¹é}YºB‡üM�+ýÛ6
4§ýõ¡X,YPYg÷‘Í„…®W=É\ݘá\5æ×¥(¥ûP9‡Ž¹?nüî¬åžU1S�£?¸°±¼™ÛÌn{‚ùût´Ù³¡ÜÜ
-ŒÜZž
_n{)…™±HÅ~äõ¢¬ûUsN=�µdÆoOf•Ž*=IbÐ
5ök�}OÏôrìÄy?Š'AkAý1:C:\Ÿ«¾åýª‚Ä\æR™žÇ±Cî
-£ÄM•È�”Ý�»Âvë2 ”s¯ÒP§�x—Ô·Ë.Ñ�ß»PlBwpõ�·‹Är¹U	nyË^cOïŒYù`U9ŒK¼Q¨;õDýñõÐçïÒ=¢4{Û€ó/ê©<x4ºâà8žž ­7H;$y<?žc#;’×·÷&oÄg¹sËûˆ–@‡Ù¶#=
-j²òšw“'%A\ÅëähôûÜs™F˜:\.ž†ãâ'‹ÝìËÛeáQ8önÓÄ4s^;<uÒX¨ Ý” ¦|—ÍËQs-lDè%LPKö¦”ýL-n�ì¿p½�¯W<�ÏRõl³A5bņàF3,«"ârè:ù'Ÿ’â$Iü˜úÁ§7ð®Zƒx(¤ú«%£Þî}.=Æš=Z—•æ
zÝIÕ"r¡ÒWË|LÉ~weèrNsØ©�Ã߶¦|@Lþð+ž¾^»L{ˆÈºú
œÜžÇ<vY�¬Ñ{
-»@¯Ý
C¼’`òdRœô”½Ú�Ã{⫵ϟl­"*åPçË™˜fèL6¼-ÍN–¢I
?ìÑÃd^TÁ«¹ÁzÙÁŸõ
¹Öû­ºÖ)…šËòð[ðbç±L#Làh-Êk~7ƒøÚ�*Ï#åÎt[‡LHY}�¬¤~±R«T¬¤Màø<’ÜV	Ó•’ÌMÓ?~Ër:•äóðÐfF6øÔyqšÝï{€ºŒç&ÌW
-qE� ý@¢,eMfå&²È•K]d'3Ø֦ȼ.’>éOï"\2Eñ1!g‰¼#c7ŠYU2Ï„aF/ÈnÕA$\.ßo(ûV”9ªÉ-̦Qï|\á�AüÑ÷岋ðÌ¢¹¿¹W=ç˜R/ܾà݃ްˆ¸ÝBÀé@+Ï©Éú:ˆ9:î_¬¹«Ô™ðˆ£a#@o©Êè*¶ùƒ‹Lª>IßÕéð'�¬›Ý«±òûÉÒ;Ë·»]Ü[ŠÕs2$÷>LdÚ½	I…Ó[YÎO]’3Ýô¢Óš‹ÉBñéØ)ñïŸ$2bÅß•gD§™R±oçOŒÞtB<Y³¿âÙ,Û¤øm¸tƯiÐWº±ÈB¢Qj8	$9™U¥âÜ?{cΰ–µnå¦ÊxTB…£xÙ°

½ŒzåÙ„bû:sŠ
-�ëúÝþôsy à(UP¶@ÏÙtøU¶_Aû¢0–æ5[™ª;HƒYI:)¾Êö¥”BQ’‡y%~žð”>?ãViNŸ+MSpÑOéwöiOÜøŒŽ·–þδäweo%SD°{j
-Œx%G«M²j}\Do�
-×÷y4䦯|³<Å0º!fš
8ØÍìbH‡Ã“#ý�éAà³I¦K‰
6äÁ
Ó‡wïoy]GÀ …d¸œF²mÒ’JhseoóNÊo¬ëw®†Œó1Á	º–ݱ¨ï5Bò„Ç„  ¡s�~XÌTó•�¶ƒQM0Ûj×
-yrâˆA&¥k;\ù¨%Ëjó´hËŠD¢_hËô\Md![.Fx-¾
M¤¯EaÔµ‚ø­—·¥=ø3l}I2í‡]UºÎE$“Ϻ=°¦s†ÖËKø{²Üó–6
-‰ÎzþÛ?`¦Ù~0*>¼ÏÔ	ñd`F¯ŸÏÀÌPs­±‹ÊÞ‘ÜV;:&¸@Õ¸(.Ša¸�^§Ú³=Ø
-À¤,•S[6cV~'‘¬ÙíPIŒ�x[\6O°2€™}—�Ã@ê+?ßoK:žÎ’�s£®¢|Û“ßÐP7šY«(
¤¶¬Ÿ¹ó˜¶>è{Zå-%_wGpܪœAˆc¾–öGÄŽ¾
Bi7U>•Þ	$°•›Fv,ä¶Ë8!=e¢.‚Í·zÐlÅӋй­Û3!-'‰Û‘9´œcÈÀ]„ÉÒbÉj¦„ �ùƒœûÅ¢—Lulš–y1óK‚@î _’«¬ä˜·ýd#FåͲŒø�äðºŽî‡­'¹–ãÕùF?ýÞï'DÌy$[ ô†_Ú¶²ÝhÕ/ø,¯5÷›ù¶6ó�…í,I°Al³±1¼dûDÔg8ÛõUs<‘þ:çQq?rõ‰–ž(ã¡,у¹—ah¬VúÉ$¬³q¨´l>´A;Åîxõ,´Jo>ž‰Ût±W¨Ù–|–8l�Qy©³,ÔôÉŸü
-£Âiÿj³z&~\M#©pƦ¾ÈŽJ–îÔ|=ÜôÑsƒj•Ø|æ‚%¼—Ž-vQ>];&fxéž´"°O›;a¤
-ÈÒÏ[ÏvXÑ–P‚Ã,„-l9Y°lÜ°mšõ?=á»mzÉ„=”ˆ·m<kÑ�-î‚=êN‚xmž7ËY�I®UtNrö¸-§ Ç)1o“eï:4n$í¢^§à·Õ&X’6�Õ¡’DöT¦ˆK’�¬ßJŸm4#|æCuRŸFæâ*—nC.§qVL±L~µìär2#ÿñ‰`™ ¶„¦ä‡ŠÂ·ÛO!ödÓQbÙ´Ó]¬�…YB¡}fšpcsP>æFÿfÍÂ�ÁÁ
-ïrw I¼oß	«tB·8!Á…Ë1÷º‰Ò{Khdä�á×wýÀ÷
µcÌ”;nvÑÍ]2î.îaI^§„²¾(m6—õ
-ª\§c
-žx@ôäî�?MÂ! ÊDEÀÎ�Œªµ¯Ø‰»sAí×ÅáHP(äN°©¨ÆKPîpÅj½‘’…µòù�?�6¹oÂÅ
-eÀa)ÛOÿücãNox�søpž„I™�ú°VÐ?E?¨ÃÁÍýx*OÒGÿ(òdàõ…¦“P™œ´i@#yh´ûíBrãùöj–=µÿ2³YõôËJ]Ä÷–� 8SŽ hR8nƒ@_FœGŸKD¿HpÓú¼W†Å~¯eÛõùVnÀÕ‰�gš�ˆžÃYUÕ:bDÛPÕ¬WÒ¾ð&
*l7¿«÷šÆÀº2jܨD‹®¤¢U"}œö´`@Ná[¼<|o'53âÁ”éÇ|D
-®
KŲš¦ÉØŠ.9iÊ‹eÄaÆJ났¹;8cnû¥³k•‹é“Ç·•€A3×,òÍI¼Â¶È\Ýç¾£SnžÆÉŸx�Ì^³5†‚Œx¼)àf&s8䪯3oˆx`¡‘uZ£Ì|[×I�©]½˜y!êíQkÝÚx?u<H}Ÿ@cà¿­8Bíž8Ý|èv_-&óÃ�qA'a!^�9\â¨9c´†Pè¯;ýa¯fJ]ØGæ;Ãâwõ"óRÂoœiD†B�ÿ-Ùá\eú`Ú#Ú§ûéKioº?‰;1aÙo(œ0ÅM‡§f™fI›lút+mÚM²aI.ƒÓ˜
ø4È+¤Š½«jH&8íQg€¾³vO{:,7‹DåY œV˜“*:ÈËhÿµ{Þ,ó°,T« Ú¸ [ìÆ“:ô¡½¢ëÎØ)�ö=ädI†£âÁ³{­ljëpÀ'…Hxpa¬_²�*ËGèw)„eé±Zƒ4ìDtÀ™pRÑ�òßë›ïö%úYÐCn‘t4¯·.ñ¤�8I†¬(wÂÓÕO�ZÙ`–°VÍ'¦¼#;¶&¿*®pÎßáeÙúó³«ßÍMzã©~…Nö��38Sª\$	~°2¾ ç „>Z1‹T¤Ç£µxTXyºp‰�ûFA
"+à`¾cSŠÈÆìFólB8ù̽ÿBà0Ù“Ä°¯Ò•ëv@f‹rTкæõ$z¬�ë�nšÑxB}Dkú«(‘:qDé‡{Ð-ÝcÎUë‹]ÙÈ84«O+S
uY¸]SxN�²^º<ÁŸ¼¡h*"oH<ËD�·ù~å~×^
-t4ô:G
Ýñþâ?žzúcÊ7’zw
·
¹ÓñCø®µå¿½ÇYù¾™àfiÁüvš†�KÓ¬Á¬óÓ+æw"#ö\ƒ3ž€ÄO
$
-m(Ò‡içØÊÎ÷žû¢û­r÷ê
õ�lUH:н!~†^)V€ÈŽñ+‘cEÓŸÞq…Iù+Pús†�KèŽ\ké~îæPŸ ‘Û¥Þκ»ÓG:NfzŸÊ±QD/ˆ•åòCv’•B4BZèß(¨;9Øt™‚)•Ð‰eõl¿ù”:…1·ŽXð.!rElŸ_rŠ¨.éØ)ˆ®=ˆ˜1³M�¸iË
-1ëtƒ…fò=`j¿Û•Ñ$@uÃûŒnó>¾“^xòÅIt¡“| ½R±ÜBý‰�°î­b}ÿX{jlîë¶ÀØ$›@î¾”…þÒ‹Öôò"§xä$²÷
õ±f ðüBL(ØÔ{¤éþ®÷³I0Þ€ŒjþSx–©À›†ñ¢NÏŽ¼…Çì{yÛRY	˯úyÜ
-4³{uHA-|
Ú­ÙI¤³ò•|àVO&ÅV½z›­
WŠ¨h½�*Gn�®ÁŽG¸	Ë‚Ü‘�2[j<ŠŽrãOYT™ª
-8-¼‡ÏáЃÜ;�ÑÇ		úõt_ÉY2†o|È%wm+u¦ó‚ÍÆ…bÓ]T—0£) c[�òͱ¡ƒ™>ãUaéLP¦¥.½^
?Îâfu[¸$à—+¹õ0£26”��´I~ˆ?Ù¦·÷Pȶþ lTÒeüU§>†¿Î÷Ü™‡´@΀ ?E:^
-H§²‹#ýæððý‹	p!ÒUÈZüîjx_—ù%φå•Ü¥öË+ŒR=¦ì’%§£ Û¬´pû²ñ1æïz¬ÏÞ–*'¹=S˜Ð½ÐïÑE5ò“+† çvbñ«Z½|æûWÅh\†c¥ß%ÃMî_~…kØ�ÜÖAÅ´gíÜz€hlŠºl˜xÈ™D{
-¼¢»þ~%áu>V 4"ü‡úËj芕�å÷ȳ±¨[�Iq £$Ýrà7SåE«Ðš*Šñî"4†è€^éFÖóˆç¨0粒W
-zÌ8Þ½ï¿ð™²Ê¾¦MvrBU½Ú�iÊ÷IMÇ°€AÖÕ㼈l5>”: «ªRô‚Sì„aG=ÏY‹bQL6vÊ#ä’ÁÖB!ÒÇ}tûjÃ*Ž
…}›ß)&äµmųâ¥Y`í©ÎŽwža²™ÀK±Æp
S~.?"&ƒn¥f�éÂ'ÿög¸IÌP©fýNhKsfbôùÀʆ]ÐôtodQÔл]{ªš|AtµYჇóÛð`§ÿVæú²1Á¶²)¯›&)_¦é*¶2Ðýÿk¿û"q
-º×ª3“�Å—ߎŽâˆ¡ñÆÔµÝèç7Э¼r-�ÅvÙD›?VÃ$ Ä¤èA®*©ø×Å´T´úI Ê<ZdW€~a$a_¯ƒêÊ)­m\<x§Æ�Ó¦%([ÜûºæÛœFA�‡2�ª<¥bôˆ°Ò zÏWoÐYEÍ-mEøƒãPí&c´†DLkÑTÉU+]°¤•@ªôfEræQÖ9‡éJÁ·÷AÜÈe€W°ëˆ‹³—‚øæÃí¥a>ÞS‡´š„iÕ(�SG¨iÉv-Œùñ^•wy~YâoCFDjªÚ *«Š:È+).ØÂ%5ÀA$cäo•ûçày©<(ÔiáF²x¹[�âzâwÚcêéJ¼«1þï‚yŒùö;CÆnôÝùc«G€°©Ð%×ߧÌû€YCF· ,”¢K¯†á:ö
Oܧc~Q´º2G_³é^’¯–	çZØ©ŠÎéß	—ñUÖ�D+'­h&˜s‡ð|bÀY‰z�(ÔV½Œ\>O¯*¿h�g\§‰ºécCN0PèE¾7˜£ñyc
!²i> þ²s„KØÏêÅý3¥@´/}P$UR›iÿÖÝJ¼Žü=„[u5NE#$Afë
Å~ZIß iS‰Î§ªN
-jØÐ1¯ö†{•¼Yq9¾(Gn\€óüç÷\¹½…X
ÔØJS~»Ý¼8½!´wf›Êmñ¥ä�xñ'‘>ÝOÜS´�y«(Qm¥fëæŽ)ÊÒ™>Øàq
-Z_~	§ˆLw‹'¦Õ!ࣾg•ÎöÂÊo-ÊåIUC5øÌ3�î_Å�æãœWÜM1wþ
-’ym™Ëx· ÇQº‚woƒÍËÝB”ÄÄôµÄRŽ“õ™€˜!¼kœÐJS›þ�ùÜ1ìor=÷×4~:ž
w%9`_X¤“S«—Yºõyî×+DȨfc´€i¢ó÷-£½Nj–Ëü7ª³YY²I�¹ãïE#÷$´9�†«SHŸ…~1!Ž¼éš8Fâ¢ë³¸+ú÷sÖÐM«#_5¯Vohý¨#”Œ²É†‹]^ò1¾µÀ×ö-Þè¿Pj÷+£û·Œ4ƒ`+aü@Õ�Ù¬Çg	­DîÝyZuMÚÆêUŒÛÍoÑåÐ2J‚‰†ÉSƒ–Ò?´“Oµ€×0Xp•cb/s	2oÊ5¡9é
-ÑÎÚVŸ^ƒ�Kƒ­›?ü¯ßpkŒ’�eWÆÆÌ0&Õ¶ósDbZ´RÎbµ�7w¾RU&¿’Sedwøˆl¤z,
-‡Ê{�f|è	îo1ì#� &
‚B¨zµ5ëÙRjïMîû›8Ï-~=…Šä`jÏ�î´¡æ?%/£Ä¾kÈLÈú
-F⣌µLo8¼´¡©G;8+·fŽú	Ù"üs9\«3±J˜½B!ãyPDå«1ˆ`?h£™†¶uŠyIì.ðøÖ�y\Zë~oQ½?ñ†PuÜô¶#ª}¬rÖ‹ÿ™¿Ú"¡”eëËz4¾^äqáÜõÍŒj.lC$Ýágá£Í86œíf;oóØÕºuÁE~ƒöÚ SPÒ<@_E?"tV6Ð`)c<›7µ‚>Žù™BþQWGœ€V¯´é-Œ€W>רQ+—Xn½ö½'B¡¥Ní�nOot²
E2}T™´ý=·È4ʬÃÞŒÁ™<z"ðZÂ挨ZoªvõØKª„(w§”Ü°YwµÐÿfs|Ú¸¬7ê†hØM“)U¥Šõ�Yê÷©%>×.\á
ži¨Þ
-)JqÅ#IYìÍ”@‰:ßΘ5«P×$‹<MÂ’¨?—éžú¤¥k_Öûe›Óýæä›úôc/Ö	!Ê“0n£�ôñÅ´QŸ-Ï–õë_HIŽY™Q5*+«]5ó1Ç€VÐÍè»0Øá&—(I³Ô	ªÐÿþ왳ºmäû{S5U/:c:ébŸ—þ¾ˆºÓE±µ³ö®n‹80™Á²7ïN®Vw¥bâPKZ”ÀÃYmšþõo‡ rH¬r7›ÉÍ—R,«SSG
-Fù‹#ú&ܦoˆúåU?úßê|cÃ&~ÔÄ̦!bƒÙ`—¸öŒ/³çe…ì¾Û{ŠaKôlv©oR.ÐŽÈà�
-ºã°öŠ:‹£“
-0"&†û× çfZ’@æIž†Îø)HPœï¨@Q	çíóÓ4.¬‚cüÊ-
-c<Q€§£¢ÔÆj0>±Ë�ˆ+C[¦únϳ;»#m6»Ï"çùO» 
-’²ÌË}¹½_?&¿øxËòp€¯ù߸�E~Ø
-,ãÉ¿ÃíH
zN…�{d)¥¥ETWdKÍÔÿtE78¯äÞ¥�”$šÈöHE|eÅC.›ØcQ’>¤Ú"蜷¬F±€ª‚ý¨	íÁ7S5wHdQÃN�Kó¤þ:ÓEk�eRÅ%lE®Æ€kgž,uxÜšYó;
½{þÄ”hûZ}‚Èc3T~±R Ý„ÈÅCV9ùq "ƒ„ÖiÃ6¯–�„þí>yÑQþW²„ïàÂôOÙ¢NÈ…¤l¦[ÍÒÑ�ƒ
-(�&ì'¼ú!Cºüœ¦¾à¡ÔÊÍ¥¦£)@Z¶
-ymQ‡ùEJüw	ÄR¨ã�í컘2Þä	K©žfå؉;>»‘F`[}‰—T°D�—z#†!ÎE>JÆ�ýû«¢GÅjNýÍóNÉX�«¹}cçrõ�ÊÉ
-ᔇ֗}šõÜÒÆÛð§ÓDJEìVê©£æ-�yœcÓ‹fѺîÚ$Z„__SÃU@äf g¹]S
-Ö}ß‚TËÔaEs¡×¦É’÷ÍïW˜›D_¦I*Èé%NEûneÄM="%„/R¼�·ÐZ.	µ
„~O¤‘X?ÖÅlqŸja·ƒ¼Ø‡
EÅàÖÄÀ�#à¯ÔI
-ÓŸ3ËûÚ0ƒªþŠßMHó:íˆû9)±
Ñ�°ËÔZpCCO©Ãmô©ÁÌ…Ø ýŠÄkÕâòsͪԱáx>¤-žÄ“@÷Xm“†¼<ÿ-q&|~�y�­!$
-
-U�,"ÿÃaádB9.°Üo˜bLSq�ôFâ`6]ÈÐÀq»Å‡\=Zo�Þ÷
ìè¥ò
*Ìÿƒ²¿ø­¬ºÇæL„ÛOþJÕÂe=C~-QΡ"�j”Ö+Иâ IV’ïQÁ€¾øˆÕýÅtÝ.†¿Ö6Iþª÷-_ã¤ÃoE,ï	==lS%&sêq�Á2.GâÑMžµ�¢L•‡Ä!çÛG
-�vÿüE¾yo–GG~õJ¯qL|<OÿGÞc‘]°Dá–Ç×6Ô(=Ü¡Ö»|—Îh>ÎrþRCí-þþxD�ÔOà¢bl<…x{ô¤Œ^SýX€I(ûÕú�^C¬ßztÃÈÄEˆÜ€U½z#óOûÚ>ôlyV–‡D!9o~‡ª¶õO_
-�Àð`LD¿ Ê3¥/_›ÈÄG¯�mמ
-üÉÅyËu3�3¬ˆ‘xë¬;çcÖ6ì{ÈMO¢�×Î sm­z!'V·bs„ØÊÊ ‰¼«Óú¹r9h†MN Ï3¨UNíÃÄÇg5~Sô‰›Z`›ë\áRTyo´e�½M9飡?¯tïhŠÂÒ¼
->/Ílú5´Åðþ®�"êø7\ׯ÷�|$‡a±¨|Û´€¥µJ…ÅÚÆÞj.LW}[?T$áº8Œ:2ÝP>ά‚™ûU¥¥ƒ÷Ÿp¢óóî³cví¶4¡dBòâo7£ÿL¢½·ˆYP�ˆÂ`ÁÆ’¤x	é³q6oÒ&ÛYäAeÎ…üï¯*&’•D¿9Ð?\€½îØÆ,òÌXuÏ
-vŸ™ëÓ¥ø|ÏÆ_Á¢%6¹H[aÙ‚�"ÆVCS’ºE&ˆ<ʼnœjpXL2©÷åK^àû>“=m;›	ètº
-€êp™ž	.#¨Œ‹ÐtºjQ�U)(&N“ä~oqžt½$Â�/zÚp=íåKÙ˜aÜI@»V9²�„ŸÜ;yYùQé9 ž]wwÉí‡�z]º‘ðè×Jø,asÊMötœ·í£k'Y¨&
Ø…l¼ð©£$Qºyˆå–ÖÁRõ¬L[dÏpJi5Cª¹_
-ùT�Ql”ØR=ûiÊ�Â'ÿîYs�ÑqŽ¥ßŠyœkì…öÝ]šðnÜÓÌ.ÊÅäDÍ
èûGˆbÅ7üZÕ?ñ‹Óvo*“[óâ~Q“ØÚŒ=e8–GoV¨l5笹Ä)µ‘6@´�Ó¸åwû¨Í·Rùüdr:¦:!Û|Ʀ�\®Q>¢éÑ	µvЄªSä?‰7Él§ßçáÜ�Í$?4Ý°rúôžM8¼TP-­û!–3Y~ºÃy.@Îá™ùÃqÌÞØTSôcËþž«âÙ"¬D
K²}ONñռפ�Åí1nD˜WÀì%€8?!ÂýZKö<Qîßn
6G³e#ÐðÆpþM ©,zæ㺄éZb/1Ö|?vœ…6$œ=bñLÍ&‰X¶ïbIkïÃU3le›Léö(4ë G�±N“$³@7è[ڶ̳í!ÞѦ_áHòµö¦“Ë®ò`'jñïズ�ð$^ú`òzçöFwy£M^;aL"ºŠ›è5¤¨©ž$FS×>Wž™r2Õ›“˜N‰¢ÕûaìÈÏÕZº¥‘ÉpýwñJ”ŽLdý^âZ•ª“ÄÇÂæý‹`+3~×HºZêM2y©óòçkýMÂi×7kNÝÎþÂÆÅÞ9›.\yÄAñÃ0ôÁ?FÛ1’¿ãO™
-�ÙIŸºßj¦U©%<TÌåÔcU’PŒ¿(ù�ˆ÷³iúi
-Áê(ÂÙ:æùÄ1OÃ4móGi‡L¥IÈóÒŠÑ.-Дæé(ÞQ«çM,1€°Öí©!8
A“Õin‹OØs
-&ìºnDE5h—ì�-pûEùÈ,½�~l{O9ÆöX™LC\å&½~¾ÑSð@PµôÒ™ÏÕO¢\wP7·—©XŒŽ�€¶{î½|Dl/Ù¾b6$²ÿ¹ÑÜ­)·72¾*@䯑vû]Š°™ˆ
-óº
-G½n�=Ênz5Ù‹ðþÑÂpAëỂm[˜á£D‡ÍTñž7µ™i=ê?5T×?+Á¾¢èÞÍÏðÃú룈É?m
-õ#=eqy»`
Î!o4Y6g
-­\^Élxχ¾PÙ´[äS®ãEhs�ŽаÂÜ]5:zÕÐSSœUÌï�^�F€kv»¥’ ã{'˜áÿ¸´–1¼Mwô‡
êýê�'‡u-ËÅ1sÜQ&
ö¦X£…#!z×è‡_QËsŠÑ•ÜÕ_‚ÜS8^íÞÙLóŪUµwg$T´8ý™Gÿ¥`ïç4ß$.¢ŽüpdÞé5¸á-pÏÎH¦å’àRm…ìÝÒ�€”S±
-Ô¢æ–[¶Ø„K'�ÓÉåv;ôs'ˆdž�“¯¯uè÷–WhU/RŽ¨ËöÓ¯�%ØãkûŸ-ò„Ï
-däœ|UNò©‡Ñùƒ,Ÿj˶ÙײèËæ‚,L�yªpò9\åk„9ð/U o�w
âB+Dž^ÇC…óíò–ý•H½‰½ÍYáˆR]SžÈt
¦¢z—Ðݶ”ö¸2
¤õ·´ä¦ƒ¡áÉÜ’ë
-‹@�jv!Ò³Á“ì[�È.8°î§*[®yåZøóA’3®ž ®0þ—mÅ2›�¯Íµ7k_°±­¯çÿg¨ÿü¯
-endobj
-609 0 obj <<
-/Type /Font
-/Subtype /Type1
-/Encoding 1325 0 R
-/FirstChar 2
-/LastChar 151
-/Widths 1340 0 R
-/BaseFont /EGARIM+URWPalladioL-Bold
-/FontDescriptor 607 0 R
->> endobj
-607 0 obj <<
-/Ascent 708
-/CapHeight 672
-/Descent -266
-/FontName /EGARIM+URWPalladioL-Bold
-/ItalicAngle 0
-/StemV 123
-/XHeight 471
-/FontBBox [-152 -301 1000 935]
-/Flags 4
-/CharSet (/fi/exclam/dollar/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/equal/question/at/A/B/C/D/E/F/G/H/I/K/L/M/N/O/P/Q/R/S/T/U/W/X/Y/Z/bracketleft/bracketright/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/emdash)
-/FontFile 608 0 R
->> endobj
-1340 0 obj
-[611 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 278 0 0 500 0 0 278 333 333 444 606 250 333 250 296 500 500 500 500 500 500 500 500 500 500 250 250 0 606 0 444 747 778 667 722 833 611 556 833 833 389 0 778 611 1000 833 833 611 833 722 611 667 778 0 1000 667 667 667 333 0 333 0 0 0 500 611 444 611 500 389 556 611 333 333 611 333 889 611 556 611 611 389 444 333 611 556 833 500 556 500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1000 ]
-endobj
-613 0 obj <<
-/Type /Pages
-/Count 6
-/Parent 1341 0 R
-/Kids [602 0 R 615 0 R 622 0 R 641 0 R 658 0 R 669 0 R]
->> endobj
-684 0 obj <<
-/Type /Pages
-/Count 6
-/Parent 1341 0 R
-/Kids [676 0 R 686 0 R 691 0 R 699 0 R 709 0 R 722 0 R]
->> endobj
-734 0 obj <<
-/Type /Pages
-/Count 6
-/Parent 1341 0 R
-/Kids [730 0 R 737 0 R 744 0 R 751 0 R 761 0 R 766 0 R]
->> endobj
-779 0 obj <<
-/Type /Pages
-/Count 6
-/Parent 1341 0 R
-/Kids [770 0 R 781 0 R 791 0 R 798 0 R 805 0 R 818 0 R]
->> endobj
-828 0 obj <<
-/Type /Pages
-/Count 6
-/Parent 1341 0 R
-/Kids [823 0 R 830 0 R 834 0 R 844 0 R 850 0 R 858 0 R]
->> endobj
-878 0 obj <<
-/Type /Pages
-/Count 6
-/Parent 1341 0 R
-/Kids [870 0 R 881 0 R 892 0 R 898 0 R 902 0 R 908 0 R]
->> endobj
-921 0 obj <<
-/Type /Pages
-/Count 6
-/Parent 1342 0 R
-/Kids [915 0 R 923 0 R 928 0 R 936 0 R 942 0 R 947 0 R]
->> endobj
-965 0 obj <<
-/Type /Pages
-/Count 6
-/Parent 1342 0 R
-/Kids [957 0 R 969 0 R 978 0 R 982 0 R 987 0 R 994 0 R]
->> endobj
-1006 0 obj <<
-/Type /Pages
-/Count 6
-/Parent 1342 0 R
-/Kids [1001 0 R 1008 0 R 1014 0 R 1020 0 R 1027 0 R 1034 0 R]
->> endobj
-1043 0 obj <<
-/Type /Pages
-/Count 6
-/Parent 1342 0 R
-/Kids [1040 0 R 1045 0 R 1049 0 R 1057 0 R 1069 0 R 1079 0 R]
->> endobj
-1102 0 obj <<
-/Type /Pages
-/Count 6
-/Parent 1342 0 R
-/Kids [1091 0 R 1104 0 R 1114 0 R 1124 0 R 1136 0 R 1147 0 R]
->> endobj
-1161 0 obj <<
-/Type /Pages
-/Count 6
-/Parent 1342 0 R
-/Kids [1154 0 R 1163 0 R 1173 0 R 1184 0 R 1188 0 R 1195 0 R]
->> endobj
-1227 0 obj <<
-/Type /Pages
-/Count 3
-/Parent 1343 0 R
-/Kids [1207 0 R 1229 0 R 1286 0 R]
->> endobj
-1341 0 obj <<
-/Type /Pages
-/Count 36
-/Parent 1344 0 R
-/Kids [613 0 R 684 0 R 734 0 R 779 0 R 828 0 R 878 0 R]
->> endobj
-1342 0 obj <<
-/Type /Pages
-/Count 36
-/Parent 1344 0 R
-/Kids [921 0 R 965 0 R 1006 0 R 1043 0 R 1102 0 R 1161 0 R]
->> endobj
-1343 0 obj <<
-/Type /Pages
-/Count 3
-/Parent 1344 0 R
-/Kids [1227 0 R]
->> endobj
-1344 0 obj <<
-/Type /Pages
-/Count 75
-/Kids [1341 0 R 1342 0 R 1343 0 R]
->> endobj
-1345 0 obj <<
-/Type /Outlines
-/First 7 0 R
-/Last 551 0 R
-/Count 9
->> endobj
-599 0 obj <<
-/Title 600 0 R
-/A 597 0 R
-/Parent 587 0 R
-/Prev 595 0 R
->> endobj
-595 0 obj <<
-/Title 596 0 R
-/A 593 0 R
-/Parent 587 0 R
-/Prev 591 0 R
-/Next 599 0 R
->> endobj
-591 0 obj <<
-/Title 592 0 R
-/A 589 0 R
-/Parent 587 0 R
-/Next 595 0 R
->> endobj
-587 0 obj <<
-/Title 588 0 R
-/A 585 0 R
-/Parent 551 0 R
-/Prev 579 0 R
-/First 591 0 R
-/Last 599 0 R
-/Count -3
->> endobj
-583 0 obj <<
-/Title 584 0 R
-/A 581 0 R
-/Parent 579 0 R
->> endobj
-579 0 obj <<
-/Title 580 0 R
-/A 577 0 R
-/Parent 551 0 R
-/Prev 563 0 R
-/Next 587 0 R
-/First 583 0 R
-/Last 583 0 R
-/Count -1
->> endobj
-575 0 obj <<
-/Title 576 0 R
-/A 573 0 R
-/Parent 567 0 R
-/Prev 571 0 R
->> endobj
-571 0 obj <<
-/Title 572 0 R
-/A 569 0 R
-/Parent 567 0 R
-/Next 575 0 R
->> endobj
-567 0 obj <<
-/Title 568 0 R
-/A 565 0 R
-/Parent 563 0 R
-/First 571 0 R
-/Last 575 0 R
-/Count -2
->> endobj
-563 0 obj <<
-/Title 564 0 R
-/A 561 0 R
-/Parent 551 0 R
-/Prev 555 0 R
-/Next 579 0 R
-/First 567 0 R
-/Last 567 0 R
-/Count -1
->> endobj
-559 0 obj <<
-/Title 560 0 R
-/A 557 0 R
-/Parent 555 0 R
->> endobj
-555 0 obj <<
-/Title 556 0 R
-/A 553 0 R
-/Parent 551 0 R
-/Next 563 0 R
-/First 559 0 R
-/Last 559 0 R
-/Count -1
->> endobj
-551 0 obj <<
-/Title 552 0 R
-/A 549 0 R
-/Parent 1345 0 R
-/Prev 531 0 R
-/First 555 0 R
-/Last 587 0 R
-/Count -4
->> endobj
-547 0 obj <<
-/Title 548 0 R
-/A 545 0 R
-/Parent 531 0 R
-/Prev 543 0 R
->> endobj
-543 0 obj <<
-/Title 544 0 R
-/A 541 0 R
-/Parent 531 0 R
-/Prev 535 0 R
-/Next 547 0 R
->> endobj
-539 0 obj <<
-/Title 540 0 R
-/A 537 0 R
-/Parent 535 0 R
->> endobj
-535 0 obj <<
-/Title 536 0 R
-/A 533 0 R
-/Parent 531 0 R
-/Next 543 0 R
-/First 539 0 R
-/Last 539 0 R
-/Count -1
->> endobj
-531 0 obj <<
-/Title 532 0 R
-/A 529 0 R
-/Parent 1345 0 R
-/Prev 507 0 R
-/Next 551 0 R
-/First 535 0 R
-/Last 547 0 R
-/Count -3
->> endobj
-527 0 obj <<
-/Title 528 0 R
-/A 525 0 R
-/Parent 507 0 R
-/Prev 515 0 R
->> endobj
-523 0 obj <<
-/Title 524 0 R
-/A 521 0 R
-/Parent 515 0 R
-/Prev 519 0 R
->> endobj
-519 0 obj <<
-/Title 520 0 R
-/A 517 0 R
-/Parent 515 0 R
-/Next 523 0 R
->> endobj
-515 0 obj <<
-/Title 516 0 R
-/A 513 0 R
-/Parent 507 0 R
-/Prev 511 0 R
-/Next 527 0 R
-/First 519 0 R
-/Last 523 0 R
-/Count -2
->> endobj
-511 0 obj <<
-/Title 512 0 R
-/A 509 0 R
-/Parent 507 0 R
-/Next 515 0 R
->> endobj
-507 0 obj <<
-/Title 508 0 R
-/A 505 0 R
-/Parent 1345 0 R
-/Prev 251 0 R
-/Next 531 0 R
-/First 511 0 R
-/Last 527 0 R
-/Count -3
->> endobj
-503 0 obj <<
-/Title 504 0 R
-/A 501 0 R
-/Parent 459 0 R
-/Prev 487 0 R
->> endobj
-499 0 obj <<
-/Title 500 0 R
-/A 497 0 R
-/Parent 487 0 R
-/Prev 495 0 R
->> endobj
-495 0 obj <<
-/Title 496 0 R
-/A 493 0 R
-/Parent 487 0 R
-/Prev 491 0 R
-/Next 499 0 R
->> endobj
-491 0 obj <<
-/Title 492 0 R
-/A 489 0 R
-/Parent 487 0 R
-/Next 495 0 R
->> endobj
-487 0 obj <<
-/Title 488 0 R
-/A 485 0 R
-/Parent 459 0 R
-/Prev 483 0 R
-/Next 503 0 R
-/First 491 0 R
-/Last 499 0 R
-/Count -3
->> endobj
-483 0 obj <<
-/Title 484 0 R
-/A 481 0 R
-/Parent 459 0 R
-/Prev 479 0 R
-/Next 487 0 R
->> endobj
-479 0 obj <<
-/Title 480 0 R
-/A 477 0 R
-/Parent 459 0 R
-/Prev 475 0 R
-/Next 483 0 R
->> endobj
-475 0 obj <<
-/Title 476 0 R
-/A 473 0 R
-/Parent 459 0 R
-/Prev 463 0 R
-/Next 479 0 R
->> endobj
-471 0 obj <<
-/Title 472 0 R
-/A 469 0 R
-/Parent 463 0 R
-/Prev 467 0 R
->> endobj
-467 0 obj <<
-/Title 468 0 R
-/A 465 0 R
-/Parent 463 0 R
-/Next 471 0 R
->> endobj
-463 0 obj <<
-/Title 464 0 R
-/A 461 0 R
-/Parent 459 0 R
-/Next 475 0 R
-/First 467 0 R
-/Last 471 0 R
-/Count -2
->> endobj
-459 0 obj <<
-/Title 460 0 R
-/A 457 0 R
-/Parent 251 0 R
-/Prev 283 0 R
-/First 463 0 R
-/Last 503 0 R
-/Count -6
->> endobj
-455 0 obj <<
-/Title 456 0 R
-/A 453 0 R
-/Parent 439 0 R
-/Prev 451 0 R
->> endobj
-451 0 obj <<
-/Title 452 0 R
-/A 449 0 R
-/Parent 439 0 R
-/Prev 447 0 R
-/Next 455 0 R
->> endobj
-447 0 obj <<
-/Title 448 0 R
-/A 445 0 R
-/Parent 439 0 R
-/Prev 443 0 R
-/Next 451 0 R
->> endobj
-443 0 obj <<
-/Title 444 0 R
-/A 441 0 R
-/Parent 439 0 R
-/Next 447 0 R
->> endobj
-439 0 obj <<
-/Title 440 0 R
-/A 437 0 R
-/Parent 283 0 R
-/Prev 435 0 R
-/First 443 0 R
-/Last 455 0 R
-/Count -4
->> endobj
-435 0 obj <<
-/Title 436 0 R
-/A 433 0 R
-/Parent 283 0 R
-/Prev 431 0 R
-/Next 439 0 R
->> endobj
-431 0 obj <<
-/Title 432 0 R
-/A 429 0 R
-/Parent 283 0 R
-/Prev 427 0 R
-/Next 435 0 R
->> endobj
-427 0 obj <<
-/Title 428 0 R
-/A 425 0 R
-/Parent 283 0 R
-/Prev 423 0 R
-/Next 431 0 R
->> endobj
-423 0 obj <<
-/Title 424 0 R
-/A 421 0 R
-/Parent 283 0 R
-/Prev 419 0 R
-/Next 427 0 R
->> endobj
-419 0 obj <<
-/Title 420 0 R
-/A 417 0 R
-/Parent 283 0 R
-/Prev 415 0 R
-/Next 423 0 R
->> endobj
-415 0 obj <<
-/Title 416 0 R
-/A 413 0 R
-/Parent 283 0 R
-/Prev 411 0 R
-/Next 419 0 R
->> endobj
-411 0 obj <<
-/Title 412 0 R
-/A 409 0 R
-/Parent 283 0 R
-/Prev 347 0 R
-/Next 415 0 R
->> endobj
-407 0 obj <<
-/Title 408 0 R
-/A 405 0 R
-/Parent 347 0 R
-/Prev 403 0 R
->> endobj
-403 0 obj <<
-/Title 404 0 R
-/A 401 0 R
-/Parent 347 0 R
-/Prev 399 0 R
-/Next 407 0 R
->> endobj
-399 0 obj <<
-/Title 400 0 R
-/A 397 0 R
-/Parent 347 0 R
-/Prev 395 0 R
-/Next 403 0 R
->> endobj
-395 0 obj <<
-/Title 396 0 R
-/A 393 0 R
-/Parent 347 0 R
-/Prev 391 0 R
-/Next 399 0 R
->> endobj
-391 0 obj <<
-/Title 392 0 R
-/A 389 0 R
-/Parent 347 0 R
-/Prev 387 0 R
-/Next 395 0 R
->> endobj
-387 0 obj <<
-/Title 388 0 R
-/A 385 0 R
-/Parent 347 0 R
-/Prev 383 0 R
-/Next 391 0 R
->> endobj
-383 0 obj <<
-/Title 384 0 R
-/A 381 0 R
-/Parent 347 0 R
-/Prev 379 0 R
-/Next 387 0 R
->> endobj
-379 0 obj <<
-/Title 380 0 R
-/A 377 0 R
-/Parent 347 0 R
-/Prev 375 0 R
-/Next 383 0 R
->> endobj
-375 0 obj <<
-/Title 376 0 R
-/A 373 0 R
-/Parent 347 0 R
-/Prev 371 0 R
-/Next 379 0 R
->> endobj
-371 0 obj <<
-/Title 372 0 R
-/A 369 0 R
-/Parent 347 0 R
-/Prev 367 0 R
-/Next 375 0 R
->> endobj
-367 0 obj <<
-/Title 368 0 R
-/A 365 0 R
-/Parent 347 0 R
-/Prev 363 0 R
-/Next 371 0 R
->> endobj
-363 0 obj <<
-/Title 364 0 R
-/A 361 0 R
-/Parent 347 0 R
-/Prev 359 0 R
-/Next 367 0 R
->> endobj
-359 0 obj <<
-/Title 360 0 R
-/A 357 0 R
-/Parent 347 0 R
-/Prev 355 0 R
-/Next 363 0 R
->> endobj
-355 0 obj <<
-/Title 356 0 R
-/A 353 0 R
-/Parent 347 0 R
-/Prev 351 0 R
-/Next 359 0 R
->> endobj
-351 0 obj <<
-/Title 352 0 R
-/A 349 0 R
-/Parent 347 0 R
-/Next 355 0 R
->> endobj
-347 0 obj <<
-/Title 348 0 R
-/A 345 0 R
-/Parent 283 0 R
-/Prev 343 0 R
-/Next 411 0 R
-/First 351 0 R
-/Last 407 0 R
-/Count -15
->> endobj
-343 0 obj <<
-/Title 344 0 R
-/A 341 0 R
-/Parent 283 0 R
-/Prev 339 0 R
-/Next 347 0 R
->> endobj
-339 0 obj <<
-/Title 340 0 R
-/A 337 0 R
-/Parent 283 0 R
-/Prev 335 0 R
-/Next 343 0 R
->> endobj
-335 0 obj <<
-/Title 336 0 R
-/A 333 0 R
-/Parent 283 0 R
-/Prev 323 0 R
-/Next 339 0 R
->> endobj
-331 0 obj <<
-/Title 332 0 R
-/A 329 0 R
-/Parent 323 0 R
-/Prev 327 0 R
->> endobj
-327 0 obj <<
-/Title 328 0 R
-/A 325 0 R
-/Parent 323 0 R
-/Next 331 0 R
->> endobj
-323 0 obj <<
-/Title 324 0 R
-/A 321 0 R
-/Parent 283 0 R
-/Prev 319 0 R
-/Next 335 0 R
-/First 327 0 R
-/Last 331 0 R
-/Count -2
->> endobj
-319 0 obj <<
-/Title 320 0 R
-/A 317 0 R
-/Parent 283 0 R
-/Prev 315 0 R
-/Next 323 0 R
->> endobj
-315 0 obj <<
-/Title 316 0 R
-/A 313 0 R
-/Parent 283 0 R
-/Prev 311 0 R
-/Next 319 0 R
->> endobj
-311 0 obj <<
-/Title 312 0 R
-/A 309 0 R
-/Parent 283 0 R
-/Prev 307 0 R
-/Next 315 0 R
->> endobj
-307 0 obj <<
-/Title 308 0 R
-/A 305 0 R
-/Parent 283 0 R
-/Prev 303 0 R
-/Next 311 0 R
->> endobj
-303 0 obj <<
-/Title 304 0 R
-/A 301 0 R
-/Parent 283 0 R
-/Prev 299 0 R
-/Next 307 0 R
->> endobj
-299 0 obj <<
-/Title 300 0 R
-/A 297 0 R
-/Parent 283 0 R
-/Prev 295 0 R
-/Next 303 0 R
->> endobj
-295 0 obj <<
-/Title 296 0 R
-/A 293 0 R
-/Parent 283 0 R
-/Prev 291 0 R
-/Next 299 0 R
->> endobj
-291 0 obj <<
-/Title 292 0 R
-/A 289 0 R
-/Parent 283 0 R
-/Prev 287 0 R
-/Next 295 0 R
->> endobj
-287 0 obj <<
-/Title 288 0 R
-/A 285 0 R
-/Parent 283 0 R
-/Next 291 0 R
->> endobj
-283 0 obj <<
-/Title 284 0 R
-/A 281 0 R
-/Parent 251 0 R
-/Prev 255 0 R
-/Next 459 0 R
-/First 287 0 R
-/Last 439 0 R
-/Count -22
->> endobj
-279 0 obj <<
-/Title 280 0 R
-/A 277 0 R
-/Parent 271 0 R
-/Prev 275 0 R
->> endobj
-275 0 obj <<
-/Title 276 0 R
-/A 273 0 R
-/Parent 271 0 R
-/Next 279 0 R
->> endobj
-271 0 obj <<
-/Title 272 0 R
-/A 269 0 R
-/Parent 255 0 R
-/Prev 259 0 R
-/First 275 0 R
-/Last 279 0 R
-/Count -2
->> endobj
-267 0 obj <<
-/Title 268 0 R
-/A 265 0 R
-/Parent 259 0 R
-/Prev 263 0 R
->> endobj
-263 0 obj <<
-/Title 264 0 R
-/A 261 0 R
-/Parent 259 0 R
-/Next 267 0 R
->> endobj
-259 0 obj <<
-/Title 260 0 R
-/A 257 0 R
-/Parent 255 0 R
-/Next 271 0 R
-/First 263 0 R
-/Last 267 0 R
-/Count -2
->> endobj
-255 0 obj <<
-/Title 256 0 R
-/A 253 0 R
-/Parent 251 0 R
-/Next 283 0 R
-/First 259 0 R
-/Last 271 0 R
-/Count -2
->> endobj
-251 0 obj <<
-/Title 252 0 R
-/A 249 0 R
-/Parent 1345 0 R
-/Prev 239 0 R
-/Next 507 0 R
-/First 255 0 R
-/Last 459 0 R
-/Count -3
->> endobj
-247 0 obj <<
-/Title 248 0 R
-/A 245 0 R
-/Parent 239 0 R
-/Prev 243 0 R
->> endobj
-243 0 obj <<
-/Title 244 0 R
-/A 241 0 R
-/Parent 239 0 R
-/Next 247 0 R
->> endobj
-239 0 obj <<
-/Title 240 0 R
-/A 237 0 R
-/Parent 1345 0 R
-/Prev 135 0 R
-/Next 251 0 R
-/First 243 0 R
-/Last 247 0 R
-/Count -2
->> endobj
-235 0 obj <<
-/Title 236 0 R
-/A 233 0 R
-/Parent 227 0 R
-/Prev 231 0 R
->> endobj
-231 0 obj <<
-/Title 232 0 R
-/A 229 0 R
-/Parent 227 0 R
-/Next 235 0 R
->> endobj
-227 0 obj <<
-/Title 228 0 R
-/A 225 0 R
-/Parent 135 0 R
-/Prev 203 0 R
-/First 231 0 R
-/Last 235 0 R
-/Count -2
->> endobj
-223 0 obj <<
-/Title 224 0 R
-/A 221 0 R
-/Parent 203 0 R
-/Prev 219 0 R
->> endobj
-219 0 obj <<
-/Title 220 0 R
-/A 217 0 R
-/Parent 203 0 R
-/Prev 215 0 R
-/Next 223 0 R
->> endobj
-215 0 obj <<
-/Title 216 0 R
-/A 213 0 R
-/Parent 203 0 R
-/Prev 211 0 R
-/Next 219 0 R
->> endobj
-211 0 obj <<
-/Title 212 0 R
-/A 209 0 R
-/Parent 203 0 R
-/Prev 207 0 R
-/Next 215 0 R
->> endobj
-207 0 obj <<
-/Title 208 0 R
-/A 205 0 R
-/Parent 203 0 R
-/Next 211 0 R
->> endobj
-203 0 obj <<
-/Title 204 0 R
-/A 201 0 R
-/Parent 135 0 R
-/Prev 199 0 R
-/Next 227 0 R
-/First 207 0 R
-/Last 223 0 R
-/Count -5
->> endobj
-199 0 obj <<
-/Title 200 0 R
-/A 197 0 R
-/Parent 135 0 R
-/Prev 195 0 R
-/Next 203 0 R
->> endobj
-195 0 obj <<
-/Title 196 0 R
-/A 193 0 R
-/Parent 135 0 R
-/Prev 159 0 R
-/Next 199 0 R
->> endobj
-191 0 obj <<
-/Title 192 0 R
-/A 189 0 R
-/Parent 159 0 R
-/Prev 187 0 R
->> endobj
-187 0 obj <<
-/Title 188 0 R
-/A 185 0 R
-/Parent 159 0 R
-/Prev 183 0 R
-/Next 191 0 R
->> endobj
-183 0 obj <<
-/Title 184 0 R
-/A 181 0 R
-/Parent 159 0 R
-/Prev 179 0 R
-/Next 187 0 R
->> endobj
-179 0 obj <<
-/Title 180 0 R
-/A 177 0 R
-/Parent 159 0 R
-/Prev 175 0 R
-/Next 183 0 R
->> endobj
-175 0 obj <<
-/Title 176 0 R
-/A 173 0 R
-/Parent 159 0 R
-/Prev 163 0 R
-/Next 179 0 R
->> endobj
-171 0 obj <<
-/Title 172 0 R
-/A 169 0 R
-/Parent 163 0 R
-/Prev 167 0 R
->> endobj
-167 0 obj <<
-/Title 168 0 R
-/A 165 0 R
-/Parent 163 0 R
-/Next 171 0 R
->> endobj
-163 0 obj <<
-/Title 164 0 R
-/A 161 0 R
-/Parent 159 0 R
-/Next 175 0 R
-/First 167 0 R
-/Last 171 0 R
-/Count -2
->> endobj
-159 0 obj <<
-/Title 160 0 R
-/A 157 0 R
-/Parent 135 0 R
-/Prev 151 0 R
-/Next 195 0 R
-/First 163 0 R
-/Last 191 0 R
-/Count -6
->> endobj
-155 0 obj <<
-/Title 156 0 R
-/A 153 0 R
-/Parent 151 0 R
->> endobj
-151 0 obj <<
-/Title 152 0 R
-/A 149 0 R
-/Parent 135 0 R
-/Prev 147 0 R
-/Next 159 0 R
-/First 155 0 R
-/Last 155 0 R
-/Count -1
->> endobj
-147 0 obj <<
-/Title 148 0 R
-/A 145 0 R
-/Parent 135 0 R
-/Prev 139 0 R
-/Next 151 0 R
->> endobj
-143 0 obj <<
-/Title 144 0 R
-/A 141 0 R
-/Parent 139 0 R
->> endobj
-139 0 obj <<
-/Title 140 0 R
-/A 137 0 R
-/Parent 135 0 R
-/Next 147 0 R
-/First 143 0 R
-/Last 143 0 R
-/Count -1
->> endobj
-135 0 obj <<
-/Title 136 0 R
-/A 133 0 R
-/Parent 1345 0 R
-/Prev 91 0 R
-/Next 239 0 R
-/First 139 0 R
-/Last 227 0 R
-/Count -8
->> endobj
-131 0 obj <<
-/Title 132 0 R
-/A 129 0 R
-/Parent 115 0 R
-/Prev 119 0 R
->> endobj
-127 0 obj <<
-/Title 128 0 R
-/A 125 0 R
-/Parent 119 0 R
-/Prev 123 0 R
->> endobj
-123 0 obj <<
-/Title 124 0 R
-/A 121 0 R
-/Parent 119 0 R
-/Next 127 0 R
->> endobj
-119 0 obj <<
-/Title 120 0 R
-/A 117 0 R
-/Parent 115 0 R
-/Next 131 0 R
-/First 123 0 R
-/Last 127 0 R
-/Count -2
->> endobj
-115 0 obj <<
-/Title 116 0 R
-/A 113 0 R
-/Parent 91 0 R
-/Prev 111 0 R
-/First 119 0 R
-/Last 131 0 R
-/Count -2
->> endobj
-111 0 obj <<
-/Title 112 0 R
-/A 109 0 R
-/Parent 91 0 R
-/Prev 107 0 R
-/Next 115 0 R
->> endobj
-107 0 obj <<
-/Title 108 0 R
-/A 105 0 R
-/Parent 91 0 R
-/Prev 95 0 R
-/Next 111 0 R
->> endobj
-103 0 obj <<
-/Title 104 0 R
-/A 101 0 R
-/Parent 95 0 R
-/Prev 99 0 R
->> endobj
-99 0 obj <<
-/Title 100 0 R
-/A 97 0 R
-/Parent 95 0 R
-/Next 103 0 R
->> endobj
-95 0 obj <<
-/Title 96 0 R
-/A 93 0 R
-/Parent 91 0 R
-/Next 107 0 R
-/First 99 0 R
-/Last 103 0 R
-/Count -2
->> endobj
-91 0 obj <<
-/Title 92 0 R
-/A 89 0 R
-/Parent 1345 0 R
-/Prev 67 0 R
-/Next 135 0 R
-/First 95 0 R
-/Last 115 0 R
-/Count -4
->> endobj
-87 0 obj <<
-/Title 88 0 R
-/A 85 0 R
-/Parent 67 0 R
-/Prev 83 0 R
->> endobj
-83 0 obj <<
-/Title 84 0 R
-/A 81 0 R
-/Parent 67 0 R
-/Prev 79 0 R
-/Next 87 0 R
->> endobj
-79 0 obj <<
-/Title 80 0 R
-/A 77 0 R
-/Parent 67 0 R
-/Prev 75 0 R
-/Next 83 0 R
->> endobj
-75 0 obj <<
-/Title 76 0 R
-/A 73 0 R
-/Parent 67 0 R
-/Prev 71 0 R
-/Next 79 0 R
->> endobj
-71 0 obj <<
-/Title 72 0 R
-/A 69 0 R
-/Parent 67 0 R
-/Next 75 0 R
->> endobj
-67 0 obj <<
-/Title 68 0 R
-/A 65 0 R
-/Parent 1345 0 R
-/Prev 7 0 R
-/Next 91 0 R
-/First 71 0 R
-/Last 87 0 R
-/Count -5
->> endobj
-63 0 obj <<
-/Title 64 0 R
-/A 61 0 R
-/Parent 23 0 R
-/Prev 55 0 R
->> endobj
-59 0 obj <<
-/Title 60 0 R
-/A 57 0 R
-/Parent 55 0 R
->> endobj
-55 0 obj <<
-/Title 56 0 R
-/A 53 0 R
-/Parent 23 0 R
-/Prev 39 0 R
-/Next 63 0 R
-/First 59 0 R
-/Last 59 0 R
-/Count -1
->> endobj
-51 0 obj <<
-/Title 52 0 R
-/A 49 0 R
-/Parent 39 0 R
-/Prev 47 0 R
->> endobj
-47 0 obj <<
-/Title 48 0 R
-/A 45 0 R
-/Parent 39 0 R
-/Prev 43 0 R
-/Next 51 0 R
->> endobj
-43 0 obj <<
-/Title 44 0 R
-/A 41 0 R
-/Parent 39 0 R
-/Next 47 0 R
->> endobj
-39 0 obj <<
-/Title 40 0 R
-/A 37 0 R
-/Parent 23 0 R
-/Prev 35 0 R
-/Next 55 0 R
-/First 43 0 R
-/Last 51 0 R
-/Count -3
->> endobj
-35 0 obj <<
-/Title 36 0 R
-/A 33 0 R
-/Parent 23 0 R
-/Prev 31 0 R
-/Next 39 0 R
->> endobj
-31 0 obj <<
-/Title 32 0 R
-/A 29 0 R
-/Parent 23 0 R
-/Prev 27 0 R
-/Next 35 0 R
->> endobj
-27 0 obj <<
-/Title 28 0 R
-/A 25 0 R
-/Parent 23 0 R
-/Next 31 0 R
->> endobj
-23 0 obj <<
-/Title 24 0 R
-/A 21 0 R
-/Parent 7 0 R
-/Prev 19 0 R
-/First 27 0 R
-/Last 63 0 R
-/Count -6
->> endobj
-19 0 obj <<
-/Title 20 0 R
-/A 17 0 R
-/Parent 7 0 R
-/Prev 15 0 R
-/Next 23 0 R
->> endobj
-15 0 obj <<
-/Title 16 0 R
-/A 13 0 R
-/Parent 7 0 R
-/Prev 11 0 R
-/Next 19 0 R
->> endobj
-11 0 obj <<
-/Title 12 0 R
-/A 9 0 R
-/Parent 7 0 R
-/Next 15 0 R
->> endobj
-7 0 obj <<
-/Title 8 0 R
-/A 5 0 R
-/Parent 1345 0 R
-/Next 67 0 R
-/First 11 0 R
-/Last 23 0 R
-/Count -4
->> endobj
-1346 0 obj <<
-/Names [(Access_Control_Lists) 1158 0 R (Bv9ARM.ch01) 625 0 R (Bv9ARM.ch02) 679 0 R (Bv9ARM.ch03) 694 0 R (Bv9ARM.ch04) 747 0 R (Bv9ARM.ch05) 815 0 R (Bv9ARM.ch06) 837 0 R (Bv9ARM.ch07) 1157 0 R (Bv9ARM.ch08) 1176 0 R (Bv9ARM.ch09) 1191 0 R (Configuration_File_Grammar) 864 0 R (DNSSEC) 796 0 R (Doc-Start) 606 0 R (Setting_TTLs) 1129 0 R (access_control) 962 0 R (acl) 868 0 R (address_match_lists) 842 0 R (admin_tools) 725 0 R (appendix.A) 550 0 R (bibliography) 1212 0 R (boolean_options) 720 0 R (chapter.1) 6 0 R (chapter.2) 66 0 R (chapter.3) 90 0 R (chapter.4) 134 0 R (chapter.5) 238 0 R (chapter.6) 250 0 R (chapter.7) 506 0 R (chapter.8) 530 0 R (cite.RFC1034) 1222 0 R (cite.RFC1035) 1224 0 R (cite.RFC1101) 1280 0 R (cite.RFC1123) 1282 0 R (cite.RFC1183) 1264 0 R (cite.RFC1464) 1304 0 R (cite.RFC1535) 1256 0 R (cite.RFC1536) 1258 0 R (cite.RFC1537) 1294 0 R (cite.RFC1591) 1284 0 R (cite.RFC1706) 1266 0 R (cite.RFC1712) 1318 0 R (cite.RFC1713) 1306 0 R (cite.RFC1794) 1308 0 R (cite.RFC1876) 1268 0 R (cite.RFC1886) 1248 0 R (cite.RFC1912) 1296 0 R (cite.RFC1982) 1260 0 R (cite.RFC1995) 1234 0 R (cite.RFC1996) 1236 0 R (cite.RFC2010) 1298 0 R (cite.RFC2052) 1270 0 R (cite.RFC2065) 1250 0 R (cite.RFC2136) 1238 0 R (cite.RFC2137) 1252 0 R (cite.RFC2163) 1272 0 R (cite.RFC2168) 1274 0 R (cite.RFC2181) 1240 0 R (cite.RFC2219) 1300 0 R (cite.RFC2230) 1276 0 R (cite.RFC2240) 1310 0 R (cite.RFC2308) 1242 0 R (cite.RFC2317) 1290 0 R (cite.RFC2345) 1312 0 R (cite.RFC2352) 1314 0 R (cite.RFC2845) 1244 0 R (cite.RFC974) 1226 0 R (cite.id2490365) 1323 0 R (classes_of_resource_records) 1112 0 R (configuration_file_elements) 838 0 R (controls_statement_definition_and_usage) 735 0 R (diagnostic_tools) 667 0 R (dynamic_update) 748 0 R (dynamic_update_policies) 789 0 R (dynamic_update_security) 1067 0 R (historical_dns_information) 1198 0 R (id2464552) 626 0 R (id2464616) 627 0 R (id2465937) 649 0 R (id2465957) 650 0 R (id2465981) 651 0 R (id2466966) 631 0 R (id2466974) 632 0 R (id2467159) 696 0 R (id2467172) 697 0 R (id2467194) 702 0 R (id2467211) 703 0 R (id2467296) 647 0 R (id2467772) 654 0 R (id2467847) 661 0 R (id2467869) 664 0 R (id2467891) 665 0 R (id2467910) 666 0 R (id2467939) 672 0 R (id2467971) 673 0 R (id2468133) 674 0 R (id2468165) 680 0 R (id2468258) 681 0 R (id2468268) 682 0 R (id2468282) 683 0 R (id2468291) 689 0 R (id2468950) 714 0 R (id2468955) 715 0 R (id2471826) 740 0 R (id2471837) 741 0 R (id2472270) 757 0 R (id2472288) 758 0 R (id2472768) 775 0 R (id2472784) 776 0 R (id2472818) 777 0 R (id2472834) 778 0 R (id2472842) 784 0 R (id2472882) 785 0 R (id2472934) 786 0 R (id2472978) 788 0 R (id2472992) 794 0 R (id2473177) 795 0 R (id2473230) 801 0 R (id2473299) 802 0 R (id2473405) 803 0 R (id2473515) 808 0 R (id2473570) 809 0 R (id2473594) 810 0 R (id2473718) 814 0 R (id2473732) 821 0 R (id2473764) 826 0 R (id2473971) 839 0 R (id2474524) 847 0 R (id2474551) 848 0 R (id2474707) 853 0 R (id2474722) 854 0 R (id2474750) 855 0 R (id2474963) 865 0 R (id2475213) 867 0 R (id2475255) 873 0 R (id2475393) 875 0 R (id2475717) 884 0 R (id2475732) 885 0 R (id2475754) 886 0 R (id2475776) 887 0 R (id2475838) 890 0 R (id2475964) 895 0 R (id2476017) 896 0 R (id2476642) 911 0 R (id2477123) 913 0 R (id2477264) 918 0 R (id2477326) 920 0 R (id2478256) 931 0 R (id2479226) 960 0 R (id2479605) 972 0 R (id2479689) 973 0 R (id2480161) 985 0 R (id2480262) 991 0 R (id2480331) 992 0 R (id2480874) 1011 0 R (id2481399) 1023 0 R (id2481899) 1030 0 R (id2481947) 1031 0 R (id2482039) 1037 0 R (id2482087) 1038 0 R (id2483202) 1052 0 R (id2483208) 1053 0 R (id2483212) 1054 0 R (id2483514) 1060 0 R (id2483613) 1061 0 R (id2484389) 1088 0 R (id2484579) 1094 0 R (id2484597) 1095 0 R (id2484618) 1098 0 R (id2484758) 1100 0 R (id2485397) 1107 0 R (id2485480) 1110 0 R (id2485677) 1117 0 R (id2485699) 1118 0 R (id2485988) 1120 0 R (id2486103) 1122 0 R (id2486121) 1127 0 R (id2486426) 1130 0 R (id2486532) 1132 0 R (id2486614) 1133 0 R (id2486706) 1139 0 R (id2486725) 1140 0 R (id2486780) 1144 0 R (id2486843) 1145 0 R (id2486874) 1150 0 R (id2486926) 1151 0 R (id2487194) 1169 0 R (id2487406) 1170 0 R (id2487601) 1171 0 R (id2487671) 1177 0 R (id2487676) 1178 0 R (id2487688) 1179 0 R (id2487705) 1180 0 R (id2487767) 1192 0 R (id2487772) 1193 0 R (id2487883) 1199 0 R (id2487899) 1200 0 R (id2487982) 1201 0 R (id2488021) 1202 0 R (id2488332) 1204 0 R (id2488558) 1210 0 R (id2488842) 1218 0 R (id2488844) 1220 0 R (id2488853) 1225 0 R (id2488876) 1221 0 R (id2488900) 1223 0 R (id2488937) 1239 0 R (id2488963) 1241 0 R (id2488988) 1233 0 R (id2489013) 1235 0 R (id2489036) 1237 0 R (id2489092) 1243 0 R (id2489153) 1246 0 R (id2489168) 1247 0 R (id2489206) 1249 0 R (id2489245) 1251 0 R (id2489273) 1254 0 R (id2489282) 1255 0 R (id2489307) 1257 0 R (id2489374) 1259 0 R (id2489411) 1262 0 R (id2489416) 1263 0 R (id2489474) 1265 0 R (id2489511) 1273 0 R (id2489546) 1267 0 R (id2489601) 1269 0 R (id2489640) 1271 0 R (id2489667) 1275 0 R (id2489693) 1278 0 R (id2489701) 1279 0 R (id2489726) 1281 0 R (id2489750) 1283 0 R (id2489771) 1289 0 R (id2489818) 1292 0 R (id2489826) 1293 0 R (id2489851) 1295 0 R (id2489878) 1297 0 R (id2489982) 1299 0 R (id2490022) 1302 0 R (id2490042) 1303 0 R (id2490065) 1305 0 R (id2490089) 1307 0 R (id2490182) 1309 0 R (id2490204) 1311 0 R (id2490250) 1313 0 R (id2490275) 1316 0 R (id2490281) 1317 0 R (id2490354) 1320 0 R (id2490363) 1322 0 R (id2490365) 1324 0 R (incremental_zone_transfers) 754 0 R (internet_drafts) 1319 0 R (ipv6addresses) 816 0 R (journal) 749 0 R (lwresd) 827 0 R (notify) 706 0 R (page.1) 605 0 R (page.10) 701 0 R (page.11) 711 0 R (page.12) 724 0 R (page.13) 732 0 R (page.14) 739 0 R (page.15) 746 0 R (page.16) 753 0 R (page.17) 763 0 R (page.18) 768 0 R (page.19) 772 0 R (page.2) 617 0 R (page.20) 783 0 R (page.21) 793 0 R (page.22) 800 0 R (page.23) 807 0 R (page.24) 820 0 R (page.25) 825 0 R (page.26) 832 0 R (page.27) 836 0 R (page.28) 846 0 R (page.29) 852 0 R (page.3) 624 0 R (page.30) 860 0 R (page.31) 872 0 R (page.32) 883 0 R (page.33) 894 0 R (page.34) 900 0 R (page.35) 904 0 R (page.36) 910 0 R (page.37) 917 0 R (page.38) 925 0 R (page.39) 930 0 R (page.4) 643 0 R (page.40) 938 0 R (page.41) 944 0 R (page.42) 949 0 R (page.43) 959 0 R (page.44) 971 0 R (page.45) 980 0 R (page.46) 984 0 R (page.47) 989 0 R (page.48) 996 0 R (page.49) 1003 0 R (page.5) 660 0 R (page.50) 1010 0 R (page.51) 1016 0 R (page.52) 1022 0 R (page.53) 1029 0 R (page.54) 1036 0 R (page.55) 1042 0 R (page.56) 1047 0 R (page.57) 1051 0 R (page.58) 1059 0 R (page.59) 1071 0 R (page.6) 671 0 R (page.60) 1081 0 R (page.61) 1093 0 R (page.62) 1106 0 R (page.63) 1116 0 R (page.64) 1126 0 R (page.65) 1138 0 R (page.66) 1149 0 R (page.67) 1156 0 R (page.68) 1165 0 R (page.69) 1175 0 R (page.7) 678 0 R (page.70) 1186 0 R (page.71) 1190 0 R (page.72) 1197 0 R (page.73) 1209 0 R (page.74) 1231 0 R (page.75) 1288 0 R (page.8) 688 0 R (page.9) 693 0 R (proposed_standards) 759 0 R (rfcs) 656 0 R (rndc) 879 0 R (rrset_ordering) 707 0 R (sample_configuration) 695 0 R (section*.1) 1217 0 R (section*.10) 1315 0 R (section*.11) 1321 0 R (section*.2) 1219 0 R (section*.3) 1232 0 R (section*.4) 1245 0 R (section*.5) 1253 0 R (section*.6) 1261 0 R (section*.7) 1277 0 R (section*.8) 1291 0 R (section*.9) 1301 0 R (section.1.1) 10 0 R (section.1.2) 14 0 R (section.1.3) 18 0 R (section.1.4) 22 0 R (section.2.1) 70 0 R (section.2.2) 74 0 R (section.2.3) 78 0 R (section.2.4) 82 0 R (section.2.5) 86 0 R (section.3.1) 94 0 R (section.3.2) 106 0 R (section.3.3) 110 0 R (section.3.4) 114 0 R (section.4.1) 138 0 R (section.4.2) 146 0 R (section.4.3) 150 0 R (section.4.4) 158 0 R (section.4.5) 194 0 R (section.4.6) 198 0 R (section.4.7) 202 0 R (section.4.8) 226 0 R (section.5.1) 242 0 R (section.5.2) 246 0 R (section.6.1) 254 0 R (section.6.2) 282 0 R (section.6.3) 458 0 R (section.7.1) 510 0 R (section.7.2) 514 0 R (section.7.3) 526 0 R (section.8.1) 534 0 R (section.8.2) 542 0 R (section.8.3) 546 0 R (section.A.1) 554 0 R (section.A.2) 562 0 R (section.A.3) 578 0 R (section.A.4) 586 0 R (server_statement_definition_and_usage) 955 0 R (server_statement_grammar) 1025 0 R (statsfile) 940 0 R (subsection.1.4.1) 26 0 R (subsection.1.4.2) 30 0 R (subsection.1.4.3) 34 0 R (subsection.1.4.4) 38 0 R (subsection.1.4.5) 54 0 R (subsection.1.4.6) 62 0 R (subsection.3.1.1) 98 0 R (subsection.3.1.2) 102 0 R (subsection.3.4.1) 118 0 R (subsection.3.4.2) 130 0 R (subsection.4.1.1) 142 0 R (subsection.4.3.1) 154 0 R (subsection.4.4.1) 162 0 R (subsection.4.4.2) 174 0 R (subsection.4.4.3) 178 0 R (subsection.4.4.4) 182 0 R (subsection.4.4.5) 186 0 R (subsection.4.4.6) 190 0 R (subsection.4.7.1) 206 0 R (subsection.4.7.2) 210 0 R (subsection.4.7.3) 214 0 R (subsection.4.7.4) 218 0 R (subsection.4.7.5) 222 0 R (subsection.4.8.1) 230 0 R (subsection.4.8.2) 234 0 R (subsection.6.1.1) 258 0 R (subsection.6.1.2) 270 0 R (subsection.6.2.1) 286 0 R (subsection.6.2.10) 322 0 R (subsection.6.2.11) 334 0 R (subsection.6.2.12) 338 0 R (subsection.6.2.13) 342 0 R (subsection.6.2.14) 346 0 R (subsection.6.2.15) 410 0 R (subsection.6.2.16) 414 0 R (subsection.6.2.17) 418 0 R (subsection.6.2.18) 422 0 R (subsection.6.2.19) 426 0 R (subsection.6.2.2) 290 0 R (subsection.6.2.20) 430 0 R (subsection.6.2.21) 434 0 R (subsection.6.2.22) 438 0 R (subsection.6.2.3) 294 0 R (subsection.6.2.4) 298 0 R (subsection.6.2.5) 302 0 R (subsection.6.2.6) 306 0 R (subsection.6.2.7) 310 0 R (subsection.6.2.8) 314 0 R (subsection.6.2.9) 318 0 R (subsection.6.3.1) 462 0 R (subsection.6.3.2) 474 0 R (subsection.6.3.3) 478 0 R (subsection.6.3.4) 482 0 R (subsection.6.3.5) 486 0 R (subsection.6.3.6) 502 0 R (subsection.7.2.1) 518 0 R (subsection.7.2.2) 522 0 R (subsection.8.1.1) 538 0 R (subsection.A.1.1) 558 0 R (subsection.A.2.1) 566 0 R (subsection.A.3.1) 582 0 R (subsection.A.4.1) 590 0 R (subsection.A.4.2) 594 0 R (subsection.A.4.3) 598 0 R (subsubsection.1.4.4.1) 42 0 R (subsubsection.1.4.4.2) 46 0 R (subsubsection.1.4.4.3) 50 0 R (subsubsection.1.4.5.1) 58 0 R (subsubsection.3.4.1.1) 122 0 R (subsubsection.3.4.1.2) 126 0 R (subsubsection.4.4.1.1) 166 0 R (subsubsection.4.4.1.2) 170 0 R (subsubsection.6.1.1.1) 262 0 R (subsubsection.6.1.1.2) 266 0 R (subsubsection.6.1.2.1) 274 0 R (subsubsection.6.1.2.2) 278 0 R (subsubsection.6.2.10.1) 326 0 R (subsubsection.6.2.10.2) 330 0 R (subsubsection.6.2.14.1) 350 0 R (subsubsection.6.2.14.10) 386 0 R (subsubsection.6.2.14.11) 390 0 R (subsubsection.6.2.14.12) 394 0 R (subsubsection.6.2.14.13) 398 0 R (subsubsection.6.2.14.14) 402 0 R (subsubsection.6.2.14.15) 406 0 R (subsubsection.6.2.14.2) 354 0 R (subsubsection.6.2.14.3) 358 0 R (subsubsection.6.2.14.4) 362 0 R (subsubsection.6.2.14.5) 366 0 R (subsubsection.6.2.14.6) 370 0 R (subsubsection.6.2.14.7) 374 0 R (subsubsection.6.2.14.8) 378 0 R (subsubsection.6.2.14.9) 382 0 R (subsubsection.6.2.22.1) 442 0 R (subsubsection.6.2.22.2) 446 0 R (subsubsection.6.2.22.3) 450 0 R (subsubsection.6.2.22.4) 454 0 R (subsubsection.6.3.1.1) 466 0 R (subsubsection.6.3.1.2) 470 0 R (subsubsection.6.3.5.1) 490 0 R (subsubsection.6.3.5.2) 494 0 R (subsubsection.6.3.5.3) 498 0 R (subsubsection.A.2.1.1) 570 0 R (subsubsection.A.2.1.2) 574 0 R (synthesis) 967 0 R (table.1.1) 633 0 R (table.1.2) 648 0 R (table.3.1) 704 0 R (table.3.2) 742 0 R (table.6.1) 840 0 R (table.6.10) 1101 0 R (table.6.11) 1108 0 R (table.6.12) 1111 0 R (table.6.13) 1119 0 R (table.6.14) 1121 0 R (table.6.15) 1128 0 R (table.6.16) 1131 0 R (table.6.17) 1134 0 R (table.6.18) 1152 0 R (table.6.2) 866 0 R (table.6.3) 874 0 R (table.6.4) 912 0 R (table.6.5) 1012 0 R (table.6.6) 1024 0 R (table.6.7) 1055 0 R (table.6.8) 1089 0 R (table.6.9) 1099 0 R (table.A.1) 1203 0 R (table.A.2) 1205 0 R (table.A.3) 1211 0 R (the_category_phrase) 906 0 R (the_sortlist_statement) 998 0 R (topology) 997 0 R (tsig) 773 0 R (tuning) 1017 0 R (types_of_resource_records_and_when_to_use_them) 655 0 R (zone_statement_grammar) 966 0 R (zone_transfers) 719 0 R]
-/Limits [(Access_Control_Lists) (zone_transfers)]
->> endobj
-1347 0 obj <<
-/Kids [1346 0 R]
->> endobj
-1348 0 obj <<
-/Dests 1347 0 R
->> endobj
-1349 0 obj <<
-/Type /Catalog
-/Pages 1344 0 R
-/Outlines 1345 0 R
-/Names 1348 0 R
-/PageMode /UseOutlines 
-/OpenAction 601 0 R
->> endobj
-1350 0 obj <<
-/Author()/Title()/Subject()/Creator(LaTeX with hyperref package)/Producer(pdfeTeX-1.21a)/Keywords()
-/CreationDate (D:20070806120531+10'00')
-/PTEX.Fullbanner (This is pdfeTeX, Version 3.141592-1.21a-2.2 (Web2C 7.5.4) kpathsea version 3.5.4)
->> endobj
-xref
-0 1351
-0000000001 65535 f 
-0000000002 00000 f 
-0000000003 00000 f 
-0000000004 00000 f 
-0000000000 00000 f 
-0000000009 00000 n 
-0000019104 00000 n 
-0000471694 00000 n 
-0000000054 00000 n 
-0000000086 00000 n 
-0000019228 00000 n 
-0000471622 00000 n 
-0000000133 00000 n 
-0000000173 00000 n 
-0000019353 00000 n 
-0000471536 00000 n 
-0000000221 00000 n 
-0000000273 00000 n 
-0000019478 00000 n 
-0000471450 00000 n 
-0000000321 00000 n 
-0000000377 00000 n 
-0000023702 00000 n 
-0000471340 00000 n 
-0000000425 00000 n 
-0000000478 00000 n 
-0000023827 00000 n 
-0000471266 00000 n 
-0000000531 00000 n 
-0000000572 00000 n 
-0000023952 00000 n 
-0000471179 00000 n 
-0000000625 00000 n 
-0000000674 00000 n 
-0000024077 00000 n 
-0000471092 00000 n 
-0000000727 00000 n 
-0000000757 00000 n 
-0000028387 00000 n 
-0000470968 00000 n 
-0000000810 00000 n 
-0000000861 00000 n 
-0000028512 00000 n 
-0000470894 00000 n 
-0000000919 00000 n 
-0000000964 00000 n 
-0000028637 00000 n 
-0000470807 00000 n 
-0000001022 00000 n 
-0000001062 00000 n 
-0000028762 00000 n 
-0000470733 00000 n 
-0000001120 00000 n 
-0000001162 00000 n 
-0000031675 00000 n 
-0000470609 00000 n 
-0000001215 00000 n 
-0000001260 00000 n 
-0000031800 00000 n 
-0000470548 00000 n 
-0000001318 00000 n 
-0000001355 00000 n 
-0000031925 00000 n 
-0000470474 00000 n 
-0000001408 00000 n 
-0000001463 00000 n 
-0000034365 00000 n 
-0000470349 00000 n 
-0000001509 00000 n 
-0000001556 00000 n 
-0000034490 00000 n 
-0000470275 00000 n 
-0000001604 00000 n 
-0000001648 00000 n 
-0000034615 00000 n 
-0000470188 00000 n 
-0000001696 00000 n 
-0000001735 00000 n 
-0000034740 00000 n 
-0000470101 00000 n 
-0000001783 00000 n 
-0000001825 00000 n 
-0000034865 00000 n 
-0000470014 00000 n 
-0000001873 00000 n 
-0000001935 00000 n 
-0000036185 00000 n 
-0000469940 00000 n 
-0000001983 00000 n 
-0000002033 00000 n 
-0000037826 00000 n 
-0000469812 00000 n 
-0000002079 00000 n 
-0000002124 00000 n 
-0000037950 00000 n 
-0000469699 00000 n 
-0000002172 00000 n 
-0000002216 00000 n 
-0000038075 00000 n 
-0000469623 00000 n 
-0000002269 00000 n 
-0000002320 00000 n 
-0000038200 00000 n 
-0000469546 00000 n 
-0000002374 00000 n 
-0000002432 00000 n 
-0000040898 00000 n 
-0000469455 00000 n 
-0000002481 00000 n 
-0000002519 00000 n 
-0000041150 00000 n 
-0000469363 00000 n 
-0000002568 00000 n 
-0000002598 00000 n 
-0000044770 00000 n 
-0000469246 00000 n 
-0000002647 00000 n 
-0000002692 00000 n 
-0000044896 00000 n 
-0000469128 00000 n 
-0000002746 00000 n 
-0000002812 00000 n 
-0000045022 00000 n 
-0000469049 00000 n 
-0000002871 00000 n 
-0000002915 00000 n 
-0000048323 00000 n 
-0000468970 00000 n 
-0000002974 00000 n 
-0000003022 00000 n 
-0000054108 00000 n 
-0000468891 00000 n 
-0000003076 00000 n 
-0000003109 00000 n 
-0000056942 00000 n 
-0000468759 00000 n 
-0000003156 00000 n 
-0000003195 00000 n 
-0000057068 00000 n 
-0000468641 00000 n 
-0000003244 00000 n 
-0000003282 00000 n 
-0000057194 00000 n 
-0000468576 00000 n 
-0000003336 00000 n 
-0000003378 00000 n 
-0000061501 00000 n 
-0000468483 00000 n 
-0000003427 00000 n 
-0000003486 00000 n 
-0000061627 00000 n 
-0000468351 00000 n 
-0000003535 00000 n 
-0000003568 00000 n 
-0000061753 00000 n 
-0000468286 00000 n 
-0000003622 00000 n 
-0000003671 00000 n 
-0000068502 00000 n 
-0000468154 00000 n 
-0000003720 00000 n 
-0000003748 00000 n 
-0000068628 00000 n 
-0000468036 00000 n 
-0000003802 00000 n 
-0000003871 00000 n 
-0000068754 00000 n 
-0000467957 00000 n 
-0000003930 00000 n 
-0000003978 00000 n 
-0000068879 00000 n 
-0000467878 00000 n 
-0000004037 00000 n 
-0000004082 00000 n 
-0000069005 00000 n 
-0000467785 00000 n 
-0000004136 00000 n 
-0000004204 00000 n 
-0000072109 00000 n 
-0000467692 00000 n 
-0000004258 00000 n 
-0000004328 00000 n 
-0000072235 00000 n 
-0000467599 00000 n 
-0000004382 00000 n 
-0000004445 00000 n 
-0000072361 00000 n 
-0000467506 00000 n 
-0000004499 00000 n 
-0000004554 00000 n 
-0000072486 00000 n 
-0000467427 00000 n 
-0000004608 00000 n 
-0000004640 00000 n 
-0000076131 00000 n 
-0000467334 00000 n 
-0000004689 00000 n 
-0000004717 00000 n 
-0000076257 00000 n 
-0000467241 00000 n 
-0000004766 00000 n 
-0000004798 00000 n 
-0000076383 00000 n 
-0000467109 00000 n 
-0000004847 00000 n 
-0000004877 00000 n 
-0000079606 00000 n 
-0000467030 00000 n 
-0000004931 00000 n 
-0000004972 00000 n 
-0000079732 00000 n 
-0000466937 00000 n 
-0000005026 00000 n 
-0000005069 00000 n 
-0000079857 00000 n 
-0000466844 00000 n 
-0000005123 00000 n 
-0000005175 00000 n 
-0000083481 00000 n 
-0000466751 00000 n 
-0000005229 00000 n 
-0000005271 00000 n 
-0000083607 00000 n 
-0000466672 00000 n 
-0000005325 00000 n 
-0000005370 00000 n 
-0000083732 00000 n 
-0000466554 00000 n 
-0000005419 00000 n 
-0000005465 00000 n 
-0000083858 00000 n 
-0000466475 00000 n 
-0000005519 00000 n 
-0000005579 00000 n 
-0000085066 00000 n 
-0000466396 00000 n 
-0000005633 00000 n 
-0000005702 00000 n 
-0000087522 00000 n 
-0000466263 00000 n 
-0000005749 00000 n 
-0000005802 00000 n 
-0000087648 00000 n 
-0000466184 00000 n 
-0000005851 00000 n 
-0000005907 00000 n 
-0000087774 00000 n 
-0000466105 00000 n 
-0000005956 00000 n 
-0000006005 00000 n 
-0000092150 00000 n 
-0000465972 00000 n 
-0000006052 00000 n 
-0000006104 00000 n 
-0000092276 00000 n 
-0000465854 00000 n 
-0000006153 00000 n 
-0000006204 00000 n 
-0000096128 00000 n 
-0000465736 00000 n 
-0000006258 00000 n 
-0000006303 00000 n 
-0000096254 00000 n 
-0000465657 00000 n 
-0000006362 00000 n 
-0000006396 00000 n 
-0000096380 00000 n 
-0000465578 00000 n 
-0000006455 00000 n 
-0000006503 00000 n 
-0000099514 00000 n 
-0000465460 00000 n 
-0000006557 00000 n 
-0000006597 00000 n 
-0000099640 00000 n 
-0000465381 00000 n 
-0000006656 00000 n 
-0000006690 00000 n 
-0000099766 00000 n 
-0000465302 00000 n 
-0000006749 00000 n 
-0000006797 00000 n 
-0000103374 00000 n 
-0000465169 00000 n 
-0000006846 00000 n 
-0000006896 00000 n 
-0000103626 00000 n 
-0000465090 00000 n 
-0000006950 00000 n 
-0000006997 00000 n 
-0000103752 00000 n 
-0000464997 00000 n 
-0000007051 00000 n 
-0000007111 00000 n 
-0000108733 00000 n 
-0000464904 00000 n 
-0000007165 00000 n 
-0000007217 00000 n 
-0000108859 00000 n 
-0000464811 00000 n 
-0000007271 00000 n 
-0000007336 00000 n 
-0000112545 00000 n 
-0000464718 00000 n 
-0000007390 00000 n 
-0000007441 00000 n 
-0000112671 00000 n 
-0000464625 00000 n 
-0000007495 00000 n 
-0000007559 00000 n 
-0000112797 00000 n 
-0000464532 00000 n 
-0000007613 00000 n 
-0000007660 00000 n 
-0000112923 00000 n 
-0000464439 00000 n 
-0000007714 00000 n 
-0000007774 00000 n 
-0000113048 00000 n 
-0000464346 00000 n 
-0000007828 00000 n 
-0000007879 00000 n 
-0000116258 00000 n 
-0000464214 00000 n 
-0000007934 00000 n 
-0000007999 00000 n 
-0000116384 00000 n 
-0000464135 00000 n 
-0000008059 00000 n 
-0000008106 00000 n 
-0000123527 00000 n 
-0000464056 00000 n 
-0000008166 00000 n 
-0000008214 00000 n 
-0000126794 00000 n 
-0000463963 00000 n 
-0000008269 00000 n 
-0000008319 00000 n 
-0000129417 00000 n 
-0000463870 00000 n 
-0000008374 00000 n 
-0000008437 00000 n 
-0000129543 00000 n 
-0000463777 00000 n 
-0000008492 00000 n 
-0000008544 00000 n 
-0000136202 00000 n 
-0000463644 00000 n 
-0000008599 00000 n 
-0000008664 00000 n 
-0000140360 00000 n 
-0000463565 00000 n 
-0000008724 00000 n 
-0000008768 00000 n 
-0000154088 00000 n 
-0000463472 00000 n 
-0000008828 00000 n 
-0000008867 00000 n 
-0000154214 00000 n 
-0000463379 00000 n 
-0000008927 00000 n 
-0000008970 00000 n 
-0000157080 00000 n 
-0000463286 00000 n 
-0000009030 00000 n 
-0000009069 00000 n 
-0000157206 00000 n 
-0000463193 00000 n 
-0000009129 00000 n 
-0000009171 00000 n 
-0000160424 00000 n 
-0000463100 00000 n 
-0000009231 00000 n 
-0000009274 00000 n 
-0000164493 00000 n 
-0000463007 00000 n 
-0000009334 00000 n 
-0000009395 00000 n 
-0000168370 00000 n 
-0000462914 00000 n 
-0000009455 00000 n 
-0000009506 00000 n 
-0000168496 00000 n 
-0000462821 00000 n 
-0000009566 00000 n 
-0000009618 00000 n 
-0000171646 00000 n 
-0000462728 00000 n 
-0000009679 00000 n 
-0000009717 00000 n 
-0000171772 00000 n 
-0000462635 00000 n 
-0000009778 00000 n 
-0000009830 00000 n 
-0000175733 00000 n 
-0000462542 00000 n 
-0000009891 00000 n 
-0000009935 00000 n 
-0000179394 00000 n 
-0000462449 00000 n 
-0000009996 00000 n 
-0000010050 00000 n 
-0000182957 00000 n 
-0000462356 00000 n 
-0000010111 00000 n 
-0000010147 00000 n 
-0000183086 00000 n 
-0000462277 00000 n 
-0000010208 00000 n 
-0000010257 00000 n 
-0000186153 00000 n 
-0000462184 00000 n 
-0000010312 00000 n 
-0000010363 00000 n 
-0000186282 00000 n 
-0000462091 00000 n 
-0000010418 00000 n 
-0000010482 00000 n 
-0000190464 00000 n 
-0000461998 00000 n 
-0000010537 00000 n 
-0000010594 00000 n 
-0000190593 00000 n 
-0000461905 00000 n 
-0000010649 00000 n 
-0000010719 00000 n 
-0000193941 00000 n 
-0000461812 00000 n 
-0000010774 00000 n 
-0000010823 00000 n 
-0000194070 00000 n 
-0000461719 00000 n 
-0000010878 00000 n 
-0000010940 00000 n 
-0000195666 00000 n 
-0000461626 00000 n 
-0000010995 00000 n 
-0000011044 00000 n 
-0000200932 00000 n 
-0000461508 00000 n 
-0000011099 00000 n 
-0000011161 00000 n 
-0000201061 00000 n 
-0000461429 00000 n 
-0000011221 00000 n 
-0000011260 00000 n 
-0000205874 00000 n 
-0000461336 00000 n 
-0000011320 00000 n 
-0000011354 00000 n 
-0000206003 00000 n 
-0000461243 00000 n 
-0000011414 00000 n 
-0000011455 00000 n 
-0000215148 00000 n 
-0000461164 00000 n 
-0000011515 00000 n 
-0000011567 00000 n 
-0000219215 00000 n 
-0000461046 00000 n 
-0000011616 00000 n 
-0000011649 00000 n 
-0000219344 00000 n 
-0000460928 00000 n 
-0000011703 00000 n 
-0000011775 00000 n 
-0000219472 00000 n 
-0000460849 00000 n 
-0000011834 00000 n 
-0000011878 00000 n 
-0000227235 00000 n 
-0000460770 00000 n 
-0000011937 00000 n 
-0000011990 00000 n 
-0000227624 00000 n 
-0000460677 00000 n 
-0000012044 00000 n 
-0000012094 00000 n 
-0000231152 00000 n 
-0000460584 00000 n 
-0000012148 00000 n 
-0000012186 00000 n 
-0000231411 00000 n 
-0000460491 00000 n 
-0000012240 00000 n 
-0000012289 00000 n 
-0000234395 00000 n 
-0000460359 00000 n 
-0000012343 00000 n 
-0000012395 00000 n 
-0000234524 00000 n 
-0000460280 00000 n 
-0000012454 00000 n 
-0000012506 00000 n 
-0000234653 00000 n 
-0000460187 00000 n 
-0000012565 00000 n 
-0000012618 00000 n 
-0000234781 00000 n 
-0000460108 00000 n 
-0000012677 00000 n 
-0000012726 00000 n 
-0000237954 00000 n 
-0000460029 00000 n 
-0000012780 00000 n 
-0000012860 00000 n 
-0000240635 00000 n 
-0000459896 00000 n 
-0000012907 00000 n 
-0000012959 00000 n 
-0000240764 00000 n 
-0000459817 00000 n 
-0000013008 00000 n 
-0000013052 00000 n 
-0000244507 00000 n 
-0000459685 00000 n 
-0000013101 00000 n 
-0000013163 00000 n 
-0000244636 00000 n 
-0000459606 00000 n 
-0000013217 00000 n 
-0000013265 00000 n 
-0000244765 00000 n 
-0000459527 00000 n 
-0000013319 00000 n 
-0000013370 00000 n 
-0000244894 00000 n 
-0000459448 00000 n 
-0000013419 00000 n 
-0000013466 00000 n 
-0000247817 00000 n 
-0000459315 00000 n 
-0000013513 00000 n 
-0000013550 00000 n 
-0000247946 00000 n 
-0000459197 00000 n 
-0000013599 00000 n 
-0000013638 00000 n 
-0000248075 00000 n 
-0000459132 00000 n 
-0000013692 00000 n 
-0000013770 00000 n 
-0000248204 00000 n 
-0000459039 00000 n 
-0000013819 00000 n 
-0000013886 00000 n 
-0000248333 00000 n 
-0000458960 00000 n 
-0000013935 00000 n 
-0000013980 00000 n 
-0000251823 00000 n 
-0000458841 00000 n 
-0000014028 00000 n 
-0000014060 00000 n 
-0000251952 00000 n 
-0000458723 00000 n 
-0000014109 00000 n 
-0000014149 00000 n 
-0000252081 00000 n 
-0000458658 00000 n 
-0000014203 00000 n 
-0000014264 00000 n 
-0000255086 00000 n 
-0000458526 00000 n 
-0000014313 00000 n 
-0000014363 00000 n 
-0000255215 00000 n 
-0000458422 00000 n 
-0000014417 00000 n 
-0000014470 00000 n 
-0000255344 00000 n 
-0000458343 00000 n 
-0000014529 00000 n 
-0000014568 00000 n 
-0000255473 00000 n 
-0000458264 00000 n 
-0000014627 00000 n 
-0000014665 00000 n 
-0000255602 00000 n 
-0000458132 00000 n 
-0000014714 00000 n 
-0000014771 00000 n 
-0000255731 00000 n 
-0000458067 00000 n 
-0000014825 00000 n 
-0000014872 00000 n 
-0000260386 00000 n 
-0000457949 00000 n 
-0000014921 00000 n 
-0000014983 00000 n 
-0000260515 00000 n 
-0000457870 00000 n 
-0000015037 00000 n 
-0000015092 00000 n 
-0000272524 00000 n 
-0000457777 00000 n 
-0000015146 00000 n 
-0000015187 00000 n 
-0000272653 00000 n 
-0000457698 00000 n 
-0000015241 00000 n 
-0000015293 00000 n 
-0000015647 00000 n 
-0000015895 00000 n 
-0000015346 00000 n 
-0000015769 00000 n 
-0000015832 00000 n 
-0000454676 00000 n 
-0000429844 00000 n 
-0000454502 00000 n 
-0000428640 00000 n 
-0000402388 00000 n 
-0000428466 00000 n 
-0000455674 00000 n 
-0000016554 00000 n 
-0000016369 00000 n 
-0000015980 00000 n 
-0000016491 00000 n 
-0000401703 00000 n 
-0000399559 00000 n 
-0000401539 00000 n 
-0000019729 00000 n 
-0000018919 00000 n 
-0000016639 00000 n 
-0000019041 00000 n 
-0000019165 00000 n 
-0000019290 00000 n 
-0000019415 00000 n 
-0000398705 00000 n 
-0000378347 00000 n 
-0000398531 00000 n 
-0000019540 00000 n 
-0000019603 00000 n 
-0000019666 00000 n 
-0000377418 00000 n 
-0000358090 00000 n 
-0000377245 00000 n 
-0000357347 00000 n 
-0000340623 00000 n 
-0000357174 00000 n 
-0000024201 00000 n 
-0000023019 00000 n 
-0000019853 00000 n 
-0000023513 00000 n 
-0000340088 00000 n 
-0000323171 00000 n 
-0000339904 00000 n 
-0000023576 00000 n 
-0000023639 00000 n 
-0000023764 00000 n 
-0000023889 00000 n 
-0000024014 00000 n 
-0000023169 00000 n 
-0000023362 00000 n 
-0000024139 00000 n 
-0000219408 00000 n 
-0000260579 00000 n 
-0000028887 00000 n 
-0000027852 00000 n 
-0000024325 00000 n 
-0000028324 00000 n 
-0000028449 00000 n 
-0000028002 00000 n 
-0000028164 00000 n 
-0000028574 00000 n 
-0000028699 00000 n 
-0000028824 00000 n 
-0000045085 00000 n 
-0000032049 00000 n 
-0000031490 00000 n 
-0000029011 00000 n 
-0000031612 00000 n 
-0000031737 00000 n 
-0000031862 00000 n 
-0000031986 00000 n 
-0000034990 00000 n 
-0000034180 00000 n 
-0000032160 00000 n 
-0000034302 00000 n 
-0000034427 00000 n 
-0000034552 00000 n 
-0000034677 00000 n 
-0000034802 00000 n 
-0000034927 00000 n 
-0000455792 00000 n 
-0000036310 00000 n 
-0000036000 00000 n 
-0000035075 00000 n 
-0000036122 00000 n 
-0000036247 00000 n 
-0000038326 00000 n 
-0000037641 00000 n 
-0000036421 00000 n 
-0000037763 00000 n 
-0000037888 00000 n 
-0000038012 00000 n 
-0000038137 00000 n 
-0000038263 00000 n 
-0000041276 00000 n 
-0000040533 00000 n 
-0000038424 00000 n 
-0000040835 00000 n 
-0000040961 00000 n 
-0000041024 00000 n 
-0000041087 00000 n 
-0000040675 00000 n 
-0000041213 00000 n 
-0000175797 00000 n 
-0000045148 00000 n 
-0000044236 00000 n 
-0000041387 00000 n 
-0000044707 00000 n 
-0000044386 00000 n 
-0000044545 00000 n 
-0000044833 00000 n 
-0000044959 00000 n 
-0000322683 00000 n 
-0000313733 00000 n 
-0000322506 00000 n 
-0000160487 00000 n 
-0000140423 00000 n 
-0000048449 00000 n 
-0000048138 00000 n 
-0000045272 00000 n 
-0000048260 00000 n 
-0000048386 00000 n 
-0000313385 00000 n 
-0000305814 00000 n 
-0000313208 00000 n 
-0000052496 00000 n 
-0000052106 00000 n 
-0000048599 00000 n 
-0000052433 00000 n 
-0000052248 00000 n 
-0000455910 00000 n 
-0000108922 00000 n 
-0000054360 00000 n 
-0000053923 00000 n 
-0000052620 00000 n 
-0000054045 00000 n 
-0000054171 00000 n 
-0000054234 00000 n 
-0000054297 00000 n 
-0000057319 00000 n 
-0000056757 00000 n 
-0000054471 00000 n 
-0000056879 00000 n 
-0000057005 00000 n 
-0000057131 00000 n 
-0000057256 00000 n 
-0000061879 00000 n 
-0000060960 00000 n 
-0000057430 00000 n 
-0000061438 00000 n 
-0000061564 00000 n 
-0000061110 00000 n 
-0000061274 00000 n 
-0000061690 00000 n 
-0000061816 00000 n 
-0000264541 00000 n 
-0000064403 00000 n 
-0000064032 00000 n 
-0000062003 00000 n 
-0000064340 00000 n 
-0000064174 00000 n 
-0000065610 00000 n 
-0000065425 00000 n 
-0000064527 00000 n 
-0000065547 00000 n 
-0000069130 00000 n 
-0000068132 00000 n 
-0000065708 00000 n 
-0000068439 00000 n 
-0000068565 00000 n 
-0000068274 00000 n 
-0000068691 00000 n 
-0000068817 00000 n 
-0000068942 00000 n 
-0000069068 00000 n 
-0000456028 00000 n 
-0000072611 00000 n 
-0000071734 00000 n 
-0000069267 00000 n 
-0000072046 00000 n 
-0000072172 00000 n 
-0000072298 00000 n 
-0000072424 00000 n 
-0000071876 00000 n 
-0000072548 00000 n 
-0000215212 00000 n 
-0000076509 00000 n 
-0000075946 00000 n 
-0000072748 00000 n 
-0000076068 00000 n 
-0000076194 00000 n 
-0000076320 00000 n 
-0000076446 00000 n 
-0000079982 00000 n 
-0000079421 00000 n 
-0000076633 00000 n 
-0000079543 00000 n 
-0000079669 00000 n 
-0000079795 00000 n 
-0000079919 00000 n 
-0000083984 00000 n 
-0000082787 00000 n 
-0000080106 00000 n 
-0000083418 00000 n 
-0000083544 00000 n 
-0000083670 00000 n 
-0000083795 00000 n 
-0000082945 00000 n 
-0000083102 00000 n 
-0000083259 00000 n 
-0000083921 00000 n 
-0000087585 00000 n 
-0000255795 00000 n 
-0000085192 00000 n 
-0000084881 00000 n 
-0000084108 00000 n 
-0000085003 00000 n 
-0000085129 00000 n 
-0000087900 00000 n 
-0000087337 00000 n 
-0000085303 00000 n 
-0000087459 00000 n 
-0000087711 00000 n 
-0000087837 00000 n 
-0000456146 00000 n 
-0000088332 00000 n 
-0000088147 00000 n 
-0000087998 00000 n 
-0000088269 00000 n 
-0000092527 00000 n 
-0000091779 00000 n 
-0000088373 00000 n 
-0000092087 00000 n 
-0000092213 00000 n 
-0000092338 00000 n 
-0000092401 00000 n 
-0000092464 00000 n 
-0000091921 00000 n 
-0000096191 00000 n 
-0000096506 00000 n 
-0000095943 00000 n 
-0000092625 00000 n 
-0000096065 00000 n 
-0000096317 00000 n 
-0000096443 00000 n 
-0000099891 00000 n 
-0000099329 00000 n 
-0000096643 00000 n 
-0000099451 00000 n 
-0000099577 00000 n 
-0000099703 00000 n 
-0000099829 00000 n 
-0000102386 00000 n 
-0000103877 00000 n 
-0000102264 00000 n 
-0000100002 00000 n 
-0000103311 00000 n 
-0000304963 00000 n 
-0000295822 00000 n 
-0000304791 00000 n 
-0000103437 00000 n 
-0000103500 00000 n 
-0000103563 00000 n 
-0000103689 00000 n 
-0000103815 00000 n 
-0000108985 00000 n 
-0000108085 00000 n 
-0000104029 00000 n 
-0000108544 00000 n 
-0000108607 00000 n 
-0000108670 00000 n 
-0000108796 00000 n 
-0000108235 00000 n 
-0000108386 00000 n 
-0000456264 00000 n 
-0000273167 00000 n 
-0000113174 00000 n 
-0000111997 00000 n 
-0000109109 00000 n 
-0000112482 00000 n 
-0000112608 00000 n 
-0000112734 00000 n 
-0000112860 00000 n 
-0000112985 00000 n 
-0000112147 00000 n 
-0000112298 00000 n 
-0000113111 00000 n 
-0000116510 00000 n 
-0000116073 00000 n 
-0000113311 00000 n 
-0000116195 00000 n 
-0000116321 00000 n 
-0000116447 00000 n 
-0000120803 00000 n 
-0000120618 00000 n 
-0000116634 00000 n 
-0000120740 00000 n 
-0000123651 00000 n 
-0000123156 00000 n 
-0000120914 00000 n 
-0000123464 00000 n 
-0000123298 00000 n 
-0000123589 00000 n 
-0000126920 00000 n 
-0000126483 00000 n 
-0000123762 00000 n 
-0000126605 00000 n 
-0000126668 00000 n 
-0000126731 00000 n 
-0000126857 00000 n 
-0000129668 00000 n 
-0000129060 00000 n 
-0000127031 00000 n 
-0000129354 00000 n 
-0000129480 00000 n 
-0000129202 00000 n 
-0000129606 00000 n 
-0000456382 00000 n 
-0000131221 00000 n 
-0000131036 00000 n 
-0000129779 00000 n 
-0000131158 00000 n 
-0000134503 00000 n 
-0000136328 00000 n 
-0000134381 00000 n 
-0000131319 00000 n 
-0000136139 00000 n 
-0000136265 00000 n 
-0000135971 00000 n 
-0000136028 00000 n 
-0000136117 00000 n 
-0000140486 00000 n 
-0000139999 00000 n 
-0000136493 00000 n 
-0000140297 00000 n 
-0000140141 00000 n 
-0000183150 00000 n 
-0000144638 00000 n 
-0000144280 00000 n 
-0000140610 00000 n 
-0000144575 00000 n 
-0000144422 00000 n 
-0000149666 00000 n 
-0000148549 00000 n 
-0000144762 00000 n 
-0000149603 00000 n 
-0000148723 00000 n 
-0000148879 00000 n 
-0000149063 00000 n 
-0000149236 00000 n 
-0000149419 00000 n 
-0000186346 00000 n 
-0000154340 00000 n 
-0000153381 00000 n 
-0000149857 00000 n 
-0000154025 00000 n 
-0000154151 00000 n 
-0000153539 00000 n 
-0000154277 00000 n 
-0000153707 00000 n 
-0000153870 00000 n 
-0000456500 00000 n 
-0000195730 00000 n 
-0000179458 00000 n 
-0000157332 00000 n 
-0000156895 00000 n 
-0000154464 00000 n 
-0000157017 00000 n 
-0000157143 00000 n 
-0000157269 00000 n 
-0000295278 00000 n 
-0000286975 00000 n 
-0000295105 00000 n 
-0000160550 00000 n 
-0000160239 00000 n 
-0000157497 00000 n 
-0000160361 00000 n 
-0000164618 00000 n 
-0000164308 00000 n 
-0000160702 00000 n 
-0000164430 00000 n 
-0000164556 00000 n 
-0000168622 00000 n 
-0000167991 00000 n 
-0000164770 00000 n 
-0000168307 00000 n 
-0000168133 00000 n 
-0000168433 00000 n 
-0000168559 00000 n 
-0000171898 00000 n 
-0000171282 00000 n 
-0000168733 00000 n 
-0000171583 00000 n 
-0000171709 00000 n 
-0000171835 00000 n 
-0000171424 00000 n 
-0000175861 00000 n 
-0000175189 00000 n 
-0000172063 00000 n 
-0000175668 00000 n 
-0000175345 00000 n 
-0000175501 00000 n 
-0000456618 00000 n 
-0000179522 00000 n 
-0000179073 00000 n 
-0000175973 00000 n 
-0000179199 00000 n 
-0000179264 00000 n 
-0000179329 00000 n 
-0000183213 00000 n 
-0000182584 00000 n 
-0000179714 00000 n 
-0000182892 00000 n 
-0000183021 00000 n 
-0000182731 00000 n 
-0000186410 00000 n 
-0000185832 00000 n 
-0000183392 00000 n 
-0000185958 00000 n 
-0000186023 00000 n 
-0000186088 00000 n 
-0000186217 00000 n 
-0000190721 00000 n 
-0000190098 00000 n 
-0000186522 00000 n 
-0000190399 00000 n 
-0000190528 00000 n 
-0000190656 00000 n 
-0000190245 00000 n 
-0000194199 00000 n 
-0000193750 00000 n 
-0000190833 00000 n 
-0000193876 00000 n 
-0000194005 00000 n 
-0000194134 00000 n 
-0000195794 00000 n 
-0000195475 00000 n 
-0000194311 00000 n 
-0000195601 00000 n 
-0000456743 00000 n 
-0000197075 00000 n 
-0000196884 00000 n 
-0000195906 00000 n 
-0000197010 00000 n 
-0000201320 00000 n 
-0000200741 00000 n 
-0000197174 00000 n 
-0000200867 00000 n 
-0000200996 00000 n 
-0000201125 00000 n 
-0000201190 00000 n 
-0000201255 00000 n 
-0000206132 00000 n 
-0000204799 00000 n 
-0000201432 00000 n 
-0000205809 00000 n 
-0000205938 00000 n 
-0000206067 00000 n 
-0000204982 00000 n 
-0000205143 00000 n 
-0000205305 00000 n 
-0000205467 00000 n 
-0000205638 00000 n 
-0000244957 00000 n 
-0000210828 00000 n 
-0000209597 00000 n 
-0000206257 00000 n 
-0000210763 00000 n 
-0000209789 00000 n 
-0000209952 00000 n 
-0000210114 00000 n 
-0000210276 00000 n 
-0000210438 00000 n 
-0000210600 00000 n 
-0000215406 00000 n 
-0000213937 00000 n 
-0000210953 00000 n 
-0000215083 00000 n 
-0000214129 00000 n 
-0000214282 00000 n 
-0000214444 00000 n 
-0000214605 00000 n 
-0000214767 00000 n 
-0000214929 00000 n 
-0000215276 00000 n 
-0000215341 00000 n 
-0000219861 00000 n 
-0000218663 00000 n 
-0000215518 00000 n 
-0000219150 00000 n 
-0000219279 00000 n 
-0000219536 00000 n 
-0000218819 00000 n 
-0000218989 00000 n 
-0000219601 00000 n 
-0000219666 00000 n 
-0000219731 00000 n 
-0000219796 00000 n 
-0000456868 00000 n 
-0000223962 00000 n 
-0000223317 00000 n 
-0000219973 00000 n 
-0000223639 00000 n 
-0000223704 00000 n 
-0000223769 00000 n 
-0000223464 00000 n 
-0000223834 00000 n 
-0000223899 00000 n 
-0000255279 00000 n 
-0000227753 00000 n 
-0000227044 00000 n 
-0000224061 00000 n 
-0000227170 00000 n 
-0000227299 00000 n 
-0000227364 00000 n 
-0000227429 00000 n 
-0000227494 00000 n 
-0000227559 00000 n 
-0000227688 00000 n 
-0000231670 00000 n 
-0000230831 00000 n 
-0000227865 00000 n 
-0000230957 00000 n 
-0000231022 00000 n 
-0000231087 00000 n 
-0000231216 00000 n 
-0000231281 00000 n 
-0000231346 00000 n 
-0000231475 00000 n 
-0000231540 00000 n 
-0000231605 00000 n 
-0000234909 00000 n 
-0000234204 00000 n 
-0000231795 00000 n 
-0000234330 00000 n 
-0000234459 00000 n 
-0000234588 00000 n 
-0000286620 00000 n 
-0000284622 00000 n 
-0000286455 00000 n 
-0000234716 00000 n 
-0000234844 00000 n 
-0000238213 00000 n 
-0000237763 00000 n 
-0000235102 00000 n 
-0000237889 00000 n 
-0000238018 00000 n 
-0000238083 00000 n 
-0000238148 00000 n 
-0000240892 00000 n 
-0000239984 00000 n 
-0000238351 00000 n 
-0000240570 00000 n 
-0000240699 00000 n 
-0000240828 00000 n 
-0000240140 00000 n 
-0000240355 00000 n 
-0000456993 00000 n 
-0000245022 00000 n 
-0000244316 00000 n 
-0000241018 00000 n 
-0000244442 00000 n 
-0000284301 00000 n 
-0000275088 00000 n 
-0000284115 00000 n 
-0000244571 00000 n 
-0000244700 00000 n 
-0000244829 00000 n 
-0000248461 00000 n 
-0000247235 00000 n 
-0000245187 00000 n 
-0000247752 00000 n 
-0000247881 00000 n 
-0000248010 00000 n 
-0000248139 00000 n 
-0000248268 00000 n 
-0000248397 00000 n 
-0000247391 00000 n 
-0000247563 00000 n 
-0000248915 00000 n 
-0000248724 00000 n 
-0000248574 00000 n 
-0000248850 00000 n 
-0000252210 00000 n 
-0000251632 00000 n 
-0000248957 00000 n 
-0000251758 00000 n 
-0000251887 00000 n 
-0000252016 00000 n 
-0000252145 00000 n 
-0000256119 00000 n 
-0000254895 00000 n 
-0000252296 00000 n 
-0000255021 00000 n 
-0000255150 00000 n 
-0000255408 00000 n 
-0000255537 00000 n 
-0000255666 00000 n 
-0000255859 00000 n 
-0000255924 00000 n 
-0000255989 00000 n 
-0000256054 00000 n 
-0000261290 00000 n 
-0000259309 00000 n 
-0000256245 00000 n 
-0000260192 00000 n 
-0000260257 00000 n 
-0000260321 00000 n 
-0000260450 00000 n 
-0000259483 00000 n 
-0000259662 00000 n 
-0000259840 00000 n 
-0000260016 00000 n 
-0000260643 00000 n 
-0000260708 00000 n 
-0000260773 00000 n 
-0000260838 00000 n 
-0000260903 00000 n 
-0000260968 00000 n 
-0000261033 00000 n 
-0000261098 00000 n 
-0000261162 00000 n 
-0000261226 00000 n 
-0000457118 00000 n 
-0000267976 00000 n 
-0000264285 00000 n 
-0000261442 00000 n 
-0000264411 00000 n 
-0000264476 00000 n 
-0000264605 00000 n 
-0000264670 00000 n 
-0000264734 00000 n 
-0000264799 00000 n 
-0000264864 00000 n 
-0000264929 00000 n 
-0000264994 00000 n 
-0000265059 00000 n 
-0000265124 00000 n 
-0000265188 00000 n 
-0000265253 00000 n 
-0000265318 00000 n 
-0000265382 00000 n 
-0000265447 00000 n 
-0000265512 00000 n 
-0000265577 00000 n 
-0000265642 00000 n 
-0000265707 00000 n 
-0000265772 00000 n 
-0000265837 00000 n 
-0000265902 00000 n 
-0000265967 00000 n 
-0000266032 00000 n 
-0000266097 00000 n 
-0000266161 00000 n 
-0000266226 00000 n 
-0000266291 00000 n 
-0000266356 00000 n 
-0000266421 00000 n 
-0000266486 00000 n 
-0000266551 00000 n 
-0000266616 00000 n 
-0000266681 00000 n 
-0000266746 00000 n 
-0000266811 00000 n 
-0000266876 00000 n 
-0000266941 00000 n 
-0000267006 00000 n 
-0000267070 00000 n 
-0000267135 00000 n 
-0000267200 00000 n 
-0000267265 00000 n 
-0000267330 00000 n 
-0000267395 00000 n 
-0000267460 00000 n 
-0000267525 00000 n 
-0000267590 00000 n 
-0000267655 00000 n 
-0000267720 00000 n 
-0000267784 00000 n 
-0000267848 00000 n 
-0000267912 00000 n 
-0000273042 00000 n 
-0000270386 00000 n 
-0000268088 00000 n 
-0000270512 00000 n 
-0000270577 00000 n 
-0000270642 00000 n 
-0000270707 00000 n 
-0000270772 00000 n 
-0000270837 00000 n 
-0000270902 00000 n 
-0000270967 00000 n 
-0000271032 00000 n 
-0000271097 00000 n 
-0000271162 00000 n 
-0000271227 00000 n 
-0000271292 00000 n 
-0000271357 00000 n 
-0000271422 00000 n 
-0000271487 00000 n 
-0000271552 00000 n 
-0000271617 00000 n 
-0000271682 00000 n 
-0000271747 00000 n 
-0000271812 00000 n 
-0000271877 00000 n 
-0000271942 00000 n 
-0000272007 00000 n 
-0000272072 00000 n 
-0000272136 00000 n 
-0000272201 00000 n 
-0000272265 00000 n 
-0000272330 00000 n 
-0000272395 00000 n 
-0000272460 00000 n 
-0000272588 00000 n 
-0000272717 00000 n 
-0000272782 00000 n 
-0000272847 00000 n 
-0000272912 00000 n 
-0000272977 00000 n 
-0000273199 00000 n 
-0000284543 00000 n 
-0000286867 00000 n 
-0000286836 00000 n 
-0000295563 00000 n 
-0000305378 00000 n 
-0000313628 00000 n 
-0000322946 00000 n 
-0000340428 00000 n 
-0000357767 00000 n 
-0000377972 00000 n 
-0000399109 00000 n 
-0000402190 00000 n 
-0000401960 00000 n 
-0000429215 00000 n 
-0000455190 00000 n 
-0000457216 00000 n 
-0000457336 00000 n 
-0000457460 00000 n 
-0000457540 00000 n 
-0000457622 00000 n 
-0000471804 00000 n 
-0000483877 00000 n 
-0000483918 00000 n 
-0000483958 00000 n 
-0000484092 00000 n 
-trailer
-<<
-/Size 1351
-/Root 1349 0 R
-/Info 1350 0 R
-/ID [<074F60B6803A3962AEA60A9080600248> <074F60B6803A3962AEA60A9080600248>]
->>
-startxref
-484356
-%%EOF
diff --git a/doc/arm/Makefile.in b/doc/arm/Makefile.in
index 019ed09a..ede93425 100644
--- a/doc/arm/Makefile.in
+++ b/doc/arm/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2001, 2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.8.2.7 2007/02/07 23:57:56 marka Exp $
+# $Id: Makefile.in,v 1.8.2.2.8.3 2004/03/08 09:04:24 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -23,41 +23,47 @@ top_srcdir =	@top_srcdir@
 
 MANOBJS = Bv9ARM.html
 
-PDFOBJS = Bv9ARM.pdf
-
 distclean::
 	rm -f validate.sh
 	rm -f nominum-docbook-html.dsl nominum-docbook-print.dsl
 	rm -f HTML.index HTML.manifest
 
-doc man:: ${MANOBJS} ${PDFOBJS}
+doc man:: ${MANOBJS}
 
-clean::
-	rm -f Bv9ARM.aux Bv9ARM.brf Bv9ARM.glo Bv9ARM.idx
-	rm -f Bv9ARM.log Bv9ARM.out Bv9ARM.tex Bv9ARM.tex.tmp
+docclean manclean maintainer-clean::
+	rm -f *.html
 
-docclean manclean maintainer-clean:: clean
-	rm -f *.html *.pdf
+Bv9ARM.html: Bv9ARM-book.xml nominum-docbook-html.dsl
+	${OPENJADE} -v \
+	    -c ${SGMLCATALOG} \
+	    -t sgml \
+	    -d ./nominum-docbook-html.dsl \
+	    ${XMLDCL} ./Bv9ARM-book.xml
+	rm -f HTML.index HTML.manifest
 
-Bv9ARM.html: Bv9ARM-book.xml
-	${XSLTPROC} --stringparam root.filename Bv9ARM \
-		${top_srcdir}/doc/xsl/isc-docbook-chunk.xsl \
-		Bv9ARM-book.xml
+Bv9ARM-book.rtf: Bv9ARM-book.xml nominum-docbook-print.dsl
+	${OPENJADE} -v \
+	    -c ${SGMLCATALOG} \
+	    -t rtf \
+	    -d ./nominum-docbook-print.dsl \
+	    ${XMLDCL} ./Bv9ARM-book.xml
 
-Bv9ARM.tex: Bv9ARM-book.xml
-	${XSLTPROC} ${top_srcdir}/doc/xsl/pre-latex.xsl Bv9ARM-book.xml | \
-	${XSLTPROC} ${top_srcdir}/doc/xsl/isc-docbook-latex.xsl - | \
-	@PERL@ latex-fixup.pl >$@.tmp 
-	if test -s $@.tmp; then mv $@.tmp $@; else rm -f $@.tmp; exit 1; fi
+Bv9ARM-book.tex: Bv9ARM-book.xml nominum-docbook-print.dsl
+	${OPENJADE} -v \
+	     -c ${SGMLCATALOG} \
+	     -d ./nominum-docbook-print.dsl \
+	     -t tex \
+	     ${XMLDCL} ./Bv9ARM-book.xml
 
-Bv9ARM.dvi: Bv9ARM.tex
+Bv9ARM-book.dvi: Bv9ARM-book.tex
 	rm -f Bv9ARM-book.aux Bv9ARM-book.dvi Bv9ARM-book.log
-	${LATEX} '\batchmode\input Bv9ARM.tex' || (rm -f $@; exit 1)
-	${LATEX} '\batchmode\input Bv9ARM.tex' || (rm -f $@; exit 1)
-	${LATEX} '\batchmode\input Bv9ARM.tex' || (rm -f $@; exit 1)
+	${JADETEX} ./Bv9ARM-book.tex || true
+	${JADETEX} ./Bv9ARM-book.tex || true
+	${JADETEX} ./Bv9ARM-book.tex || true
 
-Bv9ARM.pdf: Bv9ARM.tex
+Bv9ARM-book.pdf: Bv9ARM-book.tex
 	rm -f Bv9ARM-book.aux Bv9ARM-book.pdf Bv9ARM-book.log
-	${PDFLATEX} '\batchmode\input Bv9ARM.tex' || (rm -f $@; exit 1)
-	${PDFLATEX} '\batchmode\input Bv9ARM.tex' || (rm -f $@; exit 1)
-	${PDFLATEX} '\batchmode\input Bv9ARM.tex' || (rm -f $@; exit 1)
+	${PDFJADETEX} ./Bv9ARM-book.tex || true
+	${PDFJADETEX} ./Bv9ARM-book.tex || true
+	${PDFJADETEX} ./Bv9ARM-book.tex || true
+
diff --git a/doc/arm/README-SGML b/doc/arm/README-SGML
index 9a1f4bbc..8e7bc4eb 100644
--- a/doc/arm/README-SGML
+++ b/doc/arm/README-SGML
@@ -4,7 +4,7 @@ See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
 
 The BIND v9 ARM master document is now kept in DocBook XML format.
 
-Version: $Id: README-SGML,v 1.16.2.1 2004/03/09 06:10:37 marka Exp $
+Version: $Id: README-SGML,v 1.16.206.1 2004/03/06 13:16:14 marka Exp $
 
 The entire ARM is in the single file:
 
diff --git a/doc/arm/isc.color.gif b/doc/arm/isc.color.gif
new file mode 100644
index 00000000..09c327cc
--- /dev/null
+++ b/doc/arm/isc.color.gif
diff --git a/doc/arm/latex-fixup.pl b/doc/arm/latex-fixup.pl
deleted file mode 100644
index e2f58051..00000000
--- a/doc/arm/latex-fixup.pl
+++ /dev/null
@@ -1,45 +0,0 @@
-#!/usr/bin/perl -w
-#
-# Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: latex-fixup.pl,v 1.2.8.1 2005/05/12 21:35:16 sra Exp $
-
-# Sadly, the final stages of generating a presentable PDF file always
-# seem to require some manual tweaking.  Doesn't seem to matter what
-# typesetting tool one uses, sane forms of automation only go so far,
-# at least with present technology.
-#
-# This script is intended to be a collection of tweaks.  The theory is
-# that, while we can't avoid the need for tweaking, we can at least
-# write the silly things down in a form that a program might be able
-# to execute.  Undoubtedly everythig in here will break, eventually,
-# at which point it will need to be updated, but since the alternative
-# is to do the final editing by hand every time, this approach seems
-# the lesser of two evils.
-
-while (<>) {
-
-    # At the moment, the only tweak we have is fixup for a db2latex
-    # oops.  LaTeX2e does not like having tables with duplicate names.
-    # Perhaps the dblatex project will fix this someday, but we can
-    # get by with just deleting the offending LaTeX commands for now.
-
-    s/\\addtocounter\{table\}\{-1\}//g;
-
-    # Add any further tweaking here.
-
-    # Write out whatever we have now.
-    print;
-}
diff --git a/doc/arm/nominum-docbook-html.dsl.in b/doc/arm/nominum-docbook-html.dsl.in
new file mode 100644
index 00000000..33fc9387
--- /dev/null
+++ b/doc/arm/nominum-docbook-html.dsl.in
@@ -0,0 +1,148 @@
+<!DOCTYPE style-sheet PUBLIC "-//James Clark//DTD DSSSL Style Sheet//EN" [
+<!ENTITY dbstyle SYSTEM "@HTMLSTYLE@" CDATA DSSSL>
+]>
+
+<style-sheet>
+<style-specification use="docbook">
+<style-specification-body>
+
+<!-- ;; your stuff goes here... -->
+
+(define %html-prefix% 
+  ;; Add the specified prefix to HTML output filenames
+  "Bv9ARM.")
+
+(define %use-id-as-filename%
+  ;; Use ID attributes as name for component HTML files?
+  #t)
+
+(define %root-filename%
+  ;; Name for the root HTML document
+  "Bv9ARM")
+
+(define %section-autolabel%
+  ;; REFENTRY section-autolabel
+  ;; PURP Are sections enumerated?
+  ;; DESC
+  ;; If true, unlabeled sections will be enumerated.
+  ;; /DESC
+  ;; AUTHOR N/A
+  ;; /REFENTRY
+  #t)
+
+(define %html-ext% 
+  ;; REFENTRY html-ext
+  ;; PURP Default extension for HTML output files
+  ;; DESC
+  ;; The default extension for HTML output files.
+  ;; /DESC
+  ;; AUTHOR N/A
+  ;; /REFENTRY
+  ".html")
+
+(define nochunks
+  ;; REFENTRY nochunks
+  ;; PURP Suppress chunking of output pages
+  ;; DESC
+  ;; If true, the entire source document is formatted as a single HTML
+  ;; document and output on stdout.
+  ;; (This option can conveniently be set with '-V nochunks' on the 
+  ;; Jade command line).
+  ;; /DESC
+  ;; AUTHOR N/A
+  ;; /REFENTRY
+  #f)
+
+(define rootchunk
+  ;; REFENTRY rootchunk
+  ;; PURP Make a chunk for the root element when nochunks is used
+  ;; DESC
+  ;; If true, a chunk will be created for the root element, even though
+  ;; nochunks is specified. This option has no effect if nochunks is not
+  ;; true.
+  ;; (This option can conveniently be set with '-V rootchunk' on the 
+  ;; Jade command line).
+  ;; /DESC
+  ;; AUTHOR N/A
+  ;; /REFENTRY
+  #t)
+
+(define html-index
+  ;; REFENTRY html-index
+  ;; PURP HTML indexing?
+  ;; DESC
+  ;; Turns on HTML indexing.  If true, then index data will be written
+  ;; to the file defined by 'html-index-filename'.  This data can be
+  ;; collated and turned into a DocBook index with bin/collateindex.pl.
+  ;; /DESC
+  ;; AUTHOR N/A
+  ;; /REFENTRY
+  #t)
+
+(define html-manifest
+  ;; REFENTRY html-manifest
+  ;; PURP Write a manifest?
+  ;; DESC
+  ;; If not '#f' then the list of HTML files created by the stylesheet
+  ;; will be written to the file named by 'html-manifest-filename'.
+  ;; /DESC
+  ;; AUTHOR N/A
+  ;; /REFENTRY
+  #t)
+
+(define (chunk-element-list)
+  (list (normalize "preface")
+	(normalize "chapter")
+	(normalize "appendix") 
+	(normalize "article")
+	(normalize "glossary")
+	(normalize "bibliography")
+	(normalize "index")
+	(normalize "colophon")
+	(normalize "setindex")
+	(normalize "reference")
+	(normalize "refentry")
+	(normalize "part")
+	(normalize "book") ;; just in case nothing else matches...
+	(normalize "set")  ;; sets are definitely chunks...
+	))
+
+;
+; Add some cell padding to tables so that they don't look so cramped
+; in Netscape.
+;
+; The following definition was cut-and-pasted from dbtable.dsl and the 
+; single line containing the word CELLPADDING was added.
+;
+(element tgroup
+  (let* ((wrapper   (parent (current-node)))
+	 (frameattr (attribute-string (normalize "frame") wrapper))
+	 (pgwide    (attribute-string (normalize "pgwide") wrapper))
+	 (footnotes (select-elements (descendants (current-node)) 
+				     (normalize "footnote")))
+	 (border (if (equal? frameattr (normalize "none"))
+		     '(("BORDER" "0"))
+		     '(("BORDER" "1"))))
+	 (width (if (equal? pgwide "1")
+		    (list (list "WIDTH" ($table-width$)))
+		    '()))
+	 (head (select-elements (children (current-node)) (normalize "thead")))
+	 (body (select-elements (children (current-node)) (normalize "tbody")))
+	 (feet (select-elements (children (current-node)) (normalize "tfoot"))))
+    (make element gi: "TABLE"
+	  attributes: (append
+		       '(("CELLPADDING" "3"))
+		       border
+		       width
+		       (if %cals-table-class%
+			   (list (list "CLASS" %cals-table-class%))
+			   '()))
+	  (process-node-list head)
+	  (process-node-list body)
+	  (process-node-list feet)
+	  (make-table-endnotes))))
+
+</style-specification-body>
+</style-specification>
+<external-specification id="docbook" document="dbstyle">
+</style-sheet>
diff --git a/doc/arm/nominum-docbook-print.dsl.in b/doc/arm/nominum-docbook-print.dsl.in
new file mode 100644
index 00000000..511d6c48
--- /dev/null
+++ b/doc/arm/nominum-docbook-print.dsl.in
@@ -0,0 +1,42 @@
+<!DOCTYPE style-sheet PUBLIC "-//James Clark//DTD DSSSL Style Sheet//EN" [
+<!ENTITY dbstyle SYSTEM "@PRINTSTYLE@" CDATA DSSSL>
+]>
+
+
+<style-sheet>
+<style-specification use="docbook">
+<style-specification-body>
+
+<!-- ;; your stuff goes here... -->
+
+(define %generate-book-titlepage% #t)
+
+(define %section-autolabel%
+  ;; REFENTRY section-autolabel
+  ;; PURP Are sections enumerated?
+  ;; DESC
+  ;; If true, unlabeled sections will be enumerated.
+  ;; /DESC
+  ;; AUTHOR N/A
+  ;; /REFENTRY
+  #t)
+
+;; Margins around cell contents
+;; (define %cals-cell-before-row-margin% 20pt)
+;; (define %cals-cell-after-row-margin% 20pt)
+
+;; seems to be a bug in JadeTeX -- we get a wierd indent on table
+;;   cells for the first line only.  This is a workaround.
+;; Adam Di Carlo, adam@onshore.com
+(define %cals-cell-before-column-margin% 5pt)
+(define %cals-cell-after-column-margin% 5pt)
+
+;; Inheritable start and end indent for cell contents
+(define %cals-cell-content-start-indent% 5pt)
+(define %cals-cell-content-end-indent% 5pt)
+
+
+</style-specification-body>
+</style-specification>
+<external-specification id="docbook" document="dbstyle">
+</style-sheet>
diff --git a/doc/arm/validate.sh.in b/doc/arm/validate.sh.in
new file mode 100644
index 00000000..f50d8a09
--- /dev/null
+++ b/doc/arm/validate.sh.in
@@ -0,0 +1,21 @@
+#!/bin/sh
+#
+# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2000, 2001  Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: validate.sh.in,v 1.2.206.1 2004/03/06 13:16:14 marka Exp $
+
+nsgmls -sv @SGMLDIR@/docbook/dsssl/modular/dtds/decls/xml.dcl \
+       Bv9ARM-book.xml
diff --git a/doc/draft/draft-ietf-dnsext-2929bis-01.txt b/doc/draft/draft-ietf-dnsext-2929bis-01.txt
deleted file mode 100644
index fa41e763..00000000
--- a/doc/draft/draft-ietf-dnsext-2929bis-01.txt
+++ /dev/null
@@ -1,928 +0,0 @@
-
-INTERNET-DRAFT                                    Donald E. Eastlake 3rd
-Obsoletes RFC 2929, Updates RFC 1183               Motorola Laboratories
-Expires: February 2006                                       August 2005
-
-
-
-              Domain Name System (DNS) IANA Considerations
-              ------ ---- ------ ----- ---- --------------
-                   <draft-ietf-dnsext-2929bis-01.txt>
-
-
-
-Status of This Document
-
-   By submitting this Internet-Draft, each author represents that any
-   applicable patent or other IPR claims of which he or she is aware
-   have been or will be disclosed, and any of which he or she becomes
-   aware will be disclosed, in accordance with Section 6 of BCP 79.
-
-   Distribution of this draft is unlimited.  It is intended to become
-   the new BCP 42 obsoleting RFC 2929.  Comments should be sent to the
-   DNS Working Group mailing list <namedroppers@ops.ietf.org>.
-
-   Internet-Drafts are working documents of the Internet Engineering
-   Task Force (IETF), its areas, and its working groups.  Note that
-   other groups may also distribute working documents as Internet-
-   Drafts.
-
-   Internet-Drafts are draft documents valid for a maximum of six months
-   and may be updated, replaced, or obsoleted by other documents at any
-   time.  It is inappropriate to use Internet-Drafts as reference
-   material or to cite them other than a "work in progress."
-
-   The list of current Internet-Drafts can be accessed at
-   http://www.ietf.org/1id-abstracts.html
-
-   The list of Internet-Draft Shadow Directories can be accessed at
-   http://www.ietf.org/shadow.html
-
-
-
-Abstract
-
-   Internet Assigned Number Authority (IANA) parameter assignment
-   considerations are given for the allocation of Domain Name System
-   (DNS) classes, RR types, operation codes, error codes, RR header
-   bits, and AFSDB subtypes.
-
-
-
-
-
-
-
-
-D. Eastlake 3rd                                                 [Page 1]
-
-
-INTERNET-DRAFT           DNS IANA Considerations             August 2005
-
-
-Table of Contents
-
-      Status of This Document....................................1
-      Abstract...................................................1
-
-      Table of Contents..........................................2
-
-      1. Introduction............................................3
-      2. DNS Query/Response Headers..............................3
-      2.1 One Spare Bit?.........................................4
-      2.2 Opcode Assignment......................................4
-      2.3 RCODE Assignment.......................................5
-      3. DNS Resource Records....................................6
-      3.1 RR TYPE IANA Considerations............................7
-      3.1.1 DNS TYPE Allocation Policy...........................8
-      3.1.2 Special Note on the OPT RR...........................9
-      3.1.3 The AFSDB RR Subtype Field...........................9
-      3.2 RR CLASS IANA Considerations...........................9
-      3.3 RR NAME Considerations................................11
-      4. Security Considerations................................11
-
-      Appendix: Changes from RFC 2929...........................12
-
-      Copyright and Disclaimer..................................13
-      Normative References......................................13
-      Informative References....................................14
-
-      Authors Addresses.........................................16
-      Expiration and File Name..................................16
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-D. Eastlake 3rd                                                 [Page 2]
-
-
-INTERNET-DRAFT           DNS IANA Considerations             August 2005
-
-
-1. Introduction
-
-   The Domain Name System (DNS) provides replicated distributed secure
-   hierarchical databases which hierarchically store "resource records"
-   (RRs) under domain names.  DNS data is structured into CLASSes and
-   zones which can be independently maintained.  See [RFC 1034, 1035,
-   2136, 2181, 4033] familiarity with which is assumed.
-
-   This document provides, either directly or by reference, general IANA
-   parameter assignment considerations applying across DNS query and
-   response headers and all RRs.  There may be additional IANA
-   considerations that apply to only a particular RR type or
-   query/response opcode.  See the specific RFC defining that RR type or
-   query/response opcode for such considerations if they have been
-   defined, except for AFSDB RR considerations [RFC 1183] which are
-   included herein. This RFC obsoletes [RFC 2929].
-
-   IANA currently maintains a web page of DNS parameters.  See
-   <http://www.iana.org/numbers.htm>.
-
-   "IETF Standards Action", "IETF Consensus", "Specification Required",
-   and "Private Use" are as defined in [RFC 2434].
-
-
-
-2. DNS Query/Response Headers
-
-   The header for DNS queries and responses contains field/bits in the
-   following diagram taken from [RFC 2136, 2929]:
-
-                                              1  1  1  1  1  1
-                0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
-               +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-               |                      ID                       |
-               +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-               |QR|   Opcode  |AA|TC|RD|RA| Z|AD|CD|   RCODE   |
-               +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-               |                QDCOUNT/ZOCOUNT                |
-               +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-               |                ANCOUNT/PRCOUNT                |
-               +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-               |                NSCOUNT/UPCOUNT                |
-               +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-               |                    ARCOUNT                    |
-               +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-
-   The ID field identifies the query and is echoed in the response so
-   they can be matched.
-
-   The QR bit indicates whether the header is for a query or a response.
-
-
-D. Eastlake 3rd                                                 [Page 3]
-
-
-INTERNET-DRAFT           DNS IANA Considerations             August 2005
-
-
-   The AA, TC, RD, RA, AD, and CD bits are each theoretically meaningful
-   only in queries or only in responses, depending on the bit.  However,
-   many DNS implementations copy the query header as the initial value
-   of the response header without clearing bits.  Thus any attempt to
-   use a "query" bit with a different meaning in a response or to define
-   a query meaning for a "response" bit is dangerous given existing
-   implementation.  Such meanings may only be assigned by an IETF
-   Standards Action.
-
-   The unsigned fields query count (QDCOUNT), answer count (ANCOUNT),
-   authority count (NSCOUNT), and additional information count (ARCOUNT)
-   express the number of records in each section for all opcodes except
-   Update.  These fields have the same structure and data type for
-   Update but are instead the counts for the zone (ZOCOUNT),
-   prerequisite (PRCOUNT), update (UPCOUNT), and additional information
-   (ARCOUNT) sections.
-
-
-
-2.1 One Spare Bit?
-
-   There have been ancient DNS implementations for which the Z bit being
-   on in a query meant that only a response from the primary server for
-   a zone is acceptable.  It is believed that current DNS
-   implementations ignore this bit.
-
-   Assigning a meaning to the Z bit requires an IETF Standards Action.
-
-
-
-2.2 Opcode Assignment
-
-   Currently DNS OpCodes are assigned as follows:
-
-          OpCode Name                      Reference
-
-           0     Query                     [RFC 1035]
-           1     IQuery  (Inverse Query, Obsolete) [RFC 3425]
-           2     Status                    [RFC 1035]
-           3     available for assignment
-           4     Notify                    [RFC 1996]
-           5     Update                    [RFC 2136]
-          6-15   available for assignment
-
-   New OpCode assignments require an IETF Standards Action as modified
-   by [RFC 4020].
-
-
-
-
-
-
-D. Eastlake 3rd                                                 [Page 4]
-
-
-INTERNET-DRAFT           DNS IANA Considerations             August 2005
-
-
-2.3 RCODE Assignment
-
-   It would appear from the DNS header above that only four bits of
-   RCODE, or response/error code are available.  However, RCODEs can
-   appear not only at the top level of a DNS response but also inside
-   OPT RRs [RFC 2671], TSIG RRs [RFC 2845], and TKEY RRs [RFC 2930].
-   The OPT RR provides an eight bit extension resulting in a 12 bit
-   RCODE field and the TSIG and TKEY RRs have a 16 bit RCODE field.
-
-   Error codes appearing in the DNS header and in these three RR types
-   all refer to the same error code space with the single exception of
-   error code 16 which has a different meaning in the OPT RR from its
-   meaning in other contexts.  See table below.
-
-        RCODE   Name    Description                        Reference
-        Decimal
-          Hexadecimal
-         0    NoError   No Error                           [RFC 1035]
-         1    FormErr   Format Error                       [RFC 1035]
-         2    ServFail  Server Failure                     [RFC 1035]
-         3    NXDomain  Non-Existent Domain                [RFC 1035]
-         4    NotImp    Not Implemented                    [RFC 1035]
-         5    Refused   Query Refused                      [RFC 1035]
-         6    YXDomain  Name Exists when it should not     [RFC 2136]
-         7    YXRRSet   RR Set Exists when it should not   [RFC 2136]
-         8    NXRRSet   RR Set that should exist does not  [RFC 2136]
-         9    NotAuth   Server Not Authoritative for zone  [RFC 2136]
-        10    NotZone   Name not contained in zone         [RFC 2136]
-        11 - 15         Available for assignment
-        16    BADVERS   Bad OPT Version                    [RFC 2671]
-        16    BADSIG    TSIG Signature Failure             [RFC 2845]
-        17    BADKEY    Key not recognized                 [RFC 2845]
-        18    BADTIME   Signature out of time window       [RFC 2845]
-        19    BADMODE   Bad TKEY Mode                      [RPC 2930]
-        20    BADNAME   Duplicate key name                 [RPF 2930]
-        21    BADALG    Algorithm not supported            [RPF 2930]
-
-        22 - 3,840
-          0x0016 - 0x0F00   Available for assignment
-
-        3,841 - 4,095
-          0x0F01 - 0x0FFF   Private Use
-
-        4,096 - 65,534
-          0x1000 - 0xFFFE   Available for assignment
-
-        65,535
-          0xFFFF            Reserved, can only be allocated by an IETF
-                            Standards Action.
-
-
-
-D. Eastlake 3rd                                                 [Page 5]
-
-
-INTERNET-DRAFT           DNS IANA Considerations             August 2005
-
-
-   Since it is important that RCODEs be understood for interoperability,
-   assignment of new RCODE listed above as "available for assignment"
-   requires an IETF Consensus.
-
-
-
-3. DNS Resource Records
-
-   All RRs have the same top level format shown in the figure below
-   taken from [RFC 1035]:
-
-                                       1  1  1  1  1  1
-         0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
-       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-       |                                               |
-       /                                               /
-       /                      NAME                     /
-       |                                               |
-       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-       |                      TYPE                     |
-       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-       |                     CLASS                     |
-       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-       |                      TTL                      |
-       |                                               |
-       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-       |                   RDLENGTH                    |
-       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--|
-       /                     RDATA                     /
-       /                                               /
-       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-
-   NAME is an owner name, i.e., the name of the node to which this
-   resource record pertains.  NAMEs are specific to a CLASS as described
-   in section 3.2.  NAMEs consist of an ordered sequence of one or more
-   labels each of which has a label type [RFC 1035, 2671].
-
-   TYPE is a two octet unsigned integer containing one of the RR TYPE
-   codes.  See section 3.1.
-
-   CLASS is a two octet unsigned integer containing one of the RR CLASS
-   codes.  See section 3.2.
-
-   TTL is a four octet (32 bit) bit unsigned integer that specifies the
-   number of seconds that the resource record may be cached before the
-   source of the information should again be consulted.  Zero is
-   interpreted to mean that the RR can only be used for the transaction
-   in progress.
-
-   RDLENGTH is an unsigned 16 bit integer that specifies the length in
-
-
-D. Eastlake 3rd                                                 [Page 6]
-
-
-INTERNET-DRAFT           DNS IANA Considerations             August 2005
-
-
-   octets of the RDATA field.
-
-   RDATA is a variable length string of octets that constitutes the
-   resource. The format of this information varies according to the TYPE
-   and in some cases the CLASS of the resource record.
-
-
-
-3.1 RR TYPE IANA Considerations
-
-   There are three subcategories of RR TYPE numbers: data TYPEs, QTYPEs,
-   and MetaTYPEs.
-
-   Data TYPEs are the primary means of storing data.  QTYPES can only be
-   used in queries.  Meta-TYPEs designate transient data associated with
-   an particular DNS message and in some cases can also be used in
-   queries.  Thus far, data TYPEs have been assigned from 1 upwards plus
-   the block from 100 through 103 while Q and Meta Types have been
-   assigned from 255 downwards except for the OPT Meta-RR which is
-   assigned TYPE 41.  There have been DNS implementations which made
-   caching decisions based on the top bit of the bottom byte of the RR
-   TYPE.
-
-   There are currently three Meta-TYPEs assigned: OPT [RFC 2671], TSIG
-   [RFC 2845], and TKEY [RFC 2930].
-
-   There are currently five QTYPEs assigned: * (all), MAILA, MAILB,
-   AXFR, and IXFR.
-
-   Considerations for the allocation of new RR TYPEs are as follows:
-
-     Decimal
-   Hexadecimal
-
-     0
-   0x0000 - TYPE zero is used as a special indicator for the SIG RR [RFC
-          2535] and in other circumstances and must never be allocated
-          for ordinary use.
-
-     1 - 127
-   0x0001 - 0x007F - remaining TYPEs in this range are assigned for data
-          TYPEs by the DNS TYPE Allocation Policy as specified in
-          section 3.1.1.
-
-     128 - 255
-   0x0080 - 0x00FF - remaining TYPEs in this rage are assigned for Q and
-          Meta TYPEs by the DNS TYPE Allocation Policy as specified in
-          section 3.1.1.
-
-
-
-
-D. Eastlake 3rd                                                 [Page 7]
-
-
-INTERNET-DRAFT           DNS IANA Considerations             August 2005
-
-
-     256 - 32,767
-   0x0100 - 0x7FFF - assigned for data, Q, or Meta TYPE use by the DNS
-          TYPE Allocation Policy as specified in section 3.1.1.
-
-     32,768 - 65,279
-   0x8000 - 0xFEFF - Specification Required as defined in [RFC 2434].
-
-     65,280 - 65534
-   0xFF00 - 0xFFFE - Private Use.
-
-     65,535
-   0xFFFF - Reserved, can only be assigned by an IETF Standards Action.
-
-
-
-3.1.1 DNS TYPE Allocation Policy
-
-   Parameter values specified above as assigned based on DNS TYPE
-   Allocation Policy. That is, Expert Review with the additional
-   requirement that the review be based on a complete template as
-   specified below which has been posted for three weeks to the
-   namedroppers@ops.ietf.org mailing list.
-
-   Partial or draft templates may be posted with the intend of
-   soliciting feedback.
-
-
-                 DNS RR TYPE PARAMETER ALLOCATION TEMPLATE
-
-        Date:
-
-        Name and email of originator:
-
-        Pointer to internet-draft or other document giving a detailed
-        description of the protocol use of the new RR Type:
-
-        What need is the new RR TYPE intended to fix?
-
-        What existing RR TYPE(s) come closest to filling that need and why are
-        they unsatisfactory?
-
-        Does the proposed RR TYPR require special handling within the DNS
-        different from an Unknown RR TYPE?
-
-        Comments:
-
-
-
-
-
-
-
-D. Eastlake 3rd                                                 [Page 8]
-
-
-INTERNET-DRAFT           DNS IANA Considerations             August 2005
-
-
-3.1.2 Special Note on the OPT RR
-
-   The OPT (OPTion) RR, number 41, is specified in [RFC 2671].  Its
-   primary purpose is to extend the effective field size of various DNS
-   fields including RCODE, label type, OpCode, flag bits, and RDATA
-   size.  In particular, for resolvers and servers that recognize it, it
-   extends the RCODE field from 4 to 12 bits.
-
-
-
-3.1.3 The AFSDB RR Subtype Field
-
-   The AFSDB RR [RFC 1183] is a CLASS insensitive RR that has the same
-   RDATA field structure as the MX RR but the 16 bit unsigned integer
-   field at the beginning of the RDATA is interpreted as a subtype as
-   follows:
-
-     Decimal
-   Hexadecimal
-
-     0
-   0x0000 -  Allocation requires IETF Standards Action.
-
-     1
-   0x0001 - Andrews File Service v3.0 Location Service [RFC 1183].
-
-     2
-   0x0002 - DCE/NCA root cell directory node [RFC 1183].
-
-     3 - 65,279
-   0x0003 - 0xFEFF - Allocation by IETF Consensus.
-
-     65,280 - 65,534
-   0xFF00 - 0xFFFE - Private Use.
-
-     65,535
-   0xFFFF - Reserved, allocation requires IETF Standards Action.
-
-
-
-3.2 RR CLASS IANA Considerations
-
-   DNS CLASSes have been little used but constitute another dimension of
-   the DNS distributed database.  In particular, there is no necessary
-   relationship between the name space or root servers for one CLASS and
-   those for another CLASS.  The same name can have completely different
-   meanings in different CLASSes; however, the label types are the same
-   and the null label is usable only as root in every CLASS.  However,
-   as global networking and DNS have evolved, the IN, or Internet, CLASS
-   has dominated DNS use.
-
-
-D. Eastlake 3rd                                                 [Page 9]
-
-
-INTERNET-DRAFT           DNS IANA Considerations             August 2005
-
-
-   There are two subcategories of DNS CLASSes: normal data containing
-   classes and QCLASSes that are only meaningful in queries or updates.
-
-   The current CLASS assignments and considerations for future
-   assignments are as follows:
-
-     Decimal
-   Hexadecimal
-
-     0
-   0x0000 - Reserved, assignment requires an IETF Standards Action.
-
-     1
-   0x0001 - Internet (IN).
-
-     2
-   0x0002 - Available for assignment by IETF Consensus as a data CLASS.
-
-     3
-   0x0003 - Chaos (CH) [Moon 1981].
-
-     4
-   0x0004 - Hesiod (HS) [Dyer 1987].
-
-     5 - 127
-   0x0005 - 0x007F - available for assignment by IETF Consensus for data
-          CLASSes only.
-
-     128 - 253
-   0x0080 - 0x00FD - available for assignment by IETF Consensus for
-          QCLASSes only.
-
-     254
-   0x00FE - QCLASS None [RFC 2136].
-
-     255
-   0x00FF - QCLASS Any [RFC 1035].
-
-     256 - 32,767
-   0x0100 - 0x7FFF - Assigned by IETF Consensus.
-
-     32,768 - 65,279
-   0x8000 - 0xFEFF - Assigned based on Specification Required as defined
-          in [RFC 2434].
-
-     65,280 - 65,534
-   0xFF00 - 0xFFFE - Private Use.
-
-     65,535
-   0xFFFF - Reserved, can only be assigned by an IETF Standards Action.
-
-
-D. Eastlake 3rd                                                [Page 10]
-
-
-INTERNET-DRAFT           DNS IANA Considerations             August 2005
-
-
-3.3 RR NAME Considerations
-
-   DNS NAMEs are sequences of labels [RFC 1035].  The last label in each
-   NAME is "ROOT" which is the zero length label.  By definition, the
-   null or ROOT label can not be used for any other NAME purpose.
-
-   At the present time, there are two categories of label types, data
-   labels and compression labels.  Compression labels are pointers to
-   data labels elsewhere within an RR or DNS message and are intended to
-   shorten the wire encoding of NAMEs.  The two existing data label
-   types are sometimes referred to as Text and Binary.  Text labels can,
-   in fact, include any octet value including zero value octets but most
-   current uses involve only [US-ASCII].  For retrieval, Text labels are
-   defined to treat ASCII upper and lower case letter codes as matching
-   [insensitive].  Binary labels are bit sequences [RFC 2673]. The
-   Binary label type is Experimental [RFC 3363].
-
-   IANA considerations for label types are given in [RFC 2671].
-
-   NAMEs are local to a CLASS.  The Hesiod [Dyer 1987] and Chaos [Moon
-   1981] CLASSes are essentially for local use.  The IN or Internet
-   CLASS is thus the only DNS CLASS in global use on the Internet at
-   this time.
-
-   A somewhat out-of-date description of name allocation in the IN Class
-   is given in [RFC 1591].  Some information on reserved top level
-   domain names is in BCP 32 [RFC 2606].
-
-
-
-4. Security Considerations
-
-   This document addresses IANA considerations in the allocation of
-   general DNS parameters, not security.  See [RFC 4033, 4034, 4035] for
-   secure DNS considerations.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-D. Eastlake 3rd                                                [Page 11]
-
-
-INTERNET-DRAFT           DNS IANA Considerations             August 2005
-
-
-Appendix: Changes from RFC 2929
-
-   RFC Editor: This Appendix should be deleted for publication.
-
-   Changes from RFC 2929 to this draft:
-
-   1. Changed many "IETF Consensus" for RR TYPEs to be "DNS TYPE
-   Allocation Policy" and add the specification of that policy. Change
-   some remaining "IETF Standards Action" allocation requirements to say
-   "as modified by [RFC 4020]".
-
-   2. Updated various RFC references.
-
-   3. Mentioned that the Binary label type is now Experimental and
-   IQuery is Obsolete.
-
-   4. Changed allocation status of RR Type 0xFFFF and RCODE 0xFFFF to be
-   IETF Standards Action required.
-
-   5. Add an IANA allocation policy for the AFSDB RR Subtype field.
-
-   6. Addition of reference to case insensitive draft.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-D. Eastlake 3rd                                                [Page 12]
-
-
-INTERNET-DRAFT           DNS IANA Considerations             August 2005
-
-
-Copyright and Disclaimer
-
-   Copyright (C) The Internet Society (2005).  This document is subject to
-   the rights, licenses and restrictions contained in BCP 78, and except
-   as set forth therein, the authors retain all their rights.
-
-
-   This document and the information contained herein are provided on an
-   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
-   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
-   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
-   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
-   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-
-Normative References
-
-   [RFC 1034] - Mockapetris, P., "Domain Names - Concepts and
-   Facilities", STD 13, RFC 1034, November 1987.
-
-   [RFC 1035] - Mockapetris, P., "Domain Names - Implementation and
-   Specifications", STD 13, RFC 1035, November 1987.
-
-   [RFC 1183] - Everhart, C., Mamakos, L., Ullmann, R., and P.
-   Mockapetris, "New DNS RR Definitions", RFC 1183, October 1990.
-
-   [RFC 1996] - Vixie, P., "A Mechanism for Prompt Notification of Zone
-   Changes (DNS NOTIFY)", RFC 1996, August 1996.
-
-   [RFC 2136] - Vixie, P., Thomson, S., Rekhter, Y. and J. Bound,
-   "Dynamic Updates in the Domain Name System (DNS UPDATE)", RFC 2136,
-   April 1997.
-
-   [RFC 2181] - Elz, R. and R. Bush, "Clarifications to the DNS
-   Specification", RFC 2181, July 1997.
-
-   [RFC 2434] - Narten, T. and H. Alvestrand, "Guidelines for Writing an
-   IANA Considerations Section in RFCs", BCP 26, RFC 2434, October 1998.
-
-   [RFC 2671] - Vixie, P., "Extension mechanisms for DNS (EDNS0)", RFC
-   2671, August 1999.
-
-   [RFC 2673] - Crawford, M., "Binary Labels in the Domain Name System",
-   RFC 2673, August 1999.
-
-   [RFC 2845] - Vixie, P., Gudmundsson, O., Eastlake, D. and B.
-   Wellington, "Secret Key Transaction Authentication for DNS (TSIG)",
-   RFC 2845, May 2000.
-
-
-D. Eastlake 3rd                                                [Page 13]
-
-
-INTERNET-DRAFT           DNS IANA Considerations             August 2005
-
-
-   [RFC 2930] - Eastlake, D., "Secret Key Establishment for DNS (TKEY
-   RR)", September 2000.
-
-   [RFC 3363] - Bush, R., Durand, A., Fink, B., Gudmundsson, O., and T.
-   Hain, "Representing Internet Protocol version 6 (IPv6) Addresses in
-   the Domain Name System (DNS)", RFC 3363, August 2002.
-
-   [RFC 3425] - Lawrence, D., "Obsoleting IQUERY", RFC 3425, November
-   2002.
-
-   [RFC 4020] - Kompella, K. and A. Zinin, "Early IANA Allocation of
-   Standards Track Code Points", BCP 100, RFC 4020, February 2005.
-
-   [RFC 4033] - Arends, R., Austein, R., Larson, M., Massey, D., and S.
-   Rose, "DNS Security Introduction and Requirements", RFC 4033, March
-   2005.
-
-   [RFC 4034] - Arends, R., Austein, R., Larson, M., Massey, D., and S.
-   Rose, "Resource Records for the DNS Security Extensions", RFC 4034,
-   March 2005.
-
-   [RFC 4044] - Arends, R., Austein, R., Larson, M., Massey, D., and S.
-   Rose, "Protocol Modifications for the DNS Security Extensions", RFC
-   4035, March 2005.
-
-   [US-ASCII] - ANSI, "USA Standard Code for Information Interchange",
-   X3.4, American National Standards Institute: New York, 1968.
-
-
-
-Informative References
-
-   [Dyer 1987] - Dyer, S., and F. Hsu, "Hesiod", Project Athena
-   Technical Plan - Name Service, April 1987,
-
-   [Moon 1981] - D. Moon, "Chaosnet", A.I. Memo 628, Massachusetts
-   Institute of Technology Artificial Intelligence Laboratory, June
-   1981.
-
-   [RFC 1591] - Postel, J., "Domain Name System Structure and
-   Delegation", RFC 1591, March 1994.
-
-   [RFC 2929] - Eastlake 3rd, D., Brunner-Williams, E., and B. Manning,
-   "Domain Name System (DNS) IANA Considerations", BCP 42, RFC 2929,
-   September 2000.
-
-   [RFC 2606] - Eastlake, D. and A. Panitz, "Reserved Top Level DNS
-   Names", RFC 2606, June 1999.
-
-   [insensitive] - Eastlake, D., "Domain Name System (DNS) Case
-
-
-D. Eastlake 3rd                                                [Page 14]
-
-
-INTERNET-DRAFT           DNS IANA Considerations             August 2005
-
-
-   Insensitivity Clarification", draft-ietf-dnsext-insensitive-*.txt,
-   work in progress.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-D. Eastlake 3rd                                                [Page 15]
-
-
-INTERNET-DRAFT           DNS IANA Considerations             August 2005
-
-
-Authors Addresses
-
-   Donald E. Eastlake 3rd
-   Motorola Laboratories
-   155 Beaver Street
-   Milford, MA 01757 USA
-
-   Telephone:   +1-508-786-7554 (w)
-   email:       Donald.Eastlake@motorola.com
-
-
-
-Expiration and File Name
-
-   This draft expires February 2006.
-
-   Its file name is draft-ietf-dnsext-2929bis-01.txt.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-D. Eastlake 3rd                                                [Page 16]
-
diff --git a/doc/draft/draft-ietf-dnsext-dhcid-rr-07.txt b/doc/draft/draft-ietf-dnsext-dhcid-rr-07.txt
new file mode 100644
index 00000000..4634cfdf
--- /dev/null
+++ b/doc/draft/draft-ietf-dnsext-dhcid-rr-07.txt
@@ -0,0 +1,560 @@
+
+
+DNSEXT Working Group                                            M. Stapp
+Internet-Draft                                       Cisco Systems, Inc.
+Expires: April 23, 2004                                         T. Lemon
+                                                           A. Gustafsson
+                                                           Nominum, Inc.
+                                                        October 24, 2003
+
+
+           A DNS RR for Encoding DHCP Information (DHCID RR)
+                  <draft-ietf-dnsext-dhcid-rr-07.txt>
+
+Status of this Memo
+
+   This document is an Internet-Draft and is in full conformance with
+   all provisions of Section 10 of RFC2026.
+
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF), its areas, and its working groups. Note that
+   other groups may also distribute working documents as
+   Internet-Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six
+   months and may be updated, replaced, or obsoleted by other documents
+   at any time. It is inappropriate to use Internet-Drafts as reference
+   material or to cite them other than as "work in progress."
+
+   The list of current Internet-Drafts can be accessed at
+   http://www.ietf.org/ietf/1id-abstracts.txt.
+
+   The list of Internet-Draft Shadow Directories can be accessed at
+   http://www.ietf.org/shadow.html.
+
+   This Internet-Draft will expire on April 23, 2004.
+
+Copyright Notice
+
+   Copyright (C) The Internet Society (2003). All Rights Reserved.
+
+Abstract
+
+   It is possible for multiple DHCP clients to attempt to update the
+   same DNS FQDN as they obtain DHCP leases. Whether the DHCP server or
+   the clients themselves perform the DNS updates, conflicts can arise.
+   To resolve such conflicts, "Resolution of DNS Name Conflicts"[1]
+   proposes storing client identifiers in the DNS to unambiguously
+   associate domain names with the DHCP clients to which they refer.
+   This memo defines a distinct RR type for this purpose for use by
+   DHCP clients and servers, the "DHCID" RR.
+
+
+
+
+Stapp, et. al.           Expires April 23, 2004                 [Page 1]
+
+Internet-Draft                The DHCID RR                  October 2003
+
+
+Table of Contents
+
+   1.    Terminology  . . . . . . . . . . . . . . . . . . . . . . . .  3
+   2.    Introduction . . . . . . . . . . . . . . . . . . . . . . . .  3
+   3.    The DHCID RR . . . . . . . . . . . . . . . . . . . . . . . .  3
+   3.1   DHCID RDATA format . . . . . . . . . . . . . . . . . . . . .  4
+   3.2   DHCID Presentation Format  . . . . . . . . . . . . . . . . .  4
+   3.3   The DHCID RR Type Codes  . . . . . . . . . . . . . . . . . .  4
+   3.4   Computation of the RDATA . . . . . . . . . . . . . . . . . .  5
+   3.5   Examples . . . . . . . . . . . . . . . . . . . . . . . . . .  6
+   3.5.1 Example 1  . . . . . . . . . . . . . . . . . . . . . . . . .  6
+   3.5.2 Example 2  . . . . . . . . . . . . . . . . . . . . . . . . .  6
+   4.    Use of the DHCID RR  . . . . . . . . . . . . . . . . . . . .  6
+   5.    Updater Behavior . . . . . . . . . . . . . . . . . . . . . .  6
+   6.    Security Considerations  . . . . . . . . . . . . . . . . . .  7
+   7.    IANA Considerations  . . . . . . . . . . . . . . . . . . . .  7
+   8.    Acknowledgements . . . . . . . . . . . . . . . . . . . . . .  7
+         References . . . . . . . . . . . . . . . . . . . . . . . . .  7
+         References . . . . . . . . . . . . . . . . . . . . . . . . .  8
+         Authors' Addresses . . . . . . . . . . . . . . . . . . . . .  8
+         Full Copyright Statement . . . . . . . . . . . . . . . . . . 10
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Stapp, et. al.           Expires April 23, 2004                 [Page 2]
+
+Internet-Draft                The DHCID RR                  October 2003
+
+
+1. Terminology
+
+   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+   document are to be interpreted as described in RFC 2119[2].
+
+2. Introduction
+
+   A set of procedures to allow DHCP[7] clients and servers to
+   automatically update the DNS (RFC 1034[3], RFC 1035[4]) is proposed
+   in "Resolution of DNS Name Conflicts"[1].
+
+   Conflicts can arise if multiple DHCP clients wish to use the same
+   DNS name. To resolve such conflicts, "Resolution of DNS Name
+   Conflicts"[1] proposes storing client identifiers in the DNS to
+   unambiguously associate domain names with the DHCP clients using
+   them. In the interest of clarity, it is preferable for this DHCP
+   information to use a distinct RR type. This memo defines a distinct
+   RR for this purpose for use by DHCP clients or servers, the "DHCID"
+   RR.
+
+   In order to avoid exposing potentially sensitive identifying
+   information, the data stored is the result of a one-way MD5[5] hash
+   computation. The hash includes information from the DHCP client's
+   REQUEST message as well as the domain name itself, so that the data
+   stored in the DHCID RR will be dependent on both the client
+   identification used in the DHCP protocol interaction and the domain
+   name. This means that the DHCID RDATA will vary if a single client
+   is associated over time with more than one name. This makes it
+   difficult to 'track' a client as it is associated with various
+   domain names.
+
+   The MD5 hash algorithm has been shown to be weaker than the SHA-1
+   algorithm; it could therefore be argued that SHA-1 is a better
+   choice. However, SHA-1 is significantly slower than MD5. A
+   successful attack of MD5's weakness does not reveal the original
+   data that was used to generate the signature, but rather provides a
+   new set of input data that will produce the same signature. Because
+   we are using the MD5 hash to conceal the original data, the fact
+   that an attacker could produce a different plaintext resulting in
+   the same MD5 output is not significant concern.
+
+3. The DHCID RR
+
+   The DHCID RR is defined with mnemonic DHCID and type code [TBD]. The
+   DHCID RR is only defined in the IN class. DHCID RRs cause no
+   additional section processing. The DHCID RR is not a singleton type.
+
+
+
+
+Stapp, et. al.           Expires April 23, 2004                 [Page 3]
+
+Internet-Draft                The DHCID RR                  October 2003
+
+
+3.1 DHCID RDATA format
+
+   The RDATA section of a DHCID RR in transmission contains RDLENGTH
+   bytes of binary data.  The format of this data and its
+   interpretation by DHCP servers and clients are described below.
+
+   DNS software should consider the RDATA section to be opaque. DHCP
+   clients or servers use the DHCID RR to associate a DHCP client's
+   identity with a DNS name, so that multiple DHCP clients and servers
+   may deterministically perform dynamic DNS updates to the same zone.
+   From the updater's perspective, the DHCID resource record RDATA
+   consists of a 16-bit identifier type, in network byte order,
+   followed by one or more bytes representing the actual identifier:
+
+     	< 16 bits >	DHCP identifier used
+     	< n bytes >	MD5 digest
+
+3.2 DHCID Presentation Format
+
+   In DNS master files, the RDATA is represented as a single block in
+   base 64 encoding identical to that used for representing binary data
+   in RFC 2535[8]. The data may be divided up into any number of white
+   space separated substrings, down to single base 64 digits, which are
+   concatenated to form the complete RDATA.  These substrings can span
+   lines using the standard parentheses.
+
+3.3 The DHCID RR Type Codes
+
+   The DHCID RR Type Code specifies what data from the DHCP client's
+   request was used as input into the hash function. The type codes are
+   defined in a registry maintained by IANA, as specified in Section 7.
+   The initial list of assigned values for the type code is:
+
+     0x0000 = htype, chaddr from a DHCPv4 client's
+              DHCPREQUEST (RFC 2131)
+     0x0001 = The data portion from a DHCPv4 client's Client
+              Identifier option (RFC 2132)
+     0x0002 = The data portion (i.e., the DUID) from a DHCPv6
+              client's Client Identifier option
+   	   (draft-ietf-dhc-dhcpv6-*.txt)
+
+     0x0003 - 0xfffe = Available to be assigned by IANA
+
+     0xffff = RESERVED
+
+
+
+
+
+
+
+Stapp, et. al.           Expires April 23, 2004                 [Page 4]
+
+Internet-Draft                The DHCID RR                  October 2003
+
+
+3.4 Computation of the RDATA
+
+   The DHCID RDATA is formed by concatenating the two type bytes with
+   some variable-length identifying data.
+
+       < type > < data >
+
+   The RDATA for all type codes other than 0xffff, which is reserved
+   for future expansion, is formed by concatenating the two type bytes
+   and a 16-byte MD5 hash value. The input to the hash function is
+   defined to be:
+
+       data = MD5(< identifier > < FQDN >)
+
+   The FQDN is represented in the buffer in unambiguous canonical form
+   as described in RFC 2535[8], section 8.1. The type code and the
+   identifier are related as specified in Section 3.3: the type code
+   describes the source of the identifier.
+
+   When the updater is using the client's link-layer address as the
+   identifier, the first two bytes of the DHCID RDATA MUST be zero. To
+   generate the rest of the resource record, the updater computes a
+   one-way hash using the MD5 algorithm across a buffer containing the
+   client's network hardware type, link-layer address, and the FQDN
+   data.  Specifically, the first byte of the buffer contains the
+   network hardware type as it appeared in the DHCP 'htype' field of
+   the client's DHCPREQUEST message. All of the significant bytes of
+   the chaddr field in the client's DHCPREQUEST message follow, in the
+   same order in which the bytes appear in the DHCPREQUEST message. The
+   number of significant bytes in the 'chaddr' field is specified in
+   the 'hlen' field of the DHCPREQUEST message. The FQDN data, as
+   specified above, follows.
+
+   When the updater is using the DHCPv4 Client Identifier option sent
+   by the client in its DHCPREQUEST message, the first two bytes of the
+   DHCID RR MUST be 0x0001, in network byte order. The rest of the
+   DHCID RR MUST contain the results of computing an MD5 hash across
+   the payload of the option, followed by the FQDN. The payload of the
+   option consists of the bytes of the option following the option code
+   and length.
+
+   When the updater is using the DHCPv6 DUID sent by the client in its
+   REQUEST message, the first two bytes of the DHCID RR MUST be 0x0002,
+   in network byte order. The rest of the DHCID RR MUST contain the
+   results of computing an MD5 hash across the payload of the option,
+   followed by the FQDN. The payload of the option consists of the
+   bytes of the option following the option code and length.
+
+
+
+
+Stapp, et. al.           Expires April 23, 2004                 [Page 5]
+
+Internet-Draft                The DHCID RR                  October 2003
+
+
+3.5 Examples
+
+3.5.1 Example 1
+
+   A DHCP server allocating the IPv4 address 10.0.0.1 to a client with
+   Ethernet MAC address 01:02:03:04:05:06 using domain name
+   "client.example.com" uses the client's link-layer address to
+   identify the client. The DHCID RDATA is composed by setting the two
+   type bytes to zero, and performing an MD5 hash computation across a
+   buffer containing the Ethernet MAC type byte, 0x01, the six bytes of
+   MAC address, and the domain name (represented as specified in
+   Section 3.4).
+
+     client.example.com.	A   	10.0.0.1
+     client.example.com. 	DHCID 	AAAUMru0ZM5OK/PdVAJgZ/HU
+
+3.5.2 Example 2
+
+   A DHCP server allocates the IPv4 address 10.0.12.99 to a client
+   which included the DHCP client-identifier option data
+   01:07:08:09:0a:0b:0c in its DHCP request. The server updates the
+   name "chi.example.com" on the client's behalf, and uses the DHCP
+   client identifier option data as input in forming a DHCID RR. The
+   DHCID RDATA is formed by setting the two type bytes to the value
+   0x0001, and performing an MD5 hash computation across a buffer
+   containing the seven bytes from the client-id option and the FQDN
+   (represented as specified in Section 3.4).
+
+     chi.example.com.	A    	10.0.12.99
+     chi.example.com.	DHCID 	AAHdd5jiQ3kEjANDm82cbObk\012
+
+4. Use of the DHCID RR
+
+   This RR MUST NOT be used for any purpose other than that detailed in
+   "Resolution of DNS Name Conflicts"[1]. Although this RR contains
+   data that is opaque to DNS servers, the data must be consistent
+   across all entities that update and interpret this record.
+   Therefore, new data formats may only be defined through actions of
+   the DHC Working Group, as a result of revising [1].
+
+5. Updater Behavior
+
+   The data in the DHCID RR allows updaters to determine whether more
+   than one DHCP client desires to use a particular FQDN.  This allows
+   site administrators to establish policy about DNS updates. The DHCID
+   RR does not establish any policy itself.
+
+   Updaters use data from a DHCP client's request and the domain name
+   that the client desires to use to compute a client identity hash,
+
+
+Stapp, et. al.           Expires April 23, 2004                 [Page 6]
+
+Internet-Draft                The DHCID RR                  October 2003
+
+
+   and then compare that hash to the data in any DHCID RRs on the name
+   that they wish to associate with the client's IP address. If an
+   updater discovers DHCID RRs whose RDATA does not match the client
+   identity that they have computed, the updater SHOULD conclude that a
+   different client is currently associated with the name in question.
+   The updater SHOULD then proceed according to the site's
+   administrative policy. That policy might dictate that a different
+   name be selected, or it might permit the updater to continue.
+
+6. Security Considerations
+
+   The DHCID record as such does not introduce any new security
+   problems into the DNS.  In order to avoid exposing private
+   information about DHCP clients to public scrutiny, a one-way hash is
+   used to obscure all client information. In order to make it
+   difficult to 'track' a client by examining the names associated with
+   a particular hash value, the FQDN is included in the hash
+   computation. Thus, the RDATA is dependent on both the DHCP client
+   identification data and on each FQDN associated with the client.
+
+   Administrators should be wary of permitting unsecured DNS updates to
+   zones which are exposed to the global Internet. Both DHCP clients
+   and servers SHOULD use some form of update authentication (e.g.,
+   TSIG[11]) when performing DNS updates.
+
+7. IANA Considerations
+
+   IANA is requested to allocate an RR type number for the DHCID record
+   type.
+
+   This specification defines a new number-space for the 16-bit type
+   codes associated with the DHCID RR. IANA is requested to establish a
+   registry of the values for this number-space.
+
+   Three initial values are assigned in Section 3.3, and the value
+   0xFFFF is reserved for future use. New DHCID RR type codes are
+   tentatively assigned after the specification for the associated type
+   code, published as an Internet Draft, has received expert review by
+   a designated expert. The final assignment of DHCID RR type codes is
+   through Standards Action, as defined in RFC 2434[6].
+
+8. Acknowledgements
+
+   Many thanks to Josh Littlefield, Olafur Gudmundsson, Bernie Volz,
+   and Ralph Droms for their review and suggestions.
+
+Normative References
+
+   [1]  Stapp, M., "Resolution of DNS Name Conflicts Among DHCP Clients
+
+
+Stapp, et. al.           Expires April 23, 2004                 [Page 7]
+
+Internet-Draft                The DHCID RR                  October 2003
+
+
+        (draft-ietf-dhc-dns-resolution-*)", November 2002.
+
+   [2]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
+        Levels", RFC 2119, March 1997.
+
+   [3]  Mockapetris, P., "Domain names - Concepts and Facilities", RFC
+        1034, Nov 1987.
+
+   [4]  Mockapetris, P., "Domain names - Implementation and
+        Specification", RFC 1035, Nov 1987.
+
+   [5]  Rivest, R., "The MD5 Message Digest Algorithm", RFC 1321, April
+        1992.
+
+   [6]  Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA
+        Considerations Section in RFCs", RFC 2434, October 1998.
+
+Informative References
+
+   [7]   Droms, R., "Dynamic Host Configuration Protocol", RFC 2131,
+         Mar 1997.
+
+   [8]   Eastlake, D., "Domain Name System Security Extensions", RFC
+         2535, March 1999.
+
+   [9]   Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor
+         Extensions", RFC 2132, Mar 1997.
+
+   [10]  Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C. and M.
+         Carney, "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)
+         (draft-ietf-dhc-dhcpv6-*.txt)", November 2002.
+
+   [11]  Vixie, P., Gudmundsson, O., Eastlake, D. and B. Wellington,
+         "Secret Key Transaction Authentication for DNS (TSIG)", RFC
+         2845, May 2000.
+
+
+Authors' Addresses
+
+   Mark Stapp
+   Cisco Systems, Inc.
+   1414 Massachusetts Ave.
+   Boxborough, MA  01719
+   USA
+
+   Phone: 978.936.1535
+   EMail: mjs@cisco.com
+
+
+
+
+Stapp, et. al.           Expires April 23, 2004                 [Page 8]
+
+Internet-Draft                The DHCID RR                  October 2003
+
+
+   Ted Lemon
+   Nominum, Inc.
+   950 Charter St.
+   Redwood City, CA  94063
+   USA
+
+   EMail: mellon@nominum.com
+
+
+   Andreas Gustafsson
+   Nominum, Inc.
+   950 Charter St.
+   Redwood City, CA  94063
+   USA
+
+   EMail: gson@nominum.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Stapp, et. al.           Expires April 23, 2004                 [Page 9]
+
+Internet-Draft                The DHCID RR                  October 2003
+
+
+Full Copyright Statement
+
+   Copyright (C) The Internet Society (2003). All Rights Reserved.
+
+   This document and translations of it may be copied and furnished to
+   others, and derivative works that comment on or otherwise explain it
+   or assist in its implementation may be prepared, copied, published
+   and distributed, in whole or in part, without restriction of any
+   kind, provided that the above copyright notice and this paragraph
+   are included on all such copies and derivative works. However, this
+   document itself may not be modified in any way, such as by removing
+   the copyright notice or references to the Internet Society or other
+   Internet organizations, except as needed for the purpose of
+   developing Internet standards in which case the procedures for
+   copyrights defined in the Internet Standards process must be
+   followed, or as required to translate it into languages other than
+   English.
+
+   The limited permissions granted above are perpetual and will not be
+   revoked by the Internet Society or its successors or assigns.
+
+   This document and the information contained herein is provided on an
+   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+   Funding for the RFC editor function is currently provided by the
+   Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Stapp, et. al.           Expires April 23, 2004                [Page 10]
+
diff --git a/doc/draft/draft-ietf-dnsext-dhcid-rr-09.txt b/doc/draft/draft-ietf-dnsext-dhcid-rr-09.txt
deleted file mode 100644
index 2cd97247..00000000
--- a/doc/draft/draft-ietf-dnsext-dhcid-rr-09.txt
+++ /dev/null
@@ -1,562 +0,0 @@
-
-
-
-
-DNSEXT                                                          M. Stapp
-Internet-Draft                                       Cisco Systems, Inc.
-Expires: August 13, 2005                                        T. Lemon
-                                                           A. Gustafsson
-                                                           Nominum, Inc.
-                                                        February 9, 2005
-
-
-           A DNS RR for Encoding DHCP Information (DHCID RR)
-                  <draft-ietf-dnsext-dhcid-rr-09.txt>
-
-Status of this Memo
-
-   This document is an Internet-Draft and is subject to all provisions
-   of Section 3 of RFC 3667.  By submitting this Internet-Draft, each
-   author represents that any applicable patent or other IPR claims of
-   which he or she is aware have been or will be disclosed, and any of
-   which he or she become aware will be disclosed, in accordance with
-   RFC 3668.
-
-   Internet-Drafts are working documents of the Internet Engineering
-   Task Force (IETF), its areas, and its working groups.  Note that
-   other groups may also distribute working documents as
-   Internet-Drafts.
-
-   Internet-Drafts are draft documents valid for a maximum of six months
-   and may be updated, replaced, or obsoleted by other documents at any
-   time.  It is inappropriate to use Internet-Drafts as reference
-   material or to cite them other than as "work in progress."
-
-   The list of current Internet-Drafts can be accessed at
-   http://www.ietf.org/ietf/1id-abstracts.txt.
-
-   The list of Internet-Draft Shadow Directories can be accessed at
-   http://www.ietf.org/shadow.html.
-
-   This Internet-Draft will expire on August 13, 2005.
-
-Copyright Notice
-
-   Copyright (C) The Internet Society (2005).
-
-Abstract
-
-   It is possible for multiple DHCP clients to attempt to update the
-   same DNS FQDN as they obtain DHCP leases.  Whether the DHCP server or
-   the clients themselves perform the DNS updates, conflicts can arise.
-   To resolve such conflicts, "Resolution of DNS Name Conflicts" [1]
-
-
-
-Stapp, et al.            Expires August 13, 2005                [Page 1]
-
-Internet-Draft                The DHCID RR                 February 2005
-
-
-   proposes storing client identifiers in the DNS to unambiguously
-   associate domain names with the DHCP clients to which they refer.
-   This memo defines a distinct RR type for this purpose for use by DHCP
-   clients and servers, the "DHCID" RR.
-
-Table of Contents
-
-   1.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . .  3
-   2.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
-   3.  The DHCID RR . . . . . . . . . . . . . . . . . . . . . . . . .  3
-     3.1   DHCID RDATA format . . . . . . . . . . . . . . . . . . . .  4
-     3.2   DHCID Presentation Format  . . . . . . . . . . . . . . . .  4
-     3.3   The DHCID RR Type Codes  . . . . . . . . . . . . . . . . .  4
-     3.4   Computation of the RDATA . . . . . . . . . . . . . . . . .  4
-     3.5   Examples . . . . . . . . . . . . . . . . . . . . . . . . .  5
-       3.5.1   Example 1  . . . . . . . . . . . . . . . . . . . . . .  6
-       3.5.2   Example 2  . . . . . . . . . . . . . . . . . . . . . .  6
-   4.  Use of the DHCID RR  . . . . . . . . . . . . . . . . . . . . .  6
-   5.  Updater Behavior . . . . . . . . . . . . . . . . . . . . . . .  6
-   6.  Security Considerations  . . . . . . . . . . . . . . . . . . .  7
-   7.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . .  7
-   8.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . .  7
-   9.  References . . . . . . . . . . . . . . . . . . . . . . . . . .  8
-     9.1   Normative References . . . . . . . . . . . . . . . . . . .  8
-     9.2   Informative References . . . . . . . . . . . . . . . . . .  8
-       Authors' Addresses . . . . . . . . . . . . . . . . . . . . . .  9
-       Intellectual Property and Copyright Statements . . . . . . . . 10
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Stapp, et al.            Expires August 13, 2005                [Page 2]
-
-Internet-Draft                The DHCID RR                 February 2005
-
-
-1.  Terminology
-
-   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
-   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
-   document are to be interpreted as described in RFC 2119 [2].
-
-2.  Introduction
-
-   A set of procedures to allow DHCP [7] clients and servers to
-   automatically update the DNS (RFC 1034 [3], RFC 1035 [4]) is proposed
-   in "Resolution of DNS Name Conflicts" [1].
-
-   Conflicts can arise if multiple DHCP clients wish to use the same DNS
-   name.  To resolve such conflicts, "Resolution of DNS Name Conflicts"
-   [1] proposes storing client identifiers in the DNS to unambiguously
-   associate domain names with the DHCP clients using them.  In the
-   interest of clarity, it is preferable for this DHCP information to
-   use a distinct RR type.  This memo defines a distinct RR for this
-   purpose for use by DHCP clients or servers, the "DHCID" RR.
-
-   In order to avoid exposing potentially sensitive identifying
-   information, the data stored is the result of a one-way MD5 [5] hash
-   computation.  The hash includes information from the DHCP client's
-   REQUEST message as well as the domain name itself, so that the data
-   stored in the DHCID RR will be dependent on both the client
-   identification used in the DHCP protocol interaction and the domain
-   name.  This means that the DHCID RDATA will vary if a single client
-   is associated over time with more than one name.  This makes it
-   difficult to 'track' a client as it is associated with various domain
-   names.
-
-   The MD5 hash algorithm has been shown to be weaker than the SHA-1
-   algorithm; it could therefore be argued that SHA-1 is a better
-   choice.  However, SHA-1 is significantly slower than MD5.  A
-   successful attack of MD5's weakness does not reveal the original data
-   that was used to generate the signature, but rather provides a new
-   set of input data that will produce the same signature.  Because we
-   are using the MD5 hash to conceal the original data, the fact that an
-   attacker could produce a different plaintext resulting in the same
-   MD5 output is not significant concern.
-
-3.  The DHCID RR
-
-   The DHCID RR is defined with mnemonic DHCID and type code [TBD].  The
-   DHCID RR is only defined in the IN class.  DHCID RRs cause no
-   additional section processing.  The DHCID RR is not a singleton type.
-
-
-
-
-
-Stapp, et al.            Expires August 13, 2005                [Page 3]
-
-Internet-Draft                The DHCID RR                 February 2005
-
-
-3.1  DHCID RDATA format
-
-   The RDATA section of a DHCID RR in transmission contains RDLENGTH
-   bytes of binary data.  The format of this data and its interpretation
-   by DHCP servers and clients are described below.
-
-   DNS software should consider the RDATA section to be opaque.  DHCP
-   clients or servers use the DHCID RR to associate a DHCP client's
-   identity with a DNS name, so that multiple DHCP clients and servers
-   may deterministically perform dynamic DNS updates to the same zone.
-   From the updater's perspective, the DHCID resource record RDATA
-   consists of a 16-bit identifier type, in network byte order, followed
-   by one or more bytes representing the actual identifier:
-
-     	< 16 bits >	DHCP identifier used
-     	< n bytes >	MD5 digest
-
-
-3.2  DHCID Presentation Format
-
-   In DNS master files, the RDATA is represented as a single block in
-   base 64 encoding identical to that used for representing binary data
-   in RFC 2535 [8].  The data may be divided up into any number of white
-   space separated substrings, down to single base 64 digits, which are
-   concatenated to form the complete RDATA.  These substrings can span
-   lines using the standard parentheses.
-
-3.3  The DHCID RR Type Codes
-
-   The DHCID RR Type Code specifies what data from the DHCP client's
-   request was used as input into the hash function.  The type codes are
-   defined in a registry maintained by IANA, as specified in Section 7.
-   The initial list of assigned values for the type code is:
-
-   0x0000 = htype, chaddr from a DHCPv4 client's DHCPREQUEST [7].
-   0x0001 = The data portion from a DHCPv4 client's Client Identifier
-      option [9].
-   0x0002 = The client's DUID (i.e., the data portion of a DHCPv6
-      client's Client Identifier option [10] or the DUID field from a
-      DHCPv4 client's Client Identifier option [12]).
-
-   0x0003 - 0xfffe = Available to be assigned by IANA.
-
-   0xffff = RESERVED
-
-3.4  Computation of the RDATA
-
-   The DHCID RDATA is formed by concatenating the two type bytes with
-
-
-
-Stapp, et al.            Expires August 13, 2005                [Page 4]
-
-Internet-Draft                The DHCID RR                 February 2005
-
-
-   some variable-length identifying data.
-
-       < type > < data >
-
-   The RDATA for all type codes other than 0xffff, which is reserved for
-   future expansion, is formed by concatenating the two type bytes and a
-   16-byte MD5 hash value.  The input to the hash function is defined to
-   be:
-
-       data = MD5(< identifier > < FQDN >)
-
-   The FQDN is represented in the buffer in unambiguous canonical form
-   as described in RFC 2535 [8], section 8.1.  The type code and the
-   identifier are related as specified in Section 3.3: the type code
-   describes the source of the identifier.
-
-   When the updater is using the client's link-layer address as the
-   identifier, the first two bytes of the DHCID RDATA MUST be zero.  To
-   generate the rest of the resource record, the updater computes a
-   one-way hash using the MD5 algorithm across a buffer containing the
-   client's network hardware type, link-layer address, and the FQDN
-   data.  Specifically, the first byte of the buffer contains the
-   network hardware type as it appeared in the DHCP 'htype' field of the
-   client's DHCPREQUEST message.  All of the significant bytes of the
-   chaddr field in the client's DHCPREQUEST message follow, in the same
-   order in which the bytes appear in the DHCPREQUEST message.  The
-   number of significant bytes in the 'chaddr' field is specified in the
-   'hlen' field of the DHCPREQUEST message.  The FQDN data, as specified
-   above, follows.
-
-   When the updater is using the DHCPv4 Client Identifier option sent by
-   the client in its DHCPREQUEST message, the first two bytes of the
-   DHCID RR MUST be 0x0001, in network byte order.  The rest of the
-   DHCID RR MUST contain the results of computing an MD5 hash across the
-   payload of the option, followed by the FQDN.  The payload of the
-   option consists of the bytes of the option following the option code
-   and length.
-
-   When the updater is using the DHCPv6 DUID sent by the client in its
-   REQUEST message, the first two bytes of the DHCID RR MUST be 0x0002,
-   in network byte order.  The rest of the DHCID RR MUST contain the
-   results of computing an MD5 hash across the payload of the option,
-   followed by the FQDN.  The payload of the option consists of the
-   bytes of the option following the option code and length.
-
-3.5  Examples
-
-
-
-
-
-Stapp, et al.            Expires August 13, 2005                [Page 5]
-
-Internet-Draft                The DHCID RR                 February 2005
-
-
-3.5.1  Example 1
-
-   A DHCP server allocating the IPv4 address 10.0.0.1 to a client with
-   Ethernet MAC address 01:02:03:04:05:06 using domain name
-   "client.example.com" uses the client's link-layer address to identify
-   the client.  The DHCID RDATA is composed by setting the two type
-   bytes to zero, and performing an MD5 hash computation across a buffer
-   containing the Ethernet MAC type byte, 0x01, the six bytes of MAC
-   address, and the domain name (represented as specified in
-   Section 3.4).
-
-     client.example.com.	A   	10.0.0.1
-     client.example.com. 	DHCID 	AAAUMru0ZM5OK/PdVAJgZ/HU
-
-
-3.5.2  Example 2
-
-   A DHCP server allocates the IPv4 address 10.0.12.99 to a client which
-   included the DHCP client-identifier option data 01:07:08:09:0a:0b:0c
-   in its DHCP request.  The server updates the name "chi.example.com"
-   on the client's behalf, and uses the DHCP client identifier option
-   data as input in forming a DHCID RR.  The DHCID RDATA is formed by
-   setting the two type bytes to the value 0x0001, and performing an MD5
-   hash computation across a buffer containing the seven bytes from the
-   client-id option and the FQDN (represented as specified in
-   Section 3.4).
-
-     chi.example.com.	A    	10.0.12.99
-     chi.example.com.	DHCID 	AAHdd5jiQ3kEjANDm82cbObk\012
-
-
-4.  Use of the DHCID RR
-
-   This RR MUST NOT be used for any purpose other than that detailed in
-   "Resolution of DNS Name Conflicts" [1].  Although this RR contains
-   data that is opaque to DNS servers, the data must be consistent
-   across all entities that update and interpret this record.
-   Therefore, new data formats may only be defined through actions of
-   the DHC Working Group, as a result of revising [1].
-
-5.  Updater Behavior
-
-   The data in the DHCID RR allows updaters to determine whether more
-   than one DHCP client desires to use a particular FQDN.  This allows
-   site administrators to establish policy about DNS updates.  The DHCID
-   RR does not establish any policy itself.
-
-   Updaters use data from a DHCP client's request and the domain name
-
-
-
-Stapp, et al.            Expires August 13, 2005                [Page 6]
-
-Internet-Draft                The DHCID RR                 February 2005
-
-
-   that the client desires to use to compute a client identity hash, and
-   then compare that hash to the data in any DHCID RRs on the name that
-   they wish to associate with the client's IP address.  If an updater
-   discovers DHCID RRs whose RDATA does not match the client identity
-   that they have computed, the updater SHOULD conclude that a different
-   client is currently associated with the name in question.  The
-   updater SHOULD then proceed according to the site's administrative
-   policy.  That policy might dictate that a different name be selected,
-   or it might permit the updater to continue.
-
-6.  Security Considerations
-
-   The DHCID record as such does not introduce any new security problems
-   into the DNS.  In order to avoid exposing private information about
-   DHCP clients to public scrutiny, a one-way hash is used to obscure
-   all client information.  In order to make it difficult to 'track' a
-   client by examining the names associated with a particular hash
-   value, the FQDN is included in the hash computation.  Thus, the RDATA
-   is dependent on both the DHCP client identification data and on each
-   FQDN associated with the client.
-
-   Administrators should be wary of permitting unsecured DNS updates to
-   zones which are exposed to the global Internet.  Both DHCP clients
-   and servers SHOULD use some form of update authentication (e.g., TSIG
-   [11]) when performing DNS updates.
-
-7.  IANA Considerations
-
-   IANA is requested to allocate an RR type number for the DHCID record
-   type.
-
-   This specification defines a new number-space for the 16-bit type
-   codes associated with the DHCID RR.  IANA is requested to establish a
-   registry of the values for this number-space.
-
-   Three initial values are assigned in Section 3.3, and the value
-   0xFFFF is reserved for future use.  New DHCID RR type codes are
-   tentatively assigned after the specification for the associated type
-   code, published as an Internet Draft, has received expert review by a
-   designated expert.  The final assignment of DHCID RR type codes is
-   through Standards Action, as defined in RFC 2434 [6].
-
-8.  Acknowledgements
-
-   Many thanks to Josh Littlefield, Olafur Gudmundsson, Bernie Volz, and
-   Ralph Droms for their review and suggestions.
-
-
-
-
-
-Stapp, et al.            Expires August 13, 2005                [Page 7]
-
-Internet-Draft                The DHCID RR                 February 2005
-
-
-9.  References
-
-9.1  Normative References
-
-   [1]  Stapp, M. and B. Volz, "Resolution of DNS Name Conflicts Among
-        DHCP Clients (draft-ietf-dhc-dns-resolution-*)", July 2004.
-
-   [2]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
-        Levels", BCP 14, RFC 2119, March 1997.
-
-   [3]  Mockapetris, P., "Domain names - concepts and facilities",
-        STD 13, RFC 1034, November 1987.
-
-   [4]  Mockapetris, P., "Domain names - implementation and
-        specification", STD 13, RFC 1035, November 1987.
-
-   [5]  Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, April
-        1992.
-
-   [6]  Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA
-        Considerations Section in RFCs", BCP 26, RFC 2434, October 1998.
-
-9.2  Informative References
-
-   [7]   Droms, R., "Dynamic Host Configuration Protocol", RFC 2131,
-         March 1997.
-
-   [8]   Eastlake, D., "Domain Name System Security Extensions",
-         RFC 2535, March 1999.
-
-   [9]   Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor
-         Extensions", RFC 2132, March 1997.
-
-   [10]  Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C. and M.
-         Carney, "Dynamic Host Configuration Protocol for IPv6
-         (DHCPv6)", RFC 3315, July 2003.
-
-   [11]  Vixie, P., Gudmundsson, O., Eastlake, D. and B. Wellington,
-         "Secret Key Transaction Authentication for DNS (TSIG)",
-         RFC 2845, May 2000.
-
-   [12]  Lemon, T. and B. Sommerfeld, "Node-Specific Client Identifiers
-         for DHCPv4 (draft-ietf-dhc-3315id-for-v4-*)", February 2004.
-
-
-
-
-
-
-
-
-Stapp, et al.            Expires August 13, 2005                [Page 8]
-
-Internet-Draft                The DHCID RR                 February 2005
-
-
-Authors' Addresses
-
-   Mark Stapp
-   Cisco Systems, Inc.
-   1414 Massachusetts Ave.
-   Boxborough, MA  01719
-   USA
-
-   Phone: 978.936.1535
-   Email: mjs@cisco.com
-
-
-   Ted Lemon
-   Nominum, Inc.
-   950 Charter St.
-   Redwood City, CA  94063
-   USA
-
-   Email: mellon@nominum.com
-
-
-   Andreas Gustafsson
-   Nominum, Inc.
-   950 Charter St.
-   Redwood City, CA  94063
-   USA
-
-   Email: gson@nominum.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Stapp, et al.            Expires August 13, 2005                [Page 9]
-
-Internet-Draft                The DHCID RR                 February 2005
-
-
-Intellectual Property Statement
-
-   The IETF takes no position regarding the validity or scope of any
-   Intellectual Property Rights or other rights that might be claimed to
-   pertain to the implementation or use of the technology described in
-   this document or the extent to which any license under such rights
-   might or might not be available; nor does it represent that it has
-   made any independent effort to identify any such rights.  Information
-   on the procedures with respect to rights in RFC documents can be
-   found in BCP 78 and BCP 79.
-
-   Copies of IPR disclosures made to the IETF Secretariat and any
-   assurances of licenses to be made available, or the result of an
-   attempt made to obtain a general license or permission for the use of
-   such proprietary rights by implementers or users of this
-   specification can be obtained from the IETF on-line IPR repository at
-   http://www.ietf.org/ipr.
-
-   The IETF invites any interested party to bring to its attention any
-   copyrights, patents or patent applications, or other proprietary
-   rights that may cover technology that may be required to implement
-   this standard.  Please address the information to the IETF at
-   ietf-ipr@ietf.org.
-
-
-Disclaimer of Validity
-
-   This document and the information contained herein are provided on an
-   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
-   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
-   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
-   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
-   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Copyright Statement
-
-   Copyright (C) The Internet Society (2005).  This document is subject
-   to the rights, licenses and restrictions contained in BCP 78, and
-   except as set forth therein, the authors retain all their rights.
-
-
-Acknowledgment
-
-   Funding for the RFC Editor function is currently provided by the
-   Internet Society.
-
-
-
-
-Stapp, et al.            Expires August 13, 2005               [Page 10]
-
-
diff --git a/doc/draft/draft-ietf-dnsext-dns-name-p-s-00.txt b/doc/draft/draft-ietf-dnsext-dns-name-p-s-00.txt
deleted file mode 100644
index 438e8008..00000000
--- a/doc/draft/draft-ietf-dnsext-dns-name-p-s-00.txt
+++ /dev/null
@@ -1,1397 +0,0 @@
-DNS Extensions Working Group                                   G. Sisson
-Internet-Draft                                                 B. Laurie
-Expires: January 11, 2006                                        Nominet
-                                                           July 10, 2005
-
-
-            Derivation of DNS Name Predecessor and Successor
-                   draft-ietf-dnsext-dns-name-p-s-00
-
-Status of this Memo
-
-   By submitting this Internet-Draft, each author represents that any
-   applicable patent or other IPR claims of which he or she is aware
-   have been or will be disclosed, and any of which he or she becomes
-   aware will be disclosed, in accordance with Section 6 of BCP 79.
-
-   Internet-Drafts are working documents of the Internet Engineering
-   Task Force (IETF), its areas, and its working groups.  Note that
-   other groups may also distribute working documents as Internet-
-   Drafts.
-
-   Internet-Drafts are draft documents valid for a maximum of six months
-   and may be updated, replaced, or obsoleted by other documents at any
-   time.  It is inappropriate to use Internet-Drafts as reference
-   material or to cite them other than as "work in progress."
-
-   The list of current Internet-Drafts can be accessed at
-   http://www.ietf.org/ietf/1id-abstracts.txt.
-
-   The list of Internet-Draft Shadow Directories can be accessed at
-   http://www.ietf.org/shadow.html.
-
-   This Internet-Draft will expire on January 11, 2006.
-
-Copyright Notice
-
-   Copyright (C) The Internet Society (2005).
-
-Abstract
-
-   This document describes two methods for deriving the canonically-
-   ordered predecessor and successor of a DNS name.  These methods may
-   be used for dynamic NSEC resource record synthesis, enabling
-   security-aware name servers to provide authenticated denial of
-   existence without disclosing other owner names in a DNSSEC-secured
-   zone.
-
-
-
-
-
-Sisson & Laurie         Expires January 11, 2006                [Page 1]
-
-Internet-Draft     DNS Name Predecessor and Successor          July 2005
-
-
-Table of Contents
-
-   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
-   2.  Notational Conventions . . . . . . . . . . . . . . . . . . . .  3
-   3.  Absolute Method  . . . . . . . . . . . . . . . . . . . . . . .  4
-     3.1.  Derivation of DNS Name Predecessor . . . . . . . . . . . .  4
-     3.2.  Derivation of DNS Name Successor . . . . . . . . . . . . .  4
-   4.  Modified Method  . . . . . . . . . . . . . . . . . . . . . . .  5
-     4.1.  Derivation of DNS Name Predecessor . . . . . . . . . . . .  6
-     4.2.  Derivation of DNS Name Successor . . . . . . . . . . . . .  6
-   5.  Notes  . . . . . . . . . . . . . . . . . . . . . . . . . . . .  7
-     5.1.  Case Considerations  . . . . . . . . . . . . . . . . . . .  7
-     5.2.  Choice of Range  . . . . . . . . . . . . . . . . . . . . .  7
-     5.3.  Wild Card Considerations . . . . . . . . . . . . . . . . .  8
-     5.4.  Possible Modifications . . . . . . . . . . . . . . . . . .  8
-       5.4.1.  Restriction of Effective Maximum DNS Name Length . . .  8
-       5.4.2.  Use of Modified Method With Zones Containing
-               SRV RRs  . . . . . . . . . . . . . . . . . . . . . . .  9
-   6.  Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
-     6.1.  Examples of Immediate Predecessors Using Absolute
-           Method . . . . . . . . . . . . . . . . . . . . . . . . . . 10
-     6.2.  Examples of Immediate Successors Using Absolute Method . . 13
-     6.3.  Examples of Predecessors Using Modified Method . . . . . . 19
-     6.4.  Examples of Successors Using Modified Method . . . . . . . 20
-   7.  Security Considerations  . . . . . . . . . . . . . . . . . . . 21
-   8.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 21
-   10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 22
-     10.1. Normative References . . . . . . . . . . . . . . . . . . . 22
-     10.2. Informative References . . . . . . . . . . . . . . . . . . 22
-   9.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 21
-   Appendix A.  Change History  . . . . . . . . . . . . . . . . . . . 22
-     A.1.  Changes from sisson-02 to ietf-00  . . . . . . . . . . . . 22
-     A.2.  Changes from sisson-01 to sisson-02  . . . . . . . . . . . 23
-     A.3.  Changes from sisson-00 to sisson-01  . . . . . . . . . . . 23
-   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 24
-   Intellectual Property and Copyright Statements . . . . . . . . . . 25
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Sisson & Laurie         Expires January 11, 2006                [Page 2]
-
-Internet-Draft     DNS Name Predecessor and Successor          July 2005
-
-
-1.  Introduction
-
-   One of the proposals for avoiding the exposure of zone information
-   during the deployment DNSSEC is dynamic NSEC resource record (RR)
-   synthesis.  This technique is described in [I-D.ietf-dnsext-dnssec-
-   trans] and [I-D.ietf-dnsext-dnssec-online-signing], and involves the
-   generation of NSEC RRs that just span the query name for non-existent
-   owner names.  In order to do this, the DNS names which would occur
-   just prior to and just following a given query name must be
-   calculated in real time, as maintaining a list of all possible owner
-   names that might occur in a zone would be impracticable.
-
-   Section 6.1 of [RFC4034] defines canonical DNS name order.  This
-   document does not amend or modify this definition.  However, the
-   derivation of immediate predecessor and successor, while trivial, is
-   non-obvious.  Accordingly, several methods are described here as an
-   aid to implementors and a reference to other interested parties.
-
-   This document describes two methods:
-
-   1.  An ``absolute method'', which returns the immediate predecessor
-       or successor of a domain name such that no valid DNS name could
-       exist between that DNS name and the predecessor or successor.
-
-   2.  A ``modified method'', which returns a predecessor and successor
-       which are more economical in size and computation.  This method
-       is restricted to use with zones consisting only of single-label
-       owner names where a maximum-length owner name would not result in
-       a DNS name exceeding the maximum DNS name length.  This is,
-       however, the type of zone for which the technique of online-
-       signing is most likely to be used.
-
-
-2.  Notational Conventions
-
-   The following notational conventions are used in this document for
-   economy of expression:
-
-   N: An unspecified DNS name.
-
-   P(N): Immediate predecessor to N (absolute method).
-
-   S(N): Immediate successor to N (absolute method).
-
-   P'(N): Predecessor to N (modified method).
-
-
-
-
-
-
-Sisson & Laurie         Expires January 11, 2006                [Page 3]
-
-Internet-Draft     DNS Name Predecessor and Successor          July 2005
-
-
-   S'(N): Successor to N (modified method).
-
-
-3.  Absolute Method
-
-   These derivations assume that all uppercase US-ASCII letters in N
-   have already been replaced by their corresponding lowercase
-   equivalents.  Unless otherwise specified, processing stops after the
-   first step in which a condition is met.
-
-3.1.  Derivation of DNS Name Predecessor
-
-   To derive P(N):
-
-   1.  If N is the same as the owner name of the zone apex, prepend N
-       repeatedly with labels of the maximum length possible consisting
-       of octets of the maximum sort value (e.g. 0xff) until N is the
-       maximum length possible; otherwise continue to the next step.
-
-   2.  If the least significant (left-most) label of N consists of a
-       single octet of the minimum sort value (e.g. 0x00), remove that
-       label; otherwise continue to the next step.
-
-   3.  If the least significant (right-most) octet in the least
-       significant (left-most) label of N is the minimum sort value,
-       remove the least significant octet and continue with step 5.
-
-   4.  Decrement the value of the least significant (right-most) octet,
-       skipping any values that correspond to uppercase US-ASCII
-       letters, and then append the label with as many octets as
-       possible of the maximum sort value.  Continue to the next step.
-
-   5.  Prepend N repeatedly with labels of as long a length as possible
-       consisting of octets of the maximum sort value until N is the
-       maximum length possible.
-
-3.2.  Derivation of DNS Name Successor
-
-   To derive S(N):
-
-   1.  If N is two or more octets shorter than the maximum DNS name
-       length, prepend N with a label containing a single octet of the
-       minimum sort value (e.g. 0x00); otherwise continue to the next
-       step.
-
-   2.  If N is one or more octets shorter than the maximum DNS name
-       length and the least significant (left-most) label is one or more
-       octets shorter than the maximum label length, append an octet of
-
-
-
-Sisson & Laurie         Expires January 11, 2006                [Page 4]
-
-Internet-Draft     DNS Name Predecessor and Successor          July 2005
-
-
-       the minimum sort value to the least significant label; otherwise
-       continue to the next step.
-
-   3.  Increment the value of the least significant (right-most) octet
-       in the least significant (left-most) label that is less than the
-       maximum sort value (e.g. 0xff), skipping any values that
-       correspond to uppercase US-ASCII letters, and then remove any
-       octets to the right of that one.  If all octets in the label are
-       the maximum sort value, then continue to the next step.
-
-   4.  Remove the least significant (left-most) label.  If N is now the
-       same as the owner name of the zone apex, do nothing.  (This will
-       occur only if N is the maximum possible name in canonical DNS
-       name order, and thus has wrapped to the owner name of zone apex.)
-       Otherwise repeat starting at step 2.
-
-
-4.  Modified Method
-
-   This method is for use with zones consisting only of single-label
-   owner names where an owner name consisting of label of maximum length
-   would not result in a DNS name which exceeded the maximum DNS name
-   length.  This method is computationally simpler and returns values
-   which are more economical in size than the absolute method.  It
-   differs from the absolute method detailed above in the following
-   ways:
-
-   1.  Step 1 of the derivation P(N) has been omitted as the existence
-       of the owner name of the zone apex never requires denial.
-
-   2.  A new step 1 has been introduced which removes unnecessary
-       labels.
-
-   3.  Step 4 of the derivation P(N) has been omitted as it is only
-       necessary for zones containing owner names consisting of more
-       than one label.  This omission generally results in a significant
-       reduction of the length of derived predecessors.
-
-   4.  Step 1 of the derivation S(N) had been omitted as it is only
-       necessary for zones containing owner names consisting of more
-       than one label.  This omission results in a tiny reduction of the
-       length of derived successors, and maintains consistency with the
-       modification of step 4 of the derivation P(N) described above.
-
-   5.  Steps 2 and 4 of the derivation S(N) have been modified to
-       eliminate checks for maximum DNS name length, as it is an
-       assumption of this method that no DNS name in the zone can exceed
-       the maximum DNS name length.
-
-
-
-Sisson & Laurie         Expires January 11, 2006                [Page 5]
-
-Internet-Draft     DNS Name Predecessor and Successor          July 2005
-
-
-   These derivations assume that all uppercase US-ASCII letters in N
-   have already been replaced by their corresponding lowercase
-   equivalents.  Unless otherwise specified, processing stops after the
-   first step in which a condition is met.
-
-4.1.  Derivation of DNS Name Predecessor
-
-   To derive P'(N):
-
-   1.  If N has more labels than the number of labels in the owner name
-       of the apex + 1, repeatedly remove the least significant (left-
-       most) label until N has no more labels than the number of labels
-       in the owner name of the apex + 1; otherwise continue to next
-       step.
-
-   2.  If the least significant (left-most) label of N consists of a
-       single octet of the minimum sort value (e.g. 0x00), remove that
-       label; otherwise continue to the next step.
-
-   3.  If the least significant (right-most) octet in the least
-       significant (left-most) label of N is the minimum sort value,
-       remove the least significant octet.
-
-   4.  Decrement the value of the least significant (right-most) octet,
-       skipping any values which correspond to uppercase US-ASCII
-       letters, and then append the label with as many octets as
-       possible of the maximum sort value.
-
-4.2.  Derivation of DNS Name Successor
-
-   To derive S'(N):
-
-   1.  If N has more labels than the number of labels in the owner name
-       of the apex + 1, repeatedly remove the least significant (left-
-       most) label until N has no more labels than the number of labels
-       in the owner name of the apex + 1.  Continue to next step.
-
-   2.  If the least significant (left-most) label of N is one or more
-       octets shorter than the maximum label length, append an octet of
-       the minimum sort value to the least significant label; otherwise
-       continue to the next step.
-
-   3.  Increment the value of the least significant (right-most) octet
-       in the least significant (left-most) label that is less than the
-       maximum sort value (e.g. 0xff), skipping any values which
-       correspond to uppercase US-ASCII letters, and then remove any
-       octets to the right of that one.  If all octets in the label are
-       the maximum sort value, then continue to the next step.
-
-
-
-Sisson & Laurie         Expires January 11, 2006                [Page 6]
-
-Internet-Draft     DNS Name Predecessor and Successor          July 2005
-
-
-   4.  Remove the least significant (left-most) label.  (This will occur
-       only if the least significant label is the maximum label length
-       and consists entirely of octets of the maximum sort value, and
-       thus has wrapped to the owner name of the zone apex.)
-
-
-5.  Notes
-
-5.1.  Case Considerations
-
-   Section 3.5 of [RFC1034] specifies that "while upper and lower case
-   letters are allowed in [DNS] names, no significance is attached to
-   the case".  Additionally, Section 6.1 of [RFC4034] states that when
-   determining canonical DNS name order, "uppercase US-ASCII letters are
-   treated as if they were lowercase US-ASCII letters".  Consequently,
-   values corresponding to US-ASCII uppercase letters must be skipped
-   when decrementing and incrementing octets in the derivations
-   described in Section 3.1 and Section 3.2.
-
-   The following pseudo-code is illustrative:
-
-   Decrement the value of an octet:
-
-      if (octet == '[')       // '[' is just after uppercase 'Z'
-              octet = '@';    // '@' is just prior to uppercase 'A'
-      else
-              octet--;
-
-   Increment the value of an octet:
-
-      if (octet == '@')       // '@' is just prior to uppercase 'A'
-              octet = '[';    // '[' is just after uppercase 'Z'
-      else
-              octet++;
-
-5.2.  Choice of Range
-
-   [RFC2181] makes the clarification that "any binary string whatever
-   can be used as the label of any resource record".  Consequently the
-   minimum sort value may be set as 0x00 and the maximum sort value as
-   0xff, and the range of possible values will be any DNS name which
-   contains octets of any value other than those corresponding to
-   uppercase US-ASCII letters.
-
-   However, if all owner names in a zone are in the letter-digit-hyphen,
-   or LDH, format specified in [RFC1034], it may be desirable to
-   restrict the range of possible values to DNS names containing only
-   LDH values.  This has the effect of:
-
-
-
-Sisson & Laurie         Expires January 11, 2006                [Page 7]
-
-Internet-Draft     DNS Name Predecessor and Successor          July 2005
-
-
-   1.  making the output of tools such as `dig' and `nslookup' less
-       subject to confusion;
-
-   2.  minimising the impact that NSEC RRs containing DNS names with
-       non-LDH values (or non-printable values) might have on faulty DNS
-       resolver implementations; and
-
-   3.  preventing the possibility of results which are wildcard DNS
-       names (see Section 5.3).
-
-   This may be accomplished by using a minimum sort value of 0x1f (US-
-   ASCII character `-') and a maximum sort value of 0x7a (US-ASCII
-   character lowercase `z'), and then skipping non-LDH, non-lowercase
-   values when incrementing or decrementing octets.
-
-5.3.  Wild Card Considerations
-
-   Neither derivation avoids the possibility that the result may be a
-   DNS name containing a wildcard label, i.e. a label containing a
-   single octet with the value 0x2a (US-ASCII character `*').  With
-   additional tests, wildcard DNS names may be explicitly avoided;
-   alternatively, if the range of octet values can be restricted to
-   those corresponding to letter-digit-hyphen, or LDH, characters (see
-   Section 5.2), such DNS names will not occur.
-
-   Note that it is improbable that a result which is a wildcard DNS name
-   will occur unintentionally; even if one does occur either as the
-   owner name of, or in the RDATA of an NSEC RR, it is treated as a
-   literal DNS name with no special meaning.
-
-5.4.  Possible Modifications
-
-5.4.1.  Restriction of Effective Maximum DNS Name Length
-
-   [RFC1034] specifies that "the total number of octets that represent a
-   [DNS] name (i.e., the sum of all label octets and label lengths) is
-   limited to 255", including the null (zero-length) label which
-   represents the root.  For the purpose of deriving predecessors and
-   successors during NSEC RR synthesis, the maximum DNS name length may
-   be effectively restricted to the length of the longest DNS name in
-   the zone.  This will minimise the size of responses containing
-   synthesised NSEC RRs but, especially in the case of the modified
-   method, may result in some additional computational complexity.
-
-   Note that this modification will have the effect of revealing
-   information about the longest name in the zone.  Moreover, when the
-   contents of the zone changes, e.g. during dynamic updates and zone
-   transfers, care must be taken to ensure that the effective maximum
-
-
-
-Sisson & Laurie         Expires January 11, 2006                [Page 8]
-
-Internet-Draft     DNS Name Predecessor and Successor          July 2005
-
-
-   DNS name length agrees with the new contents.
-
-5.4.2.  Use of Modified Method With Zones Containing SRV RRs
-
-   Normally the modified method cannot be used in zones that contain
-   SRV RRs [RFC2782], as SRV RRs have owner names which contain multiple
-   labels.  However the use of SRV RRs can be accommodated by various
-   techniques.  There are at least four possible ways to do this:
-
-   1.  Use conventional NSEC RRs for the region of the zone that
-       contains first-level labels beginning with the underscore (`_')
-       character.  For the purposes of generating these NSEC RRs, the
-       existence of (possibly fictional) ownernames `9{63}' and `a'
-       could be assumed, providing a lower and upper bound for this
-       region.  Then all queries where the QNAME doesn't exist but
-       contains a first-level label beginning with an underscore could
-       be handled using the normal DNSSEC protocol.
-
-       This approach would make it possible to enumerate all DNS names
-       in the zone containing a first-level label beginning with
-       underscore, including all SRV RRs, but this may be of less a
-       concern to the zone administrator than incurring the overhead of
-       the absolute method or of the following variants of the modified
-       method.
-
-   2.  The absolute method could be used for synthesising NSEC RRs for
-       all queries where the QNAME contains a leading underscore.
-       However this re-introduces the susceptibility of the absolute
-       method to denial of service activity, as an attacker could send
-       queries for an effectively inexhaustible supply of domain names
-       beginning with a leading underscore.
-
-   3.  A variant of the modified method could be used for synthesising
-       NSEC RRs for all queries where the QNAME contains a leading
-       underscore.  This variant would assume that all predecessors and
-       successors to queries where the QNAME contains a leading
-       underscore may consist of two lablels rather than only one.  This
-       introduces a little additional complexity without incurring the
-       full increase in response size and computational complexity as
-       the absolute method.
-
-   4.  Finally, a variant the modified method which assumes that all
-       owner names in the zone consist of one or two labels could be
-       used.  However this negates much of the reduction in response
-       size of the modified method and may be nearly as computationally
-       complex as the absolute method.
-
-
-
-
-
-Sisson & Laurie         Expires January 11, 2006                [Page 9]
-
-Internet-Draft     DNS Name Predecessor and Successor          July 2005
-
-
-6.  Examples
-
-   In the following examples:
-
-      the owner name of the zone apex is "example.com.";
-
-      the range of octet values is 0x00 - 0xff excluding values
-      corresponding to uppercase US-ASCII letters; and
-
-      non-printable octet values are expressed as three-digit decimal
-      numbers preceded by a backslash (as specified in Section 5.1 of
-      [RFC1035]).
-
-6.1.  Examples of Immediate Predecessors Using Absolute Method
-
-   Example of typical case:
-
-      P(foo.example.com.) =
-
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255.\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255.\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255.fon\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255.example.com.
-
-      or, in alternate notation:
-
-           \255{49}.\255{63}.\255{63}.fon\255{60}.example.com.
-
-      where {n} represents the number of repetitions of an octet.
-
-
-
-
-
-
-Sisson & Laurie         Expires January 11, 2006               [Page 10]
-
-Internet-Draft     DNS Name Predecessor and Successor          July 2005
-
-
-   Example where least significant (left-most) label of DNS name
-   consists of a single octet of the minimum sort value:
-
-      P(\000.foo.example.com.) = foo.example.com.
-
-   Example where least significant (right-most) octet of least
-   significant (left-most) label has the minimum sort value:
-
-      P(foo\000.example.com.) =
-
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255.\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255.\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255.\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255.foo.example.com.
-
-      or, in alternate notation:
-
-           \255{45}.\255{63}.\255{63}.\255{63}.foo.example.com.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Sisson & Laurie         Expires January 11, 2006               [Page 11]
-
-Internet-Draft     DNS Name Predecessor and Successor          July 2005
-
-
-   Example where DNS name contains an octet which must be decremented by
-   skipping values corresponding to US-ASCII uppercase letters:
-
-      P(fo\[.example.com.) =
-
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255.\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255.\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255.fo\@\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255.example.com.
-
-      or, in alternate notation:
-
-           \255{49}.\255{63}.\255{63}.fo\@\255{60}.example.com.
-
-      where {n} represents the number of repetitions of an octet.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Sisson & Laurie         Expires January 11, 2006               [Page 12]
-
-Internet-Draft     DNS Name Predecessor and Successor          July 2005
-
-
-   Example where DNS name is the owner name of the zone apex, and
-   consequently wraps to the DNS name with the maximum possible sort
-   order in the zone:
-
-      P(example.com.) =
-
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255.\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255.\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255.\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255.example.com.
-
-      or, in alternate notation:
-
-           \255{49}.\255{63}.\255{63}.\255{63}.example.com.
-
-6.2.  Examples of Immediate Successors Using Absolute Method
-
-   Example of typical case:
-
-      S(foo.example.com.) = \000.foo.example.com.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Sisson & Laurie         Expires January 11, 2006               [Page 13]
-
-Internet-Draft     DNS Name Predecessor and Successor          July 2005
-
-
-   Example where DNS name is one octet short of the maximum DNS name
-   length:
-
-      N =  fooooooooooooooooooooooooooooooooooooooooooooooo
-           .ooooooooooooooooooooooooooooooooooooooooooooooo
-           oooooooooooooooo.ooooooooooooooooooooooooooooooo
-           oooooooooooooooooooooooooooooooo.ooooooooooooooo
-           oooooooooooooooooooooooooooooooooooooooooooooooo.example.com.
-
-      or, in alternate notation:
-
-           fo{47}.o{63}.o{63}.o{63}.example.com.
-
-      S(N) =
-
-           fooooooooooooooooooooooooooooooooooooooooooooooo
-           \000.ooooooooooooooooooooooooooooooooooooooooooo
-           oooooooooooooooooooo.ooooooooooooooooooooooooooo
-           oooooooooooooooooooooooooooooooooooo.ooooooooooo
-           oooooooooooooooooooooooooooooooooooooooooooooooo
-           oooo.example.com.
-
-      or, in alternate notation:
-
-           fo{47}\000.o{63}.o{63}.o{63}.example.com.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Sisson & Laurie         Expires January 11, 2006               [Page 14]
-
-Internet-Draft     DNS Name Predecessor and Successor          July 2005
-
-
-   Example where DNS name is the maximum DNS name length:
-
-      N  = fooooooooooooooooooooooooooooooooooooooooooooooo
-           o.oooooooooooooooooooooooooooooooooooooooooooooo
-           ooooooooooooooooo.oooooooooooooooooooooooooooooo
-           ooooooooooooooooooooooooooooooooo.oooooooooooooo
-           oooooooooooooooooooooooooooooooooooooooooooooooo
-           o.example.com.
-
-      or, in alternate notation:
-
-           fo{48}.o{63}.o{63}.o{63}.example.com.
-
-      S(N) =
-
-           fooooooooooooooooooooooooooooooooooooooooooooooo
-           p.oooooooooooooooooooooooooooooooooooooooooooooo
-           ooooooooooooooooo.oooooooooooooooooooooooooooooo
-           ooooooooooooooooooooooooooooooooo.oooooooooooooo
-           oooooooooooooooooooooooooooooooooooooooooooooooo
-           o.example.com.
-
-      or, in alternate notation:
-
-           fo{47}p.o{63}.o{63}.o{63}.example.com.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Sisson & Laurie         Expires January 11, 2006               [Page 15]
-
-Internet-Draft     DNS Name Predecessor and Successor          July 2005
-
-
-   Example where DNS name is the maximum DNS name length and the least
-   significant (left-most) label has the maximum sort value:
-
-      N =  \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255.ooooooooooooooooooooooooooooooooooooooooooo
-           oooooooooooooooooooo.ooooooooooooooooooooooooooo
-           oooooooooooooooooooooooooooooooooooo.ooooooooooo
-           oooooooooooooooooooooooooooooooooooooooooooooooo
-           oooo.example.com.
-
-      or, in alternate notation:
-
-           \255{49}.o{63}.o{63}.o{63}.example.com.
-
-      S(N) =
-
-           oooooooooooooooooooooooooooooooooooooooooooooooo
-           oooooooooooooop.oooooooooooooooooooooooooooooooo
-           ooooooooooooooooooooooooooooooo.oooooooooooooooo
-           ooooooooooooooooooooooooooooooooooooooooooooooo.
-           example.com.
-
-      or, in alternate notation:
-
-           o{62}p.o{63}.o{63}.example.com.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Sisson & Laurie         Expires January 11, 2006               [Page 16]
-
-Internet-Draft     DNS Name Predecessor and Successor          July 2005
-
-
-   Example where DNS name is the maximum DNS name length and the eight
-   least significant (right-most) octets of the least significant (left-
-   most) label have the maximum sort value:
-
-      N  = foooooooooooooooooooooooooooooooooooooooo\255
-           \255\255\255\255\255\255\255.ooooooooooooooooooo
-           oooooooooooooooooooooooooooooooooooooooooooo.ooo
-           oooooooooooooooooooooooooooooooooooooooooooooooo
-           oooooooooooo.ooooooooooooooooooooooooooooooooooo
-           oooooooooooooooooooooooooooo.example.com.
-
-      or, in alternate notation:
-
-           fo{40}\255{8}.o{63}.o{63}.o{63}.example.com.
-
-      S(N) =
-
-           fooooooooooooooooooooooooooooooooooooooop.oooooo
-           oooooooooooooooooooooooooooooooooooooooooooooooo
-           ooooooooo.oooooooooooooooooooooooooooooooooooooo
-           ooooooooooooooooooooooooo.oooooooooooooooooooooo
-           ooooooooooooooooooooooooooooooooooooooooo.example.com.
-
-      or, in alternate notation:
-
-           fo{39}p.o{63}.o{63}.o{63}.example.com.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Sisson & Laurie         Expires January 11, 2006               [Page 17]
-
-Internet-Draft     DNS Name Predecessor and Successor          July 2005
-
-
-   Example where DNS name is the maximum DNS name length and contains an
-   octet which must be incremented by skipping values corresponding to
-   US-ASCII uppercase letters:
-
-      N  = fooooooooooooooooooooooooooooooooooooooooooooooo
-           \@.ooooooooooooooooooooooooooooooooooooooooooooo
-           oooooooooooooooooo.ooooooooooooooooooooooooooooo
-           oooooooooooooooooooooooooooooooooo.ooooooooooooo
-           oooooooooooooooooooooooooooooooooooooooooooooooo
-           oo.example.com.
-
-      or, in alternate notation:
-
-           fo{47}\@.o{63}.o{63}.o{63}.example.com.
-
-      S(N) =
-
-           fooooooooooooooooooooooooooooooooooooooooooooooo
-           \[.ooooooooooooooooooooooooooooooooooooooooooooo
-           oooooooooooooooooo.ooooooooooooooooooooooooooooo
-           oooooooooooooooooooooooooooooooooo.ooooooooooooo
-           oooooooooooooooooooooooooooooooooooooooooooooooo
-           oo.example.com.
-
-      or, in alternate notation:
-
-           fo{47}\[.o{63}.o{63}.o{63}.example.com.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Sisson & Laurie         Expires January 11, 2006               [Page 18]
-
-Internet-Draft     DNS Name Predecessor and Successor          July 2005
-
-
-   Example where DNS name has the maximum possible sort order in the
-   zone, and consequently wraps to the owner name of the zone apex:
-
-      N  = \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255.\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255.\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255.\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255.example.com.
-
-      or, in alternate notation:
-
-           \255{49}.\255{63}.\255{63}.\255{63}.example.com.
-
-      S(N) = example.com.
-
-6.3.  Examples of Predecessors Using Modified Method
-
-   Example of typical case:
-
-      P'(foo.example.com.) =
-
-           fon\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255.example.com.
-
-      or, in alternate notation:
-
-           fon\255{60}.example.com.
-
-
-
-
-Sisson & Laurie         Expires January 11, 2006               [Page 19]
-
-Internet-Draft     DNS Name Predecessor and Successor          July 2005
-
-
-   Example where DNS name contains more labels than DNS names in the
-   zone:
-
-      P'(bar.foo.example.com.) = foo.example.com.
-
-   Example where least significant (right-most) octet of least
-   significant (left-most) label has the minimum sort value:
-
-      P'(foo\000.example.com.) = foo.example.com.
-
-   Example where least significant (left-most) label has the minimum
-   sort value:
-
-      P'(\000.example.com.) = example.com.
-
-   Example where DNS name is the owner name of the zone apex, and
-   consequently wraps to the DNS name with the maximum possible sort
-   order in the zone:
-
-      P'(example.com.) =
-
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255.example.com.
-
-      or, in alternate notation:
-
-           \255{63}.example.com.
-
-6.4.  Examples of Successors Using Modified Method
-
-   Example of typical case:
-
-      S'(foo.example.com.) = foo\000.example.com.
-
-   Example where DNS name contains more labels than DNS names in the
-   zone:
-
-      S'(bar.foo.example.com.) = foo\000.example.com.
-
-
-
-
-
-
-
-
-
-Sisson & Laurie         Expires January 11, 2006               [Page 20]
-
-Internet-Draft     DNS Name Predecessor and Successor          July 2005
-
-
-   Example where least significant (left-most) label has the maximum
-   sort value, and consequently wraps to the owner name of the zone
-   apex:
-
-      N  = \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255\255\255\255\255\255\255\255\255\255
-           \255\255\255.example.com.
-
-      or, in alternate notation:
-
-           \255{63}.example.com.
-
-      S'(N) = example.com.
-
-
-7.  Security Considerations
-
-   The derivation of some predecessors/successors requires the testing
-   of more conditions than others.  Consequently the effectiveness of a
-   denial-of-service attack may be enhanced by sending queries that
-   require more conditions to be tested.  The modified method involves
-   the testing of fewer conditions than the absolute method and
-   consequently is somewhat less susceptible to this exposure.
-
-
-8.  IANA Considerations
-
-   This document has no IANA actions.
-
-   Note to RFC Editor: This section is included to make it clear during
-   pre-publication review that this document has no IANA actions.  It
-   may therefore be removed should it be published as an RFC.
-
-
-9.  Acknowledgments
-
-   The authors would like to thank Olaf Kolkman, Olafur Gudmundsson and
-   Niall O'Reilly for their review and input.
-
-
-10.  References
-
-
-
-
-
-
-
-Sisson & Laurie         Expires January 11, 2006               [Page 21]
-
-Internet-Draft     DNS Name Predecessor and Successor          July 2005
-
-
-10.1  Normative References
-
-   [RFC1034]  Mockapetris, P., "Domain names - concepts and facilities",
-              STD 13, RFC 1034, November 1987.
-
-   [RFC1035]  Mockapetris, P., "Domain names - implementation and
-              specification", STD 13, RFC 1035, November 1987.
-
-   [RFC2181]  Elz, R. and R. Bush, "Clarifications to the DNS
-              Specification", RFC 2181, July 1997.
-
-   [RFC2782]  Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for
-              specifying the location of services (DNS SRV)", RFC 2782,
-              February 2000.
-
-   [RFC4034]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
-              Rose, "Resource Records for the DNS Security Extensions",
-              RFC 4034, March 2005.
-
-10.2  Informative References
-
-   [I-D.ietf-dnsext-dnssec-online-signing]
-              Ihren, J. and S. Weiler, "Minimally Covering NSEC Records
-              and DNSSEC On-line Signing",
-              draft-ietf-dnsext-dnssec-online-signing-00 (work in
-              progress), May 2005.
-
-   [I-D.ietf-dnsext-dnssec-trans]
-              Arends, R., Koch, P., and J. Schlyter, "Evaluating DNSSEC
-              Transition Mechanisms",
-              draft-ietf-dnsext-dnssec-trans-02 (work in progress),
-              February 2005.
-
-
-Appendix A.  Change History
-
-A.1.  Changes from sisson-02 to ietf-00
-
-   o  Added notes on use of SRV RRs with modified method.
-
-   o  Changed reference from weiler-dnssec-online-signing to ietf-
-      dnsext-dnssec-online-signing.
-
-   o  Changed reference from ietf-dnsext-dnssec-records to RFC 4034.
-
-   o  Miscellaneous minor changes to text.
-
-
-
-
-
-Sisson & Laurie         Expires January 11, 2006               [Page 22]
-
-Internet-Draft     DNS Name Predecessor and Successor          July 2005
-
-
-A.2.  Changes from sisson-01 to sisson-02
-
-   o  Added modified version of derivation (with supporting examples).
-
-   o  Introduced notational conventions N, P(N), S(N), P'(N) and S'(N).
-
-   o  Added clarification to derivations about when processing stops.
-
-   o  Miscellaneous minor changes to text.
-
-A.3.  Changes from sisson-00 to sisson-01
-
-   o  Split step 3 of derivation of DNS name predecessor into two
-      distinct steps for clarity.
-
-   o  Added clarifying text and examples related to the requirement to
-      avoid uppercase characters when decrementing or incrementing
-      octets.
-
-   o  Added optimisation using restriction of effective maximum DNS name
-      length.
-
-   o  Changed examples to use decimal rather than octal notation as per
-      [RFC1035].
-
-   o  Corrected DNS name length of some examples.
-
-   o  Added reference to weiler-dnssec-online-signing.
-
-   o  Miscellaneous minor changes to text.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Sisson & Laurie         Expires January 11, 2006               [Page 23]
-
-Internet-Draft     DNS Name Predecessor and Successor          July 2005
-
-
-Authors' Addresses
-
-   Geoffrey Sisson
-   Nominet
-   Sandford Gate
-   Sandy Lane West
-   Oxford
-   OX4 6LB
-   GB
-
-   Phone: +44 1865 332339
-   Email: geoff@nominet.org.uk
-
-
-   Ben Laurie
-   Nominet
-   17 Perryn Road
-   London
-   W3 7LR
-   GB
-
-   Phone: +44 20 8735 0686
-   Email: ben@algroup.co.uk
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Sisson & Laurie         Expires January 11, 2006               [Page 24]
-
-Internet-Draft     DNS Name Predecessor and Successor          July 2005
-
-
-Intellectual Property Statement
-
-   The IETF takes no position regarding the validity or scope of any
-   Intellectual Property Rights or other rights that might be claimed to
-   pertain to the implementation or use of the technology described in
-   this document or the extent to which any license under such rights
-   might or might not be available; nor does it represent that it has
-   made any independent effort to identify any such rights.  Information
-   on the procedures with respect to rights in RFC documents can be
-   found in BCP 78 and BCP 79.
-
-   Copies of IPR disclosures made to the IETF Secretariat and any
-   assurances of licenses to be made available, or the result of an
-   attempt made to obtain a general license or permission for the use of
-   such proprietary rights by implementers or users of this
-   specification can be obtained from the IETF on-line IPR repository at
-   http://www.ietf.org/ipr.
-
-   The IETF invites any interested party to bring to its attention any
-   copyrights, patents or patent applications, or other proprietary
-   rights that may cover technology that may be required to implement
-   this standard.  Please address the information to the IETF at
-   ietf-ipr@ietf.org.
-
-
-Disclaimer of Validity
-
-   This document and the information contained herein are provided on an
-   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
-   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
-   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
-   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
-   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Copyright Statement
-
-   Copyright (C) The Internet Society (2005).  This document is subject
-   to the rights, licenses and restrictions contained in BCP 78, and
-   except as set forth therein, the authors retain all their rights.
-
-
-Acknowledgment
-
-   Funding for the RFC Editor function is currently provided by the
-   Internet Society.
-
-
-
-
-Sisson & Laurie         Expires January 11, 2006               [Page 25]
-
diff --git a/doc/rfc/rfc3833.txt b/doc/draft/draft-ietf-dnsext-dns-threats-06.txt
index 8ce4d34e..6540f0de 100644
--- a/doc/rfc/rfc3833.txt
+++ b/doc/draft/draft-ietf-dnsext-dns-threats-06.txt
@@ -1,27 +1,38 @@
 
 
+Network Working Group                                          D. Atkins
+draft-ietf-dnsext-dns-threats-06.txt                    IHTFP Consulting
+                                                              R. Austein
+                                                                     ISC
+                                                           February 2004
 
 
+               Threat Analysis of the Domain Name System
 
 
-Network Working Group                                          D. Atkins
-Request for Comments: 3833                              IHTFP Consulting
-Category: Informational                                       R. Austein
-                                                                     ISC
-                                                             August 2004
+Status of this document
 
+   This document is an Internet-Draft and is in full conformance with
+   all provisions of Section 10 of RFC 2026.
 
-            Threat Analysis of the Domain Name System (DNS)
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF), its areas, and its working groups.  Note that
+   other groups may also distribute working documents as Internet-
+   Drafts.
 
-Status of this Memo
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time.  It is inappropriate to use Internet-Drafts as reference
+   material or to cite them other than as "work in progress."
 
-   This memo provides information for the Internet community.  It does
-   not specify an Internet standard of any kind.  Distribution of this
-   memo is unlimited.
+   The list of current Internet-Drafts can be accessed at
+   <http://www.ietf.org/ietf/1id-abstracts.txt>
 
-Copyright Notice
+   The list of Internet-Draft Shadow Directories can be accessed at
+   <http://www.ietf.org/shadow.html>
 
-   Copyright (C) The Internet Society (2004).
+   Distribution of this document is unlimited.  Please send comments to
+   the Namedroppers mailing list <namedroppers@ops.ietf.org>.
 
 Abstract
 
@@ -35,6 +46,16 @@ Abstract
    doing so, attempts to measure to what extent (if any) DNSSEC is a
    useful tool in defending against these threats.
 
+
+
+
+
+
+Atkins & Austein         Expires 21 August 2004                 [Page 1]
+
+draft-ietf-dnsext-dns-threats-06.txt                       February 2004
+
+
 1. Introduction
 
    The earliest organized work on DNSSEC within the IETF was an open
@@ -53,13 +74,6 @@ Abstract
      authentication of DNS clients and servers as a basis for access
      control, this work was also ruled out of scope for DNSSEC per se.
 
-
-
-Atkins & Austein             Informational                      [Page 1]
-
-RFC 3833                  DNS Threat Analysis                August 2004
-
-
    - Backwards compatibility and co-existence with "insecure DNS" was
      listed as an explicit requirement.
 
@@ -84,12 +98,20 @@ RFC 3833                  DNS Threat Analysis                August 2004
 
    While it may seem a bit strange to publish the threat analysis a
    decade after starting work on the protocol designed to defend against
-   it, that is, nevertheless, what this note attempts to do.  Better
-   late than never.
+   it, that is nevertheless what this note attempts to do.  Better late
+   than never.
 
    This note assumes that the reader is familiar with both the DNS and
    with DNSSEC, and does not attempt to provide a tutorial on either.
    The DNS documents most relevant to the subject of this note are:
+
+
+
+Atkins & Austein         Expires 21 August 2004                 [Page 2]
+
+draft-ietf-dnsext-dns-threats-06.txt                       February 2004
+
+
    [RFC1034], [RFC1035], section 6.1 of [RFC1123], [RFC2181], [RFC2308],
    [RFC2671], [RFC2845], [RFC2930], [RFC3007], and [RFC2535].
 
@@ -105,17 +127,6 @@ RFC 3833                  DNS Threat Analysis                August 2004
    as zone transfers and dynamic update requests), and perhaps should be
    changed in a future revision of this note.
 
-
-
-
-
-
-
-Atkins & Austein             Informational                      [Page 2]
-
-RFC 3833                  DNS Threat Analysis                August 2004
-
-
 2.  Known Threats
 
    There are several distinct classes of threats to the DNS, most of
@@ -139,38 +150,36 @@ RFC 3833                  DNS Threat Analysis                August 2004
    may just be a means to an end for the attacker: the attacker might
    even choose to return the correct result in the answer section of a
    reply message while using other parts of the message to set the stage
-   for something more complicated, for example, a name chaining attack
-   (see section 2.3).
+   for something more complicated, for example, a name-based attack (see
+   below).
 
    While it certainly would be possible to sign DNS messages using a
    channel security mechanism such as TSIG or IPsec, or even to encrypt
-   them using IPsec, this would not be a very good solution for
-   interception attacks.  First, this approach would impose a fairly
-   high processing cost per DNS message, as well as a very high cost
-   associated with establishing and maintaining bilateral trust
-   relationships between all the parties that might be involved in
-   resolving any particular query.  For heavily used name servers (such
-   as the servers for the root zone), this cost would almost certainly
-   be prohibitively high.  Even more important, however, is that the
-   underlying trust model in such a design would be wrong, since at best
-   it would only provide a hop-by-hop integrity check on DNS messages
-   and would not provide any sort of end-to-end integrity check between
-   the producer of DNS data (the zone administrator) and the consumer of
-   DNS data (the application that triggered the query).
-
-   By contrast, DNSSEC (when used properly) does provide an end-to-end
-   data integrity check, and is thus a much better solution for this
-   class of problems during basic DNS lookup operations.
+   them using IPsec, this would not be a very good solution.  First,
+   this approach would impose a fairly high processing cost per DNS
+   message, as well as a very high cost associated with establishing and
+   maintaining bilateral trust relationships between all the parties
+   that might be involved in resolving any particular query.  For
 
 
 
+Atkins & Austein         Expires 21 August 2004                 [Page 3]
+
+draft-ietf-dnsext-dns-threats-06.txt                       February 2004
 
 
+   heavily used name servers (such as the servers for the root zone),
+   this cost would almost certainly be prohibitively high.  Even more
+   important, however, is that the underlying trust model in such a
+   design would be wrong, since at best it would only provide a hop-by-
+   hop integrity check on DNS messages and would not provide any sort of
+   end-to-end integrity check between the producer of DNS data (the zone
+   administrator) and the consumer of DNS data (the application that
+   triggered the query).
 
-Atkins & Austein             Informational                      [Page 3]
-
-RFC 3833                  DNS Threat Analysis                August 2004
-
+   By contrast, DNSSEC (when used properly) does provide an end-to-end
+   data integrity check, and is thus a much better solution for this
+   class of problems during basic DNS lookup operations.
 
    TSIG does have its place in corners of the DNS protocol where there's
    a specific trust relationship between a particular client and a
@@ -207,6 +216,14 @@ RFC 3833                  DNS Threat Analysis                August 2004
 
    By itself, ID guessing is not enough to allow an attacker to inject
    bogus data, but combined with knowledge (or guesses) about QNAMEs and
+
+
+
+Atkins & Austein         Expires 21 August 2004                 [Page 4]
+
+draft-ietf-dnsext-dns-threats-06.txt                       February 2004
+
+
    QTYPEs for which a resolver might be querying, this leaves the
    resolver only weakly defended against injection of bogus responses.
 
@@ -217,17 +234,6 @@ RFC 3833                  DNS Threat Analysis                August 2004
    because the victim is responding (in a predictable way) to some third
    party action known to the attacker.
 
-
-
-
-
-
-
-Atkins & Austein             Informational                      [Page 4]
-
-RFC 3833                  DNS Threat Analysis                August 2004
-
-
    This attack is both more and less difficult for the attacker than the
    simple interception attack described above: more difficult, because
    the attack only works when the attacker guesses correctly; less
@@ -236,39 +242,30 @@ RFC 3833                  DNS Threat Analysis                August 2004
 
    In most other respects, this attack is similar to a packet
    interception attack.  A resolver that checks DNSSEC signatures will
-   be able to detect the forged response; resolvers that do not perform
-   DNSSEC signature checking themselves should use TSIG or some
+   be able to detect the forged response; resolvers that do not
+   themselves perform DNSSEC signature checking should use TSIG or some
    equivalent mechanism to ensure the integrity of their communication
-   with a recursive name server that does perform DNSSEC signature
+   with a recursing name server that does perform DNSSEC signature
    checking.
 
-2.3.  Name Chaining
+2.3.  Name Games
 
    Perhaps the most interesting class of DNS-specific threats are the
-   name chaining attacks.  These are a subset of a larger class of
-   name-based attacks, sometimes called "cache poisoning" attacks.  Most
-   name-based attacks can be partially mitigated by the long-standing
-   defense of checking RRs in response messages for relevance to the
-   original query, but such defenses do not catch name chaining attacks.
-   There are several variations on the basic attack, but what they all
-   have in common is that they all involve DNS RRs whose RDATA portion
-   (right hand side) includes a DNS name (or, in a few cases, something
-   that is not a DNS name but which directly maps to a DNS name).  Any
-   such RR is, at least in principle, a hook that lets an attacker feed
-   bad data into a victim's cache, thus potentially subverting
-   subsequent decisions based on DNS names.
-
-   The worst examples in this class of RRs are CNAME, NS, and DNAME RRs
+   name-based attacks.  There are several variations within this class,
+   sometimes called "cache poisoning" or "fake authority" attacks.  What
+   all of these attacks have in common is that they all involve DNS RRs
+   whose RDATA portion (right hand side) includes a DNS name.  Any such
+   RR is, at least in principle, a hook that lets an attacker feed bad
+   data into a victim's cache, thus potentially subverting subsequent
+   decisions based on DNS names.
+
+   The worst examples in this class of RRs are CNAME, NS, and DNAME RRs,
    because they can redirect a victim's query to a location of the
    attacker's choosing.  RRs like MX and SRV are somewhat less
    dangerous, but in principle they can also be used to trigger further
-   lookups at a location of the attacker's choosing.  Address RR types
-   such as A or AAAA don't have DNS names in their RDATA, but since the
-   IN-ADDR.ARPA and IP6.ARPA trees are indexed using a DNS encoding of
-   IPv4 and IPv6 addresses, these record types can also be used in a
-   name chaining attack.
+   lookups at a location of the attacker's choosing.
 
-   The general form of a name chaining attack is something like this:
+   The general form of a name-based attack is something like this:
 
    - Victim issues a query, perhaps at the instigation of the attacker
      or some third party; in some cases the query itself may be
@@ -278,10 +275,9 @@ RFC 3833                  DNS Threat Analysis                August 2004
 
 
 
-
-Atkins & Austein             Informational                      [Page 5]
+Atkins & Austein         Expires 21 August 2004                 [Page 5]
 
-RFC 3833                  DNS Threat Analysis                August 2004
+draft-ietf-dnsext-dns-threats-06.txt                       February 2004
 
 
    - Attacker injects response, whether via packet interception, query
@@ -302,19 +298,19 @@ RFC 3833                  DNS Threat Analysis                August 2004
 
    Any attacker who can insert resource records into a victim's cache
    can almost certainly do some kind of damage, so there are cache
-   poisoning attacks which are not name chaining attacks in the sense
-   discussed here.  However, in the case of name chaining attacks, the
+   poisoning attacks which are not name-based attacks in the sense
+   discussed here.  However, in the case of name-based attacks, the
    cause and effect relationship between the initial attack and the
    eventual result may be significantly more complex than in the other
-   forms of cache poisoning, so name chaining attacks merit special
+   forms of cache poisoning, so name-based attacks merit special
    attention.
 
-   The common thread in all of the name chaining attacks is that
-   response messages allow the attacker to introduce arbitrary DNS names
-   of the attacker's choosing and provide further information that the
-   attacker claims is associated with those names; unless the victim has
-   better knowledge of the data associated with those names, the victim
-   is going to have a hard time defending against this class of attacks.
+   The common thread in all of the name-based attacks is that response
+   messages allow the attacker to introduce arbitrary DNS names of the
+   attacker's choosing and provide further information that the attacker
+   claims is associated with those names; unless the victim has better
+   knowledge of the data associated with those names, the victim is
+   going to have a hard time defending against this class of attacks.
 
    This class of attack is particularly insidious given that it's quite
    easy for an attacker to provoke a victim into querying for a
@@ -327,27 +323,25 @@ RFC 3833                  DNS Threat Analysis                August 2004
    DNSSEC should provide a good defense against most (all?) variations
    on this class of attack.  By checking signatures, a resolver can
    determine whether the data associated with a name really was inserted
-   by the delegated authority for that portion of the DNS name space.
-   More precisely, a resolver can determine whether the entity that
+   by the delegated authority for that portion of the DNS name space
+   (more precisely, a resolver can determine whether the entity that
    injected the data had access to an allegedly secret key whose
+   corresponding public key appears at an expected location in the DNS
+   name space with an expected chain of parental signatures that start
 
 
 
-
-
-Atkins & Austein             Informational                      [Page 6]
+Atkins & Austein         Expires 21 August 2004                 [Page 6]
 
-RFC 3833                  DNS Threat Analysis                August 2004
+draft-ietf-dnsext-dns-threats-06.txt                       February 2004
 
 
-   corresponding public key appears at an expected location in the DNS
-   name space with an expected chain of parental signatures that start
-   with a public key of which the resolver has prior knowledge.
+   with a public key of which the resolver has prior knowledge).
 
    DNSSEC signatures do not cover glue records, so there's still a
-   possibility of a name chaining attack involving glue, but with DNSSEC
-   it is possible to detect the attack by temporarily accepting the glue
-   in order to fetch the signed authoritative version of the same data,
+   possibility of a name-based attack involving glue, but with DNSSEC it
+   is possible to detect the attack by temporarily accepting the glue in
+   order to fetch the signed authoritative version of the same data,
    then checking the signatures on the authoritative version.
 
 2.4.  Betrayal By Trusted Server
@@ -361,16 +355,15 @@ RFC 3833                  DNS Threat Analysis                August 2004
    PPP options.  Besides accidental betrayal of this trust relationship
    (via server bugs, successful server break-ins, etc), the server
    itself may be configured to give back answers that are not what the
-   user would expect, whether in an honest attempt to help the user or
-   to promote some other goal such as furthering a business partnership
-   between the ISP and some third party.
+   user would expect (whether in an honest attempt to help the user or
+   to further some other goal such as furthering a business partnership
+   between the ISP and some third party).
 
    This problem is particularly acute for frequent travelers who carry
-   their own equipment and expect it to work in much the same way
-   wherever they go.  Such travelers need trustworthy DNS service
-   without regard to who operates the network into which their equipment
-   is currently plugged or what brand of middle boxes the local
-   infrastructure might use.
+   their own equipment and expect it to work in much the same way no
+   matter which network it's plugged into at any given moment (and no
+   matter what brand of middle boxes a particular hotel chain might have
+   installed when adding network drops in every guest room...).
 
    While the obvious solution to this problem would be for the client to
    choose a more trustworthy server, in practice this may not be an
@@ -388,17 +381,17 @@ RFC 3833                  DNS Threat Analysis                August 2004
    Viewed strictly from the DNS protocol standpoint, the only difference
    between this sort of betrayal and a packet interception attack is
    that in this case the client has voluntarily sent its request to the
+   attacker.  The defense against this is the same as with a packet
+   interception attack: the resolver must either check DNSSEC signatures
+   itself or use TSIG (or equivalent) to authenticate the server that it
 
 
 
-Atkins & Austein             Informational                      [Page 7]
+Atkins & Austein         Expires 21 August 2004                 [Page 7]
 
-RFC 3833                  DNS Threat Analysis                August 2004
+draft-ietf-dnsext-dns-threats-06.txt                       February 2004
 
 
-   attacker.  The defense against this is the same as with a packet
-   interception attack: the resolver must either check DNSSEC signatures
-   itself or use TSIG (or equivalent) to authenticate the server that it
    has chosen to trust.  Note that use of TSIG does not by itself
    guarantee that a name server is at all trustworthy: all TSIG can do
    is help a resolver protect its communication with a name server that
@@ -410,8 +403,8 @@ RFC 3833                  DNS Threat Analysis                August 2004
    that is doing work on its behalf and wants to check the DNSSEC
    signatures itself, the resolver really does need to have independent
    knowledge of the DNSSEC public key(s) it needs in order to perform
-   the check.  Usually the public key for the root zone is enough, but
-   in some cases knowledge of additional keys may also be appropriate.
+   the check (usually the public key for the root zone, but in some
+   cases knowledge of additional keys may also be appropriate).
 
    It is difficult to escape the conclusion that a properly paranoid
    resolver must always perform its own signature checking, and that
@@ -443,20 +436,21 @@ RFC 3833                  DNS Threat Analysis                August 2004
    General paranoia aside, the existence of RR types whose absence
    causes an action other than immediate failure (such as missing MX and
    SRV RRs, which fail over to A RRs) constitutes a real threat.
-   Arguably, in some cases, even the absence of an RR might be
+   Arguably, in some cases, even the immediate failure of a missing RR
+   might be considered a problem.  The question remains: how serious is
+   this threat?  Clearly the threat does exist; general paranoia says
+   that some day it'll be on the front page of some major newspaper,
 
 
 
-Atkins & Austein             Informational                      [Page 8]
+Atkins & Austein         Expires 21 August 2004                 [Page 8]
 
-RFC 3833                  DNS Threat Analysis                August 2004
+draft-ietf-dnsext-dns-threats-06.txt                       February 2004
 
 
-   considered a problem.  The question remains: how serious is this
-   threat?  Clearly the threat does exist; general paranoia says that
-   some day it'll be on the front page of some major newspaper, even if
-   we cannot conceive of a plausible scenario involving this attack
-   today.  This implies that some mitigation of this risk is required.
+   even if we cannot conceive of a plausible scenario involving this
+   attack today.  This implies that some mitigation of this risk is
+   required.
 
    Note that it's necessary to prove the non-existence of applicable
    wildcard RRs as part of the authenticated denial mechanism, and that,
@@ -498,21 +492,19 @@ RFC 3833                  DNS Threat Analysis                August 2004
    make it possible for a resolver to verify that a name server applied
    the wildcard expansion rules correctly when generating an answer.
 
+3.  Weaknesses of DNSSEC
 
+   DNSSEC has some problems of its own:
 
 
 
 
-Atkins & Austein             Informational                      [Page 9]
+Atkins & Austein         Expires 21 August 2004                 [Page 9]
 
-RFC 3833                  DNS Threat Analysis                August 2004
+draft-ietf-dnsext-dns-threats-06.txt                       February 2004
 
 
-3.  Weaknesses of DNSSEC
-
-   DNSSEC has some problems of its own:
-
-   - DNSSEC is complex to implement and includes some nasty edge cases
+   - DNSSEC is complex to implement, and includes some nasty edge cases
      at the zone cuts that require very careful coding.  Testbed
      experience to date suggests that trivial zone configuration errors
      or expired keys can cause serious problems for a DNSSEC-aware
@@ -528,10 +520,10 @@ RFC 3833                  DNS Threat Analysis                August 2004
      and in some cases will also need to issue further queries.  This
      increased workload will also increase the time it takes to get an
      answer back to the original DNS client, which is likely to trigger
-     both timeouts and re-queries in some cases.  Arguably, many current
-     DNS clients are already too impatient even before taking the
-     further delays that DNSSEC will impose into account, but that topic
-     is beyond the scope of this note.
+     both timeouts and re-queries in some cases.  (Arguably, many
+     current DNS clients are already too impatient even before taking
+     the further delays that DNSSEC will impose into account, but that's
+     a separate topic for another document....)
 
    - Like DNS itself, DNSSEC's trust model is almost totally
      hierarchical.  While DNSSEC does allow resolvers to have special
@@ -556,19 +548,18 @@ RFC 3833                  DNS Threat Analysis                August 2004
      determine whether the signature is within its validity period or
      has expired.  An attacker that can change a resolver's opinion of
      the current absolute time can fool the resolver using expired
+     signatures.  An attacker that can change the zone signer's opinion
+     of the current absolute time can fool the zone signer into
+     generating signatures whose validity period does not match what the
+     signer intended.
 
 
 
-Atkins & Austein             Informational                     [Page 10]
+Atkins & Austein         Expires 21 August 2004                [Page 10]
 
-RFC 3833                  DNS Threat Analysis                August 2004
+draft-ietf-dnsext-dns-threats-06.txt                       February 2004
 
 
-     signatures.  An attacker that can change the zone signer's opinion
-     of the current absolute time can fool the zone signer into
-     generating signatures whose validity period does not match what the
-     signer intended.
-
    - The possible existence of wildcard RRs in a zone complicates the
      authenticated denial mechanism considerably.  For most of the
      decade that DNSSEC has been under development these issues were
@@ -576,23 +567,24 @@ RFC 3833                  DNS Threat Analysis                August 2004
      to whether the authenticated denial mechanism is completely
      airtight and whether it would be worthwhile to optimize the
      authenticated denial mechanism for the common case in which
-     wildcards are not present in a zone.  However, the main problem is
-     just the inherent complexity of the wildcard mechanism itself.
-     This complexity probably makes the code for generating and checking
+     wildcards are not present in a zone, but the main problem is just
+     the inherent complexity of the wildcard mechanism itself.  This
+     complexity probably makes the code for generating and checking
      authenticated denial attestations somewhat fragile, but since the
      alternative of giving up wildcards entirely is not practical due to
-     widespread use, we are going to have to live with wildcards. The
-     question just becomes one of whether or not the proposed
+     widespread use, we are going to have to live with wildcards, and
+     the question just becomes one of whether or not the proposed
      optimizations would make DNSSEC's mechanisms more or less fragile.
 
    - Even with DNSSEC, the class of attacks discussed in section 2.4 is
      not easy to defeat.  In order for DNSSEC to be effective in this
      case, it must be possible to configure the resolver to expect
-     certain categories of DNS records to be signed.  This may require
+     certain categories of DNS records to be signed, which may require
      manual configuration of the resolver, especially during the initial
      DNSSEC rollout period when the resolver cannot reasonably expect
      the root and TLD zones to be signed.
 
+
 4.  Topics for Future Work
 
    This section lists a few subjects not covered above which probably
@@ -601,10 +593,10 @@ RFC 3833                  DNS Threat Analysis                August 2004
 4.1.  Interactions With Other Protocols
 
    The above discussion has concentrated exclusively on attacks within
-   the boundaries of the DNS protocol itself, since those are (some of)
-   the problems against which DNSSEC was intended to protect.  There
-   are, however, other potential problems at the boundaries where DNS
-   interacts with other protocols.
+   the boundaries of the DNS protocol itself, since those are the
+   problems against (some of) which DNSSEC was intended to protect.
+   There are, however, other potential problems at the boundaries where
+   DNS interacts with other protocols.
 
 4.2.  Securing DNS Dynamic Update
 
@@ -612,18 +604,18 @@ RFC 3833                  DNS Threat Analysis                August 2004
    with DNSSEC.  Dynamic update of a non-secure zone can use TSIG to
    authenticate the updating client to the server.  While TSIG does not
    scale very well (it requires manual configuration of shared keys
+   between the DNS name server and each TSIG client), it works well in a
+   limited or closed environment such as a DHCP server updating a local
+   DNS name server.
+
 
 
 
-Atkins & Austein             Informational                     [Page 11]
+Atkins & Austein         Expires 21 August 2004                [Page 11]
 
-RFC 3833                  DNS Threat Analysis                August 2004
+draft-ietf-dnsext-dns-threats-06.txt                       February 2004
 
 
-   between the DNS name server and each TSIG client), it works well in a
-   limited or closed environment such as a DHCP server updating a local
-   DNS name server.
-
    Major issues arise when trying to use dynamic update on a secure
    zone.  TSIG can similarly be used in a limited fashion to
    authenticate the client to the server, but TSIG only protects DNS
@@ -632,10 +624,10 @@ RFC 3833                  DNS Threat Analysis                August 2004
    the changes to the zone.  This means that either:
 
    a) The updating client must have access to a zone-signing key in
-      order to sign the update before sending it to the server, or
+       order to sign the update before sending it to the server, or
 
    b) The DNS name server must have access to an online zone-signing key
-      in order to sign the update.
+       in order to sign the update.
 
    In either case, a zone-signing key must be available to create signed
    RRsets to place in the updated zone.  The fact that this key must be
@@ -668,27 +660,27 @@ RFC 3833                  DNS Threat Analysis                August 2004
    protocol.  For purposes of replicating entire DNS zones, however,
    DNSSEC does not provide object security, because zones include
    unsigned NS RRs and glue at delegation points.  Use of TSIG to
+   protect zone transfer (AXFR or IXFR) operations provides "channel
+   security", but still does not provide object security for complete
+   zones, so the trust relationships involved in zone transfer are still
+   very much a hop-by-hop matter of name server operators trusting other
 
 
 
-Atkins & Austein             Informational                     [Page 12]
+Atkins & Austein         Expires 21 August 2004                [Page 12]
 
-RFC 3833                  DNS Threat Analysis                August 2004
+draft-ietf-dnsext-dns-threats-06.txt                       February 2004
 
 
-   protect zone transfer (AXFR or IXFR) operations provides "channel
-   security", but still does not provide object security for complete
-   zones. The trust relationships involved in zone transfer are still
-   very much a hop-by-hop matter of name server operators trusting other
-   name server operators rather than an end-to-end matter of name server
-   operators trusting zone administrators.
+   name server operators, rather than an end-to-end matter of name
+   server operators trusting zone administrators.
 
    Zone object security was not an explicit design goal of DNSSEC, so
    failure to provide this service should not be a surprise.
    Nevertheless, there are some zone replication scenarios for which
    this would be a very useful additional service, so this seems like a
    useful area for future work.  In theory it should not be difficult to
-   add zone object security as a backwards compatible enhancement to the
+   zone object security as a backwards compatible enhancement to the
    existing DNSSEC model, but the DNSEXT WG has not yet discussed either
    the desirability of or the requirements for such an enhancement.
 
@@ -703,38 +695,21 @@ Security Considerations
    The authors believe that deploying DNSSEC will help to address some,
    but not all, of the known threats to the DNS.
 
-Acknowledgments
+IANA Considerations
 
-   This note is based both on previous published works by others and on
-   a number of discussions both public and private over a period of many
-   years, but particular thanks go to
-
-   Jaap Akkerhuis,
-   Steve Bellovin,
-   Dan Bernstein,
-   Randy Bush,
-   Steve Crocker,
-   Olafur Gudmundsson,
-   Russ Housley,
-   Rip Loomis,
-   Allison Mankin,
-   Paul Mockapetris,
-   Thomas Narten
-   Mans Nilsson,
-   Pekka Savola,
-   Paul Vixie,
-   Xunhua Wang,
-
-
-
-Atkins & Austein             Informational                     [Page 13]
-
-RFC 3833                  DNS Threat Analysis                August 2004
+   None.
 
+Acknowledgments
 
-   and any other members of the DNS, DNSSEC, DNSIND, and DNSEXT working
-   groups whose names and contributions the authors have forgotten, none
-   of whom are responsible for what the authors did with their ideas.
+   This note is based both previous published works by others and on a
+   number of discussions both public and private over a period of many
+   years, but particular thanks go to Jaap Akkerhuis, Steve Bellovin,
+   Dan Bernstein, Randy Bush, Steve Crocker, Olafur Gudmundsson, Russ
+   Housley, Rip Loomis, Allison Mankin, Paul Mockapetris, Thomas Narten
+   Mans Nilsson, Pekka Savola, Paul Vixie, Xunhua Wang, and any other
+   members of the DNS, DNSSEC, DNSIND, and DNSEXT working groups whose
+   names and contributions the authors have forgotten, none of whom are
+   responsible for what the authors did with their ideas.
 
    As with any work of this nature, the authors of this note acknowledge
    that we are standing on the toes of those who have gone before us.
@@ -743,92 +718,151 @@ RFC 3833                  DNS Threat Analysis                August 2004
 
 Normative References
 
-   [RFC1034]    Mockapetris, P., "Domain names - concepts and
-                facilities", STD 13, RFC 1034, November 1987.
+   [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
+        RFC 1034, November 1987.
 
-   [RFC1035]    Mockapetris, P., "Domain names - implementation and
-                specification", STD 13, RFC 1035, November 1987.
 
-   [RFC1123]    Braden, R., "Requirements for Internet Hosts -
-                Application and Support", STD 3, RFC 1123, October 1989.
 
-   [RFC2181]    Elz, R. and R. Bush, "Clarifications to the DNS
-                Specification", RFC 2181, July 1997.
+Atkins & Austein         Expires 21 August 2004                [Page 13]
+
+draft-ietf-dnsext-dns-threats-06.txt                       February 2004
 
-   [RFC2308]    Andrews, M., "Negative Caching of DNS Queries (DNS
-                NCACHE)", RFC 2308, March 1998.
 
-   [RFC2671]    Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC
-                2671, August 1999.
+   [RFC1035] Mockapetris, P., "Domain names - implementation and
+        specification", RFC 1035, November 1987.
 
-   [RFC2845]    Vixie, P., Gudmundsson, O., Eastlake 3rd, D., and B.
-                Wellington, "Secret Key Transaction Authentication for
-                DNS (TSIG)", RFC 2845, May 2000.
+   [RFC1123] Braden, R., Editor, "Requirements for Internet Hosts -
+        Application and Support", RFC 1123, October 1989.
 
-   [RFC2930]    Eastlake 3rd, D., "Secret Key Establishment for DNS
-                (TKEY RR)", RFC 2930, September 2000.
+   [RFC2181] Elz, R., and R. Bush, "Clarifications to the DNS
+        Specification" RFC 2181, July 1997.
 
-   [RFC3007]    Wellington, B., "Secure Domain Name System (DNS) Dynamic
-                Update", RFC 3007, November 2000.
+   [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)"
+        RFC 2308, March 1998.
 
-   [RFC2535]    Eastlake 3rd, D., "Domain Name System Security
-                Extensions", RFC 2535, March 1999.
+   [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC
+        2671, August 1999.
 
+   [RFC2845] Vixie, P., Gudmundsson, O., Eastlake, D., and B.
+        Wellington, "Secret Key Transaction Authentication for DNS
+        (TSIG)" RFC 2845, May 2000.
 
+   [RFC2930] Eastlake, D., "Secret Key Establishment for DNS (TKEY RR)"
+        RFC 2930, September 2000.
 
+   [RFC3007] Wellington, B., "Secure Domain Name System (DNS) Dynamic
+        Update" RFC 3007, November 2000.
 
+   [RFC2535] Eastlake, D., "Domain Name System Security Extensions", RFC
+        2535, March 1999.
 
+Informative References
 
+   [RFC3552] Rescorla, E., Korver, B., and the Internet Architecture
+        Board, "Guidelines for Writing RFC Text on Security
+        Considerations", RFC 3552, July 2003.
+
+   [Bellovin95] Bellovin, S., "Using the Domain Name System for System
+        Break-Ins", Proceedings of the Fifth Usenix Unix Security
+        Symposium, June 1995.
+
+   [Galvin93] Design team meeting summary message posted to dns-
+        security@tis.com mailing list by Jim Galvin on 19 November 1993.
+
+   [Schuba93] Schuba, C., "Addressing Weaknesses in the Domain Name
+        System Protocol", Master's thesis, Purdue University Department
+        of Computer Sciences, August 1993.
+
+   [Vixie95] Vixie, P, "DNS and BIND Security Issues", Proceedings of
+        the Fifth Usenix Unix Security Symposium, June 1995.
 
 
 
 
-Atkins & Austein             Informational                     [Page 14]
+Atkins & Austein         Expires 21 August 2004                [Page 14]
 
-RFC 3833                  DNS Threat Analysis                August 2004
+draft-ietf-dnsext-dns-threats-06.txt                       February 2004
 
 
-Informative References
+Authors' addresses:
 
-   [RFC3552]    Rescorla, E. and B. Korver, "Guidelines for Writing RFC
-                Text on Security Considerations", BCP 72, RFC 3552, July
-                2003.
+      Derek Atkins
+      IHTFP Consulting, Inc.
+      6 Farragut Ave
+      Somerville, MA  02144
+      USA
 
-   [Bellovin95] Bellovin, S., "Using the Domain Name System for System
-                Break-Ins", Proceedings of the Fifth Usenix Unix
-                Security Symposium, June 1995.
+      Email: derek@ihtfp.com
+
+      Rob Austein
+      Internet Systems Consortium
+      950 Charter Street
+      Redwood City, CA 94063
+      USA
+
+      Email: sra@isc.org
+Intellectual Property Statement
+
+   The IETF takes no position regarding the validity or scope of any
+   intellectual property or other rights that might be claimed to
+   pertain to the implementation or use of the technology described in
+   this document or the extent to which any license under such rights
+   might or might not be available; neither does it represent that it
+   has made any effort to identify any such rights.  Information on the
+   IETF's procedures with respect to rights in standards-track and
+   standards-related documentation can be found in BCP-11.  Copies of
+   claims of rights made available for publication and any assurances of
+   licenses to be made available, or the result of an attempt made to
+   obtain a general license or permission for the use of such
+   proprietary rights by implementors or users of this specification can
+   be obtained from the IETF Secretariat.
+
+   The IETF invites any interested party to bring to its attention any
+   copyrights, patents or patent applications, or other proprietary
+   rights which may cover technology that may be required to practice
+   this standard.  Please address the information to the IETF Executive
+   Director.
+
+Full Copyright Statement
 
-   [Galvin93]   Design team meeting summary message posted to dns-
-                security@tis.com mailing list by Jim Galvin on 19
-                November 1993.
+   Copyright (C) The Internet Society (2003).  All Rights Reserved.
 
-   [Schuba93]   Schuba, C., "Addressing Weaknesses in the Domain Name
-                System Protocol", Master's thesis, Purdue University
-                Department of Computer Sciences,  August 1993.
+   This document and translations of it may be copied and furnished to
+   others, and derivative works that comment on or otherwise explain it
+   or assist in its implementation may be prepared, copied, published
+   and distributed, in whole or in part, without restriction of any
+   kind, provided that the above copyright notice and this paragraph are
 
-   [Vixie95]    Vixie, P, "DNS and BIND Security Issues", Proceedings of
-                the Fifth Usenix Unix Security Symposium, June 1995.
 
-Authors' Addresses
 
-   Derek Atkins
-   IHTFP Consulting, Inc.
-   6 Farragut Ave
-   Somerville, MA  02144
-   USA
+Atkins & Austein         Expires 21 August 2004                [Page 15]
+
+draft-ietf-dnsext-dns-threats-06.txt                       February 2004
 
-   EMail: derek@ihtfp.com
 
+   included on all such copies and derivative works.  However, this
+   document itself may not be modified in any way, such as by removing
+   the copyright notice or references to the Internet Society or other
+   Internet organizations, except as needed for the purpose of
+   developing Internet standards in which case the procedures for
+   copyrights defined in the Internet Standards process must be
+   followed, or as required to translate it into languages other than
+   English.
 
-   Rob Austein
-   Internet Systems Consortium
-   950 Charter Street
-   Redwood City, CA 94063
-   USA
+   The limited permissions granted above are perpetual and will not be
+   revoked by the Internet Society or its successors or assigns.
 
-   EMail: sra@isc.org
+   This document and the information contained herein is provided on an
+   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
 
+Acknowledgement
 
+   Funding for the RFC Editor function is currently provided by the
+   Internet Society.
 
 
 
@@ -839,53 +873,15 @@ Authors' Addresses
 
 
 
-Atkins & Austein             Informational                     [Page 15]
-
-RFC 3833                  DNS Threat Analysis                August 2004
 
 
-Full Copyright Statement
 
-   Copyright (C) The Internet Society (2004).  This document is subject
-   to the rights, licenses and restrictions contained in BCP 78, and
-   except as set forth therein, the authors retain all their rights.
 
-   This document and the information contained herein are provided on an
-   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
-   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
-   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
-   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
-   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
 
-Intellectual Property
 
-   The IETF takes no position regarding the validity or scope of any
-   Intellectual Property Rights or other rights that might be claimed to
-   pertain to the implementation or use of the technology described in
-   this document or the extent to which any license under such rights
-   might or might not be available; nor does it represent that it has
-   made any independent effort to identify any such rights.  Information
-   on the procedures with respect to rights in RFC documents can be
-   found in BCP 78 and BCP 79.
-
-   Copies of IPR disclosures made to the IETF Secretariat and any
-   assurances of licenses to be made available, or the result of an
-   attempt made to obtain a general license or permission for the use of
-   such proprietary rights by implementers or users of this
-   specification can be obtained from the IETF on-line IPR repository at
-   http://www.ietf.org/ipr.
 
-   The IETF invites any interested party to bring to its attention any
-   copyrights, patents or patent applications, or other proprietary
-   rights that may cover technology that may be required to implement
-   this standard.  Please address the information to the IETF at ietf-
-   ipr@ietf.org.
 
-Acknowledgement
 
-   Funding for the RFC Editor function is currently provided by the
-   Internet Society.
 
 
 
@@ -895,5 +891,5 @@ Acknowledgement
 
 
 
-Atkins & Austein             Informational                     [Page 16]
-
+Atkins & Austein         Expires 21 August 2004                [Page 16]
+
diff --git a/doc/draft/draft-ietf-dnsext-dnssec-bis-updates-01.txt b/doc/draft/draft-ietf-dnsext-dnssec-bis-updates-01.txt
deleted file mode 100644
index 3a800f98..00000000
--- a/doc/draft/draft-ietf-dnsext-dnssec-bis-updates-01.txt
+++ /dev/null
@@ -1,616 +0,0 @@
-
-
-
-Network Working Group                                          S. Weiler
-Internet-Draft                                               SPARTA, Inc
-Updates: 4034, 4035 (if approved)                           May 23, 2005
-Expires: November 24, 2005
-
-
-         Clarifications and Implementation Notes for DNSSECbis
-                draft-ietf-dnsext-dnssec-bis-updates-01
-
-Status of this Memo
-
-   By submitting this Internet-Draft, each author represents that any
-   applicable patent or other IPR claims of which he or she is aware
-   have been or will be disclosed, and any of which he or she becomes
-   aware will be disclosed, in accordance with Section 6 of BCP 79.
-
-   Internet-Drafts are working documents of the Internet Engineering
-   Task Force (IETF), its areas, and its working groups.  Note that
-   other groups may also distribute working documents as Internet-
-   Drafts.
-
-   Internet-Drafts are draft documents valid for a maximum of six months
-   and may be updated, replaced, or obsoleted by other documents at any
-   time.  It is inappropriate to use Internet-Drafts as reference
-   material or to cite them other than as "work in progress."
-
-   The list of current Internet-Drafts can be accessed at
-   http://www.ietf.org/ietf/1id-abstracts.txt.
-
-   The list of Internet-Draft Shadow Directories can be accessed at
-   http://www.ietf.org/shadow.html.
-
-   This Internet-Draft will expire on November 24, 2005.
-
-Copyright Notice
-
-   Copyright (C) The Internet Society (2005).
-
-Abstract
-
-   This document is a collection of minor technical clarifications to
-   the DNSSECbis document set.  It is meant to serve as a resource to
-   implementors as well as an interim repository of possible DNSSECbis
-   errata.
-
-
-
-
-
-
-
-Weiler                  Expires November 24, 2005               [Page 1]
-
-Internet-Draft       DNSSECbis Implementation Notes             May 2005
-
-
-Proposed additions in future versions
-
-   An index sorted by the section of DNSSECbis being clarified.
-
-   A list of proposed protocol changes being made in other documents,
-   such as NSEC3 and Epsilon.  This document would not make those
-   changes, merely provide an index into the documents that are making
-   changes.
-
-Changes between -00 and -01
-
-   Document significantly restructured.
-
-   Added section on QTYPE=ANY.
-
-Changes between personal submission and first WG draft
-
-   Added Section 2.1 based on namedroppers discussions from March 9-10,
-   2005.
-
-   Added Section 3.4, Section 3.3, Section 4.3, and Section 2.2.
-
-   Added the DNSSECbis RFC numbers.
-
-   Figured out the confusion in Section 4.1.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Weiler                  Expires November 24, 2005               [Page 2]
-
-Internet-Draft       DNSSECbis Implementation Notes             May 2005
-
-
-Table of Contents
-
-   1.  Introduction and Terminology . . . . . . . . . . . . . . . . .  4
-     1.1   Structure of this Document . . . . . . . . . . . . . . . .  4
-     1.2   Terminology  . . . . . . . . . . . . . . . . . . . . . . .  4
-   2.  Significant Concerns . . . . . . . . . . . . . . . . . . . . .  4
-     2.1   Clarifications on Non-Existence Proofs . . . . . . . . . .  4
-     2.2   Empty Non-Terminal Proofs  . . . . . . . . . . . . . . . .  5
-     2.3   Validating Responses to an ANY Query . . . . . . . . . . .  5
-   3.  Interoperability Concerns  . . . . . . . . . . . . . . . . . .  5
-     3.1   Unknown DS Message Digest Algorithms . . . . . . . . . . .  5
-     3.2   Private Algorithms . . . . . . . . . . . . . . . . . . . .  6
-     3.3   Caution About Local Policy and Multiple RRSIGs . . . . . .  6
-     3.4   Key Tag Calculation  . . . . . . . . . . . . . . . . . . .  7
-   4.  Minor Corrections and Clarifications . . . . . . . . . . . . .  7
-     4.1   Finding Zone Cuts  . . . . . . . . . . . . . . . . . . . .  7
-     4.2   Clarifications on DNSKEY Usage . . . . . . . . . . . . . .  7
-     4.3   Errors in Examples . . . . . . . . . . . . . . . . . . . .  8
-   5.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . .  8
-   6.  Security Considerations  . . . . . . . . . . . . . . . . . . .  8
-   7.  References . . . . . . . . . . . . . . . . . . . . . . . . . .  8
-     7.1   Normative References . . . . . . . . . . . . . . . . . . .  8
-     7.2   Informative References . . . . . . . . . . . . . . . . . .  9
-       Author's Address . . . . . . . . . . . . . . . . . . . . . . .  9
-   A.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . .  9
-       Intellectual Property and Copyright Statements . . . . . . . . 11
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Weiler                  Expires November 24, 2005               [Page 3]
-
-Internet-Draft       DNSSECbis Implementation Notes             May 2005
-
-
-1.  Introduction and Terminology
-
-   This document lists some minor clarifications and corrections to
-   DNSSECbis, as described in [1], [2], and [3].
-
-   It is intended to serve as a resource for implementors and as a
-   repository of items that need to be addressed when advancing the
-   DNSSECbis documents from Proposed Standard to Draft Standard.
-
-   In this version (-01 of the WG document), feedback is particularly
-   solicited on the structure of the document and whether the text in
-   the recently added sections is correct and sufficient.
-
-   Proposed substantive additions to this document should be sent to the
-   namedroppers mailing list as well as to the editor of this document.
-   The editor would greatly prefer text suitable for direct inclusion in
-   this document.
-
-1.1  Structure of this Document
-
-   The clarifications to DNSSECbis are sorted according to the editor's
-   impression of their importance, starting with ones which could, if
-   ignored, lead to security and stability problems and progressing down
-   to clarifications that are likely to have little operational impact.
-   Mere typos and awkward phrasings are not addressed unless they could
-   lead to misinterpretation of the DNSSECbis documents.
-
-1.2  Terminology
-
-   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
-   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
-   document are to be interpreted as described in RFC 2119 [4].
-
-2.  Significant Concerns
-
-   This section provides clarifications that, if overlooked, could lead
-   to security issues or major interoperability problems.
-
-2.1  Clarifications on Non-Existence Proofs
-
-   RFC4035 Section 5.4 slightly underspecifies the algorithm for
-   checking non-existence proofs.  In particular, the algorithm there
-   might incorrectly allow the NSEC from the parent side of a zone cut
-   to prove the non-existence of either other RRs at that name in the
-   child zone or other names in the child zone.  It might also allow a
-   NSEC at the same name as a DNAME to prove the non-existence of names
-   beneath that DNAME.
-
-
-
-
-Weiler                  Expires November 24, 2005               [Page 4]
-
-Internet-Draft       DNSSECbis Implementation Notes             May 2005
-
-
-   A parent-side delegation NSEC (one with the NS bit set, but no SOA
-   bit set, and with a singer field that's shorter than the owner name)
-   must not be used to assume non-existence of any RRs below that zone
-   cut (both RRs at that ownername and at ownernames with more leading
-   labels, no matter their content).  Similarly, an NSEC with the DNAME
-   bit set must not be used to assume the non-existence of any
-   descendant of that NSEC's owner name.
-
-2.2  Empty Non-Terminal Proofs
-
-   To be written, based on Roy Arends' May 11th message to namedroppers.
-
-2.3  Validating Responses to an ANY Query
-
-   RFC4035 does not address now to validate responses when QTYPE=*.  As
-   described in Section 6.2.2 of RFC1034, a proper response to QTYPE=*
-   may include a subset of the RRsets at a given name -- it is not
-   necessary to include all RRsets at the QNAME in the response.
-
-   When validating a response to QTYPE=*, validate all received RRsets
-   that match QNAME and QCLASS.  If any of those RRsets fail validation,
-   treat the answer as Bogus.  If there are no RRsets matching QNAME and
-   QCLASS, validate that fact using the rules in RFC4035 Section 5.4 (as
-   clarified in this document).  To be clear, a validator must not
-   insist on receiving all records at the QNAME in response to QTYPE=*.
-
-3.  Interoperability Concerns
-
-3.1  Unknown DS Message Digest Algorithms
-
-   Section 5.2 of RFC4035 includes rules for how to handle delegations
-   to zones that are signed with entirely unsupported algorithms, as
-   indicated by the algorithms shown in those zone's DS RRsets.  It does
-   not explicitly address how to handle DS records that use unsupported
-   message digest algorithms.  In brief, DS records using unknown or
-   unsupported message digest algorithms MUST be treated the same way as
-   DS records referring to DNSKEY RRs of unknown or unsupported
-   algorithms.
-
-   The existing text says:
-
-      If the validator does not support any of the algorithms listed
-      in an authenticated DS RRset, then the resolver has no supported
-      authentication path leading from the parent to the child.  The
-      resolver should treat this case as it would the case of an
-      authenticated NSEC RRset proving that no DS RRset exists, as
-      described above.
-
-
-
-
-Weiler                  Expires November 24, 2005               [Page 5]
-
-Internet-Draft       DNSSECbis Implementation Notes             May 2005
-
-
-   To paraphrase the above, when determining the security status of a
-   zone, a validator discards (for this purpose only) any DS records
-   listing unknown or unsupported algorithms.  If none are left, the
-   zone is treated as if it were unsigned.
-
-   Modified to consider DS message digest algorithms, a validator also
-   discards any DS records using unknown or unsupported message digest
-   algorithms.
-
-3.2  Private Algorithms
-
-   As discussed above, section 5.2 of RFC4035 requires that validators
-   make decisions about the security status of zones based on the public
-   key algorithms shown in the DS records for those zones.  In the case
-   of private algorithms, as described in RFC4034 Appendix A.1.1, the
-   eight-bit algorithm field in the DS RR is not conclusive about what
-   algorithm(s) is actually in use.
-
-   If no private algorithms appear in the DS set or if any supported
-   algorithm appears in the DS set, no special processing will be
-   needed.  In the remaining cases, the security status of the zone
-   depends on whether or not the resolver supports any of the private
-   algorithms in use (provided that these DS records use supported hash
-   functions, as discussed in Section 3.1).  In these cases, the
-   resolver MUST retrieve the corresponding DNSKEY for each private
-   algorithm DS record and examine the public key field to determine the
-   algorithm in use.  The security-aware resolver MUST ensure that the
-   hash of the DNSKEY RR's owner name and RDATA matches the digest in
-   the DS RR.  If they do not match, and no other DS establishes that
-   the zone is secure, the referral should be considered BAD data, as
-   discussed in RFC4035.
-
-   This clarification facilitates the broader use of private algorithms,
-   as suggested by [5].
-
-3.3  Caution About Local Policy and Multiple RRSIGs
-
-   When multiple RRSIGs cover a given RRset, RFC4035 Section 5.3.3
-   suggests that "the local resolver security policy determines whether
-   the resolver also has to test these RRSIG RRs and how to resolve
-   conflicts if these RRSIG RRs lead to differing results."  In most
-   cases, a resolver would be well advised to accept any valid RRSIG as
-   sufficient.  If the first RRSIG tested fails validation, a resolver
-   would be well advised to try others, giving a successful validation
-   result if any can be validated and giving a failure only if all
-   RRSIGs fail validation.
-
-   If a resolver adopts a more restrictive policy, there's a danger that
-
-
-
-Weiler                  Expires November 24, 2005               [Page 6]
-
-Internet-Draft       DNSSECbis Implementation Notes             May 2005
-
-
-   properly-signed data might unnecessarily fail validation, perhaps
-   because of cache timing issues.  Furthermore, certain zone management
-   techniques, like the Double Signature Zone-signing Key Rollover
-   method described in section 4.2.1.2 of [6] might not work reliably.
-
-3.4  Key Tag Calculation
-
-   RFC4034 Appendix B.1 incorrectly defines the Key Tag field
-   calculation for algorithm 1.  It correctly says that the Key Tag is
-   the most significant 16 of the least significant 24 bits of the
-   public key modulus.  However, RFC4034 then goes on to incorrectly say
-   that this is 4th to last and 3rd to last octets of the public key
-   modulus.  It is, in fact, the 3rd to last and 2nd to last octets.
-
-4.  Minor Corrections and Clarifications
-
-4.1  Finding Zone Cuts
-
-   Appendix C.8 of RFC4035 discusses sending DS queries to the servers
-   for a parent zone.  To do that, a resolver may first need to apply
-   special rules to discover what those servers are.
-
-   As explained in Section 3.1.4.1 of RFC4035, security-aware name
-   servers need to apply special processing rules to handle the DS RR,
-   and in some situations the resolver may also need to apply special
-   rules to locate the name servers for the parent zone if the resolver
-   does not already have the parent's NS RRset.  Section 4.2 of RFC4035
-   specifies a mechanism for doing that.
-
-4.2  Clarifications on DNSKEY Usage
-
-   Questions of the form "can I use a different DNSKEY for signing the
-   X" have occasionally arisen.
-
-   The short answer is "yes, absolutely".  You can even use a different
-   DNSKEY for each RRset in a zone, subject only to practical limits on
-   the size of the DNSKEY RRset.  However, be aware that there is no way
-   to tell resolvers what a particularly DNSKEY is supposed to be used
-   for -- any DNSKEY in the zone's signed DNSKEY RRset may be used to
-   authenticate any RRset in the zone.  For example, if a weaker or less
-   trusted DNSKEY is being used to authenticate NSEC RRsets or all
-   dynamically updated records, that same DNSKEY can also be used to
-   sign any other RRsets from the zone.
-
-   Furthermore, note that the SEP bit setting has no effect on how a
-   DNSKEY may be used -- the validation process is specifically
-   prohibited from using that bit by RFC4034 section 2.1.2.  It possible
-   to use a DNSKEY without the SEP bit set as the sole secure entry
-
-
-
-Weiler                  Expires November 24, 2005               [Page 7]
-
-Internet-Draft       DNSSECbis Implementation Notes             May 2005
-
-
-   point to the zone, yet use a DNSKEY with the SEP bit set to sign all
-   RRsets in the zone (other than the DNSKEY RRset).  It's also possible
-   to use a single DNSKEY, with or without the SEP bit set, to sign the
-   entire zone, including the DNSKEY RRset itself.
-
-4.3  Errors in Examples
-
-   The text in RFC4035 Section C.1 refers to the examples in B.1 as
-   "x.w.example.com" while B.1 uses "x.w.example".  This is painfully
-   obvious in the second paragraph where it states that the RRSIG labels
-   field value of 3 indicates that the answer was not the result of
-   wildcard expansion.  This is true for "x.w.example" but not for
-   "x.w.example.com", which of course has a label count of 4
-   (antithetically, a label count of 3 would imply the answer was the
-   result of a wildcard expansion).
-
-   The first paragraph of RFC4035 Section C.6 also has a minor error:
-   the reference to "a.z.w.w.example" should instead be "a.z.w.example",
-   as in the previous line.
-
-5.  IANA Considerations
-
-   This document specifies no IANA Actions.
-
-6.  Security Considerations
-
-   This document does not make fundamental changes to the DNSSEC
-   protocol, as it was generally understood when DNSSECbis was
-   published.  It does, however, address some ambiguities and omissions
-   in those documents that, if not recognized and addressed in
-   implementations, could lead to security failures.  In particular, the
-   validation algorithm clarifications in Section 2 are critical for
-   preserving the security properties DNSSEC offers.  Furthermore,
-   failure to address some of the interoperability concerns in Section 3
-   could limit the ability to later change or expand DNSSEC, including
-   by adding new algorithms.
-
-7.  References
-
-7.1  Normative References
-
-   [1]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
-        "DNS Security Introduction and Requirements", RFC 4033,
-        March 2005.
-
-   [2]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
-        "Resource Records for the DNS Security Extensions", RFC 4034,
-        March 2005.
-
-
-
-Weiler                  Expires November 24, 2005               [Page 8]
-
-Internet-Draft       DNSSECbis Implementation Notes             May 2005
-
-
-   [3]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
-        "Protocol Modifications for the DNS Security Extensions",
-        RFC 4035, March 2005.
-
-   [4]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
-        Levels", BCP 14, RFC 2119, March 1997.
-
-7.2  Informative References
-
-   [5]  Blacka, D., "DNSSEC Experiments",
-        draft-blacka-dnssec-experiments-00 (work in progress),
-        December 2004.
-
-   [6]  Gieben, R. and O. Kolkman, "DNSSEC Operational Practices",
-        draft-ietf-dnsop-dnssec-operational-practices-04 (work in
-        progress), May 2005.
-
-
-Author's Address
-
-   Samuel Weiler
-   SPARTA, Inc
-   7075 Samuel Morse Drive
-   Columbia, Maryland  21046
-   US
-
-   Email: weiler@tislabs.com
-
-Appendix A.  Acknowledgments
-
-   The editor is extremely grateful to those who, in addition to finding
-   errors and omissions in the DNSSECbis document set, have provided
-   text suitable for inclusion in this document.
-
-   The lack of specificity about handling private algorithms, as
-   described in Section 3.2, and the lack of specificity in handling ANY
-   queries, as described in Section 2.3, were discovered by David
-   Blacka.
-
-   The error in algorithm 1 key tag calculation, as described in
-   Section 3.4, was found by Abhijit Hayatnagarkar.  Donald Eastlake
-   contributed text for Section 3.4.
-
-   The bug relating to delegation NSEC RR's in Section 2.1 was found by
-   Roy Badami.  Roy Arends found the related problem with DNAME.
-
-   The errors in the RFC4035 examples were found by Roy Arends, who also
-   contributed text for Section 4.3 of this document.
-
-
-
-Weiler                  Expires November 24, 2005               [Page 9]
-
-Internet-Draft       DNSSECbis Implementation Notes             May 2005
-
-
-   The editor would like to thank Olafur Gudmundsson and Scott Rose for
-   their substantive comments on the text of this document.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Weiler                  Expires November 24, 2005              [Page 10]
-
-Internet-Draft       DNSSECbis Implementation Notes             May 2005
-
-
-Intellectual Property Statement
-
-   The IETF takes no position regarding the validity or scope of any
-   Intellectual Property Rights or other rights that might be claimed to
-   pertain to the implementation or use of the technology described in
-   this document or the extent to which any license under such rights
-   might or might not be available; nor does it represent that it has
-   made any independent effort to identify any such rights.  Information
-   on the procedures with respect to rights in RFC documents can be
-   found in BCP 78 and BCP 79.
-
-   Copies of IPR disclosures made to the IETF Secretariat and any
-   assurances of licenses to be made available, or the result of an
-   attempt made to obtain a general license or permission for the use of
-   such proprietary rights by implementers or users of this
-   specification can be obtained from the IETF on-line IPR repository at
-   http://www.ietf.org/ipr.
-
-   The IETF invites any interested party to bring to its attention any
-   copyrights, patents or patent applications, or other proprietary
-   rights that may cover technology that may be required to implement
-   this standard.  Please address the information to the IETF at
-   ietf-ipr@ietf.org.
-
-
-Disclaimer of Validity
-
-   This document and the information contained herein are provided on an
-   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
-   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
-   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
-   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
-   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Copyright Statement
-
-   Copyright (C) The Internet Society (2005).  This document is subject
-   to the rights, licenses and restrictions contained in BCP 78, and
-   except as set forth therein, the authors retain all their rights.
-
-
-Acknowledgment
-
-   Funding for the RFC Editor function is currently provided by the
-   Internet Society.
-
-
-
-
-Weiler                  Expires November 24, 2005              [Page 11]
-
diff --git a/doc/draft/draft-ietf-dnsext-dnssec-experiments-01.txt b/doc/draft/draft-ietf-dnsext-dnssec-experiments-01.txt
deleted file mode 100644
index ee03583a..00000000
--- a/doc/draft/draft-ietf-dnsext-dnssec-experiments-01.txt
+++ /dev/null
@@ -1,784 +0,0 @@
-
-
-
-DNSEXT                                                         D. Blacka
-Internet-Draft                                            Verisign, Inc.
-Expires: January 19, 2006                                  July 18, 2005
-
-
-                           DNSSEC Experiments
-                draft-ietf-dnsext-dnssec-experiments-01
-
-Status of this Memo
-
-   By submitting this Internet-Draft, each author represents that any
-   applicable patent or other IPR claims of which he or she is aware
-   have been or will be disclosed, and any of which he or she becomes
-   aware will be disclosed, in accordance with Section 6 of BCP 79.
-
-   Internet-Drafts are working documents of the Internet Engineering
-   Task Force (IETF), its areas, and its working groups.  Note that
-   other groups may also distribute working documents as Internet-
-   Drafts.
-
-   Internet-Drafts are draft documents valid for a maximum of six months
-   and may be updated, replaced, or obsoleted by other documents at any
-   time.  It is inappropriate to use Internet-Drafts as reference
-   material or to cite them other than as "work in progress."
-
-   The list of current Internet-Drafts can be accessed at
-   http://www.ietf.org/ietf/1id-abstracts.txt.
-
-   The list of Internet-Draft Shadow Directories can be accessed at
-   http://www.ietf.org/shadow.html.
-
-   This Internet-Draft will expire on January 19, 2006.
-
-Copyright Notice
-
-   Copyright (C) The Internet Society (2005).
-
-Abstract
-
-   In the long history of the development of the DNS security extensions
-   [1] (DNSSEC), a number of alternate methodologies and modifications
-   have been proposed and rejected for practical, rather than strictly
-   technical, reasons.  There is a desire to be able to experiment with
-   these alternate methods in the public DNS.  This document describes a
-   methodology for deploying alternate, non-backwards-compatible, DNSSEC
-   methodologies in an experimental fashion without disrupting the
-   deployment of standard DNSSEC.
-
-
-
-
-Blacka                  Expires January 19, 2006                [Page 1]
-
-Internet-Draft             DNSSEC Experiments                  July 2005
-
-
-Table of Contents
-
-   1.   Definitions and Terminology  . . . . . . . . . . . . . . . .   3
-   2.   Overview . . . . . . . . . . . . . . . . . . . . . . . . . .   4
-   3.   Experiments  . . . . . . . . . . . . . . . . . . . . . . . .   5
-   4.   Method . . . . . . . . . . . . . . . . . . . . . . . . . . .   6
-   5.   Defining an Experiment . . . . . . . . . . . . . . . . . . .   8
-   6.   Considerations . . . . . . . . . . . . . . . . . . . . . . .   9
-   7.   Transitions  . . . . . . . . . . . . . . . . . . . . . . . .  10
-   8.   Security Considerations  . . . . . . . . . . . . . . . . . .  11
-   9.   IANA Considerations  . . . . . . . . . . . . . . . . . . . .  12
-   10.  References . . . . . . . . . . . . . . . . . . . . . . . . .  13
-     10.1   Normative References . . . . . . . . . . . . . . . . . .  13
-     10.2   Informative References . . . . . . . . . . . . . . . . .  13
-        Author's Address . . . . . . . . . . . . . . . . . . . . . .  13
-        Intellectual Property and Copyright Statements . . . . . . .  14
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Blacka                  Expires January 19, 2006                [Page 2]
-
-Internet-Draft             DNSSEC Experiments                  July 2005
-
-
-1.  Definitions and Terminology
-
-   Throughout this document, familiarity with the DNS system (RFC 1035
-   [4]) and the DNS security extensions ([1], [2], and [3].
-
-   The key words "MUST, "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
-   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY, and "OPTIONAL" in this
-   document are to be interpreted as described in RFC 2119 [5].
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Blacka                  Expires January 19, 2006                [Page 3]
-
-Internet-Draft             DNSSEC Experiments                  July 2005
-
-
-2.  Overview
-
-   Historically, experimentation with DNSSEC alternatives has been a
-   problematic endeavor.  There has typically been a desire to both
-   introduce non-backwards-compatible changes to DNSSEC, and to try
-   these changes on real zones in the public DNS.  This creates a
-   problem when the change to DNSSEC would make all or part of the zone
-   using those changes appear bogus (bad) or otherwise broken to
-   existing DNSSEC-aware resolvers.
-
-   This document describes a standard methodology for setting up public
-   DNSSEC experiments.  This methodology addresses the issue of co-
-   existence with standard DNSSEC and DNS by using unknown algorithm
-   identifiers to hide the experimental DNSSEC protocol modifications
-   from standard DNSSEC-aware resolvers.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Blacka                  Expires January 19, 2006                [Page 4]
-
-Internet-Draft             DNSSEC Experiments                  July 2005
-
-
-3.  Experiments
-
-   When discussing DNSSEC experiments, it is necessary to classify these
-   experiments into two broad categories:
-
-   Backwards-Compatible: describes experimental changes that, while not
-      strictly adhering to the DNSSEC standard, are nonetheless
-      interoperable with clients and server that do implement the DNSSEC
-      standard.
-
-   Non-Backwards-Compatible: describes experiments that would cause a
-      standard DNSSEC-aware resolver to (incorrectly) determine that all
-      or part of a zone is bogus, or to otherwise not interoperable with
-      standard DNSSEC clients and servers.
-
-   Not included in these terms are experiments with the core DNS
-   protocol itself.
-
-   The methodology described in this document is not necessary for
-   backwards-compatible experiments, although it certainly could be used
-   if desired.
-
-   Note that, in essence, this metholodolgy would also be used to
-   introduce a new DNSSEC algorithm, independently from any DNSSEC
-   experimental protocol change.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Blacka                  Expires January 19, 2006                [Page 5]
-
-Internet-Draft             DNSSEC Experiments                  July 2005
-
-
-4.  Method
-
-   The core of the methodology is the use of strictly "unknown"
-   algorithms to sign the experimental zone, and more importantly,
-   having only unknown algorithm DS records for the delegation to the
-   zone at the parent.
-
-   This technique works because of the way DNSSEC-compliant validators
-   are expected to work in the presence of a DS set with only unknown
-   algorithms.  From [3], Section 5.2:
-
-      If the validator does not support any of the algorithms listed in
-      an authenticated DS RRset, then the resolver has no supported
-      authentication path leading from the parent to the child.  The
-      resolver should treat this case as it would the case of an
-      authenticated NSEC RRset proving that no DS RRset exists, as
-      described above.
-
-   And further:
-
-      If the resolver does not support any of the algorithms listed in
-      an authenticated DS RRset, then the resolver will not be able to
-      verify the authentication path to the child zone.  In this case,
-      the resolver SHOULD treat the child zone as if it were unsigned.
-
-   While this behavior isn't strictly mandatory (as marked by MUST), it
-   is unlikely that a validator would not implement the behavior, or,
-   more to the point, it will not violate this behavior in an unsafe way
-   (see below (Section 6).)
-
-   Because we are talking about experiments, it is RECOMMENDED that
-   private algorithm numbers be used (see [2], appendix A.1.1.  Note
-   that secure handling of private algorithms requires special handing
-   by the validator logic.  See [6] for futher details.)  Normally,
-   instead of actually inventing new signing algorithms, the recommended
-   path is to create alternate algorithm identifiers that are aliases
-   for the existing, known algorithms.  While, strictly speaking, it is
-   only necessary to create an alternate identifier for the mandatory
-   algorithms, it is RECOMMENDED that all OPTIONAL defined algorithms be
-   aliased as well.
-
-   It is RECOMMENDED that for a particular DNSSEC experiment, a
-   particular domain name base is chosen for all new algorithms, then
-   the algorithm number (or name) is prepended to it.  For example, for
-   experiment A, the base name of "dnssec-experiment-a.example.com" is
-   chosen.  Then, aliases for algorithms 3 (DSA) and 5 (RSASHA1) are
-   defined to be "3.dnssec-experiment-a.example.com" and "5.dnssec-
-   experiment-a.example.com".  However, any unique identifier will
-
-
-
-Blacka                  Expires January 19, 2006                [Page 6]
-
-Internet-Draft             DNSSEC Experiments                  July 2005
-
-
-   suffice.
-
-   Using this method, resolvers (or, more specificially, DNSSEC
-   validators) essentially indicate their ability to understand the
-   DNSSEC experiment's semantics by understanding what the new algorithm
-   identifiers signify.
-
-   This method creates two classes of DNSSEC-aware servers and
-   resolvers: servers and resolvers that are aware of the experiment
-   (and thus recognize the experiments algorithm identifiers and
-   experimental semantics), and servers and resolvers that are unware of
-   the experiment.
-
-   This method also precludes any zone from being both in an experiment
-   and in a classic DNSSEC island of security.  That is, a zone is
-   either in an experiment and only experimentally validatable, or it
-   isn't.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Blacka                  Expires January 19, 2006                [Page 7]
-
-Internet-Draft             DNSSEC Experiments                  July 2005
-
-
-5.  Defining an Experiment
-
-   The DNSSEC experiment must define the particular set of (previously
-   unknown) algorithms that identify the experiment, and define what
-   each unknown algorithm identifier means.  Typically, unless the
-   experiment is actually experimenting with a new DNSSEC algorithm,
-   this will be a mapping of private algorithm identifiers to existing,
-   known algorithms.
-
-   Normally the experiment will choose a DNS name as the algorithm
-   identifier base.  This DNS name SHOULD be under the control of the
-   authors of the experiment.  Then the experiment will define a mapping
-   between known mandatory and optional algorithms into this private
-   algorithm identifier space.  Alternately, the experiment MAY use the
-   OID private algorithm space instead (using algorithm number 254), or
-   may choose non-private algorithm numbers, although this would require
-   an IANA allocation (see below (Section 9).)
-
-   For example, an experiment might specify in its description the DNS
-   name "dnssec-experiment-a.example.com" as the base name, and provide
-   the mapping of "3.dnssec-experiment-a.example.com" is an alias of
-   DNSSEC algorithm 3 (DSA), and "5.dnssec-experiment-a.example.com" is
-   an alias of DNSSEC algorithm 5 (RSASHA1).
-
-   Resolvers MUST then only recognize the experiment's semantics when
-   present in a zone signed by one or more of these private algorithms.
-
-   In general, however, resolvers involved in the experiment are
-   expected to understand both standard DNSSEC and the defined
-   experimental DNSSEC protocol, although this isn't required.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Blacka                  Expires January 19, 2006                [Page 8]
-
-Internet-Draft             DNSSEC Experiments                  July 2005
-
-
-6.  Considerations
-
-   There are a number of considerations with using this methodology.
-
-   1.  Under some circumstances, it may be that the experiment will not
-       be sufficiently masked by this technique and may cause resolution
-       problem for resolvers not aware of the experiment.  For instance,
-       the resolver may look at the not validatable response and
-       conclude that the response is bogus, either due to local policy
-       or implementation details.  This is not expected to be the common
-       case, however.
-
-   2.  In general, it will not be possible for DNSSEC-aware resolvers
-       not aware of the experiment to build a chain of trust through an
-       experimental zone.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Blacka                  Expires January 19, 2006                [Page 9]
-
-Internet-Draft             DNSSEC Experiments                  July 2005
-
-
-7.  Transitions
-
-   If an experiment is successful, there may be a desire to move the
-   experiment to a standards-track extension.  One way to do so would be
-   to move from private algorithm numbers to IANA allocated algorithm
-   numbers, with otherwise the same meaning.  This would still leave a
-   divide between resolvers that understood the extension versus
-   resolvers that did not.  It would, in essence, create an additional
-   version of DNSSEC.
-
-   An alternate technique might be to do a typecode rollover, thus
-   actually creating a definitive new version of DNSSEC.  There may be
-   other transition techniques available, as well.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Blacka                  Expires January 19, 2006               [Page 10]
-
-Internet-Draft             DNSSEC Experiments                  July 2005
-
-
-8.  Security Considerations
-
-   Zones using this methodology will be considered insecure by all
-   resolvers except those aware of the experiment.  It is not generally
-   possible to create a secure delegation from an experimental zone that
-   will be followed by resolvers unaware of the experiment.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Blacka                  Expires January 19, 2006               [Page 11]
-
-Internet-Draft             DNSSEC Experiments                  July 2005
-
-
-9.  IANA Considerations
-
-   IANA may need to allocate new DNSSEC algorithm numbers if that
-   transition approach is taken, or the experiment decides to use
-   allocated numbers to begin with.  No IANA action is required to
-   deploy an experiment using private algorithm identifiers.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Blacka                  Expires January 19, 2006               [Page 12]
-
-Internet-Draft             DNSSEC Experiments                  July 2005
-
-
-10.  References
-
-10.1  Normative References
-
-   [1]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
-        "DNS Security Introduction and Requirements", RFC 4033,
-        March 2005.
-
-   [2]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
-        "Resource Records for the DNS Security Extensions", RFC 4034,
-        March 2005.
-
-   [3]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
-        "Protocol Modifications for the DNS Security Extensions",
-        RFC 4035, March 2005.
-
-10.2  Informative References
-
-   [4]  Mockapetris, P., "Domain names - implementation and
-        specification", STD 13, RFC 1035, November 1987.
-
-   [5]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
-        Levels", BCP 14, RFC 2119, March 1997.
-
-   [6]  Weiler, S., "Clarifications and Implementation Notes for
-        DNSSECbis", draft-weiler-dnsext-dnssec-bis-updates-00 (work in
-        progress), March 2005.
-
-
-Author's Address
-
-   David Blacka
-   Verisign, Inc.
-   21355 Ridgetop Circle
-   Dulles, VA  20166
-   US
-
-   Phone: +1 703 948 3200
-   Email: davidb@verisign.com
-   URI:   http://www.verisignlabs.com
-
-
-
-
-
-
-
-
-
-
-
-Blacka                  Expires January 19, 2006               [Page 13]
-
-Internet-Draft             DNSSEC Experiments                  July 2005
-
-
-Intellectual Property Statement
-
-   The IETF takes no position regarding the validity or scope of any
-   Intellectual Property Rights or other rights that might be claimed to
-   pertain to the implementation or use of the technology described in
-   this document or the extent to which any license under such rights
-   might or might not be available; nor does it represent that it has
-   made any independent effort to identify any such rights.  Information
-   on the procedures with respect to rights in RFC documents can be
-   found in BCP 78 and BCP 79.
-
-   Copies of IPR disclosures made to the IETF Secretariat and any
-   assurances of licenses to be made available, or the result of an
-   attempt made to obtain a general license or permission for the use of
-   such proprietary rights by implementers or users of this
-   specification can be obtained from the IETF on-line IPR repository at
-   http://www.ietf.org/ipr.
-
-   The IETF invites any interested party to bring to its attention any
-   copyrights, patents or patent applications, or other proprietary
-   rights that may cover technology that may be required to implement
-   this standard.  Please address the information to the IETF at
-   ietf-ipr@ietf.org.
-
-
-Disclaimer of Validity
-
-   This document and the information contained herein are provided on an
-   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
-   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
-   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
-   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
-   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Copyright Statement
-
-   Copyright (C) The Internet Society (2005).  This document is subject
-   to the rights, licenses and restrictions contained in BCP 78, and
-   except as set forth therein, the authors retain all their rights.
-
-
-Acknowledgment
-
-   Funding for the RFC Editor function is currently provided by the
-   Internet Society.
-
-
-
-
-Blacka                  Expires January 19, 2006               [Page 14]
-
diff --git a/doc/draft/draft-ietf-dnsext-dnssec-intro-09.txt b/doc/draft/draft-ietf-dnsext-dnssec-intro-09.txt
new file mode 100644
index 00000000..8097d634
--- /dev/null
+++ b/doc/draft/draft-ietf-dnsext-dnssec-intro-09.txt
@@ -0,0 +1,1401 @@
+
+
+DNS Extensions                                                 R. Arends
+Internet-Draft                                      Telematica Instituut
+Expires: August 16, 2004                                      R. Austein
+                                                                     ISC
+                                                               M. Larson
+                                                                VeriSign
+                                                               D. Massey
+                                                                 USC/ISI
+                                                                 S. Rose
+                                                                    NIST
+                                                       February 16, 2004
+
+
+               DNS Security Introduction and Requirements
+                   draft-ietf-dnsext-dnssec-intro-09
+
+Status of this Memo
+
+   This document is an Internet-Draft and is in full conformance with
+   all provisions of Section 10 of RFC2026.
+
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF), its areas, and its working groups. Note that other
+   groups may also distribute working documents as Internet-Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time. It is inappropriate to use Internet-Drafts as reference
+   material or to cite them other than as "work in progress."
+
+   The list of current Internet-Drafts can be accessed at http://
+   www.ietf.org/ietf/1id-abstracts.txt.
+
+   The list of Internet-Draft Shadow Directories can be accessed at
+   http://www.ietf.org/shadow.html.
+
+   This Internet-Draft will expire on August 16, 2004.
+
+Copyright Notice
+
+   Copyright (C) The Internet Society (2004). All Rights Reserved.
+
+Abstract
+
+   The Domain Name System Security Extensions (DNSSEC) add data origin
+   authentication and data integrity to the Domain Name System.  This
+   document introduces these extensions, and describes their
+   capabilities and limitations.  This document also discusses the
+   services that the DNS security extensions do and do not provide.
+
+
+
+Arends, et al.          Expires August 16, 2004                 [Page 1]
+
+Internet-Draft    DNSSEC Introduction and Requirements     February 2004
+
+
+   Last, this document describes the interrelationships between the
+   group of documents that collectively describe DNSSEC.
+
+Table of Contents
+
+   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
+   2.  Definitions of Important DNSSEC Terms  . . . . . . . . . . . .  4
+   3.  Services Provided by DNS Security  . . . . . . . . . . . . . .  7
+   3.1 Data Origin Authentication and Data Integrity  . . . . . . . .  7
+   3.2 Authenticating Name and Type Non-Existence . . . . . . . . . .  8
+   4.  Services Not Provided by DNS Security  . . . . . . . . . . . . 10
+   5.  Resolver Considerations  . . . . . . . . . . . . . . . . . . . 11
+   6.  Stub Resolver Considerations . . . . . . . . . . . . . . . . . 12
+   7.  Zone Considerations  . . . . . . . . . . . . . . . . . . . . . 13
+   7.1 TTL values vs. RRSIG validity period . . . . . . . . . . . . . 13
+   7.2 New Temporal Dependency Issues for Zones . . . . . . . . . . . 13
+   8.  Name Server Considerations . . . . . . . . . . . . . . . . . . 14
+   9.  DNS Security Document Family . . . . . . . . . . . . . . . . . 15
+   10. IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 16
+   11. Security Considerations  . . . . . . . . . . . . . . . . . . . 17
+   12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 19
+       Normative References . . . . . . . . . . . . . . . . . . . . . 20
+       Informative References . . . . . . . . . . . . . . . . . . . . 21
+       Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 22
+       Intellectual Property and Copyright Statements . . . . . . . . 24
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al.          Expires August 16, 2004                 [Page 2]
+
+Internet-Draft    DNSSEC Introduction and Requirements     February 2004
+
+
+1. Introduction
+
+   This document introduces the Domain Name System Security Extensions
+   (DNSSEC).  This document and its two companion documents
+   ([I-D.ietf-dnsext-dnssec-records] and
+   [I-D.ietf-dnsext-dnssec-protocol]) update, clarify, and refine the
+   security extensions defined in RFC 2535 [RFC2535] and its
+   predecessors. These security extensions consist of a set of new
+   resource record types and modifications to the existing DNS protocol
+   [RFC1035].  The new records and protocol modifications are not fully
+   described in this document, but are described in a family of
+   documents outlined in Section 9. Section 3 and Section 4 describe the
+   capabilities and limitations of the security extensions in greater
+   detail. Section 5, Section 6, Section 7, and Section 8 discuss the
+   effect that these security extensions will have on resolvers, stub
+   resolvers, zones and name servers.
+
+   This document and its two companions update and obsolete RFCs 2535
+   [RFC2535], 3008 [RFC3008], 3090 [RFC3090], 3226 [RFC3226], and 3445
+   [RFC3445], as well as several works in progress: "Redefinition of the
+   AD bit" [RFC3655], "Legacy Resolver Compatibility for Delegation
+   Signer" [I-D.ietf-dnsext-dnssec-2535typecode-change], and "Delegation
+   Signer Resource Record" [RFC3658].  This document set also updates,
+   but does not obsolete, RFCs 1034 [RFC1034], 1035 [RFC1035], 2136
+   [RFC2136], 2181 [RFC2181], 2308 [RFC2308] and 3597 [RFC3597].
+
+   The DNS security extensions provide origin authentication and
+   integrity protection for DNS data, as well as a means of public key
+   distribution.  These extensions do not provide confidentiality.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al.          Expires August 16, 2004                 [Page 3]
+
+Internet-Draft    DNSSEC Introduction and Requirements     February 2004
+
+
+2. Definitions of Important DNSSEC Terms
+
+   This section defines a number of terms used in this document set.
+   Since this is intended to be useful as a reference while reading the
+   rest of the document set, first-time readers may wish to skim this
+   section quickly, read the rest of this document, then come back to
+   this section.
+
+   authentication chain: an alternating sequence of DNSKEY RRsets and DS
+      RRsets forms a chain of signed data, with each link in the chain
+      vouching for the next.  A DNSKEY RR is used to verify the
+      signature covering a DS RR and allows the DS RR to be
+      authenticated.  The DS RR contains a hash of another DNSKEY RR and
+      this new DNSKEY RR is authenticated by matching the hash in the DS
+      RR.  This new DNSKEY RR in turn authenticates another DNSKEY RRset
+      and, in turn, some DNSKEY RR in this set may be used to
+      authenticate another DS RR and so forth until the chain finally
+      ends with a DNSKEY RR which signs the desired DNS data.  For
+      example, the root DNSKEY RRset can be used to authenticate the DS
+      RRset for "example."  The "example." DS RRset contains a hash that
+      matches some "example." DNSKEY and this DNSKEY signs the
+      "example." DNSKEY RRset.  Private key counterparts of the
+      "example." DNSKEY RRset sign data records such as "www.example."
+      as well as DS RRs for delegations such as "subzone.example."
+
+   authentication key: A public key which a security-aware resolver has
+      verified and can therefore use to authenticate data.  A
+      security-aware resolver can obtain authentication keys in three
+      ways.  First, the resolver is generally preconfigured to know
+      about at least one public key.  This preconfigured data is usually
+      either the public key itself or a hash of the key as found in the
+      DS RR.  Second, the resolver may use an authenticated public key
+      to verify a DS RR and its associated DNSKEY RR.  Third, the
+      resolver may be able to determine that a new key has been signed
+      by another key which the resolver has verified.  Note that the
+      resolver must always be guided by local policy when deciding
+      whether to authenticate a new key, even if the local policy is
+      simply to authenticate any new key for which the resolver is able
+      verify the signature.
+
+   delegation point: Term used to describe the name at the parental side
+      of a zone cut.  That is, the delegation point for "foo.example"
+      would be the foo.example node in the "example" zone (as opposed to
+      the zone apex of the "foo.example" zone).
+
+   island of security: Term used to describe a signed, delegated zone
+      that does not have an authentication chain from its delegating
+      parent.  That is, there is no DS RR with the island's public key
+
+
+
+Arends, et al.          Expires August 16, 2004                 [Page 4]
+
+Internet-Draft    DNSSEC Introduction and Requirements     February 2004
+
+
+      in its delegating parent zone (see
+      [I-D.ietf-dnsext-dnssec-records]). An island of security is served
+      by a security-aware nameserver and may provide authentication
+      chains to any delegated child zones.  Responses from an island of
+      security or its descendents can only be authenticated if its zone
+      key can be authenticated by some trusted means out of band from
+      the DNS protocol.
+
+   key signing key: An authentication key which is used to sign one or
+      more other authentication keys for a given zone.  Typically, a key
+      signing key will sign a zone signing key, which in turn will sign
+      other zone data.  Local policy may require the zone signing key to
+      be changed frequently, while the key signing key may have a longer
+      validity period in order to provide a more stable secure entry
+      point into the zone.  Designating an authentication key as a key
+      signing key is purely an operational issue: DNSSEC validation does
+      not distinguish between key signing keys and other DNSSEC
+      authentication keys.  Key signing keys are discussed in more
+      detail in [I-D.ietf-dnsext-keyrr-key-signing-flag]. See also: zone
+      signing key.
+
+   non-validating security-aware stub resolver: A security-aware stub
+      resolver which trusts one or more security-aware recursive name
+      servers to perform most of the tasks discussed in this document
+      set on its behalf. In particular, a non-validating security-aware
+      stub resolver is an entity which sends DNS queries, receives DNS
+      responses, and is capable of establishing an appropriately secured
+      channel to a security-aware recursive name server which will
+      provide these services on behalf of the security-aware stub
+      resolver.  See also: security-aware stub resolver, validating
+      security-aware stub resolver.
+
+   non-validating stub resolver: A less tedious term for a
+      non-validating security-aware stub resolver.
+
+   security-aware name server: An entity acting in the role of a name
+      server (defined in section 2.4 of [RFC1034]) which understands the
+      DNS security extensions defined in this document set.  In
+      particular, a security-aware name server is an entity which
+      receives DNS queries, sends DNS responses, supports the EDNS0
+      [RFC2671] message size extension and the DO bit [RFC3225], and
+      supports the RR types and message header bits defined in this
+      document set.
+
+   security-aware recursive name server: An entity which acts in both
+      the security-aware name server and security-aware resolver roles.
+      A more cumbersome equivalent phrase would be "a security-aware
+      name server which offers recursive service".
+
+
+
+Arends, et al.          Expires August 16, 2004                 [Page 5]
+
+Internet-Draft    DNSSEC Introduction and Requirements     February 2004
+
+
+   security-aware resolver: An entity acting in the role of a resolver
+      (defined in section 2.4 of [RFC1034]) which understands the DNS
+      security extensions defined in this document set.  In particular,
+      a security-aware resolver is an entity which sends DNS queries,
+      receives DNS responses, supports the EDNS0 [RFC2671] message size
+      extension and the DO bit [RFC3225], and is capable of using the RR
+      types and message header bits defined in this document set to
+      provide DNSSEC services.
+
+   security-aware stub resolver: An entity acting in the role of a stub
+      resolver (defined in section 5.3.1 of [RFC1034]) which has enough
+      of an understanding the DNS security extensions defined in this
+      document set to provide additional services not available from a
+      security-oblivious stub resolver.   Security-aware stub resolvers
+      may be either "validating" or "non-validating" depending on
+      whether the stub resolver attempts to verify DNSSEC signatures on
+      its own or trusts a friendly security-aware name server to do so.
+      See also: validating stub resolver, non-validating stub resolver.
+
+   security-oblivious <anything>: An <anything> which is not
+      "security-aware".
+
+   signed zone: A zone whose RRsets are signed and which contains
+      properly constructed DNSKEY, RRSIG, NSEC and (optionally) DS
+      records.
+
+   unsigned zone: A zone which is not signed.
+
+   validating security-aware stub resolver: A security-aware resolver
+      which operates sends queries in recursive mode but which performs
+      signature validation on its own rather than just blindly trusting
+      a friendly security-aware recursive name server.  See also:
+      security-aware stub resolver, non-validating security-aware stub
+      resolver.
+
+   validating stub resolver: A less tedious term for a validating
+      security-aware stub resolver.
+
+   zone signing key: An authentication key which is used to sign a zone.
+      See key signing key, above.  Typically a zone signing key will be
+      part of the same DNSKEY RRset as the key signing key which signs
+      it, but is used for a slightly different purpose and may differ
+      from the key signing key in other ways, such as validity lifetime.
+      Designating an authentication key as a zone signing key is purely
+      an operational issue: DNSSEC validation does not distinguish
+      between zone signing keys and other DNSSEC authentication keys.
+      See also: key signing key.
+
+
+
+
+Arends, et al.          Expires August 16, 2004                 [Page 6]
+
+Internet-Draft    DNSSEC Introduction and Requirements     February 2004
+
+
+3. Services Provided by DNS Security
+
+   The Domain Name System (DNS) security extensions provide origin
+   authentication and integrity assurance services for DNS data,
+   including mechanisms for authenticated denial of existence of DNS
+   data.  These mechanisms are described below.
+
+   These mechanisms require changes to the DNS protocol.  DNSSEC adds
+   four new resource record types (RRSIG, DNSKEY, DS and NSEC) and two
+   new message header bits (CD and AD).  In order to support the larger
+   DNS message sizes that result from adding the DNSSEC RRs, DNSSEC also
+   requires EDNS0 support [RFC2671].  Finally, DNSSEC requires support
+   for the DO bit [RFC3225], so that a security-aware resolver can
+   indicate in its queries that it wishes to receive DNSSEC RRs in
+   response messages.
+
+   These services protect against most of the threats to the Domain Name
+   System described in [I-D.ietf-dnsext-dns-threats].
+
+3.1 Data Origin Authentication and Data Integrity
+
+   DNSSEC provides authentication by associating cryptographically
+   generated digital signatures with DNS RRsets. These digital
+   signatures are stored in a new resource record, the RRSIG record.
+   Typically, there will be a single private key that signs a zone's
+   data, but multiple keys are possible: for example, there may be keys
+   for each of several different digital signature algorithms. If a
+   security-aware resolver reliably learns a zone's public key, it can
+   authenticate that zone's signed data.  An important DNSSEC concept is
+   that the key that signs a zone's data is associated with the zone
+   itself and not with the zone's authoritative name servers (public
+   keys for DNS transaction authentication mechanisms may also appear in
+   zones, as described in [RFC2931], but DNSSEC itself is concerned with
+   object security of DNS data, not channel security of DNS
+   transactions).
+
+   A security-aware resolver can learn a zone's public key either by
+   having the key preconfigured into the resolver or by normal DNS
+   resolution.  To allow the latter, public keys are stored in a new
+   type of resource record, the DNSKEY RR.  Note that the private keys
+   used to sign zone data must be kept secure, and should be stored
+   offline when practical to do so.  To discover a public key reliably
+   via DNS resolution, the target key itself needs to be signed by
+   either a preconfigured authentication key or another key that has
+   been authenticated previously. Security-aware resolvers authenticate
+   zone information by forming an authentication chain from a newly
+   learned public key back to a previously known authentication public
+   key, which in turn either must have been preconfigured into the
+
+
+
+Arends, et al.          Expires August 16, 2004                 [Page 7]
+
+Internet-Draft    DNSSEC Introduction and Requirements     February 2004
+
+
+   resolver or must have been learned and verified previously.
+   Therefore, the resolver must be configured with at least one public
+   key or hash of a public key: if the preconfigured key is a zone
+   signing key, then it will authenticate the associated zone; if the
+   preconfigured key is a key signing key, it will authenticate a zone
+   signing key.  If the resolver has been preconfigured with the hash of
+   a key rather than the key itself, the resolver may need to obtain the
+   key via a DNS query.  To help security-aware resolvers establish this
+   authentication chain, security-aware name servers attempt to send the
+   signature(s) needed to authenticate a zone's public key in the DNS
+   reply message along with the public key itself, provided there is
+   space available in the message.
+
+   The Delegation Signer (DS) RR type simplifies some of the
+   administrative tasks involved in signing delegations across
+   organizational boundaries.  The DS RRset resides at a delegation
+   point in a parent zone and indicates the key or keys used by the
+   delegated child zone to self-sign the DNSKEY RRset at the child
+   zone's apex.  The child zone, in turn, uses one or more of the keys
+   in this DNSKEY RRset to sign its zone data.  The typical
+   authentication chain is therefore DNSKEY->[DS->DNSKEY]*->RRset, where
+   "*" denotes zero or more DS->DNSKEY subchains.  DNSSEC permits more
+   complex authentication chains, such as additional layers of DNSKEY
+   RRs signing other DNSKEY RRs within a zone.
+
+   A security-aware resolver normally constructs this authentication
+   chain from the root of the DNS hierarchy down to the leaf zones based
+   on preconfigured knowledge of the public key for the root.  Local
+   policy, however, may also allow a security-aware resolver to use one
+   or more preconfigured keys (or key hashes) other than the root key,
+   or may not provide preconfigured knowledge of the root key, or may
+   prevent the resolver from using particular keys for arbitrary reasons
+   even if those keys are properly signed with verifiable signatures.
+   DNSSEC provides mechanisms by which a security-aware resolver can
+   determine whether an RRset's signature is "valid" within the meaning
+   of DNSSEC.  In the final analysis however, authenticating both DNS
+   keys and data is a matter of local policy, which may extend or even
+   override the protocol extensions defined in this document set.
+
+3.2 Authenticating Name and Type Non-Existence
+
+   The security mechanism described in Section 3.1 only provides a way
+   to sign existing RRsets in a zone.  The problem of providing negative
+   responses with the same level of authentication and integrity
+   requires the use of another new resource record type, the NSEC
+   record.  The NSEC record allows a security-aware resolver to
+   authenticate a negative reply for either name or type non-existence
+   via the same mechanisms used to authenticate other DNS replies.  Use
+
+
+
+Arends, et al.          Expires August 16, 2004                 [Page 8]
+
+Internet-Draft    DNSSEC Introduction and Requirements     February 2004
+
+
+   of NSEC records requires a canonical representation and ordering for
+   domain names in zones.  Chains of NSEC records explicitly describe
+   the gaps, or "empty space", between domain names in a zone, as well
+   as listing the types of RRsets present at existing names.  Each NSEC
+   record is signed and authenticated using the mechanisms described in
+   Section 3.1.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al.          Expires August 16, 2004                 [Page 9]
+
+Internet-Draft    DNSSEC Introduction and Requirements     February 2004
+
+
+4. Services Not Provided by DNS Security
+
+   DNS was originally designed with the assumptions that the DNS will
+   return the same answer to any given query regardless of who may have
+   issued the query, and that all data in the DNS is thus visible.
+   Accordingly, DNSSEC is not designed to provide confidentiality,
+   access control lists, or other means of differentiating between
+   inquirers.
+
+   DNSSEC provides no protection against denial of service attacks.
+   Security-aware resolvers and security-aware name servers are
+   vulnerable to an additional class of denial of service attacks based
+   on cryptographic operations.  Please see Section 11 for details.
+
+   The DNS security extensions provide data and origin authentication
+   for DNS data.  The mechanisms outlined above are not designed to
+   protect operations such as zone transfers and dynamic update
+   [RFC3007].  Message authentication schemes described in [RFC2845] and
+   [RFC2931] address security operations that pertain to these
+   transactions.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 10]
+
+Internet-Draft    DNSSEC Introduction and Requirements     February 2004
+
+
+5. Resolver Considerations
+
+   A security-aware resolver needs to be able to perform cryptographic
+   functions necessary to verify digital signatures using at least the
+   mandatory-to-implement algorithm(s).  Security-aware resolvers must
+   also be capable of forming an authentication chain from a newly
+   learned zone back to an authentication key, as described above.  This
+   process might require additional queries to intermediate DNS zones to
+   obtain necessary DNSKEY, DS and RRSIG records.  A security-aware
+   resolver should be configured with at least one authentication key or
+   a key's DS RR hash as the starting point from which it will attempt
+   to establish authentication chains.
+
+   If a security-aware resolver is separated from the relevant
+   authoritative name servers by a recursive name server or by any sort
+   of device which acts as a proxy for DNS, and if the recursive name
+   server or proxy is not security-aware, the security-aware resolver
+   may not be capable of operating in a secure mode.  For example, if a
+   security-aware resolver's packets are routed through a network
+   address translation device that includes a DNS proxy which is not
+   security-aware, the security-aware resolver may find it difficult or
+   impossible to obtain or validate signed DNS data.
+
+   If a security-aware resolver must rely on an unsigned zone or a name
+   server that is not security aware, the resolver may not be able to
+   validate DNS responses, and will need a local policy on whether to
+   accept unverified responses.
+
+   A security-aware resolver should take a signature's validation period
+   into consideration when determining the TTL of data in its cache, to
+   avoid caching signed data beyond the validity period of the
+   signature, but should also allow for the possibility that the
+   security-aware resolver's own clock is wrong.  Thus, a security-aware
+   resolver which is part of a security-aware recursive name server will
+   need to pay careful attention to the DNSSEC "checking disabled" (CD)
+   bit [I-D.ietf-dnsext-dnssec-records].  This is in order to avoid
+   blocking valid signatures from getting through to other
+   security-aware resolvers which are clients of this recursive name
+   server.  See [I-D.ietf-dnsext-dnssec-protocol] for how a secure
+   recursive server handles queries with the CD bit set.
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 11]
+
+Internet-Draft    DNSSEC Introduction and Requirements     February 2004
+
+
+6. Stub Resolver Considerations
+
+   Although not strictly required to do so by the protocol, most DNS
+   queries originate from stub resolvers.  Stub resolvers, by
+   definition, are minimal DNS resolvers which use recursive query mode
+   to offload most of the work of DNS resolution to a recursive name
+   server.  Given the widespread use of stub resolvers, the DNSSEC
+   architecture has to take stub resolvers into account, but the
+   security features needed in a stub resolver differ in some respects
+   from those needed in a full security-aware resolver.
+
+   Even an unaugmented stub resolver may get some benefit from DNSSEC if
+   the recursive name servers it uses are security-aware, but for the
+   stub resolver to place any real reliance on DNSSEC services, the stub
+   resolver must trust both the recursive name servers in question and
+   the communication channels between itself and those name servers.
+   The first of these issues is a local policy issue: in essence, a
+   security-oblivious stub resolver has no real choice but to place
+   itself at the mercy of the recursive name servers that it uses, since
+   it does not perform DNSSEC validity checks on its own.  The second
+   issue requires some kind of channel security mechanism; proper use of
+   DNS transaction authentication mechanisms such as SIG(0) or TSIG
+   would suffice, as would appropriate use of IPsec, and particular
+   implementations may have other choices available, such as operating
+   system specific interprocess communication mechanisms.
+   Confidentiality is not needed for this channel, but data integrity
+   and message authentication are.
+
+   A security-aware stub resolver which does trust both its recursive
+   name servers and its communication channel to them may choose to
+   examine the setting of the AD bit in the message header of the
+   response messages it receives.  The stub resolver can use this flag
+   bit as a hint to find out whether the recursive name server was able
+   to validate signatures for all of the data in the Answer and
+   Authority sections of the response.
+
+   There is one more step which a security-aware stub resolver can take
+   if, for whatever reason, it is not able to establish a useful trust
+   relationship with the recursive name servers which it uses: it can
+   perform its own signature validation, by setting the Checking
+   Disabled (CD) bit in its query messages.  A validating stub resolver
+   is thus able to treat the DNSSEC signatures as a trust relationship
+   between the zone administrator and the stub resolver itself.
+
+
+
+
+
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 12]
+
+Internet-Draft    DNSSEC Introduction and Requirements     February 2004
+
+
+7. Zone Considerations
+
+   There are several differences between signed and unsigned zones.  A
+   signed zone will contain additional security-related records (RRSIG,
+   DNSKEY, DS and NSEC records).  RRSIG and NSEC records may be
+   generated by a signing process prior to serving the zone.  The RRSIG
+   records that accompany zone data have defined inception and
+   expiration times, which establish a validity period for the
+   signatures and the zone data the signatures cover.
+
+7.1 TTL values vs. RRSIG validity period
+
+   It is important to note the distinction between a RRset's TTL value
+   and the signature validity period specified by the RRSIG RR covering
+   that RRset.  DNSSEC does not change the definition or function of the
+   TTL value, which is intended to maintain database coherency in
+   caches. A caching resolver purges RRsets from its cache no later than
+   the end of the time period specified by the TTL fields of those
+   RRsets, regardless of whether or not the resolver is security-aware.
+
+   The inception and expiration fields in the RRSIG RR
+   [I-D.ietf-dnsext-dnssec-records], on the other hand, specify the time
+   period during which the signature can be used to validate the RRset
+   that it covers.  The signatures associated with signed zone data are
+   only valid for the time period specified by these fields in the RRSIG
+   RRs in question.  TTL values cannot extend the validity period of
+   signed RRsets in a resolver's cache, but the resolver may use the
+   time remaining before expiration of the signature validity period of
+   a signed RRset as an upper bound for the TTL of the signed RRset and
+   its associated RRSIG RR in the resolver's cache.
+
+7.2 New Temporal Dependency Issues for Zones
+
+   Information in a signed zone has a temporal dependency which did not
+   exist in the original DNS protocol.  A signed zone requires regular
+   maintenance to ensure that each RRset in the zone has a current valid
+   RRSIG RR.  The signature validity period of an RRSIG RR is an
+   interval during which the signature for one particular signed RRset
+   can be considered valid, and the signatures of different RRsets in a
+   zone may expire at different times.  Re-signing one or more RRsets in
+   a zone will change one or more RRSIG RRs, which in turn will require
+   incrementing the zone's SOA serial number to indicate that a zone
+   change has occurred and re-signing the SOA RRset itself.  Thus,
+   re-signing any RRset in a zone may also trigger DNS NOTIFY messages
+   and zone transfers operations.
+
+
+
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 13]
+
+Internet-Draft    DNSSEC Introduction and Requirements     February 2004
+
+
+8. Name Server Considerations
+
+   A security-aware name server should include the appropriate DNSSEC
+   records (RRSIG, DNSKEY, DS and NSEC) in all responses to queries from
+   resolvers which have signaled their willingness to receive such
+   records via use of the DO bit in the EDNS header, subject to message
+   size limitations.  Since inclusion of these DNSSEC RRs could easily
+   cause UDP message truncation and fallback to TCP, a security-aware
+   name server must also support the EDNS "sender's UDP payload"
+   mechanism.
+
+   If possible, the private half of each DNSSEC key pair should be kept
+   offline, but this will not be possible for a zone for which DNS
+   dynamic update has been enabled.  In the dynamic update case, the
+   primary master server for the zone will have to re-sign the zone when
+   updated, so the private half of the zone signing key will have to be
+   kept online.  This is an example of a situation where the ability to
+   separate the zone's DNSKEY RRset into zone signing key(s) and key
+   signing key(s) may be useful, since the key signing key(s) in such a
+   case can still be kept offline.
+
+   DNSSEC, by itself, is not enough to protect the integrity of an
+   entire zone during zone transfer operations, since even a signed zone
+   contains some unsigned, nonauthoritative data if the zone has any
+   children, so zone maintenance operations will require some additional
+   mechanisms (most likely some form of channel security, such as TSIG,
+   SIG(0), or IPsec).
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 14]
+
+Internet-Draft    DNSSEC Introduction and Requirements     February 2004
+
+
+9. DNS Security Document Family
+
+   The DNSSEC document set can be partitioned into several main groups,
+   under the larger umbrella of the DNS base protocol documents.
+
+   The "DNSSEC protocol document set" refers to the three documents
+   which form the core of the DNS security extensions:
+
+   1.  DNS Security Introduction and Requirements (this document)
+
+   2.  Resource Records for DNS Security Extensions
+       [I-D.ietf-dnsext-dnssec-records]
+
+   3.  Protocol Modifications for the DNS Security Extensions
+       [I-D.ietf-dnsext-dnssec-protocol]
+
+   The "Digital Signature Algorithm Specification" document set refers
+   to the group of documents that describe how specific digital
+   signature algorithms should be implemented to fit the DNSSEC resource
+   record format.  Each of these documents deals with a specific digital
+   signature algorithm.
+
+   The "Transaction Authentication Protocol" document set refers to the
+   group of documents that deal with DNS message authentication,
+   including secret key establishment and verification.  While not
+   strictly part of the DNSSEC specification as defined in this set of
+   documents, this group is noted to show its relationship to DNSSEC.
+
+   The final document set, "New Security Uses", refers to documents that
+   seek to use proposed DNS Security extensions for other security
+   related purposes.  DNSSEC does not provide any direct security for
+   these new uses, but may be used to support them.  Documents that fall
+   in this category include the use of DNS in the storage and
+   distribution of certificates [RFC2538].
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 15]
+
+Internet-Draft    DNSSEC Introduction and Requirements     February 2004
+
+
+10. IANA Considerations
+
+   This overview document introduces no new IANA considerations. Please
+   see [I-D.ietf-dnsext-dnssec-records] for a complete review of the
+   IANA considerations introduced by DNSSEC.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 16]
+
+Internet-Draft    DNSSEC Introduction and Requirements     February 2004
+
+
+11. Security Considerations
+
+   This document introduces the DNS security extensions and describes
+   the document set that contains the new security records and DNS
+   protocol modifications.  This document discusses the capabilities and
+   limitations of these extensions.  The extensions provide data origin
+   authentication and data integrity using digital signatures over
+   resource record sets.
+
+   In order for a security-aware resolver to validate a DNS response,
+   all zones along the path from the trusted starting point to the zone
+   containing the response zones must be signed, and all name servers
+   and resolvers involved in the resolution process must be
+   security-aware, as defined in this document set.  A security-aware
+   resolver cannot verify responses originating from an unsigned zone,
+   from a zone not served by a security-aware name server, or for any
+   DNS data which the resolver is only able to obtain through a
+   recursive name server which is not security-aware.  If there is a
+   break in the authentication chain such that a security-aware resolver
+   cannot obtain and validate the authentication keys it needs, then the
+   security-aware resolver cannot validate the affected DNS data.
+
+   This document briefly discusses other methods of adding security to a
+   DNS query, such as using a channel secured by IPsec or using a DNS
+   transaction authentication mechanism, but transaction security is not
+   part of DNSSEC per se.
+
+   A non-validating security-aware stub resolver, by definition, does
+   not perform DNSSEC signature validation on its own, and thus is
+   vulnerable both to attacks on (and by) the security-aware recursive
+   name servers which perform these checks on its behalf and also to
+   attacks on its communication with those security-aware recursive name
+   servers. Non-validating security-aware stub resolvers should use some
+   form of channel security to defend against the latter threat. The
+   only known defense against the former threat would be for the
+   security-aware stub resolver to perform its own signature validation,
+   at which point, again by definition, it would no longer be a
+   non-validating security-aware stub resolver.
+
+   DNSSEC does not protect against denial of service attacks.  DNSSEC
+   makes DNS vulnerable to a new class of denial of service attacks
+   based on cryptographic operations against security-aware resolvers
+   and security-aware name servers, since an attacker can attempt to use
+   DNSSEC mechanisms to consume a victim's resources.  This class of
+   attacks takes at least two forms.  An attacker may be able to consume
+   resources in a security-aware resolver's signature validation code by
+   tampering with RRSIG RRs in response messages or by constructing
+   needlessly complex signature chains.  An attacker may also be able to
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 17]
+
+Internet-Draft    DNSSEC Introduction and Requirements     February 2004
+
+
+   consume resources in a security-aware name server which supports DNS
+   dynamic update, by sending a stream of update messages that force the
+   security-aware name server to re-sign some RRsets in the zone more
+   frequently than would otherwise be necessary.
+
+   DNSSEC introduces the ability for a hostile party to enumerate all
+   the names in a zone by following the NSEC chain. NSEC RRs assert
+   which names do not exist in a zone by linking from existing name to
+   existing name along a canonical ordering of all the names within a
+   zone. Thus, an attacker can query these NSEC RRs in sequence to
+   obtain all the names in a zone. While not an attack on the DNS
+   itself, this could allow an attacker to map network hosts or other
+   resources by enumerating the contents of a zone. There are non-DNS
+   protocol means of detecting and limiting this attack beyond the scope
+   of this document set.
+
+   DNSSEC introduces significant additional complexity to the DNS, and
+   thus introduces many new opportunities for implementation bugs and
+   misconfigured zones.  In particular, enabling DNSSEC signature
+   validation in a resolver may cause entire legitimate zones to become
+   effectively unreachable due to DNSSEC configuration errors or bugs.
+
+   DNSSEC does not provide confidentiality, due to a deliberate design
+   choice.
+
+   DNSSEC does not protect against tampering with unsigned zone data.
+   Non-authoritative data at zone cuts (glue and NS RRs in the parent
+   zone) are not signed.  This does not pose a problem when validating
+   the authentication chain, but does mean that the non-authoritative
+   data itself is vulnerable to tampering during zone transfer
+   operations.  Thus, while DNSSEC can provide data origin
+   authentication and data integrity for RRsets, it cannot do so for
+   zones, and other mechanisms must be used to protect zone transfer
+   operations.
+
+   Please see [I-D.ietf-dnsext-dnssec-records] and
+   [I-D.ietf-dnsext-dnssec-protocol] for additional security
+   considerations.
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 18]
+
+Internet-Draft    DNSSEC Introduction and Requirements     February 2004
+
+
+12. Acknowledgements
+
+   This document was created from the input and ideas of the members of
+   the DNS Extensions Working Group.  While explicitly listing everyone
+   who has contributed during the decade during which DNSSEC has been
+   under development would be an impossible task, the editors would
+   particularly like to thank the following people for their
+   contributions to and comments on this document set: Mark Andrews,
+   Derek Atkins, Alan Barrett, Dan Bernstein, David Blacka, Len Budney,
+   Randy Bush, Francis Dupont, Donald Eastlake, Miek Gieben, Michael
+   Graff, Olafur Gudmundsson, Gilles Guette, Andreas Gustafsson, Phillip
+   Hallam-Baker, Walter Howard, Stephen Jacob, Simon Josefsson, Olaf
+   Kolkman, Mark Kosters, David Lawrence, Ted Lemon, Ed Lewis, Ted
+   Lindgreen, Josh Littlefield, Rip Loomis, Bill Manning, Mans Nilsson,
+   Masataka Ohta, Rob Payne, Jim Reid, Michael Richardson, Erik
+   Rozendaal, Jakob Schlyter, Mike StJohns, Sam Weiler, and Brian
+   Wellington.
+
+   No doubt the above is an incomplete list.  We apologize to anyone we
+   left out.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 19]
+
+Internet-Draft    DNSSEC Introduction and Requirements     February 2004
+
+
+Normative References
+
+   [RFC1034]  Mockapetris, P., "Domain names - concepts and facilities",
+              STD 13, RFC 1034, November 1987.
+
+   [RFC1035]  Mockapetris, P., "Domain names - implementation and
+              specification", STD 13, RFC 1035, November 1987.
+
+   [RFC2535]  Eastlake, D., "Domain Name System Security Extensions",
+              RFC 2535, March 1999.
+
+   [RFC2671]  Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC
+              2671, August 1999.
+
+   [RFC3225]  Conrad, D., "Indicating Resolver Support of DNSSEC", RFC
+              3225, December 2001.
+
+   [RFC3226]  Gudmundsson, O., "DNSSEC and IPv6 A6 aware server/resolver
+              message size requirements", RFC 3226, December 2001.
+
+   [RFC3445]  Massey, D. and S. Rose, "Limiting the Scope of the KEY
+              Resource Record (RR)", RFC 3445, December 2002.
+
+   [I-D.ietf-dnsext-dnssec-records]
+              Arends, R., Austein, R., Larson, M., Massey, D. and S.
+              Rose, "Resource Records for DNS Security Extensions",
+              draft-ietf-dnsext-dnssec-records-07 (work in progress),
+              February 2004.
+
+   [I-D.ietf-dnsext-dnssec-protocol]
+              Arends, R., Austein, R., Larson, M., Massey, D. and S.
+              Rose, "Protocol Modifications for the DNS Security
+              Extensions", draft-ietf-dnsext-dnssec-protocol-05 (work in
+              progress), February 2004.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 20]
+
+Internet-Draft    DNSSEC Introduction and Requirements     February 2004
+
+
+Informative References
+
+   [RFC2136]  Vixie, P., Thomson, S., Rekhter, Y. and J. Bound, "Dynamic
+              Updates in the Domain Name System (DNS UPDATE)", RFC 2136,
+              April 1997.
+
+   [RFC2181]  Elz, R. and R. Bush, "Clarifications to the DNS
+              Specification", RFC 2181, July 1997.
+
+   [RFC2308]  Andrews, M., "Negative Caching of DNS Queries (DNS
+              NCACHE)", RFC 2308, March 1998.
+
+   [RFC2538]  Eastlake, D. and O. Gudmundsson, "Storing Certificates in
+              the Domain Name System (DNS)", RFC 2538, March 1999.
+
+   [RFC2845]  Vixie, P., Gudmundsson, O., Eastlake, D. and B.
+              Wellington, "Secret Key Transaction Authentication for DNS
+              (TSIG)", RFC 2845, May 2000.
+
+   [RFC2931]  Eastlake, D., "DNS Request and Transaction Signatures (
+              SIG(0)s)", RFC 2931, September 2000.
+
+   [RFC3007]  Wellington, B., "Secure Domain Name System (DNS) Dynamic
+              Update", RFC 3007, November 2000.
+
+   [RFC3008]  Wellington, B., "Domain Name System Security (DNSSEC)
+              Signing Authority", RFC 3008, November 2000.
+
+   [RFC3090]  Lewis, E., "DNS Security Extension Clarification on Zone
+              Status", RFC 3090, March 2001.
+
+   [RFC3597]  Gustafsson, A., "Handling of Unknown DNS Resource Record
+              (RR) Types", RFC 3597, September 2003.
+
+   [RFC3655]  Wellington, B. and O. Gudmundsson, "Redefinition of DNS
+              Authenticated Data (AD) bit", RFC 3655, November 2003.
+
+   [RFC3658]  Gudmundsson, O., "Delegation Signer (DS) Resource Record
+              (RR)", RFC 3658, December 2003.
+
+   [I-D.ietf-dnsext-dns-threats]
+              Atkins, D. and R. Austein, "Threat Analysis Of The Domain
+              Name System", draft-ietf-dnsext-dns-threats-05 (work in
+              progress), November 2003.
+
+   [I-D.ietf-dnsext-dnssec-2535typecode-change]
+              Weiler, S., "Legacy Resolver Compatibility for Delegation
+              Signer", draft-ietf-dnsext-dnssec-2535typecode-change-06
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 21]
+
+Internet-Draft    DNSSEC Introduction and Requirements     February 2004
+
+
+              (work in progress), December 2003.
+
+   [I-D.ietf-dnsext-keyrr-key-signing-flag]
+              Kolkman, O., Schlyter, J. and E. Lewis, "KEY RR Secure
+              Entry Point Flag",
+              draft-ietf-dnsext-keyrr-key-signing-flag-12 (work in
+              progress), December 2003.
+
+
+Authors' Addresses
+
+   Roy Arends
+   Telematica Instituut
+   Drienerlolaan 5
+   7522 NB  Enschede
+   NL
+
+   EMail: roy.arends@telin.nl
+
+
+   Rob Austein
+   Internet Systems Consortium
+   950 Charter Street
+   Redwood City, CA  94063
+   USA
+
+   EMail: sra@isc.org
+
+
+   Matt Larson
+   VeriSign, Inc.
+   21345 Ridgetop Circle
+   Dulles, VA  20166-6503
+   USA
+
+   EMail: mlarson@verisign.com
+
+
+   Dan Massey
+   USC Information Sciences Institute
+   3811 N. Fairfax Drive
+   Arlington, VA  22203
+   USA
+
+   EMail: masseyd@isi.edu
+
+
+
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 22]
+
+Internet-Draft    DNSSEC Introduction and Requirements     February 2004
+
+
+   Scott Rose
+   National Institute for Standards and Technology
+   100 Bureau Drive
+   Gaithersburg, MD  20899-8920
+   USA
+
+   EMail: scott.rose@nist.gov
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 23]
+
+Internet-Draft    DNSSEC Introduction and Requirements     February 2004
+
+
+Intellectual Property Statement
+
+   The IETF takes no position regarding the validity or scope of any
+   intellectual property or other rights that might be claimed to
+   pertain to the implementation or use of the technology described in
+   this document or the extent to which any license under such rights
+   might or might not be available; neither does it represent that it
+   has made any effort to identify any such rights. Information on the
+   IETF's procedures with respect to rights in standards-track and
+   standards-related documentation can be found in BCP-11. Copies of
+   claims of rights made available for publication and any assurances of
+   licenses to be made available, or the result of an attempt made to
+   obtain a general license or permission for the use of such
+   proprietary rights by implementors or users of this specification can
+   be obtained from the IETF Secretariat.
+
+   The IETF invites any interested party to bring to its attention any
+   copyrights, patents or patent applications, or other proprietary
+   rights which may cover technology that may be required to practice
+   this standard. Please address the information to the IETF Executive
+   Director.
+
+
+Full Copyright Statement
+
+   Copyright (C) The Internet Society (2004). All Rights Reserved.
+
+   This document and translations of it may be copied and furnished to
+   others, and derivative works that comment on or otherwise explain it
+   or assist in its implementation may be prepared, copied, published
+   and distributed, in whole or in part, without restriction of any
+   kind, provided that the above copyright notice and this paragraph are
+   included on all such copies and derivative works. However, this
+   document itself may not be modified in any way, such as by removing
+   the copyright notice or references to the Internet Society or other
+   Internet organizations, except as needed for the purpose of
+   developing Internet standards in which case the procedures for
+   copyrights defined in the Internet Standards process must be
+   followed, or as required to translate it into languages other than
+   English.
+
+   The limited permissions granted above are perpetual and will not be
+   revoked by the Internet Society or its successors or assignees.
+
+   This document and the information contained herein is provided on an
+   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 24]
+
+Internet-Draft    DNSSEC Introduction and Requirements     February 2004
+
+
+   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+Acknowledgement
+
+   Funding for the RFC Editor function is currently provided by the
+   Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 25]
+
+
diff --git a/doc/draft/draft-ietf-dnsext-dnssec-online-signing-00.txt b/doc/draft/draft-ietf-dnsext-dnssec-online-signing-00.txt
deleted file mode 100644
index f7abddc4..00000000
--- a/doc/draft/draft-ietf-dnsext-dnssec-online-signing-00.txt
+++ /dev/null
@@ -1,560 +0,0 @@
-
-
-
-Network Working Group                                          S. Weiler
-Internet-Draft                                               SPARTA, Inc
-Updates: 4034, 4035 (if approved)                               J. Ihren
-Expires: November 13, 2005                                 Autonomica AB
-                                                            May 12, 2005
-
-
-       Minimally Covering NSEC Records and DNSSEC On-line Signing
-               draft-ietf-dnsext-dnssec-online-signing-00
-
-Status of this Memo
-
-   By submitting this Internet-Draft, each author represents that any
-   applicable patent or other IPR claims of which he or she is aware
-   have been or will be disclosed, and any of which he or she becomes
-   aware will be disclosed, in accordance with Section 6 of BCP 79.
-
-   Internet-Drafts are working documents of the Internet Engineering
-   Task Force (IETF), its areas, and its working groups.  Note that
-   other groups may also distribute working documents as Internet-
-   Drafts.
-
-   Internet-Drafts are draft documents valid for a maximum of six months
-   and may be updated, replaced, or obsoleted by other documents at any
-   time.  It is inappropriate to use Internet-Drafts as reference
-   material or to cite them other than as "work in progress."
-
-   The list of current Internet-Drafts can be accessed at
-   http://www.ietf.org/ietf/1id-abstracts.txt.
-
-   The list of Internet-Draft Shadow Directories can be accessed at
-   http://www.ietf.org/shadow.html.
-
-   This Internet-Draft will expire on November 13, 2005.
-
-Copyright Notice
-
-   Copyright (C) The Internet Society (2005).
-
-Abstract
-
-   This document describes how to construct DNSSEC NSEC resource records
-   that cover a smaller range of names than called for by RFC4034.  By
-   generating and signing these records on demand, authoritative name
-   servers can effectively stop the disclosure of zone contents
-   otherwise made possible by walking the chain of NSEC records in a
-   signed zone.
-
-
-
-
-Weiler & Ihren          Expires November 13, 2005               [Page 1]
-
-Internet-Draft                NSEC Epsilon                      May 2005
-
-
-Changes from weiler-01 to ietf-00
-
-   Inserted RFC numbers for 4033, 4034, and 4035.
-
-   Specified contents of bitmap field in synthesized NSEC RR's, pointing
-   out that this relaxes a constraint in 4035.  Added 4035 to the
-   Updates header.
-
-Changes from weiler-00 to weiler-01
-
-   Clarified that this updates RFC4034 by relaxing requirements on the
-   next name field.
-
-   Added examples covering wildcard names.
-
-   In the 'better functions' section, reiterated that perfect functions
-   aren't needed.
-
-   Added a reference to RFC 2119.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Weiler & Ihren          Expires November 13, 2005               [Page 2]
-
-Internet-Draft                NSEC Epsilon                      May 2005
-
-
-Table of Contents
-
-   1.   Introduction and Terminology . . . . . . . . . . . . . . . .   4
-   2.   Minimally Covering NSEC Records  . . . . . . . . . . . . . .   4
-   3.   Better Increment & Decrement Functions . . . . . . . . . . .   6
-   4.   IANA Considerations  . . . . . . . . . . . . . . . . . . . .   7
-   5.   Security Considerations  . . . . . . . . . . . . . . . . . .   7
-   6.   Normative References . . . . . . . . . . . . . . . . . . . .   8
-        Authors' Addresses . . . . . . . . . . . . . . . . . . . . .   8
-   A.   Acknowledgments  . . . . . . . . . . . . . . . . . . . . . .   8
-        Intellectual Property and Copyright Statements . . . . . . .  10
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Weiler & Ihren          Expires November 13, 2005               [Page 3]
-
-Internet-Draft                NSEC Epsilon                      May 2005
-
-
-1.  Introduction and Terminology
-
-   With DNSSEC [1], an NSEC record lists the next instantiated name in
-   its zone, proving that no names exist in the "span" between the
-   NSEC's owner name and the name in the "next name" field.  In this
-   document, an NSEC record is said to "cover" the names between its
-   owner name and next name.
-
-   Through repeated queries that return NSEC records, it is possible to
-   retrieve all of the names in the zone, a process commonly called
-   "walking" the zone.  Some zone owners have policies forbidding zone
-   transfers by arbitrary clients; this side-effect of the NSEC
-   architecture subverts those policies.
-
-   This document presents a way to prevent zone walking by constructing
-   NSEC records that cover fewer names.  These records can make zone
-   walking take approximately as many queries as simply asking for all
-   possible names in a zone, making zone walking impractical.  Some of
-   these records must be created and signed on demand, which requires
-   on-line private keys.  Anyone contemplating use of this technique is
-   strongly encouraged to review the discussion of the risks of on-line
-   signing in Section 5.
-
-   The technique presented here may be useful to a zone owner that wants
-   to use DNSSEC, is concerned about exposure of its zone contents via
-   zone walking, and is willing to bear the costs of on-line signing.
-
-   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
-   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
-   document are to be interpreted as described in RFC 2119 [4].
-
-2.  Minimally Covering NSEC Records
-
-   This mechanism involves changes to NSEC records for instantiated
-   names, which can still be generated and signed in advance, as well as
-   the on-demand generation and signing of new NSEC records whenever a
-   name must be proven not to exist.
-
-   In the 'next name' field of instantiated names' NSEC records, rather
-   than list the next instantiated name in the zone, list any name that
-   falls lexically after the NSEC's owner name and before the next
-   instantiated name in the zone, according to the ordering function in
-   RFC4034 [2] section 6.2.  This relaxes the requirement in section
-   4.1.1 of RFC4034 that the 'next name' field contains the next owner
-   name in the zone.  This change is expected to be fully compatible
-   with all existing DNSSEC validators.  These NSEC records are returned
-   whenever proving something specifically about the owner name (e.g.
-   that no resource records of a given type appear at that name).
-
-
-
-Weiler & Ihren          Expires November 13, 2005               [Page 4]
-
-Internet-Draft                NSEC Epsilon                      May 2005
-
-
-   Whenever an NSEC record is needed to prove the non-existence of a
-   name, a new NSEC record is dynamically produced and signed.  The new
-   NSEC record has an owner name lexically before the QNAME but
-   lexically following any existing name and a 'next name' lexically
-   following the QNAME but before any existing name.
-
-   The generated NSEC record's type bitmap SHOULD have the RRSIG and
-   NSEC bits set and SHOULD NOT have any other bits set.  This relaxes
-   the requirement in Section 2.3 of RFC4035 that NSEC RRs not appear at
-   names that did not exist before the zone wsa signed.
-
-   The functions to generate the lexically following and proceeding
-   names need not be perfect nor consistent, but the generated NSEC
-   records must not cover any existing names.  Furthermore, this
-   technique works best when the generated NSEC records cover as few
-   names as possible.
-
-   An NSEC record denying the existence of a wildcard may be generated
-   in the same way.  Since the NSEC record covering a non-existent
-   wildcard is likely to be used in response to many queries,
-   authoritative name servers using the techniques described here may
-   want to pregenerate or cache that record and its corresponding RRSIG.
-
-   For example, a query for an A record at the non-instantiated name
-   example.com might produce the following two NSEC records, the first
-   denying the existence of the name example.com and the second denying
-   the existence of a wildcard:
-
-             exampld.com 3600 IN NSEC example-.com ( RRSIG NSEC )
-
-             ).com 3600 IN NSEC +.com ( RRSIG NSEC )
-
-   Before answering a query with these records, an authoritative server
-   must test for the existence of names between these endpoints.  If the
-   generated NSEC would cover existing names (e.g. exampldd.com or
-   *bizarre.example.com), a better increment or decrement function may
-   be used or the covered name closest to the QNAME could be used as the
-   NSEC owner name or next name, as appropriate.  If an existing name is
-   used as the NSEC owner name, that name's real NSEC record MUST be
-   returned.  Using the same example, assuming an exampldd.com
-   delegation exists, this record might be returned from the parent:
-
-             exampldd.com 3600 IN NSEC example-.com ( NS DS RRSIG NSEC )
-
-   Like every authoritative record in the zone, each generated NSEC
-   record MUST have corresponding RRSIGs generated using each algorithm
-   (but not necessarily each DNSKEY) in the zone's DNSKEY RRset, as
-   described in RFC4035 [3] section 2.2.  To minimize the number of
-
-
-
-Weiler & Ihren          Expires November 13, 2005               [Page 5]
-
-Internet-Draft                NSEC Epsilon                      May 2005
-
-
-   signatures that must be generated, a zone may wish to limit the
-   number of algorithms in its DNSKEY RRset.
-
-3.  Better Increment & Decrement Functions
-
-   Section 6.2 of RFC4034 defines a strict ordering of DNS names.
-   Working backwards from that definition, it should be possible to
-   define increment and decrement functions that generate the
-   immediately following and preceding names, respectively.  This
-   document does not define such functions.  Instead, this section
-   presents functions that come reasonably close to the perfect ones.
-   As described above, an authoritative server should still ensure than
-   no generated NSEC covers any existing name.
-
-   To increment a name, add a leading label with a single null (zero-
-   value) octet.
-
-   To decrement a name, decrement the last character of the leftmost
-   label, then fill that label to a length of 63 octets with octets of
-   value 255.  To decrement a null (zero-value) octet, remove the octet
-   -- if an empty label is left, remove the label.  Defining this
-   function numerically: fill the left-most label to its maximum length
-   with zeros (numeric, not ASCII zeros) and subtract one.
-
-   In response to a query for the non-existent name foo.example.com,
-   these functions produce NSEC records of:
-
-     fon\255\255\255\255\255\255\255\255\255\255\255\255\255\255
-     \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
-     \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
-     \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
-     \255.example.com 3600 IN NSEC \000.foo.example.com ( NSEC RRSIG )
-
-     )\255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
-     \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
-     \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
-     \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
-     \255\255.example.com 3600 IN NSEC \000.*.example.com ( NSEC RRSIG )
-
-   The first of these NSEC RRs proves that no exact match for
-   foo.example.com exists, and the second proves that there is no
-   wildcard in example.com.
-
-   Both of these functions are imperfect: they don't take into account
-   constraints on number of labels in a name nor total length of a name.
-   As noted in the previous section, though, this technique does not
-   depend on the use of perfect increment or decrement functions: it is
-   sufficient to test whether any instantiated names fall into the span
-
-
-
-Weiler & Ihren          Expires November 13, 2005               [Page 6]
-
-Internet-Draft                NSEC Epsilon                      May 2005
-
-
-   covered by the generated NSEC and, if so, substitute those
-   instantiated owner names for the NSEC owner name or next name, as
-   appropriate.
-
-4.  IANA Considerations
-
-   Per RFC4041, IANA should think carefully about the protection of
-   their immortal souls.
-
-5.  Security Considerations
-
-   This approach requires on-demand generation of RRSIG records.  This
-   creates several new vulnerabilities.
-
-   First, on-demand signing requires that a zone's authoritative servers
-   have access to its private keys.  Storing private keys on well-known
-   internet-accessible servers may make them more vulnerable to
-   unintended disclosure.
-
-   Second, since generation of public key signatures tends to be
-   computationally demanding, the requirement for on-demand signing
-   makes authoritative servers vulnerable to a denial of service attack.
-
-   Lastly, if the increment and decrement functions are predictable, on-
-   demand signing may enable a chosen-plaintext attack on a zone's
-   private keys.  Zones using this approach should attempt to use
-   cryptographic algorithms that are resistant to chosen-plaintext
-   attacks.  It's worth noting that while DNSSEC has a "mandatory to
-   implement" algorithm, that is a requirement on resolvers and
-   validators -- there is no requirement that a zone be signed with any
-   given algorithm.
-
-   The success of using minimally covering NSEC record to prevent zone
-   walking depends greatly on the quality of the increment and decrement
-   functions chosen.  An increment function that chooses a name
-   obviously derived from the next instantiated name may be easily
-   reverse engineered, destroying the value of this technique.  An
-   increment function that always returns a name close to the next
-   instantiated name is likewise a poor choice.  Good choices of
-   increment and decrement functions are the ones that produce the
-   immediately following and preceding names, respectively, though zone
-   administrators may wish to use less perfect functions that return
-   more human-friendly names than the functions described in Section 3
-   above.
-
-   Another obvious but misguided concern is the danger from synthesized
-   NSEC records being replayed.  It's possible for an attacker to replay
-   an old but still validly signed NSEC record after a new name has been
-
-
-
-Weiler & Ihren          Expires November 13, 2005               [Page 7]
-
-Internet-Draft                NSEC Epsilon                      May 2005
-
-
-   added in the span covered by that NSEC, incorrectly proving that
-   there is no record at that name.  This danger exists with DNSSEC as
-   defined in [-bis].  The techniques described here actually decrease
-   the danger, since the span covered by any NSEC record is smaller than
-   before.  Choosing better increment and decrement functions will
-   further reduce this danger.
-
-6.  Normative References
-
-   [1]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
-        "DNS Security Introduction and Requirements", RFC 4033,
-        March 2005.
-
-   [2]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
-        "Resource Records for the DNS Security Extensions", RFC 4034,
-        March 2005.
-
-   [3]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
-        "Protocol Modifications for the DNS Security Extensions",
-        RFC 4035, March 2005.
-
-   [4]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
-        Levels", BCP 14, RFC 2119, March 1997.
-
-
-Authors' Addresses
-
-   Samuel Weiler
-   SPARTA, Inc
-   7075 Samuel Morse Drive
-   Columbia, Maryland  21046
-   US
-
-   Email: weiler@tislabs.com
-
-
-   Johan Ihren
-   Autonomica AB
-   Bellmansgatan 30
-   Stockholm  SE-118 47
-   Sweden
-
-   Email: johani@autonomica.se
-
-Appendix A.  Acknowledgments
-
-   Many individuals contributed to this design.  They include, in
-   addition to the authors of this document, Olaf Kolkman, Ed Lewis,
-
-
-
-Weiler & Ihren          Expires November 13, 2005               [Page 8]
-
-Internet-Draft                NSEC Epsilon                      May 2005
-
-
-   Peter Koch, Matt Larson, David Blacka, Suzanne Woolf, Jaap Akkerhuis,
-   Jakob Schlyter, Bill Manning, and Joao Damas.
-
-   The key innovation of this document, namely that perfect increment
-   and decrement functions are not necessary, arose during a discussion
-   among the above-listed people at the RIPE49 meeting in September
-   2004.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Weiler & Ihren          Expires November 13, 2005               [Page 9]
-
-Internet-Draft                NSEC Epsilon                      May 2005
-
-
-Intellectual Property Statement
-
-   The IETF takes no position regarding the validity or scope of any
-   Intellectual Property Rights or other rights that might be claimed to
-   pertain to the implementation or use of the technology described in
-   this document or the extent to which any license under such rights
-   might or might not be available; nor does it represent that it has
-   made any independent effort to identify any such rights.  Information
-   on the procedures with respect to rights in RFC documents can be
-   found in BCP 78 and BCP 79.
-
-   Copies of IPR disclosures made to the IETF Secretariat and any
-   assurances of licenses to be made available, or the result of an
-   attempt made to obtain a general license or permission for the use of
-   such proprietary rights by implementers or users of this
-   specification can be obtained from the IETF on-line IPR repository at
-   http://www.ietf.org/ipr.
-
-   The IETF invites any interested party to bring to its attention any
-   copyrights, patents or patent applications, or other proprietary
-   rights that may cover technology that may be required to implement
-   this standard.  Please address the information to the IETF at
-   ietf-ipr@ietf.org.
-
-
-Disclaimer of Validity
-
-   This document and the information contained herein are provided on an
-   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
-   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
-   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
-   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
-   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Copyright Statement
-
-   Copyright (C) The Internet Society (2005).  This document is subject
-   to the rights, licenses and restrictions contained in BCP 78, and
-   except as set forth therein, the authors retain all their rights.
-
-
-Acknowledgment
-
-   Funding for the RFC Editor function is currently provided by the
-   Internet Society.
-
-
-
-
-Weiler & Ihren          Expires November 13, 2005              [Page 10]
-
diff --git a/doc/draft/draft-ietf-dnsext-dnssec-opt-in-07.txt b/doc/draft/draft-ietf-dnsext-dnssec-opt-in-07.txt
deleted file mode 100644
index 17e28e82..00000000
--- a/doc/draft/draft-ietf-dnsext-dnssec-opt-in-07.txt
+++ /dev/null
@@ -1,896 +0,0 @@
-
-
-
-DNSEXT                                                         R. Arends
-Internet-Draft                                      Telematica Instituut
-Expires: January 19, 2006                                     M. Kosters
-                                                               D. Blacka
-                                                          Verisign, Inc.
-                                                           July 18, 2005
-
-
-                             DNSSEC Opt-In
-                   draft-ietf-dnsext-dnssec-opt-in-07
-
-Status of this Memo
-
-   By submitting this Internet-Draft, each author represents that any
-   applicable patent or other IPR claims of which he or she is aware
-   have been or will be disclosed, and any of which he or she becomes
-   aware will be disclosed, in accordance with Section 6 of BCP 79.
-
-   Internet-Drafts are working documents of the Internet Engineering
-   Task Force (IETF), its areas, and its working groups.  Note that
-   other groups may also distribute working documents as Internet-
-   Drafts.
-
-   Internet-Drafts are draft documents valid for a maximum of six months
-   and may be updated, replaced, or obsoleted by other documents at any
-   time.  It is inappropriate to use Internet-Drafts as reference
-   material or to cite them other than as "work in progress."
-
-   The list of current Internet-Drafts can be accessed at
-   http://www.ietf.org/ietf/1id-abstracts.txt.
-
-   The list of Internet-Draft Shadow Directories can be accessed at
-   http://www.ietf.org/shadow.html.
-
-   This Internet-Draft will expire on January 19, 2006.
-
-Copyright Notice
-
-   Copyright (C) The Internet Society (2005).
-
-Abstract
-
-   In the DNS security extensions (DNSSEC, defined in RFC 4033 [3], RFC
-   4034 [4], and RFC 4035 [5]), delegations to unsigned subzones are
-   cryptographically secured.  Maintaining this cryptography is not
-   practical or necessary.  This document describes an experimental
-   "Opt-In" model that allows administrators to omit this cryptography
-   and manage the cost of adopting DNSSEC with large zones.
-
-
-
-Arends, et al.          Expires January 19, 2006                [Page 1]
-
-Internet-Draft                DNSSEC Opt-In                    July 2005
-
-
-Table of Contents
-
-   1.  Definitions and Terminology  . . . . . . . . . . . . . . . . .  3
-   2.  Overview . . . . . . . . . . . . . . . . . . . . . . . . . . .  3
-   3.  Experimental Status  . . . . . . . . . . . . . . . . . . . . .  4
-   4.  Protocol Additions . . . . . . . . . . . . . . . . . . . . . .  4
-     4.1   Server Considerations  . . . . . . . . . . . . . . . . . .  5
-       4.1.1   Delegations Only . . . . . . . . . . . . . . . . . . .  5
-       4.1.2   Insecure Delegation Responses  . . . . . . . . . . . .  6
-       4.1.3   Wildcards and Opt-In . . . . . . . . . . . . . . . . .  6
-       4.1.4   Dynamic Update . . . . . . . . . . . . . . . . . . . .  7
-     4.2   Client Considerations  . . . . . . . . . . . . . . . . . .  7
-       4.2.1   Delegations Only . . . . . . . . . . . . . . . . . . .  7
-       4.2.2   Validation Process Changes . . . . . . . . . . . . . .  7
-       4.2.3   NSEC Record Caching  . . . . . . . . . . . . . . . . .  8
-       4.2.4   Use of the AD bit  . . . . . . . . . . . . . . . . . .  8
-   5.  Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . .  8
-   6.  Example  . . . . . . . . . . . . . . . . . . . . . . . . . . .  9
-   7.  Transition Issues  . . . . . . . . . . . . . . . . . . . . . . 10
-   8.  Security Considerations  . . . . . . . . . . . . . . . . . . . 11
-   9.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 12
-   10.   Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . 12
-   11.   References . . . . . . . . . . . . . . . . . . . . . . . . . 13
-     11.1  Normative References . . . . . . . . . . . . . . . . . . . 13
-     11.2  Informative References . . . . . . . . . . . . . . . . . . 13
-       Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 14
-   A.  Implementing Opt-In using "Views"  . . . . . . . . . . . . . . 14
-       Intellectual Property and Copyright Statements . . . . . . . . 16
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Arends, et al.          Expires January 19, 2006                [Page 2]
-
-Internet-Draft                DNSSEC Opt-In                    July 2005
-
-
-1.  Definitions and Terminology
-
-   Throughout this document, familiarity with the DNS system (RFC 1035
-   [1]), DNS security extensions ([3], [4], and [5], referred to in this
-   document as "standard DNSSEC"), and DNSSEC terminology (RFC 3090
-   [10]) is assumed.
-
-   The following abbreviations and terms are used in this document:
-
-   RR: is used to refer to a DNS resource record.
-   RRset: refers to a Resource Record Set, as defined by [8].  In this
-      document, the RRset is also defined to include the covering RRSIG
-      records, if any exist.
-   signed name: refers to a DNS name that has, at minimum, a (signed)
-      NSEC record.
-   unsigned name: refers to a DNS name that does not (at least) have a
-      NSEC record.
-   covering NSEC record/RRset: is the NSEC record used to prove
-      (non)existence of a particular name or RRset.  This means that for
-      a RRset or name 'N', the covering NSEC record has the name 'N', or
-      has an owner name less than 'N' and "next" name greater than 'N'.
-   delegation: refers to a NS RRset with a name different from the
-      current zone apex (non-zone-apex), signifying a delegation to a
-      subzone.
-   secure delegation: refers to a signed name containing a delegation
-      (NS RRset), and a signed DS RRset, signifying a delegation to a
-      signed subzone.
-   insecure delegation: refers to a signed name containing a delegation
-      (NS RRset), but lacking a DS RRset, signifying a delegation to an
-      unsigned subzone.
-   Opt-In insecure delegation: refers to an unsigned name containing
-      only a delegation NS RRset.  The covering NSEC record uses the
-      Opt-In methodology described in this document.
-
-   The key words "MUST, "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
-   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY, and "OPTIONAL" in this
-   document are to be interpreted as described in RFC 2119 [7].
-
-2.  Overview
-
-   The cost to cryptographically secure delegations to unsigned zones is
-   high for large delegation-centric zones and zones where insecure
-   delegations will be updated rapidly.  For these zones, the costs of
-   maintaining the NSEC record chain may be extremely high relative to
-   the gain of cryptographically authenticating existence of unsecured
-   zones.
-
-   This document describes an experimental method of eliminating the
-
-
-
-Arends, et al.          Expires January 19, 2006                [Page 3]
-
-Internet-Draft                DNSSEC Opt-In                    July 2005
-
-
-   superfluous cryptography present in secure delegations to unsigned
-   zones.  Using "Opt-In", a zone administrator can choose to remove
-   insecure delegations from the NSEC chain.  This is accomplished by
-   extending the semantics of the NSEC record by using a redundant bit
-   in the type map.
-
-3.  Experimental Status
-
-   This document describes an EXPERIMENTAL extension to DNSSEC.  It
-   interoperates with non-experimental DNSSEC using the technique
-   described in [6].  This experiment is identified with the following
-   private algorithms (using algorithm 253):
-
-   "3.optin.verisignlabs.com": is an alias for DNSSEC algorithm 3, DSA,
-      and
-   "5.optin.verisignlabs.com": is an alias for DNSSEC algorithm 5,
-      RSASHA1.
-
-   Servers wishing to sign and serve zones that utilize Opt-In MUST sign
-   the zone with only one or more of these private algorithms.  This
-   requires the signing tools and servers to support private algorithms,
-   as well as Opt-In.
-
-   Resolvers wishing to validate Opt-In zones MUST only do so when the
-   zone is only signed using one or more of these private algorithms.
-
-   The remainder of this document assumes that the servers and resolvers
-   involved are aware of and are involved in this experiment.
-
-4.  Protocol Additions
-
-   In DNSSEC, delegation NS RRsets are not signed, but are instead
-   accompanied by a NSEC RRset of the same name and (possibly) a DS
-   record.  The security status of the subzone is determined by the
-   presence or absence of the DS RRset, cryptographically proven by the
-   NSEC record.  Opt-In expands this definition by allowing insecure
-   delegations to exist within an otherwise signed zone without the
-   corresponding NSEC record at the delegation's owner name.  These
-   insecure delegations are proven insecure by using a covering NSEC
-   record.
-
-   Since this represents a change of the interpretation of NSEC records,
-   resolvers must be able to distinguish between RFC standard DNSSEC
-   NSEC records and Opt-In NSEC records.  This is accomplished by
-   "tagging" the NSEC records that cover (or potentially cover) insecure
-   delegation nodes.  This tag is indicated by the absence of the NSEC
-   bit in the type map.  Since the NSEC bit in the type map merely
-   indicates the existence of the record itself, this bit is redundant
-
-
-
-Arends, et al.          Expires January 19, 2006                [Page 4]
-
-Internet-Draft                DNSSEC Opt-In                    July 2005
-
-
-   and safe for use as a tag.
-
-   An Opt-In tagged NSEC record does not assert the (non)existence of
-   the delegations that it covers (except for a delegation with the same
-   name).  This allows for the addition or removal of these delegations
-   without recalculating or resigning records in the NSEC chain.
-   However, Opt-In tagged NSEC records do assert the (non)existence of
-   other RRsets.
-
-   An Opt-In NSEC record MAY have the same name as an insecure
-   delegation.  In this case, the delegation is proven insecure by the
-   lack of a DS bit in type map and the signed NSEC record does assert
-   the existence of the delegation.
-
-   Zones using Opt-In MAY contain a mixture of Opt-In tagged NSEC
-   records and standard DNSSEC NSEC records.  If a NSEC record is not
-   Opt-In, there MUST NOT be any insecure delegations (or any other
-   records) between it and the RRsets indicated by the 'next domain
-   name' in the NSEC RDATA.  If it is Opt-In, there MUST only be
-   insecure delegations between it and the next node indicated by the
-   'next domain name' in the NSEC RDATA.
-
-   In summary,
-
-   o  An Opt-In NSEC type is identified by a zero-valued (or not-
-      specified) NSEC bit in the type bit map of the NSEC record.
-   o  A RFC2535bis NSEC type is identified by a one-valued NSEC bit in
-      the type bit map of the NSEC record.
-
-   and,
-
-   o  An Opt-In NSEC record does not assert the non-existence of a name
-      between its owner name and "next" name, although it does assert
-      that any name in this span MUST be an insecure delegation.
-   o  An Opt-In NSEC record does assert the (non)existence of RRsets
-      with the same owner name.
-
-4.1  Server Considerations
-
-   Opt-In imposes some new requirements on authoritative DNS servers.
-
-4.1.1  Delegations Only
-
-   This specification dictates that only insecure delegations may exist
-   between the owner and "next" names of an Opt-In tagged NSEC record.
-   Signing tools SHOULD NOT generate signed zones that violate this
-   restriction.  Servers SHOULD refuse to load and/or serve zones that
-   violate this restriction.  Servers also SHOULD reject AXFR or IXFR
-
-
-
-Arends, et al.          Expires January 19, 2006                [Page 5]
-
-Internet-Draft                DNSSEC Opt-In                    July 2005
-
-
-   responses that violate this restriction.
-
-4.1.2  Insecure Delegation Responses
-
-   When returning an Opt-In insecure delegation, the server MUST return
-   the covering NSEC RRset in the Authority section.
-
-   In standard DNSSEC, NSEC records already must be returned along with
-   the insecure delegation.  The primary difference that this proposal
-   introduces is that the Opt-In tagged NSEC record will have a
-   different owner name from the delegation RRset.  This may require
-   implementations to search for the covering NSEC RRset.
-
-4.1.3  Wildcards and Opt-In
-
-   Standard DNSSEC describes the practice of returning NSEC records to
-   prove the non-existence of an applicable wildcard in non-existent
-   name responses.  This NSEC record can be described as a "negative
-   wildcard proof".  The use of Opt-In NSEC records changes the
-   necessity for this practice.  For non-existent name responses when
-   the query name (qname) is covered by an Opt-In tagged NSEC record,
-   servers MAY choose to omit the wildcard proof record, and clients
-   MUST NOT treat the absence of this NSEC record as a validation error.
-
-   The intent of the standard DNSSEC negative wildcard proof requirement
-   is to prevent malicious users from undetectably removing valid
-   wildcard responses.  In order for this cryptographic proof to work,
-   the resolver must be able to prove:
-
-   1.  The exact qname does not exist.  This is done by the "normal"
-       NSEC record.
-   2.  No applicable wildcard exists.  This is done by returning a NSEC
-       record proving that the wildcard does not exist (this is the
-       negative wildcard proof).
-
-   However, if the NSEC record covering the exact qname is an Opt-In
-   NSEC record, the resolver will not be able to prove the first part of
-   this equation, as the qname might exist as an insecure delegation.
-   Thus, since the total proof cannot be completed, the negative
-   wildcard proof NSEC record is not useful.
-
-   The negative wildcard proof is also not useful when returned as part
-   of an Opt-In insecure delegation response for a similar reason: the
-   resolver cannot prove that the qname does or does not exist, and
-   therefore cannot prove that a wildcard expansion is valid.
-
-   The presence of an Opt-In tagged NSEC record does not change the
-   practice of returning a NSEC along with a wildcard expansion.  Even
-
-
-
-Arends, et al.          Expires January 19, 2006                [Page 6]
-
-Internet-Draft                DNSSEC Opt-In                    July 2005
-
-
-   though the Opt-In NSEC will not be able to prove that the wildcard
-   expansion is valid, it will prove that the wildcard expansion is not
-   masking any signed records.
-
-4.1.4  Dynamic Update
-
-   Opt-In changes the semantics of Secure DNS Dynamic Update [9].  In
-   particular, it introduces the need for rules that describe when to
-   add or remove a delegation name from the NSEC chain.  This document
-   does not attempt to define these rules.  Until these rules are
-   defined, servers MUST NOT process DNS Dynamic Update requests against
-   zones that use Opt-In NSEC records.  Servers SHOULD return responses
-   to update requests with RCODE=REFUSED.
-
-4.2  Client Considerations
-
-   Opt-In imposes some new requirements on security-aware resolvers
-   (caching or otherwise).
-
-4.2.1  Delegations Only
-
-   As stated in the "Server Considerations" section above, this
-   specification restricts the namespace covered by Opt-In tagged NSEC
-   records to insecure delegations only.  Thus, resolvers MUST reject as
-   invalid any records that fall within an Opt-In NSEC record's span
-   that are not NS records or corresponding glue records.
-
-4.2.2  Validation Process Changes
-
-   This specification does not change the resolver's resolution
-   algorithm.  However, it does change the DNSSEC validation process.
-   Resolvers MUST be able to use Opt-In tagged NSEC records to
-   cryptographically prove the validity and security status (as
-   insecure) of a referral.  Resolvers determine the security status of
-   the referred-to zone as follows:
-
-   o  In standard DNSSEC, the security status is proven by the existence
-      or absence of a DS RRset at the same name as the delegation.  The
-      existence of the DS RRset indicates that the referred-to zone is
-      signed.  The absence of the DS RRset is proven using a verified
-      NSEC record of the same name that does not have the DS bit set in
-      the type map.  This NSEC record MAY also be tagged as Opt-In.
-   o  Using Opt-In, the security status is proven by the existence of a
-      DS record (for signed) or the presence of a verified Opt-In tagged
-      NSEC record that covers the delegation name.  That is, the NSEC
-      record does not have the NSEC bit set in the type map, and the
-      delegation name falls between the NSEC's owner and "next" name.
-
-
-
-
-Arends, et al.          Expires January 19, 2006                [Page 7]
-
-Internet-Draft                DNSSEC Opt-In                    July 2005
-
-
-   Using Opt-In does not substantially change the nature of following
-   referrals within DNSSEC.  At every delegation point, the resolver
-   will have cryptographic proof that the referred-to subzone is signed
-   or unsigned.
-
-   When receiving either an Opt-In insecure delegation response or a
-   non-existent name response where that name is covered by an Opt-In
-   tagged NSEC record, the resolver MUST NOT require proof (in the form
-   of a NSEC record) that a wildcard did not exist.
-
-4.2.3  NSEC Record Caching
-
-   Caching resolvers MUST be able to retrieve the appropriate covering
-   Opt-In NSEC record when returning referrals that need them.  This
-   requirement differs from standard DNSSEC in that the covering NSEC
-   will not have the same owner name as the delegation.  Some
-   implementations may have to use new methods for finding these NSEC
-   records.
-
-4.2.4  Use of the AD bit
-
-   The AD bit, as defined by [2] and [5], MUST NOT be set when:
-
-   o  sending a Name Error (RCODE=3) response where the covering NSEC is
-      tagged as Opt-In.
-   o  sending an Opt-In insecure delegation response, unless the
-      covering (Opt-In) NSEC record's owner name equals the delegation
-      name.
-
-   This rule is based on what the Opt-In NSEC record actually proves:
-   for names that exist between the Opt-In NSEC record's owner and
-   "next" names, the Opt-In NSEC record cannot prove the non-existence
-   or existence of the name.  As such, not all data in the response has
-   been cryptographically verified, so the AD bit cannot be set.
-
-5.  Benefits
-
-   Using Opt-In allows administrators of large and/or changing
-   delegation-centric zones to minimize the overhead involved in
-   maintaining the security of the zone.
-
-   Opt-In accomplishes this by eliminating the need for NSEC records for
-   insecure delegations.  This, in a zone with a large number of
-   delegations to unsigned subzones, can lead to substantial space
-   savings (both in memory and on disk).  Additionally, Opt-In allows
-   for the addition or removal of insecure delegations without modifying
-   the NSEC record chain.  Zones that are frequently updating insecure
-   delegations (e.g., TLDs) can avoid the substantial overhead of
-
-
-
-Arends, et al.          Expires January 19, 2006                [Page 8]
-
-Internet-Draft                DNSSEC Opt-In                    July 2005
-
-
-   modifying and resigning the affected NSEC records.
-
-6.  Example
-
-   Consider the zone EXAMPLE, shown below.  This is a zone where all of
-   the NSEC records are tagged as Opt-In.
-
-   Example A: Fully Opt-In Zone.
-
-         EXAMPLE.               SOA    ...
-         EXAMPLE.               RRSIG  SOA ...
-         EXAMPLE.               NS     FIRST-SECURE.EXAMPLE.
-         EXAMPLE.               RRSIG  NS ...
-         EXAMPLE.               DNSKEY ...
-         EXAMPLE.               RRSIG  DNSKEY ...
-         EXAMPLE.               NSEC   FIRST-SECURE.EXAMPLE. (
-                                       SOA NS RRSIG DNSKEY )
-         EXAMPLE.               RRSIG  NSEC ...
-
-         FIRST-SECURE.EXAMPLE.  A      ...
-         FIRST-SECURE.EXAMPLE.  RRSIG  A ...
-         FIRST-SECURE.EXAMPLE.  NSEC   NOT-SECURE-2.EXAMPLE. A RRSIG
-         FIRST-SECURE.EXAMPLE.  RRSIG  NSEC ...
-
-         NOT-SECURE.EXAMPLE.    NS     NS.NOT-SECURE.EXAMPLE.
-         NS.NOT-SECURE.EXAMPLE. A      ...
-
-         NOT-SECURE-2.EXAMPLE.  NS     NS.NOT-SECURE.EXAMPLE.
-         NOT-SECURE-2.EXAMPLE   NSEC   SECOND-SECURE.EXAMPLE NS RRSIG
-         NOT-SECURE-2.EXAMPLE   RRSIG  NSEC ...
-
-         SECOND-SECURE.EXAMPLE. NS     NS.ELSEWHERE.
-         SECOND-SECURE.EXAMPLE. DS     ...
-         SECOND-SECURE.EXAMPLE. RRSIG  DS ...
-         SECOND-SECURE.EXAMPLE. NSEC   EXAMPLE. NS RRSIG DNSKEY
-         SECOND-SECURE.EXAMPLE. RRSIG  NSEC ...
-
-         UNSIGNED.EXAMPLE.      NS     NS.UNSIGNED.EXAMPLE.
-         NS.UNSIGNED.EXAMPLE.   A      ...
-
-
-   In this example, a query for a signed RRset (e.g., "FIRST-
-   SECURE.EXAMPLE A"), or a secure delegation ("WWW.SECOND-
-   SECURE.EXAMPLE A") will result in a standard DNSSEC response.
-
-   A query for a nonexistent RRset will result in a response that
-   differs from standard DNSSEC by: the NSEC record will be tagged as
-   Opt-In, there may be no NSEC record proving the non-existence of a
-
-
-
-Arends, et al.          Expires January 19, 2006                [Page 9]
-
-Internet-Draft                DNSSEC Opt-In                    July 2005
-
-
-   matching wildcard record, and the AD bit will not be set.
-
-   A query for an insecure delegation RRset (or a referral) will return
-   both the answer (in the Authority section) and the corresponding
-   Opt-In NSEC record to prove that it is not secure.
-
-   Example A.1: Response to query for WWW.UNSIGNED.EXAMPLE.  A
-
-
-         RCODE=NOERROR, AD=0
-
-         Answer Section:
-
-         Authority Section:
-         UNSIGNED.EXAMPLE.      NS     NS.UNSIGNED.EXAMPLE
-         SECOND-SECURE.EXAMPLE. NSEC   EXAMPLE. NS RRSIG DS
-         SECOND-SECURE.EXAMPLE. RRSIG  NSEC ...
-
-         Additional Section:
-         NS.UNSIGNED.EXAMPLE.   A      ...
-
-   In the Example A.1 zone, the EXAMPLE. node MAY use either style of
-   NSEC record, because there are no insecure delegations that occur
-   between it and the next node, FIRST-SECURE.EXAMPLE.  In other words,
-   Example A would still be a valid zone if the NSEC record for EXAMPLE.
-   was changed to the following RR:
-
-         EXAMPLE.               NSEC   FIRST-SECURE.EXAMPLE. (SOA NS
-                                       RRSIG DNSKEY NSEC )
-
-   However, the other NSEC records (FIRST-SECURE.EXAMPLE. and SECOND-
-   SECURE.EXAMPLE.)  MUST be tagged as Opt-In because there are insecure
-   delegations in the range they define.  (NOT-SECURE.EXAMPLE. and
-   UNSIGNED.EXAMPLE., respectively).
-
-   NOT-SECURE-2.EXAMPLE. is an example of an insecure delegation that is
-   part of the NSEC chain and also covered by an Opt-In tagged NSEC
-   record.  Because NOT-SECURE-2.EXAMPLE. is a signed name, it cannot be
-   removed from the zone without modifying and resigning the prior NSEC
-   record.  Delegations with names that fall between NOT-SECURE-
-   2.EXAMPLE. and SECOND-SECURE.EXAMPLE. may be added or removed without
-   resigning any NSEC records.
-
-7.  Transition Issues
-
-   Opt-In is not backwards compatible with standard DNSSEC and is
-   considered experimental.  Standard DNSSEC compliant implementations
-   would not recognize Opt-In tagged NSEC records as different from
-
-
-
-Arends, et al.          Expires January 19, 2006               [Page 10]
-
-Internet-Draft                DNSSEC Opt-In                    July 2005
-
-
-   standard NSEC records.  Because of this, standard DNSSEC
-   implementations, if they were to validate Opt-In style responses,
-   would reject all Opt-In insecure delegations within a zone as
-   invalid.  However, by only signing with private algorithms, standard
-   DNSSEC implementations will treat Opt-In responses as unsigned.
-
-   It should be noted that all elements in the resolution path between
-   (and including) the validator and the authoritative name server must
-   be aware of the Opt-In experiment and implement the Opt-In semantics
-   for successful validation to be possible.  In particular, this
-   includes any caching middleboxes between the validator and
-   authoritative name server.
-
-8.  Security Considerations
-
-   Opt-In allows for unsigned names, in the form of delegations to
-   unsigned subzones, to exist within an otherwise signed zone.  All
-   unsigned names are, by definition, insecure, and their validity or
-   existence cannot by cryptographically proven.
-
-   In general:
-
-   o  Records with unsigned names (whether existing or not) suffer from
-      the same vulnerabilities as records in an unsigned zone.  These
-      vulnerabilities are described in more detail in [12] (note in
-      particular sections 2.3, "Name Games" and 2.6, "Authenticated
-      Denial").
-   o  Records with signed names have the same security whether or not
-      Opt-In is used.
-
-   Note that with or without Opt-In, an insecure delegation may have its
-   contents undetectably altered by an attacker.  Because of this, the
-   primary difference in security that Opt-In introduces is the loss of
-   the ability to prove the existence or nonexistence of an insecure
-   delegation within the span of an Opt-In NSEC record.
-
-   In particular, this means that a malicious entity may be able to
-   insert or delete records with unsigned names.  These records are
-   normally NS records, but this also includes signed wildcard
-   expansions (while the wildcard record itself is signed, its expanded
-   name is an unsigned name).
-
-   For example, if a resolver received the following response from the
-   example zone above:
-
-
-
-
-
-
-
-Arends, et al.          Expires January 19, 2006               [Page 11]
-
-Internet-Draft                DNSSEC Opt-In                    July 2005
-
-
-   Example S.1: Response to query for WWW.DOES-NOT-EXIST.EXAMPLE.  A
-
-         RCODE=NOERROR
-
-         Answer Section:
-
-         Authority Section:
-         DOES-NOT-EXIST.EXAMPLE. NS     NS.FORGED.
-         EXAMPLE.                NSEC   FIRST-SECURE.EXAMPLE. SOA NS \
-                                        RRSIG DNSKEY
-         EXAMPLE.                RRSIG  NSEC ...
-
-         Additional Section:
-
-
-   The resolver would have no choice but to believe that the referral to
-   NS.FORGED. is valid.  If a wildcard existed that would have been
-   expanded to cover "WWW.DOES-NOT-EXIST.EXAMPLE.", an attacker could
-   have undetectably removed it and replaced it with the forged
-   delegation.
-
-   Note that being able to add a delegation is functionally equivalent
-   to being able to add any record type: an attacker merely has to forge
-   a delegation to nameserver under his/her control and place whatever
-   records needed at the subzone apex.
-
-   While in particular cases, this issue may not present a significant
-   security problem, in general it should not be lightly dismissed.
-   Therefore, it is strongly RECOMMENDED that Opt-In be used sparingly.
-   In particular, zone signing tools SHOULD NOT default to Opt-In, and
-   MAY choose to not support Opt-In at all.
-
-9.  IANA Considerations
-
-   None.
-
-10.  Acknowledgments
-
-   The contributions, suggestions and remarks of the following persons
-   (in alphabetic order) to this draft are acknowledged:
-
-      Mats Dufberg, Miek Gieben, Olafur Gudmundsson, Bob Halley, Olaf
-      Kolkman, Edward Lewis, Ted Lindgreen, Rip Loomis, Bill Manning,
-      Dan Massey, Scott Rose, Mike Schiraldi, Jakob Schlyter, Brian
-      Wellington.
-
-11.  References
-
-
-
-
-Arends, et al.          Expires January 19, 2006               [Page 12]
-
-Internet-Draft                DNSSEC Opt-In                    July 2005
-
-
-11.1  Normative References
-
-   [1]  Mockapetris, P., "Domain names - implementation and
-        specification", STD 13, RFC 1035, November 1987.
-
-   [2]  Wellington, B. and O. Gudmundsson, "Redefinition of DNS
-        Authenticated Data (AD) bit", RFC 3655, November 2003.
-
-   [3]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
-        "DNS Security Introduction and Requirements", RFC 4033,
-        March 2005.
-
-   [4]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
-        "Resource Records for the DNS Security Extensions", RFC 4034,
-        March 2005.
-
-   [5]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
-        "Protocol Modifications for the DNS Security Extensions",
-        RFC 4035, March 2005.
-
-   [6]  Blacka, D., "DNSSEC Experiments",
-        draft-ietf-dnsext-dnssec-experiments-01 (work in progress),
-        July 2005.
-
-11.2  Informative References
-
-   [7]   Bradner, S., "Key words for use in RFCs to Indicate Requirement
-         Levels", BCP 14, RFC 2119, March 1997.
-
-   [8]   Elz, R. and R. Bush, "Clarifications to the DNS Specification",
-         RFC 2181, July 1997.
-
-   [9]   Eastlake, D., "Secure Domain Name System Dynamic Update",
-         RFC 2137, April 1997.
-
-   [10]  Lewis, E., "DNS Security Extension Clarification on Zone
-         Status", RFC 3090, March 2001.
-
-   [11]  Conrad, D., "Indicating Resolver Support of DNSSEC", RFC 3225,
-         December 2001.
-
-   [12]  Atkins, D. and R. Austein, "Threat Analysis of the Domain Name
-         System (DNS)", RFC 3833, August 2004.
-
-
-
-
-
-
-
-
-Arends, et al.          Expires January 19, 2006               [Page 13]
-
-Internet-Draft                DNSSEC Opt-In                    July 2005
-
-
-Authors' Addresses
-
-   Roy Arends
-   Telematica Instituut
-   Drienerlolaan 5
-   7522 NB  Enschede
-   NL
-
-   Email: roy.arends@telin.nl
-
-
-   Mark Kosters
-   Verisign, Inc.
-   21355 Ridgetop Circle
-   Dulles, VA  20166
-   US
-
-   Phone: +1 703 948 3200
-   Email: markk@verisign.com
-   URI:   http://www.verisignlabs.com
-
-
-   David Blacka
-   Verisign, Inc.
-   21355 Ridgetop Circle
-   Dulles, VA  20166
-   US
-
-   Phone: +1 703 948 3200
-   Email: davidb@verisign.com
-   URI:   http://www.verisignlabs.com
-
-Appendix A.  Implementing Opt-In using "Views"
-
-   In many cases, it may be convenient to implement an Opt-In zone by
-   combining two separately maintained "views" of a zone at request
-   time.  In this context, "view" refers to a particular version of a
-   zone, not to any specific DNS implementation feature.
-
-   In this scenario, one view is the secure view, the other is the
-   insecure (or legacy) view.  The secure view consists of an entirely
-   signed zone using Opt-In tagged NSEC records.  The insecure view
-   contains no DNSSEC information.  It is helpful, although not
-   necessary, for the secure view to be a subset (minus DNSSEC records)
-   of the insecure view.
-
-   In addition, the only RRsets that may solely exist in the insecure
-   view are non-zone-apex NS RRsets.  That is, all non-NS RRsets (and
-
-
-
-Arends, et al.          Expires January 19, 2006               [Page 14]
-
-Internet-Draft                DNSSEC Opt-In                    July 2005
-
-
-   the zone apex NS RRset) MUST be signed and in the secure view.
-
-   These two views may be combined at request time to provide a virtual,
-   single Opt-In zone.  The following algorithm is used when responding
-   to each query:
-      V_A is the secure view as described above.
-      V_B is the insecure view as described above.
-      R_A is a response generated from V_A, following RFC 2535bis.
-      R_B is a response generated from V_B, following DNS resolution as
-      per RFC 1035 [1].
-      R_C is the response generated by combining R_A with R_B, as
-      described below.
-      A query is DNSSEC-aware if it either has the DO bit [11] turned
-      on, or is for a DNSSEC-specific record type.
-
-
-
-   1.  If V_A is a subset of V_B and the query is not DNSSEC-aware,
-       generate and return R_B, otherwise
-   2.  Generate R_A.
-   3.  If R_A's RCODE != NXDOMAIN, return R_A, otherwise
-   4.  Generate R_B and combine it with R_A to form R_C:
-          For each section (ANSWER, AUTHORITY, ADDITIONAL), copy the
-          records from R_A into R_B, EXCEPT the AUTHORITY section SOA
-          record, if R_B's RCODE = NOERROR.
-   5.  Return R_C.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Arends, et al.          Expires January 19, 2006               [Page 15]
-
-Internet-Draft                DNSSEC Opt-In                    July 2005
-
-
-Intellectual Property Statement
-
-   The IETF takes no position regarding the validity or scope of any
-   Intellectual Property Rights or other rights that might be claimed to
-   pertain to the implementation or use of the technology described in
-   this document or the extent to which any license under such rights
-   might or might not be available; nor does it represent that it has
-   made any independent effort to identify any such rights.  Information
-   on the procedures with respect to rights in RFC documents can be
-   found in BCP 78 and BCP 79.
-
-   Copies of IPR disclosures made to the IETF Secretariat and any
-   assurances of licenses to be made available, or the result of an
-   attempt made to obtain a general license or permission for the use of
-   such proprietary rights by implementers or users of this
-   specification can be obtained from the IETF on-line IPR repository at
-   http://www.ietf.org/ipr.
-
-   The IETF invites any interested party to bring to its attention any
-   copyrights, patents or patent applications, or other proprietary
-   rights that may cover technology that may be required to implement
-   this standard.  Please address the information to the IETF at
-   ietf-ipr@ietf.org.
-
-
-Disclaimer of Validity
-
-   This document and the information contained herein are provided on an
-   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
-   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
-   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
-   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
-   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Copyright Statement
-
-   Copyright (C) The Internet Society (2005).  This document is subject
-   to the rights, licenses and restrictions contained in BCP 78, and
-   except as set forth therein, the authors retain all their rights.
-
-
-Acknowledgment
-
-   Funding for the RFC Editor function is currently provided by the
-   Internet Society.
-
-
-
-
-Arends, et al.          Expires January 19, 2006               [Page 16]
-
diff --git a/doc/draft/draft-ietf-dnsext-dnssec-protocol-05.txt b/doc/draft/draft-ietf-dnsext-dnssec-protocol-05.txt
new file mode 100644
index 00000000..1a9f8aaf
--- /dev/null
+++ b/doc/draft/draft-ietf-dnsext-dnssec-protocol-05.txt
@@ -0,0 +1,3249 @@
+
+
+DNS Extensions                                                 R. Arends
+Internet-Draft                                      Telematica Instituut
+Expires: August 16, 2004                                       M. Larson
+                                                                VeriSign
+                                                              R. Austein
+                                                                     ISC
+                                                               D. Massey
+                                                                 USC/ISI
+                                                                 S. Rose
+                                                                    NIST
+                                                       February 16, 2004
+
+
+         Protocol Modifications for the DNS Security Extensions
+                  draft-ietf-dnsext-dnssec-protocol-05
+
+Status of this Memo
+
+   This document is an Internet-Draft and is in full conformance with
+   all provisions of Section 10 of RFC2026.
+
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF), its areas, and its working groups. Note that other
+   groups may also distribute working documents as Internet-Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time. It is inappropriate to use Internet-Drafts as reference
+   material or to cite them other than as "work in progress."
+
+   The list of current Internet-Drafts can be accessed at http://
+   www.ietf.org/ietf/1id-abstracts.txt.
+
+   The list of Internet-Draft Shadow Directories can be accessed at
+   http://www.ietf.org/shadow.html.
+
+   This Internet-Draft will expire on August 16, 2004.
+
+Copyright Notice
+
+   Copyright (C) The Internet Society (2004). All Rights Reserved.
+
+Abstract
+
+   This document is part of a family of documents which describe the DNS
+   Security Extensions (DNSSEC).  The DNS Security Extensions are a
+   collection of new resource records and protocol modifications which
+   add data origin authentication and data integrity to the DNS.  This
+   document describes the DNSSEC protocol modifications.  This document
+
+
+
+Arends, et al.          Expires August 16, 2004                 [Page 1]
+
+Internet-Draft       DNSSEC Protocol Modifications         February 2004
+
+
+   defines the concept of a signed zone, along with the requirements for
+   serving and resolving using DNSSEC.  These techniques allow a
+   security-aware resolver to authenticate both DNS resource records and
+   authoritative DNS error indications.
+
+   This document obsoletes RFC 2535 and incorporates changes from all
+   updates to RFC 2535.
+
+Table of Contents
+
+   1.    Introduction . . . . . . . . . . . . . . . . . . . . . . . .  4
+   1.1   Background and Related Documents . . . . . . . . . . . . . .  4
+   1.2   Reserved Words . . . . . . . . . . . . . . . . . . . . . . .  4
+   1.3   Editors' Notes . . . . . . . . . . . . . . . . . . . . . . .  4
+   1.3.1 Open Technical Issues  . . . . . . . . . . . . . . . . . . .  4
+   1.3.2 Technical Changes or Corrections . . . . . . . . . . . . . .  4
+   1.3.3 Typos and Minor Corrections  . . . . . . . . . . . . . . . .  5
+   2.    Zone Signing . . . . . . . . . . . . . . . . . . . . . . . .  6
+   2.1   Including DNSKEY RRs in a Zone . . . . . . . . . . . . . . .  6
+   2.2   Including RRSIG RRs in a Zone  . . . . . . . . . . . . . . .  6
+   2.3   Including NSEC RRs in a Zone . . . . . . . . . . . . . . . .  7
+   2.4   Including DS RRs in a Zone . . . . . . . . . . . . . . . . .  8
+   2.5   Changes to the CNAME Resource Record.  . . . . . . . . . . .  8
+   2.6   Example of a Secure Zone . . . . . . . . . . . . . . . . . .  9
+   3.    Serving  . . . . . . . . . . . . . . . . . . . . . . . . . . 10
+   3.1   Authoritative Name Servers . . . . . . . . . . . . . . . . . 10
+   3.1.1 Including RRSIG RRs in a Response  . . . . . . . . . . . . . 11
+   3.1.2 Including DNSKEY RRs In a Response . . . . . . . . . . . . . 11
+   3.1.3 Including NSEC RRs In a Response . . . . . . . . . . . . . . 12
+   3.1.4 Including DS RRs In a Response . . . . . . . . . . . . . . . 14
+   3.1.5 Responding to Queries for Type AXFR or IXFR  . . . . . . . . 16
+   3.1.6 The AD and CD Bits in an Authoritative Response  . . . . . . 17
+   3.2   Recursive Name Servers . . . . . . . . . . . . . . . . . . . 17
+   3.2.1 The DO bit . . . . . . . . . . . . . . . . . . . . . . . . . 18
+   3.2.2 The CD bit . . . . . . . . . . . . . . . . . . . . . . . . . 18
+   3.2.3 The AD bit . . . . . . . . . . . . . . . . . . . . . . . . . 18
+   3.3   Example DNSSEC Responses . . . . . . . . . . . . . . . . . . 19
+   4.    Resolving  . . . . . . . . . . . . . . . . . . . . . . . . . 20
+   4.1   EDNS Support . . . . . . . . . . . . . . . . . . . . . . . . 20
+   4.2   Signature Verification Support . . . . . . . . . . . . . . . 20
+   4.3   Determining Security Status of Data  . . . . . . . . . . . . 21
+   4.4   Preconfigured Public Keys  . . . . . . . . . . . . . . . . . 22
+   4.5   Response Caching . . . . . . . . . . . . . . . . . . . . . . 22
+   4.6   Handling of the CD and AD bits . . . . . . . . . . . . . . . 22
+   4.7   Rate Limiting  . . . . . . . . . . . . . . . . . . . . . . . 23
+   4.8   Stub resolvers . . . . . . . . . . . . . . . . . . . . . . . 24
+   4.8.1 Handling of the DO Bit . . . . . . . . . . . . . . . . . . . 24
+   4.8.2 Handling of the CD Bit . . . . . . . . . . . . . . . . . . . 24
+
+
+
+Arends, et al.          Expires August 16, 2004                 [Page 2]
+
+Internet-Draft       DNSSEC Protocol Modifications         February 2004
+
+
+   4.8.3 Handling of the AD Bit . . . . . . . . . . . . . . . . . . . 24
+   5.    Authenticating DNS Responses . . . . . . . . . . . . . . . . 26
+   5.1   Special Considerations for Islands of Security . . . . . . . 27
+   5.2   Authenticating Referrals . . . . . . . . . . . . . . . . . . 27
+   5.3   Authenticating an RRset Using an RRSIG RR  . . . . . . . . . 28
+   5.3.1 Checking the RRSIG RR Validity . . . . . . . . . . . . . . . 29
+   5.3.2 Reconstructing the Signed Data . . . . . . . . . . . . . . . 30
+   5.3.3 Checking the Signature . . . . . . . . . . . . . . . . . . . 31
+   5.3.4 Authenticating A Wildcard Expanded RRset Positive
+         Response . . . . . . . . . . . . . . . . . . . . . . . . . . 32
+   5.4   Authenticated Denial of Existence  . . . . . . . . . . . . . 32
+   5.5   Authentication Example . . . . . . . . . . . . . . . . . . . 33
+   6.    IANA Considerations  . . . . . . . . . . . . . . . . . . . . 34
+   7.    Security Considerations  . . . . . . . . . . . . . . . . . . 35
+   8.    Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 36
+         Normative References . . . . . . . . . . . . . . . . . . . . 37
+         Informative References . . . . . . . . . . . . . . . . . . . 38
+         Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 38
+   A.    Signed Zone Example  . . . . . . . . . . . . . . . . . . . . 40
+   B.    Example Responses  . . . . . . . . . . . . . . . . . . . . . 46
+   B.1   Answer . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
+   B.2   Name Error . . . . . . . . . . . . . . . . . . . . . . . . . 47
+   B.3   No Data Error  . . . . . . . . . . . . . . . . . . . . . . . 48
+   B.4   Referral to Signed Zone  . . . . . . . . . . . . . . . . . . 49
+   B.5   Referral to Unsigned Zone  . . . . . . . . . . . . . . . . . 50
+   B.6   Wildcard Expansion . . . . . . . . . . . . . . . . . . . . . 50
+   B.7   Wildcard No Data Error . . . . . . . . . . . . . . . . . . . 51
+   B.8   DS Child Zone No Data Error  . . . . . . . . . . . . . . . . 52
+   C.    Authentication Examples  . . . . . . . . . . . . . . . . . . 54
+   C.1   Authenticating An Answer . . . . . . . . . . . . . . . . . . 54
+   C.1.1 Authenticating the example DNSKEY RR . . . . . . . . . . . . 54
+   C.2   Name Error . . . . . . . . . . . . . . . . . . . . . . . . . 55
+   C.3   No Data Error  . . . . . . . . . . . . . . . . . . . . . . . 55
+   C.4   Referral to Signed Zone  . . . . . . . . . . . . . . . . . . 55
+   C.5   Referral to Unsigned Zone  . . . . . . . . . . . . . . . . . 55
+   C.6   Wildcard Expansion . . . . . . . . . . . . . . . . . . . . . 56
+   C.7   Wildcard No Data Error . . . . . . . . . . . . . . . . . . . 56
+   C.8   DS Child Zone No Data Error  . . . . . . . . . . . . . . . . 56
+         Intellectual Property and Copyright Statements . . . . . . . 57
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al.          Expires August 16, 2004                 [Page 3]
+
+Internet-Draft       DNSSEC Protocol Modifications         February 2004
+
+
+1. Introduction
+
+   The DNS Security Extensions (DNSSEC) are a collection of new resource
+   records and protocol modifications which add data origin
+   authentication and data integrity to the DNS. This document defines
+   the DNSSEC protocol modifications. Section 2 of this document defines
+   the concept of a signed zone and lists the requirements for zone
+   signing. Section 3 describes the modifications to authoritative name
+   server behavior necessary to handle signed zones. Section 4 describes
+   the behavior of entities which include security-aware resolver
+   functions. Finally, Section 5 defines how to use DNSSEC RRs to
+   authenticate a response.
+
+1.1 Background and Related Documents
+
+   The reader is assumed to be familiar with the basic DNS concepts
+   described in RFC1034 [RFC1034] and RFC1035 [RFC1035].
+
+   This document is part of a family of documents which define DNSSEC.
+   An introduction to DNSSEC and definition of common terms can be found
+   in [I-D.ietf-dnsext-dnssec-intro].  A definition of the DNSSEC
+   resource records can be found in [I-D.ietf-dnsext-dnssec-records].
+
+1.2 Reserved Words
+
+   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+   "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and "OPTIONAL" in this
+   document are to be interpreted as described in RFC 2119. [RFC2119].
+
+1.3 Editors' Notes
+
+1.3.1 Open Technical Issues
+
+1.3.2 Technical Changes or Corrections
+
+   Please report technical corrections to dnssec-editors@east.isi.edu.
+   To assist the editors, please indicate the text in error and point
+   out the RFC that defines the correct behavior.  For a technical
+   change where no RFC that defines the correct behavior, or if there's
+   more than one applicable RFC and the definitions conflict, please
+   post the issue to namedroppers.
+
+   An example correction to dnssec-editors might be: Page X says
+   "DNSSEC RRs SHOULD be automatically returned in responses."  This was
+   true in RFC 2535, but RFC 3225 (Section 3, 3rd paragraph) says the
+   DNSSEC RR types MUST NOT be included in responses unless the resolver
+   indicated support for DNSSEC.
+
+
+
+
+Arends, et al.          Expires August 16, 2004                 [Page 4]
+
+Internet-Draft       DNSSEC Protocol Modifications         February 2004
+
+
+1.3.3 Typos and Minor Corrections
+
+   Please report any typos corrections to dnssec-editors@east.isi.edu.
+   To assist the editors, please provide enough context for us to find
+   the incorrect text quickly.
+
+   An example message to dnssec-editors might be: page X says "the
+   DNSSEC standard has been in development for over 1 years".   It
+   should read "over 10 years".
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al.          Expires August 16, 2004                 [Page 5]
+
+Internet-Draft       DNSSEC Protocol Modifications         February 2004
+
+
+2. Zone Signing
+
+   DNSSEC introduces the concept of signed zones.  A signed zone
+   includes DNSKEY, RRSIG, NSEC and (optionally) DS records according to
+   the rules specified in Section 2.1, Section 2.2, Section 2.3 and
+   Section 2.4, respectively.  A zone that does not include these
+   records according to the rules in this section is an unsigned zone.
+
+   DNSSEC requires a change to the definition of the CNAME resource
+   record [RFC1035].  Section 2.5 changes the CNAME RR to allow RRSIG
+   and NSEC RRs to appear at the same owner name as a CNAME RR.
+
+2.1 Including DNSKEY RRs in a Zone
+
+   To sign a zone, the zone's administrator generates one or more
+   public/private key pairs and uses the private key(s) to sign
+   authoritative RRsets in the zone.  For each private key used to
+   create RRSIG RRs, there SHOULD be a corresponding zone DNSKEY RR with
+   the public component stored in the zone. A zone key DNSKEY RR MUST
+   have the Zone Key bit of the flags RDATA field set to one -- see
+   Section 2.1.1 of [I-D.ietf-dnsext-dnssec-records].  Public keys
+   associated with other DNS operations MAY be stored in DNSKEY RRs that
+   are not marked as zone keys but MUST NOT be used to verify RRSIGs.
+
+   If the zone is delegated and does not wish to act as an island of
+   security, the zone MUST have at least one DNSKEY RR at the apex to
+   act as a secure entry point into the zone.  This DNSKEY would then be
+   used to generate a DS RR at the delegating parent (see
+   [I-D.ietf-dnsext-dnssec-records]).
+
+   DNSKEY RRs MUST NOT appear at delegation points.
+
+2.2 Including RRSIG RRs in a Zone
+
+   For each authoritative RRset in a signed zone, there MUST be at least
+   one RRSIG record that meets all of the following requirements:
+
+   o  The RRSIG owner name is equal to the RRset owner name;
+
+   o  The RRSIG class is equal to the RRset class;
+
+   o  The RRSIG Type Covered field is equal to the RRset type;
+
+   o  The RRSIG Original TTL field is equal to the TTL of the RRset;
+
+   o  The RRSIG RR's TTL is equal to the TTL of the RRset;
+
+   o  The RRSIG Labels field is equal to the number of labels in the
+
+
+
+Arends, et al.          Expires August 16, 2004                 [Page 6]
+
+Internet-Draft       DNSSEC Protocol Modifications         February 2004
+
+
+      RRset owner name, not counting the null root label and not
+      counting the leftmost label if it is a wildcard;
+
+   o  The RRSIG Signer's Name field is equal to the name of the zone
+      containing the RRset; and
+
+   o  The RRSIG Algorithm, Signer's Name, and Key Tag fields identify a
+      zone key DNSKEY record at the zone apex.
+
+   The process for constructing the RRSIG RR for a given RRset is
+   described in [I-D.ietf-dnsext-dnssec-records]. An RRset MAY have
+   multiple RRSIG RRs associated with it.
+
+   An RRSIG RR itself MUST NOT be signed, since signing an RRSIG RR
+   would add no value and would create an infinite loop in the signing
+   process.
+
+   The NS RRset that appears at the zone apex name MUST be signed, but
+   the NS RRsets that appear at delegation points (that is, the NS
+   RRsets in the parent zone that delegate the name to the child zone's
+   name servers) MUST NOT be signed. Glue address RRsets associated with
+   delegations MUST NOT be signed.
+
+   There MUST be an RRSIG for each RRset using at least one DNSKEY of
+   each algorithm in the parent zone's DS RRset and each additional
+   algorithm, if any, in the apex DNSKEY RRset. The apex DNSKEY RRset
+   itself MUST be signed by each algorithm appearing in the DS RRset.
+
+2.3 Including NSEC RRs in a Zone
+
+   Each owner name in the zone which has authoritative data or a
+   delegation point NS RRset MUST have an NSEC resource record. The
+   process for constructing the NSEC RR for a given name is described in
+   [I-D.ietf-dnsext-dnssec-records].
+
+   The TTL value for any NSEC RR SHOULD be the same as the minimum TTL
+   value field in the zone SOA RR.
+
+   An NSEC record (and its associated RRSIG RRset) MUST NOT be the only
+   RRset at any particular owner name.  That is, the signing process
+   MUST NOT create NSEC or RRSIG RRs for owner names nodes which were
+   not the owner name of any RRset before the zone was signed.
+
+   The type bitmap of every NSEC resource record in a signed zone MUST
+   indicate the presence of both the NSEC record itself and its
+   corresponding RRSIG record.
+
+   The difference between the set of owner names that require RRSIG
+
+
+
+Arends, et al.          Expires August 16, 2004                 [Page 7]
+
+Internet-Draft       DNSSEC Protocol Modifications         February 2004
+
+
+   records and the set of owner names that require NSEC records is
+   subtle and worth highlighting.  RRSIG records are present at the
+   owner names of all authoritative RRsets.  NSEC records are present at
+   the owner names of all names for which the signed zone is
+   authoritative and also at the owner names of delegations from the
+   signed zone to its children.  Neither NSEC nor RRSIG records are
+   present (in the parent zone) at the owner names of glue address
+   RRsets.  Note, however, that this distinction is for the most part is
+   only visible during the zone signing process, because NSEC RRsets are
+   authoritative data, and are therefore signed, thus any owner name
+   which has an NSEC RRset will have RRSIG RRs as well in the signed
+   zone.
+
+2.4 Including DS RRs in a Zone
+
+   The DS resource record establishes authentication chains between DNS
+   zones.  A DS RRset SHOULD be present at a delegation point when the
+   child zone is signed.  The DS RRset MAY contain multiple records,
+   each referencing a public key in the child zone used to verify the
+   RRSIGs in that zone. All DS RRsets in a zone MUST be signed and DS
+   RRsets MUST NOT appear at a zone's apex.
+
+   A DS RR SHOULD point to a DNSKEY RR which is present in the child's
+   apex DNSKEY RRset, and the child's apex DNSKEY RRset SHOULD be signed
+   by the corresponding private key.
+
+   The TTL of a DS RRset SHOULD match the TTL of the delegating NS RRset
+   (i.e., the NS RRset from the same zone containing the DS RRset).
+
+   Construction of a DS RR requires knowledge of the corresponding
+   DNSKEY RR in the child zone, which implies communication between the
+   child and parent zones.  This communication is an operational matter
+   not covered by this document.
+
+2.5 Changes to the CNAME Resource Record.
+
+   If a CNAME RRset is present at a name in a signed zone, appropriate
+   RRSIG and NSEC RRsets are REQUIRED at that name. A KEY RRset at that
+   name for secure dynamic update purposes is also allowed.  Other types
+   MUST NOT be present at that name.
+
+   This is a modification to the original CNAME definition given in
+   [RFC1034].  The original definition of the CNAME RR did not allow any
+   other types to coexist with a CNAME record, but a signed zone
+   requires NSEC and RRSIG RRs for every authoritative name.  To resolve
+   this conflict, this specification modifies the definition of the
+   CNAME resource record to allow it to coexist with NSEC and RRSIG RRs.
+
+
+
+
+Arends, et al.          Expires August 16, 2004                 [Page 8]
+
+Internet-Draft       DNSSEC Protocol Modifications         February 2004
+
+
+2.6 Example of a Secure Zone
+
+   Appendix A shows a complete example of a small signed zone.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al.          Expires August 16, 2004                 [Page 9]
+
+Internet-Draft       DNSSEC Protocol Modifications         February 2004
+
+
+3. Serving
+
+   This section describes the behavior of entities that include
+   security-aware name server functions.  In many cases such functions
+   will be part of a security-aware recursive name server, but a
+   security-aware authoritative name server has some of the same
+   requirements as a security-aware recursive name server does.
+   Functions specific to security-aware recursive name servers are
+   described in Section 3.2; functions specific to authoritative servers
+   are described in Section 3.1.
+
+   The terms "SNAME", "SCLASS", and "STYPE" in the following discussion
+   are as used in [RFC1034].
+
+   A security-aware name server MUST support the EDNS0 [RFC2671] message
+   size extension, MUST support a message size of at least 1220 octets,
+   and SHOULD support a message size of 4000 octets [RFC3226].
+
+   A security-aware name server that receives a DNS query that does not
+   include the EDNS OPT pseudo-RR or that has the DO bit set to zero
+   MUST treat the RRSIG, DNSKEY, and NSEC RRs as it would any other
+   RRset, and MUST NOT perform any of the additional processing
+   described below.  Since the DS RR type has the peculiar property of
+   only existing in the parent zone at delegation points, DS RRs always
+   require some special processing, as described in Section 3.1.4.1.
+
+   DNSSEC allocates two new bits in the DNS message header: the CD
+   (Checking Disabled) bit and the AD (Authentic Data) bit.  The CD bit
+   is controlled by resolvers; a security-aware name server MUST copy
+   the CD bit from a query into the corresponding response.  The AD bit
+   is controlled by name servers; a security-aware name server MUST
+   ignore the setting of the AD bit in queries.  See Section 3.1.6,
+   Section 3.2.2, Section 3.2.3, Section 4, and Section 4.8 for details
+   on the behavior of these bits.
+
+3.1 Authoritative Name Servers
+
+   Upon receiving a relevant query that has the EDNS [RFC2671] OPT
+   pseudo-RR DO bit [RFC3225] set to one, a security-aware authoritative
+   name server for a signed zone MUST include additional RRSIG, NSEC,
+   and DS RRs according to the following rules:
+
+   o  RRSIG RRs that can be used to authenticate a response MUST be
+      included in the response according to the rules in Section 3.1.1;
+
+   o  NSEC RRs that can be used to provide authenticated denial of
+      existence MUST be included in the response automatically according
+      to the rules in Section 3.1.3;
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 10]
+
+Internet-Draft       DNSSEC Protocol Modifications         February 2004
+
+
+   o  Either a DS RRset or an NSEC RR proving that no DS RRs exist MUST
+      be included in referrals automatically according to the rules in
+      Section 3.1.4.
+
+   DNSSEC does not change the DNS zone transfer protocol.  Section 3.1.5
+   discusses zone transfer requirements.
+
+3.1.1 Including RRSIG RRs in a Response
+
+   When responding to a query that has the DO bit set to one, a
+   security-aware authoritative name server SHOULD attempt to send RRSIG
+   RRs that a security-aware resolver can use to authenticate the RRsets
+   in the response.  Inclusion of RRSIG RRs in a response is subject to
+   the following rules:
+
+   o  When placing a signed RRset in the Answer section, the name server
+      MUST also place its RRSIG RRs in the Answer section.  The RRSIG
+      RRs have a higher priority for inclusion than any other RRsets
+      that may need to be included.  If space does not permit inclusion
+      of these RRSIG RRs, the name server MUST set the TC bit.
+
+   o  When placing a signed RRset in the Authority section, the name
+      server MUST also place its RRSIG RRs in the Authority section.
+      The RRSIG RRs have a higher priority for inclusion than any other
+      RRsets that may need to be included.  If space does not permit
+      inclusion of these RRSIG RRs, the name server MUST set the TC bit.
+
+   o  When placing a signed RRset in the Additional section, the name
+      server MUST also place its RRSIG RRs in the Additional section.
+      If space does not permit inclusion of both the RRset and its
+      associated RRSIG RRs, the name server MUST NOT set the TC bit
+      solely because these RRSIG RRs didn't fit.
+
+
+3.1.2 Including DNSKEY RRs In a Response
+
+   When responding to a query that has the DO bit set to one and that
+   requests the SOA or NS RRs at the apex of a signed zone, a
+   security-aware authoritative name server for that zone MAY return the
+   zone apex DNSKEY RRset in the Additional section.  In this situation,
+   the DNSKEY RRset and associated RRSIG RRs have lower priority than
+   any other information that would be placed in the additional section.
+   The name server SHOULD NOT include the DNSKEY RRset unless there is
+   enough space in the response message for both the DNSKEY RRset and
+   its associated RRSIG RR(s). If there is not enough space to include
+   these DNSKEY and RRSIG RRs, the name server MUST omit them and MUST
+   NOT set the TC bit solely because these RRs didn't fit (see Section
+   3.1.1).
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 11]
+
+Internet-Draft       DNSSEC Protocol Modifications         February 2004
+
+
+3.1.3 Including NSEC RRs In a Response
+
+   When responding to a query that has the DO bit set to one, a
+   security-aware authoritative name server for a signed zone MUST
+   include NSEC RRs in each of the following cases:
+
+   No Data: The zone contains RRsets that exactly match <SNAME, SCLASS>,
+      but does not contain any RRsets that exactly match <SNAME, SCLASS,
+      STYPE>.
+
+   Name Error: The zone does not contain any RRsets that match <SNAME,
+      SCLASS> either exactly or via wildcard name expansion.
+
+   Wildcard Answer: The zone does not contain any RRsets that exactly
+      match <SNAME, SCLASS> but does contain an RRset that matches
+      <SNAME, SCLASS, STYPE> via wildcard name expansion.
+
+   Wildcard No Data: The zone does not contain any RRsets that exactly
+      match <SNAME, SCLASS>, does contain one or more RRsets that match
+      <SNAME, SCLASS> via wildcard name expansion, but does not contain
+      any RRsets that match <SNAME, SCLASS, STYPE> via wildcard name
+      expansion.
+
+   In each of these cases, the name server includes NSEC RRs in the
+   response to prove that an exact match for <SNAME, SCLASS, STYPE> was
+   not present in the zone and that the response that the name server is
+   returning is correct given the data that are in the zone.
+
+3.1.3.1 Including NSEC RRs: No Data Response
+
+   If the zone contains RRsets matching <SNAME, SCLASS> but contains no
+   RRset matching <SNAME, SCLASS, STYPE>, then the name server MUST
+   include the NSEC RR for <SNAME, SCLASS> along with its associated
+   RRSIG RR(s) in the Authority section of the response (see Section
+   3.1.1).  If space does not permit inclusion of the NSEC RR or its
+   associated RRSIG RR(s), the name server MUST set the TC bit (see
+   Section 3.1.1).
+
+   Since the search name exists, wildcard name expansion does not apply
+   to this query, and a single signed NSEC RR suffices to prove the
+   requested RR type does not exist.
+
+3.1.3.2 Including NSEC RRs: Name Error Response
+
+   If the zone does not contain any RRsets matching <SNAME, SCLASS>
+   either exactly or via wildcard name expansion, then the name server
+   MUST include the following NSEC RRs in the Authority section, along
+   with their associated RRSIG RRs:
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 12]
+
+Internet-Draft       DNSSEC Protocol Modifications         February 2004
+
+
+   o  An NSEC RR proving that there is no exact match for <SNAME,
+      SCLASS>; and
+
+   o  An NSEC RR proving that the zone contains no RRsets that would
+      match <SNAME, SCLASS> via wildcard name expansion.
+
+   In some cases a single NSEC RR may prove both of these points, in
+   that case the name server SHOULD only include the NSEC RR and its
+   RRSIG RR(s) once in the Authority section.
+
+   If space does not permit inclusion of these NSEC and RRSIG RRs, the
+   name server MUST set the TC bit (see Section 3.1.1).
+
+   The owner names of these NSEC and RRSIG RRs are not subject to
+   wildcard name expansion when these RRs are included in the Authority
+   section of the response.
+
+   Note that this form of response includes cases in which SNAME
+   corresponds to an empty non-terminal name within the zone (a name
+   which is not the owner name for any RRset but which is the parent
+   name of one or more RRsets).
+
+3.1.3.3 Including NSEC RRs: Wildcard Answer Response
+
+   If the zone does not contain any RRsets which exactly match <SNAME,
+   SCLASS> but does contain an RRset which matches <SNAME, SCLASS,
+   STYPE> via wildcard name expansion, the name server MUST include the
+   wildcard-expanded answer and the corresponding wildcard-expanded
+   RRSIG RRs in the Answer section, and MUST include in the Authority
+   section an NSEC RR and associated RRSIG RR(s) proving that the zone
+   does not contain a closer match for <SNAME, SCLASS>.  If space does
+   not permit inclusion of the answer, NSEC and RRSIG RRs, the name
+   server MUST set the TC bit (see Section 3.1.1).
+
+3.1.3.4 Including NSEC RRs: Wildcard No Data Response
+
+   This case is a combination of the previous cases.  The zone does not
+   contain an exact match for <SNAME, SCLASS>, and while the zone does
+   contain RRsets which match <SNAME, SCLASS> via wildcard expansion,
+   none of those RRsets match STYPE.  The name server MUST include the
+   following NSEC RRs in the Authority section, along with their
+   associated RRSIG RRs:
+
+   o  An NSEC RR proving that there are no RRsets matching STYPE at the
+      wildcard owner name which matched <SNAME, SCLASS> via wildcard
+      expansion; and
+
+   o  An NSEC RR proving that there are no RRsets in the zone which
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 13]
+
+Internet-Draft       DNSSEC Protocol Modifications         February 2004
+
+
+      would have been a closer match for <SNAME, SCLASS>.
+
+   In some cases a single NSEC RR may prove both of these points, in
+   which case the name server SHOULD only include the NSEC RR and its
+   RRSIG RR(s) once in the Authority section.
+
+   The owner names of these NSEC and RRSIG RRs are not subject to
+   wildcard name expansion when these RRs are included in the Authority
+   section of the response.
+
+   If space does not permit inclusion of these NSEC and RRSIG RRs, the
+   name server MUST set the TC bit (see Section 3.1.1).
+
+3.1.3.5 Finding The Right NSEC RRs
+
+   As explained above, there are several situations in which a
+   security-aware authoritative name server needs to locate an NSEC RR
+   which proves that a particular SNAME does not exist.  Locating such
+   an NSEC RR within an authoritative zone is relatively simple, at
+   least in concept.  The following discussion assumes that the name
+   server is authoritative for the zone which would have held the
+   nonexistent SNAME.  The algorithm below is written for clarity, not
+   efficiency.
+
+   To find the NSEC which proves that name N does not exist in the zone
+   Z which would have held it, construct sequence S consisting of every
+   name in Z, sorted into canonical order
+   [I-D.ietf-dnsext-dnssec-records].  Find the name M which would have
+   immediately preceded N in S if N had existed.  M is the owner name of
+   the NSEC RR which proves that N does not exist.
+
+   The algorithm for finding the NSEC RR which proves that a given name
+   is not covered by any applicable wildcard is similar, but requires an
+   extra step.  More precisely, the algorithm for finding the NSEC
+   proving that the applicable wildcard name does not exist is precisely
+   the same as the algorithm for finding the NSEC RR which proves that
+   any other name does not exist: the part that's missing is how to
+   determine the name of the nonexistent applicable wildcard.  In
+   practice, this is easy, because the authoritative name server has
+   already checked for the presence of precisely this wildcard name as
+   part of step (1)(c) of the normal lookup algorithm described in
+   Section 4.3.2 of [RFC1034].
+
+3.1.4 Including DS RRs In a Response
+
+   When responding to a query which has the DO bit set to one, a
+   security-aware authoritative name server returning a referral
+   includes DNSSEC data along with the NS RRset.
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 14]
+
+Internet-Draft       DNSSEC Protocol Modifications         February 2004
+
+
+   If a DS RRset is present at the delegation point, the name server
+   MUST return both the DS RRset and its associated RRSIG RR(s) in the
+   Authority section along with the NS RRset.  The name server MUST
+   place the NS RRset before the DS RRset and its associated RRSIG
+   RR(s).
+
+   If no DS RRset is present at the delegation point, the name server
+   MUST return both the NSEC RR which proves that the DS RRset is not
+   present and the NSEC RR's associated RRSIG RR(s) along with the NS
+   RRset.  The name server MUST place the NS RRset before the NSEC RRset
+   and its associated RRSIG RR(s).
+
+   Including these DS, NSEC, and RRSIG RRs increases the size of
+   referral messages, and may cause some or all glue RRs to be omitted.
+   If space does not permit inclusion of the DS or NSEC RRset and
+   associated RRSIG RRs, the name server MUST set the TC bit (see
+   Section 3.1.1).
+
+3.1.4.1 Responding to Queries for DS RRs
+
+   The DS resource record type is unusual in that it appears only on the
+   parent zone's side of a zone cut.  For example, the DS RRset for the
+   delegation of "foo.example" is stored in the "example" zone rather
+   than in the "foo.example" zone.  This requires special processing
+   rules for both name servers and resolvers, since the name server for
+   the child zone is authoritative for the name at the zone cut by the
+   normal DNS rules but the child zone does not contain the DS RRset.
+
+   A security-aware resolver sends queries to the parent zone when
+   looking for a needed DS RR at a delegation point (see Section 4.2).
+   However, special rules are necessary to avoid confusing
+   security-oblivious resolvers which might become involved in
+   processing such a query (for example, in a network configuration that
+   forces a security-aware resolver to channel its queries through a
+   security-oblivious recursive name server).  The rest of this section
+   describes how a security-aware name server processes DS queries in
+   order to avoid this problem.
+
+   The need for special processing by a security-aware name server only
+   arises when all the following conditions are met:
+
+   o  the name server has received a query for the DS RRset at a zone
+      cut; and
+
+   o  the name server is authoritative for the child zone; and
+
+   o  the name server is not authoritative for the parent zone; and
+
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 15]
+
+Internet-Draft       DNSSEC Protocol Modifications         February 2004
+
+
+   o  the name server does not offer recursion.
+
+   In all other cases, the name server either has some way of obtaining
+   the DS RRset or could not have been expected to have the DS RRset
+   even by the pre-DNSSEC processing rules, so the name server can
+   return either the DS RRset or an error response according to the
+   normal processing rules.
+
+   If all of the above conditions are met, however, the name server is
+   authoritative for SNAME but cannot supply the requested RRset.  In
+   this case, the name server MUST return an authoritative "no data"
+   response showing that the DS RRset does not exist in the child zone's
+   apex.  See Appendix B.8 for an example of such a response.
+
+3.1.5 Responding to Queries for Type AXFR or IXFR
+
+   DNSSEC does not change the DNS zone transfer process.  A signed zone
+   will contain RRSIG, DNSKEY, NSEC, and DS resource records, but these
+   records have no special meaning with respect to a zone transfer
+   operation, and these RRs are treated as any other resource record
+   type.
+
+   An authoritative name server is not required to verify that a zone is
+   properly signed before sending or accepting a zone transfer.
+   However, an authoritative name server MAY choose to reject the entire
+   zone transfer if the zone fails meets any of the signing requirements
+   described in Section 2.  The primary objective of a zone transfer is
+   to ensure that all authoritative name servers have identical copies
+   of the zone.  An authoritative name server which chooses to perform
+   its own zone validation MUST NOT selectively reject some RRs and
+   accept others.
+
+   DS RRsets appear only on the parental side of a zone cut and are
+   authoritative data in the parent zone.  As with any other
+   authoritative RRset, the DS RRset MUST be included in zone transfers
+   of the zone in which the RRset is authoritative data: in the case of
+   the DS RRset, this is the parent zone.
+
+   NSEC RRs appear in both the parent and child zones at a zone cut, and
+   are authoritative data in both the parent and child zones.  The
+   parental and child NSEC RRs at a zone cut are never identical to each
+   other, since the NSEC RR in the child zone's apex will always
+   indicate the presence of the child zone's SOA RR while the parental
+   NSEC RR at the zone cut will never indicate the presence of an SOA
+   RR.  As with any other authoritative RRs, NSEC RRs MUST be included
+   in zone transfers of the zone in which they are authoritative data:
+   the parental NSEC RR at a zone cut MUST be included zone transfers of
+   the parent zone, while the NSEC at the zone apex of the child zone
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 16]
+
+Internet-Draft       DNSSEC Protocol Modifications         February 2004
+
+
+   MUST be included in zone transfers of the child zone.
+
+   RRSIG RRs appear in both the parent and child zones at a zone cut,
+   and are authoritative in whichever zone contains the authoritative
+   RRset for which the RRSIG RR provides the signature.  That is, the
+   RRSIG RR for a DS RRset or a parental NSEC RR at a zone cut will be
+   authoritative in the parent zone, while the RRSIG for any RRset in
+   the child zone's apex will be authoritative in the child zone. As
+   with any other authoritative RRs, RRSIG RRs MUST be included in zone
+   transfers of the zone in which they are authoritative data.
+
+3.1.6 The AD and CD Bits in an Authoritative Response
+
+   The CD and AD bits are designed to be used in communication between
+   security-aware resolvers and security-aware recursive name servers.
+   This bits are for the most part not relevant to query processing by
+   security-aware authoritative name servers.
+
+   Since a security-aware name server does not perform signature
+   validation for authoritative data during query processing even when
+   the CD bit is set to zero, a security-aware name server SHOULD ignore
+   the setting of the CD bit when composing an authoritative response.
+
+   A security-aware name server MUST NOT set the AD bit in a response
+   unless the name server considers all RRsets in the Answer and
+   Authority sections of the response to be authentic.  A security-aware
+   name server's local policy MAY consider data from an authoritative
+   zone to be authentic without further validation, but the name server
+   MUST NOT do so unless the name server obtained the authoritative zone
+   via secure means (such as a secure zone transfer mechanism), and MUST
+   NOT do so unless this behavior has been configured explicitly.
+
+   A security-aware name server which supports recursion MUST follow the
+   rules for the CD and AD bits given in Section 3.2 when generating a
+   response that involves data obtained via recursion.
+
+3.2 Recursive Name Servers
+
+   As explained in [I-D.ietf-dnsext-dnssec-intro], a security-aware
+   recursive name server is an entity which acts in both the
+   security-aware name server and security-aware resolver roles. This
+   section uses the terms "name server side" and "resolver side" to
+   refer to the code within a security-aware recursive name server which
+   implements the security-aware name server role and the code which
+   implements the security-aware resolver role, respectively.
+
+   The resolver side follows the usual rules for caching and negative
+   caching which would apply to any security-aware resolver.
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 17]
+
+Internet-Draft       DNSSEC Protocol Modifications         February 2004
+
+
+3.2.1 The DO bit
+
+   The resolver side of a security-aware recursive name server MUST set
+   the DO bit when sending requests, regardless of the state of the DO
+   bit in the initiating request received by the name server side.  If
+   the DO bit in an initiating query is not set, the name server side
+   MUST strip any authenticating DNSSEC RRs from the response, but MUST
+   NOT strip any DNSSEC RRs that the initiating query explicitly
+   requested.
+
+3.2.2 The CD bit
+
+   The CD bit exists in order to allow a security-aware resolver to
+   disable signature validation in a security-aware name server's
+   processing of a particular query.
+
+   The name server side MUST copy the setting of the CD bit from a query
+   to the corresponding response.
+
+   The name server side of a security-aware recursive name server MUST
+   pass the sense of the CD bit to the resolver side along with the rest
+   of an initiating query, so that the resolver side will know whether
+   or not it is required to verify the response data it returns to the
+   name server side. If the CD bit is set to one, it indicates that the
+   originating resolver is willing to perform whatever authentication
+   its local policy requires, thus the resolver side of the recursive
+   name server need not perform authentication on the RRsets in the
+   response.  When the CD bit is set to one the recursive name server
+   SHOULD, if possible, return the requested data to the originating
+   resolver even if the recursive name server's local authentication
+   policy would reject the records in question. That is, by setting the
+   CD bit, the originating resolver has indicated that it takes
+   responsibility for performing its own authentication, and the
+   recursive name server should not interfere.
+
+   If the resolver side implements a BAD cache (see Section 4.7) and the
+   name server side receives a query which matches an entry in the
+   resolver side's BAD cache, the name server side's response depends on
+   the sense of the CD bit in the original query.  If the CD bit is set,
+   the name server side SHOULD return the data from the BAD cache; if
+   the CD bit is not set, the name server side MUST return RCODE 2
+   (server failure).
+
+3.2.3 The AD bit
+
+   The name server side of a security-aware recursive name server MUST
+   NOT set the AD bit in a response unless the name server considers all
+   RRsets in the Answer and Authority sections of the response to be
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 18]
+
+Internet-Draft       DNSSEC Protocol Modifications         February 2004
+
+
+   authentic, and SHOULD set the AD bit if and only if the resolver side
+   considers all RRsets in the Answer section and any relevant negative
+   response RRs in the Authority section to be authentic.  The resolver
+   side MUST follow the procedure described in Section 5 to determine
+   whether the RRs in question are authentic.
+
+3.3 Example DNSSEC Responses
+
+   See Appendix B for example response packets.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 19]
+
+Internet-Draft       DNSSEC Protocol Modifications         February 2004
+
+
+4. Resolving
+
+   This section describes the behavior of entities which include
+   security-aware resolver functions.  In many cases such functions will
+   be part of a security-aware recursive name server, but a stand-alone
+   security-aware resolver has many of the same requirements.  Functions
+   specific to security-aware recursive name servers are described in
+   Section 3.2.
+
+4.1 EDNS Support
+
+   A security-aware resolver MUST include an EDNS [RFC2671] OPT
+   pseudo-RR with the DO [RFC3225] bit set to one when sending queries.
+
+   A security-aware resolver MUST support a message size of at least
+   1220 octets, SHOULD support a message size of 4000 octets, and MUST
+   advertise the supported message size using the "sender's UDP payload
+   size" field in the EDNS OPT pseudo-RR. A security-aware resolver MUST
+   handle fragmented UDP packets correctly regardless of whether any
+   such fragmented packets were received via IPv4 or IPv6.  Please see
+   [RFC3226] for discussion of these requirements.
+
+4.2 Signature Verification Support
+
+   A security-aware resolver MUST support the signature verification
+   mechanisms described in Section 5, and MUST apply them to every
+   received response except when:
+
+   o  The security-aware resolver is part of a security-aware recursive
+      name server, and the response is the result of recursion on behalf
+      of a query received with the CD bit set;
+
+   o  The response is the result of a query generated directly via some
+      form of application interface which instructed the security-aware
+      resolver not to perform validation for this query; or
+
+   o  Validation for this query has been disabled by local policy.
+
+   A security-aware resolver's support for signature verification MUST
+   include support for verification of wildcard owner names.
+
+      Editors' note: The rest of this section is expected to change once
+      the WG reaches closure on Q-23.
+
+   A security-aware resolver MUST attempt to retrieve missing DS,
+   DNSKEY, or RRSIG RRs via explicit queries if the resolver needs these
+   RRs in order to perform signature verification.
+
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 20]
+
+Internet-Draft       DNSSEC Protocol Modifications         February 2004
+
+
+   A security-aware resolver MUST attempt to retrieve a missing NSEC RR
+   which the resolver needs to authenticate a NODATA response.  In
+   general it is not possible for a resolver to retrieve missing NSEC
+   RRs, since the resolver will have no way of knowing the owner name of
+   the missing NSEC RR, but in the specific case of a NODATA response,
+   the resolver may know the name of the missing NSEC RR, and in such
+   cases must therefore attempt to retrieve it.
+
+   When attempting to retrieve missing NSEC RRs which reside on the
+   parental side at a zone cut, a security-aware iterative-mode resolver
+   MUST query the name servers for the parent zone, not the child zone.
+
+   When attempting to retrieve a missing DS, a security-aware
+   iterative-mode resolver MUST query the name servers for the parent
+   zone, not the child zone.  As explained in Section 3.1.4.1,
+   security-aware name servers need to apply special processing rules to
+   handle the DS RR, and in some situations the resolver may also need
+   to apply special rules to locate the name servers for the parent zone
+   if the resolver does not already have the parent's NS RRset.  To
+   locate the parent NS RRset, the resolver can start with the
+   delegation name, strip off the leftmost label, and query for an NS
+   RRset by that name; if no NS RRset is present at that name, the
+   resolver then strips of the leftmost remaining label and retries the
+   query for that name, repeating this process of walking up the tree
+   until it either finds the NS RRset or runs out of labels.
+
+      Editors' note: This algorithm could easily be read as an
+      invitation to careless implementors to hammer the root zone
+      servers.  Better wording would be welcome.
+
+
+4.3 Determining Security Status of Data
+
+      Editors' note: This section is waiting for resolution of Q-28.
+
+   A security-aware resolver MUST be able to determine whether or not it
+   should expect a particular RRset to be signed.  More precisely, a
+   security-aware resolver must be able to distinguish between three
+   cases:
+
+   1.  An RRset for which the resolver is able to build a chain of
+       signed DNSKEY and DS RRs from a trusted security anchor to the
+       RRset.  In this case, the RRset should be signed, and is subject
+       to signature validation as described above.
+
+   2.  An RRset for which the resolver knows that it has no chain of
+       signed DNSKEY and DS RRs from any trusted starting point to the
+       RRset.  This can occur when the target RRset lies in an unsigned
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 21]
+
+Internet-Draft       DNSSEC Protocol Modifications         February 2004
+
+
+       zone or in a descendent of an unsigned zone.  In this case, the
+       RRset may or may not be signed, but the resolver will not be able
+       to verify the signature.
+
+   3.  An RRset for which the resolver is not able to determine whether
+       or not the RRset should be signed, because the resolver is not
+       able to obtain the necessary DNSSEC RRs. This can occur when the
+       security-aware resolver is not able to contact security-aware
+       name servers for the relevant zones.
+
+
+4.4 Preconfigured Public Keys
+
+   A security-aware resolver MUST be capable of being preconfigured with
+   at least one trusted public key or DS RR, and SHOULD be capable of
+   being preconfigured with multiple trusted public keys or DS RRs.
+   Since a security-aware resolver will not be able to validate
+   signatures without such a preconfigured trusted key, the resolver
+   SHOULD have some reasonably robust mechanism for obtaining such keys
+   when it boots; examples of such a mechanism would be some form of
+   non-volatile storage (such as a disk drive) or some form of trusted
+   local network configuration mechanism.
+
+4.5 Response Caching
+
+      Editors' note: RIPE "last call" workshop felt that the WG needs to
+      reexamine and discuss this section.
+
+   A security-aware resolver SHOULD cache each response as a single
+   atomic entry containing the entire answer, including the named RRset
+   and any associated DNSSEC RRs.  The resolver SHOULD discard the
+   entire atomic entry when any of the RRs contained in it expire.  In
+   most cases the appropriate cache index for the atomic entry will be
+   the triple <QNAME, QTYPE, QCLASS>, but in cases such as the response
+   form described in Section 3.1.3.2 the appropriate cache index will be
+   the double <QNAME,QCLASS>.
+
+4.6 Handling of the CD and AD bits
+
+   A security-aware resolver MAY set the CD bit in a query to one in
+   order to indicate that the resolver takes responsibility for
+   performing whatever authentication its local policy requires on the
+   RRsets in the response.  See Section 3.2 for the effect this bit has
+   on the behavior of security-aware recursive name servers.
+
+   A security-aware resolver MUST zero the AD bit when composing query
+   messages to protect against buggy name servers which blindly copy
+   header bits which they do not understand from the query message to
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 22]
+
+Internet-Draft       DNSSEC Protocol Modifications         February 2004
+
+
+   the response message.
+
+   A resolver MUST disregard the meaning of the CD and AD bits in a
+   response unless the response was obtained using a secure channel or
+   the resolver was specifically configured to regard the message header
+   bits without using a secure channel.
+
+4.7 Rate Limiting
+
+   A security-aware resolver SHOULD NOT cache data with invalid
+   signatures under normal circumstances.  However, a security-aware
+   resolver SHOULD take steps to rate limit the number of identical
+   queries that it generates if signature validation of the responses
+   fails repeatedly.
+
+   Conceptually, this is similar in some respects to negative caching
+   [RFC2308], but since the resolver has no way of obtaining an
+   appropriate caching TTL from received data in this case, the TTL will
+   have to be set by the implementation.  This document refers to the
+   data retained as part of such a rate limiting mechanism as the "BAD
+   cache".
+
+   A security-aware resolver MAY chose to retain RRsets for which
+   signature validation has failed in its BAD cache, but MUST NOT return
+   such RRsets from its BAD cache unless both of the following
+   conditions are met:
+
+   o  The resolver has recently generated enough queries identical to
+      this one that the resolver is suppressing queries for this <QNAME,
+      QTYPE, QCLASS>; and
+
+   o  The resolver is not required to validate the signatures of the
+      RRsets in question under the rules given in Section 4 of this
+      document.
+
+   The intent of the above rule is to provide the raw data to clients
+   which are capable of performing their own signature verification
+   checks while protecting clients which depend on this resolver to
+   perform such checks.  Several of the possible reasons why signature
+   validation might fail involve conditions which may not apply equally
+   to this resolver and the client which invoked it: for example, this
+   resolver's clock may be set incorrectly, or the client may have
+   knowledge of a relevant island of security which this resolver does
+   not share.  In such cases, "protecting" a client which is capable of
+   performing its own signature validation from ever seeing the "bad"
+   data does not help the client.
+
+
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 23]
+
+Internet-Draft       DNSSEC Protocol Modifications         February 2004
+
+
+4.8 Stub resolvers
+
+   A security-aware stub resolver MUST support the DNSSEC RR types, at
+   least to the extent of not mishandling responses just because they
+   contain DNSSEC RRs.
+
+4.8.1 Handling of the DO Bit
+
+   A non-validating security-aware stub resolver MAY include the DNSSEC
+   RRs returned by a security-aware recursive name server as part of the
+   data that the stub resolver hands back to the application which
+   invoked it but is not required to do so.  A non-validating stub
+   resolver that wishes to do this will need to set the DO bit in
+   receive DNSSEC RRs from the recursive name server.
+
+   A validating security-aware stub resolver MUST set the DO bit, since
+   otherwise it will not receive the DNSSEC RRs it needs to perform
+   signature validation.
+
+4.8.2 Handling of the CD Bit
+
+   A non-validating security-aware stub resolver SHOULD NOT set the CD
+   bit when sending queries unless requested by the application layer,
+   since by definition, a non-validating stub resolver depends on the
+   security-aware recursive name server to perform validation on its
+   behalf.
+
+   A validating security-aware stub resolver SHOULD set the CD bit,
+   since otherwise the security-aware recursive name server will answer
+   the query using the name server's local policy, which may prevent the
+   stub resolver from receiving data which would be acceptable to the
+   stub resolver's local policy.
+
+4.8.3 Handling of the AD Bit
+
+   A non-validating security-aware stub resolver MAY chose to examine
+   the setting of the AD bit in response messages that it receives in
+   order to determine whether the security-aware recursive name server
+   which sent the response claims to have cryptographically verified the
+   data in the Answer and Authority sections of the response message.
+   Note, however, that the responses received by a security-aware stub
+   resolver are heavily dependent on the local policy of the
+   security-aware recursive name server, so as a practical matter there
+   may be little practical value to checking the status of the AD bit
+   except perhaps as a debugging aid.  In any case, a security-aware
+   stub resolver MUST NOT place any reliance on signature validation
+   allegedly performed on its behalf except when the security-aware stub
+   resolver obtained the data in question from a trusted security-aware
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 24]
+
+Internet-Draft       DNSSEC Protocol Modifications         February 2004
+
+
+   recursive name server via a secure channel.
+
+   A validating security-aware stub resolver SHOULD NOT examine the
+   setting of the AD bit in response messages, since, by definition, the
+   stub resolver performs its own signature validation regardless of the
+   setting of the AD bit.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 25]
+
+Internet-Draft       DNSSEC Protocol Modifications         February 2004
+
+
+5. Authenticating DNS Responses
+
+   In order to use DNSSEC RRs for authentication, a security-aware
+   resolver requires preconfigured knowledge of at least one
+   authenticated DNSKEY or DS RR.  The process for obtaining and
+   authenticating this initial DNSKEY or DS RR is achieved via some
+   external mechanism.  For example, a resolver could use some off-line
+   authenticated exchange to obtain a zone's DNSKEY RR or obtain a DS RR
+   that identifies and authenticates a zone's DNSKEY RR.  The remainder
+   of this section assumes that the resolver has somehow obtained an
+   initial set of authenticated DNSKEY RRs.
+
+   An initial DNSKEY RR can be used to authenticate a zone's apex DNSKEY
+   RRset.  To authenticate an apex DNSKEY RRset using an initial key,
+   the resolver MUST:
+
+   1.  Verify that the initial DNSKEY RR appears in the apex DNSKEY
+       RRset, and verify that the DNSKEY RR MUST have the Zone Key Flag
+       (DNSKEY RDATA bit 7) set to one.
+
+   2.  Verify that there is some RRSIG RR that covers the apex DNSKEY
+       RRset, and that the combination of the RRSIG RR and the initial
+       DNSKEY RR authenticates the DNSKEY RRset.  The process for using
+       an RRSIG RR to authenticate an RRset is described in Section 5.3.
+
+   Once the resolver has authenticated the apex DNSKEY RRset using an
+   initial DNSKEY RR, delegations from that zone can be authenticated
+   using DS RRs.  This allows a resolver to start from an initial key,
+   and use DS RRsets to proceed recursively down the DNS tree obtaining
+   other apex DNSKEY RRsets.  If the resolver were preconfigured with a
+   root DNSKEY RR, and if every delegation had a DS RR associated with
+   it, then the resolver could obtain and validate any apex DNSKEY
+   RRset.  The process of using DS RRs to authenticate referrals is
+   described in Section 5.2.
+
+   Once the resolver has authenticated a zone's apex DNSKEY RRset,
+   Section 5.3 shows how the resolver can use DNSKEY RRs in the apex
+   DNSKEY RRset and RRSIG RRs from the zone to authenticate any other
+   RRsets in the zone.  Section 5.4 shows how the resolver can use
+   authenticated NSEC RRsets from the zone to prove that an RRset is not
+   present in the zone.
+
+   When a resolver indicates support for DNSSEC (by setting the DO bit),
+   a security-aware name server should attempt to provide the necessary
+   DNSKEY, RRSIG, NSEC, and DS RRsets in a response (see Section 3).
+   However, a security-aware resolver may still receive a response that
+   that lacks the appropriate DNSSEC RRs, whether due to configuration
+   issues such as a security-oblivious recursive name server that
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 26]
+
+Internet-Draft       DNSSEC Protocol Modifications         February 2004
+
+
+   accidentally interfere with DNSSEC RRs or due to a deliberate attack
+   in which an adversary forges a response, strips DNSSEC RRs from a
+   response, or modifies a query so that DNSSEC RRs appear not to be
+   requested.  The absence of DNSSEC data in a response MUST NOT by
+   itself be taken as an indication that no authentication information
+   exists.
+
+   A resolver SHOULD expect authentication information from signed
+   zones. A resolver SHOULD believe that a zone is signed if the
+   resolver has been configured with public key information for the
+   zone, or if the zone's parent is signed and the delegation from the
+   parent contains a DS RRset.
+
+5.1 Special Considerations for Islands of Security
+
+   Islands of security (see [I-D.ietf-dnsext-dnssec-intro]) are signed
+   zones for which it is not possible to construct an authentication
+   chain to the zone from its parent.  Validating signatures within an
+   island of security requires the validator to have some other means of
+   obtaining an initial authenticated zone key for the island.  If a
+   validator cannot obtain such a key, it will have to choose whether to
+   accept the unvalidated responses or not based on local policy.
+
+   All the normal processes for validating responses apply to islands of
+   security.  The only difference between normal validation and
+   validation within an island of security is in how the validator
+   obtains a starting point for the authentication chain.
+
+5.2 Authenticating Referrals
+
+   Once the apex DNSKEY RRset for a signed parent zone has been
+   authenticated, DS RRsets can be used to authenticate the delegation
+   to a signed child zone.  A DS RR identifies a DNSKEY RR in the child
+   zone's apex DNSKEY RRset, and contains a cryptographic digest of the
+   child zone's DNSKEY RR.  A strong cryptographic digest algorithm
+   ensures that an adversary can not easily generate a DNSKEY RR that
+   matches the digest.  Thus, authenticating the digest allows a
+   resolver to authenticate the matching DNSKEY RR.  The resolver can
+   then use this child DNSKEY RR to authenticate the entire child apex
+   DNSKEY RRset.
+
+   Given a DS RR for a delegation, the child zone's apex DNSKEY RRset
+   can be authenticated if all of the following hold:
+
+   o  The DS RR has been authenticated using some DNSKEY RR in the
+      parent's apex DNSKEY RRset (see Section 5.3);
+
+   o  The Algorithm and Key Tag in the DS RR match the Algorithm field
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 27]
+
+Internet-Draft       DNSSEC Protocol Modifications         February 2004
+
+
+      and the key tag of a DNSKEY RR in the child zone's apex DNSKEY
+      RRset that, when hashed using the digest algorithm specified in
+      the DS RR's Digest Type field, results in a digest value that
+      matches the Digest field of the DS RR; and
+
+   o  The matching DNSKEY RR in the child zone has the Zone Flag bit set
+      to one, the corresponding private key has signed the child zone's
+      apex DNSKEY RRset, and the resulting RRSIG RR authenticates the
+      child zone's apex DNSKEY RRset.
+
+   If the referral from the parent zone did not contain a DS RRset, the
+   response should have included a signed NSEC RRset proving that no DS
+   RRset exists for the delegated name (see Section 3.1.4).  A
+   security-aware resolver MUST query the name servers for the parent
+   zone for the DS RRset if the referral includes neither a DS RRset nor
+   a NSEC RRset proving that the DS RRset does not exist (see Section
+   4).
+
+   If the resolver authenticates an NSEC RRset that proves that no DS
+   RRset is present for this zone, then there is no authentication path
+   leading from the parent to the child.  If the resolver has an initial
+   DNSKEY or DS RR that belongs to the child zone or to any delegation
+   below the child zone, this initial DNSKEY or DS RR MAY be used to
+   re-establish an authentication path.  If no such initial DNSKEY or DS
+   RR exists, the resolver can not authenticate RRsets in or below the
+   child zone.
+
+   Note that, for a signed delegation, there are two NSEC RRs associated
+   with the delegated name.  One NSEC RR resides in the parent zone, and
+   can be used to prove whether a DS RRset exists for the delegated
+   name.  The second NSEC RR resides in the child zone, and identifies
+   which RRsets are present at the apex of the child zone.  The parent
+   NSEC RR and child NSEC RR can always be distinguished, since the SOA
+   bit will be set in the child NSEC RR and clear in the parent NSEC RR.
+   A security-aware resolver MUST use the parent NSEC RR when attempting
+   to prove that a DS RRset does not exist.
+
+   If the resolver does not support any of the algorithms listed in an
+   authenticated DS RRset, then the resolver will not be able to verify
+   the authentication path to the child zone.  In this case, the
+   resolver SHOULD treat the child zone as if it were unsigned.
+
+5.3 Authenticating an RRset Using an RRSIG RR
+
+   A resolver can use an RRSIG RR and its corresponding DNSKEY RR to
+   attempt to authenticate RRsets.  The resolver first checks the RRSIG
+   RR to verify that it covers the RRset, has a valid time interval, and
+   identifies a valid DNSKEY RR.  The resolver then constructs the
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 28]
+
+Internet-Draft       DNSSEC Protocol Modifications         February 2004
+
+
+   canonical form of the signed data by appending the RRSIG RDATA
+   (excluding the Signature Field) with the canonical form of the
+   covered RRset.  Finally, resolver uses the public key and signature
+   to authenticate the signed data.  Section 5.3.1, Section 5.3.2, and
+   Section 5.3.3 describe each step in detail.
+
+5.3.1 Checking the RRSIG RR Validity
+
+   A security-aware resolver can use an RRSIG RR to authenticate an
+   RRset if all of the following conditions hold:
+
+   o  The RRSIG RR and the RRset MUST have the same owner name and the
+      same class;
+
+   o  The RRSIG RR's Signer's Name field MUST be the name of the zone
+      that contains the RRset;
+
+   o  The RRSIG RR's Type Covered field MUST equal the RRset's type;
+
+   o  The number of labels in the RRset owner name MUST be greater than
+      or equal to the value in the RRSIG RR's Labels field;
+
+   o  The resolver's notion of the current time MUST be less than or
+      equal to the time listed in the RRSIG RR's Expiration field;
+
+   o  The resolver's notion of the current time MUST be greater than or
+      equal to the time listed in the RRSIG RR's Inception field;
+
+   o  The RRSIG RR's Signer's Name, Algorithm, and Key Tag fields MUST
+      match the owner name, algorithm, and key tag for some DNSKEY RR in
+      the zone's apex DNSKEY RRset;
+
+   o  The matching DNSKEY RR MUST be present in the zone's apex DNSKEY
+      RRset, and MUST have the Zone Flag bit (DNSKEY RDATA Flag bit 7)
+      set to one.
+
+   It is possible for more than one DNSKEY RR to match the conditions
+   above.  In this case, the resolver can not predetermine which DNSKEY
+   RR to use to authenticate the signature, MUST try each matching
+   DNSKEY RR until the resolver has either validated the signature or
+   has run out of matching public keys to try.
+
+   Note that this authentication process is only meaningful if the
+   resolver authenticates the DNSKEY RR before using it to validate
+   signatures.  The matching DNSKEY RR is considered to be authentic if:
+
+   o  The apex DNSKEY RRset containing the DNSKEY RR is considered
+      authentic; or
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 29]
+
+Internet-Draft       DNSSEC Protocol Modifications         February 2004
+
+
+   o  The RRset covered by the RRSIG RR is the apex DNSKEY RRset itself,
+      and the DNSKEY RR either matches an authenticated DS RR from the
+      parent zone or matches a DS RR or DNSKEY RR that the resolver has
+      been preconfigured to believe to be authentic.
+
+
+5.3.2 Reconstructing the Signed Data
+
+   Once the RRSIG RR has met the validity requirements described in
+   Section 5.3.1, the resolver needs to reconstruct the original signed
+   data.  The original signed data includes RRSIG RDATA (excluding the
+   Signature field) and the canonical form of the RRset.  Aside from
+   being ordered, the canonical form of the RRset might also differ from
+   the received RRset due to DNS name compression, decremented TTLs, or
+   wildcard expansion.  The resolver should use the following to
+   reconstruct the original signed data:
+
+         signed_data = RRSIG_RDATA | RR(1) | RR(2)...  where
+
+            "|" denotes concatenation
+
+            RRSIG_RDATA is the wire format of the RRSIG RDATA fields
+               with the Signature field excluded and the Signer's Name
+               in canonical form.
+
+            RR(i) = name | class | type | OrigTTL | RDATA length | RDATA
+
+               name is calculated according to the function below
+
+               class is the RRset's class
+
+               type is the RRset type and all RRs in the class
+
+               OrigTTL is the value from the RRSIG Original TTL field
+
+               All names in the RDATA field are in canonical form
+
+               The set of all RR(i) is sorted into canonical order.
+
+            To calculate the name:
+               let rrsig_labels = the value of the RRSIG Labels field
+
+               let fqdn = RRset's fully qualified domain name in
+                               canonical form
+
+               let fqdn_labels = Label count of the fqdn above.
+
+               if rrsig_labels = fqdn_labels,
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 30]
+
+Internet-Draft       DNSSEC Protocol Modifications         February 2004
+
+
+                   name = fqdn
+
+               if rrsig_labels < fqdn_labels,
+                  name = "*." | the rightmost rrsig_label labels of the
+                                fqdn
+
+               if rrsig_labels > fqdn_labels
+                  the RRSIG RR did not pass the necessary validation
+                  checks and MUST NOT be used to authenticate this
+                  RRset.
+
+   The canonical forms for names and RRsets are defined in
+   [I-D.ietf-dnsext-dnssec-records].
+
+   NSEC RRsets at a delegation boundary require special processing.
+   There are two distinct NSEC RRsets associated with a signed delegated
+   name.  One NSEC RRset resides in the parent zone, and specifies which
+   RRset are present at the parent zone.  The second NSEC RRset resides
+   at the child zone, and identifies which RRsets are present at the
+   apex in the child zone.  The parent NSEC RRset and child NSEC RRset
+   can always be distinguished since only the child NSEC RRs will
+   specify an SOA RRset exists at the name. When reconstructing the
+   original NSEC RRset for the delegation from the parent zone, the NSEC
+   RRs MUST NOT be combined with NSEC RRs from the child zone, and when
+   reconstructing the original NSEC RRset for the apex of the child
+   zone, the NSEC RRs MUST NOT be combined with NSEC RRs from the parent
+   zone.
+
+   Note also that each of the two NSEC RRsets at a delegation point has
+   a corresponding RRSIG RR with an owner name matching the delegated
+   name, and each of these RRSIG RRs is authoritative data associated
+   with the same zone that contains the corresponding NSEC RRset.  If
+   necessary, a resolver can tell these RRSIG RRs apart by checking the
+   Signer's Name field.
+
+5.3.3 Checking the Signature
+
+   Once the resolver has validated the RRSIG RR as described in Section
+   5.3.1 and reconstructed the original signed data as described in
+   Section 5.3.2, the resolver can attempt to use the cryptographic
+   signature to authenticate the signed data, and thus (finally!)
+   authenticate the RRset.
+
+   The Algorithm field in the RRSIG RR identifies the cryptographic
+   algorithm used to generate the signature.  The signature itself is
+   contained in the Signature field of the RRSIG RDATA, and the public
+   key used to verify the signature is contained in the Public Key field
+   of the matching DNSKEY RR(s) (found in Section 5.3.1).
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 31]
+
+Internet-Draft       DNSSEC Protocol Modifications         February 2004
+
+
+   [I-D.ietf-dnsext-dnssec-records] provides a list of algorithm types,
+   and provides pointers to the documents that define each algorithm's
+   use.
+
+   Note that it is possible for more than one DNSKEY RR to match the
+   conditions in Section 5.3.1.  In this case, the resolver can only
+   determine which DNSKEY RR by trying each matching public key until
+   the resolver either succeeds in validating the signature or runs out
+   of keys to try.
+
+   If the Labels field of the RRSIG RR is not equal to the number of
+   labels in the RRset's fully qualified owner name, then the RRset is
+   either invalid or the result of wildcard expansion.  The resolver
+   MUST verify that wildcard expansion was applied properly before
+   considering the RRset to be authentic.  Section 5.3.4 describes how
+   to determine whether a wildcard was applied properly.
+
+   If other RRSIG RRs also cover this RRset, the local resolver security
+   policy determines whether the resolver also needs to test these RRSIG
+   RRs, and determines how to resolve conflicts if these RRSIG RRs lead
+   to differing results.
+
+   If the resolver accepts the RRset as authentic, the resolver MUST set
+   the TTL of the RRSIG RR and each RR in the authenticated RRset to a
+   value no greater than the minimum of:
+
+   o  The RRset's TTL as received in the response;
+
+   o  The RRSIG RR's TTL as received in the response; and
+
+   o  The value in the RRSIG RR's Original TTL field.
+
+
+5.3.4 Authenticating A Wildcard Expanded RRset Positive Response
+
+   If the number of labels in an RRset's owner name is greater than the
+   Labels field of the covering RRSIG RR, then the RRset and its
+   covering RRSIG RR were created as a result of wildcard expansion.
+   Once the resolver has verified the signature as described in Section
+   5.3, the resolver must take additional steps to verify the
+   non-existence of an exact match or closer wildcard match for the
+   query.  Section 5.4 discusses these steps.
+
+   Note that the response received by the resolver should include all
+   NSEC RRs needed to authenticate the response (see Section 3.1.3).
+
+5.4 Authenticated Denial of Existence
+
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 32]
+
+Internet-Draft       DNSSEC Protocol Modifications         February 2004
+
+
+   A resolver can use authenticated NSEC RRs to prove that an RRset is
+   not present in a signed zone.  Security-aware name servers should
+   automatically include any necessary NSEC RRs for signed zones in
+   their responses to security-aware resolvers.
+
+   Security-aware resolvers MUST first authenticate NSEC RRsets
+   according to the standard RRset authentication rules described in
+   Section 5.3, then apply the NSEC RRsets as follows:
+
+   o  If the requested RR name matches the owner name of an
+      authenticated NSEC RR, then the NSEC RR's type bit map field lists
+      all RR types present at that owner name, and a resolver can prove
+      that the requested RR type does not exist by checking for the RR
+      type in the bit map.  If the number of labels in an authenticated
+      NSEC RR's owner name equals the Labels field of the covering RRSIG
+      RR, then the existence of the NSEC RR proves that wildcard
+      expansion could not have been used to match the request.
+
+   o  If the requested RR name would appear after an authenticated NSEC
+      RR's owner name and before the name listed in that NSEC RR's Next
+      Domain Name field according to the canonical DNS name order
+      defined in [I-D.ietf-dnsext-dnssec-records], then no RRsets with
+      the requested name exist in the zone.  However, it is possible
+      that a wildcard could be used to match the requested RR owner name
+      and type, so proving that the requested RRset does not exist also
+      requires proving that no possible wildcard RRset exists that could
+      have been used to generate a positive response.
+
+   To prove non-existence of an RRset, the resolver must be able to
+   verify both that the queried RRset does not exist and that no
+   relevant wildcard RRset exists.  Proving this may require more than
+   one NSEC RRset from the zone.  If the complete set of necessary NSEC
+   RRsets is not present in a response (perhaps due to message
+   truncation), then a security-aware resolver MUST resend the query in
+   order to attempt to obtain the full collection of NSEC RRs necessary
+   to verify non-existence of the requested RRset.  As with all DNS
+   operations, however, the resolver MUST bound the work it puts into
+   answering any particular query.
+
+   Since a verified NSEC RR proves the existence of both itself and its
+   corresponding RRSIG RR, a verifier MUST ignore the settings of the
+   NSEC and RRSIG bits in an NSEC RR.
+
+5.5 Authentication Example
+
+   Appendix C shows an example the authentication process.
+
+
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 33]
+
+Internet-Draft       DNSSEC Protocol Modifications         February 2004
+
+
+6. IANA Considerations
+
+   [I-D.ietf-dnsext-dnssec-records] contains a review of the IANA
+   considerations introduced by DNSSEC.  The additional IANA
+   considerations discussed in this document:
+
+   [RFC2535] reserved the CD and AD bits in the message header.  The
+   meaning of the AD bit was redefined in [RFC3655] and the meaning of
+   both the CD and AD bit are restated in this document.  No new bits in
+   the DNS message header are defined in this document.
+
+   [RFC2671] introduced EDNS and [RFC3225] reserved the DNSSEC OK bit
+   and defined its use.  The use is restated but not altered in this
+   document.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 34]
+
+Internet-Draft       DNSSEC Protocol Modifications         February 2004
+
+
+7. Security Considerations
+
+   This document describes how the DNS security extensions use public
+   key cryptography to sign and authenticate DNS resource record sets.
+   Please see [I-D.ietf-dnsext-dnssec-intro] for terminology and general
+   security considerations related to DNSSEC; see
+   [I-D.ietf-dnsext-dnssec-intro] for considerations specific to the
+   DNSSEC resource record types.
+
+   An active attacker who can set the CD bit in a DNS query message or
+   the AD bit in a DNS response message can use these bits to defeat the
+   protection which DNSSEC attempts to provide to security-oblivious
+   recursive-mode resolvers.  For this reason, use of these control bits
+   by a security-aware recursive-mode resolver requires a secure
+   channel.  See Section 3.2.2 and Section 4.8 for further discussion.
+
+   The protocol described in this document attempts to extend the
+   benefits of DNSSEC to security-oblivious stub resolvers. However,
+   since recovery from validation failures is likely to be specific to
+   particular applications, the facilities that DNSSEC provides for stub
+   resolvers may prove inadequate.  Operators of security-aware
+   recursive name servers will need to pay close attention to the
+   behavior of the applications which use their services when choosing a
+   local validation policy; failure to do so could easily result in the
+   recursive name server accidently denying service to the clients it is
+   intended to support.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 35]
+
+Internet-Draft       DNSSEC Protocol Modifications         February 2004
+
+
+8. Acknowledgements
+
+   This document was created from the input and ideas of the members of
+   the DNS Extensions Working Group and working group mailing list.  The
+   editors would like to express their thanks for the comments and
+   suggestions received during the revision of these security extension
+   specifications.  While explicitly listing everyone who has
+   contributed during the decade during which DNSSEC has been under
+   development would be an impossible task,
+   [I-D.ietf-dnsext-dnssec-intro] includes a list of some of the
+   participants who were kind enough to comment on these documents.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 36]
+
+Internet-Draft       DNSSEC Protocol Modifications         February 2004
+
+
+Normative References
+
+   [RFC1034]  Mockapetris, P., "Domain names - concepts and facilities",
+              STD 13, RFC 1034, November 1987.
+
+   [RFC1035]  Mockapetris, P., "Domain names - implementation and
+              specification", STD 13, RFC 1035, November 1987.
+
+   [RFC1982]  Elz, R. and R. Bush, "Serial Number Arithmetic", RFC 1982,
+              August 1996.
+
+   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
+              Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+   [RFC2181]  Elz, R. and R. Bush, "Clarifications to the DNS
+              Specification", RFC 2181, July 1997.
+
+   [RFC2671]  Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC
+              2671, August 1999.
+
+   [RFC3225]  Conrad, D., "Indicating Resolver Support of DNSSEC", RFC
+              3225, December 2001.
+
+   [RFC3226]  Gudmundsson, O., "DNSSEC and IPv6 A6 aware server/resolver
+              message size requirements", RFC 3226, December 2001.
+
+   [I-D.ietf-dnsext-dnssec-intro]
+              Arends, R., Austein, R., Larson, M., Massey, D. and S.
+              Rose, "DNS Security Introduction and Requirements",
+              draft-ietf-dnsext-dnssec-intro-09 (work in progress),
+              February 2004.
+
+   [I-D.ietf-dnsext-dnssec-records]
+              Arends, R., Austein, R., Larson, M., Massey, D. and S.
+              Rose, "Resource Records for DNS Security Extensions",
+              draft-ietf-dnsext-dnssec-records-07 (work in progress),
+              February 2004.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 37]
+
+Internet-Draft       DNSSEC Protocol Modifications         February 2004
+
+
+Informative References
+
+   [RFC2308]  Andrews, M., "Negative Caching of DNS Queries (DNS
+              NCACHE)", RFC 2308, March 1998.
+
+   [RFC2535]  Eastlake, D., "Domain Name System Security Extensions",
+              RFC 2535, March 1999.
+
+   [RFC2930]  Eastlake, D., "Secret Key Establishment for DNS (TKEY
+              RR)", RFC 2930, September 2000.
+
+   [RFC2931]  Eastlake, D., "DNS Request and Transaction Signatures (
+              SIG(0)s)", RFC 2931, September 2000.
+
+   [RFC3655]  Wellington, B. and O. Gudmundsson, "Redefinition of DNS
+              Authenticated Data (AD) bit", RFC 3655, November 2003.
+
+   [RFC3658]  Gudmundsson, O., "Delegation Signer (DS) Resource Record
+              (RR)", RFC 3658, December 2003.
+
+   [I-D.ietf-dnsext-wcard-clarify]
+              Halley, B. and E. Lewis, "Clarifying the Role of Wild Card
+              Domains in the Domain Name System",
+              draft-ietf-dnsext-wcard-clarify-02 (work in progress),
+              September 2003.
+
+
+Authors' Addresses
+
+   Roy Arends
+   Telematica Instituut
+   Drienerlolaan 5
+   7522 NB  Enschede
+   NL
+
+   EMail: roy.arends@telin.nl
+
+
+   Matt Larson
+   VeriSign, Inc.
+   21345 Ridgetop Circle
+   Dulles, VA  20166-6503
+   USA
+
+   EMail: mlarson@verisign.com
+
+
+
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 38]
+
+Internet-Draft       DNSSEC Protocol Modifications         February 2004
+
+
+   Rob Austein
+   Internet Systems Consortium
+   950 Charter Street
+   Redwood City, CA  94063
+   USA
+
+   EMail: sra@isc.org
+
+
+   Dan Massey
+   USC Information Sciences Institute
+   3811 N. Fairfax Drive
+   Arlington, VA  22203
+   USA
+
+   EMail: masseyd@isi.edu
+
+
+   Scott Rose
+   National Institute for Standards and Technology
+   100 Bureau Drive
+   Gaithersburg, MD  20899-8920
+   USA
+
+   EMail: scott.rose@nist.gov
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 39]
+
+Internet-Draft       DNSSEC Protocol Modifications         February 2004
+
+
+Appendix A. Signed Zone Example
+
+   The following example shows a (small) complete signed zone.
+
+   example.       3600 IN SOA ns1.example. bugs.x.w.example. (
+                              1071609350
+                              3600
+                              300
+                              3600000
+                              3600
+                              )
+                  3600 RRSIG  SOA 5 1 3600 20040115201552 (
+                              20031216201552 41681 example.
+                              F1KxMLu2zwDUFgUtdAqCq6F9zkaIPb3B7dzA
+                              hRLp8riOMQQgCCQ4x9KvSu2xLJa539jQIRW0
+                              VBU6+FZWzC2IJcc5liv2SXzyfiPu8diB9+Bj
+                              CSITjVX0IGrQgd+PKkaTxWQzG9TDZ2TtgnyM
+                              owLe/OV+Qqqic7ShV/S9l2YJF9I= )
+                  3600 NS     ns1.example.
+                  3600 NS     ns2.example.
+                  3600 RRSIG  NS 5 1 3600 20040115201552 (
+                              20031216201552 41681 example.
+                              YgTFj4yXRzbOddwfOTQhLHGPWm7x55ZRoPVz
+                              +bxuPHTozw3I2gpno81Em1RuVekWJHivAvQj
+                              s1h72oh+ipBadjCGSRu46u1T9JYUSLxLecgY
+                              eEw9qDeQIoZHRny5bYrX1x87ItEo5+n1lwOH
+                              FTVyQbVkcaxQ6U2FbZtMbfo//go= )
+                  3600 MX     1 xx.example.
+                  3600 RRSIG  MX 5 1 3600 20040115201552 (
+                              20031216201552 41681 example.
+                              JE9Kcx4NaXpaO2Jjyo5yi+DT6wgxwregHg18
+                              7xOOF0KjIYQpaoFY3Kp8MAKT7aupZpr5DmHe
+                              IpBNI6jC59A2uNVP+6UfqAyJMoNnq9d/paM+
+                              M+adwb+xrT+dZYpFZzyeXPmBqA/PVAtw1d5Q
+                              7wxkDWyzgasGiMNIKgYrm9vXz04= )
+                  3600 NSEC   a.example. NS SOA MX RRSIG NSEC DNSKEY
+                  3600 RRSIG  NSEC 5 1 3600 20040115201552 (
+                              20031216201552 41681 example.
+                              kE9ARiewdQSCsLXY9ldasZEW54kKhfEN2lsT
+                              vDD4biJsTPeaOXJ6bJ7s0CvybknENin3uqIX
+                              TAy6bsL919sEI3/SoHiRCwHalVmUPIWCsz4g
+                              Ee7gkQ+1uFzi7L8LGX9NjQI74s3M//OW2+T4
+                              7T/nOEOVZujD8IN/Utv+KUg+P6U= )
+                  3600 DNSKEY 256 3 5 (
+                              AQPmfvH5TF0S/vnd08C9EbVlG/+wbmFecyjH
+                              UtEh3d8h045BE36XSbr0XZU6kPLgA/Shf7TV
+                              fKduDMH7ASlP8MpUX4ci9ZiXffBjUKvsHORv
+                              BgtAcUYRofvzRZ/jl078bI/JJg9ee4ndY6FO
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 40]
+
+Internet-Draft       DNSSEC Protocol Modifications         February 2004
+
+
+                              5LtAM3ElSpRIIhAm4b2c69IMdwrU2Q==
+                              )
+                  3600 DNSKEY 257 3 5 (
+                              AQOwHAYrbYVzzKHF0PDHSt4zY+Vz1+yLz1/U
+                              Pv2j2nukkWKLipnqg8X2vI754SRpqwpPCKpv
+                              klUr36CE0byYLOpRE5WlKZjXm3uzDFIVdHUE
+                              2lFwkMP9tSHUrXbjypiZWZP71qNuBeYCDAyT
+                              nLu7mxrT1Y7GdSV7I6vwt0mDSWQDXQ==
+                              )
+                  3600 RRSIG  DNSKEY 5 1 3600 20040115201552 (
+                              20031216201552 41681 example.
+                              Pkxt/YJHVcnm3+56YGYziM69NDFJDEernUEU
+                              pU1yBY8H7TlvIWhJz/qHsWcPt79ri0lP0Ho5
+                              YDVp6GOFxBcR/7ejtV/izHO5tb88WM8xJLNc
+                              tJZeSSVG62kt1q5fiKKsxhhpqZFQgc+h6htG
+                              PjJstq6fvRq8kX7TPJcljUmDFKM= )
+                  3600 RRSIG  DNSKEY 5 1 3600 20040115201552 (
+                              20031216201552 60717 example.
+                              EVJnkWJSUTdaxIRX374Ki84OhYRYB+7TM/Z/
+                              C8ufeGjcZkAPpkA3XjPao+4kG/lR/qW8oyNK
+                              L0g5BI9fkcptXjf+0y3n5y/con6f+FOwHgdY
+                              J7/fjSW27L3Je0MSrR3T/RNaokZafWDCT/34
+                              Uu/YHFJKdBxs7sMeSBJ4UPm2uwc= )
+   a.example.     3600 IN NS  ns1.a.example.
+                  3600 IN NS  ns2.a.example.
+                  3600 DS     48327 5 1 (
+                              DFEB5E00E71A4DED5CABBBD7F15F24871983
+                              CAB7 )
+                  3600 RRSIG  DS 5 2 3600 20040115201552 (
+                              20031216201552 41681 example.
+                              wj4ME4MuuZN77PGiE8xgBmCXpRpUocRJLbW/
+                              hBbMGk2qtA9ose1Jr2F9rOU6zvU9Z0HQgxnb
+                              rSBfaeCZFmk3yOlo9Uqref4ukk9hwIjzxo7c
+                              ZbJstCYWiLF57i1k5Cj6npMbUZSIgRGcB+dC
+                              0yfe2uolEkeegjesDZuF+fC61Eg= )
+                  3600 NSEC   ai.example. NS DS RRSIG NSEC
+                  3600 RRSIG  NSEC 5 2 3600 20040115201552 (
+                              20031216201552 41681 example.
+                              iq8exEVhvdx4s3w3VmK3Mzfngwpmpv3NwOpb
+                              RMtgba/u5kyD4Mf03jyLtJLUevry2rZcRjF1
+                              3kDuKmewJ0jWA4sMuljJpx10rhvwlcKaJE3O
+                              ViEb66GFqDxCXExikKWsPm8qckYZLQ7ABNjf
+                              YgfAHJEJJj7K88QbKEK4/Je1hyk= )
+   ns1.a.example. 3600 IN A   192.0.2.5
+   ns2.a.example. 3600 IN A   192.0.2.6
+   ai.example.    3600 IN A   192.0.2.9
+                  3600 RRSIG  A 5 2 3600 20040115201552 (
+                              20031216201552 41681 example.
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 41]
+
+Internet-Draft       DNSSEC Protocol Modifications         February 2004
+
+
+                              hxNyPE9Wn675NDH/IpB2LZzhrUtV9eEndid8
+                              jiteGyki6CAEJKm1Dr2bjlrzdgfFBrpIac9c
+                              Up4zMlAkitX/7D9vFus8nLSvEHngpdc12Hlk
+                              OrvT0EsYA2XeQ0h3PPQk5FcK2ekxZvw5Zm7A
+                              sWifTxvcG5hv+A6TOd0O2xJYRik= )
+                  3600 HINFO  "KLH-10" "ITS"
+                  3600 RRSIG  HINFO 5 2 3600 20040115201552 (
+                              20031216201552 41681 example.
+                              4aSnKLykRT7htnnS8HtlM0YLMwU1Z92pvf/C
+                              hxETE5B6W8x+uJs9KV9nlZ/B6TNk4nFRgKg2
+                              KpKvEq7xUybNKwbbeGZE9n2fDH0FeDgHjqW2
+                              Ke0lQuszRxjx+McTEqVJMyHrBKnqNdUh1G92
+                              xo9NLoltg0GuwggZM240pRoTwO8= )
+                  3600 AAAA   2001:db8::f00:baa9
+                  3600 RRSIG  AAAA 5 2 3600 20040115201552 (
+                              20031216201552 41681 example.
+                              oq16/pU4MuvkgQyFqGrHqggz47i6iZL714u5
+                              9UsmGM1Y/qyQZsR4wi6hC2zIWXNJxIPIhitJ
+                              G6M5pjExUH/vOe0DIW73t/NHzcj0zOjxAPEI
+                              A+jBlOwn2EY5q87PMzBIeHWSx7DxtEIMC8XI
+                              zkK+1+Z5aqj1pmZ4yXUvd2znGnQ= )
+                  3600 NSEC   b.example. A HINFO AAAA RRSIG NSEC
+                  3600 RRSIG  NSEC 5 2 3600 20040115201552 (
+                              20031216201552 41681 example.
+                              Xr3qBss/U0yN12SL2stWs0AACeQjvRms9+xE
+                              ishTjb4B/XQ8yAfAmby5yF5DKR8900M0hT3Y
+                              ikp/wIF4TmtH5W7UFN13To/GWGJygaa7wyzU
+                              4AtgtRwmmevSAgzxhC7yRXUWyhpfQoW7zwpR
+                              ovChG5Ih3TOa8Qnch4IJQVfSFNU= )
+   b.example.     3600 IN NS  ns1.b.example.
+                  3600 IN NS  ns2.b.example.
+                  3600 NSEC   ns1.example. NS RRSIG NSEC
+                  3600 RRSIG  NSEC 5 2 3600 20040115201552 (
+                              20031216201552 41681 example.
+                              nFufQRM2UtSYTAwQaKEnIpua5ZHLqJrcLGAs
+                              VUpLoPOEsAXex1N3uIJQWmoXnr9Up00G7jbW
+                              VOVaLUvXR7b/4sQkyQLbOl9GpWiA1NYjPneN
+                              k3i+OWi3NmvRN71CuNky87DrVg0p2Mf2MjLX
+                              GRIZP9W1bgeDHZRcCNz2hQ67SgY= )
+   ns1.b.example. 3600 IN A   192.0.2.7
+   ns2.b.example. 3600 IN A   192.0.2.8
+   ns1.example.   3600 IN A   192.0.2.1
+                  3600 RRSIG  A 5 2 3600 20040115201552 (
+                              20031216201552 41681 example.
+                              5FrF88yOT6iiBdkiQLqaXkma0gCQza5/kLK7
+                              CgoMNlCR2QYhsur2X7Fex2/OYEmOkzOqO7Gs
+                              RoIc4e3nt+kfpd/4Htp9T5v+NXmMVPmW3Jmf
+                              +ZGpEf86AI7Rw3x2bSmVOzsxa4xUxE+DuINa
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 42]
+
+Internet-Draft       DNSSEC Protocol Modifications         February 2004
+
+
+                              WNJ/ulvIFa20d0xtlB7jazNCZ3Y= )
+                  3600 NSEC   ns2.example. A RRSIG NSEC
+                  3600 RRSIG  NSEC 5 2 3600 20040115201552 (
+                              20031216201552 41681 example.
+                              WaeyPcQtFjXj4cxDcqVseuhZPA4K/qSb7ylZ
+                              sj55rJ8OqEKDYt71e1MT3F5p76wKtLaPmoc0
+                              eLGnDD+Xouu/tWXtsjj5QpMhl13DUD0GLBiA
+                              s/wwxreW0SWkh4JJirodDE7vSIiI6gPJYhIj
+                              I2A5W86mMEbSgEF/pZHX/wi5FJI= )
+   ns2.example.   3600 IN A   192.0.2.2
+                  3600 RRSIG  A 5 2 3600 20040115201552 (
+                              20031216201552 41681 example.
+                              sfFOjxKZz1LMhyDfmB43RhIUVOHlVbLtP0lL
+                              xBsxcHt48NKLth81pzSWRFQfUtMCjaGWMtuK
+                              HFEVaAQXcwllWXXLbVpc9a32govT+hsapcht
+                              sPyxkcEpYEFTtB93edKRVQ0IgZBPOI02R6vG
+                              wCbeY0Rl8MIRcAaiIkFos/8hd1g= )
+                  3600 NSEC   *.w.example. A RRSIG NSEC
+                  3600 RRSIG  NSEC 5 2 3600 20040115201552 (
+                              20031216201552 41681 example.
+                              Vxovi9gQjxqYBI5QF2ZcbZ/5my7C+22uXKVb
+                              IN5dmV82uu2TqJ4g2a2KKywlVi+4Kcnm4O3b
+                              f7pV4g7pcQopa9AFiY8byFrPftuNvraDyp6J
+                              aPllr/HnIPGP4Vw78LKW4n812K2VxV8p/IJl
+                              yCup5bk/Dr47eU2/6+lqrBTOV8Q= )
+   *.w.example.   3600 IN MX  1 ai.example.
+                  3600 RRSIG  MX 5 2 3600 20040115201552 (
+                              20031216201552 41681 example.
+                              mzcZPkLFaFycrnJuHY8LHdmvmyD8prPbQXHg
+                              OXuGLRpO+qRU04v97KYNy8si1Ijmo85nI4Ns
+                              Hl2+WpbMguW9gyPpdHqIYkKJbOrX2b4bz6WA
+                              n7NlR05Rf2tE3e54a1LP0po55yqGtxdPKWOK
+                              91Ena87PA2MvoOE+A3ZpEk8MjEE= )
+                  3600 NSEC   x.w.example. MX RRSIG NSEC
+                  3600 RRSIG  NSEC 5 2 3600 20040115201552 (
+                              20031216201552 41681 example.
+                              OeBMvLlBam90xU/KxvyAYBNGWpvMf1TbaJFr
+                              f0Ip+tTkiqeEE8fx2ZAg1JcY9uhldms/9y45
+                              9HxO9Q3ZO6jfQzsx62YQaBte85d/Udhzf4AK
+                              /RHsZGSOabsu6DhacWC2Ew7vEgcMfiPHFzWW
+                              ANi1i3zhPOd3+Vjt4IQzaJXqVZE= )
+   x.w.example.   3600 IN MX  1 xx.example.
+                  3600 RRSIG  MX 5 3 3600 20040115201552 (
+                              20031216201552 41681 example.
+                              g2H7+tChKsYRqxDkrLZgraaKBF2pah6YNCEW
+                              ORmXLzrB6RWtXbjVHXjagBhZYsMPzkPqwn4m
+                              8IYSaPD0X3z001aXsgsh9WF+AOgbqa0eoIIY
+                              MHIEJ9MHB5cS33XXv2fY6iFmjLuZUz+pNSfv
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 43]
+
+Internet-Draft       DNSSEC Protocol Modifications         February 2004
+
+
+                              btznHMFDIbtuw/tAX7xXH2pDDHY= )
+                  3600 NSEC   x.y.w.example. MX RRSIG NSEC
+                  3600 RRSIG  NSEC 5 3 3600 20040115201552 (
+                              20031216201552 41681 example.
+                              zwAU3bQHLeDawvqbvlmNosGMGDz9wdEe/iia
+                              CU8DbanqOzUiPfqEgBN3evFMpGBM9H3zMjGA
+                              EjnP4fMerk7dzD8jfyLzNdCGsJjPtnEgctGA
+                              aNd+NGtSmedzeNGvlj7mNxnAdqHFY1c902pT
+                              3lMXiX4KNWUhB87q/pT/5z+xrqY= )
+   x.y.w.example. 3600 IN MX  1 xx.example.
+                  3600 RRSIG  MX 5 4 3600 20040115201552 (
+                              20031216201552 41681 example.
+                              slLY7KbPseET3XMJz/yGJBJpDczy1N2W4SAD
+                              v5Jx/osOWviEJBpUEwRndX+VmsmQJqKsQxtE
+                              unmxl4Sh9cuVyALJy1ByF9hZ0+E3i35qoxOK
+                              Oe+JZyiEiebZfZ8doH5J+keCkIQ8EHzw8Hnk
+                              Iykd5UmaTO5j4LlRnAvF8Z1m9/k= )
+                  3600 NSEC   xx.example. MX RRSIG NSEC
+                  3600 RRSIG  NSEC 5 4 3600 20040115201552 (
+                              20031216201552 41681 example.
+                              sjHnEm4kiIK64bRskNc3vxEHe12l9Lg8Y7G8
+                              VsXMUEEDeBCB3qlrGQeqhdl+gsQGRBiOA8Jj
+                              Jr5F9RNZepVLGv+t5fALeoe0gLHsWoTlfTdq
+                              AJ8a2E5BZYYvy9hjh9Y4Kqd23HOv21o2OC0J
+                              viOQHZ6I4xoZQP5G7r98/PhlrLM= )
+   xx.example.    3600 IN A   192.0.2.10
+                  3600 RRSIG  A 5 2 3600 20040115201552 (
+                              20031216201552 41681 example.
+                              fQfj8RhKKhC2vI0OJxgnZLeXFhpMmpjwV/ap
+                              tCkUP1YagLF9gB4NLRUrV1QO/e1f2zyxSngq
+                              iDW9yUJjKQcv9EWzbDd0kzXxPu11y/iS7oMS
+                              KOsVB4Mp7BM5q2kcBXBrM+Rr0eibvBXmHs8G
+                              0ToQVY81bPc3WXKZjRxQl3jiKtU= )
+                  3600 HINFO  "KLH-10" "TOPS-20"
+                  3600 RRSIG  HINFO 5 2 3600 20040115201552 (
+                              20031216201552 41681 example.
+                              fZIotOyJqpRTZ0KH5lsZIksuyslAMckBclZw
+                              p3LJiaYAibf+rwNFpS3CPUFsyCrA8UL+iVfA
+                              gTxa6O8+yKYsDXZ2x6wPPDqmBEeHT1XiKEA/
+                              pC+O35tVS6oLMYWJyGAGBJitXZQGr+MiBvSp
+                              EDXT07qFXtGntvBSpF9uQbEub6Y= )
+                  3600 AAAA   2001:db8::f00:baaa
+                  3600 RRSIG  AAAA 5 2 3600 20040115201552 (
+                              20031216201552 41681 example.
+                              kLh5dTA0XBIIjEV/guGo9pEOKNZ0Elvbuhm2
+                              dFbnHuZ1tLirjzCYr8CsmF9bSIKLbiMRc/SD
+                              mDhMUKFMhsVqCMwqfYjxXvTOG21BKyCki0Gg
+                              CgvRD47lC4NnCSaB6B6Ysj0Aupv75Nnqwi9Z
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 44]
+
+Internet-Draft       DNSSEC Protocol Modifications         February 2004
+
+
+                              D4ZubIon0XGe9fIjLnmb3pX/FUk= )
+                  3600 NSEC   example. A HINFO AAAA RRSIG NSEC
+                  3600 RRSIG  NSEC 5 2 3600 20040115201552 (
+                              20031216201552 41681 example.
+                              sbF8bfC6zqyuio2iov0C9byDCejWvxMJYgjn
+                              uy3nXbvVXXzcA+d2zG6uPQ8VLRSolCE+OQqE
+                              NsABxmoBhBwdxCrCpnU8SvzAkrRLwuOqAu1a
+                              1yBIfd352PHkQg1sxVDHGoFo3cFKzvkuD187
+                              sSNF3PAC0HPadh7SdHmXlFQtQ44= )
+
+   The apex DNSKEY set includes two DNSKEY RRs, and the DNSKEY RDATA
+   Flags indicate that each of these DNSKEY RRs is a zone key.  One of
+   these DNSKEY RRs also has the SEP flag set and has been used to sign
+   the apex DNSKEY RRset; this is the key which should be hashed to
+   generate a DS record to be inserted into the parent zone.  The other
+   DNSKEY is used to sign all the other RRsets in the zone.
+
+   The zone includes a wildcard entry "*.w.example".  Note that the name
+   "*.w.example" is used in constructing NSEC chains, and that the RRSIG
+   covering the "*.w.example" MX RRset has a label count of 2.
+
+   The zone also includes two delegations.  The delegation to
+   "b.example" includes an NS RRset, glue address records, and an NSEC
+   RR; note that only the NSEC RRset is signed.  The delegation to
+   "a.example" provides a DS RR; note that only the NSEC and DS RRsets
+   are signed.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 45]
+
+Internet-Draft       DNSSEC Protocol Modifications         February 2004
+
+
+Appendix B. Example Responses
+
+   The examples in this section show response messages using the signed
+   zone example in Appendix A.
+
+B.1 Answer
+
+   A successful query to an authoritative server.
+
+   ;; Header: QR AA DO RCODE=0
+   ;;
+   ;; Question
+   x.w.example.        IN MX
+
+   ;; Answer
+   x.w.example.   3600 IN MX  1 xx.example.
+   x.w.example.   3600 RRSIG  MX 5 3 3600 20040115201552 (
+                              20031216201552 41681 example.
+                              g2H7+tChKsYRqxDkrLZgraaKBF2pah6YNCEW
+                              ORmXLzrB6RWtXbjVHXjagBhZYsMPzkPqwn4m
+                              8IYSaPD0X3z001aXsgsh9WF+AOgbqa0eoIIY
+                              MHIEJ9MHB5cS33XXv2fY6iFmjLuZUz+pNSfv
+                              btznHMFDIbtuw/tAX7xXH2pDDHY= )
+
+   ;; Authority
+   example.       3600 NS     ns1.example.
+   example.       3600 NS     ns2.example.
+   example.       3600 RRSIG  NS 5 1 3600 20040115201552 (
+                              20031216201552 41681 example.
+                              YgTFj4yXRzbOddwfOTQhLHGPWm7x55ZRoPVz
+                              +bxuPHTozw3I2gpno81Em1RuVekWJHivAvQj
+                              s1h72oh+ipBadjCGSRu46u1T9JYUSLxLecgY
+                              eEw9qDeQIoZHRny5bYrX1x87ItEo5+n1lwOH
+                              FTVyQbVkcaxQ6U2FbZtMbfo//go= )
+
+   ;; Additional
+   xx.example.    3600 IN A   192.0.2.10
+   xx.example.    3600 RRSIG  A 5 2 3600 20040115201552 (
+                              20031216201552 41681 example.
+                              fQfj8RhKKhC2vI0OJxgnZLeXFhpMmpjwV/ap
+                              tCkUP1YagLF9gB4NLRUrV1QO/e1f2zyxSngq
+                              iDW9yUJjKQcv9EWzbDd0kzXxPu11y/iS7oMS
+                              KOsVB4Mp7BM5q2kcBXBrM+Rr0eibvBXmHs8G
+                              0ToQVY81bPc3WXKZjRxQl3jiKtU= )
+   xx.example.    3600 AAAA   2001:db8::f00:baaa
+   xx.example.    3600 RRSIG  AAAA 5 2 3600 20040115201552 (
+                              20031216201552 41681 example.
+                              kLh5dTA0XBIIjEV/guGo9pEOKNZ0Elvbuhm2
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 46]
+
+Internet-Draft       DNSSEC Protocol Modifications         February 2004
+
+
+                              dFbnHuZ1tLirjzCYr8CsmF9bSIKLbiMRc/SD
+                              mDhMUKFMhsVqCMwqfYjxXvTOG21BKyCki0Gg
+                              CgvRD47lC4NnCSaB6B6Ysj0Aupv75Nnqwi9Z
+                              D4ZubIon0XGe9fIjLnmb3pX/FUk= )
+   ns1.example.   3600 IN A   192.0.2.1
+   ns1.example.   3600 RRSIG  A 5 2 3600 20040115201552 (
+                              20031216201552 41681 example.
+                              5FrF88yOT6iiBdkiQLqaXkma0gCQza5/kLK7
+                              CgoMNlCR2QYhsur2X7Fex2/OYEmOkzOqO7Gs
+                              RoIc4e3nt+kfpd/4Htp9T5v+NXmMVPmW3Jmf
+                              +ZGpEf86AI7Rw3x2bSmVOzsxa4xUxE+DuINa
+                              WNJ/ulvIFa20d0xtlB7jazNCZ3Y= )
+   ns2.example.   3600 IN A   192.0.2.2
+   ns2.example.   3600 RRSIG  A 5 2 3600 20040115201552 (
+                              20031216201552 41681 example.
+                              sfFOjxKZz1LMhyDfmB43RhIUVOHlVbLtP0lL
+                              xBsxcHt48NKLth81pzSWRFQfUtMCjaGWMtuK
+                              HFEVaAQXcwllWXXLbVpc9a32govT+hsapcht
+                              sPyxkcEpYEFTtB93edKRVQ0IgZBPOI02R6vG
+                              wCbeY0Rl8MIRcAaiIkFos/8hd1g= )
+
+
+B.2 Name Error
+
+   An authoritative name error.  The NSEC RRs prove that the name does
+   not exist and that no covering wildcard exists.
+
+   ;; Header: QR AA DO RCODE=3
+   ;;
+   ;; Question
+   ml.example.         IN A
+
+   ;; Answer
+   ;; (empty)
+
+   ;; Authority
+   example.       3600 IN SOA ns1.example. bugs.x.w.example. (
+                              1071609350
+                              3600
+                              300
+                              3600000
+                              3600
+                              )
+   example.       3600 RRSIG  SOA 5 1 3600 20040115201552 (
+                              20031216201552 41681 example.
+                              F1KxMLu2zwDUFgUtdAqCq6F9zkaIPb3B7dzA
+                              hRLp8riOMQQgCCQ4x9KvSu2xLJa539jQIRW0
+                              VBU6+FZWzC2IJcc5liv2SXzyfiPu8diB9+Bj
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 47]
+
+Internet-Draft       DNSSEC Protocol Modifications         February 2004
+
+
+                              CSITjVX0IGrQgd+PKkaTxWQzG9TDZ2TtgnyM
+                              owLe/OV+Qqqic7ShV/S9l2YJF9I= )
+   b.example.     3600 NSEC   ns1.example. NS RRSIG NSEC
+   b.example.     3600 RRSIG  NSEC 5 2 3600 20040115201552 (
+                              20031216201552 41681 example.
+                              nFufQRM2UtSYTAwQaKEnIpua5ZHLqJrcLGAs
+                              VUpLoPOEsAXex1N3uIJQWmoXnr9Up00G7jbW
+                              VOVaLUvXR7b/4sQkyQLbOl9GpWiA1NYjPneN
+                              k3i+OWi3NmvRN71CuNky87DrVg0p2Mf2MjLX
+                              GRIZP9W1bgeDHZRcCNz2hQ67SgY= )
+   example.       3600 NSEC   a.example. NS SOA MX RRSIG NSEC DNSKEY
+   example.       3600 RRSIG  NSEC 5 1 3600 20040115201552 (
+                              20031216201552 41681 example.
+                              kE9ARiewdQSCsLXY9ldasZEW54kKhfEN2lsT
+                              vDD4biJsTPeaOXJ6bJ7s0CvybknENin3uqIX
+                              TAy6bsL919sEI3/SoHiRCwHalVmUPIWCsz4g
+                              Ee7gkQ+1uFzi7L8LGX9NjQI74s3M//OW2+T4
+                              7T/nOEOVZujD8IN/Utv+KUg+P6U= )
+
+   ;; Additional
+   ;; (empty)
+
+
+B.3 No Data Error
+
+   A "NODATA" response.  The NSEC RR proves that the name exists and
+   that the requested RR type does not.
+
+   ;; Header: QR AA DO RCODE=0
+   ;;
+   ;; Question
+   ns1.example.        IN MX
+
+   ;; Answer
+   ;; (empty)
+
+   ;; Authority
+   example.       3600 IN SOA ns1.example. bugs.x.w.example. (
+                              1071609350
+                              3600
+                              300
+                              3600000
+                              3600
+                              )
+   example.       3600 RRSIG  SOA 5 1 3600 20040115201552 (
+                              20031216201552 41681 example.
+                              F1KxMLu2zwDUFgUtdAqCq6F9zkaIPb3B7dzA
+                              hRLp8riOMQQgCCQ4x9KvSu2xLJa539jQIRW0
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 48]
+
+Internet-Draft       DNSSEC Protocol Modifications         February 2004
+
+
+                              VBU6+FZWzC2IJcc5liv2SXzyfiPu8diB9+Bj
+                              CSITjVX0IGrQgd+PKkaTxWQzG9TDZ2TtgnyM
+                              owLe/OV+Qqqic7ShV/S9l2YJF9I= )
+   ns1.example.   3600 NSEC   ns2.example. A RRSIG NSEC
+   ns1.example.   3600 RRSIG  NSEC 5 2 3600 20040115201552 (
+                              20031216201552 41681 example.
+                              WaeyPcQtFjXj4cxDcqVseuhZPA4K/qSb7ylZ
+                              sj55rJ8OqEKDYt71e1MT3F5p76wKtLaPmoc0
+                              eLGnDD+Xouu/tWXtsjj5QpMhl13DUD0GLBiA
+                              s/wwxreW0SWkh4JJirodDE7vSIiI6gPJYhIj
+                              I2A5W86mMEbSgEF/pZHX/wi5FJI= )
+
+   ;; Additional
+   ;; (empty)
+
+
+B.4 Referral to Signed Zone
+
+   Referral to a signed zone.   The DS RR contains the data which the
+   resolver will need to validate the corresponding DNSKEY RR in the
+   child zone's apex.
+
+   ;; Header: QR DO RCODE=0
+   ;;
+   ;; Question
+   mc.a.example.       IN MX
+
+   ;; Answer
+   ;; (empty)
+
+   ;; Authority
+   a.example.     3600 IN NS  ns1.a.example.
+   a.example.     3600 IN NS  ns2.a.example.
+   a.example.     3600 DS     48327 5 1 (
+                              DFEB5E00E71A4DED5CABBBD7F15F24871983
+                              CAB7 )
+   a.example.     3600 RRSIG  DS 5 2 3600 20040115201552 (
+                              20031216201552 41681 example.
+                              wj4ME4MuuZN77PGiE8xgBmCXpRpUocRJLbW/
+                              hBbMGk2qtA9ose1Jr2F9rOU6zvU9Z0HQgxnb
+                              rSBfaeCZFmk3yOlo9Uqref4ukk9hwIjzxo7c
+                              ZbJstCYWiLF57i1k5Cj6npMbUZSIgRGcB+dC
+                              0yfe2uolEkeegjesDZuF+fC61Eg= )
+
+   ;; Additional
+   ns1.a.example. 3600 IN A   192.0.2.5
+   ns2.a.example. 3600 IN A   192.0.2.6
+
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 49]
+
+Internet-Draft       DNSSEC Protocol Modifications         February 2004
+
+
+B.5 Referral to Unsigned Zone
+
+   Referral to an unsigned zone.  The NSEC RR proves that no DS RR for
+   this delegation exists in the parent zone.
+
+   ;; Header: QR DO RCODE=0
+   ;;
+   ;; Question
+   mc.b.example.       IN MX
+
+   ;; Answer
+   ;; (empty)
+
+   ;; Authority
+   b.example.     3600 IN NS  ns1.b.example.
+   b.example.     3600 IN NS  ns2.b.example.
+   b.example.     3600 NSEC   ns1.example. NS RRSIG NSEC
+   b.example.     3600 RRSIG  NSEC 5 2 3600 20040115201552 (
+                              20031216201552 41681 example.
+                              nFufQRM2UtSYTAwQaKEnIpua5ZHLqJrcLGAs
+                              VUpLoPOEsAXex1N3uIJQWmoXnr9Up00G7jbW
+                              VOVaLUvXR7b/4sQkyQLbOl9GpWiA1NYjPneN
+                              k3i+OWi3NmvRN71CuNky87DrVg0p2Mf2MjLX
+                              GRIZP9W1bgeDHZRcCNz2hQ67SgY= )
+
+   ;; Additional
+   ns1.b.example. 3600 IN A   192.0.2.7
+   ns2.b.example. 3600 IN A   192.0.2.8
+
+
+B.6 Wildcard Expansion
+
+   A successful query which was answered via wildcard expansion. The
+   label count in the answer's RRSIG RR indicates that a wildcard RRset
+   was expanded to produce this response, and the NSEC RR proves that no
+   closer match exists in the zone.
+
+   ;; Header: QR AA DO RCODE=0
+   ;;
+   ;; Question
+   a.z.w.example.      IN MX
+
+   ;; Answer
+   a.z.w.example. 3600 IN MX  1 ai.example.
+   a.z.w.example. 3600 RRSIG  MX 5 2 3600 20040115201552 (
+                              20031216201552 41681 example.
+                              mzcZPkLFaFycrnJuHY8LHdmvmyD8prPbQXHg
+                              OXuGLRpO+qRU04v97KYNy8si1Ijmo85nI4Ns
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 50]
+
+Internet-Draft       DNSSEC Protocol Modifications         February 2004
+
+
+                              Hl2+WpbMguW9gyPpdHqIYkKJbOrX2b4bz6WA
+                              n7NlR05Rf2tE3e54a1LP0po55yqGtxdPKWOK
+                              91Ena87PA2MvoOE+A3ZpEk8MjEE= )
+
+   ;; Authority
+   example.       3600 NS     ns1.example.
+   example.       3600 NS     ns2.example.
+   example.       3600 RRSIG  NS 5 1 3600 20040115201552 (
+                              20031216201552 41681 example.
+                              YgTFj4yXRzbOddwfOTQhLHGPWm7x55ZRoPVz
+                              +bxuPHTozw3I2gpno81Em1RuVekWJHivAvQj
+                              s1h72oh+ipBadjCGSRu46u1T9JYUSLxLecgY
+                              eEw9qDeQIoZHRny5bYrX1x87ItEo5+n1lwOH
+                              FTVyQbVkcaxQ6U2FbZtMbfo//go= )
+   x.y.w.example. 3600 NSEC   xx.example. MX RRSIG NSEC
+   x.y.w.example. 3600 RRSIG  NSEC 5 4 3600 20040115201552 (
+                              20031216201552 41681 example.
+                              sjHnEm4kiIK64bRskNc3vxEHe12l9Lg8Y7G8
+                              VsXMUEEDeBCB3qlrGQeqhdl+gsQGRBiOA8Jj
+                              Jr5F9RNZepVLGv+t5fALeoe0gLHsWoTlfTdq
+                              AJ8a2E5BZYYvy9hjh9Y4Kqd23HOv21o2OC0J
+                              viOQHZ6I4xoZQP5G7r98/PhlrLM= )
+
+   ;; Additional
+   ai.example.    3600 IN A   192.0.2.9
+   ai.example.    3600 RRSIG  A 5 2 3600 20040115201552 (
+                              20031216201552 41681 example.
+                              hxNyPE9Wn675NDH/IpB2LZzhrUtV9eEndid8
+                              jiteGyki6CAEJKm1Dr2bjlrzdgfFBrpIac9c
+                              Up4zMlAkitX/7D9vFus8nLSvEHngpdc12Hlk
+                              OrvT0EsYA2XeQ0h3PPQk5FcK2ekxZvw5Zm7A
+                              sWifTxvcG5hv+A6TOd0O2xJYRik= )
+   ai.example.    3600 AAAA   2001:db8::f00:baa9
+   ai.example.    3600 RRSIG  AAAA 5 2 3600 20040115201552 (
+                              20031216201552 41681 example.
+                              oq16/pU4MuvkgQyFqGrHqggz47i6iZL714u5
+                              9UsmGM1Y/qyQZsR4wi6hC2zIWXNJxIPIhitJ
+                              G6M5pjExUH/vOe0DIW73t/NHzcj0zOjxAPEI
+                              A+jBlOwn2EY5q87PMzBIeHWSx7DxtEIMC8XI
+                              zkK+1+Z5aqj1pmZ4yXUvd2znGnQ= )
+
+
+B.7 Wildcard No Data Error
+
+   A "NODATA" response for a name covered by a wildcard.  The NSEC RRs
+   prove that the matching wildcard name does not have any RRs of the
+   requested type and that no closer match exists in the zone.
+
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 51]
+
+Internet-Draft       DNSSEC Protocol Modifications         February 2004
+
+
+   ;; Header: QR AA DO RCODE=0
+   ;;
+   ;; Question
+   a.z.w.example.      IN AAAA
+
+   ;; Answer
+   ;; (empty)
+
+   ;; Authority
+   example.       3600 IN SOA ns1.example. bugs.x.w.example. (
+                              1071609350
+                              3600
+                              300
+                              3600000
+                              3600
+                              )
+   example.       3600 RRSIG  SOA 5 1 3600 20040115201552 (
+                              20031216201552 41681 example.
+                              F1KxMLu2zwDUFgUtdAqCq6F9zkaIPb3B7dzA
+                              hRLp8riOMQQgCCQ4x9KvSu2xLJa539jQIRW0
+                              VBU6+FZWzC2IJcc5liv2SXzyfiPu8diB9+Bj
+                              CSITjVX0IGrQgd+PKkaTxWQzG9TDZ2TtgnyM
+                              owLe/OV+Qqqic7ShV/S9l2YJF9I= )
+   x.y.w.example. 3600 NSEC   xx.example. MX RRSIG NSEC
+   x.y.w.example. 3600 RRSIG  NSEC 5 4 3600 20040115201552 (
+                              20031216201552 41681 example.
+                              sjHnEm4kiIK64bRskNc3vxEHe12l9Lg8Y7G8
+                              VsXMUEEDeBCB3qlrGQeqhdl+gsQGRBiOA8Jj
+                              Jr5F9RNZepVLGv+t5fALeoe0gLHsWoTlfTdq
+                              AJ8a2E5BZYYvy9hjh9Y4Kqd23HOv21o2OC0J
+                              viOQHZ6I4xoZQP5G7r98/PhlrLM= )
+   *.w.example.   3600 NSEC   x.w.example. MX RRSIG NSEC
+   *.w.example.   3600 RRSIG  NSEC 5 2 3600 20040115201552 (
+                              20031216201552 41681 example.
+                              OeBMvLlBam90xU/KxvyAYBNGWpvMf1TbaJFr
+                              f0Ip+tTkiqeEE8fx2ZAg1JcY9uhldms/9y45
+                              9HxO9Q3ZO6jfQzsx62YQaBte85d/Udhzf4AK
+                              /RHsZGSOabsu6DhacWC2Ew7vEgcMfiPHFzWW
+                              ANi1i3zhPOd3+Vjt4IQzaJXqVZE= )
+
+   ;; Additional
+   ;; (empty)
+
+
+B.8 DS Child Zone No Data Error
+
+   A "NODATA" response for a QTYPE=DS query which was mistakenly sent to
+   a name server for the child zone.
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 52]
+
+Internet-Draft       DNSSEC Protocol Modifications         February 2004
+
+
+   ;; Header: QR AA DO RCODE=0
+   ;;
+   ;; Question
+   example.            IN DS
+
+   ;; Answer
+   ;; (empty)
+
+   ;; Authority
+   example.       3600 IN SOA ns1.example. bugs.x.w.example. (
+                              1071609350
+                              3600
+                              300
+                              3600000
+                              3600
+                              )
+   example.       3600 RRSIG  SOA 5 1 3600 20040115201552 (
+                              20031216201552 41681 example.
+                              F1KxMLu2zwDUFgUtdAqCq6F9zkaIPb3B7dzA
+                              hRLp8riOMQQgCCQ4x9KvSu2xLJa539jQIRW0
+                              VBU6+FZWzC2IJcc5liv2SXzyfiPu8diB9+Bj
+                              CSITjVX0IGrQgd+PKkaTxWQzG9TDZ2TtgnyM
+                              owLe/OV+Qqqic7ShV/S9l2YJF9I= )
+   example.       3600 NSEC   a.example. NS SOA MX RRSIG NSEC DNSKEY
+   example.       3600 RRSIG  NSEC 5 1 3600 20040115201552 (
+                              20031216201552 41681 example.
+                              kE9ARiewdQSCsLXY9ldasZEW54kKhfEN2lsT
+                              vDD4biJsTPeaOXJ6bJ7s0CvybknENin3uqIX
+                              TAy6bsL919sEI3/SoHiRCwHalVmUPIWCsz4g
+                              Ee7gkQ+1uFzi7L8LGX9NjQI74s3M//OW2+T4
+                              7T/nOEOVZujD8IN/Utv+KUg+P6U= )
+
+   ;; Additional
+   ;; (empty)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 53]
+
+Internet-Draft       DNSSEC Protocol Modifications         February 2004
+
+
+Appendix C. Authentication Examples
+
+   The examples in this section show how the response messages in
+   Appendix B are authenticated.
+
+C.1 Authenticating An Answer
+
+   The query in section Appendix B.1 returned an MX RRset for
+   "x.w.example.com". The corresponding RRSIG indicates the MX RRset was
+   signed by an "example" DNSKEY with algorithm 5 and key tag 41681.
+   The resolver needs the corresponding DNSKEY RR in order to
+   authenticate this answer.   The discussion below describes how a
+   resolver might obtain this DNSKEY RR.
+
+   The RRSIG indicates the original TTL of the MX RRset was 3600 and,
+   for the purpose of authentication, the current TTL is replaced by
+   3600.   The RRSIG labels field value of 3 indicates the answer was
+   not the result of wildcard expansion.  The "x.w.example.com" MX RRset
+   is placed in canonical form and, assuming the current time falls
+   between the signature inception and expiration dates, the signature
+   is authenticated.
+
+C.1.1 Authenticating the example DNSKEY RR
+
+   This example shows the logical authentication process that starts
+   from the a preconfigured root DNSKEY (or DS RR) and moves down the
+   tree to authenticate the desired "example" DNSKEY RR.   Note the
+   logical order is presented for clarity and an implementation may
+   choose to construct the authentication as referrals are received or
+   may choose to construct the authentication chain only after all
+   RRsets have been obtained, or in any other combination it sees fit.
+   The example here demonstrates only the logical process and does not
+   dictate any implementation rules.
+
+   We assume the resolver starts with an preconfigured DNSKEY RR for the
+   root zone (or a preconfigured DS RR for the root zone).  The resolver
+   checks this preconfigured DNSKEY RR is present in the root DNSKEY
+   RRset (or the DS RR matches some DNSKEY in the root DNSKEY RRset),
+   this DNSKEY RR has signed the root DNSKEY RRset and the signature
+   lifetime is valid.  If all these conditions are met, all keys in the
+   DNSKEY RRset are considered authenticated.   The resolver then uses
+   one (or more) of the root DNSKEY RRs to authenticate the "example" DS
+   RRset.  Note the resolver may need to query the root zone to obtain
+   the root DNSKEY RRset and/or "example" DS RRset.
+
+   Once the DS RRset has been authenticated using the root DNSKEY, the
+   resolver checks the "example" DNSKEY RRset for some "example" DNSKEY
+   RR that matches one of the authenticated "example" DS RRs.  If such a
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 54]
+
+Internet-Draft       DNSSEC Protocol Modifications         February 2004
+
+
+   matching "example" DNSKEY is found, the resolver checks this DNSKEY
+   RR has signed the "example" DNSKEY RRset and the signature lifetime
+   is valid.  If all these conditions are met, all keys in the "example"
+   DNSKEY RRset are considered authenticated.
+
+   Finally the resolver checks that some DNSKEY RR in the "example"
+   DNSKEY RRset uses algorithm 5 and has a key tag of 41681.  This
+   DNSKEY is used to authenticated the RRSIG included in the response.
+   If multiple "example" DNSKEY RRs have algorithm 5 and key tag of
+   41681, then each DNSKEY RR is tried and the answer is authenticated
+   if either DNSKEY RR validates the signature as described above.
+
+C.2 Name Error
+
+   The query in section Appendix B.2 returned NSEC RRs that prove the
+   requested data does not exist and no wildcard applies.  The negative
+   reply is authenticated by verifying both NSEC RRs. The NSEC RRs are
+   authenticated in a manner identical to that of the MX RRset discussed
+   above.
+
+C.3 No Data Error
+
+   The query in section Appendix B.3 returned an NSEC RR that proves the
+   requested name exists, but the requested RR type does not exist. The
+   negative reply is authenticated by verifying the NSEC RR.  The NSEC
+   RR is authenticated in a manner identical to that of the MX RRset
+   discussed above.
+
+C.4 Referral to Signed Zone
+
+   The query in section Appendix B.4 returned a referral to the signed
+   "a.example." zone.  The DS RR is authenticated in a manner identical
+   to that of the MX RRset discussed above. This DS RR is used to
+   authenticate the "a.example" DNSKEY RRset.
+
+   Once the "a.example" DS RRset has been authenticated using the
+   "example" DNSKEY, the resolver checks the "a.example" DNSKEY RRset
+   for some "a.example" DNSKEY RR that matches the DS RR.  If such a
+   matching "a.example" DNSKEY is found, the resolver checks this DNSKEY
+   RR has signed the "a.example" DNSKEY RRset and the signature lifetime
+   is valid.  If all these conditions are met, all keys in the
+   "a.example" DNSKEY RRset are considered authenticated.
+
+C.5 Referral to Unsigned Zone
+
+   The query in section Appendix B.5 returned a referral to an unsigned
+   "b.example." zone.  The NSEC proves that no authentication leads from
+   "example" to "b.example" and the NSEC RR is authenticated in a manner
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 55]
+
+Internet-Draft       DNSSEC Protocol Modifications         February 2004
+
+
+   identical to that of the MX RRset discussed above.
+
+C.6 Wildcard Expansion
+
+   The query in section Appendix B.6 returned an answer that was
+   produced as a result of wildcard expansion.   The RRset expanded as
+   the similar to The corresponding RRSIG indicates the MX RRset was
+   signed by an "example" DNSKEY with algorithm 5 and key tag 41681.
+   The RRSIG indicates the original TTL of the MX RRset was 3600 and,
+   for the purpose of authentication, the current TTL is replaced by
+   3600.   The RRSIG labels field value of 2 indicates the answer the
+   result of wildcard expansion since the "a.z.w.example" name contains
+   4 labels.  The name "a.z.w.w.example" is replaced by "*.w.example",
+   the MX RRset is placed in canonical form and, assuming the current
+   time falls between the signature inception and expiration dates, the
+   signature is authenticated.
+
+   The NSEC proves that no closer match (exact or closer wildcard) could
+   have been used to answer this query and the NSEC RR must also be
+   authenticated before the answer is considered valid.
+
+C.7 Wildcard No Data Error
+
+   The query in section Appendix B.7 returned NSEC RRs that prove the
+   requested data does not exist and no wildcard applies.  The negative
+   reply is authenticated by verifying both NSEC RRs.
+
+C.8 DS Child Zone No Data Error
+
+   The query in section Appendix B.8 returned NSEC RRs that shows the
+   requested was answered by a child server ("example" server).   The
+   NSEC RR indicates the presence of an SOA RR, showing the answer is
+   from the child .  Queries for the "example" DS RRset should be sent
+   to the parent servers ("root" servers).
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 56]
+
+Internet-Draft       DNSSEC Protocol Modifications         February 2004
+
+
+Intellectual Property Statement
+
+   The IETF takes no position regarding the validity or scope of any
+   intellectual property or other rights that might be claimed to
+   pertain to the implementation or use of the technology described in
+   this document or the extent to which any license under such rights
+   might or might not be available; neither does it represent that it
+   has made any effort to identify any such rights. Information on the
+   IETF's procedures with respect to rights in standards-track and
+   standards-related documentation can be found in BCP-11. Copies of
+   claims of rights made available for publication and any assurances of
+   licenses to be made available, or the result of an attempt made to
+   obtain a general license or permission for the use of such
+   proprietary rights by implementors or users of this specification can
+   be obtained from the IETF Secretariat.
+
+   The IETF invites any interested party to bring to its attention any
+   copyrights, patents or patent applications, or other proprietary
+   rights which may cover technology that may be required to practice
+   this standard. Please address the information to the IETF Executive
+   Director.
+
+
+Full Copyright Statement
+
+   Copyright (C) The Internet Society (2004). All Rights Reserved.
+
+   This document and translations of it may be copied and furnished to
+   others, and derivative works that comment on or otherwise explain it
+   or assist in its implementation may be prepared, copied, published
+   and distributed, in whole or in part, without restriction of any
+   kind, provided that the above copyright notice and this paragraph are
+   included on all such copies and derivative works. However, this
+   document itself may not be modified in any way, such as by removing
+   the copyright notice or references to the Internet Society or other
+   Internet organizations, except as needed for the purpose of
+   developing Internet standards in which case the procedures for
+   copyrights defined in the Internet Standards process must be
+   followed, or as required to translate it into languages other than
+   English.
+
+   The limited permissions granted above are perpetual and will not be
+   revoked by the Internet Society or its successors or assignees.
+
+   This document and the information contained herein is provided on an
+   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 57]
+
+Internet-Draft       DNSSEC Protocol Modifications         February 2004
+
+
+   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+Acknowledgement
+
+   Funding for the RFC Editor function is currently provided by the
+   Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 58]
+
+
diff --git a/doc/draft/draft-ietf-dnsext-dnssec-records-07.txt b/doc/draft/draft-ietf-dnsext-dnssec-records-07.txt
new file mode 100644
index 00000000..cfd3567f
--- /dev/null
+++ b/doc/draft/draft-ietf-dnsext-dnssec-records-07.txt
@@ -0,0 +1,2073 @@
+
+
+DNS Extensions                                                 R. Arends
+Internet-Draft                                      Telematica Instituut
+Expires: August 16, 2004                                      R. Austein
+                                                                     ISC
+                                                               M. Larson
+                                                                VeriSign
+                                                               D. Massey
+                                                                 USC/ISI
+                                                                 S. Rose
+                                                                    NIST
+                                                       February 16, 2004
+
+
+            Resource Records for the DNS Security Extensions
+                  draft-ietf-dnsext-dnssec-records-07
+
+Status of this Memo
+
+   This document is an Internet-Draft and is in full conformance with
+   all provisions of Section 10 of RFC2026.
+
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF), its areas, and its working groups. Note that other
+   groups may also distribute working documents as Internet-Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time. It is inappropriate to use Internet-Drafts as reference
+   material or to cite them other than as "work in progress."
+
+   The list of current Internet-Drafts can be accessed at http://
+   www.ietf.org/ietf/1id-abstracts.txt.
+
+   The list of Internet-Draft Shadow Directories can be accessed at
+   http://www.ietf.org/shadow.html.
+
+   This Internet-Draft will expire on August 16, 2004.
+
+Copyright Notice
+
+   Copyright (C) The Internet Society (2004). All Rights Reserved.
+
+Abstract
+
+   This document is part of a family of documents that describes the DNS
+   Security Extensions (DNSSEC).  The DNS Security Extensions are a
+   collection of resource records and protocol modifications that
+   provide source authentication for the DNS. This document defines the
+   public key (DNSKEY), delegation signer (DS), resource record digital
+
+
+
+Arends, et al.          Expires August 16, 2004                 [Page 1]
+
+Internet-Draft          DNSSEC Resource Records            February 2004
+
+
+   signature (RRSIG), and authenticated denial of existence (NSEC)
+   resource records.  The purpose and format of each resource record is
+   described in detail, and an example of each resource record is given.
+
+   This document obsoletes RFC 2535 and incorporates changes from all
+   updates to RFC 2535.
+
+Table of Contents
+
+   1.    Introduction . . . . . . . . . . . . . . . . . . . . . . . .  4
+   1.1   Background and Related Documents . . . . . . . . . . . . . .  4
+   1.2   Reserved Words . . . . . . . . . . . . . . . . . . . . . . .  4
+   1.3   Editors' Notes . . . . . . . . . . . . . . . . . . . . . . .  4
+   1.3.1 Open Technical Issues  . . . . . . . . . . . . . . . . . . .  4
+   1.3.2 Technical Changes or Corrections . . . . . . . . . . . . . .  4
+   1.3.3 Typos and Minor Corrections  . . . . . . . . . . . . . . . .  5
+   2.    The DNSKEY Resource Record . . . . . . . . . . . . . . . . .  6
+   2.1   DNSKEY RDATA Wire Format . . . . . . . . . . . . . . . . . .  6
+   2.1.1 The Flags Field  . . . . . . . . . . . . . . . . . . . . . .  6
+   2.1.2 The Protocol Field . . . . . . . . . . . . . . . . . . . . .  7
+   2.1.3 The Algorithm Field  . . . . . . . . . . . . . . . . . . . .  7
+   2.1.4 The Public Key Field . . . . . . . . . . . . . . . . . . . .  7
+   2.1.5 Notes on DNSKEY RDATA Design . . . . . . . . . . . . . . . .  7
+   2.2   The DNSKEY RR Presentation Format  . . . . . . . . . . . . .  7
+   2.3   DNSKEY RR Example  . . . . . . . . . . . . . . . . . . . . .  8
+   3.    The RRSIG Resource Record  . . . . . . . . . . . . . . . . .  9
+   3.1   RRSIG RDATA Wire Format  . . . . . . . . . . . . . . . . . .  9
+   3.1.1 The Type Covered Field . . . . . . . . . . . . . . . . . . . 10
+   3.1.2 The Algorithm Number Field . . . . . . . . . . . . . . . . . 10
+   3.1.3 The Labels Field . . . . . . . . . . . . . . . . . . . . . . 10
+   3.1.4 Original TTL Field . . . . . . . . . . . . . . . . . . . . . 11
+   3.1.5 Signature Expiration and Inception Fields  . . . . . . . . . 11
+   3.1.6 The Key Tag Field  . . . . . . . . . . . . . . . . . . . . . 11
+   3.1.7 The Signer's Name Field  . . . . . . . . . . . . . . . . . . 12
+   3.1.8 The Signature Field  . . . . . . . . . . . . . . . . . . . . 12
+   3.2   The RRSIG RR Presentation Format . . . . . . . . . . . . . . 13
+   3.3   RRSIG RR Example . . . . . . . . . . . . . . . . . . . . . . 13
+   4.    The NSEC Resource Record . . . . . . . . . . . . . . . . . . 15
+   4.1   NSEC RDATA Wire Format . . . . . . . . . . . . . . . . . . . 15
+   4.1.1 The Next Domain Name Field . . . . . . . . . . . . . . . . . 15
+   4.1.2 The Type Bit Maps Field  . . . . . . . . . . . . . . . . . . 16
+   4.1.3 Inclusion of Wildcard Names in NSEC RDATA  . . . . . . . . . 17
+   4.2   The NSEC RR Presentation Format  . . . . . . . . . . . . . . 17
+   4.3   NSEC RR Example  . . . . . . . . . . . . . . . . . . . . . . 17
+   5.    The DS Resource Record . . . . . . . . . . . . . . . . . . . 19
+   5.1   DS RDATA Wire Format . . . . . . . . . . . . . . . . . . . . 19
+   5.1.1 The Key Tag Field  . . . . . . . . . . . . . . . . . . . . . 20
+   5.1.2 The Algorithm Field  . . . . . . . . . . . . . . . . . . . . 20
+
+
+
+Arends, et al.          Expires August 16, 2004                 [Page 2]
+
+Internet-Draft          DNSSEC Resource Records            February 2004
+
+
+   5.1.3 The Digest Type Field  . . . . . . . . . . . . . . . . . . . 20
+   5.1.4 The Digest Field . . . . . . . . . . . . . . . . . . . . . . 20
+   5.2   Processing of DS RRs When Validating Responses . . . . . . . 20
+   5.3   The DS RR Presentation Format  . . . . . . . . . . . . . . . 21
+   5.4   DS RR Example  . . . . . . . . . . . . . . . . . . . . . . . 21
+   6.    Canonical Form and Order of Resource Records . . . . . . . . 22
+   6.1   Canonical DNS Name Order . . . . . . . . . . . . . . . . . . 22
+   6.2   Canonical RR Form  . . . . . . . . . . . . . . . . . . . . . 22
+   6.3   Canonical RR Ordering Within An RRset  . . . . . . . . . . . 23
+   7.    IANA Considerations  . . . . . . . . . . . . . . . . . . . . 24
+   8.    Security Considerations  . . . . . . . . . . . . . . . . . . 26
+   9.    Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . 27
+         Normative References . . . . . . . . . . . . . . . . . . . . 28
+         Informative References . . . . . . . . . . . . . . . . . . . 30
+         Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 30
+   A.    DNSSEC Algorithm and Digest Types  . . . . . . . . . . . . . 32
+   A.1   DNSSEC Algorithm Types . . . . . . . . . . . . . . . . . . . 32
+   A.1.1 Private Algorithm Types  . . . . . . . . . . . . . . . . . . 32
+   A.2   DNSSEC Digest Types  . . . . . . . . . . . . . . . . . . . . 33
+   B.    Key Tag Calculation  . . . . . . . . . . . . . . . . . . . . 34
+   B.1   Key Tag for Algorithm 1 (RSA/MD5)  . . . . . . . . . . . . . 35
+         Intellectual Property and Copyright Statements . . . . . . . 36
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al.          Expires August 16, 2004                 [Page 3]
+
+Internet-Draft          DNSSEC Resource Records            February 2004
+
+
+1. Introduction
+
+   The DNS Security Extensions (DNSSEC) introduce four new DNS resource
+   record types: DNSKEY, RRSIG, NSEC, and DS.  This document defines the
+   purpose of each resource record (RR), the RR's RDATA format, and its
+   presentation format (ASCII representation).
+
+1.1 Background and Related Documents
+
+   The reader is assumed to be familiar with the basic DNS concepts
+   described in RFC1034 [RFC1034], RFC1035 [RFC1035] and subsequent RFCs
+   that update them:  RFC2136 [RFC2136], RFC2181 [RFC2181] and RFC2308
+   [RFC2308].
+
+   This document is part of a family of documents that define the DNS
+   security extensions.  The DNS security extensions (DNSSEC) are a
+   collection of resource records and DNS protocol modifications that
+   add source authentication and data integrity to the Domain Name
+   System (DNS).  An introduction to DNSSEC and definitions of common
+   terms can be found in [I-D.ietf-dnsext-dnssec-intro]. A description
+   of DNS protocol modifications can be found in
+   [I-D.ietf-dnsext-dnssec-protocol]. This document defines the DNSSEC
+   resource records.
+
+1.2 Reserved Words
+
+   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+   "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and "OPTIONAL" in this
+   document are to be interpreted as described in RFC 2119 [RFC2119].
+
+1.3 Editors' Notes
+
+1.3.1 Open Technical Issues
+
+   The cryptographic algorithm types (Appendix A) requires input from
+   the working group.  The DSA algorithm was moved to OPTIONAL.  This
+   had strong consensus in workshops and various discussions and a
+   separate Internet-Draft solely to move DSA from MANDATORY to OPTIONAL
+   seemed excessive.  This draft solicits input on that proposed change.
+
+1.3.2 Technical Changes or Corrections
+
+   Please report technical corrections to dnssec-editors@east.isi.edu.
+   To assist the editors, please indicate the text in error and point
+   out the RFC that defines the correct behavior.  For a technical
+   change where no RFC that defines the correct behavior, or if there's
+   more than one applicable RFC and the definitions conflict, please
+   post the issue to namedroppers.
+
+
+
+Arends, et al.          Expires August 16, 2004                 [Page 4]
+
+Internet-Draft          DNSSEC Resource Records            February 2004
+
+
+   An example correction to dnssec-editors might be: Page X says
+   "DNSSEC RRs SHOULD be automatically returned in responses."  This was
+   true in RFC 2535, but RFC 3225 (Section 3, 3rd paragraph) says the
+   DNSSEC RR types MUST NOT be included in responses unless the resolver
+   indicated support for DNSSEC.
+
+1.3.3 Typos and Minor Corrections
+
+   Please report any typos corrections to dnssec-editors@east.isi.edu.
+   To assist the editors, please provide enough context for us to find
+   the incorrect text quickly.
+
+   An example message to dnssec-editors might be: page X says "the
+   DNSSEC standard has been in development for over 1 years".   It
+   should read "over 10 years".
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al.          Expires August 16, 2004                 [Page 5]
+
+Internet-Draft          DNSSEC Resource Records            February 2004
+
+
+2. The DNSKEY Resource Record
+
+   DNSSEC uses public key cryptography to sign and authenticate DNS
+   resource record sets (RRsets).  The public keys are stored in DNSKEY
+   resource records and are used in the DNSSEC authentication process
+   described in [I-D.ietf-dnsext-dnssec-protocol]: A zone signs its
+   authoritative RRsets using a private key and stores the corresponding
+   public key in a DNSKEY RR.  A resolver can then use the public key to
+   authenticate signatures covering the RRsets in the zone.
+
+   The DNSKEY RR is not intended as a record for storing arbitrary
+   public keys, and MUST NOT be used to store certificates or public
+   keys that do not directly relate to the DNS infrastructure.
+
+   The Type value for the DNSKEY RR type is 48.
+
+   The DNSKEY RR is class independent.
+
+   The DNSKEY RR has no special TTL requirements.
+
+2.1 DNSKEY RDATA Wire Format
+
+   The RDATA for a DNSKEY RR consists of a 2 octet Flags Field, a 1
+   octet Protocol Field, a 1 octet Algorithm Field, and the Public Key
+   Field.
+
+                        1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
+    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+   |              Flags            |    Protocol   |   Algorithm   |
+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+   /                                                               /
+   /                            Public Key                         /
+   /                                                               /
+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+
+2.1.1 The Flags Field
+
+   Bit 7 of the Flags field is the Zone Key flag.  If bit 7 has value 1,
+   then the DNSKEY record holds a DNS zone key and the DNSKEY RR's owner
+   name MUST be the name of a zone. If bit 7 has value 0, then the
+   DNSKEY record holds some other type of DNS public key, such as a
+   public key used by TKEY and MUST NOT be used to verify RRSIGs that
+   cover RRsets.
+
+   Bit 15 of the Flags field is the Secure Entry Point flag, described
+   in [I-D.ietf-dnsext-keyrr-key-signing-flag]. If bit 15 has value 1,
+
+
+
+Arends, et al.          Expires August 16, 2004                 [Page 6]
+
+Internet-Draft          DNSSEC Resource Records            February 2004
+
+
+   then the DNSKEY record holds a key intended for use as a secure entry
+   point.  This flag is only intended to be to a hint to zone signing or
+   debugging software as to the intended use of this DNSKEY record;
+   security-aware resolvers MUST NOT alter their behavior during the
+   signature validation process in any way based on the setting of this
+   bit.
+
+   Bits 0-6 and 8-14 are reserved: these bits MUST have value 0 upon
+   creation of the DNSKEY RR, and MUST be ignored upon reception.
+
+2.1.2 The Protocol Field
+
+   The Protocol Field MUST have value 3 and MUST be treated as invalid
+   during signature verification if found to be some value other than 3.
+
+2.1.3 The Algorithm Field
+
+   The Algorithm field identifies the public key's cryptographic
+   algorithm and determines the format of the Public Key field.  A list
+   of DNSSEC algorithm types can be found in Appendix A.1
+
+2.1.4 The Public Key Field
+
+   The Public Key Field holds the public key material.  The format
+   depends on the algorithm of the key being stored and are described in
+   separate documents.
+
+2.1.5 Notes on DNSKEY RDATA Design
+
+   Although the Protocol Field always has value 3, it is retained for
+   backward compatibility with early versions of the KEY record.
+
+2.2 The DNSKEY RR Presentation Format
+
+   The presentation format of the RDATA portion is as follows:
+
+   The Flag field MUST be represented as an unsigned decimal integer
+   with a value of 0, 256, or 257.
+
+   The Protocol Field MUST be represented as an unsigned decimal integer
+   with a value of 3.
+
+   The Algorithm field MUST  be represented either as an unsigned
+   decimal integer or as an algorithm mnemonic as specified in Appendix
+   A.1.
+
+   The Public Key field MUST be represented as a Base64 encoding of the
+   Public Key.  Whitespace is allowed within the Base64 text.  For a
+
+
+
+Arends, et al.          Expires August 16, 2004                 [Page 7]
+
+Internet-Draft          DNSSEC Resource Records            February 2004
+
+
+   definition of Base64 encoding, see [RFC1521] Section 5.2.
+
+2.3 DNSKEY RR Example
+
+   The following DNSKEY RR stores a DNS zone key for example.com.
+
+   example.com. 86400 IN DNSKEY 256 3 5 ( AQPSKmynfzW4kyBv015MUG2DeIQ3
+                                          Cbl+BBZH4b/0PY1kxkmvHjcZc8no
+                                          kfzj31GajIQKY+5CptLr3buXA10h
+                                          WqTkF7H6RfoRqXQeogmMHfpftf6z
+                                          Mv1LyBUgia7za6ZEzOJBOztyvhjL
+                                          742iU/TpPSEDhm2SNKLijfUppn1U
+                                          aNvv4w==  )
+
+   The first four text fields specify the owner name, TTL, Class, and RR
+   type (DNSKEY).  Value 256 indicates that the Zone Key bit (bit 7) in
+   the Flags field has value 1.  Value 3 is the fixed Protocol value.
+   Value 5 indicates the public key algorithm.  Appendix A.1 identifies
+   algorithm type 5 as RSA/SHA1 and indicates that the format of the
+   RSA/SHA1 public key field is defined in [RFC3110].  The remaining
+   text is a Base64 encoding of the public key.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al.          Expires August 16, 2004                 [Page 8]
+
+Internet-Draft          DNSSEC Resource Records            February 2004
+
+
+3. The RRSIG Resource Record
+
+   DNSSEC uses public key cryptography to sign and authenticate DNS
+   resource record sets (RRsets).  Digital signatures are stored in
+   RRSIG resource records and are used in the DNSSEC authentication
+   process described in [I-D.ietf-dnsext-dnssec-protocol]. A
+   security-aware resolver can use these RRSIG RRs to authenticate
+   RRsets from the zone.  The RRSIG RR MUST only be used to carry
+   verification material (digital signatures) used to secure DNS
+   operations.
+
+   An RRSIG record contains the signature for an RRset with a particular
+   name, class, and type.  The RRSIG RR specifies a validity interval
+   for the signature and uses the Algorithm, the Signer's Name, and the
+   Key Tag to identify the DNSKEY RR containing the public key that a
+   resolver can use to verify the signature.
+
+   Because every authoritative RRset in a zone must be protected by a
+   digital signature, RRSIG RRs must be present for names containing a
+   CNAME RR.  This is a change to the traditional DNS specification
+   [RFC1034] that stated that if a CNAME is present for a name, it is
+   the only type allowed at that name.  A RRSIG and NSEC (see Section 4)
+   MUST exist for the same name as a CNAME resource record in a secure
+   zone.
+
+   The Type value for the RRSIG RR type is 46.
+
+   The RRSIG RR is class independent.
+
+   An RRSIG RR MUST have the same class as the RRset it covers.
+
+   The TTL value of an RRSIG RR SHOULD match the TTL value of the RRset
+   it covers.  This is an exception to the [RFC2181] rules for TTL
+   values of individual RRs within a RRset: individual RRSIG with the
+   same owner name will have different TTL values if the RRsets that
+   they cover have different TTL values.
+
+3.1 RRSIG RDATA Wire Format
+
+   The RDATA for an RRSIG RR consists of a 2 octet Type Covered field, a
+   1 octet Algorithm field, a 1 octet Labels field, a 4 octet Original
+   TTL field, a 4 octet Signature Expiration field, a 4 octet Signature
+   Inception field, a 2 octet Key tag, the Signer's Name field, and the
+   Signature field.
+
+                        1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
+    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+
+
+Arends, et al.          Expires August 16, 2004                 [Page 9]
+
+Internet-Draft          DNSSEC Resource Records            February 2004
+
+
+   |        Type Covered           |  Algorithm    |     Labels    |
+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+   |                         Original TTL                          |
+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+   |                      Signature Expiration                     |
+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+   |                      Signature Inception                      |
+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+   |            Key Tag            |                               /
+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+         Signer's Name         /
+   /                                                               /
+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+   /                                                               /
+   /                            Signature                          /
+   /                                                               /
+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+
+3.1.1 The Type Covered Field
+
+   The Type Covered field identifies the type of the RRset which is
+   covered by this RRSIG record.
+
+3.1.2 The Algorithm Number Field
+
+   The Algorithm Number field identifies the cryptographic algorithm
+   used to create the signature.  A list of DNSSEC algorithm types can
+   be found in Appendix A.1
+
+3.1.3 The Labels Field
+
+   The Labels field specifies the number of labels in the original RRSIG
+   RR owner name. The significance of this field is that from it a
+   verifier can determine if the answer was synthesized from a wildcard.
+   If so, it can be used to determine what owner name was used in
+   generating the signature.
+
+   To validate a signature, the validator needs the original owner name
+   that was used to create the signature. If the original owner name
+   contains a wildcard label ("*"), the owner name may have been
+   expanded by the server during the response process, in which case the
+   validator will need to reconstruct the original owner name in order
+   to validate the signature.  [I-D.ietf-dnsext-dnssec-protocol]
+   describes how to use the Labels field to reconstruct the original
+   owner name.
+
+   The value of the Labels field MUST NOT count either the null (root)
+   label that terminates the owner name or the wildcard label (if
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 10]
+
+Internet-Draft          DNSSEC Resource Records            February 2004
+
+
+   present).  The value of the Labels field MUST be less than or equal
+   to the number of labels in the RRSIG owner name.  For example,
+   "www.example.com." has a Labels field value of 3, and
+   "*.example.com." has a Labels field value of 2.  Root (".") has a
+   Labels field value of 0.
+
+   Although the wildcard label is not included in the count stored in
+   the Labels field of the RRSIG RR, the wildcard label is part of the
+   RRset's owner name when generating or verifying the signature.
+
+3.1.4 Original TTL Field
+
+   The Original TTL field specifies the TTL of the covered RRset as it
+   appears in the authoritative zone.
+
+   The Original TTL field is necessary because a caching resolver
+   decrements the TTL value of a cached RRset. In order to validate a
+   signature, a resolver requires the original TTL.
+   [I-D.ietf-dnsext-dnssec-protocol] describes how to use the Original
+   TTL field value to reconstruct the original TTL.
+
+3.1.5 Signature Expiration and Inception Fields
+
+   The Signature Expiration and Inception fields specify a validity
+   period for the signature.  The RRSIG record MUST NOT be used for
+   authentication prior to the inception date and MUST NOT be used for
+   authentication after the expiration date.
+
+   Signature Expiration and Inception field values are in POSIX.1 time
+   format: a 32-bit unsigned number of seconds elapsed since 1 January
+   1970 00:00:00 UTC, ignoring leap seconds, in network byte order.  The
+   longest interval which can be expressed by this format without
+   wrapping is approximately 136 years.  An RRSIG RR can have an
+   Expiration field value which is numerically smaller than the
+   Inception field value if the expiration field value is near the
+   32-bit wrap-around point or if the signature is long lived.  Because
+   of this, all comparisons involving these fields MUST use "Serial
+   number arithmetic" as defined in [RFC1982].  As a direct consequence,
+   the values contained in these fields cannot refer to dates more than
+   68 years in either the past or the future.
+
+3.1.6 The Key Tag Field
+
+   The Key Tag field contains the key tag value of the DNSKEY RR that
+   validates this signature.  Appendix B explains how to calculate Key
+   Tag values.
+
+
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 11]
+
+Internet-Draft          DNSSEC Resource Records            February 2004
+
+
+3.1.7 The Signer's Name Field
+
+   The Signer's Name field value identifies the owner name of the DNSKEY
+   RR which a security-aware resolver should use to validate this
+   signature.  The Signer's Name field MUST contain the name of the zone
+   of the covered RRset.  A sender MUST NOT use DNS name compression on
+   the Signer's Name field when transmitting a RRSIG RR.  A receiver
+   which receives an RRSIG RR containing a compressed Signer's Name
+   field SHOULD decompress the field value.
+
+3.1.8 The Signature Field
+
+   The Signature field contains the cryptographic signature which covers
+   the RRSIG RDATA (excluding the Signature field) and the RRset
+   specified by the RRSIG owner name, RRSIG class, and RRSIG Type
+   Covered field.  The format of this field depends on the algorithm in
+   use and these formats are described in separate companion documents.
+
+3.1.8.1 Signature Calculation
+
+   A signature covers the RRSIG RDATA (excluding the Signature Field)
+   and covers the data RRset specified by the RRSIG owner name, RRSIG
+   class, and RRSIG Type Covered fields.  The RRset is in canonical form
+   (see Section 6) and the set RR(1),...RR(n) is signed as follows:
+
+         signature = sign(RRSIG_RDATA | RR(1) | RR(2)... ) where
+
+            "|" denotes concatenation;
+
+            RRSIG_RDATA is the wire format of the RRSIG RDATA fields
+               with the Signer's Name field in canonical form and
+               the Signature field excluded;
+
+            RR(i) = owner | class | type | TTL | RDATA length | RDATA;
+
+               "owner" is the fully qualified owner name of the RRset in
+               canonical form (for RRs with wildcard owner names, the
+               wildcard label is included in the owner name);
+
+               Each RR MUST have the same owner name as the RRSIG RR;
+
+               Each RR MUST have the same class as the RRSIG RR;
+
+               Each RR in the RRset MUST have the RR type listed in the
+               RRSIG RR's Type Covered field;
+
+               Each RR in the RRset MUST have the TTL listed in the
+               RRSIG Original TTL Field;
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 12]
+
+Internet-Draft          DNSSEC Resource Records            February 2004
+
+
+               Any DNS names in the RDATA field of each RR MUST be in
+               canonical form; and
+
+               The RRset MUST be sorted in canonical order.
+
+
+3.2 The RRSIG RR Presentation Format
+
+   The presentation format of the RDATA portion is as follows:
+
+   The Type Covered field value MUST be represented either as an
+   unsigned decimal integer or as the mnemonic for the covered RR type.
+
+   The Algorithm field value MUST be represented either as an unsigned
+   decimal  integer or as an algorithm mnemonic as specified in Appendix
+   A.1.
+
+   The Labels field value MUST be represented as an unsigned decimal
+   integer.
+
+   The Original TTL field value MUST be represented as an unsigned
+   decimal integer.
+
+   The Signature Expiration Time and Inception Time field values MUST be
+   represented in the form YYYYMMDDHHmmSS in UTC, where:
+
+      YYYY is the year (0000-9999, but see Section 3.1.5);
+
+      MM is the month number (01-12);
+
+      DD is the day of the month (01-31);
+
+      HH is the hour in 24 hours notation (00-23);
+
+      mm is the minute (00-59);
+
+      SS is the second (00-59).
+
+   The Key Tag field MUST be represented as an unsigned decimal integer.
+
+   The Signer's Name field value MUST be represented as a domain name.
+
+   The Signature field is represented as a Base64 encoding of the
+   signature.  Whitespace is allowed within the Base64 text.  For a
+   definition of Base64 encoding see [RFC1521] Section 5.2.
+
+3.3 RRSIG RR Example
+
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 13]
+
+Internet-Draft          DNSSEC Resource Records            February 2004
+
+
+   The following an RRSIG RR stores the signature for the A RRset of
+   host.example.com:
+
+   host.example.com. 86400 IN RRSIG A 5 3 86400 20030322173103 (
+                                  20030220173103 2642 example.com.
+                                  oJB1W6WNGv+ldvQ3WDG0MQkg5IEhjRip8WTr
+                                  PYGv07h108dUKGMeDPKijVCHX3DDKdfb+v6o
+                                  B9wfuh3DTJXUAfI/M0zmO/zz8bW0Rznl8O3t
+                                  GNazPwQKkRN20XPXV6nwwfoXmJQbsLNrLfkG
+                                  J5D6fwFm8nN+6pBzeDQfsS3Ap3o= )
+
+   The first four fields specify the owner name, TTL, Class, and RR type
+   (RRSIG).  The "A" represents the Type Covered field. The value 5
+   identifies the algorithm used (RSA/SHA1) to create the signature.
+   The value 3 is the number of Labels in the original owner name.  The
+   value 86400 in the RRSIG RDATA is the Original TTL for the covered A
+   RRset.  20030322173103 and 20030220173103 are the expiration and
+   inception dates, respectively.  2642 is the Key Tag, and example.com.
+   is the Signer's Name.  The remaining text is a Base64 encoding of the
+   signature.
+
+   Note that combination of RRSIG RR owner name, class, and Type Covered
+   indicate that this RRSIG covers the "host.example.com" A RRset.  The
+   Label value of 3 indicates that no wildcard expansion was used.  The
+   Algorithm, Signer's Name, and Key Tag indicate this signature can be
+   authenticated using an example.com zone DNSKEY RR whose algorithm is
+   5 and key tag is 2642.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 14]
+
+Internet-Draft          DNSSEC Resource Records            February 2004
+
+
+4. The NSEC Resource Record
+
+   The NSEC resource record lists two separate things: the owner name of
+   the next authoritative RRset in the canonical ordering of the zone,
+   and the set of RR types present at the NSEC RR's owner name.  The
+   complete set of NSEC RRs in a zone both indicate which authoritative
+   RRsets exist in a zone and also form a chain of authoritative owner
+   names in the zone.  This information is used to provide authenticated
+   denial of existence for DNS data, as described in
+   [I-D.ietf-dnsext-dnssec-protocol].
+
+   Because every authoritative name in a zone must be part of the NSEC
+   chain, NSEC RRs must be present for names containing a CNAME RR.
+   This is a change to the traditional DNS specification [RFC1034] that
+   stated that if a CNAME is present for a name, it is the only type
+   allowed at that name.  An RRSIG (see Section 3) and NSEC MUST exist
+   for the same name as a CNAME resource record in a secure zone.
+
+   The type value for the NSEC RR is 47.
+
+   The NSEC RR is class independent.
+
+   The NSEC RR SHOULD have the same TTL value as the SOA minimum TTL
+   field. This is in the spirt of negative caching [RFC2308].
+
+4.1 NSEC RDATA Wire Format
+
+   The RDATA of the NSEC RR is as shown below:
+
+                        1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
+    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+   /                      Next Domain Name                         /
+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+   /                       Type Bit Maps                           /
+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+
+4.1.1 The Next Domain Name Field
+
+   The Next Domain Name field contains the owner name of the next
+   authoritative owner name in the canonical ordering of the zone; see
+   Section 6.1 for an explanation of canonical ordering.  The value of
+   the Next Domain Name field in the last NSEC record in the zone is the
+   name of the zone apex (the owner name of the zone's SOA RR).
+
+   A sender MUST NOT use DNS name compression on the Next Domain Name
+   field when transmitting an NSEC RR.  A receiver which receives an
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 15]
+
+Internet-Draft          DNSSEC Resource Records            February 2004
+
+
+   NSEC RR containing a compressed Next Domain Name field SHOULD
+   decompress the field value.
+
+   Owner names of RRsets not authoritative for the given zone (such as
+   glue records) MUST NOT be listed in the Next Domain Name unless at
+   least one authoritative RRset exists at the same owner name.
+
+4.1.2 The Type Bit Maps Field
+
+   The Type Bit Maps field identifies the RRset types which exist at the
+   NSEC RR's owner name.
+
+   The RR type space is split into 256 window blocks, each representing
+   the low-order 8 bits of the 16-bit RR type space. Each block that has
+   at least one active RR type is encoded using a single octet window
+   number (from 0 to 255), a single octet bitmap length (from 1 to 32)
+   indicating the number of octets used for the window block's bitmap,
+   and up to 32 octets (256 bits) of bitmap.
+
+   Blocks are present in the NSEC RR RDATA in increasing numerical
+   order.
+
+      Type Bit Maps Field = ( Window Block # | Bitmap Length | Bitmap )+
+
+      where "|" denotes concatenation.
+
+   Each bitmap encodes the low-order 8 bits of RR types within the
+   window block, in network bit order.  The first bit is bit 0.  For
+   window block 0, bit 1 corresponds to RR type 1 (A), bit 2 corresponds
+   to RR type 2 (NS), and so forth.  For window block 1, bit 1
+   corresponds to RR type 257, bit 2 to RR type 258.  If a bit is set to
+   1, it indicates that an RRset of that type is present for the NSEC
+   RR's owner name.  If a bit is set to 0, it indicates that no RRset of
+   that type is present for the NSEC RR's owner name.
+
+   Since bit 0 in window block 0 refers to the non-existent RR type 0,
+   it MUST be set to 0.  After verification, the validator MUST ignore
+   the value of bit 0 in window block 0.
+
+   Bits representing pseudo-types MUST be set to 0, since they do not
+   appear in zone data.  If encountered, they MUST be ignored upon
+   reading.
+
+   Blocks with no types present MUST NOT be included. Trailing zero
+   octets in the bitmap MUST be omitted.  The length of each block's
+   bitmap is determined by the type code with the largest numerical
+   value, within that block, among the set of RR types present at the
+   NSEC RR's owner name.  Trailing zero octets not specified MUST be
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 16]
+
+Internet-Draft          DNSSEC Resource Records            February 2004
+
+
+   interpreted as zero octets.
+
+   A zone MUST NOT generate an NSEC RR for any domain name that only
+   holds glue records.
+
+4.1.3 Inclusion of Wildcard Names in NSEC RDATA
+
+   If a wildcard owner name appears in a zone, the wildcard label ("*")
+   is treated as a literal symbol and is treated the same as any other
+   owner name for purposes of generating NSEC RRs.  Wildcard owner names
+   appear in the Next Domain Name field without any wildcard expansion.
+   [I-D.ietf-dnsext-dnssec-protocol] describes the impact of wildcards
+   on authenticated denial of existence.
+
+4.2 The NSEC RR Presentation Format
+
+   The presentation format of the RDATA portion is as follows:
+
+   The Next Domain Name field is represented as a domain name.
+
+   The Type Bit Maps field is represented as a sequence of RR type
+   mnemonics.  When the mnemonic is not known, the TYPE representation
+   as described in [RFC3597] (section 5) MUST be used.
+
+4.3 NSEC RR Example
+
+   The following NSEC RR identifies the RRsets associated with
+   alfa.example.com. and identifies the next authoritative name after
+   alfa.example.com.
+
+   alfa.example.com. 86400 IN NSEC host.example.com. (
+                                   A MX RRSIG NSEC TYPE1234 )
+
+   The first four text fields specify the name, TTL, Class, and RR type
+   (NSEC).  The entry host.example.com. is the next authoritative name
+   after alfa.example.com. in canonical order.  The A, MX, RRSIG, NSEC,
+   and TYPE1234 mnemonics indicate there are A, MX, RRSIG, NSEC, and
+   TYPE1234 RRsets associated with the name alfa.example.com.
+
+   The RDATA section of the NSEC RR above would be encoded as:
+
+            0x04 'h'  'o'  's'  't'
+            0x07 'e'  'x'  'a'  'm'  'p'  'l'  'e'
+            0x03 'c'  'o'  'm'  0x00
+            0x00 0x06 0x40 0x01 0x00 0x00 0x00 0x03
+            0x04 0x1b 0x00 0x00 0x00 0x00 0x00 0x00
+            0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
+            0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 17]
+
+Internet-Draft          DNSSEC Resource Records            February 2004
+
+
+            0x00 0x00 0x00 0x00 0x20
+
+   Assuming that the resolver can authenticate this NSEC record, it
+   could be used to prove that beta.example.com does not exist, or could
+   be used to prove there is no AAAA record associated with
+   alfa.example.com.  Authenticated denial of existence is discussed in
+   [I-D.ietf-dnsext-dnssec-protocol].
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 18]
+
+Internet-Draft          DNSSEC Resource Records            February 2004
+
+
+5. The DS Resource Record
+
+   The DS Resource Record refers to a DNSKEY RR and is used in the DNS
+   DNSKEY authentication process. A DS RR refers to a DNSKEY RR by
+   storing the key tag, algorithm number, and a digest of the DNSKEY RR.
+   Note that while the digest should be sufficient to identify the
+   public key, storing the key tag and key algorithm helps make the
+   identification process more efficient.  By authenticating the DS
+   record, a resolver can authenticate the DNSKEY RR to which the DS
+   record points.  The key authentication process is described in
+   [I-D.ietf-dnsext-dnssec-protocol].
+
+   The DS RR and its corresponding DNSKEY RR have the same owner name,
+   but they are stored in different locations.  The DS RR appears only
+   on the upper (parental) side of a delegation, and is authoritative
+   data in the parent zone.  For example, the DS RR for "example.com" is
+   stored in the "com" zone (the parent zone) rather than in the
+   "example.com" zone (the child zone).  The corresponding DNSKEY RR is
+   stored in the "example.com" zone (the child zone).  This simplifies
+   DNS zone management and zone signing, but introduces special response
+   processing requirements for the DS RR; these are described in
+   [I-D.ietf-dnsext-dnssec-protocol].
+
+   The type number for the DS record is 43.
+
+   The DS resource record is class independent.
+
+   The DS RR has no special TTL requirements.
+
+5.1 DS RDATA Wire Format
+
+   The RDATA for a DS RR consists of a 2 octet Key Tag field, a one
+   octet Algorithm field, a one octet Digest Type field, and a Digest
+   field.
+
+                        1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
+    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+   |           Key Tag             |  Algorithm    |  Digest Type  |
+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+   /                                                               /
+   /                            Digest                             /
+   /                                                               /
+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+
+
+
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 19]
+
+Internet-Draft          DNSSEC Resource Records            February 2004
+
+
+5.1.1 The Key Tag Field
+
+   The Key Tag field lists the key tag of the DNSKEY RR referred to by
+   the DS record.
+
+   The Key Tag used by the DS RR is identical to the Key Tag used by
+   RRSIG RRs.  Appendix B describes how to compute a Key Tag.
+
+5.1.2 The Algorithm Field
+
+   The Algorithm field lists the algorithm number of the DNSKEY RR
+   referred to by the DS record.
+
+   The algorithm number used by the DS RR is identical to the algorithm
+   number used by RRSIG and DNSKEY RRs. Appendix A.1 lists the algorithm
+   number types.
+
+5.1.3 The Digest Type Field
+
+   The DS RR refers to a DNSKEY RR by including a digest of that DNSKEY
+   RR. The Digest Type field identifies the algorithm used to construct
+   the digest.  Appendix A.2 lists the possible digest algorithm types.
+
+5.1.4 The Digest Field
+
+   The DS record refers to a DNSKEY RR by including a digest of that
+   DNSKEY RR.
+
+   The digest is calculated by concatenating the canonical form of the
+   fully qualified owner name of the DNSKEY RR with the DNSKEY RDATA,
+   and then applying the digest algorithm.
+
+     digest = digest_algorithm( DNSKEY owner name | DNSKEY RDATA);
+
+      "|" denotes concatenation
+
+     DNSKEY RDATA = Flags | Protocol | Algorithm | Public Key.
+
+
+   The size of the digest may vary depending on the digest algorithm and
+   DNSKEY RR size.  As of the time of writing, the only defined digest
+   algorithm is SHA-1, which produces a 20 octet digest.
+
+5.2 Processing of DS RRs When Validating Responses
+
+   The DS RR links the authentication chain across zone boundaries, so
+   the DS RR requires extra care in processing.  The DNSKEY RR referred
+   to in the DS RR MUST be a DNSSEC zone key. The DNSKEY RR Flags MUST
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 20]
+
+Internet-Draft          DNSSEC Resource Records            February 2004
+
+
+   have Flags bit 7 set to value 1. If the key tag does not indicate a
+   DNSSEC zone key, the DS RR (and DNSKEY RR it references) MUST NOT be
+   used in the validation process.
+
+5.3 The DS RR Presentation Format
+
+   The presentation format of the RDATA portion is as follows:
+
+   The Key Tag field MUST be represented as an unsigned decimal integer.
+
+   The Algorithm field MUST be represented either as an unsigned decimal
+   integer or as an algorithm mnemonic specified in Appendix A.1.
+
+   The Digest Type field MUST be represented as an unsigned decimal
+   integer.
+
+   The Digest MUST be represented as a sequence of case-insensitive
+   hexadecimal digits.  Whitespace is allowed within the hexadecimal
+   text.
+
+5.4 DS RR Example
+
+   The following example shows a DNSKEY RR and its corresponding DS RR.
+
+   dskey.example.com. 86400 IN DNSKEY 256 3 5 ( AQOeiiR0GOMYkDshWoSKz9Xz
+                                             fwJr1AYtsmx3TGkJaNXVbfi/
+                                             2pHm822aJ5iI9BMzNXxeYCmZ
+                                             DRD99WYwYqUSdjMmmAphXdvx
+                                             egXd/M5+X7OrzKBaMbCVdFLU
+                                             Uh6DhweJBjEVv5f2wwjM9Xzc
+                                             nOf+EPbtG9DMBmADjFDc2w/r
+                                             ljwvFw==
+                                             ) ;  key id = 60485
+
+   dskey.example.com. 86400 IN DS 60485 5 1 ( 2BB183AF5F22588179A53B0A
+                                              98631FAD1A292118 )
+
+
+   The first four text fields specify the name, TTL, Class, and RR type
+   (DS). Value 60485 is the key tag for the corresponding
+   "dskey.example.com." DNSKEY RR, and value 5 denotes the algorithm
+   used by this "dskey.example.com." DNSKEY RR.  The value 1 is the
+   algorithm used to construct the digest, and the rest of the RDATA
+   text is the digest in hexadecimal.
+
+
+
+
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 21]
+
+Internet-Draft          DNSSEC Resource Records            February 2004
+
+
+6. Canonical Form and Order of Resource Records
+
+   This section defines a canonical form for resource records, a
+   canonical ordering of DNS names, and a canonical ordering of resource
+   records within an RRset.  A canonical name order is required to
+   construct the NSEC name chain.  A canonical RR form and ordering
+   within an RRset are required to construct and verify RRSIG RRs.
+
+6.1 Canonical DNS Name Order
+
+   For purposes of DNS security, owner names are ordered by treating
+   individual labels as unsigned left-justified octet strings.  The
+   absence of a octet sorts before a zero value octet, and upper case
+   US-ASCII letters are treated as if they were lower case US-ASCII
+   letters.
+
+   To compute the canonical ordering of a set of DNS names, start by
+   sorting the names according to their most significant (rightmost)
+   labels.  For names in which the most significant label is identical,
+   continue sorting according to their next most significant label, and
+   so forth.
+
+   For example, the following names are sorted in canonical DNS name
+   order.  The most significant label is "example".  At this level,
+   "example" sorts first, followed by names ending in "a.example", then
+   names ending "z.example".  The names within each level are sorted in
+   the same way.
+
+             example
+             a.example
+             yljkjljk.a.example
+             Z.a.example
+             zABC.a.EXAMPLE
+             z.example
+             \001.z.example
+             *.z.example
+             \200.z.example
+
+
+6.2 Canonical RR Form
+
+   For purposes of DNS security, the canonical form of an RR is the wire
+   format of the RR where:
+
+   1.  Every domain name in the RR is fully expanded (no DNS name
+       compression) and fully qualified;
+
+   2.  All uppercase US-ASCII letters in the owner name of the RR are
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 22]
+
+Internet-Draft          DNSSEC Resource Records            February 2004
+
+
+       replaced by the corresponding lowercase US-ASCII letters;
+
+   3.  If the type of the RR is NS, MD, MF, CNAME, SOA, MB, MG, MR, PTR,
+       HINFO, MINFO, MX, HINFO, RP, AFSDB, RT, SIG, PX, NXT, NAPTR, KX,
+       SRV, DNAME, A6, RRSIG or NSEC, all uppercase US-ASCII letters in
+       the DNS names contained within the RDATA are replaced by the
+       corresponding lowercase US-ASCII letters;
+
+   4.  If the owner name of the RR is a wildcard name, the owner name is
+       in its original unexpanded form, including the "*" label (no
+       wildcard substitution); and
+
+   5.  The RR's TTL is set to its original value as it appears in the
+       originating authoritative zone or the Original TTL field of the
+       covering RRSIG RR.
+
+
+6.3 Canonical RR Ordering Within An RRset
+
+   For purposes of DNS security, RRs with the same owner name, class,
+   and type are sorted by treating the RDATA portion of the canonical
+   form of each RR as a left-justified unsigned octet sequence where the
+   absence of an octet sorts before a zero octet.
+
+   [RFC2181] specifies that an RRset is not allowed to contain duplicate
+   records (multiple RRs with the same owner name, class, type, and
+   RDATA).  Therefore, if an implementation detects duplicate RRs during
+   RRset canonicalization, the implementation MUST treat this as a
+   protocol error.  If the implementation chooses to handle this
+   protocol error in the spirit of the robustness principle (being
+   liberal in what it accepts), the implementation MUST remove all but
+   one of the duplicate RR(s) for purposes of calculating the canonical
+   form of the RRset.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 23]
+
+Internet-Draft          DNSSEC Resource Records            February 2004
+
+
+7. IANA Considerations
+
+   This document introduces no new IANA considerations, because all of
+   the protocol parameters used in this document have already been
+   assigned by previous specifications.  However, since the evolution of
+   DNSSEC has been long and somewhat convoluted, this section attempts
+   to describe the current state of the IANA registries and other
+   protocol parameters which are (or once were) related to DNSSEC.
+
+   Please refer to [I-D.ietf-dnsext-dnssec-protocol] for additional IANA
+   considerations.
+
+   DNS Resource Record Types: [RFC2535] assigned types 24, 25, and 30 to
+      the SIG, KEY, and NXT RRs, respectively. [RFC3658] assigned DNS
+      Resource Record Type 43 to DS.
+      [I-D.ietf-dnsext-dnssec-2535typecode-change] assigned types 46,
+      47, and 48 to the RRSIG, NSEC, and DNSKEY RRs, respectively.
+      [I-D.ietf-dnsext-dnssec-2535typecode-change] also marked type 30
+      (NXT) as Obsolete, and restricted use of types 24 (SIG) and 25
+      (KEY) to the "SIG(0)" transaction security protocol described in
+      [RFC2931] and the transaction KEY Resource Record described in
+      [RFC2930].
+
+   DNS Security Algorithm Numbers: [RFC2535] created an IANA registry
+      for DNSSEC Resource Record Algorithm field numbers, and assigned
+      values 1-4 and 252-255.   [RFC3110] assigned value 5.
+      [I-D.ietf-dnsext-dnssec-2535typecode-change] altered this registry
+      to include flags for each entry regarding its use with the DNS
+      security extensions.  Each algorithm entry could refer to an
+      algorithm that can be used for zone signing, transaction security
+      (see [RFC2931]) or both. Values 6-251 are available for assignment
+      by IETF standards action. See Appendix A for a full listing of the
+      DNS Security Algorithm Numbers entries at the time of writing and
+      their status of use in DNSSEC.
+
+      [RFC3658] created an IANA registry for DNSSEC DS Digest Types, and
+      assigned value 0 to reserved and value 1 to SHA-1.
+
+   KEY Protocol Values: [RFC2535] created an IANA Registry for KEY
+      Protocol Values, but [RFC3445] re-assigned all assigned values
+      other than 3 to reserved and closed this IANA registry.  The
+      registry remains closed, and all KEY and DNSKEY records are
+      required to have Protocol Octet value of 3.
+
+   Flag bits in the KEY and DNSKEY RRs:
+      [I-D.ietf-dnsext-dnssec-2535typecode-change] created an IANA
+      registry for the DNSSEC KEY and DNSKEY RR flag bits.  Initially,
+      this registry only contains an assignment for bit 7 (the ZONE bit)
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 24]
+
+Internet-Draft          DNSSEC Resource Records            February 2004
+
+
+      and a reservation for bit 15 for the Secure Entry Point flag (SEP
+      bit) [I-D.ietf-dnsext-keyrr-key-signing-flag]. Bits 0-6 and 8-14
+      are available for assignment by IETF Standards Action.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 25]
+
+Internet-Draft          DNSSEC Resource Records            February 2004
+
+
+8. Security Considerations
+
+   This document describes the format of four DNS resource records used
+   by the DNS security extensions, and presents an algorithm for
+   calculating a key tag for a public key. Other than the items
+   described below, the resource records themselves introduce no
+   security considerations.  Please see [I-D.ietf-dnsext-dnssec-intro]
+   and [I-D.ietf-dnsext-dnssec-protocol] for additional security
+   considerations related to the use of these records.
+
+   The DS record points to a DNSKEY RR using a cryptographic digest, the
+   key algorithm type and a key tag.  The DS record is intended to
+   identify an existing DNSKEY RR, but it is theoretically possible for
+   an attacker to generate a DNSKEY that matches all the DS fields.  The
+   probability of constructing such a matching DNSKEY depends on the
+   type of digest algorithm in use.  The only currently defined digest
+   algorithm is SHA-1, and the working group believes that constructing
+   a public key which would match the algorithm, key tag, and SHA-1
+   digest given in a DS record would be a sufficiently difficult problem
+   that such an attack is not a serious threat at this time.
+
+   The key tag is used to help select DNSKEY resource records
+   efficiently, but it does not uniquely identify a single DNSKEY
+   resource record.  It is possible for two distinct DNSKEY RRs to have
+   the same owner name, the same algorithm type, and the same key tag.
+   An implementation which used only the key tag to select a DNSKEY RR
+   might select the wrong public key in some circumstances.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 26]
+
+Internet-Draft          DNSSEC Resource Records            February 2004
+
+
+9. Acknowledgments
+
+   This document was created from the input and ideas of the members of
+   the DNS Extensions Working Group and working group mailing list.  The
+   editors would like to express their thanks for the comments and
+   suggestions received during the revision of these security extension
+   specifications.  While explicitly listing everyone who has
+   contributed during the decade during which DNSSEC has been under
+   development would be an impossible task,
+   [I-D.ietf-dnsext-dnssec-intro] includes a list of some of the
+   participants who were kind enough to comment on these documents.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 27]
+
+Internet-Draft          DNSSEC Resource Records            February 2004
+
+
+Normative References
+
+   [RFC1034]  Mockapetris, P., "Domain names - concepts and facilities",
+              STD 13, RFC 1034, November 1987.
+
+   [RFC1035]  Mockapetris, P., "Domain names - implementation and
+              specification", STD 13, RFC 1035, November 1987.
+
+   [RFC1521]  Borenstein, N. and N. Freed, "MIME (Multipurpose Internet
+              Mail Extensions) Part One: Mechanisms for Specifying and
+              Describing the Format of Internet Message Bodies", RFC
+              1521, September 1993.
+
+   [RFC1982]  Elz, R. and R. Bush, "Serial Number Arithmetic", RFC 1982,
+              August 1996.
+
+   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
+              Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+   [RFC2136]  Vixie, P., Thomson, S., Rekhter, Y. and J. Bound, "Dynamic
+              Updates in the Domain Name System (DNS UPDATE)", RFC 2136,
+              April 1997.
+
+   [RFC2181]  Elz, R. and R. Bush, "Clarifications to the DNS
+              Specification", RFC 2181, July 1997.
+
+   [RFC2308]  Andrews, M., "Negative Caching of DNS Queries (DNS
+              NCACHE)", RFC 2308, March 1998.
+
+   [RFC2671]  Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC
+              2671, August 1999.
+
+   [RFC2931]  Eastlake, D., "DNS Request and Transaction Signatures (
+              SIG(0)s)", RFC 2931, September 2000.
+
+   [RFC3110]  Eastlake, D., "RSA/SHA-1 SIGs and RSA KEYs in the Domain
+              Name System (DNS)", RFC 3110, May 2001.
+
+   [RFC3445]  Massey, D. and S. Rose, "Limiting the Scope of the KEY
+              Resource Record (RR)", RFC 3445, December 2002.
+
+   [RFC3597]  Gustafsson, A., "Handling of Unknown DNS Resource Record
+              (RR) Types", RFC 3597, September 2003.
+
+   [RFC3658]  Gudmundsson, O., "Delegation Signer (DS) Resource Record
+              (RR)", RFC 3658, December 2003.
+
+   [I-D.ietf-dnsext-dnssec-intro]
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 28]
+
+Internet-Draft          DNSSEC Resource Records            February 2004
+
+
+              Arends, R., Austein, R., Larson, M., Massey, D. and S.
+              Rose, "DNS Security Introduction and Requirements",
+              draft-ietf-dnsext-dnssec-intro-09 (work in progress),
+              February 2004.
+
+   [I-D.ietf-dnsext-dnssec-protocol]
+              Arends, R., Austein, R., Larson, M., Massey, D. and S.
+              Rose, "Protocol Modifications for the DNS Security
+              Extensions", draft-ietf-dnsext-dnssec-protocol-05 (work in
+              progress), February 2004.
+
+   [I-D.ietf-dnsext-keyrr-key-signing-flag]
+              Kolkman, O., Schlyter, J. and E. Lewis, "KEY RR Secure
+              Entry Point Flag",
+              draft-ietf-dnsext-keyrr-key-signing-flag-12 (work in
+              progress), December 2003.
+
+   [I-D.ietf-dnsext-dnssec-2535typecode-change]
+              Weiler, S., "Legacy Resolver Compatibility for Delegation
+              Signer", draft-ietf-dnsext-dnssec-2535typecode-change-06
+              (work in progress), December 2003.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 29]
+
+Internet-Draft          DNSSEC Resource Records            February 2004
+
+
+Informative References
+
+   [RFC2535]  Eastlake, D., "Domain Name System Security Extensions",
+              RFC 2535, March 1999.
+
+   [RFC2930]  Eastlake, D., "Secret Key Establishment for DNS (TKEY
+              RR)", RFC 2930, September 2000.
+
+
+Authors' Addresses
+
+   Roy Arends
+   Telematica Instituut
+   Drienerlolaan 5
+   7522 NB  Enschede
+   NL
+
+   EMail: roy.arends@telin.nl
+
+
+   Rob Austein
+   Internet Systems Consortium
+   950 Charter Street
+   Redwood City, CA  94063
+   USA
+
+   EMail: sra@isc.org
+
+
+   Matt Larson
+   VeriSign, Inc.
+   21345 Ridgetop Circle
+   Dulles, VA  20166-6503
+   USA
+
+   EMail: mlarson@verisign.com
+
+
+   Dan Massey
+   USC Information Sciences Institute
+   3811 N. Fairfax Drive
+   Arlington, VA  22203
+   USA
+
+   EMail: masseyd@isi.edu
+
+
+
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 30]
+
+Internet-Draft          DNSSEC Resource Records            February 2004
+
+
+   Scott Rose
+   National Institute for Standards and Technology
+   100 Bureau Drive
+   Gaithersburg, MD  20899-8920
+   USA
+
+   EMail: scott.rose@nist.gov
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 31]
+
+Internet-Draft          DNSSEC Resource Records            February 2004
+
+
+Appendix A. DNSSEC Algorithm and Digest Types
+
+   The DNS security extensions are designed to be independent of the
+   underlying cryptographic algorithms. The DNSKEY, RRSIG, and DS
+   resource records all use a DNSSEC Algorithm Number to identify the
+   cryptographic algorithm in use by the resource record.   The DS
+   resource record also specifies a Digest Algorithm Number to identify
+   the digest algorithm used to construct the DS record. The currently
+   defined Algorithm and Digest Types are listed below.  Additional
+   Algorithm or Digest Types could be added as advances in cryptography
+   warrant.
+
+   A DNSSEC aware resolver or name server MUST implement all MANDATORY
+   algorithms.
+
+A.1 DNSSEC Algorithm Types
+
+   The DNSKEY, RRSIG, and DS RRs use an 8-bit number used to identify
+   the security algorithm being used.  These values are stored in the
+   "Algorithm number" field in the resource record RDATA.
+
+   Some algorithms are usable only for zone signing (DNSSEC), some only
+   for transaction security mechanisms (SIG(0) and TSIG), and some for
+   both.  Those usable for zone signing may appear in DNSKEY, RRSIG, and
+   DS RRs.  Those usable for transaction security would be present in
+   SIG(0) and KEY RRs as described in [RFC2931]
+
+                                Zone
+   Value Algorithm [Mnemonic]  Signing  References   Status
+   ----- -------------------- --------- ----------  ---------
+     0   reserved
+     1   RSA/MD5 [RSAMD5]         n      RFC 2537   NOT RECOMMENDED
+     2   Diffie-Hellman [DH]      n      RFC 2539    -
+     3   DSA/SHA-1 [DSA]          y      RFC 2536   OPTIONAL
+     4   Elliptic Curve [ECC]              TBA       -
+     5   RSA/SHA-1 [RSASHA1]      y      RFC 3110   MANDATORY
+   252   Indirect [INDIRECT]      n                  -
+   253   Private [PRIVATEDNS]     y      see below  OPTIONAL
+   254   Private [PRIVATEOID]     y      see below  OPTIONAL
+   255   reserved
+
+   6 - 251  Available for assignment by IETF Standards Action.
+
+A.1.1 Private Algorithm Types
+
+   Algorithm number 253 is reserved for private use and will never be
+   assigned to a specific algorithm.  The public key area in the DNSKEY
+   RR and the signature area in the RRSIG RR begin with a wire encoded
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 32]
+
+Internet-Draft          DNSSEC Resource Records            February 2004
+
+
+   domain name, which MUST NOT be compressed. The domain name indicates
+   the private algorithm to use and the remainder of the public key area
+   is determined by that algorithm.  Entities should only use domain
+   names they control to designate their private algorithms.
+
+   Algorithm number 254 is reserved for private use and will never be
+   assigned to a specific algorithm. The public key area in the DNSKEY
+   RR and the signature area in the RRSIG RR begin with an unsigned
+   length byte followed by a BER encoded Object Identifier (ISO OID) of
+   that length.  The OID indicates the private algorithm in use and the
+   remainder of the area is whatever is required by that algorithm.
+   Entities should only use OIDs they control to designate their private
+   algorithms.
+
+A.2 DNSSEC Digest Types
+
+   A "Digest Type" field in the DS resource record types identifies the
+   cryptographic digest algorithm used by the resource record.   The
+   following table lists the currently defined digest algorithm types.
+
+              VALUE   Algorithm                 STATUS
+                0      Reserved                   -
+                1      SHA-1                   MANDATORY
+              2-255    Unassigned                 -
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 33]
+
+Internet-Draft          DNSSEC Resource Records            February 2004
+
+
+Appendix B. Key Tag Calculation
+
+   The Key Tag field in the RRSIG and DS resource record types provides
+   a mechanism for selecting a public key efficiently. In most cases, a
+   combination of owner name, algorithm, and key tag can efficiently
+   identify a DNSKEY record.  Both the RRSIG and DS resource records
+   have corresponding DNSKEY records.  The Key Tag field in the RRSIG
+   and DS records can be used to help select the corresponding DNSKEY RR
+   efficiently when more than one candidate DNSKEY RR is available.
+
+   However, it is essential to note that the key tag is not a unique
+   identifier. It is theoretically possible for two distinct DNSKEY RRs
+   to have the same owner name, the same algorithm, and the same key
+   tag. The key tag is used to limit the possible candidate keys, but it
+   does not uniquely identify a DNSKEY record. Implementations MUST NOT
+   assume that the key tag uniquely identifies a DNSKEY RR.
+
+   The key tag is the same for all DNSKEY algorithm types except
+   algorithm 1 (please see Appendix B.1 for the definition of the key
+   tag for algorithm 1).  The key tag algorithm is the sum of the wire
+   format of the DNSKEY RDATA broken into 2 octet groups.  First the
+   RDATA (in wire format) is treated as a series of 2 octet groups,
+   these groups are then added together ignoring any carry bits. A
+   reference implementation of the key tag algorithm is as an ANSI C
+   function is given below with the RDATA portion of the DNSKEY RR is
+   used as input.  It is not necessary to use the following reference
+   code verbatim, but the numerical value of the Key Tag MUST be
+   identical to what the reference implementation would generate for the
+   same input.
+
+   Please note that the algorithm for calculating the Key Tag is almost
+   but not completely identical to the familiar ones complement checksum
+   used in many other Internet protocols.  Key Tags MUST be calculated
+   using the algorithm described here rather than the ones complement
+   checksum.
+
+   The following ANSI C reference implementation calculates the value of
+   a Key Tag.  This reference implementation applies to all algorithm
+   types except algorithm 1 (see Appendix B.1).  The input is the wire
+   format of the RDATA portion of the DNSKEY RR.  The code is written
+   for clarity, not efficiency.
+
+   /*
+    * Assumes that int is at least 16 bits.
+    * First octet of the key tag is the most significant 8 bits of the
+    * return value;
+    * Second octet of the key tag is the least significant 8 bits of the
+    * return value.
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 34]
+
+Internet-Draft          DNSSEC Resource Records            February 2004
+
+
+    */
+
+   unsigned int
+   keytag (
+           unsigned char key[],  /* the RDATA part of the DNSKEY RR */
+           unsigned int keysize  /* the RDLENGTH */
+          )
+   {
+           unsigned long ac;     /* assumed to be 32 bits or larger */
+           int i;                /* loop index */
+
+           for ( ac = 0, i = 0; i < keysize; ++i )
+                   ac += (i & 1) ? key[i] : key[i] << 8;
+           ac += (ac >> 16) & 0xFFFF;
+           return ac & 0xFFFF;
+   }
+
+
+B.1 Key Tag for Algorithm 1 (RSA/MD5)
+
+   The key tag for algorithm 1 (RSA/MD5) is defined differently than the
+   key tag for all other algorithms, for historical reasons.  For a
+   DNSKEY RR with algorithm 1, the key tag is defined to be the most
+   significant 16 bits of the least significant 24 bits in the public
+   key modulus (in other words, the 4th to last and 3rd to last octets
+   of the public key modulus).
+
+   Please note that Algorithm 1 is NOT RECOMMENDED.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 35]
+
+Internet-Draft          DNSSEC Resource Records            February 2004
+
+
+Intellectual Property Statement
+
+   The IETF takes no position regarding the validity or scope of any
+   intellectual property or other rights that might be claimed to
+   pertain to the implementation or use of the technology described in
+   this document or the extent to which any license under such rights
+   might or might not be available; neither does it represent that it
+   has made any effort to identify any such rights. Information on the
+   IETF's procedures with respect to rights in standards-track and
+   standards-related documentation can be found in BCP-11. Copies of
+   claims of rights made available for publication and any assurances of
+   licenses to be made available, or the result of an attempt made to
+   obtain a general license or permission for the use of such
+   proprietary rights by implementors or users of this specification can
+   be obtained from the IETF Secretariat.
+
+   The IETF invites any interested party to bring to its attention any
+   copyrights, patents or patent applications, or other proprietary
+   rights which may cover technology that may be required to practice
+   this standard. Please address the information to the IETF Executive
+   Director.
+
+
+Full Copyright Statement
+
+   Copyright (C) The Internet Society (2004). All Rights Reserved.
+
+   This document and translations of it may be copied and furnished to
+   others, and derivative works that comment on or otherwise explain it
+   or assist in its implementation may be prepared, copied, published
+   and distributed, in whole or in part, without restriction of any
+   kind, provided that the above copyright notice and this paragraph are
+   included on all such copies and derivative works. However, this
+   document itself may not be modified in any way, such as by removing
+   the copyright notice or references to the Internet Society or other
+   Internet organizations, except as needed for the purpose of
+   developing Internet standards in which case the procedures for
+   copyrights defined in the Internet Standards process must be
+   followed, or as required to translate it into languages other than
+   English.
+
+   The limited permissions granted above are perpetual and will not be
+   revoked by the Internet Society or its successors or assignees.
+
+   This document and the information contained herein is provided on an
+   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 36]
+
+Internet-Draft          DNSSEC Resource Records            February 2004
+
+
+   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+Acknowledgement
+
+   Funding for the RFC Editor function is currently provided by the
+   Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al.          Expires August 16, 2004                [Page 37]
+
+
diff --git a/doc/draft/draft-ietf-dnsext-dnssec-trans-02.txt b/doc/draft/draft-ietf-dnsext-dnssec-trans-02.txt
deleted file mode 100644
index dd8cbf06..00000000
--- a/doc/draft/draft-ietf-dnsext-dnssec-trans-02.txt
+++ /dev/null
@@ -1,839 +0,0 @@
-
-DNS Extensions Working Group                                   R. Arends
-Internet-Draft                                      Telematica Instituut
-Expires: August 25, 2005                                         P. Koch
-                                                                DENIC eG
-                                                             J. Schlyter
-                                                                  NIC-SE
-                                                       February 21, 2005
-
-
-                Evaluating DNSSEC Transition Mechanisms
-                 draft-ietf-dnsext-dnssec-trans-02.txt
-
-Status of this Memo
-
-   This document is an Internet-Draft and is subject to all provisions
-   of Section 3 of RFC 3667.  By submitting this Internet-Draft, each
-   author represents that any applicable patent or other IPR claims of
-   which he or she is aware have been or will be disclosed, and any of
-   which he or she become aware will be disclosed, in accordance with
-   RFC 3668.
-
-   Internet-Drafts are working documents of the Internet Engineering
-   Task Force (IETF), its areas, and its working groups.  Note that
-   other groups may also distribute working documents as
-   Internet-Drafts.
-
-   Internet-Drafts are draft documents valid for a maximum of six months
-   and may be updated, replaced, or obsoleted by other documents at any
-   time.  It is inappropriate to use Internet-Drafts as reference
-   material or to cite them other than as "work in progress."
-
-   The list of current Internet-Drafts can be accessed at
-   http://www.ietf.org/ietf/1id-abstracts.txt.
-
-   The list of Internet-Draft Shadow Directories can be accessed at
-   http://www.ietf.org/shadow.html.
-
-   This Internet-Draft will expire on August 25, 2005.
-
-Copyright Notice
-
-   Copyright (C) The Internet Society (2005).
-
-Abstract
-
-   This document collects and summarizes different proposals for
-   alternative and additional strategies for authenticated denial in DNS
-   responses, evaluates these proposals and gives a recommendation for a
-
-
-
-Arends, et al.           Expires August 25, 2005                [Page 1]
-
-Internet-Draft    Evaluating DNSSEC Transition Mechanisms  February 2005
-
-
-   way forward.
-
-Table of Contents
-
-   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
-   2.  Transition Mechanisms  . . . . . . . . . . . . . . . . . . . .  3
-     2.1   Mechanisms With Need of Updating DNSSEC-bis  . . . . . . .  4
-       2.1.1   Dynamic NSEC Synthesis . . . . . . . . . . . . . . . .  4
-       2.1.2   Add Versioning/Subtyping to Current NSEC . . . . . . .  5
-       2.1.3   Type Bit Map NSEC Indicator  . . . . . . . . . . . . .  6
-       2.1.4   New Apex Type  . . . . . . . . . . . . . . . . . . . .  6
-       2.1.5   NSEC White Lies  . . . . . . . . . . . . . . . . . . .  7
-       2.1.6   NSEC Optional via DNSSKEY Flag . . . . . . . . . . . .  8
-       2.1.7   New Answer Pseudo RR Type  . . . . . . . . . . . . . .  9
-       2.1.8   SIG(0) Based Authenticated Denial  . . . . . . . . . .  9
-     2.2   Mechanisms Without Need of Updating DNSSEC-bis . . . . . . 10
-       2.2.1   Partial Type-code and Signal Rollover  . . . . . . . . 10
-       2.2.2   A Complete Type-code and Signal Rollover . . . . . . . 11
-       2.2.3   Unknown Algorithm in RRSIG . . . . . . . . . . . . . . 11
-   3.  Recommendation . . . . . . . . . . . . . . . . . . . . . . . . 12
-   4.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 13
-   5.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 13
-     5.1   Normative References . . . . . . . . . . . . . . . . . . . 13
-     5.2   Informative References . . . . . . . . . . . . . . . . . . 13
-       Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 14
-       Intellectual Property and Copyright Statements . . . . . . . . 15
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Arends, et al.           Expires August 25, 2005                [Page 2]
-
-Internet-Draft    Evaluating DNSSEC Transition Mechanisms  February 2005
-
-
-1.  Introduction
-
-   This report shall document the process of dealing with the NSEC
-   walking problem late in the Last Call for
-   [I-D.ietf-dnsext-dnssec-intro, I-D.ietf-dnsext-dnssec-protocol,
-   I-D.ietf-dnsext-dnssec-records].  It preserves some of the discussion
-   that took place in the DNSEXT WG during the first half of June 2004
-   as well as some additional ideas that came up subsequently.
-
-   This is an edited excerpt of the chairs' mail to the WG:
-      The working group consents on not including NSEC-alt in the
-      DNSSEC-bis documents.  The working group considers to take up
-      "prevention of zone enumeration" as a work item.
-      There may be multiple mechanisms to allow for co-existence with
-      DNSSEC-bis.  The chairs allow the working group a little over a
-      week (up to June 12, 2004) to come to consensus on a possible
-      modification to the document to enable gentle rollover.  If that
-      consensus cannot be reached the DNSSEC-bis documents will go out
-      as-is.
-
-   To ease the process of getting consensus, a summary of the proposed
-   solutions and analysis of the pros and cons were written during the
-   weekend.
-
-   This summary includes:
-
-      An inventory of the proposed mechanisms to make a transition to
-      future work on authenticated denial of existence.
-      List the known Pros and Cons, possibly provide new arguments, and
-      possible security considerations of these mechanisms.
-      Provide a recommendation on a way forward that is least disruptive
-      to the DNSSEC-bis specifications as they stand and keep an open
-      path to other methods for authenticated denial of existence.
-
-   The descriptions of the proposals in this document are coarse and do
-   not cover every detail necessary for implementation.  In any case,
-   documentation and further study is needed before implementaion and/or
-   deployment, including those which seem to be solely operational in
-   nature.
-
-2.  Transition Mechanisms
-
-   In the light of recent discussions and past proposals, we have found
-   several ways to allow for transition to future expansion of
-   authenticated denial.  We tried to illuminate the paths and pitfalls
-   in these ways forward.  Some proposals lead to a versioning of
-   DNSSEC, where DNSSEC-bis may co-exist with DNSSEC-ter, other
-   proposals are 'clean' but may cause delay, while again others may be
-
-
-
-Arends, et al.           Expires August 25, 2005                [Page 3]
-
-Internet-Draft    Evaluating DNSSEC Transition Mechanisms  February 2005
-
-
-   plain hacks.
-
-   Some paths do not introduce versioning, and might require the current
-   DNSSEC-bis documents to be fully updated to allow for extensions to
-   authenticated denial mechanisms.  Other paths introduce versioning
-   and do not (or minimally) require DNSSEC-bis documents to be updated,
-   allowing DNSSEC-bis to be deployed, while future versions can be
-   drafted independent from or partially depending on DNSSEC-bis.
-
-2.1  Mechanisms With Need of Updating DNSSEC-bis
-
-   Mechanisms in this category demand updates to the DNSSEC-bis document
-   set.
-
-2.1.1  Dynamic NSEC Synthesis
-
-   This proposal assumes that NSEC RRs and the authenticating RRSIG will
-   be generated dynamically to just cover the (non existent) query name.
-   The owner name is (the) one preceding the name queried for, the Next
-   Owner Name Field has the value of the Query Name Field + 1 (first
-   successor in canonical ordering).  A separate key (the normal ZSK or
-   a separate ZSK per authoritative server) would be used for RRSIGs on
-   NSEC RRs.  This is a defense against enumeration, though it has the
-   presumption of online signing.
-
-2.1.1.1  Coexistence and Migration
-
-   There is no change in interpretation other then that the next owner
-   name might or might not exist.
-
-2.1.1.2  Limitations
-
-   This introduces an unbalanced cost between query and response
-   generation due to dynamic generation of signatures.
-
-2.1.1.3  Amendments to DNSSEC-bis
-
-   The current DNSSEC-bis documents might need to be updated to indicate
-   that the next owner name might not be an existing name in the zone.
-   This is not a real change to the spec since implementers have been
-   warned not to synthesize with previously cached NSEC records.  A
-   specific bit to identify the dynamic signature generating key might
-   be useful as well, to prevent it from being used to fake positive
-   data.
-
-2.1.1.4  Cons
-
-   Unbalanced cost is a ground for DDoS.  Though this protects against
-
-
-
-Arends, et al.           Expires August 25, 2005                [Page 4]
-
-Internet-Draft    Evaluating DNSSEC Transition Mechanisms  February 2005
-
-
-   enumeration, it is not really a path for versioning.
-
-2.1.1.5  Pros
-
-   Hardly any amendments to DNSSEC-bis.
-
-2.1.2  Add Versioning/Subtyping to Current NSEC
-
-   This proposal introduces versioning for the NSEC RR type (a.k.a.
-   subtyping) by adding a (one octet) version field to the NSEC RDATA.
-   Version number 0 is assigned to the current (DNSSEC-bis) meaning,
-   making this an 'Must Be Zero' (MBZ) for the to be published docset.
-
-2.1.2.1  Coexistence and Migration
-
-   Since the versioning is done inside the NSEC RR, different versions
-   may coexist.  However, depending on future methods, that may or may
-   not be useful inside a single zone.  Resolvers cannot ask for
-   specific NSEC versions but may be able to indicate version support by
-   means of a to be defined EDNS option bit.
-
-2.1.2.2  Limitations
-
-   There are no technical limitations, though it will cause delay to
-   allow testing of the (currently unknown) new NSEC interpretation.
-
-   Since the versioning and signaling is done inside the NSEC RR, future
-   methods will likely be restricted to a single RR type authenticated
-   denial (as opposed to e.g.  NSEC-alt, which currently proposes three
-   RR types).
-
-2.1.2.3  Amendments to DNSSEC-bis
-
-   Full Update of the current DNSSEC-bis documents to provide for new
-   fields in NSEC, while specifying behavior in case of unknown field
-   values.
-
-2.1.2.4  Cons
-
-   Though this is a clean and clear path without versioning DNSSEC, it
-   takes some time to design, gain consensus, update the current
-   dnssec-bis document, test and implement a new authenticated denial
-   record.
-
-2.1.2.5  Pros
-
-   Does not introduce an iteration to DNSSEC while providing a clear and
-   clean migration strategy.
-
-
-
-Arends, et al.           Expires August 25, 2005                [Page 5]
-
-Internet-Draft    Evaluating DNSSEC Transition Mechanisms  February 2005
-
-
-2.1.3  Type Bit Map NSEC Indicator
-
-   Bits in the type-bit-map are reused or allocated to signify the
-   interpretation of NSEC.
-
-   This proposal assumes that future extensions make use of the existing
-   NSEC RDATA syntax, while it may need to change the interpretation of
-   the RDATA or introduce an alternative denial mechanism, invoked by
-   the specific type-bit-map-bits.
-
-2.1.3.1  Coexistence and migration
-
-   Old and new NSEC meaning could coexist, depending how the signaling
-   would be defined.  The bits for NXT, NSEC, RRSIG or other outdated RR
-   types are available  as well as those covering meta/query types or
-   types to be specifically allocated.
-
-2.1.3.2  Limitations
-
-   This mechanism uses an NSEC field that was not designed for that
-   purpose.  Similar methods were discussed during the Opt-In discussion
-   and the Silly-State discussion.
-
-2.1.3.3  Amendments to DNSSEC-bis
-
-   The specific type-bit-map-bits must be allocated and they need to be
-   specified as 'Must Be Zero' (MBZ) when used for standard (dnssec-bis)
-   interpretation.  Also, behaviour of the resolver and validator must
-   be documented in case unknown values are encountered for the MBZ
-   field.  Currently the protocol document specifies that the validator
-   MUST ignore the setting of the NSEC and the RRSIG bits, while other
-   bits are only used for the specific purpose of the type-bit-map field
-
-2.1.3.4  Cons
-
-   The type-bit-map was not designed for this purpose.  It is a
-   straightforward hack.  Text in protocol section 5.4 was put in
-   specially to defend against this usage.
-
-2.1.3.5  Pros
-
-   No change needed to the on-the-wire protocol as specified in the
-   current docset.
-
-2.1.4  New Apex Type
-
-   This introduces a new Apex type (parallel to the zone's SOA)
-   indicating the DNSSEC version (or authenticated denial) used in or
-
-
-
-Arends, et al.           Expires August 25, 2005                [Page 6]
-
-Internet-Draft    Evaluating DNSSEC Transition Mechanisms  February 2005
-
-
-   for this zone.
-
-2.1.4.1  Coexistence and Migration
-
-   Depending on the design of this new RR type multiple denial
-   mechanisms may coexist in a zone.  Old validators will not understand
-   and thus ignore the new type, so interpretation of the new NSEC
-   scheme may fail, negative responses may appear 'bogus'.
-
-2.1.4.2  Limitations
-
-   A record of this kind is likely to carry additional
-   feature/versioning indications unrelated to the current question of
-   authenticated denial.
-
-2.1.4.3  Amendments to DNSSEC-bis
-
-   The current DNSSEC-bis documents need to be updated to indicate that
-   the absence of this type indicates dnssec-bis, and that the (mere)
-   presence of this type indicated unknown versions.
-
-2.1.4.4  Cons
-
-   The only other 'zone' or 'apex' record is the SOA record.  Though
-   this proposal is not new, it is yet unknown how it might fulfill
-   authenticated denial extensions.  This new RR type would only provide
-   for a generalized signaling mechanism, not the new authenticated
-   denial scheme.  Since it is likely to be general in nature, due to
-   this generality consensus is not to be reached soon.
-
-2.1.4.5  Pros
-
-   This approach would allow for a lot of other per zone information to
-   be transported or signaled to both (slave) servers and resolvers.
-
-2.1.5  NSEC White Lies
-
-   This proposal disables one part of NSEC (the pointer part) by means
-   of a special target (root, apex, owner, ...), leaving intact only the
-   ability to authenticate denial of existence of RR sets, not denial of
-   existence of domain names (NXDOMAIN).  It may be necessary to have
-   one working NSEC to prove the absence of a wildcard.
-
-2.1.5.1  Coexistence and Migration
-
-   The NSEC target can be specified per RR, so standard NSEC and 'white
-   lie' NSEC can coexist in a zone.  There is no need for migration
-   because no versioning is introduced or intended.
-
-
-
-Arends, et al.           Expires August 25, 2005                [Page 7]
-
-Internet-Draft    Evaluating DNSSEC Transition Mechanisms  February 2005
-
-
-2.1.5.2  Limitations
-
-   This proposal breaks the protocol and is applicable to certain types
-   of zones only (no wildcard, no deep names, delegation only).  Most of
-   the burden is put on the resolver side and operational consequences
-   are yet to be studied.
-
-2.1.5.3  Amendments to DNSSEC-bis
-
-   The current DNSSEC-bis documents need to be updated to indicate that
-   the NXDOMAIN responses may be insecure.
-
-2.1.5.4  Cons
-
-   Strictly speaking this breaks the protocol and doesn't fully fulfill
-   the requirements for authenticated denial of existence.  Security
-   implications need to be carefully documented: search path problems
-   (forged denial of existence may lead to wrong expansion of non-FQDNs
-   [RFC1535]) and replay attacks to deny existence of records.
-
-2.1.5.5  Pros
-
-   Hardly any amendments to DNSSEC-bis.  Operational "trick" that is
-   available anyway.
-
-2.1.6  NSEC Optional via DNSSKEY Flag
-
-   A new DNSKEY may be defined to declare NSEC optional per zone.
-
-2.1.6.1  Coexistence and Migration
-
-   Current resolvers/validators will not understand the Flag bit and
-   will have to treat negative responses as bogus.  Otherwise, no
-   migration path is needed since NSEC is simply turned off.
-
-2.1.6.2  Limitations
-
-   NSEC can only be made completely optional at the cost of being unable
-   to prove unsecure delegations (absence of a DS RR [RFC3658]).  A next
-   to this approach would just disable authenticated denial for
-   non-existence of nodes.
-
-2.1.6.3  Amendments to DNSSEC-bis
-
-   New DNSKEY Flag to be defined.  Resolver/Validator behaviour needs to
-   be specified in the light of absence of authenticated denial.
-
-
-
-
-
-Arends, et al.           Expires August 25, 2005                [Page 8]
-
-Internet-Draft    Evaluating DNSSEC Transition Mechanisms  February 2005
-
-
-2.1.6.4  Cons
-
-   Doesn't fully meet requirements.  Operational consequences to be
-   studied.
-
-2.1.6.5  Pros
-
-   Official version of the "trick" presented in (8).  Operational
-   problems can be addressed during future work on validators.
-
-2.1.7  New Answer Pseudo RR Type
-
-   A new pseudo RR type may be defined that will be dynamically created
-   (and signed) by the responding authoritative server.  The RR in the
-   response will cover the QNAME, QCLASS and QTYPE and will authenticate
-   both denial of existence of name (NXDOMAIN) or RRset.
-
-2.1.7.1  Coexistence and Migration
-
-   Current resolvers/validators will not understand the pseudo RR and
-   will thus not be able to process negative responses so testified.  A
-   signaling or solicitation method would have to be specified.
-
-2.1.7.2  Limitations
-
-   This method can only be used with online keys and online signing
-   capacity.
-
-2.1.7.3  Amendments to DNSSEC-bis
-
-   Signaling method needs to be defined.
-
-2.1.7.4  Cons
-
-   Keys have to be held and processed online with all security
-   implications.  An additional flag for those keys identifying them as
-   online or negative answer only keys should be considered.
-
-2.1.7.5  Pros
-
-   Expands DNSSEC authentication to the RCODE.
-
-2.1.8  SIG(0) Based Authenticated Denial
-
-
-2.1.8.1  Coexistence and Migration
-
-
-
-
-
-Arends, et al.           Expires August 25, 2005                [Page 9]
-
-Internet-Draft    Evaluating DNSSEC Transition Mechanisms  February 2005
-
-
-2.1.8.2  Limitations
-
-
-2.1.8.3  Amendments to DNSSEC-bis
-
-
-2.1.8.4  Cons
-
-
-2.1.8.5  Pros
-
-
-2.2  Mechanisms Without Need of Updating DNSSEC-bis
-
-2.2.1  Partial Type-code and Signal Rollover
-
-   Carefully crafted type code/signal rollover to define a new
-   authenticated denial space that extends/replaces DNSSEC-bis
-   authenticated denial space.  This particular path is illuminated by
-   Paul Vixie in a Message-Id <20040602070859.0F50913951@sa.vix.com>
-   posted to <namedroppers@ops.ietf.org> 2004-06-02.
-
-2.2.1.1  Coexistence and Migration
-
-   To protect the current resolver for future versions, a new DNSSEC-OK
-   bit must be allocated to make clear it does or does not understand
-   the future version.  Also, a new DS type needs to be allocated to
-   allow differentiation between a current signed delegation and a
-   'future' signed delegation.  Also, current NSEC needs to be rolled
-   into a new authenticated denial type.
-
-2.2.1.2  Limitations
-
-   None.
-
-2.2.1.3  Amendments to DNSSEC-bis
-
-   None.
-
-2.2.1.4  Cons
-
-   It is cumbersome to carefully craft an TCR that 'just fits'.  The
-   DNSSEC-bis protocol has many 'borderline' cases that needs special
-   consideration.  It might be easier to do a full TCR, since a few of
-   the types and signals need upgrading anyway.
-
-
-
-
-
-
-Arends, et al.           Expires August 25, 2005               [Page 10]
-
-Internet-Draft    Evaluating DNSSEC Transition Mechanisms  February 2005
-
-
-2.2.1.5  Pros
-
-   Graceful adoption of future versions of NSEC, while there are no
-   amendments to DNSSEC-bis.
-
-2.2.2  A Complete Type-code and Signal Rollover
-
-   A new DNSSEC space is defined which can exist independent of current
-   DNSSEC-bis space.
-
-   This proposal assumes that all current DNSSEC type-codes
-   (RRSIG/DNSKEY/NSEC/DS) and signals (DNSSEC-OK) are not used in any
-   future versions of DNSSEC.  Any future version of DNSSEC has its own
-   types to allow for keys, signatures, authenticated denial, etcetera.
-
-2.2.2.1  Coexistence and Migration
-
-   Both spaces can co-exist.  They can be made completely orthogonal.
-
-2.2.2.2  Limitations
-
-   None.
-
-2.2.2.3  Amendments to DNSSEC-bis
-
-   None.
-
-2.2.2.4  Cons
-
-   With this path we abandon the current DNSSEC-bis.  Though it is easy
-   to role specific well-known and well-tested parts into the re-write,
-   once deployment has started this path is very expensive for
-   implementers, registries, registrars and registrants as well as
-   resolvers/users.  A TCR is not to be expected to occur frequently, so
-   while a next generation authenticated denial may be enabled by a TCR,
-   it is likely that that TCR will only be agreed upon if it serves a
-   whole basket of changes or additions.  A quick introduction of
-   NSEC-ng should not be expected from this path.
-
-2.2.2.5  Pros
-
-   No amendments/changes to current DNSSEC-bis docset needed.  It is
-   always there as last resort.
-
-2.2.3  Unknown Algorithm in RRSIG
-
-   This proposal assumes that future extensions make use of the existing
-   NSEC RDATA syntax, while it may need to change the interpretation of
-
-
-
-Arends, et al.           Expires August 25, 2005               [Page 11]
-
-Internet-Draft    Evaluating DNSSEC Transition Mechanisms  February 2005
-
-
-   the RDATA or introduce an alternative denial mechanism, invoked by
-   the specific unknown signing algorithm.  The different interpretation
-   would be signaled by use of different signature algorithms in the
-   RRSIG records covering the NSEC RRs.
-
-   When an entire zone is signed with a single unknown algorithm, it
-   will cause implementations that follow current dnssec-bis documents
-   to treat individual RRsets as unsigned.
-
-2.2.3.1  Coexistence and migration
-
-   Old and new NSEC RDATA interpretation or known and unknown Signatures
-   can NOT coexist in a zone since signatures cover complete (NSEC)
-   RRSets.
-
-2.2.3.2  Limitations
-
-   Validating resolvers agnostic of new interpretation will treat the
-   NSEC RRset as "not signed".  This affects wildcard and non-existence
-   proof, as well as proof for (un)secured delegations.  Also, all
-   positive signatures (RRSIGs on RRSets other than DS, NSEC) appear
-   insecure/bogus to an old validator.
-
-   The algorithm version space is split for each future version of
-   DNSSEC.  Violation of the 'modular components' concept.  We use the
-   'validator' to protect the 'resolver' from unknown interpretations.
-
-2.2.3.3  Amendments to DNSSEC-bis
-
-   None.
-
-2.2.3.4  Cons
-
-   The algorithm field was not designed for this purpose.  This is a
-   straightforward hack.
-
-2.2.3.5  Pros
-
-   No amendments/changes to current DNSSEC-bis docset needed.
-
-3.  Recommendation
-
-   The authors recommend that the working group commits to and starts
-   work on a partial TCR, allowing graceful transition towards a future
-   version of NSEC.  Meanwhile, to accomodate the need for an
-   immediately, temporary, solution against zone-traversal, we recommend
-   On-Demand NSEC synthesis.
-
-
-
-
-Arends, et al.           Expires August 25, 2005               [Page 12]
-
-Internet-Draft    Evaluating DNSSEC Transition Mechanisms  February 2005
-
-
-   This approach does not require any mandatory changes to DNSSEC-bis,
-   does not violate the protocol and fulfills the requirements.  As a
-   side effect, it moves the cost of implementation and deployment to
-   the users (zone owners) of this mechanism.
-
-4.  Acknowledgements
-
-   The authors would like to thank Sam Weiler and Mark Andrews for their
-   input and constructive comments.
-
-5.  References
-
-5.1  Normative References
-
-   [I-D.ietf-dnsext-dnssec-intro]
-              Arends, R., Austein, R., Massey, D., Larson, M. and S.
-              Rose, "DNS Security Introduction and Requirements",
-              Internet-Draft draft-ietf-dnsext-dnssec-intro-13, October
-              2004.
-
-   [I-D.ietf-dnsext-dnssec-protocol]
-              Arends, R., "Protocol Modifications for the DNS Security
-              Extensions",
-              Internet-Draft draft-ietf-dnsext-dnssec-protocol-09,
-              October 2004.
-
-   [I-D.ietf-dnsext-dnssec-records]
-              Arends, R., "Resource Records for the DNS Security
-              Extensions",
-              Internet-Draft draft-ietf-dnsext-dnssec-records-11,
-              October 2004.
-
-   [RFC1034]  Mockapetris, P., "Domain names - concepts and facilities",
-              STD 13, RFC 1034, November 1987.
-
-   [RFC1035]  Mockapetris, P., "Domain names - implementation and
-              specification", STD 13, RFC 1035, November 1987.
-
-   [RFC2931]  Eastlake, D., "DNS Request and Transaction Signatures (
-              SIG(0)s)", RFC 2931, September 2000.
-
-5.2  Informative References
-
-   [RFC1535]  Gavron, E., "A Security Problem and Proposed Correction
-              With Widely Deployed DNS Software", RFC 1535, October
-              1993.
-
-   [RFC2535]  Eastlake, D., "Domain Name System Security Extensions",
-
-
-
-Arends, et al.           Expires August 25, 2005               [Page 13]
-
-Internet-Draft    Evaluating DNSSEC Transition Mechanisms  February 2005
-
-
-              RFC 2535, March 1999.
-
-   [RFC2629]  Rose, M., "Writing I-Ds and RFCs using XML", RFC 2629,
-              June 1999.
-
-   [RFC3658]  Gudmundsson, O., "Delegation Signer (DS) Resource Record
-              (RR)", RFC 3658, December 2003.
-
-
-Authors' Addresses
-
-   Roy Arends
-   Telematica Instituut
-   Brouwerijstraat 1
-   Enschede  7523 XC
-   The Netherlands
-
-   Phone: +31 53 4850485
-   Email: roy.arends@telin.nl
-
-
-   Peter Koch
-   DENIC eG
-   Wiesenh"uttenplatz 26
-   Frankfurt  60329
-   Germany
-
-   Phone: +49 69 27235 0
-   Email: pk@DENIC.DE
-
-
-   Jakob Schlyter
-   NIC-SE
-   Box 5774
-   Stockholm  SE-114 87
-   Sweden
-
-   Email: jakob@nic.se
-   URI:   http://www.nic.se/
-
-
-
-
-
-
-
-
-
-
-
-
-Arends, et al.           Expires August 25, 2005               [Page 14]
-
-Internet-Draft    Evaluating DNSSEC Transition Mechanisms  February 2005
-
-
-Intellectual Property Statement
-
-   The IETF takes no position regarding the validity or scope of any
-   Intellectual Property Rights or other rights that might be claimed to
-   pertain to the implementation or use of the technology described in
-   this document or the extent to which any license under such rights
-   might or might not be available; nor does it represent that it has
-   made any independent effort to identify any such rights.  Information
-   on the procedures with respect to rights in RFC documents can be
-   found in BCP 78 and BCP 79.
-
-   Copies of IPR disclosures made to the IETF Secretariat and any
-   assurances of licenses to be made available, or the result of an
-   attempt made to obtain a general license or permission for the use of
-   such proprietary rights by implementers or users of this
-   specification can be obtained from the IETF on-line IPR repository at
-   http://www.ietf.org/ipr.
-
-   The IETF invites any interested party to bring to its attention any
-   copyrights, patents or patent applications, or other proprietary
-   rights that may cover technology that may be required to implement
-   this standard.  Please address the information to the IETF at
-   ietf-ipr@ietf.org.
-
-
-Disclaimer of Validity
-
-   This document and the information contained herein are provided on an
-   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
-   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
-   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
-   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
-   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Copyright Statement
-
-   Copyright (C) The Internet Society (2005).  This document is subject
-   to the rights, licenses and restrictions contained in BCP 78, and
-   except as set forth therein, the authors retain all their rights.
-
-
-Acknowledgment
-
-   Funding for the RFC Editor function is currently provided by the
-   Internet Society.
-
-
-
-
-Arends, et al.           Expires August 25, 2005               [Page 15]
-
-
diff --git a/doc/draft/draft-ietf-dnsext-ecc-key-07.txt b/doc/draft/draft-ietf-dnsext-ecc-key-07.txt
deleted file mode 100644
index 2cdcdb16..00000000
--- a/doc/draft/draft-ietf-dnsext-ecc-key-07.txt
+++ /dev/null
@@ -1,928 +0,0 @@
-
-INTERNET-DRAFT                                       ECC Keys in the DNS
-Expires: January 2006                                          July 2005
-
-
-
-                     Elliptic Curve KEYs in the DNS
-                     -------- ----- ---- -- --- ---
-                   <draft-ietf-dnsext-ecc-key-07.txt>
-
-                         Richard C. Schroeppel
-                          Donald Eastlake 3rd
-
-
-Status of This Document
-
-   By submitting this Internet-Draft, each author represents that any
-   applicable patent or other IPR claims of which he or she is aware
-   have been or will be disclosed, and any of which he or she becomes
-   aware will be disclosed, in accordance with Section 6 of BCP 79.
-
-   This draft is intended to be become a Proposed Standard RFC.
-   Distribution of this document is unlimited. Comments should be sent
-   to the DNS mailing list <namedroppers@ops.ietf.org>.
-
-   Internet-Drafts are working documents of the Internet Engineering
-   Task Force (IETF), its areas, and its working groups.  Note that
-   other groups may also distribute working documents as Internet-
-   Drafts.
-
-   Internet-Drafts are draft documents valid for a maximum of six months
-   and may be updated, replaced, or obsoleted by other documents at any
-   time.  It is inappropriate to use Internet-Drafts as reference
-   material or to cite them other than a "work in progress."
-
-   The list of current Internet-Drafts can be accessed at
-   http://www.ietf.org/1id-abstracts.html
-
-   The list of Internet-Draft Shadow Directories can be accessed at
-   http://www.ietf.org/shadow.html
-
-
-Abstract
-
-   The standard method for storing elliptic curve cryptographic keys and
-   signatures in the Domain Name System is specified.
-
-
-Copyright Notice
-
-   Copyright (C) The Internet Society (2005). All Rights Reserved.
-
-
-
-
-
-R. Schroeppel, et al                                            [Page 1]
-
-
-INTERNET-DRAFT                                       ECC Keys in the DNS
-
-
-Acknowledgement
-
-   The assistance of Hilarie K. Orman in the production of this document
-   is greatfully acknowledged.
-
-
-
-Table of Contents
-
-      Status of This Document....................................1
-      Abstract...................................................1
-      Copyright Notice...........................................1
-
-      Acknowledgement............................................2
-      Table of Contents..........................................2
-
-      1. Introduction............................................3
-      2. Elliptic Curve Data in Resource Records.................3
-      3. The Elliptic Curve Equation.............................9
-      4. How do I Compute Q, G, and Y?..........................10
-      5. Elliptic Curve SIG Resource Records....................11
-      6. Performance Considerations.............................13
-      7. Security Considerations................................13
-      8. IANA Considerations....................................13
-      Copyright and Disclaimer..................................14
-
-      Informational References..................................15
-      Normative Refrences.......................................15
-
-      Author's Addresses........................................16
-      Expiration and File Name..................................16
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-R. Schroeppel, et al                                            [Page 2]
-
-
-INTERNET-DRAFT                                       ECC Keys in the DNS
-
-
-1. Introduction
-
-   The Domain Name System (DNS) is the global hierarchical replicated
-   distributed database system for Internet addressing, mail proxy, and
-   other information. The DNS has been extended to include digital
-   signatures and cryptographic keys as described in [RFC 4033, 4034,
-   4035].
-
-   This document describes how to store elliptic curve cryptographic
-   (ECC) keys and signatures in the DNS so they can be used for a
-   variety of security purposes.  Familiarity with ECC cryptography is
-   assumed [Menezes].
-
-   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
-   "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and "OPTIONAL" in this
-   document are to be interpreted as described in [RFC 2119].
-
-
-
-2. Elliptic Curve Data in Resource Records
-
-   Elliptic curve public keys are stored in the DNS within the RDATA
-   portions of key RRs, such as RRKEY and KEY [RFC 4034] RRs, with the
-   structure shown below.
-
-   The research world continues to work on the issue of which is the
-   best elliptic curve system, which finite field to use, and how to
-   best represent elements in the field.  So, representations are
-   defined for every type of finite field, and every type of elliptic
-   curve.  The reader should be aware that there is a unique finite
-   field with a particular number of elements, but many possible
-   representations of that field and its elements.  If two different
-   representations of a field are given, they are interconvertible with
-   a tedious but practical precomputation, followed by a fast
-   computation for each field element to be converted.  It is perfectly
-   reasonable for an algorithm to work internally with one field
-   representation, and convert to and from a different external
-   representation.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-R. Schroeppel, et al                                            [Page 3]
-
-
-INTERNET-DRAFT                                       ECC Keys in the DNS
-
-
-                            1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
-        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-       |S M -FMT- A B Z|
-       +-+-+-+-+-+-+-+-+
-       |       LP      |
-       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-       |                        P (length determined from LP)       .../
-       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-       |       LF      |
-       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-       |                        F (length determined from LF)       .../
-       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-       |             DEG               |
-       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-       |             DEGH              |
-       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-       |             DEGI              |
-       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-       |             DEGJ              |
-       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-       |             TRDV              |
-       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-       |S|     LH      |
-       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-       |                        H (length determined from LH)       .../
-       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-       |S|     LK      |
-       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-       |                        K (length determined from LK)       .../
-       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-       |       LQ      |
-       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-       |                        Q (length determined from LQ)       .../
-       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-       |       LA      |
-       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-       |                        A (length determined from LA)       .../
-       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-       |             ALTA              |
-       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-       |       LB      |
-       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-       |                        B (length determined from LB)       .../
-       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-       |       LC      |
-       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-       |                        C (length determined from LC)       .../
-       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-       |       LG      |
-
-
-R. Schroeppel, et al                                            [Page 4]
-
-
-INTERNET-DRAFT                                       ECC Keys in the DNS
-
-
-       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-       |                        G (length determined from LG)       .../
-       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-       |       LY      |
-       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-       |                        Y (length determined from LY)       .../
-       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-
-   SMFMTABZ is a flags octet as follows:
-
-        S = 1 indicates that the remaining 7 bits of the octet selects
-           one of 128 predefined choices of finite field, element
-           representation, elliptic curve, and signature parameters.
-           MFMTABZ are omitted, as are all parameters from LP through G.
-           LY and Y are retained.
-
-        If S = 0, the remaining parameters are as in the picture and
-           described below.
-
-        M determines the type of field underlying the elliptic curve.
-
-        M = 0 if the field is a GF[2^N] field;
-
-        M = 1 if the field is a (mod P) or GF[P^D] field with P>2.
-
-        FMT is a three bit field describing the format of the field
-           representation.
-
-        FMT = 0  for a (mod P) field.
-            > 0  for an extension field, either GF[2^D] or GF[P^D].
-                The degree D of the extension, and the field polynomial
-                must be specified.  The field polynomial is always monic
-                (leading coefficient 1.)
-
-        FMT = 1  The field polynomial is given explicitly; D is implied.
-
-        If FMT >=2, the degree D is given explicitly.
-
-           = 2  The field polynomial is implicit.
-           = 3  The field polynomial is a binomial.  P>2.
-           = 4  The field polynomial is a trinomial.
-           = 5  The field polynomial is the quotient of a trinomial by a
-                short polynomial.  P=2.
-           = 6  The field polynomial is a pentanomial.  P=2.
-
-        Flags A and B apply to the elliptic curve parameters.
-
-
-
-
-
-
-R. Schroeppel, et al                                            [Page 5]
-
-
-INTERNET-DRAFT                                       ECC Keys in the DNS
-
-
-        A = 1 When P>=5, the curve parameter A is negated.  If P=2, then
-              A=1 indicates that the A parameter is special.  See the
-              ALTA parameter below, following A.  The combination A=1,
-              P=3 is forbidden.
-
-        B = 1 When P>=5, the curve parameter B is negated.  If P=2 or 3,
-              then B=1 indicates an alternate elliptic curve equation is
-              used.  When P=2 and B=1, an additional curve parameter C
-              is present.
-
-        The Z bit SHOULD be set to zero on creation of an RR and MUST be
-           ignored when processing an RR (when S=0).
-
-   Most of the remaining parameters are present in some formats and
-   absent in others.  The presence or absence of a parameter is
-   determined entirely by the flags.  When a parameter occurs, it is in
-   the order defined by the picture.
-
-   Of the remaining parameters, PFHKQABCGY are variable length.  When
-   present, each is preceded by a one-octet length field as shown in the
-   diagram above.  The length field does not include itself.  The length
-   field may have values from 0 through 110.  The parameter length in
-   octets is determined by a conditional formula: If LL<=64, the
-   parameter length is LL.  If LL>64, the parameter length is 16 times
-   (LL-60).  In some cases, a parameter value of 0 is sensible, and MAY
-   be represented by an LL value of 0, with the data field omitted.  A
-   length value of 0 represents a parameter value of 0, not an absent
-   parameter.  (The data portion occupies 0 space.)  There is no
-   requirement that a parameter be represented in the minimum number of
-   octets; high-order 0 octets are allowed at the front end.  Parameters
-   are always right adjusted, in a field of length defined by LL.  The
-   octet-order is always most-significant first, least-significant last.
-   The parameters H and K may have an optional sign bit stored in the
-   unused high-order bit of their length fields.
-
-   LP defines the length of the prime P.  P must be an odd prime.  The
-   parameters LP,P are present if and only if the flag M=1.  If M=0, the
-   prime is 2.
-
-   LF,F define an explicit field polynomial.  This parameter pair is
-   present only when FMT = 1.  The length of a polynomial coefficient is
-   ceiling(log2 P) bits.  Coefficients are in the numerical range
-   [0,P-1].  The coefficients are packed into fixed-width fields, from
-   higher order to lower order.  All coefficients must be present,
-   including any 0s and also the leading coefficient (which is required
-   to be 1).  The coefficients are right justified into the octet string
-   of length specified by LF, with the low-order "constant" coefficient
-   at the right end.  As a concession to storage efficiency, the higher
-   order bits of the leading coefficient may be elided, discarding high-
-   order 0 octets and reducing LF.  The degree is calculated by
-
-
-R. Schroeppel, et al                                            [Page 6]
-
-
-INTERNET-DRAFT                                       ECC Keys in the DNS
-
-
-   determining the bit position of the left most 1-bit in the F data
-   (counting the right most bit as position 0), and dividing by
-   ceiling(log2 P).  The division must be exact, with no remainder.  In
-   this format, all of the other degree and field parameters are
-   omitted.  The next parameters will be LQ,Q.
-
-   If FMT>=2, the degree of the field extension is specified explicitly,
-   usually along with other parameters to define the field polynomial.
-
-   DEG is a two octet field that defines the degree of the field
-   extension.  The finite field will have P^DEG elements.  DEG is
-   present when FMT>=2.
-
-   When FMT=2, the field polynomial is specified implicitly.  No other
-   parameters are required to define the field; the next parameters
-   present will be the LQ,Q pair.  The implicit field poynomial is the
-   lexicographically smallest irreducible (mod P) polynomial of the
-   correct degree.  The ordering of polynomials is by highest-degree
-   coefficients first -- the leading coefficient 1 is most important,
-   and the constant term is least important.  Coefficients are ordered
-   by sign-magnitude: 0 < 1 < -1 < 2 < -2 < ...  The first polynomial of
-   degree D is X^D (which is not irreducible).  The next is X^D+1, which
-   is sometimes irreducible, followed by X^D-1, which isn't.  Assuming
-   odd P, this series continues to X^D - (P-1)/2, and then goes to X^D +
-   X, X^D + X + 1, X^D + X - 1, etc.
-
-   When FMT=3, the field polynomial is a binomial, X^DEG + K.  P must be
-   odd.  The polynomial is determined by the degree and the low order
-   term K.  Of all the field parameters, only the LK,K parameters are
-   present.  The high-order bit of the LK octet stores on optional sign
-   for K; if the sign bit is present, the field polynomial is X^DEG - K.
-
-   When FMT=4, the field polynomial is a trinomial, X^DEG + H*X^DEGH +
-   K.  When P=2, the H and K parameters are implicitly 1, and are
-   omitted from the representation.  Only DEG and DEGH are present; the
-   next parameters are LQ,Q.  When P>2, then LH,H and LK,K are
-   specified.  Either or both of LH, LK may contain a sign bit for its
-   parameter.
-
-   When FMT=5, then P=2 (only).  The field polynomial is the exact
-   quotient of a trinomial divided by a small polynomial, the trinomial
-   divisor.  The small polynomial is right-adjusted in the two octet
-   field TRDV.  DEG specifies the degree of the field.  The degree of
-   TRDV is calculated from the position of the high-order 1 bit.  The
-   trinomial to be divided is X^(DEG+degree(TRDV)) + X^DEGH + 1.  If
-   DEGH is 0, the middle term is omitted from the trinomial.  The
-   quotient must be exact, with no remainder.
-
-   When FMT=6, then P=2 (only).  The field polynomial is a pentanomial,
-   with the degrees of the middle terms given by the three 2-octet
-
-
-R. Schroeppel, et al                                            [Page 7]
-
-
-INTERNET-DRAFT                                       ECC Keys in the DNS
-
-
-   values DEGH, DEGI, DEGJ.  The polynomial is X^DEG + X^DEGH + X^DEGI +
-   X^DEGJ + 1.  The values must satisfy the inequality DEG > DEGH > DEGI
-   > DEGJ > 0.
-
-        DEGH, DEGI, DEGJ  are two-octet fields that define the degree of
-           a term in a field polynomial.   DEGH is present when FMT = 4,
-           5, or 6.  DEGI and DEGJ are present only when FMT = 6.
-
-        TRDV is a two-octet right-adjusted binary polynomial of degree <
-           16.  It is present only for FMT=5.
-
-        LH and H define the H parameter, present only when FMT=4 and P
-           is odd.  The high bit of LH is an optional sign bit for H.
-
-        LK and K define the K parameter, present when FMT = 3 or 4, and
-           P is odd.  The high bit of LK is an optional sign bit for K.
-
-   The remaining parameters are concerned with the elliptic curve and
-   the signature algorithm.
-
-        LQ defines the length of the prime Q.  Q is a prime > 2^159.
-
-   In all 5 of the parameter pairs LA+A,LB+B,LC+C,LG+G,LY+Y, the data
-   member of the pair is an element from the finite field defined
-   earlier.  The length field defines a long octet string.  Field
-   elements are represented as (mod P) polynomials of degree < DEG, with
-   DEG or fewer coefficients.  The coefficients are stored from left to
-   right, higher degree to lower, with the constant term last.  The
-   coefficients are represented as integers in the range [0,P-1].  Each
-   coefficient is allocated an area of ceiling(log2 P) bits.  The field
-   representation is right-justified; the "constant term" of the field
-   element ends at the right most bit.  The coefficients are fitted
-   adjacently without regard for octet boundaries.  (Example: if P=5,
-   three bits are used for each coefficient.  If the field is GF[5^75],
-   then 225 bits are required for the coefficients, and as many as 29
-   octets may be needed in the data area.  Fewer octets may be used if
-   some high-order coefficients are 0.)  If a flag requires a field
-   element to be negated, each non-zero coefficient K is replaced with
-   P-K.  To save space, 0 bits may be removed from the left end of the
-   element representation, and the length field reduced appropriately.
-   This would normally only happen with A,B,C, because the designer
-   chose curve parameters with some high-order 0 coefficients or bits.
-
-   If the finite field is simply (mod P), then the field elements are
-   simply numbers (mod P), in the usual right-justified notation.  If
-   the finite field is GF[2^D], the field elements are the usual right-
-   justified polynomial basis representation.
-
-
-
-
-
-R. Schroeppel, et al                                            [Page 8]
-
-
-INTERNET-DRAFT                                       ECC Keys in the DNS
-
-
-        LA,A is the first parameter of the elliptic curve equation.
-           When P>=5, the flag A = 1 indicates A should be negated (mod
-           P).  When P=2 (indicated by the flag M=0), the flag A = 1
-           indicates that the parameter pair LA,A is replaced by the two
-           octet parameter ALTA.  In this case, the parameter A in the
-           curve equation is x^ALTA, where x is the field generator.
-           Parameter A often has the value 0, which may be indicated by
-           LA=0 (with no A data field), and sometimes A is 1, which may
-           be represented with LA=1 and a data field of 1, or by setting
-           the A flag and using an ALTA value of 0.
-
-        LB,B is the second parameter of the elliptic curve equation.
-           When P>=5, the flag B = 1 indicates B should be negated (mod
-           P).  When P=2 or 3, the flag B selects an alternate curve
-           equation.
-
-        LC,C is the third parameter of the elliptic curve equation,
-           present only when P=2 (indicated by flag M=0) and flag B=1.
-
-        LG,G defines a point on the curve, of order Q.  The W-coordinate
-           of the curve point is given explicitly; the Z-coordinate is
-           implicit.
-
-        LY,Y is the user's public signing key, another curve point of
-           order Q.  The W-coordinate is given explicitly; the Z-
-           coordinate is implicit.  The LY,Y parameter pair is always
-           present.
-
-
-
-3. The Elliptic Curve Equation
-
-   (The coordinates of an elliptic curve point are named W,Z instead of
-   the more usual X,Y to avoid confusion with the Y parameter of the
-   signing key.)
-
-   The elliptic curve equation is determined by the flag octet, together
-   with information about the prime P.  The primes 2 and 3 are special;
-   all other primes are treated identically.
-
-   If M=1, the (mod P) or GF[P^D] case, the curve equation is Z^2 = W^3
-   + A*W + B.  Z,W,A,B are all numbers (mod P) or elements of GF[P^D].
-   If A and/or B is negative (i.e., in the range from P/2 to P), and
-   P>=5, space may be saved by putting the sign bit(s) in the A and B
-   bits of the flags octet, and the magnitude(s) in the parameter
-   fields.
-
-   If M=1 and P=3, the B flag has a different meaning: it specifies an
-   alternate curve equation, Z^2 = W^3 + A*W^2 + B.  The middle term of
-   the right-hand-side is different.  When P=3, this equation is more
-
-
-R. Schroeppel, et al                                            [Page 9]
-
-
-INTERNET-DRAFT                                       ECC Keys in the DNS
-
-
-   commonly used.
-
-   If M=0, the GF[2^N] case, the curve equation is Z^2 + W*Z = W^3 +
-   A*W^2 + B.  Z,W,A,B are all elements of the field GF[2^N].  The A
-   parameter can often be 0 or 1, or be chosen as a single-1-bit value.
-   The flag B is used to select an alternate curve equation, Z^2 + C*Z =
-   W^3 + A*W + B.  This is the only time that the C parameter is used.
-
-
-
-4. How do I Compute Q, G, and Y?
-
-   The number of points on the curve is the number of solutions to the
-   curve equation, + 1 (for the "point at infinity").  The prime Q must
-   divide the number of points.  Usually the curve is chosen first, then
-   the number of points is determined with Schoof's algorithm.  This
-   number is factored, and if it has a large prime divisor, that number
-   is taken as Q.
-
-   G must be a point of order Q on the curve, satisfying the equation
-
-        Q * G  =  the point at infinity (on the elliptic curve)
-
-   G may be chosen by selecting a random [RFC 1750] curve point, and
-   multiplying it by (number-of-points-on-curve/Q).  G must not itself
-   be the "point at infinity"; in this astronomically unlikely event, a
-   new random curve point is recalculated.
-
-   G is specified by giving its W-coordinate.  The Z-coordinate is
-   calculated from the curve equation.  In general, there will be two
-   possible Z values.  The rule is to choose the "positive" value.
-
-   In the (mod P) case, the two possible Z values sum to P.  The smaller
-   value is less than P/2; it is used in subsequent calculations.  In
-   GF[P^D] fields, the highest-degree non-zero coefficient of the field
-   element Z is used; it is chosen to be less than P/2.
-
-   In the GF[2^N] case, the two possible Z values xor to W (or to the
-   parameter C with the alternate curve equation).  The numerically
-   smaller Z value (the one which does not contain the highest-order 1
-   bit of W (or C)) is used in subsequent calculations.
-
-   Y is specified by giving the W-coordinate of the user's public
-   signature key.  The Z-coordinate value is determined from the curve
-   equation.  As with G, there are two possible Z values; the same rule
-   is followed for choosing which Z to use.
-
-
-
-
-
-
-R. Schroeppel, et al                                           [Page 10]
-
-
-INTERNET-DRAFT                                       ECC Keys in the DNS
-
-
-   During the key generation process, a random [RFC 1750] number X must
-   be generated such that 1 <= X <= Q-1.  X is the private key and is
-   used in the final step of public key generation where Y is computed
-   as
-
-        Y = X * G (as points on the elliptic curve)
-
-   If the Z-coordinate of the computed point Y is wrong (i.e., Z > P/2
-   in the (mod P) case, or the high-order non-zero coefficient of Z >
-   P/2 in the GF[P^D] case, or Z sharing a high bit with W(C) in the
-   GF[2^N] case), then X must be replaced with Q-X.  This will
-   correspond to the correct Z-coordinate.
-
-
-
-5. Elliptic Curve SIG Resource Records
-
-   The signature portion of an RR RDATA area when using the EC
-   algorithm, for example in the RRSIG and SIG [RFC records] RRs is
-   shown below.
-
-                       1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
-   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   |                   R, (length determined from LQ)           .../
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   |                   S, (length determined from LQ)           .../
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-
-   R and S are integers (mod Q).  Their length is specified by the LQ
-   field of the corresponding KEY RR and can also be calculated from the
-   SIG RR's RDLENGTH. They are right justified, high-order-octet first.
-   The same conditional formula for calculating the length from LQ is
-   used as for all the other length fields above.
-
-   The data signed is determined as specified in [RFC 2535].  Then the
-   following steps are taken where Q, P, G, and Y are as specified in
-   the public key [Schneier]:
-
-     hash = SHA-1 ( data )
-
-     Generate random [RFC 4086] K such that 0 < K < Q.  (Never sign two
-          different messages with the same K.  K should be chosen from a
-          very large space: If an opponent learns a K value for a single
-          signature, the user's signing key is compromised, and a forger
-          can sign arbitrary messages. There is no harm in signing the
-          same message multiple times with the same key or different
-          keys.)
-
-     R = (the W-coordinate of ( K*G on the elliptic curve )) interpreted
-
-
-R. Schroeppel, et al                                           [Page 11]
-
-
-INTERNET-DRAFT                                       ECC Keys in the DNS
-
-
-          as an integer, and reduced (mod Q).  (R must not be 0.  In
-          this astronomically unlikely event, generate a new random K
-          and recalculate R.)
-
-     S = ( K^(-1) * (hash + X*R) ) mod Q.
-
-     S must not be 0.  In this astronomically unlikely event, generate a
-          new random K and recalculate R and S.
-
-     If S > Q/2, set S = Q - S.
-
-     The pair (R,S) is the signature.
-
-     Another party verifies the signature as follows:
-
-          Check that 0 < R < Q and 0 < S < Q/2.  If not, it can not be a
-               valid EC sigature.
-
-          hash = SHA-1 ( data )
-
-          Sinv = S^(-1) mod Q.
-
-          U1 = (hash * Sinv) mod Q.
-
-          U2 = (R * Sinv) mod Q.
-
-          (U1 * G + U2 * Y) is computed on the elliptic curve.
-
-          V = (the W-coordinate of this point) interpreted as an integer
-               and reduced (mod Q).
-
-          The signature is valid if V = R.
-
-     The reason for requiring S < Q/2 is that, otherwise, both (R,S) and
-     (R,Q-S) would be valid signatures for the same data.  Note that a
-     signature that is valid for hash(data) is also valid for
-     hash(data)+Q or hash(data)-Q, if these happen to fall in the range
-     [0,2^160-1].  It's believed to be computationally infeasible to
-     find data that hashes to an assigned value, so this is only a
-     cosmetic blemish.  The blemish can be eliminated by using Q >
-     2^160, at the cost of having slightly longer signatures, 42 octets
-     instead of 40.
-
-     We must specify how a field-element E ("the W-coordinate") is to be
-     interpreted as an integer.  The field-element E is regarded as a
-     radix-P integer, with the digits being the coefficients in the
-     polynomial basis representation of E.  The digits are in the ragne
-     [0,P-1].  In the two most common cases, this reduces to "the
-     obvious thing".  In the (mod P) case, E is simply a residue mod P,
-     and is taken as an integer in the range [0,P-1].  In the GF[2^D]
-
-
-R. Schroeppel, et al                                           [Page 12]
-
-
-INTERNET-DRAFT                                       ECC Keys in the DNS
-
-
-     case, E is in the D-bit polynomial basis representation, and is
-     simply taken as an integer in the range [0,(2^D)-1].  For other
-     fields GF[P^D], it's necessary to do some radix conversion
-     arithmetic.
-
-
-
-  6. Performance Considerations
-
-     Elliptic curve signatures use smaller moduli or field sizes than
-     RSA and DSA.  Creation of a curve is slow, but not done very often.
-     Key generation is faster than RSA or DSA.
-
-     DNS implementations have been optimized for small transfers,
-     typically less than 512 octets including DNS overhead. Larger
-     transfers will perform correctly and and extensions have been
-     standardized to make larger transfers more efficient [RFC 2671].
-     However, it is still advisable at this time to make reasonable
-     efforts to minimize the size of RR sets stored within the DNS
-     consistent with adequate security.
-
-
-
-  7. Security Considerations
-
-     Keys retrieved from the DNS should not be trusted unless (1) they
-     have been securely obtained from a secure resolver or independently
-     verified by the user and (2) this secure resolver and secure
-     obtainment or independent verification conform to security policies
-     acceptable to the user.  As with all cryptographic algorithms,
-     evaluating the necessary strength of the key is essential and
-     dependent on local policy.
-
-     Some specific key generation considerations are given in the body
-     of this document.
-
-
-
-  8. IANA Considerations
-
-     The key and signature data structures defined herein correspond to
-     the value 4 in the Algorithm number field of the IANA registry
-
-     Assignment of meaning to the remaining ECC data flag bits or to
-     values of ECC fields outside the ranges for which meaning in
-     defined in this document requires an IETF consensus as defined in
-     [RFC 2434].
-
-
-
-
-
-R. Schroeppel, et al                                           [Page 13]
-
-
-INTERNET-DRAFT                                       ECC Keys in the DNS
-
-
-  Copyright and Disclaimer
-
-     Copyright (C) The Internet Society 2005.  This document is subject
-     to the rights, licenses and restrictions contained in BCP 78, and
-     except as set forth therein, the authors retain all their rights.
-
-
-     This document and the information contained herein are provided on
-     an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
-     REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND
-     THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES,
-     EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT
-     THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR
-     ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A
-     PARTICULAR PURPOSE.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-R. Schroeppel, et al                                           [Page 14]
-
-
-INTERNET-DRAFT                                       ECC Keys in the DNS
-
-
-  Informational References
-
-     [RFC 1034] - P. Mockapetris, "Domain names - concepts and
-     facilities", 11/01/1987.
-
-     [RFC 1035] - P. Mockapetris, "Domain names - implementation and
-     specification", 11/01/1987.
-
-     [RFC 2671] - P. Vixie, "Extension Mechanisms for DNS (EDNS0)",
-     August 1999.
-
-     [RFC 4033] - Arends, R., Austein, R., Larson, M., Massey, D., and
-     S. Rose, "DNS Security Introduction and Requirements", RFC 4033,
-     March 2005.
-
-     [RFC 4035] - Arends, R., Austein, R., Larson, M., Massey, D., and
-     S. Rose, "Protocol Modifications for the DNS Security Extensions",
-     RFC 4035, March 2005.
-
-     [RFC 4086] - Eastlake, D., 3rd, Schiller, J., and S. Crocker,
-     "Randomness Requirements for Security", BCP 106, RFC 4086, June
-     2005.
-
-     [Schneier] - Bruce Schneier, "Applied Cryptography: Protocols,
-     Algorithms, and Source Code in C", 1996, John Wiley and Sons
-
-     [Menezes] - Alfred Menezes, "Elliptic Curve Public Key
-     Cryptosystems", 1993 Kluwer.
-
-     [Silverman] - Joseph Silverman, "The Arithmetic of Elliptic
-     Curves", 1986, Springer Graduate Texts in mathematics #106.
-
-
-
-  Normative Refrences
-
-     [RFC 2119] - S. Bradner, "Key words for use in RFCs to Indicate
-     Requirement Levels", March 1997.
-
-     [RFC 2434] - T. Narten, H. Alvestrand, "Guidelines for Writing an
-     IANA Considerations Section in RFCs", October 1998.
-
-     [RFC 4034] - Arends, R., Austein, R., Larson, M., Massey, D., and
-     S. Rose, "Resource Records for the DNS Security Extensions", RFC
-     4034, March 2005.
-
-
-
-
-
-
-
-R. Schroeppel, et al                                           [Page 15]
-
-
-INTERNET-DRAFT                                       ECC Keys in the DNS
-
-
-  Author's Addresses
-
-     Rich Schroeppel
-     500 S. Maple Drive
-     Woodland Hills, UT 84653 USA
-
-     Telephone:   +1-505-844-9079(w)
-     Email:       rschroe@sandia.gov
-
-
-     Donald E. Eastlake 3rd
-     Motorola Laboratories
-     155 Beaver Street
-     Milford, MA 01757 USA
-
-     Telephone:   +1 508-786-7554 (w)
-     EMail:       Donald.Eastlake@motorola.com
-
-
-
-  Expiration and File Name
-
-     This draft expires in January 2006.
-
-     Its file name is draft-ietf-dnsext-ecc-key-07.txt.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-R. Schroeppel, et al                                           [Page 16]
-
diff --git a/doc/draft/draft-ietf-dnsext-insensitive-06.txt b/doc/draft/draft-ietf-dnsext-insensitive-06.txt
deleted file mode 100644
index 1c4c3f63..00000000
--- a/doc/draft/draft-ietf-dnsext-insensitive-06.txt
+++ /dev/null
@@ -1,754 +0,0 @@
-
-INTERNET-DRAFT                                    Donald E. Eastlake 3rd
-Updates RFC 1034, 1035                             Motorola Laboratories
-Expires January 2006                                           July 2005
-
-
-
-       Domain Name System (DNS) Case Insensitivity Clarification
-       ------ ---- ------ ----- ---- ------------- -------------
-                 <draft-ietf-dnsext-insensitive-06.txt>
-
-                         Donald E. Eastlake 3rd
-
-
-
-Status of This Document
-
-   By submitting this Internet-Draft, each author represents that any
-   applicable patent or other IPR claims of which he or she is aware
-   have been or will be disclosed, and any of which he or she becomes
-   aware will be disclosed, in accordance with Section 6 of BCP 79.
-
-   Distribution of this document is unlimited. Comments should be sent
-   to the DNSEXT working group at namedroppers@ops.ietf.org.
-
-   Internet-Drafts are working documents of the Internet Engineering
-   Task Force (IETF), its areas, and its working groups.  Note that
-   other groups may also distribute working documents as Internet-
-   Drafts.
-
-   Internet-Drafts are draft documents valid for a maximum of six months
-   and may be updated, replaced, or obsoleted by other documents at any
-   time.  It is inappropriate to use Internet-Drafts as reference
-   material or to cite them other than a "work in progress."
-
-   The list of current Internet-Drafts can be accessed at
-   http://www.ietf.org/1id-abstracts.html
-
-   The list of Internet-Draft Shadow Directories can be accessed at
-   http://www.ietf.org/shadow.html
-
-
-
-Copyright Notice
-
-   Copyright (C) The Internet Society (2005). All Rights Reserved.
-
-
-
-Abstract
-
-   Domain Name System (DNS) names are "case insensitive". This document
-   explains exactly what that means and provides a clear specification
-   of the rules. This clarification updates RFCs 1034 and 1035.
-
-
-D. Eastlake 3rd                                                 [Page 1]
-
-
-INTERNET-DRAFT                                    DNS Case Insensitivity
-
-
-Acknowledgements
-
-   The contributions to this document of Rob Austein, Olafur
-   Gudmundsson, Daniel J. Anderson, Alan Barrett, Marc Blanchet, Dana,
-   Andreas Gustafsson, Andrew Main, Thomas Narten, and Scott Seligman
-   are gratefully acknowledged.
-
-
-
-Table of Contents
-
-      Status of This Document....................................1
-      Copyright Notice...........................................1
-      Abstract...................................................1
-
-      Acknowledgements...........................................2
-      Table of Contents..........................................2
-
-      1. Introduction............................................3
-      2. Case Insensitivity of DNS Labels........................3
-      2.1 Escaping Unusual DNS Label Octets......................3
-      2.2 Example Labels with Escapes............................4
-      3. Name Lookup, Label Types, and CLASS.....................4
-      3.1 Original DNS Label Types...............................5
-      3.2 Extended Label Type Case Insensitivity Considerations..5
-      3.3 CLASS Case Insensitivity Considerations................5
-      4. Case on Input and Output................................6
-      4.1 DNS Output Case Preservation...........................6
-      4.2 DNS Input Case Preservation............................6
-      5. Internationalized Domain Names..........................7
-      6. Security Considerations.................................8
-
-      Copyright and Disclaimer...................................9
-      Normative References.......................................9
-      Informative References....................................10
-
-      Changes Between Draft Version.............................11
-      -02 to -03 Changes........................................11
-      -03 to -04 Changes........................................11
-      -04 to -05 Changes........................................11
-      -05 to -06 Changes........................................12
-
-      Author's Address..........................................13
-      Expiration and File Name..................................13
-
-
-
-
-
-
-
-
-D. Eastlake 3rd                                                 [Page 2]
-
-
-INTERNET-DRAFT                                    DNS Case Insensitivity
-
-
-1. Introduction
-
-   The Domain Name System (DNS) is the global hierarchical replicated
-   distributed database system for Internet addressing, mail proxy, and
-   other information. Each node in the DNS tree has a name consisting of
-   zero or more labels [STD 13][RFC 1591, 2606] that are treated in a
-   case insensitive fashion. This document clarifies the meaning of
-   "case insensitive" for the DNS. This clarification updates RFCs 1034
-   and 1035 [STD 13].
-
-   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
-   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
-   document are to be interpreted as described in [RFC 2119].
-
-
-
-2. Case Insensitivity of DNS Labels
-
-   DNS was specified in the era of [ASCII]. DNS names were expected to
-   look like most host names or Internet email address right halves (the
-   part after the at-sign, "@") or be numeric as in the in-addr.arpa
-   part of the DNS name space. For example,
-
-       foo.example.net.
-       aol.com.
-       www.gnu.ai.mit.edu.
-   or  69.2.0.192.in-addr.arpa.
-
-   Case varied alternatives to the above would be DNS names like
-
-       Foo.ExamplE.net.
-       AOL.COM.
-       WWW.gnu.AI.mit.EDU.
-   or  69.2.0.192.in-ADDR.ARPA.
-
-   However, the individual octets of which DNS names consist are not
-   limited to valid ASCII character codes. They are 8-bit bytes and all
-   values are allowed. Many applications, however, interpret them as
-   ASCII characters.
-
-
-
-2.1 Escaping Unusual DNS Label Octets
-
-   In Master Files [STD 13] and other human readable and writable ASCII
-   contexts, an escape is needed for the byte value for period (0x2E,
-   ".") and all octet values outside of the inclusive range of 0x21
-   ("!")  to 0x7E ("~"). That is to say, 0x2E and all octet values in
-   the two inclusive ranges 0x00 to 0x20 and 0x7F to 0xFF.
-
-
-
-D. Eastlake 3rd                                                 [Page 3]
-
-
-INTERNET-DRAFT                                    DNS Case Insensitivity
-
-
-   One typographic convention for octets that do not correspond to an
-   ASCII printing graphic is to use a back-slash followed by the value
-   of the octet as an unsigned integer represented by exactly three
-   decimal digits.
-
-   The same convention can be used for printing ASCII characters so that
-   they will be treated as a normal label character.  This includes the
-   back-slash character used in this convention itself which can be
-   expressed as \092 or \\ and the special label separator period (".")
-   which can be expressed as and \046 or \.  respectively. It is
-   advisable to avoid using a backslash to quote an immediately
-   following non-printing ASCII character code to avoid implementation
-   difficulties.
-
-   A back-slash followed by only one or two decimal digits is undefined.
-   A back-slash followed by four decimal digits produces two octets, the
-   first octet having the value of the first three digits considered as
-   a decimal number and the second octet being the character code for
-   the fourth decimal digit.
-
-
-
-2.2 Example Labels with Escapes
-
-   The first example below shows embedded spaces and a period (".")
-   within a label. The second one show a 5-octet label where the second
-   octet has all bits zero, the third is a backslash, and the fourth
-   octet has all bits one.
-
-         Donald\032E\.\032Eastlake\0323rd.example.
-   and   a\000\\\255z.example.
-
-
-
-3. Name Lookup, Label Types, and CLASS
-
-   The original DNS design decision was made that comparisons on name
-   lookup for DNS queries should be case insensitive [STD 13]. That is
-   to say, a lookup string octet with a value in the inclusive range of
-   0x41 to 0x5A, the upper case ASCII letters, MUST match the identical
-   value and also match the corresponding value in the inclusive range
-   0x61 to 0x7A, the lower case ASCII letters. And a lookup string octet
-   with a lower case ASCII letter value MUST similarly match the
-   identical value and also match the corresponding value in the upper
-   case ASCII letter range.
-
-   (Historical Note: the terms "upper case" and "lower case" were
-   invented after movable type.  The terms originally referred to the
-   two font trays for storing, in partitioned areas, the different
-   physical type elements.  Before movable type, the nearest equivalent
-
-
-D. Eastlake 3rd                                                 [Page 4]
-
-
-INTERNET-DRAFT                                    DNS Case Insensitivity
-
-
-   terms were "majuscule" and "minuscule".)
-
-   One way to implement this rule would be, when comparing octets, to
-   subtract 0x20 from all octets in the inclusive range 0x61 to 0x7A
-   before the comparison. Such an operation is commonly known as "case
-   folding" but implementation via case folding is not required. Note
-   that the DNS case insensitivity does NOT correspond to the case
-   folding specified in [iso-8859-1] or [iso-8859-2]. For example, the
-   octets 0xDD (\221) and 0xFD (\253) do NOT match although in other
-   contexts, where they are interpreted as the upper and lower case
-   version of "Y" with an acute accent, they might.
-
-
-
-3.1 Original DNS Label Types
-
-   DNS labels in wire-encoded names have a type associated with them.
-   The original DNS standard [RFC 1035] had only two types. ASCII
-   labels, with a length of from zero to 63 octets, and indirect (or
-   compression) labels which consist of an offset pointer to a name
-   location elsewhere in the wire encoding on a DNS message. (The ASCII
-   label of length zero is reserved for use as the name of the root node
-   of the name tree.) ASCII labels follow the ASCII case conventions
-   described herein and, as stated above, can actually contain arbitrary
-   byte values. Indirect labels are, in effect, replaced by the name to
-   which they point which is then treated with the case insensitivity
-   rules in this document.
-
-
-
-3.2 Extended Label Type Case Insensitivity Considerations
-
-   DNS was extended by [RFC 2671] to have additional label type numbers
-   available. (The only such type defined so far is the BINARY type [RFC
-   2673] which is now Experimental [RFC 3363].)
-
-   The ASCII case insensitivity conventions only apply to ASCII labels,
-   that is to say, label type 0x0, whether appearing directly or invoked
-   by indirect labels.
-
-
-
-3.3 CLASS Case Insensitivity Considerations
-
-   As described in [STD 13] and [RFC 2929], DNS has an additional axis
-   for data location called CLASS. The only CLASS in global use at this
-   time is the "IN" or Internet CLASS.
-
-   The handling of DNS label case is not CLASS dependent. With the
-   original design of DNS, it was intended that a recursive DNS resolver
-
-
-D. Eastlake 3rd                                                 [Page 5]
-
-
-INTERNET-DRAFT                                    DNS Case Insensitivity
-
-
-   be able to handle new CLASSes that were unknown at the time of its
-   implementation. This requires uniform handling of label case
-   insensitivity. Should it become desireable, for example, to allocate
-   a CLASS with "case sensitive ASCII labels" for example, it would be
-   necessary to allocate a new label type for these labels.
-
-
-
-4. Case on Input and Output
-
-   While ASCII label comparisons are case insensitive, [STD 13] says
-   case MUST be preserved on output, and preserved when convenient on
-   input. However, this means less than it would appear since the
-   preservation of case on output is NOT required when output is
-   optimized by the use of indirect labels, as explained below.
-
-
-
-4.1 DNS Output Case Preservation
-
-   [STD 13] views the DNS namespace as a node tree. ASCII output is as
-   if a name was marshaled by taking the label on the node whose name is
-   to be output, converting it to a typographically encoded ASCII
-   string, walking up the tree outputting each label encountered, and
-   preceding all labels but the first with a period ("."). Wire output
-   follows the same sequence but each label is wire encoded and no
-   periods inserted. No "case conversion" or "case folding" is done
-   during such output operations, thus "preserving" case.  However, to
-   optimize output, indirect labels may be used to point to names
-   elsewhere in the DNS answer. In determining whether the name to be
-   pointed to, for example the QNAME, is the "same" as the remainder of
-   the name being optimized, the case insensitive comparison specified
-   above is done. Thus such optimization may easily destroy the output
-   preservation of case. This type of optimization is commonly called
-   "name compression".
-
-
-
-4.2 DNS Input Case Preservation
-
-   Originally, DNS data came from an ASCII Master File as defined in
-   [STD 13] or a zone transfer.  DNS Dynamic update and incremental zone
-   transfers [RFC 1995] have been added as a source of DNS data [RFC
-   2136, 3007]. When a node in the DNS name tree is created by any of
-   such inputs, no case conversion is done. Thus the case of ASCII
-   labels is preserved if they are for nodes being created. However,
-   when a name label is input for a node that already exist in DNS data
-   being held, the situation is more complex. Implementations are free
-   to retain the case first loaded for such a label or allow new input
-   to override the old case or even maintain separate copies preserving
-
-
-D. Eastlake 3rd                                                 [Page 6]
-
-
-INTERNET-DRAFT                                    DNS Case Insensitivity
-
-
-   the input case.
-
-   For example, if data with owner name "foo.bar.example" is loaded and
-   then later data with owner name "xyz.BAR.example" is input, the name
-   of the label on the "bar.example" node, i.e. "bar", might or might
-   not be changed to "BAR" in the DNS stored data or the actual input
-   case could be preserved.  Thus later retrieval of data stored under
-   "xyz.bar.example" in this case can return all data with
-   "xyz.BAR.example" or all data with "xyz.bar.example" or even, when
-   more than one RR is being returned, a mixture of these two cases.
-   This last case is unlikely because optimization of answer length
-   through indirect labels tends to cause only copy of the name tail
-   ("bar.example" or "BAR.example") to be used for all returned RRs.
-   Note that none of this has any effect on the number of completeness
-   of the RR set returned, only on the case of the names in the RR set
-   returned.
-
-   The same considerations apply when inputting multiple data records
-   with owner names differing only in case. For example, if an "A"
-   record is the first resourced record stored under owner name
-   "xyz.BAR.example" and then a second "A" record is stored under
-   "XYZ.BAR.example", the second MAY be stored with the first (lower
-   case initial label) name or the second MAY override the first so that
-   only an upper case initial label is retained or both capitalizations
-   MAY be kept in the DNS stored data. In any case, a retrieval with
-   either capitalization will retrieve all RRs with either
-   capitalization.
-
-   Note that the order of insertion into a server database of the DNS
-   name tree nodes that appear in a Master File is not defined so that
-   the results of inconsistent capitalization in a Master File are
-   unpredictable output capitalization.
-
-
-
-5. Internationalized Domain Names
-
-   A scheme has been adopted for "internationalized domain names" and
-   "internationalized labels" as described in [RFC 3490, 3454, 3491, and
-   3492]. It makes most of [UNICODE] available through a separate
-   application level transformation from internationalized domain name
-   to DNS domain name and from DNS domain name to internationalized
-   domain name. Any case insensitivity that internationalized domain
-   names and labels have varies depending on the script and is handled
-   entirely as part of the transformation described in [RFC 3454] and
-   [RFC 3491] which should be seen for further details.  This is not a
-   part of the DNS as standardized in STD 13.
-
-
-
-
-
-D. Eastlake 3rd                                                 [Page 7]
-
-
-INTERNET-DRAFT                                    DNS Case Insensitivity
-
-
-6. Security Considerations
-
-   The equivalence of certain DNS label types with case differences, as
-   clarified in this document, can lead to security problems. For
-   example, a user could be confused by believing two domain names
-   differing only in case were actually different names.
-
-   Furthermore, a domain name may be used in contexts other than the
-   DNS.  It could be used as a case sensitive index into some data base
-   or file system. Or it could be interpreted as binary data by some
-   integrity or authentication code system. These problems can usually
-   be handled by using a standardized or "canonical" form of the DNS
-   ASCII type labels, that is, always mapping the ASCII letter value
-   octets in ASCII labels to some specific pre-chosen case, either upper
-   case or lower case. An example of a canonical form for domain names
-   (and also a canonical ordering for them) appears in Section 6 of [RFC
-   4034]. See also [RFC 3597].
-
-   Finally, a non-DNS name may be stored into DNS with the false
-   expectation that case will always be preserved. For example, although
-   this would be quite rare, on a system with case sensitive email
-   address local parts, an attempt to store two "RP" records that
-   differed only in case would probably produce unexpected results that
-   might have security implications. That is because the entire email
-   address, including the possibly case sensitive local or left hand
-   part, is encoded into a DNS name in a readable fashion where the case
-   of some letters might be changed on output as described above.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-D. Eastlake 3rd                                                 [Page 8]
-
-
-INTERNET-DRAFT                                    DNS Case Insensitivity
-
-
-Copyright and Disclaimer
-
-   Copyright (C) The Internet Society (2005).  This document is subject
-   to the rights, licenses and restrictions contained in BCP 78, and
-   except as set forth therein, the authors retain all their rights.
-
-
-   This document and the information contained herein are provided on an
-   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
-   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
-   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
-   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
-   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-
-Normative References
-
-   [ASCII] - ANSI, "USA Standard Code for Information Interchange",
-   X3.4, American National Standards Institute: New York, 1968.
-
-   [RFC 1034, 1035] - See [STD 13].
-
-   [RFC 1995] - M. Ohta, "Incremental Zone Transfer in DNS", August
-   1996.
-
-   [RFC 2119] - S. Bradner, "Key words for use in RFCs to Indicate
-   Requirement Levels", March 1997.
-
-   [RFC 2136] - P. Vixie, Ed., S. Thomson, Y. Rekhter, J. Bound,
-   "Dynamic Updates in the Domain Name System (DNS UPDATE)", April 1997.
-
-   [RFC 3007] - B. Wellington, "Secure Domain Name System (DNS) Dynamic
-   Update", November 2000.
-
-   [RFC 3597] - Andreas Gustafsson, "Handling of Unknown DNS RR Types",
-   draft-ietf-dnsext-unknown-rrs-05.txt, March 2003.
-
-   [RFC 4034} - Arends, R., Austein, R., Larson, M., Massey, D., and S.
-   Rose, "Resource Records for the DNS Security Extensions", RFC 4034,
-   March 2005.
-
-   [STD 13]
-       - P. Mockapetris, "Domain names - concepts and facilities", RFC
-   1034, November 1987.
-       - P. Mockapetris, "Domain names - implementation and
-   specification", RFC 1035, November 1987.
-
-
-
-
-D. Eastlake 3rd                                                 [Page 9]
-
-
-INTERNET-DRAFT                                    DNS Case Insensitivity
-
-
-Informative References
-
-   [ISO 8859-1] - International Standards Organization, Standard for
-   Character Encodings, Latin-1.
-
-   [ISO 8859-2] - International Standards Organization, Standard for
-   Character Encodings, Latin-2.
-
-   [RFC 1591] - J. Postel, "Domain Name System Structure and
-   Delegation", March 1994.
-
-   [RFC 2606] - D. Eastlake, A. Panitz, "Reserved Top Level DNS Names",
-   June 1999.
-
-   [RFC 2929] - D. Eastlake, E. Brunner-Williams, B. Manning, "Domain
-   Name System (DNS) IANA Considerations", September 2000.
-
-   [RFC 2671] - P. Vixie, "Extension mechanisms for DNS (EDNS0)", August
-   1999.
-
-   [RFC 2673] - M. Crawford, "Binary Labels in the Domain Name System",
-   August 1999.
-
-   [RFC 3092] - D. Eastlake 3rd, C. Manros, E. Raymond, "Etymology of
-   Foo", 1 April 2001.
-
-   [RFC 3363] - Bush, R., Durand, A., Fink, B., Gudmundsson, O., and T.
-   Hain, "Representing Internet Protocol version 6 (IPv6) Addresses in
-   the Domain Name System (DNS)", RFC 3363, August 2002.
-
-   [RFC 3454] - P. Hoffman, M. Blanchet, "Preparation of
-   Internationalized String ("stringprep")", December 2002.
-
-   [RFC 3490] - P. Faltstrom, P. Hoffman, A. Costello,
-   "Internationalizing Domain Names in Applications (IDNA)", March 2003.
-
-   [RFC 3491] - P. Hoffman, M. Blanchet, "Nameprep: A Stringprep Profile
-   for Internationalized Domain Names (IDN)", March 2003.
-
-   [RFC 3492] - A. Costello, "Punycode: A Bootstring encoding of Unicode
-   for Internationalized Domain Names in Applications (IDNA)", March
-   2003.
-
-   [UNICODE] - The Unicode Consortium, "The Unicode Standard",
-   <http://www.unicode.org/unicode/standard/standard.html>.
-
-
-
-
-
-
-
-D. Eastlake 3rd                                                [Page 10]
-
-
-INTERNET-DRAFT                                    DNS Case Insensitivity
-
-
-Changes Between Draft Version
-
-   RFC Editor: The following summaries of changes between draft versions
-   are to be removed before publication.
-
-
-
--02 to -03 Changes
-
-   The following changes were made between draft version -02 and -03:
-
-   1. Add internationalized domain name section and references.
-
-   2. Change to indicate that later input of a label for an existing DNS
-   name tree node may or may not be normalized to the earlier input or
-   override it or both may be preserved.
-
-   3. Numerous minor wording changes.
-
-
-
--03 to -04 Changes
-
-   The following changes were made between draft versions -03 and -04:
-
-   1. Change to conform to the new IPR, Copyright, etc., notice
-   requirements.
-
-   2. Change in some section headers for clarity.
-
-   3. Drop section on wildcards.
-
-   4. Add emphasis on loss of case preservation due to name compression.
-
-   5. Add references to RFCs 1995 and 3092.
-
-
-
--04 to -05 Changes
-
-   The following changes were made between draft versions -04 and -05:
-
-   1. More clearly state that this draft updates RFCs 1034, 1035 [STD
-   13].
-
-   2. Add informative references to ISO 8859-1 and ISO 8859-2.
-
-   3. Fix hyphenation and capitalization nits.
-
-
-
-
-D. Eastlake 3rd                                                [Page 11]
-
-
-INTERNET-DRAFT                                    DNS Case Insensitivity
-
-
--05 to -06 Changes
-
-   The following changes were made between draft version -05 and -06.
-
-   1. Add notation to the RFC Editor that the draft version change
-   summaries are to be removed before RFC publication.
-
-   2. Additional text explaining why labe case insensitivity is CLASS
-   independent.
-
-   3. Changes and additional text clarifying that the fact that
-   inconsistent case in data loaded into DNS may result in
-   unpredicatable or inconsistent case in DNS storage but has no effect
-   on the completeness of RR sets retrieved.
-
-   4. Add reference to [RFC 3363] and update reference to [RFC 2535] to
-   be to [RFC 4034].
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-D. Eastlake 3rd                                                [Page 12]
-
-
-INTERNET-DRAFT                                    DNS Case Insensitivity
-
-
-Author's Address
-
-   Donald E. Eastlake 3rd
-   Motorola Laboratories
-   155 Beaver Street
-   Milford, MA 01757 USA
-
-   Telephone:   +1 508-786-7554 (w)
-
-   EMail:       Donald.Eastlake@motorola.com
-
-
-
-Expiration and File Name
-
-   This draft expires January 2006.
-
-   Its file name is draft-ietf-dnsext-insensitive-06.txt.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-D. Eastlake 3rd                                                [Page 13]
-
diff --git a/doc/draft/draft-ietf-dnsext-interop3597-02.txt b/doc/draft/draft-ietf-dnsext-interop3597-02.txt
deleted file mode 100644
index 160afc35..00000000
--- a/doc/draft/draft-ietf-dnsext-interop3597-02.txt
+++ /dev/null
@@ -1,334 +0,0 @@
-DNS Extensions Working Group                                 J. Schlyter
-Internet-Draft                                              May 19, 2005
-Expires: November 20, 2005
-
-
-                     RFC 3597 Interoperability Report
-                   draft-ietf-dnsext-interop3597-02.txt
-
-Status of this Memo
-
-    By submitting this Internet-Draft, each author represents that any
-    applicable patent or other IPR claims of which he or she is aware
-    have been or will be disclosed, and any of which he or she becomes
-    aware will be disclosed, in accordance with Section 6 of BCP 79.
-
-    Internet-Drafts are working documents of the Internet Engineering
-    Task Force (IETF), its areas, and its working groups.  Note that
-    other groups may also distribute working documents as Internet-
-    Drafts.
-
-    Internet-Drafts are draft documents valid for a maximum of six months
-    and may be updated, replaced, or obsoleted by other documents at any
-    time.  It is inappropriate to use Internet-Drafts as reference
-    material or to cite them other than as "work in progress."
-
-    The list of current Internet-Drafts can be accessed at
-    http://www.ietf.org/ietf/1id-abstracts.txt.
-
-    The list of Internet-Draft Shadow Directories can be accessed at
-    http://www.ietf.org/shadow.html.
-
-    This Internet-Draft will expire on November 20, 2005.
-
-Copyright Notice
-
-    Copyright (C) The Internet Society (2005).
-
-Abstract
-
-    This memo documents the result from the RFC 3597 (Handling of Unknown
-    DNS Resource Record Types) interoperability testing.
-
-
-
-
-
-
-
-
-
-
-Schlyter                Expires November 20, 2005               [Page 1]
-
-Internet-Draft      RFC 3597 Interoperability Report            May 2005
-
-
-Table of Contents
-
-    1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
-    2.  Implementations  . . . . . . . . . . . . . . . . . . . . . . .  3
-    3.  Tests  . . . . . . . . . . . . . . . . . . . . . . . . . . . .  3
-      3.1   Authoritative Primary Name Server  . . . . . . . . . . . .  3
-      3.2   Authoritative Secondary Name Server  . . . . . . . . . . .  3
-      3.3   Full Recursive Resolver  . . . . . . . . . . . . . . . . .  4
-      3.4   Stub Resolver  . . . . . . . . . . . . . . . . . . . . . .  4
-      3.5   DNSSEC Signer  . . . . . . . . . . . . . . . . . . . . . .  4
-    4.  Problems found . . . . . . . . . . . . . . . . . . . . . . . .  4
-    5.  Summary  . . . . . . . . . . . . . . . . . . . . . . . . . . .  4
-    6.  Normative References . . . . . . . . . . . . . . . . . . . . .  4
-        Author's Address . . . . . . . . . . . . . . . . . . . . . . .  4
-    A.  Test zone data . . . . . . . . . . . . . . . . . . . . . . . .  5
-        Intellectual Property and Copyright Statements . . . . . . . .  6
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Schlyter                Expires November 20, 2005               [Page 2]
-
-Internet-Draft      RFC 3597 Interoperability Report            May 2005
-
-
-1.  Introduction
-
-    This memo documents the result from the RFC 3597 (Handling of Unknown
-    DNS Resource Record Types) interoperability testing.  The test was
-    performed during June and July 2004 by request of the IETF DNS
-    Extensions Working Group.
-
-2.  Implementations
-
-    The following is a list, in alphabetic order, of implementations
-    tested for compliance with RFC 3597:
-
-       DNSJava 1.6.4
-       ISC BIND 8.4.5
-       ISC BIND 9.3.0
-       NSD 2.1.1
-       Net::DNS 0.47 patchlevel 1
-       Nominum ANS 2.2.1.0.d
-
-    These implementations covers the following functions (number of
-    implementations tested for each function in paranthesis):
-
-       Authoritative Name Servers (4)
-       Full Recursive Resolver (2)
-       Stub Resolver (4)
-       DNSSEC Zone Signers (2)
-
-    All listed implementations are genetically different.
-
-3.  Tests
-
-    The following tests was been performed to validate compliance with
-    RFC 3597 section 3 ("Transparency"), 4 ("Domain Name Compression")
-    and 5 ("Text Representation").
-
-3.1  Authoritative Primary Name Server
-
-    The test zone data (Appendix A) was loaded into the name server
-    implementation and the server was queried for the loaded information.
-
-3.2  Authoritative Secondary Name Server
-
-    The test zone data (Appendix A) was transferred using AXFR from
-    another name server implementation and the server was queried for the
-    transferred information.
-
-
-
-
-
-
-Schlyter                Expires November 20, 2005               [Page 3]
-
-Internet-Draft      RFC 3597 Interoperability Report            May 2005
-
-
-3.3  Full Recursive Resolver
-
-    A recursive resolver was queried for resource records from a domain
-    with the test zone data (Appendix A).
-
-3.4  Stub Resolver
-
-    A stub resolver was used to query resource records from a domain with
-    the test zone data (Appendix A).
-
-3.5  DNSSEC Signer
-
-    A DNSSEC signer was used to sign a zone with test zone data
-    (Appendix A).
-
-4.  Problems found
-
-    Two implementations had problems with text presentation of zero
-    length RDATA.
-
-    One implementation had problems with text presentation of RR type
-    code and classes >= 4096.
-
-    Bug reports were filed for problems found.
-
-5.  Summary
-
-    Unknown type codes works in the tested authoritative servers,
-    recursive resolvers and stub clients.
-
-    No changes are needed to advance RFC 3597 to draft standard.
-
-6.  Normative References
-
-    [1]  Gustafsson, A., "Handling of Unknown DNS Resource Record (RR)
-         Types", RFC 3597, September 2003.
-
-
-Author's Address
-
-    Jakob Schlyter
-
-    Email: jakob@rfc.se
-
-
-
-
-
-
-
-
-Schlyter                Expires November 20, 2005               [Page 4]
-
-Internet-Draft      RFC 3597 Interoperability Report            May 2005
-
-
-Appendix A.  Test zone data
-
-    ; A-record encoded as TYPE1
-    a  TYPE1  \# 4 7f000001
-    a  TYPE1  192.0.2.1
-    a  A      \# 4 7f000002
-
-    ; draft-ietf-secsh-dns-05.txt
-    sshfp  TYPE44  \# 22 01 01 c691e90714a1629d167de8e5ee0021f12a7eaa1e
-
-    ; bogus test record (from RFC 3597)
-    type731    TYPE731    \# 6 abcd (
-                               ef 01 23 45 )
-
-    ; zero length RDATA (from RFC 3597)
-    type62347  TYPE62347  \# 0
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Schlyter                Expires November 20, 2005               [Page 5]
-
-Internet-Draft      RFC 3597 Interoperability Report            May 2005
-
-
-Intellectual Property Statement
-
-    The IETF takes no position regarding the validity or scope of any
-    Intellectual Property Rights or other rights that might be claimed to
-    pertain to the implementation or use of the technology described in
-    this document or the extent to which any license under such rights
-    might or might not be available; nor does it represent that it has
-    made any independent effort to identify any such rights.  Information
-    on the procedures with respect to rights in RFC documents can be
-    found in BCP 78 and BCP 79.
-
-    Copies of IPR disclosures made to the IETF Secretariat and any
-    assurances of licenses to be made available, or the result of an
-    attempt made to obtain a general license or permission for the use of
-    such proprietary rights by implementers or users of this
-    specification can be obtained from the IETF on-line IPR repository at
-    http://www.ietf.org/ipr.
-
-    The IETF invites any interested party to bring to its attention any
-    copyrights, patents or patent applications, or other proprietary
-    rights that may cover technology that may be required to implement
-    this standard.  Please address the information to the IETF at
-    ietf-ipr@ietf.org.
-
-
-Disclaimer of Validity
-
-    This document and the information contained herein are provided on an
-    "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
-    OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
-    ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
-    INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
-    INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-    WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Copyright Statement
-
-    Copyright (C) The Internet Society (2005).  This document is subject
-    to the rights, licenses and restrictions contained in BCP 78, and
-    except as set forth therein, the authors retain all their rights.
-
-
-Acknowledgment
-
-    Funding for the RFC Editor function is currently provided by the
-    Internet Society.
-
-
-
-
-Schlyter                Expires November 20, 2005               [Page 6]
-
-
diff --git a/doc/draft/draft-ietf-dnsext-mdns-29.txt b/doc/draft/draft-ietf-dnsext-mdns-29.txt
new file mode 100644
index 00000000..1a51b690
--- /dev/null
+++ b/doc/draft/draft-ietf-dnsext-mdns-29.txt
@@ -0,0 +1,1555 @@
+
+
+DNSEXT Working Group                                        Levon Esibov
+INTERNET-DRAFT                                             Bernard Aboba
+Category: Standards Track                                    Dave Thaler
+<draft-ietf-dnsext-mdns-29.txt>                                Microsoft
+20 January 2004
+
+
+              Linklocal Multicast Name Resolution (LLMNR)
+
+This document is an Internet-Draft and is in full conformance with all
+provisions of Section 10 of RFC 2026.
+
+Internet-Drafts are working documents of the Internet Engineering Task
+Force (IETF), its areas, and its working groups.  Note that other groups
+may also distribute working documents as Internet-Drafts.
+
+Internet-Drafts are draft documents valid for a maximum of six months
+and may be updated, replaced, or obsoleted by other documents at any
+time.  It is inappropriate to use Internet-Drafts as reference material
+or to cite them other than as "work in progress."
+
+The list of current Internet-Drafts can be accessed at
+http://www.ietf.org/ietf/1id-abstracts.txt
+
+The list of Internet-Draft Shadow Directories can be accessed at
+http://www.ietf.org/shadow.html.
+
+Copyright Notice
+
+Copyright (C) The Internet Society (2004).  All Rights Reserved.
+
+Abstract
+
+Today, with the rise of home networking, there are an increasing number
+of ad-hoc networks operating without a Domain Name System (DNS) server.
+In order to allow name resolution in such environments, Link-Local
+Multicast Name Resolution (LLMNR) is proposed.  LLMNR supports all
+current and future DNS formats, types and classes, while operating on a
+separate port from DNS, and with a distinct resolver cache.
+
+The goal of LLMNR is to enable name resolution in scenarios in which
+conventional DNS name resolution is not possible.  Since LLMNR only
+operates on the local link, it cannot be considered a substitute for
+DNS.
+
+
+
+
+
+
+
+Esibov, Aboba & Thaler       Standards Track                    [Page 1]
+
+
+
+
+
+INTERNET-DRAFT                    LLMNR                  20 January 2004
+
+
+Table of Contents
+
+1.     Introduction ..........................................    3
+   1.1       Requirements ....................................    3
+   1.2       Terminology .....................................    4
+2.     Name resolution using LLMNR ...........................    4
+   2.1       LLMNR packet format .............................    5
+   2.2       Sender behavior .................................    8
+   2.3       Responder behavior ..............................    8
+   2.4       Unicast queries .................................   10
+   2.5       Off-link detection ..............................   11
+   2.6       Responder responsibilities ......................   12
+   2.7       Retransmission and jitter .......................   13
+   2.8       DNS TTL .........................................   14
+   2.9       Use of the authority and additional sections ....   14
+3.     Usage model ...........................................   14
+   3.1       LLMNR configuration .............................   15
+4.     Conflict resolution ...................................   16
+   4.1       Considerations for multiple interfaces ..........   18
+   4.2       API issues ......................................   19
+5.     Security considerations ...............................   20
+   5.1       Scope restriction ...............................   20
+   5.2       Usage restriction ...............................   21
+   5.3       Cache and port separation .......................   22
+   5.4       Authentication ..................................   22
+6.     IANA considerations ...................................   22
+7.     References ............................................   22
+   7.1       Normative References ............................   22
+   7.2       Informative References ..........................   23
+Acknowledgments ..............................................   24
+Authors' Addresses ...........................................   25
+Intellectual Property Statement ..............................   25
+Full Copyright Statement .....................................   26
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Esibov, Aboba & Thaler       Standards Track                    [Page 2]
+
+
+
+
+
+INTERNET-DRAFT                    LLMNR                  20 January 2004
+
+
+1.  Introduction
+
+This document discusses Link Local Multicast Name Resolution (LLMNR),
+which utilizes the DNS packet format and supports all current and future
+DNS formats, types and classes.  LLMNR operates on a separate port from
+the Domain Name System (DNS), with a distinct resolver cache.
+
+The goal of LLMNR is to enable name resolution in scenarios in which
+conventional DNS name resolution is not possible.  These include
+scenarios in which hosts are not configured with the address of a DNS
+server, where configured DNS servers do not reply to a query, or where
+they respond with errors, as described in Section 2.  Since LLMNR only
+operates on the local link, it cannot be considered a substitute for
+DNS.
+
+Link-scope multicast addresses are used to prevent propagation of LLMNR
+traffic across routers, potentially flooding the network.  LLMNR queries
+can also be sent to a unicast address, as described in Section 2.4.
+
+Propagation of LLMNR packets on the local link is considered sufficient
+to enable name resolution in small networks.  The assumption is that if
+a network has a gateway, then the network is able to provide DNS server
+configuration.   Configuration issues are discussed in Section 3.1.
+
+In the future, it may be desirable to consider use of multicast name
+resolution with multicast scopes beyond the link-scope.  This could
+occur if LLMNR deployment is successful, the need for multicast name
+resolution beyond the link-scope, or multicast routing becomes
+ubiquitous.  For example, expanded support for multicast name resolution
+might be required for mobile ad-hoc networking scenarios, or where no
+DNS server is available that is authoritative for the names of local
+hosts, and can support dynamic DNS, such as in wireless hotspots.
+
+Once we have experience in LLMNR deployment in terms of administrative
+issues, usability and impact on the network, it will be possible to
+reevaluate which multicast scopes are appropriate for use with multicast
+name resolution.
+
+Service discovery in general, as well as discovery of DNS servers using
+LLMNR in particular, is outside of the scope of this document, as is
+name resolution over non-multicast capable media.
+
+1.1.  Requirements
+
+In this document, several words are used to signify the requirements of
+the specification.  These words are often capitalized.  The key words
+"MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD
+NOT", "RECOMMENDED",  "MAY", and "OPTIONAL" in this document are to be
+
+
+
+Esibov, Aboba & Thaler       Standards Track                    [Page 3]
+
+
+
+
+
+INTERNET-DRAFT                    LLMNR                  20 January 2004
+
+
+interpreted as described in [RFC2119].
+
+1.2.  Terminology
+
+This document assumes familiarity with DNS terminology defined in
+[RFC1035].  Other terminology used in this document includes:
+
+Positively Resolved
+     Responses with RCODE set to zero are referred to in this document
+     as "positively resolved".
+
+Routable Address
+     An address other than a Link-Local address.  This includes globally
+     routable addresses, as well as private addresses.
+
+Reachable
+     An address is considered reachable over a link if either an ARP or
+     neighbor discovery cache entry exists for the address on the link.
+
+Responder
+     A host that listens to LLMNR queries, and responds to those for
+     which it is authoritative.
+
+Sender
+     A host that sends an LLMNR query.
+
+2.  Name resolution using LLMNR
+
+LLMNR is a peer-to-peer name resolution protocol that is not intended as
+a replacement for DNS.  LLMNR queries are sent to and received on port
+TBD.  IPv4 administratively scoped multicast usage is specified in
+"Administratively Scoped IP Multicast" [RFC2365].  The IPv4 link-scope
+multicast address a given responder listens to, and to which a sender
+sends queries, is TBD.  The IPv6 link-scope multicast address a given
+responder listens to, and to which a sender sends all queries, is TBD.
+
+Typically a host is configured as both an LLMNR sender and a responder.
+A host MAY be configured as a sender, but not a responder.  However, a
+host configured as a responder MUST act as a sender to verify the
+uniqueness of names as described in Section 4.  This document does not
+specify how names are chosen or configured.  This may occur via any
+mechanism, including DHCPv4 [RFC2131] or DHCPv6 [RFC3315].
+
+LLMNR usage MAY be configured manually or automatically on a per
+interface basis.  By default, LLMNR responders SHOULD be enabled on all
+interfaces, at all times.  Enabling LLMNR for use in situations where a
+DNS server has been configured will result in a change in default
+behavior without a simultaneous update to configuration information.
+
+
+
+Esibov, Aboba & Thaler       Standards Track                    [Page 4]
+
+
+
+
+
+INTERNET-DRAFT                    LLMNR                  20 January 2004
+
+
+Where this is considered undesirable, LLMNR SHOULD NOT be enabled by
+default, so that hosts will neither listen on the link-scope multicast
+address, nor will they send queries to that address.
+
+An LLMNR sender may send a request for any name.  However, by default,
+LLMNR requests SHOULD be sent only when one of the following conditions
+are met:
+
+[1]  No manual or automatic DNS configuration has been performed.  If an
+     interface has been configured with DNS server address(es), then
+     LLMNR SHOULD NOT be used as the primary name resolution mechanism
+     on that interface, although it MAY be used as a name resolution
+     mechanism of last resort.
+
+[2]  DNS servers do not respond.
+
+[3]  DNS servers respond to a DNS query with RCODE=3 (Authoritative Name
+     Error) or RCODE=0, and an empty answer section.
+
+A typical sequence of events for LLMNR usage is as follows:
+
+[a]  DNS servers are not configured or do not respond to a DNS query, or
+     respond with RCODE=3, or RCODE=0 and an empty answer section.
+
+[b]  An LLMNR sender sends an LLMNR query to the link-scope multicast
+     address(es) defined in Section 2, unless a unicast query is
+     indicated.  A sender SHOULD send LLMNR queries for PTR RRs via
+     unicast, as specified in Section 2.4.
+
+[c]  A responder responds to this query only if it is authoritative for
+     the domain name in the query.  A responder responds to a multicast
+     query by sending a unicast UDP response to the sender.  Unicast
+     queries are responded to as indicated in Section 2.4.
+
+[d]  Upon reception of the response, the sender processes it.
+
+Further details of sender and responder behavior are provided in the
+sections that follow.
+
+2.1.  LLMNR packet format
+
+LLMNR utilizes the DNS packet format defined in [RFC1035] Section 4 for
+both queries and responses.  LLMNR implementations SHOULD send UDP
+queries and responses only as large as are known to be permissible
+without causing fragmentation.  When in doubt a maximum packet size of
+512 octets SHOULD be used.  LLMNR implementations MUST accept UDP
+queries and responses as large as permitted by the link MTU.
+
+
+
+
+Esibov, Aboba & Thaler       Standards Track                    [Page 5]
+
+
+
+
+
+INTERNET-DRAFT                    LLMNR                  20 January 2004
+
+
+2.1.1.  LLMNR header format
+
+LLMNR queries and responses utilize the DNS header format defined in
+[RFC1035] with exceptions noted below:
+
+                                1  1  1  1  1  1
+  0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
++--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+|                      ID                       |
++--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+|QR|   Opcode  | Z|TC| Z| Z| Z| Z| Z|   RCODE   |
++--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+|                    QDCOUNT                    |
++--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+|                    ANCOUNT                    |
++--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+|                    NSCOUNT                    |
++--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+|                    ARCOUNT                    |
++--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+ID   A 16 bit identifier assigned by the program that generates any kind
+     of query.  This identifier is copied from the query to the response
+     and can be used by the sender to match responses to outstanding
+     queries. The ID field in a query SHOULD be set to a pseudo-random
+     value.
+
+QR   A one bit field that specifies whether this message is an LLMNR
+     query (0), or an LLMNR response (1).
+
+OPCODE
+     A four bit field that specifies the kind of query in this message.
+     This value is set by the originator of a query and copied into the
+     response.  This specification defines the behavior of standard
+     queries and responses (opcode value of zero).  Future
+     specifications may define the use of other opcodes with LLMNR.
+     LLMNR senders and responders MUST support standard queries (opcode
+     value of zero).  LLMNR queries with unsupported OPCODE values MUST
+     be silently discarded by responders.
+
+TC   TrunCation - specifies that this message was truncated due to
+     length greater than that permitted on the transmission channel.
+     The TC bit MUST NOT be set in an LLMNR query and if set is ignored
+     by an LLMNR responder.  If the TC bit is set an LLMNR response,
+     then the sender MAY use the response if it contains all necessary
+     information, or the sender MAY discard the response and resend the
+
+
+
+Esibov, Aboba & Thaler       Standards Track                    [Page 6]
+
+
+
+
+
+INTERNET-DRAFT                    LLMNR                  20 January 2004
+
+
+     LLMNR query over TCP using the unicast address of the responder as
+     the destination address.  See  [RFC2181] and Section 2.4 of this
+     specification for further discussion of the TC bit.
+
+Z    Reserved for future use.  Implementations of this specification
+     MUST set these bits to zero in both queries and responses.  If
+     these bits are set in a LLMNR query or response, implementations of
+     this specification MUST ignore them.  Since reserved bits could
+     conceivably be used for different purposes than in DNS,
+     implementors are advised not to enable processing of these bits in
+     an LLMNR implementation starting from a DNS code base.
+
+RCODE
+     Response code -- this 4 bit field is set as part of LLMNR
+     responses.  In an LLMNR query, the RCODE MUST be zero, and is
+     ignored by the responder.  The response to a multicast LLMNR query
+     MUST have RCODE set to zero.  A sender MUST silently discard an
+     LLMNR response with a non-zero RCODE sent in response to a
+     multicast query.
+
+     If an LLMNR responder is authoritative for the name in a multicast
+     query, but an error is encountered, the responder SHOULD send an
+     LLMNR response with an RCODE of zero, no RRs in the answer section,
+     and the TC bit set.  This will cause the query to be resent using
+     TCP, and allow the inclusion of a non-zero RCODE in the response to
+     the TCP query.  Responding with the TC bit set is preferrable to
+     not sending a response, since it enables errors to be diagnosed.
+
+     Since LLMNR responders only respond to LLMNR queries for names for
+     which they are authoritative, LLMNR responders MUST NOT respond
+     with an RCODE of 3; instead, they should not respond at all.
+
+     LLMNR implementations MUST support EDNS0 [RFC2671] and extended
+     RCODE values.
+
+QDCOUNT
+     An unsigned 16 bit integer specifying the number of entries in the
+     question section. A sender MUST place only one question into the
+     question section of an LLMNR query.  LLMNR responders MUST silently
+     discard LLMNR queries with QDCOUNT not equal to one.  LLMNR senders
+     MUST silently discard LLMNR responses with QDCOUNT not equal to
+     one.
+
+ANCOUNT
+     An unsigned 16 bit integer specifying the number of resource
+     records in the answer section.  LLMNR responders MUST silently
+     discard LLMNR queries with ANCOUNT not equal to zero.
+
+
+
+
+Esibov, Aboba & Thaler       Standards Track                    [Page 7]
+
+
+
+
+
+INTERNET-DRAFT                    LLMNR                  20 January 2004
+
+
+NSCOUNT
+     An unsigned 16 bit integer specifying the number of name server
+     resource records in the authority records section.  Authority
+     record section processing is described in Section 2.9.
+
+ARCOUNT
+     An unsigned 16 bit integer specifying the number of resource
+     records in the additional records section.  Additional record
+     section processing is described in Section 2.9.
+
+2.2.  Sender behavior
+
+A sender may send an LLMNR query for any legal resource record  type
+(e.g.  A, AAAA, SRV, etc.) to the link-scope multicast address.
+
+As described in Section 2.4, a sender may also send a unicast query.
+Sections 2 and 3 describe the circumstances in which LLMNR queries may
+be sent.
+
+The sender MUST anticipate receiving no replies to some LLMNR queries,
+in the event that no responders are available within the link-scope or
+in the event no positive non-null responses exist for the transmitted
+query.  If no positive response is received, a resolver treats it as a
+response that no records of the specified type and class exist for the
+specified name (it is treated the same as a response with RCODE=0 and an
+empty answer section).
+
+Since the responder may order the RRs in the response so as to indicate
+preference, the sender SHOULD preserve ordering in the response to the
+querying application.
+
+2.3.  Responder behavior
+
+An LLMNR response MUST be sent to the sender via unicast.
+
+Upon configuring an IP address responders typically will synthesize
+corresponding A, AAAA and PTR RRs so as to be able to respond to LLMNR
+queries for these RRs.  An SOA RR is synthesized only when a responder
+has another RR as well;  the SOA RR MUST NOT be the only RR that a
+responder has.  However, in general whether RRs are manually or
+automatically created is an implementation decision.
+
+For example, a host configured to have computer name "host1" and to be a
+member of the "example.com" domain, and with IPv4 address 10.1.1.1 and
+IPv6 address 2001:0DB8::1:2:3:FF:FE:4:5:6 might be authoritative for the
+following records:
+
+host1. IN A 10.1.1.1
+
+
+
+Esibov, Aboba & Thaler       Standards Track                    [Page 8]
+
+
+
+
+
+INTERNET-DRAFT                    LLMNR                  20 January 2004
+
+
+IN AAAA 2001:0DB8::1:2:3:FF:FE:4:5:6
+
+host1.example.com. IN A 10.1.1.1
+IN AAAA 2001:0DB8::1:2:3:FF:FE:4:5:6
+
+1.1.1.10.in-addr.arpa. IN PTR host1.
+IN PTR host1.example.com.
+
+6.0.5.0.4.0.E.F.F.F.3.0.2.0.1.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa
+IN PTR host1.
+IN PTR host1.example.com
+
+An LLMNR responder might be further manually configured with the name of
+a local mail server with an MX RR included in the "host1." and
+"host1.example.com." records.
+
+In responding to queries:
+
+[a]  Responders MUST listen on UDP port TBD on the link-scope multicast
+     address(es) defined in Section 2, and on UDP and TCP port TBD on
+     the unicast address(es) that could be set as the source address(es)
+     when the responder responds to the LLMNR query.
+
+[b]  Responders MUST direct responses to the port from which the query
+     was sent.  When queries are received via TCP this is an inherent
+     part of the transport protocol.  For queries received by UDP the
+     responder MUST take note of the source port and use that as the
+     destination port in the response.  Responses SHOULD always be sent
+     from the port to which they were directed.
+
+[c]  Responders MUST respond to LLMNR queries for names and addresses
+     they are authoritative for.  This applies to both forward and
+     reverse lookups.
+
+[d]  Responders MUST NOT respond to LLMNR queries for names they are not
+     authoritative for.
+
+[e]  Responders MUST NOT respond using cached data.
+
+[f]  If a DNS server is running on a host that supports LLMNR, the DNS
+     server MUST respond to LLMNR queries only for the RRSets relating
+     to the host on which the server is running, but MUST NOT respond
+     for other records for which the server is authoritative.  DNS
+     servers also MUST NOT send LLMNR queries in order to resolve DNS
+     queries.
+
+[g]  If a responder is authoritative for a name, it MAY respond with
+     RCODE=0 and an empty answer section, if the type of query does not
+
+
+
+Esibov, Aboba & Thaler       Standards Track                    [Page 9]
+
+
+
+
+
+INTERNET-DRAFT                    LLMNR                  20 January 2004
+
+
+     match a RR that the responder has.
+
+As an example, a host configured to respond to LLMNR queries for the
+name "foo.example.com."  is authoritative for the name
+"foo.example.com.".  On receiving an LLMNR query for an A RR with the
+name "foo.example.com." the host authoritatively responds with A RR(s)
+that contain IP address(es) in the RDATA of the resource record.  If the
+responder has a AAAA RR, but no A RR, and an A RR query is received, the
+responder would respond with RCODE=0 and an empty answer section.
+
+In conventional DNS terminology a DNS server authoritative for a zone is
+authoritative for all the domain names under the zone apex except for
+the branches delegated into separate zones.  Contrary to conventional
+DNS terminology, an LLMNR responder is authoritative only for the zone
+apex.
+
+For example the host "foo.example.com." is not authoritative for the
+name "child.foo.example.com." unless the host is configured with
+multiple names, including "foo.example.com."  and
+"child.foo.example.com.".  As a result, "foo.example.com." cannot reply
+to an LLMNR query for "child.foo.example.com." with RCODE=3
+(authoritative name error).  The purpose of limiting the name authority
+scope of a responder is to prevent complications that could be caused by
+coexistence of two or more hosts with the names representing child and
+parent (or grandparent) nodes in the DNS tree, for example,
+"foo.example.com." and "child.foo.example.com.".
+
+In this example (unless this limitation is introduced) an LLMNR query
+for an A resource record for the name "child.foo.example.com." would
+result in two authoritative responses: RCODE=3 (authoritative name
+error) received from "foo.example.com.", and a requested A record - from
+"child.foo.example.com.".  To prevent this ambiguity, LLMNR enabled
+hosts could perform a dynamic update of the parent (or grandparent) zone
+with a delegation to a child zone.  In this example a host
+"child.foo.example.com." would send a dynamic update for the NS and glue
+A record to "foo.example.com.", but this approach significantly
+complicates implementation of LLMNR and would not be acceptable for
+lightweight hosts.
+
+2.4.  Unicast queries and responses
+
+Unicast queries SHOULD be sent when:
+
+[a]  A sender repeats a query after it received a response with the TC
+     bit set to the previous LLMNR multicast query, or
+
+[b]  The sender queries for a PTR RR of a fully formed IP address within
+     the "in-addr.arpa" or "ip6.arpa" zones.
+
+
+
+Esibov, Aboba & Thaler       Standards Track                   [Page 10]
+
+
+
+
+
+INTERNET-DRAFT                    LLMNR                  20 January 2004
+
+
+A responder receiving a unicast query MUST send the response with a
+source address set to the destination address field of the IP header of
+the query causing the response.
+
+Unicast LLMNR queries SHOULD be sent using TCP.  Senders MUST support
+sending TCP queries, and responders MUST support listening for TCP
+queries.
+
+Responses to TCP unicast LLMNR queries MUST be sent using TCP,  using
+the same connection as the query.  If the sender of a TCP query receives
+a response to that query not using TCP, the response MUST be silently
+discarded.
+
+Unicast UDP queries MAY be responded to with a UDP response containing
+an empty answer section and the TC bit set, so as to require the sender
+to resend the query using TCP.
+
+If an ICMP "Time Exceeded" message is received in response to a unicast
+UDP query, or if TCP connection setup cannot be completed in order to
+send a unicast TCP query, this is treated as a response that no records
+of the specified type and class exist for the specified name (it is
+treated the same as a response with RCODE=0 and an empty answer
+section).  The UDP sender receiving an ICMP "Time Exceeded" message
+SHOULD verify that the ICMP error payload contains a valid LLMNR query
+packet, which matches a query that is currently in progress, so as to
+guard against a potential Denial of Service (DoS) attack.  If a match
+cannot be made, then the sender relies on the retransmission and timeout
+behavior described in Section 2.7.
+
+2.5.  "Off link" detection
+
+For IPv4, an "on link" address is defined as a link-local address
+[IPv4Link] or an address whose prefix belongs to a subnet on the local
+link.  For IPv6 [RFC2460] an "on link" address is either a link-local
+address, defined in [RFC2373], or an address whose prefix belongs to a
+subnet on the local link.
+
+A sender MUST select a source address for LLMNR queries that is "on
+link".  The destination address of an LLMNR query MUST be a link-scope
+multicast address or an "on link" unicast address.
+
+A responder MUST select a source address for responses that is "on
+link". The destination address of an LLMNR response MUST be an "on link"
+unicast address.
+
+On receiving an LLMNR query, the responder MUST check whether it was
+sent to a LLMNR multicast addresses defined in Section 2.  If it was
+sent to another multicast address, then the query MUST be silently
+
+
+
+Esibov, Aboba & Thaler       Standards Track                   [Page 11]
+
+
+
+
+
+INTERNET-DRAFT                    LLMNR                  20 January 2004
+
+
+discarded.
+
+In composing LLMNR queries, the sender MUST set the Hop Limit field in
+the IPv6 header and the TTL field in IPv4 header of the response to one
+(1).  Even when LLMNR queries are sent to a link-scope multicast
+address, it is possible that some routers may not properly implement
+link-scope multicast, or that link-scope multicast addresses may leak
+into the multicast routing system.  Therefore setting the IPv6 Hop Limit
+or IPv4 TTL field to one provides an additional precaution against
+leakage of LLMNR queries.
+
+In composing a response to an LLMNR query, the responder MUST set the
+Hop Limit field in the IPv6 header and the TTL field in IPv4 header of
+the response to one (1).  This is done so as to prevent the use of LLMNR
+for denial of service attacks across the Internet.
+
+Section 2.4 discusses use of TCP for LLMNR queries and responses.  The
+responder SHOULD set the TTL or Hop Limit settings on the TCP listen
+socket to one (1) so that SYN-ACK packets will have TTL (IPv4) or Hop
+Limit (IPv6) set to one (1). This prevents an incoming connection from
+off-link since the sender will not receive a SYN-ACK from the responder.
+
+Implementation note:
+
+   In the sockets API for IPv4 [POSIX], the IP_TTL and IP_MULTICAST_TTL
+   socket options are used to set the TTL of outgoing unicast and
+   multicast packets. The IP_RECVTTL socket option is available on some
+   platforms to retrieve the IPv4 TTL of received packets with
+   recvmsg().  [RFC2292] specifies similar options for setting and
+   retrieving the IPv6 Hop Limit.
+
+2.6.  Responder responsibilities
+
+It is the responsibility of the responder to ensure that RRs returned in
+LLMNR responses MUST only include values that are valid on the local
+interface, such as IPv4 or IPv6 addresses valid on the local link or
+names defended using the mechanism described in Section 4.  In
+particular:
+
+[a]  If a link-scope IPv6 address is returned in a AAAA RR, that address
+     MUST be valid on the local link over which LLMNR is used.
+
+[b]  If an IPv4 address is returned, it MUST be reachable through the
+     link over which LLMNR is used.
+
+[c]  If a name is returned (for example in a CNAME, MX or SRV RR), the
+     name MUST be resolvable on the local link over which LLMNR is used.
+
+
+
+
+Esibov, Aboba & Thaler       Standards Track                   [Page 12]
+
+
+
+
+
+INTERNET-DRAFT                    LLMNR                  20 January 2004
+
+
+Routable addresses MUST be included first in the response, if available.
+This encourages use of routable address(es) for establishment of new
+connections.
+
+2.7.  Retransmission and jitter
+
+An LLMNR sender uses the timeout interval LLMNR_TIMEOUT to determine
+when to retransmit an LLMNR query and how long to collect responses to
+an LLMNR query.
+
+If an LLMNR query sent over UDP is not resolved within LLMNR_TIMEOUT,
+then a sender MAY repeat the transmission of the query in order to
+assure that it was received by a host capable of responding to it.
+Retransmission of UDP queries SHOULD NOT be attempted more than 3 times.
+Where LLMNR queries are sent using TCP, retransmission is handled by the
+transport layer.
+
+Because an LLMNR sender cannot know in advance if a query sent using
+multicast will receive no response, one response, or more than one
+response, the sender SHOULD wait for LLMNR_TIMEOUT in order to collect
+all possible responses, rather than considering the multicast query
+answered after the first response is received. A unicast query sender
+considers the query answered after the first response is received, so
+that it only waits for LLMNR_TIMEOUT if no response has been received.
+
+An LLMNR sender SHOULD dynamically compute the value of LLMNR_TIMEOUT
+for each transmission. It is suggested that the computation of
+LLMNR_TIMEOUT be based on the response times for earlier LLMNR queries
+sent on the same interface.
+
+For example, the algorithms described in RFC 2988 [RFC2988] (including
+exponential backoff) to compute an RTO, which is used as the value of
+LLMNR_TIMEOUT. Smaller values MAY be used for the initial RTO (discussed
+in Section 2 of [RFC2988], paragraph 2.1), the minimum RTO (discussed in
+Section 2 of [RFC2988], paragraph 2.4), and the maximum RTO (discussed
+in Section 2 of [RFC2988], paragraph 2.5).
+
+Recommended values are an initial RTO of 1 second, a minimum RTO of
+200ms, and a maximum RTO of 5 seconds.  In order to avoid
+synchronization, the transmission of each LLMNR query and response
+SHOULD delayed by a time randomly selected from the interval 0 to 100
+ms. This delay MAY be avoided by responders responding with RRs which
+they have previously determined to be UNIQUE (see Section 4 for
+details).
+
+
+
+
+
+
+
+Esibov, Aboba & Thaler       Standards Track                   [Page 13]
+
+
+
+
+
+INTERNET-DRAFT                    LLMNR                  20 January 2004
+
+
+2.8.  DNS TTL
+
+The responder should use a pre-configured TTL value in the records
+returned an LLMNR response.  A default value of 30 seconds is
+RECOMMENDED.  In highly dynamic environments (such as mobile ad-hoc
+networks), the TTL value may need to be reduced.
+
+Due to the TTL minimalization necessary when caching an RRset, all TTLs
+in an RRset MUST be set to the same value.
+
+2.9.  Use of the authority and additional sections
+
+Unlike the DNS, LLMNR is a peer-to-peer protocol and does not have a
+concept of delegation.  In LLMNR, the NS resource record type may be
+stored and queried for like any other type, but it has no special
+delegation semantics as it does in the DNS.  Responders MAY have NS
+records associated with the names for which they are authoritative, but
+they SHOULD NOT include these NS records in the authority sections of
+responses.
+
+Responders SHOULD insert an SOA record into the authority section of a
+negative response, to facilitate negative caching as specified in
+[RFC2308].  The owner name of this SOA record MUST be equal to the query
+name.
+
+Responders SHOULD NOT perform DNS additional section processing, except
+as required for EDNS0 and DNSSEC.
+
+Senders MUST NOT cache RRs from the authority or additional section of a
+response as answers, though they may be used for other purposes such as
+negative caching.
+
+3.  Usage model
+
+Since LLMNR is a secondary name resolution mechanism, its usage is in
+part determined by the behavior of DNS implementations.  This document
+does not specify any changes to DNS resolver behavior, such as
+searchlist processing or retransmission/failover policy.  However,
+robust DNS resolver implementations are more likely to avoid unnecessary
+LLMNR queries.
+
+As noted in [DNSPerf], even when DNS servers are configured, a
+significant fraction of DNS queries do not receive a response, or result
+in negative responses due to missing inverse mappings or NS records that
+point to nonexistent or inappropriate hosts.  This has the potential to
+result in a large number of unnecessary LLMNR queries.
+
+[RFC1536] describes common DNS implementation errors and fixes.  If the
+
+
+
+Esibov, Aboba & Thaler       Standards Track                   [Page 14]
+
+
+
+
+
+INTERNET-DRAFT                    LLMNR                  20 January 2004
+
+
+proposed fixes are implemented, unnecessary LLMNR queries will be
+reduced substantially, and so implementation of [RFC1536] is
+recommended.
+
+For example, [RFC1536] Section 1 describes issues with retransmission
+and recommends implementation of a retransmission policy based on round
+trip estimates, with exponential backoff.  [RFC1536] Section 4 describes
+issues with failover, and recommends that resolvers try another server
+when they don't receive a response to a query.  These policies are
+likely to avoid unnecessary LLMNR queries.
+
+[RFC1536] Section 3 describes zero answer bugs, which if addressed will
+also reduce unnecessary LLMNR queries.
+
+[RFC1536] Section 6 describes name error bugs and recommended searchlist
+processing that will reduce unnecessary RCODE=3 (authoritative name)
+errors, thereby also reducing unnecessary LLMNR queries.
+
+3.1.  LLMNR configuration
+
+Since IPv4 and IPv6 utilize distinct configuration mechanisms, it is
+possible for a dual stack host to be configured with the address of a
+DNS server over IPv4, while remaining unconfigured with a DNS server
+suitable for use over IPv6.
+
+In these situations, a dual stack host will send AAAA queries to the
+configured DNS server over IPv4.  However, an IPv6-only host
+unconfigured with a DNS server suitable for use over IPv6 will be unable
+to resolve names using DNS.  Automatic IPv6 DNS configuration mechanisms
+(such as [RFC3315] and [DNSDisc]) are not yet widely deployed, and not
+all DNS servers support IPv6. Therefore lack of IPv6 DNS configuration
+may be a common problem in the short term, and LLMNR may prove useful in
+enabling linklocal name resolution over IPv6.
+
+Where a DHCPv4 server is available but not a DHCPv6 server [RFC3315],
+IPv6-only hosts may not be configured with a DNS server.  Where there is
+no DNS server authoritative for the name of a host or the authoritative
+DNS server does not support dynamic client update over IPv6 or
+DHCPv6-based dynamic update, then an IPv6-only host will not be able to
+do DNS dynamic update, and other hosts will not be able to resolve its
+name.
+
+For example, if the configured DNS server responds to AAAA RR queries
+sent over IPv4 or IPv6 with an authoritative name error (RCODE=3), then
+it will not be possible to resolve the names of IPv6-only hosts.  In
+this situation, LLMNR over IPv6 can be used for local name resolution.
+
+Similarly, if a DHCPv4 server is available providing DNS server
+
+
+
+Esibov, Aboba & Thaler       Standards Track                   [Page 15]
+
+
+
+
+
+INTERNET-DRAFT                    LLMNR                  20 January 2004
+
+
+configuration, and DNS server(s) exist which are authoritative for the A
+RRs of local hosts and support either dynamic client update over IPv4 or
+DHCPv4-based dynamic update, then the names of local IPv4 hosts can be
+resolved over IPv4 without LLMNR.  However,  if no DNS server is
+authoritative for the names of local hosts, or the authoritative DNS
+server(s) do not support dynamic update, then LLMNR enables linklocal
+name resolution over IPv4.
+
+Where DHCPv4 or DHCPv6 is implemented, DHCP options can be used to
+configure LLMNR on an interface.  The LLMNR Enable Option, described in
+[LLMNREnable], can be used to explicitly enable or disable use of LLMNR
+on an interface.  The LLMNR Enable Option does not determine whether or
+in which order DNS itself is used for name resolution.  The order in
+which various name resolution mechanisms should be used can be specified
+using the Name Service Search Option (NSSO) for DHCP [RFC2937], using
+the LLMNR Enable Option code carried in the NSSO data.
+
+It is possible that DNS configuration mechanisms will go in and out of
+service.  In these circumstances, it is possible for hosts within an
+administrative domain to be inconsistent in their DNS configuration.
+
+For example, where DHCP is used for configuring DNS servers, one or more
+DHCP servers can fail.  As a result, hosts configured prior to the
+outage will be configured with a DNS server, while hosts configured
+after the outage will not.  Alternatively, it is possible for the DNS
+configuration mechanism to continue functioning while configured DNS
+servers fail.
+
+Unless unconfigured hosts periodically retry configuration, an outage in
+the DNS configuration mechanism will result in hosts continuing to use
+LLMNR even once the outage is repaired.  Since LLMNR only enables
+linklocal name resolution, this represents an unnecessary degradation in
+capabilities.  As a result, it is recommended that hosts without a
+configured DNS server periodically attempt to obtain DNS configuration.
+For example, where DHCP is used for DNS configuration, [RFC2131]
+recommends a maximum retry interval of 64 seconds.  In the absence of
+other guidance, a default retry interval of one (1) minute is
+RECOMMENDED.
+
+4.  Conflict resolution
+
+The sender MUST anticipate receiving multiple replies to the same LLMNR
+query, in the event that several LLMNR enabled computers receive the
+query and respond with valid answers.  When this occurs, the responses
+may first be concatenated, and then treated in the same manner that
+multiple RRs received from the same DNS server would; the sender
+perceives no inherent conflict in the receipt of multiple responses.
+
+
+
+
+Esibov, Aboba & Thaler       Standards Track                   [Page 16]
+
+
+
+
+
+INTERNET-DRAFT                    LLMNR                  20 January 2004
+
+
+There are some scenarios when multiple responders MAY respond to the
+same query.  There are other scenarios when only one responder MAY
+respond to a query.  Resource records for which the latter queries are
+submitted are referred as UNIQUE throughout this document.  The
+uniqueness of a resource record depends on a nature of the name in the
+query and type of the query.  For example it is expected that:
+
+   - multiple hosts may respond to a query for an SRV type record
+   - multiple hosts may respond to a query for an A or AAAA type
+     record for a cluster name (assigned to multiple hosts in
+     the cluster)
+   - only a single host may respond to a query for an A or AAAA
+     type record for a name.
+
+Every responder that responds to an LLMNR query AND includes a UNIQUE
+record in the response:
+
+[1]  MUST verify that there is no other host within the scope of the
+     LLMNR query propagation that can return a resource record for the
+     same name, type and class.
+
+[2]  MUST NOT include a UNIQUE resource record in the response without
+     having verified its uniqueness.
+
+Where a host is configured to issue LLMNR queries on more than one
+interface, each interface should have its own independent LLMNR cache.
+For each UNIQUE resource record in a given interface's configuration,
+the host MUST verify resource record uniqueness on that interface.  To
+accomplish this, the host MUST send an LLMNR query for each UNIQUE
+resource record.
+
+By default, a host SHOULD be configured to behave as though all RRs are
+UNIQUE.  Uniqueness verification is carried out when the host:
+
+  - starts up or is rebooted
+  - wakes from sleep (if the network interface was inactive during sleep)
+  - is configured to respond to the LLMNR queries on an interface
+    enabled for transmission and reception of IP traffic
+  - is configured to respond to the LLMNR queries using additional
+    UNIQUE resource records
+  - detects that an interface is connected and is usable
+    (e.g. an IEEE 802 hardware link-state change indicating
+    that a cable was attached or that an association has occurred
+    with a wireless base station and that any required authentication
+    has completed)
+
+When a host that has a UNIQUE record receives an LLMNR query for that
+record, the host MUST respond.  After the client receives a response, it
+
+
+
+Esibov, Aboba & Thaler       Standards Track                   [Page 17]
+
+
+
+
+
+INTERNET-DRAFT                    LLMNR                  20 January 2004
+
+
+MUST check whether the response arrived on an interface different from
+the one on which the query was sent.  If the response arrives on a
+different interface, the client can use the UNIQUE resource record in
+response to LLMNR queries.  If not, then it MUST NOT use the UNIQUE
+resource record in response to LLMNR queries.
+
+The name conflict detection mechanism doesn't prevent name conflicts
+when previously partitioned segments are connected by a bridge. In order
+to minimize the chance of conflicts in such a situation, it is
+recommended that steps be taken to ensure name uniqueness. For example,
+the name could be chosen randomly from a large pool of potential names,
+or the name could be assigned via a process designed to guarantee
+uniqueness.
+
+When name conflicts are detected, they SHOULD be logged.  To detect
+duplicate use of a name, an administrator can use a name resolution
+utility which employs LLMNR and lists both responses and responders.
+This would allow an administrator to diagnose behavior and potentially
+to intervene and reconfigure LLMNR responders who should not be
+configured to respond to the same name.
+
+4.1.  Considerations for Multiple Interfaces
+
+A multi-homed host may elect to configure LLMNR on only one of its
+active interfaces.  In many situations this will be adequate.  However,
+should a host need to configure LLMNR on more than one of its active
+interfaces, there are some additional precautions it MUST take.
+Implementers who are not planning to support LLMNR on multiple
+interfaces simultaneously may skip this section.
+
+A multi-homed host checks the uniqueness of UNIQUE records as described
+in Section 4.  The situation is illustrated in figure 1.
+
+     ----------  ----------
+      |      |    |      |
+     [A]    [myhost]   [myhost]
+
+   Figure 1.  Link-scope name conflict
+
+In this situation, the multi-homed myhost will probe for, and defend,
+its host name on both interfaces.  A conflict will be detected on one
+interface, but not the other.  The multi-homed myhost will not be able
+to respond with a host RR for "myhost" on the interface on the right
+(see Figure 1).  The multi-homed host may, however, be configured to use
+the "myhost" name on the interface on the left.
+
+Since names are only unique per-link, hosts on different links could be
+using the same name.  If an LLMNR client sends requests over multiple
+
+
+
+Esibov, Aboba & Thaler       Standards Track                   [Page 18]
+
+
+
+
+
+INTERNET-DRAFT                    LLMNR                  20 January 2004
+
+
+interfaces, and receives replies from more than one, the result returned
+to the client is defined by the implementation.  The situation is
+illustrated in figure 2.
+
+     ----------  ----------
+      |      |    |     |
+     [A]    [myhost]   [A]
+
+
+   Figure 2.  Off-segment name conflict
+
+If host myhost is configured to use LLMNR on both interfaces, it will
+send LLMNR queries on both interfaces.  When host myhost sends a query
+for the host RR for name "A" it will receive a response from hosts on
+both interfaces.
+
+Host myhost cannot distinguish between the situation shown in Figure 2,
+and that shown in Figure 3 where no conflict exists.
+
+             [A]
+            |   |
+        -----   -----
+            |   |
+           [myhost]
+
+   Figure 3.  Multiple paths to same host
+
+This illustrates that the proposed name conflict resolution mechanism
+does not support detection or resolution of conflicts between hosts on
+different links.  This problem can also occur with unicast DNS when a
+multi-homed host is connected to two different networks with separated
+name spaces.  It is not the intent of this document to address the issue
+of uniqueness of names within DNS.
+
+4.2.  API issues
+
+[RFC2553] provides an API which can partially solve the name ambiguity
+problem for applications written to use this API, since the sockaddr_in6
+structure exposes the scope within which each scoped address exists, and
+this structure can be used for both IPv4 (using v4-mapped IPv6
+addresses) and IPv6 addresses.
+
+Following the example in Figure 2, an application on 'myhost' issues the
+request getaddrinfo("A", ...) with ai_family=AF_INET6 and
+ai_flags=AI_ALL|AI_V4MAPPED.  LLMNR requests will be sent from both
+interfaces and the resolver library will return a list containing
+multiple addrinfo structures, each with an associated sockaddr_in6
+structure.  This list will thus contain the IPv4 and IPv6 addresses of
+
+
+
+Esibov, Aboba & Thaler       Standards Track                   [Page 19]
+
+
+
+
+
+INTERNET-DRAFT                    LLMNR                  20 January 2004
+
+
+both hosts responding to the name 'A'.  Link-local addresses will have a
+sin6_scope_id value that disambiguates which interface is used to reach
+the address.  Of course, to the application, Figures 2 and 3 are still
+indistinguishable, but this API allows the application to communicate
+successfully with any address in the list.
+
+5.  Security Considerations
+
+LLMNR is by nature a peer-to-peer name resolution protocol. It is
+therefore inherently more vulnerable than DNS, since existing DNS
+security mechanisms are difficult to apply to LLMNR. While tools exist
+to alllow an attacker to spoof a response to a DNS query, spoofing a
+response to an LLMNR query is easier since the query is sent to a link-
+scope multicast address, where every host on the logical link will be
+made aware of it.
+
+In order to address the security vulnerabilities, the following
+mechanisms are contemplated:
+
+[1]  Scope restrictions.
+
+[2]  Usage restrictions.
+
+[3]  Cache and port separation.
+
+[4]  Authentication.
+
+These techniques are described in the following sections.
+
+5.1.  Scope restriction
+
+With LLMNR it is possible that hosts will allocate conflicting names for
+a period of time, or that attackers will attempt to deny service to
+other hosts by allocating the same name. Such attacks also allow hosts
+to receive packets destined for other hosts.
+
+Since LLMNR is typically deployed in situations where no trust model can
+be assumed, it is likely that LLMNR queries and responses will be
+unauthenticated. In the absence of authentication, LLMNR reduces the
+exposure to such threats by utilizing queries sent to a link-scope
+multicast address, as well as setting the TTL (IPv4) or Hop Limit (IPv6)
+fields to one (1) on both queries and responses.
+
+A TTL of one (1) was chosen so as to limit the likelihood that LLMNR can
+be used to launch denial of service attacks. For example, were the TTL
+of an LLMNR Response to be set to a value larger than one (1), an
+attacker could send a large volume of queries from a spoofed source
+address, causing an off-link target to be deluged with responses.
+
+
+
+Esibov, Aboba & Thaler       Standards Track                   [Page 20]
+
+
+
+
+
+INTERNET-DRAFT                    LLMNR                  20 January 2004
+
+
+Utilizing a TTL of one (1) in LLMNR responses ensures that they will not
+be forwarded off-link. Using a TTL of one (1) to set up a TCP connection
+in order to send a unicast LLMNR query reduces the likelihood of both
+denial of service attacks and spoofed responses.  Checking that an LLMNR
+query is sent to a link-scope multicast address should prevent spoofing
+of multicast queries by off-link attackers.
+
+While this limits the ability of off-link attackers to spoof LLMNR
+queries and responses, it does not eliminate it. For example, it is
+possible for an attacker to spoof a response to a frequent query (such
+as an A or AAAA query for a popular Internet host), and by using a TTL
+or Hop Limit field larger than one (1), for the forged response to reach
+the LLMNR sender.
+
+There also are scenarios such as public "hotspots" where attackers can
+be present on the same link.  These threats are most serious in wireless
+networks such as 802.11, since attackers on a wired network will require
+physical access to the home network, while wireless attackers may reside
+outside the home.  Link-layer security can be of assistance against
+these threats if it is available.
+
+5.2.  Usage restriction
+
+As noted in Sections 2 and 3, LLMNR is intended for usage in a limited
+set of scenarios.
+
+If an LLMNR query is sent whenever a DNS server does not respond in a
+timely way, then an attacker can poison the LLMNR cache by responding to
+the query with incorrect information.  To some extent, these
+vulnerabilities exist today, since DNS response spoofing tools are
+available that can allow an attacker to respond to a query more quickly
+than a distant DNS server.
+
+Since LLMNR queries are sent and responded to on the local-link, an
+attacker will need to respond more quickly to provide its own response
+prior to arrival of the response from a legitimate responder. If an
+LLMNR query is sent for an off-link host, spoofing a response in a
+timely way is not difficult, since a legitimate response will never be
+received.
+
+The vulnerability is more serious if LLMNR is given higher priority than
+DNS among the enabled name resolution mechanisms. In such a
+configuration, a denial of service attack on the DNS server would not be
+necessary in order to poison the LLMNR cache, since LLMNR queries would
+be sent even when the DNS server is available. In addition, the LLMNR
+cache, once poisoned, would take precedence over the DNS cache,
+eliminating the benefits of cache separation. As a result, LLMNR is only
+used as a name resolution mechanism of last resort.
+
+
+
+Esibov, Aboba & Thaler       Standards Track                   [Page 21]
+
+
+
+
+
+INTERNET-DRAFT                    LLMNR                  20 January 2004
+
+
+5.3.  Cache and port separation
+
+In order to prevent responses to LLMNR queries from polluting the DNS
+cache, LLMNR implementations MUST use a distinct, isolated cache for
+LLMNR on each interface. The use of separate caches is most effective
+when LLMNR is used as a name resolution mechanism of last resort, since
+this minimizes the opportunities for poisoning the LLMNR cache, and
+decreases reliance on it.
+
+LLMNR operates on a separate port from DNS, reducing the likelihood that
+a DNS server will unintentionally respond to an LLMNR query.
+
+5.4.  Authentication
+
+LLMNR implementations may not support DNSSEC or TSIG, and as a result,
+responses to LLMNR queries may be unauthenticated.  If authentication is
+desired, and a pre-arranged security configuration is possible, then
+IPsec ESP with a null-transform MAY be used to authenticate LLMNR
+responses.  In a small network without a certificate authority, this can
+be most easily accomplished through configuration of a group pre-shared
+key for trusted hosts.
+
+6.  IANA Considerations
+
+This specification creates one new name space:  the reserved bits in the
+LLMNR header.  These are allocated by IETF Consensus, in accordance with
+BCP 26 [RFC2434].
+
+LLMNR requires allocation of a port TBD for both TCP and UDP.
+Assignment of the same port for both transports is requested.
+
+LLMNR requires allocation of a link-scope multicast IPv4 address TBD.
+LLMNR also requires allocation of a link-scope multicast IPv6 address
+TBD.
+
+7.  References
+
+7.1.  Normative References
+
+[RFC1035] Mockapetris, P., "Domain Names - Implementation and
+          Specification", RFC 1035, November 1987.
+
+[RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321,
+          April 1992.
+
+[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+          Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+
+
+
+Esibov, Aboba & Thaler       Standards Track                   [Page 22]
+
+
+
+
+
+INTERNET-DRAFT                    LLMNR                  20 January 2004
+
+
+[RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
+          Specification", RFC 2181, July 1997.
+
+[RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)",
+          RFC 2308, March 1998.
+
+[RFC2365] Meyer, D., "Administratively Scoped IP Multicast", BCP 23, RFC
+          2365, July 1998.
+
+[RFC2373] Hinden, R. and S. Deering, "IP Version 6 Addressing
+          Architecture", RFC 2373, July 1998.
+
+[RFC2434] Alvestrand, H. and T. Narten, "Guidelines for Writing an IANA
+          Considerations Section in RFCs", BCP 26, RFC 2434, October
+          1998.
+
+[RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6
+          (IPv6) Specification", RFC 2460, December 1998.
+
+[RFC2535] Eastlake, D., "Domain Name System Security Extensions", RFC
+          2535, March 1999.
+
+[RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC 2671,
+          August 1999.
+
+[RFC2988] Paxson, V. and M. Allman, "Computing TCP's Retransmission
+          Timer", RFC 2988, November 2000.
+
+7.2.  Informative References
+
+[RFC1536] Kumar, A., et. al., "DNS Implementation Errors and Suggested
+          Fixes", RFC 1536, October 1993.
+
+[RFC2131] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131,
+          March 1997.
+
+[RFC2136] Vixie, P., Thomson, S., Rekhter, Y. and J. Bound, "Dynamic
+          Updates in the Domain Name System (DNS UPDATE)", RFC 2136,
+          April 1997.
+
+[RFC2292] Stevens, W. and M. Thomas, "Advanced Sockets API for IPv6",
+          RFC 2292, February 1998.
+
+[RFC2553] Gilligan, R., Thomson, S., Bound, J. and W. Stevens, "Basic
+          Socket Interface Extensions for IPv6", RFC 2553, March 1999.
+
+[RFC2937] Smith, C., "The Name Service Search Option for DHCP", RFC
+          2937, September 2000.
+
+
+
+Esibov, Aboba & Thaler       Standards Track                   [Page 23]
+
+
+
+
+
+INTERNET-DRAFT                    LLMNR                  20 January 2004
+
+
+[RFC3315] Droms, R., et al., "Dynamic Host Configuration Protocol for
+          IPv6 (DHCPv6)", RFC 3315, July 2003.
+
+[DNSPerf] Jung, J., et al., "DNS Performance and the Effectiveness of
+          Caching", IEEE/ACM Transactions on Networking, Volume 10,
+          Number 5, pp. 589, October 2002.
+
+[DNSDisc] Durand, A., Hagino, I. and D. Thaler, "Well known site local
+          unicast addresses to communicate with recursive DNS servers",
+          Internet draft (work in progress), draft-ietf-ipv6-dns-
+          discovery-07.txt, October 2002.
+
+[IPV4Link]
+          Cheshire, S., Aboba, B. and E. Guttman, "Dynamic Configuration
+          of IPv4 Link-Local Addresses", Internet draft (work in
+          progress), draft-ietf-zeroconf-ipv4-linklocal-10.txt, October
+          2003.
+
+[POSIX]   IEEE Std. 1003.1-2001 Standard for Information Technology --
+          Portable Operating System Interface (POSIX). Open Group
+          Technical Standard: Base Specifications, Issue 6, December
+          2001.  ISO/IEC 9945:2002.  http://www.opengroup.org/austin
+
+[LLMNREnable]
+          Guttman, E., "DHCP LLMNR Enable Option", Internet draft (work
+          in progress), draft-guttman-mdns-enable-02.txt, April 2002.
+
+[NodeInfo]
+          Crawford, M., "IPv6 Node Information Queries", Internet draft
+          (work in progress), draft-ietf-ipn-gwg-icmp-name-
+          lookups-09.txt, May 2002.
+
+Acknowledgments
+
+This work builds upon original work done on multicast DNS by Bill
+Manning and Bill Woodcock. Bill Manning's work was funded under DARPA
+grant #F30602-99-1-0523. The authors gratefully acknowledge their
+contribution to the current specification.  Constructive input has also
+been received from Mark Andrews, Stuart Cheshire, Randy Bush, Robert
+Elz, Rob Austein, James Gilroy, Olafur Gudmundsson, Erik Guttman, Myron
+Hattig, Thomas Narten, Christian Huitema, Erik Nordmark, Sander Van-
+Valkenburg, Tomohide Nagashima, Brian Zill, Keith Moore and Markku
+Savela.
+
+
+
+
+
+
+
+
+Esibov, Aboba & Thaler       Standards Track                   [Page 24]
+
+
+
+
+
+INTERNET-DRAFT                    LLMNR                  20 January 2004
+
+
+Authors' Addresses
+
+Levon Esibov
+Microsoft Corporation
+One Microsoft Way
+Redmond, WA 98052
+
+EMail: levone@microsoft.com
+
+Bernard Aboba
+Microsoft Corporation
+One Microsoft Way
+Redmond, WA 98052
+
+Phone: +1 425 706 6605
+EMail: bernarda@microsoft.com
+
+Dave Thaler
+Microsoft Corporation
+One Microsoft Way
+Redmond, WA 98052
+
+Phone: +1 425 703 8835
+EMail: dthaler@microsoft.com
+
+Intellectual Property Statement
+
+The IETF takes no position regarding the validity or scope of any
+intellectual property or other rights that might be claimed to  pertain
+to the implementation or use of the technology described in this
+document or the extent to which any license under such rights might or
+might not be available; neither does it represent that it has made any
+effort to identify any such rights.  Information on the IETF's
+procedures with respect to rights in standards-track and standards-
+related documentation can be found in BCP-11.  Copies of claims of
+rights made available for publication and any assurances of licenses to
+be made available, or the result of an attempt made to obtain a general
+license or permission for the use of such proprietary rights by
+implementors or users of this specification can be obtained from the
+IETF Secretariat.
+
+The IETF invites any interested party to bring to its attention any
+copyrights, patents or patent applications, or other proprietary rights
+which may cover technology that may be required to practice this
+standard.  Please address the information to the IETF Executive
+Director.
+
+
+
+
+
+Esibov, Aboba & Thaler       Standards Track                   [Page 25]
+
+
+
+
+
+INTERNET-DRAFT                    LLMNR                  20 January 2004
+
+
+Full Copyright Statement
+
+Copyright (C) The Internet Society (2004).  All Rights Reserved.
+This document and translations of it may be copied and furnished to
+others, and derivative works that comment on or otherwise explain it or
+assist in its implementation may be prepared, copied, published and
+distributed, in whole or in part, without restriction of any kind,
+provided that the above copyright notice and this paragraph are included
+on all such copies and derivative works.  However, this document itself
+may not be modified in any way, such as by removing the copyright notice
+or references to the Internet Society or other Internet organizations,
+except as needed for the purpose of developing Internet standards in
+which case the procedures for copyrights defined in the Internet
+Standards process must be followed, or as required to translate it into
+languages other than English.  The limited permissions granted above are
+perpetual and will not be revoked by the Internet Society or its
+successors or assigns.  This document and the information contained
+herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE
+INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Open Issues
+
+Open issues with this specification are tracked on the following web
+site:
+
+http://www.drizzle.com/~aboba/DNSEXT/llmnrissues.html
+
+Expiration Date
+
+This memo is filed as <draft-ietf-dnsext-mdns-29.txt>,  and  expires
+August 4, 2004.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Esibov, Aboba & Thaler       Standards Track                   [Page 26]
+
diff --git a/doc/draft/draft-ietf-dnsext-mdns-43.txt b/doc/draft/draft-ietf-dnsext-mdns-43.txt
deleted file mode 100644
index 5de6e85e..00000000
--- a/doc/draft/draft-ietf-dnsext-mdns-43.txt
+++ /dev/null
@@ -1,1740 +0,0 @@
-
-
-
-
-
-
-DNSEXT Working Group                                       Bernard Aboba
-INTERNET-DRAFT                                               Dave Thaler
-Category: Standards Track                                   Levon Esibov
-<draft-ietf-dnsext-mdns-43.txt>                    Microsoft Corporation
-29 August 2005
-
-              Linklocal Multicast Name Resolution (LLMNR)
-
-Status of this Memo
-
-   By submitting this Internet-Draft, each author represents that any
-   applicable patent or other IPR claims of which he or she is aware
-   have been or will be disclosed, and any of which he or she becomes
-   aware will be disclosed, in accordance with Section 6 of BCP 79.
-
-   Internet-Drafts are working documents of the Internet Engineering
-   Task Force (IETF), its areas, and its working groups.  Note that
-   other groups may also distribute working documents as Internet-
-   Drafts.
-
-   Internet-Drafts are draft documents valid for a maximum of six months
-   and may be updated, replaced, or obsoleted by other documents at any
-   time.  It is inappropriate to use Internet-Drafts as reference
-   material or to cite them other than as "work in progress."
-
-   The list of current Internet-Drafts can be accessed at
-   http://www.ietf.org/ietf/1id-abstracts.txt.
-
-   The list of Internet-Draft Shadow Directories can be accessed at
-   http://www.ietf.org/shadow.html.
-
-   This Internet-Draft will expire on March 15, 2006.
-
-Copyright Notice
-
-   Copyright (C) The Internet Society 2005.
-
-Abstract
-
-   The goal of Link-Local Multicast Name Resolution (LLMNR) is to enable
-   name resolution in scenarios in which conventional DNS name
-   resolution is not possible.  LLMNR supports all current and future
-   DNS formats, types and classes, while operating on a separate port
-   from DNS, and with a distinct resolver cache.  Since LLMNR only
-   operates on the local link, it cannot be considered a substitute for
-   DNS.
-
-
-
-
-
-Aboba, Thaler & Esibov       Standards Track                    [Page 1]
-
-
-
-
-
-INTERNET-DRAFT                    LLMNR                   29 August 2005
-
-
-Table of Contents
-
-1.     Introduction ..........................................    3
-   1.1       Requirements ....................................    4
-   1.2       Terminology .....................................    4
-2.     Name Resolution Using LLMNR ...........................    4
-   2.1       LLMNR Packet Format .............................    6
-   2.2       Sender Behavior .................................    9
-   2.3       Responder Behavior ..............................   10
-   2.4       Unicast Queries and Responses ...................   12
-   2.5       Off-link Detection ..............................   13
-   2.6       Responder Responsibilities ......................   13
-   2.7       Retransmission and Jitter .......................   14
-   2.8       DNS TTL .........................................   15
-   2.9       Use of the Authority and Additional Sections ....   15
-3.     Usage model ...........................................   16
-   3.1       LLMNR Configuration .............................   17
-4.     Conflict Resolution ...................................   18
-   4.1       Uniqueness Verification .........................   19
-   4.2       Conflict Detection and Defense ..................   20
-   4.3       Considerations for Multiple Interfaces ..........   21
-   4.4       API issues ......................................   22
-5.     Security Considerations ...............................   22
-   5.1       Denial of Service ...............................   23
-   5.2       Spoofing ...............,........................   23
-   5.3       Authentication ..................................   24
-   5.4       Cache and Port Separation .......................   25
-6.     IANA considerations ...................................   25
-7.     Constants .............................................   25
-8.     References ............................................   25
-   8.1       Normative References ............................   25
-   8.2       Informative References ..........................   26
-Acknowledgments ..............................................   27
-Authors' Addresses ...........................................   28
-Intellectual Property Statement ..............................   28
-Disclaimer of Validity .......................................   29
-Copyright Statement ..........................................   29
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Aboba, Thaler & Esibov       Standards Track                    [Page 2]
-
-
-
-
-
-INTERNET-DRAFT                    LLMNR                   29 August 2005
-
-
-1.  Introduction
-
-   This document discusses Link Local Multicast Name Resolution (LLMNR),
-   which is based on the DNS packet format and supports all current and
-   future DNS formats, types and classes.  LLMNR operates on a separate
-   port from the Domain Name System (DNS), with a distinct resolver
-   cache.
-
-   The goal of LLMNR is to enable name resolution in scenarios in which
-   conventional DNS name resolution is not possible.  Usage scenarios
-   (discussed in more detail in Section 3.1) include situations in which
-   hosts are not configured with the address of a DNS server; where the
-   DNS server is unavailable or unreachable; where there is no DNS
-   server authoritative for the name of a host, or where the
-   authoritative DNS server does not have the desired RRs, as described
-   in Section 2.
-
-   Since LLMNR only operates on the local link, it cannot be considered
-   a substitute for DNS.  Link-scope multicast addresses are used to
-   prevent propagation of LLMNR traffic across routers, potentially
-   flooding the network.  LLMNR queries can also be sent to a unicast
-   address, as described in Section 2.4.
-
-   Propagation of LLMNR packets on the local link is considered
-   sufficient to enable name resolution in small networks.  In such
-   networks, if a network has a gateway, then typically the network is
-   able to provide DNS server configuration.  Configuration issues are
-   discussed in Section 3.1.
-
-   In the future, it may be desirable to consider use of multicast name
-   resolution with multicast scopes beyond the link-scope.  This could
-   occur if LLMNR deployment is successful, the need arises for
-   multicast name resolution beyond the link-scope, or multicast routing
-   becomes ubiquitous.  For example, expanded support for multicast name
-   resolution might be required for mobile ad-hoc networks.
-
-   Once we have experience in LLMNR deployment in terms of
-   administrative issues, usability and impact on the network, it will
-   be possible to reevaluate which multicast scopes are appropriate for
-   use with multicast name resolution.  IPv4 administratively scoped
-   multicast usage is specified in "Administratively Scoped IP
-   Multicast" [RFC2365].
-
-   Service discovery in general, as well as discovery of DNS servers
-   using LLMNR in particular, is outside of the scope of this document,
-   as is name resolution over non-multicast capable media.
-
-
-
-
-
-Aboba, Thaler & Esibov       Standards Track                    [Page 3]
-
-
-
-
-
-INTERNET-DRAFT                    LLMNR                   29 August 2005
-
-
-1.1.  Requirements
-
-   In this document, several words are used to signify the requirements
-   of the specification.  The key words "MUST", "MUST NOT", "REQUIRED",
-   "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY",
-   and "OPTIONAL" in this document are to be interpreted as described in
-   [RFC2119].
-
-1.2.  Terminology
-
-   This document assumes familiarity with DNS terminology defined in
-   [RFC1035].  Other terminology used in this document includes:
-
-Positively Resolved
-     Responses with RCODE set to zero are referred to in this document
-     as "positively resolved".
-
-Routable Address
-     An address other than a Link-Local address.  This includes globally
-     routable addresses, as well as private addresses.
-
-Reachable
-     An LLMNR responder considers one of its addresses reachable over a
-     link if it will respond to an ARP or Neighbor Discovery query for
-     that address received on that link.
-
-Responder
-     A host that listens to LLMNR queries, and responds to those for
-     which it is authoritative.
-
-Sender
-     A host that sends an LLMNR query.
-
-UNIQUE
-     There are some scenarios when multiple responders may respond to
-     the same query.  There are other scenarios when only one responder
-     may respond to a query.  Names for which only a single responder is
-     anticipated are referred to as UNIQUE.  Name uniqueness is
-     configured on the responder, and therefore uniqueness verification
-     is the responder's responsibility.
-
-2.  Name Resolution Using LLMNR
-
-   LLMNR is a peer-to-peer name resolution protocol that is not intended
-   as a replacement for DNS.  LLMNR queries are sent to and received on
-   port 5355.  The IPv4 link-scope multicast address a given responder
-   listens to, and to which a sender sends queries, is 224.0.0.252.  The
-   IPv6 link-scope multicast address a given responder listens to, and
-
-
-
-Aboba, Thaler & Esibov       Standards Track                    [Page 4]
-
-
-
-
-
-INTERNET-DRAFT                    LLMNR                   29 August 2005
-
-
-   to which a sender sends all queries, is FF02:0:0:0:0:0:1:3.
-
-   Typically a host is configured as both an LLMNR sender and a
-   responder.  A host MAY be configured as a sender, but not a
-   responder.  However, a host configured as a responder MUST act as a
-   sender, if only to verify the uniqueness of names as described in
-   Section 4.  This document does not specify how names are chosen or
-   configured.  This may occur via any mechanism, including DHCPv4
-   [RFC2131] or DHCPv6 [RFC3315].
-
-   LLMNR usage MAY be configured manually or automatically on a per
-   interface basis.  By default, LLMNR responders SHOULD be enabled on
-   all interfaces, at all times.  Enabling LLMNR for use in situations
-   where a DNS server has been configured will result in a change in
-   default behavior without a simultaneous update to configuration
-   information.  Where this is considered undesirable, LLMNR SHOULD NOT
-   be enabled by default, so that hosts will neither listen on the link-
-   scope multicast address, nor will they send queries to that address.
-
-   By default, LLMNR queries MAY be sent only when one of the following
-   conditions are met:
-
-   [1] No manual or automatic DNS configuration has been performed.
-       If DNS server address(es) have been configured, then LLMNR
-       SHOULD NOT be used as the primary name resolution mechanism,
-       although it MAY be used as a secondary name resolution
-       mechanism.  A dual stack host SHOULD attempt to reach DNS
-       servers overall protocols on which DNS server address(es) are
-       configured, prior to sending LLMNR queries.  For dual stack
-       hosts configured with DNS server address(es) for one protocol
-       but not another, this inplies that DNS queries SHOULD be sent
-       over the protocol configured with a DNS server, prior to
-       sending LLMNR queries.
-
-   [2] All attempts to resolve the name via DNS on all interfaces
-       have failed after exhausting the searchlist.  This can occur
-       because DNS servers did not respond, or because they
-       responded to DNS queries with RCODE=3 (Authoritative Name
-       Error) or RCODE=0, and an empty answer section.  Where a
-       single resolver call generates DNS queries for A and AAAA RRs,
-       an implementation MAY choose not to send LLMNR queries if any
-       of the DNS queries is successful.  An LLMNR query SHOULD only
-       be sent for the originally requested name;  a searchlist
-       is not used to form additional LLMNR queries.
-
-   While these conditions are necessary for sending an LLMNR query, they
-   are not sufficient.  While an LLMNR sender MAY send a query for any
-   name, it also MAY impose additional conditions on sending LLMNR
-
-
-
-Aboba, Thaler & Esibov       Standards Track                    [Page 5]
-
-
-
-
-
-INTERNET-DRAFT                    LLMNR                   29 August 2005
-
-
-   queries.  For example, a sender configured with a DNS server MAY send
-   LLMNR queries only for unqualified names and for fully qualified
-   domain names within configured zones.
-
-   A typical sequence of events for LLMNR usage is as follows:
-
-   [a]  DNS servers are not configured or attempts to resolve the
-        name via DNS have failed, after exhausting the searchlist.
-        Also, the name to be queried satisfies the restrictions
-        imposed by the implementation.
-
-   [b]  An LLMNR sender sends an LLMNR query to the link-scope
-        multicast address(es), unless a unicast query is indicated,
-        as specified in Section 2.4.
-
-   [c]  A responder responds to this query only if it is authoritative
-        for the domain name in the query.  A responder responds to a
-        multicast query by sending a unicast UDP response to the sender.
-        Unicast queries are responded to as indicated in Section 2.4.
-
-   [d]  Upon reception of the response, the sender processes it.
-
-   The sections that follow provide further details on sender and
-   responder behavior.
-
-2.1.  LLMNR Packet Format
-
-   LLMNR is based on the DNS packet format defined in [RFC1035] Section
-   4 for both queries and responses.  LLMNR implementations SHOULD send
-   UDP queries and responses only as large as are known to be
-   permissible without causing fragmentation.  When in doubt a maximum
-   packet size of 512 octets SHOULD be used.  LLMNR implementations MUST
-   accept UDP queries and responses as large as the smaller of the link
-   MTU or 9194 octets (Ethernet jumbo frame size of 9KB (9216) minus 22
-   octets for the header, VLAN tag and CRC).
-
-2.1.1.  LLMNR Header Format
-
-   LLMNR queries and responses utilize the DNS header format defined in
-   [RFC1035] with exceptions noted below:
-
-
-
-
-
-
-
-
-
-
-
-Aboba, Thaler & Esibov       Standards Track                    [Page 6]
-
-
-
-
-
-INTERNET-DRAFT                    LLMNR                   29 August 2005
-
-
-                                   1  1  1  1  1  1
-     0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
-   +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-   |                      ID                       |
-   +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-   |QR|   Opcode  | C|TC| T| Z| Z| Z| Z|   RCODE   |
-   +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-   |                    QDCOUNT                    |
-   +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-   |                    ANCOUNT                    |
-   +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-   |                    NSCOUNT                    |
-   +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-   |                    ARCOUNT                    |
-   +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-
-   where:
-
-ID   A 16 bit identifier assigned by the program that generates any kind
-     of query.  This identifier is copied from the query to the response
-     and can be used by the sender to match responses to outstanding
-     queries. The ID field in a query SHOULD be set to a pseudo-random
-     value.  For advice on generation of pseudo-random values, please
-     consult [RFC1750].
-
-QR   Query/Response.  A one bit field, which if set indicates that the
-     message is an LLMNR response; if clear then the message is an LLMNR
-     query.
-
-OPCODE
-     A four bit field that specifies the kind of query in this message.
-     This value is set by the originator of a query and copied into the
-     response.  This specification defines the behavior of standard
-     queries and responses (opcode value of zero).  Future
-     specifications may define the use of other opcodes with LLMNR.
-     LLMNR senders and responders MUST support standard queries (opcode
-     value of zero).  LLMNR queries with unsupported OPCODE values MUST
-     be silently discarded by responders.
-
-C    Conflict.  When set within a request, the 'C'onflict bit indicates
-     that a sender has received multiple LLMNR responses to this query.
-     In an LLMNR response, if the name is considered UNIQUE, then the
-     'C' bit is clear, otherwise it is set.  LLMNR senders do not
-     retransmit queries with the 'C' bit set.  Responders MUST NOT
-     respond to LLMNR queries with the 'C' bit set, but may start the
-     uniqueness verification process, as described in Section 4.2.
-
-
-
-
-
-Aboba, Thaler & Esibov       Standards Track                    [Page 7]
-
-
-
-
-
-INTERNET-DRAFT                    LLMNR                   29 August 2005
-
-
-TC   TrunCation - specifies that this message was truncated due to
-     length greater than that permitted on the transmission channel.
-     The TC bit MUST NOT be set in an LLMNR query and if set is ignored
-     by an LLMNR responder.  If the TC bit is set in an LLMNR response,
-     then the sender SHOULD discard the response and resend the LLMNR
-     query over TCP using the unicast address of the responder as the
-     destination address.  See  [RFC2181] and Section 2.4 of this
-     specification for further discussion of the TC bit.
-
-T    Tentative.  The 'T'entative bit is set in a response if the
-     responder is authoritative for the name, but has not yet verified
-     the uniqueness of the name.  A responder MUST ignore the 'T' bit in
-     a query, if set.  A response with the 'T' bit set is silently
-     discarded by the sender, except if it is a uniqueness query, in
-     which case a conflict has been detected and a responder MUST
-     resolve the conflict as described in Section 4.1.
-
-Z    Reserved for future use.  Implementations of this specification
-     MUST set these bits to zero in both queries and responses.  If
-     these bits are set in a LLMNR query or response, implementations of
-     this specification MUST ignore them.  Since reserved bits could
-     conceivably be used for different purposes than in DNS,
-     implementors are advised not to enable processing of these bits in
-     an LLMNR implementation starting from a DNS code base.
-
-RCODE
-     Response code -- this 4 bit field is set as part of LLMNR
-     responses.  In an LLMNR query, the sender MUST set RCODE to zero;
-     the responder ignores the RCODE and assumes it to be zero.  The
-     response to a multicast LLMNR query MUST have RCODE set to zero.  A
-     sender MUST silently discard an LLMNR response with a non-zero
-     RCODE sent in response to a multicast query.
-
-     If an LLMNR responder is authoritative for the name in a multicast
-     query, but an error is encountered, the responder SHOULD send an
-     LLMNR response with an RCODE of zero, no RRs in the answer section,
-     and the TC bit set.  This will cause the query to be resent using
-     TCP, and allow the inclusion of a non-zero RCODE in the response to
-     the TCP query.  Responding with the TC bit set is preferable to not
-     sending a response, since it enables errors to be diagnosed.
-     Errors include those defined in [RFC2845], such as BADSIG(16),
-     BADKEY(17) and BADTIME(18).
-
-     Since LLMNR responders only respond to LLMNR queries for names for
-     which they are authoritative, LLMNR responders MUST NOT respond
-     with an RCODE of 3; instead, they should not respond at all.
-
-     LLMNR implementations MUST support EDNS0 [RFC2671] and extended
-
-
-
-Aboba, Thaler & Esibov       Standards Track                    [Page 8]
-
-
-
-
-
-INTERNET-DRAFT                    LLMNR                   29 August 2005
-
-
-     RCODE values.
-
-QDCOUNT
-     An unsigned 16 bit integer specifying the number of entries in the
-     question section.  A sender MUST place only one question into the
-     question section of an LLMNR query.  LLMNR responders MUST silently
-     discard LLMNR queries with QDCOUNT not equal to one.  LLMNR senders
-     MUST silently discard LLMNR responses with QDCOUNT not equal to
-     one.
-
-ANCOUNT
-     An unsigned 16 bit integer specifying the number of resource
-     records in the answer section.  LLMNR responders MUST silently
-     discard LLMNR queries with ANCOUNT not equal to zero.
-
-NSCOUNT
-     An unsigned 16 bit integer specifying the number of name server
-     resource records in the authority records section.  Authority
-     record section processing is described in Section 2.9.  LLMNR
-     responders MUST silently discard LLMNR queries with NSCOUNT not
-     equal to zero.
-
-ARCOUNT
-     An unsigned 16 bit integer specifying the number of resource
-     records in the additional records section.  Additional record
-     section processing is described in Section 2.9.
-
-2.2.  Sender Behavior
-
-   A sender MAY send an LLMNR query for any legal resource record  type
-   (e.g., A, AAAA, PTR, SRV, etc.) to the link-scope multicast address.
-   As described in Section 2.4, a sender MAY also send a unicast query.
-
-   The sender MUST anticipate receiving no replies to some LLMNR
-   queries, in the event that no responders are available within the
-   link-scope.  If no response is received, a resolver treats it as a
-   response that the name does not exist (RCODE=3 is returned).  A
-   sender can handle duplicate responses by discarding responses with a
-   source IP address and ID field that duplicate a response already
-   received.
-
-   When multiple valid LLMNR responses are received with the 'C' bit
-   set, they SHOULD be concatenated and treated in the same manner that
-   multiple RRs received from the same DNS server would be.  However,
-   responses with the 'C' bit set SHOULD NOT be concatenated with
-   responses with the 'C' bit clear; instead, only the responses with
-   the 'C' bit set SHOULD be returned.  If valid LLMNR response(s) are
-   received along with error response(s), then the error responses are
-
-
-
-Aboba, Thaler & Esibov       Standards Track                    [Page 9]
-
-
-
-
-
-INTERNET-DRAFT                    LLMNR                   29 August 2005
-
-
-   silently discarded.
-
-   If error responses are received from both DNS and LLMNR, then the
-   lowest RCODE value should be returned. For example, if either DNS or
-   LLMNR receives a response with RCODE=0, then this should returned to
-   the caller.
-
-   Since the responder may order the RRs in the response so as to
-   indicate preference, the sender SHOULD preserve ordering in the
-   response to the querying application.
-
-2.3.  Responder Behavior
-
-   An LLMNR response MUST be sent to the sender via unicast.
-
-   Upon configuring an IP address, responders typically will synthesize
-   corresponding A, AAAA and PTR RRs so as to be able to respond to
-   LLMNR queries for these RRs.  An SOA RR is synthesized only when a
-   responder has another RR in addition to the SOA RR;  the SOA RR MUST
-   NOT be the only RR that a responder has.  However, in general whether
-   RRs are manually or automatically created is an implementation
-   decision.
-
-   For example, a host configured to have computer name "host1" and to
-   be a member of the "example.com" domain, and with IPv4 address
-   192.0.2.1 and IPv6 address 2001:0DB8::1:2:3:FF:FE:4:5:6 might be
-   authoritative for the following records:
-
-   host1. IN A 192.0.2.1
-          IN AAAA 2001:0DB8::1:2:3:FF:FE:4:5:6
-
-   host1.example.com. IN A 192.0.2.1
-          IN AAAA 2001:0DB8::1:2:3:FF:FE:4:5:6
-
-   1.2.0.192.in-addr.arpa. IN PTR host1.
-          IN PTR host1.example.com.
-
-   6.0.5.0.4.0.E.F.F.F.3.0.2.0.1.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.
-   ip6.arpa IN PTR host1.  (line split for formatting reasons)
-            IN PTR host1.example.com.
-
-   An LLMNR responder might be further manually configured with the name
-   of a local mail server with an MX RR included in the "host1." and
-   "host1.example.com." records.
-
-   In responding to queries:
-
-
-
-
-
-Aboba, Thaler & Esibov       Standards Track                   [Page 10]
-
-
-
-
-
-INTERNET-DRAFT                    LLMNR                   29 August 2005
-
-
-[a]  Responders MUST listen on UDP port 5355 on the link-scope multicast
-     address(es) defined in Section 2, and on UDP and TCP port 5355 on
-     the unicast address(es) that could be set as the source address(es)
-     when the responder responds to the LLMNR query.
-
-[b]  Responders MUST direct responses to the port from which the query
-     was sent.  When queries are received via TCP this is an inherent
-     part of the transport protocol.  For queries received by UDP the
-     responder MUST take note of the source port and use that as the
-     destination port in the response.  Responses MUST always be sent
-     from the port to which they were directed.
-
-[c]  Responders MUST respond to LLMNR queries for names and addresses
-     they are authoritative for.  This applies to both forward and
-     reverse lookups, with the exception of queries with the 'C' bit
-     set, which do not elicit a response.
-
-[d]  Responders MUST NOT respond to LLMNR queries for names they are not
-     authoritative for.
-
-[e]  Responders MUST NOT respond using data from the LLMNR or DNS
-     resolver cache.
-
-[f]  If a DNS server is running on a host that supports LLMNR, the DNS
-     server MUST respond to LLMNR queries only for the RRSets relating
-     to the host on which the server is running, but MUST NOT respond
-     for other records for which the server is authoritative.  DNS
-     servers also MUST NOT send LLMNR queries in order to resolve DNS
-     queries.
-
-[g]  If a responder is authoritative for a name, it MUST respond with
-     RCODE=0 and an empty answer section, if the type of query does not
-     match a RR that the responder has.
-
-   As an example, a host configured to respond to LLMNR queries for the
-   name "foo.example.com."  is authoritative for the name
-   "foo.example.com.".  On receiving an LLMNR query for an A RR with the
-   name "foo.example.com." the host authoritatively responds with A
-   RR(s) that contain IP address(es) in the RDATA of the resource
-   record.  If the responder has a AAAA RR, but no A RR, and an A RR
-   query is received, the responder would respond with RCODE=0 and an
-   empty answer section.
-
-   In conventional DNS terminology a DNS server authoritative for a zone
-   is authoritative for all the domain names under the zone apex except
-   for the branches delegated into separate zones.  Contrary to
-   conventional DNS terminology, an LLMNR responder is authoritative
-   only for the zone apex.
-
-
-
-Aboba, Thaler & Esibov       Standards Track                   [Page 11]
-
-
-
-
-
-INTERNET-DRAFT                    LLMNR                   29 August 2005
-
-
-   For example the host "foo.example.com." is not authoritative for the
-   name "child.foo.example.com." unless the host is configured with
-   multiple names, including "foo.example.com."  and
-   "child.foo.example.com.".  As a result, "foo.example.com." cannot
-   reply to an LLMNR query for "child.foo.example.com." with RCODE=3
-   (authoritative name error).  The purpose of limiting the name
-   authority scope of a responder is to prevent complications that could
-   be caused by coexistence of two or more hosts with the names
-   representing child and parent (or grandparent) nodes in the DNS tree,
-   for example, "foo.example.com." and "child.foo.example.com.".
-
-   Without the restriction on authority an LLMNR query for an A resource
-   record for the name "child.foo.example.com." would result in two
-   authoritative responses: RCODE=3 (authoritative name error) received
-   from "foo.example.com.", and a requested A record - from
-   "child.foo.example.com.".  To prevent this ambiguity, LLMNR enabled
-   hosts could perform a dynamic update of the parent (or grandparent)
-   zone with a delegation to a child zone;  for example a host
-   "child.foo.example.com." could send a dynamic update for the NS and
-   glue A record to "foo.example.com.".  However, this approach
-   significantly complicates implementation of LLMNR and would not be
-   acceptable for lightweight hosts.
-
-2.4.  Unicast Queries and Responses
-
-   Unicast queries SHOULD be sent when:
-
-   [a] A sender repeats a query after it received a response
-       with the TC bit set to the previous LLMNR multicast query, or
-
-   [b] The sender queries for a PTR RR of a fully formed IP address
-       within the "in-addr.arpa" or "ip6.arpa" zones.
-
-   Unicast LLMNR queries MUST be done using TCP and the responses MUST
-   be sent using the same TCP connection as the query.  Senders MUST
-   support sending TCP queries, and responders MUST support listening
-   for TCP queries. If the sender of a TCP query receives a response to
-   that query not using TCP, the response MUST be silently discarded.
-
-   Unicast UDP queries MUST be silently discarded.
-
-   If TCP connection setup cannot be completed in order to send a
-   unicast TCP query, this is treated as a response that no records of
-   the specified type and class exist for the specified name (it is
-   treated the same as a response with RCODE=0 and an empty answer
-   section).
-
-
-
-
-
-Aboba, Thaler & Esibov       Standards Track                   [Page 12]
-
-
-
-
-
-INTERNET-DRAFT                    LLMNR                   29 August 2005
-
-
-2.5.  "Off link" Detection
-
-   A sender MUST select a source address for LLMNR queries that is
-   assigned on the interface on which the query is sent.  The
-   destination address of an LLMNR query MUST be a link-scope multicast
-   address or a unicast address.
-
-   A responder MUST select a source address for responses that is
-   assigned on the interface on which the query was received.  The
-   destination address of an LLMNR response MUST be a unicast address.
-
-   On receiving an LLMNR query, the responder MUST check whether it was
-   sent to a LLMNR multicast addresses defined in Section 2.  If it was
-   sent to another multicast address, then the query MUST be silently
-   discarded.
-
-   Section 2.4 discusses use of TCP for LLMNR queries and responses.  In
-   composing an LLMNR query using TCP, the sender MUST set the Hop Limit
-   field in the IPv6 header and the TTL field in the IPv4 header of the
-   response to one (1).  The responder SHOULD set the TTL or Hop Limit
-   settings on the TCP listen socket to one (1) so that SYN-ACK packets
-   will have TTL (IPv4) or Hop Limit (IPv6) set to one (1). This
-   prevents an incoming connection from off-link since the sender will
-   not receive a SYN-ACK from the responder.
-
-   For UDP queries and responses, the Hop Limit field in the IPv6 header
-   and the TTL field in the IPV4 header MAY be set to any value.
-   However, it is RECOMMENDED that the value 255 be used for
-   compatibility with Apple Bonjour [Bonjour].
-
-   Implementation note:
-
-      In the sockets API for IPv4 [POSIX], the IP_TTL and
-      IP_MULTICAST_TTL socket options are used to set the TTL of
-      outgoing unicast and multicast packets. The IP_RECVTTL socket
-      option is available on some platforms to retrieve the IPv4 TTL of
-      received packets with recvmsg().  [RFC2292] specifies similar
-      options for setting and retrieving the IPv6 Hop Limit.
-
-2.6.  Responder Responsibilities
-
-   It is the responsibility of the responder to ensure that RRs returned
-   in LLMNR responses MUST only include values that are valid on the
-   local interface, such as IPv4 or IPv6 addresses valid on the local
-   link or names defended using the mechanism described in Section 4.
-   IPv4 Link-Local addresses are defined in [RFC3927].  IPv6 Link-Local
-   addresses are defined in [RFC2373].  In particular:
-
-
-
-
-Aboba, Thaler & Esibov       Standards Track                   [Page 13]
-
-
-
-
-
-INTERNET-DRAFT                    LLMNR                   29 August 2005
-
-
-   [a] If a link-scope IPv6 address is returned in a AAAA RR,
-       that address MUST be valid on the local link over which
-       LLMNR is used.
-
-   [b] If an IPv4 address is returned, it MUST be reachable
-       through the link over which LLMNR is used.
-
-   [c] If a name is returned (for example in a CNAME, MX
-       or SRV RR), the name MUST be resolvable on the local
-       link over which LLMNR is used.
-
-   Where multiple addresses represent valid responses to a query, the
-   order in which the addresses are returned is as follows:
-
-   [d] If the source address of the query is a link-scope address,
-       then the responder SHOULD include a link-scope address first
-       in the response, if available.
-
-   [e] If the source address of the query is a routable address,
-       then the responder MUST include a routable address first
-       in the response, if available.
-
-2.7.  Retransmission and Jitter
-
-   An LLMNR sender uses the timeout interval LLMNR_TIMEOUT to determine
-   when to retransmit an LLMNR query.  An LLMNR sender SHOULD either
-   estimate the LLMNR_TIMEOUT for each interface, or set a reasonably
-   high initial timeout.  Suggested constants are described in Section
-   7.
-
-   If an LLMNR query sent over UDP is not resolved within LLMNR_TIMEOUT,
-   then a sender SHOULD repeat the transmission of the query in order to
-   assure that it was received by a host capable of responding to it,
-   while increasing the value of LLMNR_TIMEOUT exponentially.  An LLMNR
-   query SHOULD NOT be sent more than three times.
-
-   Where LLMNR queries are sent using TCP, retransmission is handled by
-   the transport layer.  Queries with the 'C' bit set MUST be sent using
-   multicast UDP and MUST NOT be retransmitted.
-
-   An LLMNR sender cannot know in advance if a query sent using
-   multicast will receive no response, one response, or more than one
-   response.  An LLMNR sender MUST wait for LLMNR_TIMEOUT if no response
-   has been received, or if it is necessary to collect all potential
-   responses, such as if a uniqueness verification query is being made.
-   Otherwise an LLMNR sender SHOULD consider a multicast query answered
-   after the first response is received, if that response has the 'C'
-   bit clear.
-
-
-
-Aboba, Thaler & Esibov       Standards Track                   [Page 14]
-
-
-
-
-
-INTERNET-DRAFT                    LLMNR                   29 August 2005
-
-
-   However, if the first response has the 'C' bit set, then the sender
-   SHOULD wait for LLMNR_TIMEOUT in order to collect all possible
-   responses.  When multiple valid answers are received, they may first
-   be concatenated, and then treated in the same manner that multiple
-   RRs received from the same DNS server would.  A unicast query sender
-   considers the query answered after the first response is received, so
-   that it only waits for LLMNR_TIMEOUT if no response has been
-   received.
-
-   Since it is possible for a response with the 'C' bit clear to be
-   followed by a response with the 'C' bit set, an LLMNR sender SHOULD
-   be prepared to process additional responses for the purposes of
-   conflict detection and LLMNR_TIMEOUT estimation, even after it has
-   considered a query answered.
-
-   In order to avoid synchronization, the transmission of each LLMNR
-   query and response SHOULD delayed by a time randomly selected from
-   the interval 0 to JITTER_INTERVAL. This delay MAY be avoided by
-   responders responding with names which they have previously
-   determined to be UNIQUE (see Section 4 for details).
-
-2.8.  DNS TTL
-
-   The responder should insert a pre-configured TTL value in the records
-   returned in an LLMNR response.  A default value of 30 seconds is
-   RECOMMENDED.  In highly dynamic environments (such as mobile ad-hoc
-   networks), the TTL value may need to be reduced.
-
-   Due to the TTL minimalization necessary when caching an RRset, all
-   TTLs in an RRset MUST be set to the same value.
-
-2.9.  Use of the Authority and Additional Sections
-
-   Unlike the DNS, LLMNR is a peer-to-peer protocol and does not have a
-   concept of delegation.  In LLMNR, the NS resource record type may be
-   stored and queried for like any other type, but it has no special
-   delegation semantics as it does in the DNS.  Responders MAY have NS
-   records associated with the names for which they are authoritative,
-   but they SHOULD NOT include these NS records in the authority
-   sections of responses.
-
-   Responders SHOULD insert an SOA record into the authority section of
-   a negative response, to facilitate negative caching as specified in
-   [RFC2308]. The TTL of this record is set from the minimum of the
-   MINIMUM field of the SOA record and the TTL of the SOA itself, and
-   indicates how long a resolver may cache the negative answer.  The
-   owner name of the SOA record (MNAME) MUST be set to the query name.
-   The RNAME, SERIAL, REFRESH, RETRY and EXPIRE values MUST be ignored
-
-
-
-Aboba, Thaler & Esibov       Standards Track                   [Page 15]
-
-
-
-
-
-INTERNET-DRAFT                    LLMNR                   29 August 2005
-
-
-   by senders.  Negative responses without SOA records SHOULD NOT be
-   cached.
-
-   In LLMNR, the additional section is primarily intended for use by
-   EDNS0, TSIG and SIG(0).  As a result, unless the 'C' bit is set,
-   senders MAY only include pseudo RR-types in the additional section of
-   a query; unless the 'C' bit is set, responders MUST ignore the
-   additional section of queries containing other RR types.
-
-   In queries where the 'C' bit is set, the sender SHOULD include the
-   conflicting RRs in the additional section.  Since conflict
-   notifications are advisory, responders SHOULD log information from
-   the additional section, but otherwise MUST ignore the additional
-   section.
-
-   Senders MUST NOT cache RRs from the authority or additional section
-   of a response as answers, though they may be used for other purposes
-   such as negative caching.
-
-3.  Usage Model
-
-   Since LLMNR is a secondary name resolution mechanism, its usage is in
-   part determined by the behavior of DNS implementations.  This
-   document does not specify any changes to DNS resolver behavior, such
-   as searchlist processing or retransmission/failover policy.  However,
-   robust DNS resolver implementations are more likely to avoid
-   unnecessary LLMNR queries.
-
-   As noted in [DNSPerf], even when DNS servers are configured, a
-   significant fraction of DNS queries do not receive a response, or
-   result in negative responses due to missing inverse mappings or NS
-   records that point to nonexistent or inappropriate hosts.  This has
-   the potential to result in a large number of unnecessary LLMNR
-   queries.
-
-   [RFC1536] describes common DNS implementation errors and fixes.  If
-   the proposed fixes are implemented, unnecessary LLMNR queries will be
-   reduced substantially, and so implementation of [RFC1536] is
-   recommended.
-
-   For example, [RFC1536] Section 1 describes issues with retransmission
-   and recommends implementation of a retransmission policy based on
-   round trip estimates, with exponential backoff.  [RFC1536] Section 4
-   describes issues with failover, and recommends that resolvers try
-   another server when they don't receive a response to a query.  These
-   policies are likely to avoid unnecessary LLMNR queries.
-
-   [RFC1536] Section 3 describes zero answer bugs, which if addressed
-
-
-
-Aboba, Thaler & Esibov       Standards Track                   [Page 16]
-
-
-
-
-
-INTERNET-DRAFT                    LLMNR                   29 August 2005
-
-
-   will also reduce unnecessary LLMNR queries.
-
-   [RFC1536] Section 6 describes name error bugs and recommended
-   searchlist processing that will reduce unnecessary RCODE=3
-   (authoritative name) errors, thereby also reducing unnecessary LLMNR
-   queries.
-
-3.1.  LLMNR Configuration
-
-   Since IPv4 and IPv6 utilize distinct configuration mechanisms, it is
-   possible for a dual stack host to be configured with the address of a
-   DNS server over IPv4, while remaining unconfigured with a DNS server
-   suitable for use over IPv6.
-
-   In these situations, a dual stack host will send AAAA queries to the
-   configured DNS server over IPv4.  However, an IPv6-only host
-   unconfigured with a DNS server suitable for use over IPv6 will be
-   unable to resolve names using DNS.  Automatic IPv6 DNS configuration
-   mechanisms (such as [RFC3315] and [DNSDisc]) are not yet widely
-   deployed, and not all DNS servers support IPv6.  Therefore lack of
-   IPv6 DNS configuration may be a common problem in the short term, and
-   LLMNR may prove useful in enabling link-local name resolution over
-   IPv6.
-
-   Where a DHCPv4 server is available but not a DHCPv6 server [RFC3315],
-   IPv6-only hosts may not be configured with a DNS server.  Where there
-   is no DNS server authoritative for the name of a host or the
-   authoritative DNS server does not support dynamic client update over
-   IPv6 or DHCPv6-based dynamic update, then an IPv6-only host will not
-   be able to do DNS dynamic update, and other hosts will not be able to
-   resolve its name.
-
-   For example, if the configured DNS server responds to a AAAA RR query
-   sent over IPv4 or IPv6 with an authoritative name error (RCODE=3) or
-   RCODE=0 and an empty answer section, then a AAAA RR query sent using
-   LLMNR over IPv6 may be successful in resolving the name of an
-   IPv6-only host on the local link.
-
-   Similarly, if a DHCPv4 server is available providing DNS server
-   configuration, and DNS server(s) exist which are authoritative for
-   the A RRs of local hosts and support either dynamic client update
-   over IPv4 or DHCPv4-based dynamic update, then the names of local
-   IPv4 hosts can be resolved over IPv4 without LLMNR.  However,  if no
-   DNS server is authoritative for the names of local hosts, or the
-   authoritative DNS server(s) do not support dynamic update, then LLMNR
-   enables linklocal name resolution over IPv4.
-
-   Where DHCPv4 or DHCPv6 is implemented, DHCP options can be used to
-
-
-
-Aboba, Thaler & Esibov       Standards Track                   [Page 17]
-
-
-
-
-
-INTERNET-DRAFT                    LLMNR                   29 August 2005
-
-
-   configure LLMNR on an interface.  The LLMNR Enable Option, described
-   in [LLMNREnable], can be used to explicitly enable or disable use of
-   LLMNR on an interface.  The LLMNR Enable Option does not determine
-   whether or in which order DNS itself is used for name resolution.
-   The order in which various name resolution mechanisms should be used
-   can be specified using the Name Service Search Option (NSSO) for DHCP
-   [RFC2937], using the LLMNR Enable Option code carried in the NSSO
-   data.
-
-   It is possible that DNS configuration mechanisms will go in and out
-   of service.  In these circumstances, it is possible for hosts within
-   an administrative domain to be inconsistent in their DNS
-   configuration.
-
-   For example, where DHCP is used for configuring DNS servers, one or
-   more DHCP servers can fail.  As a result, hosts configured prior to
-   the outage will be configured with a DNS server, while hosts
-   configured after the outage will not.  Alternatively, it is possible
-   for the DNS configuration mechanism to continue functioning while
-   configured DNS servers fail.
-
-   An outage in the DNS configuration mechanism may result in hosts
-   continuing to use LLMNR even once the outage is repaired.  Since
-   LLMNR only enables linklocal name resolution, this represents a
-   degradation in capabilities.  As a result, hosts without a configured
-   DNS server may wish to periodically attempt to obtain DNS
-   configuration if permitted by the configuration mechanism in use.  In
-   the absence of other guidance, a default retry interval of one (1)
-   minute is RECOMMENDED.
-
-4.  Conflict Resolution
-
-   By default, a responder SHOULD be configured to behave as though its
-   name is UNIQUE on each interface on which LLMNR is enabled.  However,
-   it is also possible to configure multiple responders to be
-   authoritative for the same name.  For example, multiple responders
-   MAY respond to a query for an A or AAAA type record for a cluster
-   name (assigned to multiple hosts in the cluster).
-
-   To detect duplicate use of a name, an administrator can use a name
-   resolution utility which employs LLMNR and lists both responses and
-   responders.  This would allow an administrator to diagnose behavior
-   and potentially to intervene and reconfigure LLMNR responders who
-   should not be configured to respond to the same name.
-
-
-
-
-
-
-
-Aboba, Thaler & Esibov       Standards Track                   [Page 18]
-
-
-
-
-
-INTERNET-DRAFT                    LLMNR                   29 August 2005
-
-
-4.1.  Uniqueness Verification
-
-   Prior to sending an LLMNR response with the 'T' bit clear, a
-   responder configured with a UNIQUE name MUST verify that there is no
-   other host within the scope of LLMNR query propagation that is
-   authoritative for the same name on that interface.
-
-   Once a responder has verified that its name is UNIQUE, if it receives
-   an LLMNR query for that name, with the 'C' bit clear, it MUST
-   respond, with the 'T' bit clear. Prior to verifying that its name is
-   UNIQUE, a responder MUST set the 'T' bit in responses.
-
-   Uniqueness verification is carried out when the host:
-
-     - starts up or is rebooted
-     - wakes from sleep (if the network interface was inactive
-       during sleep)
-     - is configured to respond to LLMNR queries on an interface
-       enabled for transmission and reception of IP traffic
-     - is configured to respond to LLMNR queries using additional
-       UNIQUE resource records
-     - verifies the acquisition of a new IP address and configuration
-       on an interface
-
-   To verify uniqueness, a responder MUST send an LLMNR query with the
-   'C' bit clear, over all protocols on which it responds to LLMNR
-   queries (IPv4 and/or IPv6).  It is RECOMMENDED that responders verify
-   uniqueness of a name by sending a query for the name with type='ANY'.
-
-   If no response is received, the sender retransmits the query, as
-   specified in Section 2.7.  If a response is received, the sender MUST
-   check if the source address matches the address of any of its
-   interfaces; if so, then the response is not considered a conflict,
-   since it originates from the sender.  To avoid triggering conflict
-   detection, a responder that detects that it is connected to the same
-   link on multiple interfaces SHOULD set the 'C' bit in responses.
-
-   If a response is received with the 'T' bit clear, the responder MUST
-   NOT use the name in response to LLMNR queries received over any
-   protocol (IPv4 or IPv6).  If a response is received with the 'T' bit
-   set, the responder MUST check if the source IP address in the
-   response, interpreted as an unsigned integer, is less than the source
-   IP address in the query.  If so, the responder MUST NOT use the name
-   in response to LLMNR queries received over any protocol (IPv4 or
-   IPv6).  For the purpose of uniqueness verification, the contents of
-   the answer section in a response is irrelevant.
-
-   Periodically carrying out uniqueness verification in an attempt to
-
-
-
-Aboba, Thaler & Esibov       Standards Track                   [Page 19]
-
-
-
-
-
-INTERNET-DRAFT                    LLMNR                   29 August 2005
-
-
-   detect name conflicts is not necessary, wastes network bandwidth, and
-   may actually be detrimental.  For example, if network links are
-   joined only briefly, and are separated again before any new
-   communication is initiated, temporary conflicts are benign and no
-   forced reconfiguration is required.  LLMNR responders SHOULD NOT
-   periodically attempt uniqueness verification.
-
-4.2.  Conflict Detection and Defense
-
-   Hosts on disjoint network links may configure the same name for use
-   with LLMNR.  If these separate network links are later joined or
-   bridged together, then there may be multiple hosts which are now on
-   the same link, trying to use the same name.
-
-   In order to enable ongoing detection of name conflicts, when an LLMNR
-   sender receives multiple LLMNR responses to a query, it MUST check if
-   the 'C' bit is clear in any of the responses.  If so, the sender
-   SHOULD send another query for the same name, type and class, this
-   time with the 'C' bit set, with the potentially conflicting resource
-   records included in the additional section.
-
-   Queries with the 'C' bit set are considered advisory and responders
-   MUST verify the existence of a conflict before acting on it.  A
-   responder receiving a query with the 'C' bit set MUST NOT respond.
-
-   If the query is for a UNIQUE name, then the responder MUST send its
-   own query for the same name, type and class, with the 'C' bit clear.
-   If a response is received, the sender MUST check if the source
-   address matches the address of any of its interfaces; if so, then the
-   response is not considered a conflict, since it originates from the
-   sender.  To avoid triggering conflict detection, a responder that
-   detects that it is connected to the same link on multiple interfaces
-   SHOULD set the 'C' bit in responses.
-
-   An LLMNR responder MUST NOT ignore conflicts once detected and SHOULD
-   log them.  Upon detecting a conflict, an LLMNR responder MUST
-   immediately stop using the conflicting name in response to LLMNR
-   queries received over any supported protocol, if the source IP
-   address in the response, interpreted as an unsigned integer, is less
-   than the source IP address in the uniqueness verification query.
-
-   After stopping the use of a name, the responder MAY elect to
-   configure a new name.  However, since name reconfiguration may be
-   disruptive, this is not required, and a responder may have been
-   configured to respond to multiple names so that alternative names may
-   already be available.  A host that has stopped the use of a name may
-   attempt uniqueness verification again after the expiration of the TTL
-   of the conflicting response.
-
-
-
-Aboba, Thaler & Esibov       Standards Track                   [Page 20]
-
-
-
-
-
-INTERNET-DRAFT                    LLMNR                   29 August 2005
-
-
-4.3.  Considerations for Multiple Interfaces
-
-   A multi-homed host may elect to configure LLMNR on only one of its
-   active interfaces.  In many situations this will be adequate.
-   However, should a host need to configure LLMNR on more than one of
-   its active interfaces, there are some additional precautions it MUST
-   take.  Implementers who are not planning to support LLMNR on multiple
-   interfaces simultaneously may skip this section.
-
-   Where a host is configured to issue LLMNR queries on more than one
-   interface, each interface maintains its own independent LLMNR
-   resolver cache, containing the responses to LLMNR queries.
-
-   A multi-homed host checks the uniqueness of UNIQUE records as
-   described in Section 4.  The situation is illustrated in figure 1.
-
-        ----------  ----------
-         |      |    |      |
-        [A]    [myhost]   [myhost]
-
-      Figure 1.  Link-scope name conflict
-
-   In this situation, the multi-homed myhost will probe for, and defend,
-   its host name on both interfaces.  A conflict will be detected on one
-   interface, but not the other.  The multi-homed myhost will not be
-   able to respond with a host RR for "myhost" on the interface on the
-   right (see Figure 1).  The multi-homed host may, however, be
-   configured to use the "myhost" name on the interface on the left.
-
-   Since names are only unique per-link, hosts on different links could
-   be using the same name.  If an LLMNR client sends requests over
-   multiple interfaces, and receives replies from more than one, the
-   result returned to the client is defined by the implementation.  The
-   situation is illustrated in figure 2.
-
-        ----------  ----------
-         |      |    |     |
-        [A]    [myhost]   [A]
-
-
-      Figure 2.  Off-segment name conflict
-
-   If host myhost is configured to use LLMNR on both interfaces, it will
-   send LLMNR queries on both interfaces.  When host myhost sends a
-   query for the host RR for name "A" it will receive a response from
-   hosts on both interfaces.
-
-   Host myhost cannot distinguish between the situation shown in Figure
-
-
-
-Aboba, Thaler & Esibov       Standards Track                   [Page 21]
-
-
-
-
-
-INTERNET-DRAFT                    LLMNR                   29 August 2005
-
-
-   2, and that shown in Figure 3 where no conflict exists.
-
-                [A]
-               |   |
-           -----   -----
-               |   |
-              [myhost]
-
-      Figure 3.  Multiple paths to same host
-
-   This illustrates that the proposed name conflict resolution mechanism
-   does not support detection or resolution of conflicts between hosts
-   on different links.  This problem can also occur with DNS when a
-   multi-homed host is connected to two different networks with
-   separated name spaces.  It is not the intent of this document to
-   address the issue of uniqueness of names within DNS.
-
-4.4.  API Issues
-
-   [RFC2553] provides an API which can partially solve the name
-   ambiguity problem for applications written to use this API, since the
-   sockaddr_in6 structure exposes the scope within which each scoped
-   address exists, and this structure can be used for both IPv4 (using
-   v4-mapped IPv6 addresses) and IPv6 addresses.
-
-   Following the example in Figure 2, an application on 'myhost' issues
-   the request getaddrinfo("A", ...) with ai_family=AF_INET6 and
-   ai_flags=AI_ALL|AI_V4MAPPED.  LLMNR requests will be sent from both
-   interfaces and the resolver library will return a list containing
-   multiple addrinfo structures, each with an associated sockaddr_in6
-   structure.  This list will thus contain the IPv4 and IPv6 addresses
-   of both hosts responding to the name 'A'.  Link-local addresses will
-   have a sin6_scope_id value that disambiguates which interface is used
-   to reach the address.  Of course, to the application, Figures 2 and 3
-   are still indistinguishable, but this API allows the application to
-   communicate successfully with any address in the list.
-
-5.  Security Considerations
-
-   LLMNR is a peer-to-peer name resolution protocol designed for use on
-   the local link.  While LLMNR limits the vulnerability of responders
-   to off-link senders, it is possible for an off-link responder to
-   reach a sender.
-
-   In scenarios such as public "hotspots" attackers can be present on
-   the same link.  These threats are most serious in wireless networks
-   such as 802.11, since attackers on a wired network will require
-   physical access to the network, while wireless attackers may mount
-
-
-
-Aboba, Thaler & Esibov       Standards Track                   [Page 22]
-
-
-
-
-
-INTERNET-DRAFT                    LLMNR                   29 August 2005
-
-
-   attacks from a distance.  Link-layer security such as [IEEE-802.11i]
-   can be of assistance against these threats if it is available.
-
-   This section details security measures available to mitigate threats
-   from on and off-link attackers.
-
-5.1.  Denial of Service
-
-   Attackers may take advantage of LLMNR conflict detection by
-   allocating the same name, denying service to other LLMNR responders
-   and possibly allowing an attacker to receive packets destined for
-   other hosts.  By logging conflicts, LLMNR responders can provide
-   forensic evidence of these attacks.
-
-   An attacker may spoof LLMNR queries from a victim's address in order
-   to mount a denial of service attack.  Responders setting the IPv6 Hop
-   Limit or IPv4 TTL field to a value larger than one in an LLMNR UDP
-   response may be able to reach the victim across the Internet.
-
-   While LLMNR responders only respond to queries for which they are
-   authoritative and LLMNR does not provide wildcard query support, an
-   LLMNR response may be larger than the query, and an attacker can
-   generate multiple responses to a query for a name used by multiple
-   responders.  A sender may protect itself against unsolicited
-   responses by silently discarding them as rapidly as possible.
-
-5.2.  Spoofing
-
-   LLMNR is designed to prevent reception of queries sent by an off-link
-   attacker.  LLMNR requires that responders receiving UDP queries check
-   that they are sent to a link-scope multicast address.  However, it is
-   possible that some routers may not properly implement link-scope
-   multicast, or that link-scope multicast addresses may leak into the
-   multicast routing system.  To prevent successful setup of TCP
-   connections by an off-link sender, responders receiving a TCP SYN
-   reply with a TCP SYN-ACK with TTL set to one (1).
-
-   While it is difficult for an off-link attacker to send an LLMNR query
-   to a responder,  it is possible for an off-link attacker to spoof a
-   response to a query (such as an A or AAAA query for a popular
-   Internet host), and by using a TTL or Hop Limit field larger than one
-   (1), for the forged response to reach the LLMNR sender.  Since the
-   forged response will only be accepted if it contains a matching ID
-   field, choosing a pseudo-random ID field within queries provides some
-   protection against off-link responders.
-
-   Since LLMNR queries can be sent when DNS server(s) do not respond, an
-   attacker can execute a denial of service attack on the DNS server(s)
-
-
-
-Aboba, Thaler & Esibov       Standards Track                   [Page 23]
-
-
-
-
-
-INTERNET-DRAFT                    LLMNR                   29 August 2005
-
-
-   and then poison the LLMNR cache by responding to an LLMNR query with
-   incorrect information.  As noted in "Threat Analysis of the Domain
-   Name System (DNS)" [RFC3833] these threats also exist with DNS, since
-   DNS response spoofing tools are available that can allow an attacker
-   to respond to a query more quickly than a distant DNS server.
-   However, while switched networks or link layer security may make it
-   difficult for an on-link attacker to snoop unicast DNS queries,
-   multicast LLMNR queries are propagated to all hosts on the link,
-   making it possible for an on-link attacker to spoof LLMNR responses
-   without having to guess the value of the ID field in the query.
-
-   Since LLMNR queries are sent and responded to on the local-link, an
-   attacker will need to respond more quickly to provide its own
-   response prior to arrival of the response from a legitimate
-   responder.   If an LLMNR query is sent for an off-link host, spoofing
-   a response in a timely way is not difficult, since a legitimate
-   response will never be received.
-
-   Limiting the situations in which LLMNR queries are sent, as described
-   in Section 2, is the best protection against these attacks.  If LLMNR
-   is given higher priority than DNS among the enabled name resolution
-   mechanisms, a denial of service attack on the DNS server would not be
-   necessary in order to poison the LLMNR cache, since LLMNR queries
-   would be sent even when the DNS server is available.  In addition,
-   the LLMNR cache, once poisoned, would take precedence over the DNS
-   cache, eliminating the benefits of cache separation.  As a result,
-   LLMNR is only used as a name resolution mechanism of last resort.
-
-5.3.  Authentication
-
-   LLMNR is a peer-to-peer name resolution protocol, and as a result,
-   it is often deployed in situations where no trust model can be
-   assumed.  This makes it difficult to apply existing DNS security
-   mechanisms to LLMNR.
-
-   LLMNR does not support "delegated trust" (CD or AD bits).  As a
-   result, unless LLMNR senders are DNSSEC aware, it is not feasible to
-   use DNSSEC [RFC4033] with LLMNR.
-
-   If authentication is desired, and a pre-arranged security
-   configuration is possible, then the following security mechanisms may
-   be used:
-
-[a]  LLMNR implementations MAY support TSIG [RFC2845] and/or SIG(0)
-     [RFC2931] security mechanisms. "DNS Name Service based on Secure
-     Multicast DNS for IPv6 Mobile Ad Hoc Networks" [LLMNRSec] describes
-     the use of TSIG to secure LLMNR responses, based on group keys.
-
-
-
-
-Aboba, Thaler & Esibov       Standards Track                   [Page 24]
-
-
-
-
-
-INTERNET-DRAFT                    LLMNR                   29 August 2005
-
-
-[b]  IPsec ESP with a null-transform MAY be used to authenticate unicast
-     LLMNR queries and responses or LLMNR responses to multicast
-     queries.  In a small network without a certificate authority, this
-     can be most easily accomplished through configuration of a group
-     pre-shared key for trusted hosts.
-
-   Where these mechanisms cannot be supported, responses to LLMNR
-   queries may be unauthenticated.
-
-5.4.  Cache and Port Separation
-
-   In order to prevent responses to LLMNR queries from polluting the DNS
-   cache, LLMNR implementations MUST use a distinct, isolated cache for
-   LLMNR on each interface.  The use of separate caches is most
-   effective when LLMNR is used as a name resolution mechanism of last
-   resort, since this minimizes the opportunities for poisoning the
-   LLMNR cache, and decreases reliance on it.
-
-   LLMNR operates on a separate port from DNS, reducing the likelihood
-   that a DNS server will unintentionally respond to an LLMNR query.
-
-6.  IANA Considerations
-
-   This specification creates one new name space:  the reserved bits in
-   the LLMNR header.  These are allocated by IETF Consensus, in
-   accordance with BCP 26 [RFC2434].
-
-   LLMNR requires allocation of port 5355 for both TCP and UDP.
-
-   LLMNR requires allocation of link-scope multicast IPv4 address
-   224.0.0.252, as well as link-scope multicast IPv6 address
-   FF02:0:0:0:0:0:1:3.
-
-7.  Constants
-
-   The following timing constants are used in this protocol; they are
-   not intended to be user configurable.
-
-      JITTER_INTERVAL      100 ms
-      LLMNR_TIMEOUT        1 second (if set statically on all interfaces)
-                           100 ms (IEEE 802 media, including IEEE 802.11)
-
-8.  References
-
-8.1.  Normative References
-
-[RFC1035] Mockapetris, P., "Domain Names - Implementation and
-          Specification", RFC 1035, November 1987.
-
-
-
-Aboba, Thaler & Esibov       Standards Track                   [Page 25]
-
-
-
-
-
-INTERNET-DRAFT                    LLMNR                   29 August 2005
-
-
-[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
-          Requirement Levels", BCP 14, RFC 2119, March 1997.
-
-[RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
-          Specification", RFC 2181, July 1997.
-
-[RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)",
-          RFC 2308, March 1998.
-
-[RFC2373] Hinden, R. and S. Deering, "IP Version 6 Addressing
-          Architecture", RFC 2373, July 1998.
-
-[RFC2434] Alvestrand, H. and T. Narten, "Guidelines for Writing an IANA
-          Considerations Section in RFCs", BCP 26, RFC 2434, October
-          1998.
-
-[RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC 2671,
-          August 1999.
-
-[RFC2845] Vixie, P., Gudmundsson, O., Eastlake, D. and B. Wellington,
-          "Secret Key Transaction Authentication for DNS (TSIG)", RFC
-          2845, May 2000.
-
-[RFC2931] Eastlake, D., "DNS Request and Transaction Signatures
-          (SIG(0)s)", RFC 2931, September 2000.
-
-8.2.  Informative References
-
-[Bonjour] Cheshire, S. and M. Krochmal, "Multicast DNS", Internet draft
-          (work in progress), draft-cheshire-dnsext-multicastdns-05.txt,
-          June 2005.
-
-[DNSPerf] Jung, J., et al., "DNS Performance and the Effectiveness of
-          Caching", IEEE/ACM Transactions on Networking, Volume 10,
-          Number 5, pp. 589, October 2002.
-
-[DNSDisc] Durand, A., Hagino, I. and D. Thaler, "Well known site local
-          unicast addresses to communicate with recursive DNS servers",
-          Internet draft (work in progress), draft-ietf-ipv6-dns-
-          discovery-07.txt, October 2002.
-
-[IEEE-802.11i]
-          Institute of Electrical and Electronics Engineers, "Supplement
-          to Standard for Telecommunications and Information Exchange
-          Between Systems - LAN/MAN Specific Requirements - Part 11:
-          Wireless LAN Medium Access Control (MAC) and Physical Layer
-          (PHY) Specifications: Specification for Enhanced Security",
-          IEEE 802.11i, July 2004.
-
-
-
-Aboba, Thaler & Esibov       Standards Track                   [Page 26]
-
-
-
-
-
-INTERNET-DRAFT                    LLMNR                   29 August 2005
-
-
-[LLMNREnable]
-          Guttman, E., "DHCP LLMNR Enable Option", Internet draft (work
-          in progress), draft-guttman-mdns-enable-02.txt, April 2002.
-
-[LLMNRSec]
-          Jeong, J., Park, J. and H. Kim, "DNS Name Service based on
-          Secure Multicast DNS for IPv6 Mobile Ad Hoc Networks", ICACT
-          2004, Phoenix Park, Korea, February 9-11, 2004.
-
-[POSIX]   IEEE Std. 1003.1-2001 Standard for Information Technology --
-          Portable Operating System Interface (POSIX). Open Group
-          Technical Standard: Base Specifications, Issue 6, December
-          2001.  ISO/IEC 9945:2002.  http://www.opengroup.org/austin
-
-[RFC1536] Kumar, A., et. al., "DNS Implementation Errors and Suggested
-          Fixes", RFC 1536, October 1993.
-
-[RFC1750] Eastlake, D., Crocker, S. and J. Schiller, "Randomness
-          Recommendations for Security", RFC 1750, December 1994.
-
-[RFC2131] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131,
-          March 1997.
-
-[RFC2292] Stevens, W. and M. Thomas, "Advanced Sockets API for IPv6",
-          RFC 2292, February 1998.
-
-[RFC2365] Meyer, D., "Administratively Scoped IP Multicast", BCP 23, RFC
-          2365, July 1998.
-
-[RFC2553] Gilligan, R., Thomson, S., Bound, J. and W. Stevens, "Basic
-          Socket Interface Extensions for IPv6", RFC 2553, March 1999.
-
-[RFC2937] Smith, C., "The Name Service Search Option for DHCP", RFC
-          2937, September 2000.
-
-[RFC3315] Droms, R., et al., "Dynamic Host Configuration Protocol for
-          IPv6 (DHCPv6)", RFC 3315, July 2003.
-
-[RFC3833] Atkins, D. and R. Austein, "Threat Analysis of the Domain Name
-          System (DNS)", RFC 3833, August 2004.
-
-[RFC3927] Cheshire, S., Aboba, B. and E. Guttman, "Dynamic Configuration
-          of Link-Local IPv4 Addresses", RFC 3927, October 2004.
-
-[RFC4033] Arends, R., Austein, R., Larson, M., Massey, D. and S. Rose,
-          "DNS Security Introduction and Requirement", RFC 4033, March
-          2005.
-
-
-
-
-Aboba, Thaler & Esibov       Standards Track                   [Page 27]
-
-
-
-
-
-INTERNET-DRAFT                    LLMNR                   29 August 2005
-
-
-Acknowledgments
-
-   This work builds upon original work done on multicast DNS by Bill
-   Manning and Bill Woodcock.  Bill Manning's work was funded under
-   DARPA grant #F30602-99-1-0523.  The authors gratefully acknowledge
-   their contribution to the current specification.  Constructive input
-   has also been received from Mark Andrews, Rob Austein, Randy Bush,
-   Stuart Cheshire, Ralph Droms, Robert Elz, James Gilroy, Olafur
-   Gudmundsson, Andreas Gustafsson, Erik Guttman, Myron Hattig,
-   Christian Huitema, Olaf Kolkman, Mika Liljeberg, Keith Moore,
-   Tomohide Nagashima, Thomas Narten, Erik Nordmark, Markku Savela, Mike
-   St. Johns, Sander Van-Valkenburg, and Brian Zill.
-
-Authors' Addresses
-
-   Bernard Aboba
-   Microsoft Corporation
-   One Microsoft Way
-   Redmond, WA 98052
-
-   Phone: +1 425 706 6605
-   EMail: bernarda@microsoft.com
-
-   Dave Thaler
-   Microsoft Corporation
-   One Microsoft Way
-   Redmond, WA 98052
-
-   Phone: +1 425 703 8835
-   EMail: dthaler@microsoft.com
-
-   Levon Esibov
-   Microsoft Corporation
-   One Microsoft Way
-   Redmond, WA 98052
-
-   EMail: levone@microsoft.com
-
-Intellectual Property Statement
-
-   The IETF takes no position regarding the validity or scope of any
-   Intellectual Property Rights or other rights that might be claimed to
-   pertain to the implementation or use of the technology described in
-   this document or the extent to which any license under such rights
-   might or might not be available; nor does it represent that it has
-   made any independent effort to identify any such rights.  Information
-   on the procedures with respect to rights in RFC documents can be
-   found in BCP 78 and BCP 79.
-
-
-
-Aboba, Thaler & Esibov       Standards Track                   [Page 28]
-
-
-
-
-
-INTERNET-DRAFT                    LLMNR                   29 August 2005
-
-
-   Copies of IPR disclosures made to the IETF Secretariat and any
-   assurances of licenses to be made available, or the result of an
-   attempt made to obtain a general license or permission for the use of
-   such proprietary rights by implementers or users of this
-   specification can be obtained from the IETF on-line IPR repository at
-   http://www.ietf.org/ipr.
-
-   The IETF invites any interested party to bring to its attention any
-   copyrights, patents or patent applications, or other proprietary
-   rights that may cover technology that may be required to implement
-   this standard.  Please address the information to the IETF at ietf-
-   ipr@ietf.org.
-
-Disclaimer of Validity
-
-   This document and the information contained herein are provided on an
-   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
-   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
-   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
-   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
-   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Copyright Statement
-
-   Copyright (C) The Internet Society (2005).  This document is subject
-   to the rights, licenses and restrictions contained in BCP 78, and
-   except as set forth therein, the authors retain all their rights.
-
-Acknowledgment
-
-   Funding for the RFC Editor function is currently provided by the
-   Internet Society.
-
-Open Issues
-
-   Open issues with this specification are tracked on the following web
-   site:
-
-   http://www.drizzle.com/~aboba/DNSEXT/llmnrissues.html
-
-
-
-
-
-
-
-
-
-
-
-Aboba, Thaler & Esibov       Standards Track                   [Page 29]
-
-
diff --git a/doc/draft/draft-ietf-dnsext-nsec-rdata-05.txt b/doc/draft/draft-ietf-dnsext-nsec-rdata-05.txt
new file mode 100644
index 00000000..acdf4581
--- /dev/null
+++ b/doc/draft/draft-ietf-dnsext-nsec-rdata-05.txt
@@ -0,0 +1,503 @@
+
+
+DNS Extensions Working Group                            J. Schlyter, Ed.
+Internet-Draft                                            March 11, 2004
+Updates: RFC 2535, RFC TCR
+Expires: September 9, 2004
+
+
+                        DNSSEC NSEC RDATA Format
+                  draft-ietf-dnsext-nsec-rdata-05.txt
+
+Status of this Memo
+
+   This document is an Internet-Draft and is in full conformance with
+   all provisions of Section 10 of RFC2026.
+
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF), its areas, and its working groups. Note that other
+   groups may also distribute working documents as Internet-Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time. It is inappropriate to use Internet-Drafts as reference
+   material or to cite them other than as "work in progress."
+
+   The list of current Internet-Drafts can be accessed at http://
+   www.ietf.org/ietf/1id-abstracts.txt.
+
+   The list of Internet-Draft Shadow Directories can be accessed at
+   http://www.ietf.org/shadow.html.
+
+   This Internet-Draft will expire on September 9, 2004.
+
+Copyright Notice
+
+   Copyright (C) The Internet Society (2004). All Rights Reserved.
+
+Abstract
+
+   This document redefines the wire format of the "Type Bit Map" field
+   in the NSEC resource record RDATA format to cover the full RR type
+   space.
+
+
+
+
+
+
+
+
+
+
+
+Schlyter               Expires September 9, 2004                [Page 1]
+
+Internet-Draft          DNSSEC NSEC RDATA Format              March 2004
+
+
+Table of Contents
+
+   1.    Introduction . . . . . . . . . . . . . . . . . . . . . . . .  3
+   2.    The NSEC Resource Record . . . . . . . . . . . . . . . . . .  3
+   2.1   NSEC RDATA Wire Format . . . . . . . . . . . . . . . . . . .  4
+   2.1.1 The Next Domain Name Field . . . . . . . . . . . . . . . . .  4
+   2.1.2 The List of Type Bit Map(s) Field  . . . . . . . . . . . . .  4
+   2.1.3 Inclusion of Wildcard Names in NSEC RDATA  . . . . . . . . .  5
+   2.2   The NSEC RR Presentation Format  . . . . . . . . . . . . . .  5
+   2.3   NSEC RR Example  . . . . . . . . . . . . . . . . . . . . . .  6
+   3.    IANA Considerations  . . . . . . . . . . . . . . . . . . . .  6
+   4.    Security Considerations  . . . . . . . . . . . . . . . . . .  6
+         Normative References . . . . . . . . . . . . . . . . . . . .  6
+         Informational References . . . . . . . . . . . . . . . . . .  7
+         Author's Address . . . . . . . . . . . . . . . . . . . . . .  7
+   A.    Acknowledgements . . . . . . . . . . . . . . . . . . . . . .  7
+         Intellectual Property and Copyright Statements . . . . . . .  8
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Schlyter               Expires September 9, 2004                [Page 2]
+
+Internet-Draft          DNSSEC NSEC RDATA Format              March 2004
+
+
+1. Introduction
+
+   The NSEC [6] Resource Record (RR) is used for authenticated proof of
+   the non-existence of DNS owner names and types.  The NSEC RR is based
+   on the NXT RR as described in RFC 2535 [3], and is similar except for
+   the name and typecode. The RDATA format for the NXT RR had a
+   limitation in that, without using a yet undefined extension
+   mechanism, the the RDATA could only carry information about the
+   existence of the first 127 types.
+
+   To prevent the introduction of an extension mechanism into a deployed
+   base of DNSSEC aware servers and resolvers, once the first 127 type
+   codes are allocated, this document redefines the wire format of the
+   "Type Bit Map" field in the NSEC RDATA to cover the full RR type
+   space.
+
+   This document introduces a new format for the type bit map.  The
+   properties of the type bit map format are that it can cover the full
+   possible range of typecodes, that it is relatively economic in the
+   amount of space it uses for the common case of a few types with an
+   owner name, that it can represent owner names with all possible types
+   present in packets of approximately 8.5 kilobytes and that the
+   representation is simple to implement. Efficient searching of the
+   type bitmap for the presence of certain types is not a requirement.
+
+   For convenience and completeness this document presents the syntax
+   and semantics for the NSEC RR based on the specification in RFC 2535
+   [3] and as updated by RFC TCR [6], thereby not introducing changes
+   except for the syntax of the type bit map.
+
+   This document updates RFC 2535 [3] and RFC TCR [6].
+
+   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+   document are to be interpreted as described in RFC 2119 [1].
+
+2. The NSEC Resource Record
+
+   The NSEC resource record lists two separate things: the owner name of
+   the next RRset in the canonical ordering of the zone, and the set of
+   RR types present at the NSEC RR's owner name.  The complete set of
+   NSEC RRs in a zone both indicate which RRsets exist in a zone and
+   also form a chain of owner names in the zone.  This information is
+   used to provide authenticated denial of existence for DNS data, as
+   described in RFC 2535 [3].
+
+   The type value for the NSEC RR is 47.
+
+
+
+
+Schlyter               Expires September 9, 2004                [Page 3]
+
+Internet-Draft          DNSSEC NSEC RDATA Format              March 2004
+
+
+   The NSEC RR RDATA format is class independent and defined for all
+   classes.
+
+   The NSEC RR SHOULD have the same TTL value as the SOA minimum TTL
+   field. This is in the spirit of negative caching [2].
+
+2.1 NSEC RDATA Wire Format
+
+   The RDATA of the NSEC RR is as shown below:
+
+                        1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
+    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+   /                      Next Domain Name                         /
+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+   /                   List of Type Bit Map(s)                     /
+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+
+2.1.1 The Next Domain Name Field
+
+   The Next Domain Name field contains the owner name of the next RR in
+   the canonical ordering of the zone.  The value of the Next Domain
+   Name field in the last NSEC record in the zone is the name of the
+   zone apex (the owner name of the zone's SOA RR).
+
+   A sender MUST NOT use DNS name compression on the Next Domain Name
+   field when transmitting an NSEC RR.  A receiver which receives an
+   NSEC RR containing a compressed Next Domain Name field SHOULD
+   decompress the field value.
+
+   Owner names of RRsets not authoritative for the given zone (such as
+   glue records) MUST NOT be listed in the Next Domain Name unless at
+   least one authoritative RRset exists at the same owner name.
+
+2.1.2 The List of Type Bit Map(s) Field
+
+   The RR type space is split into 256 window blocks, each representing
+   the low-order 8 bits of the 16-bit RR type space. Each block that has
+   at least one active RR type is encoded using a single octet window
+   number (from 0 to 255), a single octet bitmap length (from 1 to 32)
+   indicating the number of octets used for the window block's bitmap,
+   and up to 32 octets (256 bits) of bitmap.
+
+   Blocks are present in the NSEC RR RDATA in increasing numerical
+   order.
+
+   "|" denotes concatenation
+
+
+
+Schlyter               Expires September 9, 2004                [Page 4]
+
+Internet-Draft          DNSSEC NSEC RDATA Format              March 2004
+
+
+   Type Bit Map(s) Field = ( Window Block # | Bitmap Length | Bitmap ) +
+
+   Each bitmap encodes the low-order 8 bits of RR types within the
+   window block, in network bit order.  The first bit is bit 0.  For
+   window block 0, bit 1 corresponds to RR type 1 (A), bit 2 corresponds
+   to RR type 2 (NS), and so forth.  For window block 1, bit 1
+   corresponds to RR type 257, bit 2 to RR type 258.  If a bit is set to
+   1, it indicates that an RRset of that type is present for the NSEC
+   RR's owner name.  If a bit is set to 0, it indicates that no RRset of
+   that type is present for the NSEC RR's owner name.
+
+   Since bit 0 in window block 0 refers to the non-existing RR type 0,
+   it MUST be set to 0.  After verification, the validator MUST ignore
+   the value of bit 0 in window block 0.
+
+   Bits representing Meta-TYPEs or QTYPEs as specified in RFC 2929 [4]
+   (section 3.1) or within the range reserved for assignment only to
+   QTYPEs and Meta-TYPEs MUST be set to 0, since they do not appear in
+   zone data.  If encountered, they must be ignored upon reading.
+
+   Blocks with no types present MUST NOT be included.  Trailing zero
+   octets in the bitmap MUST be omitted.  The length of each block's
+   bitmap is determined by the type code with the largest numerical
+   value, within that block, among the set of RR types present at the
+   NSEC RR's owner name.  Trailing zero octets not specified MUST be
+   interpretted as zero octets.
+
+2.1.3 Inclusion of Wildcard Names in NSEC RDATA
+
+   If a wildcard owner name appears in a zone, the wildcard label ("*")
+   is treated as a literal symbol and is treated the same as any other
+   owner name for purposes of generating NSEC RRs. Wildcard owner names
+   appear in the Next Domain Name field without any wildcard expansion.
+   RFC 2535 [3] describes the impact of wildcards on authenticated
+   denial of existence.
+
+2.2 The NSEC RR Presentation Format
+
+   The presentation format of the RDATA portion is as follows:
+
+   The Next Domain Name field is represented as a domain name.
+
+   The List of Type Bit Map(s) Field is represented as a sequence of RR
+   type mnemonics.  When the mnemonic is not known, the TYPE
+   representation as described in RFC 3597 [5] (section 5) MUST be used.
+
+
+
+
+
+
+Schlyter               Expires September 9, 2004                [Page 5]
+
+Internet-Draft          DNSSEC NSEC RDATA Format              March 2004
+
+
+2.3 NSEC RR Example
+
+   The following NSEC RR identifies the RRsets associated with
+   alfa.example.com. and identifies the next authoritative name after
+   alfa.example.com.
+
+   alfa.example.com. 86400 IN NSEC host.example.com. A MX RRSIG NSEC TYPE1234
+
+   The first four text fields specify the name, TTL, Class, and RR type
+   (NSEC).  The entry host.example.com. is the next authoritative name
+   after alfa.example.com. in canonical order. The A, MX, RRSIG, NSEC
+   and TYPE1234 mnemonics indicate there are A, MX, RRSIG, NSEC and
+   TYPE1234 RRsets associated with the name alfa.example.com.
+
+   The RDATA section of the NSEC RR above would be encoded as:
+
+         0x04 'h'  'o'  's'  't'
+         0x07 'e'  'x'  'a'  'm'  'p'  'l'  'e'
+         0x03 'c'  'o'  'm'  0x00
+         0x00 0x06 0x40 0x01 0x00 0x00 0x00 0x03
+         0x04 0x1b 0x00 0x00 0x00 0x00 0x00 0x00
+         0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
+         0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
+         0x00 0x00 0x00 0x00 0x20
+
+   Assuming that the resolver can authenticate this NSEC record, it
+   could be used to prove that beta.example.com does not exist, or could
+   be used to prove there is no AAAA record associated with
+   alfa.example.com.  Authenticated denial of existence is discussed in
+   RFC 2535 [3].
+
+3. IANA Considerations
+
+   This document introduces no new IANA considerations, because all of
+   the protocol parameters used in this document have already been
+   assigned by RFC TCR [6].
+
+4. Security Considerations
+
+   The update of the RDATA format and encoding does not affect the
+   security of the use of NSEC RRs.
+
+Normative References
+
+   [1]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
+        Levels", BCP 14, RFC 2119, March 1997.
+
+   [2]  Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)", RFC
+
+
+
+Schlyter               Expires September 9, 2004                [Page 6]
+
+Internet-Draft          DNSSEC NSEC RDATA Format              March 2004
+
+
+        2308, March 1998.
+
+   [3]  Eastlake, D., "Domain Name System Security Extensions", RFC
+        2535, March 1999.
+
+   [4]  Eastlake, D., Brunner-Williams, E. and B. Manning, "Domain Name
+        System (DNS) IANA Considerations", BCP 42, RFC 2929, September
+        2000.
+
+   [5]  Gustafsson, A., "Handling of Unknown DNS Resource Record (RR)
+        Types", RFC 3597, September 2003.
+
+   [6]  Weiler, S., "Legacy Resolver Compatibility for Delegation
+        Signer", draft-ietf-dnsext-dnssec-2535typecode-change-05 (work
+        in progress), October 2003.
+
+Informational References
+
+   [7]  Mockapetris, P., "Domain names - concepts and facilities", STD
+        13, RFC 1034, November 1987.
+
+   [8]  Mockapetris, P., "Domain names - implementation and
+        specification", STD 13, RFC 1035, November 1987.
+
+
+Author's Address
+
+   Jakob Schlyter (editor)
+   Karl Gustavsgatan 15
+   Goteborg  SE-411 25
+   Sweden
+
+   EMail: jakob@schlyter.se
+
+Appendix A. Acknowledgements
+
+   The encoding described in this document was initially proposed by
+   Mark Andrews.  Other encodings where proposed by David Blacka and
+   Michael Graff.
+
+
+
+
+
+
+
+
+
+
+
+
+Schlyter               Expires September 9, 2004                [Page 7]
+
+Internet-Draft          DNSSEC NSEC RDATA Format              March 2004
+
+
+Intellectual Property Statement
+
+   The IETF takes no position regarding the validity or scope of any
+   intellectual property or other rights that might be claimed to
+   pertain to the implementation or use of the technology described in
+   this document or the extent to which any license under such rights
+   might or might not be available; neither does it represent that it
+   has made any effort to identify any such rights. Information on the
+   IETF's procedures with respect to rights in standards-track and
+   standards-related documentation can be found in BCP-11. Copies of
+   claims of rights made available for publication and any assurances of
+   licenses to be made available, or the result of an attempt made to
+   obtain a general license or permission for the use of such
+   proprietary rights by implementors or users of this specification can
+   be obtained from the IETF Secretariat.
+
+   The IETF invites any interested party to bring to its attention any
+   copyrights, patents or patent applications, or other proprietary
+   rights which may cover technology that may be required to practice
+   this standard. Please address the information to the IETF Executive
+   Director.
+
+
+Full Copyright Statement
+
+   Copyright (C) The Internet Society (2004). All Rights Reserved.
+
+   This document and translations of it may be copied and furnished to
+   others, and derivative works that comment on or otherwise explain it
+   or assist in its implementation may be prepared, copied, published
+   and distributed, in whole or in part, without restriction of any
+   kind, provided that the above copyright notice and this paragraph are
+   included on all such copies and derivative works. However, this
+   document itself may not be modified in any way, such as by removing
+   the copyright notice or references to the Internet Society or other
+   Internet organizations, except as needed for the purpose of
+   developing Internet standards in which case the procedures for
+   copyrights defined in the Internet Standards process must be
+   followed, or as required to translate it into languages other than
+   English.
+
+   The limited permissions granted above are perpetual and will not be
+   revoked by the Internet Society or its successors or assignees.
+
+   This document and the information contained herein is provided on an
+   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+
+
+
+Schlyter               Expires September 9, 2004                [Page 8]
+
+Internet-Draft          DNSSEC NSEC RDATA Format              March 2004
+
+
+   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+Acknowledgment
+
+   Funding for the RFC Editor function is currently provided by the
+   Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Schlyter               Expires September 9, 2004                [Page 9]
+
diff --git a/doc/draft/draft-ietf-dnsext-nsec3-02.txt b/doc/draft/draft-ietf-dnsext-nsec3-02.txt
deleted file mode 100644
index cc3c276b..00000000
--- a/doc/draft/draft-ietf-dnsext-nsec3-02.txt
+++ /dev/null
@@ -1,2072 +0,0 @@
-
-
-
-Network Working Group                                          B. Laurie
-Internet-Draft                                                 G. Sisson
-Expires: December 3, 2005                                        Nominet
-                                                               R. Arends
-                                                    Telematica Instituut
-                                                               june 2005
-
-
-             DNSSEC Hash Authenticated Denial of Existence
-                       draft-ietf-dnsext-nsec3-02
-
-Status of this Memo
-
-   By submitting this Internet-Draft, each author represents that any
-   applicable patent or other IPR claims of which he or she is aware
-   have been or will be disclosed, and any of which he or she becomes
-   aware will be disclosed, in accordance with Section 6 of BCP 79.
-
-   Internet-Drafts are working documents of the Internet Engineering
-   Task Force (IETF), its areas, and its working groups.  Note that
-   other groups may also distribute working documents as Internet-
-   Drafts.
-
-   Internet-Drafts are draft documents valid for a maximum of six months
-   and may be updated, replaced, or obsoleted by other documents at any
-   time.  It is inappropriate to use Internet-Drafts as reference
-   material or to cite them other than as "work in progress."
-
-   The list of current Internet-Drafts can be accessed at
-   http://www.ietf.org/ietf/1id-abstracts.txt.
-
-   The list of Internet-Draft Shadow Directories can be accessed at
-   http://www.ietf.org/shadow.html.
-
-   This Internet-Draft will expire on December 3, 2005.
-
-Copyright Notice
-
-   Copyright (C) The Internet Society (2005).
-
-Abstract
-
-   The DNS Security (DNSSEC) NSEC resource record (RR) is intended to be
-   used to provide authenticated denial of existence of DNS ownernames
-   and types; however, it permits any user to traverse a zone and obtain
-   a listing of all ownernames.
-
-   A complete zone file can be used either directly as a source of
-
-
-
-Laurie, et al.          Expires December 3, 2005                [Page 1]
-
-Internet-Draft                    nsec3                        june 2005
-
-
-   probable e-mail addresses for spam, or indirectly as a key for
-   multiple WHOIS queries to reveal registrant data which many
-   registries (particularly in Europe) may be under strict legal
-   obligations to protect.  Many registries therefore prohibit copying
-   of their zone file; however the use of NSEC RRs renders policies
-   unenforceable.
-
-   This document proposes a scheme which obscures original ownernames
-   while permitting authenticated denial of existence of non-existent
-   names.  Non-authoritative delegation point NS RR types may be
-   excluded.
-
-Table of Contents
-
-   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  4
-     1.1   Rationale  . . . . . . . . . . . . . . . . . . . . . . . .  4
-     1.2   Reserved Words . . . . . . . . . . . . . . . . . . . . . .  4
-     1.3   Terminology  . . . . . . . . . . . . . . . . . . . . . . .  4
-   2.  The NSEC3 Resource Record  . . . . . . . . . . . . . . . . . .  5
-     2.1   NSEC3 RDATA Wire Format  . . . . . . . . . . . . . . . . .  5
-       2.1.1   The Authoritative Only Flag Field  . . . . . . . . . .  6
-       2.1.2   The Hash Function Field  . . . . . . . . . . . . . . .  6
-       2.1.3   The Iterations Field . . . . . . . . . . . . . . . . .  7
-       2.1.4   The Salt Length Field  . . . . . . . . . . . . . . . .  7
-       2.1.5   The Salt Field . . . . . . . . . . . . . . . . . . . .  7
-       2.1.6   The Next Hashed Ownername Field  . . . . . . . . . . .  7
-       2.1.7   The list of Type Bit Map(s) Field  . . . . . . . . . .  8
-     2.2   The NSEC3 RR Presentation Format . . . . . . . . . . . . .  9
-   3.  Creating Additional NSEC3 RRs for Empty Non Terminals  . . . .  9
-   4.  Calculation of the Hash  . . . . . . . . . . . . . . . . . . . 10
-   5.  Including NSEC3 RRs in a Zone  . . . . . . . . . . . . . . . . 10
-   6.  Special Considerations . . . . . . . . . . . . . . . . . . . . 11
-     6.1   Delegation Points  . . . . . . . . . . . . . . . . . . . . 11
-       6.1.1   Unsigned Delegations . . . . . . . . . . . . . . . . . 11
-     6.2   Proving Nonexistence . . . . . . . . . . . . . . . . . . . 12
-     6.3   Salting  . . . . . . . . . . . . . . . . . . . . . . . . . 13
-     6.4   Hash Collision . . . . . . . . . . . . . . . . . . . . . . 13
-       6.4.1   Avoiding Hash Collisions during generation . . . . . . 14
-       6.4.2   Second Preimage Requirement Analysis . . . . . . . . . 14
-       6.4.3   Possible Hash Value Truncation Method  . . . . . . . . 14
-   7.  Performance Considerations . . . . . . . . . . . . . . . . . . 15
-   8.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 15
-   9.  Security Considerations  . . . . . . . . . . . . . . . . . . . 15
-   10.   References . . . . . . . . . . . . . . . . . . . . . . . . . 16
-     10.1  Normative References . . . . . . . . . . . . . . . . . . . 16
-     10.2  Informative References . . . . . . . . . . . . . . . . . . 17
-       Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 17
-   A.  Example Zone . . . . . . . . . . . . . . . . . . . . . . . . . 18
-
-
-
-Laurie, et al.          Expires December 3, 2005                [Page 2]
-
-Internet-Draft                    nsec3                        june 2005
-
-
-   B.  Example Responses  . . . . . . . . . . . . . . . . . . . . . . 23
-     B.1   answer . . . . . . . . . . . . . . . . . . . . . . . . . . 23
-       B.1.1   Authenticating the Example DNSKEY RRset  . . . . . . . 25
-     B.2   Name Error . . . . . . . . . . . . . . . . . . . . . . . . 26
-     B.3   No Data Error  . . . . . . . . . . . . . . . . . . . . . . 28
-       B.3.1   No Data Error, Empty Non-Terminal  . . . . . . . . . . 29
-     B.4   Referral to Signed Zone  . . . . . . . . . . . . . . . . . 30
-     B.5   Referral to Unsigned Zone using Opt-In . . . . . . . . . . 31
-     B.6   Wildcard Expansion . . . . . . . . . . . . . . . . . . . . 32
-     B.7   Wildcard No Data Error . . . . . . . . . . . . . . . . . . 34
-     B.8   DS Child Zone No Data Error  . . . . . . . . . . . . . . . 35
-       Intellectual Property and Copyright Statements . . . . . . . . 37
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Laurie, et al.          Expires December 3, 2005                [Page 3]
-
-Internet-Draft                    nsec3                        june 2005
-
-
-1.  Introduction
-
-   The DNS Security Extensions (DNSSEC) introduced the NSEC Resource
-   Record (RR) for authenticated denial of existence.  This document
-   introduces a new RR as an alternative to NSEC that provides measures
-   against zone traversal and allows for gradual expansion of
-   delegation-centric zones.
-
-1.1  Rationale
-
-   The DNS Security Extensions included the NSEC RR to provide
-   authenticated denial of existence.  Though the NSEC RR meets the
-   requirements for authenticated denial of existence, it introduced a
-   side-effect in that the contents of a zone can be enumerated.  This
-   property introduces undesired policy issues.
-
-   A second problem was the requirement that the existence of all record
-   types in a zone - including delegation point NS record types - must
-   be accounted for, despite the fact that delegation point NS RRsets
-   are not authoritative and not signed.  This requirement has a side-
-   effect that the overhead of delegation-centric signed zones is not
-   related to the increase in security of subzones.  This requirement
-   does not allow delegation-centric zones size to grow in relation to
-   the growth of signed subzones.
-
-   In the past, solutions have been proposed as a measure against these
-   side effects but at the time were regarded as secondary over the need
-   to have a stable DNSSEC specification.  With (draft-vixie-dnssec-ter)
-   a graceful transition path to future enhancements is introduced,
-   while current DNSSEC deployment can continue.  This document presents
-   the NSEC3 Resource Record which mitigates these issues with the NSEC
-   RR.
-
-   The reader is assumed to be familiar with the basic DNS concepts
-   described in RFC1034 [RFC1034], RFC1035 [RFC1035] and subsequent RFCs
-   that update them:  RFC2136 [RFC2136], RFC2181 [RFC2181] and RFC2308
-   [RFC2308].
-
-1.2  Reserved Words
-
-   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
-   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
-   document are to be interpreted as described in RFC 2119 [RFC2119].
-
-1.3  Terminology
-
-   In this document the term "original ownername" refers to a standard
-   ownername.  Because this proposal uses the result of a hash function
-
-
-
-Laurie, et al.          Expires December 3, 2005                [Page 4]
-
-Internet-Draft                    nsec3                        june 2005
-
-
-   over the original (unmodified) ownername, this result is referred to
-   as "hashed ownername".
-
-   "Canonical ordering of the zone" means the order in which hashed
-   ownernames are arranged according to their numerical value, treating
-   the leftmost (lowest numbered) byte as the most significant byte.
-
-2.  The NSEC3 Resource Record
-
-   The NSEC3 RR provides Authenticated Denial of Existence for DNS
-   Resource Record Sets.
-
-   The NSEC3 Resource Record lists RR types present at the NSEC3 RR's
-   original ownername.  It includes the next hashed ownername in the
-   canonical ordering of the zone.  The complete set of NSEC3 RRs in a
-   zone indicates which RRsets exist for the original ownername of the
-   RRset and form a chain of hashed ownernames in the zone.  This
-   information is used to provide authenticated denial of existence for
-   DNS data, as described in RFC 4035 [RFC4035].  Unsigned delegation
-   point NS RRsets can optionally be excluded.  To provide protection
-   against zone traversal, the ownernames used in the NSEC3 RR are
-   cryptographic hashes of the original ownername prepended to the name
-   of the zone.  The NSEC3 RR indicates which hash function is used to
-   construct the hash, which salt is used, and how many iterations of
-   the hash function are performed over the original ownername.
-
-   The ownername for the NSEC3 RR is the base32 encoding of the hashed
-   ownername.
-
-   The type value for the NSEC3 RR is XX.
-
-   The NSEC3 RR RDATA format is class independent.
-
-   The NSEC3 RR SHOULD have the same TTL value as the SOA minimum TTL
-   field.  This is in the spirit of negative caching [RFC2308].
-
-2.1  NSEC3 RDATA Wire Format
-
-   The RDATA of the NSEC3 RR is as shown below:
-
-
-
-
-
-
-
-
-
-
-
-
-Laurie, et al.          Expires December 3, 2005                [Page 5]
-
-Internet-Draft                    nsec3                        june 2005
-
-
-                        1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
-    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   |A|Hash Function|                  Iterations                   |
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   |  Salt Length  |                     Salt                      /
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   /                     Next Hashed Ownername                     /
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   /                         Type Bit Maps                         /
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-
-
-2.1.1  The Authoritative Only Flag Field
-
-   The Authoritative Only Flag field indicates whether the Type Bit Maps
-   include delegation point NS record types.
-
-   If the flag is set to 1, the NS RR type bit for a delegation point
-   ownername SHOULD be clear when the NSEC3 RR is generated.  The NS RR
-   type bit MUST be ignored during processing of the NSEC3 RR.  The NS
-   RR type bit has no meaning in this context (it is not authoritative),
-   hence the NSEC3 does not contest the existence of a NS RRset for this
-   ownername.  When a delegation is not secured, there exist no DS RR
-   type nor any other authoritative types for this delegation, hence the
-   unsecured delegation has no NSEC3 record associated.  Please see the
-   Special Consideration section for implications for unsigned
-   delegations.
-
-   If the flag is set to 0, the NS RR type bit for a delegation point
-   ownername MUST be set if the NSEC3 covers a delegation, even though
-   the NS RR itself is not authoritative.  This implies that all
-   delegations, signed or unsigned, have an NSEC3 record associated.
-   This behaviour is identical to NSEC behaviour.
-
-2.1.2  The Hash Function Field
-
-   The Hash Function field identifies the cryptographic hash function
-   used to construct the hash-value.
-
-   This document defines Value 1 for SHA-1 and Value 127 for
-   experimental.  All other values are reserved.
-
-   On reception, a resolver MUST discard an NSEC3 RR with an unknown
-   hash function value.
-
-
-
-
-
-
-Laurie, et al.          Expires December 3, 2005                [Page 6]
-
-Internet-Draft                    nsec3                        june 2005
-
-
-2.1.3  The Iterations Field
-
-   The Iterations field defines the number of times the hash has been
-   iterated.  More iterations results in greater resiliency of the hash
-   value against dictionary attacks, but at a higher cost for both the
-   server and resolver.
-
-2.1.4  The Salt Length Field
-
-   The salt length field defines the length of the salt in octets.
-
-2.1.5  The Salt Field
-
-   The Salt field is not present when the Salt Length Field has a value
-   of 0.
-
-   The Salt field is prepended to the original ownername before hashing
-   in order to defend against precalculated dictionary attacks.
-
-   The salt is also prepended during iterations of the hash function.
-
-   Note that although it is theoretically possible to cover the entire
-   possible ownername space with different salt values, it is
-   computationally infeasible to do so, and so there MUST be at least
-   one salt which is the same for all NSEC3 records.  This means that no
-   matter what name is asked for in a query, it is guaranteed to be
-   possible to find a covering NSEC3 record.  Note that this does not
-   preclude the use of two different salts at the same time - indeed
-   this may well occur naturally, due to rolling the salt value
-   periodically.
-
-   The salt value SHOULD be changed from time to time - this is to
-   prevent the use of a precomputed dictionary to reduce the cost of
-   enumeration.
-
-2.1.6  The Next Hashed Ownername Field
-
-   The Next Hashed Ownername field contains the hash of the ownername of
-   the next RR in the canonical ordering of the hashed ownernames of the
-   zone.  The value of the Next Hashed Ownername Field in the last NSEC3
-   record in the zone is the same as the ownername of the first NSEC3 RR
-   in the zone in canonical order.
-
-   Hashed ownernames of RRsets not authoritative for the given zone
-   (such as glue records) MUST NOT be listed in the Next Hashed
-   Ownername unless at least one authoritative RRset exists at the same
-   ownername.
-
-
-
-
-Laurie, et al.          Expires December 3, 2005                [Page 7]
-
-Internet-Draft                    nsec3                        june 2005
-
-
-   Note that the Next Hashed Ownername field is not encoded, unlike the
-   NSEC3 RR's ownername.  It is the unmodified binary hash value.
-
-2.1.7  The list of Type Bit Map(s) Field
-
-   The Type Bit Maps field identifies the RRset types which exist at the
-   NSEC3 RR's ownername.
-
-   The Type bits for the NSEC3 RR and RRSIG RR MUST be set during
-   generation, and MUST be ignored during processing.
-
-   The RR type space is split into 256 window blocks, each representing
-   the low-order 8 bits of the 16-bit RR type space.  Each block that
-   has at least one active RR type is encoded using a single octet
-   window number (from 0 to 255), a single octet bitmap length (from 1
-   to 32) indicating the number of octets used for the window block's
-   bitmap, and up to 32 octets (256 bits) of bitmap.
-
-   Blocks are present in the NSEC3 RR RDATA in increasing numerical
-   order.
-
-   "|" denotes concatenation
-
-   Type Bit Map(s) Field = ( Window Block # | Bitmap Length | Bitmap ) +
-
-   Each bitmap encodes the low-order 8 bits of RR types within the
-   window block, in network bit order.  The first bit is bit 0.  For
-   window block 0, bit 1 corresponds to RR type 1 (A), bit 2 corresponds
-   to RR type 2 (NS), and so forth.  For window block 1, bit 1
-   corresponds to RR type 257, bit 2 to RR type 258.  If a bit is set to
-   1, it indicates that an RRset of that type is present for the NSEC3
-   RR's ownername.  If a bit is set to 0, it indicates that no RRset of
-   that type is present for the NSEC3 RR's ownername.
-
-   The RR type 2 (NS) is authoritative at the apex of a zone and is not
-   authoritative at delegation points.  If the Authoritative Only Flag
-   is set to 1, the delegation point NS RR type MUST NOT be included in
-   the type bit maps.  If the Authoritative Only Flag is set to 0, the
-   NS RR type at a delegation point MUST be included in the type bit
-   maps.
-
-   Since bit 0 in window block 0 refers to the non-existing RR type 0,
-   it MUST be set to 0.  After verification, the validator MUST ignore
-   the value of bit 0 in window block 0.
-
-   Bits representing Meta-TYPEs or QTYPEs as specified in RFC 2929
-   [RFC2929] (section 3.1) or within the range reserved for assignment
-   only to QTYPEs and Meta-TYPEs MUST be set to 0, since they do not
-
-
-
-Laurie, et al.          Expires December 3, 2005                [Page 8]
-
-Internet-Draft                    nsec3                        june 2005
-
-
-   appear in zone data.  If encountered, they must be ignored upon
-   reading.
-
-   Blocks with no types present MUST NOT be included.  Trailing zero
-   octets in the bitmap MUST be omitted.  The length of each block's
-   bitmap is determined by the type code with the largest numerical
-   value, within that block, among the set of RR types present at the
-   NSEC3 RR's actual ownername.  Trailing zero octets not specified MUST
-   be interpreted as zero octets.
-
-2.2  The NSEC3 RR Presentation Format
-
-   The presentation format of the RDATA portion is as follows:
-
-   The Authoritative Only Field is represented as an unsigned decimal
-   integer.  The value are either 0 or 1.
-
-   The Hash field is presented as the name of the hash or as an unsigned
-   decimal integer.  The value has a maximum of 127.
-
-   The Iterations field is presented as an unsigned decimal integer.
-
-   The Salt Length field is not presented.
-
-   The Salt field is represented as a sequence of case-insensitive
-   hexadecimal digits.  Whitespace is not allowed within the sequence.
-   The Salt Field is represented as 00 when the Salt Length field has
-   value 0.
-
-   The Next Hashed Ownername field is represented as a sequence of case-
-   insensitive base32 digits.  Whitespace is allowed within the
-   sequence.
-
-   The List of Type Bit Map(s) Field is represented as a sequence of RR
-   type mnemonics.  When the mnemonic is not known, the TYPE
-   representation as described in RFC 3597 [RFC3597] (section 5) MUST be
-   used.
-
-3.  Creating Additional NSEC3 RRs for Empty Non Terminals
-
-   In order to prove the non-existence of a record that might be covered
-   by a wildcard, it is necessary to prove the existence of its closest
-   encloser.  A closest encloser might be an Empty Non Terminal.
-
-   Additional NSEC3 RRs are synthesized which cover every existing
-   intermediate label level.  Additional NSEC3 RRs are identical in
-   format to NSEC3 RRs that cover existing RRs in the zone.  The
-   difference is that the type-bit-maps only indicate the existence of
-
-
-
-Laurie, et al.          Expires December 3, 2005                [Page 9]
-
-Internet-Draft                    nsec3                        june 2005
-
-
-   an NSEC3 RR type and an RRSIG RR type.
-
-4.  Calculation of the Hash
-
-   Define H(x) to be the hash of x using the hash function selected by
-   the NSEC3 record and || to indicate concatenation.  Then define:
-
-   IH(salt,x,0)=H(x || salt)
-
-   IH(salt,x,k)=H(IH(salt,x,k-1) || salt) if k > 0
-
-   Then the calculated hash of an ownername is
-   IH(salt,ownername,iterations-1), where the ownername is the canonical
-   form.
-
-   The canonical form of the ownername is the wire format of the
-   ownername where:
-   1.  The ownername is fully expanded (no DNS name compression) and
-       fully qualified;
-   2.  All uppercase US-ASCII letters are replaced by the corresponding
-       lowercase US-ASCII letters;
-   3.  If the ownername is a wildcard name, the ownername is in its
-       original unexpanded form, including the "*" label (no wildcard
-       substitution);
-
-5.  Including NSEC3 RRs in a Zone
-
-   Each owner name in the zone which has authoritative data or a secured
-   delegation point NS RRset MUST have an NSEC3 resource record.
-
-   An unsecured delegation point NS RRset MAY have an NSEC3 resource
-   record.  This is different from NSEC records where an unsecured
-   delegation point NS RRset MUST have an NSEC record.
-
-   The TTL value for any NSEC3 RR SHOULD be the same as the minimum TTL
-   value field in the zone SOA RR.
-
-   The type bitmap of every NSEC3 resource record in a signed zone MUST
-   indicate the presence of both the NSEC3 RR type itself and its
-   corresponding RRSIG RR type.
-
-   The bitmap for the NSEC3 RR at a delegation point requires special
-   attention.  Bits corresponding to the delegation NS RRset and any
-   RRsets for which the parent zone has authoritative data MUST be set;
-   bits corresponding to any non-NS RRset for which the parent is not
-   authoritative MUST be clear.
-
-   The following steps describe the proper construction of NSEC3
-
-
-
-Laurie, et al.          Expires December 3, 2005               [Page 10]
-
-Internet-Draft                    nsec3                        june 2005
-
-
-   records.
-   1.  For each unique original owner name in the zone, add an NSEC3
-       RRset.  This includes NSEC3 RRsets for unsigned delegation point
-       NS RRsets, unless the policy is to have Authoritative Only NSEC3
-       RRsets.  The ownername of the NSEC3 RR is the hashed equivalent
-       of the original owner name, prepended to the zone name.
-   2.  For each RRset at the original owner, set the corresponding bit
-       in the type bit map.
-   3.  If the difference in number of labels between the apex and the
-       original ownername is greater then 1, additional NSEC3s need to
-       be added for every empty non-terminal between the apex and the
-       original ownername.
-   4.  Sort the set of NSEC3 RRs.
-   5.  In each NSEC3 RR, insert the Next Hashed Ownername.  The Next
-       Hashed Ownername of the last NSEC3 in the zone contains the value
-       of the hashed ownername of the first NSEC3 in the zone.
-   6.  If the policy is to have authoritative only, set the
-       Authoritative Only bit in those NSEC3 RRs that cover unsecured
-       delegation points.
-
-6.  Special Considerations
-
-   The following paragraphs clarify specific behaviour explain special
-   considerations for implementations.
-
-6.1  Delegation Points
-
-   This proposal introduces the Authoritative Only Flag which indicates
-   whether non authoritative delegation point NS records are included in
-   the type bit Maps.  As discussed in paragraph 2.1.1, a flag value of
-   0 indicates that the interpretation of the type bit maps is identical
-   to NSEC records.
-
-   The following subsections describe behaviour when the flag value is
-   1.
-
-6.1.1  Unsigned Delegations
-
-   Delegation point NS records are not authoritative.  They are
-   authoritative in the delegated zone.  No other data exists at the
-   ownername of an unsigned delegation point.
-
-   Since no authoritative data exist at this ownername, it is excluded
-   from the NSEC3 chain.  This is an optimization, since it relieves the
-   zone of including an NSEC3 record and its associated signature for
-   this name.
-
-   An NSEC3 that denies existence of ownernames between X and X' with
-
-
-
-Laurie, et al.          Expires December 3, 2005               [Page 11]
-
-Internet-Draft                    nsec3                        june 2005
-
-
-   the Authoritative Only Flag set to 1 can not be used to prove the
-   presence or the absence of delegation point NS records for unsigned
-   delegations in the interval (X, X').  The Authoritative Only Flag
-   effectively states No Contest on the presence of delegation point NS
-   resource records.
-
-   Since proof is absent, there exists a new attack vector.  Unsigned
-   delegation point NS records can be deleted during a man in the middle
-   attack, effectively denying existence of the delegation.  This is a
-   form of Denial of Service, where the victim has no information it is
-   under attack, since all signatures are valid and the fabricated
-   response form is a known type of response.
-
-   The only possible mitigation is to either not use this method, hence
-   proving existence or absence of unsigned delegations, or to sign all
-   delegations, regardless of whether the delegated zone is signed or
-   not.
-
-   A second attack vector exists in that an adversary is able to
-   successfully fabricate an (unsigned) response claiming a nonexistent
-   delegation exists.
-
-   The only possible mitigation is to mandate the signing of all
-   delegations.
-
-6.2  Proving Nonexistence
-
-   If a wildcard resource record appears in a zone, its asterisk label
-   is treated as a literal symbol and is treated in the same way as any
-   other ownername for purposes of generating NSEC3 RRs.  RFC 4035
-   [RFC4035] describes the impact of wildcards on authenticated denial
-   of existence.
-
-   In order to prove there exist no RRs for a domain, as well as no
-   source of synthesis, an RR must be shown for the closest encloser,
-   and non-existence must be shown for all closer labels and for the
-   wildcard at the closest encloser.
-
-   This can be done as follows.  If the QNAME in the query is
-   omega.alfa.beta.example, and the closest encloser is beta.example
-   (the nearest ancestor to omega.alfa.beta.example), then the server
-   should return an NSEC3 that demonstrates the nonexistence of
-   alfa.beta.example, an NSEC3 that demonstrates the nonexistence of
-   *.beta.example, and an NSEC3 that demonstrates the existence of
-   beta.example.  This takes between one and three NSEC3 records, since
-   a single record can, by chance, prove more than one of these facts.
-
-   When a verifier checks this response, then the existence of
-
-
-
-Laurie, et al.          Expires December 3, 2005               [Page 12]
-
-Internet-Draft                    nsec3                        june 2005
-
-
-   beta.example together with the non-existence of alfa.beta.example
-   proves that the closest encloser is indeed beta.example.  The non-
-   existence of *.beta.example shows that there is no wildcard at the
-   closest encloser, and so no source of synthesis for
-   omega.alfa.beta.example.  These two facts are sufficient to satisfy
-   the resolver that the QNAME cannot be resolved.
-
-   In practice, since the NSEC3 owner and next names are hashed, if the
-   server responds with an NSEC3 for beta.example, the resolver will
-   have to try successively longer names, starting with example, moving
-   to beta.example, alfa.beta.example, and so on, until one of them
-   hashes to a value that matches the interval (but not the ownername
-   nor next owner name) of one of the returned NSEC3s (this name will be
-   alfa.beta.example).  Once it has done this, it knows the closest
-   encloser (i.e. beta.example), and can then easily check the other two
-   required proofs.
-
-   Note that it is not possible for one of the shorter names tried by
-   the resolver to be denied by one of the returned NSEC3s, since, by
-   definition, all these names exist and so cannot appear within the
-   range covered by an NSEC3.  Note, however, that the first name that
-   the resolver tries MUST be the apex of the zone, since names above
-   the apex could be denied by one of the returned NSEC3s.
-
-6.3  Salting
-
-   Augmenting original ownernames with salt before hashing increases the
-   cost of a dictionary of pre-generated hash-values.  For every bit of
-   salt, the cost of the dictionary doubles.  The NSEC3 RR can use a
-   maximum of 2040 bits of salt, multiplying the cost by 2^2040.
-
-   There MUST be a complete set of NSEC3s for the zone using the same
-   salt value.  The salt value for each NSEC3 RR MUST be equal for a
-   single version of the zone.
-
-   The salt SHOULD be changed every time the zone is resigned to prevent
-   precomputation using a single salt.
-
-6.4  Hash Collision
-
-   Hash collisions occur when different messages have the same hash
-   value.  The expected number of domain names needed to give a 1 in 2
-   chance of a single collision is about 2^(n/2) for a hash of length n
-   bits (i.e. 2^80 for SHA-1).  Though this probability is extremely
-   low, the following paragraphs deal with avoiding collisions and
-   assessing possible damage in the event of an attack using hash
-   collisions.
-
-
-
-
-Laurie, et al.          Expires December 3, 2005               [Page 13]
-
-Internet-Draft                    nsec3                        june 2005
-
-
-6.4.1  Avoiding Hash Collisions during generation
-
-   During generation of NSEC3 RRs, hash values are supposedly unique.
-   In the (academic) case of a collision occurring, an alternative salt
-   SHOULD be chosen and all hash values SHOULD be regenerated.
-
-   If hash values are not regenerated on collision, the NSEC3 RR MUST
-   list all authoritative RR types that exist for both owners, to avoid
-   a replay attack, spoofing an existing type as non-existent.
-
-6.4.2  Second Preimage Requirement Analysis
-
-   A cryptographic hash function has a second-preimage resistance
-   property.  The second-preimage resistance property means that it is
-   computationally infeasible to find another message with the same hash
-   value as a given message, i.e. given preimage X, to find a second
-   preimage X' <> X such that hash(X) = hash(X').  The work factor for
-   finding a second preimage is of the order of 2^160 for SHA-1.  To
-   mount an attack using an existing NSEC3 RR, an adversary needs to
-   find a second preimage.
-
-   Assuming an adversary is capable of mounting such an extreme attack,
-   the actual damage is that a response message can be generated which
-   claims that a certain QNAME (i.e. the second pre-image) does exist,
-   while in reality QNAME does not exist (a false positive), which will
-   either cause a security aware resolver to re-query for the non-
-   existent name, or to fail the initial query.  Note that the adversary
-   can't mount this attack on an existing name but only on a name that
-   the adversary can't choose and does not yet exist.
-
-6.4.3  Possible Hash Value Truncation Method
-
-   The previous sections outlined the low probability and low impact of
-   a second-preimage attack.  When impact and probability are low, while
-   space in a DNS message is costly, truncation is tempting.  Truncation
-   might be considered to allow for shorter ownernames and rdata for
-   hashed labels.  In general, if a cryptographic hash is truncated to n
-   bits, then the expected number of domains required to give a 1 in 2
-   probability of a single collision is approximately 2^(n/2) and the
-   work factor to produce a second preimage resistance is 2^n.
-
-   An extreme hash value truncation would be truncating to the shortest
-   possible unique label value.  Considering that hash values are
-   presented in base32, which represents 5 bits per label character,
-   truncation must be done on a 5 bit boundary.  This would be unwise,
-   since the work factor to produce collisions would then approximate
-   the size of the zone.
-
-
-
-
-Laurie, et al.          Expires December 3, 2005               [Page 14]
-
-Internet-Draft                    nsec3                        june 2005
-
-
-   Though the mentioned truncation can be maximized to a certain
-   extreme, the probability of collision increases exponentially for
-   every truncated bit.  Given the low impact of hash value collisions
-   and limited space in DNS messages, the balance between truncation
-   profit and collision damage may be determined by local policy.  Of
-   course, the size of the corresponding RRSIG RR is not reduced, so
-   truncation is of limited benefit.
-
-   Truncation could be signalled simply by reducing the length of the
-   first label in the ownername.  Note that there would have to be a
-   corresponding reduction in the length of the Next Hashed Ownername
-   field.
-
-7.  Performance Considerations
-
-   Iterated hashes will obviously impose a performance penalty on both
-   authoritative servers and resolvers.  Therefore, the number of
-   iterations should be carefully chosen.  In particular it should be
-   noted that a high value for iterations gives an attacker a very good
-   denial of service attack, since the attacker need not bother to
-   verify the results of their queries, and hence has no performance
-   penalty of his own.
-
-   On the other hand, nameservers with low query rates and limited
-   bandwidth are already subject to a bandwidth based denial of service
-   attack, since responses are typically an order of magnitude larger
-   than queries, and hence these servers may choose a high value of
-   iterations in order to increase the difficulty of offline attempts to
-   enumerate their namespace without significantly increasing their
-   vulnerability to denial of service attacks.
-
-8.  IANA Considerations
-
-   IANA has to create a new registry for NSEC3 Hash Functions.  The
-   range for this registry is 0-127.  Value 0 is the identity function.
-   Value 1 is SHA-1.  Values 2-126 are Reserved For Future Use. Value
-   127 is marked as Experimental.
-
-9.  Security Considerations
-
-   The NSEC3 records are still susceptible to dictionary attacks (i.e.
-   the attacker retrieves all the NSEC3 records, then calculates the
-   hashes of all likely domain names, comparing against the hashes found
-   in the NSEC3 records, and thus enumerating the zone).  These are
-   substantially more expensive than traversing the original NSEC
-   records would have been, and in any case, such an attack could also
-   be used directly against the name server itself by performing queries
-   for all likely names, though this would obviously be more detectable.
-
-
-
-Laurie, et al.          Expires December 3, 2005               [Page 15]
-
-Internet-Draft                    nsec3                        june 2005
-
-
-   The expense of this off-line attack can be chosen by setting the
-   number of iterations in the NSEC3 RR.
-
-   High-value domains are also susceptible to a precalculated dictionary
-   attack - that is, a list of hashes for all likely names is computed
-   once, then NSEC3 is scanned periodically and compared against the
-   precomputed hashes.  This attack is prevented by changing the salt on
-   a regular basis.
-
-   Walking the NSEC3 RRs will reveal the total number of records in the
-   zone, and also what types they are.  This could be mitigated by
-   adding dummy entries, but certainly an upper limit can always be
-   found.
-
-   Hash collisions may occur.  If they do, it will be impossible to
-   prove the non-existence of the colliding domain - however, this is
-   fantastically unlikely, and, in any case, DNSSEC already relies on
-   SHA-1 to not collide.
-
-10.  References
-
-10.1  Normative References
-
-   [RFC1034]  Mockapetris, P., "Domain names - concepts and facilities",
-              STD 13, RFC 1034, November 1987.
-
-   [RFC1035]  Mockapetris, P., "Domain names - implementation and
-              specification", STD 13, RFC 1035, November 1987.
-
-   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
-              Requirement Levels", BCP 14, RFC 2119, March 1997.
-
-   [RFC2136]  Vixie, P., Thomson, S., Rekhter, Y., and J. Bound,
-              "Dynamic Updates in the Domain Name System (DNS UPDATE)",
-              RFC 2136, April 1997.
-
-   [RFC2181]  Elz, R. and R. Bush, "Clarifications to the DNS
-              Specification", RFC 2181, July 1997.
-
-   [RFC2308]  Andrews, M., "Negative Caching of DNS Queries (DNS
-              NCACHE)", RFC 2308, March 1998.
-
-   [RFC2929]  Eastlake, D., Brunner-Williams, E., and B. Manning,
-              "Domain Name System (DNS) IANA Considerations", BCP 42,
-              RFC 2929, September 2000.
-
-   [RFC3597]  Gustafsson, A., "Handling of Unknown DNS Resource Record
-              (RR) Types", RFC 3597, September 2003.
-
-
-
-Laurie, et al.          Expires December 3, 2005               [Page 16]
-
-Internet-Draft                    nsec3                        june 2005
-
-
-   [RFC4033]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
-              Rose, "DNS Security Introduction and Requirements",
-              RFC 4033, March 2005.
-
-   [RFC4034]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
-              Rose, "Resource Records for the DNS Security Extensions",
-              RFC 4034, March 2005.
-
-   [RFC4035]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
-              Rose, "Protocol Modifications for the DNS Security
-              Extensions", RFC 4035, March 2005.
-
-10.2  Informative References
-
-   [I-D.ietf-dnsext-trustupdate-threshold]
-              Ihren, J., "An In-Band Rollover Mechanism and an Out-Of-
-              Band Priming Method for DNSSEC  Trust Anchors.",
-              draft-ietf-dnsext-trustupdate-threshold-00 (work in
-              progress), October 2004.
-
-   [RFC2026]  Bradner, S., "The Internet Standards Process -- Revision
-              3", BCP 9, RFC 2026, October 1996.
-
-   [RFC2418]  Bradner, S., "IETF Working Group Guidelines and
-              Procedures", BCP 25, RFC 2418, September 1998.
-
-
-Authors' Addresses
-
-   Ben Laurie
-   Nominet
-   17 Perryn Road
-   London  W3 7LR
-   England
-
-   Phone: +44 (20) 8735 0686
-   Email: ben@algroup.co.uk
-
-
-   Geoffrey Sisson
-   Nominet
-
-
-
-
-
-
-
-
-
-
-Laurie, et al.          Expires December 3, 2005               [Page 17]
-
-Internet-Draft                    nsec3                        june 2005
-
-
-   Roy Arends
-   Telematica Instituut
-   Brouwerijstraat 1
-   7523 XC  Enschede
-   The Netherlands
-
-   Phone: +31 (53) 485 0485
-   Email: roy.arends@telin.nl
-
-Appendix A.  Example Zone
-
-   This is a zone showing its NSEC3 records.  They can also be used as
-   test vectors for the hash algorithm.
-
-
-   example.       3600 IN SOA ns1.example. bugs.x.w.example. (
-                              1
-                              3600
-                              300
-                              3600000
-                              3600 )
-                  3600 RRSIG  SOA 5 1 3600 20050712112304 (
-                              20050612112304 62699 example.
-                              RtctD6aLUU5Md5wOOItilS7JXX1tf58Ql3sK
-                              mTXkL13jqLiUFOGg0uzqRh1U9GbydS0P7M0g
-                              qYIt90txzE/4+g== )
-                  3600 NS     ns1.example.
-                  3600 NS     ns2.example.
-                  3600 RRSIG  NS 5 1 3600 20050712112304 (
-                              20050612112304 62699 example.
-                              hNyyin2JpECIFxW4vsj8RhHcWCQKUXgO+z4l
-                              m7g2zM8q3Qpsm/gYIXSF2Rhj6lAG7esR/X9d
-                              1SH5r/wfjuCg+g== )
-                  3600 MX     1 xx.example.
-                  3600 RRSIG  MX 5 1 3600 20050712112304 (
-                              20050612112304 62699 example.
-                              L/ZDLMSZJKITmSxmM9Kni37/wKQsdSg6FT0l
-                              NMm14jy2Stp91Pwp1HQ1hAMkGWAqCMEKPMtU
-                              S/o/g5C8VM6ftQ== )
-                  3600 DNSKEY 257 3 5 (
-                              AQOnsGyJvywVjYmiLbh0EwIRuWYcDiB/8blX
-                              cpkoxtpe19Oicv6Zko+8brVsTMeMOpcUeGB1
-                              zsYKWJ7BvR2894hX
-                              ) ; Key ID = 21960
-                  3600 DNSKEY 256 3 5 (
-                              AQO0gEmbZUL6xbD/xQczHbnwYnf+jQjwz/sU
-                              5k44rHTt0Ty+3aOdYoome9TjGMhwkkGby1TL
-                              ExXT48OGGdbfIme5
-
-
-
-Laurie, et al.          Expires December 3, 2005               [Page 18]
-
-Internet-Draft                    nsec3                        june 2005
-
-
-                              ) ; Key ID = 62699
-                  3600 RRSIG  DNSKEY 5 1 3600 20050712112304 (
-                              20050612112304 62699 example.
-                              e6EB+K21HbyZzoLUeRDb6+g0+n8XASYe6h+Z
-                              xtnB31sQXZgq8MBHeNFDQW9eZw2hjT9zMClx
-                              mTkunTYzqWJrmQ== )
-                  3600 RRSIG  DNSKEY 5 1 3600 20050712112304 (
-                              20050612112304 21960 example.
-                              SnWLiNWLbOuiKU/F/wVMokvcg6JVzGpQ2VUk
-                              ZbKjB9ON0t3cdc+FZbOCMnEHRJiwgqlnncik
-                              3w7ZY2UWyYIvpw== )
-   5pe7ctl7pfs2cilroy5dcofx4rcnlypd.example. 3600 NSEC3  0 1 1 (
-                              deadbeaf
-                              7nomf47k3vlidh4vxahhpp47l3tgv7a2
-                              NSEC3 RRSIG )
-                  3600 RRSIG  NSEC3 5 2 3600 20050712112304 (
-                              20050612112304 62699 example.
-                              PTWYq4WZmmtgh9UQif342HWf9DD9RuuM4ii5
-                              Z1oZQgRi5zrsoKHAgl2YXprF2Rfk1TLgsiFQ
-                              sb7KfbaUo/vzAg== )
-   7nomf47k3vlidh4vxahhpp47l3tgv7a2.example. 3600 NSEC3  0 1 1 (
-                              deadbeaf
-                              dw4o7j64wnel3j4jh7fb3c5n7w3js2yb
-                              MX NSEC3 RRSIG )
-                  3600 RRSIG  NSEC3 5 2 3600 20050712112304 (
-                              20050612112304 62699 example.
-                              YTcqole3h8EOsTT3HKnwhR1QS8borR0XtZaA
-                              ZrLsx6n0RDC1AAdZONYOvdqvcal9PmwtWjlo
-                              MEFQmc/gEuxojA== )
-   a.example.     3600 IN NS  ns1.a.example.
-                  3600 IN NS  ns2.a.example.
-                  3600 DS     58470 5 1 3079F1593EBAD6DC121E202A8B
-                              766A6A4837206C )
-                  3600 RRSIG  DS 5 2 3600 20050712112304 (
-                              20050612112304 62699 example.
-                              QavhbsSmEvJLSUzGoTpsV3SKXCpaL1UO3Ehn
-                              cB0ObBIlex/Zs9kJyG/9uW1cYYt/1wvgzmX2
-                              0kx7rGKTc3RQDA== )
-   ns1.a.example. 3600 IN A   192.0.2.5
-   ns2.a.example. 3600 IN A   192.0.2.6
-   ai.example.    3600 IN A   192.0.2.9
-                  3600 RRSIG  A 5 2 3600 20050712112304 (
-                              20050612112304 62699 example.
-                              plY5M26ED3Owe3YX0pBIhgg44j89NxUaoBrU
-                              6bLRr99HpKfFl1sIy18JiRS7evlxCETZgubq
-                              ZXW5S+1VjMZYzQ== )
-                  3600 HINFO  "KLH-10" "ITS"
-                  3600 RRSIG  HINFO 5 2 3600 20050712112304 (
-
-
-
-Laurie, et al.          Expires December 3, 2005               [Page 19]
-
-Internet-Draft                    nsec3                        june 2005
-
-
-                              20050612112304 62699 example.
-                              AR0hG/Z/e+vlRhxRQSVIFORzrJTBpdNHhwUk
-                              tiuqg+zGqKK84eIqtrqXelcE2szKnF3YPneg
-                              VGNmbgPnqDVPiA== )
-                  3600 AAAA   2001:db8:0:0:0:0:f00:baa9
-                  3600 RRSIG  AAAA 5 2 3600 20050712112304 (
-                              20050612112304 62699 example.
-                              PNF/t7+DeosEjhfuL0kmsNJvn16qhYyLI9FV
-                              ypSCorFx/PKIlEL3syomkYM2zcXVSRwUXMns
-                              l5/UqLCJJ9BDMg== )
-   b.example.     3600 IN NS  ns1.b.example.
-                  3600 IN NS  ns2.b.example.
-   ns1.b.example. 3600 IN A   192.0.2.7
-   ns2.b.example. 3600 IN A   192.0.2.8
-   dw4o7j64wnel3j4jh7fb3c5n7w3js2yb.example. 3600 NSEC3  0 1 1 (
-                              deadbeaf
-                              gmnfcccja7wkax3iv26bs75myptje3qk
-                              MX DNSKEY NS SOA NSEC3 RRSIG )
-                  3600 RRSIG  NSEC3 5 2 3600 20050712112304 (
-                              20050612112304 62699 example.
-                              VqEbXiZLJVYmo25fmO3IuHkAX155y8NuA50D
-                              C0NmJV/D4R3rLm6tsL6HB3a3f6IBw6kKEa2R
-                              MOiKMSHozVebqw== )
-   gmnfcccja7wkax3iv26bs75myptje3qk.example. 3600 NSEC3  0 1 1 (
-                              deadbeaf
-                              jt4bbfokgbmr57qx4nqucvvn7fmo6ab6
-                              DS NS NSEC3 RRSIG )
-                  3600 RRSIG  NSEC3 5 2 3600 20050712112304 (
-                              20050612112304 62699 example.
-                              ZqkdmF6eICpHyn1Cj7Yvw+nLcbji46Qpe76/
-                              ZetqdZV7K5sO3ol5dOc0dZyXDqsJp1is5StW
-                              OwQBGbOegrW/Zw== )
-   jt4bbfokgbmr57qx4nqucvvn7fmo6ab6.example. 3600 NSEC3  0 1 1 (
-                              deadbeaf
-                              kcll7fqfnisuhfekckeeqnmbbd4maanu
-                              NSEC3 RRSIG )
-                  3600 RRSIG  NSEC3 5 2 3600 20050712112304 (
-                              20050612112304 62699 example.
-                              FXyCVQUdFF1EW1NcgD2V724/It0rn3lr+30V
-                              IyjmqwOMvQ4G599InTpiH46xhX3U/FmUzHOK
-                              94Zbq3k8lgdpZA== )
-   kcll7fqfnisuhfekckeeqnmbbd4maanu.example. 3600 NSEC3  1 1 1 (
-                              deadbeaf
-                              n42hbhnjj333xdxeybycax5ufvntux5d
-                              MX NSEC3 RRSIG )
-                  3600 RRSIG  NSEC3 5 2 3600 20050712112304 (
-                              20050612112304 62699 example.
-                              d0g8MTOvVwByOAIwvYV9JrTHwJof1VhnMKuA
-
-
-
-Laurie, et al.          Expires December 3, 2005               [Page 20]
-
-Internet-Draft                    nsec3                        june 2005
-
-
-                              IBj6Xaeney86RBZYgg7Qyt9WnQSK3uCEeNpx
-                              TOLtc5jPrkL4zQ== )
-   n42hbhnjj333xdxeybycax5ufvntux5d.example. 3600 NSEC3  0 1 1 (
-                              deadbeaf
-                              nimwfwcnbeoodmsc6npv3vuaagaevxxu
-                              A NSEC3 RRSIG )
-                  3600 RRSIG  NSEC3 5 2 3600 20050712112304 (
-                              20050612112304 62699 example.
-                              MZGzllh+YFqZbY8SkHxARhXFiMDPS0tvQYyy
-                              91tj+lbl45L/BElD3xxB/LZMO8vQejYtMLHj
-                              xFPFGRIW3wKnrA== )
-   nimwfwcnbeoodmsc6npv3vuaagaevxxu.example. 3600 NSEC3  0 1 1 (
-                              deadbeaf
-                              vhgwr2qgykdkf4m6iv6vkagbxozphazr
-                              HINFO A AAAA NSEC3 RRSIG )
-                  3600 RRSIG  NSEC3 5 2 3600 20050712112304 (
-                              20050612112304 62699 example.
-                              c3zQdK68cYTHTjh1cD6pi0vblXwzyoU/m7Qx
-                              z8kaPYikbJ9vgSl9YegjZukgQSwybHUC0SYG
-                              jL33Wm1p07TBdw== )
-   ns1.example.   3600 A      192.0.2.1
-                  3600 RRSIG  A 5 2 3600 20050712112304 (
-                              20050612112304 62699 example.
-                              QLGkaqWXxRuE+MHKkMvVlswg65HcyjvD1fyb
-                              BDZpcfiMHH9w4x1eRqRamtSDTcqLfUrcYkrr
-                              nWWLepz1PjjShQ== )
-   ns2.example.   3600 A      192.0.2.2
-                  3600 RRSIG  A 5 2 3600 20050712112304 (
-                              20050612112304 62699 example.
-                              UoIZaC1O6XHRWGHBOl8XFQKPdYTkRCz6SYh3
-                              P2mZ3xfY22fLBCBDrEnOc8pGDGijJaLl26Cz
-                              AkeTJu3J3auUiA== )
-   vhgwr2qgykdkf4m6iv6vkagbxozphazr.example. 3600 NSEC3  0 1 1 (
-                              deadbeaf
-                              wbyijvpnyj33pcpi3i44ecnibnaj7eiw
-                              HINFO A AAAA NSEC3 RRSIG )
-                  3600 RRSIG  NSEC3 5 2 3600 20050712112304 (
-                              20050612112304 62699 example.
-                              leFhoF5FXZAiNOxK4OBOOA0WKdbaD5lLDT/W
-                              kLoyWnQ6WGBwsUOdsEcVmqz+1n7q9bDf8G8M
-                              5SNSHIyfpfsi6A== )
-   *.w.example.   3600 MX     1 ai.example.
-                  3600 RRSIG  MX 5 3 3600 20050712112304 (
-                              20050612112304 62699 example.
-                              sYNUPHn1/gJ87wTHNksGdRm3vfnSFa2BbofF
-                              xGfJLF5A4deRu5f0hvxhAFDCcXfIASj7z0wQ
-                              gQlgxEwhvQDEaQ== )
-   x.w.example.   3600 MX     1 xx.example.
-
-
-
-Laurie, et al.          Expires December 3, 2005               [Page 21]
-
-Internet-Draft                    nsec3                        june 2005
-
-
-                  3600 RRSIG  MX 5 3 3600 20050712112304 (
-                              20050612112304 62699 example.
-                              s1XQ/8SlViiEDik9edYs1Ooe3XiXo453Dg7w
-                              lqQoewuDzmtd6RaLNu52W44zTM1EHJES8ujP
-                              U9VazOa1KEIq1w== )
-   x.y.w.example. 3600 MX     1 xx.example.
-                  3600 RRSIG  MX 5 4 3600 20050712112304 (
-                              20050612112304 62699 example.
-                              aKVCGO/Fx9rm04UUsHRTTYaDA8o8dGfyq6t7
-                              uqAcYxU9xiXP+xNtLHBv7er6Q6f2JbOs6SGF
-                              9VrQvJjwbllAfA== )
-   wbyijvpnyj33pcpi3i44ecnibnaj7eiw.example. 3600 NSEC3  0 1 1 (
-                              deadbeaf
-                              zjxfz5o7t4ty4u3f6fa7mhhqzjln4mui
-                              A NSEC3 RRSIG )
-                  3600 RRSIG  NSEC3 5 2 3600 20050712112304 (
-                              20050612112304 62699 example.
-                              ledFAaDCqDxapQ1FvBAjjK2DP06iQj8AN6gN
-                              ZycTeSmobKLTpzbgQp8uKYYe/DPHjXYmuEhd
-                              oorBv4xkb0flXw== )
-   xx.example.    3600 A      192.0.2.10
-                  3600 RRSIG  A 5 2 3600 20050712112304 (
-                              20050612112304 62699 example.
-                              XSuMVjNxovbZUsnKU6oQDygaK+WB+O5HYQG9
-                              tJgphHIX7TM4uZggfR3pNM+4jeC8nt2OxZZj
-                              cxwCXWj82GVGdw== )
-                  3600 HINFO  "KLH-10" "TOPS-20"
-                  3600 RRSIG  HINFO 5 2 3600 20050712112304 (
-                              20050612112304 62699 example.
-                              ghS2DimOqPSacG9j6KMgXSfTMSjLxvoxvx3q
-                              OKzzPst4tEbAmocF2QX8IrSHr67m4ZLmd2Fk
-                              KMf4DgNBDj+dIQ== )
-                  3600 AAAA   2001:db8:0:0:0:0:f00:baaa
-                  3600 RRSIG  AAAA 5 2 3600 20050712112304 (
-                              20050612112304 62699 example.
-                              rto7afZkXYB17IfmQCT5QoEMMrlkeOoAGXzo
-                              w8Wmcg86Fc+MQP0hyXFScI1gYNSgSSoDMXIy
-                              rzKKwb8J04/ILw== )
-   zjxfz5o7t4ty4u3f6fa7mhhqzjln4mui.example. 3600 NSEC3  0 1 1 (
-                              deadbeaf
-                              5pe7ctl7pfs2cilroy5dcofx4rcnlypd
-                              MX NSEC3 RRSIG )
-                  3600 RRSIG  NSEC3 5 2 3600 20050712112304 (
-                              20050612112304 62699 example.
-                              eULkdWjcjmM+wXQcr7zXNfnGLgHjZSJINGkt
-                              7Zmvp7WKVAqoHMm1RXV8IfBH1aRgv5+/Lgny
-                              OcFlrPGPMm48/A== )
-
-
-
-
-Laurie, et al.          Expires December 3, 2005               [Page 22]
-
-Internet-Draft                    nsec3                        june 2005
-
-
-Appendix B.  Example Responses
-
-   The examples in this section show response messages using the signed
-   zone example in Appendix A.
-
-B.1  answer
-
-   A successful query to an authoritative server.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Laurie, et al.          Expires December 3, 2005               [Page 23]
-
-Internet-Draft                    nsec3                        june 2005
-
-
-   ;; Header: QR AA DO RCODE=0
-   ;;
-   ;; Question
-   x.w.example.        IN MX
-
-   ;; Answer
-   x.w.example.   3600 IN MX  1 xx.example.
-   x.w.example.   3600 IN RRSIG  MX 5 3 3600 20050712112304 (
-                              20050612112304 62699 example.
-                              s1XQ/8SlViiEDik9edYs1Ooe3XiXo453Dg7w
-                              lqQoewuDzmtd6RaLNu52W44zTM1EHJES8ujP
-                              U9VazOa1KEIq1w== )
-
-   ;; Authority
-   example.       3600 IN NS  ns1.example.
-   example.       3600 IN NS  ns2.example.
-   example.       3600 IN RRSIG  NS 5 1 3600 20050712112304 (
-                              20050612112304 62699 example.
-                              hNyyin2JpECIFxW4vsj8RhHcWCQKUXgO+z4l
-                              m7g2zM8q3Qpsm/gYIXSF2Rhj6lAG7esR/X9d
-                              1SH5r/wfjuCg+g== )
-
-   ;; Additional
-   xx.example.    3600 IN A   192.0.2.10
-   xx.example.    3600 IN RRSIG  A 5 2 3600 20050712112304 (
-                              20050612112304 62699 example.
-                              XSuMVjNxovbZUsnKU6oQDygaK+WB+O5HYQG9
-                              tJgphHIX7TM4uZggfR3pNM+4jeC8nt2OxZZj
-                              cxwCXWj82GVGdw== )
-   xx.example.    3600 IN AAAA   2001:db8::f00:baaa
-   xx.example.    3600 IN RRSIG  AAAA 5 2 3600 20050712112304 (
-                              20050612112304 62699 example.
-                              rto7afZkXYB17IfmQCT5QoEMMrlkeOoAGXzo
-                              w8Wmcg86Fc+MQP0hyXFScI1gYNSgSSoDMXIy
-                              rzKKwb8J04/ILw== )
-   ns1.example.   3600 IN A   192.0.2.1
-   ns1.example.   3600 IN RRSIG  A 5 2 3600 20050712112304 (
-                              20050612112304 62699 example.
-                              QLGkaqWXxRuE+MHKkMvVlswg65HcyjvD1fyb
-                              BDZpcfiMHH9w4x1eRqRamtSDTcqLfUrcYkrr
-                              nWWLepz1PjjShQ== )
-   ns2.example.   3600 IN A   192.0.2.2
-   ns2.example.   3600 IN RRSIG  A 5 2 3600 20050712112304 (
-                              20050612112304 62699 example.
-                              UoIZaC1O6XHRWGHBOl8XFQKPdYTkRCz6SYh3
-                              P2mZ3xfY22fLBCBDrEnOc8pGDGijJaLl26Cz
-                              AkeTJu3J3auUiA== )
-
-
-
-
-Laurie, et al.          Expires December 3, 2005               [Page 24]
-
-Internet-Draft                    nsec3                        june 2005
-
-
-   The query returned an MX RRset for "x.w.example".  The corresponding
-   RRSIG RR indicates that the MX RRset was signed by an "example"
-   DNSKEY with algorithm 5 and key tag 62699.  The resolver needs the
-   corresponding DNSKEY RR in order to authenticate this answer.  The
-   discussion below describes how a resolver might obtain this DNSKEY
-   RR.
-
-   The RRSIG RR indicates the original TTL of the MX RRset was 3600,
-   and, for the purpose of authentication, the current TTL is replaced
-   by 3600.  The RRSIG RR's labels field value of 3 indicates that the
-   answer was not the result of wildcard expansion.  The "x.w.example"
-   MX RRset is placed in canonical form, and, assuming the current time
-   falls between the signature inception and expiration dates, the
-   signature is authenticated.
-
-B.1.1  Authenticating the Example DNSKEY RRset
-
-   This example shows the logical authentication process that starts
-   from a configured root DNSKEY RRset (or DS RRset) and moves down the
-   tree to authenticate the desired "example" DNSKEY RRset.  Note that
-   the logical order is presented for clarity.  An implementation may
-   choose to construct the authentication as referrals are received or
-   to construct the authentication chain only after all RRsets have been
-   obtained, or in any other combination it sees fit.  The example here
-   demonstrates only the logical process and does not dictate any
-   implementation rules.
-
-   We assume the resolver starts with a configured DNSKEY RRset for the
-   root zone (or a configured DS RRset for the root zone).  The resolver
-   checks whether this configured DNSKEY RRset is present in the root
-   DNSKEY RRset (or whether a DS RR in the DS RRset matches some DNSKEY
-   RR in the root DNSKEY RRset), whether this DNSKEY RR has signed the
-   root DNSKEY RRset, and whether the signature lifetime is valid.  If
-   all these conditions are met, all keys in the DNSKEY RRset are
-   considered authenticated.  The resolver then uses one (or more) of
-   the root DNSKEY RRs to authenticate the "example" DS RRset.  Note
-   that the resolver may have to query the root zone to obtain the root
-   DNSKEY RRset or "example" DS RRset.
-
-   Once the DS RRset has been authenticated using the root DNSKEY, the
-   resolver checks the "example" DNSKEY RRset for some "example" DNSKEY
-   RR that matches one of the authenticated "example" DS RRs.  If such a
-   matching "example" DNSKEY is found, the resolver checks whether this
-   DNSKEY RR has signed the "example" DNSKEY RRset and the signature
-   lifetime is valid.  If these conditions are met, all keys in the
-   "example" DNSKEY RRset are considered authenticated.
-
-   Finally, the resolver checks that some DNSKEY RR in the "example"
-
-
-
-Laurie, et al.          Expires December 3, 2005               [Page 25]
-
-Internet-Draft                    nsec3                        june 2005
-
-
-   DNSKEY RRset uses algorithm 5 and has a key tag of 62699.  This
-   DNSKEY is used to authenticate the RRSIG included in the response.
-   If multiple "example" DNSKEY RRs match this algorithm and key tag,
-   then each DNSKEY RR is tried, and the answer is authenticated if any
-   of the matching DNSKEY RRs validate the signature as described above.
-
-B.2  Name Error
-
-   An authoritative name error.  The NSEC3 RRs prove that the name does
-   not exist and that no covering wildcard exists.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Laurie, et al.          Expires December 3, 2005               [Page 26]
-
-Internet-Draft                    nsec3                        june 2005
-
-
-   ;; Header: QR AA DO RCODE=3
-   ;;
-   ;; Question
-   a.c.x.w.example.         IN A
-
-   ;; Answer
-   ;; (empty)
-
-   ;; Authority
-   example.       3600 IN SOA ns1.example. bugs.x.w.example. (
-                              1
-                              3600
-                              300
-                              3600000
-                              3600
-                              )
-   example.       3600 IN RRSIG  SOA 5 1 3600 20050712112304 (
-                              20050612112304 62699 example.
-                              RtctD6aLUU5Md5wOOItilS7JXX1tf58Ql3sK
-                              mTXkL13jqLiUFOGg0uzqRh1U9GbydS0P7M0g
-                              qYIt90txzE/4+g== )
-   7nomf47k3vlidh4vxahhpp47l3tgv7a2.example. 3600 IN NSEC3  0 1 1 (
-                              deadbeaf
-                              dw4o7j64wnel3j4jh7fb3c5n7w3js2yb
-                              MX NSEC3 RRSIG )
-   7nomf47k3vlidh4vxahhpp47l3tgv7a2.example. 3600 IN RRSIG  NSEC3 (
-                              5 2 3600 20050712112304
-                              20050612112304 62699 example.
-                              YTcqole3h8EOsTT3HKnwhR1QS8borR0XtZaA
-                              ZrLsx6n0RDC1AAdZONYOvdqvcal9PmwtWjlo
-                              MEFQmc/gEuxojA== )
-   nimwfwcnbeoodmsc6npv3vuaagaevxxu.example. 3600 IN NSEC3  0 1 1 (
-                              deadbeaf
-                              vhgwr2qgykdkf4m6iv6vkagbxozphazr
-                              HINFO A AAAA NSEC3 RRSIG )
-   nimwfwcnbeoodmsc6npv3vuaagaevxxu.example. 3600 IN RRSIG  NSEC3 (
-                              5 2 3600 20050712112304
-                              20050612112304 62699 example.
-                              c3zQdK68cYTHTjh1cD6pi0vblXwzyoU/m7Qx
-                              z8kaPYikbJ9vgSl9YegjZukgQSwybHUC0SYG
-                              jL33Wm1p07TBdw== )
-   ;; Additional
-   ;; (empty)
-
-   The query returned two NSEC3 RRs that prove that the requested data
-   does not exist and no wildcard applies.  The negative reply is
-   authenticated by verifying both NSEC3 RRs.  The NSEC3 RRs are
-   authenticated in a manner identical to that of the MX RRset discussed
-
-
-
-Laurie, et al.          Expires December 3, 2005               [Page 27]
-
-Internet-Draft                    nsec3                        june 2005
-
-
-   above.  At least one of the owner names of the NSEC3 RRs will match
-   the closest encloser.  At least one of the NSEC3 RRs prove that there
-   exists no longer name.  At least one of the NSEC3 RRs prove that
-   there exists no wildcard RRsets that should have been expanded.  The
-   closest encloser can be found by hasing the apex ownername (The SOA
-   RR's ownername, or the ownername of the DNSKEY RRset referred by an
-   RRSIG RR), matching it to the ownername of one of the NSEC3 RRs, and
-   if that fails, continue by adding labels.
-
-   In the above example, the name 'x.w.example' hashes to
-   '7nomf47k3vlidh4vxahhpp47l3tgv7a2'.  This indicates that this might
-   be the closest encloser.  To prove that 'c.x.w.example' and
-   '*.x.w.example' do not exists, these names are hashed to respectively
-   'qsgoxsf2lanysajhtmaylde4tqwnqppl' and
-   'cvljzyf6nsckjowghch4tt3nohocpdka'.  The two NSEC3 records prove that
-   these hashed ownernames do not exists, since the names are within the
-   given intervals.
-
-B.3  No Data Error
-
-   A "no data" response.  The NSEC3 RR proves that the name exists and
-   that the requested RR type does not.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Laurie, et al.          Expires December 3, 2005               [Page 28]
-
-Internet-Draft                    nsec3                        june 2005
-
-
-   ;; Header: QR AA DO RCODE=0
-   ;;
-   ;; Question
-   ns1.example.        IN MX
-
-   ;; Answer
-   ;; (empty)
-
-   ;; Authority
-   example.       3600 IN SOA ns1.example. bugs.x.w.example. (
-                              1
-                              3600
-                              300
-                              3600000
-                              3600
-                              )
-   example.       3600 IN RRSIG  SOA 5 1 3600 20050712112304 (
-                              20050612112304 62699 example.
-                              RtctD6aLUU5Md5wOOItilS7JXX1tf58Ql3sK
-                              mTXkL13jqLiUFOGg0uzqRh1U9GbydS0P7M0g
-                              qYIt90txzE/4+g== )
-   wbyijvpnyj33pcpi3i44ecnibnaj7eiw.example. 3600 IN NSEC3  0 1 1 (
-                              deadbeaf
-                              zjxfz5o7t4ty4u3f6fa7mhhqzjln4mui
-                              A NSEC3 RRSIG )
-   wbyijvpnyj33pcpi3i44ecnibnaj7eiw.example. 3600 IN RRSIG  NSEC3 (
-                              5 2 3600 20050712112304
-                              20050612112304 62699 example.
-                              ledFAaDCqDxapQ1FvBAjjK2DP06iQj8AN6gN
-                              ZycTeSmobKLTpzbgQp8uKYYe/DPHjXYmuEhd
-                              oorBv4xkb0flXw== )
-   ;; Additional
-   ;; (empty)
-
-   The query returned an NSEC3 RR that proves that the requested name
-   exists ("ns1.example." hashes to "wbyijvpnyj33pcpi3i44ecnibnaj7eiw"),
-   but the requested RR type does not exist (type MX is absent in the
-   type code list of the NSEC RR).  The negative reply is authenticated
-   by verifying the NSEC3 RR.  The NSEC3 RR is authenticated in a manner
-   identical to that of the MX RRset discussed above.
-
-B.3.1  No Data Error, Empty Non-Terminal
-
-   A "no data" response because of an empty non-terminal.  The NSEC3 RR
-   proves that the name exists and that the requested RR type does not.
-
-
-
-
-
-
-Laurie, et al.          Expires December 3, 2005               [Page 29]
-
-Internet-Draft                    nsec3                        june 2005
-
-
-   ;; Header: QR AA DO RCODE=0
-   ;;
-   ;; Question
-   y.w.example.        IN A
-
-   ;; Answer
-   ;; (empty)
-
-   ;; Authority
-   example.       3600 IN SOA ns1.example. bugs.x.w.example. (
-                              1
-                              3600
-                              300
-                              3600000
-                              3600
-                              )
-   example.       3600 IN RRSIG  SOA 5 1 3600 20050712112304 (
-                              20050612112304 62699 example.
-                              RtctD6aLUU5Md5wOOItilS7JXX1tf58Ql3sK
-                              mTXkL13jqLiUFOGg0uzqRh1U9GbydS0P7M0g
-                              qYIt90txzE/4+g== )
-   jt4bbfokgbmr57qx4nqucvvn7fmo6ab6.example. 3600 IN NSEC3  0 1 1 (
-                              deadbeaf
-                              kcll7fqfnisuhfekckeeqnmbbd4maanu
-                              NSEC3 RRSIG )
-   jt4bbfokgbmr57qx4nqucvvn7fmo6ab6.example. 3600 IN RRSIG  NSEC3 (
-                              5 2 3600 20050712112304
-                              20050612112304 62699 example.
-                              FXyCVQUdFF1EW1NcgD2V724/It0rn3lr+30V
-                              IyjmqwOMvQ4G599InTpiH46xhX3U/FmUzHOK
-                              94Zbq3k8lgdpZA== )
-
-   The query returned an NSEC3 RR that proves that the requested name
-   exists ("y.w.example." hashes to "jt4bbfokgbmr57qx4nqucvvn7fmo6ab6"),
-   but the requested RR type does not exist (Type A is absent in the
-   type-bit-maps of the NSEC3 RR).  The negative reply is authenticated
-   by verifying the NSEC3 RR.  The NSEC3 RR is authenticated in a manner
-   identical to that of the MX RRset discussed above.  Note that, unlike
-   generic empty non terminal proof using NSECs, this is identical to
-   proving a No Data Error.  This example is solely mentioned to be
-   complete.
-
-B.4  Referral to Signed Zone
-
-   Referral to a signed zone.  The DS RR contains the data which the
-   resolver will need to validate the corresponding DNSKEY RR in the
-   child zone's apex.
-
-
-
-
-Laurie, et al.          Expires December 3, 2005               [Page 30]
-
-Internet-Draft                    nsec3                        june 2005
-
-
-   ;; Header: QR DO RCODE=0
-   ;;
-
-   ;; Question
-   mc.a.example.       IN MX
-
-   ;; Answer
-   ;; (empty)
-
-   ;; Authority
-   a.example.     3600 IN NS  ns1.a.example.
-   a.example.     3600 IN NS  ns2.a.example.
-   a.example.     3600 IN DS  58470 5 1 (
-                              3079F1593EBAD6DC121E202A8B766A6A4837
-                              206C )
-   a.example.     3600 IN RRSIG  DS 5 2 3600 20050712112304 (
-                              20050612112304 62699 example.
-                              QavhbsSmEvJLSUzGoTpsV3SKXCpaL1UO3Ehn
-                              cB0ObBIlex/Zs9kJyG/9uW1cYYt/1wvgzmX2
-                              0kx7rGKTc3RQDA== )
-
-   ;; Additional
-   ns1.a.example. 3600 IN A   192.0.2.5
-   ns2.a.example. 3600 IN A   192.0.2.6
-
-   The query returned a referral to the signed "a.example." zone.  The
-   DS RR is authenticated in a manner identical to that of the MX RRset
-   discussed above.  This DS RR is used to authenticate the "a.example"
-   DNSKEY RRset.
-
-   Once the "a.example" DS RRset has been authenticated using the
-   "example" DNSKEY, the resolver checks the "a.example" DNSKEY RRset
-   for some "a.example" DNSKEY RR that matches the DS RR.  If such a
-   matching "a.example" DNSKEY is found, the resolver checks whether
-   this DNSKEY RR has signed the "a.example" DNSKEY RRset and whether
-   the signature lifetime is valid.  If all these conditions are met,
-   all keys in the "a.example" DNSKEY RRset are considered
-   authenticated.
-
-B.5  Referral to Unsigned Zone using Opt-In
-
-   Referral to an unsigned zone using Opt-In.  The NSEC3 RR proves that
-   nothing for this delegation was signed in the parent zone.  There is
-   no proof that the delegation exists
-
-
-
-
-
-
-
-Laurie, et al.          Expires December 3, 2005               [Page 31]
-
-Internet-Draft                    nsec3                        june 2005
-
-
-   ;; Header: QR DO RCODE=0
-   ;;
-   ;; Question
-   mc.b.example.       IN MX
-
-   ;; Answer
-   ;; (empty)
-
-   ;; Authority
-   b.example.     3600 IN NS  ns1.b.example.
-   b.example.     3600 IN NS  ns2.b.example.
-   kcll7fqfnisuhfekckeeqnmbbd4maanu.example. 3600 IN NSEC3  1 1 1 (
-                              deadbeaf
-                              n42hbhnjj333xdxeybycax5ufvntux5d
-                              MX NSEC3 RRSIG )
-   kcll7fqfnisuhfekckeeqnmbbd4maanu.example. 3600 IN RRSIG  NSEC3 (
-                              5 2 3600 20050712112304
-                              20050612112304 62699 example.
-                              d0g8MTOvVwByOAIwvYV9JrTHwJof1VhnMKuA
-                              IBj6Xaeney86RBZYgg7Qyt9WnQSK3uCEeNpx
-                              TOLtc5jPrkL4zQ== )
-
-   ;; Additional
-   ns1.b.example. 3600 IN A   192.0.2.7
-   ns2.b.example. 3600 IN A   192.0.2.8
-
-   The query returned a referral to the unsigned "b.example." zone.  The
-   NSEC3 proves that no authentication leads from "example" to
-   "b.example", since the hash of "b.example"
-   ("ldjpfcucebeks5azmzpty4qlel4cftzo") is within the NSEC3 interval and
-   the NSEC3 opt-in bit is set.  The NSEC3 RR is authenticated in a
-   manner identical to that of the MX RRset discussed above.
-
-B.6  Wildcard Expansion
-
-   A successful query that was answered via wildcard expansion.  The
-   label count in the answer's RRSIG RR indicates that a wildcard RRset
-   was expanded to produce this response, and the NSEC3 RR proves that
-   no closer match exists in the zone.
-
-
-
-
-
-
-
-
-
-
-
-
-Laurie, et al.          Expires December 3, 2005               [Page 32]
-
-Internet-Draft                    nsec3                        june 2005
-
-
-   ;; Header: QR AA DO RCODE=0
-   ;;
-   ;; Question
-   a.z.w.example.      IN MX
-
-   ;; Answer
-   a.z.w.example. 3600 IN MX  1 ai.example.
-   a.z.w.example. 3600 IN RRSIG  MX 5 3 3600 20050712112304 (
-                              20050612112304 62699 example.
-                              sYNUPHn1/gJ87wTHNksGdRm3vfnSFa2BbofF
-                              xGfJLF5A4deRu5f0hvxhAFDCcXfIASj7z0wQ
-                              gQlgxEwhvQDEaQ== )
-   ;; Authority
-   example.       3600 NS     ns1.example.
-   example.       3600 NS     ns2.example.
-   example.       3600 IN RRSIG  NS 5 1 3600 20050712112304 (
-                              20050612112304 62699 example.
-                              hNyyin2JpECIFxW4vsj8RhHcWCQKUXgO+z4l
-                              m7g2zM8q3Qpsm/gYIXSF2Rhj6lAG7esR/X9d
-                              1SH5r/wfjuCg+g== )
-   zjxfz5o7t4ty4u3f6fa7mhhqzjln4mui.example. 3600 IN NSEC3  0 1 1 (
-                              deadbeaf
-                              5pe7ctl7pfs2cilroy5dcofx4rcnlypd
-                              MX NSEC3 RRSIG )
-   zjxfz5o7t4ty4u3f6fa7mhhqzjln4mui.example. 3600 IN RRSIG  NSEC3 (
-                              5 2 3600 20050712112304
-                              20050612112304 62699 example.
-                              eULkdWjcjmM+wXQcr7zXNfnGLgHjZSJINGkt
-                              7Zmvp7WKVAqoHMm1RXV8IfBH1aRgv5+/Lgny
-                              OcFlrPGPMm48/A== )
-   ;; Additional
-   ai.example.    3600 IN A   192.0.2.9
-   ai.example.    3600 IN RRSIG  A 5 2 3600 20050712112304 (
-                              20050612112304 62699 example.
-                              plY5M26ED3Owe3YX0pBIhgg44j89NxUaoBrU
-                              6bLRr99HpKfFl1sIy18JiRS7evlxCETZgubq
-                              ZXW5S+1VjMZYzQ== )
-   ai.example.    3600 AAAA   2001:db8::f00:baa9
-   ai.example.    3600 IN RRSIG  AAAA 5 2 3600 20050712112304 (
-                              20050612112304 62699 example.
-                              PNF/t7+DeosEjhfuL0kmsNJvn16qhYyLI9FV
-                              ypSCorFx/PKIlEL3syomkYM2zcXVSRwUXMns
-                              l5/UqLCJJ9BDMg== )
-
-   The query returned an answer that was produced as a result of
-   wildcard expansion.  The answer section contains a wildcard RRset
-   expanded as it would be in a traditional DNS response, and the
-   corresponding RRSIG indicates that the expanded wildcard MX RRset was
-
-
-
-Laurie, et al.          Expires December 3, 2005               [Page 33]
-
-Internet-Draft                    nsec3                        june 2005
-
-
-   signed by an "example" DNSKEY with algorithm 5 and key tag 62699.
-   The RRSIG indicates that the original TTL of the MX RRset was 3600,
-   and, for the purpose of authentication, the current TTL is replaced
-   by 3600.  The RRSIG labels field value of 2 indicates that the answer
-   is the result of wildcard expansion, as the "a.z.w.example" name
-   contains 4 labels.  The name "a.z.w.example" is replaced by
-   "*.w.example", the MX RRset is placed in canonical form, and,
-   assuming that the current time falls between the signature inception
-   and expiration dates, the signature is authenticated.
-
-   The NSEC3 proves that no closer match (exact or closer wildcard)
-   could have been used to answer this query, and the NSEC3 RR must also
-   be authenticated before the answer is considered valid.
-
-B.7  Wildcard No Data Error
-
-   A "no data" response for a name covered by a wildcard.  The NSEC3 RRs
-   prove that the matching wildcard name does not have any RRs of the
-   requested type and that no closer match exists in the zone.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Laurie, et al.          Expires December 3, 2005               [Page 34]
-
-Internet-Draft                    nsec3                        june 2005
-
-
-   ;; Header: QR AA DO RCODE=0
-   ;;
-   ;; Question
-   a.z.w.example.      IN AAAA
-
-   ;; Answer
-   ;; (empty)
-
-   ;; Authority
-   example.       3600 IN SOA ns1.example. bugs.x.w.example. (
-                              1
-                              3600
-                              300
-                              3600000
-                              3600
-                              )
-   example.       3600 IN RRSIG  SOA 5 1 3600 20050712112304 (
-                              20050612112304 62699 example.
-                              RtctD6aLUU5Md5wOOItilS7JXX1tf58Ql3sK
-                              mTXkL13jqLiUFOGg0uzqRh1U9GbydS0P7M0g
-                              qYIt90txzE/4+g== )
-   zjxfz5o7t4ty4u3f6fa7mhhqzjln4mui.example. 3600 IN NSEC3  0 1 1 (
-                              deadbeaf
-                              5pe7ctl7pfs2cilroy5dcofx4rcnlypd
-                              MX NSEC3 RRSIG )
-   zjxfz5o7t4ty4u3f6fa7mhhqzjln4mui.example. 3600 IN RRSIG  NSEC3 (
-                              5 2 3600 20050712112304
-                              20050612112304 62699 example.
-                              eULkdWjcjmM+wXQcr7zXNfnGLgHjZSJINGkt
-                              7Zmvp7WKVAqoHMm1RXV8IfBH1aRgv5+/Lgny
-                              OcFlrPGPMm48/A== )
-   ;; Additional
-   ;; (empty)
-
-   The query returned NSEC3 RRs that prove that the requested data does
-   not exist and no wildcard applies.  The negative reply is
-   authenticated by verifying both NSEC3 RRs.
-
-B.8  DS Child Zone No Data Error
-
-   A "no data" response for a QTYPE=DS query that was mistakenly sent to
-   a name server for the child zone.
-
-
-
-
-
-
-
-
-
-Laurie, et al.          Expires December 3, 2005               [Page 35]
-
-Internet-Draft                    nsec3                        june 2005
-
-
-   ;; Header: QR AA DO RCODE=0
-   ;;
-   ;; Question
-   example.            IN DS
-
-   ;; Answer
-   ;; (empty)
-
-   ;; Authority
-   example.       3600 IN SOA ns1.example. bugs.x.w.example. (
-                              1
-                              3600
-                              300
-                              3600000
-                              3600
-                              )
-   example.       3600 IN RRSIG  SOA 5 1 3600 20050712112304 (
-                              20050612112304 62699 example.
-                              RtctD6aLUU5Md5wOOItilS7JXX1tf58Ql3sK
-                              mTXkL13jqLiUFOGg0uzqRh1U9GbydS0P7M0g
-                              qYIt90txzE/4+g== )
-   dw4o7j64wnel3j4jh7fb3c5n7w3js2yb.example. 3600 IN NSEC3  0 1 1 (
-                              deadbeaf
-                              gmnfcccja7wkax3iv26bs75myptje3qk
-                              MX DNSKEY NS SOA NSEC3 RRSIG )
-   dw4o7j64wnel3j4jh7fb3c5n7w3js2yb.example. 3600 IN RRSIG  NSEC3 (
-                              5 2 3600 20050712112304
-                              20050612112304 62699 example.
-                              VqEbXiZLJVYmo25fmO3IuHkAX155y8NuA50D
-                              C0NmJV/D4R3rLm6tsL6HB3a3f6IBw6kKEa2R
-                              MOiKMSHozVebqw== )
-
-   ;; Additional
-   ;; (empty)
-
-   The query returned NSEC RRs that shows the requested was answered by
-   a child server ("example" server).  The NSEC RR indicates the
-   presence of an SOA RR, showing that the answer is from the child .
-   Queries for the "example" DS RRset should be sent to the parent
-   servers ("root" servers).
-
-
-
-
-
-
-
-
-
-
-
-Laurie, et al.          Expires December 3, 2005               [Page 36]
-
-Internet-Draft                    nsec3                        june 2005
-
-
-Intellectual Property Statement
-
-   The IETF takes no position regarding the validity or scope of any
-   Intellectual Property Rights or other rights that might be claimed to
-   pertain to the implementation or use of the technology described in
-   this document or the extent to which any license under such rights
-   might or might not be available; nor does it represent that it has
-   made any independent effort to identify any such rights.  Information
-   on the procedures with respect to rights in RFC documents can be
-   found in BCP 78 and BCP 79.
-
-   Copies of IPR disclosures made to the IETF Secretariat and any
-   assurances of licenses to be made available, or the result of an
-   attempt made to obtain a general license or permission for the use of
-   such proprietary rights by implementers or users of this
-   specification can be obtained from the IETF on-line IPR repository at
-   http://www.ietf.org/ipr.
-
-   The IETF invites any interested party to bring to its attention any
-   copyrights, patents or patent applications, or other proprietary
-   rights that may cover technology that may be required to implement
-   this standard.  Please address the information to the IETF at
-   ietf-ipr@ietf.org.
-
-
-Disclaimer of Validity
-
-   This document and the information contained herein are provided on an
-   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
-   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
-   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
-   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
-   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Copyright Statement
-
-   Copyright (C) The Internet Society (2005).  This document is subject
-   to the rights, licenses and restrictions contained in BCP 78, and
-   except as set forth therein, the authors retain all their rights.
-
-
-Acknowledgment
-
-   Funding for the RFC Editor function is currently provided by the
-   Internet Society.
-
-
-
-
-Laurie, et al.          Expires December 3, 2005               [Page 37]
-
diff --git a/doc/draft/draft-ietf-dnsext-rfc2536bis-dsa-06.txt b/doc/draft/draft-ietf-dnsext-rfc2536bis-dsa-06.txt
deleted file mode 100644
index 5b6d6552..00000000
--- a/doc/draft/draft-ietf-dnsext-rfc2536bis-dsa-06.txt
+++ /dev/null
@@ -1,464 +0,0 @@
-
-INTERNET-DRAFT                                DSA Information in the DNS
-OBSOLETES: RFC 2536                               Donald E. Eastlake 3rd
-                                                   Motorola Laboratories
-Expires: January 2006                                          July 2005
-
-
-            DSA Keying and Signature Information in the DNS
-            --- ------ --- --------- ----------- -- --- ---
-               <draft-ietf-dnsext-rfc2536bis-dsa-06.txt>
-                         Donald E. Eastlake 3rd
-
-
-Status of This Document
-
-   By submitting this Internet-Draft, each author represents that any
-   applicable patent or other IPR claims of which he or she is aware
-   have been or will be disclosed, and any of which he or she becomes
-   aware will be disclosed, in accordance with Section 6 of BCP 79.
-
-   Distribution of this document is unlimited. Comments should be sent
-   to the DNS extensions working group mailing list
-   <namedroppers@ops.ietf.org>.
-
-   Internet-Drafts are working documents of the Internet Engineering
-   Task Force (IETF), its areas, and its working groups.  Note that
-   other groups may also distribute working documents as Internet-
-   Drafts.
-
-   Internet-Drafts are draft documents valid for a maximum of six months
-   and may be updated, replaced, or obsoleted by other documents at any
-   time.  It is inappropriate to use Internet-Drafts as reference
-   material or to cite them other than a "work in progress."
-
-   The list of current Internet-Drafts can be accessed at
-   http://www.ietf.org/1id-abstracts.html
-
-   The list of Internet-Draft Shadow Directories can be accessed at
-   http://www.ietf.org/shadow.html
-
-
-Abstract
-
-   The standard method of encoding US Government Digital Signature
-   Algorithm keying and signature information for use in the Domain Name
-   System is specified.
-
-
-Copyright Notice
-
-   Copyright (C) The Internet Society 2005. All Rights Reserved.
-
-
-
-
-
-D. Eastlake 3rd                                                 [Page 1]
-
-
-INTERNET-DRAFT                                DSA Information in the DNS
-
-
-Table of Contents
-
-      Status of This Document....................................1
-      Abstract...................................................1
-      Copyright Notice...........................................1
-
-      Table of Contents..........................................2
-
-      1. Introduction............................................3
-      2. DSA Keying Information..................................3
-      3. DSA Signature Information...............................4
-      4. Performance Considerations..............................4
-      5. Security Considerations.................................5
-      6. IANA Considerations.....................................5
-      Copyright and Disclaimer...................................5
-
-      Normative References.......................................7
-      Informative References.....................................7
-
-      Authors Address............................................8
-      Expiration and File Name...................................8
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-D. Eastlake 3rd                                                 [Page 2]
-
-
-INTERNET-DRAFT                                DSA Information in the DNS
-
-
-1. Introduction
-
-   The Domain Name System (DNS) is the global hierarchical replicated
-   distributed database system for Internet addressing, mail proxy, and
-   other information [RFC 1034, 1035]. The DNS has been extended to
-   include digital signatures and cryptographic keys as described in
-   [RFC 4033, 4034, 4035] and additional work is underway which would
-   require the storage of keying and signature information in the DNS.
-
-   This document describes how to encode US Government Digital Signature
-   Algorithm (DSA) keys and signatures in the DNS.  Familiarity with the
-   US Digital Signature Algorithm is assumed [FIPS 186-2, Schneier].
-
-
-
-2. DSA Keying Information
-
-   When DSA public keys are stored in the DNS, the structure of the
-   relevant part of the RDATA part of the RR being used is the fields
-   listed below in the order given.
-
-   The period of key validity is not included in this data but is
-   indicated separately, for example by an RR such as RRSIG which signs
-   and authenticates the RR containing the keying information.
-
-        Field     Size
-        -----     ----
-         T         1  octet
-         Q        20  octets
-         P        64 + T*8  octets
-         G        64 + T*8  octets
-         Y        64 + T*8  octets
-
-   As described in [FIPS 186-2] and [Schneier], T is a key size
-   parameter chosen such that 0 <= T <= 8.  (The meaning if the T octet
-   is greater than 8 is reserved and the remainder of the data may have
-   a different format in that case.)  Q is a prime number selected at
-   key generation time such that 2**159 < Q < 2**160. Thus Q is always
-   20 octets long and, as with all other fields, is stored in "big-
-   endian" network order.  P, G, and Y are calculated as directed by the
-   [FIPS 186-2] key generation algorithm [Schneier].  P is in the range
-   2**(511+64T) < P < 2**(512+64T) and thus is 64 + 8*T octets long.  G
-   and Y are quantities modulo P and so can be up to the same length as
-   P and are allocated fixed size fields with the same number of octets
-   as P.
-
-   During the key generation process, a random number X must be
-   generated such that 1 <= X <= Q-1.  X is the private key and is used
-   in the final step of public key generation where Y is computed as
-
-
-
-D. Eastlake 3rd                                                 [Page 3]
-
-
-INTERNET-DRAFT                                DSA Information in the DNS
-
-
-        Y = G**X mod P
-
-
-
-3. DSA Signature Information
-
-   The portion of the RDATA area used for US Digital Signature Algorithm
-   signature information is shown below with fields in the order they
-   are listed and the contents of each multi-octet field in "big-endian"
-   network order.
-
-        Field     Size
-        -----     ----
-         T         1 octet
-         R        20 octets
-         S        20 octets
-
-   First, the data signed must be determined.  Then the following steps
-   are taken, as specified in [FIPS 186-2], where Q, P, G, and Y are as
-   specified in the public key [Schneier]:
-
-        hash = SHA-1 ( data )
-
-        Generate a random K such that 0 < K < Q.
-
-        R = ( G**K mod P ) mod Q
-
-        S = ( K**(-1) * (hash + X*R) ) mod Q
-
-   For information on the SHA-1 hash function see [FIPS 180-2] and [RFC
-   3174].
-
-   Since Q is 160 bits long, R and S can not be larger than 20 octets,
-   which is the space allocated.
-
-   T is copied from the public key.  It is not logically necessary in
-   the SIG but is present so that values of T > 8 can more conveniently
-   be used as an escape for extended versions of DSA or other algorithms
-   as later standardized.
-
-
-
-4. Performance Considerations
-
-   General signature generation speeds are roughly the same for RSA [RFC
-   3110] and DSA.  With sufficient pre-computation, signature generation
-   with DSA is faster than RSA.  Key generation is also faster for DSA.
-   However, signature verification is an order of magnitude slower than
-   RSA when the RSA public exponent is chosen to be small, as is
-   recommended for some applications.
-
-
-D. Eastlake 3rd                                                 [Page 4]
-
-
-INTERNET-DRAFT                                DSA Information in the DNS
-
-
-   Current DNS implementations are optimized for small transfers,
-   typically less than 512 bytes including DNS overhead.  Larger
-   transfers will perform correctly and extensions have been
-   standardized [RFC 2671] to make larger transfers more efficient, it
-   is still advisable at this time to make reasonable efforts to
-   minimize the size of RR sets containing keying and/or signature
-   inforamtion consistent with adequate security.
-
-
-
-5. Security Considerations
-
-   Keys retrieved from the DNS should not be trusted unless (1) they
-   have been securely obtained from a secure resolver or independently
-   verified by the user and (2) this secure resolver and secure
-   obtainment or independent verification conform to security policies
-   acceptable to the user.  As with all cryptographic algorithms,
-   evaluating the necessary strength of the key is essential and
-   dependent on local policy.
-
-   The key size limitation of a maximum of 1024 bits ( T = 8 ) in the
-   current DSA standard may limit the security of DSA.  For particular
-   applications, implementors are encouraged to consider the range of
-   available algorithms and key sizes.
-
-   DSA assumes the ability to frequently generate high quality random
-   numbers.  See [random] for guidance.  DSA is designed so that if
-   biased rather than random numbers are used, high bandwidth covert
-   channels are possible.  See [Schneier] and more recent research.  The
-   leakage of an entire DSA private key in only two DSA signatures has
-   been demonstrated.  DSA provides security only if trusted
-   implementations, including trusted random number generation, are
-   used.
-
-
-
-6. IANA Considerations
-
-   Allocation of meaning to values of the T parameter that are not
-   defined herein (i.e., > 8 ) requires an IETF standards actions.  It
-   is intended that values unallocated herein be used to cover future
-   extensions of the DSS standard.
-
-
-
-Copyright and Disclaimer
-
-   Copyright (C) The Internet Society (2005).  This document is subject to
-   the rights, licenses and restrictions contained in BCP 78, and except
-   as set forth therein, the authors retain all their rights.
-
-
-D. Eastlake 3rd                                                 [Page 5]
-
-
-INTERNET-DRAFT                                DSA Information in the DNS
-
-
-   This document and the information contained herein are provided on an
-   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
-   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
-   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
-   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
-   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-D. Eastlake 3rd                                                 [Page 6]
-
-
-INTERNET-DRAFT                                DSA Information in the DNS
-
-
-Normative References
-
-   [FIPS 186-2] - U.S. Federal Information Processing Standard: Digital
-   Signature Standard, 27 January 2000.
-
-   [RFC 4034] - Arends, R., Austein, R., Larson, M., Massey, D., and S.
-   Rose, "Resource Records for the DNS Security Extensions", RFC 4034,
-   March 2005.
-
-
-
-Informative References
-
-   [RFC 1034] - "Domain names - concepts and facilities", P.
-   Mockapetris, 11/01/1987.
-
-   [RFC 1035] - "Domain names - implementation and specification", P.
-   Mockapetris, 11/01/1987.
-
-   [RFC 2671] - "Extension Mechanisms for DNS (EDNS0)", P. Vixie, August
-   1999.
-
-   [RFC 3110] - "RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System
-   (DNS)", D.  Eastlake 3rd. May 2001.
-
-   [RFC 3174] - "US Secure Hash Algorithm 1 (SHA1)", D. Eastlake, P.
-   Jones, September 2001.
-
-   [RFC 4033] - Arends, R., Austein, R., Larson, M., Massey, D., and S.
-   Rose, "DNS Security Introduction and Requirements", RFC 4033, March
-   2005.
-
-   [RFC 4035] - Arends, R., Austein, R., Larson, M., Massey, D., and S.
-   Rose, "Protocol Modifications for the DNS Security Extensions", RFC
-   4035, March 2005.
-
-   [RFC 4086] - Eastlake, D., 3rd, Schiller, J., and S. Crocker,
-   "Randomness Requirements for Security", BCP 106, RFC 4086, June 2005.
-
-   [Schneier] - "Applied Cryptography Second Edition: protocols,
-   algorithms, and source code in C" (second edition), Bruce Schneier,
-   1996, John Wiley and Sons, ISBN 0-471-11709-9.
-
-
-
-
-
-
-
-
-
-
-D. Eastlake 3rd                                                 [Page 7]
-
-
-INTERNET-DRAFT                                DSA Information in the DNS
-
-
-Authors Address
-
-   Donald E. Eastlake 3rd
-   Motorola Labortories
-   155 Beaver Street
-   Milford, MA 01757 USA
-
-   Telephone:   +1-508-786-7554(w)
-   EMail:       Donald.Eastlake@motorola.com
-
-
-
-Expiration and File Name
-
-   This draft expires in January 2006.
-
-   Its file name is draft-ietf-dnsext-rfc2536bis-dsa-06.txt.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-D. Eastlake 3rd                                                 [Page 8]
-
diff --git a/doc/draft/draft-ietf-dnsext-rfc2538bis-04.txt b/doc/draft/draft-ietf-dnsext-rfc2538bis-04.txt
deleted file mode 100644
index 2ec9dbec..00000000
--- a/doc/draft/draft-ietf-dnsext-rfc2538bis-04.txt
+++ /dev/null
@@ -1,840 +0,0 @@
-
-
-
-Network Working Group                                       S. Josefsson
-Internet-Draft                                           August 30, 2005
-Expires: March 3, 2006
-
-
-          Storing Certificates in the Domain Name System (DNS)
-                    draft-ietf-dnsext-rfc2538bis-04
-
-Status of this Memo
-
-   By submitting this Internet-Draft, each author represents that any
-   applicable patent or other IPR claims of which he or she is aware
-   have been or will be disclosed, and any of which he or she becomes
-   aware will be disclosed, in accordance with Section 6 of BCP 79.
-
-   Internet-Drafts are working documents of the Internet Engineering
-   Task Force (IETF), its areas, and its working groups.  Note that
-   other groups may also distribute working documents as Internet-
-   Drafts.
-
-   Internet-Drafts are draft documents valid for a maximum of six months
-   and may be updated, replaced, or obsoleted by other documents at any
-   time.  It is inappropriate to use Internet-Drafts as reference
-   material or to cite them other than as "work in progress."
-
-   The list of current Internet-Drafts can be accessed at
-   http://www.ietf.org/ietf/1id-abstracts.txt.
-
-   The list of Internet-Draft Shadow Directories can be accessed at
-   http://www.ietf.org/shadow.html.
-
-   This Internet-Draft will expire on March 3, 2006.
-
-Copyright Notice
-
-   Copyright (C) The Internet Society (2005).
-
-Abstract
-
-   Cryptographic public keys are frequently published and their
-   authenticity demonstrated by certificates.  A CERT resource record
-   (RR) is defined so that such certificates and related certificate
-   revocation lists can be stored in the Domain Name System (DNS).
-
-   This document obsoletes RFC 2538.
-
-
-
-
-
-
-Josefsson                 Expires March 3, 2006                 [Page 1]
-
-Internet-Draft       Storing Certificates in the DNS         August 2005
-
-
-Table of Contents
-
-   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
-   2.  The CERT Resource Record . . . . . . . . . . . . . . . . . . .  3
-     2.1.  Certificate Type Values  . . . . . . . . . . . . . . . . .  4
-     2.2.  Text Representation of CERT RRs  . . . . . . . . . . . . .  5
-     2.3.  X.509 OIDs . . . . . . . . . . . . . . . . . . . . . . . .  6
-   3.  Appropriate Owner Names for CERT RRs . . . . . . . . . . . . .  6
-     3.1.  Content-based X.509 CERT RR Names  . . . . . . . . . . . .  7
-     3.2.  Purpose-based X.509 CERT RR Names  . . . . . . . . . . . .  8
-     3.3.  Content-based OpenPGP CERT RR Names  . . . . . . . . . . .  9
-     3.4.  Purpose-based OpenPGP CERT RR Names  . . . . . . . . . . .  9
-     3.5.  Owner names for IPKIX, ISPKI, and IPGP . . . . . . . . . .  9
-   4.  Performance Considerations . . . . . . . . . . . . . . . . . . 10
-   5.  Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 10
-   6.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10
-   7.  Security Considerations  . . . . . . . . . . . . . . . . . . . 10
-   8.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 11
-   9.  Changes since RFC 2538 . . . . . . . . . . . . . . . . . . . . 11
-   Appendix A.  Copying conditions  . . . . . . . . . . . . . . . . . 12
-   10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 12
-     10.1. Normative References . . . . . . . . . . . . . . . . . . . 12
-     10.2. Informative References . . . . . . . . . . . . . . . . . . 13
-   Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 14
-   Intellectual Property and Copyright Statements . . . . . . . . . . 15
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Josefsson                 Expires March 3, 2006                 [Page 2]
-
-Internet-Draft       Storing Certificates in the DNS         August 2005
-
-
-1.  Introduction
-
-   Public keys are frequently published in the form of a certificate and
-   their authenticity is commonly demonstrated by certificates and
-   related certificate revocation lists (CRLs).  A certificate is a
-   binding, through a cryptographic digital signature, of a public key,
-   a validity interval and/or conditions, and identity, authorization,
-   or other information.  A certificate revocation list is a list of
-   certificates that are revoked, and incidental information, all signed
-   by the signer (issuer) of the revoked certificates.  Examples are
-   X.509 certificates/CRLs in the X.500 directory system or OpenPGP
-   certificates/revocations used by OpenPGP software.
-
-   Section 2 below specifies a CERT resource record (RR) for the storage
-   of certificates in the Domain Name System [1] [2].
-
-   Section 3 discusses appropriate owner names for CERT RRs.
-
-   Sections 4, 5, and 6 below cover performance, IANA, and security
-   considerations, respectively.
-
-   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
-   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
-   document are to be interpreted as described in [3].
-
-
-2.  The CERT Resource Record
-
-   The CERT resource record (RR) has the structure given below.  Its RR
-   type code is 37.
-
-                       1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
-   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   |             type              |             key tag           |
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   |   algorithm   |                                               /
-   +---------------+            certificate or CRL                 /
-   /                                                               /
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
-
-   The type field is the certificate type as defined in section 2.1
-   below.
-
-   The key tag field is the 16 bit value computed for the key embedded
-   in the certificate, using the RRSIG Key Tag algorithm described in
-   Appendix B of [10].  This field is used as an efficiency measure to
-   pick which CERT RRs may be applicable to a particular key.  The key
-
-
-
-Josefsson                 Expires March 3, 2006                 [Page 3]
-
-Internet-Draft       Storing Certificates in the DNS         August 2005
-
-
-   tag can be calculated for the key in question and then only CERT RRs
-   with the same key tag need be examined.  However, the key must always
-   be transformed to the format it would have as the public key portion
-   of a DNSKEY RR before the key tag is computed.  This is only possible
-   if the key is applicable to an algorithm (and limits such as key size
-   limits) defined for DNS security.  If it is not, the algorithm field
-   MUST BE zero and the tag field is meaningless and SHOULD BE zero.
-
-   The algorithm field has the same meaning as the algorithm field in
-   DNSKEY and RRSIG RRs [10], except that a zero algorithm field
-   indicates the algorithm is unknown to a secure DNS, which may simply
-   be the result of the algorithm not having been standardized for
-   DNSSEC.
-
-2.1.  Certificate Type Values
-
-   The following values are defined or reserved:
-
-       Value  Mnemonic  Certificate Type
-       -----  --------  ----------------
-           0            reserved
-           1  PKIX      X.509 as per PKIX
-           2  SPKI      SPKI certificate
-           3  PGP       OpenPGP packet
-           4  IPKIX     The URL of an X.509 data object
-           5  ISPKI     The URL of an SPKI certificate
-           6  IPGP      The URL of an OpenPGP packet
-       7-252            available for IANA assignment
-         253  URI       URI private
-         254  OID       OID private
-   255-65534            available for IANA assignment
-       65535            reserved
-
-   The PKIX type is reserved to indicate an X.509 certificate conforming
-   to the profile being defined by the IETF PKIX working group.  The
-   certificate section will start with a one-byte unsigned OID length
-   and then an X.500 OID indicating the nature of the remainder of the
-   certificate section (see 2.3 below).  (NOTE: X.509 certificates do
-   not include their X.500 directory type designating OID as a prefix.)
-
-   The SPKI type is reserved to indicate the SPKI certificate format
-   [13], for use when the SPKI documents are moved from experimental
-   status.
-
-   The PGP type indicates an OpenPGP packet as described in [6] and its
-   extensions and successors.  Two uses are to transfer public key
-   material and revocation signatures.  The data is binary, and MUST NOT
-   be encoded into an ASCII armor.  An implementation SHOULD process
-
-
-
-Josefsson                 Expires March 3, 2006                 [Page 4]
-
-Internet-Draft       Storing Certificates in the DNS         August 2005
-
-
-   transferable public keys as described in section 10.1 of [6], but it
-   MAY handle additional OpenPGP packets.
-
-   The IPKIX, ISPKI and IPGP types indicate a URL which will serve the
-   content that would have been in the "certificate, CRL or URL" field
-   of the corresponding (PKIX, SPKI or PGP) packet types.  These types
-   are known as "indirect".  These packet types MUST be used when the
-   content is too large to fit in the CERT RR, and MAY be used at the
-   implementer's discretion.  They SHOULD NOT be used where the entire
-   UDP packet would have fit in 512 bytes.
-
-   The URI private type indicates a certificate format defined by an
-   absolute URI.  The certificate portion of the CERT RR MUST begin with
-   a null terminated URI [5] and the data after the null is the private
-   format certificate itself.  The URI SHOULD be such that a retrieval
-   from it will lead to documentation on the format of the certificate.
-   Recognition of private certificate types need not be based on URI
-   equality but can use various forms of pattern matching so that, for
-   example, subtype or version information can also be encoded into the
-   URI.
-
-   The OID private type indicates a private format certificate specified
-   by an ISO OID prefix.  The certificate section will start with a one-
-   byte unsigned OID length and then a BER encoded OID indicating the
-   nature of the remainder of the certificate section.  This can be an
-   X.509 certificate format or some other format.  X.509 certificates
-   that conform to the IETF PKIX profile SHOULD be indicated by the PKIX
-   type, not the OID private type.  Recognition of private certificate
-   types need not be based on OID equality but can use various forms of
-   pattern matching such as OID prefix.
-
-2.2.  Text Representation of CERT RRs
-
-   The RDATA portion of a CERT RR has the type field as an unsigned
-   decimal integer or as a mnemonic symbol as listed in section 2.1
-   above.
-
-   The key tag field is represented as an unsigned decimal integer.
-
-   The algorithm field is represented as an unsigned decimal integer or
-   a mnemonic symbol as listed in [10].
-
-   The certificate / CRL portion is represented in base 64 [14] and may
-   be divided up into any number of white space separated substrings,
-   down to single base 64 digits, which are concatenated to obtain the
-   full signature.  These substrings can span lines using the standard
-   parenthesis.
-
-
-
-
-Josefsson                 Expires March 3, 2006                 [Page 5]
-
-Internet-Draft       Storing Certificates in the DNS         August 2005
-
-
-   Note that the certificate / CRL portion may have internal sub-fields,
-   but these do not appear in the master file representation.  For
-   example, with type 254, there will be an OID size, an OID, and then
-   the certificate / CRL proper.  But only a single logical base 64
-   string will appear in the text representation.
-
-2.3.  X.509 OIDs
-
-   OIDs have been defined in connection with the X.500 directory for
-   user certificates, certification authority certificates, revocations
-   of certification authority, and revocations of user certificates.
-   The following table lists the OIDs, their BER encoding, and their
-   length-prefixed hex format for use in CERT RRs:
-
-       id-at-userCertificate
-           = { joint-iso-ccitt(2) ds(5) at(4) 36 }
-              == 0x 03 55 04 24
-       id-at-cACertificate
-           = { joint-iso-ccitt(2) ds(5) at(4) 37 }
-              == 0x 03 55 04 25
-       id-at-authorityRevocationList
-           = { joint-iso-ccitt(2) ds(5) at(4) 38 }
-              == 0x 03 55 04 26
-       id-at-certificateRevocationList
-           = { joint-iso-ccitt(2) ds(5) at(4) 39 }
-              == 0x 03 55 04 27
-
-
-3.  Appropriate Owner Names for CERT RRs
-
-   It is recommended that certificate CERT RRs be stored under a domain
-   name related to their subject, i.e., the name of the entity intended
-   to control the private key corresponding to the public key being
-   certified.  It is recommended that certificate revocation list CERT
-   RRs be stored under a domain name related to their issuer.
-
-   Following some of the guidelines below may result in the use in DNS
-   names of characters that require DNS quoting which is to use a
-   backslash followed by the octal representation of the ASCII code for
-   the character (e.g., \000 for NULL).
-
-   The choice of name under which CERT RRs are stored is important to
-   clients that perform CERT queries.  In some situations, the clients
-   may not know all information about the CERT RR object it wishes to
-   retrieve.  For example, a client may not know the subject name of an
-   X.509 certificate, or the e-mail address of the owner of an OpenPGP
-   key.  Further, the client might only know the hostname of a service
-   that uses X.509 certificates or the Key ID of an OpenPGP key.
-
-
-
-Josefsson                 Expires March 3, 2006                 [Page 6]
-
-Internet-Draft       Storing Certificates in the DNS         August 2005
-
-
-   Therefore, two owner name guidelines are defined: content-based owner
-   names and purpose-based owner names.  A content-based owner name is
-   derived from the content of the CERT RR data; for example, the
-   Subject field in an X.509 certificate or the User ID field in OpenPGP
-   keys.  A purpose-based owner name is a name that a client retrieving
-   CERT RRs MUST already know; for example, the host name of an X.509
-   protected service or the Key ID of an OpenPGP key.  The content-based
-   and purpose-based owner name MAY be the same; for example, when a
-   client looks up a key based on the From: address of an incoming
-   e-mail.
-
-   Implementations SHOULD use the purpose-based owner name guidelines
-   described in this document, and MAY use CNAMEs of content-based owner
-   names (or other names), pointing to the purpose-based owner name.
-
-3.1.  Content-based X.509 CERT RR Names
-
-   Some X.509 versions permit multiple names to be associated with
-   subjects and issuers under "Subject Alternate Name" and "Issuer
-   Alternate Name".  For example, X.509v3 has such Alternate Names with
-   an ASN.1 specification as follows:
-
-        GeneralName ::= CHOICE {
-           otherName                  [0] INSTANCE OF OTHER-NAME,
-           rfc822Name                 [1] IA5String,
-           dNSName                    [2] IA5String,
-           x400Address                [3] EXPLICIT OR-ADDRESS.&Type,
-           directoryName              [4] EXPLICIT Name,
-           ediPartyName               [5] EDIPartyName,
-           uniformResourceIdentifier  [6] IA5String,
-           iPAddress                  [7] OCTET STRING,
-           registeredID               [8] OBJECT IDENTIFIER
-        }
-
-   The recommended locations of CERT storage are as follows, in priority
-   order:
-   1.  If a domain name is included in the identification in the
-       certificate or CRL, that should be used.
-   2.  If a domain name is not included but an IP address is included,
-       then the translation of that IP address into the appropriate
-       inverse domain name should be used.
-   3.  If neither of the above is used, but a URI containing a domain
-       name is present, that domain name should be used.
-   4.  If none of the above is included but a character string name is
-       included, then it should be treated as described for OpenPGP
-       names below.
-
-
-
-
-
-Josefsson                 Expires March 3, 2006                 [Page 7]
-
-Internet-Draft       Storing Certificates in the DNS         August 2005
-
-
-   5.  If none of the above apply, then the distinguished name (DN)
-       should be mapped into a domain name as specified in [4].
-
-   Example 1: An X.509v3 certificate is issued to /CN=John Doe /DC=Doe/
-   DC=com/DC=xy/O=Doe Inc/C=XY/ with Subject Alternative Names of (a)
-   string "John (the Man) Doe", (b) domain name john-doe.com, and (c)
-   uri <https://www.secure.john-doe.com:8080/>.  The storage locations
-   recommended, in priority order, would be
-   1.  john-doe.com,
-   2.  www.secure.john-doe.com, and
-   3.  Doe.com.xy.
-
-   Example 2: An X.509v3 certificate is issued to /CN=James Hacker/
-   L=Basingstoke/O=Widget Inc/C=GB/ with Subject Alternate names of (a)
-   domain name widget.foo.example, (b) IPv4 address 10.251.13.201, and
-   (c) string "James Hacker <hacker@mail.widget.foo.example>".  The
-   storage locations recommended, in priority order, would be
-   1.  widget.foo.example,
-   2.  201.13.251.10.in-addr.arpa, and
-   3.  hacker.mail.widget.foo.example.
-
-3.2.  Purpose-based X.509 CERT RR Names
-
-   Due to the difficulty for clients that do not already possess a
-   certificate to reconstruct the content-based owner name, purpose-
-   based owner names are recommended in this section.  Recommendations
-   for purpose-based owner names vary per scenario.  The following table
-   summarizes the purpose-based X.509 CERT RR owner name guidelines for
-   use with S/MIME [16], SSL/TLS [11], and IPSEC [12]:
-
-    Scenario             Owner name
-    ------------------   ----------------------------------------------
-    S/MIME Certificate   Standard translation of an RFC 2822 email
-                         address.  Example: An S/MIME certificate for
-                         "postmaster@example.org" will use a standard
-                         hostname translation of the owner name,
-                         "postmaster.example.org".
-
-    TLS Certificate      Hostname of the TLS server.
-
-    IPSEC Certificate    Hostname of the IPSEC machine and/or, for IPv4
-                         or IPv6 addresses, the fully qualified domain
-                         name in the appropriate reverse domain.
-
-   An alternate approach for IPSEC is to store raw public keys [15].
-
-
-
-
-
-
-Josefsson                 Expires March 3, 2006                 [Page 8]
-
-Internet-Draft       Storing Certificates in the DNS         August 2005
-
-
-3.3.  Content-based OpenPGP CERT RR Names
-
-   OpenPGP signed keys (certificates) use a general character string
-   User ID [6].  However, it is recommended by OpenPGP that such names
-   include the RFC 2822 [8] email address of the party, as in "Leslie
-   Example <Leslie@host.example>".  If such a format is used, the CERT
-   should be under the standard translation of the email address into a
-   domain name, which would be leslie.host.example in this case.  If no
-   RFC 2822 name can be extracted from the string name, no specific
-   domain name is recommended.
-
-   If a user has more than one email address, the CNAME type can be used
-   to reduce the amount of data stored in the DNS.  Example:
-
-      $ORIGIN example.org.
-      smith        IN CERT PGP 0 0 <OpenPGP binary>
-      john.smith   IN CNAME smith
-      js           IN CNAME smith
-
-3.4.  Purpose-based OpenPGP CERT RR Names
-
-   Applications that receive an OpenPGP packet containing encrypted or
-   signed data but do not know the email address of the sender will have
-   difficulties constructing the correct owner name and cannot use the
-   content-based owner name guidelines.  However, these clients commonly
-   know the key fingerprint or the Key ID.  The key ID is found in
-   OpenPGP packets, and the key fingerprint is commonly found in
-   auxilliary data that may be available.  In this case, use of an owner
-   name identical to the key fingerprint and the key ID expressed in
-   hexadecimal [14] is recommended.  Example:
-
-      $ORIGIN example.org.
-      0424D4EE81A0E3D119C6F835EDA21E94B565716F IN CERT PGP ...
-      F835EDA21E94B565716F                     IN CERT PGP ...
-      B565716F                                 IN CERT PGP ...
-
-   If the same key material is stored for several owner names, the use
-   of CNAME may be used to avoid data duplication.  Note that CNAME is
-   not always applicable, because it maps one owner name to the other
-   for all purposes, which may be sub-optimal when two keys with the
-   same Key ID are stored.
-
-3.5.  Owner names for IPKIX, ISPKI, and IPGP
-
-   These types are stored under the same owner names, both purpose- and
-   content-based, as the PKIX, SPKI and PGP types.
-
-
-
-
-
-Josefsson                 Expires March 3, 2006                 [Page 9]
-
-Internet-Draft       Storing Certificates in the DNS         August 2005
-
-
-4.  Performance Considerations
-
-   Current Domain Name System (DNS) implementations are optimized for
-   small transfers, typically not more than 512 bytes including
-   overhead.  While larger transfers will perform correctly and work is
-   underway to make larger transfers more efficient, it is still
-   advisable at this time to make every reasonable effort to minimize
-   the size of certificates stored within the DNS.  Steps that can be
-   taken may include using the fewest possible optional or extension
-   fields and using short field values for necessary variable length
-   fields.
-
-   The RDATA field in the DNS protocol may only hold data of size 65535
-   octets (64kb) or less.  This means that each CERT RR MUST NOT contain
-   more than 64kb of payload, even if the corresponding certificate or
-   certificate revocation list is larger.  This document addresses this
-   by defining "indirect" data types for each normal type.
-
-
-5.  Contributors
-
-   The majority of this document is copied verbatim from RFC 2538, by
-   Donald Eastlake 3rd and Olafur Gudmundsson.
-
-
-6.  Acknowledgements
-
-   Thanks to David Shaw and Michael Graff for their contributions to
-   earlier works that motivated, and served as inspiration for, this
-   document.
-
-   This document was improved by suggestions and comments from Olivier
-   Dubuisson, Olaf M. Kolkman, Ben Laurie, Edward Lewis, Jason
-   Sloderbeck, Samuel Weiler, and Florian Weimer.  No doubt the list is
-   incomplete.  We apologize to anyone we left out.
-
-
-7.  Security Considerations
-
-   By definition, certificates contain their own authenticating
-   signature.  Thus, it is reasonable to store certificates in non-
-   secure DNS zones or to retrieve certificates from DNS with DNS
-   security checking not implemented or deferred for efficiency.  The
-   results MAY be trusted if the certificate chain is verified back to a
-   known trusted key and this conforms with the user's security policy.
-
-   Alternatively, if certificates are retrieved from a secure DNS zone
-   with DNS security checking enabled and are verified by DNS security,
-
-
-
-Josefsson                 Expires March 3, 2006                [Page 10]
-
-Internet-Draft       Storing Certificates in the DNS         August 2005
-
-
-   the key within the retrieved certificate MAY be trusted without
-   verifying the certificate chain if this conforms with the user's
-   security policy.
-
-   If an organization chooses to issue certificates for it's employees,
-   placing CERT RR's in the DNS by owner name, and if DNSSEC (with NSEC)
-   is in use, it is possible for someone to enumerate all employees of
-   the organization.  This is usually not considered desirable, for the
-   same reason enterprise phone listings are not often publicly
-   published and are even mark confidential.
-
-   When the URI type is used, it should be understood that it introduces
-   an additional indirection that may allow for a new attack vector.
-   One method to secure that indirection is to include a hash of the
-   certificate in the URI itself.
-
-   CERT RRs are not used by DNSSEC [9], so there are no security
-   considerations related to CERT RRs and securing the DNS itself.
-
-   If DNSSEC is used, then the non-existence of a CERT RR and,
-   consequently, certificates or revocation lists can be securely
-   asserted.  Without DNSSEC, this is not possible.
-
-
-8.  IANA Considerations
-
-   Certificate types 0x0000 through 0x00FF and 0xFF00 through 0xFFFF can
-   only be assigned by an IETF standards action [7].  This document
-   assigns 0x0001 through 0x0006 and 0x00FD and 0x00FE.  Certificate
-   types 0x0100 through 0xFEFF are assigned through IETF Consensus [7]
-   based on RFC documentation of the certificate type.  The availability
-   of private types under 0x00FD and 0x00FE should satisfy most
-   requirements for proprietary or private types.
-
-   The CERT RR reuses the DNS Security Algorithm Numbers registry.  In
-   particular, the CERT RR requires that algorithm number 0 remain
-   reserved, as described in Section 2.  The IANA is directed to
-   reference the CERT RR as a user of this registry and value 0, in
-   particular.
-
-
-9.  Changes since RFC 2538
-
-   1.   Editorial changes to conform with new document requirements,
-        including splitting reference section into two parts and
-        updating the references to point at latest versions, and to add
-        some additional references.
-
-
-
-
-Josefsson                 Expires March 3, 2006                [Page 11]
-
-Internet-Draft       Storing Certificates in the DNS         August 2005
-
-
-   2.   Improve terminology.  For example replace "PGP" with "OpenPGP",
-        to align with RFC 2440.
-   3.   In section 2.1, clarify that OpenPGP public key data are binary,
-        not the ASCII armored format, and reference 10.1 in RFC 2440 on
-        how to deal with OpenPGP keys, and acknowledge that
-        implementations may handle additional packet types.
-   4.   Clarify that integers in the representation format are decimal.
-   5.   Replace KEY/SIG with DNSKEY/RRSIG etc, to align with DNSSECbis
-        terminology.  Improve reference for Key Tag Algorithm
-        calculations.
-   6.   Add examples that suggest use of CNAME to reduce bandwidth.
-   7.   In section 3, appended the last paragraphs that discuss
-        "content-based" vs "purpose-based" owner names.  Add section 3.2
-        for purpose-based X.509 CERT owner names, and section 3.4 for
-        purpose-based OpenPGP CERT owner names.
-   8.   Added size considerations.
-   9.   The SPKI types has been reserved, until RFC 2692/2693 is moved
-        from the experimental status.
-   10.  Added indirect types IPKIX, ISPKI, and IPGP.
-
-
-Appendix A.  Copying conditions
-
-   Regarding the portion of this document that was written by Simon
-   Josefsson ("the author", for the remainder of this section), the
-   author makes no guarantees and is not responsible for any damage
-   resulting from its use.  The author grants irrevocable permission to
-   anyone to use, modify, and distribute it in any way that does not
-   diminish the rights of anyone else to use, modify, and distribute it,
-   provided that redistributed derivative works do not contain
-   misleading author or version information.  Derivative works need not
-   be licensed under similar terms.
-
-
-10.  References
-
-10.1.  Normative References
-
-   [1]   Mockapetris, P., "Domain names - concepts and facilities",
-         STD 13, RFC 1034, November 1987.
-
-   [2]   Mockapetris, P., "Domain names - implementation and
-         specification", STD 13, RFC 1035, November 1987.
-
-   [3]   Bradner, S., "Key words for use in RFCs to Indicate Requirement
-         Levels", BCP 14, RFC 2119, March 1997.
-
-   [4]   Kille, S., Wahl, M., Grimstad, A., Huber, R., and S. Sataluri,
-
-
-
-Josefsson                 Expires March 3, 2006                [Page 12]
-
-Internet-Draft       Storing Certificates in the DNS         August 2005
-
-
-         "Using Domains in LDAP/X.500 Distinguished Names", RFC 2247,
-         January 1998.
-
-   [5]   Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
-         Resource Identifiers (URI): Generic Syntax", RFC 2396,
-         August 1998.
-
-   [6]   Callas, J., Donnerhacke, L., Finney, H., and R. Thayer,
-         "OpenPGP Message Format", RFC 2440, November 1998.
-
-   [7]   Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA
-         Considerations Section in RFCs", BCP 26, RFC 2434,
-         October 1998.
-
-   [8]   Resnick, P., "Internet Message Format", RFC 2822, April 2001.
-
-   [9]   Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
-         "DNS Security Introduction and Requirements", RFC 4033,
-         March 2005.
-
-   [10]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
-         "Resource Records for the DNS Security Extensions", RFC 4034,
-         March 2005.
-
-10.2.  Informative References
-
-   [11]  Dierks, T. and C. Allen, "The TLS Protocol Version 1.0",
-         RFC 2246, January 1999.
-
-   [12]  Kent, S. and R. Atkinson, "Security Architecture for the
-         Internet Protocol", RFC 2401, November 1998.
-
-   [13]  Ellison, C., Frantz, B., Lampson, B., Rivest, R., Thomas, B.,
-         and T. Ylonen, "SPKI Certificate Theory", RFC 2693,
-         September 1999.
-
-   [14]  Josefsson, S., "The Base16, Base32, and Base64 Data Encodings",
-         RFC 3548, July 2003.
-
-   [15]  Richardson, M., "A Method for Storing IPsec Keying Material in
-         DNS", RFC 4025, March 2005.
-
-   [16]  Ramsdell, B., "Secure/Multipurpose Internet Mail Extensions
-         (S/MIME) Version 3.1 Message Specification", RFC 3851,
-         July 2004.
-
-
-
-
-
-
-Josefsson                 Expires March 3, 2006                [Page 13]
-
-Internet-Draft       Storing Certificates in the DNS         August 2005
-
-
-Author's Address
-
-   Simon Josefsson
-
-   Email: simon@josefsson.org
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Josefsson                 Expires March 3, 2006                [Page 14]
-
-Internet-Draft       Storing Certificates in the DNS         August 2005
-
-
-Intellectual Property Statement
-
-   The IETF takes no position regarding the validity or scope of any
-   Intellectual Property Rights or other rights that might be claimed to
-   pertain to the implementation or use of the technology described in
-   this document or the extent to which any license under such rights
-   might or might not be available; nor does it represent that it has
-   made any independent effort to identify any such rights.  Information
-   on the procedures with respect to rights in RFC documents can be
-   found in BCP 78 and BCP 79.
-
-   Copies of IPR disclosures made to the IETF Secretariat and any
-   assurances of licenses to be made available, or the result of an
-   attempt made to obtain a general license or permission for the use of
-   such proprietary rights by implementers or users of this
-   specification can be obtained from the IETF on-line IPR repository at
-   http://www.ietf.org/ipr.
-
-   The IETF invites any interested party to bring to its attention any
-   copyrights, patents or patent applications, or other proprietary
-   rights that may cover technology that may be required to implement
-   this standard.  Please address the information to the IETF at
-   ietf-ipr@ietf.org.
-
-
-Disclaimer of Validity
-
-   This document and the information contained herein are provided on an
-   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
-   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
-   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
-   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
-   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Copyright Statement
-
-   Copyright (C) The Internet Society (2005).  This document is subject
-   to the rights, licenses and restrictions contained in BCP 78, and
-   except as set forth therein, the authors retain all their rights.
-
-
-Acknowledgment
-
-   Funding for the RFC Editor function is currently provided by the
-   Internet Society.
-
-
-
-
-Josefsson                 Expires March 3, 2006                [Page 15]
-
diff --git a/doc/draft/draft-ietf-dnsext-rfc2539bis-dhk-06.txt b/doc/draft/draft-ietf-dnsext-rfc2539bis-dhk-06.txt
deleted file mode 100644
index 5e6cb1d0..00000000
--- a/doc/draft/draft-ietf-dnsext-rfc2539bis-dhk-06.txt
+++ /dev/null
@@ -1,580 +0,0 @@
-
-INTERNET-DRAFT                     Diffie-Hellman Information in the DNS
-OBSOLETES: RFC 2539                               Donald E. Eastlake 3rd
-                                                   Motorola Laboratories
-Expires: January 2006                                          July 2005
-
-
-
-
-        Storage of Diffie-Hellman Keying Information in the DNS
-        ------- -- -------------- ------ ----------- -- --- ---
-               <draft-ietf-dnsext-rfc2539bis-dhk-06.txt>
-
-
-
-Status of This Document
-
-   By submitting this Internet-Draft, each author represents that any
-   applicable patent or other IPR claims of which he or she is aware
-   have been or will be disclosed, and any of which he or she becomes
-   aware will be disclosed, in accordance with Section 6 of BCP 79.
-
-   Distribution of this document is unlimited. Comments should be sent
-   to the DNS extensions working group mailing list
-   <namedroppers@ops.ietf.org>.
-
-   Internet-Drafts are working documents of the Internet Engineering
-   Task Force (IETF), its areas, and its working groups.  Note that
-   other groups may also distribute working documents as Internet-
-   Drafts.
-
-   Internet-Drafts are draft documents valid for a maximum of six months
-   and may be updated, replaced, or obsoleted by other documents at any
-   time.  It is inappropriate to use Internet-Drafts as reference
-   material or to cite them other than a "work in progress."
-
-   The list of current Internet-Drafts can be accessed at
-   http://www.ietf.org/1id-abstracts.html
-
-   The list of Internet-Draft Shadow Directories can be accessed at
-   http://www.ietf.org/shadow.html
-
-
-Abstract
-
-   The standard method for encoding Diffie-Hellman keys in the Domain
-   Name System is specified.
-
-
-
-Copyright
-
-   Copyright (C) The Internet Society 2005.
-
-
-
-D. Eastlake 3rd                                                 [Page 1]
-
-
-INTERNET-DRAFT                     Diffie-Hellman Information in the DNS
-
-
-Acknowledgements
-
-   Part of the format for Diffie-Hellman keys and the description
-   thereof was taken from a work in progress by Ashar Aziz, Tom Markson,
-   and Hemma Prafullchandra.  In addition, the following persons
-   provided useful comments that were incorporated into the predecessor
-   of this document: Ran Atkinson, Thomas Narten.
-
-
-
-Table of Contents
-
-      Status of This Document....................................1
-      Abstract...................................................1
-      Copyright..................................................1
-
-      Acknowledgements...........................................2
-      Table of Contents..........................................2
-
-      1. Introduction............................................3
-      1.1 About This Document....................................3
-      1.2 About Diffie-Hellman...................................3
-      2. Encoding Diffie-Hellman Keying Information..............4
-      3. Performance Considerations..............................5
-      4. IANA Considerations.....................................5
-      5. Security Considerations.................................5
-      Copyright and Disclaimer...................................5
-
-      Normative References.......................................7
-      Informative Refences.......................................7
-
-      Author Address.............................................8
-      Expiration and File Name...................................8
-
-      Appendix A: Well known prime/generator pairs...............9
-      A.1. Well-Known Group 1:  A 768 bit prime..................9
-      A.2. Well-Known Group 2:  A 1024 bit prime.................9
-      A.3. Well-Known Group 3:  A 1536 bit prime................10
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-D. Eastlake 3rd                                                 [Page 2]
-
-
-INTERNET-DRAFT                     Diffie-Hellman Information in the DNS
-
-
-1. Introduction
-
-   The Domain Name System (DNS) is the global hierarchical replicated
-   distributed database system for Internet addressing, mail proxy, and
-   similar information [RFC 1034, 1035]. The DNS has been extended to
-   include digital signatures and cryptographic keys as described in
-   [RFC 4033, 4034, 4035] and additonal work is underway which would use
-   the storage of keying information in the DNS.
-
-
-
-1.1 About This Document
-
-   This document describes how to store Diffie-Hellman keys in the DNS.
-   Familiarity with the Diffie-Hellman key exchange algorithm is assumed
-   [Schneier, RFC 2631].
-
-
-
-1.2 About Diffie-Hellman
-
-   Diffie-Hellman requires two parties to interact to derive keying
-   information which can then be used for authentication.  Thus Diffie-
-   Hellman is inherently a key agreement algorithm. As a result, no
-   format is defined for Diffie-Hellman "signature information".  For
-   example, assume that two parties have local secrets "i" and "j".
-   Assume they each respectively calculate X and Y as follows:
-
-        X = g**i ( mod p )
-
-        Y = g**j ( mod p )
-
-   They exchange these quantities and then each calculates a Z as
-   follows:
-
-        Zi = Y**i ( mod p )
-
-        Zj = X**j ( mod p )
-
-   Zi and Zj will both be equal to g**(i*j)(mod p) and will be a shared
-   secret between the two parties that an adversary who does not know i
-   or j will not be able to learn from the exchanged messages (unless
-   the adversary can derive i or j by performing a discrete logarithm
-   mod p which is hard for strong p and g).
-
-   The private key for each party is their secret i (or j).  The public
-   key is the pair p and g, which must be the same for the parties, and
-   their individual X (or Y).
-
-   For further information about Diffie-Hellman and precautions to take
-
-
-D. Eastlake 3rd                                                 [Page 3]
-
-
-INTERNET-DRAFT                     Diffie-Hellman Information in the DNS
-
-
-   in deciding on a p and g, see [RFC 2631].
-
-
-
-2. Encoding Diffie-Hellman Keying Information
-
-   When Diffie-Hellman keys appear within the RDATA portion of a RR,
-   they are encoded as shown below.
-
-   The period of key validity is not included in this data but is
-   indicated separately, for example by an RR such as RRSIG which signs
-   and authenticates the RR containing the keying information.
-
-                            1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
-        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-       |           KEY flags           |    protocol   |  algorithm=2  |
-       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-       |     prime length (or flag)    |  prime (p) (or special)       /
-       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-       /  prime (p)  (variable length) |       generator length        |
-       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-       | generator (g) (variable length)                               |
-       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-       |     public value length       | public value (variable length)/
-       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-       /  public value (g^i mod p)    (variable length)                |
-       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-
-   Prime length is the length of the Diffie-Hellman prime (p) in bytes
-   if it is 16 or greater.  Prime contains the binary representation of
-   the Diffie-Hellman prime with most significant byte first (i.e., in
-   network order). If "prime length" field is 1 or 2, then the "prime"
-   field is actually an unsigned index into a table of 65,536
-   prime/generator pairs and the generator length SHOULD be zero.  See
-   Appedix A for defined table entries and Section 4 for information on
-   allocating additional table entries.  The meaning of a zero or 3
-   through 15 value for "prime length" is reserved.
-
-   Generator length is the length of the generator (g) in bytes.
-   Generator is the binary representation of generator with most
-   significant byte first.  PublicValueLen is the Length of the Public
-   Value (g**i (mod p)) in bytes.  PublicValue is the binary
-   representation of the DH public value with most significant byte
-   first.
-
-
-
-
-
-
-
-D. Eastlake 3rd                                                 [Page 4]
-
-
-INTERNET-DRAFT                     Diffie-Hellman Information in the DNS
-
-
-3. Performance Considerations
-
-   Current DNS implementations are optimized for small transfers,
-   typically less than 512 bytes including DNS overhead.  Larger
-   transfers will perform correctly and extensions have been
-   standardized [RFC 2671] to make larger transfers more efficient. But
-   it is still advisable at this time to make reasonable efforts to
-   minimize the size of RR sets containing keying information consistent
-   with adequate security.
-
-
-
-4. IANA Considerations
-
-   Assignment of meaning to Prime Lengths of 0 and 3 through 15 requires
-   an IETF consensus as defined in [RFC 2434].
-
-   Well known prime/generator pairs number 0x0000 through 0x07FF can
-   only be assigned by an IETF standards action. [RFC 2539], the
-   Proposed Standard predecessor of this document, assigned 0x0001
-   through 0x0002. This document additionally assigns 0x0003.  Pairs
-   number 0s0800 through 0xBFFF can be assigned based on RFC
-   documentation. Pairs number 0xC000 through 0xFFFF are available for
-   private use and are not centrally coordinated. Use of such private
-   pairs outside of a closed environment may result in conflicts and/or
-   security failures.
-
-
-
-5. Security Considerations
-
-   Keying information retrieved from the DNS should not be trusted
-   unless (1) it has been securely obtained from a secure resolver or
-   independently verified by the user and (2) this secure resolver and
-   secure obtainment or independent verification conform to security
-   policies acceptable to the user.  As with all cryptographic
-   algorithms, evaluating the necessary strength of the key is important
-   and dependent on security policy.
-
-   In addition, the usual Diffie-Hellman key strength considerations
-   apply. (p-1)/2 should also be prime, g should be primitive mod p, p
-   should be "large", etc. See [RFC 2631, Schneier].
-
-
-
-Copyright and Disclaimer
-
-   Copyright (C) The Internet Society (2005).  This document is subject to
-   the rights, licenses and restrictions contained in BCP 78, and except
-   as set forth therein, the authors retain all their rights.
-
-
-D. Eastlake 3rd                                                 [Page 5]
-
-
-INTERNET-DRAFT                     Diffie-Hellman Information in the DNS
-
-
-   This document and the information contained herein are provided on an
-   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
-   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
-   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
-   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
-   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-D. Eastlake 3rd                                                 [Page 6]
-
-
-INTERNET-DRAFT                     Diffie-Hellman Information in the DNS
-
-
-Normative References
-
-   [RFC 2631] - "Diffie-Hellman Key Agreement Method", E. Rescorla, June
-   1999.
-
-   [RFC 2434] - "Guidelines for Writing an IANA Considerations Section
-   in RFCs", T.  Narten, H. Alvestrand, October 1998.
-
-   [RFC 4034] - Arends, R., Austein, R., Larson, M., Massey, D., and S.
-   Rose, "Resource Records for the DNS Security Extensions", RFC 4034,
-   March 2005.
-
-
-
-Informative Refences
-
-   [RFC 1034] - "Domain names - concepts and facilities", P.
-   Mockapetris, November 1987.
-
-   [RFC 1035] - "Domain names - implementation and specification", P.
-   Mockapetris, November 1987.
-
-   [RFC 2539] - "Storage of Diffie-Hellman Keys in the Domain Name
-   System (DNS)", D. Eastlake, March 1999, obsoleted by this RFC.
-
-   [RFC 2671] - "Extension Mechanisms for DNS (EDNS0)", P. Vixie, August
-   1999.
-
-   [RFC 4033] - Arends, R., Austein, R., Larson, M., Massey, D., and S.
-   Rose, "DNS Security Introduction and Requirements", RFC 4033, March
-   2005.
-
-   [RFC 4035] - Arends, R., Austein, R., Larson, M., Massey, D., and S.
-   Rose, "Protocol Modifications for the DNS Security Extensions", RFC
-   4035, March 2005.
-
-   [Schneier] - Bruce Schneier, "Applied Cryptography: Protocols,
-   Algorithms, and Source Code in C" (Second Edition), 1996, John Wiley
-   and Sons.
-
-
-
-
-
-
-
-
-
-
-
-
-
-D. Eastlake 3rd                                                 [Page 7]
-
-
-INTERNET-DRAFT                     Diffie-Hellman Information in the DNS
-
-
-Author Address
-
-   Donald E. Eastlake 3rd
-   Motorola Laboratories
-   155 Beaver Street
-   Milford, MA 01757 USA
-
-   Telephone:   +1-508-786-7554
-   EMail:       Donald.Eastlake@motorola.com
-
-
-
-Expiration and File Name
-
-   This draft expires in January 2006.
-
-   Its file name is draft-ietf-dnsext-rfc2539bis-dhk-06.txt.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-D. Eastlake 3rd                                                 [Page 8]
-
-
-INTERNET-DRAFT                     Diffie-Hellman Information in the DNS
-
-
-Appendix A: Well known prime/generator pairs
-
-   These numbers are copied from the IPSEC effort where the derivation of
-   these values is more fully explained and additional information is
-   available.
-   Richard Schroeppel performed all the mathematical and computational
-   work for this appendix.
-
-
-
-A.1. Well-Known Group 1:  A 768 bit prime
-
-   The prime is 2^768 - 2^704 - 1 + 2^64 * { [2^638 pi] + 149686 }.  Its
-   decimal value is
-          155251809230070893513091813125848175563133404943451431320235
-          119490296623994910210725866945387659164244291000768028886422
-          915080371891804634263272761303128298374438082089019628850917
-          0691316593175367469551763119843371637221007210577919
-
-   Prime modulus: Length (32 bit words): 24, Data (hex):
-            FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
-            29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
-            EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
-            E485B576 625E7EC6 F44C42E9 A63A3620 FFFFFFFF FFFFFFFF
-
-   Generator: Length (32 bit words): 1, Data (hex): 2
-
-
-
-A.2. Well-Known Group 2:  A 1024 bit prime
-
-   The prime is 2^1024 - 2^960 - 1 + 2^64 * { [2^894 pi] + 129093 }.
-   Its decimal value is
-         179769313486231590770839156793787453197860296048756011706444
-         423684197180216158519368947833795864925541502180565485980503
-         646440548199239100050792877003355816639229553136239076508735
-         759914822574862575007425302077447712589550957937778424442426
-         617334727629299387668709205606050270810842907692932019128194
-         467627007
-
-   Prime modulus:  Length (32 bit words): 32, Data (hex):
-            FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
-            29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
-            EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
-            E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
-            EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381
-            FFFFFFFF FFFFFFFF
-
-   Generator: Length (32 bit words): 1, Data (hex): 2
-
-
-
-D. Eastlake 3rd                                                 [Page 9]
-
-
-INTERNET-DRAFT                     Diffie-Hellman Information in the DNS
-
-
-A.3. Well-Known Group 3:  A 1536 bit prime
-
-   The prime is 2^1536 - 2^1472 - 1 + 2^64 * { [2^1406 pi] +  741804 }.
-   Its decimal value is
-            241031242692103258855207602219756607485695054850245994265411
-            694195810883168261222889009385826134161467322714147790401219
-            650364895705058263194273070680500922306273474534107340669624
-            601458936165977404102716924945320037872943417032584377865919
-            814376319377685986952408894019557734611984354530154704374720
-            774996976375008430892633929555996888245787241299381012913029
-            459299994792636526405928464720973038494721168143446471443848
-            8520940127459844288859336526896320919633919
-
-   Prime modulus Length (32 bit words): 48, Data (hex):
-              FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
-              29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
-              EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
-              E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
-              EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D
-              C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F
-              83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D
-              670C354E 4ABC9804 F1746C08 CA237327 FFFFFFFF FFFFFFFF
-
-   Generator: Length (32 bit words):  1, Data (hex): 2
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-D. Eastlake 3rd                                                [Page 10]
-
diff --git a/doc/draft/draft-ietf-dnsext-signed-nonexistence-requirements-01.txt b/doc/draft/draft-ietf-dnsext-signed-nonexistence-requirements-01.txt
deleted file mode 100644
index 0af13c61..00000000
--- a/doc/draft/draft-ietf-dnsext-signed-nonexistence-requirements-01.txt
+++ /dev/null
@@ -1,755 +0,0 @@
-
-
-Network Working Group                                          B. Laurie
-Internet-Draft                                                   Nominet
-Expires: March 2, 2005                                         R. Loomis
-                                                                    SAIC
-                                                          September 2004
-
-
-
-      Requirements related to DNSSEC Signed Proof of Non-Existence
-         draft-ietf-dnsext-signed-nonexistence-requirements-01
-
-
-Status of this Memo
-
-
-   This document is an Internet-Draft and is subject to all provisions
-   of section 3 of RFC 3667.  By submitting this Internet-Draft, each
-   author represents that any applicable patent or other IPR claims of
-   which he or she is aware have been or will be disclosed, and any of
-   which he or she become aware will be disclosed, in accordance with
-   RFC 3668.
-
-
-   Internet-Drafts are working documents of the Internet Engineering
-   Task Force (IETF), its areas, and its working groups.  Note that
-   other groups may also distribute working documents as
-   Internet-Drafts.
-
-
-   Internet-Drafts are draft documents valid for a maximum of six months
-   and may be updated, replaced, or obsoleted by other documents at any
-   time.  It is inappropriate to use Internet-Drafts as reference
-   material or to cite them other than as "work in progress."
-
-
-   The list of current Internet-Drafts can be accessed at
-   http://www.ietf.org/ietf/1id-abstracts.txt.
-
-
-   The list of Internet-Draft Shadow Directories can be accessed at
-   http://www.ietf.org/shadow.html.
-
-
-   This Internet-Draft will expire on March 2, 2005.
-
-
-Copyright Notice
-
-
-   Copyright (C) The Internet Society (2004).
-
-
-Abstract
-
-
-   DNSSEC-bis uses the NSEC record to provide authenticated denial of
-   existence of RRsets.  NSEC also has the side-effect of permitting
-   zone enumeration, even if zone transfers have been forbidden.
-   Because some see this as a problem, this document has been assembled
-   to detail the possible requirements for denial of existence A/K/A
-   signed proof of non-existence.
-
-
-
-
-Laurie & Loomis          Expires March 2, 2005                  [Page 1]
-Internet-Draft      signed-nonexistence-requirements      September 2004
-
-
-
-Table of Contents
-
-
-   1.   Introduction . . . . . . . . . . . . . . . . . . . . . . . .   3
-   2.   Non-purposes . . . . . . . . . . . . . . . . . . . . . . . .   3
-   3.   Zone Enumeration . . . . . . . . . . . . . . . . . . . . . .   3
-   4.   Zone Enumeration II  . . . . . . . . . . . . . . . . . . . .   4
-   5.   Zone Enumeration III . . . . . . . . . . . . . . . . . . . .   4
-   6.   Exposure of Contents . . . . . . . . . . . . . . . . . . . .   4
-   7.   Zone Size  . . . . . . . . . . . . . . . . . . . . . . . . .   4
-   8.   Single Method  . . . . . . . . . . . . . . . . . . . . . . .   5
-   9.   Empty Non-terminals  . . . . . . . . . . . . . . . . . . . .   5
-   10.  Prevention of Precomputed Dictionary Attacks . . . . . . . .   6
-   11.  DNSSEC-Adoption and Zone-Growth Relationship . . . . . . . .   6
-   12.  Non-overlap of denial records with possible zone records . .   7
-   13.  Exposure of Private Keys . . . . . . . . . . . . . . . . . .   7
-   14.  Minimisation of Zone Signing Cost  . . . . . . . . . . . . .   8
-   15.  Minimisation of Asymmetry  . . . . . . . . . . . . . . . . .   8
-   16.  Minimisation of Client Complexity  . . . . . . . . . . . . .   8
-   17.  Completeness . . . . . . . . . . . . . . . . . . . . . . . .   8
-   18.  Purity of Namespace  . . . . . . . . . . . . . . . . . . . .   8
-   19.  Replay Attacks . . . . . . . . . . . . . . . . . . . . . . .   8
-   20.  Compatibility with NSEC  . . . . . . . . . . . . . . . . . .   8
-   21.  Compatibility with NSEC II . . . . . . . . . . . . . . . . .   9
-   22.  Compatibility with NSEC III  . . . . . . . . . . . . . . . .   9
-   23.  Coexistence with NSEC  . . . . . . . . . . . . . . . . . . .   9
-   24.  Coexistence with NSEC II . . . . . . . . . . . . . . . . . .   9
-   25.  Protocol Design  . . . . . . . . . . . . . . . . . . . . . .   9
-   26.  Process  . . . . . . . . . . . . . . . . . . . . . . . . . .   9
-   27.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . .   9
-   28.  Requirements notation  . . . . . . . . . . . . . . . . . . .   9
-   29.  Security Considerations  . . . . . . . . . . . . . . . . . .  10
-   30.  References . . . . . . . . . . . . . . . . . . . . . . . . .  10
-   30.1   Normative References . . . . . . . . . . . . . . . . . . .  10
-   30.2   Informative References . . . . . . . . . . . . . . . . . .  10
-        Authors' Addresses . . . . . . . . . . . . . . . . . . . . .  10
-        Intellectual Property and Copyright Statements . . . . . . .  11
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Laurie & Loomis          Expires March 2, 2005                  [Page 2]
-Internet-Draft      signed-nonexistence-requirements      September 2004
-
-
-
-1.  Introduction
-
-
-   NSEC records allow trivial enumeration of zones - a situation that
-   has existed for several years but which has recently been raised as a
-   significant concern for DNSSECbis deployment in several zones.
-   Alternate proposals have been made that make zone enumeration more
-   difficult, and some previous proposals to modify DNSSEC had related
-   requirements/desirements that are relevant to the discussion.  In
-   addition the original designs for NSEC/NXT records were based on
-   working group discussions and the choices made were not always
-   documented with context and requirements-- so some of those choices
-   may need to be restated as requirements.  Overall, the working group
-   needs to better understand the requirements for denial of existence
-   (and certain other requirements related to DNSSECbis deployment) in
-   order to evaluate the proposals that may replace NSEC.
-
-
-   In the remainder of this document, "NSEC++" is used as shorthand for
-   "a denial of existence proof that will replace NSEC".  "NSECbis" has
-   also been used as shorthand for this, but we avoid that usage since
-   NSECbis will not be part of DNSSECbis and therefore there might be
-   some confusion.
-
-
-2.  Non-purposes
-
-
-   This document does not currently document the reasons why zone
-   enumeration might be "bad" from a privacy, security, business, or
-   other perspective--except insofar as those reasons result in
-   requirements.  Once the list of requirements is complete and vaguely
-   coherent, the trade-offs (reducing zone enumeration will have X cost,
-   while providing Y benefit) may be revisited.  The editors of this
-   compendium received inputs on the potential reasons why zone
-   enumeration is bad (and there was significant discussion on the
-   DNSEXT WG mailing list) but that information fell outside the scope
-   of this document.
-
-
-   Note also that this document does not assume that NSEC *must* be
-   replaced with NSEC++, if the requirements can be met through other
-   methods (e.g., "white lies" with the current NSEC).  As is stated
-   above, this document is focused on requirements collection and
-   (ideally) prioritization rather than on the actual implementation.
-
-
-3.  Zone Enumeration
-
-
-   Authenticated denial should not permit trivial zone enumeration.
-
-
-   Additional discussion:  NSEC (and NXT before it) provide a linked
-   list that could be "walked" to trivially enumerate all the signed
-   records in a zone.  This requirement is primarily (though not
-
-
-
-
-Laurie & Loomis          Expires March 2, 2005                  [Page 3]
-Internet-Draft      signed-nonexistence-requirements      September 2004
-
-
-
-   exclusively) important for zones that either are delegation-only/
-   -mostly or do not have reverse lookup (PTR) records configured, since
-   enterprises that have PTR records for all A records have already
-   provided a similar capability to enumerate the contents of DNS zones.
-
-
-   Contributor: various
-
-
-4.  Zone Enumeration II
-
-
-   Zone enumeration should be at least as difficult as it would be to
-   effect a dictionary attack using simple DNS queries to do the same in
-   an unsecured zone.
-
-
-   (Editor comment: it is not clear how to measure difficulty in this
-   case.  Some examples could be monetary cost, bandwidth, processing
-   power or some combination of these.  It has also been suggested that
-   the requirement is that the graph of difficulty of enumeration vs.
-   the fraction of the zone enumerated should be approximately the same
-   shape in the two cases)
-
-
-   Contributor: Nominet
-
-
-5.  Zone Enumeration III
-
-
-   Enumeration of a zone with random contents should computationally
-   infeasible.
-
-
-   Editor comment: this is proposed as a way of evaluating the
-   effectiveness of a proposal rather than as a requirement anyone would
-   actually have in practice.
-
-
-   Contributor: Alex Bligh
-
-
-6.  Exposure of Contents
-
-
-   NSEC++ should not expose any of the contents of the zone (apart from
-   the NSEC++ records themselves, of course).
-
-
-   Editor comment: this is a weaker requirement than prevention of
-   enumeration, but certainly any zone that satisfied this requirement
-   would also satisfy the trivial prevention of enumeration requirement.
-
-
-   Contributor: Ed Lewis
-
-
-7.  Zone Size
-
-
-   Requirement:  NSEC++ should make it possible to take precautions
-   against trivial zone size estimates.  Since not all zone owners care
-
-
-
-
-Laurie & Loomis          Expires March 2, 2005                  [Page 4]
-Internet-Draft      signed-nonexistence-requirements      September 2004
-
-
-
-   about others estimation of the size of a zone, it is not always
-   necessary to prohibit trivial estimation of the size of the zone but
-   NSEC++ should allow such measures.
-
-
-   Additional Discussion: Even with proposals based on obfuscating names
-   with hashes it is trivial to give very good estimates of the number
-   of domains in a certain zone.  Just send 10 random queries and look
-   at the range between the two hash values returned in each NSEC++.  As
-   hash output can be assumed to follow a rectangular random
-   distribution, using the mean difference between the two values, you
-   can estimate the total number of records.  It is probably sufficient
-   to look at even one NSEC++, since the two hash values should follow a
-   (I believe) Poisson distribution.
-
-
-   The concern is motivated by some wording remembered from NSEC, which
-   stated that NSEC MUST only be present for existing owner names in the
-   zone, and MUST NOT be present for non-existing owner names.  If
-   similar wording were carried over to NSEC++, introducing bogus owner
-   names in the hash chain (an otherwise simple solution to guard
-   against trivial estimates of zone size) wouldn't be allowed.
-
-
-   One simple attempt at solving this is to describe in the
-   specifications how zone signer tools can add a number of random
-   "junk" records.
-
-
-   Editor's comment: it is interesting that obfuscating names might
-   actually make it easier to estimate zone size.
-
-
-   Contributor: Simon Josefsson.
-
-
-8.  Single Method
-
-
-   Requirement:  A single NSEC++ method must be able to carry both
-   old-style denial (i.e.  plain labels) and whatever the new style
-   looks like.  Having two separate denial methods could result in
-   cornercases where one method can deny the other and vice versa.
-
-
-   Additional discussion:  This requirement can help -bis folks to a
-   smooth upgrade to -ter.  First they'd change the method while the
-   content is the same, then they can change content of the method.
-
-
-   Contributor: Roy Arends.
-
-
-9.  Empty Non-terminals
-
-
-   Requirement:  Empty-non-terminals (ENT) should remain empty.  In
-   other words, adding NSEC++ records to an existing DNS structure
-   should not cause the creation of NSEC++ records (or related records)
-
-
-
-
-Laurie & Loomis          Expires March 2, 2005                  [Page 5]
-Internet-Draft      signed-nonexistence-requirements      September 2004
-
-
-
-   at points that are otherwise ENT.
-
-
-   Additional discussion:  Currently NSEC complies with ENT requirement:
-   b.example.com NSEC a.c.example.com implies the existence of an ENT
-   with ownername c.example.com.  NSEC2 breaks that requirement, since
-   the ownername is entirely hashed causing the structure to disappear.
-   This is why EXIST was introduced.  But EXIST causes ENT to be
-   non-empty-terminals.  Next to the dissappearance of ENT, it causes
-   (some) overhead since an EXIST record needs a SIG, NSEC2 and
-   SIG(NSEC2).  DNSNR honours this requirement by hashing individual
-   labels instead of ownernames.  However this causes very long labels.
-   Truncation is a measure against very long ownernames, but that is
-   controversial.  There is a fair discussion of the validity of
-   truncation in the DNSNR draft, but that hasn't got proper review yet.
-
-
-   Contributor: Roy Arends.
-
-
-   (Editor comment: it is not clear to us that an EXIST record needs an
-   NSEC2 record, since it is a special purpose record only used for
-   denial of existence)
-
-
-10.  Prevention of Precomputed Dictionary Attacks
-
-
-   Requirement:  NSEC++ needs to provide a method to reduce the
-   effectiveness of precomputed dictionary attacks.
-
-
-   Additional Discussion:  Salt is a measure against dictionary attacks.
-   There are other possible measures (such as iterating hashes in
-   NSEC2).  The salt needs to be communicated in every response, since
-   it is needed in every verification.  Some have suggested to move the
-   salt to a special record instead of the denial record.  I think this
-   is not wise.  Response size has more priority over zone size.  An
-   extra record causes a larger response than a larger existing record.
-
-
-   Contributor: Roy Arends.
-
-
-   (Editor comment: the current version of NSEC2 also has the salt in
-   every NSEC2 record)
-
-
-11.  DNSSEC-Adoption and Zone-Growth Relationship
-
-
-   Background:  Currently with NSEC, when a delegation centric zone
-   deploys DNSSEC, the zone-size multiplies by a non-trivial factor even
-   when the DNSSEC-adoption rate of the subzones remains low--because
-   each delegation point creates at least one NSEC record and
-   corresponding signature in the parent even if the child is not
-   signed.
-
-
-
-
-
-Laurie & Loomis          Expires March 2, 2005                  [Page 6]
-Internet-Draft      signed-nonexistence-requirements      September 2004
-
-
-
-   Requirements:  A delegation-only (or delegation-mostly) zone that is
-   signed but which has no signed child zones should initially need only
-   to add SIG(SOA), DNSKEY, and SIG(DNSKEY) at the apex, along with some
-   minimal set of NSEC++ records to cover zone contents.  Further,
-   during the transition of a delegation-only zone from 0% signed
-   children to 100% signed children, the growth in the delegation-only
-   zone should be roughly proportional to the percentage of signed child
-   zones.
-
-
-   Additional Discussion: This is why DNSNR has the Authoritative Only
-   bit.  This is similar to opt-in for delegations only.  This (bit) is
-   currently the only method to help delegation-centric zone cope with
-   zone-growth due to DNSSEC adoption.  As an example, A delegation only
-   zone which deploys DNSSEC with the help of this bit, needs to add
-   SIG(SOA), DNSKEY, SIG(DNSKEY), DNSNR, SIG(DNSNR) at the apex.  No
-   more than that.
-
-
-   Contributor: Roy Arends.
-
-
-12.  Non-overlap of denial records with possible zone records
-
-
-   Requirement:  NSEC++ records should in some way be differentiated
-   from regular zone records, so that there is no possibility that a
-   record in the zone could be duplicated by a non-existence proof
-   (NSEC++) record.
-
-
-   Additional discussion:  This requirement is derived from a discussion
-   on the DNSEXT mailing list related to copyrights and domain names.
-   As was outlined there, one solution is to put NSEC++ records in a
-   separate namespace, e.g.: $ORIGIN co.uk.
-   873bcdba87401b485022b8dcd4190e3e IN NS jim.rfc1035.com ; your
-   delegation 873bcdba87401b485022b8dcd4190e3e._no IN NSEC++ 881345...
-   ; for amazon.co.uk.
-
-
-   Contributor: various
-
-
-   (Editor comment:  One of us still does not see why a conflict
-   matters.  Even if there is an apparent conflict or overlap, the
-   "conflicting" NSEC2 name _only_ appears in NSEC2 records, and the
-   other name _never_ appears in NSEC2 records.)
-
-
-13.  Exposure of Private Keys
-
-
-   Private keys associated with the public keys in the DNS should be
-   exposed as little as possible.  It is highly undesirable for private
-   keys to be distributed to nameservers, or to otherwise be available
-   in the run-time environment of nameservers.
-
-
-
-
-
-Laurie & Loomis          Expires March 2, 2005                  [Page 7]
-Internet-Draft      signed-nonexistence-requirements      September 2004
-
-
-
-   Contributors: Nominet, Olaf Kolkman, Ed Lewis
-
-
-14.  Minimisation of Zone Signing Cost
-
-
-   The additional cost of creating an NSEC++ signed zone should not
-   significantly exceed the cost of creating an ordinary signed zone.
-
-
-   Contributor: Nominet
-
-
-15.  Minimisation of Asymmetry
-
-
-   Nameservers should have to do as little additional work as necessary.
-   More precisely, it is desirable for any increase in cost incurred by
-   the nameservers to be offset by a proportionate increase in cost to
-   DNS `clients', e.g.  stub and/or `full-service' resolvers.
-
-
-   Contributor: Nominet
-
-
-16.  Minimisation of Client Complexity
-
-
-   Caching, wildcards, CNAMEs, DNAMEs should continue to work without
-   adding too much complexity at the client side.
-
-
-   Contributor: Olaf Kolkman
-
-
-17.  Completeness
-
-
-   A proof of nonexistence should be possible for all nonexistent data
-   in the zone.
-
-
-   Contributor: Olaf Kolkman
-
-
-18.  Purity of Namespace
-
-
-   The name space should not be muddied with fake names or data sets.
-
-
-   Contributor: Ed Lewis
-
-
-19.  Replay Attacks
-
-
-   NSEC++ should not allow a replay to be used to deny existence of an
-   RR that actually exists.
-
-
-   Contributor: Ed Lewis
-
-
-20.  Compatibility with NSEC
-
-
-   NSEC++ should not introduce changes incompatible with NSEC.
-
-
-
-
-Laurie & Loomis          Expires March 2, 2005                  [Page 8]
-Internet-Draft      signed-nonexistence-requirements      September 2004
-
-
-
-   Contributor: Ed Lewis
-
-
-21.  Compatibility with NSEC II
-
-
-   NSEC++ should differ from NSEC in a way that is transparent to the
-   resolver or validator.
-
-
-   Contributor: Ed Lewis
-
-
-22.  Compatibility with NSEC III
-
-
-   NSEC++ should differ from NSEC as little as possible whilst achieving
-   other requirements.
-
-
-   Contributor: Alex Bligh
-
-
-23.  Coexistence with NSEC
-
-
-   NSEC++ should be optional, allowing NSEC to be used instead.
-
-
-   Contributor: Ed Lewis, Alex Bligh
-
-
-24.  Coexistence with NSEC II
-
-
-   NSEC++ should not impose extra work on those content with NSEC.
-
-
-   Contributor: Ed Lewis
-
-
-25.  Protocol Design
-
-
-   A good security protocol would allow signing the nonexistence of some
-   selected names without revealing anything about other names.
-
-
-   Contributor: Dan Bernstein
-
-
-26.  Process
-
-
-   Clearly not all of these requirements can be met.  Therefore the next
-   phase of this document will be to either prioritise them or narrow
-   them down to a non-contradictory set, which should then allow us to
-   judge proposals on the basis of their fit.
-
-
-27.  Acknowledgements
-
-
-28.  Requirements notation
-
-
-   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
-   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
-
-
-
-
-Laurie & Loomis          Expires March 2, 2005                  [Page 9]
-Internet-Draft      signed-nonexistence-requirements      September 2004
-
-
-
-   document are to be interpreted as            described in [RFC2119].
-
-
-29.  Security Considerations
-
-
-   There are currently no security considerations called out in this
-   draft.  There will be security considerations in the choice of which
-   requirements will be implemented, but there are no specific security
-   requirements during the requirements collection process.
-
-
-30.  References
-
-
-30.1  Normative References
-
-
-   [dnssecbis-protocol]
-              "DNSSECbis Protocol Definitions", BCP XX, RFC XXXX, Some
-              Month 2004.
-
-
-30.2  Informative References
-
-
-   [RFC2026]  Bradner, S., "The Internet Standards Process -- Revision
-              3", BCP 9, RFC 2026, October 1996.
-
-
-   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
-              Requirement Levels", BCP 14, RFC 2119, March 1997.
-
-
-   [RFC2418]  Bradner, S., "IETF Working Group Guidelines and
-              Procedures", BCP 25, RFC 2418, September 1998.
-
-
-
-Authors' Addresses
-
-
-   Ben Laurie
-   Nominet
-   17 Perryn Road
-   London  W3 7LR
-   England
-
-
-   Phone: +44 (20) 8735 0686
-   EMail: ben@algroup.co.uk
-
-
-
-   Rip Loomis
-   Science Applications International Corporation
-   7125 Columbia Gateway Drive, Suite 300
-   Columbia, MD  21046
-   US
-
-
-   EMail: gilbert.r.loomis@saic.com
-
-
-
-
-Laurie & Loomis          Expires March 2, 2005                 [Page 10]
-Internet-Draft      signed-nonexistence-requirements      September 2004
-
-
-
-Intellectual Property Statement
-
-
-   The IETF takes no position regarding the validity or scope of any
-   Intellectual Property Rights or other rights that might be claimed to
-   pertain to the implementation or use of the technology described in
-   this document or the extent to which any license under such rights
-   might or might not be available; nor does it represent that it has
-   made any independent effort to identify any such rights.  Information
-   on the procedures with respect to rights in RFC documents can be
-   found in BCP 78 and BCP 79.
-
-
-   Copies of IPR disclosures made to the IETF Secretariat and any
-   assurances of licenses to be made available, or the result of an
-   attempt made to obtain a general license or permission for the use of
-   such proprietary rights by implementers or users of this
-   specification can be obtained from the IETF on-line IPR repository at
-   http://www.ietf.org/ipr.
-
-
-   The IETF invites any interested party to bring to its attention any
-   copyrights, patents or patent applications, or other proprietary
-   rights that may cover technology that may be required to implement
-   this standard.  Please address the information to the IETF at
-   ietf-ipr@ietf.org.
-
-
-
-Disclaimer of Validity
-
-
-   This document and the information contained herein are provided on an
-   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
-   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
-   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
-   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
-   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-
-Copyright Statement
-
-
-   Copyright (C) The Internet Society (2004).  This document is subject
-   to the rights, licenses and restrictions contained in BCP 78, and
-   except as set forth therein, the authors retain all their rights.
-
-
-
-Acknowledgment
-
-
-   Funding for the RFC Editor function is currently provided by the
-   Internet Society.
-
-
-
-
-
-Laurie & Loomis          Expires March 2, 2005                 [Page 11]
\ No newline at end of file
diff --git a/doc/draft/draft-ietf-dnsext-tkey-renewal-mode-05.txt b/doc/draft/draft-ietf-dnsext-tkey-renewal-mode-04.txt
index 9c73c68b..c5c3b84b 100644
--- a/doc/draft/draft-ietf-dnsext-tkey-renewal-mode-05.txt
+++ b/doc/draft/draft-ietf-dnsext-tkey-renewal-mode-04.txt
@@ -3,116 +3,117 @@
 
 
 
-DNS Extensions                                              Yuji Kamite
-Internet-Draft                                       NTT Communications
-Expires: April 15, 2005                                 Masaya Nakayama
-                                                The University of Tokyo
-                                                       October 14, 2004
 
+DNSEXT Working Group                                        Yuji Kamite
+INTERNET-DRAFT                                       NTT Communications
+<draft-ietf-dnsext-tkey-renewal-mode-04.txt>            Masaya Nakayama
+Expires: Aug. 2004                              The University of Tokyo
+                                                              Feb. 2004
 
 
-                      TKEY Secret Key Renewal Mode
-                 draft-ietf-dnsext-tkey-renewal-mode-05
 
 
-Status of this Memo
+                      TKEY Secret Key Renewal Mode
 
-   This document is an Internet-Draft and is subject to all provisions
-   of section 3 of RFC 3667.  By submitting this Internet-Draft, each
-   author represents that any applicable patent or other IPR claims of
-   which he or she is aware have been or will be disclosed, and any of
-   which he or she become aware will be disclosed, in accordance with
-   RFC 3668.
 
-   Internet-Drafts are working documents of the Internet Engineering
-   Task Force (IETF), its areas, and its working groups.  Note that
-   other groups may also distribute working documents as
-   Internet-Drafts.
+Status of this Memo
 
-   Internet-Drafts are draft documents valid for a maximum of six months
-   and may be updated, replaced, or obsoleted by other documents at any
-   time.  It is inappropriate to use Internet-Drafts as reference
-   material or to cite them other than as "work in progress."
+  This document is an Internet-Draft and is in full conformance with all
+  provisions of Section 10 of RFC2026.
 
-   The list of current Internet-Drafts can be accessed at
-   http://www.ietf.org/ietf/1id-abstracts.txt.
+  Internet-Drafts are working documents of the Internet Engineering Task
+  Force (IETF), its areas, and its working groups.  Note that other
+  groups may also distribute working documents as Internet-Drafts.
 
-   The list of Internet-Draft Shadow Directories can be accessed at
-   http://www.ietf.org/shadow.html.
+  Internet-Drafts are draft documents valid for a maximum of six months
+  and may be updated, replaced, or obsoleted by other documents at any
+  time.  It is inappropriate to use Internet-Drafts as reference
+  material or to cite them other than as ``work in progress.''
 
-   This Internet-Draft will expire on April 15, 2005.
+  The list of current Internet-Drafts can be accessed at
+  http://www.ietf.org/ietf/1id-abstracts.txt
 
-Copyright Notice
+  The list of Internet-Draft Shadow Directories can be accessed at
+  http://www.ietf.org/shadow.html
 
-   Copyright (C) The Internet Society (2004).
 
 Abstract
 
    This document defines a new mode in TKEY and proposes an atomic
    method for changing secret keys used for TSIG periodically.
    Originally, TKEY provides methods of setting up shared secrets other
+   than manual exchange, but it cannot control timing of key renewal
+   very well though it can add or delete shared keys separately. This
+   proposal is a systematical key renewal procedure intended for
+   preventing signing DNS messages with old and non-safe keys
+   permanently.
+
+
+
 
 
 
-Kamite, et. al.          Expires April 15, 2005                 [Page 1]
+
+
+Kamite, et. al.                                                 [Page 1]
 
-INTERNET-DRAFT                                              October 2004
+INTERNET-DRAFT                                                 Feb. 2004
+
+
+                           Table of Contents
+
+
+1  Introduction  . . . . . . . . . . . . . . . . . . . . . . . . . .   3
+  1.1  Defined Words . . . . . . . . . . . . . . . . . . . . . . . .   3
+  1.2  New Format and Assigned Numbers . . . . . . . . . . . . . . .   4
+  1.3  Overview of Secret Key Renewal Mode . . . . . . . . . . . . .   4
+2  Shared Secret Key Renewal . . . . . . . . . . . . . . . . . . . .   5
+  2.1  Key Usage Time Check  . . . . . . . . . . . . . . . . . . . .   5
+  2.2  Partial Revocation  . . . . . . . . . . . . . . . . . . . . .   6
+  2.3  Key Renewal Message Exchange  . . . . . . . . . . . . . . . .   7
+    2.3.1  Query for Key Renewal . . . . . . . . . . . . . . . . . .   7
+    2.3.2  Response for Key Renewal  . . . . . . . . . . . . . . . .   7
+    2.3.3  Attributes of Generated Key . . . . . . . . . . . . . . .   8
+    2.3.4  TKEY RR structure . . . . . . . . . . . . . . . . . . . .   8
+  2.4  Key Adoption  . . . . . . . . . . . . . . . . . . . . . . . .  10
+    2.4.1  Query for Key Adoption  . . . . . . . . . . . . . . . . .  10
+    2.4.2  Response for Key Adoption . . . . . . . . . . . . . . . .  10
+  2.5  Keying Schemes  . . . . . . . . . . . . . . . . . . . . . . .  11
+    2.5.1  DH Exchange for Key Renewal . . . . . . . . . . . . . . .  11
+    2.5.2  Server Assigned Keying for Key Renewal  . . . . . . . . .  12
+    2.5.3  Resolver Assigned Keying for Key Renewal  . . . . . . . .  13
+  2.6  Considerations about Non-compliant Hosts  . . . . . . . . . .  14
+3  Secret Storage  . . . . . . . . . . . . . . . . . . . . . . . . .  15
+4  Compulsory Key Revocation . . . . . . . . . . . . . . . . . . . .  15
+  4.1  Compulsory Key Revocation by Server . . . . . . . . . . . . .  15
+  4.2  Authentication Methods Considerations . . . . . . . . . . . .  15
+5  Special Considerations for Two Servers' Case  . . . . . . . . . .  16
+  5.1  To Cope with Collisions of Renewal Requests . . . . . . . . .  16
+6  Key Name Considerations . . . . . . . . . . . . . . . . . . . . .  17
+7  Example Usage of Secret Key Renewal Mode  . . . . . . . . . . . .  17
+8  Security Considerations . . . . . . . . . . . . . . . . . . . . .  20
+9  IANA Considerations . . . . . . . . . . . . . . . . . . . . . . .  20
+10 Acknowledgement . . . . . . . . . . . . . . . . . . . . . . . . .  21
+11 References  . . . . . . . . . . . . . . . . . . . . . . . . . . .  21
+Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . .  22
+
+
+
+
+
+
+
+
+
 
 
-   than manual exchange, but it cannot control timing of key renewal
-   very well though it can add or delete shared keys separately. This
-   proposal is a systematical key renewal procedure intended for
-   preventing signing DNS messages with old and non-safe keys
-   permanently.
 
-Table of Contents
-
-   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
-     1.1   Defined Words  . . . . . . . . . . . . . . . . . . . . . .  3
-     1.2   New Format and Assigned Numbers  . . . . . . . . . . . . .  4
-     1.3   Overview of Secret Key Renewal Mode  . . . . . . . . . . .  4
-   2.  Shared Secret Key Renewal  . . . . . . . . . . . . . . . . . .  5
-     2.1   Key Usage Time Check . . . . . . . . . . . . . . . . . . .  5
-     2.2   Partial Revocation . . . . . . . . . . . . . . . . . . . .  6
-     2.3   Key Renewal Message Exchange . . . . . . . . . . . . . . .  7
-       2.3.1   Query for Key Renewal  . . . . . . . . . . . . . . . .  7
-       2.3.2   Response for Key Renewal . . . . . . . . . . . . . . .  7
-       2.3.3   Attributes of Generated Key  . . . . . . . . . . . . .  8
-       2.3.4   TKEY RR structure  . . . . . . . . . . . . . . . . . .  8
-     2.4   Key Adoption . . . . . . . . . . . . . . . . . . . . . . . 10
-       2.4.1   Query for Key Adoption . . . . . . . . . . . . . . . . 10
-       2.4.2   Response for Key Adoption  . . . . . . . . . . . . . . 10
-     2.5   Keying Schemes . . . . . . . . . . . . . . . . . . . . . . 11
-       2.5.1   DH Exchange for Key Renewal  . . . . . . . . . . . . . 11
-       2.5.2   Server Assigned Keying for Key Renewal . . . . . . . . 12
-       2.5.3   Resolver Assigned Keying for Key Renewal . . . . . . . 13
-     2.6   Considerations about Non-compliant Hosts . . . . . . . . . 14
-   3.  Secret Storage . . . . . . . . . . . . . . . . . . . . . . . . 15
-   4.  Compulsory Key Revocation  . . . . . . . . . . . . . . . . . . 15
-     4.1   Compulsory Key Revocation by Server  . . . . . . . . . . . 15
-     4.2   Authentication Methods Considerations  . . . . . . . . . . 15
-   5.  Special Considerations for Two Servers' Case   . . . . . . . . 16
-     5.1   To Cope with Collisions of Renewal Requests  . . . . . . . 16
-   6.  Key Name Considerations  . . . . . . . . . . . . . . . . . . . 17
-   7.  Example Usage of Secret Key Renewal Mode   . . . . . . . . . . 17
-   8.  Security Considerations  . . . . . . . . . . . . . . . . . . . 20
-   9.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 20
-  10.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 21
-  11.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 21
-    11.1   Normative References . . . . . . . . . . . . . . . . . . . 21
-    11.2   Informative References . . . . . . . . . . . . . . . . . . 21
-       Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 22
-       Intellectual Property and Copyright Statements . . . . . . . . 23
-
-
-
-
-
-
-
-Kamite, et. al.          Expires April 15, 2005                 [Page 2]
+
+
+
+Kamite, et. al.                                                 [Page 2]
 
-INTERNET-DRAFT                                              October 2004
+INTERNET-DRAFT                                                 Feb. 2004
 
 
 1.  Introduction
@@ -166,9 +167,9 @@ INTERNET-DRAFT                                              October 2004
 
 
 
-Kamite, et. al.          Expires April 15, 2005                 [Page 3]
+Kamite, et. al.                                                 [Page 3]
 
-INTERNET-DRAFT                                              October 2004
+INTERNET-DRAFT                                                 Feb. 2004
 
 
    and must be updated. It must be between Inception Time and Expiry
@@ -222,9 +223,9 @@ INTERNET-DRAFT                                              October 2004
 
 
 
-Kamite, et. al.          Expires April 15, 2005                 [Page 4]
+Kamite, et. al.                                                 [Page 4]
 
-INTERNET-DRAFT                                              October 2004
+INTERNET-DRAFT                                                 Feb. 2004
 
 
    In this state, if a client sends a normal query (e.g., question about
@@ -278,9 +279,9 @@ INTERNET-DRAFT                                              October 2004
 
 
 
-Kamite, et. al.          Expires April 15, 2005                 [Page 5]
+Kamite, et. al.                                                 [Page 5]
 
-INTERNET-DRAFT                                              October 2004
+INTERNET-DRAFT                                                 Feb. 2004
 
 
    When the present time is equal to Inception Time, or between
@@ -334,9 +335,9 @@ INTERNET-DRAFT                                              October 2004
 
 
 
-Kamite, et. al.          Expires April 15, 2005                 [Page 6]
+Kamite, et. al.                                                 [Page 6]
 
-INTERNET-DRAFT                                              October 2004
+INTERNET-DRAFT                                                 Feb. 2004
 
 
    Server MUST keep track of clients ignoring PartialRevoke, thus
@@ -390,9 +391,9 @@ INTERNET-DRAFT                                              October 2004
 
 
 
-Kamite, et. al.          Expires April 15, 2005                 [Page 7]
+Kamite, et. al.                                                 [Page 7]
 
-INTERNET-DRAFT                                              October 2004
+INTERNET-DRAFT                                                 Feb. 2004
 
 
    client, a new shared secret can be established. The details of
@@ -446,9 +447,9 @@ INTERNET-DRAFT                                              October 2004
 
 
 
-Kamite, et. al.          Expires April 15, 2005                 [Page 8]
+Kamite, et. al.                                                 [Page 8]
 
-INTERNET-DRAFT                                              October 2004
+INTERNET-DRAFT                                                 Feb. 2004
 
 
         CLASS        u_int16_t    (defined in [RFC2930])
@@ -493,18 +494,18 @@ INTERNET-DRAFT                                              October 2004
 
         in Other Data filed:
 
-          Field            Type       Comment
-          -------          ------     -------
-          OldNAME          domain     name of the old key
-          OldAlgorithm     domain     algorithm of the old key
+          Field          Type     Comment
+          -------        ------   -------
+          OldNAME        domain   name of the old key
+          OldAlgorithm   domain   algorithm of the old key
 
 
 
 
 
-Kamite, et. al.          Expires April 15, 2005                 [Page 9]
+Kamite, et. al.                                                 [Page 9]
 
-INTERNET-DRAFT                                              October 2004
+INTERNET-DRAFT                                                 Feb. 2004
 
 
           "OldName" indicates the name of the previous key (usually,
@@ -558,9 +559,9 @@ INTERNET-DRAFT                                              October 2004
 
 
 
-Kamite, et. al.          Expires April 15, 2005                [Page 10]
+Kamite, et. al.                                                [Page 10]
 
-INTERNET-DRAFT                                              October 2004
+INTERNET-DRAFT                                                 Feb. 2004
 
 
    including "OldName" and "OldAlgorithm" that indicate the revoked key.
@@ -614,9 +615,9 @@ INTERNET-DRAFT                                              October 2004
 
 
 
-Kamite, et. al.          Expires April 15, 2005                [Page 11]
+Kamite, et. al.                                                [Page 11]
 
-INTERNET-DRAFT                                              October 2004
+INTERNET-DRAFT                                                 Feb. 2004
 
 
       TKEY "Mode" field stores the value of "DH exchange for key
@@ -670,9 +671,9 @@ INTERNET-DRAFT                                              October 2004
 
 
 
-Kamite, et. al.          Expires April 15, 2005                [Page 12]
+Kamite, et. al.                                                [Page 12]
 
-INTERNET-DRAFT                                              October 2004
+INTERNET-DRAFT                                                 Feb. 2004
 
 
    Query
@@ -726,9 +727,9 @@ INTERNET-DRAFT                                              October 2004
 
 
 
-Kamite, et. al.          Expires April 15, 2005                [Page 13]
+Kamite, et. al.                                                [Page 13]
 
-INTERNET-DRAFT                                              October 2004
+INTERNET-DRAFT                                                 Feb. 2004
 
 
    Query
@@ -782,9 +783,9 @@ INTERNET-DRAFT                                              October 2004
 
 
 
-Kamite, et. al.          Expires April 15, 2005                [Page 14]
+Kamite, et. al.                                                [Page 14]
 
-INTERNET-DRAFT                                              October 2004
+INTERNET-DRAFT                                                 Feb. 2004
 
 
    client or not. If client has not received yet because of any reasons
@@ -838,9 +839,9 @@ INTERNET-DRAFT                                              October 2004
 
 
 
-Kamite, et. al.          Expires April 15, 2005                [Page 15]
+Kamite, et. al.                                                [Page 15]
 
-INTERNET-DRAFT                                              October 2004
+INTERNET-DRAFT                                                 Feb. 2004
 
 
      shared secret, they keep using TSIG for queries and responses.
@@ -894,9 +895,9 @@ INTERNET-DRAFT                                              October 2004
 
 
 
-Kamite, et. al.          Expires April 15, 2005                [Page 16]
+Kamite, et. al.                                                [Page 16]
 
-INTERNET-DRAFT                                              October 2004
+INTERNET-DRAFT                                                 Feb. 2004
 
 
    hosts want to send queries, but it is possible.
@@ -950,9 +951,9 @@ INTERNET-DRAFT                                              October 2004
 
 
 
-Kamite, et. al.          Expires April 15, 2005                [Page 17]
+Kamite, et. al.                                                [Page 17]
 
-INTERNET-DRAFT                                              October 2004
+INTERNET-DRAFT                                                 Feb. 2004
 
 
      (3) Suppose the present time is 19:55. If Client sends a query
@@ -1006,9 +1007,9 @@ INTERNET-DRAFT                                              October 2004
 
 
 
-Kamite, et. al.          Expires April 15, 2005                [Page 18]
+Kamite, et. al.                                                [Page 18]
 
-INTERNET-DRAFT                                              October 2004
+INTERNET-DRAFT                                                 Feb. 2004
 
 
      Answer Section also contains KEY RRs for DH.
@@ -1062,9 +1063,9 @@ INTERNET-DRAFT                                              October 2004
 
 
 
-Kamite, et. al.          Expires April 15, 2005                [Page 19]
+Kamite, et. al.                                                [Page 19]
 
-INTERNET-DRAFT                                              October 2004
+INTERNET-DRAFT                                                 Feb. 2004
 
 
      (11) This key is used until next day's 15:00. After that, it will
@@ -1118,12 +1119,12 @@ INTERNET-DRAFT                                              October 2004
 
 
 
-Kamite, et. al.          Expires April 15, 2005                [Page 20]
+Kamite, et. al.                                                [Page 20]
 
-INTERNET-DRAFT                                              October 2004
+INTERNET-DRAFT                                                 Feb. 2004
 
 
-10.  Acknowledgements
+10.  Acknowledgement
 
    The authors would like to thank Olafur Gudmundsson, whose helpful
    input and comments contributed greatly to this document.
@@ -1131,7 +1132,9 @@ INTERNET-DRAFT                                              October 2004
 
 11.  References
 
-11.1.  Normative References
+[RFC2104]
+     H. Krawczyk, M.Bellare, R. Canetti, "Keyed-Hashing for Message
+     Authentication", RFC2104, February 1997.
 
 [RFC2119]
      Bradner, S., "Key words for use in RFCs to Indicate Requirement
@@ -1154,11 +1157,7 @@ INTERNET-DRAFT                                              October 2004
      D. Eastlake 3rd, "DNS Request and Transaction Signatures (SIG(0)s
      )", RFC 2931, September 2000.
 
-11.2.  Informative References
 
-[RFC2104]
-     H. Krawczyk, M.Bellare, R. Canetti, "Keyed-Hashing for Message
-     Authentication", RFC2104, February 1997.
 
 
 
@@ -1174,9 +1173,11 @@ INTERNET-DRAFT                                              October 2004
 
 
 
-Kamite, et. al.          Expires April 15, 2005                [Page 21]
+
+
+Kamite, et. al.                                                [Page 21]
 
-INTERNET-DRAFT                                              October 2004
+INTERNET-DRAFT                                                 Feb. 2004
 
 
 Authors' Addresses
@@ -1230,63 +1231,5 @@ Authors' Addresses
 
 
 
-Kamite, et. al.          Expires April 15, 2005                [Page 22]
-
-INTERNET-DRAFT                                              October 2004
-
-
-Intellectual Property Statement
-
-   The IETF takes no position regarding the validity or scope of any
-   Intellectual Property Rights or other rights that might be claimed to
-   pertain to the implementation or use of the technology described in
-   this document or the extent to which any license under such rights
-   might or might not be available; nor does it represent that it has
-   made any independent effort to identify any such rights.  Information
-   on the procedures with respect to rights in RFC documents can be
-   found in BCP 78 and BCP 79.
-
-   Copies of IPR disclosures made to the IETF Secretariat and any
-   assurances of licenses to be made available, or the result of an
-   attempt made to obtain a general license or permission for the use of
-   such proprietary rights by implementers or users of this
-   specification can be obtained from the IETF on-line IPR repository at
-   http://www.ietf.org/ipr.
-
-   The IETF invites any interested party to bring to its attention any
-   copyrights, patents or patent applications, or other proprietary
-   rights that may cover technology that may be required to implement
-   this standard.  Please address the information to the IETF at
-   ietf-ipr@ietf.org.
-
-
-Disclaimer of Validity
-
-   This document and the information contained herein are provided on an
-   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
-   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
-   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
-   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
-   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Copyright Statement
-
-   Copyright (C) The Internet Society (2004).  This document is subject
-   to the rights, licenses and restrictions contained in BCP 78, and
-   except as set forth therein, the authors retain all their rights.
-
-
-Acknowledgment
-
-   Funding for the RFC Editor function is currently provided by the
-   Internet Society.
-
-
-
-
-Kamite, et. al.          Expires April 15, 2005                [Page 23]
+Kamite, et. al.                                                [Page 22]
 
-
-
diff --git a/doc/draft/draft-ietf-dnsext-trustupdate-threshold-00.txt b/doc/draft/draft-ietf-dnsext-trustupdate-threshold-00.txt
deleted file mode 100644
index 901706ac..00000000
--- a/doc/draft/draft-ietf-dnsext-trustupdate-threshold-00.txt
+++ /dev/null
@@ -1,1501 +0,0 @@
-Network Working Group                                           J. Ihren
-Internet-Draft                                             Autonomica AB
-Expires: April 18, 2005                                       O. Kolkman
-                                                                RIPE NCC
-                                                              B. Manning
-                                                                  EP.net
-                                                        October 18, 2004
-
-
-
-  An In-Band Rollover Mechanism and an Out-Of-Band Priming Method for
-                         DNSSEC Trust Anchors.
-               draft-ietf-dnsext-trustupdate-threshold-00
-
-
-Status of this Memo
-
-
-   By submitting this Internet-Draft, I certify that any applicable
-   patent or other IPR claims of which I am aware have been disclosed,
-   and any of which I become aware will be disclosed, in accordance with
-   RFC 3668.
-
-
-   Internet-Drafts are working documents of the Internet Engineering
-   Task Force (IETF), its areas, and its working groups.  Note that
-   other groups may also distribute working documents as
-   Internet-Drafts.
-
-
-   Internet-Drafts are draft documents valid for a maximum of six months
-   and may be updated, replaced, or obsoleted by other documents at any
-   time.  It is inappropriate to use Internet-Drafts as reference
-   material or to cite them other than as "work in progress."
-
-
-   The list of current Internet-Drafts can be accessed at
-   http://www.ietf.org/ietf/1id-abstracts.txt.
-
-
-   The list of Internet-Draft Shadow Directories can be accessed at
-   http://www.ietf.org/shadow.html.
-
-
-   This Internet-Draft will expire on April 18, 2005.
-
-
-Copyright Notice
-
-
-   Copyright (C) The Internet Society (2004).  All Rights Reserved.
-
-
-Abstract
-
-
-   The DNS Security Extensions (DNSSEC) works by validating so called
-   chains of authority.  The start of these chains of authority are
-   usually public keys that are anchored in the DNS clients.  These keys
-   are known as the so called trust anchors.
-
-
-
-
-
-Ihren, et al.            Expires April 18, 2005                 [Page 1]
-Internet-Draft    DNSSEC Threshold-based Trust Update       October 2004
-
-
-
-   This memo describes a method how these client trust anchors can be
-   replaced using the DNS validation and querying mechanisms (in-band)
-   when the key pairs used for signing by zone owner are rolled.
-
-
-   This memo also describes a method to establish the validity of trust
-   anchors for initial configuration, or priming, using out of band
-   mechanisms.
-
-
-Table of Contents
-
-
-   1.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . .  3
-     1.1   Key Signing Keys, Zone Signing Keys and Secure Entry
-           Points . . . . . . . . . . . . . . . . . . . . . . . . . .  3
-   2.  Introduction and Background  . . . . . . . . . . . . . . . . .  5
-     2.1   Dangers of Stale Trust Anchors . . . . . . . . . . . . . .  5
-   3.  Threshold-based Trust Anchor Rollover  . . . . . . . . . . . .  7
-     3.1   The Rollover . . . . . . . . . . . . . . . . . . . . . . .  7
-     3.2   Threshold-based Trust Update . . . . . . . . . . . . . . .  8
-     3.3   Possible Trust Update States . . . . . . . . . . . . . . .  9
-     3.4   Implementation notes . . . . . . . . . . . . . . . . . . . 10
-     3.5   Possible transactions  . . . . . . . . . . . . . . . . . . 11
-       3.5.1   Single DNSKEY replaced . . . . . . . . . . . . . . . . 12
-       3.5.2   Addition of a new DNSKEY (no removal)  . . . . . . . . 12
-       3.5.3   Removal of old DNSKEY (no addition)  . . . . . . . . . 12
-       3.5.4   Multiple DNSKEYs replaced  . . . . . . . . . . . . . . 12
-     3.6   Removal of trust anchors for a trust point . . . . . . . . 12
-     3.7   No need for resolver-side overlap of old and new keys  . . 13
-   4.  Bootstrapping automatic rollovers  . . . . . . . . . . . . . . 14
-     4.1   Priming Keys . . . . . . . . . . . . . . . . . . . . . . . 14
-       4.1.1   Bootstrapping trust anchors using a priming key  . . . 14
-       4.1.2   Distribution of priming keys . . . . . . . . . . . . . 15
-   5.  The Threshold Rollover Mechanism vs Priming  . . . . . . . . . 16
-   6.  Security Considerations  . . . . . . . . . . . . . . . . . . . 17
-     6.1   Threshold-based Trust Update Security Considerations . . . 17
-     6.2   Priming Key Security Considerations  . . . . . . . . . . . 17
-   7.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 19
-   8.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 20
-   8.1   Normative References . . . . . . . . . . . . . . . . . . . . 20
-   8.2   Informative References . . . . . . . . . . . . . . . . . . . 20
-       Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 20
-   A.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 22
-   B.  Document History . . . . . . . . . . . . . . . . . . . . . . . 23
-     B.1   prior to version 00  . . . . . . . . . . . . . . . . . . . 23
-     B.2   version 00 . . . . . . . . . . . . . . . . . . . . . . . . 23
-       Intellectual Property and Copyright Statements . . . . . . . . 24
-
-
-
-
-
-
-
-Ihren, et al.            Expires April 18, 2005                 [Page 2]
-Internet-Draft    DNSSEC Threshold-based Trust Update       October 2004
-
-
-
-1.  Terminology
-
-
-   The key words "MUST", "SHALL", "REQUIRED", "SHOULD", "RECOMMENDED",
-   and "MAY" in this document are to be interpreted as described in
-   RFC2119 [1].
-
-
-   The term "zone" refers to the unit of administrative control in the
-   Domain Name System.  In this document "name server" denotes a DNS
-   name server that is authoritative (i.e.  knows all there is to know)
-   for a DNS zone.  A "zone owner" is the entity responsible for signing
-   and publishing a zone on a name server.  The terms "authentication
-   chain", "bogus", "trust anchors" and "Island of Security" are defined
-   in [4].  Throughout this document we use the term "resolver" to mean
-   "Validating Stub Resolvers" as defined in [4].
-
-
-   We use the term "security apex" as the zone for which a trust anchor
-   has been configured (by validating clients) and which is therefore,
-   by definition, at the root of an island of security.  The
-   configuration of trust anchors is a client side issue.  Therefore a
-   zone owner may not always know if their zone has become a security
-   apex.
-
-
-   A "stale anchor" is a trust anchor (a public key) that relates to a
-   key that is not used for signing.  Since trust anchors indicate that
-   a zone is supposed to be secure a validator will mark the all data in
-   an island of security as bogus when all trust anchors become stale.
-
-
-   It is assumed that the reader is familiar with public key
-   cryptography concepts [REF: Schneier Applied Cryptography] and is
-   able to distinguish between the private and public parts of a key
-   based on the context in which we use the term "key".  If there is a
-   possible ambiguity we will explicitly mention if a private or a
-   public part of a key is used.
-
-
-   The term "administrator" is used loosely throughout the text.  In
-   some cases an administrator is meant to be a person, in other cases
-   the administrator may be a process that has been delegated certain
-   responsibilities.
-
-
-1.1  Key Signing Keys, Zone Signing Keys and Secure Entry Points
-
-
-   Although the DNSSEC protocol does not make a distinction between
-   different keys the operational practice is that a distinction is made
-   between zone signing keys and key signing keys.  A key signing key is
-   used to exclusively sign the DNSKEY Resource Record (RR) set at the
-   apex of a zone and the zone signing keys sign all the data in the
-   zone (including the DNSKEY RRset at the apex).
-
-
-
-
-
-Ihren, et al.            Expires April 18, 2005                 [Page 3]
-Internet-Draft    DNSSEC Threshold-based Trust Update       October 2004
-
-
-
-   Keys that are intended to be used as the start of the authentication
-   chain for a particular zone, either because they are pointed to by a
-   parental DS RR or because they are configured as a trust anchor, are
-   called Secure Entry Point (SEP) keys.  In practice these SEP keys
-   will be key signing keys.
-
-
-   In order for the mechanism described herein to work the keys that are
-   intended to be used as secure entry points MUST have the SEP [2] flag
-   set.  In the examples it is assumed that keys with the SEP flag set
-   are used as key signing keys and thus exclusively sign the DNSKEY
-   RRset published at the apex of the zone.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Ihren, et al.            Expires April 18, 2005                 [Page 4]
-Internet-Draft    DNSSEC Threshold-based Trust Update       October 2004
-
-
-
-2.  Introduction and Background
-
-
-   When DNSSEC signatures are validated the resolver constructs a chain
-   of authority from a pre-configured trust anchor to the DNSKEY
-   Resource Record (RR), which contains the public key that validates
-   the signature stored in an RRSIG RR.  DNSSEC is designed so that the
-   administrator of a resolver can validate data in multiple islands of
-   security by configuring multiple trust anchors.
-
-
-   It is expected that resolvers will have more than one trust anchor
-   configured.  Although there is no deployment experience it is not
-   unreasonable to expect resolvers to be configured with a number of
-   trust anchors that varies between order 1 and order 1000.  Because
-   zone owners are expected to roll their keys, trust anchors will have
-   to be maintained (in the resolver end) in order not to become stale.
-
-
-   Since there is no global key maintenance policy for zone owners and
-   there are no mechanisms in the DNS to signal the key maintenance
-   policy it may be very hard for resolvers administrators to keep their
-   set of trust anchors up to date.  For instance, if there is only one
-   trust anchor configured and the key maintenance policy is clearly
-   published, through some out of band trusted channel, then a resolver
-   administrator can probably keep track of key rollovers and update the
-   trust anchor manually.  However, with an increasing number of trust
-   anchors all rolled according to individual policies that are all
-   published through different channels this soon becomes an
-   unmanageable problem.
-
-
-2.1  Dangers of Stale Trust Anchors
-
-
-   Whenever a SEP key at a security apex is rolled there exists a danger
-   that "stale anchors" are created.  A stale anchor is a trust anchor
-   (i.e.  a public key configured in a validating resolver) that relates
-   to a private key that is no longer used for signing.
-
-
-   The problem with a stale anchors is that they will (from the
-   validating resolvers point of view) prove data to be false even
-   though it is actually correct.  This is because the data is either
-   signed by a new key or is no longer signed and the resolver expects
-   data to be signed by the old (now stale) key.
-
-
-   This situation is arguably worse than not having a trusted key
-   configured for the secure entry point, since with a stale key no
-   lookup is typically possible (presuming that the default
-   configuration of a validating recursive nameserver is to not give out
-   data that is signed but failed to verify.
-
-
-   The danger of making configured trust anchors become stale anchors
-
-
-
-
-Ihren, et al.            Expires April 18, 2005                 [Page 5]
-Internet-Draft    DNSSEC Threshold-based Trust Update       October 2004
-
-
-
-   may be a reason for zone owners not to roll their keys.  If a
-   resolver is configured with many trust anchors that need manual
-   maintenance it may be easy to not notice a key rollover at a security
-   apex, resulting in a stale anchor.
-
-
-   In Section 3 this memo sets out a lightweight, in-DNS, mechanism to
-   track key rollovers and modify the configured trust anchors
-   accordingly.  The mechanism is stateless and does not need protocol
-   extensions.  The proposed design is that this mechanism is
-   implemented as a "trust updating machine" that is run entirely
-   separate from the validating resolver except that the trust updater
-   will have influence over the trust anchors used by the latter.
-
-
-   In Section 4 we describe a method [Editors note: for now only the
-   frame work and a set of requirements] to install trust anchors.  This
-   method can be used at first configuration or when the trust anchors
-   became stale (typically due to a failure to track several rollover
-   events).
-
-
-   The choice for which domains trust anchors are to be configured is a
-   local policy issue.  So is the choice which trust anchors has
-   prevalence if there are multiple chains of trust to a given piece of
-   DNS data (e.g.  when a parent zone and its child both have trust
-   anchors configured).  Both issues are out of the scope of this
-   document.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Ihren, et al.            Expires April 18, 2005                 [Page 6]
-Internet-Draft    DNSSEC Threshold-based Trust Update       October 2004
-
-
-
-3.  Threshold-based Trust Anchor Rollover
-
-
-3.1  The Rollover
-
-
-   When a key pair is replaced all signatures (in DNSSEC these are the
-   RRSIG records) created with the old key will be replaced by new
-   signatures created by the new key.  Access to the new public key is
-   needed to verify these signatures.
-
-
-   Since zone signing keys are in "the middle" of a chain of authority
-   they can be verified using the signature made by a key signing key.
-   Rollover of zone signing keys is therefore transparent to validators
-   and requires no action in the validator end.
-
-
-   But if a key signing key is rolled a resolver can determine its
-   authenticity by either following the authorization chain from the
-   parents DS record, an out-of-DNS authentication mechanism or by
-   relying on other trust anchors known for the zone in which the key is
-   rolled.
-
-
-   The threshold trust anchor rollover mechanism (or trust update),
-   described below, is based on using existing trust anchors to verify a
-   subset of the available signatures.  This is then used as the basis
-   for a decision to accept the new keys as valid trust anchors.
-
-
-   Our example pseudo zone below contains a number of key signing keys
-   numbered 1 through Y and two zone signing keys A and B.  During a key
-   rollover key 2 is replaced by key Y+1.  The zone content changes
-   from:
-
-
-          example.com.  DNSKEY key1
-          example.com.  DNSKEY key2
-          example.com.  DNSKEY key3
-          ...
-          example.com.  DNSKEY keyY
-
-
-          example.com.  DNSKEY keyA
-          example.com.  DNSKEY keyB
-
-
-          example.com.  RRSIG DNSKEY ... (key1)
-          example.com.  RRSIG DNSKEY ... (key2)
-          example.com.  RRSIG DNSKEY ... (key3)
-          ...
-          example.com.  RRSIG DNSKEY ... (keyY)
-          example.com.  RRSIG DNSKEY ... (keyA)
-          example.com.  RRSIG DNSKEY ... (keyB)
-
-
-    to:
-
-
-
-
-Ihren, et al.            Expires April 18, 2005                 [Page 7]
-Internet-Draft    DNSSEC Threshold-based Trust Update       October 2004
-
-
-
-          example.com.  DNSKEY key1
-          example.com.  DNSKEY key3
-          ...
-          example.com.  DNSKEY keyY
-          example.com.  DNSKEY keyY+1
-
-
-          example.com.  RRSIG DNSKEY ... (key1)
-          example.com.  RRSIG DNSKEY ... (key3)
-          ...
-          example.com.  RRSIG DNSKEY ... (keyY)
-          example.com.  RRSIG DNSKEY ... (keyY+1)
-          example.com.  RRSIG DNSKEY ... (keyA)
-          example.com.  RRSIG DNSKEY ... (keyB)
-
-
-   When the rollover becomes visible to the verifying stub resolver it
-   will be able to verify the RRSIGs associated with key1, key3 ...
-   keyY.  There will be no RRSIG by key2 and the RRSIG by keyY+1 will
-   not be used for validation, since that key is previously unknown and
-   therefore not trusted.
-
-
-   Note that this example is simplified.  Because of operational
-   considerations described in [5] having a period during which the two
-   key signing keys are both available is necessary.
-
-
-3.2  Threshold-based Trust Update
-
-
-   The threshold-based trust update algorithm applies as follows.  If
-   for a particular secure entry point
-   o  if the DNSKEY RRset in the zone has been replaced by a more recent
-      one (as determined by comparing the RRSIG inception dates)
-   and
-   o  if at least M configured trust anchors directly verify the related
-      RRSIGs over the new DNSKEY RRset
-   and
-   o  the number of configured trust anchors that verify the related
-      RRSIGs over the new DNSKEY RRset exceed a locally defined minimum
-      number that should be greater than one
-   then all the trust anchors for the particular secure entry point are
-   replaced by the set of keys from the zones DNSKEY RRset that have the
-   SEP flag set.
-
-
-   The choices for the rollover acceptance policy parameter M is left to
-   the administrator of the resolver.  To be certain that a rollover is
-   accepted up by resolvers using this mechanism zone owners should roll
-   as few SEP keys at a time as possible (preferably just one).  That
-   way they comply to the most strict rollover acceptance policy of
-   M=N-1.
-
-
-
-
-
-Ihren, et al.            Expires April 18, 2005                 [Page 8]
-Internet-Draft    DNSSEC Threshold-based Trust Update       October 2004
-
-
-
-   The value of M has an upper bound, limited by the number of of SEP
-   keys a zone owner publishes (i.e.  N).  But there is also a lower
-   bound, since it will not be safe to base the trust in too few
-   signatures.  The corner case is M=1 when any validating RRSIG will be
-   sufficient for a complete replacement of the trust anchors for that
-   secure entry point.  This is not a recommended configuration, since
-   that will allow an attacker to initiate rollover of the trust anchors
-   himself given access to just one compromised key.  Hence M should in
-   be strictly larger than 1 as shown by the third requirement above.
-
-
-   If the rollover acceptance policy is M=1 then the result for the
-   rollover in our example above should be that the local database of
-   trust anchors is updated by removing key "key2" from and adding key
-   "keyY+1" to the key store.
-
-
-3.3  Possible Trust Update States
-
-
-   We define five states for trust anchor configuration at the client
-   side.
-   PRIMING: There are no trust anchors configured.  There may be priming
-      keys available for initial priming of trust anchors.
-   IN-SYNC: The set of trust anchors configured exactly matches the set
-      of SEP keys used by the zone owner to sign the zone.
-   OUT-OF-SYNC: The set of trust anchors is not exactly the same as the
-      set of SEP keys used by the zone owner to sign the zone but there
-      are enough SEP key in use by the zone owner that is also in the
-      trust anchor configuration.
-   UNSYNCABLE: There is not enough overlap between the configured trust
-      anchors and the set of SEP keys used to sign the zone for the new
-      set to be accepted by the validator (i.e.  the number of
-      signatures that verify is not sufficient).
-   STALE: There is no overlap between the configured trust anchors and
-      the set of SEP keys used to sign the zone.  Here validation of
-      data is no longer possible and hence we are in a situation where
-      the trust anchors are stale.
-
-
-   Of these five states only two (IN-SYNC and OUT-OF-SYNC) are part of
-   the automatic trust update mechanism.  The PRIMING state is where a
-   validator is located before acquiring an up-to-date set of trust
-   anchors.  The transition from PRIMING to IN-SYNC is manual (see
-   Section 4 below).
-
-
-   Example: assume a secure entry point with four SEP keys and a
-   validator with the policy that it will accept any update to the set
-   of trust anchors as long as no more than two signatures fail to
-   validate (i.e.  M >= N-2) and at least two signature does validate
-   (i.e.  M >= 2).  In this case the rollover of a single key will move
-   the validator from IN-SYNC to OUT-OF-SYNC.  When the trust update
-
-
-
-
-Ihren, et al.            Expires April 18, 2005                 [Page 9]
-Internet-Draft    DNSSEC Threshold-based Trust Update       October 2004
-
-
-
-   state machine updates the trust anchors it returns to state IN-SYNC.
-
-
-   If if for some reason it fails to update the trust anchors then the
-   next rollover (of a different key) will move the validator from
-   OUT-OF-SYNC to OUT-OF-SYNC (again), since there are still two keys
-   that are configured as trust anchors and that is sufficient to accpt
-   an automatic update of the trust anchors.
-
-
-   The UNSYNCABLE state is where a validator is located if it for some
-   reason fails to incorporate enough updates to the trust anchors to be
-   able to accept new updates according to its local policy.  In this
-   example (i.e.  with the policy specified above) this will either be
-   because M < N-2 or M < 2, which does not suffice to authenticate a
-   successful update of trust anchors.
-
-
-   Continuing with the previous example where two of the four SEP keys
-   have already rolled, but the validator has failed to update the set
-   of trust anchors.  When the third key rolls over there will only be
-   one trust anchor left that can do successful validation.  This is not
-   sufficient to enable automatic update of the trust anchors, hence the
-   new state is UNSYNCABLE.  Note, however, that the remaining
-   up-to-date trust anchor is still enough to do successful validation
-   so the validator is still "working" from a DNSSEC point of view.
-
-
-   The STALE state, finally, is where a validator ends up when it has
-   zero remaining current trust anchors.  This is a dangerous state,
-   since the stale trust anchors will cause all validation to fail.  The
-   escape is to remove the stale trust anchors and thereby revert to the
-   PRIMING state.
-
-
-3.4  Implementation notes
-
-
-   The DNSSEC protocol specification ordains that a DNSKEY to which a DS
-   record points should be self-signed.  Since the keys that serve as
-   trust anchors and the keys that are pointed to by DS records serve
-   the same purpose, they are both secure entry points, we RECOMMEND
-   that zone owners who want to facilitate the automated rollover scheme
-   documented herein self-sign DNSKEYs with the SEP bit set and that
-   implementation check that DNSKEYs with the SEP bit set are
-   self-signed.
-
-
-   In order to maintain a uniform way of determining that a keyset in
-   the zone has been replaced by a more recent set the automatic trust
-   update machine SHOULD only accept new DNSKEY RRsets if the
-   accompanying RRSIGs show a more recent inception date than the
-   present set of trust anchors.  This is also needed as a safe guard
-   against possible replay attacks where old updates are replayed
-   "backwards" (i.e.  one change at a time, but going in the wrong
-
-
-
-
-Ihren, et al.            Expires April 18, 2005                [Page 10]
-Internet-Draft    DNSSEC Threshold-based Trust Update       October 2004
-
-
-
-   direction, thereby luring the validator into the UNSYNCABLE and
-   finally STALE states).
-
-
-   In order to be resilient against failures the implementation should
-   collect the DNSKEY RRsets from (other) authoritative servers if
-   verification of the self signatures fails.
-
-
-   The threshold-based trust update mechanism SHOULD only be applied to
-   algorithms, as represented in the algorithm field in the DNSKEY/RRSIG
-   [3], that the resolver is aware of.  In other words the SEP keys of
-   unknown algorithms should not be used when counting the number of
-   available signatures (the N constant) and the SEP keys of unknown
-   algorithm should not be entered as trust anchors.
-
-
-   When in state UNSYNCABLE or STALE manual intervention will be needed
-   to return to the IN-SYNC state.  These states should be flagged.  The
-   most appropriate action is human audit possibly followed by
-   re-priming (Section 4) the keyset (i.e.  manual transfer to the
-   PRIMING state through removal of the configured trust anchors).
-
-
-   An implementation should regularly probe the the authoritative
-   nameservers for new keys.  Since there is no mechanism to publish
-   rollover frequencies this document RECOMMENDS zone owners not to roll
-   their key signing keys more often than once per month and resolver
-   administrators to probe for key rollsovers (and apply the threshold
-   criterion for acceptance of trust update) not less often than once
-   per month.  If the rollover frequency is higher than the probing
-   frequency then trust anchors may become stale.  The exact relation
-   between the frequencies depends on the number of SEP keys rolled by
-   the zone owner and the value M configured by the resolver
-   administrator.
-
-
-   In all the cases below a transaction where the threshold criterion is
-   not satisfied should be considered bad (i.e.  possibly spoofed or
-   otherwise corrupted data).  The most appropriate action is human
-   audit.
-
-
-   There is one case where a "bad" state may be escaped from in an
-   automated fashion.  This is when entering the STALE state where all
-   DNSSEC validation starts to fail.  If this happens it is concievable
-   that it is better to completely discard the stale trust anchors
-   (thereby reverting to the PRIMING state where validation is not
-   possible).  A local policy that automates removal of stale trust
-   anchors is therefore suggested.
-
-
-3.5  Possible transactions
-
-
-
-
-
-
-Ihren, et al.            Expires April 18, 2005                [Page 11]
-Internet-Draft    DNSSEC Threshold-based Trust Update       October 2004
-
-
-
-3.5.1  Single DNSKEY replaced
-
-
-   This is probably the most typical transaction on the zone owners
-   part.  The result should be that if the threshold criterion is
-   satisfied then the key store is updated by removal of the old trust
-   anchor and addition of the new key as a new trust anchor.  Note that
-   if the DNSKEY RRset contains exactly M keys replacement of keys is
-   not possible, i.e.  for automatic rollover to work M must be stricly
-   less than N.
-
-
-3.5.2  Addition of a new DNSKEY (no removal)
-
-
-   If the threshold criterion is satisfied then the new key is added as
-   a configured trust anchor.  Not more than N-M keys can be added at
-   once, since otherwise the algorithm will fail.
-
-
-3.5.3  Removal of old DNSKEY (no addition)
-
-
-   If the threshold criterion is satisfied then the old key is removed
-   from being a configured trust anchor.  Note that it is not possible
-   to reduce the size of the DNSKEY RRset to a size smaller than the
-   minimum required value for M.
-
-
-3.5.4  Multiple DNSKEYs replaced
-
-
-   Arguably it is not a good idea for the zone administrator to replace
-   several keys at the same time, but from the resolver point of view
-   this is exactly what will happen if the validating resolver for some
-   reason failed to notice a previous rollover event.
-
-
-   Not more than N-M keys can be replaced at one time or the threshold
-   criterion will not be satisfied.  Or, expressed another way: as long
-   as the number of changed keys is less than or equal to N-M the
-   validator is in state OUT-OF-SYNC.  When the number of changed keys
-   becomes greater than N-M the state changes to UNSYNCABLE and manual
-   action is needed.
-
-
-3.6  Removal of trust anchors for a trust point
-
-
-   If the parent of a secure entry point gets signed and it's trusted
-   keys get configured in the key store of the validating resolver then
-   the configured trust anchors for the child should be removed entirely
-   unless explicitly configured (in the utility configuration) to be an
-   exception.
-
-
-   The reason for such a configuration would be that the resolver has a
-   local policy that requires maintenance of trusted keys further down
-   the tree hierarchy than strictly needed from the point of view.
-
-
-
-
-Ihren, et al.            Expires April 18, 2005                [Page 12]
-Internet-Draft    DNSSEC Threshold-based Trust Update       October 2004
-
-
-
-   The default action when the parent zone changes from unsigned to
-   signed should be to remove the configured trust anchors for the
-   child.  This form of "garbage collect" will ensure that the automatic
-   rollover machinery scales as DNSSEC deployment progresses.
-
-
-3.7  No need for resolver-side overlap of old and new keys
-
-
-   It is worth pointing out that there is no need for the resolver to
-   keep state about old keys versus new keys, beyond the requirement of
-   tracking signature inception time for the covering RRSIGs as
-   described in Section 3.4.
-
-
-   From the resolver point of view there are only trusted and not
-   trusted keys.  The reason is that the zone owner needs to do proper
-   maintenance of RRSIGs regardless of the resolver rollover mechanism
-   and hence must ensure that no key rolled out out the DNSKEY set until
-   there cannot be any RRSIGs created by this key still legally cached.
-
-
-   Hence the rollover mechanism is entirely stateless with regard to the
-   keys involved: as soon as the resolver (or in this case the rollover
-   tracking utility) detects a change in the DNSKEY RRset (i.e.  it is
-   now in the state OUT-OF-SYNC) with a sufficient number of matching
-   RRSIGs the configured trust anchors are immediately updated (and
-   thereby the machine return to state IN-SYNC).  I.e.  the rollover
-   machine changes states (mostly oscillating between IN-SYNC and
-   OUT-OF-SYNC), but the status of the DNSSEC keys is stateless.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Ihren, et al.            Expires April 18, 2005                [Page 13]
-Internet-Draft    DNSSEC Threshold-based Trust Update       October 2004
-
-
-
-4.  Bootstrapping automatic rollovers
-
-
-   It is expected that with the ability to automatically roll trust
-   anchors at trust points will follow a diminished unwillingness to
-   roll these keys, since the risks associated with stale keys are
-   minimized.
-
-
-   The problem of "priming" the trust anchors, or bringing them into
-   sync (which could happen if a resolver is off line for a long period
-   in which a set of SEP keys in a zone 'evolve' away from its trust
-   anchor configuration) remains.
-
-
-   For (re)priming we can rely on out of band technology and we propose
-   the following framework.
-
-
-4.1  Priming Keys
-
-
-   If all the trust anchors roll somewhat frequently (on the order of
-   months or at most about a year) then it will not be possible to
-   design a device, or a software distribution that includes trust
-   anchors, that after being manufactured is put on a shelf for several
-   key rollover periods before being brought into use (since no trust
-   anchors that were known at the time of manufacture remain active).
-
-
-   To alleviate this we propose the concept of "priming keys".  Priming
-   keys are ordinary DNSSEC Key Signing Keys with the characteristic
-   that
-   o  The private part of a priming key signs the DNSKEY RRset at the
-      security apex, i.e.  at least one RRSIG DNSKEY is created by a
-      priming key rather than by an "ordinary" trust anchor
-   o  the public parts of priming keys are not included in the DNSKEY
-      RRset.  Instead the public parts of priming keys are only
-      available out-of-band.
-   o  The public parts of the priming keys have a validity period.
-      Within this period they can be used to obtain trust anchors.
-   o  The priming key pairs are long lived (relative to the key rollover
-      period.)
-
-
-4.1.1  Bootstrapping trust anchors using a priming key
-
-
-   To install the trust anchors for a particular security apex an
-   administrator of a validating resolver will need to:
-   o  query for the DNSKEY RRset of the zone at the security apex;
-   o  verify the self signatures of all DNSKEYs in the RRset;
-   o  verify the signature of the RRSIG made with a priming key --
-      verification using one of the public priming keys that is valid at
-      that moment is sufficient;
-
-
-
-
-
-Ihren, et al.            Expires April 18, 2005                [Page 14]
-Internet-Draft    DNSSEC Threshold-based Trust Update       October 2004
-
-
-
-   o  create the trust anchors by extracting the DNSKEY RRs with the SEP
-      flag set.
-   The SEP keys with algorithms unknown to the validating resolver
-   SHOULD be ignored during the creation of the trust anchors.
-
-
-4.1.2  Distribution of priming keys
-
-
-   The public parts of the priming keys SHOULD be distributed
-   exclusively through out-of-DNS mechanisms.  The requirements for a
-   distribution mechanism are:
-   o  it can carry the "validity" period for the priming keys;
-   o  it can carry the self-signature of the priming keys;
-   o  and it allows for verification using trust relations outside the
-      DNS.
-   A distribution mechanism would benefit from:
-   o  the availability of revocation lists;
-   o  the ability of carrying zone owners policy information such as
-      recommended values for "M" and "N" and a rollover frequency;
-   o  and the technology on which is based is readily available.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Ihren, et al.            Expires April 18, 2005                [Page 15]
-Internet-Draft    DNSSEC Threshold-based Trust Update       October 2004
-
-
-
-5.  The Threshold Rollover Mechanism vs Priming
-
-
-   There is overlap between the threshold-based trust updater and the
-   Priming method.  One could exclusively use the Priming method for
-   maintaining the trust anchors.  However the priming method probably
-   relies on "non-DNS' technology and may therefore not be available for
-   all devices that have a resolver.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Ihren, et al.            Expires April 18, 2005                [Page 16]
-Internet-Draft    DNSSEC Threshold-based Trust Update       October 2004
-
-
-
-6.  Security Considerations
-
-
-6.1  Threshold-based Trust Update Security Considerations
-
-
-   A clear issue for resolvers will be how to ensure that they track all
-   rollover events for the zones they have configure trust anchors for.
-   Because of temporary outages validating resolvers may have missed a
-   rollover of a KSK.  The parameters that determine the robustness
-   against failures are: the length of the period between rollovers
-   during which the KSK set is stable and validating resolvers can
-   actually notice the change; the number of available KSKs (i.e.  N)
-   and the number of signatures that may fail to validate (i.e.  N-M).
-
-
-   With a large N (i.e.  many KSKs) and a small value of M this
-   operation becomes more robust since losing one key, for whatever
-   reason, will not be crucial.  Unfortunately the choice for the number
-   of KSKs is a local policy issue for the zone owner while the choice
-   for the parameter M is a local policy issue for the resolver
-   administrator.
-
-
-   Higher values of M increase the resilience against attacks somewhat;
-   more signatures need to verify for a rollover to be approved.  On the
-   other hand the number of rollover events that may pass unnoticed
-   before the resolver reaches the UNSYNCABLE state goes down.
-
-
-   The threshold-based trust update intentionally does not provide a
-   revocation mechanism.  In the case that a sufficient number of
-   private keys of a zone owner are simultaneously compromised the the
-   attacker may use these private keys to roll the trust anchors of (a
-   subset of) the resolvers.  This is obviously a bad situation but it
-   is not different from most other public keys systems.
-
-
-   However, it is important to point out that since any reasonable trust
-   anchor rollover policy (in validating resolvers) will require more
-   than one RRSIG to validate this proposal does provide security
-   concious zone administrators with the option of not storing the
-   individual private keys in the same location and thereby decreasing
-   the likelihood of simultaneous compromise.
-
-
-6.2  Priming Key Security Considerations
-
-
-   Since priming keys are not included in the DNSKEY RR set they are
-   less sensitive to packet size constraints and can be chosen
-   relatively large.  The private parts are only needed to sign the
-   DNSKEY RR set during the validity period of the particular priming
-   key pair.  Note that the private part of the priming key is used each
-   time when a DNSKEY RRset has to be resigned.  In practice there is
-   therefore little difference between the usage pattern of the private
-
-
-
-
-Ihren, et al.            Expires April 18, 2005                [Page 17]
-Internet-Draft    DNSSEC Threshold-based Trust Update       October 2004
-
-
-
-   part of key signing keys and priming keys.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Ihren, et al.            Expires April 18, 2005                [Page 18]
-Internet-Draft    DNSSEC Threshold-based Trust Update       October 2004
-
-
-
-7.  IANA Considerations
-
-
-   NONE.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Ihren, et al.            Expires April 18, 2005                [Page 19]
-Internet-Draft    DNSSEC Threshold-based Trust Update       October 2004
-
-
-
-8.  References
-
-
-8.1  Normative References
-
-
-   [1]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
-        Levels", BCP 14, RFC 2119, March 1997.
-
-
-   [2]  Kolkman, O., Schlyter, J. and E. Lewis, "Domain Name System KEY
-        (DNSKEY) Resource Record (RR) Secure Entry Point (SEP) Flag",
-        RFC 3757, May 2004.
-
-
-   [3]  Arends, R., "Resource Records for the DNS Security Extensions",
-        draft-ietf-dnsext-dnssec-records-10 (work in progress),
-        September 2004.
-
-
-8.2  Informative References
-
-
-   [4]  Arends, R., Austein, R., Massey, D., Larson, M. and S. Rose,
-        "DNS Security Introduction and Requirements",
-        draft-ietf-dnsext-dnssec-intro-12 (work in progress), September
-        2004.
-
-
-   [5]  Kolkman, O., "DNSSEC Operational Practices",
-        draft-ietf-dnsop-dnssec-operational-practices-01 (work in
-        progress), May 2004.
-
-
-   [6]  Housley, R., Ford, W., Polk, T. and D. Solo, "Internet X.509
-        Public Key Infrastructure Certificate and CRL Profile", RFC
-        2459, January 1999.
-
-
-
-Authors' Addresses
-
-
-   Johan Ihren
-   Autonomica AB
-   Bellmansgatan 30
-   Stockholm  SE-118 47
-   Sweden
-
-
-   EMail: johani@autonomica.se
-
-
-
-
-
-
-
-
-
-
-
-
-Ihren, et al.            Expires April 18, 2005                [Page 20]
-Internet-Draft    DNSSEC Threshold-based Trust Update       October 2004
-
-
-
-   Olaf M. Kolkman
-   RIPE NCC
-   Singel 256
-   Amsterdam  1016 AB
-   NL
-
-
-   Phone: +31 20 535 4444
-   EMail: olaf@ripe.net
-   URI:   http://www.ripe.net/
-
-
-
-   Bill Manning
-   EP.net
-   Marina del Rey, CA  90295
-   USA
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Ihren, et al.            Expires April 18, 2005                [Page 21]
-Internet-Draft    DNSSEC Threshold-based Trust Update       October 2004
-
-
-
-Appendix A.  Acknowledgments
-
-
-   The present design for in-band automatic rollovers of DNSSEC trust
-   anchors is the result of many conversations and it is no longer
-   possible to remember exactly who contributed what.
-
-
-   In addition we've also had appreciated help from (in no particular
-   order) Paul Vixie, Sam Weiler, Suzanne Woolf, Steve Crocker, Matt
-   Larson and Mark Kosters.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Ihren, et al.            Expires April 18, 2005                [Page 22]
-Internet-Draft    DNSSEC Threshold-based Trust Update       October 2004
-
-
-
-Appendix B.  Document History
-
-
-   This appendix will be removed if and when the document is submitted
-   to the RFC editor.
-
-
-   The version you are reading is tagged as $Revision: 1.1.234.1 $.
-
-
-   Text between square brackets, other than references, are editorial
-   comments and will be removed.
-
-
-B.1  prior to version 00
-
-
-   This draft was initially published as a personal submission under the
-   name draft-kolkman-dnsext-dnssec-in-band-rollover-00.txt.
-
-
-   Kolkman documented the ideas provided by Ihren and Manning.  In the
-   process of documenting (and prototyping) Kolkman changed some of the
-   details of the M-N algorithms working.  Ihren did not have a chance
-   to review the draft before Kolkman posted;
-
-
-   Kolkman takes responsibilities for omissions, fuzzy definitions and
-   mistakes.
-
-
-B.2  version 00
-   o  The name of the draft was changed as a result of the draft being
-      adopted as a working group document.
-   o  A small section on the concept of stale trust anchors was added.
-   o  The different possible states are more clearly defined, including
-      examples of transitions between states.
-   o  The terminology is changed throughout the document.  The old term
-      "M-N" is replaced by "threshold" (more or less).  Also the
-      interpretation of the constants M and N is significantly
-      simplified to bring the usage more in line with "standard"
-      threshold terminlogy.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Ihren, et al.            Expires April 18, 2005                [Page 23]
-Internet-Draft    DNSSEC Threshold-based Trust Update       October 2004
-
-
-
-Intellectual Property Statement
-
-
-   The IETF takes no position regarding the validity or scope of any
-   Intellectual Property Rights or other rights that might be claimed to
-   pertain to the implementation or use of the technology described in
-   this document or the extent to which any license under such rights
-   might or might not be available; nor does it represent that it has
-   made any independent effort to identify any such rights.  Information
-   on the procedures with respect to rights in RFC documents can be
-   found in BCP 78 and BCP 79.
-
-
-   Copies of IPR disclosures made to the IETF Secretariat and any
-   assurances of licenses to be made available, or the result of an
-   attempt made to obtain a general license or permission for the use of
-   such proprietary rights by implementers or users of this
-   specification can be obtained from the IETF on-line IPR repository at
-   http://www.ietf.org/ipr.
-
-
-   The IETF invites any interested party to bring to its attention any
-   copyrights, patents or patent applications, or other proprietary
-   rights that may cover technology that may be required to implement
-   this standard.  Please address the information to the IETF at
-   ietf-ipr@ietf.org.
-
-
-
-Disclaimer of Validity
-
-
-   This document and the information contained herein are provided on an
-   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
-   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
-   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
-   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
-   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-
-Copyright Statement
-
-
-   Copyright (C) The Internet Society (2004).  This document is subject
-   to the rights, licenses and restrictions contained in BCP 78, and
-   except as set forth therein, the authors retain all their rights.
-
-
-
-Acknowledgment
-
-
-   Funding for the RFC Editor function is currently provided by the
-   Internet Society.
-
-
-
-
-Ihren, et al.            Expires April 18, 2005                [Page 24] 
\ No newline at end of file
diff --git a/doc/draft/draft-ietf-dnsext-trustupdate-timers-01.txt b/doc/draft/draft-ietf-dnsext-trustupdate-timers-01.txt
deleted file mode 100644
index df702b41..00000000
--- a/doc/draft/draft-ietf-dnsext-trustupdate-timers-01.txt
+++ /dev/null
@@ -1,730 +0,0 @@
-
-
-
-
-Network Working Group                                         M. StJohns
-Internet-Draft                                             Nominum, Inc.
-Expires: February 16, 2006                               August 15, 2005
-
-
-               Automated Updates of DNSSEC Trust Anchors
-                draft-ietf-dnsext-trustupdate-timers-01
-
-Status of this Memo
-
-   By submitting this Internet-Draft, each author represents that any
-   applicable patent or other IPR claims of which he or she is aware
-   have been or will be disclosed, and any of which he or she becomes
-   aware will be disclosed, in accordance with Section 6 of BCP 79.
-
-   Internet-Drafts are working documents of the Internet Engineering
-   Task Force (IETF), its areas, and its working groups.  Note that
-   other groups may also distribute working documents as Internet-
-   Drafts.
-
-   Internet-Drafts are draft documents valid for a maximum of six months
-   and may be updated, replaced, or obsoleted by other documents at any
-   time.  It is inappropriate to use Internet-Drafts as reference
-   material or to cite them other than as "work in progress."
-
-   The list of current Internet-Drafts can be accessed at
-   http://www.ietf.org/ietf/1id-abstracts.txt.
-
-   The list of Internet-Draft Shadow Directories can be accessed at
-   http://www.ietf.org/shadow.html.
-
-   This Internet-Draft will expire on February 16, 2006.
-
-Copyright Notice
-
-   Copyright (C) The Internet Society (2005).
-
-Abstract
-
-   This document describes a means for automated, authenticated and
-   authorized updating of DNSSEC "trust anchors".  The method provides
-   protection against single key compromise of a key in the trust point
-   key set.  Based on the trust established by the presence of a current
-   anchor, other anchors may be added at the same place in the
-   hierarchy, and, ultimately, supplant the existing anchor.
-
-   This mechanism, if adopted, will require changes to resolver
-   management behavior (but not resolver resolution behavior), and the
-
-
-
-StJohns                 Expires February 16, 2006               [Page 1]
-
-Internet-Draft             trustanchor-update                August 2005
-
-
-   addition of a single flag bit to the DNSKEY record.
-
-Table of Contents
-
-   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
-     1.1   Compliance Nomenclature  . . . . . . . . . . . . . . . . .  3
-     1.2   Changes since -00  . . . . . . . . . . . . . . . . . . . .  3
-   2.  Theory of Operation  . . . . . . . . . . . . . . . . . . . . .  4
-     2.1   Revocation . . . . . . . . . . . . . . . . . . . . . . . .  4
-     2.2   Add Hold-Down  . . . . . . . . . . . . . . . . . . . . . .  4
-     2.3   Remove Hold-down . . . . . . . . . . . . . . . . . . . . .  5
-     2.4   Active Refresh . . . . . . . . . . . . . . . . . . . . . .  6
-     2.5   Resolver Parameters  . . . . . . . . . . . . . . . . . . .  6
-       2.5.1   Add Hold-Down Time . . . . . . . . . . . . . . . . . .  6
-       2.5.2   Remove Hold-Down Time  . . . . . . . . . . . . . . . .  6
-       2.5.3   Minimum Trust Anchors per Trust Point  . . . . . . . .  6
-   3.  Changes to DNSKEY RDATA Wire Format  . . . . . . . . . . . . .  6
-   4.  State Table  . . . . . . . . . . . . . . . . . . . . . . . . .  6
-     4.1   Events . . . . . . . . . . . . . . . . . . . . . . . . . .  7
-     4.2   States . . . . . . . . . . . . . . . . . . . . . . . . . .  7
-   5.  Scenarios  . . . . . . . . . . . . . . . . . . . . . . . . . .  8
-     5.1   Adding A Trust Anchor  . . . . . . . . . . . . . . . . . .  8
-     5.2   Deleting a Trust Anchor  . . . . . . . . . . . . . . . . .  9
-     5.3   Key Roll-Over  . . . . . . . . . . . . . . . . . . . . . .  9
-     5.4   Active Key Compromised . . . . . . . . . . . . . . . . . .  9
-     5.5   Stand-by Key Compromised . . . . . . . . . . . . . . . . .  9
-   6.  Security Considerations  . . . . . . . . . . . . . . . . . . . 10
-     6.1   Key Ownership vs Acceptance Policy . . . . . . . . . . . . 10
-     6.2   Multiple Key Compromise  . . . . . . . . . . . . . . . . . 10
-     6.3   Dynamic Updates  . . . . . . . . . . . . . . . . . . . . . 10
-   7.  Normative References . . . . . . . . . . . . . . . . . . . . . 10
-       Editorial Comments . . . . . . . . . . . . . . . . . . . . . . 11
-       Author's Address . . . . . . . . . . . . . . . . . . . . . . . 11
-       Intellectual Property and Copyright Statements . . . . . . . . 12
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-StJohns                 Expires February 16, 2006               [Page 2]
-
-Internet-Draft             trustanchor-update                August 2005
-
-
-1.  Introduction
-
-   As part of the reality of fielding DNSSEC (Domain Name System
-   Security Extensions) [RFC2535] [RFC4033][RFC4034][RFC4035], the
-   community has come to the realization that there will not be one
-   signed name space, but rather islands of signed name space each
-   originating from specific points (i.e. 'trust points') in the DNS
-   tree.  Each of those islands will be identified by the trust point
-   name, and validated by at least one associated public key.  For the
-   purpose of this document we'll call the association of that name and
-   a particular key a 'trust anchor'.  A particular trust point can have
-   more than one key designated as a trust anchor.
-
-   For a DNSSEC-aware resolver to validate information in a DNSSEC
-   protected branch of the hierarchy, it must have knowledge of a trust
-   anchor applicable to that branch.  It may also have more than one
-   trust anchor for any given trust point.  Under current rules, a chain
-   of trust for DNSSEC-protected data that chains its way back to ANY
-   known trust anchor is considered 'secure'.
-
-   Because of the probable balkanization of the DNSSEC tree due to
-   signing voids at key locations, a resolver may need to know literally
-   thousands of trust anchors to perform its duties. (e.g.  Consider an
-   unsigned ".COM".)  Requiring the owner of the resolver to manually
-   manage this many relationships is problematic.  It's even more
-   problematic when considering the eventual requirement for key
-   replacement/update for a given trust anchor.  The mechanism described
-   herein won't help with the initial configuration of the trust anchors
-   in the resolvers, but should make trust point key replacement/
-   rollover more viable.
-
-   As mentioned above, this document describes a mechanism whereby a
-   resolver can update the trust anchors for a given trust point, mainly
-   without human intervention at the resolver.  There are some corner
-   cases discussed (e.g. multiple key compromise) that may require
-   manual intervention, but they should be few and far between.  This
-   document DOES NOT discuss the general problem of the initial
-   configuration of trust anchors for the resolver.
-
-1.1  Compliance Nomenclature
-
-   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
-   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
-   document are to be interpreted as described in BCP 14, [RFC2119].
-
-1.2  Changes since -00
-
-   Added the concept of timer triggered resolver queries to refresh the
-
-
-
-StJohns                 Expires February 16, 2006               [Page 3]
-
-Internet-Draft             trustanchor-update                August 2005
-
-
-   resolvers view of the trust anchor key RRSet.
-
-   Re-submitted expired draft as -01.  Updated DNSSEC RFC References.
-
-2.  Theory of Operation
-
-   The general concept of this mechanism is that existing trust anchors
-   can be used to authenticate new trust anchors at the same point in
-   the DNS hierarchy.  When a new SEP key is added to a trust point
-   DNSKEY RRSet, and when that RRSet is validated by an existing trust
-   anchor, then the new key can be added to the set of trust anchors.
-
-   There are some issues with this approach which need to be mitigated.
-   For example, a compromise of one of the existing keys could allow an
-   attacker to add their own 'valid' data.  This implies a need for a
-   method to revoke an existing key regardless of whether or not that
-   key is compromised.  As another example assuming a single key
-   compromise, an attacker could add a new key and revoke all the other
-   old keys.
-
-2.1  Revocation
-
-   Assume two trust anchor keys A and B. Assume that B has been
-   compromised.  Without a specific revocation bit, B could invalidate A
-   simply by sending out a signed trust point key set which didn't
-   contain A. To fix this, we add a mechanism which requires knowledge
-   of the private key of a DNSKEY to revoke that DNSKEY.
-
-   A key is considered revoked when the resolver sees the key in a self-
-   signed RRSet and the key has the REVOKE bit set to '1'.  Once the
-   resolver sees the REVOKE bit, it MUST NOT use this key as a trust
-   anchor or for any other purposes except validating the RRSIG over the
-   DNSKEY RRSet specifically for the purpose of validating the
-   revocation.  Unlike the 'Add' operation below, revocation is
-   immediate and permanent upon receipt of a valid revocation at the
-   resolver.
-
-   N.B. A DNSKEY with the REVOKE bit set has a different fingerprint
-   than one without the bit set.  This affects the matching of a DNSKEY
-   to DS records in the parent, or the fingerprint stored at a resolver
-   used to configure a trust point. [msj3]
-
-   In the given example, the attacker could revoke B because it has
-   knowledge of B's private key, but could not revoke A.
-
-2.2  Add Hold-Down
-
-   Assume two trust point keys A and B. Assume that B has been
-
-
-
-StJohns                 Expires February 16, 2006               [Page 4]
-
-Internet-Draft             trustanchor-update                August 2005
-
-
-   compromised.  An attacker could generate and add a new trust anchor
-   key - C (by adding C to the DNSKEY RRSet and signing it with B), and
-   then invalidate the compromised key.  This would result in the both
-   the attacker and owner being able to sign data in the zone and have
-   it accepted as valid by resolvers.
-
-   To mitigate, but not completely solve, this problem, we add a hold-
-   down time to the addition of the trust anchor.  When the resolver
-   sees a new SEP key in a validated trust point DNSKEY RRSet, the
-   resolver starts an acceptance timer, and remembers all the keys that
-   validated the RRSet.  If the resolver ever sees the DNSKEY RRSet
-   without the new key but validly signed, it stops the acceptance
-   process and resets the acceptance timer.  If all of the keys which
-   were originally used to validate this key are revoked prior to the
-   timer expiring, the resolver stops the acceptance process and resets
-   the timer.
-
-   Once the timer expires, the new key will be added as a trust anchor
-   the next time the validated RRSet with the new key is seen at the
-   resolver.  The resolver MUST NOT treat the new key as a trust anchor
-   until the hold down time expires AND it has retrieved and validated a
-   DNSKEY RRSet after the hold down time which contains the new key.
-
-   N.B.: Once the resolver has accepted a key as a trust anchor, the key
-   MUST be considered a valid trust anchor by that resolver until
-   explictly revoked as described above.
-
-   In the given example, the zone owner can recover from a compromise by
-   revoking B and adding a new key D and signing the DNSKEY RRSet with
-   both A and B.
-
-   The reason this does not completely solve the problem has to do with
-   the distributed nature of DNS.  The resolver only knows what it sees.
-   A determined attacker who holds one compromised key could keep a
-   single resolver from realizing that key had been compromised by
-   intercepting 'real' data from the originating zone and substituting
-   their own (e.g. using the example, signed only by B).  This is no
-   worse than the current situation assuming a compromised key.
-
-2.3  Remove Hold-down
-
-   A new key which has been seen by the resolver, but hasn't reached
-   it's add hold-down time, MAY be removed from the DNSKEY RRSet by the
-   zone owner.  If the resolver sees a validated DNSKEY RRSet without
-   this key, it waits for the remove hold-down time and then, if the key
-   hasn't reappeared, SHOULD discard any information about the key.
-
-
-
-
-
-StJohns                 Expires February 16, 2006               [Page 5]
-
-Internet-Draft             trustanchor-update                August 2005
-
-
-2.4  Active Refresh
-
-   A resolver which has been configured for automatic update of keys
-   from a particular trust point MUST query that trust point (e.g. do a
-   lookup for the DNSKEY RRSet and related RRSIG records) no less often
-   than the lesser of 15 days or half the original TTL for the DNSKEY
-   RRSet or half the RRSIG expiration interval.  The expiration interval
-   is the amount of time from when the RRSIG was last retrieved until
-   the expiration time in the RRSIG.
-
-   If the query fails, the resolver MUST repeat the query until
-   satisfied no more often than once an hour and no less often than the
-   lesser of 1 day or 10% of the original TTL or 10% of the original
-   expiration interval.
-
-2.5  Resolver Parameters
-
-2.5.1  Add Hold-Down Time
-
-   The add hold-down time is 30 days or the expiration time of the TTL
-   of the first trust point DNSKEY RRSet which contained the key,
-   whichever is greater.  This ensures that at least two validated
-   DNSKEY RRSets which contain the new key MUST be seen by the resolver
-   prior to the key's acceptance.
-
-2.5.2  Remove Hold-Down Time
-
-   The remove hold-down time is 30 days.
-
-2.5.3  Minimum Trust Anchors per Trust Point
-
-   A compliant resolver MUST be able to manage at least five SEP keys
-   per trust point.
-
-3.  Changes to DNSKEY RDATA Wire Format
-
-   Bit n [msj2] of the DNSKEY Flags field is designated as the 'REVOKE'
-   flag.  If this bit is set to '1', AND the resolver sees an
-   RRSIG(DNSKEY) signed by the associated key, then the resolver MUST
-   consider this key permanently invalid for all purposes except for
-   validing the revocation.
-
-4.  State Table
-
-   The most important thing to understand is the resolver's view of any
-   key at a trust point.  The following state table describes that view
-   at various points in the key's lifetime.  The table is a normative
-   part of this specification.  The initial state of the key is 'Start'.
-
-
-
-StJohns                 Expires February 16, 2006               [Page 6]
-
-Internet-Draft             trustanchor-update                August 2005
-
-
-   The resolver's view of the state of the key changes as various events
-   occur.
-
-   [msj1] This is the state of a trust point key as seen from the
-   resolver.  The column on the left indicates the current state.  The
-   header at the top shows the next state.  The intersection of the two
-   shows the event that will cause the state to transition from the
-   current state to the next.
-
-                             NEXT STATE
-           --------------------------------------------------
-    FROM   |Start  |AddPend |Valid  |Missing|Revoked|Removed|
-   ----------------------------------------------------------
-   Start   |       |NewKey  |       |       |       |       |
-   ----------------------------------------------------------
-   AddPend |KeyRem |        |AddTime|       |       |
-   ----------------------------------------------------------
-   Valid   |       |        |       |KeyRem |Revbit |       |
-   ----------------------------------------------------------
-   Missing |       |        |KeyPres|       |Revbit |       |
-   ----------------------------------------------------------
-   Revoked |       |        |       |       |       |RemTime|
-   ----------------------------------------------------------
-   Removed |       |        |       |       |       |       |
-   ----------------------------------------------------------
-
-
-4.1  Events
-   NewKey The resolver sees a valid DNSKEY RRSet with a new SEP key.
-      That key will become a new trust anchor for the named trust point
-      after its been present in the RRSet for at least 'add time'.
-   KeyPres The key has returned to the valid DNSKEY RRSet.
-   KeyRem The resolver sees a valid DNSKEY RRSet that does not contain
-      this key.
-   AddTime The key has been in every valid DNSKEY RRSet seen for at
-      least the 'add time'.
-   RemTime A revoked key has been missing from the trust point DNSKEY
-      RRSet for sufficient time to be removed from the trust set.
-   RevBit The key has appeared in the trust anchor DNSKEY RRSet with its
-      "REVOKED" bit set, and there is an RRSig over the DNSKEY RRSet
-      signed by this key.
-
-4.2  States
-   Start The key doesn't yet exist as a trust anchor at the resolver.
-      It may or may not exist at the zone server, but hasn't yet been
-      seen at the resolver.
-
-
-
-
-
-StJohns                 Expires February 16, 2006               [Page 7]
-
-Internet-Draft             trustanchor-update                August 2005
-
-
-   AddPend The key has been seen at the resolver, has its 'SEP' bit set,
-      and has been included in a validated DNSKEY RRSet.  There is a
-      hold-down time for the key before it can be used as a trust
-      anchor.
-   Valid The key has been seen at the resolver and has been included in
-      all validated DNSKEY RRSets from the time it was first seen up
-      through the hold-down time.  It is now valid for verifying RRSets
-      that arrive after the hold down time.  Clarification:  The DNSKEY
-      RRSet does not need to be continuously present at the resolver
-      (e.g. its TTL might expire).  If the RRSet is seen, and is
-      validated (i.e. verifies against an existing trust anchor), this
-      key MUST be in the RRSet otherwise  a 'KeyRem' event is triggered.
-   Missing This is an abnormal state.  The key remains as a valid trust
-      point key, but was not seen at the resolver in the last validated
-      DNSKEY RRSet.  This is an abnormal state because the zone operator
-      should be using the REVOKE bit prior to removal.  [Discussion
-      item:  Should a missing key be considered revoked after some
-      period of time?]
-   Revoked This is the state a key moves to once the resolver sees an
-      RRSIG(DNSKEY) signed by this key where that DNSKEY RRSet contains
-      this key with its REVOKE bit set to '1'.  Once in this state, this
-      key MUST permanently be considered invalid as a trust anchor.
-   Removed After a fairly long hold-down time, information about this
-      key may be purged from the resolver.  A key in the removed state
-      MUST NOT be considered a valid trust anchor.
-
-5.  Scenarios
-
-   The suggested model for operation is to have one active key and one
-   stand-by key at each trust point.  The active key will be used to
-   sign the DNSKEY RRSet.  The stand-by key will not normally sign this
-   RRSet, but the resolver will accept it as a trust anchor if/when it
-   sees the signature on the trust point DNSKEY RRSet.
-
-   Since the stand-by key is not in active signing use, the associated
-   private key may (and SHOULD) be provided with additional protections
-   not normally available to a key that must be used frequently.  E.g.
-   locked in a safe, split among many parties, etc.  Notionally, the
-   stand-by key should be less subject to compromise than an active key,
-   but that will be dependent on operational concerns not addressed
-   here.
-
-5.1  Adding A Trust Anchor
-
-   Assume an existing trust anchor key 'A'.
-   1.  Generate a new key pair.
-
-
-
-
-
-StJohns                 Expires February 16, 2006               [Page 8]
-
-Internet-Draft             trustanchor-update                August 2005
-
-
-   2.  Create a DNSKEY record from the key pair and set the SEP and Zone
-       Key  bits.
-   3.  Add the DNSKEY to the RRSet.
-   4.  Sign the DNSKEY RRSet ONLY with the existing trust anchor key -
-       'A'.
-   5.  Wait a while.
-
-5.2  Deleting a Trust Anchor
-
-   Assume existing trust anchors 'A' and 'B' and that you want to revoke
-   and delete 'A'.
-   1.  Set the revolcation bit on key 'A'.
-   2.  Sign the DNSKEY RRSet with both 'A' and 'B'.
-   'A' is now revoked.  The operator SHOULD include the revoked 'A' in
-   the RRSet for at least the remove hold-down time, but then may remove
-   it from the DNSKEY RRSet.
-
-5.3  Key Roll-Over
-
-   Assume existing keys A and B. 'A' is actively in use (i.e. has been
-   signing the DNSKEY RRSet.)  'B' was the stand-by key. (i.e. has been
-   in the DNSKEY RRSet and is a valid trust anchor, but wasn't being
-   used to sign the RRSet.)
-   1.  Generate a new key pair 'C'.
-   2.  Add 'C' to the DNSKEY RRSet.
-   3.  Set the revocation bit on key 'A'.
-   4.  Sign the RRSet with 'A' and 'B'.
-   'A' is now revoked, 'B' is now the active key, and 'C' will be  the
-   stand-by key once the hold-down expires.  The operator SHOULD include
-   the revoked 'A' in the RRSet for at least the remove hold-down time,
-   but may then remove it from the DNSKEY RRSet.
-
-5.4  Active Key Compromised
-
-   This is the same as the mechanism for Key Roll-Over (Section 5.3)
-   above assuming 'A' is the active key.
-
-5.5  Stand-by Key Compromised
-
-   Using the same assumptions and naming conventions as Key Roll-Over
-   (Section 5.3) above:
-   1.  Generate a new key pair 'C'.
-   2.  Add 'C' to the DNSKEY RRSet.
-   3.  Set the revocation bit on key 'B'.
-   4.  Sign the RRSet with 'A' and 'B'.
-   'B' is now revoked, 'A' remains the active key, and 'C' will be the
-   stand-by key once the hold-down expires.  'B' SHOULD continue to be
-   included in the RRSet for the remove hold-down time.
-
-
-
-StJohns                 Expires February 16, 2006               [Page 9]
-
-Internet-Draft             trustanchor-update                August 2005
-
-
-6.  Security Considerations
-
-6.1  Key Ownership vs Acceptance Policy
-
-   The reader should note that, while the zone owner is responsible
-   creating and distributing keys, it's wholly the decision of the
-   resolver owner as to whether to accept such keys for the
-   authentication of the zone information.  This implies the decision
-   update trust anchor keys based on trust for a current trust anchor
-   key is also the resolver owner's decision.
-
-   The resolver owner (and resolver implementers) MAY choose to permit
-   or prevent key status updates based on this mechanism for specific
-   trust points.  If they choose to prevent the automated updates, they
-   will need to establish a mechanism for manual or other out-of-band
-   updates outside the scope of this document.
-
-6.2  Multiple Key Compromise
-
-   This scheme permits recovery as long as at least one valid trust
-   anchor key remains uncompromised.  E.g. if there are three keys, you
-   can recover if two of them are compromised.  The zone owner should
-   determine their own level of comfort with respect to the number of
-   active valid trust anchors in a zone and should be prepared to
-   implement recovery procedures once they detect a compromise.  A
-   manual or other out-of-band update of all resolvers will be required
-   if all trust anchor keys at a trust point are compromised.
-
-6.3  Dynamic Updates
-
-   Allowing a resolver to update its trust anchor set based in-band key
-   information is potentially less secure than a manual process.
-   However, given the nature of the DNS, the number of resolvers that
-   would require update if a trust anchor key were compromised, and the
-   lack of a standard management framework for DNS, this approach is no
-   worse than the existing situation.
-
-7.  Normative References
-
-   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
-              Requirement Levels", BCP 14, RFC 2119, March 1997.
-
-   [RFC2535]  Eastlake, D., "Domain Name System Security Extensions",
-              RFC 2535, March 1999.
-
-   [RFC4033]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
-              Rose, "DNS Security Introduction and Requirements",
-              RFC 4033, March 2005.
-
-
-
-StJohns                 Expires February 16, 2006              [Page 10]
-
-Internet-Draft             trustanchor-update                August 2005
-
-
-   [RFC4034]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
-              Rose, "Resource Records for the DNS Security Extensions",
-              RFC 4034, March 2005.
-
-   [RFC4035]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
-              Rose, "Protocol Modifications for the DNS Security
-              Extensions", RFC 4035, March 2005.
-
-Editorial Comments
-
-   [msj1]  msj: N.B. This table is preliminary and will be revised to
-           match implementation experience.  For example, should there
-           be a state for "Add hold-down expired, but haven't seen the
-           new RRSet"?
-
-   [msj2]  msj: To be assigned.
-
-   [msj3]  msj: For discussion: What's the implementation guidance for
-           resolvers currently with respect to the non-assigned flag
-           bits?  If they consider the flag bit when doing key matching
-           at the trust anchor, they won't be able to match.
-
-
-Author's Address
-
-   Michael StJohns
-   Nominum, Inc.
-   2385 Bay Road
-   Redwood City, CA  94063
-   USA
-
-   Phone: +1-301-528-4729
-   Email: Mike.StJohns@nominum.com
-   URI:   www.nominum.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-StJohns                 Expires February 16, 2006              [Page 11]
-
-Internet-Draft             trustanchor-update                August 2005
-
-
-Intellectual Property Statement
-
-   The IETF takes no position regarding the validity or scope of any
-   Intellectual Property Rights or other rights that might be claimed to
-   pertain to the implementation or use of the technology described in
-   this document or the extent to which any license under such rights
-   might or might not be available; nor does it represent that it has
-   made any independent effort to identify any such rights.  Information
-   on the procedures with respect to rights in RFC documents can be
-   found in BCP 78 and BCP 79.
-
-   Copies of IPR disclosures made to the IETF Secretariat and any
-   assurances of licenses to be made available, or the result of an
-   attempt made to obtain a general license or permission for the use of
-   such proprietary rights by implementers or users of this
-   specification can be obtained from the IETF on-line IPR repository at
-   http://www.ietf.org/ipr.
-
-   The IETF invites any interested party to bring to its attention any
-   copyrights, patents or patent applications, or other proprietary
-   rights that may cover technology that may be required to implement
-   this standard.  Please address the information to the IETF at
-   ietf-ipr@ietf.org.
-
-   The IETF has been notified of intellectual property rights claimed in
-   regard to some or all of the specification contained in this
-   document.  For more information consult the online list of claimed
-   rights.
-
-
-Disclaimer of Validity
-
-   This document and the information contained herein are provided on an
-   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
-   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
-   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
-   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
-   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Copyright Statement
-
-   Copyright (C) The Internet Society (2005).  This document is subject
-   to the rights, licenses and restrictions contained in BCP 78, and
-   except as set forth therein, the authors retain all their rights.
-
-
-
-
-
-StJohns                 Expires February 16, 2006              [Page 12]
-
-Internet-Draft             trustanchor-update                August 2005
-
-
-Acknowledgment
-
-   Funding for the RFC Editor function is currently provided by the
-   Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-StJohns                 Expires February 16, 2006              [Page 13]
-
-
diff --git a/doc/draft/draft-ietf-dnsext-tsig-sha-04.txt b/doc/draft/draft-ietf-dnsext-tsig-sha-04.txt
deleted file mode 100644
index a59595f5..00000000
--- a/doc/draft/draft-ietf-dnsext-tsig-sha-04.txt
+++ /dev/null
@@ -1,580 +0,0 @@
-
-INTERNET-DRAFT                                    Donald E. Eastlake 3rd
-UPDATES RFC 2845                                   Motorola Laboratories
-Expires: December 2005                                         June 2005
-
-
-                  HMAC SHA TSIG Algorithm Identifiers
-                  ---- --- ---- --------- -----------
-                  <draft-ietf-dnsext-tsig-sha-04.txt>
-
-
-Status of This Document
-
-   By submitting this Internet-Draft, each author represents that any
-   applicable patent or other IPR claims of which he or she is aware
-   have been or will be disclosed, and any of which he or she becomes
-   aware will be disclosed, in accordance with Section 6 of BCP 79.
-
-   This draft is intended to be become a Proposed Standard RFC.
-   Distribution of this document is unlimited. Comments should be sent
-   to the DNSEXT working group mailing list <namedroppers@ops.ietf.org>.
-
-   Internet-Drafts are working documents of the Internet Engineering
-   Task Force (IETF), its areas, and its working groups.  Note that
-   other groups may also distribute working documents as Internet-
-   Drafts.
-
-   Internet-Drafts are draft documents valid for a maximum of six months
-   and may be updated, replaced, or obsoleted by other documents at any
-   time.  It is inappropriate to use Internet-Drafts as reference
-   material or to cite them other than a "work in progress."
-
-   The list of current Internet-Drafts can be accessed at
-   http://www.ietf.org/1id-abstracts.html
-
-   The list of Internet-Draft Shadow Directories can be accessed at
-   http://www.ietf.org/shadow.html
-
-
-Abstract
-
-   Use of the TSIG DNS resource record requires specification of a
-   cryptographic message authentication code.  Currently identifiers
-   have been specified only for the HMAC-MD5 and GSS TSIG algorithms.
-   This document standardizes identifiers and implementation
-   requirements for additional HMAC SHA TSIG algorithms and standardizes
-   how to specify and handle the truncation of HMAC values.
-
-
-Copyright Notice
-
-   Copyright (C) The Internet Society 2005. All Rights Reserved.
-
-
-
-
-D. Eastlake 3rd                                                 [Page 1]
-
-
-INTERNET-DRAFT                                 HMAC-SHA TSIG Identifiers
-
-
-Table of Contents
-
-      Status of This Document....................................1
-      Abstract...................................................1
-      Copyright Notice...........................................1
-
-      Table of Contents..........................................2
-
-      1. Introduction............................................3
-
-      2. Algorithms and Identifiers..............................4
-
-      3. Specifying Truncation...................................5
-      3.1 Truncation Specification...............................5
-
-      4. TSIG Policy Provisions and Truncation Error.............7
-
-      5. IANA Considerations.....................................8
-      6. Security Considerations.................................8
-      6. Copyright and Disclaimer................................8
-
-      7. Normative References....................................9
-      8. Informative References..................................9
-
-      Author's Address..........................................10
-      Expiration and File Name..................................10
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-D. Eastlake 3rd                                                 [Page 2]
-
-
-INTERNET-DRAFT                                 HMAC-SHA TSIG Identifiers
-
-
-1. Introduction
-
-   [RFC 2845] specifies a TSIG Resource Record (RR) that can be used to
-   authenticate DNS queries and responses. This RR contains a domain
-   name syntax data item which names the authentication algorithm used.
-   [RFC 2845] defines the HMAC-MD5.SIG-ALG.REG.INT name for
-   authentication codes using the HMAC [RFC 2104] algorithm with the MD5
-   [RFC 1321] hash algorithm. IANA has also registered "gss-tsig" as an
-   identifier for TSIG authentication where the cryptographic operations
-   are delegated to GSS [RFC 3645].
-
-   In Section 2, this document specifies additional names for TSIG
-   authentication algorithms based on US NIST SHA algorithms and HMAC
-   and specifies the implementation requirements for those algorithms.
-
-   In Section 3, this document specifies the meaning of inequality
-   between the normal output size of the specified hash function and the
-   length of MAC (message authentication code) data given in the TSIG
-   RR. In particular, it specifies that a shorter length field value
-   specifies truncation and a longer length field is an error.
-
-   In Section 4, policy restrictions and implications related to
-   truncation and a new error code to indicate truncation shorter than
-   permitted by policy are described and specified.
-
-   The use herein of MUST, SHOULD, MAY, MUST NOT, and SHOULD NOT is as
-   defined in [RFC 2119].
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-D. Eastlake 3rd                                                 [Page 3]
-
-
-INTERNET-DRAFT                                 HMAC-SHA TSIG Identifiers
-
-
-2. Algorithms and Identifiers
-
-   TSIG Resource Records (RRs) [RFC 2845] are used to authenticate DNS
-   queries and responses.  They are intended to be efficient symmetric
-   authentication codes based on a shared secret. (Asymmetric signatures
-   can be provided using the SIG RR [RFC 2931]. In particular, SIG(0)
-   can be used for transaction signatures.) Used with a strong hash
-   function, HMAC [RFC 2104] provides a way to calculate such symmetric
-   authentication codes. The only specified HMAC based TSIG algorithm
-   identifier has been HMAC-MD5.SIG-ALG.REG.INT based on MD5 [RFC 1321].
-
-   The use of SHA-1 [FIPS 180-2, RFC 3174], which is a 160 bit hash, as
-   compared with the 128 bits for MD5, and additional hash algorithms in
-   the SHA family [FIPS 180-2, RFC 3874, SHA2draft] with 224, 256, 384,
-   and 512 bits, may be preferred in some cases particularly since
-   increasingly successful cryptanalytic attacks are being made on the
-   shorter hashes.  Use of TSIG between a DNS resolver and server is by
-   mutual agreement. That agreement can include the support of
-   additional algorithms and may specify policies as to which algorithms
-   and truncations are acceptable subject to the restrication and
-   guidelines in Section 3 and 4 below.
-
-   The current HMAC-MD5.SIG-ALG.REG.INT identifier is included in the
-   table below for convenience.  Implementations which support TSIG MUST
-   also implement HMAC SHA1 and HMAC SHA256 and MAY implement gss-tsig
-   and the other algorithms listed below.
-
-         Mandatory      HMAC-MD5.SIG-ALG.REG.INT
-         Mandatory      hmac-sha1
-         Optional       hmac-sha224
-         Mandatory      hmac-sha256
-         Optional       hamc-sha384
-         Optional       hmac-sha512
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-D. Eastlake 3rd                                                 [Page 4]
-
-
-INTERNET-DRAFT                                 HMAC-SHA TSIG Identifiers
-
-
-3. Specifying Truncation
-
-   When space is at a premium and the strength of the full length of an
-   HMAC is not needed, it is reasonable to truncate the HMAC output and
-   use the truncated value for authentication. HMAC SHA-1 truncated to
-   96 bits is an option available in several IETF protocols including
-   IPSEC and TLS.
-
-   The TSIG RR [RFC 2845] includes a "MAC size" field, which gives the
-   size of the MAC field in octets. But [RFC 2845] does not specify what
-   to do if this MAC size differs from the length of the output of HMAC
-   for a particular hash function. Truncation is indicated by a MAC size
-   less than the HMAC size as specified below.
-
-
-
-3.1 Truncation Specification
-
-   The specification for TSIG handling is changed as follows:
-
-   1. If "MAC size" field is greater than HMAC output length:
-         This case MUST NOT be generated and if received MUST cause the
-      packet to be dropped and RCODE 1 (FORMERR) to be returned.
-
-   2. If "MAC size" field equals HMAC output length:
-         Operation is as described in [RFC 2845] with the entire output
-      HMAC output present.
-
-   3. "MAC size" field is less than HMAC output length but greater than
-      that specified in case 4 below:
-         This is sent when the signer has truncated the HMAC output to
-      an allowable length, as described in RFC 2104, taking initial
-      octets and discarding trailing octets. TSIG truncation can only be
-      to an integral number of octets. On receipt of a packet with
-      truncation thus indicated, the locally calculated MAC is similarly
-      truncated and only the truncated values compared for
-      authentication. The request MAC used when calculating the TSIG MAC
-      for a reply is the trucated request MAC.
-
-   4. "MAC size" field is less than the larger of 10 (octets) and half
-      the length of the hash function in use:
-         With the exception of certain TSIG error messages described in
-      RFC 2845 section 3.2 where it is permitted that the MAC size be
-      zero, this case MUST NOT be generated and if received MUST cause
-      the packet to be dropped and RCODE 1 (FORMERR) to be returned. The
-      size limit for this case can also, for the hash functions
-      mentioned in this document, be stated as less than half the hash
-      function length for hash functions other than MD5 and less than 10
-      octets for MD5.
-
-
-
-D. Eastlake 3rd                                                 [Page 5]
-
-
-INTERNET-DRAFT                                 HMAC-SHA TSIG Identifiers
-
-
-   SHA-1 truncated to 96 bits (12 octets) SHOULD be implemented.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-D. Eastlake 3rd                                                 [Page 6]
-
-
-INTERNET-DRAFT                                 HMAC-SHA TSIG Identifiers
-
-
-4. TSIG Policy Provisions and Truncation Error
-
-   Use of TSIG is by mutual agreement between a resolver and server.
-   Implicit in such "agreement" are policies as to acceptable keys and
-   algorithms and, with the extensions in this doucment, truncations. In
-   particular note the following:
-
-      Such policies MAY require the rejection of TSIGs even though they
-   use an algorithm for which implementation is mandatory.
-
-      When a policy calls for the acceptance of a TSIG with a particular
-   algorithm and a particular non-zero amount of trunction it SHOULD
-   also permit the use of that algorithm with lesser truncation (a
-   longer MAC) up to the full HMAC output.
-
-      Regardless of a lower acceptable truncated MAC length specified by
-   policy, a reply SHOULD be sent with a MAC at least as long as that in
-   the corresponding request unless the request specified a MAC length
-   longer than the HMAC output.
-
-      Implementations permitting policies with multiple acceptable
-   algorithms and/or truncations SHOULD permit this list to be ordered
-   by presumed strength and SHOULD allow different truncations for the
-   same algorithm to be treatred as spearate entities in this list. When
-   so implemented, policies SHOULD accept a presumed stronger algorithm
-   and truncation than the minimum strength required by the policy.
-
-      If a TSIG is received with truncation which is permitted under
-   Section 3 above but the MAC is too short for the policy in force, an
-   RCODE of TBA [22 suggested](BADTRUNC) MUST be returned.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-D. Eastlake 3rd                                                 [Page 7]
-
-
-INTERNET-DRAFT                                 HMAC-SHA TSIG Identifiers
-
-
-5. IANA Considerations
-
-   This document, on approval for publication as a standards track RFC,
-   (1) registers the new TSIG algorithm identifiers listed in Section 2
-   with IANA and (2) Section 4 allocates the BADTRUNC RCODE TBA [22
-   suggested].
-
-
-
-
-6. Security Considerations
-
-   For all of the message authentication code algorithms listed herein,
-   those producing longer values are believed to be stronger; however,
-   while there have been some arguments that mild truncation can
-   strengthen a MAC by reducing the information available to an
-   attacker, excessive truncation clearly weakens authentication by
-   reducing the number of bits an attacker has to try to brute force
-   [RFC 2104].
-
-   Significant progress has been made recently in cryptanalysis of hash
-   function of the type used herein, all of which ultimately derive from
-   the design of MD4. While the results so far should not effect HMAC,
-   the stronger SHA-1 and SHA-256 algorithms are being made mandatory
-   due to caution.
-
-   See the Security Considerations section of [RFC 2845].  See also the
-   Security Considerations section of [RFC 2104] from which the limits
-   on truncation in this RFC were taken.
-
-
-
-6. Copyright and Disclaimer
-
-   Copyright (C) The Internet Society (2005).  This document is subject to
-   the rights, licenses and restrictions contained in BCP 78, and except
-   as set forth therein, the authors retain all their rights.
-
-
-   This document and the information contained herein are provided on an
-   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
-   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
-   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
-   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
-   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-
-
-
-
-D. Eastlake 3rd                                                 [Page 8]
-
-
-INTERNET-DRAFT                                 HMAC-SHA TSIG Identifiers
-
-
-7. Normative References
-
-   [FIPS 180-2] - "Secure Hash Standard", (SHA-1/224/256/384/512) US
-   Federal Information Processing Standard, with Change Notice 1,
-   February 2004.
-
-   [RFC 1321] - Rivest, R., "The MD5 Message-Digest Algorithm ", RFC
-   1321, April 1992.
-
-   [RFC 2104] - Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
-   Hashing for Message Authentication", RFC 2104, February 1997.
-
-   [RFC 2119] - Bradner, S., "Key words for use in RFCs to Indicate
-   Requirement Levels", BCP 14, RFC 2119, March 1997.
-
-   [RFC 2845] - Vixie, P., Gudmundsson, O., Eastlake 3rd, D., and B.
-   Wellington, "Secret Key Transaction Authentication for DNS (TSIG)",
-   RFC 2845, May 2000.
-
-
-
-8. Informative References.
-
-   [RFC 2931] - Eastlake 3rd, D., "DNS Request and Transaction
-   Signatures ( SIG(0)s )", RFC 2931, September 2000.
-
-   [RFC 3174] - Eastlake 3rd, D. and P. Jones, "US Secure Hash Algorithm
-   1 (SHA1)", RFC 3174, September 2001.
-
-   [RFC 3645] - Kwan, S., Garg, P., Gilroy, J., Esibov, L., Westhead,
-   J., and R. Hall, "Generic Security Service Algorithm for Secret Key
-   Transaction Authentication for DNS (GSS-TSIG)", RFC 3645, October
-   2003.
-
-   [RFC 3874] - R. Housely, "A 224-bit One-way Hash Function: SHA-224",
-   September 2004,
-
-   [SHA2draft] - Eastlake, D., T. Hansen, "US Secure Hash Algorithms
-   (SHA)", work in progress.
-
-
-
-
-
-
-
-
-
-
-
-
-
-D. Eastlake 3rd                                                 [Page 9]
-
-
-INTERNET-DRAFT                                 HMAC-SHA TSIG Identifiers
-
-
-Author's Address
-
-   Donald E. Eastlake 3rd
-   Motorola Laboratories
-   155 Beaver Street
-   Milford, MA 01757 USA
-
-   Telephone:   +1-508-786-7554 (w)
-
-   EMail:       Donald.Eastlake@motorola.com
-
-
-
-Expiration and File Name
-
-   This draft expires in December 2005.
-
-   Its file name is draft-ietf-dnsext-tsig-sha-04.txt
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-D. Eastlake 3rd                                                [Page 10]
-
diff --git a/doc/draft/draft-ietf-dnsext-wcard-clarify-02.txt b/doc/draft/draft-ietf-dnsext-wcard-clarify-02.txt
new file mode 100644
index 00000000..d65fa710
--- /dev/null
+++ b/doc/draft/draft-ietf-dnsext-wcard-clarify-02.txt
@@ -0,0 +1,1010 @@
+
+
+
+
+
+
+dnsext Working Group                                           B. Halley
+Internet Draft                                                   Nominum
+Expiration Date: March 2004
+                                                                E. Lewis
+                                                                    ARIN
+
+                                                          September 2003
+
+
+                Clarifying the Role of Wild Card Domains
+                       in the Domain Name System
+
+
+                 draft-ietf-dnsext-wcard-clarify-02.txt
+
+Status of this Memo
+
+   This document is an Internet-Draft and is subject to all provisions
+   of Section 10 of RFC2026.
+
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF), its areas, and its working groups.  Note that
+   other groups may also distribute working documents as Internet-
+   Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time.  It is inappropriate to use Internet-Drafts as reference
+   material or to cite them other than as "work in progress."
+
+   The list of current Internet-Drafts can be accessed at
+   http://www.ietf.org/ietf/1id-abstracts.txt.
+
+   To view the list Internet-Draft Shadow Directories, see
+   http://www.ietf.org/shadow.html.
+
+Abstract
+
+   The definition of wild cards is recast from the original in RFC 1034,
+   in words that are more specific and in line with RFC 2119.  This
+   document is meant to supplement the definition in RFC 1034 and to
+   alter neither the spirit nor intent of that definition.
+
+
+
+
+
+
+
+
+
+Halley & Lewis            [Expires March 2004]                  [Page 1]
+
+Internet Draft   draft-ietf-dnsext-wcard-clarify-02.txt   September 2003
+
+
+Table of Contents
+
+          Abstract  ................................................   1
+    1     Introduction  ............................................   2
+    1.1   Document Limits  .........................................   3
+    1.2   Existence  ...............................................   4
+    1.3   An Example  ..............................................   4
+    1.4   Empty Non-terminals  .....................................   5
+    1.5   Terminology  .............................................   6
+    2     Defining the Wild Card Domain Name  ......................   7
+    3     Defining Existence  ......................................   8
+    4     Impact of a Wild Card In a Query or in RDATA  ............   8
+    5     Impact of a Wild Card Domain On a Response  ..............   9
+    6     Considerations with Special Types  .......................  12
+    6.1   SOA RR's at a Wild Card Domain Name  .....................  12
+    6.2   NS RR's at a Wild Card Domain Name  ......................  12
+    6.3   CNAME RR's at a Wild Card Domain Name  ...................  13
+    6.4   DNAME RR's at a Wild Card Domain Name  ...................  13
+    7     Security Considerations  .................................  14
+    8     References  ..............................................  14
+    9     Others Contributing to This Document  ....................  14
+   10     Editors  .................................................  15
+          Appendix A: Subdomains of Wild Card Domain Names  ........  16
+          Full Copyright Statement  ................................  18
+          Acknowledgement  .........................................  18
+
+
+
+
+1. Introduction
+
+   The first section of this document will give a crisp overview of what
+   is begin defined, as well as the motivation rewording of an original
+   document and making a change to bring the specification in line with
+   implementations.  Examples are included to help orient the reader.
+
+   Wild card domain names are defined in Section 4.3.3. of RFC 1034 as
+   "instructions for synthesizing RRs." [RFC1034].  The meaning of this
+   is that a specific, special domain name is used to construct
+   responses in instances in which the query name is not otherwise
+   represented in a zone.
+
+   A wild card domain name has a specific range of influence on query
+   names (QNAMEs) within a given class, which is rooted at the domain
+   name containing the wild card label, and is limited by explicit
+   entries, zone cuts and empty non-terminal domains (see section 1.3 of
+   this document).
+
+
+
+
+Halley & Lewis            [Expires March 2004]                  [Page 2]
+
+Internet Draft   draft-ietf-dnsext-wcard-clarify-02.txt   September 2003
+
+
+   Note that a wild card domain name has no special impact on the search
+   for a query type (QTYPE).  If a domain name is found that matches the
+   QNAME (exact or a wild card) but the QTYPE is not found at that
+   point, the proper response is that there is no data available.  The
+   search does not continue on to seek other wild cards that might match
+   the QTYPE.  To illustrate, a wild card owning an MX RR does not
+   'cover' other names in the zone that own an A RR.  There are certain
+   special case RR types that will be singled out for discussion, the
+   SOA RR, NS RR, CNAME RR, and DNAME RR.
+
+   Why is this document needed?  Empirical evidence suggests that the
+   words in RFC 1034 are not clear enough.  There exist a number of
+   implementations that have strayed (each differently) from that
+   definition.  There also exists a misconception of operators that the
+   wild card can be used to add a specific RR type to all names, such as
+   the MX RR example cited above.  This document is also needed as input
+   to efforts to extend DNS, such as the DNS Security Extensions [RFC
+   2535].  Lack of a clear base specification has proven to result in
+   extension documents that have unpredictable consequences.  (This is
+   true in general, not just for DNS.)
+
+   Another reason this clarification is needed is to answer questions
+   regarding authenticated denial of existence, a service introduced in
+   the DNS Security Extensions [RFC 2535].  Prior to the work leading up
+   to this document, it had been feared that a large number of proof
+   records (NXTs) might be needed in each reply because of the unknown
+   number of potential wild card domains that were thought to be
+   applicable.  One outcome of this fear is a now discontinued document
+   solving a problem that is now known not to exist.  I.e., this
+   clarification has the impact of defending against unwarranted
+   protocol surgery.  It is not "yet another" effort to just rewrite the
+   early specifications for the sake of purity.
+
+   Although the effort to define the DNS Security Extensions has
+   prompted this document, the clarifications herein relate to basic DNS
+   only.  No DNS Security Extensions considerations are mentioned in the
+   document.
+
+1.1. Document Limits
+
+   This document limits itself to reinforcing the concepts in RFC 1034.
+   In the effort to do this, a few issues have been discussed that
+   change parts of what is in RFC 1034.  The discussions have been held
+   within the DNS Extensions Working Group.
+
+
+
+
+
+
+
+Halley & Lewis            [Expires March 2004]                  [Page 3]
+
+Internet Draft   draft-ietf-dnsext-wcard-clarify-02.txt   September 2003
+
+
+   Briefly, the issues raised include:
+     - The lack of clarity in the definition of domain name existence
+     - Implications of a wild card domain name owning any of the
+       following resource record sets: DNAME [RFC 2672], CNAME, NS, and
+       SOA
+     - Whether RFC 1034 meant to allow special processing of CNAME RR's
+       owned by wild card domain names
+
+1.2. Existence
+
+   The notion that a domain name 'exists' will arise numerous times in
+   this discussion.  RFC 1034 raises the issue of existence in a number
+   of places, usually in reference to non-existence and often in
+   reference to processing involving wild card domain names.  RFC 1034
+   contains algorithms that describe how domain names impact the
+   preparation of an answer and does define wild cards as a means of
+   synthesizing answers.  Because of this a discussion on wild card
+   domain names has to start with the issue of existence.
+
+   To help clarify the topic of wild cards, a positive definition of
+   existence is needed.  Complicating matters, though, is the
+   realization that existence is relative.  To an authoritative server,
+   a domain name exists if the domain name plays a role following the
+   algorithms of preparing a response.  To a resolver, a domain name
+   exists if there is any data available corresponding to the name.  The
+   difference between the two is the synthesis of records according to a
+   wild card.
+
+   For the purposes of this document, the point of view of an
+   authoritative server is adopted.  A domain name is said to exist if
+   it plays a role in the execution of the algorithms in RFC 1034.
+
+1.3. An Example
+
+   For example, consider this wild card domain name: *.example.  Any
+   query name under example. is a candidate to be matched (answered) by
+   this wild card, i.e., to have an response returned that is
+   synthesized from the wild card's RR sets.  Although any name is a
+   candidate, not all queries will match.
+
+
+
+
+
+
+
+
+
+
+
+
+Halley & Lewis            [Expires March 2004]                  [Page 4]
+
+Internet Draft   draft-ietf-dnsext-wcard-clarify-02.txt   September 2003
+
+
+   To further illustrate this, consider this zone:
+
+             $ORIGIN example.
+             @                IN  SOA
+                                  NS
+                                  NS
+             *                    TXT "this is a wild card"
+                                  MX  10 mailhost.example.
+             host1                A   10.0.0.1
+             _ssh._tcp.host1      SRV
+             _ssh._tcp.host2      SRV
+             subdel               NS
+
+
+   The following queries would be synthesized from the wild card:
+
+        QNAME=host3.example. QTYPE=MX, QCLASS=IN
+             the answer will be a "host3.example. IN MX ..."
+        QNAME=host3.example. QTYPE=A, QCLASS=IN
+             the answer will reflect "no error, but no data"
+             because there is no A RR set at '*'
+
+   The following queries would not be synthesized from the wild card:
+
+        QNAME=host1.example., QTYPE=MX, QCLASS=IN
+             because host1.example. exists
+        QNAME=_telnet._tcp.host1.example., QTYPE=SRV, QCLASS=IN
+             because _tcp.host1.example. exists (without data)
+        QNAME=_telnet._tcp.host2.example., QTYPE=SRV, QCLASS=IN
+             because host2.example. exists (without data)
+        QNAME=host.subdel.example., QTYPE=A, QCLASS=IN
+             because subdel.example. exists and is a zone cut
+
+   To the server, the following domains are considered to exist in the
+   zone: *, host1, _tcp.host1, _ssh._tcp.host1, host2, _tcp.host2,
+   _ssh._tcp.host2, and subdel.  To a resolver, many more domains appear
+   to exist via the synthesis of the wild card.
+
+1.4. Empty Non-terminals
+
+   Empty non-terminals are domain names that own no data but have
+   subdomains.  This is defined in section 3.1 of RFC 1034:
+
+#    The domain name space is a tree structure.  Each node and leaf on the
+#    tree corresponds to a resource set (which may be empty).  The domain
+#    system makes no distinctions between the uses of the interior nodes and
+#    leaves, and this memo uses the term "node" to refer to both.
+
+
+
+
+Halley & Lewis            [Expires March 2004]                  [Page 5]
+
+Internet Draft   draft-ietf-dnsext-wcard-clarify-02.txt   September 2003
+
+
+   The parenthesized "which may be empty" specifies that empty non-
+   terminals are explicitly recognized.  According to the definition of
+   existence in this document, empty non-terminals do exist at the
+   server.
+
+   Carefully reading the above paragraph can lead to an interpretation
+   that all possible domains exist - up to the suggested limit of 255
+   octets for a domain name [RFC 1035].  For example, www.example. may
+   have an A RR, and as far as is practically concerned, is a leaf of
+   the domain tree.  But the definition can be taken to mean that
+   sub.www.example. also exists, albeit with no data.  By extension, all
+   possible domains exist, from the root on down.  As RFC 1034 also
+   defines "an authoritative name error indicating that the name does
+   not exist" in section 4.3.1, this is not the intent of the original
+   document.
+
+   RFC1034's wording is to be clarified by adding the following
+   paragraph:
+
+        A node is considered to have an impact on the algorithms of
+        4.3.2 if it is a leaf node with any resource sets or an interior
+        node, with or without a resource set, that has a subdomain that
+        is a leaf node with a resource set.  A QNAME and QCLASS matching
+        an existing node never results in a response return code of
+        authoritative name error.
+
+   The terminology in the above paragraph is chosen to remain as close
+   to that in the original document.  The term "with" is a alternate
+   form for "owning" in this case, hence "a leaf node owning resources
+   sets, or an interior node, owning or not owning any resource set,
+   that has a leaf node owning a resource set as a subdomain," is the
+   proper interpretation of the middle sentence.
+
+   As an aside, an "authoritative name error" has been called NXDOMAIN
+   in some RFCs, such as RFC 2136 [RFC 2136].  NXDOMAIN is the mnemonic
+   assigned to such an error by at least one implementation of DNS.  As
+   this mnemonic is specific to implementations, it is avoided in the
+   remainder of this document.
+
+1.5. Terminology
+
+   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+   document are to be interpreted as described in the document entitled
+   "Key words for use in RFCs to Indicate Requirement Levels." [RFC2119]
+
+   Requirements are denoted by paragraphs that begin with with the
+   following convention: 'R'<sect>.<count>.
+
+
+
+Halley & Lewis            [Expires March 2004]                  [Page 6]
+
+Internet Draft   draft-ietf-dnsext-wcard-clarify-02.txt   September 2003
+
+
+   Quotations of RFC 1034 (as has already been done once above) are
+   denoted by a '#' in the leftmost column.
+
+2. Defining the Wild Card Domain Name
+
+   A wild card domain name is defined by having the initial label be:
+
+        0000 0001 0010 1010 (binary) = 0x01 0x2a (hexadecimal)
+
+   This defines domain names that may play a role in being a wild card,
+   that is, being a source for synthesized answers.  Domain names
+   conforming to this definition that appear in queries and RDATA
+   sections do not have any special role.  These cases will be described
+   in more detail in following sections.
+
+   R2.1 A domain name that is to be interpreted as a wild card MUST
+        begin with a label of '0000 0001 0010 1010' in binary.
+
+   The first octet is the normal label type and length for a 1 octet
+   long label, the second octet is the ASCII representation [RFC 20] for
+   the '*' character.  In RFC 1034, ASCII encoding is assumed to be the
+   character encoding.
+
+   In the master file formats used in RFCs, a "*" is a legal
+   representation for the wild card label.  Even if the "*" is escaped,
+   it is still interpreted as the wild card when it is the only
+   character in the label.
+
+   R2.2 A server MUST treat a wild card domain name as the basis of
+        synthesized answers regardless of any "escape" sequences in the
+        input format.
+
+   RFC 1034 and RFC 1035 ignore the case in which a domain name might be
+   "the*.example.com." The interpretation is that this domain name in a
+   zone would only match queries for "the*.example.com" and not have any
+   other role.
+
+   Note: By virtue of this definition, a wild card domain name may have
+   a subdomain.  The subdomain (or sub-subdomain) itself may also be a
+   wild card.  E.g., *.*.example. is a wild card, so is *.sub.*.example.
+   More discussion on this is given in Appendix A.
+
+
+
+
+
+
+
+
+
+
+Halley & Lewis            [Expires March 2004]                  [Page 7]
+
+Internet Draft   draft-ietf-dnsext-wcard-clarify-02.txt   September 2003
+
+
+3. Defining Existence
+
+   As described in the Introduction, a precise definition of existence
+   is needed.
+
+   R3.1 An authoritative server MUST treat a domain name as existing
+        during the execution of the algorithms in RFC 1034 when the
+        domain name conforms to the following definition.  A domain name
+        is defined to exist if the domain name owns data and/or has a
+        subdomain that exists.
+
+   Note that at a zone boundary, the domain name owns data, including
+   the NS RR set.  At the delegating server, the NS RR set is not
+   authoritative, but that is of no consequence here.  The domain name
+   owns data, therefore, it exists.
+
+   R3.2 An authoritative server MUST treat a domain name that has
+        neither a resource record set nor an existing subdomain as non-
+        existent when executing the algorithm in section 4.3.2. of RFC
+        1034.
+
+   A note on terminology.  A domain transcends zones, i.e., all DNS data
+   is in the root domain but segmented into zones of control.  In this
+   document, there are references to a "domain name" in the context of
+   existing "in a zone." In this usage, a domain name is the root of a
+   domain, not the entire domain.  The domain's root point is said to
+   "exist in a zone" if the zone is authoritative for the name.  RR sets
+   existing in a domain need not be owned by the domain's root domain
+   name, but are owned by other domain names in the domain.
+
+4. Impact of a Wild Card In a Query or in RDATA
+
+   When a wild card domain name appears in a question, e.g., the query
+   name is "*.example.", the response in no way differs from any other
+   query.  In other words, the wild card label in a QNAME has no special
+   meaning, and query processing will proceed using '*' as a literal
+   query name.
+
+   R4.1 A wild card domain name acting as a QNAME MUST be treated as any
+        other QNAME, there MUST be no special processing accorded it.
+
+   If a wild card domain name appears in the RDATA of a CNAME RR or any
+   other RR that has a domain name in it, the same rule applies.  In the
+   instance of a CNAME RR, the wild card domain name is used in the same
+   manner of as being the original QNAME.  For other RR's, rules vary
+   regarding what is done with the domain name(s) appearing in them, in
+   no case does the wild card hold special meaning.
+
+
+
+
+Halley & Lewis            [Expires March 2004]                  [Page 8]
+
+Internet Draft   draft-ietf-dnsext-wcard-clarify-02.txt   September 2003
+
+
+   R4.2 A wild card domain name appearing in any RR's RDATA MUST be
+        treated as any other domain name in that situation, there MUST
+        be no special processing accorded it.
+
+5. Impact of a Wild Card Domain On a Response
+
+   The description of how wild cards impact response generation is in
+   RFC 1034, section 4.3.2.  That passage contains the algorithm
+   followed by a server in constructing a response.  Within that
+   algorithm, step 3, part 'c' defines the behavior of the wild card.
+   The algorithm is directly quoted in lines that begin with a '#' sign.
+   Commentary is interleaved.
+
+   There is a documentation issue deserving some explanation.  The
+   algorithm in RFC 1034, section 4.3.2. is not intended to be pseudo
+   code, i.e., it's steps are not intended to be followed in strict
+   order.  The "algorithm" is a suggestion.  As such, in step 3, parts
+   a, b, and c, do not have to be implemented in that order.
+
+   Another issue needing explanation is that RFC 1034 is a full
+   standard.  There is another RFC, RFC 2672, which makes, or proposes
+   an adjustment to RFC 1034's section 4.3.2 for the sake of the DNAME
+   RR.  RFC 2672 is a proposed standard.  The dilemma in writing these
+   clarifications is knowing which document is the one being clarified.
+   Fortunately, the difference between RFC 1034 and RFC 2672 is not
+   significant with respect to wild card synthesis, so this document
+   will continue to state that it is clarifying RFC 1034.  If RFC 2672
+   progresses along the standards track, it will need to refer to
+   modifying RFC 1034's algorithm as amended here.
+
+   The context of part 'c' is that the search is progressing label by
+   label through the QNAME.  (Note that the data being searched is the
+   authoritative data in the server, the cache is searched in step 4.)
+   Step 3's part 'a' covers the case that the QNAME has been matched in
+   full, regardless of the presence of a CNAME RR.  Step 'b' covers
+   crossing a cut point, resulting in a referral.  All that is left is
+   to look for the wild card.
+
+   Step 3 of the algorithm also assumes that the search is looking in
+   the zone closest to the answer, i.e., in the same class as QCLASS and
+   as close to the authority as possible on this server.  If the zone is
+   not the authority, then a referral is given, possibly one indicating
+   lameness.
+
+
+
+
+
+
+
+
+Halley & Lewis            [Expires March 2004]                  [Page 9]
+
+Internet Draft   draft-ietf-dnsext-wcard-clarify-02.txt   September 2003
+
+
+#         c. If at some label, a match is impossible (i.e., the
+#            corresponding label does not exist), look to see if a
+#            the "*" label exists.
+
+   The above paragraph refers to finding the domain name that exists in
+   the zone and that most encloses the QNAME.  Such a domain name will
+   mark the boundary of candidate wild card domain names that might be
+   used to synthesize an answer.  (Remember that at this point, if the
+   most enclosing name is the same as the QNAME, part 'a' would have
+   recorded an exact match.)  The existence of the enclosing name means
+   that no wild card name higher in the tree is a candidate to answer
+   the query.
+
+   Once the closest enclosing node is identified, there's the matter of
+   what exists below it.  It may have subdomains, but none will be
+   closer to the QNAME.  One of the subdomains just might be a wild
+   card.  If it exists, this is the only wild card eligible to be used
+   to synthesize an answer for the query.  Even if the closest enclosing
+   node conforms to the syntax rule in section 2 for being a wild card
+   domain name, the closest enclosing node is not eligible to be a
+   source of a synthesized answer.
+
+   The only wild card domain name that is a candidate to synthesize an
+   answer will be the "*" subdomain of the closest enclosing domain
+   name.  Three possibilities can happen.  The "*" subdomain does not
+   exist, the "*" subdomain does but does not have an RR set of the same
+   type as the QTYPE, or it exists and has the desired RR set.
+
+   For the sake of brevity, the closest enclosing node can be referred
+   to as the "closest encloser." The closest encloser is the most
+   important concept in this clarification.  Describing the closest
+   encloser is a bit tricky, but it is an easy concept.
+
+   To find the closest encloser, you have to first locate the zone that
+   is the authority for the query name.  This eliminates the need to be
+   concerned that the closest encloser is a cut point.  In addition, we
+   can assume too that the query name does not exist, hence the closest
+   encloser is not equal to the query name.  We can assume away these
+   two cases because they are handled in steps 2, 3a and 3b of section
+   4.3.2.'s algorithm.
+
+   What is left is to identify the existing domain name that would have
+   been up the tree (closer to the root) from the query name.  Knowing
+   that an exact match is impossible, if there is a "*" label descending
+   from the unique closest encloser, this is the one and only wild card
+   from which an answer can be synthesized for the query.
+
+
+
+
+
+Halley & Lewis            [Expires March 2004]                 [Page 10]
+
+Internet Draft   draft-ietf-dnsext-wcard-clarify-02.txt   September 2003
+
+
+   To illustrate, using the example in section 1.2 of this document, the
+   following chart shows QNAMEs and the closest enclosers.  In
+   Appendix A there is another chart showing unusual cases.
+
+        QNAME                        Closest Encloser     Wild Card Source
+        host3.example.               example.             *.example.
+        _telnet._tcp.host1.example.  _tcp.host1.example.  no wild card
+        _telnet._tcp.host2.example.  host2.example.       no wild card
+        _telnet._tcp.host3.example.  example.             *.example.
+        _chat._udp.host3.example.    example.             *.example.
+
+   Note that host1.subdel.example. is in a subzone, so the search for it
+   ends in a referral in part 'b', thus does not enter into finding a
+   closest encloser.
+
+   The fact that a closest encloser will be the only superdomain that
+   can have a candidate wild card will have an impact when it comes to
+   designing authenticated denial of existence proofs.
+
+#            If the "*" label does not exist, check whether the name
+#            we are looking for is the original QNAME in the query
+#            or a name we have followed due to a CNAME.  If the name
+#            is original, set an authoritative name error in the
+#            response and exit.  Otherwise just exit.
+
+   The above passage says that if there is not even a wild card domain
+   name to match at this point (failing to find an explicit answer
+   elsewhere), we are to return an authoritative name error at this
+   point.  If we were following a CNAME, the specification is unclear,
+   but seems to imply that a no error return code is appropriate, with
+   just the CNAME RR (or sequence of CNAME RRs) in the answer section.
+
+#            If the "*" label does exist, match RRs at that node
+#            against QTYPE.  If any match, copy them into the answer
+#            section, but set the owner of the RR to be QNAME, and
+#            not the node with the "*" label.  Go to step 6.
+
+   This final paragraph covers the role of the QTYPE in the process.
+   Note that if no resource record set matches the QTYPE the result is
+   that no data is copied, but the search still ceases ("Go to step
+   6.").  In the following section, a suggested change is made to this,
+   under the heading "CNAME RRs at a Wild Card Domain Name."
+
+
+
+
+
+
+
+
+
+Halley & Lewis            [Expires March 2004]                 [Page 11]
+
+Internet Draft   draft-ietf-dnsext-wcard-clarify-02.txt   September 2003
+
+
+6. Considerations with Special Types
+
+   For the purposes of this section, "special" means that a record
+   induces processing at the server beyond simple lookup.  The special
+   types in this section are SOA, NS, CNAME, and DNAME.  SOA is special
+   because it is used as a zone marker and has an impact on step 2 of
+   the algorithm in 4.3.2.  NS denotes a cut point and has an impact on
+   step 3b.  CNAME redirects the query and is mentioned in steps 3a and
+   3b.  DNAME is a "CNAME generator."
+
+6.1. SOA RR's at a Wild Card Domain Name
+
+   If the owner of an SOA record conforms to the basic rules of owning
+   an SOA RR (meaning it is the apex of a zone) the impact on the search
+   algorithm is not in section 3c (where records are synthesized) as
+   would be expected.  The impact is really in step 2 of the algorithm,
+   the choice of zone.
+
+   We are no longer talking about whether or not an SOA RR can be
+   synthesized in a response because we are shifting attention to step
+   2.  We are now talking about what it means for a name server to
+   synthesize a zone for a response.  To date, no implementation has
+   done this.  Thinking ahead though, anyone choosing to pursue this
+   would have to be aware that a server would have to be able to
+   distinguish between queries for data it will have to synthesize and
+   queries that ought to be treated as if they were prompted by a lame
+   delegation.
+
+   It is not a protocol error to have an SOA RR owned by a wild card
+   domain name, just as it is not an error to have zone name be
+   syntactically equivalent to a domain name.  However, this situation
+   requires careful consideration of how a server chooses the
+   appropriate zone for an answer.  And an SOA RR is not able to be
+   synthesized as in step 3c.
+
+6.2. NS RR's at a Wild Card Domain Name
+
+   Complimentary to the issue of an SOA RR owned by a wild card domain
+   name is the issue of NS RR's owned by a wild card domain name.  In
+   this instance, each machine being referred to in the RDATA of the NS
+   RR has to be able to understand the impact of this on step 2, the
+   choosing of the authoritative zone.
+
+   Referring to the same machine in such a NS RR will probably not work
+   well.  This is because the server may become confused as to whether
+   the query name ought to be answered by the zone owning the NS RR in
+   question or a synthesized zone.  (It isn't known in advance that the
+   query name will invoke the wild card synthesis.)
+
+
+
+Halley & Lewis            [Expires March 2004]                 [Page 12]
+
+Internet Draft   draft-ietf-dnsext-wcard-clarify-02.txt   September 2003
+
+
+   The status of other RR's owned by a wild card domain name is the same
+   as if the owner name was not a wild card domain name.  I.e., when
+   there is a NS RR at a wild card domain name, other records are
+   treated as being below the zone cut.
+
+   Is it not a protocol error to have a NS RR owned by a wild card
+   domian name, complimentary to the case of a SOA RR.  However, for
+   this to work, an implementation has to know how to synthesize a zone.
+
+6.3. CNAME RR's at a Wild Card Domain Name
+
+   The issue of CNAME RR's owned by wild card domain names has prompted
+   a suggested change to the last paragraph of step 3c of the algorithm
+   in 4.3.2.  The changed text is this:
+
+        If the "*" label does exist and if the data at the node is a
+        CNAME and QTYPE doesn't match CNAME, copy the CNAME RR into the
+        answer section of the response, set the owner of the CNAME RR to
+        be QNAME, and then change QNAME to the canonical name in the
+        CNAME RR, and go back to step 1.
+
+        If the "*" label does exist and either QTYPE is CNAME or the
+        data at the node is not a CNAME, then match RRs at that node
+        against QTYPE.  If any match, copy them into the answer section,
+        but set the owner of the RR to be QNAME, and not the node with
+        the "*" label.  Go to step 6.
+
+   Apologies if the above isn't clear, but an attempt was made to stitch
+   together the passage using just the phrases in section 3a and 3c of
+   the algorithm so as to preserve the original flavor.
+
+   In case the passage as suggested isn't clear enough, the intent is to
+   make "landing" at a wild card name and finding a CNAME the same as if
+   this happened as a result of a direct match.  I.e., Finding a CNAME
+   at the name matched in step 3c is supposed to have the same impact as
+   finding the CNAME in step 3a.
+
+6.4. DNAME RR's at a Wild Card Domain Name
+
+   The specification of the DNAME RR, which is at the proposed level of
+   standardization, is not as mature as the full standard in RFC 1034.
+   Because of this, or the reason for this is, there appears to be a
+   host of issues with that definition and it's rewrite of the algorithm
+   in 4.3.2.  For the time being, when it comes to wild card processing
+   issues, a DNAME can be considered to be a CNAME synthesizer.  A DNAME
+   at a wild card domain name is effectively the same as a CNAME at a
+   wild card domain name.
+
+
+
+
+Halley & Lewis            [Expires March 2004]                 [Page 13]
+
+Internet Draft   draft-ietf-dnsext-wcard-clarify-02.txt   September 2003
+
+
+7. Security Considerations
+
+   This document is refining the specifications to make it more likely
+   that security can be added to DNS.  No functional additions are being
+   made, just refining what is considered proper to allow the DNS,
+   security of the DNS, and extending the DNS to be more predictable.
+
+8. References
+
+   Normative References
+
+   [RFC 20] ASCII Format for Network Interchange, V.G. Cerf, Oct-16-1969
+
+   [RFC 1034] Domain Names - Concepts and Facilities, P.V. Mockapetris,
+               Nov-01-1987
+
+   [RFC 1035] Domain Names - Implementation and Specification, P.V
+               Mockapetris, Nov-01-1987
+
+   [RFC 2119] Key Words for Use in RFCs to Indicate Requirement Levels, S
+               Bradner, March 1997
+
+   Informative References
+
+   [RFC 2136] Dynamic Updates in the Domain Name System (DNS UPDATE), P. Vixie,
+               Ed., S. Thomson, Y. Rekhter, J. Bound, April 1997
+
+   [RFC 2535] Domain Name System Security Extensions, D. Eastlake, March 1999
+
+   [RFC 2672] Non-Terminal DNS Name Redirection, M. Crawford, August 1999
+
+9. Others Contributing to This Document
+
+   Others who have directly caused text to appear in the document: Paul
+   Vixie and Olaf Kolkman.  Many others have indirect influences on the
+   content.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Halley & Lewis            [Expires March 2004]                 [Page 14]
+
+Internet Draft   draft-ietf-dnsext-wcard-clarify-02.txt   September 2003
+
+
+10. Editors
+
+        Name:         Bob Halley
+        Affiliation:  Nominum, Inc.
+        Address:      2385 Bay Road, Redwood City, CA 94063 USA
+        Phone:        +1-650-381-6016
+        EMail:        Bob.Halley@nominum.com
+
+        Name:         Edward Lewis
+        Affiliation:  ARIN
+        Address:      3635 Concorde Pkwy, Suite 200, Chantilly, VA 20151 USA
+        Phone:        +1-703-227-9854
+        Email:        edlewis@arin.net
+
+   Comments on this document can be sent to the editors or the mailing
+   list for the DNSEXT WG, namedroppers@ops.ietf.org.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Halley & Lewis            [Expires March 2004]                 [Page 15]
+
+Internet Draft   draft-ietf-dnsext-wcard-clarify-02.txt   September 2003
+
+
+Appendix A: Subdomains of Wild Card Domain Names
+
+   In reading the definition of section 2 carefully, it is possible to
+   rationalize unusual names as legal.  In the example given,
+   *.example. could have subdomains of *.sub.*.example. and even the
+   more direct *.*.example.  (The implication here is that these domain
+   names own explicit resource records sets.)  Although defining these
+   names is not easy to justify, it is important that implementions
+   account for the possibility.  This section will give some further
+   guidence on handling these names.
+
+   The first thing to realize is that by all definitions, subdomains of
+   wild card domain names are legal.  In analyzing them, one realizes
+   that they cause no harm by their existence.  Because of this, they
+   are allowed to exist, i.e., there are no special case rules made to
+   disallow them.  The reason for not preventing these names is that the
+   prevention would just introduce more code paths to put into
+   implementations.
+
+   The concept of "closest enclosing" existing names is important to
+   keep in mind.  It is also important to realize that a wild card
+   domain name can be a closest encloser of a query name.  For example,
+   if *.*.example. is defined in a zone, and the query name is
+   a.*.example., then the closest enclosing domain name is *.example.
+   Keep in mind that the closest encloser is not eligible to be a source
+   of synthesized answers, just the subdomain of it that has the first
+   label "*".
+
+   To illustrate this, the following chart shows some matches.  Assume
+   that the names *.example., *.*.example., and *.sub.*.example. are
+   defined in the zone.
+
+        QNAME               Closest Encloser  Wild Card Source
+        a.example.          example.          *.example.
+        b.a.example.        example.          *.example.
+        a.*.example.        *.example.        *.*.example.
+        b.a.*.example.      *.example.        *.*.example.
+        b.a.*.*.example.    *.*.example.      no wild card
+        a.sub.*.example.    sub.*.example.    *.sub.*.example.
+        b.a.sub.*.example.  sub.*.example.    *.sub.*.example.
+        a.*.sub.*.example.  *.sub.*.example.  no wild card
+        *.a.example.        example.          *.example.
+        a.sub.b.example.    example.          *.example.
+
+   Recall that the closest encloser itself cannot be the wild card.
+   Therefore the match for b.a.*.*.example. has no applicable wild card.
+
+
+
+
+
+Halley & Lewis            [Expires March 2004]                 [Page 16]
+
+Internet Draft   draft-ietf-dnsext-wcard-clarify-02.txt   September 2003
+
+
+   Finally, if a query name is sub.*.example., any answer available will
+   come from an exact name match for sub.*.example.  No wild card
+   synthesis is performed in this case.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Halley & Lewis            [Expires March 2004]                 [Page 17]
+
+Internet Draft   draft-ietf-dnsext-wcard-clarify-02.txt   September 2003
+
+
+Full Copyright Statement
+
+   Copyright (C) The Internet Society 2003.  All Rights Reserved.
+
+   This document and translations of it may be copied and furnished to
+   others, and derivative works that comment on or otherwise explain it
+   or assist in its implementation may be prepared, copied, published
+   and distributed, in whole or in part, without restriction of any
+   kind, provided that the above copyright notice and this paragraph are
+   included on all such copies and derivative works.  However, this
+   document itself may not be modified in any way, such as by removing
+   the copyright notice or references to the Internet Society or other
+   Internet organizations, except as needed for the purpose of
+   developing Internet standards in which case the procedures for
+   copyrights defined in the Internet Standards process must be
+   followed, or as required to translate it into languages other than
+   English.
+
+   The limited permissions granted above are perpetual and will not be
+   revoked by the Internet Society or its successors or assigns.
+
+   This document and the information contained herein is provided on an
+   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+   Funding for the RFC Editor function is currently provided by the
+   Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Halley & Lewis            [Expires March 2004]                 [Page 18]
diff --git a/doc/draft/draft-ietf-dnsext-wcard-clarify-08.txt b/doc/draft/draft-ietf-dnsext-wcard-clarify-08.txt
deleted file mode 100644
index fad88aed..00000000
--- a/doc/draft/draft-ietf-dnsext-wcard-clarify-08.txt
+++ /dev/null
@@ -1,956 +0,0 @@
-DNSEXT Working Group                                          E. Lewis
-INTERNET DRAFT                                                 NeuStar
-Expiration Date: January 6, 2006                          July 6, 2005
-Updates RFC 1034, RFC 2672
-
-                             The Role of Wildcards
-                           in the Domain Name System
-                     draft-ietf-dnsext-wcard-clarify-08.txt
-
-Status of this Memo
-
-     By submitting this Internet-Draft, each author represents that
-     any applicable patent or other IPR claims of which he or she is
-     aware have been or will be disclosed, and any of which he or she
-     becomes aware will be disclosed, in accordance with Section 6 of
-     BCP 79.
-
-     Internet-Drafts are working documents of the Internet Engineering
-     Task Force (IETF), its areas, and its working groups.  Note that
-     other groups may also distribute working documents as Internet-
-     Drafts.
-
-     Internet-Drafts are draft documents valid for a maximum of six
-     months and may be updated, replaced, or obsoleted by other
-     documents at any time.  It is inappropriate to use Internet-Drafts
-     as reference material or to cite them other than as "work in
-     progress."
-
-     The list of current Internet-Drafts can be accessed at
-       http://www.ietf.org/ietf/1id-abstracts.txt
-
-     The list of Internet-Draft Shadow Directories can be accessed at
-       http://www.ietf.org/shadow.html
-
-     This Internet-Draft will expire on January 6, 2006.
-
-Copyright Notice
-
-     Copyright (C) The Internet Society (2005).
-
-Abstract
-
-     This is an update to the wildcard definition of RFC 1034.  The
-     interaction with wildcards and CNAME is changed, an error
-     condition removed, and the words defining some concepts central
-     to wildcards are changed.  The overall goal is not to change
-     wildcards, but to refine the definition of RFC 1034.
-
-Table of Contents
-
-1.    Introduction
-1.1   Motivation
-1.2   The Original Definition
-1.3   Roadmap to This Document
-1.3.1 New Terms
-1.3.2 Changed Text
-1.3.3 Considerations with Special Types
-1.4   Standards Terminology
-2.    Wildcard Syntax
-2.1   Identifying a Wildcard
-2.1.1 Wild Card Domain Name and Asterisk Label
-2.1.2 Asterisks and Other Characters
-2.1.3 Non-terminal Wild Card Domain Names
-2.2   Existence Rules
-2.2.1 An Example
-2.2.2 Empty Non-terminals
-2.2.3 Yet Another Definition of Existence
-2.3   When is a Wild Card Domain Name Not Special
-3.    Impact of a Wild Card Domain Name On a Response
-3.1   Step 2
-3.2   Step 3
-3.3   Part 'c'
-3.3.1 Closest Encloser and the Source of Synthesis
-3.3.2 Closest Encloser and Source of Synthesis Examples
-3.3.3 Type Matching
-4.    Considerations with Special Types
-4.1   SOA RRSet at a Wild Card Domain Name
-4.2   NS RRSet at a Wild Card Domain Name
-4.2.1 Discarded Notions
-4.3   CNAME RRSet at a Wild Card Domain Name
-4.4   DNAME RRSet at a Wild Card Domain Name
-4.5   SRV RRSet at a Wild Card Domain Name
-4.6   DS RRSet at a Wild Card Domain Name
-4.7   NSEC RRSet at a Wild Card Domain Name
-4.8   RRSIG at a Wild Card Domain Name
-4.9   Empty Non-terminal Wild Card Domain Name
-5.    Security Considerations
-6.    IANA Considerations
-7.    References
-8.    Editor
-9.    Others Contributing to the Document
-10.   Trailing Boilerplate
-
-1. Introduction
-
-     In RFC 1034 [RFC1034], sections 4.3.2 and 4.3.3 describe the
-     synthesis of answers from special resource records called
-     wildcards.  The definition in RFC 1034 is incomplete and has
-     proven to be confusing.  This document describes the wildcard
-     synthesis by adding to the discussion and making limited
-     modifications.  Modifications are made to close inconsistencies
-     that have led to interoperability issues.  This description
-     does not expand the service intended by the original definition.
-
-     Staying within the spirit and style of the original documents,
-     this document avoids specifying rules for DNS implementations
-     regarding wildcards.  The intention is to only describe what is
-     needed for interoperability, not restrict implementation choices.
-     In addition, consideration is given to minimize any backwards
-     compatibility issues with implementations that comply with RFC
-     1034's definition.
-
-     This document is focused on the concept of wildcards as defined
-     in RFC 1034.  Nothing is implied regarding alternative means of
-     synthesizing resource record sets, nor are alternatives discussed.
-
-1.1 Motivation
-
-     Many DNS implementations diverge, in different ways, from the
-     original definition of wildcards.  Although there is clearly a
-     need to clarify the original documents in light of this alone,
-     the impetus for this document lay in the engineering of the DNS
-     security extensions [RFC4033].  With an unclear definition of
-     wildcards the design of authenticated denial became entangled.
-
-     This document is intended to limit its changes, documenting only
-     those based on implementation experience, and to remain as close
-     to the original document as possible.  To reinforce that this
-     document is meant to clarify and adjust and not redefine wildcards,
-     relevant sections of RFC 1034 are repeated verbatim to facilitate
-     comparison of the old and new text.
-
-1.2 The Original Definition
-
-     The defintion of the wildcard concept is comprised by the
-     documentation of the algorithm by which a name server prepares
-     a response (in RFC 1034's section 4.3.2) and the way in which
-     a resource record (set) is identified as being a source of
-     synthetic data (section 4.3.3).
-
-     This is the definition of the term "wildcard" as it appears in
-     RFC 1034, section 4.3.3.
-
-# In the previous algorithm, special treatment was given to RRs with
-# owner names starting with the label "*".  Such RRs are called
-# wildcards. Wildcard RRs can be thought of as instructions for
-# synthesizing RRs.  When the appropriate conditions are met, the name
-# server creates RRs with an owner name equal to the query name and
-# contents taken from the wildcard RRs.
-
-     This passage follows the algorithm in which the term wildcard
-     is first used.   In this definition, wildcard refers to resource
-     records.  In other usage, wildcard has referred to domain names,
-     and it has been used to describe the operational practice of
-     relying on wildcards to generate answers.  It is clear from this
-     that there is a need to define clear and unambiguous terminology
-     in the process of discussing wildcards.
-
-     The mention of the use of wildcards in the preparation of a
-     response is contained in step 3c of RFC 1034's section 4.3.2
-     entitled "Algorithm."  Note that "wildcard" does not appear in
-     the algorithm, instead references are made to the "*" label.
-     The portion of the algorithm relating to wildcards is
-     deconstructed in detail in section 3 of this document, this is
-     the beginning of the relevant portion of the "Algorithm."
-
-#    c. If at some label, a match is impossible (i.e., the
-#       corresponding label does not exist), look to see if [...]
-#       the "*" label exists.
-
-     The scope of this document is the RFC 1034 definition of
-     wildcards and the implications of updates to those documents,
-     such as DNSSEC.  Alternate schemes for synthesizing answers are
-     not considered.  (Note that there is no reference listed.  No
-     document is known to describe any alternate schemes, although
-     there has been some mention of them in mailing lists.)
-
-1.3 Roadmap to This Document
-
-     This document accomplishes these three items.
-     o Defines new terms
-     o Makes minor changes to avoid conflicting concepts
-     o Describes the actions of certain resource records as wildcards
-
-1.3.1 New Terms
-
-     To help in discussing what resource records are wildcards, two
-     terms will be defined - "asterisk label" and "wild card domain
-     name".  These are defined in section 2.1.1.
-
-     To assist in clarifying the role of wildcards in the name server
-     algorithm in RFC 1034, 4.3.2, "source of synthesis" and "closest
-     encloser" are defined.  These definitions are in section 3.3.2.
-     "Label match" is defined in section 3.2.
-
-     The new terms are used to make discussions of wildcards clearer.
-     Terminology doesn't directly have an impact on implementations.
-
-1.3.2 Changed Text
-
-     The definition of "existence" is changed superficially.  This
-     change will not be apparent to implementations; it is needed to
-     make descriptions more precise.  The change appears in section
-     2.2.3.
-
-     RFC 1034, section 4.3.3., seems to prohibit having two asterisk
-     labels in a wildcard owner name.  With this document the
-     restriction is removed entirely.  This change and its implications
-     are in section 2.1.3.
-
-     The actions when a source of synthesis owns a CNAME RR are
-     changed to mirror the actions if an exact match name owns a
-     CNAME RR.  This is an addition to the words in RFC 1034,
-     section 4.3.2, step 3, part c.  The discussion of this is in
-     section 3.3.3.
-
-     Only the latter change represents an impact to implementations.
-     The definition of existence is not a protocol impact.  The change
-     to the restriction on names is unlikely to have an impact, as
-     RFC 1034 contained no specification on when and how to enforce the
-     restriction.
-
-1.3.3 Considerations with Special Types
-
-     This document describes semantics of wildcard RRSets for
-     "interesting" types as well as empty non-terminal wildcards.
-     Understanding these situations in the context of wildcards has
-     been clouded because these types incur special processing if
-     they are the result of an exact match.  This discussion is in
-     section 4.
-
-     These discussions do not have an implementation impact, they cover
-     existing knowledge of the types, but to a greater level of detail.
-
-1.4 Standards Terminology
-
-     This document does not use terms as defined in "Key words for use
-     in RFCs to Indicate Requirement Levels." [RFC2119]
-
-     Quotations of RFC 1034 are denoted by a '#' in the leftmost
-     column.  References to section "4.3.2" are assumed to refer
-     to RFC 1034's section 4.3.2, simply titled "Algorithm."
-
-2. Wildcard Syntax
-
-     The syntax of a wildcard is the same as any other DNS resource
-     record, across all classes and types.  The only significant
-     feature is the owner name.
-
-     Because wildcards are encoded as resource records with special
-     names, they are included in zone transfers and incremental zone
-     transfers[RFC1995] just as non-wildcard resource records are.
-     This feature has been underappreciated until discussions on
-     alternative approaches to wildcards appeared on mailing lists.
-
-2.1 Identifying a Wildcard
-
-     To provide a more accurate description of wildcards, the
-     definition has to start with a discussion of the domain names
-     that appear as owners.  Two new terms are needed, "Asterisk
-     Label" and "Wild Card Domain Name."
-
-2.1.1 Wild Card Domain Name and Asterisk Label
-
-     A "wild card domain name" is defined by having its initial
-     (i.e., left-most or least significant) label be, in binary format:
-
-          0000 0001 0010 1010 (binary) = 0x01 0x2a (hexadecimal)
-
-     The first octet is the normal label type and length for a 1 octet
-     long label, the second octet is the ASCII representation [RFC20]
-     for the '*' character.
-
-     A descriptive name of a label equaling that value is an "asterisk
-     label."
-
-     RFC 1034's definition of wildcard would be "a resource record
-     owned by a wild card domain name."
-
-2.1.2 Asterisks and Other Characters
-
-     No label values other than that in section 2.1.1 are asterisk
-     labels, hence names beginning with other labels are never wild
-     card domain names.  Labels such as 'the*' and '**' are not
-     asterisk labels so these labels do not start wild card domain
-     names.
-
-2.1.3 Non-terminal Wild Card Domain Names
-
-     In section 4.3.3, the following is stated:
-
-# ..........................  The owner name of the wildcard RRs is of
-# the form "*.<anydomain>", where <anydomain> is any domain name.
-# <anydomain> should not contain other * labels......................
-
-     The restriction is now removed.  The original documentation of it
-     is incomplete and the restriction does not serve any purpose given
-     years of operational experience.
-
-     There are three possible reasons for putting the restriction in
-     place, but none of the three has held up over time.  One is
-     that the restriction meant that there would never be subdomains
-     of wild card domain names, but the restriciton as stated still
-     permits "example.*.example." for instance.  Another is that
-     wild card domain names are not intended to be empty non-terminals,
-     but this situation does not disrupt the algorithm in 4.3.2.
-     Finally, "nested" wild card domain names are not ambiguous once
-     the concept of the closest encloser had been documented.
-
-     A wild card domain name can have subdomains.  There is no need
-     to inspect the subdomains to see if there is another asterisk
-     label in any subdomain.
-
-     A wild card domain name can be an empty non-terminal.  (See the
-     upcoming sections on empty non-terminals.)  In this case, any
-     lookup encountering it will terminate as would any empty
-     non-terminal match.
-
-2.2 Existence Rules
-
-     The notion that a domain name 'exists' is mentioned in the
-     definition of wildcards.  In section 4.3.3 of RFC 1034:
-
-# Wildcard RRs do not apply:
-#
-...
-#   - When the query name or a name between the wildcard domain and
-#     the query name is know[n] to exist.  For example, if a wildcard
-
-     "Existence" is therefore an important concept in the understanding
-     of wildcards.  Unfortunately, the definition of what exists, in RFC
-     1034, is unlcear.  So, in sections 2.2.2. and 2.2.3, another look is
-     taken at the definition of existence.
-
-2.2.1 An Example
-
-     To illustrate what is meant by existence consider this complete
-     zone:
-
-       $ORIGIN example.
-       example.                 3600 IN  SOA   <SOA RDATA>
-       example.                 3600     NS    ns.example.com.
-       example.                 3600     NS    ns.example.net.
-       *.example.               3600     TXT   "this is a wild card"
-       *.example.               3600     MX    10 host1.example.
-       sub.*.example.           3600     TXT   "this is not a wild card"
-       host1.example.           3600     A     192.0.4.1
-       _ssh._tcp.host1.example. 3600     SRV  <SRV RDATA>
-       _ssh._tcp.host2.example. 3600     SRV  <SRV RDATA>
-       subdel.example.          3600     NS   ns.example.com.
-       subdel.example.          3600     NS   ns.example.net.
-
-     A look at the domain names in a tree structure is helpful:
-
-                                   |
-                   -------------example------------
-                  /           /         \          \
-                 /           /           \          \
-                /           /             \          \
-               *          host1          host2      subdel
-               |            |             |
-               |            |             |
-              sub         _tcp          _tcp
-                            |             |
-                            |             |
-                          _ssh          _ssh
-
-     The following responses would be synthesized from one of the
-     wildcards in the zone:
-
-         QNAME=host3.example. QTYPE=MX, QCLASS=IN
-              the answer will be a "host3.example. IN MX ..."
-
-         QNAME=host3.example. QTYPE=A, QCLASS=IN
-              the answer will reflect "no error, but no data"
-              because there is no A RR set at '*.example.'
-
-         QNAME=foo.bar.example. QTYPE=TXT, QCLASS=IN
-              the answer will be "foo.bar.example. IN TXT ..."
-              because bar.example. does not exist, but the wildcard
-              does.
-
-     The following responses would not be synthesized from any of the
-     wildcards in the zone:
-
-         QNAME=host1.example., QTYPE=MX, QCLASS=IN
-              because host1.example. exists
-
-         QNAME=sub.*.example., QTYPE=MX, QCLASS=IN
-              because sub.*.example. exists
-
-         QNAME=_telnet._tcp.host1.example., QTYPE=SRV, QCLASS=IN
-              because _tcp.host1.example. exists (without data)
-
-         QNAME=host.subdel.example., QTYPE=A, QCLASS=IN
-              because subdel.example. exists (and is a zone cut)
-
-         QNAME=ghost.*.example., QTYPE=MX, QCLASS=IN
-              because *.example. exists
-
-     The final example highlights one common misconception about
-     wildcards.  A wildcard "blocks itself" in the sense that a
-     wildcard does not match its own subdomains.  I.e. "*.example."
-     does not match all names in the "example." zone, it fails to
-     match the names below "*.example." To cover names under
-     "*.example.", another wild card domain name is needed -
-     "*.*.example." - which covers all but it's own subdomains.
-
-2.2.2 Empty Non-terminals
-
-     Empty non-terminals [RFC2136, Section 7.16] are domain names
-     that own no resource records but have subdomains that do.  In
-     section 2.2.1, "_tcp.host1.example." is an example of a empty
-     non-terminal name.  Empty non-terminals are introduced by this
-     text in section 3.1 of RFC 1034:
-
-# The domain name space is a tree structure.  Each node and leaf on
-# the tree corresponds to a resource set (which may be empty).  The
-# domain system makes no distinctions between the uses of the
-# interior nodes and leaves, and this memo uses the term "node" to
-# refer to both.
-
-     The parenthesized "which may be empty" specifies that empty non-
-     terminals are explicitly recognized, and that empty non-terminals
-     "exist."
-
-     Pedantically reading the above paragraph can lead to an
-     interpretation that all possible domains exist - up to the
-     suggested limit of 255 octets for a domain name [RFC1035].
-     For example, www.example. may have an A RR, and as far as is
-     practically concerned, is a leaf of the domain tree.  But the
-     definition can be taken to mean that sub.www.example. also
-     exists, albeit with no data.  By extension, all possible domains
-     exist, from the root on down.
-
-     As RFC 1034 also defines "an authoritative name error indicating
-     that the name does not exist" in section 4.3.1, so this apparently
-     is not the intent of the original definition, justifying the
-     need for an updated definition in the next section.
-
-2.2.3 Yet Another Definition of Existence
-
-     RFC1034's wording is fixed by the following paragraph:
-
-     The domain name space is a tree structure.  Nodes in the tree
-     either own at least one RRSet and/or have descendants that
-     collectively own at least one RRSet.  A node may exist with no
-     RRSets only if it has descendents that do, this node is an empty
-     non-terminal.
-
-     A node with no descendants is a leaf node.  Empty leaf nodes do
-     not exist.
-
-     Note that at a zone boundary, the domain name owns data,
-     including the NS RR set.  In the delegating zone, the NS RR
-     set is not authoritative, but that is of no consequence here.
-     The domain name owns data, therefore, it exists.
-
-2.3 When is a Wild Card Domain Name Not Special
-
-     When a wild card domain name appears in a message's query section,
-     no special processing occurs.  An asterisk label in a query name
-     only matches a single, corresponding asterisk label in the
-     existing zone tree when the 4.3.2 algorithm is being followed.
-
-     When a wild card domain name appears in the resource data of a
-     record, no special processing occurs.  An asterisk label in that
-     context literally means just an asterisk.
-
-3. Impact of a Wild Card Domain Name On a Response
-
-     RFC 1034's description of how wildcards impact response
-     generation is in its section 4.3.2.  That passage contains the
-     algorithm followed by a server in constructing a response.
-     Within that algorithm, step 3, part 'c' defines the behavior of
-     the wildcard.
-
-     The algorithm in section 4.3.2. is not intended to be pseudo-code,
-     i.e., its steps are not intended to be followed in strict order.
-     The "algorithm" is a suggested means of implementing the
-     requirements.  As such, in step 3, parts a, b, and c, do not have
-     to be implemented in that order, provided that the result of the
-     implemented code is compliant with the protocol's specification.
-
-3.1 Step 2
-
-     Step 2 of the section 4.3.2 reads:
-
-#   2. Search the available zones for the zone which is the nearest
-#      ancestor to QNAME.  If such a zone is found, go to step 3,
-#      otherwise step 4.
-
-     In this step, the most appropriate zone for the response is
-     chosen.  The significance of this step is that it means all of
-     step 3 is being performed within one zone.  This has significance
-     when considering whether or not an SOA RR can be ever be used for
-     synthesis.
-
-3.2 Step 3
-
-     Step 3 is dominated by three parts, labelled 'a', 'b', and 'c'.
-     But the beginning of the step is important and needs explanation.
-
-#   3. Start matching down, label by label, in the zone.  The
-#      matching process can terminate several ways:
-
-     The word 'matching' refers to label matching.  The concept
-     is based in the view of the zone as the tree of existing names.
-     The query name is considered to be an ordered sequence of
-     labels - as if the name were a path from the root to the owner
-     of the desired data.  (Which it is - 3rd paragraph of RFC 1034,
-     section 3.1.)
-
-     The process of label matching a query name ends in exactly one of
-     three choices, the parts 'a', 'b', and 'c'.  Either the name is
-     found, the name is below a cut point, or the name is not found.
-
-     Once one of the parts is chosen, the other parts are not
-     considered.  (E.g., do not execute part 'c' and then change
-     the execution path to finish in part 'b'.)  The process of label
-     matching is also done independent of the query type (QTYPE).
-
-     Parts 'a' and 'b' are not an issue for this clarification as they
-     do not relate to record synthesis.  Part 'a' is an exact match
-     that results in an answer, part 'b' is a referral.
-
-3.3 Part 'c'
-
-     The context of part 'c' is that the process of label matching the
-     labels of the query name has resulted in a situation in which
-     there is no corresponding label in the tree.  It is as if the
-     lookup has "fallen off the tree."
-
-#     c. If at some label, a match is impossible (i.e., the
-#        corresponding label does not exist), look to see if [...]
-#        the "*" label exists.
-
-     To help describe the process of looking 'to see if [...] the "*"
-     label exists' a term has been coined to describe the last domain
-     (node) matched.  The term is "closest encloser."
-
-3.3.1 Closest Encloser and the Source of Synthesis
-
-     The closest encloser is the node in the zone's tree of existing
-     domain names that has the most labels matching the query name
-     (consecutively, counting from the root label downward). Each match
-     is a "label match" and the order of the labels is the same.
-
-     The closest encloser is, by definition, an existing name in the
-     zone.  The closest encloser might be an empty non-terminal or even
-     be a wild card domain name itself.  In no circumstances is the
-     closest encloser to be used to synthesize records for the current
-     query.
-
-     The source of synthesis is defined in the context of a query
-     process as that wild card domain name immediately descending
-     from the closest encloser, provided that this wild card domain
-     name exists.  "Immediately descending" means that the source
-     of synthesis has a name of the form:
-           <asterisk label>.<closest encloser>.
-     A source of synthesis does not guarantee having a RRSet to use
-     for synthesis.  The source of synthesis could be an empty
-     non-terminal.
-
-     If the source of synthesis does not exist (not on the domain
-     tree), there will be no wildcard synthesis.  There is no search
-     for an alternate.
-
-     The important concept is that for any given lookup process, there
-     is at most one place at which wildcard synthetic records can be
-     obtained.  If the source of synthesis does not exist, the lookup
-     terminates, the lookup does not look for other wildcard records.
-
-3.3.2 Closest Encloser and Source of Synthesis Examples
-
-     To illustrate, using the example zone in section 2.2.1 of this
-     document, the following chart shows QNAMEs and the closest
-     enclosers.
-
-     QNAME                       Closest Encloser    Source of Synthesis
-     host3.example.              example.            *.example.
-     _telnet._tcp.host1.example. _tcp.host1.example. no source
-     _telnet._tcp.host2.example. host2.example.      no source
-     _telnet._tcp.host3.example. example.            *.example.
-     _chat._udp.host3.example.   example.            *.example.
-     foobar.*.example.           *.example.          no source
-
-3.3.3 Type Matching
-
-      RFC 1034 concludes part 'c' with this:
-
-#            If the "*" label does not exist, check whether the name
-#            we are looking for is the original QNAME in the query
-#            or a name we have followed due to a CNAME.  If the name
-#            is original, set an authoritative name error in the
-#            response and exit.  Otherwise just exit.
-#
-#            If the "*" label does exist, match RRs at that node
-#            against QTYPE.  If any match, copy them into the answer
-#            section, but set the owner of the RR to be QNAME, and
-#            not the node with the "*" label.  Go to step 6.
-
-     The final paragraph covers the role of the QTYPE in the lookup
-     process.
-
-     Based on implementation feedback and similarities between step
-     'a' and step 'c' a change to this passage has been made.
-
-     The change is to add the following text to step 'c' prior to the
-     instructions to "go to step 6":
-
-              If the data at the source of synthesis is a CNAME, and
-              QTYPE doesn't match CNAME, copy the CNAME RR into the
-              answer section of the response changing the owner name
-              to the QNAME, change QNAME to the canonical name in the
-              CNAME RR, and go back to step 1.
-
-     This is essentially the same text in step a covering the
-     processing of CNAME RRSets.
-
-4. Considerations with Special Types
-
-     Sections 2 and 3 of this document discuss wildcard synthesis
-     with respect to names in the domain tree and ignore the impact
-     of types.  In this section, the implication of wildcards of
-     specific types are discussed.  The types covered are those
-     that have proven to be the most difficult to understand.  The
-     types are SOA, NS, CNAME, DNAME, SRV, DS, NSEC, RRSIG and
-     "none," i.e., empty non-terminal wild card domain names.
-
-4.1 SOA RRSet at a Wild Card Domain Name
-
-     A wild card domain name owning an SOA RRSet means that the
-     domain is at the root of the zone (apex).  The domain can not
-     be a source of synthesis because that is, by definition, a
-     descendent node (of the closest encloser) and a zone apex is
-     at the top of the zone.
-
-     Although a wild card domain name owning an SOA RRSet can never
-     be a source of synthesis, there is no reason to forbid the
-     ownership of an SOA RRSet.
-
-     E.g., given this zone:
-            $ORIGIN *.example.
-            @                 3600 IN  SOA   <SOA RDATA>
-                              3600     NS    ns1.example.com.
-                              3600     NS    ns1.example.net.
-            www               3600     TXT   "the www txt record"
-
-     A query for www.*.example.'s TXT record would still find the
-     "the www txt record" answer.  The reason is that the asterisk
-     label only becomes significant when section's 4.3.2, step 3
-     part 'c' in in effect.
-
-     Of course, there would need to be a delegation in the parent
-     zone, "example." for this to work too.  This is covered in the
-     next section.
-
-4.2 NS RRSet at a Wild Card Domain Name
-
-     With the definition of DNSSEC [RFC4033, RFC4034, RFC4035] now
-     in place, the semantics of a wild card domain name owning an
-     NS RRSet has come to be poorly defined.  The dilemma relates to
-     a conflict between the rules for synthesis in part 'c' and the
-     fact that the resulting synthesis generates a record for which
-     the zone is not authoritative.  In a DNSSEC signed zone, the
-     mechanics of signature management (generation and inclusion
-     in a message) become unclear.
-
-     After some lengthy discussions, there has been no clear "best
-     answer" on how to document the semantics of such a situation.
-     Barring such records from the DNS would require definition of
-     rules for that, as well as introducing a restriction on records
-     that were once legal.  Allowing such records and amending the
-     process of signature management would entail complicating the
-     DNSSEC definition.
-
-     There is one more ingredient to the discussion, that being the
-     utility of a wild card domain name owned NS RRSet.  Although
-     there are cases of this use, it is an operational rarity.
-     Expending effort to close this topic has proven to be an
-     exercise in diminishing returns.
-
-     In summary, there is no definition given for wild card domain
-     names owning an NS RRSet.  The semantics are left undefined until
-     there is a clear need to have a set defined, and until there is
-     a clear direction to proceed.  Operationally, inclusion of wild
-     card NS RRSets in a zone is discouraged, but not barred.
-
-4.2.1 Discarded Notions
-
-     Prior to DNSSEC, a wild card domain name owning a NS RRSet
-     appeared to be workable, and there are some instances in which
-     it is found in deployments using implementations that support
-     this.  Continuing to allow this in the specificaion is not
-     tenable with DNSSEC.  The reason is that the synthesis of the
-     NS RRSet is being done in a zone that has delegated away the
-     responsibility for the name.  This "unauthorized" synthesis is
-     not a problem for the base DNS protocol, but DNSSEC, in affirming
-     the authorization model for DNS exposes the problem.
-
-     Outright banning of wildcards of type NS is also untenable as
-     the DNS protocol does not define how to handle "illegal" data.
-     Implementations may choose not to load a zone, but there is no
-     protocol definition.  The lack of the definition is complicated
-     by having to cover dynamic update [RFC 2136], zone transfers,
-     as well as loading at the master server.  The case of a client
-     (resolver, cacheing server) getting a wildcard of type NS in
-     a reply would also have to be considered.
-
-     Given the daunting challenge of a complete definition of how to
-     ban such records, dealing with existing implementations that
-     permit the records today is a further complication.  There are
-     uses of wild card domain name owning NS RRSets.
-
-     One compromise proposed would have redefined wildcards of type
-     NS to not be used in synthesis, this compromise fell apart
-     because it would have required significant edits to the DNSSEC
-     signing and validation work.  (Again, DNSSEC catches
-     unauthorized data.)
-
-     With no clear consensus forming on the solution to this dilemma,
-     and the realization that wildcards of type NS are a rarity in
-     operations, the best course of action is to leave this open-ended
-     until "it matters."
-
-4.3 CNAME RRSet at a Wild Card Domain Name
-
-     The issue of a CNAME RRSet owned by a wild card domain name has
-     prompted a suggested change to the last paragraph of step 3c of
-     the algorithm in 4.3.2.  The changed text appears in section
-     3.3.3 of this document.
-
-4.4 DNAME RRSet at a Wild Card Domain Name
-
-     Ownership of a DNAME [RFC2672] RRSet by a wild card domain name
-     represents a threat to the coherency of the DNS and is to be
-     avoided or outright rejected.  Such a DNAME RRSet represents
-     non-deterministic synthesis of rules fed to different caches.
-     As caches are fed the different rules (in an unpredictable
-     manner) the caches will cease to be coherent.  ("As caches
-     are fed" refers to the storage in a cache of records obtained
-     in responses by recursive or iterative servers.)
-
-     For example, assume one cache, responding to a recursive
-     request, obtains the record:
-        "a.b.example. DNAME foo.bar.example.net."
-     and another cache obtains:
-        "b.example.  DNAME foo.bar.example.net."
-     both generated from the record:
-        "*.example. DNAME foo.bar.example.net."
-     by an authoritative server.
-
-     The DNAME specification is not clear on whether DNAME records
-     in a cache are used to rewrite queries.  In some interpretations,
-     the rewrite occurs, in some, it is not.  Allowing for the
-     occurrence of rewriting, queries for "sub.a.b.example. A" may
-     be rewritten as "sub.foo.bar.tld. A" by the former caching
-     server and may be rewritten as "sub.a.foo.bar.tld. A" by the
-     latter.  Coherency is lost, an operational nightmare ensues.
-
-     Another justification for banning or avoiding wildcard DNAME
-     records is the observation that such a record could synthesize
-     a DNAME owned by "sub.foo.bar.example." and "foo.bar.example."
-     There is a restriction in the DNAME definition that no domain
-     exist below a DNAME-owning domain, hence, the wildcard DNAME
-     is not to be permitted.
-
-4.5 SRV RRSet at a Wild Card Domain Name
-
-     The definition of the SRV RRset is RFC 2782 [RFC2782].  In the
-     definition of the record, there is some confusion over the term
-     "Name."  The definition reads as follows:
-
-# The format of the SRV RR
-...
-#    _Service._Proto.Name TTL Class SRV Priority Weight Port Target
-...
-#  Name
-#   The domain this RR refers to.  The SRV RR is unique in that the
-#   name one searches for is not this name; the example near the end
-#   shows this clearly.
-
-     Do not confuse the definition "Name" with the owner name.  I.e.,
-     once removing the _Service and _Proto labels from the owner name
-     of the SRV RRSet, what remains could be a wild card domain name
-     but this is immaterial to the SRV RRSet.
-
-     E.g.,  If an SRV record is:
-        _foo._udp.*.example. 10800 IN SRV 0 1 9 old-slow-box.example.
-
-     *.example is a wild card domain name and although it it the Name
-     of the SRV RR, it is not the owner (domain name).  The owner
-     domain name is "_foo._udp.*.example." which is not a wild card
-     domain name.
-
-     The confusion is likely based on the mixture of the specification
-     of the SRV RR and the description of a "use case."
-
-4.6 DS RRSet at a Wild Card Domain Name
-
-     A DS RRSet owned by a wild card domain name is meaningless and
-     harmless.  This statement is made in the context that an NS RRSet
-     at a wild card domain name is undefined.  At a non-delegation
-     point, a DS RRSet has no value (no corresponding DNSKEY RRSet
-     will be used in DNSSEC validation).  If there is a synthesized
-     DS RRSet, it alone will not be very useful as it exists in the
-     context of a delegation point.
-
-4.7 NSEC RRSet at a Wild Card Domain Name
-
-     Wild card domain names in DNSSEC signed zones will have an NSEC
-     RRSet.  Synthesis of these records will only occur when the
-     query exactly matches the record.  Synthesized NSEC RR's will not
-     be harmful as they will never be used in negative caching or to
-     generate a negative response.
-
-4.8 RRSIG at a Wild Card Domain Name
-
-     RRSIG records will be present at a wild card domain name in a
-     signed zone, and will be synthesized along with data sought in a
-     query.  The fact that the owner name is synthesized is not a
-     problem as the label count in the RRSIG will instruct the
-     verifying code to ignore it.
-
-4.9 Empty Non-terminal Wild Card Domain Name
-
-     If a source of synthesis is an empty non-terminal, then the
-     response will be one of no error in the return code and no RRSet
-     in the answer section.
-
-5. Security Considerations
-
-     This document is refining the specifications to make it more
-     likely that security can be added to DNS.  No functional
-     additions are being made, just refining what is considered
-     proper to allow the DNS, security of the DNS, and extending
-     the DNS to be more predictable.
-
-6. IANA Considerations
-
-      None.
-
-7. References
-
-     Normative References
-
-     [RFC20]   ASCII Format for Network Interchange, V.G. Cerf,
-               Oct-16-1969
-
-     [RFC1034] Domain Names - Concepts and Facilities,
-               P.V. Mockapetris, Nov-01-1987
-
-     [RFC1035] Domain Names - Implementation and Specification, P.V
-               Mockapetris, Nov-01-1987
-
-     [RFC1995] Incremental Zone Transfer in DNS, M. Ohta, August 1996
-
-     [RFC2119] Key Words for Use in RFCs to Indicate Requirement
-               Levels, S Bradner, March 1997
-
-     [RFC2181] Clarifications to the DNS Specification, R. Elz and
-               R. Bush, July 1997
-
-     [RFC2308] Negative Caching of DNS Queries (DNS NCACHE),
-               M. Andrews, March 1998
-
-     [RFC2672] Non-Terminal DNS Name Redirection, M. Crawford,
-               August 1999.
-
-     [RFC2782] A DNS RR for specifying the location of services (DNS
-               SRV), A. Gulbrandsen, et.al., February 2000
-
-     [RFC4033] DNS Security Introduction and Requirements, R. Arends,
-               et.al., March 2005
-
-     [RFC4034] Resource Records for the DNS Security Extensions,
-               R. Arends, et.al., March 2005
-
-     [RFC4035] Protocol Modifications for the DNS Security Extensions,
-               R. Arends, et.al., March 2005
-
-     [RFC2672] Non-Terminal DNS Name Redirection, M. Crawford,
-               August 1999
-
-     Informative References
-
-     [RFC2136] Dynamic Updates in the Domain Name System (DNS UPDATE),
-               P. Vixie, Ed., S. Thomson, Y. Rekhter, J. Bound,
-               April 1997
-
-8. Editor
-
-          Name:         Edward Lewis
-          Affiliation:  NeuStar
-          Address:      46000 Center Oak Plaza, Sterling, VA, 20166, US
-          Phone:        +1-571-434-5468
-          Email:        ed.lewis@neustar.biz
-
-     Comments on this document can be sent to the editor or the mailing
-     list for the DNSEXT WG, namedroppers@ops.ietf.org.
-
-9. Others Contributing to the Document
-
-     This document represents the work of a large working group.  The
-     editor merely recorded the collective wisdom of the working group.
-
-10. Trailing Boilerplate
-
-     Copyright (C) The Internet Society (2005).
-
-     This document is subject to the rights, licenses and restrictions
-     contained in BCP 78, and except as set forth therein, the authors
-     retain all their rights.
-
-     This document and the information contained herein are provided
-     on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION
-     HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET
-     SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL
-     WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO
-     ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT
-     INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
-     MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Intellectual Property
-
-     The IETF takes no position regarding the validity or scope of
-     any Intellectual Property Rights or other rights that might
-     be claimed to pertain to the implementation or use of the
-     technology described in this document or the extent to which
-     any license under such rights might or might not be available;
-     nor does it represent that it has made any independent effort
-     to identify any such rights.  Information on the procedures
-     with respect to rights in RFC documents can be found in BCP 78
-     and BCP 79.
-
-     Copies of IPR disclosures made to the IETF Secretariat and any
-     assurances of licenses to be made available, or the result of an
-     attempt made to obtain a general license or permission for the
-     use of such proprietary rights by implementers or users of this
-     specification can be obtained from the IETF on-line IPR
-     repository at http://www.ietf.org/ipr.  The IETF invites any
-     interested party to bring to its attention any copyrights,
-     patents or patent applications, or other proprietary rights
-     that may cover technology that may be required to implement
-     this standard.  Please address the information to the IETF at
-     ietf-ipr@ietf.org.
-
-Acknowledgement
-
-     Funding for the RFC Editor function is currently provided by the
-     Internet Society.
-
-Expiration
-
-     This document expires on or about January 6, 2006.
diff --git a/doc/draft/draft-ietf-dnsop-bad-dns-res-02.txt b/doc/draft/draft-ietf-dnsop-bad-dns-res-02.txt
new file mode 100644
index 00000000..e9943015
--- /dev/null
+++ b/doc/draft/draft-ietf-dnsop-bad-dns-res-02.txt
@@ -0,0 +1,1120 @@
+
+
+DNS Operations                                                 M. Larson
+Internet-Draft                                                 P. Barber
+Expires: August 16, 2004                                        VeriSign
+                                                       February 16, 2004
+
+
+                  Observed DNS Resolution Misbehavior
+                    draft-ietf-dnsop-bad-dns-res-02
+
+Status of this Memo
+
+   This document is an Internet-Draft and is in full conformance with
+   all provisions of Section 10 of RFC2026.
+
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF), its areas, and its working groups. Note that other
+   groups may also distribute working documents as Internet-Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time. It is inappropriate to use Internet-Drafts as reference
+   material or to cite them other than as "work in progress."
+
+   The list of current Internet-Drafts can be accessed at http://
+   www.ietf.org/ietf/1id-abstracts.txt.
+
+   The list of Internet-Draft Shadow Directories can be accessed at
+   http://www.ietf.org/shadow.html.
+
+   This Internet-Draft will expire on August 16, 2004.
+
+Copyright Notice
+
+   Copyright (C) The Internet Society (2004). All Rights Reserved.
+
+Abstract
+
+   This Internet-Draft describes DNS name server and resolver behavior
+   that results in a significant query volume sent to the root and
+   top-level domain (TLD) name servers.  In some cases we recommend
+   minor additions to the DNS protocol specification and corresponding
+   changes in name server implementations to alleviate these unnecessary
+   queries. The recommendations made in this document are a direct
+   byproduct of observation and analysis of abnormal query traffic
+   patterns seen at two of the thirteen root name servers and all
+   thirteen com/net TLD name servers.
+
+   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+
+
+
+Larson & Barber         Expires August 16, 2004                 [Page 1]
+
+Internet-Draft    Observed DNS Resolution Misbehavior      February 2004
+
+
+   document are to be interpreted as described in RFC 2119 [1].
+
+Table of Contents
+
+   1.     Introduction . . . . . . . . . . . . . . . . . . . . . . .   3
+   2.     Observed name server misbehavior . . . . . . . . . . . . .   4
+   2.1    Aggressive requerying for delegation information . . . . .   4
+   2.1.1  Recommendation . . . . . . . . . . . . . . . . . . . . . .   5
+   2.2    Repeated queries to lame servers . . . . . . . . . . . . .   5
+   2.2.1  Recommendation . . . . . . . . . . . . . . . . . . . . . .   6
+   2.3    Inability to follow multiple levels of out-of-zone glue  .   6
+   2.3.1  Recommendation . . . . . . . . . . . . . . . . . . . . . .   7
+   2.4    Aggressive retransmission when fetching glue . . . . . . .   7
+   2.4.1  Recommendation . . . . . . . . . . . . . . . . . . . . . .   8
+   2.5    Aggressive retransmission behind firewalls . . . . . . . .   8
+   2.5.1  Recommendation . . . . . . . . . . . . . . . . . . . . . .   8
+   2.6    Misconfigured NS records . . . . . . . . . . . . . . . . .   9
+   2.6.1  Recommendation . . . . . . . . . . . . . . . . . . . . . .  10
+   2.7    Name server records with zero TTL  . . . . . . . . . . . .  10
+   2.7.1  Recommendation . . . . . . . . . . . . . . . . . . . . . .  11
+   2.8    Unnecessary dynamic update messages  . . . . . . . . . . .  11
+   2.8.1  Recommendation . . . . . . . . . . . . . . . . . . . . . .  11
+   2.9    Queries for domain names resembling IP addresses . . . . .  12
+   2.9.1  Recommendation . . . . . . . . . . . . . . . . . . . . . .  12
+   2.10   Misdirected recursive queries  . . . . . . . . . . . . . .  12
+   2.10.1 Recommendation . . . . . . . . . . . . . . . . . . . . . .  13
+   2.11   Suboptimal name server selection algorithm . . . . . . . .  13
+   2.11.1 Recommendation . . . . . . . . . . . . . . . . . . . . . .  13
+   3.     IANA considerations  . . . . . . . . . . . . . . . . . . .  15
+   4.     Security considerations  . . . . . . . . . . . . . . . . .  16
+   5.     Internationalization considerations  . . . . . . . . . . .  17
+          Normative References . . . . . . . . . . . . . . . . . . .  18
+          Authors' Addresses . . . . . . . . . . . . . . . . . . . .  18
+          Intellectual Property and Copyright Statements . . . . . .  19
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Larson & Barber         Expires August 16, 2004                 [Page 2]
+
+Internet-Draft    Observed DNS Resolution Misbehavior      February 2004
+
+
+1. Introduction
+
+   Observation of query traffic received by two root name servers and
+   the thirteen com/net TLD name servers has revealed that a large
+   proportion of the total traffic often consists of "requeries".  A
+   requery is the same question (<qname, qtype, qclass>) asked
+   repeatedly at an unexpectedly high rate.  We have observed requeries
+   from both a single IP address and multiple IP addresses.
+
+   By analyzing requery events we have found that the cause of the
+   duplicate traffic is almost always a deficient name server, stub
+   resolver and/or application implementation combined with an
+   operational anomaly.  The implementation deficiencies we have
+   identified to date include well-intentioned recovery attempts gone
+   awry, insufficient caching of failures, early abort when multiple
+   levels of glue records must be followed, and aggressive retry by stub
+   resolvers and/or applications.  Anomalies that we have seen trigger
+   requery events include lame delegations, unusual glue records, and
+   anything that makes all authoritative name servers for a zone
+   unreachable (DoS attacks, crashes, maintenance, routing failures,
+   congestion, etc.).
+
+   In the following sections, we provide a detailed explanation of the
+   observed behavior and recommend changes that will reduce the requery
+   rate.  Some of the changes recommended affect the core DNS protocol
+   specification, described principally in RFC 1034 [2], RFC 1035 [3]
+   and RFC 2181 [4].
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Larson & Barber         Expires August 16, 2004                 [Page 3]
+
+Internet-Draft    Observed DNS Resolution Misbehavior      February 2004
+
+
+2. Observed name server misbehavior
+
+2.1 Aggressive requerying for delegation information
+
+   There can be times when every name server in a zone's NS RRset is
+   unreachable (e.g., during a network outage), unavailable (e.g., the
+   name server process is not running on the server host) or
+   misconfigured (e.g., the name server is not authoritative for the
+   given zone, also known as "lame").  Consider a recursive name server
+   that attempts to resolve a query for a domain name in such a zone and
+   discovers that none of the zone's name servers can provide an answer.
+   We have observed a recursive name server implementation that then
+   verifies the zone's NS RRset in its cache by querying for the zone's
+   delegation information: it sends a query for the zone's NS RRset to
+   one of the parent zone's name servers.
+
+   For example, suppose that "example.com" has the following NS RRset:
+
+     example.com.   IN   NS   ns1.example.com.
+     example.com.   IN   NS   ns2.example.com.
+
+   Upon receipt of a query for "www.example.com" and assuming that
+   neither "ns1.example.com" nor "ns2.example.com" can provide an
+   answer, this recursive name server implementation immediately queries
+   a "com" zone name server for the "example.com" NS RRset to verify it
+   has the proper delegation information.  This name server
+   implementation performs this query to a zone's parent zone for each
+   recursive query it receives that fails because of a completely
+   unresponsive set of name servers for the target zone.  Consider the
+   effect when a popular zone experiences a catastrophic failure of all
+   its name servers: now every recursive query for domain names in that
+   zone sent to this name server implementation results in a query to
+   the failed zone's parent name servers.  On one occasion when several
+   dozen popular zones became unreachable, the query load on the com/net
+   name servers increased by 50%.
+
+   We believe this verification query is not reasonable.  Consider the
+   circumstances: When a recursive name server is resolving a query for
+   a domain name in a zone it has not previously searched, it uses the
+   list of name servers in the referral from the target zone's parent.
+   If on its first attempt to search the target zone, none of the name
+   servers in the referral is reachable, a verification query to the
+   parent is pointless: this query to the parent would come so quickly
+   on the heels of the referral that it would be almost certain to
+   contain the same list of name servers.  The chance of discovering any
+   new information is slim.
+
+   The other possibility is that the recursive name server successfully
+
+
+
+Larson & Barber         Expires August 16, 2004                 [Page 4]
+
+Internet-Draft    Observed DNS Resolution Misbehavior      February 2004
+
+
+   contacts one of the target zone's name servers and then caches the NS
+   RRset from the authority section of a response, the proper behavior
+   according to section 5.4.1 of RFC 2181 [4], because the NS RRset from
+   the target zone is more trustworthy than delegation information from
+   the parent zone.  If, while processing a subsequent recursive query,
+   the recursing name server discovers that none of the name servers
+   specified in the cached NS RRset is available or authoritative,
+   querying the parent would be wrong.  An NS RRset from the parent zone
+   would now be less trustworthy than data already in the cache.
+
+   For this query of the parent zone to be useful, the target zone's
+   entire set of name servers would have to change AND the former set of
+   name servers would have to be deconfigured and/or decommissioned AND
+   the delegation information in the parent zone would have to be
+   updated with the new set of name servers, all within the TTL of the
+   target zone's NS RRset.  We believe this scenario is uncommon:
+   administrative best practices dictate that changes to a zone's set of
+   name servers happen gradually, with servers that are removed from the
+   NS RRset left authoritative for the zone as long as possible.  The
+   scenarios that we can envision that would benefit from the parent
+   requery behavior do not outweigh its damaging effects.
+
+2.1.1 Recommendation
+
+   Name servers offering recursion MUST NOT send a query for the NS
+   RRset of a non-responsive zone to any of the name servers for that
+   zone's parent zone.  For the purposes of this injunction, a
+   non-responsive zone is defined as a zone for which every name server
+   listed in the zone's NS RRset:
+
+   1.  is not authoritative for the zone (i.e., lame), or,
+
+   2.  returns a server failure response (RCODE=2), or,
+
+   3.  is dead or unreachable according to section 7.2 of RFC 2308 [5].
+
+
+2.2 Repeated queries to lame servers
+
+   Section 2.1 describes a catastrophic failure: when every name server
+   for a zone is unable to provide an answer for one reason or another.
+   A more common occurrence is a subset of a zone's name servers being
+   unavailable or misconfigured.  Different failure modes have different
+   expected durations.  Some symptoms indicate problems that are
+   potentially transient: various types of ICMP unreachable messages
+   because a name server process is not running or a host or network is
+   unreachable, or a complete lack of a response to a query.  Such
+   responses could be the result of a host rebooting or temporary
+
+
+
+Larson & Barber         Expires August 16, 2004                 [Page 5]
+
+Internet-Draft    Observed DNS Resolution Misbehavior      February 2004
+
+
+   outages; these events don't necessarily require any human
+   intervention and can be reasonably expected to be temporary.
+
+   Other symptoms clearly indicate a condition requiring human
+   intervention, such as lame server: if a name server is misconfigured
+   and not authoritative for a zone delegated to it, it is reasonable to
+   assume that this condition has potential to last longer than
+   unreachability or unresponsiveness.  Consequently, repeated queries
+   to known lame servers are not useful.  In this case of a condition
+   with potential to persist for a long time, a better practice would be
+   to maintain a list of known lame servers and avoid querying them
+   repeatedly in a short interval.
+
+2.2.1 Recommendation
+
+   Recursive name servers SHOULD cache name servers that they discover
+   are not authoritative for zones delegated to them (i.e. lame
+   servers). Lame servers MUST be cached against the specific query
+   tuple <zone name, class, server IP address>.  Zone name can be
+   derived from the owner name of the NS record that was referenced to
+   query the name server that was discovered to be lame.
+   Implementations that perform lame server caching MUST refrain from
+   sending queries to known lame servers based on a time interval from
+   when the server is discovered to be lame.  A minimum interval of
+   thirty minutes is RECOMMENDED.
+
+2.3 Inability to follow multiple levels of out-of-zone glue
+
+   Some recursive name server implementations are unable to follow more
+   than one level of out-of-zone glue.  For example, consider the
+   following delegations:
+
+     foo.example.        IN   NS   ns1.example.com.
+     foo.example.        IN   NS   ns2.example.com.
+
+     example.com.        IN   NS   ns1.test.example.net.
+     example.com.        IN   NS   ns2.test.example.net.
+
+     test.example.net.   IN   NS   ns1.test.example.net.
+     test.example.net.   IN   NS   ns2.test.example.net.
+
+   A name server processing a recursive query for "www.foo.example" must
+   follow two levels of indirection, first obtaining address records for
+   "ns1.test.example.net" and/or "ns2.test.example.net" in order to
+   obtain address records for "ns1.example.com" and/or "ns2.example.com"
+   in order to query those name servers for the address records of
+   "www.foo.example".  While this situation may appear contrived, we
+   have seen multiple similar occurrences and expect more as new generic
+
+
+
+Larson & Barber         Expires August 16, 2004                 [Page 6]
+
+Internet-Draft    Observed DNS Resolution Misbehavior      February 2004
+
+
+   top-level domains (gTLDs) become active.  We anticipate many zones in
+   the new gTLDs will use name servers in other gTLDs, increasing the
+   amount of inter-zone glue.
+
+2.3.1 Recommendation
+
+   Clearly constructing a delegation that relies on multiple levels of
+   out-of-zone glue is not a good administrative practice.  This issue
+   could be mitigated with an operational injunction in an RFC to
+   refrain from construction of such delegations.  In our opinion the
+   practice is widespread enough to merit clarifications to the DNS
+   protocol specification to permit it on a limited basis.
+
+   Name servers offering recursion SHOULD be able to handle at least
+   three levels of indirection resulting from out-of-zone glue.
+
+2.4 Aggressive retransmission when fetching glue
+
+   When an authoritative name server responds with a referral, it
+   includes NS records in the authority section of the response.
+   According to the algorithm in section 4.3.2 of RFC 1034 [2], the name
+   server should also "put whatever addresses are available into the
+   additional section, using glue RRs if the addresses are not available
+   from authoritative data or the cache."  Some name server
+   implementations take this address inclusion a step further with a
+   feature called "glue fetching".  A name server that implements glue
+   fetching attempts to include A records for every NS record in the
+   authority section.  If necessary, the name server issues multiple
+   queries of its own to obtain any missing A records.
+
+   Problems with glue fetching can arise in the context of
+   "authoritative-only" name servers, which only serve authoritative
+   data and ignore requests for recursion.  Such a server will not
+   generate any queries of its own.  Instead it answers non-recursive
+   queries from resolvers looking for information in zones it serves.
+   With glue fetching enabled, however, an authoritative server will
+   generate queries whenever it needs to look up an unknown address
+   record to complete the additional section of a response.
+
+   We have observed situations where a glue-fetching name server can
+   send queries that reach other name servers, but apparently is
+   prevented from receiving the responses.  For example, perhaps the
+   name server is authoritative-only and therefore its administrators
+   expect it to receive only queries.  Perhaps unaware of glue fetching
+   and presuming that the name server will generate no queries, its
+   administrators place the name server behind a network device that
+   prevents it from receiving responses.  If this is the case, all
+   glue-fetching queries will go answered.
+
+
+
+Larson & Barber         Expires August 16, 2004                 [Page 7]
+
+Internet-Draft    Observed DNS Resolution Misbehavior      February 2004
+
+
+   We have observed name server implementations that retry excessively
+   when glue-fetching queries are unanswered.  A single com/net name
+   server has received hundreds of queries per second from a single name
+   server.  Judging from the specific queries received and based on
+   additional analysis, we believe these queries result from overly
+   aggressive glue fetching.
+
+2.4.1 Recommendation
+
+   Implementers whose name servers support glue fetching should take
+   care to avoid sending queries at excessive rates.  Implementations
+   should support throttling logic to detect when queries are sent but
+   no responses are received.
+
+2.5 Aggressive retransmission behind firewalls
+
+   A common occurrence and one of the largest sources of repeated
+   queries at the com/net and root name servers appears to result from
+   resolvers behind misconfigured firewalls.  In this situation, a
+   recursive name server is apparently allowed to send queries through a
+   firewall to other name servers, but not receive the responses.  The
+   result is more queries than necessary because of retransmission, all
+   of which are useless because the responses are never received.  Just
+   as with the glue-fetching scenario described in Section 2.4, the
+   queries are sometimes sent at excessive rates.  To make matters
+   worse, sometimes the responses, sent in reply to legitimate queries,
+   trigger an alarm on the originator's intrusion detection system.  We
+   are frequently contacted by administrators responding to such alarms
+   who believe our name servers are attacking their systems.
+
+   Not only do some resolvers in this situation retransmit queries at an
+   excessive rate, but they continue to do so for days or even weeks.
+   This scenario could result from an organization with multiple
+   recursive name servers, only a subset of whose traffic is improperly
+   filtered in this manner.  Stub resolvers in the organization could be
+   configured to query multiple name servers.  Consider the case where a
+   stub resolver queries a filtered name server first.  This name server
+   sends one or more queries whose replies are filtered, so it can't
+   respond to the stub resolver, which times out.  The resolver
+   retransmits to a name server that is able to provide an answer.
+   Since resolution ultimately succeeds the underlying problem might not
+   be recognized or corrected.  A popular stub resolver has a very
+   aggressive retransmission schedule, including simultaneous queries to
+   multiple name servers, which could explain how such a situation could
+   persist without being detected.
+
+2.5.1 Recommendation
+
+
+
+
+Larson & Barber         Expires August 16, 2004                 [Page 8]
+
+Internet-Draft    Observed DNS Resolution Misbehavior      February 2004
+
+
+   The most obvious recommendation is that administrators should take
+   care not to place recursive name servers behind a firewall that
+   prohibits queries to pass through but not the resulting replies.
+
+   Name servers should take care to avoid sending queries at excessive
+   rates.  Implementations should support throttling logic to detect
+   when queries are sent but no responses are received.
+
+2.6 Misconfigured NS records
+
+   Sometimes a zone administrator forgets to add the trailing dot on the
+   domain names in the RDATA of a zone's NS records.  Consider this
+   fragment of the zone file for "example.com":
+
+     $ORIGIN example.com.
+     example.com.      3600   IN   NS   ns1.example.com  ; Note missing
+     example.com.      3600   IN   NS   ns2.example.com  ; trailing dots
+
+   The zone's authoritative servers will parse the NS RDATA as
+   "ns1.example.com.example.com" and "ns2.example.com.example.com" and
+   return NS records with this incorrect RDATA in responses, including
+   typically the authority section of every response containing records
+   from the "example.com" zone.
+
+   Now consider a typical sequence of queries.  A recursive name server
+   attempting to resolve A records for "www.example.com" with no cached
+   information for this zone will query a "com" authoritative server.
+   The "com" server responds with a referral to the "example.com" zone,
+   consisting of NS records with valid RDATA and associated glue
+   records. (This example assumes that the "example.com" zone
+   information is correct in the "com" zone.)  The recursive name server
+   caches the NS RRset from the "com" server and follows the referral by
+   querying one of the "example.com" authoritative servers.  This server
+   responds with the "www.example.com" A record in the answer section
+   and, typically, the "example.com" NS records in the authority section
+   and, if space in the message remains, glue A records in the
+   additional section. According to Section 5.4 of RFC 2181 [4], NS
+   records in the authority section of an authoritative answer are more
+   trustworthy than NS records from the authority section of a
+   non-authoritative answer.  Thus the "example.com" NS RRset just
+   received from the "example.com" authoritative server displaces the
+   "example.com" NS RRset received moments ago from the "com"
+   authoritative server.
+
+   But the "example.com" zone contains the erroneous NS RRset as shown
+   in the example above.  Subsequent queries for names in "example.com"
+   will cause the server to attempt to use the incorrect NS records and
+   so the server will try to resolve the nonexistent names
+
+
+
+Larson & Barber         Expires August 16, 2004                 [Page 9]
+
+Internet-Draft    Observed DNS Resolution Misbehavior      February 2004
+
+
+   "ns1.example.com.example.com" and "ns2.example.com.example.com".  In
+   this example, since all of the zone's name servers are named in the
+   zone itself (i.e., "ns1.example.com.example.com" and
+   "ns2.example.com.example.com" both end in "example.com") and all are
+   bogus, the recursive server cannot reach any "example.com" name
+   servers.  Therefore attempts to resolve these names result in A
+   record queries to the "com' authoritative servers.  Queries for such
+   obviously bogus glue A records occur frequently at the com/net name
+   servers.
+
+2.6.1 Recommendation
+
+   An authoritative server can detect this situation.  A trailing dot
+   missing from an NS record's RDATA always results by definition in a
+   name server name that is in the zone.  But any in-zone name server
+   should have a corresponding glue A record also in the zone.  An
+   authoritative name server should report an error when a zone's NS
+   record references an in-zone name server without a corresponding glue
+   A record.
+
+2.7 Name server records with zero TTL
+
+   Sometimes a popular com/net subdomain's zone is configured with a TTL
+   of zero on the zone's NS records, which prohibits these records from
+   being cached and will result in a higher query volume to the zone's
+   authoritative servers.  The zone's administrator should understand
+   the consequences of such a configuration and provision resources
+   accordingly.  A zero TTL on the zone's NS RRset, however, carries
+   additional consequences beyond the zone itself: if a recursive name
+   server cannot cache a zone's NS records because of a zero TTL, it
+   will be forced to query that zone's parent's name servers each time
+   it resolves a name in the zone.  The com/net authoritative servers do
+   see an increased query load when a popular com/net subdomain's zone
+   is configured with a TTL of zero on the zone's NS records.
+
+   A zero TTL on an RRset expected to change frequently is extreme but
+   permissible.  A zone's NS RRset is a special case, however, because
+   changes to it must be coordinated with the zone's parent.  In most
+   zone parent/child relationships we are aware of, there is typically
+   some delay involved in effecting changes.  Further, changes to the
+   set of a zone's authoritative name servers (and therefore to the
+   zone's NS RRset) are typically relatively rare: providing reliable
+   authoritative service requires a reasonably stable set of servers.
+   Therefore an extremely low or zero TTL on a zone's NS RRset rarely
+   makes sense, except in anticipation of an upcoming change.  In this
+   case, when the zone's administrator has planned a change and does not
+   want recursive name servers throughout the Internet to cache the NS
+   RRset for a long period of time, a low TTL is reasonable.
+
+
+
+Larson & Barber         Expires August 16, 2004                [Page 10]
+
+Internet-Draft    Observed DNS Resolution Misbehavior      February 2004
+
+
+2.7.1 Recommendation
+
+   Because of the additional load placed on a zone's parent's
+   authoritative servers imposed by a zero TTL on a zone's NS RRset,
+   under such circumstances authoritative name servers should issue a
+   warning when loading a zone or refuse to load the zone altogether.
+
+2.8 Unnecessary dynamic update messages
+
+   The UPDATE message specified in RFC 2136 [6] allows an authorized
+   agent to update a zone's data on an authoritative name server using a
+   DNS message sent over the network.  Consider the case of an agent
+   desiring to add a particular resource record. Because of zone cuts,
+   the agent does not necessarily know the proper zone to which the
+   record should be added.  The dynamic update process requires that the
+   agent determine the appropriate zone so the UPDATE message can be
+   sent to one of the zone's authoritative servers (typically the
+   primary master as specified in the zone's SOA MNAME field).
+
+   The appropriate zone to update is the closest enclosing zone, which
+   is the lowest zone in the name space.  The closest enclosing zone
+   cannot be determined only by inspecting the domain name of the record
+   to be updated, since zone cuts can occur anywhere.  One way to
+   determine the closest enclosing zone involves working up the name
+   space tree and sending repeated UPDATE messages until success.  For
+   example, consider an agent attempting to add an A record with the
+   name "foo.bar.example.com".  The agent could first attempt to update
+   the "foo.bar.example.com" zone.  If the attempt failed, the update
+   could be directed to the "bar.example.com" zone, then the
+   "example.com" zone, then the "com" zone, and finally the root zone.
+
+   A popular dynamic agent follows this algorithm.  The result is many
+   UPDATE messages received by the root name servers, the com/net
+   authoritative servers, and presumably other TLD authoritative
+   servers. A reasonable question is why the algorithm proceeds with
+   sending updates all the way to TLD and root name servers.  In
+   enterprise DNS architectures with an "internal root" design, there
+   could conceivably be private, non-public TLD or root zones that would
+   be the appropriate target for a dynamic update.  However, we question
+   if designing an algorithm to accommodate these limited cases is worth
+   the load it places on the public DNS in the form of unnecessary
+   UPDATE messages.
+
+2.8.1 Recommendation
+
+   Dynamic update agents should not attempt to send UPDATE messages to
+   authoritative servers for TLD zones or the root zone by default.  If
+   this functionality is supported, it should be require specific action
+
+
+
+Larson & Barber         Expires August 16, 2004                [Page 11]
+
+Internet-Draft    Observed DNS Resolution Misbehavior      February 2004
+
+
+   by a user to be enabled.
+
+2.9 Queries for domain names resembling IP addresses
+
+   The root name servers receive a significant number of A record
+   queries where the qname is an IP address.  The source of these
+   queries is unknown.  It could be attributed to situations where a
+   user believes an application will accept either a domain name or an
+   IP address in a given configuration option.  The user enters an IP
+   address, but the application assumes any input is a domain name and
+   attempts to resolve it, resulting in an A record lookup.  There could
+   also be applications that produce such queries in a misguided attempt
+   to reverse map IP addresses.
+
+   These queries result in Name Error (RCODE=3) responses.  A recursive
+   name server can negatively cache such responses, but each response
+   requires a separate cache entry, i.e., a negative cache entry for the
+   domain name "192.0.2.1" does not prevent a subsequent query for the
+   domain name "192.0.2.2".
+
+2.9.1 Recommendation
+
+   It would be desirable for the root name servers not to have to answer
+   these queries: they unnecessarily consume CPU resources and network
+   bandwidth.  One possibility is for recursive name server
+   implementations to produce the Name Error response directly.  We
+   suggest that implementors consider the option of synthesizing Name
+   Error responses at the recursive name server.  The server could claim
+   authority for synthesized TLD zones corresponding to the first octet
+   of every possible IP address, e.g. 1., 2., through 255.  This
+   behavior could be configurable in the (probably unlikely) event that
+   numeric TLDs are ever put into use.
+
+   Another option is to delegate these numeric TLDs from the root zone
+   to a separate set of servers to absorb the traffic.  The "blackhole
+   servers" used by the the AS 112 Project [8], which are currently
+   delegated the in-addr.arpa zones corresponding to RFC 1918 [7]
+   private use address space, would be a possible choice to receive
+   these delegations.
+
+2.10 Misdirected recursive queries
+
+   The root name servers receive a significant number of recursive
+   queries (i.e., queries with the RD bit set in the header).  Since
+   none of the root servers offer recursion, the servers' response in
+   such a situation ignores the request for recursion and the response
+   probably does not contain the data the querier anticipated.  Some of
+   these queries result from users configuring stub resolvers to query a
+
+
+
+Larson & Barber         Expires August 16, 2004                [Page 12]
+
+Internet-Draft    Observed DNS Resolution Misbehavior      February 2004
+
+
+   root server.  (This situation is not hypothetical: we have received
+   complaints from users when this configuration does not work as
+   hoped.) Of course, users should not direct stub resolvers to use name
+   servers that do not offer recursion, but we are not aware of any stub
+   resolver implementation that offers any feedback to the user when so
+   configured, aside from simply "not working".
+
+2.10.1 Recommendation
+
+   When the IP address of a (supposedly) recursive name server is
+   configured in a stub resolver using an interactive user interface,
+   the resolver could send a test query to verify that the server
+   supports recursion (i.e., the response has the RA bit set in the
+   header).  The user could be immediately notified if the server is
+   non-recursive.
+
+   The stub resolver could also report an error, either through a user
+   interface or in a log file, if the queried server does not support
+   recursion.  Error reporting should be throttled to avoid a
+   notification or log message for every response from a non-recursive
+   server.
+
+2.11 Suboptimal name server selection algorithm
+
+   An entire document could be devoted to the topic of problems with
+   different implementations of the recursive resolution algorithm.  The
+   entire process of recursion is woefully underspecified, requiring
+   each implementor to design an algorithm.  Sometimes implementors make
+   poor design choices that could be avoided if a suggested algorithm
+   and best practices were documented, but that is a topic for another
+   document.
+
+   Some deficiencies cause significant operational impact and are
+   therefore worth mentioning here.  One of these is name server
+   selection by a recursive name server.  When a recursive name server
+   wants to contact one of a zone's authoritative name servers, how does
+   it choose from the NS records listed in the zone's NS RRset?  If the
+   selection mechanism is suboptimal, queries are not spread evenly
+   among a zone's authoritative servers.  The details of the selection
+   mechanism are up to the implementor, but we offer some suggestions.
+
+2.11.1 Recommendation
+
+   This list is not conclusive, but reflects the changes that would
+   produce the most impact in terms of reducing disproportionate query
+   load among a zone's authoritative servers.  I.e., these changes would
+   help spread the query load evenly.
+
+
+
+
+Larson & Barber         Expires August 16, 2004                [Page 13]
+
+Internet-Draft    Observed DNS Resolution Misbehavior      February 2004
+
+
+   o  Do not make assumptions based on NS RRset order: all NS RRs should
+      be treated equally.  (In the case of the "com" zone, for example,
+      most of the root servers return the NS record for
+      "a.gtld-servers.net" first in the authority section of referrals.
+      As a result, this server receives disproportionately more traffic
+      than the other 12 authoritative servers for "com".)
+
+   o  Use all NS records in an RRset.  (For example, we are aware of
+      implementations that hard-coded information for a subset of the
+      root servers.)
+
+   o  Maintain state and favor the best-performing of a zone's
+      authoritative servers.  A good definition of performance is
+      response time. Non-responsive servers can be penalized with an
+      extremely high response time.
+
+   o  Do not lock onto the best-performing of a zone's name servers.  A
+      recursive name server should periodically check the performance of
+      all of a zone's name servers to adjust its determination of the
+      best-performing one.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Larson & Barber         Expires August 16, 2004                [Page 14]
+
+Internet-Draft    Observed DNS Resolution Misbehavior      February 2004
+
+
+3. IANA considerations
+
+   There are no new IANA considerations introduced by this
+   Internet-Draft.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Larson & Barber         Expires August 16, 2004                [Page 15]
+
+Internet-Draft    Observed DNS Resolution Misbehavior      February 2004
+
+
+4. Security considerations
+
+   Name server and resolver misbehaviors identical or similar to those
+   discussed in this document expose the root and TLD name servers to
+   increased risk of both intentional and unintentional denial of
+   service.
+
+   We believe that implementation of the recommendations offered in this
+   document will reduce the amount of unnecessary traffic seen at root
+   and TLD name servers, thus reducing the opportunity for an attacker
+   to use such queries to his or her advantage.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Larson & Barber         Expires August 16, 2004                [Page 16]
+
+Internet-Draft    Observed DNS Resolution Misbehavior      February 2004
+
+
+5. Internationalization considerations
+
+   We do not believe this document introduces any new
+   internationalization considerations to the DNS protocol
+   specification.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Larson & Barber         Expires August 16, 2004                [Page 17]
+
+Internet-Draft    Observed DNS Resolution Misbehavior      February 2004
+
+
+Normative References
+
+   [1]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
+        Levels", BCP 14, RFC 2119, March 1997.
+
+   [2]  Mockapetris, P., "Domain names - concepts and facilities", STD
+        13, RFC 1034, November 1987.
+
+   [3]  Mockapetris, P., "Domain names - implementation and
+        specification", STD 13, RFC 1035, November 1987.
+
+   [4]  Elz, R. and R. Bush, "Clarifications to the DNS Specification",
+        RFC 2181, July 1997.
+
+   [5]  Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)", RFC
+        2308, March 1998.
+
+   [6]  Vixie, P., Thomson, S., Rekhter, Y. and J. Bound, "Dynamic
+        Updates in the Domain Name System (DNS UPDATE)", RFC 2136, April
+        1997.
+
+   [7]  Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G. and E.
+        Lear, "Address Allocation for Private Internets", BCP 5, RFC
+        1918, February 1996.
+
+   [8]  <http://www.as112.net>
+
+
+Authors' Addresses
+
+   Matt Larson
+   VeriSign, Inc.
+   21345 Ridgetop Circle
+   Dulles, VA  20166-6503
+   USA
+
+   EMail: mlarson@verisign.com
+
+
+   Piet Barber
+   VeriSign, Inc.
+   21345 Ridgetop Circle
+   Dulles, VA  20166-6503
+   USA
+
+   EMail: pbarber@verisign.com
+
+
+
+
+
+Larson & Barber         Expires August 16, 2004                [Page 18]
+
+Internet-Draft    Observed DNS Resolution Misbehavior      February 2004
+
+
+Intellectual Property Statement
+
+   The IETF takes no position regarding the validity or scope of any
+   intellectual property or other rights that might be claimed to
+   pertain to the implementation or use of the technology described in
+   this document or the extent to which any license under such rights
+   might or might not be available; neither does it represent that it
+   has made any effort to identify any such rights. Information on the
+   IETF's procedures with respect to rights in standards-track and
+   standards-related documentation can be found in BCP-11. Copies of
+   claims of rights made available for publication and any assurances of
+   licenses to be made available, or the result of an attempt made to
+   obtain a general license or permission for the use of such
+   proprietary rights by implementors or users of this specification can
+   be obtained from the IETF Secretariat.
+
+   The IETF invites any interested party to bring to its attention any
+   copyrights, patents or patent applications, or other proprietary
+   rights which may cover technology that may be required to practice
+   this standard. Please address the information to the IETF Executive
+   Director.
+
+
+Full Copyright Statement
+
+   Copyright (C) The Internet Society (2004). All Rights Reserved.
+
+   This document and translations of it may be copied and furnished to
+   others, and derivative works that comment on or otherwise explain it
+   or assist in its implementation may be prepared, copied, published
+   and distributed, in whole or in part, without restriction of any
+   kind, provided that the above copyright notice and this paragraph are
+   included on all such copies and derivative works. However, this
+   document itself may not be modified in any way, such as by removing
+   the copyright notice or references to the Internet Society or other
+   Internet organizations, except as needed for the purpose of
+   developing Internet standards in which case the procedures for
+   copyrights defined in the Internet Standards process must be
+   followed, or as required to translate it into languages other than
+   English.
+
+   The limited permissions granted above are perpetual and will not be
+   revoked by the Internet Society or its successors or assignees.
+
+   This document and the information contained herein is provided on an
+   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+
+
+
+Larson & Barber         Expires August 16, 2004                [Page 19]
+
+Internet-Draft    Observed DNS Resolution Misbehavior      February 2004
+
+
+   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+Acknowledgement
+
+   Funding for the RFC Editor function is currently provided by the
+   Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Larson & Barber         Expires August 16, 2004                [Page 20]
+
diff --git a/doc/draft/draft-ietf-dnsop-bad-dns-res-04.txt b/doc/draft/draft-ietf-dnsop-bad-dns-res-04.txt
deleted file mode 100644
index a56969e5..00000000
--- a/doc/draft/draft-ietf-dnsop-bad-dns-res-04.txt
+++ /dev/null
@@ -1,1176 +0,0 @@
-
-
-
-DNS Operations                                                 M. Larson
-Internet-Draft                                                 P. Barber
-Expires: January 18, 2006                                       VeriSign
-                                                           July 17, 2005
-
-
-                  Observed DNS Resolution Misbehavior
-                    draft-ietf-dnsop-bad-dns-res-04
-
-Status of this Memo
-
-   By submitting this Internet-Draft, each author represents that any
-   applicable patent or other IPR claims of which he or she is aware
-   have been or will be disclosed, and any of which he or she becomes
-   aware will be disclosed, in accordance with Section 6 of BCP 79.
-
-   Internet-Drafts are working documents of the Internet Engineering
-   Task Force (IETF), its areas, and its working groups.  Note that
-   other groups may also distribute working documents as Internet-
-   Drafts.
-
-   Internet-Drafts are draft documents valid for a maximum of six months
-   and may be updated, replaced, or obsoleted by other documents at any
-   time.  It is inappropriate to use Internet-Drafts as reference
-   material or to cite them other than as "work in progress."
-
-   The list of current Internet-Drafts can be accessed at
-   http://www.ietf.org/ietf/1id-abstracts.txt.
-
-   The list of Internet-Draft Shadow Directories can be accessed at
-   http://www.ietf.org/shadow.html.
-
-   This Internet-Draft will expire on January 18, 2006.
-
-Copyright Notice
-
-   Copyright (C) The Internet Society (2005).
-
-Abstract
-
-   This memo describes DNS iterative resolver behavior that results in a
-   significant query volume sent to the root and top-level domain (TLD)
-   name servers.  We offer implementation advice to iterative resolver
-   developers to alleviate these unnecessary queries.  The
-   recommendations made in this document are a direct byproduct of
-   observation and analysis of abnormal query traffic patterns seen at
-   two of the thirteen root name servers and all thirteen com/net TLD
-   name servers.
-
-
-
-Larson & Barber         Expires January 18, 2006                [Page 1]
-
-Internet-Draft     Observed DNS Resolution Misbehavior         July 2005
-
-
-   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
-   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
-   document are to be interpreted as described in RFC 2119 [1].
-
-Table of Contents
-
-   1.   Introduction . . . . . . . . . . . . . . . . . . . . . . . .   3
-     1.1  A note about terminology in this memo  . . . . . . . . . .   3
-   2.   Observed iterative resolver misbehavior  . . . . . . . . . .   5
-     2.1  Aggressive requerying for delegation information . . . . .   5
-       2.1.1  Recommendation . . . . . . . . . . . . . . . . . . . .   6
-     2.2  Repeated queries to lame servers . . . . . . . . . . . . .   7
-       2.2.1  Recommendation . . . . . . . . . . . . . . . . . . . .   7
-     2.3  Inability to follow multiple levels of indirection . . . .   8
-       2.3.1  Recommendation . . . . . . . . . . . . . . . . . . . .   9
-     2.4  Aggressive retransmission when fetching glue . . . . . . .   9
-       2.4.1  Recommendation . . . . . . . . . . . . . . . . . . . .  10
-     2.5  Aggressive retransmission behind firewalls . . . . . . . .  10
-       2.5.1  Recommendation . . . . . . . . . . . . . . . . . . . .  11
-     2.6  Misconfigured NS records . . . . . . . . . . . . . . . . .  11
-       2.6.1  Recommendation . . . . . . . . . . . . . . . . . . . .  12
-     2.7  Name server records with zero TTL  . . . . . . . . . . . .  12
-       2.7.1  Recommendation . . . . . . . . . . . . . . . . . . . .  13
-     2.8  Unnecessary dynamic update messages  . . . . . . . . . . .  13
-       2.8.1  Recommendation . . . . . . . . . . . . . . . . . . . .  14
-     2.9  Queries for domain names resembling IPv4 addresses . . . .  14
-       2.9.1  Recommendation . . . . . . . . . . . . . . . . . . . .  14
-     2.10   Misdirected recursive queries  . . . . . . . . . . . . .  15
-       2.10.1   Recommendation . . . . . . . . . . . . . . . . . . .  15
-     2.11   Suboptimal name server selection algorithm . . . . . . .  15
-       2.11.1   Recommendation . . . . . . . . . . . . . . . . . . .  16
-   3.   IANA considerations  . . . . . . . . . . . . . . . . . . . .  17
-   4.   Security considerations  . . . . . . . . . . . . . . . . . .  18
-   5.   Internationalization considerations  . . . . . . . . . . . .  19
-   6.   Informative References . . . . . . . . . . . . . . . . . . .  19
-        Authors' Addresses . . . . . . . . . . . . . . . . . . . . .  19
-        Intellectual Property and Copyright Statements . . . . . . .  21
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Larson & Barber         Expires January 18, 2006                [Page 2]
-
-Internet-Draft     Observed DNS Resolution Misbehavior         July 2005
-
-
-1.  Introduction
-
-   Observation of query traffic received by two root name servers and
-   the thirteen com/net TLD name servers has revealed that a large
-   proportion of the total traffic often consists of "requeries".  A
-   requery is the same question (<QNAME, QTYPE, QCLASS>) asked
-   repeatedly at an unexpectedly high rate.  We have observed requeries
-   from both a single IP address and multiple IP addresses (i.e., the
-   same query received simultaneously from multiple IP addresses).
-
-   By analyzing requery events we have found that the cause of the
-   duplicate traffic is almost always a deficient iterative resolver,
-   stub resolver or application implementation combined with an
-   operational anomaly.  The implementation deficiencies we have
-   identified to date include well-intentioned recovery attempts gone
-   awry, insufficient caching of failures, early abort when multiple
-   levels of indirection must be followed, and aggressive retry by stub
-   resolvers or applications.  Anomalies that we have seen trigger
-   requery events include lame delegations, unusual glue records, and
-   anything that makes all authoritative name servers for a zone
-   unreachable (DoS attacks, crashes, maintenance, routing failures,
-   congestion, etc.).
-
-   In the following sections, we provide a detailed explanation of the
-   observed behavior and recommend changes that will reduce the requery
-   rate.  None of the changes recommended affects the core DNS protocol
-   specification; instead, this document consists of guidelines to
-   implementors of iterative resolvers.
-
-1.1  A note about terminology in this memo
-
-   To recast an old saying about standards, the nice thing about DNS
-   terms is that there are so many of them to choose from.  Writing or
-   talking about DNS can be difficult and cause confusion resulting from
-   a lack of agreed-upon terms for its various components.  Further
-   complicating matters are implementations that combine multiple roles
-   into one piece of software, which makes naming the result
-   problematic.  An example is the entity that accepts recursive
-   queries, issues iterative queries as necessary to resolve the initial
-   recursive query, caches responses it receives, and which is also able
-   to answer questions about certain zones authoritatively.  This entity
-   is an iterative resolver combined with an authoritative name server
-   and is often called a "recursive name server" or a "caching name
-   server".
-
-   This memo is concerned principally with the behavior of iterative
-   resolvers, which are typically found as part of a recursive name
-   server.  This memo uses the more precise term "iterative resolver",
-
-
-
-Larson & Barber         Expires January 18, 2006                [Page 3]
-
-Internet-Draft     Observed DNS Resolution Misbehavior         July 2005
-
-
-   because the focus is usually on that component.  In instances where
-   the name server role of this entity requires mentioning, this memo
-   uses the term "recursive name server".  As an example of the
-   difference, the name server component of a recursive name server
-   receives DNS queries and the iterative resolver component sends
-   queries.
-
-   The advent of IPv6 requires mentioning AAAA records as well as A
-   records when discussing glue.  To avoid continuous repetition and
-   qualification, this memo uses the general term "address record" to
-   encompass both A and AAAA records when a particular situation is
-   relevant to both types.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Larson & Barber         Expires January 18, 2006                [Page 4]
-
-Internet-Draft     Observed DNS Resolution Misbehavior         July 2005
-
-
-2.  Observed iterative resolver misbehavior
-
-2.1  Aggressive requerying for delegation information
-
-   There can be times when every name server in a zone's NS RRset is
-   unreachable (e.g., during a network outage), unavailable (e.g., the
-   name server process is not running on the server host) or
-   misconfigured (e.g., the name server is not authoritative for the
-   given zone, also known as "lame").  Consider an iterative resolver
-   that attempts to resolve a query for a domain name in such a zone and
-   discovers that none of the zone's name servers can provide an answer.
-   We have observed a recursive name server implementation whose
-   iterative resolver then verifies the zone's NS RRset in its cache by
-   querying for the zone's delegation information: it sends a query for
-   the zone's NS RRset to one of the parent zone's name servers.  (Note
-   that queries with QTYPE=NS are not required by the standard
-   resolution algorithm described in section 4.3.2 of RFC 1034 [2].
-   These NS queries represent this implementation's addition to that
-   algorithm.)
-
-   For example, suppose that "example.com" has the following NS RRset:
-
-     example.com.   IN   NS   ns1.example.com.
-     example.com.   IN   NS   ns2.example.com.
-
-   Upon receipt of a query for "www.example.com" and assuming that
-   neither "ns1.example.com" nor "ns2.example.com" can provide an
-   answer, this iterative resolver implementation immediately queries a
-   "com" zone name server for the "example.com" NS RRset to verify it
-   has the proper delegation information.  This implementation performs
-   this query to a zone's parent zone for each recursive query it
-   receives that fails because of a completely unresponsive set of name
-   servers for the target zone.  Consider the effect when a popular zone
-   experiences a catastrophic failure of all its name servers: now every
-   recursive query for domain names in that zone sent to this recursive
-   name server implementation results in a query to the failed zone's
-   parent name servers.  On one occasion when several dozen popular
-   zones became unreachable, the query load on the com/net name servers
-   increased by 50%.
-
-   We believe this verification query is not reasonable.  Consider the
-   circumstances: When an iterative resolver is resolving a query for a
-   domain name in a zone it has not previously searched, it uses the
-   list of name servers in the referral from the target zone's parent.
-   If on its first attempt to search the target zone, none of the name
-   servers in the referral is reachable, a verification query to the
-   parent would be pointless: this query to the parent would come so
-   quickly on the heels of the referral that it would be almost certain
-
-
-
-Larson & Barber         Expires January 18, 2006                [Page 5]
-
-Internet-Draft     Observed DNS Resolution Misbehavior         July 2005
-
-
-   to contain the same list of name servers.  The chance of discovering
-   any new information is slim.
-
-   The other possibility is that the iterative resolver successfully
-   contacts one of the target zone's name servers and then caches the NS
-   RRset from the authority section of a response, the proper behavior
-   according to section 5.4.1 of RFC 2181 [3], because the NS RRset from
-   the target zone is more trustworthy than delegation information from
-   the parent zone.  If, while processing a subsequent recursive query,
-   the iterative resolver discovers that none of the name servers
-   specified in the cached NS RRset is available or authoritative,
-   querying the parent would be wrong.  An NS RRset from the parent zone
-   would now be less trustworthy than data already in the cache.
-
-   For this query of the parent zone to be useful, the target zone's
-   entire set of name servers would have to change AND the former set of
-   name servers would have to be deconfigured or decommissioned AND the
-   delegation information in the parent zone would have to be updated
-   with the new set of name servers, all within the TTL of the target
-   zone's NS RRset.  We believe this scenario is uncommon:
-   administrative best practices dictate that changes to a zone's set of
-   name servers happen gradually when at all possible, with servers
-   removed from the NS RRset left authoritative for the zone as long as
-   possible.  The scenarios that we can envision that would benefit from
-   the parent requery behavior do not outweigh its damaging effects.
-
-   This section should not be understood to claim that all queries to a
-   zone's parent are bad.  In some cases, such queries are not only
-   reasonable but required.  Consider the situation when required
-   information, such as the address of a name server (i.e., the address
-   record corresponding to the RDATA of an NS record), has timed out of
-   an iterative resolver's cache before the corresponding NS record.  If
-   the name of the name server is below the apex of the zone, then the
-   name server's address record is only available as glue in the parent
-   zone.  For example, consider this NS record:
-
-     example.com.        IN   NS   ns.example.com.
-
-   If a cache has this NS record but not the address record for
-   "ns.example.com", it is unable to contact the "example.com" zone
-   directly and must query the "com" zone to obtain the address record.
-   Note, however, that such a query would not have QTYPE=NS according to
-   the standard resolution algorithm.
-
-2.1.1  Recommendation
-
-   An iterative resolver MUST NOT send a query for the NS RRset of a
-   non-responsive zone to any of the name servers for that zone's parent
-
-
-
-Larson & Barber         Expires January 18, 2006                [Page 6]
-
-Internet-Draft     Observed DNS Resolution Misbehavior         July 2005
-
-
-   zone.  For the purposes of this injunction, a non-responsive zone is
-   defined as a zone for which every name server listed in the zone's NS
-   RRset:
-
-   1.  is not authoritative for the zone (i.e., lame), or,
-
-   2.  returns a server failure response (RCODE=2), or,
-
-   3.  is dead or unreachable according to section 7.2 of RFC 2308 [4].
-
-
-2.2  Repeated queries to lame servers
-
-   Section 2.1 describes a catastrophic failure: when every name server
-   for a zone is unable to provide an answer for one reason or another.
-   A more common occurrence is when a subset of a zone's name servers
-   are unavailable or misconfigured.  Different failure modes have
-   different expected durations.  Some symptoms indicate problems that
-   are potentially transient; for example, various types of ICMP
-   unreachable messages because a name server process is not running or
-   a host or network is unreachable, or a complete lack of a response to
-   a query.  Such responses could be the result of a host rebooting or
-   temporary outages; these events don't necessarily require any human
-   intervention and can be reasonably expected to be temporary.
-
-   Other symptoms clearly indicate a condition requiring human
-   intervention, such as lame server: if a name server is misconfigured
-   and not authoritative for a zone delegated to it, it is reasonable to
-   assume that this condition has potential to last longer than
-   unreachability or unresponsiveness.  Consequently, repeated queries
-   to known lame servers are not useful.  In this case of a condition
-   with potential to persist for a long time, a better practice would be
-   to maintain a list of known lame servers and avoid querying them
-   repeatedly in a short interval.
-
-   It should also be noted, however, that some authoritative name server
-   implementations appear to be lame only for queries of certain types
-   as described in RFC 4074 [5].  In this case, it makes sense to retry
-   the "lame" servers for other types of queries, particularly when all
-   known authoritative name servers appear to be "lame".
-
-2.2.1  Recommendation
-
-   Iterative resolvers SHOULD cache name servers that they discover are
-   not authoritative for zones delegated to them (i.e. lame servers).
-   If this caching is performed, lame servers MUST be cached against the
-   specific query tuple <zone name, class, server IP address>.  Zone
-   name can be derived from the owner name of the NS record that was
-
-
-
-Larson & Barber         Expires January 18, 2006                [Page 7]
-
-Internet-Draft     Observed DNS Resolution Misbehavior         July 2005
-
-
-   referenced to query the name server that was discovered to be lame.
-   Implementations that perform lame server caching MUST refrain from
-   sending queries to known lame servers based on a time interval from
-   when the server is discovered to be lame.  A minimum interval of
-   thirty minutes is RECOMMENDED.
-
-   An exception to this recommendation occurs if all name servers for a
-   zone are marked lame.  In that case, the iterative resolver SHOULD
-   temporarily ignore the servers' lameness status and query one or more
-   servers.  This behavior is a workaround for the type-specific
-   lameness issue described in the previous section.
-
-   Implementors should take care not to make lame server avoidance logic
-   overly broad: note that a name server could be lame for a parent zone
-   but not a child zone, e.g., lame for "example.com" but properly
-   authoritative for "sub.example.com".  Therefore a name server should
-   not be automatically considered lame for subzones.  In the case
-   above, even if a name server is known to be lame for "example.com",
-   it should be queried for QNAMEs at or below "sub.example.com" if an
-   NS record indicates it should be authoritative for that zone.
-
-2.3  Inability to follow multiple levels of indirection
-
-   Some iterative resolver implementations are unable to follow
-   sufficient levels of indirection.  For example, consider the
-   following delegations:
-
-     foo.example.        IN   NS   ns1.example.com.
-     foo.example.        IN   NS   ns2.example.com.
-
-     example.com.        IN   NS   ns1.test.example.net.
-     example.com.        IN   NS   ns2.test.example.net.
-
-     test.example.net.   IN   NS   ns1.test.example.net.
-     test.example.net.   IN   NS   ns2.test.example.net.
-
-   An iterative resolver resolving the name "www.foo.example" must
-   follow two levels of indirection, first obtaining address records for
-   "ns1.test.example.net" or "ns2.test.example.net" in order to obtain
-   address records for "ns1.example.com" or "ns2.example.com" in order
-   to query those name servers for the address records of
-   "www.foo.example".  While this situation may appear contrived, we
-   have seen multiple similar occurrences and expect more as new generic
-   top-level domains (gTLDs) become active.  We anticipate many zones in
-   new gTLDs will use name servers in existing gTLDs, increasing the
-   number of delegations using out-of-zone name servers.
-
-
-
-
-
-Larson & Barber         Expires January 18, 2006                [Page 8]
-
-Internet-Draft     Observed DNS Resolution Misbehavior         July 2005
-
-
-2.3.1  Recommendation
-
-   Clearly constructing a delegation that relies on multiple levels of
-   indirection is not a good administrative practice.  However, the
-   practice is widespread enough to require that iterative resolvers be
-   able to cope with it.  Iterative resolvers SHOULD be able to handle
-   arbitrary levels of indirection resulting from out-of-zone name
-   servers.  Iterative resolvers SHOULD implement a level-of-effort
-   counter to avoid loops or otherwise performing too much work in
-   resolving pathological cases.
-
-   A best practice that avoids this entire issue of indirection is to
-   name one or more of a zone's name servers in the zone itself.  For
-   example, if the zone is named "example.com", consider naming some of
-   the name servers "ns{1,2,...}.example.com" (or similar).
-
-2.4  Aggressive retransmission when fetching glue
-
-   When an authoritative name server responds with a referral, it
-   includes NS records in the authority section of the response.
-   According to the algorithm in section 4.3.2 of RFC 1034 [2], the name
-   server should also "put whatever addresses are available into the
-   additional section, using glue RRs if the addresses are not available
-   from authoritative data or the cache."  Some name server
-   implementations take this address inclusion a step further with a
-   feature called "glue fetching".  A name server that implements glue
-   fetching attempts to include address records for every NS record in
-   the authority section.  If necessary, the name server issues multiple
-   queries of its own to obtain any missing address records.
-
-   Problems with glue fetching can arise in the context of
-   "authoritative-only" name servers, which only serve authoritative
-   data and ignore requests for recursion.  Such an entity will not
-   normally generate any queries of its own.  Instead it answers non-
-   recursive queries from iterative resolvers looking for information in
-   zones it serves.  With glue fetching enabled, however, an
-   authoritative server invokes an iterative resolver to look up an
-   unknown address record to complete the additional section of a
-   response.
-
-   We have observed situations where the iterative resolver of a glue-
-   fetching name server can send queries that reach other name servers,
-   but is apparently prevented from receiving the responses.  For
-   example, perhaps the name server is authoritative-only and therefore
-   its administrators expect it to receive only queries and not
-   responses.  Perhaps unaware of glue fetching and presuming that the
-   name server's iterative resolver will generate no queries, its
-   administrators place the name server behind a network device that
-
-
-
-Larson & Barber         Expires January 18, 2006                [Page 9]
-
-Internet-Draft     Observed DNS Resolution Misbehavior         July 2005
-
-
-   prevents it from receiving responses.  If this is the case, all glue-
-   fetching queries will go answered.
-
-   We have observed name server implementations whose iterative
-   resolvers retry excessively when glue-fetching queries are
-   unanswered.  A single com/net name server has received hundreds of
-   queries per second from a single such source.  Judging from the
-   specific queries received and based on additional analysis, we
-   believe these queries result from overly aggressive glue fetching.
-
-2.4.1  Recommendation
-
-   Implementers whose name servers support glue fetching SHOULD take
-   care to avoid sending queries at excessive rates.  Implementations
-   SHOULD support throttling logic to detect when queries are sent but
-   no responses are received.
-
-2.5  Aggressive retransmission behind firewalls
-
-   A common occurrence and one of the largest sources of repeated
-   queries at the com/net and root name servers appears to result from
-   resolvers behind misconfigured firewalls.  In this situation, an
-   iterative resolver is apparently allowed to send queries through a
-   firewall to other name servers, but not receive the responses.  The
-   result is more queries than necessary because of retransmission, all
-   of which are useless because the responses are never received.  Just
-   as with the glue-fetching scenario described in Section 2.4, the
-   queries are sometimes sent at excessive rates.  To make matters
-   worse, sometimes the responses, sent in reply to legitimate queries,
-   trigger an alarm on the originator's intrusion detection system.  We
-   are frequently contacted by administrators responding to such alarms
-   who believe our name servers are attacking their systems.
-
-   Not only do some resolvers in this situation retransmit queries at an
-   excessive rate, but they continue to do so for days or even weeks.
-   This scenario could result from an organization with multiple
-   recursive name servers, only a subset of whose iterative resolvers'
-   traffic is improperly filtered in this manner.  Stub resolvers in the
-   organization could be configured to query multiple recursive name
-   servers.  Consider the case where a stub resolver queries a filtered
-   recursive name server first.  The iterative resolver of this
-   recursive name server sends one or more queries whose replies are
-   filtered, so it can't respond to the stub resolver, which times out.
-   Then the stub resolver retransmits to a recursive name server that is
-   able to provide an answer.  Since resolution ultimately succeeds the
-   underlying problem might not be recognized or corrected.  A popular
-   stub resolver implementation has a very aggressive retransmission
-   schedule, including simultaneous queries to multiple recursive name
-
-
-
-Larson & Barber         Expires January 18, 2006               [Page 10]
-
-Internet-Draft     Observed DNS Resolution Misbehavior         July 2005
-
-
-   servers, which could explain how such a situation could persist
-   without being detected.
-
-2.5.1  Recommendation
-
-   The most obvious recommendation is that administrators SHOULD take
-   care not to place iterative resolvers behind a firewall that allows
-   queries to pass through but not the resulting replies.
-
-   Iterative resolvers SHOULD take care to avoid sending queries at
-   excessive rates.  Implementations SHOULD support throttling logic to
-   detect when queries are sent but no responses are received.
-
-2.6  Misconfigured NS records
-
-   Sometimes a zone administrator forgets to add the trailing dot on the
-   domain names in the RDATA of a zone's NS records.  Consider this
-   fragment of the zone file for "example.com":
-
-     $ORIGIN example.com.
-     example.com.      3600   IN   NS   ns1.example.com  ; Note missing
-     example.com.      3600   IN   NS   ns2.example.com  ; trailing dots
-
-   The zone's authoritative servers will parse the NS RDATA as
-   "ns1.example.com.example.com" and "ns2.example.com.example.com" and
-   return NS records with this incorrect RDATA in responses, including
-   typically the authority section of every response containing records
-   from the "example.com" zone.
-
-   Now consider a typical sequence of queries.  An iterative resolver
-   attempting to resolve address records for "www.example.com" with no
-   cached information for this zone will query a "com" authoritative
-   server.  The "com" server responds with a referral to the
-   "example.com" zone, consisting of NS records with valid RDATA and
-   associated glue records.  (This example assumes that the
-   "example.com" zone delegation information is correct in the "com"
-   zone.)  The iterative resolver caches the NS RRset from the "com"
-   server and follows the referral by querying one of the "example.com"
-   authoritative servers.  This server responds with the
-   "www.example.com" address record in the answer section and,
-   typically, the "example.com" NS records in the authority section and,
-   if space in the message remains, glue address records in the
-   additional section.  According to Section 5.4 of RFC 2181 [3], NS
-   records in the authority section of an authoritative answer are more
-   trustworthy than NS records from the authority section of a non-
-   authoritative answer.  Thus the "example.com" NS RRset just received
-   from the "example.com" authoritative server overrides the
-   "example.com" NS RRset received moments ago from the "com"
-
-
-
-Larson & Barber         Expires January 18, 2006               [Page 11]
-
-Internet-Draft     Observed DNS Resolution Misbehavior         July 2005
-
-
-   authoritative server.
-
-   But the "example.com" zone contains the erroneous NS RRset as shown
-   in the example above.  Subsequent queries for names in "example.com"
-   will cause the iterative resolver to attempt to use the incorrect NS
-   records and so it will try to resolve the nonexistent names
-   "ns1.example.com.example.com" and "ns2.example.com.example.com".  In
-   this example, since all of the zone's name servers are named in the
-   zone itself (i.e., "ns1.example.com.example.com" and
-   "ns2.example.com.example.com" both end in "example.com") and all are
-   bogus, the iterative resolver cannot reach any "example.com" name
-   servers.  Therefore attempts to resolve these names result in address
-   record queries to the "com" authoritative servers.  Queries for such
-   obviously bogus glue address records occur frequently at the com/net
-   name servers.
-
-2.6.1  Recommendation
-
-   An authoritative server can detect this situation.  A trailing dot
-   missing from an NS record's RDATA always results by definition in a
-   name server name that exists somewhere under the apex of the zone the
-   NS record appears in.  Note that further levels of delegation are
-   possible, so a missing trailing dot could inadvertently create a name
-   server name that actually exists in a subzone.
-
-   An authoritative name server SHOULD issue a warning when one of a
-   zone's NS records references a name server below the zone's apex when
-   a corresponding address record does not exist in the zone AND there
-   are no delegated subzones where the address record could exist.
-
-2.7  Name server records with zero TTL
-
-   Sometimes a popular com/net subdomain's zone is configured with a TTL
-   of zero on the zone's NS records, which prohibits these records from
-   being cached and will result in a higher query volume to the zone's
-   authoritative servers.  The zone's administrator should understand
-   the consequences of such a configuration and provision resources
-   accordingly.  A zero TTL on the zone's NS RRset, however, carries
-   additional consequences beyond the zone itself: if an iterative
-   resolver cannot cache a zone's NS records because of a zero TTL, it
-   will be forced to query that zone's parent's name servers each time
-   it resolves a name in the zone.  The com/net authoritative servers do
-   see an increased query load when a popular com/net subdomain's zone
-   is configured with a TTL of zero on the zone's NS records.
-
-   A zero TTL on an RRset expected to change frequently is extreme but
-   permissible.  A zone's NS RRset is a special case, however, because
-   changes to it must be coordinated with the zone's parent.  In most
-
-
-
-Larson & Barber         Expires January 18, 2006               [Page 12]
-
-Internet-Draft     Observed DNS Resolution Misbehavior         July 2005
-
-
-   zone parent/child relationships we are aware of, there is typically
-   some delay involved in effecting changes.  Further, changes to the
-   set of a zone's authoritative name servers (and therefore to the
-   zone's NS RRset) are typically relatively rare: providing reliable
-   authoritative service requires a reasonably stable set of servers.
-   Therefore an extremely low or zero TTL on a zone's NS RRset rarely
-   makes sense, except in anticipation of an upcoming change.  In this
-   case, when the zone's administrator has planned a change and does not
-   want iterative resolvers throughout the Internet to cache the NS
-   RRset for a long period of time, a low TTL is reasonable.
-
-2.7.1  Recommendation
-
-   Because of the additional load placed on a zone's parent's
-   authoritative servers resulting from a zero TTL on a zone's NS RRset,
-   under such circumstances authoritative name servers SHOULD issue a
-   warning when loading a zone.
-
-2.8  Unnecessary dynamic update messages
-
-   The UPDATE message specified in RFC 2136 [6] allows an authorized
-   agent to update a zone's data on an authoritative name server using a
-   DNS message sent over the network.  Consider the case of an agent
-   desiring to add a particular resource record.  Because of zone cuts,
-   the agent does not necessarily know the proper zone to which the
-   record should be added.  The dynamic update process requires that the
-   agent determine the appropriate zone so the UPDATE message can be
-   sent to one of the zone's authoritative servers (typically the
-   primary master as specified in the zone's SOA MNAME field).
-
-   The appropriate zone to update is the closest enclosing zone, which
-   cannot be determined only by inspecting the domain name of the record
-   to be updated, since zone cuts can occur anywhere.  One way to
-   determine the closest enclosing zone entails walking up the name
-   space tree by sending repeated UPDATE messages until success.  For
-   example, consider an agent attempting to add an address record with
-   the name "foo.bar.example.com".  The agent could first attempt to
-   update the "foo.bar.example.com" zone.  If the attempt failed, the
-   update could be directed to the "bar.example.com" zone, then the
-   "example.com" zone, then the "com" zone, and finally the root zone.
-
-   A popular dynamic agent follows this algorithm.  The result is many
-   UPDATE messages received by the root name servers, the com/net
-   authoritative servers, and presumably other TLD authoritative
-   servers.  A valid question is why the algorithm proceeds to send
-   updates all the way to TLD and root name servers.  This behavior is
-   not entirely unreasonable: in enterprise DNS architectures with an
-   "internal root" design, there could conceivably be private, non-
-
-
-
-Larson & Barber         Expires January 18, 2006               [Page 13]
-
-Internet-Draft     Observed DNS Resolution Misbehavior         July 2005
-
-
-   public TLD or root zones that would be the appropriate targets for a
-   dynamic update.
-
-   A significant deficiency with this algorithm is that knowledge of a
-   given UPDATE message's failure is not helpful in directing future
-   UPDATE messages to the appropriate servers.  A better algorithm would
-   be to find the closest enclosing zone by walking up the name space
-   with queries for SOA or NS rather than "probing" with UPDATE
-   messages.  Once the appropriate zone is found, an UPDATE message can
-   be sent.  In addition, the results of these queries can be cached to
-   aid in determining closest enclosing zones for future updates.  Once
-   the closest enclosing zone is determined with this method, the update
-   will either succeed or fail and there is no need to send further
-   updates to higher-level zones.  The important point is that walking
-   up the tree with queries yields cacheable information, whereas
-   walking up the tree by sending UPDATE messages does not.
-
-2.8.1  Recommendation
-
-   Dynamic update agents SHOULD send SOA or NS queries to progressively
-   higher-level names to find the closest enclosing zone for a given
-   name to update.  Only after the appropriate zone is found should the
-   client send an UPDATE message to one of the zone's authoritative
-   servers.  Update clients SHOULD NOT "probe" using UPDATE messages by
-   walking up the tree to progressively higher-level zones.
-
-2.9  Queries for domain names resembling IPv4 addresses
-
-   The root name servers receive a significant number of A record
-   queries where the QNAME looks like an IPv4 address.  The source of
-   these queries is unknown.  It could be attributed to situations where
-   a user believes an application will accept either a domain name or an
-   IP address in a given configuration option.  The user enters an IP
-   address, but the application assumes any input is a domain name and
-   attempts to resolve it, resulting in an A record lookup.  There could
-   also be applications that produce such queries in a misguided attempt
-   to reverse map IP addresses.
-
-   These queries result in Name Error (RCODE=3) responses.  An iterative
-   resolver can negatively cache such responses, but each response
-   requires a separate cache entry, i.e., a negative cache entry for the
-   domain name "192.0.2.1" does not prevent a subsequent query for the
-   domain name "192.0.2.2".
-
-2.9.1  Recommendation
-
-   It would be desirable for the root name servers not to have to answer
-   these queries: they unnecessarily consume CPU resources and network
-
-
-
-Larson & Barber         Expires January 18, 2006               [Page 14]
-
-Internet-Draft     Observed DNS Resolution Misbehavior         July 2005
-
-
-   bandwidth.  A possible solution is to delegate these numeric TLDs
-   from the root zone to a separate set of servers to absorb the
-   traffic.  The "black hole servers" used by the AS 112 Project [8],
-   which are currently delegated the in-addr.arpa zones corresponding to
-   RFC 1918 [7] private use address space, would be a possible choice to
-   receive these delegations.  Of course, the proper and usual root zone
-   change procedures would have to be followed to make such a change to
-   the root zone.
-
-2.10  Misdirected recursive queries
-
-   The root name servers receive a significant number of recursive
-   queries (i.e., queries with the RD bit set in the header).  Since
-   none of the root servers offers recursion, the servers' response in
-   such a situation ignores the request for recursion and the response
-   probably does not contain the data the querier anticipated.  Some of
-   these queries result from users configuring stub resolvers to query a
-   root server.  (This situation is not hypothetical: we have received
-   complaints from users when this configuration does not work as
-   hoped.)  Of course, users should not direct stub resolvers to use
-   name servers that do not offer recursion, but we are not aware of any
-   stub resolver implementation that offers any feedback to the user
-   when so configured, aside from simply "not working".
-
-2.10.1  Recommendation
-
-   When the IP address of a name server that supposedly offers recursion
-   is configured in a stub resolver using an interactive user interface,
-   the resolver could send a test query to verify that the server indeed
-   supports recursion (i.e., verify that the response has the RA bit set
-   in the header).  The user could be immediately notified if the server
-   is non-recursive.
-
-   The stub resolver could also report an error, either through a user
-   interface or in a log file, if the queried server does not support
-   recursion.  Error reporting SHOULD be throttled to avoid a
-   notification or log message for every response from a non-recursive
-   server.
-
-2.11  Suboptimal name server selection algorithm
-
-   An entire document could be devoted to the topic of problems with
-   different implementations of the recursive resolution algorithm.  The
-   entire process of recursion is woefully under specified, requiring
-   each implementor to design an algorithm.  Sometimes implementors make
-   poor design choices that could be avoided if a suggested algorithm
-   and best practices were documented, but that is a topic for another
-   document.
-
-
-
-Larson & Barber         Expires January 18, 2006               [Page 15]
-
-Internet-Draft     Observed DNS Resolution Misbehavior         July 2005
-
-
-   Some deficiencies cause significant operational impact and are
-   therefore worth mentioning here.  One of these is name server
-   selection by an iterative resolver.  When an iterative resolver wants
-   to contact one of a zone's authoritative name servers, how does it
-   choose from the NS records listed in the zone's NS RRset?  If the
-   selection mechanism is suboptimal, queries are not spread evenly
-   among a zone's authoritative servers.  The details of the selection
-   mechanism are up to the implementor, but we offer some suggestions.
-
-2.11.1  Recommendation
-
-   This list is not conclusive, but reflects the changes that would
-   produce the most impact in terms of reducing disproportionate query
-   load among a zone's authoritative servers.  I.e., these changes would
-   help spread the query load evenly.
-
-   o  Do not make assumptions based on NS RRset order: all NS RRs SHOULD
-      be treated equally.  (In the case of the "com" zone, for example,
-      most of the root servers return the NS record for "a.gtld-
-      servers.net" first in the authority section of referrals.
-      Apparently as a result, this server receives disproportionately
-      more traffic than the other 12 authoritative servers for "com".)
-
-   o  Use all NS records in an RRset.  (For example, we are aware of
-      implementations that hard-coded information for a subset of the
-      root servers.)
-
-   o  Maintain state and favor the best-performing of a zone's
-      authoritative servers.  A good definition of performance is
-      response time.  Non-responsive servers can be penalized with an
-      extremely high response time.
-
-   o  Do not lock onto the best-performing of a zone's name servers.  An
-      iterative resolver SHOULD periodically check the performance of
-      all of a zone's name servers to adjust its determination of the
-      best-performing one.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Larson & Barber         Expires January 18, 2006               [Page 16]
-
-Internet-Draft     Observed DNS Resolution Misbehavior         July 2005
-
-
-3.  IANA considerations
-
-   There are no new IANA considerations introduced by this memo.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Larson & Barber         Expires January 18, 2006               [Page 17]
-
-Internet-Draft     Observed DNS Resolution Misbehavior         July 2005
-
-
-4.  Security considerations
-
-   The iterative resolver misbehavior discussed in this document exposes
-   the root and TLD name servers to increased risk of both intentional
-   and unintentional denial of service attacks.
-
-   We believe that implementation of the recommendations offered in this
-   document will reduce the amount of unnecessary traffic seen at root
-   and TLD name servers, thus reducing the opportunity for an attacker
-   to use such queries to his or her advantage.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Larson & Barber         Expires January 18, 2006               [Page 18]
-
-Internet-Draft     Observed DNS Resolution Misbehavior         July 2005
-
-
-5.  Internationalization considerations
-
-   There are no new internationalization considerations introduced by
-   this memo.
-
-6.  Informative References
-
-   [1]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
-        Levels", BCP 14, RFC 2119, March 1997.
-
-   [2]  Mockapetris, P., "Domain names - concepts and facilities",
-        STD 13, RFC 1034, November 1987.
-
-   [3]  Elz, R. and R. Bush, "Clarifications to the DNS Specification",
-        RFC 2181, July 1997.
-
-   [4]  Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)",
-        RFC 2308, March 1998.
-
-   [5]  Morishita, Y. and T. Jinmei, "Common Misbehavior Against DNS
-        Queries for IPv6 Addresses", RFC 4074, May 2005.
-
-   [6]  Vixie, P., Thomson, S., Rekhter, Y., and J. Bound, "Dynamic
-        Updates in the Domain Name System (DNS UPDATE)", RFC 2136,
-        April 1997.
-
-   [7]  Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and E.
-        Lear, "Address Allocation for Private Internets", BCP 5,
-        RFC 1918, February 1996.
-
-   [8]  <http://www.as112.net>
-
-
-Authors' Addresses
-
-   Matt Larson
-   VeriSign, Inc.
-   21345 Ridgetop Circle
-   Dulles, VA  20166-6503
-   USA
-
-   Email: mlarson@verisign.com
-
-
-
-
-
-
-
-
-
-Larson & Barber         Expires January 18, 2006               [Page 19]
-
-Internet-Draft     Observed DNS Resolution Misbehavior         July 2005
-
-
-   Piet Barber
-   VeriSign, Inc.
-   21345 Ridgetop Circle
-   Dulles, VA  20166-6503
-   USA
-
-   Email: pbarber@verisign.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Larson & Barber         Expires January 18, 2006               [Page 20]
-
-Internet-Draft     Observed DNS Resolution Misbehavior         July 2005
-
-
-Intellectual Property Statement
-
-   The IETF takes no position regarding the validity or scope of any
-   Intellectual Property Rights or other rights that might be claimed to
-   pertain to the implementation or use of the technology described in
-   this document or the extent to which any license under such rights
-   might or might not be available; nor does it represent that it has
-   made any independent effort to identify any such rights.  Information
-   on the procedures with respect to rights in RFC documents can be
-   found in BCP 78 and BCP 79.
-
-   Copies of IPR disclosures made to the IETF Secretariat and any
-   assurances of licenses to be made available, or the result of an
-   attempt made to obtain a general license or permission for the use of
-   such proprietary rights by implementers or users of this
-   specification can be obtained from the IETF on-line IPR repository at
-   http://www.ietf.org/ipr.
-
-   The IETF invites any interested party to bring to its attention any
-   copyrights, patents or patent applications, or other proprietary
-   rights that may cover technology that may be required to implement
-   this standard.  Please address the information to the IETF at
-   ietf-ipr@ietf.org.
-
-
-Disclaimer of Validity
-
-   This document and the information contained herein are provided on an
-   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
-   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
-   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
-   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
-   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Copyright Statement
-
-   Copyright (C) The Internet Society (2005).  This document is subject
-   to the rights, licenses and restrictions contained in BCP 78, and
-   except as set forth therein, the authors retain all their rights.
-
-
-Acknowledgment
-
-   Funding for the RFC Editor function is currently provided by the
-   Internet Society.
-
-
-
-
-Larson & Barber         Expires January 18, 2006               [Page 21]
-
diff --git a/doc/draft/draft-ietf-dnsop-dnssec-operational-practices-00.txt b/doc/draft/draft-ietf-dnsop-dnssec-operational-practices-00.txt
new file mode 100644
index 00000000..04addcfb
--- /dev/null
+++ b/doc/draft/draft-ietf-dnsop-dnssec-operational-practices-00.txt
@@ -0,0 +1,1288 @@
+
+
+DNSOP                                                         O. Kolkman
+Internet-Draft                                                  RIPE NCC
+Expires: March 1, 2004                                         R. Gieben
+                                                              NLnet Labs
+                                                          September 2003
+
+
+                      DNSSEC Operational Practices
+          draft-ietf-dnsop-dnssec-operational-practices-00.txt
+
+Status of this Memo
+
+   This document is an Internet-Draft and is in full conformance with
+   all provisions of Section 10 of RFC2026.
+
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF), its areas, and its working groups. Note that other
+   groups may also distribute working documents as Internet-Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time. It is inappropriate to use Internet-Drafts as reference
+   material or to cite them other than as "work in progress."
+
+   The list of current Internet-Drafts can be accessed at http://
+   www.ietf.org/ietf/1id-abstracts.txt.
+
+   The list of Internet-Draft Shadow Directories can be accessed at
+   http://www.ietf.org/shadow.html.
+
+   This Internet-Draft will expire on March 1, 2004.
+
+Copyright Notice
+
+   Copyright (C) The Internet Society (2003). All Rights Reserved.
+
+Abstract
+
+   This document intends to describe a set of practices for operating a
+   DNSSEC aware enviroment. Its target audience is zone administrators
+   who are deploying DNSSEC and need a guide to help them chose sensible
+   values for DNSSEC parameters. Is also discusses operational matters
+   like key rollovers, KSK and ZSK considerations and more.
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben         Expires March 1, 2004                  [Page 1]
+
+Internet-Draft        DNSSEC Operational Practices        September 2003
+
+
+Table of Contents
+
+   1.    Introduction . . . . . . . . . . . . . . . . . . . . . . . .  3
+   1.1   The use of the term 'key'  . . . . . . . . . . . . . . . . .  3
+   2.    Time in DNSSEC . . . . . . . . . . . . . . . . . . . . . . .  3
+   2.1   Time definitions . . . . . . . . . . . . . . . . . . . . . .  3
+   2.2   Time considerations  . . . . . . . . . . . . . . . . . . . .  4
+   3.    Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . .  6
+   3.1   Motivations for the KSK and ZSK functions  . . . . . . . . .  6
+   3.2   Key security considerations  . . . . . . . . . . . . . . . .  7
+   3.3   Key rollovers  . . . . . . . . . . . . . . . . . . . . . . .  8
+   3.3.1 Zone-signing key rollovers . . . . . . . . . . . . . . . . .  9
+   3.3.2 Key-signing key rollovers  . . . . . . . . . . . . . . . . . 12
+   4.    Planning for emergency key rollover. . . . . . . . . . . . . 13
+   4.1   KSK compromise . . . . . . . . . . . . . . . . . . . . . . . 13
+   4.2   ZSK compromise . . . . . . . . . . . . . . . . . . . . . . . 14
+   4.3   Compromises of keys anchored in resolvers  . . . . . . . . . 14
+   5.    Parental policies. . . . . . . . . . . . . . . . . . . . . . 14
+   5.1   Initial key exchanges and parental policies
+         considerations.  . . . . . . . . . . . . . . . . . . . . . . 14
+   5.2   Storing keys so hashes can be regenerated  . . . . . . . . . 15
+   5.3   Security lameness checks.  . . . . . . . . . . . . . . . . . 15
+   5.4   SIG DS validity period.  . . . . . . . . . . . . . . . . . . 15
+   6.    Security considerations  . . . . . . . . . . . . . . . . . . 16
+   7.    Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . 16
+         Normative References . . . . . . . . . . . . . . . . . . . . 16
+         Informative References . . . . . . . . . . . . . . . . . . . 16
+         Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 17
+   A.    Terminology  . . . . . . . . . . . . . . . . . . . . . . . . 17
+   B.    Zone-signing key rollover howto  . . . . . . . . . . . . . . 18
+   C.    Typographic conventions  . . . . . . . . . . . . . . . . . . 19
+   D.    Document Details and Changes . . . . . . . . . . . . . . . . 20
+   D.1   draft-ietf-dnsop-dnssec-operational-practices-00 . . . . . . 21
+         Intellectual Property and Copyright Statements . . . . . . . 22
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben         Expires March 1, 2004                  [Page 2]
+
+Internet-Draft        DNSSEC Operational Practices        September 2003
+
+
+1. Introduction
+
+   During workshops and early operational deployment tests, operators
+   and system administrators gained knowledge about operating DNSSEC
+   aware DNS services. This document describes these practices.
+
+   The structure of the document is as follows. It starts with
+   discussing some of the considerations with respect to timing
+   parameters of DNS in relation to DNSSEC (Section 2). Aspects of key
+   management such as key rollover schemes are described in Section 3.
+   Emergency rollover considerations are addressed in Section 4. The
+   Typographic conventions used in this document are explained in
+   Appendix C.
+
+   Since this is a document with operational suggestions and there is no
+   protocol specifications the RFC2119 [5] language does not apply.
+
+1.1 The use of the term 'key'
+
+   It is assumed that the reader is familiar with the concept of
+   asymmetric keys on which DNSSEC is based. Therefore this document
+   will use the term key rather loosely. Wherever we write that 'a key
+   is used to sign data' it is assumed that the reader knows that it is
+   the private part of the key-pair that is used for signing. It is also
+   assumed that the reader will know that the public part of the
+   key-pair is published in the DNSKEY resource record and that it is
+   the public part of a key-pair that is used in key-exchanges.
+
+2. Time in DNSSEC
+
+   Without DNSSEC all times in DNS are relative. The SOA's refresh,
+   retry and expiration timers are counters that are being used to
+   determine the time elapsed after a slave server synced (or tried to
+   sync) with a master server. The TTL value and the SOA minimum TTL
+   parameter [6] are used to to determine how long a forwarder should
+   cache data after it has been fetched from an authoritative server.
+   DNSSEC introduces the notion of an absolute time in the DNS.
+   Signatures in DNSSEC have an expiration date after which the
+   signature is invalid and the signed data is to be considered BAD.
+
+2.1 Time definitions
+
+   In this document we will be using a number of time related terms.
+   Within the context of this document the following definitions apply:
+
+   o  "Signature validity period"
+
+
+
+
+
+Kolkman & Gieben         Expires March 1, 2004                  [Page 3]
+
+Internet-Draft        DNSSEC Operational Practices        September 2003
+
+
+         The period that a signature is valid. It starts at the time
+         specified in the signature inception field of the RRSIG RR and
+         ends at the time specified in the expiration field of the RRSIG
+         RR.
+
+   o  "Signature publication period"
+
+         Time after which a signature made with a key is replaced with a
+         new signature made with the same key. This replacement takes
+         place by publishing the relevant RRSIG in the master zone file.
+         If a signature is published on time T0 and a new signature is
+         published on time T1, the signature publication period is T1 -
+         T0. If all signatures are refreshed at zone (re)signing then
+         the signature publication period is equal to the period between
+         two consecutive zone signing operations.
+
+   o  "Key publication period"
+
+         The period for which the public part of the key is published in
+         the DNS. The public part of the key can be published in the DNS
+         while it has not yet been used to sign data. As soon as a
+         public key is published a brute force attack can be attempted
+         to recover the private key. Publishing the public key in
+         advance (and not signing any data with it) does not guard
+         against this attack.
+
+         [Editor's Note: We don't use this term in the doc yet, is it
+         needed elsewhere and handy to define here? No:1 Yes:0]
+
+   o  "Maximum/Minimum Zone TTL"
+
+         The maximum or minimum value of all the TTLs in a zone.
+
+
+2.2 Time considerations
+
+   Because of the expiration of signatures one should consider the
+   following.
+
+   o  The Maximum zone TTL of your zone data should be a fraction of
+      your signature validity period.
+
+         If the TTL would be of similar order as the signature validity
+         period then all RRsets fetched during the validity period would
+         be cached until the signature expiration time.  As a result
+         query behavior might become bursty.
+
+
+
+
+
+Kolkman & Gieben         Expires March 1, 2004                  [Page 4]
+
+Internet-Draft        DNSSEC Operational Practices        September 2003
+
+
+         We suggest the TTL on all the RRs in your zone to be at least
+         an order of magnitude smaller than your signature validity
+         period.
+
+   o  The signature publication period should at least be one maximum
+      TTL smaller than the signature validity period.
+
+         If a zone is resigned shortly before the end of the signature
+         validity period this may cause simultaneous expiration of data
+         from caches which leads to bursty query behavior and increase
+         the load on authoritative servers.
+
+   o  The Minimum zone TTL should be long enough to fetch and verify all
+      the RRs in the authentication chain.
+
+            1. During validation, some data may expire before validation
+            is complete. The validator should be able to keep all the
+            data, until validation is complete. This applies to all data
+            in the chain of trust: DSs, DNSKEYs, RRSIGs, and the final
+            answers i.e. the RR that is returned for the initial query.
+
+            2. Frequent verification causes load on recursive
+            nameservers. Data at delegation points, DSs, DNSKEYs and
+            RRSIGs benefit from caching. The TTL on those should be
+            relatively long.
+
+         We have seen events where data needed for verification of an
+         authentication chain had expired from caches.
+
+         We suggest the TTL on DNSKEY and DSs to be at least of the
+         order 10 minutes to an hour and all the other RRs in your zone
+         to be at least 30 seconds. These are absolute minimum, we
+         recommend zone administrators to chose longer ones.
+
+         [Editor's Note: this observation could be implementation
+         specific. We are not sure if we should leave this item]
+
+   o  Slave servers will need to be able to fetch newly signed zones
+      well before the data expires from your zone.
+
+         If a properly implemented slave server is not able to contact a
+         master server for an extended period the data will at some
+         point expire and the slave server will not hand out any data.
+         If the server serves a DNSSEC zone than it may well happen that
+         the signatures expire well before the SOA expiration timer
+         counted down to zero. It is not possible to fully prevent this
+         from happening by tweaking the SOA parameters. But the effects
+         can be minimized if the SOA expiration time is of the same of
+
+
+
+Kolkman & Gieben         Expires March 1, 2004                  [Page 5]
+
+Internet-Draft        DNSSEC Operational Practices        September 2003
+
+
+         order of magnitude as or smaller than the signature validity
+         period.
+
+         When a zone cannot be updated while signatures in that zone
+         have expired non-secure resolvers will continue to be able to
+         resolve the data served by the particular slave servers. Only
+         security aware resolvers that receive data with expired
+         signatures will experience problems.
+
+         We suggest the SOA expiration timer being approximately one
+         third or one fourth of the signature validity period.
+
+         We also suggest that operators of nameservers with slave zones
+         develop watchdogs to be able to spot these upcoming signature
+         expirations in slave zones, so that appropriate action can be
+         taken.
+
+   o  [Editor's Note: Need examples here]
+
+
+3. Keys
+
+3.1 Motivations for the KSK and ZSK functions
+
+   Delegation Signer [7] introduced the concept of key-signing and
+   zone-signing keys.The Key-signing-flag [4] introduced the concept of
+   a key with the Secure Entry Point flag set; a key that is the first
+   key from the zone when following an authentication chain. When using
+   a key-signing key with the SEP flag set (the parent has a DS RR
+   pointing to that DNSKEY) and when using zone-signing keys without the
+   SEP flag set (a practice which we recommend ) one can use the
+   following operational procedures.
+
+   The zone-signing key can be used to sign all the data in a zone on a
+   regular basis. When a zone-signing key is to be rolled over no
+   interactions with the parent is needed. This allows for relatively
+   short "Signature Validity Periods" (order of days).
+
+   The key-signing key (with the SEP flag set) is only to be used to
+   sign the Key RR set from the zone apex. If a key-signing key is to be
+   rolled over, there will be interactions with parties other than the
+   zone maintainer such as the registry of the parent zone or
+   administrators of verifying resolvers that have the particular key
+   configured as trusted entry points. Hence, the "Key Usage Time" of
+   these keys can and should be made much longer. Although, given a long
+   enough key, the "Key Usage Time" can be on the order of years we
+   suggest to plan for a "Key Usage Time" of the order of a few months
+   so that a key rollover remains an operational routine.
+
+
+
+Kolkman & Gieben         Expires March 1, 2004                  [Page 6]
+
+Internet-Draft        DNSSEC Operational Practices        September 2003
+
+
+3.2 Key security considerations
+
+   In RFC2541 [2] a number of considerations with respect to the
+   security of keys are described. That document deals with the
+   generation, lifetime, size and storage of private keys.
+
+   In Section 3 of RFC2541 [2], Eastlake does have some suggestions: 13
+   months for long-lived keys and 36 days for transaction keys but
+   suggestions for key sizes are not made.
+
+   If we read the long-lived key being a key that is used as key-signing
+   key and transaction keys being zone signing keys, then these
+   recommendations are good starting points for an operational
+   procedure. These recommendations will lead to rollovers occurring
+   frequently enough so that they can become part of 'operational
+   habits' and the procedure does not have to be reinvented every time a
+   key is replaced.
+
+   When choosing a key sizes, zone administrators will need to take into
+   account how long a key will be used and how much data will be signed
+   during the key publication period. It is hard to give precise
+   recommendations but Lenstra and Verheul [9] supplied the following
+   table with lower bound estimates for cryptographic key sizes. Their
+   recommendations are based on a set of explicitly formulated parameter
+   settings, combined with existing data points about cryptosystems. For
+   details we refer to the original paper.
+
+   	Year		RSA key sizes	Elliptic Curve Key Size
+   	2000		952			132
+   	2001		990			135
+   	2002		1028			139
+   	2003		1068			140
+   	2004		1108			143
+
+   	2005		1149			147
+   	2006		1191			148
+   	2007		1235			152
+   	2008		1279			155
+   	2009		1323			157
+
+
+   	2010		1369			160
+   	2011		1416			163
+   	2012		1464			165
+   	2013		1513			168
+   	2014		1562			172
+
+   	2015		1613			173
+
+
+
+Kolkman & Gieben         Expires March 1, 2004                  [Page 7]
+
+Internet-Draft        DNSSEC Operational Practices        September 2003
+
+
+   	2016		1664			177
+   	2017		1717			180
+   	2018		1771			181
+   	2019		1825			185
+
+
+   	2020		1881			188
+   	2021		1937			190
+   	2022		1995			193
+   	2023		2054			197
+   	2024		2113			198
+
+   	2025		2174			202
+   	2026		2236			205
+   	2027		2299			207
+   	2028		2362			210
+   	2029		2427			213
+
+   Suppose you want your key to last 3 years and the current year is
+   2003. Add 3 to 2003 equals 2006 and read of the sizes: 1191 for
+   asymmetric keys and 148 bits for elliptic curve keys.
+
+   Note that adding only a "handful of bits" to the key size will
+   increase the key's resistance against brute force attacks.
+
+3.3 Key rollovers
+
+   Key rollovers are a fact of life when using DNSSEC. A DNSSEC key
+   cannot be used forever (see RFC2541 [2] and Section 3.2 ).  Zone
+   maintainers who are in the process of rolling their keys have to take
+   into account that data they have published in previous versions of
+   their zone still lives in caches. When deploying DNSSEC this becomes
+   an important consideration; ignoring data that may be in caches may
+   lead to loss of service for clients.
+
+   The most pressing example of this is when zone material which is
+   signed with an old key is being validated by a resolver which does
+   not have the old zone key cached. If the old key is no longer present
+   in the current zone, this validation fails, marking the data BAD.
+   Alternatively, an attempt could be made to validate data which is
+   signed with a new key against an old key that lives in a local cache,
+   also resulting in data being marked BAD.
+
+   To appreciate the situation one could think of a number of
+   authoritative servers that may not be instantaneously running the
+   same version of a zone and a security aware non-recursive resolver
+   that sits behind security aware caching forwarders.
+
+
+
+
+Kolkman & Gieben         Expires March 1, 2004                  [Page 8]
+
+Internet-Draft        DNSSEC Operational Practices        September 2003
+
+
+   Note that KSK rollovers and ZSK rollovers are different. A zone-key
+   rollover can be handled in two different way: pre-publish and
+   [Editors note: ref please] double-sig. The pre-publish technique
+   works because the key-signing key stays the same during this ZSK
+   rollover. With this KSK a cache is able to validate the new keyset of
+   a zone. With a KSK rollover a cache can not validate the new keyset,
+   because it does not trust the new KSK.
+
+   [Editors note: This needs more verbose explanation, nobody will
+   appreciate the situation just yet. Help with text and examples is
+   appreciated]
+
+3.3.1 Zone-signing key rollovers
+
+   For zone-signing key rollovers there are two ways to make sure that
+   during the rollover the data still in caches can be verified with the
+   new keysets or the newly generated signatures can be verified with
+   the keys still in caches. One schema uses double signatures, it is
+   described in Section 3.3.1.1, the other uses key pre-publication
+   (Section 3.3.1.2). The pros, cons and recommendations are described
+   in Section 3.3.1.3.
+
+3.3.1.1 A double signature zone-signing key rollover
+
+   This section shows how to perform a ZSK key rollover using the double
+   zone data signature scheme.
+
+   During the rollover stage the new version of the zone file will need
+   to propagate to all authoritative servers and the data that exists in
+   (distant) caches will need to expire, this will take at least the
+   maximum Zone TTL .
+
+       normal              roll              after
+
+       SOA0                SOA1              SOA2
+       RRSIG10(SOA0)       RRSIG10(SOA1)     RRSIG11(SOA2)
+                           RRSIG11(SOA1)
+
+       DNSKEY1             DNSKEY1           DNSKEY1
+       DNSKEY10            DNSKEY10          DNSKEY11
+                           DNSKEY11
+       RRSIG1(DNSKEY)      RRSIG1(DNSKEY)    RRSIG1(DNSKEY)
+       RRSIG10(DNSKEY)     RRSIG10(DNSKEY)   RRSIG11(DNSKEY)
+                           RRSIG11(DNSKEY)
+
+
+
+
+
+
+
+Kolkman & Gieben         Expires March 1, 2004                  [Page 9]
+
+Internet-Draft        DNSSEC Operational Practices        September 2003
+
+
+   normal: Version 0 of the zone: DNSKEY 1 is a key-signing key. DNSKEY
+      10 is used to sign all the data of the zone, it is the
+      zone-signing key.
+
+   roll: At the rollover stage (SOA serial 1) DNSKEY 11 is introduced
+      into the keyset and all the data in the zone is signed with DNSKEY
+      10 and DNSKEY 11. The rollover period will need to exist until all
+      data from version 0 of the zone has expired from remote caches.
+      This will take at least the Maximum Zone TTL of the version 0 of
+      the zone.
+
+   after: DNSKEY 10 is removed from the zone. All the signatures from
+      DNSKEY 10 are removed from the zone. The keyset, now only
+      containing DNSKEY 11 is resigned with the DNSKEY 1.
+
+   At every instance the data from the previous version of the zone can
+   be verified with the key from the current version. And vice verse,
+   the data from the current version can be verified with the data from
+   the previous version of the zone. The duration of the rollover phase
+   and the period between rollovers should be at least the "Maximum Zone
+   TTL".
+
+   To be on the safe side one could make sure that the rollover phase
+   lasts until the signature expiration time of the data in version 0 of
+   the zone. But this date could be considerable longer than the Maximum
+   Zone TTL, making the rollover a lengthly procedure.
+
+   Note that in this example we assumed that the zone did not get
+   modified during the rollover. New data can be introduced in the zone
+   as long as it is signed with both keys.
+
+3.3.1.2 Pre-publish keyset rollover
+
+   This section shows how to perform a ZSK rollover without the need to
+   sign all the data in a zone twice. We recommend this method because
+   it has advantages in the case of key compromises. If the old key gets
+   compromised the new key is already distributed in the DNS. The zone
+   administrator is then able to quickly switch to the new key and
+   remove the compromised key from the zone. Another major advantage is
+   that the zone size does not double, as is the case with the double
+   signature ZSK rollover. A small "HOWTO" for this kind of rollover can
+   be found in Appendix B.
+
+       normal          pre-roll         roll            after
+
+       SOA0            SOA1             SOA2            SOA3
+       RRSIG10(SOA0)   RRSIG10(SOA1)    RRSIG11(SOA2)   RRSIG11(SOA3)
+
+
+
+
+Kolkman & Gieben         Expires March 1, 2004                 [Page 10]
+
+Internet-Draft        DNSSEC Operational Practices        September 2003
+
+
+       DNSKEY1         DNSKEY1          DNSKEY1         DNSKEY1
+       DNSKEY10        DNSKEY10         DNSKEY10        DNSKEY11
+                       DNSKEY11         DNSKEY11
+       RRSIG1 (DNSKEY) RRSIG1 (DNSKEY)  RRSIG1(DNSKEY)  RRSIG1 (DNSKEY)
+       RRSIG10(DNSKEY) RRSIG10(DNSKEY)  RRSIG11(DNSKEY) RRSIG11(DNSKEY)
+
+
+   normal: Version 0 of the zone: DNSKEY 1 is a key-signing key. DNSKEY
+      10 is used to sign all the data of the zone, its the zone-signing
+      key.
+
+   pre-roll: DNSKEY 11 is introduced in the keyset. Note that no
+      signatures are generated with this key yet, but this will not
+      prevent brute force attacks on the public key. The minimum
+      duration of this pre-roll phase is the time it takes for the data
+      to propagate to the authoritative servers plus TTL value on the
+      keyset. This would boil down to two times the Maximum Zone TTL.
+
+   roll:
+
+      At the rollover stage (SOA serial 1) DNSKEY 11 is used to sign the
+      data in the zone (exclusively i.e. all the signatures from DNSKEY
+      10 are removed from the zone.). DNSKEY 10 remains published in the
+      keyset. This way data that was loaded into caches from version 1
+      of the zone can still be verified with key sets fetched from
+      version 2 of the zone.
+
+      The minimum time that the keyset that includes DNSKEY 10 is to be
+      published is the time that it takes for zone data from the
+      previous version of the zone to expire from old caches i.e. the
+      time it takes for this zone to propagate to all authoritative
+      servers plus the Maximum Zone TTL value of any of the data in the
+      previous version of the zone.
+
+   after: DNSKEY 10 is removed from the zone. The keyset, now only
+      containing DNSKEY 11 is resigned with the DNSKEY 1.
+
+   The above scheme can be simplified a bit by always publishing the
+   "future" key immediately after the rollover. The scheme would look
+   like this (we show 2 rollovers); the future key is introduced in
+   "after" as DNSKEY 12 and again a newer one, numbered 13, in "2nd
+   after":
+
+
+       normal          roll            after           2nd roll        2nd after
+
+       SOA0            SOA2            SOA3            SOA4            SOA5
+       RRSIG10(SOA0)   RRSIG11(SOA2)   RRSIG11(SOA3)   RRSIG12(SOA4)   RRSIG12(SOA5)
+
+
+
+Kolkman & Gieben         Expires March 1, 2004                 [Page 11]
+
+Internet-Draft        DNSSEC Operational Practices        September 2003
+
+
+       DNSKEY1         DNSKEY1         DNSKEY1         DNSKEY1         DNSKEY1
+       DNSKEY10        DNSKEY10        DNSKEY11        DNSKEY11        DNSKEY12
+       DNSKEY11        DNSKEY11        DNSKEY12        DNSKEY12        DNSKEY13
+       RRSIG1(DNSKEY)  RRSIG1 (DNSKEY) RRSIG1(DNSKEY)  RRSIG1(DNSKEY)  RRSIG1(DNSKEY)
+       RRSIG10(DNSKEY) RRSIG11(DNSKEY) RRSIG11(DNSKEY) RRSIG12(DNSKEY) RRSIG12(DNSKEY)
+
+
+   Note that the key introduced after the rollover is not used for
+   production yet; the private key can thus be stored in a physically
+   secure manner and does not need to be 'fetched' every time a zone
+   needs to be signed.
+
+   This scheme has the benefit that the key that is intended for future
+   use, can immediately be used during an emergency rollover under the
+   assumption that it was stored in a physically secure manner.
+
+3.3.1.3 Pros and cons of the schemes
+
+   A double signature rollover: The drawback of this signing scheme is
+      that during the rollover the number of signatures in your zone
+      doubles, which may be prohibitive if you have very big zones. An
+      advantage is that it only requires three steps.
+
+   Prepublish-keyset rollover: This rollover does not involve signing
+      the zone data twice. Instead, just before the actual rollover the
+      new key is published in the keyset and thus available for
+      cryptanalysis attacks. A small disavantage is that this process
+      requires four steps. Also the prepublish scheme is useless for
+      KSKs as explained in Section 3.3.
+
+
+3.3.2 Key-signing key rollovers
+
+   For the rollover of a key-signing key the same considerations as for
+   the rollover of a zone-signing key apply. However we can use a double
+   signature scheme to guarantee that old data (only the apex keyset) in
+   caches can be verified with a new keyset and vice versa. Since only
+   the keyset is signed with a KSK, size considerations do not apply.
+
+
+       normal          roll            after
+
+       SOA0            SOA1            SOA2
+       RRSIG10(SOA0)   RRSIG10(SOA1)   RRSIG10(SOA2)
+
+       DNSKEY1         DNSKEY1         DNSKEY2
+                       DNSKEY2
+       DNSKEY10        DNSKEY10        DNSKEY10
+
+
+
+Kolkman & Gieben         Expires March 1, 2004                 [Page 12]
+
+Internet-Draft        DNSSEC Operational Practices        September 2003
+
+
+       RRSIG1 (DNSKEY) RRSIG1 (DNSKEY) RRSIG2(DNSKEY)
+                       RRSIG2 (DNSKEY)
+       RRSIG10(DNSKEY) RRSIG10(DNSKEY) RRSIG10(DNSKEY)
+
+
+4. Planning for emergency key rollover.
+
+   This section deals with preparation for a possible key compromise.
+   Our advice is to have a documented procedure ready for when a key
+   compromise is suspected or confirmed.
+
+   [Editors note: We are much in favor of a rollover tactic that keeps
+   the authentication chain intact as long as possible. This has as a
+   result that one has to take all the regular rollover properties into
+   account.]
+
+   When the private material of one of your keys is compromised it can
+   be used by 'blackhats' for as long as a valid authentication chain
+   exists.  A authentication chain remains intact for:
+
+      as long as a signature over the compromised key in the
+      authentication chain is valid,
+
+      as long as a parental DS RR (and signature) points to the
+      compromised key,
+
+      as long as the key is anchored in a resolver and is used as a
+      starting point for validation. (This is the hardest to update.)
+
+   While an authentication chain to your compromised key exists your
+   name-space is vulnerable to abuse by the "blackhat". Zone operators
+   have to make a trade off if the abuse of the compromised key is worse
+   than having data in caches that cannot be validated. If the zone
+   operator chooses to break the authentication chain to the compromised
+   key, data in caches signed with this key can not be validated. On the
+   other hand if the zone administrator chooses to take the path of a
+   regular roll-over the "blackhat" can spoof data so that it appears to
+   be valid, note that this kind of attack will usually be localized in
+   the Internet topology.
+
+
+4.1 KSK compromise
+
+   When the KSK has been compromised the parent must be notified as soon
+   as possible and through secure means. The keyset of the zone should
+   be resigned as soon as possible. Care must be taken to not break the
+   authentication chain. The local zone can only be resigned with the
+   new KSK after the parent's zone has been updated with the new KSK.
+
+
+
+Kolkman & Gieben         Expires March 1, 2004                 [Page 13]
+
+Internet-Draft        DNSSEC Operational Practices        September 2003
+
+
+   Before this update takes place it would be best to drop the security
+   status of a zone all together: the parent removes the DS of the child
+   at the next zone update.  After that the child can be made secure
+   again. An additional danger of a key compromise is that the
+   compromised key can be used to facilitate a legitemate DNSKEY/DS and/
+   or nameserver rollover at the parent. When that happens the domain
+   can be in dispute. An out of band and secure notify mechanism to
+   contact a parent is needed in this case.
+
+4.2 ZSK compromise
+
+   Mainly because there is no parental interaction required when a ZSK
+   is compromised the situation is less severe than with with a KSK
+   compromise.  The zone must still be resigned with a new ZSK as soon
+   as possible. As this is a local operation and requires no
+   communication between the parent and child this can be achieved
+   fairly quickly. One has to take into account though that just as with
+   a normal rollover the immediate disappearance from the old
+   compromised key may lead to verification problems. The
+   pre-publication scheme as discussed above minimizes that problem.
+
+4.3 Compromises of keys anchored in resolvers
+
+   A key can also be pre-configured in resolvers. If DNSSEC is rolled
+   out as planned the root key should be pre-configured in every secure
+   aware resolver on the planet. [Editors Note: add more about
+   authentication of a newly received resolver key]
+
+   If that key is compromised all the resolvers should be notified of
+   this fact. Zone administrators may consider setting up a mailing list
+   to communicate the fact that a SEP key is about to be rolled over.
+   This communication will of course need to be authenticated e.g. by
+   using digital signatures.
+
+5. Parental policies.
+
+5.1 Initial key exchanges and parental policies considerations.
+
+   The initial key exchange is always subject to the policies set by the
+   parent (or its registry). When designing a key exchange policy one
+   should take into account that the authentication and authorization
+   mechanisms used during a key exchange should be as strong as the
+   authentication and authorization mechanisms used for the exchange of
+   delegation information between parent and child.
+
+   Using the DNS itself as the source for the actual DNSKEY material
+   with an off-band check on the validity of the DNSKEY has the benefit
+   that it reduces the changes of operator error. A parental DNSKEY
+
+
+
+Kolkman & Gieben         Expires March 1, 2004                 [Page 14]
+
+Internet-Draft        DNSSEC Operational Practices        September 2003
+
+
+   download tool can make use of the SEP bit [4] to select the proper
+   key from a DNSSEC keyset; thereby reducing the change that the wrong
+   DNSKEY is sent. It can validate the self-signature over a key;
+   thereby verifying the ownership of the private key material. Besides,
+   by fetching the DNSKEY from the DNS one can be sure that the child
+   will not become invisible once the parent indicates the child is
+   secure by publishing the DS RR.
+
+   Note: the off-band verification is still needed when the keymaterial
+   is fetched by a tool. The parent can not be sure if the DNSKEY RRs
+   where not spoofed.
+
+5.2 Storing keys so hashes can be regenerated
+
+   When designing a registry system one should consider if the DNSKEYs
+   or the corresponding DSs are stored. Storing DNSKEYs will help during
+   troubleshooting while the overhead of calculating DS records from
+   them is minimal.
+
+   Having a out-of-band mechanism, such as a WHOIS database, to find out
+   which keys are used to generate DS Resource Records for specific
+   owners may also help with troubleshooting.
+
+5.3 Security lameness checks.
+
+   Security lameness is defined as the event that a parent has a DS
+   Resource Record that points to a non-existing DNSKEY RR. At key
+   exchange a parent should make sure that the childs key is actually
+   configured in the DNS before publishing a DS RR in its zone. Failure
+   to do so would render the child's zone marked "BAD".
+
+   Child zones should be very careful removing DNSKEY material,
+   specifically SEP keys, for which a DS RR exist.
+
+   Once a zone is "security lame" a fix (e.g. by removing a DS RR) will
+   take time to propagate through the DNS.
+
+5.4 SIG DS validity period.
+
+   Since the DS can be replayed as long as it has a valid signature a
+   short signature validity period over the DS minimizes the time a
+   child is vulnerable in the case of a compromise of the child's KSK.
+   A signature validity period that is too short introduces the
+   possibility that a zone is marked BAD in case of a configuration
+   error in the signer; there may not be enough time to fix the problems
+   before signatures expire.  Something as mundane as weekends show the
+   need for a DS signature lifetimes longer than 2 days. We recommend
+   the minimum for a DS signature validity period to be about a few
+
+
+
+Kolkman & Gieben         Expires March 1, 2004                 [Page 15]
+
+Internet-Draft        DNSSEC Operational Practices        September 2003
+
+
+   days.
+
+   The maximum signature lifetime of the DS record depends on how long
+   child zones are willing to be vulnerable after a key compromise. We
+   consider a signature validity period of the order of one week a good
+   compromise between the operational constraints of the parent and
+   minimizing damage for the child.
+
+6. Security considerations
+
+   DNSSEC adds data integrity to the DNS. This document tries to assess
+   considerations to operate a stable and secure DNSSEC service.
+
+7. Acknowledgments
+
+   We, the folk mentioned as authors, only acted as editors. Most of the
+   ideas in this draft where the result of collective efforts during
+   workshops and discussions and try outs.
+
+   At the risk of forgetting individuals who where the original
+   contributors of the ideas we like to acknowledge people who where
+   actively involved in the compilation of this document. In
+   alphabetical order: Olafur Gudmundsson, Wesley Griffin, Michael
+   Richardson, Scott Rose, Rick van Rein, Tim McGinnis.
+
+   Kolkman and Gieben take the blame for all mistakes.
+
+Normative References
+
+   [1]  Eastlake, D., "Domain Name System Security Extensions", RFC
+        2535, March 1999.
+
+   [2]  Eastlake, D., "DNS Security Operational Considerations", RFC
+        2541, March 1999.
+
+   [3]  Lewis, E., "DNS Security Extension Clarification on Zone
+        Status", RFC 3090, March 2001.
+
+   [4]  Lewis, E., Kolkman, O. and J. Schlyter, "KEY RR Key-Signing Key
+        (KSK) Flag", draft-ietf-dnsext-keyrr-key-signing-flag-06 (work
+        in progress), February 2003.
+
+Informative References
+
+   [5]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
+        Levels", BCP 14, RFC 2119, March 1997.
+
+   [6]  Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)", RFC
+
+
+
+Kolkman & Gieben         Expires March 1, 2004                 [Page 16]
+
+Internet-Draft        DNSSEC Operational Practices        September 2003
+
+
+        2308, March 1998.
+
+   [7]  Gudmundsson, O., "Delegation Signer Resource Record",
+        draft-ietf-dnsext-delegation-signer-13 (work in progress), March
+        2003.
+
+   [8]  Arends, R., "Protocol Modifications for the DNS Security
+        Extensions", draft-ietf-dnsext-dnssec-protocol-01 (work in
+        progress), March 2003.
+
+   [9]  Lenstra, A. and E. Verheul, "Selecting Cryptographic Key Sizes",
+        The Journal of Cryptology 14 (255-293), 2001.
+
+
+Authors' Addresses
+
+   Olaf M. Kolkman
+   RIPE NCC
+   Singel 256
+   Amsterdam  1016 AB
+   NL
+
+   Phone: +31 20 535 4444
+   EMail: olaf@ripe.net
+   URI:   http://www.ripe.net/
+
+
+   Miek Gieben
+   NLnet Labs
+   Kruislaan 419
+   Amsterdam  1098 VA
+   NL
+
+   EMail: miek@nlnetlabs.nl
+   URI:   http://www.nlnetlabs.nl
+
+Appendix A. Terminology
+
+   In this document there is some jargon used that is defined in other
+   documents. In most cases we have not copied the text from the
+   documents defining the terms but give a more elaborate explanation of
+   the meaning. Note that these explanations should not be seen as
+   authoritative.
+
+   Private and Public Keys: DNSSEC secures the DNS through the use of
+      public key cryptography. Public key cryptography is based on the
+      existence of 2 keys, a public key and a private key. The public
+      keys are published in the DNS by use of the DNSKEY Resource Record
+
+
+
+Kolkman & Gieben         Expires March 1, 2004                 [Page 17]
+
+Internet-Draft        DNSSEC Operational Practices        September 2003
+
+
+      (DNSKEY RR). Private keys are supposed to remain private i.e.
+      should not be exposed to parties not-authorized to do the actual
+      signing.
+
+   Signer: The system that has access to the private key material and
+      signs the Resource Record sets in a zone. A signer may be
+      configured to sign only parts of the zone e.g. only those RRsets
+      for which existing signatures are about to expire.
+
+   KSK: A Key-Signing key (KSK) is a key that is used for exclusively
+      signing the apex keyset.  The fact that a key is a KSK is only
+      relevant to the signing tool.
+
+   ZSK: A Zone signing key (ZSK) is a key that is used for signing all
+      data in a zone.  The fact that a key is a ZSK is only relevant to
+      the signing tool.
+
+   BAD: [Editors Note: a reference here] A RRset in DNSSEC is marked
+      "bad" when a signature of a RRset does not validate against the
+      DNSKEY. Even is the key itself was not marked BAD. BAD data is not
+      cached.
+
+   Singing the Zone File: The term used for the event where an
+      administrator joyfully signs its zone file while producing melodic
+      sound patterns.
+
+
+Appendix B. Zone-signing key rollover howto
+
+   Using the pre-published signature scheme and the most conservative
+   method to assure oneself that data does not live in distant caches
+   here follows the "HOWTO". [WES: has some comments about this]
+
+      STEP 0, the preparation: Create two keys and publish them both in
+      your keyset.  Mark one of the keys as "active" and the other as
+      "published". Use the "active" key for signing your zone data.
+      Store the private part of the "published" key, preferably
+      off-line.
+
+      STEP 1, determine expiration: At the beginning of the rollover:
+      make a note of the highest expiration time of signatures in your
+      zonefile created with the current key currently marked as
+      "active".
+
+      Wait until the expiration time marked in STEP 1
+
+
+
+
+
+
+Kolkman & Gieben         Expires March 1, 2004                 [Page 18]
+
+Internet-Draft        DNSSEC Operational Practices        September 2003
+
+
+      STEP 2  Then start using the key that was marked as "published" to
+      sign your data i.e. mark it as "active". Stop using the key that
+      was marked as "active", mark it as "rolled".
+
+      STEP 3: It is safe to engage in a new rollover (STEP 1) after at
+      least one "signature validity period".
+
+
+Appendix C. Typographic conventions
+
+   The following typographic conventions are used in this document:
+
+   Key notation: A key is denoted by KEYx, where x is a number, x could
+      be thought of as the key id.
+
+   RRset notations: RRs are only denoted by the type all other
+      information, owner, class, rdata and TTL is left out. Thus:
+      example.com 3600 IN A 192.168.1.1 is reduced to: A. RRsets are a
+      list of RRs. A example of this would be: A1,A2, specifying the
+      RRset containing two A records. This could again be abreviated to
+      just: A.
+
+   Signature notation: Signatures are denoted as SIGx(RRset), which
+      means that RRset is signed with KEYx.
+
+   Zone representation: Using the above notation we have simplify the
+      representation of a signed zone by leaving out all unneeded
+      details such as the names and by just representing all data by
+      "SOAx"
+
+   SOA representation: Soa's are represented as SOA x, where x is the
+      serial number.
+
+   Using this notation the following zone :
+
+
+   example.net.      600     IN SOA  ns.example.net. ernie.example.net. (
+                                     10         ; serial
+                                     450        ; refresh (7 minutes 30 seconds)
+                                     600        ; retry (10 minutes)
+                                     345600     ; expire (4 days)
+                                     300        ; minimum (5 minutes)
+                                     )
+                     600     RRSIG   SOA 5 2 600 20130522213204 (
+                                     20130422213204 14 example.net.
+                                     cmL62SI6iAX46xGNQAdQ... )
+                     600     NS      a.iana-servers.net.
+                     600     NS      b.iana-servers.net.
+
+
+
+Kolkman & Gieben         Expires March 1, 2004                 [Page 19]
+
+Internet-Draft        DNSSEC Operational Practices        September 2003
+
+
+                     600     RRSIG   NS 5 2 600 20130507213204 (
+                                     20130407213204 14 example.net.
+                                     SO5epiJei19AjXoUpFnQ ... )
+                     3600    DNSKEY  256 3 5 (
+                                     EtRB9MP5/AvOuVO0I8XDxy0...
+                                     ) ; key id = 14
+                     3600    DNSKEY  256 3 5 (
+                                     gsPW/Yy19GzYIY+Gnr8HABU...
+                                     ) ; key id = 15
+                     3600    RRSIG   DNSKEY 5 2 3600 20130522213204 (
+                                     20130422213204 14 example.net.
+                                     J4zCe8QX4tXVGjV4e1r9... )
+                     3600    RRSIG   DNSKEY 5 2 3600 20130522213204 (
+                                     20130422213204 15 example.net.
+                                     keVDCOpsSeDReyV6O... )
+                     600     NSEC    a.example.net. NS SOA TXT RRSIG DNSKEY NSEC
+                     600     RRSIG   NSEC 5 2 600 20130507213204 (
+                                     20130407213204 14 example.net.
+                                     obj3HEp1GjnmhRjX... )
+   a.example.net.    600     IN TXT  "A label"
+                     600     RRSIG   TXT 5 3 600 20130507213204 (
+                                     20130407213204 14 example.net.
+                                     IkDMlRdYLmXH7QJnuF3v... )
+                     600     NSEC    b.example.com. TXT RRSIG NSEC
+                     600     RRSIG   NSEC 5 3 600 20130507213204 (
+                                     20130407213204 14 example.net.
+                                     bZMjoZ3bHjnEz0nIsPMM... )
+
+                     ...
+
+
+    is reduced to the following represenation:
+
+       SOA10
+       RRSIG14(SOA10)
+
+       DNSKEY14
+       DNSKEY15
+
+       RRSIG14(KEY)
+       RRSIG15(KEY)
+
+    The rest of the zone data has the same signature as the SOA record,
+   i.e a RRSIG created with DNSKEY 14.
+
+Appendix D. Document Details and Changes
+
+   This section is to be removed by the RFC editor if and when the
+
+
+
+Kolkman & Gieben         Expires March 1, 2004                 [Page 20]
+
+Internet-Draft        DNSSEC Operational Practices        September 2003
+
+
+   document is published.
+
+   $Header: /var/cvs/dnssec-key/
+   draft-ietf-dnsop-dnssec-operational-practices.xml,v 1.5 2003/10/10
+   09:49:07 dnssec Exp $
+
+D.1 draft-ietf-dnsop-dnssec-operational-practices-00
+
+   Submission as working group document. This document is a modified and
+   updated version of draft-kolkman-dnssec-operational-practices-00.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben         Expires March 1, 2004                 [Page 21]
+
+Internet-Draft        DNSSEC Operational Practices        September 2003
+
+
+Intellectual Property Statement
+
+   The IETF takes no position regarding the validity or scope of any
+   intellectual property or other rights that might be claimed to
+   pertain to the implementation or use of the technology described in
+   this document or the extent to which any license under such rights
+   might or might not be available; neither does it represent that it
+   has made any effort to identify any such rights. Information on the
+   IETF's procedures with respect to rights in standards-track and
+   standards-related documentation can be found in BCP-11. Copies of
+   claims of rights made available for publication and any assurances of
+   licenses to be made available, or the result of an attempt made to
+   obtain a general license or permission for the use of such
+   proprietary rights by implementors or users of this specification can
+   be obtained from the IETF Secretariat.
+
+   The IETF invites any interested party to bring to its attention any
+   copyrights, patents or patent applications, or other proprietary
+   rights which may cover technology that may be required to practice
+   this standard. Please address the information to the IETF Executive
+   Director.
+
+
+Full Copyright Statement
+
+   Copyright (C) The Internet Society (2003). All Rights Reserved.
+
+   This document and translations of it may be copied and furnished to
+   others, and derivative works that comment on or otherwise explain it
+   or assist in its implementation may be prepared, copied, published
+   and distributed, in whole or in part, without restriction of any
+   kind, provided that the above copyright notice and this paragraph are
+   included on all such copies and derivative works. However, this
+   document itself may not be modified in any way, such as by removing
+   the copyright notice or references to the Internet Society or other
+   Internet organizations, except as needed for the purpose of
+   developing Internet standards in which case the procedures for
+   copyrights defined in the Internet Standards process must be
+   followed, or as required to translate it into languages other than
+   English.
+
+   The limited permissions granted above are perpetual and will not be
+   revoked by the Internet Society or its successors or assignees.
+
+   This document and the information contained herein is provided on an
+   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+
+
+
+Kolkman & Gieben         Expires March 1, 2004                 [Page 22]
+
+Internet-Draft        DNSSEC Operational Practices        September 2003
+
+
+   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+Acknowledgment
+
+   Funding for the RFC Editor function is currently provided by the
+   Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben         Expires March 1, 2004                 [Page 23]
+
diff --git a/doc/draft/draft-ietf-dnsop-dnssec-operational-practices-04.txt b/doc/draft/draft-ietf-dnsop-dnssec-operational-practices-04.txt
deleted file mode 100644
index a5d0d607..00000000
--- a/doc/draft/draft-ietf-dnsop-dnssec-operational-practices-04.txt
+++ /dev/null
@@ -1,1736 +0,0 @@
-
-
-
-DNSOP                                                         O. Kolkman
-Internet-Draft                                                  RIPE NCC
-Expires: September 2, 2005                                     R. Gieben
-                                                              NLnet Labs
-                                                              March 2005
-
-
-                      DNSSEC Operational Practices
-          draft-ietf-dnsop-dnssec-operational-practices-04.txt
-
-Status of this Memo
-
-   By submitting this Internet-Draft, each author represents that any
-   applicable patent or other IPR claims of which he or she is aware
-   have been or will be disclosed, and any of which he or she becomes
-   aware will be disclosed, in accordance with Section 6 of BCP 79.
-
-   Internet-Drafts are working documents of the Internet Engineering
-   Task Force (IETF), its areas, and its working groups.  Note that
-   other groups may also distribute working documents as Internet-
-   Drafts.
-
-   Internet-Drafts are draft documents valid for a maximum of six months
-   and may be updated, replaced, or obsoleted by other documents at any
-   time.  It is inappropriate to use Internet-Drafts as reference
-   material or to cite them other than as "work in progress."
-
-   The list of current Internet-Drafts can be accessed at
-   http://www.ietf.org/ietf/1id-abstracts.txt.
-
-   The list of Internet-Draft Shadow Directories can be accessed at
-   http://www.ietf.org/shadow.html.
-
-   This Internet-Draft will expire on September 2, 2005.
-
-Copyright Notice
-
-   Copyright (C) The Internet Society (2005).
-
-Abstract
-
-   This document describes a set of practices for operating the DNS with
-   security extensions (DNSSEC).  The target audience is zone
-   administrators deploying DNSSEC.
-
-   The document discusses operational aspects of using keys and
-   signatures in the DNS.  It discusses issues as key generation, key
-   storage, signature generation, key rollover and related policies.
-
-
-
-Kolkman & Gieben        Expires September 2, 2005               [Page 1]
-
-Internet-Draft        DNSSEC Operational Practices            March 2005
-
-
-Table of Contents
-
-   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  4
-     1.1   The Use of the Term 'key'  . . . . . . . . . . . . . . . .  4
-     1.2   Time Definitions . . . . . . . . . . . . . . . . . . . . .  5
-   2.  Keeping the Chain of Trust Intact  . . . . . . . . . . . . . .  5
-   3.  Keys Generation and Storage  . . . . . . . . . . . . . . . . .  6
-     3.1   Zone and Key Signing Keys  . . . . . . . . . . . . . . . .  6
-       3.1.1   Motivations for the KSK and ZSK Separation . . . . . .  6
-       3.1.2   KSKs for high level zones  . . . . . . . . . . . . . .  7
-     3.2   Randomness . . . . . . . . . . . . . . . . . . . . . . . .  8
-     3.3   Key Effectivity Period . . . . . . . . . . . . . . . . . .  8
-     3.4   Key Algorithm  . . . . . . . . . . . . . . . . . . . . . .  9
-     3.5   Key Sizes  . . . . . . . . . . . . . . . . . . . . . . . .  9
-     3.6   Private Key Storage  . . . . . . . . . . . . . . . . . . . 10
-   4.  Signature generation, Key Rollover and Related Policies  . . . 11
-     4.1   Time in DNSSEC . . . . . . . . . . . . . . . . . . . . . . 11
-       4.1.1   Time Considerations  . . . . . . . . . . . . . . . . . 11
-     4.2   Key Rollovers  . . . . . . . . . . . . . . . . . . . . . . 13
-       4.2.1   Zone-signing Key Rollovers . . . . . . . . . . . . . . 13
-       4.2.2   Key-signing Key Rollovers  . . . . . . . . . . . . . . 17
-       4.2.3   Difference Between ZSK and KSK Rollovers . . . . . . . 18
-       4.2.4   Automated Key Rollovers  . . . . . . . . . . . . . . . 19
-     4.3   Planning for Emergency Key Rollover  . . . . . . . . . . . 19
-       4.3.1   KSK Compromise . . . . . . . . . . . . . . . . . . . . 20
-       4.3.2   ZSK Compromise . . . . . . . . . . . . . . . . . . . . 20
-       4.3.3   Compromises of Keys Anchored in Resolvers  . . . . . . 20
-     4.4   Parental Policies  . . . . . . . . . . . . . . . . . . . . 21
-       4.4.1   Initial Key Exchanges and Parental Policies
-               Considerations . . . . . . . . . . . . . . . . . . . . 21
-       4.4.2   Storing Keys or Hashes?  . . . . . . . . . . . . . . . 21
-       4.4.3   Security Lameness  . . . . . . . . . . . . . . . . . . 22
-       4.4.4   DS Signature Validity Period . . . . . . . . . . . . . 22
-   5.  Security Considerations  . . . . . . . . . . . . . . . . . . . 23
-   6.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 23
-   7.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 24
-     7.1   Normative References . . . . . . . . . . . . . . . . . . . 24
-     7.2   Informative References . . . . . . . . . . . . . . . . . . 24
-       Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 25
-   A.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . . 25
-   B.  Zone-signing Key Rollover Howto  . . . . . . . . . . . . . . . 26
-   C.  Typographic Conventions  . . . . . . . . . . . . . . . . . . . 26
-   D.  Document Details and Changes . . . . . . . . . . . . . . . . . 29
-     D.1   draft-ietf-dnsop-dnssec-operational-practices-00 . . . . . 29
-     D.2   draft-ietf-dnsop-dnssec-operational-practices-01 . . . . . 29
-     D.3   draft-ietf-dnsop-dnssec-operational-practices-02 . . . . . 29
-     D.4   draft-ietf-dnsop-dnssec-operational-practices-03 . . . . . 29
-     D.5   draft-ietf-dnsop-dnssec-operational-practices-04 . . . . . 30
-
-
-
-Kolkman & Gieben        Expires September 2, 2005               [Page 2]
-
-Internet-Draft        DNSSEC Operational Practices            March 2005
-
-
-       Intellectual Property and Copyright Statements . . . . . . . . 31
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben        Expires September 2, 2005               [Page 3]
-
-Internet-Draft        DNSSEC Operational Practices            March 2005
-
-
-1.  Introduction
-
-   During workshops and early operational deployment tests, operators
-   and system administrators gained experience about operating the DNS
-   with security extensions (DNSSEC).  This document translates these
-   experiences into a set of practices for zone administrators.  At the
-   time of writing, there exists very little experience with DNSSEC in
-   production environments; this document should therefore explicitly
-   not be seen as representing 'Best Current Practices'.
-
-   The procedures herein are focused on the maintenance of signed zones
-   (i.e. signing and publishing zones on authoritative servers).  It is
-   intended that maintenance of zones such as resigning or key rollovers
-   be transparent to any verifying clients on the Internet.
-
-   The structure of this document is as follows.  In Section 2 we
-   discuss the importance of keeping the "chain of trust" intact.
-   Aspects of key generation and storage of private keys are discussed
-   in Section 3; the focus in this section is mainly on the private part
-   of the key(s).  Section 4 describes considerations concerning the
-   public part of the keys.  Since these public keys appear in the DNS
-   one has to take into account all kinds of timing issues, which are
-   discussed in Section 4.1.  Section 4.2 and Section 4.3 deal with the
-   rollover, or which, of keys.  Finally Section 4.4 discusses
-   considerations on how parents deal with their children's public keys
-   in order to maintain chains of trust.
-
-   The typographic conventions used in this document are explained in
-   Appendix C.
-
-   Since this is a document with operational suggestions and there are
-   no protocol specifications, the RFC2119 [4] language does not apply.
-
-   This document obsoletes RFC2541 [7]
-
-1.1  The Use of the Term 'key'
-
-   It is assumed that the reader is familiar with the concept of
-   asymmetric keys on which DNSSEC is based (Public Key Cryptography
-   [11]).  Therefore, this document will use the term 'key' rather
-   loosely.  Where it is written that 'a key is used to sign data' it is
-   assumed that the reader understands that it is the private part of
-   the key-pair that is used for signing.  It is also assumed that the
-   reader understands that the public part of the key-pair is published
-   in the DNSKEY resource record and that it is the public part that is
-   used in key-exchanges.
-
-
-
-
-
-Kolkman & Gieben        Expires September 2, 2005               [Page 4]
-
-Internet-Draft        DNSSEC Operational Practices            March 2005
-
-
-1.2  Time Definitions
-
-   In this document we will be using a number of time related terms.
-   The following definitions apply:
-   o  "Signature validity period"
-         The period that a signature is valid.  It starts at the time
-         specified in the signature inception field of the RRSIG RR and
-         ends at the time specified in the expiration field of the RRSIG
-         RR.
-   o  "Signature publication period"
-         Time after which a signature (made with a specific key) is
-         replaced with a new signature (made with the same key).  This
-         replacement takes place by publishing the relevant RRSIG in the
-         master zone file.
-         After one stopped publishing an RRSIG in a zone it may take a
-         while before the RRSIG has expired from caches and has actually
-         been removed from the DNS.
-   o  "Key effectivity period"
-         The period which a key pair is expected to be effective.  This
-         period is defined as the time between the first inception time
-         stamp and the last expiration date of any signature made with
-         this key.
-         The key effectivity period can span multiple signature validity
-         periods.
-   o  "Maximum/Minimum Zone TTL"
-         The maximum or minimum value of the TTLs from the complete set
-         of RRs in a zone.
-
-2.  Keeping the Chain of Trust Intact
-
-   Maintaining a valid chain of trust is important because broken chains
-   of trust will result in data being marked as Bogus (as defined in [2]
-   section 5), which may cause entire (sub)domains to become invisible
-   to verifying clients.  The administrators of secured zones have to
-   realize that their zone is, to their clients, part of a chain of
-   trust.
-
-   As mentioned in the introduction, the procedures herein are intended
-   to ensure maintenance of zones, such as resigning or key rollovers,
-   will be transparent to the verifying clients on the Internet.
-
-   Administrators of secured zones will have to keep in mind that data
-   published on an authoritative primary server will not be immediately
-   seen by verifying clients; it may take some time for the data to be
-   transfered to other secondary authoritative nameservers and clients
-   may be fetching data from caching non-authoritative servers.
-
-   For the verifying clients it is important that data from secured
-
-
-
-Kolkman & Gieben        Expires September 2, 2005               [Page 5]
-
-Internet-Draft        DNSSEC Operational Practices            March 2005
-
-
-   zones can be used to build chains of trust regardless of whether the
-   data came directly from an authoritative server, a caching nameserver
-   or some middle box.  Only by carefully using the available timing
-   parameters can a zone administrator assure that the data necessary
-   for verification can be obtained.
-
-   The responsibility for maintaining the chain of trust is shared by
-   administrators of secured zones in the chain of trust.  This is most
-   obvious in the case of a 'key compromise' when a trade off between
-   maintaining a valid chain of trust and replacing the compromised keys
-   as soon as possible must be made.  Then zone administrators will have
-   to make a trade off, between keeping the chain of trust intact -
-   thereby allowing for attacks with the compromised key - or to
-   deliberately break the chain of trust and making secured sub domains
-   invisible to security aware resolvers.  Also see Section 4.3.
-
-3.  Keys Generation and Storage
-
-   This section describes a number of considerations with respect to the
-   security of keys.  It deals with the generation, effectivity period,
-   size and storage of private keys.
-
-3.1  Zone and Key Signing Keys
-
-   The DNSSEC validation protocol does not distinguish between DNSKEYs.
-   All DNSKEYs can be used during the validation.  In practice operators
-   use Key Signing and Zone Signing Keys and use the so-called (Secure
-   Entry Point) SEP flag to distinguish between them during operations.
-   The dynamics and considerations are discussed below.
-
-   To make zone resigning and key rollover procedures easier to
-   implement, it is possible to use one or more keys as Key Signing Keys
-   (KSK).  These keys will only sign the apex DNSKEY RR set in a zone.
-   Other keys can be used to sign all the RRsets in a zone and are
-   referred to as Zone Signing Keys (ZSK).  In this document we assume
-   that KSKs are the subset of keys that are used for key exchanges with
-   the parent and potentially for configuration as trusted anchors - the
-   SEP keys.  In this document we assume a one-to-one mapping between
-   KSK and SEP keys and we assume the SEP flag [1] to be set on all
-   KSKs.
-
-3.1.1  Motivations for the KSK and ZSK Separation
-
-   Differentiating between the KSK and ZSK functions has several
-   advantages:
-
-
-
-
-
-
-Kolkman & Gieben        Expires September 2, 2005               [Page 6]
-
-Internet-Draft        DNSSEC Operational Practices            March 2005
-
-
-   o  No parent/child interaction is required when ZSKs are updated.
-   o  The KSK can be made stronger (i.e. using more bits in the key
-      material).  This has little operational impact since it is only
-      used to sign a small fraction of the zone data.  Also when
-      verifying the KSK is only used to verify the zone's keyset.
-   o  As the KSK is only used to sign a key set, which is most probably
-      updated less frequently than other data in the zone, it can be
-      stored separately from and in a safer location than the ZSK.
-   o  A KSK can have a longer key effectivity period.
-
-   For almost any method of key management and zone signing the KSK is
-   used less frequently than the ZSK.  Once a key set is signed with the
-   KSK all the keys in the key set can be used as ZSK.  If a ZSK is
-   compromised, it can be simply dropped from the key set.  The new key
-   set is then resigned with the KSK.
-
-   Given the assumption that for KSKs the SEP flag is set, the KSK can
-   be distinguished from a ZSK by examining the flag field in the DNSKEY
-   RR.  If the flag field is an odd number it is a KSK.  If it is an
-   even number it is a ZSK.
-
-   The zone-signing key can be used to sign all the data in a zone on a
-   regular basis.  When a zone-signing key is to be rolled, no
-   interaction with the parent is needed.  This allows for "Signature
-   Validity Periods" on the order of days.
-
-   The key-signing key is only to be used to sign the DNSKEY RRs in a
-   zone.  If a key-signing key is to be rolled over, there will be
-   interactions with parties other than the zone administrator.  These
-   can include the registry of the parent zone or administrators of
-   verifying resolvers that have the particular key configured as
-   trusted entry points.  Hence, the key effectivity period of these
-   keys can and should be made much longer.  Although, given a long
-   enough key, the Key Usage Time can be on the order of years we
-   suggest planning for a key effectivity of the order of a few months
-   so that a key rollover remains an operational routine.
-
-3.1.2  KSKs for high level zones
-
-   Higher level zones are generally more sensitive than lower level
-   zones.  Anyone controlling or breaking the security of a zone thereby
-   obtains authority over all of its sub domains (except in the case of
-   resolvers that have locally configured the public key of a sub
-   domain).  Therefore, extra care should be taken with high level zones
-   and strong keys used.
-
-   The root zone is the most critical of all zones.  Someone controlling
-   or compromising the security of the root zone would control the
-
-
-
-Kolkman & Gieben        Expires September 2, 2005               [Page 7]
-
-Internet-Draft        DNSSEC Operational Practices            March 2005
-
-
-   entire DNS name space of all resolvers using that root zone (except
-   in the case of resolvers that have locally configured the public key
-   of a sub domain).  Therefore, the utmost care must be taken in the
-   securing of the root zone.  The strongest and most carefully handled
-   keys should be used.  The root zone private key should always be kept
-   off line.
-
-   Many resolvers will start at a root server for their access to and
-   authentication of DNS data.  Securely updating the trust anchors in
-   an enormous population of resolvers around the world will be
-   extremely difficult.
-
-3.2  Randomness
-
-   Careful generation of all keys is a sometimes overlooked but
-   absolutely essential element in any cryptographically secure system.
-   The strongest algorithms used with the longest keys are still of no
-   use if an adversary can guess enough to lower the size of the likely
-   key space so that it can be exhaustively searched.  Technical
-   suggestions for the generation of random keys will be found in
-   RFC1750 [3].  One should carefully assess if the random number
-   generator used during key generation adheres to these suggestions.
-
-   Keys with a long effectivity period are particularly sensitive as
-   they will represent a more valuable target and be subject to attack
-   for a longer time than short period keys.  It is strongly recommended
-   that long term key generation occur off-line in a manner isolated
-   from the network via an air gap or, at a minimum, high level secure
-   hardware.
-
-3.3  Key Effectivity Period
-
-   For various reasons keys in DNSSEC need to be changed once in a
-   while.  The longer a key is in use, the greater the probability that
-   it will have been compromised through carelessness, accident,
-   espionage, or cryptanalysis.  Furthermore when key rollovers are too
-   rare an event, they will not become part of the operational habit and
-   there is risk that nobody on-site will remember the procedure for
-   rollover when the need is there.
-
-   For Key Signing Keys a reasonable key effectivity period is 13
-   months, with the intent to replace them after 12 months.  An intended
-   key effectivity period of a month is reasonable for Zone Signing
-   Keys.
-
-   Using these recommendations will lead to rollovers occurring
-   frequently enough to become part of 'operational habits'; the
-   procedure does not have to be reinvented every time a key is
-
-
-
-Kolkman & Gieben        Expires September 2, 2005               [Page 8]
-
-Internet-Draft        DNSSEC Operational Practices            March 2005
-
-
-   replaced.
-
-   Key effectivity periods can be made very short, as in the order of a
-   few minutes.  But when replacing keys one has to take the
-   considerations from Section 4.1 and Section 4.2 into account.
-
-3.4  Key Algorithm
-
-   There are currently three different types of algorithms that can be
-   used in DNSSEC: RSA, DSA and elliptic curve cryptography.  The latter
-   is fairly new and still needs to be standardized for usage in DNSSEC.
-
-   RSA has been developed in an open and transparent manner.  As the
-   patent on RSA expired in 2000, its use is now also free.
-
-   DSA has been developed by NIST.  The creation of signatures is
-   roughly done at the same speed as with RSA, but is 10 to 40 times as
-   slow for verification [11].
-
-   We suggest the use of RSA/SHA-1 as the preferred algorithm for the
-   key.  The current known attacks on RSA can be defeated by making your
-   key longer.  As the MD5 hashing algorithm is showing (theoretical)
-   cracks, we recommend the usage of SHA1.
-
-   In 2005 some discoveries were made that SHA-1 also has some
-   weaknesses.  Currently SHA-1 is strong enough for DNSSEC.  It is
-   expected that a new hashing algorithm is rolled out, before any
-   attack becomes practical.
-
-3.5  Key Sizes
-
-   When choosing key sizes, zone administrators will need to take into
-   account how long a key will be used and how much data will be signed
-   during the key publication period.  It is hard to give precise
-   recommendations but Lenstra and Verheul [10] supplied the following
-   table with lower bound estimates for cryptographic key sizes.  Their
-   recommendations are based on a set of explicitly formulated parameter
-   settings, combined with existing data points about cryptographic
-   systems.  For details we refer to the original paper.
-
-
-
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben        Expires September 2, 2005               [Page 9]
-
-Internet-Draft        DNSSEC Operational Practices            March 2005
-
-
-       Year    RSA Key Sizes       Year    RSA Key Sizes
-
-       2000        952             2015        1613
-       2001        990             2016        1664
-       2002        1028            2017        1717
-       2003        1068            2018        1771
-       2004        1108            2019        1825
-
-
-       2005        1149            2020        1881
-       2006        1191            2021        1937
-       2007        1235            2022        1995
-       2008        1279            2023        2054
-       2009        1323            2024        2113
-
-
-       2026        2236            2025        2174
-       2010        1369            2027        2299
-       2011        1416            2028        2362
-       2012        1464            2029        2427
-       2013        1513
-       2014        1562
-
-   For example, should you wish your key to last three years from 2003,
-   check the RSA key size values for 2006 in this table.  In this case
-   it should be at least 1191 bits.
-
-   Please keep in mind that nobody can see into the future, and that
-   these key lengths are only provided here as a guide.
-
-   When determining a key size one should take into account that a large
-   key will be slower during generation and verification.  For RSA,
-   verification, the most common operation, will vary roughly with the
-   square of the key size; signing will vary with the cube of the key
-   size length; and key generation will vary with the fourth power of
-   the modulus length.  Besides larger keys will increase the sizes of
-   the RRSIG and DNSKEY records and will therefore increase the chance
-   of DNS UDP packet overflow.  Also see Section 3.1.1 for a discussion
-   of how keys serving different roles (ZSK v.  KSK) may need different
-   key strengths.
-
-3.6  Private Key Storage
-
-   It is recommended that, where possible, zone private keys and the
-   zone file master copy be kept and used in off-line, non-network
-   connected, physically secure machines only.  Periodically an
-   application can be run to add authentication to a zone by adding
-   RRSIG and NSEC RRs.  Then the augmented file can be transferred,
-
-
-
-Kolkman & Gieben        Expires September 2, 2005              [Page 10]
-
-Internet-Draft        DNSSEC Operational Practices            March 2005
-
-
-   perhaps by sneaker-net, to the networked zone primary server machine.
-
-   The ideal situation is to have a one way information flow to the
-   network to avoid the possibility of tampering from the network.
-   Keeping the zone master file on-line on the network and simply
-   cycling it through an off-line signer does not do this.  The on-line
-   version could still be tampered with if the host it resides on is
-   compromised.  For maximum security, the master copy of the zone file
-   should be off net and should not be updated based on an unsecured
-   network mediated communication.
-
-   In general keeping a zone-file off-line will not be practical and the
-   machines on which zone files are maintained will be connected to a
-   network.  Operators are advised to take security measures to shield
-   unauthorized access to the master copy.
-
-   For dynamically updated secured zones [5] both the master copy and
-   the private key that is used to update signatures on updated RRs will
-   need to be on line.
-
-4.  Signature generation, Key Rollover and Related Policies
-
-4.1  Time in DNSSEC
-
-   Without DNSSEC all times in DNS are relative.  The SOA RR's refresh,
-   retry and expiration timers are counters that are used to determine
-   the time elapsed after a slave server synchronized (or tried to
-   synchronize) with a master server.  The Time to Live (TTL) value and
-   the SOA RR minimum TTL parameter [6] are used to determine how long a
-   forwarder should cache data after it has been fetched from an
-   authoritative server.  By using a signature validity period, DNSSEC
-   introduces the notion of an absolute time in the DNS.  Signatures in
-   DNSSEC have an expiration date after which the signature is marked as
-   invalid and the signed data is to be considered Bogus.
-
-4.1.1  Time Considerations
-
-   Because of the expiration of signatures, one should consider the
-   following:
-   o  We suggest the Maximum Zone TTL of your zone data to be a fraction
-      of your signature validity period.
-         If the TTL would be of similar order as the signature validity
-         period, then all RRsets fetched during the validity period
-         would be cached until the signature expiration time.  Section
-         7.1 of [2] suggests that "the resolver may use the time
-         remaining before expiration of the signature validity period of
-         a signed RRset as an upper bound for the TTL".  As a result
-         query load on authoritative servers would peak at signature
-
-
-
-Kolkman & Gieben        Expires September 2, 2005              [Page 11]
-
-Internet-Draft        DNSSEC Operational Practices            March 2005
-
-
-         expiration time, as this is also the time at which records
-         simultaneously expire from caches.
-         To avoid query load peaks we suggest the TTL on all the RRs in
-         your zone to be at least a few times smaller than your
-         signature validity period.
-   o  We suggest the signature publication period to be at least one
-      maximum TTL smaller than the signature validity period.
-         Resigning a zone shortly before the end of the signature
-         validity period may cause simultaneous expiration of data from
-         caches.  This in turn may lead to peaks in the load on
-         authoritative servers.
-   o  We suggest the minimum zone TTL to be long enough to both fetch
-      and verify all the RRs in the authentication chain.  A low TTL
-      could cause two problems:
-         1.  During validation, some data may expire before the
-         validation is complete.  The validator should be able to keep
-         all data, until is completed.  This applies to all RRs needed
-         to complete the chain of trust: DSs, DNSKEYs, RRSIGs, and the
-         final answers i.e. the RR set that is returned for the initial
-         query.
-         2.  Frequent verification causes load on recursive nameservers.
-         Data at delegation points, DSs, DNSKEYs and RRSIGs benefit from
-         caching.  The TTL on those should be relatively long.
-   o  Slave servers will need to be able to fetch newly signed zones
-      well before the RRSIGs in the zone served by the slave server pass
-      their signature expiration time.
-         When a slave server is out of sync with its master and data in
-         a zone is signed by expired signatures it may be better for the
-         slave server not to give out any answer.
-         Normally a slave server that is not able to contact a master
-         server for an extended period will expire a zone.  When that
-         happens the zone will not respond on queries.  The time of
-         expiration is set in the SOA record and is relative to the last
-         successful refresh between the master and the slave server.
-         There exists no coupling between the signature expiration of
-         RRSIGs in the zone and the expire parameter in the SOA.
-         If the server serves a DNSSEC zone than it may well happen that
-         the signatures expire well before the SOA expiration timer
-         counts down to zero.  It is not possible to completely prevent
-         this from happening by tweaking the SOA parameters.
-         However, the effects can be minimized where the SOA expiration
-         time is equal or smaller than the signature validity period.
-         The consequence of an authoritative server not being able to
-         update a zone, whilst that zone includes expired signatures, is
-         that non-secure resolvers will continue to be able to resolve
-         data served by the particular slave servers while security
-         aware resolvers will experience problems because of answers
-         being marked as Bogus.
-
-
-
-Kolkman & Gieben        Expires September 2, 2005              [Page 12]
-
-Internet-Draft        DNSSEC Operational Practices            March 2005
-
-
-         We suggest the SOA expiration timer being approximately one
-         third or one fourth of the signature validity period.  It will
-         allow problems with transfers from the master server to be
-         noticed before the actual signature time out.
-         We also suggest that operators of nameservers that supply
-         secondary services develop 'watch dogs' to spot upcoming
-         signature expirations in zones they slave, and take appropriate
-         action.
-         When determining the value for the expiration parameter one has
-         to take the following into account: What are the chances that
-         all my secondary zones expire; How quickly can I reach an
-         administrator of secondary servers to load a valid zone?  All
-         these arguments are not DNSSEC specific but may influence the
-         choice of your signature validity intervals.
-
-4.2  Key Rollovers
-
-   A DNSSEC key cannot be used forever (see Section 3.3).  So key
-   rollovers -- or supercessions, as they are sometimes called -- are a
-   fact of life when using DNSSEC.  Zone administrators who are in the
-   process of rolling their keys have to take into account that data
-   published in previous versions of their zone still lives in caches.
-   When deploying DNSSEC, this becomes an important consideration;
-   ignoring data that may be in caches may lead to loss of service for
-   clients.
-
-   The most pressing example of this is when zone material signed with
-   an old key is being validated by a resolver which does not have the
-   old zone key cached.  If the old key is no longer present in the
-   current zone, this validation fails, marking the data Bogus.
-   Alternatively, an attempt could be made to validate data which is
-   signed with a new key against an old key that lives in a local cache,
-   also resulting in data being marked Bogus.
-
-4.2.1  Zone-signing Key Rollovers
-
-   For zone-signing key rollovers there are two ways to make sure that
-   during the rollover data still cached can be verified with the new
-   key sets or newly generated signatures can be verified with the keys
-   still in caches.  One schema, described in Section 4.2.1.2, uses
-   double signatures; the other uses key pre-publication
-   (Section 4.2.1.1).  The pros, cons and recommendations are described
-   in Section 4.2.1.3.
-
-4.2.1.1  Pre-publish key set Rollover
-
-   This section shows how to perform a ZSK rollover without the need to
-   sign all the data in a zone twice - the so-called "pre-publish
-
-
-
-Kolkman & Gieben        Expires September 2, 2005              [Page 13]
-
-Internet-Draft        DNSSEC Operational Practices            March 2005
-
-
-   rollover".This method has advantages in the case of a key compromise.
-   If the old key is compromised, the new key has already been
-   distributed in the DNS.  The zone administrator is then able to
-   quickly switch to the new key and remove the compromised key from the
-   zone.  Another major advantage is that the zone size does not double,
-   as is the case with the double signature ZSK rollover.  A small
-   "HOWTO" for this kind of rollover can be found in Appendix B.
-
-    normal          pre-roll         roll            after
-
-    SOA0            SOA1             SOA2            SOA3
-    RRSIG10(SOA0)   RRSIG10(SOA1)    RRSIG11(SOA2)   RRSIG11(SOA3)
-
-    DNSKEY1         DNSKEY1          DNSKEY1         DNSKEY1
-    DNSKEY10        DNSKEY10         DNSKEY10        DNSKEY11
-                    DNSKEY11         DNSKEY11
-    RRSIG1 (DNSKEY) RRSIG1 (DNSKEY)  RRSIG1(DNSKEY)  RRSIG1 (DNSKEY)
-    RRSIG10(DNSKEY) RRSIG10(DNSKEY)  RRSIG11(DNSKEY) RRSIG11(DNSKEY)
-
-
-   normal: Version 0 of the zone: DNSKEY 1 is the key-signing key.
-      DNSKEY 10 is used to sign all the data of the zone, the zone-
-      signing key.
-   pre-roll: DNSKEY 11 is introduced into the key set.  Note that no
-      signatures are generated with this key yet, but this does not
-      secure against brute force attacks on the public key.  The minimum
-      duration of this pre-roll phase is the time it takes for the data
-      to propagate to the authoritative servers plus TTL value of the
-      key set.  This equates to two times the Maximum Zone TTL.
-   roll: At the rollover stage (SOA serial 2) DNSKEY 11 is used to sign
-      the data in the zone exclusively  (i.e. all the signatures from
-      DNSKEY 10 are removed from the zone).  DNSKEY 10 remains published
-      in the key set.  This way data that was loaded into caches from
-      version 1 of the zone can still be verified with key sets fetched
-      from version 2 of the zone.
-      The minimum time that the key set including DNSKEY 10 is to be
-      published is the time that it takes for zone data from the
-      previous version of the zone to expire from old caches i.e. the
-      time it takes for this zone to propagate to all authoritative
-      servers plus the Maximum Zone TTL value of any of the data in the
-      previous version of the zone.
-   after: DNSKEY 10 is removed from the zone.  The key set, now only
-      containing DNSKEY 1 and DNSKEY 11 is resigned with the DNSKEY 1.
-
-   The above scheme can be simplified by always publishing the "future"
-   key immediately after the rollover.  The scheme would look as follows
-   (we show two rollovers); the future key is introduced in "after" as
-   DNSKEY 12 and again a newer one, numbered 13, in "2nd after":
-
-
-
-Kolkman & Gieben        Expires September 2, 2005              [Page 14]
-
-Internet-Draft        DNSSEC Operational Practices            March 2005
-
-
-       normal              roll                after
-
-       SOA0                SOA2                SOA3
-       RRSIG10(SOA0)       RRSIG11(SOA2)       RRSIG11(SOA3)
-
-       DNSKEY1             DNSKEY1             DNSKEY1
-       DNSKEY10            DNSKEY10            DNSKEY11
-       DNSKEY11            DNSKEY11            DNSKEY12
-       RRSIG1(DNSKEY)      RRSIG1 (DNSKEY)     RRSIG1(DNSKEY)
-       RRSIG10(DNSKEY)     RRSIG11(DNSKEY)     RRSIG11(DNSKEY)
-
-
-       2nd roll            2nd after
-
-       SOA4                SOA5
-       RRSIG12(SOA4)       RRSIG12(SOA5)
-
-       DNSKEY1             DNSKEY1
-       DNSKEY11            DNSKEY12
-       DNSKEY12            DNSKEY13
-       RRSIG1(DNSKEY)      RRSIG1(DNSKEY)
-       RRSIG12(DNSKEY)     RRSIG12(DNSKEY)
-
-
-   Note that the key introduced after the rollover is not used for
-   production yet; the private key can thus be stored in a physically
-   secure manner and does not need to be 'fetched' every time a zone
-   needs to be signed.
-
-4.2.1.2  Double Signature Zone-signing Key Rollover
-
-   This section shows how to perform a ZSK key rollover using the double
-   zone data signature scheme, aptly named "double sig rollover".
-
-   During the rollover stage the new version of the zone file will need
-   to propagate to all authoritative servers and the data that exists in
-   (distant) caches will need to expire, requiring at least the maximum
-   Zone TTL.
-
-
-
-
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben        Expires September 2, 2005              [Page 15]
-
-Internet-Draft        DNSSEC Operational Practices            March 2005
-
-
-       normal              roll               after
-
-       SOA0                SOA1               SOA2
-       RRSIG10(SOA0)       RRSIG10(SOA1)      RRSIG11(SOA2)
-                           RRSIG11(SOA1)
-
-       DNSKEY1             DNSKEY1            DNSKEY1
-       DNSKEY10            DNSKEY10           DNSKEY11
-                           DNSKEY11
-       RRSIG1(DNSKEY)      RRSIG1(DNSKEY)     RRSIG1(DNSKEY)
-       RRSIG10(DNSKEY)     RRSIG10(DNSKEY)    RRSIG11(DNSKEY)
-                           RRSIG11(DNSKEY)
-
-   normal: Version 0 of the zone: DNSKEY 1 is the key-signing key.
-      DNSKEY 10 is used to sign all the data of the zone, the zone-
-      signing key.
-   roll: At the rollover stage (SOA serial 1) DNSKEY 11 is introduced
-      into the key set and all the data in the zone is signed with
-      DNSKEY 10 and DNSKEY 11.  The rollover period will need to exist
-      until all data from version 0 of the zone has expired from remote
-      caches.  This will take at least the maximum Zone TTL of version 0
-      of the zone.
-   after: DNSKEY 10 is removed from the zone.  All the signatures from
-      DNSKEY 10 are removed from the zone.  The key set, now only
-      containing DNSKEY 11, is resigned with DNSKEY 1.
-
-   At every instance, RRSIGs from the previous version of the zone can
-   be verified with the DNSKEY RRset from the current version and the
-   other way around.  The data from the current version can be verified
-   with the data from the previous version of the zone.  The duration of
-   the rollover phase and the period between rollovers should be at
-   least the "Maximum Zone TTL".
-
-   Making sure that the rollover phase lasts until the signature
-   expiration time of the data in version 0 of the zone is recommended.
-   This way all caches are cleared of the old signatures.  However, this
-   date could be considerably longer than the Maximum Zone TTL, making
-   the rollover a lengthy procedure.
-
-   Note that in this example we assumed that the zone was not modified
-   during the rollover.  New data can be introduced in the zone as long
-   as it is signed with both keys.
-
-4.2.1.3  Pros and Cons of the Schemes
-
-
-
-
-
-
-
-Kolkman & Gieben        Expires September 2, 2005              [Page 16]
-
-Internet-Draft        DNSSEC Operational Practices            March 2005
-
-
-   Pre-publish-key set rollover: This rollover does not involve signing
-      the zone data twice.  Instead, before the actual rollover, the new
-      key is published in the key set and thus available for
-      cryptanalysis attacks.  A small disadvantage is that this process
-      requires four steps.  Also the pre-publish scheme involves more
-      parental work when used for KSK rollovers as explained in
-      Section 4.2.
-   Double signature rollover: The drawback of this signing scheme is
-      that during the rollover the number of signatures in your zone
-      doubles, this may be prohibitive if you have very big zones.  An
-      advantage is that it only requires three steps.
-
-4.2.2  Key-signing Key Rollovers
-
-   For the rollover of a key-signing key the same considerations as for
-   the rollover of a zone-signing key apply.  However we can use a
-   double signature scheme to guarantee that old data (only the apex key
-   set) in caches can be verified with a new key set and vice versa.
-
-   Since only the key set is signed with a KSK, zone size considerations
-   do not apply.
-
-
-       normal          roll            after
-
-       SOA0            SOA1            SOA2
-       RRSIG10(SOA0)   RRSIG10(SOA1)   RRSIG10(SOA2)
-
-       DNSKEY1         DNSKEY1         DNSKEY2
-                       DNSKEY2
-       DNSKEY10        DNSKEY10        DNSKEY10
-       RRSIG1 (DNSKEY) RRSIG1 (DNSKEY) RRSIG2(DNSKEY)
-                       RRSIG2 (DNSKEY)
-       RRSIG10(DNSKEY) RRSIG10(DNSKEY) RRSIG10(DNSKEY)
-
-   normal: Version 0 of the zone.  The parental DS points to DNSKEY1.
-      Before the rollover starts the child will have to verify what the
-      TTL is of the DS RR that points to DNSKEY1 - it is needed during
-      the rollover and we refer to the value as TTL_DS.
-   roll: During the rollover phase the zone administrator generates a
-      second KSK, DNSKEY2.  The key is provided to the parent and the
-      child will have to wait until a new DS RR has been generated that
-      points to DNSKEY2.  After that DS RR has been published on all
-      servers authoritative for the parent's zone, the zone
-      administrator has to wait at least TTL_DS to make sure that the
-      old DS RR has expired from caches.
-
-
-
-
-
-Kolkman & Gieben        Expires September 2, 2005              [Page 17]
-
-Internet-Draft        DNSSEC Operational Practices            March 2005
-
-
-   after: DNSKEY1 has been removed.
-
-   The scenario above puts the responsibility for maintaining a valid
-   chain of trust with the child.  It also is based on the premises that
-   the parent only has one DS RR (per algorithm) per zone.  An
-   alternative mechanism has been considered.  Using an established
-   trust relation, the interaction can be performed in-band, and the
-   removal of the keys by the child can possibly be signaled by the
-   parent.  In this mechanism there are periods where there are two DS
-   RRs at the parent.  Since at the moment of writing the protocol for
-   this interaction has not been developed further discussion is out of
-   scope for this document.
-
-4.2.3  Difference Between ZSK and KSK Rollovers
-
-   Note that KSK rollovers and ZSK rollovers are different.  A zone-key
-   rollover can be handled in two different ways: pre-publish (Section
-   Section 4.2.1.1) and double signature (Section Section 4.2.1.2).
-
-   As the KSK is used to validate the key set and because the KSK is not
-   changed during a ZSK rollover, a cache is able to validate the new
-   key set of the zone.  The pre-publish method would work for a KSK
-   rollover.  The record that are to be pre-published are the parental
-   DS RRs.
-
-   The pre-publish method has some drawbacks.  We first describe the
-   rollover scheme and then indicate these drawbacks.
-
-     normal          pre-roll         roll            after
-   Parent:
-     SOA0            SOA1             SOA2            SOA3
-     RRSIGpar(SOA0)  RRSIGpar(SOA1)   RRSIGpar(SOA2)  RRSIGpar(SOA3)
-     DS1             DS1              DS1             DS2
-                     DS2              DS2
-     RRSIGpar(DS)    RRSIGpar(DS)     RRSIGpar(DS)    RRSIGpar(DS)
-
-
-
-   Child:
-     SOA0            SOA0             SOA1            SOA1
-     RRSIG10(SOA0)   RRSIG10(SOA0)    RRSIG10(SOA1)   RRSIG10(SOA1)
-
-     DNSKEY1         DNSKEY1          DNSKEY2         DNSKEY2
-
-     DNSKEY10        DNSKEY10         DNSKEY10        DNSKEY10
-     RRSIG1 (DNSKEY) RRSIG1 (DNSKEY)  RRSIG2(DNSKEY)  RRSIG2 (DNSKEY)
-     RRSIG10(DNSKEY) RRSIG10(DNSKEY)  RRSIG10(DNSKEY) RRSIG10(DNSKEY)
-
-
-
-
-Kolkman & Gieben        Expires September 2, 2005              [Page 18]
-
-Internet-Draft        DNSSEC Operational Practices            March 2005
-
-
-   When the child zone wants to roll it notifies the parent during the
-   pre-roll phase and submits the new key to the parent.  The parent
-   publishes DS1 and DS2, pointing to DNSKEY1 and DNSKEY2 respectively.
-   During the rollover, which can take place as soon as the new DS set
-   propagated through the DNS, the child replaces DNSKEY1 with DNSKEY2.
-   Immediately after that it can notify the parent that the old DS
-   record can be deleted.
-
-   The drawbacks of these scheme are that during the pre-roll phase the
-   parent cannot verify the match between the DS RR and DNSKEY2 using
-   the DNS.  Besides, we introduce a "security lame" DS record
-   Section 4.4.3.  Finally the child-parent interaction consists of two
-   steps.  The "double signature" method only needs one interaction.
-
-4.2.4  Automated Key Rollovers
-
-   As keys must be renewed periodically, there is some motivation to
-   automate the rollover process.  Consider that:
-
-   o  ZSK rollovers are easy to automate as only the local zone is
-      involved.
-   o  A KSK rollover needs interaction between the parent and child.
-      Data exchange is needed to provide the new keys to the parent,
-      consequently, this data must be authenticated and integrity must
-      be guaranteed in order to avoid attacks on the rollover.
-   o  All time and TTL considerations presented in Section 4.2 apply to
-      an automated rollover.
-
-4.3  Planning for Emergency Key Rollover
-
-   This section deals with preparation for a possible key compromise.
-   Our advice is to have a documented procedure ready for when a key
-   compromise is suspected or confirmed.
-
-   When the private material of one of your keys is compromised it can
-   be used for as long as a valid authentication chain exists.  An
-   authentication chain remains intact for:
-   o  as long as a signature over the compromised key in the
-      authentication chain is valid,
-   o  as long as a parental DS RR (and signature) points to the
-      compromised key,
-   o  as long as the key is anchored in a resolver and is used as a
-      starting point for validation.  (This is generally the hardest to
-      update.)
-
-   While an authentication chain to your compromised key exists, your
-   name-space is vulnerable to abuse by anyone who has obtained
-   illegitimate possession of the key.Zone operators have to make a
-
-
-
-Kolkman & Gieben        Expires September 2, 2005              [Page 19]
-
-Internet-Draft        DNSSEC Operational Practices            March 2005
-
-
-   trade off if the abuse of the compromised key is worse than having
-   data in caches that cannot be validated.  If the zone operator
-   chooses to break the authentication chain to the compromised key,
-   data in caches signed with this key cannot be validated.  However, if
-   the zone administrator chooses to take the path of a regular roll-
-   over, the malicious key holder can spoof data so that it appears to
-   be valid.  Note that this kind of attack is more likely to occur in a
-   localized part of the network topology i.e. downstream from where the
-   spoof takes place.
-
-
-4.3.1  KSK Compromise
-
-   When the KSK has been compromised the parent must be notified as soon
-   as possible using secure means.  The key set of the zone should be
-   resigned as soon as possible.  Care must be taken to not break the
-   authentication chain.  The local zone can only be resigned with the
-   new KSK after the parent's zone has created and reloaded its zone
-   with the DS created from the new KSK.  Before this update takes place
-   it would be best to drop the security status of a zone all together:
-   the parent removes the DS of the child at the next zone update.
-   After that the child can be made secure again.
-
-   An additional danger of a key compromise is that the compromised key
-   can be used to facilitate a legitimate DNSKEY/DS and/or nameserver
-   rollover at the parent.  When that happens the domain can be in
-   dispute.  An authenticated out of band and secure notify mechanism to
-   contact a parent is needed in this case.
-
-4.3.2  ZSK Compromise
-
-   Primarily because there is no parental interaction required when a
-   ZSK is compromised, the situation is less severe than with with a KSK
-   compromise.  The zone must still be resigned with a new ZSK as soon
-   as possible.  As this is a local operation and requires no
-   communication between the parent and child this can be achieved
-   fairly quickly.  However, one has to take into account that just as
-   with a normal rollover the immediate disappearance from the old
-   compromised key may lead to verification problems.  The pre-
-   publication scheme as discussed above minimizes such problems.
-
-4.3.3  Compromises of Keys Anchored in Resolvers
-
-   A key can also be pre-configured in resolvers.  For instance, if
-   DNSSEC is successfully deployed the root key may be pre-configured in
-   most security aware resolvers.
-
-   If trust-anchor keys are compromised, the resolvers using these keys
-
-
-
-Kolkman & Gieben        Expires September 2, 2005              [Page 20]
-
-Internet-Draft        DNSSEC Operational Practices            March 2005
-
-
-   should be notified of this fact.  Zone administrators may consider
-   setting up a mailing list to communicate the fact that a SEP key is
-   about to be rolled over.  This communication will of course need to
-   be authenticated e.g. by using digital signatures.
-
-   End-users faced with the task of updating an anchored key should
-   always validate the new key.  New keys should be authenticated out of
-   the DNS, for example, looking them up on an SSL secured announcement
-   website.
-
-4.4  Parental Policies
-
-4.4.1  Initial Key Exchanges and Parental Policies Considerations
-
-   The initial key exchange is always subject to the policies set by the
-   parent (or its registry).  When designing a key exchange policy one
-   should take into account that the authentication and authorization
-   mechanisms used during a key exchange should be as strong as the
-   authentication and authorization mechanisms used for the exchange of
-   delegation information between parent and child.  I.e. there is no
-   implicit need in DNSSEC to make the authentication process stronger
-   than it was in DNS.
-
-   Using the DNS itself as the source for the actual DNSKEY material,
-   with an off-band check on the validity of the DNSKEY, has the benefit
-   that it reduces the chances of user error.  A parental DNSKEY
-   download tool can make use of the SEP bit [1] to select the proper
-   key from a DNSSEC key set; thereby reducing the chance that the wrong
-   DNSKEY is sent.  It can validate the self-signature over a key;
-   thereby verifying the ownership of the private key material.
-   Fetching the DNSKEY from the DNS ensures that the chain of trust
-   remains intact once the parent publishes the DS RR indicating the
-   child is secure.
-
-   Note: the off-band verification is still needed when the key-material
-   is fetched via the DNS.  The parent can never be sure whether the
-   DNSKEY RRs have been spoofed or not.
-
-4.4.2  Storing Keys or Hashes?
-
-   When designing a registry system one should consider which of the
-   DNSKEYs and/or the corresponding DSs to store.  Since a child zone
-   might wish to have a DS published using a message digest algorithm
-   not yet understood by the registry, the registry can't count on being
-   able to generate the DS record from a raw DNSKEY.  Thus, we recommend
-   that registry system at least support storing DS records.
-
-   It may also be useful to store DNSKEYs, since having them may help
-
-
-
-Kolkman & Gieben        Expires September 2, 2005              [Page 21]
-
-Internet-Draft        DNSSEC Operational Practices            March 2005
-
-
-   during troubleshooting and, so long as the child's chosen message
-   digest is supported, the overhead of generating DS records from them
-   is minimal.  Having an out-of-band mechanism, such as a Whois
-   database, to find out which keys are used to generate DS Resource
-   Records for specific owners and/or zones may also help with
-   troubleshooting.
-
-   The storage considerations also relate the design of the customer
-   interface and the method by which data is transfered between
-   registrant and registry; Will the child zone owner be able to upload
-   DS RRs with unknown hash algorithms or does the interface only allows
-   DNSKEYs?  In the registry-registrar model one can use the DNSSEC EPP
-   protocol extensions [9] which allows transfer of DS RRs and
-   optionally DNSKEY RRs.
-
-4.4.3  Security Lameness
-
-   Security Lameness is defined as what happens when a parent has a DS
-   RR pointing to a non-existing DNSKEY RR.  During key exchange a
-   parent should make sure that the child's key is actually configured
-   in the DNS before publishing a DS RR in its zone.  Failure to do so
-   could cause the child's zone being marked as Bogus.
-
-   Child zones should be very careful removing DNSKEY material,
-   specifically SEP keys, for which a DS RR exists.
-
-   Once a zone is "security lame", a fix (e.g. removing a DS RR) will
-   take time to propagate through the DNS.
-
-4.4.4  DS Signature Validity Period
-
-   Since the DS can be replayed as long as it has a valid signature, a
-   short signature validity period over the DS minimizes the time a
-   child is vulnerable in the case of a compromise of the child's
-   KSK(s).  A signature validity period that is too short introduces the
-   possibility that a zone is marked Bogus in case of a configuration
-   error in the signer.  There may not be enough time to fix the
-   problems before signatures expire.  Something as mundane as operator
-   unavailability during weekends shows the need for DS signature
-   validity periods longer than 2 days.  We recommend the minimum for a
-   DS signature validity period of a few days.
-
-   The maximum signature validity period of the DS record depends on how
-   long child zones are willing to be vulnerable after a key compromise.
-   Other considerations, such as how often the zone is (re)signed can
-   also be taken into account.
-
-   We consider a signature validity period of around one week to be a
-
-
-
-Kolkman & Gieben        Expires September 2, 2005              [Page 22]
-
-Internet-Draft        DNSSEC Operational Practices            March 2005
-
-
-   good compromise between the operational constraints of the parent and
-   minimizing damage for the child.
-
-   In addition to the signature validity period, which sets a lower
-   bound on the amount of times the zone owner will need to sign the
-   zone data and which sets an upper bound to the time a child is
-   vulnerable after key compromise,  there is the TTL value on the DS
-   RRs.  By lowering the TTL, the authoritative servers will see more
-   queries, on the other hand a low TTL increases the speed with which
-   new DS RRs propagate through the DNS.  As argued in Section 4.1.1,
-   the TTL should be a fraction of the signature validity period.
-
-5.  Security Considerations
-
-   DNSSEC adds data integrity to the DNS.  This document tries to assess
-   the operational considerations to maintain a stable and secure DNSSEC
-   service.  Not taking into account the 'data propagation' properties
-   in the DNS will cause validation failures and may make secured zones
-   unavailable to security aware resolvers.
-
-6.  Acknowledgments
-
-   Most of the ideas in this draft were the result of collective efforts
-   during workshops, discussions and try outs.
-
-   At the risk of forgetting individuals who were the original
-   contributors of the ideas we would like to acknowledge people who
-   were actively involved in the compilation of this document.  In
-   random order: Rip Loomis, Olafur Gudmundsson, Wesley Griffin, Michael
-   Richardson, Scott Rose, Rick van Rein, Tim McGinnis, Gilles Guette
-   Olivier Courtay, Sam Weiler, Jelte Jansen and Niall O'Reilly.
-
-   Some material in this document has been shamelessly copied from
-   RFC2541 [7] by Donald Eastlake.
-
-   Mike StJohns designed the key exchange between parent and child
-   mentioned in the last paragraph of Section 4.2.2
-
-   Section 4.2.4 was supplied by G. Guette and O. Courtay.
-
-   Emma Bretherick, Adrian Bedford and Lindy Foster corrected many of
-   the spelling and style issues.
-
-   Kolkman and Gieben take the blame for introducing all miscakes(SIC).
-
-7.  References
-
-
-
-
-
-Kolkman & Gieben        Expires September 2, 2005              [Page 23]
-
-Internet-Draft        DNSSEC Operational Practices            March 2005
-
-
-7.1  Normative References
-
-   [1]  Kolkman, O., Schlyter, J., and E. Lewis, "Domain Name System KEY
-        (DNSKEY) Resource Record (RR) Secure Entry Point (SEP) Flag",
-        RFC 3757, May 2004.
-
-   [2]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
-        "DNS Security Introduction and Requirements", RFC 4033,
-        March 2005.
-
-7.2  Informative References
-
-   [3]   Eastlake, D., Crocker, S., and J. Schiller, "Randomness
-         Recommendations for Security", RFC 1750, December 1994.
-
-   [4]   Bradner, S., "Key words for use in RFCs to Indicate Requirement
-         Levels", BCP 14, RFC 2119, March 1997.
-
-   [5]   Eastlake, D., "Secure Domain Name System Dynamic Update",
-         RFC 2137, April 1997.
-
-   [6]   Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)",
-         RFC 2308, March 1998.
-
-   [7]   Eastlake, D., "DNS Security Operational Considerations",
-         RFC 2541, March 1999.
-
-   [8]   Gudmundsson, O., "Delegation Signer (DS) Resource Record (RR)",
-         RFC 3658, December 2003.
-
-   [9]   Hollenbeck, S., "Domain Name System (DNS) Security Extensions
-         Mapping for the Extensible  Provisioning Protocol (EPP)",
-         draft-hollenbeck-epp-secdns-07 (work in progress), March 2005.
-
-   [10]  Lenstra, A. and E. Verheul, "Selecting Cryptographic Key
-         Sizes", The Journal of Cryptology 14 (255-293), 2001.
-
-   [11]  Schneier, B., "Applied Cryptography: Protocols, Algorithms, and
-         Source Code in C", 1996.
-
-
-
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben        Expires September 2, 2005              [Page 24]
-
-Internet-Draft        DNSSEC Operational Practices            March 2005
-
-
-Authors' Addresses
-
-   Olaf M. Kolkman
-   RIPE NCC
-   Singel 256
-   Amsterdam  1016 AB
-   The Netherlands
-
-   Phone: +31 20 535 4444
-   Email: olaf@ripe.net
-   URI:   http://www.ripe.net/
-
-
-   Miek Gieben
-   NLnet Labs
-   Kruislaan 419
-   Amsterdam  1098 VA
-   The Netherlands
-
-   Email: miek@nlnetlabs.nl
-   URI:   http://www.nlnetlabs.nl
-
-Appendix A.  Terminology
-
-   In this document there is some jargon used that is defined in other
-   documents.  In most cases we have not copied the text from the
-   documents defining the terms but given a more elaborate explanation
-   of the meaning.  Note that these explanations should not be seen as
-   authoritative.
-
-   Anchored Key: A DNSKEY configured in resolvers around the globe.
-      This key is hard to update, hence the term anchored.
-   Bogus: Also see Section 5 of [2].  An RRset in DNSSEC is marked
-      "Bogus" when a signature of a RRset does not validate against a
-      DNSKEY.
-   Key-Signing Key or KSK: A Key-Signing Key (KSK) is a key that is used
-      exclusively for signing the apex key set.  The fact that a key is
-      a KSK is only relevant to the signing tool.
-   Private and Public Keys: DNSSEC secures the DNS through the use of
-      public key cryptography.  Public key cryptography is based on the
-      existence of two keys, a public key and a private key.  The public
-      keys are published in the DNS by use of the DNSKEY Resource Record
-      (DNSKEY RR).  Private keys should remain private.
-   Key Rollover: A key rollover (also called key supercession in some
-      environments) is the act of replacing one key pair by another at
-      the end of a key effectivity period.
-
-
-
-
-
-Kolkman & Gieben        Expires September 2, 2005              [Page 25]
-
-Internet-Draft        DNSSEC Operational Practices            March 2005
-
-
-   Secure Entry Point key or SEP Key: A KSK that has a parental DS
-      record pointing to it.  Note: this is not enforced in the
-      protocol.  A SEP Key with no parental DS is security lame.
-   Singing the Zone File: The term used for the event where an
-      administrator joyfully signs its zone file while producing melodic
-      sound patterns.
-   Signer: The system that has access to the private key material and
-      signs the Resource Record sets in a zone.  A signer may be
-      configured to sign only parts of the zone e.g. only those RRsets
-      for which existing signatures are about to expire.
-   Zone-Signing Key or ZSK: A Zone Signing Key (ZSK) is a key that is
-      used for signing all data in a zone.  The fact that a key is a ZSK
-      is only relevant to the signing tool.
-   Zone Administrator: The 'role' that is responsible for signing a zone
-      and publishing it on the primary authoritative server.
-
-Appendix B.  Zone-signing Key Rollover Howto
-
-   Using the pre-published signature scheme and the most conservative
-   method to assure oneself that data does not live in caches here
-   follows the "HOWTO".
-   Step 0: The preparation: Create two keys and publish both in your key
-      set.  Mark one of the keys as "active" and the other as
-      "published".  Use the "active" key for signing your zone data.
-      Store the private part of the "published" key, preferably off-
-      line.
-      The protocol does not provide for attributes to mark a key as
-      active or published.  This is something you have to do on your
-      own, through the use of a notebook or key management tool.
-   Step 1: Determine expiration: At the beginning of the rollover make a
-      note of the highest expiration time of signatures in your zone
-      file created with the current key marked as "active".
-      Wait until the expiration time marked in Step 1 has passed
-   Step 2: Then start using the key that was marked as "published" to
-      sign your data i.e. mark it as "active".  Stop using the key that
-      was marked as "active", mark it as "rolled".
-   Step 3: It is safe to engage in a new rollover (Step 1) after at
-      least one "signature validity period".
-
-Appendix C.  Typographic Conventions
-
-   The following typographic conventions are used in this document:
-   Key notation: A key is denoted by KEYx, where x is a number, x could
-      be thought of as the key id.
-
-
-
-
-
-
-
-Kolkman & Gieben        Expires September 2, 2005              [Page 26]
-
-Internet-Draft        DNSSEC Operational Practices            March 2005
-
-
-   RRset notations: RRs are only denoted by the type.  All other
-      information - owner, class, rdata and TTL - is left out.  Thus:
-      "example.com 3600 IN A 192.168.1.1" is reduced to "A".  RRsets are
-      a list of RRs.  A example of this would be: "A1,A2", specifying
-      the RRset containing two "A" records.  This could again be
-      abbreviated to just "A".
-   Signature notation: Signatures are denoted as RRSIGx(RRset), which
-      means that RRset is signed with DNSKEYx.
-   Zone representation: Using the above notation we have simplified the
-      representation of a signed zone by leaving out all unnecessary
-      details such as the names and by representing all data by "SOAx"
-   SOA representation: SOA's are represented as SOAx, where x is the
-      serial number.
-   Using this notation the following zone:
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben        Expires September 2, 2005              [Page 27]
-
-Internet-Draft        DNSSEC Operational Practices            March 2005
-
-
-   example.net.     600     IN SOA  ns.example.net. bert.example.net. (
-                            10         ; serial
-                            450        ; refresh (7 minutes 30 seconds)
-                            600        ; retry (10 minutes)
-                            345600     ; expire (4 days)
-                            300        ; minimum (5 minutes)
-                             )
-                     600     RRSIG   SOA 5 2 600 20130522213204 (
-                                     20130422213204 14 example.net.
-                                     cmL62SI6iAX46xGNQAdQ... )
-                     600     NS      a.iana-servers.net.
-                     600     NS      b.iana-servers.net.
-                     600     RRSIG   NS 5 2 600 20130507213204 (
-                                     20130407213204 14 example.net.
-                                     SO5epiJei19AjXoUpFnQ ... )
-                     3600    DNSKEY  256 3 5 (
-                                     EtRB9MP5/AvOuVO0I8XDxy0...
-                                     ) ; key id = 14
-                     3600    DNSKEY  256 3 5 (
-                                     gsPW/Yy19GzYIY+Gnr8HABU...
-                                     ) ; key id = 15
-                     3600    RRSIG   DNSKEY 5 2 3600 20130522213204 (
-                                     20130422213204 14 example.net.
-                                     J4zCe8QX4tXVGjV4e1r9... )
-                     3600    RRSIG   DNSKEY 5 2 3600 20130522213204 (
-                                     20130422213204 15 example.net.
-                                     keVDCOpsSeDReyV6O... )
-                     600     RRSIG   NSEC 5 2 600 20130507213204 (
-                                     20130407213204 14 example.net.
-                                     obj3HEp1GjnmhRjX... )
-   a.example.net.    600     IN TXT  "A label"
-                     600     RRSIG   TXT 5 3 600 20130507213204 (
-                                     20130407213204 14 example.net.
-                                     IkDMlRdYLmXH7QJnuF3v... )
-                     600     NSEC    b.example.com. TXT RRSIG NSEC
-                     600     RRSIG   NSEC 5 3 600 20130507213204 (
-                                     20130407213204 14 example.net.
-                                     bZMjoZ3bHjnEz0nIsPMM... )
-
-                     ...
-
-
-   is reduced to the following representation:
-
-
-
-
-
-
-
-
-Kolkman & Gieben        Expires September 2, 2005              [Page 28]
-
-Internet-Draft        DNSSEC Operational Practices            March 2005
-
-
-       SOA10
-       RRSIG14(SOA10)
-
-       DNSKEY14
-       DNSKEY15
-
-       RRSIG14(KEY)
-       RRSIG15(KEY)
-
-   The rest of the zone data has the same signature as the SOA record,
-   i.e a RRSIG created with DNSKEY 14.
-
-Appendix D.  Document Details and Changes
-
-   This section is to be removed by the RFC editor if and when the
-   document is published.
-
-   $Id: draft-ietf-dnsop-dnssec-operational-practices.xml,v 1.31.2.14
-   2005/03/21 15:51:41 dnssec Exp $
-
-D.1  draft-ietf-dnsop-dnssec-operational-practices-00
-
-   Submission as working group document.  This document is a modified
-   and updated version of draft-kolkman-dnssec-operational-practices-00.
-
-D.2  draft-ietf-dnsop-dnssec-operational-practices-01
-
-   changed the definition of "Bogus" to reflect the one in the protocol
-   draft.
-
-   Bad to Bogus
-
-   Style and spelling corrections
-
-   KSK - SEP mapping made explicit.
-
-   Updates from Sam Weiler added
-
-D.3  draft-ietf-dnsop-dnssec-operational-practices-02
-
-   Style and errors corrected.
-
-   Added Automatic rollover requirements from I-D.ietf-dnsop-key-
-   rollover-requirements.
-
-D.4  draft-ietf-dnsop-dnssec-operational-practices-03
-
-   Added the definition of Key effectivity period and used that term
-
-
-
-Kolkman & Gieben        Expires September 2, 2005              [Page 29]
-
-Internet-Draft        DNSSEC Operational Practices            March 2005
-
-
-   instead of Key validity period.
-
-   Modified the order of the sections, based on a suggestion by Rip
-   Loomis.
-
-   Included parts from RFC2541 [7].  Most of its ground was already
-   covered.  This document obsoletes RFC2541 [7].  Section 3.1.2
-   deserves some review as it in contrast to RFC2541 does _not_ give
-   recomendations about root-zone keys.
-
-   added a paragraph to Section 4.4.4
-
-D.5  draft-ietf-dnsop-dnssec-operational-practices-04
-
-   Somewhat more details added about the pre-publish KSK rollover.  Also
-   moved that subsection down a bit.
-
-   Editorial and content nits that came in during wg last call were
-   fixed.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben        Expires September 2, 2005              [Page 30]
-
-Internet-Draft        DNSSEC Operational Practices            March 2005
-
-
-Intellectual Property Statement
-
-   The IETF takes no position regarding the validity or scope of any
-   Intellectual Property Rights or other rights that might be claimed to
-   pertain to the implementation or use of the technology described in
-   this document or the extent to which any license under such rights
-   might or might not be available; nor does it represent that it has
-   made any independent effort to identify any such rights.  Information
-   on the procedures with respect to rights in RFC documents can be
-   found in BCP 78 and BCP 79.
-
-   Copies of IPR disclosures made to the IETF Secretariat and any
-   assurances of licenses to be made available, or the result of an
-   attempt made to obtain a general license or permission for the use of
-   such proprietary rights by implementers or users of this
-   specification can be obtained from the IETF on-line IPR repository at
-   http://www.ietf.org/ipr.
-
-   The IETF invites any interested party to bring to its attention any
-   copyrights, patents or patent applications, or other proprietary
-   rights that may cover technology that may be required to implement
-   this standard.  Please address the information to the IETF at
-   ietf-ipr@ietf.org.
-
-
-Disclaimer of Validity
-
-   This document and the information contained herein are provided on an
-   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
-   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
-   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
-   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
-   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Copyright Statement
-
-   Copyright (C) The Internet Society (2005).  This document is subject
-   to the rights, licenses and restrictions contained in BCP 78, and
-   except as set forth therein, the authors retain all their rights.
-
-
-Acknowledgment
-
-   Funding for the RFC Editor function is currently provided by the
-   Internet Society.
-
-
-
-
-Kolkman & Gieben        Expires September 2, 2005              [Page 31]
-
diff --git a/doc/draft/draft-ietf-dnsop-inaddr-required-07.txt b/doc/draft/draft-ietf-dnsop-inaddr-required-07.txt
deleted file mode 100644
index bcd0d14e..00000000
--- a/doc/draft/draft-ietf-dnsop-inaddr-required-07.txt
+++ /dev/null
@@ -1,396 +0,0 @@
-
-
-
-
-
-
-INTERNET-DRAFT                                                  D. Senie
-Category: BCP                                     Amaranth Networks Inc.
-Expires in six months                                          July 2005
-
-               Encouraging the use of DNS IN-ADDR Mapping
-		    draft-ietf-dnsop-inaddr-required-07.txt 
-
-Status of this Memo
-
-   By submitting this Internet-Draft, each author represents that any
-   applicable patent or other IPR claims of which he or she is aware
-   have been or will be disclosed, and any of which he or she becomes
-   aware will be disclosed, in accordance with Section 6 of BCP 79.
-
-   Internet-Drafts are working documents of the Internet Engineering
-   Task Force (IETF), its areas, and its working groups.  Note that
-   other groups may also distribute working documents as Internet-
-   Drafts.
-
-   Internet-Drafts are draft documents valid for a maximum of six months
-   and may be updated, replaced, or obsoleted by other documents at any
-   time.  It is inappropriate to use Internet-Drafts as reference
-   material or to cite them other than as "work in progress."
-
-   The list of current Internet-Drafts can be accessed at
-   http://www.ietf.org/ietf/1id-abstracts.txt
-
-   The list of Internet-Draft Shadow Directories can be accessed at
-   http://www.ietf.org/shadow.html
-
-Abstract
-
-   Mapping of addresses to names has been a feature of DNS.  Many sites,
-   implement it, many others don't.  Some applications attempt to use it
-   as a part of a security strategy. The goal of this document is to
-   encourage proper deployment of address to name mappings, and provide
-   guidance for their use.
-
-Copyright Notice
-
-   Copyright (C) The Internet Society. (2005)
-
-1. Introduction
-
-   The Domain Name Service has provision for providing mapping of IP
-   addresses to host names. It is common practice to ensure both name to
-   address, and address to name mappings are provided for networks. This
-   practice, while documented, has never been required, though it is
-   generally encouraged.  This document both encourages the presence of
-
-
-
-Senie                                                           [Page 1]
-
-Internet-Draft Encouraging the use of DNS IN-ADDR Mapping      July 2005
-
-
-   these mappings and discourages reliance on such mappings for security
-   checks.
-
-   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
-   "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and "OPTIONAL" in this
-   document are to be interpreted as described in RFC 2119 [RFC2119].
-
-2. Discussion
-
-
-   From the early days of the Domain Name Service [RFC883] a special
-   domain has been set aside for resolving mappings of IP addresses to
-   domain names.  This was refined in [RFC1035], describing the .IN-
-   ADDR.ARPA in use today.  For the in the IPv6 address space, .IP6.ARPA
-   was added [RFC3152]. This document uses IPv4 CIDR block sizes and
-   allocation strategy where there are differences and uses IPv4
-   terminology.  Aside from these differences, this document can and
-   should be applied to both address spaces.
-
-   The assignment of blocks of IP address space was delegated to three
-   regional registries. Guidelines for the registries are specified in
-   [RFC2050], which requires regional registries to maintain IN-ADDR
-   records on the large blocks of space issued to ISPs and others.
-
-   ARIN's policy requires ISPs to maintain IN-ADDR for /16 or larger
-   allocations. For smaller allocations, ARIN can provide IN-ADDR for
-   /24 and shorter prefixes. [ARIN].  APNIC provides methods for ISPs to
-   update IN-ADDR, however the present version of its policy document
-   for IPv4 [APNIC] dropped the IN-ADDR requirements that were in draft
-   copies of this document. As of this writing, it appears APNIC has no
-   actual policy on IN-ADDR.  RIPE appears to have the strongest policy
-   in this area [RIPE302] indicating Local Internet Registries should
-   provide IN-ADDR services, and delegate those as appropriate when
-   address blocks are delegated.
-
-   As we can see, the regional registries have their own policies for
-   recommendations and/or requirements for IN-ADDR maintenance. It
-   should be noted, however, that many address blocks were allocated
-   before the creation of the regional registries, and thus it is
-   unclear whether any of the policies of the registries are binding on
-   those who hold blocks from that era.
-
-   Registries allocate address blocks on CIDR [RFC1519] boundaries.
-   Unfortunately the IN-ADDR zones are based on classful allocations.
-   Guidelines [RFC2317] for delegating on non-octet-aligned boundaries
-   exist, but are not always implemented.
-
-3. Examples of impact of missing IN-ADDR
-
-
-
-Senie                                                           [Page 2]
-
-Internet-Draft Encouraging the use of DNS IN-ADDR Mapping      July 2005
-
-
-   These are some examples of problems that may be introduced by
-   reliance on IN-ADDR.
-
-   Some applications use DNS lookups for security checks. To ensure
-   validity of claimed names, some applications will look up IN-ADDR
-   records to get names, and then look up the resultant name to see if
-   it maps back to the address originally known. Failure to resolve
-   matching names is seen as a potential security concern.
-
-   Some FTP sites will flat-out reject users, even for anonymous FTP, if
-   the IN-ADDR lookup fails or if the result of the IN-ADDR lookup when
-   itself resolved, does not match. Some Telnet servers also implement
-   this check.
-
-   Web sites are in some cases using IN-ADDR checks to verify whether
-   the client is located within a certain geopolitical entity. This
-   approach has been employed for downloads of crypto software, for
-   example, where export of that software is prohibited to some locales.
-   Credit card anti-fraud systems also use these methods for geographic
-   placement purposes.
-
-   The popular TCP Wrappers program found on most Unix and Linux systems
-   has options to enforce IN-ADDR checks and to reject any client that
-   does not resolve. This program also has a way to check to see that
-   the name given by a PTR record then resolves back to the same IP
-   address. This method provdes more comfort but no appreciable
-   additional security.
-
-   Some anti-spam (anti junk email) systems use IN-ADDR to verify the
-   presence of a PTR record, or validate the PTR value points back to
-   the same address.
-
-   Many web servers look up the IN-ADDR of visitors to be used in log
-   analysis.  This adds to the server load, but in the case of IN-ADDR
-   unavailability, it can lead to delayed responses for users.
-
-   Traceroutes with descriptive IN-ADDR naming proves useful when
-   debugging problems spanning large areas. When this information is
-   missing, the traceroutes take longer, and it takes additional steps
-   to determine that network is the cause of problems.
-
-   Wider-scale implementation of IN-ADDR on dialup, wireless access and
-   other such client-oriented portions of the Internet would result in
-   lower latency for queries (due to lack of negative caching), and
-   lower name server load and DNS traffic.
-
-4. Recommendations
-
-
-
-
-Senie                                                           [Page 3]
-
-Internet-Draft Encouraging the use of DNS IN-ADDR Mapping      July 2005
-
-
-   4.1 Delegation Recommendations
-
-
-   Regional Registries and any Local Registries to whom they delegate
-   should establish and convey a policy to those to whom they delegate
-   blocks that IN-ADDR mappings are recommended.  Policies should
-   recommend those receiving delegations to provide IN-ADDR service
-   and/or delegate to downstream customers.
-
-   Network operators should define and implement policies and procedures
-   which delegate IN-ADDR to their clients who wish to run their own IN-
-   ADDR DNS services, and provide IN-ADDR services for those who do not
-   have the resources to do it themselves.  Delegation mechanisms should
-   permit the downstream customer to implement and comply with IETF
-   recommendations application of IN-ADDR to CIDR [RFC2317].
-
-   All IP address space assigned and in use should be resolved by IN-
-   ADDR records. All PTR records must use canonical names.
-
-   All IP addresses in use within a block should have an IN-ADDR
-   mapping. Those addresses not in use, and those that are not valid for
-   use (zeros or ones broadcast addresses within a CIDR block) need not
-   have mappings.
-
-   It should be noted that due to CIDR, many addresses that appear to be
-   otherwise valid host addresses may actually be zeroes or ones
-   broadcast addresses. As such, attempting to audit a site's degree of
-   compliance may only be done with knowledge of the internal subnet
-   architecture of the site.  It can be assumed, however, any host that
-   originates an IP packet necessarily will have a valid host address,
-   and must therefore have an IN-ADDR mapping.
-
-4.2 Application Recommendations
-
-
-   Applications SHOULD NOT rely on IN-ADDR for proper operation. The use
-   of IN-ADDR, sometimes in conjunction with a lookup of the name
-   resulting from the PTR record provides no real security, can lead to
-   erroneous results and generally just increases load on DNS servers.
-   Further, in cases where address block holders fail to properly
-   configure IN-ADDR, users of those blocks are penalized.
-
-5. Security Considerations
-
-   This document has no negative impact on security. While it could be
-   argued that lack of PTR record capabilities provides a degree of
-   anonymity, this is really not valid. Trace routes, whois lookups and
-   other sources will still provide methods for discovering identity.
-
-
-
-Senie                                                           [Page 4]
-
-Internet-Draft Encouraging the use of DNS IN-ADDR Mapping      July 2005
-
-
-   By recommending applications avoid using IN-ADDR as a security
-   mechanism this document points out that this practice, despite its
-   use by many applications, is an ineffective form of security.
-   Applications should use better mechanisms of authentication.
-
-6. IANA Considerations
-
-   There are no IANA considerations for this document.
-
-7. References
-
-7.1 Normative References
-
-   [RFC883] P.V. Mockapetris, "Domain names: Implementation
-   specification," RFC883, November 1983.
-
-   [RFC1035] P.V. Mockapetris, "Domain Names: Implementation
-   Specification," RFC 1035, November 1987.
-
-   [RFC1519] V. Fuller, et. al., "Classless Inter-Domain Routing (CIDR):
-   an Address Assignment and Aggregation Strategy," RFC 1519, September
-   1993.
-
-   [RFC2026] S. Bradner, "The Internet Standards Process -- Revision 3",
-   RFC 2026, BCP 9, October 1996.
-
-   [RFC2119] S. Bradner, "Key words for use in RFCs to Indicate
-   Requirement Levels", RFC 2119, BCP 14, March 1997.
-
-   [RFC2050] K. Hubbard, et. al., "Internet Registry IP Allocation
-   Guidelines", RFC2050, BCP 12, Novebmer 1996.
-
-   [RFC2317] H. Eidnes, et. al., "Classless IN-ADDR.ARPA delegation,"
-   RFC 2317, March 1998.
-
-   [RFC3152] R. Bush, "Delegation of IP6.ARPA," RFC 3152, BCP 49, August
-   2001.
-
-7.2 Informative References
-
-   [ARIN] "ISP Guidelines for Requesting Initial IP Address Space," date
-   unknown, http://www.arin.net/regserv/initial-isp.html
-
-   [APNIC] "Policies For IPv4 Address Space Management in the Asia
-   Pacific Region," APNIC-086, 13 January 2003.
-
-   [RIPE302] "Policy for Reverse Address Delegation of IPv4 and IPv6
-   Address Space in the RIPE NCC Service Region", RIPE-302, April 26,
-
-
-
-Senie                                                           [Page 5]
-
-Internet-Draft Encouraging the use of DNS IN-ADDR Mapping      July 2005
-
-
-   2004. http://www.ripe.net//ripe/docs/rev-del.html
-
-
-
-8. Acknowledgements
-
-   Thanks to Peter Koch and Gary Miller for their input, and to many
-   people who encouraged me to write this document.
-
-9. Author's Address
-
-   Daniel Senie
-   Amaranth Networks Inc.
-   324 Still River Road
-   Bolton, MA 01740
-
-   Phone: (978) 779-5100
-
-   EMail: dts@senie.com
-
-10.  Full Copyright Statement
-
-      Copyright (C) The Internet Society (2005).
-
-      This document is subject to the rights, licenses and restrictions
-      contained in BCP 78, and except as set forth therein, the authors
-      retain all their rights.
-
-      This document and the information contained herein are provided
-      on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
-      REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND
-      THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES,
-      EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT
-      THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR
-      ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A
-      PARTICULAR PURPOSE.
-
-Intellectual Property
-
-      The IETF takes no position regarding the validity or scope of any
-      Intellectual Property Rights or other rights that might be claimed
-      to pertain to the implementation or use of the technology
-      described in this document or the extent to which any license
-      under such rights might or might not be available; nor does it
-      represent that it has made any independent effort to identify any
-      such rights.  Information on the procedures with respect to
-      rights in RFC documents can be found in BCP 78 and BCP 79.
-
-
-
-
-Senie                                                           [Page 6]
-
-Internet-Draft Encouraging the use of DNS IN-ADDR Mapping      July 2005
-
-
-      Copies of IPR disclosures made to the IETF Secretariat and any
-      assurances of licenses to be made available, or the result of an
-      attempt made to obtain a general license or permission for the use
-      of such proprietary rights by implementers or users of this
-      specification can be obtained from the IETF on-line IPR repository
-      at http://www.ietf.org/ipr.
-
-      The IETF invites any interested party to bring to its attention
-      any copyrights, patents or patent applications, or other
-      proprietary rights that may cover technology that may be required
-      to implement this standard.  Please address the information to the
-      IETF at ietf-ipr@ietf.org.
-
-      Internet-Drafts are working documents of the
-      Internet Engineering Task Force (IETF), its areas, and its
-      working groups. Note that other groups may also distribute
-      working documents as Internet-Drafts.
-
-      Internet-Drafts are draft documents valid for a maximum of
-      six months and may be updated, replaced, or obsoleted by
-      other documents at any time. It is inappropriate to use
-      Internet-Drafts as reference material or to cite them other
-      than as "work in progress."
-
-      The list of current Internet-Drafts can be accessed at
-      http://www.ietf.org/1id-abstracts.html
-
-      The list of Internet-Draft Shadow Directories can be
-      accessed at http://www.ietf.org/shadow.html
-
-Acknowledgement
-
-      Funding for the RFC Editor function is currently provided by the
-      Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Senie                                                           [Page 7]
-
diff --git a/doc/draft/draft-ietf-dnsop-ipv6-dns-configuration-06.txt b/doc/draft/draft-ietf-dnsop-ipv6-dns-configuration-06.txt
deleted file mode 100644
index bf2afcdf..00000000
--- a/doc/draft/draft-ietf-dnsop-ipv6-dns-configuration-06.txt
+++ /dev/null
@@ -1,1848 +0,0 @@
-
-
-
-DNS Operations WG                                          J. Jeong, Ed.
-Internet-Draft                              ETRI/University of Minnesota
-Expires: November 6, 2005                                    May 5, 2005
-
-
-      IPv6 Host Configuration of DNS Server Information Approaches
-             draft-ietf-dnsop-ipv6-dns-configuration-06.txt
-
-Status of this Memo
-
-   This document is an Internet-Draft and is subject to all provisions
-   of Section 3 of RFC 3667.  By submitting this Internet-Draft, each
-   author represents that any applicable patent or other IPR claims of
-   which he or she is aware have been or will be disclosed, and any of
-   which he or she become aware will be disclosed, in accordance with
-   RFC 3668.
-
-   Internet-Drafts are working documents of the Internet Engineering
-   Task Force (IETF), its areas, and its working groups.  Note that
-   other groups may also distribute working documents as Internet-
-   Drafts.
-
-   Internet-Drafts are draft documents valid for a maximum of six months
-   and may be updated, replaced, or obsoleted by other documents at any
-   time.  It is inappropriate to use Internet-Drafts as reference
-   material or to cite them other than as "work in progress."
-
-   The list of current Internet-Drafts can be accessed at
-   http://www.ietf.org/ietf/1id-abstracts.txt.
-
-   The list of Internet-Draft Shadow Directories can be accessed at
-   http://www.ietf.org/shadow.html.
-
-   This Internet-Draft will expire on November 6, 2005.
-
-Copyright Notice
-
-   Copyright (C) The Internet Society (2005).
-
-Abstract
-
-   This document describes three approaches for IPv6 recursive DNS
-   server address configuration.  It details the operational attributes
-   of three solutions: RA option, DHCPv6 option, and Well-known anycast
-   addresses for recursive DNS servers.  Additionally, it suggests the
-   deployment scenarios in four kinds of networks, such as ISP,
-   Enterprise, 3GPP, and Unmanaged networks, considering multi-solution
-   resolution.  Therefore, this document will give the audience a
-
-
-
-Jeong                   Expires November 6, 2005                [Page 1]
-
-Internet-Draft    IPv6 Host Configuration of DNS Server         May 2005
-
-
-   guideline for IPv6 host DNS configuration.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Jeong                   Expires November 6, 2005                [Page 2]
-
-Internet-Draft    IPv6 Host Configuration of DNS Server         May 2005
-
-
-Table of Contents
-
-   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  5
-   2.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . .  6
-   3.  IPv6 DNS Configuration Approaches  . . . . . . . . . . . . . .  7
-     3.1   RA Option  . . . . . . . . . . . . . . . . . . . . . . . .  7
-       3.1.1   Advantages . . . . . . . . . . . . . . . . . . . . . .  8
-       3.1.2   Disadvantages  . . . . . . . . . . . . . . . . . . . .  8
-       3.1.3   Observations . . . . . . . . . . . . . . . . . . . . .  9
-     3.2   DHCPv6 Option  . . . . . . . . . . . . . . . . . . . . . .  9
-       3.2.1   Advantages . . . . . . . . . . . . . . . . . . . . . . 11
-       3.2.2   Disadvantages  . . . . . . . . . . . . . . . . . . . . 12
-       3.2.3   Observations . . . . . . . . . . . . . . . . . . . . . 12
-     3.3   Well-known Anycast Addresses . . . . . . . . . . . . . . . 12
-       3.3.1   Advantages . . . . . . . . . . . . . . . . . . . . . . 13
-       3.3.2   Disadvantages  . . . . . . . . . . . . . . . . . . . . 14
-       3.3.3   Observations . . . . . . . . . . . . . . . . . . . . . 14
-   4.  Interworking among IPv6 DNS Configuration Approaches . . . . . 15
-   5.  Deployment Scenarios . . . . . . . . . . . . . . . . . . . . . 16
-     5.1   ISP Network  . . . . . . . . . . . . . . . . . . . . . . . 16
-       5.1.1   RA Option Approach . . . . . . . . . . . . . . . . . . 16
-       5.1.2   DHCPv6 Option Approach . . . . . . . . . . . . . . . . 17
-       5.1.3   Well-known Anycast Addresses Approach  . . . . . . . . 17
-     5.2   Enterprise Network . . . . . . . . . . . . . . . . . . . . 17
-     5.3   3GPP Network . . . . . . . . . . . . . . . . . . . . . . . 18
-       5.3.1   Currently Available Mechanisms and Recommendations . . 19
-       5.3.2   RA Extension . . . . . . . . . . . . . . . . . . . . . 19
-       5.3.3   Stateless DHCPv6 . . . . . . . . . . . . . . . . . . . 20
-       5.3.4   Well-known Addresses . . . . . . . . . . . . . . . . . 21
-       5.3.5   Recommendations  . . . . . . . . . . . . . . . . . . . 21
-     5.4   Unmanaged Network  . . . . . . . . . . . . . . . . . . . . 22
-       5.4.1   Case A: Gateway does not provide IPv6 at all . . . . . 22
-       5.4.2   Case B: A dual-stack gateway connected to a
-               dual-stack ISP . . . . . . . . . . . . . . . . . . . . 22
-       5.4.3   Case C: A dual-stack gateway connected to an
-               IPv4-only ISP  . . . . . . . . . . . . . . . . . . . . 22
-       5.4.4   Case D: A gateway connected to an IPv6-only ISP  . . . 23
-   6.  Security Considerations  . . . . . . . . . . . . . . . . . . . 24
-     6.1   RA Option  . . . . . . . . . . . . . . . . . . . . . . . . 25
-     6.2   DHCPv6 Option  . . . . . . . . . . . . . . . . . . . . . . 25
-     6.3   Well-known Anycast Addresses . . . . . . . . . . . . . . . 25
-   7.  Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 26
-   8.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 28
-   9.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 29
-     9.1   Normative References . . . . . . . . . . . . . . . . . . . 29
-     9.2   Informative References . . . . . . . . . . . . . . . . . . 29
-       Author's Address . . . . . . . . . . . . . . . . . . . . . . . 31
-   A.  Link-layer Multicast Acknowledgements for RA Option  . . . . . 32
-
-
-
-Jeong                   Expires November 6, 2005                [Page 3]
-
-Internet-Draft    IPv6 Host Configuration of DNS Server         May 2005
-
-
-       Intellectual Property and Copyright Statements . . . . . . . . 33
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Jeong                   Expires November 6, 2005                [Page 4]
-
-Internet-Draft    IPv6 Host Configuration of DNS Server         May 2005
-
-
-1.  Introduction
-
-   Neighbor Discovery (ND) for IP Version 6 and IPv6 Stateless Address
-   Autoconfiguration provide the ways to configure either fixed or
-   mobile nodes with one or more IPv6 addresses, default routes and some
-   other parameters [3][4].  To support the access to additional
-   services in the Internet that are identified by a DNS name, such as a
-   web server, the configuration of at least one recursive DNS server is
-   also needed for DNS name resolution.
-
-   This document describes three approaches of recursive DNS server
-   address configuration for IPv6 host: (a) RA option [8], (b) DHCPv6
-   option [5]-[7], and (c) Well-known anycast addresses for recursive
-   DNS servers [9].  Also, it suggests the applicable scenarios for four
-   kinds of networks: (a) ISP network, (b) Enterprise network, (c) 3GPP
-   network, and (d) Unmanaged network.
-
-   This document is just an analysis of each possible approach, and does
-   not make any recommendation on a particular one or on a combination
-   of particular ones.  Some approaches may even not be adopted at all
-   as a result of further discussion.
-
-   Therefore, the objective of this document is to help the audience
-   select the approaches suitable for IPv6 host configuration of
-   recursive DNS servers.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Jeong                   Expires November 6, 2005                [Page 5]
-
-Internet-Draft    IPv6 Host Configuration of DNS Server         May 2005
-
-
-2.  Terminology
-
-   This document uses the terminology described in [3]-[9].  In
-   addition, a new term is defined below:
-
-   o  Recursive DNS Server (RDNSS): A Recursive DNS Server is a name
-      server that offers the recursive service of DNS name resolution.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Jeong                   Expires November 6, 2005                [Page 6]
-
-Internet-Draft    IPv6 Host Configuration of DNS Server         May 2005
-
-
-3.  IPv6 DNS Configuration Approaches
-
-   In this section, the operational attributes of the three solutions
-   are described in detail.
-
-3.1  RA Option
-
-   The RA approach is to define a new ND option called the RDNSS option
-   that contains a recursive DNS server address.  Existing ND transport
-   mechanisms (i.e., advertisements and solicitations) are used.  This
-   works in the same way that nodes learn about routers and prefixes.
-   An IPv6 host can configure the IPv6 addresses of one or more RDNSSes
-   via RA message periodically sent by a router or solicited by a Router
-   Solicitation (RS) [8].
-
-   This approach needs RDNSS information to be configured in the routers
-   doing the advertisements.  The configuration of RDNSS addresses can
-   be performed manually by an operator or other ways, such as automatic
-   configuration through a DHCPv6 client running on the router.  When
-   advertising more than one RDNSS option, an RA message includes as
-   many RDNSS options as RDNSSes.
-
-   Through the ND protocol and RDNSS option along with a prefix
-   information option, an IPv6 host can perform its network
-   configuration of its IPv6 address and RDNSS simultaneously [3][4].
-   The RA option for RDNSS can be used on any network that supports the
-   use of ND.
-
-   However, it is worth noting that some link layers, such as Wireless
-   LANs (e.g., IEEE 802.11 a/b/g), do not support reliable multicast,
-   which means that they cannot guarantee the timely delivery of RA
-   messages [25]-[28].  This is discussed in Appendix A.
-
-   The RA approach is useful in some mobile environments where the
-   addresses of the RDNSSes are changing because the RA option includes
-   a lifetime field that allows client to use RDNSSes nearer to the
-   client.  This can be configured to a value that will require the
-   client to time out the entry and switch over to another RDNSS address
-   [8].  However, from the viewpoint of implementation, the lifetime
-   field would seem to make matters a bit more complex.  Instead of just
-   writing to a DNS configuration file, such as resolv.conf for the list
-   of RDNSS addresses, we have to have a daemon around (or a program
-   that is called at the defined intervals) that keeps monitoring the
-   lifetime of RDNSSes all the time.
-
-   The preference value of RDNSS, included in the RDNSS option, allows
-   IPv6 hosts to select primary RDNSS among several RDNSSes; this can be
-   used for the load balancing of RDNSSes [8].
-
-
-
-Jeong                   Expires November 6, 2005                [Page 7]
-
-Internet-Draft    IPv6 Host Configuration of DNS Server         May 2005
-
-
-3.1.1  Advantages
-
-   The RA option for RDNSS has a number of advantages.  These include:
-
-   1.  The RA option is an extension of existing ND/Autoconfig
-       mechanisms [3][4], and does not require a change in the base ND
-       protocol.
-
-   2.  This approach, like ND, works well on a variety of link types
-       including point-to-point links, point-to-multipoint, and
-       multipoint-to-multipoint (i.e., Ethernet LANs), etc.  RFC 2461
-       [3] states, however, that there may be some link types on which
-       ND is not feasible; on such links, some other mechanisms will be
-       needed for DNS configuration.
-
-   3.  All of the information a host needs to run the basic Internet
-       applications such as the email, web, ftp, etc., can be obtained
-       with the addition of this option to ND and address
-       autoconfiguration.  The use of a single mechanism is more
-       reliable and easier to provide than when the RDNSS information is
-       learned via another protocol mechanism.  Debugging problems when
-       multiple protocol mechanisms are being used is harder and much
-       more complex.
-
-   4.  This mechanism works over a broad range of scenarios and
-       leverages IPv6 ND.  This works well on links that support
-       broadcast reliably (e.g., Ethernet LANs) but not necessarily on
-       other links (e.g., Wireless LANs): Refer to Appendix A.  Also,
-       this works well on links that are high performance (e.g.,
-       Ethernet LANs) and low performance (e.g., Cellular networks).  In
-       the latter case, by combining the RDNSS information with the
-       other information in the RA, the host can learn all of the
-       information needed to use most Internet applications, such as the
-       web in a single packet.  This not only saves bandwidth where this
-       is an issue, but also minimizes the delay needed to learn the
-       RDNSS information.
-
-   5.  The RA approach could be used as a model for other similar types
-       of configuration information.  New RA options for other server
-       addresses, such as NTP server address, that are common to all
-       clients on a subnet would be easy to define.
-
-
-3.1.2  Disadvantages
-
-   1.  ND is mostly implemented in the kernel of operating system.
-       Therefore, if ND supports the configuration of some additional
-       services, such as DNS servers, ND should be extended in the
-
-
-
-Jeong                   Expires November 6, 2005                [Page 8]
-
-Internet-Draft    IPv6 Host Configuration of DNS Server         May 2005
-
-
-       kernel, and complemented by a user-land process.  DHCPv6,
-       however, has more flexibility for the extension of service
-       discovery because it is an application layer protocol.
-
-   2.  The current ND framework should be modified to facilitate the
-       synchronization between another ND cache for RDNSSes in the
-       kernel space and the DNS configuration file in the user space.
-       Because it is unacceptable to write and rewrite to the DNS
-       configuration file (e.g., resolv.conf) from the kernel, another
-       approach is needed.  One simple approach to solve this is to have
-       a daemon listening to what the kernel conveys, and to have the
-       daemon do these steps, but such a daemon is not needed with the
-       current ND framework.
-
-   3.  It is necessary to configure RDNSS addresses at least at one
-       router on every link where this information needs to be
-       configured via the RA option.
-
-
-3.1.3  Observations
-
-   The proposed RDNSS RA option along with the IPv6 ND and
-   Autoconfiguration allows a host to obtain all of the information it
-   needs to access the basic Internet services like the web, email, ftp,
-   etc.  This is preferable in the environments where hosts use RAs to
-   autoconfigure their addresses and all the hosts on the subnet share
-   the same router and server addresses.  If the configuration
-   information can be obtained from a single mechanism, it is preferable
-   because it does not add additional delay, and it uses a minimum of
-   bandwidth.  The environments like this include the homes, public
-   cellular networks, and enterprise environments where no per host
-   configuration is needed, but exclude public WLAN hot spots.
-
-   DHCPv6 is preferable where it is being used for address configuration
-   and if there is a need for host specific configuration [5]-[7].  The
-   environments like this are most likely to be the enterprise
-   environments where the local administration chooses to have per host
-   configuration control.
-
-Note
-
-   The observation section is based on what the proponents of each
-   approach think makes a good overall solution.
-
-3.2  DHCPv6 Option
-
-   DHCPv6 [5] includes the "DNS Recursive Name Server" option, through
-   which a host can obtain a list of IP addresses of recursive DNS
-
-
-
-Jeong                   Expires November 6, 2005                [Page 9]
-
-Internet-Draft    IPv6 Host Configuration of DNS Server         May 2005
-
-
-   servers [7].  The DNS Recursive Name Server option carries a list of
-   IPv6 addresses of RDNSSes to which the host may send DNS queries.
-   The DNS servers are listed in the order of preference for use by the
-   DNS resolver on the host.
-
-   The DNS Recursive Name Server option can be carried in any DHCPv6
-   Reply message, in response to either a Request or an Information
-   request message.  Thus, the DNS Recursive Name Server option can be
-   used either when DHCPv6 is used for address assignment, or when
-   DHCPv6 is used only for other configuration information as stateless
-   DHCPv6 [6].
-
-   Stateless DHCPv6 can be deployed either using DHCPv6 servers running
-   on general-purpose computers, or on router hardware.  Several router
-   vendors currently implement stateless DHCPv6 servers.  Deploying
-   stateless DHCPv6 in routers has the advantage that no special
-   hardware is required, and should work well for networks where DHCPv6
-   is needed for very straightforward configuration of network devices.
-
-   However, routers can also act as DHCPv6 relay agents.  In this case,
-   the DHCPv6 server need not be on the router - it can be on a general
-   purpose computer.  This has the potential to give the operator of the
-   DHCPv6 server more flexibility in how the DHCPv6 server responds to
-   individual clients - clients can easily be given different
-   configuration information based on their identity, or for any other
-   reason.  Nothing precludes adding this flexibility to a router, but
-   generally in current practice, DHCP servers running on general-
-   purpose hosts tend to have more configuration options than those that
-   are embedded in routers.
-
-   DHCPv6 currently provides a mechanism for reconfiguring DHCPv6
-   clients that use a stateful configuration assignment.  To do this,
-   the DHCPv6 server sends a Reconfigure message to the client.  The
-   client validates the Reconfigure message, and then contacts the
-   DHCPv6 server to obtain updated configuration information.  Using
-   this mechanism, it is currently possible to propagate new
-   configuration information to DHCPv6 clients as this information
-   changes.
-
-   The DHC Working Group is currently studying an additional mechanism
-   through which configuration information, including the list of
-   RDNSSes, can be updated.  The lifetime option for DHCPv6 [10] assigns
-   a lifetime to configuration information obtained through DHCPv6.  At
-   the expiration of the lifetime, the host contacts the DHCPv6 server
-   to obtain updated configuration information, including the list of
-   RDNSSes.  This lifetime gives the network administrator another
-   mechanism to configure hosts with new RDNSSes by controlling the time
-   at which the host refreshes the list.
-
-
-
-Jeong                   Expires November 6, 2005               [Page 10]
-
-Internet-Draft    IPv6 Host Configuration of DNS Server         May 2005
-
-
-   The DHC Working Group has also discussed the possibility of defining
-   an extension to DHCPv6 that would allow the use of multicast to
-   provide configuration information to multiple hosts with a single
-   DHCPv6 message.  Because of the lack of deployment experience, the WG
-   has deferred consideration of multicast DHCPv6 configuration at this
-   time.  Experience with DHCPv4 has not identified a requirement for
-   multicast message delivery, even in large service provider networks
-   with tens of thousands of hosts that may initiate a DHCPv4 message
-   exchange simultaneously.
-
-3.2.1  Advantages
-
-   The DHCPv6 option for RDNSS has a number of advantages.  These
-   include:
-
-   1.  DHCPv6 currently provides a general mechanism for conveying
-       network configuration information to clients.  So configuring
-       DHCPv6 servers allows the network administrator to configure
-       RDNSSes along with the addresses of other network services, as
-       well as location-specific information like time zones.
-
-   2.  As a consequence, when the network administrator goes to
-       configure DHCPv6, all the configuration information can be
-       managed through a single service, typically with a single user
-       interface and a single configuration database.
-
-   3.  DHCPv6 allows for the configuration of a host with information
-       specific to that host, so that hosts on the same link can be
-       configured with different RDNSSes as well as with other
-       configuration information.  This capability is important in some
-       network deployments such as service provider networks or WiFi hot
-       spots.
-
-   4.  A mechanism exists for extending DHCPv6 to support the
-       transmission of additional configuration that has not yet been
-       anticipated.
-
-   5.  Hosts that require other configuration information such as the
-       addresses of SIP servers and NTP servers are likely to need
-       DHCPv6 for other configuration information.
-
-   6.  The specification for configuration of RDNSSes through DHCPv6 is
-       available as an RFC.  No new protocol extensions such as new
-       options are necessary.
-
-   7.  Interoperability among independent implementations has been
-       demonstrated.
-
-
-
-
-Jeong                   Expires November 6, 2005               [Page 11]
-
-Internet-Draft    IPv6 Host Configuration of DNS Server         May 2005
-
-
-3.2.2  Disadvantages
-
-   The DHCPv6 option for RDNSS has a few disadvantages.  These include:
-
-   1.  Update currently requires message from server (however, see
-       [10]).
-
-   2.  Because DNS information is not contained in RA messages, the host
-       must receive two messages from the router, and must transmit at
-       least one message to the router.  On networks where bandwidth is
-       at a premium, this is a disadvantage, although on most networks
-       it is not a practical concern.
-
-   3.  Increased latency for initial configuration - in addition to
-       waiting for an RA message, the client must now exchange packets
-       with a DHCPv6 server; even if it is locally installed on a
-       router, this will slightly extend the time required to configure
-       the client.  For clients that are moving rapidly from one network
-       to another, this will be a disadvantage.
-
-
-3.2.3  Observations
-
-   In the general case, on general-purpose networks, stateless DHCPv6
-   provides significant advantages and no significant disadvantages.
-   Even in the case where bandwidth is at a premium and low latency is
-   desired, if hosts require other configuration information in addition
-   to a list of RDNSSes or if hosts must be configured selectively,
-   those hosts will use DHCPv6 and the use of the DHCPv6 DNS recursive
-   name server option will be advantageous.
-
-   However, we are aware of some applications where it would be
-   preferable to put the RDNSS information into an RA packet; for
-   example, on a cell phone network, where bandwidth is at a premium and
-   extremely low latency is desired.  The final DNS configuration draft
-   should be written so as to allow these special applications to be
-   handled using DNS information in the RA packet.
-
-3.3  Well-known Anycast Addresses
-
-   Anycast uses the same routing system as unicast [11].  However,
-   administrative entities are local ones.  The local entities may
-   accept unicast routes (including default routes) to anycast servers
-   from adjacent entities.  The administrative entities should not
-   advertise their peers routes to their internal anycast servers, if
-   they want to prohibit external access from some peers to the servers.
-   If some advertisement is inevitable (such as the case with default
-   routes), the packets to the servers should be blocked at the boundary
-
-
-
-Jeong                   Expires November 6, 2005               [Page 12]
-
-Internet-Draft    IPv6 Host Configuration of DNS Server         May 2005
-
-
-   of the entities.  Thus, for this anycast, not only unicast routing
-   but also unicast ND protocols can be used as is.
-
-   First of all, the well-known anycast addresses approach is much
-   different from that discussed at IPv6 Working Group in the past [9].
-   It should be noted that "anycast" in this memo is simpler than that
-   of RFC 1546 [11] and RFC 3513 [12] where it is assumed to be
-   prohibited to have multiple servers on a single link sharing an
-   anycast address.  That is, on a link, an anycast address is assumed
-   to be unique.  DNS clients today already have redundancy by having
-   multiple well-known anycast addresses configured as RDNSS addresses.
-   There is no point in having multiple RDNSSes sharing an anycast
-   address on a single link.
-
-   The approach with well-known anycast addresses is to set multiple
-   well-known anycast addresses in clients' resolver configuration files
-   from the beginning, say, as factory default.  Thus, there is no
-   transport mechanism and no packet format [9].
-
-   An anycast address is an address shared by multiple servers (in this
-   case, the servers are RDNSSes).  A request from a client to the
-   anycast address is routed to a server selected by the routing system.
-   However, it is a bad idea to mandate "site" boundary on anycast
-   addresses, because most users just do not have their own servers and
-   want to access their ISPs' across their site boundaries.  Larger
-   sites may also depend on their ISPs or may have their own RDNSSes
-   within "site" boundaries.
-
-3.3.1  Advantages
-
-   The basic advantage of the well-known addresses approach is that it
-   uses no transport mechanism.  Thus,
-
-   1.  There is no delay to get the response and no further delay by
-       packet losses.
-
-   2.  The approach can be combined with any other configuration
-       mechanisms, such as the RA-based approach and DHCP based
-       approach, as well as the factory default configuration.
-
-   3.  The approach works over any environment where DNS works.
-
-   Another advantage is that the approach needs to configure DNS servers
-   as a router, but nothing else.  Considering that DNS servers do need
-   configuration, the amount of overall configuration effort is
-   proportional to the number of the DNS servers and scales linearly.
-   It should be noted that, in the simplest case where a subscriber to
-   an ISP does not have any DNS server, the subscriber naturally
-
-
-
-Jeong                   Expires November 6, 2005               [Page 13]
-
-Internet-Draft    IPv6 Host Configuration of DNS Server         May 2005
-
-
-   accesses DNS servers of the ISP even though the subscriber and the
-   ISP do nothing and there is no protocol to exchange DNS server
-   information between the subscriber and the ISP.
-
-3.3.2  Disadvantages
-
-   Well-known anycast addresses approach requires that DNS servers (or
-   routers near it as a proxy) act as routers to advertise their anycast
-   addresses to the routing system, which requires some configuration
-   (see the last paragraph of the previous section on the scalability of
-   the effort).
-
-3.3.3  Observations
-
-   If other approaches are used in addition, the well-known anycast
-   addresses should also be set in RA or DHCP configuration files to
-   reduce the configuration effort of users.
-
-   The redundancy by multiple RDNSSes is better provided by multiple
-   servers having different anycast addresses than multiple servers
-   sharing the same anycast address because the former approach allows
-   stale servers to still generate routes to their anycast addresses.
-   Thus, in a routing domain (or domains sharing DNS servers), there
-   will be only one server having an anycast address unless the domain
-   is so large that load distribution is necessary.
-
-   Small ISPs will operate one RDNSS at each anycast address which is
-   shared by all the subscribers.  Large ISPs may operate multiple
-   RDNSSes at each anycast address to distribute and reduce load, where
-   the boundary between RDNSSes may be fixed (redundancy is still
-   provided by multiple addresses) or change dynamically.  DNS packets
-   with the well-known anycast addresses are not expected (though not
-   prohibited) to cross ISP boundaries, as ISPs are expected to be able
-   to take care of themselves.
-
-   Because "anycast" in this memo is simpler than that of RFC 1546 [11]
-   and RFC 3513 [12] where it is assumed to be administratively
-   prohibited to have multiple servers on a single link sharing an
-   anycast address, anycast in this memo should be implemented as
-   UNICAST of RFC 2461 [3] and RFC 3513 [12].  As a result, ND-related
-   instability disappears.  Thus, anycast in well-known anycast
-   addresses approach can and should use the anycast address as a source
-   unicast (according to RFC 3513 [12]) address of packets of UDP and
-   TCP responses.  With TCP, if a route flips and packets to an anycast
-   address are routed to a new server, it is expected that the flip is
-   detected by ICMP or sequence number inconsistency and the TCP
-   connection is reset and retried.
-
-
-
-
-Jeong                   Expires November 6, 2005               [Page 14]
-
-Internet-Draft    IPv6 Host Configuration of DNS Server         May 2005
-
-
-4.  Interworking among IPv6 DNS Configuration Approaches
-
-   Three approaches can work together for IPv6 host configuration of
-   RDNSS.  This section shows a consideration on how these approaches
-   can interwork each other.
-
-   For ordering between RA and DHCP approaches, the O (Other stateful
-   configuration) flag in RA message can be used [8][32].  If no RDNSS
-   option is included, an IPv6 host may perform DNS configuration
-   through DHCPv6 [5]-[7] regardless of whether the O flag is set or
-   not.
-
-   The well-known anycast addresses approach fully interworks with the
-   other approaches.  That is, the other approaches can remove the
-   configuration effort on servers by using the well-known addresses as
-   the default configuration.  Moreover, the clients preconfigured with
-   the well-known anycast addresses can be further configured to use
-   other approaches to override the well-known addresses, if the
-   configuration information from other approaches is available.
-   Otherwise, all the clients need to have the well-known anycast
-   addresses preconfigured.  In order to use the anycast approach along
-   with two other approaches, there are three choices as follows:
-
-   1.  The first choice is that well-known addresses are used as last
-       resort, when an IPv6 host cannot get RDNSS information through RA
-       and DHCP.  The well-known anycast addresses have to be
-       preconfigured in all of IPv6 hosts' resolver configuration files.
-
-   2.  The second is that an IPv6 host can configure well-known
-       addresses as the most preferable in its configuration file even
-       though either an RA option or DHCP option is available.
-
-   3.  The last is that the well-known anycast addresses can be set in
-       RA or DHCP configuration to reduce the configuration effort of
-       users.  According to either the RA or DHCP mechanism, the well-
-       known addresses can be obtained by an IPv6 host.  Because this
-       approach is the most convenient for users, the last option is
-       recommended.
-
-
-Note
-
-   This section does not necessarily mean this document suggests
-   adopting all these three approaches and making them interwork in the
-   way described here.  In fact, some approaches may even not be adopted
-   at all as a result of further discussion.
-
-
-
-
-
-Jeong                   Expires November 6, 2005               [Page 15]
-
-Internet-Draft    IPv6 Host Configuration of DNS Server         May 2005
-
-
-5.  Deployment Scenarios
-
-   Regarding the DNS configuration on the IPv6 host, several mechanisms
-   are being considered at the DNSOP Working Group such as RA option,
-   DHCPv6 option and well-known preconfigured anycast addresses as of
-   today, and this document is a final result from the long thread.  In
-   this section, we suggest four applicable scenarios of three
-   approaches for IPv6 DNS configuration.
-
-Note
-
-   In the applicable scenarios, authors do not implicitly push any
-   specific approaches into the restricted environments.  No enforcement
-   is in each scenario and all mentioned scenarios are probable.  The
-   main objective of this work is to provide a useful guideline for IPv6
-   DNS configuration.
-
-5.1  ISP Network
-
-   A characteristic of ISP network is that multiple Customer Premises
-   Equipment (CPE) devices are connected to IPv6 PE (Provider Edge)
-   routers and each PE connects multiple CPE devices to the backbone
-   network infrastructure [13].  The CPEs may be hosts or routers.
-
-   In the case where the CPE is a router, there is a customer network
-   that is connected to the ISP backbone through the CPE.  Typically,
-   each customer network gets a different IPv6 prefix from an IPv6 PE
-   router, but the same RDNSS configuration will be distributed.
-
-   This section discusses how the different approaches to distributing
-   DNS information are compared in an ISP network.
-
-5.1.1  RA Option Approach
-
-   When the CPE is a host, the RA option for RDNSS can be used to allow
-   the CPE to get RDNSS information as well as /64 prefix information
-   for stateless address autoconfiguration at the same time when the
-   host is attached to a new subnet [8].  Because an IPv6 host must
-   receive at least one RA message for stateless address
-   autoconfiguration and router configuration, the host could receive
-   RDNSS configuration information in that RA without the overhead of an
-   additional message exchange.
-
-   When the CPE is a router, the CPE may accept the RDNSS information
-   from the RA on the interface connected to the ISP, and copy that
-   information into the RAs advertised in the customer network.
-
-   This approach is more valuable in the mobile host scenario, in which
-
-
-
-Jeong                   Expires November 6, 2005               [Page 16]
-
-Internet-Draft    IPv6 Host Configuration of DNS Server         May 2005
-
-
-   the host must receive at least an RA message for detecting a new
-   network, than in other scenarios generally although administrator
-   should configure RDNSS information on the routers.  Secure ND [14]
-   can provide extended security when using RA messages.
-
-5.1.2  DHCPv6 Option Approach
-
-   DHCPv6 can be used for RDNSS configuration through the use of the DNS
-   option, and can provide other configuration information in the same
-   message with RDNSS configuration [5]-[7].  The DHCPv6 DNS option is
-   already in place for DHCPv6 as RFC 3646 [7] and DHCPv6-lite or
-   stateless DHCP [6] is nowhere as complex as a full DHCPv6
-   implementation.  DHCP is a client-server model protocol, so ISPs can
-   handle user identification on its network intentionally, and also
-   authenticated DHCP [15] can be used for secure message exchange.
-
-   The expected model for deployment of IPv6 service by ISPs is to
-   assign a prefix to each customer, which will be used by the customer
-   gateway to assign a /64 prefix to each network in the customer's
-   network.  Prefix delegation with DHCP (DHCPv6 PD) has already been
-   adopted by ISPs for automating the assignment of the customer prefix
-   to the customer gateway [17].  DNS configuration can be carried in
-   the same DHCPv6 message exchange used for DHCPv6 to efficiently
-   provide that information, along with any other configuration
-   information needed by the customer gateway or customer network.  This
-   service model can be useful to Home or SOHO subscribers.  The Home or
-   SOHO gateway, which is a customer gateway for ISP, can then pass that
-   RDNSS configuration information to the hosts in the customer network
-   through DHCP.
-
-5.1.3  Well-known Anycast Addresses Approach
-
-   The well-known anycast addresses approach is also a feasible and
-   simple mechanism for ISP [9].  The use of well-known anycast
-   addresses avoids some of the security risks in rogue messages sent
-   through an external protocol like RA or DHCPv6.  The configuration of
-   hosts for the use of well-known anycast addresses requires no
-   protocol or manual configuration, but the configuration of routing
-   for the anycast addresses requires intervention on the part of the
-   network administrator.  Also, the number of special addresses would
-   be equal to the number of RDNSSes that could be made available to
-   subscribers.
-
-5.2  Enterprise Network
-
-   Enterprise network is defined as a network that has multiple internal
-   links, one or more router connections, to one or more Providers and
-   is actively managed by a network operations entity [16].  An
-
-
-
-Jeong                   Expires November 6, 2005               [Page 17]
-
-Internet-Draft    IPv6 Host Configuration of DNS Server         May 2005
-
-
-   enterprise network can get network prefixes from an ISP by either
-   manual configuration or prefix delegation [17].  In most cases,
-   because an enterprise network manages its own DNS domains, it
-   operates its own DNS servers for the domains.  These DNS servers
-   within enterprise network process recursive DNS name resolution
-   requests from IPv6 hosts as RDNSSes.  The RDNSS configuration in the
-   enterprise network can be performed like in Section 4, in which three
-   approaches can be used together as follows:
-
-   1.  An IPv6 host can decide which approach is or may be used in its
-       subnet with the O flag in RA message [8][32].  As the first
-       choice in Section 4, well-known anycast addresses can be used as
-       a last resort when RDNSS information cannot be obtained through
-       either an RA option or DHCP option.  This case needs IPv6 hosts
-       to preconfigure the well-known anycast addresses in their DNS
-       configuration files.
-
-   2.  When the enterprise prefers the well-known anycast approach to
-       others, IPv6 hosts should preconfigure the well-known anycast
-       addresses like in the first choice.
-
-   3.  The last choice, a more convenient and transparent way, does not
-       need IPv6 hosts to preconfigure the well-known anycast addresses
-       because the addresses are delivered to IPv6 hosts via either the
-       RA option or DHCPv6 option as if they were unicast addresses.
-       This way is most recommended for the sake of user's convenience.
-
-
-5.3  3GPP Network
-
-   The IPv6 DNS configuration is a missing part of IPv6
-   autoconfiguration and an important part of the basic IPv6
-   functionality in the 3GPP User Equipment (UE).  The higher level
-   description of the 3GPP architecture can be found in [18], and
-   transition to IPv6 in 3GPP networks is analyzed in [19] and [20].
-
-   In the 3GPP architecture, there is a dedicated link between the UE
-   and the GGSN called the Packet Data Protocol (PDP) Context.  This
-   link is created through the PDP Context activation procedure [21].
-   There is a separate PDP context type for IPv4 and IPv6 traffic.  If a
-   3GPP UE user is communicating using IPv6 (having an active IPv6 PDP
-   context), it cannot be assumed that (s)he has simultaneously an
-   active IPv4 PDP context, and DNS queries could be done using IPv4.  A
-   3GPP UE can thus be an IPv6 node, and it needs to somehow discover
-   the address of the RDNSS.  Before IP-based services (e.g., web
-   browsing or e-mail) can be used, the IPv6 (and IPv4) RDNSS addresses
-   need to be discovered in the 3GPP UE.
-
-
-
-
-Jeong                   Expires November 6, 2005               [Page 18]
-
-Internet-Draft    IPv6 Host Configuration of DNS Server         May 2005
-
-
-   Section 5.3.1 briefly summarizes currently available mechanisms in
-   3GPP networks and recommendations. 5.3.2 analyzes the Router
-   Advertisement based solution, 5.3.3 analyzes the Stateless DHCPv6
-   mechanism, and 5.3.4 analyzes the Well-known addresses approach.
-   Section 5.3.5 finally summarizes the recommendations.
-
-5.3.1  Currently Available Mechanisms and Recommendations
-
-   3GPP has defined a mechanism, in which RDNSS addresses can be
-   received in the PDP context activation (a control plane mechanism).
-   That is called the Protocol Configuration Options Information Element
-   (PCO-IE) mechanism [22].  The RDNSS addresses can also be received
-   over the air (using text messages), or typed in manually in the UE.
-   Note that the two last mechanisms are not very well scalable.  The UE
-   user most probably does not want to type IPv6 RDNSS addresses
-   manually in his/her UE.  The use of well-known addresses is briefly
-   discussed in section 5.3.4.
-
-   It is seen that the mechanisms above most probably are not sufficient
-   for the 3GPP environment.  IPv6 is intended to operate in a zero-
-   configuration manner, no matter what the underlying network
-   infrastructure is.  Typically, the RDNSS address is needed to make an
-   IPv6 node operational - and the DNS configuration should be as simple
-   as the address autoconfiguration mechanism.  It must also be noted
-   that there will be additional IP interfaces in some near future 3GPP
-   UEs, e.g., WLAN, and 3GPP-specific DNS configuration mechanisms (such
-   as PCO-IE [22]) do not work for those IP interfaces.  In other words,
-   a good IPv6 DNS configuration mechanism should also work in a multi-
-   access network environment.
-
-   From a 3GPP point of view, the best IPv6 DNS configuration solution
-   is feasible for a very large number of IPv6-capable UEs (can be even
-   hundreds of millions in one operator's network), is automatic and
-   thus requires no user action.  It is suggested to standardize a
-   lightweight, stateless mechanism that works in all network
-   environments.  The solution could then be used for 3GPP, 3GPP2, WLAN
-   and other access network technologies.  A light, stateless IPv6 DNS
-   configuration mechanism is thus not only needed in 3GPP networks, but
-   also 3GPP networks and UEs would certainly benefit from the new
-   mechanism.
-
-5.3.2  RA Extension
-
-   Router Advertisement extension [8] is a lightweight IPv6 DNS
-   configuration mechanism that requires minor changes in the 3GPP UE
-   IPv6 stack and Gateway GPRS Support Node (GGSN, the default router in
-   the 3GPP architecture) IPv6 stack.  This solution can be specified in
-   the IETF (no action needed in the 3GPP) and taken in use in 3GPP UEs
-
-
-
-Jeong                   Expires November 6, 2005               [Page 19]
-
-Internet-Draft    IPv6 Host Configuration of DNS Server         May 2005
-
-
-   and GGSNs
-
-   In this solution, an IPv6-capable UE configures DNS information via
-   RA message sent by its default router (GGSN), i.e., RDNSS option for
-   recursive DNS server is included in the RA message.  This solution is
-   easily scalable for a very large number of UEs.  The operator can
-   configure the RDNSS addresses in the GGSN as a part of normal GGSN
-   configuration.  The IPv6 RDNSS address is received in the Router
-   Advertisement, and an extra Round Trip Time (RTT) for asking RDNSS
-   addresses can be avoided.
-
-   If thinking about the cons, this mechanism still requires
-   standardization effort in the IETF, and the end nodes and routers
-   need to support this mechanism.  The equipment software update
-   should, however, be pretty straightforward, and new IPv6 equipment
-   could support RA extension already from the beginning.
-
-5.3.3  Stateless DHCPv6
-
-   DHCPv6-based solution needs the implementation of Stateless DHCP [6]
-   and DHCPv6 DNS options [7] in the UE, and a DHCPv6 server in the
-   operator's network.  A possible configuration is such that the GGSN
-   works as a DHCP relay.
-
-   Pros for Stateless DHCPv6-based solution are
-
-   1.  Stateless DHCPv6 is a standardized mechanism.
-
-   2.  DHCPv6 can be used for receiving other configuration information
-       than RDNSS addresses, e.g., SIP server addresses.
-
-   3.  DHCPv6 works in different network environments.
-
-   4.  When DHCPv6 service is deployed through a single, centralized
-       server, the RDNSS configuration information can be updated by the
-       network administrator at a single source.
-
-   Some issues with DHCPv6 in 3GPP networks are listed below:
-
-   1.  DHCPv6 requires an additional server in the network unless the
-       (Stateless) DHCPv6 functionality is integrated into a router
-       already existing, and that means one box more to be maintained.
-
-   2.  DHCPv6 is not necessarily needed for 3GPP UE IPv6 addressing
-       (3GPP Stateless Address Autoconfiguration is typically used), and
-       not automatically implemented in 3GPP IPv6 UEs.
-
-
-
-
-
-Jeong                   Expires November 6, 2005               [Page 20]
-
-Internet-Draft    IPv6 Host Configuration of DNS Server         May 2005
-
-
-   3.  Scalability and reliability of DHCPv6 in very large 3GPP networks
-       (with tens or hundreds of millions of UEs) may be an issue, at
-       least the redundancy needs to be taken care of.  However, if the
-       DHCPv6 service is integrated into the network elements, such as a
-       router operating system, scalability and reliability is
-       comparable with other DNS configuration approaches.
-
-   4.  It is sub-optimal to utilize the radio resources in 3GPP networks
-       for DHCPv6 messages if there is a simpler alternative available.
-
-       *  The use of Stateless DHCPv6 adds one round trip delay to the
-          case in which the UE can start transmitting data right after
-          the Router Advertisement.
-
-   5.  If the DNS information (suddenly) changes, Stateless DHCPv6 can
-       not automatically update the UE, see [23].
-
-
-5.3.4  Well-known Addresses
-
-   Using well-known addresses is also a feasible and a light mechanism
-   for 3GPP UEs.  Those well-known addresses can be preconfigured in the
-   UE software and the operator makes the corresponding configuration on
-   the network side.  So this is a very easy mechanism for the UE, but
-   requires some configuration work in the network.  When using well-
-   known addresses, UE forwards queries to any of the preconfigured
-   addresses.  In the current proposal [9], IPv6 anycast addresses are
-   suggested.
-
-Note
-
-   The IPv6 DNS configuration proposal based on the use of well-known
-   site-local addresses developed at the IPv6 Working Group was seen as
-   a feasible mechanism for 3GPP UEs, but opposition by some people in
-   the IETF and finally deprecating IPv6 site-local addresses made it
-   impossible to standardize it.  Note that this mechanism is
-   implemented in some existing operating systems today (also in some
-   3GPP UEs) as a last resort of IPv6 DNS configuration.
-
-5.3.5  Recommendations
-
-   It is suggested that a lightweight, stateless DNS configuration
-   mechanism is specified as soon as possible.  From a 3GPP UE and
-   network point of view, the Router Advertisement based mechanism looks
-   most promising.  The sooner a light, stateless mechanism is
-   specified, the sooner we can get rid of using well-known site-local
-   addresses for IPv6 DNS configuration.
-
-
-
-
-Jeong                   Expires November 6, 2005               [Page 21]
-
-Internet-Draft    IPv6 Host Configuration of DNS Server         May 2005
-
-
-5.4  Unmanaged Network
-
-   There are 4 deployment scenarios of interest in unmanaged networks
-   [24]:
-
-   1.  A gateway which does not provide IPv6 at all;
-
-   2.  A dual-stack gateway connected to a dual-stack ISP;
-
-   3.  A dual-stack gateway connected to an IPv4-only ISP; and
-
-   4.  A gateway connected to an IPv6-only ISP.
-
-
-5.4.1  Case A: Gateway does not provide IPv6 at all
-
-   In this case, the gateway does not provide IPv6; the ISP may or may
-   not provide IPv6.  Automatic or Configured tunnels are the
-   recommended transition mechanisms for this scenario.
-
-   The case where dual-stack hosts behind an NAT, that need access to an
-   IPv6 RDNSS, cannot be entirely ruled out.  The DNS configuration
-   mechanism has to work over the tunnel, and the underlying tunneling
-   mechanism could be implementing NAT traversal.  The tunnel server
-   assumes the role of a relay (both for DHCP and Well-known anycast
-   addresses approaches).
-
-   RA-based mechanism is relatively straightforward in its operation,
-   assuming the tunnel server is also the IPv6 router emitting RAs.
-   Well-known anycast addresses approach seems also simple in operation
-   across the tunnel, but the deployment model using Well-known anycast
-   addresses in a tunneled environment is unclear or not well
-   understood.
-
-5.4.2  Case B: A dual-stack gateway connected to a dual-stack ISP
-
-   This is similar to a typical IPv4 home user scenario, where DNS
-   configuration parameters are obtained using DHCP.  Except that
-   Stateless DHCPv6 is used, as opposed to the IPv4 scenario where the
-   DHCP server is stateful (maintains the state for clients).
-
-5.4.3  Case C: A dual-stack gateway connected to an IPv4-only ISP
-
-   This is similar to Case B. If a gateway provides IPv6 connectivity by
-   managing tunnels, then it is also supposed to provide access to an
-   RDNSS.  Like this, the tunnel for IPv6 connectivity originates from
-   the dual-stack gateway instead of the host.
-
-
-
-
-Jeong                   Expires November 6, 2005               [Page 22]
-
-Internet-Draft    IPv6 Host Configuration of DNS Server         May 2005
-
-
-5.4.4  Case D: A gateway connected to an IPv6-only ISP
-
-   This is similar to Case B.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Jeong                   Expires November 6, 2005               [Page 23]
-
-Internet-Draft    IPv6 Host Configuration of DNS Server         May 2005
-
-
-6.  Security Considerations
-
-   As security requirements depend solely on applications and are
-   different application by application, there can be no generic
-   requirement defined at IP or application layer for DNS.
-
-   However, it should be noted that cryptographic security requires
-   configured secret information that full autoconfiguration and
-   cryptographic security are mutually exclusive.  People insisting on
-   secure full autoconfiguration will get false security, false
-   autoconfiguration or both.
-
-   In some deployment scenarios [19], where cryptographic security is
-   required for applications, the secret information for the
-   cryptographic security is preconfigured through which application
-   specific configuration data, including those for DNS, can be securely
-   configured.  It should be noted that if applications requiring
-   cryptographic security depend on DNS, the applications also require
-   cryptographic security to DNS.  Therefore, the full autoconfiguration
-   of DNS is not acceptable.
-
-   However, with full autoconfiguration, weaker but still reasonable
-   security is being widely accepted and will continue to be acceptable.
-   That is, with full autoconfiguration, which means there is no
-   cryptographic security for the autoconfiguration, it is already
-   assumed that the local environment is secure enough that the
-   information from the local autoconfiguration server has acceptable
-   security even without cryptographic security.  Thus, the
-   communication between the local DNS client and local DNS server has
-   acceptable security.
-
-   In autoconfiguring recursive servers, DNSSEC may be overkill, because
-   DNSSEC [29] needs the configuration and reconfiguration of clients at
-   root key roll-over [30][31].  Even if additional keys for secure key
-   roll-over are added at the initial configuration, they are as
-   vulnerable as the original keys to some forms of attacks, such as
-   social hacking.  Another problem of using DNSSEC and
-   autoconfiguration together is that DNSSEC requires secure time, which
-   means secure communication with autoconfigured time servers, which
-   requires configured secret information.  Therefore, in order that the
-   autoconfiguration may be secure, it requires configured secret
-   information.
-
-   If DNSSEC [29] is used and the signatures are verified on the client
-   host, the misconfiguration of a DNS server may be simply denial of
-   service.  Also, if local routing environment is not reliable, clients
-   may be directed to a false resolver with the same IP address as the
-   true one.
-
-
-
-Jeong                   Expires November 6, 2005               [Page 24]
-
-Internet-Draft    IPv6 Host Configuration of DNS Server         May 2005
-
-
-6.1  RA Option
-
-   The security of RA option for RDNSS is the same as the ND protocol
-   security [3][8].  The RA option does not add any new vulnerability.
-
-   It should be noted that the vulnerability of ND is not worse and is a
-   subset of the attacks that any node attached to a LAN can do
-   independently of ND.  A malicious node on a LAN can promiscuously
-   receive packets for any router's MAC address and send packets with
-   the router's MAC address as the source MAC address in the L2 header.
-   As a result, the L2 switches send packets addressed to the router to
-   the malicious node.  Also, this attack can send redirects that tell
-   the hosts to send their traffic somewhere else.  The malicious node
-   can send unsolicited RA or NA replies, answer RS or NS requests, etc.
-   All of this can be done independently of implementing ND.  Therefore,
-   the RA option for RDNSS does not add to the vulnerability.
-
-   Security issues regarding the ND protocol were discussed at IETF SEND
-   (Securing Neighbor Discovery) Working Group and RFC 3971 for the ND
-   security has been published [14].
-
-6.2  DHCPv6 Option
-
-   The DNS Recursive Name Server option may be used by an intruder DHCP
-   server to cause DHCP clients to send DNS queries to an intruder DNS
-   recursive name server [7].  The results of these misdirected DNS
-   queries may be used to spoof DNS names.
-
-   To avoid attacks through the DNS Recursive Name Server option, the
-   DHCP client SHOULD require DHCP authentication (see section
-   "Authentication of DHCP messages" in RFC 3315 [5]) before installing
-   a list of DNS recursive name servers obtained through authenticated
-   DHCP.
-
-6.3  Well-known Anycast Addresses
-
-   Well-known anycast addresses does not require configuration security
-   since there is no protocol [9].
-
-   The DNS server with the preconfigured addresses are still reasonably
-   reliable, if local environment is reasonably secure, that is, there
-   is no active attackers receiving queries to the anycast addresses of
-   the servers and reply to them.
-
-
-
-
-
-
-
-
-Jeong                   Expires November 6, 2005               [Page 25]
-
-Internet-Draft    IPv6 Host Configuration of DNS Server         May 2005
-
-
-7.  Contributors
-
-   Ralph Droms
-   Cisco Systems, Inc.
-   1414 Massachusetts Ave.
-   Boxboro, MA  01719
-   US
-
-   Phone: +1 978 936 1674
-   Email: rdroms@cisco.com
-
-
-   Robert M. Hinden
-   Nokia
-   313 Fairchild Drive
-   Mountain View, CA  94043
-   US
-
-   Phone: +1 650 625 2004
-   Email: bob.hinden@nokia.com
-
-
-   Ted Lemon
-   Nominum, Inc.
-   950 Charter Street
-   Redwood City, CA  94043
-   US
-
-   Email: Ted.Lemon@nominum.com
-
-
-   Masataka Ohta
-   Tokyo Institute of Technology
-   2-12-1, O-okayama, Meguro-ku
-   Tokyo  152-8552
-   Japan
-
-   Phone: +81 3 5734 3299
-   Fax:   +81 3 5734 3299
-   Email: mohta@necom830.hpcl.titech.ac.jp
-
-
-   Soohong Daniel Park
-   Mobile Platform Laboratory, SAMSUNG Electronics
-   416 Maetan-3dong, Yeongtong-Gu
-   Suwon, Gyeonggi-Do  443-742
-   Korea
-
-
-
-
-Jeong                   Expires November 6, 2005               [Page 26]
-
-Internet-Draft    IPv6 Host Configuration of DNS Server         May 2005
-
-
-   Phone: +82 31 200 4508
-   Email: soohong.park@samsung.com
-
-
-   Suresh Satapati
-   Cisco Systems, Inc.
-   San Jose, CA  95134
-   US
-
-   Email: satapati@cisco.com
-
-
-   Juha Wiljakka
-   Nokia
-   Visiokatu 3
-   FIN-33720, TAMPERE
-   Finland
-
-   Phone: +358 7180 48372
-   Email: juha.wiljakka@nokia.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Jeong                   Expires November 6, 2005               [Page 27]
-
-Internet-Draft    IPv6 Host Configuration of DNS Server         May 2005
-
-
-8.  Acknowledgements
-
-   This draft has greatly benefited from inputs by David Meyer, Rob
-   Austein, Tatuya Jinmei, Pekka Savola, Tim Chown, Luc Beloeil,
-   Christian Huitema, Thomas Narten, Pascal Thubert, and Greg Daley.
-   Also, Tony Bonanno proofread this draft.  The authors appreciate
-   their contribution.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Jeong                   Expires November 6, 2005               [Page 28]
-
-Internet-Draft    IPv6 Host Configuration of DNS Server         May 2005
-
-
-9.  References
-
-9.1  Normative References
-
-   [1]  Bradner, S., "IETF Rights in Contributions", RFC 3667,
-        February 2004.
-
-   [2]  Bradner, S., "Intellectual Property Rights in IETF Technology",
-        RFC 3668, February 2004.
-
-   [3]  Narten, T., Nordmark, E., and W. Simpson, "Neighbor Discovery
-        for IP Version 6 (IPv6)", RFC 2461, December 1998.
-
-   [4]  Thomson, S. and T. Narten, "IPv6 Stateless Address
-        Autoconfiguration", RFC 2462, December 1998.
-
-   [5]  Droms, R., Ed., "Dynamic Host Configuration Protocol for IPv6
-        (DHCPv6)", RFC 3315, July 2003.
-
-   [6]  Droms, R., "Stateless Dynamic Host Configuration Protocol (DHCP)
-        Service for IPv6", RFC 3736, April 2004.
-
-   [7]  Droms, R., Ed., "DNS Configuration options for Dynamic Host
-        Configuration Protocol for IPv6 (DHCPv6)", RFC 3646,
-        December 2003.
-
-9.2  Informative References
-
-   [8]   Jeong, J., Park, S., Beloeil, L., and S. Madanapalli, "IPv6 DNS
-         Discovery based on Router Advertisement",
-         draft-jeong-dnsop-ipv6-dns-discovery-04.txt (Work in Progress),
-         February 2005.
-
-   [9]   Ohta, M., "Preconfigured DNS Server Addresses",
-         draft-ohta-preconfigured-dns-01.txt (Work in Progress),
-         February 2004.
-
-   [10]  Venaas, S., Chown, T., and B. Volz, "Information Refresh Time
-         Option for DHCPv6", draft-ietf-dhc-lifetime-03.txt (Work in
-         Progress), January 2005.
-
-   [11]  Partridge, C., Mendez, T., and W. Milliken, "Host Anycasting
-         Service", RFC 1546, November 1993.
-
-   [12]  Hinden, R. and S. Deering, "Internet Protocol Version 6 (IPv6)
-         Addressing Architecture", RFC 3513, April 2003.
-
-   [13]  Lind, M., Ed., "Scenarios and Analysis for Introduction IPv6
-
-
-
-Jeong                   Expires November 6, 2005               [Page 29]
-
-Internet-Draft    IPv6 Host Configuration of DNS Server         May 2005
-
-
-         into ISP Networks", RFC 4029, March 2005.
-
-   [14]  Arkko, J., Ed., "SEcure Neighbor Discovery (SEND)", RFC 3971,
-         March 2005.
-
-   [15]  Droms, R. and W. Arbaugh, "Authentication for DHCP Messages",
-         RFC 3118, June 2001.
-
-   [16]  Bound, J., Ed., "IPv6 Enterprise Network Scenarios",
-         draft-ietf-v6ops-ent-scenarios-05.txt (Work in Progress),
-         July 2004.
-
-   [17]  Troan, O. and R. Droms, "IPv6 Prefix Options for Dynamic Host
-         Configuration Protocol (DHCP) version 6", RFC 3633,
-         December 2003.
-
-   [18]  Wasserman, M., Ed., "Recommendations for IPv6 in 3GPP
-         Standards", RFC 3314, September 2002.
-
-   [19]  Soininen, J., Ed., "Transition Scenarios for 3GPP Networks",
-         RFC 3574, August 2003.
-
-   [20]  Wiljakka, J., Ed., "Analysis on IPv6 Transition in 3GPP
-         Networks", draft-ietf-v6ops-3gpp-analysis-11.txt (Work in
-         Progress), October 2004.
-
-   [21]  3GPP TS 23.060 V5.4.0, "General Packet Radio Service (GPRS);
-         Service description; Stage 2 (Release 5)", December 2002.
-
-   [22]  3GPP TS 24.008 V5.8.0, "Mobile radio interface Layer 3
-         specification; Core network protocols; Stage 3 (Release 5)",
-         June 2003.
-
-   [23]  Chown, T., Venaas, S., and A. Vijayabhaskar, "Renumbering
-         Requirements for Stateless DHCPv6",
-         draft-ietf-dhc-stateless-dhcpv6-renumbering-02.txt (Work in
-         Progress), October 2004.
-
-   [24]  Huitema, C., Ed., "Unmanaged Networks IPv6 Transition
-         Scenarios", RFC 3750, April 2004.
-
-   [25]  ANSI/IEEE Std 802.11, "Part 11: Wireless LAN Medium Access
-         Control (MAC) and Physical Layer (PHY) Specifications",
-         March 1999.
-
-   [26]  IEEE Std 802.11a, "Part 11: Wireless LAN Medium Access Control
-         (MAC) and Physical Layer (PHY) specifications: High-speed
-         Physical Layer in the 5 GHZ Band", September 1999.
-
-
-
-Jeong                   Expires November 6, 2005               [Page 30]
-
-Internet-Draft    IPv6 Host Configuration of DNS Server         May 2005
-
-
-   [27]  IEEE Std 802.11b, "Part 11: Wireless LAN Medium Access Control
-         (MAC) and Physical Layer (PHY) specifications: Higher-Speed
-         Physical Layer Extension in the 2.4 GHz Band", September 1999.
-
-   [28]  IEEE P802.11g/D8.2, "Part 11: Wireless LAN Medium Access
-         Control (MAC) and Physical Layer (PHY) specifications: Further
-         Higher Data Rate Extension in the 2.4 GHz Band", April 2003.
-
-   [29]  Eastlake, D., "Domain Name System Security Extensions",
-         RFC 2535, March 1999.
-
-   [30]  Kolkman, O. and R. Gieben, "DNSSEC Operational Practices",
-         draft-ietf-dnsop-dnssec-operational-practices-03.txt (Work in
-         Progress), December 2004.
-
-   [31]  Guette, G. and O. Courtay, "Requirements for Automated Key
-         Rollover in DNSSEC",
-         draft-ietf-dnsop-key-rollover-requirements-02.txt (Work in
-         Progress), January 2005.
-
-   [32]  Park, S., Madanapalli, S., and T. Jinmei, "Considerations on M
-         and O Flags of IPv6 Router Advertisement",
-         draft-ietf-ipv6-ra-mo-flags-01.txt (Work in Progress),
-         March 2005.
-
-
-Author's Address
-
-   Jaehoon Paul Jeong (editor)
-   ETRI/Department of Computer Science and Engineering
-   University of Minnesota
-   117 Pleasant Street SE
-   Minneapolis, MN  55455
-   US
-
-   Phone: +1 651 587 7774
-   Fax:   +1 612 625 2002
-   Email: jjeong@cs.umn.edu
-   URI:   http://www.cs.umn.edu/~jjeong/
-
-
-
-
-
-
-
-
-
-
-
-
-Jeong                   Expires November 6, 2005               [Page 31]
-
-Internet-Draft    IPv6 Host Configuration of DNS Server         May 2005
-
-
-Appendix A.  Link-layer Multicast Acknowledgements for RA Option
-
-   One benefit of an RA option [8] is to be able to multicast the
-   advertisements, reducing the need for duplicated unicast
-   communications.
-
-   However, some link-layers may not support this as well as others.
-   Consider, for example, WLAN networks where multicast is unreliable.
-   The unreliability problem is caused by lack of ACK for multicast,
-   especially on the path from the Access Point (AP) to the Station
-   (STA), which is specific to CSMA/CA of WLAN, such as IEEE 802.11
-   a/b/g [25]-[28].  That is, a multicast packet is unacknowledged on
-   the path from the AP to the STA, but acknowledged in the reverse
-   direction from the STA to the AP [25].  For example, when a router is
-   placed at wired network connected to an AP, a host may sometimes not
-   receive RA message advertised through the AP.  Therefore, the RA
-   option solution might not work well on a congested medium that uses
-   unreliable multicast for RA.
-
-   The fact that this problem has not been addressed in Neighbor
-   Discovery [3] indicates that the extra link-layer acknowledgements
-   have not been considered a serious problem till now.
-
-   A possible mitigation technique could be to map all-nodes link- local
-   multicast address to the link-layer broadcast address, and to rely on
-   the ND retransmissions for message delivery in order to achieve more
-   reliability.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Jeong                   Expires November 6, 2005               [Page 32]
-
-Internet-Draft    IPv6 Host Configuration of DNS Server         May 2005
-
-
-Intellectual Property Statement
-
-   The IETF takes no position regarding the validity or scope of any
-   Intellectual Property Rights or other rights that might be claimed to
-   pertain to the implementation or use of the technology described in
-   this document or the extent to which any license under such rights
-   might or might not be available; nor does it represent that it has
-   made any independent effort to identify any such rights.  Information
-   on the procedures with respect to rights in RFC documents can be
-   found in BCP 78 and BCP 79.
-
-   Copies of IPR disclosures made to the IETF Secretariat and any
-   assurances of licenses to be made available, or the result of an
-   attempt made to obtain a general license or permission for the use of
-   such proprietary rights by implementers or users of this
-   specification can be obtained from the IETF on-line IPR repository at
-   http://www.ietf.org/ipr.
-
-   The IETF invites any interested party to bring to its attention any
-   copyrights, patents or patent applications, or other proprietary
-   rights that may cover technology that may be required to implement
-   this standard.  Please address the information to the IETF at
-   ietf-ipr@ietf.org.
-
-
-Disclaimer of Validity
-
-   This document and the information contained herein are provided on an
-   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
-   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
-   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
-   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
-   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Copyright Statement
-
-   Copyright (C) The Internet Society (2005).  This document is subject
-   to the rights, licenses and restrictions contained in BCP 78, and
-   except as set forth therein, the authors retain all their rights.
-
-
-Acknowledgment
-
-   Funding for the RFC Editor function is currently provided by the
-   Internet Society.
-
-
-
-
-Jeong                   Expires November 6, 2005               [Page 33]
-
diff --git a/doc/draft/draft-ietf-dnsop-ipv6-dns-issues-04.txt b/doc/draft/draft-ietf-dnsop-ipv6-dns-issues-04.txt
new file mode 100644
index 00000000..280c2f2d
--- /dev/null
+++ b/doc/draft/draft-ietf-dnsop-ipv6-dns-issues-04.txt
@@ -0,0 +1,1233 @@
+
+
+DNS Operations WG                                              A. Durand
+Internet-Draft                                    SUN Microsystems, Inc.
+Expires: July 1, 2004                                           J. Ihren
+                                                              Autonomica
+                                                               P. Savola
+                                                               CSC/FUNET
+                                                                Jan 2004
+
+
+          Operational Considerations and Issues with IPv6 DNS
+                draft-ietf-dnsop-ipv6-dns-issues-04.txt
+
+Status of this Memo
+
+   This document is an Internet-Draft and is in full conformance with
+   all provisions of Section 10 of RFC2026.
+
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF), its areas, and its working groups. Note that other
+   groups may also distribute working documents as Internet-Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time. It is inappropriate to use Internet-Drafts as reference
+   material or to cite them other than as "work in progress."
+
+   The list of current Internet-Drafts can be accessed at http://
+   www.ietf.org/ietf/1id-abstracts.txt.
+
+   The list of Internet-Draft Shadow Directories can be accessed at
+   http://www.ietf.org/shadow.html.
+
+   This Internet-Draft will expire on July 1, 2004.
+
+Copyright Notice
+
+   Copyright (C) The Internet Society (2004). All Rights Reserved.
+
+Abstract
+
+   This memo presents operational considerations and issues with IPv6
+   Domain Name System (DNS), including a summary of special IPv6
+   addresses, documentation of known DNS implementation misbehaviour,
+   recommendations and considerations on how to perform DNS naming for
+   service provisioning and for DNS resolver IPv6 support,
+   considerations for DNS updates for both the forward and reverse
+   trees, and miscellaneous issues.  This memo is aimed to include a
+   summary of information about IPv6 DNS considerations for those who
+   have experience with IPv4 DNS.
+
+
+
+Durand, et al.            Expires July 1, 2004                  [Page 1]
+
+Internet-Draft    Considerations and Issues with IPv6 DNS       Jan 2004
+
+
+Table of Contents
+
+   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
+   1.1 Representing IPv6 Addresses in DNS Records . . . . . . . . . .  3
+   1.2 Independence of DNS Transport and DNS Records  . . . . . . . .  3
+   1.3 Avoiding IPv4/IPv6 Name Space Fragmentation  . . . . . . . . .  4
+   2.  DNS Considerations about Special IPv6 Addresses  . . . . . . .  4
+   2.1 Limited-scope Addresses  . . . . . . . . . . . . . . . . . . .  4
+   2.2 Privacy (RFC3041) Address  . . . . . . . . . . . . . . . . . .  4
+   2.3 6to4 Addresses . . . . . . . . . . . . . . . . . . . . . . . .  5
+   3.  Observed DNS Implementation Misbehaviour . . . . . . . . . . .  5
+   3.1 Misbehaviour of DNS Servers and Load-balancers . . . . . . . .  5
+   3.2 Misbehaviour of DNS Resolvers  . . . . . . . . . . . . . . . .  6
+   4.  Recommendations for Service Provisioning using DNS . . . . . .  6
+   4.1 Use of Service Names instead of Node Names . . . . . . . . . .  6
+   4.2 Separate vs the Same Service Names for IPv4 and IPv6 . . . . .  7
+   4.3 Adding the Records Only when Fully IPv6-enabled  . . . . . . .  7
+   4.4 The Use of TTL for IPv4 and IPv6 RRs . . . . . . . . . . . . .  8
+   4.5 Behaviour of Glue in Mixed IPv4/IPv6 Environments  . . . . . .  8
+   4.6 IPv6 Transport Guidelines for DNS Servers  . . . . . . . . . .  9
+   5.  Recommendations for DNS Resolver IPv6 Support  . . . . . . . .  9
+   5.1 DNS Lookups May Query IPv6 Records Prematurely . . . . . . . .  9
+   5.2 Recursive DNS Resolver Discovery . . . . . . . . . . . . . . . 11
+   5.3 IPv6 Transport Guidelines for Resolvers  . . . . . . . . . . . 11
+   6.  Considerations about Forward DNS Updating  . . . . . . . . . . 11
+   6.1 Manual or Custom DNS Updates . . . . . . . . . . . . . . . . . 12
+   6.2 Dynamic DNS  . . . . . . . . . . . . . . . . . . . . . . . . . 12
+   7.  Considerations about Reverse DNS Updating  . . . . . . . . . . 13
+   7.1 Applicability of Reverse DNS . . . . . . . . . . . . . . . . . 13
+   7.2 Manual or Custom DNS Updates . . . . . . . . . . . . . . . . . 14
+   7.3 DDNS with Stateless Address Autoconfiguration  . . . . . . . . 14
+   7.4 DDNS with DHCP . . . . . . . . . . . . . . . . . . . . . . . . 14
+   7.5 DDNS with Dynamic Prefix Delegation  . . . . . . . . . . . . . 15
+   8.  Miscellaneous DNS Considerations . . . . . . . . . . . . . . . 15
+   8.1 NAT-PT with DNS-ALG  . . . . . . . . . . . . . . . . . . . . . 15
+   8.2 Renumbering Procedures and Applications' Use of DNS  . . . . . 15
+   9.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 16
+   10. Security Considerations  . . . . . . . . . . . . . . . . . . . 16
+       Normative References . . . . . . . . . . . . . . . . . . . . . 16
+       Informative References . . . . . . . . . . . . . . . . . . . . 16
+       Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 19
+   A.  Site-local Addressing Considerations for DNS . . . . . . . . . 19
+       Intellectual Property and Copyright Statements . . . . . . . . 21
+
+
+
+
+
+
+
+
+Durand, et al.            Expires July 1, 2004                  [Page 2]
+
+Internet-Draft    Considerations and Issues with IPv6 DNS       Jan 2004
+
+
+1. Introduction
+
+   This memo presents operational considerations and issues with IPv6
+   DNS; it is meant to be an extensive summary and a list of pointers
+   for more information about IPv6 DNS considerations for those with
+   experience with IPv4 DNS.
+
+   The first section gives a brief overview of how IPv6 addresses and
+   names are represented in the DNS, how transport protocols and
+   resource records (don't) relate, and what IPv4/IPv6 name space
+   fragmentation means and how to avoid it; all of these are described
+   at more length in other documents.
+
+   The second section summarizes the special IPv6 address types and how
+   they relate to DNS.  The third section describes observed DNS
+   implementation misbehaviours which have a varying effect on the use
+   of IPv6 records with DNS.  The fourth section lists recommendations
+   and considerations for provisioning services with DNS.  The fifth
+   section in turn looks at recommendations and considerations about
+   providing IPv6 support in the resolvers.  The sixth and seventh
+   sections describe considerations with forward and reverse DNS
+   updates, respectively.  The eighth section introduces several
+   miscellaneous IPv6 issues relating to DNS for which no better place
+   has been found in this memo.  Appendix A looks briefly at the
+   requirements for site-local addressing.
+
+1.1 Representing IPv6 Addresses in DNS Records
+
+   In the forward zones, IPv6 addresses are represented using AAAA
+   records.  In the reverse zones, IPv6 address are represented using
+   PTR records in the nibble format under the ip6.arpa. -tree.  See [1]
+   for more about IPv6 DNS usage, and [2] or [4] for background
+   information.
+
+   In particular one should note that the use of A6 records, DNAME
+   records in the reverse tree, or Bitlabels in the reverse tree is not
+   recommended [2].
+
+1.2 Independence of DNS Transport and DNS Records
+
+   DNS has been designed to present a single, globally unique name space
+   [6].  This property should be maintained, as described here and in
+   Section 1.3.
+
+   In DNS, the IP version used to transport the queries and responses is
+   independent of the records being queried: AAAA records can be queried
+   over IPv4, and A records over IPv6. The DNS servers must not make any
+   assumptions about what data to return for Answer and Authority
+
+
+
+Durand, et al.            Expires July 1, 2004                  [Page 3]
+
+Internet-Draft    Considerations and Issues with IPv6 DNS       Jan 2004
+
+
+   sections.
+
+   However, there is some debate whether the addresses in Additional
+   section could be selected or filtered using hints obtained from which
+   transport was being used; this has some obvious problems because in
+   many cases the transport protocol does not correlate with the
+   requests, and because a "bad" answer is in a way worse than no answer
+   at all (consider the case where the client is led to believe that a
+   name received in the additional record does not have any AAAA records
+   to begin with).
+
+   As stated in [1]:
+
+      The IP protocol version used for querying resource records is
+      independent of the protocol version of the resource records; e.g.,
+      IPv4 transport can be used to query IPv6 records and vice versa.
+
+
+1.3 Avoiding IPv4/IPv6 Name Space Fragmentation
+
+   To avoid the DNS name space from fragmenting into parts where some
+   parts of DNS are only visible using IPv4 (or IPv6) transport, the
+   recommendation is to always keep at least one authoritative server
+   IPv4-enabled, and to ensure that recursive DNS servers support IPv4.
+   See DNS IPv6 transport guidelines [3] for more information.
+
+2. DNS Considerations about Special IPv6 Addresses
+
+   There are a couple of IPv6 address types which are somewhat special;
+   these are considered here.
+
+2.1 Limited-scope Addresses
+
+   The IPv6 addressing architecture [5] includes two kinds of local-use
+   addresses: link-local (fe80::/10) and site-local (fec0::/10).  The
+   site-local addresses are being deprecated [7], and are only discussed
+   in Appendix A.
+
+   Link-local addresses should never be published in DNS, because they
+   have only local (to the connected link) significance [8].
+
+2.2 Privacy (RFC3041) Address
+
+   Privacy addresses (RFC3041 [9]) use a random number as the interface
+   identifier.  Publishing DNS records relating to such addresses would
+   defeat the purpose of the mechanism and is not recommended.  If
+   absolutely necessary, a mapping could be made to some
+   non-identifiable name, as described in [9].
+
+
+
+Durand, et al.            Expires July 1, 2004                  [Page 4]
+
+Internet-Draft    Considerations and Issues with IPv6 DNS       Jan 2004
+
+
+2.3 6to4 Addresses
+
+   6to4 [10] specifies an automatic tunneling mechanism which maps a
+   public IPv4 address V4ADDR to an IPv6 prefix 2002:V4ADDR::/48.
+   Providing reverse DNS delegation path for such addresses is a
+   challenge.  Note that similar difficulties don't surface with the
+   other automatic tunneling mechanisms (in particular, providing
+   reverse DNS information for Teredo [11] hosts whose address includes
+   the UDP port of the NAT binding does not seem reasonable).
+
+   If the reverse DNS population would be desirable (see Section 7.1 for
+   applicability), there are a number of ways to tackle the delegation
+   path problem [12], some more applicable than the others.
+
+   The main proposal [13] has been to allocate 2.0.0.2.ip6.arpa. to RIRs
+   and let them do subdelegations in accordance to the delegations of
+   the respective IPv4 address space.  This has a major practical
+   drawback: those ISPs and IPv4 address space holders where 6to4 is
+   being used do not, in general, provide any IPv6 services -- as
+   otherwise, most people would not have to use 6to4 to begin with --
+   and it is improbable that the reverse delegation chain would be
+   completed either.  In most cases, creating such delegation chains
+   might just lead to latencies caused by lookups for (almost always)
+   non-existent DNS records.
+
+3. Observed DNS Implementation Misbehaviour
+
+   Several classes of misbehaviour in DNS servers, load-balancers and
+   resolvers have been observed.  Most of these are rather generic, not
+   only applicable to IPv6 -- but in some cases, the consequences of
+   this misbehaviour are extremely severe in IPv6 environments and
+   deserve to be mentioned.
+
+3.1 Misbehaviour of DNS Servers and Load-balancers
+
+   There are several classes of misbehaviour in certain DNS servers and
+   load-balancers which have been noticed and documented [14]: some
+   implementations silently drop queries for unimplemented DNS records
+   types, or provide wrong answers to such queries (instead of a proper
+   negative reply).  While typically these issues are not limited to
+   AAAA records, the problems are aggravated by the fact that AAAA
+   records are being queried instead of (mainly) A records.
+
+   The problems are serious because when looking up a DNS name, typical
+   getaddrinfo() implementations, with AF_UNSPEC hint given, first try
+   to query the AAAA records of the name, and after receiving a
+   response, query the A records. This is done in a serial fashion -- if
+   the first query is never responded to (instead of properly returning
+
+
+
+Durand, et al.            Expires July 1, 2004                  [Page 5]
+
+Internet-Draft    Considerations and Issues with IPv6 DNS       Jan 2004
+
+
+   a negative answer), significant timeouts will occur.
+
+   In consequence, this is an enormous problem for IPv6 deployments, and
+   in some cases, IPv6 support in the software has even been disabled
+   due to these problems.
+
+   The solution is to fix or retire those misbehaving implementations,
+   but that is likely not going to be effective.  There are some
+   possible ways to mitigate the problem, e.g. by performing the lookups
+   somewhat in parallel and reducing the timeout as long as at least one
+   answer has been received; but such methods remain to be investigated;
+   slightly more on this is included in Section 5.
+
+3.2 Misbehaviour of DNS Resolvers
+
+   Several classes of misbehaviour have also been noticed in DNS
+   resolvers [15].  However, these do not seem to directly impair IPv6
+   use, and are only referred to for completeness.
+
+4. Recommendations for Service Provisioning using DNS
+
+   When names are added in the DNS to facilitate a service, there are
+   several general guidelines to consider to be able to do it as
+   smoothly as possible.
+
+4.1 Use of Service Names instead of Node Names
+
+   When a node includes multiple services, one should keep them
+   logically separate in the DNS.  This can be done by the use of
+   service names instead of node names (or, "hostnames").
+
+   For example, assume a node named "pobox.example.com" provides both
+   SMTP and IMAP service.  Instead of configuring the MX records to
+   point at "pobox.example.com", and configuring the mail clients to
+   look up the mail via IMAP from "pobox.example.com", one should use
+   e.g. "smtp.example.com" for SMTP (for both message submission and
+   mail relaying between SMTP servers) and "imap.example.com" for IMAP.
+   Note that in the specific case of SMTP relaying, the server itself
+   must typically also be configured to know all its names to ensure
+   loops do not occur. DNS can provide a layer of indirection between
+   service names and where the service actually is, and using which
+   addresses.
+
+   This is a good practice with IPv4 as well, because it provides more
+   flexibility and enables easier migration of services from one host to
+   another.  A specific reason why this is relevant for IPv6 is that the
+   different services may have a different level of IPv6 support -- that
+   is, one node providing multiple services might want to enable just
+
+
+
+Durand, et al.            Expires July 1, 2004                  [Page 6]
+
+Internet-Draft    Considerations and Issues with IPv6 DNS       Jan 2004
+
+
+   one service to be IPv6-visible while keeping some others as
+   IPv4-only.  Using service names enables more flexibility with
+   different IP versions as well.
+
+4.2 Separate vs the Same Service Names for IPv4 and IPv6
+
+   The service naming can be achieved in basically two ways: when a
+   service is named "service.example.com" for IPv4, the IPv6-enabled
+   service could be either added to "service.example.com", or added
+   separately to a sub-domain, like, "service.ipv6.example.com".
+
+   Both methods have different characteristics.  Using a sub-domain
+   allows for easier service piloting, minimizing the disturbance to the
+   "regular" users of IPv4 service; however, the service would not be
+   used without explicitly asking for it (or, within a restricted
+   network, modifying the DNS search path) -- so it will not actually be
+   used that much.  Using the same service name is the "long-term"
+   solution, but may degrade performance for those clients whose IPv6
+   performance is lower than IPv4, or does not work as well (see the
+   next subsection for more).
+
+   In most cases, it makes sense to pilot or test a service using
+   separate service names, and move to the use of the same name when
+   confident enough that the service level will not degrade for the
+   users unaware of IPv6.
+
+4.3 Adding the Records Only when Fully IPv6-enabled
+
+   The recommendation is that AAAA records for a service should not be
+   added to the DNS until all of following are true:
+
+   1.  The address is assigned to the interface on the node.
+
+   2.  The address is configured on the interface.
+
+   3.  The interface is on a link which is connected to the IPv6
+       infrastructure.
+
+   In addition, if the AAAA record is added for the node, instead of
+   service as recommended, all the services of the node should be
+   IPv6-enabled prior to adding the resource record.
+
+   For example, if an IPv6 node is isolated from an IPv6 perspective
+   (e.g., it is not connected to IPv6 Internet) constraint #3 would mean
+   that it should not have an address in the DNS.
+
+   Consider the case of two dual-stack nodes, which both have IPv6
+   enabled, but the server does not have (global) IPv6 connectivity. As
+
+
+
+Durand, et al.            Expires July 1, 2004                  [Page 7]
+
+Internet-Draft    Considerations and Issues with IPv6 DNS       Jan 2004
+
+
+   the client looks up the server's name, only A records are returned
+   (if the recommendations above are followed), and no IPv6
+   communication, which would have been unsuccessful, is even attempted.
+
+   The issues are not always so black-and-white.  Usually it's important
+   if the service offered using both protocols is of roughly equal
+   quality, using the appropriate metrics for the service (e.g.,
+   latency, throughput, low packet loss, general reliability, etc.) --
+   this is typically very important especially for interactive or
+   real-time services.  In many cases, the quality of IPv6 connectivity
+   is not yet equal to that of IPv4, at least globally -- this has to be
+   taken into consideration when enabling services [16].
+
+4.4 The Use of TTL for IPv4 and IPv6 RRs
+
+   The behaviour of DNS caching when different TTL values are used for
+   different records of the same name requires explicit discussion. For
+   example, let's consider a part of a zone:
+
+   example.com.        300    IN    MX     foo.example.com.
+   foo.example.com.    300    IN    A      192.0.2.1
+   foo.example.com.    100    IN    AAAA   2001:db8::1
+
+   Now, when a caching resolver asks for the MX record of example.com,
+   it gets both A and AAAA records of foo.example.com.  Then, after 100
+   seconds, the AAAA record is removed from the cache because its TTL
+   expired.  Now, subsequent queries only result in the cache returning
+   the A record; after 200 seconds the A record is purged as well.  So,
+   in this particular case, there is a window of 200 seconds when
+   incomplete information is returned from the cache.
+
+   Therefore, when the same name refers to both A and AAAA records,
+   these records should have the same TTL.  Otherwise, the caches may
+   return incomplete information about the queried names.  More issues
+   with caching and A/AAAA records is presented in the next section.
+
+4.5 Behaviour of Glue in Mixed IPv4/IPv6 Environments
+
+   In the previous section, we discussed the effect of impartial data
+   returned from the caches when the TTLs are not kept the same.  Now,
+   we present another problem highlighted in the mixed IPv4/IPv6
+   environments.
+
+   Consider the case where the query is so long or the number of the
+   additional ("glue") records is so high that the response must either
+   be truncated (leading to a retry with TCP) or some of the additional
+   data removed from the reply.  Further, resource record sets are never
+   "broken up", so if a name has 4 A records and 5 AAAA records, you can
+
+
+
+Durand, et al.            Expires July 1, 2004                  [Page 8]
+
+Internet-Draft    Considerations and Issues with IPv6 DNS       Jan 2004
+
+
+   either return all 9, all 4 A records, all 5 AAAA records or nothing.
+
+   In the case of too much additional data, it might be tempting to not
+   return the AAAA records if the transport for DNS query was IPv4, or
+   not return the A records, if the transport was IPv6.  However, this
+   breaks the model of independence of DNS transport and resource
+   records, as noted in Section 1.2.
+
+   This temptation would have significant problems in multiple areas.
+   Remember that often the end-node, which will be using the records, is
+   not the same one as the node requesting them from the authorative DNS
+   server (or even a caching resolver).  So, whichever version the
+   requestor ("the middleman") uses makes no difference to the ultimate
+   user of the records.  This might result in e.g., inappropriately
+   returning A records to an IPv6-only node, going through a
+   translation, or opening up another IP-level session (e.g., a PDP
+   context [31]).
+
+   The problem of too much additional data seems to be an operational
+   one: the zone administrator entering too many records which will be
+   returned either truncated or impartial to the users.  A protocol fix
+   for this is using EDNS0 [32] to signal the capacity for larger UDP
+   packet sizes, pushing up the relevant threshold.  The operational fix
+   for this is having the DNS server implementations return a warning
+   when the administrators create the zones which would result in too
+   much additional data being returned.
+
+4.6 IPv6 Transport Guidelines for DNS Servers
+
+   As described in Section 1.3 and [3], there should continue to be at
+   least one authorative IPv4 DNS server for every zone, even if the
+   zone has only IPv6 records. (Note that obviously, having more servers
+   with robust connectivity would be preferable, but this is the minimum
+   recommendation; also see [17].)
+
+5. Recommendations for DNS Resolver IPv6 Support
+
+   When IPv6 is enabled on a node, there are several things to consider
+   to ensure that the process is as smooth as possible.
+
+5.1 DNS Lookups May Query IPv6 Records Prematurely
+
+   The system library that implements the getaddrinfo() function for
+   looking up names is a critical piece when considering the robustness
+   of enabling IPv6; it may come in basically three flavours:
+
+   1.  The system library does not know whether IPv6 has been enabled in
+       the kernel of the operating system: it may start looking up AAAA
+
+
+
+Durand, et al.            Expires July 1, 2004                  [Page 9]
+
+Internet-Draft    Considerations and Issues with IPv6 DNS       Jan 2004
+
+
+       records with getaddrinfo() and AF_UNSPEC hint when the system is
+       upgraded to a system library version which supports IPv6.
+
+   2.  The system library might start to perform IPv6 queries with
+       getaddrinfo() only when IPv6 has been enabled in the kernel.
+       However, this does not guarantee that there exists any useful
+       IPv6 connectivity (e.g., the node could be isolated from the
+       other IPv6 networks, only having link-local addresses).
+
+   3.  The system library might implement a toggle which would apply
+       some heuristics to the "IPv6-readiness" of the node before
+       starting to perform queries; for example, it could check whether
+       only link-local IPv6 address(es) exists, or if at least one
+       global IPv6 address exists.
+
+   First, let us consider generic implications of unnecessary queries
+   for AAAA records: when looking up all the records in the DNS, AAAA
+   records are typically tried first, and then A records.  These are
+   done in serial, and the A query is not performed until a response is
+   received to the AAAA query.  Considering the misbehaviour of DNS
+   servers and load-balancers, as described in Section 3.1, the look-up
+   delay for AAAA may incur additional unnecessary latency, and
+   introduce a component of unreliability.
+
+   One option here could be to do the queries partially in parallel; for
+   example, if the final response to the AAAA query is not received in
+   0.5 seconds, start performing the A query while waiting for the
+   result (immediate parallelism might be unoptimal without information
+   sharing between the look-up threads, as that would probably lead to
+   duplicate non-cached delegation chain lookups).
+
+   An additional concern is the address selection, which may, in some
+   circumstances, prefer AAAA records over A records, even when the node
+   does not have any IPv6 connectivity [18]. In some cases, the
+   implementation may attempt to connect or send a datagram on a
+   physical link [19], incurring very long protocol timeouts, instead of
+   quickly failing back to IPv4.
+
+   Now, we can consider the issues specific to each of the three
+   possibilities:
+
+   In the first case, the node performs a number of completely useless
+   DNS lookups as it will not be able to use the returned AAAA records
+   anyway. (The only exception is where the application desires to know
+   what's in the DNS, but not use the result for communication.)  One
+   should be able to disable these unnecessary queries, for both latency
+   and reliability reasons.  However, as IPv6 has not been enabled, the
+   connections to IPv6 addresses fail immediately, and if the
+
+
+
+Durand, et al.            Expires July 1, 2004                 [Page 10]
+
+Internet-Draft    Considerations and Issues with IPv6 DNS       Jan 2004
+
+
+   application is programmed properly, the application can fall
+   gracefully back to IPv4 [20].
+
+   The second case is similar to the first, except it happens to a
+   smaller set of nodes when IPv6 has been enabled but connectivity has
+   not been provided yet; similar considerations apply, with the
+   exception that IPv6 records, when returned, will be actually tried
+   first which may typically lead to long timeouts.
+
+   The third case is a bit more complex: optimizing away the DNS lookups
+   with only link-locals is probably safe (but may be desirable with
+   different lookup services which getaddrinfo() may support), as the
+   link-locals are typically automatically generated when IPv6 is
+   enabled, and do not indicate any form of IPv6 connectivity.   That
+   is, performing DNS lookups only when a non-link-local address has
+   been configured on any interface could be beneficial -- this would be
+   an indication that either the address has been configured either from
+   a router advertisement, DHCPv6, or manually.  Each would indicate at
+   least some form of IPv6 connectivity, even though there would not be
+   guarantees of it.
+
+   These issues should be analyzed at more depth, and the fixes found
+   consensus on, perhaps in a separate document.
+
+5.2 Recursive DNS Resolver Discovery
+
+   Recursive IPv6 DNS resolver discovery is a subject of active debate
+   at the moment: the main proposed mechanisms include the use of
+   well-known addresses [21], the use of Router Advertisements to convey
+   the information [22], and using DHCPv6 (or the stateless subset of it
+   [23]) for DNS resolver configuration. No consensus has been reached
+   yet.
+
+   Note that IPv6 DNS resolver discovery, while an important topic, is
+   not required for dual-stack nodes in dual-stack networks: IPv6 DNS
+   records can very well be queried over IPv4 as well.
+
+5.3 IPv6 Transport Guidelines for Resolvers
+
+   As described in Section 1.3 and [3], the recursive resolvers should
+   be IPv4-only or dual-stack to be able to reach any IPv4-only DNS
+   server.  Note that this requirement is also fulfilled by an IPv6-only
+   stub resolver pointing to a dual-stack recursive DNS resolver.
+
+6. Considerations about Forward DNS Updating
+
+   While the topic how to enable updating the forward DNS, i.e., the
+   mapping from names to the correct new addresses, is not specific to
+
+
+
+Durand, et al.            Expires July 1, 2004                 [Page 11]
+
+Internet-Draft    Considerations and Issues with IPv6 DNS       Jan 2004
+
+
+   IPv6, it bears thinking about especially due to adding Stateless
+   Address Autoconfiguration [24] to the mix.
+
+   Typically forward DNS updates are more manageable than doing them in
+   the reverse DNS, because the updater can, typically, be assumed to
+   "own" a certain DNS name -- and we can create a form of security
+   association with the DNS name and the node allowed to update it to
+   point to a new address.
+
+   A more complex form of DNS updates -- adding a whole new name to a
+   DNS zone, instead of updating an existing name -- is considered
+   out-of-scope: this is not an IPv6-specific problem, and one still
+   being explored.
+
+6.1 Manual or Custom DNS Updates
+
+   The DNS mappings can be maintained by hand, in a semi-automatic
+   fashion or by running non-standardized protocols.  These are not
+   considered at more length in this memo.
+
+6.2 Dynamic DNS
+
+   Dynamic DNS updates (DDNS) [25][26] is a standardized mechanism for
+   dynamically updating the DNS.  It works equally well with stateless
+   address autoconfiguration (SLAAC), DHCPv6 or manual address
+   configuration.  The only (minor) twist is that with SLAAC, the DNS
+   server cannot tie the authentication of the user to the IP address,
+   and stronger mechanisms must be used.  Actually, relying on IP
+   addresses for Dynamic DNS is rather insecure at best, so this is
+   probably not a significant problem (but requires that the
+   authorization keying will be explicitly configured).
+
+   Note that with DHCP, it is also possible that the DHCP server updates
+   the DNS, not the host.  The host might only indicate in the DHCP
+   exchange which hostname it would prefer, and the DHCP server would
+   make the appropriate updates. Nonetheless, while this makes setting
+   up a secure channel between the updater and the DNS server easier, it
+   does not help much with "content" security, i.e., whether the
+   hostname was acceptable -- if the DNS server does not include
+   policies, they must be included in the DHCP server (e.g., a regular
+   host should not be able to state that its name is "www.example.com").
+
+   The nodes must somehow be configured with the information about the
+   servers where they will attempt to update their addresses, sufficient
+   security material for authenticating themselves to the server, and
+   the hostname they will be updating.  Unless otherwise configured, the
+   first could be obtained by looking up the authorative name servers
+   for the hostname; the second must be configured explicitly unless one
+
+
+
+Durand, et al.            Expires July 1, 2004                 [Page 12]
+
+Internet-Draft    Considerations and Issues with IPv6 DNS       Jan 2004
+
+
+   chooses to trust the IP address -based authentication (not a good
+   idea); and lastly, the nodename is typically pre-configured somehow
+   on the node, e.g. at install time.
+
+   Care should be observed when updating the addresses not to use longer
+   TTLs for addresses than are preferred lifetimes for the
+   autoconfigured addresses, so that if the node is renumbered in a
+   managed fashion, the amount of stale DNS information is kept to the
+   minimum. Actually, the DNS TTL should be much shorter (e.g., a half
+   or a third) than the lifetime of an address; that way, the node can
+   start lowering the DNS TTL if it seems like the address has not be
+   renewed/refreshed in a while.  Some discussion on how to manage the
+   DNS TTL is included in [28].
+
+7. Considerations about Reverse DNS Updating
+
+   Forward DNS updating is rather straightforward; reverse DNS is
+   significantly trickier especially with certain mechanisms.  However,
+   first it makes sense to look at the applicability of reverse DNS in
+   the first place.
+
+7.1 Applicability of Reverse DNS
+
+   Today, some applications use reverse DNS to either look up some hints
+   about the topological information associated with an address (e.g.
+   resolving web server access logs), or as a weak form of a security
+   check, to get a feel whether the user's network administrator has
+   "authorized" the use of the address (on the premises that adding a
+   reverse record for an address would signal some form of
+   authorization).
+
+   One additional, maybe slightly more useful usage is ensuring the
+   reverse and forward DNS contents match and correspond to a configured
+   name or domain.  As a security check, it is typically accompanied by
+   other mechanisms, such as a user/password login; the main purpose of
+   the DNS check is to weed out the majority of unauthorized users, and
+   if someone managed to bypass the checks, he would still need to
+   authenticate "properly".
+
+   It is not clear whether it makes sense to require or recommend that
+   reverse DNS records be updated.  In many cases, it would just make
+   more sense to use proper mechanisms for security (or topological
+   information lookup) in the first place.  At minimum, the applications
+   which use it as a generic authorization (in the sense that a record
+   exists at all) should be modified as soon as possible to avoid such
+   lookups completely.
+
+   The applicability is discussed at more length in [29].
+
+
+
+Durand, et al.            Expires July 1, 2004                 [Page 13]
+
+Internet-Draft    Considerations and Issues with IPv6 DNS       Jan 2004
+
+
+7.2 Manual or Custom DNS Updates
+
+   Reverse DNS can of course be updated using manual or custom methods.
+   These are not further described here, except for one special case.
+
+   One way to deploy reverse DNS would be to use wildcard records, for
+   example, by configuring one name for a subnet (/64) or a site (/48).
+   Naturally, such a name could not be verified from the forward DNS,
+   but would at least provide some form of "topological information" or
+   "weak authorization" if that is really considered to be useful.  Note
+   that this is not actually updating the DNS as such, as the whole
+   point is to avoid DNS updates completely by manually configuring a
+   generic name.
+
+7.3 DDNS with Stateless Address Autoconfiguration
+
+   Dynamic DNS with SLAAC is a bit complicated, but manageable with a
+   rather low form of security with some implementation.
+
+   Every node on a link must then be allowed to insert its own reverse
+   DNS record in the reverse zone.  However, in the typical case, there
+   can be no stronger form of authentication between the nodes and the
+   server than the source IP address (the user may roam to other
+   administrative domains as well, requiring updates to foreign DNS
+   servers), which might make attacks more lucrative.
+
+   Moreover, the reverse zones must be cleaned up by some janitorial
+   process: the node does not typically know a priori that it will be
+   disconnected, and cannot send a DNS update using the correct source
+   address to remove a record.
+
+   To insert or update the record, the node must discover the DNS server
+   to send the update to somehow, similar to as discussed in Section
+   6.2. One way to automate this is looking up the DNS server
+   authoritative for the IP address being updated, but the security
+   material (unless the IP address -based authorization is trusted) must
+   also be established by some other means.
+
+7.4 DDNS with DHCP
+
+   With DHCP, the reverse DNS name is typically already inserted to the
+   DNS that reflects to the name (e.g., "dhcp-67.example.com").  This is
+   pre-configured, and requires no updating.
+
+   If a more explicit control is required, similar considerations as
+   with SLAAC apply, except for the fact that typically one must update
+   a reverse DNS record instead of inserting one -- due to a denser
+   address assignment policy -- and updating a record seems like a
+
+
+
+Durand, et al.            Expires July 1, 2004                 [Page 14]
+
+Internet-Draft    Considerations and Issues with IPv6 DNS       Jan 2004
+
+
+   slightly more difficult thing to secure.
+
+   Note that when using DHCP, either the host or the DHCP server could
+   perform the DNS updates; see the implications in Section 6.2.
+
+7.5 DDNS with Dynamic Prefix Delegation
+
+   In cases where more than one address is being used and updated, one
+   should consider where the updated server resides.  That is, whether
+   the prefixes have been delegated to a node in the local site, or
+   whether they reside elsewhere, e.g., at the ISP.  The reverse DNS
+   updates are typically easier to manage if they can be done within a
+   single administrative entity -- and therefore, if a reverse DNS
+   delegation has been made, it may be easier to enable reverse DNS at
+   the site, e.g. by a wildcard record, or by some DNS update mechanism.
+
+8. Miscellaneous DNS Considerations
+
+   This section describes miscellaneous considerations about DNS which
+   seem related to IPv6, for which no better place has been found in
+   this document.
+
+8.1 NAT-PT with DNS-ALG
+
+   NAT-PT [27] DNS-ALG is a critical component (unless something
+   replacing that functionality is specified) which mangles A records to
+   look like AAAA records to the IPv6-only nodes. Numerous problems have
+   been identified with DNS-ALG [30].
+
+8.2 Renumbering Procedures and Applications' Use of DNS
+
+   One of the most difficult problems of systematic IP address
+   renumbering procedures [28] is that an application which looks up a
+   DNS name disregards information such as TTL, and uses the result
+   obtained from DNS as long as it happens to be stored in the memory of
+   the application.  For applications which run for a long time, this
+   could be days, weeks or even months; some applications may be clever
+   enough to organize the data structures and functions in such a manner
+   that look-ups get refreshed now and then.
+
+   While the issue appears to have a clear solution, "fix the
+   applications", practically this is not reasonable immediate advice;
+   the TTL information is not typically available in the APIs and
+   libraries (so, the advice becomes "fix the applications, APIs and
+   libraries"), and a lot more analysis is needed on how to practically
+   go about to achieve the ultimate goal of avoiding using the names
+   longer than expected.
+
+
+
+
+Durand, et al.            Expires July 1, 2004                 [Page 15]
+
+Internet-Draft    Considerations and Issues with IPv6 DNS       Jan 2004
+
+
+9. Acknowledgements
+
+   Some recommendations (Section 4.3, Section 5.1) about IPv6 service
+   provisioning were moved here from [33] by Erik Nordmark and Bob
+   Gilligan.  Havard Eidnes and Michael Patton provided useful feedback
+   and improvements.  Scott Rose, Rob Austein, Masataka Ohta, and Mark
+   Andrews helped in clarifying the issues regarding additional data and
+   the use of TTL.
+
+10. Security Considerations
+
+   This document reviews the operational procedures for IPv6 DNS
+   operations and does not have security considerations in itself.
+
+   However, it is worth noting that in particular with Dynamic DNS
+   Updates, security models based on the source address validation are
+   very weak and cannot be recommended.  On the other hand, it should be
+   noted that setting up an authorization mechanism (e.g., a shared
+   secret, or public-private keys) between a node and the DNS server has
+   to be done manually, and may require quite a bit of time and
+   expertise.
+
+   To re-emphasize which was already stated, reverse DNS checks provide
+   very weak security at best, and the only (questionable)
+   security-related use for them may be in conjunction with other
+   mechanisms when authenticating a user.
+
+Normative References
+
+   [1]  Thomson, S., Huitema, C., Ksinant, V. and M. Souissi, "DNS
+        Extensions to Support IP Version 6", RFC 3596, October 2003.
+
+   [2]  Bush, R., Durand, A., Fink, B., Gudmundsson, O. and T. Hain,
+        "Representing Internet Protocol version 6 (IPv6) Addresses in
+        the Domain Name System (DNS)", RFC 3363, August 2002.
+
+   [3]  Durand, A. and J. Ihren, "DNS IPv6 transport operational
+        guidelines", draft-ietf-dnsop-ipv6-transport-guidelines-01 (work
+        in progress), October 2003.
+
+Informative References
+
+   [4]   Bush, R., "Delegation of IP6.ARPA", BCP 49, RFC 3152, August
+         2001.
+
+   [5]   Hinden, R. and S. Deering, "Internet Protocol Version 6 (IPv6)
+         Addressing Architecture", RFC 3513, April 2003.
+
+
+
+
+Durand, et al.            Expires July 1, 2004                 [Page 16]
+
+Internet-Draft    Considerations and Issues with IPv6 DNS       Jan 2004
+
+
+   [6]   Internet Architecture Board, "IAB Technical Comment on the
+         Unique DNS Root", RFC 2826, May 2000.
+
+   [7]   Huitema, C. and B. Carpenter, "Deprecating Site Local
+         Addresses", draft-ietf-ipv6-deprecate-site-local-02 (work in
+         progress), November 2003.
+
+   [8]   Hazel, P., "IP Addresses that should never appear in the public
+         DNS", draft-ietf-dnsop-dontpublish-unreachable-03 (work in
+         progress), February 2002.
+
+   [9]   Narten, T. and R. Draves, "Privacy Extensions for Stateless
+         Address Autoconfiguration in IPv6", RFC 3041, January 2001.
+
+   [10]  Carpenter, B. and K. Moore, "Connection of IPv6 Domains via
+         IPv4 Clouds", RFC 3056, February 2001.
+
+   [11]  Huitema, C., "Teredo: Tunneling IPv6 over UDP through NATs",
+         draft-huitema-v6ops-teredo-00 (work in progress), June 2003.
+
+   [12]  Moore, K., "6to4 and DNS", draft-moore-6to4-dns-03 (work in
+         progress), October 2002.
+
+   [13]  Bush, R. and J. Damas, "Delegation of 2.0.0.2.ip6.arpa",
+         draft-ymbk-6to4-arpa-delegation-00 (work in progress), February
+         2003.
+
+   [14]  Morishita, Y. and T. Jinmei, "Common Misbehavior against DNS
+         Queries for IPv6 Addresses",
+         draft-morishita-dnsop-misbehavior-against-aaaa-00 (work in
+         progress), June 2003.
+
+   [15]  Larson, M. and P. Barber, "Observed DNS Resolution
+         Misbehavior", draft-ietf-dnsop-bad-dns-res-01 (work in
+         progress), June 2003.
+
+   [16]  Savola, P., "Moving from 6bone to IPv6 Internet",
+         draft-savola-v6ops-6bone-mess-01 (work in progress), November
+         2002.
+
+   [17]  Elz, R., Bush, R., Bradner, S. and M. Patton, "Selection and
+         Operation of Secondary DNS Servers", BCP 16, RFC 2182, July
+         1997.
+
+   [18]  Roy, S., "Dual Stack IPv6 on by Default",
+         draft-ietf-v6ops-v6onbydefault-00 (work in progress), October
+         2003.
+
+
+
+
+Durand, et al.            Expires July 1, 2004                 [Page 17]
+
+Internet-Draft    Considerations and Issues with IPv6 DNS       Jan 2004
+
+
+   [19]  Roy, S., "IPv6 Neighbor Discovery On-Link Assumption Considered
+         Harmful", draft-ietf-v6ops-onlinkassumption-00 (work in
+         progress), October 2003.
+
+   [20]  Shin, M., "Application Aspects of IPv6 Transition",
+         draft-ietf-v6ops-application-transition-00 (work in progress),
+         December 2003.
+
+   [21]  Ohta, M., "Preconfigured DNS Server Addresses",
+         draft-ohta-preconfigured-dns-00 (work in progress), July 2003.
+
+   [22]  Jeong, J., "IPv6 DNS Discovery based on Router Advertisement",
+         draft-jeong-dnsop-ipv6-dns-discovery-00 (work in progress),
+         July 2003.
+
+   [23]  Droms, R., "Stateless DHCP Service for IPv6",
+         draft-ietf-dhc-dhcpv6-stateless-04 (work in progress), January
+         2004.
+
+   [24]  Thomson, S. and T. Narten, "IPv6 Stateless Address
+         Autoconfiguration", RFC 2462, December 1998.
+
+   [25]  Vixie, P., Thomson, S., Rekhter, Y. and J. Bound, "Dynamic
+         Updates in the Domain Name System (DNS UPDATE)", RFC 2136,
+         April 1997.
+
+   [26]  Wellington, B., "Secure Domain Name System (DNS) Dynamic
+         Update", RFC 3007, November 2000.
+
+   [27]  Tsirtsis, G. and P. Srisuresh, "Network Address Translation -
+         Protocol Translation (NAT-PT)", RFC 2766, February 2000.
+
+   [28]  Baker, F., "Procedures for Renumbering an IPv6 Network without
+         a Flag Day", draft-baker-ipv6-renumber-procedure-01 (work in
+         progress), October 2003.
+
+   [29]  Senie, D., "Requiring DNS IN-ADDR Mapping",
+         draft-ietf-dnsop-inaddr-required-03 (work in progress), March
+         2002.
+
+   [30]  Durand, A., "Issues with NAT-PT DNS ALG in RFC2766",
+         draft-durand-v6ops-natpt-dns-alg-issues-00 (work in progress),
+         February 2003.
+
+   [31]  Wiljakka, J., "Analysis on IPv6 Transition in 3GPP Networks",
+         draft-ietf-v6ops-3gpp-analysis-07 (work in progress), October
+         2003.
+
+
+
+
+Durand, et al.            Expires July 1, 2004                 [Page 18]
+
+Internet-Draft    Considerations and Issues with IPv6 DNS       Jan 2004
+
+
+   [32]  Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC 2671,
+         August 1999.
+
+   [33]  Nordmark, E. and R. Gilligan, "Basic Transition Mechanisms for
+         IPv6 Hosts and Routers", draft-ietf-v6ops-mech-v2-01 (work in
+         progress), October 2003.
+
+
+Authors' Addresses
+
+   Alain Durand
+   SUN Microsystems, Inc.
+   17 Network circle UMPL17-202
+   Menlo Park, CA  94025
+   USA
+
+   EMail: Alain.Durand@sun.com
+
+
+   Johan Ihren
+   Autonomica
+   Bellmansgatan 30
+   SE-118 47 Stockholm
+   Sweden
+
+   EMail: johani@autonomica.se
+
+
+   Pekka Savola
+   CSC/FUNET
+
+   Espoo
+   Finland
+
+   EMail: psavola@funet.fi
+
+Appendix A. Site-local Addressing Considerations for DNS
+
+   As site-local addressing is being deprecated, and it is not yet clear
+   whether an addressing-based replacement (and which kind) is devised,
+   the considerations for site-local addressing are discussed briefly
+   here.
+
+   The interactions with DNS come in two flavors: forward and reverse
+   DNS.
+
+   To actually use site-local addresses within a site, this implies the
+   deployment of a "split-faced" or a fragmented DNS name space, for the
+
+
+
+Durand, et al.            Expires July 1, 2004                 [Page 19]
+
+Internet-Draft    Considerations and Issues with IPv6 DNS       Jan 2004
+
+
+   zones internal to the site, and the outsiders' view to it.  The
+   procedures to achieve this are not elaborated here.  The implication
+   is that site-local addresses must not be published in the public DNS.
+
+   To faciliate reverse DNS (if desired) with site-local addresses, the
+   stub resolvers must look for DNS information from the local DNS
+   servers, not e.g. starting from the root servers, so that the
+   site-local information may be provided locally.  Note that the
+   experience private addresses in IPv4 has shown that the root servers
+   get loaded for requests for private address lookups in any.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Durand, et al.            Expires July 1, 2004                 [Page 20]
+
+Internet-Draft    Considerations and Issues with IPv6 DNS       Jan 2004
+
+
+Intellectual Property Statement
+
+   The IETF takes no position regarding the validity or scope of any
+   intellectual property or other rights that might be claimed to
+   pertain to the implementation or use of the technology described in
+   this document or the extent to which any license under such rights
+   might or might not be available; neither does it represent that it
+   has made any effort to identify any such rights. Information on the
+   IETF's procedures with respect to rights in standards-track and
+   standards-related documentation can be found in BCP-11. Copies of
+   claims of rights made available for publication and any assurances of
+   licenses to be made available, or the result of an attempt made to
+   obtain a general license or permission for the use of such
+   proprietary rights by implementors or users of this specification can
+   be obtained from the IETF Secretariat.
+
+   The IETF invites any interested party to bring to its attention any
+   copyrights, patents or patent applications, or other proprietary
+   rights which may cover technology that may be required to practice
+   this standard. Please address the information to the IETF Executive
+   Director.
+
+
+Full Copyright Statement
+
+   Copyright (C) The Internet Society (2004). All Rights Reserved.
+
+   This document and translations of it may be copied and furnished to
+   others, and derivative works that comment on or otherwise explain it
+   or assist in its implementation may be prepared, copied, published
+   and distributed, in whole or in part, without restriction of any
+   kind, provided that the above copyright notice and this paragraph are
+   included on all such copies and derivative works. However, this
+   document itself may not be modified in any way, such as by removing
+   the copyright notice or references to the Internet Society or other
+   Internet organizations, except as needed for the purpose of
+   developing Internet standards in which case the procedures for
+   copyrights defined in the Internet Standards process must be
+   followed, or as required to translate it into languages other than
+   English.
+
+   The limited permissions granted above are perpetual and will not be
+   revoked by the Internet Society or its successors or assignees.
+
+   This document and the information contained herein is provided on an
+   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+
+
+
+Durand, et al.            Expires July 1, 2004                 [Page 21]
+
+Internet-Draft    Considerations and Issues with IPv6 DNS       Jan 2004
+
+
+   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+Acknowledgment
+
+   Funding for the RFC Editor function is currently provided by the
+   Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Durand, et al.            Expires July 1, 2004                 [Page 22]
+
+
diff --git a/doc/draft/draft-ietf-dnsop-ipv6-dns-issues-11.txt b/doc/draft/draft-ietf-dnsop-ipv6-dns-issues-11.txt
deleted file mode 100644
index 1276f9f9..00000000
--- a/doc/draft/draft-ietf-dnsop-ipv6-dns-issues-11.txt
+++ /dev/null
@@ -1,1682 +0,0 @@
-
-
-
-
-DNS Operations WG                                              A. Durand
-Internet-Draft                                    SUN Microsystems, Inc.
-Expires: January 17, 2006                                       J. Ihren
-                                                              Autonomica
-                                                               P. Savola
-                                                               CSC/FUNET
-                                                           July 16, 2005
-
-
-          Operational Considerations and Issues with IPv6 DNS
-                draft-ietf-dnsop-ipv6-dns-issues-11.txt
-
-Status of this Memo
-
-   By submitting this Internet-Draft, each author represents that any
-   applicable patent or other IPR claims of which he or she is aware
-   have been or will be disclosed, and any of which he or she becomes
-   aware will be disclosed, in accordance with Section 6 of BCP 79.
-
-   Internet-Drafts are working documents of the Internet Engineering
-   Task Force (IETF), its areas, and its working groups.  Note that
-   other groups may also distribute working documents as Internet-
-   Drafts.
-
-   Internet-Drafts are draft documents valid for a maximum of six months
-   and may be updated, replaced, or obsoleted by other documents at any
-   time.  It is inappropriate to use Internet-Drafts as reference
-   material or to cite them other than as "work in progress."
-
-   The list of current Internet-Drafts can be accessed at
-   http://www.ietf.org/ietf/1id-abstracts.txt.
-
-   The list of Internet-Draft Shadow Directories can be accessed at
-   http://www.ietf.org/shadow.html.
-
-   This Internet-Draft will expire on January 17, 2006.
-
-Copyright Notice
-
-   Copyright (C) The Internet Society (2005).
-
-Abstract
-
-   This memo presents operational considerations and issues with IPv6
-   Domain Name System (DNS), including a summary of special IPv6
-   addresses, documentation of known DNS implementation misbehaviour,
-   recommendations and considerations on how to perform DNS naming for
-   service provisioning and for DNS resolver IPv6 support,
-
-
-
-Durand, et al.          Expires January 17, 2006                [Page 1]
-
-Internet-Draft        Considerations with IPv6 DNS             July 2005
-
-
-   considerations for DNS updates for both the forward and reverse
-   trees, and miscellaneous issues.  This memo is aimed to include a
-   summary of information about IPv6 DNS considerations for those who
-   have experience with IPv4 DNS.
-
-Table of Contents
-
-   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  4
-     1.1   Representing IPv6 Addresses in DNS Records . . . . . . . .  4
-     1.2   Independence of DNS Transport and DNS Records  . . . . . .  4
-     1.3   Avoiding IPv4/IPv6 Name Space Fragmentation  . . . . . . .  5
-     1.4   Query Type '*' and A/AAAA Records  . . . . . . . . . . . .  5
-   2.  DNS Considerations about Special IPv6 Addresses  . . . . . . .  5
-     2.1   Limited-scope Addresses  . . . . . . . . . . . . . . . . .  6
-     2.2   Temporary Addresses  . . . . . . . . . . . . . . . . . . .  6
-     2.3   6to4 Addresses . . . . . . . . . . . . . . . . . . . . . .  6
-     2.4   Other Transition Mechanisms  . . . . . . . . . . . . . . .  6
-   3.  Observed DNS Implementation Misbehaviour . . . . . . . . . . .  7
-     3.1   Misbehaviour of DNS Servers and Load-balancers . . . . . .  7
-     3.2   Misbehaviour of DNS Resolvers  . . . . . . . . . . . . . .  7
-   4.  Recommendations for Service Provisioning using DNS . . . . . .  7
-     4.1   Use of Service Names instead of Node Names . . . . . . . .  8
-     4.2   Separate vs the Same Service Names for IPv4 and IPv6 . . .  8
-     4.3   Adding the Records Only when Fully IPv6-enabled  . . . . .  9
-     4.4   The Use of TTL for IPv4 and IPv6 RRs . . . . . . . . . . . 10
-       4.4.1   TTL With Courtesy Additional Data  . . . . . . . . . . 10
-       4.4.2   TTL With Critical Additional Data  . . . . . . . . . . 10
-     4.5   IPv6 Transport Guidelines for DNS Servers  . . . . . . . . 11
-   5.  Recommendations for DNS Resolver IPv6 Support  . . . . . . . . 11
-     5.1   DNS Lookups May Query IPv6 Records Prematurely . . . . . . 11
-     5.2   Obtaining a List of DNS Recursive Resolvers  . . . . . . . 13
-     5.3   IPv6 Transport Guidelines for Resolvers  . . . . . . . . . 13
-   6.  Considerations about Forward DNS Updating  . . . . . . . . . . 13
-     6.1   Manual or Custom DNS Updates . . . . . . . . . . . . . . . 14
-     6.2   Dynamic DNS  . . . . . . . . . . . . . . . . . . . . . . . 14
-   7.  Considerations about Reverse DNS Updating  . . . . . . . . . . 15
-     7.1   Applicability of Reverse DNS . . . . . . . . . . . . . . . 15
-     7.2   Manual or Custom DNS Updates . . . . . . . . . . . . . . . 16
-     7.3   DDNS with Stateless Address Autoconfiguration  . . . . . . 16
-     7.4   DDNS with DHCP . . . . . . . . . . . . . . . . . . . . . . 18
-     7.5   DDNS with Dynamic Prefix Delegation  . . . . . . . . . . . 18
-   8.  Miscellaneous DNS Considerations . . . . . . . . . . . . . . . 19
-     8.1   NAT-PT with DNS-ALG  . . . . . . . . . . . . . . . . . . . 19
-     8.2   Renumbering Procedures and Applications' Use of DNS  . . . 19
-   9.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 20
-   10.   Security Considerations  . . . . . . . . . . . . . . . . . . 20
-   11.   References . . . . . . . . . . . . . . . . . . . . . . . . . 20
-     11.1  Normative References . . . . . . . . . . . . . . . . . . . 20
-
-
-
-Durand, et al.          Expires January 17, 2006                [Page 2]
-
-Internet-Draft        Considerations with IPv6 DNS             July 2005
-
-
-     11.2  Informative References . . . . . . . . . . . . . . . . . . 22
-       Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 24
-   A.  Unique Local Addressing Considerations for DNS . . . . . . . . 25
-   B.  Behaviour of Additional Data in IPv4/IPv6 Environments . . . . 25
-     B.1   Description of Additional Data Scenarios . . . . . . . . . 26
-     B.2   Which Additional Data to Keep, If Any? . . . . . . . . . . 27
-     B.3   Discussion of the Potential Problems . . . . . . . . . . . 28
-       Intellectual Property and Copyright Statements . . . . . . . . 30
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Durand, et al.          Expires January 17, 2006                [Page 3]
-
-Internet-Draft        Considerations with IPv6 DNS             July 2005
-
-
-1.  Introduction
-
-   This memo presents operational considerations and issues with IPv6
-   DNS; it is meant to be an extensive summary and a list of pointers
-   for more information about IPv6 DNS considerations for those with
-   experience with IPv4 DNS.
-
-   The purpose of this document is to give information about various
-   issues and considerations related to DNS operations with IPv6; it is
-   not meant to be a normative specification or standard for IPv6 DNS.
-
-   The first section gives a brief overview of how IPv6 addresses and
-   names are represented in the DNS, how transport protocols and
-   resource records (don't) relate, and what IPv4/IPv6 name space
-   fragmentation means and how to avoid it; all of these are described
-   at more length in other documents.
-
-   The second section summarizes the special IPv6 address types and how
-   they relate to DNS.  The third section describes observed DNS
-   implementation misbehaviours which have a varying effect on the use
-   of IPv6 records with DNS.  The fourth section lists recommendations
-   and considerations for provisioning services with DNS.  The fifth
-   section in turn looks at recommendations and considerations about
-   providing IPv6 support in the resolvers.  The sixth and seventh
-   sections describe considerations with forward and reverse DNS
-   updates, respectively.  The eighth section introduces several
-   miscellaneous IPv6 issues relating to DNS for which no better place
-   has been found in this memo.  Appendix A looks briefly at the
-   requirements for unique local addressing.
-
-1.1  Representing IPv6 Addresses in DNS Records
-
-   In the forward zones, IPv6 addresses are represented using AAAA
-   records.  In the reverse zones, IPv6 address are represented using
-   PTR records in the nibble format under the ip6.arpa. tree.  See
-   [RFC3596] for more about IPv6 DNS usage, and [RFC3363] or [RFC3152]
-   for background information.
-
-   In particular one should note that the use of A6 records in the
-   forward tree or Bitlabels in the reverse tree is not recommended
-   [RFC3363].  Using DNAME records is not recommended in the reverse
-   tree in conjunction with A6 records; the document did not mean to
-   take a stance on any other use of DNAME records [RFC3364].
-
-1.2  Independence of DNS Transport and DNS Records
-
-   DNS has been designed to present a single, globally unique name space
-   [RFC2826].  This property should be maintained, as described here and
-
-
-
-Durand, et al.          Expires January 17, 2006                [Page 4]
-
-Internet-Draft        Considerations with IPv6 DNS             July 2005
-
-
-   in Section 1.3.
-
-   The IP version used to transport the DNS queries and responses is
-   independent of the records being queried: AAAA records can be queried
-   over IPv4, and A records over IPv6.  The DNS servers must not make
-   any assumptions about what data to return for Answer and Authority
-   sections based on the underlying transport used in a query.
-
-   However, there is some debate whether the addresses in Additional
-   section could be selected or filtered using hints obtained from which
-   transport was being used; this has some obvious problems because in
-   many cases the transport protocol does not correlate with the
-   requests, and because a "bad" answer is in a way worse than no answer
-   at all (consider the case where the client is led to believe that a
-   name received in the additional record does not have any AAAA records
-   at all).
-
-   As stated in [RFC3596]:
-
-      The IP protocol version used for querying resource records is
-      independent of the protocol version of the resource records; e.g.,
-      IPv4 transport can be used to query IPv6 records and vice versa.
-
-
-1.3  Avoiding IPv4/IPv6 Name Space Fragmentation
-
-   To avoid the DNS name space from fragmenting into parts where some
-   parts of DNS are only visible using IPv4 (or IPv6) transport, the
-   recommendation is to always keep at least one authoritative server
-   IPv4-enabled, and to ensure that recursive DNS servers support IPv4.
-   See DNS IPv6 transport guidelines [RFC3901] for more information.
-
-1.4  Query Type '*' and A/AAAA Records
-
-   QTYPE=* is typically only used for debugging or management purposes;
-   it is worth keeping in mind that QTYPE=* ("ANY" queries) only return
-   any available RRsets, not *all* the RRsets, because the caches do not
-   necessarily have all the RRsets and have no way of guaranteeing that
-   they have all the RRsets.  Therefore, to get both A and AAAA records
-   reliably, two separate queries must be made.
-
-2.  DNS Considerations about Special IPv6 Addresses
-
-   There are a couple of IPv6 address types which are somewhat special;
-   these are considered here.
-
-
-
-
-
-
-Durand, et al.          Expires January 17, 2006                [Page 5]
-
-Internet-Draft        Considerations with IPv6 DNS             July 2005
-
-
-2.1  Limited-scope Addresses
-
-   The IPv6 addressing architecture [RFC3513] includes two kinds of
-   local-use addresses: link-local (fe80::/10) and site-local
-   (fec0::/10).  The site-local addresses have been deprecated [RFC3879]
-   but are discussed with unique local addresses in Appendix A.
-
-   Link-local addresses should never be published in DNS (whether in
-   forward or reverse tree), because they have only local (to the
-   connected link) significance [I-D.durand-dnsop-dont-publish].
-
-2.2  Temporary Addresses
-
-   Temporary addresses defined in RFC3041 [RFC3041] (sometimes called
-   "privacy addresses") use a random number as the interface identifier.
-   Having DNS AAAA records that are updated to always contain the
-   current value of a node's temporary address would defeat the purpose
-   of the mechanism and is not recommended.  However, it would still be
-   possible to return a non-identifiable name (e.g., the IPv6 address in
-   hexadecimal format), as described in [RFC3041].
-
-2.3  6to4 Addresses
-
-   6to4 [RFC3056] specifies an automatic tunneling mechanism which maps
-   a public IPv4 address V4ADDR to an IPv6 prefix 2002:V4ADDR::/48.
-
-   If the reverse DNS population would be desirable (see Section 7.1 for
-   applicability), there are a number of possible ways to do so.
-
-   The main proposal [I-D.huston-6to4-reverse-dns] aims to design an
-   autonomous reverse-delegation system that anyone being capable of
-   communicating using a specific 6to4 address would be able to set up a
-   reverse delegation to the corresponding 6to4 prefix.  This could be
-   deployed by e.g., Regional Internet Registries (RIRs).  This is a
-   practical solution, but may have some scalability concerns.
-
-2.4  Other Transition Mechanisms
-
-   6to4 is mentioned as a case of an IPv6 transition mechanism requiring
-   special considerations.  In general, mechanisms which include a
-   special prefix may need a custom solution; otherwise, for example
-   when IPv4 address is embedded as the suffix or not embedded at all,
-   special solutions are likely not needed.
-
-   Note that it does not seem feasible to provide reverse DNS with
-   another automatic tunneling mechanism, Teredo [I-D.huitema-v6ops-
-   teredo]; this is because the IPv6 address is based on the IPv4
-   address and UDP port of the current NAT mapping which is likely to be
-
-
-
-Durand, et al.          Expires January 17, 2006                [Page 6]
-
-Internet-Draft        Considerations with IPv6 DNS             July 2005
-
-
-   relatively short-lived.
-
-3.  Observed DNS Implementation Misbehaviour
-
-   Several classes of misbehaviour in DNS servers, load-balancers and
-   resolvers have been observed.  Most of these are rather generic, not
-   only applicable to IPv6 -- but in some cases, the consequences of
-   this misbehaviour are extremely severe in IPv6 environments and
-   deserve to be mentioned.
-
-3.1  Misbehaviour of DNS Servers and Load-balancers
-
-   There are several classes of misbehaviour in certain DNS servers and
-   load-balancers which have been noticed and documented [RFC4074]: some
-   implementations silently drop queries for unimplemented DNS records
-   types, or provide wrong answers to such queries (instead of a proper
-   negative reply).  While typically these issues are not limited to
-   AAAA records, the problems are aggravated by the fact that AAAA
-   records are being queried instead of (mainly) A records.
-
-   The problems are serious because when looking up a DNS name, typical
-   getaddrinfo() implementations, with AF_UNSPEC hint given, first try
-   to query the AAAA records of the name, and after receiving a
-   response, query the A records.  This is done in a serial fashion --
-   if the first query is never responded to (instead of properly
-   returning a negative answer), significant timeouts will occur.
-
-   In consequence, this is an enormous problem for IPv6 deployments, and
-   in some cases, IPv6 support in the software has even been disabled
-   due to these problems.
-
-   The solution is to fix or retire those misbehaving implementations,
-   but that is likely not going to be effective.  There are some
-   possible ways to mitigate the problem, e.g., by performing the
-   lookups somewhat in parallel and reducing the timeout as long as at
-   least one answer has been received; but such methods remain to be
-   investigated; slightly more on this is included in Section 5.
-
-3.2  Misbehaviour of DNS Resolvers
-
-   Several classes of misbehaviour have also been noticed in DNS
-   resolvers [I-D.ietf-dnsop-bad-dns-res].  However, these do not seem
-   to directly impair IPv6 use, and are only referred to for
-   completeness.
-
-4.  Recommendations for Service Provisioning using DNS
-
-   When names are added in the DNS to facilitate a service, there are
-
-
-
-Durand, et al.          Expires January 17, 2006                [Page 7]
-
-Internet-Draft        Considerations with IPv6 DNS             July 2005
-
-
-   several general guidelines to consider to be able to do it as
-   smoothly as possible.
-
-4.1  Use of Service Names instead of Node Names
-
-   It makes sense to keep information about separate services logically
-   separate in the DNS by using a different DNS hostname for each
-   service.  There are several reasons for doing this, for example:
-
-   o  It allows more flexibility and ease for migration of (only a part
-      of) services from one node to another,
-
-   o  It allows configuring different properties (e.g., TTL) for each
-      service, and
-
-   o  It allows deciding separately for each service whether to publish
-      the IPv6 addresses or not (in cases where some services are more
-      IPv6-ready than others).
-
-   Using SRV records [RFC2782] would avoid these problems.
-   Unfortunately, those are not sufficiently widely used to be
-   applicable in most cases.  Hence an operation technique is to use
-   service names instead of node names (or, "hostnames").  This
-   operational technique is not specific to IPv6, but required to
-   understand the considerations described in Section 4.2 and
-   Section 4.3.
-
-   For example, assume a node named "pobox.example.com" provides both
-   SMTP and IMAP service.  Instead of configuring the MX records to
-   point at "pobox.example.com", and configuring the mail clients to
-   look up the mail via IMAP from "pobox.example.com", one could use
-   e.g., "smtp.example.com" for SMTP (for both message submission and
-   mail relaying between SMTP servers) and "imap.example.com" for IMAP.
-   Note that in the specific case of SMTP relaying, the server itself
-   must typically also be configured to know all its names to ensure
-   loops do not occur.  DNS can provide a layer of indirection between
-   service names and where the service actually is, and using which
-   addresses.  (Obviously, when wanting to reach a specific node, one
-   should use the hostname rather than a service name.)
-
-4.2  Separate vs the Same Service Names for IPv4 and IPv6
-
-   The service naming can be achieved in basically two ways: when a
-   service is named "service.example.com" for IPv4, the IPv6-enabled
-   service could either be added to "service.example.com", or added
-   separately under a different name, e.g., in a sub-domain, like,
-   "service.ipv6.example.com".
-
-
-
-
-Durand, et al.          Expires January 17, 2006                [Page 8]
-
-Internet-Draft        Considerations with IPv6 DNS             July 2005
-
-
-   These two methods have different characteristics.  Using a different
-   name allows for easier service piloting, minimizing the disturbance
-   to the "regular" users of IPv4 service; however, the service would
-   not be used transparently, without the user/application explicitly
-   finding it and asking for it -- which would be a disadvantage in most
-   cases.  When the different name is under a sub-domain, if the
-   services are deployed within a restricted network (e.g., inside an
-   enterprise), it's possible to prefer them transparently, at least to
-   a degree, by modifying the DNS search path; however, this is a
-   suboptimal solution.  Using the same service name is the "long-term"
-   solution, but may degrade performance for those clients whose IPv6
-   performance is lower than IPv4, or does not work as well (see
-   Section 4.3 for more).
-
-   In most cases, it makes sense to pilot or test a service using
-   separate service names, and move to the use of the same name when
-   confident enough that the service level will not degrade for the
-   users unaware of IPv6.
-
-4.3  Adding the Records Only when Fully IPv6-enabled
-
-   The recommendation is that AAAA records for a service should not be
-   added to the DNS until all of following are true:
-
-   1.  The address is assigned to the interface on the node.
-
-   2.  The address is configured on the interface.
-
-   3.  The interface is on a link which is connected to the IPv6
-       infrastructure.
-
-   In addition, if the AAAA record is added for the node, instead of
-   service as recommended, all the services of the node should be IPv6-
-   enabled prior to adding the resource record.
-
-   For example, if an IPv6 node is isolated from an IPv6 perspective
-   (e.g., it is not connected to IPv6 Internet) constraint #3 would mean
-   that it should not have an address in the DNS.
-
-   Consider the case of two dual-stack nodes, which both have IPv6
-   enabled, but the server does not have (global) IPv6 connectivity.  As
-   the client looks up the server's name, only A records are returned
-   (if the recommendations above are followed), and no IPv6
-   communication, which would have been unsuccessful, is even attempted.
-
-   The issues are not always so black-and-white.  Usually it's important
-   that the service offered using both protocols is of roughly equal
-   quality, using the appropriate metrics for the service (e.g.,
-
-
-
-Durand, et al.          Expires January 17, 2006                [Page 9]
-
-Internet-Draft        Considerations with IPv6 DNS             July 2005
-
-
-   latency, throughput, low packet loss, general reliability, etc.) --
-   this is typically very important especially for interactive or real-
-   time services.  In many cases, the quality of IPv6 connectivity may
-   not yet be equal to that of IPv4, at least globally -- this has to be
-   taken into consideration when enabling services.
-
-4.4  The Use of TTL for IPv4 and IPv6 RRs
-
-   The behaviour of DNS caching when different TTL values are used for
-   different RRsets of the same name calls for explicit discussion.  For
-   example, let's consider two unrelated zone fragments:
-
-      example.com.        300    IN    MX     foo.example.com.
-      foo.example.com.    300    IN    A      192.0.2.1
-      foo.example.com.    100    IN    AAAA   2001:db8::1
-
-   ...
-
-      child.example.com.    300  IN    NS     ns.child.example.com.
-      ns.child.example.com. 300  IN    A      192.0.2.1
-      ns.child.example.com. 100  IN    AAAA   2001:db8::1
-
-   In the former case, we have "courtesy" additional data; in the
-   latter, we have "critical" additional data.  See more extensive
-   background discussion of additional data handling in Appendix B.
-
-4.4.1  TTL With Courtesy Additional Data
-
-   When a caching resolver asks for the MX record of example.com, it
-   gets back "foo.example.com".  It may also get back either one or both
-   of the A and AAAA records in the additional section.  The resolver
-   must explicitly query for both A and AAAA records [RFC2821].
-
-   After 100 seconds, the AAAA record is removed from the cache(s)
-   because its TTL expired.  It could be argued to be useful for the
-   caching resolvers to discard the A record when the shorter TTL (in
-   this case, for the AAAA record) expires; this would avoid the
-   situation where there would be a window of 200 seconds when
-   incomplete information is returned from the cache.  Further argument
-   for discarding is that in the normal operation, the TTL values are so
-   high that very likely the incurred additional queries would not be
-   noticeable, compared to the obtained performance optimization.  The
-   behaviour in this scenario is unspecified.
-
-4.4.2  TTL With Critical Additional Data
-
-   The difference to courtesy additional data is that the A/AAAA records
-   served by the parent zone cannot be queried explicitly.  Therefore
-
-
-
-Durand, et al.          Expires January 17, 2006               [Page 10]
-
-Internet-Draft        Considerations with IPv6 DNS             July 2005
-
-
-   after 100 seconds the AAAA record is removed from the cache(s), but
-   the A record remains.  Queries for the remaining 200 seconds
-   (provided that there are no further queries from the parent which
-   could refresh the caches) only return the A record, leading to a
-   potential opererational situation with unreachable servers.
-
-   Similar cache flushing strategies apply in this scenario; the record.
-
-4.5  IPv6 Transport Guidelines for DNS Servers
-
-   As described in Section 1.3 and [RFC3901], there should continue to
-   be at least one authoritative IPv4 DNS server for every zone, even if
-   the zone has only IPv6 records.  (Note that obviously, having more
-   servers with robust connectivity would be preferable, but this is the
-   minimum recommendation; also see [RFC2182].)
-
-5.  Recommendations for DNS Resolver IPv6 Support
-
-   When IPv6 is enabled on a node, there are several things to consider
-   to ensure that the process is as smooth as possible.
-
-5.1  DNS Lookups May Query IPv6 Records Prematurely
-
-   The system library that implements the getaddrinfo() function for
-   looking up names is a critical piece when considering the robustness
-   of enabling IPv6; it may come in basically three flavours:
-
-   1.  The system library does not know whether IPv6 has been enabled in
-       the kernel of the operating system: it may start looking up AAAA
-       records with getaddrinfo() and AF_UNSPEC hint when the system is
-       upgraded to a system library version which supports IPv6.
-
-   2.  The system library might start to perform IPv6 queries with
-       getaddrinfo() only when IPv6 has been enabled in the kernel.
-       However, this does not guarantee that there exists any useful
-       IPv6 connectivity (e.g., the node could be isolated from the
-       other IPv6 networks, only having link-local addresses).
-
-   3.  The system library might implement a toggle which would apply
-       some heuristics to the "IPv6-readiness" of the node before
-       starting to perform queries; for example, it could check whether
-       only link-local IPv6 address(es) exists, or if at least one
-       global IPv6 address exists.
-
-   First, let us consider generic implications of unnecessary queries
-   for AAAA records: when looking up all the records in the DNS, AAAA
-   records are typically tried first, and then A records.  These are
-   done in serial, and the A query is not performed until a response is
-
-
-
-Durand, et al.          Expires January 17, 2006               [Page 11]
-
-Internet-Draft        Considerations with IPv6 DNS             July 2005
-
-
-   received to the AAAA query.  Considering the misbehaviour of DNS
-   servers and load-balancers, as described in Section 3.1, the look-up
-   delay for AAAA may incur additional unnecessary latency, and
-   introduce a component of unreliability.
-
-   One option here could be to do the queries partially in parallel; for
-   example, if the final response to the AAAA query is not received in
-   0.5 seconds, start performing the A query while waiting for the
-   result (immediate parallelism might be unoptimal, at least without
-   information sharing between the look-up threads, as that would
-   probably lead to duplicate non-cached delegation chain lookups).
-
-   An additional concern is the address selection, which may, in some
-   circumstances, prefer AAAA records over A records even when the node
-   does not have any IPv6 connectivity [I-D.ietf-v6ops-v6onbydefault].
-   In some cases, the implementation may attempt to connect or send a
-   datagram on a physical link [I-D.ietf-v6ops-onlinkassumption],
-   incurring very long protocol timeouts, instead of quickly failing
-   back to IPv4.
-
-   Now, we can consider the issues specific to each of the three
-   possibilities:
-
-   In the first case, the node performs a number of completely useless
-   DNS lookups as it will not be able to use the returned AAAA records
-   anyway.  (The only exception is where the application desires to know
-   what's in the DNS, but not use the result for communication.)  One
-   should be able to disable these unnecessary queries, for both latency
-   and reliability reasons.  However, as IPv6 has not been enabled, the
-   connections to IPv6 addresses fail immediately, and if the
-   application is programmed properly, the application can fall
-   gracefully back to IPv4 [RFC4038].
-
-   The second case is similar to the first, except it happens to a
-   smaller set of nodes when IPv6 has been enabled but connectivity has
-   not been provided yet; similar considerations apply, with the
-   exception that IPv6 records, when returned, will be actually tried
-   first which may typically lead to long timeouts.
-
-   The third case is a bit more complex: optimizing away the DNS lookups
-   with only link-locals is probably safe (but may be desirable with
-   different lookup services which getaddrinfo() may support), as the
-   link-locals are typically automatically generated when IPv6 is
-   enabled, and do not indicate any form of IPv6 connectivity.  That is,
-   performing DNS lookups only when a non-link-local address has been
-   configured on any interface could be beneficial -- this would be an
-   indication that either the address has been configured either from a
-   router advertisement, DHCPv6 [RFC3315], or manually.  Each would
-
-
-
-Durand, et al.          Expires January 17, 2006               [Page 12]
-
-Internet-Draft        Considerations with IPv6 DNS             July 2005
-
-
-   indicate at least some form of IPv6 connectivity, even though there
-   would not be guarantees of it.
-
-   These issues should be analyzed at more depth, and the fixes found
-   consensus on, perhaps in a separate document.
-
-5.2  Obtaining a List of DNS Recursive Resolvers
-
-   In scenarios where DHCPv6 is available, a host can discover a list of
-   DNS recursive resolvers through DHCPv6 "DNS Recursive Name Server"
-   option [RFC3646].  This option can be passed to a host through a
-   subset of DHCPv6 [RFC3736].
-
-   The IETF is considering the development of alternative mechanisms for
-   obtaining the list of DNS recursive name servers when DHCPv6 is
-   unavailable or inappropriate.  No decision about taking on this
-   development work has been reached as of this writing (Aug 2004)
-   [I-D.ietf-dnsop-ipv6-dns-configuration].
-
-   In scenarios where DHCPv6 is unavailable or inappropriate, mechanisms
-   under consideration for development include the use of well-known
-   addresses [I-D.ohta-preconfigured-dns] and the use of Router
-   Advertisements to convey the information [I-D.jeong-dnsop-ipv6-dns-
-   discovery].
-
-   Note that even though IPv6 DNS resolver discovery is a recommended
-   procedure, it is not required for dual-stack nodes in dual-stack
-   networks as IPv6 DNS records can be queried over IPv4 as well as
-   IPv6.  Obviously, nodes which are meant to function without manual
-   configuration in IPv6-only networks must implement the DNS resolver
-   discovery function.
-
-5.3  IPv6 Transport Guidelines for Resolvers
-
-   As described in Section 1.3 and [RFC3901], the recursive resolvers
-   should be IPv4-only or dual-stack to be able to reach any IPv4-only
-   DNS server.  Note that this requirement is also fulfilled by an IPv6-
-   only stub resolver pointing to a dual-stack recursive DNS resolver.
-
-6.  Considerations about Forward DNS Updating
-
-   While the topic of how to enable updating the forward DNS, i.e., the
-   mapping from names to the correct new addresses, is not specific to
-   IPv6, it should be considered especially due to the advent of
-   Stateless Address Autoconfiguration [RFC2462].
-
-   Typically forward DNS updates are more manageable than doing them in
-   the reverse DNS, because the updater can often be assumed to "own" a
-
-
-
-Durand, et al.          Expires January 17, 2006               [Page 13]
-
-Internet-Draft        Considerations with IPv6 DNS             July 2005
-
-
-   certain DNS name -- and we can create a form of security relationship
-   with the DNS name and the node which is allowed to update it to point
-   to a new address.
-
-   A more complex form of DNS updates -- adding a whole new name into a
-   DNS zone, instead of updating an existing name -- is considered out
-   of scope for this memo as it could require zone-wide authentication.
-   Adding a new name in the forward zone is a problem which is still
-   being explored with IPv4, and IPv6 does not seem to add much new in
-   that area.
-
-6.1  Manual or Custom DNS Updates
-
-   The DNS mappings can also be maintained by hand, in a semi-automatic
-   fashion or by running non-standardized protocols.  These are not
-   considered at more length in this memo.
-
-6.2  Dynamic DNS
-
-   Dynamic DNS updates (DDNS) [RFC2136] [RFC3007] is a standardized
-   mechanism for dynamically updating the DNS.  It works equally well
-   with stateless address autoconfiguration (SLAAC), DHCPv6 or manual
-   address configuration.  It is important to consider how each of these
-   behave if IP address-based authentication, instead of stronger
-   mechanisms [RFC3007], was used in the updates.
-
-   1.  manual addresses are static and can be configured
-
-   2.  DHCPv6 addresses could be reasonably static or dynamic, depending
-       on the deployment, and could or could not be configured on the
-       DNS server for the long term
-
-   3.  SLAAC addresses are typically stable for a long time, but could
-       require work to be configured and maintained.
-
-   As relying on IP addresses for Dynamic DNS is rather insecure at
-   best, stronger authentication should always be used; however, this
-   requires that the authorization keying will be explicitly configured
-   using unspecified operational methods.
-
-   Note that with DHCP it is also possible that the DHCP server updates
-   the DNS, not the host.  The host might only indicate in the DHCP
-   exchange which hostname it would prefer, and the DHCP server would
-   make the appropriate updates.  Nonetheless, while this makes setting
-   up a secure channel between the updater and the DNS server easier, it
-   does not help much with "content" security, i.e., whether the
-   hostname was acceptable -- if the DNS server does not include
-   policies, they must be included in the DHCP server (e.g., a regular
-
-
-
-Durand, et al.          Expires January 17, 2006               [Page 14]
-
-Internet-Draft        Considerations with IPv6 DNS             July 2005
-
-
-   host should not be able to state that its name is "www.example.com").
-   DHCP-initiated DDNS updates have been extensively described in
-   [I-D.ietf-dhc-ddns-resolution], [I-D.ietf-dhc-fqdn-option] and
-   [I-D.ietf-dnsext-dhcid-rr].
-
-   The nodes must somehow be configured with the information about the
-   servers where they will attempt to update their addresses, sufficient
-   security material for authenticating themselves to the server, and
-   the hostname they will be updating.  Unless otherwise configured, the
-   first could be obtained by looking up the authoritative name servers
-   for the hostname; the second must be configured explicitly unless one
-   chooses to trust the IP address-based authentication (not a good
-   idea); and lastly, the nodename is typically pre-configured somehow
-   on the node, e.g., at install time.
-
-   Care should be observed when updating the addresses not to use longer
-   TTLs for addresses than are preferred lifetimes for the addresses, so
-   that if the node is renumbered in a managed fashion, the amount of
-   stale DNS information is kept to the minimum.  That is, if the
-   preferred lifetime of an address expires, the TTL of the record needs
-   be modified unless it was already done before the expiration.  For
-   better flexibility, the DNS TTL should be much shorter (e.g., a half
-   or a third) than the lifetime of an address; that way, the node can
-   start lowering the DNS TTL if it seems like the address has not been
-   renewed/refreshed in a while.  Some discussion on how an
-   administrator could manage the DNS TTL is included in [I-D.ietf-
-   v6ops-renumbering-procedure]; this could be applied to (smart) hosts
-   as well.
-
-7.  Considerations about Reverse DNS Updating
-
-   Updating the reverse DNS zone may be difficult because of the split
-   authority over an address.  However, first we have to consider the
-   applicability of reverse DNS in the first place.
-
-7.1  Applicability of Reverse DNS
-
-   Today, some applications use reverse DNS to either look up some hints
-   about the topological information associated with an address (e.g.
-   resolving web server access logs), or as a weak form of a security
-   check, to get a feel whether the user's network administrator has
-   "authorized" the use of the address (on the premises that adding a
-   reverse record for an address would signal some form of
-   authorization).
-
-   One additional, maybe slightly more useful usage is ensuring that the
-   reverse and forward DNS contents match (by looking up the pointer to
-   the name by the IP address from the reverse tree, and ensuring that a
-
-
-
-Durand, et al.          Expires January 17, 2006               [Page 15]
-
-Internet-Draft        Considerations with IPv6 DNS             July 2005
-
-
-   record under the name in the forward tree points to the IP address)
-   and correspond to a configured name or domain.  As a security check,
-   it is typically accompanied by other mechanisms, such as a user/
-   password login; the main purpose of the reverse+forward DNS check is
-   to weed out the majority of unauthorized users, and if someone
-   managed to bypass the checks, he would still need to authenticate
-   "properly".
-
-   It may also be desirable to store IPsec keying material corresponding
-   to an IP address in the reverse DNS, as justified and described in
-   [RFC4025].
-
-   It is not clear whether it makes sense to require or recommend that
-   reverse DNS records be updated.  In many cases, it would just make
-   more sense to use proper mechanisms for security (or topological
-   information lookup) in the first place.  At minimum, the applications
-   which use it as a generic authorization (in the sense that a record
-   exists at all) should be modified as soon as possible to avoid such
-   lookups completely.
-
-   The applicability is discussed at more length in [I-D.ietf-dnsop-
-   inaddr-required].
-
-7.2  Manual or Custom DNS Updates
-
-   Reverse DNS can of course be updated using manual or custom methods.
-   These are not further described here, except for one special case.
-
-   One way to deploy reverse DNS would be to use wildcard records, for
-   example, by configuring one name for a subnet (/64) or a site (/48).
-   As a concrete example, a site (or the site's ISP) could configure the
-   reverses of the prefix 2001:db8:f00::/48 to point to one name using a
-   wildcard record like "*.0.0.f.0.8.b.d.0.1.0.0.2.ip6.arpa.  IN PTR
-   site.example.com."  Naturally, such a name could not be verified from
-   the forward DNS, but would at least provide some form of "topological
-   information" or "weak authorization" if that is really considered to
-   be useful.  Note that this is not actually updating the DNS as such,
-   as the whole point is to avoid DNS updates completely by manually
-   configuring a generic name.
-
-7.3  DDNS with Stateless Address Autoconfiguration
-
-   Dynamic reverse DNS with SLAAC is simpler than forward DNS updates in
-   some regard, while being more difficult in another, as described
-   below.
-
-   The address space administrator decides whether the hosts are trusted
-   to update their reverse DNS records or not.  If they are trusted and
-
-
-
-Durand, et al.          Expires January 17, 2006               [Page 16]
-
-Internet-Draft        Considerations with IPv6 DNS             July 2005
-
-
-   deployed at the same site (e.g., not across the Internet), a simple
-   address-based authorization is typically sufficient (i.e., check that
-   the DNS update is done from the same IP address as the record being
-   updated); stronger security can also be used [RFC3007].  If they
-   aren't allowed to update the reverses, no update can occur.  However,
-   such address-based update authorization operationally requires that
-   ingress filtering [RFC3704] has been set up at the border of the site
-   where the updates occur, and as close to the updater as possible.
-
-   Address-based authorization is simpler with reverse DNS (as there is
-   a connection between the record and the address) than with forward
-   DNS.  However, when a stronger form of security is used, forward DNS
-   updates are simpler to manage because the host can be assumed to have
-   an association with the domain.  Note that the user may roam to
-   different networks, and does not necessarily have any association
-   with the owner of that address space -- so, assuming stronger form of
-   authorization for reverse DNS updates than an address association is
-   generally infeasible.
-
-   Moreover, the reverse zones must be cleaned up by an unspecified
-   janitorial process: the node does not typically know a priori that it
-   will be disconnected, and cannot send a DNS update using the correct
-   source address to remove a record.
-
-   A problem with defining the clean-up process is that it is difficult
-   to ensure that a specific IP address and the corresponding record are
-   no longer being used.  Considering the huge address space, and the
-   unlikelihood of collision within 64 bits of the interface
-   identifiers, a process which would remove the record after no traffic
-   has been seen from a node in a long period of time (e.g., a month or
-   year) might be one possible approach.
-
-   To insert or update the record, the node must discover the DNS server
-   to send the update to somehow, similar to as discussed in
-   Section 6.2.  One way to automate this is looking up the DNS server
-   authoritative (e.g., through SOA record) for the IP address being
-   updated, but the security material (unless the IP address-based
-   authorization is trusted) must also be established by some other
-   means.
-
-   One should note that Cryptographically Generated Addresses [RFC3972]
-   (CGAs) may require a slightly different kind of treatment.  CGAs are
-   addresses where the interface identifier is calculated from a public
-   key, a modifier (used as a nonce), the subnet prefix, and other data.
-   Depending on the usage profile, CGAs might or might not be changed
-   periodically due to e.g., privacy reasons.  As the CGA address is not
-   predicatable, a reverse record can only reasonably be inserted in the
-   DNS by the node which generates the address.
-
-
-
-Durand, et al.          Expires January 17, 2006               [Page 17]
-
-Internet-Draft        Considerations with IPv6 DNS             July 2005
-
-
-7.4  DDNS with DHCP
-
-   With DHCPv4, the reverse DNS name is typically already inserted to
-   the DNS that reflects to the name (e.g., "dhcp-67.example.com").  One
-   can assume similar practice may become commonplace with DHCPv6 as
-   well; all such mappings would be pre-configured, and would require no
-   updating.
-
-   If a more explicit control is required, similar considerations as
-   with SLAAC apply, except for the fact that typically one must update
-   a reverse DNS record instead of inserting one (if an address
-   assignment policy that reassigns disused addresses is adopted) and
-   updating a record seems like a slightly more difficult thing to
-   secure.  However, it is yet uncertain how DHCPv6 is going to be used
-   for address assignment.
-
-   Note that when using DHCP, either the host or the DHCP server could
-   perform the DNS updates; see the implications in Section 6.2.
-
-   If disused addresses were to be reassigned, host-based DDNS reverse
-   updates would need policy considerations for DNS record modification,
-   as noted above.  On the other hand, if disused address were not to be
-   assigned, host-based DNS reverse updates would have similar
-   considerations as SLAAC in Section 7.3.  Server-based updates have
-   similar properties except that the janitorial process could be
-   integrated with DHCP address assignment.
-
-7.5  DDNS with Dynamic Prefix Delegation
-
-   In cases where a prefix, instead of an address, is being used and
-   updated, one should consider what is the location of the server where
-   DDNS updates are made.  That is, where the DNS server is located:
-
-   1.  At the same organization as the prefix delegator.
-
-   2.  At the site where the prefixes are delegated to.  In this case,
-       the authority of the DNS reverse zone corresponding to the
-       delegated prefix is also delegated to the site.
-
-   3.  Elsewhere; this implies a relationship between the site and where
-       DNS server is located, and such a relationship should be rather
-       straightforward to secure as well.  Like in the previous case,
-       the authority of the DNS reverse zone is also delegated.
-
-   In the first case, managing the reverse DNS (delegation) is simpler
-   as the DNS server and the prefix delegator are in the same
-   administrative domain (as there is no need to delegate anything at
-   all); alternatively, the prefix delegator might forgo DDNS reverse
-
-
-
-Durand, et al.          Expires January 17, 2006               [Page 18]
-
-Internet-Draft        Considerations with IPv6 DNS             July 2005
-
-
-   capability altogether, and use e.g., wildcard records (as described
-   in Section 7.2).  In the other cases, it can be slighly more
-   difficult, particularly as the site will have to configure the DNS
-   server to be authoritative for the delegated reverse zone, implying
-   automatic configuration of the DNS server -- as the prefix may be
-   dynamic.
-
-   Managing the DDNS reverse updates is typically simple in the second
-   case, as the updated server is located at the local site, and
-   arguably IP address-based authentication could be sufficient (or if
-   not, setting up security relationships would be simpler).  As there
-   is an explicit (security) relationship between the parties in the
-   third case, setting up the security relationships to allow reverse
-   DDNS updates should be rather straightforward as well (but IP
-   address-based authentication might not be acceptable).  In the first
-   case, however, setting up and managing such relationships might be a
-   lot more difficult.
-
-8.  Miscellaneous DNS Considerations
-
-   This section describes miscellaneous considerations about DNS which
-   seem related to IPv6, for which no better place has been found in
-   this document.
-
-8.1  NAT-PT with DNS-ALG
-
-   The DNS-ALG component of NAT-PT mangles A records  to look like AAAA
-   records to the IPv6-only nodes.  Numerous problems have been
-   identified with DNS-ALG [I-D.ietf-v6ops-natpt-to-exprmntl].  This is
-   a strong reason not to use NAT-PT in the first place.
-
-8.2  Renumbering Procedures and Applications' Use of DNS
-
-   One of the most difficult problems of systematic IP address
-   renumbering procedures [I-D.ietf-v6ops-renumbering-procedure] is that
-   an application which looks up a DNS name disregards information such
-   as TTL, and uses the result obtained from DNS as long as it happens
-   to be stored in the memory of the application.  For applications
-   which run for a long time, this could be days, weeks or even months;
-   some applications may be clever enough to organize the data
-   structures and functions in such a manner that look-ups get refreshed
-   now and then.
-
-   While the issue appears to have a clear solution, "fix the
-   applications", practically this is not reasonable immediate advice;
-   the TTL information is not typically available in the APIs and
-   libraries (so, the advice becomes "fix the applications, APIs and
-   libraries"), and a lot more analysis is needed on how to practically
-
-
-
-Durand, et al.          Expires January 17, 2006               [Page 19]
-
-Internet-Draft        Considerations with IPv6 DNS             July 2005
-
-
-   go about to achieve the ultimate goal of avoiding using the names
-   longer than expected.
-
-9.  Acknowledgements
-
-   Some recommendations (Section 4.3, Section 5.1) about IPv6 service
-   provisioning were moved here from [I-D.ietf-v6ops-mech-v2] by Erik
-   Nordmark and Bob Gilligan.  Havard Eidnes and Michael Patton provided
-   useful feedback and improvements.  Scott Rose, Rob Austein, Masataka
-   Ohta, and Mark Andrews helped in clarifying the issues regarding
-   additional data and the use of TTL.  Jefsey Morfin, Ralph Droms,
-   Peter Koch, Jinmei Tatuya, Iljitsch van Beijnum, Edward Lewis, and
-   Rob Austein provided useful feedback during the WG last call.  Thomas
-   Narten provided extensive feedback during the IESG evaluation.
-
-10.  Security Considerations
-
-   This document reviews the operational procedures for IPv6 DNS
-   operations and does not have security considerations in itself.
-
-   However, it is worth noting that in particular with Dynamic DNS
-   Updates, security models based on the source address validation are
-   very weak and cannot be recommended -- they could only be considered
-   in the environments where ingress filtering [RFC3704] has been
-   deployed.  On the other hand, it should be noted that setting up an
-   authorization mechanism (e.g., a shared secret, or public-private
-   keys) between a node and the DNS server has to be done manually, and
-   may require quite a bit of time and expertise.
-
-   To re-emphasize what was already stated, the reverse+forward DNS
-   check provides very weak security at best, and the only
-   (questionable) security-related use for them may be in conjunction
-   with other mechanisms when authenticating a user.
-
-11.  References
-
-11.1  Normative References
-
-   [I-D.ietf-dnsop-ipv6-dns-configuration]
-              Jeong, J., "IPv6 Host Configuration of DNS Server
-              Information Approaches",
-              draft-ietf-dnsop-ipv6-dns-configuration-06 (work in
-              progress), May 2005.
-
-   [I-D.ietf-ipv6-unique-local-addr]
-              Hinden, R. and B. Haberman, "Unique Local IPv6 Unicast
-              Addresses", draft-ietf-ipv6-unique-local-addr-09 (work in
-              progress), January 2005.
-
-
-
-Durand, et al.          Expires January 17, 2006               [Page 20]
-
-Internet-Draft        Considerations with IPv6 DNS             July 2005
-
-
-   [I-D.ietf-v6ops-renumbering-procedure]
-              Baker, F., "Procedures for Renumbering an IPv6 Network
-              without a Flag Day",
-              draft-ietf-v6ops-renumbering-procedure-05 (work in
-              progress), March 2005.
-
-   [RFC1034]  Mockapetris, P., "Domain names - concepts and facilities",
-              STD 13, RFC 1034, November 1987.
-
-   [RFC2136]  Vixie, P., Thomson, S., Rekhter, Y., and J. Bound,
-              "Dynamic Updates in the Domain Name System (DNS UPDATE)",
-              RFC 2136, April 1997.
-
-   [RFC2181]  Elz, R. and R. Bush, "Clarifications to the DNS
-              Specification", RFC 2181, July 1997.
-
-   [RFC2182]  Elz, R., Bush, R., Bradner, S., and M. Patton, "Selection
-              and Operation of Secondary DNS Servers", BCP 16, RFC 2182,
-              July 1997.
-
-   [RFC2462]  Thomson, S. and T. Narten, "IPv6 Stateless Address
-              Autoconfiguration", RFC 2462, December 1998.
-
-   [RFC2671]  Vixie, P., "Extension Mechanisms for DNS (EDNS0)",
-              RFC 2671, August 1999.
-
-   [RFC2821]  Klensin, J., "Simple Mail Transfer Protocol", RFC 2821,
-              April 2001.
-
-   [RFC3007]  Wellington, B., "Secure Domain Name System (DNS) Dynamic
-              Update", RFC 3007, November 2000.
-
-   [RFC3041]  Narten, T. and R. Draves, "Privacy Extensions for
-              Stateless Address Autoconfiguration in IPv6", RFC 3041,
-              January 2001.
-
-   [RFC3056]  Carpenter, B. and K. Moore, "Connection of IPv6 Domains
-              via IPv4 Clouds", RFC 3056, February 2001.
-
-   [RFC3152]  Bush, R., "Delegation of IP6.ARPA", BCP 49, RFC 3152,
-              August 2001.
-
-   [RFC3315]  Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C.,
-              and M. Carney, "Dynamic Host Configuration Protocol for
-              IPv6 (DHCPv6)", RFC 3315, July 2003.
-
-   [RFC3363]  Bush, R., Durand, A., Fink, B., Gudmundsson, O., and T.
-              Hain, "Representing Internet Protocol version 6 (IPv6)
-
-
-
-Durand, et al.          Expires January 17, 2006               [Page 21]
-
-Internet-Draft        Considerations with IPv6 DNS             July 2005
-
-
-              Addresses in the Domain Name System (DNS)", RFC 3363,
-              August 2002.
-
-   [RFC3364]  Austein, R., "Tradeoffs in Domain Name System (DNS)
-              Support for Internet Protocol version 6 (IPv6)", RFC 3364,
-              August 2002.
-
-   [RFC3513]  Hinden, R. and S. Deering, "Internet Protocol Version 6
-              (IPv6) Addressing Architecture", RFC 3513, April 2003.
-
-   [RFC3596]  Thomson, S., Huitema, C., Ksinant, V., and M. Souissi,
-              "DNS Extensions to Support IP Version 6", RFC 3596,
-              October 2003.
-
-   [RFC3646]  Droms, R., "DNS Configuration options for Dynamic Host
-              Configuration Protocol for IPv6 (DHCPv6)", RFC 3646,
-              December 2003.
-
-   [RFC3736]  Droms, R., "Stateless Dynamic Host Configuration Protocol
-              (DHCP) Service for IPv6", RFC 3736, April 2004.
-
-   [RFC3879]  Huitema, C. and B. Carpenter, "Deprecating Site Local
-              Addresses", RFC 3879, September 2004.
-
-   [RFC3901]  Durand, A. and J. Ihren, "DNS IPv6 Transport Operational
-              Guidelines", BCP 91, RFC 3901, September 2004.
-
-   [RFC4038]  Shin, M-K., Hong, Y-G., Hagino, J., Savola, P., and E.
-              Castro, "Application Aspects of IPv6 Transition",
-              RFC 4038, March 2005.
-
-   [RFC4074]  Morishita, Y. and T. Jinmei, "Common Misbehavior Against
-              DNS Queries for IPv6 Addresses", RFC 4074, May 2005.
-
-11.2  Informative References
-
-   [I-D.durand-dnsop-dont-publish]
-              Durand, A. and T. Chown, "To publish, or not to publish,
-              that is the question.", draft-durand-dnsop-dont-publish-00
-              (work in progress), February 2005.
-
-   [I-D.huitema-v6ops-teredo]
-              Huitema, C., "Teredo: Tunneling IPv6 over UDP through
-              NATs", draft-huitema-v6ops-teredo-05 (work in progress),
-              April 2005.
-
-   [I-D.huston-6to4-reverse-dns]
-              Huston, G., "6to4 Reverse DNS Delegation",
-
-
-
-Durand, et al.          Expires January 17, 2006               [Page 22]
-
-Internet-Draft        Considerations with IPv6 DNS             July 2005
-
-
-              draft-huston-6to4-reverse-dns-03 (work in progress),
-              October 2004.
-
-   [I-D.ietf-dhc-ddns-resolution]
-              Stapp, M. and B. Volz, "Resolution of FQDN Conflicts among
-              DHCP Clients", draft-ietf-dhc-ddns-resolution-09 (work in
-              progress), June 2005.
-
-   [I-D.ietf-dhc-fqdn-option]
-              Stapp, M. and Y. Rekhter, "The DHCP Client FQDN Option",
-              draft-ietf-dhc-fqdn-option-10 (work in progress),
-              February 2005.
-
-   [I-D.ietf-dnsext-dhcid-rr]
-              Stapp, M., Lemon, T., and A. Gustafsson, "A DNS RR for
-              encoding DHCP information (DHCID RR)",
-              draft-ietf-dnsext-dhcid-rr-09 (work in progress),
-              February 2005.
-
-   [I-D.ietf-dnsop-bad-dns-res]
-              Larson, M. and P. Barber, "Observed DNS Resolution
-              Misbehavior", draft-ietf-dnsop-bad-dns-res-03 (work in
-              progress), October 2004.
-
-   [I-D.ietf-dnsop-inaddr-required]
-              Senie, D., "Encouraging the use of DNS IN-ADDR Mapping",
-              draft-ietf-dnsop-inaddr-required-06 (work in progress),
-              February 2005.
-
-   [I-D.ietf-v6ops-3gpp-analysis]
-              Wiljakka, J., "Analysis on IPv6 Transition in 3GPP
-              Networks", draft-ietf-v6ops-3gpp-analysis-11 (work in
-              progress), October 2004.
-
-   [I-D.ietf-v6ops-mech-v2]
-              Nordmark, E. and R. Gilligan, "Basic Transition Mechanisms
-              for IPv6 Hosts and Routers", draft-ietf-v6ops-mech-v2-07
-              (work in progress), March 2005.
-
-   [I-D.ietf-v6ops-natpt-to-exprmntl]
-              Aoun, C. and E. Davies, "Reasons to Move NAT-PT to
-              Experimental", draft-ietf-v6ops-natpt-to-exprmntl-01 (work
-              in progress), July 2005.
-
-   [I-D.ietf-v6ops-onlinkassumption]
-              Roy, S., "IPv6 Neighbor Discovery On-Link Assumption
-              Considered Harmful", draft-ietf-v6ops-onlinkassumption-03
-              (work in progress), May 2005.
-
-
-
-Durand, et al.          Expires January 17, 2006               [Page 23]
-
-Internet-Draft        Considerations with IPv6 DNS             July 2005
-
-
-   [I-D.ietf-v6ops-v6onbydefault]
-              Roy, S., Durand, A., and J. Paugh, "Issues with Dual Stack
-              IPv6 on by Default", draft-ietf-v6ops-v6onbydefault-03
-              (work in progress), July 2004.
-
-   [I-D.jeong-dnsop-ipv6-dns-discovery]
-              Jeong, J., "IPv6 DNS Configuration based on Router
-              Advertisement", draft-jeong-dnsop-ipv6-dns-discovery-04
-              (work in progress), February 2005.
-
-   [I-D.ohta-preconfigured-dns]
-              Ohta, M., "Preconfigured DNS Server Addresses",
-              draft-ohta-preconfigured-dns-01 (work in progress),
-              February 2004.
-
-   [RFC2766]  Tsirtsis, G. and P. Srisuresh, "Network Address
-              Translation - Protocol Translation (NAT-PT)", RFC 2766,
-              February 2000.
-
-   [RFC2782]  Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for
-              specifying the location of services (DNS SRV)", RFC 2782,
-              February 2000.
-
-   [RFC2826]  Internet Architecture Board, "IAB Technical Comment on the
-              Unique DNS Root", RFC 2826, May 2000.
-
-   [RFC3704]  Baker, F. and P. Savola, "Ingress Filtering for Multihomed
-              Networks", BCP 84, RFC 3704, March 2004.
-
-   [RFC3972]  Aura, T., "Cryptographically Generated Addresses (CGA)",
-              RFC 3972, March 2005.
-
-   [RFC4025]  Richardson, M., "A Method for Storing IPsec Keying
-              Material in DNS", RFC 4025, March 2005.
-
-
-Authors' Addresses
-
-   Alain Durand
-   SUN Microsystems, Inc.
-   17 Network circle UMPL17-202
-   Menlo Park, CA  94025
-   USA
-
-   Email: Alain.Durand@sun.com
-
-
-
-
-
-
-Durand, et al.          Expires January 17, 2006               [Page 24]
-
-Internet-Draft        Considerations with IPv6 DNS             July 2005
-
-
-   Johan Ihren
-   Autonomica
-   Bellmansgatan 30
-   SE-118 47 Stockholm
-   Sweden
-
-   Email: johani@autonomica.se
-
-
-   Pekka Savola
-   CSC/FUNET
-   Espoo
-   Finland
-
-   Email: psavola@funet.fi
-
-Appendix A.  Unique Local Addressing Considerations for DNS
-
-   Unique local addresses [I-D.ietf-ipv6-unique-local-addr] have
-   replaced the now-deprecated site-local addresses [RFC3879].  From the
-   perspective of the DNS, the locally generated unique local addresses
-   (LUL) and site-local addresses have similar properties.
-
-   The interactions with DNS come in two flavors: forward and reverse
-   DNS.
-
-   To actually use local addresses within a site, this implies the
-   deployment of a "split-faced" or a fragmented DNS name space, for the
-   zones internal to the site, and the outsiders' view to it.  The
-   procedures to achieve this are not elaborated here.  The implication
-   is that local addresses must not be published in the public DNS.
-
-   To faciliate reverse DNS (if desired) with local addresses, the stub
-   resolvers must look for DNS information from the local DNS servers,
-   not e.g. starting from the root servers, so that the local
-   information may be provided locally.  Note that the experience of
-   private addresses in IPv4 has shown that the root servers get loaded
-   for requests for private address lookups in any case.  This
-   requirement is discussed in [I-D.ietf-ipv6-unique-local-addr].
-
-Appendix B.  Behaviour of Additional Data in IPv4/IPv6 Environments
-
-   DNS responses do not always fit in a single UDP packet.  We'll
-   examine the cases which happen when this is due to too much data in
-   the Additional Section.
-
-
-
-
-
-
-Durand, et al.          Expires January 17, 2006               [Page 25]
-
-Internet-Draft        Considerations with IPv6 DNS             July 2005
-
-
-B.1  Description of Additional Data Scenarios
-
-   There are two kinds of additional data:
-
-   1.  "critical" additional data; this must be included in all
-       scenarios, with all the RRsets, and
-
-   2.  "courtesy" additional data; this could be sent in full, with only
-       a few RRsets, or with no RRsets, and can be fetched separately as
-       well, but at the cost of additional queries.
-
-   The responding server can algorithmically determine which type the
-   additional data is by checking whether it's at or below a zone cut.
-
-   Only those additional data records (even if sometimes carelessly
-   termed "glue") are considered "critical" or real "glue" if and only
-   if they meet the abovementioned condition, as specified in Section
-   4.2.1 of [RFC1034].
-
-   Remember that resource record sets (RRsets) are never "broken up", so
-   if a name has 4 A records and 5 AAAA records, you can either return
-   all 9, all 4 A records, all 5 AAAA records or nothing.  In
-   particular, notice that for the "critical" additional data getting
-   all the RRsets can be critical.
-
-   In particular, [RFC2181] specifies (in Section 9) that:
-
-   a.  if all the "critical" RRsets do not fit, the sender should set
-       the TC bit, and the recipient should discard the whole response
-       and retry using mechanism allowing larger responses such as TCP.
-
-   b.  "courtesy" additional data should not cause the setting of TC
-       bit, but instead all the non-fitting additional data RRsets
-       should be removed.
-
-   An example of the "courtesy" additional data is A/AAAA records in
-   conjunction with MX records as shown in Section 4.4; an example of
-   the "critical" additional data is shown below (where getting both the
-   A and AAAA RRsets is critical w.r.t. to the NS RR):
-
-      child.example.com.    IN   NS ns.child.example.com.
-      ns.child.example.com. IN    A 192.0.2.1
-      ns.child.example.com. IN AAAA 2001:db8::1
-
-   When there is too much "courtesy" additional data, at least the non-
-   fitting RRsets should be removed [RFC2181]; however, as the
-   additional data is not critical, even all of it could be safely
-   removed.
-
-
-
-Durand, et al.          Expires January 17, 2006               [Page 26]
-
-Internet-Draft        Considerations with IPv6 DNS             July 2005
-
-
-   When there is too much "critical" additional data, TC bit will have
-   to be set, and the recipient should ignore the response and retry
-   using TCP; if some data were to be left in the UDP response, the
-   issue is which data could be retained.
-
-   Failing to discard the response with TC bit or omitting critical
-   information but not setting TC bit lead to an unrecoverable problem.
-   Omitting only some of the RRsets if all would not fit (but not
-   setting TC bit) leads to a performance problem.  These are discussed
-   in the next two subsections.
-
-B.2  Which Additional Data to Keep, If Any?
-
-   If the implementation decides to keep as much data (whether
-   "critical" or "courtesy") as possible in the UDP responses, it might
-   be tempting to use the transport of the DNS query as a hint in either
-   of these cases: return the AAAA records if the query was done over
-   IPv6, or return the A records if the query was done over IPv4.
-   However, this breaks the model of independence of DNS transport and
-   resource records, as noted in Section 1.2.
-
-   With courtesy additional data, as long as enough RRsets will be
-   removed so that TC will not be set, it is allowed to send as many
-   complete RRsets as the implementations prefers.  However, the
-   implementations are also free to omit all such RRsets, even if
-   complete.  Omitting all the RRsets (when removing only some would
-   suffice) may create a performance penalty, whereby the client may
-   need to issue one or more additional queries to obtain necessary
-   and/or consistent information.
-
-   With critical additional data, the alternatives are either returning
-   nothing (and absolutely requiring a retry with TCP) or returning
-   something (working also in the case if the recipient does not discard
-   the response and retry using TCP) in addition to setting the TC bit.
-   If the process for selecting "something" from the critical data would
-   otherwise be practically "flipping the coin" between A and AAAA
-   records, it could be argued that if one looked at the transport of
-   the query, it would have a larger possibility of being right than
-   just 50/50.  In other words, if the returned critical additional data
-   would have to be selected somehow, using something more sophisticated
-   than a random process would seem justifiable.
-
-   That is, leaving in some intelligently selected critical additional
-   data is a tradeoff between creating an optimization for those
-   resolvers which ignore the "should discard" recommendation, and
-   causing a protocol problem by propagating inconsistent information
-   about "critical" records in the caches.
-
-
-
-
-Durand, et al.          Expires January 17, 2006               [Page 27]
-
-Internet-Draft        Considerations with IPv6 DNS             July 2005
-
-
-   Similarly, leaving in the complete courtesy additional data RRsets
-   instead of removing all the RRsets is a performance tradeoff as
-   described in the next section.
-
-B.3  Discussion of the Potential Problems
-
-   As noted above, the temptation for omitting only some of the
-   additional data could be problematic.  This is discussed more below.
-
-   For courtesy additional data, this causes a potential performance
-   problem as this requires that the clients issue re-queries for the
-   potentially omitted RRsets.  For critical additional data, this
-   causes a potential unrecoverable problem if the response is not
-   discarded and the query not re-tried with TCP, as the nameservers
-   might be reachable only through the omitted RRsets.
-
-   If an implementation would look at the transport used for the query,
-   it is worth remembering that often the host using the records is
-   different from the node requesting them from the authoritative DNS
-   server (or even a caching resolver).  So, whichever version the
-   requestor (e.g., a recursive server in the middle) uses makes no
-   difference to the ultimate user of the records, whose transport
-   capabilities might differ from those of the requestor.  This might
-   result in e.g., inappropriately returning A records to an IPv6-only
-   node, going through a translation, or opening up another IP-level
-   session (e.g., a PDP context [I-D.ietf-v6ops-3gpp-analysis]).
-   Therefore, at least in many scenarios, it would be very useful if the
-   information returned would be consistent and complete -- or if that
-   is not feasible, return no misleading information but rather leave it
-   to the client to query again.
-
-   The problem of too much additional data seems to be an operational
-   one: the zone administrator entering too many records which will be
-   returned either truncated (or missing some RRsets, depending on
-   implementations) to the users.  A protocol fix for this is using
-   EDNS0 [RFC2671] to signal the capacity for larger UDP packet sizes,
-   pushing up the relevant threshold.  Further, DNS server
-   implementations should rather omit courtesy additional data
-   completely rather than including only some RRsets [RFC2181].  An
-   operational fix for this is having the DNS server implementations
-   return a warning when the administrators create zones which would
-   result in too much additional data being returned.  Further, DNS
-   server implementations should warn of or disallow such zone
-   configurations which are recursive or otherwise difficult to manage
-   by the protocol.
-
-   Additionally, to avoid the case where an application would not get an
-   address at all due to some of courtesy additional data being omitted,
-
-
-
-Durand, et al.          Expires January 17, 2006               [Page 28]
-
-Internet-Draft        Considerations with IPv6 DNS             July 2005
-
-
-   the resolvers should be able to query the specific records of the
-   desired protocol, not just rely on getting all the required RRsets in
-   the additional section.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Durand, et al.          Expires January 17, 2006               [Page 29]
-
-Internet-Draft        Considerations with IPv6 DNS             July 2005
-
-
-Intellectual Property Statement
-
-   The IETF takes no position regarding the validity or scope of any
-   Intellectual Property Rights or other rights that might be claimed to
-   pertain to the implementation or use of the technology described in
-   this document or the extent to which any license under such rights
-   might or might not be available; nor does it represent that it has
-   made any independent effort to identify any such rights.  Information
-   on the procedures with respect to rights in RFC documents can be
-   found in BCP 78 and BCP 79.
-
-   Copies of IPR disclosures made to the IETF Secretariat and any
-   assurances of licenses to be made available, or the result of an
-   attempt made to obtain a general license or permission for the use of
-   such proprietary rights by implementers or users of this
-   specification can be obtained from the IETF on-line IPR repository at
-   http://www.ietf.org/ipr.
-
-   The IETF invites any interested party to bring to its attention any
-   copyrights, patents or patent applications, or other proprietary
-   rights that may cover technology that may be required to implement
-   this standard.  Please address the information to the IETF at
-   ietf-ipr@ietf.org.
-
-
-Disclaimer of Validity
-
-   This document and the information contained herein are provided on an
-   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
-   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
-   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
-   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
-   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Copyright Statement
-
-   Copyright (C) The Internet Society (2005).  This document is subject
-   to the rights, licenses and restrictions contained in BCP 78, and
-   except as set forth therein, the authors retain all their rights.
-
-
-Acknowledgment
-
-   Funding for the RFC Editor function is currently provided by the
-   Internet Society.
-
-
-
-
-Durand, et al.          Expires January 17, 2006               [Page 30]
-
-
diff --git a/doc/draft/draft-ietf-dnsop-key-rollover-requirements-00.txt b/doc/draft/draft-ietf-dnsop-key-rollover-requirements-00.txt
new file mode 100644
index 00000000..77e68d91
--- /dev/null
+++ b/doc/draft/draft-ietf-dnsop-key-rollover-requirements-00.txt
@@ -0,0 +1,447 @@
+
+DNSOP                                                          G. Guette
+Internet-Draft                                        IRISA/INRIA Rennes
+Expires: August 8, 2004                                       O. Courtay
+                                                           ENST-Bretagne
+                                                        February 8, 2004
+
+
+            Requirements for Automated Key Rollover in DNSsec
+              draft-ietf-dnsop-key-rollover-requirements-00
+
+Status of this Memo
+
+   This document is an Internet-Draft and is in full conformance with
+   all provisions of Section 10 of RFC2026.
+
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF), its areas, and its working groups. Note that
+   other groups may also distribute working documents as
+   Internet-Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time. It is inappropriate to use Internet-Drafts as reference
+   material or to cite them other than as "work in progress."
+
+   The list of current Internet-Drafts can be accessed at http://
+   www.ietf.org/ietf/1id-abstracts.txt.
+
+   The list of Internet-Draft Shadow Directories can be accessed at
+   http://www.ietf.org/shadow.html.
+
+   This Internet-Draft will expire on August 8, 2004.
+
+Copyright Notice
+
+   Copyright (C) The Internet Society (2004). All Rights Reserved.
+
+Abstract
+
+   This document describes problems that appear during an automated
+   rollover and gives the requirements for the design of communication
+   between parent zone and child zone in an automated rollover process.
+   This document is essentially about key rollover, the rollover of
+   one other Resource Record present at delegation point (NS RR) is
+   also discussed.
+
+	
+
+	
+
+	
+
+Guette & Courtay             Expires August 8, 2004             [Page 1]
+
+Internet-Draft       Automated Rollover Requirements       February 2004
+
+
+1. Introduction
+
+   The DNS security extensions (DNSsec) [1] uses public-key cryptography
+   and digital signatures. It stores the public keys in KEY Resource
+   Records (RRs). Because old keys and frequently used keys are
+   vulnerable, they must be changed periodically. In DNSsec this is the
+   case for Zone Signing Keys (ZSKs) and Key Signing Keys (KSKs) [2, 4].
+   Automation of key rollover process is necessary for large zones
+   because inside a large zone, there are too many changes to handle for
+   a single administrator.
+   
+   Let us consider for example a zone with one million child zones among
+   which only 10% of secured child zones. If the child zones change their
+   keys once a year on average, that implies 300 changes per day for the
+   parent zone. All these changes are hard to manage manually.
+   
+   Automated rollover is optional and resulting from an agreement 
+   between the administrator of the parent zone and the administrator of
+   the child zone. Of course, key rollover can also be done manually by
+   administrators.
+
+   This document describes the requirements for the design of messages
+   of automated key rollover process.
+
+	 
+2. The Key Rollover Process
+
+   Key rollover consists in replacing the DNSsec keys used to sign
+   resource records in a given DNS zone file. There are two types of
+   rollover, ZSK rollover and KSK rollover.
+   In ZSK rollover, all changes are local to the zone that changes its
+   key: there is no need to contact other zones (e.g. parent zone) to
+   propagate the performed changes because this type of key have no
+   associated DS records in the parent zone.
+   In KSK rollover, new DS RR(s) MUST be created and stored in the
+   parent zone. In consequence, the child zone MUST contact its parent
+   zone and notify it about the KSK change(s).
+	
+   Manual key rollover exists and works [3]. The key rollover is built
+   from two parts of different nature:
+    - An algorithm that generates new keys. It could be local to the
+      zone
+    - The interaction between parent and child zone
+
+   In this document we focus on the interaction between parent and
+   child zone servers.
+   One example of manual key rollover is:
+   Child zone creates a new KSK, waiting for the creation of the DS
+      
+	 
+	
+Guette & Courtay             Expires August 8, 2004             [Page 2]
+
+Internet-Draft       Automated Rollover Requirements       February 2004
+
+
+   record in its parent zone and then child zone deletes old key.
+
+   In manual rollover, communications are managed by the zone
+   administrators and the security of these communications is out of
+   scope of DNSsec.
+
+   Automated key rollover MUST use a secure communication between parent
+   and child zone. In this document we concentrate our efforts on
+   defining interactions between entities present in key rollover
+   process that are not	explicitly defined in manual key rollover
+   method.
+   
+	
+3. Basic Requirements
+
+   The main constraint to respect during a key rollover is that the
+   chain of trust MUST be preserved. Even if a resolver retrieve some RRs
+   from recursive name server. Every RR MUST be verifiable at any time,
+   every message exchanged during rollover MUST be authenticated and
+   data integrity MUST be guaranteed.
+	 
+   Two entities are present during a KSK rollover: the child zone and
+   its parent zone. These zones are generally managed by different
+   administrators. These administrators MUST agree on some parameters
+   like availability of automated rollover, the maximum delay between
+   notification of changes in the child zone and the resigning of the
+   parent zone. The child zone needs to know this delay to schedule its
+   changes.
+   
+   During an automated rollover process, data are transmitted between
+   the primary name server of the parent and the the primary name server
+   of the child zone.
+   The reason is that the IP address of the primary name server is easy
+   to obtain.
+   Other solutions based on machine dedicated to the rollover are not
+   suitable solutions because of the difficulty to obtain the IP
+   addresses of the dedicated machine in an automated manner.
+
+	 
+4. Messages authentication and information exchanged
+
+   Every exchanged message MUST be authenticated and the authentication
+   tool MUST be a DNSsec tool such as TSIG [5], SIG(0) [6] or DNSsec
+   request with verifiable SIG records.
+ 	 
+   Once the changes related to a KSK are made in a child zone, this zone
+     
+   
+
+	 
+Guette & Courtay             Expires August 8, 2004             [Page 3]
+
+Internet-Draft       Automated Rollover Requirements       February 2004
+
+
+   MUST notify its parent zone in order to create the new DS RR and
+   store this DS RR in parent zone file.
+
+   The parent zone MUST receive all the child Keys that needs the
+   creation of an associated DS RRs in the parent zone.
+	 
+   Some errors could occur during transmission between child zone and
+   parent zone. Key rollover solution MUST be fault tolerant, i.e. at
+   any time the rollover MUST be in a consistent state and all RRs MUST
+   be verifiable, even if an error occurs. That is to say that it MUST
+   remains a valid chain of trust.
+	
+
+5. Emergency Rollover
+
+   A key of a zone might be compromised and this key MUST be changed as
+   soon as possible. Fast changes could break the chain of trust. The
+   part of DNS tree having this zone as apex can become unverifiable,
+   but the break of the chain of trust is necessary if we want to no one
+   can use the compromised key to spoof DNS data.
+
+   Parent zone behavior after an emergency rollover in one of its child
+   zone is an open discussion.
+   Should we define:
+	 
+    - an EMERGENCY flag. When a child zone does an emergency KSK change,
+      it uses the EMERGENCY flag to notify its parents that the chain of
+      trust is broken and will stay broken until right DS creation and a
+      parent zone resigning.
+   
+    - a maximum time delay after next parent zone resigning, we ensure
+      that after this delay the parent zone is resigned and the right DS
+      is created.
+   
+    - that no pre-defined behavior for the parent zone is needed
+
+
+6. Other Resource Record concerned by automatic rollover
+
+   NS records are also present at delegation point, so when the child
+   zone changes some NS records, the corresponding records at
+   delegation point in parent zone MUST be updated. NS records are
+   concerned by rollover and this rollover could be automated too. In
+   this case, when the child zone notifies its parent zone that some NS
+   records have been changed, the parent zone MUST verify that these NS
+   records are present in child zone before doing any changes in its own
+   zone file. This allow to avoid inconsistency between NS records at
+   delegation point and NS records present in the child zone.
+	
+   
+
+	 
+Guette & Courtay             Expires August 8, 2004             [Page 4]
+
+Internet-Draft       Automated Rollover Requirements       February 2004
+
+	 
+7. Security consideration
+
+   This document describes requirements to design an automated key
+   rollover in DNSsec based on DNSsec security. In the same way the, as
+   plain DNSsec, the automatic key rollover contains no mechanism
+   protecting against denial of service (DoS) resistant. The security
+   level obtain after an automatic key rollover, is the security level
+   provided by DNSsec.
+
+
+8. Acknowledgments
+   The authors want to acknowledge Mohsen Souissi, Bernard Cousin,
+   Bertrand Leonard and members of IDsA project for their contribution
+   to this document.
+
+
+Normative references
+
+   [1]  Eastlake, D., "Domain Name System Security Extensions", RFC
+        2535, March 1999.
+
+   [2]  Gudmundsson, O., "Delegation Signer Resource Record",
+        draft-ietf-dnsext-delegation-signer-15 (work in progress),
+				June 2003.
+
+   [3]  Kolkman, O. and Gieben, R., "DNSSEC key operations",
+        draft-ietf-dnsext-operational-practices (work in progress),
+				June 2003.
+
+   [4]  Kolkman, O. and Schlyter, J., "KEY RR Secure Entry Point Flag"
+        draft-ietf-dnsext-keyrr-key-signing-flag-10 (work in progress),
+        September 2003.
+
+   [5]  Vixie, P., Gudmundsson, O., Eastlake, D., and Wellington, B.,
+        "Secret Key Transaction Authentication for DNS (TSIG)", RFC
+				2845, May	2000.
+
+   [6]  Eastlake, D., "DNS Request and Transaction Signatures (SIG(0)s)",
+	      RFC 2931, September 2000.
+
+   [7]  Eastlake, D.,"DNS Security Operational Considerations", RFC
+        2541, March 1999.
+
+
+
+
+
+	
+
+
+				
+Guette & Courtay             Expires August 8, 2004             [Page 5]
+
+Internet-Draft       Automated Rollover Requirements        October 2003
+
+
+Author's Addresses
+
+   Gilles Guette
+   IRISA/INRIA Rennes
+   Campus Universitaire de Beaulieu
+   35042 Rennes France
+   Phone : (33) 02 99 84 71 32
+   Fax : (33) 02 99 84 25 29
+   E-mail : gguette@irisa.fr
+
+   Olivier Courtay
+   ENST-Bretagne
+   2, rue de la ch‚taigneraie
+   35512 Cesson C‰vign‰ CEDEX France
+   Phone : (33) 02 99 84 71 31
+   Fax : (33) 02 99 84 25 29
+   olivier.courtay@enst-bretagne.fr
+
+	 
+	 
+	 
+	 
+	 
+	 
+	 
+	 
+	 
+	 
+	 
+	 
+	 
+	 
+	 
+	 
+	 
+	 
+	 
+	 
+	 
+	 
+	 
+	 
+	 
+	 
+	 
+	 
+	 
+	 
+	 
+	 
+	 
+Guette & Courtay             Expires August 8, 2004             [Page 6]
+
+Internet-Draft       Automated Rollover Requirements       February 2004
+
+
+Intellectual Property Statement
+
+   The IETF takes no position regarding the validity or scope of any
+   intellectual property or other rights that might be claimed to
+   pertain to the implementation or use of the technology described in
+   this document or the extent to which any license under such rights
+   might or might not be available; neither does it represent that it
+   has made any effort to identify any such rights. Information on the
+   IETF's procedures with respect to rights in standards-track and
+   standards-related documentation can be found in BCP-11. Copies of
+   claims of rights made available for publication and any assurances of
+   licenses to be made available, or the result of an attempt made to
+   obtain a general license or permission for the use of such
+   proprietary rights by implementors or users of this specification can
+   be obtained from the IETF Secretariat.
+
+   The IETF invites any interested party to bring to its attention any
+   copyrights, patents or patent applications, or other proprietary
+   rights which may cover technology that may be required to practice
+   this standard. Please address the information to the IETF Executive
+   Director.
+
+
+Full Copyright Statement
+
+   Copyright (C) The Internet Society (2003). All Rights Reserved.
+
+   This document and translations of it may be copied and furnished to
+   others, and derivative works that comment on or otherwise explain it
+   or assist in its implementation may be prepared, copied, published
+   and distributed, in whole or in part, without restriction of any
+   kind, provided that the above copyright notice and this paragraph are
+   included on all such copies and derivative works. However, this
+   document itself may not be modified in any way, such as by removing
+   the copyright notice or references to the Internet Society or other
+   Internet organizations, except as needed for the purpose of
+   developing Internet standards in which case the procedures for
+   copyrights defined in the Internet Standards process must be
+   followed, or as required to translate it into languages other than
+   English.
+
+   The limited permissions granted above are perpetual and will not be
+   revoked by the Internet Society or its successors or assignees.
+
+   This document and the information contained herein is provided on an
+   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+
+
+
+Guette & Courtay             Expires August 8, 2004             [Page 7]
+
+Internet-Draft       Automated Rollover Requirements       February 2004
+
+   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+	 
+Guette & Courtay             Expires August 8, 2004             [Page 8]
+
diff --git a/doc/draft/draft-ietf-dnsop-key-rollover-requirements-02.txt b/doc/draft/draft-ietf-dnsop-key-rollover-requirements-02.txt
deleted file mode 100644
index 6bece561..00000000
--- a/doc/draft/draft-ietf-dnsop-key-rollover-requirements-02.txt
+++ /dev/null
@@ -1,389 +0,0 @@
-
-DNSOP                                                          G. Guette
-Internet-Draft                                             IRISA / INRIA
-Expires: July 19, 2005                                        O. Courtay
-                                                             Thomson R&D
-                                                        January 18, 2005
-
-           Requirements for Automated Key Rollover in DNSSEC
-           draft-ietf-dnsop-key-rollover-requirements-02.txt
-
-Status of this Memo
-
-   By submitting this Internet-Draft, I certify that any applicable 
-   patent or other IPR claims of which I am aware have been disclosed, 
-   and any of which I become aware will be disclosed, in accordance with 
-   RFC 3668.  
-
-   Internet-Drafts are working documents of the Internet Engineering
-   Task Force (IETF), its areas, and its working groups.  Note that
-   other groups may also distribute working documents as
-   Internet-Drafts.
-
-   Internet-Drafts are draft documents valid for a maximum of six months
-   and may be updated, replaced, or obsoleted by other documents at any
-   time.  It is inappropriate to use Internet-Drafts as reference
-   material or to cite them other than as "work in progress."
-
-   The list of current Internet-Drafts can be accessed at
-   http://www.ietf.org/ietf/1id-abstracts.txt.
-
-   The list of Internet-Draft Shadow Directories can be accessed at
-   http://www.ietf.org/shadow.html.
-
-   This Internet-Draft will expire on July 19, 2005.
-
-Copyright Notice
-
-   Copyright (C) The Internet Society (2005).  All Rights Reserved.
-
-Abstract
-
-   This document describes problems that appear during an automated
-   rollover and gives the requirements for the design of communication
-   between parent zone and child zone during an automated rollover
-   process.  This document is essentially about in-band key rollover.
-
-
-
-
-Guette & Courtay         Expires July 19, 2005                  [Page 1]
-Internet-Draft      Automated Rollover Requirements         January 2005
-
-Table of Contents
-
-   1.   Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
-   2.   The Key Rollover Process . . . . . . . . . . . . . . . . . . . 3
-   3.   Basic Requirements . . . . . . . . . . . . . . . . . . . . . . 4
-   4.   Messages authentication and information exchanged  . . . . . . 5
-   5.   Emergency Rollover . . . . . . . . . . . . . . . . . . . . . . 5
-   6.   Security consideration . . . . . . . . . . . . . . . . . . . . 6
-   7.   Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 6
-   8.   Normative References . . . . . . . . . . . . . . . . . . . . . 6
-        Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 7
-   A.   Documents details and changes  . . . . . . . . . . . . . . . . 7
-        Intellectual Property and Copyright Statements . . . . . . . . 8
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Guette & Courtay         Expires July 19, 2005                  [Page 2]
-Internet-Draft      Automated Rollover Requirements         January 2005
-
-1.  Introduction
-
-   The DNS security extensions (DNSSEC) [4][6][5][7] uses public-key
-   cryptography and digital signatures.  It stores the public part of
-   keys in DNSKEY Resource Records (RRs).  Because old keys and
-   frequently used keys are vulnerable, they must be renewed
-   periodically.  In DNSSEC, this is the case for Zone Signing Keys
-   (ZSKs) and Key Signing Keys (KSKs) [1][2].  Automation of key
-   exchanges between parents and children is necessary for large zones
-   because there are too many changes to handle.
-
-   Let us consider for example a zone with 100000 secure delegations.
-   If the child zones change their keys once a year on average, that
-   implies 300 changes per day for the parent zone.  This amount of
-   changes is hard to manage manually.
-
-   Automated rollover is optional and resulting from an agreement
-   between the administrator of the parent zone and the administrator of
-   the child zone.  Of course, key rollover can also be done manually by
-   administrators.
-
-   This document describes the requirements for a protocol to perform
-   the automated key rollover process and focusses on interaction
-   between parent and child zone.
-
-2.  The Key Rollover Process
-
-   Key rollover consists of renewing the DNSSEC keys used to sign
-   resource records in a given DNS zone file.  There are two types of
-   rollover, ZSK rollovers and KSK rollovers.
-
-   During a ZSK rollover, all changes are local to the zone that renews
-   its key: there is no need to contact other zones administrators to
-   propagate the performed changes because a ZSK has no associated DS
-   record in the parent zone.
-
-   During a KSK rollover, new DS RR(s) must be created and stored in the
-   parent zone.  In consequence, data must be exchanged between child
-   and parent zones.
-
-   The key rollover is built from two parts of different nature:
-   o  An algorithm that generates new keys and signs the zone file.  It
-      can be local to the zone,
-   o  the interaction between parent and child zones.
-
-   One example of manual key rollover [3] is:
-   o  The child zone creates a new KSK,
-
-
-Guette & Courtay         Expires July 19, 2005                  [Page 3]
-Internet-Draft      Automated Rollover Requirements         January 2005
-
-   o  the child zone waits for the creation of the DS RR in its parent
-      zone,
-   o  the child zone deletes the old key,
-   o  the parent zone deletes the old DS RR.
-
-   This document concentrates on defining interactions between entities
-   present in key rollover process.
-
-3.  Basic Requirements
-
-   This section provides the requirements for automated key rollover in
-   case of normal use.  Exceptional case like emergency rollover is
-   specifically described later in this document.
-
-   The main condition during a key rollover is that the chain of trust
-   must be preserved to every validating DNS client.  No matter if this
-   client retrieves some of the RRs from recursive caching name server
-   or from the authoritative servers for the zone involved in the
-   rollover.
-
-   Automated key rollover solution may be interrupted by a manual
-   intervention.  This manual intervention should not compromise the
-   security state of the chain of trust.  If the chain is safe before
-   the manual intervention, the chain of trust must remain safe during
-   and after the manual intervention
-
-   Two entities act during a KSK rollover: the child zone and its parent
-   zone.  These zones are generally managed by different administrators.
-   These administrators should agree on some parameters like
-   availability of automated rollover, the maximum delay between
-   notification of changes in the child zone and the resigning of the
-   parent zone.  The child zone needs to know this delay to schedule its
-   changes and/or to verify that the changes had been taken into account
-   in the parent zone.  Hence, the child zone can also avoid some
-   critical cases where all child key are changed prior to the DS RR
-   creation.
-
-   By keeping some resource records during a given time, the recursive
-   cache servers can act on the automated rollover.  The existence of
-   recursive cache servers must be taken into account by automated
-   rollover solution.
-
-   Indeed, during an automated key rollover a name server could have to
-   retrieve some DNSSEC data.  An automated key rollover solution must
-   ensure that these data are not old DNSSEC material retrieved from a
-   recursive name server.
-
-
-
-Guette & Courtay         Expires July 19, 2005                  [Page 4]
-Internet-Draft      Automated Rollover Requirements         January 2005
-
-4.  Messages authentication and information exchanged
-
-   This section addresses in-band rollover, security of out-of-band
-   mechanisms is out of scope of this document.
-
-   The security provided by DNSSEC must not be compromised by the key
-   rollover, thus every exchanged message must be authenticated to avoid
-   fake rollover messages from malicious parties.
-
-   Once the changes related to a KSK are made in a child zone, there are
-   two ways for the parent zone to take this changes into account:
-   o  the child zone notify directly or not directly its parent zone in
-      order to create the new DS RR and store this DS RR in parent zone
-      file,
-   o  or the parent zone poll the child zone.
-
-   In both cases, the parent zone must receive all the child keys that
-   need the creation of associated DS RRs in the parent zone.
-
-   Because errors could occur during the transmission of keys between
-   child and parent, the key exchange protocol must be fault tolerant.
-   Should an error occured during the automated key rollover, an
-   automated key rollover solution must be able to keep the zone files
-   in a consistent state.
-
-5.  Emergency Rollover
-
-   Emergency key rollover is a special case of rollover decided by the
-   zone administrator generally for security reasons.  In consequence,
-   emergency key rollover can break some of the requirement described
-   above.
-
-   A zone key might be compromised and an attacker can use the
-   compromised key to create and sign fake records.  To avoid this, the
-   zone administrator may change the compromised key or all its keys as
-   soon as possible, without waiting for the creation of new DS RRs in
-   its parent zone.
-
-   Fast changes may break the chain of trust.  The part of DNS tree
-   having this zone as apex can become unverifiable, but the break of
-   the chain of trust is necessary if the administrator wants to prevent
-   the compromised key from being used (to spoof DNS data).
-
-   Parent and child zones sharing an automated rollover mechanism,
-   should have an out-of-band way to re-establish a consistent state at
-   the delegation point (DS and DNSKEY RRs).  This allows to avoid that
-   a malicious party uses the compromised key to roll the zone keys.
-
-
-Guette & Courtay         Expires July 19, 2005                  [Page 5]
-Internet-Draft      Automated Rollover Requirements         January 2005
-
-6.  Security consideration
-
-   The automated key rollover process in DNSSEC allows automated renewal
-   of any kind of DNS key (ZSK or KSK).  It is essential that parent
-   side and child side can do mutual authentication.  Moreover,
-   integrity of the material exchanged between the parent and child zone
-   must be provided to ensure the right DS are created.
-
-   As in any application using public key cryptography, in DNSSEC a key
-   may be compromised.  What to do in such a case can be describe in the
-   zone local policy and can violate some requirements described in this
-   draft.  The emergency rollover can break the chain of trust in order
-   to protect the zone against the use of the compromised key.
-
-7.  Acknowledgments
-
-   The authors want to thank members of IDsA project for their
-   contribution to this document.
-
-8  Normative References
-
-   [1]  Gudmundsson, O., "Delegation Signer (DS) Resource Record (RR)",
-        RFC 3658, December 2003.
-
-   [2]  Kolkman, O., Schlyter, J. and E. Lewis, "Domain Name System KEY
-        (DNSKEY) Resource Record (RR) Secure Entry Point (SEP) Flag",
-        RFC 3757, May 2004.
-
-   [3]  Kolkman, O., "DNSSEC Operational Practices",
-        draft-ietf-dnsop-dnssec-operational-practice-01 (work in
-        progress), May 2004.
-
-   [4]  Eastlake, D., "Domain Name System Security Extensions", RFC
-        2535, March 1999.
-
-   [5]  Arends, R., Austein, R., Larson, M., Massey, D. and S. Rose,
-        "Resource Records for the DNS Security Extensions",
-        draft-ietf-dnsext-dnssec-records-11 (work in progress), October
-        2004.
-
-   [6]  Arends, R., Austein, R., Larson, M., Massey, D. and S. Rose,
-        "DNS Security Introduction and Requirements",
-        draft-ietf-dnsext-dnssec-intro-13 (work in progress), October
-        2004.
-
-   [7]  Arends, R., Austein, R., Larson, M., Massey, D. and S. Rose,
-        "Protocol Modifications for the DNS Security Extensions",
-        draft-ietf-dnsext-dnssec-protocol-09 (work in progress), October
-
-
-Guette & Courtay         Expires July 19, 2005                  [Page 6]
-Internet-Draft      Automated Rollover Requirements         January 2005
-
-        2004.
-
-Authors' Addresses
-
-   Gilles Guette
-   IRISA / INRIA
-   Campus de Beaulieu
-   35042  Rennes CEDEX
-   FR
-
-   EMail: gilles.guette@irisa.fr
-   URI:   http://www.irisa.fr
-
-   Olivier Courtay
-   Thomson R&D
-   1, avenue Belle Fontaine
-   35510  Cesson S?vign? CEDEX
-   FR
-
-   EMail: olivier.courtay@thomson.net
-
-Appendix A.  Documents details and changes
-
-   This section is to be removed by the RFC editor if and when the
-   document is published.
-
-   Section about NS RR rollover has been removed
-
-   Remarks from Samuel Weiler and Rip Loomis added
-
-   Clarification about in-band rollover and in emergency section
-
-   Section 3, details about recursive cache servers added
-
-
-
-
-
-
-
-
-Guette & Courtay         Expires July 19, 2005                  [Page 7]
-Internet-Draft      Automated Rollover Requirements         January 2005
-
-Intellectual Property Statement
-
-     The IETF takes no position regarding the validity or scope of any 
-     intellectual property or other rights that might be claimed to 
-     pertain to the implementation or use of the technology described 
-     in this document or the extent to which any license under such 
-     rights might or might not be available; neither does it represent 
-     that it has made any effort to identify any such rights. 
-     Information on the IETF's procedures with respect to rights in 
-     IETF Documents can be found in BCP 78 and 79.   
-          
-     Copies of IPR disclosures made to the IETF Secretariat and any 
-     assurances of licenses to be made available, or the result of an 
-     attempt made to obtain a general license or permission for the use 
-     of such proprietary rights by implementers or users of this 
-     specification can be obtained from the IETF on-line IPR repository 
-     at http://www.ietf.org/ipr. 
-      
-     The IETF invites any interested party to bring to its attention 
-     any copyrights, patents or patent applications, or other 
-     proprietary rights which may cover technology that may be required 
-     to implement this standard. Please address the information to the 
-     IETF at ietf-ipr.org. 
-      
-    
- Full Copyright Statement 
-    
-   Copyright (C) The Internet Society (2005).  This document is subject 
-   to the rights, licenses and restrictions contained in BCP 78, and 
-   except as set forth therein, the authors retain all their rights. 
-    
-   This document and the information contained herein are provided on an 
-   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 
-   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET 
-   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, 
-   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE 
-   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 
-   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
- Acknowledgment
-
-   Funding for the RFC Editor function is currently provided by the
-   Internet Society.
-
-
-         
-
-
-Guette & Courtay         Expires July 19, 2005                  [Page 8]
diff --git a/doc/draft/draft-ietf-dnsop-misbehavior-against-aaaa-00.txt b/doc/draft/draft-ietf-dnsop-misbehavior-against-aaaa-00.txt
new file mode 100644
index 00000000..1094275d
--- /dev/null
+++ b/doc/draft/draft-ietf-dnsop-misbehavior-against-aaaa-00.txt
@@ -0,0 +1,505 @@
+
+
+IETF DNSOP Working Group                                    Y. Morishita
+Internet-Draft                                                      JPRS
+Expires: July 11, 2004                                         T. Jinmei
+                                                                 Toshiba
+                                                        January 11, 2004
+
+
+       Common Misbehavior against DNS Queries for IPv6 Addresses
+            draft-ietf-dnsop-misbehavior-against-aaaa-00.txt
+
+Status of this Memo
+
+   This document is an Internet-Draft and is in full conformance with
+   all provisions of Section 10 of RFC2026.
+
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF), its areas, and its working groups. Note that other
+   groups may also distribute working documents as Internet-Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time. It is inappropriate to use Internet-Drafts as reference
+   material or to cite them other than as "work in progress."
+
+   The list of current Internet-Drafts can be accessed at http://
+   www.ietf.org/ietf/1id-abstracts.txt.
+
+   The list of Internet-Draft Shadow Directories can be accessed at
+   http://www.ietf.org/shadow.html.
+
+   This Internet-Draft will expire on July 11, 2004.
+
+Copyright Notice
+
+   Copyright (C) The Internet Society (2004). All Rights Reserved.
+
+Abstract
+
+   There is some known misbehavior of DNS authoritative servers when
+   they are queried for AAAA resource records. Such behavior can block
+   IPv4 communication which should actually be available, cause a
+   significant delay in name resolution, or even make a denial of
+   service attack. This memo describes details of the known cases and
+   discusses the effect of the cases.
+
+1. Introduction
+
+   Many DNS clients (resolvers) that support IPv6 first search for AAAA
+   Resource Records (RRs) of a target host name, and then for A RRs of
+
+
+
+Morishita & Jinmei       Expires July 11, 2004                  [Page 1]
+
+Internet-Draft    Common Misbehavior against AAAA Queries   January 2004
+
+
+   the same name. This fallback mechanism is based on the DNS
+   specifications, which if not obeyed by authoritative servers can
+   produce unpleasant results. In some cases, for example, a web browser
+   fails to connect to a web server it could otherwise. In the following
+   sections, this memo describes some typical cases of the misbehavior
+   and its (bad) effects.
+
+   Note that the misbehavior is not specific to AAAA RRs. In fact, all
+   known examples also apply to the cases of queries for MX, NS, and SOA
+   RRs. The authors even believe this can be generalized for all types
+   of queries other than those for A RRs. In this memo, however, we
+   concentrate on the case for AAAA queries, since the problem is
+   particularly severe for resolvers that support IPv6, which thus
+   affects many end users. Resolvers at end users normally send A and/or
+   AAAA queries only, and so the problem for the other cases is
+   relatively minor.
+
+2. Network Model
+
+   In this memo, we assume a typical network model of name resolution
+   environment using DNS. It consists of three components; stub
+   resolvers, caching servers, and authoritative servers. A stub
+   resolver issues a recursive query to a caching server, which then
+   handles the entire name resolution procedure recursively. The caching
+   server caches the result of the query as well as sends the result to
+   the stub resolver. The authoritative servers respond to queries for
+   names for which they have the authority, normally in a non-recursive
+   manner.
+
+3. Expected Behavior
+
+   Suppose that an authoritative server has an A RR but not a AAAA RR
+   for a host name. Then the server should return a response to a query
+   for a AAAA RR of the name with the RCODE being 0 (indicating no
+   error) and with an empty answer section [1]. Such a response
+   indicates that there is at least one RR of a different type than AAAA
+   for the queried name, and the stub resolver can then look for A RRs.
+
+   This way, the caching server can cache the fact that the queried name
+   does not have a AAAA RR (but may have other types of RRs), and thus
+   can improve the response time to further queries for a AAAA RR of the
+   name.
+
+4. Problematic Behaviors
+
+   There are some known cases at authoritative servers that do not
+   conform to the expected behavior. This section describes those
+   problematic cases.
+
+
+
+Morishita & Jinmei       Expires July 11, 2004                  [Page 2]
+
+Internet-Draft    Common Misbehavior against AAAA Queries   January 2004
+
+
+4.1 Return NXDOMAIN
+
+   This type of server returns a response with the RCODE being 3
+   (NXDOMAIN) to a query for a AAAA RR, indicating it does not have any
+   RRs of any type for the queried name.
+
+   With this response, the stub resolver may immediately give up and
+   never fall back. Even if the resolver retries with a query for an A
+   RR, the negative response for the name has been cached in the caching
+   server, and the caching server will simply return the negative
+   response. As a result, the stub resolver considers this as a fatal
+   error in name resolution.
+
+   There have been several known examples of this behavior, but all the
+   examples that the authors know have changed their behavior as of this
+   writing.
+
+4.2 Return NOTIMP
+
+   Other authoritative servers return a response with the RCODE being 4
+   (NOTIMP), indicating the servers do not support the requested type of
+   query.
+
+   This case is less harmful than the previous one; if the stub resolver
+   falls back to querying for an A RR, the caching server will process
+   the query correctly and return an appropriate response.
+
+   In this case, the caching server does not cache the fact that the
+   queried name has no AAAA RR, resulting in redundant queries for AAAA
+   RRs in the future. The behavior will waste network bandwidth and
+   increase the load of the authoritative server.
+
+   Using SERVFAIL or FORMERR would cause the same effect, though the
+   authors have not seen such implementations yet.
+
+4.3 Return a Broken Response
+
+   Another different type of authoritative servers returns broken
+   responses to AAAA queries. A known behavior of this category is to
+   return a response whose RR type is AAAA, but the length of the RDATA
+   is 4 bytes. The 4-byte data looks like the IPv4 address of the
+   queried host name. That is, the RR in the answer section would be
+   described like this:
+
+     www.bad.example. 600 IN AAAA 192.0.2.1
+
+   which is, of course, bogus (or at least meaningless).
+
+
+
+
+Morishita & Jinmei       Expires July 11, 2004                  [Page 3]
+
+Internet-Draft    Common Misbehavior against AAAA Queries   January 2004
+
+
+   A widely deployed caching server implementation transparently returns
+   the broken response (as well as caches it) to the stub resolver.
+   Another known server implementation parses the response by
+   themselves, and sends a separate response with the RCODE being 2
+   (SERVFAIL).
+
+   In either case, the broken response does not affect queries for an A
+   RR of the same name. If the stub resolver falls back to A queries, it
+   will get an appropriate response.
+
+   The latter case, however, causes the same bad effect as that
+   described in the previous section: redundant queries for AAAA RRs.
+
+4.4 Make Lame Delegation
+
+   Some authoritative servers respond to AAAA queries in a way causing
+   lame delegation. In this case the parent zone specifies that the
+   authoritative server should have the authority of a zone, but the
+   server does not return an authoritative response for AAAA queries
+   within the zone (i.e., the AA bit in the response is not set). On the
+   other hand, the authoritative server returns an authoritative
+   response for A queries.
+
+   When a caching server asks the server for AAAA RRs in the zone, it
+   recognizes the delegation is lame, and return a response with the
+   RCODE being 2 (SERVFAIL) to the stub resolver.
+
+   Furthermore, some caching servers record the authoritative server as
+   lame for the zone and will not use it for a certain period of time.
+   With this type of caching server, even if the stub resolver falls
+   back to querying for an A RR, the caching server will simply return a
+   response with the RCODE being SERVFAIL, since all the servers are
+   known to be "lame."
+
+   There is also an implementation that relaxes the behavior a little
+   bit. It basically tries to avoid using the lame server, but still
+   continues to try it as a last resort. With this type of caching
+   server, the stub resolver will get a correct response if it falls
+   back after SERVFAIL. However, this still causes redundant AAAA
+   queries as explained in the previous sections.
+
+4.5 Ignore Queries for AAAA
+
+   Some authoritative severs seem to ignore queries for a AAAA RR,
+   causing a delay at the stub resolver to fall back to a query for an A
+   RR. This behavior may even cause a fatal timeout at the resolver.
+
+
+
+
+
+Morishita & Jinmei       Expires July 11, 2004                  [Page 4]
+
+Internet-Draft    Common Misbehavior against AAAA Queries   January 2004
+
+
+5. Security Considerations
+
+   The CERT/CC pointed out that the response with NXDOMAIN described in
+   Section 4.1 can be used for a denial of service attack [2]. The same
+   argument applies to the case of "lame delegation" described in
+   Section 4.4 with a certain type of caching server.
+
+6. Acknowledgements
+
+   Erik Nordmark encouraged the authors to publish this document as an
+   Internet Draft. Akira Kato and Paul Vixie reviewed a preliminary
+   version of this document. Pekka Savola carefully reviewed a previous
+   version and provided detailed comments.
+
+Informative References
+
+   [1]  Mockapetris, P., "DOMAIN NAMES - CONCEPTS AND FACILITIES", RFC
+        1034, November 1987.
+
+   [2]  The CERT Coordination Center, "Incorrect NXDOMAIN responses from
+        AAAA queries could cause denial-of-service conditions", March
+        2003, <http://www.kb.cert.org/vuls/id/714121>.
+
+
+Authors' Addresses
+
+   MORISHITA Orange Yasuhiro
+   Research and Development Department, Japan Registry Service Co.,Ltd.
+   Fuundo Bldg 3F, 1-2 Kanda-Ogawamachi
+   Chiyoda-ku, Tokyo  101-0052
+   Japan
+
+   EMail: yasuhiro@jprs.co.jp
+
+
+   JINMEI Tatuya
+   Corporate Research & Development Center, Toshiba Corporation
+   1 Komukai Toshiba-cho, Saiwai-ku
+   Kawasaki-shi, Kanagawa  212-8582
+   Japan
+
+   EMail: jinmei@isl.rdc.toshiba.co.jp
+
+Appendix A. Live Examples
+
+   In this appendix, we show concrete implementations and domain names
+   that may cause problematic cases so that the behavior can be
+   reproduced in a practical environment. The examples are for
+
+
+
+Morishita & Jinmei       Expires July 11, 2004                  [Page 5]
+
+Internet-Draft    Common Misbehavior against AAAA Queries   January 2004
+
+
+   informational purposes only, and the authors do not intend to accuse
+   any implementations or zone administrators.
+
+   The behavior described in Section 4.2 (return NOTIMP) can be found by
+   looking for a AAAA RR of www.css.vtext.com at 66.174.3.4.
+
+   The behavior described in Section 4.3 (broken responses) can be seen
+   by querying for a AAAA RR of "www.gslb.mainichi.co.jp," which is an
+   alias of "www.mainichi.co.jp," at 210.173.172.2. The same behavior
+   can be found with the name "vip.alt.ihp.sony.co.jp," an alias of
+   "www.sony.co.jp," at 210.139.255.204.
+
+   The behavior described in Section 4.4 (lame delegation) can be found
+   by querying for a AAAA RR of "www.ual.com" at 209.87.113.4.
+
+   The behavior described in Section 4.5 (ignore queries) can be seen by
+   trying to ask for a AAAA RR of "ad.3jp.doubleclick.net," which is an
+   alias of "ad.jp.doubleclick.net," at 210.153.90.9.
+
+   Many authoritative server implementations show the expected behavior
+   described in Section 3. Some DNS load balancers reportedly have a
+   problematic behavior shown in Section 4, but the authors do not have
+   a concrete example. The CERT/CC provides a list of implementations
+   that behave as described in Section 4.1 [2].
+
+   The BIND9 caching server implementation is an example of the latter
+   cases described in Section 4.3 and Section 4.4, respectively. The
+   BIND8 caching server implementation is an example of the former case
+   described in Section 4.3. As for the issue shown in Section 4.4,
+   BIND8 caching servers prior to 8.3.5 show the behavior described as
+   the former case in this section. The versions 8.3.5 and later of
+   BIND8 caching server behave like the BIND9 caching server
+   implementation with this matter.
+
+   Regarding resolver implementations, the authors are only familiar
+   with the ones derived from the BIND implementation. These
+   implementations always fall back regardless of the RCODE; NXDOMAIN,
+   NOTIMP, or SERVFAIL. It even falls back when getting a broken
+   response. However, the behavior does not help the situation in the
+   NXDOMAIN case (see Section 4.1). Lame delegation (Section 4.4) also
+   causes a fatal error at the resolver side if the resolver is using
+   some older versions of BIND8 caching server.
+
+   The authors hear that a stub resolver routine implemented in some web
+   browsers interprets the broken response described in Section 4.3 as a
+   fatal error and does not fall back to A queries. However, we have not
+   confirmed this information.
+
+
+
+
+Morishita & Jinmei       Expires July 11, 2004                  [Page 6]
+
+Internet-Draft    Common Misbehavior against AAAA Queries   January 2004
+
+
+Appendix B. Change History
+
+   Changes since draft-morishita-dnsop-misbehavior-against-aaaa-00 are:
+
+   o  Made a separate appendix and moved live examples to appendix so
+      that we can remove them when this document is (ever) officially
+      published.
+
+   o  Revised some live examples based on the recent status.
+
+   o  Noted in introduction that the misbehavior is not specific to AAAA
+      and that this document still concentrates on the AAAA case.
+
+   o  Changed the section title of "delegation loop" to "lame
+      delegation" in order to reflect the essential point of the issue.
+      Wording on this matter was updated accordingly.
+
+   o  Updated the Acknowledgements list.
+
+   o  Changed the reference category from normative to informative (this
+      is an informational document after all).
+
+   o  Changed the draft name to an IETF dnsop working group document (as
+      agreed).
+
+   o  Applied several editorial fixes.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Morishita & Jinmei       Expires July 11, 2004                  [Page 7]
+
+Internet-Draft    Common Misbehavior against AAAA Queries   January 2004
+
+
+Intellectual Property Statement
+
+   The IETF takes no position regarding the validity or scope of any
+   intellectual property or other rights that might be claimed to
+   pertain to the implementation or use of the technology described in
+   this document or the extent to which any license under such rights
+   might or might not be available; neither does it represent that it
+   has made any effort to identify any such rights. Information on the
+   IETF's procedures with respect to rights in standards-track and
+   standards-related documentation can be found in BCP-11. Copies of
+   claims of rights made available for publication and any assurances of
+   licenses to be made available, or the result of an attempt made to
+   obtain a general license or permission for the use of such
+   proprietary rights by implementors or users of this specification can
+   be obtained from the IETF Secretariat.
+
+   The IETF invites any interested party to bring to its attention any
+   copyrights, patents or patent applications, or other proprietary
+   rights which may cover technology that may be required to practice
+   this standard. Please address the information to the IETF Executive
+   Director.
+
+
+Full Copyright Statement
+
+   Copyright (C) The Internet Society (2004). All Rights Reserved.
+
+   This document and translations of it may be copied and furnished to
+   others, and derivative works that comment on or otherwise explain it
+   or assist in its implementation may be prepared, copied, published
+   and distributed, in whole or in part, without restriction of any
+   kind, provided that the above copyright notice and this paragraph are
+   included on all such copies and derivative works. However, this
+   document itself may not be modified in any way, such as by removing
+   the copyright notice or references to the Internet Society or other
+   Internet organizations, except as needed for the purpose of
+   developing Internet standards in which case the procedures for
+   copyrights defined in the Internet Standards process must be
+   followed, or as required to translate it into languages other than
+   English.
+
+   The limited permissions granted above are perpetual and will not be
+   revoked by the Internet Society or its successors or assignees.
+
+   This document and the information contained herein is provided on an
+   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+
+
+
+Morishita & Jinmei       Expires July 11, 2004                  [Page 8]
+
+Internet-Draft    Common Misbehavior against AAAA Queries   January 2004
+
+
+   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+Acknowledgement
+
+   Funding for the RFC Editor function is currently provided by the
+   Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Morishita & Jinmei       Expires July 11, 2004                  [Page 9]
+
+
diff --git a/doc/draft/draft-ietf-dnsop-respsize-02.txt b/doc/draft/draft-ietf-dnsop-respsize-02.txt
deleted file mode 100644
index 63fe2de5..00000000
--- a/doc/draft/draft-ietf-dnsop-respsize-02.txt
+++ /dev/null
@@ -1,480 +0,0 @@
-
-
-
-
-
-
-   DNSOP Working Group                                     Paul Vixie, ISC
-   INTERNET-DRAFT                                         Akira Kato, WIDE
-   <draft-ietf-dnsop-respsize-02.txt>                            July 2005
-
-                           DNS Response Size Issues
-
-   Status of this Memo
-      By submitting this Internet-Draft, each author represents that any
-      applicable patent or other IPR claims of which he or she is aware
-      have been or will be disclosed, and any of which he or she becomes
-      aware will be disclosed, in accordance with Section 6 of BCP 79.
-
-      Internet-Drafts are working documents of the Internet Engineering
-      Task Force (IETF), its areas, and its working groups.  Note that
-      other groups may also distribute working documents as Internet-
-      Drafts.
-
-      Internet-Drafts are draft documents valid for a maximum of six months
-      and may be updated, replaced, or obsoleted by other documents at any
-      time.  It is inappropriate to use Internet-Drafts as reference
-      material or to cite them other than as "work in progress."
-
-      The list of current Internet-Drafts can be accessed at
-      http://www.ietf.org/ietf/1id-abstracts.txt
-
-      The list of Internet-Draft Shadow Directories can be accessed at
-      http://www.ietf.org/shadow.html.
-
-   Copyright Notice
-
-      Copyright (C) The Internet Society (2005).  All Rights Reserved.
-
-
-
-
-                                    Abstract
-
-      With a mandated default minimum maximum message size of 512 octets,
-      the DNS protocol presents some special problems for zones wishing to
-      expose a moderate or high number of authority servers (NS RRs).  This
-      document explains the operational issues caused by, or related to
-      this response size limit.
-
-
-
-
-
-
-   Expires December 2005                                           [Page 1]
-
-   INTERNET-DRAFT                  July 2005                       RESPSIZE
-
-
-   1 - Introduction and Overview
-
-   1.1. The DNS standard (see [RFC1035 4.2.1]) limits message size to 512
-   octets.  Even though this limitation was due to the required minimum UDP
-   reassembly limit for IPv4, it is a hard DNS protocol limit and is not
-   implicitly relaxed by changes in transport, for example to IPv6.
-
-   1.2. The EDNS0 standard (see [RFC2671 2.3, 4.5]) permits larger
-   responses by mutual agreement of the requestor and responder.  However,
-   deployment of EDNS0 cannot be expected to reach every Internet resolver
-   in the short or medium term.  The 512 octet message size limit remains
-   in practical effect at this time.
-
-   1.3. Since DNS responses include a copy of the request, the space
-   available for response data is somewhat less than the full 512 octets.
-   For negative responses, there is rarely a space constraint.  For
-   positive and delegation responses, though, every octet must be carefully
-   and sparingly allocated.  This document specifically addresses
-   delegation response sizes.
-
-   2 - Delegation Details
-
-   2.1. A delegation response will include the following elements:
-
-      Header Section: fixed length (12 octets)
-      Question Section: original query (name, class, type)
-      Answer Section: (empty)
-      Authority Section: NS RRset (nameserver names)
-      Additional Section: A and AAAA RRsets (nameserver addresses)
-
-   2.2. If the total response size would exceed 512 octets, and if the data
-   that would not fit belonged in the question, answer, or authority
-   section, then the TC bit will be set (indicating truncation) which may
-   cause the requestor to retry using TCP, depending on what information
-   was desired and what information was omitted.  If a retry using TCP is
-   needed, the total cost of the transaction is much higher.  (See [RFC1123
-   6.1.3.2] for details on the protocol requirement that UDP be attempted
-   before falling back to TCP.)
-
-   2.3. RRsets are never sent partially unless truncation occurs, in which
-   case the final apparent RRset in the final nonempty section must be
-   considered "possibly damaged".  With or without truncation, the glue
-   present in the additional data section should be considered "possibly
-   incomplete", and requestors should be prepared to re-query for any
-   damaged or missing RRsets.  For multi-transport name or mail services,
-
-
-
-   Expires December 2005                                           [Page 2]
-
-   INTERNET-DRAFT                  July 2005                       RESPSIZE
-
-
-   this can mean querying for an IPv6 (AAAA) RRset even when an IPv4 (A)
-   RRset is present.
-
-   2.4. DNS label compression allows a domain name to be instantiated only
-   once per DNS message, and then referenced with a two-octet "pointer"
-   from other locations in that same DNS message.  If all nameserver names
-   in a message are similar (for example, all ending in ".ROOT-
-   SERVERS.NET"), then more space will be available for uncompressable data
-   (such as nameserver addresses).
-
-   2.5. The query name can be as long as 255 characters of presentation
-   data, which can be up to 256 octets of network data.  In this worst case
-   scenario, the question section will be 260 octets in size, which would
-   leave only 240 octets for the authority and additional sections (after
-   deducting 12 octets for the fixed length header.)
-
-   2.6. Average and maximum question section sizes can be predicted by the
-   zone owner, since they will know what names actually exist, and can
-   measure which ones are queried for most often.  For cost and performance
-   reasons, the majority of requests should be satisfied without truncation
-   or TCP retry.
-
-   2.7. Requestors who deliberately send large queries to force truncation
-   are only increasing their own costs, and cannot effectively attack the
-   resources of an authority server since the requestor would have to retry
-   using TCP to complete the attack.  An attack that always used TCP would
-   have a lower cost.
-
-   2.8. The minimum useful number of address records is two, since with
-   only one address, the probability that it would refer to an unreachable
-   server is too high.  Truncation which occurs after two address records
-   have been added to the additional data section is therefore less
-   operationally significant than truncation which occurs earlier.
-
-   2.9. The best case is no truncation.  This is because many requestors
-   will retry using TCP by reflex, or will automatically re-query for
-   RRsets that are "possibly truncated", without considering whether the
-   omitted data was actually necessary.
-
-   2.10. Each added NS RR for a zone will add a minimum of between 16 and
-   44 octets to every untruncated referral or negative response from the
-   zone's authority servers (16 octets for an NS RR, 16 octets for an A RR,
-   and 28 octets for an AAAA RR), in addition to whatever space is taken by
-   the nameserver name (NS NSDNAME and A/AAAA owner name).
-
-
-
-
-   Expires December 2005                                           [Page 3]
-
-   INTERNET-DRAFT                  July 2005                       RESPSIZE
-
-
-   3 - Analysis
-
-   3.1. An instrumented protocol trace of a best case delegation response
-   follows.  Note that 13 servers are named, and 13 addresses are given.
-   This query was artificially designed to exactly reach the 512 octet
-   limit.
-
-      ;; flags: qr rd; QUERY: 1, ANS: 0, AUTH: 13, ADDIT: 13
-      ;; QUERY SECTION:
-      ;;  [23456789.123456789.123456789.\
-           123456789.123456789.123456789.com A IN]        ;; @80
-
-      ;; AUTHORITY SECTION:
-      com.                 86400 NS  E.GTLD-SERVERS.NET.  ;; @112
-      com.                 86400 NS  F.GTLD-SERVERS.NET.  ;; @128
-      com.                 86400 NS  G.GTLD-SERVERS.NET.  ;; @144
-      com.                 86400 NS  H.GTLD-SERVERS.NET.  ;; @160
-      com.                 86400 NS  I.GTLD-SERVERS.NET.  ;; @176
-      com.                 86400 NS  J.GTLD-SERVERS.NET.  ;; @192
-      com.                 86400 NS  K.GTLD-SERVERS.NET.  ;; @208
-      com.                 86400 NS  L.GTLD-SERVERS.NET.  ;; @224
-      com.                 86400 NS  M.GTLD-SERVERS.NET.  ;; @240
-      com.                 86400 NS  A.GTLD-SERVERS.NET.  ;; @256
-      com.                 86400 NS  B.GTLD-SERVERS.NET.  ;; @272
-      com.                 86400 NS  C.GTLD-SERVERS.NET.  ;; @288
-      com.                 86400 NS  D.GTLD-SERVERS.NET.  ;; @304
-
-      ;; ADDITIONAL SECTION:
-      A.GTLD-SERVERS.NET.  86400 A   192.5.6.30           ;; @320
-      B.GTLD-SERVERS.NET.  86400 A   192.33.14.30         ;; @336
-      C.GTLD-SERVERS.NET.  86400 A   192.26.92.30         ;; @352
-      D.GTLD-SERVERS.NET.  86400 A   192.31.80.30         ;; @368
-      E.GTLD-SERVERS.NET.  86400 A   192.12.94.30         ;; @384
-      F.GTLD-SERVERS.NET.  86400 A   192.35.51.30         ;; @400
-      G.GTLD-SERVERS.NET.  86400 A   192.42.93.30         ;; @416
-      H.GTLD-SERVERS.NET.  86400 A   192.54.112.30        ;; @432
-      I.GTLD-SERVERS.NET.  86400 A   192.43.172.30        ;; @448
-      J.GTLD-SERVERS.NET.  86400 A   192.48.79.30         ;; @464
-      K.GTLD-SERVERS.NET.  86400 A   192.52.178.30        ;; @480
-      L.GTLD-SERVERS.NET.  86400 A   192.41.162.30        ;; @496
-      M.GTLD-SERVERS.NET.  86400 A   192.55.83.30         ;; @512
-
-      ;; MSG SIZE  sent: 80  rcvd: 512
-
-
-
-
-
-   Expires December 2005                                           [Page 4]
-
-   INTERNET-DRAFT                  July 2005                       RESPSIZE
-
-
-   3.2. For longer query names, the number of address records supplied will
-   be lower.  Furthermore, it is only by using a common parent name (which
-   is GTLD-SERVERS.NET in this example) that all 13 addresses are able to
-   fit.  The following output from a response simulator demonstrates these
-   properties:
-
-      % perl respsize.pl a.dns.br b.dns.br c.dns.br d.dns.br
-      a.dns.br requires 10 bytes
-      b.dns.br requires 4 bytes
-      c.dns.br requires 4 bytes
-      d.dns.br requires 4 bytes
-      # of NS: 4
-      For maximum size query (255 byte):
-              if only A is considered:     # of A is 4 (green)
-              if A and AAAA are condered:  # of A+AAAA is 3 (yellow)
-              if prefer_glue A is assumed: # of A is 4, # of AAAA is 3 (yellow)
-      For average size query (64 byte):
-              if only A is considered:     # of A is 4 (green)
-              if A and AAAA are condered:  # of A+AAAA is 4 (green)
-              if prefer_glue A is assumed: # of A is 4, # of AAAA is 4 (green)
-
-      % perl respsize.pl ns-ext.isc.org ns.psg.com ns.ripe.net ns.eu.int
-      ns-ext.isc.org requires 16 bytes
-      ns.psg.com requires 12 bytes
-      ns.ripe.net requires 13 bytes
-      ns.eu.int requires 11 bytes
-      # of NS: 4
-      For maximum size query (255 byte):
-              if only A is considered:     # of A is 4 (green)
-              if A and AAAA are condered:  # of A+AAAA is 3 (yellow)
-              if prefer_glue A is assumed: # of A is 4, # of AAAA is 2 (yellow)
-      For average size query (64 byte):
-              if only A is considered:     # of A is 4 (green)
-              if A and AAAA are condered:  # of A+AAAA is 4 (green)
-              if prefer_glue A is assumed: # of A is 4, # of AAAA is 4 (green)
-
-   (Note: The response simulator program is shown in Section 5.)
-
-   Here we use the term "green" if all address records could fit, or
-   "orange" if two or more could fit, or "red" if fewer than two could fit.
-   It's clear that without a common parent for nameserver names, much space
-   would be lost.  For these examples we use an average/common name size of
-   15 octets, befitting our assumption of GTLD-SERVERS.NET as our common
-   parent name.
-
-
-
-
-   Expires December 2005                                           [Page 5]
-
-   INTERNET-DRAFT                  July 2005                       RESPSIZE
-
-
-   We're assuming an average query name size of 64 since that is the
-   typical average maximum size seen in trace data at the time of this
-   writing.  If Internationalized Domain Name (IDN) or any other technology
-   which results in larger query names be deployed significantly in advance
-   of EDNS, then new measurements and new estimates will have to be made.
-
-   4 - Conclusions
-
-   4.1. The current practice of giving all nameserver names a common parent
-   (such as GTLD-SERVERS.NET or ROOT-SERVERS.NET) saves space in DNS
-   responses and allows for more nameservers to be enumerated than would
-   otherwise be possible.  (Note that in this case it is wise to serve the
-   common parent domain's zone from the same servers that are named within
-   it, in order to limit external dependencies when all your eggs are in a
-   single basket.)
-
-   4.2. Thirteen (13) seems to be the effective maximum number of
-   nameserver names usable traditional (non-extended) DNS, assuming a
-   common parent domain name, and given that response truncation is
-   undesirable as an average case, and assuming mostly IPv4-only
-   reachability (only A RRs exist, not AAAA RRs).
-
-   4.3. Adding two to five IPv6 nameserver address records (AAAA RRs) to a
-   prototypical delegation that currently contains thirteen (13) IPv4
-   nameserver addresses (A RRs) for thirteen (13) nameserver names under a
-   common parent, would not have a significant negative operational impact
-   on the domain name system.
-
-   5 - Source Code
-
-   #!/usr/bin/perl
-   #
-   # SYNOPSIS
-   #    repsize.pl [ -z zone ] fqdn_ns1 fqdn_ns2 ...
-   #        if all queries are assumed to have zone suffux, such as "jp" in
-   #     JP TLD servers, specify it in -z option
-   #
-   use strict;
-   use Getopt::Std;
-   my ($sz_msg) = (512);
-   my ($sz_header, $sz_ptr, $sz_rr_a, $sz_rr_aaaa) = (12, 2, 16, 28);
-   my ($sz_type, $sz_class, $sz_ttl, $sz_rdlen) = (2, 2, 4, 2);
-   my (%namedb, $name, $nssect, %opts, $optz);
-   my $n_ns = 0;
-
-
-
-
-   Expires December 2005                                           [Page 6]
-
-   INTERNET-DRAFT                  July 2005                       RESPSIZE
-
-
-   getopt('z', opts);
-   if (defined($opts{'z'})) {
-        server_name_len($opts{'z'}); # just register it
-   }
-
-   foreach $name (@ARGV) {
-        my $len;
-        $n_ns++;
-        $len = server_name_len($name);
-           print "$name requires $len bytes\n";
-        $nssect += $sz_ptr + $sz_type + $sz_class + $sz_ttl + $sz_rdlen + $len;
-   }
-   print "# of NS: $n_ns\n";
-   arsect(255, $nssect, $n_ns, "maximum");
-   arsect(64, $nssect, $n_ns, "average");
-
-   sub server_name_len {
-       my ($name) = @_;
-       my (@labels, $len, $n, $suffix);
-
-       $name =~ tr/A-Z/a-z/;
-       @labels = split(/./, $name);
-       $len = length(join('.', @labels)) + 2;
-       for ($n = 0; $#labels >= 0; $n++, shift @labels) {
-           $suffix = join('.', @labels);
-           return length($name) - length($suffix) + $sz_ptr
-               if (defined($namedb{$suffix}));
-           $namedb{$suffix} = 1;
-       }
-       return $len;
-   }
-
-   sub arsect {
-       my ($sz_query, $nssect, $n_ns, $cond) = @_;
-       my ($space, $n_a, $n_a_aaaa, $n_p_aaaa, $ansect);
-       $ansect = $sz_query + 1 + $sz_type + $sz_class;
-       $space = $sz_msg - $sz_header - $ansect - $nssect;
-       $n_a = atmost(int($space / $sz_rr_a), $n_ns);
-       $n_a_aaaa = atmost(int($space / ($sz_rr_a + $sz_rr_aaaa)), $n_ns);
-       $n_p_aaaa = atmost(int(($space - $sz_rr_a * $n_ns) / $sz_rr_aaaa), $n_ns);
-       printf "For %s size query (%d byte):\n", $cond, $sz_query;
-       printf "if only A is considered:     ";
-       printf "# of A is %d (%s)\n", $n_a, &judge($n_a, $n_ns);
-       printf "if A and AAAA are condered:  ";
-       printf "# of A+AAAA is %d (%s)\n", $n_a_aaaa, &judge($n_a_aaaa, $n_ns);
-
-
-
-   Expires December 2005                                           [Page 7]
-
-   INTERNET-DRAFT                  July 2005                       RESPSIZE
-
-
-       printf "if prefer_glue A is assumed: ";
-       printf "# of A is %d, # of AAAA is %d (%s)\n",
-           $n_a, $n_p_aaaa, &judge($n_p_aaaa, $n_ns);
-   }
-
-   sub judge {
-       my ($n, $n_ns) = @_;
-       return "green" if ($n >= $n_ns);
-       return "yellow" if ($n >= 2);
-       return "orange" if ($n == 1);
-       return "red";
-   }
-
-   sub atmost {
-       my ($a, $b) = @_;
-       return 0 if ($a < 0);
-       return $b if ($a > $b);
-       return $a;
-   }
-
-   Security Considerations
-
-   The recommendations contained in this document have no known security
-   implications.
-
-   IANA Considerations
-
-   This document does not call for changes or additions to any IANA
-   registry.
-
-   IPR Statement
-
-   Copyright (C) The Internet Society (2005).  This document is subject to
-   the rights, licenses and restrictions contained in BCP 78, and except as
-   set forth therein, the authors retain all their rights.
-
-   This document and the information contained herein are provided on an
-   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR
-   IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
-   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
-   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
-   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-
-
-
-   Expires December 2005                                           [Page 8]
-
-   INTERNET-DRAFT                  July 2005                       RESPSIZE
-
-
-   Authors' Addresses
-
-   Paul Vixie
-      950 Charter Street
-      Redwood City, CA 94063
-      +1 650 423 1301
-      vixie@isc.org
-
-   Akira Kato
-      University of Tokyo, Information Technology Center
-      2-11-16 Yayoi Bunkyo
-      Tokyo 113-8658, JAPAN
-      +81 3 5841 2750
-      kato@wide.ad.jp
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-   Expires December 2005                                           [Page 9]
-
\ No newline at end of file
diff --git a/doc/draft/draft-ietf-dnsop-serverid-04.txt b/doc/draft/draft-ietf-dnsop-serverid-04.txt
deleted file mode 100644
index 242aa9ea..00000000
--- a/doc/draft/draft-ietf-dnsop-serverid-04.txt
+++ /dev/null
@@ -1,616 +0,0 @@
-
-
-Network Working Group                                           S. Woolf
-Internet-Draft                         Internet Systems Consortium, Inc.
-Expires: September 14, 2005                                    D. Conrad
-                                                           Nominum, Inc.
-                                                          March 13, 2005
-
-
-                Identifying an Authoritative Name Server
-                      draft-ietf-dnsop-serverid-04
-
-Status of this Memo
-
-   This document is an Internet-Draft and is subject to all provisions
-   of Section 3 of RFC 3667.  By submitting this Internet-Draft, each
-   author represents that any applicable patent or other IPR claims of
-   which he or she is aware have been or will be disclosed, and any of
-   which he or she become aware will be disclosed, in accordance with
-   RFC 3668.
-
-   Internet-Drafts are working documents of the Internet Engineering
-   Task Force (IETF), its areas, and its working groups.  Note that
-   other groups may also distribute working documents as
-   Internet-Drafts.
-
-   Internet-Drafts are draft documents valid for a maximum of six months
-   and may be updated, replaced, or obsoleted by other documents at any
-   time.  It is inappropriate to use Internet-Drafts as reference
-   material or to cite them other than as "work in progress."
-
-   The list of current Internet-Drafts can be accessed at
-   http://www.ietf.org/ietf/1id-abstracts.txt.
-
-   The list of Internet-Draft Shadow Directories can be accessed at
-   http://www.ietf.org/shadow.html.
-
-   This Internet-Draft will expire on September 14, 2005.
-
-Copyright Notice
-
-   Copyright (C) The Internet Society (2005).
-
-Abstract
-
-   With the increased use of DNS anycast, load balancing, and other
-   mechanisms allowing more than one DNS name server to share a single
-   IP address, it is sometimes difficult to tell which of a pool of name
-   servers has answered a particular query.  A standardized mechanism to
-   determine the identity of a name server responding to a particular
-
-
-
-Woolf & Conrad         Expires September 14, 2005               [Page 1]
-
-Internet-Draft    Identifying an Authoritative Name Server    March 2005
-
-
-   query would be useful, particularly as a diagnostic aid.  Existing ad
-   hoc mechanisms for addressing this concern are not adequate.  This
-   document attempts to describe the common ad hoc solution to this
-   problem, including its advantages and disadvantages, and to
-   characterize an improved mechanism.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Woolf & Conrad         Expires September 14, 2005               [Page 2]
-
-Internet-Draft    Identifying an Authoritative Name Server    March 2005
-
-
-1.  Introduction
-
-   With the increased use of DNS anycast, load balancing, and other
-   mechanisms allowing more than one DNS name server to share a single
-   IP address, it is sometimes difficult to tell which of a pool of name
-   servers has answered a particular query.  A standardized mechanism to
-   determine the identity of a name server responding to a particular
-   query would be useful, particularly as a diagnostic aid.
-
-   Unfortunately, existing ad-hoc mechanisms for providing such
-   identification have some shortcomings, not the least of which is the
-   lack of prior analysis of exactly how such a mechanism should be
-   designed and deployed.  This document describes the existing
-   convention used in one widely deployed implementation of the DNS
-   protocol and discusses requirements for an improved solution to the
-   problem.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Woolf & Conrad         Expires September 14, 2005               [Page 3]
-
-Internet-Draft    Identifying an Authoritative Name Server    March 2005
-
-
-2.  Rationale
-
-   Identifying which name server is responding to queries is often
-   useful, particularly in attempting to diagnose name server
-   difficulties.  However, relying on the IP address of the name server
-   has become more problematic due the deployment of various load
-   balancing solutions, including the use of shared unicast addresses as
-   documented in [RFC3258].
-
-   An unfortunate side effect of these load balancing solutions, and
-   some changes in management practices as the public Internet has
-   evolved, is that traditional methods of determining which server is
-   responding can be unreliable.  Specifically, non-DNS methods such as
-   ICMP ping, TCP connections, or non-DNS UDP packets (such as those
-   generated by tools such as "traceroute"), etc., can end up going to a
-   different server than that which receives the DNS queries.
-
-   There is a well-known and frequently-used technique for determining
-   an identity for a nameserver more specific than the
-   possibly-non-unique "server that answered my query".  The widespread
-   use of the existing convention suggests a need for a documented,
-   interoperable means of querying the identity of a nameserver that may
-   be part of an anycast or load-balancing cluster.  At the same time,
-   however, it also has some drawbacks that argue against standardizing
-   it as it's been practiced so far.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Woolf & Conrad         Expires September 14, 2005               [Page 4]
-
-Internet-Draft    Identifying an Authoritative Name Server    March 2005
-
-
-3.  Existing Conventions
-
-   Recent versions of the commonly deployed Berkeley Internet Name
-   Domain implementation of the DNS protocol suite from the Internet
-   Software Consortium [BIND] support a way of identifying a particular
-   server via the use of a standard, if somewhat unusual, DNS query.
-   Specifically, a query to a late model BIND server for a TXT resource
-   record in class 3 (CHAOS) for the domain name "HOSTNAME.BIND." will
-   return a string that can be configured by the name server
-   administrator to provide a unique identifier for the responding
-   server (defaulting to the value of a gethostname() call).  This
-   mechanism, which is an extension of the BIND convention of using
-   CHAOS class TXT RR queries to sub-domains of the "BIND." domain for
-   version information, has been copied by several name server vendors.
-
-   For reference, the other well-known name used by recent versions of
-   BIND within the CHAOS class "BIND." domain is "VERSION.BIND."  A
-   query for a TXT RR for this name will return an administratively
-   defined string which defaults to the version of the server
-   responding.  This is, however, not generally implemented by other
-   vendors.
-
-3.1  Advantages
-
-   There are several valuable attributes to this mechanism, which
-   account for its usefulness.
-   1.  The "hostname.bind" query response mechanism is within the DNS
-       protocol itself.  An identification mechanism that relies on the
-       DNS protocol is more likely to be successful (although not
-       guaranteed) in going to the same machine as a "normal" DNS query.
-   2.  Since the identity information is requested and returned within
-       the DNS protocol, it doesn't require allowing any other query
-       mechanism to the server, such as holes in firewalls for
-       otherwise-unallowed ICMP Echo requests.  Thus it does not require
-       any special exceptions to site security policy.
-   3.  It is simple to configure.  An administrator can easily turn on
-       this feature and control the results of the relevant query.
-   4.  It allows the administrator complete control of what information
-       is given out in the response, minimizing passive leakage of
-       implementation or configuration details.  Such details are often
-       considered sensitive by infrastructure operators.
-
-3.2  Disadvantages
-
-   At the same time, there are some forbidding drawbacks to the
-   VERSION.BIND mechanism that argue against standardizing it as it
-   currently operates.
-
-
-
-
-Woolf & Conrad         Expires September 14, 2005               [Page 5]
-
-Internet-Draft    Identifying an Authoritative Name Server    March 2005
-
-
-   1.  It requires an additional query to correlate between the answer
-       to a DNS query under normal conditions and the supposed identity
-       of the server receiving the query.  There are a number of
-       situations in which this simply isn't reliable.
-   2.  It reserves an entire class in the DNS (CHAOS) for what amounts
-       to one zone.  While CHAOS class is defined in [RFC1034] and
-       [RFC1035], it's not clear that supporting it solely for this
-       purpose is a good use of the namespace or of implementation
-       effort.
-   3.  It is implementation specific.  BIND is one DNS implementation.
-       At the time of this writing, it is probably the most prevalent
-       for authoritative servers.  This does not justify standardizing
-       on its ad hoc solution to a problem shared across many operators
-       and implementors.
-
-   The first of the listed disadvantages is technically the most
-   serious.  It argues for an attempt to design a good answer to the
-   problem that "I need to know what nameserver is answering my
-   queries", not simply a convenient one.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Woolf & Conrad         Expires September 14, 2005               [Page 6]
-
-Internet-Draft    Identifying an Authoritative Name Server    March 2005
-
-
-4.  Characteristics of an Implementation Neutral Convention
-
-   The discussion above of advantages and disadvantages to the
-   HOSTNAME.BIND mechanism suggest some requirements for a better
-   solution to the server identification problem.  These are summarized
-   here as guidelines for any effort to provide appropriate protocol
-   extensions:
-   1.  The mechanism adopted MUST be in-band for the DNS protocol.  That
-       is, it needs to allow the query for the server's identifying
-       information to be part of a normal, operational query.  It SHOULD
-       also permit a separate, dedicated query for the server's
-       identifying information.
-   2.  The new mechanism SHOULD not require dedicated namespaces or
-       other reserved values outside of the existing protocol mechanisms
-       for these, i.e.  the OPT pseudo-RR.  In particular, it should not
-       propagate the existing drawback of requiring support for a CLASS
-       and top level domain in the authoritative server (or the querying
-       tool) to be useful.
-   3.  Support for the identification functionality SHOULD be easy to
-       implement and easy to enable.  It MUST be easy to disable and
-       SHOULD lend itself to access controls on who can query for it.
-   4.  It should be possible to return a unique identifier for a server
-       without requiring the exposure of information that may be
-       non-public and considered sensitive by the operator, such as a
-       hostname or unicast IP address maintained for administrative
-       purposes.
-   5.  The identification mechanism SHOULD NOT be
-       implementation-specific.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Woolf & Conrad         Expires September 14, 2005               [Page 7]
-
-Internet-Draft    Identifying an Authoritative Name Server    March 2005
-
-
-5.  IANA Considerations
-
-   This document proposes no specific IANA action.  Protocol extensions,
-   if any, to meet the requirements described are out of scope for this
-   document.  Should such extensions be specified and adopted by normal
-   IETF process, the specification will include appropriate guidance to
-   IANA.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Woolf & Conrad         Expires September 14, 2005               [Page 8]
-
-Internet-Draft    Identifying an Authoritative Name Server    March 2005
-
-
-6.  Security Considerations
-
-   Providing identifying information as to which server is responding to
-   a particular query from a particular location in the Internet can be
-   seen as information leakage and thus a security risk.  This motivates
-   the suggestion above that a new mechanism for server identification
-   allow the administrator to disable the functionality altogether or
-   partially restrict availability of the data.  It also suggests that
-   the serverid data should not be readily correlated with a hostname or
-   unicast IP address that may be considered private to the nameserver
-   operator's management infrastructure.
-
-   Propagation of protocol or service meta-data can sometimes expose the
-   application to denial of service or other attack.  As DNS is a
-   critically important infrastructure service for the production
-   Internet, extra care needs to be taken against this risk for
-   designers, implementors, and operators of a new mechanism for server
-   identification.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Woolf & Conrad         Expires September 14, 2005               [Page 9]
-
-Internet-Draft    Identifying an Authoritative Name Server    March 2005
-
-
-7.  Acknowledgements
-
-   The technique for host identification documented here was initially
-   implemented by Paul Vixie of the Internet Software Consortium in the
-   Berkeley Internet Name Daemon package.  Comments and questions on
-   earlier drafts were provided by Bob Halley, Brian Wellington, Andreas
-   Gustafsson, Ted Hardie, Chris Yarnell, Randy Bush, and members of the
-   ICANN Root Server System Advisory Committee.  The newest version
-   takes a significantly different direction from previous versions,
-   owing to discussion among contributors to the DNSOP working group and
-   others, particularly Olafur Gudmundsson, Ed Lewis, Bill Manning, Sam
-   Weiler, and Rob Austein.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Woolf & Conrad         Expires September 14, 2005              [Page 10]
-
-Internet-Draft    Identifying an Authoritative Name Server    March 2005
-
-
-Intellectual Property Statement
-
-   The IETF takes no position regarding the validity or scope of any
-   Intellectual Property Rights or other rights that might be claimed to
-   pertain to the implementation or use of the technology described in
-   this document or the extent to which any license under such rights
-   might or might not be available; nor does it represent that it has
-   made any independent effort to identify any such rights.  Information
-   on the procedures with respect to rights in RFC documents can be
-   found in BCP 78 and BCP 79.
-
-   Copies of IPR disclosures made to the IETF Secretariat and any
-   assurances of licenses to be made available, or the result of an
-   attempt made to obtain a general license or permission for the use of
-   such proprietary rights by implementers or users of this
-   specification can be obtained from the IETF on-line IPR repository at
-   http://www.ietf.org/ipr.
-
-   The IETF invites any interested party to bring to its attention any
-   copyrights, patents or patent applications, or other proprietary
-   rights that may cover technology that may be required to implement
-   this standard.  Please address the information to the IETF at
-   ietf-ipr@ietf.org.
-
-
-Disclaimer of Validity
-
-   This document and the information contained herein are provided on an
-   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
-   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
-   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
-   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
-   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Copyright Statement
-
-   Copyright (C) The Internet Society (2005).  This document is subject
-   to the rights, licenses and restrictions contained in BCP 78, and
-   except as set forth therein, the authors retain all their rights.
-
-
-Acknowledgment
-
-   Funding for the RFC Editor function is currently provided by the
-   Internet Society.
-
-
-
-
-Woolf & Conrad         Expires September 14, 2005              [Page 11]
-
-
diff --git a/doc/draft/draft-ietf-ipseckey-rr-09.txt b/doc/draft/draft-ietf-ipseckey-rr-09.txt
new file mode 100644
index 00000000..423a119f
--- /dev/null
+++ b/doc/draft/draft-ietf-ipseckey-rr-09.txt
@@ -0,0 +1,951 @@
+
+
+IPSECKEY WG                                                M. Richardson
+Internet-Draft                                                       SSW
+|Expires: August 1, 2004                                   February 2004
+
+
+           A Method for Storing IPsec Keying Material in DNS
+|                    draft-ietf-ipseckey-rr-09.txt
+
+Status of this Memo
+
+   This document is an Internet-Draft and is in full conformance with
+   all provisions of Section 10 of RFC2026.
+
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF), its areas, and its working groups.  Note that
+   other groups may also distribute working documents as Internet-
+   Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time.  It is inappropriate to use Internet-Drafts as reference
+   material or to cite them other than as "work in progress."
+
+   The list of current Internet-Drafts can be accessed at http://
+   www.ietf.org/ietf/1id-abstracts.txt.
+
+   The list of Internet-Draft Shadow Directories can be accessed at
+   http://www.ietf.org/shadow.html.
+
+|  This Internet-Draft will expire on August 1, 2004.
+
+Copyright Notice
+
+|  Copyright (C) The Internet Society (2004).  All Rights Reserved.
+
+Abstract
+
+|  This document describes a new resource record for Domain Name System
+|  (DNS).  This record may be used to store public keys for use in IP
+|  security (IPsec) systems.  The record also includes provisions for
+|  indicating what system should be contacted when establishing an IPsec
+|  tunnel with the entity in question.
+
+   This record replaces the functionality of the sub-type #1 of the KEY
+   Resource Record, which has been obsoleted by RFC3445.
+
+
+
+
+
+
+
+|Richardson              Expires August 1, 2004                 [Page 1]
+
+|Internet-Draft   Storing IPsec keying material in DNS     February 2004
+
+
+Table of Contents
+
+   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
+   1.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . .  3
+|  1.2 Use of reverse (in-addr.arpa) map  . . . . . . . . . . . . . .  3
+|  1.3 Usage Criteria . . . . . . . . . . . . . . . . . . . . . . . .  3
+|  2.  Storage formats  . . . . . . . . . . . . . . . . . . . . . . .  5
+|  2.1 IPSECKEY RDATA format  . . . . . . . . . . . . . . . . . . . .  5
+|  2.2 RDATA format - precedence  . . . . . . . . . . . . . . . . . .  5
+|  2.3 RDATA format - gateway type  . . . . . . . . . . . . . . . . .  5
+|  2.4 RDATA format - algorithm type  . . . . . . . . . . . . . . . .  6
+|  2.5 RDATA format - gateway . . . . . . . . . . . . . . . . . . . .  6
+|  2.6 RDATA format - public keys . . . . . . . . . . . . . . . . . .  6
+|  3.  Presentation formats . . . . . . . . . . . . . . . . . . . . .  8
+|  3.1 Representation of IPSECKEY RRs . . . . . . . . . . . . . . . .  8
+|  3.2 Examples . . . . . . . . . . . . . . . . . . . . . . . . . . .  8
+|  4.  Security Considerations  . . . . . . . . . . . . . . . . . . . 10
+|  4.1 Active attacks against unsecured IPSECKEY resource records . . 10
+|  5.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 12
+|  6.  Intellectual Property Claims . . . . . . . . . . . . . . . . . 13
+|  7.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 14
+|      Normative references . . . . . . . . . . . . . . . . . . . . . 15
+|      Non-normative references . . . . . . . . . . . . . . . . . . . 16
+|      Author's Address . . . . . . . . . . . . . . . . . . . . . . . 16
+|      Full Copyright Statement . . . . . . . . . . . . . . . . . . . 17
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+|Richardson              Expires August 1, 2004                 [Page 2]
+
+|Internet-Draft   Storing IPsec keying material in DNS     February 2004
+
+
+1. Introduction
+
+   It postulated that there is an end system desiring to establish an
+   IPsec tunnel with some remote entity on the network.  This system,
+   having only a DNS name of some kind (forward, reverse or even
+   user@FQDN) needs a public key to authenticate the remote entity.  It
+   also desires some guidance about whether to contact the entity
+   directly, or whether to contact another entity, as the gateway to
+   that desired entity.
+
+   The IPSECKEY RR provides a storage mechanism for such items as the
+   public key, and the gateway information.
+
+   The type number for the IPSECKEY RR is TBD.
+
+1.1 Overview
+
+   The IPSECKEY resource record (RR) is used to publish a public key
+   that is to be associated with a Domain Name System (DNS) name for use
+   with the IPsec protocol suite.  This can be the  public key of a
+   host, network, or application (in the case of per-port keying).
+
+   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+   "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and "OPTIONAL" in this
+   document are to be interpreted as described in RFC2119 [7].
+
+|1.2 Use of reverse (in-addr.arpa) map
+
+|  Often a security gateway will only have access to the IP address to
+|  which communication is desired.  It will not know the forward name.
+|  As such, it will frequently be the case that the IP address will be
+|  used an index into the reverse map.
+
+|  The lookup is done in the usual fashion as for PTR records.  The IP
+|  address' octets (IPv4) or nibbles (IPv6) are reversed and looked up
+|  under the .arpa.  zone.  Any CNAMEs or DNAMEs found SHOULD be
+|  followed.
+
+|  Note: even when the IPsec function is the end-host, often only the
+|  application will know the forward name used.  While the case where
+|  the application knows the forward name is common, the user could
+|  easily have typed in a literal IP address.  This storage mechanism
+|  does not preclude using the forward name when it is available, but
+|  does not require it.
+
+|1.3 Usage Criteria
+
+   An IPSECKEY resource record SHOULD be used in combination with DNSSEC
+
+
+
+|Richardson              Expires August 1, 2004                 [Page 3]
+
+|Internet-Draft   Storing IPsec keying material in DNS     February 2004
+
+
+   unless some other means of authenticating the IPSECKEY resource
+   record is available.
+
+   It is expected that there will often be multiple IPSECKEY resource
+   records at the same name.  This will be due to the presence of
+   multiple gateways and the need to rollover keys.
+
+   This resource record is class independent.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+|Richardson              Expires August 1, 2004                 [Page 4]
+
+|Internet-Draft   Storing IPsec keying material in DNS     February 2004
+
+
+2. Storage formats
+
+2.1 IPSECKEY RDATA format
+
+   The RDATA for an IPSECKEY RR consists of a precedence value, a
+   gateway type, a public key, algorithm type, and an optional gateway
+   address.
+
+       0                   1                   2                   3
+       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |  precedence   | gateway type  |  algorithm  |     gateway     |
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-------------+                 +
+      ~                            gateway                            ~
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |                                                               /
+      /                          public key                           /
+      /                                                               /
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
+
+
+2.2 RDATA format - precedence
+
+   This is an 8-bit precedence for this record.  This is interpreted in
+   the same way as the PREFERENCE field described in section 3.3.9 of
+   RFC1035 [2].
+
+   Gateways listed in IPSECKEY records with  lower precedence are to be
+   attempted first.  Where there is a tie in precedence, the order
+   should be non-deterministic.
+
+2.3 RDATA format - gateway type
+
+   The gateway type field indicates the format of the information that
+   is stored in the gateway field.
+
+   The following values are defined:
+
+   0  No gateway is present
+
+   1  A 4-byte IPv4 address is present
+
+   2  A 16-byte IPv6 address is present
+
+   3  A wire-encoded domain name is present.  The wire-encoded format is
+      self-describing, so the length is implicit.  The domain name MUST
+      NOT be compressed.  (see section 3.3 of RFC1035 [2]).
+
+
+
+
+|Richardson              Expires August 1, 2004                 [Page 5]
+
+|Internet-Draft   Storing IPsec keying material in DNS     February 2004
+
+
+2.4 RDATA format - algorithm type
+
+   The algorithm type field identifies the public key's cryptographic
+   algorithm and determines the format of the public key field.
+
+   A value of 0 indicates that no key is present.
+
+   The following values are defined:
+
+   1  A DSA key is present, in the format defined in RFC2536 [10]
+
+   2  A RSA key is present, in the format defined in RFC3110 [11]
+
+
+2.5 RDATA format - gateway
+
+   The gateway field indicates a gateway to which an IPsec tunnel may be
+   created in order to reach the entity named by this resource record.
+
+   There are three formats:
+
+   A 32-bit IPv4 address is present in the gateway field.  The data
+   portion is an IPv4 address as described in section 3.4.1 of RFC1035
+   [2].  This is a 32-bit number in network byte order.
+
+   A 128-bit IPv6 address is present in the gateway field.  The data
+   portion is an IPv6 address as described in section 2.2 of RFC3596
+   [13].  This is a 128-bit number in network byte order.
+
+   The gateway field is a normal wire-encoded domain name, as described
+   in section 3.3 of RFC1035 [2].  Compression MUST NOT be used.
+
+2.6 RDATA format - public keys
+
+   Both of the public key types defined in this document (RSA and DSA)
+   inherit their public key formats from the corresponding KEY RR
+   formats.  Specifically, the public key field contains the algorithm-
+   specific portion of the KEY RR RDATA, which is all of the KEY RR DATA
+   after the first four octets.  This is the same portion of the KEY RR
+   that must be specified by documents that define a DNSSEC algorithm.
+   Those documents also specify a message digest to be used for
+   generation of SIG RRs; that specification is not relevant for
+   IPSECKEY RR.
+
+   Future algorithms, if they are to be used by both DNSSEC (in the KEY
+   RR) and IPSECKEY, are likely to use the same public key encodings in
+   both records.  Unless otherwise specified, the IPSECKEY public key
+   field will contain the algorithm-specific portion of the KEY RR RDATA
+
+
+
+|Richardson              Expires August 1, 2004                 [Page 6]
+
+|Internet-Draft   Storing IPsec keying material in DNS     February 2004
+
+
+   for the corresponding algorithm.  The algorithm must still be
+   designated for use by IPSECKEY, and an IPSECKEY algorithm type number
+   (which might be different than the DNSSEC algorithm number) must be
+   assigned to it.
+
+   The DSA key format is defined in RFC2536 [10]
+
+   The RSA key format is defined in RFC3110 [11], with the following
+   changes:
+
+   The earlier definition of RSA/MD5 in RFC2065 limited the exponent and
+   modulus to 2552 bits in length.  RFC3110 extended that limit to 4096
+   bits for RSA/SHA1 keys.  The IPSECKEY RR imposes no length limit on
+   RSA public keys, other than the 65535 octet limit imposed by the two-
+   octet length encoding.  This length extension is applicable only to
+   IPSECKEY and not to KEY RRs.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+|Richardson              Expires August 1, 2004                 [Page 7]
+
+|Internet-Draft   Storing IPsec keying material in DNS     February 2004
+
+
+3. Presentation formats
+
+3.1 Representation of IPSECKEY RRs
+
+   IPSECKEY RRs may appear in a zone data master file.  The precedence,
+   gateway type and algorithm and gateway fields are REQUIRED.  The
+   base64 encoded public key block is OPTIONAL; if not present, then the
+   public key field of the resource record MUST be construed as being
+   zero octets in length.
+
+   The algorithm field is an unsigned integer.  No mnemonics are
+   defined.
+
+   If no gateway is to be indicated, then the gateway type field MUST be
+   zero, and the gateway field MUST be "."
+
+   The Public Key field is represented as a Base64 encoding of the
+   Public Key.  Whitespace is allowed within the Base64 text.  For a
+   definition of Base64 encoding, see RFC3548 [6] Section 5.2.
+
+   The general presentation for the record as as follows:
+
+   IN     IPSECKEY ( precedence gateway-type algorithm
+                     gateway base64-encoded-public-key )
+
+
+3.2 Examples
+
+   An example of a node 192.0.2.38 that will accept IPsec tunnels on its
+   own behalf.
+
+   38.2.0.192.in-addr.arpa. 7200 IN     IPSECKEY ( 10 1 2
+                    192.0.2.38
+                    AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== )
+
+   An example of a node, 192.0.2.38 that has published its key only.
+
+   38.2.0.192.in-addr.arpa. 7200 IN     IPSECKEY ( 10 0 2
+                    .
+                    AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== )
+
+   An example of a node, 192.0.2.38 that has delegated authority to the
+   node 192.0.2.3.
+
+   38.2.0.192.in-addr.arpa. 7200 IN     IPSECKEY ( 10 1 2
+                    192.0.2.3
+                    AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== )
+
+
+
+
+|Richardson              Expires August 1, 2004                 [Page 8]
+
+|Internet-Draft   Storing IPsec keying material in DNS     February 2004
+
+
+   An example of a node, 192.0.1.38 that has delegated authority to the
+   node with the identity "mygateway.example.com".
+
+   38.1.0.192.in-addr.arpa. 7200 IN     IPSECKEY ( 10 3 2
+                    mygateway.example.com.
+                    AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== )
+
+   An example of a node, 2001:0DB8:0200:1:210:f3ff:fe03:4d0 that has
+   delegated authority to the node 2001:0DB8:c000:0200:2::1
+
+   $ORIGIN 1.0.0.0.0.0.2.8.B.D.0.1.0.0.2.ip6.arpa.
+   0.d.4.0.3.0.e.f.f.f.3.f.0.1.2.0 7200 IN     IPSECKEY ( 10 2 2
+                    2001:0DB8:0:8002::2000:1
+                    AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== )
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+|Richardson              Expires August 1, 2004                 [Page 9]
+
+|Internet-Draft   Storing IPsec keying material in DNS     February 2004
+
+
+4. Security Considerations
+
+   This entire memo pertains to the provision of public keying material
+   for use by key management protocols such as ISAKMP/IKE (RFC2407) [8].
+
+   The IPSECKEY resource record contains information that SHOULD be
+   communicated to the end client in an integral fashion - i.e.  free
+   from modification.  The form of this channel is up to the consumer of
+   the data - there must be a trust relationship between the end
+   consumer of this resource record and the server.  This relationship
+   may be end-to-end DNSSEC validation, a TSIG or SIG(0) channel to
+   another secure source, a secure local channel on the host, or some
+   combination of the above.
+
+   The keying material provided by the IPSECKEY resource record is not
+   sensitive to passive attacks.  The keying material may be freely
+   disclosed to any party without any impact on the security properties
+   of the resulting IPsec session: IPsec and IKE provide for defense
+   against both active and passive attacks.
+
+   Any derivative standard that makes use of this resource record MUST
+   carefully document their trust model, and why the trust model of
+   DNSSEC is appropriate, if that is the secure channel used.
+
+4.1 Active attacks against unsecured IPSECKEY resource records
+
+   This section deals with active attacks against the DNS.  These
+   attacks require that DNS requests and responses be intercepted and
+   changed.  DNSSEC is designed to defend against attacks of this kind.
+
+   The first kind of active attack is when the attacker replaces the
+   keying material with either a key under its control or with garbage.
+
+   If the attacker is not able to mount a subsequent man-in-the-middle
+   attack on the IKE negotiation after replacing the public key, then
+   this will result in a denial of service, as the authenticator used by
+   IKE would fail.
+
+   If the attacker is able to both to mount active attacks against DNS
+   and is also in a position to perform a man-in-the-middle attack on
+   IKE and IPsec negotiations, then the attacker will be in a position
+   to compromise the resulting IPsec channel.  Note that an attacker
+   must be able to perform active DNS attacks on both sides of the IKE
+   negotiation in order for this to succeed.
+
+   The second kind of active attack is one in which the attacker
+   replaces the the gateway address to point to a node under the
+   attacker's control.  The attacker can then either replace the public
+
+
+
+|Richardson              Expires August 1, 2004                [Page 10]
+
+|Internet-Draft   Storing IPsec keying material in DNS     February 2004
+
+
+   key or remove it, thus providing an IPSECKEY record of its own to
+   match the gateway address.
+
+   This later form creates a simple man-in-the-middle since the attacker
+   can then create a second tunnel to the real destination.  Note that,
+   as before, this requires that the attacker also mount an active
+   attack against the responder.
+
+   Note that the man-in-the-middle can not just forward cleartext
+   packets to the original destination.  While the destination may be
+   willing to speak in the clear, replying to the original sender, the
+   sender will have already created a policy expecting ciphertext.
+   Thus, the attacker will need to intercept traffic from both sides.
+   In some cases, the attacker may be able to accomplish the full
+   intercept by use of Network Addresss/Port Translation (NAT/NAPT)
+   technology.
+
+|  Note that risk of a man-in-the-middle attack mediated by the IPSECKEY
+|  RR only applies to cases where the gateway field of the IPSECKEY RR
+|  indicates a different entity than the owner name of the IPSECKEY RR.
+
+|  An active attack on the DNS that caused the wrong IP address to be
+|  retrieved (via forged A RR), and therefore the wrong QNAME to be
+|  queried would also result in a man-in-the-middle attack.  This
+|  situation exists independantly of whether or not the IPSECKEY RR is
+|  used.
+
+|  In cases where the end-to-end integrity of the IPSECKEY RR is
+|  suspect, the end client MUST restrict its use of the IPSECKEY RR to
+|  cases where the RR owner name matches the content of the gateway
+|  field.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+|Richardson              Expires August 1, 2004                [Page 11]
+
+|Internet-Draft   Storing IPsec keying material in DNS     February 2004
+
+
+5. IANA Considerations
+
+   This document updates the IANA Registry for DNS Resource Record Types
+   by assigning type X to the IPSECKEY record.
+
+   This document creates two new IANA registries, both specific to the
+   IPSECKEY Resource Record:
+
+   This document creates an IANA registry for the algorithm type field.
+
+   Values 0, 1 and 2 are defined in Section 2.4.  Algorithm numbers 3
+   through 255 can be assigned by IETF Consensus (see RFC2434 [5]).
+
+   This document creates an IANA registry for the gateway type field.
+
+   Values 0, 1, 2 and 3 are defined in Section 2.3.  Gateway type
+   numbers 4 through 255 can be assigned by Standards Action (see
+   RFC2434 [5]).
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+|Richardson              Expires August 1, 2004                [Page 12]
+
+|Internet-Draft   Storing IPsec keying material in DNS     February 2004
+
+
+6. Intellectual Property Claims
+
+   The IETF takes no position regarding the validity or scope of any
+   intellectual property or other rights that might be claimed to
+   pertain to the implementation or use of the technology described in
+   this document or the extent to which any license under such rights
+   might or might not be available; neither does it represent that it
+   has made any effort to identify any such rights.  Information on the
+   IETF's procedures with respect to rights in standards-track and
+   standards-related documentation can be found in BCP-11.  Copies of
+   claims of rights made available for publication and any assurances of
+   licenses to be made available, or the result of an attempt made to
+   obtain a general license or permission for the use of such
+   proprietary rights by implementors or users of this specification can
+   be obtained from the IETF Secretariat.
+
+   The IETF invites any interested party to bring to its attention any
+   copyrights, patents or patent applications, or other proprietary
+   rights which may cover technology that may be required to practice
+   this standard.  Please address the information to the IETF Executive
+   Director.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+|Richardson              Expires August 1, 2004                [Page 13]
+
+|Internet-Draft   Storing IPsec keying material in DNS     February 2004
+
+
+7. Acknowledgments
+
+   My thanks to Paul Hoffman, Sam Weiler, Jean-Jacques Puig, Rob
+   Austein, and Olafur Gurmundsson who reviewed this document carefully.
+   Additional thanks to Olafur Gurmundsson for a reference
+   implementation.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+|Richardson              Expires August 1, 2004                [Page 14]
+
+|Internet-Draft   Storing IPsec keying material in DNS     February 2004
+
+
+Normative references
+
+   [1]  Mockapetris, P., "Domain names - concepts and facilities", STD
+        13, RFC 1034, November 1987.
+
+   [2]  Mockapetris, P., "Domain names - implementation and
+        specification", STD 13, RFC 1035, November 1987.
+
+   [3]  Bradner, S., "The Internet Standards Process -- Revision 3", BCP
+        9, RFC 2026, October 1996.
+
+   [4]  Eastlake, D. and C. Kaufman, "Domain Name System Security
+        Extensions", RFC 2065, January 1997.
+
+   [5]  Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA
+        Considerations Section in RFCs", BCP 26, RFC 2434, October 1998.
+
+   [6]  Josefsson, S., "The Base16, Base32, and Base64 Data Encodings",
+        RFC 3548, July 2003.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+|Richardson              Expires August 1, 2004                [Page 15]
+
+|Internet-Draft   Storing IPsec keying material in DNS     February 2004
+
+
+Non-normative references
+
+   [7]   Bradner, S., "Key words for use in RFCs to Indicate Requirement
+         Levels", BCP 14, RFC 2119, March 1997.
+
+   [8]   Piper, D., "The Internet IP Security Domain of Interpretation
+         for ISAKMP", RFC 2407, November 1998.
+
+   [9]   Eastlake, D., "Domain Name System Security Extensions", RFC
+         2535, March 1999.
+
+   [10]  Eastlake, D., "DSA KEYs and SIGs in the Domain Name System
+         (DNS)", RFC 2536, March 1999.
+
+   [11]  Eastlake, D., "RSA/SHA-1 SIGs and RSA KEYs in the Domain Name
+         System (DNS)", RFC 3110, May 2001.
+
+   [12]  Massey, D. and S. Rose, "Limiting the Scope of the KEY Resource
+         Record (RR)", RFC 3445, December 2002.
+
+   [13]  Thomson, S., Huitema, C., Ksinant, V. and M. Souissi, "DNS
+         Extensions to Support IP Version 6", RFC 3596, October 2003.
+
+
+Author's Address
+
+   Michael C. Richardson
+   Sandelman Software Works
+   470 Dawson Avenue
+   Ottawa, ON  K1Z 5V7
+   CA
+
+   EMail: mcr@sandelman.ottawa.on.ca
+   URI:   http://www.sandelman.ottawa.on.ca/
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+|Richardson              Expires August 1, 2004                [Page 16]
+
+|Internet-Draft   Storing IPsec keying material in DNS     February 2004
+
+
+Full Copyright Statement
+
+|  Copyright (C) The Internet Society (2004).  All Rights Reserved.
+
+   This document and translations of it may be copied and furnished to
+   others, and derivative works that comment on or otherwise explain it
+   or assist in its implementation may be prepared, copied, published
+   and distributed, in whole or in part, without restriction of any
+   kind, provided that the above copyright notice and this paragraph are
+   included on all such copies and derivative works.  However, this
+   document itself may not be modified in any way, such as by removing
+   the copyright notice or references to the Internet Society or other
+   Internet organizations, except as needed for the purpose of
+   developing Internet standards in which case the procedures for
+   copyrights defined in the Internet Standards process must be
+   followed, or as required to translate it into languages other than
+   English.
+
+   The limited permissions granted above are perpetual and will not be
+   revoked by the Internet Society or its successors or assigns.
+
+   This document and the information contained herein is provided on an
+   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+   Funding for the RFC Editor function is currently provided by the
+   Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+|Richardson              Expires August 1, 2004                [Page 17]
diff --git a/doc/draft/update b/doc/draft/update
index 6ac20904..766f15b0 100644
--- a/doc/draft/update
+++ b/doc/draft/update
@@ -1,5 +1,4 @@
 #!/bin/sh
-commit=
 for i
 do
 	z=`expr "$i" : 'http://www.ietf.org/internet-drafts/\(.*\)'`
@@ -35,12 +34,9 @@ do
 		then
 			rm $old
 			cvs delete $old
-			commit="$commit $old"
+		else
+			old=
 		fi
-		commit="$commit $i"
+		cvs commit -m "new draft" $i $old
 	fi
 done
-if test -n "$commit"
-then
-	cvs commit -m "new draft" $commit
-fi
diff --git a/doc/misc/Makefile.in b/doc/misc/Makefile.in
index 7dc0ecdd..81f13bee 100644
--- a/doc/misc/Makefile.in
+++ b/doc/misc/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.1.2.3 2007/01/30 23:52:52 marka Exp $
+# $Id: Makefile.in,v 1.1.12.3 2004/03/08 09:04:25 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -30,18 +30,7 @@ doc man:: ${MANOBJS}
 docclean manclean maintainer-clean::
 	rm -f options
 
-# Do not make options depend on ../../bin/tests/cfg_test, doing so
-# will cause excessively clever versions of make to attempt to build
-# that program right here, right now, if it is missing, which will
-# cause make doc to bomb.
-
-CFG_TEST = ../../bin/tests/cfg_test
-
-options: FORCE
-	if test -x ${CFG_TEST} && \
-	   ${CFG_TEST} --named --grammar | \
-	   ${PERL} ${srcdir}/format-options.pl >$@.new ; then \
-		mv -f $@.new $@ ; \
-	else \
-		rm -f $@.new ; \
-	fi
+options: ../../bin/tests/cfg_test
+	../../bin/tests/cfg_test --named --grammar | \
+		${PERL} ${srcdir}/format-options.pl >options || \
+		rm -f options
diff --git a/doc/misc/dnssec b/doc/misc/dnssec
index 8f6ee215..79d91cf9 100644
--- a/doc/misc/dnssec
+++ b/doc/misc/dnssec
@@ -1,5 +1,5 @@
 Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
-Copyright (C) 2000-2003  Internet Software Consortium.
+Copyright (C) 2000-2002  Internet Software Consortium.
 See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
 
 DNSSEC Release Notes
@@ -10,11 +10,10 @@ this release of BIND9.
 
 OpenSSL Library Required
 
-To support DNSSEC, BIND 9 must be linked with version 0.9.6e or 0.9.7beta3
-or newer of the OpenSSL library (patched versions of 0.9.5a - 0.9.6d,
-0.9.7beta1 and 0.9.7beta2 will also be accepted: CERT CA-2002-23).
-As of BIND 9.2, the library is no longer included in the distribution - it
-must be provided by the operating system or installed separately.
+To support DNSSEC, BIND 9 must be linked with version 0.9.6e or newer of
+the OpenSSL library.  As of BIND 9.2, the library is no longer
+included in the distribution - it must be provided by the operating
+system or installed separately.
 
 To build BIND 9 with OpenSSL, use "configure --with-openssl".  If
 the OpenSSL library is installed in a nonstandard location, you can
@@ -39,14 +38,6 @@ When acting as an authoritative name server, BIND9 includes KEY, SIG
 and NXT records in responses as specified in RFC2535 when the request
 has the DO flag set in the query.
 
-Response generation for wildcard records in secure zones is not fully
-supported.  Responses indicating the nonexistence of a name include a
-NXT record proving the nonexistence of the name itself, but do not
-include any NXT records to prove the nonexistence of a matching
-wildcard record.  Positive responses resulting from wildcard expansion
-do not include the NXT records to prove the nonexistence of a
-non-wildcard match or a more specific wildcard match.
-
 
 Secure Resolution
 
@@ -90,4 +81,4 @@ future as we consider them inferior to the use of TSIG or SIG(0) to
 ensure the integrity of zone transfers.
 
 
-$Id: dnssec,v 1.14.2.7 2004/03/09 06:10:41 marka Exp $
+$Id: dnssec,v 1.14.2.6.4.4 2004/03/08 09:04:25 marka Exp $
diff --git a/doc/misc/format-options.pl b/doc/misc/format-options.pl
index c50614ea..5f0975ad 100644
--- a/doc/misc/format-options.pl
+++ b/doc/misc/format-options.pl
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: format-options.pl,v 1.1.2.1 2004/03/09 06:10:41 marka Exp $
+# $Id: format-options.pl,v 1.1.206.1 2004/03/06 13:16:19 marka Exp $
 
 print <<END;
 
diff --git a/doc/misc/ipv6 b/doc/misc/ipv6
index e61ca221..2c457504 100644
--- a/doc/misc/ipv6
+++ b/doc/misc/ipv6
@@ -97,4 +97,4 @@ RELEVANT RFCs
 draft-ietf-ipngwg-rfc2292bis-01:  Advanced Sockets API for IPv6 (draft)
 
 
-$Id: ipv6,v 1.5.2.1 2004/03/09 06:10:41 marka Exp $
+$Id: ipv6,v 1.5.206.1 2004/03/06 13:16:19 marka Exp $
diff --git a/doc/misc/migration b/doc/misc/migration
index ebc35b7d..97b645ab 100644
--- a/doc/misc/migration
+++ b/doc/misc/migration
@@ -119,15 +119,6 @@ line.
 $GENERATE: The "$$" construct for getting a literal $ into a domain
 name is deprecated.  Use \$ instead.
 
-2.6. TXT records are no longer automatically split.
-
-Some versions of BIND accepted strings in TXT RDATA consisting of more
-than 255 characters and silently split them to be able to encode the
-strings in a protocol conformant way. You may now see errors like this
-        dns_rdata_fromtext: local.db:119: ran out of space
-if you have TXT RRs with too longs strings. Make sure to split the
-string in the zone data file at or before a single one reaches 255
-characters.
 
 3. Interoperability Impact of New Protocol Features
 
@@ -252,4 +243,4 @@ necessary, the umask should be set explicitly in the script used to
 start the named process.
 
 
-$Id: migration,v 1.37.2.6 2004/11/22 22:33:43 marka Exp $
+$Id: migration,v 1.37.2.3.2.2 2004/03/06 13:16:19 marka Exp $
diff --git a/doc/misc/migration-4to9 b/doc/misc/migration-4to9
index a29ab56d..fa75bacb 100644
--- a/doc/misc/migration-4to9
+++ b/doc/misc/migration-4to9
@@ -2,7 +2,7 @@ Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
 Copyright (C) 2001  Internet Software Consortium.
 See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
 
-$Id: migration-4to9,v 1.3.2.1 2004/03/09 06:10:41 marka Exp $
+$Id: migration-4to9,v 1.3.206.1 2004/03/06 13:16:19 marka Exp $
 
 		   BIND 4 to BIND 9 Migration Notes
 
diff --git a/doc/misc/options b/doc/misc/options
index 7ab8d045..581dadac 100644
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -3,6 +3,8 @@ This is a summary of the named.conf options supported by
 this version of BIND 9.
 
 options {
+        avoid-v4-udp-ports { <port>; ... };
+        avoid-v6-udp-ports { <port>; ... };
         blackhole { <address_match_element>; ... };
         coresize <size>;
         datasize <size>;
@@ -14,26 +16,28 @@ options {
         has-old-clients <boolean>; // obsolete
         heartbeat-interval <integer>;
         host-statistics <boolean>; // not implemented
-        host-statistics-max <integer>; // not implemented
+        hostname ( <quoted_string> | none );
         interface-interval <integer>;
         listen-on [ port <integer> ] { <address_match_element>; ... };
         listen-on-v6 [ port <integer> ] { <address_match_element>; ... };
         match-mapped-addresses <boolean>;
-        memstatistics-file <quoted_string>; // not implemented
+        memstatistics-file <quoted_string>;
         multiple-cnames <boolean>; // obsolete
         named-xfer <quoted_string>; // obsolete
-        pid-file <quoted_string>;
+        pid-file ( <quoted_string> | none );
         port <integer>;
+        querylog <boolean>;
+        recursing-file <quoted_string>;
         random-device <quoted_string>;
         recursive-clients <integer>;
-        rrset-order { [ class <string> ] [ type <string> ] [ name
-            <quoted_string> ] <string> <string>; ... }; // not implemented
         serial-queries <integer>; // obsolete
         serial-query-rate <integer>;
+        server-id ( <quoted_string> | none |;
         stacksize <size>;
         statistics-file <quoted_string>;
         statistics-interval <integer>; // not yet implemented
         tcp-clients <integer>;
+        tcp-listen-queue <integer>;
         tkey-dhkey <quoted_string> <integer>;
         tkey-gssapi-credential <quoted_string>;
         tkey-domain <quoted_string>;
@@ -43,14 +47,16 @@ options {
         treat-cr-as-space <boolean>; // obsolete
         use-id-pool <boolean>; // obsolete
         use-ixfr <boolean>;
-        version <quoted_string>;
+        version ( <quoted_string> | none );
         allow-recursion { <address_match_element>; ... };
-        allow-v6-synthesis { <address_match_element>; ... };
+        allow-v6-synthesis { <address_match_element>; ... }; // obsolete
         sortlist { <address_match_element>; ... };
         topology { <address_match_element>; ... }; // not implemented
         auth-nxdomain <boolean>; // default changed
         minimal-responses <boolean>;
         recursion <boolean>;
+        rrset-order { [ class <string> ] [ type <string> ] [ name
+            <quoted_string> ] <string> <string>; ... };
         provide-ixfr <boolean>;
         request-ixfr <boolean>;
         fetch-glue <boolean>; // obsolete
@@ -66,9 +72,17 @@ options {
         max-cache-ttl <integer>;
         transfer-format ( many-answers | one-answer );
         max-cache-size <size_no_default>;
-        check-names <string> <string>; // not implemented
+        check-names ( master | slave | response ) ( fail | warn | ignore );
         cache-file <quoted_string>;
+        suppress-initial-notify <boolean>; // not yet implemented
+        preferred-glue <string>;
+        dual-stack-servers [ port <integer> ] { ( <quoted_string> [port
+            <integer>] | <ipv4_address> [port <integer>] | <ipv6_address> [port <integer>] ); ... };
+        edns-udp-size <integer>;
         root-delegation-only [ exclude { <quoted_string>; ... } ];
+        disable-algorithms <string> { <string>; ... };
+        dnssec-enable <boolean>;
+        dnssec-lookaside <string>;
         allow-query { <address_match_element>; ... };
         allow-transfer { <address_match_element>; ... };
         allow-update-forwarding { <address_match_element>; ... };
@@ -82,10 +96,10 @@ options {
         forward ( first | only );
         forwarders [ port <integer> ] { ( <ipv4_address> | <ipv6_address> )
             [ port <integer> ]; ... };
+        ixfr-from-differences <boolean>;
         maintain-ixfr-base <boolean>; // obsolete
         max-ixfr-log-size <size>; // obsolete
-        transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
-        transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ];
+        max-journal-size <size_no_default>;
         max-transfer-time-in <integer>;
         max-transfer-time-out <integer>;
         max-transfer-idle-in <integer>;
@@ -94,8 +108,17 @@ options {
         min-retry-time <integer>;
         max-refresh-time <integer>;
         min-refresh-time <integer>;
+        multi-master <boolean>;
         sig-validity-interval <integer>;
+        transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
+        transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ];
+        alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * )
+            ];
+        alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> |
+            * ) ];
+        use-alt-transfer-source <boolean>;
         zone-statistics <boolean>;
+        key-directory <quoted_string>;
 };
 
 controls {
@@ -106,13 +129,16 @@ controls {
 
 acl <string> { <address_match_element>; ... };
 
+masters <string> [ port <integer> ] { ( <masters> | <ipv4_address> [port
+    <integer>] | <ipv6_address> [port <integer>] ) [ key <string> ]; ... };
+
 logging {
         channel <string> {
-                file <logfile>;
+                file <log_file>;
                 syslog <optional_facility>;
                 null;
                 stderr;
-                severity <logseverity>;
+                severity <log_severity>;
                 print-time <boolean>;
                 print-severity <boolean>;
                 print-category <boolean>;
@@ -135,15 +161,15 @@ view <string> <optional_class> {
                 file <quoted_string>;
                 ixfr-base <quoted_string>; // obsolete
                 ixfr-tmp-file <quoted_string>; // obsolete
-                masters [ port <integer> ] { ( <ipv4_address> |
-                    <ipv6_address> ) [ port <integer> ] [ key <string> ]; ... };
+                masters [ port <integer> ] { ( <masters> | <ipv4_address>
+                    [port <integer>] | <ipv6_address> [port <integer>] ) [ key <string> ]; ... };
                 pubkey <integer> <integer> <integer> <quoted_string>; //
                     obsolete
                 update-policy { ( grant | deny ) <string> ( name |
                     subdomain | wildcard | self ) <string> <rrtypelist>; ... };
                 database <string>;
                 delegation-only <boolean>;
-                check-names <string>; // not implemented
+                check-names ( fail | warn | ignore );
                 allow-query { <address_match_element>; ... };
                 allow-transfer { <address_match_element>; ... };
                 allow-update-forwarding { <address_match_element>; ... };
@@ -159,12 +185,10 @@ view <string> <optional_class> {
                 forward ( first | only );
                 forwarders [ port <integer> ] { ( <ipv4_address> |
                     <ipv6_address> ) [ port <integer> ]; ... };
+                ixfr-from-differences <boolean>;
                 maintain-ixfr-base <boolean>; // obsolete
                 max-ixfr-log-size <size>; // obsolete
-                transfer-source ( <ipv4_address> | * ) [ port ( <integer> |
-                    * ) ];
-                transfer-source-v6 ( <ipv6_address> | * ) [ port (
-                    <integer> | * ) ];
+                max-journal-size <size_no_default>;
                 max-transfer-time-in <integer>;
                 max-transfer-time-out <integer>;
                 max-transfer-idle-in <integer>;
@@ -173,8 +197,19 @@ view <string> <optional_class> {
                 min-retry-time <integer>;
                 max-refresh-time <integer>;
                 min-refresh-time <integer>;
+                multi-master <boolean>;
                 sig-validity-interval <integer>;
+                transfer-source ( <ipv4_address> | * ) [ port ( <integer> |
+                    * ) ];
+                transfer-source-v6 ( <ipv6_address> | * ) [ port (
+                    <integer> | * ) ];
+                alt-transfer-source ( <ipv4_address> | * ) [ port (
+                    <integer> | * ) ];
+                alt-transfer-source-v6 ( <ipv6_address> | * ) [ port (
+                    <integer> | * ) ];
+                use-alt-transfer-source <boolean>;
                 zone-statistics <boolean>;
+                key-directory <quoted_string>;
         };
         server <netaddr> {
                 bogus <boolean>;
@@ -185,16 +220,22 @@ view <string> <optional_class> {
                 transfer-format ( many-answers | one-answer );
                 keys <server_key>;
                 edns <boolean>;
+                transfer-source ( <ipv4_address> | * ) [ port ( <integer> |
+                    * ) ];
+                transfer-source-v6 ( <ipv6_address> | * ) [ port (
+                    <integer> | * ) ];
         };
         trusted-keys { <string> <integer> <integer> <integer>
-            <quoted_string>; ... }; // obsolete
+            <quoted_string>; ... };
         allow-recursion { <address_match_element>; ... };
-        allow-v6-synthesis { <address_match_element>; ... };
+        allow-v6-synthesis { <address_match_element>; ... }; // obsolete
         sortlist { <address_match_element>; ... };
         topology { <address_match_element>; ... }; // not implemented
         auth-nxdomain <boolean>; // default changed
         minimal-responses <boolean>;
         recursion <boolean>;
+        rrset-order { [ class <string> ] [ type <string> ] [ name
+            <quoted_string> ] <string> <string>; ... };
         provide-ixfr <boolean>;
         request-ixfr <boolean>;
         fetch-glue <boolean>; // obsolete
@@ -210,9 +251,17 @@ view <string> <optional_class> {
         max-cache-ttl <integer>;
         transfer-format ( many-answers | one-answer );
         max-cache-size <size_no_default>;
-        check-names <string> <string>; // not implemented
+        check-names ( master | slave | response ) ( fail | warn | ignore );
         cache-file <quoted_string>;
+        suppress-initial-notify <boolean>; // not yet implemented
+        preferred-glue <string>;
+        dual-stack-servers [ port <integer> ] { ( <quoted_string> [port
+            <integer>] | <ipv4_address> [port <integer>] | <ipv6_address> [port <integer>] ); ... };
+        edns-udp-size <integer>;
         root-delegation-only [ exclude { <quoted_string>; ... } ];
+        disable-algorithms <string> { <string>; ... };
+        dnssec-enable <boolean>;
+        dnssec-lookaside <string>;
         allow-query { <address_match_element>; ... };
         allow-transfer { <address_match_element>; ... };
         allow-update-forwarding { <address_match_element>; ... };
@@ -226,10 +275,10 @@ view <string> <optional_class> {
         forward ( first | only );
         forwarders [ port <integer> ] { ( <ipv4_address> | <ipv6_address> )
             [ port <integer> ]; ... };
+        ixfr-from-differences <boolean>;
         maintain-ixfr-base <boolean>; // obsolete
         max-ixfr-log-size <size>; // obsolete
-        transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
-        transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ];
+        max-journal-size <size_no_default>;
         max-transfer-time-in <integer>;
         max-transfer-time-out <integer>;
         max-transfer-idle-in <integer>;
@@ -238,8 +287,17 @@ view <string> <optional_class> {
         min-retry-time <integer>;
         max-refresh-time <integer>;
         min-refresh-time <integer>;
+        multi-master <boolean>;
         sig-validity-interval <integer>;
+        transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
+        transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ];
+        alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * )
+            ];
+        alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> |
+            * ) ];
+        use-alt-transfer-source <boolean>;
         zone-statistics <boolean>;
+        key-directory <quoted_string>;
 };
 
 lwres {
@@ -261,14 +319,14 @@ zone <string> <optional_class> {
         file <quoted_string>;
         ixfr-base <quoted_string>; // obsolete
         ixfr-tmp-file <quoted_string>; // obsolete
-        masters [ port <integer> ] { ( <ipv4_address> | <ipv6_address> ) [
-            port <integer> ] [ key <string> ]; ... };
+        masters [ port <integer> ] { ( <masters> | <ipv4_address> [port
+            <integer>] | <ipv6_address> [port <integer>] ) [ key <string> ]; ... };
         pubkey <integer> <integer> <integer> <quoted_string>; // obsolete
         update-policy { ( grant | deny ) <string> ( name | subdomain |
             wildcard | self ) <string> <rrtypelist>; ... };
         database <string>;
         delegation-only <boolean>;
-        check-names <string>; // not implemented
+        check-names ( fail | warn | ignore );
         allow-query { <address_match_element>; ... };
         allow-transfer { <address_match_element>; ... };
         allow-update-forwarding { <address_match_element>; ... };
@@ -282,10 +340,10 @@ zone <string> <optional_class> {
         forward ( first | only );
         forwarders [ port <integer> ] { ( <ipv4_address> | <ipv6_address> )
             [ port <integer> ]; ... };
+        ixfr-from-differences <boolean>;
         maintain-ixfr-base <boolean>; // obsolete
         max-ixfr-log-size <size>; // obsolete
-        transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
-        transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ];
+        max-journal-size <size_no_default>;
         max-transfer-time-in <integer>;
         max-transfer-time-out <integer>;
         max-transfer-idle-in <integer>;
@@ -294,8 +352,17 @@ zone <string> <optional_class> {
         min-retry-time <integer>;
         max-refresh-time <integer>;
         min-refresh-time <integer>;
+        multi-master <boolean>;
         sig-validity-interval <integer>;
+        transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
+        transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ];
+        alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * )
+            ];
+        alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> |
+            * ) ];
+        use-alt-transfer-source <boolean>;
         zone-statistics <boolean>;
+        key-directory <quoted_string>;
 };
 
 server <netaddr> {
@@ -307,6 +374,8 @@ server <netaddr> {
         transfer-format ( many-answers | one-answer );
         keys <server_key>;
         edns <boolean>;
+        transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
+        transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ];
 };
 
 trusted-keys { <string> <integer> <integer> <integer> <quoted_string>; ... };
diff --git a/doc/misc/rfc-compliance b/doc/misc/rfc-compliance
index 6f8f49cb..6a3fac12 100644
--- a/doc/misc/rfc-compliance
+++ b/doc/misc/rfc-compliance
@@ -2,7 +2,7 @@ Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
 Copyright (C) 2001  Internet Software Consortium.
 See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
 
-$Id: rfc-compliance,v 1.3.2.1 2004/03/09 06:10:41 marka Exp $
+$Id: rfc-compliance,v 1.3.206.1 2004/03/06 13:16:20 marka Exp $
 
 BIND 9 is striving for strict compliance with IETF standards.  We
 believe this release of BIND 9 complies with the following RFCs, with
diff --git a/doc/misc/roadmap b/doc/misc/roadmap
index 3369d3ee..72021b82 100644
--- a/doc/misc/roadmap
+++ b/doc/misc/roadmap
@@ -2,7 +2,7 @@ Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
 Copyright (C) 2000, 2001  Internet Software Consortium.
 See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
 
-$Id: roadmap,v 1.1.2.1 2004/03/09 06:10:41 marka Exp $
+$Id: roadmap,v 1.1.206.1 2004/03/06 13:16:20 marka Exp $
 
 Road Map to the BIND 9 Source Tree
 
diff --git a/doc/misc/sdb b/doc/misc/sdb
index b916db78..0de0ab89 100644
--- a/doc/misc/sdb
+++ b/doc/misc/sdb
@@ -166,4 +166,4 @@ Future Directions
 A future release may support dynamic loading of sdb drivers.
 
 
-$Id: sdb,v 1.5.2.1 2004/03/09 06:10:42 marka Exp $
+$Id: sdb,v 1.5.206.1 2004/03/06 13:16:20 marka Exp $
diff --git a/doc/rfc/index b/doc/rfc/index
index 990d4a90..fd66d247 100644
--- a/doc/rfc/index
+++ b/doc/rfc/index
@@ -61,9 +61,8 @@
 2929:	Domain Name System (DNS) IANA Considerations
 2930:	Secret Key Establishment for DNS (TKEY RR)
 2931:	DNS Request and Transaction Signatures ( SIG(0)s )
-3007:	Secure Domain Name System (DNS) Dynamic Update
-3008:	Domain Name System Security (DNSSEC) Signing Authority
-3071:	Reflections on the DNS, RFC 1591, and Categories of Domains
+3007:   Secure Domain Name System (DNS) Dynamic Update
+3008:   Domain Name System Security (DNSSEC) Signing Authority
 3090:	DNS Security Extension Clarification on Zone Status
 3110:	RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)
 3123:	A DNS RR Type for Lists of Address Prefixes (APL RR)
@@ -76,9 +75,9 @@
 	 Addresses in the Domain Name System (DNS)
 3364:	Tradeoffs in Domain Name System (DNS) Support
 	 for Internet Protocol version 6 (IPv6)
+3390:	Internationalizing Domain Names In Applications (IDNA)
 3425:	Obsoleting IQUERY
 3445:	Limiting the Scope of the KEY Resource Record (RR)
-3490:	Internationalizing Domain Names In Applications (IDNA)
 3491:	Nameprep: A Stringprep Profile for Internationalized Domain Names (IDN)
 3492:	Punycode:A Bootstring encoding of Unicode for
 	  Internationalized Domain Names in Applications (IDNA)
@@ -90,25 +89,3 @@
 	  Secret Key Transaction Authentication for DNS (GSS-TSIG)
 3655:	Redefinition of DNS Authenticated Data (AD) bit
 3658:	Delegation Signer (DS) Resource Record (RR)
-3757:	Domain Name System KEY (DNSKEY) Resource Record (RR)
-	  Secure Entry Point (SEP) Flag
-3833:	Threat Analysis of the Domain Name System (DNS)
-3845:	DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format
-3901:	DNS IPv6 Transport Operational Guidelines
-4025:	A Method for Storing IPsec Keying Material in DNS
-4033:	DNS Security Introduction and Requirements
-4034:	Resource Records for the DNS Security Extensions
-4035:	Protocol Modifications for the DNS Security Extensions
-4074:	Common Misbehavior Against DNS Queries for IPv6 Addresses
-4159:	Deprecation of "ip6.int"
-4193:	Unique Local IPv6 Unicast Addresses
-4255:	Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints
-4343:	Domain Name System (DNS) Case Insensitivity Clarification
-4367:	What's in a Name: False Assumptions about DNS Names
-4398:	Storing Certificates in the Domain Name System (DNS)
-4431:	The DNSSEC Lookaside Validation (DLV) DNS Resource Record
-4408:	Sender Policy Framework (SPF) for Authorizing Use of Domains
-	 in E-Mail, Version 1
-4470:	Minimally Covering NSEC Records and DNSSEC On-line Signing
-4634:	US Secure Hash Algorithms (SHA and HMAC-SHA)
-4641:	DNSSEC Operational Practices
diff --git a/doc/rfc/rfc3757.txt b/doc/rfc/rfc3757.txt
deleted file mode 100644
index 31890a4b..00000000
--- a/doc/rfc/rfc3757.txt
+++ /dev/null
@@ -1,451 +0,0 @@
-
-
-
-
-
-
-Network Working Group                                         O. Kolkman
-Request for Comments: 3757                                      RIPE NCC
-Updates: 3755, 2535                                          J. Schlyter
-Category: Standards Track                                         NIC-SE
-                                                                E. Lewis
-                                                                    ARIN
-                                                              April 2004
-
-
-         Domain Name System KEY (DNSKEY) Resource Record (RR)
-                     Secure Entry Point (SEP) Flag
-
-Status of this Memo
-
-   This document specifies an Internet standards track protocol for the
-   Internet community, and requests discussion and suggestions for
-   improvements.  Please refer to the current edition of the "Internet
-   Official Protocol Standards" (STD 1) for the standardization state
-   and status of this protocol.  Distribution of this memo is unlimited.
-
-Copyright Notice
-
-   Copyright (C) The Internet Society (2004).  All Rights Reserved.
-
-Abstract
-
-   With the Delegation Signer (DS) resource record (RR), the concept of
-   a public key acting as a secure entry point (SEP) has been
-   introduced.  During exchanges of public keys with the parent there is
-   a need to differentiate SEP keys from other public keys in the Domain
-   Name System KEY (DNSKEY) resource record set.  A flag bit in the
-   DNSKEY RR is defined to indicate that DNSKEY is to be used as a SEP.
-   The flag bit is intended to assist in operational procedures to
-   correctly generate DS resource records, or to indicate what DNSKEYs
-   are intended for static configuration.  The flag bit is not to be
-   used in the DNS verification protocol.  This document updates RFC
-   2535 and RFC 3755.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Kolkman, et al.              Standard Track                     [Page 1]
-
-RFC 3757                   DNSKEY RR SEP Flag                 April 2004
-
-
-Table of Contents
-
-   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  2
-   2.  The Secure Entry Point (SEP) Flag. . . . . . . . . . . . . . .  4
-   3.  DNSSEC Protocol Changes. . . . . . . . . . . . . . . . . . . .  4
-   4.  Operational Guidelines . . . . . . . . . . . . . . . . . . . .  4
-   5.  Security Considerations. . . . . . . . . . . . . . . . . . . .  5
-   6.  IANA Considerations. . . . . . . . . . . . . . . . . . . . . .  6
-   7.  Internationalization Considerations. . . . . . . . . . . . . .  6
-   8.  Acknowledgments. . . . . . . . . . . . . . . . . . . . . . . .  6
-   9.  References . . . . . . . . . . . . . . . . . . . . . . . . . .  6
-       9.1.  Normative References . . . . . . . . . . . . . . . . . .  6
-       9.2.  Informative References . . . . . . . . . . . . . . . . .  6
-   10. Authors' Addresses . . . . . . . . . . . . . . . . . . . . . .  7
-   11. Full Copyright Statement . . . . . . . . . . . . . . . . . . .  8
-
-1.  Introduction
-
-   "All keys are equal but some keys are more equal than others" [6].
-
-   With the definition of the Delegation Signer Resource Record (DS RR)
-   [5], it has become important to differentiate between the keys in the
-   DNSKEY RR set that are (to be) pointed to by parental DS RRs and the
-   other keys in the DNSKEY RR set.  We refer to these public keys as
-   Secure Entry Point (SEP) keys.  A SEP key either used to generate a
-   DS RR or is distributed to resolvers that use the key as the root of
-   a trusted subtree [3].
-
-   In early deployment tests, the use of two (kinds of) key pairs for
-   each zone has been prevalent.  For one kind of key pair the private
-   key is used to sign just the zone's DNSKEY resource record (RR) set.
-   Its public key is intended to be referenced by a DS RR at the parent
-   or configured statically in a resolver.  The private key of the other
-   kind of key pair is used to sign the rest of the zone's data sets.
-   The former key pair is called a key-signing key (KSK) and the latter
-   is called a zone-signing key (ZSK).  In practice there have been
-   usually one of each kind of key pair, but there will be multiples of
-   each at times.
-
-   It should be noted that division of keys pairs into KSK's and ZSK's
-   is not mandatory in any definition of DNSSEC, not even with the
-   introduction of the DS RR.  But, in testing, this distinction has
-   been helpful when designing key roll over (key super-cession)
-   schemes.  Given that the distinction has proven helpful, the labels
-   KSK and ZSK have begun to stick.
-
-
-
-
-
-
-Kolkman, et al.              Standard Track                     [Page 2]
-
-RFC 3757                   DNSKEY RR SEP Flag                 April 2004
-
-
-   There is a need to differentiate the public keys for the key pairs
-   that are used for key signing from keys that are not used key signing
-   (KSKs vs ZSKs).  This need is driven by knowing which DNSKEYs are to
-   be sent for generating DS RRs, which DNSKEYs are to be distributed to
-   resolvers, and which keys are fed to the signer application at the
-   appropriate time.
-
-   In other words, the SEP bit provides an in-band method to communicate
-   a DNSKEY RR's intended use to third parties.  As an example we
-   present 3 use cases in which the bit is useful:
-
-      The parent is a registry, the parent and the child use secured DNS
-      queries and responses, with a preexisting trust-relation, or plain
-      DNS over a secured channel to exchange the child's DNSKEY RR sets.
-      Since a DNSKEY RR set will contain a complete DNSKEY RRset the SEP
-      bit can be used to isolate the DNSKEYs for which a DS RR needs to
-      be created.
-
-      An administrator has configured a DNSKEY as root for a trusted
-      subtree into security aware resolver.  Using a special purpose
-      tool that queries for the KEY RRs from that domain's apex, the
-      administrator will be able to notice the roll over of the trusted
-      anchor by a change of the subset of KEY RRs with the DS flag set.
-
-      A signer might use the SEP bit on the public key to determine
-      which private key to use to exclusively sign the DNSKEY RRset and
-      which private key to use to sign the other RRsets in the zone.
-
-   As demonstrated in the above examples it is important to be able to
-   differentiate the SEP keys from the other keys in a DNSKEY RR set in
-   the flow between signer and (parental) key-collector and in the flow
-   between the signer and the resolver configuration.  The SEP flag is
-   to be of no interest to the flow between the verifier and the
-   authoritative data store.
-
-   The reason for the term "SEP" is a result of the observation that the
-   distinction between KSK and ZSK key pairs is made by the signer, a
-   key pair could be used as both a KSK and a ZSK at the same time.  To
-   be clear, the term SEP was coined to lessen the confusion caused by
-   the overlap.  (Once this label was applied, it had the side effect of
-   removing the temptation to have both a KSK flag bit and a ZSK flag
-   bit.)
-
-   The key words "MAY","MAY NOT", "MUST", "MUST NOT", "REQUIRED",
-   "RECOMMENDED", "SHOULD", and "SHOULD NOT" in this document are to be
-   interpreted as described in BCP 14, RFC 2119 [1].
-
-
-
-
-
-Kolkman, et al.              Standard Track                     [Page 3]
-
-RFC 3757                   DNSKEY RR SEP Flag                 April 2004
-
-
-2.  The Secure Entry Point (SEP) Flag
-
-                        1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
-    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   |              flags          |S|   protocol    |   algorithm   |
-   |                             |E|               |               |
-   |                             |P|               |               |
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   |                                                               /
-   /                        public key                             /
-   /                                                               /
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-
-                          DNSKEY RR Format
-   This document assigns the 15th bit in the flags field as the secure
-   entry point (SEP) bit.  If the bit is set to 1 the key is intended to
-   be used as secure entry point key.  One SHOULD NOT assign special
-   meaning to the key if the bit is set to 0.  Operators can recognize
-   the secure entry point key by the even or odd-ness of the decimal
-   representation of the flag field.
-
-3.  DNSSEC Protocol Changes
-
-   The bit MUST NOT be used during the resolving and verification
-   process.  The SEP flag is only used to provide a hint about the
-   different administrative properties of the key and therefore the use
-   of the SEP flag does not change the DNS resolution protocol or the
-   resolution process.
-
-4.  Operational Guidelines
-
-   The SEP bit is set by the key-pair-generator and MAY be used by the
-   zone signer to decide whether the public part of the key pair is to
-   be prepared for input to a DS RR generation function.  The SEP bit is
-   recommended to be set (to 1) whenever the public key of the key pair
-   will be distributed to the parent zone to build the authentication
-   chain or if the public key is to be distributed for static
-   configuration in verifiers.
-
-   When a key pair is created, the operator needs to indicate whether
-   the SEP bit is to be set in the DNSKEY RR.  As the SEP bit is within
-   the data that is used to compute the 'key tag field' in the SIG RR,
-   changing the SEP bit will change the identity of the key within DNS.
-   In other words, once a key is used to generate signatures, the
-   setting of the SEP bit is to remain constant.  If not, a verifier
-   will not be able to find the relevant KEY RR.
-
-
-
-
-Kolkman, et al.              Standard Track                     [Page 4]
-
-RFC 3757                   DNSKEY RR SEP Flag                 April 2004
-
-
-   When signing a zone, it is intended that the key(s) with the SEP bit
-   set (if such keys exist) are used to sign the KEY RR set of the zone.
-   The same key can be used to sign the rest of the zone data too.  It
-   is conceivable that not all keys with a SEP bit set will sign the
-   DNSKEY RR set, such keys might be pending retirement or not yet in
-   use.
-
-   When verifying a RR set, the SEP bit is not intended to play a role.
-   How the key is used by the verifier is not intended to be a
-   consideration at key creation time.
-
-   Although the SEP flag provides a hint on which public key is to be
-   used as trusted root, administrators can choose to ignore the fact
-   that a DNSKEY has its SEP bit set or not when configuring a trusted
-   root for their resolvers.
-
-   Using the SEP flag a key roll over can be automated.  The parent can
-   use an existing trust relation to verify DNSKEY RR sets in which a
-   new DNSKEY RR with the SEP flag appears.
-
-5.  Security Considerations
-
-   As stated in Section 3 the flag is not to be used in the resolution
-   protocol or to determine the security status of a key.  The flag is
-   to be used for administrative purposes only.
-
-   No trust in a key should be inferred from this flag - trust MUST be
-   inferred from an existing chain of trust or an out-of-band exchange.
-
-   Since this flag might be used for automating public key exchanges, we
-   think the following consideration is in place.
-
-   Automated mechanisms for roll over of the DS RR might be vulnerable
-   to a class of replay attacks.  This might happen after a public key
-   exchange where a DNSKEY RR set, containing two DNSKEY RRs with the
-   SEP flag set, is sent to the parent.  The parent verifies the DNSKEY
-   RR set with the existing trust relation and creates the new DS RR
-   from the DNSKEY RR that the current DS RR is not pointing to.  This
-   key exchange might be replayed.  Parents are encouraged to implement
-   a replay defense.  A simple defense can be based on a registry of
-   keys that have been used to generate DS RRs during the most recent
-   roll over.  These same considerations apply to entities that
-   configure keys in resolvers.
-
-
-
-
-
-
-
-
-Kolkman, et al.              Standard Track                     [Page 5]
-
-RFC 3757                   DNSKEY RR SEP Flag                 April 2004
-
-
-6.  IANA Considerations
-
-   IANA has assigned the 15th bit in the DNSKEY Flags Registry (see
-   Section 4.3 of [4]) as the Secure Entry Point (SEP) bit.
-
-7.  Internationalization Considerations
-
-   Although SEP is a popular acronym in many different languages, there
-   are no internationalization considerations.
-
-8.  Acknowledgments
-
-   The ideas documented in this document are inspired by communications
-   we had with numerous people and ideas published by other folk.  Among
-   others Mark Andrews, Rob Austein, Miek Gieben, Olafur Gudmundsson,
-   Daniel Karrenberg, Dan Massey, Scott Rose, Marcos Sanz and Sam Weiler
-   have contributed ideas and provided feedback.
-
-   This document saw the light during a workshop on DNSSEC operations
-   hosted by USC/ISI in August 2002.
-
-9.  References
-
-9.1.  Normative References
-
-   [1]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
-        Levels", BCP 14, RFC 2119, March 1997.
-
-   [2]  Eastlake, D., "Domain Name System Security Extensions", RFC
-        2535, March 1999.
-
-   [3]  Lewis, E., "DNS Security Extension Clarification on Zone
-        Status", RFC 3090, March 2001.
-
-   [4]  Weiler, S., "Legacy Resolver Compatibility for Delegation Signer
-        (DS)", RFC 3755, April 2004.
-
-9.2.  Informative References
-
-   [5]  Gudmundsson, O., "Delegation Signer (DS) Resource Record (RR)",
-        RFC 3658, December 2003.
-
-   [6]  Orwell, G. and R. Steadman (illustrator), "Animal Farm; a Fairy
-        Story", ISBN 0151002177 (50th anniversary edition), April 1996.
-
-
-
-
-
-
-
-Kolkman, et al.              Standard Track                     [Page 6]
-
-RFC 3757                   DNSKEY RR SEP Flag                 April 2004
-
-
-10.  Authors' Addresses
-
-   Olaf M. Kolkman
-   RIPE NCC
-   Singel 256
-   Amsterdam  1016 AB
-   NL
-
-   Phone: +31 20 535 4444
-   EMail: olaf@ripe.net
-   URI:   http://www.ripe.net/
-
-
-   Jakob Schlyter
-   NIC-SE
-   Box 5774
-   SE-114 87 Stockholm
-   Sweden
-
-   EMail: jakob@nic.se
-   URI:   http://www.nic.se/
-
-
-   Edward P. Lewis
-   ARIN
-   3635 Concorde Parkway Suite 200
-   Chantilly, VA  20151
-   US
-
-   Phone: +1 703 227 9854
-   EMail: edlewis@arin.net
-   URI:   http://www.arin.net/
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Kolkman, et al.              Standard Track                     [Page 7]
-
-RFC 3757                   DNSKEY RR SEP Flag                 April 2004
-
-
-11.  Full Copyright Statement
-
-   Copyright (C) The Internet Society (2004).  This document is subject
-   to the rights, licenses and restrictions contained in BCP 78 and
-   except as set forth therein, the authors retain all their rights.
-
-   This document and the information contained herein are provided on an
-   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
-   REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE
-   INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR
-   IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
-   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Intellectual Property
-
-   The IETF takes no position regarding the validity or scope of any
-   Intellectual Property Rights or other rights that might be claimed
-   to pertain to the implementation or use of the technology
-   described in this document or the extent to which any license
-   under such rights might or might not be available; nor does it
-   represent that it has made any independent effort to identify any
-   such rights.  Information on the procedures with respect to
-   rights in RFC documents can be found in BCP 78 and BCP 79.
-
-   Copies of IPR disclosures made to the IETF Secretariat and any
-   assurances of licenses to be made available, or the result of an
-   attempt made to obtain a general license or permission for the use
-   of such proprietary rights by implementers or users of this
-   specification can be obtained from the IETF on-line IPR repository
-   at http://www.ietf.org/ipr.
-
-   The IETF invites any interested party to bring to its attention
-   any copyrights, patents or patent applications, or other
-   proprietary rights that may cover technology that may be required
-   to implement this standard.  Please address the information to the
-   IETF at ietf-ipr@ietf.org.
-
-Acknowledgement
-
-   Funding for the RFC Editor function is currently provided by the
-   Internet Society.
-
-
-
-
-
-
-
-
-
-Kolkman, et al.              Standard Track                     [Page 8]
-
diff --git a/doc/rfc/rfc3845.txt b/doc/rfc/rfc3845.txt
deleted file mode 100644
index 9887a20a..00000000
--- a/doc/rfc/rfc3845.txt
+++ /dev/null
@@ -1,395 +0,0 @@
-
-
-
-
-
-
-Network Working Group                                   J. Schlyter, Ed.
-Request for Comments: 3845                                   August 2004
-Updates: 3755, 2535
-Category: Standards Track
-
-
-          DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format
-
-Status of this Memo
-
-   This document specifies an Internet standards track protocol for the
-   Internet community, and requests discussion and suggestions for
-   improvements.  Please refer to the current edition of the "Internet
-   Official Protocol Standards" (STD 1) for the standardization state
-   and status of this protocol.  Distribution of this memo is unlimited.
-
-Copyright Notice
-
-   Copyright (C) The Internet Society (2004).
-
-Abstract
-
-   This document redefines the wire format of the "Type Bit Map" field
-   in the DNS NextSECure (NSEC) resource record RDATA format to cover
-   the full resource record (RR) type space.
-
-Table of Contents
-
-   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  2
-   2.  The NSEC Resource Record . . . . . . . . . . . . . . . . . . .  2
-       2.1.  NSEC RDATA Wire Format . . . . . . . . . . . . . . . . .  3
-             2.1.1.  The Next Domain Name Field . . . . . . . . . . .  3
-             2.1.2.  The List of Type Bit Map(s) Field  . . . . . . .  3
-             2.1.3.  Inclusion of Wildcard Names in NSEC RDATA  . . .  4
-       2.2.  The NSEC RR Presentation Format  . . . . . . . . . . . .  4
-       2.3.  NSEC RR Example  . . . . . . . . . . . . . . . . . . . .  5
-   3.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . .  5
-   4.  Security Considerations  . . . . . . . . . . . . . . . . . . .  5
-   5.  References . . . . . . . . . . . . . . . . . . . . . . . . . .  6
-       5.1.  Normative References . . . . . . . . . . . . . . . . . .  6
-       5.2.  Informative References . . . . . . . . . . . . . . . . .  6
-   6.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . .  6
-   7.  Author's Address . . . . . . . . . . . . . . . . . . . . . . .  6
-   8.  Full Copyright Statement . . . . . . . . . . . . . . . . . . .  7
-
-
-
-
-
-
-
-Schlyter, Ed.               Standards Track                     [Page 1]
-
-RFC 3845                DNSSEC NSEC RDATA Format             August 2004
-
-
-1.  Introduction
-
-   The DNS [6][7] NSEC [5] Resource Record (RR) is used for
-   authenticated proof of the non-existence of DNS owner names and
-   types.  The NSEC RR is based on the NXT RR as described in RFC 2535
-   [2], and is similar except for the name and typecode.  The RDATA
-   format for the NXT RR has the limitation in that the RDATA could only
-   carry information about the existence of the first 127 types.  RFC
-   2535 did reserve a bit to specify an extension mechanism, but the
-   mechanism was never actually defined.
-
-   In order to avoid needing to develop an extension mechanism into a
-   deployed base of DNSSEC aware servers and resolvers once the first
-   127 type codes are allocated, this document redefines the wire format
-   of the "Type Bit Map" field in the NSEC RDATA to cover the full RR
-   type space.
-
-   This document introduces a new format for the type bit map.  The
-   properties of the type bit map format are that it can cover the full
-   possible range of typecodes, that it is relatively economical in the
-   amount of space it uses for the common case of a few types with an
-   owner name, that it can represent owner names with all possible types
-   present in packets of approximately 8.5 kilobytes, and that the
-   representation is simple to implement.  Efficient searching of the
-   type bitmap for the presence of certain types is not a requirement.
-
-   For convenience and completeness, this document presents the syntax
-   and semantics for the NSEC RR based on the specification in RFC 2535
-   [2] and as updated by RFC 3755 [5], thereby not introducing changes
-   except for the syntax of the type bit map.
-
-   This document updates RFC 2535 [2] and RFC 3755 [5].
-
-   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
-   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
-   document are to be interpreted as described in BCP 14, RFC 2119 [1].
-
-2.  The NSEC Resource Record
-
-   The NSEC resource record lists two separate things: the owner name of
-   the next RRset in the canonical ordering of the zone, and the set of
-   RR types present at the NSEC RR's owner name.  The complete set of
-   NSEC RRs in a zone indicate which RRsets exist in a zone, and form a
-   chain of owner names in the zone.  This information is used to
-   provide authenticated denial of existence for DNS data, as described
-   in RFC 2535 [2].
-
-   The type value for the NSEC RR is 47.
-
-
-
-Schlyter, Ed.               Standards Track                     [Page 2]
-
-RFC 3845                DNSSEC NSEC RDATA Format             August 2004
-
-
-   The NSEC RR RDATA format is class independent and defined for all
-   classes.
-
-   The NSEC RR SHOULD have the same TTL value as the SOA minimum TTL
-   field.  This is in the spirit of negative caching [8].
-
-2.1.  NSEC RDATA Wire Format
-
-   The RDATA of the NSEC RR is as shown below:
-
-                         1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
-     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-    /                      Next Domain Name                         /
-    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-    /                   List of Type Bit Map(s)                     /
-    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-
-2.1.1.  The Next Domain Name Field
-
-   The Next Domain Name field contains the owner name of the next RR in
-   the canonical ordering of the zone.  The value of the Next Domain
-   Name field in the last NSEC record in the zone is the name of the
-   zone apex (the owner name of the zone's SOA RR).
-
-   A sender MUST NOT use DNS name compression on the Next Domain Name
-   field when transmitting an NSEC RR.
-
-   Owner names of RRsets that are not authoritative for the given zone
-   (such as glue records) MUST NOT be listed in the Next Domain Name
-   unless at least one authoritative RRset exists at the same owner
-   name.
-
-2.1.2.  The List of Type Bit Map(s) Field
-
-   The RR type space is split into 256 window blocks, each representing
-   the low-order 8 bits of the 16-bit RR type space.  Each block that
-   has at least one active RR type is encoded using a single octet
-   window number (from 0 to 255), a single octet bitmap length (from 1
-   to 32) indicating the number of octets used for the window block's
-   bitmap, and up to 32 octets (256 bits) of bitmap.
-
-   Window blocks are present in the NSEC RR RDATA in increasing
-   numerical order.
-
-   "|" denotes concatenation
-
-   Type Bit Map(s) Field = ( Window Block # | Bitmap Length | Bitmap ) +
-
-
-
-Schlyter, Ed.               Standards Track                     [Page 3]
-
-RFC 3845                DNSSEC NSEC RDATA Format             August 2004
-
-
-   Each bitmap encodes the low-order 8 bits of RR types within the
-   window block, in network bit order.  The first bit is bit 0.  For
-   window block 0, bit 1 corresponds to RR type 1 (A), bit 2 corresponds
-   to RR type 2 (NS), and so forth.  For window block 1, bit 1
-   corresponds to RR type 257, and bit 2 to RR type 258.  If a bit is
-   set to 1, it indicates that an RRset of that type is present for the
-   NSEC RR's owner name.  If a bit is set to 0, it indicates that no
-   RRset of that type is present for the NSEC RR's owner name.
-
-   Since bit 0 in window block 0 refers to the non-existing RR type 0,
-   it MUST be set to 0.  After verification, the validator MUST ignore
-   the value of bit 0 in window block 0.
-
-   Bits representing Meta-TYPEs or QTYPEs, as specified in RFC 2929 [3]
-   (section 3.1), or within the range reserved for assignment only to
-   QTYPEs and Meta-TYPEs MUST be set to 0, since they do not appear in
-   zone data.  If encountered, they must be ignored upon reading.
-
-   Blocks with no types present MUST NOT be included.  Trailing zero
-   octets in the bitmap MUST be omitted.  The length of each block's
-   bitmap is determined by the type code with the largest numerical
-   value within that block, among the set of RR types present at the
-   NSEC RR's owner name.  Trailing zero octets not specified MUST be
-   interpreted as zero octets.
-
-2.1.3.  Inclusion of Wildcard Names in NSEC RDATA
-
-   If a wildcard owner name appears in a zone, the wildcard label ("*")
-   is treated as a literal symbol and is treated the same as any other
-   owner name for purposes of generating NSEC RRs.  Wildcard owner names
-   appear in the Next Domain Name field without any wildcard expansion.
-   RFC 2535 [2] describes the impact of wildcards on authenticated
-   denial of existence.
-
-2.2.  The NSEC RR Presentation Format
-
-   The presentation format of the RDATA portion is as follows:
-
-   The Next Domain Name field is represented as a domain name.
-
-   The List of Type Bit Map(s) Field is represented as a sequence of RR
-   type mnemonics.  When the mnemonic is not known, the TYPE
-   representation as described in RFC 3597 [4] (section 5) MUST be used.
-
-
-
-
-
-
-
-
-Schlyter, Ed.               Standards Track                     [Page 4]
-
-RFC 3845                DNSSEC NSEC RDATA Format             August 2004
-
-
-2.3.  NSEC RR Example
-
-   The following NSEC RR identifies the RRsets associated with
-   alfa.example.com. and the next authoritative name after
-   alfa.example.com.
-
-   alfa.example.com. 86400 IN NSEC host.example.com. A MX RRSIG NSEC
-   TYPE1234
-
-   The first four text fields specify the name, TTL, Class, and RR type
-   (NSEC).  The entry host.example.com. is the next authoritative name
-   after alfa.example.com. in canonical order.  The A, MX, RRSIG, NSEC,
-   and TYPE1234 mnemonics indicate there are A, MX, RRSIG, NSEC, and
-   TYPE1234 RRsets associated with the name alfa.example.com.
-
-   The RDATA section of the NSEC RR above would be encoded as:
-
-      0x04 'h'  'o'  's'  't'
-      0x07 'e'  'x'  'a'  'm'  'p'  'l'  'e'
-      0x03 'c'  'o'  'm'  0x00
-      0x00 0x06 0x40 0x01 0x00 0x00 0x00 0x03
-      0x04 0x1b 0x00 0x00 0x00 0x00 0x00 0x00
-      0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
-      0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
-      0x00 0x00 0x00 0x00 0x20
-
-   Assuming that the resolver can authenticate this NSEC record, it
-   could be used to prove that beta.example.com does not exist, or could
-   be used to prove that there is no AAAA record associated with
-   alfa.example.com.  Authenticated denial of existence is discussed in
-   RFC 2535 [2].
-
-3.  IANA Considerations
-
-   This document introduces no new IANA considerations, because all of
-   the protocol parameters used in this document have already been
-   assigned by RFC 3755 [5].
-
-4.  Security Considerations
-
-   The update of the RDATA format and encoding does not affect the
-   security of the use of NSEC RRs.
-
-
-
-
-
-
-
-
-
-Schlyter, Ed.               Standards Track                     [Page 5]
-
-RFC 3845                DNSSEC NSEC RDATA Format             August 2004
-
-
-5.  References
-
-5.1.  Normative References
-
-   [1]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
-        Levels", BCP 14, RFC 2119, March 1997.
-
-   [2]  Eastlake 3rd, D., "Domain Name System Security Extensions", RFC
-        2535, March 1999.
-
-   [3]  Eastlake 3rd, D., Brunner-Williams, E., and B. Manning, "Domain
-        Name System (DNS) IANA Considerations", BCP 42, RFC 2929,
-        September 2000.
-
-   [4]  Gustafsson, A., "Handling of Unknown DNS Resource Record (RR)
-        Types", RFC 3597, September 2003.
-
-   [5]  Weiler, S., "Legacy Resolver Compatibility for Delegation Signer
-        (DS)", RFC 3755, May 2004.
-
-5.2.  Informative References
-
-   [6]  Mockapetris, P., "Domain names - concepts and facilities", STD
-        13, RFC 1034, November 1987.
-
-   [7]  Mockapetris, P., "Domain names - implementation and
-        specification", STD 13, RFC 1035, November 1987.
-
-   [8]  Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)", RFC
-        2308, March 1998.
-
-6.  Acknowledgements
-
-   The encoding described in this document was initially proposed by
-   Mark Andrews.  Other encodings where proposed by David Blacka and
-   Michael Graff.
-
-7.  Author's Address
-
-   Jakob Schlyter (editor)
-   NIC-SE
-   Box 5774
-   Stockholm  SE-114 87
-   Sweden
-
-   EMail: jakob@nic.se
-   URI: http://www.nic.se/
-
-
-
-
-Schlyter, Ed.               Standards Track                     [Page 6]
-
-RFC 3845                DNSSEC NSEC RDATA Format             August 2004
-
-
-8.  Full Copyright Statement
-
-   Copyright (C) The Internet Society (2004).
-
-   This document is subject to the rights, licenses and restrictions
-   contained in BCP 78, and except as set forth therein, the authors
-   retain all their rights.
-
-   This document and the information contained herein are provided on an
-   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/S HE
-   REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE
-   INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR
-   IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
-   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Intellectual Property
-
-   The IETF takes no position regarding the validity or scope of any
-   Intellectual Property Rights or other rights that might be claimed to
-   pertain to the implementation or use of the technology described in
-   this document or the extent to which any license under such rights
-   might or might not be available; nor does it represent that it has
-   made any independent effort to identify any such rights.  Information
-   on the IETF's procedures with respect to rights in IETF Documents can
-   be found in BCP 78 and BCP 79.
-
-   Copies of IPR disclosures made to the IETF Secretariat and any
-   assurances of licenses to be made available, or the result of an
-   attempt made to obtain a general license or permission for the use of
-   such proprietary rights by implementers or users of this
-   specification can be obtained from the IETF on-line IPR repository at
-   http://www.ietf.org/ipr.
-
-   The IETF invites any interested party to bring to its attention any
-   copyrights, patents or patent applications, or other proprietary
-   rights that may cover technology that may be required to implement
-   this standard.  Please address the information to the IETF at ietf-
-   ipr@ietf.org.
-
-Acknowledgement
-
-   Funding for the RFC Editor function is currently provided by the
-   Internet Society.
-
-
-
-
-
-
-
-Schlyter, Ed.               Standards Track                     [Page 7]
-
diff --git a/doc/rfc/rfc3901.txt b/doc/rfc/rfc3901.txt
deleted file mode 100644
index 43b7356e..00000000
--- a/doc/rfc/rfc3901.txt
+++ /dev/null
@@ -1,283 +0,0 @@
-
-
-
-
-
-
-Network Working Group                                          A. Durand
-Request for Comments: 3901                        SUN Microsystems, Inc.
-BCP: 91                                                         J. Ihren
-Category: Best Current Practice                               Autonomica
-                                                          September 2004
-
-
-               DNS IPv6 Transport Operational Guidelines
-
-Status of this Memo
-
-   This document specifies an Internet Best Current Practices for the
-   Internet Community, and requests discussion and suggestions for
-   improvements.  Distribution of this memo is unlimited.
-
-Copyright Notice
-
-   Copyright (C) The Internet Society (2004).
-
-Abstract
-
-   This memo provides guidelines and Best Current Practice for operating
-   DNS in a world where queries and responses are carried in a mixed
-   environment of IPv4 and IPv6 networks.
-
-1.  Introduction to the Problem of Name Space Fragmentation:
-    following the referral chain
-
-   A resolver that tries to look up a name starts out at the root, and
-   follows referrals until it is referred to a name server that is
-   authoritative for the name.  If somewhere down the chain of referrals
-   it is referred to a name server that is only accessible over a
-   transport which the resolver cannot use, the resolver is unable to
-   finish the task.
-
-   When the Internet moves from IPv4 to a mixture of IPv4 and IPv6 it is
-   only a matter of time until this starts to happen.  The complete DNS
-   hierarchy then starts to fragment into a graph where authoritative
-   name servers for certain nodes are only accessible over a certain
-   transport.  The concern is that a resolver using only a particular
-   version of IP and querying information about another node using the
-   same version of IP can not do it because somewhere in the chain of
-   servers accessed during the resolution process, one or more of them
-   will only be accessible with the other version of IP.
-
-   With all DNS data only available over IPv4 transport everything is
-   simple.  IPv4 resolvers can use the intended mechanism of following
-   referrals from the root and down while IPv6 resolvers have to work
-
-
-
-Durand & Ihren           Best Current Practice                  [Page 1]
-
-RFC 3901             DNS IPv6 Transport Guidelines        September 2004
-
-
-   through a "translator", i.e., they have to use a recursive name
-   server on a so-called "dual stack" host as a "forwarder" since they
-   cannot access the DNS data directly.
-
-   With all DNS data only available over IPv6 transport everything would
-   be equally simple, with the exception of IPv4 recursive name servers
-   having to switch to a forwarding configuration.
-
-   However, the second situation will not arise in the foreseeable
-   future.  Instead, the transition will be from IPv4 only to a mixture
-   of IPv4 and IPv6, with three categories of DNS data depending on
-   whether the information is available only over IPv4 transport, only
-   over IPv6 or both.
-
-   Having DNS data available on both transports is the best situation.
-   The major question is how to ensure that it becomes the norm as
-   quickly as possible.  However, while it is obvious that some DNS data
-   will only be available over v4 transport for a long time it is also
-   obvious that it is important to avoid fragmenting the name space
-   available to IPv4 only hosts.  For example, during transition it is
-   not acceptable to break the name space that we presently have
-   available for IPv4-only hosts.
-
-2.  Terminology
-
-   The phrase "IPv4 name server" indicates a name server available over
-   IPv4 transport.  It does not imply anything about what DNS [1,2] data
-   is served.  Likewise, "IPv6 [4,5,6] name server" indicates a name
-   server available over IPv6 transport.  The phrase "dual-stack name
-   server" indicates a name server that is actually configured to run
-   both protocols, IPv4 and IPv6, and not merely a server running on a
-   system capable of running both but actually configured to run only
-   one.
-
-3.  Policy Based Avoidance of Name Space Fragmentation
-
-   Today there are only a few DNS "zones" on the public Internet that
-   are available over IPv6 transport, and most of them can be regarded
-   as "experimental".  However, as soon as the root and top level
-   domains are available over IPv6 transport, it is reasonable to expect
-   that it will become more common to have zones served by IPv6 servers.
-
-   Having those zones served only by IPv6-only name server would not be
-   a good development, since this will fragment the previously
-   unfragmented IPv4 name space and there are strong reasons to find a
-   mechanism to avoid it.
-
-
-
-
-
-Durand & Ihren           Best Current Practice                  [Page 2]
-
-RFC 3901             DNS IPv6 Transport Guidelines        September 2004
-
-
-   The recommended approach to maintain name space continuity is to use
-   administrative policies, as described in the next section.
-
-4.  DNS IPv6 Transport recommended Guidelines
-
-   In order to preserve name space continuity, the following
-   administrative policies are recommended:
-
-      - every recursive name server SHOULD be either IPv4-only or dual
-        stack,
-
-         This rules out IPv6-only recursive servers.  However, one might
-         design configurations where a chain of IPv6-only name server
-         forward queries to a set of dual stack recursive name server
-         actually performing those recursive queries.
-
-      - every DNS zone SHOULD be served by at least one IPv4-reachable
-        authoritative name server.
-
-         This rules out DNS zones served only by IPv6-only authoritative
-         name servers.
-
-   Note: zone validation processes SHOULD ensure that there is at least
-   one IPv4 address record available for the name servers of any child
-   delegations within the zone.
-
-5.  Security Considerations
-
-   The guidelines described in this memo introduce no new security
-   considerations into the DNS protocol or associated operational
-   scenarios.
-
-6.  Acknowledgment
-
-   This document is the result of many conversations that happened in
-   the DNS community at IETF and elsewhere since 2001.  During that
-   period of time, a number of Internet drafts have been published to
-   clarify various aspects of the issues at stake.  This document
-   focuses on the conclusion of those discussions.
-
-   The authors would like to acknowledge the role of Pekka Savola in his
-   thorough review of the document.
-
-
-
-
-
-
-
-
-
-Durand & Ihren           Best Current Practice                  [Page 3]
-
-RFC 3901             DNS IPv6 Transport Guidelines        September 2004
-
-
-7.  Normative References
-
-   [1]  Mockapetris, P., "Domain names - concepts and facilities", STD
-        13, RFC 1034, November 1987.
-
-   [2]  Mockapetris, P., "Domain names - implementation and
-        specification", STD 13, RFC 1035, November 1987.
-
-   [3]  Bradner, S., "The Internet Standards Process -- Revision 3", BCP
-        9, RFC 2026, October 1996.
-
-   [4]  Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6)
-        Specification", RFC 2460, December 1998.
-
-   [5]  Hinden, R. and S. Deering, "Internet Protocol Version 6 (IPv6)
-        Addressing Architecture", RFC 3513, April 2003.
-
-   [6]  Thomson, S., Huitema, C., Ksinant, V., and M. Souissi, "DNS
-        Extensions to Support IP Version 6", RFC 3596, October 2003.
-
-8.  Authors' Addresses
-
-   Alain Durand
-   SUN Microsystems, Inc
-   17 Network circle UMPK17-202
-   Menlo Park, CA, 94025
-   USA
-
-   EMail: Alain.Durand@sun.com
-
-
-   Johan Ihren
-   Autonomica
-   Bellmansgatan 30
-   SE-118 47 Stockholm
-   Sweden
-
-   EMail: johani@autonomica.se
-
-
-
-
-
-
-
-
-
-
-
-
-
-Durand & Ihren           Best Current Practice                  [Page 4]
-
-RFC 3901             DNS IPv6 Transport Guidelines        September 2004
-
-
-9.  Full Copyright Statement
-
-   Copyright (C) The Internet Society (2004).
-
-   This document is subject to the rights, licenses and restrictions
-   contained in BCP 78, and except as set forth therein, the authors
-   retain all their rights.
-
-   This document and the information contained herein are provided on an
-   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/S HE
-   REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE
-   INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR
-   IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
-   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Intellectual Property
-
-   The IETF takes no position regarding the validity or scope of any
-   Intellectual Property Rights or other rights that might be claimed to
-   pertain to the implementation or use of the technology described in
-   this document or the extent to which any license under such rights
-   might or might not be available; nor does it represent that it has
-   made any independent effort to identify any such rights.  Information
-   on the IETF's procedures with respect to rights in IETF Documents can
-   be found in BCP 78 and BCP 79.
-
-   Copies of IPR disclosures made to the IETF Secretariat and any
-   assurances of licenses to be made available, or the result of an
-   attempt made to obtain a general license or permission for the use of
-   such proprietary rights by implementers or users of this
-   specification can be obtained from the IETF on-line IPR repository at
-   http://www.ietf.org/ipr.
-
-   The IETF invites any interested party to bring to its attention any
-   copyrights, patents or patent applications, or other proprietary
-   rights that may cover technology that may be required to implement
-   this standard.  Please address the information to the IETF at ietf-
-   ipr@ietf.org.
-
-Acknowledgement
-
-   Funding for the RFC Editor function is currently provided by the
-   Internet Society.
-
-
-
-
-
-
-
-Durand & Ihren           Best Current Practice                  [Page 5]
-
diff --git a/doc/rfc/rfc4025.txt b/doc/rfc/rfc4025.txt
deleted file mode 100644
index 92e7f400..00000000
--- a/doc/rfc/rfc4025.txt
+++ /dev/null
@@ -1,675 +0,0 @@
-
-
-
-
-
-
-Network Working Group                                      M. Richardson
-Request for Comments: 4025                                           SSW
-Category: Standards Track                                   February 2005
-
-
-           A Method for Storing IPsec Keying Material in DNS
-
-Status of This Memo
-
-   This document specifies an Internet standards track protocol for the
-   Internet community, and requests discussion and suggestions for
-   improvements.  Please refer to the current edition of the "Internet
-   Official Protocol Standards" (STD 1) for the standardization state
-   and status of this protocol.  Distribution of this memo is unlimited.
-
-Copyright Notice
-
-   Copyright (C) The Internet Society (2005).
-
-Abstract
-
-   This document describes a new resource record for the Domain Name
-   System (DNS).  This record may be used to store public keys for use
-   in IP security (IPsec) systems.  The record also includes provisions
-   for indicating what system should be contacted when an IPsec tunnel
-   is established with the entity in question.
-
-   This record replaces the functionality of the sub-type #4 of the KEY
-   Resource Record, which has been obsoleted by RFC 3445.
-
-Table of Contents
-
-   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  2
-       1.1.  Overview . . . . . . . . . . . . . . . . . . . . . . . .  2
-       1.2.  Use of DNS Address-to-Name Maps (IN-ADDR.ARPA and
-             IP6.ARPA)  . . . . . . . . . . . . . . . . . . . . . . .  3
-       1.3.  Usage Criteria . . . . . . . . . . . . . . . . . . . . .  3
-   2.  Storage Formats  . . . . . . . . . . . . . . . . . . . . . . .  3
-       2.1.  IPSECKEY RDATA Format  . . . . . . . . . . . . . . . . .  3
-       2.2.  RDATA Format - Precedence  . . . . . . . . . . . . . . .  4
-       2.3.  RDATA Format - Gateway Type  . . . . . . . . . . . . . .  4
-       2.4.  RDATA Format - Algorithm Type  . . . . . . . . . . . . .  4
-       2.5.  RDATA Format - Gateway . . . . . . . . . . . . . . . . .  5
-       2.6.  RDATA Format - Public Keys . . . . . . . . . . . . . . .  5
-   3.  Presentation Formats . . . . . . . . . . . . . . . . . . . . .  6
-       3.1.  Representation of IPSECKEY RRs . . . . . . . . . . . . .  6
-       3.2.  Examples . . . . . . . . . . . . . . . . . . . . . . . .  6
-   4.  Security Considerations  . . . . . . . . . . . . . . . . . . .  7
-
-
-
-Richardson                  Standards Track                     [Page 1]
-
-RFC 4025          Storing IPsec Keying Material in DNS     February 2005
-
-
-       4.1.  Active Attacks Against Unsecured IPSECKEY Resource
-             Records  . . . . . . . . . . . . . . . . . . . . . . . .  8
-             4.1.1.  Active Attacks Against IPSECKEY Keying
-                     Materials. . . . . . . . . . . . . . . . . . . .  8
-             4.1.2.  Active Attacks Against IPSECKEY Gateway
-                     Material. . . . . . . . . . . . . . . . . . . .   8
-   5.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . .  9
-   6.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10
-   7.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 10
-       7.1.  Normative References . . . . . . . . . . . . . . . . . . 10
-       7.2.  Informative References . . . . . . . . . . . . . . . . . 10
-   Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 11
-   Full Copyright Statement . . . . . . . . . . . . . . . . . . . . . 12
-
-1.  Introduction
-
-   Suppose a host wishes (or is required by policy) to establish an
-   IPsec tunnel with some remote entity on the network prior to allowing
-   normal communication to take place.  In many cases, this end system
-   will be able to determine the DNS name for the remote entity (either
-   by having the DNS name given explicitly, by performing a DNS PTR
-   query for a particular IP address, or through some other means, e.g.,
-   by extracting the DNS portion of a "user@FQDN" name for a remote
-   entity).  In these cases, the host will need to obtain a public key
-   to authenticate the remote entity, and may also need some guidance
-   about whether it should contact the entity directly or use another
-   node as a gateway to the target entity.  The IPSECKEY RR provides a
-   mechanism for storing such information.
-
-   The type number for the IPSECKEY RR is 45.
-
-   This record replaces the functionality of the sub-type #4 of the KEY
-   Resource Record, which has been obsoleted by RFC 3445 [11].
-
-1.1.  Overview
-
-   The IPSECKEY resource record (RR) is used to publish a public key
-   that is to be associated with a Domain Name System (DNS) [1] name for
-   use with the IPsec protocol suite.  This can be the public key of a
-   host, network, or application (in the case of per-port keying).
-
-   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
-   "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and "OPTIONAL" in this
-   document are to be interpreted as described in RFC 2119 [3].
-
-
-
-
-
-
-
-Richardson                  Standards Track                     [Page 2]
-
-RFC 4025          Storing IPsec Keying Material in DNS     February 2005
-
-
-1.2.  Use of DNS Address-to-Name Maps (IN-ADDR.ARPA and IP6.ARPA)
-
-   Often a security gateway will only have access to the IP address of
-   the node with which communication is desired and will not know any
-   other name for the target node.  Because of this, frequently the best
-   way of looking up IPSECKEY RRs will be by using the IP address as an
-   index into one of the reverse mapping trees (IN-ADDR.ARPA for IPv4 or
-   IP6.ARPA for IPv6).
-
-   The lookup is done in the fashion usual for PTR records.  The IP
-   address' octets (IPv4) or nibbles (IPv6) are reversed and looked up
-   with the appropriate suffix.  Any CNAMEs or DNAMEs found MUST be
-   followed.
-
-   Note: even when the IPsec function is contained in the end-host,
-   often only the application will know the forward name used.  Although
-   the case where the application knows the forward name is common, the
-   user could easily have typed in a literal IP address.  This storage
-   mechanism does not preclude using the forward name when it is
-   available but does not require it.
-
-1.3.  Usage Criteria
-
-   An IPSECKEY resource record SHOULD be used in combination with DNSSEC
-   [8] unless some other means of authenticating the IPSECKEY resource
-   record is available.
-
-   It is expected that there will often be multiple IPSECKEY resource
-   records at the same name.  This will be due to the presence of
-   multiple gateways and a need to roll over keys.
-
-   This resource record is class independent.
-
-2.  Storage Formats
-
-2.1.  IPSECKEY RDATA Format
-
-   The RDATA for an IPSECKEY RR consists of a precedence value, a
-   gateway type, a public key, algorithm type, and an optional gateway
-   address.
-
-
-
-
-
-
-
-
-
-
-
-Richardson                  Standards Track                     [Page 3]
-
-RFC 4025          Storing IPsec Keying Material in DNS     February 2005
-
-
-       0                   1                   2                   3
-       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      |  precedence   | gateway type  |  algorithm  |     gateway     |
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-------------+                 +
-      ~                            gateway                            ~
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      |                                                               /
-      /                          public key                           /
-      /                                                               /
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
-
-2.2.  RDATA Format - Precedence
-
-   This is an 8-bit precedence for this record.  It is interpreted in
-   the same way as the PREFERENCE field described in section 3.3.9 of
-   RFC 1035 [2].
-
-   Gateways listed in IPSECKEY records with lower precedence are to be
-   attempted first.  Where there is a tie in precedence, the order
-   should be non-deterministic.
-
-2.3.  RDATA Format - Gateway Type
-
-   The gateway type field indicates the format of the information that
-   is stored in the gateway field.
-
-   The following values are defined:
-   0  No gateway is present.
-   1  A 4-byte IPv4 address is present.
-   2  A 16-byte IPv6 address is present.
-   3  A wire-encoded domain name is present.  The wire-encoded format is
-      self-describing, so the length is implicit.  The domain name MUST
-      NOT be compressed.  (See Section 3.3 of RFC 1035 [2].)
-
-2.4.  RDATA Format - Algorithm Type
-
-   The algorithm type field identifies the public key's cryptographic
-   algorithm and determines the format of the public key field.
-
-   A value of 0 indicates that no key is present.
-
-   The following values are defined:
-   1  A DSA key is present, in the format defined in RFC 2536 [9].
-   2  A RSA key is present, in the format defined in RFC 3110 [10].
-
-
-
-
-
-
-Richardson                  Standards Track                     [Page 4]
-
-RFC 4025          Storing IPsec Keying Material in DNS     February 2005
-
-
-2.5.  RDATA Format - Gateway
-
-   The gateway field indicates a gateway to which an IPsec tunnel may be
-   created in order to reach the entity named by this resource record.
-
-   There are three formats:
-
-   A 32-bit IPv4 address is present in the gateway field.  The data
-   portion is an IPv4 address as described in section 3.4.1 of RFC 1035
-   [2].  This is a 32-bit number in network byte order.
-
-   A 128-bit IPv6 address is present in the gateway field.  The data
-   portion is an IPv6 address as described in section 2.2 of RFC 3596
-   [12].  This is a 128-bit number in network byte order.
-
-   The gateway field is a normal wire-encoded domain name, as described
-   in section 3.3 of RFC 1035 [2].  Compression MUST NOT be used.
-
-2.6.  RDATA Format - Public Keys
-
-   Both the public key types defined in this document (RSA and DSA)
-   inherit their public key formats from the corresponding KEY RR
-   formats.  Specifically, the public key field contains the
-   algorithm-specific portion of the KEY RR RDATA, which is all the KEY
-   RR DATA after the first four octets.  This is the same portion of the
-   KEY RR that must be specified by documents that define a DNSSEC
-   algorithm.  Those documents also specify a message digest to be used
-   for generation of SIG RRs; that specification is not relevant for
-   IPSECKEY RRs.
-
-   Future algorithms, if they are to be used by both DNSSEC (in the KEY
-   RR) and IPSECKEY, are likely to use the same public key encodings in
-   both records.  Unless otherwise specified, the IPSECKEY public key
-   field will contain the algorithm-specific portion of the KEY RR RDATA
-   for the corresponding algorithm.  The algorithm must still be
-   designated for use by IPSECKEY, and an IPSECKEY algorithm type number
-   (which might be different from the DNSSEC algorithm number) must be
-   assigned to it.
-
-   The DSA key format is defined in RFC 2536 [9]
-
-   The RSA key format is defined in RFC 3110 [10], with the following
-   changes:
-
-   The earlier definition of RSA/MD5 in RFC 2065 [4] limited the
-   exponent and modulus to 2552 bits in length.  RFC 3110 extended that
-   limit to 4096 bits for RSA/SHA1 keys.  The IPSECKEY RR imposes no
-   length limit on RSA public keys, other than the 65535 octet limit
-
-
-
-Richardson                  Standards Track                     [Page 5]
-
-RFC 4025          Storing IPsec Keying Material in DNS     February 2005
-
-
-   imposed by the two-octet length encoding.  This length extension is
-   applicable only to IPSECKEY; it is not applicable to KEY RRs.
-
-3.  Presentation Formats
-
-3.1.  Representation of IPSECKEY RRs
-
-   IPSECKEY RRs may appear in a zone data master file.  The precedence,
-   gateway type, algorithm, and gateway fields are REQUIRED.  The base64
-   encoded public key block is OPTIONAL; if it is not present, the
-   public key field of the resource record MUST be construed to be zero
-   octets in length.
-
-   The algorithm field is an unsigned integer.  No mnemonics are
-   defined.
-
-   If no gateway is to be indicated, then the gateway type field MUST be
-   zero, and the gateway field MUST be "."
-
-   The Public Key field is represented as a Base64 encoding of the
-   Public Key.  Whitespace is allowed within the Base64 text.  For a
-   definition of Base64 encoding, see RFC 3548 [6], Section 5.2.
-
-   The general presentation for the record is as follows:
-
-   IN     IPSECKEY ( precedence gateway-type algorithm
-                     gateway base64-encoded-public-key )
-
-3.2.  Examples
-
-   An example of a node, 192.0.2.38, that will accept IPsec tunnels on
-   its own behalf.
-
-   38.2.0.192.in-addr.arpa. 7200 IN     IPSECKEY ( 10 1 2
-                    192.0.2.38
-                    AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== )
-
-   An example of a node, 192.0.2.38, that has published its key only.
-
-   38.2.0.192.in-addr.arpa. 7200 IN     IPSECKEY ( 10 0 2
-                    .
-                    AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== )
-
-
-
-
-
-
-
-
-
-Richardson                  Standards Track                     [Page 6]
-
-RFC 4025          Storing IPsec Keying Material in DNS     February 2005
-
-
-   An example of a node, 192.0.2.38, that has delegated authority to the
-   node 192.0.2.3.
-
-   38.2.0.192.in-addr.arpa. 7200 IN     IPSECKEY ( 10 1 2
-                    192.0.2.3
-                    AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== )
-
-   An example of a node, 192.0.1.38 that has delegated authority to the
-   node with the identity "mygateway.example.com".
-
-   38.1.0.192.in-addr.arpa. 7200 IN     IPSECKEY ( 10 3 2
-                    mygateway.example.com.
-                    AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== )
-
-   An example of a node, 2001:0DB8:0200:1:210:f3ff:fe03:4d0, that has
-   delegated authority to the node 2001:0DB8:c000:0200:2::1
-
-   $ORIGIN 1.0.0.0.0.0.2.8.B.D.0.1.0.0.2.ip6.arpa.
-   0.d.4.0.3.0.e.f.f.f.3.f.0.1.2.0 7200 IN     IPSECKEY ( 10 2 2
-                    2001:0DB8:0:8002::2000:1
-                    AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== )
-
-4.  Security Considerations
-
-   This entire memo pertains to the provision of public keying material
-   for use by key management protocols such as ISAKMP/IKE (RFC 2407)
-   [7].
-
-   The IPSECKEY resource record contains information that SHOULD be
-   communicated to the end client in an integral fashion; i.e., free
-   from modification.  The form of this channel is up to the consumer of
-   the data; there must be a trust relationship between the end consumer
-   of this resource record and the server.  This relationship may be
-   end-to-end DNSSEC validation, a TSIG or SIG(0) channel to another
-   secure source, a secure local channel on the host, or some
-   combination of the above.
-
-   The keying material provided by the IPSECKEY resource record is not
-   sensitive to passive attacks.  The keying material may be freely
-   disclosed to any party without any impact on the security properties
-   of the resulting IPsec session.  IPsec and IKE provide defense
-   against both active and passive attacks.
-
-   Any derivative specification that makes use of this resource record
-   MUST carefully document its trust model and why the trust model of
-   DNSSEC is appropriate, if that is the secure channel used.
-
-
-
-
-
-Richardson                  Standards Track                     [Page 7]
-
-RFC 4025          Storing IPsec Keying Material in DNS     February 2005
-
-
-   An active attack on the DNS that caused the wrong IP address to be
-   retrieved (via forged address), and therefore the wrong QNAME to be
-   queried, would also result in a man-in-the-middle attack.  This
-   situation is independent of whether the IPSECKEY RR is used.
-
-4.1.  Active Attacks Against Unsecured IPSECKEY Resource Records
-
-   This section deals with active attacks against the DNS.  These
-   attacks require that DNS requests and responses be intercepted and
-   changed.  DNSSEC is designed to defend against attacks of this kind.
-   This section deals with the situation in which DNSSEC is not
-   available.  This is not the recommended deployment scenario.
-
-4.1.1.  Active Attacks Against IPSECKEY Keying Materials
-
-   The first kind of active attack is when the attacker replaces the
-   keying material with either a key under its control or with garbage.
-
-   The gateway field is either untouched or is null.  The IKE
-   negotiation will therefore occur with the original end-system.  For
-   this attack to succeed, the attacker must perform a man-in-the-middle
-   attack on the IKE negotiation.  This attack requires that the
-   attacker be able to intercept and modify packets on the forwarding
-   path for the IKE and data packets.
-
-   If the attacker is not able to perform this man-in-the-middle attack
-   on the IKE negotiation, then a denial of service will result, as the
-   IKE negotiation will fail.
-
-   If the attacker is not only able to mount active attacks against DNS
-   but also in a position to perform a man-in-the-middle attack on IKE
-   and IPsec negotiations, then the attacker will be able to compromise
-   the resulting IPsec channel.  Note that an attacker must be able to
-   perform active DNS attacks on both sides of the IKE negotiation for
-   this to succeed.
-
-4.1.2.  Active Attacks Against IPSECKEY Gateway Material
-
-   The second kind of active attack is one in which the attacker
-   replaces the gateway address to point to a node under the attacker's
-   control.  The attacker then either replaces the public key or removes
-   it.  If the public key were removed, then the attacker could provide
-   an accurate public key of its own in a second record.
-
-   This second form creates a simple man-in-the-middle attacks since the
-   attacker can then create a second tunnel to the real destination.
-   Note that, as before, this requires that the attacker also mount an
-   active attack against the responder.
-
-
-
-Richardson                  Standards Track                     [Page 8]
-
-RFC 4025          Storing IPsec Keying Material in DNS     February 2005
-
-
-   Note that the man-in-the-middle cannot just forward cleartext packets
-   to the original destination.  While the destination may be willing to
-   speak in the clear, replying to the original sender, the sender will
-   already have created a policy expecting ciphertext.  Thus, the
-   attacker will need to intercept traffic in both directions.  In some
-   cases, the attacker may be able to accomplish the full intercept by
-   use of Network Address/Port Translation (NAT/NAPT) technology.
-
-   This attack is easier than the first one because the attacker does
-   NOT need to be on the end-to-end forwarding path.  The attacker need
-   only be able to modify DNS replies.  This can be done by packet
-   modification, by various kinds of race attacks, or through methods
-   that pollute DNS caches.
-
-   If the end-to-end integrity of the IPSECKEY RR is suspect, the end
-   client MUST restrict its use of the IPSECKEY RR to cases where the RR
-   owner name matches the content of the gateway field.  As the RR owner
-   name is assumed when the gateway field is null, a null gateway field
-   is considered a match.
-
-   Thus, any records obtained under unverified conditions (e.g., no
-   DNSSEC or trusted path to source) that have a non-null gateway field
-   MUST be ignored.
-
-   This restriction eliminates attacks against the gateway field, which
-   are considered much easier, as the attack does not need to be on the
-   forwarding path.
-
-   In the case of an IPSECKEY RR with a value of three in its gateway
-   type field, the gateway field contains a domain name.  The subsequent
-   query required to translate that name into an IP address or IPSECKEY
-   RR will also be subject to man-in-the-middle attacks.  If the
-   end-to-end integrity of this second query is suspect, then the
-   provisions above also apply.  The IPSECKEY RR MUST be ignored
-   whenever the resulting gateway does not match the QNAME of the
-   original IPSECKEY RR query.
-
-5.  IANA Considerations
-
-   This document updates the IANA Registry for DNS Resource Record Types
-   by assigning type 45 to the IPSECKEY record.
-
-   This document creates two new IANA registries, both specific to the
-   IPSECKEY Resource Record:
-
-   This document creates an IANA registry for the algorithm type field.
-
-
-
-
-
-Richardson                  Standards Track                     [Page 9]
-
-RFC 4025          Storing IPsec Keying Material in DNS     February 2005
-
-
-   Values 0, 1, and 2 are defined in Section 2.4.  Algorithm numbers 3
-   through 255 can be assigned by IETF Consensus (see RFC 2434 [5]).
-
-   This document creates an IANA registry for the gateway type field.
-
-   Values 0, 1, 2, and 3 are defined in Section 2.3.  Gateway type
-   numbers 4 through 255 can be assigned by Standards Action (see RFC
-   2434 [5]).
-
-6.  Acknowledgements
-
-   My thanks to Paul Hoffman, Sam Weiler, Jean-Jacques Puig, Rob
-   Austein, and Olafur Gudmundsson, who reviewed this document
-   carefully.  Additional thanks to Olafur Gurmundsson for a reference
-   implementation.
-
-7.  References
-
-7.1.  Normative References
-
-   [1]  Mockapetris, P., "Domain names - concepts and facilities", STD
-        13, RFC 1034, November 1987.
-
-   [2]  Mockapetris, P., "Domain names - implementation and
-        specification", STD 13, RFC 1035, November 1987.
-
-   [3]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
-        Levels", BCP 14, RFC 2119, March 1997.
-
-   [4]  Eastlake 3rd, D. and C. Kaufman, "Domain Name System Security
-        Extensions", RFC 2065, January 1997.
-
-   [5]  Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA
-        Considerations Section in RFCs", BCP 26, RFC 2434, October 1998.
-
-   [6]  Josefsson, S., "The Base16, Base32, and Base64 Data Encodings",
-        RFC 3548, July 2003.
-
-7.2.  Informative References
-
-   [7]  Piper, D., "The Internet IP Security Domain of Interpretation
-        for ISAKMP", RFC 2407, November 1998.
-
-   [8]  Eastlake 3rd, D., "Domain Name System Security Extensions", RFC
-        2535, March 1999.
-
-   [9]  Eastlake 3rd, D., "DSA KEYs and SIGs in the Domain Name System
-        (DNS)", RFC 2536, March 1999.
-
-
-
-Richardson                  Standards Track                    [Page 10]
-
-RFC 4025          Storing IPsec Keying Material in DNS     February 2005
-
-
-   [10] Eastlake 3rd, D., "RSA/SHA-1 SIGs and RSA KEYs in the Domain
-        Name System (DNS)", RFC 3110, May 2001.
-
-   [11] Massey, D. and S. Rose, "Limiting the Scope of the KEY Resource
-        Record (RR)", RFC 3445, December 2002.
-
-   [12] Thomson, S., Huitema, C., Ksinant, V., and M. Souissi, "DNS
-        Extensions to Support IP Version 6", RFC 3596, October 2003.
-
-Author's Address
-
-   Michael C. Richardson
-   Sandelman Software Works
-   470 Dawson Avenue
-   Ottawa, ON  K1Z 5V7
-   CA
-
-   EMail: mcr@sandelman.ottawa.on.ca
-   URI:   http://www.sandelman.ottawa.on.ca/
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Richardson                  Standards Track                    [Page 11]
-
-RFC 4025          Storing IPsec Keying Material in DNS     February 2005
-
-
-Full Copyright Statement
-
-   Copyright (C) The Internet Society (2005).
-
-   This document is subject to the rights, licenses and restrictions
-   contained in BCP 78, and except as set forth therein, the authors
-   retain all their rights.
-
-   This document and the information contained herein are provided on an
-   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
-   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
-   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
-   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
-   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Intellectual Property
-
-   The IETF takes no position regarding the validity or scope of any
-   Intellectual Property Rights or other rights that might be claimed to
-   pertain to the implementation or use of the technology described in
-   this document or the extent to which any license under such rights
-   might or might not be available; nor does it represent that it has
-   made any independent effort to identify any such rights.  Information
-   on the IETF's procedures with respect to rights in IETF Documents can
-   be found in BCP 78 and BCP 79.
-
-   Copies of IPR disclosures made to the IETF Secretariat and any
-   assurances of licenses to be made available, or the result of an
-   attempt made to obtain a general license or permission for the use of
-   such proprietary rights by implementers or users of this
-   specification can be obtained from the IETF on-line IPR repository at
-   http://www.ietf.org/ipr.
-
-   The IETF invites any interested party to bring to its attention any
-   copyrights, patents or patent applications, or other proprietary
-   rights that may cover technology that may be required to implement
-   this standard.  Please address the information to the IETF at ietf-
-   ipr@ietf.org.
-
-Acknowledgement
-
-   Funding for the RFC Editor function is currently provided by the
-   Internet Society.
-
-
-
-
-
-
-
-Richardson                  Standards Track                    [Page 12]
-
diff --git a/doc/rfc/rfc4033.txt b/doc/rfc/rfc4033.txt
deleted file mode 100644
index 7f0a4647..00000000
--- a/doc/rfc/rfc4033.txt
+++ /dev/null
@@ -1,1179 +0,0 @@
-
-
-
-
-
-
-Network Working Group                                          R. Arends
-Request for Comments: 4033                          Telematica Instituut
-Obsoletes: 2535, 3008, 3090, 3445, 3655, 3658,                R. Austein
-           3755, 3757, 3845                                          ISC
-Updates: 1034, 1035, 2136, 2181, 2308, 3225,                   M. Larson
-         3007, 3597, 3226                                       VeriSign
-Category: Standards Track                                      D. Massey
-                                               Colorado State University
-                                                                 S. Rose
-                                                                    NIST
-                                                              March 2005
-
-
-               DNS Security Introduction and Requirements
-
-Status of This Memo
-
-   This document specifies an Internet standards track protocol for the
-   Internet community, and requests discussion and suggestions for
-   improvements.  Please refer to the current edition of the "Internet
-   Official Protocol Standards" (STD 1) for the standardization state
-   and status of this protocol.  Distribution of this memo is unlimited.
-
-Copyright Notice
-
-   Copyright (C) The Internet Society (2005).
-
-Abstract
-
-   The Domain Name System Security Extensions (DNSSEC) add data origin
-   authentication and data integrity to the Domain Name System.  This
-   document introduces these extensions and describes their capabilities
-   and limitations.  This document also discusses the services that the
-   DNS security extensions do and do not provide.  Last, this document
-   describes the interrelationships between the documents that
-   collectively describe DNSSEC.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Arends, et al.              Standards Track                     [Page 1]
-
-RFC 4033       DNS Security Introduction and Requirements     March 2005
-
-
-Table of Contents
-
-   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . .   2
-   2.  Definitions of Important DNSSEC Terms  . . . . . . . . . . .   3
-   3.  Services Provided by DNS Security  . . . . . . . . . . . . .   7
-       3.1.  Data Origin Authentication and Data Integrity  . . . .   7
-       3.2.  Authenticating Name and Type Non-Existence . . . . . .   9
-   4.  Services Not Provided by DNS Security  . . . . . . . . . . .   9
-   5.  Scope of the DNSSEC Document Set and Last Hop Issues . . . .   9
-   6.  Resolver Considerations  . . . . . . . . . . . . . . . . . .  10
-   7.  Stub Resolver Considerations . . . . . . . . . . . . . . . .  11
-   8.  Zone Considerations  . . . . . . . . . . . . . . . . . . . .  12
-       8.1.  TTL Values vs. RRSIG Validity Period . . . . . . . . .  13
-       8.2.  New Temporal Dependency Issues for Zones . . . . . . .  13
-   9.  Name Server Considerations . . . . . . . . . . . . . . . . .  13
-   10. DNS Security Document Family . . . . . . . . . . . . . . . .  14
-   11. IANA Considerations  . . . . . . . . . . . . . . . . . . . .  15
-   12. Security Considerations  . . . . . . . . . . . . . . . . . .  15
-   13. Acknowledgements . . . . . . . . . . . . . . . . . . . . . .  17
-   14. References . . . . . . . . . . . . . . . . . . . . . . . . .  17
-       14.1. Normative References . . . . . . . . . . . . . . . . .  17
-       14.2. Informative References . . . . . . . . . . . . . . . .  18
-   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . .  20
-   Full Copyright Statement . . . . . . . . . . . . . . . . . . . .  21
-
-1.  Introduction
-
-   This document introduces the Domain Name System Security Extensions
-   (DNSSEC).  This document and its two companion documents ([RFC4034]
-   and [RFC4035]) update, clarify, and refine the security extensions
-   defined in [RFC2535] and its predecessors.  These security extensions
-   consist of a set of new resource record types and modifications to
-   the existing DNS protocol ([RFC1035]).  The new records and protocol
-   modifications are not fully described in this document, but are
-   described in a family of documents outlined in Section 10.  Sections
-   3 and 4 describe the capabilities and limitations of the security
-   extensions in greater detail.  Section 5 discusses the scope of the
-   document set.  Sections 6, 7, 8, and 9 discuss the effect that these
-   security extensions will have on resolvers, stub resolvers, zones,
-   and name servers.
-
-   This document and its two companions obsolete [RFC2535], [RFC3008],
-   [RFC3090], [RFC3445], [RFC3655], [RFC3658], [RFC3755], [RFC3757], and
-   [RFC3845].  This document set also updates but does not obsolete
-   [RFC1034], [RFC1035], [RFC2136], [RFC2181], [RFC2308], [RFC3225],
-   [RFC3007], [RFC3597], and the portions of [RFC3226] that deal with
-   DNSSEC.
-
-
-
-
-Arends, et al.              Standards Track                     [Page 2]
-
-RFC 4033       DNS Security Introduction and Requirements     March 2005
-
-
-   The DNS security extensions provide origin authentication and
-   integrity protection for DNS data, as well as a means of public key
-   distribution.  These extensions do not provide confidentiality.
-
-2.  Definitions of Important DNSSEC Terms
-
-   This section defines a number of terms used in this document set.
-   Because this is intended to be useful as a reference while reading
-   the rest of the document set, first-time readers may wish to skim
-   this section quickly, read the rest of this document, and then come
-   back to this section.
-
-   Authentication Chain: An alternating sequence of DNS public key
-      (DNSKEY) RRsets and Delegation Signer (DS) RRsets forms a chain of
-      signed data, with each link in the chain vouching for the next.  A
-      DNSKEY RR is used to verify the signature covering a DS RR and
-      allows the DS RR to be authenticated.  The DS RR contains a hash
-      of another DNSKEY RR and this new DNSKEY RR is authenticated by
-      matching the hash in the DS RR.  This new DNSKEY RR in turn
-      authenticates another DNSKEY RRset and, in turn, some DNSKEY RR in
-      this set may be used to authenticate another DS RR, and so forth
-      until the chain finally ends with a DNSKEY RR whose corresponding
-      private key signs the desired DNS data.  For example, the root
-      DNSKEY RRset can be used to authenticate the DS RRset for
-      "example."  The "example." DS RRset contains a hash that matches
-      some "example." DNSKEY, and this DNSKEY's corresponding private
-      key signs the "example." DNSKEY RRset.  Private key counterparts
-      of the "example." DNSKEY RRset sign data records such as
-      "www.example." and DS RRs for delegations such as
-      "subzone.example."
-
-   Authentication Key: A public key that a security-aware resolver has
-      verified and can therefore use to authenticate data.  A
-      security-aware resolver can obtain authentication keys in three
-      ways.  First, the resolver is generally configured to know about
-      at least one public key; this configured data is usually either
-      the public key itself or a hash of the public key as found in the
-      DS RR (see "trust anchor").  Second, the resolver may use an
-      authenticated public key to verify a DS RR and the DNSKEY RR to
-      which the DS RR refers.  Third, the resolver may be able to
-      determine that a new public key has been signed by the private key
-      corresponding to another public key that the resolver has
-      verified.  Note that the resolver must always be guided by local
-      policy when deciding whether to authenticate a new public key,
-      even if the local policy is simply to authenticate any new public
-      key for which the resolver is able verify the signature.
-
-
-
-
-
-Arends, et al.              Standards Track                     [Page 3]
-
-RFC 4033       DNS Security Introduction and Requirements     March 2005
-
-
-   Authoritative RRset: Within the context of a particular zone, an
-      RRset is "authoritative" if and only if the owner name of the
-      RRset lies within the subset of the name space that is at or below
-      the zone apex and at or above the cuts that separate the zone from
-      its children, if any.  All RRsets at the zone apex are
-      authoritative, except for certain RRsets at this domain name that,
-      if present, belong to this zone's parent.  These RRset could
-      include a DS RRset, the NSEC RRset referencing this DS RRset (the
-      "parental NSEC"), and RRSIG RRs associated with these RRsets, all
-      of which are authoritative in the parent zone.  Similarly, if this
-      zone contains any delegation points, only the parental NSEC RRset,
-      DS RRsets, and any RRSIG RRs associated with these RRsets are
-      authoritative for this zone.
-
-   Delegation Point: Term used to describe the name at the parental side
-      of a zone cut.  That is, the delegation point for "foo.example"
-      would be the foo.example node in the "example" zone (as opposed to
-      the zone apex of the "foo.example" zone).  See also zone apex.
-
-   Island of Security: Term used to describe a signed, delegated zone
-      that does not have an authentication chain from its delegating
-      parent.  That is, there is no DS RR containing a hash of a DNSKEY
-      RR for the island in its delegating parent zone (see [RFC4034]).
-      An island of security is served by security-aware name servers and
-      may provide authentication chains to any delegated child zones.
-      Responses from an island of security or its descendents can only
-      be authenticated if its authentication keys can be authenticated
-      by some trusted means out of band from the DNS protocol.
-
-   Key Signing Key (KSK): An authentication key that corresponds to a
-      private key used to sign one or more other authentication keys for
-      a given zone.  Typically, the private key corresponding to a key
-      signing key will sign a zone signing key, which in turn has a
-      corresponding private key that will sign other zone data.  Local
-      policy may require that the zone signing key be changed
-      frequently, while the key signing key may have a longer validity
-      period in order to provide a more stable secure entry point into
-      the zone.  Designating an authentication key as a key signing key
-      is purely an operational issue: DNSSEC validation does not
-      distinguish between key signing keys and other DNSSEC
-      authentication keys, and it is possible to use a single key as
-      both a key signing key and a zone signing key.  Key signing keys
-      are discussed in more detail in [RFC3757].  Also see zone signing
-      key.
-
-
-
-
-
-
-
-Arends, et al.              Standards Track                     [Page 4]
-
-RFC 4033       DNS Security Introduction and Requirements     March 2005
-
-
-   Non-Validating Security-Aware Stub Resolver: A security-aware stub
-      resolver that trusts one or more security-aware recursive name
-      servers to perform most of the tasks discussed in this document
-      set on its behalf.  In particular, a non-validating security-aware
-      stub resolver is an entity that sends DNS queries, receives DNS
-      responses, and is capable of establishing an appropriately secured
-      channel to a security-aware recursive name server that will
-      provide these services on behalf of the security-aware stub
-      resolver.  See also security-aware stub resolver, validating
-      security-aware stub resolver.
-
-   Non-Validating Stub Resolver: A less tedious term for a
-      non-validating security-aware stub resolver.
-
-   Security-Aware Name Server: An entity acting in the role of a name
-      server (defined in section 2.4 of [RFC1034]) that understands the
-      DNS security extensions defined in this document set.  In
-      particular, a security-aware name server is an entity that
-      receives DNS queries, sends DNS responses, supports the EDNS0
-      ([RFC2671]) message size extension and the DO bit ([RFC3225]), and
-      supports the RR types and message header bits defined in this
-      document set.
-
-   Security-Aware Recursive Name Server: An entity that acts in both the
-      security-aware name server and security-aware resolver roles.  A
-      more cumbersome but equivalent phrase would be "a security-aware
-      name server that offers recursive service".
-
-   Security-Aware Resolver: An entity acting in the role of a resolver
-      (defined in section 2.4 of [RFC1034]) that understands the DNS
-      security extensions defined in this document set.  In particular,
-      a security-aware resolver is an entity that sends DNS queries,
-      receives DNS responses, supports the EDNS0 ([RFC2671]) message
-      size extension and the DO bit ([RFC3225]), and is capable of using
-      the RR types and message header bits defined in this document set
-      to provide DNSSEC services.
-
-   Security-Aware Stub Resolver: An entity acting in the role of a stub
-      resolver (defined in section 5.3.1 of [RFC1034]) that has enough
-      of an understanding the DNS security extensions defined in this
-      document set to provide additional services not available from a
-      security-oblivious stub resolver.  Security-aware stub resolvers
-      may be either "validating" or "non-validating", depending on
-      whether the stub resolver attempts to verify DNSSEC signatures on
-      its own or trusts a friendly security-aware name server to do so.
-      See also validating stub resolver, non-validating stub resolver.
-
-
-
-
-
-Arends, et al.              Standards Track                     [Page 5]
-
-RFC 4033       DNS Security Introduction and Requirements     March 2005
-
-
-   Security-Oblivious <anything>: An <anything> that is not
-      "security-aware".
-
-   Signed Zone: A zone whose RRsets are signed and that contains
-      properly constructed DNSKEY, Resource Record Signature (RRSIG),
-      Next Secure (NSEC), and (optionally) DS records.
-
-   Trust Anchor: A configured DNSKEY RR or DS RR hash of a DNSKEY RR.  A
-      validating security-aware resolver uses this public key or hash as
-      a starting point for building the authentication chain to a signed
-      DNS response.  In general, a validating resolver will have to
-      obtain the initial values of its trust anchors via some secure or
-      trusted means outside the DNS protocol.  Presence of a trust
-      anchor also implies that the resolver should expect the zone to
-      which the trust anchor points to be signed.
-
-   Unsigned Zone: A zone that is not signed.
-
-   Validating Security-Aware Stub Resolver: A security-aware resolver
-      that sends queries in recursive mode but that performs signature
-      validation on its own rather than just blindly trusting an
-      upstream security-aware recursive name server.  See also
-      security-aware stub resolver, non-validating security-aware stub
-      resolver.
-
-   Validating Stub Resolver: A less tedious term for a validating
-      security-aware stub resolver.
-
-   Zone Apex: Term used to describe the name at the child's side of a
-      zone cut.  See also delegation point.
-
-   Zone Signing Key (ZSK): An authentication key that corresponds to a
-      private key used to sign a zone.  Typically, a zone signing key
-      will be part of the same DNSKEY RRset as the key signing key whose
-      corresponding private key signs this DNSKEY RRset, but the zone
-      signing key is used for a slightly different purpose and may
-      differ from the key signing key in other ways, such as validity
-      lifetime.  Designating an authentication key as a zone signing key
-      is purely an operational issue; DNSSEC validation does not
-      distinguish between zone signing keys and other DNSSEC
-      authentication keys, and it is possible to use a single key as
-      both a key signing key and a zone signing key.  See also key
-      signing key.
-
-
-
-
-
-
-
-
-Arends, et al.              Standards Track                     [Page 6]
-
-RFC 4033       DNS Security Introduction and Requirements     March 2005
-
-
-3.  Services Provided by DNS Security
-
-   The Domain Name System (DNS) security extensions provide origin
-   authentication and integrity assurance services for DNS data,
-   including mechanisms for authenticated denial of existence of DNS
-   data.  These mechanisms are described below.
-
-   These mechanisms require changes to the DNS protocol.  DNSSEC adds
-   four new resource record types: Resource Record Signature (RRSIG),
-   DNS Public Key (DNSKEY), Delegation Signer (DS), and Next Secure
-   (NSEC).  It also adds two new message header bits: Checking Disabled
-   (CD) and Authenticated Data (AD).  In order to support the larger DNS
-   message sizes that result from adding the DNSSEC RRs, DNSSEC also
-   requires EDNS0 support ([RFC2671]).  Finally, DNSSEC requires support
-   for the DNSSEC OK (DO) EDNS header bit ([RFC3225]) so that a
-   security-aware resolver can indicate in its queries that it wishes to
-   receive DNSSEC RRs in response messages.
-
-   These services protect against most of the threats to the Domain Name
-   System described in [RFC3833].  Please see Section 12 for a
-   discussion of the limitations of these extensions.
-
-3.1.  Data Origin Authentication and Data Integrity
-
-   DNSSEC provides authentication by associating cryptographically
-   generated digital signatures with DNS RRsets.  These digital
-   signatures are stored in a new resource record, the RRSIG record.
-   Typically, there will be a single private key that signs a zone's
-   data, but multiple keys are possible.  For example, there may be keys
-   for each of several different digital signature algorithms.  If a
-   security-aware resolver reliably learns a zone's public key, it can
-   authenticate that zone's signed data.  An important DNSSEC concept is
-   that the key that signs a zone's data is associated with the zone
-   itself and not with the zone's authoritative name servers.  (Public
-   keys for DNS transaction authentication mechanisms may also appear in
-   zones, as described in [RFC2931], but DNSSEC itself is concerned with
-   object security of DNS data, not channel security of DNS
-   transactions.  The keys associated with transaction security may be
-   stored in different RR types.  See [RFC3755] for details.)
-
-   A security-aware resolver can learn a zone's public key either by
-   having a trust anchor configured into the resolver or by normal DNS
-   resolution.  To allow the latter, public keys are stored in a new
-   type of resource record, the DNSKEY RR.  Note that the private keys
-   used to sign zone data must be kept secure and should be stored
-   offline when practical.  To discover a public key reliably via DNS
-   resolution, the target key itself has to be signed by either a
-   configured authentication key or another key that has been
-
-
-
-Arends, et al.              Standards Track                     [Page 7]
-
-RFC 4033       DNS Security Introduction and Requirements     March 2005
-
-
-   authenticated previously.  Security-aware resolvers authenticate zone
-   information by forming an authentication chain from a newly learned
-   public key back to a previously known authentication public key,
-   which in turn either has been configured into the resolver or must
-   have been learned and verified previously.  Therefore, the resolver
-   must be configured with at least one trust anchor.
-
-   If the configured trust anchor is a zone signing key, then it will
-   authenticate the associated zone; if the configured key is a key
-   signing key, it will authenticate a zone signing key.  If the
-   configured trust anchor is the hash of a key rather than the key
-   itself, the resolver may have to obtain the key via a DNS query.  To
-   help security-aware resolvers establish this authentication chain,
-   security-aware name servers attempt to send the signature(s) needed
-   to authenticate a zone's public key(s) in the DNS reply message along
-   with the public key itself, provided that there is space available in
-   the message.
-
-   The Delegation Signer (DS) RR type simplifies some of the
-   administrative tasks involved in signing delegations across
-   organizational boundaries.  The DS RRset resides at a delegation
-   point in a parent zone and indicates the public key(s) corresponding
-   to the private key(s) used to self-sign the DNSKEY RRset at the
-   delegated child zone's apex.  The administrator of the child zone, in
-   turn, uses the private key(s) corresponding to one or more of the
-   public keys in this DNSKEY RRset to sign the child zone's data.  The
-   typical authentication chain is therefore
-   DNSKEY->[DS->DNSKEY]*->RRset, where "*" denotes zero or more
-   DS->DNSKEY subchains.  DNSSEC permits more complex authentication
-   chains, such as additional layers of DNSKEY RRs signing other DNSKEY
-   RRs within a zone.
-
-   A security-aware resolver normally constructs this authentication
-   chain from the root of the DNS hierarchy down to the leaf zones based
-   on configured knowledge of the public key for the root.  Local
-   policy, however, may also allow a security-aware resolver to use one
-   or more configured public keys (or hashes of public keys) other than
-   the root public key, may not provide configured knowledge of the root
-   public key, or may prevent the resolver from using particular public
-   keys for arbitrary reasons, even if those public keys are properly
-   signed with verifiable signatures.  DNSSEC provides mechanisms by
-   which a security-aware resolver can determine whether an RRset's
-   signature is "valid" within the meaning of DNSSEC.  In the final
-   analysis, however, authenticating both DNS keys and data is a matter
-   of local policy, which may extend or even override the protocol
-   extensions defined in this document set.  See Section 5 for further
-   discussion.
-
-
-
-
-Arends, et al.              Standards Track                     [Page 8]
-
-RFC 4033       DNS Security Introduction and Requirements     March 2005
-
-
-3.2.  Authenticating Name and Type Non-Existence
-
-   The security mechanism described in Section 3.1 only provides a way
-   to sign existing RRsets in a zone.  The problem of providing negative
-   responses with the same level of authentication and integrity
-   requires the use of another new resource record type, the NSEC
-   record.  The NSEC record allows a security-aware resolver to
-   authenticate a negative reply for either name or type non-existence
-   with the same mechanisms used to authenticate other DNS replies.  Use
-   of NSEC records requires a canonical representation and ordering for
-   domain names in zones.  Chains of NSEC records explicitly describe
-   the gaps, or "empty space", between domain names in a zone and list
-   the types of RRsets present at existing names.  Each NSEC record is
-   signed and authenticated using the mechanisms described in Section
-   3.1.
-
-4.  Services Not Provided by DNS Security
-
-   DNS was originally designed with the assumptions that the DNS will
-   return the same answer to any given query regardless of who may have
-   issued the query, and that all data in the DNS is thus visible.
-   Accordingly, DNSSEC is not designed to provide confidentiality,
-   access control lists, or other means of differentiating between
-   inquirers.
-
-   DNSSEC provides no protection against denial of service attacks.
-   Security-aware resolvers and security-aware name servers are
-   vulnerable to an additional class of denial of service attacks based
-   on cryptographic operations.  Please see Section 12 for details.
-
-   The DNS security extensions provide data and origin authentication
-   for DNS data.  The mechanisms outlined above are not designed to
-   protect operations such as zone transfers and dynamic update
-   ([RFC2136], [RFC3007]).  Message authentication schemes described in
-   [RFC2845] and [RFC2931] address security operations that pertain to
-   these transactions.
-
-5.  Scope of the DNSSEC Document Set and Last Hop Issues
-
-   The specification in this document set defines the behavior for zone
-   signers and security-aware name servers and resolvers in such a way
-   that the validating entities can unambiguously determine the state of
-   the data.
-
-   A validating resolver can determine the following 4 states:
-
-   Secure: The validating resolver has a trust anchor, has a chain of
-      trust, and is able to verify all the signatures in the response.
-
-
-
-Arends, et al.              Standards Track                     [Page 9]
-
-RFC 4033       DNS Security Introduction and Requirements     March 2005
-
-
-   Insecure: The validating resolver has a trust anchor, a chain of
-      trust, and, at some delegation point, signed proof of the
-      non-existence of a DS record.  This indicates that subsequent
-      branches in the tree are provably insecure.  A validating resolver
-      may have a local policy to mark parts of the domain space as
-      insecure.
-
-   Bogus: The validating resolver has a trust anchor and a secure
-      delegation indicating that subsidiary data is signed, but the
-      response fails to validate for some reason: missing signatures,
-      expired signatures, signatures with unsupported algorithms, data
-      missing that the relevant NSEC RR says should be present, and so
-      forth.
-
-   Indeterminate: There is no trust anchor that would indicate that a
-      specific portion of the tree is secure.  This is the default
-      operation mode.
-
-   This specification only defines how security-aware name servers can
-   signal non-validating stub resolvers that data was found to be bogus
-   (using RCODE=2, "Server Failure"; see [RFC4035]).
-
-   There is a mechanism for security-aware name servers to signal
-   security-aware stub resolvers that data was found to be secure (using
-   the AD bit; see [RFC4035]).
-
-   This specification does not define a format for communicating why
-   responses were found to be bogus or marked as insecure.  The current
-   signaling mechanism does not distinguish between indeterminate and
-   insecure states.
-
-   A method for signaling advanced error codes and policy between a
-   security-aware stub resolver and security-aware recursive nameservers
-   is a topic for future work, as is the interface between a security-
-   aware resolver and the applications that use it.  Note, however, that
-   the lack of the specification of such communication does not prohibit
-   deployment of signed zones or the deployment of security aware
-   recursive name servers that prohibit propagation of bogus data to the
-   applications.
-
-6.  Resolver Considerations
-
-   A security-aware resolver has to be able to perform cryptographic
-   functions necessary to verify digital signatures using at least the
-   mandatory-to-implement algorithm(s).  Security-aware resolvers must
-   also be capable of forming an authentication chain from a newly
-   learned zone back to an authentication key, as described above.  This
-   process might require additional queries to intermediate DNS zones to
-
-
-
-Arends, et al.              Standards Track                    [Page 10]
-
-RFC 4033       DNS Security Introduction and Requirements     March 2005
-
-
-   obtain necessary DNSKEY, DS, and RRSIG records.  A security-aware
-   resolver should be configured with at least one trust anchor as the
-   starting point from which it will attempt to establish authentication
-   chains.
-
-   If a security-aware resolver is separated from the relevant
-   authoritative name servers by a recursive name server or by any sort
-   of intermediary device that acts as a proxy for DNS, and if the
-   recursive name server or intermediary device is not security-aware,
-   the security-aware resolver may not be capable of operating in a
-   secure mode.  For example, if a security-aware resolver's packets are
-   routed through a network address translation (NAT) device that
-   includes a DNS proxy that is not security-aware, the security-aware
-   resolver may find it difficult or impossible to obtain or validate
-   signed DNS data.  The security-aware resolver may have a particularly
-   difficult time obtaining DS RRs in such a case, as DS RRs do not
-   follow the usual DNS rules for ownership of RRs at zone cuts.  Note
-   that this problem is not specific to NATs: any security-oblivious DNS
-   software of any kind between the security-aware resolver and the
-   authoritative name servers will interfere with DNSSEC.
-
-   If a security-aware resolver must rely on an unsigned zone or a name
-   server that is not security aware, the resolver may not be able to
-   validate DNS responses and will need a local policy on whether to
-   accept unverified responses.
-
-   A security-aware resolver should take a signature's validation period
-   into consideration when determining the TTL of data in its cache, to
-   avoid caching signed data beyond the validity period of the
-   signature.  However, it should also allow for the possibility that
-   the security-aware resolver's own clock is wrong.  Thus, a
-   security-aware resolver that is part of a security-aware recursive
-   name server will have to pay careful attention to the DNSSEC
-   "checking disabled" (CD) bit ([RFC4034]).  This is in order to avoid
-   blocking valid signatures from getting through to other
-   security-aware resolvers that are clients of this recursive name
-   server.  See [RFC4035] for how a secure recursive server handles
-   queries with the CD bit set.
-
-7.  Stub Resolver Considerations
-
-   Although not strictly required to do so by the protocol, most DNS
-   queries originate from stub resolvers.  Stub resolvers, by
-   definition, are minimal DNS resolvers that use recursive query mode
-   to offload most of the work of DNS resolution to a recursive name
-   server.  Given the widespread use of stub resolvers, the DNSSEC
-
-
-
-
-
-Arends, et al.              Standards Track                    [Page 11]
-
-RFC 4033       DNS Security Introduction and Requirements     March 2005
-
-
-   architecture has to take stub resolvers into account, but the
-   security features needed in a stub resolver differ in some respects
-   from those needed in a security-aware iterative resolver.
-
-   Even a security-oblivious stub resolver may benefit from DNSSEC if
-   the recursive name servers it uses are security-aware, but for the
-   stub resolver to place any real reliance on DNSSEC services, the stub
-   resolver must trust both the recursive name servers in question and
-   the communication channels between itself and those name servers.
-   The first of these issues is a local policy issue: in essence, a
-   security-oblivious stub resolver has no choice but to place itself at
-   the mercy of the recursive name servers that it uses, as it does not
-   perform DNSSEC validity checks on its own.  The second issue requires
-   some kind of channel security mechanism; proper use of DNS
-   transaction authentication mechanisms such as SIG(0) ([RFC2931]) or
-   TSIG ([RFC2845]) would suffice, as would appropriate use of IPsec.
-   Particular implementations may have other choices available, such as
-   operating system specific interprocess communication mechanisms.
-   Confidentiality is not needed for this channel, but data integrity
-   and message authentication are.
-
-   A security-aware stub resolver that does trust both its recursive
-   name servers and its communication channel to them may choose to
-   examine the setting of the Authenticated Data (AD) bit in the message
-   header of the response messages it receives.  The stub resolver can
-   use this flag bit as a hint to find out whether the recursive name
-   server was able to validate signatures for all of the data in the
-   Answer and Authority sections of the response.
-
-   There is one more step that a security-aware stub resolver can take
-   if, for whatever reason, it is not able to establish a useful trust
-   relationship with the recursive name servers that it uses: it can
-   perform its own signature validation by setting the Checking Disabled
-   (CD) bit in its query messages.  A validating stub resolver is thus
-   able to treat the DNSSEC signatures as trust relationships between
-   the zone administrators and the stub resolver itself.
-
-8.  Zone Considerations
-
-   There are several differences between signed and unsigned zones.  A
-   signed zone will contain additional security-related records (RRSIG,
-   DNSKEY, DS, and NSEC records).  RRSIG and NSEC records may be
-   generated by a signing process prior to serving the zone.  The RRSIG
-   records that accompany zone data have defined inception and
-   expiration times that establish a validity period for the signatures
-   and the zone data the signatures cover.
-
-
-
-
-
-Arends, et al.              Standards Track                    [Page 12]
-
-RFC 4033       DNS Security Introduction and Requirements     March 2005
-
-
-8.1.  TTL Values vs. RRSIG Validity Period
-
-   It is important to note the distinction between a RRset's TTL value
-   and the signature validity period specified by the RRSIG RR covering
-   that RRset.  DNSSEC does not change the definition or function of the
-   TTL value, which is intended to maintain database coherency in
-   caches.  A caching resolver purges RRsets from its cache no later
-   than the end of the time period specified by the TTL fields of those
-   RRsets, regardless of whether the resolver is security-aware.
-
-   The inception and expiration fields in the RRSIG RR ([RFC4034]), on
-   the other hand, specify the time period during which the signature
-   can be used to validate the covered RRset.  The signatures associated
-   with signed zone data are only valid for the time period specified by
-   these fields in the RRSIG RRs in question.  TTL values cannot extend
-   the validity period of signed RRsets in a resolver's cache, but the
-   resolver may use the time remaining before expiration of the
-   signature validity period of a signed RRset as an upper bound for the
-   TTL of the signed RRset and its associated RRSIG RR in the resolver's
-   cache.
-
-8.2.  New Temporal Dependency Issues for Zones
-
-   Information in a signed zone has a temporal dependency that did not
-   exist in the original DNS protocol.  A signed zone requires regular
-   maintenance to ensure that each RRset in the zone has a current valid
-   RRSIG RR.  The signature validity period of an RRSIG RR is an
-   interval during which the signature for one particular signed RRset
-   can be considered valid, and the signatures of different RRsets in a
-   zone may expire at different times.  Re-signing one or more RRsets in
-   a zone will change one or more RRSIG RRs, which will in turn require
-   incrementing the zone's SOA serial number to indicate that a zone
-   change has occurred and re-signing the SOA RRset itself.  Thus,
-   re-signing any RRset in a zone may also trigger DNS NOTIFY messages
-   and zone transfer operations.
-
-9.  Name Server Considerations
-
-   A security-aware name server should include the appropriate DNSSEC
-   records (RRSIG, DNSKEY, DS, and NSEC) in all responses to queries
-   from resolvers that have signaled their willingness to receive such
-   records via use of the DO bit in the EDNS header, subject to message
-   size limitations.  Because inclusion of these DNSSEC RRs could easily
-   cause UDP message truncation and fallback to TCP, a security-aware
-   name server must also support the EDNS "sender's UDP payload"
-   mechanism.
-
-
-
-
-
-Arends, et al.              Standards Track                    [Page 13]
-
-RFC 4033       DNS Security Introduction and Requirements     March 2005
-
-
-   If possible, the private half of each DNSSEC key pair should be kept
-   offline, but this will not be possible for a zone for which DNS
-   dynamic update has been enabled.  In the dynamic update case, the
-   primary master server for the zone will have to re-sign the zone when
-   it is updated, so the private key corresponding to the zone signing
-   key will have to be kept online.  This is an example of a situation
-   in which the ability to separate the zone's DNSKEY RRset into zone
-   signing key(s) and key signing key(s) may be useful, as the key
-   signing key(s) in such a case can still be kept offline and may have
-   a longer useful lifetime than the zone signing key(s).
-
-   By itself, DNSSEC is not enough to protect the integrity of an entire
-   zone during zone transfer operations, as even a signed zone contains
-   some unsigned, nonauthoritative data if the zone has any children.
-   Therefore, zone maintenance operations will require some additional
-   mechanisms (most likely some form of channel security, such as TSIG,
-   SIG(0), or IPsec).
-
-10.  DNS Security Document Family
-
-   The DNSSEC document set can be partitioned into several main groups,
-   under the larger umbrella of the DNS base protocol documents.
-
-   The "DNSSEC protocol document set" refers to the three documents that
-   form the core of the DNS security extensions:
-
-   1.  DNS Security Introduction and Requirements (this document)
-
-   2.  Resource Records for DNS Security Extensions [RFC4034]
-
-   3.  Protocol Modifications for the DNS Security Extensions [RFC4035]
-
-   Additionally, any document that would add to or change the core DNS
-   Security extensions would fall into this category.  This includes any
-   future work on the communication between security-aware stub
-   resolvers and upstream security-aware recursive name servers.
-
-   The "Digital Signature Algorithm Specification" document set refers
-   to the group of documents that describe how specific digital
-   signature algorithms should be implemented to fit the DNSSEC resource
-   record format.  Each document in this set deals with a specific
-   digital signature algorithm.  Please see the appendix on "DNSSEC
-   Algorithm and Digest Types" in [RFC4034] for a list of the algorithms
-   that were defined when this core specification was written.
-
-   The "Transaction Authentication Protocol" document set refers to the
-   group of documents that deal with DNS message authentication,
-   including secret key establishment and verification.  Although not
-
-
-
-Arends, et al.              Standards Track                    [Page 14]
-
-RFC 4033       DNS Security Introduction and Requirements     March 2005
-
-
-   strictly part of the DNSSEC specification as defined in this set of
-   documents, this group is noted because of its relationship to DNSSEC.
-
-   The final document set, "New Security Uses", refers to documents that
-   seek to use proposed DNS Security extensions for other security
-   related purposes.  DNSSEC does not provide any direct security for
-   these new uses but may be used to support them.  Documents that fall
-   in this category include those describing the use of DNS in the
-   storage and distribution of certificates ([RFC2538]).
-
-11.  IANA Considerations
-
-   This overview document introduces no new IANA considerations.  Please
-   see [RFC4034] for a complete review of the IANA considerations
-   introduced by DNSSEC.
-
-12.  Security Considerations
-
-   This document introduces DNS security extensions and describes the
-   document set that contains the new security records and DNS protocol
-   modifications.  The extensions provide data origin authentication and
-   data integrity using digital signatures over resource record sets.
-   This section discusses the limitations of these extensions.
-
-   In order for a security-aware resolver to validate a DNS response,
-   all zones along the path from the trusted starting point to the zone
-   containing the response zones must be signed, and all name servers
-   and resolvers involved in the resolution process must be
-   security-aware, as defined in this document set.  A security-aware
-   resolver cannot verify responses originating from an unsigned zone,
-   from a zone not served by a security-aware name server, or for any
-   DNS data that the resolver is only able to obtain through a recursive
-   name server that is not security-aware.  If there is a break in the
-   authentication chain such that a security-aware resolver cannot
-   obtain and validate the authentication keys it needs, then the
-   security-aware resolver cannot validate the affected DNS data.
-
-   This document briefly discusses other methods of adding security to a
-   DNS query, such as using a channel secured by IPsec or using a DNS
-   transaction authentication mechanism such as TSIG ([RFC2845]) or
-   SIG(0) ([RFC2931]), but transaction security is not part of DNSSEC
-   per se.
-
-   A non-validating security-aware stub resolver, by definition, does
-   not perform DNSSEC signature validation on its own and thus is
-   vulnerable both to attacks on (and by) the security-aware recursive
-   name servers that perform these checks on its behalf and to attacks
-   on its communication with those security-aware recursive name
-
-
-
-Arends, et al.              Standards Track                    [Page 15]
-
-RFC 4033       DNS Security Introduction and Requirements     March 2005
-
-
-   servers.  Non-validating security-aware stub resolvers should use
-   some form of channel security to defend against the latter threat.
-   The only known defense against the former threat would be for the
-   security-aware stub resolver to perform its own signature validation,
-   at which point, again by definition, it would no longer be a
-   non-validating security-aware stub resolver.
-
-   DNSSEC does not protect against denial of service attacks.  DNSSEC
-   makes DNS vulnerable to a new class of denial of service attacks
-   based on cryptographic operations against security-aware resolvers
-   and security-aware name servers, as an attacker can attempt to use
-   DNSSEC mechanisms to consume a victim's resources.  This class of
-   attacks takes at least two forms.  An attacker may be able to consume
-   resources in a security-aware resolver's signature validation code by
-   tampering with RRSIG RRs in response messages or by constructing
-   needlessly complex signature chains.  An attacker may also be able to
-   consume resources in a security-aware name server that supports DNS
-   dynamic update, by sending a stream of update messages that force the
-   security-aware name server to re-sign some RRsets in the zone more
-   frequently than would otherwise be necessary.
-
-   Due to a deliberate design choice, DNSSEC does not provide
-   confidentiality.
-
-   DNSSEC introduces the ability for a hostile party to enumerate all
-   the names in a zone by following the NSEC chain.  NSEC RRs assert
-   which names do not exist in a zone by linking from existing name to
-   existing name along a canonical ordering of all the names within a
-   zone.  Thus, an attacker can query these NSEC RRs in sequence to
-   obtain all the names in a zone.  Although this is not an attack on
-   the DNS itself, it could allow an attacker to map network hosts or
-   other resources by enumerating the contents of a zone.
-
-   DNSSEC introduces significant additional complexity to the DNS and
-   thus introduces many new opportunities for implementation bugs and
-   misconfigured zones.  In particular, enabling DNSSEC signature
-   validation in a resolver may cause entire legitimate zones to become
-   effectively unreachable due to DNSSEC configuration errors or bugs.
-
-   DNSSEC does not protect against tampering with unsigned zone data.
-   Non-authoritative data at zone cuts (glue and NS RRs in the parent
-   zone) are not signed.  This does not pose a problem when validating
-   the authentication chain, but it does mean that the non-authoritative
-   data itself is vulnerable to tampering during zone transfer
-   operations.  Thus, while DNSSEC can provide data origin
-   authentication and data integrity for RRsets, it cannot do so for
-   zones, and other mechanisms (such as TSIG, SIG(0), or IPsec) must be
-   used to protect zone transfer operations.
-
-
-
-Arends, et al.              Standards Track                    [Page 16]
-
-RFC 4033       DNS Security Introduction and Requirements     March 2005
-
-
-   Please see [RFC4034] and [RFC4035] for additional security
-   considerations.
-
-13.  Acknowledgements
-
-   This document was created from the input and ideas of the members of
-   the DNS Extensions Working Group.  Although explicitly listing
-   everyone who has contributed during the decade in which DNSSEC has
-   been under development would be impossible, the editors would
-   particularly like to thank the following people for their
-   contributions to and comments on this document set: Jaap Akkerhuis,
-   Mark Andrews, Derek Atkins, Roy Badami, Alan Barrett, Dan Bernstein,
-   David Blacka, Len Budney, Randy Bush, Francis Dupont, Donald
-   Eastlake, Robert Elz, Miek Gieben, Michael Graff, Olafur Gudmundsson,
-   Gilles Guette, Andreas Gustafsson, Jun-ichiro Itojun Hagino, Phillip
-   Hallam-Baker, Bob Halley, Ted Hardie, Walter Howard, Greg Hudson,
-   Christian Huitema, Johan Ihren, Stephen Jacob, Jelte Jansen, Simon
-   Josefsson, Andris Kalnozols, Peter Koch, Olaf Kolkman, Mark Kosters,
-   Suresh Krishnaswamy, Ben Laurie, David Lawrence, Ted Lemon, Ed Lewis,
-   Ted Lindgreen, Josh Littlefield, Rip Loomis, Bill Manning, Russ
-   Mundy, Thomas Narten, Mans Nilsson, Masataka Ohta, Mike Patton, Rob
-   Payne, Jim Reid, Michael Richardson, Erik Rozendaal, Marcos Sanz,
-   Pekka Savola, Jakob Schlyter, Mike StJohns, Paul Vixie, Sam Weiler,
-   Brian Wellington, and Suzanne Woolf.
-
-   No doubt the above list is incomplete.  We apologize to anyone we
-   left out.
-
-14.  References
-
-14.1.  Normative References
-
-   [RFC1034]  Mockapetris, P., "Domain names - concepts and facilities",
-              STD 13, RFC 1034, November 1987.
-
-   [RFC1035]  Mockapetris, P., "Domain names - implementation and
-              specification", STD 13, RFC 1035, November 1987.
-
-   [RFC2535]  Eastlake 3rd, D., "Domain Name System Security
-              Extensions", RFC 2535, March 1999.
-
-   [RFC2671]  Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC
-              2671, August 1999.
-
-   [RFC3225]  Conrad, D., "Indicating Resolver Support of DNSSEC", RFC
-              3225, December 2001.
-
-
-
-
-
-Arends, et al.              Standards Track                    [Page 17]
-
-RFC 4033       DNS Security Introduction and Requirements     March 2005
-
-
-   [RFC3226]  Gudmundsson, O., "DNSSEC and IPv6 A6 aware server/resolver
-              message size requirements", RFC 3226, December 2001.
-
-   [RFC3445]  Massey, D. and S. Rose, "Limiting the Scope of the KEY
-              Resource Record (RR)", RFC 3445, December 2002.
-
-   [RFC4034]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
-              Rose, "Resource Records for DNS Security Extensions", RFC
-              4034, March 2005.
-
-   [RFC4035]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
-              Rose, "Protocol Modifications for the DNS Security
-              Extensions", RFC 4035, March 2005.
-
-14.2.  Informative References
-
-   [RFC2136]  Vixie, P., Thomson, S., Rekhter, Y., and J. Bound,
-              "Dynamic Updates in the Domain Name System (DNS UPDATE)",
-              RFC 2136, April 1997.
-
-   [RFC2181]  Elz, R. and R. Bush, "Clarifications to the DNS
-              Specification", RFC 2181, July 1997.
-
-   [RFC2308]  Andrews, M., "Negative Caching of DNS Queries (DNS
-              NCACHE)", RFC 2308, March 1998.
-
-   [RFC2538]  Eastlake 3rd, D. and O. Gudmundsson, "Storing Certificates
-              in the Domain Name System (DNS)", RFC 2538, March 1999.
-
-   [RFC2845]  Vixie, P., Gudmundsson, O., Eastlake 3rd, D., and B.
-              Wellington, "Secret Key Transaction Authentication for DNS
-              (TSIG)", RFC 2845, May 2000.
-
-   [RFC2931]  Eastlake 3rd, D., "DNS Request and Transaction Signatures
-              ( SIG(0)s )", RFC 2931, September 2000.
-
-   [RFC3007]  Wellington, B., "Secure Domain Name System (DNS) Dynamic
-              Update", RFC 3007, November 2000.
-
-   [RFC3008]  Wellington, B., "Domain Name System Security (DNSSEC)
-              Signing Authority", RFC 3008, November 2000.
-
-   [RFC3090]  Lewis, E., "DNS Security Extension Clarification on Zone
-              Status", RFC 3090, March 2001.
-
-   [RFC3597]  Gustafsson, A., "Handling of Unknown DNS Resource Record
-              (RR) Types", RFC 3597, September 2003.
-
-
-
-
-Arends, et al.              Standards Track                    [Page 18]
-
-RFC 4033       DNS Security Introduction and Requirements     March 2005
-
-
-   [RFC3655]  Wellington, B. and O. Gudmundsson, "Redefinition of DNS
-              Authenticated Data (AD) bit", RFC 3655, November 2003.
-
-   [RFC3658]  Gudmundsson, O., "Delegation Signer (DS) Resource Record
-              (RR)", RFC 3658, December 2003.
-
-   [RFC3755]  Weiler, S., "Legacy Resolver Compatibility for Delegation
-              Signer (DS)", RFC 3755, May 2004.
-
-   [RFC3757]  Kolkman, O., Schlyter, J., and E. Lewis, "Domain Name
-              System KEY (DNSKEY) Resource Record (RR) Secure Entry
-              Point (SEP) Flag", RFC 3757, April 2004.
-
-   [RFC3833]  Atkins, D. and R. Austein, "Threat Analysis of the Domain
-              Name System (DNS)", RFC 3833, August 2004.
-
-   [RFC3845]  Schlyter, J., "DNS Security (DNSSEC) NextSECure (NSEC)
-              RDATA Format", RFC 3845, August 2004.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Arends, et al.              Standards Track                    [Page 19]
-
-RFC 4033       DNS Security Introduction and Requirements     March 2005
-
-
-Authors' Addresses
-
-   Roy Arends
-   Telematica Instituut
-   Brouwerijstraat 1
-   7523 XC  Enschede
-   NL
-
-   EMail: roy.arends@telin.nl
-
-
-   Rob Austein
-   Internet Systems Consortium
-   950 Charter Street
-   Redwood City, CA  94063
-   USA
-
-   EMail: sra@isc.org
-
-
-   Matt Larson
-   VeriSign, Inc.
-   21345 Ridgetop Circle
-   Dulles, VA  20166-6503
-   USA
-
-   EMail: mlarson@verisign.com
-
-
-   Dan Massey
-   Colorado State University
-   Department of Computer Science
-   Fort Collins, CO 80523-1873
-
-   EMail: massey@cs.colostate.edu
-
-
-   Scott Rose
-   National Institute for Standards and Technology
-   100 Bureau Drive
-   Gaithersburg, MD  20899-8920
-   USA
-
-   EMail: scott.rose@nist.gov
-
-
-
-
-
-
-
-Arends, et al.              Standards Track                    [Page 20]
-
-RFC 4033       DNS Security Introduction and Requirements     March 2005
-
-
-Full Copyright Statement
-
-   Copyright (C) The Internet Society (2005).
-
-   This document is subject to the rights, licenses and restrictions
-   contained in BCP 78, and except as set forth therein, the authors
-   retain all their rights.
-
-   This document and the information contained herein are provided on an
-   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
-   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
-   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
-   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
-   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Intellectual Property
-
-   The IETF takes no position regarding the validity or scope of any
-   Intellectual Property Rights or other rights that might be claimed to
-   pertain to the implementation or use of the technology described in
-   this document or the extent to which any license under such rights
-   might or might not be available; nor does it represent that it has
-   made any independent effort to identify any such rights.  Information
-   on the procedures with respect to rights in RFC documents can be
-   found in BCP 78 and BCP 79.
-
-   Copies of IPR disclosures made to the IETF Secretariat and any
-   assurances of licenses to be made available, or the result of an
-   attempt made to obtain a general license or permission for the use of
-   such proprietary rights by implementers or users of this
-   specification can be obtained from the IETF on-line IPR repository at
-   http://www.ietf.org/ipr.
-
-   The IETF invites any interested party to bring to its attention any
-   copyrights, patents or patent applications, or other proprietary
-   rights that may cover technology that may be required to implement
-   this standard.  Please address the information to the IETF at ietf-
-   ipr@ietf.org.
-
-Acknowledgement
-
-   Funding for the RFC Editor function is currently provided by the
-   Internet Society.
-
-
-
-
-
-
-
-Arends, et al.              Standards Track                    [Page 21]
-
diff --git a/doc/rfc/rfc4034.txt b/doc/rfc/rfc4034.txt
deleted file mode 100644
index 6a12c6b8..00000000
--- a/doc/rfc/rfc4034.txt
+++ /dev/null
@@ -1,1627 +0,0 @@
-
-
-
-
-
-
-Network Working Group                                          R. Arends
-Request for Comments: 4034                          Telematica Instituut
-Obsoletes: 2535, 3008, 3090, 3445, 3655, 3658,                R. Austein
-           3755, 3757, 3845                                          ISC
-Updates: 1034, 1035, 2136, 2181, 2308, 3225,                   M. Larson
-         3007, 3597, 3226                                       VeriSign
-Category: Standards Track                                      D. Massey
-                                               Colorado State University
-                                                                 S. Rose
-                                                                    NIST
-                                                              March 2005
-
-
-            Resource Records for the DNS Security Extensions
-
-Status of This Memo
-
-   This document specifies an Internet standards track protocol for the
-   Internet community, and requests discussion and suggestions for
-   improvements.  Please refer to the current edition of the "Internet
-   Official Protocol Standards" (STD 1) for the standardization state
-   and status of this protocol.  Distribution of this memo is unlimited.
-
-Copyright Notice
-
-   Copyright (C) The Internet Society (2005).
-
-Abstract
-
-   This document is part of a family of documents that describe the DNS
-   Security Extensions (DNSSEC).  The DNS Security Extensions are a
-   collection of resource records and protocol modifications that
-   provide source authentication for the DNS.  This document defines the
-   public key (DNSKEY), delegation signer (DS), resource record digital
-   signature (RRSIG), and authenticated denial of existence (NSEC)
-   resource records.  The purpose and format of each resource record is
-   described in detail, and an example of each resource record is given.
-
-   This document obsoletes RFC 2535 and incorporates changes from all
-   updates to RFC 2535.
-
-
-
-
-
-
-
-
-
-
-
-Arends, et al.              Standards Track                     [Page 1]
-
-RFC 4034                DNSSEC Resource Records               March 2005
-
-
-Table of Contents
-
-   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . .  3
-       1.1.  Background and Related Documents . . . . . . . . . . .  3
-       1.2.  Reserved Words . . . . . . . . . . . . . . . . . . . .  3
-   2.  The DNSKEY Resource Record . . . . . . . . . . . . . . . . .  4
-       2.1.  DNSKEY RDATA Wire Format . . . . . . . . . . . . . . .  4
-             2.1.1.  The Flags Field. . . . . . . . . . . . . . . .  4
-             2.1.2.  The Protocol Field . . . . . . . . . . . . . .  5
-             2.1.3.  The Algorithm Field. . . . . . . . . . . . . .  5
-             2.1.4.  The Public Key Field . . . . . . . . . . . . .  5
-             2.1.5.  Notes on DNSKEY RDATA Design . . . . . . . . .  5
-       2.2.  The DNSKEY RR Presentation Format. . . . . . . . . . .  5
-       2.3.  DNSKEY RR Example  . . . . . . . . . . . . . . . . . .  6
-   3.  The RRSIG Resource Record  . . . . . . . . . . . . . . . . .  6
-       3.1.  RRSIG RDATA Wire Format. . . . . . . . . . . . . . . .  7
-             3.1.1.  The Type Covered Field . . . . . . . . . . . .  7
-             3.1.2.  The Algorithm Number Field . . . . . . . . . .  8
-             3.1.3.  The Labels Field . . . . . . . . . . . . . . .  8
-             3.1.4.  Original TTL Field . . . . . . . . . . . . . .  8
-             3.1.5.  Signature Expiration and Inception Fields. . .  9
-             3.1.6.  The Key Tag Field. . . . . . . . . . . . . . .  9
-             3.1.7.  The Signer's Name Field. . . . . . . . . . . .  9
-             3.1.8.  The Signature Field. . . . . . . . . . . . . .  9
-       3.2.  The RRSIG RR Presentation Format . . . . . . . . . . . 10
-       3.3.  RRSIG RR Example . . . . . . . . . . . . . . . . . . . 11
-   4.  The NSEC Resource Record . . . . . . . . . . . . . . . . . . 12
-       4.1.  NSEC RDATA Wire Format . . . . . . . . . . . . . . . . 13
-             4.1.1.  The Next Domain Name Field . . . . . . . . . . 13
-             4.1.2.  The Type Bit Maps Field. . . . . . . . . . . . 13
-             4.1.3.  Inclusion of Wildcard Names in NSEC RDATA. . . 14
-       4.2.  The NSEC RR Presentation Format. . . . . . . . . . . . 14
-       4.3.  NSEC RR Example. . . . . . . . . . . . . . . . . . . . 15
-   5.  The DS Resource Record . . . . . . . . . . . . . . . . . . . 15
-       5.1.  DS RDATA Wire Format . . . . . . . . . . . . . . . . . 16
-             5.1.1.  The Key Tag Field. . . . . . . . . . . . . . . 16
-             5.1.2.  The Algorithm Field. . . . . . . . . . . . . . 16
-             5.1.3.  The Digest Type Field. . . . . . . . . . . . . 17
-             5.1.4.  The Digest Field . . . . . . . . . . . . . . . 17
-       5.2.  Processing of DS RRs When Validating Responses . . . . 17
-       5.3.  The DS RR Presentation Format. . . . . . . . . . . . . 17
-       5.4.  DS RR Example. . . . . . . . . . . . . . . . . . . . . 18
-   6.  Canonical Form and Order of Resource Records . . . . . . . . 18
-       6.1.  Canonical DNS Name Order . . . . . . . . . . . . . . . 18
-       6.2.  Canonical RR Form. . . . . . . . . . . . . . . . . . . 19
-       6.3.  Canonical RR Ordering within an RRset. . . . . . . . . 20
-   7.  IANA Considerations. . . . . . . . . . . . . . . . . . . . . 20
-   8.  Security Considerations. . . . . . . . . . . . . . . . . . . 21
-
-
-
-Arends, et al.              Standards Track                     [Page 2]
-
-RFC 4034                DNSSEC Resource Records               March 2005
-
-
-   9.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 22
-   10. References . . . . . . . . . . . . . . . . . . . . . . . . . 22
-       10.1. Normative References . . . . . . . . . . . . . . . . . 22
-       10.2. Informative References . . . . . . . . . . . . . . . . 23
-   A.  DNSSEC Algorithm and Digest Types. . . . . . . . . . . . . . 24
-       A.1.  DNSSEC Algorithm Types . . . . . . . . . . . . . . . . 24
-             A.1.1.  Private Algorithm Types. . . . . . . . . . . . 25
-       A.2.  DNSSEC Digest Types. . . . . . . . . . . . . . . . . . 25
-   B.  Key Tag Calculation. . . . . . . . . . . . . . . . . . . . . 25
-       B.1.  Key Tag for Algorithm 1 (RSA/MD5). . . . . . . . . . . 27
-   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 28
-   Full Copyright Statement . . . . . . . . . . . . . . . . . . . . 29
-
-1.  Introduction
-
-   The DNS Security Extensions (DNSSEC) introduce four new DNS resource
-   record types: DNS Public Key (DNSKEY), Resource Record Signature
-   (RRSIG), Next Secure (NSEC), and Delegation Signer (DS).  This
-   document defines the purpose of each resource record (RR), the RR's
-   RDATA format, and its presentation format (ASCII representation).
-
-1.1.  Background and Related Documents
-
-   This document is part of a family of documents defining DNSSEC, which
-   should be read together as a set.
-
-   [RFC4033] contains an introduction to DNSSEC and definition of common
-   terms; the reader is assumed to be familiar with this document.
-   [RFC4033] also contains a list of other documents updated by and
-   obsoleted by this document set.
-
-   [RFC4035] defines the DNSSEC protocol operations.
-
-   The reader is also assumed to be familiar with the basic DNS concepts
-   described in [RFC1034], [RFC1035], and the subsequent documents that
-   update them, particularly [RFC2181] and [RFC2308].
-
-   This document defines the DNSSEC resource records.  All numeric DNS
-   type codes given in this document are decimal integers.
-
-1.2.  Reserved Words
-
-   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
-   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
-   document are to be interpreted as described in [RFC2119].
-
-
-
-
-
-
-Arends, et al.              Standards Track                     [Page 3]
-
-RFC 4034                DNSSEC Resource Records               March 2005
-
-
-2.  The DNSKEY Resource Record
-
-   DNSSEC uses public key cryptography to sign and authenticate DNS
-   resource record sets (RRsets).  The public keys are stored in DNSKEY
-   resource records and are used in the DNSSEC authentication process
-   described in [RFC4035]: A zone signs its authoritative RRsets by
-   using a private key and stores the corresponding public key in a
-   DNSKEY RR.  A resolver can then use the public key to validate
-   signatures covering the RRsets in the zone, and thus to authenticate
-   them.
-
-   The DNSKEY RR is not intended as a record for storing arbitrary
-   public keys and MUST NOT be used to store certificates or public keys
-   that do not directly relate to the DNS infrastructure.
-
-   The Type value for the DNSKEY RR type is 48.
-
-   The DNSKEY RR is class independent.
-
-   The DNSKEY RR has no special TTL requirements.
-
-2.1.  DNSKEY RDATA Wire Format
-
-   The RDATA for a DNSKEY RR consists of a 2 octet Flags Field, a 1
-   octet Protocol Field, a 1 octet Algorithm Field, and the Public Key
-   Field.
-
-                        1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
-    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   |              Flags            |    Protocol   |   Algorithm   |
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   /                                                               /
-   /                            Public Key                         /
-   /                                                               /
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-
-2.1.1.  The Flags Field
-
-   Bit 7 of the Flags field is the Zone Key flag.  If bit 7 has value 1,
-   then the DNSKEY record holds a DNS zone key, and the DNSKEY RR's
-   owner name MUST be the name of a zone.  If bit 7 has value 0, then
-   the DNSKEY record holds some other type of DNS public key and MUST
-   NOT be used to verify RRSIGs that cover RRsets.
-
-   Bit 15 of the Flags field is the Secure Entry Point flag, described
-   in [RFC3757].  If bit 15 has value 1, then the DNSKEY record holds a
-   key intended for use as a secure entry point.  This flag is only
-
-
-
-Arends, et al.              Standards Track                     [Page 4]
-
-RFC 4034                DNSSEC Resource Records               March 2005
-
-
-   intended to be a hint to zone signing or debugging software as to the
-   intended use of this DNSKEY record; validators MUST NOT alter their
-   behavior during the signature validation process in any way based on
-   the setting of this bit.  This also means that a DNSKEY RR with the
-   SEP bit set would also need the Zone Key flag set in order to be able
-   to generate signatures legally.  A DNSKEY RR with the SEP set and the
-   Zone Key flag not set MUST NOT be used to verify RRSIGs that cover
-   RRsets.
-
-   Bits 0-6 and 8-14 are reserved: these bits MUST have value 0 upon
-   creation of the DNSKEY RR and MUST be ignored upon receipt.
-
-2.1.2.  The Protocol Field
-
-   The Protocol Field MUST have value 3, and the DNSKEY RR MUST be
-   treated as invalid during signature verification if it is found to be
-   some value other than 3.
-
-2.1.3.  The Algorithm Field
-
-   The Algorithm field identifies the public key's cryptographic
-   algorithm and determines the format of the Public Key field.  A list
-   of DNSSEC algorithm types can be found in Appendix A.1
-
-2.1.4.  The Public Key Field
-
-   The Public Key Field holds the public key material.  The format
-   depends on the algorithm of the key being stored and is described in
-   separate documents.
-
-2.1.5.  Notes on DNSKEY RDATA Design
-
-   Although the Protocol Field always has value 3, it is retained for
-   backward compatibility with early versions of the KEY record.
-
-2.2.  The DNSKEY RR Presentation Format
-
-   The presentation format of the RDATA portion is as follows:
-
-   The Flag field MUST be represented as an unsigned decimal integer.
-   Given the currently defined flags, the possible values are: 0, 256,
-   and 257.
-
-   The Protocol Field MUST be represented as an unsigned decimal integer
-   with a value of 3.
-
-   The Algorithm field MUST be represented either as an unsigned decimal
-   integer or as an algorithm mnemonic as specified in Appendix A.1.
-
-
-
-Arends, et al.              Standards Track                     [Page 5]
-
-RFC 4034                DNSSEC Resource Records               March 2005
-
-
-   The Public Key field MUST be represented as a Base64 encoding of the
-   Public Key.  Whitespace is allowed within the Base64 text.  For a
-   definition of Base64 encoding, see [RFC3548].
-
-2.3.  DNSKEY RR Example
-
-   The following DNSKEY RR stores a DNS zone key for example.com.
-
-   example.com. 86400 IN DNSKEY 256 3 5 ( AQPSKmynfzW4kyBv015MUG2DeIQ3
-                                          Cbl+BBZH4b/0PY1kxkmvHjcZc8no
-                                          kfzj31GajIQKY+5CptLr3buXA10h
-                                          WqTkF7H6RfoRqXQeogmMHfpftf6z
-                                          Mv1LyBUgia7za6ZEzOJBOztyvhjL
-                                          742iU/TpPSEDhm2SNKLijfUppn1U
-                                          aNvv4w==  )
-
-   The first four text fields specify the owner name, TTL, Class, and RR
-   type (DNSKEY).  Value 256 indicates that the Zone Key bit (bit 7) in
-   the Flags field has value 1.  Value 3 is the fixed Protocol value.
-   Value 5 indicates the public key algorithm.  Appendix A.1 identifies
-   algorithm type 5 as RSA/SHA1 and indicates that the format of the
-   RSA/SHA1 public key field is defined in [RFC3110].  The remaining
-   text is a Base64 encoding of the public key.
-
-3.  The RRSIG Resource Record
-
-   DNSSEC uses public key cryptography to sign and authenticate DNS
-   resource record sets (RRsets).  Digital signatures are stored in
-   RRSIG resource records and are used in the DNSSEC authentication
-   process described in [RFC4035].  A validator can use these RRSIG RRs
-   to authenticate RRsets from the zone.  The RRSIG RR MUST only be used
-   to carry verification material (digital signatures) used to secure
-   DNS operations.
-
-   An RRSIG record contains the signature for an RRset with a particular
-   name, class, and type.  The RRSIG RR specifies a validity interval
-   for the signature and uses the Algorithm, the Signer's Name, and the
-   Key Tag to identify the DNSKEY RR containing the public key that a
-   validator can use to verify the signature.
-
-   Because every authoritative RRset in a zone must be protected by a
-   digital signature, RRSIG RRs must be present for names containing a
-   CNAME RR.  This is a change to the traditional DNS specification
-   [RFC1034], which stated that if a CNAME is present for a name, it is
-   the only type allowed at that name.  A RRSIG and NSEC (see Section 4)
-   MUST exist for the same name as a CNAME resource record in a signed
-   zone.
-
-
-
-
-Arends, et al.              Standards Track                     [Page 6]
-
-RFC 4034                DNSSEC Resource Records               March 2005
-
-
-   The Type value for the RRSIG RR type is 46.
-
-   The RRSIG RR is class independent.
-
-   An RRSIG RR MUST have the same class as the RRset it covers.
-
-   The TTL value of an RRSIG RR MUST match the TTL value of the RRset it
-   covers.  This is an exception to the [RFC2181] rules for TTL values
-   of individual RRs within a RRset: individual RRSIG RRs with the same
-   owner name will have different TTL values if the RRsets they cover
-   have different TTL values.
-
-3.1.  RRSIG RDATA Wire Format
-
-   The RDATA for an RRSIG RR consists of a 2 octet Type Covered field, a
-   1 octet Algorithm field, a 1 octet Labels field, a 4 octet Original
-   TTL field, a 4 octet Signature Expiration field, a 4 octet Signature
-   Inception field, a 2 octet Key tag, the Signer's Name field, and the
-   Signature field.
-
-                        1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
-    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   |        Type Covered           |  Algorithm    |     Labels    |
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   |                         Original TTL                          |
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   |                      Signature Expiration                     |
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   |                      Signature Inception                      |
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   |            Key Tag            |                               /
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+         Signer's Name         /
-   /                                                               /
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   /                                                               /
-   /                            Signature                          /
-   /                                                               /
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-
-3.1.1.  The Type Covered Field
-
-   The Type Covered field identifies the type of the RRset that is
-   covered by this RRSIG record.
-
-
-
-
-
-
-
-Arends, et al.              Standards Track                     [Page 7]
-
-RFC 4034                DNSSEC Resource Records               March 2005
-
-
-3.1.2.  The Algorithm Number Field
-
-   The Algorithm Number field identifies the cryptographic algorithm
-   used to create the signature.  A list of DNSSEC algorithm types can
-   be found in Appendix A.1
-
-3.1.3.  The Labels Field
-
-   The Labels field specifies the number of labels in the original RRSIG
-   RR owner name.  The significance of this field is that a validator
-   uses it to determine whether the answer was synthesized from a
-   wildcard.  If so, it can be used to determine what owner name was
-   used in generating the signature.
-
-   To validate a signature, the validator needs the original owner name
-   that was used to create the signature.  If the original owner name
-   contains a wildcard label ("*"), the owner name may have been
-   expanded by the server during the response process, in which case the
-   validator will have to reconstruct the original owner name in order
-   to validate the signature.  [RFC4035] describes how to use the Labels
-   field to reconstruct the original owner name.
-
-   The value of the Labels field MUST NOT count either the null (root)
-   label that terminates the owner name or the wildcard label (if
-   present).  The value of the Labels field MUST be less than or equal
-   to the number of labels in the RRSIG owner name.  For example,
-   "www.example.com." has a Labels field value of 3, and
-   "*.example.com." has a Labels field value of 2.  Root (".") has a
-   Labels field value of 0.
-
-   Although the wildcard label is not included in the count stored in
-   the Labels field of the RRSIG RR, the wildcard label is part of the
-   RRset's owner name when the signature is generated or verified.
-
-3.1.4.  Original TTL Field
-
-   The Original TTL field specifies the TTL of the covered RRset as it
-   appears in the authoritative zone.
-
-   The Original TTL field is necessary because a caching resolver
-   decrements the TTL value of a cached RRset.  In order to validate a
-   signature, a validator requires the original TTL.  [RFC4035]
-   describes how to use the Original TTL field value to reconstruct the
-   original TTL.
-
-
-
-
-
-
-
-Arends, et al.              Standards Track                     [Page 8]
-
-RFC 4034                DNSSEC Resource Records               March 2005
-
-
-3.1.5.  Signature Expiration and Inception Fields
-
-   The Signature Expiration and Inception fields specify a validity
-   period for the signature.  The RRSIG record MUST NOT be used for
-   authentication prior to the inception date and MUST NOT be used for
-   authentication after the expiration date.
-
-   The Signature Expiration and Inception field values specify a date
-   and time in the form of a 32-bit unsigned number of seconds elapsed
-   since 1 January 1970 00:00:00 UTC, ignoring leap seconds, in network
-   byte order.  The longest interval that can be expressed by this
-   format without wrapping is approximately 136 years.  An RRSIG RR can
-   have an Expiration field value that is numerically smaller than the
-   Inception field value if the expiration field value is near the
-   32-bit wrap-around point or if the signature is long lived.  Because
-   of this, all comparisons involving these fields MUST use "Serial
-   number arithmetic", as defined in [RFC1982].  As a direct
-   consequence, the values contained in these fields cannot refer to
-   dates more than 68 years in either the past or the future.
-
-3.1.6.  The Key Tag Field
-
-   The Key Tag field contains the key tag value of the DNSKEY RR that
-   validates this signature, in network byte order.  Appendix B explains
-   how to calculate Key Tag values.
-
-3.1.7.  The Signer's Name Field
-
-   The Signer's Name field value identifies the owner name of the DNSKEY
-   RR that a validator is supposed to use to validate this signature.
-   The Signer's Name field MUST contain the name of the zone of the
-   covered RRset.  A sender MUST NOT use DNS name compression on the
-   Signer's Name field when transmitting a RRSIG RR.
-
-3.1.8.  The Signature Field
-
-   The Signature field contains the cryptographic signature that covers
-   the RRSIG RDATA (excluding the Signature field) and the RRset
-   specified by the RRSIG owner name, RRSIG class, and RRSIG Type
-   Covered field.  The format of this field depends on the algorithm in
-   use, and these formats are described in separate companion documents.
-
-3.1.8.1.  Signature Calculation
-
-   A signature covers the RRSIG RDATA (excluding the Signature Field)
-   and covers the data RRset specified by the RRSIG owner name, RRSIG
-   class, and RRSIG Type Covered fields.  The RRset is in canonical form
-   (see Section 6), and the set RR(1),...RR(n) is signed as follows:
-
-
-
-Arends, et al.              Standards Track                     [Page 9]
-
-RFC 4034                DNSSEC Resource Records               March 2005
-
-
-         signature = sign(RRSIG_RDATA | RR(1) | RR(2)... ) where
-
-            "|" denotes concatenation;
-
-            RRSIG_RDATA is the wire format of the RRSIG RDATA fields
-               with the Signer's Name field in canonical form and
-               the Signature field excluded;
-
-            RR(i) = owner | type | class | TTL | RDATA length | RDATA
-
-               "owner" is the fully qualified owner name of the RRset in
-               canonical form (for RRs with wildcard owner names, the
-               wildcard label is included in the owner name);
-
-               Each RR MUST have the same owner name as the RRSIG RR;
-
-               Each RR MUST have the same class as the RRSIG RR;
-
-               Each RR in the RRset MUST have the RR type listed in the
-               RRSIG RR's Type Covered field;
-
-               Each RR in the RRset MUST have the TTL listed in the
-               RRSIG Original TTL Field;
-
-               Any DNS names in the RDATA field of each RR MUST be in
-               canonical form; and
-
-               The RRset MUST be sorted in canonical order.
-
-   See Sections 6.2 and 6.3 for details on canonical form and ordering
-   of RRsets.
-
-3.2.  The RRSIG RR Presentation Format
-
-   The presentation format of the RDATA portion is as follows:
-
-   The Type Covered field is represented as an RR type mnemonic.  When
-   the mnemonic is not known, the TYPE representation as described in
-   [RFC3597], Section 5, MUST be used.
-
-   The Algorithm field value MUST be represented either as an unsigned
-   decimal integer or as an algorithm mnemonic, as specified in Appendix
-   A.1.
-
-   The Labels field value MUST be represented as an unsigned decimal
-   integer.
-
-
-
-
-
-Arends, et al.              Standards Track                    [Page 10]
-
-RFC 4034                DNSSEC Resource Records               March 2005
-
-
-   The Original TTL field value MUST be represented as an unsigned
-   decimal integer.
-
-   The Signature Expiration Time and Inception Time field values MUST be
-   represented either as an unsigned decimal integer indicating seconds
-   since 1 January 1970 00:00:00 UTC, or in the form YYYYMMDDHHmmSS in
-   UTC, where:
-
-      YYYY is the year (0001-9999, but see Section 3.1.5);
-      MM is the month number (01-12);
-      DD is the day of the month (01-31);
-      HH is the hour, in 24 hour notation (00-23);
-      mm is the minute (00-59); and
-      SS is the second (00-59).
-
-   Note that it is always possible to distinguish between these two
-   formats because the YYYYMMDDHHmmSS format will always be exactly 14
-   digits, while the decimal representation of a 32-bit unsigned integer
-   can never be longer than 10 digits.
-
-   The Key Tag field MUST be represented as an unsigned decimal integer.
-
-   The Signer's Name field value MUST be represented as a domain name.
-
-   The Signature field is represented as a Base64 encoding of the
-   signature.  Whitespace is allowed within the Base64 text.  See
-   Section 2.2.
-
-3.3.  RRSIG RR Example
-
-   The following RRSIG RR stores the signature for the A RRset of
-   host.example.com:
-
-   host.example.com. 86400 IN RRSIG A 5 3 86400 20030322173103 (
-                                  20030220173103 2642 example.com.
-                                  oJB1W6WNGv+ldvQ3WDG0MQkg5IEhjRip8WTr
-                                  PYGv07h108dUKGMeDPKijVCHX3DDKdfb+v6o
-                                  B9wfuh3DTJXUAfI/M0zmO/zz8bW0Rznl8O3t
-                                  GNazPwQKkRN20XPXV6nwwfoXmJQbsLNrLfkG
-                                  J5D6fwFm8nN+6pBzeDQfsS3Ap3o= )
-
-   The first four fields specify the owner name, TTL, Class, and RR type
-   (RRSIG).  The "A" represents the Type Covered field.  The value 5
-   identifies the algorithm used (RSA/SHA1) to create the signature.
-   The value 3 is the number of Labels in the original owner name.  The
-   value 86400 in the RRSIG RDATA is the Original TTL for the covered A
-   RRset.  20030322173103 and 20030220173103 are the expiration and
-
-
-
-
-Arends, et al.              Standards Track                    [Page 11]
-
-RFC 4034                DNSSEC Resource Records               March 2005
-
-
-   inception dates, respectively.  2642 is the Key Tag, and example.com.
-   is the Signer's Name.  The remaining text is a Base64 encoding of the
-   signature.
-
-   Note that combination of RRSIG RR owner name, class, and Type Covered
-   indicates that this RRSIG covers the "host.example.com" A RRset.  The
-   Label value of 3 indicates that no wildcard expansion was used.  The
-   Algorithm, Signer's Name, and Key Tag indicate that this signature
-   can be authenticated using an example.com zone DNSKEY RR whose
-   algorithm is 5 and whose key tag is 2642.
-
-4.  The NSEC Resource Record
-
-   The NSEC resource record lists two separate things: the next owner
-   name (in the canonical ordering of the zone) that contains
-   authoritative data or a delegation point NS RRset, and the set of RR
-   types present at the NSEC RR's owner name [RFC3845].  The complete
-   set of NSEC RRs in a zone indicates which authoritative RRsets exist
-   in a zone and also form a chain of authoritative owner names in the
-   zone.  This information is used to provide authenticated denial of
-   existence for DNS data, as described in [RFC4035].
-
-   Because every authoritative name in a zone must be part of the NSEC
-   chain, NSEC RRs must be present for names containing a CNAME RR.
-   This is a change to the traditional DNS specification [RFC1034],
-   which stated that if a CNAME is present for a name, it is the only
-   type allowed at that name.  An RRSIG (see Section 3) and NSEC MUST
-   exist for the same name as does a CNAME resource record in a signed
-   zone.
-
-   See [RFC4035] for discussion of how a zone signer determines
-   precisely which NSEC RRs it has to include in a zone.
-
-   The type value for the NSEC RR is 47.
-
-   The NSEC RR is class independent.
-
-   The NSEC RR SHOULD have the same TTL value as the SOA minimum TTL
-   field.  This is in the spirit of negative caching ([RFC2308]).
-
-
-
-
-
-
-
-
-
-
-
-
-Arends, et al.              Standards Track                    [Page 12]
-
-RFC 4034                DNSSEC Resource Records               March 2005
-
-
-4.1.  NSEC RDATA Wire Format
-
-   The RDATA of the NSEC RR is as shown below:
-
-                        1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
-    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   /                      Next Domain Name                         /
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   /                       Type Bit Maps                           /
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-
-4.1.1.  The Next Domain Name Field
-
-   The Next Domain field contains the next owner name (in the canonical
-   ordering of the zone) that has authoritative data or contains a
-   delegation point NS RRset; see Section 6.1 for an explanation of
-   canonical ordering.  The value of the Next Domain Name field in the
-   last NSEC record in the zone is the name of the zone apex (the owner
-   name of the zone's SOA RR).  This indicates that the owner name of
-   the NSEC RR is the last name in the canonical ordering of the zone.
-
-   A sender MUST NOT use DNS name compression on the Next Domain Name
-   field when transmitting an NSEC RR.
-
-   Owner names of RRsets for which the given zone is not authoritative
-   (such as glue records) MUST NOT be listed in the Next Domain Name
-   unless at least one authoritative RRset exists at the same owner
-   name.
-
-4.1.2.  The Type Bit Maps Field
-
-   The Type Bit Maps field identifies the RRset types that exist at the
-   NSEC RR's owner name.
-
-   The RR type space is split into 256 window blocks, each representing
-   the low-order 8 bits of the 16-bit RR type space.  Each block that
-   has at least one active RR type is encoded using a single octet
-   window number (from 0 to 255), a single octet bitmap length (from 1
-   to 32) indicating the number of octets used for the window block's
-   bitmap, and up to 32 octets (256 bits) of bitmap.
-
-   Blocks are present in the NSEC RR RDATA in increasing numerical
-   order.
-
-      Type Bit Maps Field = ( Window Block # | Bitmap Length | Bitmap )+
-
-      where "|" denotes concatenation.
-
-
-
-Arends, et al.              Standards Track                    [Page 13]
-
-RFC 4034                DNSSEC Resource Records               March 2005
-
-
-   Each bitmap encodes the low-order 8 bits of RR types within the
-   window block, in network bit order.  The first bit is bit 0.  For
-   window block 0, bit 1 corresponds to RR type 1 (A), bit 2 corresponds
-   to RR type 2 (NS), and so forth.  For window block 1, bit 1
-   corresponds to RR type 257, and bit 2 to RR type 258.  If a bit is
-   set, it indicates that an RRset of that type is present for the NSEC
-   RR's owner name.  If a bit is clear, it indicates that no RRset of
-   that type is present for the NSEC RR's owner name.
-
-   Bits representing pseudo-types MUST be clear, as they do not appear
-   in zone data.  If encountered, they MUST be ignored upon being read.
-
-   Blocks with no types present MUST NOT be included.  Trailing zero
-   octets in the bitmap MUST be omitted.  The length of each block's
-   bitmap is determined by the type code with the largest numerical
-   value, within that block, among the set of RR types present at the
-   NSEC RR's owner name.  Trailing zero octets not specified MUST be
-   interpreted as zero octets.
-
-   The bitmap for the NSEC RR at a delegation point requires special
-   attention.  Bits corresponding to the delegation NS RRset and the RR
-   types for which the parent zone has authoritative data MUST be set;
-   bits corresponding to any non-NS RRset for which the parent is not
-   authoritative MUST be clear.
-
-   A zone MUST NOT include an NSEC RR for any domain name that only
-   holds glue records.
-
-4.1.3.  Inclusion of Wildcard Names in NSEC RDATA
-
-   If a wildcard owner name appears in a zone, the wildcard label ("*")
-   is treated as a literal symbol and is treated the same as any other
-   owner name for the purposes of generating NSEC RRs.  Wildcard owner
-   names appear in the Next Domain Name field without any wildcard
-   expansion.  [RFC4035] describes the impact of wildcards on
-   authenticated denial of existence.
-
-4.2.  The NSEC RR Presentation Format
-
-   The presentation format of the RDATA portion is as follows:
-
-   The Next Domain Name field is represented as a domain name.
-
-   The Type Bit Maps field is represented as a sequence of RR type
-   mnemonics.  When the mnemonic is not known, the TYPE representation
-   described in [RFC3597], Section 5, MUST be used.
-
-
-
-
-
-Arends, et al.              Standards Track                    [Page 14]
-
-RFC 4034                DNSSEC Resource Records               March 2005
-
-
-4.3.  NSEC RR Example
-
-   The following NSEC RR identifies the RRsets associated with
-   alfa.example.com. and identifies the next authoritative name after
-   alfa.example.com.
-
-   alfa.example.com. 86400 IN NSEC host.example.com. (
-                                   A MX RRSIG NSEC TYPE1234 )
-
-   The first four text fields specify the name, TTL, Class, and RR type
-   (NSEC).  The entry host.example.com. is the next authoritative name
-   after alfa.example.com. in canonical order.  The A, MX, RRSIG, NSEC,
-   and TYPE1234 mnemonics indicate that there are A, MX, RRSIG, NSEC,
-   and TYPE1234 RRsets associated with the name alfa.example.com.
-
-   The RDATA section of the NSEC RR above would be encoded as:
-
-            0x04 'h'  'o'  's'  't'
-            0x07 'e'  'x'  'a'  'm'  'p'  'l'  'e'
-            0x03 'c'  'o'  'm'  0x00
-            0x00 0x06 0x40 0x01 0x00 0x00 0x00 0x03
-            0x04 0x1b 0x00 0x00 0x00 0x00 0x00 0x00
-            0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
-            0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
-            0x00 0x00 0x00 0x00 0x20
-
-   Assuming that the validator can authenticate this NSEC record, it
-   could be used to prove that beta.example.com does not exist, or to
-   prove that there is no AAAA record associated with alfa.example.com.
-   Authenticated denial of existence is discussed in [RFC4035].
-
-5.  The DS Resource Record
-
-   The DS Resource Record refers to a DNSKEY RR and is used in the DNS
-   DNSKEY authentication process.  A DS RR refers to a DNSKEY RR by
-   storing the key tag, algorithm number, and a digest of the DNSKEY RR.
-   Note that while the digest should be sufficient to identify the
-   public key, storing the key tag and key algorithm helps make the
-   identification process more efficient.  By authenticating the DS
-   record, a resolver can authenticate the DNSKEY RR to which the DS
-   record points.  The key authentication process is described in
-   [RFC4035].
-
-   The DS RR and its corresponding DNSKEY RR have the same owner name,
-   but they are stored in different locations.  The DS RR appears only
-   on the upper (parental) side of a delegation, and is authoritative
-   data in the parent zone.  For example, the DS RR for "example.com" is
-   stored in the "com" zone (the parent zone) rather than in the
-
-
-
-Arends, et al.              Standards Track                    [Page 15]
-
-RFC 4034                DNSSEC Resource Records               March 2005
-
-
-   "example.com" zone (the child zone).  The corresponding DNSKEY RR is
-   stored in the "example.com" zone (the child zone).  This simplifies
-   DNS zone management and zone signing but introduces special response
-   processing requirements for the DS RR; these are described in
-   [RFC4035].
-
-   The type number for the DS record is 43.
-
-   The DS resource record is class independent.
-
-   The DS RR has no special TTL requirements.
-
-5.1.  DS RDATA Wire Format
-
-   The RDATA for a DS RR consists of a 2 octet Key Tag field, a 1 octet
-   Algorithm field, a 1 octet Digest Type field, and a Digest field.
-
-                        1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
-    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   |           Key Tag             |  Algorithm    |  Digest Type  |
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   /                                                               /
-   /                            Digest                             /
-   /                                                               /
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-
-5.1.1.  The Key Tag Field
-
-   The Key Tag field lists the key tag of the DNSKEY RR referred to by
-   the DS record, in network byte order.
-
-   The Key Tag used by the DS RR is identical to the Key Tag used by
-   RRSIG RRs.  Appendix B describes how to compute a Key Tag.
-
-5.1.2.  The Algorithm Field
-
-   The Algorithm field lists the algorithm number of the DNSKEY RR
-   referred to by the DS record.
-
-   The algorithm number used by the DS RR is identical to the algorithm
-   number used by RRSIG and DNSKEY RRs.  Appendix A.1 lists the
-   algorithm number types.
-
-
-
-
-
-
-
-
-Arends, et al.              Standards Track                    [Page 16]
-
-RFC 4034                DNSSEC Resource Records               March 2005
-
-
-5.1.3.  The Digest Type Field
-
-   The DS RR refers to a DNSKEY RR by including a digest of that DNSKEY
-   RR.  The Digest Type field identifies the algorithm used to construct
-   the digest.  Appendix A.2 lists the possible digest algorithm types.
-
-5.1.4.  The Digest Field
-
-   The DS record refers to a DNSKEY RR by including a digest of that
-   DNSKEY RR.
-
-   The digest is calculated by concatenating the canonical form of the
-   fully qualified owner name of the DNSKEY RR with the DNSKEY RDATA,
-   and then applying the digest algorithm.
-
-     digest = digest_algorithm( DNSKEY owner name | DNSKEY RDATA);
-
-      "|" denotes concatenation
-
-     DNSKEY RDATA = Flags | Protocol | Algorithm | Public Key.
-
-   The size of the digest may vary depending on the digest algorithm and
-   DNSKEY RR size.  As of the time of this writing, the only defined
-   digest algorithm is SHA-1, which produces a 20 octet digest.
-
-5.2.  Processing of DS RRs When Validating Responses
-
-   The DS RR links the authentication chain across zone boundaries, so
-   the DS RR requires extra care in processing.  The DNSKEY RR referred
-   to in the DS RR MUST be a DNSSEC zone key.  The DNSKEY RR Flags MUST
-   have Flags bit 7 set.  If the DNSKEY flags do not indicate a DNSSEC
-   zone key, the DS RR (and the DNSKEY RR it references) MUST NOT be
-   used in the validation process.
-
-5.3.  The DS RR Presentation Format
-
-   The presentation format of the RDATA portion is as follows:
-
-   The Key Tag field MUST be represented as an unsigned decimal integer.
-
-   The Algorithm field MUST be represented either as an unsigned decimal
-   integer or as an algorithm mnemonic specified in Appendix A.1.
-
-   The Digest Type field MUST be represented as an unsigned decimal
-   integer.
-
-
-
-
-
-
-Arends, et al.              Standards Track                    [Page 17]
-
-RFC 4034                DNSSEC Resource Records               March 2005
-
-
-   The Digest MUST be represented as a sequence of case-insensitive
-   hexadecimal digits.  Whitespace is allowed within the hexadecimal
-   text.
-
-5.4.  DS RR Example
-
-   The following example shows a DNSKEY RR and its corresponding DS RR.
-
-   dskey.example.com. 86400 IN DNSKEY 256 3 5 ( AQOeiiR0GOMYkDshWoSKz9Xz
-                                             fwJr1AYtsmx3TGkJaNXVbfi/
-                                             2pHm822aJ5iI9BMzNXxeYCmZ
-                                             DRD99WYwYqUSdjMmmAphXdvx
-                                             egXd/M5+X7OrzKBaMbCVdFLU
-                                             Uh6DhweJBjEVv5f2wwjM9Xzc
-                                             nOf+EPbtG9DMBmADjFDc2w/r
-                                             ljwvFw==
-                                             ) ;  key id = 60485
-
-   dskey.example.com. 86400 IN DS 60485 5 1 ( 2BB183AF5F22588179A53B0A
-                                              98631FAD1A292118 )
-
-   The first four text fields specify the name, TTL, Class, and RR type
-   (DS).  Value 60485 is the key tag for the corresponding
-   "dskey.example.com." DNSKEY RR, and value 5 denotes the algorithm
-   used by this "dskey.example.com." DNSKEY RR.  The value 1 is the
-   algorithm used to construct the digest, and the rest of the RDATA
-   text is the digest in hexadecimal.
-
-6.  Canonical Form and Order of Resource Records
-
-   This section defines a canonical form for resource records, a
-   canonical ordering of DNS names, and a canonical ordering of resource
-   records within an RRset.  A canonical name order is required to
-   construct the NSEC name chain.  A canonical RR form and ordering
-   within an RRset are required in order to construct and verify RRSIG
-   RRs.
-
-6.1.  Canonical DNS Name Order
-
-   For the purposes of DNS security, owner names are ordered by treating
-   individual labels as unsigned left-justified octet strings.  The
-   absence of a octet sorts before a zero value octet, and uppercase
-   US-ASCII letters are treated as if they were lowercase US-ASCII
-   letters.
-
-
-
-
-
-
-
-Arends, et al.              Standards Track                    [Page 18]
-
-RFC 4034                DNSSEC Resource Records               March 2005
-
-
-   To compute the canonical ordering of a set of DNS names, start by
-   sorting the names according to their most significant (rightmost)
-   labels.  For names in which the most significant label is identical,
-   continue sorting according to their next most significant label, and
-   so forth.
-
-   For example, the following names are sorted in canonical DNS name
-   order.  The most significant label is "example".  At this level,
-   "example" sorts first, followed by names ending in "a.example", then
-   by names ending "z.example".  The names within each level are sorted
-   in the same way.
-
-             example
-             a.example
-             yljkjljk.a.example
-             Z.a.example
-             zABC.a.EXAMPLE
-             z.example
-             \001.z.example
-             *.z.example
-             \200.z.example
-
-6.2.  Canonical RR Form
-
-   For the purposes of DNS security, the canonical form of an RR is the
-   wire format of the RR where:
-
-   1.  every domain name in the RR is fully expanded (no DNS name
-       compression) and fully qualified;
-
-   2.  all uppercase US-ASCII letters in the owner name of the RR are
-       replaced by the corresponding lowercase US-ASCII letters;
-
-   3.  if the type of the RR is NS, MD, MF, CNAME, SOA, MB, MG, MR, PTR,
-       HINFO, MINFO, MX, HINFO, RP, AFSDB, RT, SIG, PX, NXT, NAPTR, KX,
-       SRV, DNAME, A6, RRSIG, or NSEC, all uppercase US-ASCII letters in
-       the DNS names contained within the RDATA are replaced by the
-       corresponding lowercase US-ASCII letters;
-
-   4.  if the owner name of the RR is a wildcard name, the owner name is
-       in its original unexpanded form, including the "*" label (no
-       wildcard substitution); and
-
-   5.  the RR's TTL is set to its original value as it appears in the
-       originating authoritative zone or the Original TTL field of the
-       covering RRSIG RR.
-
-
-
-
-
-Arends, et al.              Standards Track                    [Page 19]
-
-RFC 4034                DNSSEC Resource Records               March 2005
-
-
-6.3.  Canonical RR Ordering within an RRset
-
-   For the purposes of DNS security, RRs with the same owner name,
-   class, and type are sorted by treating the RDATA portion of the
-   canonical form of each RR as a left-justified unsigned octet sequence
-   in which the absence of an octet sorts before a zero octet.
-
-   [RFC2181] specifies that an RRset is not allowed to contain duplicate
-   records (multiple RRs with the same owner name, class, type, and
-   RDATA).  Therefore, if an implementation detects duplicate RRs when
-   putting the RRset in canonical form, it MUST treat this as a protocol
-   error.  If the implementation chooses to handle this protocol error
-   in the spirit of the robustness principle (being liberal in what it
-   accepts), it MUST remove all but one of the duplicate RR(s) for the
-   purposes of calculating the canonical form of the RRset.
-
-7.  IANA Considerations
-
-   This document introduces no new IANA considerations, as all of the
-   protocol parameters used in this document have already been assigned
-   by previous specifications.  However, since the evolution of DNSSEC
-   has been long and somewhat convoluted, this section attempts to
-   describe the current state of the IANA registries and other protocol
-   parameters that are (or once were) related to DNSSEC.
-
-   Please refer to [RFC4035] for additional IANA considerations.
-
-   DNS Resource Record Types: [RFC2535] assigned types 24, 25, and 30 to
-      the SIG, KEY, and NXT RRs, respectively.  [RFC3658] assigned DNS
-      Resource Record Type 43 to DS.  [RFC3755] assigned types 46, 47,
-      and 48 to the RRSIG, NSEC, and DNSKEY RRs, respectively.
-      [RFC3755] also marked type 30 (NXT) as Obsolete and restricted use
-      of types 24 (SIG) and 25 (KEY) to the "SIG(0)" transaction
-      security protocol described in [RFC2931] and to the transaction
-      KEY Resource Record described in [RFC2930].
-
-   DNS Security Algorithm Numbers: [RFC2535] created an IANA registry
-      for DNSSEC Resource Record Algorithm field numbers and assigned
-      values 1-4 and 252-255.  [RFC3110] assigned value 5.  [RFC3755]
-      altered this registry to include flags for each entry regarding
-      its use with the DNS security extensions.  Each algorithm entry
-      could refer to an algorithm that can be used for zone signing,
-      transaction security (see [RFC2931]), or both.  Values 6-251 are
-      available for assignment by IETF standards action ([RFC3755]).
-      See Appendix A for a full listing of the DNS Security Algorithm
-      Numbers entries at the time of this writing and their status for
-      use in DNSSEC.
-
-
-
-
-Arends, et al.              Standards Track                    [Page 20]
-
-RFC 4034                DNSSEC Resource Records               March 2005
-
-
-      [RFC3658] created an IANA registry for DNSSEC DS Digest Types and
-      assigned value 0 to reserved and value 1 to SHA-1.
-
-   KEY Protocol Values: [RFC2535] created an IANA Registry for KEY
-      Protocol Values, but [RFC3445] reassigned all values other than 3
-      to reserved and closed this IANA registry.  The registry remains
-      closed, and all KEY and DNSKEY records are required to have a
-      Protocol Octet value of 3.
-
-   Flag bits in the KEY and DNSKEY RRs: [RFC3755] created an IANA
-      registry for the DNSSEC KEY and DNSKEY RR flag bits.  Initially,
-      this registry only contains assignments for bit 7 (the ZONE bit)
-      and bit 15 (the Secure Entry Point flag (SEP) bit; see [RFC3757]).
-      As stated in [RFC3755], bits 0-6 and 8-14 are available for
-      assignment by IETF Standards Action.
-
-8.  Security Considerations
-
-   This document describes the format of four DNS resource records used
-   by the DNS security extensions and presents an algorithm for
-   calculating a key tag for a public key.  Other than the items
-   described below, the resource records themselves introduce no
-   security considerations.  Please see [RFC4033] and [RFC4035] for
-   additional security considerations related to the use of these
-   records.
-
-   The DS record points to a DNSKEY RR by using a cryptographic digest,
-   the key algorithm type, and a key tag.  The DS record is intended to
-   identify an existing DNSKEY RR, but it is theoretically possible for
-   an attacker to generate a DNSKEY that matches all the DS fields.  The
-   probability of constructing a matching DNSKEY depends on the type of
-   digest algorithm in use.  The only currently defined digest algorithm
-   is SHA-1, and the working group believes that constructing a public
-   key that would match the algorithm, key tag, and SHA-1 digest given
-   in a DS record would be a sufficiently difficult problem that such an
-   attack is not a serious threat at this time.
-
-   The key tag is used to help select DNSKEY resource records
-   efficiently, but it does not uniquely identify a single DNSKEY
-   resource record.  It is possible for two distinct DNSKEY RRs to have
-   the same owner name, the same algorithm type, and the same key tag.
-   An implementation that uses only the key tag to select a DNSKEY RR
-   might select the wrong public key in some circumstances.  Please see
-   Appendix B for further details.
-
-
-
-
-
-
-
-Arends, et al.              Standards Track                    [Page 21]
-
-RFC 4034                DNSSEC Resource Records               March 2005
-
-
-   The table of algorithms in Appendix A and the key tag calculation
-   algorithms in Appendix B include the RSA/MD5 algorithm for
-   completeness, but the RSA/MD5 algorithm is NOT RECOMMENDED, as
-   explained in [RFC3110].
-
-9.  Acknowledgements
-
-   This document was created from the input and ideas of the members of
-   the DNS Extensions Working Group and working group mailing list.  The
-   editors would like to express their thanks for the comments and
-   suggestions received during the revision of these security extension
-   specifications.  Although explicitly listing everyone who has
-   contributed during the decade in which DNSSEC has been under
-   development would be impossible, [RFC4033] includes a list of some of
-   the participants who were kind enough to comment on these documents.
-
-10.  References
-
-10.1.  Normative References
-
-   [RFC1034]  Mockapetris, P., "Domain names - concepts and facilities",
-              STD 13, RFC 1034, November 1987.
-
-   [RFC1035]  Mockapetris, P., "Domain names - implementation and
-              specification", STD 13, RFC 1035, November 1987.
-
-   [RFC1982]  Elz, R. and R. Bush, "Serial Number Arithmetic", RFC 1982,
-              August 1996.
-
-   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
-              Requirement Levels", BCP 14, RFC 2119, March 1997.
-
-   [RFC2181]  Elz, R. and R. Bush, "Clarifications to the DNS
-              Specification", RFC 2181, July 1997.
-
-   [RFC2308]  Andrews, M., "Negative Caching of DNS Queries (DNS
-              NCACHE)", RFC 2308, March 1998.
-
-   [RFC2536]  Eastlake 3rd, D., "DSA KEYs and SIGs in the Domain Name
-              System (DNS)", RFC 2536, March 1999.
-
-   [RFC2931]  Eastlake 3rd, D., "DNS Request and Transaction Signatures
-              ( SIG(0)s )", RFC 2931, September 2000.
-
-   [RFC3110]  Eastlake 3rd, D., "RSA/SHA-1 SIGs and RSA KEYs in the
-              Domain Name System (DNS)", RFC 3110, May 2001.
-
-
-
-
-
-Arends, et al.              Standards Track                    [Page 22]
-
-RFC 4034                DNSSEC Resource Records               March 2005
-
-
-   [RFC3445]  Massey, D. and S. Rose, "Limiting the Scope of the KEY
-              Resource Record (RR)", RFC 3445, December 2002.
-
-   [RFC3548]  Josefsson, S., "The Base16, Base32, and Base64 Data
-              Encodings", RFC 3548, July 2003.
-
-   [RFC3597]  Gustafsson, A., "Handling of Unknown DNS Resource Record
-              (RR) Types", RFC 3597, September 2003.
-
-   [RFC3658]  Gudmundsson, O., "Delegation Signer (DS) Resource Record
-              (RR)", RFC 3658, December 2003.
-
-   [RFC3755]  Weiler, S., "Legacy Resolver Compatibility for Delegation
-              Signer (DS)", RFC 3755, May 2004.
-
-   [RFC3757]  Kolkman, O., Schlyter, J., and E. Lewis, "Domain Name
-              System KEY (DNSKEY) Resource Record (RR) Secure Entry
-              Point (SEP) Flag", RFC 3757, April 2004.
-
-   [RFC4033]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
-              Rose, "DNS Security Introduction and Requirements", RFC
-              4033, March 2005.
-
-   [RFC4035]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
-              Rose, "Protocol Modifications for the DNS Security
-              Extensions", RFC 4035, March 2005.
-
-10.2.  Informative References
-
-   [RFC2535]  Eastlake 3rd, D., "Domain Name System Security
-              Extensions", RFC 2535, March 1999.
-
-   [RFC2537]  Eastlake 3rd, D., "RSA/MD5 KEYs and SIGs in the Domain
-              Name System (DNS)", RFC 2537, March 1999.
-
-   [RFC2539]  Eastlake 3rd, D., "Storage of Diffie-Hellman Keys in the
-              Domain Name System (DNS)", RFC 2539, March 1999.
-
-   [RFC2930]  Eastlake 3rd, D., "Secret Key Establishment for DNS (TKEY
-              RR)", RFC 2930, September 2000.
-
-   [RFC3845]  Schlyter, J., "DNS Security (DNSSEC) NextSECure (NSEC)
-              RDATA Format", RFC 3845, August 2004.
-
-
-
-
-
-
-
-
-Arends, et al.              Standards Track                    [Page 23]
-
-RFC 4034                DNSSEC Resource Records               March 2005
-
-
-Appendix A.  DNSSEC Algorithm and Digest Types
-
-   The DNS security extensions are designed to be independent of the
-   underlying cryptographic algorithms.  The DNSKEY, RRSIG, and DS
-   resource records all use a DNSSEC Algorithm Number to identify the
-   cryptographic algorithm in use by the resource record.  The DS
-   resource record also specifies a Digest Algorithm Number to identify
-   the digest algorithm used to construct the DS record.  The currently
-   defined Algorithm and Digest Types are listed below.  Additional
-   Algorithm or Digest Types could be added as advances in cryptography
-   warrant them.
-
-   A DNSSEC aware resolver or name server MUST implement all MANDATORY
-   algorithms.
-
-A.1.  DNSSEC Algorithm Types
-
-   The DNSKEY, RRSIG, and DS RRs use an 8-bit number to identify the
-   security algorithm being used.  These values are stored in the
-   "Algorithm number" field in the resource record RDATA.
-
-   Some algorithms are usable only for zone signing (DNSSEC), some only
-   for transaction security mechanisms (SIG(0) and TSIG), and some for
-   both.  Those usable for zone signing may appear in DNSKEY, RRSIG, and
-   DS RRs.  Those usable for transaction security would be present in
-   SIG(0) and KEY RRs, as described in [RFC2931].
-
-                                Zone
-   Value Algorithm [Mnemonic]  Signing  References   Status
-   ----- -------------------- --------- ----------  ---------
-     0   reserved
-     1   RSA/MD5 [RSAMD5]         n      [RFC2537]  NOT RECOMMENDED
-     2   Diffie-Hellman [DH]      n      [RFC2539]   -
-     3   DSA/SHA-1 [DSA]          y      [RFC2536]  OPTIONAL
-     4   Elliptic Curve [ECC]              TBA       -
-     5   RSA/SHA-1 [RSASHA1]      y      [RFC3110]  MANDATORY
-   252   Indirect [INDIRECT]      n                  -
-   253   Private [PRIVATEDNS]     y      see below  OPTIONAL
-   254   Private [PRIVATEOID]     y      see below  OPTIONAL
-   255   reserved
-
-   6 - 251  Available for assignment by IETF Standards Action.
-
-
-
-
-
-
-
-
-
-Arends, et al.              Standards Track                    [Page 24]
-
-RFC 4034                DNSSEC Resource Records               March 2005
-
-
-A.1.1.  Private Algorithm Types
-
-   Algorithm number 253 is reserved for private use and will never be
-   assigned to a specific algorithm.  The public key area in the DNSKEY
-   RR and the signature area in the RRSIG RR begin with a wire encoded
-   domain name, which MUST NOT be compressed.  The domain name indicates
-   the private algorithm to use, and the remainder of the public key
-   area is determined by that algorithm.  Entities should only use
-   domain names they control to designate their private algorithms.
-
-   Algorithm number 254 is reserved for private use and will never be
-   assigned to a specific algorithm.  The public key area in the DNSKEY
-   RR and the signature area in the RRSIG RR begin with an unsigned
-   length byte followed by a BER encoded Object Identifier (ISO OID) of
-   that length.  The OID indicates the private algorithm in use, and the
-   remainder of the area is whatever is required by that algorithm.
-   Entities should only use OIDs they control to designate their private
-   algorithms.
-
-A.2.  DNSSEC Digest Types
-
-   A "Digest Type" field in the DS resource record types identifies the
-   cryptographic digest algorithm used by the resource record.  The
-   following table lists the currently defined digest algorithm types.
-
-              VALUE   Algorithm                 STATUS
-                0      Reserved                   -
-                1      SHA-1                   MANDATORY
-              2-255    Unassigned                 -
-
-Appendix B.  Key Tag Calculation
-
-   The Key Tag field in the RRSIG and DS resource record types provides
-   a mechanism for selecting a public key efficiently.  In most cases, a
-   combination of owner name, algorithm, and key tag can efficiently
-   identify a DNSKEY record.  Both the RRSIG and DS resource records
-   have corresponding DNSKEY records.  The Key Tag field in the RRSIG
-   and DS records can be used to help select the corresponding DNSKEY RR
-   efficiently when more than one candidate DNSKEY RR is available.
-
-   However, it is essential to note that the key tag is not a unique
-   identifier.  It is theoretically possible for two distinct DNSKEY RRs
-   to have the same owner name, the same algorithm, and the same key
-   tag.  The key tag is used to limit the possible candidate keys, but
-   it does not uniquely identify a DNSKEY record.  Implementations MUST
-   NOT assume that the key tag uniquely identifies a DNSKEY RR.
-
-
-
-
-
-Arends, et al.              Standards Track                    [Page 25]
-
-RFC 4034                DNSSEC Resource Records               March 2005
-
-
-   The key tag is the same for all DNSKEY algorithm types except
-   algorithm 1 (please see Appendix B.1 for the definition of the key
-   tag for algorithm 1).  The key tag algorithm is the sum of the wire
-   format of the DNSKEY RDATA broken into 2 octet groups.  First, the
-   RDATA (in wire format) is treated as a series of 2 octet groups.
-   These groups are then added together, ignoring any carry bits.
-
-   A reference implementation of the key tag algorithm is as an ANSI C
-   function is given below, with the RDATA portion of the DNSKEY RR is
-   used as input.  It is not necessary to use the following reference
-   code verbatim, but the numerical value of the Key Tag MUST be
-   identical to what the reference implementation would generate for the
-   same input.
-
-   Please note that the algorithm for calculating the Key Tag is almost
-   but not completely identical to the familiar ones-complement checksum
-   used in many other Internet protocols.  Key Tags MUST be calculated
-   using the algorithm described here rather than the ones complement
-   checksum.
-
-   The following ANSI C reference implementation calculates the value of
-   a Key Tag.  This reference implementation applies to all algorithm
-   types except algorithm 1 (see Appendix B.1).  The input is the wire
-   format of the RDATA portion of the DNSKEY RR.  The code is written
-   for clarity, not efficiency.
-
-   /*
-    * Assumes that int is at least 16 bits.
-    * First octet of the key tag is the most significant 8 bits of the
-    * return value;
-    * Second octet of the key tag is the least significant 8 bits of the
-    * return value.
-    */
-
-   unsigned int
-   keytag (
-           unsigned char key[],  /* the RDATA part of the DNSKEY RR */
-           unsigned int keysize  /* the RDLENGTH */
-          )
-   {
-           unsigned long ac;     /* assumed to be 32 bits or larger */
-           int i;                /* loop index */
-
-           for ( ac = 0, i = 0; i < keysize; ++i )
-                   ac += (i & 1) ? key[i] : key[i] << 8;
-           ac += (ac >> 16) & 0xFFFF;
-           return ac & 0xFFFF;
-   }
-
-
-
-Arends, et al.              Standards Track                    [Page 26]
-
-RFC 4034                DNSSEC Resource Records               March 2005
-
-
-B.1.  Key Tag for Algorithm 1 (RSA/MD5)
-
-   The key tag for algorithm 1 (RSA/MD5) is defined differently from the
-   key tag for all other algorithms, for historical reasons.  For a
-   DNSKEY RR with algorithm 1, the key tag is defined to be the most
-   significant 16 bits of the least significant 24 bits in the public
-   key modulus (in other words, the 4th to last and 3rd to last octets
-   of the public key modulus).
-
-   Please note that Algorithm 1 is NOT RECOMMENDED.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Arends, et al.              Standards Track                    [Page 27]
-
-RFC 4034                DNSSEC Resource Records               March 2005
-
-
-Authors' Addresses
-
-   Roy Arends
-   Telematica Instituut
-   Brouwerijstraat 1
-   7523 XC  Enschede
-   NL
-
-   EMail: roy.arends@telin.nl
-
-
-   Rob Austein
-   Internet Systems Consortium
-   950 Charter Street
-   Redwood City, CA  94063
-   USA
-
-   EMail: sra@isc.org
-
-
-   Matt Larson
-   VeriSign, Inc.
-   21345 Ridgetop Circle
-   Dulles, VA  20166-6503
-   USA
-
-   EMail: mlarson@verisign.com
-
-
-   Dan Massey
-   Colorado State University
-   Department of Computer Science
-   Fort Collins, CO 80523-1873
-
-   EMail: massey@cs.colostate.edu
-
-
-   Scott Rose
-   National Institute for Standards and Technology
-   100 Bureau Drive
-   Gaithersburg, MD  20899-8920
-   USA
-
-   EMail: scott.rose@nist.gov
-
-
-
-
-
-
-
-Arends, et al.              Standards Track                    [Page 28]
-
-RFC 4034                DNSSEC Resource Records               March 2005
-
-
-Full Copyright Statement
-
-   Copyright (C) The Internet Society (2005).
-
-   This document is subject to the rights, licenses and restrictions
-   contained in BCP 78, and except as set forth therein, the authors
-   retain all their rights.
-
-   This document and the information contained herein are provided on an
-   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
-   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
-   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
-   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
-   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Intellectual Property
-
-   The IETF takes no position regarding the validity or scope of any
-   Intellectual Property Rights or other rights that might be claimed to
-   pertain to the implementation or use of the technology described in
-   this document or the extent to which any license under such rights
-   might or might not be available; nor does it represent that it has
-   made any independent effort to identify any such rights.  Information
-   on the procedures with respect to rights in RFC documents can be
-   found in BCP 78 and BCP 79.
-
-   Copies of IPR disclosures made to the IETF Secretariat and any
-   assurances of licenses to be made available, or the result of an
-   attempt made to obtain a general license or permission for the use of
-   such proprietary rights by implementers or users of this
-   specification can be obtained from the IETF on-line IPR repository at
-   http://www.ietf.org/ipr.
-
-   The IETF invites any interested party to bring to its attention any
-   copyrights, patents or patent applications, or other proprietary
-   rights that may cover technology that may be required to implement
-   this standard.  Please address the information to the IETF at ietf-
-   ipr@ietf.org.
-
-Acknowledgement
-
-   Funding for the RFC Editor function is currently provided by the
-   Internet Society.
-
-
-
-
-
-
-
-Arends, et al.              Standards Track                    [Page 29]
-
diff --git a/doc/rfc/rfc4035.txt b/doc/rfc/rfc4035.txt
deleted file mode 100644
index b701cd2f..00000000
--- a/doc/rfc/rfc4035.txt
+++ /dev/null
@@ -1,2971 +0,0 @@
-
-
-
-
-
-
-Network Working Group                                          R. Arends
-Request for Comments: 4035                          Telematica Instituut
-Obsoletes: 2535, 3008, 3090, 3445, 3655, 3658,                R. Austein
-           3755, 3757, 3845                                          ISC
-Updates: 1034, 1035, 2136, 2181, 2308, 3225,                   M. Larson
-         3007, 3597, 3226                                       VeriSign
-Category: Standards Track                                      D. Massey
-                                               Colorado State University
-                                                                 S. Rose
-                                                                    NIST
-                                                              March 2005
-
-
-         Protocol Modifications for the DNS Security Extensions
-
-Status of This Memo
-
-   This document specifies an Internet standards track protocol for the
-   Internet community, and requests discussion and suggestions for
-   improvements.  Please refer to the current edition of the "Internet
-   Official Protocol Standards" (STD 1) for the standardization state
-   and status of this protocol.  Distribution of this memo is unlimited.
-
-Copyright Notice
-
-   Copyright (C) The Internet Society (2005).
-
-Abstract
-
-   This document is part of a family of documents that describe the DNS
-   Security Extensions (DNSSEC).  The DNS Security Extensions are a
-   collection of new resource records and protocol modifications that
-   add data origin authentication and data integrity to the DNS.  This
-   document describes the DNSSEC protocol modifications.  This document
-   defines the concept of a signed zone, along with the requirements for
-   serving and resolving by using DNSSEC.  These techniques allow a
-   security-aware resolver to authenticate both DNS resource records and
-   authoritative DNS error indications.
-
-   This document obsoletes RFC 2535 and incorporates changes from all
-   updates to RFC 2535.
-
-
-
-
-
-
-
-
-
-
-Arends, et al.              Standards Track                     [Page 1]
-
-RFC 4035             DNSSEC Protocol Modifications            March 2005
-
-
-Table of Contents
-
-   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
-       1.1.  Background and Related Documents . . . . . . . . . . . .  4
-       1.2.  Reserved Words . . . . . . . . . . . . . . . . . . . . .  4
-   2.  Zone Signing . . . . . . . . . . . . . . . . . . . . . . . . .  4
-       2.1.  Including DNSKEY RRs in a Zone . . . . . . . . . . . . .  5
-       2.2.  Including RRSIG RRs in a Zone  . . . . . . . . . . . . .  5
-       2.3.  Including NSEC RRs in a Zone . . . . . . . . . . . . . .  6
-       2.4.  Including DS RRs in a Zone . . . . . . . . . . . . . . .  7
-       2.5.  Changes to the CNAME Resource Record.  . . . . . . . . .  7
-       2.6.  DNSSEC RR Types Appearing at Zone Cuts.  . . . . . . . .  8
-       2.7.  Example of a Secure Zone . . . . . . . . . . . . . . . .  8
-   3.  Serving  . . . . . . . . . . . . . . . . . . . . . . . . . . .  8
-       3.1.  Authoritative Name Servers . . . . . . . . . . . . . . .  9
-             3.1.1.  Including RRSIG RRs in a Response  . . . . . . . 10
-             3.1.2.  Including DNSKEY RRs in a Response . . . . . . . 11
-             3.1.3.  Including NSEC RRs in a Response . . . . . . . . 11
-             3.1.4.  Including DS RRs in a Response . . . . . . . . . 14
-             3.1.5.  Responding to Queries for Type AXFR or IXFR  . . 15
-             3.1.6.  The AD and CD Bits in an Authoritative Response. 16
-       3.2.  Recursive Name Servers . . . . . . . . . . . . . . . . . 17
-             3.2.1.  The DO Bit . . . . . . . . . . . . . . . . . . . 17
-             3.2.2.  The CD Bit . . . . . . . . . . . . . . . . . . . 17
-             3.2.3.  The AD Bit . . . . . . . . . . . . . . . . . . . 18
-       3.3.  Example DNSSEC Responses . . . . . . . . . . . . . . . . 19
-   4.  Resolving  . . . . . . . . . . . . . . . . . . . . . . . . . . 19
-       4.1.  EDNS Support . . . . . . . . . . . . . . . . . . . . . . 19
-       4.2.  Signature Verification Support . . . . . . . . . . . . . 19
-       4.3.  Determining Security Status of Data  . . . . . . . . . . 20
-       4.4.  Configured Trust Anchors . . . . . . . . . . . . . . . . 21
-       4.5.  Response Caching . . . . . . . . . . . . . . . . . . . . 21
-       4.6.  Handling of the CD and AD Bits . . . . . . . . . . . . . 22
-       4.7.  Caching BAD Data . . . . . . . . . . . . . . . . . . . . 22
-       4.8.  Synthesized CNAMEs . . . . . . . . . . . . . . . . . . . 23
-       4.9.  Stub Resolvers . . . . . . . . . . . . . . . . . . . . . 23
-             4.9.1.  Handling of the DO Bit . . . . . . . . . . . . . 24
-             4.9.2.  Handling of the CD Bit . . . . . . . . . . . . . 24
-             4.9.3.  Handling of the AD Bit . . . . . . . . . . . . . 24
-   5.  Authenticating DNS Responses . . . . . . . . . . . . . . . . . 25
-       5.1.  Special Considerations for Islands of Security . . . . . 26
-       5.2.  Authenticating Referrals . . . . . . . . . . . . . . . . 26
-       5.3.  Authenticating an RRset with an RRSIG RR . . . . . . . . 28
-             5.3.1.  Checking the RRSIG RR Validity . . . . . . . . . 28
-             5.3.2.  Reconstructing the Signed Data . . . . . . . . . 29
-             5.3.3.  Checking the Signature . . . . . . . . . . . . . 31
-             5.3.4.  Authenticating a Wildcard Expanded RRset
-                     Positive Response. . . . . . . . . . . . . . . . 32
-
-
-
-Arends, et al.              Standards Track                     [Page 2]
-
-RFC 4035             DNSSEC Protocol Modifications            March 2005
-
-
-       5.4.  Authenticated Denial of Existence  . . . . . . . . . . . 32
-       5.5.  Resolver Behavior When Signatures Do Not Validate  . . . 33
-       5.6.  Authentication Example . . . . . . . . . . . . . . . . . 33
-   6.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 33
-   7.  Security Considerations  . . . . . . . . . . . . . . . . . . . 33
-   8.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 34
-   9.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 34
-       9.1.  Normative References . . . . . . . . . . . . . . . . . . 34
-       9.2.  Informative References . . . . . . . . . . . . . . . . . 35
-   A.  Signed Zone Example  . . . . . . . . . . . . . . . . . . . . . 36
-   B.  Example Responses  . . . . . . . . . . . . . . . . . . . . . . 41
-       B.1.  Answer . . . . . . . . . . . . . . . . . . . . . . . . . 41
-       B.2.  Name Error . . . . . . . . . . . . . . . . . . . . . . . 43
-       B.3.  No Data Error  . . . . . . . . . . . . . . . . . . . . . 44
-       B.4.  Referral to Signed Zone  . . . . . . . . . . . . . . . . 44
-       B.5.  Referral to Unsigned Zone  . . . . . . . . . . . . . . . 45
-       B.6.  Wildcard Expansion . . . . . . . . . . . . . . . . . . . 46
-       B.7.  Wildcard No Data Error . . . . . . . . . . . . . . . . . 47
-       B.8.  DS Child Zone No Data Error  . . . . . . . . . . . . . . 48
-   C.  Authentication Examples  . . . . . . . . . . . . . . . . . . . 49
-       C.1.  Authenticating an Answer . . . . . . . . . . . . . . . . 49
-             C.1.1.  Authenticating the Example DNSKEY RR . . . . . . 49
-       C.2.  Name Error . . . . . . . . . . . . . . . . . . . . . . . 50
-       C.3.  No Data Error  . . . . . . . . . . . . . . . . . . . . . 50
-       C.4.  Referral to Signed Zone  . . . . . . . . . . . . . . . . 50
-       C.5.  Referral to Unsigned Zone  . . . . . . . . . . . . . . . 51
-       C.6.  Wildcard Expansion . . . . . . . . . . . . . . . . . . . 51
-       C.7.  Wildcard No Data Error . . . . . . . . . . . . . . . . . 51
-       C.8.  DS Child Zone No Data Error  . . . . . . . . . . . . . . 51
-   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 52
-   Full Copyright Statement . . . . . . . . . . . . . . . . . . . . . 53
-
-1.  Introduction
-
-   The DNS Security Extensions (DNSSEC) are a collection of new resource
-   records and protocol modifications that add data origin
-   authentication and data integrity to the DNS.  This document defines
-   the DNSSEC protocol modifications.  Section 2 of this document
-   defines the concept of a signed zone and lists the requirements for
-   zone signing.  Section 3 describes the modifications to authoritative
-   name server behavior necessary for handling signed zones.  Section 4
-   describes the behavior of entities that include security-aware
-   resolver functions.  Finally, Section 5 defines how to use DNSSEC RRs
-   to authenticate a response.
-
-
-
-
-
-
-
-Arends, et al.              Standards Track                     [Page 3]
-
-RFC 4035             DNSSEC Protocol Modifications            March 2005
-
-
-1.1.  Background and Related Documents
-
-   This document is part of a family of documents defining DNSSEC that
-   should be read together as a set.
-
-   [RFC4033] contains an introduction to DNSSEC and definitions of
-   common terms; the reader is assumed to be familiar with this
-   document.  [RFC4033] also contains a list of other documents updated
-   by and obsoleted by this document set.
-
-   [RFC4034] defines the DNSSEC resource records.
-
-   The reader is also assumed to be familiar with the basic DNS concepts
-   described in [RFC1034], [RFC1035], and the subsequent documents that
-   update them; particularly, [RFC2181] and [RFC2308].
-
-   This document defines the DNSSEC protocol operations.
-
-1.2.  Reserved Words
-
-   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
-   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
-   document are to be interpreted as described in [RFC2119].
-
-2.  Zone Signing
-
-   DNSSEC introduces the concept of signed zones.  A signed zone
-   includes DNS Public Key (DNSKEY), Resource Record Signature (RRSIG),
-   Next Secure (NSEC), and (optionally) Delegation Signer (DS) records
-   according to the rules specified in Sections 2.1, 2.2, 2.3, and 2.4,
-   respectively.  A zone that does not include these records according
-   to the rules in this section is an unsigned zone.
-
-   DNSSEC requires a change to the definition of the CNAME resource
-   record ([RFC1035]).  Section 2.5 changes the CNAME RR to allow RRSIG
-   and NSEC RRs to appear at the same owner name as does a CNAME RR.
-
-   DNSSEC specifies the placement of two new RR types, NSEC and DS,
-   which can be placed at the parental side of a zone cut (that is, at a
-   delegation point).  This is an exception to the general prohibition
-   against putting data in the parent zone at a zone cut.  Section 2.6
-   describes this change.
-
-
-
-
-
-
-
-
-
-Arends, et al.              Standards Track                     [Page 4]
-
-RFC 4035             DNSSEC Protocol Modifications            March 2005
-
-
-2.1.  Including DNSKEY RRs in a Zone
-
-   To sign a zone, the zone's administrator generates one or more
-   public/private key pairs and uses the private key(s) to sign
-   authoritative RRsets in the zone.  For each private key used to
-   create RRSIG RRs in a zone, the zone SHOULD include a zone DNSKEY RR
-   containing the corresponding public key.  A zone key DNSKEY RR MUST
-   have the Zone Key bit of the flags RDATA field set (see Section 2.1.1
-   of [RFC4034]).  Public keys associated with other DNS operations MAY
-   be stored in DNSKEY RRs that are not marked as zone keys but MUST NOT
-   be used to verify RRSIGs.
-
-   If the zone administrator intends a signed zone to be usable other
-   than as an island of security, the zone apex MUST contain at least
-   one DNSKEY RR to act as a secure entry point into the zone.  This
-   secure entry point could then be used as the target of a secure
-   delegation via a corresponding DS RR in the parent zone (see
-   [RFC4034]).
-
-2.2.  Including RRSIG RRs in a Zone
-
-   For each authoritative RRset in a signed zone, there MUST be at least
-   one RRSIG record that meets the following requirements:
-
-   o  The RRSIG owner name is equal to the RRset owner name.
-
-   o  The RRSIG class is equal to the RRset class.
-
-   o  The RRSIG Type Covered field is equal to the RRset type.
-
-   o  The RRSIG Original TTL field is equal to the TTL of the RRset.
-
-   o  The RRSIG RR's TTL is equal to the TTL of the RRset.
-
-   o  The RRSIG Labels field is equal to the number of labels in the
-      RRset owner name, not counting the null root label and not
-      counting the leftmost label if it is a wildcard.
-
-   o  The RRSIG Signer's Name field is equal to the name of the zone
-      containing the RRset.
-
-   o  The RRSIG Algorithm, Signer's Name, and Key Tag fields identify a
-      zone key DNSKEY record at the zone apex.
-
-   The process for constructing the RRSIG RR for a given RRset is
-   described in [RFC4034].  An RRset MAY have multiple RRSIG RRs
-   associated with it.  Note that as RRSIG RRs are closely tied to the
-   RRsets whose signatures they contain, RRSIG RRs, unlike all other DNS
-
-
-
-Arends, et al.              Standards Track                     [Page 5]
-
-RFC 4035             DNSSEC Protocol Modifications            March 2005
-
-
-   RR types, do not form RRsets.  In particular, the TTL values among
-   RRSIG RRs with a common owner name do not follow the RRset rules
-   described in [RFC2181].
-
-   An RRSIG RR itself MUST NOT be signed, as signing an RRSIG RR would
-   add no value and would create an infinite loop in the signing
-   process.
-
-   The NS RRset that appears at the zone apex name MUST be signed, but
-   the NS RRsets that appear at delegation points (that is, the NS
-   RRsets in the parent zone that delegate the name to the child zone's
-   name servers) MUST NOT be signed.  Glue address RRsets associated
-   with delegations MUST NOT be signed.
-
-   There MUST be an RRSIG for each RRset using at least one DNSKEY of
-   each algorithm in the zone apex DNSKEY RRset.  The apex DNSKEY RRset
-   itself MUST be signed by each algorithm appearing in the DS RRset
-   located at the delegating parent (if any).
-
-2.3.  Including NSEC RRs in a Zone
-
-   Each owner name in the zone that has authoritative data or a
-   delegation point NS RRset MUST have an NSEC resource record.  The
-   format of NSEC RRs and the process for constructing the NSEC RR for a
-   given name is described in [RFC4034].
-
-   The TTL value for any NSEC RR SHOULD be the same as the minimum TTL
-   value field in the zone SOA RR.
-
-   An NSEC record (and its associated RRSIG RRset) MUST NOT be the only
-   RRset at any particular owner name.  That is, the signing process
-   MUST NOT create NSEC or RRSIG RRs for owner name nodes that were not
-   the owner name of any RRset before the zone was signed.  The main
-   reasons for this are a desire for namespace consistency between
-   signed and unsigned versions of the same zone and a desire to reduce
-   the risk of response inconsistency in security oblivious recursive
-   name servers.
-
-   The type bitmap of every NSEC resource record in a signed zone MUST
-   indicate the presence of both the NSEC record itself and its
-   corresponding RRSIG record.
-
-   The difference between the set of owner names that require RRSIG
-   records and the set of owner names that require NSEC records is
-   subtle and worth highlighting.  RRSIG records are present at the
-   owner names of all authoritative RRsets.  NSEC records are present at
-   the owner names of all names for which the signed zone is
-   authoritative and also at the owner names of delegations from the
-
-
-
-Arends, et al.              Standards Track                     [Page 6]
-
-RFC 4035             DNSSEC Protocol Modifications            March 2005
-
-
-   signed zone to its children.  Neither NSEC nor RRSIG records are
-   present (in the parent zone) at the owner names of glue address
-   RRsets.  Note, however, that this distinction is for the most part
-   visible only during the zone signing process, as NSEC RRsets are
-   authoritative data and are therefore signed.  Thus, any owner name
-   that has an NSEC RRset will have RRSIG RRs as well in the signed
-   zone.
-
-   The bitmap for the NSEC RR at a delegation point requires special
-   attention.  Bits corresponding to the delegation NS RRset and any
-   RRsets for which the parent zone has authoritative data MUST be set;
-   bits corresponding to any non-NS RRset for which the parent is not
-   authoritative MUST be clear.
-
-2.4.  Including DS RRs in a Zone
-
-   The DS resource record establishes authentication chains between DNS
-   zones.  A DS RRset SHOULD be present at a delegation point when the
-   child zone is signed.  The DS RRset MAY contain multiple records,
-   each referencing a public key in the child zone used to verify the
-   RRSIGs in that zone.  All DS RRsets in a zone MUST be signed, and DS
-   RRsets MUST NOT appear at a zone's apex.
-
-   A DS RR SHOULD point to a DNSKEY RR that is present in the child's
-   apex DNSKEY RRset, and the child's apex DNSKEY RRset SHOULD be signed
-   by the corresponding private key.  DS RRs that fail to meet these
-   conditions are not useful for validation, but because the DS RR and
-   its corresponding DNSKEY RR are in different zones, and because the
-   DNS is only loosely consistent, temporary mismatches can occur.
-
-   The TTL of a DS RRset SHOULD match the TTL of the delegating NS RRset
-   (that is, the NS RRset from the same zone containing the DS RRset).
-
-   Construction of a DS RR requires knowledge of the corresponding
-   DNSKEY RR in the child zone, which implies communication between the
-   child and parent zones.  This communication is an operational matter
-   not covered by this document.
-
-2.5.  Changes to the CNAME Resource Record
-
-   If a CNAME RRset is present at a name in a signed zone, appropriate
-   RRSIG and NSEC RRsets are REQUIRED at that name.  A KEY RRset at that
-   name for secure dynamic update purposes is also allowed ([RFC3007]).
-   Other types MUST NOT be present at that name.
-
-   This is a modification to the original CNAME definition given in
-   [RFC1034].  The original definition of the CNAME RR did not allow any
-   other types to coexist with a CNAME record, but a signed zone
-
-
-
-Arends, et al.              Standards Track                     [Page 7]
-
-RFC 4035             DNSSEC Protocol Modifications            March 2005
-
-
-   requires NSEC and RRSIG RRs for every authoritative name.  To resolve
-   this conflict, this specification modifies the definition of the
-   CNAME resource record to allow it to coexist with NSEC and RRSIG RRs.
-
-2.6.  DNSSEC RR Types Appearing at Zone Cuts
-
-   DNSSEC introduced two new RR types that are unusual in that they can
-   appear at the parental side of a zone cut.  At the parental side of a
-   zone cut (that is, at a delegation point), NSEC RRs are REQUIRED at
-   the owner name.  A DS RR could also be present if the zone being
-   delegated is signed and seeks to have a chain of authentication to
-   the parent zone.  This is an exception to the original DNS
-   specification ([RFC1034]), which states that only NS RRsets could
-   appear at the parental side of a zone cut.
-
-   This specification updates the original DNS specification to allow
-   NSEC and DS RR types at the parent side of a zone cut.  These RRsets
-   are authoritative for the parent when they appear at the parent side
-   of a zone cut.
-
-2.7.  Example of a Secure Zone
-
-   Appendix A shows a complete example of a small signed zone.
-
-3.  Serving
-
-   This section describes the behavior of entities that include
-   security-aware name server functions.  In many cases such functions
-   will be part of a security-aware recursive name server, but a
-   security-aware authoritative name server has some of the same
-   requirements.  Functions specific to security-aware recursive name
-   servers are described in Section 3.2; functions specific to
-   authoritative servers are described in Section 3.1.
-
-   In the following discussion, the terms "SNAME", "SCLASS", and "STYPE"
-   are as used in [RFC1034].
-
-   A security-aware name server MUST support the EDNS0 ([RFC2671])
-   message size extension, MUST support a message size of at least 1220
-   octets, and SHOULD support a message size of 4000 octets.  As IPv6
-   packets can only be fragmented by the source host, a security aware
-   name server SHOULD take steps to ensure that UDP datagrams it
-   transmits over IPv6 are fragmented, if necessary, at the minimum IPv6
-   MTU, unless the path MTU is known.  Please see [RFC1122], [RFC2460],
-   and [RFC3226] for further discussion of packet size and fragmentation
-   issues.
-
-
-
-
-
-Arends, et al.              Standards Track                     [Page 8]
-
-RFC 4035             DNSSEC Protocol Modifications            March 2005
-
-
-   A security-aware name server that receives a DNS query that does not
-   include the EDNS OPT pseudo-RR or that has the DO bit clear MUST
-   treat the RRSIG, DNSKEY, and NSEC RRs as it would any other RRset and
-   MUST NOT perform any of the additional processing described below.
-   Because the DS RR type has the peculiar property of only existing in
-   the parent zone at delegation points, DS RRs always require some
-   special processing, as described in Section 3.1.4.1.
-
-   Security aware name servers that receive explicit queries for
-   security RR types that match the content of more than one zone that
-   it serves (for example, NSEC and RRSIG RRs above and below a
-   delegation point where the server is authoritative for both zones)
-   should behave self-consistently.  As long as the response is always
-   consistent for each query to the name server, the name server MAY
-   return one of the following:
-
-   o  The above-delegation RRsets.
-   o  The below-delegation RRsets.
-   o  Both above and below-delegation RRsets.
-   o  Empty answer section (no records).
-   o  Some other response.
-   o  An error.
-
-   DNSSEC allocates two new bits in the DNS message header: the CD
-   (Checking Disabled) bit and the AD (Authentic Data) bit.  The CD bit
-   is controlled by resolvers; a security-aware name server MUST copy
-   the CD bit from a query into the corresponding response.  The AD bit
-   is controlled by name servers; a security-aware name server MUST
-   ignore the setting of the AD bit in queries.  See Sections 3.1.6,
-   3.2.2, 3.2.3, 4, and 4.9 for details on the behavior of these bits.
-
-   A security aware name server that synthesizes CNAME RRs from DNAME
-   RRs as described in [RFC2672] SHOULD NOT generate signatures for the
-   synthesized CNAME RRs.
-
-3.1.  Authoritative Name Servers
-
-   Upon receiving a relevant query that has the EDNS ([RFC2671]) OPT
-   pseudo-RR DO bit ([RFC3225]) set, a security-aware authoritative name
-   server for a signed zone MUST include additional RRSIG, NSEC, and DS
-   RRs, according to the following rules:
-
-   o  RRSIG RRs that can be used to authenticate a response MUST be
-      included in the response according to the rules in Section 3.1.1.
-
-
-
-
-
-
-
-Arends, et al.              Standards Track                     [Page 9]
-
-RFC 4035             DNSSEC Protocol Modifications            March 2005
-
-
-   o  NSEC RRs that can be used to provide authenticated denial of
-      existence MUST be included in the response automatically according
-      to the rules in Section 3.1.3.
-
-   o  Either a DS RRset or an NSEC RR proving that no DS RRs exist MUST
-      be included in referrals automatically according to the rules in
-      Section 3.1.4.
-
-   These rules only apply to responses where the semantics convey
-   information about the presence or absence of resource records.  That
-   is, these rules are not intended to rule out responses such as RCODE
-   4 ("Not Implemented") or RCODE 5 ("Refused").
-
-   DNSSEC does not change the DNS zone transfer protocol.  Section 3.1.5
-   discusses zone transfer requirements.
-
-3.1.1.  Including RRSIG RRs in a Response
-
-   When responding to a query that has the DO bit set, a security-aware
-   authoritative name server SHOULD attempt to send RRSIG RRs that a
-   security-aware resolver can use to authenticate the RRsets in the
-   response.  A name server SHOULD make every attempt to keep the RRset
-   and its associated RRSIG(s) together in a response.  Inclusion of
-   RRSIG RRs in a response is subject to the following rules:
-
-   o  When placing a signed RRset in the Answer section, the name server
-      MUST also place its RRSIG RRs in the Answer section.  The RRSIG
-      RRs have a higher priority for inclusion than any other RRsets
-      that may have to be included.  If space does not permit inclusion
-      of these RRSIG RRs, the name server MUST set the TC bit.
-
-   o  When placing a signed RRset in the Authority section, the name
-      server MUST also place its RRSIG RRs in the Authority section.
-      The RRSIG RRs have a higher priority for inclusion than any other
-      RRsets that may have to be included.  If space does not permit
-      inclusion of these RRSIG RRs, the name server MUST set the TC bit.
-
-   o  When placing a signed RRset in the Additional section, the name
-      server MUST also place its RRSIG RRs in the Additional section.
-      If space does not permit inclusion of both the RRset and its
-      associated RRSIG RRs, the name server MAY retain the RRset while
-      dropping the RRSIG RRs.  If this happens, the name server MUST NOT
-      set the TC bit solely because these RRSIG RRs didn't fit.
-
-
-
-
-
-
-
-
-Arends, et al.              Standards Track                    [Page 10]
-
-RFC 4035             DNSSEC Protocol Modifications            March 2005
-
-
-3.1.2.  Including DNSKEY RRs in a Response
-
-   When responding to a query that has the DO bit set and that requests
-   the SOA or NS RRs at the apex of a signed zone, a security-aware
-   authoritative name server for that zone MAY return the zone apex
-   DNSKEY RRset in the Additional section.  In this situation, the
-   DNSKEY RRset and associated RRSIG RRs have lower priority than does
-   any other information that would be placed in the additional section.
-   The name server SHOULD NOT include the DNSKEY RRset unless there is
-   enough space in the response message for both the DNSKEY RRset and
-   its associated RRSIG RR(s).  If there is not enough space to include
-   these DNSKEY and RRSIG RRs, the name server MUST omit them and MUST
-   NOT set the TC bit solely because these RRs didn't fit (see Section
-   3.1.1).
-
-3.1.3.  Including NSEC RRs in a Response
-
-   When responding to a query that has the DO bit set, a security-aware
-   authoritative name server for a signed zone MUST include NSEC RRs in
-   each of the following cases:
-
-   No Data: The zone contains RRsets that exactly match <SNAME, SCLASS>
-      but does not contain any RRsets that exactly match <SNAME, SCLASS,
-      STYPE>.
-
-   Name Error: The zone does not contain any RRsets that match <SNAME,
-      SCLASS> either exactly or via wildcard name expansion.
-
-   Wildcard Answer: The zone does not contain any RRsets that exactly
-      match <SNAME, SCLASS> but does contain an RRset that matches
-      <SNAME, SCLASS, STYPE> via wildcard name expansion.
-
-   Wildcard No Data: The zone does not contain any RRsets that exactly
-      match <SNAME, SCLASS> and does contain one or more RRsets that
-      match <SNAME, SCLASS> via wildcard name expansion, but does not
-      contain any RRsets that match <SNAME, SCLASS, STYPE> via wildcard
-      name expansion.
-
-   In each of these cases, the name server includes NSEC RRs in the
-   response to prove that an exact match for <SNAME, SCLASS, STYPE> was
-   not present in the zone and that the response that the name server is
-   returning is correct given the data in the zone.
-
-
-
-
-
-
-
-
-
-Arends, et al.              Standards Track                    [Page 11]
-
-RFC 4035             DNSSEC Protocol Modifications            March 2005
-
-
-3.1.3.1.  Including NSEC RRs: No Data Response
-
-   If the zone contains RRsets matching <SNAME, SCLASS> but contains no
-   RRset matching <SNAME, SCLASS, STYPE>, then the name server MUST
-   include the NSEC RR for <SNAME, SCLASS> along with its associated
-   RRSIG RR(s) in the Authority section of the response (see Section
-   3.1.1).  If space does not permit inclusion of the NSEC RR or its
-   associated RRSIG RR(s), the name server MUST set the TC bit (see
-   Section 3.1.1).
-
-   Since the search name exists, wildcard name expansion does not apply
-   to this query, and a single signed NSEC RR suffices to prove that the
-   requested RR type does not exist.
-
-3.1.3.2.  Including NSEC RRs: Name Error Response
-
-   If the zone does not contain any RRsets matching <SNAME, SCLASS>
-   either exactly or via wildcard name expansion, then the name server
-   MUST include the following NSEC RRs in the Authority section, along
-   with their associated RRSIG RRs:
-
-   o  An NSEC RR proving that there is no exact match for <SNAME,
-      SCLASS>.
-
-   o  An NSEC RR proving that the zone contains no RRsets that would
-      match <SNAME, SCLASS> via wildcard name expansion.
-
-   In some cases, a single NSEC RR may prove both of these points.  If
-   it does, the name server SHOULD only include the NSEC RR and its
-   RRSIG RR(s) once in the Authority section.
-
-   If space does not permit inclusion of these NSEC and RRSIG RRs, the
-   name server MUST set the TC bit (see Section 3.1.1).
-
-   The owner names of these NSEC and RRSIG RRs are not subject to
-   wildcard name expansion when these RRs are included in the Authority
-   section of the response.
-
-   Note that this form of response includes cases in which SNAME
-   corresponds to an empty non-terminal name within the zone (a name
-   that is not the owner name for any RRset but that is the parent name
-   of one or more RRsets).
-
-3.1.3.3.  Including NSEC RRs: Wildcard Answer Response
-
-   If the zone does not contain any RRsets that exactly match <SNAME,
-   SCLASS> but does contain an RRset that matches <SNAME, SCLASS, STYPE>
-   via wildcard name expansion, the name server MUST include the
-
-
-
-Arends, et al.              Standards Track                    [Page 12]
-
-RFC 4035             DNSSEC Protocol Modifications            March 2005
-
-
-   wildcard-expanded answer and the corresponding wildcard-expanded
-   RRSIG RRs in the Answer section and MUST include in the Authority
-   section an NSEC RR and associated RRSIG RR(s) proving that the zone
-   does not contain a closer match for <SNAME, SCLASS>.  If space does
-   not permit inclusion of the answer, NSEC and RRSIG RRs, the name
-   server MUST set the TC bit (see Section 3.1.1).
-
-3.1.3.4.  Including NSEC RRs: Wildcard No Data Response
-
-   This case is a combination of the previous cases.  The zone does not
-   contain an exact match for <SNAME, SCLASS>, and although the zone
-   does contain RRsets that match <SNAME, SCLASS> via wildcard
-   expansion, none of those RRsets matches STYPE.  The name server MUST
-   include the following NSEC RRs in the Authority section, along with
-   their associated RRSIG RRs:
-
-   o  An NSEC RR proving that there are no RRsets matching STYPE at the
-      wildcard owner name that matched <SNAME, SCLASS> via wildcard
-      expansion.
-
-   o  An NSEC RR proving that there are no RRsets in the zone that would
-      have been a closer match for <SNAME, SCLASS>.
-
-   In some cases, a single NSEC RR may prove both of these points.  If
-   it does, the name server SHOULD only include the NSEC RR and its
-   RRSIG RR(s) once in the Authority section.
-
-   The owner names of these NSEC and RRSIG RRs are not subject to
-   wildcard name expansion when these RRs are included in the Authority
-   section of the response.
-
-   If space does not permit inclusion of these NSEC and RRSIG RRs, the
-   name server MUST set the TC bit (see Section 3.1.1).
-
-3.1.3.5.  Finding the Right NSEC RRs
-
-   As explained above, there are several situations in which a
-   security-aware authoritative name server has to locate an NSEC RR
-   that proves that no RRsets matching a particular SNAME exist.
-   Locating such an NSEC RR within an authoritative zone is relatively
-   simple, at least in concept.  The following discussion assumes that
-   the name server is authoritative for the zone that would have held
-   the non-existent RRsets matching SNAME.  The algorithm below is
-   written for clarity, not for efficiency.
-
-   To find the NSEC that proves that no RRsets matching name N exist in
-   the zone Z that would have held them, construct a sequence, S,
-   consisting of the owner names of every RRset in Z, sorted into
-
-
-
-Arends, et al.              Standards Track                    [Page 13]
-
-RFC 4035             DNSSEC Protocol Modifications            March 2005
-
-
-   canonical order ([RFC4034]), with no duplicate names.  Find the name
-   M that would have immediately preceded N in S if any RRsets with
-   owner name N had existed.  M is the owner name of the NSEC RR that
-   proves that no RRsets exist with owner name N.
-
-   The algorithm for finding the NSEC RR that proves that a given name
-   is not covered by any applicable wildcard is similar but requires an
-   extra step.  More precisely, the algorithm for finding the NSEC
-   proving that no RRsets exist with the applicable wildcard name is
-   precisely the same as the algorithm for finding the NSEC RR that
-   proves that RRsets with any other owner name do not exist.  The part
-   that's missing is a method of determining the name of the non-
-   existent applicable wildcard.  In practice, this is easy, because the
-   authoritative name server has already checked for the presence of
-   precisely this wildcard name as part of step (1)(c) of the normal
-   lookup algorithm described in Section 4.3.2 of [RFC1034].
-
-3.1.4.  Including DS RRs in a Response
-
-   When responding to a query that has the DO bit set, a security-aware
-   authoritative name server returning a referral includes DNSSEC data
-   along with the NS RRset.
-
-   If a DS RRset is present at the delegation point, the name server
-   MUST return both the DS RRset and its associated RRSIG RR(s) in the
-   Authority section along with the NS RRset.
-
-   If no DS RRset is present at the delegation point, the name server
-   MUST return both the NSEC RR that proves that the DS RRset is not
-   present and the NSEC RR's associated RRSIG RR(s) along with the NS
-   RRset.  The name server MUST place the NS RRset before the NSEC RRset
-   and its associated RRSIG RR(s).
-
-   Including these DS, NSEC, and RRSIG RRs increases the size of
-   referral messages and may cause some or all glue RRs to be omitted.
-   If space does not permit inclusion of the DS or NSEC RRset and
-   associated RRSIG RRs, the name server MUST set the TC bit (see
-   Section 3.1.1).
-
-3.1.4.1.  Responding to Queries for DS RRs
-
-   The DS resource record type is unusual in that it appears only on the
-   parent zone's side of a zone cut.  For example, the DS RRset for the
-   delegation of "foo.example" is stored in the "example" zone rather
-   than in the "foo.example" zone.  This requires special processing
-   rules for both name servers and resolvers, as the name server for the
-   child zone is authoritative for the name at the zone cut by the
-   normal DNS rules but the child zone does not contain the DS RRset.
-
-
-
-Arends, et al.              Standards Track                    [Page 14]
-
-RFC 4035             DNSSEC Protocol Modifications            March 2005
-
-
-   A security-aware resolver sends queries to the parent zone when
-   looking for a needed DS RR at a delegation point (see Section 4.2).
-   However, special rules are necessary to avoid confusing
-   security-oblivious resolvers which might become involved in
-   processing such a query (for example, in a network configuration that
-   forces a security-aware resolver to channel its queries through a
-   security-oblivious recursive name server).  The rest of this section
-   describes how a security-aware name server processes DS queries in
-   order to avoid this problem.
-
-   The need for special processing by a security-aware name server only
-   arises when all the following conditions are met:
-
-   o  The name server has received a query for the DS RRset at a zone
-      cut.
-
-   o  The name server is authoritative for the child zone.
-
-   o  The name server is not authoritative for the parent zone.
-
-   o  The name server does not offer recursion.
-
-   In all other cases, the name server either has some way of obtaining
-   the DS RRset or could not have been expected to have the DS RRset
-   even by the pre-DNSSEC processing rules, so the name server can
-   return either the DS RRset or an error response according to the
-   normal processing rules.
-
-   If all the above conditions are met, however, the name server is
-   authoritative for SNAME but cannot supply the requested RRset.  In
-   this case, the name server MUST return an authoritative "no data"
-   response showing that the DS RRset does not exist in the child zone's
-   apex.  See Appendix B.8 for an example of such a response.
-
-3.1.5.  Responding to Queries for Type AXFR or IXFR
-
-   DNSSEC does not change the DNS zone transfer process.  A signed zone
-   will contain RRSIG, DNSKEY, NSEC, and DS resource records, but these
-   records have no special meaning with respect to a zone transfer
-   operation.
-
-   An authoritative name server is not required to verify that a zone is
-   properly signed before sending or accepting a zone transfer.
-   However, an authoritative name server MAY choose to reject the entire
-   zone transfer if the zone fails to meet any of the signing
-   requirements described in Section 2.  The primary objective of a zone
-   transfer is to ensure that all authoritative name servers have
-   identical copies of the zone.  An authoritative name server that
-
-
-
-Arends, et al.              Standards Track                    [Page 15]
-
-RFC 4035             DNSSEC Protocol Modifications            March 2005
-
-
-   chooses to perform its own zone validation MUST NOT selectively
-   reject some RRs and accept others.
-
-   DS RRsets appear only on the parental side of a zone cut and are
-   authoritative data in the parent zone.  As with any other
-   authoritative RRset, the DS RRset MUST be included in zone transfers
-   of the zone in which the RRset is authoritative data.  In the case of
-   the DS RRset, this is the parent zone.
-
-   NSEC RRs appear in both the parent and child zones at a zone cut and
-   are authoritative data in both the parent and child zones.  The
-   parental and child NSEC RRs at a zone cut are never identical to each
-   other, as the NSEC RR in the child zone's apex will always indicate
-   the presence of the child zone's SOA RR whereas the parental NSEC RR
-   at the zone cut will never indicate the presence of an SOA RR.  As
-   with any other authoritative RRs, NSEC RRs MUST be included in zone
-   transfers of the zone in which they are authoritative data.  The
-   parental NSEC RR at a zone cut MUST be included in zone transfers of
-   the parent zone, and the NSEC at the zone apex of the child zone MUST
-   be included in zone transfers of the child zone.
-
-   RRSIG RRs appear in both the parent and child zones at a zone cut and
-   are authoritative in whichever zone contains the authoritative RRset
-   for which the RRSIG RR provides the signature.  That is, the RRSIG RR
-   for a DS RRset or a parental NSEC RR at a zone cut will be
-   authoritative in the parent zone, and the RRSIG for any RRset in the
-   child zone's apex will be authoritative in the child zone.  Parental
-   and child RRSIG RRs at a zone cut will never be identical to each
-   other, as the Signer's Name field of an RRSIG RR in the child zone's
-   apex will indicate a DNSKEY RR in the child zone's apex whereas the
-   same field of a parental RRSIG RR at the zone cut will indicate a
-   DNSKEY RR in the parent zone's apex.  As with any other authoritative
-   RRs, RRSIG RRs MUST be included in zone transfers of the zone in
-   which they are authoritative data.
-
-3.1.6.  The AD and CD Bits in an Authoritative Response
-
-   The CD and AD bits are designed for use in communication between
-   security-aware resolvers and security-aware recursive name servers.
-   These bits are for the most part not relevant to query processing by
-   security-aware authoritative name servers.
-
-   A security-aware name server does not perform signature validation
-   for authoritative data during query processing, even when the CD bit
-   is clear.  A security-aware name server SHOULD clear the CD bit when
-   composing an authoritative response.
-
-
-
-
-
-Arends, et al.              Standards Track                    [Page 16]
-
-RFC 4035             DNSSEC Protocol Modifications            March 2005
-
-
-   A security-aware name server MUST NOT set the AD bit in a response
-   unless the name server considers all RRsets in the Answer and
-   Authority sections of the response to be authentic.  A security-aware
-   name server's local policy MAY consider data from an authoritative
-   zone to be authentic without further validation.  However, the name
-   server MUST NOT do so unless the name server obtained the
-   authoritative zone via secure means (such as a secure zone transfer
-   mechanism) and MUST NOT do so unless this behavior has been
-   configured explicitly.
-
-   A security-aware name server that supports recursion MUST follow the
-   rules for the CD and AD bits given in Section 3.2 when generating a
-   response that involves data obtained via recursion.
-
-3.2.  Recursive Name Servers
-
-   As explained in [RFC4033], a security-aware recursive name server is
-   an entity that acts in both the security-aware name server and
-   security-aware resolver roles.  This section uses the terms "name
-   server side" and "resolver side" to refer to the code within a
-   security-aware recursive name server that implements the
-   security-aware name server role and the code that implements the
-   security-aware resolver role, respectively.
-
-   The resolver side follows the usual rules for caching and negative
-   caching that would apply to any security-aware resolver.
-
-3.2.1.  The DO Bit
-
-   The resolver side of a security-aware recursive name server MUST set
-   the DO bit when sending requests, regardless of the state of the DO
-   bit in the initiating request received by the name server side.  If
-   the DO bit in an initiating query is not set, the name server side
-   MUST strip any authenticating DNSSEC RRs from the response but MUST
-   NOT strip any DNSSEC RR types that the initiating query explicitly
-   requested.
-
-3.2.2.  The CD Bit
-
-   The CD bit exists in order to allow a security-aware resolver to
-   disable signature validation in a security-aware name server's
-   processing of a particular query.
-
-   The name server side MUST copy the setting of the CD bit from a query
-   to the corresponding response.
-
-   The name server side of a security-aware recursive name server MUST
-   pass the state of the CD bit to the resolver side along with the rest
-
-
-
-Arends, et al.              Standards Track                    [Page 17]
-
-RFC 4035             DNSSEC Protocol Modifications            March 2005
-
-
-   of an initiating query, so that the resolver side will know whether
-   it is required to verify the response data it returns to the name
-   server side.  If the CD bit is set, it indicates that the originating
-   resolver is willing to perform whatever authentication its local
-   policy requires.  Thus, the resolver side of the recursive name
-   server need not perform authentication on the RRsets in the response.
-   When the CD bit is set, the recursive name server SHOULD, if
-   possible, return the requested data to the originating resolver, even
-   if the recursive name server's local authentication policy would
-   reject the records in question.  That is, by setting the CD bit, the
-   originating resolver has indicated that it takes responsibility for
-   performing its own authentication, and the recursive name server
-   should not interfere.
-
-   If the resolver side implements a BAD cache (see Section 4.7) and the
-   name server side receives a query that matches an entry in the
-   resolver side's BAD cache, the name server side's response depends on
-   the state of the CD bit in the original query.  If the CD bit is set,
-   the name server side SHOULD return the data from the BAD cache; if
-   the CD bit is not set, the name server side MUST return RCODE 2
-   (server failure).
-
-   The intent of the above rule is to provide the raw data to clients
-   that are capable of performing their own signature verification
-   checks while protecting clients that depend on the resolver side of a
-   security-aware recursive name server to perform such checks.  Several
-   of the possible reasons why signature validation might fail involve
-   conditions that may not apply equally to the recursive name server
-   and the client that invoked it.  For example, the recursive name
-   server's clock may be set incorrectly, or the client may have
-   knowledge of a relevant island of security that the recursive name
-   server does not share.  In such cases, "protecting" a client that is
-   capable of performing its own signature validation from ever seeing
-   the "bad" data does not help the client.
-
-3.2.3.  The AD Bit
-
-   The name server side of a security-aware recursive name server MUST
-   NOT set the AD bit in a response unless the name server considers all
-   RRsets in the Answer and Authority sections of the response to be
-   authentic.  The name server side SHOULD set the AD bit if and only if
-   the resolver side considers all RRsets in the Answer section and any
-   relevant negative response RRs in the Authority section to be
-   authentic.  The resolver side MUST follow the procedure described in
-   Section 5 to determine whether the RRs in question are authentic.
-   However, for backward compatibility, a recursive name server MAY set
-   the AD bit when a response includes unsigned CNAME RRs if those CNAME
-
-
-
-
-Arends, et al.              Standards Track                    [Page 18]
-
-RFC 4035             DNSSEC Protocol Modifications            March 2005
-
-
-   RRs demonstrably could have been synthesized from an authentic DNAME
-   RR that is also included in the response according to the synthesis
-   rules described in [RFC2672].
-
-3.3.  Example DNSSEC Responses
-
-   See Appendix B for example response packets.
-
-4.  Resolving
-
-   This section describes the behavior of entities that include
-   security-aware resolver functions.  In many cases such functions will
-   be part of a security-aware recursive name server, but a stand-alone
-   security-aware resolver has many of the same requirements.  Functions
-   specific to security-aware recursive name servers are described in
-   Section 3.2.
-
-4.1.  EDNS Support
-
-   A security-aware resolver MUST include an EDNS ([RFC2671]) OPT
-   pseudo-RR with the DO ([RFC3225]) bit set when sending queries.
-
-   A security-aware resolver MUST support a message size of at least
-   1220 octets, SHOULD support a message size of 4000 octets, and MUST
-   use the "sender's UDP payload size" field in the EDNS OPT pseudo-RR
-   to advertise the message size that it is willing to accept.  A
-   security-aware resolver's IP layer MUST handle fragmented UDP packets
-   correctly regardless of whether any such fragmented packets were
-   received via IPv4 or IPv6.  Please see [RFC1122], [RFC2460], and
-   [RFC3226] for discussion of these requirements.
-
-4.2.  Signature Verification Support
-
-   A security-aware resolver MUST support the signature verification
-   mechanisms described in Section 5 and SHOULD apply them to every
-   received response, except when:
-
-   o  the security-aware resolver is part of a security-aware recursive
-      name server, and the response is the result of recursion on behalf
-      of a query received with the CD bit set;
-
-   o  the response is the result of a query generated directly via some
-      form of application interface that instructed the security-aware
-      resolver not to perform validation for this query; or
-
-   o  validation for this query has been disabled by local policy.
-
-
-
-
-
-Arends, et al.              Standards Track                    [Page 19]
-
-RFC 4035             DNSSEC Protocol Modifications            March 2005
-
-
-   A security-aware resolver's support for signature verification MUST
-   include support for verification of wildcard owner names.
-
-   Security-aware resolvers MAY query for missing security RRs in an
-   attempt to perform validation; implementations that choose to do so
-   must be aware that the answers received may not be sufficient to
-   validate the original response.  For example, a zone update may have
-   changed (or deleted) the desired information between the original and
-   follow-up queries.
-
-   When attempting to retrieve missing NSEC RRs that reside on the
-   parental side at a zone cut, a security-aware iterative-mode resolver
-   MUST query the name servers for the parent zone, not the child zone.
-
-   When attempting to retrieve a missing DS, a security-aware
-   iterative-mode resolver MUST query the name servers for the parent
-   zone, not the child zone.  As explained in Section 3.1.4.1,
-   security-aware name servers need to apply special processing rules to
-   handle the DS RR, and in some situations the resolver may also need
-   to apply special rules to locate the name servers for the parent zone
-   if the resolver does not already have the parent's NS RRset.  To
-   locate the parent NS RRset, the resolver can start with the
-   delegation name, strip off the leftmost label, and query for an NS
-   RRset by that name.  If no NS RRset is present at that name, the
-   resolver then strips off the leftmost remaining label and retries the
-   query for that name, repeating this process of walking up the tree
-   until it either finds the NS RRset or runs out of labels.
-
-4.3.  Determining Security Status of Data
-
-   A security-aware resolver MUST be able to determine whether it should
-   expect a particular RRset to be signed.  More precisely, a
-   security-aware resolver must be able to distinguish between four
-   cases:
-
-   Secure: An RRset for which the resolver is able to build a chain of
-      signed DNSKEY and DS RRs from a trusted security anchor to the
-      RRset.  In this case, the RRset should be signed and is subject to
-      signature validation, as described above.
-
-   Insecure: An RRset for which the resolver knows that it has no chain
-      of signed DNSKEY and DS RRs from any trusted starting point to the
-      RRset.  This can occur when the target RRset lies in an unsigned
-      zone or in a descendent of an unsigned zone.  In this case, the
-      RRset may or may not be signed, but the resolver will not be able
-      to verify the signature.
-
-
-
-
-
-Arends, et al.              Standards Track                    [Page 20]
-
-RFC 4035             DNSSEC Protocol Modifications            March 2005
-
-
-   Bogus: An RRset for which the resolver believes that it ought to be
-      able to establish a chain of trust but for which it is unable to
-      do so, either due to signatures that for some reason fail to
-      validate or due to missing data that the relevant DNSSEC RRs
-      indicate should be present.  This case may indicate an attack but
-      may also indicate a configuration error or some form of data
-      corruption.
-
-   Indeterminate: An RRset for which the resolver is not able to
-      determine whether the RRset should be signed, as the resolver is
-      not able to obtain the necessary DNSSEC RRs.  This can occur when
-      the security-aware resolver is not able to contact security-aware
-      name servers for the relevant zones.
-
-4.4.  Configured Trust Anchors
-
-   A security-aware resolver MUST be capable of being configured with at
-   least one trusted public key or DS RR and SHOULD be capable of being
-   configured with multiple trusted public keys or DS RRs.  Since a
-   security-aware resolver will not be able to validate signatures
-   without such a configured trust anchor, the resolver SHOULD have some
-   reasonably robust mechanism for obtaining such keys when it boots;
-   examples of such a mechanism would be some form of non-volatile
-   storage (such as a disk drive) or some form of trusted local network
-   configuration mechanism.
-
-   Note that trust anchors also cover key material that is updated in a
-   secure manner.  This secure manner could be through physical media, a
-   key exchange protocol, or some other out-of-band means.
-
-4.5.  Response Caching
-
-   A security-aware resolver SHOULD cache each response as a single
-   atomic entry containing the entire answer, including the named RRset
-   and any associated DNSSEC RRs.  The resolver SHOULD discard the
-   entire atomic entry when any of the RRs contained in it expire.  In
-   most cases the appropriate cache index for the atomic entry will be
-   the triple <QNAME, QTYPE, QCLASS>, but in cases such as the response
-   form described in Section 3.1.3.2 the appropriate cache index will be
-   the double <QNAME,QCLASS>.
-
-   The reason for these recommendations is that, between the initial
-   query and the expiration of the data from the cache, the
-   authoritative data might have been changed (for example, via dynamic
-   update).
-
-
-
-
-
-
-Arends, et al.              Standards Track                    [Page 21]
-
-RFC 4035             DNSSEC Protocol Modifications            March 2005
-
-
-   There are two situations for which this is relevant:
-
-   1.  By using the RRSIG record, it is possible to deduce that an
-       answer was synthesized from a wildcard.  A security-aware
-       recursive name server could store this wildcard data and use it
-       to generate positive responses to queries other than the name for
-       which the original answer was first received.
-
-   2.  NSEC RRs received to prove the non-existence of a name could be
-       reused by a security-aware resolver to prove the non-existence of
-       any name in the name range it spans.
-
-   In theory, a resolver could use wildcards or NSEC RRs to generate
-   positive and negative responses (respectively) until the TTL or
-   signatures on the records in question expire.  However, it seems
-   prudent for resolvers to avoid blocking new authoritative data or
-   synthesizing new data on their own.  Resolvers that follow this
-   recommendation will have a more consistent view of the namespace.
-
-4.6.  Handling of the CD and AD Bits
-
-   A security-aware resolver MAY set a query's CD bit in order to
-   indicate that the resolver takes responsibility for performing
-   whatever authentication its local policy requires on the RRsets in
-   the response.  See Section 3.2 for the effect this bit has on the
-   behavior of security-aware recursive name servers.
-
-   A security-aware resolver MUST clear the AD bit when composing query
-   messages to protect against buggy name servers that blindly copy
-   header bits that they do not understand from the query message to the
-   response message.
-
-   A resolver MUST disregard the meaning of the CD and AD bits in a
-   response unless the response was obtained by using a secure channel
-   or the resolver was specifically configured to regard the message
-   header bits without using a secure channel.
-
-4.7.  Caching BAD Data
-
-   While many validation errors will be transient, some are likely to be
-   more persistent, such as those caused by administrative error
-   (failure to re-sign a zone, clock skew, and so forth).  Since
-   requerying will not help in these cases, validating resolvers might
-   generate a significant amount of unnecessary DNS traffic as a result
-   of repeated queries for RRsets with persistent validation failures.
-
-   To prevent such unnecessary DNS traffic, security-aware resolvers MAY
-   cache data with invalid signatures, with some restrictions.
-
-
-
-Arends, et al.              Standards Track                    [Page 22]
-
-RFC 4035             DNSSEC Protocol Modifications            March 2005
-
-
-   Conceptually, caching such data is similar to negative caching
-   ([RFC2308]), except that instead of caching a valid negative
-   response, the resolver is caching the fact that a particular answer
-   failed to validate.  This document refers to a cache of data with
-   invalid signatures as a "BAD cache".
-
-   Resolvers that implement a BAD cache MUST take steps to prevent the
-   cache from being useful as a denial-of-service attack amplifier,
-   particularly the following:
-
-   o  Since RRsets that fail to validate do not have trustworthy TTLs,
-      the implementation MUST assign a TTL.  This TTL SHOULD be small,
-      in order to mitigate the effect of caching the results of an
-      attack.
-
-   o  In order to prevent caching of a transient validation failure
-      (which might be the result of an attack), resolvers SHOULD track
-      queries that result in validation failures and SHOULD only answer
-      from the BAD cache after the number of times that responses to
-      queries for that particular <QNAME, QTYPE, QCLASS> have failed to
-      validate exceeds a threshold value.
-
-   Resolvers MUST NOT return RRsets from the BAD cache unless the
-   resolver is not required to validate the signatures of the RRsets in
-   question under the rules given in Section 4.2 of this document.  See
-   Section 3.2.2 for discussion of how the responses returned by a
-   security-aware recursive name server interact with a BAD cache.
-
-4.8.  Synthesized CNAMEs
-
-   A validating security-aware resolver MUST treat the signature of a
-   valid signed DNAME RR as also covering unsigned CNAME RRs that could
-   have been synthesized from the DNAME RR, as described in [RFC2672],
-   at least to the extent of not rejecting a response message solely
-   because it contains such CNAME RRs.  The resolver MAY retain such
-   CNAME RRs in its cache or in the answers it hands back, but is not
-   required to do so.
-
-4.9.  Stub Resolvers
-
-   A security-aware stub resolver MUST support the DNSSEC RR types, at
-   least to the extent of not mishandling responses just because they
-   contain DNSSEC RRs.
-
-
-
-
-
-
-
-
-Arends, et al.              Standards Track                    [Page 23]
-
-RFC 4035             DNSSEC Protocol Modifications            March 2005
-
-
-4.9.1.  Handling of the DO Bit
-
-   A non-validating security-aware stub resolver MAY include the DNSSEC
-   RRs returned by a security-aware recursive name server as part of the
-   data that the stub resolver hands back to the application that
-   invoked it, but is not required to do so.  A non-validating stub
-   resolver that seeks to do this will need to set the DO bit in order
-   to receive DNSSEC RRs from the recursive name server.
-
-   A validating security-aware stub resolver MUST set the DO bit,
-   because otherwise it will not receive the DNSSEC RRs it needs to
-   perform signature validation.
-
-4.9.2.  Handling of the CD Bit
-
-   A non-validating security-aware stub resolver SHOULD NOT set the CD
-   bit when sending queries unless it is requested by the application
-   layer, as by definition, a non-validating stub resolver depends on
-   the security-aware recursive name server to perform validation on its
-   behalf.
-
-   A validating security-aware stub resolver SHOULD set the CD bit,
-   because otherwise the security-aware recursive name server will
-   answer the query using the name server's local policy, which may
-   prevent the stub resolver from receiving data that would be
-   acceptable to the stub resolver's local policy.
-
-4.9.3.  Handling of the AD Bit
-
-   A non-validating security-aware stub resolver MAY chose to examine
-   the setting of the AD bit in response messages that it receives in
-   order to determine whether the security-aware recursive name server
-   that sent the response claims to have cryptographically verified the
-   data in the Answer and Authority sections of the response message.
-   Note, however, that the responses received by a security-aware stub
-   resolver are heavily dependent on the local policy of the
-   security-aware recursive name server.  Therefore, there may be little
-   practical value in checking the status of the AD bit, except perhaps
-   as a debugging aid.  In any case, a security-aware stub resolver MUST
-   NOT place any reliance on signature validation allegedly performed on
-   its behalf, except when the security-aware stub resolver obtained the
-   data in question from a trusted security-aware recursive name server
-   via a secure channel.
-
-   A validating security-aware stub resolver SHOULD NOT examine the
-   setting of the AD bit in response messages, as, by definition, the
-   stub resolver performs its own signature validation regardless of the
-   setting of the AD bit.
-
-
-
-Arends, et al.              Standards Track                    [Page 24]
-
-RFC 4035             DNSSEC Protocol Modifications            March 2005
-
-
-5.  Authenticating DNS Responses
-
-   To use DNSSEC RRs for authentication, a security-aware resolver
-   requires configured knowledge of at least one authenticated DNSKEY or
-   DS RR.  The process for obtaining and authenticating this initial
-   trust anchor is achieved via some external mechanism.  For example, a
-   resolver could use some off-line authenticated exchange to obtain a
-   zone's DNSKEY RR or to obtain a DS RR that identifies and
-   authenticates a zone's DNSKEY RR.  The remainder of this section
-   assumes that the resolver has somehow obtained an initial set of
-   trust anchors.
-
-   An initial DNSKEY RR can be used to authenticate a zone's apex DNSKEY
-   RRset.  To authenticate an apex DNSKEY RRset by using an initial key,
-   the resolver MUST:
-
-   1.  verify that the initial DNSKEY RR appears in the apex DNSKEY
-       RRset, and that the DNSKEY RR has the Zone Key Flag (DNSKEY RDATA
-       bit 7) set; and
-
-   2.  verify that there is some RRSIG RR that covers the apex DNSKEY
-       RRset, and that the combination of the RRSIG RR and the initial
-       DNSKEY RR authenticates the DNSKEY RRset.  The process for using
-       an RRSIG RR to authenticate an RRset is described in Section 5.3.
-
-   Once the resolver has authenticated the apex DNSKEY RRset by using an
-   initial DNSKEY RR, delegations from that zone can be authenticated by
-   using DS RRs.  This allows a resolver to start from an initial key
-   and use DS RRsets to proceed recursively down the DNS tree, obtaining
-   other apex DNSKEY RRsets.  If the resolver were configured with a
-   root DNSKEY RR, and if every delegation had a DS RR associated with
-   it, then the resolver could obtain and validate any apex DNSKEY
-   RRset.  The process of using DS RRs to authenticate referrals is
-   described in Section 5.2.
-
-   Section 5.3 shows how the resolver can use DNSKEY RRs in the apex
-   DNSKEY RRset and RRSIG RRs from the zone to authenticate any other
-   RRsets in the zone once the resolver has authenticated a zone's apex
-   DNSKEY RRset.  Section 5.4 shows how the resolver can use
-   authenticated NSEC RRsets from the zone to prove that an RRset is not
-   present in the zone.
-
-   When a resolver indicates support for DNSSEC (by setting the DO bit),
-   a security-aware name server should attempt to provide the necessary
-   DNSKEY, RRSIG, NSEC, and DS RRsets in a response (see Section 3).
-   However, a security-aware resolver may still receive a response that
-   lacks the appropriate DNSSEC RRs, whether due to configuration issues
-   such as an upstream security-oblivious recursive name server that
-
-
-
-Arends, et al.              Standards Track                    [Page 25]
-
-RFC 4035             DNSSEC Protocol Modifications            March 2005
-
-
-   accidentally interferes with DNSSEC RRs or due to a deliberate attack
-   in which an adversary forges a response, strips DNSSEC RRs from a
-   response, or modifies a query so that DNSSEC RRs appear not to be
-   requested.  The absence of DNSSEC data in a response MUST NOT by
-   itself be taken as an indication that no authentication information
-   exists.
-
-   A resolver SHOULD expect authentication information from signed
-   zones.  A resolver SHOULD believe that a zone is signed if the
-   resolver has been configured with public key information for the
-   zone, or if the zone's parent is signed and the delegation from the
-   parent contains a DS RRset.
-
-5.1.  Special Considerations for Islands of Security
-
-   Islands of security (see [RFC4033]) are signed zones for which it is
-   not possible to construct an authentication chain to the zone from
-   its parent.  Validating signatures within an island of security
-   requires that the validator have some other means of obtaining an
-   initial authenticated zone key for the island.  If a validator cannot
-   obtain such a key, it SHOULD switch to operating as if the zones in
-   the island of security are unsigned.
-
-   All the normal processes for validating responses apply to islands of
-   security.  The only difference between normal validation and
-   validation within an island of security is in how the validator
-   obtains a trust anchor for the authentication chain.
-
-5.2.  Authenticating Referrals
-
-   Once the apex DNSKEY RRset for a signed parent zone has been
-   authenticated, DS RRsets can be used to authenticate the delegation
-   to a signed child zone.  A DS RR identifies a DNSKEY RR in the child
-   zone's apex DNSKEY RRset and contains a cryptographic digest of the
-   child zone's DNSKEY RR.  Use of a strong cryptographic digest
-   algorithm ensures that it is computationally infeasible for an
-   adversary to generate a DNSKEY RR that matches the digest.  Thus,
-   authenticating the digest allows a resolver to authenticate the
-   matching DNSKEY RR.  The resolver can then use this child DNSKEY RR
-   to authenticate the entire child apex DNSKEY RRset.
-
-   Given a DS RR for a delegation, the child zone's apex DNSKEY RRset
-   can be authenticated if all of the following hold:
-
-   o  The DS RR has been authenticated using some DNSKEY RR in the
-      parent's apex DNSKEY RRset (see Section 5.3).
-
-
-
-
-
-Arends, et al.              Standards Track                    [Page 26]
-
-RFC 4035             DNSSEC Protocol Modifications            March 2005
-
-
-   o  The Algorithm and Key Tag in the DS RR match the Algorithm field
-      and the key tag of a DNSKEY RR in the child zone's apex DNSKEY
-      RRset, and, when the DNSKEY RR's owner name and RDATA are hashed
-      using the digest algorithm specified in the DS RR's Digest Type
-      field, the resulting digest value matches the Digest field of the
-      DS RR.
-
-   o  The matching DNSKEY RR in the child zone has the Zone Flag bit
-      set, the corresponding private key has signed the child zone's
-      apex DNSKEY RRset, and the resulting RRSIG RR authenticates the
-      child zone's apex DNSKEY RRset.
-
-   If the referral from the parent zone did not contain a DS RRset, the
-   response should have included a signed NSEC RRset proving that no DS
-   RRset exists for the delegated name (see Section 3.1.4).  A
-   security-aware resolver MUST query the name servers for the parent
-   zone for the DS RRset if the referral includes neither a DS RRset nor
-   a NSEC RRset proving that the DS RRset does not exist (see Section
-   4).
-
-   If the validator authenticates an NSEC RRset that proves that no DS
-   RRset is present for this zone, then there is no authentication path
-   leading from the parent to the child.  If the resolver has an initial
-   DNSKEY or DS RR that belongs to the child zone or to any delegation
-   below the child zone, this initial DNSKEY or DS RR MAY be used to
-   re-establish an authentication path.  If no such initial DNSKEY or DS
-   RR exists, the validator cannot authenticate RRsets in or below the
-   child zone.
-
-   If the validator does not support any of the algorithms listed in an
-   authenticated DS RRset, then the resolver has no supported
-   authentication path leading from the parent to the child.  The
-   resolver should treat this case as it would the case of an
-   authenticated NSEC RRset proving that no DS RRset exists, as
-   described above.
-
-   Note that, for a signed delegation, there are two NSEC RRs associated
-   with the delegated name.  One NSEC RR resides in the parent zone and
-   can be used to prove whether a DS RRset exists for the delegated
-   name.  The second NSEC RR resides in the child zone and identifies
-   which RRsets are present at the apex of the child zone.  The parent
-   NSEC RR and child NSEC RR can always be distinguished because the SOA
-   bit will be set in the child NSEC RR and clear in the parent NSEC RR.
-   A security-aware resolver MUST use the parent NSEC RR when attempting
-   to prove that a DS RRset does not exist.
-
-
-
-
-
-
-Arends, et al.              Standards Track                    [Page 27]
-
-RFC 4035             DNSSEC Protocol Modifications            March 2005
-
-
-   If the resolver does not support any of the algorithms listed in an
-   authenticated DS RRset, then the resolver will not be able to verify
-   the authentication path to the child zone.  In this case, the
-   resolver SHOULD treat the child zone as if it were unsigned.
-
-5.3.  Authenticating an RRset with an RRSIG RR
-
-   A validator can use an RRSIG RR and its corresponding DNSKEY RR to
-   attempt to authenticate RRsets.  The validator first checks the RRSIG
-   RR to verify that it covers the RRset, has a valid time interval, and
-   identifies a valid DNSKEY RR.  The validator then constructs the
-   canonical form of the signed data by appending the RRSIG RDATA
-   (excluding the Signature Field) with the canonical form of the
-   covered RRset.  Finally, the validator uses the public key and
-   signature to authenticate the signed data.  Sections 5.3.1, 5.3.2,
-   and 5.3.3 describe each step in detail.
-
-5.3.1.  Checking the RRSIG RR Validity
-
-   A security-aware resolver can use an RRSIG RR to authenticate an
-   RRset if all of the following conditions hold:
-
-   o  The RRSIG RR and the RRset MUST have the same owner name and the
-      same class.
-
-   o  The RRSIG RR's Signer's Name field MUST be the name of the zone
-      that contains the RRset.
-
-   o  The RRSIG RR's Type Covered field MUST equal the RRset's type.
-
-   o  The number of labels in the RRset owner name MUST be greater than
-      or equal to the value in the RRSIG RR's Labels field.
-
-   o  The validator's notion of the current time MUST be less than or
-      equal to the time listed in the RRSIG RR's Expiration field.
-
-   o  The validator's notion of the current time MUST be greater than or
-      equal to the time listed in the RRSIG RR's Inception field.
-
-   o  The RRSIG RR's Signer's Name, Algorithm, and Key Tag fields MUST
-      match the owner name, algorithm, and key tag for some DNSKEY RR in
-      the zone's apex DNSKEY RRset.
-
-   o  The matching DNSKEY RR MUST be present in the zone's apex DNSKEY
-      RRset, and MUST have the Zone Flag bit (DNSKEY RDATA Flag bit 7)
-      set.
-
-
-
-
-
-Arends, et al.              Standards Track                    [Page 28]
-
-RFC 4035             DNSSEC Protocol Modifications            March 2005
-
-
-   It is possible for more than one DNSKEY RR to match the conditions
-   above.  In this case, the validator cannot predetermine which DNSKEY
-   RR to use to authenticate the signature, and it MUST try each
-   matching DNSKEY RR until either the signature is validated or the
-   validator has run out of matching public keys to try.
-
-   Note that this authentication process is only meaningful if the
-   validator authenticates the DNSKEY RR before using it to validate
-   signatures.  The matching DNSKEY RR is considered to be authentic if:
-
-   o  the apex DNSKEY RRset containing the DNSKEY RR is considered
-      authentic; or
-
-   o  the RRset covered by the RRSIG RR is the apex DNSKEY RRset itself,
-      and the DNSKEY RR either matches an authenticated DS RR from the
-      parent zone or matches a trust anchor.
-
-5.3.2.  Reconstructing the Signed Data
-
-   Once the RRSIG RR has met the validity requirements described in
-   Section 5.3.1, the validator has to reconstruct the original signed
-   data.  The original signed data includes RRSIG RDATA (excluding the
-   Signature field) and the canonical form of the RRset.  Aside from
-   being ordered, the canonical form of the RRset might also differ from
-   the received RRset due to DNS name compression, decremented TTLs, or
-   wildcard expansion.  The validator should use the following to
-   reconstruct the original signed data:
-
-         signed_data = RRSIG_RDATA | RR(1) | RR(2)...  where
-
-            "|" denotes concatenation
-
-            RRSIG_RDATA is the wire format of the RRSIG RDATA fields
-               with the Signature field excluded and the Signer's Name
-               in canonical form.
-
-            RR(i) = name | type | class | OrigTTL | RDATA length | RDATA
-
-               name is calculated according to the function below
-
-               class is the RRset's class
-
-               type is the RRset type and all RRs in the class
-
-               OrigTTL is the value from the RRSIG Original TTL field
-
-               All names in the RDATA field are in canonical form
-
-
-
-
-Arends, et al.              Standards Track                    [Page 29]
-
-RFC 4035             DNSSEC Protocol Modifications            March 2005
-
-
-               The set of all RR(i) is sorted into canonical order.
-
-            To calculate the name:
-               let rrsig_labels = the value of the RRSIG Labels field
-
-               let fqdn = RRset's fully qualified domain name in
-                               canonical form
-
-               let fqdn_labels = Label count of the fqdn above.
-
-               if rrsig_labels = fqdn_labels,
-                   name = fqdn
-
-               if rrsig_labels < fqdn_labels,
-                  name = "*." | the rightmost rrsig_label labels of the
-                                fqdn
-
-               if rrsig_labels > fqdn_labels
-                  the RRSIG RR did not pass the necessary validation
-                  checks and MUST NOT be used to authenticate this
-                  RRset.
-
-   The canonical forms for names and RRsets are defined in [RFC4034].
-
-   NSEC RRsets at a delegation boundary require special processing.
-   There are two distinct NSEC RRsets associated with a signed delegated
-   name.  One NSEC RRset resides in the parent zone, and specifies which
-   RRsets are present at the parent zone.  The second NSEC RRset resides
-   at the child zone and identifies which RRsets are present at the apex
-   in the child zone.  The parent NSEC RRset and child NSEC RRset can
-   always be distinguished as only a child NSEC RR will indicate that an
-   SOA RRset exists at the name.  When reconstructing the original NSEC
-   RRset for the delegation from the parent zone, the NSEC RRs MUST NOT
-   be combined with NSEC RRs from the child zone.  When reconstructing
-   the original NSEC RRset for the apex of the child zone, the NSEC RRs
-   MUST NOT be combined with NSEC RRs from the parent zone.
-
-   Note that each of the two NSEC RRsets at a delegation point has a
-   corresponding RRSIG RR with an owner name matching the delegated
-   name, and each of these RRSIG RRs is authoritative data associated
-   with the same zone that contains the corresponding NSEC RRset.  If
-   necessary, a resolver can tell these RRSIG RRs apart by checking the
-   Signer's Name field.
-
-
-
-
-
-
-
-
-Arends, et al.              Standards Track                    [Page 30]
-
-RFC 4035             DNSSEC Protocol Modifications            March 2005
-
-
-5.3.3.  Checking the Signature
-
-   Once the resolver has validated the RRSIG RR as described in Section
-   5.3.1 and reconstructed the original signed data as described in
-   Section 5.3.2, the validator can attempt to use the cryptographic
-   signature to authenticate the signed data, and thus (finally!)
-   authenticate the RRset.
-
-   The Algorithm field in the RRSIG RR identifies the cryptographic
-   algorithm used to generate the signature.  The signature itself is
-   contained in the Signature field of the RRSIG RDATA, and the public
-   key used to verify the signature is contained in the Public Key field
-   of the matching DNSKEY RR(s) (found in Section 5.3.1).  [RFC4034]
-   provides a list of algorithm types and provides pointers to the
-   documents that define each algorithm's use.
-
-   Note that it is possible for more than one DNSKEY RR to match the
-   conditions in Section 5.3.1.  In this case, the validator can only
-   determine which DNSKEY RR is correct by trying each matching public
-   key until the validator either succeeds in validating the signature
-   or runs out of keys to try.
-
-   If the Labels field of the RRSIG RR is not equal to the number of
-   labels in the RRset's fully qualified owner name, then the RRset is
-   either invalid or the result of wildcard expansion.  The resolver
-   MUST verify that wildcard expansion was applied properly before
-   considering the RRset to be authentic.  Section 5.3.4 describes how
-   to determine whether a wildcard was applied properly.
-
-   If other RRSIG RRs also cover this RRset, the local resolver security
-   policy determines whether the resolver also has to test these RRSIG
-   RRs and how to resolve conflicts if these RRSIG RRs lead to differing
-   results.
-
-   If the resolver accepts the RRset as authentic, the validator MUST
-   set the TTL of the RRSIG RR and each RR in the authenticated RRset to
-   a value no greater than the minimum of:
-
-   o  the RRset's TTL as received in the response;
-
-   o  the RRSIG RR's TTL as received in the response;
-
-   o  the value in the RRSIG RR's Original TTL field; and
-
-   o  the difference of the RRSIG RR's Signature Expiration time and the
-      current time.
-
-
-
-
-
-Arends, et al.              Standards Track                    [Page 31]
-
-RFC 4035             DNSSEC Protocol Modifications            March 2005
-
-
-5.3.4.  Authenticating a Wildcard Expanded RRset Positive Response
-
-   If the number of labels in an RRset's owner name is greater than the
-   Labels field of the covering RRSIG RR, then the RRset and its
-   covering RRSIG RR were created as a result of wildcard expansion.
-   Once the validator has verified the signature, as described in
-   Section 5.3, it must take additional steps to verify the non-
-   existence of an exact match or closer wildcard match for the query.
-   Section 5.4 discusses these steps.
-
-   Note that the response received by the resolver should include all
-   NSEC RRs needed to authenticate the response (see Section 3.1.3).
-
-5.4.  Authenticated Denial of Existence
-
-   A resolver can use authenticated NSEC RRs to prove that an RRset is
-   not present in a signed zone.  Security-aware name servers should
-   automatically include any necessary NSEC RRs for signed zones in
-   their responses to security-aware resolvers.
-
-   Denial of existence is determined by the following rules:
-
-   o  If the requested RR name matches the owner name of an
-      authenticated NSEC RR, then the NSEC RR's type bit map field lists
-      all RR types present at that owner name, and a resolver can prove
-      that the requested RR type does not exist by checking for the RR
-      type in the bit map.  If the number of labels in an authenticated
-      NSEC RR's owner name equals the Labels field of the covering RRSIG
-      RR, then the existence of the NSEC RR proves that wildcard
-      expansion could not have been used to match the request.
-
-   o  If the requested RR name would appear after an authenticated NSEC
-      RR's owner name and before the name listed in that NSEC RR's Next
-      Domain Name field according to the canonical DNS name order
-      defined in [RFC4034], then no RRsets with the requested name exist
-      in the zone.  However, it is possible that a wildcard could be
-      used to match the requested RR owner name and type, so proving
-      that the requested RRset does not exist also requires proving that
-      no possible wildcard RRset exists that could have been used to
-      generate a positive response.
-
-   In addition, security-aware resolvers MUST authenticate the NSEC
-   RRsets that comprise the non-existence proof as described in Section
-   5.3.
-
-   To prove the non-existence of an RRset, the resolver must be able to
-   verify both that the queried RRset does not exist and that no
-   relevant wildcard RRset exists.  Proving this may require more than
-
-
-
-Arends, et al.              Standards Track                    [Page 32]
-
-RFC 4035             DNSSEC Protocol Modifications            March 2005
-
-
-   one NSEC RRset from the zone.  If the complete set of necessary NSEC
-   RRsets is not present in a response (perhaps due to message
-   truncation), then a security-aware resolver MUST resend the query in
-   order to attempt to obtain the full collection of NSEC RRs necessary
-   to verify the non-existence of the requested RRset.  As with all DNS
-   operations, however, the resolver MUST bound the work it puts into
-   answering any particular query.
-
-   Since a validated NSEC RR proves the existence of both itself and its
-   corresponding RRSIG RR, a validator MUST ignore the settings of the
-   NSEC and RRSIG bits in an NSEC RR.
-
-5.5.  Resolver Behavior When Signatures Do Not Validate
-
-   If for whatever reason none of the RRSIGs can be validated, the
-   response SHOULD be considered BAD.  If the validation was being done
-   to service a recursive query, the name server MUST return RCODE 2 to
-   the originating client.  However, it MUST return the full response if
-   and only if the original query had the CD bit set.  Also see Section
-   4.7 on caching responses that do not validate.
-
-5.6.  Authentication Example
-
-   Appendix C shows an example of the authentication process.
-
-6.  IANA Considerations
-
-   [RFC4034] contains a review of the IANA considerations introduced by
-   DNSSEC.  The following are additional IANA considerations discussed
-   in this document:
-
-   [RFC2535] reserved the CD and AD bits in the message header.  The
-   meaning of the AD bit was redefined in [RFC3655], and the meaning of
-   both the CD and AD bit are restated in this document.  No new bits in
-   the DNS message header are defined in this document.
-
-   [RFC2671] introduced EDNS, and [RFC3225] reserved the DNSSEC OK bit
-   and defined its use.  The use is restated but not altered in this
-   document.
-
-7.  Security Considerations
-
-   This document describes how the DNS security extensions use public
-   key cryptography to sign and authenticate DNS resource record sets.
-   Please see [RFC4033] for terminology and general security
-   considerations related to DNSSEC; see [RFC4034] for considerations
-   specific to the DNSSEC resource record types.
-
-
-
-
-Arends, et al.              Standards Track                    [Page 33]
-
-RFC 4035             DNSSEC Protocol Modifications            March 2005
-
-
-   An active attacker who can set the CD bit in a DNS query message or
-   the AD bit in a DNS response message can use these bits to defeat the
-   protection that DNSSEC attempts to provide to security-oblivious
-   recursive-mode resolvers.  For this reason, use of these control bits
-   by a security-aware recursive-mode resolver requires a secure
-   channel.  See Sections 3.2.2 and 4.9 for further discussion.
-
-   The protocol described in this document attempts to extend the
-   benefits of DNSSEC to security-oblivious stub resolvers.  However, as
-   recovery from validation failures is likely to be specific to
-   particular applications, the facilities that DNSSEC provides for stub
-   resolvers may prove inadequate.  Operators of security-aware
-   recursive name servers will have to pay close attention to the
-   behavior of the applications that use their services when choosing a
-   local validation policy; failure to do so could easily result in the
-   recursive name server accidentally denying service to the clients it
-   is intended to support.
-
-8.  Acknowledgements
-
-   This document was created from the input and ideas of the members of
-   the DNS Extensions Working Group and working group mailing list.  The
-   editors would like to express their thanks for the comments and
-   suggestions received during the revision of these security extension
-   specifications.  Although explicitly listing everyone who has
-   contributed during the decade in which DNSSEC has been under
-   development would be impossible, [RFC4033] includes a list of some of
-   the participants who were kind enough to comment on these documents.
-
-9.  References
-
-9.1.  Normative References
-
-   [RFC1034]  Mockapetris, P., "Domain names - concepts and facilities",
-              STD 13, RFC 1034, November 1987.
-
-   [RFC1035]  Mockapetris, P., "Domain names - implementation and
-              specification", STD 13, RFC 1035, November 1987.
-
-   [RFC1122]  Braden, R., "Requirements for Internet Hosts -
-              Communication Layers", STD 3, RFC 1122, October 1989.
-
-   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
-              Requirement Levels", BCP 14, RFC 2119, March 1997.
-
-   [RFC2181]  Elz, R. and R. Bush, "Clarifications to the DNS
-              Specification", RFC 2181, July 1997.
-
-
-
-
-Arends, et al.              Standards Track                    [Page 34]
-
-RFC 4035             DNSSEC Protocol Modifications            March 2005
-
-
-   [RFC2460]  Deering, S. and R. Hinden, "Internet Protocol, Version 6
-              (IPv6) Specification", RFC 2460, December 1998.
-
-   [RFC2671]  Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC
-              2671, August 1999.
-
-   [RFC2672]  Crawford, M., "Non-Terminal DNS Name Redirection", RFC
-              2672, August 1999.
-
-   [RFC3225]  Conrad, D., "Indicating Resolver Support of DNSSEC", RFC
-              3225, December 2001.
-
-   [RFC3226]  Gudmundsson, O., "DNSSEC and IPv6 A6 aware server/resolver
-              message size requirements", RFC 3226, December 2001.
-
-   [RFC4033]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
-              Rose, "DNS Security Introduction and Requirements", RFC
-              4033, March 2005.
-
-   [RFC4034]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
-              Rose, "Resource Records for DNS Security Extensions", RFC
-              4034, March 2005.
-
-9.2.  Informative References
-
-   [RFC2308]  Andrews, M., "Negative Caching of DNS Queries (DNS
-              NCACHE)", RFC 2308, March 1998.
-
-   [RFC2535]  Eastlake 3rd, D., "Domain Name System Security
-              Extensions", RFC 2535, March 1999.
-
-   [RFC3007]  Wellington, B., "Secure Domain Name System (DNS) Dynamic
-              Update", RFC 3007, November 2000.
-
-   [RFC3655]  Wellington, B. and O. Gudmundsson, "Redefinition of DNS
-              Authenticated Data (AD) bit", RFC 3655, November 2003.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Arends, et al.              Standards Track                    [Page 35]
-
-RFC 4035             DNSSEC Protocol Modifications            March 2005
-
-
-Appendix A.  Signed Zone Example
-
-   The following example shows a (small) complete signed zone.
-
-   example.       3600 IN SOA ns1.example. bugs.x.w.example. (
-                              1081539377
-                              3600
-                              300
-                              3600000
-                              3600
-                              )
-                  3600 RRSIG  SOA 5 1 3600 20040509183619 (
-                              20040409183619 38519 example.
-                              ONx0k36rcjaxYtcNgq6iQnpNV5+drqYAsC9h
-                              7TSJaHCqbhE67Sr6aH2xDUGcqQWu/n0UVzrF
-                              vkgO9ebarZ0GWDKcuwlM6eNB5SiX2K74l5LW
-                              DA7S/Un/IbtDq4Ay8NMNLQI7Dw7n4p8/rjkB
-                              jV7j86HyQgM5e7+miRAz8V01b0I= )
-                  3600 NS     ns1.example.
-                  3600 NS     ns2.example.
-                  3600 RRSIG  NS 5 1 3600 20040509183619 (
-                              20040409183619 38519 example.
-                              gl13F00f2U0R+SWiXXLHwsMY+qStYy5k6zfd
-                              EuivWc+wd1fmbNCyql0Tk7lHTX6UOxc8AgNf
-                              4ISFve8XqF4q+o9qlnqIzmppU3LiNeKT4FZ8
-                              RO5urFOvoMRTbQxW3U0hXWuggE4g3ZpsHv48
-                              0HjMeRaZB/FRPGfJPajngcq6Kwg= )
-                  3600 MX     1 xx.example.
-                  3600 RRSIG  MX 5 1 3600 20040509183619 (
-                              20040409183619 38519 example.
-                              HyDHYVT5KHSZ7HtO/vypumPmSZQrcOP3tzWB
-                              2qaKkHVPfau/DgLgS/IKENkYOGL95G4N+NzE
-                              VyNU8dcTOckT+ChPcGeVjguQ7a3Ao9Z/ZkUO
-                              6gmmUW4b89rz1PUxW4jzUxj66PTwoVtUU/iM
-                              W6OISukd1EQt7a0kygkg+PEDxdI= )
-                  3600 NSEC   a.example. NS SOA MX RRSIG NSEC DNSKEY
-                  3600 RRSIG  NSEC 5 1 3600 20040509183619 (
-                              20040409183619 38519 example.
-                              O0k558jHhyrC97ISHnislm4kLMW48C7U7cBm
-                              FTfhke5iVqNRVTB1STLMpgpbDIC9hcryoO0V
-                              Z9ME5xPzUEhbvGnHd5sfzgFVeGxr5Nyyq4tW
-                              SDBgIBiLQUv1ivy29vhXy7WgR62dPrZ0PWvm
-                              jfFJ5arXf4nPxp/kEowGgBRzY/U= )
-                  3600 DNSKEY 256 3 5 (
-                              AQOy1bZVvpPqhg4j7EJoM9rI3ZmyEx2OzDBV
-                              rZy/lvI5CQePxXHZS4i8dANH4DX3tbHol61e
-                              k8EFMcsGXxKciJFHyhl94C+NwILQdzsUlSFo
-                              vBZsyl/NX6yEbtw/xN9ZNcrbYvgjjZ/UVPZI
-
-
-
-Arends, et al.              Standards Track                    [Page 36]
-
-RFC 4035             DNSSEC Protocol Modifications            March 2005
-
-
-                              ySFNsgEYvh0z2542lzMKR4Dh8uZffQ==
-                              )
-                  3600 DNSKEY 257 3 5 (
-                              AQOeX7+baTmvpVHb2CcLnL1dMRWbuscRvHXl
-                              LnXwDzvqp4tZVKp1sZMepFb8MvxhhW3y/0QZ
-                              syCjczGJ1qk8vJe52iOhInKROVLRwxGpMfzP
-                              RLMlGybr51bOV/1se0ODacj3DomyB4QB5gKT
-                              Yot/K9alk5/j8vfd4jWCWD+E1Sze0Q==
-                              )
-                  3600 RRSIG  DNSKEY 5 1 3600 20040509183619 (
-                              20040409183619 9465 example.
-                              ZxgauAuIj+k1YoVEOSlZfx41fcmKzTFHoweZ
-                              xYnz99JVQZJ33wFS0Q0jcP7VXKkaElXk9nYJ
-                              XevO/7nAbo88iWsMkSpSR6jWzYYKwfrBI/L9
-                              hjYmyVO9m6FjQ7uwM4dCP/bIuV/DKqOAK9NY
-                              NC3AHfvCV1Tp4VKDqxqG7R5tTVM= )
-                  3600 RRSIG  DNSKEY 5 1 3600 20040509183619 (
-                              20040409183619 38519 example.
-                              eGL0s90glUqcOmloo/2y+bSzyEfKVOQViD9Z
-                              DNhLz/Yn9CQZlDVRJffACQDAUhXpU/oP34ri
-                              bKBpysRXosczFrKqS5Oa0bzMOfXCXup9qHAp
-                              eFIku28Vqfr8Nt7cigZLxjK+u0Ws/4lIRjKk
-                              7z5OXogYVaFzHKillDt3HRxHIZM= )
-   a.example.     3600 IN NS  ns1.a.example.
-                  3600 IN NS  ns2.a.example.
-                  3600 DS     57855 5 1 (
-                              B6DCD485719ADCA18E5F3D48A2331627FDD3
-                              636B )
-                  3600 RRSIG  DS 5 2 3600 20040509183619 (
-                              20040409183619 38519 example.
-                              oXIKit/QtdG64J/CB+Gi8dOvnwRvqrto1AdQ
-                              oRkAN15FP3iZ7suB7gvTBmXzCjL7XUgQVcoH
-                              kdhyCuzp8W9qJHgRUSwKKkczSyuL64nhgjuD
-                              EML8l9wlWVsl7PR2VnZduM9bLyBhaaPmRKX/
-                              Fm+v6ccF2EGNLRiY08kdkz+XHHo= )
-                  3600 NSEC   ai.example. NS DS RRSIG NSEC
-                  3600 RRSIG  NSEC 5 2 3600 20040509183619 (
-                              20040409183619 38519 example.
-                              cOlYgqJLqlRqmBQ3iap2SyIsK4O5aqpKSoba
-                              U9fQ5SMApZmHfq3AgLflkrkXRXvgxTQSKkG2
-                              039/cRUs6Jk/25+fi7Xr5nOVJsb0lq4zsB3I
-                              BBdjyGDAHE0F5ROJj87996vJupdm1fbH481g
-                              sdkOW6Zyqtz3Zos8N0BBkEx+2G4= )
-   ns1.a.example. 3600 IN A   192.0.2.5
-   ns2.a.example. 3600 IN A   192.0.2.6
-   ai.example.    3600 IN A   192.0.2.9
-                  3600 RRSIG  A 5 2 3600 20040509183619 (
-                              20040409183619 38519 example.
-
-
-
-Arends, et al.              Standards Track                    [Page 37]
-
-RFC 4035             DNSSEC Protocol Modifications            March 2005
-
-
-                              pAOtzLP2MU0tDJUwHOKE5FPIIHmdYsCgTb5B
-                              ERGgpnJluA9ixOyf6xxVCgrEJW0WNZSsJicd
-                              hBHXfDmAGKUajUUlYSAH8tS4ZnrhyymIvk3u
-                              ArDu2wfT130e9UHnumaHHMpUTosKe22PblOy
-                              6zrTpg9FkS0XGVmYRvOTNYx2HvQ= )
-                  3600 HINFO  "KLH-10" "ITS"
-                  3600 RRSIG  HINFO 5 2 3600 20040509183619 (
-                              20040409183619 38519 example.
-                              Iq/RGCbBdKzcYzlGE4ovbr5YcB+ezxbZ9W0l
-                              e/7WqyvhOO9J16HxhhL7VY/IKmTUY0GGdcfh
-                              ZEOCkf4lEykZF9NPok1/R/fWrtzNp8jobuY7
-                              AZEcZadp1WdDF3jc2/ndCa5XZhLKD3JzOsBw
-                              FvL8sqlS5QS6FY/ijFEDnI4RkZA= )
-                  3600 AAAA   2001:db8::f00:baa9
-                  3600 RRSIG  AAAA 5 2 3600 20040509183619 (
-                              20040409183619 38519 example.
-                              nLcpFuXdT35AcE+EoafOUkl69KB+/e56XmFK
-                              kewXG2IadYLKAOBIoR5+VoQV3XgTcofTJNsh
-                              1rnF6Eav2zpZB3byI6yo2bwY8MNkr4A7cL9T
-                              cMmDwV/hWFKsbGBsj8xSCN/caEL2CWY/5XP2
-                              sZM6QjBBLmukH30+w1z3h8PUP2o= )
-                  3600 NSEC   b.example. A HINFO AAAA RRSIG NSEC
-                  3600 RRSIG  NSEC 5 2 3600 20040509183619 (
-                              20040409183619 38519 example.
-                              QoshyPevLcJ/xcRpEtMft1uoIrcrieVcc9pG
-                              CScIn5Glnib40T6ayVOimXwdSTZ/8ISXGj4p
-                              P8Sh0PlA6olZQ84L453/BUqB8BpdOGky4hsN
-                              3AGcLEv1Gr0QMvirQaFcjzOECfnGyBm+wpFL
-                              AhS+JOVfDI/79QtyTI0SaDWcg8U= )
-   b.example.     3600 IN NS  ns1.b.example.
-                  3600 IN NS  ns2.b.example.
-                  3600 NSEC   ns1.example. NS RRSIG NSEC
-                  3600 RRSIG  NSEC 5 2 3600 20040509183619 (
-                              20040409183619 38519 example.
-                              GNuxHn844wfmUhPzGWKJCPY5ttEX/RfjDoOx
-                              9ueK1PtYkOWKOOdiJ/PJKCYB3hYX+858dDWS
-                              xb2qnV/LSTCNVBnkm6owOpysY97MVj5VQEWs
-                              0lm9tFoqjcptQkmQKYPrwUnCSNwvvclSF1xZ
-                              vhRXgWT7OuFXldoCG6TfVFMs9xE= )
-   ns1.b.example. 3600 IN A   192.0.2.7
-   ns2.b.example. 3600 IN A   192.0.2.8
-   ns1.example.   3600 IN A   192.0.2.1
-                  3600 RRSIG  A 5 2 3600 20040509183619 (
-                              20040409183619 38519 example.
-                              F1C9HVhIcs10cZU09G5yIVfKJy5yRQQ3qVet
-                              5pGhp82pzhAOMZ3K22JnmK4c+IjUeFp/to06
-                              im5FVpHtbFisdjyPq84bhTv8vrXt5AB1wNB+
-                              +iAqvIfdgW4sFNC6oADb1hK8QNauw9VePJhK
-
-
-
-Arends, et al.              Standards Track                    [Page 38]
-
-RFC 4035             DNSSEC Protocol Modifications            March 2005
-
-
-                              v/iVXSYC0b7mPSU+EOlknFpVECs= )
-                  3600 NSEC   ns2.example. A RRSIG NSEC
-                  3600 RRSIG  NSEC 5 2 3600 20040509183619 (
-                              20040409183619 38519 example.
-                              I4hj+Kt6+8rCcHcUdolks2S+Wzri9h3fHas8
-                              1rGN/eILdJHN7JpV6lLGPIh/8fIBkfvdyWnB
-                              jjf1q3O7JgYO1UdI7FvBNWqaaEPJK3UkddBq
-                              ZIaLi8Qr2XHkjq38BeQsbp8X0+6h4ETWSGT8
-                              IZaIGBLryQWGLw6Y6X8dqhlnxJM= )
-   ns2.example.   3600 IN A   192.0.2.2
-                  3600 RRSIG  A 5 2 3600 20040509183619 (
-                              20040409183619 38519 example.
-                              V7cQRw1TR+knlaL1z/psxlS1PcD37JJDaCMq
-                              Qo6/u1qFQu6x+wuDHRH22Ap9ulJPQjFwMKOu
-                              yfPGQPC8KzGdE3vt5snFEAoE1Vn3mQqtu7SO
-                              6amIjk13Kj/jyJ4nGmdRIc/3cM3ipXFhNTKq
-                              rdhx8SZ0yy4ObIRzIzvBFLiSS8o= )
-                  3600 NSEC   *.w.example. A RRSIG NSEC
-                  3600 RRSIG  NSEC 5 2 3600 20040509183619 (
-                              20040409183619 38519 example.
-                              N0QzHvaJf5NRw1rE9uxS1Ltb2LZ73Qb9bKGE
-                              VyaISkqzGpP3jYJXZJPVTq4UVEsgT3CgeHvb
-                              3QbeJ5Dfb2V9NGCHj/OvF/LBxFFWwhLwzngH
-                              l+bQAgAcMsLu/nL3nDi1y/JSQjAcdZNDl4bw
-                              Ymx28EtgIpo9A0qmP08rMBqs1Jw= )
-   *.w.example.   3600 IN MX  1 ai.example.
-                  3600 RRSIG  MX 5 2 3600 20040509183619 (
-                              20040409183619 38519 example.
-                              OMK8rAZlepfzLWW75Dxd63jy2wswESzxDKG2
-                              f9AMN1CytCd10cYISAxfAdvXSZ7xujKAtPbc
-                              tvOQ2ofO7AZJ+d01EeeQTVBPq4/6KCWhqe2X
-                              TjnkVLNvvhnc0u28aoSsG0+4InvkkOHknKxw
-                              4kX18MMR34i8lC36SR5xBni8vHI= )
-                  3600 NSEC   x.w.example. MX RRSIG NSEC
-                  3600 RRSIG  NSEC 5 2 3600 20040509183619 (
-                              20040409183619 38519 example.
-                              r/mZnRC3I/VIcrelgIcteSxDhtsdlTDt8ng9
-                              HSBlABOlzLxQtfgTnn8f+aOwJIAFe1Ee5RvU
-                              5cVhQJNP5XpXMJHfyps8tVvfxSAXfahpYqtx
-                              91gsmcV/1V9/bZAG55CefP9cM4Z9Y9NT9XQ8
-                              s1InQ2UoIv6tJEaaKkP701j8OLA= )
-   x.w.example.   3600 IN MX  1 xx.example.
-                  3600 RRSIG  MX 5 3 3600 20040509183619 (
-                              20040409183619 38519 example.
-                              Il2WTZ+Bkv+OytBx4LItNW5mjB4RCwhOO8y1
-                              XzPHZmZUTVYL7LaA63f6T9ysVBzJRI3KRjAP
-                              H3U1qaYnDoN1DrWqmi9RJe4FoObkbcdm7P3I
-                              kx70ePCoFgRz1Yq+bVVXCvGuAU4xALv3W/Y1
-
-
-
-Arends, et al.              Standards Track                    [Page 39]
-
-RFC 4035             DNSSEC Protocol Modifications            March 2005
-
-
-                              jNSlwZ2mSWKHfxFQxPtLj8s32+k= )
-                  3600 NSEC   x.y.w.example. MX RRSIG NSEC
-                  3600 RRSIG  NSEC 5 3 3600 20040509183619 (
-                              20040409183619 38519 example.
-                              aRbpHftxggzgMXdDlym9SsADqMZovZZl2QWK
-                              vw8J0tZEUNQByH5Qfnf5N1FqH/pS46UA7A4E
-                              mcWBN9PUA1pdPY6RVeaRlZlCr1IkVctvbtaI
-                              NJuBba/VHm+pebTbKcAPIvL9tBOoh+to1h6e
-                              IjgiM8PXkBQtxPq37wDKALkyn7Q= )
-   x.y.w.example. 3600 IN MX  1 xx.example.
-                  3600 RRSIG  MX 5 4 3600 20040509183619 (
-                              20040409183619 38519 example.
-                              k2bJHbwP5LH5qN4is39UiPzjAWYmJA38Hhia
-                              t7i9t7nbX/e0FPnvDSQXzcK7UL+zrVA+3MDj
-                              q1ub4q3SZgcbLMgexxIW3Va//LVrxkP6Xupq
-                              GtOB9prkK54QTl/qZTXfMQpW480YOvVknhvb
-                              +gLcMZBnHJ326nb/TOOmrqNmQQE= )
-                  3600 NSEC   xx.example. MX RRSIG NSEC
-                  3600 RRSIG  NSEC 5 4 3600 20040509183619 (
-                              20040409183619 38519 example.
-                              OvE6WUzN2ziieJcvKPWbCAyXyP6ef8cr6Csp
-                              ArVSTzKSquNwbezZmkU7E34o5lmb6CWSSSpg
-                              xw098kNUFnHcQf/LzY2zqRomubrNQhJTiDTX
-                              a0ArunJQCzPjOYq5t0SLjm6qp6McJI1AP5Vr
-                              QoKqJDCLnoAlcPOPKAm/jJkn3jk= )
-   xx.example.    3600 IN A   192.0.2.10
-                  3600 RRSIG  A 5 2 3600 20040509183619 (
-                              20040409183619 38519 example.
-                              kBF4YxMGWF0D8r0cztL+2fWWOvN1U/GYSpYP
-                              7SoKoNQ4fZKyk+weWGlKLIUM+uE1zjVTPXoa
-                              0Z6WG0oZp46rkl1EzMcdMgoaeUzzAJ2BMq+Y
-                              VdxG9IK1yZkYGY9AgbTOGPoAgbJyO9EPULsx
-                              kbIDV6GPPSZVusnZU6OMgdgzHV4= )
-                  3600 HINFO  "KLH-10" "TOPS-20"
-                  3600 RRSIG  HINFO 5 2 3600 20040509183619 (
-                              20040409183619 38519 example.
-                              GY2PLSXmMHkWHfLdggiox8+chWpeMNJLkML0
-                              t+U/SXSUsoUdR91KNdNUkTDWamwcF8oFRjhq
-                              BcPZ6EqrF+vl5v5oGuvSF7U52epfVTC+wWF8
-                              3yCUeUw8YklhLWlvk8gQ15YKth0ITQy8/wI+
-                              RgNvuwbioFSEuv2pNlkq0goYxNY= )
-                  3600 AAAA   2001:db8::f00:baaa
-                  3600 RRSIG  AAAA 5 2 3600 20040509183619 (
-                              20040409183619 38519 example.
-                              Zzj0yodDxcBLnnOIwDsuKo5WqiaK24DlKg9C
-                              aGaxDFiKgKobUj2jilYQHpGFn2poFRetZd4z
-                              ulyQkssz2QHrVrPuTMS22knudCiwP4LWpVTr
-                              U4zfeA+rDz9stmSBP/4PekH/x2IoAYnwctd/
-
-
-
-Arends, et al.              Standards Track                    [Page 40]
-
-RFC 4035             DNSSEC Protocol Modifications            March 2005
-
-
-                              xS9cL2QgW7FChw16mzlkH6/vsfs= )
-                  3600 NSEC   example. A HINFO AAAA RRSIG NSEC
-                  3600 RRSIG  NSEC 5 2 3600 20040509183619 (
-                              20040409183619 38519 example.
-                              ZFWUln6Avc8bmGl5GFjD3BwT530DUZKHNuoY
-                              9A8lgXYyrxu+pqgFiRVbyZRQvVB5pccEOT3k
-                              mvHgEa/HzbDB4PIYY79W+VHrgOxzdQGGCZzi
-                              asXrpSGOWwSOElghPnMIi8xdF7qtCntr382W
-                              GghLahumFIpg4MO3LS/prgzVVWo= )
-
-   The apex DNSKEY set includes two DNSKEY RRs, and the DNSKEY RDATA
-   Flags indicate that each of these DNSKEY RRs is a zone key.  One of
-   these DNSKEY RRs also has the SEP flag set and has been used to sign
-   the apex DNSKEY RRset; this is the key that should be hashed to
-   generate a DS record to be inserted into the parent zone.  The other
-   DNSKEY is used to sign all the other RRsets in the zone.
-
-   The zone includes a wildcard entry, "*.w.example".  Note that the
-   name "*.w.example" is used in constructing NSEC chains, and that the
-   RRSIG covering the "*.w.example" MX RRset has a label count of 2.
-
-   The zone also includes two delegations.  The delegation to
-   "b.example" includes an NS RRset, glue address records, and an NSEC
-   RR; note that only the NSEC RRset is signed.  The delegation to
-   "a.example" provides a DS RR; note that only the NSEC and DS RRsets
-   are signed.
-
-Appendix B.  Example Responses
-
-   The examples in this section show response messages using the signed
-   zone example in Appendix A.
-
-B.1.  Answer
-
-   A successful query to an authoritative server.
-
-   ;; Header: QR AA DO RCODE=0
-   ;;
-   ;; Question
-   x.w.example.        IN MX
-
-   ;; Answer
-   x.w.example.   3600 IN MX  1 xx.example.
-   x.w.example.   3600 RRSIG  MX 5 3 3600 20040509183619 (
-                              20040409183619 38519 example.
-                              Il2WTZ+Bkv+OytBx4LItNW5mjB4RCwhOO8y1
-                              XzPHZmZUTVYL7LaA63f6T9ysVBzJRI3KRjAP
-                              H3U1qaYnDoN1DrWqmi9RJe4FoObkbcdm7P3I
-
-
-
-Arends, et al.              Standards Track                    [Page 41]
-
-RFC 4035             DNSSEC Protocol Modifications            March 2005
-
-
-                              kx70ePCoFgRz1Yq+bVVXCvGuAU4xALv3W/Y1
-                              jNSlwZ2mSWKHfxFQxPtLj8s32+k= )
-
-   ;; Authority
-   example.       3600 NS     ns1.example.
-   example.       3600 NS     ns2.example.
-   example.       3600 RRSIG  NS 5 1 3600 20040509183619 (
-                              20040409183619 38519 example.
-                              gl13F00f2U0R+SWiXXLHwsMY+qStYy5k6zfd
-                              EuivWc+wd1fmbNCyql0Tk7lHTX6UOxc8AgNf
-                              4ISFve8XqF4q+o9qlnqIzmppU3LiNeKT4FZ8
-                              RO5urFOvoMRTbQxW3U0hXWuggE4g3ZpsHv48
-                              0HjMeRaZB/FRPGfJPajngcq6Kwg= )
-
-   ;; Additional
-   xx.example.    3600 IN A   192.0.2.10
-   xx.example.    3600 RRSIG  A 5 2 3600 20040509183619 (
-                              20040409183619 38519 example.
-                              kBF4YxMGWF0D8r0cztL+2fWWOvN1U/GYSpYP
-                              7SoKoNQ4fZKyk+weWGlKLIUM+uE1zjVTPXoa
-                              0Z6WG0oZp46rkl1EzMcdMgoaeUzzAJ2BMq+Y
-                              VdxG9IK1yZkYGY9AgbTOGPoAgbJyO9EPULsx
-                              kbIDV6GPPSZVusnZU6OMgdgzHV4= )
-   xx.example.    3600 AAAA   2001:db8::f00:baaa
-   xx.example.    3600 RRSIG  AAAA 5 2 3600 20040509183619 (
-                              20040409183619 38519 example.
-                              Zzj0yodDxcBLnnOIwDsuKo5WqiaK24DlKg9C
-                              aGaxDFiKgKobUj2jilYQHpGFn2poFRetZd4z
-                              ulyQkssz2QHrVrPuTMS22knudCiwP4LWpVTr
-                              U4zfeA+rDz9stmSBP/4PekH/x2IoAYnwctd/
-                              xS9cL2QgW7FChw16mzlkH6/vsfs= )
-   ns1.example.   3600 IN A   192.0.2.1
-   ns1.example.   3600 RRSIG  A 5 2 3600 20040509183619 (
-                              20040409183619 38519 example.
-                              F1C9HVhIcs10cZU09G5yIVfKJy5yRQQ3qVet
-                              5pGhp82pzhAOMZ3K22JnmK4c+IjUeFp/to06
-                              im5FVpHtbFisdjyPq84bhTv8vrXt5AB1wNB+
-                              +iAqvIfdgW4sFNC6oADb1hK8QNauw9VePJhK
-                              v/iVXSYC0b7mPSU+EOlknFpVECs= )
-   ns2.example.   3600 IN A   192.0.2.2
-   ns2.example.   3600 RRSIG  A 5 2 3600 20040509183619 (
-                              20040409183619 38519 example.
-                              V7cQRw1TR+knlaL1z/psxlS1PcD37JJDaCMq
-                              Qo6/u1qFQu6x+wuDHRH22Ap9ulJPQjFwMKOu
-                              yfPGQPC8KzGdE3vt5snFEAoE1Vn3mQqtu7SO
-                              6amIjk13Kj/jyJ4nGmdRIc/3cM3ipXFhNTKq
-                              rdhx8SZ0yy4ObIRzIzvBFLiSS8o= )
-
-
-
-
-Arends, et al.              Standards Track                    [Page 42]
-
-RFC 4035             DNSSEC Protocol Modifications            March 2005
-
-
-B.2.  Name Error
-
-   An authoritative name error.  The NSEC RRs prove that the name does
-   not exist and that no covering wildcard exists.
-
-   ;; Header: QR AA DO RCODE=3
-   ;;
-   ;; Question
-   ml.example.         IN A
-
-   ;; Answer
-   ;; (empty)
-
-   ;; Authority
-   example.       3600 IN SOA ns1.example. bugs.x.w.example. (
-                              1081539377
-                              3600
-                              300
-                              3600000
-                              3600
-                              )
-   example.       3600 RRSIG  SOA 5 1 3600 20040509183619 (
-                              20040409183619 38519 example.
-                              ONx0k36rcjaxYtcNgq6iQnpNV5+drqYAsC9h
-                              7TSJaHCqbhE67Sr6aH2xDUGcqQWu/n0UVzrF
-                              vkgO9ebarZ0GWDKcuwlM6eNB5SiX2K74l5LW
-                              DA7S/Un/IbtDq4Ay8NMNLQI7Dw7n4p8/rjkB
-                              jV7j86HyQgM5e7+miRAz8V01b0I= )
-   b.example.     3600 NSEC   ns1.example. NS RRSIG NSEC
-   b.example.     3600 RRSIG  NSEC 5 2 3600 20040509183619 (
-                              20040409183619 38519 example.
-                              GNuxHn844wfmUhPzGWKJCPY5ttEX/RfjDoOx
-                              9ueK1PtYkOWKOOdiJ/PJKCYB3hYX+858dDWS
-                              xb2qnV/LSTCNVBnkm6owOpysY97MVj5VQEWs
-                              0lm9tFoqjcptQkmQKYPrwUnCSNwvvclSF1xZ
-                              vhRXgWT7OuFXldoCG6TfVFMs9xE= )
-   example.       3600 NSEC   a.example. NS SOA MX RRSIG NSEC DNSKEY
-   example.       3600 RRSIG  NSEC 5 1 3600 20040509183619 (
-                              20040409183619 38519 example.
-                              O0k558jHhyrC97ISHnislm4kLMW48C7U7cBm
-                              FTfhke5iVqNRVTB1STLMpgpbDIC9hcryoO0V
-                              Z9ME5xPzUEhbvGnHd5sfzgFVeGxr5Nyyq4tW
-                              SDBgIBiLQUv1ivy29vhXy7WgR62dPrZ0PWvm
-                              jfFJ5arXf4nPxp/kEowGgBRzY/U= )
-
-   ;; Additional
-   ;; (empty)
-
-
-
-
-Arends, et al.              Standards Track                    [Page 43]
-
-RFC 4035             DNSSEC Protocol Modifications            March 2005
-
-
-B.3.  No Data Error
-
-   A "no data" response.  The NSEC RR proves that the name exists and
-   that the requested RR type does not.
-
-   ;; Header: QR AA DO RCODE=0
-   ;;
-   ;; Question
-   ns1.example.        IN MX
-
-   ;; Answer
-   ;; (empty)
-
-   ;; Authority
-   example.       3600 IN SOA ns1.example. bugs.x.w.example. (
-                              1081539377
-                              3600
-                              300
-                              3600000
-                              3600
-                              )
-   example.       3600 RRSIG  SOA 5 1 3600 20040509183619 (
-                              20040409183619 38519 example.
-                              ONx0k36rcjaxYtcNgq6iQnpNV5+drqYAsC9h
-                              7TSJaHCqbhE67Sr6aH2xDUGcqQWu/n0UVzrF
-                              vkgO9ebarZ0GWDKcuwlM6eNB5SiX2K74l5LW
-                              DA7S/Un/IbtDq4Ay8NMNLQI7Dw7n4p8/rjkB
-                              jV7j86HyQgM5e7+miRAz8V01b0I= )
-   ns1.example.   3600 NSEC   ns2.example. A RRSIG NSEC
-   ns1.example.   3600 RRSIG  NSEC 5 2 3600 20040509183619 (
-                              20040409183619 38519 example.
-                              I4hj+Kt6+8rCcHcUdolks2S+Wzri9h3fHas8
-                              1rGN/eILdJHN7JpV6lLGPIh/8fIBkfvdyWnB
-                              jjf1q3O7JgYO1UdI7FvBNWqaaEPJK3UkddBq
-                              ZIaLi8Qr2XHkjq38BeQsbp8X0+6h4ETWSGT8
-                              IZaIGBLryQWGLw6Y6X8dqhlnxJM= )
-
-   ;; Additional
-   ;; (empty)
-
-B.4.  Referral to Signed Zone
-
-   Referral to a signed zone.  The DS RR contains the data which the
-   resolver will need to validate the corresponding DNSKEY RR in the
-   child zone's apex.
-
-   ;; Header: QR DO RCODE=0
-   ;;
-
-
-
-Arends, et al.              Standards Track                    [Page 44]
-
-RFC 4035             DNSSEC Protocol Modifications            March 2005
-
-
-   ;; Question
-   mc.a.example.       IN MX
-
-   ;; Answer
-   ;; (empty)
-
-   ;; Authority
-   a.example.     3600 IN NS  ns1.a.example.
-   a.example.     3600 IN NS  ns2.a.example.
-   a.example.     3600 DS     57855 5 1 (
-                              B6DCD485719ADCA18E5F3D48A2331627FDD3
-                              636B )
-   a.example.     3600 RRSIG  DS 5 2 3600 20040509183619 (
-                              20040409183619 38519 example.
-                              oXIKit/QtdG64J/CB+Gi8dOvnwRvqrto1AdQ
-                              oRkAN15FP3iZ7suB7gvTBmXzCjL7XUgQVcoH
-                              kdhyCuzp8W9qJHgRUSwKKkczSyuL64nhgjuD
-                              EML8l9wlWVsl7PR2VnZduM9bLyBhaaPmRKX/
-                              Fm+v6ccF2EGNLRiY08kdkz+XHHo= )
-
-   ;; Additional
-   ns1.a.example. 3600 IN A   192.0.2.5
-   ns2.a.example. 3600 IN A   192.0.2.6
-
-B.5.  Referral to Unsigned Zone
-
-   Referral to an unsigned zone.  The NSEC RR proves that no DS RR for
-   this delegation exists in the parent zone.
-
-   ;; Header: QR DO RCODE=0
-   ;;
-   ;; Question
-   mc.b.example.       IN MX
-
-   ;; Answer
-   ;; (empty)
-
-   ;; Authority
-   b.example.     3600 IN NS  ns1.b.example.
-   b.example.     3600 IN NS  ns2.b.example.
-   b.example.     3600 NSEC   ns1.example. NS RRSIG NSEC
-   b.example.     3600 RRSIG  NSEC 5 2 3600 20040509183619 (
-                              20040409183619 38519 example.
-                              GNuxHn844wfmUhPzGWKJCPY5ttEX/RfjDoOx
-                              9ueK1PtYkOWKOOdiJ/PJKCYB3hYX+858dDWS
-                              xb2qnV/LSTCNVBnkm6owOpysY97MVj5VQEWs
-                              0lm9tFoqjcptQkmQKYPrwUnCSNwvvclSF1xZ
-                              vhRXgWT7OuFXldoCG6TfVFMs9xE= )
-
-
-
-Arends, et al.              Standards Track                    [Page 45]
-
-RFC 4035             DNSSEC Protocol Modifications            March 2005
-
-
-   ;; Additional
-   ns1.b.example. 3600 IN A   192.0.2.7
-   ns2.b.example. 3600 IN A   192.0.2.8
-
-B.6.  Wildcard Expansion
-
-   A successful query that was answered via wildcard expansion.  The
-   label count in the answer's RRSIG RR indicates that a wildcard RRset
-   was expanded to produce this response, and the NSEC RR proves that no
-   closer match exists in the zone.
-
-   ;; Header: QR AA DO RCODE=0
-   ;;
-   ;; Question
-   a.z.w.example.      IN MX
-
-   ;; Answer
-   a.z.w.example. 3600 IN MX  1 ai.example.
-   a.z.w.example. 3600 RRSIG  MX 5 2 3600 20040509183619 (
-                              20040409183619 38519 example.
-                              OMK8rAZlepfzLWW75Dxd63jy2wswESzxDKG2
-                              f9AMN1CytCd10cYISAxfAdvXSZ7xujKAtPbc
-                              tvOQ2ofO7AZJ+d01EeeQTVBPq4/6KCWhqe2X
-                              TjnkVLNvvhnc0u28aoSsG0+4InvkkOHknKxw
-                              4kX18MMR34i8lC36SR5xBni8vHI= )
-
-   ;; Authority
-   example.       3600 NS     ns1.example.
-   example.       3600 NS     ns2.example.
-   example.       3600 RRSIG  NS 5 1 3600 20040509183619 (
-                              20040409183619 38519 example.
-                              gl13F00f2U0R+SWiXXLHwsMY+qStYy5k6zfd
-                              EuivWc+wd1fmbNCyql0Tk7lHTX6UOxc8AgNf
-                              4ISFve8XqF4q+o9qlnqIzmppU3LiNeKT4FZ8
-                              RO5urFOvoMRTbQxW3U0hXWuggE4g3ZpsHv48
-                              0HjMeRaZB/FRPGfJPajngcq6Kwg= )
-   x.y.w.example. 3600 NSEC   xx.example. MX RRSIG NSEC
-   x.y.w.example. 3600 RRSIG  NSEC 5 4 3600 20040509183619 (
-                              20040409183619 38519 example.
-                              OvE6WUzN2ziieJcvKPWbCAyXyP6ef8cr6Csp
-                              ArVSTzKSquNwbezZmkU7E34o5lmb6CWSSSpg
-                              xw098kNUFnHcQf/LzY2zqRomubrNQhJTiDTX
-                              a0ArunJQCzPjOYq5t0SLjm6qp6McJI1AP5Vr
-                              QoKqJDCLnoAlcPOPKAm/jJkn3jk= )
-
-   ;; Additional
-   ai.example.    3600 IN A   192.0.2.9
-   ai.example.    3600 RRSIG  A 5 2 3600 20040509183619 (
-
-
-
-Arends, et al.              Standards Track                    [Page 46]
-
-RFC 4035             DNSSEC Protocol Modifications            March 2005
-
-
-                              20040409183619 38519 example.
-                              pAOtzLP2MU0tDJUwHOKE5FPIIHmdYsCgTb5B
-                              ERGgpnJluA9ixOyf6xxVCgrEJW0WNZSsJicd
-                              hBHXfDmAGKUajUUlYSAH8tS4ZnrhyymIvk3u
-                              ArDu2wfT130e9UHnumaHHMpUTosKe22PblOy
-                              6zrTpg9FkS0XGVmYRvOTNYx2HvQ= )
-   ai.example.    3600 AAAA   2001:db8::f00:baa9
-   ai.example.    3600 RRSIG  AAAA 5 2 3600 20040509183619 (
-                              20040409183619 38519 example.
-                              nLcpFuXdT35AcE+EoafOUkl69KB+/e56XmFK
-                              kewXG2IadYLKAOBIoR5+VoQV3XgTcofTJNsh
-                              1rnF6Eav2zpZB3byI6yo2bwY8MNkr4A7cL9T
-                              cMmDwV/hWFKsbGBsj8xSCN/caEL2CWY/5XP2
-                              sZM6QjBBLmukH30+w1z3h8PUP2o= )
-
-B.7.  Wildcard No Data Error
-
-   A "no data" response for a name covered by a wildcard.  The NSEC RRs
-   prove that the matching wildcard name does not have any RRs of the
-   requested type and that no closer match exists in the zone.
-
-   ;; Header: QR AA DO RCODE=0
-   ;;
-   ;; Question
-   a.z.w.example.      IN AAAA
-
-   ;; Answer
-   ;; (empty)
-
-   ;; Authority
-   example.       3600 IN SOA ns1.example. bugs.x.w.example. (
-                              1081539377
-                              3600
-                              300
-                              3600000
-                              3600
-                              )
-   example.       3600 RRSIG  SOA 5 1 3600 20040509183619 (
-                              20040409183619 38519 example.
-                              ONx0k36rcjaxYtcNgq6iQnpNV5+drqYAsC9h
-                              7TSJaHCqbhE67Sr6aH2xDUGcqQWu/n0UVzrF
-                              vkgO9ebarZ0GWDKcuwlM6eNB5SiX2K74l5LW
-                              DA7S/Un/IbtDq4Ay8NMNLQI7Dw7n4p8/rjkB
-                              jV7j86HyQgM5e7+miRAz8V01b0I= )
-   x.y.w.example. 3600 NSEC   xx.example. MX RRSIG NSEC
-   x.y.w.example. 3600 RRSIG  NSEC 5 4 3600 20040509183619 (
-                              20040409183619 38519 example.
-                              OvE6WUzN2ziieJcvKPWbCAyXyP6ef8cr6Csp
-
-
-
-Arends, et al.              Standards Track                    [Page 47]
-
-RFC 4035             DNSSEC Protocol Modifications            March 2005
-
-
-                              ArVSTzKSquNwbezZmkU7E34o5lmb6CWSSSpg
-                              xw098kNUFnHcQf/LzY2zqRomubrNQhJTiDTX
-                              a0ArunJQCzPjOYq5t0SLjm6qp6McJI1AP5Vr
-                              QoKqJDCLnoAlcPOPKAm/jJkn3jk= )
-   *.w.example.   3600 NSEC   x.w.example. MX RRSIG NSEC
-   *.w.example.   3600 RRSIG  NSEC 5 2 3600 20040509183619 (
-                              20040409183619 38519 example.
-                              r/mZnRC3I/VIcrelgIcteSxDhtsdlTDt8ng9
-                              HSBlABOlzLxQtfgTnn8f+aOwJIAFe1Ee5RvU
-                              5cVhQJNP5XpXMJHfyps8tVvfxSAXfahpYqtx
-                              91gsmcV/1V9/bZAG55CefP9cM4Z9Y9NT9XQ8
-                              s1InQ2UoIv6tJEaaKkP701j8OLA= )
-
-   ;; Additional
-   ;; (empty)
-
-B.8.  DS Child Zone No Data Error
-
-   A "no data" response for a QTYPE=DS query that was mistakenly sent to
-   a name server for the child zone.
-
-   ;; Header: QR AA DO RCODE=0
-   ;;
-   ;; Question
-   example.            IN DS
-
-   ;; Answer
-   ;; (empty)
-
-   ;; Authority
-   example.       3600 IN SOA ns1.example. bugs.x.w.example. (
-                              1081539377
-                              3600
-                              300
-                              3600000
-                              3600
-                              )
-   example.       3600 RRSIG  SOA 5 1 3600 20040509183619 (
-                              20040409183619 38519 example.
-                              ONx0k36rcjaxYtcNgq6iQnpNV5+drqYAsC9h
-                              7TSJaHCqbhE67Sr6aH2xDUGcqQWu/n0UVzrF
-                              vkgO9ebarZ0GWDKcuwlM6eNB5SiX2K74l5LW
-                              DA7S/Un/IbtDq4Ay8NMNLQI7Dw7n4p8/rjkB
-                              jV7j86HyQgM5e7+miRAz8V01b0I= )
-   example.       3600 NSEC   a.example. NS SOA MX RRSIG NSEC DNSKEY
-   example.       3600 RRSIG  NSEC 5 1 3600 20040509183619 (
-                              20040409183619 38519 example.
-                              O0k558jHhyrC97ISHnislm4kLMW48C7U7cBm
-
-
-
-Arends, et al.              Standards Track                    [Page 48]
-
-RFC 4035             DNSSEC Protocol Modifications            March 2005
-
-
-                              FTfhke5iVqNRVTB1STLMpgpbDIC9hcryoO0V
-                              Z9ME5xPzUEhbvGnHd5sfzgFVeGxr5Nyyq4tW
-                              SDBgIBiLQUv1ivy29vhXy7WgR62dPrZ0PWvm
-                              jfFJ5arXf4nPxp/kEowGgBRzY/U= )
-
-   ;; Additional
-   ;; (empty)
-
-Appendix C.  Authentication Examples
-
-   The examples in this section show how the response messages in
-   Appendix B are authenticated.
-
-C.1.  Authenticating an Answer
-
-   The query in Appendix B.1 returned an MX RRset for "x.w.example.com".
-   The corresponding RRSIG indicates that the MX RRset was signed by an
-   "example" DNSKEY with algorithm 5 and key tag 38519.  The resolver
-   needs the corresponding DNSKEY RR in order to authenticate this
-   answer.  The discussion below describes how a resolver might obtain
-   this DNSKEY RR.
-
-   The RRSIG indicates the original TTL of the MX RRset was 3600, and,
-   for the purpose of authentication, the current TTL is replaced by
-   3600.  The RRSIG labels field value of 3 indicates that the answer
-   was not the result of wildcard expansion.  The "x.w.example.com" MX
-   RRset is placed in canonical form, and, assuming the current time
-   falls between the signature inception and expiration dates, the
-   signature is authenticated.
-
-C.1.1.  Authenticating the Example DNSKEY RR
-
-   This example shows the logical authentication process that starts
-   from the a configured root DNSKEY (or DS RR) and moves down the tree
-   to authenticate the desired "example" DNSKEY RR.  Note that the
-   logical order is presented for clarity.  An implementation may choose
-   to construct the authentication as referrals are received or to
-   construct the authentication chain only after all RRsets have been
-   obtained, or in any other combination it sees fit.  The example here
-   demonstrates only the logical process and does not dictate any
-   implementation rules.
-
-   We assume the resolver starts with a configured DNSKEY RR for the
-   root zone (or a configured DS RR for the root zone).  The resolver
-   checks whether this configured DNSKEY RR is present in the root
-   DNSKEY RRset (or whether the DS RR matches some DNSKEY in the root
-   DNSKEY RRset), whether this DNSKEY RR has signed the root DNSKEY
-   RRset, and whether the signature lifetime is valid.  If all these
-
-
-
-Arends, et al.              Standards Track                    [Page 49]
-
-RFC 4035             DNSSEC Protocol Modifications            March 2005
-
-
-   conditions are met, all keys in the DNSKEY RRset are considered
-   authenticated.  The resolver then uses one (or more) of the root
-   DNSKEY RRs to authenticate the "example" DS RRset.  Note that the
-   resolver may have to query the root zone to obtain the root DNSKEY
-   RRset or "example" DS RRset.
-
-   Once the DS RRset has been authenticated using the root DNSKEY, the
-   resolver checks the "example" DNSKEY RRset for some "example" DNSKEY
-   RR that matches one of the authenticated "example" DS RRs.  If such a
-   matching "example" DNSKEY is found, the resolver checks whether this
-   DNSKEY RR has signed the "example" DNSKEY RRset and the signature
-   lifetime is valid.  If these conditions are met, all keys in the
-   "example" DNSKEY RRset are considered authenticated.
-
-   Finally, the resolver checks that some DNSKEY RR in the "example"
-   DNSKEY RRset uses algorithm 5 and has a key tag of 38519.  This
-   DNSKEY is used to authenticate the RRSIG included in the response.
-   If multiple "example" DNSKEY RRs match this algorithm and key tag,
-   then each DNSKEY RR is tried, and the answer is authenticated if any
-   of the matching DNSKEY RRs validate the signature as described above.
-
-C.2.  Name Error
-
-   The query in Appendix B.2 returned NSEC RRs that prove that the
-   requested data does not exist and no wildcard applies.  The negative
-   reply is authenticated by verifying both NSEC RRs.  The NSEC RRs are
-   authenticated in a manner identical to that of the MX RRset discussed
-   above.
-
-C.3.  No Data Error
-
-   The query in Appendix B.3 returned an NSEC RR that proves that the
-   requested name exists, but the requested RR type does not exist.  The
-   negative reply is authenticated by verifying the NSEC RR.  The NSEC
-   RR is authenticated in a manner identical to that of the MX RRset
-   discussed above.
-
-C.4.  Referral to Signed Zone
-
-   The query in Appendix B.4 returned a referral to the signed
-   "a.example." zone.  The DS RR is authenticated in a manner identical
-   to that of the MX RRset discussed above.  This DS RR is used to
-   authenticate the "a.example" DNSKEY RRset.
-
-   Once the "a.example" DS RRset has been authenticated using the
-   "example" DNSKEY, the resolver checks the "a.example" DNSKEY RRset
-   for some "a.example" DNSKEY RR that matches the DS RR.  If such a
-   matching "a.example" DNSKEY is found, the resolver checks whether
-
-
-
-Arends, et al.              Standards Track                    [Page 50]
-
-RFC 4035             DNSSEC Protocol Modifications            March 2005
-
-
-   this DNSKEY RR has signed the "a.example" DNSKEY RRset and whether
-   the signature lifetime is valid.  If all these conditions are met,
-   all keys in the "a.example" DNSKEY RRset are considered
-   authenticated.
-
-C.5.  Referral to Unsigned Zone
-
-   The query in Appendix B.5 returned a referral to an unsigned
-   "b.example." zone.  The NSEC proves that no authentication leads from
-   "example" to "b.example", and the NSEC RR is authenticated in a
-   manner identical to that of the MX RRset discussed above.
-
-C.6.  Wildcard Expansion
-
-   The query in Appendix B.6 returned an answer that was produced as a
-   result of wildcard expansion.  The answer section contains a wildcard
-   RRset expanded as it would be in a traditional DNS response, and the
-   corresponding RRSIG indicates that the expanded wildcard MX RRset was
-   signed by an "example" DNSKEY with algorithm 5 and key tag 38519.
-   The RRSIG indicates that the original TTL of the MX RRset was 3600,
-   and, for the purpose of authentication, the current TTL is replaced
-   by 3600.  The RRSIG labels field value of 2 indicates that the answer
-   is the result of wildcard expansion, as the "a.z.w.example" name
-   contains 4 labels.  The name "a.z.w.w.example" is replaced by
-   "*.w.example", the MX RRset is placed in canonical form, and,
-   assuming that the current time falls between the signature inception
-   and expiration dates, the signature is authenticated.
-
-   The NSEC proves that no closer match (exact or closer wildcard) could
-   have been used to answer this query, and the NSEC RR must also be
-   authenticated before the answer is considered valid.
-
-C.7.  Wildcard No Data Error
-
-   The query in Appendix B.7 returned NSEC RRs that prove that the
-   requested data does not exist and no wildcard applies.  The negative
-   reply is authenticated by verifying both NSEC RRs.
-
-C.8.  DS Child Zone No Data Error
-
-   The query in Appendix B.8 returned NSEC RRs that shows the requested
-   was answered by a child server ("example" server).  The NSEC RR
-   indicates the presence of an SOA RR, showing that the answer is from
-   the child .  Queries for the "example" DS RRset should be sent to the
-   parent servers ("root" servers).
-
-
-
-
-
-
-Arends, et al.              Standards Track                    [Page 51]
-
-RFC 4035             DNSSEC Protocol Modifications            March 2005
-
-
-Authors' Addresses
-
-   Roy Arends
-   Telematica Instituut
-   Brouwerijstraat 1
-   7523 XC  Enschede
-   NL
-
-   EMail: roy.arends@telin.nl
-
-
-   Rob Austein
-   Internet Systems Consortium
-   950 Charter Street
-   Redwood City, CA  94063
-   USA
-
-   EMail: sra@isc.org
-
-
-   Matt Larson
-   VeriSign, Inc.
-   21345 Ridgetop Circle
-   Dulles, VA  20166-6503
-   USA
-
-   EMail: mlarson@verisign.com
-
-
-   Dan Massey
-   Colorado State University
-   Department of Computer Science
-   Fort Collins, CO 80523-1873
-
-   EMail: massey@cs.colostate.edu
-
-
-   Scott Rose
-   National Institute for Standards and Technology
-   100 Bureau Drive
-   Gaithersburg, MD  20899-8920
-   USA
-
-   EMail: scott.rose@nist.gov
-
-
-
-
-
-
-
-Arends, et al.              Standards Track                    [Page 52]
-
-RFC 4035             DNSSEC Protocol Modifications            March 2005
-
-
-Full Copyright Statement
-
-   Copyright (C) The Internet Society (2005).
-
-   This document is subject to the rights, licenses and restrictions
-   contained in BCP 78, and except as set forth therein, the authors
-   retain all their rights.
-
-   This document and the information contained herein are provided on an
-   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
-   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
-   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
-   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
-   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Intellectual Property
-
-   The IETF takes no position regarding the validity or scope of any
-   Intellectual Property Rights or other rights that might be claimed to
-   pertain to the implementation or use of the technology described in
-   this document or the extent to which any license under such rights
-   might or might not be available; nor does it represent that it has
-   made any independent effort to identify any such rights.  Information
-   on the procedures with respect to rights in RFC documents can be
-   found in BCP 78 and BCP 79.
-
-   Copies of IPR disclosures made to the IETF Secretariat and any
-   assurances of licenses to be made available, or the result of an
-   attempt made to obtain a general license or permission for the use of
-   such proprietary rights by implementers or users of this
-   specification can be obtained from the IETF on-line IPR repository at
-   http://www.ietf.org/ipr.
-
-   The IETF invites any interested party to bring to its attention any
-   copyrights, patents or patent applications, or other proprietary
-   rights that may cover technology that may be required to implement
-   this standard.  Please address the information to the IETF at ietf-
-   ipr@ietf.org.
-
-Acknowledgement
-
-   Funding for the RFC Editor function is currently provided by the
-   Internet Society.
-
-
-
-
-
-
-
-Arends, et al.              Standards Track                    [Page 53]
-
diff --git a/doc/rfc/rfc4074.txt b/doc/rfc/rfc4074.txt
deleted file mode 100644
index d9252b39..00000000
--- a/doc/rfc/rfc4074.txt
+++ /dev/null
@@ -1,339 +0,0 @@
-
-
-
-
-
-
-Network Working Group                                       Y. Morishita
-Request for Comments: 4074                                          JPRS
-Category: Informational                                        T. Jinmei
-                                                                 Toshiba
-                                                                May 2005
-
-
-       Common Misbehavior Against DNS Queries for IPv6 Addresses
-
-Status of This Memo
-
-   This memo provides information for the Internet community.  It does
-   not specify an Internet standard of any kind.  Distribution of this
-   memo is unlimited.
-
-Copyright Notice
-
-   Copyright (C) The Internet Society (2005).
-
-Abstract
-
-   There is some known misbehavior of DNS authoritative servers when
-   they are queried for AAAA resource records.  Such behavior can block
-   IPv4 communication that should actually be available, cause a
-   significant delay in name resolution, or even make a denial of
-   service attack.  This memo describes details of known cases and
-   discusses their effects.
-
-1.  Introduction
-
-   Many existing DNS clients (resolvers) that support IPv6 first search
-   for AAAA Resource Records (RRs) of a target host name, and then for A
-   RRs of the same name.  This fallback mechanism is based on the DNS
-   specifications, which if not obeyed by authoritative servers, can
-   produce unpleasant results.  In some cases, for example, a web
-   browser fails to connect to a web server it could otherwise reach.
-   In the following sections, this memo describes some typical cases of
-   such misbehavior and its (bad) effects.
-
-   Note that the misbehavior is not specific to AAAA RRs.  In fact, all
-   known examples also apply to the cases of queries for MX, NS, and SOA
-   RRs.  The authors believe this can be generalized for all types of
-   queries other than those for A RRs.  In this memo, however, we
-   concentrate on the case for AAAA queries, since the problem is
-   particularly severe for resolvers that support IPv6, which thus
-   affects many end users.  Resolvers at end users normally send A
-   and/or AAAA queries only, so the problem for the other cases is
-   relatively minor.
-
-
-
-Morishita & Jinmei           Informational                      [Page 1]
-
-RFC 4074         Common Misbehavior Against DNS Queries         May 2005
-
-
-2.  Network Model
-
-   In this memo, we assume a typical network model of name resolution
-   environment using DNS.  It consists of three components: stub
-   resolvers, caching servers, and authoritative servers.  A stub
-   resolver issues a recursive query to a caching server, which then
-   handles the entire name resolution procedure recursively.  The
-   caching server caches the result of the query and sends the result to
-   the stub resolver.  The authoritative servers respond to queries for
-   names for which they have the authority, normally in a non-recursive
-   manner.
-
-3.  Expected Behavior
-
-   Suppose that an authoritative server has an A RR but has no AAAA RR
-   for a host name.  Then, the server should return a response to a
-   query for an AAAA RR of the name with the response code (RCODE) being
-   0 (indicating no error) and with an empty answer section (see
-   Sections 4.3.2 and 6.2.4 of [1]).  Such a response indicates that
-   there is at least one RR of a different type than AAAA for the
-   queried name, and the stub resolver can then look for A RRs.
-
-   This way, the caching server can cache the fact that the queried name
-   has no AAAA RR (but may have other types of RRs), and thus improve
-   the response time to further queries for an AAAA RR of the name.
-
-4.  Problematic Behaviors
-
-   There are some known cases at authoritative servers that do not
-   conform to the expected behavior.  This section describes those
-   problematic cases.
-
-4.1.  Ignore Queries for AAAA
-
-   Some authoritative servers seem to ignore queries for an AAAA RR,
-   causing a delay at the stub resolver to fall back to a query for an A
-   RR.  This behavior may cause a fatal timeout at the resolver or at
-   the application that calls the resolver.  Even if the resolver
-   eventually falls back, the result can be an unacceptable delay for
-   the application user, especially with interactive applications like
-   web browsing.
-
-4.2.  Return "Name Error"
-
-   This type of server returns a response with RCODE 3 ("Name Error") to
-   a query for an AAAA RR, indicating that it does not have any RRs of
-   any type for the queried name.
-
-
-
-
-Morishita & Jinmei           Informational                      [Page 2]
-
-RFC 4074         Common Misbehavior Against DNS Queries         May 2005
-
-
-   With this response, the stub resolver may immediately give up and
-   never fall back.  Even if the resolver retries with a query for an A
-   RR, the negative response for the name has been cached in the caching
-   server, and the caching server will simply return the negative
-   response.  As a result, the stub resolver considers this to be a
-   fatal error in name resolution.
-
-   Several examples of this behavior are known to the authors.  As of
-   this writing, all have been fixed.
-
-4.3.  Return Other Erroneous Codes
-
-   Other authoritative servers return a response with erroneous response
-   codes other than RCODE 3 ("Name Error").  One such RCODE is 4 ("Not
-   Implemented"), indicating that the servers do not support the
-   requested type of query.
-
-   These cases are less harmful than the previous one; if the stub
-   resolver falls back to querying for an A RR, the caching server will
-   process the query correctly and return an appropriate response.
-
-   However, these can still cause a serious effect.  There was an
-   authoritative server implementation that returned RCODE 2 ("Server
-   failure") to queries for AAAA RRs.  One widely deployed mail server
-   implementation with a certain type of resolver library interpreted
-   this result as an indication of retry and did not fall back to
-   queries for A RRs, causing message delivery failure.
-
-   If the caching server receives a response with these response codes,
-   it does not cache the fact that the queried name has no AAAA RR,
-   resulting in redundant queries for AAAA RRs in the future.  The
-   behavior will waste network bandwidth and increase the load of the
-   authoritative server.
-
-   Using RCODE 1 ("Format error") would cause a similar effect, though
-   the authors have not seen such implementations yet.
-
-4.4.  Return a Broken Response
-
-   Another type of authoritative servers returns broken responses to
-   AAAA queries.  Returning a response whose RR type is AAAA with the
-   length of the RDATA being 4 bytes is a known behavior of this
-   category.  The 4-byte data looks like the IPv4 address of the queried
-   host name.
-
-
-
-
-
-
-
-Morishita & Jinmei           Informational                      [Page 3]
-
-RFC 4074         Common Misbehavior Against DNS Queries         May 2005
-
-
-   That is, the RR in the answer section would be described as follows:
-
-     www.bad.example. 600 IN AAAA 192.0.2.1
-
-   which is, of course, bogus (or at least meaningless).
-
-   A widely deployed caching server implementation transparently returns
-   the broken response (and caches it) to the stub resolver.  Another
-   known server implementation parses the response by itself, and sends
-   a separate response with RCODE 2 ("Server failure").
-
-   In either case, the broken response does not affect queries for an A
-   RR of the same name.  If the stub resolver falls back to A queries,
-   it will get an appropriate response.
-
-   The latter case, however, causes the same bad effect as that
-   described in the previous section: redundant queries for AAAA RRs.
-
-4.5.  Make Lame Delegation
-
-   Some authoritative servers respond to AAAA queries in a way that
-   causes lame delegation.  In this case, the parent zone specifies that
-   the authoritative server should have the authority of a zone, but the
-   server should not return an authoritative response for AAAA queries
-   within the zone (i.e., the AA bit in the response is not set).  On
-   the other hand, the authoritative server returns an authoritative
-   response for A queries.
-
-   When a caching server asks the server for AAAA RRs in the zone, it
-   recognizes the delegation is lame, and returns a response with RCODE
-   2 ("Server failure") to the stub resolver.
-
-   Furthermore, some caching servers record the authoritative server as
-   lame for the zone and will not use it for a certain period of time.
-   With this type of caching server, even if the stub resolver falls
-   back to querying for an A RR, the caching server will simply return a
-   response with RCODE 2, since all the servers are known to be "lame."
-
-   There is also an implementation that relaxes the behavior a little
-   bit.  It tries to avoid using the lame server, but continues to try
-   it as a last resort.  With this type of caching server, the stub
-   resolver will get a correct response if it falls back after Server
-   failure.  However, this still causes redundant AAAA queries, as
-   explained in the previous sections.
-
-
-
-
-
-
-
-Morishita & Jinmei           Informational                      [Page 4]
-
-RFC 4074         Common Misbehavior Against DNS Queries         May 2005
-
-
-5.  Security Considerations
-
-   The CERT/CC pointed out that the response with RCODE 3 ("Name
-   Error"), described in Section 4.2, can be used for a denial of
-   service attack [2].  The same argument applies to the case of "lame
-   delegation", described in Section 4.5, with a certain type of caching
-   server.
-
-6.  Acknowledgements
-
-   Erik Nordmark encouraged the authors to publish this document as an
-   RFC.  Akira Kato and Paul Vixie reviewed a preliminary version of
-   this document.  Pekka Savola carefully reviewed a previous version
-   and provided detailed comments.  Bill Fenner, Scott Hollenbeck,
-   Thomas Narten, and Alex Zinin reviewed and helped improve the
-   document at the last stage for publication.
-
-7.  Informative References
-
-   [1]  Mockapetris, P., "Domain names - concepts and facilities", STD
-        13, RFC 1034, November 1987.
-
-   [2]  The CERT Coordination Center, "Incorrect NXDOMAIN responses from
-        AAAA queries could cause denial-of-service conditions",
-        March 2003, <http://www.kb.cert.org/vuls/id/714121>.
-
-Authors' Addresses
-
-   MORISHITA Orange Yasuhiro
-   Research and Development Department, Japan Registry Services Co.,Ltd.
-   Chiyoda First Bldg. East 13F, 3-8-1 Nishi-Kanda
-   Chiyoda-ku, Tokyo  101-0065
-   Japan
-
-   EMail: yasuhiro@jprs.co.jp
-
-
-   JINMEI Tatuya
-   Corporate Research & Development Center, Toshiba Corporation
-   1 Komukai Toshiba-cho, Saiwai-ku
-   Kawasaki-shi, Kanagawa  212-8582
-   Japan
-
-   EMail: jinmei@isl.rdc.toshiba.co.jp
-
-
-
-
-
-
-
-Morishita & Jinmei           Informational                      [Page 5]
-
-RFC 4074         Common Misbehavior Against DNS Queries         May 2005
-
-
-Full Copyright Statement
-
-   Copyright (C) The Internet Society (2005).
-
-   This document is subject to the rights, licenses and restrictions
-   contained in BCP 78, and except as set forth therein, the authors
-   retain all their rights.
-
-   This document and the information contained herein are provided on an
-   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
-   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
-   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
-   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
-   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Intellectual Property
-
-   The IETF takes no position regarding the validity or scope of any
-   Intellectual Property Rights or other rights that might be claimed to
-   pertain to the implementation or use of the technology described in
-   this document or the extent to which any license under such rights
-   might or might not be available; nor does it represent that it has
-   made any independent effort to identify any such rights.  Information
-   on the procedures with respect to rights in RFC documents can be
-   found in BCP 78 and BCP 79.
-
-   Copies of IPR disclosures made to the IETF Secretariat and any
-   assurances of licenses to be made available, or the result of an
-   attempt made to obtain a general license or permission for the use of
-   such proprietary rights by implementers or users of this
-   specification can be obtained from the IETF on-line IPR repository at
-   http://www.ietf.org/ipr.
-
-   The IETF invites any interested party to bring to its attention any
-   copyrights, patents or patent applications, or other proprietary
-   rights that may cover technology that may be required to implement
-   this standard.  Please address the information to the IETF at ietf-
-   ipr@ietf.org.
-
-Acknowledgement
-
-   Funding for the RFC Editor function is currently provided by the
-   Internet Society.
-
-
-
-
-
-
-
-Morishita & Jinmei           Informational                      [Page 6]
-
diff --git a/doc/rfc/rfc4159.txt b/doc/rfc/rfc4159.txt
deleted file mode 100644
index 1ab4bd1a..00000000
--- a/doc/rfc/rfc4159.txt
+++ /dev/null
@@ -1,171 +0,0 @@
-
-
-
-
-
-
-Network Working Group                                          G. Huston
-Request for Comments: 4159                                         APNIC
-BCP: 109                                                     August 2005
-Category: Best Current Practice
-
-
-                        Deprecation of "ip6.int"
-
-Status of This Memo
-
-   This document specifies an Internet Best Current Practices for the
-   Internet Community, and requests discussion and suggestions for
-   improvements.  Distribution of this memo is unlimited.
-
-Copyright Notice
-
-   Copyright (C) The Internet Society (2005).
-
-Abstract
-
-   This document advises of the deprecation of the use of "ip6.int" for
-   Standards Conformant IPv6 implementations.
-
-1.  IPv6 Standards Action
-
-   In August 2001 the IETF published [RFC3152], which advised that the
-   use of "ip6.int" as the domain for reverse-mapping of IPv6 addresses
-   to DNS names was deprecated.  The document noted that the use of
-   "ip6.int" would be phased out in an orderly fashion.
-
-   As of 1 September 2005, the IETF advises the community that the DNS
-   domain "ip6.int" should no longer be used to perform reverse mapping
-   of IPv6 addresses to domain names, and that the domain "ip6.arpa"
-   should be used henceforth, in accordance with the IANA Considerations
-   described in [RFC3596].  The domain "ip6.int" is deprecated, and its
-   use in IPv6 implementations that conform to the IPv6 Internet
-   Standards is discontinued.
-
-   The Regional Internet Registries (RIRs) are advised that maintenance
-   of delegation of entries in "ip6.int" is no longer required as part
-   of infrastructure services in support of Internet Standards
-   Conformant IPv6 implementations as of 1 September 2005.  The RIRs are
-   requested to work with their communities to adopt a schedule
-   regarding the cessation of support of registration services for the
-   "ip6.int" domain.
-
-
-
-
-
-
-Huston                   Best Current Practice                  [Page 1]
-
-RFC 4159                        ip6.int                      August 2005
-
-
-2.  IANA Considerations
-
-   IANA is advised that the "ip6.int" domain for reverse mapping of IPv6
-   addresses to domain names is no longer part of Internet Standards
-   Conformant support of IPv6 as of 1 September 2005.
-
-3.  Security Considerations
-
-   While DNS spoofing of address to name mapping has been exploited in
-   IPv4, removal of the "ip6.int" zone from the standard IPv6
-   specification creates no new threats to the security of the internet.
-
-4.  Acknowledgements
-
-   The document was prepared with the assistance of Kurt Lindqvist,
-   Thomas Narten, Paul Wilson, David Kessens, Bob Hinden, Brian
-   Haberman, and Bill Manning.
-
-5.  Normative References
-
-   [RFC3152] Bush, R., "Delegation of IP6.ARPA", BCP 49, RFC 3152,
-             August 2001.
-
-   [RFC3596] Thomson, S., Huitema, C., Ksinant, V., and M. Souissi, "DNS
-             Extensions to Support IP Version 6", RFC 3596, October
-             2003.
-
-Author's Address
-
-   Geoff Huston
-   APNIC
-
-   EMail: gih@apnic.net
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Huston                   Best Current Practice                  [Page 2]
-
-RFC 4159                        ip6.int                      August 2005
-
-
-Full Copyright Statement
-
-   Copyright (C) The Internet Society (2005).
-
-   This document is subject to the rights, licenses and restrictions
-   contained in BCP 78, and except as set forth therein, the authors
-   retain all their rights.
-
-   This document and the information contained herein are provided on an
-   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
-   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
-   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
-   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
-   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Intellectual Property
-
-   The IETF takes no position regarding the validity or scope of any
-   Intellectual Property Rights or other rights that might be claimed to
-   pertain to the implementation or use of the technology described in
-   this document or the extent to which any license under such rights
-   might or might not be available; nor does it represent that it has
-   made any independent effort to identify any such rights.  Information
-   on the procedures with respect to rights in RFC documents can be
-   found in BCP 78 and BCP 79.
-
-   Copies of IPR disclosures made to the IETF Secretariat and any
-   assurances of licenses to be made available, or the result of an
-   attempt made to obtain a general license or permission for the use of
-   such proprietary rights by implementers or users of this
-   specification can be obtained from the IETF on-line IPR repository at
-   http://www.ietf.org/ipr.
-
-   The IETF invites any interested party to bring to its attention any
-   copyrights, patents or patent applications, or other proprietary
-   rights that may cover technology that may be required to implement
-   this standard.  Please address the information to the IETF at ietf-
-   ipr@ietf.org.
-
-Acknowledgement
-
-   Funding for the RFC Editor function is currently provided by the
-   Internet Society.
-
-
-
-
-
-
-
-Huston                   Best Current Practice                  [Page 3]
-
diff --git a/doc/rfc/rfc4193.txt b/doc/rfc/rfc4193.txt
deleted file mode 100644
index 17e2c0b4..00000000
--- a/doc/rfc/rfc4193.txt
+++ /dev/null
@@ -1,899 +0,0 @@
-
-
-
-
-
-
-Network Working Group                                          R. Hinden
-Request for Comments: 4193                                         Nokia
-Category: Standards Track                                    B. Haberman
-                                                                 JHU-APL
-                                                            October 2005
-
-
-                  Unique Local IPv6 Unicast Addresses
-
-Status of This Memo
-
-   This document specifies an Internet standards track protocol for the
-   Internet community, and requests discussion and suggestions for
-   improvements.  Please refer to the current edition of the "Internet
-   Official Protocol Standards" (STD 1) for the standardization state
-   and status of this protocol.  Distribution of this memo is unlimited.
-
-Copyright Notice
-
-   Copyright (C) The Internet Society (2005).
-
-Abstract
-
-   This document defines an IPv6 unicast address format that is globally
-   unique and is intended for local communications, usually inside of a
-   site.  These addresses are not expected to be routable on the global
-   Internet.
-
-Table of Contents
-
-   1. Introduction ....................................................2
-   2. Acknowledgements ................................................3
-   3. Local IPv6 Unicast Addresses ....................................3
-      3.1. Format .....................................................3
-           3.1.1. Background ..........................................4
-      3.2. Global ID ..................................................4
-           3.2.1. Locally Assigned Global IDs .........................5
-           3.2.2. Sample Code for Pseudo-Random Global ID Algorithm ...5
-           3.2.3. Analysis of the Uniqueness of Global IDs ............6
-      3.3. Scope Definition ...........................................6
-   4. Operational Guidelines ..........................................7
-      4.1. Routing ....................................................7
-      4.2. Renumbering and Site Merging ...............................7
-      4.3. Site Border Router and Firewall Packet Filtering ...........8
-      4.4. DNS Issues .................................................8
-      4.5. Application and Higher Level Protocol Issues ...............9
-      4.6. Use of Local IPv6 Addresses for Local Communication ........9
-      4.7. Use of Local IPv6 Addresses with VPNs .....................10
-
-
-
-Hinden & Haberman           Standards Track                     [Page 1]
-
-RFC 4193          Unique Local IPv6 Unicast Addresses       October 2005
-
-
-   5. Global Routing Considerations ..................................11
-      5.1. From the Standpoint of the Internet .......................11
-      5.2. From the Standpoint of a Site .............................11
-   6. Advantages and Disadvantages ...................................12
-      6.1. Advantages ................................................12
-      6.2. Disadvantages .............................................13
-   7. Security Considerations ........................................13
-   8. IANA Considerations ............................................13
-   9. References .....................................................13
-      9.1. Normative References ......................................13
-      9.2. Informative References ....................................14
-
-1.  Introduction
-
-   This document defines an IPv6 unicast address format that is globally
-   unique and is intended for local communications [IPV6].  These
-   addresses are called Unique Local IPv6 Unicast Addresses and are
-   abbreviated in this document as Local IPv6 addresses.  They are not
-   expected to be routable on the global Internet.  They are routable
-   inside of a more limited area such as a site.  They may also be
-   routed between a limited set of sites.
-
-   Local IPv6 unicast addresses have the following characteristics:
-
-      - Globally unique prefix (with high probability of uniqueness).
-
-      - Well-known prefix to allow for easy filtering at site
-        boundaries.
-
-      - Allow sites to be combined or privately interconnected without
-        creating any address conflicts or requiring renumbering of
-        interfaces that use these prefixes.
-
-      - Internet Service Provider independent and can be used for
-        communications inside of a site without having any permanent or
-        intermittent Internet connectivity.
-
-      - If accidentally leaked outside of a site via routing or DNS,
-        there is no conflict with any other addresses.
-
-      - In practice, applications may treat these addresses like global
-        scoped addresses.
-
-   This document defines the format of Local IPv6 addresses, how to
-   allocate them, and usage considerations including routing, site
-   border routers, DNS, application support, VPN usage, and guidelines
-   for how to use for local communication inside a site.
-
-
-
-
-Hinden & Haberman           Standards Track                     [Page 2]
-
-RFC 4193          Unique Local IPv6 Unicast Addresses       October 2005
-
-
-   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
-   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
-   document are to be interpreted as described in [RFC2119].
-
-2.  Acknowledgements
-
-   The underlying idea of creating Local IPv6 addresses described in
-   this document has been proposed a number of times by a variety of
-   people.  The authors of this document do not claim exclusive credit.
-   Credit goes to Brian Carpenter, Christian Huitema, Aidan Williams,
-   Andrew White, Charlie Perkins, and many others.  The authors would
-   also like to thank Brian Carpenter, Charlie Perkins, Harald
-   Alvestrand, Keith Moore, Margaret Wasserman, Shannon Behrens, Alan
-   Beard, Hans Kruse, Geoff Huston, Pekka Savola, Christian Huitema, Tim
-   Chown, Steve Bellovin, Alex Zinin, Tony Hain, Bill Fenner, Sam
-   Hartman, and Elwyn Davies for their comments and suggestions on this
-   document.
-
-3.  Local IPv6 Unicast Addresses
-
-3.1.  Format
-
-   The Local IPv6 addresses are created using a pseudo-randomly
-   allocated global ID.  They have the following format:
-
-      | 7 bits |1|  40 bits   |  16 bits  |          64 bits           |
-      +--------+-+------------+-----------+----------------------------+
-      | Prefix |L| Global ID  | Subnet ID |        Interface ID        |
-      +--------+-+------------+-----------+----------------------------+
-
-   Where:
-
-      Prefix            FC00::/7 prefix to identify Local IPv6 unicast
-                        addresses.
-
-      L                 Set to 1 if the prefix is locally assigned.
-                        Set to 0 may be defined in the future.  See
-                        Section 3.2 for additional information.
-
-      Global ID         40-bit global identifier used to create a
-                        globally unique prefix.  See Section 3.2 for
-                        additional information.
-
-      Subnet ID         16-bit Subnet ID is an identifier of a subnet
-                        within the site.
-
-      Interface ID      64-bit Interface ID as defined in [ADDARCH].
-
-
-
-
-Hinden & Haberman           Standards Track                     [Page 3]
-
-RFC 4193          Unique Local IPv6 Unicast Addresses       October 2005
-
-
-3.1.1.  Background
-
-   There were a range of choices available when choosing the size of the
-   prefix and Global ID field length.  There is a direct tradeoff
-   between having a Global ID field large enough to support foreseeable
-   future growth and not using too much of the IPv6 address space
-   needlessly.  A reasonable way of evaluating a specific field length
-   is to compare it to a projected 2050 world population of 9.3 billion
-   [POPUL] and the number of resulting /48 prefixes per person.  A range
-   of prefix choices is shown in the following table:
-
-    Prefix  Global ID     Number of          Prefixes    % of IPv6
-            Length        /48 Prefixes       per Person  Address Space
-
-    /11       37           137,438,953,472     15         0.049%
-    /10       38           274,877,906,944     30         0.098%
-    /9        39           549,755,813,888     59         0.195%
-    /8        40         1,099,511,627,776    118         0.391%
-    /7        41         2,199,023,255,552    236         0.781%
-    /6        42         4,398,046,511,104    473         1.563%
-
-   A very high utilization ratio of these allocations can be assumed
-   because the Global ID field does not require internal structure, and
-   there is no reason to be able to aggregate the prefixes.
-
-   The authors believe that a /7 prefix resulting in a 41-bit Global ID
-   space (including the L bit) is a good choice.  It provides for a
-   large number of assignments (i.e., 2.2 trillion) and at the same time
-   uses less than .8% of the total IPv6 address space.  It is unlikely
-   that this space will be exhausted.  If more than this were to be
-   needed, then additional IPv6 address space could be allocated for
-   this purpose.
-
-3.2.  Global ID
-
-   The allocation of Global IDs is pseudo-random [RANDOM].  They MUST
-   NOT be assigned sequentially or with well-known numbers.  This is to
-   ensure that there is not any relationship between allocations and to
-   help clarify that these prefixes are not intended to be routed
-   globally.  Specifically, these prefixes are not designed to
-   aggregate.
-
-   This document defines a specific local method to allocate Global IDs,
-   indicated by setting the L bit to 1.  Another method, indicated by
-   clearing the L bit, may be defined later.  Apart from the allocation
-   method, all Local IPv6 addresses behave and are treated identically.
-
-
-
-
-
-Hinden & Haberman           Standards Track                     [Page 4]
-
-RFC 4193          Unique Local IPv6 Unicast Addresses       October 2005
-
-
-   The local assignments are self-generated and do not need any central
-   coordination or assignment, but have an extremely high probability of
-   being unique.
-
-3.2.1.  Locally Assigned Global IDs
-
-   Locally assigned Global IDs MUST be generated with a pseudo-random
-   algorithm consistent with [RANDOM].  Section 3.2.2 describes a
-   suggested algorithm.  It is important that all sites generating
-   Global IDs use a functionally similar algorithm to ensure there is a
-   high probability of uniqueness.
-
-   The use of a pseudo-random algorithm to generate Global IDs in the
-   locally assigned prefix gives an assurance that any network numbered
-   using such a prefix is highly unlikely to have that address space
-   clash with any other network that has another locally assigned prefix
-   allocated to it.  This is a particularly useful property when
-   considering a number of scenarios including networks that merge,
-   overlapping VPN address space, or hosts mobile between such networks.
-
-3.2.2.  Sample Code for Pseudo-Random Global ID Algorithm
-
-   The algorithm described below is intended to be used for locally
-   assigned Global IDs.  In each case the resulting global ID will be
-   used in the appropriate prefix as defined in Section 3.2.
-
-     1) Obtain the current time of day in 64-bit NTP format [NTP].
-
-     2) Obtain an EUI-64 identifier from the system running this
-        algorithm.  If an EUI-64 does not exist, one can be created from
-        a 48-bit MAC address as specified in [ADDARCH].  If an EUI-64
-        cannot be obtained or created, a suitably unique identifier,
-        local to the node, should be used (e.g., system serial number).
-
-     3) Concatenate the time of day with the system-specific identifier
-        in order to create a key.
-
-     4) Compute an SHA-1 digest on the key as specified in [FIPS, SHA1];
-        the resulting value is 160 bits.
-
-     5) Use the least significant 40 bits as the Global ID.
-
-     6) Concatenate FC00::/7, the L bit set to 1, and the 40-bit Global
-        ID to create a Local IPv6 address prefix.
-
-   This algorithm will result in a Global ID that is reasonably unique
-   and can be used to create a locally assigned Local IPv6 address
-   prefix.
-
-
-
-Hinden & Haberman           Standards Track                     [Page 5]
-
-RFC 4193          Unique Local IPv6 Unicast Addresses       October 2005
-
-
-3.2.3.  Analysis of the Uniqueness of Global IDs
-
-   The selection of a pseudo random Global ID is similar to the
-   selection of an SSRC identifier in RTP/RTCP defined in Section 8.1 of
-   [RTP].  This analysis is adapted from that document.
-
-   Since Global IDs are chosen randomly (and independently), it is
-   possible that separate networks have chosen the same Global ID.  For
-   any given network, with one or more random Global IDs, that has
-   inter-connections to other such networks, having a total of N such
-   IDs, the probability that two or more of these IDs will collide can
-   be approximated using the formula:
-
-      P = 1 - exp(-N**2 / 2**(L+1))
-
-   where P is the probability of collision, N is the number of
-   interconnected Global IDs, and L is the length of the Global ID.
-
-   The following table shows the probability of a collision for a range
-   of connections using a 40-bit Global ID field.
-
-      Connections      Probability of Collision
-
-          2                1.81*10^-12
-         10                4.54*10^-11
-        100                4.54*10^-09
-       1000                4.54*10^-07
-      10000                4.54*10^-05
-
-   Based on this analysis, the uniqueness of locally generated Global
-   IDs is adequate for sites planning a small to moderate amount of
-   inter-site communication using locally generated Global IDs.
-
-3.3.  Scope Definition
-
-   By default, the scope of these addresses is global.  That is, they
-   are not limited by ambiguity like the site-local addresses defined in
-   [ADDARCH].  Rather, these prefixes are globally unique, and as such,
-   their applicability is greater than site-local addresses.  Their
-   limitation is in the routability of the prefixes, which is limited to
-   a site and any explicit routing agreements with other sites to
-   propagate them (also see Section 4.1).  Also, unlike site-locals, a
-   site may have more than one of these prefixes and use them at the
-   same time.
-
-
-
-
-
-
-
-Hinden & Haberman           Standards Track                     [Page 6]
-
-RFC 4193          Unique Local IPv6 Unicast Addresses       October 2005
-
-
-4.  Operational Guidelines
-
-   The guidelines in this section do not require any change to the
-   normal routing and forwarding functionality in an IPv6 host or
-   router.  These are configuration and operational usage guidelines.
-
-4.1.  Routing
-
-   Local IPv6 addresses are designed to be routed inside of a site in
-   the same manner as other types of unicast addresses.  They can be
-   carried in any IPv6 routing protocol without any change.
-
-   It is expected that they would share the same Subnet IDs with
-   provider-based global unicast addresses, if they were being used
-   concurrently [GLOBAL].
-
-   The default behavior of exterior routing protocol sessions between
-   administrative routing regions must be to ignore receipt of and not
-   advertise prefixes in the FC00::/7 block.  A network operator may
-   specifically configure prefixes longer than FC00::/7 for inter-site
-   communication.
-
-   If BGP is being used at the site border with an ISP, the default BGP
-   configuration must filter out any Local IPv6 address prefixes, both
-   incoming and outgoing.  It must be set both to keep any Local IPv6
-   address prefixes from being advertised outside of the site as well as
-   to keep these prefixes from being learned from another site.  The
-   exception to this is if there are specific /48 or longer routes
-   created for one or more Local IPv6 prefixes.
-
-   For link-state IGPs, it is suggested that a site utilizing IPv6 local
-   address prefixes be contained within one IGP domain or area.  By
-   containing an IPv6 local address prefix to a single link-state area
-   or domain, the distribution of prefixes can be controlled.
-
-4.2.  Renumbering and Site Merging
-
-   The use of Local IPv6 addresses in a site results in making
-   communication that uses these addresses independent of renumbering a
-   site's provider-based global addresses.
-
-   When merging multiple sites, the addresses created with these
-   prefixes are unlikely to need to be renumbered because all of the
-   addresses have a high probability of being unique.  Routes for each
-   specific prefix would have to be configured to allow routing to work
-   correctly between the formerly separate sites.
-
-
-
-
-
-Hinden & Haberman           Standards Track                     [Page 7]
-
-RFC 4193          Unique Local IPv6 Unicast Addresses       October 2005
-
-
-4.3.  Site Border Router and Firewall Packet Filtering
-
-   While no serious harm will be done if packets with these addresses
-   are sent outside of a site via a default route, it is recommended
-   that routers be configured by default to keep any packets with Local
-   IPv6 addresses from leaking outside of the site and to keep any site
-   prefixes from being advertised outside of their site.
-
-   Site border routers and firewalls should be configured to not forward
-   any packets with Local IPv6 source or destination addresses outside
-   of the site, unless they have been explicitly configured with routing
-   information about specific /48 or longer Local IPv6 prefixes.  This
-   will ensure that packets with Local IPv6 destination addresses will
-   not be forwarded outside of the site via a default route.  The
-   default behavior of these devices should be to install a "reject"
-   route for these prefixes.  Site border routers should respond with
-   the appropriate ICMPv6 Destination Unreachable message to inform the
-   source that the packet was not forwarded. [ICMPV6].  This feedback is
-   important to avoid transport protocol timeouts.
-
-   Routers that maintain peering arrangements between Autonomous Systems
-   throughout the Internet should obey the recommendations for site
-   border routers, unless configured otherwise.
-
-4.4.  DNS Issues
-
-   At the present time, AAAA and PTR records for locally assigned local
-   IPv6 addresses are not recommended to be installed in the global DNS.
-
-   For background on this recommendation, one of the concerns about
-   adding AAAA and PTR records to the global DNS for locally assigned
-   Local IPv6 addresses stems from the lack of complete assurance that
-   the prefixes are unique.  There is a small possibility that the same
-   locally assigned IPv6 Local addresses will be used by two different
-   organizations both claiming to be authoritative with different
-   contents.  In this scenario, it is likely there will be a connection
-   attempt to the closest host with the corresponding locally assigned
-   IPv6 Local address.  This may result in connection timeouts,
-   connection failures indicated by ICMP Destination Unreachable
-   messages, or successful connections to the wrong host.  Due to this
-   concern, adding AAAA records for these addresses to the global DNS is
-   thought to be unwise.
-
-   Reverse (address-to-name) queries for locally assigned IPv6 Local
-   addresses MUST NOT be sent to name servers for the global DNS, due to
-   the load that such queries would create for the authoritative name
-   servers for the ip6.arpa zone.  This form of query load is not
-   specific to locally assigned Local IPv6 addresses; any current form
-
-
-
-Hinden & Haberman           Standards Track                     [Page 8]
-
-RFC 4193          Unique Local IPv6 Unicast Addresses       October 2005
-
-
-   of local addressing creates additional load of this kind, due to
-   reverse queries leaking out of the site.  However, since allowing
-   such queries to escape from the site serves no useful purpose, there
-   is no good reason to make the existing load problems worse.
-
-   The recommended way to avoid sending such queries to nameservers for
-   the global DNS is for recursive name server implementations to act as
-   if they were authoritative for an empty d.f.ip6.arpa zone and return
-   RCODE 3 for any such query.  Implementations that choose this
-   strategy should allow it to be overridden, but returning an RCODE 3
-   response for such queries should be the default, both because this
-   will reduce the query load problem and also because, if the site
-   administrator has not set up the reverse tree corresponding to the
-   locally assigned IPv6 Local addresses in use, returning RCODE 3 is in
-   fact the correct answer.
-
-4.5.  Application and Higher Level Protocol Issues
-
-   Application and other higher level protocols can treat Local IPv6
-   addresses in the same manner as other types of global unicast
-   addresses.  No special handling is required.  This type of address
-   may not be reachable, but that is no different from other types of
-   IPv6 global unicast address.  Applications need to be able to handle
-   multiple addresses that may or may not be reachable at any point in
-   time.  In most cases, this complexity should be hidden in APIs.
-
-   From a host's perspective, the difference between Local IPv6 and
-   other types of global unicast addresses shows up as different
-   reachability and could be handled by default in that way.  In some
-   cases, it is better for nodes and applications to treat them
-   differently from global unicast addresses.  A starting point might be
-   to give them preference over global unicast, but fall back to global
-   unicast if a particular destination is found to be unreachable.  Much
-   of this behavior can be controlled by how they are allocated to nodes
-   and put into the DNS.  However, it is useful if a host can have both
-   types of addresses and use them appropriately.
-
-   Note that the address selection mechanisms of [ADDSEL], and in
-   particular the policy override mechanism replacing default address
-   selection, are expected to be used on a site where Local IPv6
-   addresses are configured.
-
-4.6.  Use of Local IPv6 Addresses for Local Communication
-
-   Local IPv6 addresses, like global scope unicast addresses, are only
-   assigned to nodes if their use has been enabled (via IPv6 address
-   autoconfiguration [ADDAUTO], DHCPv6 [DHCP6], or manually).  They are
-
-
-
-
-Hinden & Haberman           Standards Track                     [Page 9]
-
-RFC 4193          Unique Local IPv6 Unicast Addresses       October 2005
-
-
-   not created automatically in the way that IPv6 link-local addresses
-   are and will not appear or be used unless they are purposely
-   configured.
-
-   In order for hosts to autoconfigure Local IPv6 addresses, routers
-   have to be configured to advertise Local IPv6 /64 prefixes in router
-   advertisements, or a DHCPv6 server must have been configured to
-   assign them.  In order for a node to learn the Local IPv6 address of
-   another node, the Local IPv6 address must have been installed in a
-   naming system (e.g., DNS, proprietary naming system, etc.)  For these
-   reasons, controlling their usage in a site is straightforward.
-
-   To limit the use of Local IPv6 addresses the following guidelines
-   apply:
-
-      - Nodes that are to only be reachable inside of a site:  The local
-        DNS should be configured to only include the Local IPv6
-        addresses of these nodes.  Nodes with only Local IPv6 addresses
-        must not be installed in the global DNS.
-
-      - Nodes that are to be limited to only communicate with other
-        nodes in the site:  These nodes should be set to only
-        autoconfigure Local IPv6 addresses via [ADDAUTO] or to only
-        receive Local IPv6 addresses via [DHCP6].  Note: For the case
-        where both global and Local IPv6 prefixes are being advertised
-        on a subnet, this will require a switch in the devices to only
-        autoconfigure Local IPv6 addresses.
-
-      - Nodes that are to be reachable from inside of the site and from
-        outside of the site:  The DNS should be configured to include
-        the global addresses of these nodes.  The local DNS may be
-        configured to also include the Local IPv6 addresses of these
-        nodes.
-
-      - Nodes that can communicate with other nodes inside of the site
-        and outside of the site: These nodes should autoconfigure global
-        addresses via [ADDAUTO] or receive global address via [DHCP6].
-        They may also obtain Local IPv6 addresses via the same
-        mechanisms.
-
-4.7.  Use of Local IPv6 Addresses with VPNs
-
-   Local IPv6 addresses can be used for inter-site Virtual Private
-   Networks (VPN) if appropriate routes are set up.  Because the
-   addresses are unique, these VPNs will work reliably and without the
-   need for translation.  They have the additional property that they
-   will continue to work if the individual sites are renumbered or
-   merged.
-
-
-
-Hinden & Haberman           Standards Track                    [Page 10]
-
-RFC 4193          Unique Local IPv6 Unicast Addresses       October 2005
-
-
-5.  Global Routing Considerations
-
-   Section 4.1 provides operational guidelines that forbid default
-   routing of local addresses between sites.  Concerns were raised to
-   the IPv6 working group and to the IETF as a whole that sites may
-   attempt to use local addresses as globally routed provider-
-   independent addresses.  This section describes why using local
-   addresses as globally-routed provider-independent addresses is
-   unadvisable.
-
-5.1.  From the Standpoint of the Internet
-
-   There is a mismatch between the structure of IPv6 local addresses and
-   the normal IPv6 wide area routing model.  The /48 prefix of an IPv6
-   local addresses fits nowhere in the normal hierarchy of IPv6 unicast
-   addresses.  Normal IPv6 unicast addresses can be routed
-   hierarchically down to physical subnet (link) level and only have to
-   be flat-routed on the physical subnet.  IPv6 local addresses would
-   have to be flat-routed even over the wide area Internet.
-
-   Thus, packets whose destination address is an IPv6 local address
-   could be routed over the wide area only if the corresponding /48
-   prefix were carried by the wide area routing protocol in use, such as
-   BGP.  This contravenes the operational assumption that long prefixes
-   will be aggregated into many fewer short prefixes, to limit the table
-   size and convergence time of the routing protocol.  If a network uses
-   both normal IPv6 addresses [ADDARCH] and IPv6 local addresses, these
-   types of addresses will certainly not aggregate with each other,
-   since they differ from the most significant bit onwards.  Neither
-   will IPv6 local addresses aggregate with each other, due to their
-   random bit patterns.  This means that there would be a very
-   significant operational penalty for attempting to use IPv6 local
-   address prefixes generically with currently known wide area routing
-   technology.
-
-5.2.  From the Standpoint of a Site
-
-   There are a number of design factors in IPv6 local addresses that
-   reduce the likelihood that IPv6 local addresses will be used as
-   arbitrary global unicast addresses.  These include:
-
-      - The default rules to filter packets and routes make it very
-        difficult to use IPv6 local addresses for arbitrary use across
-        the Internet.  For a site to use them as general purpose unicast
-        addresses, it would have to make sure that the default rules
-        were not being used by all other sites and intermediate ISPs
-        used for their current and future communication.
-
-
-
-
-Hinden & Haberman           Standards Track                    [Page 11]
-
-RFC 4193          Unique Local IPv6 Unicast Addresses       October 2005
-
-
-      - They are not mathematically guaranteed to be unique and are not
-        registered in public databases.  Collisions, while highly
-        unlikely, are possible and a collision can compromise the
-        integrity of the communications.  The lack of public
-        registration creates operational problems.
-
-      - The addresses are allocated randomly.  If a site had multiple
-        prefixes that it wanted to be used globally, the cost of
-        advertising them would be very high because they could not be
-        aggregated.
-
-      - They have a long prefix (i.e., /48) so a single local address
-        prefix doesn't provide enough address space to be used
-        exclusively by the largest organizations.
-
-6.  Advantages and Disadvantages
-
-6.1.  Advantages
-
-   This approach has the following advantages:
-
-      - Provides Local IPv6 prefixes that can be used independently of
-        any provider-based IPv6 unicast address allocations.  This is
-        useful for sites not always connected to the Internet or sites
-        that wish to have a distinct prefix that can be used to localize
-        traffic inside of the site.
-
-      - Applications can treat these addresses in an identical manner as
-        any other type of global IPv6 unicast addresses.
-
-      - Sites can be merged without any renumbering of the Local IPv6
-        addresses.
-
-      - Sites can change their provider-based IPv6 unicast address
-        without disrupting any communication that uses Local IPv6
-        addresses.
-
-      - Well-known prefix that allows for easy filtering at site
-        boundary.
-
-      - Can be used for inter-site VPNs.
-
-      - If accidently leaked outside of a site via routing or DNS, there
-        is no conflict with any other addresses.
-
-
-
-
-
-
-
-Hinden & Haberman           Standards Track                    [Page 12]
-
-RFC 4193          Unique Local IPv6 Unicast Addresses       October 2005
-
-
-6.2.  Disadvantages
-
-   This approach has the following disadvantages:
-
-      - Not possible to route Local IPv6 prefixes on the global Internet
-        with current routing technology.  Consequentially, it is
-        necessary to have the default behavior of site border routers to
-        filter these addresses.
-
-      - There is a very low probability of non-unique locally assigned
-        Global IDs being generated by the algorithm in Section 3.2.3.
-        This risk can be ignored for all practical purposes, but it
-        leads to a theoretical risk of clashing address prefixes.
-
-7.  Security Considerations
-
-   Local IPv6 addresses do not provide any inherent security to the
-   nodes that use them.  They may be used with filters at site
-   boundaries to keep Local IPv6 traffic inside of the site, but this is
-   no more or less secure than filtering any other type of global IPv6
-   unicast addresses.
-
-   Local IPv6 addresses do allow for address-based security mechanisms,
-   including IPsec, across end to end VPN connections.
-
-8.  IANA Considerations
-
-   The IANA has assigned the FC00::/7 prefix to "Unique Local Unicast".
-
-9.  References
-
-9.1.  Normative References
-
-   [ADDARCH]  Hinden, R. and S. Deering, "Internet Protocol Version 6
-             (IPv6) Addressing Architecture", RFC 3513, April 2003.
-
-   [FIPS]    "Federal Information Processing Standards Publication",
-             (FIPS PUB) 180-1, Secure Hash Standard, 17 April 1995.
-
-   [GLOBAL]  Hinden, R., Deering, S., and E. Nordmark, "IPv6 Global
-             Unicast Address Format", RFC 3587, August 2003.
-
-   [ICMPV6]  Conta, A. and S. Deering, "Internet Control Message
-             Protocol (ICMPv6) for the Internet Protocol Version 6
-             (IPv6) Specification", RFC 2463, December 1998.
-
-
-
-
-
-
-Hinden & Haberman           Standards Track                    [Page 13]
-
-RFC 4193          Unique Local IPv6 Unicast Addresses       October 2005
-
-
-   [IPV6]    Deering, S. and R. Hinden, "Internet Protocol, Version 6
-             (IPv6) Specification", RFC 2460, December 1998.
-
-   [NTP]     Mills, D., "Network Time Protocol (Version 3)
-             Specification, Implementation and Analysis", RFC 1305,
-             March 1992.
-
-   [RANDOM]  Eastlake, D., 3rd, Schiller, J., and S. Crocker,
-             "Randomness Requirements for Security", BCP 106, RFC 4086,
-             June 2005.
-
-   [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
-             Requirement Levels", BCP 14, RFC 2119, March 1997.
-
-   [SHA1]    Eastlake 3rd, D. and P. Jones, "US Secure Hash Algorithm 1
-             (SHA1)", RFC 3174, September 2001.
-
-9.2.  Informative References
-
-   [ADDAUTO] Thomson, S. and T. Narten, "IPv6 Stateless Address
-             Autoconfiguration", RFC 2462, December 1998.
-
-   [ADDSEL]  Draves, R., "Default Address Selection for Internet
-             Protocol version 6 (IPv6)", RFC 3484, February 2003.
-
-   [DHCP6]   Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., and
-             M. Carney, "Dynamic Host Configuration Protocol for IPv6
-             (DHCPv6)", RFC 3315, July 2003.
-
-   [POPUL]   Population Reference Bureau, "World Population Data Sheet
-             of the Population Reference Bureau 2002",  August 2002.
-
-   [RTP]     Schulzrinne, H.,  Casner, S., Frederick, R., and V.
-             Jacobson, "RTP: A Transport Protocol for Real-Time
-             Applications", STD 64, RFC 3550, July 2003.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Hinden & Haberman           Standards Track                    [Page 14]
-
-RFC 4193          Unique Local IPv6 Unicast Addresses       October 2005
-
-
-Authors' Addresses
-
-   Robert M. Hinden
-   Nokia
-   313 Fairchild Drive
-   Mountain View, CA 94043
-   USA
-
-   Phone: +1 650 625-2004
-   EMail: bob.hinden@nokia.com
-
-
-   Brian Haberman
-   Johns Hopkins University
-   Applied Physics Lab
-   11100 Johns Hopkins Road
-   Laurel, MD 20723
-   USA
-
-   Phone: +1 443 778 1319
-   EMail: brian@innovationslab.net
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Hinden & Haberman           Standards Track                    [Page 15]
-
-RFC 4193          Unique Local IPv6 Unicast Addresses       October 2005
-
-
-Full Copyright Statement
-
-   Copyright (C) The Internet Society (2005).
-
-   This document is subject to the rights, licenses and restrictions
-   contained in BCP 78, and except as set forth therein, the authors
-   retain all their rights.
-
-   This document and the information contained herein are provided on an
-   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
-   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
-   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
-   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
-   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Intellectual Property
-
-   The IETF takes no position regarding the validity or scope of any
-   Intellectual Property Rights or other rights that might be claimed to
-   pertain to the implementation or use of the technology described in
-   this document or the extent to which any license under such rights
-   might or might not be available; nor does it represent that it has
-   made any independent effort to identify any such rights.  Information
-   on the procedures with respect to rights in RFC documents can be
-   found in BCP 78 and BCP 79.
-
-   Copies of IPR disclosures made to the IETF Secretariat and any
-   assurances of licenses to be made available, or the result of an
-   attempt made to obtain a general license or permission for the use of
-   such proprietary rights by implementers or users of this
-   specification can be obtained from the IETF on-line IPR repository at
-   http://www.ietf.org/ipr.
-
-   The IETF invites any interested party to bring to its attention any
-   copyrights, patents or patent applications, or other proprietary
-   rights that may cover technology that may be required to implement
-   this standard.  Please address the information to the IETF at ietf-
-   ipr@ietf.org.
-
-Acknowledgement
-
-   Funding for the RFC Editor function is currently provided by the
-   Internet Society.
-
-
-
-
-
-
-
-Hinden & Haberman           Standards Track                    [Page 16]
-
diff --git a/doc/rfc/rfc4255.txt b/doc/rfc/rfc4255.txt
deleted file mode 100644
index f350b7af..00000000
--- a/doc/rfc/rfc4255.txt
+++ /dev/null
@@ -1,507 +0,0 @@
-
-
-
-
-
-
-Network Working Group                                        J. Schlyter
-Request for Comments: 4255                                       OpenSSH
-Category: Standards Track                                     W. Griffin
-                                                                  SPARTA
-                                                            January 2006
-
-
-   Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints
-
-Status of This Memo
-
-   This document specifies an Internet standards track protocol for the
-   Internet community, and requests discussion and suggestions for
-   improvements.  Please refer to the current edition of the "Internet
-   Official Protocol Standards" (STD 1) for the standardization state
-   and status of this protocol.  Distribution of this memo is unlimited.
-
-Copyright Notice
-
-   Copyright (C) The Internet Society (2006).
-
-Abstract
-
-   This document describes a method of verifying Secure Shell (SSH) host
-   keys using Domain Name System Security (DNSSEC).  The document
-   defines a new DNS resource record that contains a standard SSH key
-   fingerprint.
-
-Table of Contents
-
-   1. Introduction ....................................................2
-   2. SSH Host Key Verification .......................................2
-      2.1. Method .....................................................2
-      2.2. Implementation Notes .......................................2
-      2.3. Fingerprint Matching .......................................3
-      2.4. Authentication .............................................3
-   3. The SSHFP Resource Record .......................................3
-      3.1. The SSHFP RDATA Format .....................................4
-           3.1.1. Algorithm Number Specification ......................4
-           3.1.2. Fingerprint Type Specification ......................4
-           3.1.3. Fingerprint .........................................5
-      3.2. Presentation Format of the SSHFP RR ........................5
-   4. Security Considerations .........................................5
-   5. IANA Considerations .............................................6
-   6. Normative References ............................................7
-   7. Informational References ........................................7
-   8. Acknowledgements ................................................8
-
-
-
-
-Schlyter & Griffin          Standards Track                     [Page 1]
-
-RFC 4255                DNS and SSH Fingerprints            January 2006
-
-
-1.  Introduction
-
-   The SSH [6] protocol provides secure remote login and other secure
-   network services over an insecure network.  The security of the
-   connection relies on the server authenticating itself to the client
-   as well as the user authenticating itself to the server.
-
-   If a connection is established to a server whose public key is not
-   already known to the client, a fingerprint of the key is presented to
-   the user for verification.  If the user decides that the fingerprint
-   is correct and accepts the key, the key is saved locally and used for
-   verification for all following connections.  While some security-
-   conscious users verify the fingerprint out-of-band before accepting
-   the key, many users blindly accept the presented key.
-
-   The method described here can provide out-of-band verification by
-   looking up a fingerprint of the server public key in the DNS [1][2]
-   and using DNSSEC [5] to verify the lookup.
-
-   In order to distribute the fingerprint using DNS, this document
-   defines a new DNS resource record, "SSHFP", to carry the fingerprint.
-
-   Basic understanding of the DNS system [1][2] and the DNS security
-   extensions [5] is assumed by this document.
-
-   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
-   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
-   document are to be interpreted as described in RFC 2119 [3].
-
-2.  SSH Host Key Verification
-
-2.1.  Method
-
-   Upon connection to an SSH server, the SSH client MAY look up the
-   SSHFP resource record(s) for the host it is connecting to.  If the
-   algorithm and fingerprint of the key received from the SSH server
-   match the algorithm and fingerprint of one of the SSHFP resource
-   record(s) returned from DNS, the client MAY accept the identity of
-   the server.
-
-2.2.  Implementation Notes
-
-   Client implementors SHOULD provide a configurable policy used to
-   select the order of methods used to verify a host key.  This document
-   defines one method: Fingerprint storage in DNS.  Another method
-   defined in the SSH Architecture [6] uses local files to store keys
-   for comparison.  Other methods that could be defined in the future
-   might include storing fingerprints in LDAP or other databases.  A
-
-
-
-Schlyter & Griffin          Standards Track                     [Page 2]
-
-RFC 4255                DNS and SSH Fingerprints            January 2006
-
-
-   configurable policy will allow administrators to determine which
-   methods they want to use and in what order the methods should be
-   prioritized.  This will allow administrators to determine how much
-   trust they want to place in the different methods.
-
-   One specific scenario for having a configurable policy is where
-   clients do not use fully qualified host names to connect to servers.
-   In this scenario, the implementation SHOULD verify the host key
-   against a local database before verifying the key via the fingerprint
-   returned from DNS.  This would help prevent an attacker from
-   injecting a DNS search path into the local resolver and forcing the
-   client to connect to a different host.
-
-2.3.  Fingerprint Matching
-
-   The public key and the SSHFP resource record are matched together by
-   comparing algorithm number and fingerprint.
-
-      The public key algorithm and the SSHFP algorithm number MUST
-      match.
-
-      A message digest of the public key, using the message digest
-      algorithm specified in the SSHFP fingerprint type, MUST match the
-      SSHFP fingerprint.
-
-2.4.  Authentication
-
-   A public key verified using this method MUST NOT be trusted if the
-   SSHFP resource record (RR) used for verification was not
-   authenticated by a trusted SIG RR.
-
-   Clients that do validate the DNSSEC signatures themselves SHOULD use
-   standard DNSSEC validation procedures.
-
-   Clients that do not validate the DNSSEC signatures themselves MUST
-   use a secure transport (e.g., TSIG [9], SIG(0) [10], or IPsec [8])
-   between themselves and the entity performing the signature
-   validation.
-
-3.  The SSHFP Resource Record
-
-   The SSHFP resource record (RR) is used to store a fingerprint of an
-   SSH public host key that is associated with a Domain Name System
-   (DNS) name.
-
-   The RR type code for the SSHFP RR is 44.
-
-
-
-
-
-Schlyter & Griffin          Standards Track                     [Page 3]
-
-RFC 4255                DNS and SSH Fingerprints            January 2006
-
-
-3.1.  The SSHFP RDATA Format
-
-   The RDATA for a SSHFP RR consists of an algorithm number, fingerprint
-   type and the fingerprint of the public host key.
-
-       1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
-       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-       |   algorithm   |    fp type    |                               /
-       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               /
-       /                                                               /
-       /                          fingerprint                          /
-       /                                                               /
-       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-
-3.1.1.  Algorithm Number Specification
-
-   This algorithm number octet describes the algorithm of the public
-   key.  The following values are assigned:
-
-          Value    Algorithm name
-          -----    --------------
-          0        reserved
-          1        RSA
-          2        DSS
-
-   Reserving other types requires IETF consensus [4].
-
-3.1.2.  Fingerprint Type Specification
-
-   The fingerprint type octet describes the message-digest algorithm
-   used to calculate the fingerprint of the public key.  The following
-   values are assigned:
-
-          Value    Fingerprint type
-          -----    ----------------
-          0        reserved
-          1        SHA-1
-
-   Reserving other types requires IETF consensus [4].
-
-   For interoperability reasons, as few fingerprint types as possible
-   should be reserved.  The only reason to reserve additional types is
-   to increase security.
-
-
-
-
-
-
-
-Schlyter & Griffin          Standards Track                     [Page 4]
-
-RFC 4255                DNS and SSH Fingerprints            January 2006
-
-
-3.1.3.  Fingerprint
-
-   The fingerprint is calculated over the public key blob as described
-   in [7].
-
-   The message-digest algorithm is presumed to produce an opaque octet
-   string output, which is placed as-is in the RDATA fingerprint field.
-
-3.2.  Presentation Format of the SSHFP RR
-
-   The RDATA of the presentation format of the SSHFP resource record
-   consists of two numbers (algorithm and fingerprint type) followed by
-   the fingerprint itself, presented in hex, e.g.:
-
-       host.example.  SSHFP 2 1 123456789abcdef67890123456789abcdef67890
-
-   The use of mnemonics instead of numbers is not allowed.
-
-4.  Security Considerations
-
-   Currently, the amount of trust a user can realistically place in a
-   server key is proportional to the amount of attention paid to
-   verifying that the public key presented actually corresponds to the
-   private key of the server.  If a user accepts a key without verifying
-   the fingerprint with something learned through a secured channel, the
-   connection is vulnerable to a man-in-the-middle attack.
-
-   The overall security of using SSHFP for SSH host key verification is
-   dependent on the security policies of the SSH host administrator and
-   DNS zone administrator (in transferring the fingerprint), detailed
-   aspects of how verification is done in the SSH implementation, and in
-   the client's diligence in accessing the DNS in a secure manner.
-
-   One such aspect is in which order fingerprints are looked up (e.g.,
-   first checking local file and then SSHFP).  We note that, in addition
-   to protecting the first-time transfer of host keys, SSHFP can
-   optionally be used for stronger host key protection.
-
-      If SSHFP is checked first, new SSH host keys may be distributed by
-      replacing the corresponding SSHFP in DNS.
-
-      If SSH host key verification can be configured to require SSHFP,
-      SSH host key revocation can be implemented by removing the
-      corresponding SSHFP from DNS.
-
-
-
-
-
-
-
-Schlyter & Griffin          Standards Track                     [Page 5]
-
-RFC 4255                DNS and SSH Fingerprints            January 2006
-
-
-   As stated in Section 2.2, we recommend that SSH implementors provide
-   a policy mechanism to control the order of methods used for host key
-   verification.  One specific scenario for having a configurable policy
-   is where clients use unqualified host names to connect to servers.
-   In this case, we recommend that SSH implementations check the host
-   key against a local database before verifying the key via the
-   fingerprint returned from DNS.  This would help prevent an attacker
-   from injecting a DNS search path into the local resolver and forcing
-   the client to connect to a different host.
-
-   A different approach to solve the DNS search path issue would be for
-   clients to use a trusted DNS search path, i.e., one not acquired
-   through DHCP or other autoconfiguration mechanisms.  Since there is
-   no way with current DNS lookup APIs to tell whether a search path is
-   from a trusted source, the entire client system would need to be
-   configured with this trusted DNS search path.
-
-   Another dependency is on the implementation of DNSSEC itself.  As
-   stated in Section 2.4, we mandate the use of secure methods for
-   lookup and that SSHFP RRs are authenticated by trusted SIG RRs.  This
-   is especially important if SSHFP is to be used as a basis for host
-   key rollover and/or revocation, as described above.
-
-   Since DNSSEC only protects the integrity of the host key fingerprint
-   after it is signed by the DNS zone administrator, the fingerprint
-   must be transferred securely from the SSH host administrator to the
-   DNS zone administrator.  This could be done manually between the
-   administrators or automatically using secure DNS dynamic update [11]
-   between the SSH server and the nameserver.  We note that this is no
-   different from other key enrollment situations, e.g., a client
-   sending a certificate request to a certificate authority for signing.
-
-5.  IANA Considerations
-
-   IANA has allocated the RR type code 44 for SSHFP from the standard RR
-   type space.
-
-   IANA has opened a new registry for the SSHFP RR type for public key
-   algorithms.  The defined types are:
-
-      0 is reserved
-      1 is RSA
-      2 is DSA
-
-   Adding new reservations requires IETF consensus [4].
-
-
-
-
-
-
-Schlyter & Griffin          Standards Track                     [Page 6]
-
-RFC 4255                DNS and SSH Fingerprints            January 2006
-
-
-   IANA has opened a new registry for the SSHFP RR type for fingerprint
-   types.  The defined types are:
-
-      0 is reserved
-      1 is SHA-1
-
-   Adding new reservations requires IETF consensus [4].
-
-6.  Normative References
-
-   [1]   Mockapetris, P., "Domain names - concepts and facilities", STD
-         13, RFC 1034, November 1987.
-
-   [2]   Mockapetris, P., "Domain names - implementation and
-         specification", STD 13, RFC 1035, November 1987.
-
-   [3]   Bradner, S., "Key words for use in RFCs to Indicate Requirement
-         Levels", BCP 14, RFC 2119, March 1997.
-
-   [4]   Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA
-         Considerations Section in RFCs", BCP 26, RFC 2434, October
-         1998.
-
-   [5]   Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
-         "DNS Security Introduction and Requirements", RFC 4033, March
-         2005.
-
-         Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
-         "Resource Records for the DNS Security Extensions", RFC 4034,
-         March 2005.
-
-         Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
-         "Protocol Modifications for the DNS Security Extensions", RFC
-         4035, March 2005.
-
-   [6]   Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH)
-         Protocol Architecture", RFC 4251, January 2006.
-
-   [7]   Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH)
-         Transport Layer Protocol", RFC 4253, January 2006.
-
-7.  Informational References
-
-   [8]   Thayer, R., Doraswamy, N., and R. Glenn, "IP Security Document
-         Roadmap", RFC 2411, November 1998.
-
-
-
-
-
-
-Schlyter & Griffin          Standards Track                     [Page 7]
-
-RFC 4255                DNS and SSH Fingerprints            January 2006
-
-
-   [9]   Vixie, P., Gudmundsson, O., Eastlake 3rd, D., and B.
-         Wellington, "Secret Key Transaction Authentication for DNS
-         (TSIG)", RFC 2845, May 2000.
-
-   [10]  Eastlake 3rd, D., "DNS Request and Transaction Signatures
-         ( SIG(0)s )", RFC 2931, September 2000.
-
-   [11]  Wellington, B., "Secure Domain Name System (DNS) Dynamic
-         Update", RFC 3007, November 2000.
-
-8.  Acknowledgements
-
-   The authors gratefully acknowledge, in no particular order, the
-   contributions of the following persons:
-
-      Martin Fredriksson
-
-      Olafur Gudmundsson
-
-      Edward Lewis
-
-      Bill Sommerfeld
-
-Authors' Addresses
-
-   Jakob Schlyter
-   OpenSSH
-   812 23rd Avenue SE
-   Calgary, Alberta  T2G 1N8
-   Canada
-
-   EMail: jakob@openssh.com
-   URI:   http://www.openssh.com/
-
-
-   Wesley Griffin
-   SPARTA
-   7075 Samuel Morse Drive
-   Columbia, MD  21046
-   USA
-
-   EMail: wgriffin@sparta.com
-   URI:   http://www.sparta.com/
-
-
-
-
-
-
-
-
-Schlyter & Griffin          Standards Track                     [Page 8]
-
-RFC 4255                DNS and SSH Fingerprints            January 2006
-
-
-Full Copyright Statement
-
-   Copyright (C) The Internet Society (2006).
-
-   This document is subject to the rights, licenses and restrictions
-   contained in BCP 78, and except as set forth therein, the authors
-   retain all their rights.
-
-   This document and the information contained herein are provided on an
-   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
-   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
-   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
-   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
-   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Intellectual Property
-
-   The IETF takes no position regarding the validity or scope of any
-   Intellectual Property Rights or other rights that might be claimed to
-   pertain to the implementation or use of the technology described in
-   this document or the extent to which any license under such rights
-   might or might not be available; nor does it represent that it has
-   made any independent effort to identify any such rights.  Information
-   on the procedures with respect to rights in RFC documents can be
-   found in BCP 78 and BCP 79.
-
-   Copies of IPR disclosures made to the IETF Secretariat and any
-   assurances of licenses to be made available, or the result of an
-   attempt made to obtain a general license or permission for the use of
-   such proprietary rights by implementers or users of this
-   specification can be obtained from the IETF on-line IPR repository at
-   http://www.ietf.org/ipr.
-
-   The IETF invites any interested party to bring to its attention any
-   copyrights, patents or patent applications, or other proprietary
-   rights that may cover technology that may be required to implement
-   this standard.  Please address the information to the IETF at
-   ietf-ipr@ietf.org.
-
-Acknowledgement
-
-   Funding for the RFC Editor function is provided by the IETF
-   Administrative Support Activity (IASA).
-
-
-
-
-
-
-
-Schlyter & Griffin          Standards Track                     [Page 9]
-
diff --git a/doc/rfc/rfc4343.txt b/doc/rfc/rfc4343.txt
deleted file mode 100644
index 621420a4..00000000
--- a/doc/rfc/rfc4343.txt
+++ /dev/null
@@ -1,563 +0,0 @@
-
-
-
-
-
-
-Network Working Group                                    D. Eastlake 3rd
-Request for Comments: 4343                         Motorola Laboratories
-Updates: 1034, 1035, 2181                                   January 2006
-Category: Standards Track
-
-
-       Domain Name System (DNS) Case Insensitivity Clarification
-
-Status of This Memo
-
-   This document specifies an Internet standards track protocol for the
-   Internet community, and requests discussion and suggestions for
-   improvements.  Please refer to the current edition of the "Internet
-   Official Protocol Standards" (STD 1) for the standardization state
-   and status of this protocol.  Distribution of this memo is unlimited.
-
-Copyright Notice
-
-   Copyright (C) The Internet Society (2006).
-
-Abstract
-
-   Domain Name System (DNS) names are "case insensitive".  This document
-   explains exactly what that means and provides a clear specification
-   of the rules.  This clarification updates RFCs 1034, 1035, and 2181.
-
-Table of Contents
-
-   1. Introduction ....................................................2
-   2. Case Insensitivity of DNS Labels ................................2
-      2.1. Escaping Unusual DNS Label Octets ..........................2
-      2.2. Example Labels with Escapes ................................3
-   3. Name Lookup, Label Types, and CLASS .............................3
-      3.1. Original DNS Label Types ...................................4
-      3.2. Extended Label Type Case Insensitivity Considerations ......4
-      3.3. CLASS Case Insensitivity Considerations ....................4
-   4. Case on Input and Output ........................................5
-      4.1. DNS Output Case Preservation ...............................5
-      4.2. DNS Input Case Preservation ................................5
-   5. Internationalized Domain Names ..................................6
-   6. Security Considerations .........................................6
-   7. Acknowledgements ................................................7
-   Normative References................................................7
-   Informative References..............................................8
-
-
-
-
-
-
-
-Eastlake 3rd                Standards Track                     [Page 1]
-
-RFC 4343          DNS Case Insensitivity Clarification      January 2006
-
-
-1.  Introduction
-
-   The Domain Name System (DNS) is the global hierarchical replicated
-   distributed database system for Internet addressing, mail proxy, and
-   other information.  Each node in the DNS tree has a name consisting
-   of zero or more labels [STD13, RFC1591, RFC2606] that are treated in
-   a case insensitive fashion.  This document clarifies the meaning of
-   "case insensitive" for the DNS.  This clarification updates RFCs
-   1034, 1035 [STD13], and [RFC2181].
-
-   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
-   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
-   document are to be interpreted as described in [RFC2119].
-
-2.  Case Insensitivity of DNS Labels
-
-   DNS was specified in the era of [ASCII].  DNS names were expected to
-   look like most host names or Internet email address right halves (the
-   part after the at-sign, "@") or to be numeric, as in the in-addr.arpa
-   part of the DNS name space.  For example,
-
-       foo.example.net.
-       aol.com.
-       www.gnu.ai.mit.edu.
-   or  69.2.0.192.in-addr.arpa.
-
-   Case-varied alternatives to the above [RFC3092] would be DNS names
-   like
-
-       Foo.ExamplE.net.
-       AOL.COM.
-       WWW.gnu.AI.mit.EDU.
-   or  69.2.0.192.in-ADDR.ARPA.
-
-   However, the individual octets of which DNS names consist are not
-   limited to valid ASCII character codes.  They are 8-bit bytes, and
-   all values are allowed.  Many applications, however, interpret them
-   as ASCII characters.
-
-2.1.  Escaping Unusual DNS Label Octets
-
-   In Master Files [STD13] and other human-readable and -writable ASCII
-   contexts, an escape is needed for the byte value for period (0x2E,
-   ".") and all octet values outside of the inclusive range from 0x21
-   ("!") to 0x7E ("~").  That is to say, 0x2E and all octet values in
-   the two inclusive ranges from 0x00 to 0x20 and from 0x7F to 0xFF.
-
-
-
-
-
-Eastlake 3rd                Standards Track                     [Page 2]
-
-RFC 4343          DNS Case Insensitivity Clarification      January 2006
-
-
-   One typographic convention for octets that do not correspond to an
-   ASCII printing graphic is to use a back-slash followed by the value
-   of the octet as an unsigned integer represented by exactly three
-   decimal digits.
-
-   The same convention can be used for printing ASCII characters so that
-   they will be treated as a normal label character.  This includes the
-   back-slash character used in this convention itself, which can be
-   expressed as \092 or \\, and the special label separator period
-   ("."), which can be expressed as and \046 or \.  It is advisable to
-   avoid using a backslash to quote an immediately following non-
-   printing ASCII character code to avoid implementation difficulties.
-
-   A back-slash followed by only one or two decimal digits is undefined.
-   A back-slash followed by four decimal digits produces two octets, the
-   first octet having the value of the first three digits considered as
-   a decimal number, and the second octet being the character code for
-   the fourth decimal digit.
-
-2.2.  Example Labels with Escapes
-
-   The first example below shows embedded spaces and a period (".")
-   within a label.  The second one shows a 5-octet label where the
-   second octet has all bits zero, the third is a backslash, and the
-   fourth octet has all bits one.
-
-         Donald\032E\.\032Eastlake\0323rd.example.
-   and   a\000\\\255z.example.
-
-3.  Name Lookup, Label Types, and CLASS
-
-   According to the original DNS design decision, comparisons on name
-   lookup for DNS queries should be case insensitive [STD13].  That is
-   to say, a lookup string octet with a value in the inclusive range
-   from 0x41 to 0x5A, the uppercase ASCII letters, MUST match the
-   identical value and also match the corresponding value in the
-   inclusive range from 0x61 to 0x7A, the lowercase ASCII letters.  A
-   lookup string octet with a lowercase ASCII letter value MUST
-   similarly match the identical value and also match the corresponding
-   value in the uppercase ASCII letter range.
-
-   (Historical note: The terms "uppercase" and "lowercase" were invented
-   after movable type.  The terms originally referred to the two font
-   trays for storing, in partitioned areas, the different physical type
-   elements.  Before movable type, the nearest equivalent terms were
-   "majuscule" and "minuscule".)
-
-
-
-
-
-Eastlake 3rd                Standards Track                     [Page 3]
-
-RFC 4343          DNS Case Insensitivity Clarification      January 2006
-
-
-   One way to implement this rule would be to subtract 0x20 from all
-   octets in the inclusive range from 0x61 to 0x7A before comparing
-   octets.  Such an operation is commonly known as "case folding", but
-   implementation via case folding is not required.  Note that the DNS
-   case insensitivity does NOT correspond to the case folding specified
-   in [ISO-8859-1] or [ISO-8859-2].  For example, the octets 0xDD (\221)
-   and 0xFD (\253) do NOT match, although in other contexts, where they
-   are interpreted as the upper- and lower-case version of "Y" with an
-   acute accent, they might.
-
-3.1.  Original DNS Label Types
-
-   DNS labels in wire-encoded names have a type associated with them.
-   The original DNS standard [STD13] had only two types: ASCII labels,
-   with a length from zero to 63 octets, and indirect (or compression)
-   labels, which consist of an offset pointer to a name location
-   elsewhere in the wire encoding on a DNS message.  (The ASCII label of
-   length zero is reserved for use as the name of the root node of the
-   name tree.)  ASCII labels follow the ASCII case conventions described
-   herein and, as stated above, can actually contain arbitrary byte
-   values.  Indirect labels are, in effect, replaced by the name to
-   which they point, which is then treated with the case insensitivity
-   rules in this document.
-
-3.2.  Extended Label Type Case Insensitivity Considerations
-
-   DNS was extended by [RFC2671] so that additional label type numbers
-   would be available.  (The only such type defined so far is the BINARY
-   type [RFC2673], which is now Experimental [RFC3363].)
-
-   The ASCII case insensitivity conventions only apply to ASCII labels;
-   that is to say, label type 0x0, whether appearing directly or invoked
-   by indirect labels.
-
-3.3.  CLASS Case Insensitivity Considerations
-
-   As described in [STD13] and [RFC2929], DNS has an additional axis for
-   data location called CLASS.  The only CLASS in global use at this
-   time is the "IN" (Internet) CLASS.
-
-   The handling of DNS label case is not CLASS dependent.  With the
-   original design of DNS, it was intended that a recursive DNS resolver
-   be able to handle new CLASSes that were unknown at the time of its
-   implementation.  This requires uniform handling of label case
-   insensitivity.  Should it become desirable, for example, to allocate
-   a CLASS with "case sensitive ASCII labels", it would be necessary to
-   allocate a new label type for these labels.
-
-
-
-
-Eastlake 3rd                Standards Track                     [Page 4]
-
-RFC 4343          DNS Case Insensitivity Clarification      January 2006
-
-
-4.  Case on Input and Output
-
-   While ASCII label comparisons are case insensitive, [STD13] says case
-   MUST be preserved on output and preserved when convenient on input.
-   However, this means less than it would appear, since the preservation
-   of case on output is NOT required when output is optimized by the use
-   of indirect labels, as explained below.
-
-4.1.  DNS Output Case Preservation
-
-   [STD13] views the DNS namespace as a node tree.  ASCII output is as
-   if a name were marshaled by taking the label on the node whose name
-   is to be output, converting it to a typographically encoded ASCII
-   string, walking up the tree outputting each label encountered, and
-   preceding all labels but the first with a period (".").  Wire output
-   follows the same sequence, but each label is wire encoded, and no
-   periods are inserted.  No "case conversion" or "case folding" is done
-   during such output operations, thus "preserving" case.  However, to
-   optimize output, indirect labels may be used to point to names
-   elsewhere in the DNS answer.  In determining whether the name to be
-   pointed to (for example, the QNAME) is the "same" as the remainder of
-   the name being optimized, the case insensitive comparison specified
-   above is done.  Thus, such optimization may easily destroy the output
-   preservation of case.  This type of optimization is commonly called
-   "name compression".
-
-4.2.  DNS Input Case Preservation
-
-   Originally, DNS data came from an ASCII Master File as defined in
-   [STD13] or a zone transfer.  DNS Dynamic update and incremental zone
-   transfers [RFC1995] have been added as a source of DNS data [RFC2136,
-   RFC3007].  When a node in the DNS name tree is created by any of such
-   inputs, no case conversion is done.  Thus, the case of ASCII labels
-   is preserved if they are for nodes being created.  However, when a
-   name label is input for a node that already exists in DNS data being
-   held, the situation is more complex.  Implementations are free to
-   retain the case first loaded for such a label, to allow new input to
-   override the old case, or even to maintain separate copies preserving
-   the input case.
-
-   For example, if data with owner name "foo.bar.example" [RFC3092] is
-   loaded and then later data with owner name "xyz.BAR.example" is
-   input, the name of the label on the "bar.example" node (i.e., "bar")
-   might or might not be changed to "BAR" in the DNS stored data.  Thus,
-   later retrieval of data stored under "xyz.bar.example" in this case
-   can use "xyz.BAR.example" in all returned data, use "xyz.bar.example"
-   in all returned data, or even, when more than one RR is being
-   returned, use a mixture of these two capitalizations.  This last case
-
-
-
-Eastlake 3rd                Standards Track                     [Page 5]
-
-RFC 4343          DNS Case Insensitivity Clarification      January 2006
-
-
-   is unlikely, as optimization of answer length through indirect labels
-   tends to cause only one copy of the name tail ("bar.example" or
-   "BAR.example") to be used for all returned RRs.  Note that none of
-   this has any effect on the number or completeness of the RR set
-   returned, only on the case of the names in the RR set returned.
-
-   The same considerations apply when inputting multiple data records
-   with owner names differing only in case.  For example, if an "A"
-   record is the first resource record stored under owner name
-   "xyz.BAR.example" and then a second "A" record is stored under
-   "XYZ.BAR.example", the second MAY be stored with the first (lower
-   case initial label) name, the second MAY override the first so that
-   only an uppercase initial label is retained, or both capitalizations
-   MAY be kept in the DNS stored data.  In any case, a retrieval with
-   either capitalization will retrieve all RRs with either
-   capitalization.
-
-   Note that the order of insertion into a server database of the DNS
-   name tree nodes that appear in a Master File is not defined so that
-   the results of inconsistent capitalization in a Master File are
-   unpredictable output capitalization.
-
-5.  Internationalized Domain Names
-
-   A scheme has been adopted for "internationalized domain names" and
-   "internationalized labels" as described in [RFC3490, RFC3454,
-   RFC3491, and RFC3492].  It makes most of [UNICODE] available through
-   a separate application level transformation from internationalized
-   domain name to DNS domain name and from DNS domain name to
-   internationalized domain name.  Any case insensitivity that
-   internationalized domain names and labels have varies depending on
-   the script and is handled entirely as part of the transformation
-   described in [RFC3454] and [RFC3491], which should be seen for
-   further details.  This is not a part of the DNS as standardized in
-   STD 13.
-
-6.  Security Considerations
-
-   The equivalence of certain DNS label types with case differences, as
-   clarified in this document, can lead to security problems.  For
-   example, a user could be confused by believing that two domain names
-   differing only in case were actually different names.
-
-   Furthermore, a domain name may be used in contexts other than the
-   DNS.  It could be used as a case sensitive index into some database
-   or file system.  Or it could be interpreted as binary data by some
-   integrity or authentication code system.  These problems can usually
-   be handled by using a standardized or "canonical" form of the DNS
-
-
-
-Eastlake 3rd                Standards Track                     [Page 6]
-
-RFC 4343          DNS Case Insensitivity Clarification      January 2006
-
-
-   ASCII type labels; that is, always mapping the ASCII letter value
-   octets in ASCII labels to some specific pre-chosen case, either
-   uppercase or lower case.  An example of a canonical form for domain
-   names (and also a canonical ordering for them) appears in Section 6
-   of [RFC4034].  See also [RFC3597].
-
-   Finally, a non-DNS name may be stored into DNS with the false
-   expectation that case will always be preserved.  For example,
-   although this would be quite rare, on a system with case sensitive
-   email address local parts, an attempt to store two Responsible Person
-   (RP) [RFC1183] records that differed only in case would probably
-   produce unexpected results that might have security implications.
-   That is because the entire email address, including the possibly case
-   sensitive local or left-hand part, is encoded into a DNS name in a
-   readable fashion where the case of some letters might be changed on
-   output as described above.
-
-7.  Acknowledgements
-
-   The contributions to this document by Rob Austein, Olafur
-   Gudmundsson, Daniel J. Anderson, Alan Barrett, Marc Blanchet, Dana,
-   Andreas Gustafsson, Andrew Main, Thomas Narten, and Scott Seligman
-   are gratefully acknowledged.
-
-Normative References
-
-   [ASCII]      ANSI, "USA Standard Code for Information Interchange",
-                X3.4, American National Standards Institute: New York,
-                1968.
-
-   [RFC1995]    Ohta, M., "Incremental Zone Transfer in DNS", RFC 1995,
-                August 1996.
-
-   [RFC2119]    Bradner, S., "Key words for use in RFCs to Indicate
-                Requirement Levels", BCP 14, RFC 2119, March 1997.
-
-   [RFC2136]    Vixie, P., Thomson,  S., Rekhter, Y., and J. Bound,
-                "Dynamic Updates in the Domain Name System (DNS
-                UPDATE)", RFC 2136, April 1997.
-
-   [RFC2181]     Elz, R. and R. Bush, "Clarifications to the DNS
-                Specification", RFC 2181, July 1997.
-
-   [RFC3007]    Wellington, B., "Secure Domain Name System (DNS) Dynamic
-                Update", RFC 3007, November 2000.
-
-
-
-
-
-
-Eastlake 3rd                Standards Track                     [Page 7]
-
-RFC 4343          DNS Case Insensitivity Clarification      January 2006
-
-
-   [RFC3597]    Gustafsson, A., "Handling of Unknown DNS Resource Record
-                (RR) Types", RFC 3597, September 2003.
-
-   [RFC4034]    Arends, R., Austein, R., Larson, M., Massey, D., and S.
-                Rose, "Resource Records for the DNS Security
-                Extensions", RFC 4034, March 2005.
-
-   [STD13]      Mockapetris, P., "Domain names - concepts and
-                facilities", STD 13, RFC 1034, November 1987.
-
-                Mockapetris, P., "Domain names - implementation and
-                specification", STD 13, RFC 1035, November 1987.
-
-Informative References
-
-   [ISO-8859-1] International Standards Organization, Standard for
-                Character Encodings, Latin-1.
-
-   [ISO-8859-2] International Standards Organization, Standard for
-                Character Encodings, Latin-2.
-
-   [RFC1183]    Everhart, C., Mamakos, L., Ullmann, R., and P.
-                Mockapetris, "New DNS RR Definitions", RFC 1183, October
-                1990.
-
-   [RFC1591]    Postel, J., "Domain Name System Structure and
-                Delegation", RFC 1591, March 1994.
-
-   [RFC2606]    Eastlake 3rd, D. and A. Panitz, "Reserved Top Level DNS
-                Names", BCP 32, RFC 2606, June 1999.
-
-   [RFC2929]    Eastlake 3rd, D., Brunner-Williams, E., and B. Manning,
-                "Domain Name System (DNS) IANA Considerations", BCP 42,
-                RFC 2929, September 2000.
-
-   [RFC2671]    Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC
-                2671, August 1999.
-
-   [RFC2673]    Crawford, M., "Binary Labels in the Domain Name System",
-                RFC 2673, August 1999.
-
-   [RFC3092]    Eastlake 3rd, D., Manros, C., and E. Raymond, "Etymology
-                of "Foo"", RFC 3092, 1 April 2001.
-
-   [RFC3363]    Bush, R., Durand, A., Fink, B., Gudmundsson, O., and T.
-                Hain, "Representing Internet Protocol version 6 (IPv6)
-                Addresses in the Domain Name System (DNS)", RFC 3363,
-                August 2002.
-
-
-
-Eastlake 3rd                Standards Track                     [Page 8]
-
-RFC 4343          DNS Case Insensitivity Clarification      January 2006
-
-
-   [RFC3454]    Hoffman, P. and M. Blanchet, "Preparation of
-                Internationalized Strings ("stringprep")", RFC 3454,
-                December 2002.
-
-   [RFC3490]    Faltstrom, P., Hoffman, P., and A. Costello,
-                "Internationalizing Domain Names in Applications
-                (IDNA)", RFC 3490, March 2003.
-
-   [RFC3491]    Hoffman, P. and M. Blanchet, "Nameprep: A Stringprep
-                Profile for Internationalized Domain Names (IDN)", RFC
-                3491, March 2003.
-
-   [RFC3492]    Costello, A., "Punycode: A Bootstring encoding of
-                Unicode for Internationalized Domain Names in
-                Applications (IDNA)", RFC 3492, March 2003.
-
-   [UNICODE]    The Unicode Consortium, "The Unicode Standard",
-                <http://www.unicode.org/unicode/standard/standard.html>.
-
-Author's Address
-
-   Donald E. Eastlake 3rd
-   Motorola Laboratories
-   155 Beaver Street
-   Milford, MA 01757 USA
-
-   Phone: +1 508-786-7554 (w)
-   EMail: Donald.Eastlake@motorola.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Eastlake 3rd                Standards Track                     [Page 9]
-
-RFC 4343          DNS Case Insensitivity Clarification      January 2006
-
-
-Full Copyright Statement
-
-   Copyright (C) The Internet Society (2006).
-
-   This document is subject to the rights, licenses and restrictions
-   contained in BCP 78, and except as set forth therein, the authors
-   retain all their rights.
-
-   This document and the information contained herein are provided on an
-   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
-   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
-   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
-   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
-   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Intellectual Property
-
-   The IETF takes no position regarding the validity or scope of any
-   Intellectual Property Rights or other rights that might be claimed to
-   pertain to the implementation or use of the technology described in
-   this document or the extent to which any license under such rights
-   might or might not be available; nor does it represent that it has
-   made any independent effort to identify any such rights.  Information
-   on the procedures with respect to rights in RFC documents can be
-   found in BCP 78 and BCP 79.
-
-   Copies of IPR disclosures made to the IETF Secretariat and any
-   assurances of licenses to be made available, or the result of an
-   attempt made to obtain a general license or permission for the use of
-   such proprietary rights by implementers or users of this
-   specification can be obtained from the IETF on-line IPR repository at
-   http://www.ietf.org/ipr.
-
-   The IETF invites any interested party to bring to its attention any
-   copyrights, patents or patent applications, or other proprietary
-   rights that may cover technology that may be required to implement
-   this standard.  Please address the information to the IETF at
-   ietf-ipr@ietf.org.
-
-Acknowledgement
-
-   Funding for the RFC Editor function is provided by the IETF
-   Administrative Support Activity (IASA).
-
-
-
-
-
-
-
-Eastlake 3rd                Standards Track                    [Page 10]
-
diff --git a/doc/rfc/rfc4367.txt b/doc/rfc/rfc4367.txt
deleted file mode 100644
index f066b646..00000000
--- a/doc/rfc/rfc4367.txt
+++ /dev/null
@@ -1,955 +0,0 @@
-
-
-
-
-
-
-Network Working Group                                  J. Rosenberg, Ed.
-Request for Comments: 4367                                           IAB
-Category: Informational                                    February 2006
-
-
-          What's in a Name: False Assumptions about DNS Names
-
-Status of This Memo
-
-   This memo provides information for the Internet community.  It does
-   not specify an Internet standard of any kind.  Distribution of this
-   memo is unlimited.
-
-Copyright Notice
-
-   Copyright (C) The Internet Society (2006).
-
-Abstract
-
-   The Domain Name System (DNS) provides an essential service on the
-   Internet, mapping structured names to a variety of data, usually IP
-   addresses.  These names appear in email addresses, Uniform Resource
-   Identifiers (URIs), and other application-layer identifiers that are
-   often rendered to human users.  Because of this, there has been a
-   strong demand to acquire names that have significance to people,
-   through equivalence to registered trademarks, company names, types of
-   services, and so on.  There is a danger in this trend; the humans and
-   automata that consume and use such names will associate specific
-   semantics with some names and thereby make assumptions about the
-   services that are, or should be, provided by the hosts associated
-   with the names.  Those assumptions can often be false, resulting in a
-   variety of failure conditions.  This document discusses this problem
-   in more detail and makes recommendations on how it can be avoided.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Rosenberg                    Informational                      [Page 1]
-
-RFC 4367                    Name Assumptions               February 2006
-
-
-Table of Contents
-
-   1. Introduction ....................................................2
-   2. Target Audience .................................................4
-   3. Modeling Usage of the DNS .......................................4
-   4. Possible Assumptions ............................................5
-      4.1. By the User ................................................5
-      4.2. By the Client ..............................................6
-      4.3. By the Server ..............................................7
-   5. Consequences of False Assumptions ...............................8
-   6. Reasons Why the Assumptions Can Be False ........................9
-      6.1. Evolution ..................................................9
-      6.2. Leakage ...................................................10
-      6.3. Sub-Delegation ............................................10
-      6.4. Mobility ..................................................12
-      6.5. Human Error ...............................................12
-   7. Recommendations ................................................12
-   8. A Note on RFC 2219 and RFC 2782 ................................13
-   9. Security Considerations ........................................14
-   10. Acknowledgements ..............................................14
-   11. IAB Members ...................................................14
-   12. Informative References ........................................15
-
-1.  Introduction
-
-   The Domain Name System (DNS) [1] provides an essential service on the
-   Internet, mapping structured names to a variety of different types of
-   data.  Most often it is used to obtain the IP address of a host
-   associated with that name [2] [1] [3].  However, it can be used to
-   obtain other information, and proposals have been made for nearly
-   everything, including geographic information [4].
-
-   Domain names are most often used in identifiers used by application
-   protocols.  The most well known include email addresses and URIs,
-   such as the HTTP URL [5], Real Time Streaming Protocol (RTSP) URL
-   [6], and SIP URI [7].  These identifiers are ubiquitous, appearing on
-   business cards, web pages, street signs, and so on.  Because of this,
-   there has been a strong demand to acquire domain names that have
-   significance to people through equivalence to registered trademarks,
-   company names, types of services, and so on.  Such identifiers serve
-   many business purposes, including extension of brand, advertising,
-   and so on.
-
-   People often make assumptions about the type of service that is or
-   should be provided by a host associated with that name, based on
-   their expectations and understanding of what the name implies.  This,
-   in turn, triggers attempts by organizations to register domain names
-   based on that presumed user expectation.  Examples of this are the
-
-
-
-Rosenberg                    Informational                      [Page 2]
-
-RFC 4367                    Name Assumptions               February 2006
-
-
-   various proposals for a Top-Level Domain (TLD) that could be
-   associated with adult content [8], the requests for creation of TLDs
-   associated with mobile devices and services, and even phishing
-   attacks.
-
-   When these assumptions are codified into the behavior of an
-   automaton, such as an application client or server, as a result of
-   implementor choice, management directive, or domain owner policy, the
-   overall system can fail in various ways.  This document describes a
-   number of typical ways in which these assumptions can be codified,
-   how they can be wrong, the consequences of those mistakes, and the
-   recommended ways in which they can be avoided.
-
-   Section 4 describes some of the possible assumptions that clients,
-   servers, and people can make about a domain name.  In this context,
-   an "assumption" is defined as any behavior that is expected when
-   accessing a service at a domain name, even though the behavior is not
-   explicitly codified in protocol specifications.  Frequently, these
-   assumptions involve ignoring parts of a specification based on an
-   assumption that the client or server is deployed in an environment
-   that is more rigid than the specification allows.  Section 5
-   overviews some of the consequences of these false assumptions.
-   Generally speaking, these consequences can include a variety of
-   different interoperability failures, user experience failures, and
-   system failures.  Section 6 discusses why these assumptions can be
-   false from the very beginning or become false at some point in the
-   future.  Most commonly, they become false because the environment
-   changes in unexpected ways over time, and what was a valid assumption
-   before, no longer is.  Other times, the assumptions prove wrong
-   because they were based on the belief that a specific community of
-   clients and servers was participating, and an element outside of that
-   community began participating.
-
-   Section 7 then provides some recommendations.  These recommendations
-   encapsulate some of the engineering mantras that have been at the
-   root of Internet protocol design for decades.  These include:
-
-      Follow the specifications.
-
-      Use the capability negotiation techniques provided in the
-      protocols.
-
-      Be liberal in what you accept, and conservative in what you send.
-      [18]
-
-   Overall, automata should not change their behavior within a protocol
-   based on the domain name, or some component of the domain name, of
-   the host they are communicating with.
-
-
-
-Rosenberg                    Informational                      [Page 3]
-
-RFC 4367                    Name Assumptions               February 2006
-
-
-2.  Target Audience
-
-   This document has several audiences.  Firstly, it is aimed at
-   implementors who ultimately develop the software that make the false
-   assumptions that are the subject of this document.  The
-   recommendations described here are meant to reinforce the engineering
-   guidelines that are often understood by implementors, but frequently
-   forgotten as deadlines near and pressures mount.
-
-   The document is also aimed at technology managers, who often develop
-   the requirements that lead to these false assumptions.  For them,
-   this document serves as a vehicle for emphasizing the importance of
-   not taking shortcuts in the scope of applicability of a project.
-
-   Finally, this document is aimed at domain name policy makers and
-   administrators.  For them, it points out the perils in establishing
-   domain policies that get codified into the operation of applications
-   running within that domain.
-
-3.  Modeling Usage of the DNS
-
-
-                       +--------+
-                       |        |
-                       |        |
-                       |  DNS   |
-                       |Service |
-                       |        |
-                       +--------+
-                         ^   |
-                         |   |
-                         |   |
-                         |   |
-          /--\           |   |
-         |    |          |   V
-         |    |        +--------+                     +--------+
-          \--/         |        |                     |        |
-            |          |        |                     |        |
-         ---+---       | Client |-------------------->| Server |
-            |          |        |                     |        |
-            |          |        |                     |        |
-           /\          +--------+                     +--------+
-          /  \
-         /    \
-
-         User
-                                 Figure 1
-
-
-
-
-Rosenberg                    Informational                      [Page 4]
-
-RFC 4367                    Name Assumptions               February 2006
-
-
-   Figure 1 shows a simple conceptual model of how the DNS is used by
-   applications.  A user of the application obtains an identifier for
-   particular content or service it wishes to obtain.  This identifier
-   is often a URL or URI that contains a domain name.  The user enters
-   this identifier into its client application (for example, by typing
-   in the URL in a web browser window).  The client is the automaton (a
-   software and/or hardware system) that contacts a server for that
-   application in order to provide service to the user.  To do that, it
-   contacts a DNS server to resolve the domain name in the identifier to
-   an IP address.  It then contacts the server at that IP address.  This
-   simple model applies to application protocols such as HTTP [5], SIP
-   [7], RTSP [6], and SMTP [9].
-
-   >From this model, it is clear that three entities in the system can
-   potentially make false assumptions about the service provided by the
-   server.  The human user may form expectations relating to the content
-   of the service based on a parsing of the host name from which the
-   content originated.  The server might assume that the client
-   connecting to it supports protocols that it does not, can process
-   content that it cannot, or has capabilities that it does not.
-   Similarly, the client might assume that the server supports
-   protocols, content, or capabilities that it does not.  Furthermore,
-   applications can potentially contain a multiplicity of humans,
-   clients, and servers, all of which can independently make these false
-   assumptions.
-
-4.  Possible Assumptions
-
-   For each of the three elements, there are many types of false
-   assumptions that can be made.
-
-4.1.  By the User
-
-   The set of possible assumptions here is nearly boundless.  Users
-   might assume that an HTTP URL that looks like a company name maps to
-   a server run by that company.  They might assume that an email from a
-   email address in the .gov TLD is actually from a government employee.
-   They might assume that the content obtained from a web server within
-   a TLD labeled as containing adult materials (for example, .sex)
-   actually contains adult content [8].  These assumptions are
-   unavoidable, may all be false, and are not the focus of this
-   document.
-
-
-
-
-
-
-
-
-
-Rosenberg                    Informational                      [Page 5]
-
-RFC 4367                    Name Assumptions               February 2006
-
-
-4.2.  By the Client
-
-   Even though the client is an automaton, it can make some of the same
-   assumptions that a human user might make.  For example, many clients
-   assume that any host with a hostname that begins with "www" is a web
-   server, even though this assumption may be false.
-
-   In addition, the client concerns itself with the protocols needed to
-   communicate with the server.  As a result, it might make assumptions
-   about the operation of the protocols for communicating with the
-   server.  These assumptions manifest themselves in an implementation
-   when a standardized protocol negotiation technique defined by the
-   protocol is ignored, and instead, some kind of rule is coded into the
-   software that comes to its own conclusion about what the negotiation
-   would have determined.  The result is often a loss of
-   interoperability, degradation in reliability, and worsening of user
-   experience.
-
-   Authentication Algorithm: Though a protocol might support a
-      multiplicity of authentication techniques, a client might assume
-      that a server always supports one that is only optional according
-      to the protocol.  For example, a SIP client contacting a SIP
-      server in a domain that is apparently used to identify mobile
-      devices (for example, www.example.cellular) might assume that the
-      server supports the optional Authentication and Key Agreement
-      (AKA) digest technique [10], just because of the domain name that
-      was used to access the server.  As another example, a web client
-      might assume that a server with the name https.example.com
-      supports HTTP over Transport Layer Security (TLS) [16].
-
-   Data Formats: Though a protocol might allow a multiplicity of data
-      formats to be sent from the server to the client, the client might
-      assume a specific one, rather than using the content labeling and
-      negotiation capabilities of the underlying protocol.  For example,
-      an RTSP client might assume that all audio content delivered to it
-      from media.example.cellular uses a low-bandwidth codec.  As
-      another example, a mail client might assume that the contents of
-      messages it retrieves from a mail server at mail.example.cellular
-      are always text, instead of checking the MIME headers [11] in the
-      message in order to determine the actual content type.
-
-   Protocol Extensions: A client may attempt an operation on the server
-      that requires the server to support an optional protocol
-      extension.  However, rather than implementing the necessary
-      fallback logic, the client may falsely assume that the extension
-      is supported.  As an example, a SIP client that requires reliable
-      provisional responses to its request (RFC 3262 [17]) might assume
-      that this extension is supported on servers in the domain
-
-
-
-Rosenberg                    Informational                      [Page 6]
-
-RFC 4367                    Name Assumptions               February 2006
-
-
-      sip.example.telecom.  Furthermore, the client would not implement
-      the fallback behavior defined in RFC 3262, since it would assume
-      that all servers it will communicate with are in this domain and
-      that all therefore support this extension.  However, if the
-      assumptions prove wrong, the client is unable to make any phone
-      calls.
-
-   Languages: A client may support facilities for processing text
-      content differently depending on the language of the text.  Rather
-      than determining the language from markers in the message from the
-      server, the client might assume a language based on the domain
-      name.  This assumption can easily be wrong.  For example, a client
-      might assume that any text in a web page retrieved from a server
-      within the .de country code TLD (ccTLD) is in German, and attempt
-      a translation to Finnish.  This would fail dramatically if the
-      text was actually in French.  Unfortunately, this client behavior
-      is sometimes exhibited because the server has not properly labeled
-      the language of the content in the first place, often because the
-      server assumed such a labeling was not needed.  This is an example
-      of how these false assumptions can create vicious cycles.
-
-4.3.  By the Server
-
-   The server, like the client, is an automaton.  Let us consider one
-   servicing a particular domain -- www.company.cellular, for example.
-   It might assume that all clients connecting to this domain support
-   particular capabilities, rather than using the underlying protocol to
-   make this determination.  Some examples include:
-
-   Authentication Algorithm: The server can assume that a client
-      supports a particular, optional, authentication technique, and it
-      therefore does not support the mandatory one.
-
-   Language: The server can serve content in a particular language,
-      based on an assumption that clients accessing the domain speak a
-      particular language, or based on an assumption that clients coming
-      from a particular IP address speak a certain language.
-
-   Data Formats: The server can assume that the client supports a
-      particular set of MIME types and is only capable of sending ones
-      within that set.  When it generates content in a protocol
-      response, it ignores any content negotiation headers that were
-      present in the request.  For example, a web server might ignore
-      the Accept HTTP header field and send a specific image format.
-
-
-
-
-
-
-
-Rosenberg                    Informational                      [Page 7]
-
-RFC 4367                    Name Assumptions               February 2006
-
-
-   Protocol Extensions: The server might assume that the client supports
-      a particular optional protocol extension, and so it does not
-      support the fallback behavior necessary in the case where the
-      client does not.
-
-   Client Characteristics: The server might assume certain things about
-      the physical characteristics of its clients, such as memory
-      footprint, processing power, screen sizes, screen colors, pointing
-      devices, and so on.  Based on these assumptions, it might choose
-      specific behaviors when processing a request.  For example, a web
-      server might always assume that clients connect through cell
-      phones, and therefore return content that lacks images and is
-      tuned for such devices.
-
-5.  Consequences of False Assumptions
-
-   There are numerous negative outcomes that can arise from the various
-   false assumptions that users, servers, and clients can make.  These
-   include:
-
-   Interoperability Failure: In these cases, the client or server
-      assumed some kind of protocol operation, and this assumption was
-      wrong.  The result is that the two are unable to communicate, and
-      the user receives some kind of an error.  This represents a total
-      interoperability failure, manifesting itself as a lack of service
-      to users of the system.  Unfortunately, this kind of failure
-      persists.  Repeated attempts over time by the client to access the
-      service will fail.  Only a change in the server or client software
-      can fix this problem.
-
-   System Failure: In these cases, the client or server misinterpreted a
-      protocol operation, and this misinterpretation was serious enough
-      to uncover a bug in the implementation.  The bug causes a system
-      crash or some kind of outage, either transient or permanent (until
-      user reset).  If this failure occurs in a server, not only will
-      the connecting client lose service, but other clients attempting
-      to connect will not get service.  As an example, if a web server
-      assumes that content passed to it from a client (created, for
-      example, by a digital camera) is of a particular content type, and
-      it always passes image content to a codec for decompression prior
-      to storage, the codec might crash when it unexpectedly receives an
-      image compressed in a different format.  Of course, it might crash
-      even if the Content-Type was correct, but the compressed bitstream
-      was invalid.  False assumptions merely introduce additional
-      failure cases.
-
-
-
-
-
-
-Rosenberg                    Informational                      [Page 8]
-
-RFC 4367                    Name Assumptions               February 2006
-
-
-   Poor User Experience: In these cases, the client and server
-      communicate, but the user receives a diminished user experience.
-      For example, if a client on a PC connects to a web site that
-      provides content for mobile devices, the content may be
-      underwhelming when viewed on the PC.  Or, a client accessing a
-      streaming media service may receive content of very low bitrate,
-      even though the client supported better codecs.  Indeed, if a user
-      wishes to access content from both a cellular device and a PC
-      using a shared address book (that is, an address book shared
-      across multiple devices), the user would need two entries in that
-      address book, and would need to use the right one from the right
-      device.  This is a poor user experience.
-
-   Degraded Security: In these cases, a weaker security mechanism is
-      used than the one that ought to have been used.  As an example, a
-      server in a domain might assume that it is only contacted by
-      clients with a limited set of authentication algorithms, even
-      though the clients have been recently upgraded to support a
-      stronger set.
-
-6.  Reasons Why the Assumptions Can Be False
-
-   Assumptions made by clients and servers about the operation of
-   protocols when contacting a particular domain are brittle, and can be
-   wrong for many reasons.  On the server side, many of the assumptions
-   are based on the notion that a domain name will only be given to, or
-   used by, a restricted set of clients.  If the holder of the domain
-   name assumes something about those clients, and can assume that only
-   those clients use the domain name, then it can configure or program
-   the server to operate specifically for those clients.  Both parts of
-   this assumption can be wrong, as discussed in more detail below.
-
-   On the client side, the notion is similar, being based on the
-   assumption that a server within a particular domain will provide a
-   specific type of service.  Sub-delegation and evolution, both
-   discussed below, can make these assumptions wrong.
-
-6.1.  Evolution
-
-   The Internet and the devices that access it are constantly evolving,
-   often at a rapid pace.  Unfortunately, there is a tendency to build
-   for the here and now, and then worry about the future at a later
-   time.  Many of the assumptions above are predicated on
-   characteristics of today's clients and servers.  Support for specific
-   protocols, authentication techniques, or content are based on today's
-   standards and today's devices.  Even though they may, for the most
-   part, be true, they won't always be.  An excellent example is mobile
-   devices.  A server servicing a domain accessed by mobile devices
-
-
-
-Rosenberg                    Informational                      [Page 9]
-
-RFC 4367                    Name Assumptions               February 2006
-
-
-   might try to make assumptions about the protocols, protocol
-   extensions, security mechanisms, screen sizes, or processor power of
-   such devices.  However, all of these characteristics can and will
-   change over time.
-
-   When they do change, the change is usually evolutionary.  The result
-   is that the assumptions remain valid in some cases, but not in
-   others.  It is difficult to fix such systems, since it requires the
-   server to detect what type of client is connecting, and what its
-   capabilities are.  Unless the system is built and deployed with these
-   capability negotiation techniques built in to begin with, such
-   detection can be extremely difficult.  In fact, fixing it will often
-   require the addition of such capability negotiation features that, if
-   they had been in place and used to begin with, would have avoided the
-   problem altogether.
-
-6.2.  Leakage
-
-   Servers also make assumptions because of the belief that they will
-   only be accessed by specific clients, and in particular, those that
-   are configured or provisioned to use the domain name.  In essence,
-   there is an assumption of community -- that a specific community
-   knows and uses the domain name, while others outside of the community
-   do not.
-
-   The problem is that this notion of community is a false one.  The
-   Internet is global.  The DNS is global.  There is no technical
-   barrier that separates those inside of the community from those
-   outside.  The ease with which information propagates across the
-   Internet makes it extremely likely that such domain names will
-   eventually find their way into clients outside of the presumed
-   community.  The ubiquitous presence of domain names in various URI
-   formats, coupled with the ease of conveyance of URIs, makes such
-   leakage merely a matter of time.  Furthermore, since the DNS is
-   global, and since it can only have one root [12], it becomes possible
-   for clients outside of the community to search and find and use such
-   "special" domain names.
-
-   Indeed, this leakage is a strength of the Internet architecture, not
-   a weakness.  It enables global access to services from any client
-   with a connection to the Internet.  That, in turn, allows for rapid
-   growth in the number of customers for any particular service.
-
-6.3.  Sub-Delegation
-
-   Clients and users make assumptions about domains because of the
-   notion that there is some kind of centralized control that can
-   enforce those assumptions.  However, the DNS is not centralized; it
-
-
-
-Rosenberg                    Informational                     [Page 10]
-
-RFC 4367                    Name Assumptions               February 2006
-
-
-   is distributed.  If a domain doesn't delegate its sub-domains and has
-   its records within a single zone, it is possible to maintain a
-   centralized policy about operation of its domain.  However, once a
-   domain gets sufficiently large that the domain administrators begin
-   to delegate sub-domains to other authorities, it becomes increasingly
-   difficult to maintain any kind of central control on the nature of
-   the service provided in each sub-domain.
-
-   Similarly, the usage of domain names with human semantic connotation
-   tends to lead to a registration of multiple domains in which a
-   particular service is to run.  As an example, a service provider with
-   the name "example" might register and set up its services in
-   "example.com", "example.net", and generally example.foo for each foo
-   that is a valid TLD.  This, like sub-delegation, results in a growth
-   in the number of domains over which it is difficult to maintain
-   centralized control.
-
-   Not that it is not possible, since there are many examples of
-   successful administration of policies across sub-domains many levels
-   deep.  However, it takes an increasing amount of effort to ensure
-   this result, as it requires human intervention and the creation of
-   process and procedure.  Automated validation of adherence to policies
-   is very difficult to do, as there is no way to automatically verify
-   many policies that might be put into place.
-
-   A less costly process for providing centralized management of
-   policies is to just hope that any centralized policies are being
-   followed, and then wait for complaints or perform random audits.
-   Those approaches have many problems.
-
-   The invalidation of assumptions due to sub-delegation is discussed in
-   further detail in Section 4.1.3 of [8] and in Section 3.3 of [20].
-
-   As a result of the fragility of policy continuity across sub-
-   delegations, if a client or user assumes some kind of property
-   associated with a TLD (such as ".wifi"), it becomes increasingly more
-   likely with the number of sub-domains that this property will not
-   exist in a server identified by a particular name.  For example, in
-   "store.chain.company.provider.wifi", there may be four levels of
-   delegation from ".wifi", making it quite likely that, unless the
-   holder of ".wifi" is working diligently, the properties that the
-   holder of ".wifi" wishes to enforce are not present.  These
-   properties may not be present due to human error or due to a willful
-   decision not to adhere to them.
-
-
-
-
-
-
-
-Rosenberg                    Informational                     [Page 11]
-
-RFC 4367                    Name Assumptions               February 2006
-
-
-6.4.  Mobility
-
-   One of the primary value propositions of a hostname as an identifier
-   is its persistence.  A client can change IP addresses, yet still
-   retain a persistent identifier used by other hosts to reach it.
-   Because their value derives from their persistence, hostnames tend to
-   move with a host not just as it changes IP addresses, but as it
-   changes access network providers and technologies.  For this reason,
-   assumptions made about a host based on the presumed access network
-   corresponding to that hostname tend to be wrong over time.  As an
-   example, a PC might normally be connected to its broadband provider,
-   and through dynamic DNS have a hostname within the domain of that
-   provider.  However, one cannot assume that any host within that
-   network has access over a broadband link; the user could connect
-   their PC over a low-bandwidth wireless access network and still
-   retain its domain name.
-
-6.5.  Human Error
-
-   Of course, human error can be the source of errors in any system, and
-   the same is true here.  There are many examples relevant to the
-   problem under discussion.
-
-   A client implementation may make the assumption that, just because a
-   DNS SRV record exists for a particular protocol in a particular
-   domain, indicating that the service is available on some port, that
-   the service is, in fact, running there.  This assumption could be
-   wrong because the SRV records haven't been updated by the system
-   administrators to reflect the services currently running.  As another
-   example, a client might assume that a particular domain policy
-   applies to all sub-domains.  However, a system administrator might
-   have omitted to apply the policy to servers running in one of those
-   sub-domains.
-
-7.  Recommendations
-
-   Based on these problems, the clear conclusion is that clients,
-   servers, and users should not make assumptions on the nature of the
-   service provided to, or by, a domain.  More specifically, however,
-   the following can be said:
-
-   Follow the specifications: When specifications define mandatory
-      baseline procedures and formats, those should be implemented and
-      supported, even if the expectation is that optional procedures
-      will most often be used.  For example, if a specification mandates
-      a particular baseline authentication technique, but allows others
-      to be negotiated and used, implementations need to implement the
-      baseline authentication algorithm even if the other ones are used
-
-
-
-Rosenberg                    Informational                     [Page 12]
-
-RFC 4367                    Name Assumptions               February 2006
-
-
-      most of the time.  Put more simply, the behavior of the protocol
-      machinery should never change based on the domain name of the
-      host.
-
-   Use capability negotiation: Many protocols are engineered with
-      capability negotiation mechanisms.  For example, a content
-      negotiation framework has been defined for protocols using MIME
-      content [13] [14] [15].  SIP allows for clients to negotiate the
-      media types used in the multimedia session, as well as protocol
-      parameters.  HTTP allows for clients to negotiate the media types
-      returned in requests for content.  When such features are
-      available in a protocol, client and servers should make use of
-      them rather than making assumptions about supported capabilities.
-      A corollary is that protocol designers should include such
-      mechanisms when evolution is expected in the usage of the
-      protocol.
-
-   "Be liberal in what you accept, and conservative in what you send"
-      [18]:  This axiom of Internet protocol design is applicable here
-      as well.  Implementations should be prepared for the full breadth
-      of what a protocol allows another entity to send, rather than be
-      limiting in what it is willing to receive.
-
-   To summarize -- there is never a need to make assumptions.  Rather
-   than doing so, utilize the specifications and the negotiation
-   capabilities they provide, and the overall system will be robust and
-   interoperable.
-
-8.  A Note on RFC 2219 and RFC 2782
-
-   Based on the definition of an assumption given here, the behavior
-   hinted at by records in the DNS also represents an assumption.  RFC
-   2219 [19] defines well-known aliases that can be used to construct
-   domain names for reaching various well-known services in a domain.
-   This approach was later followed by the definition of a new resource
-   record, the SRV record [2], which specifies that a particular service
-   is running on a server in a domain.  Although both of these
-   mechanisms are useful as a hint that a particular service is running
-   in a domain, both of them represent assumptions that may be false.
-   However, they differ in the set of reasons why those assumptions
-   might be false.
-
-   A client that assumes that "ftp.example.com" is an FTP server may be
-   wrong because the presumed naming convention in RFC 2219 was not
-   known by, or not followed by, the owner of domain.com.  With RFC
-   2782, an SRV record for a particular service would be present only by
-   explicit choice of the domain administrator, and thus a client that
-
-
-
-
-Rosenberg                    Informational                     [Page 13]
-
-RFC 4367                    Name Assumptions               February 2006
-
-
-   assumes that the corresponding host provides this service would be
-   wrong only because of human error in configuration.  In this case,
-   the assumption is less likely to be wrong, but it certainly can be.
-
-   The only way to determine with certainty that a service is running on
-   a host is to initiate a connection to the port for that service, and
-   check.  Implementations need to be careful not to codify any
-   behaviors that cause failures should the information provided in the
-   record actually be false.  This borders on common sense for robust
-   implementations, but it is valuable to raise this point explicitly.
-
-9.  Security Considerations
-
-   One of the assumptions that can be made by clients or servers is the
-   availability and usage (or lack thereof) of certain security
-   protocols and algorithms.  For example, a client accessing a service
-   in a particular domain might assume a specific authentication
-   algorithm or hash function in the application protocol.  It is
-   possible that, over time, weaknesses are found in such a technique,
-   requiring usage of a different mechanism.  Similarly, a system might
-   start with an insecure mechanism, and then decide later on to use a
-   secure one.  In either case, assumptions made on security properties
-   can result in interoperability failures, or worse yet, providing
-   service in an insecure way, even though the client asked for, and
-   thought it would get, secure service.  These kinds of assumptions are
-   fundamentally unsound even if the records themselves are secured with
-   DNSSEC.
-
-10.  Acknowledgements
-
-   The IAB would like to thank John Klensin, Keith Moore and Peter Koch
-   for their comments.
-
-11.  IAB Members
-
-   Internet Architecture Board members at the time of writing of this
-   document are:
-
-      Bernard Aboba
-
-      Loa Andersson
-
-      Brian Carpenter
-
-      Leslie Daigle
-
-      Patrik Faltstrom
-
-
-
-
-Rosenberg                    Informational                     [Page 14]
-
-RFC 4367                    Name Assumptions               February 2006
-
-
-      Bob Hinden
-
-      Kurtis Lindqvist
-
-      David Meyer
-
-      Pekka Nikander
-
-      Eric Rescorla
-
-      Pete Resnick
-
-      Jonathan Rosenberg
-
-12.  Informative References
-
-   [1]   Mockapetris, P., "Domain names - concepts and facilities",
-         STD 13, RFC 1034, November 1987.
-
-   [2]   Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for
-         specifying the location of services (DNS SRV)", RFC 2782,
-         February 2000.
-
-   [3]   Mealling, M., "Dynamic Delegation Discovery System (DDDS) Part
-         Three: The Domain Name System (DNS) Database", RFC 3403,
-         October 2002.
-
-   [4]   Davis, C., Vixie, P., Goodwin, T., and I. Dickinson, "A Means
-         for Expressing Location Information in the Domain Name System",
-         RFC 1876, January 1996.
-
-   [5]   Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L.,
-         Leach, P., and T. Berners-Lee, "Hypertext Transfer Protocol --
-         HTTP/1.1", RFC 2616, June 1999.
-
-   [6]   Schulzrinne, H., Rao, A., and R. Lanphier, "Real Time Streaming
-         Protocol (RTSP)", RFC 2326, April 1998.
-
-   [7]   Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A.,
-         Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP:
-         Session Initiation Protocol", RFC 3261, June 2002.
-
-   [8]   Eastlake, D., ".sex Considered Dangerous", RFC 3675,
-         February 2004.
-
-   [9]   Klensin, J., "Simple Mail Transfer Protocol", RFC 2821,
-         April 2001.
-
-
-
-
-Rosenberg                    Informational                     [Page 15]
-
-RFC 4367                    Name Assumptions               February 2006
-
-
-   [10]  Niemi, A., Arkko, J., and V. Torvinen, "Hypertext Transfer
-         Protocol (HTTP) Digest Authentication Using Authentication and
-         Key Agreement (AKA)", RFC 3310, September 2002.
-
-   [11]  Freed, N. and N. Borenstein, "Multipurpose Internet Mail
-         Extensions (MIME) Part One: Format of Internet Message Bodies",
-         RFC 2045, November 1996.
-
-   [12]  Internet Architecture Board, "IAB Technical Comment on the
-         Unique DNS Root", RFC 2826, May 2000.
-
-   [13]  Klyne, G., "Indicating Media Features for MIME Content",
-         RFC 2912, September 2000.
-
-   [14]  Klyne, G., "A Syntax for Describing Media Feature Sets",
-         RFC 2533, March 1999.
-
-   [15]  Klyne, G., "Protocol-independent Content Negotiation
-         Framework", RFC 2703, September 1999.
-
-   [16]  Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.
-
-   [17]  Rosenberg, J. and H. Schulzrinne, "Reliability of Provisional
-         Responses in Session Initiation Protocol (SIP)", RFC 3262,
-         June 2002.
-
-   [18]  Braden, R., "Requirements for Internet Hosts - Communication
-         Layers", STD 3, RFC 1122, October 1989.
-
-   [19]  Hamilton, M. and R. Wright, "Use of DNS Aliases for Network
-         Services", BCP 17, RFC 2219, October 1997.
-
-   [20]  Faltstrom, P., "Design Choices When Expanding DNS", Work in
-         Progress, June 2005.
-
-Author's Address
-
-   Jonathan Rosenberg, Editor
-   IAB
-   600 Lanidex Plaza
-   Parsippany, NJ  07054
-   US
-
-   Phone: +1 973 952-5000
-   EMail: jdrosen@cisco.com
-   URI:   http://www.jdrosen.net
-
-
-
-
-
-Rosenberg                    Informational                     [Page 16]
-
-RFC 4367                    Name Assumptions               February 2006
-
-
-Full Copyright Statement
-
-   Copyright (C) The Internet Society (2006).
-
-   This document is subject to the rights, licenses and restrictions
-   contained in BCP 78, and except as set forth therein, the authors
-   retain all their rights.
-
-   This document and the information contained herein are provided on an
-   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
-   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
-   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
-   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
-   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Intellectual Property
-
-   The IETF takes no position regarding the validity or scope of any
-   Intellectual Property Rights or other rights that might be claimed to
-   pertain to the implementation or use of the technology described in
-   this document or the extent to which any license under such rights
-   might or might not be available; nor does it represent that it has
-   made any independent effort to identify any such rights.  Information
-   on the procedures with respect to rights in RFC documents can be
-   found in BCP 78 and BCP 79.
-
-   Copies of IPR disclosures made to the IETF Secretariat and any
-   assurances of licenses to be made available, or the result of an
-   attempt made to obtain a general license or permission for the use of
-   such proprietary rights by implementers or users of this
-   specification can be obtained from the IETF on-line IPR repository at
-   http://www.ietf.org/ipr.
-
-   The IETF invites any interested party to bring to its attention any
-   copyrights, patents or patent applications, or other proprietary
-   rights that may cover technology that may be required to implement
-   this standard.  Please address the information to the IETF at
-   ietf-ipr@ietf.org.
-
-Acknowledgement
-
-   Funding for the RFC Editor function is provided by the IETF
-   Administrative Support Activity (IASA).
-
-
-
-
-
-
-
-Rosenberg                    Informational                     [Page 17]
-
diff --git a/doc/rfc/rfc4398.txt b/doc/rfc/rfc4398.txt
deleted file mode 100644
index 6437436e..00000000
--- a/doc/rfc/rfc4398.txt
+++ /dev/null
@@ -1,955 +0,0 @@
-
-
-
-
-
-
-Network Working Group                                       S. Josefsson
-Request for Comments: 4398                                    March 2006
-Obsoletes: 2538
-Category: Standards Track
-
-
-          Storing Certificates in the Domain Name System (DNS)
-
-Status of This Memo
-
-   This document specifies an Internet standards track protocol for the
-   Internet community, and requests discussion and suggestions for
-   improvements.  Please refer to the current edition of the "Internet
-   Official Protocol Standards" (STD 1) for the standardization state
-   and status of this protocol.  Distribution of this memo is unlimited.
-
-Copyright Notice
-
-   Copyright (C) The Internet Society (2006).
-
-Abstract
-
-   Cryptographic public keys are frequently published, and their
-   authenticity is demonstrated by certificates.  A CERT resource record
-   (RR) is defined so that such certificates and related certificate
-   revocation lists can be stored in the Domain Name System (DNS).
-
-   This document obsoletes RFC 2538.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Josefsson                   Standards Track                     [Page 1]
-
-RFC 4398            Storing Certificates in the DNS        February 2006
-
-
-Table of Contents
-
-   1. Introduction ....................................................3
-   2. The CERT Resource Record ........................................3
-      2.1. Certificate Type Values ....................................4
-      2.2. Text Representation of CERT RRs ............................6
-      2.3. X.509 OIDs .................................................6
-   3. Appropriate Owner Names for CERT RRs ............................7
-      3.1. Content-Based X.509 CERT RR Names ..........................8
-      3.2. Purpose-Based X.509 CERT RR Names ..........................9
-      3.3. Content-Based OpenPGP CERT RR Names ........................9
-      3.4. Purpose-Based OpenPGP CERT RR Names .......................10
-      3.5. Owner Names for IPKIX, ISPKI, IPGP, and IACPKIX ...........10
-   4. Performance Considerations .....................................11
-   5. Contributors ...................................................11
-   6. Acknowledgements ...............................................11
-   7. Security Considerations ........................................12
-   8. IANA Considerations ............................................12
-   9. Changes since RFC 2538 .........................................13
-   10. References ....................................................14
-      10.1. Normative References .....................................14
-      10.2. Informative References ...................................15
-   Appendix A.  Copying Conditions ...................................16
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Josefsson                   Standards Track                     [Page 2]
-
-RFC 4398            Storing Certificates in the DNS        February 2006
-
-
-1.  Introduction
-
-   Public keys are frequently published in the form of a certificate,
-   and their authenticity is commonly demonstrated by certificates and
-   related certificate revocation lists (CRLs).  A certificate is a
-   binding, through a cryptographic digital signature, of a public key,
-   a validity interval and/or conditions, and identity, authorization,
-   or other information.  A certificate revocation list is a list of
-   certificates that are revoked, and of incidental information, all
-   signed by the signer (issuer) of the revoked certificates.  Examples
-   are X.509 certificates/CRLs in the X.500 directory system or OpenPGP
-   certificates/revocations used by OpenPGP software.
-
-   Section 2 specifies a CERT resource record (RR) for the storage of
-   certificates in the Domain Name System [1] [2].
-
-   Section 3 discusses appropriate owner names for CERT RRs.
-
-   Sections 4, 7, and 8 cover performance, security, and IANA
-   considerations, respectively.
-
-   Section 9 explains the changes in this document compared to RFC 2538.
-
-   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
-   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
-   document are to be interpreted as described in [3].
-
-2.  The CERT Resource Record
-
-   The CERT resource record (RR) has the structure given below.  Its RR
-   type code is 37.
-
-                       1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
-   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   |             type              |             key tag           |
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   |   algorithm   |                                               /
-   +---------------+            certificate or CRL                 /
-   /                                                               /
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
-
-   The type field is the certificate type as defined in Section 2.1
-   below.
-
-   The key tag field is the 16-bit value computed for the key embedded
-   in the certificate, using the RRSIG Key Tag algorithm described in
-   Appendix B of [12].  This field is used as an efficiency measure to
-
-
-
-Josefsson                   Standards Track                     [Page 3]
-
-RFC 4398            Storing Certificates in the DNS        February 2006
-
-
-   pick which CERT RRs may be applicable to a particular key.  The key
-   tag can be calculated for the key in question, and then only CERT RRs
-   with the same key tag need to be examined.  Note that two different
-   keys can have the same key tag.  However, the key MUST be transformed
-   to the format it would have as the public key portion of a DNSKEY RR
-   before the key tag is computed.  This is only possible if the key is
-   applicable to an algorithm and complies to limits (such as key size)
-   defined for DNS security.  If it is not, the algorithm field MUST be
-   zero and the tag field is meaningless and SHOULD be zero.
-
-   The algorithm field has the same meaning as the algorithm field in
-   DNSKEY and RRSIG RRs [12], except that a zero algorithm field
-   indicates that the algorithm is unknown to a secure DNS, which may
-   simply be the result of the algorithm not having been standardized
-   for DNSSEC [11].
-
-2.1.  Certificate Type Values
-
-   The following values are defined or reserved:
-
-         Value  Mnemonic  Certificate Type
-         -----  --------  ----------------
-             0            Reserved
-             1  PKIX      X.509 as per PKIX
-             2  SPKI      SPKI certificate
-             3  PGP       OpenPGP packet
-             4  IPKIX     The URL of an X.509 data object
-             5  ISPKI     The URL of an SPKI certificate
-             6  IPGP      The fingerprint and URL of an OpenPGP packet
-             7  ACPKIX    Attribute Certificate
-             8  IACPKIX   The URL of an Attribute Certificate
-         9-252            Available for IANA assignment
-           253  URI       URI private
-           254  OID       OID private
-           255            Reserved
-     256-65279            Available for IANA assignment
-   65280-65534            Experimental
-         65535            Reserved
-
-   These values represent the initial content of the IANA registry; see
-   Section 8.
-
-   The PKIX type is reserved to indicate an X.509 certificate conforming
-   to the profile defined by the IETF PKIX working group [8].  The
-   certificate section will start with a one-octet unsigned OID length
-   and then an X.500 OID indicating the nature of the remainder of the
-
-
-
-
-
-Josefsson                   Standards Track                     [Page 4]
-
-RFC 4398            Storing Certificates in the DNS        February 2006
-
-
-   certificate section (see Section 2.3, below).  (NOTE: X.509
-   certificates do not include their X.500 directory-type-designating
-   OID as a prefix.)
-
-   The SPKI and ISPKI types are reserved to indicate the SPKI
-   certificate format [15], for use when the SPKI documents are moved
-   from experimental status.  The format for these two CERT RR types
-   will need to be specified later.
-
-   The PGP type indicates an OpenPGP packet as described in [5] and its
-   extensions and successors.  This is used to transfer public key
-   material and revocation signatures.  The data is binary and MUST NOT
-   be encoded into an ASCII armor.  An implementation SHOULD process
-   transferable public keys as described in Section 10.1 of [5], but it
-   MAY handle additional OpenPGP packets.
-
-   The ACPKIX type indicates an Attribute Certificate format [9].
-
-   The IPKIX and IACPKIX types indicate a URL that will serve the
-   content that would have been in the "certificate, CRL, or URL" field
-   of the corresponding type (PKIX or ACPKIX, respectively).
-
-   The IPGP type contains both an OpenPGP fingerprint for the key in
-   question, as well as a URL.  The certificate portion of the IPGP CERT
-   RR is defined as a one-octet fingerprint length, followed by the
-   OpenPGP fingerprint, followed by the URL.  The OpenPGP fingerprint is
-   calculated as defined in RFC 2440 [5].  A zero-length fingerprint or
-   a zero-length URL are legal, and indicate URL-only IPGP data or
-   fingerprint-only IPGP data, respectively.  A zero-length fingerprint
-   and a zero-length URL are meaningless and invalid.
-
-   The IPKIX, ISPKI, IPGP, and IACPKIX types are known as "indirect".
-   These types MUST be used when the content is too large to fit in the
-   CERT RR and MAY be used at the implementer's discretion.  They SHOULD
-   NOT be used where the DNS message is 512 octets or smaller and could
-   thus be expected to fit a UDP packet.
-
-   The URI private type indicates a certificate format defined by an
-   absolute URI.  The certificate portion of the CERT RR MUST begin with
-   a null-terminated URI [10], and the data after the null is the
-   private format certificate itself.  The URI SHOULD be such that a
-   retrieval from it will lead to documentation on the format of the
-   certificate.  Recognition of private certificate types need not be
-   based on URI equality but can use various forms of pattern matching
-   so that, for example, subtype or version information can also be
-   encoded into the URI.
-
-
-
-
-
-Josefsson                   Standards Track                     [Page 5]
-
-RFC 4398            Storing Certificates in the DNS        February 2006
-
-
-   The OID private type indicates a private format certificate specified
-   by an ISO OID prefix.  The certificate section will start with a
-   one-octet unsigned OID length and then a BER-encoded OID indicating
-   the nature of the remainder of the certificate section.  This can be
-   an X.509 certificate format or some other format.  X.509 certificates
-   that conform to the IETF PKIX profile SHOULD be indicated by the PKIX
-   type, not the OID private type.  Recognition of private certificate
-   types need not be based on OID equality but can use various forms of
-   pattern matching such as OID prefix.
-
-2.2.  Text Representation of CERT RRs
-
-   The RDATA portion of a CERT RR has the type field as an unsigned
-   decimal integer or as a mnemonic symbol as listed in Section 2.1,
-   above.
-
-   The key tag field is represented as an unsigned decimal integer.
-
-   The algorithm field is represented as an unsigned decimal integer or
-   a mnemonic symbol as listed in [12].
-
-   The certificate/CRL portion is represented in base 64 [16] and may be
-   divided into any number of white-space-separated substrings, down to
-   single base-64 digits, which are concatenated to obtain the full
-   signature.  These substrings can span lines using the standard
-   parenthesis.
-
-   Note that the certificate/CRL portion may have internal sub-fields,
-   but these do not appear in the master file representation.  For
-   example, with type 254, there will be an OID size, an OID, and then
-   the certificate/CRL proper.  However, only a single logical base-64
-   string will appear in the text representation.
-
-2.3.  X.509 OIDs
-
-   OIDs have been defined in connection with the X.500 directory for
-   user certificates, certification authority certificates, revocations
-   of certification authority, and revocations of user certificates.
-   The following table lists the OIDs, their BER encoding, and their
-   length-prefixed hex format for use in CERT RRs:
-
-
-
-
-
-
-
-
-
-
-
-Josefsson                   Standards Track                     [Page 6]
-
-RFC 4398            Storing Certificates in the DNS        February 2006
-
-
-       id-at-userCertificate
-           = { joint-iso-ccitt(2) ds(5) at(4) 36 }
-              == 0x 03 55 04 24
-       id-at-cACertificate
-           = { joint-iso-ccitt(2) ds(5) at(4) 37 }
-              == 0x 03 55 04 25
-       id-at-authorityRevocationList
-           = { joint-iso-ccitt(2) ds(5) at(4) 38 }
-              == 0x 03 55 04 26
-       id-at-certificateRevocationList
-           = { joint-iso-ccitt(2) ds(5) at(4) 39 }
-              == 0x 03 55 04 27
-
-3.  Appropriate Owner Names for CERT RRs
-
-   It is recommended that certificate CERT RRs be stored under a domain
-   name related to their subject, i.e., the name of the entity intended
-   to control the private key corresponding to the public key being
-   certified.  It is recommended that certificate revocation list CERT
-   RRs be stored under a domain name related to their issuer.
-
-   Following some of the guidelines below may result in DNS names with
-   characters that require DNS quoting as per Section 5.1 of RFC 1035
-   [2].
-
-   The choice of name under which CERT RRs are stored is important to
-   clients that perform CERT queries.  In some situations, the clients
-   may not know all information about the CERT RR object it wishes to
-   retrieve.  For example, a client may not know the subject name of an
-   X.509 certificate, or the email address of the owner of an OpenPGP
-   key.  Further, the client might only know the hostname of a service
-   that uses X.509 certificates or the Key ID of an OpenPGP key.
-
-   Therefore, two owner name guidelines are defined: content-based owner
-   names and purpose-based owner names.  A content-based owner name is
-   derived from the content of the CERT RR data; for example, the
-   Subject field in an X.509 certificate or the User ID field in OpenPGP
-   keys.  A purpose-based owner name is a name that a client retrieving
-   CERT RRs ought to know already; for example, the host name of an
-   X.509 protected service or the Key ID of an OpenPGP key.  The
-   content-based and purpose-based owner name may be the same; for
-   example, when a client looks up a key based on the From: address of
-   an incoming email.
-
-   Implementations SHOULD use the purpose-based owner name guidelines
-   described in this document and MAY use CNAME RRs at content-based
-   owner names (or other names), pointing to the purpose-based owner
-   name.
-
-
-
-Josefsson                   Standards Track                     [Page 7]
-
-RFC 4398            Storing Certificates in the DNS        February 2006
-
-
-   Note that this section describes an application-based mapping from
-   the name space used in a certificate to the name space used by DNS.
-   The DNS does not infer any relationship amongst CERT resource records
-   based on similarities or differences of the DNS owner name(s) of CERT
-   resource records.  For example, if multiple labels are used when
-   mapping from a CERT identifier to a domain name, then care must be
-   taken in understanding wildcard record synthesis.
-
-3.1.  Content-Based X.509 CERT RR Names
-
-   Some X.509 versions, such as the PKIX profile of X.509 [8], permit
-   multiple names to be associated with subjects and issuers under
-   "Subject Alternative Name" and "Issuer Alternative Name".  For
-   example, the PKIX profile has such Alternate Names with an ASN.1
-   specification as follows:
-
-      GeneralName ::= CHOICE {
-           otherName                       [0]     OtherName,
-           rfc822Name                      [1]     IA5String,
-           dNSName                         [2]     IA5String,
-           x400Address                     [3]     ORAddress,
-           directoryName                   [4]     Name,
-           ediPartyName                    [5]     EDIPartyName,
-           uniformResourceIdentifier       [6]     IA5String,
-           iPAddress                       [7]     OCTET STRING,
-           registeredID                    [8]     OBJECT IDENTIFIER }
-
-   The recommended locations of CERT storage are as follows, in priority
-   order:
-
-   1.  If a domain name is included in the identification in the
-       certificate or CRL, that ought to be used.
-   2.  If a domain name is not included but an IP address is included,
-       then the translation of that IP address into the appropriate
-       inverse domain name ought to be used.
-   3.  If neither of the above is used, but a URI containing a domain
-       name is present, that domain name ought to be used.
-   4.  If none of the above is included but a character string name is
-       included, then it ought to be treated as described below for
-       OpenPGP names.
-   5.  If none of the above apply, then the distinguished name (DN)
-       ought to be mapped into a domain name as specified in [4].
-
-   Example 1: An X.509v3 certificate is issued to /CN=John Doe /DC=Doe/
-   DC=com/DC=xy/O=Doe Inc/C=XY/ with Subject Alternative Names of (a)
-   string "John (the Man) Doe", (b) domain name john-doe.com, and (c)
-   URI <https://www.secure.john-doe.com:8080/>.  The storage locations
-   recommended, in priority order, would be
-
-
-
-Josefsson                   Standards Track                     [Page 8]
-
-RFC 4398            Storing Certificates in the DNS        February 2006
-
-
-   1.  john-doe.com,
-   2.  www.secure.john-doe.com, and
-   3.  Doe.com.xy.
-
-   Example 2: An X.509v3 certificate is issued to /CN=James Hacker/
-   L=Basingstoke/O=Widget Inc/C=GB/ with Subject Alternate names of (a)
-   domain name widget.foo.example, (b) IPv4 address 10.251.13.201, and
-   (c) string "James Hacker <hacker@mail.widget.foo.example>".  The
-   storage locations recommended, in priority order, would be
-
-   1.  widget.foo.example,
-   2.  201.13.251.10.in-addr.arpa, and
-   3.  hacker.mail.widget.foo.example.
-
-3.2.  Purpose-Based X.509 CERT RR Names
-
-   Due to the difficulty for clients that do not already possess a
-   certificate to reconstruct the content-based owner name,
-   purpose-based owner names are recommended in this section.
-   Recommendations for purpose-based owner names vary per scenario.  The
-   following table summarizes the purpose-based X.509 CERT RR owner name
-   guidelines for use with S/MIME [17], SSL/TLS [13], and IPsec [14]:
-
-    Scenario             Owner name
-    ------------------   ----------------------------------------------
-    S/MIME Certificate   Standard translation of an RFC 2822 email
-                         address.  Example: An S/MIME certificate for
-                         "postmaster@example.org" will use a standard
-                         hostname translation of the owner name,
-                         "postmaster.example.org".
-
-    TLS Certificate      Hostname of the TLS server.
-
-    IPsec Certificate    Hostname of the IPsec machine and/or, for IPv4
-                         or IPv6 addresses, the fully qualified domain
-                         name in the appropriate reverse domain.
-
-   An alternate approach for IPsec is to store raw public keys [18].
-
-3.3.  Content-Based OpenPGP CERT RR Names
-
-   OpenPGP signed keys (certificates) use a general character string
-   User ID [5].  However, it is recommended by OpenPGP that such names
-   include the RFC 2822 [7] email address of the party, as in "Leslie
-   Example <Leslie@host.example>".  If such a format is used, the CERT
-   ought to be under the standard translation of the email address into
-
-
-
-
-
-Josefsson                   Standards Track                     [Page 9]
-
-RFC 4398            Storing Certificates in the DNS        February 2006
-
-
-   a domain name, which would be leslie.host.example in this case.  If
-   no RFC 2822 name can be extracted from the string name, no specific
-   domain name is recommended.
-
-   If a user has more than one email address, the CNAME type can be used
-   to reduce the amount of data stored in the DNS.  For example:
-
-      $ORIGIN example.org.
-      smith        IN CERT PGP 0 0 <OpenPGP binary>
-      john.smith   IN CNAME smith
-      js           IN CNAME smith
-
-3.4.  Purpose-Based OpenPGP CERT RR Names
-
-   Applications that receive an OpenPGP packet containing encrypted or
-   signed data but do not know the email address of the sender will have
-   difficulties constructing the correct owner name and cannot use the
-   content-based owner name guidelines.  However, these clients commonly
-   know the key fingerprint or the Key ID.  The key ID is found in
-   OpenPGP packets, and the key fingerprint is commonly found in
-   auxiliary data that may be available.  In this case, use of an owner
-   name identical to the key fingerprint and the key ID expressed in
-   hexadecimal [16] is recommended.  For example:
-
-      $ORIGIN example.org.
-      0424D4EE81A0E3D119C6F835EDA21E94B565716F IN CERT PGP ...
-      F835EDA21E94B565716F                     IN CERT PGP ...
-      B565716F                                 IN CERT PGP ...
-
-   If the same key material is stored for several owner names, the use
-   of CNAME may help avoid data duplication.  Note that CNAME is not
-   always applicable, because it maps one owner name to the other for
-   all purposes, which may be sub-optimal when two keys with the same
-   Key ID are stored.
-
-3.5.  Owner Names for IPKIX, ISPKI, IPGP, and IACPKIX
-
-   These types are stored under the same owner names, both purpose- and
-   content-based, as the PKIX, SPKI, PGP, and ACPKIX types.
-
-
-
-
-
-
-
-
-
-
-
-
-Josefsson                   Standards Track                    [Page 10]
-
-RFC 4398            Storing Certificates in the DNS        February 2006
-
-
-4.  Performance Considerations
-
-   The Domain Name System (DNS) protocol was designed for small
-   transfers, typically below 512 octets.  While larger transfers will
-   perform correctly and work is underway to make larger transfers more
-   efficient, it is still advisable at this time that every reasonable
-   effort be made to minimize the size of certificates stored within the
-   DNS.  Steps that can be taken may include using the fewest possible
-   optional or extension fields and using short field values for
-   necessary variable-length fields.
-
-   The RDATA field in the DNS protocol may only hold data of size 65535
-   octets (64kb) or less.  This means that each CERT RR MUST NOT contain
-   more than 64kb of payload, even if the corresponding certificate or
-   certificate revocation list is larger.  This document addresses this
-   by defining "indirect" data types for each normal type.
-
-   Deploying CERT RRs to support digitally signed email changes the
-   access patterns of DNS lookups from per-domain to per-user.  If
-   digitally signed email and a key/certificate lookup based on CERT RRs
-   are deployed on a wide scale, this may lead to an increased DNS load,
-   with potential performance and cache effectiveness consequences.
-   Whether or not this load increase will be noticeable is not known.
-
-5.  Contributors
-
-   The majority of this document is copied verbatim from RFC 2538, by
-   Donald Eastlake 3rd and Olafur Gudmundsson.
-
-6.  Acknowledgements
-
-   Thanks to David Shaw and Michael Graff for their contributions to
-   earlier works that motivated, and served as inspiration for, this
-   document.
-
-   This document was improved by suggestions and comments from Olivier
-   Dubuisson, Scott Hollenbeck, Russ Housley, Peter Koch, Olaf M.
-   Kolkman, Ben Laurie, Edward Lewis, John Loughney, Allison Mankin,
-   Douglas Otis, Marcos Sanz, Pekka Savola, Jason Sloderbeck, Samuel
-   Weiler, and Florian Weimer.  No doubt the list is incomplete.  We
-   apologize to anyone we left out.
-
-
-
-
-
-
-
-
-
-
-Josefsson                   Standards Track                    [Page 11]
-
-RFC 4398            Storing Certificates in the DNS        February 2006
-
-
-7.  Security Considerations
-
-   By definition, certificates contain their own authenticating
-   signatures.  Thus, it is reasonable to store certificates in
-   non-secure DNS zones or to retrieve certificates from DNS with DNS
-   security checking not implemented or deferred for efficiency.  The
-   results may be trusted if the certificate chain is verified back to a
-   known trusted key and this conforms with the user's security policy.
-
-   Alternatively, if certificates are retrieved from a secure DNS zone
-   with DNS security checking enabled and are verified by DNS security,
-   the key within the retrieved certificate may be trusted without
-   verifying the certificate chain if this conforms with the user's
-   security policy.
-
-   If an organization chooses to issue certificates for its employees,
-   placing CERT RRs in the DNS by owner name, and if DNSSEC (with NSEC)
-   is in use, it is possible for someone to enumerate all employees of
-   the organization.  This is usually not considered desirable, for the
-   same reason that enterprise phone listings are not often publicly
-   published and are even marked confidential.
-
-   Using the URI type introduces another level of indirection that may
-   open a new vulnerability.  One method of securing that indirection is
-   to include a hash of the certificate in the URI itself.
-
-   If DNSSEC is used, then the non-existence of a CERT RR and,
-   consequently, certificates or revocation lists can be securely
-   asserted.  Without DNSSEC, this is not possible.
-
-8.  IANA Considerations
-
-   The IANA has created a new registry for CERT RR: certificate types.
-   The initial contents of this registry is:
-
-       Decimal   Type     Meaning                           Reference
-       -------   ----     -------                           ---------
-             0            Reserved                          RFC 4398
-             1   PKIX     X.509 as per PKIX                 RFC 4398
-             2   SPKI     SPKI certificate                  RFC 4398
-             3   PGP      OpenPGP packet                    RFC 4398
-             4   IPKIX    The URL of an X.509 data object   RFC 4398
-             5   ISPKI    The URL of an SPKI certificate    RFC 4398
-             6   IPGP     The fingerprint and URL           RFC 4398
-                          of an OpenPGP packet
-             7   ACPKIX   Attribute Certificate             RFC 4398
-             8   IACPKIX  The URL of an Attribute           RFC 4398
-                             Certificate
-
-
-
-Josefsson                   Standards Track                    [Page 12]
-
-RFC 4398            Storing Certificates in the DNS        February 2006
-
-
-         9-252            Available for IANA assignment
-                             by IETF Standards action
-           253   URI      URI private                       RFC 4398
-           254   OID      OID private                       RFC 4398
-           255            Reserved                          RFC 4398
-     256-65279            Available for IANA assignment
-                          by IETF Consensus
-   65280-65534            Experimental                      RFC 4398
-         65535            Reserved                          RFC 4398
-
-   Certificate types 0x0000 through 0x00FF and 0xFF00 through 0xFFFF can
-   only be assigned by an IETF standards action [6].  This document
-   assigns 0x0001 through 0x0008 and 0x00FD and 0x00FE.  Certificate
-   types 0x0100 through 0xFEFF are assigned through IETF Consensus [6]
-   based on RFC documentation of the certificate type.  The availability
-   of private types under 0x00FD and 0x00FE ought to satisfy most
-   requirements for proprietary or private types.
-
-   The CERT RR reuses the DNS Security Algorithm Numbers registry.  In
-   particular, the CERT RR requires that algorithm number 0 remain
-   reserved, as described in Section 2.  The IANA will reference the
-   CERT RR as a user of this registry and value 0, in particular.
-
-9.  Changes since RFC 2538
-
-   1.   Editorial changes to conform with new document requirements,
-        including splitting reference section into two parts and
-        updating the references to point at latest versions, and to add
-        some additional references.
-   2.   Improve terminology.  For example replace "PGP" with "OpenPGP",
-        to align with RFC 2440.
-   3.   In Section 2.1, clarify that OpenPGP public key data are binary,
-        not the ASCII armored format, and reference 10.1 in RFC 2440 on
-        how to deal with OpenPGP keys, and acknowledge that
-        implementations may handle additional packet types.
-   4.   Clarify that integers in the representation format are decimal.
-   5.   Replace KEY/SIG with DNSKEY/RRSIG etc, to align with DNSSECbis
-        terminology.  Improve reference for Key Tag Algorithm
-        calculations.
-   6.   Add examples that suggest use of CNAME to reduce bandwidth.
-   7.   In Section 3, appended the last paragraphs that discuss
-        "content-based" vs "purpose-based" owner names.  Add Section 3.2
-        for purpose-based X.509 CERT owner names, and Section 3.4 for
-        purpose-based OpenPGP CERT owner names.
-   8.   Added size considerations.
-   9.   The SPKI types has been reserved, until RFC 2692/2693 is moved
-        from the experimental status.
-   10.  Added indirect types IPKIX, ISPKI, IPGP, and IACPKIX.
-
-
-
-Josefsson                   Standards Track                    [Page 13]
-
-RFC 4398            Storing Certificates in the DNS        February 2006
-
-
-   11.  An IANA registry of CERT type values was created.
-
-10.  References
-
-10.1.  Normative References
-
-   [1]   Mockapetris, P., "Domain names - concepts and facilities",
-         STD 13, RFC 1034, November 1987.
-
-   [2]   Mockapetris, P., "Domain names - implementation and
-         specification", STD 13, RFC 1035, November 1987.
-
-   [3]   Bradner, S., "Key words for use in RFCs to Indicate Requirement
-         Levels", BCP 14, RFC 2119, March 1997.
-
-   [4]   Kille, S., Wahl, M., Grimstad, A., Huber, R., and S. Sataluri,
-         "Using Domains in LDAP/X.500 Distinguished Names", RFC 2247,
-         January 1998.
-
-   [5]   Callas, J., Donnerhacke, L., Finney, H., and R. Thayer,
-         "OpenPGP Message Format", RFC 2440, November 1998.
-
-   [6]   Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA
-         Considerations Section in RFCs", BCP 26, RFC 2434,
-         October 1998.
-
-   [7]   Resnick, P., "Internet Message Format", RFC 2822, April 2001.
-
-   [8]   Housley, R., Polk, W., Ford, W., and D. Solo, "Internet X.509
-         Public Key Infrastructure Certificate and Certificate
-         Revocation List (CRL) Profile", RFC 3280, April 2002.
-
-   [9]   Farrell, S. and R. Housley, "An Internet Attribute Certificate
-         Profile for Authorization", RFC 3281, April 2002.
-
-   [10]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
-         Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986,
-         January 2005.
-
-   [11]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
-         "DNS Security Introduction and Requirements", RFC 4033,
-         March 2005.
-
-   [12]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
-         "Resource Records for the DNS Security Extensions", RFC 4034,
-         March 2005.
-
-
-
-
-
-Josefsson                   Standards Track                    [Page 14]
-
-RFC 4398            Storing Certificates in the DNS        February 2006
-
-
-10.2.  Informative References
-
-   [13]  Dierks, T. and C. Allen, "The TLS Protocol Version 1.0",
-         RFC 2246, January 1999.
-
-   [14]  Kent, S. and K. Seo, "Security Architecture for the Internet
-         Protocol", RFC 4301, December 2005.
-
-   [15]  Ellison, C., Frantz, B., Lampson, B., Rivest, R., Thomas, B.,
-         and T. Ylonen, "SPKI Certificate Theory", RFC 2693,
-         September 1999.
-
-   [16]  Josefsson, S., "The Base16, Base32, and Base64 Data Encodings",
-         RFC 3548, July 2003.
-
-   [17]  Ramsdell, B., "Secure/Multipurpose Internet Mail Extensions
-         (S/MIME) Version 3.1 Message Specification", RFC 3851,
-         July 2004.
-
-   [18]  Richardson, M., "A Method for Storing IPsec Keying Material in
-         DNS", RFC 4025, March 2005.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Josefsson                   Standards Track                    [Page 15]
-
-RFC 4398            Storing Certificates in the DNS        February 2006
-
-
-Appendix A.  Copying Conditions
-
-   Regarding the portion of this document that was written by Simon
-   Josefsson ("the author", for the remainder of this section), the
-   author makes no guarantees and is not responsible for any damage
-   resulting from its use.  The author grants irrevocable permission to
-   anyone to use, modify, and distribute it in any way that does not
-   diminish the rights of anyone else to use, modify, and distribute it,
-   provided that redistributed derivative works do not contain
-   misleading author or version information.  Derivative works need not
-   be licensed under similar terms.
-
-Author's Address
-
-   Simon Josefsson
-
-   EMail: simon@josefsson.org
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Josefsson                   Standards Track                    [Page 16]
-
-RFC 4398            Storing Certificates in the DNS        February 2006
-
-
-Full Copyright Statement
-
-   Copyright (C) The Internet Society (2006).
-
-   This document is subject to the rights, licenses and restrictions
-   contained in BCP 78, and except as set forth therein, the authors
-   retain all their rights.
-
-   This document and the information contained herein are provided on an
-   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
-   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
-   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
-   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
-   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Intellectual Property
-
-   The IETF takes no position regarding the validity or scope of any
-   Intellectual Property Rights or other rights that might be claimed to
-   pertain to the implementation or use of the technology described in
-   this document or the extent to which any license under such rights
-   might or might not be available; nor does it represent that it has
-   made any independent effort to identify any such rights.  Information
-   on the procedures with respect to rights in RFC documents can be
-   found in BCP 78 and BCP 79.
-
-   Copies of IPR disclosures made to the IETF Secretariat and any
-   assurances of licenses to be made available, or the result of an
-   attempt made to obtain a general license or permission for the use of
-   such proprietary rights by implementers or users of this
-   specification can be obtained from the IETF on-line IPR repository at
-   http://www.ietf.org/ipr.
-
-   The IETF invites any interested party to bring to its attention any
-   copyrights, patents or patent applications, or other proprietary
-   rights that may cover technology that may be required to implement
-   this standard.  Please address the information to the IETF at
-   ietf-ipr@ietf.org.
-
-Acknowledgement
-
-   Funding for the RFC Editor function is provided by the IETF
-   Administrative Support Activity (IASA).
-
-
-
-
-
-
-
-Josefsson                   Standards Track                    [Page 17]
-
diff --git a/doc/rfc/rfc4408.txt b/doc/rfc/rfc4408.txt
deleted file mode 100644
index bc1b3f53..00000000
--- a/doc/rfc/rfc4408.txt
+++ /dev/null
@@ -1,2691 +0,0 @@
-
-
-
-
-
-
-Network Working Group                                            M. Wong
-Request for Comments: 4408                                    W. Schlitt
-Category: Experimental                                        April 2006
-
-
-                   Sender Policy Framework (SPF) for
-            Authorizing Use of Domains in E-Mail, Version 1
-
-Status of This Memo
-
-   This memo defines an Experimental Protocol for the Internet
-   community.  It does not specify an Internet standard of any kind.
-   Discussion and suggestions for improvement are requested.
-   Distribution of this memo is unlimited.
-
-Copyright Notice
-
-   Copyright (C) The Internet Society (2006).
-
-IESG Note
-
-   The following documents  (RFC 4405, RFC 4406, RFC 4407, and RFC 4408)
-   are published simultaneously as Experimental RFCs, although there is
-   no general technical consensus and efforts to reconcile the two
-   approaches have failed.  As such, these documents have not received
-   full IETF review and are published "AS-IS" to document the different
-   approaches as they were considered in the MARID working group.
-
-   The IESG takes no position about which approach is to be preferred
-   and cautions the reader that there are serious open issues for each
-   approach and concerns about using them in tandem.  The IESG believes
-   that documenting the different approaches does less harm than not
-   documenting them.
-
-   Note that the Sender ID experiment may use DNS records that may have
-   been created for the current SPF experiment or earlier versions in
-   this set of experiments.  Depending on the content of the record,
-   this may mean that Sender-ID heuristics would be applied incorrectly
-   to a message.  Depending on the actions associated by the recipient
-   with those heuristics, the message may not be delivered or may be
-   discarded on receipt.
-
-   Participants relying on Sender ID experiment DNS records are warned
-   that they may lose valid messages in this set of circumstances.
-   aParticipants publishing SPF experiment DNS records should consider
-   the advice given in section 3.4 of RFC 4406 and may wish to publish
-   both v=spf1 and spf2.0 records to avoid the conflict.
-
-
-
-
-Wong & Schlitt                Experimental                      [Page 1]
-
-RFC 4408             Sender Policy Framework (SPF)            April 2006
-
-
-   Participants in the Sender-ID experiment need to be aware that the
-   way Resent-* header fields are used will result in failure to receive
-   legitimate email when interacting with standards-compliant systems
-   (specifically automatic forwarders which comply with the standards by
-   not adding Resent-* headers, and systems which comply with RFC 822
-   but have not yet implemented RFC 2822 Resent-* semantics).  It would
-   be inappropriate to advance Sender-ID on the standards track without
-   resolving this interoperability problem.
-
-   The community is invited to observe the success or failure of the two
-   approaches during the two years following publication, in order that
-   a community consensus can be reached in the future.
-
-Abstract
-
-   E-mail on the Internet can be forged in a number of ways.  In
-   particular, existing protocols place no restriction on what a sending
-   host can use as the reverse-path of a message or the domain given on
-   the SMTP HELO/EHLO commands.  This document describes version 1 of
-   the Sender Policy Framework (SPF) protocol, whereby a domain may
-   explicitly authorize the hosts that are allowed to use its domain
-   name, and a receiving host may check such authorization.
-
-Table of Contents
-
-   1. Introduction ....................................................4
-      1.1. Protocol Status ............................................4
-      1.2. Terminology ................................................5
-   2. Operation .......................................................5
-      2.1. The HELO Identity ..........................................5
-      2.2. The MAIL FROM Identity .....................................5
-      2.3. Publishing Authorization ...................................6
-      2.4. Checking Authorization .....................................6
-      2.5. Interpreting the Result ....................................7
-           2.5.1. None ................................................8
-           2.5.2. Neutral .............................................8
-           2.5.3. Pass ................................................8
-           2.5.4. Fail ................................................8
-           2.5.5. SoftFail ............................................9
-           2.5.6. TempError ...........................................9
-           2.5.7. PermError ...........................................9
-   3. SPF Records .....................................................9
-      3.1. Publishing ................................................10
-           3.1.1. DNS Resource Record Types ..........................10
-           3.1.2. Multiple DNS Records ...............................11
-           3.1.3. Multiple Strings in a Single DNS record ............11
-           3.1.4. Record Size ........................................11
-           3.1.5. Wildcard Records ...................................11
-
-
-
-Wong & Schlitt                Experimental                      [Page 2]
-
-RFC 4408             Sender Policy Framework (SPF)            April 2006
-
-
-   4. The check_host() Function ......................................12
-      4.1. Arguments .................................................12
-      4.2. Results ...................................................13
-      4.3. Initial Processing ........................................13
-      4.4. Record Lookup .............................................13
-      4.5. Selecting Records .........................................13
-      4.6. Record Evaluation .........................................14
-           4.6.1. Term Evaluation ....................................14
-           4.6.2. Mechanisms .........................................15
-           4.6.3. Modifiers ..........................................15
-      4.7. Default Result ............................................16
-      4.8. Domain Specification ......................................16
-   5. Mechanism Definitions ..........................................16
-      5.1. "all" .....................................................17
-      5.2. "include" .................................................18
-      5.3. "a" .......................................................19
-      5.4. "mx" ......................................................20
-      5.5. "ptr" .....................................................20
-      5.6. "ip4" and "ip6" ...........................................21
-      5.7. "exists" ..................................................22
-   6. Modifier Definitions ...........................................22
-      6.1. redirect: Redirected Query ................................23
-      6.2. exp: Explanation ..........................................23
-   7. The Received-SPF Header Field ..................................25
-   8. Macros .........................................................27
-      8.1. Macro Definitions .........................................27
-      8.2. Expansion Examples ........................................30
-   9. Implications ...................................................31
-      9.1. Sending Domains ...........................................31
-      9.2. Mailing Lists .............................................32
-      9.3. Forwarding Services and Aliases ...........................32
-      9.4. Mail Services .............................................34
-      9.5. MTA Relays ................................................34
-   10. Security Considerations .......................................35
-      10.1. Processing Limits ........................................35
-      10.2. SPF-Authorized E-Mail May Contain Other False
-            Identities ...............................................37
-      10.3. Spoofed DNS and IP Data ..................................37
-      10.4. Cross-User Forgery .......................................37
-      10.5. Untrusted Information Sources ............................38
-      10.6. Privacy Exposure .........................................38
-   11. Contributors and Acknowledgements .............................38
-   12. IANA Considerations ...........................................39
-      12.1. The SPF DNS Record Type ..................................39
-      12.2. The Received-SPF Mail Header Field .......................39
-   13. References ....................................................39
-      13.1. Normative References .....................................39
-      13.2. Informative References ...................................40
-
-
-
-Wong & Schlitt                Experimental                      [Page 3]
-
-RFC 4408             Sender Policy Framework (SPF)            April 2006
-
-
-   Appendix A.  Collected ABNF .......................................42
-   Appendix B.  Extended Examples ....................................44
-      B.1.  Simple Examples ..........................................44
-      B.2.  Multiple Domain Example ..................................45
-      B.3.  DNSBL Style Example ......................................46
-      B.4.  Multiple Requirements Example ............................46
-
-1.  Introduction
-
-   The current E-Mail infrastructure has the property that any host
-   injecting mail into the mail system can identify itself as any domain
-   name it wants.  Hosts can do this at a variety of levels: in
-   particular, the session, the envelope, and the mail headers.
-   Although this feature is desirable in some circumstances, it is a
-   major obstacle to reducing Unsolicited Bulk E-Mail (UBE, aka spam).
-   Furthermore, many domain name holders are understandably concerned
-   about the ease with which other entities may make use of their domain
-   names, often with malicious intent.
-
-   This document defines a protocol by which domain owners may authorize
-   hosts to use their domain name in the "MAIL FROM" or "HELO" identity.
-   Compliant domain holders publish Sender Policy Framework (SPF)
-   records specifying which hosts are permitted to use their names, and
-   compliant mail receivers use the published SPF records to test the
-   authorization of sending Mail Transfer Agents (MTAs) using a given
-   "HELO" or "MAIL FROM" identity during a mail transaction.
-
-   An additional benefit to mail receivers is that after the use of an
-   identity is verified, local policy decisions about the mail can be
-   made based on the sender's domain, rather than the host's IP address.
-   This is advantageous because reputation of domain names is likely to
-   be more accurate than reputation of host IP addresses.  Furthermore,
-   if a claimed identity fails verification, local policy can take
-   stronger action against such E-Mail, such as rejecting it.
-
-1.1.  Protocol Status
-
-   SPF has been in development since the summer of 2003 and has seen
-   deployment beyond the developers beginning in December 2003.  The
-   design of SPF slowly evolved until the spring of 2004 and has since
-   stabilized.  There have been quite a number of forms of SPF, some
-   written up as documents, some submitted as Internet Drafts, and many
-   discussed and debated in development forums.
-
-   The goal of this document is to clearly document the protocol defined
-   by earlier draft specifications of SPF as used in existing
-   implementations.  This conception of SPF is sometimes called "SPF
-   Classic".  It is understood that particular implementations and
-
-
-
-Wong & Schlitt                Experimental                      [Page 4]
-
-RFC 4408             Sender Policy Framework (SPF)            April 2006
-
-
-   deployments may differ from, and build upon, this work.  It is hoped
-   that we have nonetheless captured the common understanding of SPF
-   version 1.
-
-1.2.  Terminology
-
-   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
-   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
-   document are to be interpreted as described in [RFC2119].
-
-   This document is concerned with the portion of a mail message
-   commonly called "envelope sender", "return path", "reverse path",
-   "bounce address", "2821 FROM", or "MAIL FROM".  Since these terms are
-   either not well defined or often used casually, this document defines
-   the "MAIL FROM" identity in Section 2.2.  Note that other terms that
-   may superficially look like the common terms, such as "reverse-path",
-   are used only with the defined meanings from normative documents.
-
-2.  Operation
-
-2.1.  The HELO Identity
-
-   The "HELO" identity derives from either the SMTP HELO or EHLO command
-   (see [RFC2821]).  These commands supply the SMTP client (sending
-   host) for the SMTP session.  Note that requirements for the domain
-   presented in the EHLO or HELO command are not always clear to the
-   sending party, and SPF clients must be prepared for the "HELO"
-   identity to be malformed or an IP address literal.  At the time of
-   this writing, many legitimate E-Mails are delivered with invalid HELO
-   domains.
-
-   It is RECOMMENDED that SPF clients not only check the "MAIL FROM"
-   identity, but also separately check the "HELO" identity by applying
-   the check_host() function (Section 4) to the "HELO" identity as the
-   <sender>.
-
-2.2.  The MAIL FROM Identity
-
-   The "MAIL FROM" identity derives from the SMTP MAIL command (see
-   [RFC2821]).  This command supplies the "reverse-path" for a message,
-   which generally consists of the sender mailbox, and is the mailbox to
-   which notification messages are to be sent if there are problems
-   delivering the message.
-
-   [RFC2821] allows the reverse-path to be null (see Section 4.5.5 in
-   RFC 2821).  In this case, there is no explicit sender mailbox, and
-   such a message can be assumed to be a notification message from the
-   mail system itself.  When the reverse-path is null, this document
-
-
-
-Wong & Schlitt                Experimental                      [Page 5]
-
-RFC 4408             Sender Policy Framework (SPF)            April 2006
-
-
-   defines the "MAIL FROM" identity to be the mailbox composed of the
-   localpart "postmaster" and the "HELO" identity (which may or may not
-   have been checked separately before).
-
-   SPF clients MUST check the "MAIL FROM" identity.  SPF clients check
-   the "MAIL FROM" identity by applying the check_host() function to the
-   "MAIL FROM" identity as the <sender>.
-
-2.3.  Publishing Authorization
-
-   An SPF-compliant domain MUST publish a valid SPF record as described
-   in Section 3.  This record authorizes the use of the domain name in
-   the "HELO" and "MAIL FROM" identities by the MTAs it specifies.
-
-   If domain owners choose to publish SPF records, it is RECOMMENDED
-   that they end in "-all", or redirect to other records that do, so
-   that a definitive determination of authorization can be made.
-
-   Domain holders may publish SPF records that explicitly authorize no
-   hosts if mail should never originate using that domain.
-
-   When changing SPF records, care must be taken to ensure that there is
-   a transition period so that the old policy remains valid until all
-   legitimate E-Mail has been checked.
-
-2.4.  Checking Authorization
-
-   A mail receiver can perform a set of SPF checks for each mail message
-   it receives.  An SPF check tests the authorization of a client host
-   to emit mail with a given identity.  Typically, such checks are done
-   by a receiving MTA, but can be performed elsewhere in the mail
-   processing chain so long as the required information is available and
-   reliable.  At least the "MAIL FROM" identity MUST be checked, but it
-   is RECOMMENDED that the "HELO" identity also be checked beforehand.
-
-   Without explicit approval of the domain owner, checking other
-   identities against SPF version 1 records is NOT RECOMMENDED because
-   there are cases that are known to give incorrect results.  For
-   example, almost all mailing lists rewrite the "MAIL FROM" identity
-   (see Section 9.2), but some do not change any other identities in the
-   message.  The scenario described in Section 9.3, sub-section 1.2, is
-   another example.  Documents that define other identities should
-   define the method for explicit approval.
-
-   It is possible that mail receivers will use the SPF check as part of
-   a larger set of tests on incoming mail.  The results of other tests
-   may influence whether or not a particular SPF check is performed.
-   For example, finding the sending host's IP address on a local white
-
-
-
-Wong & Schlitt                Experimental                      [Page 6]
-
-RFC 4408             Sender Policy Framework (SPF)            April 2006
-
-
-   list may cause all other tests to be skipped and all mail from that
-   host to be accepted.
-
-   When a mail receiver decides to perform an SPF check, it MUST use a
-   correctly-implemented check_host() function (Section 4) evaluated
-   with the correct parameters.  Although the test as a whole is
-   optional, once it has been decided to perform a test it must be
-   performed as specified so that the correct semantics are preserved
-   between publisher and receiver.
-
-   To make the test, the mail receiver MUST evaluate the check_host()
-   function with the arguments set as follows:
-
-   <ip>     - the IP address of the SMTP client that is emitting the
-              mail, either IPv4 or IPv6.
-
-   <domain> - the domain portion of the "MAIL FROM" or "HELO" identity.
-
-   <sender> - the "MAIL FROM" or "HELO" identity.
-
-   Note that the <domain> argument may not be a well-formed domain name.
-   For example, if the reverse-path was null, then the EHLO/HELO domain
-   is used, with its associated problems (see Section 2.1).  In these
-   cases, check_host() is defined in Section 4.3 to return a "None"
-   result.
-
-   Although invalid, malformed, or non-existent domains cause SPF checks
-   to return "None" because no SPF record can be found, it has long been
-   the policy of many MTAs to reject E-Mail from such domains,
-   especially in the case of invalid "MAIL FROM".  In order to prevent
-   the circumvention of SPF records, rejecting E-Mail from invalid
-   domains should be considered.
-
-   Implementations must take care to correctly extract the <domain> from
-   the data given with the SMTP MAIL FROM command as many MTAs will
-   still accept such things as source routes (see [RFC2821], Appendix
-   C), the %-hack (see [RFC1123]), and bang paths (see [RFC1983]).
-   These archaic features have been maliciously used to bypass security
-   systems.
-
-2.5.  Interpreting the Result
-
-   This section describes how software that performs the authorization
-   should interpret the results of the check_host() function.  The
-   authorization check SHOULD be performed during the processing of the
-   SMTP transaction that sends the mail.  This allows errors to be
-   returned directly to the sending MTA by way of SMTP replies.
-
-
-
-
-Wong & Schlitt                Experimental                      [Page 7]
-
-RFC 4408             Sender Policy Framework (SPF)            April 2006
-
-
-   Performing the authorization after the SMTP transaction has finished
-   may cause problems, such as the following: (1) It may be difficult to
-   accurately extract the required information from potentially
-   deceptive headers; (2) legitimate E-Mail may fail because the
-   sender's policy may have since changed.
-
-   Generating non-delivery notifications to forged identities that have
-   failed the authorization check is generally abusive and against the
-   explicit wishes of the identity owner.
-
-2.5.1.  None
-
-   A result of "None" means that no records were published by the domain
-   or that no checkable sender domain could be determined from the given
-   identity.  The checking software cannot ascertain whether or not the
-   client host is authorized.
-
-2.5.2.  Neutral
-
-   The domain owner has explicitly stated that he cannot or does not
-   want to assert whether or not the IP address is authorized.  A
-   "Neutral" result MUST be treated exactly like the "None" result; the
-   distinction exists only for informational purposes.  Treating
-   "Neutral" more harshly than "None" would discourage domain owners
-   from testing the use of SPF records (see Section 9.1).
-
-2.5.3.  Pass
-
-   A "Pass" result means that the client is authorized to inject mail
-   with the given identity.  The domain can now, in the sense of
-   reputation, be considered responsible for sending the message.
-   Further policy checks can now proceed with confidence in the
-   legitimate use of the identity.
-
-2.5.4.  Fail
-
-   A "Fail" result is an explicit statement that the client is not
-   authorized to use the domain in the given identity.  The checking
-   software can choose to mark the mail based on this or to reject the
-   mail outright.
-
-   If the checking software chooses to reject the mail during the SMTP
-   transaction, then it SHOULD use an SMTP reply code of 550 (see
-   [RFC2821]) and, if supported, the 5.7.1 Delivery Status Notification
-   (DSN) code (see [RFC3464]), in addition to an appropriate reply text.
-   The check_host() function may return either a default explanation
-   string or one from the domain that published the SPF records (see
-   Section 6.2).  If the information does not originate with the
-
-
-
-Wong & Schlitt                Experimental                      [Page 8]
-
-RFC 4408             Sender Policy Framework (SPF)            April 2006
-
-
-   checking software, it should be made clear that the text is provided
-   by the sender's domain.  For example:
-
-       550-5.7.1 SPF MAIL FROM check failed:
-       550-5.7.1 The domain example.com explains:
-       550 5.7.1 Please see http://www.example.com/mailpolicy.html
-
-2.5.5.  SoftFail
-
-   A "SoftFail" result should be treated as somewhere between a "Fail"
-   and a "Neutral".  The domain believes the host is not authorized but
-   is not willing to make that strong of a statement.  Receiving
-   software SHOULD NOT reject the message based solely on this result,
-   but MAY subject the message to closer scrutiny than normal.
-
-   The domain owner wants to discourage the use of this host and thus
-   desires limited feedback when a "SoftFail" result occurs.  For
-   example, the recipient's Mail User Agent (MUA) could highlight the
-   "SoftFail" status, or the receiving MTA could give the sender a
-   message using a technique called "greylisting" whereby the MTA can
-   issue an SMTP reply code of 451 (4.3.0 DSN code) with a note the
-   first time the message is received, but accept it the second time.
-
-2.5.6.  TempError
-
-   A "TempError" result means that the SPF client encountered a
-   transient error while performing the check.  Checking software can
-   choose to accept or temporarily reject the message.  If the message
-   is rejected during the SMTP transaction for this reason, the software
-   SHOULD use an SMTP reply code of 451 and, if supported, the 4.4.3 DSN
-   code.
-
-2.5.7.  PermError
-
-   A "PermError" result means that the domain's published records could
-   not be correctly interpreted.  This signals an error condition that
-   requires manual intervention to be resolved, as opposed to the
-   TempError result.  Be aware that if the domain owner uses macros
-   (Section 8), it is possible that this result is due to the checked
-   identities having an unexpected format.
-
-3.  SPF Records
-
-   An SPF record is a DNS Resource Record (RR) that declares which hosts
-   are, and are not, authorized to use a domain name for the "HELO" and
-   "MAIL FROM" identities.  Loosely, the record partitions all hosts
-   into permitted and not-permitted sets (though some hosts might fall
-   into neither category).
-
-
-
-Wong & Schlitt                Experimental                      [Page 9]
-
-RFC 4408             Sender Policy Framework (SPF)            April 2006
-
-
-   The SPF record is a single string of text.  An example record is the
-   following:
-
-      v=spf1 +mx a:colo.example.com/28 -all
-
-   This record has a version of "spf1" and three directives: "+mx",
-   "a:colo.example.com/28" (the + is implied), and "-all".
-
-3.1.  Publishing
-
-   Domain owners wishing to be SPF compliant must publish SPF records
-   for the hosts that are used in the "MAIL FROM" and "HELO" identities.
-   The SPF records are placed in the DNS tree at the host name it
-   pertains to, not a subdomain under it, such as is done with SRV
-   records.  This is the same whether the TXT or SPF RR type (see
-   Section 3.1.1) is used.
-
-   The example above in Section 3 might be published via these lines in
-   a domain zone file:
-
-      example.com.          TXT "v=spf1 +mx a:colo.example.com/28 -all"
-      smtp-out.example.com. TXT "v=spf1 a -all"
-
-   When publishing via TXT records, beware of other TXT records
-   published there for other purposes.  They may cause problems with
-   size limits (see Section 3.1.4).
-
-3.1.1.  DNS Resource Record Types
-
-   This document defines a new DNS RR of type SPF, code 99.  The format
-   of this type is identical to the TXT RR [RFC1035].  For either type,
-   the character content of the record is encoded as [US-ASCII].
-
-   It is recognized that the current practice (using a TXT record) is
-   not optimal, but it is necessary because there are a number of DNS
-   server and resolver implementations in common use that cannot handle
-   the new RR type.  The two-record-type scheme provides a forward path
-   to the better solution of using an RR type reserved for this purpose.
-
-   An SPF-compliant domain name SHOULD have SPF records of both RR
-   types.  A compliant domain name MUST have a record of at least one
-   type.  If a domain has records of both types, they MUST have
-   identical content.  For example, instead of publishing just one
-   record as in Section 3.1 above, it is better to publish:
-
-      example.com. IN TXT "v=spf1 +mx a:colo.example.com/28 -all"
-      example.com. IN SPF "v=spf1 +mx a:colo.example.com/28 -all"
-
-
-
-
-Wong & Schlitt                Experimental                     [Page 10]
-
-RFC 4408             Sender Policy Framework (SPF)            April 2006
-
-
-   Example RRs in this document are shown with the TXT record type;
-   however, they could be published with the SPF type or with both
-   types.
-
-3.1.2.  Multiple DNS Records
-
-   A domain name MUST NOT have multiple records that would cause an
-   authorization check to select more than one record.  See Section 4.5
-   for the selection rules.
-
-3.1.3.  Multiple Strings in a Single DNS record
-
-   As defined in [RFC1035] sections 3.3.14 and 3.3, a single text DNS
-   record (either TXT or SPF RR types) can be composed of more than one
-   string.  If a published record contains multiple strings, then the
-   record MUST be treated as if those strings are concatenated together
-   without adding spaces.  For example:
-
-      IN TXT "v=spf1 .... first" "second string..."
-
-   MUST be treated as equivalent to
-
-      IN TXT "v=spf1 .... firstsecond string..."
-
-   SPF or TXT records containing multiple strings are useful in
-   constructing records that would exceed the 255-byte maximum length of
-   a string within a single TXT or SPF RR record.
-
-3.1.4.  Record Size
-
-   The published SPF record for a given domain name SHOULD remain small
-   enough that the results of a query for it will fit within 512 octets.
-   This will keep even older DNS implementations from falling over to
-   TCP.  Since the answer size is dependent on many things outside the
-   scope of this document, it is only possible to give this guideline:
-   If the combined length of the DNS name and the text of all the
-   records of a given type (TXT or SPF) is under 450 characters, then
-   DNS answers should fit in UDP packets.  Note that when computing the
-   sizes for queries of the TXT format, one must take into account any
-   other TXT records published at the domain name.  Records that are too
-   long to fit in a single UDP packet MAY be silently ignored by SPF
-   clients.
-
-3.1.5.  Wildcard Records
-
-   Use of wildcard records for publishing is not recommended.  Care must
-   be taken if wildcard records are used.  If a domain publishes
-   wildcard MX records, it may want to publish wildcard declarations,
-
-
-
-Wong & Schlitt                Experimental                     [Page 11]
-
-RFC 4408             Sender Policy Framework (SPF)            April 2006
-
-
-   subject to the same requirements and problems.  In particular, the
-   declaration must be repeated for any host that has any RR records at
-   all, and for subdomains thereof.  For example, the example given in
-   [RFC1034], Section 4.3.3, could be extended with the following:
-
-       X.COM.          MX      10      A.X.COM
-       X.COM.          TXT     "v=spf1 a:A.X.COM -all"
-
-       *.X.COM.        MX      10      A.X.COM
-       *.X.COM.        TXT     "v=spf1 a:A.X.COM -all"
-
-       A.X.COM.        A       1.2.3.4
-       A.X.COM.        MX      10      A.X.COM
-       A.X.COM.        TXT     "v=spf1 a:A.X.COM -all"
-
-       *.A.X.COM.      MX      10      A.X.COM
-       *.A.X.COM.      TXT     "v=spf1 a:A.X.COM -all"
-
-   Notice that SPF records must be repeated twice for every name within
-   the domain: once for the name, and once with a wildcard to cover the
-   tree under the name.
-
-   Use of wildcards is discouraged in general as they cause every name
-   under the domain to exist and queries against arbitrary names will
-   never return RCODE 3 (Name Error).
-
-4.  The check_host() Function
-
-   The check_host() function fetches SPF records, parses them, and
-   interprets them to determine whether a particular host is or is not
-   permitted to send mail with a given identity.  Mail receivers that
-   perform this check MUST correctly evaluate the check_host() function
-   as described here.
-
-   Implementations MAY use a different algorithm than the canonical
-   algorithm defined here, so long as the results are the same in all
-   cases.
-
-4.1.  Arguments
-
-   The check_host() function takes these arguments:
-
-   <ip>     - the IP address of the SMTP client that is emitting the
-              mail, either IPv4 or IPv6.
-
-   <domain> - the domain that provides the sought-after authorization
-              information; initially, the domain portion of the "MAIL
-              FROM" or "HELO" identity.
-
-
-
-Wong & Schlitt                Experimental                     [Page 12]
-
-RFC 4408             Sender Policy Framework (SPF)            April 2006
-
-
-   <sender> - the "MAIL FROM" or "HELO" identity.
-
-   The domain portion of <sender> will usually be the same as the
-   <domain> argument when check_host() is initially evaluated.  However,
-   this will generally not be true for recursive evaluations (see
-   Section 5.2 below).
-
-   Actual implementations of the check_host() function may need
-   additional arguments.
-
-4.2.  Results
-
-   The function check_host() can return one of several results described
-   in Section 2.5.  Based on the result, the action to be taken is
-   determined by the local policies of the receiver.
-
-4.3.  Initial Processing
-
-   If the <domain> is malformed (label longer than 63 characters, zero-
-   length label not at the end, etc.) or is not a fully qualified domain
-   name, or if the DNS lookup returns "domain does not exist" (RCODE 3),
-   check_host() immediately returns the result "None".
-
-   If the <sender> has no localpart, substitute the string "postmaster"
-   for the localpart.
-
-4.4.  Record Lookup
-
-   In accordance with how the records are published (see Section 3.1
-   above), a DNS query needs to be made for the <domain> name, querying
-   for either RR type TXT, SPF, or both.  If both SPF and TXT RRs are
-   looked up, the queries MAY be done in parallel.
-
-   If all DNS lookups that are made return a server failure (RCODE 2),
-   or other error (RCODE other than 0 or 3), or time out, then
-   check_host() exits immediately with the result "TempError".
-
-4.5.  Selecting Records
-
-   Records begin with a version section:
-
-   record           = version terms *SP
-   version          = "v=spf1"
-
-   Starting with the set of records that were returned by the lookup,
-   record selection proceeds in two steps:
-
-
-
-
-
-Wong & Schlitt                Experimental                     [Page 13]
-
-RFC 4408             Sender Policy Framework (SPF)            April 2006
-
-
-   1. Records that do not begin with a version section of exactly
-      "v=spf1" are discarded.  Note that the version section is
-      terminated either by an SP character or the end of the record.  A
-      record with a version section of "v=spf10" does not match and must
-      be discarded.
-
-   2. If any records of type SPF are in the set, then all records of
-      type TXT are discarded.
-
-   After the above steps, there should be exactly one record remaining
-   and evaluation can proceed.  If there are two or more records
-   remaining, then check_host() exits immediately with the result of
-   "PermError".
-
-   If no matching records are returned, an SPF client MUST assume that
-   the domain makes no SPF declarations.  SPF processing MUST stop and
-   return "None".
-
-4.6.  Record Evaluation
-
-   After one SPF record has been selected, the check_host() function
-   parses and interprets it to find a result for the current test.  If
-   there are any syntax errors, check_host() returns immediately with
-   the result "PermError".
-
-   Implementations MAY choose to parse the entire record first and
-   return "PermError" if the record is not syntactically well formed.
-   However, in all cases, any syntax errors anywhere in the record MUST
-   be detected.
-
-4.6.1.  Term Evaluation
-
-   There are two types of terms: mechanisms and modifiers.  A record
-   contains an ordered list of these as specified in the following
-   Augmented Backus-Naur Form (ABNF).
-
-   terms            = *( 1*SP ( directive / modifier ) )
-
-   directive        = [ qualifier ] mechanism
-   qualifier        = "+" / "-" / "?" / "~"
-   mechanism        = ( all / include
-                      / A / MX / PTR / IP4 / IP6 / exists )
-   modifier         = redirect / explanation / unknown-modifier
-   unknown-modifier = name "=" macro-string
-
-   name             = ALPHA *( ALPHA / DIGIT / "-" / "_" / "." )
-
-   Most mechanisms allow a ":" or "/" character after the name.
-
-
-
-Wong & Schlitt                Experimental                     [Page 14]
-
-RFC 4408             Sender Policy Framework (SPF)            April 2006
-
-
-   Modifiers always contain an equals ('=') character immediately after
-   the name, and before any ":" or "/" characters that may be part of
-   the macro-string.
-
-   Terms that do not contain any of "=", ":", or "/" are mechanisms, as
-   defined in Section 5.
-
-   As per the definition of the ABNF notation in [RFC4234], mechanism
-   and modifier names are case-insensitive.
-
-4.6.2.  Mechanisms
-
-   Each mechanism is considered in turn from left to right.  If there
-   are no more mechanisms, the result is specified in Section 4.7.
-
-   When a mechanism is evaluated, one of three things can happen: it can
-   match, not match, or throw an exception.
-
-   If it matches, processing ends and the qualifier value is returned as
-   the result of that record.  If it does not match, processing
-   continues with the next mechanism.  If it throws an exception,
-   mechanism processing ends and the exception value is returned.
-
-   The possible qualifiers, and the results they return are as follows:
-
-      "+" Pass
-      "-" Fail
-      "~" SoftFail
-      "?" Neutral
-
-   The qualifier is optional and defaults to "+".
-
-   When a mechanism matches and the qualifier is "-", then a "Fail"
-   result is returned and the explanation string is computed as
-   described in Section 6.2.
-
-   The specific mechanisms are described in Section 5.
-
-4.6.3.  Modifiers
-
-   Modifiers are not mechanisms: they do not return match or not-match.
-   Instead they provide additional information.  Although modifiers do
-   not directly affect the evaluation of the record, the "redirect"
-   modifier has an effect after all the mechanisms have been evaluated.
-
-
-
-
-
-
-
-Wong & Schlitt                Experimental                     [Page 15]
-
-RFC 4408             Sender Policy Framework (SPF)            April 2006
-
-
-4.7.  Default Result
-
-   If none of the mechanisms match and there is no "redirect" modifier,
-   then the check_host() returns a result of "Neutral", just as if
-   "?all" were specified as the last directive.  If there is a
-   "redirect" modifier, check_host() proceeds as defined in Section 6.1.
-
-   Note that records SHOULD always use either a "redirect" modifier or
-   an "all" mechanism to explicitly terminate processing.
-
-   For example:
-
-      v=spf1 +mx -all
-   or
-      v=spf1 +mx redirect=_spf.example.com
-
-4.8.  Domain Specification
-
-   Several of these mechanisms and modifiers have a <domain-spec>
-   section.  The <domain-spec> string is macro expanded (see Section 8).
-   The resulting string is the common presentation form of a fully-
-   qualified DNS name: a series of labels separated by periods.  This
-   domain is called the <target-name> in the rest of this document.
-
-   Note: The result of the macro expansion is not subject to any further
-   escaping.  Hence, this facility cannot produce all characters that
-   are legal in a DNS label (e.g., the control characters).  However,
-   this facility is powerful enough to express legal host names and
-   common utility labels (such as "_spf") that are used in DNS.
-
-   For several mechanisms, the <domain-spec> is optional.  If it is not
-   provided, the <domain> is used as the <target-name>.
-
-5.  Mechanism Definitions
-
-   This section defines two types of mechanisms.
-
-   Basic mechanisms contribute to the language framework.  They do not
-   specify a particular type of authorization scheme.
-
-      all
-      include
-
-   Designated sender mechanisms are used to designate a set of <ip>
-   addresses as being permitted or not permitted to use the <domain> for
-   sending mail.
-
-
-
-
-
-Wong & Schlitt                Experimental                     [Page 16]
-
-RFC 4408             Sender Policy Framework (SPF)            April 2006
-
-
-      a
-      mx
-      ptr
-      ip4
-      ip6
-      exists
-
-   The following conventions apply to all mechanisms that perform a
-   comparison between <ip> and an IP address at any point:
-
-   If no CIDR-length is given in the directive, then <ip> and the IP
-   address are compared for equality. (Here, CIDR is Classless Inter-
-   Domain Routing.)
-
-   If a CIDR-length is specified, then only the specified number of
-   high-order bits of <ip> and the IP address are compared for equality.
-
-   When any mechanism fetches host addresses to compare with <ip>, when
-   <ip> is an IPv4 address, A records are fetched, when <ip> is an IPv6
-   address, AAAA records are fetched.  Even if the SMTP connection is
-   via IPv6, an IPv4-mapped IPv6 IP address (see [RFC3513], Section
-   2.5.5) MUST still be considered an IPv4 address.
-
-   Several mechanisms rely on information fetched from DNS.  For these
-   DNS queries, except where noted, if the DNS server returns an error
-   (RCODE other than 0 or 3) or the query times out, the mechanism
-   throws the exception "TempError".  If the server returns "domain does
-   not exist" (RCODE 3), then evaluation of the mechanism continues as
-   if the server returned no error (RCODE 0) and zero answer records.
-
-5.1.  "all"
-
-   all              = "all"
-
-   The "all" mechanism is a test that always matches.  It is used as the
-   rightmost mechanism in a record to provide an explicit default.
-
-   For example:
-
-      v=spf1 a mx -all
-
-   Mechanisms after "all" will never be tested.  Any "redirect" modifier
-   (Section 6.1) has no effect when there is an "all" mechanism.
-
-
-
-
-
-
-
-
-Wong & Schlitt                Experimental                     [Page 17]
-
-RFC 4408             Sender Policy Framework (SPF)            April 2006
-
-
-5.2.  "include"
-
-      include          = "include"  ":" domain-spec
-
-   The "include" mechanism triggers a recursive evaluation of
-   check_host().  The domain-spec is expanded as per Section 8.  Then
-   check_host() is evaluated with the resulting string as the <domain>.
-   The <ip> and <sender> arguments remain the same as in the current
-   evaluation of check_host().
-
-   In hindsight, the name "include" was poorly chosen.  Only the
-   evaluated result of the referenced SPF record is used, rather than
-   acting as if the referenced SPF record was literally included in the
-   first.  For example, evaluating a "-all" directive in the referenced
-   record does not terminate the overall processing and does not
-   necessarily result in an overall "Fail".  (Better names for this
-   mechanism would have been "if-pass", "on-pass", etc.)
-
-   The "include" mechanism makes it possible for one domain to designate
-   multiple administratively-independent domains.  For example, a vanity
-   domain "example.net" might send mail using the servers of
-   administratively-independent domains example.com and example.org.
-
-   Example.net could say
-
-      IN TXT "v=spf1 include:example.com include:example.org -all"
-
-   This would direct check_host() to, in effect, check the records of
-   example.com and example.org for a "Pass" result.  Only if the host
-   were not permitted for either of those domains would the result be
-   "Fail".
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Wong & Schlitt                Experimental                     [Page 18]
-
-RFC 4408             Sender Policy Framework (SPF)            April 2006
-
-
-   Whether this mechanism matches, does not match, or throws an
-   exception depends on the result of the recursive evaluation of
-   check_host():
-
-   +---------------------------------+---------------------------------+
-   | A recursive check_host() result | Causes the "include" mechanism  |
-   | of:                             | to:                             |
-   +---------------------------------+---------------------------------+
-   | Pass                            | match                           |
-   |                                 |                                 |
-   | Fail                            | not match                       |
-   |                                 |                                 |
-   | SoftFail                        | not match                       |
-   |                                 |                                 |
-   | Neutral                         | not match                       |
-   |                                 |                                 |
-   | TempError                       | throw TempError                 |
-   |                                 |                                 |
-   | PermError                       | throw PermError                 |
-   |                                 |                                 |
-   | None                            | throw PermError                 |
-   +---------------------------------+---------------------------------+
-
-   The "include" mechanism is intended for crossing administrative
-   boundaries.  Although it is possible to use includes to consolidate
-   multiple domains that share the same set of designated hosts, domains
-   are encouraged to use redirects where possible, and to minimize the
-   number of includes within a single administrative domain.  For
-   example, if example.com and example.org were managed by the same
-   entity, and if the permitted set of hosts for both domains was
-   "mx:example.com", it would be possible for example.org to specify
-   "include:example.com", but it would be preferable to specify
-   "redirect=example.com" or even "mx:example.com".
-
-5.3.  "a"
-
-   This mechanism matches if <ip> is one of the <target-name>'s IP
-   addresses.
-
-   A                = "a"      [ ":" domain-spec ] [ dual-cidr-length ]
-
-   An address lookup is done on the <target-name>.  The <ip> is compared
-   to the returned address(es).  If any address matches, the mechanism
-   matches.
-
-
-
-
-
-
-
-Wong & Schlitt                Experimental                     [Page 19]
-
-RFC 4408             Sender Policy Framework (SPF)            April 2006
-
-
-5.4.  "mx"
-
-   This mechanism matches if <ip> is one of the MX hosts for a domain
-   name.
-
-   MX               = "mx"     [ ":" domain-spec ] [ dual-cidr-length ]
-
-   check_host() first performs an MX lookup on the <target-name>.  Then
-   it performs an address lookup on each MX name returned.  The <ip> is
-   compared to each returned IP address.  To prevent Denial of Service
-   (DoS) attacks, more than 10 MX names MUST NOT be looked up during the
-   evaluation of an "mx" mechanism (see Section 10).  If any address
-   matches, the mechanism matches.
-
-   Note regarding implicit MXs: If the <target-name> has no MX records,
-   check_host() MUST NOT pretend the target is its single MX, and MUST
-   NOT default to an A lookup on the <target-name> directly.  This
-   behavior breaks with the legacy "implicit MX" rule.  See [RFC2821],
-   Section 5.  If such behavior is desired, the publisher should specify
-   an "a" directive.
-
-5.5.  "ptr"
-
-   This mechanism tests whether the DNS reverse-mapping for <ip> exists
-   and correctly points to a domain name within a particular domain.
-
-   PTR              = "ptr"    [ ":" domain-spec ]
-
-   First, the <ip>'s name is looked up using this procedure: perform a
-   DNS reverse-mapping for <ip>, looking up the corresponding PTR record
-   in "in-addr.arpa." if the address is an IPv4 one and in "ip6.arpa."
-   if it is an IPv6 address.  For each record returned, validate the
-   domain name by looking up its IP address.  To prevent DoS attacks,
-   more than 10 PTR names MUST NOT be looked up during the evaluation of
-   a "ptr" mechanism (see Section 10).  If <ip> is among the returned IP
-   addresses, then that domain name is validated.  In pseudocode:
-
-   sending-domain_names := ptr_lookup(sending-host_IP); if more than 10
-   sending-domain_names are found, use at most 10.  for each name in
-   (sending-domain_names) {
-     IP_addresses := a_lookup(name);
-     if the sending-domain_IP is one of the IP_addresses {
-       validated-sending-domain_names += name;
-     } }
-
-   Check all validated domain names to see if they end in the
-   <target-name> domain.  If any do, this mechanism matches.  If no
-   validated domain name can be found, or if none of the validated
-
-
-
-Wong & Schlitt                Experimental                     [Page 20]
-
-RFC 4408             Sender Policy Framework (SPF)            April 2006
-
-
-   domain names end in the <target-name>, this mechanism fails to match.
-   If a DNS error occurs while doing the PTR RR lookup, then this
-   mechanism fails to match.  If a DNS error occurs while doing an A RR
-   lookup, then that domain name is skipped and the search continues.
-
-   Pseudocode:
-
-   for each name in (validated-sending-domain_names) {
-     if name ends in <domain-spec>, return match.
-     if name is <domain-spec>, return match.
-   }
-   return no-match.
-
-   This mechanism matches if the <target-name> is either an ancestor of
-   a validated domain name or if the <target-name> and a validated
-   domain name are the same.  For example: "mail.example.com" is within
-   the domain "example.com", but "mail.bad-example.com" is not.
-
-   Note: Use of this mechanism is discouraged because it is slow, it is
-   not as reliable as other mechanisms in cases of DNS errors, and it
-   places a large burden on the arpa name servers.  If used, proper PTR
-   records must be in place for the domain's hosts and the "ptr"
-   mechanism should be one of the last mechanisms checked.
-
-5.6.  "ip4" and "ip6"
-
-   These mechanisms test whether <ip> is contained within a given IP
-   network.
-
-   IP4              = "ip4"      ":" ip4-network   [ ip4-cidr-length ]
-   IP6              = "ip6"      ":" ip6-network   [ ip6-cidr-length ]
-
-   ip4-cidr-length  = "/" 1*DIGIT
-   ip6-cidr-length  = "/" 1*DIGIT
-   dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ]
-
-   ip4-network      = qnum "." qnum "." qnum "." qnum
-   qnum             = DIGIT                 ; 0-9
-                      / %x31-39 DIGIT       ; 10-99
-                      / "1" 2DIGIT          ; 100-199
-                      / "2" %x30-34 DIGIT   ; 200-249
-                      / "25" %x30-35        ; 250-255
-            ; as per conventional dotted quad notation.  e.g., 192.0.2.0
-   ip6-network      = <as per [RFC 3513], section 2.2>
-            ; e.g., 2001:DB8::CD30
-
-   The <ip> is compared to the given network.  If CIDR-length high-order
-   bits match, the mechanism matches.
-
-
-
-Wong & Schlitt                Experimental                     [Page 21]
-
-RFC 4408             Sender Policy Framework (SPF)            April 2006
-
-
-   If ip4-cidr-length is omitted, it is taken to be "/32".  If
-   ip6-cidr-length is omitted, it is taken to be "/128".  It is not
-   permitted to omit parts of the IP address instead of using CIDR
-   notations.  That is, use 192.0.2.0/24 instead of 192.0.2.
-
-5.7.  "exists"
-
-   This mechanism is used to construct an arbitrary domain name that is
-   used for a DNS A record query.  It allows for complicated schemes
-   involving arbitrary parts of the mail envelope to determine what is
-   permitted.
-
-   exists           = "exists"   ":" domain-spec
-
-   The domain-spec is expanded as per Section 8.  The resulting domain
-   name is used for a DNS A RR lookup.  If any A record is returned,
-   this mechanism matches.  The lookup type is A even when the
-   connection type is IPv6.
-
-   Domains can use this mechanism to specify arbitrarily complex
-   queries.  For example, suppose example.com publishes the record:
-
-      v=spf1 exists:%{ir}.%{l1r+-}._spf.%{d} -all
-
-   The <target-name> might expand to
-   "1.2.0.192.someuser._spf.example.com".  This makes fine-grained
-   decisions possible at the level of the user and client IP address.
-
-   This mechanism enables queries that mimic the style of tests that
-   existing anti-spam DNS blacklists (DNSBL) use.
-
-6.  Modifier Definitions
-
-   Modifiers are name/value pairs that provide additional information.
-   Modifiers always have an "=" separating the name and the value.
-
-   The modifiers defined in this document ("redirect" and "exp") MAY
-   appear anywhere in the record, but SHOULD appear at the end, after
-   all mechanisms.  Ordering of these two modifiers does not matter.
-   These two modifiers MUST NOT appear in a record more than once each.
-   If they do, then check_host() exits with a result of "PermError".
-
-   Unrecognized modifiers MUST be ignored no matter where in a record,
-   or how often.  This allows implementations of this document to
-   gracefully handle records with modifiers that are defined in other
-   specifications.
-
-
-
-
-
-Wong & Schlitt                Experimental                     [Page 22]
-
-RFC 4408             Sender Policy Framework (SPF)            April 2006
-
-
-6.1.  redirect: Redirected Query
-
-   If all mechanisms fail to match, and a "redirect" modifier is
-   present, then processing proceeds as follows:
-
-   redirect         = "redirect" "=" domain-spec
-
-   The domain-spec portion of the redirect section is expanded as per
-   the macro rules in Section 8.  Then check_host() is evaluated with
-   the resulting string as the <domain>.  The <ip> and <sender>
-   arguments remain the same as current evaluation of check_host().
-
-   The result of this new evaluation of check_host() is then considered
-   the result of the current evaluation with the exception that if no
-   SPF record is found, or if the target-name is malformed, the result
-   is a "PermError" rather than "None".
-
-   Note that the newly-queried domain may itself specify redirect
-   processing.
-
-   This facility is intended for use by organizations that wish to apply
-   the same record to multiple domains.  For example:
-
-     la.example.com. TXT "v=spf1 redirect=_spf.example.com"
-     ny.example.com. TXT "v=spf1 redirect=_spf.example.com"
-     sf.example.com. TXT "v=spf1 redirect=_spf.example.com"
-   _spf.example.com. TXT "v=spf1 mx:example.com -all"
-
-   In this example, mail from any of the three domains is described by
-   the same record.  This can be an administrative advantage.
-
-   Note: In general, the domain "A" cannot reliably use a redirect to
-   another domain "B" not under the same administrative control.  Since
-   the <sender> stays the same, there is no guarantee that the record at
-   domain "B" will correctly work for mailboxes in domain "A",
-   especially if domain "B" uses mechanisms involving localparts.  An
-   "include" directive may be more appropriate.
-
-   For clarity, it is RECOMMENDED that any "redirect" modifier appear as
-   the very last term in a record.
-
-6.2.  exp: Explanation
-
-   explanation      = "exp" "=" domain-spec
-
-   If check_host() results in a "Fail" due to a mechanism match (such as
-   "-all"), and the "exp" modifier is present, then the explanation
-   string returned is computed as described below.  If no "exp" modifier
-
-
-
-Wong & Schlitt                Experimental                     [Page 23]
-
-RFC 4408             Sender Policy Framework (SPF)            April 2006
-
-
-   is present, then either a default explanation string or an empty
-   explanation string may be returned.
-
-   The <domain-spec> is macro expanded (see Section 8) and becomes the
-   <target-name>.  The DNS TXT record for the <target-name> is fetched.
-
-   If <domain-spec> is empty, or there are any DNS processing errors
-   (any RCODE other than 0), or if no records are returned, or if more
-   than one record is returned, or if there are syntax errors in the
-   explanation string, then proceed as if no exp modifier was given.
-
-   The fetched TXT record's strings are concatenated with no spaces, and
-   then treated as an <explain-string>, which is macro-expanded.  This
-   final result is the explanation string.  Implementations MAY limit
-   the length of the resulting explanation string to allow for other
-   protocol constraints and/or reasonable processing limits.  Since the
-   explanation string is intended for an SMTP response and [RFC2821]
-   Section 2.4 says that responses are in [US-ASCII], the explanation
-   string is also limited to US-ASCII.
-
-   Software evaluating check_host() can use this string to communicate
-   information from the publishing domain in the form of a short message
-   or URL.  Software SHOULD make it clear that the explanation string
-   comes from a third party.  For example, it can prepend the macro
-   string "%{o} explains: " to the explanation, such as shown in Section
-   2.5.4.
-
-   Suppose example.com has this record:
-
-      v=spf1 mx -all exp=explain._spf.%{d}
-
-   Here are some examples of possible explanation TXT records at
-   explain._spf.example.com:
-
-      "Mail from example.com should only be sent by its own servers."
-         -- a simple, constant message
-
-      "%{i} is not one of %{d}'s designated mail servers."
-         -- a message with a little more information, including the IP
-            address that failed the check
-
-      "See http://%{d}/why.html?s=%{S}&i=%{I}"
-         -- a complicated example that constructs a URL with the
-            arguments to check_host() so that a web page can be
-            generated with detailed, custom instructions
-
-   Note: During recursion into an "include" mechanism, an exp= modifier
-   from the <target-name> MUST NOT be used.  In contrast, when executing
-
-
-
-Wong & Schlitt                Experimental                     [Page 24]
-
-RFC 4408             Sender Policy Framework (SPF)            April 2006
-
-
-   a "redirect" modifier, an exp= modifier from the original domain MUST
-   NOT be used.
-
-7.  The Received-SPF Header Field
-
-   It is RECOMMENDED that SMTP receivers record the result of SPF
-   processing in the message header.  If an SMTP receiver chooses to do
-   so, it SHOULD use the "Received-SPF" header field defined here for
-   each identity that was checked.  This information is intended for the
-   recipient.  (Information intended for the sender is described in
-   Section 6.2, Explanation.)
-
-   The Received-SPF header field is a trace field (see [RFC2822] Section
-   3.6.7) and SHOULD be prepended to the existing header, above the
-   Received: field that is generated by the SMTP receiver.  It MUST
-   appear above all other Received-SPF fields in the message.  The
-   header field has the following format:
-
-   header-field     = "Received-SPF:" [CFWS] result FWS [comment FWS]
-                      [ key-value-list ] CRLF
-
-   result           = "Pass" / "Fail" / "SoftFail" / "Neutral" /
-                      "None" / "TempError" / "PermError"
-
-   key-value-list   = key-value-pair *( ";" [CFWS] key-value-pair )
-                      [";"]
-
-   key-value-pair   = key [CFWS] "=" ( dot-atom / quoted-string )
-
-   key              = "client-ip" / "envelope-from" / "helo" /
-                      "problem" / "receiver" / "identity" /
-                       mechanism / "x-" name / name
-
-   identity         = "mailfrom"   ; for the "MAIL FROM" identity
-                      / "helo"     ; for the "HELO" identity
-                      / name       ; other identities
-
-   dot-atom         = <unquoted word as per [RFC2822]>
-   quoted-string    = <quoted string as per [RFC2822]>
-   comment          = <comment string as per [RFC2822]>
-   CFWS             = <comment or folding white space as per [RFC2822]>
-   FWS              = <folding white space as per [RFC2822]>
-   CRLF             = <standard end-of-line token as per [RFC2822]>
-
-   The header field SHOULD include a "(...)" style <comment> after the
-   result, conveying supporting information for the result, such as
-   <ip>, <sender>, and <domain>.
-
-
-
-
-Wong & Schlitt                Experimental                     [Page 25]
-
-RFC 4408             Sender Policy Framework (SPF)            April 2006
-
-
-   The following key-value pairs are designed for later machine parsing.
-   SPF clients SHOULD give enough information so that the SPF results
-   can be verified.  That is, at least "client-ip", "helo", and, if the
-   "MAIL FROM" identity was checked, "envelope-from".
-
-   client-ip      the IP address of the SMTP client
-
-   envelope-from  the envelope sender mailbox
-
-   helo           the host name given in the HELO or EHLO command
-
-   mechanism      the mechanism that matched (if no mechanisms matched,
-                  substitute the word "default")
-
-   problem        if an error was returned, details about the error
-
-   receiver       the host name of the SPF client
-
-   identity       the identity that was checked; see the <identity> ABNF
-                  rule
-
-   Other keys may be defined by SPF clients.  Until a new key name
-   becomes widely accepted, new key names should start with "x-".
-
-   SPF clients MUST make sure that the Received-SPF header field does
-   not contain invalid characters, is not excessively long, and does not
-   contain malicious data that has been provided by the sender.
-
-   Examples of various header styles that could be generated are the
-   following:
-
-   Received-SPF: Pass (mybox.example.org: domain of
-    myname@example.com designates 192.0.2.1 as permitted sender)
-       receiver=mybox.example.org; client-ip=192.0.2.1;
-       envelope-from=<myname@example.com>; helo=foo.example.com;
-
-   Received-SPF: Fail (mybox.example.org: domain of
-                     myname@example.com does not designate
-                     192.0.2.1 as permitted sender)
-                     identity=mailfrom; client-ip=192.0.2.1;
-                     envelope-from=<myname@example.com>;
-
-
-
-
-
-
-
-
-
-
-Wong & Schlitt                Experimental                     [Page 26]
-
-RFC 4408             Sender Policy Framework (SPF)            April 2006
-
-
-8.  Macros
-
-8.1.  Macro Definitions
-
-   Many mechanisms and modifiers perform macro expansion on part of the
-   term.
-
-   domain-spec      = macro-string domain-end
-   domain-end       = ( "." toplabel [ "." ] ) / macro-expand
-
-   toplabel         = ( *alphanum ALPHA *alphanum ) /
-                      ( 1*alphanum "-" *( alphanum / "-" ) alphanum )
-                      ; LDH rule plus additional TLD restrictions
-                      ; (see [RFC3696], Section 2)
-   alphanum         = ALPHA / DIGIT
-
-   explain-string   = *( macro-string / SP )
-
-   macro-string     = *( macro-expand / macro-literal )
-   macro-expand     = ( "%{" macro-letter transformers *delimiter "}" )
-                      / "%%" / "%_" / "%-"
-   macro-literal    = %x21-24 / %x26-7E
-                      ; visible characters except "%"
-   macro-letter     = "s" / "l" / "o" / "d" / "i" / "p" / "h" /
-                      "c" / "r" / "t"
-   transformers     = *DIGIT [ "r" ]
-   delimiter        = "." / "-" / "+" / "," / "/" / "_" / "="
-
-   A literal "%" is expressed by "%%".
-
-      "%_" expands to a single " " space.
-      "%-" expands to a URL-encoded space, viz., "%20".
-
-   The following macro letters are expanded in term arguments:
-
-      s = <sender>
-      l = local-part of <sender>
-      o = domain of <sender>
-      d = <domain>
-      i = <ip>
-      p = the validated domain name of <ip>
-      v = the string "in-addr" if <ip> is ipv4, or "ip6" if <ip> is ipv6
-      h = HELO/EHLO domain
-
-
-
-
-
-
-
-
-Wong & Schlitt                Experimental                     [Page 27]
-
-RFC 4408             Sender Policy Framework (SPF)            April 2006
-
-
-   The following macro letters are allowed only in "exp" text:
-
-      c = SMTP client IP (easily readable format)
-      r = domain name of host performing the check
-      t = current timestamp
-
-   A '%' character not followed by a '{', '%', '-', or '_' character is
-   a syntax error.  So
-
-      -exists:%(ir).sbl.spamhaus.example.org
-
-   is incorrect and will cause check_host() to return a "PermError".
-   Instead, say
-
-      -exists:%{ir}.sbl.spamhaus.example.org
-
-   Optional transformers are the following:
-
-      *DIGIT = zero or more digits
-      'r'    = reverse value, splitting on dots by default
-
-   If transformers or delimiters are provided, the replacement value for
-   a macro letter is split into parts.  After performing any reversal
-   operation and/or removal of left-hand parts, the parts are rejoined
-   using "." and not the original splitting characters.
-
-   By default, strings are split on "." (dots).  Note that no special
-   treatment is given to leading, trailing, or consecutive delimiters,
-   and so the list of parts may contain empty strings.  Older
-   implementations of SPF prohibit trailing dots in domain names, so
-   trailing dots should not be published by domain owners, although they
-   must be accepted by implementations conforming to this document.
-   Macros may specify delimiter characters that are used instead of ".".
-
-   The 'r' transformer indicates a reversal operation: if the client IP
-   address were 192.0.2.1, the macro %{i} would expand to "192.0.2.1"
-   and the macro %{ir} would expand to "1.2.0.192".
-
-   The DIGIT transformer indicates the number of right-hand parts to
-   use, after optional reversal.  If a DIGIT is specified, the value
-   MUST be nonzero.  If no DIGITs are specified, or if the value
-   specifies more parts than are available, all the available parts are
-   used.  If the DIGIT was 5, and only 3 parts were available, the macro
-   interpreter would pretend the DIGIT was 3.  Implementations MUST
-   support at least a value of 128, as that is the maximum number of
-   labels in a domain name.
-
-
-
-
-
-Wong & Schlitt                Experimental                     [Page 28]
-
-RFC 4408             Sender Policy Framework (SPF)            April 2006
-
-
-   The "s" macro expands to the <sender> argument.  It is an E-Mail
-   address with a localpart, an "@" character, and a domain.  The "l"
-   macro expands to just the localpart.  The "o" macro expands to just
-   the domain part.  Note that these values remain the same during
-   recursive and chained evaluations due to "include" and/or "redirect".
-   Note also that if the original <sender> had no localpart, the
-   localpart was set to "postmaster" in initial processing (see Section
-   4.3).
-
-   For IPv4 addresses, both the "i" and "c" macros expand to the
-   standard dotted-quad format.
-
-   For IPv6 addresses, the "i" macro expands to a dot-format address; it
-   is intended for use in %{ir}.  The "c" macro may expand to any of the
-   hexadecimal colon-format addresses specified in [RFC3513], Section
-   2.2.  It is intended for humans to read.
-
-   The "p" macro expands to the validated domain name of <ip>.  The
-   procedure for finding the validated domain name is defined in Section
-   5.5.  If the <domain> is present in the list of validated domains, it
-   SHOULD be used.  Otherwise, if a subdomain of the <domain> is
-   present, it SHOULD be used.  Otherwise, any name from the list may be
-   used.  If there are no validated domain names or if a DNS error
-   occurs, the string "unknown" is used.
-
-   The "r" macro expands to the name of the receiving MTA.  This SHOULD
-   be a fully qualified domain name, but if one does not exist (as when
-   the checking is done by a MUA) or if policy restrictions dictate
-   otherwise, the word "unknown" SHOULD be substituted.  The domain name
-   may be different from the name found in the MX record that the client
-   MTA used to locate the receiving MTA.
-
-   The "t" macro expands to the decimal representation of the
-   approximate number of seconds since the Epoch (Midnight, January 1,
-   1970, UTC).  This is the same value as is returned by the POSIX
-   time() function in most standards-compliant libraries.
-
-   When the result of macro expansion is used in a domain name query, if
-   the expanded domain name exceeds 253 characters (the maximum length
-   of a domain name), the left side is truncated to fit, by removing
-   successive domain labels until the total length does not exceed 253
-   characters.
-
-   Uppercased macros expand exactly as their lowercased equivalents, and
-   are then URL escaped.  URL escaping must be performed for characters
-   not in the "uric" set, which is defined in [RFC3986].
-
-
-
-
-
-Wong & Schlitt                Experimental                     [Page 29]
-
-RFC 4408             Sender Policy Framework (SPF)            April 2006
-
-
-   Note: Care must be taken so that macro expansion for legitimate
-   E-Mail does not exceed the 63-character limit on DNS labels.  The
-   localpart of E-Mail addresses, in particular, can have more than 63
-   characters between dots.
-
-   Note: Domains should avoid using the "s", "l", "o", or "h" macros in
-   conjunction with any mechanism directive.  Although these macros are
-   powerful and allow per-user records to be published, they severely
-   limit the ability of implementations to cache results of check_host()
-   and they reduce the effectiveness of DNS caches.
-
-   Implementations should be aware that if no directive processed during
-   the evaluation of check_host() contains an "s", "l", "o", or "h"
-   macro, then the results of the evaluation can be cached on the basis
-   of <domain> and <ip> alone for as long as the shortest Time To Live
-   (TTL) of all the DNS records involved.
-
-8.2.  Expansion Examples
-
-      The <sender> is strong-bad@email.example.com.
-      The IPv4 SMTP client IP is 192.0.2.3.
-      The IPv6 SMTP client IP is 2001:DB8::CB01.
-      The PTR domain name of the client IP is mx.example.org.
-
-   macro                       expansion
-   -------  ----------------------------
-   %{s}     strong-bad@email.example.com
-   %{o}                email.example.com
-   %{d}                email.example.com
-   %{d4}               email.example.com
-   %{d3}               email.example.com
-   %{d2}                     example.com
-   %{d1}                             com
-   %{dr}               com.example.email
-   %{d2r}                  example.email
-   %{l}                       strong-bad
-   %{l-}                      strong.bad
-   %{lr}                      strong-bad
-   %{lr-}                     bad.strong
-   %{l1r-}                        strong
-
-
-
-
-
-
-
-
-
-
-
-Wong & Schlitt                Experimental                     [Page 30]
-
-RFC 4408             Sender Policy Framework (SPF)            April 2006
-
-
-   macro-string                                               expansion
-   --------------------------------------------------------------------
-   %{ir}.%{v}._spf.%{d2}             3.2.0.192.in-addr._spf.example.com
-   %{lr-}.lp._spf.%{d2}                  bad.strong.lp._spf.example.com
-
-   %{lr-}.lp.%{ir}.%{v}._spf.%{d2}
-                       bad.strong.lp.3.2.0.192.in-addr._spf.example.com
-
-   %{ir}.%{v}.%{l1r-}.lp._spf.%{d2}
-                           3.2.0.192.in-addr.strong.lp._spf.example.com
-
-   %{d2}.trusted-domains.example.net
-                                example.com.trusted-domains.example.net
-
-   IPv6:
-   %{ir}.%{v}._spf.%{d2}                               1.0.B.C.0.0.0.0.
-   0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.B.D.0.1.0.0.2.ip6._spf.example.com
-
-9.  Implications
-
-   This section outlines the major implications that adoption of this
-   document will have on various entities involved in Internet E-Mail.
-   It is intended to make clear to the reader where this document
-   knowingly affects the operation of such entities.  This section is
-   not a "how-to" manual, or a "best practices" document, and it is not
-   a comprehensive list of what such entities should do in light of this
-   document.
-
-   This section is non-normative.
-
-9.1.  Sending Domains
-
-   Domains that wish to be compliant with this specification will need
-   to determine the list of hosts that they allow to use their domain
-   name in the "HELO" and "MAIL FROM" identities.  It is recognized that
-   forming such a list is not just a simple technical exercise, but
-   involves policy decisions with both technical and administrative
-   considerations.
-
-   It can be helpful to publish records that include a "tracking
-   exists:" mechanism.  By looking at the name server logs, a rough list
-   may then be generated.  For example:
-
-      v=spf1 exists:_h.%{h}._l.%{l}._o.%{o}._i.%{i}._spf.%{d} ?all
-
-
-
-
-
-
-
-Wong & Schlitt                Experimental                     [Page 31]
-
-RFC 4408             Sender Policy Framework (SPF)            April 2006
-
-
-9.2.  Mailing Lists
-
-   Mailing lists must be aware of how they re-inject mail that is sent
-   to the list.  Mailing lists MUST comply with the requirements in
-   [RFC2821], Section 3.10, and [RFC1123], Section 5.3.6, that say that
-   the reverse-path MUST be changed to be the mailbox of a person or
-   other entity who administers the list.  Whereas the reasons for
-   changing the reverse-path are many and long-standing, SPF adds
-   enforcement to this requirement.
-
-   In practice, almost all mailing list software in use already complies
-   with this requirement.  Mailing lists that do not comply may or may
-   not encounter problems depending on how access to the list is
-   restricted.  Such lists that are entirely internal to a domain (only
-   people in the domain can send to or receive from the list) are not
-   affected.
-
-9.3.  Forwarding Services and Aliases
-
-   Forwarding services take mail that is received at a mailbox and
-   direct it to some external mailbox.  At the time of this writing, the
-   near-universal practice of such services is to use the original "MAIL
-   FROM" of a message when re-injecting it for delivery to the external
-   mailbox.  [RFC1123] and [RFC2821] describe this action as an "alias"
-   rather than a "mail list".  This means that the external mailbox's
-   MTA sees all such mail in a connection from a host of the forwarding
-   service, and so the "MAIL FROM" identity will not, in general, pass
-   authorization.
-
-   There are three places that techniques can be used to ameliorate this
-   problem.
-
-   1. The beginning, when E-Mail is first sent.
-
-       1. "Neutral" results could be given for IP addresses that may be
-          forwarders, instead of "Fail" results.  For example:
-
-             "v=spf1 mx -exists:%{ir}.sbl.spamhaus.example.org ?all"
-
-          This would cause a lookup on an anti-spam DNS blacklist
-          (DNSBL) and cause a result of "Fail" only for E-Mail coming
-          from listed sources.  All other E-Mail, including E-Mail sent
-          through forwarders, would receive a "Neutral" result.  By
-          checking the DNSBL after the known good sources, problems with
-          incorrect listing on the DNSBL are greatly reduced.
-
-
-
-
-
-
-Wong & Schlitt                Experimental                     [Page 32]
-
-RFC 4408             Sender Policy Framework (SPF)            April 2006
-
-
-       2. The "MAIL FROM" identity could have additional information in
-          the localpart that cryptographically identifies the mail as
-          coming from an authorized source.  In this case, such an SPF
-          record could be used:
-
-             "v=spf1 mx exists:%{l}._spf_verify.%{d} -all"
-
-          Then, a specialized DNS server can be set up to serve the
-          _spf_verify subdomain that validates the localpart.  Although
-          this requires an extra DNS lookup, this happens only when the
-          E-Mail would otherwise be rejected as not coming from a known
-          good source.
-
-          Note that due to the 63-character limit for domain labels,
-          this approach only works reliably if the localpart signature
-          scheme is guaranteed either to only produce localparts with a
-          maximum of 63 characters or to gracefully handle truncated
-          localparts.
-
-       3. Similarly, a specialized DNS server could be set up that will
-          rate-limit the E-Mail coming from unexpected IP addresses.
-
-             "v=spf1 mx exists:%{ir}._spf_rate.%{d} -all"
-
-       4. SPF allows the creation of per-user policies for special
-          cases.  For example, the following SPF record and appropriate
-          wildcard DNS records can be used:
-
-                 "v=spf1 mx redirect=%{l1r+}._at_.%{o}._spf.%{d}"
-
-   2.  The middle, when E-Mail is forwarded.
-
-       1. Forwarding services can solve the problem by rewriting the
-          "MAIL FROM" to be in their own domain.  This means that mail
-          bounced from the external mailbox will have to be re-bounced
-          by the forwarding service.  Various schemes to do this exist
-          though they vary widely in complexity and resource
-          requirements on the part of the forwarding service.
-
-       2. Several popular MTAs can be forced from "alias" semantics to
-          "mailing list" semantics by configuring an additional alias
-          with "owner-" prepended to the original alias name (e.g., an
-          alias of "friends: george@example.com, fred@example.org" would
-          need another alias of the form "owner-friends:  localowner").
-
-
-
-
-
-
-
-Wong & Schlitt                Experimental                     [Page 33]
-
-RFC 4408             Sender Policy Framework (SPF)            April 2006
-
-
-   3. The end, when E-Mail is received.
-
-       1. If the owner of the external mailbox wishes to trust the
-          forwarding service, he can direct the external mailbox's MTA
-          to skip SPF tests when the client host belongs to the
-          forwarding service.
-
-       2. Tests against other identities, such as the "HELO" identity,
-          may be used to override a failed test against the "MAIL FROM"
-          identity.
-
-       3. For larger domains, it may not be possible to have a complete
-          or accurate list of forwarding services used by the owners of
-          the domain's mailboxes.  In such cases, whitelists of
-          generally-recognized forwarding services could be employed.
-
-9.4.  Mail Services
-
-   Service providers that offer mail services to third-party domains,
-   such as sending of bulk mail, may want to adjust their setup in light
-   of the authorization check described in this document.  If the "MAIL
-   FROM" identity used for such E-Mail uses the domain of the service
-   provider, then the provider needs only to ensure that its sending
-   host is authorized by its own SPF record, if any.
-
-   If the "MAIL FROM" identity does not use the mail service provider's
-   domain, then extra care must be taken.  The SPF record format has
-   several options for the third-party domain to authorize the service
-   provider's MTAs to send mail on its behalf.  For mail service
-   providers, such as ISPs, that have a wide variety of customers using
-   the same MTA, steps should be taken to prevent cross-customer forgery
-   (see Section 10.4).
-
-9.5.  MTA Relays
-
-   The authorization check generally precludes the use of arbitrary MTA
-   relays between sender and receiver of an E-Mail message.
-
-   Within an organization, MTA relays can be effectively deployed.
-   However, for purposes of this document, such relays are effectively
-   transparent.  The SPF authorization check is a check between border
-   MTAs of different domains.
-
-   For mail senders, this means that published SPF records must
-   authorize any MTAs that actually send across the Internet.  Usually,
-   these are just the border MTAs as internal MTAs simply forward mail
-   to these MTAs for delivery.
-
-
-
-
-Wong & Schlitt                Experimental                     [Page 34]
-
-RFC 4408             Sender Policy Framework (SPF)            April 2006
-
-
-   Mail receivers will generally want to perform the authorization check
-   at the border MTAs, specifically including all secondary MXs.  This
-   allows mail that fails to be rejected during the SMTP session rather
-   than bounced.  Internal MTAs then do not perform the authorization
-   test.  To perform the authorization test other than at the border,
-   the host that first transferred the message to the organization must
-   be determined, which can be difficult to extract from the message
-   header.  Testing other than at the border is not recommended.
-
-10.  Security Considerations
-
-10.1.  Processing Limits
-
-   As with most aspects of E-Mail, there are a number of ways that
-   malicious parties could use the protocol as an avenue for a
-   Denial-of-Service (DoS) attack.  The processing limits outlined here
-   are designed to prevent attacks such as the following:
-
-   o  A malicious party could create an SPF record with many references
-      to a victim's domain and send many E-Mails to different SPF
-      clients; those SPF clients would then create a DoS attack.  In
-      effect, the SPF clients are being used to amplify the attacker's
-      bandwidth by using fewer bytes in the SMTP session than are used
-      by the DNS queries.  Using SPF clients also allows the attacker to
-      hide the true source of the attack.
-
-   o  Whereas implementations of check_host() are supposed to limit the
-      number of DNS lookups, malicious domains could publish records
-      that exceed these limits in an attempt to waste computation effort
-      at their targets when they send them mail.  Malicious domains
-      could also design SPF records that cause particular
-      implementations to use excessive memory or CPU usage, or to
-      trigger bugs.
-
-   o  Malicious parties could send a large volume of mail purporting to
-      come from the intended target to a wide variety of legitimate mail
-      hosts.  These legitimate machines would then present a DNS load on
-      the target as they fetched the relevant records.
-
-   Of these, the case of a third party referenced in the SPF record is
-   the easiest for a DoS attack to effectively exploit.  As a result,
-   limits that may seem reasonable for an individual mail server can
-   still allow an unreasonable amount of bandwidth amplification.
-   Therefore, the processing limits need to be quite low.
-
-   SPF implementations MUST limit the number of mechanisms and modifiers
-   that do DNS lookups to at most 10 per SPF check, including any
-   lookups caused by the use of the "include" mechanism or the
-
-
-
-Wong & Schlitt                Experimental                     [Page 35]
-
-RFC 4408             Sender Policy Framework (SPF)            April 2006
-
-
-   "redirect" modifier.  If this number is exceeded during a check, a
-   PermError MUST be returned.  The "include", "a", "mx", "ptr", and
-   "exists" mechanisms as well as the "redirect" modifier do count
-   against this limit.  The "all", "ip4", and "ip6" mechanisms do not
-   require DNS lookups and therefore do not count against this limit.
-   The "exp" modifier does not count against this limit because the DNS
-   lookup to fetch the explanation string occurs after the SPF record
-   has been evaluated.
-
-   When evaluating the "mx" and "ptr" mechanisms, or the %{p} macro,
-   there MUST be a limit of no more than 10 MX or PTR RRs looked up and
-   checked.
-
-   SPF implementations SHOULD limit the total amount of data obtained
-   from the DNS queries.  For example, when DNS over TCP or EDNS0 are
-   available, there may need to be an explicit limit to how much data
-   will be accepted to prevent excessive bandwidth usage or memory usage
-   and DoS attacks.
-
-   MTAs or other processors MAY also impose a limit on the maximum
-   amount of elapsed time to evaluate check_host().  Such a limit SHOULD
-   allow at least 20 seconds.  If such a limit is exceeded, the result
-   of authorization SHOULD be "TempError".
-
-   Domains publishing records SHOULD try to keep the number of "include"
-   mechanisms and chained "redirect" modifiers to a minimum.  Domains
-   SHOULD also try to minimize the amount of other DNS information
-   needed to evaluate a record.  This can be done by choosing directives
-   that require less DNS information and placing lower-cost mechanisms
-   earlier in the SPF record.
-
-   For example, consider a domain set up as follows:
-
-   example.com.      IN MX   10 mx.example.com.
-   mx.example.com.   IN A    192.0.2.1
-   a.example.com.    IN TXT  "v=spf1 mx:example.com -all"
-   b.example.com.    IN TXT  "v=spf1 a:mx.example.com -all"
-   c.example.com.    IN TXT  "v=spf1 ip4:192.0.2.1 -all"
-
-   Evaluating check_host() for the domain "a.example.com" requires the
-   MX records for "example.com", and then the A records for the listed
-   hosts.  Evaluating for "b.example.com" requires only the A records.
-   Evaluating for "c.example.com" requires none.
-
-   However, there may be administrative considerations: using "a" over
-   "ip4" allows hosts to be renumbered easily.  Using "mx" over "a"
-   allows the set of mail hosts to be changed easily.
-
-
-
-
-Wong & Schlitt                Experimental                     [Page 36]
-
-RFC 4408             Sender Policy Framework (SPF)            April 2006
-
-
-10.2.  SPF-Authorized E-Mail May Contain Other False Identities
-
-   The "MAIL FROM" and "HELO" identity authorizations must not be
-   construed to provide more assurance than they do.  It is entirely
-   possible for a malicious sender to inject a message using his own
-   domain in the identities used by SPF, to have that domain's SPF
-   record authorize the sending host, and yet the message can easily
-   list other identities in its header.  Unless the user or the MUA
-   takes care to note that the authorized identity does not match the
-   other more commonly-presented identities (such as the From:  header
-   field), the user may be lulled into a false sense of security.
-
-10.3.  Spoofed DNS and IP Data
-
-   There are two aspects of this protocol that malicious parties could
-   exploit to undermine the validity of the check_host() function:
-
-   o  The evaluation of check_host() relies heavily on DNS.  A malicious
-      attacker could attack the DNS infrastructure and cause
-      check_host() to see spoofed DNS data, and then return incorrect
-      results.  This could include returning "Pass" for an <ip> value
-      where the actual domain's record would evaluate to "Fail".  See
-      [RFC3833] for a description of DNS weaknesses.
-
-   o  The client IP address, <ip>, is assumed to be correct.  A
-      malicious attacker could spoof TCP sequence numbers to make mail
-      appear to come from a permitted host for a domain that the
-      attacker is impersonating.
-
-10.4.  Cross-User Forgery
-
-   By definition, SPF policies just map domain names to sets of
-   authorized MTAs, not whole E-Mail addresses to sets of authorized
-   users.  Although the "l" macro (Section 8) provides a limited way to
-   define individual sets of authorized MTAs for specific E-Mail
-   addresses, it is generally impossible to verify, through SPF, the use
-   of specific E-Mail addresses by individual users of the same MTA.
-
-   It is up to mail services and their MTAs to directly prevent
-   cross-user forgery: based on SMTP AUTH ([RFC2554]), users should be
-   restricted to using only those E-Mail addresses that are actually
-   under their control (see [RFC4409], Section 6.1).  Another means to
-   verify the identity of individual users is message cryptography such
-   as PGP ([RFC2440]) or S/MIME ([RFC3851]).
-
-
-
-
-
-
-
-Wong & Schlitt                Experimental                     [Page 37]
-
-RFC 4408             Sender Policy Framework (SPF)            April 2006
-
-
-10.5.  Untrusted Information Sources
-
-   SPF uses information supplied by third parties, such as the "HELO"
-   domain name, the "MAIL FROM" address, and SPF records.  This
-   information is then passed to the receiver in the Received-SPF: trace
-   fields and possibly returned to the client MTA in the form of an SMTP
-   rejection message.  This information must be checked for invalid
-   characters and excessively long lines.
-
-   When the authorization check fails, an explanation string may be
-   included in the reject response.  Both the sender and the rejecting
-   receiver need to be aware that the explanation was determined by the
-   publisher of the SPF record checked and, in general, not the
-   receiver.  The explanation may contain malicious URLs, or it may be
-   offensive or misleading.
-
-   This is probably less of a concern than it may initially seem since
-   such messages are returned to the sender, and the explanation strings
-   come from the sender policy published by the domain in the identity
-   claimed by that very sender.  As long as the DSN is not redirected to
-   someone other than the actual sender, the only people who see
-   malicious explanation strings are people whose messages claim to be
-   from domains that publish such strings in their SPF records.  In
-   practice, DSNs can be misdirected, such as when an MTA accepts an
-   E-Mail and then later generates a DSN to a forged address, or when an
-   E-Mail forwarder does not direct the DSN back to the original sender.
-
-10.6.  Privacy Exposure
-
-   Checking SPF records causes DNS queries to be sent to the domain
-   owner.  These DNS queries, especially if they are caused by the
-   "exists" mechanism, can contain information about who is sending
-   E-Mail and likely to which MTA the E-Mail is being sent.  This can
-   introduce some privacy concerns, which may be more or less of an
-   issue depending on local laws and the relationship between the domain
-   owner and the person sending the E-Mail.
-
-11.  Contributors and Acknowledgements
-
-   This document is largely based on the work of Meng Weng Wong and Mark
-   Lentczner.  Although, as this section acknowledges, many people have
-   contributed to this document, a very large portion of the writing and
-   editing are due to Meng and Mark.
-
-   This design owes a debt of parentage to [RMX] by Hadmut Danisch and
-   to [DMP] by Gordon Fecyk.  The idea of using a DNS record to check
-   the legitimacy of an E-Mail address traces its ancestry further back
-   through messages on the namedroppers mailing list by Paul Vixie
-
-
-
-Wong & Schlitt                Experimental                     [Page 38]
-
-RFC 4408             Sender Policy Framework (SPF)            April 2006
-
-
-   [Vixie] (based on suggestion by Jim Miller) and by David Green
-   [Green].
-
-   Philip Gladstone contributed the concept of macros to the
-   specification, multiplying the expressiveness of the language and
-   making per-user and per-IP lookups possible.
-
-   The authors would also like to thank the literally hundreds of
-   individuals who have participated in the development of this design.
-   They are far too numerous to name, but they include the following:
-
-      The folks on the spf-discuss mailing list.
-      The folks on the SPAM-L mailing list.
-      The folks on the IRTF ASRG mailing list.
-      The folks on the IETF MARID mailing list.
-      The folks on #perl.
-
-12.  IANA Considerations
-
-12.1.  The SPF DNS Record Type
-
-   The IANA has assigned a new Resource Record Type and Qtype from the
-   DNS Parameters Registry for the SPF RR type with code 99.
-
-12.2.  The Received-SPF Mail Header Field
-
-   Per [RFC3864], the "Received-SPF:" header field is added to the IANA
-   Permanent Message Header Field Registry.  The following is the
-   registration template:
-
-      Header field name: Received-SPF
-      Applicable protocol: mail ([RFC2822])
-      Status: Experimental
-      Author/Change controller: IETF
-      Specification document(s): RFC 4408
-      Related information:
-      Requesting SPF Council review of any proposed changes and
-      additions to this field are recommended.  For information about
-      the SPF Council see http://www.openspf.org/Council
-
-13.  References
-
-13.1.  Normative References
-
-   [RFC1035]  Mockapetris, P., "Domain names - implementation and
-              specification", STD 13, RFC 1035, November 1987.
-
-
-
-
-
-Wong & Schlitt                Experimental                     [Page 39]
-
-RFC 4408             Sender Policy Framework (SPF)            April 2006
-
-
-   [RFC1123]  Braden, R., "Requirements for Internet Hosts - Application
-              and Support", STD 3, RFC 1123, October 1989.
-
-   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
-              Requirement Levels", BCP 14, RFC 2119, March 1997.
-
-   [RFC2821]  Klensin, J., "Simple Mail Transfer Protocol", RFC 2821,
-              April 2001.
-
-   [RFC2822]  Resnick, P., "Internet Message Format", RFC 2822, April
-              2001.
-
-   [RFC3464]  Moore, K. and G. Vaudreuil, "An Extensible Message Format
-              for Delivery Status Notifications", RFC 3464, January
-              2003.
-
-   [RFC3513]  Hinden, R. and S. Deering, "Internet Protocol Version 6
-              (IPv6) Addressing Architecture", RFC 3513, April 2003.
-
-   [RFC3864]  Klyne, G., Nottingham, M., and J. Mogul, "Registration
-              Procedures for Message Header Fields", BCP 90, RFC 3864,
-              September 2004.
-
-   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
-              Resource Identifier (URI): Generic Syntax", STD 66, RFC
-              3986, January 2005.
-
-   [RFC4234]  Crocker, D. and P. Overell, "Augmented BNF for Syntax
-              Specifications: ABNF", RFC 4234, October 2005.
-
-   [US-ASCII] American National Standards Institute (formerly United
-              States of America Standards Institute), "USA Code for
-              Information Interchange, X3.4", 1968.
-
-   ANSI X3.4-1968 has been replaced by newer versions with slight
-              modifications, but the 1968 version remains definitive for
-              the Internet.
-
-13.2  Informative References
-
-   [RFC1034]  Mockapetris, P., "Domain names - concepts and facilities",
-              STD 13, RFC 1034, November 1987.
-
-   [RFC1983]  Malkin, G., "Internet Users' Glossary", RFC 1983, August
-              1996.
-
-   [RFC2440]  Callas, J., Donnerhacke, L., Finney, H., and R. Thayer,
-              "OpenPGP Message Format", RFC 2440, November 1998.
-
-
-
-Wong & Schlitt                Experimental                     [Page 40]
-
-RFC 4408             Sender Policy Framework (SPF)            April 2006
-
-
-   [RFC2554]  Myers, J., "SMTP Service Extension for Authentication",
-              RFC 2554, March 1999.
-
-   [RFC3696]  Klensin, J., "Application Techniques for Checking and
-              Transformation of Names", RFC 3696, February 2004.
-
-   [RFC3833]  Atkins, D. and R. Austein, "Threat Analysis of the Domain
-              Name System (DNS)", RFC 3833, August 2004.
-
-   [RFC3851]  Ramsdell, B., "Secure/Multipurpose Internet Mail
-              Extensions (S/MIME) Version 3.1 Message Specification",
-              RFC 3851, July 2004.
-
-   [RFC4409]  Gellens, R. and J. Klensin, "Message Submission for Mail",
-              RFC 4409, April 2006.
-
-   [RMX]      Danish, H., "The RMX DNS RR Type for light weight sender
-              authentication", Work In Progress
-
-   [DMP]      Fecyk, G., "Designated Mailers Protocol", Work In Progress
-
-   [Vixie]    Vixie, P., "Repudiating MAIL FROM", 2002.
-
-   [Green]    Green, D., "Domain-Authorized SMTP Mail", 2002.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Wong & Schlitt                Experimental                     [Page 41]
-
-RFC 4408             Sender Policy Framework (SPF)            April 2006
-
-
-Appendix A.  Collected ABNF
-
-   This section is normative and any discrepancies with the ABNF
-   fragments in the preceding text are to be resolved in favor of this
-   grammar.
-
-   See [RFC4234] for ABNF notation.  Please note that as per this ABNF
-   definition, literal text strings (those in quotes) are case-
-   insensitive.  Hence, "mx" matches "mx", "MX", "mX", and "Mx".
-
-   record           = version terms *SP
-   version          = "v=spf1"
-
-   terms            = *( 1*SP ( directive / modifier ) )
-
-   directive        = [ qualifier ] mechanism
-   qualifier        = "+" / "-" / "?" / "~"
-   mechanism        = ( all / include
-                      / A / MX / PTR / IP4 / IP6 / exists )
-
-   all              = "all"
-   include          = "include"  ":" domain-spec
-   A                = "a"      [ ":" domain-spec ] [ dual-cidr-length ]
-   MX               = "mx"     [ ":" domain-spec ] [ dual-cidr-length ]
-   PTR              = "ptr"    [ ":" domain-spec ]
-   IP4              = "ip4"      ":" ip4-network   [ ip4-cidr-length ]
-   IP6              = "ip6"      ":" ip6-network   [ ip6-cidr-length ]
-   exists           = "exists"   ":" domain-spec
-
-   modifier         = redirect / explanation / unknown-modifier
-   redirect         = "redirect" "=" domain-spec
-   explanation      = "exp" "=" domain-spec
-   unknown-modifier = name "=" macro-string
-
-   ip4-cidr-length  = "/" 1*DIGIT
-   ip6-cidr-length  = "/" 1*DIGIT
-   dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ]
-
-   ip4-network      = qnum "." qnum "." qnum "." qnum
-   qnum             = DIGIT                 ; 0-9
-                      / %x31-39 DIGIT       ; 10-99
-                      / "1" 2DIGIT          ; 100-199
-                      / "2" %x30-34 DIGIT   ; 200-249
-                      / "25" %x30-35        ; 250-255
-             ; conventional dotted quad notation.  e.g., 192.0.2.0
-   ip6-network      = <as per [RFC 3513], section 2.2>
-             ; e.g., 2001:DB8::CD30
-
-
-
-
-Wong & Schlitt                Experimental                     [Page 42]
-
-RFC 4408             Sender Policy Framework (SPF)            April 2006
-
-
-   domain-spec      = macro-string domain-end
-   domain-end       = ( "." toplabel [ "." ] ) / macro-expand
-   toplabel         = ( *alphanum ALPHA *alphanum ) /
-                      ( 1*alphanum "-" *( alphanum / "-" ) alphanum )
-                      ; LDH rule plus additional TLD restrictions
-                      ; (see [RFC3696], Section 2)
-
-   alphanum         = ALPHA / DIGIT
-
-   explain-string   = *( macro-string / SP )
-
-   macro-string     = *( macro-expand / macro-literal )
-   macro-expand     = ( "%{" macro-letter transformers *delimiter "}" )
-                      / "%%" / "%_" / "%-"
-   macro-literal    = %x21-24 / %x26-7E
-                      ; visible characters except "%"
-   macro-letter     = "s" / "l" / "o" / "d" / "i" / "p" / "h" /
-                      "c" / "r" / "t"
-   transformers     = *DIGIT [ "r" ]
-   delimiter        = "." / "-" / "+" / "," / "/" / "_" / "="
-
-   name             = ALPHA *( ALPHA / DIGIT / "-" / "_" / "." )
-
-   header-field     = "Received-SPF:" [CFWS] result FWS [comment FWS]
-                      [ key-value-list ] CRLF
-
-   result           = "Pass" / "Fail" / "SoftFail" / "Neutral" /
-                      "None" / "TempError" / "PermError"
-
-   key-value-list   = key-value-pair *( ";" [CFWS] key-value-pair )
-                      [";"]
-
-   key-value-pair   = key [CFWS] "=" ( dot-atom / quoted-string )
-
-   key              = "client-ip" / "envelope-from" / "helo" /
-                      "problem" / "receiver" / "identity" /
-                       mechanism / "x-" name / name
-
-   identity         = "mailfrom"   ; for the "MAIL FROM" identity
-                      / "helo"     ; for the "HELO" identity
-                      / name       ; other identities
-
-   dot-atom         = <unquoted word as per [RFC2822]>
-   quoted-string    = <quoted string as per [RFC2822]>
-   comment          = <comment string as per [RFC2822]>
-   CFWS             = <comment or folding white space as per [RFC2822]>
-   FWS              = <folding white space as per [RFC2822]>
-   CRLF             = <standard end-of-line token as per [RFC2822]>
-
-
-
-Wong & Schlitt                Experimental                     [Page 43]
-
-RFC 4408             Sender Policy Framework (SPF)            April 2006
-
-
-Appendix B.  Extended Examples
-
-   These examples are based on the following DNS setup:
-
-   ; A domain with two mail servers, two hosts
-   ; and two servers at the domain name
-   $ORIGIN example.com.
-   @           MX  10 mail-a
-               MX  20 mail-b
-               A   192.0.2.10
-               A   192.0.2.11
-   amy         A   192.0.2.65
-   bob         A   192.0.2.66
-   mail-a      A   192.0.2.129
-   mail-b      A   192.0.2.130
-   www         CNAME example.com.
-
-   ; A related domain
-   $ORIGIN example.org.
-   @           MX  10 mail-c
-   mail-c      A   192.0.2.140
-
-   ; The reverse IP for those addresses
-   $ORIGIN 2.0.192.in-addr.arpa.
-   10          PTR example.com.
-   11          PTR example.com.
-   65          PTR amy.example.com.
-   66          PTR bob.example.com.
-   129         PTR mail-a.example.com.
-   130         PTR mail-b.example.com.
-   140         PTR mail-c.example.org.
-
-   ; A rogue reverse IP domain that claims to be
-   ; something it's not
-   $ORIGIN 0.0.10.in-addr.arpa.
-   4           PTR bob.example.com.
-
-B.1.  Simple Examples
-
-   These examples show various possible published records for
-   example.com and which values if <ip> would cause check_host() to
-   return "Pass".  Note that <domain> is "example.com".
-
-   v=spf1 +all
-      -- any <ip> passes
-
-   v=spf1 a -all
-      -- hosts 192.0.2.10 and 192.0.2.11 pass
-
-
-
-Wong & Schlitt                Experimental                     [Page 44]
-
-RFC 4408             Sender Policy Framework (SPF)            April 2006
-
-
-   v=spf1 a:example.org -all
-      -- no sending hosts pass since example.org has no A records
-
-   v=spf1 mx -all
-      -- sending hosts 192.0.2.129 and 192.0.2.130 pass
-
-   v=spf1 mx:example.org -all
-      -- sending host 192.0.2.140 passes
-
-   v=spf1 mx mx:example.org -all
-      -- sending hosts 192.0.2.129, 192.0.2.130, and 192.0.2.140 pass
-
-   v=spf1 mx/30 mx:example.org/30 -all
-      -- any sending host in 192.0.2.128/30 or 192.0.2.140/30 passes
-
-   v=spf1 ptr -all
-      -- sending host 192.0.2.65 passes (reverse DNS is valid and is in
-         example.com)
-      -- sending host 192.0.2.140 fails (reverse DNS is valid, but not
-         in example.com)
-      -- sending host 10.0.0.4 fails (reverse IP is not valid)
-
-   v=spf1 ip4:192.0.2.128/28 -all
-      -- sending host 192.0.2.65 fails
-      -- sending host 192.0.2.129 passes
-
-B.2.  Multiple Domain Example
-
-   These examples show the effect of related records:
-
-      example.org: "v=spf1 include:example.com include:example.net -all"
-
-   This record would be used if mail from example.org actually came
-   through servers at example.com and example.net.  Example.org's
-   designated servers are the union of example.com's and example.net's
-   designated servers.
-
-      la.example.org: "v=spf1 redirect=example.org"
-      ny.example.org: "v=spf1 redirect=example.org"
-      sf.example.org: "v=spf1 redirect=example.org"
-
-   These records allow a set of domains that all use the same mail
-   system to make use of that mail system's record.  In this way, only
-   the mail system's record needs to be updated when the mail setup
-   changes.  These domains' records never have to change.
-
-
-
-
-
-
-Wong & Schlitt                Experimental                     [Page 45]
-
-RFC 4408             Sender Policy Framework (SPF)            April 2006
-
-
-B.3.  DNSBL Style Example
-
-   Imagine that, in addition to the domain records listed above, there
-   are these:
-
-   $ORIGIN _spf.example.com.  mary.mobile-users                   A
-   127.0.0.2 fred.mobile-users                   A 127.0.0.2
-   15.15.168.192.joel.remote-users     A 127.0.0.2
-   16.15.168.192.joel.remote-users     A 127.0.0.2
-
-   The following records describe users at example.com who mail from
-   arbitrary servers, or who mail from personal servers.
-
-   example.com:
-
-   v=spf1 mx
-          include:mobile-users._spf.%{d}
-          include:remote-users._spf.%{d}
-          -all
-
-   mobile-users._spf.example.com:
-
-   v=spf1 exists:%{l1r+}.%{d}
-
-   remote-users._spf.example.com:
-
-   v=spf1 exists:%{ir}.%{l1r+}.%{d}
-
-B.4.  Multiple Requirements Example
-
-   Say that your sender policy requires both that the IP address is
-   within a certain range and that the reverse DNS for the IP matches.
-   This can be done several ways, including the following:
-
-   example.com.           SPF  ( "v=spf1 "
-                                 "-include:ip4._spf.%{d} "
-                                 "-include:ptr._spf.%{d} "
-                                 "+all" )
-   ip4._spf.example.com.  SPF  "v=spf1 -ip4:192.0.2.0/24 +all"
-   ptr._spf.example.com.  SPF  "v=spf1 -ptr +all"
-
-   This example shows how the "-include" mechanism can be useful, how an
-   SPF record that ends in "+all" can be very restrictive, and the use
-   of De Morgan's Law.
-
-
-
-
-
-
-
-Wong & Schlitt                Experimental                     [Page 46]
-
-RFC 4408             Sender Policy Framework (SPF)            April 2006
-
-
-Authors' Addresses
-
-   Meng Weng Wong
-   Singapore
-
-   EMail: mengwong+spf@pobox.com
-
-
-   Wayne Schlitt
-   4615 Meredeth #9
-   Lincoln Nebraska, NE  68506
-   United States of America
-
-   EMail: wayne@schlitt.net
-   URI:   http://www.schlitt.net/spf/
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Wong & Schlitt                Experimental                     [Page 47]
-
-RFC 4408             Sender Policy Framework (SPF)            April 2006
-
-
-Full Copyright Statement
-
-   Copyright (C) The Internet Society (2006).
-
-   This document is subject to the rights, licenses and restrictions
-   contained in BCP 78, and except as set forth therein, the authors
-   retain all their rights.
-
-   This document and the information contained herein are provided on an
-   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
-   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
-   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
-   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
-   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Intellectual Property
-
-   The IETF takes no position regarding the validity or scope of any
-   Intellectual Property Rights or other rights that might be claimed to
-   pertain to the implementation or use of the technology described in
-   this document or the extent to which any license under such rights
-   might or might not be available; nor does it represent that it has
-   made any independent effort to identify any such rights.  Information
-   on the procedures with respect to rights in RFC documents can be
-   found in BCP 78 and BCP 79.
-
-   Copies of IPR disclosures made to the IETF Secretariat and any
-   assurances of licenses to be made available, or the result of an
-   attempt made to obtain a general license or permission for the use of
-   such proprietary rights by implementers or users of this
-   specification can be obtained from the IETF on-line IPR repository at
-   http://www.ietf.org/ipr.
-
-   The IETF invites any interested party to bring to its attention any
-   copyrights, patents or patent applications, or other proprietary
-   rights that may cover technology that may be required to implement
-   this standard.  Please address the information to the IETF at
-   ietf-ipr@ietf.org.
-
-Acknowledgement
-
-   Funding for the RFC Editor function is provided by the IETF
-   Administrative Support Activity (IASA).
-
-
-
-
-
-
-
-Wong & Schlitt                Experimental                     [Page 48]
-
diff --git a/doc/rfc/rfc4431.txt b/doc/rfc/rfc4431.txt
deleted file mode 100644
index 8b388722..00000000
--- a/doc/rfc/rfc4431.txt
+++ /dev/null
@@ -1,227 +0,0 @@
-
-
-
-
-
-
-Network Working Group                                         M. Andrews
-Request for Comments: 4431                   Internet Systems Consortium
-Category: Informational                                        S. Weiler
-                                                            SPARTA, Inc.
-                                                           February 2006
-
-
-       The DNSSEC Lookaside Validation (DLV) DNS Resource Record
-
-Status of This Memo
-
-   This memo provides information for the Internet community.  It does
-   not specify an Internet standard of any kind.  Distribution of this
-   memo is unlimited.
-
-Copyright Notice
-
-   Copyright (C) The Internet Society (2006).
-
-Abstract
-
-   This document defines a new DNS resource record, called the DNSSEC
-   Lookaside Validation (DLV) RR, for publishing DNSSEC trust anchors
-   outside of the DNS delegation chain.
-
-1.  Introduction
-
-   DNSSEC [1] [2] [3] authenticates DNS data by building public-key
-   signature chains along the DNS delegation chain from a trust anchor,
-   ideally a trust anchor for the DNS root.
-
-   This document defines a new resource record for publishing such trust
-   anchors outside of the DNS's normal delegation chain.  Use of these
-   records by DNSSEC validators is outside the scope of this document,
-   but it is expected that these records will help resolvers validate
-   DNSSEC-signed data from zones whose ancestors either aren't signed or
-   refuse to publish delegation signer (DS) records for their children.
-
-2.  DLV Resource Record
-
-   The DLV resource record has exactly the same wire and presentation
-   formats as the DS resource record, defined in RFC 4034, Section 5.
-   It uses the same IANA-assigned values in the algorithm and digest
-   type fields as the DS record.  (Those IANA registries are known as
-   the "DNS Security Algorithm Numbers" and "DS RR Type Algorithm
-   Numbers" registries.)
-
-
-
-
-
-Andrews & Weiler             Informational                      [Page 1]
-
-RFC 4431                  DLV Resource Record              February 2006
-
-
-   The DLV record is a normal DNS record type without any special
-   processing requirements.  In particular, the DLV record does not
-   inherit any of the special processing or handling requirements of the
-   DS record type (described in Section 3.1.4.1 of RFC 4035).  Unlike
-   the DS record, the DLV record may not appear on the parent's side of
-   a zone cut.  A DLV record may, however, appear at the apex of a zone.
-
-3.  Security Considerations
-
-   For authoritative servers and resolvers that do not attempt to use
-   DLV RRs as part of DNSSEC validation, there are no particular
-   security concerns -- DLV RRs are just like any other DNS data.
-
-   Software using DLV RRs as part of DNSSEC validation will almost
-   certainly want to impose constraints on their use, but those
-   constraints are best left to be described by the documents that more
-   fully describe the particulars of how the records are used.  At a
-   minimum, it would be unwise to use the records without some sort of
-   cryptographic authentication.  More likely than not, DNSSEC itself
-   will be used to authenticate the DLV RRs.  Depending on how a DLV RR
-   is used, failure to properly authenticate it could lead to
-   significant additional security problems including failure to detect
-   spoofed DNS data.
-
-   RFC 4034, Section 8, describes security considerations specific to
-   the DS RR.  Those considerations are equally applicable to DLV RRs.
-   Of particular note, the key tag field is used to help select DNSKEY
-   RRs efficiently, but it does not uniquely identify a single DNSKEY
-   RR.  It is possible for two distinct DNSKEY RRs to have the same
-   owner name, the same algorithm type, and the same key tag.  An
-   implementation that uses only the key tag to select a DNSKEY RR might
-   select the wrong public key in some circumstances.
-
-   For further discussion of the security implications of DNSSEC, see
-   RFC 4033, RFC 4034, and RFC 4035.
-
-4.  IANA Considerations
-
-   IANA has assigned DNS type code 32769 to the DLV resource record from
-   the Specification Required portion of the DNS Resource Record Type
-   registry, as defined in [4].
-
-   The DLV resource record reuses the same algorithm and digest type
-   registries already used for the DS resource record, currently known
-   as the "DNS Security Algorithm Numbers" and "DS RR Type Algorithm
-   Numbers" registries.
-
-
-
-
-
-Andrews & Weiler             Informational                      [Page 2]
-
-RFC 4431                  DLV Resource Record              February 2006
-
-
-5.  Normative References
-
-   [1]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
-        "DNS Security Introduction and Requirements", RFC 4033,
-        March 2005.
-
-   [2]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
-        "Resource Records for the DNS Security Extensions", RFC 4034,
-        March 2005.
-
-   [3]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
-        "Protocol Modifications for the DNS Security Extensions",
-        RFC 4035, March 2005.
-
-   [4]  Eastlake, D., Brunner-Williams, E., and B. Manning, "Domain Name
-        System (DNS) IANA Considerations", BCP 42, RFC 2929,
-        September 2000.
-
-Authors' Addresses
-
-   Mark Andrews
-   Internet Systems Consortium
-   950 Charter St.
-   Redwood City, CA  94063
-   US
-
-   EMail: Mark_Andrews@isc.org
-
-
-   Samuel Weiler
-   SPARTA, Inc.
-   7075 Samuel Morse Drive
-   Columbia, Maryland  21046
-   US
-
-   EMail: weiler@tislabs.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Andrews & Weiler             Informational                      [Page 3]
-
-RFC 4431                  DLV Resource Record              February 2006
-
-
-Full Copyright Statement
-
-   Copyright (C) The Internet Society (2006).
-
-   This document is subject to the rights, licenses and restrictions
-   contained in BCP 78, and except as set forth therein, the authors
-   retain all their rights.
-
-   This document and the information contained herein are provided on an
-   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
-   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
-   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
-   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
-   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Intellectual Property
-
-   The IETF takes no position regarding the validity or scope of any
-   Intellectual Property Rights or other rights that might be claimed to
-   pertain to the implementation or use of the technology described in
-   this document or the extent to which any license under such rights
-   might or might not be available; nor does it represent that it has
-   made any independent effort to identify any such rights.  Information
-   on the procedures with respect to rights in RFC documents can be
-   found in BCP 78 and BCP 79.
-
-   Copies of IPR disclosures made to the IETF Secretariat and any
-   assurances of licenses to be made available, or the result of an
-   attempt made to obtain a general license or permission for the use of
-   such proprietary rights by implementers or users of this
-   specification can be obtained from the IETF on-line IPR repository at
-   http://www.ietf.org/ipr.
-
-   The IETF invites any interested party to bring to its attention any
-   copyrights, patents or patent applications, or other proprietary
-   rights that may cover technology that may be required to implement
-   this standard.  Please address the information to the IETF at
-   ietf-ipr@ietf.org.
-
-Acknowledgement
-
-   Funding for the RFC Editor function is provided by the IETF
-   Administrative Support Activity (IASA).
-
-
-
-
-
-
-
-Andrews & Weiler             Informational                      [Page 4]
-
diff --git a/doc/rfc/rfc4470.txt b/doc/rfc/rfc4470.txt
deleted file mode 100644
index ac12d65c..00000000
--- a/doc/rfc/rfc4470.txt
+++ /dev/null
@@ -1,451 +0,0 @@
-
-
-
-
-
-
-Network Working Group                                          S. Weiler
-Request for Comments: 4470                                  SPARTA, Inc.
-Updates: 4035, 4034                                             J. Ihren
-Category: Standards Track                                  Autonomica AB
-                                                              April 2006
-
-
-       Minimally Covering NSEC Records and DNSSEC On-line Signing
-
-
-Status of This Memo
-
-   This document specifies an Internet standards track protocol for the
-   Internet community, and requests discussion and suggestions for
-   improvements.  Please refer to the current edition of the "Internet
-   Official Protocol Standards" (STD 1) for the standardization state
-   and status of this protocol.  Distribution of this memo is unlimited.
-
-Copyright Notice
-
-   Copyright (C) The Internet Society (2006).
-
-Abstract
-
-   This document describes how to construct DNSSEC NSEC resource records
-   that cover a smaller range of names than called for by RFC 4034.  By
-   generating and signing these records on demand, authoritative name
-   servers can effectively stop the disclosure of zone contents
-   otherwise made possible by walking the chain of NSEC records in a
-   signed zone.
-
-Table of Contents
-
-   1. Introduction ....................................................1
-   2. Applicability of This Technique .................................2
-   3. Minimally Covering NSEC Records .................................2
-   4. Better Epsilon Functions ........................................4
-   5. Security Considerations .........................................5
-   6. Acknowledgements ................................................6
-   7. Normative References ............................................6
-
-1.  Introduction
-
-   With DNSSEC [1], an NSEC record lists the next instantiated name in
-   its zone, proving that no names exist in the "span" between the
-   NSEC's owner name and the name in the "next name" field.  In this
-   document, an NSEC record is said to "cover" the names between its
-   owner name and next name.
-
-
-
-Weiler & Ihren              Standards Track                     [Page 1]
-
-RFC 4470                      NSEC Epsilon                    April 2006
-
-
-   Through repeated queries that return NSEC records, it is possible to
-   retrieve all of the names in the zone, a process commonly called
-   "walking" the zone.  Some zone owners have policies forbidding zone
-   transfers by arbitrary clients; this side effect of the NSEC
-   architecture subverts those policies.
-
-   This document presents a way to prevent zone walking by constructing
-   NSEC records that cover fewer names.  These records can make zone
-   walking take approximately as many queries as simply asking for all
-   possible names in a zone, making zone walking impractical.  Some of
-   these records must be created and signed on demand, which requires
-   on-line private keys.  Anyone contemplating use of this technique is
-   strongly encouraged to review the discussion of the risks of on-line
-   signing in Section 5.
-
-1.2.  Keywords
-
-   The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
-   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
-   document are to be interpreted as described in RFC 2119 [4].
-
-2.  Applicability of This Technique
-
-   The technique presented here may be useful to a zone owner that wants
-   to use DNSSEC, is concerned about exposure of its zone contents via
-   zone walking, and is willing to bear the costs of on-line signing.
-
-   As discussed in Section 5, on-line signing has several security
-   risks, including an increased likelihood of private keys being
-   disclosed and an increased risk of denial of service attack.  Anyone
-   contemplating use of this technique is strongly encouraged to review
-   the discussion of the risks of on-line signing in Section 5.
-
-   Furthermore, at the time this document was published, the DNSEXT
-   working group was actively working on a mechanism to prevent zone
-   walking that does not require on-line signing (tentatively called
-   NSEC3).  The new mechanism is likely to expose slightly more
-   information about the zone than this technique (e.g., the number of
-   instantiated names), but it may be preferable to this technique.
-
-3.  Minimally Covering NSEC Records
-
-   This mechanism involves changes to NSEC records for instantiated
-   names, which can still be generated and signed in advance, as well as
-   the on-demand generation and signing of new NSEC records whenever a
-   name must be proven not to exist.
-
-
-
-
-
-Weiler & Ihren              Standards Track                     [Page 2]
-
-RFC 4470                      NSEC Epsilon                    April 2006
-
-
-   In the "next name" field of instantiated names' NSEC records, rather
-   than list the next instantiated name in the zone, list any name that
-   falls lexically after the NSEC's owner name and before the next
-   instantiated name in the zone, according to the ordering function in
-   RFC 4034 [2] Section 6.1.  This relaxes the requirement in Section
-   4.1.1 of RFC 4034 that the "next name" field contains the next owner
-   name in the zone.  This change is expected to be fully compatible
-   with all existing DNSSEC validators.  These NSEC records are returned
-   whenever proving something specifically about the owner name (e.g.,
-   that no resource records of a given type appear at that name).
-
-   Whenever an NSEC record is needed to prove the non-existence of a
-   name, a new NSEC record is dynamically produced and signed.  The new
-   NSEC record has an owner name lexically before the QNAME but
-   lexically following any existing name and a "next name" lexically
-   following the QNAME but before any existing name.
-
-   The generated NSEC record's type bitmap MUST have the RRSIG and NSEC
-   bits set and SHOULD NOT have any other bits set.  This relaxes the
-   requirement in Section 2.3 of RFC4035 that NSEC RRs not appear at
-   names that did not exist before the zone was signed.
-
-   The functions to generate the lexically following and proceeding
-   names need not be perfect or consistent, but the generated NSEC
-   records must not cover any existing names.  Furthermore, this
-   technique works best when the generated NSEC records cover as few
-   names as possible.  In this document, the functions that generate the
-   nearby names are called "epsilon" functions, a reference to the
-   mathematical convention of using the greek letter epsilon to
-   represent small deviations.
-
-   An NSEC record denying the existence of a wildcard may be generated
-   in the same way.  Since the NSEC record covering a non-existent
-   wildcard is likely to be used in response to many queries,
-   authoritative name servers using the techniques described here may
-   want to pregenerate or cache that record and its corresponding RRSIG.
-
-   For example, a query for an A record at the non-instantiated name
-   example.com might produce the following two NSEC records, the first
-   denying the existence of the name example.com and the second denying
-   the existence of a wildcard:
-
-          exampld.com 3600 IN NSEC example-.com ( RRSIG NSEC )
-
-          \).com 3600 IN NSEC +.com ( RRSIG NSEC )
-
-
-
-
-
-
-Weiler & Ihren              Standards Track                     [Page 3]
-
-RFC 4470                      NSEC Epsilon                    April 2006
-
-
-   Before answering a query with these records, an authoritative server
-   must test for the existence of names between these endpoints.  If the
-   generated NSEC would cover existing names (e.g., exampldd.com or
-   *bizarre.example.com), a better epsilon function may be used or the
-   covered name closest to the QNAME could be used as the NSEC owner
-   name or next name, as appropriate.  If an existing name is used as
-   the NSEC owner name, that name's real NSEC record MUST be returned.
-   Using the same example, assuming an exampldd.com delegation exists,
-   this record might be returned from the parent:
-
-          exampldd.com 3600 IN NSEC example-.com ( NS DS RRSIG NSEC )
-
-   Like every authoritative record in the zone, each generated NSEC
-   record MUST have corresponding RRSIGs generated using each algorithm
-   (but not necessarily each DNSKEY) in the zone's DNSKEY RRset, as
-   described in RFC 4035 [3] Section 2.2.  To minimize the number of
-   signatures that must be generated, a zone may wish to limit the
-   number of algorithms in its DNSKEY RRset.
-
-4.  Better Epsilon Functions
-
-   Section 6.1 of RFC 4034 defines a strict ordering of DNS names.
-   Working backward from that definition, it should be possible to
-   define epsilon functions that generate the immediately following and
-   preceding names, respectively.  This document does not define such
-   functions.  Instead, this section presents functions that come
-   reasonably close to the perfect ones.  As described above, an
-   authoritative server should still ensure than no generated NSEC
-   covers any existing name.
-
-   To increment a name, add a leading label with a single null (zero-
-   value) octet.
-
-   To decrement a name, decrement the last character of the leftmost
-   label, then fill that label to a length of 63 octets with octets of
-   value 255.  To decrement a null (zero-value) octet, remove the octet
-   -- if an empty label is left, remove the label.  Defining this
-   function numerically: fill the leftmost label to its maximum length
-   with zeros (numeric, not ASCII zeros) and subtract one.
-
-   In response to a query for the non-existent name foo.example.com,
-   these functions produce NSEC records of the following:
-
-
-
-
-
-
-
-
-
-Weiler & Ihren              Standards Track                     [Page 4]
-
-RFC 4470                      NSEC Epsilon                    April 2006
-
-
-     fon\255\255\255\255\255\255\255\255\255\255\255\255\255\255
-     \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
-     \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
-     \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
-     \255.example.com 3600 IN NSEC \000.foo.example.com ( NSEC RRSIG )
-
-     \)\255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
-     \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
-     \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
-     \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
-     \255\255.example.com 3600 IN NSEC \000.*.example.com ( NSEC RRSIG )
-
-   The first of these NSEC RRs proves that no exact match for
-   foo.example.com exists, and the second proves that there is no
-   wildcard in example.com.
-
-   Both of these functions are imperfect: they do not take into account
-   constraints on number of labels in a name nor total length of a name.
-   As noted in the previous section, though, this technique does not
-   depend on the use of perfect epsilon functions: it is sufficient to
-   test whether any instantiated names fall into the span covered by the
-   generated NSEC and, if so, substitute those instantiated owner names
-   for the NSEC owner name or next name, as appropriate.
-
-5.  Security Considerations
-
-   This approach requires on-demand generation of RRSIG records.  This
-   creates several new vulnerabilities.
-
-   First, on-demand signing requires that a zone's authoritative servers
-   have access to its private keys.  Storing private keys on well-known
-   Internet-accessible servers may make them more vulnerable to
-   unintended disclosure.
-
-   Second, since generation of digital signatures tends to be
-   computationally demanding, the requirement for on-demand signing
-   makes authoritative servers vulnerable to a denial of service attack.
-
-   Last, if the epsilon functions are predictable, on-demand signing may
-   enable a chosen-plaintext attack on a zone's private keys.  Zones
-   using this approach should attempt to use cryptographic algorithms
-   that are resistant to chosen-plaintext attacks.  It is worth noting
-   that although DNSSEC has a "mandatory to implement" algorithm, that
-   is a requirement on resolvers and validators -- there is no
-   requirement that a zone be signed with any given algorithm.
-
-   The success of using minimally covering NSEC records to prevent zone
-   walking depends greatly on the quality of the epsilon functions
-
-
-
-Weiler & Ihren              Standards Track                     [Page 5]
-
-RFC 4470                      NSEC Epsilon                    April 2006
-
-
-   chosen.  An increment function that chooses a name obviously derived
-   from the next instantiated name may be easily reverse engineered,
-   destroying the value of this technique.  An increment function that
-   always returns a name close to the next instantiated name is likewise
-   a poor choice.  Good choices of epsilon functions are the ones that
-   produce the immediately following and preceding names, respectively,
-   though zone administrators may wish to use less perfect functions
-   that return more human-friendly names than the functions described in
-   Section 4 above.
-
-   Another obvious but misguided concern is the danger from synthesized
-   NSEC records being replayed.  It is possible for an attacker to
-   replay an old but still validly signed NSEC record after a new name
-   has been added in the span covered by that NSEC, incorrectly proving
-   that there is no record at that name.  This danger exists with DNSSEC
-   as defined in [3].  The techniques described here actually decrease
-   the danger, since the span covered by any NSEC record is smaller than
-   before.  Choosing better epsilon functions will further reduce this
-   danger.
-
-6.  Acknowledgements
-
-   Many individuals contributed to this design.  They include, in
-   addition to the authors of this document, Olaf Kolkman, Ed Lewis,
-   Peter Koch, Matt Larson, David Blacka, Suzanne Woolf, Jaap Akkerhuis,
-   Jakob Schlyter, Bill Manning, and Joao Damas.
-
-   In addition, the editors would like to thank Ed Lewis, Scott Rose,
-   and David Blacka for their careful review of the document.
-
-7.  Normative References
-
-   [1]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
-        "DNS Security Introduction and Requirements", RFC 4033, March
-        2005.
-
-   [2]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
-        "Resource Records for the DNS Security Extensions", RFC 4034,
-        March 2005.
-
-   [3]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
-        "Protocol Modifications for the DNS Security Extensions", RFC
-        4035, March 2005.
-
-   [4]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
-        Levels", BCP 14, RFC 2119, March 1997.
-
-
-
-
-
-Weiler & Ihren              Standards Track                     [Page 6]
-
-RFC 4470                      NSEC Epsilon                    April 2006
-
-
-Authors' Addresses
-
-   Samuel Weiler
-   SPARTA, Inc.
-   7075 Samuel Morse Drive
-   Columbia, Maryland  21046
-   US
-
-   EMail: weiler@tislabs.com
-
-
-   Johan Ihren
-   Autonomica AB
-   Bellmansgatan 30
-   Stockholm  SE-118 47
-   Sweden
-
-   EMail: johani@autonomica.se
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Weiler & Ihren              Standards Track                     [Page 7]
-
-RFC 4470                      NSEC Epsilon                    April 2006
-
-
-Full Copyright Statement
-
-   Copyright (C) The Internet Society (2006).
-
-   This document is subject to the rights, licenses and restrictions
-   contained in BCP 78, and except as set forth therein, the authors
-   retain all their rights.
-
-   This document and the information contained herein are provided on an
-   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
-   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
-   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
-   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
-   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Intellectual Property
-
-   The IETF takes no position regarding the validity or scope of any
-   Intellectual Property Rights or other rights that might be claimed to
-   pertain to the implementation or use of the technology described in
-   this document or the extent to which any license under such rights
-   might or might not be available; nor does it represent that it has
-   made any independent effort to identify any such rights.  Information
-   on the procedures with respect to rights in RFC documents can be
-   found in BCP 78 and BCP 79.
-
-   Copies of IPR disclosures made to the IETF Secretariat and any
-   assurances of licenses to be made available, or the result of an
-   attempt made to obtain a general license or permission for the use of
-   such proprietary rights by implementers or users of this
-   specification can be obtained from the IETF on-line IPR repository at
-   http://www.ietf.org/ipr.
-
-   The IETF invites any interested party to bring to its attention any
-   copyrights, patents or patent applications, or other proprietary
-   rights that may cover technology that may be required to implement
-   this standard.  Please address the information to the IETF at
-   ietf-ipr@ietf.org.
-
-Acknowledgement
-
-   Funding for the RFC Editor function is provided by the IETF
-   Administrative Support Activity (IASA).
-
-
-
-
-
-
-
-Weiler & Ihren              Standards Track                     [Page 8]
-
diff --git a/doc/rfc/rfc4634.txt b/doc/rfc/rfc4634.txt
deleted file mode 100644
index b672df8a..00000000
--- a/doc/rfc/rfc4634.txt
+++ /dev/null
@@ -1,6051 +0,0 @@
-
-
-
-
-
-
-Network Working Group                                    D. Eastlake 3rd
-Request for Comments: 4634                                 Motorola Labs
-Updates: 3174                                                  T. Hansen
-Category: Informational                                        AT&T Labs
-                                                               July 2006
-
-
-              US Secure Hash Algorithms (SHA and HMAC-SHA)
-
-Status of This Memo
-
-   This memo provides information for the Internet community.  It does
-   not specify an Internet standard of any kind.  Distribution of this
-   memo is unlimited.
-
-Copyright Notice
-
-   Copyright (C) The Internet Society (2006).
-
-Abstract
-
-   The United States of America has adopted a suite of Secure Hash
-   Algorithms (SHAs), including four beyond SHA-1, as part of a Federal
-   Information Processing Standard (FIPS), specifically SHA-224 (RFC
-   3874), SHA-256, SHA-384, and SHA-512.  The purpose of this document
-   is to make source code performing these hash functions conveniently
-   available to the Internet community.  The sample code supports input
-   strings of arbitrary bit length.  SHA-1's sample code from RFC 3174
-   has also been updated to handle input strings of arbitrary bit
-   length.  Most of the text herein was adapted by the authors from FIPS
-   180-2.
-
-   Code to perform SHA-based HMACs, with arbitrary bit length text, is
-   also included.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Eastlake 3rd & Hansen        Informational                      [Page 1]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-Table of Contents
-
-   1. Overview of Contents ............................................3
-      1.1. License ....................................................4
-   2. Notation for Bit Strings and Integers ...........................4
-   3. Operations on Words .............................................5
-   4. Message Padding and Parsing .....................................6
-      4.1. SHA-224 and SHA-256 ........................................7
-      4.2. SHA-384 and SHA-512 ........................................8
-   5. Functions and Constants Used ....................................9
-      5.1. SHA-224 and SHA-256 ........................................9
-      5.2. SHA-384 and SHA-512 .......................................10
-   6. Computing the Message Digest ...................................11
-      6.1. SHA-224 and SHA-256 Initialization ........................11
-      6.2. SHA-224 and SHA-256 Processing ............................11
-      6.3. SHA-384 and SHA-512 Initialization ........................13
-      6.4. SHA-384 and SHA-512 Processing ............................14
-   7. SHA-Based HMACs ................................................15
-   8. C Code for SHAs ................................................15
-      8.1. The .h File ...............................................18
-      8.2. The SHA Code ..............................................24
-           8.2.1. sha1.c .............................................24
-           8.2.2. sha224-256.c .......................................33
-           8.2.3. sha384-512.c .......................................45
-           8.2.4. usha.c .............................................67
-           8.2.5. sha-private.h ......................................72
-      8.3. The HMAC Code .............................................73
-      8.4. The Test Driver ...........................................78
-   9. Security Considerations .......................................106
-   10. Normative References .........................................106
-   11. Informative References .......................................106
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Eastlake 3rd & Hansen        Informational                      [Page 2]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-1.  Overview of Contents
-
-   NOTE: Much of the text below is taken from [FIPS180-2] and assertions
-   therein of the security of the algorithms described are made by the
-   US Government, the author of [FIPS180-2], and not by the authors of
-   this document.
-
-   The text below specifies Secure Hash Algorithms, SHA-224 [RFC3874],
-   SHA-256, SHA-384, and SHA-512, for computing a condensed
-   representation of a message or a data file. (SHA-1 is specified in
-   [RFC3174].)  When a message of any length < 2^64 bits (for SHA-224
-   and SHA-256) or < 2^128 bits (for SHA-384 and SHA-512) is input to
-   one of these algorithms, the result is an output called a message
-   digest.  The message digests range in length from 224 to 512 bits,
-   depending on the algorithm.  Secure hash algorithms are typically
-   used with other cryptographic algorithms, such as digital signature
-   algorithms and keyed hash authentication codes, or in the generation
-   of random numbers [RFC4086].
-
-   The four algorithms specified in this document are called secure
-   because it is computationally infeasible to (1) find a message that
-   corresponds to a given message digest, or (2) find two different
-   messages that produce the same message digest.  Any change to a
-   message in transit will, with very high probability, result in a
-   different message digest.  This will result in a verification failure
-   when the secure hash algorithm is used with a digital signature
-   algorithm or a keyed-hash message authentication algorithm.
-
-   The code provided herein supports input strings of arbitrary bit
-   length.  SHA-1's sample code from [RFC3174] has also been updated to
-   handle input strings of arbitrary bit length.  See Section 1.1 for
-   license information for this code.
-
-   Section 2 below defines the terminology and functions used as
-   building blocks to form these algorithms.  Section 3 describes the
-   fundamental operations on words from which these algorithms are
-   built.  Section 4 describes how messages are padded up to an integral
-   multiple of the required block size and then parsed into blocks.
-   Section 5 defines the constants and the composite functions used to
-   specify these algorithms.  Section 6 gives the actual specification
-   for the SHA-224, SHA-256, SHA-384, and SHA-512 functions.  Section 7
-   provides pointers to the specification of HMAC keyed message
-   authentication codes based on the SHA algorithms.  Section 8 gives
-   sample code for the SHA algorithms and Section 9 code for SHA-based
-   HMACs.  The SHA-based HMACs will accept arbitrary bit length text.
-
-
-
-
-
-
-Eastlake 3rd & Hansen        Informational                      [Page 3]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-1.1.  License
-
-   Permission is granted for all uses, commercial and non-commercial, of
-   the sample code found in Section 8.  Royalty free license to use,
-   copy, modify and distribute the software found in Section 8 is
-   granted, provided that this document is identified in all material
-   mentioning or referencing this software, and provided that
-   redistributed derivative works do not contain misleading author or
-   version information.
-
-   The authors make no representations concerning either the
-   merchantability of this software or the suitability of this software
-   for any particular purpose.  It is provided "as is" without express
-   or implied warranty of any kind.
-
-2.  Notation for Bit Strings and Integers
-
-   The following terminology related to bit strings and integers will be
-   used:
-
-    a.  A hex digit is an element of the set {0, 1, ... , 9, A, ... ,
-        F}.  A hex digit is the representation of a 4-bit string.
-        Examples: 7 = 0111, A = 1010.
-
-    b.  A word equals a 32-bit or 64-bit string, which may be
-        represented as a sequence of 8 or 16 hex digits, respectively.
-        To convert a word to hex digits, each 4-bit string is converted
-        to its hex equivalent as described in (a) above.  Example:
-
-        1010 0001 0000 0011 1111 1110 0010 0011 = A103FE23.
-
-        Throughout this document, the "big-endian" convention is used
-        when expressing both 32-bit and 64-bit words, so that within
-        each word the most significant bit is shown in the left-most bit
-        position.
-
-    c.  An integer may be represented as a word or pair of words.
-
-        An integer between 0 and 2^32 - 1 inclusive may be represented
-        as a 32-bit word.  The least significant four bits of the
-        integer are represented by the right-most hex digit of the word
-        representation.  Example: the integer 291 = 2^8+2^5+2^1+2^0 =
-        256+32+2+1 is represented by the hex word 00000123.
-
-        The same holds true for an integer between 0 and 2^64-1
-        inclusive, which may be represented as a 64-bit word.
-
-
-
-
-
-Eastlake 3rd & Hansen        Informational                      [Page 4]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-        If Z is an integer, 0 <= z < 2^64, then z = (2^32)x + y where 0
-        <= x < 2^32 and 0 <= y < 2^32.  Since x and y can be represented
-        as words X and Y, respectively, z can be represented as the pair
-        of words (X,Y).
-
-    d.  block = 512-bit or 1024-bit string.  A block (e.g., B) may be
-        represented as a sequence of 32-bit or 64-bit words.
-
-3.  Operations on Words
-
-   The following logical operators will be applied to words in all four
-   hash operations specified herein.  SHA-224 and SHA-256 operate on
-   32-bit words, while SHA-384 and SHA-512 operate on 64-bit words.
-
-   In the operations below, x<<n is obtained as follows: discard the
-   left-most n bits of x and then pad the result with n zeroed bits on
-   the right (the result will still be the same number of bits).
-
-    a.  Bitwise logical word operations
-
-        X AND Y  =  bitwise logical "and" of  X and Y.
-
-        X OR Y   =  bitwise logical "inclusive-or" of X and Y.
-
-        X XOR Y  =  bitwise logical "exclusive-or" of X and Y.
-
-        NOT X    =  bitwise logical "complement" of X.
-
-        Example:
-                 01101100101110011101001001111011
-           XOR   01100101110000010110100110110111
-                 --------------------------------
-             =   00001001011110001011101111001100
-
-    b.  The operation X + Y is defined as follows: words X and Y
-        represent w-bit integers x and y, where 0 <= x < 2^w and
-        0 <= y < 2^w.  For positive integers n and m, let
-
-             n mod m
-
-        be the remainder upon dividing n by m.  Compute
-
-             z  =  (x + y) mod 2^w.
-
-        Then 0 <= z < 2^w.  Convert z to a word, Z, and define Z = X +
-        Y.
-
-
-
-
-
-Eastlake 3rd & Hansen        Informational                      [Page 5]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-    c.  The right shift operation SHR^n(x), where x is a w-bit word and
-        n is an integer with 0 <= n < w, is defined by
-
-             SHR^n(x) = x>>n
-
-    d.  The rotate right (circular right shift) operation ROTR^n(x),
-        where x is a w-bit word and n is an integer with 0 <= n < w, is
-        defined by
-
-             ROTR^n(x) = (x>>n) OR (x<<(w-n))
-
-    e.  The rotate left (circular left shift) operation ROTL^n(x), where
-        x is a w-bit word and n is an integer with 0 <= n < w, is
-        defined by
-
-             ROTL^n(X)  =  (x<<n) OR (x>>w-n)
-
-        Note the following equivalence relationships, where w is fixed
-        in each relationship:
-
-             ROTL^n(x) = ROTR^(w-x)(x)
-
-             ROTR^n(x) = ROTL^(w-n)(x)
-
-4.  Message Padding and Parsing
-
-   The hash functions specified herein are used to compute a message
-   digest for a message or data file that is provided as input.  The
-   message or data file should be considered to be a bit string.  The
-   length of the message is the number of bits in the message (the empty
-   message has length 0).  If the number of bits in a message is a
-   multiple of 8, for compactness we can represent the message in hex.
-   The purpose of message padding is to make the total length of a
-   padded message a multiple of 512 for SHA-224 and SHA-256 or a
-   multiple of 1024 for SHA-384 and SHA-512.
-
-   The following specifies how this padding shall be performed.  As a
-   summary, a "1" followed by a number of "0"s followed by a 64-bit or
-   128-bit integer are appended to the end of the message to produce a
-   padded message of length 512*n or 1024*n.  The minimum number of "0"s
-   necessary to meet this criterion is used.  The appended integer is
-   the length of the original message.  The padded message is then
-   processed by the hash function as n 512-bit or 1024-bit blocks.
-
-
-
-
-
-
-
-
-Eastlake 3rd & Hansen        Informational                      [Page 6]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-4.1.  SHA-224 and SHA-256
-
-   Suppose a message has length L < 2^64.  Before it is input to the
-   hash function, the message is padded on the right as follows:
-
-    a.  "1" is appended.  Example: if the original message is
-        "01010000", this is padded to "010100001".
-
-    b.  K "0"s are appended where K is the smallest, non-negative
-        solution to the equation
-
-             L + 1 + K = 448 (mod 512)
-
-    c.  Then append the 64-bit block that is L in binary representation.
-        After appending this block, the length of the message will be a
-        multiple of 512 bits.
-
-        Example:  Suppose the original message is the bit string
-
-             01100001 01100010 01100011 01100100 01100101
-
-        After step (a), this gives
-
-             01100001 01100010 01100011 01100100 01100101 1
-
-        Since L = 40, the number of bits in the above is 41 and K = 407
-        "0"s are appended, making the total now 448.  This gives the
-        following in hex:
-
-             61626364 65800000 00000000 00000000
-             00000000 00000000 00000000 00000000
-             00000000 00000000 00000000 00000000
-             00000000 00000000
-
-        The 64-bit representation of L = 40 is hex 00000000 00000028.
-        Hence the final padded message is the following hex:
-
-             61626364 65800000 00000000 00000000
-             00000000 00000000 00000000 00000000
-             00000000 00000000 00000000 00000000
-             00000000 00000000 00000000 00000028
-
-
-
-
-
-
-
-
-
-
-Eastlake 3rd & Hansen        Informational                      [Page 7]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-4.2.  SHA-384 and SHA-512
-
-   Suppose a message has length L < 2^128.  Before it is input to the
-   hash function, the message is padded on the right as follows:
-
-    a.  "1" is appended.  Example: if the original message is
-        "01010000", this is padded to "010100001".
-
-    b.  K "0"s are appended where K is the smallest, non-negative
-        solution to the equation
-
-             L + 1 + K = 896 (mod 1024)
-
-    c.  Then append the 128-bit block that is L in binary
-        representation.  After appending this block, the length of the
-        message will be a multiple of 1024 bits.
-
-        Example:  Suppose the original message is the bit string
-
-             01100001 01100010 01100011 01100100 01100101
-
-        After step (a) this gives
-
-             01100001 01100010 01100011 01100100 01100101 1
-
-        Since L = 40, the number of bits in the above is 41 and K = 855
-        "0"s are appended, making the total now 896.  This gives the
-        following in hex:
-
-             61626364 65800000 00000000 00000000
-             00000000 00000000 00000000 00000000
-             00000000 00000000 00000000 00000000
-             00000000 00000000 00000000 00000000
-             00000000 00000000 00000000 00000000
-             00000000 00000000 00000000 00000000
-             00000000 00000000 00000000 00000000
-
-        The 128-bit representation of L = 40 is hex 00000000 00000000
-        00000000 00000028.  Hence the final padded message is the
-        following hex:
-
-             61626364 65800000 00000000 00000000
-             00000000 00000000 00000000 00000000
-             00000000 00000000 00000000 00000000
-             00000000 00000000 00000000 00000000
-             00000000 00000000 00000000 00000000
-
-
-
-
-
-Eastlake 3rd & Hansen        Informational                      [Page 8]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-             00000000 00000000 00000000 00000000
-             00000000 00000000 00000000 00000000
-             00000000 00000000 00000000 00000028
-
-5.  Functions and Constants Used
-
-   The following subsections give the six logical functions and the
-   table of constants used in each of the hash functions.
-
-5.1.  SHA-224 and SHA-256
-
-   SHA-224 and SHA-256 use six logical functions, where each function
-   operates on 32-bit words, which are represented as x, y, and z.  The
-   result of each function is a new 32-bit word.
-
-        CH( x, y, z) = (x AND y) XOR ( (NOT x) AND z)
-
-        MAJ( x, y, z) = (x AND y) XOR (x AND z) XOR (y AND z)
-
-        BSIG0(x) = ROTR^2(x) XOR ROTR^13(x) XOR ROTR^22(x)
-
-        BSIG1(x) = ROTR^6(x) XOR ROTR^11(x) XOR ROTR^25(x)
-
-        SSIG0(x) = ROTR^7(x) XOR ROTR^18(x) XOR SHR^3(x)
-
-        SSIG1(x) = ROTR^17(x) XOR ROTR^19(x) XOR SHR^10(x)
-
-   SHA-224 and SHA-256 use the same sequence of sixty-four constant
-   32-bit words, K0, K1, ..., K63.  These words represent the first
-   thirty-two bits of the fractional parts of the cube roots of the
-   first sixty-four prime numbers.  In hex, these constant words are as
-   follows (from left to right):
-
-        428a2f98 71374491 b5c0fbcf e9b5dba5
-        3956c25b 59f111f1 923f82a4 ab1c5ed5
-        d807aa98 12835b01 243185be 550c7dc3
-        72be5d74 80deb1fe 9bdc06a7 c19bf174
-        e49b69c1 efbe4786 0fc19dc6 240ca1cc
-        2de92c6f 4a7484aa 5cb0a9dc 76f988da
-        983e5152 a831c66d b00327c8 bf597fc7
-        c6e00bf3 d5a79147 06ca6351 14292967
-        27b70a85 2e1b2138 4d2c6dfc 53380d13
-        650a7354 766a0abb 81c2c92e 92722c85
-        a2bfe8a1 a81a664b c24b8b70 c76c51a3
-        d192e819 d6990624 f40e3585 106aa070
-        19a4c116 1e376c08 2748774c 34b0bcb5
-
-
-
-
-
-Eastlake 3rd & Hansen        Informational                      [Page 9]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-        391c0cb3 4ed8aa4a 5b9cca4f 682e6ff3
-        748f82ee 78a5636f 84c87814 8cc70208
-        90befffa a4506ceb bef9a3f7 c67178f2
-
-5.2.  SHA-384 and SHA-512
-
-   SHA-384 and SHA-512 each use six logical functions, where each
-   function operates on 64-bit words, which are represented as x, y, and
-   z.  The result of each function is a new 64-bit word.
-
-        CH( x, y, z) = (x AND y) XOR ( (NOT x) AND z)
-
-        MAJ( x, y, z) = (x AND y) XOR (x AND z) XOR (y AND z)
-
-        BSIG0(x) = ROTR^28(x) XOR ROTR^34(x) XOR ROTR^39(x)
-
-        BSIG1(x) = ROTR^14(x) XOR ROTR^18(x) XOR ROTR^41(x)
-
-        SSIG0(x) = ROTR^1(x) XOR ROTR^8(x) XOR SHR^7(x)
-
-        SSIG1(x) = ROTR^19(x) XOR ROTR^61(x) XOR SHR^6(x)
-
-   SHA-384 and SHA-512 use the same sequence of eighty constant 64-bit
-   words, K0, K1, ... K79.  These words represent the first sixty-four
-   bits of the fractional parts of the cube roots of the first eighty
-   prime numbers.  In hex, these constant words are as follows (from
-   left to right):
-
-   428a2f98d728ae22 7137449123ef65cd b5c0fbcfec4d3b2f e9b5dba58189dbbc
-   3956c25bf348b538 59f111f1b605d019 923f82a4af194f9b ab1c5ed5da6d8118
-   d807aa98a3030242 12835b0145706fbe 243185be4ee4b28c 550c7dc3d5ffb4e2
-   72be5d74f27b896f 80deb1fe3b1696b1 9bdc06a725c71235 c19bf174cf692694
-   e49b69c19ef14ad2 efbe4786384f25e3 0fc19dc68b8cd5b5 240ca1cc77ac9c65
-   2de92c6f592b0275 4a7484aa6ea6e483 5cb0a9dcbd41fbd4 76f988da831153b5
-   983e5152ee66dfab a831c66d2db43210 b00327c898fb213f bf597fc7beef0ee4
-   c6e00bf33da88fc2 d5a79147930aa725 06ca6351e003826f 142929670a0e6e70
-   27b70a8546d22ffc 2e1b21385c26c926 4d2c6dfc5ac42aed 53380d139d95b3df
-   650a73548baf63de 766a0abb3c77b2a8 81c2c92e47edaee6 92722c851482353b
-   a2bfe8a14cf10364 a81a664bbc423001 c24b8b70d0f89791 c76c51a30654be30
-   d192e819d6ef5218 d69906245565a910 f40e35855771202a 106aa07032bbd1b8
-   19a4c116b8d2d0c8 1e376c085141ab53 2748774cdf8eeb99 34b0bcb5e19b48a8
-   391c0cb3c5c95a63 4ed8aa4ae3418acb 5b9cca4f7763e373 682e6ff3d6b2b8a3
-   748f82ee5defb2fc 78a5636f43172f60 84c87814a1f0ab72 8cc702081a6439ec
-   90befffa23631e28 a4506cebde82bde9 bef9a3f7b2c67915 c67178f2e372532b
-   ca273eceea26619c d186b8c721c0c207 eada7dd6cde0eb1e f57d4f7fee6ed178
-   06f067aa72176fba 0a637dc5a2c898a6 113f9804bef90dae 1b710b35131c471b
-   28db77f523047d84 32caab7b40c72493 3c9ebe0a15c9bebc 431d67c49c100d4c
-   4cc5d4becb3e42b6 597f299cfc657e2a 5fcb6fab3ad6faec 6c44198c4a475817
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 10]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-6.  Computing the Message Digest
-
-   The output of each of the secure hash functions, after being applied
-   to a message of N blocks, is the hash quantity H(N).  For SHA-224 and
-   SHA-256, H(i) can be considered to be eight 32-bit words, H(i)0,
-   H(i)1, ... H(i)7.  For SHA-384 and SHA-512, it can be considered to
-   be eight 64-bit words, H(i)0, H(i)1, ..., H(i)7.
-
-   As described below, the hash words are initialized, modified as each
-   message block is processed, and finally concatenated after processing
-   the last block to yield the output.  For SHA-256 and SHA-512, all of
-   the H(N) variables are concatenated while the SHA-224 and SHA-384
-   hashes are produced by omitting some from the final concatenation.
-
-6.1.  SHA-224 and SHA-256 Initialization
-
-   For SHA-224, the initial hash value, H(0), consists of the following
-   32-bit words in hex:
-
-        H(0)0 = c1059ed8
-        H(0)1 = 367cd507
-        H(0)2 = 3070dd17
-        H(0)3 = f70e5939
-        H(0)4 = ffc00b31
-        H(0)5 = 68581511
-        H(0)6 = 64f98fa7
-        H(0)7 = befa4fa4
-
-   For SHA-256, the initial hash value, H(0), consists of the following
-   eight 32-bit words, in hex.  These words were obtained by taking the
-   first thirty-two bits of the fractional parts of the square roots of
-   the first eight prime numbers.
-
-        H(0)0 = 6a09e667
-        H(0)1 = bb67ae85
-        H(0)2 = 3c6ef372
-        H(0)3 = a54ff53a
-        H(0)4 = 510e527f
-        H(0)5 = 9b05688c
-        H(0)6 = 1f83d9ab
-        H(0)7 = 5be0cd19
-
-6.2.  SHA-224 and SHA-256 Processing
-
-   SHA-224 and SHA-256 perform identical processing on messages blocks
-   and differ only in how H(0) is initialized and how they produce their
-   final output.  They may be used to hash a message, M, having a length
-   of L bits, where 0 <= L < 2^64.  The algorithm uses (1) a message
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 11]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-   schedule of sixty-four 32-bit words, (2) eight working variables of
-   32 bits each, and (3) a hash value of eight 32-bit words.
-
-   The words of the message schedule are labeled W0, W1, ..., W63.  The
-   eight working variables are labeled a, b, c, d, e, f, g, and h.  The
-   words of the hash value are labeled H(i)0, H(i)1, ..., H(i)7, which
-   will hold the initial hash value, H(0), replaced by each successive
-   intermediate hash value (after each message block is processed),
-   H(i), and ending with the final hash value, H(N), after all N blocks
-   are processed.  They also use two temporary words, T1 and T2.
-
-   The input message is padded as described in Section 4.1 above then
-   parsed into 512-bit blocks, which are considered to be composed of 16
-   32-bit words M(i)0, M(i)1, ..., M(i)15.  The following computations
-   are then performed for each of the N message blocks.  All addition is
-   performed modulo 2^32.
-
-   For i = 1 to N
-
-      1. Prepare the message schedule W:
-         For t = 0 to 15
-            Wt = M(i)t
-         For t = 16 to 63
-            Wt = SSIG1(W(t-2)) + W(t-7) + SSIG0(t-15) + W(t-16)
-
-      2. Initialize the working variables:
-         a = H(i-1)0
-         b = H(i-1)1
-         c = H(i-1)2
-         d = H(i-1)3
-         e = H(i-1)4
-         f = H(i-1)5
-         g = H(i-1)6
-         h = H(i-1)7
-
-      3. Perform the main hash computation:
-         For t = 0 to 63
-            T1 = h + BSIG1(e) + CH(e,f,g) + Kt + Wt
-            T2 = BSIG0(a) + MAJ(a,b,c)
-            h = g
-            g = f
-            f = e
-            e = d + T1
-            d = c
-            c = b
-            b = a
-            a = T1 + T2
-
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 12]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-      4. Compute the intermediate hash value H(i):
-         H(i)0 = a + H(i-1)0
-         H(i)1 = b + H(i-1)1
-         H(i)2 = c + H(i-1)2
-         H(i)3 = d + H(i-1)3
-         H(i)4 = e + H(i-1)4
-         H(i)5 = f + H(i-1)5
-         H(i)6 = g + H(i-1)6
-         H(i)7 = h + H(i-1)7
-
-   After the above computations have been sequentially performed for all
-   of the blocks in the message, the final output is calculated.  For
-   SHA-256, this is the concatenation of all of H(N)0, H(N)1, through
-   H(N)7.  For SHA-224, this is the concatenation of H(N)0, H(N)1,
-   through H(N)6.
-
-6.3.  SHA-384 and SHA-512 Initialization
-
-   For SHA-384, the initial hash value, H(0), consists of the following
-   eight 64-bit words, in hex.  These words were obtained by taking the
-   first sixty-four bits of the fractional parts of the square roots of
-   the ninth through sixteenth prime numbers.
-
-        H(0)0 = cbbb9d5dc1059ed8
-        H(0)1 = 629a292a367cd507
-        H(0)2 = 9159015a3070dd17
-        H(0)3 = 152fecd8f70e5939
-        H(0)4 = 67332667ffc00b31
-        H(0)5 = 8eb44a8768581511
-        H(0)6 = db0c2e0d64f98fa7
-        H(0)7 = 47b5481dbefa4fa4
-
-   For SHA-512, the initial hash value, H(0), consists of the following
-   eight 64-bit words, in hex.  These words were obtained by taking the
-   first sixty-four bits of the fractional parts of the square roots of
-   the first eight prime numbers.
-
-        H(0)0 = 6a09e667f3bcc908
-        H(0)1 = bb67ae8584caa73b
-        H(0)2 = 3c6ef372fe94f82b
-        H(0)3 = a54ff53a5f1d36f1
-        H(0)4 = 510e527fade682d1
-        H(0)5 = 9b05688c2b3e6c1f
-        H(0)6 = 1f83d9abfb41bd6b
-        H(0)7 = 5be0cd19137e2179
-
-
-
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 13]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-6.4.  SHA-384 and SHA-512 Processing
-
-   SHA-384 and SHA-512 perform identical processing on message blocks
-   and differ only in how H(0) is initialized and how they produce their
-   final output.  They may be used to hash a message, M, having a length
-   of L bits, where 0 <= L < 2^128.  The algorithm uses (1) a message
-   schedule of eighty 64-bit words, (2) eight working variables of 64
-   bits each, and (3) a hash value of eight 64-bit words.
-
-   The words of the message schedule are labeled W0, W1, ..., W79.  The
-   eight working variables are labeled a, b, c, d, e, f, g, and h.  The
-   words of the hash value are labeled H(i)0, H(i)1, ..., H(i)7, which
-   will hold the initial hash value, H(0), replaced by each successive
-   intermediate hash value (after each message block is processed),
-   H(i), and ending with the final hash value, H(N) after all N blocks
-   are processed.
-
-   The input message is padded as described in Section 4.2 above, then
-   parsed into 1024-bit blocks, which are considered to be composed of
-   16 64-bit words M(i)0, M(i)1, ..., M(i)15.  The following
-   computations are then performed for each of the N message blocks.
-   All addition is performed modulo 2^64.
-
-   For i = 1 to N
-
-      1. Prepare the message schedule W:
-         For t = 0 to 15
-            Wt = M(i)t
-         For t = 16 to 79
-            Wt = SSIG1(W(t-2)) + W(t-7) + SSIG0(t-15) + W(t-16)
-
-      2. Initialize the working variables:
-         a = H(i-1)0
-         b = H(i-1)1
-         c = H(i-1)2
-         d = H(i-1)3
-         e = H(i-1)4
-         f = H(i-1)5
-         g = H(i-1)6
-         h = H(i-1)7
-
-      3. Perform the main hash computation:
-         For t = 0 to 79
-            T1 = h + BSIG1(e) + CH(e,f,g) + Kt + Wt
-            T2 = BSIG0(a) + MAJ(a,b,c)
-            h = g
-            g = f
-            f = e
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 14]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-            e = d + T1
-            d = c
-            c = b
-            b = a
-            a = T1 + T2
-
-      4. Compute the intermediate hash value H(i):
-         H(i)0 = a + H(i-1)0
-         H(i)1 = b + H(i-1)1
-         H(i)2 = c + H(i-1)2
-         H(i)3 = d + H(i-1)3
-         H(i)4 = e + H(i-1)4
-         H(i)5 = f + H(i-1)5
-         H(i)6 = g + H(i-1)6
-         H(i)7 = h + H(i-1)7
-
-   After the above computations have been sequentially performed for all
-   of the blocks in the message, the final output is calculated.  For
-   SHA-512, this is the concatenation of all of H(N)0, H(N)1, through
-   H(N)7.  For SHA-384, this is the concatenation of H(N)0, H(N)1,
-   through H(N)5.
-
-7.  SHA-Based HMACs
-
-   HMAC is a method for computing a keyed MAC (message authentication
-   code) using a hash function as described in [RFC2104].  It uses a key
-   to mix in with the input text to produce the final hash.
-
-   Sample code is also provided, in Section 8.3 below, to perform HMAC
-   based on any of the SHA algorithms described herein.  The sample code
-   found in [RFC2104] was written in terms of a specified text size.
-   Since SHA is defined in terms of an arbitrary number of bits, the
-   sample HMAC code has been written to allow the text input to HMAC to
-   have an arbitrary number of octets and bits.  A fixed-length
-   interface is also provided.
-
-8.  C Code for SHAs
-
-   Below is a demonstration implementation of these secure hash
-   functions in C.  Section 8.1 contains the header file sha.h, which
-   declares all constants, structures, and functions used by the sha and
-   hmac functions.  Section 8.2 contains the C code for sha1.c,
-   sha224-256.c, sha384-512.c, and usha.c along with sha-private.h,
-   which provides some declarations common to all the sha functions.
-   Section 8.3 contains the C code for the hmac functions.  Section 8.4
-   contains a test driver to exercise the code.
-
-
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 15]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-   For each of the digest length $$$, there is the following set of
-   constants, a structure, and functions:
-
-   Constants:
-      SHA$$$HashSize      number of octets in the hash
-      SHA$$$HashSizeBits  number of bits in the hash
-      SHA$$$_Message_Block_Size
-                          number of octets used in the intermediate
-                          message blocks
-      shaSuccess = 0      constant returned by each function on success
-      shaNull = 1         constant returned by each function when
-                          presented with a null pointer parameter
-      shaInputTooLong = 2  constant returned by each function when the
-                          input data is too long
-      shaStateError       constant returned by each function when
-                          SHA$$$Input is called after SHA$$$FinalBits or
-                          SHA$$$Result.
-
-   Structure:
-      typedef SHA$$$Context
-                          an opaque structure holding the complete state
-                          for producing the hash
-
-   Functions:
-                  int SHA$$$Reset(SHA$$$Context *);
-            Reset the hash context state
-      int SHA$$$Input(SHA$$$Context *, const uint8_t *octets,
-                  unsigned int bytecount);
-            Incorporate bytecount octets into the hash.
-      int SHA$$$FinalBits(SHA$$$Context *, const uint8_t octet,
-                  unsigned int bitcount);
-            Incorporate bitcount bits into the hash.  The bits are in
-            the upper portion of the octet.  SHA$$$Input() cannot be
-            called after this.
-      int SHA$$$Result(SHA$$$Context *,
-                  uint8_t Message_Digest[SHA$$$HashSize]);
-            Do the final calculations on the hash and copy the value
-            into Message_Digest.
-
-   In addition, functions with the prefix USHA are provided that take a
-   SHAversion value (SHA$$$) to select the SHA function suite.  They add
-   the following constants, structure, and functions:
-
-   Constants:
-      shaBadParam         constant returned by USHA functions when
-                          presented with a bad SHAversion (SHA$$$)
-                          parameter
-
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 16]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-      SHA$$$              SHAversion enumeration values, used by usha
-                          and hmac functions to select the SHA function
-                          suite
-
-   Structure:
-      typedef USHAContext
-                          an opaque structure holding the complete state
-                          for producing the hash
-
-   Functions:
-      int USHAReset(USHAContext *, SHAversion whichSha);
-            Reset the hash context state.
-      int USHAInput(USHAContext *,
-                  const uint8_t *bytes, unsigned int bytecount);
-            Incorporate bytecount octets into the hash.
-      int USHAFinalBits(USHAContext *,
-                  const uint8_t bits, unsigned int bitcount);
-                  Incorporate bitcount bits into the hash.
-      int USHAResult(USHAContext *,
-                  uint8_t Message_Digest[USHAMaxHashSize]);
-            Do the final calculations on the hash and copy the value
-            into Message_Digest.  Octets in Message_Digest beyond
-      USHAHashSize(whichSha) are left untouched.
-                  int USHAHashSize(enum SHAversion whichSha);
-            The number of octets in the given hash.
-      int USHAHashSizeBits(enum SHAversion whichSha);
-            The number of bits in the given hash.
-      int USHABlockSize(enum SHAversion whichSha);
-            The internal block size for the given hash.
-
-   The hmac functions follow the same pattern to allow any length of
-   text input to be used.
-
-   Structure:
-      typedef HMACContext an opaque structure holding the complete state
-                          for producing the hash
-
-   Functions:
-      int hmacReset(HMACContext *ctx, enum SHAversion whichSha,
-                  const unsigned char *key, int key_len);
-            Reset the hash context state.
-      int hmacInput(HMACContext *ctx, const unsigned char *text,
-                  int text_len);
-            Incorporate text_len octets into the hash.
-      int hmacFinalBits(HMACContext *ctx, const uint8_t bits,
-                  unsigned int bitcount);
-            Incorporate bitcount bits into the hash.
-
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 17]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-      int hmacResult(HMACContext *ctx,
-                  uint8_t Message_Digest[USHAMaxHashSize]);
-            Do the final calculations on the hash and copy the value
-            into Message_Digest.  Octets in Message_Digest beyond
-            USHAHashSize(whichSha) are left untouched.
-
-   In addition, a combined interface is provided, similar to that shown
-   in RFC 2104, that allows a fixed-length text input to be used.
-
-      int hmac(SHAversion whichSha,
-                  const unsigned char *text, int text_len,
-                  const unsigned char *key, int key_len,
-                  uint8_t Message_Digest[USHAMaxHashSize]);
-            Calculate the given digest for the given text and key, and
-            return the resulting hash.  Octets in Message_Digest beyond
-            USHAHashSize(whichSha) are left untouched.
-
-8.1.  The .h File
-
-/**************************** sha.h ****************************/
-/******************* See RFC 4634 for details ******************/
-#ifndef _SHA_H_
-#define _SHA_H_
-
-/*
- *  Description:
- *      This file implements the Secure Hash Signature Standard
- *      algorithms as defined in the National Institute of Standards
- *      and Technology Federal Information Processing Standards
- *      Publication (FIPS PUB) 180-1 published on April 17, 1995, 180-2
- *      published on August 1, 2002, and the FIPS PUB 180-2 Change
- *      Notice published on February 28, 2004.
- *
- *      A combined document showing all algorithms is available at
- *              http://csrc.nist.gov/publications/fips/
- *              fips180-2/fips180-2withchangenotice.pdf
- *
- *      The five hashes are defined in these sizes:
- *              SHA-1           20 byte / 160 bit
- *              SHA-224         28 byte / 224 bit
- *              SHA-256         32 byte / 256 bit
- *              SHA-384         48 byte / 384 bit
- *              SHA-512         64 byte / 512 bit
- */
-
-#include <stdint.h>
-/*
- * If you do not have the ISO standard stdint.h header file, then you
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 18]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
- * must typedef the following:
- *    name              meaning
- *  uint64_t         unsigned 64 bit integer
- *  uint32_t         unsigned 32 bit integer
- *  uint8_t          unsigned 8 bit integer (i.e., unsigned char)
- *  int_least16_t    integer of >= 16 bits
- *
- */
-
-#ifndef _SHA_enum_
-#define _SHA_enum_
-/*
- *  All SHA functions return one of these values.
- */
-enum {
-    shaSuccess = 0,
-    shaNull,            /* Null pointer parameter */
-    shaInputTooLong,    /* input data too long */
-    shaStateError,      /* called Input after FinalBits or Result */
-    shaBadParam         /* passed a bad parameter */
-};
-#endif /* _SHA_enum_ */
-
-/*
- *  These constants hold size information for each of the SHA
- *  hashing operations
- */
-enum {
-    SHA1_Message_Block_Size = 64, SHA224_Message_Block_Size = 64,
-    SHA256_Message_Block_Size = 64, SHA384_Message_Block_Size = 128,
-    SHA512_Message_Block_Size = 128,
-    USHA_Max_Message_Block_Size = SHA512_Message_Block_Size,
-
-    SHA1HashSize = 20, SHA224HashSize = 28, SHA256HashSize = 32,
-    SHA384HashSize = 48, SHA512HashSize = 64,
-    USHAMaxHashSize = SHA512HashSize,
-
-    SHA1HashSizeBits = 160, SHA224HashSizeBits = 224,
-    SHA256HashSizeBits = 256, SHA384HashSizeBits = 384,
-    SHA512HashSizeBits = 512, USHAMaxHashSizeBits = SHA512HashSizeBits
-};
-
-/*
- *  These constants are used in the USHA (unified sha) functions.
- */
-typedef enum SHAversion {
-    SHA1, SHA224, SHA256, SHA384, SHA512
-} SHAversion;
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 19]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-/*
- *  This structure will hold context information for the SHA-1
- *  hashing operation.
- */
-typedef struct SHA1Context {
-    uint32_t Intermediate_Hash[SHA1HashSize/4]; /* Message Digest */
-
-    uint32_t Length_Low;                /* Message length in bits */
-    uint32_t Length_High;               /* Message length in bits */
-
-    int_least16_t Message_Block_Index;  /* Message_Block array index */
-                                        /* 512-bit message blocks */
-    uint8_t Message_Block[SHA1_Message_Block_Size];
-
-    int Computed;                       /* Is the digest computed? */
-    int Corrupted;                      /* Is the digest corrupted? */
-} SHA1Context;
-
-/*
- *  This structure will hold context information for the SHA-256
- *  hashing operation.
- */
-typedef struct SHA256Context {
-    uint32_t Intermediate_Hash[SHA256HashSize/4]; /* Message Digest */
-
-    uint32_t Length_Low;                /* Message length in bits */
-    uint32_t Length_High;               /* Message length in bits */
-
-    int_least16_t Message_Block_Index;  /* Message_Block array index */
-                                        /* 512-bit message blocks */
-    uint8_t Message_Block[SHA256_Message_Block_Size];
-
-    int Computed;                       /* Is the digest computed? */
-    int Corrupted;                      /* Is the digest corrupted? */
-} SHA256Context;
-
-/*
- *  This structure will hold context information for the SHA-512
- *  hashing operation.
- */
-typedef struct SHA512Context {
-#ifdef USE_32BIT_ONLY
-    uint32_t Intermediate_Hash[SHA512HashSize/4]; /* Message Digest  */
-    uint32_t Length[4];                 /* Message length in bits */
-#else /* !USE_32BIT_ONLY */
-    uint64_t Intermediate_Hash[SHA512HashSize/8]; /* Message Digest */
-    uint64_t Length_Low, Length_High;   /* Message length in bits */
-#endif /* USE_32BIT_ONLY */
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 20]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-    int_least16_t Message_Block_Index;  /* Message_Block array index */
-                                        /* 1024-bit message blocks */
-    uint8_t Message_Block[SHA512_Message_Block_Size];
-
-    int Computed;                       /* Is the digest computed?*/
-    int Corrupted;                      /* Is the digest corrupted? */
-} SHA512Context;
-
-/*
- *  This structure will hold context information for the SHA-224
- *  hashing operation. It uses the SHA-256 structure for computation.
- */
-typedef struct SHA256Context SHA224Context;
-
-/*
- *  This structure will hold context information for the SHA-384
- *  hashing operation. It uses the SHA-512 structure for computation.
- */
-typedef struct SHA512Context SHA384Context;
-
-/*
- *  This structure holds context information for all SHA
- *  hashing operations.
- */
-typedef struct USHAContext {
-    int whichSha;               /* which SHA is being used */
-    union {
-      SHA1Context sha1Context;
-      SHA224Context sha224Context; SHA256Context sha256Context;
-      SHA384Context sha384Context; SHA512Context sha512Context;
-    } ctx;
-} USHAContext;
-
-/*
- *  This structure will hold context information for the HMAC
- *  keyed hashing operation.
- */
-typedef struct HMACContext {
-    int whichSha;               /* which SHA is being used */
-    int hashSize;               /* hash size of SHA being used */
-    int blockSize;              /* block size of SHA being used */
-    USHAContext shaContext;     /* SHA context */
-    unsigned char k_opad[USHA_Max_Message_Block_Size];
-                        /* outer padding - key XORd with opad */
-} HMACContext;
-
-
-
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 21]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-/*
- *  Function Prototypes
- */
-
-/* SHA-1 */
-extern int SHA1Reset(SHA1Context *);
-extern int SHA1Input(SHA1Context *, const uint8_t *bytes,
-                     unsigned int bytecount);
-extern int SHA1FinalBits(SHA1Context *, const uint8_t bits,
-                         unsigned int bitcount);
-extern int SHA1Result(SHA1Context *,
-                      uint8_t Message_Digest[SHA1HashSize]);
-
-/* SHA-224 */
-extern int SHA224Reset(SHA224Context *);
-extern int SHA224Input(SHA224Context *, const uint8_t *bytes,
-                       unsigned int bytecount);
-extern int SHA224FinalBits(SHA224Context *, const uint8_t bits,
-                           unsigned int bitcount);
-extern int SHA224Result(SHA224Context *,
-                        uint8_t Message_Digest[SHA224HashSize]);
-
-/* SHA-256 */
-extern int SHA256Reset(SHA256Context *);
-extern int SHA256Input(SHA256Context *, const uint8_t *bytes,
-                       unsigned int bytecount);
-extern int SHA256FinalBits(SHA256Context *, const uint8_t bits,
-                           unsigned int bitcount);
-extern int SHA256Result(SHA256Context *,
-                        uint8_t Message_Digest[SHA256HashSize]);
-
-/* SHA-384 */
-extern int SHA384Reset(SHA384Context *);
-extern int SHA384Input(SHA384Context *, const uint8_t *bytes,
-                       unsigned int bytecount);
-extern int SHA384FinalBits(SHA384Context *, const uint8_t bits,
-                           unsigned int bitcount);
-extern int SHA384Result(SHA384Context *,
-                        uint8_t Message_Digest[SHA384HashSize]);
-
-/* SHA-512 */
-extern int SHA512Reset(SHA512Context *);
-extern int SHA512Input(SHA512Context *, const uint8_t *bytes,
-                       unsigned int bytecount);
-extern int SHA512FinalBits(SHA512Context *, const uint8_t bits,
-                           unsigned int bitcount);
-extern int SHA512Result(SHA512Context *,
-                        uint8_t Message_Digest[SHA512HashSize]);
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 22]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-/* Unified SHA functions, chosen by whichSha */
-extern int USHAReset(USHAContext *, SHAversion whichSha);
-extern int USHAInput(USHAContext *,
-                     const uint8_t *bytes, unsigned int bytecount);
-extern int USHAFinalBits(USHAContext *,
-                         const uint8_t bits, unsigned int bitcount);
-extern int USHAResult(USHAContext *,
-                      uint8_t Message_Digest[USHAMaxHashSize]);
-extern int USHABlockSize(enum SHAversion whichSha);
-extern int USHAHashSize(enum SHAversion whichSha);
-extern int USHAHashSizeBits(enum SHAversion whichSha);
-
-/*
- * HMAC Keyed-Hashing for Message Authentication, RFC2104,
- * for all SHAs.
- * This interface allows a fixed-length text input to be used.
- */
-extern int hmac(SHAversion whichSha, /* which SHA algorithm to use */
-    const unsigned char *text,     /* pointer to data stream */
-    int text_len,                  /* length of data stream */
-    const unsigned char *key,      /* pointer to authentication key */
-    int key_len,                   /* length of authentication key */
-    uint8_t digest[USHAMaxHashSize]); /* caller digest to fill in */
-
-/*
- * HMAC Keyed-Hashing for Message Authentication, RFC2104,
- * for all SHAs.
- * This interface allows any length of text input to be used.
- */
-extern int hmacReset(HMACContext *ctx, enum SHAversion whichSha,
-                     const unsigned char *key, int key_len);
-extern int hmacInput(HMACContext *ctx, const unsigned char *text,
-                     int text_len);
-
-extern int hmacFinalBits(HMACContext *ctx, const uint8_t bits,
-                         unsigned int bitcount);
-extern int hmacResult(HMACContext *ctx,
-                      uint8_t digest[USHAMaxHashSize]);
-
-#endif /* _SHA_H_ */
-
-
-
-
-
-
-
-
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 23]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-8.2.  The SHA Code
-
-   This code is primarily intended as expository and could be optimized
-   further.  For example, the assignment rotations through the variables
-   a, b, ..., h could be treated as a cycle and the loop unrolled,
-   rather than doing the explicit copying.
-
-   Note that there are alternative representations of the Ch() and Maj()
-   functions controlled by an ifdef.
-
-8.2.1.  sha1.c
-
-/**************************** sha1.c ****************************/
-/******************** See RFC 4634 for details ******************/
-/*
- *  Description:
- *      This file implements the Secure Hash Signature Standard
- *      algorithms as defined in the National Institute of Standards
- *      and Technology Federal Information Processing Standards
- *      Publication (FIPS PUB) 180-1 published on April 17, 1995, 180-2
- *      published on August 1, 2002, and the FIPS PUB 180-2 Change
- *      Notice published on February 28, 2004.
- *
- *      A combined document showing all algorithms is available at
- *              http://csrc.nist.gov/publications/fips/
- *              fips180-2/fips180-2withchangenotice.pdf
- *
- *      The SHA-1 algorithm produces a 160-bit message digest for a
- *      given data stream.  It should take about 2**n steps to find a
- *      message with the same digest as a given message and
- *      2**(n/2) to find any two messages with the same digest,
- *      when n is the digest size in bits.  Therefore, this
- *      algorithm can serve as a means of providing a
- *      "fingerprint" for a message.
- *
- *  Portability Issues:
- *      SHA-1 is defined in terms of 32-bit "words".  This code
- *      uses <stdint.h> (included via "sha.h") to define 32 and 8
- *      bit unsigned integer types.  If your C compiler does not
- *      support 32 bit unsigned integers, this code is not
- *      appropriate.
- *
- *  Caveats:
- *      SHA-1 is designed to work with messages less than 2^64 bits
- *      long. This implementation uses SHA1Input() to hash the bits
- *      that are a multiple of the size of an 8-bit character, and then
- *      uses SHA1FinalBits() to hash the final few bits of the input.
- */
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 24]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-#include "sha.h"
-#include "sha-private.h"
-
-/*
- *  Define the SHA1 circular left shift macro
- */
-#define SHA1_ROTL(bits,word) \
-                (((word) << (bits)) | ((word) >> (32-(bits))))
-
-/*
- * add "length" to the length
- */
-static uint32_t addTemp;
-#define SHA1AddLength(context, length)                     \
-    (addTemp = (context)->Length_Low,                      \
-     (context)->Corrupted =                                \
-        (((context)->Length_Low += (length)) < addTemp) && \
-        (++(context)->Length_High == 0) ? 1 : 0)
-
-/* Local Function Prototypes */
-static void SHA1Finalize(SHA1Context *context, uint8_t Pad_Byte);
-static void SHA1PadMessage(SHA1Context *, uint8_t Pad_Byte);
-static void SHA1ProcessMessageBlock(SHA1Context *);
-
-/*
- *  SHA1Reset
- *
- *  Description:
- *      This function will initialize the SHA1Context in preparation
- *      for computing a new SHA1 message digest.
- *
- *  Parameters:
- *      context: [in/out]
- *          The context to reset.
- *
- *  Returns:
- *      sha Error Code.
- *
- */
-int SHA1Reset(SHA1Context *context)
-{
-    if (!context)
-        return shaNull;
-
-    context->Length_Low             = 0;
-    context->Length_High            = 0;
-    context->Message_Block_Index    = 0;
-
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 25]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-    /* Initial Hash Values: FIPS-180-2 section 5.3.1 */
-    context->Intermediate_Hash[0]   = 0x67452301;
-    context->Intermediate_Hash[1]   = 0xEFCDAB89;
-    context->Intermediate_Hash[2]   = 0x98BADCFE;
-    context->Intermediate_Hash[3]   = 0x10325476;
-    context->Intermediate_Hash[4]   = 0xC3D2E1F0;
-
-    context->Computed   = 0;
-    context->Corrupted  = 0;
-
-    return shaSuccess;
-}
-
-/*
- *  SHA1Input
- *
- *  Description:
- *      This function accepts an array of octets as the next portion
- *      of the message.
- *
- *  Parameters:
- *      context: [in/out]
- *          The SHA context to update
- *      message_array: [in]
- *          An array of characters representing the next portion of
- *          the message.
- *      length: [in]
- *          The length of the message in message_array
- *
- *  Returns:
- *      sha Error Code.
- *
- */
-int SHA1Input(SHA1Context *context,
-    const uint8_t *message_array, unsigned length)
-{
-  if (!length)
-    return shaSuccess;
-
-  if (!context || !message_array)
-    return shaNull;
-
-  if (context->Computed) {
-    context->Corrupted = shaStateError;
-    return shaStateError;
-  }
-
-  if (context->Corrupted)
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 26]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-     return context->Corrupted;
-
-  while (length-- && !context->Corrupted) {
-    context->Message_Block[context->Message_Block_Index++] =
-      (*message_array & 0xFF);
-
-    if (!SHA1AddLength(context, 8) &&
-      (context->Message_Block_Index == SHA1_Message_Block_Size))
-      SHA1ProcessMessageBlock(context);
-
-    message_array++;
-  }
-
-  return shaSuccess;
-}
-
-/*
- * SHA1FinalBits
- *
- * Description:
- *   This function will add in any final bits of the message.
- *
- * Parameters:
- *   context: [in/out]
- *     The SHA context to update
- *   message_bits: [in]
- *     The final bits of the message, in the upper portion of the
- *     byte. (Use 0b###00000 instead of 0b00000### to input the
- *     three bits ###.)
- *   length: [in]
- *     The number of bits in message_bits, between 1 and 7.
- *
- * Returns:
- *   sha Error Code.
- */
-int SHA1FinalBits(SHA1Context *context, const uint8_t message_bits,
-    unsigned int length)
-{
-  uint8_t masks[8] = {
-      /* 0 0b00000000 */ 0x00, /* 1 0b10000000 */ 0x80,
-      /* 2 0b11000000 */ 0xC0, /* 3 0b11100000 */ 0xE0,
-      /* 4 0b11110000 */ 0xF0, /* 5 0b11111000 */ 0xF8,
-      /* 6 0b11111100 */ 0xFC, /* 7 0b11111110 */ 0xFE
-  };
-  uint8_t markbit[8] = {
-      /* 0 0b10000000 */ 0x80, /* 1 0b01000000 */ 0x40,
-      /* 2 0b00100000 */ 0x20, /* 3 0b00010000 */ 0x10,
-      /* 4 0b00001000 */ 0x08, /* 5 0b00000100 */ 0x04,
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 27]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-      /* 6 0b00000010 */ 0x02, /* 7 0b00000001 */ 0x01
-  };
-
-  if (!length)
-    return shaSuccess;
-
-  if (!context)
-    return shaNull;
-
-  if (context->Computed || (length >= 8) || (length == 0)) {
-    context->Corrupted = shaStateError;
-    return shaStateError;
-  }
-
-  if (context->Corrupted)
-     return context->Corrupted;
-
-  SHA1AddLength(context, length);
-  SHA1Finalize(context,
-    (uint8_t) ((message_bits & masks[length]) | markbit[length]));
-
-  return shaSuccess;
-}
-
-/*
- * SHA1Result
- *
- * Description:
- *   This function will return the 160-bit message digest into the
- *   Message_Digest array provided by the caller.
- *   NOTE: The first octet of hash is stored in the 0th element,
- *      the last octet of hash in the 19th element.
- *
- * Parameters:
- *   context: [in/out]
- *     The context to use to calculate the SHA-1 hash.
- *   Message_Digest: [out]
- *     Where the digest is returned.
- *
- * Returns:
- *   sha Error Code.
- *
- */
-int SHA1Result(SHA1Context *context,
-    uint8_t Message_Digest[SHA1HashSize])
-{
-  int i;
-
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 28]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-  if (!context || !Message_Digest)
-    return shaNull;
-
-  if (context->Corrupted)
-    return context->Corrupted;
-
-  if (!context->Computed)
-    SHA1Finalize(context, 0x80);
-
-  for (i = 0; i < SHA1HashSize; ++i)
-    Message_Digest[i] = (uint8_t) (context->Intermediate_Hash[i>>2]
-              >> 8 * ( 3 - ( i & 0x03 ) ));
-
-  return shaSuccess;
-}
-
-/*
- * SHA1Finalize
- *
- * Description:
- *   This helper function finishes off the digest calculations.
- *
- * Parameters:
- *   context: [in/out]
- *     The SHA context to update
- *   Pad_Byte: [in]
- *     The last byte to add to the digest before the 0-padding
- *     and length. This will contain the last bits of the message
- *     followed by another single bit. If the message was an
- *     exact multiple of 8-bits long, Pad_Byte will be 0x80.
- *
- * Returns:
- *   sha Error Code.
- *
- */
-static void SHA1Finalize(SHA1Context *context, uint8_t Pad_Byte)
-{
-  int i;
-  SHA1PadMessage(context, Pad_Byte);
-  /* message may be sensitive, clear it out */
-  for (i = 0; i < SHA1_Message_Block_Size; ++i)
-    context->Message_Block[i] = 0;
-  context->Length_Low = 0;  /* and clear length */
-  context->Length_High = 0;
-  context->Computed = 1;
-}
-
-/*
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 29]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
- * SHA1PadMessage
- *
- * Description:
- *   According to the standard, the message must be padded to an
- *   even 512 bits. The first padding bit must be a '1'. The last
- *   64 bits represent the length of the original message. All bits
- *   in between should be 0. This helper function will pad the
- *   message according to those rules by filling the Message_Block
- *   array accordingly. When it returns, it can be assumed that the
- *   message digest has been computed.
- *
- * Parameters:
- *   context: [in/out]
- *     The context to pad
- *   Pad_Byte: [in]
- *     The last byte to add to the digest before the 0-padding
- *     and length. This will contain the last bits of the message
- *     followed by another single bit. If the message was an
- *     exact multiple of 8-bits long, Pad_Byte will be 0x80.
- *
- * Returns:
- *   Nothing.
- */
-static void SHA1PadMessage(SHA1Context *context, uint8_t Pad_Byte)
-{
-  /*
-   * Check to see if the current message block is too small to hold
-   * the initial padding bits and length. If so, we will pad the
-   * block, process it, and then continue padding into a second
-   * block.
-   */
-  if (context->Message_Block_Index >= (SHA1_Message_Block_Size - 8)) {
-    context->Message_Block[context->Message_Block_Index++] = Pad_Byte;
-    while (context->Message_Block_Index < SHA1_Message_Block_Size)
-      context->Message_Block[context->Message_Block_Index++] = 0;
-
-    SHA1ProcessMessageBlock(context);
-  } else
-    context->Message_Block[context->Message_Block_Index++] = Pad_Byte;
-
-  while (context->Message_Block_Index < (SHA1_Message_Block_Size - 8))
-    context->Message_Block[context->Message_Block_Index++] = 0;
-
-  /*
-   * Store the message length as the last 8 octets
-   */
-  context->Message_Block[56] = (uint8_t) (context->Length_High >> 24);
-  context->Message_Block[57] = (uint8_t) (context->Length_High >> 16);
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 30]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-  context->Message_Block[58] = (uint8_t) (context->Length_High >> 8);
-  context->Message_Block[59] = (uint8_t) (context->Length_High);
-  context->Message_Block[60] = (uint8_t) (context->Length_Low >> 24);
-  context->Message_Block[61] = (uint8_t) (context->Length_Low >> 16);
-  context->Message_Block[62] = (uint8_t) (context->Length_Low >> 8);
-  context->Message_Block[63] = (uint8_t) (context->Length_Low);
-
-  SHA1ProcessMessageBlock(context);
-}
-
-/*
- * SHA1ProcessMessageBlock
- *
- * Description:
- *   This helper function will process the next 512 bits of the
- *   message stored in the Message_Block array.
- *
- * Parameters:
- *   None.
- *
- * Returns:
- *   Nothing.
- *
- * Comments:
- *   Many of the variable names in this code, especially the
- *   single character names, were used because those were the
- *   names used in the publication.
- */
-static void SHA1ProcessMessageBlock(SHA1Context *context)
-{
-  /* Constants defined in FIPS-180-2, section 4.2.1 */
-  const uint32_t K[4] = {
-      0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6
-  };
-  int        t;               /* Loop counter */
-  uint32_t   temp;            /* Temporary word value */
-  uint32_t   W[80];           /* Word sequence */
-  uint32_t   A, B, C, D, E;   /* Word buffers */
-
-  /*
-   * Initialize the first 16 words in the array W
-   */
-  for (t = 0; t < 16; t++) {
-    W[t]  = ((uint32_t)context->Message_Block[t * 4]) << 24;
-    W[t] |= ((uint32_t)context->Message_Block[t * 4 + 1]) << 16;
-    W[t] |= ((uint32_t)context->Message_Block[t * 4 + 2]) << 8;
-    W[t] |= ((uint32_t)context->Message_Block[t * 4 + 3]);
-  }
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 31]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-  for (t = 16; t < 80; t++)
-    W[t] = SHA1_ROTL(1, W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16]);
-
-  A = context->Intermediate_Hash[0];
-  B = context->Intermediate_Hash[1];
-  C = context->Intermediate_Hash[2];
-  D = context->Intermediate_Hash[3];
-  E = context->Intermediate_Hash[4];
-
-  for (t = 0; t < 20; t++) {
-    temp = SHA1_ROTL(5,A) + SHA_Ch(B, C, D) + E + W[t] + K[0];
-    E = D;
-    D = C;
-    C = SHA1_ROTL(30,B);
-    B = A;
-    A = temp;
-  }
-
-  for (t = 20; t < 40; t++) {
-    temp = SHA1_ROTL(5,A) + SHA_Parity(B, C, D) + E + W[t] + K[1];
-    E = D;
-    D = C;
-    C = SHA1_ROTL(30,B);
-    B = A;
-    A = temp;
-  }
-
-  for (t = 40; t < 60; t++) {
-    temp = SHA1_ROTL(5,A) + SHA_Maj(B, C, D) + E + W[t] + K[2];
-    E = D;
-    D = C;
-    C = SHA1_ROTL(30,B);
-    B = A;
-    A = temp;
-  }
-
-  for (t = 60; t < 80; t++) {
-    temp = SHA1_ROTL(5,A) + SHA_Parity(B, C, D) + E + W[t] + K[3];
-    E = D;
-    D = C;
-    C = SHA1_ROTL(30,B);
-    B = A;
-    A = temp;
-  }
-
-  context->Intermediate_Hash[0] += A;
-  context->Intermediate_Hash[1] += B;
-  context->Intermediate_Hash[2] += C;
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 32]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-  context->Intermediate_Hash[3] += D;
-  context->Intermediate_Hash[4] += E;
-
-  context->Message_Block_Index = 0;
-}
-
-8.2.2.  sha224-256.c
-
-/*************************** sha224-256.c ***************************/
-/********************* See RFC 4634 for details *********************/
-/*
- * Description:
- *   This file implements the Secure Hash Signature Standard
- *   algorithms as defined in the National Institute of Standards
- *   and Technology Federal Information Processing Standards
- *   Publication (FIPS PUB) 180-1 published on April 17, 1995, 180-2
- *   published on August 1, 2002, and the FIPS PUB 180-2 Change
- *   Notice published on February 28, 2004.
- *
- *   A combined document showing all algorithms is available at
- *       http://csrc.nist.gov/publications/fips/
- *       fips180-2/fips180-2withchangenotice.pdf
- *
- *   The SHA-224 and SHA-256 algorithms produce 224-bit and 256-bit
- *   message digests for a given data stream. It should take about
- *   2**n steps to find a message with the same digest as a given
- *   message and 2**(n/2) to find any two messages with the same
- *   digest, when n is the digest size in bits. Therefore, this
- *   algorithm can serve as a means of providing a
- *   "fingerprint" for a message.
- *
- * Portability Issues:
- *   SHA-224 and SHA-256 are defined in terms of 32-bit "words".
- *   This code uses <stdint.h> (included via "sha.h") to define 32
- *   and 8 bit unsigned integer types. If your C compiler does not
- *   support 32 bit unsigned integers, this code is not
- *   appropriate.
- *
- * Caveats:
- *   SHA-224 and SHA-256 are designed to work with messages less
- *   than 2^64 bits long. This implementation uses SHA224/256Input()
- *   to hash the bits that are a multiple of the size of an 8-bit
- *   character, and then uses SHA224/256FinalBits() to hash the
- *   final few bits of the input.
- */
-
-#include "sha.h"
-#include "sha-private.h"
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 33]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-/* Define the SHA shift, rotate left and rotate right macro */
-#define SHA256_SHR(bits,word)      ((word) >> (bits))
-#define SHA256_ROTL(bits,word)                         \
-  (((word) << (bits)) | ((word) >> (32-(bits))))
-#define SHA256_ROTR(bits,word)                         \
-  (((word) >> (bits)) | ((word) << (32-(bits))))
-
-/* Define the SHA SIGMA and sigma macros */
-#define SHA256_SIGMA0(word)   \
-  (SHA256_ROTR( 2,word) ^ SHA256_ROTR(13,word) ^ SHA256_ROTR(22,word))
-#define SHA256_SIGMA1(word)   \
-  (SHA256_ROTR( 6,word) ^ SHA256_ROTR(11,word) ^ SHA256_ROTR(25,word))
-#define SHA256_sigma0(word)   \
-  (SHA256_ROTR( 7,word) ^ SHA256_ROTR(18,word) ^ SHA256_SHR( 3,word))
-#define SHA256_sigma1(word)   \
-  (SHA256_ROTR(17,word) ^ SHA256_ROTR(19,word) ^ SHA256_SHR(10,word))
-
-/*
- * add "length" to the length
- */
-static uint32_t addTemp;
-#define SHA224_256AddLength(context, length)               \
-  (addTemp = (context)->Length_Low, (context)->Corrupted = \
-    (((context)->Length_Low += (length)) < addTemp) &&     \
-    (++(context)->Length_High == 0) ? 1 : 0)
-
-/* Local Function Prototypes */
-static void SHA224_256Finalize(SHA256Context *context,
-  uint8_t Pad_Byte);
-static void SHA224_256PadMessage(SHA256Context *context,
-  uint8_t Pad_Byte);
-static void SHA224_256ProcessMessageBlock(SHA256Context *context);
-static int SHA224_256Reset(SHA256Context *context, uint32_t *H0);
-static int SHA224_256ResultN(SHA256Context *context,
-  uint8_t Message_Digest[], int HashSize);
-
-/* Initial Hash Values: FIPS-180-2 Change Notice 1 */
-static uint32_t SHA224_H0[SHA256HashSize/4] = {
-    0xC1059ED8, 0x367CD507, 0x3070DD17, 0xF70E5939,
-    0xFFC00B31, 0x68581511, 0x64F98FA7, 0xBEFA4FA4
-};
-
-/* Initial Hash Values: FIPS-180-2 section 5.3.2 */
-static uint32_t SHA256_H0[SHA256HashSize/4] = {
-  0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A,
-  0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19
-};
-
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 34]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-/*
- * SHA224Reset
- *
- * Description:
- *   This function will initialize the SHA384Context in preparation
- *   for computing a new SHA224 message digest.
- *
- * Parameters:
- *   context: [in/out]
- *     The context to reset.
- *
- * Returns:
- *   sha Error Code.
- */
-int SHA224Reset(SHA224Context *context)
-{
-  return SHA224_256Reset(context, SHA224_H0);
-}
-
-/*
- * SHA224Input
- *
- * Description:
- *   This function accepts an array of octets as the next portion
- *   of the message.
- *
- * Parameters:
- *   context: [in/out]
- *     The SHA context to update
- *   message_array: [in]
- *     An array of characters representing the next portion of
- *     the message.
- *   length: [in]
- *     The length of the message in message_array
- *
- * Returns:
- *   sha Error Code.
- *
- */
-int SHA224Input(SHA224Context *context, const uint8_t *message_array,
-    unsigned int length)
-{
-  return SHA256Input(context, message_array, length);
-}
-
-/*
- * SHA224FinalBits
- *
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 35]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
- * Description:
- *   This function will add in any final bits of the message.
- *
- * Parameters:
- *   context: [in/out]
- *     The SHA context to update
- *   message_bits: [in]
- *     The final bits of the message, in the upper portion of the
- *     byte. (Use 0b###00000 instead of 0b00000### to input the
- *     three bits ###.)
- *   length: [in]
- *     The number of bits in message_bits, between 1 and 7.
- *
- * Returns:
- *   sha Error Code.
- */
-int SHA224FinalBits( SHA224Context *context,
-    const uint8_t message_bits, unsigned int length)
-{
-  return SHA256FinalBits(context, message_bits, length);
-}
-
-/*
- * SHA224Result
- *
- * Description:
- *   This function will return the 224-bit message
- *   digest into the Message_Digest array provided by the caller.
- *   NOTE: The first octet of hash is stored in the 0th element,
- *      the last octet of hash in the 28th element.
- *
- * Parameters:
- *   context: [in/out]
- *     The context to use to calculate the SHA hash.
- *   Message_Digest: [out]
- *     Where the digest is returned.
- *
- * Returns:
- *   sha Error Code.
- */
-int SHA224Result(SHA224Context *context,
-    uint8_t Message_Digest[SHA224HashSize])
-{
-  return SHA224_256ResultN(context, Message_Digest, SHA224HashSize);
-}
-
-/*
- * SHA256Reset
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 36]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
- *
- * Description:
- *   This function will initialize the SHA256Context in preparation
- *   for computing a new SHA256 message digest.
- *
- * Parameters:
- *   context: [in/out]
- *     The context to reset.
- *
- * Returns:
- *   sha Error Code.
- */
-int SHA256Reset(SHA256Context *context)
-{
-  return SHA224_256Reset(context, SHA256_H0);
-}
-
-/*
- * SHA256Input
- *
- * Description:
- *   This function accepts an array of octets as the next portion
- *   of the message.
- *
- * Parameters:
- *   context: [in/out]
- *     The SHA context to update
- *   message_array: [in]
- *     An array of characters representing the next portion of
- *     the message.
- *   length: [in]
- *     The length of the message in message_array
- *
- * Returns:
- *   sha Error Code.
- */
-int SHA256Input(SHA256Context *context, const uint8_t *message_array,
-    unsigned int length)
-{
-  if (!length)
-    return shaSuccess;
-
-  if (!context || !message_array)
-    return shaNull;
-
-  if (context->Computed) {
-    context->Corrupted = shaStateError;
-    return shaStateError;
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 37]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-  }
-
-  if (context->Corrupted)
-     return context->Corrupted;
-
-  while (length-- && !context->Corrupted) {
-    context->Message_Block[context->Message_Block_Index++] =
-            (*message_array & 0xFF);
-
-    if (!SHA224_256AddLength(context, 8) &&
-      (context->Message_Block_Index == SHA256_Message_Block_Size))
-      SHA224_256ProcessMessageBlock(context);
-
-    message_array++;
-  }
-
-  return shaSuccess;
-
-}
-
-/*
- * SHA256FinalBits
- *
- * Description:
- *   This function will add in any final bits of the message.
- *
- * Parameters:
- *   context: [in/out]
- *     The SHA context to update
- *   message_bits: [in]
- *     The final bits of the message, in the upper portion of the
- *     byte. (Use 0b###00000 instead of 0b00000### to input the
- *     three bits ###.)
- *   length: [in]
- *     The number of bits in message_bits, between 1 and 7.
- *
- * Returns:
- *   sha Error Code.
- */
-int SHA256FinalBits(SHA256Context *context,
-    const uint8_t message_bits, unsigned int length)
-{
-  uint8_t masks[8] = {
-      /* 0 0b00000000 */ 0x00, /* 1 0b10000000 */ 0x80,
-      /* 2 0b11000000 */ 0xC0, /* 3 0b11100000 */ 0xE0,
-      /* 4 0b11110000 */ 0xF0, /* 5 0b11111000 */ 0xF8,
-      /* 6 0b11111100 */ 0xFC, /* 7 0b11111110 */ 0xFE
-  };
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 38]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-  uint8_t markbit[8] = {
-      /* 0 0b10000000 */ 0x80, /* 1 0b01000000 */ 0x40,
-      /* 2 0b00100000 */ 0x20, /* 3 0b00010000 */ 0x10,
-      /* 4 0b00001000 */ 0x08, /* 5 0b00000100 */ 0x04,
-      /* 6 0b00000010 */ 0x02, /* 7 0b00000001 */ 0x01
-  };
-
-  if (!length)
-    return shaSuccess;
-
-  if (!context)
-    return shaNull;
-
-  if ((context->Computed) || (length >= 8) || (length == 0)) {
-    context->Corrupted = shaStateError;
-    return shaStateError;
-  }
-
-  if (context->Corrupted)
-    return context->Corrupted;
-
-  SHA224_256AddLength(context, length);
-  SHA224_256Finalize(context, (uint8_t)
-    ((message_bits & masks[length]) | markbit[length]));
-
-  return shaSuccess;
-}
-
-/*
- * SHA256Result
- *
- * Description:
- *   This function will return the 256-bit message
- *   digest into the Message_Digest array provided by the caller.
- *   NOTE: The first octet of hash is stored in the 0th element,
- *      the last octet of hash in the 32nd element.
- *
- * Parameters:
- *   context: [in/out]
- *     The context to use to calculate the SHA hash.
- *   Message_Digest: [out]
- *     Where the digest is returned.
- *
- * Returns:
- *   sha Error Code.
- */
-int SHA256Result(SHA256Context *context, uint8_t Message_Digest[])
-{
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 39]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-  return SHA224_256ResultN(context, Message_Digest, SHA256HashSize);
-}
-
-/*
- * SHA224_256Finalize
- *
- * Description:
- *   This helper function finishes off the digest calculations.
- *
- * Parameters:
- *   context: [in/out]
- *     The SHA context to update
- *   Pad_Byte: [in]
- *     The last byte to add to the digest before the 0-padding
- *     and length. This will contain the last bits of the message
- *     followed by another single bit. If the message was an
- *     exact multiple of 8-bits long, Pad_Byte will be 0x80.
- *
- * Returns:
- *   sha Error Code.
- */
-static void SHA224_256Finalize(SHA256Context *context,
-    uint8_t Pad_Byte)
-{
-  int i;
-  SHA224_256PadMessage(context, Pad_Byte);
-  /* message may be sensitive, so clear it out */
-  for (i = 0; i < SHA256_Message_Block_Size; ++i)
-    context->Message_Block[i] = 0;
-  context->Length_Low = 0;  /* and clear length */
-  context->Length_High = 0;
-  context->Computed = 1;
-}
-
-/*
- * SHA224_256PadMessage
- *
- * Description:
- *   According to the standard, the message must be padded to an
- *   even 512 bits. The first padding bit must be a '1'. The
- *   last 64 bits represent the length of the original message.
- *   All bits in between should be 0. This helper function will pad
- *   the message according to those rules by filling the
- *   Message_Block array accordingly. When it returns, it can be
- *   assumed that the message digest has been computed.
- *
- * Parameters:
- *   context: [in/out]
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 40]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
- *     The context to pad
- *   Pad_Byte: [in]
- *     The last byte to add to the digest before the 0-padding
- *     and length. This will contain the last bits of the message
- *     followed by another single bit. If the message was an
- *     exact multiple of 8-bits long, Pad_Byte will be 0x80.
- *
- * Returns:
- *   Nothing.
- */
-static void SHA224_256PadMessage(SHA256Context *context,
-    uint8_t Pad_Byte)
-{
-  /*
-   * Check to see if the current message block is too small to hold
-   * the initial padding bits and length. If so, we will pad the
-   * block, process it, and then continue padding into a second
-   * block.
-   */
-  if (context->Message_Block_Index >= (SHA256_Message_Block_Size-8)) {
-    context->Message_Block[context->Message_Block_Index++] = Pad_Byte;
-    while (context->Message_Block_Index < SHA256_Message_Block_Size)
-      context->Message_Block[context->Message_Block_Index++] = 0;
-    SHA224_256ProcessMessageBlock(context);
-  } else
-    context->Message_Block[context->Message_Block_Index++] = Pad_Byte;
-
-  while (context->Message_Block_Index < (SHA256_Message_Block_Size-8))
-    context->Message_Block[context->Message_Block_Index++] = 0;
-
-  /*
-   * Store the message length as the last 8 octets
-   */
-  context->Message_Block[56] = (uint8_t)(context->Length_High >> 24);
-  context->Message_Block[57] = (uint8_t)(context->Length_High >> 16);
-  context->Message_Block[58] = (uint8_t)(context->Length_High >> 8);
-  context->Message_Block[59] = (uint8_t)(context->Length_High);
-  context->Message_Block[60] = (uint8_t)(context->Length_Low >> 24);
-  context->Message_Block[61] = (uint8_t)(context->Length_Low >> 16);
-  context->Message_Block[62] = (uint8_t)(context->Length_Low >> 8);
-  context->Message_Block[63] = (uint8_t)(context->Length_Low);
-
-  SHA224_256ProcessMessageBlock(context);
-}
-
-/*
- * SHA224_256ProcessMessageBlock
- *
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 41]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
- * Description:
- *   This function will process the next 512 bits of the message
- *   stored in the Message_Block array.
- *
- * Parameters:
- *   context: [in/out]
- *     The SHA context to update
- *
- * Returns:
- *   Nothing.
- *
- * Comments:
- *   Many of the variable names in this code, especially the
- *   single character names, were used because those were the
- *   names used in the publication.
- */
-static void SHA224_256ProcessMessageBlock(SHA256Context *context)
-{
-  /* Constants defined in FIPS-180-2, section 4.2.2 */
-  static const uint32_t K[64] = {
-      0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b,
-      0x59f111f1, 0x923f82a4, 0xab1c5ed5, 0xd807aa98, 0x12835b01,
-      0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7,
-      0xc19bf174, 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
-      0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, 0x983e5152,
-      0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147,
-      0x06ca6351, 0x14292967, 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc,
-      0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
-      0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819,
-      0xd6990624, 0xf40e3585, 0x106aa070, 0x19a4c116, 0x1e376c08,
-      0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f,
-      0x682e6ff3, 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
-      0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
-  };
-  int        t, t4;                   /* Loop counter */
-  uint32_t   temp1, temp2;            /* Temporary word value */
-  uint32_t   W[64];                   /* Word sequence */
-  uint32_t   A, B, C, D, E, F, G, H;  /* Word buffers */
-
-  /*
-   * Initialize the first 16 words in the array W
-   */
-  for (t = t4 = 0; t < 16; t++, t4 += 4)
-    W[t] = (((uint32_t)context->Message_Block[t4]) << 24) |
-           (((uint32_t)context->Message_Block[t4 + 1]) << 16) |
-           (((uint32_t)context->Message_Block[t4 + 2]) << 8) |
-           (((uint32_t)context->Message_Block[t4 + 3]));
-
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 42]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-  for (t = 16; t < 64; t++)
-    W[t] = SHA256_sigma1(W[t-2]) + W[t-7] +
-        SHA256_sigma0(W[t-15]) + W[t-16];
-
-  A = context->Intermediate_Hash[0];
-  B = context->Intermediate_Hash[1];
-  C = context->Intermediate_Hash[2];
-  D = context->Intermediate_Hash[3];
-  E = context->Intermediate_Hash[4];
-  F = context->Intermediate_Hash[5];
-  G = context->Intermediate_Hash[6];
-  H = context->Intermediate_Hash[7];
-
-  for (t = 0; t < 64; t++) {
-    temp1 = H + SHA256_SIGMA1(E) + SHA_Ch(E,F,G) + K[t] + W[t];
-    temp2 = SHA256_SIGMA0(A) + SHA_Maj(A,B,C);
-    H = G;
-    G = F;
-    F = E;
-    E = D + temp1;
-    D = C;
-    C = B;
-    B = A;
-    A = temp1 + temp2;
-  }
-
-  context->Intermediate_Hash[0] += A;
-  context->Intermediate_Hash[1] += B;
-  context->Intermediate_Hash[2] += C;
-  context->Intermediate_Hash[3] += D;
-  context->Intermediate_Hash[4] += E;
-  context->Intermediate_Hash[5] += F;
-  context->Intermediate_Hash[6] += G;
-  context->Intermediate_Hash[7] += H;
-
-  context->Message_Block_Index = 0;
-}
-
-/*
- * SHA224_256Reset
- *
- * Description:
- *   This helper function will initialize the SHA256Context in
- *   preparation for computing a new SHA256 message digest.
- *
- * Parameters:
- *   context: [in/out]
- *     The context to reset.
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 43]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
- *   H0
- *     The initial hash value to use.
- *
- * Returns:
- *   sha Error Code.
- */
-static int SHA224_256Reset(SHA256Context *context, uint32_t *H0)
-{
-  if (!context)
-    return shaNull;
-
-  context->Length_Low           = 0;
-  context->Length_High          = 0;
-  context->Message_Block_Index  = 0;
-
-  context->Intermediate_Hash[0] = H0[0];
-  context->Intermediate_Hash[1] = H0[1];
-  context->Intermediate_Hash[2] = H0[2];
-  context->Intermediate_Hash[3] = H0[3];
-  context->Intermediate_Hash[4] = H0[4];
-  context->Intermediate_Hash[5] = H0[5];
-  context->Intermediate_Hash[6] = H0[6];
-  context->Intermediate_Hash[7] = H0[7];
-
-  context->Computed  = 0;
-  context->Corrupted = 0;
-
-  return shaSuccess;
-}
-
-/*
- * SHA224_256ResultN
- *
- * Description:
- *   This helper function will return the 224-bit or 256-bit message
- *   digest into the Message_Digest array provided by the caller.
- *   NOTE: The first octet of hash is stored in the 0th element,
- *      the last octet of hash in the 28th/32nd element.
- *
- * Parameters:
- *   context: [in/out]
- *     The context to use to calculate the SHA hash.
- *   Message_Digest: [out]
- *     Where the digest is returned.
- *   HashSize: [in]
- *     The size of the hash, either 28 or 32.
- *
- * Returns:
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 44]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
- *   sha Error Code.
- */
-static int SHA224_256ResultN(SHA256Context *context,
-    uint8_t Message_Digest[], int HashSize)
-{
-  int i;
-
-  if (!context || !Message_Digest)
-    return shaNull;
-
-  if (context->Corrupted)
-    return context->Corrupted;
-
-  if (!context->Computed)
-    SHA224_256Finalize(context, 0x80);
-
-  for (i = 0; i < HashSize; ++i)
-    Message_Digest[i] = (uint8_t)
-      (context->Intermediate_Hash[i>>2] >> 8 * ( 3 - ( i & 0x03 ) ));
-
-  return shaSuccess;
-}
-
-8.2.3.  sha384-512.c
-
-/*************************** sha384-512.c ***************************/
-/********************* See RFC 4634 for details *********************/
-/*
- * Description:
- *   This file implements the Secure Hash Signature Standard
- *   algorithms as defined in the National Institute of Standards
- *   and Technology Federal Information Processing Standards
- *   Publication (FIPS PUB) 180-1 published on April 17, 1995, 180-2
- *   published on August 1, 2002, and the FIPS PUB 180-2 Change
- *   Notice published on February 28, 2004.
- *
- *   A combined document showing all algorithms is available at
- *       http://csrc.nist.gov/publications/fips/
- *       fips180-2/fips180-2withchangenotice.pdf
- *
- *   The SHA-384 and SHA-512 algorithms produce 384-bit and 512-bit
- *   message digests for a given data stream. It should take about
- *   2**n steps to find a message with the same digest as a given
- *   message and 2**(n/2) to find any two messages with the same
- *   digest, when n is the digest size in bits. Therefore, this
- *   algorithm can serve as a means of providing a
- *   "fingerprint" for a message.
- *
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 45]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
- * Portability Issues:
- *   SHA-384 and SHA-512 are defined in terms of 64-bit "words",
- *   but if USE_32BIT_ONLY is #defined, this code is implemented in
- *   terms of 32-bit "words". This code uses <stdint.h> (included
- *   via "sha.h") to define the 64, 32 and 8 bit unsigned integer
- *   types. If your C compiler does not support 64 bit unsigned
- *   integers, and you do not #define USE_32BIT_ONLY, this code is
- *   not appropriate.
- *
- * Caveats:
- *   SHA-384 and SHA-512 are designed to work with messages less
- *   than 2^128 bits long. This implementation uses
- *   SHA384/512Input() to hash the bits that are a multiple of the
- *   size of an 8-bit character, and then uses SHA384/256FinalBits()
- *   to hash the final few bits of the input.
- *
- */
-
-#include "sha.h"
-#include "sha-private.h"
-
-#ifdef USE_32BIT_ONLY
-/*
- * Define 64-bit arithmetic in terms of 32-bit arithmetic.
- * Each 64-bit number is represented in a 2-word array.
- * All macros are defined such that the result is the last parameter.
- */
-
-/*
- * Define shift, rotate left and rotate right functions
- */
-#define SHA512_SHR(bits, word, ret) (                          \
-    /* (((uint64_t)((word))) >> (bits)) */                     \
-    (ret)[0] = (((bits) < 32) && ((bits) >= 0)) ?              \
-      ((word)[0] >> (bits)) : 0,                               \
-    (ret)[1] = ((bits) > 32) ? ((word)[0] >> ((bits) - 32)) :  \
-      ((bits) == 32) ? (word)[0] :                             \
-      ((bits) >= 0) ?                                          \
-        (((word)[0] << (32 - (bits))) |                        \
-        ((word)[1] >> (bits))) : 0 )
-
-#define SHA512_SHL(bits, word, ret) (                          \
-    /* (((uint64_t)(word)) << (bits)) */                       \
-    (ret)[0] = ((bits) > 32) ? ((word)[1] << ((bits) - 32)) :  \
-         ((bits) == 32) ? (word)[1] :                          \
-         ((bits) >= 0) ?                                       \
-           (((word)[0] << (bits)) |                            \
-           ((word)[1] >> (32 - (bits)))) :                     \
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 46]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-         0,                                                    \
-    (ret)[1] = (((bits) < 32) && ((bits) >= 0)) ?              \
-        ((word)[1] << (bits)) : 0 )
-
-/*
- * Define 64-bit OR
- */
-#define SHA512_OR(word1, word2, ret) (                         \
-    (ret)[0] = (word1)[0] | (word2)[0],                        \
-    (ret)[1] = (word1)[1] | (word2)[1] )
-
-/*
- * Define 64-bit XOR
- */
-#define SHA512_XOR(word1, word2, ret) (                        \
-    (ret)[0] = (word1)[0] ^ (word2)[0],                        \
-    (ret)[1] = (word1)[1] ^ (word2)[1] )
-
-/*
- * Define 64-bit AND
- */
-#define SHA512_AND(word1, word2, ret) (                        \
-    (ret)[0] = (word1)[0] & (word2)[0],                        \
-    (ret)[1] = (word1)[1] & (word2)[1] )
-
-/*
- * Define 64-bit TILDA
- */
-#define SHA512_TILDA(word, ret)                                \
-  ( (ret)[0] = ~(word)[0], (ret)[1] = ~(word)[1] )
-
-/*
- * Define 64-bit ADD
- */
-#define SHA512_ADD(word1, word2, ret) (                        \
-    (ret)[1] = (word1)[1], (ret)[1] += (word2)[1],             \
-    (ret)[0] = (word1)[0] + (word2)[0] + ((ret)[1] < (word1)[1]) )
-
-/*
- * Add the 4word value in word2 to word1.
- */
-static uint32_t ADDTO4_temp, ADDTO4_temp2;
-#define SHA512_ADDTO4(word1, word2) (                          \
-    ADDTO4_temp = (word1)[3],                                  \
-    (word1)[3] += (word2)[3],                                  \
-    ADDTO4_temp2 = (word1)[2],                                 \
-    (word1)[2] += (word2)[2] + ((word1)[3] < ADDTO4_temp),     \
-    ADDTO4_temp = (word1)[1],                                  \
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 47]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-    (word1)[1] += (word2)[1] + ((word1)[2] < ADDTO4_temp2),    \
-    (word1)[0] += (word2)[0] + ((word1)[1] < ADDTO4_temp) )
-
-/*
- * Add the 2word value in word2 to word1.
- */
-static uint32_t ADDTO2_temp;
-#define SHA512_ADDTO2(word1, word2) (                          \
-    ADDTO2_temp = (word1)[1],                                  \
-    (word1)[1] += (word2)[1],                                  \
-    (word1)[0] += (word2)[0] + ((word1)[1] < ADDTO2_temp) )
-
-/*
- * SHA rotate   ((word >> bits) | (word << (64-bits)))
- */
-static uint32_t ROTR_temp1[2], ROTR_temp2[2];
-#define SHA512_ROTR(bits, word, ret) (                         \
-    SHA512_SHR((bits), (word), ROTR_temp1),                    \
-    SHA512_SHL(64-(bits), (word), ROTR_temp2),                 \
-    SHA512_OR(ROTR_temp1, ROTR_temp2, (ret)) )
-
-/*
- * Define the SHA SIGMA and sigma macros
- *  SHA512_ROTR(28,word) ^ SHA512_ROTR(34,word) ^ SHA512_ROTR(39,word)
- */
-static uint32_t SIGMA0_temp1[2], SIGMA0_temp2[2],
-  SIGMA0_temp3[2], SIGMA0_temp4[2];
-#define SHA512_SIGMA0(word, ret) (                             \
-    SHA512_ROTR(28, (word), SIGMA0_temp1),                     \
-    SHA512_ROTR(34, (word), SIGMA0_temp2),                     \
-    SHA512_ROTR(39, (word), SIGMA0_temp3),                     \
-    SHA512_XOR(SIGMA0_temp2, SIGMA0_temp3, SIGMA0_temp4),      \
-    SHA512_XOR(SIGMA0_temp1, SIGMA0_temp4, (ret)) )
-
-/*
- * SHA512_ROTR(14,word) ^ SHA512_ROTR(18,word) ^ SHA512_ROTR(41,word)
- */
-static uint32_t SIGMA1_temp1[2], SIGMA1_temp2[2],
-  SIGMA1_temp3[2], SIGMA1_temp4[2];
-#define SHA512_SIGMA1(word, ret) (                             \
-    SHA512_ROTR(14, (word), SIGMA1_temp1),                     \
-    SHA512_ROTR(18, (word), SIGMA1_temp2),                     \
-    SHA512_ROTR(41, (word), SIGMA1_temp3),                     \
-    SHA512_XOR(SIGMA1_temp2, SIGMA1_temp3, SIGMA1_temp4),      \
-    SHA512_XOR(SIGMA1_temp1, SIGMA1_temp4, (ret)) )
-
-/*
- * (SHA512_ROTR( 1,word) ^ SHA512_ROTR( 8,word) ^ SHA512_SHR( 7,word))
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 48]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
- */
-static uint32_t sigma0_temp1[2], sigma0_temp2[2],
-  sigma0_temp3[2], sigma0_temp4[2];
-#define SHA512_sigma0(word, ret) (                             \
-    SHA512_ROTR( 1, (word), sigma0_temp1),                     \
-    SHA512_ROTR( 8, (word), sigma0_temp2),                     \
-    SHA512_SHR( 7, (word), sigma0_temp3),                      \
-    SHA512_XOR(sigma0_temp2, sigma0_temp3, sigma0_temp4),      \
-    SHA512_XOR(sigma0_temp1, sigma0_temp4, (ret)) )
-
-/*
- * (SHA512_ROTR(19,word) ^ SHA512_ROTR(61,word) ^ SHA512_SHR( 6,word))
- */
-static uint32_t sigma1_temp1[2], sigma1_temp2[2],
-  sigma1_temp3[2], sigma1_temp4[2];
-#define SHA512_sigma1(word, ret) (                             \
-    SHA512_ROTR(19, (word), sigma1_temp1),                     \
-    SHA512_ROTR(61, (word), sigma1_temp2),                     \
-    SHA512_SHR( 6, (word), sigma1_temp3),                      \
-    SHA512_XOR(sigma1_temp2, sigma1_temp3, sigma1_temp4),      \
-    SHA512_XOR(sigma1_temp1, sigma1_temp4, (ret)) )
-
-#undef SHA_Ch
-#undef SHA_Maj
-
-#ifndef USE_MODIFIED_MACROS
-/*
- * These definitions are the ones used in FIPS-180-2, section 4.1.3
- *  Ch(x,y,z)   ((x & y) ^ (~x & z))
- */
-static uint32_t Ch_temp1[2], Ch_temp2[2], Ch_temp3[2];
-#define SHA_Ch(x, y, z, ret) (                                 \
-    SHA512_AND(x, y, Ch_temp1),                                \
-    SHA512_TILDA(x, Ch_temp2),                                 \
-    SHA512_AND(Ch_temp2, z, Ch_temp3),                         \
-    SHA512_XOR(Ch_temp1, Ch_temp3, (ret)) )
-/*
- *  Maj(x,y,z)  (((x)&(y)) ^ ((x)&(z)) ^ ((y)&(z)))
- */
-static uint32_t Maj_temp1[2], Maj_temp2[2],
-  Maj_temp3[2], Maj_temp4[2];
-#define SHA_Maj(x, y, z, ret) (                                \
-    SHA512_AND(x, y, Maj_temp1),                               \
-    SHA512_AND(x, z, Maj_temp2),                               \
-    SHA512_AND(y, z, Maj_temp3),                               \
-    SHA512_XOR(Maj_temp2, Maj_temp3, Maj_temp4),               \
-    SHA512_XOR(Maj_temp1, Maj_temp4, (ret)) )
-
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 49]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-#else /* !USE_32BIT_ONLY */
-/*
- * These definitions are potentially faster equivalents for the ones
- * used in FIPS-180-2, section 4.1.3.
- *   ((x & y) ^ (~x & z)) becomes
- *   ((x & (y ^ z)) ^ z)
- */
-#define SHA_Ch(x, y, z, ret) (                                 \
-   (ret)[0] = (((x)[0] & ((y)[0] ^ (z)[0])) ^ (z)[0]),         \
-   (ret)[1] = (((x)[1] & ((y)[1] ^ (z)[1])) ^ (z)[1]) )
-
-/*
- *   ((x & y) ^ (x & z) ^ (y & z)) becomes
- *   ((x & (y | z)) | (y & z))
- */
-#define SHA_Maj(x, y, z, ret) (                                 \
-   ret[0] = (((x)[0] & ((y)[0] | (z)[0])) | ((y)[0] & (z)[0])), \
-   ret[1] = (((x)[1] & ((y)[1] | (z)[1])) | ((y)[1] & (z)[1])) )
-#endif /* USE_MODIFIED_MACROS */
-
-/*
- * add "length" to the length
- */
-static uint32_t addTemp[4] = { 0, 0, 0, 0 };
-#define SHA384_512AddLength(context, length) (                        \
-    addTemp[3] = (length), SHA512_ADDTO4((context)->Length, addTemp), \
-    (context)->Corrupted = (((context)->Length[3] == 0) &&            \
-       ((context)->Length[2] == 0) && ((context)->Length[1] == 0) &&  \
-       ((context)->Length[0] < 8)) ? 1 : 0 )
-
-/* Local Function Prototypes */
-static void SHA384_512Finalize(SHA512Context *context,
-  uint8_t Pad_Byte);
-static void SHA384_512PadMessage(SHA512Context *context,
-  uint8_t Pad_Byte);
-static void SHA384_512ProcessMessageBlock(SHA512Context *context);
-static int SHA384_512Reset(SHA512Context *context, uint32_t H0[]);
-static int SHA384_512ResultN( SHA512Context *context,
-  uint8_t Message_Digest[], int HashSize);
-
-/* Initial Hash Values: FIPS-180-2 sections 5.3.3 and 5.3.4 */
-static uint32_t SHA384_H0[SHA512HashSize/4] = {
-    0xCBBB9D5D, 0xC1059ED8, 0x629A292A, 0x367CD507, 0x9159015A,
-    0x3070DD17, 0x152FECD8, 0xF70E5939, 0x67332667, 0xFFC00B31,
-    0x8EB44A87, 0x68581511, 0xDB0C2E0D, 0x64F98FA7, 0x47B5481D,
-    0xBEFA4FA4
-};
-
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 50]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-static uint32_t SHA512_H0[SHA512HashSize/4] = {
-    0x6A09E667, 0xF3BCC908, 0xBB67AE85, 0x84CAA73B, 0x3C6EF372,
-    0xFE94F82B, 0xA54FF53A, 0x5F1D36F1, 0x510E527F, 0xADE682D1,
-    0x9B05688C, 0x2B3E6C1F, 0x1F83D9AB, 0xFB41BD6B, 0x5BE0CD19,
-    0x137E2179
-};
-
-#else /* !USE_32BIT_ONLY */
-
-/* Define the SHA shift, rotate left and rotate right macro */
-#define SHA512_SHR(bits,word)  (((uint64_t)(word)) >> (bits))
-#define SHA512_ROTR(bits,word) ((((uint64_t)(word)) >> (bits)) | \
-                                (((uint64_t)(word)) << (64-(bits))))
-
-/* Define the SHA SIGMA and sigma macros */
-#define SHA512_SIGMA0(word)   \
- (SHA512_ROTR(28,word) ^ SHA512_ROTR(34,word) ^ SHA512_ROTR(39,word))
-#define SHA512_SIGMA1(word)   \
- (SHA512_ROTR(14,word) ^ SHA512_ROTR(18,word) ^ SHA512_ROTR(41,word))
-#define SHA512_sigma0(word)   \
- (SHA512_ROTR( 1,word) ^ SHA512_ROTR( 8,word) ^ SHA512_SHR( 7,word))
-#define SHA512_sigma1(word)   \
- (SHA512_ROTR(19,word) ^ SHA512_ROTR(61,word) ^ SHA512_SHR( 6,word))
-
-/*
- * add "length" to the length
- */
-static uint64_t addTemp;
-#define SHA384_512AddLength(context, length)                   \
-   (addTemp = context->Length_Low, context->Corrupted =        \
-    ((context->Length_Low += length) < addTemp) &&             \
-    (++context->Length_High == 0) ? 1 : 0)
-
-/* Local Function Prototypes */
-static void SHA384_512Finalize(SHA512Context *context,
-  uint8_t Pad_Byte);
-static void SHA384_512PadMessage(SHA512Context *context,
-  uint8_t Pad_Byte);
-static void SHA384_512ProcessMessageBlock(SHA512Context *context);
-static int SHA384_512Reset(SHA512Context *context, uint64_t H0[]);
-static int SHA384_512ResultN(SHA512Context *context,
-  uint8_t Message_Digest[], int HashSize);
-
-/* Initial Hash Values: FIPS-180-2 sections 5.3.3 and 5.3.4 */
-static uint64_t SHA384_H0[] = {
-    0xCBBB9D5DC1059ED8ll, 0x629A292A367CD507ll, 0x9159015A3070DD17ll,
-    0x152FECD8F70E5939ll, 0x67332667FFC00B31ll, 0x8EB44A8768581511ll,
-    0xDB0C2E0D64F98FA7ll, 0x47B5481DBEFA4FA4ll
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 51]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-};
-static uint64_t SHA512_H0[] = {
-    0x6A09E667F3BCC908ll, 0xBB67AE8584CAA73Bll, 0x3C6EF372FE94F82Bll,
-    0xA54FF53A5F1D36F1ll, 0x510E527FADE682D1ll, 0x9B05688C2B3E6C1Fll,
-    0x1F83D9ABFB41BD6Bll, 0x5BE0CD19137E2179ll
-};
-
-#endif /* USE_32BIT_ONLY */
-
-/*
- * SHA384Reset
- *
- * Description:
- *   This function will initialize the SHA384Context in preparation
- *   for computing a new SHA384 message digest.
- *
- * Parameters:
- *   context: [in/out]
- *     The context to reset.
- *
- * Returns:
- *   sha Error Code.
- *
- */
-int SHA384Reset(SHA384Context *context)
-{
-  return SHA384_512Reset(context, SHA384_H0);
-}
-
-/*
- * SHA384Input
- *
- * Description:
- *   This function accepts an array of octets as the next portion
- *   of the message.
- *
- * Parameters:
- *   context: [in/out]
- *     The SHA context to update
- *   message_array: [in]
- *     An array of characters representing the next portion of
- *     the message.
- *   length: [in]
- *     The length of the message in message_array
- *
- * Returns:
- *   sha Error Code.
- *
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 52]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
- */
-int SHA384Input(SHA384Context *context,
-    const uint8_t *message_array, unsigned int length)
-{
-  return SHA512Input(context, message_array, length);
-}
-
-/*
- * SHA384FinalBits
- *
- * Description:
- *   This function will add in any final bits of the message.
- *
- * Parameters:
- *   context: [in/out]
- *     The SHA context to update
- *   message_bits: [in]
- *     The final bits of the message, in the upper portion of the
- *     byte. (Use 0b###00000 instead of 0b00000### to input the
- *     three bits ###.)
- *   length: [in]
- *     The number of bits in message_bits, between 1 and 7.
- *
- * Returns:
- *   sha Error Code.
- *
- */
-int SHA384FinalBits(SHA384Context *context,
-    const uint8_t message_bits, unsigned int length)
-{
-  return SHA512FinalBits(context, message_bits, length);
-}
-
-/*
- * SHA384Result
- *
- * Description:
- *   This function will return the 384-bit message
- *   digest into the Message_Digest array provided by the caller.
- *   NOTE: The first octet of hash is stored in the 0th element,
- *      the last octet of hash in the 48th element.
- *
- * Parameters:
- *   context: [in/out]
- *     The context to use to calculate the SHA hash.
- *   Message_Digest: [out]
- *     Where the digest is returned.
- *
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 53]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
- * Returns:
- *   sha Error Code.
- *
- */
-int SHA384Result(SHA384Context *context,
-    uint8_t Message_Digest[SHA384HashSize])
-{
-  return SHA384_512ResultN(context, Message_Digest, SHA384HashSize);
-}
-
-/*
- * SHA512Reset
- *
- * Description:
- *   This function will initialize the SHA512Context in preparation
- *   for computing a new SHA512 message digest.
- *
- * Parameters:
- *   context: [in/out]
- *     The context to reset.
- *
- * Returns:
- *   sha Error Code.
- *
- */
-int SHA512Reset(SHA512Context *context)
-{
-  return SHA384_512Reset(context, SHA512_H0);
-}
-
-/*
- * SHA512Input
- *
- * Description:
- *   This function accepts an array of octets as the next portion
- *   of the message.
- *
- * Parameters:
- *   context: [in/out]
- *     The SHA context to update
- *   message_array: [in]
- *     An array of characters representing the next portion of
- *     the message.
- *   length: [in]
- *     The length of the message in message_array
- *
- * Returns:
- *   sha Error Code.
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 54]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
- *
- */
-int SHA512Input(SHA512Context *context,
-        const uint8_t *message_array,
-        unsigned int length)
-{
-  if (!length)
-    return shaSuccess;
-
-  if (!context || !message_array)
-    return shaNull;
-
-  if (context->Computed) {
-    context->Corrupted = shaStateError;
-    return shaStateError;
-  }
-
-  if (context->Corrupted)
-     return context->Corrupted;
-
-  while (length-- && !context->Corrupted) {
-    context->Message_Block[context->Message_Block_Index++] =
-            (*message_array & 0xFF);
-
-    if (!SHA384_512AddLength(context, 8) &&
-      (context->Message_Block_Index == SHA512_Message_Block_Size))
-      SHA384_512ProcessMessageBlock(context);
-
-    message_array++;
-  }
-
-  return shaSuccess;
-}
-
-/*
- * SHA512FinalBits
- *
- * Description:
- *   This function will add in any final bits of the message.
- *
- * Parameters:
- *   context: [in/out]
- *     The SHA context to update
- *   message_bits: [in]
- *     The final bits of the message, in the upper portion of the
- *     byte. (Use 0b###00000 instead of 0b00000### to input the
- *     three bits ###.)
- *   length: [in]
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 55]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
- *     The number of bits in message_bits, between 1 and 7.
- *
- * Returns:
- *   sha Error Code.
- *
- */
-int SHA512FinalBits(SHA512Context *context,
-    const uint8_t message_bits, unsigned int length)
-{
-  uint8_t masks[8] = {
-      /* 0 0b00000000 */ 0x00, /* 1 0b10000000 */ 0x80,
-      /* 2 0b11000000 */ 0xC0, /* 3 0b11100000 */ 0xE0,
-      /* 4 0b11110000 */ 0xF0, /* 5 0b11111000 */ 0xF8,
-      /* 6 0b11111100 */ 0xFC, /* 7 0b11111110 */ 0xFE
-  };
-  uint8_t markbit[8] = {
-      /* 0 0b10000000 */ 0x80, /* 1 0b01000000 */ 0x40,
-      /* 2 0b00100000 */ 0x20, /* 3 0b00010000 */ 0x10,
-      /* 4 0b00001000 */ 0x08, /* 5 0b00000100 */ 0x04,
-      /* 6 0b00000010 */ 0x02, /* 7 0b00000001 */ 0x01
-  };
-
-  if (!length)
-    return shaSuccess;
-
-  if (!context)
-    return shaNull;
-
-  if ((context->Computed) || (length >= 8) || (length == 0)) {
-    context->Corrupted = shaStateError;
-    return shaStateError;
-  }
-
-  if (context->Corrupted)
-     return context->Corrupted;
-
-  SHA384_512AddLength(context, length);
-  SHA384_512Finalize(context, (uint8_t)
-    ((message_bits & masks[length]) | markbit[length]));
-
-  return shaSuccess;
-}
-
-/*
- * SHA384_512Finalize
- *
- * Description:
- *   This helper function finishes off the digest calculations.
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 56]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
- *
- * Parameters:
- *   context: [in/out]
- *     The SHA context to update
- *   Pad_Byte: [in]
- *     The last byte to add to the digest before the 0-padding
- *     and length. This will contain the last bits of the message
- *     followed by another single bit. If the message was an
- *     exact multiple of 8-bits long, Pad_Byte will be 0x80.
- *
- * Returns:
- *   sha Error Code.
- *
- */
-static void SHA384_512Finalize(SHA512Context *context,
-    uint8_t Pad_Byte)
-{
-  int_least16_t i;
-  SHA384_512PadMessage(context, Pad_Byte);
-  /* message may be sensitive, clear it out */
-  for (i = 0; i < SHA512_Message_Block_Size; ++i)
-    context->Message_Block[i] = 0;
-#ifdef USE_32BIT_ONLY    /* and clear length */
-  context->Length[0] = context->Length[1] = 0;
-  context->Length[2] = context->Length[3] = 0;
-#else /* !USE_32BIT_ONLY */
-  context->Length_Low = 0;
-  context->Length_High = 0;
-#endif /* USE_32BIT_ONLY */
-  context->Computed = 1;
-}
-
-/*
- * SHA512Result
- *
- * Description:
- *   This function will return the 512-bit message
- *   digest into the Message_Digest array provided by the caller.
- *   NOTE: The first octet of hash is stored in the 0th element,
- *      the last octet of hash in the 64th element.
- *
- * Parameters:
- *   context: [in/out]
- *     The context to use to calculate the SHA hash.
- *   Message_Digest: [out]
- *     Where the digest is returned.
- *
- * Returns:
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 57]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
- *   sha Error Code.
- *
- */
-int SHA512Result(SHA512Context *context,
-    uint8_t Message_Digest[SHA512HashSize])
-{
-  return SHA384_512ResultN(context, Message_Digest, SHA512HashSize);
-}
-
-/*
- * SHA384_512PadMessage
- *
- * Description:
- *   According to the standard, the message must be padded to an
- *   even 1024 bits. The first padding bit must be a '1'. The
- *   last 128 bits represent the length of the original message.
- *   All bits in between should be 0. This helper function will
- *   pad the message according to those rules by filling the
- *   Message_Block array accordingly. When it returns, it can be
- *   assumed that the message digest has been computed.
- *
- * Parameters:
- *   context: [in/out]
- *     The context to pad
- *   Pad_Byte: [in]
- *     The last byte to add to the digest before the 0-padding
- *     and length. This will contain the last bits of the message
- *     followed by another single bit. If the message was an
- *     exact multiple of 8-bits long, Pad_Byte will be 0x80.
- *
- * Returns:
- *   Nothing.
- *
- */
-static void SHA384_512PadMessage(SHA512Context *context,
-    uint8_t Pad_Byte)
-{
-  /*
-   * Check to see if the current message block is too small to hold
-   * the initial padding bits and length. If so, we will pad the
-   * block, process it, and then continue padding into a second
-   * block.
-   */
-  if (context->Message_Block_Index >= (SHA512_Message_Block_Size-16)) {
-    context->Message_Block[context->Message_Block_Index++] = Pad_Byte;
-    while (context->Message_Block_Index < SHA512_Message_Block_Size)
-      context->Message_Block[context->Message_Block_Index++] = 0;
-
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 58]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-    SHA384_512ProcessMessageBlock(context);
-  } else
-    context->Message_Block[context->Message_Block_Index++] = Pad_Byte;
-
-  while (context->Message_Block_Index < (SHA512_Message_Block_Size-16))
-    context->Message_Block[context->Message_Block_Index++] = 0;
-
-  /*
-   * Store the message length as the last 16 octets
-   */
-#ifdef USE_32BIT_ONLY
-  context->Message_Block[112] = (uint8_t)(context->Length[0] >> 24);
-  context->Message_Block[113] = (uint8_t)(context->Length[0] >> 16);
-  context->Message_Block[114] = (uint8_t)(context->Length[0] >> 8);
-  context->Message_Block[115] = (uint8_t)(context->Length[0]);
-  context->Message_Block[116] = (uint8_t)(context->Length[1] >> 24);
-  context->Message_Block[117] = (uint8_t)(context->Length[1] >> 16);
-  context->Message_Block[118] = (uint8_t)(context->Length[1] >> 8);
-  context->Message_Block[119] = (uint8_t)(context->Length[1]);
-
-  context->Message_Block[120] = (uint8_t)(context->Length[2] >> 24);
-  context->Message_Block[121] = (uint8_t)(context->Length[2] >> 16);
-  context->Message_Block[122] = (uint8_t)(context->Length[2] >> 8);
-  context->Message_Block[123] = (uint8_t)(context->Length[2]);
-  context->Message_Block[124] = (uint8_t)(context->Length[3] >> 24);
-  context->Message_Block[125] = (uint8_t)(context->Length[3] >> 16);
-  context->Message_Block[126] = (uint8_t)(context->Length[3] >> 8);
-  context->Message_Block[127] = (uint8_t)(context->Length[3]);
-#else /* !USE_32BIT_ONLY */
-  context->Message_Block[112] = (uint8_t)(context->Length_High >> 56);
-  context->Message_Block[113] = (uint8_t)(context->Length_High >> 48);
-  context->Message_Block[114] = (uint8_t)(context->Length_High >> 40);
-  context->Message_Block[115] = (uint8_t)(context->Length_High >> 32);
-  context->Message_Block[116] = (uint8_t)(context->Length_High >> 24);
-  context->Message_Block[117] = (uint8_t)(context->Length_High >> 16);
-  context->Message_Block[118] = (uint8_t)(context->Length_High >> 8);
-  context->Message_Block[119] = (uint8_t)(context->Length_High);
-
-  context->Message_Block[120] = (uint8_t)(context->Length_Low >> 56);
-  context->Message_Block[121] = (uint8_t)(context->Length_Low >> 48);
-  context->Message_Block[122] = (uint8_t)(context->Length_Low >> 40);
-  context->Message_Block[123] = (uint8_t)(context->Length_Low >> 32);
-  context->Message_Block[124] = (uint8_t)(context->Length_Low >> 24);
-  context->Message_Block[125] = (uint8_t)(context->Length_Low >> 16);
-  context->Message_Block[126] = (uint8_t)(context->Length_Low >> 8);
-  context->Message_Block[127] = (uint8_t)(context->Length_Low);
-#endif /* USE_32BIT_ONLY */
-
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 59]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-  SHA384_512ProcessMessageBlock(context);
-}
-
-/*
- * SHA384_512ProcessMessageBlock
- *
- * Description:
- *   This helper function will process the next 1024 bits of the
- *   message stored in the Message_Block array.
- *
- * Parameters:
- *   context: [in/out]
- *     The SHA context to update
- *
- * Returns:
- *   Nothing.
- *
- * Comments:
- *   Many of the variable names in this code, especially the
- *   single character names, were used because those were the
- *   names used in the publication.
- *
- *
- */
-static void SHA384_512ProcessMessageBlock(SHA512Context *context)
-{
-  /* Constants defined in FIPS-180-2, section 4.2.3 */
-#ifdef USE_32BIT_ONLY
-  static const uint32_t K[80*2] = {
-      0x428A2F98, 0xD728AE22, 0x71374491, 0x23EF65CD, 0xB5C0FBCF,
-      0xEC4D3B2F, 0xE9B5DBA5, 0x8189DBBC, 0x3956C25B, 0xF348B538,
-      0x59F111F1, 0xB605D019, 0x923F82A4, 0xAF194F9B, 0xAB1C5ED5,
-      0xDA6D8118, 0xD807AA98, 0xA3030242, 0x12835B01, 0x45706FBE,
-      0x243185BE, 0x4EE4B28C, 0x550C7DC3, 0xD5FFB4E2, 0x72BE5D74,
-      0xF27B896F, 0x80DEB1FE, 0x3B1696B1, 0x9BDC06A7, 0x25C71235,
-      0xC19BF174, 0xCF692694, 0xE49B69C1, 0x9EF14AD2, 0xEFBE4786,
-      0x384F25E3, 0x0FC19DC6, 0x8B8CD5B5, 0x240CA1CC, 0x77AC9C65,
-      0x2DE92C6F, 0x592B0275, 0x4A7484AA, 0x6EA6E483, 0x5CB0A9DC,
-      0xBD41FBD4, 0x76F988DA, 0x831153B5, 0x983E5152, 0xEE66DFAB,
-      0xA831C66D, 0x2DB43210, 0xB00327C8, 0x98FB213F, 0xBF597FC7,
-      0xBEEF0EE4, 0xC6E00BF3, 0x3DA88FC2, 0xD5A79147, 0x930AA725,
-      0x06CA6351, 0xE003826F, 0x14292967, 0x0A0E6E70, 0x27B70A85,
-      0x46D22FFC, 0x2E1B2138, 0x5C26C926, 0x4D2C6DFC, 0x5AC42AED,
-      0x53380D13, 0x9D95B3DF, 0x650A7354, 0x8BAF63DE, 0x766A0ABB,
-      0x3C77B2A8, 0x81C2C92E, 0x47EDAEE6, 0x92722C85, 0x1482353B,
-      0xA2BFE8A1, 0x4CF10364, 0xA81A664B, 0xBC423001, 0xC24B8B70,
-      0xD0F89791, 0xC76C51A3, 0x0654BE30, 0xD192E819, 0xD6EF5218,
-      0xD6990624, 0x5565A910, 0xF40E3585, 0x5771202A, 0x106AA070,
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 60]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-      0x32BBD1B8, 0x19A4C116, 0xB8D2D0C8, 0x1E376C08, 0x5141AB53,
-      0x2748774C, 0xDF8EEB99, 0x34B0BCB5, 0xE19B48A8, 0x391C0CB3,
-      0xC5C95A63, 0x4ED8AA4A, 0xE3418ACB, 0x5B9CCA4F, 0x7763E373,
-      0x682E6FF3, 0xD6B2B8A3, 0x748F82EE, 0x5DEFB2FC, 0x78A5636F,
-      0x43172F60, 0x84C87814, 0xA1F0AB72, 0x8CC70208, 0x1A6439EC,
-      0x90BEFFFA, 0x23631E28, 0xA4506CEB, 0xDE82BDE9, 0xBEF9A3F7,
-      0xB2C67915, 0xC67178F2, 0xE372532B, 0xCA273ECE, 0xEA26619C,
-      0xD186B8C7, 0x21C0C207, 0xEADA7DD6, 0xCDE0EB1E, 0xF57D4F7F,
-      0xEE6ED178, 0x06F067AA, 0x72176FBA, 0x0A637DC5, 0xA2C898A6,
-      0x113F9804, 0xBEF90DAE, 0x1B710B35, 0x131C471B, 0x28DB77F5,
-      0x23047D84, 0x32CAAB7B, 0x40C72493, 0x3C9EBE0A, 0x15C9BEBC,
-      0x431D67C4, 0x9C100D4C, 0x4CC5D4BE, 0xCB3E42B6, 0x597F299C,
-      0xFC657E2A, 0x5FCB6FAB, 0x3AD6FAEC, 0x6C44198C, 0x4A475817
-  };
-  int     t, t2, t8;                  /* Loop counter */
-  uint32_t  temp1[2], temp2[2],       /* Temporary word values */
-        temp3[2], temp4[2], temp5[2];
-  uint32_t  W[2*80];                  /* Word sequence */
-  uint32_t  A[2], B[2], C[2], D[2],   /* Word buffers */
-        E[2], F[2], G[2], H[2];
-
-  /* Initialize the first 16 words in the array W */
-  for (t = t2 = t8 = 0; t < 16; t++, t8 += 8) {
-    W[t2++] = ((((uint32_t)context->Message_Block[t8    ])) << 24) |
-              ((((uint32_t)context->Message_Block[t8 + 1])) << 16) |
-              ((((uint32_t)context->Message_Block[t8 + 2])) << 8) |
-              ((((uint32_t)context->Message_Block[t8 + 3])));
-    W[t2++] = ((((uint32_t)context->Message_Block[t8 + 4])) << 24) |
-              ((((uint32_t)context->Message_Block[t8 + 5])) << 16) |
-              ((((uint32_t)context->Message_Block[t8 + 6])) << 8) |
-              ((((uint32_t)context->Message_Block[t8 + 7])));
-  }
-
-  for (t = 16; t < 80; t++, t2 += 2) {
-    /* W[t] = SHA512_sigma1(W[t-2]) + W[t-7] +
-      SHA512_sigma0(W[t-15]) + W[t-16]; */
-    uint32_t *Wt2 = &W[t2-2*2];
-    uint32_t *Wt7 = &W[t2-7*2];
-    uint32_t *Wt15 = &W[t2-15*2];
-    uint32_t *Wt16 = &W[t2-16*2];
-    SHA512_sigma1(Wt2, temp1);
-    SHA512_ADD(temp1, Wt7, temp2);
-    SHA512_sigma0(Wt15, temp1);
-    SHA512_ADD(temp1, Wt16, temp3);
-    SHA512_ADD(temp2, temp3, &W[t2]);
-  }
-
-  A[0] = context->Intermediate_Hash[0];
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 61]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-  A[1] = context->Intermediate_Hash[1];
-  B[0] = context->Intermediate_Hash[2];
-  B[1] = context->Intermediate_Hash[3];
-  C[0] = context->Intermediate_Hash[4];
-  C[1] = context->Intermediate_Hash[5];
-  D[0] = context->Intermediate_Hash[6];
-  D[1] = context->Intermediate_Hash[7];
-  E[0] = context->Intermediate_Hash[8];
-  E[1] = context->Intermediate_Hash[9];
-  F[0] = context->Intermediate_Hash[10];
-  F[1] = context->Intermediate_Hash[11];
-  G[0] = context->Intermediate_Hash[12];
-  G[1] = context->Intermediate_Hash[13];
-  H[0] = context->Intermediate_Hash[14];
-  H[1] = context->Intermediate_Hash[15];
-
-  for (t = t2 = 0; t < 80; t++, t2 += 2) {
-    /*
-     * temp1 = H + SHA512_SIGMA1(E) + SHA_Ch(E,F,G) + K[t] + W[t];
-     */
-    SHA512_SIGMA1(E,temp1);
-    SHA512_ADD(H, temp1, temp2);
-    SHA_Ch(E,F,G,temp3);
-    SHA512_ADD(temp2, temp3, temp4);
-    SHA512_ADD(&K[t2], &W[t2], temp5);
-    SHA512_ADD(temp4, temp5, temp1);
-    /*
-     * temp2 = SHA512_SIGMA0(A) + SHA_Maj(A,B,C);
-     */
-    SHA512_SIGMA0(A,temp3);
-    SHA_Maj(A,B,C,temp4);
-    SHA512_ADD(temp3, temp4, temp2);
-    H[0] = G[0]; H[1] = G[1];
-    G[0] = F[0]; G[1] = F[1];
-    F[0] = E[0]; F[1] = E[1];
-    SHA512_ADD(D, temp1, E);
-    D[0] = C[0]; D[1] = C[1];
-    C[0] = B[0]; C[1] = B[1];
-    B[0] = A[0]; B[1] = A[1];
-    SHA512_ADD(temp1, temp2, A);
-  }
-
-  SHA512_ADDTO2(&context->Intermediate_Hash[0], A);
-  SHA512_ADDTO2(&context->Intermediate_Hash[2], B);
-  SHA512_ADDTO2(&context->Intermediate_Hash[4], C);
-  SHA512_ADDTO2(&context->Intermediate_Hash[6], D);
-  SHA512_ADDTO2(&context->Intermediate_Hash[8], E);
-  SHA512_ADDTO2(&context->Intermediate_Hash[10], F);
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 62]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-  SHA512_ADDTO2(&context->Intermediate_Hash[12], G);
-  SHA512_ADDTO2(&context->Intermediate_Hash[14], H);
-
-#else /* !USE_32BIT_ONLY */
-  static const uint64_t K[80] = {
-      0x428A2F98D728AE22ll, 0x7137449123EF65CDll, 0xB5C0FBCFEC4D3B2Fll,
-      0xE9B5DBA58189DBBCll, 0x3956C25BF348B538ll, 0x59F111F1B605D019ll,
-      0x923F82A4AF194F9Bll, 0xAB1C5ED5DA6D8118ll, 0xD807AA98A3030242ll,
-      0x12835B0145706FBEll, 0x243185BE4EE4B28Cll, 0x550C7DC3D5FFB4E2ll,
-      0x72BE5D74F27B896Fll, 0x80DEB1FE3B1696B1ll, 0x9BDC06A725C71235ll,
-      0xC19BF174CF692694ll, 0xE49B69C19EF14AD2ll, 0xEFBE4786384F25E3ll,
-      0x0FC19DC68B8CD5B5ll, 0x240CA1CC77AC9C65ll, 0x2DE92C6F592B0275ll,
-      0x4A7484AA6EA6E483ll, 0x5CB0A9DCBD41FBD4ll, 0x76F988DA831153B5ll,
-      0x983E5152EE66DFABll, 0xA831C66D2DB43210ll, 0xB00327C898FB213Fll,
-      0xBF597FC7BEEF0EE4ll, 0xC6E00BF33DA88FC2ll, 0xD5A79147930AA725ll,
-      0x06CA6351E003826Fll, 0x142929670A0E6E70ll, 0x27B70A8546D22FFCll,
-      0x2E1B21385C26C926ll, 0x4D2C6DFC5AC42AEDll, 0x53380D139D95B3DFll,
-      0x650A73548BAF63DEll, 0x766A0ABB3C77B2A8ll, 0x81C2C92E47EDAEE6ll,
-      0x92722C851482353Bll, 0xA2BFE8A14CF10364ll, 0xA81A664BBC423001ll,
-      0xC24B8B70D0F89791ll, 0xC76C51A30654BE30ll, 0xD192E819D6EF5218ll,
-      0xD69906245565A910ll, 0xF40E35855771202All, 0x106AA07032BBD1B8ll,
-      0x19A4C116B8D2D0C8ll, 0x1E376C085141AB53ll, 0x2748774CDF8EEB99ll,
-      0x34B0BCB5E19B48A8ll, 0x391C0CB3C5C95A63ll, 0x4ED8AA4AE3418ACBll,
-      0x5B9CCA4F7763E373ll, 0x682E6FF3D6B2B8A3ll, 0x748F82EE5DEFB2FCll,
-      0x78A5636F43172F60ll, 0x84C87814A1F0AB72ll, 0x8CC702081A6439ECll,
-      0x90BEFFFA23631E28ll, 0xA4506CEBDE82BDE9ll, 0xBEF9A3F7B2C67915ll,
-      0xC67178F2E372532Bll, 0xCA273ECEEA26619Cll, 0xD186B8C721C0C207ll,
-      0xEADA7DD6CDE0EB1Ell, 0xF57D4F7FEE6ED178ll, 0x06F067AA72176FBAll,
-      0x0A637DC5A2C898A6ll, 0x113F9804BEF90DAEll, 0x1B710B35131C471Bll,
-      0x28DB77F523047D84ll, 0x32CAAB7B40C72493ll, 0x3C9EBE0A15C9BEBCll,
-      0x431D67C49C100D4Cll, 0x4CC5D4BECB3E42B6ll, 0x597F299CFC657E2All,
-      0x5FCB6FAB3AD6FAECll, 0x6C44198C4A475817ll
-  };
-  int        t, t8;                   /* Loop counter */
-  uint64_t   temp1, temp2;            /* Temporary word value */
-  uint64_t   W[80];                   /* Word sequence */
-  uint64_t   A, B, C, D, E, F, G, H;  /* Word buffers */
-
-  /*
-   * Initialize the first 16 words in the array W
-   */
-  for (t = t8 = 0; t < 16; t++, t8 += 8)
-    W[t] = ((uint64_t)(context->Message_Block[t8  ]) << 56) |
-           ((uint64_t)(context->Message_Block[t8 + 1]) << 48) |
-           ((uint64_t)(context->Message_Block[t8 + 2]) << 40) |
-           ((uint64_t)(context->Message_Block[t8 + 3]) << 32) |
-           ((uint64_t)(context->Message_Block[t8 + 4]) << 24) |
-           ((uint64_t)(context->Message_Block[t8 + 5]) << 16) |
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 63]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-           ((uint64_t)(context->Message_Block[t8 + 6]) << 8) |
-           ((uint64_t)(context->Message_Block[t8 + 7]));
-
-  for (t = 16; t < 80; t++)
-    W[t] = SHA512_sigma1(W[t-2]) + W[t-7] +
-        SHA512_sigma0(W[t-15]) + W[t-16];
-
-  A = context->Intermediate_Hash[0];
-  B = context->Intermediate_Hash[1];
-  C = context->Intermediate_Hash[2];
-  D = context->Intermediate_Hash[3];
-  E = context->Intermediate_Hash[4];
-  F = context->Intermediate_Hash[5];
-  G = context->Intermediate_Hash[6];
-  H = context->Intermediate_Hash[7];
-
-  for (t = 0; t < 80; t++) {
-    temp1 = H + SHA512_SIGMA1(E) + SHA_Ch(E,F,G) + K[t] + W[t];
-    temp2 = SHA512_SIGMA0(A) + SHA_Maj(A,B,C);
-    H = G;
-    G = F;
-    F = E;
-    E = D + temp1;
-    D = C;
-    C = B;
-    B = A;
-    A = temp1 + temp2;
-  }
-
-  context->Intermediate_Hash[0] += A;
-  context->Intermediate_Hash[1] += B;
-  context->Intermediate_Hash[2] += C;
-  context->Intermediate_Hash[3] += D;
-  context->Intermediate_Hash[4] += E;
-  context->Intermediate_Hash[5] += F;
-  context->Intermediate_Hash[6] += G;
-  context->Intermediate_Hash[7] += H;
-#endif /* USE_32BIT_ONLY */
-
-  context->Message_Block_Index = 0;
-}
-
-/*
- * SHA384_512Reset
- *
- * Description:
- *   This helper function will initialize the SHA512Context in
- *   preparation for computing a new SHA384 or SHA512 message
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 64]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
- *   digest.
- *
- * Parameters:
- *   context: [in/out]
- *     The context to reset.
- *   H0
- *     The initial hash value to use.
- *
- * Returns:
- *   sha Error Code.
- *
- */
-#ifdef USE_32BIT_ONLY
-static int SHA384_512Reset(SHA512Context *context, uint32_t H0[])
-#else /* !USE_32BIT_ONLY */
-static int SHA384_512Reset(SHA512Context *context, uint64_t H0[])
-#endif /* USE_32BIT_ONLY */
-{
-  int i;
-  if (!context)
-    return shaNull;
-
-  context->Message_Block_Index = 0;
-
-#ifdef USE_32BIT_ONLY
-  context->Length[0] = context->Length[1] = 0;
-  context->Length[2] = context->Length[3] = 0;
-
-  for (i = 0; i < SHA512HashSize/4; i++)
-    context->Intermediate_Hash[i] = H0[i];
-#else /* !USE_32BIT_ONLY */
-  context->Length_High = context->Length_Low = 0;
-
-  for (i = 0; i < SHA512HashSize/8; i++)
-    context->Intermediate_Hash[i] = H0[i];
-#endif /* USE_32BIT_ONLY */
-
-  context->Computed = 0;
-  context->Corrupted = 0;
-
-  return shaSuccess;
-}
-
-/*
- * SHA384_512ResultN
- *
- * Description:
- *   This helper function will return the 384-bit or 512-bit message
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 65]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
- *   digest into the Message_Digest array provided by the caller.
- *   NOTE: The first octet of hash is stored in the 0th element,
- *      the last octet of hash in the 48th/64th element.
- *
- * Parameters:
- *   context: [in/out]
- *     The context to use to calculate the SHA hash.
- *   Message_Digest: [out]
- *     Where the digest is returned.
- *   HashSize: [in]
- *     The size of the hash, either 48 or 64.
- *
- * Returns:
- *   sha Error Code.
- *
- */
-static int SHA384_512ResultN(SHA512Context *context,
-    uint8_t Message_Digest[], int HashSize)
-{
-  int i;
-
-#ifdef USE_32BIT_ONLY
-  int i2;
-#endif /* USE_32BIT_ONLY */
-
-  if (!context || !Message_Digest)
-    return shaNull;
-
-  if (context->Corrupted)
-    return context->Corrupted;
-
-  if (!context->Computed)
-    SHA384_512Finalize(context, 0x80);
-
-#ifdef USE_32BIT_ONLY
-  for (i = i2 = 0; i < HashSize; ) {
-    Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>24);
-    Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>16);
-    Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>8);
-    Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2++]);
-    Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>24);
-    Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>16);
-    Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>8);
-    Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2++]);
-  }
-#else /* !USE_32BIT_ONLY */
-  for (i = 0; i < HashSize; ++i)
-    Message_Digest[i] = (uint8_t)
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 66]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-      (context->Intermediate_Hash[i>>3] >> 8 * ( 7 - ( i % 8 ) ));
-#endif /* USE_32BIT_ONLY */
-
-  return shaSuccess;
-}
-
-8.2.4.  usha.c
-
-/**************************** usha.c ****************************/
-/******************** See RFC 4634 for details ******************/
-/*
- *  Description:
- *     This file implements a unified interface to the SHA algorithms.
- */
-
-#include "sha.h"
-
-/*
- *  USHAReset
- *
- *  Description:
- *      This function will initialize the SHA Context in preparation
- *      for computing a new SHA message digest.
- *
- *  Parameters:
- *      context: [in/out]
- *          The context to reset.
- *      whichSha: [in]
- *          Selects which SHA reset to call
- *
- *  Returns:
- *      sha Error Code.
- *
- */
-int USHAReset(USHAContext *ctx, enum SHAversion whichSha)
-{
-  if (ctx) {
-    ctx->whichSha = whichSha;
-    switch (whichSha) {
-      case SHA1:   return SHA1Reset((SHA1Context*)&ctx->ctx);
-      case SHA224: return SHA224Reset((SHA224Context*)&ctx->ctx);
-      case SHA256: return SHA256Reset((SHA256Context*)&ctx->ctx);
-      case SHA384: return SHA384Reset((SHA384Context*)&ctx->ctx);
-      case SHA512: return SHA512Reset((SHA512Context*)&ctx->ctx);
-      default: return shaBadParam;
-    }
-  } else {
-    return shaNull;
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 67]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-  }
-}
-
-/*
- *  USHAInput
- *
- *  Description:
- *      This function accepts an array of octets as the next portion
- *      of the message.
- *
- *  Parameters:
- *      context: [in/out]
- *          The SHA context to update
- *      message_array: [in]
- *          An array of characters representing the next portion of
- *          the message.
- *      length: [in]
- *          The length of the message in message_array
- *
- *  Returns:
- *      sha Error Code.
- *
- */
-int USHAInput(USHAContext *ctx,
-              const uint8_t *bytes, unsigned int bytecount)
-{
-  if (ctx) {
-    switch (ctx->whichSha) {
-      case SHA1:
-        return SHA1Input((SHA1Context*)&ctx->ctx, bytes, bytecount);
-      case SHA224:
-        return SHA224Input((SHA224Context*)&ctx->ctx, bytes,
-            bytecount);
-      case SHA256:
-        return SHA256Input((SHA256Context*)&ctx->ctx, bytes,
-            bytecount);
-      case SHA384:
-        return SHA384Input((SHA384Context*)&ctx->ctx, bytes,
-            bytecount);
-      case SHA512:
-        return SHA512Input((SHA512Context*)&ctx->ctx, bytes,
-            bytecount);
-      default: return shaBadParam;
-    }
-  } else {
-    return shaNull;
-  }
-}
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 68]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-/*
- * USHAFinalBits
- *
- * Description:
- *   This function will add in any final bits of the message.
- *
- * Parameters:
- *   context: [in/out]
- *     The SHA context to update
- *   message_bits: [in]
- *     The final bits of the message, in the upper portion of the
- *     byte. (Use 0b###00000 instead of 0b00000### to input the
- *     three bits ###.)
- *   length: [in]
- *     The number of bits in message_bits, between 1 and 7.
- *
- * Returns:
- *   sha Error Code.
- */
-int USHAFinalBits(USHAContext *ctx,
-                  const uint8_t bits, unsigned int bitcount)
-{
-  if (ctx) {
-    switch (ctx->whichSha) {
-      case SHA1:
-        return SHA1FinalBits((SHA1Context*)&ctx->ctx, bits, bitcount);
-      case SHA224:
-        return SHA224FinalBits((SHA224Context*)&ctx->ctx, bits,
-            bitcount);
-      case SHA256:
-        return SHA256FinalBits((SHA256Context*)&ctx->ctx, bits,
-            bitcount);
-      case SHA384:
-        return SHA384FinalBits((SHA384Context*)&ctx->ctx, bits,
-            bitcount);
-      case SHA512:
-        return SHA512FinalBits((SHA512Context*)&ctx->ctx, bits,
-            bitcount);
-      default: return shaBadParam;
-    }
-  } else {
-    return shaNull;
-  }
-}
-
-/*
- * USHAResult
- *
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 69]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
- * Description:
- *   This function will return the 160-bit message digest into the
- *   Message_Digest array provided by the caller.
- *   NOTE: The first octet of hash is stored in the 0th element,
- *      the last octet of hash in the 19th element.
- *
- * Parameters:
- *   context: [in/out]
- *     The context to use to calculate the SHA-1 hash.
- *   Message_Digest: [out]
- *     Where the digest is returned.
- *
- * Returns:
- *   sha Error Code.
- *
- */
-int USHAResult(USHAContext *ctx,
-               uint8_t Message_Digest[USHAMaxHashSize])
-{
-  if (ctx) {
-    switch (ctx->whichSha) {
-      case SHA1:
-        return SHA1Result((SHA1Context*)&ctx->ctx, Message_Digest);
-      case SHA224:
-        return SHA224Result((SHA224Context*)&ctx->ctx, Message_Digest);
-      case SHA256:
-        return SHA256Result((SHA256Context*)&ctx->ctx, Message_Digest);
-      case SHA384:
-        return SHA384Result((SHA384Context*)&ctx->ctx, Message_Digest);
-      case SHA512:
-        return SHA512Result((SHA512Context*)&ctx->ctx, Message_Digest);
-      default: return shaBadParam;
-    }
-  } else {
-    return shaNull;
-  }
-}
-
-/*
- * USHABlockSize
- *
- * Description:
- *   This function will return the blocksize for the given SHA
- *   algorithm.
- *
- * Parameters:
- *   whichSha:
- *     which SHA algorithm to query
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 70]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
- *
- * Returns:
- *   block size
- *
- */
-int USHABlockSize(enum SHAversion whichSha)
-{
-  switch (whichSha) {
-    case SHA1:   return SHA1_Message_Block_Size;
-    case SHA224: return SHA224_Message_Block_Size;
-    case SHA256: return SHA256_Message_Block_Size;
-    case SHA384: return SHA384_Message_Block_Size;
-    default:
-    case SHA512: return SHA512_Message_Block_Size;
-  }
-}
-
-/*
- * USHAHashSize
- *
- * Description:
- *   This function will return the hashsize for the given SHA
- *   algorithm.
- *
- * Parameters:
- *   whichSha:
- *     which SHA algorithm to query
- *
- * Returns:
- *   hash size
- *
- */
-int USHAHashSize(enum SHAversion whichSha)
-{
-  switch (whichSha) {
-    case SHA1:   return SHA1HashSize;
-    case SHA224: return SHA224HashSize;
-    case SHA256: return SHA256HashSize;
-    case SHA384: return SHA384HashSize;
-    default:
-    case SHA512: return SHA512HashSize;
-  }
-}
-
-/*
- * USHAHashSizeBits
- *
- * Description:
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 71]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
- *   This function will return the hashsize for the given SHA
- *   algorithm, expressed in bits.
- *
- * Parameters:
- *   whichSha:
- *     which SHA algorithm to query
- *
- * Returns:
- *   hash size in bits
- *
- */
-int USHAHashSizeBits(enum SHAversion whichSha)
-{
-  switch (whichSha) {
-    case SHA1:   return SHA1HashSizeBits;
-    case SHA224: return SHA224HashSizeBits;
-    case SHA256: return SHA256HashSizeBits;
-    case SHA384: return SHA384HashSizeBits;
-    default:
-    case SHA512: return SHA512HashSizeBits;
-  }
-}
-
-8.2.5.  sha-private.h
-
-/*************************** sha-private.h ***************************/
-/********************** See RFC 4634 for details *********************/
-#ifndef _SHA_PRIVATE__H
-#define _SHA_PRIVATE__H
-/*
- * These definitions are defined in FIPS-180-2, section 4.1.
- * Ch() and Maj() are defined identically in sections 4.1.1,
- * 4.1.2 and 4.1.3.
- *
- * The definitions used in FIPS-180-2 are as follows:
- */
-
-#ifndef USE_MODIFIED_MACROS
-#define SHA_Ch(x,y,z)        (((x) & (y)) ^ ((~(x)) & (z)))
-#define SHA_Maj(x,y,z)       (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
-
-#else /* USE_MODIFIED_MACROS */
-/*
- * The following definitions are equivalent and potentially faster.
- */
-
-#define SHA_Ch(x, y, z)      (((x) & ((y) ^ (z))) ^ (z))
-#define SHA_Maj(x, y, z)     (((x) & ((y) | (z))) | ((y) & (z)))
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 72]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-#endif /* USE_MODIFIED_MACROS */
-
-#define SHA_Parity(x, y, z)  ((x) ^ (y) ^ (z))
-
-#endif /* _SHA_PRIVATE__H */
-
-8.3 The HMAC Code
-
-/**************************** hmac.c ****************************/
-/******************** See RFC 4634 for details ******************/
-/*
- *  Description:
- *      This file implements the HMAC algorithm (Keyed-Hashing for
- *      Message Authentication, RFC2104), expressed in terms of the
- *      various SHA algorithms.
- */
-
-#include "sha.h"
-
-/*
- *  hmac
- *
- *  Description:
- *      This function will compute an HMAC message digest.
- *
- *  Parameters:
- *      whichSha: [in]
- *          One of SHA1, SHA224, SHA256, SHA384, SHA512
- *      key: [in]
- *          The secret shared key.
- *      key_len: [in]
- *          The length of the secret shared key.
- *      message_array: [in]
- *          An array of characters representing the message.
- *      length: [in]
- *          The length of the message in message_array
- *      digest: [out]
- *          Where the digest is returned.
- *          NOTE: The length of the digest is determined by
- *              the value of whichSha.
- *
- *  Returns:
- *      sha Error Code.
- *
- */
-int hmac(SHAversion whichSha, const unsigned char *text, int text_len,
-    const unsigned char *key, int key_len,
-    uint8_t digest[USHAMaxHashSize])
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 73]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-{
-  HMACContext ctx;
-  return hmacReset(&ctx, whichSha, key, key_len) ||
-         hmacInput(&ctx, text, text_len) ||
-         hmacResult(&ctx, digest);
-}
-
-/*
- *  hmacReset
- *
- *  Description:
- *      This function will initialize the hmacContext in preparation
- *      for computing a new HMAC message digest.
- *
- *  Parameters:
- *      context: [in/out]
- *          The context to reset.
- *      whichSha: [in]
- *          One of SHA1, SHA224, SHA256, SHA384, SHA512
- *      key: [in]
- *          The secret shared key.
- *      key_len: [in]
- *          The length of the secret shared key.
- *
- *  Returns:
- *      sha Error Code.
- *
- */
-int hmacReset(HMACContext *ctx, enum SHAversion whichSha,
-    const unsigned char *key, int key_len)
-{
-  int i, blocksize, hashsize;
-
-  /* inner padding - key XORd with ipad */
-  unsigned char k_ipad[USHA_Max_Message_Block_Size];
-
-  /* temporary buffer when keylen > blocksize */
-  unsigned char tempkey[USHAMaxHashSize];
-
-  if (!ctx) return shaNull;
-
-  blocksize = ctx->blockSize = USHABlockSize(whichSha);
-  hashsize = ctx->hashSize = USHAHashSize(whichSha);
-
-  ctx->whichSha = whichSha;
-
-  /*
-   * If key is longer than the hash blocksize,
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 74]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-   * reset it to key = HASH(key).
-   */
-  if (key_len > blocksize) {
-    USHAContext tctx;
-    int err = USHAReset(&tctx, whichSha) ||
-              USHAInput(&tctx, key, key_len) ||
-              USHAResult(&tctx, tempkey);
-    if (err != shaSuccess) return err;
-
-    key = tempkey;
-    key_len = hashsize;
-  }
-
-  /*
-   * The HMAC transform looks like:
-   *
-   * SHA(K XOR opad, SHA(K XOR ipad, text))
-   *
-   * where K is an n byte key.
-   * ipad is the byte 0x36 repeated blocksize times
-   * opad is the byte 0x5c repeated blocksize times
-   * and text is the data being protected.
-   */
-
-  /* store key into the pads, XOR'd with ipad and opad values */
-  for (i = 0; i < key_len; i++) {
-    k_ipad[i] = key[i] ^ 0x36;
-    ctx->k_opad[i] = key[i] ^ 0x5c;
-  }
-  /* remaining pad bytes are '\0' XOR'd with ipad and opad values */
-  for ( ; i < blocksize; i++) {
-    k_ipad[i] = 0x36;
-    ctx->k_opad[i] = 0x5c;
-  }
-
-  /* perform inner hash */
-  /* init context for 1st pass */
-  return USHAReset(&ctx->shaContext, whichSha) ||
-         /* and start with inner pad */
-         USHAInput(&ctx->shaContext, k_ipad, blocksize);
-}
-
-/*
- *  hmacInput
- *
- *  Description:
- *      This function accepts an array of octets as the next portion
- *      of the message.
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 75]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
- *
- *  Parameters:
- *      context: [in/out]
- *          The HMAC context to update
- *      message_array: [in]
- *          An array of characters representing the next portion of
- *          the message.
- *      length: [in]
- *          The length of the message in message_array
- *
- *  Returns:
- *      sha Error Code.
- *
- */
-int hmacInput(HMACContext *ctx, const unsigned char *text,
-    int text_len)
-{
-  if (!ctx) return shaNull;
-  /* then text of datagram */
-  return USHAInput(&ctx->shaContext, text, text_len);
-}
-
-/*
- * HMACFinalBits
- *
- * Description:
- *   This function will add in any final bits of the message.
- *
- * Parameters:
- *   context: [in/out]
- *     The HMAC context to update
- *   message_bits: [in]
- *     The final bits of the message, in the upper portion of the
- *     byte. (Use 0b###00000 instead of 0b00000### to input the
- *     three bits ###.)
- *   length: [in]
- *     The number of bits in message_bits, between 1 and 7.
- *
- * Returns:
- *   sha Error Code.
- */
-int hmacFinalBits(HMACContext *ctx,
-    const uint8_t bits,
-    unsigned int bitcount)
-{
-  if (!ctx) return shaNull;
-  /* then final bits of datagram */
-  return USHAFinalBits(&ctx->shaContext, bits, bitcount);
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 76]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-}
-
-/*
- * HMACResult
- *
- * Description:
- *   This function will return the N-byte message digest into the
- *   Message_Digest array provided by the caller.
- *   NOTE: The first octet of hash is stored in the 0th element,
- *      the last octet of hash in the Nth element.
- *
- * Parameters:
- *   context: [in/out]
- *     The context to use to calculate the HMAC hash.
- *   digest: [out]
- *     Where the digest is returned.
- *   NOTE 2: The length of the hash is determined by the value of
- *      whichSha that was passed to hmacReset().
- *
- * Returns:
- *   sha Error Code.
- *
- */
-int hmacResult(HMACContext *ctx, uint8_t *digest)
-{
-  if (!ctx) return shaNull;
-
-  /* finish up 1st pass */
-  /* (Use digest here as a temporary buffer.) */
-  return USHAResult(&ctx->shaContext, digest) ||
-
-         /* perform outer SHA */
-         /* init context for 2nd pass */
-         USHAReset(&ctx->shaContext, ctx->whichSha) ||
-
-         /* start with outer pad */
-         USHAInput(&ctx->shaContext, ctx->k_opad, ctx->blockSize) ||
-
-         /* then results of 1st hash */
-         USHAInput(&ctx->shaContext, digest, ctx->hashSize) ||
-
-         /* finish up 2nd pass */
-         USHAResult(&ctx->shaContext, digest);
-}
-
-
-
-
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 77]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-8.4.  The Test Driver
-
-   The following code is a main program test driver to exercise the code
-   in sha1.c, sha224-256.c, and sha384-512.c.  The test driver can also
-   be used as a stand-alone program for generating the hashes.
-
-   See also [RFC2202], [RFC4231], and [SHAVS].
-
-/**************************** shatest.c ****************************/
-/********************* See RFC 4634 for details ********************/
-/*
- *  Description:
- *    This file will exercise the SHA code performing
- *      the three tests documented in FIPS PUB 180-2
- *        (http://csrc.nist.gov/publications/fips/
- *         fips180-2/fips180-2withchangenotice.pdf)
- *      one that calls SHAInput with an exact multiple of 512 bits
- *      the seven tests documented for each algorithm in
- *        "The Secure Hash Algorithm Validation System (SHAVS)",
- *        three of which are bit-level tests
- *        (http://csrc.nist.gov/cryptval/shs/SHAVS.pdf)
- *
- *    This file will exercise the HMAC SHA1 code performing
- *      the seven tests documented in RFCs 2202 and 4231.
- *
- *    To run the tests and just see PASSED/FAILED, use the -p option.
- *
- *    Other options exercise:
- *      hashing an arbitrary string
- *      hashing a file's contents
- *      a few error test checks
- *      printing the results in raw format
- *
- *  Portability Issues:
- *    None.
- *
- */
-
-#include <stdint.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <ctype.h>
-#include "sha.h"
-
-static int xgetopt(int argc, char **argv, const char *optstring);
-extern char *xoptarg;
-static int scasecmp(const char *s1, const char *s2);
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 78]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-/*
- *  Define patterns for testing
- */
-#define TEST1    "abc"
-#define TEST2_1  \
-        "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"
-#define TEST2_2a \
-        "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmn"
-#define TEST2_2b \
-        "hijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu"
-#define TEST2_2  TEST2_2a TEST2_2b
-#define TEST3    "a"                            /* times 1000000 */
-#define TEST4a   "01234567012345670123456701234567"
-#define TEST4b   "01234567012345670123456701234567"
-    /* an exact multiple of 512 bits */
-#define TEST4   TEST4a TEST4b                   /* times 10 */
-
-#define TEST7_1 \
-  "\x49\xb2\xae\xc2\x59\x4b\xbe\x3a\x3b\x11\x75\x42\xd9\x4a\xc8"
-#define TEST8_1 \
-  "\x9a\x7d\xfd\xf1\xec\xea\xd0\x6e\xd6\x46\xaa\x55\xfe\x75\x71\x46"
-#define TEST9_1 \
-  "\x65\xf9\x32\x99\x5b\xa4\xce\x2c\xb1\xb4\xa2\xe7\x1a\xe7\x02\x20" \
-  "\xaa\xce\xc8\x96\x2d\xd4\x49\x9c\xbd\x7c\x88\x7a\x94\xea\xaa\x10" \
-  "\x1e\xa5\xaa\xbc\x52\x9b\x4e\x7e\x43\x66\x5a\x5a\xf2\xcd\x03\xfe" \
-  "\x67\x8e\xa6\xa5\x00\x5b\xba\x3b\x08\x22\x04\xc2\x8b\x91\x09\xf4" \
-  "\x69\xda\xc9\x2a\xaa\xb3\xaa\x7c\x11\xa1\xb3\x2a"
-#define TEST10_1 \
-  "\xf7\x8f\x92\x14\x1b\xcd\x17\x0a\xe8\x9b\x4f\xba\x15\xa1\xd5\x9f" \
-  "\x3f\xd8\x4d\x22\x3c\x92\x51\xbd\xac\xbb\xae\x61\xd0\x5e\xd1\x15" \
-  "\xa0\x6a\x7c\xe1\x17\xb7\xbe\xea\xd2\x44\x21\xde\xd9\xc3\x25\x92" \
-  "\xbd\x57\xed\xea\xe3\x9c\x39\xfa\x1f\xe8\x94\x6a\x84\xd0\xcf\x1f" \
-  "\x7b\xee\xad\x17\x13\xe2\xe0\x95\x98\x97\x34\x7f\x67\xc8\x0b\x04" \
-  "\x00\xc2\x09\x81\x5d\x6b\x10\xa6\x83\x83\x6f\xd5\x56\x2a\x56\xca" \
-  "\xb1\xa2\x8e\x81\xb6\x57\x66\x54\x63\x1c\xf1\x65\x66\xb8\x6e\x3b" \
-  "\x33\xa1\x08\xb0\x53\x07\xc0\x0a\xff\x14\xa7\x68\xed\x73\x50\x60" \
-  "\x6a\x0f\x85\xe6\xa9\x1d\x39\x6f\x5b\x5c\xbe\x57\x7f\x9b\x38\x80" \
-  "\x7c\x7d\x52\x3d\x6d\x79\x2f\x6e\xbc\x24\xa4\xec\xf2\xb3\xa4\x27" \
-  "\xcd\xbb\xfb"
-#define TEST7_224 \
-  "\xf0\x70\x06\xf2\x5a\x0b\xea\x68\xcd\x76\xa2\x95\x87\xc2\x8d"
-#define TEST8_224 \
-  "\x18\x80\x40\x05\xdd\x4f\xbd\x15\x56\x29\x9d\x6f\x9d\x93\xdf\x62"
-#define TEST9_224 \
-  "\xa2\xbe\x6e\x46\x32\x81\x09\x02\x94\xd9\xce\x94\x82\x65\x69\x42" \
-  "\x3a\x3a\x30\x5e\xd5\xe2\x11\x6c\xd4\xa4\xc9\x87\xfc\x06\x57\x00" \
-  "\x64\x91\xb1\x49\xcc\xd4\xb5\x11\x30\xac\x62\xb1\x9d\xc2\x48\xc7" \
-  "\x44\x54\x3d\x20\xcd\x39\x52\xdc\xed\x1f\x06\xcc\x3b\x18\xb9\x1f" \
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 79]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-  "\x3f\x55\x63\x3e\xcc\x30\x85\xf4\x90\x70\x60\xd2"
-#define TEST10_224 \
-  "\x55\xb2\x10\x07\x9c\x61\xb5\x3a\xdd\x52\x06\x22\xd1\xac\x97\xd5" \
-  "\xcd\xbe\x8c\xb3\x3a\xa0\xae\x34\x45\x17\xbe\xe4\xd7\xba\x09\xab" \
-  "\xc8\x53\x3c\x52\x50\x88\x7a\x43\xbe\xbb\xac\x90\x6c\x2e\x18\x37" \
-  "\xf2\x6b\x36\xa5\x9a\xe3\xbe\x78\x14\xd5\x06\x89\x6b\x71\x8b\x2a" \
-  "\x38\x3e\xcd\xac\x16\xb9\x61\x25\x55\x3f\x41\x6f\xf3\x2c\x66\x74" \
-  "\xc7\x45\x99\xa9\x00\x53\x86\xd9\xce\x11\x12\x24\x5f\x48\xee\x47" \
-  "\x0d\x39\x6c\x1e\xd6\x3b\x92\x67\x0c\xa5\x6e\xc8\x4d\xee\xa8\x14" \
-  "\xb6\x13\x5e\xca\x54\x39\x2b\xde\xdb\x94\x89\xbc\x9b\x87\x5a\x8b" \
-  "\xaf\x0d\xc1\xae\x78\x57\x36\x91\x4a\xb7\xda\xa2\x64\xbc\x07\x9d" \
-  "\x26\x9f\x2c\x0d\x7e\xdd\xd8\x10\xa4\x26\x14\x5a\x07\x76\xf6\x7c" \
-  "\x87\x82\x73"
-#define TEST7_256 \
-  "\xbe\x27\x46\xc6\xdb\x52\x76\x5f\xdb\x2f\x88\x70\x0f\x9a\x73"
-#define TEST8_256 \
-  "\xe3\xd7\x25\x70\xdc\xdd\x78\x7c\xe3\x88\x7a\xb2\xcd\x68\x46\x52"
-#define TEST9_256 \
-  "\x3e\x74\x03\x71\xc8\x10\xc2\xb9\x9f\xc0\x4e\x80\x49\x07\xef\x7c" \
-  "\xf2\x6b\xe2\x8b\x57\xcb\x58\xa3\xe2\xf3\xc0\x07\x16\x6e\x49\xc1" \
-  "\x2e\x9b\xa3\x4c\x01\x04\x06\x91\x29\xea\x76\x15\x64\x25\x45\x70" \
-  "\x3a\x2b\xd9\x01\xe1\x6e\xb0\xe0\x5d\xeb\xa0\x14\xeb\xff\x64\x06" \
-  "\xa0\x7d\x54\x36\x4e\xff\x74\x2d\xa7\x79\xb0\xb3"
-#define TEST10_256 \
-  "\x83\x26\x75\x4e\x22\x77\x37\x2f\x4f\xc1\x2b\x20\x52\x7a\xfe\xf0" \
-  "\x4d\x8a\x05\x69\x71\xb1\x1a\xd5\x71\x23\xa7\xc1\x37\x76\x00\x00" \
-  "\xd7\xbe\xf6\xf3\xc1\xf7\xa9\x08\x3a\xa3\x9d\x81\x0d\xb3\x10\x77" \
-  "\x7d\xab\x8b\x1e\x7f\x02\xb8\x4a\x26\xc7\x73\x32\x5f\x8b\x23\x74" \
-  "\xde\x7a\x4b\x5a\x58\xcb\x5c\x5c\xf3\x5b\xce\xe6\xfb\x94\x6e\x5b" \
-  "\xd6\x94\xfa\x59\x3a\x8b\xeb\x3f\x9d\x65\x92\xec\xed\xaa\x66\xca" \
-  "\x82\xa2\x9d\x0c\x51\xbc\xf9\x33\x62\x30\xe5\xd7\x84\xe4\xc0\xa4" \
-  "\x3f\x8d\x79\xa3\x0a\x16\x5c\xba\xbe\x45\x2b\x77\x4b\x9c\x71\x09" \
-  "\xa9\x7d\x13\x8f\x12\x92\x28\x96\x6f\x6c\x0a\xdc\x10\x6a\xad\x5a" \
-  "\x9f\xdd\x30\x82\x57\x69\xb2\xc6\x71\xaf\x67\x59\xdf\x28\xeb\x39" \
-  "\x3d\x54\xd6"
-#define TEST7_384 \
-  "\x8b\xc5\x00\xc7\x7c\xee\xd9\x87\x9d\xa9\x89\x10\x7c\xe0\xaa"
-#define TEST8_384 \
-  "\xa4\x1c\x49\x77\x79\xc0\x37\x5f\xf1\x0a\x7f\x4e\x08\x59\x17\x39"
-#define TEST9_384 \
-  "\x68\xf5\x01\x79\x2d\xea\x97\x96\x76\x70\x22\xd9\x3d\xa7\x16\x79" \
-  "\x30\x99\x20\xfa\x10\x12\xae\xa3\x57\xb2\xb1\x33\x1d\x40\xa1\xd0" \
-  "\x3c\x41\xc2\x40\xb3\xc9\xa7\x5b\x48\x92\xf4\xc0\x72\x4b\x68\xc8" \
-  "\x75\x32\x1a\xb8\xcf\xe5\x02\x3b\xd3\x75\xbc\x0f\x94\xbd\x89\xfe" \
-  "\x04\xf2\x97\x10\x5d\x7b\x82\xff\xc0\x02\x1a\xeb\x1c\xcb\x67\x4f" \
-  "\x52\x44\xea\x34\x97\xde\x26\xa4\x19\x1c\x5f\x62\xe5\xe9\xa2\xd8" \
-  "\x08\x2f\x05\x51\xf4\xa5\x30\x68\x26\xe9\x1c\xc0\x06\xce\x1b\xf6" \
-  "\x0f\xf7\x19\xd4\x2f\xa5\x21\xc8\x71\xcd\x23\x94\xd9\x6e\xf4\x46" \
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 80]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-  "\x8f\x21\x96\x6b\x41\xf2\xba\x80\xc2\x6e\x83\xa9"
-#define TEST10_384 \
-  "\x39\x96\x69\xe2\x8f\x6b\x9c\x6d\xbc\xbb\x69\x12\xec\x10\xff\xcf" \
-  "\x74\x79\x03\x49\xb7\xdc\x8f\xbe\x4a\x8e\x7b\x3b\x56\x21\xdb\x0f" \
-  "\x3e\x7d\xc8\x7f\x82\x32\x64\xbb\xe4\x0d\x18\x11\xc9\xea\x20\x61" \
-  "\xe1\xc8\x4a\xd1\x0a\x23\xfa\xc1\x72\x7e\x72\x02\xfc\x3f\x50\x42" \
-  "\xe6\xbf\x58\xcb\xa8\xa2\x74\x6e\x1f\x64\xf9\xb9\xea\x35\x2c\x71" \
-  "\x15\x07\x05\x3c\xf4\xe5\x33\x9d\x52\x86\x5f\x25\xcc\x22\xb5\xe8" \
-  "\x77\x84\xa1\x2f\xc9\x61\xd6\x6c\xb6\xe8\x95\x73\x19\x9a\x2c\xe6" \
-  "\x56\x5c\xbd\xf1\x3d\xca\x40\x38\x32\xcf\xcb\x0e\x8b\x72\x11\xe8" \
-  "\x3a\xf3\x2a\x11\xac\x17\x92\x9f\xf1\xc0\x73\xa5\x1c\xc0\x27\xaa" \
-  "\xed\xef\xf8\x5a\xad\x7c\x2b\x7c\x5a\x80\x3e\x24\x04\xd9\x6d\x2a" \
-  "\x77\x35\x7b\xda\x1a\x6d\xae\xed\x17\x15\x1c\xb9\xbc\x51\x25\xa4" \
-  "\x22\xe9\x41\xde\x0c\xa0\xfc\x50\x11\xc2\x3e\xcf\xfe\xfd\xd0\x96" \
-  "\x76\x71\x1c\xf3\xdb\x0a\x34\x40\x72\x0e\x16\x15\xc1\xf2\x2f\xbc" \
-  "\x3c\x72\x1d\xe5\x21\xe1\xb9\x9b\xa1\xbd\x55\x77\x40\x86\x42\x14" \
-  "\x7e\xd0\x96"
-#define TEST7_512 \
-  "\x08\xec\xb5\x2e\xba\xe1\xf7\x42\x2d\xb6\x2b\xcd\x54\x26\x70"
-#define TEST8_512 \
-  "\x8d\x4e\x3c\x0e\x38\x89\x19\x14\x91\x81\x6e\x9d\x98\xbf\xf0\xa0"
-#define TEST9_512 \
-  "\x3a\xdd\xec\x85\x59\x32\x16\xd1\x61\x9a\xa0\x2d\x97\x56\x97\x0b" \
-  "\xfc\x70\xac\xe2\x74\x4f\x7c\x6b\x27\x88\x15\x10\x28\xf7\xb6\xa2" \
-  "\x55\x0f\xd7\x4a\x7e\x6e\x69\xc2\xc9\xb4\x5f\xc4\x54\x96\x6d\xc3" \
-  "\x1d\x2e\x10\xda\x1f\x95\xce\x02\xbe\xb4\xbf\x87\x65\x57\x4c\xbd" \
-  "\x6e\x83\x37\xef\x42\x0a\xdc\x98\xc1\x5c\xb6\xd5\xe4\xa0\x24\x1b" \
-  "\xa0\x04\x6d\x25\x0e\x51\x02\x31\xca\xc2\x04\x6c\x99\x16\x06\xab" \
-  "\x4e\xe4\x14\x5b\xee\x2f\xf4\xbb\x12\x3a\xab\x49\x8d\x9d\x44\x79" \
-  "\x4f\x99\xcc\xad\x89\xa9\xa1\x62\x12\x59\xed\xa7\x0a\x5b\x6d\xd4" \
-  "\xbd\xd8\x77\x78\xc9\x04\x3b\x93\x84\xf5\x49\x06"
-#define TEST10_512 \
-  "\xa5\x5f\x20\xc4\x11\xaa\xd1\x32\x80\x7a\x50\x2d\x65\x82\x4e\x31" \
-  "\xa2\x30\x54\x32\xaa\x3d\x06\xd3\xe2\x82\xa8\xd8\x4e\x0d\xe1\xde" \
-  "\x69\x74\xbf\x49\x54\x69\xfc\x7f\x33\x8f\x80\x54\xd5\x8c\x26\xc4" \
-  "\x93\x60\xc3\xe8\x7a\xf5\x65\x23\xac\xf6\xd8\x9d\x03\xe5\x6f\xf2" \
-  "\xf8\x68\x00\x2b\xc3\xe4\x31\xed\xc4\x4d\xf2\xf0\x22\x3d\x4b\xb3" \
-  "\xb2\x43\x58\x6e\x1a\x7d\x92\x49\x36\x69\x4f\xcb\xba\xf8\x8d\x95" \
-  "\x19\xe4\xeb\x50\xa6\x44\xf8\xe4\xf9\x5e\xb0\xea\x95\xbc\x44\x65" \
-  "\xc8\x82\x1a\xac\xd2\xfe\x15\xab\x49\x81\x16\x4b\xbb\x6d\xc3\x2f" \
-  "\x96\x90\x87\xa1\x45\xb0\xd9\xcc\x9c\x67\xc2\x2b\x76\x32\x99\x41" \
-  "\x9c\xc4\x12\x8b\xe9\xa0\x77\xb3\xac\xe6\x34\x06\x4e\x6d\x99\x28" \
-  "\x35\x13\xdc\x06\xe7\x51\x5d\x0d\x73\x13\x2e\x9a\x0d\xc6\xd3\xb1" \
-  "\xf8\xb2\x46\xf1\xa9\x8a\x3f\xc7\x29\x41\xb1\xe3\xbb\x20\x98\xe8" \
-  "\xbf\x16\xf2\x68\xd6\x4f\x0b\x0f\x47\x07\xfe\x1e\xa1\xa1\x79\x1b" \
-  "\xa2\xf3\xc0\xc7\x58\xe5\xf5\x51\x86\x3a\x96\xc9\x49\xad\x47\xd7" \
-  "\xfb\x40\xd2"
-#define SHA1_SEED "\xd0\x56\x9c\xb3\x66\x5a\x8a\x43\xeb\x6e\xa2\x3d" \
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 81]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-  "\x75\xa3\xc4\xd2\x05\x4a\x0d\x7d"
-#define SHA224_SEED "\xd0\x56\x9c\xb3\x66\x5a\x8a\x43\xeb\x6e\xa2" \
-  "\x3d\x75\xa3\xc4\xd2\x05\x4a\x0d\x7d\x66\xa9\xca\x99\xc9\xce\xb0" \
-  "\x27"
-#define SHA256_SEED "\xf4\x1e\xce\x26\x13\xe4\x57\x39\x15\x69\x6b" \
-  "\x5a\xdc\xd5\x1c\xa3\x28\xbe\x3b\xf5\x66\xa9\xca\x99\xc9\xce\xb0" \
-  "\x27\x9c\x1c\xb0\xa7"
-#define SHA384_SEED "\x82\x40\xbc\x51\xe4\xec\x7e\xf7\x6d\x18\xe3" \
-  "\x52\x04\xa1\x9f\x51\xa5\x21\x3a\x73\xa8\x1d\x6f\x94\x46\x80\xd3" \
-  "\x07\x59\x48\xb7\xe4\x63\x80\x4e\xa3\xd2\x6e\x13\xea\x82\x0d\x65" \
-  "\xa4\x84\xbe\x74\x53"
-#define SHA512_SEED "\x47\x3f\xf1\xb9\xb3\xff\xdf\xa1\x26\x69\x9a" \
-  "\xc7\xef\x9e\x8e\x78\x77\x73\x09\x58\x24\xc6\x42\x55\x7c\x13\x99" \
-  "\xd9\x8e\x42\x20\x44\x8d\xc3\x5b\x99\xbf\xdd\x44\x77\x95\x43\x92" \
-  "\x4c\x1c\xe9\x3b\xc5\x94\x15\x38\x89\x5d\xb9\x88\x26\x1b\x00\x77" \
-  "\x4b\x12\x27\x20\x39"
-
-#define TESTCOUNT 10
-#define HASHCOUNT 5
-#define RANDOMCOUNT 4
-#define HMACTESTCOUNT 7
-
-#define PRINTNONE 0
-#define PRINTTEXT 1
-#define PRINTRAW 2
-#define PRINTHEX 3
-#define PRINTBASE64 4
-
-#define PRINTPASSFAIL 1
-#define PRINTFAIL 2
-
-#define length(x) (sizeof(x)-1)
-
-/* Test arrays for hashes. */
-struct hash {
-    const char *name;
-    SHAversion whichSha;
-    int hashsize;
-    struct {
-        const char *testarray;
-        int length;
-        long repeatcount;
-        int extrabits;
-        int numberExtrabits;
-        const char *resultarray;
-    } tests[TESTCOUNT];
-    const char *randomtest;
-    const char *randomresults[RANDOMCOUNT];
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 82]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-} hashes[HASHCOUNT] = {
-  { "SHA1", SHA1, SHA1HashSize,
-    {
-      /* 1 */ { TEST1, length(TEST1), 1, 0, 0,
-        "A9993E364706816ABA3E25717850C26C9CD0D89D" },
-      /* 2 */ { TEST2_1, length(TEST2_1), 1, 0, 0,
-        "84983E441C3BD26EBAAE4AA1F95129E5E54670F1" },
-      /* 3 */ { TEST3, length(TEST3), 1000000, 0, 0,
-        "34AA973CD4C4DAA4F61EEB2BDBAD27316534016F" },
-      /* 4 */ { TEST4, length(TEST4), 10, 0, 0,
-        "DEA356A2CDDD90C7A7ECEDC5EBB563934F460452" },
-      /* 5 */ { "", 0, 0, 0x98, 5,
-        "29826B003B906E660EFF4027CE98AF3531AC75BA" },
-      /* 6 */ { "\x5e", 1, 1, 0, 0,
-        "5E6F80A34A9798CAFC6A5DB96CC57BA4C4DB59C2" },
-      /* 7 */ { TEST7_1, length(TEST7_1), 1, 0x80, 3,
-        "6239781E03729919C01955B3FFA8ACB60B988340" },
-      /* 8 */ { TEST8_1, length(TEST8_1), 1, 0, 0,
-        "82ABFF6605DBE1C17DEF12A394FA22A82B544A35" },
-      /* 9 */ { TEST9_1, length(TEST9_1), 1, 0xE0, 3,
-        "8C5B2A5DDAE5A97FC7F9D85661C672ADBF7933D4" },
-      /* 10 */ { TEST10_1, length(TEST10_1), 1, 0, 0,
-        "CB0082C8F197D260991BA6A460E76E202BAD27B3" }
-    }, SHA1_SEED, { "E216836819477C7F78E0D843FE4FF1B6D6C14CD4",
-        "A2DBC7A5B1C6C0A8BCB7AAA41252A6A7D0690DBC",
-        "DB1F9050BB863DFEF4CE37186044E2EEB17EE013",
-        "127FDEDF43D372A51D5747C48FBFFE38EF6CDF7B"
-     } },
-  { "SHA224", SHA224, SHA224HashSize,
-    {
-      /* 1 */ { TEST1, length(TEST1), 1, 0, 0,
-        "23097D223405D8228642A477BDA255B32AADBCE4BDA0B3F7E36C9DA7" },
-      /* 2 */ { TEST2_1, length(TEST2_1), 1, 0, 0,
-        "75388B16512776CC5DBA5DA1FD890150B0C6455CB4F58B1952522525" },
-      /* 3 */ { TEST3, length(TEST3), 1000000, 0, 0,
-        "20794655980C91D8BBB4C1EA97618A4BF03F42581948B2EE4EE7AD67" },
-      /* 4 */ { TEST4, length(TEST4), 10, 0, 0,
-        "567F69F168CD7844E65259CE658FE7AADFA25216E68ECA0EB7AB8262" },
-      /* 5 */ { "", 0, 0, 0x68, 5,
-        "E3B048552C3C387BCAB37F6EB06BB79B96A4AEE5FF27F51531A9551C" },
-      /* 6 */ { "\x07", 1, 1, 0, 0,
-        "00ECD5F138422B8AD74C9799FD826C531BAD2FCABC7450BEE2AA8C2A" },
-      /* 7 */ { TEST7_224, length(TEST7_224), 1, 0xA0, 3,
-        "1B01DB6CB4A9E43DED1516BEB3DB0B87B6D1EA43187462C608137150" },
-      /* 8 */ { TEST8_224, length(TEST8_224), 1, 0, 0,
-        "DF90D78AA78821C99B40BA4C966921ACCD8FFB1E98AC388E56191DB1" },
-      /* 9 */ { TEST9_224, length(TEST9_224), 1, 0xE0, 3,
-        "54BEA6EAB8195A2EB0A7906A4B4A876666300EEFBD1F3B8474F9CD57" },
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 83]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-      /* 10 */ { TEST10_224, length(TEST10_224), 1, 0, 0,
-        "0B31894EC8937AD9B91BDFBCBA294D9ADEFAA18E09305E9F20D5C3A4" }
-    }, SHA224_SEED, { "100966A5B4FDE0B42E2A6C5953D4D7F41BA7CF79FD"
-        "2DF431416734BE", "1DCA396B0C417715DEFAAE9641E10A2E99D55A"
-        "BCB8A00061EB3BE8BD", "1864E627BDB2319973CD5ED7D68DA71D8B"
-        "F0F983D8D9AB32C34ADB34", "A2406481FC1BCAF24DD08E6752E844"
-        "709563FB916227FED598EB621F"
-     } },
-  { "SHA256", SHA256, SHA256HashSize,
-  {
-      /* 1 */ { TEST1, length(TEST1), 1, 0, 0, "BA7816BF8F01CFEA4141"
-        "40DE5DAE2223B00361A396177A9CB410FF61F20015AD" },
-      /* 2 */ { TEST2_1, length(TEST2_1), 1, 0, 0, "248D6A61D20638B8"
-        "E5C026930C3E6039A33CE45964FF2167F6ECEDD419DB06C1" },
-      /* 3 */ { TEST3, length(TEST3), 1000000, 0, 0, "CDC76E5C9914FB92"
-        "81A1C7E284D73E67F1809A48A497200E046D39CCC7112CD0" },
-      /* 4 */ { TEST4, length(TEST4), 10, 0, 0, "594847328451BDFA"
-        "85056225462CC1D867D877FB388DF0CE35F25AB5562BFBB5" },
-      /* 5 */ { "", 0, 0, 0x68, 5, "D6D3E02A31A84A8CAA9718ED6C2057BE"
-        "09DB45E7823EB5079CE7A573A3760F95" },
-      /* 6 */ { "\x19", 1, 1, 0, 0, "68AA2E2EE5DFF96E3355E6C7EE373E3D"
-        "6A4E17F75F9518D843709C0C9BC3E3D4" },
-      /* 7 */ { TEST7_256, length(TEST7_256), 1, 0x60, 3, "77EC1DC8"
-        "9C821FF2A1279089FA091B35B8CD960BCAF7DE01C6A7680756BEB972" },
-      /* 8 */ { TEST8_256, length(TEST8_256), 1, 0, 0, "175EE69B02BA"
-        "9B58E2B0A5FD13819CEA573F3940A94F825128CF4209BEABB4E8" },
-      /* 9 */ { TEST9_256, length(TEST9_256), 1, 0xA0, 3, "3E9AD646"
-        "8BBBAD2AC3C2CDC292E018BA5FD70B960CF1679777FCE708FDB066E9" },
-      /* 10 */ { TEST10_256, length(TEST10_256), 1, 0, 0, "97DBCA7D"
-        "F46D62C8A422C941DD7E835B8AD3361763F7E9B2D95F4F0DA6E1CCBC" },
-    }, SHA256_SEED, { "83D28614D49C3ADC1D6FC05DB5F48037C056F8D2A4CE44"
-        "EC6457DEA5DD797CD1", "99DBE3127EF2E93DD9322D6A07909EB33B6399"
-        "5E529B3F954B8581621BB74D39", "8D4BE295BB64661CA3C7EFD129A2F7"
-        "25B33072DBDDE32385B9A87B9AF88EA76F", "40AF5D3F9716B040DF9408"
-        "E31536B70FF906EC51B00447CA97D7DD97C12411F4"
-    } },
-  { "SHA384", SHA384, SHA384HashSize,
-    {
-      /* 1 */ { TEST1, length(TEST1), 1, 0, 0,
-        "CB00753F45A35E8BB5A03D699AC65007272C32AB0EDED163"
-        "1A8B605A43FF5BED8086072BA1E7CC2358BAECA134C825A7" },
-      /* 2 */ { TEST2_2, length(TEST2_2), 1, 0, 0,
-        "09330C33F71147E83D192FC782CD1B4753111B173B3B05D2"
-        "2FA08086E3B0F712FCC7C71A557E2DB966C3E9FA91746039" },
-      /* 3 */ { TEST3, length(TEST3), 1000000, 0, 0,
-        "9D0E1809716474CB086E834E310A4A1CED149E9C00F24852"
-        "7972CEC5704C2A5B07B8B3DC38ECC4EBAE97DDD87F3D8985" },
-      /* 4 */ { TEST4, length(TEST4), 10, 0, 0,
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 84]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-        "2FC64A4F500DDB6828F6A3430B8DD72A368EB7F3A8322A70"
-        "BC84275B9C0B3AB00D27A5CC3C2D224AA6B61A0D79FB4596" },
-      /* 5 */ { "", 0, 0, 0x10, 5,
-        "8D17BE79E32B6718E07D8A603EB84BA0478F7FCFD1BB9399"
-        "5F7D1149E09143AC1FFCFC56820E469F3878D957A15A3FE4" },
-      /* 6 */ { "\xb9", 1, 1, 0, 0,
-        "BC8089A19007C0B14195F4ECC74094FEC64F01F90929282C"
-        "2FB392881578208AD466828B1C6C283D2722CF0AD1AB6938" },
-      /* 7 */ { TEST7_384, length(TEST7_384), 1, 0xA0, 3,
-        "D8C43B38E12E7C42A7C9B810299FD6A770BEF30920F17532"
-        "A898DE62C7A07E4293449C0B5FA70109F0783211CFC4BCE3" },
-      /* 8 */ { TEST8_384, length(TEST8_384), 1, 0, 0,
-        "C9A68443A005812256B8EC76B00516F0DBB74FAB26D66591"
-        "3F194B6FFB0E91EA9967566B58109CBC675CC208E4C823F7" },
-      /* 9 */ { TEST9_384, length(TEST9_384), 1, 0xE0, 3,
-        "5860E8DE91C21578BB4174D227898A98E0B45C4C760F0095"
-        "49495614DAEDC0775D92D11D9F8CE9B064EEAC8DAFC3A297" },
-      /* 10 */ { TEST10_384, length(TEST10_384), 1, 0, 0,
-        "4F440DB1E6EDD2899FA335F09515AA025EE177A79F4B4AAF"
-        "38E42B5C4DE660F5DE8FB2A5B2FBD2A3CBFFD20CFF1288C0" }
-    }, SHA384_SEED, { "CE44D7D63AE0C91482998CF662A51EC80BF6FC68661A3C"
-        "57F87566112BD635A743EA904DEB7D7A42AC808CABE697F38F", "F9C6D2"
-        "61881FEE41ACD39E67AA8D0BAD507C7363EB67E2B81F45759F9C0FD7B503"
-        "DF1A0B9E80BDE7BC333D75B804197D", "D96512D8C9F4A7A4967A366C01"
-        "C6FD97384225B58343A88264847C18E4EF8AB7AEE4765FFBC3E30BD485D3"
-        "638A01418F", "0CA76BD0813AF1509E170907A96005938BC985628290B2"
-        "5FEF73CF6FAD68DDBA0AC8920C94E0541607B0915A7B4457F7"
-    } },
-  { "SHA512", SHA512, SHA512HashSize,
-    {
-      /* 1 */ { TEST1, length(TEST1), 1, 0, 0,
-        "DDAF35A193617ABACC417349AE20413112E6FA4E89A97EA2"
-        "0A9EEEE64B55D39A2192992A274FC1A836BA3C23A3FEEBBD"
-        "454D4423643CE80E2A9AC94FA54CA49F" },
-      /* 2 */ { TEST2_2, length(TEST2_2), 1, 0, 0,
-        "8E959B75DAE313DA8CF4F72814FC143F8F7779C6EB9F7FA1"
-        "7299AEADB6889018501D289E4900F7E4331B99DEC4B5433A"
-        "C7D329EEB6DD26545E96E55B874BE909" },
-       /* 3 */ { TEST3, length(TEST3), 1000000, 0, 0,
-        "E718483D0CE769644E2E42C7BC15B4638E1F98B13B204428"
-        "5632A803AFA973EBDE0FF244877EA60A4CB0432CE577C31B"
-        "EB009C5C2C49AA2E4EADB217AD8CC09B" },
-      /* 4 */ { TEST4, length(TEST4), 10, 0, 0,
-        "89D05BA632C699C31231DED4FFC127D5A894DAD412C0E024"
-        "DB872D1ABD2BA8141A0F85072A9BE1E2AA04CF33C765CB51"
-        "0813A39CD5A84C4ACAA64D3F3FB7BAE9" },
-      /* 5 */ { "", 0, 0, 0xB0, 5,
-        "D4EE29A9E90985446B913CF1D1376C836F4BE2C1CF3CADA0"
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 85]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-        "720A6BF4857D886A7ECB3C4E4C0FA8C7F95214E41DC1B0D2"
-        "1B22A84CC03BF8CE4845F34DD5BDBAD4" },
-      /* 6 */ { "\xD0", 1, 1, 0, 0,
-        "9992202938E882E73E20F6B69E68A0A7149090423D93C81B"
-        "AB3F21678D4ACEEEE50E4E8CAFADA4C85A54EA8306826C4A"
-        "D6E74CECE9631BFA8A549B4AB3FBBA15" },
-      /* 7 */ { TEST7_512, length(TEST7_512), 1, 0x80, 3,
-        "ED8DC78E8B01B69750053DBB7A0A9EDA0FB9E9D292B1ED71"
-        "5E80A7FE290A4E16664FD913E85854400C5AF05E6DAD316B"
-        "7359B43E64F8BEC3C1F237119986BBB6" },
-      /* 8 */ { TEST8_512, length(TEST8_512), 1, 0, 0,
-        "CB0B67A4B8712CD73C9AABC0B199E9269B20844AFB75ACBD"
-        "D1C153C9828924C3DDEDAAFE669C5FDD0BC66F630F677398"
-        "8213EB1B16F517AD0DE4B2F0C95C90F8" },
-      /* 9 */ { TEST9_512, length(TEST9_512), 1, 0x80, 3,
-        "32BA76FC30EAA0208AEB50FFB5AF1864FDBF17902A4DC0A6"
-        "82C61FCEA6D92B783267B21080301837F59DE79C6B337DB2"
-        "526F8A0A510E5E53CAFED4355FE7C2F1" },
-      /* 10 */ { TEST10_512, length(TEST10_512), 1, 0, 0,
-        "C665BEFB36DA189D78822D10528CBF3B12B3EEF726039909"
-        "C1A16A270D48719377966B957A878E720584779A62825C18"
-        "DA26415E49A7176A894E7510FD1451F5" }
-    }, SHA512_SEED, { "2FBB1E7E00F746BA514FBC8C421F36792EC0E11FF5EFC3"
-        "78E1AB0C079AA5F0F66A1E3EDBAEB4F9984BE14437123038A452004A5576"
-        "8C1FD8EED49E4A21BEDCD0", "25CBE5A4F2C7B1D7EF07011705D50C62C5"
-        "000594243EAFD1241FC9F3D22B58184AE2FEE38E171CF8129E29459C9BC2"
-        "EF461AF5708887315F15419D8D17FE7949", "5B8B1F2687555CE2D7182B"
-        "92E5C3F6C36547DA1C13DBB9EA4F73EA4CBBAF89411527906D35B1B06C1B"
-        "6A8007D05EC66DF0A406066829EAB618BDE3976515AAFC", "46E36B007D"
-        "19876CDB0B29AD074FE3C08CDD174D42169D6ABE5A1414B6E79707DF5877"
-        "6A98091CF431854147BB6D3C66D43BFBC108FD715BDE6AA127C2B0E79F"
-    }
-  }
-};
-
-/* Test arrays for HMAC. */
-struct hmachash {
-    const char *keyarray[5];
-    int keylength[5];
-    const char *dataarray[5];
-    int datalength[5];
-    const char *resultarray[5];
-    int resultlength[5];
-} hmachashes[HMACTESTCOUNT] = {
-  { /* 1 */ {
-      "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"
-      "\x0b\x0b\x0b\x0b\x0b"
-    }, { 20 }, {
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 86]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-      "\x48\x69\x20\x54\x68\x65\x72\x65" /* "Hi There" */
-    }, { 8 }, {
-      /* HMAC-SHA-1 */
-      "B617318655057264E28BC0B6FB378C8EF146BE00",
-      /* HMAC-SHA-224 */
-      "896FB1128ABBDF196832107CD49DF33F47B4B1169912BA4F53684B22",
-      /* HMAC-SHA-256 */
-      "B0344C61D8DB38535CA8AFCEAF0BF12B881DC200C9833DA726E9376C2E32"
-      "CFF7",
-      /* HMAC-SHA-384 */
-      "AFD03944D84895626B0825F4AB46907F15F9DADBE4101EC682AA034C7CEB"
-      "C59CFAEA9EA9076EDE7F4AF152E8B2FA9CB6",
-      /* HMAC-SHA-512 */
-      "87AA7CDEA5EF619D4FF0B4241A1D6CB02379F4E2CE4EC2787AD0B30545E1"
-      "7CDEDAA833B7D6B8A702038B274EAEA3F4E4BE9D914EEB61F1702E696C20"
-      "3A126854"
-    }, { SHA1HashSize, SHA224HashSize, SHA256HashSize,
-      SHA384HashSize, SHA512HashSize }
-  },
-  { /* 2 */ {
-      "\x4a\x65\x66\x65" /* "Jefe" */
-    }, { 4 }, {
-      "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74"
-      "\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f"
-      /* "what do ya want for nothing?" */
-    }, { 28 }, {
-      /* HMAC-SHA-1 */
-      "EFFCDF6AE5EB2FA2D27416D5F184DF9C259A7C79",
-      /* HMAC-SHA-224 */
-      "A30E01098BC6DBBF45690F3A7E9E6D0F8BBEA2A39E6148008FD05E44",
-      /* HMAC-SHA-256 */
-      "5BDCC146BF60754E6A042426089575C75A003F089D2739839DEC58B964EC"
-      "3843",
-      /* HMAC-SHA-384 */
-      "AF45D2E376484031617F78D2B58A6B1B9C7EF464F5A01B47E42EC3736322"
-      "445E8E2240CA5E69E2C78B3239ECFAB21649",
-      /* HMAC-SHA-512 */
-      "164B7A7BFCF819E2E395FBE73B56E0A387BD64222E831FD610270CD7EA25"
-      "05549758BF75C05A994A6D034F65F8F0E6FDCAEAB1A34D4A6B4B636E070A"
-      "38BCE737"
-    }, { SHA1HashSize, SHA224HashSize, SHA256HashSize,
-      SHA384HashSize, SHA512HashSize }
-  },
-  { /* 3 */
-    {
-      "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
-      "\xaa\xaa\xaa\xaa\xaa"
-    }, { 20 }, {
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 87]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-      "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
-      "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
-      "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
-      "\xdd\xdd\xdd\xdd\xdd"
-    }, { 50 }, {
-      /* HMAC-SHA-1 */
-      "125D7342B9AC11CD91A39AF48AA17B4F63F175D3",
-      /* HMAC-SHA-224 */
-      "7FB3CB3588C6C1F6FFA9694D7D6AD2649365B0C1F65D69D1EC8333EA",
-      /* HMAC-SHA-256 */
-      "773EA91E36800E46854DB8EBD09181A72959098B3EF8C122D9635514CED5"
-      "65FE",
-      /* HMAC-SHA-384 */
-      "88062608D3E6AD8A0AA2ACE014C8A86F0AA635D947AC9FEBE83EF4E55966"
-      "144B2A5AB39DC13814B94E3AB6E101A34F27",
-      /* HMAC-SHA-512 */
-      "FA73B0089D56A284EFB0F0756C890BE9B1B5DBDD8EE81A3655F83E33B227"
-      "9D39BF3E848279A722C806B485A47E67C807B946A337BEE8942674278859"
-      "E13292FB"
-    }, { SHA1HashSize, SHA224HashSize, SHA256HashSize,
-      SHA384HashSize, SHA512HashSize }
-  },
-  { /* 4 */ {
-      "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
-      "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19"
-    }, { 25 }, {
-      "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
-      "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
-      "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
-      "\xcd\xcd\xcd\xcd\xcd"
-    }, { 50 }, {
-      /* HMAC-SHA-1 */
-      "4C9007F4026250C6BC8414F9BF50C86C2D7235DA",
-      /* HMAC-SHA-224 */
-      "6C11506874013CAC6A2ABC1BB382627CEC6A90D86EFC012DE7AFEC5A",
-      /* HMAC-SHA-256 */
-      "82558A389A443C0EA4CC819899F2083A85F0FAA3E578F8077A2E3FF46729"
-      "665B",
-      /* HMAC-SHA-384 */
-      "3E8A69B7783C25851933AB6290AF6CA77A9981480850009CC5577C6E1F57"
-      "3B4E6801DD23C4A7D679CCF8A386C674CFFB",
-      /* HMAC-SHA-512 */
-      "B0BA465637458C6990E5A8C5F61D4AF7E576D97FF94B872DE76F8050361E"
-      "E3DBA91CA5C11AA25EB4D679275CC5788063A5F19741120C4F2DE2ADEBEB"
-      "10A298DD"
-    }, { SHA1HashSize, SHA224HashSize, SHA256HashSize,
-      SHA384HashSize, SHA512HashSize }
-  },
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 88]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-  { /* 5 */ {
-      "\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c"
-      "\x0c\x0c\x0c\x0c\x0c"
-    }, { 20 }, {
-      "Test With Truncation"
-    }, { 20 }, {
-      /* HMAC-SHA-1 */
-      "4C1A03424B55E07FE7F27BE1",
-      /* HMAC-SHA-224 */
-      "0E2AEA68A90C8D37C988BCDB9FCA6FA8",
-      /* HMAC-SHA-256 */
-      "A3B6167473100EE06E0C796C2955552B",
-      /* HMAC-SHA-384 */
-      "3ABF34C3503B2A23A46EFC619BAEF897",
-      /* HMAC-SHA-512 */
-      "415FAD6271580A531D4179BC891D87A6"
-    }, { 12, 16, 16, 16, 16 }
-  },
-  { /* 6 */ {
-      "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
-      "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
-      "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
-      "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
-      "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
-      "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
-      "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
-      "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
-      "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
-    }, { 80, 131 }, {
-      "Test Using Larger Than Block-Size Key - Hash Key First"
-    }, { 54 }, {
-      /* HMAC-SHA-1 */
-      "AA4AE5E15272D00E95705637CE8A3B55ED402112",
-      /* HMAC-SHA-224 */
-      "95E9A0DB962095ADAEBE9B2D6F0DBCE2D499F112F2D2B7273FA6870E",
-      /* HMAC-SHA-256 */
-      "60E431591EE0B67F0D8A26AACBF5B77F8E0BC6213728C5140546040F0EE3"
-      "7F54",
-      /* HMAC-SHA-384 */
-      "4ECE084485813E9088D2C63A041BC5B44F9EF1012A2B588F3CD11F05033A"
-      "C4C60C2EF6AB4030FE8296248DF163F44952",
-      /* HMAC-SHA-512 */
-      "80B24263C7C1A3EBB71493C1DD7BE8B49B46D1F41B4AEEC1121B013783F8"
-      "F3526B56D037E05F2598BD0FD2215D6A1E5295E64F73F63F0AEC8B915A98"
-      "5D786598"
-    }, { SHA1HashSize, SHA224HashSize, SHA256HashSize,
-      SHA384HashSize, SHA512HashSize }
-  },
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 89]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-  { /* 7 */ {
-      "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
-      "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
-      "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
-      "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
-      "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
-      "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
-      "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
-      "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
-      "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
-    }, { 80, 131 }, {
-      "Test Using Larger Than Block-Size Key and "
-      "Larger Than One Block-Size Data",
-      "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20"
-      "\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20"
-      "\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65"
-      "\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67"
-      "\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73"
-      "\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b"
-      "\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20"
-      "\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62"
-      "\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68"
-      "\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68"
-      "\x6d\x2e"
-      /* "This is a test using a larger than block-size key and a "
-          "larger than block-size data. The key needs to be hashed "
-          "before being used by the HMAC algorithm." */
-    }, { 73, 152 }, {
-      /* HMAC-SHA-1 */
-      "E8E99D0F45237D786D6BBAA7965C7808BBFF1A91",
-      /* HMAC-SHA-224 */
-      "3A854166AC5D9F023F54D517D0B39DBD946770DB9C2B95C9F6F565D1",
-      /* HMAC-SHA-256 */
-      "9B09FFA71B942FCB27635FBCD5B0E944BFDC63644F0713938A7F51535C3A"
-      "35E2",
-      /* HMAC-SHA-384 */
-      "6617178E941F020D351E2F254E8FD32C602420FEB0B8FB9ADCCEBB82461E"
-      "99C5A678CC31E799176D3860E6110C46523E",
-      /* HMAC-SHA-512 */
-      "E37B6A775DC87DBAA4DFA9F96E5E3FFDDEBD71F8867289865DF5A32D20CD"
-      "C944B6022CAC3C4982B10D5EEB55C3E4DE15134676FB6DE0446065C97440"
-      "FA8C6A58"
-    }, { SHA1HashSize, SHA224HashSize, SHA256HashSize,
-      SHA384HashSize, SHA512HashSize }
-  }
-};
-
-/*
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 90]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
- * Check the hash value against the expected string, expressed in hex
- */
-static const char hexdigits[] = "0123456789ABCDEF";
-int checkmatch(const unsigned char *hashvalue,
-  const char *hexstr, int hashsize)
-{
-  int i;
-  for (i = 0; i < hashsize; ++i) {
-    if (*hexstr++ != hexdigits[(hashvalue[i] >> 4) & 0xF])
-      return 0;
-    if (*hexstr++ != hexdigits[hashvalue[i] & 0xF]) return 0;
-  }
-  return 1;
-}
-
-/*
- * Print the string, converting non-printable characters to "."
- */
-void printstr(const char *str, int len)
-{
-  for ( ; len-- > 0; str++)
-    putchar(isprint((unsigned char)*str) ? *str : '.');
-}
-
-/*
- * Print the string, converting non-printable characters to hex "## ".
- */
-void printxstr(const char *str, int len)
-{
-  for ( ; len-- > 0; str++)
-    printf("%c%c ", hexdigits[(*str >> 4) & 0xF],
-      hexdigits[*str & 0xF]);
-}
-
-/*
- * Print a usage message.
- */
-void usage(const char *argv0)
-{
-  fprintf(stderr,
-    "Usage:\n"
-    "Common options: [-h hash] [-w|-x] [-H]\n"
-    "Standard tests:\n"
-      "\t%s [-m] [-l loopcount] [-t test#] [-e]\n"
-      "\t\t[-r randomseed] [-R randomloop-count] "
-        "[-p] [-P|-X]\n"
-    "Hash a string:\n"
-      "\t%s [-S expectedresult] -s hashstr [-k key]\n"
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 91]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-    "Hash a file:\n"
-      "\t%s [-S expectedresult] -f file [-k key]\n"
-    "Hash a file, ignoring whitespace:\n"
-      "\t%s [-S expectedresult] -F file [-k key]\n"
-    "Additional bits to add in: [-B bitcount -b bits]\n"
-    "-h\thash to test: "
-      "0|SHA1, 1|SHA224, 2|SHA256, 3|SHA384, 4|SHA512\n"
-    "-m\tperform hmac test\n"
-    "-k\tkey for hmac test\n"
-    "-t\ttest case to run, 1-10\n"
-    "-l\thow many times to run the test\n"
-    "-e\ttest error returns\n"
-    "-p\tdo not print results\n"
-    "-P\tdo not print PASSED/FAILED\n"
-    "-X\tprint FAILED, but not PASSED\n"
-    "-r\tseed for random test\n"
-    "-R\thow many times to run random test\n"
-    "-s\tstring to hash\n"
-    "-S\texpected result of hashed string, in hex\n"
-    "-w\toutput hash in raw format\n"
-    "-x\toutput hash in hex format\n"
-    "-B\t# extra bits to add in after string or file input\n"
-    "-b\textra bits to add (high order bits of #, 0# or 0x#)\n"
-    "-H\tinput hashstr or randomseed is in hex\n"
-    , argv0, argv0, argv0, argv0);
-  exit(1);
-}
-
-/*
- * Print the results and PASS/FAIL.
- */
-void printResult(uint8_t *Message_Digest, int hashsize,
-    const char *hashname, const char *testtype, const char *testname,
-    const char *resultarray, int printResults, int printPassFail)
-{
-  int i, k;
-  if (printResults == PRINTTEXT) {
-    putchar('\t');
-    for (i = 0; i < hashsize ; ++i) {
-      putchar(hexdigits[(Message_Digest[i] >> 4) & 0xF]);
-      putchar(hexdigits[Message_Digest[i] & 0xF]);
-      putchar(' ');
-    }
-    putchar('\n');
-  } else if (printResults == PRINTRAW) {
-    fwrite(Message_Digest, 1, hashsize, stdout);
-  } else if (printResults == PRINTHEX) {
-    for (i = 0; i < hashsize ; ++i) {
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 92]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-      putchar(hexdigits[(Message_Digest[i] >> 4) & 0xF]);
-      putchar(hexdigits[Message_Digest[i] & 0xF]);
-    }
-    putchar('\n');
-  }
-
-  if (printResults && resultarray) {
-    printf("    Should match:\n\t");
-    for (i = 0, k = 0; i < hashsize; i++, k += 2) {
-      putchar(resultarray[k]);
-      putchar(resultarray[k+1]);
-      putchar(' ');
-    }
-    putchar('\n');
-  }
-
-  if (printPassFail && resultarray) {
-    int ret = checkmatch(Message_Digest, resultarray, hashsize);
-    if ((printPassFail == PRINTPASSFAIL) || !ret)
-      printf("%s %s %s: %s\n", hashname, testtype, testname,
-        ret ? "PASSED" : "FAILED");
-  }
-}
-
-/*
- * Exercise a hash series of functions. The input is the testarray,
- * repeated repeatcount times, followed by the extrabits. If the
- * result is known, it is in resultarray in uppercase hex.
- */
-int hash(int testno, int loopno, int hashno,
-  const char *testarray, int length, long repeatcount,
-  int numberExtrabits, int extrabits, const unsigned char *keyarray,
-  int keylen, const char *resultarray, int hashsize, int printResults,
-  int printPassFail)
-{
-  USHAContext sha;
-  HMACContext hmac;
-  int err, i;
-  uint8_t Message_Digest[USHAMaxHashSize];
-  char buf[20];
-
-  if (printResults == PRINTTEXT) {
-    printf("\nTest %d: Iteration %d, Repeat %ld\n\t'", testno+1,
-      loopno, repeatcount);
-    printstr(testarray, length);
-    printf("'\n\t'");
-    printxstr(testarray, length);
-    printf("'\n");
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 93]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-    printf("    Length=%d bytes (%d bits), ", length, length * 8);
-    printf("ExtraBits %d: %2.2x\n", numberExtrabits, extrabits);
-  }
-
-  memset(&sha, '\343', sizeof(sha)); /* force bad data into struct */
-  memset(&hmac, '\343', sizeof(hmac));
-  err = keyarray ? hmacReset(&hmac, hashes[hashno].whichSha,
-                             keyarray, keylen) :
-                   USHAReset(&sha, hashes[hashno].whichSha);
-  if (err != shaSuccess) {
-    fprintf(stderr, "hash(): %sReset Error %d.\n",
-            keyarray ? "hmac" : "sha", err);
-    return err;
-  }
-
-  for (i = 0; i < repeatcount; ++i) {
-    err = keyarray ? hmacInput(&hmac, (const uint8_t *) testarray,
-                               length) :
-                     USHAInput(&sha, (const uint8_t *) testarray,
-                               length);
-    if (err != shaSuccess) {
-      fprintf(stderr, "hash(): %sInput Error %d.\n",
-              keyarray ? "hmac" : "sha", err);
-      return err;
-    }
-  }
-
-  if (numberExtrabits > 0) {
-    err = keyarray ? hmacFinalBits(&hmac, (uint8_t) extrabits,
-                                   numberExtrabits) :
-                     USHAFinalBits(&sha, (uint8_t) extrabits,
-                                   numberExtrabits);
-    if (err != shaSuccess) {
-      fprintf(stderr, "hash(): %sFinalBits Error %d.\n",
-              keyarray ? "hmac" : "sha", err);
-      return err;
-    }
-  }
-
-  err = keyarray ? hmacResult(&hmac, Message_Digest) :
-                   USHAResult(&sha, Message_Digest);
-  if (err != shaSuccess) {
-    fprintf(stderr, "hash(): %s Result Error %d, could not "
-      "compute message digest.\n", keyarray ? "hmac" : "sha", err);
-    return err;
-  }
-
-  sprintf(buf, "%d", testno+1);
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 94]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-  printResult(Message_Digest, hashsize, hashes[hashno].name,
-    keyarray ? "hmac standard test" : "sha standard test", buf,
-    resultarray, printResults, printPassFail);
-
-  return err;
-}
-
-/*
- * Exercise a hash series of functions. The input is a filename.
- * If the result is known, it is in resultarray in uppercase hex.
- */
-int hashfile(int hashno, const char *hashfilename, int bits,
-  int bitcount, int skipSpaces, const unsigned char *keyarray,
-  int keylen, const char *resultarray, int hashsize,
-  int printResults, int printPassFail)
-{
-  USHAContext sha;
-  HMACContext hmac;
-  int err, nread, c;
-  unsigned char buf[4096];
-  uint8_t Message_Digest[USHAMaxHashSize];
-  unsigned char cc;
-  FILE *hashfp = (strcmp(hashfilename, "-") == 0) ? stdin :
-    fopen(hashfilename, "r");
-
-  if (!hashfp) {
-    fprintf(stderr, "cannot open file '%s'\n", hashfilename);
-    return shaStateError;
-  }
-
-  memset(&sha, '\343', sizeof(sha)); /* force bad data into struct */
-  memset(&hmac, '\343', sizeof(hmac));
-  err = keyarray ? hmacReset(&hmac, hashes[hashno].whichSha,
-                             keyarray, keylen) :
-                   USHAReset(&sha, hashes[hashno].whichSha);
-
-  if (err != shaSuccess) {
-    fprintf(stderr, "hashfile(): %sReset Error %d.\n",
-            keyarray ? "hmac" : "sha", err);
-    return err;
-  }
-
-  if (skipSpaces)
-    while ((c = getc(hashfp)) != EOF) {
-      if (!isspace(c)) {
-        cc = (unsigned char)c;
-        err = keyarray ? hmacInput(&hmac, &cc, 1) :
-                         USHAInput(&sha, &cc, 1);
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 95]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-        if (err != shaSuccess) {
-          fprintf(stderr, "hashfile(): %sInput Error %d.\n",
-                  keyarray ? "hmac" : "sha", err);
-          if (hashfp != stdin) fclose(hashfp);
-          return err;
-        }
-      }
-    }
-  else
-    while ((nread = fread(buf, 1, sizeof(buf), hashfp)) > 0) {
-      err = keyarray ? hmacInput(&hmac, buf, nread) :
-                       USHAInput(&sha, buf, nread);
-      if (err != shaSuccess) {
-        fprintf(stderr, "hashfile(): %s Error %d.\n",
-                keyarray ? "hmacInput" : "shaInput", err);
-        if (hashfp != stdin) fclose(hashfp);
-        return err;
-      }
-    }
-
-  if (bitcount > 0)
-    err = keyarray ? hmacFinalBits(&hmac, bits, bitcount) :
-                   USHAFinalBits(&sha, bits, bitcount);
-  if (err != shaSuccess) {
-    fprintf(stderr, "hashfile(): %s Error %d.\n",
-            keyarray ? "hmacResult" : "shaResult", err);
-    if (hashfp != stdin) fclose(hashfp);
-    return err;
-  }
-
-  err = keyarray ? hmacResult(&hmac, Message_Digest) :
-                   USHAResult(&sha, Message_Digest);
-  if (err != shaSuccess) {
-    fprintf(stderr, "hashfile(): %s Error %d.\n",
-            keyarray ? "hmacResult" : "shaResult", err);
-    if (hashfp != stdin) fclose(hashfp);
-    return err;
-  }
-
-  printResult(Message_Digest, hashsize, hashes[hashno].name, "file",
-    hashfilename, resultarray, printResults, printPassFail);
-
-  if (hashfp != stdin) fclose(hashfp);
-  return err;
-}
-
-/*
- * Exercise a hash series of functions through multiple permutations.
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 96]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
- * The input is an initial seed. That seed is replicated 3 times.
- * For 1000 rounds, the previous three results are used as the input.
- * This result is then checked, and used to seed the next cycle.
- * If the result is known, it is in resultarrays in uppercase hex.
- */
-void randomtest(int hashno, const char *seed, int hashsize,
-    const char **resultarrays, int randomcount,
-    int printResults, int printPassFail)
-{
-  int i, j; char buf[20];
-  unsigned char SEED[USHAMaxHashSize], MD[1003][USHAMaxHashSize];
-
-  /* INPUT: Seed - A random seed n bits long */
-  memcpy(SEED, seed, hashsize);
-  if (printResults == PRINTTEXT) {
-    printf("%s random test seed= '", hashes[hashno].name);
-    printxstr(seed, hashsize);
-    printf("'\n");
-  }
-
-  for (j = 0; j < randomcount; j++) {
-    /* MD0 = MD1 = MD2 = Seed; */
-    memcpy(MD[0], SEED, hashsize);
-    memcpy(MD[1], SEED, hashsize);
-    memcpy(MD[2], SEED, hashsize);
-    for (i=3; i<1003; i++) {
-      /* Mi = MDi-3 || MDi-2 || MDi-1; */
-      USHAContext Mi;
-      memset(&Mi, '\343', sizeof(Mi)); /* force bad data into struct */
-      USHAReset(&Mi, hashes[hashno].whichSha);
-      USHAInput(&Mi, MD[i-3], hashsize);
-      USHAInput(&Mi, MD[i-2], hashsize);
-      USHAInput(&Mi, MD[i-1], hashsize);
-      /* MDi = SHA(Mi); */
-      USHAResult(&Mi, MD[i]);
-    }
-
-    /* MDj = Seed = MDi; */
-    memcpy(SEED, MD[i-1], hashsize);
-
-    /* OUTPUT: MDj */
-    sprintf(buf, "%d", j);
-    printResult(SEED, hashsize, hashes[hashno].name, "random test",
-      buf, resultarrays ? resultarrays[j] : 0, printResults,
-      (j < RANDOMCOUNT) ? printPassFail : 0);
-  }
-}
-
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 97]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-/*
- * Look up a hash name.
- */
-int findhash(const char *argv0, const char *opt)
-{
-  int i;
-  const char *names[HASHCOUNT][2] = {
-    { "0", "sha1" }, { "1", "sha224" }, { "2", "sha256" },
-    { "3", "sha384" }, { "4", "sha512" }
-  };
-
-  for (i = 0; i < HASHCOUNT; i++)
-    if ((strcmp(opt, names[i][0]) == 0) ||
-        (scasecmp(opt, names[i][1]) == 0))
-      return i;
-
-  fprintf(stderr, "%s: Unknown hash name: '%s'\n", argv0, opt);
-  usage(argv0);
-  return 0;
-}
-
-/*
- * Run some tests that should invoke errors.
- */
-void testErrors(int hashnolow, int hashnohigh, int printResults,
-    int printPassFail)
-{
-  USHAContext usha;
-  uint8_t Message_Digest[USHAMaxHashSize];
-  int hashno, err;
-
-  for (hashno = hashnolow; hashno <= hashnohigh; hashno++) {
-    memset(&usha, '\343', sizeof(usha)); /* force bad data */
-    USHAReset(&usha, hashno);
-    USHAResult(&usha, Message_Digest);
-    err = USHAInput(&usha, (const unsigned char *)"foo", 3);
-    if (printResults == PRINTTEXT)
-      printf ("\nError %d. Should be %d.\n", err, shaStateError);
-    if ((printPassFail == PRINTPASSFAIL) ||
-        ((printPassFail == PRINTFAIL) && (err != shaStateError)))
-      printf("%s se: %s\n", hashes[hashno].name,
-        (err == shaStateError) ? "PASSED" : "FAILED");
-
-    err = USHAFinalBits(&usha, 0x80, 3);
-    if (printResults == PRINTTEXT)
-      printf ("\nError %d. Should be %d.\n", err, shaStateError);
-    if ((printPassFail == PRINTPASSFAIL) ||
-        ((printPassFail == PRINTFAIL) && (err != shaStateError)))
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 98]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-      printf("%s se: %s\n", hashes[hashno].name,
-        (err == shaStateError) ? "PASSED" : "FAILED");
-
-    err = USHAReset(0, hashes[hashno].whichSha);
-    if (printResults == PRINTTEXT)
-       printf("\nError %d. Should be %d.\n", err, shaNull);
-    if ((printPassFail == PRINTPASSFAIL) ||
-        ((printPassFail == PRINTFAIL) && (err != shaNull)))
-       printf("%s usha null: %s\n", hashes[hashno].name,
-        (err == shaNull) ? "PASSED" : "FAILED");
-
-    switch (hashno) {
-      case SHA1: err = SHA1Reset(0); break;
-      case SHA224: err = SHA224Reset(0); break;
-      case SHA256: err = SHA256Reset(0); break;
-      case SHA384: err = SHA384Reset(0); break;
-      case SHA512: err = SHA512Reset(0); break;
-    }
-    if (printResults == PRINTTEXT)
-       printf("\nError %d. Should be %d.\n", err, shaNull);
-    if ((printPassFail == PRINTPASSFAIL) ||
-        ((printPassFail == PRINTFAIL) && (err != shaNull)))
-       printf("%s sha null: %s\n", hashes[hashno].name,
-        (err == shaNull) ? "PASSED" : "FAILED");
-  }
-}
-
-/* replace a hex string in place with its value */
-int unhexStr(char *hexstr)
-{
-  char *o = hexstr;
-  int len = 0, nibble1 = 0, nibble2 = 0;
-  if (!hexstr) return 0;
-  for ( ; *hexstr; hexstr++) {
-    if (isalpha((int)(unsigned char)(*hexstr))) {
-      nibble1 = tolower(*hexstr) - 'a' + 10;
-    } else if (isdigit((int)(unsigned char)(*hexstr))) {
-      nibble1 = *hexstr - '0';
-    } else {
-      printf("\nError: bad hex character '%c'\n", *hexstr);
-    }
-    if (!*++hexstr) break;
-    if (isalpha((int)(unsigned char)(*hexstr))) {
-      nibble2 = tolower(*hexstr) - 'a' + 10;
-    } else if (isdigit((int)(unsigned char)(*hexstr))) {
-      nibble2 = *hexstr - '0';
-    } else {
-      printf("\nError: bad hex character '%c'\n", *hexstr);
-
-
-
-Eastlake 3rd & Hansen        Informational                     [Page 99]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-    }
-    *o++ = (char)((nibble1 << 4) | nibble2);
-    len++;
-  }
-  return len;
-}
-
-int main(int argc, char **argv)
-{
-  int i, err;
-  int loopno, loopnohigh = 1;
-  int hashno, hashnolow = 0, hashnohigh = HASHCOUNT - 1;
-  int testno, testnolow = 0, testnohigh;
-  int ntestnohigh = 0;
-  int printResults = PRINTTEXT;
-  int printPassFail = 1;
-  int checkErrors = 0;
-  char *hashstr = 0;
-  int hashlen = 0;
-  const char *resultstr = 0;
-  char *randomseedstr = 0;
-  int runHmacTests = 0;
-  char *hmacKey = 0;
-  int hmaclen = 0;
-  int randomcount = RANDOMCOUNT;
-  const char *hashfilename = 0;
-  const char *hashFilename = 0;
-  int extrabits = 0, numberExtrabits = 0;
-  int strIsHex = 0;
-
-  while ((i = xgetopt(argc, argv, "b:B:ef:F:h:Hk:l:mpPr:R:s:S:t:wxX"))
-         != -1)
-    switch (i) {
-      case 'b': extrabits = strtol(xoptarg, 0, 0); break;
-      case 'B': numberExtrabits = atoi(xoptarg); break;
-      case 'e': checkErrors = 1; break;
-      case 'f': hashfilename = xoptarg; break;
-      case 'F': hashFilename = xoptarg; break;
-      case 'h': hashnolow = hashnohigh = findhash(argv[0], xoptarg);
-        break;
-      case 'H': strIsHex = 1; break;
-      case 'k': hmacKey = xoptarg; hmaclen = strlen(xoptarg); break;
-      case 'l': loopnohigh = atoi(xoptarg); break;
-      case 'm': runHmacTests = 1; break;
-      case 'P': printPassFail = 0; break;
-      case 'p': printResults = PRINTNONE; break;
-      case 'R': randomcount = atoi(xoptarg); break;
-      case 'r': randomseedstr = xoptarg; break;
-
-
-
-Eastlake 3rd & Hansen        Informational                    [Page 100]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-      case 's': hashstr = xoptarg; hashlen = strlen(hashstr); break;
-      case 'S': resultstr = xoptarg; break;
-      case 't': testnolow = ntestnohigh = atoi(xoptarg) - 1; break;
-      case 'w': printResults = PRINTRAW; break;
-      case 'x': printResults = PRINTHEX; break;
-      case 'X': printPassFail = 2; break;
-      default: usage(argv[0]);
-      }
-
-  if (strIsHex) {
-    hashlen = unhexStr(hashstr);
-    unhexStr(randomseedstr);
-    hmaclen = unhexStr(hmacKey);
-  }
-  testnohigh = (ntestnohigh != 0) ? ntestnohigh:
-               runHmacTests ? (HMACTESTCOUNT-1) : (TESTCOUNT-1);
-  if ((testnolow < 0) ||
-      (testnohigh >= (runHmacTests ? HMACTESTCOUNT : TESTCOUNT)) ||
-      (hashnolow < 0) || (hashnohigh >= HASHCOUNT) ||
-      (hashstr && (testnolow == testnohigh)) ||
-      (randomcount < 0) ||
-      (resultstr && (!hashstr && !hashfilename && !hashFilename)) ||
-      ((runHmacTests || hmacKey) && randomseedstr) ||
-      (hashfilename && hashFilename))
-    usage(argv[0]);
-
-  /*
-   *  Perform SHA/HMAC tests
-   */
-  for (hashno = hashnolow; hashno <= hashnohigh; ++hashno) {
-    if (printResults == PRINTTEXT)
-      printf("Hash %s\n", hashes[hashno].name);
-    err = shaSuccess;
-
-    for (loopno = 1; (loopno <= loopnohigh) && (err == shaSuccess);
-         ++loopno) {
-      if (hashstr)
-        err = hash(0, loopno, hashno, hashstr, hashlen, 1,
-          numberExtrabits, extrabits, (const unsigned char *)hmacKey,
-          hmaclen, resultstr, hashes[hashno].hashsize, printResults,
-          printPassFail);
-
-      else if (randomseedstr)
-        randomtest(hashno, randomseedstr, hashes[hashno].hashsize, 0,
-          randomcount, printResults, printPassFail);
-
-      else if (hashfilename)
-        err = hashfile(hashno, hashfilename, extrabits,
-
-
-
-Eastlake 3rd & Hansen        Informational                    [Page 101]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-                       numberExtrabits, 0,
-                       (const unsigned char *)hmacKey, hmaclen,
-                       resultstr, hashes[hashno].hashsize,
-                       printResults, printPassFail);
-
-      else if (hashFilename)
-        err = hashfile(hashno, hashFilename, extrabits,
-                       numberExtrabits, 1,
-                       (const unsigned char *)hmacKey, hmaclen,
-                       resultstr, hashes[hashno].hashsize,
-                       printResults, printPassFail);
-
-      else /* standard tests */ {
-        for (testno = testnolow;
-             (testno <= testnohigh) && (err == shaSuccess); ++testno) {
-          if (runHmacTests) {
-            err = hash(testno, loopno, hashno,
-                       hmachashes[testno].dataarray[hashno] ?
-                       hmachashes[testno].dataarray[hashno] :
-                       hmachashes[testno].dataarray[1] ?
-                       hmachashes[testno].dataarray[1] :
-                       hmachashes[testno].dataarray[0],
-                       hmachashes[testno].datalength[hashno] ?
-                       hmachashes[testno].datalength[hashno] :
-                       hmachashes[testno].datalength[1] ?
-                       hmachashes[testno].datalength[1] :
-                       hmachashes[testno].datalength[0],
-                       1, 0, 0,
-                       (const unsigned char *)(
-                        hmachashes[testno].keyarray[hashno] ?
-                        hmachashes[testno].keyarray[hashno] :
-                        hmachashes[testno].keyarray[1] ?
-                        hmachashes[testno].keyarray[1] :
-                        hmachashes[testno].keyarray[0]),
-                       hmachashes[testno].keylength[hashno] ?
-                       hmachashes[testno].keylength[hashno] :
-                       hmachashes[testno].keylength[1] ?
-                       hmachashes[testno].keylength[1] :
-                       hmachashes[testno].keylength[0],
-                       hmachashes[testno].resultarray[hashno],
-                       hmachashes[testno].resultlength[hashno],
-                       printResults, printPassFail);
-          } else {
-            err = hash(testno, loopno, hashno,
-                       hashes[hashno].tests[testno].testarray,
-                       hashes[hashno].tests[testno].length,
-                       hashes[hashno].tests[testno].repeatcount,
-                       hashes[hashno].tests[testno].numberExtrabits,
-
-
-
-Eastlake 3rd & Hansen        Informational                    [Page 102]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-                       hashes[hashno].tests[testno].extrabits, 0, 0,
-                       hashes[hashno].tests[testno].resultarray,
-                       hashes[hashno].hashsize,
-                       printResults, printPassFail);
-          }
-        }
-
-        if (!runHmacTests) {
-          randomtest(hashno, hashes[hashno].randomtest,
-            hashes[hashno].hashsize, hashes[hashno].randomresults,
-            RANDOMCOUNT, printResults, printPassFail);
-        }
-      }
-    }
-  }
-
-  /* Test some error returns */
-  if (checkErrors) {
-    testErrors(hashnolow, hashnohigh, printResults, printPassFail);
-  }
-
-  return 0;
-}
-
-/*
- * Compare two strings, case independently.
- * Equivalent to strcasecmp() found on some systems.
- */
-int scasecmp(const char *s1, const char *s2)
-{
-  for (;;) {
-    char u1 = tolower(*s1++);
-    char u2 = tolower(*s2++);
-    if (u1 != u2)
-      return u1 - u2;
-    if (u1 == '\0')
-      return 0;
-   }
-}
-
-/*
- * This is a copy of getopt provided for those systems that do not
- * have it. The name was changed to xgetopt to not conflict on those
- * systems that do have it. Similarly, optarg, optind and opterr
- * were renamed to xoptarg, xoptind and xopterr.
- *
- * Copyright 1990, 1991, 1992 by the Massachusetts Institute of
- * Technology and UniSoft Group Limited.
-
-
-
-Eastlake 3rd & Hansen        Informational                    [Page 103]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
- *
- * Permission to use, copy, modify, distribute, and sell this software
- * and its documentation for any purpose is hereby granted without fee,
- * provided that the above copyright notice appear in all copies and
- * that both that copyright notice and this permission notice appear in
- * supporting documentation, and that the names of MIT and UniSoft not
- * be used in advertising or publicity pertaining to distribution of
- * the software without specific, written prior permission.  MIT and
- * UniSoft make no representations about the suitability of this
- * software for any purpose.  It is provided "as is" without express
- * or implied warranty.
- *
- * $XConsortium: getopt.c,v 1.2 92/07/01 11:59:04 rws Exp $
- * NB: Reformatted to match above style.
- */
-
-char    *xoptarg;
-int     xoptind = 1;
-int     xopterr = 1;
-
-static int xgetopt(int argc, char **argv, const char *optstring)
-{
-  static int avplace;
-  char    *ap;
-  char    *cp;
-  int     c;
-
-  if (xoptind >= argc)
-    return EOF;
-
-  ap = argv[xoptind] + avplace;
-
-  /* At beginning of arg but not an option */
-  if (avplace == 0) {
-    if (ap[0] != '-')
-      return EOF;
-    else if (ap[1] == '-') {
-      /* Special end of options option */
-      xoptind++;
-      return EOF;
-    } else if (ap[1] == '\0')
-      return EOF;  /* single '-' is not allowed */
-  }
-
-  /* Get next letter */
-  avplace++;
-  c = *++ap;
-
-
-
-
-Eastlake 3rd & Hansen        Informational                    [Page 104]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-  cp = strchr(optstring, c);
-  if (cp == NULL || c == ':') {
-    if (xopterr)
-      fprintf(stderr, "Unrecognised option -- %c\n", c);
-    return '?';
-  }
-
-  if (cp[1] == ':') {
-    /* There should be an option arg */
-    avplace = 0;
-    if (ap[1] == '\0') {
-      /* It is a separate arg */
-      if (++xoptind >= argc) {
-        if (xopterr)
-          fprintf(stderr, "Option requires an argument\n");
-        return '?';
-      }
-      xoptarg = argv[xoptind++];
-    } else {
-      /* is attached to option letter */
-      xoptarg = ap + 1;
-      ++xoptind;
-    }
-  } else {
-    /* If we are out of letters then go to next arg */
-    if (ap[1] == '\0') {
-      ++xoptind;
-      avplace = 0;
-    }
-
-    xoptarg = NULL;
-  }
-  return c;
-}
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Eastlake 3rd & Hansen        Informational                    [Page 105]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-9.  Security Considerations
-
-   This document is intended to provides the Internet community
-   convenient access to source code that implements the United States of
-   America Federal Information Processing Standard Secure Hash
-   Algorithms (SHAs) [FIPS180-2] and HMACs based upon these one-way hash
-   functions.  See license in Section 1.1.  No independent assertion of
-   the security of this hash function by the authors for any particular
-   use is intended.
-
-10.  Normative References
-
-   [FIPS180-2] "Secure Hash Standard", United States of America,
-               National Institute of Standards and Technology, Federal
-               Information Processing Standard (FIPS) 180-2,
-               http://csrc.nist.gov/publications/fips/fips180-2/
-               fips180-2withchangenotice.pdf.
-
-   [RFC2104]   Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
-               Hashing for Message Authentication", RFC 2104, February
-               1997.
-
-11.  Informative References
-
-   [RFC2202]   Cheng, P. and R. Glenn, "Test Cases for HMAC-MD5 and
-               HMAC-SHA-1", RFC 2202, September 1997.
-
-   [RFC3174]   Eastlake 3rd, D. and P. Jones, "US Secure Hash Algorithm
-               1 (SHA1)", RFC 3174, September 2001.
-
-   [RFC3874]   Housley, R., "A 224-bit One-way Hash Function: SHA-224",
-               RFC 3874, September 2004.
-
-   [RFC4086]   Eastlake, D., 3rd, Schiller, J., and S. Crocker,
-               "Randomness Requirements for Security", BCP 106, RFC
-               4086, June 2005.
-
-   [RFC4231]   Nystrom, M., "Identifiers and Test Vectors for HMAC-SHA-
-               224, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512", RFC
-               4231, December 2005.
-
-   [SHAVS]     "The Secure Hash Algorithm Validation System (SHAVS)",
-               http://csrc.nist.gov/cryptval/shs/SHAVS.pdf.
-
-
-
-
-
-
-
-
-Eastlake 3rd & Hansen        Informational                    [Page 106]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-Authors' Addresses
-
-   Donald E. Eastlake, 3rd
-   Motorola Laboratories
-   155 Beaver Street
-   Milford, MA 01757 USA
-
-   Phone: +1-508-786-7554 (w)
-   EMail: donald.eastlake@motorola.com
-
-
-   Tony Hansen
-   AT&T Laboratories
-   200 Laurel Ave.
-   Middletown, NJ 07748 USA
-
-   Phone: +1-732-420-8934 (w)
-   EMail: tony+shs@maillennium.att.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Eastlake 3rd & Hansen        Informational                    [Page 107]
-
-RFC 4634                   SHAs and HMAC-SHAs                  July 2006
-
-
-Full Copyright Statement
-
-   Copyright (C) The Internet Society (2006).
-
-   This document is subject to the rights, licenses and restrictions
-   contained in BCP 78, and except as set forth therein, the authors
-   retain all their rights.
-
-   This document and the information contained herein are provided on an
-   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
-   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
-   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
-   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
-   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Intellectual Property
-
-   The IETF takes no position regarding the validity or scope of any
-   Intellectual Property Rights or other rights that might be claimed to
-   pertain to the implementation or use of the technology described in
-   this document or the extent to which any license under such rights
-   might or might not be available; nor does it represent that it has
-   made any independent effort to identify any such rights.  Information
-   on the procedures with respect to rights in RFC documents can be
-   found in BCP 78 and BCP 79.
-
-   Copies of IPR disclosures made to the IETF Secretariat and any
-   assurances of licenses to be made available, or the result of an
-   attempt made to obtain a general license or permission for the use of
-   such proprietary rights by implementers or users of this
-   specification can be obtained from the IETF on-line IPR repository at
-   http://www.ietf.org/ipr.
-
-   The IETF invites any interested party to bring to its attention any
-   copyrights, patents or patent applications, or other proprietary
-   rights that may cover technology that may be required to implement
-   this standard.  Please address the information to the IETF at
-   ietf-ipr@ietf.org.
-
-Acknowledgement
-
-   Funding for the RFC Editor function is provided by the IETF
-   Administrative Support Activity (IASA).
-
-
-
-
-
-
-
-Eastlake 3rd & Hansen        Informational                    [Page 108]
-
diff --git a/doc/rfc/rfc4641.txt b/doc/rfc/rfc4641.txt
deleted file mode 100644
index 0a013bcb..00000000
--- a/doc/rfc/rfc4641.txt
+++ /dev/null
@@ -1,1963 +0,0 @@
-
-
-
-
-
-
-Network Working Group                                         O. Kolkman
-Request for Comments: 4641                                     R. Gieben
-Obsoletes: 2541                                               NLnet Labs
-Category: Informational                                   September 2006
-
-
-                      DNSSEC Operational Practices
-
-Status of This Memo
-
-   This memo provides information for the Internet community.  It does
-   not specify an Internet standard of any kind.  Distribution of this
-   memo is unlimited.
-
-Copyright Notice
-
-   Copyright (C) The Internet Society (2006).
-
-Abstract
-
-   This document describes a set of practices for operating the DNS with
-   security extensions (DNSSEC).  The target audience is zone
-   administrators deploying DNSSEC.
-
-   The document discusses operational aspects of using keys and
-   signatures in the DNS.  It discusses issues of key generation, key
-   storage, signature generation, key rollover, and related policies.
-
-   This document obsoletes RFC 2541, as it covers more operational
-   ground and gives more up-to-date requirements with respect to key
-   sizes and the new DNSSEC specification.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben             Informational                      [Page 1]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-Table of Contents
-
-   1. Introduction ....................................................3
-      1.1. The Use of the Term 'key' ..................................4
-      1.2. Time Definitions ...........................................4
-   2. Keeping the Chain of Trust Intact ...............................5
-   3. Keys Generation and Storage .....................................6
-      3.1. Zone and Key Signing Keys ..................................6
-           3.1.1. Motivations for the KSK and ZSK Separation ..........6
-           3.1.2. KSKs for High-Level Zones ...........................7
-      3.2. Key Generation .............................................8
-      3.3. Key Effectivity Period .....................................8
-      3.4. Key Algorithm ..............................................9
-      3.5. Key Sizes ..................................................9
-      3.6. Private Key Storage .......................................11
-   4. Signature Generation, Key Rollover, and Related Policies .......12
-      4.1. Time in DNSSEC ............................................12
-           4.1.1. Time Considerations ................................12
-      4.2. Key Rollovers .............................................14
-           4.2.1. Zone Signing Key Rollovers .........................14
-                  4.2.1.1. Pre-Publish Key Rollover ..................15
-                  4.2.1.2. Double Signature Zone Signing Key
-                           Rollover ..................................17
-                  4.2.1.3. Pros and Cons of the Schemes ..............18
-           4.2.2. Key Signing Key Rollovers ..........................18
-           4.2.3. Difference Between ZSK and KSK Rollovers ...........20
-           4.2.4. Automated Key Rollovers ............................21
-      4.3. Planning for Emergency Key Rollover .......................21
-           4.3.1. KSK Compromise .....................................22
-                  4.3.1.1. Keeping the Chain of Trust Intact .........22
-                  4.3.1.2. Breaking the Chain of Trust ...............23
-           4.3.2. ZSK Compromise .....................................23
-           4.3.3. Compromises of Keys Anchored in Resolvers ..........24
-      4.4. Parental Policies .........................................24
-           4.4.1. Initial Key Exchanges and Parental Policies
-                  Considerations .....................................24
-           4.4.2. Storing Keys or Hashes? ............................25
-           4.4.3. Security Lameness ..................................25
-           4.4.4. DS Signature Validity Period .......................26
-   5. Security Considerations ........................................26
-   6. Acknowledgments ................................................26
-   7. References .....................................................27
-      7.1. Normative References ......................................27
-      7.2. Informative References ....................................28
-   Appendix A. Terminology ...........................................30
-   Appendix B. Zone Signing Key Rollover How-To ......................31
-   Appendix C. Typographic Conventions ...............................32
-
-
-
-
-Kolkman & Gieben             Informational                      [Page 2]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-1.  Introduction
-
-   This document describes how to run a DNS Security (DNSSEC)-enabled
-   environment.  It is intended for operators who have knowledge of the
-   DNS (see RFC 1034 [1] and RFC 1035 [2]) and want to deploy DNSSEC.
-   See RFC 4033 [4] for an introduction to DNSSEC, RFC 4034 [5] for the
-   newly introduced Resource Records (RRs), and RFC 4035 [6] for the
-   protocol changes.
-
-   During workshops and early operational deployment tests, operators
-   and system administrators have gained experience about operating the
-   DNS with security extensions (DNSSEC).  This document translates
-   these experiences into a set of practices for zone administrators.
-   At the time of writing, there exists very little experience with
-   DNSSEC in production environments; this document should therefore
-   explicitly not be seen as representing 'Best Current Practices'.
-
-   The procedures herein are focused on the maintenance of signed zones
-   (i.e., signing and publishing zones on authoritative servers).  It is
-   intended that maintenance of zones such as re-signing or key
-   rollovers be transparent to any verifying clients on the Internet.
-
-   The structure of this document is as follows.  In Section 2, we
-   discuss the importance of keeping the "chain of trust" intact.
-   Aspects of key generation and storage of private keys are discussed
-   in Section 3; the focus in this section is mainly on the private part
-   of the key(s).  Section 4 describes considerations concerning the
-   public part of the keys.  Since these public keys appear in the DNS
-   one has to take into account all kinds of timing issues, which are
-   discussed in Section 4.1.  Section 4.2 and Section 4.3 deal with the
-   rollover, or supercession, of keys.  Finally, Section 4.4 discusses
-   considerations on how parents deal with their children's public keys
-   in order to maintain chains of trust.
-
-   The typographic conventions used in this document are explained in
-   Appendix C.
-
-   Since this is a document with operational suggestions and there are
-   no protocol specifications, the RFC 2119 [7] language does not apply.
-
-   This document obsoletes RFC 2541 [12] to reflect the evolution of the
-   underlying DNSSEC protocol since then.  Changes in the choice of
-   cryptographic algorithms, DNS record types and type names, and the
-   parent-child key and signature exchange demanded a major rewrite and
-   additional information and explanation.
-
-
-
-
-
-
-Kolkman & Gieben             Informational                      [Page 3]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-1.1.  The Use of the Term 'key'
-
-   It is assumed that the reader is familiar with the concept of
-   asymmetric keys on which DNSSEC is based (public key cryptography
-   [17]).  Therefore, this document will use the term 'key' rather
-   loosely.  Where it is written that 'a key is used to sign data' it is
-   assumed that the reader understands that it is the private part of
-   the key pair that is used for signing.  It is also assumed that the
-   reader understands that the public part of the key pair is published
-   in the DNSKEY Resource Record and that it is the public part that is
-   used in key exchanges.
-
-1.2.  Time Definitions
-
-   In this document, we will be using a number of time-related terms.
-   The following definitions apply:
-
-   o  "Signature validity period" The period that a signature is valid.
-      It starts at the time specified in the signature inception field
-      of the RRSIG RR and ends at the time specified in the expiration
-      field of the RRSIG RR.
-
-   o  "Signature publication period" Time after which a signature (made
-      with a specific key) is replaced with a new signature (made with
-      the same key).  This replacement takes place by publishing the
-      relevant RRSIG in the master zone file.  After one stops
-      publishing an RRSIG in a zone, it may take a while before the
-      RRSIG has expired from caches and has actually been removed from
-      the DNS.
-
-   o  "Key effectivity period" The period during which a key pair is
-      expected to be effective.  This period is defined as the time
-      between the first inception time stamp and the last expiration
-      date of any signature made with this key, regardless of any
-      discontinuity in the use of the key.  The key effectivity period
-      can span multiple signature validity periods.
-
-   o  "Maximum/Minimum Zone Time to Live (TTL)" The maximum or minimum
-      value of the TTLs from the complete set of RRs in a zone.  Note
-      that the minimum TTL is not the same as the MINIMUM field in the
-      SOA RR.  See [11] for more information.
-
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben             Informational                      [Page 4]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-2.  Keeping the Chain of Trust Intact
-
-   Maintaining a valid chain of trust is important because broken chains
-   of trust will result in data being marked as Bogus (as defined in [4]
-   Section 5), which may cause entire (sub)domains to become invisible
-   to verifying clients.  The administrators of secured zones have to
-   realize that their zone is, to verifying clients, part of a chain of
-   trust.
-
-   As mentioned in the introduction, the procedures herein are intended
-   to ensure that maintenance of zones, such as re-signing or key
-   rollovers, will be transparent to the verifying clients on the
-   Internet.
-
-   Administrators of secured zones will have to keep in mind that data
-   published on an authoritative primary server will not be immediately
-   seen by verifying clients; it may take some time for the data to be
-   transferred to other secondary authoritative nameservers and clients
-   may be fetching data from caching non-authoritative servers.  In this
-   light, note that the time for a zone transfer from master to slave is
-   negligible when using NOTIFY [9] and incremental transfer (IXFR) [8].
-   It increases when full zone transfers (AXFR) are used in combination
-   with NOTIFY.  It increases even more if you rely on full zone
-   transfers based on only the SOA timing parameters for refresh.
-
-   For the verifying clients, it is important that data from secured
-   zones can be used to build chains of trust regardless of whether the
-   data came directly from an authoritative server, a caching
-   nameserver, or some middle box.  Only by carefully using the
-   available timing parameters can a zone administrator ensure that the
-   data necessary for verification can be obtained.
-
-   The responsibility for maintaining the chain of trust is shared by
-   administrators of secured zones in the chain of trust.  This is most
-   obvious in the case of a 'key compromise' when a trade-off between
-   maintaining a valid chain of trust and replacing the compromised keys
-   as soon as possible must be made.  Then zone administrators will have
-   to make a trade-off, between keeping the chain of trust intact --
-   thereby allowing for attacks with the compromised key -- or
-   deliberately breaking the chain of trust and making secured
-   subdomains invisible to security-aware resolvers.  Also see Section
-   4.3.
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben             Informational                      [Page 5]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-3.  Keys Generation and Storage
-
-   This section describes a number of considerations with respect to the
-   security of keys.  It deals with the generation, effectivity period,
-   size, and storage of private keys.
-
-3.1.  Zone and Key Signing Keys
-
-   The DNSSEC validation protocol does not distinguish between different
-   types of DNSKEYs.  All DNSKEYs can be used during the validation.  In
-   practice, operators use Key Signing and Zone Signing Keys and use the
-   so-called Secure Entry Point (SEP) [3] flag to distinguish between
-   them during operations.  The dynamics and considerations are
-   discussed below.
-
-   To make zone re-signing and key rollover procedures easier to
-   implement, it is possible to use one or more keys as Key Signing Keys
-   (KSKs).  These keys will only sign the apex DNSKEY RRSet in a zone.
-   Other keys can be used to sign all the RRSets in a zone and are
-   referred to as Zone Signing Keys (ZSKs).  In this document, we assume
-   that KSKs are the subset of keys that are used for key exchanges with
-   the parent and potentially for configuration as trusted anchors --
-   the SEP keys.  In this document, we assume a one-to-one mapping
-   between KSK and SEP keys and we assume the SEP flag to be set on all
-   KSKs.
-
-3.1.1.  Motivations for the KSK and ZSK Separation
-
-   Differentiating between the KSK and ZSK functions has several
-   advantages:
-
-   o  No parent/child interaction is required when ZSKs are updated.
-
-   o  The KSK can be made stronger (i.e., using more bits in the key
-      material).  This has little operational impact since it is only
-      used to sign a small fraction of the zone data.  Also, the KSK is
-      only used to verify the zone's key set, not for other RRSets in
-      the zone.
-
-   o  As the KSK is only used to sign a key set, which is most probably
-      updated less frequently than other data in the zone, it can be
-      stored separately from and in a safer location than the ZSK.
-
-   o  A KSK can have a longer key effectivity period.
-
-   For almost any method of key management and zone signing, the KSK is
-   used less frequently than the ZSK.  Once a key set is signed with the
-   KSK, all the keys in the key set can be used as ZSKs.  If a ZSK is
-
-
-
-Kolkman & Gieben             Informational                      [Page 6]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-   compromised, it can be simply dropped from the key set.  The new key
-   set is then re-signed with the KSK.
-
-   Given the assumption that for KSKs the SEP flag is set, the KSK can
-   be distinguished from a ZSK by examining the flag field in the DNSKEY
-   RR.  If the flag field is an odd number it is a KSK.  If it is an
-   even number it is a ZSK.
-
-   The Zone Signing Key can be used to sign all the data in a zone on a
-   regular basis.  When a Zone Signing Key is to be rolled, no
-   interaction with the parent is needed.  This allows for signature
-   validity periods on the order of days.
-
-   The Key Signing Key is only to be used to sign the DNSKEY RRs in a
-   zone.  If a Key Signing Key is to be rolled over, there will be
-   interactions with parties other than the zone administrator.  These
-   can include the registry of the parent zone or administrators of
-   verifying resolvers that have the particular key configured as secure
-   entry points.  Hence, the key effectivity period of these keys can
-   and should be made much longer.  Although, given a long enough key,
-   the key effectivity period can be on the order of years, we suggest
-   planning for a key effectivity on the order of a few months so that a
-   key rollover remains an operational routine.
-
-3.1.2.  KSKs for High-Level Zones
-
-   Higher-level zones are generally more sensitive than lower-level
-   zones.  Anyone controlling or breaking the security of a zone thereby
-   obtains authority over all of its subdomains (except in the case of
-   resolvers that have locally configured the public key of a subdomain,
-   in which case this, and only this, subdomain wouldn't be affected by
-   the compromise of the parent zone).  Therefore, extra care should be
-   taken with high-level zones, and strong keys should be used.
-
-   The root zone is the most critical of all zones.  Someone controlling
-   or compromising the security of the root zone would control the
-   entire DNS namespace of all resolvers using that root zone (except in
-   the case of resolvers that have locally configured the public key of
-   a subdomain).  Therefore, the utmost care must be taken in the
-   securing of the root zone.  The strongest and most carefully handled
-   keys should be used.  The root zone private key should always be kept
-   off-line.
-
-   Many resolvers will start at a root server for their access to and
-   authentication of DNS data.  Securely updating the trust anchors in
-   an enormous population of resolvers around the world will be
-   extremely difficult.
-
-
-
-
-Kolkman & Gieben             Informational                      [Page 7]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-3.2.  Key Generation
-
-   Careful generation of all keys is a sometimes overlooked but
-   absolutely essential element in any cryptographically secure system.
-   The strongest algorithms used with the longest keys are still of no
-   use if an adversary can guess enough to lower the size of the likely
-   key space so that it can be exhaustively searched.  Technical
-   suggestions for the generation of random keys will be found in RFC
-   4086 [14].  One should carefully assess if the random number
-   generator used during key generation adheres to these suggestions.
-
-   Keys with a long effectivity period are particularly sensitive as
-   they will represent a more valuable target and be subject to attack
-   for a longer time than short-period keys.  It is strongly recommended
-   that long-term key generation occur off-line in a manner isolated
-   from the network via an air gap or, at a minimum, high-level secure
-   hardware.
-
-3.3.  Key Effectivity Period
-
-   For various reasons, keys in DNSSEC need to be changed once in a
-   while.  The longer a key is in use, the greater the probability that
-   it will have been compromised through carelessness, accident,
-   espionage, or cryptanalysis.  Furthermore, when key rollovers are too
-   rare an event, they will not become part of the operational habit and
-   there is risk that nobody on-site will remember the procedure for
-   rollover when the need is there.
-
-   From a purely operational perspective, a reasonable key effectivity
-   period for Key Signing Keys is 13 months, with the intent to replace
-   them after 12 months.  An intended key effectivity period of a month
-   is reasonable for Zone Signing Keys.
-
-   For key sizes that match these effectivity periods, see Section 3.5.
-
-   As argued in Section 3.1.2, securely updating trust anchors will be
-   extremely difficult.  On the other hand, the "operational habit"
-   argument does also apply to trust anchor reconfiguration.  If a short
-   key effectivity period is used and the trust anchor configuration has
-   to be revisited on a regular basis, the odds that the configuration
-   tends to be forgotten is smaller.  The trade-off is against a system
-   that is so dynamic that administrators of the validating clients will
-   not be able to follow the modifications.
-
-   Key effectivity periods can be made very short, as in a few minutes.
-   But when replacing keys one has to take the considerations from
-   Section 4.1 and Section 4.2 into account.
-
-
-
-
-Kolkman & Gieben             Informational                      [Page 8]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-3.4.  Key Algorithm
-
-   There are currently three different types of algorithms that can be
-   used in DNSSEC: RSA, DSA, and elliptic curve cryptography.  The
-   latter is fairly new and has yet to be standardized for usage in
-   DNSSEC.
-
-   RSA has been developed in an open and transparent manner.  As the
-   patent on RSA expired in 2000, its use is now also free.
-
-   DSA has been developed by the National Institute of Standards and
-   Technology (NIST).  The creation of signatures takes roughly the same
-   time as with RSA, but is 10 to 40 times as slow for verification
-   [17].
-
-   We suggest the use of RSA/SHA-1 as the preferred algorithm for the
-   key.  The current known attacks on RSA can be defeated by making your
-   key longer.  As the MD5 hashing algorithm is showing cracks, we
-   recommend the usage of SHA-1.
-
-   At the time of publication, it is known that the SHA-1 hash has
-   cryptanalysis issues.  There is work in progress on addressing these
-   issues.  We recommend the use of public key algorithms based on
-   hashes stronger than SHA-1 (e.g., SHA-256), as soon as these
-   algorithms are available in protocol specifications (see [19] and
-   [20]) and implementations.
-
-3.5.  Key Sizes
-
-   When choosing key sizes, zone administrators will need to take into
-   account how long a key will be used, how much data will be signed
-   during the key publication period (see Section 8.10 of [17]), and,
-   optionally, how large the key size of the parent is.  As the chain of
-   trust really is "a chain", there is not much sense in making one of
-   the keys in the chain several times larger then the others.  As
-   always, it's the weakest link that defines the strength of the entire
-   chain.  Also see Section 3.1.1 for a discussion of how keys serving
-   different roles (ZSK vs. KSK) may need different key sizes.
-
-   Generating a key of the correct size is a difficult problem; RFC 3766
-   [13] tries to deal with that problem.  The first part of the
-   selection procedure in Section 1 of the RFC states:
-
-      1. Determine the attack resistance necessary to satisfy the
-         security requirements of the application.  Do this by
-         estimating the minimum number of computer operations that the
-         attacker will be forced to do in order to compromise the
-
-
-
-
-Kolkman & Gieben             Informational                      [Page 9]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-         security of the system and then take the logarithm base two of
-         that number.  Call that logarithm value "n".
-
-         A 1996 report recommended 90 bits as a good all-around choice
-         for system security.  The 90 bit number should be increased by
-         about 2/3 bit/year, or about 96 bits in 2005.
-
-   [13] goes on to explain how this number "n" can be used to calculate
-   the key sizes in public key cryptography.  This culminated in the
-   table given below (slightly modified for our purpose):
-
-      +-------------+-----------+--------------+
-      | System      |           |              |
-      | requirement | Symmetric | RSA or DSA   |
-      | for attack  | key size  | modulus size |
-      | resistance  | (bits)    | (bits)       |
-      | (bits)      |           |              |
-      +-------------+-----------+--------------+
-      |     70      |     70    |      947     |
-      |     80      |     80    |     1228     |
-      |     90      |     90    |     1553     |
-      |    100      |    100    |     1926     |
-      |    150      |    150    |     4575     |
-      |    200      |    200    |     8719     |
-      |    250      |    250    |    14596     |
-      +-------------+-----------+--------------+
-
-   The key sizes given are rather large.  This is because these keys are
-   resilient against a trillionaire attacker.  Assuming this rich
-   attacker will not attack your key and that the key is rolled over
-   once a year, we come to the following recommendations about KSK
-   sizes: 1024 bits for low-value domains, 1300 bits for medium-value
-   domains, and 2048 bits for high-value domains.
-
-   Whether a domain is of low, medium, or high value depends solely on
-   the views of the zone owner.  One could, for instance, view leaf
-   nodes in the DNS as of low value, and top-level domains (TLDs) or the
-   root zone of high value.  The suggested key sizes should be safe for
-   the next 5 years.
-
-   As ZSKs can be rolled over more easily (and thus more often), the key
-   sizes can be made smaller.  But as said in the introduction of this
-   paragraph, making the ZSKs' key sizes too small (in relation to the
-   KSKs' sizes) doesn't make much sense.  Try to limit the difference in
-   size to about 100 bits.
-
-
-
-
-
-
-Kolkman & Gieben             Informational                     [Page 10]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-   Note that nobody can see into the future and that these key sizes are
-   only provided here as a guide.  Further information can be found in
-   [16] and Section 7.5 of [17].  It should be noted though that [16] is
-   already considered overly optimistic about what key sizes are
-   considered safe.
-
-   One final note concerning key sizes.  Larger keys will increase the
-   sizes of the RRSIG and DNSKEY records and will therefore increase the
-   chance of DNS UDP packet overflow.  Also, the time it takes to
-   validate and create RRSIGs increases with larger keys, so don't
-   needlessly double your key sizes.
-
-3.6.  Private Key Storage
-
-   It is recommended that, where possible, zone private keys and the
-   zone file master copy that is to be signed be kept and used in off-
-   line, non-network-connected, physically secure machines only.
-   Periodically, an application can be run to add authentication to a
-   zone by adding RRSIG and NSEC RRs.  Then the augmented file can be
-   transferred.
-
-   When relying on dynamic update to manage a signed zone [10], be aware
-   that at least one private key of the zone will have to reside on the
-   master server.  This key is only as secure as the amount of exposure
-   the server receives to unknown clients and the security of the host.
-   Although not mandatory, one could administer the DNS in the following
-   way.  The master that processes the dynamic updates is unavailable
-   from generic hosts on the Internet, it is not listed in the NS RR
-   set, although its name appears in the SOA RRs MNAME field.  The
-   nameservers in the NS RRSet are able to receive zone updates through
-   NOTIFY, IXFR, AXFR, or an out-of-band distribution mechanism.  This
-   approach is known as the "hidden master" setup.
-
-   The ideal situation is to have a one-way information flow to the
-   network to avoid the possibility of tampering from the network.
-   Keeping the zone master file on-line on the network and simply
-   cycling it through an off-line signer does not do this.  The on-line
-   version could still be tampered with if the host it resides on is
-   compromised.  For maximum security, the master copy of the zone file
-   should be off-net and should not be updated based on an unsecured
-   network mediated communication.
-
-   In general, keeping a zone file off-line will not be practical and
-   the machines on which zone files are maintained will be connected to
-   a network.  Operators are advised to take security measures to shield
-   unauthorized access to the master copy.
-
-
-
-
-
-Kolkman & Gieben             Informational                     [Page 11]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-   For dynamically updated secured zones [10], both the master copy and
-   the private key that is used to update signatures on updated RRs will
-   need to be on-line.
-
-4.  Signature Generation, Key Rollover, and Related Policies
-
-4.1.  Time in DNSSEC
-
-   Without DNSSEC, all times in the DNS are relative.  The SOA fields
-   REFRESH, RETRY, and EXPIRATION are timers used to determine the time
-   elapsed after a slave server synchronized with a master server.  The
-   Time to Live (TTL) value and the SOA RR minimum TTL parameter [11]
-   are used to determine how long a forwarder should cache data after it
-   has been fetched from an authoritative server.  By using a signature
-   validity period, DNSSEC introduces the notion of an absolute time in
-   the DNS.  Signatures in DNSSEC have an expiration date after which
-   the signature is marked as invalid and the signed data is to be
-   considered Bogus.
-
-4.1.1.  Time Considerations
-
-   Because of the expiration of signatures, one should consider the
-   following:
-
-   o  We suggest the Maximum Zone TTL of your zone data to be a fraction
-      of your signature validity period.
-
-         If the TTL would be of similar order as the signature validity
-         period, then all RRSets fetched during the validity period
-         would be cached until the signature expiration time.  Section
-         7.1 of [4] suggests that "the resolver may use the time
-         remaining before expiration of the signature validity period of
-         a signed RRSet as an upper bound for the TTL".  As a result,
-         query load on authoritative servers would peak at signature
-         expiration time, as this is also the time at which records
-         simultaneously expire from caches.
-
-         To avoid query load peaks, we suggest the TTL on all the RRs in
-         your zone to be at least a few times smaller than your
-         signature validity period.
-
-   o  We suggest the signature publication period to end at least one
-      Maximum Zone TTL duration before the end of the signature validity
-      period.
-
-
-
-
-
-
-
-Kolkman & Gieben             Informational                     [Page 12]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-         Re-signing a zone shortly before the end of the signature
-         validity period may cause simultaneous expiration of data from
-         caches.  This in turn may lead to peaks in the load on
-         authoritative servers.
-
-   o  We suggest the Minimum Zone TTL to be long enough to both fetch
-      and verify all the RRs in the trust chain.  In workshop
-      environments, it has been demonstrated [18] that a low TTL (under
-      5 to 10 minutes) caused disruptions because of the following two
-      problems:
-
-         1.  During validation, some data may expire before the
-             validation is complete.  The validator should be able to
-             keep all data until it is completed.  This applies to all
-             RRs needed to complete the chain of trust: DSes, DNSKEYs,
-             RRSIGs, and the final answers, i.e., the RRSet that is
-             returned for the initial query.
-
-         2.  Frequent verification causes load on recursive nameservers.
-             Data at delegation points, DSes, DNSKEYs, and RRSIGs
-             benefit from caching.  The TTL on those should be
-             relatively long.
-
-   o  Slave servers will need to be able to fetch newly signed zones
-      well before the RRSIGs in the zone served by the slave server pass
-      their signature expiration time.
-
-         When a slave server is out of sync with its master and data in
-         a zone is signed by expired signatures, it may be better for
-         the slave server not to give out any answer.
-
-         Normally, a slave server that is not able to contact a master
-         server for an extended period will expire a zone.  When that
-         happens, the server will respond differently to queries for
-         that zone.  Some servers issue SERVFAIL, whereas others turn
-         off the 'AA' bit in the answers.  The time of expiration is set
-         in the SOA record and is relative to the last successful
-         refresh between the master and the slave servers.  There exists
-         no coupling between the signature expiration of RRSIGs in the
-         zone and the expire parameter in the SOA.
-
-         If the server serves a DNSSEC zone, then it may well happen
-         that the signatures expire well before the SOA expiration timer
-         counts down to zero.  It is not possible to completely prevent
-         this from happening by tweaking the SOA parameters.  However,
-         the effects can be minimized where the SOA expiration time is
-         equal to or shorter than the signature validity period.  The
-         consequence of an authoritative server not being able to update
-
-
-
-Kolkman & Gieben             Informational                     [Page 13]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-         a zone, whilst that zone includes expired signatures, is that
-         non-secure resolvers will continue to be able to resolve data
-         served by the particular slave servers while security-aware
-         resolvers will experience problems because of answers being
-         marked as Bogus.
-
-         We suggest the SOA expiration timer being approximately one
-         third or one fourth of the signature validity period.  It will
-         allow problems with transfers from the master server to be
-         noticed before the actual signature times out.  We also suggest
-         that operators of nameservers that supply secondary services
-         develop 'watch dogs' to spot upcoming signature expirations in
-         zones they slave, and take appropriate action.
-
-         When determining the value for the expiration parameter one has
-         to take the following into account: What are the chances that
-         all my secondaries expire the zone? How quickly can I reach an
-         administrator of secondary servers to load a valid zone?  These
-         questions are not DNSSEC specific but may influence the choice
-         of your signature validity intervals.
-
-4.2.  Key Rollovers
-
-   A DNSSEC key cannot be used forever (see Section 3.3).  So key
-   rollovers -- or supercessions, as they are sometimes called -- are a
-   fact of life when using DNSSEC.  Zone administrators who are in the
-   process of rolling their keys have to take into account that data
-   published in previous versions of their zone still lives in caches.
-   When deploying DNSSEC, this becomes an important consideration;
-   ignoring data that may be in caches may lead to loss of service for
-   clients.
-
-   The most pressing example of this occurs when zone material signed
-   with an old key is being validated by a resolver that does not have
-   the old zone key cached.  If the old key is no longer present in the
-   current zone, this validation fails, marking the data "Bogus".
-   Alternatively, an attempt could be made to validate data that is
-   signed with a new key against an old key that lives in a local cache,
-   also resulting in data being marked "Bogus".
-
-4.2.1.  Zone Signing Key Rollovers
-
-   For "Zone Signing Key rollovers", there are two ways to make sure
-   that during the rollover data still cached can be verified with the
-   new key sets or newly generated signatures can be verified with the
-   keys still in caches.  One schema, described in Section 4.2.1.2, uses
-
-
-
-
-
-Kolkman & Gieben             Informational                     [Page 14]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-   double signatures; the other uses key pre-publication (Section
-   4.2.1.1).  The pros, cons, and recommendations are described in
-   Section 4.2.1.3.
-
-4.2.1.1.  Pre-Publish Key Rollover
-
-   This section shows how to perform a ZSK rollover without the need to
-   sign all the data in a zone twice -- the "pre-publish key rollover".
-   This method has advantages in the case of a key compromise.  If the
-   old key is compromised, the new key has already been distributed in
-   the DNS.  The zone administrator is then able to quickly switch to
-   the new key and remove the compromised key from the zone.  Another
-   major advantage is that the zone size does not double, as is the case
-   with the double signature ZSK rollover.  A small "how-to" for this
-   kind of rollover can be found in Appendix B.
-
-   Pre-publish key rollover involves four stages as follows:
-
-      ----------------------------------------------------------------
-      initial         new DNSKEY       new RRSIGs      DNSKEY removal
-      ----------------------------------------------------------------
-      SOA0            SOA1             SOA2            SOA3
-      RRSIG10(SOA0)   RRSIG10(SOA1)    RRSIG11(SOA2)   RRSIG11(SOA3)
-
-      DNSKEY1         DNSKEY1          DNSKEY1         DNSKEY1
-      DNSKEY10        DNSKEY10         DNSKEY10        DNSKEY11
-      DNSKEY11         DNSKEY11
-      RRSIG1 (DNSKEY) RRSIG1 (DNSKEY)  RRSIG1(DNSKEY)  RRSIG1 (DNSKEY)
-      RRSIG10(DNSKEY) RRSIG10(DNSKEY)  RRSIG11(DNSKEY) RRSIG11(DNSKEY)
-      ----------------------------------------------------------------
-
-                         Pre-Publish Key Rollover
-
-   initial: Initial version of the zone: DNSKEY 1 is the Key Signing
-      Key.  DNSKEY 10 is used to sign all the data of the zone, the Zone
-      Signing Key.
-
-   new DNSKEY: DNSKEY 11 is introduced into the key set.  Note that no
-      signatures are generated with this key yet, but this does not
-      secure against brute force attacks on the public key.  The minimum
-      duration of this pre-roll phase is the time it takes for the data
-      to propagate to the authoritative servers plus TTL value of the
-      key set.
-
-   new RRSIGs: At the "new RRSIGs" stage (SOA serial 2), DNSKEY 11 is
-      used to sign the data in the zone exclusively (i.e., all the
-      signatures from DNSKEY 10 are removed from the zone).  DNSKEY 10
-      remains published in the key set.  This way data that was loaded
-
-
-
-Kolkman & Gieben             Informational                     [Page 15]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-      into caches from version 1 of the zone can still be verified with
-      key sets fetched from version 2 of the zone.  The minimum time
-      that the key set including DNSKEY 10 is to be published is the
-      time that it takes for zone data from the previous version of the
-      zone to expire from old caches, i.e., the time it takes for this
-      zone to propagate to all authoritative servers plus the Maximum
-      Zone TTL value of any of the data in the previous version of the
-      zone.
-
-   DNSKEY removal: DNSKEY 10 is removed from the zone.  The key set, now
-      only containing DNSKEY 1 and DNSKEY 11, is re-signed with the
-      DNSKEY 1.
-
-   The above scheme can be simplified by always publishing the "future"
-   key immediately after the rollover.  The scheme would look as follows
-   (we show two rollovers); the future key is introduced in "new DNSKEY"
-   as DNSKEY 12 and again a newer one, numbered 13, in "new DNSKEY
-   (II)":
-
-      ----------------------------------------------------------------
-      initial             new RRSIGs          new DNSKEY
-      ----------------------------------------------------------------
-      SOA0                SOA1                SOA2
-      RRSIG10(SOA0)       RRSIG11(SOA1)       RRSIG11(SOA2)
-
-      DNSKEY1             DNSKEY1             DNSKEY1
-      DNSKEY10            DNSKEY10            DNSKEY11
-      DNSKEY11            DNSKEY11            DNSKEY12
-      RRSIG1(DNSKEY)      RRSIG1 (DNSKEY)     RRSIG1(DNSKEY)
-      RRSIG10(DNSKEY)     RRSIG11(DNSKEY)     RRSIG11(DNSKEY)
-      ----------------------------------------------------------------
-
-      ----------------------------------------------------------------
-      new RRSIGs (II)     new DNSKEY (II)
-      ----------------------------------------------------------------
-      SOA3                SOA4
-      RRSIG12(SOA3)       RRSIG12(SOA4)
-
-      DNSKEY1             DNSKEY1
-      DNSKEY11            DNSKEY12
-      DNSKEY12            DNSKEY13
-      RRSIG1(DNSKEY)      RRSIG1(DNSKEY)
-      RRSIG12(DNSKEY)     RRSIG12(DNSKEY)
-      ----------------------------------------------------------------
-
-              Pre-Publish Key Rollover, Showing Two Rollovers
-
-
-
-
-
-Kolkman & Gieben             Informational                     [Page 16]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-   Note that the key introduced in the "new DNSKEY" phase is not used
-   for production yet; the private key can thus be stored in a
-   physically secure manner and does not need to be 'fetched' every time
-   a zone needs to be signed.
-
-4.2.1.2.  Double Signature Zone Signing Key Rollover
-
-   This section shows how to perform a ZSK key rollover using the double
-   zone data signature scheme, aptly named "double signature rollover".
-
-   During the "new DNSKEY" stage the new version of the zone file will
-   need to propagate to all authoritative servers and the data that
-   exists in (distant) caches will need to expire, requiring at least
-   the Maximum Zone TTL.
-
-   Double signature ZSK rollover involves three stages as follows:
-
-      ----------------------------------------------------------------
-      initial             new DNSKEY         DNSKEY removal
-      ----------------------------------------------------------------
-      SOA0                SOA1               SOA2
-      RRSIG10(SOA0)       RRSIG10(SOA1)      RRSIG11(SOA2)
-      RRSIG11(SOA1)
-
-      DNSKEY1             DNSKEY1            DNSKEY1
-      DNSKEY10            DNSKEY10           DNSKEY11
-      DNSKEY11
-      RRSIG1(DNSKEY)      RRSIG1(DNSKEY)     RRSIG1(DNSKEY)
-      RRSIG10(DNSKEY)     RRSIG10(DNSKEY)    RRSIG11(DNSKEY)
-      RRSIG11(DNSKEY)
-      ----------------------------------------------------------------
-
-                Double Signature Zone Signing Key Rollover
-
-   initial: Initial Version of the zone: DNSKEY 1 is the Key Signing
-      Key.  DNSKEY 10 is used to sign all the data of the zone, the Zone
-      Signing Key.
-
-   new DNSKEY: At the "New DNSKEY" stage (SOA serial 1) DNSKEY 11 is
-      introduced into the key set and all the data in the zone is signed
-      with DNSKEY 10 and DNSKEY 11.  The rollover period will need to
-      continue until all data from version 0 of the zone has expired
-      from remote caches.  This will take at least the Maximum Zone TTL
-      of version 0 of the zone.
-
-   DNSKEY removal: DNSKEY 10 is removed from the zone.  All the
-      signatures from DNSKEY 10 are removed from the zone.  The key set,
-      now only containing DNSKEY 11, is re-signed with DNSKEY 1.
-
-
-
-Kolkman & Gieben             Informational                     [Page 17]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-   At every instance, RRSIGs from the previous version of the zone can
-   be verified with the DNSKEY RRSet from the current version and the
-   other way around.  The data from the current version can be verified
-   with the data from the previous version of the zone.  The duration of
-   the "new DNSKEY" phase and the period between rollovers should be at
-   least the Maximum Zone TTL.
-
-   Making sure that the "new DNSKEY" phase lasts until the signature
-   expiration time of the data in initial version of the zone is
-   recommended.  This way all caches are cleared of the old signatures.
-   However, this duration could be considerably longer than the Maximum
-   Zone TTL, making the rollover a lengthy procedure.
-
-   Note that in this example we assumed that the zone was not modified
-   during the rollover.  New data can be introduced in the zone as long
-   as it is signed with both keys.
-
-4.2.1.3.  Pros and Cons of the Schemes
-
-   Pre-publish key rollover: This rollover does not involve signing the
-      zone data twice.  Instead, before the actual rollover, the new key
-      is published in the key set and thus is available for
-      cryptanalysis attacks.  A small disadvantage is that this process
-      requires four steps.  Also the pre-publish scheme involves more
-      parental work when used for KSK rollovers as explained in Section
-      4.2.3.
-
-   Double signature ZSK rollover: The drawback of this signing scheme is
-      that during the rollover the number of signatures in your zone
-      doubles; this may be prohibitive if you have very big zones.  An
-      advantage is that it only requires three steps.
-
-4.2.2.  Key Signing Key Rollovers
-
-   For the rollover of a Key Signing Key, the same considerations as for
-   the rollover of a Zone Signing Key apply.  However, we can use a
-   double signature scheme to guarantee that old data (only the apex key
-   set) in caches can be verified with a new key set and vice versa.
-   Since only the key set is signed with a KSK, zone size considerations
-   do not apply.
-
-
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben             Informational                     [Page 18]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-   --------------------------------------------------------------------
-       initial        new DNSKEY        DS change       DNSKEY removal
-   --------------------------------------------------------------------
-     Parent:
-       SOA0           -------->         SOA1            -------->
-       RRSIGpar(SOA0) -------->         RRSIGpar(SOA1)  -------->
-       DS1            -------->         DS2             -------->
-       RRSIGpar(DS)   -------->         RRSIGpar(DS)    -------->
-
-
-     Child:
-       SOA0            SOA1             -------->       SOA2
-       RRSIG10(SOA0)   RRSIG10(SOA1)    -------->       RRSIG10(SOA2)
-                                        -------->
-       DNSKEY1         DNSKEY1          -------->       DNSKEY2
-                       DNSKEY2          -------->
-       DNSKEY10        DNSKEY10         -------->       DNSKEY10
-       RRSIG1 (DNSKEY) RRSIG1 (DNSKEY)  -------->       RRSIG2 (DNSKEY)
-                       RRSIG2 (DNSKEY)  -------->
-       RRSIG10(DNSKEY) RRSIG10(DNSKEY)  -------->       RRSIG10(DNSKEY)
-   --------------------------------------------------------------------
-
-   Stages of Deployment for a Double Signature Key Signing Key Rollover
-
-   initial: Initial version of the zone.  The parental DS points to
-      DNSKEY1.  Before the rollover starts, the child will have to
-      verify what the TTL is of the DS RR that points to DNSKEY1 -- it
-      is needed during the rollover and we refer to the value as TTL_DS.
-
-   new DNSKEY: During the "new DNSKEY" phase, the zone administrator
-      generates a second KSK, DNSKEY2.  The key is provided to the
-      parent, and the child will have to wait until a new DS RR has been
-      generated that points to DNSKEY2.  After that DS RR has been
-      published on all servers authoritative for the parent's zone, the
-      zone administrator has to wait at least TTL_DS to make sure that
-      the old DS RR has expired from caches.
-
-   DS change: The parent replaces DS1 with DS2.
-
-   DNSKEY removal: DNSKEY1 has been removed.
-
-   The scenario above puts the responsibility for maintaining a valid
-   chain of trust with the child.  It also is based on the premise that
-   the parent only has one DS RR (per algorithm) per zone.  An
-   alternative mechanism has been considered.  Using an established
-   trust relation, the interaction can be performed in-band, and the
-   removal of the keys by the child can possibly be signaled by the
-   parent.  In this mechanism, there are periods where there are two DS
-
-
-
-Kolkman & Gieben             Informational                     [Page 19]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-   RRs at the parent.  Since at the moment of writing the protocol for
-   this interaction has not been developed, further discussion is out of
-   scope for this document.
-
-4.2.3.  Difference Between ZSK and KSK Rollovers
-
-   Note that KSK rollovers and ZSK rollovers are different in the sense
-   that a KSK rollover requires interaction with the parent (and
-   possibly replacing of trust anchors) and the ensuing delay while
-   waiting for it.
-
-   A zone key rollover can be handled in two different ways: pre-publish
-   (Section 4.2.1.1) and double signature (Section 4.2.1.2).
-
-   As the KSK is used to validate the key set and because the KSK is not
-   changed during a ZSK rollover, a cache is able to validate the new
-   key set of the zone.  The pre-publish method would also work for a
-   KSK rollover.  The records that are to be pre-published are the
-   parental DS RRs.  The pre-publish method has some drawbacks for KSKs.
-   We first describe the rollover scheme and then indicate these
-   drawbacks.
-
-   --------------------------------------------------------------------
-     initial         new DS           new DNSKEY      DS/DNSKEY removal
-   --------------------------------------------------------------------
-   Parent:
-     SOA0            SOA1             -------->       SOA2
-     RRSIGpar(SOA0)  RRSIGpar(SOA1)   -------->       RRSIGpar(SOA2)
-     DS1             DS1              -------->       DS2
-                     DS2              -------->
-     RRSIGpar(DS)    RRSIGpar(DS)     -------->       RRSIGpar(DS)
-
-
-   Child:
-     SOA0            -------->        SOA1            SOA1
-     RRSIG10(SOA0)   -------->        RRSIG10(SOA1)   RRSIG10(SOA1)
-                     -------->
-     DNSKEY1         -------->        DNSKEY2         DNSKEY2
-                     -------->
-     DNSKEY10        -------->        DNSKEY10        DNSKEY10
-     RRSIG1 (DNSKEY) -------->        RRSIG2(DNSKEY)  RRSIG2 (DNSKEY)
-     RRSIG10(DNSKEY) -------->        RRSIG10(DNSKEY) RRSIG10(DNSKEY)
-   --------------------------------------------------------------------
-
-      Stages of Deployment for a Pre-Publish Key Signing Key Rollover
-
-
-
-
-
-
-Kolkman & Gieben             Informational                     [Page 20]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-   When the child zone wants to roll, it notifies the parent during the
-   "new DS" phase and submits the new key (or the corresponding DS) to
-   the parent.  The parent publishes DS1 and DS2, pointing to DNSKEY1
-   and DNSKEY2, respectively.  During the rollover ("new DNSKEY" phase),
-   which can take place as soon as the new DS set propagated through the
-   DNS, the child replaces DNSKEY1 with DNSKEY2.  Immediately after that
-   ("DS/DNSKEY removal" phase), it can notify the parent that the old DS
-   record can be deleted.
-
-   The drawbacks of this scheme are that during the "new DS" phase the
-   parent cannot verify the match between the DS2 RR and DNSKEY2 using
-   the DNS -- as DNSKEY2 is not yet published.  Besides, we introduce a
-   "security lame" key (see Section 4.4.3).  Finally, the child-parent
-   interaction consists of two steps.  The "double signature" method
-   only needs one interaction.
-
-4.2.4.  Automated Key Rollovers
-
-   As keys must be renewed periodically, there is some motivation to
-   automate the rollover process.  Consider the following:
-
-   o  ZSK rollovers are easy to automate as only the child zone is
-      involved.
-
-   o  A KSK rollover needs interaction between parent and child.  Data
-      exchange is needed to provide the new keys to the parent;
-      consequently, this data must be authenticated and integrity must
-      be guaranteed in order to avoid attacks on the rollover.
-
-4.3.  Planning for Emergency Key Rollover
-
-   This section deals with preparation for a possible key compromise.
-   Our advice is to have a documented procedure ready for when a key
-   compromise is suspected or confirmed.
-
-   When the private material of one of your keys is compromised it can
-   be used for as long as a valid trust chain exists.  A trust chain
-   remains intact for
-
-   o  as long as a signature over the compromised key in the trust chain
-      is valid,
-
-   o  as long as a parental DS RR (and signature) points to the
-      compromised key,
-
-   o  as long as the key is anchored in a resolver and is used as a
-      starting point for validation (this is generally the hardest to
-      update).
-
-
-
-Kolkman & Gieben             Informational                     [Page 21]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-   While a trust chain to your compromised key exists, your namespace is
-   vulnerable to abuse by anyone who has obtained illegitimate
-   possession of the key.  Zone operators have to make a trade-off if
-   the abuse of the compromised key is worse than having data in caches
-   that cannot be validated.  If the zone operator chooses to break the
-   trust chain to the compromised key, data in caches signed with this
-   key cannot be validated.  However, if the zone administrator chooses
-   to take the path of a regular rollover, the malicious key holder can
-   spoof data so that it appears to be valid.
-
-4.3.1.  KSK Compromise
-
-   A zone containing a DNSKEY RRSet with a compromised KSK is vulnerable
-   as long as the compromised KSK is configured as trust anchor or a
-   parental DS points to it.
-
-   A compromised KSK can be used to sign the key set of an attacker's
-   zone.  That zone could be used to poison the DNS.
-
-   Therefore, when the KSK has been compromised, the trust anchor or the
-   parental DS should be replaced as soon as possible.  It is local
-   policy whether to break the trust chain during the emergency
-   rollover.  The trust chain would be broken when the compromised KSK
-   is removed from the child's zone while the parent still has a DS
-   pointing to the compromised KSK (the assumption is that there is only
-   one DS at the parent.  If there are multiple DSes this does not apply
-   -- however the chain of trust of this particular key is broken).
-
-   Note that an attacker's zone still uses the compromised KSK and the
-   presence of a parental DS would cause the data in this zone to appear
-   as valid.  Removing the compromised key would cause the attacker's
-   zone to appear as valid and the child's zone as Bogus.  Therefore, we
-   advise not to remove the KSK before the parent has a DS to a new KSK
-   in place.
-
-4.3.1.1.  Keeping the Chain of Trust Intact
-
-   If we follow this advice, the timing of the replacement of the KSK is
-   somewhat critical.  The goal is to remove the compromised KSK as soon
-   as the new DS RR is available at the parent.  And also make sure that
-   the signature made with a new KSK over the key set with the
-   compromised KSK in it expires just after the new DS appears at the
-   parent, thus removing the old cruft in one swoop.
-
-   The procedure is as follows:
-
-   1.  Introduce a new KSK into the key set, keep the compromised KSK in
-       the key set.
-
-
-
-Kolkman & Gieben             Informational                     [Page 22]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-   2.  Sign the key set, with a short validity period.  The validity
-       period should expire shortly after the DS is expected to appear
-       in the parent and the old DSes have expired from caches.
-
-   3.  Upload the DS for this new key to the parent.
-
-   4.  Follow the procedure of the regular KSK rollover: Wait for the DS
-       to appear in the authoritative servers and then wait as long as
-       the TTL of the old DS RRs.  If necessary re-sign the DNSKEY RRSet
-       and modify/extend the expiration time.
-
-   5.  Remove the compromised DNSKEY RR from the zone and re-sign the
-       key set using your "normal" validity interval.
-
-   An additional danger of a key compromise is that the compromised key
-   could be used to facilitate a legitimate DNSKEY/DS rollover and/or
-   nameserver changes at the parent.  When that happens, the domain may
-   be in dispute.  An authenticated out-of-band and secure notify
-   mechanism to contact a parent is needed in this case.
-
-   Note that this is only a problem when the DNSKEY and or DS records
-   are used for authentication at the parent.
-
-4.3.1.2.  Breaking the Chain of Trust
-
-   There are two methods to break the chain of trust.  The first method
-   causes the child zone to appear 'Bogus' to validating resolvers.  The
-   other causes the child zone to appear 'insecure'.  These are
-   described below.
-
-   In the method that causes the child zone to appear 'Bogus' to
-   validating resolvers, the child zone replaces the current KSK with a
-   new one and re-signs the key set.  Next it sends the DS of the new
-   key to the parent.  Only after the parent has placed the new DS in
-   the zone is the child's chain of trust repaired.
-
-   An alternative method of breaking the chain of trust is by removing
-   the DS RRs from the parent zone altogether.  As a result, the child
-   zone would become insecure.
-
-4.3.2.  ZSK Compromise
-
-   Primarily because there is no parental interaction required when a
-   ZSK is compromised, the situation is less severe than with a KSK
-   compromise.  The zone must still be re-signed with a new ZSK as soon
-   as possible.  As this is a local operation and requires no
-   communication between the parent and child, this can be achieved
-   fairly quickly.  However, one has to take into account that just as
-
-
-
-Kolkman & Gieben             Informational                     [Page 23]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-   with a normal rollover the immediate disappearance of the old
-   compromised key may lead to verification problems.  Also note that as
-   long as the RRSIG over the compromised ZSK is not expired the zone
-   may be still at risk.
-
-4.3.3.  Compromises of Keys Anchored in Resolvers
-
-   A key can also be pre-configured in resolvers.  For instance, if
-   DNSSEC is successfully deployed the root key may be pre-configured in
-   most security aware resolvers.
-
-   If trust-anchor keys are compromised, the resolvers using these keys
-   should be notified of this fact.  Zone administrators may consider
-   setting up a mailing list to communicate the fact that a SEP key is
-   about to be rolled over.  This communication will of course need to
-   be authenticated, e.g., by using digital signatures.
-
-   End-users faced with the task of updating an anchored key should
-   always validate the new key.  New keys should be authenticated out-
-   of-band, for example, through the use of an announcement website that
-   is secured using secure sockets (TLS) [21].
-
-4.4.  Parental Policies
-
-4.4.1.  Initial Key Exchanges and Parental Policies Considerations
-
-   The initial key exchange is always subject to the policies set by the
-   parent.  When designing a key exchange policy one should take into
-   account that the authentication and authorization mechanisms used
-   during a key exchange should be as strong as the authentication and
-   authorization mechanisms used for the exchange of delegation
-   information between parent and child.  That is, there is no implicit
-   need in DNSSEC to make the authentication process stronger than it
-   was in DNS.
-
-   Using the DNS itself as the source for the actual DNSKEY material,
-   with an out-of-band check on the validity of the DNSKEY, has the
-   benefit that it reduces the chances of user error.  A DNSKEY query
-   tool can make use of the SEP bit [3] to select the proper key from a
-   DNSSEC key set, thereby reducing the chance that the wrong DNSKEY is
-   sent.  It can validate the self-signature over a key; thereby
-   verifying the ownership of the private key material.  Fetching the
-   DNSKEY from the DNS ensures that the chain of trust remains intact
-   once the parent publishes the DS RR indicating the child is secure.
-
-   Note: the out-of-band verification is still needed when the key
-   material is fetched via the DNS.  The parent can never be sure
-   whether or not the DNSKEY RRs have been spoofed.
-
-
-
-Kolkman & Gieben             Informational                     [Page 24]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-4.4.2.  Storing Keys or Hashes?
-
-   When designing a registry system one should consider which of the
-   DNSKEYs and/or the corresponding DSes to store.  Since a child zone
-   might wish to have a DS published using a message digest algorithm
-   not yet understood by the registry, the registry can't count on being
-   able to generate the DS record from a raw DNSKEY.  Thus, we recommend
-   that registry systems at least support storing DS records.
-
-   It may also be useful to store DNSKEYs, since having them may help
-   during troubleshooting and, as long as the child's chosen message
-   digest is supported, the overhead of generating DS records from them
-   is minimal.  Having an out-of-band mechanism, such as a registry
-   directory (e.g., Whois), to find out which keys are used to generate
-   DS Resource Records for specific owners and/or zones may also help
-   with troubleshooting.
-
-   The storage considerations also relate to the design of the customer
-   interface and the method by which data is transferred between
-   registrant and registry; Will the child zone administrator be able to
-   upload DS RRs with unknown hash algorithms or does the interface only
-   allow DNSKEYs?  In the registry-registrar model, one can use the
-   DNSSEC extensions to the Extensible Provisioning Protocol (EPP) [15],
-   which allows transfer of DS RRs and optionally DNSKEY RRs.
-
-4.4.3.  Security Lameness
-
-   Security lameness is defined as what happens when a parent has a DS
-   RR pointing to a non-existing DNSKEY RR.  When this happens, the
-   child's zone may be marked "Bogus" by verifying DNS clients.
-
-   As part of a comprehensive delegation check, the parent could, at key
-   exchange time, verify that the child's key is actually configured in
-   the DNS.  However, if a parent does not understand the hashing
-   algorithm used by child, the parental checks are limited to only
-   comparing the key id.
-
-   Child zones should be very careful in removing DNSKEY material,
-   specifically SEP keys, for which a DS RR exists.
-
-   Once a zone is "security lame", a fix (e.g., removing a DS RR) will
-   take time to propagate through the DNS.
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben             Informational                     [Page 25]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-4.4.4.  DS Signature Validity Period
-
-   Since the DS can be replayed as long as it has a valid signature, a
-   short signature validity period over the DS minimizes the time a
-   child is vulnerable in the case of a compromise of the child's
-   KSK(s).  A signature validity period that is too short introduces the
-   possibility that a zone is marked "Bogus" in case of a configuration
-   error in the signer.  There may not be enough time to fix the
-   problems before signatures expire.  Something as mundane as operator
-   unavailability during weekends shows the need for DS signature
-   validity periods longer than 2 days.  We recommend an absolute
-   minimum for a DS signature validity period of a few days.
-
-   The maximum signature validity period of the DS record depends on how
-   long child zones are willing to be vulnerable after a key compromise.
-   On the other hand, shortening the DS signature validity interval
-   increases the operational risk for the parent.  Therefore, the parent
-   may have policy to use a signature validity interval that is
-   considerably longer than the child would hope for.
-
-   A compromise between the operational constraints of the parent and
-   minimizing damage for the child may result in a DS signature validity
-   period somewhere between a week and months.
-
-   In addition to the signature validity period, which sets a lower
-   bound on the number of times the zone owner will need to sign the
-   zone data and which sets an upper bound to the time a child is
-   vulnerable after key compromise, there is the TTL value on the DS
-   RRs.  Shortening the TTL means that the authoritative servers will
-   see more queries.  But on the other hand, a short TTL lowers the
-   persistence of DS RRSets in caches thereby increasing the speed with
-   which updated DS RRSets propagate through the DNS.
-
-5.  Security Considerations
-
-   DNSSEC adds data integrity to the DNS.  This document tries to assess
-   the operational considerations to maintain a stable and secure DNSSEC
-   service.  Not taking into account the 'data propagation' properties
-   in the DNS will cause validation failures and may make secured zones
-   unavailable to security-aware resolvers.
-
-6.  Acknowledgments
-
-   Most of the ideas in this document were the result of collective
-   efforts during workshops, discussions, and tryouts.
-
-   At the risk of forgetting individuals who were the original
-   contributors of the ideas, we would like to acknowledge people who
-
-
-
-Kolkman & Gieben             Informational                     [Page 26]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-   were actively involved in the compilation of this document.  In
-   random order: Rip Loomis, Olafur Gudmundsson, Wesley Griffin, Michael
-   Richardson, Scott Rose, Rick van Rein, Tim McGinnis, Gilles Guette
-   Olivier Courtay, Sam Weiler, Jelte Jansen, Niall O'Reilly, Holger
-   Zuleger, Ed Lewis, Hilarie Orman, Marcos Sanz, and Peter Koch.
-
-   Some material in this document has been copied from RFC 2541 [12].
-
-   Mike StJohns designed the key exchange between parent and child
-   mentioned in the last paragraph of Section 4.2.2
-
-   Section 4.2.4 was supplied by G. Guette and O. Courtay.
-
-   Emma Bretherick, Adrian Bedford, and Lindy Foster corrected many of
-   the spelling and style issues.
-
-   Kolkman and Gieben take the blame for introducing all miscakes (sic).
-
-   While working on this document, Kolkman was employed by the RIPE NCC
-   and Gieben was employed by NLnet Labs.
-
-7.  References
-
-7.1.  Normative References
-
-   [1]   Mockapetris, P., "Domain names - concepts and facilities", STD
-         13, RFC 1034, November 1987.
-
-   [2]   Mockapetris, P., "Domain names - implementation and
-         specification", STD 13, RFC 1035, November 1987.
-
-   [3]   Kolkman, O., Schlyter, J., and E. Lewis, "Domain Name System
-         KEY (DNSKEY) Resource Record (RR) Secure Entry Point (SEP)
-         Flag", RFC 3757, May 2004.
-
-   [4]   Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
-         "DNS Security Introduction and Requirements", RFC 4033, March
-         2005.
-
-   [5]   Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
-         "Resource Records for the DNS Security Extensions", RFC 4034,
-         March 2005.
-
-   [6]   Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
-         "Protocol Modifications for the DNS Security Extensions", RFC
-         4035, March 2005.
-
-
-
-
-
-Kolkman & Gieben             Informational                     [Page 27]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-7.2.  Informative References
-
-   [7]   Bradner, S., "Key words for use in RFCs to Indicate Requirement
-         Levels", BCP 14, RFC 2119, March 1997.
-
-   [8]   Ohta, M., "Incremental Zone Transfer in DNS", RFC 1995, August
-         1996.
-
-   [9]   Vixie, P., "A Mechanism for Prompt Notification of Zone Changes
-         (DNS NOTIFY)", RFC 1996, August 1996.
-
-   [10]  Wellington, B., "Secure Domain Name System (DNS) Dynamic
-         Update", RFC 3007, November 2000.
-
-   [11]  Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)",
-         RFC 2308, March 1998.
-
-   [12]  Eastlake, D., "DNS Security Operational Considerations", RFC
-         2541, March 1999.
-
-   [13]  Orman, H. and P. Hoffman, "Determining Strengths For Public
-         Keys Used For Exchanging Symmetric Keys", BCP 86, RFC 3766,
-         April 2004.
-
-   [14]  Eastlake, D., Schiller, J., and S. Crocker, "Randomness
-         Requirements for Security", BCP 106, RFC 4086, June 2005.
-
-   [15]  Hollenbeck, S., "Domain Name System (DNS) Security Extensions
-         Mapping for the Extensible Provisioning Protocol (EPP)", RFC
-         4310, December 2005.
-
-   [16]  Lenstra, A. and E. Verheul, "Selecting Cryptographic Key
-         Sizes", The Journal of Cryptology 14 (255-293), 2001.
-
-   [17]  Schneier, B., "Applied Cryptography: Protocols, Algorithms, and
-         Source Code in C", ISBN (hardcover) 0-471-12845-7, ISBN
-         (paperback) 0-471-59756-2, Published by John Wiley & Sons Inc.,
-         1996.
-
-   [18]  Rose, S., "NIST DNSSEC workshop notes", June 2001.
-
-   [19]  Jansen, J., "Use of RSA/SHA-256 DNSKEY and RRSIG Resource
-         Records in DNSSEC", Work in Progress, January 2006.
-
-   [20]  Hardaker, W., "Use of SHA-256 in DNSSEC Delegation Signer (DS)
-         Resource Records (RRs)", RFC 4509, May 2006.
-
-
-
-
-
-Kolkman & Gieben             Informational                     [Page 28]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-   [21]  Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J., and
-         T. Wright, "Transport Layer Security (TLS) Extensions", RFC
-         4366, April 2006.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben             Informational                     [Page 29]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-Appendix A.  Terminology
-
-   In this document, there is some jargon used that is defined in other
-   documents.  In most cases, we have not copied the text from the
-   documents defining the terms but have given a more elaborate
-   explanation of the meaning.  Note that these explanations should not
-   be seen as authoritative.
-
-   Anchored key: A DNSKEY configured in resolvers around the globe.
-      This key is hard to update, hence the term anchored.
-
-   Bogus: Also see Section 5 of [4].  An RRSet in DNSSEC is marked
-      "Bogus" when a signature of an RRSet does not validate against a
-      DNSKEY.
-
-   Key Signing Key or KSK: A Key Signing Key (KSK) is a key that is used
-      exclusively for signing the apex key set.  The fact that a key is
-      a KSK is only relevant to the signing tool.
-
-   Key size: The term 'key size' can be substituted by 'modulus size'
-      throughout the document.  It is mathematically more correct to use
-      modulus size, but as this is a document directed at operators we
-      feel more at ease with the term key size.
-
-   Private and public keys: DNSSEC secures the DNS through the use of
-      public key cryptography.  Public key cryptography is based on the
-      existence of two (mathematically related) keys, a public key and a
-      private key.  The public keys are published in the DNS by use of
-      the DNSKEY Resource Record (DNSKEY RR).  Private keys should
-      remain private.
-
-   Key rollover: A key rollover (also called key supercession in some
-      environments) is the act of replacing one key pair with another at
-      the end of a key effectivity period.
-
-   Secure Entry Point (SEP) key: A KSK that has a parental DS record
-      pointing to it or is configured as a trust anchor.  Although not
-      required by the protocol, we recommend that the SEP flag [3] is
-      set on these keys.
-
-   Self-signature: This only applies to signatures over DNSKEYs; a
-      signature made with DNSKEY x, over DNSKEY x is called a self-
-      signature.  Note: without further information, self-signatures
-      convey no trust.  They are useful to check the authenticity of the
-      DNSKEY, i.e., they can be used as a hash.
-
-
-
-
-
-
-Kolkman & Gieben             Informational                     [Page 30]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-   Singing the zone file: The term used for the event where an
-      administrator joyfully signs its zone file while producing melodic
-      sound patterns.
-
-   Signer: The system that has access to the private key material and
-      signs the Resource Record sets in a zone.  A signer may be
-      configured to sign only parts of the zone, e.g., only those RRSets
-      for which existing signatures are about to expire.
-
-   Zone Signing Key (ZSK): A key that is used for signing all data in a
-      zone.  The fact that a key is a ZSK is only relevant to the
-      signing tool.
-
-   Zone administrator: The 'role' that is responsible for signing a zone
-      and publishing it on the primary authoritative server.
-
-Appendix B.  Zone Signing Key Rollover How-To
-
-   Using the pre-published signature scheme and the most conservative
-   method to assure oneself that data does not live in caches, here
-   follows the "how-to".
-
-   Step 0: The preparation: Create two keys and publish both in your key
-      set.  Mark one of the keys "active" and the other "published".
-      Use the "active" key for signing your zone data.  Store the
-      private part of the "published" key, preferably off-line.  The
-      protocol does not provide for attributes to mark a key as active
-      or published.  This is something you have to do on your own,
-      through the use of a notebook or key management tool.
-
-   Step 1: Determine expiration: At the beginning of the rollover make a
-      note of the highest expiration time of signatures in your zone
-      file created with the current key marked as active.  Wait until
-      the expiration time marked in Step 1 has passed.
-
-   Step 2: Then start using the key that was marked "published" to sign
-      your data (i.e., mark it "active").  Stop using the key that was
-      marked "active"; mark it "rolled".
-
-   Step 3: It is safe to engage in a new rollover (Step 1) after at
-      least one signature validity period.
-
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben             Informational                     [Page 31]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-Appendix C.  Typographic Conventions
-
-   The following typographic conventions are used in this document:
-
-   Key notation: A key is denoted by DNSKEYx, where x is a number or an
-   identifier, x could be thought of as the key id.
-
-   RRSet notations: RRs are only denoted by the type.  All other
-   information -- owner, class, rdata, and TTL--is left out.  Thus:
-   "example.com 3600 IN A 192.0.2.1" is reduced to "A".  RRSets are a
-   list of RRs.  A example of this would be "A1, A2", specifying the
-   RRSet containing two "A" records.  This could again be abbreviated to
-   just "A".
-
-   Signature notation: Signatures are denoted as RRSIGx(RRSet), which
-   means that RRSet is signed with DNSKEYx.
-
-   Zone representation: Using the above notation we have simplified the
-   representation of a signed zone by leaving out all unnecessary
-   details such as the names and by representing all data by "SOAx"
-
-   SOA representation: SOAs are represented as SOAx, where x is the
-   serial number.
-
-   Using this notation the following signed zone:
-
-   example.net.      86400  IN SOA  ns.example.net. bert.example.net. (
-                            2006022100   ; serial
-                            86400        ; refresh (  24 hours)
-                            7200         ; retry   (   2 hours)
-                            3600000      ; expire  (1000 hours)
-                            28800 )      ; minimum (   8 hours)
-                     86400  RRSIG   SOA 5 2 86400 20130522213204 (
-                                  20130422213204 14 example.net.
-                                  cmL62SI6iAX46xGNQAdQ... )
-                     86400  NS      a.iana-servers.net.
-                     86400  NS      b.iana-servers.net.
-                     86400  RRSIG   NS 5 2 86400 20130507213204 (
-                                  20130407213204 14 example.net.
-                                  SO5epiJei19AjXoUpFnQ ... )
-                     86400  DNSKEY  256 3 5 (
-                                  EtRB9MP5/AvOuVO0I8XDxy0... ) ; id = 14
-                     86400  DNSKEY  257 3 5 (
-                                  gsPW/Yy19GzYIY+Gnr8HABU... ) ; id = 15
-                     86400  RRSIG   DNSKEY 5 2 86400 20130522213204 (
-                                  20130422213204 14 example.net.
-                                  J4zCe8QX4tXVGjV4e1r9... )
-
-
-
-
-Kolkman & Gieben             Informational                     [Page 32]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-                     86400  RRSIG   DNSKEY 5 2 86400 20130522213204 (
-                                  20130422213204 15 example.net.
-                                  keVDCOpsSeDReyV6O... )
-                     86400  RRSIG   NSEC 5 2 86400 20130507213204 (
-                                  20130407213204 14 example.net.
-                                  obj3HEp1GjnmhRjX... )
-   a.example.net.    86400  IN TXT  "A label"
-                     86400  RRSIG   TXT 5 3 86400 20130507213204 (
-                                  20130407213204 14 example.net.
-                                  IkDMlRdYLmXH7QJnuF3v... )
-                     86400  NSEC    b.example.com. TXT RRSIG NSEC
-                     86400  RRSIG   NSEC 5 3 86400 20130507213204 (
-                                  20130407213204 14 example.net.
-                                  bZMjoZ3bHjnEz0nIsPMM... )
-                     ...
-
-   is reduced to the following representation:
-
-       SOA2006022100
-       RRSIG14(SOA2006022100)
-       DNSKEY14
-       DNSKEY15
-
-       RRSIG14(KEY)
-       RRSIG15(KEY)
-
-   The rest of the zone data has the same signature as the SOA record,
-   i.e., an RRSIG created with DNSKEY 14.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben             Informational                     [Page 33]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-Authors' Addresses
-
-   Olaf M. Kolkman
-   NLnet Labs
-   Kruislaan 419
-   Amsterdam  1098 VA
-   The Netherlands
-
-   EMail: olaf@nlnetlabs.nl
-   URI:   http://www.nlnetlabs.nl
-
-
-   R. (Miek) Gieben
-
-   EMail: miek@miek.nl
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben             Informational                     [Page 34]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-Full Copyright Statement
-
-   Copyright (C) The Internet Society (2006).
-
-   This document is subject to the rights, licenses and restrictions
-   contained in BCP 78, and except as set forth therein, the authors
-   retain all their rights.
-
-   This document and the information contained herein are provided on an
-   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
-   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
-   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
-   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
-   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Intellectual Property
-
-   The IETF takes no position regarding the validity or scope of any
-   Intellectual Property Rights or other rights that might be claimed to
-   pertain to the implementation or use of the technology described in
-   this document or the extent to which any license under such rights
-   might or might not be available; nor does it represent that it has
-   made any independent effort to identify any such rights.  Information
-   on the procedures with respect to rights in RFC documents can be
-   found in BCP 78 and BCP 79.
-
-   Copies of IPR disclosures made to the IETF Secretariat and any
-   assurances of licenses to be made available, or the result of an
-   attempt made to obtain a general license or permission for the use of
-   such proprietary rights by implementers or users of this
-   specification can be obtained from the IETF on-line IPR repository at
-   http://www.ietf.org/ipr.
-
-   The IETF invites any interested party to bring to its attention any
-   copyrights, patents or patent applications, or other proprietary
-   rights that may cover technology that may be required to implement
-   this standard.  Please address the information to the IETF at
-   ietf-ipr@ietf.org.
-
-Acknowledgement
-
-   Funding for the RFC Editor function is provided by the IETF
-   Administrative Support Activity (IASA).
-
-
-
-
-
-
-
-Kolkman & Gieben             Informational                     [Page 35]
-
diff --git a/doc/xsl/copyright.xsl b/doc/xsl/copyright.xsl
deleted file mode 100644
index 7d7251b7..00000000
--- a/doc/xsl/copyright.xsl
+++ /dev/null
@@ -1,71 +0,0 @@
-<!--
- - Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: copyright.xsl,v 1.2.8.2 2005/05/13 01:21:57 marka Exp $ -->
-
-<!-- Generate ISC copyright comments from Docbook copyright metadata. -->
-
-<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
-
-  <xsl:template name="isc.copyright.format">
-    <xsl:param name="text"/>
-    <xsl:value-of select="$isc.copyright.leader"/>
-    <xsl:value-of select="normalize-space(substring-before($text, '&#10;'))"/>
-    <xsl:text>&#10;</xsl:text>
-    <xsl:variable name="rest" select="substring-after($text, '&#10;')"/>
-    <xsl:if test="translate($rest, '&#9;&#32;', '')">
-      <xsl:call-template name="isc.copyright.format">
-        <xsl:with-param name="text" select="$rest"/>
-      </xsl:call-template>
-    </xsl:if>
-  </xsl:template>
-
-  <xsl:variable name="isc.copyright">
-    <xsl:call-template name="isc.copyright.format">
-      <xsl:with-param name="text">
-	<xsl:for-each select="/refentry/docinfo/copyright | /book/bookinfo/copyright">
-	  <xsl:text>Copyright (C) </xsl:text>
-	  <xsl:call-template name="copyright.years">
-	    <xsl:with-param name="years" select="year"/>
-	  </xsl:call-template>
-	  <xsl:text> </xsl:text>
-	  <xsl:value-of select="holder"/>
-	  <xsl:text>&#10;</xsl:text>
-	</xsl:for-each>
-	<xsl:text>
-	  Permission to use, copy, modify, and distribute this software for any
-	  purpose with or without fee is hereby granted, provided that the above
-	  copyright notice and this permission notice appear in all copies.
-
-	  THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-	  REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-	  AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-	  INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-	  LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-	  OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-	  PERFORMANCE OF THIS SOFTWARE.
-	</xsl:text>
-      </xsl:with-param>
-    </xsl:call-template>
-  </xsl:variable>
-
-</xsl:stylesheet>
-
-<!-- 
-  - Local variables:
-  - mode: sgml
-  - End:
- -->
diff --git a/doc/xsl/isc-docbook-chunk.xsl.in b/doc/xsl/isc-docbook-chunk.xsl.in
deleted file mode 100644
index 3005be3b..00000000
--- a/doc/xsl/isc-docbook-chunk.xsl.in
+++ /dev/null
@@ -1,65 +0,0 @@
-<!--
- - Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: isc-docbook-chunk.xsl.in,v 1.3.2.2 2005/05/13 01:21:57 marka Exp $ -->
-
-<!-- ISC customizations for Docbook-XSL chunked HTML generator --> 
-
-<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
-
-  <!-- Import the Docbook HTML stuff -->
-  <xsl:import href="@XSLT_DOCBOOK_CHUNK_HTML@"/>
-
-  <!-- Readable HTML output, please -->
-  <xsl:output indent="yes"/>
-  <xsl:param name="chunker.output.indent" select="'yes'"/>
-
-  <!-- Chunk at section level, please -->
-  <xsl:param name="chunk.section.depth" select="0"/>
-
-  <!-- Generate chunk filenames from id attribute values -->
-  <xsl:param name="use.id.as.filename" select="1"/>
-
-  <!-- ANSI C function prototypes, please -->
-  <xsl:param name="funcsynopsis.style">ansi</xsl:param>
-
-  <!-- Use ranges when constructing copyrights -->
-  <xsl:param name="make.year.ranges" select="1"/>
-
-  <!-- Include our copyright generator -->
-  <xsl:include href="copyright.xsl"/>
-
-  <!-- Set comment convention for this output format -->
-  <xsl:param name="isc.copyright.leader"> - </xsl:param>
-
-  <!-- Override Docbook template to insert copyright -->
-  <xsl:template name="user.preroot">
-    <xsl:comment>
-      <xsl:text>&#10;</xsl:text>
-      <xsl:value-of select="$isc.copyright"/>
-    </xsl:comment>
-    <xsl:text>&#10;</xsl:text>
-    <xsl:comment> &#36;Id&#36; </xsl:comment>
-    <xsl:text>&#10;</xsl:text>
-  </xsl:template>
-
-</xsl:stylesheet>
-
-<!-- 
-  - Local variables:
-  - mode: sgml
-  - End:
- -->
diff --git a/doc/xsl/isc-docbook-html.xsl.in b/doc/xsl/isc-docbook-html.xsl.in
deleted file mode 100644
index 8beac217..00000000
--- a/doc/xsl/isc-docbook-html.xsl.in
+++ /dev/null
@@ -1,58 +0,0 @@
-<!--
- - Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: isc-docbook-html.xsl.in,v 1.3.2.2 2005/05/13 01:21:57 marka Exp $ -->
-
-<!-- ISC customizations for Docbook-XSL HTML generator --> 
-
-<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
-
-  <!-- Import the Docbook HTML stuff -->
-  <xsl:import href="@XSLT_DOCBOOK_STYLE_HTML@"/>
-
-  <!-- Readable HTML output, please -->
-  <xsl:output indent="yes"/>
-
-  <!-- ANSI C function prototypes, please -->
-  <xsl:param name="funcsynopsis.style">ansi</xsl:param>
-
-  <!-- Use ranges when constructing copyrights -->
-  <xsl:param name="make.year.ranges" select="1"/>
-
-  <!-- Include our copyright generator -->
-  <xsl:include href="copyright.xsl"/>
-
-  <!-- Set comment convention for this output format -->
-  <xsl:param name="isc.copyright.leader"> - </xsl:param>
-
-  <!-- Override Docbook template to insert copyright -->
-  <xsl:template name="user.preroot">
-    <xsl:comment>
-      <xsl:text>&#10;</xsl:text>
-      <xsl:value-of select="$isc.copyright"/>
-    </xsl:comment>
-    <xsl:text>&#10;</xsl:text>
-    <xsl:comment> &#36;Id&#36; </xsl:comment>
-    <xsl:text>&#10;</xsl:text>
-  </xsl:template>
-
-</xsl:stylesheet>
-
-<!-- 
-  - Local variables:
-  - mode: sgml
-  - End:
- -->
diff --git a/doc/xsl/isc-docbook-latex.xsl.in b/doc/xsl/isc-docbook-latex.xsl.in
deleted file mode 100644
index 37a1d39b..00000000
--- a/doc/xsl/isc-docbook-latex.xsl.in
+++ /dev/null
@@ -1,82 +0,0 @@
-<!--
- - Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: isc-docbook-latex.xsl.in,v 1.2.8.2 2005/05/13 01:21:57 marka Exp $ -->
-
-<!-- ISC customizations for db2latex generator -->
-
-<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
-
-  <!-- Import the db2latex stuff -->
-  <xsl:import href="@XSLT_DB2LATEX_STYLE@"/>
-
-  <!-- Blank lines between paragraphs, please -->
-  <xsl:param name="latex.use.parskip" select="1"/>
-
-  <!-- Least bad current option for constructing tables -->
-  <xsl:param name="latex.use.ltxtable" select="1"/>
-  <xsl:param name="latex.use.longtable" select="1"/>
-
-  <!-- LaTeX2e documentclass options. -->
-  <xsl:param name="latex.documentclass.common" select="''"/>
-
-  <!-- This documentation is in English (or maybe Bad English) -->
-  <xsl:param name="latex.babel.language" select="'english'"/>
-  <xsl:param name="l10n.gentext.default.language" select="'en'"/>
-
-  <!-- Where to find "admonition" graphics -->
-  <xsl:param name="admon.graphics.path" select="'@XSLT_DB2LATEX_ADMONITIONS@'"/>
-
-  <!-- ANSI C function prototypes, please -->
-  <xsl:param name="funcsynopsis.style">ansi</xsl:param>
-
-  <!-- Patch around db2latex (0.8pre1) bug -->
-  <xsl:template match="copyright/year">
-    <xsl:apply-templates />
-    <xsl:if test="position() != last()">
-      <xsl:text>, </xsl:text>
-    </xsl:if>
-  </xsl:template>
-
-  <!-- Include our copyright generator -->
-  <xsl:include href="copyright.xsl"/>
-
-  <!-- Set comment convention for this output format -->
-  <xsl:param name="isc.copyright.leader">% </xsl:param>
-
-  <!-- Intercept top level to prepend copyright -->
-  <xsl:template match="/">
-    <xsl:value-of select="$isc.copyright"/>
-    <xsl:apply-imports/>
-  </xsl:template>
-
-  <!--
-    - Add support for multiple <para/> elements in a table entry.
-    - db2latex is already typesetting the table entry as a parbox,
-    - so we just have to insert the paragraph breaks.
-    -->
-  <xsl:template match="tbody/row/entry/para[position() != last()]">
-    <xsl:apply-imports/>
-    <xsl:text> \par </xsl:text>
-  </xsl:template>
-
-</xsl:stylesheet>
-
-<!-- 
-  - Local variables:
-  - mode: sgml
-  - End:
- -->
diff --git a/doc/xsl/isc-manpage.xsl.in b/doc/xsl/isc-manpage.xsl.in
deleted file mode 100644
index 20fc1d0a..00000000
--- a/doc/xsl/isc-manpage.xsl.in
+++ /dev/null
@@ -1,145 +0,0 @@
-<!--
- - Copyright (C) 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: isc-manpage.xsl.in,v 1.4.2.5 2007/01/27 00:22:46 marka Exp $ -->
-
-<!-- ISC customizations for Docbook-XSL manual page generator. -->
-
-<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
-
-  <!-- Import the Docbook manpages stuff -->
-  <xsl:import href="@XSLT_DOCBOOK_STYLE_MAN@"/>
-  
-  <!-- Include our copyright generator -->
-  <xsl:include href="copyright.xsl"/>
-
-  <!-- Set comment string for this output format -->
-  <xsl:param name="isc.copyright.leader">.\" </xsl:param>
-
-  <!-- We're not writing any kind of SGML, thanks -->
-  <xsl:output method="text" encoding="us-ascii"/>
-
-  <!-- ANSI C function prototypes, please -->
-  <xsl:param name="funcsynopsis.style">ansi</xsl:param>
-
-  <!-- Use ranges when constructing copyrights -->
-  <xsl:param name="make.year.ranges" select="1"/>
-
-  <!-- Stuff we want in our nroff preamble. -->
-  <xsl:variable name="isc.nroff.preamble">
-    <xsl:text>.\"&#10;</xsl:text>
-    <xsl:text>.\" &#36;Id&#36;&#10;</xsl:text>
-    <xsl:text>.\"&#10;</xsl:text>
-    <xsl:text>.hy 0&#10;</xsl:text>
-    <xsl:text>.ad l&#10;</xsl:text>
-  </xsl:variable>
-
-  <!-- 
-    - Override Docbook template to insert our copyright,
-    - disable chunking, and suppress output of .so files.
-   -->
-  <xsl:template name="write.text.chunk">
-    <xsl:param name="content"/>
-    <xsl:if test="substring($content, 1, 4) != '.so ' or
-		  substring-after($content, '&#10;') != ''">
-      <xsl:call-template name="isc.no.blanks">
-        <xsl:with-param name="text" select="
-		concat($isc.copyright,
-		       $isc.nroff.preamble,
-		       $content)"/>
-      </xsl:call-template>
-    </xsl:if>
-  </xsl:template>
-
-  <!--
-    - Suppress blank lines in nroff source we output.
-   -->
-  <xsl:template name="isc.no.blanks">
-    <xsl:param name="text"/>
-    <xsl:choose>
-      <xsl:when test="contains($text, '&#10;')">
-        <xsl:call-template name="isc.no.blanks">
-	  <xsl:with-param name="text"
-	                  select="substring-before($text, '&#10;')"/>
-        </xsl:call-template>
-	<xsl:call-template name="isc.no.blanks">
-	  <xsl:with-param name="text"
-			  select="substring-after($text, '&#10;')"/>
-        </xsl:call-template>
-      </xsl:when>
-      <xsl:when test="translate($text, '&#9;&#32;', '')">
-        <xsl:value-of select="$text"/>
-	<xsl:text>&#10;</xsl:text>
-      </xsl:when>
-    </xsl:choose>
-  </xsl:template>
-
-  <!-- 
-    - Override Docbook template to change formatting.
-    - We just want the element name in boldface, no subsection header.
-   -->
-  <xsl:template match="caution|important|note|tip|warning">
-    <xsl:text>&#10;.RS&#10;.B "</xsl:text>
-    <!-- capitalize word -->
-    <xsl:value-of
-      select="translate (substring (name(.), 1, 1), 'cintw', 'CINTW')" />
-    <xsl:value-of select="substring (name(), 2)" />
-    <xsl:if test="title">
-      <xsl:text>: </xsl:text>
-      <xsl:value-of select="title[1]"/>
-    </xsl:if>
-    <xsl:text>:"&#10;</xsl:text>
-    <xsl:apply-templates/>
-    <xsl:text>&#10;.RE&#10;</xsl:text>
-  </xsl:template>
-
-  <!--
-    - Override template to change formatting.
-    - We don't want hyphenation or justification.
-   -->
-  <xsl:template match="cmdsynopsis">
-    <xsl:text>.HP </xsl:text>
-    <xsl:value-of select="string-length (normalize-space (command)) + 1"/>
-    <xsl:text>&#10;</xsl:text>
-    <xsl:apply-templates/>
-    <xsl:text>&#10;</xsl:text>
-  </xsl:template>
-
-  <!--
-    - Override template to change formatting.
-    - We don't want hyphenation or justification.
-   -->
-  <xsl:template match="funcsynopsis">
-    <xsl:apply-templates/>
-  </xsl:template>
-
-  <!--
-    - Override template to change formatting.
-    - Line breaks in funcsynopsisinfo are significant.
-   -->
-  <xsl:template match="funcsynopsisinfo">
-    <xsl:text>&#10;.nf&#10;</xsl:text>
-    <xsl:apply-templates/>
-    <xsl:text>&#10;.fi&#10;</xsl:text>
-  </xsl:template>
-
-</xsl:stylesheet>
-
-<!-- 
-  - Local variables:
-  - mode: sgml
-  - End:
- -->
diff --git a/doc/xsl/pre-latex.xsl b/doc/xsl/pre-latex.xsl
deleted file mode 100644
index 0ff54a9b..00000000
--- a/doc/xsl/pre-latex.xsl
+++ /dev/null
@@ -1,55 +0,0 @@
-<!--
- - Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: pre-latex.xsl,v 1.2.8.3 2005/09/15 02:28:43 marka Exp $ -->
-
-<!--
-  - Whack &mdash; into something that won't choke LaTeX.
-  - There's probably a better way to do this, but this will work for now.
-  --> 
-
-<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
-
-  <xsl:variable name="mdash" select="'&#8212;'"/>
-
-  <xsl:template name="fix-mdash" match="text()[contains(., '&#8212;')]">
-    <xsl:param name="s" select="."/>
-    <xsl:choose>
-      <xsl:when test="contains($s, $mdash)">
-        <xsl:value-of select="substring-before($s, $mdash)"/>
-	<xsl:text>---</xsl:text>
-        <xsl:call-template name="fix-mdash">
-	  <xsl:with-param name="s" select="substring-after($s, $mdash)"/>
-	</xsl:call-template>
-      </xsl:when>
-      <xsl:otherwise>
-        <xsl:value-of select="$s"/>
-      </xsl:otherwise>
-    </xsl:choose>
-  </xsl:template>
-
-  <xsl:template match="@*|node()">
-    <xsl:copy>
-      <xsl:copy-of select="@*"/>
-      <xsl:apply-templates/>
-    </xsl:copy>
-  </xsl:template>
-
-  <xsl:template match="/">
-    <xsl:apply-templates/>
-  </xsl:template>
-
-</xsl:stylesheet>
diff --git a/docutil/docbook2man-wrapper.sh.in b/docutil/docbook2man-wrapper.sh.in
index 46bcb66e..bf3d3843 100644
--- a/docutil/docbook2man-wrapper.sh.in
+++ b/docutil/docbook2man-wrapper.sh.in
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: docbook2man-wrapper.sh.in,v 1.2.2.4 2004/03/09 06:10:43 marka Exp $
+# $Id: docbook2man-wrapper.sh.in,v 1.2.2.3.8.1 2004/03/06 13:16:20 marka Exp $
 
 case $# in
   3) ;;
diff --git a/isc-config.sh.in b/isc-config.sh.in
index fa9ad770..737e31d2 100644
--- a/isc-config.sh.in
+++ b/isc-config.sh.in
@@ -1,7 +1,7 @@
 #!/bin/sh
 #
 # Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2000, 2001  Internet Software Consortium.
+# Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: isc-config.sh.in,v 1.10.2.1 2004/03/09 06:09:08 marka Exp $
+# $Id: isc-config.sh.in,v 1.10.12.3 2004/03/08 04:04:12 marka Exp $
 
 prefix=@prefix@
 exec_prefix=@exec_prefix@
@@ -37,6 +37,7 @@ Libraries:
 	isccfg
 	dns
 	lwres
+	bind9
 EOF
 	exit $1
 }
@@ -95,6 +96,12 @@ while test $# -gt 0; do
 	lwres)
 		liblwres=true;
 		;;
+	bind9)
+		libdns=true;
+		libisc=true;
+		libisccfg=true;
+		libbind9=true;
+		;;
 	*)
 		usage 1 1>&2
 	esac
@@ -119,8 +126,11 @@ if test x"$echo_libs" = x"true"; then
 	if test x"$liblwres" = x"true" ; then
 		libs="$libs -llwres"
 	fi
+	if test x"$libbind9" = x"true" ; then
+		libs="$libs -lbind9"
+	fi
 	if test x"$libdns" = x"true" ; then
-		libs="$libs -ldns @DNS_OPENSSL_LIBS@"
+		libs="$libs -ldns @DNS_CRYPTO_LIBS@"
 	fi
 	if test x"$libisccfg" = x"true" ; then
 		libs="$libs -lisccfg"
diff --git a/lib/Makefile.in b/lib/Makefile.in
index 97e839d7..c72b3e77 100644
--- a/lib/Makefile.in
+++ b/lib/Makefile.in
@@ -1,5 +1,5 @@
 # Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2002  Internet Software Consortium.
+# Copyright (C) 1998-2001, 2003  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.15.2.3 2004/03/09 06:10:43 marka Exp $
+# $Id: Makefile.in,v 1.15.2.2.8.4 2004/03/08 09:04:25 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -23,7 +23,7 @@ top_srcdir =	@top_srcdir@
 # Attempt to disable parallel processing.
 .NOTPARALLEL:
 .NO_PARALLEL:
-SUBDIRS =	isc isccc dns isccfg lwres tests
+SUBDIRS =	isc isccc dns isccfg bind9 lwres tests
 TARGETS =
 
 @BIND9_MAKE_RULES@
diff --git a/lib/bind/Makefile.in b/lib/bind/Makefile.in
index ad1c0f4e..acfda222 100644
--- a/lib/bind/Makefile.in
+++ b/lib/bind/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2001-2003  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
@@ -13,13 +13,12 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.12.2.16 2006/06/24 00:25:37 marka Exp $
+# $Id: Makefile.in,v 1.12.2.5.2.4 2004/03/06 08:13:21 marka Exp $
 
 srcdir =        @srcdir@
 VPATH =         @srcdir@
 top_srcdir =    @top_srcdir@
 
-
 @LIBBIND_API@
 
 LIBS =		@LIBS@
@@ -41,8 +40,8 @@ INETOBJS= inet/inet_addr.@O@ inet/inet_cidr_ntop.@O@ inet/inet_cidr_pton.@O@ \
 	inet/inet_netof.@O@ inet/inet_network.@O@ inet/inet_ntoa.@O@ \
 	inet/inet_ntop.@O@ inet/inet_pton.@O@ inet/nsap_addr.@O@
 
-WANT_IRS_THREADS_OBJS=	irs/gethostent_r.@O@ irs/getnetent_r.@O@ \
-	irs/getnetgrent_r.@O@ irs/getprotoent_r.@O@ irs/getservent_r.@O@
+WANT_IRS_THREADS_OBJS=	irs/gethostent_r.@O@ irs/getnetgrent_r.@O@ \
+	irs/getprotoent_r.@O@ irs/getservent_r.@O@
 
 WANT_IRS_NISGR_OBJS= irs/nis_gr.@O@ 
 WANT_IRS_GR_OBJS= irs/dns_gr.@O@ irs/irp_gr.@O@ irs/lcl_gr.@O@ irs/gen_gr.@O@ \
@@ -63,7 +62,7 @@ IRSOBJS= @WANT_IRS_GR_OBJS@ @WANT_IRS_NIS_OBJS@ @WANT_IRS_THREADS_OBJS@ \
 	irs/dns_sv.@O@ irs/gai_strerror.@O@ irs/gen.@O@ irs/gen_ho.@O@ \
 	irs/gen_ng.@O@ irs/gen_nw.@O@ irs/gen_pr.@O@ irs/gen_sv.@O@ \
 	irs/getaddrinfo.@O@ irs/gethostent.@O@  irs/getnameinfo.@O@ \
-	irs/getnetent.@O@ irs/getnetgrent.@O@ \
+	irs/getnetent.@O@ irs/getnetent_r.@O@ irs/getnetgrent.@O@ \
 	irs/getprotoent.@O@ irs/getservent.@O@ irs/hesiod.@O@ \
 	irs/irp.@O@ irs/irp_ho.@O@ irs/irp_ng.@O@ irs/irp_nw.@O@ \
 	irs/irp_pr.@O@ irs/irp_sv.@O@ irs/irpmarshall.@O@ irs/irs_data.@O@ \
@@ -82,11 +81,10 @@ NAMESEROBJS= nameser/ns_date.@O@ nameser/ns_name.@O@ nameser/ns_netint.@O@ \
 	nameser/ns_parse.@O@ nameser/ns_print.@O@  nameser/ns_samedomain.@O@ \
 	nameser/ns_sign.@O@ nameser/ns_ttl.@O@ nameser/ns_verify.@O@
 
-RESOLVOBJS= resolv/herror.@O@ resolv/mtctxres.@O@ resolv/res_comp.@O@ \
-	resolv/res_data.@O@ resolv/res_debug.@O@ resolv/res_findzonecut.@O@ \
-	resolv/res_init.@O@ resolv/res_mkquery.@O@ resolv/res_mkupdate.@O@ \
-	resolv/res_query.@O@ resolv/res_send.@O@ resolv/res_sendsigned.@O@ \
-	resolv/res_update.@O@
+RESOLVOBJS= resolv/herror.@O@ resolv/res_comp.@O@ resolv/res_data.@O@ \
+	resolv/res_debug.@O@ resolv/res_findzonecut.@O@ resolv/res_init.@O@ \
+	resolv/res_mkquery.@O@ resolv/res_mkupdate.@O@ resolv/res_query.@O@ \
+	resolv/res_send.@O@ resolv/res_sendsigned.@O@ resolv/res_update.@O@
 
 SUBDIRS = bsd dst include inet irs isc nameser resolv @PORT_INCLUDE@
 
@@ -96,17 +94,13 @@ OBJS=	${BSDOBJS} ${DSTOBJS} ${INETOBJS} ${IRSOBJS} ${ISCOBJS} \
 
 @BIND9_MAKE_RULES@
 
-# Attempt to disable parallel processing.
-.NOTPARALLEL:
-.NO_PARALLEL:
-
 libbind.@SA@: ${OBJS}
 	${AR} ${ARFLAGS} $@ ${OBJS}
 	${RANLIB} $@
 
 libbind.la: ${OBJS}
 	${LIBTOOL_MODE_LINK} \
-	${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libbind.la -rpath ${libdir} \
+	${CC} ${ALL_CFLAGS} -o libbind.la -rpath ${libdir} \
 		-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
 		${OBJS} ${LIBS}
 
diff --git a/lib/bind/aclocal.m4 b/lib/bind/aclocal.m4
index 110ed878..c1a594c1 100644
--- a/lib/bind/aclocal.m4
+++ b/lib/bind/aclocal.m4
@@ -1,2 +1,2 @@
-sinclude(../../libtool.m4)dnl
+sinclude(./libtool.m4)dnl
 
diff --git a/lib/bind/api b/lib/bind/api
index d4b1ecd3..8d3f5f7c 100644
--- a/lib/bind/api
+++ b/lib/bind/api
@@ -1,3 +1,3 @@
-LIBINTERFACE = 4
-LIBREVISION = 9
+LIBINTERFACE = 3
+LIBREVISION = 1
 LIBAGE = 0
diff --git a/lib/bind/bsd/Makefile.in b/lib/bind/bsd/Makefile.in
index 807b7a6e..dd7b616e 100644
--- a/lib/bind/bsd/Makefile.in
+++ b/lib/bind/bsd/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.6.2.1 2004/03/09 06:10:44 marka Exp $
+# $Id: Makefile.in,v 1.6.206.1 2004/03/06 08:13:22 marka Exp $
 
 srcdir=         @srcdir@
 VPATH =         @srcdir@
diff --git a/lib/bind/config.h.in b/lib/bind/config.h.in
index 69ea2854..46de822b 100644
--- a/lib/bind/config.h.in
+++ b/lib/bind/config.h.in
@@ -1,18 +1,13 @@
 #undef _SOCKADDR_LEN
 #undef HAVE_FCNTL_H
 #undef HAVE_PATHS_H
-#undef HAVE_INTTYPES_H
-#undef HAVE_STROPTS_H
 #undef HAVE_SYS_TIMERS_H
-#undef HAVE_SYS_SELECT_H
 #undef SYS_CDEFS_H
 #undef _POSIX_PTHREAD_SEMANTICS
 #undef POSIX_GETPWUID_R
 #undef POSIX_GETPWNAM_R
 #undef POSIX_GETGRGID_R
 #undef POSIX_GETGRNAM_R
-#undef HAVE_MEMMOVE
-#undef HAVE_MEMCHR
 
 #undef NEED_SETGROUPENT
 #undef NEED_GETGROUPLIST
@@ -40,9 +35,6 @@
 
 #undef HAS_PW_CLASS
 
-#undef ssize_t
-#undef uintptr_t
-
 /* Shut up warnings about sputaux in stdio.h on BSD/OS pre-4.1 */ 
 #undef SHUTUP_SPUTAUX
 #ifdef SHUTUP_SPUTAUX
@@ -51,11 +43,3 @@ extern __inline int __sputaux(int _c, struct __sFILE *_p);
 #endif
 #undef BROKEN_IN6ADDR_INIT_MACROS
 #undef HAVE_STRLCAT
-/* Shut up warnings about missing braces */
-#undef SHUTUP_MUTEX_INITIALIZER
-#ifdef SHUTUP_MUTEX_INITIALIZER
-#define LIBBIND_MUTEX_INITIALIZER { PTHREAD_MUTEX_INITIALIZER }
-#else
-#define LIBBIND_MUTEX_INITIALIZER PTHREAD_MUTEX_INITIALIZER
-#endif
-
diff --git a/lib/bind/configure b/lib/bind/configure
index 002120e5..dd7cddb6 100755..100644
--- a/lib/bind/configure
+++ b/lib/bind/configure
@@ -1,5 +1,5 @@
 #! /bin/sh
-# From configure.in Revision: 1.83.2.40 .
+# From configure.in Revision: 1.83.2.5.2.1 .
 # Guess values for system-dependent variables and create Makefiles.
 # Generated by GNU Autoconf 2.59.
 #
@@ -279,7 +279,7 @@ fi
 
 # The HP-UX ksh and POSIX shell print the target directory to stdout
 # if CDPATH is set.
-(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
+if test "X${CDPATH+set}" = Xset; then CDPATH=:; export CDPATH; fi
 
 if test -z "$ECHO"; then
 if test "X${echo_test_string+set}" != Xset; then
@@ -464,7 +464,7 @@ ac_includes_default="\
 # include <unistd.h>
 #endif"
 
-ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix program_transform_name bindir sbindir libexecdir datadir sysconfdir sharedstatedir localstatedir libdir includedir oldincludedir infodir mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T LIBS build build_cpu build_vendor build_os host host_cpu host_vendor host_os SET_MAKE RANLIB ac_ct_RANLIB INSTALL_PROGRAM INSTALL_SCRIPT INSTALL_DATA STD_CINCLUDES STD_CDEFINES STD_CWARNINGS CCOPT AR ARFLAGS LN ETAGS PERL CC CFLAGS LDFLAGS CPPFLAGS ac_ct_CC EXEEXT OBJEXT CPP EGREP ISC_PLATFORM_NEEDSYSSELECTH WANT_IRS_GR WANT_IRS_GR_OBJS WANT_IRS_PW WANT_IRS_PW_OBJS WANT_IRS_NIS WANT_IRS_NIS_OBJS WANT_IRS_NISGR_OBJS WANT_IRS_NISPW_OBJS WANT_IRS_DBPW_OBJS ALWAYS_DEFINES DO_PTHREADS WANT_IRS_THREADSGR_OBJS WANT_IRS_THREADSPW_OBJS WANT_IRS_THREADS_OBJS WANT_THREADS_OBJS USE_IFNAMELINKID ISC_THREAD_DIR DAEMON_OBJS NEED_DAEMON STRSEP_OBJS NEED_STRSEP NEED_STRERROR MKDEPCC MKDEPCFLAGS MKDEPPROG IRIX_DNSSEC_WARNINGS_HACK purify_path PURIFY LN_S ECHO ac_ct_AR STRIP ac_ct_STRIP CXX CXXFLAGS ac_ct_CXX CXXCPP F77 FFLAGS ac_ct_F77 LIBTOOL O A SA LIBTOOL_MKDEP_SED LIBTOOL_MODE_COMPILE LIBTOOL_MODE_INSTALL LIBTOOL_MODE_LINK HAS_INET6_STRUCTS ISC_PLATFORM_NEEDNETINETIN6H ISC_PLATFORM_NEEDNETINET6IN6H HAS_IN_ADDR6 NEED_IN6ADDR_ANY ISC_PLATFORM_HAVEIN6PKTINFO ISC_PLATFORM_FIXIN6ISADDR ISC_IPV6_H ISC_IPV6_O ISC_ISCIPV6_O ISC_IPV6_C HAVE_SIN6_SCOPE_ID HAVE_SOCKADDR_STORAGE ISC_PLATFORM_NEEDNTOP ISC_PLATFORM_NEEDPTON ISC_PLATFORM_NEEDATON HAVE_SA_LEN HAVE_MINIMUM_IFREQ BSD_COMP SOLARIS_BITTYPES USE_FIONBIO_IOCTL PORT_NONBLOCK PORT_DIR USE_POLL HAVE_MD5 SOLARIS2 PORT_INCLUDE ISC_PLATFORM_MSGHDRFLAVOR ISC_PLATFORM_NEEDPORTT ISC_PLATFORM_NEEDTIMESPEC ISC_LWRES_ENDHOSTENTINT ISC_LWRES_SETNETENTINT ISC_LWRES_ENDNETENTINT ISC_LWRES_GETHOSTBYADDRVOID ISC_LWRES_NEEDHERRNO ISC_LWRES_GETIPNODEPROTO ISC_LWRES_GETADDRINFOPROTO ISC_LWRES_GETNAMEINFOPROTO NEED_PSELECT NEED_GETTIMEOFDAY HAVE_STRNDUP ISC_PLATFORM_NEEDSTRSEP ISC_PLATFORM_NEEDVSNPRINTF ISC_EXTRA_OBJS ISC_EXTRA_SRCS USE_SYSERROR_LIST ISC_PLATFORM_QUADFORMAT ISC_SOCKLEN_T GETGROUPLIST_ARGS NET_R_ARGS NET_R_BAD NET_R_COPY NET_R_COPY_ARGS NET_R_OK NET_R_SETANSWER NET_R_RETURN GETNETBYADDR_ADDR_T NETENT_DATA NET_R_ENT_ARGS NET_R_SET_RESULT NET_R_SET_RETURN NET_R_END_RESULT NET_R_END_RETURN GROUP_R_ARGS GROUP_R_BAD GROUP_R_OK GROUP_R_RETURN GROUP_R_END_RESULT GROUP_R_END_RETURN GROUP_R_ENT_ARGS GROUP_R_SET_RESULT GROUP_R_SET_RETURN HOST_R_ARGS HOST_R_BAD HOST_R_COPY HOST_R_COPY_ARGS HOST_R_ERRNO HOST_R_OK HOST_R_RETURN HOST_R_SETANSWER HOSTENT_DATA HOST_R_END_RESULT HOST_R_END_RETURN HOST_R_ENT_ARGS HOST_R_SET_RESULT HOST_R_SET_RETURN SETPWENT_VOID SETGRENT_VOID NGR_R_ARGS NGR_R_BAD NGR_R_COPY NGR_R_COPY_ARGS NGR_R_OK NGR_R_RETURN NGR_R_PRIVATE NGR_R_END_RESULT NGR_R_END_RETURN NGR_R_ENT_ARGS NGR_R_SET_RESULT NGR_R_SET_RETURN PROTO_R_ARGS PROTO_R_BAD PROTO_R_COPY PROTO_R_COPY_ARGS PROTO_R_OK PROTO_R_SETANSWER PROTO_R_RETURN PROTOENT_DATA PROTO_R_END_RESULT PROTO_R_END_RETURN PROTO_R_ENT_ARGS PROTO_R_ENT_UNUSED PROTO_R_SET_RESULT PROTO_R_SET_RETURN PASS_R_ARGS PASS_R_BAD PASS_R_COPY PASS_R_COPY_ARGS PASS_R_OK PASS_R_RETURN PASS_R_END_RESULT PASS_R_END_RETURN PASS_R_ENT_ARGS PASS_R_SET_RESULT PASS_R_SET_RETURN SERV_R_ARGS SERV_R_BAD SERV_R_COPY SERV_R_COPY_ARGS SERV_R_OK SERV_R_SETANSWER SERV_R_RETURN SERVENT_DATA SERV_R_END_RESULT SERV_R_END_RETURN SERV_R_ENT_ARGS SERV_R_ENT_UNUSED SERV_R_SET_RESULT SERV_R_SET_RETURN SETNETGRENT_ARGS INNETGR_ARGS BIND9_TOP_BUILDDIR BIND9_VERSION LIBOBJS LTLIBOBJS'
+ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix program_transform_name bindir sbindir libexecdir datadir sysconfdir sharedstatedir localstatedir libdir includedir oldincludedir infodir mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T LIBS build build_cpu build_vendor build_os host host_cpu host_vendor host_os SET_MAKE RANLIB ac_ct_RANLIB INSTALL_PROGRAM INSTALL_SCRIPT INSTALL_DATA STD_CINCLUDES STD_CDEFINES STD_CWARNINGS CCOPT AR ARFLAGS LN ETAGS PERL CC CFLAGS LDFLAGS CPPFLAGS ac_ct_CC EXEEXT OBJEXT CPP EGREP ISC_PLATFORM_NEEDSYSSELECTH WANT_IRS_GR WANT_IRS_GR_OBJS WANT_IRS_PW WANT_IRS_PW_OBJS WANT_IRS_NIS WANT_IRS_NIS_OBJS WANT_IRS_NISGR_OBJS WANT_IRS_NISPW_OBJS WANT_IRS_DBPW_OBJS ALWAYS_DEFINES DO_PTHREADS WANT_IRS_THREADSGR_OBJS WANT_IRS_THREADSPW_OBJS WANT_IRS_THREADS_OBJS ISC_THREAD_DIR DAEMON_OBJS NEED_DAEMON STRSEP_OBJS NEED_STRSEP NEED_STRERROR MKDEPCC MKDEPCFLAGS MKDEPPROG IRIX_DNSSEC_WARNINGS_HACK purify_path PURIFY LN_S ECHO ac_ct_AR STRIP ac_ct_STRIP CXX CXXFLAGS ac_ct_CXX CXXCPP F77 FFLAGS ac_ct_F77 LIBTOOL O A SA LIBTOOL_MKDEP_SED LIBTOOL_MODE_COMPILE LIBTOOL_MODE_INSTALL LIBTOOL_MODE_LINK HAS_INET6_STRUCTS ISC_PLATFORM_NEEDNETINETIN6H ISC_PLATFORM_NEEDNETINET6IN6H HAS_IN_ADDR6 NEED_IN6ADDR_ANY ISC_PLATFORM_HAVEIN6PKTINFO ISC_PLATFORM_FIXIN6ISADDR ISC_IPV6_H ISC_IPV6_O ISC_ISCIPV6_O ISC_IPV6_C HAVE_SIN6_SCOPE_ID HAVE_SOCKADDR_STORAGE ISC_PLATFORM_NEEDNTOP ISC_PLATFORM_NEEDPTON ISC_PLATFORM_NEEDATON HAVE_SA_LEN HAVE_MINIMUM_IFREQ BSD_COMP SOLARIS_BITTYPES USE_FIONBIO_IOCTL PORT_DIR PORT_INCLUDE ISC_PLATFORM_MSGHDRFLAVOR ISC_PLATFORM_NEEDPORTT ISC_LWRES_ENDHOSTENTINT ISC_LWRES_SETNETENTINT ISC_LWRES_ENDNETENTINT ISC_LWRES_GETHOSTBYADDRVOID ISC_LWRES_NEEDHERRNO ISC_LWRES_GETIPNODEPROTO ISC_LWRES_GETADDRINFOPROTO ISC_LWRES_GETNAMEINFOPROTO NEED_PSELECT NEED_GETTIMEOFDAY HAVE_STRNDUP ISC_PLATFORM_NEEDSTRSEP ISC_PLATFORM_NEEDVSNPRINTF ISC_EXTRA_OBJS ISC_EXTRA_SRCS USE_SYSERROR_LIST ISC_PLATFORM_QUADFORMAT ISC_SOCKLEN_T GETGROUPLIST_ARGS NET_R_ARGS NET_R_BAD NET_R_COPY NET_R_COPY_ARGS NET_R_OK NET_R_SETANSWER NET_R_RETURN GETNETBYADDR_ADDR_T NETENT_DATA NET_R_ENT_ARGS NET_R_SET_RESULT NET_R_SET_RETURN NET_R_END_RESULT NET_R_END_RETURN GROUP_R_ARGS GROUP_R_BAD GROUP_R_OK GROUP_R_RETURN GROUP_R_END_RESULT GROUP_R_END_RETURN GROUP_R_ENT_ARGS GROUP_R_SET_RESULT GROUP_R_SET_RETURN HOST_R_ARGS HOST_R_BAD HOST_R_COPY HOST_R_COPY_ARGS HOST_R_ERRNO HOST_R_OK HOST_R_RETURN HOST_R_SETANSWER HOSTENT_DATA HOST_R_END_RESULT HOST_R_END_RETURN HOST_R_ENT_ARGS HOST_R_SET_RESULT HOST_R_SET_RETURN SETPWENT_VOID SETGRENT_VOID NGR_R_ARGS NGR_R_BAD NGR_R_COPY NGR_R_COPY_ARGS NGR_R_OK NGR_R_RETURN NGR_R_PRIVATE NGR_R_END_RESULT NGR_R_END_RETURN NGR_R_ENT_ARGS NGR_R_SET_RESULT NGR_R_SET_RETURN PROTO_R_ARGS PROTO_R_BAD PROTO_R_COPY PROTO_R_COPY_ARGS PROTO_R_OK PROTO_R_SETANSWER PROTO_R_RETURN PROTO_R_END_RESULT PROTO_R_END_RETURN PROTO_R_ENT_ARGS PROTO_R_SET_RESULT PROTO_R_SET_RETURN PASS_R_ARGS PASS_R_BAD PASS_R_COPY PASS_R_COPY_ARGS PASS_R_OK PASS_R_RETURN PASS_R_END_RESULT PASS_R_END_RETURN PASS_R_ENT_ARGS PASS_R_SET_RESULT PASS_R_SET_RETURN SERV_R_ARGS SERV_R_BAD SERV_R_COPY SERV_R_COPY_ARGS SERV_R_OK SERV_R_SETANSWER SERV_R_RETURN SERV_R_END_RESULT SERV_R_END_RETURN SERV_R_ENT_ARGS SERV_R_SET_RESULT SERV_R_SET_RETURN SETNETGRENT_ARGS INNETGR_ARGS ISC_PLATFORM_BRACEPTHREADONCEINIT BIND9_TOP_BUILDDIR BIND9_VERSION LIBOBJS LTLIBOBJS'
 ac_subst_files='BIND9_INCLUDES BIND9_MAKE_RULES LIBBIND_API'
 
 # Initialize some variables set by options.
@@ -1019,7 +1019,7 @@ if test -n "$ac_init_help"; then
 Optional Features:
   --disable-FEATURE       do not include FEATURE (same as --enable-FEATURE=no)
   --enable-FEATURE[=ARG]  include FEATURE [ARG=yes]
-  --enable-threads	enable multithreading
+  --disable-threads	disable multithreading
   --enable-shared[=PKGS]
                           build shared libraries [default=yes]
   --enable-static[=PKGS]
@@ -3472,8 +3472,7 @@ done
 
 
 
-
-for ac_header in fcntl.h db.h paths.h sys/time.h unistd.h sys/sockio.h sys/select.h sys/timers.h stropts.h
+for ac_header in fcntl.h db.h paths.h sys/time.h unistd.h sys/sockio.h sys/select.h sys/timers.h
 do
 as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
 if eval "test \"\${$as_ac_Header+set}\" = set"; then
@@ -3623,6 +3622,7 @@ fi
 done
 
 
+
 echo "$as_me:$LINENO: checking for an ANSI C-conforming const" >&5
 echo $ECHO_N "checking for an ANSI C-conforming const... $ECHO_C" >&6
 if test "${ac_cv_c_const+set}" = set; then
@@ -3867,138 +3867,6 @@ _ACEOF
 
 fi
 
-echo "$as_me:$LINENO: checking for ssize_t" >&5
-echo $ECHO_N "checking for ssize_t... $ECHO_C" >&6
-if test "${ac_cv_type_ssize_t+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-int
-main ()
-{
-if ((ssize_t *) 0)
-  return 0;
-if (sizeof (ssize_t))
-  return 0;
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_type_ssize_t=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_type_ssize_t=no
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_type_ssize_t" >&5
-echo "${ECHO_T}$ac_cv_type_ssize_t" >&6
-if test $ac_cv_type_ssize_t = yes; then
-  :
-else
-
-cat >>confdefs.h <<_ACEOF
-#define ssize_t signed
-_ACEOF
-
-fi
-
-echo "$as_me:$LINENO: checking for uintptr_t" >&5
-echo $ECHO_N "checking for uintptr_t... $ECHO_C" >&6
-if test "${ac_cv_type_uintptr_t+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-int
-main ()
-{
-if ((uintptr_t *) 0)
-  return 0;
-if (sizeof (uintptr_t))
-  return 0;
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_type_uintptr_t=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_type_uintptr_t=no
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_type_uintptr_t" >&5
-echo "${ECHO_T}$ac_cv_type_uintptr_t" >&6
-if test $ac_cv_type_uintptr_t = yes; then
-  :
-else
-
-cat >>confdefs.h <<_ACEOF
-#define uintptr_t unsigned long
-_ACEOF
-
-fi
-
 echo "$as_me:$LINENO: checking whether time.h and sys/time.h may both be included" >&5
 echo $ECHO_N "checking whether time.h and sys/time.h may both be included... $ECHO_C" >&6
 if test "${ac_cv_header_time+set}" = set; then
@@ -4567,81 +4435,24 @@ esac
 #
 # First, decide whether to use multithreading or not.
 #
-# Enable multithreading by default on systems where it is known
-# to work well, and where debugging of multithreaded programs
-# is supported.
-#
-
-echo "$as_me:$LINENO: checking whether to build with thread support" >&5
-echo $ECHO_N "checking whether to build with thread support... $ECHO_C" >&6
-
-case $host in
-*-dec-osf*)
-	use_threads=true ;;
-*-solaris2.[0-6])
-	# Thread signals are broken on Solaris 2.6; they are sometimes
-	# delivered to the wrong thread.
-	use_threads=false ;;
-*-solaris*)
-	use_threads=true ;;
-*-ibm-aix*)
-	use_threads=true ;;
-*-hp-hpux10*)
-	use_threads=false ;;
-*-hp-hpux11*)
-	use_threads=true ;;
-*-sgi-irix*)
-	use_threads=true ;;
-*-sco-sysv*uw*|*-*-sysv*UnixWare*)
-        # UnixWare
-	use_threads=false ;;
-*-*-sysv*OpenUNIX*)
-        # UnixWare
-	use_threads=true ;;
-*-netbsd*)
-	if test -r /usr/lib/libpthread.so ; then
-	    use_threads=true
-	else
-	    # Socket I/O optimizations introduced in 9.2 expose a
-	    # bug in unproven-pthreads; see PR #12650
-	    use_threads=false
-	fi
-	;;
-*-openbsd*)
-	# OpenBSD users have reported that named dumps core on
-	# startup when built with threads.
-	use_threads=false ;;
-*-freebsd*)
-	use_threads=false ;;
-*-bsdi234*)
-	# Thread signals do not work reliably on some versions of BSD/OS.
-	use_threads=false ;;
-*-bsdi5*)
-	use_threads=true ;;
-*-linux*)
-   	# Threads are disabled on Linux by default because most
-	# Linux kernels produce unusable core dumps from multithreaded
-	# programs, and because of limitations in setuid().
-	use_threads=false ;;
-*)
-	use_threads=false ;;
-esac
-
+echo "$as_me:$LINENO: checking whether to look for thread support" >&5
+echo $ECHO_N "checking whether to look for thread support... $ECHO_C" >&6
 # Check whether --enable-threads or --disable-threads was given.
 if test "${enable_threads+set}" = set; then
   enableval="$enable_threads"
 
 fi;
 case "$enable_threads" in
-	yes)
+	yes|'')
+		echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6
 		use_threads=true
 		;;
 	no)
+		echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
 		use_threads=false
 		;;
-	'')
-		# Use system-dependent default
-		;;
 	*)
 	    	{ { echo "$as_me:$LINENO: error: --enable-threads takes yes or no" >&5
 echo "$as_me: error: --enable-threads takes yes or no" >&2;}
@@ -4651,15 +4462,6 @@ esac
 
 if $use_threads
 then
-	echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
-else
-	echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-fi
-
-if $use_threads
-then
 	#
 	# Search for / configure pthreads in a system-dependent fashion.
 	#
@@ -4695,403 +4497,26 @@ echo "${ECHO_T}PTL2" >&6
 echo "$as_me: WARNING: linking with PTL2 is highly experimental and not expected to work" >&2;}
 			CC=ptlgcc
 		else
-			if test -r /usr/lib/libpthread.so
+			if test ! -d $LOCALBASE/pthreads
 			then
-				echo "$as_me:$LINENO: result: native" >&5
-echo "${ECHO_T}native" >&6
-				LIBS="-lpthread $LIBS"
-			else
-				if test ! -d $LOCALBASE/pthreads
-				then
-					echo "$as_me:$LINENO: result: none" >&5
+				echo "$as_me:$LINENO: result: none" >&5
 echo "${ECHO_T}none" >&6
-					{ { echo "$as_me:$LINENO: error: \"could not find thread libraries\"" >&5
-echo "$as_me: error: \"could not find thread libraries\"" >&2;}
-   { (exit 1); exit 1; }; }
-				fi
+				use_threads=false
+			fi
 
-				if $use_threads
-				then
-					echo "$as_me:$LINENO: result: mit-pthreads/unproven-pthreads" >&5
+			if $use_threads
+			then
+				echo "$as_me:$LINENO: result: mit-pthreads/unproven-pthreads" >&5
 echo "${ECHO_T}mit-pthreads/unproven-pthreads" >&6
-					pkg="$LOCALBASE/pthreads"
-					lib1="-L$pkg/lib -Wl,-R$pkg/lib"
-					lib2="-lpthread -lm -lgcc -lpthread"
-					LIBS="$lib1 $lib2 $LIBS"
-					CPPFLAGS="$CPPFLAGS -I$pkg/include"
-					STD_CINCLUDES="$STD_CINCLUDES -I$pkg/include"
-				fi
+				pkg="$LOCALBASE/pthreads"
+				lib1="-L$pkg/lib -Wl,-R$pkg/lib"
+				lib2="-lpthread -lm -lgcc -lpthread"
+				LIBS="$lib1 $lib2 $LIBS"
+				CPPFLAGS="$CPPFLAGS -I$pkg/include"
+				STD_CINCLUDES="$STD_CINCLUDES -I$pkg/include"
 			fi
 		fi
 		;;
-		*-freebsd*)
-			# We don't want to set -lpthread as that break
-			# the ability to choose threads library at final
-			# link time and is not valid for all architectures.
-
-			PTHREAD=
-			if test "X$GCC" = "Xyes"; then
-				saved_cc="$CC"
-				CC="$CC -pthread"
-				echo "$as_me:$LINENO: checking for gcc -pthread support" >&5
-echo $ECHO_N "checking for gcc -pthread support... $ECHO_C" >&6;
-				cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <pthread.h>
-int
-main ()
-{
-printf("%x\n", pthread_create);
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  PTHREAD="yes"
-					    echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-fi
-rm -f conftest.err conftest.$ac_objext \
-      conftest$ac_exeext conftest.$ac_ext
-				CC="$saved_cc"
-			fi
-			if test "X$PTHREAD" != "Xyes"; then
-
-echo "$as_me:$LINENO: checking for pthread_create in -lpthread" >&5
-echo $ECHO_N "checking for pthread_create in -lpthread... $ECHO_C" >&6
-if test "${ac_cv_lib_pthread_pthread_create+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-lpthread  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-/* Override any gcc2 internal prototype to avoid an error.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
-char pthread_create ();
-int
-main ()
-{
-pthread_create ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_lib_pthread_pthread_create=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_lib_pthread_pthread_create=no
-fi
-rm -f conftest.err conftest.$ac_objext \
-      conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_pthread_pthread_create" >&5
-echo "${ECHO_T}$ac_cv_lib_pthread_pthread_create" >&6
-if test $ac_cv_lib_pthread_pthread_create = yes; then
-  cat >>confdefs.h <<_ACEOF
-#define HAVE_LIBPTHREAD 1
-_ACEOF
-
-  LIBS="-lpthread $LIBS"
-
-else
-
-echo "$as_me:$LINENO: checking for thread_create in -lthr" >&5
-echo $ECHO_N "checking for thread_create in -lthr... $ECHO_C" >&6
-if test "${ac_cv_lib_thr_thread_create+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-lthr  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-/* Override any gcc2 internal prototype to avoid an error.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
-char thread_create ();
-int
-main ()
-{
-thread_create ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_lib_thr_thread_create=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_lib_thr_thread_create=no
-fi
-rm -f conftest.err conftest.$ac_objext \
-      conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_thr_thread_create" >&5
-echo "${ECHO_T}$ac_cv_lib_thr_thread_create" >&6
-if test $ac_cv_lib_thr_thread_create = yes; then
-  cat >>confdefs.h <<_ACEOF
-#define HAVE_LIBTHR 1
-_ACEOF
-
-  LIBS="-lthr $LIBS"
-
-else
-
-echo "$as_me:$LINENO: checking for pthread_create in -lc_r" >&5
-echo $ECHO_N "checking for pthread_create in -lc_r... $ECHO_C" >&6
-if test "${ac_cv_lib_c_r_pthread_create+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-lc_r  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-/* Override any gcc2 internal prototype to avoid an error.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
-char pthread_create ();
-int
-main ()
-{
-pthread_create ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_lib_c_r_pthread_create=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_lib_c_r_pthread_create=no
-fi
-rm -f conftest.err conftest.$ac_objext \
-      conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_c_r_pthread_create" >&5
-echo "${ECHO_T}$ac_cv_lib_c_r_pthread_create" >&6
-if test $ac_cv_lib_c_r_pthread_create = yes; then
-  cat >>confdefs.h <<_ACEOF
-#define HAVE_LIBC_R 1
-_ACEOF
-
-  LIBS="-lc_r $LIBS"
-
-else
-
-echo "$as_me:$LINENO: checking for pthread_create in -lc" >&5
-echo $ECHO_N "checking for pthread_create in -lc... $ECHO_C" >&6
-if test "${ac_cv_lib_c_pthread_create+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-lc  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-/* Override any gcc2 internal prototype to avoid an error.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
-char pthread_create ();
-int
-main ()
-{
-pthread_create ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_lib_c_pthread_create=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_lib_c_pthread_create=no
-fi
-rm -f conftest.err conftest.$ac_objext \
-      conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_c_pthread_create" >&5
-echo "${ECHO_T}$ac_cv_lib_c_pthread_create" >&6
-if test $ac_cv_lib_c_pthread_create = yes; then
-  cat >>confdefs.h <<_ACEOF
-#define HAVE_LIBC 1
-_ACEOF
-
-  LIBS="-lc $LIBS"
-
-else
-  { { echo "$as_me:$LINENO: error: \"could not find thread libraries\"" >&5
-echo "$as_me: error: \"could not find thread libraries\"" >&2;}
-   { (exit 1); exit 1; }; }
-fi
-
-fi
-
-fi
-
-fi
-
-			fi
-			;;
 		*)
 
 echo "$as_me:$LINENO: checking for pthread_create in -lpthread" >&5
@@ -5458,9 +4883,7 @@ _ACEOF
   LIBS="-lc $LIBS"
 
 else
-  { { echo "$as_me:$LINENO: error: \"could not find thread libraries\"" >&5
-echo "$as_me: error: \"could not find thread libraries\"" >&2;}
-   { (exit 1); exit 1; }; }
+  use_threads=false
 fi
 
 fi
@@ -5477,160 +4900,10 @@ fi
 
 if $use_threads
 then
-	if test "X$GCC" = "Xyes"; then
-		case "$host" in
-		*-freebsd*)
-			CC="$CC -pthread"
-			CCOPT="$CCOPT -pthread"
-			STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
-			;;
-		*-openbsd*)
-			CC="$CC -pthread"
-			CCOPT="$CCOPT -pthread"
-			;;
-		*-solaris*)
-			LIBS="$LIBS -lthread"
-			;;
-		*-ibm-aix*)
-			STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
-			;;
-		esac
-	else
-		case $host in
-		*-dec-osf*)
-			CC="$CC -pthread"
-			CCOPT="$CCOPT -pthread"
-			;;
-		*-solaris*)
-			CC="$CC -mt"
-			CCOPT="$CCOPT -mt"
-			;;
-		*-ibm-aix*)
-			STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
-			;;
-		*-UnixWare*)
-			CC="$CC -Kthread"
-			CCOPT="$CCOPT -Kthread"
-			;;
-		esac
-	fi
-	cat >>confdefs.h <<\_ACEOF
-#define _REENTRANT 1
-_ACEOF
-
-	ALWAYS_DEFINES="-D_REENTRANT"
-	DO_PTHREADS="#define DO_PTHREADS 1"
-	WANT_IRS_THREADSGR_OBJS="\${WANT_IRS_THREADSGR_OBJS}"
-	WANT_IRS_THREADSPW_OBJS="\${WANT_IRS_THREADSPW_OBJS}"
-	case $host in
-	ia64-hp-hpux11.*)
-		WANT_IRS_THREADS_OBJS="";;
-	*)
-		WANT_IRS_THREADS_OBJS="\${WANT_IRS_THREADS_OBJS}";;
-	esac
-	WANT_THREADS_OBJS="\${WANT_THREADS_OBJS}"
-	thread_dir=pthreads
-
 	#
 	# We'd like to use sigwait() too
 	#
-	echo "$as_me:$LINENO: checking for sigwait" >&5
-echo $ECHO_N "checking for sigwait... $ECHO_C" >&6
-if test "${ac_cv_func_sigwait+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-/* Define sigwait to an innocuous variant, in case <limits.h> declares sigwait.
-   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
-#define sigwait innocuous_sigwait
-
-/* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char sigwait (); below.
-    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
-    <limits.h> exists even on freestanding compilers.  */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef sigwait
-
-/* Override any gcc2 internal prototype to avoid an error.  */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
-char sigwait ();
-/* The GNU C library defines this for functions which it implements
-    to always fail with ENOSYS.  Some functions are actually named
-    something starting with __ and the normal name is an alias.  */
-#if defined (__stub_sigwait) || defined (__stub___sigwait)
-choke me
-#else
-char (*f) () = sigwait;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != sigwait;
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_func_sigwait=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_sigwait=no
-fi
-rm -f conftest.err conftest.$ac_objext \
-      conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_sigwait" >&5
-echo "${ECHO_T}$ac_cv_func_sigwait" >&6
-if test $ac_cv_func_sigwait = yes; then
-  cat >>confdefs.h <<\_ACEOF
-#define HAVE_SIGWAIT 1
-_ACEOF
-
-else
-  echo "$as_me:$LINENO: checking for sigwait in -lc" >&5
+	echo "$as_me:$LINENO: checking for sigwait in -lc" >&5
 echo $ECHO_N "checking for sigwait in -lc... $ECHO_C" >&6
 if test "${ac_cv_lib_c_sigwait+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -5843,7 +5116,6 @@ fi
 
 fi
 
-fi
 
 fi
 
@@ -6172,10 +5444,6 @@ _ACEOF
 			;;
 		*hpux11*)
 			cat >>confdefs.h <<\_ACEOF
-#define NEED_ENDNETGRENT_R 1
-_ACEOF
-
-			cat >>confdefs.h <<\_ACEOF
 #define _PTHREADS_DRAFT4 1
 _ACEOF
 
@@ -6292,23 +5560,58 @@ _ACEOF
 fi
 
 
+	if test "X$GCC" = "Xyes"; then
+		case "$host" in
+		*-freebsd*)
+			CC="$CC -pthread"
+			CCOPT="$CCOPT -pthread"
+			STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
+			;;
+		*-openbsd*)
+			CC="$CC -pthread"
+			CCOPT="$CCOPT -pthread"
+			;;
+		*-solaris*)
+			LIBS="$LIBS -lthread"
+			;;
+		*-ibm-aix*)
+			STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
+			;;
+		esac
+	else
+		case $host in
+		*-dec-osf*)
+			CC="$CC -pthread"
+			CCOPT="$CCOPT -pthread"
+			;;
+		*-solaris*)
+			CC="$CC -mt"
+			CCOPT="$CCOPT -mt"
+			;;
+		*-ibm-aix*)
+			STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
+			;;
+		*-UnixWare*)
+			CC="$CC -Kthread"
+			CCOPT="$CCOPT -Kthread"
+			;;
+		esac
+	fi
+	ALWAYS_DEFINES="-D_REENTRANT"
+	DO_PTHREADS="#define DO_PTHREADS 1"
+	WANT_IRS_THREADSGR_OBJS="\${WANT_IRS_THREADSGR_OBJS}"
+	WANT_IRS_THREADSPW_OBJS="\${WANT_IRS_THREADSPW_OBJS}"
+	WANT_IRS_THREADS_OBJS="\${WANT_IRS_THREADS_OBJS}"
+	thread_dir=pthreads
 else
 	ALWAYS_DEFINES=""
 	DO_PTHREADS="#undef DO_PTHREADS"
 	WANT_IRS_THREADSGR_OBJS=""
 	WANT_IRS_THREADSPW_OBJS=""
 	WANT_IRS_THREADS_OBJS=""
-	WANT_THREADS_OBJS=""
 	thread_dir=nothreads
 fi
 
-
-
-
-
-
-
-
 echo "$as_me:$LINENO: checking for strlcat" >&5
 echo $ECHO_N "checking for strlcat... $ECHO_C" >&6
 if test "${ac_cv_func_strlcat+set}" = set; then
@@ -6406,296 +5709,10 @@ _ACEOF
 
 fi
 
-echo "$as_me:$LINENO: checking for memmove" >&5
-echo $ECHO_N "checking for memmove... $ECHO_C" >&6
-if test "${ac_cv_func_memmove+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-/* Define memmove to an innocuous variant, in case <limits.h> declares memmove.
-   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
-#define memmove innocuous_memmove
-
-/* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char memmove (); below.
-    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
-    <limits.h> exists even on freestanding compilers.  */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef memmove
-
-/* Override any gcc2 internal prototype to avoid an error.  */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
-char memmove ();
-/* The GNU C library defines this for functions which it implements
-    to always fail with ENOSYS.  Some functions are actually named
-    something starting with __ and the normal name is an alias.  */
-#if defined (__stub_memmove) || defined (__stub___memmove)
-choke me
-#else
-char (*f) () = memmove;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != memmove;
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_func_memmove=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_memmove=no
-fi
-rm -f conftest.err conftest.$ac_objext \
-      conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_memmove" >&5
-echo "${ECHO_T}$ac_cv_func_memmove" >&6
-if test $ac_cv_func_memmove = yes; then
-  cat >>confdefs.h <<\_ACEOF
-#define HAVE_MEMMOVE 1
-_ACEOF
-
-fi
-
-echo "$as_me:$LINENO: checking for memchr" >&5
-echo $ECHO_N "checking for memchr... $ECHO_C" >&6
-if test "${ac_cv_func_memchr+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-/* Define memchr to an innocuous variant, in case <limits.h> declares memchr.
-   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
-#define memchr innocuous_memchr
-
-/* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char memchr (); below.
-    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
-    <limits.h> exists even on freestanding compilers.  */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef memchr
-
-/* Override any gcc2 internal prototype to avoid an error.  */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
-char memchr ();
-/* The GNU C library defines this for functions which it implements
-    to always fail with ENOSYS.  Some functions are actually named
-    something starting with __ and the normal name is an alias.  */
-#if defined (__stub_memchr) || defined (__stub___memchr)
-choke me
-#else
-char (*f) () = memchr;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != memchr;
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_func_memchr=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_memchr=no
-fi
-rm -f conftest.err conftest.$ac_objext \
-      conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_memchr" >&5
-echo "${ECHO_T}$ac_cv_func_memchr" >&6
-if test $ac_cv_func_memchr = yes; then
-  cat >>confdefs.h <<\_ACEOF
-#define HAVE_MEMCHR 1
-_ACEOF
-
-fi
-
-
-echo "$as_me:$LINENO: checking for if_nametoindex" >&5
-echo $ECHO_N "checking for if_nametoindex... $ECHO_C" >&6
-if test "${ac_cv_func_if_nametoindex+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-/* Define if_nametoindex to an innocuous variant, in case <limits.h> declares if_nametoindex.
-   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
-#define if_nametoindex innocuous_if_nametoindex
-
-/* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char if_nametoindex (); below.
-    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
-    <limits.h> exists even on freestanding compilers.  */
 
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
 
-#undef if_nametoindex
 
-/* Override any gcc2 internal prototype to avoid an error.  */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
-char if_nametoindex ();
-/* The GNU C library defines this for functions which it implements
-    to always fail with ENOSYS.  Some functions are actually named
-    something starting with __ and the normal name is an alias.  */
-#if defined (__stub_if_nametoindex) || defined (__stub___if_nametoindex)
-choke me
-#else
-char (*f) () = if_nametoindex;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != if_nametoindex;
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_func_if_nametoindex=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func_if_nametoindex=no
-fi
-rm -f conftest.err conftest.$ac_objext \
-      conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_if_nametoindex" >&5
-echo "${ECHO_T}$ac_cv_func_if_nametoindex" >&6
-if test $ac_cv_func_if_nametoindex = yes; then
-  USE_IFNAMELINKID="#define USE_IFNAMELINKID 1"
-else
-  USE_IFNAMELINKID="#undef USE_IFNAMELINKID"
-fi
 
 
 
@@ -7129,65 +6146,7 @@ MKDEPCFLAGS="-M"
 IRIX_DNSSEC_WARNINGS_HACK=""
 
 if test "X$GCC" = "Xyes"; then
-        echo "$as_me:$LINENO: checking if \"$CC\" supports -fno-strict-aliasing" >&5
-echo $ECHO_N "checking if \"$CC\" supports -fno-strict-aliasing... $ECHO_C" >&6
-        SAVE_CFLAGS=$CFLAGS
-        CFLAGS=-fno-strict-aliasing
-        cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-int
-main ()
-{
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  FNOSTRICTALIASING=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-FNOSTRICTALIASING=no
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-        CFLAGS=$SAVE_CFLAGS
-        if test "$FNOSTRICTALIASING" = "yes"; then
-                echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
-		STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith -fno-strict-aliasing"
-        else
-                echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-		STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith"
-        fi
+	STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings"
 else
 	case $host in
 	*-dec-osf*)
@@ -7207,7 +6166,7 @@ else
 			;;
 		*)
 			# Turn off the pointlessly noisy warnings.
-			STD_CWARNINGS="+w1 +W 474,530,2193,2236"
+			STD_CWARNINGS="+w1 +W 474,530"
 			;;
 		esac
 		CCOPT="$CCOPT -Ae -z"
@@ -7364,156 +6323,6 @@ fi
 case "$host" in
 	mips-sgi-irix*)
 		;;
-	ia64-hp-hpux11.*)
-
-echo "$as_me:$LINENO: checking for socket in -lsocket" >&5
-echo $ECHO_N "checking for socket in -lsocket... $ECHO_C" >&6
-if test "${ac_cv_lib_socket_socket+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-lsocket  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-/* Override any gcc2 internal prototype to avoid an error.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
-char socket ();
-int
-main ()
-{
-socket ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_lib_socket_socket=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_lib_socket_socket=no
-fi
-rm -f conftest.err conftest.$ac_objext \
-      conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_socket_socket" >&5
-echo "${ECHO_T}$ac_cv_lib_socket_socket" >&6
-if test $ac_cv_lib_socket_socket = yes; then
-  cat >>confdefs.h <<_ACEOF
-#define HAVE_LIBSOCKET 1
-_ACEOF
-
-  LIBS="-lsocket $LIBS"
-
-fi
-
-
-echo "$as_me:$LINENO: checking for inet_ntoa in -lnsl" >&5
-echo $ECHO_N "checking for inet_ntoa in -lnsl... $ECHO_C" >&6
-if test "${ac_cv_lib_nsl_inet_ntoa+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-lnsl  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-/* Override any gcc2 internal prototype to avoid an error.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
-char inet_ntoa ();
-int
-main ()
-{
-inet_ntoa ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_lib_nsl_inet_ntoa=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_lib_nsl_inet_ntoa=no
-fi
-rm -f conftest.err conftest.$ac_objext \
-      conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_nsl_inet_ntoa" >&5
-echo "${ECHO_T}$ac_cv_lib_nsl_inet_ntoa" >&6
-if test $ac_cv_lib_nsl_inet_ntoa = yes; then
-  cat >>confdefs.h <<_ACEOF
-#define HAVE_LIBNSL 1
-_ACEOF
-
-  LIBS="-lnsl $LIBS"
-
-fi
-
-		;;
 	*)
 
 echo "$as_me:$LINENO: checking for gethostbyname_r in -ld4r" >&5
@@ -7972,10 +6781,10 @@ for lt_ac_sed in $lt_ac_sed_list /usr/xpg4/bin/sed; do
     fi
   done
 done
+SED=$lt_cv_path_SED
 
 fi
 
-SED=$lt_cv_path_SED
 echo "$as_me:$LINENO: result: $SED" >&5
 echo "${ECHO_T}$SED" >&6
 
@@ -8101,15 +6910,6 @@ case $reload_flag in
 *) reload_flag=" $reload_flag" ;;
 esac
 reload_cmds='$LD$reload_flag -o $output$reload_objs'
-case $host_os in
-  darwin*)
-    if test "$GCC" = yes; then
-      reload_cmds='$CC -nostdlib ${wl}-r -o $output$reload_objs'
-    else
-      reload_cmds='$LD$reload_flag -o $output$reload_objs'
-    fi
-    ;;
-esac
 
 echo "$as_me:$LINENO: checking for BSD-compatible nm" >&5
 echo $ECHO_N "checking for BSD-compatible nm... $ECHO_C" >&6
@@ -8196,21 +6996,21 @@ beos*)
   lt_cv_deplibs_check_method=pass_all
   ;;
 
-bsdi[45]*)
+bsdi4*)
   lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [ML]SB (shared object|dynamic lib)'
   lt_cv_file_magic_cmd='/usr/bin/file -L'
   lt_cv_file_magic_test_file=/shlib/libc.so
   ;;
 
 cygwin*)
-  # func_win32_libid is a shell function defined in ltmain.sh
+  # win32_libid is a shell function defined in ltmain.sh
   lt_cv_deplibs_check_method='file_magic ^x86 archive import|^x86 DLL'
-  lt_cv_file_magic_cmd='func_win32_libid'
+  lt_cv_file_magic_cmd='win32_libid'
   ;;
 
 mingw* | pw32*)
   # Base MSYS/MinGW do not provide the 'file' command needed by
-  # func_win32_libid shell function, so use a weaker test based on 'objdump'.
+  # win32_libid shell function, so use a weaker test based on 'objdump'.
   lt_cv_deplibs_check_method='file_magic file format pei*-i386(.*architecture: i386)?'
   lt_cv_file_magic_cmd='$OBJDUMP -f'
   ;;
@@ -8269,6 +7069,15 @@ irix5* | irix6* | nonstopux*)
 
 # This must be Linux ELF.
 linux*)
+  case $host_cpu in
+  alpha*|hppa*|i*86|ia64*|m68*|mips*|powerpc*|sparc*|s390*|sh*)
+    lt_cv_deplibs_check_method=pass_all ;;
+  *)
+    # glibc up to 2.1.1 does not perform some relocations on ARM
+    # this will be overridden with pass_all, but let us keep it just in case
+    lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [LM]SB (shared object|dynamic lib )' ;;
+  esac
+  lt_cv_file_magic_test_file=`echo /lib/libc.so* /lib/libc-*.so`
   lt_cv_deplibs_check_method=pass_all
   ;;
 
@@ -8291,10 +7100,12 @@ nto-qnx*)
   ;;
 
 openbsd*)
+  lt_cv_file_magic_cmd=/usr/bin/file
+  lt_cv_file_magic_test_file=`echo /usr/lib/libc.so.*`
   if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
-    lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so\.[0-9]+\.[0-9]+|\.so|_pic\.a)$'
+    lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [LM]SB shared object'
   else
-    lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so\.[0-9]+\.[0-9]+|_pic\.a)$'
+    lt_cv_deplibs_check_method='file_magic OpenBSD.* shared library'
   fi
   ;;
 
@@ -8386,7 +7197,7 @@ ia64-*-hpux*)
   ;;
 *-*-irix6*)
   # Find out which ABI we are using.
-  echo '#line 8389 "configure"' > conftest.$ac_ext
+  echo '#line 7200 "configure"' > conftest.$ac_ext
   if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
   (eval $ac_compile) 2>&5
   ac_status=$?
@@ -9053,12 +7864,7 @@ ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5'
 ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
 ac_compiler_gnu=$ac_cv_cxx_compiler_gnu
 
-
-
-if test -n "$CXX" && ( test "X$CXX" != "Xno" &&
-    ( (test "X$CXX" = "Xg++" && `g++ -v >/dev/null 2>&1` ) ||
-    (test "X$CXX" != "Xg++"))) ; then
-  ac_ext=cc
+ac_ext=cc
 ac_cpp='$CXXCPP $CPPFLAGS'
 ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5'
 ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
@@ -9288,8 +8094,6 @@ ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5'
 ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
 ac_compiler_gnu=$ac_cv_cxx_compiler_gnu
 
-fi
-
 
 ac_ext=f
 ac_compile='$F77 -c $FFLAGS conftest.$ac_ext >&5'
@@ -9383,7 +8187,7 @@ fi
 
 
 # Provide some information about the compiler.
-echo "$as_me:9386:" \
+echo "$as_me:8190:" \
      "checking for Fortran 77 compiler version" >&5
 ac_compiler=`set X $ac_compile; echo $2`
 { (eval echo "$as_me:$LINENO: \"$ac_compiler --version </dev/null >&5\"") >&5
@@ -9538,7 +8342,7 @@ if test "${lt_cv_sys_max_cmd_len+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
     i=0
-  teststring="ABCD"
+  testring="ABCD"
 
   case $build_os in
   msdosdjgpp*)
@@ -9573,34 +8377,20 @@ else
     lt_cv_sys_max_cmd_len=8192;
     ;;
 
-  netbsd* | freebsd* | openbsd* | darwin* )
-    # This has been around since 386BSD, at least.  Likely further.
-    if test -x /sbin/sysctl; then
-      lt_cv_sys_max_cmd_len=`/sbin/sysctl -n kern.argmax`
-    elif test -x /usr/sbin/sysctl; then
-      lt_cv_sys_max_cmd_len=`/usr/sbin/sysctl -n kern.argmax`
-    else
-      lt_cv_sys_max_cmd_len=65536 # usable default for *BSD
-    fi
-    # And add a safety zone
-    lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4`
-    ;;
-
  *)
     # If test is not a shell built-in, we'll probably end up computing a
     # maximum length that is only half of the actual maximum length, but
     # we can't tell.
-    SHELL=${SHELL-${CONFIG_SHELL-/bin/sh}}
-    while (test "X"`$SHELL $0 --fallback-echo "X$teststring" 2>/dev/null` \
-	       = "XX$teststring") >/dev/null 2>&1 &&
-	    new_result=`expr "X$teststring" : ".*" 2>&1` &&
+    while (test "X"`$CONFIG_SHELL $0 --fallback-echo "X$testring" 2>/dev/null` \
+	       = "XX$testring") >/dev/null 2>&1 &&
+	    new_result=`expr "X$testring" : ".*" 2>&1` &&
 	    lt_cv_sys_max_cmd_len=$new_result &&
 	    test $i != 17 # 1/2 MB should be enough
     do
       i=`expr $i + 1`
-      teststring=$teststring$teststring
+      testring=$testring$testring
     done
-    teststring=
+    testring=
     # Add a significant safety factor because C++ compilers can tack on massive
     # amounts of additional arguments before passing them to the linker.
     # It appears as though 1/2 is a usable value.
@@ -9661,13 +8451,6 @@ hpux*) # Its linker distinguishes data from code symbols
   lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern int \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'"
   lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([^ ]*\) $/  {\\\"\1\\\", (lt_ptr) 0},/p' -e 's/^$symcode* \([^ ]*\) \([^ ]*\)$/  {\"\2\", (lt_ptr) \&\2},/p'"
   ;;
-linux*)
-  if test "$host_cpu" = ia64; then
-    symcode='[ABCDGIRSTW]'
-    lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern int \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'"
-    lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([^ ]*\) $/  {\\\"\1\\\", (lt_ptr) 0},/p' -e 's/^$symcode* \([^ ]*\) \([^ ]*\)$/  {\"\2\", (lt_ptr) \&\2},/p'"
-  fi
-  ;;
 irix* | nonstopux*)
   symcode='[BCDEGRST]'
   ;;
@@ -10167,8 +8950,6 @@ if test -n "$RANLIB"; then
   old_archive_cmds="$old_archive_cmds~\$RANLIB \$oldlib"
 fi
 
-cc_basename=`$echo X"$compiler" | $Xsed -e 's%^.*/%%'`
-
 # Only perform the check for file, if the check method requires it
 case $deplibs_check_method in
 file_magic*)
@@ -10444,11 +9225,11 @@ else
    -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:10447: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:9228: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:10451: \$? = $ac_status" >&5
+   echo "$as_me:9232: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings
@@ -10555,16 +9336,6 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6
 	lt_prog_compiler_static='-bnso -bI:/lib/syscalls.exp'
       fi
       ;;
-      darwin*)
-        # PIC is the default on this platform
-        # Common symbols not allowed in MH_DYLIB files
-       case "$cc_basename" in
-         xlc*)
-         lt_prog_compiler_pic='-qnocommon'
-         lt_prog_compiler_wl='-Wl,'
-         ;;
-       esac
-       ;;
 
     mingw* | pw32* | os2*)
       # This hack is so that the source file can tell whether it is being
@@ -10687,11 +9458,11 @@ else
    -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:10690: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:9461: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:10694: \$? = $ac_status" >&5
+   echo "$as_me:9465: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings
@@ -10747,11 +9518,11 @@ else
    -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:10750: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:9521: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:10754: \$? = $ac_status" >&5
+   echo "$as_me:9525: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -10963,7 +9734,7 @@ EOF
       ;;
 
   linux*)
-    if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+    if $LD --help 2>&1 | egrep ': supported targets:.* elf' > /dev/null; then
         tmp_archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
 	archive_cmds="$tmp_archive_cmds"
       supports_anon_versioning=no
@@ -11251,7 +10022,7 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       ld_shlibs=no
       ;;
 
-    bsdi[45]*)
+    bsdi4*)
       export_dynamic_flag_spec=-rdynamic
       ;;
 
@@ -11265,7 +10036,7 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       # Tell ltmain to make .lib files, not .a files.
       libext=lib
       # Tell ltmain to make .dll files, not .so files.
-      shrext_cmds=".dll"
+      shrext=".dll"
       # FIXME: Setting linknames here is a bad hack.
       archive_cmds='$CC -o $lib $libobjs $compiler_flags `echo "$deplibs" | $SED -e '\''s/ -lc$//'\''` -link -dll~linknames='
       # The linker will automatically build a .lib file if we build a DLL.
@@ -11277,52 +10048,52 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       ;;
 
     darwin* | rhapsody*)
+    if test "$GXX" = yes ; then
+      archive_cmds_need_lc=no
       case "$host_os" in
-        rhapsody* | darwin1.[012])
-         allow_undefined_flag='${wl}-undefined ${wl}suppress'
-         ;;
-       *) # Darwin 1.3 on
-         if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
-           allow_undefined_flag='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
-         else
-           case ${MACOSX_DEPLOYMENT_TARGET} in
-             10.[012])
-               allow_undefined_flag='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
-               ;;
-             10.*)
-               allow_undefined_flag='${wl}-undefined ${wl}dynamic_lookup'
-               ;;
-           esac
-         fi
-         ;;
+      rhapsody* | darwin1.[012])
+	allow_undefined_flag='-undefined suppress'
+	;;
+      *) # Darwin 1.3 on
+      if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
+      	allow_undefined_flag='-flat_namespace -undefined suppress'
+      else
+        case ${MACOSX_DEPLOYMENT_TARGET} in
+          10.[012])
+            allow_undefined_flag='-flat_namespace -undefined suppress'
+            ;;
+          10.*)
+            allow_undefined_flag='-undefined dynamic_lookup'
+            ;;
+        esac
+      fi
+	;;
       esac
-      archive_cmds_need_lc=no
+    	lt_int_apple_cc_single_mod=no
+    	output_verbose_link_cmd='echo'
+    	if $CC -dumpspecs 2>&1 | grep 'single_module' >/dev/null ; then
+    	  lt_int_apple_cc_single_mod=yes
+    	fi
+    	if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
+    	  archive_cmds='$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
+    	else
+        archive_cmds='$CC -r ${wl}-bind_at_load -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
+      fi
+      module_cmds='$CC ${wl}-bind_at_load $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
+      # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
+        if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
+          archive_expsym_cmds='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+        else
+          archive_expsym_cmds='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -r ${wl}-bind_at_load -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+        fi
+          module_expsym_cmds='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
       hardcode_direct=no
       hardcode_automatic=yes
       hardcode_shlibpath_var=unsupported
-      whole_archive_flag_spec=''
+      whole_archive_flag_spec='-all_load $convenience'
       link_all_deplibs=yes
-    if test "$GCC" = yes ; then
-    	output_verbose_link_cmd='echo'
-        archive_cmds='$CC -dynamiclib $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
-      module_cmds='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
-      # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
-      archive_expsym_cmds='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-      module_expsym_cmds='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
     else
-      case "$cc_basename" in
-        xlc*)
-         output_verbose_link_cmd='echo'
-         archive_cmds='$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}`echo $rpath/$soname` $verstring'
-         module_cmds='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
-          # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
-         archive_expsym_cmds='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-          module_expsym_cmds='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-          ;;
-       *)
-         ld_shlibs=no
-          ;;
-      esac
+      ld_shlibs=no
     fi
       ;;
 
@@ -11467,7 +10238,6 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       hardcode_shlibpath_var=no
       if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
 	archive_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
-	archive_expsym_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-retain-symbols-file,$export_symbols'
 	hardcode_libdir_flag_spec='${wl}-rpath,$libdir'
 	export_dynamic_flag_spec='${wl}-E'
       else
@@ -11722,7 +10492,7 @@ echo $ECHO_N "checking dynamic linker characteristics... $ECHO_C" >&6
 library_names_spec=
 libname_spec='lib$name'
 soname_spec=
-shrext_cmds=".so"
+shrext=".so"
 postinstall_cmds=
 postuninstall_cmds=
 finish_cmds=
@@ -11819,7 +10589,7 @@ beos*)
   shlibpath_var=LIBRARY_PATH
   ;;
 
-bsdi[45]*)
+bsdi4*)
   version_type=linux
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
@@ -11835,7 +10605,7 @@ bsdi[45]*)
 
 cygwin* | mingw* | pw32*)
   version_type=windows
-  shrext_cmds=".dll"
+  shrext=".dll"
   need_version=no
   need_lib_prefix=no
 
@@ -11900,7 +10670,7 @@ darwin* | rhapsody*)
   soname_spec='${libname}${release}${major}$shared_ext'
   shlibpath_overrides_runpath=yes
   shlibpath_var=DYLD_LIBRARY_PATH
-  shrext_cmds='$(test .$module = .yes && echo .so || echo .dylib)'
+  shrext='$(test .$module = .yes && echo .so || echo .dylib)'
   # Apple's gcc prints 'gcc -print-search-dirs' doesn't operate the same.
   if test "$GCC" = yes; then
     sys_lib_search_path_spec=`$CC -print-search-dirs | tr "\n" "$PATH_SEPARATOR" | sed -e 's/libraries:/@libraries:/' | tr "@" "\n" | grep "^libraries:" | sed -e "s/^libraries://" -e "s,=/,/,g" -e "s,$PATH_SEPARATOR, ,g" -e "s,.*,& /lib /usr/lib /usr/local/lib,g"`
@@ -11983,7 +10753,7 @@ hpux9* | hpux10* | hpux11*)
   need_version=no
   case "$host_cpu" in
   ia64*)
-    shrext_cmds='.so'
+    shrext='.so'
     hardcode_into_libs=yes
     dynamic_linker="$host_os dld.so"
     shlibpath_var=LD_LIBRARY_PATH
@@ -11998,7 +10768,7 @@ hpux9* | hpux10* | hpux11*)
     sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
     ;;
    hppa*64*)
-     shrext_cmds='.sl'
+     shrext='.sl'
      hardcode_into_libs=yes
      dynamic_linker="$host_os dld.sl"
      shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
@@ -12009,7 +10779,7 @@ hpux9* | hpux10* | hpux11*)
      sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
      ;;
    *)
-    shrext_cmds='.sl'
+    shrext='.sl'
     dynamic_linker="$host_os dld.sl"
     shlibpath_var=SHLIB_PATH
     shlibpath_overrides_runpath=no # +s is required to enable SHLIB_PATH
@@ -12080,8 +10850,8 @@ linux*)
 
   # Append ld.so.conf contents to the search path
   if test -f /etc/ld.so.conf; then
-    lt_ld_extra=`$SED -e 's/:,\t/ /g;s/=^=*$//;s/=^= * / /g' /etc/ld.so.conf | tr '\n' ' '`
-    sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
+    ld_extra=`$SED -e 's/:,\t/ /g;s/=^=*$//;s/=^= * / /g' /etc/ld.so.conf`
+    sys_lib_dlsearch_path_spec="/lib /usr/lib $ld_extra"
   fi
 
   # We used to test for /lib/ld.so.1 and disable shared libraries on
@@ -12143,7 +10913,7 @@ nto-qnx*)
 openbsd*)
   version_type=sunos
   need_lib_prefix=no
-  need_version=no
+  need_version=yes
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
   finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
   shlibpath_var=LD_LIBRARY_PATH
@@ -12163,7 +10933,7 @@ openbsd*)
 
 os2*)
   libname_spec='$name'
-  shrext_cmds=".dll"
+  shrext=".dll"
   need_lib_prefix=no
   library_names_spec='$libname${shared_ext} $libname.a'
   dynamic_linker='OS/2 ld.exe'
@@ -12265,8 +11035,8 @@ echo "$as_me:$LINENO: checking how to hardcode library paths into programs" >&5
 echo $ECHO_N "checking how to hardcode library paths into programs... $ECHO_C" >&6
 hardcode_action=
 if test -n "$hardcode_libdir_flag_spec" || \
-   test -n "$runpath_var" || \
-   test "X$hardcode_automatic" = "Xyes" ; then
+   test -n "$runpath_var " || \
+   test "X$hardcode_automatic"="Xyes" ; then
 
   # We can hardcode non-existant directories.
   if test "$hardcode_direct" != no &&
@@ -12932,7 +11702,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<EOF
-#line 12935 "configure"
+#line 11705 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -13030,7 +11800,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<EOF
-#line 13033 "configure"
+#line 11803 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -13134,7 +11904,7 @@ echo "${ECHO_T}$lt_cv_dlopen_self_static" >&6
 fi
 
 
-# Report which libraries types will actually be built
+# Report which librarie types wil actually be built
 echo "$as_me:$LINENO: checking if libtool supports shared libraries" >&5
 echo $ECHO_N "checking if libtool supports shared libraries... $ECHO_C" >&6
 echo "$as_me:$LINENO: result: $can_build_shared" >&5
@@ -13155,10 +11925,47 @@ aix3*)
   fi
   ;;
 
-aix4* | aix5*)
+aix4*)
   if test "$host_cpu" != ia64 && test "$aix_use_runtimelinking" = no ; then
     test "$enable_shared" = yes && enable_static=no
   fi
+  ;;
+  darwin* | rhapsody*)
+  if test "$GCC" = yes; then
+    archive_cmds_need_lc=no
+    case "$host_os" in
+    rhapsody* | darwin1.[012])
+      allow_undefined_flag='-undefined suppress'
+      ;;
+    *) # Darwin 1.3 on
+      if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
+      	allow_undefined_flag='-flat_namespace -undefined suppress'
+      else
+        case ${MACOSX_DEPLOYMENT_TARGET} in
+          10.[012])
+            allow_undefined_flag='-flat_namespace -undefined suppress'
+            ;;
+          10.*)
+            allow_undefined_flag='-undefined dynamic_lookup'
+            ;;
+        esac
+      fi
+      ;;
+    esac
+    output_verbose_link_cmd='echo'
+    archive_cmds='$CC -dynamiclib $allow_undefined_flag -o $lib $libobjs $deplibs$compiler_flags -install_name $rpath/$soname $verstring'
+    module_cmds='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
+    # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
+    archive_expsym_cmds='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib $allow_undefined_flag  -o $lib $libobjs $deplibs$compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+    module_expsym_cmds='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+    hardcode_direct=no
+    hardcode_automatic=yes
+    hardcode_shlibpath_var=unsupported
+    whole_archive_flag_spec='-all_load $convenience'
+    link_all_deplibs=yes
+  else
+    ld_shlibs=no
+  fi
     ;;
 esac
 echo "$as_me:$LINENO: result: $enable_shared" >&5
@@ -13303,7 +12110,7 @@ Xsed="$SED -e s/^X//"
 
 # The HP-UX ksh and POSIX shell print the target directory to stdout
 # if CDPATH is set.
-(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
+if test "X\${CDPATH+set}" = Xset; then CDPATH=:; export CDPATH; fi
 
 # The names of the tagged configurations supported by this script.
 available_tags=
@@ -13394,7 +12201,7 @@ objext="$ac_objext"
 libext="$libext"
 
 # Shared library suffix (normally ".so").
-shrext_cmds='$shrext_cmds'
+shrext='$shrext'
 
 # Executable file suffix (normally "").
 exeext="$exeext"
@@ -13704,9 +12511,7 @@ echo "$as_me: error: tag name \"$tagname\" already exists" >&2;}
 
       case $tagname in
       CXX)
-	if test -n "$CXX" && ( test "X$CXX" != "Xno" &&
-	    ( (test "X$CXX" = "Xg++" && `g++ -v >/dev/null 2>&1` ) ||
-	    (test "X$CXX" != "Xg++"))) ; then
+	if test -n "$CXX" && test "X$CXX" != "Xno"; then
 	  ac_ext=cc
 ac_cpp='$CXXCPP $CPPFLAGS'
 ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5'
@@ -14181,7 +12986,6 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
     esac
     ;;
 
-
   cygwin* | mingw* | pw32*)
     # _LT_AC_TAGVAR(hardcode_libdir_flag_spec, CXX) is actually meaningless,
     # as there is no search path for DLLs.
@@ -14205,68 +13009,57 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       ld_shlibs_CXX=no
     fi
   ;;
-      darwin* | rhapsody*)
-        case "$host_os" in
-        rhapsody* | darwin1.[012])
-         allow_undefined_flag_CXX='${wl}-undefined ${wl}suppress'
-         ;;
-       *) # Darwin 1.3 on
-         if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
-           allow_undefined_flag_CXX='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
-         else
-           case ${MACOSX_DEPLOYMENT_TARGET} in
-             10.[012])
-               allow_undefined_flag_CXX='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
-               ;;
-             10.*)
-               allow_undefined_flag_CXX='${wl}-undefined ${wl}dynamic_lookup'
-               ;;
-           esac
-         fi
-         ;;
-        esac
-      archive_cmds_need_lc_CXX=no
-      hardcode_direct_CXX=no
-      hardcode_automatic_CXX=yes
-      hardcode_shlibpath_var_CXX=unsupported
-      whole_archive_flag_spec_CXX=''
-      link_all_deplibs_CXX=yes
 
-    if test "$GXX" = yes ; then
-      lt_int_apple_cc_single_mod=no
-      output_verbose_link_cmd='echo'
-      if $CC -dumpspecs 2>&1 | $EGREP 'single_module' >/dev/null ; then
-       lt_int_apple_cc_single_mod=yes
-      fi
-      if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
-       archive_cmds_CXX='$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
-      else
-          archive_cmds_CXX='$CC -r -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
-        fi
-        module_cmds_CXX='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
-        # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
-          if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
-            archive_expsym_cmds_CXX='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-          else
-            archive_expsym_cmds_CXX='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -r -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-          fi
-            module_expsym_cmds_CXX='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+  darwin* | rhapsody*)
+  if test "$GXX" = yes; then
+    archive_cmds_need_lc_CXX=no
+    case "$host_os" in
+    rhapsody* | darwin1.[012])
+      allow_undefined_flag_CXX='-undefined suppress'
+      ;;
+    *) # Darwin 1.3 on
+      if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
+      	allow_undefined_flag_CXX='-flat_namespace -undefined suppress'
       else
-      case "$cc_basename" in
-        xlc*)
-         output_verbose_link_cmd='echo'
-          archive_cmds_CXX='$CC -qmkshrobj ${wl}-single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}`echo $rpath/$soname` $verstring'
-          module_cmds_CXX='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
-          # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
-          archive_expsym_cmds_CXX='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj ${wl}-single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-          module_expsym_cmds_CXX='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-          ;;
-       *)
-         ld_shlibs_CXX=no
-          ;;
-      esac
+        case ${MACOSX_DEPLOYMENT_TARGET} in
+          10.[012])
+            allow_undefined_flag_CXX='-flat_namespace -undefined suppress'
+            ;;
+          10.*)
+            allow_undefined_flag_CXX='-undefined dynamic_lookup'
+            ;;
+        esac
       fi
-        ;;
+      ;;
+    esac
+    lt_int_apple_cc_single_mod=no
+    output_verbose_link_cmd='echo'
+    if $CC -dumpspecs 2>&1 | grep 'single_module' >/dev/null ; then
+      lt_int_apple_cc_single_mod=yes
+    fi
+    if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
+      archive_cmds_CXX='$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
+    else
+      archive_cmds_CXX='$CC -r ${wl}-bind_at_load -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
+    fi
+    module_cmds_CXX='$CC ${wl}-bind_at_load $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
+
+    # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
+    if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
+      archive_expsym_cmds_CXX='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+    else
+      archive_expsym_cmds_CXX='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -r ${wl}-bind_at_load -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+    fi
+    module_expsym_cmds_CXX='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+    hardcode_direct_CXX=no
+    hardcode_automatic_CXX=yes
+    hardcode_shlibpath_var_CXX=unsupported
+    whole_archive_flag_spec_CXX='-all_load $convenience'
+    link_all_deplibs_CXX=yes
+  else
+    ld_shlibs_CXX=no
+  fi
+    ;;
 
   dgux*)
     case $cc_basename in
@@ -14323,7 +13116,7 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       # explicitly linking system object files so we need to strip them
       # from the output so that they don't get included in the library
       # dependencies.
-      output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | grep "-L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
+      output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | egrep "\-L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
       ;;
     *)
       if test "$GXX" = yes; then
@@ -14472,20 +13265,9 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       icpc)
 	# Intel C++
 	with_gnu_ld=yes
-	# version 8.0 and above of icpc choke on multiply defined symbols
-	# if we add $predep_objects and $postdep_objects, however 7.1 and
-	# earlier do not add the objects themselves.
-	case `$CC -V 2>&1` in
-	*"Version 7."*)
-  	  archive_cmds_CXX='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
-  	  archive_expsym_cmds_CXX='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
-	  ;;
-	*)  # Version 8.0 or newer
-  	  archive_cmds_CXX='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-  	archive_expsym_cmds_CXX='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
-	  ;;
-	esac
 	archive_cmds_need_lc_CXX=no
+	archive_cmds_CXX='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
+	archive_expsym_cmds_CXX='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
 	hardcode_libdir_flag_spec_CXX='${wl}-rpath,$libdir'
 	export_dynamic_flag_spec_CXX='${wl}--export-dynamic'
 	whole_archive_flag_spec_CXX='${wl}--whole-archive$convenience ${wl}--no-whole-archive'
@@ -14542,22 +13324,6 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
     # Workaround some broken pre-1.5 toolchains
     output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep conftest.$objext | $SED -e "s:-lgcc -lc -lgcc::"'
     ;;
-  openbsd2*)
-    # C++ shared libraries are fairly broken
-    ld_shlibs_CXX=no
-    ;;
-  openbsd*)
-    hardcode_direct_CXX=yes
-    hardcode_shlibpath_var_CXX=no
-    archive_cmds_CXX='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $lib'
-    hardcode_libdir_flag_spec_CXX='${wl}-rpath,$libdir'
-    if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
-      archive_expsym_cmds_CXX='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-retain-symbols-file,$export_symbols -o $lib'
-      export_dynamic_flag_spec_CXX='${wl}-E'
-      whole_archive_flag_spec_CXX="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
-    fi
-    output_verbose_link_cmd='echo'
-    ;;
   osf3*)
     case $cc_basename in
       KCC)
@@ -15017,16 +13783,6 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6
 	  ;;
 	esac
 	;;
-       darwin*)
-         # PIC is the default on this platform
-         # Common symbols not allowed in MH_DYLIB files
-         case "$cc_basename" in
-           xlc*)
-           lt_prog_compiler_pic_CXX='-qnocommon'
-           lt_prog_compiler_wl_CXX='-Wl,'
-           ;;
-         esac
-       ;;
       dgux*)
 	case $cc_basename in
 	  ec++)
@@ -15227,11 +13983,11 @@ else
    -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:15230: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:13986: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:15234: \$? = $ac_status" >&5
+   echo "$as_me:13990: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings
@@ -15287,11 +14043,11 @@ else
    -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:15290: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:14046: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:15294: \$? = $ac_status" >&5
+   echo "$as_me:14050: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -15438,7 +14194,7 @@ echo $ECHO_N "checking dynamic linker characteristics... $ECHO_C" >&6
 library_names_spec=
 libname_spec='lib$name'
 soname_spec=
-shrext_cmds=".so"
+shrext=".so"
 postinstall_cmds=
 postuninstall_cmds=
 finish_cmds=
@@ -15535,7 +14291,7 @@ beos*)
   shlibpath_var=LIBRARY_PATH
   ;;
 
-bsdi[45]*)
+bsdi4*)
   version_type=linux
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
@@ -15551,7 +14307,7 @@ bsdi[45]*)
 
 cygwin* | mingw* | pw32*)
   version_type=windows
-  shrext_cmds=".dll"
+  shrext=".dll"
   need_version=no
   need_lib_prefix=no
 
@@ -15616,7 +14372,7 @@ darwin* | rhapsody*)
   soname_spec='${libname}${release}${major}$shared_ext'
   shlibpath_overrides_runpath=yes
   shlibpath_var=DYLD_LIBRARY_PATH
-  shrext_cmds='$(test .$module = .yes && echo .so || echo .dylib)'
+  shrext='$(test .$module = .yes && echo .so || echo .dylib)'
   # Apple's gcc prints 'gcc -print-search-dirs' doesn't operate the same.
   if test "$GCC" = yes; then
     sys_lib_search_path_spec=`$CC -print-search-dirs | tr "\n" "$PATH_SEPARATOR" | sed -e 's/libraries:/@libraries:/' | tr "@" "\n" | grep "^libraries:" | sed -e "s/^libraries://" -e "s,=/,/,g" -e "s,$PATH_SEPARATOR, ,g" -e "s,.*,& /lib /usr/lib /usr/local/lib,g"`
@@ -15699,7 +14455,7 @@ hpux9* | hpux10* | hpux11*)
   need_version=no
   case "$host_cpu" in
   ia64*)
-    shrext_cmds='.so'
+    shrext='.so'
     hardcode_into_libs=yes
     dynamic_linker="$host_os dld.so"
     shlibpath_var=LD_LIBRARY_PATH
@@ -15714,7 +14470,7 @@ hpux9* | hpux10* | hpux11*)
     sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
     ;;
    hppa*64*)
-     shrext_cmds='.sl'
+     shrext='.sl'
      hardcode_into_libs=yes
      dynamic_linker="$host_os dld.sl"
      shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
@@ -15725,7 +14481,7 @@ hpux9* | hpux10* | hpux11*)
      sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
      ;;
    *)
-    shrext_cmds='.sl'
+    shrext='.sl'
     dynamic_linker="$host_os dld.sl"
     shlibpath_var=SHLIB_PATH
     shlibpath_overrides_runpath=no # +s is required to enable SHLIB_PATH
@@ -15796,8 +14552,8 @@ linux*)
 
   # Append ld.so.conf contents to the search path
   if test -f /etc/ld.so.conf; then
-    lt_ld_extra=`$SED -e 's/:,\t/ /g;s/=^=*$//;s/=^= * / /g' /etc/ld.so.conf | tr '\n' ' '`
-    sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
+    ld_extra=`$SED -e 's/:,\t/ /g;s/=^=*$//;s/=^= * / /g' /etc/ld.so.conf`
+    sys_lib_dlsearch_path_spec="/lib /usr/lib $ld_extra"
   fi
 
   # We used to test for /lib/ld.so.1 and disable shared libraries on
@@ -15859,7 +14615,7 @@ nto-qnx*)
 openbsd*)
   version_type=sunos
   need_lib_prefix=no
-  need_version=no
+  need_version=yes
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
   finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
   shlibpath_var=LD_LIBRARY_PATH
@@ -15879,7 +14635,7 @@ openbsd*)
 
 os2*)
   libname_spec='$name'
-  shrext_cmds=".dll"
+  shrext=".dll"
   need_lib_prefix=no
   library_names_spec='$libname${shared_ext} $libname.a'
   dynamic_linker='OS/2 ld.exe'
@@ -15981,8 +14737,8 @@ echo "$as_me:$LINENO: checking how to hardcode library paths into programs" >&5
 echo $ECHO_N "checking how to hardcode library paths into programs... $ECHO_C" >&6
 hardcode_action_CXX=
 if test -n "$hardcode_libdir_flag_spec_CXX" || \
-   test -n "$runpath_var_CXX" || \
-   test "X$hardcode_automatic_CXX" = "Xyes" ; then
+   test -n "$runpath_var CXX" || \
+   test "X$hardcode_automatic_CXX"="Xyes" ; then
 
   # We can hardcode non-existant directories.
   if test "$hardcode_direct_CXX" != no &&
@@ -16648,7 +15404,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<EOF
-#line 16651 "configure"
+#line 15407 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -16746,7 +15502,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<EOF
-#line 16749 "configure"
+#line 15505 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -17025,7 +15781,7 @@ objext="$ac_objext"
 libext="$libext"
 
 # Shared library suffix (normally ".so").
-shrext_cmds='$shrext_cmds'
+shrext='$shrext'
 
 # Executable file suffix (normally "").
 exeext="$exeext"
@@ -17347,7 +16103,7 @@ aix3*)
     postinstall_cmds='$RANLIB $lib'
   fi
   ;;
-aix4* | aix5*)
+aix4*)
   test "$enable_shared" = yes && enable_static=no
   ;;
 esac
@@ -17451,16 +16207,6 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6
 	lt_prog_compiler_static_F77='-bnso -bI:/lib/syscalls.exp'
       fi
       ;;
-      darwin*)
-        # PIC is the default on this platform
-        # Common symbols not allowed in MH_DYLIB files
-       case "$cc_basename" in
-         xlc*)
-         lt_prog_compiler_pic_F77='-qnocommon'
-         lt_prog_compiler_wl_F77='-Wl,'
-         ;;
-       esac
-       ;;
 
     mingw* | pw32* | os2*)
       # This hack is so that the source file can tell whether it is being
@@ -17583,11 +16329,11 @@ else
    -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:17586: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:16332: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:17590: \$? = $ac_status" >&5
+   echo "$as_me:16336: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings
@@ -17643,11 +16389,11 @@ else
    -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:17646: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:16392: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:17650: \$? = $ac_status" >&5
+   echo "$as_me:16396: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -17859,7 +16605,7 @@ EOF
       ;;
 
   linux*)
-    if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+    if $LD --help 2>&1 | egrep ': supported targets:.* elf' > /dev/null; then
         tmp_archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
 	archive_cmds_F77="$tmp_archive_cmds"
       supports_anon_versioning=no
@@ -18127,7 +16873,7 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       ld_shlibs_F77=no
       ;;
 
-    bsdi[45]*)
+    bsdi4*)
       export_dynamic_flag_spec_F77=-rdynamic
       ;;
 
@@ -18141,7 +16887,7 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       # Tell ltmain to make .lib files, not .a files.
       libext=lib
       # Tell ltmain to make .dll files, not .so files.
-      shrext_cmds=".dll"
+      shrext=".dll"
       # FIXME: Setting linknames here is a bad hack.
       archive_cmds_F77='$CC -o $lib $libobjs $compiler_flags `echo "$deplibs" | $SED -e '\''s/ -lc$//'\''` -link -dll~linknames='
       # The linker will automatically build a .lib file if we build a DLL.
@@ -18153,52 +16899,52 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       ;;
 
     darwin* | rhapsody*)
+    if test "$GXX" = yes ; then
+      archive_cmds_need_lc_F77=no
       case "$host_os" in
-        rhapsody* | darwin1.[012])
-         allow_undefined_flag_F77='${wl}-undefined ${wl}suppress'
-         ;;
-       *) # Darwin 1.3 on
-         if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
-           allow_undefined_flag_F77='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
-         else
-           case ${MACOSX_DEPLOYMENT_TARGET} in
-             10.[012])
-               allow_undefined_flag_F77='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
-               ;;
-             10.*)
-               allow_undefined_flag_F77='${wl}-undefined ${wl}dynamic_lookup'
-               ;;
-           esac
-         fi
-         ;;
+      rhapsody* | darwin1.[012])
+	allow_undefined_flag_F77='-undefined suppress'
+	;;
+      *) # Darwin 1.3 on
+      if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
+      	allow_undefined_flag_F77='-flat_namespace -undefined suppress'
+      else
+        case ${MACOSX_DEPLOYMENT_TARGET} in
+          10.[012])
+            allow_undefined_flag_F77='-flat_namespace -undefined suppress'
+            ;;
+          10.*)
+            allow_undefined_flag_F77='-undefined dynamic_lookup'
+            ;;
+        esac
+      fi
+	;;
       esac
-      archive_cmds_need_lc_F77=no
+    	lt_int_apple_cc_single_mod=no
+    	output_verbose_link_cmd='echo'
+    	if $CC -dumpspecs 2>&1 | grep 'single_module' >/dev/null ; then
+    	  lt_int_apple_cc_single_mod=yes
+    	fi
+    	if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
+    	  archive_cmds_F77='$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
+    	else
+        archive_cmds_F77='$CC -r ${wl}-bind_at_load -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
+      fi
+      module_cmds_F77='$CC ${wl}-bind_at_load $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
+      # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
+        if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
+          archive_expsym_cmds_F77='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+        else
+          archive_expsym_cmds_F77='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -r ${wl}-bind_at_load -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+        fi
+          module_expsym_cmds_F77='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
       hardcode_direct_F77=no
       hardcode_automatic_F77=yes
       hardcode_shlibpath_var_F77=unsupported
-      whole_archive_flag_spec_F77=''
+      whole_archive_flag_spec_F77='-all_load $convenience'
       link_all_deplibs_F77=yes
-    if test "$GCC" = yes ; then
-    	output_verbose_link_cmd='echo'
-        archive_cmds_F77='$CC -dynamiclib $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
-      module_cmds_F77='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
-      # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
-      archive_expsym_cmds_F77='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-      module_expsym_cmds_F77='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
     else
-      case "$cc_basename" in
-        xlc*)
-         output_verbose_link_cmd='echo'
-         archive_cmds_F77='$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}`echo $rpath/$soname` $verstring'
-         module_cmds_F77='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
-          # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
-         archive_expsym_cmds_F77='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-          module_expsym_cmds_F77='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-          ;;
-       *)
-         ld_shlibs_F77=no
-          ;;
-      esac
+      ld_shlibs_F77=no
     fi
       ;;
 
@@ -18343,7 +17089,6 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       hardcode_shlibpath_var_F77=no
       if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
 	archive_cmds_F77='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
-	archive_expsym_cmds_F77='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-retain-symbols-file,$export_symbols'
 	hardcode_libdir_flag_spec_F77='${wl}-rpath,$libdir'
 	export_dynamic_flag_spec_F77='${wl}-E'
       else
@@ -18598,7 +17343,7 @@ echo $ECHO_N "checking dynamic linker characteristics... $ECHO_C" >&6
 library_names_spec=
 libname_spec='lib$name'
 soname_spec=
-shrext_cmds=".so"
+shrext=".so"
 postinstall_cmds=
 postuninstall_cmds=
 finish_cmds=
@@ -18695,7 +17440,7 @@ beos*)
   shlibpath_var=LIBRARY_PATH
   ;;
 
-bsdi[45]*)
+bsdi4*)
   version_type=linux
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
@@ -18711,7 +17456,7 @@ bsdi[45]*)
 
 cygwin* | mingw* | pw32*)
   version_type=windows
-  shrext_cmds=".dll"
+  shrext=".dll"
   need_version=no
   need_lib_prefix=no
 
@@ -18776,7 +17521,7 @@ darwin* | rhapsody*)
   soname_spec='${libname}${release}${major}$shared_ext'
   shlibpath_overrides_runpath=yes
   shlibpath_var=DYLD_LIBRARY_PATH
-  shrext_cmds='$(test .$module = .yes && echo .so || echo .dylib)'
+  shrext='$(test .$module = .yes && echo .so || echo .dylib)'
   # Apple's gcc prints 'gcc -print-search-dirs' doesn't operate the same.
   if test "$GCC" = yes; then
     sys_lib_search_path_spec=`$CC -print-search-dirs | tr "\n" "$PATH_SEPARATOR" | sed -e 's/libraries:/@libraries:/' | tr "@" "\n" | grep "^libraries:" | sed -e "s/^libraries://" -e "s,=/,/,g" -e "s,$PATH_SEPARATOR, ,g" -e "s,.*,& /lib /usr/lib /usr/local/lib,g"`
@@ -18859,7 +17604,7 @@ hpux9* | hpux10* | hpux11*)
   need_version=no
   case "$host_cpu" in
   ia64*)
-    shrext_cmds='.so'
+    shrext='.so'
     hardcode_into_libs=yes
     dynamic_linker="$host_os dld.so"
     shlibpath_var=LD_LIBRARY_PATH
@@ -18874,7 +17619,7 @@ hpux9* | hpux10* | hpux11*)
     sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
     ;;
    hppa*64*)
-     shrext_cmds='.sl'
+     shrext='.sl'
      hardcode_into_libs=yes
      dynamic_linker="$host_os dld.sl"
      shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
@@ -18885,7 +17630,7 @@ hpux9* | hpux10* | hpux11*)
      sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
      ;;
    *)
-    shrext_cmds='.sl'
+    shrext='.sl'
     dynamic_linker="$host_os dld.sl"
     shlibpath_var=SHLIB_PATH
     shlibpath_overrides_runpath=no # +s is required to enable SHLIB_PATH
@@ -18956,8 +17701,8 @@ linux*)
 
   # Append ld.so.conf contents to the search path
   if test -f /etc/ld.so.conf; then
-    lt_ld_extra=`$SED -e 's/:,\t/ /g;s/=^=*$//;s/=^= * / /g' /etc/ld.so.conf | tr '\n' ' '`
-    sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
+    ld_extra=`$SED -e 's/:,\t/ /g;s/=^=*$//;s/=^= * / /g' /etc/ld.so.conf`
+    sys_lib_dlsearch_path_spec="/lib /usr/lib $ld_extra"
   fi
 
   # We used to test for /lib/ld.so.1 and disable shared libraries on
@@ -19019,7 +17764,7 @@ nto-qnx*)
 openbsd*)
   version_type=sunos
   need_lib_prefix=no
-  need_version=no
+  need_version=yes
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
   finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
   shlibpath_var=LD_LIBRARY_PATH
@@ -19039,7 +17784,7 @@ openbsd*)
 
 os2*)
   libname_spec='$name'
-  shrext_cmds=".dll"
+  shrext=".dll"
   need_lib_prefix=no
   library_names_spec='$libname${shared_ext} $libname.a'
   dynamic_linker='OS/2 ld.exe'
@@ -19141,8 +17886,8 @@ echo "$as_me:$LINENO: checking how to hardcode library paths into programs" >&5
 echo $ECHO_N "checking how to hardcode library paths into programs... $ECHO_C" >&6
 hardcode_action_F77=
 if test -n "$hardcode_libdir_flag_spec_F77" || \
-   test -n "$runpath_var_F77" || \
-   test "X$hardcode_automatic_F77" = "Xyes" ; then
+   test -n "$runpath_var F77" || \
+   test "X$hardcode_automatic_F77"="Xyes" ; then
 
   # We can hardcode non-existant directories.
   if test "$hardcode_direct_F77" != no &&
@@ -19380,7 +18125,7 @@ objext="$ac_objext"
 libext="$libext"
 
 # Shared library suffix (normally ".so").
-shrext_cmds='$shrext_cmds'
+shrext='$shrext'
 
 # Executable file suffix (normally "").
 exeext="$exeext"
@@ -19682,11 +18427,11 @@ else
    -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:19685: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:18430: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:19689: \$? = $ac_status" >&5
+   echo "$as_me:18434: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings
@@ -19793,16 +18538,6 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6
 	lt_prog_compiler_static_GCJ='-bnso -bI:/lib/syscalls.exp'
       fi
       ;;
-      darwin*)
-        # PIC is the default on this platform
-        # Common symbols not allowed in MH_DYLIB files
-       case "$cc_basename" in
-         xlc*)
-         lt_prog_compiler_pic_GCJ='-qnocommon'
-         lt_prog_compiler_wl_GCJ='-Wl,'
-         ;;
-       esac
-       ;;
 
     mingw* | pw32* | os2*)
       # This hack is so that the source file can tell whether it is being
@@ -19925,11 +18660,11 @@ else
    -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:19928: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:18663: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:19932: \$? = $ac_status" >&5
+   echo "$as_me:18667: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings
@@ -19985,11 +18720,11 @@ else
    -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:19988: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:18723: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:19992: \$? = $ac_status" >&5
+   echo "$as_me:18727: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -20201,7 +18936,7 @@ EOF
       ;;
 
   linux*)
-    if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+    if $LD --help 2>&1 | egrep ': supported targets:.* elf' > /dev/null; then
         tmp_archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
 	archive_cmds_GCJ="$tmp_archive_cmds"
       supports_anon_versioning=no
@@ -20489,7 +19224,7 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       ld_shlibs_GCJ=no
       ;;
 
-    bsdi[45]*)
+    bsdi4*)
       export_dynamic_flag_spec_GCJ=-rdynamic
       ;;
 
@@ -20503,7 +19238,7 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       # Tell ltmain to make .lib files, not .a files.
       libext=lib
       # Tell ltmain to make .dll files, not .so files.
-      shrext_cmds=".dll"
+      shrext=".dll"
       # FIXME: Setting linknames here is a bad hack.
       archive_cmds_GCJ='$CC -o $lib $libobjs $compiler_flags `echo "$deplibs" | $SED -e '\''s/ -lc$//'\''` -link -dll~linknames='
       # The linker will automatically build a .lib file if we build a DLL.
@@ -20515,52 +19250,52 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       ;;
 
     darwin* | rhapsody*)
+    if test "$GXX" = yes ; then
+      archive_cmds_need_lc_GCJ=no
       case "$host_os" in
-        rhapsody* | darwin1.[012])
-         allow_undefined_flag_GCJ='${wl}-undefined ${wl}suppress'
-         ;;
-       *) # Darwin 1.3 on
-         if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
-           allow_undefined_flag_GCJ='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
-         else
-           case ${MACOSX_DEPLOYMENT_TARGET} in
-             10.[012])
-               allow_undefined_flag_GCJ='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
-               ;;
-             10.*)
-               allow_undefined_flag_GCJ='${wl}-undefined ${wl}dynamic_lookup'
-               ;;
-           esac
-         fi
-         ;;
+      rhapsody* | darwin1.[012])
+	allow_undefined_flag_GCJ='-undefined suppress'
+	;;
+      *) # Darwin 1.3 on
+      if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
+      	allow_undefined_flag_GCJ='-flat_namespace -undefined suppress'
+      else
+        case ${MACOSX_DEPLOYMENT_TARGET} in
+          10.[012])
+            allow_undefined_flag_GCJ='-flat_namespace -undefined suppress'
+            ;;
+          10.*)
+            allow_undefined_flag_GCJ='-undefined dynamic_lookup'
+            ;;
+        esac
+      fi
+	;;
       esac
-      archive_cmds_need_lc_GCJ=no
+    	lt_int_apple_cc_single_mod=no
+    	output_verbose_link_cmd='echo'
+    	if $CC -dumpspecs 2>&1 | grep 'single_module' >/dev/null ; then
+    	  lt_int_apple_cc_single_mod=yes
+    	fi
+    	if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
+    	  archive_cmds_GCJ='$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
+    	else
+        archive_cmds_GCJ='$CC -r ${wl}-bind_at_load -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
+      fi
+      module_cmds_GCJ='$CC ${wl}-bind_at_load $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
+      # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
+        if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
+          archive_expsym_cmds_GCJ='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+        else
+          archive_expsym_cmds_GCJ='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -r ${wl}-bind_at_load -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+        fi
+          module_expsym_cmds_GCJ='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
       hardcode_direct_GCJ=no
       hardcode_automatic_GCJ=yes
       hardcode_shlibpath_var_GCJ=unsupported
-      whole_archive_flag_spec_GCJ=''
+      whole_archive_flag_spec_GCJ='-all_load $convenience'
       link_all_deplibs_GCJ=yes
-    if test "$GCC" = yes ; then
-    	output_verbose_link_cmd='echo'
-        archive_cmds_GCJ='$CC -dynamiclib $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
-      module_cmds_GCJ='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
-      # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
-      archive_expsym_cmds_GCJ='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-      module_expsym_cmds_GCJ='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
     else
-      case "$cc_basename" in
-        xlc*)
-         output_verbose_link_cmd='echo'
-         archive_cmds_GCJ='$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}`echo $rpath/$soname` $verstring'
-         module_cmds_GCJ='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
-          # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
-         archive_expsym_cmds_GCJ='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-          module_expsym_cmds_GCJ='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-          ;;
-       *)
-         ld_shlibs_GCJ=no
-          ;;
-      esac
+      ld_shlibs_GCJ=no
     fi
       ;;
 
@@ -20705,7 +19440,6 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       hardcode_shlibpath_var_GCJ=no
       if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
 	archive_cmds_GCJ='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
-	archive_expsym_cmds_GCJ='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-retain-symbols-file,$export_symbols'
 	hardcode_libdir_flag_spec_GCJ='${wl}-rpath,$libdir'
 	export_dynamic_flag_spec_GCJ='${wl}-E'
       else
@@ -20960,7 +19694,7 @@ echo $ECHO_N "checking dynamic linker characteristics... $ECHO_C" >&6
 library_names_spec=
 libname_spec='lib$name'
 soname_spec=
-shrext_cmds=".so"
+shrext=".so"
 postinstall_cmds=
 postuninstall_cmds=
 finish_cmds=
@@ -21057,7 +19791,7 @@ beos*)
   shlibpath_var=LIBRARY_PATH
   ;;
 
-bsdi[45]*)
+bsdi4*)
   version_type=linux
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
@@ -21073,7 +19807,7 @@ bsdi[45]*)
 
 cygwin* | mingw* | pw32*)
   version_type=windows
-  shrext_cmds=".dll"
+  shrext=".dll"
   need_version=no
   need_lib_prefix=no
 
@@ -21138,7 +19872,7 @@ darwin* | rhapsody*)
   soname_spec='${libname}${release}${major}$shared_ext'
   shlibpath_overrides_runpath=yes
   shlibpath_var=DYLD_LIBRARY_PATH
-  shrext_cmds='$(test .$module = .yes && echo .so || echo .dylib)'
+  shrext='$(test .$module = .yes && echo .so || echo .dylib)'
   # Apple's gcc prints 'gcc -print-search-dirs' doesn't operate the same.
   if test "$GCC" = yes; then
     sys_lib_search_path_spec=`$CC -print-search-dirs | tr "\n" "$PATH_SEPARATOR" | sed -e 's/libraries:/@libraries:/' | tr "@" "\n" | grep "^libraries:" | sed -e "s/^libraries://" -e "s,=/,/,g" -e "s,$PATH_SEPARATOR, ,g" -e "s,.*,& /lib /usr/lib /usr/local/lib,g"`
@@ -21221,7 +19955,7 @@ hpux9* | hpux10* | hpux11*)
   need_version=no
   case "$host_cpu" in
   ia64*)
-    shrext_cmds='.so'
+    shrext='.so'
     hardcode_into_libs=yes
     dynamic_linker="$host_os dld.so"
     shlibpath_var=LD_LIBRARY_PATH
@@ -21236,7 +19970,7 @@ hpux9* | hpux10* | hpux11*)
     sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
     ;;
    hppa*64*)
-     shrext_cmds='.sl'
+     shrext='.sl'
      hardcode_into_libs=yes
      dynamic_linker="$host_os dld.sl"
      shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
@@ -21247,7 +19981,7 @@ hpux9* | hpux10* | hpux11*)
      sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
      ;;
    *)
-    shrext_cmds='.sl'
+    shrext='.sl'
     dynamic_linker="$host_os dld.sl"
     shlibpath_var=SHLIB_PATH
     shlibpath_overrides_runpath=no # +s is required to enable SHLIB_PATH
@@ -21318,8 +20052,8 @@ linux*)
 
   # Append ld.so.conf contents to the search path
   if test -f /etc/ld.so.conf; then
-    lt_ld_extra=`$SED -e 's/:,\t/ /g;s/=^=*$//;s/=^= * / /g' /etc/ld.so.conf | tr '\n' ' '`
-    sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
+    ld_extra=`$SED -e 's/:,\t/ /g;s/=^=*$//;s/=^= * / /g' /etc/ld.so.conf`
+    sys_lib_dlsearch_path_spec="/lib /usr/lib $ld_extra"
   fi
 
   # We used to test for /lib/ld.so.1 and disable shared libraries on
@@ -21381,7 +20115,7 @@ nto-qnx*)
 openbsd*)
   version_type=sunos
   need_lib_prefix=no
-  need_version=no
+  need_version=yes
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
   finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
   shlibpath_var=LD_LIBRARY_PATH
@@ -21401,7 +20135,7 @@ openbsd*)
 
 os2*)
   libname_spec='$name'
-  shrext_cmds=".dll"
+  shrext=".dll"
   need_lib_prefix=no
   library_names_spec='$libname${shared_ext} $libname.a'
   dynamic_linker='OS/2 ld.exe'
@@ -21503,8 +20237,8 @@ echo "$as_me:$LINENO: checking how to hardcode library paths into programs" >&5
 echo $ECHO_N "checking how to hardcode library paths into programs... $ECHO_C" >&6
 hardcode_action_GCJ=
 if test -n "$hardcode_libdir_flag_spec_GCJ" || \
-   test -n "$runpath_var_GCJ" || \
-   test "X$hardcode_automatic_GCJ" = "Xyes" ; then
+   test -n "$runpath_var GCJ" || \
+   test "X$hardcode_automatic_GCJ"="Xyes" ; then
 
   # We can hardcode non-existant directories.
   if test "$hardcode_direct_GCJ" != no &&
@@ -22170,7 +20904,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<EOF
-#line 22173 "configure"
+#line 20907 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -22268,7 +21002,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<EOF
-#line 22271 "configure"
+#line 21005 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -22547,7 +21281,7 @@ objext="$ac_objext"
 libext="$libext"
 
 # Shared library suffix (normally ".so").
-shrext_cmds='$shrext_cmds'
+shrext='$shrext'
 
 # Executable file suffix (normally "").
 exeext="$exeext"
@@ -22992,7 +21726,7 @@ objext="$ac_objext"
 libext="$libext"
 
 # Shared library suffix (normally ".so").
-shrext_cmds='$shrext_cmds'
+shrext='$shrext'
 
 # Executable file suffix (normally "").
 exeext="$exeext"
@@ -23733,22 +22467,10 @@ echo "${ECHO_T}no -- disabling runtime ipv6 support" >&6
 			 ISC_PLATFORM_HAVEIN6PKTINFO="#undef ISC_PLATFORM_HAVEIN6PKTINFO"
 fi
 rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-		;;
-	no)
-		HAS_INET6_STRUCTS="#undef HAS_INET6_STRUCTS"
-		NEED_IN6ADDR_ANY="#undef NEED_IN6ADDR_ANY"
-		ISC_PLATFORM_HAVEIN6PKTINFO="#undef ISC_PLATFORM_HAVEIN6PKTINFO"
-		HAVE_SIN6_SCOPE_ID="#define HAVE_SIN6_SCOPE_ID 1"
-		ISC_IPV6_H="ipv6.h"
-		ISC_IPV6_O="ipv6.$O"
-		ISC_ISCIPV6_O="unix/ipv6.$O"
-		ISC_IPV6_C="ipv6.c"
-		;;
-esac
 
-echo "$as_me:$LINENO: checking for sockaddr_storage" >&5
+		echo "$as_me:$LINENO: checking for sockaddr_storage" >&5
 echo $ECHO_N "checking for sockaddr_storage... $ECHO_C" >&6
-cat >conftest.$ac_ext <<_ACEOF
+		cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
 cat confdefs.h >>conftest.$ac_ext
@@ -23758,6 +22480,8 @@ cat >>conftest.$ac_ext <<_ACEOF
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <netinet/in.h>
+$isc_netinetin6_hack
+$isc_netinet6in6_hack
 
 int
 main ()
@@ -23791,16 +22515,29 @@ if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
   (exit $ac_status); }; }; then
   echo "$as_me:$LINENO: result: yes" >&5
 echo "${ECHO_T}yes" >&6
-	 HAVE_SOCKADDR_STORAGE="#define HAVE_SOCKADDR_STORAGE 1"
+			 HAVE_SOCKADDR_STORAGE="#define HAVE_SOCKADDR_STORAGE 1"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 echo "$as_me:$LINENO: result: no" >&5
 echo "${ECHO_T}no" >&6
-	 HAVE_SOCKADDR_STORAGE="#undef HAVE_SOCKADDR_STORAGE"
+			 HAVE_SOCKADDR_STORAGE="#undef HAVE_SOCKADDR_STORAGE"
 fi
 rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+		;;
+	no)
+		HAS_INET6_STRUCTS="#undef HAS_INET6_STRUCTS"
+		NEED_IN6ADDR_ANY="#undef NEED_IN6ADDR_ANY"
+		ISC_PLATFORM_HAVEIN6PKTINFO="#undef ISC_PLATFORM_HAVEIN6PKTINFO"
+		HAVE_SIN6_SCOPE_ID="#define HAVE_SIN6_SCOPE_ID 1"
+		HAVE_SOCKADDR_STORAGE="#undef HAVE_SOCKADDR_STORAGE"
+		ISC_IPV6_H="ipv6.h"
+		ISC_IPV6_O="ipv6.$O"
+		ISC_ISCIPV6_O="unix/ipv6.$O"
+		ISC_IPV6_C="ipv6.c"
+		;;
+esac
 
 
 
@@ -24094,20 +22831,13 @@ PORT_DIR=port/unknown
 SOLARIS_BITTYPES="#undef NEED_SOLARIS_BITTYPES"
 BSD_COMP="#undef BSD_COMP"
 USE_FIONBIO_IOCTL="#undef USE_FIONBIO_IOCTL"
-PORT_NONBLOCK="#define PORT_NONBLOCK O_NONBLOCK"
-HAVE_MD5="#undef HAVE_MD5"
-USE_POLL="#undef HAVE_POLL"
-SOLARIS2="#undef SOLARIS2"
 case "$host" in
 	*aix3.2*)	PORT_DIR="port/aix32";;
 	*aix4*)		PORT_DIR="port/aix4";;
-	*aix5*)		PORT_DIR="port/aix5";;
 	*aux3*)		PORT_DIR="port/aux3";;
 	*-bsdi2*)	PORT_DIR="port/bsdos2";;
 	*-bsdi*)	PORT_DIR="port/bsdos";;
-	*-cygwin*)
-			PORT_NONBLOCK="#define PORT_NONBLOCK O_NDELAY"
-			PORT_DIR="port/cygwin";;
+	*-cygwin*)	PORT_DIR="port/cygwin";;
 	*-darwin*)	PORT_DIR="port/darwin";;
 	*-osf*)		PORT_DIR="port/decunix";;
 	*-freebsd*)	PORT_DIR="port/freebsd";;
@@ -24123,28 +22853,16 @@ case "$host" in
 	*-openbsd*)	PORT_DIR="port/openbsd";;
 	*-qnx*)		PORT_DIR="port/qnx";;
 	*-rhapsody*)	PORT_DIR="port/rhapsody";;
-	*-sunos4*)
-			PORT_NONBLOCK="#define PORT_NONBLOCK O_NDELAY"
-			PORT_DIR="port/sunos";;
-	*-solaris2.[01234])
+	*-solaris2.[01234]*)
 			BSD_COMP="#define BSD_COMP 1"
 			SOLARIS_BITTYPES="#define NEED_SOLARIS_BITTYPES 1"
 			USE_FIONBIO_IOCTL="#define USE_FIONBIO_IOCTL 1"
-			SOLARIS2="#define SOLARIS2 1"
 			PORT_DIR="port/solaris";;
-	*-solaris2.5)
+	*-solaris2.5*)
 			BSD_COMP="#define BSD_COMP 1"
 			SOLARIS_BITTYPES="#define NEED_SOLARIS_BITTYPES 1"
-			SOLARIS2="#define SOLARIS2 1"
-			PORT_DIR="port/solaris";;
-	*-solaris2.[67])
-			BSD_COMP="#define BSD_COMP 1"
-			SOLARIS2="#define SOLARIS2 1"
 			PORT_DIR="port/solaris";;
 	*-solaris2*)	BSD_COMP="#define BSD_COMP 1"
-			USE_POLL="#define USE_POLL 1"
-			HAVE_MD5="#define HAVE_MD5 1"
-			SOLARIS2="#define SOLARIS2 1"
 			PORT_DIR="port/solaris";;
 	*-ultrix*)	PORT_DIR="port/ultrix";;
 	*-sco-sysv*uw2.0*)	PORT_DIR="port/unixware20";;
@@ -24155,14 +22873,10 @@ esac
 
 
 
-
-
-
-
-
 PORT_INCLUDE=${PORT_DIR}/include
 
 
+
 #
 # Look for a 4.4BSD or 4.3BSD struct msghdr
 #
@@ -24279,61 +22993,6 @@ fi
 rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
 
 
-echo "$as_me:$LINENO: checking for struct timespec" >&5
-echo $ECHO_N "checking for struct timespec... $ECHO_C" >&6
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-#include <sys/types.h>
-#include <time.h>
-int
-main ()
-{
-struct timespec ts = { 0, 0 }; return (0);
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
-	ISC_PLATFORM_NEEDTIMESPEC="#undef ISC_PLATFORM_NEEDTIMESPEC"
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-	ISC_PLATFORM_NEEDTIMESPEC="#define ISC_PLATFORM_NEEDTIMESPEC 1"
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
-
 #
 # Check for addrinfo
 #
@@ -26352,10 +25011,6 @@ _ACEOF
 fi
 
 
-case $host in
-ia64-hp-hpux11.*)
-;;
-*)
 echo "$as_me:$LINENO: checking for getnetbyaddr_r" >&5
 echo $ECHO_N "checking for getnetbyaddr_r... $ECHO_C" >&6
 if test "${ac_cv_func_getnetbyaddr_r+set}" = set; then
@@ -26639,62 +25294,6 @@ cat >>conftest.$ac_ext <<_ACEOF
 #undef __USE_MISC
 #define __USE_MISC
 #include <netdb.h>
-int getnetbyaddr_r (in_addr_t, int, struct netent *, struct netent_data *);
-
-int
-main ()
-{
-return (0)
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-
-NET_R_ARGS="#define NET_R_ARGS struct netent_data *ndptr"
-NET_R_BAD="#define NET_R_BAD (-1)"
-NET_R_COPY="#define NET_R_COPY ndptr"
-NET_R_COPY_ARGS="#define NET_R_COPY_ARGS struct netent_data *ndptr"
-NET_R_OK="#define NET_R_OK 0"
-NET_R_SETANSWER="#undef NET_R_SETANSWER"
-NET_R_RETURN="#define NET_R_RETURN int"
-GETNETBYADDR_ADDR_T="#define GETNETBYADDR_ADDR_T long"
-NETENT_DATA="#define NETENT_DATA 1"
-
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
 int getnetbyaddr_r (long, int, struct netent *, struct netent_data *);
 
 int
@@ -26742,69 +25341,6 @@ else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-int getnetbyaddr_r (uint32_t, int, struct netent *,
-                    char *, size_t, struct netent **, int *);
-
-int
-main ()
-{
-return (0)
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-
-NET_R_ARGS="#define NET_R_ARGS char *buf, size_t buflen, struct netent **answerp, int *h_errnop"
-NET_R_BAD="#define NET_R_BAD ERANGE"
-NET_R_COPY="#define NET_R_COPY buf, buflen"
-NET_R_COPY_ARGS="#define NET_R_COPY_ARGS char *buf, size_t buflen"
-NET_R_OK="#define NET_R_OK 0"
-NET_R_SETANSWER="#define NET_R_SETANSWER 1"
-NET_R_RETURN="#define NET_R_RETURN int"
-GETNETBYADDR_ADDR_T="#define GETNETBYADDR_ADDR_T unsigned long int"
-NETENT_DATA="#undef NETENT_DATA"
-
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
 fi
 rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
 
@@ -26830,8 +25366,6 @@ NETENT_DATA="#undef NETENT_DATA"
 
 fi
 
-esac
-
 case "$host" in
 *dec-osf*) GETNETBYADDR_ADDR_T="#define GETNETBYADDR_ADDR_T int" ;;
 esac
@@ -27056,11 +25590,6 @@ fi
 
 
 
-
-case $host in
-ia64-hp-hpux11.*)
-;;
-*)
 echo "$as_me:$LINENO: checking for endnetent_r" >&5
 echo $ECHO_N "checking for endnetent_r... $ECHO_C" >&6
 if test "${ac_cv_func_endnetent_r+set}" = set; then
@@ -27323,7 +25852,6 @@ NET_R_END_RETURN="#define NET_R_END_RETURN void"
 
 fi
 
-esac
 
 
 
@@ -27901,10 +26429,6 @@ fi
 
 
 
-case $host in
-ia64-hp-hpux11.*)
-;;
-*)
 echo "$as_me:$LINENO: checking for gethostbyname_r" >&5
 echo $ECHO_N "checking for gethostbyname_r... $ECHO_C" >&6
 if test "${ac_cv_func_gethostbyname_r+set}" = set; then
@@ -28104,7 +26628,7 @@ HOST_R_ARGS="#define HOST_R_ARGS struct hostent_data *hdptr"
 HOST_R_BAD="#define HOST_R_BAD (-1)"
 HOST_R_COPY="#define HOST_R_COPY hdptr"
 HOST_R_COPY_ARGS="#define HOST_R_COPY_ARGS HOST_R_ARGS"
-HOST_R_ERRNO="#undef HOST_R_ERRNO"
+HOST_R_ERRNO="#define HOST_R_ERRNO NULL"
 HOST_R_OK="#define HOST_R_OK 0"
 HOST_R_RETURN="#define HOST_R_RETURN int"
 HOST_R_SETANSWER="#undef HOST_R_SETANSWER"
@@ -28195,7 +26719,6 @@ HOSTENT_DATA="#undef HOSTENT_DATA"
 
 fi
 
-esac
 
 
 
@@ -28206,10 +26729,6 @@ esac
 
 
 
-case $host in
-ia64-hp-hpux11.*)
-;;
-*)
 echo "$as_me:$LINENO: checking for endhostent_r" >&5
 echo $ECHO_N "checking for endhostent_r... $ECHO_C" >&6
 if test "${ac_cv_func_endhostent_r+set}" = set; then
@@ -28475,15 +26994,10 @@ HOST_R_ENT_ARGS="#undef HOST_R_ENT_ARGS /*empty*/"
 
 fi
 
-esac;
 
 
 
 
-case $host in
-ia64-hp-hpux11.*)
-;;
-*)
 echo "$as_me:$LINENO: checking for sethostent_r" >&5
 echo $ECHO_N "checking for sethostent_r... $ECHO_C" >&6
 if test "${ac_cv_func_sethostent_r+set}" = set; then
@@ -28737,7 +27251,6 @@ HOST_R_SET_RETURN="#define HOST_R_SET_RETURN void"
 
 fi
 
-esac
 
 
 
@@ -28909,10 +27422,6 @@ fi
 rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
 
 
-case $host in
-ia64-hp-hpux11.*)
-;;
-*)
 echo "$as_me:$LINENO: checking for getnetgrent_r" >&5
 echo $ECHO_N "checking for getnetgrent_r... $ECHO_C" >&6
 if test "${ac_cv_func_getnetgrent_r+set}" = set; then
@@ -29192,7 +27701,6 @@ NGR_R_RETURN="#define NGR_R_RETURN int"
 
 fi
 
-esac
 
 
 
@@ -29292,69 +27800,10 @@ fi
 echo "$as_me:$LINENO: result: $ac_cv_func_endnetgrent_r" >&5
 echo "${ECHO_T}$ac_cv_func_endnetgrent_r" >&6
 if test $ac_cv_func_endnetgrent_r = yes; then
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-void endnetgrent_r(void **ptr);
-
-
-int
-main ()
-{
-return (0);
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-
-NGR_R_END_RESULT="#define NGR_R_END_RESULT(x)  /* empty */"
-NGR_R_END_RETURN="#define NGR_R_END_RETURN void"
-NGR_R_ENT_ARGS="#define NGR_R_ENT_ARGS NGR_R_ARGS"
-
-
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-
-NGR_R_END_RESULT="#define NGR_R_END_RESULT(x)  return (x)"
+  NGR_R_END_RESULT="#define NGR_R_END_RESULT(x)  return (x)"
 NGR_R_END_RETURN="#define NGR_R_END_RETURN int"
 NGR_R_ENT_ARGS="#define NGR_R_ENT_ARGS NGR_R_ARGS"
 
-
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
 else
   NGR_R_END_RESULT="#define NGR_R_END_RESULT(x)  /*empty*/"
 NGR_R_END_RETURN="#define NGR_R_END_RETURN void"
@@ -29583,10 +28032,6 @@ _ACEOF
 fi
 
 
-case $host in
-ia64-hp-hpux11.*)
-;;
-*)
 echo "$as_me:$LINENO: checking for getprotoent_r" >&5
 echo $ECHO_N "checking for getprotoent_r... $ECHO_C" >&6
 if test "${ac_cv_func_getprotoent_r+set}" = set; then
@@ -29731,7 +28176,6 @@ PROTO_R_COPY_ARGS="#define PROTO_R_COPY_ARGS PROTO_R_ARGS"
 PROTO_R_OK="#define PROTO_R_OK pptr"
 PROTO_R_SETANSWER="#undef PROTO_R_SETANSWER"
 PROTO_R_RETURN="#define PROTO_R_RETURN struct protoent *"
-PROTOENT_DATA="#undef PROTOENT_DATA"
 
 
 else
@@ -29791,67 +28235,6 @@ PROTO_R_COPY_ARGS="#define PROTO_R_COPY_ARGS char *buf, size_t buflen"
 PROTO_R_OK="#define PROTO_R_OK 0"
 PROTO_R_SETANSWER="#define PROTO_R_SETANSWER 1"
 PROTO_R_RETURN="#define PROTO_R_RETURN int"
-PROTOENT_DATA="#undef PROTOENT_DATA"
-
-
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-int getprotoent_r (struct protoent *, struct protoent_data *prot_data);
-
-
-
-int
-main ()
-{
-return (0);
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-
-PROTO_R_ARGS="#define PROTO_R_ARGS struct protoent_data *prot_data"
-PROTO_R_BAD="#define PROTO_R_BAD (-1)"
-PROTO_R_COPY="#define PROTO_R_COPY prot_data"
-PROTO_R_COPY_ARGS="#define PROTO_R_COPY_ARGS struct protoent_data *pdptr"
-PROTO_R_OK="#define PROTO_R_OK 0"
-PROTO_R_SETANSWER="#undef PROTO_R_SETANSWER"
-PROTO_R_RETURN="#define PROTO_R_RETURN int"
-PROTOENT_DATA="#define PROTOENT_DATA 1"
 
 
 else
@@ -29864,9 +28247,6 @@ rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
 rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
 
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
 else
   PROTO_R_ARGS="#define PROTO_R_ARGS char *buf, int buflen"
 PROTO_R_BAD="#define PROTO_R_BAD NULL"
@@ -29875,12 +28255,9 @@ PROTO_R_COPY_ARGS="#define PROTO_R_COPY_ARGS PROTO_R_ARGS"
 PROTO_R_OK="#define PROTO_R_OK pptr"
 PROTO_R_SETANSWER="#undef PROTO_R_SETANSWER"
 PROTO_R_RETURN="#define PROTO_R_RETURN struct protoent *"
-PROTOENT_DATA="#undef PROTOENT_DATA"
 
 fi
 
-;;
-esac
 
 
 
@@ -29889,11 +28266,6 @@ esac
 
 
 
-
-case $host in
-ia64-hp-hpux11.*)
-;;
-*)
 echo "$as_me:$LINENO: checking for endprotoent_r" >&5
 echo $ECHO_N "checking for endprotoent_r... $ECHO_C" >&6
 if test "${ac_cv_func_endprotoent_r+set}" = set; then
@@ -30034,119 +28406,6 @@ if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
 PROTO_R_END_RESULT="#define PROTO_R_END_RESULT(x) /*empty*/"
 PROTO_R_END_RETURN="#define PROTO_R_END_RETURN void"
 PROTO_R_ENT_ARGS="#undef PROTO_R_ENT_ARGS"
-PROTO_R_ENT_UNUSED="#undef PROTO_R_ENT_UNUSED"
-
-
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-#undef _REENTRANT
-#define _REENTRANT
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-void endprotoent_r(struct protoent_data *);
-
-
-int
-main ()
-{
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-
-PROTO_R_END_RESULT="#define PROTO_R_END_RESULT(x) /*empty*/"
-PROTO_R_END_RETURN="#define PROTO_R_END_RETURN void"
-PROTO_R_ENT_ARGS="#define PROTO_R_ENT_ARGS struct protoent_data *proto_data"
-PROTO_R_ENT_UNUSED="#define PROTO_R_ENT_UNUSED UNUSED(proto_data)"
-
-
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-#undef _REENTRANT
-#define _REENTRANT
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-int endprotoent_r(struct protoent_data *);
-
-
-int
-main ()
-{
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-
-PROTO_R_END_RESULT="#define PROTO_R_END_RESULT(x) return(0)"
-PROTO_R_END_RETURN="#define PROTO_R_END_RETURN int"
-PROTO_R_ENT_ARGS="#define PROTO_R_ENT_ARGS struct protoent_data *proto_data"
-PROTO_R_ENT_UNUSED="#define PROTO_R_ENT_UNUSED UNUSED(proto_data)"
 
 
 else
@@ -30156,30 +28415,17 @@ sed 's/^/| /' conftest.$ac_ext >&5
 fi
 rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
 
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
 else
   PROTO_R_END_RESULT="#define PROTO_R_END_RESULT(x) /*empty*/"
 PROTO_R_END_RETURN="#define PROTO_R_END_RETURN void"
 PROTO_R_ENT_ARGS="#undef PROTO_R_ENT_ARGS /*empty*/"
-PROTO_R_ENT_UNUSED="#undef PROTO_R_ENT_UNUSED"
 
 fi
 
-esac
-
 
 
 
 
-case $host in
-ia64-hp-hpux11.*)
-;;
-*)
 echo "$as_me:$LINENO: checking for setprotoent_r" >&5
 echo $ECHO_N "checking for setprotoent_r... $ECHO_C" >&6
 if test "${ac_cv_func_setprotoent_r+set}" = set; then
@@ -30322,60 +28568,6 @@ else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-#undef _REENTRANT
-#define _REENTRANT
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-int setprotoent_r (int, struct protoent_data *);
-
-int
-main ()
-{
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  PROTO_R_SET_RESULT="#define PROTO_R_SET_RESULT (0)"
-PROTO_R_SET_RETURN="#define PROTO_R_SET_RETURN int"
-
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
 fi
 rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
 
@@ -30385,7 +28577,6 @@ PROTO_R_SET_RETURN="#define PROTO_R_SET_RETURN void"
 
 fi
 
-esac
 
 
 
@@ -31317,10 +29508,6 @@ _ACEOF
 fi
 
 
-case $host in
-ia64-hp-hpux11.*)
-;;
-*)
 echo "$as_me:$LINENO: checking for getservent_r" >&5
 echo $ECHO_N "checking for getservent_r... $ECHO_C" >&6
 if test "${ac_cv_func_getservent_r+set}" = set; then
@@ -31526,67 +29713,6 @@ else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-int
-getservent_r (struct servent *, struct servent_data *serv_data);
-
-int
-main ()
-{
-return (0);
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-
-SERV_R_ARGS="#define SERV_R_ARGS struct servent_data *serv_data"
-SERV_R_BAD="#define SERV_R_BAD (-1)"
-SERV_R_COPY="#define SERV_R_COPY serv_data"
-SERV_R_COPY_ARGS="#define SERV_R_COPY_ARGS struct servent_data *sdptr"
-SERV_R_OK="#define SERV_R_OK (0)"
-SERV_R_SETANSWER="#undef SERV_R_SETANSWER"
-SERV_R_RETURN="#define SERV_R_RETURN int"
-SERVENT_DATA="#define SERVENT_DATA 1"
-
-
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
 fi
 rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
 
@@ -31604,8 +29730,6 @@ SERV_R_RETURN="#define SERV_R_RETURN struct servent *"
 
 fi
 
-esac
-
 
 
 
@@ -31614,10 +29738,6 @@ esac
 
 
 
-case $host in
-ia64-hp-hpux11.*)
-;;
-*)
 echo "$as_me:$LINENO: checking for endservent_r" >&5
 echo $ECHO_N "checking for endservent_r... $ECHO_C" >&6
 if test "${ac_cv_func_endservent_r+set}" = set; then
@@ -31758,119 +29878,6 @@ if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
 SERV_R_END_RESULT="#define SERV_R_END_RESULT(x) /*empty*/"
 SERV_R_END_RETURN="#define SERV_R_END_RETURN void "
 SERV_R_ENT_ARGS="#undef SERV_R_ENT_ARGS /*empty*/"
-SERV_R_ENT_UNUSED="#undef SERV_R_ENT_UNUSED /*empty*/"
-
-
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-#undef _REENTRANT
-#define _REENTRANT
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-void endservent_r(struct servent_data *serv_data);
-
-
-int
-main ()
-{
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-
-SERV_R_END_RESULT="#define SERV_R_END_RESULT(x) /*empty*/"
-SERV_R_END_RETURN="#define SERV_R_END_RETURN void "
-SERV_R_ENT_ARGS="#define SERV_R_ENT_ARGS struct servent_data *serv_data"
-SERV_R_ENT_UNUSED="#define SERV_R_ENT_UNUSED UNUSED(serv_data)"
-
-
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-#undef _REENTRANT
-#define _REENTRANT
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-int endservent_r(struct servent_data *serv_data);
-
-
-int
-main ()
-{
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-
-SERV_R_END_RESULT="#define SERV_R_END_RESULT(x) return(x)"
-SERV_R_END_RETURN="#define SERV_R_END_RETURN int "
-SERV_R_ENT_ARGS="#define SERV_R_ENT_ARGS struct servent_data *serv_data"
-SERV_R_ENT_UNUSED="#define SERV_R_ENT_UNUSED UNUSED(serv_data)"
 
 
 else
@@ -31880,30 +29887,17 @@ sed 's/^/| /' conftest.$ac_ext >&5
 fi
 rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
 
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
 else
   SERV_R_END_RESULT="#define SERV_R_END_RESULT(x) /*empty*/"
 SERV_R_END_RETURN="#define SERV_R_END_RETURN void "
 SERV_R_ENT_ARGS="#undef SERV_R_ENT_ARGS /*empty*/"
-SERV_R_ENT_UNUSED="#undef SERV_R_ENT_UNUSED /*empty*/"
 
 fi
 
-esac
 
 
 
 
-
-case $host in
-ia64-hp-hpux11.*)
-;;
-*)
 echo "$as_me:$LINENO: checking for setservent_r" >&5
 echo $ECHO_N "checking for setservent_r... $ECHO_C" >&6
 if test "${ac_cv_func_setservent_r+set}" = set; then
@@ -32007,7 +30001,7 @@ cat >>conftest.$ac_ext <<_ACEOF
 #undef __USE_MISC
 #define __USE_MISC
 #include <netdb.h>
-void setservent_r(int);
+void            setservent_r(int);
 
 
 int
@@ -32049,63 +30043,6 @@ else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-#undef _REENTRANT
-#define _REENTRANT
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-int setservent_r(int, struct servent_data *);
-
-
-int
-main ()
-{
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-
-SERV_R_SET_RESULT="#define SERV_R_SET_RESULT (0)"
-SERV_R_SET_RETURN="#define SERV_R_SET_RETURN int"
-
-
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
 fi
 rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
 
@@ -32115,7 +30052,6 @@ SERV_R_SET_RETURN="#define SERV_R_SET_RETURN void"
 
 fi
 
-esac
 
 
 
@@ -32351,16 +30287,11 @@ rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
 # Random remaining OS-specific issues involving compiler warnings.
 # XXXDCL print messages to indicate some compensation is being done?
 #
+
+ISC_PLATFORM_BRACEPTHREADONCEINIT="#undef ISC_PLATFORM_BRACEPTHREADONCEINIT"
 BROKEN_IN6ADDR_INIT_MACROS="#undef BROKEN_IN6ADDR_INIT_MACROS"
 
 case "$host" in
-	*-aix5.1.*)
-		hack_shutup_pthreadmutexinit=yes
-		hack_shutup_in6addr_init_macros=yes
-		;;
-	*-aix5.[23].*)
-		hack_shutup_in6addr_init_macros=yes
-		;;
 	*-bsdi3.1*)
 		hack_shutup_sputaux=yes
 		;;
@@ -32372,33 +30303,18 @@ case "$host" in
 	*-bsdi4.1*)
 		hack_shutup_stdargcast=yes
 		;;
-	*-hpux11.11)
-		hack_shutup_in6addr_init_macros=yes
-		;;
-	*-osf5.1|*-osf5.1b)
-		hack_shutup_in6addr_init_macros=yes
-		;;
 	*-solaris2.8)
-		hack_shutup_in6addr_init_macros=yes
-		;;
-	*-solaris2.9)
-		hack_shutup_in6addr_init_macros=yes
-		;;
-	*-solaris2.10)
+		hack_shutup_pthreadonceinit=yes
 		hack_shutup_in6addr_init_macros=yes
 		;;
 esac
 
-case "$hack_shutup_pthreadmutexinit" in
+case "$hack_shutup_pthreadonceinit" in
 	yes)
 		#
-		# Shut up PTHREAD_MUTEX_INITIALIZER unbraced
-		# initializer warnings.
+		# Shut up PTHREAD_ONCE_INIT unbraced initializer warnings.
 		#
-		cat >>confdefs.h <<\_ACEOF
-#define SHUTUP_MUTEX_INITIALIZER 1
-_ACEOF
-
+		ISC_PLATFORM_BRACEPTHREADONCEINIT="#define ISC_PLATFORM_BRACEPTHREADONCEINIT 1"
 		;;
 esac
 
@@ -32440,8 +30356,7 @@ esac
 
 case "$hack_shutup_in6addr_init_macros" in
 	yes)
-
-cat >>confdefs.h <<\_ACEOF
+		cat >>confdefs.h <<\_ACEOF
 #define BROKEN_IN6ADDR_INIT_MACROS 1
 _ACEOF
 
@@ -33142,8 +31057,6 @@ s,@DO_PTHREADS@,$DO_PTHREADS,;t t
 s,@WANT_IRS_THREADSGR_OBJS@,$WANT_IRS_THREADSGR_OBJS,;t t
 s,@WANT_IRS_THREADSPW_OBJS@,$WANT_IRS_THREADSPW_OBJS,;t t
 s,@WANT_IRS_THREADS_OBJS@,$WANT_IRS_THREADS_OBJS,;t t
-s,@WANT_THREADS_OBJS@,$WANT_THREADS_OBJS,;t t
-s,@USE_IFNAMELINKID@,$USE_IFNAMELINKID,;t t
 s,@ISC_THREAD_DIR@,$ISC_THREAD_DIR,;t t
 s,@DAEMON_OBJS@,$DAEMON_OBJS,;t t
 s,@NEED_DAEMON@,$NEED_DAEMON,;t t
@@ -33197,15 +31110,10 @@ s,@HAVE_MINIMUM_IFREQ@,$HAVE_MINIMUM_IFREQ,;t t
 s,@BSD_COMP@,$BSD_COMP,;t t
 s,@SOLARIS_BITTYPES@,$SOLARIS_BITTYPES,;t t
 s,@USE_FIONBIO_IOCTL@,$USE_FIONBIO_IOCTL,;t t
-s,@PORT_NONBLOCK@,$PORT_NONBLOCK,;t t
 s,@PORT_DIR@,$PORT_DIR,;t t
-s,@USE_POLL@,$USE_POLL,;t t
-s,@HAVE_MD5@,$HAVE_MD5,;t t
-s,@SOLARIS2@,$SOLARIS2,;t t
 s,@PORT_INCLUDE@,$PORT_INCLUDE,;t t
 s,@ISC_PLATFORM_MSGHDRFLAVOR@,$ISC_PLATFORM_MSGHDRFLAVOR,;t t
 s,@ISC_PLATFORM_NEEDPORTT@,$ISC_PLATFORM_NEEDPORTT,;t t
-s,@ISC_PLATFORM_NEEDTIMESPEC@,$ISC_PLATFORM_NEEDTIMESPEC,;t t
 s,@ISC_LWRES_ENDHOSTENTINT@,$ISC_LWRES_ENDHOSTENTINT,;t t
 s,@ISC_LWRES_SETNETENTINT@,$ISC_LWRES_SETNETENTINT,;t t
 s,@ISC_LWRES_ENDNETENTINT@,$ISC_LWRES_ENDNETENTINT,;t t
@@ -33283,11 +31191,9 @@ s,@PROTO_R_COPY_ARGS@,$PROTO_R_COPY_ARGS,;t t
 s,@PROTO_R_OK@,$PROTO_R_OK,;t t
 s,@PROTO_R_SETANSWER@,$PROTO_R_SETANSWER,;t t
 s,@PROTO_R_RETURN@,$PROTO_R_RETURN,;t t
-s,@PROTOENT_DATA@,$PROTOENT_DATA,;t t
 s,@PROTO_R_END_RESULT@,$PROTO_R_END_RESULT,;t t
 s,@PROTO_R_END_RETURN@,$PROTO_R_END_RETURN,;t t
 s,@PROTO_R_ENT_ARGS@,$PROTO_R_ENT_ARGS,;t t
-s,@PROTO_R_ENT_UNUSED@,$PROTO_R_ENT_UNUSED,;t t
 s,@PROTO_R_SET_RESULT@,$PROTO_R_SET_RESULT,;t t
 s,@PROTO_R_SET_RETURN@,$PROTO_R_SET_RETURN,;t t
 s,@PASS_R_ARGS@,$PASS_R_ARGS,;t t
@@ -33308,15 +31214,14 @@ s,@SERV_R_COPY_ARGS@,$SERV_R_COPY_ARGS,;t t
 s,@SERV_R_OK@,$SERV_R_OK,;t t
 s,@SERV_R_SETANSWER@,$SERV_R_SETANSWER,;t t
 s,@SERV_R_RETURN@,$SERV_R_RETURN,;t t
-s,@SERVENT_DATA@,$SERVENT_DATA,;t t
 s,@SERV_R_END_RESULT@,$SERV_R_END_RESULT,;t t
 s,@SERV_R_END_RETURN@,$SERV_R_END_RETURN,;t t
 s,@SERV_R_ENT_ARGS@,$SERV_R_ENT_ARGS,;t t
-s,@SERV_R_ENT_UNUSED@,$SERV_R_ENT_UNUSED,;t t
 s,@SERV_R_SET_RESULT@,$SERV_R_SET_RESULT,;t t
 s,@SERV_R_SET_RETURN@,$SERV_R_SET_RETURN,;t t
 s,@SETNETGRENT_ARGS@,$SETNETGRENT_ARGS,;t t
 s,@INNETGR_ARGS@,$INNETGR_ARGS,;t t
+s,@ISC_PLATFORM_BRACEPTHREADONCEINIT@,$ISC_PLATFORM_BRACEPTHREADONCEINIT,;t t
 s,@BIND9_TOP_BUILDDIR@,$BIND9_TOP_BUILDDIR,;t t
 s,@BIND9_VERSION@,$BIND9_VERSION,;t t
 s,@LIBOBJS@,$LIBOBJS,;t t
diff --git a/lib/bind/configure.in b/lib/bind/configure.in
index ada926ca..ee7a7f9e 100644
--- a/lib/bind/configure.in
+++ b/lib/bind/configure.in
@@ -1,5 +1,5 @@
-# Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001-2003  Internet Software Consortium.
+# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-AC_REVISION($Revision: 1.83.2.40 $)
+AC_REVISION($Revision: 1.83.2.5.2.2 $)
 
 AC_INIT(resolv/herror.c)
 AC_PREREQ(2.13)
@@ -169,13 +169,12 @@ AC_PROG_CC
 AC_HEADER_STDC
 
 
-AC_CHECK_HEADERS(fcntl.h db.h paths.h sys/time.h unistd.h sys/sockio.h sys/select.h sys/timers.h stropts.h)
+AC_CHECK_HEADERS(fcntl.h db.h paths.h sys/time.h unistd.h sys/sockio.h sys/select.h sys/timers.h)
+
 
 AC_C_CONST
 AC_C_INLINE
 AC_TYPE_SIZE_T
-AC_CHECK_TYPE(ssize_t,signed)
-AC_CHECK_TYPE(uintptr_t,unsigned long)
 AC_HEADER_TIME
 #
 # check if we need to #include sys/select.h explicitly
@@ -316,72 +315,99 @@ case "$use_randomdev" in
 		;;
 esac
 
-sinclude(../../config.threads.in)dnl
+#
+# Begin pthreads checking.
+#
+# First, decide whether to use multithreading or not.
+#
+AC_MSG_CHECKING(whether to look for thread support)
+AC_ARG_ENABLE(threads,
+	[  --disable-threads	disable multithreading])
+case "$enable_threads" in
+	yes|'')
+		AC_MSG_RESULT(yes)
+		use_threads=true
+		;;
+	no)
+		AC_MSG_RESULT(no)	
+		use_threads=false
+		;;
+	*)
+	    	AC_MSG_ERROR([--enable-threads takes yes or no])
+		;;
+esac
 
 if $use_threads
 then
-	if test "X$GCC" = "Xyes"; then
-		case "$host" in
-		*-freebsd*)
-			CC="$CC -pthread"
-			CCOPT="$CCOPT -pthread"
-			STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
-			;;
-		*-openbsd*)
-			CC="$CC -pthread"
-			CCOPT="$CCOPT -pthread"
-			;;
-		*-solaris*)
-			LIBS="$LIBS -lthread"
-			;;
-		*-ibm-aix*)
-			STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
-			;;
-		esac
-	else
-		case $host in
-		*-dec-osf*)
-			CC="$CC -pthread"
-			CCOPT="$CCOPT -pthread"
-			;;
-		*-solaris*)
-			CC="$CC -mt"
-			CCOPT="$CCOPT -mt"
-			;;
-		*-ibm-aix*)
-			STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
-			;;
-		*-UnixWare*)
-			CC="$CC -Kthread"
-			CCOPT="$CCOPT -Kthread"
-			;;
-		esac
-	fi
-	AC_DEFINE(_REENTRANT)
-	ALWAYS_DEFINES="-D_REENTRANT"
-	DO_PTHREADS="#define DO_PTHREADS 1"
-	WANT_IRS_THREADSGR_OBJS="\${WANT_IRS_THREADSGR_OBJS}"
-	WANT_IRS_THREADSPW_OBJS="\${WANT_IRS_THREADSPW_OBJS}"
-	case $host in
-	ia64-hp-hpux11.*)
-		WANT_IRS_THREADS_OBJS="";;
-	*)
-		WANT_IRS_THREADS_OBJS="\${WANT_IRS_THREADS_OBJS}";;
+	#
+	# Search for / configure pthreads in a system-dependent fashion.
+	#
+	case "$host" in
+	  *-netbsd*)
+		# NetBSD has multiple pthreads implementations.	 The
+		# recommended one to use is "unproven-pthreads".  The
+		# older "mit-pthreads" may also work on some NetBSD
+		# versions.  The PTL2 thread library does not
+		# currently work with bind9, but can be chosen with
+		# the --with-ptl2 option for those who wish to
+		# experiment with it.
+		CC="gcc"
+		AC_MSG_CHECKING(which NetBSD thread library to use)
+
+		AC_ARG_WITH(ptl2,
+[  --with-ptl2		on NetBSD, use the ptl2 thread library (experimental)],
+		    use_ptl2="$withval", use_ptl2="no")
+
+		: ${LOCALBASE:=/usr/pkg}
+
+		if test "X$use_ptl2" = "Xyes"
+		then
+			AC_MSG_RESULT(PTL2)
+			AC_MSG_WARN(
+[linking with PTL2 is highly experimental and not expected to work])
+			CC=ptlgcc
+		else
+			if test ! -d $LOCALBASE/pthreads
+			then
+				AC_MSG_RESULT(none)
+				use_threads=false
+			fi
+
+			if $use_threads
+			then
+				AC_MSG_RESULT(mit-pthreads/unproven-pthreads)
+				pkg="$LOCALBASE/pthreads"
+				lib1="-L$pkg/lib -Wl,-R$pkg/lib"
+				lib2="-lpthread -lm -lgcc -lpthread"
+				LIBS="$lib1 $lib2 $LIBS"
+				CPPFLAGS="$CPPFLAGS -I$pkg/include"
+				STD_CINCLUDES="$STD_CINCLUDES -I$pkg/include"
+			fi
+		fi
+		;;
+		*)
+			AC_CHECK_LIB(pthread, pthread_create,,
+				AC_CHECK_LIB(pthread, __pthread_create,,
+				AC_CHECK_LIB(pthread, __pthread_create_system,,
+				AC_CHECK_LIB(c_r, pthread_create,,
+				AC_CHECK_LIB(c, pthread_create,,
+				use_threads=false)))))
+		;;
 	esac
-	WANT_THREADS_OBJS="\${WANT_THREADS_OBJS}"
-	thread_dir=pthreads
+fi
 
+if $use_threads
+then
 	#
 	# We'd like to use sigwait() too
 	#
-	AC_CHECK_FUNC(sigwait,
-		      AC_DEFINE(HAVE_SIGWAIT),
-		      AC_CHECK_LIB(c, sigwait,
-		      AC_DEFINE(HAVE_SIGWAIT),
-		      AC_CHECK_LIB(pthread, sigwait,
-				   AC_DEFINE(HAVE_SIGWAIT),
-				   AC_CHECK_LIB(pthread, _Psigwait,
-					        AC_DEFINE(HAVE_SIGWAIT),))))
+	AC_CHECK_LIB(c, sigwait,
+		     AC_DEFINE(HAVE_SIGWAIT),
+		     AC_CHECK_LIB(pthread, sigwait,
+				  AC_DEFINE(HAVE_SIGWAIT),
+				  AC_CHECK_LIB(pthread, _Psigwait,
+					       AC_DEFINE(HAVE_SIGWAIT),))
+	)
 
 	AC_CHECK_FUNC(pthread_attr_getstacksize,
 		      AC_DEFINE(HAVE_PTHREAD_ATTR_GETSTACKSIZE),)
@@ -425,7 +451,6 @@ then
 			AC_DEFINE(POSIX_GETGRNAM_R)
 			;;
 		*hpux11*)
-			AC_DEFINE(NEED_ENDNETGRENT_R)
 			AC_DEFINE(_PTHREADS_DRAFT4)
 			;;
 		#
@@ -441,31 +466,65 @@ then
 	#
 	AC_CHECK_FUNC(sysconf, AC_DEFINE(HAVE_SYSCONF),)
 
+	if test "X$GCC" = "Xyes"; then
+		case "$host" in
+		*-freebsd*)
+			CC="$CC -pthread"
+			CCOPT="$CCOPT -pthread"
+			STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
+			;;
+		*-openbsd*)
+			CC="$CC -pthread"
+			CCOPT="$CCOPT -pthread"
+			;;
+		*-solaris*)
+			LIBS="$LIBS -lthread"
+			;;
+		*-ibm-aix*)
+			STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
+			;;
+		esac
+	else
+		case $host in
+		*-dec-osf*)
+			CC="$CC -pthread"
+			CCOPT="$CCOPT -pthread"
+			;;
+		*-solaris*)
+			CC="$CC -mt"
+			CCOPT="$CCOPT -mt"
+			;;
+		*-ibm-aix*)
+			STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
+			;;
+		*-UnixWare*)
+			CC="$CC -Kthread"
+			CCOPT="$CCOPT -Kthread"
+			;;
+		esac
+	fi
+	ALWAYS_DEFINES="-D_REENTRANT"
+	DO_PTHREADS="#define DO_PTHREADS 1"
+	WANT_IRS_THREADSGR_OBJS="\${WANT_IRS_THREADSGR_OBJS}"
+	WANT_IRS_THREADSPW_OBJS="\${WANT_IRS_THREADSPW_OBJS}"
+	WANT_IRS_THREADS_OBJS="\${WANT_IRS_THREADS_OBJS}"
+	thread_dir=pthreads
 else
 	ALWAYS_DEFINES=""
 	DO_PTHREADS="#undef DO_PTHREADS"
 	WANT_IRS_THREADSGR_OBJS=""
 	WANT_IRS_THREADSPW_OBJS=""
 	WANT_IRS_THREADS_OBJS=""
-	WANT_THREADS_OBJS=""
 	thread_dir=nothreads
 fi
 
+AC_CHECK_FUNC(strlcat, AC_DEFINE(HAVE_STRLCAT))
+
 AC_SUBST(ALWAYS_DEFINES)
 AC_SUBST(DO_PTHREADS)
 AC_SUBST(WANT_IRS_THREADSGR_OBJS)
 AC_SUBST(WANT_IRS_THREADSPW_OBJS)
 AC_SUBST(WANT_IRS_THREADS_OBJS)
-AC_SUBST(WANT_THREADS_OBJS)
-
-AC_CHECK_FUNC(strlcat, AC_DEFINE(HAVE_STRLCAT))
-AC_CHECK_FUNC(memmove, AC_DEFINE(HAVE_MEMMOVE))
-AC_CHECK_FUNC(memchr, AC_DEFINE(HAVE_MEMCHR))
-
-AC_CHECK_FUNC(if_nametoindex,
-	[USE_IFNAMELINKID="#define USE_IFNAMELINKID 1"],
-	[USE_IFNAMELINKID="#undef USE_IFNAMELINKID"])
-AC_SUBST(USE_IFNAMELINKID)
 
 ISC_THREAD_DIR=$thread_dir
 AC_SUBST(ISC_THREAD_DIR)
@@ -518,18 +577,7 @@ MKDEPCFLAGS="-M"
 IRIX_DNSSEC_WARNINGS_HACK=""
 
 if test "X$GCC" = "Xyes"; then
-        AC_MSG_CHECKING(if "$CC" supports -fno-strict-aliasing)
-        SAVE_CFLAGS=$CFLAGS
-        CFLAGS=-fno-strict-aliasing
-        AC_TRY_COMPILE(,, [FNOSTRICTALIASING=yes],[FNOSTRICTALIASING=no])
-        CFLAGS=$SAVE_CFLAGS
-        if test "$FNOSTRICTALIASING" = "yes"; then
-                AC_MSG_RESULT(yes)
-		STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith -fno-strict-aliasing"
-        else
-                AC_MSG_RESULT(no)
-		STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith"
-        fi
+	STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings"
 else
 	case $host in
 	*-dec-osf*)
@@ -549,7 +597,7 @@ else
 			;;
 		*)
 			# Turn off the pointlessly noisy warnings.
-			STD_CWARNINGS="+w1 +W 474,530,2193,2236"
+			STD_CWARNINGS="+w1 +W 474,530"
 			;;
 		esac
 		CCOPT="$CCOPT -Ae -z"
@@ -610,10 +658,6 @@ AC_CHECK_FUNC(catgets, AC_DEFINE(HAVE_CATGETS),)
 case "$host" in
 	mips-sgi-irix*)
 		;;
-	ia64-hp-hpux11.*)
-		AC_CHECK_LIB(socket, socket)
-		AC_CHECK_LIB(nsl, inet_ntoa)
-		;;
 	*)
 		AC_CHECK_LIB(d4r, gethostbyname_r)
 		AC_CHECK_LIB(socket, socket)
@@ -882,12 +926,27 @@ $isc_netinet6in6_hack
 			 ISC_PLATFORM_HAVEIN6PKTINFO="#define ISC_PLATFORM_HAVEIN6PKTINFO 1"],
 			[AC_MSG_RESULT(no -- disabling runtime ipv6 support)
 			 ISC_PLATFORM_HAVEIN6PKTINFO="#undef ISC_PLATFORM_HAVEIN6PKTINFO"])
+
+		AC_MSG_CHECKING(for sockaddr_storage)
+		AC_TRY_COMPILE([
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+$isc_netinetin6_hack
+$isc_netinet6in6_hack
+],
+		[struct sockaddr_storage xyzzy; return (0);],
+			[AC_MSG_RESULT(yes)
+			 HAVE_SOCKADDR_STORAGE="#define HAVE_SOCKADDR_STORAGE 1"],
+			[AC_MSG_RESULT(no)
+			 HAVE_SOCKADDR_STORAGE="#undef HAVE_SOCKADDR_STORAGE"])
 		;;
 	no)
 		HAS_INET6_STRUCTS="#undef HAS_INET6_STRUCTS"
 		NEED_IN6ADDR_ANY="#undef NEED_IN6ADDR_ANY"
 		ISC_PLATFORM_HAVEIN6PKTINFO="#undef ISC_PLATFORM_HAVEIN6PKTINFO"
 		HAVE_SIN6_SCOPE_ID="#define HAVE_SIN6_SCOPE_ID 1"
+		HAVE_SOCKADDR_STORAGE="#undef HAVE_SOCKADDR_STORAGE"
 		ISC_IPV6_H="ipv6.h"
 		ISC_IPV6_O="ipv6.$O"
 		ISC_ISCIPV6_O="unix/ipv6.$O"
@@ -895,18 +954,6 @@ $isc_netinet6in6_hack
 		;;
 esac
 
-AC_MSG_CHECKING(for sockaddr_storage)
-AC_TRY_COMPILE([
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-],
-[struct sockaddr_storage xyzzy; return (0);],
-	[AC_MSG_RESULT(yes)
-	 HAVE_SOCKADDR_STORAGE="#define HAVE_SOCKADDR_STORAGE 1"],
-	[AC_MSG_RESULT(no)
-	 HAVE_SOCKADDR_STORAGE="#undef HAVE_SOCKADDR_STORAGE"])
-
 AC_SUBST(HAS_INET6_STRUCTS)
 AC_SUBST(ISC_PLATFORM_NEEDNETINETIN6H)
 AC_SUBST(ISC_PLATFORM_NEEDNETINET6IN6H)
@@ -1020,20 +1067,13 @@ PORT_DIR=port/unknown
 SOLARIS_BITTYPES="#undef NEED_SOLARIS_BITTYPES"
 BSD_COMP="#undef BSD_COMP"
 USE_FIONBIO_IOCTL="#undef USE_FIONBIO_IOCTL"
-PORT_NONBLOCK="#define PORT_NONBLOCK O_NONBLOCK"
-HAVE_MD5="#undef HAVE_MD5"
-USE_POLL="#undef HAVE_POLL"
-SOLARIS2="#undef SOLARIS2"
 case "$host" in
 	*aix3.2*)	PORT_DIR="port/aix32";;
 	*aix4*)		PORT_DIR="port/aix4";;
-	*aix5*)		PORT_DIR="port/aix5";;
 	*aux3*)		PORT_DIR="port/aux3";;
 	*-bsdi2*)	PORT_DIR="port/bsdos2";;
 	*-bsdi*)	PORT_DIR="port/bsdos";;
-	*-cygwin*)
-			PORT_NONBLOCK="#define PORT_NONBLOCK O_NDELAY"
-			PORT_DIR="port/cygwin";;
+	*-cygwin*)	PORT_DIR="port/cygwin";;
 	*-darwin*)	PORT_DIR="port/darwin";;
 	*-osf*)		PORT_DIR="port/decunix";;
 	*-freebsd*)	PORT_DIR="port/freebsd";;
@@ -1049,46 +1089,30 @@ case "$host" in
 	*-openbsd*)	PORT_DIR="port/openbsd";;
 	*-qnx*)		PORT_DIR="port/qnx";;
 	*-rhapsody*)	PORT_DIR="port/rhapsody";;
-	*-sunos4*)
-			PORT_NONBLOCK="#define PORT_NONBLOCK O_NDELAY"
-			PORT_DIR="port/sunos";;
-	*-solaris2.[[01234]])
+	*-solaris2.[[01234]]*)
 			BSD_COMP="#define BSD_COMP 1"
 			SOLARIS_BITTYPES="#define NEED_SOLARIS_BITTYPES 1"
 			USE_FIONBIO_IOCTL="#define USE_FIONBIO_IOCTL 1"
-			SOLARIS2="#define SOLARIS2 1"
 			PORT_DIR="port/solaris";;
-	*-solaris2.5)
+	*-solaris2.5*)
 			BSD_COMP="#define BSD_COMP 1"
 			SOLARIS_BITTYPES="#define NEED_SOLARIS_BITTYPES 1"
-			SOLARIS2="#define SOLARIS2 1"
-			PORT_DIR="port/solaris";;
-	*-solaris2.[[67]])
-			BSD_COMP="#define BSD_COMP 1"
-			SOLARIS2="#define SOLARIS2 1"
 			PORT_DIR="port/solaris";;
 	*-solaris2*)	BSD_COMP="#define BSD_COMP 1"
-			USE_POLL="#define USE_POLL 1"
-			HAVE_MD5="#define HAVE_MD5 1"
-			SOLARIS2="#define SOLARIS2 1"
 			PORT_DIR="port/solaris";;
 	*-ultrix*)	PORT_DIR="port/ultrix";;
 	*-sco-sysv*uw2.0*)	PORT_DIR="port/unixware20";;
 	*-sco-sysv*uw2.1.2*)	PORT_DIR="port/unixware212";;
 	*-sco-sysv*uw7*)	PORT_DIR="port/unixware7";;
 esac
-
 AC_SUBST(BSD_COMP)
 AC_SUBST(SOLARIS_BITTYPES)
 AC_SUBST(USE_FIONBIO_IOCTL)
-AC_SUBST(PORT_NONBLOCK)
 AC_SUBST(PORT_DIR)
-AC_SUBST(USE_POLL)
-AC_SUBST(HAVE_MD5)
-AC_SUBST(SOLARIS2)
 PORT_INCLUDE=${PORT_DIR}/include
 AC_SUBST(PORT_INCLUDE)
 
+
 #
 # Look for a 4.4BSD or 4.3BSD struct msghdr
 #
@@ -1117,17 +1141,6 @@ AC_TRY_COMPILE([
 	ISC_PLATFORM_NEEDPORTT="#define ISC_PLATFORM_NEEDPORTT 1"])
 AC_SUBST(ISC_PLATFORM_NEEDPORTT)
 
-AC_MSG_CHECKING(for struct timespec)
-AC_TRY_COMPILE([
-#include <sys/types.h>
-#include <time.h>],
-[struct timespec ts = { 0, 0 }; return (0);],
-	[AC_MSG_RESULT(yes)
-	ISC_PLATFORM_NEEDTIMESPEC="#undef ISC_PLATFORM_NEEDTIMESPEC"],
-        [AC_MSG_RESULT(no)
-	ISC_PLATFORM_NEEDTIMESPEC="#define ISC_PLATFORM_NEEDTIMESPEC 1"])
-AC_SUBST(ISC_PLATFORM_NEEDTIMESPEC)
-
 #
 # Check for addrinfo
 #
@@ -1343,10 +1356,6 @@ AC_SUBST(GETGROUPLIST_ARGS)
 
 AC_CHECK_FUNC(setgroupent,,AC_DEFINE(NEED_SETGROUPENT))
 
-case $host in
-ia64-hp-hpux11.*)
-;;
-*)
 AC_CHECK_FUNC(getnetbyaddr_r,
 AC_TRY_COMPILE(
 [
@@ -1421,24 +1430,6 @@ AC_TRY_COMPILE(
 #undef __USE_MISC
 #define __USE_MISC
 [#include <netdb.h>
-int getnetbyaddr_r (in_addr_t, int, struct netent *, struct netent_data *);
-],
-[return (0)],
-[
-NET_R_ARGS="#define NET_R_ARGS struct netent_data *ndptr"
-NET_R_BAD="#define NET_R_BAD (-1)"
-NET_R_COPY="#define NET_R_COPY ndptr"
-NET_R_COPY_ARGS="#define NET_R_COPY_ARGS struct netent_data *ndptr"
-NET_R_OK="#define NET_R_OK 0"
-NET_R_SETANSWER="#undef NET_R_SETANSWER"
-NET_R_RETURN="#define NET_R_RETURN int"
-GETNETBYADDR_ADDR_T="#define GETNETBYADDR_ADDR_T long"
-NETENT_DATA="#define NETENT_DATA 1"
-],
-AC_TRY_COMPILE(
-#undef __USE_MISC
-#define __USE_MISC
-[#include <netdb.h>
 int getnetbyaddr_r (long, int, struct netent *, struct netent_data *);
 ],
 [return (0)],
@@ -1453,27 +1444,6 @@ NET_R_RETURN="#define NET_R_RETURN int"
 GETNETBYADDR_ADDR_T="#define GETNETBYADDR_ADDR_T long"
 NETENT_DATA="#define NETENT_DATA 1"
 ],
-AC_TRY_COMPILE(
-#undef __USE_MISC
-#define __USE_MISC
-[#include <netdb.h>
-int getnetbyaddr_r (uint32_t, int, struct netent *,
-                    char *, size_t, struct netent **, int *);
-],
-[return (0)],
-[
-NET_R_ARGS="#define NET_R_ARGS char *buf, size_t buflen, struct netent **answerp, int *h_errnop"
-NET_R_BAD="#define NET_R_BAD ERANGE"
-NET_R_COPY="#define NET_R_COPY buf, buflen"
-NET_R_COPY_ARGS="#define NET_R_COPY_ARGS char *buf, size_t buflen"
-NET_R_OK="#define NET_R_OK 0"
-NET_R_SETANSWER="#define NET_R_SETANSWER 1"
-NET_R_RETURN="#define NET_R_RETURN int"
-GETNETBYADDR_ADDR_T="#define GETNETBYADDR_ADDR_T unsigned long int"
-NETENT_DATA="#undef NETENT_DATA"
-],
-)
-)
 )
 )
 )
@@ -1489,8 +1459,6 @@ NET_R_RETURN="#define NET_R_RETURN struct netent *"
 GETNETBYADDR_ADDR_T="#define GETNETBYADDR_ADDR_T long"
 NETENT_DATA="#undef NETENT_DATA"
 )
-esac
-
 case "$host" in
 *dec-osf*) GETNETBYADDR_ADDR_T="#define GETNETBYADDR_ADDR_T int" ;;
 esac
@@ -1539,11 +1507,6 @@ AC_SUBST(NET_R_ENT_ARGS)
 AC_SUBST(NET_R_SET_RESULT)
 AC_SUBST(NET_R_SET_RETURN)
 
-
-case $host in
-ia64-hp-hpux11.*)
-;;
-*)
 AC_CHECK_FUNC(endnetent_r,
 AC_TRY_COMPILE(
 [
@@ -1588,7 +1551,6 @@ NET_R_END_RETURN="#define NET_R_END_RETURN void"
 NET_R_END_RESULT="#define NET_R_END_RESULT(x) /*empty*/"
 NET_R_END_RETURN="#define NET_R_END_RETURN void"
 )
-esac
 AC_SUBST(NET_R_END_RESULT)
 AC_SUBST(NET_R_END_RETURN)
 
@@ -1641,10 +1603,6 @@ AC_SUBST(GROUP_R_SET_RESULT)
 AC_SUBST(GROUP_R_SET_RETURN)
 
 
-case $host in
-ia64-hp-hpux11.*)
-;;
-*)
 AC_CHECK_FUNC(gethostbyname_r,
 AC_TRY_COMPILE(
 [
@@ -1679,7 +1637,7 @@ HOST_R_ARGS="#define HOST_R_ARGS struct hostent_data *hdptr"
 HOST_R_BAD="#define HOST_R_BAD (-1)"
 HOST_R_COPY="#define HOST_R_COPY hdptr"
 HOST_R_COPY_ARGS="#define HOST_R_COPY_ARGS HOST_R_ARGS"
-HOST_R_ERRNO="#undef HOST_R_ERRNO"
+HOST_R_ERRNO="#define HOST_R_ERRNO NULL"
 HOST_R_OK="#define HOST_R_OK 0"
 HOST_R_RETURN="#define HOST_R_RETURN int"
 HOST_R_SETANSWER="#undef HOST_R_SETANSWER"
@@ -1717,7 +1675,6 @@ HOST_R_RETURN="#define HOST_R_RETURN struct hostent *"
 HOST_R_SETANSWER="#undef HOST_R_SETANSWER"
 HOSTENT_DATA="#undef HOSTENT_DATA"
 )
-esac
 AC_SUBST(HOST_R_ARGS)
 AC_SUBST(HOST_R_BAD)
 AC_SUBST(HOST_R_COPY)
@@ -1728,10 +1685,6 @@ AC_SUBST(HOST_R_RETURN)
 AC_SUBST(HOST_R_SETANSWER)
 AC_SUBST(HOSTENT_DATA)
 
-case $host in
-ia64-hp-hpux11.*)
-;;
-*)
 AC_CHECK_FUNC(endhostent_r,
 AC_TRY_COMPILE([
 #undef _REENTRANT
@@ -1777,15 +1730,10 @@ HOST_R_END_RESULT="#define HOST_R_END_RESULT(x) /*empty*/"
 HOST_R_END_RETURN="#define HOST_R_END_RETURN void"
 HOST_R_ENT_ARGS="#undef HOST_R_ENT_ARGS /*empty*/"
 )
-esac;
 AC_SUBST(HOST_R_END_RESULT)
 AC_SUBST(HOST_R_END_RETURN)
 AC_SUBST(HOST_R_ENT_ARGS)
 
-case $host in
-ia64-hp-hpux11.*)
-;;
-*)
 AC_CHECK_FUNC(sethostent_r,
 AC_TRY_COMPILE([
 #undef _REENTRANT
@@ -1821,7 +1769,6 @@ HOST_R_SET_RETURN="#define HOST_R_SET_RETURN void"],
 HOST_R_SET_RESULT="#undef HOST_R_SET_RESULT"
 HOST_R_SET_RETURN="#define HOST_R_SET_RETURN void"
 )
-esac
 AC_SUBST(HOST_R_SET_RESULT)
 AC_SUBST(HOST_R_SET_RETURN)
 
@@ -1863,10 +1810,6 @@ SETGRENT_VOID="#undef SETGRENT_VOID"
 )
 AC_SUBST(SETGRENT_VOID)
 
-case $host in
-ia64-hp-hpux11.*)
-;;
-*)
 AC_CHECK_FUNC(getnetgrent_r,
 AC_TRY_COMPILE(
 [
@@ -1934,7 +1877,6 @@ NGR_R_COPY_ARGS="#define NGR_R_COPY_ARGS NGR_R_ARGS"
 NGR_R_OK="#define NGR_R_OK 1"
 NGR_R_RETURN="#define NGR_R_RETURN int"
 )
-esac
 AC_SUBST(NGR_R_ARGS)
 AC_SUBST(NGR_R_BAD)
 AC_SUBST(NGR_R_COPY)
@@ -1944,28 +1886,9 @@ AC_SUBST(NGR_R_RETURN)
 AC_SUBST(NGR_R_PRIVATE)
 
 AC_CHECK_FUNC(endnetgrent_r,
-AC_TRY_COMPILE(
-[
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-void endnetgrent_r(void **ptr);
-]
-,
-[return (0);]
-,
-[
-NGR_R_END_RESULT="#define NGR_R_END_RESULT(x)  /* empty */"
-NGR_R_END_RETURN="#define NGR_R_END_RETURN void"
-NGR_R_ENT_ARGS="#define NGR_R_ENT_ARGS NGR_R_ARGS"
-]
-,
-[
 NGR_R_END_RESULT="#define NGR_R_END_RESULT(x)  return (x)"
 NGR_R_END_RETURN="#define NGR_R_END_RETURN int"
 NGR_R_ENT_ARGS="#define NGR_R_ENT_ARGS NGR_R_ARGS"
-]
-)
 ,
 NGR_R_END_RESULT="#define NGR_R_END_RESULT(x)  /*empty*/"
 NGR_R_END_RETURN="#define NGR_R_END_RETURN void"
@@ -1998,10 +1921,6 @@ AC_SUBST(NGR_R_SET_RETURN)
 
 AC_CHECK_FUNC(innetgr_r,,AC_DEFINE(NEED_INNETGR_R))
 
-case $host in
-ia64-hp-hpux11.*)
-;;
-*)
 AC_CHECK_FUNC(getprotoent_r,
 AC_TRY_COMPILE(
 [
@@ -2022,7 +1941,6 @@ PROTO_R_COPY_ARGS="#define PROTO_R_COPY_ARGS PROTO_R_ARGS"
 PROTO_R_OK="#define PROTO_R_OK pptr"
 PROTO_R_SETANSWER="#undef PROTO_R_SETANSWER"
 PROTO_R_RETURN="#define PROTO_R_RETURN struct protoent *"
-PROTOENT_DATA="#undef PROTOENT_DATA"
 ]
 ,
 AC_TRY_COMPILE(
@@ -2044,32 +1962,8 @@ PROTO_R_COPY_ARGS="#define PROTO_R_COPY_ARGS char *buf, size_t buflen"
 PROTO_R_OK="#define PROTO_R_OK 0"
 PROTO_R_SETANSWER="#define PROTO_R_SETANSWER 1"
 PROTO_R_RETURN="#define PROTO_R_RETURN int"
-PROTOENT_DATA="#undef PROTOENT_DATA"
 ]
 ,
-AC_TRY_COMPILE(
-[
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-int getprotoent_r (struct protoent *, struct protoent_data *prot_data);
-
-]
-,
-[return (0);]
-,
-[
-PROTO_R_ARGS="#define PROTO_R_ARGS struct protoent_data *prot_data"
-PROTO_R_BAD="#define PROTO_R_BAD (-1)"
-PROTO_R_COPY="#define PROTO_R_COPY prot_data"
-PROTO_R_COPY_ARGS="#define PROTO_R_COPY_ARGS struct protoent_data *pdptr"
-PROTO_R_OK="#define PROTO_R_OK 0"
-PROTO_R_SETANSWER="#undef PROTO_R_SETANSWER"
-PROTO_R_RETURN="#define PROTO_R_RETURN int"
-PROTOENT_DATA="#define PROTOENT_DATA 1"
-]
-,
-)
 )
 )
 ,
@@ -2080,10 +1974,7 @@ PROTO_R_COPY_ARGS="#define PROTO_R_COPY_ARGS PROTO_R_ARGS"
 PROTO_R_OK="#define PROTO_R_OK pptr"
 PROTO_R_SETANSWER="#undef PROTO_R_SETANSWER"
 PROTO_R_RETURN="#define PROTO_R_RETURN struct protoent *"
-PROTOENT_DATA="#undef PROTOENT_DATA"
 )
-;;
-esac
 AC_SUBST(PROTO_R_ARGS)
 AC_SUBST(PROTO_R_BAD)
 AC_SUBST(PROTO_R_COPY)
@@ -2091,12 +1982,7 @@ AC_SUBST(PROTO_R_COPY_ARGS)
 AC_SUBST(PROTO_R_OK)
 AC_SUBST(PROTO_R_SETANSWER)
 AC_SUBST(PROTO_R_RETURN)
-AC_SUBST(PROTOENT_DATA)
 
-case $host in
-ia64-hp-hpux11.*)
-;;
-*)
 AC_CHECK_FUNC(endprotoent_r,
 AC_TRY_COMPILE(
 [
@@ -2112,62 +1998,18 @@ void endprotoent_r(void);
 PROTO_R_END_RESULT="#define PROTO_R_END_RESULT(x) /*empty*/"
 PROTO_R_END_RETURN="#define PROTO_R_END_RETURN void"
 PROTO_R_ENT_ARGS="#undef PROTO_R_ENT_ARGS"
-PROTO_R_ENT_UNUSED="#undef PROTO_R_ENT_UNUSED"
-]
-,
-AC_TRY_COMPILE(
-[
-#undef _REENTRANT
-#define _REENTRANT
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-void endprotoent_r(struct protoent_data *);
-]
-,,
-[
-PROTO_R_END_RESULT="#define PROTO_R_END_RESULT(x) /*empty*/"
-PROTO_R_END_RETURN="#define PROTO_R_END_RETURN void"
-PROTO_R_ENT_ARGS="#define PROTO_R_ENT_ARGS struct protoent_data *proto_data"
-PROTO_R_ENT_UNUSED="#define PROTO_R_ENT_UNUSED UNUSED(proto_data)"
-]
-,
-AC_TRY_COMPILE(
-[
-#undef _REENTRANT
-#define _REENTRANT
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-int endprotoent_r(struct protoent_data *);
-]
-,,
-[
-PROTO_R_END_RESULT="#define PROTO_R_END_RESULT(x) return(0)"
-PROTO_R_END_RETURN="#define PROTO_R_END_RETURN int"
-PROTO_R_ENT_ARGS="#define PROTO_R_ENT_ARGS struct protoent_data *proto_data"
-PROTO_R_ENT_UNUSED="#define PROTO_R_ENT_UNUSED UNUSED(proto_data)"
 ]
 ,
 )
-)
-)
 ,
 PROTO_R_END_RESULT="#define PROTO_R_END_RESULT(x) /*empty*/"
 PROTO_R_END_RETURN="#define PROTO_R_END_RETURN void"
 PROTO_R_ENT_ARGS="#undef PROTO_R_ENT_ARGS /*empty*/"
-PROTO_R_ENT_UNUSED="#undef PROTO_R_ENT_UNUSED"
 )
-esac
 AC_SUBST(PROTO_R_END_RESULT)
 AC_SUBST(PROTO_R_END_RETURN)
 AC_SUBST(PROTO_R_ENT_ARGS)
-AC_SUBST(PROTO_R_ENT_UNUSED)
 
-case $host in
-ia64-hp-hpux11.*)
-;;
-*)
 AC_CHECK_FUNC(setprotoent_r,
 AC_TRY_COMPILE(
 [
@@ -2181,25 +2023,11 @@ void               setprotoent_r __P((int));
 PROTO_R_SET_RESULT="#undef PROTO_R_SET_RESULT"
 PROTO_R_SET_RETURN="#define PROTO_R_SET_RETURN void"
 ,
-AC_TRY_COMPILE(
-[
-#undef _REENTRANT
-#define _REENTRANT
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-int setprotoent_r (int, struct protoent_data *);
-],[],
-PROTO_R_SET_RESULT="#define PROTO_R_SET_RESULT (0)"
-PROTO_R_SET_RETURN="#define PROTO_R_SET_RETURN int"
-,
-)
 )
 ,
 PROTO_R_SET_RESULT="#undef PROTO_R_SET_RESULT"
 PROTO_R_SET_RETURN="#define PROTO_R_SET_RETURN void"
 )
-esac
 AC_SUBST(PROTO_R_SET_RESULT)
 AC_SUBST(PROTO_R_SET_RETURN)
 
@@ -2289,10 +2117,6 @@ AC_SUBST(PASS_R_SET_RETURN)
 AC_CHECK_FUNC(getpwnam_r,,AC_DEFINE(NEED_GETPWNAM_R))
 AC_CHECK_FUNC(getpwuid_r,,AC_DEFINE(NEED_GETPWUID_R))
 
-case $host in
-ia64-hp-hpux11.*)
-;;
-*)
 AC_CHECK_FUNC(getservent_r,
 AC_TRY_COMPILE([
 #undef __USE_MISC
@@ -2328,25 +2152,6 @@ SERV_R_SETANSWER="#define SERV_R_SETANSWER 1"
 SERV_R_RETURN="#define SERV_R_RETURN int"
 ]
 ,
-AC_TRY_COMPILE([
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-int
-getservent_r (struct servent *, struct servent_data *serv_data);
-],[return (0);],
-[
-SERV_R_ARGS="#define SERV_R_ARGS struct servent_data *serv_data"
-SERV_R_BAD="#define SERV_R_BAD (-1)"
-SERV_R_COPY="#define SERV_R_COPY serv_data"
-SERV_R_COPY_ARGS="#define SERV_R_COPY_ARGS struct servent_data *sdptr"
-SERV_R_OK="#define SERV_R_OK (0)"
-SERV_R_SETANSWER="#undef SERV_R_SETANSWER"
-SERV_R_RETURN="#define SERV_R_RETURN int"
-SERVENT_DATA="#define SERVENT_DATA 1"
-]
-,
-)
 )
 )
 ,
@@ -2358,7 +2163,6 @@ SERV_R_OK="#define SERV_R_OK sptr"
 SERV_R_SETANSWER="#undef SERV_R_SETANSWER"
 SERV_R_RETURN="#define SERV_R_RETURN struct servent *"
 )
-esac
 AC_SUBST(SERV_R_ARGS)
 AC_SUBST(SERV_R_BAD)
 AC_SUBST(SERV_R_COPY)
@@ -2366,12 +2170,7 @@ AC_SUBST(SERV_R_COPY_ARGS)
 AC_SUBST(SERV_R_OK)
 AC_SUBST(SERV_R_SETANSWER)
 AC_SUBST(SERV_R_RETURN)
-AC_SUBST(SERVENT_DATA)
 
-case $host in
-ia64-hp-hpux11.*)
-;;
-*)
 AC_CHECK_FUNC(endservent_r,
 AC_TRY_COMPILE(
 [
@@ -2388,64 +2187,18 @@ void endservent_r(void);
 SERV_R_END_RESULT="#define SERV_R_END_RESULT(x) /*empty*/"
 SERV_R_END_RETURN="#define SERV_R_END_RETURN void "
 SERV_R_ENT_ARGS="#undef SERV_R_ENT_ARGS /*empty*/"
-SERV_R_ENT_UNUSED="#undef SERV_R_ENT_UNUSED /*empty*/"
-]
-,
-AC_TRY_COMPILE(
-[
-#undef _REENTRANT
-#define _REENTRANT
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-void endservent_r(struct servent_data *serv_data);
-]
-,
-,
-[
-SERV_R_END_RESULT="#define SERV_R_END_RESULT(x) /*empty*/"
-SERV_R_END_RETURN="#define SERV_R_END_RETURN void "
-SERV_R_ENT_ARGS="#define SERV_R_ENT_ARGS struct servent_data *serv_data"
-SERV_R_ENT_UNUSED="#define SERV_R_ENT_UNUSED UNUSED(serv_data)"
 ]
 ,
-AC_TRY_COMPILE(
-[
-#undef _REENTRANT
-#define _REENTRANT
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-int endservent_r(struct servent_data *serv_data);
-]
-,
-,
-[
-SERV_R_END_RESULT="#define SERV_R_END_RESULT(x) return(x)"
-SERV_R_END_RETURN="#define SERV_R_END_RETURN int "
-SERV_R_ENT_ARGS="#define SERV_R_ENT_ARGS struct servent_data *serv_data"
-SERV_R_ENT_UNUSED="#define SERV_R_ENT_UNUSED UNUSED(serv_data)"
-]
-,
-)
-)
 )
 ,
 SERV_R_END_RESULT="#define SERV_R_END_RESULT(x) /*empty*/"
 SERV_R_END_RETURN="#define SERV_R_END_RETURN void "
 SERV_R_ENT_ARGS="#undef SERV_R_ENT_ARGS /*empty*/"
-SERV_R_ENT_UNUSED="#undef SERV_R_ENT_UNUSED /*empty*/"
 )
-esac
 AC_SUBST(SERV_R_END_RESULT)
 AC_SUBST(SERV_R_END_RETURN)
 AC_SUBST(SERV_R_ENT_ARGS)
-AC_SUBST(SERV_R_ENT_UNUSED)
 
-case $host in
-ia64-hp-hpux11.*)
-;;
-*)
 AC_CHECK_FUNC(setservent_r,
 AC_TRY_COMPILE(
 [
@@ -2454,7 +2207,7 @@ AC_TRY_COMPILE(
 #undef __USE_MISC
 #define __USE_MISC
 #include <netdb.h>
-void setservent_r(int);
+void            setservent_r(int);
 ]
 ,,
 [
@@ -2462,28 +2215,11 @@ SERV_R_SET_RESULT="#undef SERV_R_SET_RESULT"
 SERV_R_SET_RETURN="#define SERV_R_SET_RETURN void"
 ]
 ,
-AC_TRY_COMPILE(
-[
-#undef _REENTRANT
-#define _REENTRANT
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-int setservent_r(int, struct servent_data *);
-]
-,,
-[
-SERV_R_SET_RESULT="#define SERV_R_SET_RESULT (0)"
-SERV_R_SET_RETURN="#define SERV_R_SET_RETURN int"
-]
-,
-)
 )
 ,
 SERV_R_SET_RESULT="#undef SERV_R_SET_RESULT"
 SERV_R_SET_RETURN="#define SERV_R_SET_RETURN void"
 )
-esac
 AC_SUBST(SERV_R_SET_RESULT)
 AC_SUBST(SERV_R_SET_RETURN)
 
@@ -2557,16 +2293,11 @@ AC_SUBST(INNETGR_ARGS)
 # Random remaining OS-specific issues involving compiler warnings.
 # XXXDCL print messages to indicate some compensation is being done?
 #
+AC_SUBST(ISC_PLATFORM_BRACEPTHREADONCEINIT)
+ISC_PLATFORM_BRACEPTHREADONCEINIT="#undef ISC_PLATFORM_BRACEPTHREADONCEINIT"
 BROKEN_IN6ADDR_INIT_MACROS="#undef BROKEN_IN6ADDR_INIT_MACROS"
 
 case "$host" in
-	*-aix5.1.*)
-		hack_shutup_pthreadmutexinit=yes
-		hack_shutup_in6addr_init_macros=yes
-		;;
-	*-aix5.[[23]].*)
-		hack_shutup_in6addr_init_macros=yes
-		;;
 	*-bsdi3.1*)
 		hack_shutup_sputaux=yes
 		;;
@@ -2578,30 +2309,18 @@ case "$host" in
 	*-bsdi4.1*)
 		hack_shutup_stdargcast=yes
 		;;
-	*-hpux11.11)
-		hack_shutup_in6addr_init_macros=yes
-		;;
-	*-osf5.1|*-osf5.1b)
-		hack_shutup_in6addr_init_macros=yes
-		;;
 	*-solaris2.8)
-		hack_shutup_in6addr_init_macros=yes
-		;;
-	*-solaris2.9)
-		hack_shutup_in6addr_init_macros=yes
-		;;
-	*-solaris2.10)
+		hack_shutup_pthreadonceinit=yes
 		hack_shutup_in6addr_init_macros=yes
 		;;
 esac
 
-case "$hack_shutup_pthreadmutexinit" in
+case "$hack_shutup_pthreadonceinit" in
 	yes)
 		#
-		# Shut up PTHREAD_MUTEX_INITIALIZER unbraced
-		# initializer warnings.
+		# Shut up PTHREAD_ONCE_INIT unbraced initializer warnings.
 		#
-		AC_DEFINE(SHUTUP_MUTEX_INITIALIZER)
+		ISC_PLATFORM_BRACEPTHREADONCEINIT="#define ISC_PLATFORM_BRACEPTHREADONCEINIT 1"
 		;;
 esac
 
@@ -2634,7 +2353,7 @@ esac
 
 case "$hack_shutup_in6addr_init_macros" in
 	yes)
-		AC_DEFINE(BROKEN_IN6ADDR_INIT_MACROS, 1, [Defined if IN6ADDR_ANY_INIT and IN6ADDR_LOOPBACK_INIT need to be redefined.] )
+		AC_DEFINE(BROKEN_IN6ADDR_INIT_MACROS)
 		;;
 esac
 
diff --git a/lib/bind/dst/Makefile.in b/lib/bind/dst/Makefile.in
index 7ce858ea..8b306591 100644
--- a/lib/bind/dst/Makefile.in
+++ b/lib/bind/dst/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.5.2.1 2004/03/09 06:10:44 marka Exp $
+# $Id: Makefile.in,v 1.5.206.1 2004/03/06 08:13:22 marka Exp $
  
 srcdir=		@srcdir@
 VPATH =         @srcdir@
diff --git a/lib/bind/dst/dst_api.c b/lib/bind/dst/dst_api.c
index 0b122068..9b787389 100644
--- a/lib/bind/dst/dst_api.c
+++ b/lib/bind/dst/dst_api.c
@@ -1,5 +1,5 @@
 #ifndef LINT
-static const char rcsid[] = "$Header: /proj/cvs/prod/bind9/lib/bind/dst/dst_api.c,v 1.4.2.10 2006/03/10 00:18:22 marka Exp $";
+static const char rcsid[] = "$Header: /proj/cvs/prod/bind9/lib/bind/dst/dst_api.c,v 1.4.2.6 2002/07/12 00:17:19 marka Exp $";
 #endif
 
 /*
@@ -170,10 +170,6 @@ dst_s_get_key_struct(const char *name, const int alg, const int flags,
 
 	memset(new_key, 0, sizeof(*new_key));
 	new_key->dk_key_name = strdup(name);
-	if (new_key->dk_key_name == NULL) {
-		free(new_key);
-		return (NULL);
-	}
 	new_key->dk_alg = alg;
 	new_key->dk_flags = flags;
 	new_key->dk_proto = protocol;
@@ -340,10 +336,7 @@ dst_read_key(const char *in_keyname, const u_int16_t in_id,
 	if (in_keyname == NULL) {
 		EREPORT(("dst_read_private_key(): Null key name passed in\n"));
 		return (NULL);
-	} else if (strlen(in_keyname) >= sizeof(keyname)) {
-		EREPORT(("dst_read_private_key(): keyname too big\n"));
-		return (NULL);
-	} else 
+	} else
 		strcpy(keyname, in_keyname);
 
 	/* before I read in the public key, check if it is allowed to sign */
@@ -354,7 +347,7 @@ dst_read_key(const char *in_keyname, const u_int16_t in_id,
 		return pubkey; 
 
 	if (!(dg_key = dst_s_get_key_struct(keyname, pubkey->dk_alg,
-					    pubkey->dk_flags, pubkey->dk_proto,
+					 pubkey->dk_flags, pubkey->dk_proto,
 					    0)))
 		return (dg_key);
 	/* Fill in private key and some fields in the general key structure */
@@ -659,13 +652,11 @@ dst_dnskey_to_key(const char *in_name, const u_char *rdata, const int len)
 			 alg));
 		return (NULL);
 	}
-
-	if (in_name == NULL)
-		return (NULL);
-
 	if ((key_st = dst_s_get_key_struct(in_name, alg, 0, 0, 0)) == NULL)
 		return (NULL);
 
+	if (in_name == NULL)
+		return (NULL);
 	key_st->dk_id = dst_s_dns_key_id(rdata, len);
 	key_st->dk_flags = dst_s_get_int16(rdata);
 	key_st->dk_proto = (u_int16_t) rdata[DST_KEY_PROT];
@@ -778,11 +769,13 @@ dst_buffer_to_key(const char *key_name,		/* name of the key */
 		return (NULL);
 	}
 
-	dkey = dst_s_get_key_struct(key_name, alg, flags, protocol, -1);
+	dkey = dst_s_get_key_struct(key_name, alg, flags, 
+					     protocol, -1);
 
-	if (dkey == NULL || dkey->dk_func == NULL ||
-	    dkey->dk_func->from_dns_key == NULL) 
-		return (dst_free_key(dkey));
+	if (dkey == NULL)
+		return (NULL);
+	if (dkey->dk_func == NULL || dkey->dk_func->from_dns_key == NULL)
+		return NULL;
 
 	if (dkey->dk_func->from_dns_key(dkey, key_buf, key_len) < 0) {
 		EREPORT(("dst_buffer_to_key(): dst_buffer_to_hmac failed\n"));
@@ -868,8 +861,7 @@ dst_s_read_private_key_file(char *name, DST_KEY *pk_key, u_int16_t in_id,
 	len = cnt;
 	p = in_buff;
 
-	if (!dst_s_verify_str((const char **) (void *)&p,
-			       "Private-key-format: v")) {
+	if (!dst_s_verify_str((const char **) &p, "Private-key-format: v")) {
 		EREPORT(("dst_s_read_private_key_file(): Not a Key file/Decrypt failed %s\n", name));
 		goto fail;
 	}
@@ -887,7 +879,7 @@ dst_s_read_private_key_file(char *name, DST_KEY *pk_key, u_int16_t in_id,
 
 	while (*p++ != '\n') ;	/* skip to end of line */
 
-	if (!dst_s_verify_str((const char **) (void *)&p, "Algorithm: "))
+	if (!dst_s_verify_str((const char **) &p, "Algorithm: "))
 		goto fail;
 
 	if (sscanf((char *)p, "%d", &alg) != 1)
@@ -960,6 +952,7 @@ dst_generate_key(const char *name, const int bits, const int exp,
 		 const int flags, const int protocol, const int alg)
 {
 	DST_KEY *new_key = NULL;
+	int res;
 	int dnslen;
 	u_char dns[2048];
 
@@ -981,7 +974,7 @@ dst_generate_key(const char *name, const int bits, const int exp,
 			 alg));
 		return (dst_free_key(new_key));
 	}
-	if (new_key->dk_func->generate(new_key, exp) <= 0) {
+	if ((res = new_key->dk_func->generate(new_key, exp)) <= 0) {
 		EREPORT(("dst_generate_key_pair(): Key generation failure %s %d %d %d\n",
 			 new_key->dk_key_name, new_key->dk_alg,
 			 new_key->dk_key_size, exp));
@@ -1017,6 +1010,7 @@ dst_free_key(DST_KEY *f_key)
 	else {
 		EREPORT(("dst_free_key(): Unknown key alg %d\n",
 			 f_key->dk_alg));
+		free(f_key->dk_KEY_struct);	/* SHOULD NOT happen */
 	}
 	if (f_key->dk_KEY_struct) {
 		free(f_key->dk_KEY_struct);
diff --git a/lib/bind/dst/hmac_link.c b/lib/bind/dst/hmac_link.c
index 0b523280..8a641d0b 100644
--- a/lib/bind/dst/hmac_link.c
+++ b/lib/bind/dst/hmac_link.c
@@ -1,6 +1,6 @@
 #ifdef HMAC_MD5
 #ifndef LINT
-static const char rcsid[] = "$Header: /proj/cvs/prod/bind9/lib/bind/dst/hmac_link.c,v 1.2.2.4 2007/02/26 02:00:13 marka Exp $";
+static const char rcsid[] = "$Header: /proj/cvs/prod/bind9/lib/bind/dst/hmac_link.c,v 1.2.2.1 2003/06/27 03:51:36 marka Exp $";
 #endif
 /*
  * Portions Copyright (c) 1995-1998 by Trusted Information Systems, Inc.
@@ -36,15 +36,8 @@ static const char rcsid[] = "$Header: /proj/cvs/prod/bind9/lib/bind/dst/hmac_lin
 #include <resolv.h>
 
 #include "dst_internal.h"
-
 #ifdef USE_MD5
-# ifndef HAVE_MD5
-#  include "md5.h"
-# else
-#  ifdef SOLARIS2
-#   include <sys/md5.h>
-#  endif
-# endif
+# include "md5.h"
 # ifndef _MD5_H_
 #  define _MD5_H_ 1	/* make sure we do not include rsaref md5.h file */
 # endif
@@ -93,9 +86,6 @@ dst_hmac_md5_sign(const int mode, DST_KEY *d_key, void **context,
 	int sign_len = 0;
 	MD5_CTX *ctx = NULL;
 
-	if (d_key == NULL || d_key->dk_KEY_struct == NULL)
-		return (-1);
-
 	if (mode & SIG_MODE_INIT) 
 		ctx = (MD5_CTX *) malloc(sizeof(*ctx));
 	else if (context)
@@ -103,6 +93,8 @@ dst_hmac_md5_sign(const int mode, DST_KEY *d_key, void **context,
 	if (ctx == NULL) 
 		return (-1);
 
+	if (d_key == NULL || d_key->dk_KEY_struct == NULL)
+		return (-1);
 	key = (HMAC_Key *) d_key->dk_KEY_struct;
 
 	if (mode & SIG_MODE_INIT) {
@@ -161,9 +153,6 @@ dst_hmac_md5_verify(const int mode, DST_KEY *d_key, void **context,
 	HMAC_Key *key;
 	MD5_CTX *ctx = NULL;
 
-	if (d_key == NULL || d_key->dk_KEY_struct == NULL)
-		return (-1);
-
 	if (mode & SIG_MODE_INIT) 
 		ctx = (MD5_CTX *) malloc(sizeof(*ctx));
 	else if (context)
@@ -171,6 +160,9 @@ dst_hmac_md5_verify(const int mode, DST_KEY *d_key, void **context,
 	if (ctx == NULL) 
 		return (-1);
 
+	if (d_key == NULL || d_key->dk_KEY_struct == NULL)
+		return (-1);
+
 	key = (HMAC_Key *) d_key->dk_KEY_struct;
 	if (mode & SIG_MODE_INIT) {
 		MD5Init(ctx);
@@ -273,21 +265,16 @@ dst_buffer_to_hmac_md5(DST_KEY *dkey, const u_char *key, const int keylen)
 
 static int
 dst_hmac_md5_key_to_file_format(const DST_KEY *dkey, char *buff,
-			        const int buff_len)
+			    const int buff_len)
 {
 	char *bp;
-	int len, i, key_len;
+	int len, b_len, i, key_len;
 	u_char key[HMAC_LEN];
 	HMAC_Key *hkey;
 
 	if (dkey == NULL || dkey->dk_KEY_struct == NULL) 
 		return (0);
-	/*
-	 * Using snprintf() would be so much simpler here.
-	 */
-	if (buff == NULL ||
-	    buff_len <= (int)(strlen(key_file_fmt_str) +
-			      strlen(KEY_FILE_FORMAT) + 4))
+	if (buff == NULL || buff_len <= (int) strlen(key_file_fmt_str))
 		return (-1);	/* no OR not enough space in output area */
 
 	hkey = (HMAC_Key *) dkey->dk_KEY_struct;
@@ -295,7 +282,8 @@ dst_hmac_md5_key_to_file_format(const DST_KEY *dkey, char *buff,
 	/* write file header */
 	sprintf(buff, key_file_fmt_str, KEY_FILE_FORMAT, KEY_HMAC_MD5, "HMAC");
 
-	bp = buff + strlen(buff);
+	bp = (char *) strchr(buff, '\0');
+	b_len = buff_len - (bp - buff);
 
 	memset(key, 0, HMAC_LEN);
 	for (i = 0; i < HMAC_LEN; i++)
@@ -305,21 +293,19 @@ dst_hmac_md5_key_to_file_format(const DST_KEY *dkey, char *buff,
 			break;
 	key_len = i + 1;
 
-	if (buff_len - (bp - buff) < 6)
-		return (-1);
 	strcat(bp, "Key: ");
 	bp += strlen("Key: ");
+	b_len = buff_len - (bp - buff);
 
-	len = b64_ntop(key, key_len, bp, buff_len - (bp - buff));
+	len = b64_ntop(key, key_len, bp, b_len);
 	if (len < 0) 
 		return (-1);
 	bp += len;
-	if (buff_len - (bp - buff) < 2)
-		return (-1);
 	*(bp++) = '\n';
 	*bp = '\0';
+	b_len = buff_len - (bp - buff);
 
-	return (bp - buff);
+	return (buff_len - b_len);
 }
 
 
@@ -341,9 +327,9 @@ dst_hmac_md5_key_from_file_format(DST_KEY *dkey, const char *buff,
 {
 	const char *p = buff, *eol;
 	u_char key[HMAC_LEN+1];	/* b64_pton needs more than 64 bytes do decode
-				 * it should probably be fixed rather than doing
-				 * this
-				 */
+							 * it should probably be fixed rather than doing
+							 * this
+							 */
 	u_char *tmp;
 	int key_len, len;
 
@@ -362,8 +348,6 @@ dst_hmac_md5_key_from_file_format(DST_KEY *dkey, const char *buff,
 		return (-4);
 	len = eol - p;
 	tmp = malloc(len + 2);
-	if (tmp == NULL)
-		return (-5);
 	memcpy(tmp, p, len);
 	*(tmp + len) = 0x0;
 	key_len = b64_pton((char *)tmp, key, HMAC_LEN+1);	/* see above */
@@ -454,11 +438,7 @@ dst_hmac_md5_generate_key(DST_KEY *key, const int nothing)
  *	   related functions 
  */
 int
-#ifdef	SUNW_LIBMD5
-dst_md5_hmac_init()
-#else
 dst_hmac_md5_init()
-#endif
 {
 	if (dst_t_func[KEY_HMAC_MD5] != NULL)
 		return (1);
diff --git a/lib/bind/dst/md5.h b/lib/bind/dst/md5.h
index 6525662b..c886d17b 100644
--- a/lib/bind/dst/md5.h
+++ b/lib/bind/dst/md5.h
@@ -59,8 +59,6 @@
 #ifndef HEADER_MD5_H
 #define HEADER_MD5_H
 
-#ifndef	HAVE_MD5
-
 #ifdef  __cplusplus
 extern "C" {
 #endif
@@ -101,6 +99,3 @@ unsigned char *MD5();
 #endif
 
 #endif
-#else 
-#include <sys/md5.h>
-#endif /* HAVE_MD5 */
diff --git a/lib/bind/dst/md5_dgst.c b/lib/bind/dst/md5_dgst.c
index ba0a5a13..48c327ea 100644
--- a/lib/bind/dst/md5_dgst.c
+++ b/lib/bind/dst/md5_dgst.c
@@ -58,7 +58,6 @@
 
 #ifdef USE_MD5 /* Added by ogud@tis.com 1998/1/26 */
 #include <port_before.h>
-#ifndef HAVE_MD5
 #include <stdio.h>
 #include "md5_locl.h"
 #include <port_after.h>
@@ -368,5 +367,4 @@ unsigned long *l;
 		}
 	}
 #endif
-#endif /* HAVE_MD5 */
 #endif /* USE_MD5 */
diff --git a/lib/bind/dst/support.c b/lib/bind/dst/support.c
index c8a0a307..7b86ea98 100644
--- a/lib/bind/dst/support.c
+++ b/lib/bind/dst/support.c
@@ -1,4 +1,4 @@
-static const char rcsid[] = "$Header: /proj/cvs/prod/bind9/lib/bind/dst/support.c,v 1.2.2.3 2005/10/11 00:56:04 marka Exp $";
+static const char rcsid[] = "$Header: /proj/cvs/prod/bind9/lib/bind/dst/support.c,v 1.2.2.1 2001/11/02 22:25:29 gson Exp $";
 
 
 /*
@@ -103,7 +103,7 @@ dst_s_id_calc(const u_char *key, const int keysize)
 	int size = keysize;
 
 	if (!key || (keysize <= 0))
-		return (0xffffU);
+		return (-1);
  
 	for (ac = 0; size > 1; size -= 2, kp += 2)
 		ac += ((*kp) << 8) + *(kp + 1);
@@ -311,15 +311,19 @@ dst_s_fopen(const char *filename, const char *mode, int perm)
 {
 	FILE *fp;
 	char pathname[PATH_MAX];
-
-	if (strlen(filename) + strlen(dst_path) >= sizeof(pathname))
-		return (NULL);
+	size_t plen = sizeof(pathname);
 
 	if (*dst_path != '\0') {
 		strcpy(pathname, dst_path);
-		strcat(pathname, filename);
-	} else
-		strcpy(pathname, filename);
+		plen -= strlen(pathname);
+	}
+	else 
+		pathname[0] = '\0';
+
+	if (plen > strlen(filename))
+		strncpy(&pathname[PATH_MAX - plen], filename, plen-1);
+	else 
+		return (NULL);
 	
 	fp = fopen(pathname, mode);
 	if (perm)
diff --git a/lib/bind/include/Makefile.in b/lib/bind/include/Makefile.in
index 5dc969a9..a6e5553f 100644
--- a/lib/bind/include/Makefile.in
+++ b/lib/bind/include/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.3.2.1 2004/03/09 06:10:44 marka Exp $
+# $Id: Makefile.in,v 1.3.206.1 2004/03/06 08:13:22 marka Exp $
 
 srcdir =        @srcdir@
 VPATH =         @srcdir@
diff --git a/lib/bind/include/arpa/inet.h b/lib/bind/include/arpa/inet.h
index e5b4c34a..46caa49f 100644
--- a/lib/bind/include/arpa/inet.h
+++ b/lib/bind/include/arpa/inet.h
@@ -55,7 +55,7 @@
 
 /*
  *	@(#)inet.h	8.1 (Berkeley) 6/2/93
- *	$Id: inet.h,v 1.1.2.1 2004/03/09 09:17:24 marka Exp $
+ *	$Id: inet.h,v 1.1.206.1 2004/03/09 08:33:30 marka Exp $
  */
 
 #ifndef _INET_H_
diff --git a/lib/bind/include/arpa/nameser.h b/lib/bind/include/arpa/nameser.h
index d5cd4fce..23db4987 100644
--- a/lib/bind/include/arpa/nameser.h
+++ b/lib/bind/include/arpa/nameser.h
@@ -49,7 +49,7 @@
  */
 
 /*
- *	$Id: nameser.h,v 1.2.2.5 2004/03/09 09:17:25 marka Exp $
+ *	$Id: nameser.h,v 1.2.2.4.4.1 2004/03/09 08:33:30 marka Exp $
  */
 
 #ifndef _ARPA_NAMESER_H_
diff --git a/lib/bind/include/arpa/nameser_compat.h b/lib/bind/include/arpa/nameser_compat.h
index 0291c243..03d46248 100644
--- a/lib/bind/include/arpa/nameser_compat.h
+++ b/lib/bind/include/arpa/nameser_compat.h
@@ -32,7 +32,7 @@
 
 /*
  *      from nameser.h	8.1 (Berkeley) 6/2/93
- *	$Id: nameser_compat.h,v 1.1.2.6 2006/05/19 02:38:58 marka Exp $
+ *	$Id: nameser_compat.h,v 1.1.2.3.4.1 2004/03/09 08:33:30 marka Exp $
  */
 
 #ifndef _ARPA_NAMESER_COMPAT_
@@ -52,9 +52,8 @@
 #define	PDP_ENDIAN	3412	/* LSB first in word, MSW first in long (pdp)*/
 
 #if defined(vax) || defined(ns32000) || defined(sun386) || defined(i386) || \
-    defined(__i386__) || defined(__i386) || defined(__amd64__) || \
-    defined(__x86_64__) || defined(MIPSEL) || defined(_MIPSEL) || \
-    defined(BIT_ZERO_ON_RIGHT) || defined(__alpha__) || defined(__alpha) || \
+    defined(MIPSEL) || defined(_MIPSEL) || defined(BIT_ZERO_ON_RIGHT) || \
+    defined(__alpha__) || defined(__alpha) || \
     (defined(__Lynx__) && defined(__x86__))
 #define BYTE_ORDER	LITTLE_ENDIAN
 #endif
@@ -66,7 +65,7 @@
     defined(__hppa) || defined(__hp9000) || \
     defined(__hp9000s300) || defined(__hp9000s700) || \
     defined(__hp3000s900) || defined(__hpux) || defined(MPE) || \
-    defined (BIT_ZERO_ON_LEFT) || defined(m68k) || defined(__sparc) ||  \
+    defined (BIT_ZERO_ON_LEFT) || defined(m68k) || \
     (defined(__Lynx__) && \
      (defined(__68k__) || defined(__sparc__) || defined(__powerpc__)))
 #define BYTE_ORDER	BIG_ENDIAN
diff --git a/lib/bind/include/hesiod.h b/lib/bind/include/hesiod.h
index d8297b4a..7165d486 100644
--- a/lib/bind/include/hesiod.h
+++ b/lib/bind/include/hesiod.h
@@ -20,7 +20,7 @@
  */
 
 /*
- * $Id: hesiod.h,v 1.1.2.2 2004/03/09 09:17:24 marka Exp $
+ * $Id: hesiod.h,v 1.1.2.1.4.1 2004/03/09 08:33:29 marka Exp $
  */
 
 #ifndef _HESIOD_H_INCLUDED
diff --git a/lib/bind/include/irp.h b/lib/bind/include/irp.h
index 8246fff8..4462f208 100644
--- a/lib/bind/include/irp.h
+++ b/lib/bind/include/irp.h
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: irp.h,v 1.1.2.2 2004/03/09 09:17:24 marka Exp $
+ * $Id: irp.h,v 1.1.2.1.4.1 2004/03/09 08:33:29 marka Exp $
  */
 
 #ifndef _IRP_H_INCLUDED
diff --git a/lib/bind/include/irs.h b/lib/bind/include/irs.h
index 00d3da2c..a3b7903d 100644
--- a/lib/bind/include/irs.h
+++ b/lib/bind/include/irs.h
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: irs.h,v 1.2.2.2 2004/03/09 09:17:24 marka Exp $
+ * $Id: irs.h,v 1.2.2.1.4.1 2004/03/09 08:33:29 marka Exp $
  */
 
 #ifndef _IRS_H_INCLUDED
diff --git a/lib/bind/include/isc/assertions.h b/lib/bind/include/isc/assertions.h
index ca0268c5..9a9b9dec 100644
--- a/lib/bind/include/isc/assertions.h
+++ b/lib/bind/include/isc/assertions.h
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: assertions.h,v 1.1.2.1 2004/03/09 09:17:25 marka Exp $
+ * $Id: assertions.h,v 1.1.206.1 2004/03/09 08:33:30 marka Exp $
  */
 
 #ifndef ASSERTIONS_H
diff --git a/lib/bind/include/isc/ctl.h b/lib/bind/include/isc/ctl.h
index cd7f7f70..74957bcb 100644
--- a/lib/bind/include/isc/ctl.h
+++ b/lib/bind/include/isc/ctl.h
@@ -19,7 +19,7 @@
  */
 
 /*
- * $Id: ctl.h,v 1.1.2.3 2004/03/09 09:17:25 marka Exp $
+ * $Id: ctl.h,v 1.1.2.2.4.1 2004/03/09 08:33:30 marka Exp $
  */
 
 #include <sys/types.h>
diff --git a/lib/bind/include/isc/eventlib.h b/lib/bind/include/isc/eventlib.h
index 77ff0f73..6750e4d2 100644
--- a/lib/bind/include/isc/eventlib.h
+++ b/lib/bind/include/isc/eventlib.h
@@ -18,7 +18,7 @@
 /* eventlib.h - exported interfaces for eventlib
  * vix 09sep95 [initial]
  *
- * $Id: eventlib.h,v 1.1.2.3 2005/07/28 07:48:17 marka Exp $
+ * $Id: eventlib.h,v 1.1.2.1.4.1 2004/03/09 08:33:31 marka Exp $
  */
 
 #ifndef _EVENTLIB_H
@@ -76,8 +76,6 @@ typedef	struct { unsigned char mask[256/8]; } evByteMask;
 #define	EV_WRITE	2
 #define	EV_EXCEPT	4
 
-#define EV_WASNONBLOCKING 8	/* Internal library use. */
-
 /* eventlib.c */
 #define evCreate	__evCreate
 #define evSetDebug	__evSetDebug
diff --git a/lib/bind/include/isc/irpmarshall.h b/lib/bind/include/isc/irpmarshall.h
index 2da3952b..e672f979 100644
--- a/lib/bind/include/isc/irpmarshall.h
+++ b/lib/bind/include/isc/irpmarshall.h
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: irpmarshall.h,v 1.1.2.2 2004/03/09 09:17:26 marka Exp $
+ * $Id: irpmarshall.h,v 1.1.2.1.4.1 2004/03/09 08:33:31 marka Exp $
  */
 
 #ifndef _IRPMARSHALL_H_INCLUDED
diff --git a/lib/bind/include/isc/list.h b/lib/bind/include/isc/list.h
index 4e27eb19..ad574ac2 100644
--- a/lib/bind/include/isc/list.h
+++ b/lib/bind/include/isc/list.h
@@ -66,16 +66,12 @@
 		INSIST(LINKED(elt, link));\
 		if ((elt)->link.next != NULL) \
 			(elt)->link.next->link.prev = (elt)->link.prev; \
-		else { \
-			INSIST((list).tail == (elt)); \
+		else \
 			(list).tail = (elt)->link.prev; \
-		} \
 		if ((elt)->link.prev != NULL) \
 			(elt)->link.prev->link.next = (elt)->link.next; \
-		else { \
-			INSIST((list).head == (elt)); \
+		else \
 			(list).head = (elt)->link.next; \
-		} \
 		INIT_LINK_TYPE(elt, link, type); \
 	} while (0)
 #define UNLINK(list, elt, link) \
diff --git a/lib/bind/include/isc/misc.h b/lib/bind/include/isc/misc.h
index a597e1fa..b08b02d2 100644
--- a/lib/bind/include/isc/misc.h
+++ b/lib/bind/include/isc/misc.h
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: misc.h,v 1.2.2.2 2004/03/09 09:17:26 marka Exp $
+ * $Id: misc.h,v 1.2.2.1.4.1 2004/03/09 08:33:31 marka Exp $
  */
 
 #ifndef _ISC_MISC_H
diff --git a/lib/bind/include/netdb.h b/lib/bind/include/netdb.h
index 2d5bead3..a8a9f5fc 100644
--- a/lib/bind/include/netdb.h
+++ b/lib/bind/include/netdb.h
@@ -86,7 +86,7 @@
 
 /*
  *      @(#)netdb.h	8.1 (Berkeley) 6/2/93
- *	$Id: netdb.h,v 1.12.2.10 2006/10/02 01:18:51 marka Exp $
+ *	$Id: netdb.h,v 1.12.2.1.4.4 2004/03/16 02:19:19 marka Exp $
  */
 
 #ifndef _NETDB_H_
@@ -175,7 +175,7 @@ struct	addrinfo {
 	int		ai_socktype;	/* SOCK_xxx */
 	int		ai_protocol;	/* 0 or IPPROTO_xxx for IPv4 and IPv6 */
 #if defined(sun) && defined(_SOCKLEN_T)
-#ifdef __sparcv9
+#ifdef __sparc9
 	int		_ai_pad;
 #endif
 	socklen_t	ai_addrlen;
@@ -291,7 +291,7 @@ struct hostent_data {
 
 struct  netent_data {
 	FILE	*net_fp;
-#if defined(__osf__) || defined(_AIX)
+#ifdef __osf__
 	char	line[_MAXLINELEN];
 #endif
 #ifdef __hpux
@@ -308,21 +308,10 @@ struct  netent_data {
 	char	*current;
 	int	currentlen;
 #endif
-#ifdef _AIX
-        int     _net_stayopen;
-        char    *current;
-        int     currentlen;
-        void    *_net_reserv1;          /* reserved for future use */
-        void    *_net_reserv2;          /* reserved for future use */
-#endif
 };
 
 struct	protoent_data {
 	FILE	*proto_fp;
-#ifdef _AIX
-	int     _proto_stayopen;
-	char	line[_MAXLINELEN];
-#endif
 #ifdef __osf__
 	char	line[1024];
 #endif
@@ -340,17 +329,11 @@ struct	protoent_data {
 	char	*current;
 	int	currentlen;
 #endif
-#ifdef _AIX
-        int     currentlen;
-        char    *current;
-        void    *_proto_reserv1;        /* reserved for future use */
-        void    *_proto_reserv2;        /* reserved for future use */
-#endif
 };
 
 struct	servent_data {
 	FILE	*serv_fp;
-#if defined(__osf__) || defined(_AIX)
+#ifdef __osf__
 	char	line[_MAXLINELEN];
 #endif
 #ifdef __hpux
@@ -367,13 +350,6 @@ struct	servent_data {
 	char	*current;
 	int	currentlen;
 #endif
-#ifdef _AIX
-	int     _serv_stayopen;
-	char     *current;
-	int     currentlen;
-	void    *_serv_reserv1;         /* reserved for future use */
-	void    *_serv_reserv2;         /* reserved for future use */
-#endif
 };
 #endif
 #endif
@@ -481,19 +457,9 @@ int		endservent_r __P((struct servent_data *));
 #else
 void		endservent_r __P((struct servent_data *));
 #endif
-#ifdef _AIX
-int		setnetgrent_r __P((const char *, void **));
-void		endnetgrent_r __P((void **));
-/*
- * Note: AIX's netdb.h declares innetgr_r() as: 
- *	int innetgr_r(char *, char *, char *, char *, struct innetgr_data *);
- */
-int		innetgr_r __P((const char *, const char *, const char *,
-			       const char *));
-#endif
 #else
  /* defined(sun) || defined(bsdi) */
-#if defined(__GLIBC__) || defined(__FreeBSD__) && (__FreeBSD_version + 0 >= 601103)
+#ifdef __GLIBC__
 int gethostbyaddr_r __P((const char *, int, int, struct hostent *,
 		         char *, size_t, struct hostent **, int *));
 int gethostbyname_r __P((const char *, struct hostent *,
@@ -510,7 +476,7 @@ struct hostent	*gethostent_r __P((struct hostent *, char *, int, int *));
 void		sethostent_r __P((int));
 void		endhostent_r __P((void));
 
-#if defined(__GLIBC__) || defined(__FreeBSD__) && (__FreeBSD_version + 0 >= 601103)
+#ifdef __GLIBC__
 int getnetbyname_r __P((const char *, struct netent *,
 			char *, size_t, struct netent **, int*));
 int getnetbyaddr_r __P((unsigned long int, int, struct netent *,
@@ -526,7 +492,7 @@ struct netent	*getnetent_r __P((struct netent *, char *, int));
 void		setnetent_r __P((int));
 void		endnetent_r __P((void));
 
-#if defined(__GLIBC__) || defined(__FreeBSD__) && (__FreeBSD_version + 0 >= 601103)
+#ifdef __GLIBC__
 int getprotobyname_r __P((const char *, struct protoent *, char *,
 			  size_t, struct protoent **));
 int getprotobynumber_r __P((int, struct protoent *, char *, size_t,
@@ -542,7 +508,7 @@ struct protoent	*getprotoent_r __P((struct protoent *, char *, int));
 void		setprotoent_r __P((int));
 void		endprotoent_r __P((void));
 
-#if defined(__GLIBC__) || defined(__FreeBSD__) && (__FreeBSD_version + 0 >= 601103)
+#ifdef __GLIBC__
 int getservbyname_r __P((const char *name, const char *,
 			 struct servent *, char *, size_t, struct servent **));
 int getservbyport_r __P((int port, const char *,
diff --git a/lib/bind/include/res_update.h b/lib/bind/include/res_update.h
index 53925736..07a37f34 100644
--- a/lib/bind/include/res_update.h
+++ b/lib/bind/include/res_update.h
@@ -16,7 +16,7 @@
  */
 
 /*
- *	$Id: res_update.h,v 1.1.2.1 2004/03/09 09:17:24 marka Exp $
+ *	$Id: res_update.h,v 1.1.206.1 2004/03/09 08:33:29 marka Exp $
  */
 
 #ifndef __RES_UPDATE_H
diff --git a/lib/bind/include/resolv.h b/lib/bind/include/resolv.h
index 99635501..c43c6a69 100644
--- a/lib/bind/include/resolv.h
+++ b/lib/bind/include/resolv.h
@@ -50,7 +50,7 @@
 
 /*
  *	@(#)resolv.h	8.1 (Berkeley) 6/2/93
- *	$Id: resolv.h,v 1.7.2.14 2005/08/25 04:44:38 marka Exp $
+ *	$Id: resolv.h,v 1.7.2.11.4.1 2004/03/09 08:33:29 marka Exp $
  */
 
 #ifndef _RESOLV_H_
@@ -254,7 +254,6 @@ union res_sockaddr_union {
 #define	RES_BLAST	0x00020000	/* blast all recursive servers */
 #define RES_NOTLDQUERY	0x00100000	/* don't unqualified name as a tld */
 #define RES_USE_DNSSEC	0x00200000	/* use DNSSEC using OK bit in OPT */
-/* #define RES_DEBUG2	0x00400000 */	/* nslookup internal */
 /* KAME extensions: use higher bit to avoid conflict with ISC use */
 #define RES_USE_DNAME	0x10000000	/* use DNAME */
 #define RES_USE_EDNS0	0x40000000	/* use EDNS0 if configured */
@@ -291,11 +290,6 @@ extern struct __res_state *__res_state(void);
 __END_DECLS
 #define _res (*__res_state())
 #else
-#ifdef __linux
-__BEGIN_DECLS
-extern struct __res_state * __res_state(void);
-__END_DECLS
-#endif
 #ifndef __BIND_NOSTATIC
 extern struct __res_state _res;
 #endif
diff --git a/lib/bind/include/resolv_mt.h b/lib/bind/include/resolv_mt.h
deleted file mode 100644
index 27963a12..00000000
--- a/lib/bind/include/resolv_mt.h
+++ /dev/null
@@ -1,47 +0,0 @@
-#ifndef _RESOLV_MT_H
-#define _RESOLV_MT_H
-
-#include <sys/types.h>
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-#include <resolv.h>
-
-/* Access functions for the libresolv private interface */
-
-int	__res_enable_mt(void);
-int	__res_disable_mt(void);
-
-/* Per-thread context */
-
-typedef struct {
-int	no_hosts_fallback_private;
-int	retry_save;
-int	retry_private;
-char	inet_nsap_ntoa_tmpbuf[255*3];
-char	sym_ntos_unname[20];
-char	sym_ntop_unname[20];
-char	p_option_nbuf[40];
-char	p_time_nbuf[40];
-char	precsize_ntoa_retbuf[sizeof "90000000.00"];
-char	loc_ntoa_tmpbuf[sizeof
-"1000 60 60.000 N 1000 60 60.000 W -12345678.00m 90000000.00m 90000000.00m 90000000.00m"];
-char	p_secstodate_output[15];
-} mtctxres_t;
-
-/* Thread-specific data (TSD) */
-
-mtctxres_t	*___mtctxres(void);
-#define mtctxres	(___mtctxres())
-
-/* Various static data that should be TSD */
-
-#define sym_ntos_unname		(mtctxres->sym_ntos_unname)
-#define sym_ntop_unname		(mtctxres->sym_ntop_unname)
-#define inet_nsap_ntoa_tmpbuf	(mtctxres->inet_nsap_ntoa_tmpbuf)
-#define p_option_nbuf		(mtctxres->p_option_nbuf)
-#define p_time_nbuf		(mtctxres->p_time_nbuf)
-#define precsize_ntoa_retbuf	(mtctxres->precsize_ntoa_retbuf)
-#define loc_ntoa_tmpbuf		(mtctxres->loc_ntoa_tmpbuf)
-#define p_secstodate_output	(mtctxres->p_secstodate_output)
-
-#endif /* _RESOLV_MT_H */
diff --git a/lib/bind/inet/Makefile.in b/lib/bind/inet/Makefile.in
index 73ad8dbe..96698fde 100644
--- a/lib/bind/inet/Makefile.in
+++ b/lib/bind/inet/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.4.2.1 2004/03/09 06:10:45 marka Exp $
+# $Id: Makefile.in,v 1.4.206.1 2004/03/06 08:13:23 marka Exp $
 
 srcdir=		@srcdir@
 VPATH =         @srcdir@
diff --git a/lib/bind/inet/inet_addr.c b/lib/bind/inet/inet_addr.c
index f6867fa0..b967dc22 100644
--- a/lib/bind/inet/inet_addr.c
+++ b/lib/bind/inet/inet_addr.c
@@ -70,7 +70,7 @@
 
 #if defined(LIBC_SCCS) && !defined(lint)
 static const char sccsid[] = "@(#)inet_addr.c	8.1 (Berkeley) 6/17/93";
-static const char rcsid[] = "$Id: inet_addr.c,v 1.2.2.2 2004/03/17 00:40:10 marka Exp $";
+static const char rcsid[] = "$Id: inet_addr.c,v 1.2.206.2 2004/03/17 00:29:45 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include "port_before.h"
diff --git a/lib/bind/inet/inet_cidr_ntop.c b/lib/bind/inet/inet_cidr_ntop.c
index aec69235..184ad7c5 100644
--- a/lib/bind/inet/inet_cidr_ntop.c
+++ b/lib/bind/inet/inet_cidr_ntop.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: inet_cidr_ntop.c,v 1.1.2.5 2006/10/11 02:32:34 marka Exp $";
+static const char rcsid[] = "$Id: inet_cidr_ntop.c,v 1.1.2.1.8.2 2004/03/17 00:29:46 marka Exp $";
 #endif
 
 #include "port_before.h"
@@ -40,10 +40,10 @@ static const char rcsid[] = "$Id: inet_cidr_ntop.c,v 1.1.2.5 2006/10/11 02:32:34
 # define SPRINTF(x) ((size_t)sprintf x)
 #endif
 
-static char *
-inet_cidr_ntop_ipv4(const u_char *src, int bits, char *dst, size_t size);
-static char *
-inet_cidr_ntop_ipv6(const u_char *src, int bits, char *dst, size_t size);
+static char *	inet_cidr_ntop_ipv4 __P((const u_char *src, int bits,
+					 char *dst, size_t size));
+static char *	inet_cidr_ntop_ipv6 __P((const u_char *src, int bits,
+					 char *dst, size_t size));
 
 /*
  * char *
@@ -178,9 +178,7 @@ inet_cidr_ntop_ipv6(const u_char *src, int bits, char *dst, size_t size) {
 	for (i = 0; i < NS_IN6ADDRSZ; i++)
 		words[i / 2] |= (src[i] << ((1 - (i % 2)) << 3));
 	best.base = -1;
-	best.len = 0;
 	cur.base = -1;
-	cur.len = 0;
 	for (i = 0; i < (NS_IN6ADDRSZ / NS_INT16SZ); i++) {
 		if (words[i] == 0) {
 			if (cur.base == -1)
diff --git a/lib/bind/inet/inet_cidr_pton.c b/lib/bind/inet/inet_cidr_pton.c
index 6fe5f7b0..5bfef71b 100644
--- a/lib/bind/inet/inet_cidr_pton.c
+++ b/lib/bind/inet/inet_cidr_pton.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: inet_cidr_pton.c,v 1.2.2.3 2004/03/17 00:40:11 marka Exp $";
+static const char rcsid[] = "$Id: inet_cidr_pton.c,v 1.2.2.1.8.2 2004/03/17 00:29:46 marka Exp $";
 #endif
 
 #include "port_before.h"
diff --git a/lib/bind/inet/inet_data.c b/lib/bind/inet/inet_data.c
index cc086fe8..e5862971 100644
--- a/lib/bind/inet/inet_data.c
+++ b/lib/bind/inet/inet_data.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static char rcsid[] = "$Id: inet_data.c,v 1.2.2.1 2004/03/09 09:17:27 marka Exp $";
+static char rcsid[] = "$Id: inet_data.c,v 1.2.206.1 2004/03/09 08:33:32 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include "port_before.h"
diff --git a/lib/bind/inet/inet_makeaddr.c b/lib/bind/inet/inet_makeaddr.c
index 6e4ecc37..1d20619b 100644
--- a/lib/bind/inet/inet_makeaddr.c
+++ b/lib/bind/inet/inet_makeaddr.c
@@ -51,16 +51,16 @@ struct in_addr
 inet_makeaddr(net, host)
 	u_long net, host;
 {
-	struct in_addr a;
+	u_long addr;
 
 	if (net < 128U)
-		a.s_addr = (net << IN_CLASSA_NSHIFT) | (host & IN_CLASSA_HOST);
+		addr = (net << IN_CLASSA_NSHIFT) | (host & IN_CLASSA_HOST);
 	else if (net < 65536U)
-		a.s_addr = (net << IN_CLASSB_NSHIFT) | (host & IN_CLASSB_HOST);
+		addr = (net << IN_CLASSB_NSHIFT) | (host & IN_CLASSB_HOST);
 	else if (net < 16777216L)
-		a.s_addr = (net << IN_CLASSC_NSHIFT) | (host & IN_CLASSC_HOST);
+		addr = (net << IN_CLASSC_NSHIFT) | (host & IN_CLASSC_HOST);
 	else
-		a.s_addr = net | host;
-	a.s_addr = htonl(a.s_addr);
-	return (a);
+		addr = net | host;
+	addr = htonl(addr);
+	return (*(struct in_addr *)&addr);
 }
diff --git a/lib/bind/inet/inet_net_ntop.c b/lib/bind/inet/inet_net_ntop.c
index 4ae220f5..f508629d 100644
--- a/lib/bind/inet/inet_net_ntop.c
+++ b/lib/bind/inet/inet_net_ntop.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: inet_net_ntop.c,v 1.1.2.3 2006/06/20 02:53:42 marka Exp $";
+static const char rcsid[] = "$Id: inet_net_ntop.c,v 1.1.2.1.8.1 2004/03/09 08:33:32 marka Exp $";
 #endif
 
 #include "port_before.h"
@@ -264,7 +264,7 @@ inet_net_ntop_ipv6(const u_char *src, int bits, char *dst, size_t size) {
 		}
 	}
 	/* Format CIDR /width. */
-	sprintf(cp, "/%u", bits);
+	SPRINTF((cp, "/%u", bits));
 	if (strlen(outbuf) + 1 > size)
 		goto emsgsize;
 	strcpy(dst, outbuf);
diff --git a/lib/bind/inet/inet_net_pton.c b/lib/bind/inet/inet_net_pton.c
index 44a6f92c..abecfc79 100644
--- a/lib/bind/inet/inet_net_pton.c
+++ b/lib/bind/inet/inet_net_pton.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: inet_net_pton.c,v 1.4.2.3 2004/03/17 00:40:11 marka Exp $";
+static const char rcsid[] = "$Id: inet_net_pton.c,v 1.4.2.1.8.2 2004/03/17 00:29:47 marka Exp $";
 #endif
 
 #include "port_before.h"
diff --git a/lib/bind/inet/inet_neta.c b/lib/bind/inet/inet_neta.c
index 9b5a71a3..325b7ce8 100644
--- a/lib/bind/inet/inet_neta.c
+++ b/lib/bind/inet/inet_neta.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: inet_neta.c,v 1.1.2.1 2004/03/09 09:17:27 marka Exp $";
+static const char rcsid[] = "$Id: inet_neta.c,v 1.1.206.1 2004/03/09 08:33:33 marka Exp $";
 #endif
 
 #include "port_before.h"
diff --git a/lib/bind/inet/inet_ntop.c b/lib/bind/inet/inet_ntop.c
index e95125f6..6141407f 100644
--- a/lib/bind/inet/inet_ntop.c
+++ b/lib/bind/inet/inet_ntop.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: inet_ntop.c,v 1.1.2.3 2005/11/03 23:41:22 marka Exp $";
+static const char rcsid[] = "$Id: inet_ntop.c,v 1.1.2.1.8.1 2004/03/09 08:33:33 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include "port_before.h"
@@ -137,9 +137,7 @@ inet_ntop6(src, dst, size)
 	for (i = 0; i < NS_IN6ADDRSZ; i++)
 		words[i / 2] |= (src[i] << ((1 - (i % 2)) << 3));
 	best.base = -1;
-	best.len = 0;
 	cur.base = -1;
-	cur.len = 0;
 	for (i = 0; i < (NS_IN6ADDRSZ / NS_INT16SZ); i++) {
 		if (words[i] == 0) {
 			if (cur.base == -1)
diff --git a/lib/bind/inet/inet_pton.c b/lib/bind/inet/inet_pton.c
index d0515c4e..c7813f83 100644
--- a/lib/bind/inet/inet_pton.c
+++ b/lib/bind/inet/inet_pton.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: inet_pton.c,v 1.2.2.2 2005/07/28 07:48:18 marka Exp $";
+static const char rcsid[] = "$Id: inet_pton.c,v 1.2.206.1 2004/03/09 08:33:33 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include "port_before.h"
@@ -141,7 +141,7 @@ inet_pton6(src, dst)
 			  xdigits_u[] = "0123456789ABCDEF";
 	u_char tmp[NS_IN6ADDRSZ], *tp, *endp, *colonp;
 	const char *xdigits, *curtok;
-	int ch, seen_xdigits;
+	int ch, saw_xdigit;
 	u_int val;
 
 	memset((tp = tmp), '\0', NS_IN6ADDRSZ);
@@ -152,7 +152,7 @@ inet_pton6(src, dst)
 		if (*++src != ':')
 			return (0);
 	curtok = src;
-	seen_xdigits = 0;
+	saw_xdigit = 0;
 	val = 0;
 	while ((ch = *src++) != '\0') {
 		const char *pch;
@@ -162,13 +162,14 @@ inet_pton6(src, dst)
 		if (pch != NULL) {
 			val <<= 4;
 			val |= (pch - xdigits);
-			if (++seen_xdigits > 4)
+			if (val > 0xffff)
 				return (0);
+			saw_xdigit = 1;
 			continue;
 		}
 		if (ch == ':') {
 			curtok = src;
-			if (!seen_xdigits) {
+			if (!saw_xdigit) {
 				if (colonp)
 					return (0);
 				colonp = tp;
@@ -180,19 +181,19 @@ inet_pton6(src, dst)
 				return (0);
 			*tp++ = (u_char) (val >> 8) & 0xff;
 			*tp++ = (u_char) val & 0xff;
-			seen_xdigits = 0;
+			saw_xdigit = 0;
 			val = 0;
 			continue;
 		}
 		if (ch == '.' && ((tp + NS_INADDRSZ) <= endp) &&
 		    inet_pton4(curtok, tp) > 0) {
 			tp += NS_INADDRSZ;
-			seen_xdigits = 0;
+			saw_xdigit = 0;
 			break;	/* '\0' was seen by inet_pton4(). */
 		}
 		return (0);
 	}
-	if (seen_xdigits) {
+	if (saw_xdigit) {
 		if (tp + NS_INT16SZ > endp)
 			return (0);
 		*tp++ = (u_char) (val >> 8) & 0xff;
diff --git a/lib/bind/inet/nsap_addr.c b/lib/bind/inet/nsap_addr.c
index 10cb1ebe..0b9108a9 100644
--- a/lib/bind/inet/nsap_addr.c
+++ b/lib/bind/inet/nsap_addr.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: nsap_addr.c,v 1.2.2.2 2005/07/28 07:48:18 marka Exp $";
+static const char rcsid[] = "$Id: nsap_addr.c,v 1.2.206.1 2004/03/09 08:33:33 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include "port_before.h"
@@ -31,7 +31,6 @@ static const char rcsid[] = "$Id: nsap_addr.c,v 1.2.2.2 2005/07/28 07:48:18 mark
 
 #include <ctype.h>
 #include <resolv.h>
-#include <resolv_mt.h>
 
 #include "port_after.h"
 
@@ -80,7 +79,7 @@ char *
 inet_nsap_ntoa(int binlen, const u_char *binary, char *ascii) {
 	int nib;
 	int i;
-	char *tmpbuf = inet_nsap_ntoa_tmpbuf;
+	static char tmpbuf[2+255*3];
 	char *start;
 
 	if (ascii)
diff --git a/lib/bind/irs/Makefile.in b/lib/bind/irs/Makefile.in
index 6e9209fb..ed387d74 100644
--- a/lib/bind/irs/Makefile.in
+++ b/lib/bind/irs/Makefile.in
@@ -13,12 +13,12 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.7.2.3 2004/12/07 00:37:30 marka Exp $
+# $Id: Makefile.in,v 1.7.206.1 2004/03/06 08:13:23 marka Exp $
 
 srcdir=		@srcdir@
 VPATH =         @srcdir@
 
-WANT_IRS_THREADS_OBJS=	gethostent_r.@O@ getnetent_r.@O@ getnetgrent_r.@O@ \
+WANT_IRS_THREADS_OBJS=	gethostent_r.@O@ getnetgrent_r.@O@ \
 	getprotoent_r.@O@ getservent_r.@O@
 
 WANT_IRS_NISGR_OBJS= nis_gr.@O@ 
@@ -40,7 +40,7 @@ OBJS=	@WANT_IRS_GR_OBJS@ @WANT_IRS_NIS_OBJS@ @WANT_IRS_THREADS_OBJS@ \
 	dns_sv.@O@ gai_strerror.@O@ gen.@O@ gen_ho.@O@ \
 	gen_ng.@O@ gen_nw.@O@ gen_pr.@O@ gen_sv.@O@ \
 	getaddrinfo.@O@ gethostent.@O@ \
-	getnameinfo.@O@ getnetent.@O@ \
+	getnameinfo.@O@ getnetent.@O@ getnetent_r.@O@ \
 	getnetgrent.@O@ getprotoent.@O@ getservent.@O@ \
 	hesiod.@O@ irp.@O@ irp_ho.@O@ irp_ng.@O@ irp_nw.@O@ \
 	irp_pr.@O@ irp_sv.@O@ irpmarshall.@O@ irs_data.@O@ \
diff --git a/lib/bind/irs/dns.c b/lib/bind/irs/dns.c
index b8f8aed1..ab83b3e4 100644
--- a/lib/bind/irs/dns.c
+++ b/lib/bind/irs/dns.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: dns.c,v 1.1.2.3 2006/03/10 00:18:22 marka Exp $";
+static const char rcsid[] = "$Id: dns.c,v 1.1.206.2 2004/03/17 00:29:47 marka Exp $";
 #endif
 
 /*
@@ -114,7 +114,7 @@ dns_res_get(struct irs_acc *this) {
 		res = (struct __res_state *)malloc(sizeof *res);
 		if (res == NULL)
 			return (NULL);
-		memset(res, 0, sizeof *res);
+		memset(dns->res, 0, sizeof *dns->res);
 		dns_res_set(this, res, free);
 	}
 
diff --git a/lib/bind/irs/dns_gr.c b/lib/bind/irs/dns_gr.c
index 18994b6d..a35b10ca 100644
--- a/lib/bind/irs/dns_gr.c
+++ b/lib/bind/irs/dns_gr.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: dns_gr.c,v 1.1.2.2 2004/03/09 09:17:28 marka Exp $";
+static const char rcsid[] = "$Id: dns_gr.c,v 1.1.2.1.4.1 2004/03/09 08:33:34 marka Exp $";
 #endif
 
 /*
diff --git a/lib/bind/irs/dns_ho.c b/lib/bind/irs/dns_ho.c
index 423a70c8..9211ca5e 100644
--- a/lib/bind/irs/dns_ho.c
+++ b/lib/bind/irs/dns_ho.c
@@ -52,7 +52,7 @@
 /* BIND Id: gethnamaddr.c,v 8.15 1996/05/22 04:56:30 vixie Exp $ */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: dns_ho.c,v 1.5.2.16 2006/12/07 04:00:29 marka Exp $";
+static const char rcsid[] = "$Id: dns_ho.c,v 1.5.2.7.4.3 2004/03/17 01:13:34 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 /* Imports. */
@@ -218,7 +218,8 @@ ho_close(struct irs_ho *this) {
 	ho_minimize(this);
 	if (pvt->res && pvt->free_res)
 		(*pvt->free_res)(pvt->res);
-	memput(pvt, sizeof *pvt);
+	if (pvt)
+		memput(pvt, sizeof *pvt);
 	memput(this, sizeof *this);
 }
 
@@ -259,7 +260,7 @@ ho_byname2(struct irs_ho *this, const char *name, int af)
 		errno = ENOMEM;
 		goto cleanup;
 	}
-	memset(q, 0, sizeof(*q));
+	memset(q, 0, sizeof(q));
 
 	switch (af) {
 	case AF_INET:
@@ -351,8 +352,8 @@ ho_byaddr(struct irs_ho *this, const void *addr, int len, int af)
 		errno = ENOMEM;
 		goto cleanup;
 	}
-	memset(q, 0, sizeof(*q));
-	memset(q2, 0, sizeof(*q2));
+	memset(q, 0, sizeof(q));
+	memset(q2, 0, sizeof(q2));
 
 	if (af == AF_INET6 && len == IN6ADDRSZ &&
 	    (!memcmp(uaddr, mapped, sizeof mapped) ||
@@ -413,44 +414,38 @@ ho_byaddr(struct irs_ho *this, const void *addr, int len, int af)
 		break;
 	case AF_INET6:
 		if (q->action != RESTGT_IGNORE) {
-			const char *nibsuff = res_get_nibblesuffix(pvt->res);
 			qp = q->qname;
 			for (n = IN6ADDRSZ - 1; n >= 0; n--) {
 				i = SPRINTF((qp, "%x.%x.",
 					       uaddr[n] & 0xf,
 					       (uaddr[n] >> 4) & 0xf));
-				if (i != 4)
+				if (i < 0)
 					abort();
 				qp += i;
 			}
-			if (strlen(q->qname) + strlen(nibsuff) + 1 >
-			    sizeof q->qname) {
-				errno = ENAMETOOLONG;
-				RES_SET_H_ERRNO(pvt->res, NETDB_INTERNAL);
-				hp = NULL;
-				goto cleanup;
-			}
-			strcpy(qp, nibsuff);	/* (checked) */
+#ifdef HAVE_STRLCAT
+			strlcat(q->qname, res_get_nibblesuffix(pvt->res),
+			    sizeof(q->qname));
+#else
+			strcpy(qp, res_get_nibblesuffix(pvt->res));
+#endif
 		}
 		if (q2->action != RESTGT_IGNORE) {
-			const char *nibsuff2 = res_get_nibblesuffix2(pvt->res);
 			qp = q2->qname;
 			for (n = IN6ADDRSZ - 1; n >= 0; n--) {
 				i = SPRINTF((qp, "%x.%x.",
 					       uaddr[n] & 0xf,
 					       (uaddr[n] >> 4) & 0xf));
-				if (i != 4)
+				if (i < 0)
 					abort();
 				qp += i;
 			}
-			if (strlen(q2->qname) + strlen(nibsuff2) + 1 >
-			    sizeof q2->qname) {
-				errno = ENAMETOOLONG;
-				RES_SET_H_ERRNO(pvt->res, NETDB_INTERNAL);
-				hp = NULL;
-				goto cleanup;
-			}
-			strcpy(qp, nibsuff2);	/* (checked) */
+#ifdef HAVE_STRLCAT
+			strlcat(q->qname, res_get_nibblesuffix2(pvt->res),
+			    sizeof(q->qname));
+#else
+			strcpy(qp, res_get_nibblesuffix2(pvt->res));
+#endif
 		}
 		break;
 	default:
@@ -577,8 +572,8 @@ ho_addrinfo(struct irs_ho *this, const char *name, const struct addrinfo *pai)
 		errno = ENOMEM;
 		goto cleanup;
 	}
-	memset(q, 0, sizeof(*q2));
-	memset(q2, 0, sizeof(*q2));
+	memset(q, 0, sizeof(q2));
+	memset(q2, 0, sizeof(q2));
 
 	switch (pai->ai_family) {
 	case AF_UNSPEC:
@@ -648,9 +643,10 @@ ho_addrinfo(struct irs_ho *this, const char *name, const struct addrinfo *pai)
 		if (ai) {
 			querystate = RESQRY_SUCCESS;
 			cur->ai_next = ai;
-			while (cur->ai_next)
+			while (cur && cur->ai_next)
 				cur = cur->ai_next;
-		} else
+		}
+		else
 			querystate = RESQRY_FAIL;
 	}
 
@@ -686,7 +682,7 @@ gethostans(struct irs_ho *this,
 {
 	struct pvt *pvt = (struct pvt *)this->private;
 	int type, class, ancount, qdcount, n, haveanswer, had_error;
-	int error = NETDB_SUCCESS;
+	int error = NETDB_SUCCESS, arcount;
 	int (*name_ok)(const char *);
 	const HEADER *hp;
 	const u_char *eom;
@@ -733,6 +729,7 @@ gethostans(struct irs_ho *this,
 	hp = (const HEADER *)ansbuf;
 	ancount = ntohs(hp->ancount);
 	qdcount = ntohs(hp->qdcount);
+	arcount = ntohs(hp->arcount);
 	bp = pvt->hostbuf;
 	ep = pvt->hostbuf + sizeof(pvt->hostbuf);
 	cp = ansbuf + HFIXEDSZ;
@@ -823,7 +820,11 @@ gethostans(struct irs_ho *this,
 				had_error++;
 				continue;
 			}
-			strcpy(bp, tbuf);	/* (checked) */
+#ifdef HAVE_STRLCPY
+			strlcpy(bp, tbuf, ep - bp);
+#else
+			strcpy(bp, tbuf);
+#endif
 			pvt->host.h_name = bp;
 			hname = bp;
 			bp += n;
@@ -855,7 +856,11 @@ gethostans(struct irs_ho *this,
 				had_error++;
 				continue;
 			}
-			strcpy(bp, tbuf);	/* (checked) */
+#ifdef HAVE_STRLCPY
+			strlcpy(bp, tbuf, ep - bp);
+#else
+			strcpy(bp, tbuf);
+#endif
 			tname = bp;
 			bp += n;
 			continue;
@@ -941,12 +946,12 @@ gethostans(struct irs_ho *this,
 			bp = (char *)(((u_long)bp + (sizeof(align) - 1)) &
 				      ~(sizeof(align) - 1));
 			/* Avoid overflows. */
-			if (bp + n > &pvt->hostbuf[sizeof(pvt->hostbuf) - 1]) {
+			if (bp + n >= &pvt->hostbuf[sizeof pvt->hostbuf]) {
 				had_error++;
 				continue;
 			}
 			if (ret_aip) { /* need addrinfo. keep it. */
-				while (cur->ai_next)
+				while (cur && cur->ai_next)
 					cur = cur->ai_next;
 			} else if (cur->ai_next) { /* need hostent */
 				struct addrinfo *aip = cur->ai_next;
@@ -991,7 +996,11 @@ gethostans(struct irs_ho *this,
 				n = strlen(qname) + 1;	/* for the \0 */
 				if (n > (ep - bp) || n >= MAXHOSTNAMELEN)
 					goto no_recovery;
-				strcpy(bp, qname);	/* (checked) */
+#ifdef HAVE_STRLCPY
+				strlcpy(bp, qname, ep - bp);
+#else
+				strcpy(bp, qname);
+#endif
 				pvt->host.h_name = bp;
 				bp += n;
 			}
@@ -1051,7 +1060,7 @@ add_hostent(struct pvt *pvt, char *bp, char **hap, struct addrinfo *ai)
 	bp = (char *)(((u_long)bp + (sizeof(align) - 1)) &
 		      ~(sizeof(align) - 1));
 	/* Avoid overflows. */
-	if (bp + addrlen > &pvt->hostbuf[sizeof(pvt->hostbuf) - 1])
+	if (bp + addrlen >= &pvt->hostbuf[sizeof pvt->hostbuf])
 		return(-1);
 	if (hap >= &pvt->h_addr_ptrs[MAXADDRS-1])
 		return(0); /* fail, but not treat it as an error. */
diff --git a/lib/bind/irs/dns_nw.c b/lib/bind/irs/dns_nw.c
index 9d9659bf..34f1f58d 100644
--- a/lib/bind/irs/dns_nw.c
+++ b/lib/bind/irs/dns_nw.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: dns_nw.c,v 1.3.2.8 2004/09/16 00:57:45 marka Exp $";
+static const char rcsid[] = "$Id: dns_nw.c,v 1.3.2.4.4.2 2004/03/17 00:29:48 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 /* Imports. */
@@ -349,7 +349,12 @@ get1101answer(struct irs_nw *this,
 				RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
 				return (NULL);
 			}
-			pvt->net.n_name = strcpy(bp, name);	/* (checked) */
+#ifdef HAVE_STRLCPY
+			strlcpy(bp, name, ep - bp);
+			pvt->net.n_name = bp;
+#else
+			pvt->net.n_name = strcpy(bp, name);
+#endif
 			bp += n;
 		}
 		break;
@@ -569,7 +574,7 @@ normalize_name(char *name) {
 	/* Make lower case. */
 	for (t = name; *t; t++)
 		if (isascii((unsigned char)*t) && isupper((unsigned char)*t))
-			*t = tolower((*t)&0xff);
+			*t = tolower(*t);
 
 	/* Remove trailing dots. */
 	while (t > name && t[-1] == '.')
diff --git a/lib/bind/irs/dns_p.h b/lib/bind/irs/dns_p.h
index 54d1b143..f984c1cd 100644
--- a/lib/bind/irs/dns_p.h
+++ b/lib/bind/irs/dns_p.h
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: dns_p.h,v 1.1.2.2 2004/03/17 00:40:12 marka Exp $
+ * $Id: dns_p.h,v 1.1.206.2 2004/03/17 00:29:48 marka Exp $
  */
 
 #ifndef _DNS_P_H_INCLUDED
diff --git a/lib/bind/irs/dns_pr.c b/lib/bind/irs/dns_pr.c
index 12fc9d04..ffcca152 100644
--- a/lib/bind/irs/dns_pr.c
+++ b/lib/bind/irs/dns_pr.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: dns_pr.c,v 1.3.2.1 2004/03/09 09:17:28 marka Exp $";
+static const char rcsid[] = "$Id: dns_pr.c,v 1.3.206.1 2004/03/09 08:33:34 marka Exp $";
 #endif
 
 /* Imports */
diff --git a/lib/bind/irs/dns_pw.c b/lib/bind/irs/dns_pw.c
index 027947ca..41b3795f 100644
--- a/lib/bind/irs/dns_pw.c
+++ b/lib/bind/irs/dns_pw.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: dns_pw.c,v 1.1.2.1 2004/03/09 09:17:28 marka Exp $";
+static const char rcsid[] = "$Id: dns_pw.c,v 1.1.206.1 2004/03/09 08:33:34 marka Exp $";
 #endif
 
 #include "port_before.h"
diff --git a/lib/bind/irs/dns_sv.c b/lib/bind/irs/dns_sv.c
index 49698077..a2aafde8 100644
--- a/lib/bind/irs/dns_sv.c
+++ b/lib/bind/irs/dns_sv.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: dns_sv.c,v 1.3.2.1 2004/03/09 09:17:28 marka Exp $";
+static const char rcsid[] = "$Id: dns_sv.c,v 1.3.206.1 2004/03/09 08:33:34 marka Exp $";
 #endif
 
 /* Imports */
diff --git a/lib/bind/irs/gai_strerror.c b/lib/bind/irs/gai_strerror.c
index 06eeeb36..7355b93c 100644
--- a/lib/bind/irs/gai_strerror.c
+++ b/lib/bind/irs/gai_strerror.c
@@ -52,10 +52,7 @@ gai_strerror(int ecode) {
 #ifndef DO_PTHREADS
 	static char buf[EAI_BUFSIZE];
 #else	/* DO_PTHREADS */
-#ifndef LIBBIND_MUTEX_INITIALIZER
-#define LIBBIND_MUTEX_INITIALIZER PTHREAD_MUTEX_INITIALIZER
-#endif
-	static pthread_mutex_t lock = LIBBIND_MUTEX_INITIALIZER;
+	static pthread_mutex_t lock = PTHREAD_MUTEX_INITIALIZER;
 	static pthread_key_t key;
 	static int once = 0;
 	char *buf;
@@ -66,28 +63,18 @@ gai_strerror(int ecode) {
 
 #ifdef DO_PTHREADS
         if (!once) {
-                if (pthread_mutex_lock(&lock) != 0)
-			goto unknown;
-                if (!once) {
-                        if (pthread_key_create(&key, free) != 0) {
-				pthread_mutex_unlock(&lock);
-				goto unknown;
-			}
-			once = 1;
-		}
-                if (pthread_mutex_unlock(&lock) != 0)
-			goto unknown;
+                pthread_mutex_lock(&lock);
+                if (!once++)
+                        pthread_key_create(&key, free);
+                pthread_mutex_unlock(&lock);
         }
 
 	buf = pthread_getspecific(key);
         if (buf == NULL) {
 		buf = malloc(EAI_BUFSIZE);
                 if (buf == NULL)
-                        goto unknown;
-                if (pthread_setspecific(key, buf) != 0) {
-			free(buf);
-			goto unknown;
-		}
+                        return ("unknown error");
+                pthread_setspecific(key, buf);
         }
 #endif
 	/* 
@@ -96,9 +83,4 @@ gai_strerror(int ecode) {
 	 */
 	sprintf(buf, "%s: %d", gai_errlist[gai_nerr - 1], ecode);
 	return (buf);
-
-#ifdef DO_PTHREADS
- unknown:
-	return ("unknown error");
-#endif
 }
diff --git a/lib/bind/irs/gen.c b/lib/bind/irs/gen.c
index b9802b0e..5317821b 100644
--- a/lib/bind/irs/gen.c
+++ b/lib/bind/irs/gen.c
@@ -16,7 +16,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: gen.c,v 1.3.2.3 2004/09/16 00:57:46 marka Exp $";
+static const char rcsid[] = "$Id: gen.c,v 1.3.206.2 2004/03/17 00:29:48 marka Exp $";
 #endif
 
 /*
@@ -391,10 +391,8 @@ init_map_rules(struct gen_p *irs, const char *conf_file) {
 		default_map_rules(irs);
 		return;
 	}
-	(void) sprintf(pattern, "%%%lus %%%lus %%%lus\n",
-		       (unsigned long)sizeof mapname,
-		       (unsigned long)sizeof accname,
-		       (unsigned long)sizeof options);
+	(void) sprintf(pattern, "%%%ds %%%ds %%%ds\n",
+		       sizeof mapname, sizeof accname, sizeof options);
 	while (fgets(line, sizeof line, conf)) {
 		enum irs_map_id map;
 		enum irs_acc_id acc;
diff --git a/lib/bind/irs/gen_gr.c b/lib/bind/irs/gen_gr.c
index a97a56f2..89610da0 100644
--- a/lib/bind/irs/gen_gr.c
+++ b/lib/bind/irs/gen_gr.c
@@ -16,7 +16,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: gen_gr.c,v 1.4.2.3 2004/05/17 07:46:43 marka Exp $";
+static const char rcsid[] = "$Id: gen_gr.c,v 1.4.2.1.4.1 2004/03/09 08:33:35 marka Exp $";
 #endif
 
 /* Imports */
@@ -83,7 +83,7 @@ static void		gr_res_set(struct irs_gr *,
 				      struct __res_state *,
 				      void (*)(void *));
 
-static int		grmerge(struct irs_gr *gr, const struct group *src,
+static void		grmerge(struct irs_gr *gr, const struct group *src,
 				int preserve);
 
 static int		countvec(char **vec);
@@ -92,10 +92,6 @@ static int		countnew(char **old, char **new);
 static size_t		sizenew(char **old, char **new);
 static int		newgid(int, gid_t *, gid_t);
 
-/* Macros */
-
-#define FREE_IF(x) do { if ((x) != NULL) { free(x); (x) = NULL; } } while (0)
-
 /* Public */
 
 struct irs_gr *
@@ -175,8 +171,7 @@ gr_byname(struct irs_gr *this, const char *name) {
 		gr = rule->inst->gr;
 		tval = (*gr->byname)(gr, name);
 		if (tval) {
-			if (!grmerge(this, tval, dirty++))
-				return (NULL);
+			grmerge(this, tval, dirty++);
 			if (!(rule->flags & IRS_MERGE))
 				break;
 		} else {
@@ -202,8 +197,7 @@ gr_bygid(struct irs_gr *this, gid_t gid) {
 		gr = rule->inst->gr;
 		tval = (*gr->bygid)(gr, gid);
 		if (tval) {
-			if (!grmerge(this, tval, dirty++))
-				return (NULL);
+			grmerge(this, tval, dirty++);
 			if (!(rule->flags & IRS_MERGE))
 				break;
 		} else {
@@ -327,7 +321,7 @@ gr_res_set(struct irs_gr *this, struct __res_state *res,
 
 /* Private. */
 
-static int
+static void
 grmerge(struct irs_gr *this, const struct group *src, int preserve) {
 	struct pvt *pvt = (struct pvt *)this->private;
 	char *cp, **m, **p, *oldmembuf, *ep;
@@ -338,9 +332,9 @@ grmerge(struct irs_gr *this, const struct group *src, int preserve) {
 		pvt->group.gr_gid = src->gr_gid;
 		if (pvt->nmemb < 1) {
 			m = malloc(sizeof *m);
-			if (m == NULL) {
+			if (!m) {
 				/* No harm done, no work done. */
-				return (0);
+				return;
 			}
 			pvt->group.gr_mem = m;
 			pvt->nmemb = 1;
@@ -357,9 +351,9 @@ grmerge(struct irs_gr *this, const struct group *src, int preserve) {
 	n = ndst + nnew + 1;
 	if ((size_t)n > pvt->nmemb) {
 		m = realloc(pvt->group.gr_mem, n * sizeof *m);
-		if (m == NULL) {
+		if (!m) {
 			/* No harm done, no work done. */
-			return (0);
+			return;
 		}
 		pvt->group.gr_mem = m;
 		pvt->nmemb = n;
@@ -377,13 +371,13 @@ grmerge(struct irs_gr *this, const struct group *src, int preserve) {
 	}
 	if (n == 0) {
 		/* No work to do. */
-		return (1);
+		return;
 	}
 	used = preserve ? pvt->membufsize : 0;
 	cp = malloc(used + n);
-	if (cp == NULL) {
+	if (!cp) {
 		/* No harm done, no work done. */
-		return (0);
+		return;
 	}
 	ep = cp + used + n;
 	if (used != 0)
@@ -407,13 +401,12 @@ grmerge(struct irs_gr *this, const struct group *src, int preserve) {
 		if (isnew(pvt->group.gr_mem, *m)) {
 			*p++ = cp;
 			*p = NULL;
-			n = strlen(*m) + 1;
-			if (n > ep - cp) {
-				FREE_IF(oldmembuf);
-				return (0);
-			}
-			strcpy(cp, *m);		/* (checked) */
-			cp += n;
+#ifdef HAVE_STRLCPY
+			strlcpy(cp, *m, ep - cp);
+#else
+			strcpy(cp, *m);
+#endif
+			cp += strlen(cp) + 1;
 		}
 	if (preserve) {
 		pvt->group.gr_name = pvt->membuf + 
@@ -422,26 +415,23 @@ grmerge(struct irs_gr *this, const struct group *src, int preserve) {
 				       (pvt->group.gr_passwd - oldmembuf);
 	} else {
 		pvt->group.gr_name = cp;
-		n = strlen(src->gr_name) + 1;
-		if (n > ep - cp) {
-			FREE_IF(oldmembuf);
-			return (0);
-		}
-		strcpy(cp, src->gr_name);	/* (checked) */
-		cp += n;
-
+#ifdef HAVE_STRLCPY
+		strlcpy(cp, src->gr_name, ep - cp);
+#else
+		strcpy(cp, src->gr_name);
+#endif
+		cp += strlen(src->gr_name) + 1;
 		pvt->group.gr_passwd = cp;
-		n = strlen(src->gr_passwd) + 1;
-		if (n > ep - cp) {
-			FREE_IF(oldmembuf);
-			return (0);
-		}
-		strcpy(cp, src->gr_passwd);	/* (checked) */
-		cp += n;
+#ifdef HAVE_STRLCPY
+		strlcpy(cp, src->gr_passwd, ep - cp);
+#else
+		strcpy(cp, src->gr_passwd);
+#endif
+		cp += strlen(src->gr_passwd) + 1;
 	}
-	FREE_IF(oldmembuf);
+	if (oldmembuf != NULL)
+		free(oldmembuf);
 	INSIST(cp >= pvt->membuf && cp <= &pvt->membuf[pvt->membufsize]);
-	return (1);
 }
 
 static int
diff --git a/lib/bind/irs/gen_ho.c b/lib/bind/irs/gen_ho.c
index ba5667c7..e9e2c890 100644
--- a/lib/bind/irs/gen_ho.c
+++ b/lib/bind/irs/gen_ho.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: gen_ho.c,v 1.1.2.3 2006/03/10 00:18:22 marka Exp $";
+static const char rcsid[] = "$Id: gen_ho.c,v 1.1.206.2 2004/03/17 01:49:39 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 /* Imports */
@@ -371,6 +371,8 @@ ho_addrinfo(struct irs_ho *this, const char *name, const struct addrinfo *pai)
 	}
 	if (softerror != 0 && pvt->res->res_h_errno == HOST_NOT_FOUND)
 		RES_SET_H_ERRNO(pvt->res, therrno);
+	if (rval)
+		freeaddrinfo(rval);
 	return (NULL);
 }
 
diff --git a/lib/bind/irs/gen_ng.c b/lib/bind/irs/gen_ng.c
index 11f71179..9f3ecad9 100644
--- a/lib/bind/irs/gen_ng.c
+++ b/lib/bind/irs/gen_ng.c
@@ -16,7 +16,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: gen_ng.c,v 1.1.2.1 2004/03/09 09:17:29 marka Exp $";
+static const char rcsid[] = "$Id: gen_ng.c,v 1.1.206.1 2004/03/09 08:33:35 marka Exp $";
 #endif
 
 /* Imports */
diff --git a/lib/bind/irs/gen_nw.c b/lib/bind/irs/gen_nw.c
index 96f4be59..cb41f5db 100644
--- a/lib/bind/irs/gen_nw.c
+++ b/lib/bind/irs/gen_nw.c
@@ -16,7 +16,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: gen_nw.c,v 1.1.2.2 2004/03/17 01:54:20 marka Exp $";
+static const char rcsid[] = "$Id: gen_nw.c,v 1.1.206.2 2004/03/17 01:49:40 marka Exp $";
 #endif
 
 /* Imports */
diff --git a/lib/bind/irs/gen_p.h b/lib/bind/irs/gen_p.h
index 5f908793..0a7ea2b3 100644
--- a/lib/bind/irs/gen_p.h
+++ b/lib/bind/irs/gen_p.h
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: gen_p.h,v 1.1.2.1 2004/03/09 09:17:29 marka Exp $
+ * $Id: gen_p.h,v 1.1.206.1 2004/03/09 08:33:35 marka Exp $
  */
 
 /* Notes:
diff --git a/lib/bind/irs/gen_pr.c b/lib/bind/irs/gen_pr.c
index d75a78bc..465fee3c 100644
--- a/lib/bind/irs/gen_pr.c
+++ b/lib/bind/irs/gen_pr.c
@@ -16,7 +16,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: gen_pr.c,v 1.1.2.1 2004/03/09 09:17:29 marka Exp $";
+static const char rcsid[] = "$Id: gen_pr.c,v 1.1.206.1 2004/03/09 08:33:35 marka Exp $";
 #endif
 
 /* Imports */
diff --git a/lib/bind/irs/gen_pw.c b/lib/bind/irs/gen_pw.c
index a0c97a0c..ca313021 100644
--- a/lib/bind/irs/gen_pw.c
+++ b/lib/bind/irs/gen_pw.c
@@ -16,7 +16,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: gen_pw.c,v 1.1.2.1 2004/03/09 09:17:29 marka Exp $";
+static const char rcsid[] = "$Id: gen_pw.c,v 1.1.206.1 2004/03/09 08:33:35 marka Exp $";
 #endif
 
 /* Imports */
diff --git a/lib/bind/irs/gen_sv.c b/lib/bind/irs/gen_sv.c
index fbe8d5fa..e8f61142 100644
--- a/lib/bind/irs/gen_sv.c
+++ b/lib/bind/irs/gen_sv.c
@@ -16,7 +16,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: gen_sv.c,v 1.1.2.1 2004/03/09 09:17:29 marka Exp $";
+static const char rcsid[] = "$Id: gen_sv.c,v 1.1.206.1 2004/03/09 08:33:35 marka Exp $";
 #endif
 
 /* Imports */
diff --git a/lib/bind/irs/getaddrinfo.c b/lib/bind/irs/getaddrinfo.c
index c8d1ab3b..89db519f 100644
--- a/lib/bind/irs/getaddrinfo.c
+++ b/lib/bind/irs/getaddrinfo.c
@@ -244,24 +244,13 @@ do { \
 		goto free; \
 } while (/*CONSTCOND*/0)
 
-#ifndef SOLARIS2
-#define SETERROR(err) \
+#define ERR(err) \
 do { \
 	/* external reference: error, and label bad */ \
 	error = (err); \
 	goto bad; \
 	/*NOTREACHED*/ \
 } while (/*CONSTCOND*/0)
-#else
-#define SETERROR(err) \
-do { \
-	/* external reference: error, and label bad */ \
-	error = (err); \
-	if (error == error) \
-		goto bad; \
-} while (/*CONSTCOND*/0)
-#endif
-
 
 #define MATCH_FAMILY(x, y, w) \
 	((x) == (y) || (/*CONSTCOND*/(w) && ((x) == PF_UNSPEC || (y) == PF_UNSPEC)))
@@ -332,15 +321,6 @@ getaddrinfo(hostname, servname, hints, res)
 	pai->ai_family = PF_UNSPEC;
 	pai->ai_socktype = ANY;
 	pai->ai_protocol = ANY;
-#if defined(sun) && defined(_SOCKLEN_T) && defined(__sparcv9)
-	/*
-	 * clear _ai_pad to preserve binary
-	 * compatibility with previously compiled 64-bit
-	 * applications in a pre-SUSv3 environment by
-	 * guaranteeing the upper 32-bits are empty.
-	 */
-	pai->_ai_pad = 0;
-#endif
 	pai->ai_addrlen = 0;
 	pai->ai_canonname = NULL;
 	pai->ai_addr = NULL;
@@ -352,26 +332,19 @@ getaddrinfo(hostname, servname, hints, res)
 		/* error check for hints */
 		if (hints->ai_addrlen || hints->ai_canonname ||
 		    hints->ai_addr || hints->ai_next)
-			SETERROR(EAI_BADHINTS); /* xxx */
+			ERR(EAI_BADHINTS); /* xxx */
 		if (hints->ai_flags & ~AI_MASK)
-			SETERROR(EAI_BADFLAGS);
+			ERR(EAI_BADFLAGS);
 		switch (hints->ai_family) {
 		case PF_UNSPEC:
 		case PF_INET:
 		case PF_INET6:
 			break;
 		default:
-			SETERROR(EAI_FAMILY);
+			ERR(EAI_FAMILY);
 		}
 		memcpy(pai, hints, sizeof(*pai));
 
-#if defined(sun) && defined(_SOCKLEN_T) && defined(__sparcv9)
-		/*
-		 * We need to clear _ai_pad to preserve binary
-		 * compatibility.  See prior comment.
-		 */
-		pai->_ai_pad = 0;
-#endif
 		/*
 		 * if both socktype/protocol are specified, check if they
 		 * are meaningful combination.
@@ -386,7 +359,7 @@ getaddrinfo(hostname, servname, hints, res)
 					continue;
 				if (pai->ai_socktype == ex->e_socktype &&
 				    pai->ai_protocol != ex->e_protocol) {
-					SETERROR(EAI_BADHINTS);
+					ERR(EAI_BADHINTS);
 				}
 			}
 		}
@@ -406,7 +379,7 @@ getaddrinfo(hostname, servname, hints, res)
 	case AI_ALL:
 #if 1
 		/* illegal */
-		SETERROR(EAI_BADFLAGS);
+		ERR(EAI_BADFLAGS);
 #else
 		pai->ai_flags &= ~(AI_ALL | AI_V4MAPPED);
 		break;
@@ -434,7 +407,7 @@ getaddrinfo(hostname, servname, hints, res)
 		}
 		error = get_portmatch(pai, servname);
 		if (error)
-			SETERROR(error);
+			ERR(error);
 
 		*pai = ai0;
 	}
@@ -493,9 +466,9 @@ getaddrinfo(hostname, servname, hints, res)
 		goto good;
 
 	if (pai->ai_flags & AI_NUMERICHOST)
-		SETERROR(EAI_NONAME);
+		ERR(EAI_NONAME);
 	if (hostname == NULL)
-		SETERROR(EAI_NONAME);
+		ERR(EAI_NONAME);
 
 	/*
 	 * hostname as alphabetical name.
@@ -576,6 +549,10 @@ getaddrinfo(hostname, servname, hints, res)
 
 	freeaddrinfo(afai);	/* afai must not be NULL at this point. */
 
+	/* we must not have got any errors. */
+	if (error != 0) /* just for diagnosis */
+		abort();
+
 	if (sentinel.ai_next) {
 good:
 		*res = sentinel.ai_next;
@@ -800,10 +777,10 @@ explore_numeric(pai, hostname, servname, res)
 			    pai->ai_family == PF_UNSPEC /*?*/) {
 				GET_AI(cur->ai_next, afd, pton);
 				GET_PORT(cur->ai_next, servname);
-				while (cur->ai_next)
+				while (cur && cur->ai_next)
 					cur = cur->ai_next;
 			} else
-				SETERROR(EAI_FAMILY);	/*xxx*/
+				ERR(EAI_FAMILY);	/*xxx*/
 		}
 		break;
 #endif
@@ -813,10 +790,10 @@ explore_numeric(pai, hostname, servname, res)
 			    pai->ai_family == PF_UNSPEC /*?*/) {
 				GET_AI(cur->ai_next, afd, pton);
 				GET_PORT(cur->ai_next, servname);
-				while (cur->ai_next)
+				while (cur && cur->ai_next)
 					cur = cur->ai_next;
 			} else
-				SETERROR(EAI_FAMILY);	/*xxx*/
+				ERR(EAI_FAMILY);	/*xxx*/
 		}
 		break;
 	}
@@ -960,7 +937,11 @@ copy_ai(pai)
 			free(ai);
 			return NULL;
 		}
-		strcpy(ai->ai_canonname, pai->ai_canonname);	/* (checked) */
+#ifdef HAVE_STRLCPY
+		strlcpy(ai->ai_canonname, pai->ai_canonname, l);
+#else
+		strncpy(ai->ai_canonname, pai->ai_canonname, l);
+#endif
 	} else {
 		/* just to make sure */
 		ai->ai_canonname = NULL;
@@ -1115,8 +1096,7 @@ ip6_str2scopeid(char *scope, struct sockaddr_in6 *sin6,
 		return (0);
 
 #ifdef USE_IFNAMELINKID
-	if (IN6_IS_ADDR_LINKLOCAL(a6) || IN6_IS_ADDR_MC_LINKLOCAL(a6) ||
-	    IN6_IS_ADDR_MC_NODELOCAL(a6)) {
+	if (IN6_IS_ADDR_LINKLOCAL(a6) || IN6_IS_ADDR_MC_LINKLOCAL(a6)) {
 		/*
 		 * Using interface names as link indices can be allowed
 		 * only when we can assume a one-to-one mappings between
@@ -1124,7 +1104,6 @@ ip6_str2scopeid(char *scope, struct sockaddr_in6 *sin6,
 		 */
 		scopeid = if_nametoindex(scope);
 		if (scopeid == 0)
-			goto trynumeric;
 		*scopeidp = scopeid;
 		return (1);
 	}
@@ -1198,7 +1177,7 @@ hostent2addrinfo(hp, pai)
 			 */
 			GET_CANONNAME(cur->ai_next, hp->h_name);
 		}
-		while (cur->ai_next) /* no need to loop, actually. */
+		while (cur && cur->ai_next) /* no need to loop, actually. */
 			cur = cur->ai_next;
 		continue;
 
diff --git a/lib/bind/irs/getgrent.c b/lib/bind/irs/getgrent.c
index 1dd7ce04..7c394f27 100644
--- a/lib/bind/irs/getgrent.c
+++ b/lib/bind/irs/getgrent.c
@@ -16,7 +16,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: getgrent.c,v 1.3.2.1 2004/03/09 09:17:29 marka Exp $";
+static const char rcsid[] = "$Id: getgrent.c,v 1.3.206.1 2004/03/09 08:33:35 marka Exp $";
 #endif
 
 /* Imports */
diff --git a/lib/bind/irs/getgrent_r.c b/lib/bind/irs/getgrent_r.c
index e7770146..1e8b1a63 100644
--- a/lib/bind/irs/getgrent_r.c
+++ b/lib/bind/irs/getgrent_r.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: getgrent_r.c,v 1.5.2.1 2004/03/09 09:17:29 marka Exp $";
+static const char rcsid[] = "$Id: getgrent_r.c,v 1.5.206.1 2004/03/09 08:33:35 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include <port_before.h>
diff --git a/lib/bind/irs/gethostent.c b/lib/bind/irs/gethostent.c
index c09e8fe6..b471c529 100644
--- a/lib/bind/irs/gethostent.c
+++ b/lib/bind/irs/gethostent.c
@@ -16,7 +16,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: gethostent.c,v 1.1.2.5 2006/01/10 05:10:24 marka Exp $";
+static const char rcsid[] = "$Id: gethostent.c,v 1.1.2.2.4.2 2004/03/17 01:49:40 marka Exp $";
 #endif
 
 /* Imports */
@@ -608,7 +608,7 @@ scan_interfaces6(int *have_v4, int *have_v6) {
 }
 #endif
 
-#if ( defined(__linux__) || defined(__linux) || defined(LINUX) )
+#ifdef __linux
 #ifndef IF_NAMESIZE
 # ifdef IFNAMSIZ
 #  define IF_NAMESIZE  IFNAMSIZ
diff --git a/lib/bind/irs/gethostent_r.c b/lib/bind/irs/gethostent_r.c
index 0b59c85e..faf1cfbb 100644
--- a/lib/bind/irs/gethostent_r.c
+++ b/lib/bind/irs/gethostent_r.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: gethostent_r.c,v 1.4.2.4 2005/09/03 12:49:47 marka Exp $";
+static const char rcsid[] = "$Id: gethostent_r.c,v 1.4.206.1 2004/03/09 08:33:35 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include <port_before.h>
@@ -44,12 +44,10 @@ gethostbyname_r(const char *name,  struct hostent *hptr, HOST_R_ARGS) {
 	int n = 0;
 #endif
 
-#ifdef HOST_R_ERRNO
 	HOST_R_ERRNO;
-#endif
 
 #ifdef HOST_R_SETANSWER
-	if (he == NULL || (n = copy_hostent(he, hptr, HOST_R_COPY)) != 0)
+	if (he == NULL || (n = copy_hostent(he, hptr, HOST_R_COPY)) == 0)
 		*answerp = NULL;
 	else
 		*answerp = hptr;
@@ -71,12 +69,10 @@ gethostbyaddr_r(const char *addr, int len, int type,
 	int n = 0;
 #endif
 
-#ifdef HOST_R_ERRNO
 	HOST_R_ERRNO;
-#endif
 
 #ifdef HOST_R_SETANSWER
-	if (he == NULL || (n = copy_hostent(he, hptr, HOST_R_COPY)) != 0)
+	if (he == NULL || (n = copy_hostent(he, hptr, HOST_R_COPY)) == 0)
 		*answerp = NULL;
 	else
 		*answerp = hptr;
@@ -103,12 +99,10 @@ gethostent_r(struct hostent *hptr, HOST_R_ARGS) {
 	int n = 0;
 #endif
 
-#ifdef HOST_R_ERRNO
 	HOST_R_ERRNO;
-#endif
 
 #ifdef HOST_R_SETANSWER
-	if (he == NULL || (n = copy_hostent(he, hptr, HOST_R_COPY)) != 0)
+	if (he == NULL || (n = copy_hostent(he, hptr, HOST_R_COPY)) == 0)
 		*answerp = NULL;
 	else
 		*answerp = hptr;
@@ -129,9 +123,6 @@ sethostent_r(int stay_open, HOST_R_ENT_ARGS)
 sethostent_r(int stay_open)
 #endif
 {
-#ifdef HOST_R_ENT_ARGS
-	UNUSED(hdptr);
-#endif
 	sethostent(stay_open);
 #ifdef	HOST_R_SET_RESULT
 	return (HOST_R_SET_RESULT);
@@ -145,9 +136,6 @@ endhostent_r(HOST_R_ENT_ARGS)
 endhostent_r(void)
 #endif
 {
-#ifdef HOST_R_ENT_ARGS
-	UNUSED(hdptr);
-#endif
 	endhostent();
 	HOST_R_END_RESULT(HOST_R_OK);
 }
@@ -226,8 +214,8 @@ copy_hostent(struct hostent *he, struct hostent *hptr, HOST_R_COPY_ARGS) {
 
 	/* copy up to first 35 addresses */
 	i = 0;
-	cp = hdptr->hostbuf;
-	eob = hdptr->hostbuf + sizeof(hdptr->hostbuf);
+	cp = hdptr->hostaddr;
+	eob = hdptr->hostaddr + sizeof(hdptr->hostaddr);
 	hptr->h_addr_list = hdptr->h_addr_ptrs;
 	while (he->h_addr_list[i] && i < (_MAXADDRS)) {
 		if (n < (eob - cp)) {
@@ -242,6 +230,8 @@ copy_hostent(struct hostent *he, struct hostent *hptr, HOST_R_COPY_ARGS) {
 	hptr->h_addr_list[i] = NULL;
 
 	/* copy official name */
+	cp = hdptr->hostbuf;
+	eob = hdptr->hostbuf + sizeof(hdptr->hostbuf);
 	if ((n = strlen(he->h_name) + 1) < (eob - cp)) {
 		strcpy(cp, he->h_name);
 		hptr->h_name = cp;
diff --git a/lib/bind/irs/getnameinfo.c b/lib/bind/irs/getnameinfo.c
index d6d89f3e..dd8c14b4 100644
--- a/lib/bind/irs/getnameinfo.c
+++ b/lib/bind/irs/getnameinfo.c
@@ -3,16 +3,6 @@
  * - Thread safe-ness must be checked
  */
 
-#if ( defined(__linux__) || defined(__linux) || defined(LINUX) )
-#ifndef IF_NAMESIZE
-# ifdef IFNAMSIZ
-#  define IF_NAMESIZE  IFNAMSIZ
-# else
-#  define IF_NAMESIZE 16
-# endif
-#endif
-#endif
-
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * All rights reserved.
@@ -164,7 +154,7 @@ getnameinfo(sa, salen, host, hostlen, serv, servlen, flags)
 
 	switch (sa->sa_family) {
 	case AF_INET:
-		if (ntohl(*(const u_int32_t *)addr) >> IN_CLASSA_NSHIFT == 0)
+		if (ntohl(*(const u_long *)addr) >> IN_CLASSA_NSHIFT == 0)
 			flags |= NI_NUMERICHOST;			
 		break;
 	case AF_INET6:
diff --git a/lib/bind/irs/getnetent.c b/lib/bind/irs/getnetent.c
index 6be115ed..4d1cd1e7 100644
--- a/lib/bind/irs/getnetent.c
+++ b/lib/bind/irs/getnetent.c
@@ -16,7 +16,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: getnetent.c,v 1.4.2.2 2004/03/17 01:54:21 marka Exp $";
+static const char rcsid[] = "$Id: getnetent.c,v 1.4.206.2 2004/03/17 01:49:40 marka Exp $";
 #endif
 
 /* Imports */
diff --git a/lib/bind/irs/getnetent_r.c b/lib/bind/irs/getnetent_r.c
index 4e5042ff..0b540b00 100644
--- a/lib/bind/irs/getnetent_r.c
+++ b/lib/bind/irs/getnetent_r.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: getnetent_r.c,v 1.3.2.2 2005/09/03 12:49:47 marka Exp $";
+static const char rcsid[] = "$Id: getnetent_r.c,v 1.3.206.1 2004/03/09 08:33:36 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include <port_before.h>
@@ -118,9 +118,6 @@ setnetent_r(int stay_open, NET_R_ENT_ARGS)
 setnetent_r(int stay_open)
 #endif
 {
-#ifdef NET_R_ENT_ARGS
-	UNUSED(ndptr);
-#endif
 	setnetent(stay_open);
 #ifdef NET_R_SET_RESULT
 	return (NET_R_SET_RESULT);
@@ -134,9 +131,6 @@ endnetent_r(NET_R_ENT_ARGS)
 endnetent_r()
 #endif
 {
-#ifdef NET_R_ENT_ARGS
-	UNUSED(ndptr);
-#endif
 	endnetent();
 	NET_R_END_RESULT(NET_R_OK);
 }
diff --git a/lib/bind/irs/getnetgrent.c b/lib/bind/irs/getnetgrent.c
index 815d28fd..b2751536 100644
--- a/lib/bind/irs/getnetgrent.c
+++ b/lib/bind/irs/getnetgrent.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: getnetgrent.c,v 1.1.2.2 2004/03/09 09:17:30 marka Exp $";
+static const char rcsid[] = "$Id: getnetgrent.c,v 1.1.2.1.4.1 2004/03/09 08:33:36 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 /* Imports */
diff --git a/lib/bind/irs/getnetgrent_r.c b/lib/bind/irs/getnetgrent_r.c
index 17dea778..0e2a34f9 100644
--- a/lib/bind/irs/getnetgrent_r.c
+++ b/lib/bind/irs/getnetgrent_r.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: getnetgrent_r.c,v 1.5.2.5 2005/09/03 12:49:48 marka Exp $";
+static const char rcsid[] = "$Id: getnetgrent_r.c,v 1.5.2.1.4.2 2004/04/13 04:59:29 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include <port_before.h>
@@ -29,6 +29,7 @@ static const char rcsid[] = "$Id: getnetgrent_r.c,v 1.5.2.5 2005/09/03 12:49:48
 #include <sys/types.h>
 #include <netinet/in.h>
 #include <netdb.h>
+#include <netgroup.h>
 #include <stdlib.h>
 #include <port_after.h>
 
@@ -77,14 +78,8 @@ setnetgrent_r(const char *netgroup)
 #endif
 {
 	char *tmp;
-#if defined(NGR_R_ENT_ARGS) && !defined(NGR_R_PRIVATE)
-	UNUSED(buf);
-	UNUSED(buflen);
-#endif
-
 	DE_CONST(netgroup, tmp);
 	setnetgrent(tmp);
-
 #ifdef NGR_R_PRIVATE
 	*buf = NULL;
 #endif
@@ -100,11 +95,6 @@ endnetgrent_r(NGR_R_ENT_ARGS)
 endnetgrent_r(void)
 #endif
 {
-#if defined(NGR_R_ENT_ARGS) && !defined(NGR_R_PRIVATE)
-	UNUSED(buf);
-	UNUSED(buflen);
-#endif
-
 	endnetgrent();
 #ifdef NGR_R_PRIVATE
 	if (*buf != NULL)
diff --git a/lib/bind/irs/getprotoent.c b/lib/bind/irs/getprotoent.c
index db9dc11b..145062fd 100644
--- a/lib/bind/irs/getprotoent.c
+++ b/lib/bind/irs/getprotoent.c
@@ -16,7 +16,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: getprotoent.c,v 1.2.2.1 2004/03/09 09:17:30 marka Exp $";
+static const char rcsid[] = "$Id: getprotoent.c,v 1.2.206.1 2004/03/09 08:33:36 marka Exp $";
 #endif
 
 /* Imports */
diff --git a/lib/bind/irs/getprotoent_r.c b/lib/bind/irs/getprotoent_r.c
index 897587c1..96bb4e32 100644
--- a/lib/bind/irs/getprotoent_r.c
+++ b/lib/bind/irs/getprotoent_r.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: getprotoent_r.c,v 1.3.2.2 2006/08/01 01:19:33 marka Exp $";
+static const char rcsid[] = "$Id: getprotoent_r.c,v 1.3.206.1 2004/03/09 08:33:36 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include <port_before.h>
@@ -109,9 +109,6 @@ setprotoent_r(int stay_open, PROTO_R_ENT_ARGS)
 setprotoent_r(int stay_open)
 #endif
 {
-#ifdef PROTO_R_ENT_UNUSED
-        PROTO_R_ENT_UNUSED;
-#endif
 	setprotoent(stay_open);
 #ifdef PROTO_R_SET_RESULT
 	return (PROTO_R_SET_RESULT);
@@ -125,9 +122,6 @@ endprotoent_r(PROTO_R_ENT_ARGS)
 endprotoent_r()
 #endif
 {
-#ifdef PROTO_R_ENT_UNUSED
-        PROTO_R_ENT_UNUSED;
-#endif
 	endprotoent();
 	PROTO_R_END_RESULT(PROTO_R_OK);
 }
diff --git a/lib/bind/irs/getpwent.c b/lib/bind/irs/getpwent.c
index 1e13df69..10c237ed 100644
--- a/lib/bind/irs/getpwent.c
+++ b/lib/bind/irs/getpwent.c
@@ -16,7 +16,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: getpwent.c,v 1.1.2.1 2004/03/09 09:17:30 marka Exp $";
+static const char rcsid[] = "$Id: getpwent.c,v 1.1.206.1 2004/03/09 08:33:36 marka Exp $";
 #endif
 
 /* Imports */
diff --git a/lib/bind/irs/getpwent_r.c b/lib/bind/irs/getpwent_r.c
index 3d7696e4..689f677d 100644
--- a/lib/bind/irs/getpwent_r.c
+++ b/lib/bind/irs/getpwent_r.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: getpwent_r.c,v 1.5.2.2 2004/09/17 13:32:07 marka Exp $";
+static const char rcsid[] = "$Id: getpwent_r.c,v 1.5.206.1 2004/03/09 08:33:36 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include <port_before.h>
@@ -130,7 +130,7 @@ getpwuid_r(uid_t uid,  struct passwd *pwptr, char *buf, int buflen) {
 PASS_R_RETURN
 getpwent_r(struct passwd *pwptr, PASS_R_ARGS) {
 	struct passwd *pw = getpwent();
-	int res = 0;
+	int res;
 
 	if (pw == NULL)
 		return (PASS_R_BAD);
@@ -184,7 +184,7 @@ endpwent_r(void)
 PASS_R_RETURN
 fgetpwent_r(FILE *f, struct passwd *pwptr, PASS_R_COPY_ARGS) {
 	struct passwd *pw = fgetpwent(f);
-	int res = 0;
+	int res;
 
 	if (pw == NULL)
 		return (PASS_R_BAD);
diff --git a/lib/bind/irs/getservent.c b/lib/bind/irs/getservent.c
index 300d9ca8..a13e36fe 100644
--- a/lib/bind/irs/getservent.c
+++ b/lib/bind/irs/getservent.c
@@ -16,7 +16,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: getservent.c,v 1.2.2.1 2004/03/09 09:17:31 marka Exp $";
+static const char rcsid[] = "$Id: getservent.c,v 1.2.206.1 2004/03/09 08:33:36 marka Exp $";
 #endif
 
 /* Imports */
diff --git a/lib/bind/irs/getservent_r.c b/lib/bind/irs/getservent_r.c
index a53707cb..b24f468a 100644
--- a/lib/bind/irs/getservent_r.c
+++ b/lib/bind/irs/getservent_r.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: getservent_r.c,v 1.3.2.2 2006/08/01 01:19:33 marka Exp $";
+static const char rcsid[] = "$Id: getservent_r.c,v 1.3.206.1 2004/03/09 08:33:36 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include <port_before.h>
@@ -112,9 +112,7 @@ setservent_r(int stay_open, SERV_R_ENT_ARGS)
 setservent_r(int stay_open)
 #endif
 {
-#ifdef SERV_R_ENT_UNUSED
-	SERV_R_ENT_UNUSED;
-#endif
+
 	setservent(stay_open);
 #ifdef SERV_R_SET_RESULT
 	return (SERV_R_SET_RESULT);
@@ -128,9 +126,7 @@ endservent_r(SERV_R_ENT_ARGS)
 endservent_r()
 #endif
 {
-#ifdef SERV_R_ENT_UNUSED
-	SERV_R_ENT_UNUSED;
-#endif
+
 	endservent();
 	SERV_R_END_RESULT(SERV_R_OK);
 }
@@ -198,8 +194,8 @@ copy_servent(struct servent *se, struct servent *sptr, SERV_R_COPY_ARGS) {
 	sptr->s_port = se->s_port;
 
 	/* copy official name */
-	cp = sdptr->line;
-	eob = sdptr->line + sizeof(sdptr->line);
+	cp = ndptr->line;
+	eob = ndptr->line + sizeof(ndptr->line);
 	if ((n = strlen(se->s_name) + 1) < (eob - cp)) {
 		strcpy(cp, se->s_name);
 		sptr->s_name = cp;
@@ -210,7 +206,7 @@ copy_servent(struct servent *se, struct servent *sptr, SERV_R_COPY_ARGS) {
 
 	/* copy aliases */
 	i = 0;
-	sptr->s_aliases = sdptr->serv_aliases;
+	sptr->s_aliases = ndptr->serv_aliases;
 	while (se->s_aliases[i] && i < (_MAXALIASES-1)) {
 		if ((n = strlen(se->s_aliases[i]) + 1) < (eob - cp)) {
 			strcpy(cp, se->s_aliases[i]);
diff --git a/lib/bind/irs/hesiod.c b/lib/bind/irs/hesiod.c
index cab4aef4..a0b45c54 100644
--- a/lib/bind/irs/hesiod.c
+++ b/lib/bind/irs/hesiod.c
@@ -1,5 +1,5 @@
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: hesiod.c,v 1.1.2.5 2005/07/28 07:48:19 marka Exp $";
+static const char rcsid[] = "$Id: hesiod.c,v 1.1.2.1.4.2 2004/03/17 01:49:41 marka Exp $";
 #endif
 
 /*
@@ -83,21 +83,28 @@ hesiod_init(void **context) {
 		return (-1);
 	}
 
-	memset(ctx, 0, sizeof (*ctx));
+	ctx->LHS = NULL;
+	ctx->RHS = NULL;
+	ctx->res = NULL;
 
 	if (parse_config_file(ctx, _PATH_HESIOD_CONF) < 0) {
 #ifdef DEF_RHS
 		/*
 		 * Use compiled in defaults.
 		 */
-		ctx->LHS = malloc(strlen(DEF_LHS) + 1);
-		ctx->RHS = malloc(strlen(DEF_RHS) + 1);
-		if (ctx->LHS == NULL || ctx->RHS == NULL) {
+		ctx->LHS = malloc(strlen(DEF_LHS)+1);
+		ctx->RHS = malloc(strlen(DEF_RHS)+1);
+		if (ctx->LHS == 0 || ctx->RHS == 0) {
 			errno = ENOMEM;
 			goto cleanup;
 		}
-		strcpy(ctx->LHS, DEF_LHS);	/* (checked) */
-		strcpy(ctx->RHS, DEF_RHS);	/* (checked) */
+#ifdef HAVE_STRLCPY
+		strlcpy(ctx->LHS, DEF_LHS, strlen(DEF_LHS) + 1);
+		strlcpy(ctx->RHS, DEF_RHS, strlen(DEF_RHS) + 1);
+#else
+		strcpy(ctx->LHS, DEF_LHS);
+		strcpy(ctx->RHS, DEF_RHS);
+#endif
 #else
 		goto cleanup;
 #endif
@@ -116,10 +123,22 @@ hesiod_init(void **context) {
 			goto cleanup;
 		}
 		if (cp[0] == '.') {
-			strcpy(ctx->RHS, cp);	/* (checked) */
+#ifdef HAVE_STRLCPY
+			strlcpy(ctx->RHS, cp, RHSlen);
+#else
+			strcpy(ctx->RHS, cp);
+#endif
 		} else {
-			strcpy(ctx->RHS, ".");	/* (checked) */
-			strcat(ctx->RHS, cp);	/* (checked) */
+#ifdef HAVE_STRLCPY
+			strlcpy(ctx->RHS, ".", RHSlen);
+#else
+			strcpy(ctx->RHS, ".");
+#endif
+#ifdef HAVE_STRLCAT
+			strlcat(ctx->RHS, cp, RHSlen);
+#else
+			strcat(ctx->RHS, cp);
+#endif
 		}
 	}
 
diff --git a/lib/bind/irs/hesiod_p.h b/lib/bind/irs/hesiod_p.h
index ba72b96e..5af70a79 100644
--- a/lib/bind/irs/hesiod_p.h
+++ b/lib/bind/irs/hesiod_p.h
@@ -20,7 +20,7 @@
  */
 
 /*
- * $Id: hesiod_p.h,v 1.1.2.1 2004/03/09 09:17:31 marka Exp $
+ * $Id: hesiod_p.h,v 1.1.206.1 2004/03/09 08:33:36 marka Exp $
  */
 
 /*
diff --git a/lib/bind/irs/irp.c b/lib/bind/irs/irp.c
index bc0ecb41..e5620db3 100644
--- a/lib/bind/irs/irp.c
+++ b/lib/bind/irs/irp.c
@@ -16,7 +16,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: irp.c,v 1.3.2.5 2006/03/10 00:18:22 marka Exp $";
+static const char rcsid[] = "$Id: irp.c,v 1.3.2.1.10.2 2004/03/17 01:49:41 marka Exp $";
 #endif
 
 /* Imports */
@@ -425,9 +425,6 @@ irs_irp_read_body(struct irp_p *pvt, size_t *size) {
 	char *buffer = memget(len);
 	int idx = 0;
 
-	if (buffer == NULL)
-		return (NULL);
-
 	for (;;) {
 		if (irs_irp_read_line(pvt, line, sizeof line) <= 0 ||
 		    strchr(line, '\n') == NULL)
@@ -520,7 +517,7 @@ irs_irp_get_full_response(struct irp_p *pvt, int *code, char *text,
  * int irs_irp_send_command(struct irp_p *pvt, const char *fmt, ...);
  *
  *	Sends command to remote connected via the PVT
- *	structure. FMT and args after it are fprintf-like
+ *	struture. FMT and args after it are fprintf-like
  *	arguments for formatting.
  *
  * Returns:
diff --git a/lib/bind/irs/irp_gr.c b/lib/bind/irs/irp_gr.c
index fa17c411..f7e3a2fa 100644
--- a/lib/bind/irs/irp_gr.c
+++ b/lib/bind/irs/irp_gr.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: irp_gr.c,v 1.2.2.1 2004/03/09 09:17:31 marka Exp $";
+static const char rcsid[] = "$Id: irp_gr.c,v 1.2.206.1 2004/03/09 08:33:36 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 /* extern */
diff --git a/lib/bind/irs/irp_ho.c b/lib/bind/irs/irp_ho.c
index 37949b2a..90566125 100644
--- a/lib/bind/irs/irp_ho.c
+++ b/lib/bind/irs/irp_ho.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: irp_ho.c,v 1.1.2.1 2004/03/09 09:17:31 marka Exp $";
+static const char rcsid[] = "$Id: irp_ho.c,v 1.1.206.1 2004/03/09 08:33:36 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 /* Imports. */
diff --git a/lib/bind/irs/irp_ng.c b/lib/bind/irs/irp_ng.c
index d12a0a74..cf7bc7c3 100644
--- a/lib/bind/irs/irp_ng.c
+++ b/lib/bind/irs/irp_ng.c
@@ -16,7 +16,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: irp_ng.c,v 1.1.2.2 2006/12/07 04:52:57 marka Exp $";
+static const char rcsid[] = "$Id: irp_ng.c,v 1.1.206.1 2004/03/09 08:33:37 marka Exp $";
 #endif
 
 /* Imports */
@@ -239,14 +239,14 @@ ng_test(struct irs_ng *this, const char *name,
 	}
 
 	if (irs_irp_send_command(pvt->girpdata, "innetgr %s", body) == 0) {
+		memput(body, bodylen);
+
 		code = irs_irp_read_response(pvt->girpdata, text, sizeof text);
 		if (code == IRPD_GETNETGR_MATCHES) {
 			rval = 1;
 		}
 	}
 
-	memput(body, bodylen);
-
 	return (rval);
 }
 
diff --git a/lib/bind/irs/irp_nw.c b/lib/bind/irs/irp_nw.c
index 1815557b..346e5a4d 100644
--- a/lib/bind/irs/irp_nw.c
+++ b/lib/bind/irs/irp_nw.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: irp_nw.c,v 1.1.2.2 2006/03/10 00:18:22 marka Exp $";
+static const char rcsid[] = "$Id: irp_nw.c,v 1.1.206.1 2004/03/09 08:33:37 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #if 0
@@ -319,8 +319,6 @@ nw_next(struct irs_nw *this) {
 		nw = NULL;
 	}
 
-	if (body != NULL)
-		memput(body, bodylen);
 	return (nw);
 }
 
diff --git a/lib/bind/irs/irp_p.h b/lib/bind/irs/irp_p.h
index 872d5e91..fa2858db 100644
--- a/lib/bind/irs/irp_p.h
+++ b/lib/bind/irs/irp_p.h
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: irp_p.h,v 1.1.2.3 2004/03/09 09:17:31 marka Exp $
+ * $Id: irp_p.h,v 1.1.2.2.4.1 2004/03/09 08:33:37 marka Exp $
  */
 
 #ifndef _IRP_P_H_INCLUDED
diff --git a/lib/bind/irs/irp_pr.c b/lib/bind/irs/irp_pr.c
index 84152ed0..07d739d6 100644
--- a/lib/bind/irs/irp_pr.c
+++ b/lib/bind/irs/irp_pr.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: irp_pr.c,v 1.1.2.1 2004/03/09 09:17:31 marka Exp $";
+static const char rcsid[] = "$Id: irp_pr.c,v 1.1.206.1 2004/03/09 08:33:37 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 /* extern */
diff --git a/lib/bind/irs/irp_pw.c b/lib/bind/irs/irp_pw.c
index ef728e97..069f5887 100644
--- a/lib/bind/irs/irp_pw.c
+++ b/lib/bind/irs/irp_pw.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: irp_pw.c,v 1.2.2.1 2004/03/09 09:17:32 marka Exp $";
+static const char rcsid[] = "$Id: irp_pw.c,v 1.2.206.1 2004/03/09 08:33:37 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 /* Extern */
diff --git a/lib/bind/irs/irp_sv.c b/lib/bind/irs/irp_sv.c
index 316bec34..0c4d6a18 100644
--- a/lib/bind/irs/irp_sv.c
+++ b/lib/bind/irs/irp_sv.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: irp_sv.c,v 1.1.2.1 2004/03/09 09:17:32 marka Exp $";
+static const char rcsid[] = "$Id: irp_sv.c,v 1.1.206.1 2004/03/09 08:33:37 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 /* extern */
diff --git a/lib/bind/irs/irpmarshall.c b/lib/bind/irs/irpmarshall.c
index a08163c9..6d2ebd48 100644
--- a/lib/bind/irs/irpmarshall.c
+++ b/lib/bind/irs/irpmarshall.c
@@ -49,7 +49,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: irpmarshall.c,v 1.3.2.4 2006/03/10 00:18:22 marka Exp $";
+static const char rcsid[] = "$Id: irpmarshall.c,v 1.3.206.3 2004/03/17 01:13:34 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #if 0
@@ -1020,7 +1020,7 @@ irp_unmarshall_ho(struct hostent *ho, char *buffer) {
 	int hoaddrtype;
 	int holength;
 	long t;
-	char *name;
+	char *name = NULL;
 	char **aliases = NULL;
 	char **hohaddrlist = NULL;
 	size_t hoaddrsize;
@@ -1143,7 +1143,6 @@ irp_unmarshall_ho(struct hostent *ho, char *buffer) {
 	errno = myerrno;
 
 	if (name != NULL) free(name);
-	free_array(hohaddrlist, 0);
 	free_array(aliases, 0);
 
 	return (-1);
@@ -1314,6 +1313,7 @@ irp_unmarshall_ng(const char **hostp, const char **userp, const char **domainp,
 
 	if (host != NULL) free(host);
 	if (user != NULL) free(user);
+	if (domain != NULL) free(domain);
 
 	return (-1);
 }
diff --git a/lib/bind/irs/irs_data.c b/lib/bind/irs/irs_data.c
index 47963f1e..dbe51774 100644
--- a/lib/bind/irs/irs_data.c
+++ b/lib/bind/irs/irs_data.c
@@ -16,7 +16,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: irs_data.c,v 1.3.2.7 2007/02/26 00:05:23 marka Exp $";
+static const char rcsid[] = "$Id: irs_data.c,v 1.3.2.2.4.2 2004/03/17 00:29:49 marka Exp $";
 #endif
 
 #include "port_before.h"
@@ -121,24 +121,14 @@ net_data_destroy(void *p) {
 struct net_data *
 net_data_init(const char *conf_file) {
 #ifdef	DO_PTHREADS
-#ifndef LIBBIND_MUTEX_INITIALIZER
-#define LIBBIND_MUTEX_INITIALIZER PTHREAD_MUTEX_INITIALIZER
-#endif
-	static pthread_mutex_t keylock = LIBBIND_MUTEX_INITIALIZER;
+	static pthread_mutex_t keylock = PTHREAD_MUTEX_INITIALIZER;
 	struct net_data *net_data;
 
 	if (!once) {
-		if (pthread_mutex_lock(&keylock) != 0)
-			return (NULL);
-		if (!once) {
-			if (pthread_key_create(&key, net_data_destroy) != 0) {
-				pthread_mutex_unlock(&keylock);
-				return (NULL);
-			}
-			once = 1;
-		}
-		if (pthread_mutex_unlock(&keylock) != 0)
-			return (NULL);
+		pthread_mutex_lock(&keylock);
+		if (!once++)
+			pthread_key_create(&key, net_data_destroy);
+		pthread_mutex_unlock(&keylock);
 	}
 	net_data = pthread_getspecific(key);
 #endif
@@ -148,10 +138,7 @@ net_data_init(const char *conf_file) {
 		if (net_data == NULL)
 			return (NULL);
 #ifdef	DO_PTHREADS
-		if (pthread_setspecific(key, net_data) != 0) {
-			net_data_destroy(net_data);
-			return (NULL);
-		}
+		pthread_setspecific(key, net_data);
 #endif
 	}
 
diff --git a/lib/bind/irs/irs_data.h b/lib/bind/irs/irs_data.h
index 6318bd4b..90eb78c5 100644
--- a/lib/bind/irs/irs_data.h
+++ b/lib/bind/irs/irs_data.h
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: irs_data.h,v 1.1.2.1 2004/03/09 09:17:32 marka Exp $
+ * $Id: irs_data.h,v 1.1.206.1 2004/03/09 08:33:37 marka Exp $
  */
 
 #ifndef __BIND_NOSTATIC
diff --git a/lib/bind/irs/irs_p.h b/lib/bind/irs/irs_p.h
index d997b606..6d340f21 100644
--- a/lib/bind/irs/irs_p.h
+++ b/lib/bind/irs/irs_p.h
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: irs_p.h,v 1.1.2.1 2004/03/09 09:17:32 marka Exp $
+ * $Id: irs_p.h,v 1.1.206.1 2004/03/09 08:33:37 marka Exp $
  */
 
 #ifndef _IRS_P_H_INCLUDED
diff --git a/lib/bind/irs/lcl.c b/lib/bind/irs/lcl.c
index e14ed522..e02c90d1 100644
--- a/lib/bind/irs/lcl.c
+++ b/lib/bind/irs/lcl.c
@@ -16,7 +16,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: lcl.c,v 1.1.2.2 2004/03/17 00:40:13 marka Exp $";
+static const char rcsid[] = "$Id: lcl.c,v 1.1.206.2 2004/03/17 00:29:49 marka Exp $";
 #endif
 
 /* Imports */
diff --git a/lib/bind/irs/lcl_gr.c b/lib/bind/irs/lcl_gr.c
index 5564c08b..ccf7b797 100644
--- a/lib/bind/irs/lcl_gr.c
+++ b/lib/bind/irs/lcl_gr.c
@@ -49,7 +49,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: lcl_gr.c,v 1.1.2.1 2004/03/09 09:17:32 marka Exp $";
+static const char rcsid[] = "$Id: lcl_gr.c,v 1.1.206.1 2004/03/09 08:33:37 marka Exp $";
 /* from getgrent.c 8.2 (Berkeley) 3/21/94"; */
 /* from BSDI Id: getgrent.c,v 2.8 1996/05/28 18:15:14 bostic Exp $	*/
 #endif /* LIBC_SCCS and not lint */
diff --git a/lib/bind/irs/lcl_ho.c b/lib/bind/irs/lcl_ho.c
index 4d91dcc8..45d26778 100644
--- a/lib/bind/irs/lcl_ho.c
+++ b/lib/bind/irs/lcl_ho.c
@@ -52,7 +52,7 @@
 /* BIND Id: gethnamaddr.c,v 8.15 1996/05/22 04:56:30 vixie Exp $ */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: lcl_ho.c,v 1.1.2.3 2006/03/10 00:18:22 marka Exp $";
+static const char rcsid[] = "$Id: lcl_ho.c,v 1.1.206.2 2004/03/17 00:29:50 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 /* Imports. */
@@ -541,7 +541,7 @@ ho_addrinfo(struct irs_ho *this, const char *name, const struct addrinfo *pai)
 		ai = hostent2addrinfo(hp, pai);
 		if (ai) {
 			cur->ai_next = ai;
-			while (cur->ai_next)
+			while (cur && cur->ai_next)
 				cur = cur->ai_next;
 		}
 	}
diff --git a/lib/bind/irs/lcl_ng.c b/lib/bind/irs/lcl_ng.c
index 756a790f..3c678f27 100644
--- a/lib/bind/irs/lcl_ng.c
+++ b/lib/bind/irs/lcl_ng.c
@@ -16,7 +16,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: lcl_ng.c,v 1.1.2.1 2004/03/09 09:17:32 marka Exp $";
+static const char rcsid[] = "$Id: lcl_ng.c,v 1.1.206.1 2004/03/09 08:33:38 marka Exp $";
 #endif
 
 /* Imports */
diff --git a/lib/bind/irs/lcl_nw.c b/lib/bind/irs/lcl_nw.c
index b31f785a..7d04672c 100644
--- a/lib/bind/irs/lcl_nw.c
+++ b/lib/bind/irs/lcl_nw.c
@@ -49,7 +49,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: lcl_nw.c,v 1.1.2.2 2004/03/17 00:40:13 marka Exp $";
+static const char rcsid[] = "$Id: lcl_nw.c,v 1.1.206.2 2004/03/17 00:29:50 marka Exp $";
 /* from getgrent.c 8.2 (Berkeley) 3/21/94"; */
 /* from BSDI Id: getgrent.c,v 2.8 1996/05/28 18:15:14 bostic Exp $	*/
 #endif /* LIBC_SCCS and not lint */
diff --git a/lib/bind/irs/lcl_p.h b/lib/bind/irs/lcl_p.h
index 0f6b011c..44dd621e 100644
--- a/lib/bind/irs/lcl_p.h
+++ b/lib/bind/irs/lcl_p.h
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: lcl_p.h,v 1.1.2.1 2004/03/09 09:17:33 marka Exp $
+ * $Id: lcl_p.h,v 1.1.206.1 2004/03/09 08:33:38 marka Exp $
  */
 
 /*
diff --git a/lib/bind/irs/lcl_pr.c b/lib/bind/irs/lcl_pr.c
index a291b83b..d8f909e8 100644
--- a/lib/bind/irs/lcl_pr.c
+++ b/lib/bind/irs/lcl_pr.c
@@ -49,7 +49,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: lcl_pr.c,v 1.1.2.2 2006/03/10 00:18:22 marka Exp $";
+static const char rcsid[] = "$Id: lcl_pr.c,v 1.1.206.1 2004/03/09 08:33:38 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 /* extern */
@@ -85,7 +85,6 @@ static const char rcsid[] = "$Id: lcl_pr.c,v 1.1.2.2 2006/03/10 00:18:22 marka E
 struct pvt {
 	FILE *		fp;
 	char		line[BUFSIZ+1];
-	char *		dbuf;
 	struct protoent	proto;
 	char *		proto_aliases[MAXALIASES];
 };
@@ -142,8 +141,6 @@ pr_close(struct irs_pr *this) {
 
 	if (pvt->fp)
 		(void) fclose(pvt->fp);
-	if (pvt->dbuf)
-		free(pvt->dbuf);
 	memput(pvt, sizeof *pvt);
 	memput(this, sizeof *this);
 }
@@ -205,10 +202,6 @@ pr_next(struct irs_pr *this) {
 		pr_rewind(this);
 	if (!pvt->fp)
 		return (NULL);
-	if (pvt->dbuf) {
-		free(pvt->dbuf);
-		pvt->dbuf = NULL;
-	}
 	bufp = pvt->line;
 	bufsiz = BUFSIZ;
 	offset = 0;
@@ -277,7 +270,6 @@ pr_next(struct irs_pr *this) {
 		}
 	}
 	*q = NULL;
-	pvt->dbuf = dbuf;
 	return (&pvt->proto);
 }
 
diff --git a/lib/bind/irs/lcl_pw.c b/lib/bind/irs/lcl_pw.c
index 6b15fbfc..dc31dd22 100644
--- a/lib/bind/irs/lcl_pw.c
+++ b/lib/bind/irs/lcl_pw.c
@@ -49,7 +49,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: lcl_pw.c,v 1.1.2.1 2004/03/09 09:17:33 marka Exp $";
+static const char rcsid[] = "$Id: lcl_pw.c,v 1.1.206.1 2004/03/09 08:33:38 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 /* Extern */
diff --git a/lib/bind/irs/lcl_sv.c b/lib/bind/irs/lcl_sv.c
index 9015b2fa..b407d7f8 100644
--- a/lib/bind/irs/lcl_sv.c
+++ b/lib/bind/irs/lcl_sv.c
@@ -49,7 +49,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: lcl_sv.c,v 1.2.2.1 2004/03/09 09:17:33 marka Exp $";
+static const char rcsid[] = "$Id: lcl_sv.c,v 1.2.206.1 2004/03/09 08:33:38 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 /* extern */
diff --git a/lib/bind/irs/nis.c b/lib/bind/irs/nis.c
index 828128e1..70eaaedb 100644
--- a/lib/bind/irs/nis.c
+++ b/lib/bind/irs/nis.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: nis.c,v 1.1.2.1 2004/03/09 09:17:33 marka Exp $";
+static const char rcsid[] = "$Id: nis.c,v 1.1.206.1 2004/03/09 08:33:38 marka Exp $";
 #endif
 
 /* Imports */
diff --git a/lib/bind/irs/nis_gr.c b/lib/bind/irs/nis_gr.c
index bee0b2ed..e06861f0 100644
--- a/lib/bind/irs/nis_gr.c
+++ b/lib/bind/irs/nis_gr.c
@@ -49,7 +49,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: nis_gr.c,v 1.1.2.2 2004/03/09 09:17:33 marka Exp $";
+static const char rcsid[] = "$Id: nis_gr.c,v 1.1.2.1.4.1 2004/03/09 08:33:38 marka Exp $";
 /* from getgrent.c 8.2 (Berkeley) 3/21/94"; */
 /* from BSDI Id: getgrent.c,v 2.8 1996/05/28 18:15:14 bostic Exp $	*/
 #endif /* LIBC_SCCS and not lint */
diff --git a/lib/bind/irs/nis_ho.c b/lib/bind/irs/nis_ho.c
index 5f86a004..7f0b125b 100644
--- a/lib/bind/irs/nis_ho.c
+++ b/lib/bind/irs/nis_ho.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: nis_ho.c,v 1.2.2.2 2004/03/09 09:17:33 marka Exp $";
+static const char rcsid[] = "$Id: nis_ho.c,v 1.2.2.1.4.1 2004/03/09 08:33:38 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 /* Imports */
diff --git a/lib/bind/irs/nis_ng.c b/lib/bind/irs/nis_ng.c
index ad9bdf31..4ee700c5 100644
--- a/lib/bind/irs/nis_ng.c
+++ b/lib/bind/irs/nis_ng.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: nis_ng.c,v 1.2.2.1 2004/03/09 09:17:33 marka Exp $";
+static const char rcsid[] = "$Id: nis_ng.c,v 1.2.206.1 2004/03/09 08:33:38 marka Exp $";
 #endif
 
 /* Imports */
diff --git a/lib/bind/irs/nis_nw.c b/lib/bind/irs/nis_nw.c
index 1504f081..669b29d4 100644
--- a/lib/bind/irs/nis_nw.c
+++ b/lib/bind/irs/nis_nw.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: nis_nw.c,v 1.2.2.1 2004/03/09 09:17:33 marka Exp $";
+static const char rcsid[] = "$Id: nis_nw.c,v 1.2.206.1 2004/03/09 08:33:38 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 /* Imports */
diff --git a/lib/bind/irs/nis_p.h b/lib/bind/irs/nis_p.h
index bef2e030..95f5851a 100644
--- a/lib/bind/irs/nis_p.h
+++ b/lib/bind/irs/nis_p.h
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: nis_p.h,v 1.1.2.1 2004/03/09 09:17:33 marka Exp $
+ * $Id: nis_p.h,v 1.1.206.1 2004/03/09 08:33:38 marka Exp $
  */
 
 /*
diff --git a/lib/bind/irs/nis_pr.c b/lib/bind/irs/nis_pr.c
index 6fe55a5e..8173f3ef 100644
--- a/lib/bind/irs/nis_pr.c
+++ b/lib/bind/irs/nis_pr.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: nis_pr.c,v 1.2.2.1 2004/03/09 09:17:33 marka Exp $";
+static const char rcsid[] = "$Id: nis_pr.c,v 1.2.206.1 2004/03/09 08:33:38 marka Exp $";
 #endif
 
 /* Imports */
diff --git a/lib/bind/irs/nis_pw.c b/lib/bind/irs/nis_pw.c
index d44033c8..889d97ff 100644
--- a/lib/bind/irs/nis_pw.c
+++ b/lib/bind/irs/nis_pw.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: nis_pw.c,v 1.2.2.1 2004/03/09 09:17:33 marka Exp $";
+static const char rcsid[] = "$Id: nis_pw.c,v 1.2.206.1 2004/03/09 08:33:38 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 /* Imports */
diff --git a/lib/bind/irs/nis_sv.c b/lib/bind/irs/nis_sv.c
index d4822469..b8c1c6b3 100644
--- a/lib/bind/irs/nis_sv.c
+++ b/lib/bind/irs/nis_sv.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: nis_sv.c,v 1.2.2.1 2004/03/09 09:17:34 marka Exp $";
+static const char rcsid[] = "$Id: nis_sv.c,v 1.2.206.1 2004/03/09 08:33:38 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 /* Imports */
diff --git a/lib/bind/irs/nul_ng.c b/lib/bind/irs/nul_ng.c
index e93be8b1..828bebe0 100644
--- a/lib/bind/irs/nul_ng.c
+++ b/lib/bind/irs/nul_ng.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: nul_ng.c,v 1.1.2.1 2004/03/09 09:17:34 marka Exp $";
+static const char rcsid[] = "$Id: nul_ng.c,v 1.1.206.1 2004/03/09 08:33:39 marka Exp $";
 #endif
 
 /*
diff --git a/lib/bind/irs/pathnames.h b/lib/bind/irs/pathnames.h
index cea4a0be..412dc76f 100644
--- a/lib/bind/irs/pathnames.h
+++ b/lib/bind/irs/pathnames.h
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: pathnames.h,v 1.1.2.1 2004/03/09 09:17:34 marka Exp $
+ * $Id: pathnames.h,v 1.1.206.1 2004/03/09 08:33:39 marka Exp $
  */
 
 #ifndef _PATH_IRS_CONF
diff --git a/lib/bind/irs/util.c b/lib/bind/irs/util.c
index 6ee2c621..095e7ad5 100644
--- a/lib/bind/irs/util.c
+++ b/lib/bind/irs/util.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: util.c,v 1.1.2.1 2004/03/09 09:17:34 marka Exp $";
+static const char rcsid[] = "$Id: util.c,v 1.1.206.1 2004/03/09 08:33:39 marka Exp $";
 #endif
 
 #include "port_before.h"
diff --git a/lib/bind/isc/Makefile.in b/lib/bind/isc/Makefile.in
index 2b8cf6a3..d8e8889a 100644
--- a/lib/bind/isc/Makefile.in
+++ b/lib/bind/isc/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.6.2.1 2004/03/09 06:10:45 marka Exp $
+# $Id: Makefile.in,v 1.6.206.1 2004/03/06 08:13:23 marka Exp $
 
 srcdir=		@srcdir@
 VPATH =         @srcdir@
diff --git a/lib/bind/isc/assertions.c b/lib/bind/isc/assertions.c
index b8a38e3e..f1fb2efe 100644
--- a/lib/bind/isc/assertions.c
+++ b/lib/bind/isc/assertions.c
@@ -16,7 +16,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: assertions.c,v 1.1.2.1 2004/03/09 09:17:34 marka Exp $";
+static const char rcsid[] = "$Id: assertions.c,v 1.1.206.1 2004/03/09 08:33:39 marka Exp $";
 #endif
 
 #include "port_before.h"
diff --git a/lib/bind/isc/assertions.mdoc b/lib/bind/isc/assertions.mdoc
index 7ca055df..c2144531 100644
--- a/lib/bind/isc/assertions.mdoc
+++ b/lib/bind/isc/assertions.mdoc
@@ -1,4 +1,4 @@
-.\" $Id: assertions.mdoc,v 1.1.2.2 2004/03/09 09:17:34 marka Exp $
+.\" $Id: assertions.mdoc,v 1.1.2.1.10.1 2004/03/09 08:33:39 marka Exp $
 .\"
 .\" Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (c) 1997,1999 by Internet Software Consortium.
diff --git a/lib/bind/isc/base64.c b/lib/bind/isc/base64.c
index a21c73dd..51676f37 100644
--- a/lib/bind/isc/base64.c
+++ b/lib/bind/isc/base64.c
@@ -41,7 +41,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: base64.c,v 1.1.2.2 2004/03/17 00:40:13 marka Exp $";
+static const char rcsid[] = "$Id: base64.c,v 1.1.206.2 2004/03/17 00:29:50 marka Exp $";
 #endif /* not lint */
 
 #include "port_before.h"
diff --git a/lib/bind/isc/bitncmp.c b/lib/bind/isc/bitncmp.c
index 1223f8b1..fcff9f71 100644
--- a/lib/bind/isc/bitncmp.c
+++ b/lib/bind/isc/bitncmp.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: bitncmp.c,v 1.1.2.1 2004/03/09 09:17:34 marka Exp $";
+static const char rcsid[] = "$Id: bitncmp.c,v 1.1.206.1 2004/03/09 08:33:39 marka Exp $";
 #endif
 
 #include "port_before.h"
diff --git a/lib/bind/isc/bitncmp.mdoc b/lib/bind/isc/bitncmp.mdoc
index 9938fb8d..5462c2fd 100644
--- a/lib/bind/isc/bitncmp.mdoc
+++ b/lib/bind/isc/bitncmp.mdoc
@@ -1,4 +1,4 @@
-.\" $Id: bitncmp.mdoc,v 1.1.2.2 2004/03/09 09:17:34 marka Exp $
+.\" $Id: bitncmp.mdoc,v 1.1.2.1.10.1 2004/03/09 08:33:39 marka Exp $
 .\"
 .\" Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (c) 1996,1999 by Internet Software Consortium.
diff --git a/lib/bind/isc/ctl_clnt.c b/lib/bind/isc/ctl_clnt.c
index 32b7710f..e1fa7e79 100644
--- a/lib/bind/isc/ctl_clnt.c
+++ b/lib/bind/isc/ctl_clnt.c
@@ -1,5 +1,5 @@
 #if !defined(lint) && !defined(SABER)
-static const char rcsid[] = "$Id: ctl_clnt.c,v 1.4.2.5 2007/05/18 06:25:47 marka Exp $";
+static const char rcsid[] = "$Id: ctl_clnt.c,v 1.4.2.1.4.3 2004/03/17 01:13:35 marka Exp $";
 #endif /* not lint */
 
 /*
@@ -114,19 +114,6 @@ static void		touch_timer(struct ctl_cctx *);
 static void		timer(evContext, void *,
 			      struct timespec, struct timespec);
 
-#ifndef HAVE_MEMCHR
-static void *
-memchr(const void *b, int c, size_t len) {
-	const unsigned char *p = b;
-	size_t i;
-
-	for (i = 0; i < len; i++, p++)
-		if (*p == (unsigned char)c)
-			return ((void *)p); 
-	return (NULL);
-}
-#endif
-
 /* Private data. */
 
 static const char * const state_names[] = {
diff --git a/lib/bind/isc/ctl_p.c b/lib/bind/isc/ctl_p.c
index deb461f7..bc45004c 100644
--- a/lib/bind/isc/ctl_p.c
+++ b/lib/bind/isc/ctl_p.c
@@ -1,5 +1,5 @@
 #if !defined(lint) && !defined(SABER)
-static const char rcsid[] = "$Id: ctl_p.c,v 1.1.2.2 2004/03/17 00:40:14 marka Exp $";
+static const char rcsid[] = "$Id: ctl_p.c,v 1.1.206.2 2004/03/17 00:29:51 marka Exp $";
 #endif /* not lint */
 
 /*
diff --git a/lib/bind/isc/ctl_srvr.c b/lib/bind/isc/ctl_srvr.c
index 377065b1..56c76848 100644
--- a/lib/bind/isc/ctl_srvr.c
+++ b/lib/bind/isc/ctl_srvr.c
@@ -1,5 +1,5 @@
 #if !defined(lint) && !defined(SABER)
-static const char rcsid[] = "$Id: ctl_srvr.c,v 1.3.2.5 2006/12/07 04:52:57 marka Exp $";
+static const char rcsid[] = "$Id: ctl_srvr.c,v 1.3.2.1.4.3 2004/03/17 01:13:35 marka Exp $";
 #endif /* not lint */
 
 /*
@@ -564,7 +564,7 @@ static void
 ctl_readable(evContext lev, void *uap, int fd, int evmask) {
 	static const char me[] = "ctl_readable";
 	struct ctl_sess *sess = uap;
-	struct ctl_sctx *ctx;
+	struct ctl_sctx *ctx = sess->ctx;
 	char *eos, tmp[MAX_NTOP];
 	ssize_t n;
 
@@ -572,8 +572,6 @@ ctl_readable(evContext lev, void *uap, int fd, int evmask) {
 	REQUIRE(fd >= 0);
 	REQUIRE(evmask == EV_READ);
 	REQUIRE(sess->state == reading || sess->state == reading_data);
-
-	ctx = sess->ctx;
 	evTouchIdleTimer(lev, sess->rdtiID);
 	if (!allocated_p(sess->inbuf) &&
 	    ctl_bufget(&sess->inbuf, ctx->logger) < 0) {
diff --git a/lib/bind/isc/ev_connects.c b/lib/bind/isc/ev_connects.c
index ddb49932..043e5f49 100644
--- a/lib/bind/isc/ev_connects.c
+++ b/lib/bind/isc/ev_connects.c
@@ -20,7 +20,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: ev_connects.c,v 1.4.2.3 2006/03/10 00:18:22 marka Exp $";
+static const char rcsid[] = "$Id: ev_connects.c,v 1.4.206.1 2004/03/09 08:33:40 marka Exp $";
 #endif
 
 /* Import. */
@@ -69,7 +69,7 @@ evListen(evContext opaqueCtx, int fd, int maxconn,
 
 	OKNEW(new);
 	new->flags = EV_CONN_LISTEN;
-	OKFREE(mode = fcntl(fd, F_GETFL, NULL), new);	/* side effect: validate fd. */
+	OK(mode = fcntl(fd, F_GETFL, NULL));	/* side effect: validate fd. */
 	/*
 	 * Remember the nonblocking status.  We assume that either evSelectFD
 	 * has not been done to this fd, or that if it has then the caller
@@ -80,13 +80,13 @@ evListen(evContext opaqueCtx, int fd, int maxconn,
 	if ((mode & PORT_NONBLOCK) == 0) {
 #ifdef USE_FIONBIO_IOCTL
 		int on = 1;
-		OKFREE(ioctl(fd, FIONBIO, (char *)&on), new);
+		OK(ioctl(fd, FIONBIO, (char *)&on));
 #else
-		OKFREE(fcntl(fd, F_SETFL, mode | PORT_NONBLOCK), new);
+		OK(fcntl(fd, F_SETFL, mode | PORT_NONBLOCK));
 #endif
 		new->flags |= EV_CONN_BLOCK;
 	}
-	OKFREE(listen(fd, maxconn), new);
+	OK(listen(fd, maxconn));
 	if (evSelectFD(opaqueCtx, fd, EV_READ, listener, new, &new->file) < 0){
 		int save = errno;
 
@@ -168,10 +168,10 @@ evCancelConn(evContext opaqueCtx, evConnID id) {
 				return (-1);
 		} else {
 #ifdef USE_FIONBIO_IOCTL
-			int off = 0;
-			OK(ioctl(this->fd, FIONBIO, (char *)&off));
+			int on = 1;
+			OK(ioctl(this->fd, FIONBIO, (char *)&on));
 #else
-			OK(fcntl(this->fd, F_SETFL, mode & ~PORT_NONBLOCK));
+			OK(fcntl(this->fd, F_SETFL, mode | PORT_NONBLOCK));
 #endif
 		}
 	}
diff --git a/lib/bind/isc/ev_files.c b/lib/bind/isc/ev_files.c
index 7d5b5615..4d5eb55a 100644
--- a/lib/bind/isc/ev_files.c
+++ b/lib/bind/isc/ev_files.c
@@ -20,7 +20,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: ev_files.c,v 1.3.2.4 2005/07/28 07:48:19 marka Exp $";
+static const char rcsid[] = "$Id: ev_files.c,v 1.3.2.1.4.1 2004/03/09 08:33:42 marka Exp $";
 #endif
 
 #include "port_before.h"
@@ -58,10 +58,8 @@ evSelectFD(evContext opaqueCtx,
 		 ctx, fd, eventmask, func, uap);
 	if (eventmask == 0 || (eventmask & ~EV_MASK_ALL) != 0)
 		EV_ERR(EINVAL);
-#ifndef USE_POLL
 	if (fd > ctx->highestFD)
 		EV_ERR(EINVAL);
-#endif
 	OK(mode = fcntl(fd, F_GETFL, NULL));	/* side effect: validate fd. */
 
 	/*
@@ -70,11 +68,6 @@ evSelectFD(evContext opaqueCtx,
 	 * of our deselect()'s have to leave it in O_NONBLOCK.  If not, then
 	 * all but our last deselect() has to leave it in O_NONBLOCK.
 	 */
-#ifdef USE_POLL
-	/* Make sure both ctx->pollfds[] and ctx->fdTable[] are large enough */
-	if (fd >= ctx->maxnfds && evPollfdRealloc(ctx, 1, fd) != 0)
-		EV_ERR(ENOMEM);
-#endif /* USE_POLL */
 	id = FindFD(ctx, fd, EV_MASK_ALL);
 	if (id == NULL) {
 		if (mode & PORT_NONBLOCK)
@@ -150,6 +143,13 @@ evSelectFD(evContext opaqueCtx,
 	if (opaqueID)
 		opaqueID->opaque = id;
 
+	evPrintf(ctx, 5,
+		"evSelectFD(fd %d, mask 0x%x): new masks: 0x%lx 0x%lx 0x%lx\n",
+		 fd, eventmask,
+		 (u_long)ctx->rdNext.fds_bits[0],
+		 (u_long)ctx->wrNext.fds_bits[0],
+		 (u_long)ctx->exNext.fds_bits[0]);
+
 	return (0);
 }
 
@@ -204,7 +204,7 @@ evDeselectFD(evContext opaqueCtx, evFileID opaqueID) {
 		 * and (b) the caller didn't ask us anything about O_NONBLOCK.
 		 */
 #ifdef USE_FIONBIO_IOCTL
-		int off = 0;
+		int off = 1;
 		(void) ioctl(del->fd, FIONBIO, (char *)&off);
 #else
 		(void) fcntl(del->fd, F_SETFL, mode & ~PORT_NONBLOCK);
@@ -259,6 +259,13 @@ evDeselectFD(evContext opaqueCtx, evFileID opaqueID) {
 	if (del == ctx->fdNext)
 		ctx->fdNext = del->next;
 
+	evPrintf(ctx, 5,
+	      "evDeselectFD(fd %d, mask 0x%x): new masks: 0x%lx 0x%lx 0x%lx\n",
+		 del->fd, eventmask,
+		 (u_long)ctx->rdNext.fds_bits[0],
+		 (u_long)ctx->wrNext.fds_bits[0],
+		 (u_long)ctx->exNext.fds_bits[0]);
+
 	/* Couldn't free it before now since we were using fields out of it. */
 	FREE(del);
 
diff --git a/lib/bind/isc/ev_streams.c b/lib/bind/isc/ev_streams.c
index 9fb05f4c..64e88b0c 100644
--- a/lib/bind/isc/ev_streams.c
+++ b/lib/bind/isc/ev_streams.c
@@ -20,7 +20,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: ev_streams.c,v 1.2.2.2 2004/03/17 00:40:14 marka Exp $";
+static const char rcsid[] = "$Id: ev_streams.c,v 1.2.206.2 2004/03/17 00:29:51 marka Exp $";
 #endif
 
 #include "port_before.h"
diff --git a/lib/bind/isc/ev_timers.c b/lib/bind/isc/ev_timers.c
index 076eb3b4..11433fbf 100644
--- a/lib/bind/isc/ev_timers.c
+++ b/lib/bind/isc/ev_timers.c
@@ -20,7 +20,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: ev_timers.c,v 1.2.2.6 2004/03/17 02:33:17 marka Exp $";
+static const char rcsid[] = "$Id: ev_timers.c,v 1.2.2.1.4.5 2004/03/17 02:39:13 marka Exp $";
 #endif
 
 /* Import. */
diff --git a/lib/bind/isc/ev_waits.c b/lib/bind/isc/ev_waits.c
index f5250889..f30280d4 100644
--- a/lib/bind/isc/ev_waits.c
+++ b/lib/bind/isc/ev_waits.c
@@ -20,7 +20,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: ev_waits.c,v 1.1.2.2 2004/03/09 09:17:35 marka Exp $";
+static const char rcsid[] = "$Id: ev_waits.c,v 1.1.2.1.4.1 2004/03/09 08:33:43 marka Exp $";
 #endif
 
 #include "port_before.h"
diff --git a/lib/bind/isc/eventlib.c b/lib/bind/isc/eventlib.c
index ff84da8c..527fec15 100644
--- a/lib/bind/isc/eventlib.c
+++ b/lib/bind/isc/eventlib.c
@@ -20,7 +20,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: eventlib.c,v 1.2.2.7 2006/03/10 00:18:22 marka Exp $";
+static const char rcsid[] = "$Id: eventlib.c,v 1.2.2.1.4.2 2004/03/17 01:49:41 marka Exp $";
 #endif
 
 #include "port_before.h"
@@ -29,9 +29,6 @@ static const char rcsid[] = "$Id: eventlib.c,v 1.2.2.7 2006/03/10 00:18:22 marka
 #include <sys/types.h>
 #include <sys/time.h>
 #include <sys/stat.h>
-#ifdef SOLARIS2
-#include <limits.h>
-#endif /* SOLARIS2 */
 
 #include <errno.h>
 #include <signal.h>
@@ -45,22 +42,14 @@ static const char rcsid[] = "$Id: eventlib.c,v 1.2.2.7 2006/03/10 00:18:22 marka
 
 #include "port_after.h"
 
-int      __evOptMonoTime;
-
-#ifdef USE_POLL
-#define pselect Pselect
-#endif /* USE_POLL */
-
 /* Forward. */
 
-#if defined(NEED_PSELECT) || defined(USE_POLL)
+#ifdef NEED_PSELECT
 static int		pselect(int, void *, void *, void *,
 				struct timespec *,
 				const sigset_t *);
 #endif
 
-int    __evOptMonoTime;
-
 /* Public. */
 
 int
@@ -85,18 +74,6 @@ evCreate(evContext *opaqueCtx) {
 	INIT_LIST(ctx->accepts);
 
 	/* Files. */
-#ifdef USE_POLL
-	ctx->pollfds = NULL;
-	ctx->maxnfds = 0;
-	ctx->firstfd = 0;
-	emulMaskInit(ctx, rdLast, EV_READ, 1);
-	emulMaskInit(ctx, rdNext, EV_READ, 0);
-	emulMaskInit(ctx, wrLast, EV_WRITE, 1);
-	emulMaskInit(ctx, wrNext, EV_WRITE, 0);
-	emulMaskInit(ctx, exLast, EV_EXCEPT, 1);
-	emulMaskInit(ctx, exNext, EV_EXCEPT, 0);
-	emulMaskInit(ctx, nonblockBefore, EV_WASNONBLOCKING, 0);
-#endif /* USE_POLL */
 	ctx->files = NULL;
 	FD_ZERO(&ctx->rdNext);
 	FD_ZERO(&ctx->wrNext);
@@ -105,16 +82,11 @@ evCreate(evContext *opaqueCtx) {
 	ctx->fdMax = -1;
 	ctx->fdNext = NULL;
 	ctx->fdCount = 0;	/* Invalidate {rd,wr,ex}Last. */
-#ifndef USE_POLL
 	ctx->highestFD = FD_SETSIZE - 1;
-	memset(ctx->fdTable, 0, sizeof ctx->fdTable);
-#else
-	ctx->highestFD = INT_MAX / sizeof(struct pollfd);
-	ctx->fdTable = NULL;
-#endif
 #ifdef EVENTLIB_TIME_CHECKS
 	ctx->lastFdCount = 0;
 #endif
+	memset(ctx->fdTable, 0, sizeof ctx->fdTable);
 
 	/* Streams. */
 	ctx->streams = NULL;
@@ -308,37 +280,34 @@ evGetNext(evContext opaqueCtx, evEvent *opaqueEv, int options) {
 		}
 #endif
 		do {
-#ifndef USE_POLL
 			/* XXX need to copy only the bits we are using. */
 			ctx->rdLast = ctx->rdNext;
 			ctx->wrLast = ctx->wrNext;
 			ctx->exLast = ctx->exNext;
-#else
-			/*
-			 * The pollfd structure uses separate fields for
-			 * the input and output events (corresponding to
-			 * the ??Next and ??Last fd sets), so there's no
-			 * need to copy one to the other.
-			 */
-#endif /* USE_POLL */
+
 			if (m == Timer) {
 				INSIST(tp == &t);
 				t = evSubTime(nextTime, ctx->lastEventTime);
 			}
 
+			evPrintf(ctx, 4,
+				"pselect(%d, 0x%lx, 0x%lx, 0x%lx, %ld.%09ld)\n",
+				 ctx->fdMax+1,
+				 (u_long)ctx->rdLast.fds_bits[0],
+				 (u_long)ctx->wrLast.fds_bits[0],
+				 (u_long)ctx->exLast.fds_bits[0],
+				 tp ? (long)tp->tv_sec : -1L,
+				 tp ? tp->tv_nsec : -1);
+
 			/* XXX should predict system's earliness and adjust. */
 			x = pselect(ctx->fdMax+1,
 				    &ctx->rdLast, &ctx->wrLast, &ctx->exLast,
 				    tp, NULL);
 			pselect_errno = errno;
 
-#ifndef USE_POLL
 			evPrintf(ctx, 4, "select() returns %d (err: %s)\n",
 				 x, (x == -1) ? strerror(errno) : "none");
-#else
-			evPrintf(ctx, 4, "poll() returns %d (err: %s)\n",
-				x, (x == -1) ? strerror(errno) : "none");
-#endif /* USE_POLL */
+
 			/* Anything but a poll can change the time. */
 			if (m != JustPoll)
 				ctx->lastEventTime = evNowTime();
@@ -731,7 +700,7 @@ evGetOption(evContext *opaqueCtx, const char *option, int *value) {
 	return (-1);
 }
 
-#if defined(NEED_PSELECT) || defined(USE_POLL)
+#ifdef NEED_PSELECT
 /* XXX needs to move to the porting library. */
 static int
 pselect(int nfds, void *rfds, void *wfds, void *efds,
@@ -741,66 +710,15 @@ pselect(int nfds, void *rfds, void *wfds, void *efds,
 	struct timeval tv, *tvp;
 	sigset_t sigs;
 	int n;
-#ifdef USE_POLL
-	int polltimeout = INFTIM;
-	evContext_p *ctx;
-	struct pollfd *fds;
-	nfds_t pnfds;
-
-	UNUSED(nfds);
-#endif /* USE_POLL */
 
 	if (tsp) {
 		tvp = &tv;
 		tv = evTimeVal(*tsp);
-#ifdef USE_POLL
-		polltimeout = 1000 * tv.tv_sec + tv.tv_usec / 1000;
-#endif /* USE_POLL */
 	} else
 		tvp = NULL;
 	if (sigmask)
 		sigprocmask(SIG_SETMASK, sigmask, &sigs);
-#ifndef USE_POLL
 	n = select(nfds, rfds, wfds, efds, tvp);
-#else
-	/*
-	 * rfds, wfds, and efds should all be from the same evContext_p,
-	 * so any of them will do. If they're all NULL, the caller is
-	 * presumably calling us to block.
-	 */
-	if (rfds != NULL)
-		ctx = ((__evEmulMask *)rfds)->ctx;
-	else if (wfds != NULL)
-		ctx = ((__evEmulMask *)wfds)->ctx;
-	else if (efds != NULL)
-		ctx = ((__evEmulMask *)efds)->ctx;
-	else
-		ctx = NULL;
-	if (ctx != NULL && ctx->fdMax != -1) {
-		fds = &(ctx->pollfds[ctx->firstfd]);
-		pnfds = ctx->fdMax - ctx->firstfd + 1;
-	} else {
-		fds = NULL;
-		pnfds = 0;
-	}
-	n = poll(fds, pnfds, polltimeout);
-	if (n > 0) {
-		int     i, e;
-
-		INSIST(ctx != NULL);
-		for (e = 0, i = ctx->firstfd; i <= ctx->fdMax; i++) {
-			if (ctx->pollfds[i].fd < 0)
-				continue;
-			if (FD_ISSET(i, &ctx->rdLast))
-				e++;
-			if (FD_ISSET(i, &ctx->wrLast))
-				e++;
-			if (FD_ISSET(i, &ctx->exLast))
-				e++;
-			}
-		n = e;
-	}
-#endif /* USE_POLL */
 	if (sigmask)
 		sigprocmask(SIG_SETMASK, &sigs, NULL);
 	if (tsp)
@@ -808,127 +726,3 @@ pselect(int nfds, void *rfds, void *wfds, void *efds,
 	return (n);
 }
 #endif
-
-#ifdef USE_POLL
-int
-evPollfdRealloc(evContext_p *ctx, int pollfd_chunk_size, int fd) {
- 
-	int     i, maxnfds;
-	void	*pollfds, *fdTable;
- 
-	if (fd < ctx->maxnfds)
-		return (0);
- 
-	/* Don't allow ridiculously small values for pollfd_chunk_size */
-	if (pollfd_chunk_size < 20)
-		pollfd_chunk_size = 20;
- 
-	maxnfds = (1 + (fd/pollfd_chunk_size)) * pollfd_chunk_size;
- 
-	pollfds = realloc(ctx->pollfds, maxnfds * sizeof(*ctx->pollfds));
-	if (pollfds != NULL)
-		ctx->pollfds = pollfds;
-	fdTable = realloc(ctx->fdTable, maxnfds * sizeof(*ctx->fdTable));
-	if (fdTable != NULL)
-		ctx->fdTable = fdTable;
- 
-	if (pollfds == NULL || fdTable == NULL) {
-		evPrintf(ctx, 2, "pollfd() realloc (%ld) failed\n",
-			 (long)maxnfds*sizeof(struct pollfd));
-		return (-1);
-	}
- 
-	for (i = ctx->maxnfds; i < maxnfds; i++) {
-		ctx->pollfds[i].fd = -1;
-		ctx->pollfds[i].events = 0;
-		ctx->fdTable[i] = 0;
-	}
-
-	ctx->maxnfds = maxnfds;
-
-	return (0);
-}
- 
-/* Find the appropriate 'events' or 'revents' field in the pollfds array */
-short *
-__fd_eventfield(int fd, __evEmulMask *maskp) {
- 
-	evContext_p     *ctx = (evContext_p *)maskp->ctx;
- 
-	if (!maskp->result || maskp->type == EV_WASNONBLOCKING)
-		return (&(ctx->pollfds[fd].events));
-	else
-		return (&(ctx->pollfds[fd].revents));
-}
- 
-/* Translate to poll(2) event */
-short
-__poll_event(__evEmulMask *maskp) {
- 
-	switch ((maskp)->type) {
-	case EV_READ:
-		return (POLLRDNORM);
-	case EV_WRITE:
-		return (POLLWRNORM);
-	case EV_EXCEPT:
-		return (POLLRDBAND | POLLPRI | POLLWRBAND);
-	case EV_WASNONBLOCKING:
-		return (POLLHUP);
-	default:
-		return (0);
-	}
-}
- 
-/*
- * Clear the events corresponding to the specified mask. If this leaves
- * the events mask empty (apart from the POLLHUP bit), set the fd field
- * to -1 so that poll(2) will ignore this fd.
- */
-void
-__fd_clr(int fd, __evEmulMask *maskp) {
- 
-	evContext_p     *ctx = maskp->ctx;
- 
-	*__fd_eventfield(fd, maskp) &= ~__poll_event(maskp);
-	if ((ctx->pollfds[fd].events & ~POLLHUP) == 0) {
-		ctx->pollfds[fd].fd = -1;
-		if (fd == ctx->fdMax)
-			while (ctx->fdMax > ctx->firstfd &&
-			       ctx->pollfds[ctx->fdMax].fd < 0)
-				ctx->fdMax--;
-		if (fd == ctx->firstfd)
-			while (ctx->firstfd <= ctx->fdMax &&
-			       ctx->pollfds[ctx->firstfd].fd < 0)
-				ctx->firstfd++;
-		/*
-		 * Do we have a empty set of descriptors?
-		 */
-		if (ctx->firstfd > ctx->fdMax) {
-			ctx->fdMax = -1;
-			ctx->firstfd = 0;
-		}
-	}
-}
- 
-/*
- * Set the events bit(s) corresponding to the specified mask. If the events
- * field has any other bits than POLLHUP set, also set the fd field so that
- * poll(2) will watch this fd.
- */
-void
-__fd_set(int fd, __evEmulMask *maskp) {
- 
-	evContext_p     *ctx = maskp->ctx;
-
-	*__fd_eventfield(fd, maskp) |= __poll_event(maskp);
-	if ((ctx->pollfds[fd].events & ~POLLHUP) != 0) {
-		ctx->pollfds[fd].fd = fd;
-		if (fd < ctx->firstfd || ctx->fdMax == -1)
-			ctx->firstfd = fd;
-		if (fd > ctx->fdMax)
-			ctx->fdMax = fd;
-	}
-}
-#endif /* USE_POLL */
-
-/*! \file */
diff --git a/lib/bind/isc/eventlib.mdoc b/lib/bind/isc/eventlib.mdoc
index d274692d..3bf6ffbc 100644
--- a/lib/bind/isc/eventlib.mdoc
+++ b/lib/bind/isc/eventlib.mdoc
@@ -1,4 +1,4 @@
-.\" $Id: eventlib.mdoc,v 1.1.2.2 2004/03/09 09:17:35 marka Exp $
+.\" $Id: eventlib.mdoc,v 1.1.2.1.10.1 2004/03/09 08:33:43 marka Exp $
 .\"
 .\" Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (c) 1995-1999 by Internet Software Consortium
diff --git a/lib/bind/isc/eventlib_p.h b/lib/bind/isc/eventlib_p.h
index e8d24430..506ec5d8 100644
--- a/lib/bind/isc/eventlib_p.h
+++ b/lib/bind/isc/eventlib_p.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
  * Copyright (c) 1995-1999 by Internet Software Consortium
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -18,7 +18,7 @@
 /* eventlib_p.h - private interfaces for eventlib
  * vix 09sep95 [initial]
  *
- * $Id: eventlib_p.h,v 1.3.2.5 2006/03/10 00:18:22 marka Exp $
+ * $Id: eventlib_p.h,v 1.3.2.1.4.1 2004/03/09 08:33:43 marka Exp $
  */
 
 #ifndef _EVENTLIB_P_H
@@ -45,8 +45,6 @@
 #define	EV_MASK_ALL	(EV_READ | EV_WRITE | EV_EXCEPT)
 #define EV_ERR(e)		return (errno = (e), -1)
 #define OK(x)		if ((x) < 0) EV_ERR(errno); else (void)NULL
-#define OKFREE(x, y)	if ((x) < 0) { FREE((y)); EV_ERR(errno); } \
-			else (void)NULL
 
 #define	NEW(p)		if (((p) = memget(sizeof *(p))) != NULL) \
 				FILL(p); \
@@ -65,13 +63,6 @@
 #define FILL(p)
 #endif
 
-#ifdef USE_POLL
-#ifdef HAVE_STROPTS_H
-#include <stropts.h>
-#endif
-#include <poll.h>
-#endif /* USE_POLL */
-
 typedef struct evConn {
 	evConnFunc	func;
 	void *		uap;
@@ -175,40 +166,6 @@ typedef struct evEvent_p {
 	} u;
 } evEvent_p;
 
-#ifdef USE_POLL
-typedef struct { 
-	void		*ctx;	/* pointer to the evContext_p   */ 
-	uint32_t	type;	/* READ, WRITE, EXCEPT, nonblk  */ 
-	uint32_t	result;	/* 1 => revents, 0 => events    */ 
-} __evEmulMask; 
-
-#define emulMaskInit(ctx, field, ev, lastnext) \
-	ctx->field.ctx = ctx; \
-	ctx->field.type = ev; \
-	ctx->field.result = lastnext; 
-  
-extern short	*__fd_eventfield(int fd, __evEmulMask *maskp); 
-extern short	__poll_event(__evEmulMask *maskp); 
-extern void		__fd_clr(int fd, __evEmulMask *maskp); 
-extern void		__fd_set(int fd, __evEmulMask *maskp); 
-
-#undef  FD_ZERO 
-#define FD_ZERO(maskp) 
-  
-#undef  FD_SET 
-#define FD_SET(fd, maskp) \
-	__fd_set(fd, maskp) 
-
-#undef  FD_CLR 
-#define FD_CLR(fd, maskp) \
-	__fd_clr(fd, maskp) 
-
-#undef  FD_ISSET 
-#define FD_ISSET(fd, maskp) \
-	((*__fd_eventfield(fd, maskp) & __poll_event(maskp)) != 0) 
-
-#endif /* USE_POLL */
-
 typedef struct {
 	/* Global. */
 	const evEvent_p	*cur;
@@ -220,26 +177,12 @@ typedef struct {
 	LIST(evAccept)	accepts;
 	/* Files. */
 	evFile		*files, *fdNext;
-#ifndef USE_POLL
 	fd_set		rdLast, rdNext;
 	fd_set		wrLast, wrNext;
 	fd_set		exLast, exNext;
 	fd_set		nonblockBefore;
 	int		fdMax, fdCount, highestFD;
 	evFile		*fdTable[FD_SETSIZE];
-#else
-	struct pollfd	*pollfds;	/* Allocated as needed  */ 
-	evFile		**fdTable;	/* Ditto                */ 
-	int		maxnfds;	/* # elements in above  */ 
-	int		firstfd;	/* First active fd      */ 
-	int		fdMax;		/* Last active fd       */ 
-	int		fdCount;	/* # fd:s with I/O      */ 
-	int		highestFD;	/* max fd allowed by OS */ 
-	__evEmulMask	rdLast, rdNext; 
-	__evEmulMask	wrLast, wrNext; 
-	__evEmulMask	exLast, exNext; 
-	__evEmulMask	nonblockBefore; 
-#endif /* USE_POLL */
 #ifdef EVENTLIB_TIME_CHECKS
 	struct timespec	lastSelectTime;
 	int		lastFdCount;
@@ -260,10 +203,6 @@ typedef struct {
 void evPrintf(const evContext_p *ctx, int level, const char *fmt, ...)
      ISC_FORMAT_PRINTF(3, 4);
 
-#ifdef USE_POLL
-extern int evPollfdRealloc(evContext_p *ctx, int pollfd_chunk_size, int fd);
-#endif /* USE_POLL */
-
 /* ev_timers.c */
 #define evCreateTimers __evCreateTimers
 heap_context evCreateTimers(const evContext_p *);
@@ -275,6 +214,6 @@ void evDestroyTimers(const evContext_p *);
 evWait *evFreeWait(evContext_p *ctx, evWait *old);
 
 /* Global options */
-extern int	__evOptMonoTime;
+int		__evOptMonoTime;
 
 #endif /*_EVENTLIB_P_H*/
diff --git a/lib/bind/isc/heap.c b/lib/bind/isc/heap.c
index c998e75b..f63619f5 100644
--- a/lib/bind/isc/heap.c
+++ b/lib/bind/isc/heap.c
@@ -26,7 +26,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: heap.c,v 1.1.2.2 2006/03/10 00:18:22 marka Exp $";
+static const char rcsid[] = "$Id: heap.c,v 1.1.206.1 2004/03/09 08:33:43 marka Exp $";
 #endif /* not lint */
 
 #include "port_before.h"
@@ -54,13 +54,9 @@ heap_new(heap_higher_priority_func higher_priority, heap_index_func index,
 	 int array_size_increment) {
 	heap_context ctx;
 
-	if (higher_priority == NULL)
-		return (NULL);
-
 	ctx = (heap_context)malloc(sizeof (struct heap_context));
-	if (ctx == NULL)
+	if (ctx == NULL || higher_priority == NULL)
 		return (NULL);
-
 	ctx->array_size = 0;
 	if (array_size_increment == 0)
 		ctx->array_size_increment = ARRAY_SIZE_INCREMENT;
diff --git a/lib/bind/isc/heap.mdoc b/lib/bind/isc/heap.mdoc
index bccdc9a9..95c9444f 100644
--- a/lib/bind/isc/heap.mdoc
+++ b/lib/bind/isc/heap.mdoc
@@ -1,4 +1,4 @@
-.\" $Id: heap.mdoc,v 1.1.2.2 2004/03/09 09:17:35 marka Exp $
+.\" $Id: heap.mdoc,v 1.1.2.1.10.1 2004/03/09 08:33:43 marka Exp $
 .\"
 .\" Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (c) 1997,1999 by Internet Software Consortium.
diff --git a/lib/bind/isc/hex.c b/lib/bind/isc/hex.c
index 70312597..c177ca0f 100644
--- a/lib/bind/isc/hex.c
+++ b/lib/bind/isc/hex.c
@@ -45,9 +45,8 @@ isc_gethexstring(unsigned char *buf, size_t len, int count, FILE *fp,
 			goto formerr;
 		/* comment */
 		if (c == ';') {
-			do {
-				c = fgetc(fp);
-			} while (c != EOF && c != '\n');
+			while ((c = fgetc(fp)) != EOF && c != '\n')
+				/* empty */
 			if (c == '\n' && *multiline)
 				continue;
 			goto formerr;
diff --git a/lib/bind/isc/logging.c b/lib/bind/isc/logging.c
index 1ed56d8f..d4c7be28 100644
--- a/lib/bind/isc/logging.c
+++ b/lib/bind/isc/logging.c
@@ -16,7 +16,7 @@
  */
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: logging.c,v 1.3.2.3 2004/03/17 01:54:23 marka Exp $";
+static const char rcsid[] = "$Id: logging.c,v 1.3.2.1.4.2 2004/03/17 01:49:42 marka Exp $";
 #endif /* not lint */
 
 #include "port_before.h"
diff --git a/lib/bind/isc/logging.mdoc b/lib/bind/isc/logging.mdoc
index c52a81b9..fc6351fa 100644
--- a/lib/bind/isc/logging.mdoc
+++ b/lib/bind/isc/logging.mdoc
@@ -1,4 +1,4 @@
-.\" $Id: logging.mdoc,v 1.1.2.2 2004/03/09 09:17:36 marka Exp $
+.\" $Id: logging.mdoc,v 1.1.2.1.10.1 2004/03/09 08:33:43 marka Exp $
 .\"
 .\" Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (c) 1995-1999 by Internet Software Consortium
diff --git a/lib/bind/isc/memcluster.c b/lib/bind/isc/memcluster.c
index 349d7451..8874181f 100644
--- a/lib/bind/isc/memcluster.c
+++ b/lib/bind/isc/memcluster.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
  * Copyright (c) 1997,1999 by Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -24,7 +24,7 @@
 
 
 #if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: memcluster.c,v 1.3.2.8 2006/08/30 23:34:59 marka Exp $";
+static const char rcsid[] = "$Id: memcluster.c,v 1.3.206.3 2004/03/17 00:29:52 marka Exp $";
 #endif /* not lint */
 
 #include "port_before.h"
@@ -90,28 +90,12 @@ struct stats {
 	u_long			freefrags;
 };
 
-#ifdef DO_PTHREADS
-#include <pthread.h>
-static pthread_mutex_t	memlock = PTHREAD_MUTEX_INITIALIZER;
-#define MEMLOCK		(void)pthread_mutex_lock(&memlock)
-#define MEMUNLOCK	(void)pthread_mutex_unlock(&memlock)
-#else
-/*
- * Catch bad lock usage in non threaded build.
- */
-static unsigned int	memlock = 0;
-#define MEMLOCK		do { INSIST(memlock == 0); memlock = 1; } while (0)
-#define MEMUNLOCK	do { INSIST(memlock == 1); memlock = 0; } while (0)
-#endif  /* DO_PTHEADS */
-
 /* Private data. */
 
 static size_t			max_size;
 static size_t			mem_target;
-#ifndef MEMCLUSTER_BIG_MALLOC
 static size_t			mem_target_half;
 static size_t			mem_target_fudge;
-#endif
 static memcluster_element **	freelists;
 #ifdef MEMCLUSTER_RECORD
 static memcluster_element **	activelists;
@@ -148,10 +132,8 @@ meminit(size_t init_max_size, size_t target_size) {
 		mem_target = DEF_MEM_TARGET;
 	else
 		mem_target = target_size;
-#ifndef MEMCLUSTER_BIG_MALLOC
 	mem_target_half = mem_target / 2;
 	mem_target_fudge = mem_target + mem_target / 4;
-#endif
 	freelists = malloc(max_size * sizeof (memcluster_element *));
 	stats = malloc((max_size+1) * sizeof (struct stats));
 	if (freelists == NULL || stats == NULL) {
@@ -191,20 +173,14 @@ __memget_record(size_t size, const char *file, int line) {
 #endif
 	void *ret;
 
-	MEMLOCK;
-
 #if !defined(MEMCLUSTER_RECORD)
 	UNUSED(file);
 	UNUSED(line);
 #endif
-	if (freelists == NULL) {
-		if (meminit(0, 0) == -1) {
-			MEMUNLOCK;
+	if (freelists == NULL)
+		if (meminit(0, 0) == -1)
 			return (NULL);
-		}
-	}
 	if (size == 0U) {
-		MEMUNLOCK;
 		errno = EINVAL;
 		return (NULL);
 	}
@@ -215,7 +191,6 @@ __memget_record(size_t size, const char *file, int line) {
 #if defined(DEBUGGING_MEMCLUSTER)
 		e = malloc(new_size);
 		if (e == NULL) {
-			MEMUNLOCK;
 			errno = ENOMEM;
 			return (NULL);
 		}
@@ -227,13 +202,11 @@ __memget_record(size_t size, const char *file, int line) {
 		e->next = activelists[max_size];
 		activelists[max_size] = e;
 #endif
-		MEMUNLOCK;
 		e->fencepost = FRONT_FENCEPOST;
 		p = (char *)e + sizeof *e + size;
 		memcpy(p, &fp, sizeof fp);
 		return ((char *)e + sizeof *e);
 #else
-		MEMUNLOCK;
 		return (malloc(size));
 #endif
 	}
@@ -253,7 +226,6 @@ __memget_record(size_t size, const char *file, int line) {
 		if (basic_blocks == NULL) {
 			new = malloc(NUM_BASIC_BLOCKS * mem_target);
 			if (new == NULL) {
-				MEMUNLOCK;
 				errno = ENOMEM;
 				return (NULL);
 			}
@@ -281,7 +253,6 @@ __memget_record(size_t size, const char *file, int line) {
 			total_size = mem_target;
 		new = malloc(total_size);
 		if (new == NULL) {
-			MEMUNLOCK;
 			errno = ENOMEM;
 			return (NULL);
 		}
@@ -347,7 +318,6 @@ __memget_record(size_t size, const char *file, int line) {
 	stats[size].gets++;
 	stats[size].totalgets++;
 	stats[new_size].freefrags--;
-	MEMUNLOCK;
 #if defined(DEBUGGING_MEMCLUSTER)
 	return ((char *)e + sizeof *e);
 #else
@@ -377,8 +347,6 @@ __memput_record(void *mem, size_t size, const char *file, int line) {
 	char *p;
 #endif
 
-	MEMLOCK;
-
 #if !defined (MEMCLUSTER_RECORD)
 	UNUSED(file);
 	UNUSED(line);
@@ -387,7 +355,6 @@ __memput_record(void *mem, size_t size, const char *file, int line) {
 	REQUIRE(freelists != NULL);
 
 	if (size == 0U) {
-		MEMUNLOCK;
 		errno = EINVAL;
 		return;
 	}
@@ -399,7 +366,7 @@ __memput_record(void *mem, size_t size, const char *file, int line) {
 	p = (char *)e + sizeof *e + size;
 	memcpy(&fp, p, sizeof fp);
 	INSIST(fp == BACK_FENCEPOST);
-	INSIST(((u_long)mem % 4) == 0);
+	INSIST(((int)mem % 4) == 0);
 #ifdef MEMCLUSTER_RECORD
 	prev = NULL;
 	if (size == max_size || new_size >= max_size)
@@ -431,7 +398,6 @@ __memput_record(void *mem, size_t size, const char *file, int line) {
 
 		INSIST(stats[max_size].gets != 0U);
 		stats[max_size].gets--;
-		MEMUNLOCK;
 		return;
 	}
 
@@ -470,7 +436,6 @@ __memput_record(void *mem, size_t size, const char *file, int line) {
 	INSIST(stats[size].gets != 0U);
 	stats[size].gets--;
 	stats[new_size].freefrags++;
-	MEMUNLOCK;
 }
 
 void *
@@ -499,20 +464,16 @@ memstats(FILE *out) {
 	memcluster_element *e;
 #endif
 
-	MEMLOCK;
-
-	if (freelists == NULL) {
-		MEMUNLOCK;
+	if (freelists == NULL)
 		return;
-	}
 	for (i = 1; i <= max_size; i++) {
 		const struct stats *s = &stats[i];
 
 		if (s->totalgets == 0U && s->gets == 0U)
 			continue;
-		fprintf(out, "%s%5lu: %11lu gets, %11lu rem",
+		fprintf(out, "%s%5d: %11lu gets, %11lu rem",
 			(i == max_size) ? ">=" : "  ",
-			(unsigned long)i, s->totalgets, s->gets);
+			i, s->totalgets, s->gets);
 		if (s->blocks != 0U)
 			fprintf(out, " (%lu bl, %lu ff)",
 				s->blocks, s->freefrags);
@@ -523,16 +484,14 @@ memstats(FILE *out) {
 	for (i = 1; i <= max_size; i++) {
 		if ((e = activelists[i]) != NULL)
 			while (e != NULL) {
-				fprintf(out, "%s:%d %p:%lu\n",
+				fprintf(out, "%s:%d %p:%d\n",
 				        e->file != NULL ? e->file :
 						"<UNKNOWN>", e->line,
-					(char *)e + sizeof *e,
-					(u_long)e->size);
+					(char *)e + sizeof *e, e->size);
 				e = e->next;
 			}
 	}
 #endif
-	MEMUNLOCK;
 }
 
 int
diff --git a/lib/bind/isc/memcluster.mdoc b/lib/bind/isc/memcluster.mdoc
index ce75bae1..cd4e6fbf 100644
--- a/lib/bind/isc/memcluster.mdoc
+++ b/lib/bind/isc/memcluster.mdoc
@@ -1,4 +1,4 @@
-.\" $Id: memcluster.mdoc,v 1.1.2.2 2004/03/09 09:17:36 marka Exp $
+.\" $Id: memcluster.mdoc,v 1.1.2.1.10.1 2004/03/09 08:33:43 marka Exp $
 .\"
 .\" Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (c) 1995-1999 by Internet Software Consortium
diff --git a/lib/bind/isc/tree.c b/lib/bind/isc/tree.c
index b308b1cd..9bdf6d62 100644
--- a/lib/bind/isc/tree.c
+++ b/lib/bind/isc/tree.c
@@ -1,5 +1,5 @@
 #ifndef LINT
-static const char rcsid[] = "$Id: tree.c,v 1.2.2.1 2004/03/09 09:17:36 marka Exp $";
+static const char rcsid[] = "$Id: tree.c,v 1.2.206.1 2004/03/09 08:33:43 marka Exp $";
 #endif
 
 /*
diff --git a/lib/bind/isc/tree.mdoc b/lib/bind/isc/tree.mdoc
index 4f3abb7b..c46fa7dc 100644
--- a/lib/bind/isc/tree.mdoc
+++ b/lib/bind/isc/tree.mdoc
@@ -1,4 +1,4 @@
-.\" $Id: tree.mdoc,v 1.1.2.2 2004/03/09 09:17:36 marka Exp $
+.\" $Id: tree.mdoc,v 1.1.2.1.10.1 2004/03/09 08:33:44 marka Exp $
 .\"
 .\" Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (c) 1995-1999 by Internet Software Consortium
diff --git a/lib/bind/libtool.m4 b/lib/bind/libtool.m4
new file mode 100644
index 00000000..bbcc5f25
--- /dev/null
+++ b/lib/bind/libtool.m4
@@ -0,0 +1,5943 @@
+# libtool.m4 - Configure libtool for the host system. -*-Autoconf-*-
+## Copyright 1996, 1997, 1998, 1999, 2000, 2001
+## Free Software Foundation, Inc.
+## Originally by Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996
+##
+## This program is free software; you can redistribute it and/or modify
+## it under the terms of the GNU General Public License as published by
+## the Free Software Foundation; either version 2 of the License, or
+## (at your option) any later version.
+##
+## This program is distributed in the hope that it will be useful, but
+## WITHOUT ANY WARRANTY; without even the implied warranty of
+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+## General Public License for more details.
+##
+## You should have received a copy of the GNU General Public License
+## along with this program; if not, write to the Free Software
+## Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+##
+## As a special exception to the GNU General Public License, if you
+## distribute this file as part of a program that contains a
+## configuration script generated by Autoconf, you may include it under
+## the same distribution terms that you use for the rest of that program.
+
+# serial 47 AC_PROG_LIBTOOL
+
+
+# AC_PROVIDE_IFELSE(MACRO-NAME, IF-PROVIDED, IF-NOT-PROVIDED)
+# -----------------------------------------------------------
+# If this macro is not defined by Autoconf, define it here.
+m4_ifdef([AC_PROVIDE_IFELSE],
+         [],
+         [m4_define([AC_PROVIDE_IFELSE],
+	         [m4_ifdef([AC_PROVIDE_$1],
+		           [$2], [$3])])])
+
+
+# AC_PROG_LIBTOOL
+# ---------------
+AC_DEFUN([AC_PROG_LIBTOOL],
+[AC_REQUIRE([_AC_PROG_LIBTOOL])dnl
+dnl If AC_PROG_CXX has already been expanded, run AC_LIBTOOL_CXX
+dnl immediately, otherwise, hook it in at the end of AC_PROG_CXX.
+  AC_PROVIDE_IFELSE([AC_PROG_CXX],
+    [AC_LIBTOOL_CXX],
+    [define([AC_PROG_CXX], defn([AC_PROG_CXX])[AC_LIBTOOL_CXX
+  ])])
+dnl And a similar setup for Fortran 77 support
+  AC_PROVIDE_IFELSE([AC_PROG_F77],
+    [AC_LIBTOOL_F77],
+    [define([AC_PROG_F77], defn([AC_PROG_F77])[AC_LIBTOOL_F77
+])])
+
+dnl Quote A][M_PROG_GCJ so that aclocal doesn't bring it in needlessly.
+dnl If either AC_PROG_GCJ or A][M_PROG_GCJ have already been expanded, run
+dnl AC_LIBTOOL_GCJ immediately, otherwise, hook it in at the end of both.
+  AC_PROVIDE_IFELSE([AC_PROG_GCJ],
+    [AC_LIBTOOL_GCJ],
+    [AC_PROVIDE_IFELSE([A][M_PROG_GCJ],
+      [AC_LIBTOOL_GCJ],
+      [AC_PROVIDE_IFELSE([LT_AC_PROG_GCJ],
+	[AC_LIBTOOL_GCJ],
+      [ifdef([AC_PROG_GCJ],
+	     [define([AC_PROG_GCJ], defn([AC_PROG_GCJ])[AC_LIBTOOL_GCJ])])
+       ifdef([A][M_PROG_GCJ],
+	     [define([A][M_PROG_GCJ], defn([A][M_PROG_GCJ])[AC_LIBTOOL_GCJ])])
+       ifdef([LT_AC_PROG_GCJ],
+	     [define([LT_AC_PROG_GCJ],
+		defn([LT_AC_PROG_GCJ])[AC_LIBTOOL_GCJ])])])])
+])])# AC_PROG_LIBTOOL
+
+
+# _AC_PROG_LIBTOOL
+# ----------------
+AC_DEFUN([_AC_PROG_LIBTOOL],
+[AC_REQUIRE([AC_LIBTOOL_SETUP])dnl
+AC_BEFORE([$0],[AC_LIBTOOL_CXX])dnl
+AC_BEFORE([$0],[AC_LIBTOOL_F77])dnl
+AC_BEFORE([$0],[AC_LIBTOOL_GCJ])dnl
+
+# This can be used to rebuild libtool when needed
+LIBTOOL_DEPS="$ac_aux_dir/ltmain.sh"
+
+# Always use our own libtool.
+LIBTOOL='$(SHELL) $(top_builddir)/libtool'
+AC_SUBST(LIBTOOL)dnl
+
+# Prevent multiple expansion
+define([AC_PROG_LIBTOOL], [])
+])# _AC_PROG_LIBTOOL
+
+
+# AC_LIBTOOL_SETUP
+# ----------------
+AC_DEFUN([AC_LIBTOOL_SETUP],
+[AC_PREREQ(2.50)dnl
+AC_REQUIRE([AC_ENABLE_SHARED])dnl
+AC_REQUIRE([AC_ENABLE_STATIC])dnl
+AC_REQUIRE([AC_ENABLE_FAST_INSTALL])dnl
+AC_REQUIRE([AC_CANONICAL_HOST])dnl
+AC_REQUIRE([AC_CANONICAL_BUILD])dnl
+AC_REQUIRE([AC_PROG_CC])dnl
+AC_REQUIRE([AC_PROG_LD])dnl
+AC_REQUIRE([AC_PROG_LD_RELOAD_FLAG])dnl
+AC_REQUIRE([AC_PROG_NM])dnl
+
+AC_REQUIRE([AC_PROG_LN_S])dnl
+AC_REQUIRE([AC_DEPLIBS_CHECK_METHOD])dnl
+# Autoconf 2.13's AC_OBJEXT and AC_EXEEXT macros only works for C compilers!
+AC_REQUIRE([AC_OBJEXT])dnl
+AC_REQUIRE([AC_EXEEXT])dnl
+dnl
+
+AC_LIBTOOL_SYS_MAX_CMD_LEN
+AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE
+AC_LIBTOOL_OBJDIR
+
+AC_REQUIRE([_LT_AC_SYS_COMPILER])dnl
+_LT_AC_PROG_ECHO_BACKSLASH
+
+case $host_os in
+aix3*)
+  # AIX sometimes has problems with the GCC collect2 program.  For some
+  # reason, if we set the COLLECT_NAMES environment variable, the problems
+  # vanish in a puff of smoke.
+  if test "X${COLLECT_NAMES+set}" != Xset; then
+    COLLECT_NAMES=
+    export COLLECT_NAMES
+  fi
+  ;;
+esac
+
+# Sed substitution that helps us do robust quoting.  It backslashifies
+# metacharacters that are still active within double-quoted strings.
+Xsed='sed -e s/^X//'
+[sed_quote_subst='s/\([\\"\\`$\\\\]\)/\\\1/g']
+
+# Same as above, but do not quote variable references.
+[double_quote_subst='s/\([\\"\\`\\\\]\)/\\\1/g']
+
+# Sed substitution to delay expansion of an escaped shell variable in a
+# double_quote_subst'ed string.
+delay_variable_subst='s/\\\\\\\\\\\$/\\\\\\$/g'
+
+# Sed substitution to avoid accidental globbing in evaled expressions
+no_glob_subst='s/\*/\\\*/g'
+
+# Constants:
+rm="rm -f"
+
+# Global variables:
+default_ofile=libtool
+can_build_shared=yes
+
+# All known linkers require a `.a' archive for static linking (except M$VC,
+# which needs '.lib').
+libext=a
+ltmain="$ac_aux_dir/ltmain.sh"
+ofile="$default_ofile"
+with_gnu_ld="$lt_cv_prog_gnu_ld"
+
+AC_CHECK_TOOL(AR, ar, false)
+AC_CHECK_TOOL(RANLIB, ranlib, :)
+AC_CHECK_TOOL(STRIP, strip, :)
+
+old_CC="$CC"
+old_CFLAGS="$CFLAGS"
+
+# Set sane defaults for various variables
+test -z "$AR" && AR=ar
+test -z "$AR_FLAGS" && AR_FLAGS=cru
+test -z "$AS" && AS=as
+test -z "$CC" && CC=cc
+test -z "$LTCC" && LTCC=$CC
+test -z "$DLLTOOL" && DLLTOOL=dlltool
+test -z "$LD" && LD=ld
+test -z "$LN_S" && LN_S="ln -s"
+test -z "$MAGIC_CMD" && MAGIC_CMD=file
+test -z "$NM" && NM=nm
+test -z "$SED" && SED=sed
+test -z "$OBJDUMP" && OBJDUMP=objdump
+test -z "$RANLIB" && RANLIB=:
+test -z "$STRIP" && STRIP=:
+test -z "$ac_objext" && ac_objext=o
+
+# Determine commands to create old-style static archives.
+old_archive_cmds='$AR $AR_FLAGS $oldlib$oldobjs$old_deplibs'
+old_postinstall_cmds='chmod 644 $oldlib'
+old_postuninstall_cmds=
+
+if test -n "$RANLIB"; then
+  case $host_os in
+  openbsd*)
+    old_postinstall_cmds="\$RANLIB -t \$oldlib~$old_postinstall_cmds"
+    ;;
+  *)
+    old_postinstall_cmds="\$RANLIB \$oldlib~$old_postinstall_cmds"
+    ;;
+  esac
+  old_archive_cmds="$old_archive_cmds~\$RANLIB \$oldlib"
+fi
+
+# Only perform the check for file, if the check method requires it
+case $deplibs_check_method in
+file_magic*)
+  if test "$file_magic_cmd" = '$MAGIC_CMD'; then
+    AC_PATH_MAGIC
+  fi
+  ;;
+esac
+
+AC_PROVIDE_IFELSE([AC_LIBTOOL_DLOPEN], enable_dlopen=yes, enable_dlopen=no)
+AC_PROVIDE_IFELSE([AC_LIBTOOL_WIN32_DLL],
+enable_win32_dll=yes, enable_win32_dll=no)
+
+AC_ARG_ENABLE([libtool-lock],
+    [AC_HELP_STRING([--disable-libtool-lock],
+	[avoid locking (might break parallel builds)])])
+test "x$enable_libtool_lock" != xno && enable_libtool_lock=yes
+
+AC_ARG_WITH([pic],
+    [AC_HELP_STRING([--with-pic],
+	[try to use only PIC/non-PIC objects @<:@default=use both@:>@])],
+    [pic_mode="$withval"],
+    [pic_mode=default])
+test -z "$pic_mode" && pic_mode=default
+
+# Use C for the default configuration in the libtool script
+tagname=
+AC_LIBTOOL_LANG_C_CONFIG
+_LT_AC_TAGCONFIG
+])# AC_LIBTOOL_SETUP
+
+
+# _LT_AC_SYS_COMPILER
+# -------------------
+AC_DEFUN([_LT_AC_SYS_COMPILER],
+[AC_REQUIRE([AC_PROG_CC])dnl
+
+# If no C compiler was specified, use CC.
+LTCC=${LTCC-"$CC"}
+
+# Allow CC to be a program name with arguments.
+compiler=$CC
+])# _LT_AC_SYS_COMPILER
+
+
+# _LT_AC_SYS_LIBPATH_AIX
+# ----------------------
+# Links a minimal program and checks the executable
+# for the system default hardcoded library path. In most cases,
+# this is /usr/lib:/lib, but when the MPI compilers are used
+# the location of the communication and MPI libs are included too.
+# If we don't find anything, use the default library path according
+# to the aix ld manual.
+AC_DEFUN([_LT_AC_SYS_LIBPATH_AIX],
+[AC_LINK_IFELSE(AC_LANG_PROGRAM,[
+aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0  *\(.*\)$/\1/; p; }
+}'`
+# Check for a 64-bit object if we didn't find anything.
+if test -z "$aix_libpath"; then aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0  *\(.*\)$/\1/; p; }
+}'`; fi],[])
+if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
+])# _LT_AC_SYS_LIBPATH_AIX
+
+
+# _LT_AC_SHELL_INIT(ARG)
+# ----------------------
+AC_DEFUN([_LT_AC_SHELL_INIT],
+[ifdef([AC_DIVERSION_NOTICE],
+	     [AC_DIVERT_PUSH(AC_DIVERSION_NOTICE)],
+	 [AC_DIVERT_PUSH(NOTICE)])
+$1
+AC_DIVERT_POP
+])# _LT_AC_SHELL_INIT
+
+
+# _LT_AC_PROG_ECHO_BACKSLASH
+# --------------------------
+# Add some code to the start of the generated configure script which
+# will find an echo command which doesn't interpret backslashes.
+AC_DEFUN([_LT_AC_PROG_ECHO_BACKSLASH],
+[_LT_AC_SHELL_INIT([
+# Check that we are running under the correct shell.
+SHELL=${CONFIG_SHELL-/bin/sh}
+
+case X$ECHO in
+X*--fallback-echo)
+  # Remove one level of quotation (which was required for Make).
+  ECHO=`echo "$ECHO" | sed 's,\\\\\[$]\\[$]0,'[$]0','`
+  ;;
+esac
+
+echo=${ECHO-echo}
+if test "X[$]1" = X--no-reexec; then
+  # Discard the --no-reexec flag, and continue.
+  shift
+elif test "X[$]1" = X--fallback-echo; then
+  # Avoid inline document here, it may be left over
+  :
+elif test "X`($echo '\t') 2>/dev/null`" = 'X\t' ; then
+  # Yippee, $echo works!
+  :
+else
+  # Restart under the correct shell.
+  exec $SHELL "[$]0" --no-reexec ${1+"[$]@"}
+fi
+
+if test "X[$]1" = X--fallback-echo; then
+  # used as fallback echo
+  shift
+  cat <<EOF
+[$]*
+EOF
+  exit 0
+fi
+
+# The HP-UX ksh and POSIX shell print the target directory to stdout
+# if CDPATH is set.
+if test "X${CDPATH+set}" = Xset; then CDPATH=:; export CDPATH; fi
+
+if test -z "$ECHO"; then
+if test "X${echo_test_string+set}" != Xset; then
+# find a string as large as possible, as long as the shell can cope with it
+  for cmd in 'sed 50q "[$]0"' 'sed 20q "[$]0"' 'sed 10q "[$]0"' 'sed 2q "[$]0"' 'echo test'; do
+    # expected sizes: less than 2Kb, 1Kb, 512 bytes, 16 bytes, ...
+    if (echo_test_string="`eval $cmd`") 2>/dev/null &&
+       echo_test_string="`eval $cmd`" &&
+       (test "X$echo_test_string" = "X$echo_test_string") 2>/dev/null
+    then
+      break
+    fi
+  done
+fi
+
+if test "X`($echo '\t') 2>/dev/null`" = 'X\t' &&
+   echo_testing_string=`($echo "$echo_test_string") 2>/dev/null` &&
+   test "X$echo_testing_string" = "X$echo_test_string"; then
+  :
+else
+  # The Solaris, AIX, and Digital Unix default echo programs unquote
+  # backslashes.  This makes it impossible to quote backslashes using
+  #   echo "$something" | sed 's/\\/\\\\/g'
+  #
+  # So, first we look for a working echo in the user's PATH.
+
+  lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
+  for dir in $PATH /usr/ucb; do
+    IFS="$lt_save_ifs"
+    if (test -f $dir/echo || test -f $dir/echo$ac_exeext) &&
+       test "X`($dir/echo '\t') 2>/dev/null`" = 'X\t' &&
+       echo_testing_string=`($dir/echo "$echo_test_string") 2>/dev/null` &&
+       test "X$echo_testing_string" = "X$echo_test_string"; then
+      echo="$dir/echo"
+      break
+    fi
+  done
+  IFS="$lt_save_ifs"
+
+  if test "X$echo" = Xecho; then
+    # We didn't find a better echo, so look for alternatives.
+    if test "X`(print -r '\t') 2>/dev/null`" = 'X\t' &&
+       echo_testing_string=`(print -r "$echo_test_string") 2>/dev/null` &&
+       test "X$echo_testing_string" = "X$echo_test_string"; then
+      # This shell has a builtin print -r that does the trick.
+      echo='print -r'
+    elif (test -f /bin/ksh || test -f /bin/ksh$ac_exeext) &&
+	 test "X$CONFIG_SHELL" != X/bin/ksh; then
+      # If we have ksh, try running configure again with it.
+      ORIGINAL_CONFIG_SHELL=${CONFIG_SHELL-/bin/sh}
+      export ORIGINAL_CONFIG_SHELL
+      CONFIG_SHELL=/bin/ksh
+      export CONFIG_SHELL
+      exec $CONFIG_SHELL "[$]0" --no-reexec ${1+"[$]@"}
+    else
+      # Try using printf.
+      echo='printf %s\n'
+      if test "X`($echo '\t') 2>/dev/null`" = 'X\t' &&
+	 echo_testing_string=`($echo "$echo_test_string") 2>/dev/null` &&
+	 test "X$echo_testing_string" = "X$echo_test_string"; then
+	# Cool, printf works
+	:
+      elif echo_testing_string=`($ORIGINAL_CONFIG_SHELL "[$]0" --fallback-echo '\t') 2>/dev/null` &&
+	   test "X$echo_testing_string" = 'X\t' &&
+	   echo_testing_string=`($ORIGINAL_CONFIG_SHELL "[$]0" --fallback-echo "$echo_test_string") 2>/dev/null` &&
+	   test "X$echo_testing_string" = "X$echo_test_string"; then
+	CONFIG_SHELL=$ORIGINAL_CONFIG_SHELL
+	export CONFIG_SHELL
+	SHELL="$CONFIG_SHELL"
+	export SHELL
+	echo="$CONFIG_SHELL [$]0 --fallback-echo"
+      elif echo_testing_string=`($CONFIG_SHELL "[$]0" --fallback-echo '\t') 2>/dev/null` &&
+	   test "X$echo_testing_string" = 'X\t' &&
+	   echo_testing_string=`($CONFIG_SHELL "[$]0" --fallback-echo "$echo_test_string") 2>/dev/null` &&
+	   test "X$echo_testing_string" = "X$echo_test_string"; then
+	echo="$CONFIG_SHELL [$]0 --fallback-echo"
+      else
+	# maybe with a smaller string...
+	prev=:
+
+	for cmd in 'echo test' 'sed 2q "[$]0"' 'sed 10q "[$]0"' 'sed 20q "[$]0"' 'sed 50q "[$]0"'; do
+	  if (test "X$echo_test_string" = "X`eval $cmd`") 2>/dev/null
+	  then
+	    break
+	  fi
+	  prev="$cmd"
+	done
+
+	if test "$prev" != 'sed 50q "[$]0"'; then
+	  echo_test_string=`eval $prev`
+	  export echo_test_string
+	  exec ${ORIGINAL_CONFIG_SHELL-${CONFIG_SHELL-/bin/sh}} "[$]0" ${1+"[$]@"}
+	else
+	  # Oops.  We lost completely, so just stick with echo.
+	  echo=echo
+	fi
+      fi
+    fi
+  fi
+fi
+fi
+
+# Copy echo and quote the copy suitably for passing to libtool from
+# the Makefile, instead of quoting the original, which is used later.
+ECHO=$echo
+if test "X$ECHO" = "X$CONFIG_SHELL [$]0 --fallback-echo"; then
+   ECHO="$CONFIG_SHELL \\\$\[$]0 --fallback-echo"
+fi
+
+AC_SUBST(ECHO)
+])])# _LT_AC_PROG_ECHO_BACKSLASH
+
+
+# _LT_AC_LOCK
+# -----------
+AC_DEFUN([_LT_AC_LOCK],
+[AC_ARG_ENABLE([libtool-lock],
+    [AC_HELP_STRING([--disable-libtool-lock],
+	[avoid locking (might break parallel builds)])])
+test "x$enable_libtool_lock" != xno && enable_libtool_lock=yes
+
+# Some flags need to be propagated to the compiler or linker for good
+# libtool support.
+case $host in
+ia64-*-hpux*)
+  # Find out which ABI we are using.
+  echo 'int i;' > conftest.$ac_ext
+  if AC_TRY_EVAL(ac_compile); then
+    case `/usr/bin/file conftest.$ac_objext` in
+    *ELF-32*)
+      HPUX_IA64_MODE="32"
+      ;;
+    *ELF-64*)
+      HPUX_IA64_MODE="64"
+      ;;
+    esac
+  fi
+  rm -rf conftest*
+  ;;
+*-*-irix6*)
+  # Find out which ABI we are using.
+  echo '[#]line __oline__ "configure"' > conftest.$ac_ext
+  if AC_TRY_EVAL(ac_compile); then
+   if test "$lt_cv_prog_gnu_ld" = yes; then
+    case `/usr/bin/file conftest.$ac_objext` in
+    *32-bit*)
+      LD="${LD-ld} -melf32bsmip"
+      ;;
+    *N32*)
+      LD="${LD-ld} -melf32bmipn32"
+      ;;
+    *64-bit*)
+      LD="${LD-ld} -melf64bmip"
+      ;;
+    esac
+   else
+    case `/usr/bin/file conftest.$ac_objext` in
+    *32-bit*)
+      LD="${LD-ld} -32"
+      ;;
+    *N32*)
+      LD="${LD-ld} -n32"
+      ;;
+    *64-bit*)
+      LD="${LD-ld} -64"
+      ;;
+    esac
+   fi
+  fi
+  rm -rf conftest*
+  ;;
+
+x86_64-*linux*|ppc*-*linux*|powerpc*-*linux*|s390*-*linux*|sparc*-*linux*)
+  # Find out which ABI we are using.
+  echo 'int i;' > conftest.$ac_ext
+  if AC_TRY_EVAL(ac_compile); then
+    case "`/usr/bin/file conftest.o`" in
+    *32-bit*)
+      case $host in
+        x86_64-*linux*)
+          LD="${LD-ld} -m elf_i386"
+          ;;
+        ppc64-*linux*|powerpc64-*linux*)
+          LD="${LD-ld} -m elf32ppclinux"
+          ;;
+        s390x-*linux*)
+          LD="${LD-ld} -m elf_s390"
+          ;;
+        sparc64-*linux*)
+          LD="${LD-ld} -m elf32_sparc"
+          ;;
+      esac
+      ;;
+    *64-bit*)
+      case $host in
+        x86_64-*linux*)
+          LD="${LD-ld} -m elf_x86_64"
+          ;;
+        ppc*-*linux*|powerpc*-*linux*)
+          LD="${LD-ld} -m elf64ppc"
+          ;;
+        s390*-*linux*)
+          LD="${LD-ld} -m elf64_s390"
+          ;;
+        sparc*-*linux*)
+          LD="${LD-ld} -m elf64_sparc"
+          ;;
+      esac
+      ;;
+    esac
+  fi
+  rm -rf conftest*
+  ;;
+
+*-*-sco3.2v5*)
+  # On SCO OpenServer 5, we need -belf to get full-featured binaries.
+  SAVE_CFLAGS="$CFLAGS"
+  CFLAGS="$CFLAGS -belf"
+  AC_CACHE_CHECK([whether the C compiler needs -belf], lt_cv_cc_needs_belf,
+    [AC_LANG_PUSH(C)
+     AC_TRY_LINK([],[],[lt_cv_cc_needs_belf=yes],[lt_cv_cc_needs_belf=no])
+     AC_LANG_POP])
+  if test x"$lt_cv_cc_needs_belf" != x"yes"; then
+    # this is probably gcc 2.8.0, egcs 1.0 or newer; no need for -belf
+    CFLAGS="$SAVE_CFLAGS"
+  fi
+  ;;
+AC_PROVIDE_IFELSE([AC_LIBTOOL_WIN32_DLL],
+[*-*-cygwin* | *-*-mingw* | *-*-pw32*)
+  AC_CHECK_TOOL(DLLTOOL, dlltool, false)
+  AC_CHECK_TOOL(AS, as, false)
+  AC_CHECK_TOOL(OBJDUMP, objdump, false)
+  ;;
+  ])
+esac
+
+need_locks="$enable_libtool_lock"
+
+])# _LT_AC_LOCK
+
+
+# AC_LIBTOOL_COMPILER_OPTION(MESSAGE, VARIABLE-NAME, FLAGS,
+#		[OUTPUT-FILE], [ACTION-SUCCESS], [ACTION-FAILURE])
+# ----------------------------------------------------------------
+# Check whether the given compiler option works
+AC_DEFUN([AC_LIBTOOL_COMPILER_OPTION],
+[AC_REQUIRE([LT_AC_PROG_SED])
+AC_CACHE_CHECK([$1], [$2],
+  [$2=no
+  ifelse([$4], , [ac_outfile=conftest.$ac_objext], [ac_outfile=$4])
+   printf "$lt_simple_compile_test_code" > conftest.$ac_ext
+   lt_compiler_flag="$3"
+   # Insert the option either (1) after the last *FLAGS variable, or
+   # (2) before a word containing "conftest.", or (3) at the end.
+   # Note that $ac_compile itself does not contain backslashes and begins
+   # with a dollar sign (not a hyphen), so the echo should work correctly.
+   # The option is referenced via a variable to avoid confusing sed.
+   lt_compile=`echo "$ac_compile" | $SED \
+   -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
+   -e 's: [[^ ]]*conftest\.: $lt_compiler_flag&:; t' \
+   -e 's:$: $lt_compiler_flag:'`
+   (eval echo "\"\$as_me:__oline__: $lt_compile\"" >&AS_MESSAGE_LOG_FD)
+   (eval "$lt_compile" 2>conftest.err)
+   ac_status=$?
+   cat conftest.err >&AS_MESSAGE_LOG_FD
+   echo "$as_me:__oline__: \$? = $ac_status" >&AS_MESSAGE_LOG_FD
+   if (exit $ac_status) && test -s "$ac_outfile"; then
+     # The compiler can only warn and ignore the option if not recognized
+     # So say no if there are warnings
+     if test ! -s conftest.err; then
+       $2=yes
+     fi
+   fi
+   $rm conftest*
+])
+
+if test x"[$]$2" = xyes; then
+    ifelse([$5], , :, [$5])
+else
+    ifelse([$6], , :, [$6])
+fi
+])# AC_LIBTOOL_COMPILER_OPTION
+
+
+# AC_LIBTOOL_LINKER_OPTION(MESSAGE, VARIABLE-NAME, FLAGS,
+#                          [ACTION-SUCCESS], [ACTION-FAILURE])
+# ------------------------------------------------------------
+# Check whether the given compiler option works
+AC_DEFUN([AC_LIBTOOL_LINKER_OPTION],
+[AC_CACHE_CHECK([$1], [$2],
+  [$2=no
+   save_LDFLAGS="$LDFLAGS"
+   LDFLAGS="$LDFLAGS $3"
+   printf "$lt_simple_link_test_code" > conftest.$ac_ext
+   if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then
+     # The compiler can only warn and ignore the option if not recognized
+     # So say no if there are warnings
+     if test -s conftest.err; then
+       # Append any errors to the config.log.
+       cat conftest.err 1>&AS_MESSAGE_LOG_FD
+     else
+       $2=yes
+     fi
+   fi
+   $rm conftest*
+   LDFLAGS="$save_LDFLAGS"
+])
+
+if test x"[$]$2" = xyes; then
+    ifelse([$4], , :, [$4])
+else
+    ifelse([$5], , :, [$5])
+fi
+])# AC_LIBTOOL_LINKER_OPTION
+
+
+# AC_LIBTOOL_SYS_MAX_CMD_LEN
+# --------------------------
+AC_DEFUN([AC_LIBTOOL_SYS_MAX_CMD_LEN],
+[# find the maximum length of command line arguments
+AC_MSG_CHECKING([the maximum length of command line arguments])
+AC_CACHE_VAL([lt_cv_sys_max_cmd_len], [dnl
+  i=0
+  testring="ABCD"
+
+  case $build_os in
+  msdosdjgpp*)
+    # On DJGPP, this test can blow up pretty badly due to problems in libc
+    # (any single argument exceeding 2000 bytes causes a buffer overrun
+    # during glob expansion).  Even if it were fixed, the result of this
+    # check would be larger than it should be.
+    lt_cv_sys_max_cmd_len=12288;    # 12K is about right
+    ;;
+
+  gnu*)
+    # Under GNU Hurd, this test is not required because there is
+    # no limit to the length of command line arguments.
+    # Libtool will interpret -1 as no limit whatsoever
+    lt_cv_sys_max_cmd_len=-1;
+    ;;
+
+  cygwin* | mingw*)
+    # On Win9x/ME, this test blows up -- it succeeds, but takes
+    # about 5 minutes as the teststring grows exponentially.
+    # Worse, since 9x/ME are not pre-emptively multitasking,
+    # you end up with a "frozen" computer, even though with patience
+    # the test eventually succeeds (with a max line length of 256k).
+    # Instead, let's just punt: use the minimum linelength reported by
+    # all of the supported platforms: 8192 (on NT/2K/XP).
+    lt_cv_sys_max_cmd_len=8192;
+    ;;
+
+  amigaos*)
+    # On AmigaOS with pdksh, this test takes hours, literally.
+    # So we just punt and use a minimum line length of 8192.
+    lt_cv_sys_max_cmd_len=8192;
+    ;;
+
+ *)
+    # If test is not a shell built-in, we'll probably end up computing a
+    # maximum length that is only half of the actual maximum length, but
+    # we can't tell.
+    while (test "X"`$CONFIG_SHELL [$]0 --fallback-echo "X$testring" 2>/dev/null` \
+	       = "XX$testring") >/dev/null 2>&1 &&
+	    new_result=`expr "X$testring" : ".*" 2>&1` &&
+	    lt_cv_sys_max_cmd_len=$new_result &&
+	    test $i != 17 # 1/2 MB should be enough
+    do
+      i=`expr $i + 1`
+      testring=$testring$testring
+    done
+    testring=
+    # Add a significant safety factor because C++ compilers can tack on massive
+    # amounts of additional arguments before passing them to the linker.
+    # It appears as though 1/2 is a usable value.
+    lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 2`
+    ;;
+  esac
+])
+if test -n $lt_cv_sys_max_cmd_len ; then
+  AC_MSG_RESULT($lt_cv_sys_max_cmd_len)
+else
+  AC_MSG_RESULT(none)
+fi
+])# AC_LIBTOOL_SYS_MAX_CMD_LEN
+
+
+# _LT_AC_CHECK_DLFCN
+# --------------------
+AC_DEFUN([_LT_AC_CHECK_DLFCN],
+[AC_CHECK_HEADERS(dlfcn.h)dnl
+])# _LT_AC_CHECK_DLFCN
+
+
+# _LT_AC_TRY_DLOPEN_SELF (ACTION-IF-TRUE, ACTION-IF-TRUE-W-USCORE,
+#                           ACTION-IF-FALSE, ACTION-IF-CROSS-COMPILING)
+# ------------------------------------------------------------------
+AC_DEFUN([_LT_AC_TRY_DLOPEN_SELF],
+[AC_REQUIRE([_LT_AC_CHECK_DLFCN])dnl
+if test "$cross_compiling" = yes; then :
+  [$4]
+else
+  lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
+  lt_status=$lt_dlunknown
+  cat > conftest.$ac_ext <<EOF
+[#line __oline__ "configure"
+#include "confdefs.h"
+
+#if HAVE_DLFCN_H
+#include <dlfcn.h>
+#endif
+
+#include <stdio.h>
+
+#ifdef RTLD_GLOBAL
+#  define LT_DLGLOBAL		RTLD_GLOBAL
+#else
+#  ifdef DL_GLOBAL
+#    define LT_DLGLOBAL		DL_GLOBAL
+#  else
+#    define LT_DLGLOBAL		0
+#  endif
+#endif
+
+/* We may have to define LT_DLLAZY_OR_NOW in the command line if we
+   find out it does not work in some platform. */
+#ifndef LT_DLLAZY_OR_NOW
+#  ifdef RTLD_LAZY
+#    define LT_DLLAZY_OR_NOW		RTLD_LAZY
+#  else
+#    ifdef DL_LAZY
+#      define LT_DLLAZY_OR_NOW		DL_LAZY
+#    else
+#      ifdef RTLD_NOW
+#        define LT_DLLAZY_OR_NOW	RTLD_NOW
+#      else
+#        ifdef DL_NOW
+#          define LT_DLLAZY_OR_NOW	DL_NOW
+#        else
+#          define LT_DLLAZY_OR_NOW	0
+#        endif
+#      endif
+#    endif
+#  endif
+#endif
+
+#ifdef __cplusplus
+extern "C" void exit (int);
+#endif
+
+void fnord() { int i=42;}
+int main ()
+{
+  void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW);
+  int status = $lt_dlunknown;
+
+  if (self)
+    {
+      if (dlsym (self,"fnord"))       status = $lt_dlno_uscore;
+      else if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore;
+      /* dlclose (self); */
+    }
+
+    exit (status);
+}]
+EOF
+  if AC_TRY_EVAL(ac_link) && test -s conftest${ac_exeext} 2>/dev/null; then
+    (./conftest; exit; ) 2>/dev/null
+    lt_status=$?
+    case x$lt_status in
+      x$lt_dlno_uscore) $1 ;;
+      x$lt_dlneed_uscore) $2 ;;
+      x$lt_unknown|x*) $3 ;;
+    esac
+  else :
+    # compilation failed
+    $3
+  fi
+fi
+rm -fr conftest*
+])# _LT_AC_TRY_DLOPEN_SELF
+
+
+# AC_LIBTOOL_DLOPEN_SELF
+# -------------------
+AC_DEFUN([AC_LIBTOOL_DLOPEN_SELF],
+[AC_REQUIRE([_LT_AC_CHECK_DLFCN])dnl
+if test "x$enable_dlopen" != xyes; then
+  enable_dlopen=unknown
+  enable_dlopen_self=unknown
+  enable_dlopen_self_static=unknown
+else
+  lt_cv_dlopen=no
+  lt_cv_dlopen_libs=
+
+  case $host_os in
+  beos*)
+    lt_cv_dlopen="load_add_on"
+    lt_cv_dlopen_libs=
+    lt_cv_dlopen_self=yes
+    ;;
+
+  mingw* | pw32*)
+    lt_cv_dlopen="LoadLibrary"
+    lt_cv_dlopen_libs=
+   ;;
+
+  cygwin*)
+    lt_cv_dlopen="dlopen"
+    lt_cv_dlopen_libs=
+   ;;
+
+  darwin*)
+  # if libdl is installed we need to link against it
+    AC_CHECK_LIB([dl], [dlopen],
+		[lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"],[
+    lt_cv_dlopen="dyld"
+    lt_cv_dlopen_libs=
+    lt_cv_dlopen_self=yes
+    ])
+   ;;
+
+  *)
+    AC_CHECK_FUNC([shl_load],
+	  [lt_cv_dlopen="shl_load"],
+      [AC_CHECK_LIB([dld], [shl_load],
+	    [lt_cv_dlopen="shl_load" lt_cv_dlopen_libs="-dld"],
+	[AC_CHECK_FUNC([dlopen],
+	      [lt_cv_dlopen="dlopen"],
+	  [AC_CHECK_LIB([dl], [dlopen],
+		[lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"],
+	    [AC_CHECK_LIB([svld], [dlopen],
+		  [lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-lsvld"],
+	      [AC_CHECK_LIB([dld], [dld_link],
+		    [lt_cv_dlopen="dld_link" lt_cv_dlopen_libs="-dld"])
+	      ])
+	    ])
+	  ])
+	])
+      ])
+    ;;
+  esac
+
+  if test "x$lt_cv_dlopen" != xno; then
+    enable_dlopen=yes
+  else
+    enable_dlopen=no
+  fi
+
+  case $lt_cv_dlopen in
+  dlopen)
+    save_CPPFLAGS="$CPPFLAGS"
+    test "x$ac_cv_header_dlfcn_h" = xyes && CPPFLAGS="$CPPFLAGS -DHAVE_DLFCN_H"
+
+    save_LDFLAGS="$LDFLAGS"
+    eval LDFLAGS=\"\$LDFLAGS $export_dynamic_flag_spec\"
+
+    save_LIBS="$LIBS"
+    LIBS="$lt_cv_dlopen_libs $LIBS"
+
+    AC_CACHE_CHECK([whether a program can dlopen itself],
+	  lt_cv_dlopen_self, [dnl
+	  _LT_AC_TRY_DLOPEN_SELF(
+	    lt_cv_dlopen_self=yes, lt_cv_dlopen_self=yes,
+	    lt_cv_dlopen_self=no, lt_cv_dlopen_self=cross)
+    ])
+
+    if test "x$lt_cv_dlopen_self" = xyes; then
+      LDFLAGS="$LDFLAGS $link_static_flag"
+      AC_CACHE_CHECK([whether a statically linked program can dlopen itself],
+    	  lt_cv_dlopen_self_static, [dnl
+	  _LT_AC_TRY_DLOPEN_SELF(
+	    lt_cv_dlopen_self_static=yes, lt_cv_dlopen_self_static=yes,
+	    lt_cv_dlopen_self_static=no,  lt_cv_dlopen_self_static=cross)
+      ])
+    fi
+
+    CPPFLAGS="$save_CPPFLAGS"
+    LDFLAGS="$save_LDFLAGS"
+    LIBS="$save_LIBS"
+    ;;
+  esac
+
+  case $lt_cv_dlopen_self in
+  yes|no) enable_dlopen_self=$lt_cv_dlopen_self ;;
+  *) enable_dlopen_self=unknown ;;
+  esac
+
+  case $lt_cv_dlopen_self_static in
+  yes|no) enable_dlopen_self_static=$lt_cv_dlopen_self_static ;;
+  *) enable_dlopen_self_static=unknown ;;
+  esac
+fi
+])# AC_LIBTOOL_DLOPEN_SELF
+
+
+# AC_LIBTOOL_PROG_CC_C_O([TAGNAME])
+# ---------------------------------
+# Check to see if options -c and -o are simultaneously supported by compiler
+AC_DEFUN([AC_LIBTOOL_PROG_CC_C_O],
+[AC_REQUIRE([_LT_AC_SYS_COMPILER])dnl
+AC_CACHE_CHECK([if $compiler supports -c -o file.$ac_objext],
+  [_LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)],
+  [_LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)=no
+   $rm -r conftest 2>/dev/null
+   mkdir conftest
+   cd conftest
+   mkdir out
+   printf "$lt_simple_compile_test_code" > conftest.$ac_ext
+
+   lt_compiler_flag="-o out/conftest2.$ac_objext"
+   # Insert the option either (1) after the last *FLAGS variable, or
+   # (2) before a word containing "conftest.", or (3) at the end.
+   # Note that $ac_compile itself does not contain backslashes and begins
+   # with a dollar sign (not a hyphen), so the echo should work correctly.
+   lt_compile=`echo "$ac_compile" | $SED \
+   -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
+   -e 's: [[^ ]]*conftest\.: $lt_compiler_flag&:; t' \
+   -e 's:$: $lt_compiler_flag:'`
+   (eval echo "\"\$as_me:__oline__: $lt_compile\"" >&AS_MESSAGE_LOG_FD)
+   (eval "$lt_compile" 2>out/conftest.err)
+   ac_status=$?
+   cat out/conftest.err >&AS_MESSAGE_LOG_FD
+   echo "$as_me:__oline__: \$? = $ac_status" >&AS_MESSAGE_LOG_FD
+   if (exit $ac_status) && test -s out/conftest2.$ac_objext
+   then
+     # The compiler can only warn and ignore the option if not recognized
+     # So say no if there are warnings
+     if test ! -s out/conftest.err; then
+       _LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)=yes
+     fi
+   fi
+   chmod u+w .
+   $rm conftest*
+   # SGI C++ compiler will create directory out/ii_files/ for
+   # template instantiation
+   test -d out/ii_files && $rm out/ii_files/* && rmdir out/ii_files
+   $rm out/* && rmdir out
+   cd ..
+   rmdir conftest
+   $rm conftest*
+])
+])# AC_LIBTOOL_PROG_CC_C_O
+
+
+# AC_LIBTOOL_SYS_HARD_LINK_LOCKS([TAGNAME])
+# -----------------------------------------
+# Check to see if we can do hard links to lock some files if needed
+AC_DEFUN([AC_LIBTOOL_SYS_HARD_LINK_LOCKS],
+[AC_REQUIRE([_LT_AC_LOCK])dnl
+
+hard_links="nottested"
+if test "$_LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)" = no && test "$need_locks" != no; then
+  # do not overwrite the value of need_locks provided by the user
+  AC_MSG_CHECKING([if we can lock with hard links])
+  hard_links=yes
+  $rm conftest*
+  ln conftest.a conftest.b 2>/dev/null && hard_links=no
+  touch conftest.a
+  ln conftest.a conftest.b 2>&5 || hard_links=no
+  ln conftest.a conftest.b 2>/dev/null && hard_links=no
+  AC_MSG_RESULT([$hard_links])
+  if test "$hard_links" = no; then
+    AC_MSG_WARN([`$CC' does not support `-c -o', so `make -j' may be unsafe])
+    need_locks=warn
+  fi
+else
+  need_locks=no
+fi
+])# AC_LIBTOOL_SYS_HARD_LINK_LOCKS
+
+
+# AC_LIBTOOL_OBJDIR
+# -----------------
+AC_DEFUN([AC_LIBTOOL_OBJDIR],
+[AC_CACHE_CHECK([for objdir], [lt_cv_objdir],
+[rm -f .libs 2>/dev/null
+mkdir .libs 2>/dev/null
+if test -d .libs; then
+  lt_cv_objdir=.libs
+else
+  # MS-DOS does not allow filenames that begin with a dot.
+  lt_cv_objdir=_libs
+fi
+rmdir .libs 2>/dev/null])
+objdir=$lt_cv_objdir
+])# AC_LIBTOOL_OBJDIR
+
+
+# AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH([TAGNAME])
+# ----------------------------------------------
+# Check hardcoding attributes.
+AC_DEFUN([AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH],
+[AC_MSG_CHECKING([how to hardcode library paths into programs])
+_LT_AC_TAGVAR(hardcode_action, $1)=
+if test -n "$_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)" || \
+   test -n "$_LT_AC_TAGVAR(runpath_var $1)" || \
+   test "X$_LT_AC_TAGVAR(hardcode_automatic, $1)"="Xyes" ; then
+
+  # We can hardcode non-existant directories.
+  if test "$_LT_AC_TAGVAR(hardcode_direct, $1)" != no &&
+     # If the only mechanism to avoid hardcoding is shlibpath_var, we
+     # have to relink, otherwise we might link with an installed library
+     # when we should be linking with a yet-to-be-installed one
+     ## test "$_LT_AC_TAGVAR(hardcode_shlibpath_var, $1)" != no &&
+     test "$_LT_AC_TAGVAR(hardcode_minus_L, $1)" != no; then
+    # Linking always hardcodes the temporary library directory.
+    _LT_AC_TAGVAR(hardcode_action, $1)=relink
+  else
+    # We can link without hardcoding, and we can hardcode nonexisting dirs.
+    _LT_AC_TAGVAR(hardcode_action, $1)=immediate
+  fi
+else
+  # We cannot hardcode anything, or else we can only hardcode existing
+  # directories.
+  _LT_AC_TAGVAR(hardcode_action, $1)=unsupported
+fi
+AC_MSG_RESULT([$_LT_AC_TAGVAR(hardcode_action, $1)])
+
+if test "$_LT_AC_TAGVAR(hardcode_action, $1)" = relink; then
+  # Fast installation is not supported
+  enable_fast_install=no
+elif test "$shlibpath_overrides_runpath" = yes ||
+     test "$enable_shared" = no; then
+  # Fast installation is not necessary
+  enable_fast_install=needless
+fi
+])# AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH
+
+
+# AC_LIBTOOL_SYS_LIB_STRIP
+# ------------------------
+AC_DEFUN([AC_LIBTOOL_SYS_LIB_STRIP],
+[striplib=
+old_striplib=
+AC_MSG_CHECKING([whether stripping libraries is possible])
+if test -n "$STRIP" && $STRIP -V 2>&1 | grep "GNU strip" >/dev/null; then
+  test -z "$old_striplib" && old_striplib="$STRIP --strip-debug"
+  test -z "$striplib" && striplib="$STRIP --strip-unneeded"
+  AC_MSG_RESULT([yes])
+else
+# FIXME - insert some real tests, host_os isn't really good enough
+  case $host_os in
+   darwin*)
+       if test -n "$STRIP" ; then
+         striplib="$STRIP -x"
+         AC_MSG_RESULT([yes])
+       else
+  AC_MSG_RESULT([no])
+fi
+       ;;
+   *)
+  AC_MSG_RESULT([no])
+    ;;
+  esac
+fi
+])# AC_LIBTOOL_SYS_LIB_STRIP
+
+
+# AC_LIBTOOL_SYS_DYNAMIC_LINKER
+# -----------------------------
+# PORTME Fill in your ld.so characteristics
+AC_DEFUN([AC_LIBTOOL_SYS_DYNAMIC_LINKER],
+[AC_MSG_CHECKING([dynamic linker characteristics])
+library_names_spec=
+libname_spec='lib$name'
+soname_spec=
+shrext=".so"
+postinstall_cmds=
+postuninstall_cmds=
+finish_cmds=
+finish_eval=
+shlibpath_var=
+shlibpath_overrides_runpath=unknown
+version_type=none
+dynamic_linker="$host_os ld.so"
+sys_lib_dlsearch_path_spec="/lib /usr/lib"
+if test "$GCC" = yes; then
+  sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"`
+  if echo "$sys_lib_search_path_spec" | grep ';' >/dev/null ; then
+    # if the path contains ";" then we assume it to be the separator
+    # otherwise default to the standard path separator (i.e. ":") - it is
+    # assumed that no part of a normal pathname contains ";" but that should
+    # okay in the real world where ";" in dirpaths is itself problematic.
+    sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
+  else
+    sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED  -e "s/$PATH_SEPARATOR/ /g"`
+  fi
+else
+  sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib"
+fi
+need_lib_prefix=unknown
+hardcode_into_libs=no
+
+# when you set need_version to no, make sure it does not cause -set_version
+# flags to be left without arguments
+need_version=unknown
+
+case $host_os in
+aix3*)
+  version_type=linux
+  library_names_spec='${libname}${release}${shared_ext}$versuffix $libname.a'
+  shlibpath_var=LIBPATH
+
+  # AIX 3 has no versioning support, so we append a major version to the name.
+  soname_spec='${libname}${release}${shared_ext}$major'
+  ;;
+
+aix4* | aix5*)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  hardcode_into_libs=yes
+  if test "$host_cpu" = ia64; then
+    # AIX 5 supports IA64
+    library_names_spec='${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext}$versuffix $libname${shared_ext}'
+    shlibpath_var=LD_LIBRARY_PATH
+  else
+    # With GCC up to 2.95.x, collect2 would create an import file
+    # for dependence libraries.  The import file would start with
+    # the line `#! .'.  This would cause the generated library to
+    # depend on `.', always an invalid library.  This was fixed in
+    # development snapshots of GCC prior to 3.0.
+    case $host_os in
+      aix4 | aix4.[[01]] | aix4.[[01]].*)
+      if { echo '#if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 97)'
+	   echo ' yes '
+	   echo '#endif'; } | ${CC} -E - | grep yes > /dev/null; then
+	:
+      else
+	can_build_shared=no
+      fi
+      ;;
+    esac
+    # AIX (on Power*) has no versioning support, so currently we can not hardcode correct
+    # soname into executable. Probably we can add versioning support to
+    # collect2, so additional links can be useful in future.
+    if test "$aix_use_runtimelinking" = yes; then
+      # If using run time linking (on AIX 4.2 or later) use lib<name>.so
+      # instead of lib<name>.a to let people know that these are not
+      # typical AIX shared libraries.
+      library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+    else
+      # We preserve .a as extension for shared libraries through AIX4.2
+      # and later when we are not doing run time linking.
+      library_names_spec='${libname}${release}.a $libname.a'
+      soname_spec='${libname}${release}${shared_ext}$major'
+    fi
+    shlibpath_var=LIBPATH
+  fi
+  ;;
+
+amigaos*)
+  library_names_spec='$libname.ixlibrary $libname.a'
+  # Create ${libname}_ixlibrary.a entries in /sys/libs.
+  finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`$echo "X$lib" | $Xsed -e '\''s%^.*/\([[^/]]*\)\.ixlibrary$%\1%'\''`; test $rm /sys/libs/${libname}_ixlibrary.a; $show "cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a"; cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a || exit 1; done'
+  ;;
+
+beos*)
+  library_names_spec='${libname}${shared_ext}'
+  dynamic_linker="$host_os ld.so"
+  shlibpath_var=LIBRARY_PATH
+  ;;
+
+bsdi4*)
+  version_type=linux
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  finish_cmds='PATH="\$PATH:/sbin" ldconfig $libdir'
+  shlibpath_var=LD_LIBRARY_PATH
+  sys_lib_search_path_spec="/shlib /usr/lib /usr/X11/lib /usr/contrib/lib /lib /usr/local/lib"
+  sys_lib_dlsearch_path_spec="/shlib /usr/lib /usr/local/lib"
+  # the default ld.so.conf also contains /usr/contrib/lib and
+  # /usr/X11R6/lib (/usr/X11 is a link to /usr/X11R6), but let us allow
+  # libtool to hard-code these into programs
+  ;;
+
+cygwin* | mingw* | pw32*)
+  version_type=windows
+  shrext=".dll"
+  need_version=no
+  need_lib_prefix=no
+
+  case $GCC,$host_os in
+  yes,cygwin* | yes,mingw* | yes,pw32*)
+    library_names_spec='$libname.dll.a'
+    # DLL is installed to $(libdir)/../bin by postinstall_cmds
+    postinstall_cmds='base_file=`basename \${file}`~
+      dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\${base_file}'\''i;echo \$dlname'\''`~
+      dldir=$destdir/`dirname \$dlpath`~
+      test -d \$dldir || mkdir -p \$dldir~
+      $install_prog $dir/$dlname \$dldir/$dlname'
+    postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; echo \$dlname'\''`~
+      dlpath=$dir/\$dldll~
+       $rm \$dlpath'
+    shlibpath_overrides_runpath=yes
+
+    case $host_os in
+    cygwin*)
+      # Cygwin DLLs use 'cyg' prefix rather than 'lib'
+      soname_spec='`echo ${libname} | sed -e 's/^lib/cyg/'``echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext}'
+      sys_lib_search_path_spec="/usr/lib /lib/w32api /lib /usr/local/lib"
+      ;;
+    mingw*)
+      # MinGW DLLs use traditional 'lib' prefix
+      soname_spec='${libname}`echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext}'
+      sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"`
+      if echo "$sys_lib_search_path_spec" | [grep ';[c-zC-Z]:/' >/dev/null]; then
+        # It is most probably a Windows format PATH printed by
+        # mingw gcc, but we are running on Cygwin. Gcc prints its search
+        # path with ; separators, and with drive letters. We can handle the
+        # drive letters (cygwin fileutils understands them), so leave them,
+        # especially as we might pass files found there to a mingw objdump,
+        # which wouldn't understand a cygwinified path. Ahh.
+        sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
+      else
+        sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED  -e "s/$PATH_SEPARATOR/ /g"`
+      fi
+      ;;
+    pw32*)
+      # pw32 DLLs use 'pw' prefix rather than 'lib'
+      library_names_spec='`echo ${libname} | sed -e 's/^lib/pw/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
+      ;;
+    esac
+    ;;
+
+  *)
+    library_names_spec='${libname}`echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext} $libname.lib'
+    ;;
+  esac
+  dynamic_linker='Win32 ld.exe'
+  # FIXME: first we should search . and the directory the executable is in
+  shlibpath_var=PATH
+  ;;
+
+darwin* | rhapsody*)
+  dynamic_linker="$host_os dyld"
+  version_type=darwin
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${versuffix}$shared_ext ${libname}${release}${major}$shared_ext ${libname}$shared_ext'
+  soname_spec='${libname}${release}${major}$shared_ext'
+  shlibpath_overrides_runpath=yes
+  shlibpath_var=DYLD_LIBRARY_PATH
+  shrext='$(test .$module = .yes && echo .so || echo .dylib)'
+  # Apple's gcc prints 'gcc -print-search-dirs' doesn't operate the same.
+  if test "$GCC" = yes; then
+    sys_lib_search_path_spec=`$CC -print-search-dirs | tr "\n" "$PATH_SEPARATOR" | sed -e 's/libraries:/@libraries:/' | tr "@" "\n" | grep "^libraries:" | sed -e "s/^libraries://" -e "s,=/,/,g" -e "s,$PATH_SEPARATOR, ,g" -e "s,.*,& /lib /usr/lib /usr/local/lib,g"`
+  else
+    sys_lib_search_path_spec='/lib /usr/lib /usr/local/lib'
+  fi
+  sys_lib_dlsearch_path_spec='/usr/local/lib /lib /usr/lib'
+  ;;
+
+dgux*)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname$shared_ext'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  ;;
+
+freebsd1*)
+  dynamic_linker=no
+  ;;
+
+kfreebsd*-gnu)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=no
+  hardcode_into_libs=yes
+  dynamic_linker='GNU ld.so'
+  ;;
+
+freebsd*)
+  objformat=`test -x /usr/bin/objformat && /usr/bin/objformat || echo aout`
+  version_type=freebsd-$objformat
+  case $version_type in
+    freebsd-elf*)
+      library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}'
+      need_version=no
+      need_lib_prefix=no
+      ;;
+    freebsd-*)
+      library_names_spec='${libname}${release}${shared_ext}$versuffix $libname${shared_ext}$versuffix'
+      need_version=yes
+      ;;
+  esac
+  shlibpath_var=LD_LIBRARY_PATH
+  case $host_os in
+  freebsd2*)
+    shlibpath_overrides_runpath=yes
+    ;;
+  freebsd3.[01]* | freebsdelf3.[01]*)
+    shlibpath_overrides_runpath=yes
+    hardcode_into_libs=yes
+    ;;
+  *) # from 3.2 on
+    shlibpath_overrides_runpath=no
+    hardcode_into_libs=yes
+    ;;
+  esac
+  ;;
+
+gnu*)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  hardcode_into_libs=yes
+  ;;
+
+hpux9* | hpux10* | hpux11*)
+  # Give a soname corresponding to the major version so that dld.sl refuses to
+  # link against other versions.
+  version_type=sunos
+  need_lib_prefix=no
+  need_version=no
+  case "$host_cpu" in
+  ia64*)
+    shrext='.so'
+    hardcode_into_libs=yes
+    dynamic_linker="$host_os dld.so"
+    shlibpath_var=LD_LIBRARY_PATH
+    shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
+    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+    soname_spec='${libname}${release}${shared_ext}$major'
+    if test "X$HPUX_IA64_MODE" = X32; then
+      sys_lib_search_path_spec="/usr/lib/hpux32 /usr/local/lib/hpux32 /usr/local/lib"
+    else
+      sys_lib_search_path_spec="/usr/lib/hpux64 /usr/local/lib/hpux64"
+    fi
+    sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
+    ;;
+   hppa*64*)
+     shrext='.sl'
+     hardcode_into_libs=yes
+     dynamic_linker="$host_os dld.sl"
+     shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
+     shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
+     library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+     soname_spec='${libname}${release}${shared_ext}$major'
+     sys_lib_search_path_spec="/usr/lib/pa20_64 /usr/ccs/lib/pa20_64"
+     sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
+     ;;
+   *)
+    shrext='.sl'
+    dynamic_linker="$host_os dld.sl"
+    shlibpath_var=SHLIB_PATH
+    shlibpath_overrides_runpath=no # +s is required to enable SHLIB_PATH
+    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+    soname_spec='${libname}${release}${shared_ext}$major'
+    ;;
+  esac
+  # HP-UX runs *really* slowly unless shared libraries are mode 555.
+  postinstall_cmds='chmod 555 $lib'
+  ;;
+
+irix5* | irix6* | nonstopux*)
+  case $host_os in
+    nonstopux*) version_type=nonstopux ;;
+    *)
+	if test "$lt_cv_prog_gnu_ld" = yes; then
+		version_type=linux
+	else
+		version_type=irix
+	fi ;;
+  esac
+  need_lib_prefix=no
+  need_version=no
+  soname_spec='${libname}${release}${shared_ext}$major'
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext} $libname${shared_ext}'
+  case $host_os in
+  irix5* | nonstopux*)
+    libsuff= shlibsuff=
+    ;;
+  *)
+    case $LD in # libtool.m4 will add one of these switches to LD
+    *-32|*"-32 "|*-melf32bsmip|*"-melf32bsmip ")
+      libsuff= shlibsuff= libmagic=32-bit;;
+    *-n32|*"-n32 "|*-melf32bmipn32|*"-melf32bmipn32 ")
+      libsuff=32 shlibsuff=N32 libmagic=N32;;
+    *-64|*"-64 "|*-melf64bmip|*"-melf64bmip ")
+      libsuff=64 shlibsuff=64 libmagic=64-bit;;
+    *) libsuff= shlibsuff= libmagic=never-match;;
+    esac
+    ;;
+  esac
+  shlibpath_var=LD_LIBRARY${shlibsuff}_PATH
+  shlibpath_overrides_runpath=no
+  sys_lib_search_path_spec="/usr/lib${libsuff} /lib${libsuff} /usr/local/lib${libsuff}"
+  sys_lib_dlsearch_path_spec="/usr/lib${libsuff} /lib${libsuff}"
+  hardcode_into_libs=yes
+  ;;
+
+# No shared lib support for Linux oldld, aout, or coff.
+linux*oldld* | linux*aout* | linux*coff*)
+  dynamic_linker=no
+  ;;
+
+# This must be Linux ELF.
+linux*)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  finish_cmds='PATH="\$PATH:/sbin" ldconfig -n $libdir'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=no
+  # This implies no fast_install, which is unacceptable.
+  # Some rework will be needed to allow for fast_install
+  # before this can be enabled.
+  hardcode_into_libs=yes
+
+  # Append ld.so.conf contents to the search path
+  if test -f /etc/ld.so.conf; then
+    ld_extra=`$SED -e 's/[:,\t]/ /g;s/=[^=]*$//;s/=[^= ]* / /g' /etc/ld.so.conf`
+    sys_lib_dlsearch_path_spec="/lib /usr/lib $ld_extra"
+  fi
+
+  # We used to test for /lib/ld.so.1 and disable shared libraries on
+  # powerpc, because MkLinux only supported shared libraries with the
+  # GNU dynamic linker.  Since this was broken with cross compilers,
+  # most powerpc-linux boxes support dynamic linking these days and
+  # people can always --disable-shared, the test was removed, and we
+  # assume the GNU/Linux dynamic linker is in use.
+  dynamic_linker='GNU/Linux ld.so'
+  ;;
+
+knetbsd*-gnu)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=no
+  hardcode_into_libs=yes
+  dynamic_linker='GNU ld.so'
+  ;;
+
+netbsd*)
+  version_type=sunos
+  need_lib_prefix=no
+  need_version=no
+  if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
+    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
+    finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
+    dynamic_linker='NetBSD (a.out) ld.so'
+  else
+    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+    soname_spec='${libname}${release}${shared_ext}$major'
+    dynamic_linker='NetBSD ld.elf_so'
+  fi
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=yes
+  hardcode_into_libs=yes
+  ;;
+
+newsos6)
+  version_type=linux
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=yes
+  ;;
+
+nto-qnx*)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=yes
+  ;;
+
+openbsd*)
+  version_type=sunos
+  need_lib_prefix=no
+  need_version=yes
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
+  finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
+  shlibpath_var=LD_LIBRARY_PATH
+  if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
+    case $host_os in
+      openbsd2.[[89]] | openbsd2.[[89]].*)
+	shlibpath_overrides_runpath=no
+	;;
+      *)
+	shlibpath_overrides_runpath=yes
+	;;
+      esac
+  else
+    shlibpath_overrides_runpath=yes
+  fi
+  ;;
+
+os2*)
+  libname_spec='$name'
+  shrext=".dll"
+  need_lib_prefix=no
+  library_names_spec='$libname${shared_ext} $libname.a'
+  dynamic_linker='OS/2 ld.exe'
+  shlibpath_var=LIBPATH
+  ;;
+
+osf3* | osf4* | osf5*)
+  version_type=osf
+  need_lib_prefix=no
+  need_version=no
+  soname_spec='${libname}${release}${shared_ext}$major'
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  shlibpath_var=LD_LIBRARY_PATH
+  sys_lib_search_path_spec="/usr/shlib /usr/ccs/lib /usr/lib/cmplrs/cc /usr/lib /usr/local/lib /var/shlib"
+  sys_lib_dlsearch_path_spec="$sys_lib_search_path_spec"
+  ;;
+
+sco3.2v5*)
+  version_type=osf
+  soname_spec='${libname}${release}${shared_ext}$major'
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  shlibpath_var=LD_LIBRARY_PATH
+  ;;
+
+solaris*)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=yes
+  hardcode_into_libs=yes
+  # ldd complains unless libraries are executable
+  postinstall_cmds='chmod +x $lib'
+  ;;
+
+sunos4*)
+  version_type=sunos
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
+  finish_cmds='PATH="\$PATH:/usr/etc" ldconfig $libdir'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=yes
+  if test "$with_gnu_ld" = yes; then
+    need_lib_prefix=no
+  fi
+  need_version=yes
+  ;;
+
+sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*)
+  version_type=linux
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  case $host_vendor in
+    sni)
+      shlibpath_overrides_runpath=no
+      need_lib_prefix=no
+      export_dynamic_flag_spec='${wl}-Blargedynsym'
+      runpath_var=LD_RUN_PATH
+      ;;
+    siemens)
+      need_lib_prefix=no
+      ;;
+    motorola)
+      need_lib_prefix=no
+      need_version=no
+      shlibpath_overrides_runpath=no
+      sys_lib_search_path_spec='/lib /usr/lib /usr/ccs/lib'
+      ;;
+  esac
+  ;;
+
+sysv4*MP*)
+  if test -d /usr/nec ;then
+    version_type=linux
+    library_names_spec='$libname${shared_ext}.$versuffix $libname${shared_ext}.$major $libname${shared_ext}'
+    soname_spec='$libname${shared_ext}.$major'
+    shlibpath_var=LD_LIBRARY_PATH
+  fi
+  ;;
+
+uts4*)
+  version_type=linux
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  ;;
+
+*)
+  dynamic_linker=no
+  ;;
+esac
+AC_MSG_RESULT([$dynamic_linker])
+test "$dynamic_linker" = no && can_build_shared=no
+])# AC_LIBTOOL_SYS_DYNAMIC_LINKER
+
+
+# _LT_AC_TAGCONFIG
+# ----------------
+AC_DEFUN([_LT_AC_TAGCONFIG],
+[AC_ARG_WITH([tags],
+    [AC_HELP_STRING([--with-tags@<:@=TAGS@:>@],
+        [include additional configurations @<:@automatic@:>@])],
+    [tagnames="$withval"])
+
+if test -f "$ltmain" && test -n "$tagnames"; then
+  if test ! -f "${ofile}"; then
+    AC_MSG_WARN([output file `$ofile' does not exist])
+  fi
+
+  if test -z "$LTCC"; then
+    eval "`$SHELL ${ofile} --config | grep '^LTCC='`"
+    if test -z "$LTCC"; then
+      AC_MSG_WARN([output file `$ofile' does not look like a libtool script])
+    else
+      AC_MSG_WARN([using `LTCC=$LTCC', extracted from `$ofile'])
+    fi
+  fi
+
+  # Extract list of available tagged configurations in $ofile.
+  # Note that this assumes the entire list is on one line.
+  available_tags=`grep "^available_tags=" "${ofile}" | $SED -e 's/available_tags=\(.*$\)/\1/' -e 's/\"//g'`
+
+  lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
+  for tagname in $tagnames; do
+    IFS="$lt_save_ifs"
+    # Check whether tagname contains only valid characters
+    case `$echo "X$tagname" | $Xsed -e 's:[[-_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890,/]]::g'` in
+    "") ;;
+    *)  AC_MSG_ERROR([invalid tag name: $tagname])
+	;;
+    esac
+
+    if grep "^# ### BEGIN LIBTOOL TAG CONFIG: $tagname$" < "${ofile}" > /dev/null
+    then
+      AC_MSG_ERROR([tag name \"$tagname\" already exists])
+    fi
+
+    # Update the list of available tags.
+    if test -n "$tagname"; then
+      echo appending configuration tag \"$tagname\" to $ofile
+
+      case $tagname in
+      CXX)
+	if test -n "$CXX" && test "X$CXX" != "Xno"; then
+	  AC_LIBTOOL_LANG_CXX_CONFIG
+	else
+	  tagname=""
+	fi
+	;;
+
+      F77)
+	if test -n "$F77" && test "X$F77" != "Xno"; then
+	  AC_LIBTOOL_LANG_F77_CONFIG
+	else
+	  tagname=""
+	fi
+	;;
+
+      GCJ)
+	if test -n "$GCJ" && test "X$GCJ" != "Xno"; then
+	  AC_LIBTOOL_LANG_GCJ_CONFIG
+	else
+	  tagname=""
+	fi
+	;;
+
+      RC)
+	AC_LIBTOOL_LANG_RC_CONFIG
+	;;
+
+      *)
+	AC_MSG_ERROR([Unsupported tag name: $tagname])
+	;;
+      esac
+
+      # Append the new tag name to the list of available tags.
+      if test -n "$tagname" ; then
+      available_tags="$available_tags $tagname"
+    fi
+    fi
+  done
+  IFS="$lt_save_ifs"
+
+  # Now substitute the updated list of available tags.
+  if eval "sed -e 's/^available_tags=.*\$/available_tags=\"$available_tags\"/' \"$ofile\" > \"${ofile}T\""; then
+    mv "${ofile}T" "$ofile"
+    chmod +x "$ofile"
+  else
+    rm -f "${ofile}T"
+    AC_MSG_ERROR([unable to update list of available tagged configurations.])
+  fi
+fi
+])# _LT_AC_TAGCONFIG
+
+
+# AC_LIBTOOL_DLOPEN
+# -----------------
+# enable checks for dlopen support
+AC_DEFUN([AC_LIBTOOL_DLOPEN],
+ [AC_BEFORE([$0],[AC_LIBTOOL_SETUP])
+])# AC_LIBTOOL_DLOPEN
+
+
+# AC_LIBTOOL_WIN32_DLL
+# --------------------
+# declare package support for building win32 dll's
+AC_DEFUN([AC_LIBTOOL_WIN32_DLL],
+[AC_BEFORE([$0], [AC_LIBTOOL_SETUP])
+])# AC_LIBTOOL_WIN32_DLL
+
+
+# AC_ENABLE_SHARED([DEFAULT])
+# ---------------------------
+# implement the --enable-shared flag
+# DEFAULT is either `yes' or `no'.  If omitted, it defaults to `yes'.
+AC_DEFUN([AC_ENABLE_SHARED],
+[define([AC_ENABLE_SHARED_DEFAULT], ifelse($1, no, no, yes))dnl
+AC_ARG_ENABLE([shared],
+    [AC_HELP_STRING([--enable-shared@<:@=PKGS@:>@],
+	[build shared libraries @<:@default=]AC_ENABLE_SHARED_DEFAULT[@:>@])],
+    [p=${PACKAGE-default}
+    case $enableval in
+    yes) enable_shared=yes ;;
+    no) enable_shared=no ;;
+    *)
+      enable_shared=no
+      # Look at the argument we got.  We use all the common list separators.
+      lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
+      for pkg in $enableval; do
+	IFS="$lt_save_ifs"
+	if test "X$pkg" = "X$p"; then
+	  enable_shared=yes
+	fi
+      done
+      IFS="$lt_save_ifs"
+      ;;
+    esac],
+    [enable_shared=]AC_ENABLE_SHARED_DEFAULT)
+])# AC_ENABLE_SHARED
+
+
+# AC_DISABLE_SHARED
+# -----------------
+#- set the default shared flag to --disable-shared
+AC_DEFUN([AC_DISABLE_SHARED],
+[AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
+AC_ENABLE_SHARED(no)
+])# AC_DISABLE_SHARED
+
+
+# AC_ENABLE_STATIC([DEFAULT])
+# ---------------------------
+# implement the --enable-static flag
+# DEFAULT is either `yes' or `no'.  If omitted, it defaults to `yes'.
+AC_DEFUN([AC_ENABLE_STATIC],
+[define([AC_ENABLE_STATIC_DEFAULT], ifelse($1, no, no, yes))dnl
+AC_ARG_ENABLE([static],
+    [AC_HELP_STRING([--enable-static@<:@=PKGS@:>@],
+	[build static libraries @<:@default=]AC_ENABLE_STATIC_DEFAULT[@:>@])],
+    [p=${PACKAGE-default}
+    case $enableval in
+    yes) enable_static=yes ;;
+    no) enable_static=no ;;
+    *)
+     enable_static=no
+      # Look at the argument we got.  We use all the common list separators.
+      lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
+      for pkg in $enableval; do
+	IFS="$lt_save_ifs"
+	if test "X$pkg" = "X$p"; then
+	  enable_static=yes
+	fi
+      done
+      IFS="$lt_save_ifs"
+      ;;
+    esac],
+    [enable_static=]AC_ENABLE_STATIC_DEFAULT)
+])# AC_ENABLE_STATIC
+
+
+# AC_DISABLE_STATIC
+# -----------------
+# set the default static flag to --disable-static
+AC_DEFUN([AC_DISABLE_STATIC],
+[AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
+AC_ENABLE_STATIC(no)
+])# AC_DISABLE_STATIC
+
+
+# AC_ENABLE_FAST_INSTALL([DEFAULT])
+# ---------------------------------
+# implement the --enable-fast-install flag
+# DEFAULT is either `yes' or `no'.  If omitted, it defaults to `yes'.
+AC_DEFUN([AC_ENABLE_FAST_INSTALL],
+[define([AC_ENABLE_FAST_INSTALL_DEFAULT], ifelse($1, no, no, yes))dnl
+AC_ARG_ENABLE([fast-install],
+    [AC_HELP_STRING([--enable-fast-install@<:@=PKGS@:>@],
+    [optimize for fast installation @<:@default=]AC_ENABLE_FAST_INSTALL_DEFAULT[@:>@])],
+    [p=${PACKAGE-default}
+    case $enableval in
+    yes) enable_fast_install=yes ;;
+    no) enable_fast_install=no ;;
+    *)
+      enable_fast_install=no
+      # Look at the argument we got.  We use all the common list separators.
+      lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
+      for pkg in $enableval; do
+	IFS="$lt_save_ifs"
+	if test "X$pkg" = "X$p"; then
+	  enable_fast_install=yes
+	fi
+      done
+      IFS="$lt_save_ifs"
+      ;;
+    esac],
+    [enable_fast_install=]AC_ENABLE_FAST_INSTALL_DEFAULT)
+])# AC_ENABLE_FAST_INSTALL
+
+
+# AC_DISABLE_FAST_INSTALL
+# -----------------------
+# set the default to --disable-fast-install
+AC_DEFUN([AC_DISABLE_FAST_INSTALL],
+[AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
+AC_ENABLE_FAST_INSTALL(no)
+])# AC_DISABLE_FAST_INSTALL
+
+
+# AC_LIBTOOL_PICMODE([MODE])
+# --------------------------
+# implement the --with-pic flag
+# MODE is either `yes' or `no'.  If omitted, it defaults to `both'.
+AC_DEFUN([AC_LIBTOOL_PICMODE],
+[AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
+pic_mode=ifelse($#,1,$1,default)
+])# AC_LIBTOOL_PICMODE
+
+
+# AC_PROG_EGREP
+# -------------
+# This is predefined starting with Autoconf 2.54, so this conditional
+# definition can be removed once we require Autoconf 2.54 or later.
+m4_ifndef([AC_PROG_EGREP], [AC_DEFUN([AC_PROG_EGREP],
+[AC_CACHE_CHECK([for egrep], [ac_cv_prog_egrep],
+   [if echo a | (grep -E '(a|b)') >/dev/null 2>&1
+    then ac_cv_prog_egrep='grep -E'
+    else ac_cv_prog_egrep='egrep'
+    fi])
+ EGREP=$ac_cv_prog_egrep
+ AC_SUBST([EGREP])
+])])
+
+
+# AC_PATH_TOOL_PREFIX
+# -------------------
+# find a file program which can recognise shared library
+AC_DEFUN([AC_PATH_TOOL_PREFIX],
+[AC_REQUIRE([AC_PROG_EGREP])dnl
+AC_MSG_CHECKING([for $1])
+AC_CACHE_VAL(lt_cv_path_MAGIC_CMD,
+[case $MAGIC_CMD in
+[[\\/*] |  ?:[\\/]*])
+  lt_cv_path_MAGIC_CMD="$MAGIC_CMD" # Let the user override the test with a path.
+  ;;
+*)
+  lt_save_MAGIC_CMD="$MAGIC_CMD"
+  lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
+dnl $ac_dummy forces splitting on constant user-supplied paths.
+dnl POSIX.2 word splitting is done only on the output of word expansions,
+dnl not every word.  This closes a longstanding sh security hole.
+  ac_dummy="ifelse([$2], , $PATH, [$2])"
+  for ac_dir in $ac_dummy; do
+    IFS="$lt_save_ifs"
+    test -z "$ac_dir" && ac_dir=.
+    if test -f $ac_dir/$1; then
+      lt_cv_path_MAGIC_CMD="$ac_dir/$1"
+      if test -n "$file_magic_test_file"; then
+	case $deplibs_check_method in
+	"file_magic "*)
+	  file_magic_regex="`expr \"$deplibs_check_method\" : \"file_magic \(.*\)\"`"
+	  MAGIC_CMD="$lt_cv_path_MAGIC_CMD"
+	  if eval $file_magic_cmd \$file_magic_test_file 2> /dev/null |
+	    $EGREP "$file_magic_regex" > /dev/null; then
+	    :
+	  else
+	    cat <<EOF 1>&2
+
+*** Warning: the command libtool uses to detect shared libraries,
+*** $file_magic_cmd, produces output that libtool cannot recognize.
+*** The result is that libtool may fail to recognize shared libraries
+*** as such.  This will affect the creation of libtool libraries that
+*** depend on shared libraries, but programs linked with such libtool
+*** libraries will work regardless of this problem.  Nevertheless, you
+*** may want to report the problem to your system manager and/or to
+*** bug-libtool@gnu.org
+
+EOF
+	  fi ;;
+	esac
+      fi
+      break
+    fi
+  done
+  IFS="$lt_save_ifs"
+  MAGIC_CMD="$lt_save_MAGIC_CMD"
+  ;;
+esac])
+MAGIC_CMD="$lt_cv_path_MAGIC_CMD"
+if test -n "$MAGIC_CMD"; then
+  AC_MSG_RESULT($MAGIC_CMD)
+else
+  AC_MSG_RESULT(no)
+fi
+])# AC_PATH_TOOL_PREFIX
+
+
+# AC_PATH_MAGIC
+# -------------
+# find a file program which can recognise a shared library
+AC_DEFUN([AC_PATH_MAGIC],
+[AC_PATH_TOOL_PREFIX(${ac_tool_prefix}file, /usr/bin$PATH_SEPARATOR$PATH)
+if test -z "$lt_cv_path_MAGIC_CMD"; then
+  if test -n "$ac_tool_prefix"; then
+    AC_PATH_TOOL_PREFIX(file, /usr/bin$PATH_SEPARATOR$PATH)
+  else
+    MAGIC_CMD=:
+  fi
+fi
+])# AC_PATH_MAGIC
+
+
+# AC_PROG_LD
+# ----------
+# find the pathname to the GNU or non-GNU linker
+AC_DEFUN([AC_PROG_LD],
+[AC_ARG_WITH([gnu-ld],
+    [AC_HELP_STRING([--with-gnu-ld],
+	[assume the C compiler uses GNU ld @<:@default=no@:>@])],
+    [test "$withval" = no || with_gnu_ld=yes],
+    [with_gnu_ld=no])
+AC_REQUIRE([LT_AC_PROG_SED])dnl
+AC_REQUIRE([AC_PROG_CC])dnl
+AC_REQUIRE([AC_CANONICAL_HOST])dnl
+AC_REQUIRE([AC_CANONICAL_BUILD])dnl
+ac_prog=ld
+if test "$GCC" = yes; then
+  # Check if gcc -print-prog-name=ld gives a path.
+  AC_MSG_CHECKING([for ld used by $CC])
+  case $host in
+  *-*-mingw*)
+    # gcc leaves a trailing carriage return which upsets mingw
+    ac_prog=`($CC -print-prog-name=ld) 2>&5 | tr -d '\015'` ;;
+  *)
+    ac_prog=`($CC -print-prog-name=ld) 2>&5` ;;
+  esac
+  case $ac_prog in
+    # Accept absolute paths.
+    [[\\/]]* | ?:[[\\/]]*)
+      re_direlt='/[[^/]][[^/]]*/\.\./'
+      # Canonicalize the pathname of ld
+      ac_prog=`echo $ac_prog| $SED 's%\\\\%/%g'`
+      while echo $ac_prog | grep "$re_direlt" > /dev/null 2>&1; do
+	ac_prog=`echo $ac_prog| $SED "s%$re_direlt%/%"`
+      done
+      test -z "$LD" && LD="$ac_prog"
+      ;;
+  "")
+    # If it fails, then pretend we aren't using GCC.
+    ac_prog=ld
+    ;;
+  *)
+    # If it is relative, then search for the first ld in PATH.
+    with_gnu_ld=unknown
+    ;;
+  esac
+elif test "$with_gnu_ld" = yes; then
+  AC_MSG_CHECKING([for GNU ld])
+else
+  AC_MSG_CHECKING([for non-GNU ld])
+fi
+AC_CACHE_VAL(lt_cv_path_LD,
+[if test -z "$LD"; then
+  lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
+  for ac_dir in $PATH; do
+    IFS="$lt_save_ifs"
+    test -z "$ac_dir" && ac_dir=.
+    if test -f "$ac_dir/$ac_prog" || test -f "$ac_dir/$ac_prog$ac_exeext"; then
+      lt_cv_path_LD="$ac_dir/$ac_prog"
+      # Check to see if the program is GNU ld.  I'd rather use --version,
+      # but apparently some GNU ld's only accept -v.
+      # Break only if it was the GNU/non-GNU ld that we prefer.
+      case `"$lt_cv_path_LD" -v 2>&1 </dev/null` in
+      *GNU* | *'with BFD'*)
+	test "$with_gnu_ld" != no && break
+	;;
+      *)
+	test "$with_gnu_ld" != yes && break
+	;;
+      esac
+    fi
+  done
+  IFS="$lt_save_ifs"
+else
+  lt_cv_path_LD="$LD" # Let the user override the test with a path.
+fi])
+LD="$lt_cv_path_LD"
+if test -n "$LD"; then
+  AC_MSG_RESULT($LD)
+else
+  AC_MSG_RESULT(no)
+fi
+test -z "$LD" && AC_MSG_ERROR([no acceptable ld found in \$PATH])
+AC_PROG_LD_GNU
+])# AC_PROG_LD
+
+
+# AC_PROG_LD_GNU
+# --------------
+AC_DEFUN([AC_PROG_LD_GNU],
+[AC_REQUIRE([AC_PROG_EGREP])dnl
+AC_CACHE_CHECK([if the linker ($LD) is GNU ld], lt_cv_prog_gnu_ld,
+[# I'd rather use --version here, but apparently some GNU ld's only accept -v.
+case `$LD -v 2>&1 </dev/null` in
+*GNU* | *'with BFD'*)
+  lt_cv_prog_gnu_ld=yes
+  ;;
+*)
+  lt_cv_prog_gnu_ld=no
+  ;;
+esac])
+with_gnu_ld=$lt_cv_prog_gnu_ld
+])# AC_PROG_LD_GNU
+
+
+# AC_PROG_LD_RELOAD_FLAG
+# ----------------------
+# find reload flag for linker
+#   -- PORTME Some linkers may need a different reload flag.
+AC_DEFUN([AC_PROG_LD_RELOAD_FLAG],
+[AC_CACHE_CHECK([for $LD option to reload object files],
+  lt_cv_ld_reload_flag,
+  [lt_cv_ld_reload_flag='-r'])
+reload_flag=$lt_cv_ld_reload_flag
+case $reload_flag in
+"" | " "*) ;;
+*) reload_flag=" $reload_flag" ;;
+esac
+reload_cmds='$LD$reload_flag -o $output$reload_objs'
+])# AC_PROG_LD_RELOAD_FLAG
+
+
+# AC_DEPLIBS_CHECK_METHOD
+# -----------------------
+# how to check for library dependencies
+#  -- PORTME fill in with the dynamic library characteristics
+AC_DEFUN([AC_DEPLIBS_CHECK_METHOD],
+[AC_CACHE_CHECK([how to recognise dependent libraries],
+lt_cv_deplibs_check_method,
+[lt_cv_file_magic_cmd='$MAGIC_CMD'
+lt_cv_file_magic_test_file=
+lt_cv_deplibs_check_method='unknown'
+# Need to set the preceding variable on all platforms that support
+# interlibrary dependencies.
+# 'none' -- dependencies not supported.
+# `unknown' -- same as none, but documents that we really don't know.
+# 'pass_all' -- all dependencies passed with no checks.
+# 'test_compile' -- check by making test program.
+# 'file_magic [[regex]]' -- check by looking for files in library path
+# which responds to the $file_magic_cmd with a given extended regex.
+# If you have `file' or equivalent on your system and you're not sure
+# whether `pass_all' will *always* work, you probably want this one.
+
+case $host_os in
+aix4* | aix5*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+beos*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+bsdi4*)
+  lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[ML]]SB (shared object|dynamic lib)'
+  lt_cv_file_magic_cmd='/usr/bin/file -L'
+  lt_cv_file_magic_test_file=/shlib/libc.so
+  ;;
+
+cygwin*)
+  # win32_libid is a shell function defined in ltmain.sh
+  lt_cv_deplibs_check_method='file_magic ^x86 archive import|^x86 DLL'
+  lt_cv_file_magic_cmd='win32_libid'
+  ;;
+
+mingw* | pw32*)
+  # Base MSYS/MinGW do not provide the 'file' command needed by
+  # win32_libid shell function, so use a weaker test based on 'objdump'.
+  lt_cv_deplibs_check_method='file_magic file format pei*-i386(.*architecture: i386)?'
+  lt_cv_file_magic_cmd='$OBJDUMP -f'
+  ;;
+
+darwin* | rhapsody*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+freebsd* | kfreebsd*-gnu)
+  if echo __ELF__ | $CC -E - | grep __ELF__ > /dev/null; then
+    case $host_cpu in
+    i*86 )
+      # Not sure whether the presence of OpenBSD here was a mistake.
+      # Let's accept both of them until this is cleared up.
+      lt_cv_deplibs_check_method='file_magic (FreeBSD|OpenBSD)/i[[3-9]]86 (compact )?demand paged shared library'
+      lt_cv_file_magic_cmd=/usr/bin/file
+      lt_cv_file_magic_test_file=`echo /usr/lib/libc.so.*`
+      ;;
+    esac
+  else
+    lt_cv_deplibs_check_method=pass_all
+  fi
+  ;;
+
+gnu*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+hpux10.20* | hpux11*)
+  lt_cv_file_magic_cmd=/usr/bin/file
+  case "$host_cpu" in
+  ia64*)
+    lt_cv_deplibs_check_method='file_magic (s[[0-9]][[0-9]][[0-9]]|ELF-[[0-9]][[0-9]]) shared object file - IA64'
+    lt_cv_file_magic_test_file=/usr/lib/hpux32/libc.so
+    ;;
+  hppa*64*)
+    [lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|ELF-[0-9][0-9]) shared object file - PA-RISC [0-9].[0-9]']
+    lt_cv_file_magic_test_file=/usr/lib/pa20_64/libc.sl
+    ;;
+  *)
+    lt_cv_deplibs_check_method='file_magic (s[[0-9]][[0-9]][[0-9]]|PA-RISC[[0-9]].[[0-9]]) shared library'
+    lt_cv_file_magic_test_file=/usr/lib/libc.sl
+    ;;
+  esac
+  ;;
+
+irix5* | irix6* | nonstopux*)
+  case $LD in
+  *-32|*"-32 ") libmagic=32-bit;;
+  *-n32|*"-n32 ") libmagic=N32;;
+  *-64|*"-64 ") libmagic=64-bit;;
+  *) libmagic=never-match;;
+  esac
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+# This must be Linux ELF.
+linux*)
+  case $host_cpu in
+  alpha*|hppa*|i*86|ia64*|m68*|mips*|powerpc*|sparc*|s390*|sh*)
+    lt_cv_deplibs_check_method=pass_all ;;
+  *)
+    # glibc up to 2.1.1 does not perform some relocations on ARM
+    # this will be overridden with pass_all, but let us keep it just in case
+    lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[LM]]SB (shared object|dynamic lib )' ;;
+  esac
+  lt_cv_file_magic_test_file=`echo /lib/libc.so* /lib/libc-*.so`
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+netbsd*)
+  if echo __ELF__ | $CC -E - | grep __ELF__ > /dev/null; then
+    lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so\.[[0-9]]+\.[[0-9]]+|_pic\.a)$'
+  else
+    lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so|_pic\.a)$'
+  fi
+  ;;
+
+newos6*)
+  lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[ML]]SB (executable|dynamic lib)'
+  lt_cv_file_magic_cmd=/usr/bin/file
+  lt_cv_file_magic_test_file=/usr/lib/libnls.so
+  ;;
+
+nto-qnx*)
+  lt_cv_deplibs_check_method=unknown
+  ;;
+
+openbsd*)
+  lt_cv_file_magic_cmd=/usr/bin/file
+  lt_cv_file_magic_test_file=`echo /usr/lib/libc.so.*`
+  if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
+    lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[LM]]SB shared object'
+  else
+    lt_cv_deplibs_check_method='file_magic OpenBSD.* shared library'
+  fi
+  ;;
+
+osf3* | osf4* | osf5*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+sco3.2v5*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+solaris*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*)
+  case $host_vendor in
+  motorola)
+    lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[ML]]SB (shared object|dynamic lib) M[[0-9]][[0-9]]* Version [[0-9]]'
+    lt_cv_file_magic_test_file=`echo /usr/lib/libc.so*`
+    ;;
+  ncr)
+    lt_cv_deplibs_check_method=pass_all
+    ;;
+  sequent)
+    lt_cv_file_magic_cmd='/bin/file'
+    lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[LM]]SB (shared object|dynamic lib )'
+    ;;
+  sni)
+    lt_cv_file_magic_cmd='/bin/file'
+    lt_cv_deplibs_check_method="file_magic ELF [[0-9]][[0-9]]*-bit [[LM]]SB dynamic lib"
+    lt_cv_file_magic_test_file=/lib/libc.so
+    ;;
+  siemens)
+    lt_cv_deplibs_check_method=pass_all
+    ;;
+  esac
+  ;;
+
+sysv5OpenUNIX8* | sysv5UnixWare7* | sysv5uw[[78]]* | unixware7* | sysv4*uw2*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+esac
+])
+file_magic_cmd=$lt_cv_file_magic_cmd
+deplibs_check_method=$lt_cv_deplibs_check_method
+test -z "$deplibs_check_method" && deplibs_check_method=unknown
+])# AC_DEPLIBS_CHECK_METHOD
+
+
+# AC_PROG_NM
+# ----------
+# find the pathname to a BSD-compatible name lister
+AC_DEFUN([AC_PROG_NM],
+[AC_CACHE_CHECK([for BSD-compatible nm], lt_cv_path_NM,
+[if test -n "$NM"; then
+  # Let the user override the test.
+  lt_cv_path_NM="$NM"
+else
+  lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
+  for ac_dir in $PATH /usr/ccs/bin /usr/ucb /bin; do
+    IFS="$lt_save_ifs"
+    test -z "$ac_dir" && ac_dir=.
+    tmp_nm="$ac_dir/${ac_tool_prefix}nm"
+    if test -f "$tmp_nm" || test -f "$tmp_nm$ac_exeext" ; then
+      # Check to see if the nm accepts a BSD-compat flag.
+      # Adding the `sed 1q' prevents false positives on HP-UX, which says:
+      #   nm: unknown option "B" ignored
+      # Tru64's nm complains that /dev/null is an invalid object file
+      case `"$tmp_nm" -B /dev/null 2>&1 | sed '1q'` in
+      */dev/null* | *'Invalid file or object type'*)
+	lt_cv_path_NM="$tmp_nm -B"
+	break
+        ;;
+      *)
+	case `"$tmp_nm" -p /dev/null 2>&1 | sed '1q'` in
+	*/dev/null*)
+	  lt_cv_path_NM="$tmp_nm -p"
+	  break
+	  ;;
+	*)
+	  lt_cv_path_NM=${lt_cv_path_NM="$tmp_nm"} # keep the first match, but
+	  continue # so that we can try to find one that supports BSD flags
+	  ;;
+	esac
+      esac
+    fi
+  done
+  IFS="$lt_save_ifs"
+  test -z "$lt_cv_path_NM" && lt_cv_path_NM=nm
+fi])
+NM="$lt_cv_path_NM"
+])# AC_PROG_NM
+
+
+# AC_CHECK_LIBM
+# -------------
+# check for math library
+AC_DEFUN([AC_CHECK_LIBM],
+[AC_REQUIRE([AC_CANONICAL_HOST])dnl
+LIBM=
+case $host in
+*-*-beos* | *-*-cygwin* | *-*-pw32* | *-*-darwin*)
+  # These system don't have libm, or don't need it
+  ;;
+*-ncr-sysv4.3*)
+  AC_CHECK_LIB(mw, _mwvalidcheckl, LIBM="-lmw")
+  AC_CHECK_LIB(m, cos, LIBM="$LIBM -lm")
+  ;;
+*)
+  AC_CHECK_LIB(m, cos, LIBM="-lm")
+  ;;
+esac
+])# AC_CHECK_LIBM
+
+
+# AC_LIBLTDL_CONVENIENCE([DIRECTORY])
+# -----------------------------------
+# sets LIBLTDL to the link flags for the libltdl convenience library and
+# LTDLINCL to the include flags for the libltdl header and adds
+# --enable-ltdl-convenience to the configure arguments.  Note that LIBLTDL
+# and LTDLINCL are not AC_SUBSTed, nor is AC_CONFIG_SUBDIRS called.  If
+# DIRECTORY is not provided, it is assumed to be `libltdl'.  LIBLTDL will
+# be prefixed with '${top_builddir}/' and LTDLINCL will be prefixed with
+# '${top_srcdir}/' (note the single quotes!).  If your package is not
+# flat and you're not using automake, define top_builddir and
+# top_srcdir appropriately in the Makefiles.
+AC_DEFUN([AC_LIBLTDL_CONVENIENCE],
+[AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
+  case $enable_ltdl_convenience in
+  no) AC_MSG_ERROR([this package needs a convenience libltdl]) ;;
+  "") enable_ltdl_convenience=yes
+      ac_configure_args="$ac_configure_args --enable-ltdl-convenience" ;;
+  esac
+  LIBLTDL='${top_builddir}/'ifelse($#,1,[$1],['libltdl'])/libltdlc.la
+  LTDLINCL='-I${top_srcdir}/'ifelse($#,1,[$1],['libltdl'])
+  # For backwards non-gettext consistent compatibility...
+  INCLTDL="$LTDLINCL"
+])# AC_LIBLTDL_CONVENIENCE
+
+
+# AC_LIBLTDL_INSTALLABLE([DIRECTORY])
+# -----------------------------------
+# sets LIBLTDL to the link flags for the libltdl installable library and
+# LTDLINCL to the include flags for the libltdl header and adds
+# --enable-ltdl-install to the configure arguments.  Note that LIBLTDL
+# and LTDLINCL are not AC_SUBSTed, nor is AC_CONFIG_SUBDIRS called.  If
+# DIRECTORY is not provided and an installed libltdl is not found, it is
+# assumed to be `libltdl'.  LIBLTDL will be prefixed with '${top_builddir}/'
+# and LTDLINCL will be prefixed with '${top_srcdir}/' (note the single
+# quotes!).  If your package is not flat and you're not using automake,
+# define top_builddir and top_srcdir appropriately in the Makefiles.
+# In the future, this macro may have to be called after AC_PROG_LIBTOOL.
+AC_DEFUN([AC_LIBLTDL_INSTALLABLE],
+[AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
+  AC_CHECK_LIB(ltdl, lt_dlinit,
+  [test x"$enable_ltdl_install" != xyes && enable_ltdl_install=no],
+  [if test x"$enable_ltdl_install" = xno; then
+     AC_MSG_WARN([libltdl not installed, but installation disabled])
+   else
+     enable_ltdl_install=yes
+   fi
+  ])
+  if test x"$enable_ltdl_install" = x"yes"; then
+    ac_configure_args="$ac_configure_args --enable-ltdl-install"
+    LIBLTDL='${top_builddir}/'ifelse($#,1,[$1],['libltdl'])/libltdl.la
+    LTDLINCL='-I${top_srcdir}/'ifelse($#,1,[$1],['libltdl'])
+  else
+    ac_configure_args="$ac_configure_args --enable-ltdl-install=no"
+    LIBLTDL="-lltdl"
+    LTDLINCL=
+  fi
+  # For backwards non-gettext consistent compatibility...
+  INCLTDL="$LTDLINCL"
+])# AC_LIBLTDL_INSTALLABLE
+
+
+# AC_LIBTOOL_CXX
+# --------------
+# enable support for C++ libraries
+AC_DEFUN([AC_LIBTOOL_CXX],
+[AC_REQUIRE([_LT_AC_LANG_CXX])
+])# AC_LIBTOOL_CXX
+
+
+# _LT_AC_LANG_CXX
+# ---------------
+AC_DEFUN([_LT_AC_LANG_CXX],
+[AC_REQUIRE([AC_PROG_CXX])
+AC_REQUIRE([AC_PROG_CXXCPP])
+_LT_AC_SHELL_INIT([tagnames=${tagnames+${tagnames},}CXX])
+])# _LT_AC_LANG_CXX
+
+
+# AC_LIBTOOL_F77
+# --------------
+# enable support for Fortran 77 libraries
+AC_DEFUN([AC_LIBTOOL_F77],
+[AC_REQUIRE([_LT_AC_LANG_F77])
+])# AC_LIBTOOL_F77
+
+
+# _LT_AC_LANG_F77
+# ---------------
+AC_DEFUN([_LT_AC_LANG_F77],
+[AC_REQUIRE([AC_PROG_F77])
+_LT_AC_SHELL_INIT([tagnames=${tagnames+${tagnames},}F77])
+])# _LT_AC_LANG_F77
+
+
+# AC_LIBTOOL_GCJ
+# --------------
+# enable support for GCJ libraries
+AC_DEFUN([AC_LIBTOOL_GCJ],
+[AC_REQUIRE([_LT_AC_LANG_GCJ])
+])# AC_LIBTOOL_GCJ
+
+
+# _LT_AC_LANG_GCJ
+# ---------------
+AC_DEFUN([_LT_AC_LANG_GCJ],
+[AC_PROVIDE_IFELSE([AC_PROG_GCJ],[],
+  [AC_PROVIDE_IFELSE([A][M_PROG_GCJ],[],
+    [AC_PROVIDE_IFELSE([LT_AC_PROG_GCJ],[],
+      [ifdef([AC_PROG_GCJ],[AC_REQUIRE([AC_PROG_GCJ])],
+	 [ifdef([A][M_PROG_GCJ],[AC_REQUIRE([A][M_PROG_GCJ])],
+	   [AC_REQUIRE([A][C_PROG_GCJ_OR_A][M_PROG_GCJ])])])])])])
+_LT_AC_SHELL_INIT([tagnames=${tagnames+${tagnames},}GCJ])
+])# _LT_AC_LANG_GCJ
+
+
+# AC_LIBTOOL_RC
+# --------------
+# enable support for Windows resource files
+AC_DEFUN([AC_LIBTOOL_RC],
+[AC_REQUIRE([LT_AC_PROG_RC])
+_LT_AC_SHELL_INIT([tagnames=${tagnames+${tagnames},}RC])
+])# AC_LIBTOOL_RC
+
+
+# AC_LIBTOOL_LANG_C_CONFIG
+# ------------------------
+# Ensure that the configuration vars for the C compiler are
+# suitably defined.  Those variables are subsequently used by
+# AC_LIBTOOL_CONFIG to write the compiler configuration to `libtool'.
+AC_DEFUN([AC_LIBTOOL_LANG_C_CONFIG], [_LT_AC_LANG_C_CONFIG])
+AC_DEFUN([_LT_AC_LANG_C_CONFIG],
+[lt_save_CC="$CC"
+AC_LANG_PUSH(C)
+
+# Source file extension for C test sources.
+ac_ext=c
+
+# Object file extension for compiled C test sources.
+objext=o
+_LT_AC_TAGVAR(objext, $1)=$objext
+
+# Code to be used in simple compile tests
+lt_simple_compile_test_code="int some_variable = 0;\n"
+
+# Code to be used in simple link tests
+lt_simple_link_test_code='int main(){return(0);}\n'
+
+_LT_AC_SYS_COMPILER
+
+#
+# Check for any special shared library compilation flags.
+#
+_LT_AC_TAGVAR(lt_prog_cc_shlib, $1)=
+if test "$GCC" = no; then
+  case $host_os in
+  sco3.2v5*)
+    _LT_AC_TAGVAR(lt_prog_cc_shlib, $1)='-belf'
+    ;;
+  esac
+fi
+if test -n "$_LT_AC_TAGVAR(lt_prog_cc_shlib, $1)"; then
+  AC_MSG_WARN([`$CC' requires `$_LT_AC_TAGVAR(lt_prog_cc_shlib, $1)' to build shared libraries])
+  if echo "$old_CC $old_CFLAGS " | grep "[[ 	]]$_LT_AC_TAGVAR(lt_prog_cc_shlib, $1)[[ 	]]" >/dev/null; then :
+  else
+    AC_MSG_WARN([add `$_LT_AC_TAGVAR(lt_prog_cc_shlib, $1)' to the CC or CFLAGS env variable and reconfigure])
+    _LT_AC_TAGVAR(lt_cv_prog_cc_can_build_shared, $1)=no
+  fi
+fi
+
+
+#
+# Check to make sure the static flag actually works.
+#
+AC_LIBTOOL_LINKER_OPTION([if $compiler static flag $_LT_AC_TAGVAR(lt_prog_compiler_static, $1) works],
+  _LT_AC_TAGVAR(lt_prog_compiler_static_works, $1),
+  $_LT_AC_TAGVAR(lt_prog_compiler_static, $1),
+  [],
+  [_LT_AC_TAGVAR(lt_prog_compiler_static, $1)=])
+
+
+## CAVEAT EMPTOR:
+## There is no encapsulation within the following macros, do not change
+## the running order or otherwise move them around unless you know exactly
+## what you are doing...
+AC_LIBTOOL_PROG_COMPILER_NO_RTTI($1)
+AC_LIBTOOL_PROG_COMPILER_PIC($1)
+AC_LIBTOOL_PROG_CC_C_O($1)
+AC_LIBTOOL_SYS_HARD_LINK_LOCKS($1)
+AC_LIBTOOL_PROG_LD_SHLIBS($1)
+AC_LIBTOOL_SYS_DYNAMIC_LINKER($1)
+AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH($1)
+AC_LIBTOOL_SYS_LIB_STRIP
+AC_LIBTOOL_DLOPEN_SELF($1)
+
+# Report which librarie types wil actually be built
+AC_MSG_CHECKING([if libtool supports shared libraries])
+AC_MSG_RESULT([$can_build_shared])
+
+AC_MSG_CHECKING([whether to build shared libraries])
+test "$can_build_shared" = "no" && enable_shared=no
+
+# On AIX, shared libraries and static libraries use the same namespace, and
+# are all built from PIC.
+case "$host_os" in
+aix3*)
+  test "$enable_shared" = yes && enable_static=no
+  if test -n "$RANLIB"; then
+    archive_cmds="$archive_cmds~\$RANLIB \$lib"
+    postinstall_cmds='$RANLIB $lib'
+  fi
+  ;;
+
+aix4*)
+  if test "$host_cpu" != ia64 && test "$aix_use_runtimelinking" = no ; then
+    test "$enable_shared" = yes && enable_static=no
+  fi
+  ;;
+  darwin* | rhapsody*)
+  if test "$GCC" = yes; then
+    _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
+    case "$host_os" in
+    rhapsody* | darwin1.[[012]])
+      _LT_AC_TAGVAR(allow_undefined_flag, $1)='-undefined suppress'
+      ;;
+    *) # Darwin 1.3 on
+      if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
+      	_LT_AC_TAGVAR(allow_undefined_flag, $1)='-flat_namespace -undefined suppress'
+      else
+        case ${MACOSX_DEPLOYMENT_TARGET} in
+          10.[[012]])
+            _LT_AC_TAGVAR(allow_undefined_flag, $1)='-flat_namespace -undefined suppress'
+            ;;
+          10.*)
+            _LT_AC_TAGVAR(allow_undefined_flag, $1)='-undefined dynamic_lookup'
+            ;;
+        esac
+      fi
+      ;;
+    esac
+    output_verbose_link_cmd='echo'
+    _LT_AC_TAGVAR(archive_cmds, $1)='$CC -dynamiclib $allow_undefined_flag -o $lib $libobjs $deplibs$compiler_flags -install_name $rpath/$soname $verstring'
+    _LT_AC_TAGVAR(module_cmds, $1)='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
+    # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
+    _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib $allow_undefined_flag  -o $lib $libobjs $deplibs$compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+    _LT_AC_TAGVAR(module_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+    _LT_AC_TAGVAR(hardcode_direct, $1)=no
+    _LT_AC_TAGVAR(hardcode_automatic, $1)=yes
+    _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
+    _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='-all_load $convenience'
+    _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
+  else
+    _LT_AC_TAGVAR(ld_shlibs, $1)=no
+  fi
+    ;;
+esac
+AC_MSG_RESULT([$enable_shared])
+
+AC_MSG_CHECKING([whether to build static libraries])
+# Make sure either enable_shared or enable_static is yes.
+test "$enable_shared" = yes || enable_static=yes
+AC_MSG_RESULT([$enable_static])
+
+AC_LIBTOOL_CONFIG($1)
+
+AC_LANG_POP
+CC="$lt_save_CC"
+])# AC_LIBTOOL_LANG_C_CONFIG
+
+
+# AC_LIBTOOL_LANG_CXX_CONFIG
+# --------------------------
+# Ensure that the configuration vars for the C compiler are
+# suitably defined.  Those variables are subsequently used by
+# AC_LIBTOOL_CONFIG to write the compiler configuration to `libtool'.
+AC_DEFUN([AC_LIBTOOL_LANG_CXX_CONFIG], [_LT_AC_LANG_CXX_CONFIG(CXX)])
+AC_DEFUN([_LT_AC_LANG_CXX_CONFIG],
+[AC_LANG_PUSH(C++)
+AC_REQUIRE([AC_PROG_CXX])
+AC_REQUIRE([AC_PROG_CXXCPP])
+
+_LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
+_LT_AC_TAGVAR(allow_undefined_flag, $1)=
+_LT_AC_TAGVAR(always_export_symbols, $1)=no
+_LT_AC_TAGVAR(archive_expsym_cmds, $1)=
+_LT_AC_TAGVAR(export_dynamic_flag_spec, $1)=
+_LT_AC_TAGVAR(hardcode_direct, $1)=no
+_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)=
+_LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)=
+_LT_AC_TAGVAR(hardcode_libdir_separator, $1)=
+_LT_AC_TAGVAR(hardcode_minus_L, $1)=no
+_LT_AC_TAGVAR(hardcode_automatic, $1)=no
+_LT_AC_TAGVAR(module_cmds, $1)=
+_LT_AC_TAGVAR(module_expsym_cmds, $1)=
+_LT_AC_TAGVAR(link_all_deplibs, $1)=unknown
+_LT_AC_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds
+_LT_AC_TAGVAR(no_undefined_flag, $1)=
+_LT_AC_TAGVAR(whole_archive_flag_spec, $1)=
+_LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=no
+
+# Dependencies to place before and after the object being linked:
+_LT_AC_TAGVAR(predep_objects, $1)=
+_LT_AC_TAGVAR(postdep_objects, $1)=
+_LT_AC_TAGVAR(predeps, $1)=
+_LT_AC_TAGVAR(postdeps, $1)=
+_LT_AC_TAGVAR(compiler_lib_search_path, $1)=
+
+# Source file extension for C++ test sources.
+ac_ext=cc
+
+# Object file extension for compiled C++ test sources.
+objext=o
+_LT_AC_TAGVAR(objext, $1)=$objext
+
+# Code to be used in simple compile tests
+lt_simple_compile_test_code="int some_variable = 0;\n"
+
+# Code to be used in simple link tests
+lt_simple_link_test_code='int main(int, char *[]) { return(0); }\n'
+
+# ltmain only uses $CC for tagged configurations so make sure $CC is set.
+_LT_AC_SYS_COMPILER
+
+# Allow CC to be a program name with arguments.
+lt_save_CC=$CC
+lt_save_LD=$LD
+lt_save_GCC=$GCC
+GCC=$GXX
+lt_save_with_gnu_ld=$with_gnu_ld
+lt_save_path_LD=$lt_cv_path_LD
+if test -n "${lt_cv_prog_gnu_ldcxx+set}"; then
+  lt_cv_prog_gnu_ld=$lt_cv_prog_gnu_ldcxx
+else
+  unset lt_cv_prog_gnu_ld
+fi
+if test -n "${lt_cv_path_LDCXX+set}"; then
+  lt_cv_path_LD=$lt_cv_path_LDCXX
+else
+  unset lt_cv_path_LD
+fi
+test -z "${LDCXX+set}" || LD=$LDCXX
+CC=${CXX-"c++"}
+compiler=$CC
+_LT_AC_TAGVAR(compiler, $1)=$CC
+cc_basename=`$echo X"$compiler" | $Xsed -e 's%^.*/%%'`
+
+# We don't want -fno-exception wen compiling C++ code, so set the
+# no_builtin_flag separately
+if test "$GXX" = yes; then
+  _LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=' -fno-builtin'
+else
+  _LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=
+fi
+
+if test "$GXX" = yes; then
+  # Set up default GNU C++ configuration
+
+  AC_PROG_LD
+
+  # Check if GNU C++ uses GNU ld as the underlying linker, since the
+  # archiving commands below assume that GNU ld is being used.
+  if test "$with_gnu_ld" = yes; then
+    _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
+    _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+
+    _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}--rpath ${wl}$libdir'
+    _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
+
+    # If archive_cmds runs LD, not CC, wlarc should be empty
+    # XXX I think wlarc can be eliminated in ltcf-cxx, but I need to
+    #     investigate it a little bit more. (MM)
+    wlarc='${wl}'
+
+    # ancient GNU ld didn't support --whole-archive et. al.
+    if eval "`$CC -print-prog-name=ld` --help 2>&1" | \
+	grep 'no-whole-archive' > /dev/null; then
+      _LT_AC_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
+    else
+      _LT_AC_TAGVAR(whole_archive_flag_spec, $1)=
+    fi
+  else
+    with_gnu_ld=no
+    wlarc=
+
+    # A generic and very simple default shared library creation
+    # command for GNU C++ for the case where it uses the native
+    # linker, instead of GNU ld.  If possible, this setting should
+    # overridden to take advantage of the native linker features on
+    # the platform it is being used on.
+    _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $lib'
+  fi
+
+  # Commands to make compiler produce verbose output that lists
+  # what "hidden" libraries, object files and flags are used when
+  # linking a shared library.
+  output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "\-L"'
+
+else
+  GXX=no
+  with_gnu_ld=no
+  wlarc=
+fi
+
+# PORTME: fill in a description of your system's C++ link characteristics
+AC_MSG_CHECKING([whether the $compiler linker ($LD) supports shared libraries])
+_LT_AC_TAGVAR(ld_shlibs, $1)=yes
+case $host_os in
+  aix3*)
+    # FIXME: insert proper C++ library support
+    _LT_AC_TAGVAR(ld_shlibs, $1)=no
+    ;;
+  aix4* | aix5*)
+    if test "$host_cpu" = ia64; then
+      # On IA64, the linker does run time linking by default, so we don't
+      # have to do anything special.
+      aix_use_runtimelinking=no
+      exp_sym_flag='-Bexport'
+      no_entry_flag=""
+    else
+      aix_use_runtimelinking=no
+
+      # Test if we are trying to use run time linking or normal
+      # AIX style linking. If -brtl is somewhere in LDFLAGS, we
+      # need to do runtime linking.
+      case $host_os in aix4.[[23]]|aix4.[[23]].*|aix5*)
+	for ld_flag in $LDFLAGS; do
+	  case $ld_flag in
+	  *-brtl*)
+	    aix_use_runtimelinking=yes
+	    break
+	    ;;
+	  esac
+	done
+      esac
+
+      exp_sym_flag='-bexport'
+      no_entry_flag='-bnoentry'
+    fi
+
+    # When large executables or shared objects are built, AIX ld can
+    # have problems creating the table of contents.  If linking a library
+    # or program results in "error TOC overflow" add -mminimal-toc to
+    # CXXFLAGS/CFLAGS for g++/gcc.  In the cases where that is not
+    # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS.
+
+    _LT_AC_TAGVAR(archive_cmds, $1)=''
+    _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+    _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=':'
+    _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
+
+    if test "$GXX" = yes; then
+      case $host_os in aix4.[012]|aix4.[012].*)
+      # We only want to do this on AIX 4.2 and lower, the check
+      # below for broken collect2 doesn't work under 4.3+
+	collect2name=`${CC} -print-prog-name=collect2`
+	if test -f "$collect2name" && \
+	   strings "$collect2name" | grep resolve_lib_name >/dev/null
+	then
+	  # We have reworked collect2
+	  _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+	else
+	  # We have old collect2
+	  _LT_AC_TAGVAR(hardcode_direct, $1)=unsupported
+	  # It fails to find uninstalled libraries when the uninstalled
+	  # path is not listed in the libpath.  Setting hardcode_minus_L
+	  # to unsupported forces relinking
+	  _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
+	  _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+	  _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=
+	fi
+      esac
+      shared_flag='-shared'
+    else
+      # not using gcc
+      if test "$host_cpu" = ia64; then
+	# VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release
+	# chokes on -Wl,-G. The following line is correct:
+	shared_flag='-G'
+      else
+	if test "$aix_use_runtimelinking" = yes; then
+	  shared_flag='${wl}-G'
+	else
+	  shared_flag='${wl}-bM:SRE'
+	fi
+      fi
+    fi
+
+    # It seems that -bexpall does not export symbols beginning with
+    # underscore (_), so it is better to generate a list of symbols to export.
+    _LT_AC_TAGVAR(always_export_symbols, $1)=yes
+    if test "$aix_use_runtimelinking" = yes; then
+      # Warning - without using the other runtime loading flags (-brtl),
+      # -berok will link without error, but may produce a broken library.
+      _LT_AC_TAGVAR(allow_undefined_flag, $1)='-berok'
+      # Determine the default libpath from the value encoded in an empty executable.
+      _LT_AC_SYS_LIBPATH_AIX
+      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath"
+
+      _LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then echo "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$no_entry_flag \${wl}$exp_sym_flag:\$export_symbols $shared_flag"
+     else
+      if test "$host_cpu" = ia64; then
+	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R $libdir:/usr/lib:/lib'
+	_LT_AC_TAGVAR(allow_undefined_flag, $1)="-z nodefs"
+	_LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$no_entry_flag \${wl}$exp_sym_flag:\$export_symbols"
+      else
+	# Determine the default libpath from the value encoded in an empty executable.
+	_LT_AC_SYS_LIBPATH_AIX
+	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath"
+	# Warning - without using the other run time loading flags,
+	# -berok will link without error, but may produce a broken library.
+	_LT_AC_TAGVAR(no_undefined_flag, $1)=' ${wl}-bernotok'
+	_LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-berok'
+	# -bexpall does not export symbols beginning with underscore (_)
+	_LT_AC_TAGVAR(always_export_symbols, $1)=yes
+	# Exported symbols can be pulled into shared objects from archives
+	_LT_AC_TAGVAR(whole_archive_flag_spec, $1)=' '
+	_LT_AC_TAGVAR(archive_cmds_need_lc, $1)=yes
+	# This is similar to how AIX traditionally builds it's shared libraries.
+	_LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags ${wl}-bE:$export_symbols ${wl}-bnoentry${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
+      fi
+    fi
+    ;;
+  chorus*)
+    case $cc_basename in
+      *)
+	# FIXME: insert proper C++ library support
+	_LT_AC_TAGVAR(ld_shlibs, $1)=no
+	;;
+    esac
+    ;;
+
+  cygwin* | mingw* | pw32*)
+    # _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1) is actually meaningless,
+    # as there is no search path for DLLs.
+    _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+    _LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported
+    _LT_AC_TAGVAR(always_export_symbols, $1)=no
+    _LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
+
+    if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then
+      _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--image-base=0x10000000 ${wl}--out-implib,$lib'
+      # If the export-symbols file already is a .def file (1st line
+      # is EXPORTS), use it as is; otherwise, prepend...
+      _LT_AC_TAGVAR(archive_expsym_cmds, $1)='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
+	cp $export_symbols $output_objdir/$soname.def;
+      else
+	echo EXPORTS > $output_objdir/$soname.def;
+	cat $export_symbols >> $output_objdir/$soname.def;
+      fi~
+      $CC -shared -nostdlib $output_objdir/$soname.def $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--image-base=0x10000000 ${wl}--out-implib,$lib'
+    else
+      _LT_AC_TAGVAR(ld_shlibs, $1)=no
+    fi
+  ;;
+
+  darwin* | rhapsody*)
+  if test "$GXX" = yes; then
+    _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
+    case "$host_os" in
+    rhapsody* | darwin1.[[012]])
+      _LT_AC_TAGVAR(allow_undefined_flag, $1)='-undefined suppress'
+      ;;
+    *) # Darwin 1.3 on
+      if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
+      	_LT_AC_TAGVAR(allow_undefined_flag, $1)='-flat_namespace -undefined suppress'
+      else
+        case ${MACOSX_DEPLOYMENT_TARGET} in
+          10.[[012]])
+            _LT_AC_TAGVAR(allow_undefined_flag, $1)='-flat_namespace -undefined suppress'
+            ;;
+          10.*)
+            _LT_AC_TAGVAR(allow_undefined_flag, $1)='-undefined dynamic_lookup'
+            ;;
+        esac
+      fi
+      ;;
+    esac
+    lt_int_apple_cc_single_mod=no
+    output_verbose_link_cmd='echo'
+    if $CC -dumpspecs 2>&1 | grep 'single_module' >/dev/null ; then
+      lt_int_apple_cc_single_mod=yes
+    fi
+    if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
+      _LT_AC_TAGVAR(archive_cmds, $1)='$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
+    else
+      _LT_AC_TAGVAR(archive_cmds, $1)='$CC -r ${wl}-bind_at_load -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
+    fi
+    _LT_AC_TAGVAR(module_cmds, $1)='$CC ${wl}-bind_at_load $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
+
+    # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
+    if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
+      _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+    else
+      _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -r ${wl}-bind_at_load -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+    fi
+    _LT_AC_TAGVAR(module_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+    _LT_AC_TAGVAR(hardcode_direct, $1)=no
+    _LT_AC_TAGVAR(hardcode_automatic, $1)=yes
+    _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
+    _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='-all_load $convenience'
+    _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
+  else
+    _LT_AC_TAGVAR(ld_shlibs, $1)=no
+  fi
+    ;;
+
+  dgux*)
+    case $cc_basename in
+      ec++)
+	# FIXME: insert proper C++ library support
+	_LT_AC_TAGVAR(ld_shlibs, $1)=no
+	;;
+      ghcx)
+	# Green Hills C++ Compiler
+	# FIXME: insert proper C++ library support
+	_LT_AC_TAGVAR(ld_shlibs, $1)=no
+	;;
+      *)
+	# FIXME: insert proper C++ library support
+	_LT_AC_TAGVAR(ld_shlibs, $1)=no
+	;;
+    esac
+    ;;
+  freebsd[12]*)
+    # C++ shared libraries reported to be fairly broken before switch to ELF
+    _LT_AC_TAGVAR(ld_shlibs, $1)=no
+    ;;
+  freebsd-elf*)
+    _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
+    ;;
+  freebsd* | kfreebsd*-gnu)
+    # FreeBSD 3 and later use GNU C++ and GNU ld with standard ELF
+    # conventions
+    _LT_AC_TAGVAR(ld_shlibs, $1)=yes
+    ;;
+  gnu*)
+    ;;
+  hpux9*)
+    _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
+    _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+    _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
+    _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+    _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes # Not in the search PATH,
+				# but as the default
+				# location of the library.
+
+    case $cc_basename in
+    CC)
+      # FIXME: insert proper C++ library support
+      _LT_AC_TAGVAR(ld_shlibs, $1)=no
+      ;;
+    aCC)
+      _LT_AC_TAGVAR(archive_cmds, $1)='$rm $output_objdir/$soname~$CC -b ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
+      # Commands to make compiler produce verbose output that lists
+      # what "hidden" libraries, object files and flags are used when
+      # linking a shared library.
+      #
+      # There doesn't appear to be a way to prevent this compiler from
+      # explicitly linking system object files so we need to strip them
+      # from the output so that they don't get included in the library
+      # dependencies.
+      output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | egrep "\-L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
+      ;;
+    *)
+      if test "$GXX" = yes; then
+        _LT_AC_TAGVAR(archive_cmds, $1)='$rm $output_objdir/$soname~$CC -shared -nostdlib -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
+      else
+        # FIXME: insert proper C++ library support
+        _LT_AC_TAGVAR(ld_shlibs, $1)=no
+      fi
+      ;;
+    esac
+    ;;
+  hpux10*|hpux11*)
+    if test $with_gnu_ld = no; then
+      case "$host_cpu" in
+      hppa*64*)
+	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
+	_LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)='+b $libdir'
+	_LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+        ;;
+      ia64*)
+	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+        ;;
+      *)
+	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
+	_LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+	_LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
+        ;;
+      esac
+    fi
+    case "$host_cpu" in
+    hppa*64*)
+      _LT_AC_TAGVAR(hardcode_direct, $1)=no
+      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+      ;;
+    ia64*)
+      _LT_AC_TAGVAR(hardcode_direct, $1)=no
+      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+      _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes # Not in the search PATH,
+					      # but as the default
+					      # location of the library.
+      ;;
+    *)
+      _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+      _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes # Not in the search PATH,
+					      # but as the default
+					      # location of the library.
+      ;;
+    esac
+
+    case $cc_basename in
+      CC)
+	# FIXME: insert proper C++ library support
+	_LT_AC_TAGVAR(ld_shlibs, $1)=no
+	;;
+      aCC)
+	case "$host_cpu" in
+	hppa*64*|ia64*)
+	  _LT_AC_TAGVAR(archive_cmds, $1)='$LD -b +h $soname -o $lib $linker_flags $libobjs $deplibs'
+	  ;;
+	*)
+	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+	  ;;
+	esac
+	# Commands to make compiler produce verbose output that lists
+	# what "hidden" libraries, object files and flags are used when
+	# linking a shared library.
+	#
+	# There doesn't appear to be a way to prevent this compiler from
+	# explicitly linking system object files so we need to strip them
+	# from the output so that they don't get included in the library
+	# dependencies.
+	output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | grep "\-L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
+	;;
+      *)
+	if test "$GXX" = yes; then
+	  if test $with_gnu_ld = no; then
+	    case "$host_cpu" in
+	    ia64*|hppa*64*)
+	      _LT_AC_TAGVAR(archive_cmds, $1)='$LD -b +h $soname -o $lib $linker_flags $libobjs $deplibs'
+	      ;;
+	    *)
+	      _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+	      ;;
+	    esac
+	  fi
+	else
+	  # FIXME: insert proper C++ library support
+	  _LT_AC_TAGVAR(ld_shlibs, $1)=no
+	fi
+	;;
+    esac
+    ;;
+  irix5* | irix6*)
+    case $cc_basename in
+      CC)
+	# SGI C++
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -all -multigot $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${objdir}/so_locations -o $lib'
+
+	# Archives containing C++ object files must be created using
+	# "CC -ar", where "CC" is the IRIX C++ compiler.  This is
+	# necessary to make sure instantiated templates are included
+	# in the archive.
+	_LT_AC_TAGVAR(old_archive_cmds, $1)='$CC -ar -WR,-u -o $oldlib $oldobjs'
+	;;
+      *)
+	if test "$GXX" = yes; then
+	  if test "$with_gnu_ld" = no; then
+	    _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${objdir}/so_locations -o $lib'
+	  else
+	    _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` -o $lib'
+	  fi
+	fi
+	_LT_AC_TAGVAR(link_all_deplibs, $1)=yes
+	;;
+    esac
+    _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
+    _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+    ;;
+  linux*)
+    case $cc_basename in
+      KCC)
+	# Kuck and Associates, Inc. (KAI) C++ Compiler
+
+	# KCC will only create a shared library if the output file
+	# ends with ".so" (or ".sl" for HP-UX), so rename the library
+	# to its proper name (with version) after linking.
+	_LT_AC_TAGVAR(archive_cmds, $1)='tempext=`echo $shared_ext | $SED -e '\''s/\([[^()0-9A-Za-z{}]]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib'
+	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='tempext=`echo $shared_ext | $SED -e '\''s/\([[^()0-9A-Za-z{}]]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib ${wl}-retain-symbols-file,$export_symbols; mv \$templib $lib'
+	# Commands to make compiler produce verbose output that lists
+	# what "hidden" libraries, object files and flags are used when
+	# linking a shared library.
+	#
+	# There doesn't appear to be a way to prevent this compiler from
+	# explicitly linking system object files so we need to strip them
+	# from the output so that they don't get included in the library
+	# dependencies.
+	output_verbose_link_cmd='templist=`$CC $CFLAGS -v conftest.$objext -o libconftest$shared_ext 2>&1 | grep "ld"`; rm -f libconftest$shared_ext; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
+
+	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}--rpath,$libdir'
+	_LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
+
+	# Archives containing C++ object files must be created using
+	# "CC -Bstatic", where "CC" is the KAI C++ compiler.
+	_LT_AC_TAGVAR(old_archive_cmds, $1)='$CC -Bstatic -o $oldlib $oldobjs'
+	;;
+      icpc)
+	# Intel C++
+	with_gnu_ld=yes
+	_LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
+	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
+	_LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
+	_LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive$convenience ${wl}--no-whole-archive'
+	;;
+      cxx)
+	# Compaq C++
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
+	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname  -o $lib ${wl}-retain-symbols-file $wl$export_symbols'
+
+	runpath_var=LD_RUN_PATH
+	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-rpath $libdir'
+	_LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+
+	# Commands to make compiler produce verbose output that lists
+	# what "hidden" libraries, object files and flags are used when
+	# linking a shared library.
+	#
+	# There doesn't appear to be a way to prevent this compiler from
+	# explicitly linking system object files so we need to strip them
+	# from the output so that they don't get included in the library
+	# dependencies.
+	output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "ld"`; templist=`echo $templist | $SED "s/\(^.*ld.*\)\( .*ld .*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
+	;;
+    esac
+    ;;
+  lynxos*)
+    # FIXME: insert proper C++ library support
+    _LT_AC_TAGVAR(ld_shlibs, $1)=no
+    ;;
+  m88k*)
+    # FIXME: insert proper C++ library support
+    _LT_AC_TAGVAR(ld_shlibs, $1)=no
+    ;;
+  mvs*)
+    case $cc_basename in
+      cxx)
+	# FIXME: insert proper C++ library support
+	_LT_AC_TAGVAR(ld_shlibs, $1)=no
+	;;
+      *)
+	# FIXME: insert proper C++ library support
+	_LT_AC_TAGVAR(ld_shlibs, $1)=no
+	;;
+    esac
+    ;;
+  netbsd*)
+    if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
+      _LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable  -o $lib $predep_objects $libobjs $deplibs $postdep_objects $linker_flags'
+      wlarc=
+      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
+      _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+    fi
+    # Workaround some broken pre-1.5 toolchains
+    output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep conftest.$objext | $SED -e "s:-lgcc -lc -lgcc::"'
+    ;;
+  osf3*)
+    case $cc_basename in
+      KCC)
+	# Kuck and Associates, Inc. (KAI) C++ Compiler
+
+	# KCC will only create a shared library if the output file
+	# ends with ".so" (or ".sl" for HP-UX), so rename the library
+	# to its proper name (with version) after linking.
+	_LT_AC_TAGVAR(archive_cmds, $1)='tempext=`echo $shared_ext | $SED -e '\''s/\([[^()0-9A-Za-z{}]]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib'
+
+	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
+	_LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+
+	# Archives containing C++ object files must be created using
+	# "CC -Bstatic", where "CC" is the KAI C++ compiler.
+	_LT_AC_TAGVAR(old_archive_cmds, $1)='$CC -Bstatic -o $oldlib $oldobjs'
+
+	;;
+      RCC)
+	# Rational C++ 2.4.1
+	# FIXME: insert proper C++ library support
+	_LT_AC_TAGVAR(ld_shlibs, $1)=no
+	;;
+      cxx)
+	_LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $soname `test -n "$verstring" && echo ${wl}-set_version $verstring` -update_registry ${objdir}/so_locations -o $lib'
+
+	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
+	_LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+
+	# Commands to make compiler produce verbose output that lists
+	# what "hidden" libraries, object files and flags are used when
+	# linking a shared library.
+	#
+	# There doesn't appear to be a way to prevent this compiler from
+	# explicitly linking system object files so we need to strip them
+	# from the output so that they don't get included in the library
+	# dependencies.
+	output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "ld" | grep -v "ld:"`; templist=`echo $templist | $SED "s/\(^.*ld.*\)\( .*ld.*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
+	;;
+      *)
+	if test "$GXX" = yes && test "$with_gnu_ld" = no; then
+	  _LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
+	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${objdir}/so_locations -o $lib'
+
+	  _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
+	  _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+
+	  # Commands to make compiler produce verbose output that lists
+	  # what "hidden" libraries, object files and flags are used when
+	  # linking a shared library.
+	  output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "\-L"'
+
+	else
+	  # FIXME: insert proper C++ library support
+	  _LT_AC_TAGVAR(ld_shlibs, $1)=no
+	fi
+	;;
+    esac
+    ;;
+  osf4* | osf5*)
+    case $cc_basename in
+      KCC)
+	# Kuck and Associates, Inc. (KAI) C++ Compiler
+
+	# KCC will only create a shared library if the output file
+	# ends with ".so" (or ".sl" for HP-UX), so rename the library
+	# to its proper name (with version) after linking.
+	_LT_AC_TAGVAR(archive_cmds, $1)='tempext=`echo $shared_ext | $SED -e '\''s/\([[^()0-9A-Za-z{}]]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib'
+
+	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
+	_LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+
+	# Archives containing C++ object files must be created using
+	# the KAI C++ compiler.
+	_LT_AC_TAGVAR(old_archive_cmds, $1)='$CC -o $oldlib $oldobjs'
+	;;
+      RCC)
+	# Rational C++ 2.4.1
+	# FIXME: insert proper C++ library support
+	_LT_AC_TAGVAR(ld_shlibs, $1)=no
+	;;
+      cxx)
+	_LT_AC_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*'
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${objdir}/so_locations -o $lib'
+	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done~
+	  echo "-hidden">> $lib.exp~
+	  $CC -shared$allow_undefined_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname -Wl,-input -Wl,$lib.exp  `test -n "$verstring" && echo -set_version	$verstring` -update_registry $objdir/so_locations -o $lib~
+	  $rm $lib.exp'
+
+	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-rpath $libdir'
+	_LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+
+	# Commands to make compiler produce verbose output that lists
+	# what "hidden" libraries, object files and flags are used when
+	# linking a shared library.
+	#
+	# There doesn't appear to be a way to prevent this compiler from
+	# explicitly linking system object files so we need to strip them
+	# from the output so that they don't get included in the library
+	# dependencies.
+	output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "ld" | grep -v "ld:"`; templist=`echo $templist | $SED "s/\(^.*ld.*\)\( .*ld.*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
+	;;
+      *)
+	if test "$GXX" = yes && test "$with_gnu_ld" = no; then
+	  _LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
+	 _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${objdir}/so_locations -o $lib'
+
+	  _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
+	  _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+
+	  # Commands to make compiler produce verbose output that lists
+	  # what "hidden" libraries, object files and flags are used when
+	  # linking a shared library.
+	  output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "\-L"'
+
+	else
+	  # FIXME: insert proper C++ library support
+	  _LT_AC_TAGVAR(ld_shlibs, $1)=no
+	fi
+	;;
+    esac
+    ;;
+  psos*)
+    # FIXME: insert proper C++ library support
+    _LT_AC_TAGVAR(ld_shlibs, $1)=no
+    ;;
+  sco*)
+    _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
+    case $cc_basename in
+      CC)
+	# FIXME: insert proper C++ library support
+	_LT_AC_TAGVAR(ld_shlibs, $1)=no
+	;;
+      *)
+	# FIXME: insert proper C++ library support
+	_LT_AC_TAGVAR(ld_shlibs, $1)=no
+	;;
+    esac
+    ;;
+  sunos4*)
+    case $cc_basename in
+      CC)
+	# Sun C++ 4.x
+	# FIXME: insert proper C++ library support
+	_LT_AC_TAGVAR(ld_shlibs, $1)=no
+	;;
+      lcc)
+	# Lucid
+	# FIXME: insert proper C++ library support
+	_LT_AC_TAGVAR(ld_shlibs, $1)=no
+	;;
+      *)
+	# FIXME: insert proper C++ library support
+	_LT_AC_TAGVAR(ld_shlibs, $1)=no
+	;;
+    esac
+    ;;
+  solaris*)
+    case $cc_basename in
+      CC)
+	# Sun C++ 4.2, 5.x and Centerline C++
+	_LT_AC_TAGVAR(no_undefined_flag, $1)=' -zdefs'
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -G${allow_undefined_flag} -nolib -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
+	$CC -G${allow_undefined_flag} -nolib ${wl}-M ${wl}$lib.exp -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$rm $lib.exp'
+
+	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
+	_LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+	case $host_os in
+	  solaris2.[0-5] | solaris2.[0-5].*) ;;
+	  *)
+	    # The C++ compiler is used as linker so we must use $wl
+	    # flag to pass the commands to the underlying system
+	    # linker.
+	    # Supported since Solaris 2.6 (maybe 2.5.1?)
+	    _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}-z ${wl}allextract$convenience ${wl}-z ${wl}defaultextract'
+	    ;;
+	esac
+	_LT_AC_TAGVAR(link_all_deplibs, $1)=yes
+
+	# Commands to make compiler produce verbose output that lists
+	# what "hidden" libraries, object files and flags are used when
+	# linking a shared library.
+	#
+	# There doesn't appear to be a way to prevent this compiler from
+	# explicitly linking system object files so we need to strip them
+	# from the output so that they don't get included in the library
+	# dependencies.
+	output_verbose_link_cmd='templist=`$CC -G $CFLAGS -v conftest.$objext 2>&1 | grep "\-[[LR]]"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
+
+	# Archives containing C++ object files must be created using
+	# "CC -xar", where "CC" is the Sun C++ compiler.  This is
+	# necessary to make sure instantiated templates are included
+	# in the archive.
+	_LT_AC_TAGVAR(old_archive_cmds, $1)='$CC -xar -o $oldlib $oldobjs'
+	;;
+      gcx)
+	# Green Hills C++ Compiler
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib'
+
+	# The C++ compiler must be used to create the archive.
+	_LT_AC_TAGVAR(old_archive_cmds, $1)='$CC $LDFLAGS -archive -o $oldlib $oldobjs'
+	;;
+      *)
+	# GNU C++ compiler with Solaris linker
+	if test "$GXX" = yes && test "$with_gnu_ld" = no; then
+	  _LT_AC_TAGVAR(no_undefined_flag, $1)=' ${wl}-z ${wl}defs'
+	  if $CC --version | grep -v '^2\.7' > /dev/null; then
+	    _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $LDFLAGS $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib'
+	    _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
+		$CC -shared -nostdlib ${wl}-M $wl$lib.exp -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$rm $lib.exp'
+
+	    # Commands to make compiler produce verbose output that lists
+	    # what "hidden" libraries, object files and flags are used when
+	    # linking a shared library.
+	    output_verbose_link_cmd="$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep \"\-L\""
+	  else
+	    # g++ 2.7 appears to require `-G' NOT `-shared' on this
+	    # platform.
+	    _LT_AC_TAGVAR(archive_cmds, $1)='$CC -G -nostdlib $LDFLAGS $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib'
+	    _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
+		$CC -G -nostdlib ${wl}-M $wl$lib.exp -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$rm $lib.exp'
+
+	    # Commands to make compiler produce verbose output that lists
+	    # what "hidden" libraries, object files and flags are used when
+	    # linking a shared library.
+	    output_verbose_link_cmd="$CC -G $CFLAGS -v conftest.$objext 2>&1 | grep \"\-L\""
+	  fi
+
+	  _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R $wl$libdir'
+	fi
+	;;
+    esac
+    ;;
+  sysv5OpenUNIX8* | sysv5UnixWare7* | sysv5uw[[78]]* | unixware7*)
+    _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
+    ;;
+  tandem*)
+    case $cc_basename in
+      NCC)
+	# NonStop-UX NCC 3.20
+	# FIXME: insert proper C++ library support
+	_LT_AC_TAGVAR(ld_shlibs, $1)=no
+	;;
+      *)
+	# FIXME: insert proper C++ library support
+	_LT_AC_TAGVAR(ld_shlibs, $1)=no
+	;;
+    esac
+    ;;
+  vxworks*)
+    # FIXME: insert proper C++ library support
+    _LT_AC_TAGVAR(ld_shlibs, $1)=no
+    ;;
+  *)
+    # FIXME: insert proper C++ library support
+    _LT_AC_TAGVAR(ld_shlibs, $1)=no
+    ;;
+esac
+AC_MSG_RESULT([$_LT_AC_TAGVAR(ld_shlibs, $1)])
+test "$_LT_AC_TAGVAR(ld_shlibs, $1)" = no && can_build_shared=no
+
+_LT_AC_TAGVAR(GCC, $1)="$GXX"
+_LT_AC_TAGVAR(LD, $1)="$LD"
+
+## CAVEAT EMPTOR:
+## There is no encapsulation within the following macros, do not change
+## the running order or otherwise move them around unless you know exactly
+## what you are doing...
+AC_LIBTOOL_POSTDEP_PREDEP($1)
+AC_LIBTOOL_PROG_COMPILER_PIC($1)
+AC_LIBTOOL_PROG_CC_C_O($1)
+AC_LIBTOOL_SYS_HARD_LINK_LOCKS($1)
+AC_LIBTOOL_PROG_LD_SHLIBS($1)
+AC_LIBTOOL_SYS_DYNAMIC_LINKER($1)
+AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH($1)
+AC_LIBTOOL_SYS_LIB_STRIP
+AC_LIBTOOL_DLOPEN_SELF($1)
+
+AC_LIBTOOL_CONFIG($1)
+
+AC_LANG_POP
+CC=$lt_save_CC
+LDCXX=$LD
+LD=$lt_save_LD
+GCC=$lt_save_GCC
+with_gnu_ldcxx=$with_gnu_ld
+with_gnu_ld=$lt_save_with_gnu_ld
+lt_cv_path_LDCXX=$lt_cv_path_LD
+lt_cv_path_LD=$lt_save_path_LD
+lt_cv_prog_gnu_ldcxx=$lt_cv_prog_gnu_ld
+lt_cv_prog_gnu_ld=$lt_save_with_gnu_ld
+])# AC_LIBTOOL_LANG_CXX_CONFIG
+
+# AC_LIBTOOL_POSTDEP_PREDEP([TAGNAME])
+# ------------------------
+# Figure out "hidden" library dependencies from verbose
+# compiler output when linking a shared library.
+# Parse the compiler output and extract the necessary
+# objects, libraries and library flags.
+AC_DEFUN([AC_LIBTOOL_POSTDEP_PREDEP],[
+dnl we can't use the lt_simple_compile_test_code here,
+dnl because it contains code intended for an executable,
+dnl not a library.  It's possible we should let each
+dnl tag define a new lt_????_link_test_code variable,
+dnl but it's only used here...
+ifelse([$1],[],[cat > conftest.$ac_ext <<EOF
+int a;
+void foo (void) { a = 0; }
+EOF
+],[$1],[CXX],[cat > conftest.$ac_ext <<EOF
+class Foo
+{
+public:
+  Foo (void) { a = 0; }
+private:
+  int a;
+};
+EOF
+],[$1],[F77],[cat > conftest.$ac_ext <<EOF
+      subroutine foo
+      implicit none
+      integer*4 a
+      a=0
+      return
+      end
+EOF
+],[$1],[GCJ],[cat > conftest.$ac_ext <<EOF
+public class foo {
+  private int a;
+  public void bar (void) {
+    a = 0;
+  }
+};
+EOF
+])
+dnl Parse the compiler output and extract the necessary
+dnl objects, libraries and library flags.
+if AC_TRY_EVAL(ac_compile); then
+  # Parse the compiler output and extract the necessary
+  # objects, libraries and library flags.
+
+  # Sentinel used to keep track of whether or not we are before
+  # the conftest object file.
+  pre_test_object_deps_done=no
+
+  # The `*' in the case matches for architectures that use `case' in
+  # $output_verbose_cmd can trigger glob expansion during the loop
+  # eval without this substitution.
+  output_verbose_link_cmd="`$echo \"X$output_verbose_link_cmd\" | $Xsed -e \"$no_glob_subst\"`"
+
+  for p in `eval $output_verbose_link_cmd`; do
+    case $p in
+
+    -L* | -R* | -l*)
+       # Some compilers place space between "-{L,R}" and the path.
+       # Remove the space.
+       if test $p = "-L" \
+	  || test $p = "-R"; then
+	 prev=$p
+	 continue
+       else
+	 prev=
+       fi
+
+       if test "$pre_test_object_deps_done" = no; then
+	 case $p in
+	 -L* | -R*)
+	   # Internal compiler library paths should come after those
+	   # provided the user.  The postdeps already come after the
+	   # user supplied libs so there is no need to process them.
+	   if test -z "$_LT_AC_TAGVAR(compiler_lib_search_path, $1)"; then
+	     _LT_AC_TAGVAR(compiler_lib_search_path, $1)="${prev}${p}"
+	   else
+	     _LT_AC_TAGVAR(compiler_lib_search_path, $1)="${_LT_AC_TAGVAR(compiler_lib_search_path, $1)} ${prev}${p}"
+	   fi
+	   ;;
+	 # The "-l" case would never come before the object being
+	 # linked, so don't bother handling this case.
+	 esac
+       else
+	 if test -z "$_LT_AC_TAGVAR(postdeps, $1)"; then
+	   _LT_AC_TAGVAR(postdeps, $1)="${prev}${p}"
+	 else
+	   _LT_AC_TAGVAR(postdeps, $1)="${_LT_AC_TAGVAR(postdeps, $1)} ${prev}${p}"
+	 fi
+       fi
+       ;;
+
+    *.$objext)
+       # This assumes that the test object file only shows up
+       # once in the compiler output.
+       if test "$p" = "conftest.$objext"; then
+	 pre_test_object_deps_done=yes
+	 continue
+       fi
+
+       if test "$pre_test_object_deps_done" = no; then
+	 if test -z "$_LT_AC_TAGVAR(predep_objects, $1)"; then
+	   _LT_AC_TAGVAR(predep_objects, $1)="$p"
+	 else
+	   _LT_AC_TAGVAR(predep_objects, $1)="$_LT_AC_TAGVAR(predep_objects, $1) $p"
+	 fi
+       else
+	 if test -z "$_LT_AC_TAGVAR(postdep_objects, $1)"; then
+	   _LT_AC_TAGVAR(postdep_objects, $1)="$p"
+	 else
+	   _LT_AC_TAGVAR(postdep_objects, $1)="$_LT_AC_TAGVAR(postdep_objects, $1) $p"
+	 fi
+       fi
+       ;;
+
+    *) ;; # Ignore the rest.
+
+    esac
+  done
+
+  # Clean up.
+  rm -f a.out a.exe
+else
+  echo "libtool.m4: error: problem compiling $1 test program"
+fi
+
+$rm -f confest.$objext
+
+case " $_LT_AC_TAGVAR(postdeps, $1) " in
+*" -lc "*) _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no ;;
+esac
+])# AC_LIBTOOL_POSTDEP_PREDEP
+
+# AC_LIBTOOL_LANG_F77_CONFIG
+# ------------------------
+# Ensure that the configuration vars for the C compiler are
+# suitably defined.  Those variables are subsequently used by
+# AC_LIBTOOL_CONFIG to write the compiler configuration to `libtool'.
+AC_DEFUN([AC_LIBTOOL_LANG_F77_CONFIG], [_LT_AC_LANG_F77_CONFIG(F77)])
+AC_DEFUN([_LT_AC_LANG_F77_CONFIG],
+[AC_REQUIRE([AC_PROG_F77])
+AC_LANG_PUSH(Fortran 77)
+
+_LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
+_LT_AC_TAGVAR(allow_undefined_flag, $1)=
+_LT_AC_TAGVAR(always_export_symbols, $1)=no
+_LT_AC_TAGVAR(archive_expsym_cmds, $1)=
+_LT_AC_TAGVAR(export_dynamic_flag_spec, $1)=
+_LT_AC_TAGVAR(hardcode_direct, $1)=no
+_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)=
+_LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)=
+_LT_AC_TAGVAR(hardcode_libdir_separator, $1)=
+_LT_AC_TAGVAR(hardcode_minus_L, $1)=no
+_LT_AC_TAGVAR(hardcode_automatic, $1)=no
+_LT_AC_TAGVAR(module_cmds, $1)=
+_LT_AC_TAGVAR(module_expsym_cmds, $1)=
+_LT_AC_TAGVAR(link_all_deplibs, $1)=unknown
+_LT_AC_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds
+_LT_AC_TAGVAR(no_undefined_flag, $1)=
+_LT_AC_TAGVAR(whole_archive_flag_spec, $1)=
+_LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=no
+
+# Source file extension for f77 test sources.
+ac_ext=f
+
+# Object file extension for compiled f77 test sources.
+objext=o
+_LT_AC_TAGVAR(objext, $1)=$objext
+
+# Code to be used in simple compile tests
+lt_simple_compile_test_code="      subroutine t\n      return\n      end\n"
+
+# Code to be used in simple link tests
+lt_simple_link_test_code="      program t\n      end\n"
+
+# ltmain only uses $CC for tagged configurations so make sure $CC is set.
+_LT_AC_SYS_COMPILER
+
+# Allow CC to be a program name with arguments.
+lt_save_CC="$CC"
+CC=${F77-"f77"}
+compiler=$CC
+_LT_AC_TAGVAR(compiler, $1)=$CC
+cc_basename=`$echo X"$compiler" | $Xsed -e 's%^.*/%%'`
+
+AC_MSG_CHECKING([if libtool supports shared libraries])
+AC_MSG_RESULT([$can_build_shared])
+
+AC_MSG_CHECKING([whether to build shared libraries])
+test "$can_build_shared" = "no" && enable_shared=no
+
+# On AIX, shared libraries and static libraries use the same namespace, and
+# are all built from PIC.
+case "$host_os" in
+aix3*)
+  test "$enable_shared" = yes && enable_static=no
+  if test -n "$RANLIB"; then
+    archive_cmds="$archive_cmds~\$RANLIB \$lib"
+    postinstall_cmds='$RANLIB $lib'
+  fi
+  ;;
+aix4*)
+  test "$enable_shared" = yes && enable_static=no
+  ;;
+esac
+AC_MSG_RESULT([$enable_shared])
+
+AC_MSG_CHECKING([whether to build static libraries])
+# Make sure either enable_shared or enable_static is yes.
+test "$enable_shared" = yes || enable_static=yes
+AC_MSG_RESULT([$enable_static])
+
+test "$_LT_AC_TAGVAR(ld_shlibs, $1)" = no && can_build_shared=no
+
+_LT_AC_TAGVAR(GCC, $1)="$G77"
+_LT_AC_TAGVAR(LD, $1)="$LD"
+
+AC_LIBTOOL_PROG_COMPILER_PIC($1)
+AC_LIBTOOL_PROG_CC_C_O($1)
+AC_LIBTOOL_SYS_HARD_LINK_LOCKS($1)
+AC_LIBTOOL_PROG_LD_SHLIBS($1)
+AC_LIBTOOL_SYS_DYNAMIC_LINKER($1)
+AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH($1)
+AC_LIBTOOL_SYS_LIB_STRIP
+
+
+AC_LIBTOOL_CONFIG($1)
+
+AC_LANG_POP
+CC="$lt_save_CC"
+])# AC_LIBTOOL_LANG_F77_CONFIG
+
+
+# AC_LIBTOOL_LANG_GCJ_CONFIG
+# --------------------------
+# Ensure that the configuration vars for the C compiler are
+# suitably defined.  Those variables are subsequently used by
+# AC_LIBTOOL_CONFIG to write the compiler configuration to `libtool'.
+AC_DEFUN([AC_LIBTOOL_LANG_GCJ_CONFIG], [_LT_AC_LANG_GCJ_CONFIG(GCJ)])
+AC_DEFUN([_LT_AC_LANG_GCJ_CONFIG],
+[AC_LANG_SAVE
+
+# Source file extension for Java test sources.
+ac_ext=java
+
+# Object file extension for compiled Java test sources.
+objext=o
+_LT_AC_TAGVAR(objext, $1)=$objext
+
+# Code to be used in simple compile tests
+lt_simple_compile_test_code="class foo {}\n"
+
+# Code to be used in simple link tests
+lt_simple_link_test_code='public class conftest { public static void main(String[] argv) {}; }\n'
+
+# ltmain only uses $CC for tagged configurations so make sure $CC is set.
+_LT_AC_SYS_COMPILER
+
+# Allow CC to be a program name with arguments.
+lt_save_CC="$CC"
+CC=${GCJ-"gcj"}
+compiler=$CC
+_LT_AC_TAGVAR(compiler, $1)=$CC
+
+# GCJ did not exist at the time GCC didn't implicitly link libc in.
+_LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
+
+## CAVEAT EMPTOR:
+## There is no encapsulation within the following macros, do not change
+## the running order or otherwise move them around unless you know exactly
+## what you are doing...
+AC_LIBTOOL_PROG_COMPILER_NO_RTTI($1)
+AC_LIBTOOL_PROG_COMPILER_PIC($1)
+AC_LIBTOOL_PROG_CC_C_O($1)
+AC_LIBTOOL_SYS_HARD_LINK_LOCKS($1)
+AC_LIBTOOL_PROG_LD_SHLIBS($1)
+AC_LIBTOOL_SYS_DYNAMIC_LINKER($1)
+AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH($1)
+AC_LIBTOOL_SYS_LIB_STRIP
+AC_LIBTOOL_DLOPEN_SELF($1)
+
+AC_LIBTOOL_CONFIG($1)
+
+AC_LANG_RESTORE
+CC="$lt_save_CC"
+])# AC_LIBTOOL_LANG_GCJ_CONFIG
+
+
+# AC_LIBTOOL_LANG_RC_CONFIG
+# --------------------------
+# Ensure that the configuration vars for the Windows resource compiler are
+# suitably defined.  Those variables are subsequently used by
+# AC_LIBTOOL_CONFIG to write the compiler configuration to `libtool'.
+AC_DEFUN([AC_LIBTOOL_LANG_RC_CONFIG], [_LT_AC_LANG_RC_CONFIG(RC)])
+AC_DEFUN([_LT_AC_LANG_RC_CONFIG],
+[AC_LANG_SAVE
+
+# Source file extension for RC test sources.
+ac_ext=rc
+
+# Object file extension for compiled RC test sources.
+objext=o
+_LT_AC_TAGVAR(objext, $1)=$objext
+
+# Code to be used in simple compile tests
+lt_simple_compile_test_code='sample MENU { MENUITEM "&Soup", 100, CHECKED }\n'
+
+# Code to be used in simple link tests
+lt_simple_link_test_code="$lt_simple_compile_test_code"
+
+# ltmain only uses $CC for tagged configurations so make sure $CC is set.
+_LT_AC_SYS_COMPILER
+
+# Allow CC to be a program name with arguments.
+lt_save_CC="$CC"
+CC=${RC-"windres"}
+compiler=$CC
+_LT_AC_TAGVAR(compiler, $1)=$CC
+_LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)=yes
+
+AC_LIBTOOL_CONFIG($1)
+
+AC_LANG_RESTORE
+CC="$lt_save_CC"
+])# AC_LIBTOOL_LANG_RC_CONFIG
+
+
+# AC_LIBTOOL_CONFIG([TAGNAME])
+# ----------------------------
+# If TAGNAME is not passed, then create an initial libtool script
+# with a default configuration from the untagged config vars.  Otherwise
+# add code to config.status for appending the configuration named by
+# TAGNAME from the matching tagged config vars.
+AC_DEFUN([AC_LIBTOOL_CONFIG],
+[# The else clause should only fire when bootstrapping the
+# libtool distribution, otherwise you forgot to ship ltmain.sh
+# with your package, and you will get complaints that there are
+# no rules to generate ltmain.sh.
+if test -f "$ltmain"; then
+  # See if we are running on zsh, and set the options which allow our commands through
+  # without removal of \ escapes.
+  if test -n "${ZSH_VERSION+set}" ; then
+    setopt NO_GLOB_SUBST
+  fi
+  # Now quote all the things that may contain metacharacters while being
+  # careful not to overquote the AC_SUBSTed values.  We take copies of the
+  # variables and quote the copies for generation of the libtool script.
+  for var in echo old_CC old_CFLAGS AR AR_FLAGS EGREP RANLIB LN_S LTCC NM \
+    SED SHELL STRIP \
+    libname_spec library_names_spec soname_spec extract_expsyms_cmds \
+    old_striplib striplib file_magic_cmd finish_cmds finish_eval \
+    deplibs_check_method reload_flag reload_cmds need_locks \
+    lt_cv_sys_global_symbol_pipe lt_cv_sys_global_symbol_to_cdecl \
+    lt_cv_sys_global_symbol_to_c_name_address \
+    sys_lib_search_path_spec sys_lib_dlsearch_path_spec \
+    old_postinstall_cmds old_postuninstall_cmds \
+    _LT_AC_TAGVAR(compiler, $1) \
+    _LT_AC_TAGVAR(CC, $1) \
+    _LT_AC_TAGVAR(LD, $1) \
+    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1) \
+    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1) \
+    _LT_AC_TAGVAR(lt_prog_compiler_static, $1) \
+    _LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1) \
+    _LT_AC_TAGVAR(export_dynamic_flag_spec, $1) \
+    _LT_AC_TAGVAR(thread_safe_flag_spec, $1) \
+    _LT_AC_TAGVAR(whole_archive_flag_spec, $1) \
+    _LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1) \
+    _LT_AC_TAGVAR(old_archive_cmds, $1) \
+    _LT_AC_TAGVAR(old_archive_from_new_cmds, $1) \
+    _LT_AC_TAGVAR(predep_objects, $1) \
+    _LT_AC_TAGVAR(postdep_objects, $1) \
+    _LT_AC_TAGVAR(predeps, $1) \
+    _LT_AC_TAGVAR(postdeps, $1) \
+    _LT_AC_TAGVAR(compiler_lib_search_path, $1) \
+    _LT_AC_TAGVAR(archive_cmds, $1) \
+    _LT_AC_TAGVAR(archive_expsym_cmds, $1) \
+    _LT_AC_TAGVAR(postinstall_cmds, $1) \
+    _LT_AC_TAGVAR(postuninstall_cmds, $1) \
+    _LT_AC_TAGVAR(old_archive_from_expsyms_cmds, $1) \
+    _LT_AC_TAGVAR(allow_undefined_flag, $1) \
+    _LT_AC_TAGVAR(no_undefined_flag, $1) \
+    _LT_AC_TAGVAR(export_symbols_cmds, $1) \
+    _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1) \
+    _LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1) \
+    _LT_AC_TAGVAR(hardcode_libdir_separator, $1) \
+    _LT_AC_TAGVAR(hardcode_automatic, $1) \
+    _LT_AC_TAGVAR(module_cmds, $1) \
+    _LT_AC_TAGVAR(module_expsym_cmds, $1) \
+    _LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1) \
+    _LT_AC_TAGVAR(exclude_expsyms, $1) \
+    _LT_AC_TAGVAR(include_expsyms, $1); do
+
+    case $var in
+    _LT_AC_TAGVAR(old_archive_cmds, $1) | \
+    _LT_AC_TAGVAR(old_archive_from_new_cmds, $1) | \
+    _LT_AC_TAGVAR(archive_cmds, $1) | \
+    _LT_AC_TAGVAR(archive_expsym_cmds, $1) | \
+    _LT_AC_TAGVAR(module_cmds, $1) | \
+    _LT_AC_TAGVAR(module_expsym_cmds, $1) | \
+    _LT_AC_TAGVAR(old_archive_from_expsyms_cmds, $1) | \
+    _LT_AC_TAGVAR(export_symbols_cmds, $1) | \
+    extract_expsyms_cmds | reload_cmds | finish_cmds | \
+    postinstall_cmds | postuninstall_cmds | \
+    old_postinstall_cmds | old_postuninstall_cmds | \
+    sys_lib_search_path_spec | sys_lib_dlsearch_path_spec)
+      # Double-quote double-evaled strings.
+      eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$double_quote_subst\" -e \"\$sed_quote_subst\" -e \"\$delay_variable_subst\"\`\\\""
+      ;;
+    *)
+      eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$sed_quote_subst\"\`\\\""
+      ;;
+    esac
+  done
+
+  case $lt_echo in
+  *'\[$]0 --fallback-echo"')
+    lt_echo=`$echo "X$lt_echo" | $Xsed -e 's/\\\\\\\[$]0 --fallback-echo"[$]/[$]0 --fallback-echo"/'`
+    ;;
+  esac
+
+ifelse([$1], [],
+  [cfgfile="${ofile}T"
+  trap "$rm \"$cfgfile\"; exit 1" 1 2 15
+  $rm -f "$cfgfile"
+  AC_MSG_NOTICE([creating $ofile])],
+  [cfgfile="$ofile"])
+
+  cat <<__EOF__ >> "$cfgfile"
+ifelse([$1], [],
+[#! $SHELL
+
+# `$echo "$cfgfile" | sed 's%^.*/%%'` - Provide generalized library-building support services.
+# Generated automatically by $PROGRAM (GNU $PACKAGE $VERSION$TIMESTAMP)
+# NOTE: Changes made to this file will be lost: look at ltmain.sh.
+#
+# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001
+# Free Software Foundation, Inc.
+#
+# This file is part of GNU Libtool:
+# Originally by Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+#
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+# A sed program that does not truncate output.
+SED=$lt_SED
+
+# Sed that helps us avoid accidentally triggering echo(1) options like -n.
+Xsed="$SED -e s/^X//"
+
+# The HP-UX ksh and POSIX shell print the target directory to stdout
+# if CDPATH is set.
+if test "X\${CDPATH+set}" = Xset; then CDPATH=:; export CDPATH; fi
+
+# The names of the tagged configurations supported by this script.
+available_tags=
+
+# ### BEGIN LIBTOOL CONFIG],
+[# ### BEGIN LIBTOOL TAG CONFIG: $tagname])
+
+# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`:
+
+# Shell to use when invoking shell scripts.
+SHELL=$lt_SHELL
+
+# Whether or not to build shared libraries.
+build_libtool_libs=$enable_shared
+
+# Whether or not to build static libraries.
+build_old_libs=$enable_static
+
+# Whether or not to add -lc for building shared libraries.
+build_libtool_need_lc=$_LT_AC_TAGVAR(archive_cmds_need_lc, $1)
+
+# Whether or not to disallow shared libs when runtime libs are static
+allow_libtool_libs_with_static_runtimes=$_LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)
+
+# Whether or not to optimize for fast installation.
+fast_install=$enable_fast_install
+
+# The host system.
+host_alias=$host_alias
+host=$host
+
+# An echo program that does not interpret backslashes.
+echo=$lt_echo
+
+# The archiver.
+AR=$lt_AR
+AR_FLAGS=$lt_AR_FLAGS
+
+# A C compiler.
+LTCC=$lt_LTCC
+
+# A language-specific compiler.
+CC=$lt_[]_LT_AC_TAGVAR(compiler, $1)
+
+# Is the compiler the GNU C compiler?
+with_gcc=$_LT_AC_TAGVAR(GCC, $1)
+
+# An ERE matcher.
+EGREP=$lt_EGREP
+
+# The linker used to build libraries.
+LD=$lt_[]_LT_AC_TAGVAR(LD, $1)
+
+# Whether we need hard or soft links.
+LN_S=$lt_LN_S
+
+# A BSD-compatible nm program.
+NM=$lt_NM
+
+# A symbol stripping program
+STRIP=$lt_STRIP
+
+# Used to examine libraries when file_magic_cmd begins "file"
+MAGIC_CMD=$MAGIC_CMD
+
+# Used on cygwin: DLL creation program.
+DLLTOOL="$DLLTOOL"
+
+# Used on cygwin: object dumper.
+OBJDUMP="$OBJDUMP"
+
+# Used on cygwin: assembler.
+AS="$AS"
+
+# The name of the directory that contains temporary libtool files.
+objdir=$objdir
+
+# How to create reloadable object files.
+reload_flag=$lt_reload_flag
+reload_cmds=$lt_reload_cmds
+
+# How to pass a linker flag through the compiler.
+wl=$lt_[]_LT_AC_TAGVAR(lt_prog_compiler_wl, $1)
+
+# Object file suffix (normally "o").
+objext="$ac_objext"
+
+# Old archive suffix (normally "a").
+libext="$libext"
+
+# Shared library suffix (normally ".so").
+shrext='$shrext'
+
+# Executable file suffix (normally "").
+exeext="$exeext"
+
+# Additional compiler flags for building library objects.
+pic_flag=$lt_[]_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)
+pic_mode=$pic_mode
+
+# What is the maximum length of a command?
+max_cmd_len=$lt_cv_sys_max_cmd_len
+
+# Does compiler simultaneously support -c and -o options?
+compiler_c_o=$lt_[]_LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)
+
+# Must we lock files when doing compilation ?
+need_locks=$lt_need_locks
+
+# Do we need the lib prefix for modules?
+need_lib_prefix=$need_lib_prefix
+
+# Do we need a version for libraries?
+need_version=$need_version
+
+# Whether dlopen is supported.
+dlopen_support=$enable_dlopen
+
+# Whether dlopen of programs is supported.
+dlopen_self=$enable_dlopen_self
+
+# Whether dlopen of statically linked programs is supported.
+dlopen_self_static=$enable_dlopen_self_static
+
+# Compiler flag to prevent dynamic linking.
+link_static_flag=$lt_[]_LT_AC_TAGVAR(lt_prog_compiler_static, $1)
+
+# Compiler flag to turn off builtin functions.
+no_builtin_flag=$lt_[]_LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)
+
+# Compiler flag to allow reflexive dlopens.
+export_dynamic_flag_spec=$lt_[]_LT_AC_TAGVAR(export_dynamic_flag_spec, $1)
+
+# Compiler flag to generate shared objects directly from archives.
+whole_archive_flag_spec=$lt_[]_LT_AC_TAGVAR(whole_archive_flag_spec, $1)
+
+# Compiler flag to generate thread-safe objects.
+thread_safe_flag_spec=$lt_[]_LT_AC_TAGVAR(thread_safe_flag_spec, $1)
+
+# Library versioning type.
+version_type=$version_type
+
+# Format of library name prefix.
+libname_spec=$lt_libname_spec
+
+# List of archive names.  First name is the real one, the rest are links.
+# The last name is the one that the linker finds with -lNAME.
+library_names_spec=$lt_library_names_spec
+
+# The coded name of the library, if different from the real name.
+soname_spec=$lt_soname_spec
+
+# Commands used to build and install an old-style archive.
+RANLIB=$lt_RANLIB
+old_archive_cmds=$lt_[]_LT_AC_TAGVAR(old_archive_cmds, $1)
+old_postinstall_cmds=$lt_old_postinstall_cmds
+old_postuninstall_cmds=$lt_old_postuninstall_cmds
+
+# Create an old-style archive from a shared archive.
+old_archive_from_new_cmds=$lt_[]_LT_AC_TAGVAR(old_archive_from_new_cmds, $1)
+
+# Create a temporary old-style archive to link instead of a shared archive.
+old_archive_from_expsyms_cmds=$lt_[]_LT_AC_TAGVAR(old_archive_from_expsyms_cmds, $1)
+
+# Commands used to build and install a shared archive.
+archive_cmds=$lt_[]_LT_AC_TAGVAR(archive_cmds, $1)
+archive_expsym_cmds=$lt_[]_LT_AC_TAGVAR(archive_expsym_cmds, $1)
+postinstall_cmds=$lt_postinstall_cmds
+postuninstall_cmds=$lt_postuninstall_cmds
+
+# Commands used to build a loadable module (assumed same as above if empty)
+module_cmds=$lt_[]_LT_AC_TAGVAR(module_cmds, $1)
+module_expsym_cmds=$lt_[]_LT_AC_TAGVAR(module_expsym_cmds, $1)
+
+# Commands to strip libraries.
+old_striplib=$lt_old_striplib
+striplib=$lt_striplib
+
+# Dependencies to place before the objects being linked to create a
+# shared library.
+predep_objects=$lt_[]_LT_AC_TAGVAR(predep_objects, $1)
+
+# Dependencies to place after the objects being linked to create a
+# shared library.
+postdep_objects=$lt_[]_LT_AC_TAGVAR(postdep_objects, $1)
+
+# Dependencies to place before the objects being linked to create a
+# shared library.
+predeps=$lt_[]_LT_AC_TAGVAR(predeps, $1)
+
+# Dependencies to place after the objects being linked to create a
+# shared library.
+postdeps=$lt_[]_LT_AC_TAGVAR(postdeps, $1)
+
+# The library search path used internally by the compiler when linking
+# a shared library.
+compiler_lib_search_path=$lt_[]_LT_AC_TAGVAR(compiler_lib_search_path, $1)
+
+# Method to check whether dependent libraries are shared objects.
+deplibs_check_method=$lt_deplibs_check_method
+
+# Command to use when deplibs_check_method == file_magic.
+file_magic_cmd=$lt_file_magic_cmd
+
+# Flag that allows shared libraries with undefined symbols to be built.
+allow_undefined_flag=$lt_[]_LT_AC_TAGVAR(allow_undefined_flag, $1)
+
+# Flag that forces no undefined symbols.
+no_undefined_flag=$lt_[]_LT_AC_TAGVAR(no_undefined_flag, $1)
+
+# Commands used to finish a libtool library installation in a directory.
+finish_cmds=$lt_finish_cmds
+
+# Same as above, but a single script fragment to be evaled but not shown.
+finish_eval=$lt_finish_eval
+
+# Take the output of nm and produce a listing of raw symbols and C names.
+global_symbol_pipe=$lt_lt_cv_sys_global_symbol_pipe
+
+# Transform the output of nm in a proper C declaration
+global_symbol_to_cdecl=$lt_lt_cv_sys_global_symbol_to_cdecl
+
+# Transform the output of nm in a C name address pair
+global_symbol_to_c_name_address=$lt_lt_cv_sys_global_symbol_to_c_name_address
+
+# This is the shared library runtime path variable.
+runpath_var=$runpath_var
+
+# This is the shared library path variable.
+shlibpath_var=$shlibpath_var
+
+# Is shlibpath searched before the hard-coded library search path?
+shlibpath_overrides_runpath=$shlibpath_overrides_runpath
+
+# How to hardcode a shared library path into an executable.
+hardcode_action=$_LT_AC_TAGVAR(hardcode_action, $1)
+
+# Whether we should hardcode library paths into libraries.
+hardcode_into_libs=$hardcode_into_libs
+
+# Flag to hardcode \$libdir into a binary during linking.
+# This must work even if \$libdir does not exist.
+hardcode_libdir_flag_spec=$lt_[]_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)
+
+# If ld is used when linking, flag to hardcode \$libdir into
+# a binary during linking. This must work even if \$libdir does
+# not exist.
+hardcode_libdir_flag_spec_ld=$lt_[]_LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)
+
+# Whether we need a single -rpath flag with a separated argument.
+hardcode_libdir_separator=$lt_[]_LT_AC_TAGVAR(hardcode_libdir_separator, $1)
+
+# Set to yes if using DIR/libNAME${shared_ext} during linking hardcodes DIR into the
+# resulting binary.
+hardcode_direct=$_LT_AC_TAGVAR(hardcode_direct, $1)
+
+# Set to yes if using the -LDIR flag during linking hardcodes DIR into the
+# resulting binary.
+hardcode_minus_L=$_LT_AC_TAGVAR(hardcode_minus_L, $1)
+
+# Set to yes if using SHLIBPATH_VAR=DIR during linking hardcodes DIR into
+# the resulting binary.
+hardcode_shlibpath_var=$_LT_AC_TAGVAR(hardcode_shlibpath_var, $1)
+
+# Set to yes if building a shared library automatically hardcodes DIR into the library
+# and all subsequent libraries and executables linked against it.
+hardcode_automatic=$_LT_AC_TAGVAR(hardcode_automatic, $1)
+
+# Variables whose values should be saved in libtool wrapper scripts and
+# restored at relink time.
+variables_saved_for_relink="$variables_saved_for_relink"
+
+# Whether libtool must link a program against all its dependency libraries.
+link_all_deplibs=$_LT_AC_TAGVAR(link_all_deplibs, $1)
+
+# Compile-time system search path for libraries
+sys_lib_search_path_spec=$lt_sys_lib_search_path_spec
+
+# Run-time system search path for libraries
+sys_lib_dlsearch_path_spec=$lt_sys_lib_dlsearch_path_spec
+
+# Fix the shell variable \$srcfile for the compiler.
+fix_srcfile_path="$_LT_AC_TAGVAR(fix_srcfile_path, $1)"
+
+# Set to yes if exported symbols are required.
+always_export_symbols=$_LT_AC_TAGVAR(always_export_symbols, $1)
+
+# The commands to list exported symbols.
+export_symbols_cmds=$lt_[]_LT_AC_TAGVAR(export_symbols_cmds, $1)
+
+# The commands to extract the exported symbol list from a shared archive.
+extract_expsyms_cmds=$lt_extract_expsyms_cmds
+
+# Symbols that should not be listed in the preloaded symbols.
+exclude_expsyms=$lt_[]_LT_AC_TAGVAR(exclude_expsyms, $1)
+
+# Symbols that must always be exported.
+include_expsyms=$lt_[]_LT_AC_TAGVAR(include_expsyms, $1)
+
+ifelse([$1],[],
+[# ### END LIBTOOL CONFIG],
+[# ### END LIBTOOL TAG CONFIG: $tagname])
+
+__EOF__
+
+ifelse([$1],[], [
+  case $host_os in
+  aix3*)
+    cat <<\EOF >> "$cfgfile"
+
+# AIX sometimes has problems with the GCC collect2 program.  For some
+# reason, if we set the COLLECT_NAMES environment variable, the problems
+# vanish in a puff of smoke.
+if test "X${COLLECT_NAMES+set}" != Xset; then
+  COLLECT_NAMES=
+  export COLLECT_NAMES
+fi
+EOF
+    ;;
+  esac
+
+  # We use sed instead of cat because bash on DJGPP gets confused if
+  # if finds mixed CR/LF and LF-only lines.  Since sed operates in
+  # text mode, it properly converts lines to CR/LF.  This bash problem
+  # is reportedly fixed, but why not run on old versions too?
+  sed '$q' "$ltmain" >> "$cfgfile" || (rm -f "$cfgfile"; exit 1)
+
+  mv -f "$cfgfile" "$ofile" || \
+    (rm -f "$ofile" && cp "$cfgfile" "$ofile" && rm -f "$cfgfile")
+  chmod +x "$ofile"
+])
+else
+  # If there is no Makefile yet, we rely on a make rule to execute
+  # `config.status --recheck' to rerun these tests and create the
+  # libtool script then.
+  ltmain_in=`echo $ltmain | sed -e 's/\.sh$/.in/'`
+  if test -f "$ltmain_in"; then
+    test -f Makefile && make "$ltmain"
+  fi
+fi
+])# AC_LIBTOOL_CONFIG
+
+
+# AC_LIBTOOL_PROG_COMPILER_NO_RTTI([TAGNAME])
+# -------------------------------------------
+AC_DEFUN([AC_LIBTOOL_PROG_COMPILER_NO_RTTI],
+[AC_REQUIRE([_LT_AC_SYS_COMPILER])dnl
+
+_LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=
+
+if test "$GCC" = yes; then
+  _LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=' -fno-builtin'
+
+  AC_LIBTOOL_COMPILER_OPTION([if $compiler supports -fno-rtti -fno-exceptions],
+    lt_cv_prog_compiler_rtti_exceptions,
+    [-fno-rtti -fno-exceptions], [],
+    [_LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)="$_LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1) -fno-rtti -fno-exceptions"])
+fi
+])# AC_LIBTOOL_PROG_COMPILER_NO_RTTI
+
+
+# AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE
+# ---------------------------------
+AC_DEFUN([AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE],
+[AC_REQUIRE([AC_CANONICAL_HOST])
+AC_REQUIRE([AC_PROG_NM])
+AC_REQUIRE([AC_OBJEXT])
+# Check for command to grab the raw symbol name followed by C symbol from nm.
+AC_MSG_CHECKING([command to parse $NM output from $compiler object])
+AC_CACHE_VAL([lt_cv_sys_global_symbol_pipe],
+[
+# These are sane defaults that work on at least a few old systems.
+# [They come from Ultrix.  What could be older than Ultrix?!! ;)]
+
+# Character class describing NM global symbol codes.
+symcode='[[BCDEGRST]]'
+
+# Regexp to match symbols that can be accessed directly from C.
+sympat='\([[_A-Za-z]][[_A-Za-z0-9]]*\)'
+
+# Transform the above into a raw symbol and a C symbol.
+symxfrm='\1 \2\3 \3'
+
+# Transform an extracted symbol line into a proper C declaration
+lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^. .* \(.*\)$/extern int \1;/p'"
+
+# Transform an extracted symbol line into symbol name and symbol address
+lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([[^ ]]*\) $/  {\\\"\1\\\", (lt_ptr) 0},/p' -e 's/^$symcode \([[^ ]]*\) \([[^ ]]*\)$/  {\"\2\", (lt_ptr) \&\2},/p'"
+
+# Define system-specific variables.
+case $host_os in
+aix*)
+  symcode='[[BCDT]]'
+  ;;
+cygwin* | mingw* | pw32*)
+  symcode='[[ABCDGISTW]]'
+  ;;
+hpux*) # Its linker distinguishes data from code symbols
+  if test "$host_cpu" = ia64; then
+    symcode='[[ABCDEGRST]]'
+  fi
+  lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern int \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'"
+  lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([[^ ]]*\) $/  {\\\"\1\\\", (lt_ptr) 0},/p' -e 's/^$symcode* \([[^ ]]*\) \([[^ ]]*\)$/  {\"\2\", (lt_ptr) \&\2},/p'"
+  ;;
+irix* | nonstopux*)
+  symcode='[[BCDEGRST]]'
+  ;;
+osf*)
+  symcode='[[BCDEGQRST]]'
+  ;;
+solaris* | sysv5*)
+  symcode='[[BDRT]]'
+  ;;
+sysv4)
+  symcode='[[DFNSTU]]'
+  ;;
+esac
+
+# Handle CRLF in mingw tool chain
+opt_cr=
+case $build_os in
+mingw*)
+  opt_cr=`echo 'x\{0,1\}' | tr x '\015'` # option cr in regexp
+  ;;
+esac
+
+# If we're using GNU nm, then use its standard symbol codes.
+case `$NM -V 2>&1` in
+*GNU* | *'with BFD'*)
+  symcode='[[ABCDGIRSTW]]' ;;
+esac
+
+# Try without a prefix undercore, then with it.
+for ac_symprfx in "" "_"; do
+
+  # Write the raw and C identifiers.
+  lt_cv_sys_global_symbol_pipe="sed -n -e 's/^.*[[ 	]]\($symcode$symcode*\)[[ 	]][[ 	]]*\($ac_symprfx\)$sympat$opt_cr$/$symxfrm/p'"
+
+  # Check to see that the pipe works correctly.
+  pipe_works=no
+
+  rm -f conftest*
+  cat > conftest.$ac_ext <<EOF
+#ifdef __cplusplus
+extern "C" {
+#endif
+char nm_test_var;
+void nm_test_func(){}
+#ifdef __cplusplus
+}
+#endif
+int main(){nm_test_var='a';nm_test_func();return(0);}
+EOF
+
+  if AC_TRY_EVAL(ac_compile); then
+    # Now try to grab the symbols.
+    nlist=conftest.nm
+    if AC_TRY_EVAL(NM conftest.$ac_objext \| $lt_cv_sys_global_symbol_pipe \> $nlist) && test -s "$nlist"; then
+      # Try sorting and uniquifying the output.
+      if sort "$nlist" | uniq > "$nlist"T; then
+	mv -f "$nlist"T "$nlist"
+      else
+	rm -f "$nlist"T
+      fi
+
+      # Make sure that we snagged all the symbols we need.
+      if grep ' nm_test_var$' "$nlist" >/dev/null; then
+	if grep ' nm_test_func$' "$nlist" >/dev/null; then
+	  cat <<EOF > conftest.$ac_ext
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+EOF
+	  # Now generate the symbol file.
+	  eval "$lt_cv_sys_global_symbol_to_cdecl"' < "$nlist" | grep -v main >> conftest.$ac_ext'
+
+	  cat <<EOF >> conftest.$ac_ext
+#if defined (__STDC__) && __STDC__
+# define lt_ptr_t void *
+#else
+# define lt_ptr_t char *
+# define const
+#endif
+
+/* The mapping between symbol names and symbols. */
+const struct {
+  const char *name;
+  lt_ptr_t address;
+}
+lt_preloaded_symbols[[]] =
+{
+EOF
+	  $SED "s/^$symcode$symcode* \(.*\) \(.*\)$/  {\"\2\", (lt_ptr_t) \&\2},/" < "$nlist" | grep -v main >> conftest.$ac_ext
+	  cat <<\EOF >> conftest.$ac_ext
+  {0, (lt_ptr_t) 0}
+};
+
+#ifdef __cplusplus
+}
+#endif
+EOF
+	  # Now try linking the two files.
+	  mv conftest.$ac_objext conftstm.$ac_objext
+	  lt_save_LIBS="$LIBS"
+	  lt_save_CFLAGS="$CFLAGS"
+	  LIBS="conftstm.$ac_objext"
+	  CFLAGS="$CFLAGS$_LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)"
+	  if AC_TRY_EVAL(ac_link) && test -s conftest${ac_exeext}; then
+	    pipe_works=yes
+	  fi
+	  LIBS="$lt_save_LIBS"
+	  CFLAGS="$lt_save_CFLAGS"
+	else
+	  echo "cannot find nm_test_func in $nlist" >&AS_MESSAGE_LOG_FD
+	fi
+      else
+	echo "cannot find nm_test_var in $nlist" >&AS_MESSAGE_LOG_FD
+      fi
+    else
+      echo "cannot run $lt_cv_sys_global_symbol_pipe" >&AS_MESSAGE_LOG_FD
+    fi
+  else
+    echo "$progname: failed program was:" >&AS_MESSAGE_LOG_FD
+    cat conftest.$ac_ext >&5
+  fi
+  rm -f conftest* conftst*
+
+  # Do not use the global_symbol_pipe unless it works.
+  if test "$pipe_works" = yes; then
+    break
+  else
+    lt_cv_sys_global_symbol_pipe=
+  fi
+done
+])
+if test -z "$lt_cv_sys_global_symbol_pipe"; then
+  lt_cv_sys_global_symbol_to_cdecl=
+fi
+if test -z "$lt_cv_sys_global_symbol_pipe$lt_cv_sys_global_symbol_to_cdecl"; then
+  AC_MSG_RESULT(failed)
+else
+  AC_MSG_RESULT(ok)
+fi
+]) # AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE
+
+
+# AC_LIBTOOL_PROG_COMPILER_PIC([TAGNAME])
+# ---------------------------------------
+AC_DEFUN([AC_LIBTOOL_PROG_COMPILER_PIC],
+[_LT_AC_TAGVAR(lt_prog_compiler_wl, $1)=
+_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=
+_LT_AC_TAGVAR(lt_prog_compiler_static, $1)=
+
+AC_MSG_CHECKING([for $compiler option to produce PIC])
+ ifelse([$1],[CXX],[
+  # C++ specific cases for pic, static, wl, etc.
+  if test "$GXX" = yes; then
+    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-static'
+
+    case $host_os in
+    aix*)
+      # All AIX code is PIC.
+      if test "$host_cpu" = ia64; then
+	# AIX 5 now supports IA64 processor
+	_LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+      fi
+      ;;
+    amigaos*)
+      # FIXME: we need at least 68020 code to build shared libraries, but
+      # adding the `-m68020' flag to GCC prevents building anything better,
+      # like `-m68040'.
+      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-m68020 -resident32 -malways-restore-a4'
+      ;;
+    beos* | cygwin* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
+      # PIC is the default for these OSes.
+      ;;
+    mingw* | os2* | pw32*)
+      # This hack is so that the source file can tell whether it is being
+      # built for inclusion in a dll (and should export symbols for example).
+      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT'
+      ;;
+    darwin* | rhapsody*)
+      # PIC is the default on this platform
+      # Common symbols not allowed in MH_DYLIB files
+      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fno-common'
+      ;;
+    *djgpp*)
+      # DJGPP does not support shared libraries at all
+      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=
+      ;;
+    sysv4*MP*)
+      if test -d /usr/nec; then
+	_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=-Kconform_pic
+      fi
+      ;;
+    hpux*)
+      # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
+      # not for PA HP-UX.
+      case "$host_cpu" in
+      hppa*64*|ia64*)
+	;;
+      *)
+	_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
+	;;
+      esac
+      ;;
+    *)
+      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
+      ;;
+    esac
+  else
+    case $host_os in
+      aix4* | aix5*)
+	# All AIX code is PIC.
+	if test "$host_cpu" = ia64; then
+	  # AIX 5 now supports IA64 processor
+	  _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+	else
+	  _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-bnso -bI:/lib/syscalls.exp'
+	fi
+	;;
+      chorus*)
+	case $cc_basename in
+	cxch68)
+	  # Green Hills C++ Compiler
+	  # _LT_AC_TAGVAR(lt_prog_compiler_static, $1)="--no_auto_instantiation -u __main -u __premain -u _abort -r $COOL_DIR/lib/libOrb.a $MVME_DIR/lib/CC/libC.a $MVME_DIR/lib/classix/libcx.s.a"
+	  ;;
+	esac
+	;;
+      dgux*)
+	case $cc_basename in
+	  ec++)
+	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+	    ;;
+	  ghcx)
+	    # Green Hills C++ Compiler
+	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
+	    ;;
+	  *)
+	    ;;
+	esac
+	;;
+      freebsd* | kfreebsd*-gnu)
+	# FreeBSD uses GNU C++
+	;;
+      hpux9* | hpux10* | hpux11*)
+	case $cc_basename in
+	  CC)
+	    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)="${ac_cv_prog_cc_wl}-a ${ac_cv_prog_cc_wl}archive"
+	    if test "$host_cpu" != ia64; then
+	      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='+Z'
+	    fi
+	    ;;
+	  aCC)
+	    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)="${ac_cv_prog_cc_wl}-a ${ac_cv_prog_cc_wl}archive"
+	    case "$host_cpu" in
+	    hppa*64*|ia64*)
+	      # +Z the default
+	      ;;
+	    *)
+	      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='+Z'
+	      ;;
+	    esac
+	    ;;
+	  *)
+	    ;;
+	esac
+	;;
+      irix5* | irix6* | nonstopux*)
+	case $cc_basename in
+	  CC)
+	    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
+	    # CC pic flag -KPIC is the default.
+	    ;;
+	  *)
+	    ;;
+	esac
+	;;
+      linux*)
+	case $cc_basename in
+	  KCC)
+	    # KAI C++ Compiler
+	    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='--backend -Wl,'
+	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
+	    ;;
+	  icpc)
+	    # Intel C++
+	    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+	    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-static'
+	    ;;
+	  cxx)
+	    # Compaq C++
+	    # Make sure the PIC flag is empty.  It appears that all Alpha
+	    # Linux and Compaq Tru64 Unix objects are PIC.
+	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=
+	    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
+	    ;;
+	  *)
+	    ;;
+	esac
+	;;
+      lynxos*)
+	;;
+      m88k*)
+	;;
+      mvs*)
+	case $cc_basename in
+	  cxx)
+	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-W c,exportall'
+	    ;;
+	  *)
+	    ;;
+	esac
+	;;
+      netbsd*)
+	;;
+      osf3* | osf4* | osf5*)
+	case $cc_basename in
+	  KCC)
+	    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='--backend -Wl,'
+	    ;;
+	  RCC)
+	    # Rational C++ 2.4.1
+	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
+	    ;;
+	  cxx)
+	    # Digital/Compaq C++
+	    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	    # Make sure the PIC flag is empty.  It appears that all Alpha
+	    # Linux and Compaq Tru64 Unix objects are PIC.
+	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=
+	    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
+	    ;;
+	  *)
+	    ;;
+	esac
+	;;
+      psos*)
+	;;
+      sco*)
+	case $cc_basename in
+	  CC)
+	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
+	    ;;
+	  *)
+	    ;;
+	esac
+	;;
+      solaris*)
+	case $cc_basename in
+	  CC)
+	    # Sun C++ 4.2, 5.x and Centerline C++
+	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+	    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+	    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld '
+	    ;;
+	  gcx)
+	    # Green Hills C++ Compiler
+	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-PIC'
+	    ;;
+	  *)
+	    ;;
+	esac
+	;;
+      sunos4*)
+	case $cc_basename in
+	  CC)
+	    # Sun C++ 4.x
+	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
+	    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+	    ;;
+	  lcc)
+	    # Lucid
+	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
+	    ;;
+	  *)
+	    ;;
+	esac
+	;;
+      tandem*)
+	case $cc_basename in
+	  NCC)
+	    # NonStop-UX NCC 3.20
+	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+	    ;;
+	  *)
+	    ;;
+	esac
+	;;
+      unixware*)
+	;;
+      vxworks*)
+	;;
+      *)
+	_LT_AC_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no
+	;;
+    esac
+  fi
+],
+[
+  if test "$GCC" = yes; then
+    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-static'
+
+    case $host_os in
+      aix*)
+      # All AIX code is PIC.
+      if test "$host_cpu" = ia64; then
+	# AIX 5 now supports IA64 processor
+	_LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+      fi
+      ;;
+
+    amigaos*)
+      # FIXME: we need at least 68020 code to build shared libraries, but
+      # adding the `-m68020' flag to GCC prevents building anything better,
+      # like `-m68040'.
+      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-m68020 -resident32 -malways-restore-a4'
+      ;;
+
+    beos* | cygwin* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
+      # PIC is the default for these OSes.
+      ;;
+
+    mingw* | pw32* | os2*)
+      # This hack is so that the source file can tell whether it is being
+      # built for inclusion in a dll (and should export symbols for example).
+      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT'
+      ;;
+
+    darwin* | rhapsody*)
+      # PIC is the default on this platform
+      # Common symbols not allowed in MH_DYLIB files
+      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fno-common'
+      ;;
+
+    msdosdjgpp*)
+      # Just because we use GCC doesn't mean we suddenly get shared libraries
+      # on systems that don't support them.
+      _LT_AC_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no
+      enable_shared=no
+      ;;
+
+    sysv4*MP*)
+      if test -d /usr/nec; then
+	_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=-Kconform_pic
+      fi
+      ;;
+
+    hpux*)
+      # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
+      # not for PA HP-UX.
+      case "$host_cpu" in
+      hppa*64*|ia64*)
+	# +Z the default
+	;;
+      *)
+	_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
+	;;
+      esac
+      ;;
+
+    *)
+      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
+      ;;
+    esac
+  else
+    # PORTME Check for flag to pass linker flags through the system compiler.
+    case $host_os in
+    aix*)
+      _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+      if test "$host_cpu" = ia64; then
+	# AIX 5 now supports IA64 processor
+	_LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+      else
+	_LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-bnso -bI:/lib/syscalls.exp'
+      fi
+      ;;
+
+    mingw* | pw32* | os2*)
+      # This hack is so that the source file can tell whether it is being
+      # built for inclusion in a dll (and should export symbols for example).
+      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT'
+      ;;
+
+    hpux9* | hpux10* | hpux11*)
+      _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+      # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
+      # not for PA HP-UX.
+      case "$host_cpu" in
+      hppa*64*|ia64*)
+	# +Z the default
+	;;
+      *)
+	_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='+Z'
+	;;
+      esac
+      # Is there a better lt_prog_compiler_static that works with the bundled CC?
+      _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='${wl}-a ${wl}archive'
+      ;;
+
+    irix5* | irix6* | nonstopux*)
+      _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+      # PIC (with -KPIC) is the default.
+      _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
+      ;;
+
+    newsos6)
+      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+      _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+      ;;
+
+    linux*)
+      case $CC in
+      icc* | ecc*)
+	_LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+	_LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-static'
+        ;;
+      ccc*)
+        _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+        # All Alpha code is PIC.
+        _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
+        ;;
+      esac
+      ;;
+
+    osf3* | osf4* | osf5*)
+      _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+      # All OSF/1 code is PIC.
+      _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
+      ;;
+
+    sco3.2v5*)
+      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-Kpic'
+      _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-dn'
+      ;;
+
+    solaris*)
+      _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+      _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+      ;;
+
+    sunos4*)
+      _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld '
+      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-PIC'
+      _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+      ;;
+
+    sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*)
+      _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+      _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+      ;;
+
+    sysv4*MP*)
+      if test -d /usr/nec ;then
+	_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-Kconform_pic'
+	_LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+      fi
+      ;;
+
+    uts4*)
+      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
+      _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+      ;;
+
+    *)
+      _LT_AC_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no
+      ;;
+    esac
+  fi
+])
+AC_MSG_RESULT([$_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)])
+
+#
+# Check to make sure the PIC flag actually works.
+#
+if test -n "$_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)"; then
+  AC_LIBTOOL_COMPILER_OPTION([if $compiler PIC flag $_LT_AC_TAGVAR(lt_prog_compiler_pic, $1) works],
+    _LT_AC_TAGVAR(lt_prog_compiler_pic_works, $1),
+    [$_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)ifelse([$1],[],[ -DPIC],[ifelse([$1],[CXX],[ -DPIC],[])])], [],
+    [case $_LT_AC_TAGVAR(lt_prog_compiler_pic, $1) in
+     "" | " "*) ;;
+     *) _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=" $_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)" ;;
+     esac],
+    [_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=
+     _LT_AC_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no])
+fi
+case "$host_os" in
+  # For platforms which do not support PIC, -DPIC is meaningless:
+  *djgpp*)
+    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=
+    ;;
+  *)
+    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)="$_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)ifelse([$1],[],[ -DPIC],[ifelse([$1],[CXX],[ -DPIC],[])])"
+    ;;
+esac
+])
+
+
+# AC_LIBTOOL_PROG_LD_SHLIBS([TAGNAME])
+# ------------------------------------
+# See if the linker supports building shared libraries.
+AC_DEFUN([AC_LIBTOOL_PROG_LD_SHLIBS],
+[AC_MSG_CHECKING([whether the $compiler linker ($LD) supports shared libraries])
+ifelse([$1],[CXX],[
+  _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
+  case $host_os in
+  aix4* | aix5*)
+    # If we're using GNU nm, then we don't want the "-C" option.
+    # -C means demangle to AIX nm, but means don't demangle with GNU nm
+    if $NM -V 2>&1 | grep 'GNU' > /dev/null; then
+      _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\[$]2 == "T") || (\[$]2 == "D") || (\[$]2 == "B")) && ([substr](\[$]3,1,1) != ".")) { print \[$]3 } }'\'' | sort -u > $export_symbols'
+    else
+      _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\[$]2 == "T") || (\[$]2 == "D") || (\[$]2 == "B")) && ([substr](\[$]3,1,1) != ".")) { print \[$]3 } }'\'' | sort -u > $export_symbols'
+    fi
+    ;;
+  pw32*)
+    _LT_AC_TAGVAR(export_symbols_cmds, $1)="$ltdll_cmds"
+  ;;
+  cygwin* | mingw*)
+    _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGS]] /s/.* \([[^ ]]*\)/\1 DATA/'\'' | $SED -e '\''/^[[AITW]] /s/.* //'\'' | sort | uniq > $export_symbols'
+  ;;
+  *)
+    _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
+  ;;
+  esac
+],[
+  runpath_var=
+  _LT_AC_TAGVAR(allow_undefined_flag, $1)=
+  _LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=no
+  _LT_AC_TAGVAR(archive_cmds, $1)=
+  _LT_AC_TAGVAR(archive_expsym_cmds, $1)=
+  _LT_AC_TAGVAR(old_archive_From_new_cmds, $1)=
+  _LT_AC_TAGVAR(old_archive_from_expsyms_cmds, $1)=
+  _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)=
+  _LT_AC_TAGVAR(whole_archive_flag_spec, $1)=
+  _LT_AC_TAGVAR(thread_safe_flag_spec, $1)=
+  _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)=
+  _LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)=
+  _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=
+  _LT_AC_TAGVAR(hardcode_direct, $1)=no
+  _LT_AC_TAGVAR(hardcode_minus_L, $1)=no
+  _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
+  _LT_AC_TAGVAR(link_all_deplibs, $1)=unknown
+  _LT_AC_TAGVAR(hardcode_automatic, $1)=no
+  _LT_AC_TAGVAR(module_cmds, $1)=
+  _LT_AC_TAGVAR(module_expsym_cmds, $1)=
+  _LT_AC_TAGVAR(always_export_symbols, $1)=no
+  _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
+  # include_expsyms should be a list of space-separated symbols to be *always*
+  # included in the symbol list
+  _LT_AC_TAGVAR(include_expsyms, $1)=
+  # exclude_expsyms can be an extended regexp of symbols to exclude
+  # it will be wrapped by ` (' and `)$', so one must not match beginning or
+  # end of line.  Example: `a|bc|.*d.*' will exclude the symbols `a' and `bc',
+  # as well as any symbol that contains `d'.
+  _LT_AC_TAGVAR(exclude_expsyms, $1)="_GLOBAL_OFFSET_TABLE_"
+  # Although _GLOBAL_OFFSET_TABLE_ is a valid symbol C name, most a.out
+  # platforms (ab)use it in PIC code, but their linkers get confused if
+  # the symbol is explicitly referenced.  Since portable code cannot
+  # rely on this symbol name, it's probably fine to never include it in
+  # preloaded symbol tables.
+  extract_expsyms_cmds=
+
+  case $host_os in
+  cygwin* | mingw* | pw32*)
+    # FIXME: the MSVC++ port hasn't been tested in a loooong time
+    # When not using gcc, we currently assume that we are using
+    # Microsoft Visual C++.
+    if test "$GCC" != yes; then
+      with_gnu_ld=no
+    fi
+    ;;
+  openbsd*)
+    with_gnu_ld=no
+    ;;
+  esac
+
+  _LT_AC_TAGVAR(ld_shlibs, $1)=yes
+  if test "$with_gnu_ld" = yes; then
+    # If archive_cmds runs LD, not CC, wlarc should be empty
+    wlarc='${wl}'
+
+    # See if GNU ld supports shared libraries.
+    case $host_os in
+    aix3* | aix4* | aix5*)
+      # On AIX/PPC, the GNU linker is very broken
+      if test "$host_cpu" != ia64; then
+	_LT_AC_TAGVAR(ld_shlibs, $1)=no
+	cat <<EOF 1>&2
+
+*** Warning: the GNU linker, at least up to release 2.9.1, is reported
+*** to be unable to reliably create shared libraries on AIX.
+*** Therefore, libtool is disabling shared libraries support.  If you
+*** really care for shared libraries, you may want to modify your PATH
+*** so that a non-GNU linker is found, and then restart.
+
+EOF
+      fi
+      ;;
+
+    amigaos*)
+      _LT_AC_TAGVAR(archive_cmds, $1)='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
+      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+      _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
+
+      # Samuel A. Falvo II <kc5tja@dolphin.openprojects.net> reports
+      # that the semantics of dynamic libraries on AmigaOS, at least up
+      # to version 4, is to share data among multiple programs linked
+      # with the same dynamic library.  Since this doesn't match the
+      # behavior of shared libraries on other platforms, we can't use
+      # them.
+      _LT_AC_TAGVAR(ld_shlibs, $1)=no
+      ;;
+
+    beos*)
+      if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+	_LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported
+	# Joseph Beckenbach <jrb3@best.com> says some releases of gcc
+	# support --undefined.  This deserves some investigation.  FIXME
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -nostart $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+      else
+	_LT_AC_TAGVAR(ld_shlibs, $1)=no
+      fi
+      ;;
+
+    cygwin* | mingw* | pw32*)
+      # _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1) is actually meaningless,
+      # as there is no search path for DLLs.
+      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+      _LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported
+      _LT_AC_TAGVAR(always_export_symbols, $1)=no
+      _LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
+      _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGS]] /s/.* \([[^ ]]*\)/\1 DATA/'\'' | $SED -e '\''/^[[AITW]] /s/.* //'\'' | sort | uniq > $export_symbols'
+
+      if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then
+        _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--image-base=0x10000000 ${wl}--out-implib,$lib'
+	# If the export-symbols file already is a .def file (1st line
+	# is EXPORTS), use it as is; otherwise, prepend...
+	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
+	  cp $export_symbols $output_objdir/$soname.def;
+	else
+	  echo EXPORTS > $output_objdir/$soname.def;
+	  cat $export_symbols >> $output_objdir/$soname.def;
+	fi~
+	$CC -shared $output_objdir/$soname.def $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--image-base=0x10000000  ${wl}--out-implib,$lib'
+      else
+	ld_shlibs=no
+      fi
+      ;;
+
+    netbsd*)
+      if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
+	_LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib'
+	wlarc=
+      else
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+      fi
+      ;;
+
+    solaris* | sysv5*)
+      if $LD -v 2>&1 | grep 'BFD 2\.8' > /dev/null; then
+	_LT_AC_TAGVAR(ld_shlibs, $1)=no
+	cat <<EOF 1>&2
+
+*** Warning: The releases 2.8.* of the GNU linker cannot reliably
+*** create shared libraries on Solaris systems.  Therefore, libtool
+*** is disabling shared libraries support.  We urge you to upgrade GNU
+*** binutils to release 2.9.1 or newer.  Another option is to modify
+*** your PATH or compiler configuration so that the native linker is
+*** used, and then restart.
+
+EOF
+      elif $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+      else
+	_LT_AC_TAGVAR(ld_shlibs, $1)=no
+      fi
+      ;;
+
+    sunos4*)
+      _LT_AC_TAGVAR(archive_cmds, $1)='$LD -assert pure-text -Bshareable -o $lib $libobjs $deplibs $linker_flags'
+      wlarc=
+      _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+      ;;
+
+  linux*)
+    if $LD --help 2>&1 | egrep ': supported targets:.* elf' > /dev/null; then
+        tmp_archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+	_LT_AC_TAGVAR(archive_cmds, $1)="$tmp_archive_cmds"
+      supports_anon_versioning=no
+      case `$LD -v 2>/dev/null` in
+        *\ [01].* | *\ 2.[[0-9]].* | *\ 2.10.*) ;; # catch versions < 2.11
+        *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ...
+        *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ...
+        *\ 2.11.*) ;; # other 2.11 versions
+        *) supports_anon_versioning=yes ;;
+      esac
+      if test $supports_anon_versioning = yes; then
+        _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $output_objdir/$libname.ver~
+cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
+$echo "local: *; };" >> $output_objdir/$libname.ver~
+        $CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib'
+      else
+        _LT_AC_TAGVAR(archive_expsym_cmds, $1)="$tmp_archive_cmds"
+      fi
+    else
+      _LT_AC_TAGVAR(ld_shlibs, $1)=no
+    fi
+    ;;
+
+    *)
+      if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+      else
+	_LT_AC_TAGVAR(ld_shlibs, $1)=no
+      fi
+      ;;
+    esac
+
+    if test "$_LT_AC_TAGVAR(ld_shlibs, $1)" = yes; then
+      runpath_var=LD_RUN_PATH
+      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}--rpath ${wl}$libdir'
+      _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
+      # ancient GNU ld didn't support --whole-archive et. al.
+      if $LD --help 2>&1 | grep 'no-whole-archive' > /dev/null; then
+ 	_LT_AC_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
+      else
+  	_LT_AC_TAGVAR(whole_archive_flag_spec, $1)=
+      fi
+    fi
+  else
+    # PORTME fill in a description of your system's linker (not GNU ld)
+    case $host_os in
+    aix3*)
+      _LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported
+      _LT_AC_TAGVAR(always_export_symbols, $1)=yes
+      _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$LD -o $output_objdir/$soname $libobjs $deplibs $linker_flags -bE:$export_symbols -T512 -H512 -bM:SRE~$AR $AR_FLAGS $lib $output_objdir/$soname'
+      # Note: this linker hardcodes the directories in LIBPATH if there
+      # are no directories specified by -L.
+      _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
+      if test "$GCC" = yes && test -z "$link_static_flag"; then
+	# Neither direct hardcoding nor static linking is supported with a
+	# broken collect2.
+	_LT_AC_TAGVAR(hardcode_direct, $1)=unsupported
+      fi
+      ;;
+
+    aix4* | aix5*)
+      if test "$host_cpu" = ia64; then
+	# On IA64, the linker does run time linking by default, so we don't
+	# have to do anything special.
+	aix_use_runtimelinking=no
+	exp_sym_flag='-Bexport'
+	no_entry_flag=""
+      else
+	# If we're using GNU nm, then we don't want the "-C" option.
+	# -C means demangle to AIX nm, but means don't demangle with GNU nm
+	if $NM -V 2>&1 | grep 'GNU' > /dev/null; then
+	  _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\[$]2 == "T") || (\[$]2 == "D") || (\[$]2 == "B")) && ([substr](\[$]3,1,1) != ".")) { print \[$]3 } }'\'' | sort -u > $export_symbols'
+	else
+	  _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\[$]2 == "T") || (\[$]2 == "D") || (\[$]2 == "B")) && ([substr](\[$]3,1,1) != ".")) { print \[$]3 } }'\'' | sort -u > $export_symbols'
+	fi
+	aix_use_runtimelinking=no
+
+	# Test if we are trying to use run time linking or normal
+	# AIX style linking. If -brtl is somewhere in LDFLAGS, we
+	# need to do runtime linking.
+	case $host_os in aix4.[[23]]|aix4.[[23]].*|aix5*)
+	  for ld_flag in $LDFLAGS; do
+  	  if (test $ld_flag = "-brtl" || test $ld_flag = "-Wl,-brtl"); then
+  	    aix_use_runtimelinking=yes
+  	    break
+  	  fi
+	  done
+	esac
+
+	exp_sym_flag='-bexport'
+	no_entry_flag='-bnoentry'
+      fi
+
+      # When large executables or shared objects are built, AIX ld can
+      # have problems creating the table of contents.  If linking a library
+      # or program results in "error TOC overflow" add -mminimal-toc to
+      # CXXFLAGS/CFLAGS for g++/gcc.  In the cases where that is not
+      # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS.
+
+      _LT_AC_TAGVAR(archive_cmds, $1)=''
+      _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+      _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=':'
+      _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
+
+      if test "$GCC" = yes; then
+	case $host_os in aix4.[012]|aix4.[012].*)
+	# We only want to do this on AIX 4.2 and lower, the check
+	# below for broken collect2 doesn't work under 4.3+
+	  collect2name=`${CC} -print-prog-name=collect2`
+	  if test -f "$collect2name" && \
+  	   strings "$collect2name" | grep resolve_lib_name >/dev/null
+	  then
+  	  # We have reworked collect2
+  	  _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+	  else
+  	  # We have old collect2
+  	  _LT_AC_TAGVAR(hardcode_direct, $1)=unsupported
+  	  # It fails to find uninstalled libraries when the uninstalled
+  	  # path is not listed in the libpath.  Setting hardcode_minus_L
+  	  # to unsupported forces relinking
+  	  _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
+  	  _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+  	  _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=
+	  fi
+	esac
+	shared_flag='-shared'
+      else
+	# not using gcc
+	if test "$host_cpu" = ia64; then
+  	# VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release
+  	# chokes on -Wl,-G. The following line is correct:
+	  shared_flag='-G'
+	else
+  	if test "$aix_use_runtimelinking" = yes; then
+	    shared_flag='${wl}-G'
+	  else
+	    shared_flag='${wl}-bM:SRE'
+  	fi
+	fi
+      fi
+
+      # It seems that -bexpall does not export symbols beginning with
+      # underscore (_), so it is better to generate a list of symbols to export.
+      _LT_AC_TAGVAR(always_export_symbols, $1)=yes
+      if test "$aix_use_runtimelinking" = yes; then
+	# Warning - without using the other runtime loading flags (-brtl),
+	# -berok will link without error, but may produce a broken library.
+	_LT_AC_TAGVAR(allow_undefined_flag, $1)='-berok'
+       # Determine the default libpath from the value encoded in an empty executable.
+       _LT_AC_SYS_LIBPATH_AIX
+       _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath"
+	_LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then echo "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$no_entry_flag \${wl}$exp_sym_flag:\$export_symbols $shared_flag"
+       else
+	if test "$host_cpu" = ia64; then
+	  _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R $libdir:/usr/lib:/lib'
+	  _LT_AC_TAGVAR(allow_undefined_flag, $1)="-z nodefs"
+	  _LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$no_entry_flag \${wl}$exp_sym_flag:\$export_symbols"
+	else
+	 # Determine the default libpath from the value encoded in an empty executable.
+	 _LT_AC_SYS_LIBPATH_AIX
+	 _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath"
+	  # Warning - without using the other run time loading flags,
+	  # -berok will link without error, but may produce a broken library.
+	  _LT_AC_TAGVAR(no_undefined_flag, $1)=' ${wl}-bernotok'
+	  _LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-berok'
+	  # -bexpall does not export symbols beginning with underscore (_)
+	  _LT_AC_TAGVAR(always_export_symbols, $1)=yes
+	  # Exported symbols can be pulled into shared objects from archives
+	  _LT_AC_TAGVAR(whole_archive_flag_spec, $1)=' '
+	  _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=yes
+	  # This is similar to how AIX traditionally builds it's shared libraries.
+	  _LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags ${wl}-bE:$export_symbols ${wl}-bnoentry${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
+	fi
+      fi
+      ;;
+
+    amigaos*)
+      _LT_AC_TAGVAR(archive_cmds, $1)='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
+      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+      _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
+      # see comment about different semantics on the GNU ld section
+      _LT_AC_TAGVAR(ld_shlibs, $1)=no
+      ;;
+
+    bsdi4*)
+      _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)=-rdynamic
+      ;;
+
+    cygwin* | mingw* | pw32*)
+      # When not using gcc, we currently assume that we are using
+      # Microsoft Visual C++.
+      # hardcode_libdir_flag_spec is actually meaningless, as there is
+      # no search path for DLLs.
+      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)=' '
+      _LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported
+      # Tell ltmain to make .lib files, not .a files.
+      libext=lib
+      # Tell ltmain to make .dll files, not .so files.
+      shrext=".dll"
+      # FIXME: Setting linknames here is a bad hack.
+      _LT_AC_TAGVAR(archive_cmds, $1)='$CC -o $lib $libobjs $compiler_flags `echo "$deplibs" | $SED -e '\''s/ -lc$//'\''` -link -dll~linknames='
+      # The linker will automatically build a .lib file if we build a DLL.
+      _LT_AC_TAGVAR(old_archive_From_new_cmds, $1)='true'
+      # FIXME: Should let the user specify the lib program.
+      _LT_AC_TAGVAR(old_archive_cmds, $1)='lib /OUT:$oldlib$oldobjs$old_deplibs'
+      fix_srcfile_path='`cygpath -w "$srcfile"`'
+      _LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
+      ;;
+
+    darwin* | rhapsody*)
+    if test "$GXX" = yes ; then
+      _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
+      case "$host_os" in
+      rhapsody* | darwin1.[[012]])
+	_LT_AC_TAGVAR(allow_undefined_flag, $1)='-undefined suppress'
+	;;
+      *) # Darwin 1.3 on
+      if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
+      	_LT_AC_TAGVAR(allow_undefined_flag, $1)='-flat_namespace -undefined suppress'
+      else
+        case ${MACOSX_DEPLOYMENT_TARGET} in
+          10.[[012]])
+            _LT_AC_TAGVAR(allow_undefined_flag, $1)='-flat_namespace -undefined suppress'
+            ;;
+          10.*)
+            _LT_AC_TAGVAR(allow_undefined_flag, $1)='-undefined dynamic_lookup'
+            ;;
+        esac
+      fi
+	;;
+      esac
+    	lt_int_apple_cc_single_mod=no
+    	output_verbose_link_cmd='echo'
+    	if $CC -dumpspecs 2>&1 | grep 'single_module' >/dev/null ; then
+    	  lt_int_apple_cc_single_mod=yes
+    	fi
+    	if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
+    	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
+    	else
+        _LT_AC_TAGVAR(archive_cmds, $1)='$CC -r ${wl}-bind_at_load -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
+      fi
+      _LT_AC_TAGVAR(module_cmds, $1)='$CC ${wl}-bind_at_load $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
+      # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
+        if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
+          _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+        else
+          _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -r ${wl}-bind_at_load -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+        fi
+          _LT_AC_TAGVAR(module_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+      _LT_AC_TAGVAR(hardcode_direct, $1)=no
+      _LT_AC_TAGVAR(hardcode_automatic, $1)=yes
+      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
+      _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='-all_load $convenience'
+      _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
+    else
+      _LT_AC_TAGVAR(ld_shlibs, $1)=no
+    fi
+      ;;
+
+    dgux*)
+      _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+      ;;
+
+    freebsd1*)
+      _LT_AC_TAGVAR(ld_shlibs, $1)=no
+      ;;
+
+    # FreeBSD 2.2.[012] allows us to include c++rt0.o to get C++ constructor
+    # support.  Future versions do this automatically, but an explicit c++rt0.o
+    # does not break anything, and helps significantly (at the cost of a little
+    # extra space).
+    freebsd2.2*)
+      _LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags /usr/lib/c++rt0.o'
+      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
+      _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+      ;;
+
+    # Unfortunately, older versions of FreeBSD 2 do not have this feature.
+    freebsd2*)
+      _LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
+      _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+      _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
+      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+      ;;
+
+    # FreeBSD 3 and greater uses gcc -shared to do shared libraries.
+    freebsd* | kfreebsd*-gnu)
+      _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -o $lib $libobjs $deplibs $compiler_flags'
+      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
+      _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+      ;;
+
+    hpux9*)
+      if test "$GCC" = yes; then
+	_LT_AC_TAGVAR(archive_cmds, $1)='$rm $output_objdir/$soname~$CC -shared -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $libobjs $deplibs $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
+      else
+	_LT_AC_TAGVAR(archive_cmds, $1)='$rm $output_objdir/$soname~$LD -b +b $install_libdir -o $output_objdir/$soname $libobjs $deplibs $linker_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
+      fi
+      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
+      _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+      _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+
+      # hardcode_minus_L: Not really in the search PATH,
+      # but as the default location of the library.
+      _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
+      _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
+      ;;
+
+    hpux10* | hpux11*)
+      if test "$GCC" = yes -a "$with_gnu_ld" = no; then
+	case "$host_cpu" in
+	hppa*64*|ia64*)
+	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
+	*)
+	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
+	esac
+      else
+	case "$host_cpu" in
+	hppa*64*|ia64*)
+	  _LT_AC_TAGVAR(archive_cmds, $1)='$LD -b +h $soname -o $lib $libobjs $deplibs $linker_flags'
+	  ;;
+	*)
+	  _LT_AC_TAGVAR(archive_cmds, $1)='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags'
+	  ;;
+	esac
+      fi
+      if test "$with_gnu_ld" = no; then
+	case "$host_cpu" in
+	hppa*64*)
+	  _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
+	  _LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)='+b $libdir'
+	  _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+	  _LT_AC_TAGVAR(hardcode_direct, $1)=no
+	  _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+	  ;;
+	ia64*)
+	  _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+	  _LT_AC_TAGVAR(hardcode_direct, $1)=no
+	  _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+
+	  # hardcode_minus_L: Not really in the search PATH,
+	  # but as the default location of the library.
+	  _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
+	  ;;
+	*)
+	  _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
+	  _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+	  _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+	  _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
+
+	  # hardcode_minus_L: Not really in the search PATH,
+	  # but as the default location of the library.
+	  _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
+	  ;;
+	esac
+      fi
+      ;;
+
+    irix5* | irix6* | nonstopux*)
+      if test "$GCC" = yes; then
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+      else
+	_LT_AC_TAGVAR(archive_cmds, $1)='$LD -shared $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
+	_LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)='-rpath $libdir'
+      fi
+      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
+      _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+      _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
+      ;;
+
+    netbsd*)
+      if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
+	_LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'  # a.out
+      else
+	_LT_AC_TAGVAR(archive_cmds, $1)='$LD -shared -o $lib $libobjs $deplibs $linker_flags'      # ELF
+      fi
+      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
+      _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+      ;;
+
+    newsos6)
+      _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+      _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
+      _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+      ;;
+
+    openbsd*)
+      _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+      if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
+	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
+	_LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
+      else
+       case $host_os in
+	 openbsd[[01]].* | openbsd2.[[0-7]] | openbsd2.[[0-7]].*)
+	   _LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
+	   _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
+	   ;;
+	 *)
+	   _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
+	   _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
+	   ;;
+       esac
+      fi
+      ;;
+
+    os2*)
+      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+      _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
+      _LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported
+      _LT_AC_TAGVAR(archive_cmds, $1)='$echo "LIBRARY $libname INITINSTANCE" > $output_objdir/$libname.def~$echo "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~$echo DATA >> $output_objdir/$libname.def~$echo " SINGLE NONSHARED" >> $output_objdir/$libname.def~$echo EXPORTS >> $output_objdir/$libname.def~emxexp $libobjs >> $output_objdir/$libname.def~$CC -Zdll -Zcrtdll -o $lib $libobjs $deplibs $compiler_flags $output_objdir/$libname.def'
+      _LT_AC_TAGVAR(old_archive_From_new_cmds, $1)='emximp -o $output_objdir/$libname.a $output_objdir/$libname.def'
+      ;;
+
+    osf3*)
+      if test "$GCC" = yes; then
+	_LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+      else
+	_LT_AC_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*'
+	_LT_AC_TAGVAR(archive_cmds, $1)='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
+      fi
+      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
+      _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+      ;;
+
+    osf4* | osf5*)	# as osf3* with the addition of -msym flag
+      if test "$GCC" = yes; then
+	_LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
+      else
+	_LT_AC_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*'
+	_LT_AC_TAGVAR(archive_cmds, $1)='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -msym -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
+	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done; echo "-hidden">> $lib.exp~
+	$LD -shared${allow_undefined_flag} -input $lib.exp $linker_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${objdir}/so_locations -o $lib~$rm $lib.exp'
+
+	# Both c and cxx compiler support -rpath directly
+	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-rpath $libdir'
+      fi
+      _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+      ;;
+
+    sco3.2v5*)
+      _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+      _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-Bexport'
+      runpath_var=LD_RUN_PATH
+      hardcode_runpath_var=yes
+      ;;
+
+    solaris*)
+      _LT_AC_TAGVAR(no_undefined_flag, $1)=' -z text'
+      if test "$GCC" = yes; then
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
+	  $CC -shared ${wl}-M ${wl}$lib.exp ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags~$rm $lib.exp'
+      else
+	_LT_AC_TAGVAR(archive_cmds, $1)='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags'
+	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
+  	$LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$rm $lib.exp'
+      fi
+      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
+      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+      case $host_os in
+      solaris2.[[0-5]] | solaris2.[[0-5]].*) ;;
+      *) # Supported since Solaris 2.6 (maybe 2.5.1?)
+	_LT_AC_TAGVAR(whole_archive_flag_spec, $1)='-z allextract$convenience -z defaultextract' ;;
+      esac
+      _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
+      ;;
+
+    sunos4*)
+      if test "x$host_vendor" = xsequent; then
+	# Use $CC to link under sequent, because it throws in some extra .o
+	# files that make .init and .fini sections work.
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h $soname -o $lib $libobjs $deplibs $compiler_flags'
+      else
+	_LT_AC_TAGVAR(archive_cmds, $1)='$LD -assert pure-text -Bstatic -o $lib $libobjs $deplibs $linker_flags'
+      fi
+      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+      _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+      _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
+      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+      ;;
+
+    sysv4)
+      case $host_vendor in
+	sni)
+	  _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+	  _LT_AC_TAGVAR(hardcode_direct, $1)=yes # is this really true???
+	;;
+	siemens)
+	  ## LD is ld it makes a PLAMLIB
+	  ## CC just makes a GrossModule.
+	  _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -o $lib $libobjs $deplibs $linker_flags'
+	  _LT_AC_TAGVAR(reload_cmds, $1)='$CC -r -o $output$reload_objs'
+	  _LT_AC_TAGVAR(hardcode_direct, $1)=no
+        ;;
+	motorola)
+	  _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+	  _LT_AC_TAGVAR(hardcode_direct, $1)=no #Motorola manual says yes, but my tests say they lie
+	;;
+      esac
+      runpath_var='LD_RUN_PATH'
+      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+      ;;
+
+    sysv4.3*)
+      _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+      _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='-Bexport'
+      ;;
+
+    sysv4*MP*)
+      if test -d /usr/nec; then
+	_LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+	_LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+	runpath_var=LD_RUN_PATH
+	hardcode_runpath_var=yes
+	_LT_AC_TAGVAR(ld_shlibs, $1)=yes
+      fi
+      ;;
+
+    sysv4.2uw2*)
+      _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -o $lib $libobjs $deplibs $linker_flags'
+      _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+      _LT_AC_TAGVAR(hardcode_minus_L, $1)=no
+      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+      hardcode_runpath_var=yes
+      runpath_var=LD_RUN_PATH
+      ;;
+
+   sysv5OpenUNIX8* | sysv5UnixWare7* |  sysv5uw[[78]]* | unixware7*)
+      _LT_AC_TAGVAR(no_undefined_flag, $1)='${wl}-z ${wl}text'
+      if test "$GCC" = yes; then
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+      else
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+      fi
+      runpath_var='LD_RUN_PATH'
+      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+      ;;
+
+    sysv5*)
+      _LT_AC_TAGVAR(no_undefined_flag, $1)=' -z text'
+      # $CC -shared without GNU ld will not create a library from C++
+      # object files and a static libstdc++, better avoid it by now
+      _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags'
+      _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
+  		$LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$rm $lib.exp'
+      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)=
+      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+      runpath_var='LD_RUN_PATH'
+      ;;
+
+    uts4*)
+      _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+      ;;
+
+    *)
+      _LT_AC_TAGVAR(ld_shlibs, $1)=no
+      ;;
+    esac
+  fi
+])
+AC_MSG_RESULT([$_LT_AC_TAGVAR(ld_shlibs, $1)])
+test "$_LT_AC_TAGVAR(ld_shlibs, $1)" = no && can_build_shared=no
+
+variables_saved_for_relink="PATH $shlibpath_var $runpath_var"
+if test "$GCC" = yes; then
+  variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH"
+fi
+
+#
+# Do we need to explicitly link libc?
+#
+case "x$_LT_AC_TAGVAR(archive_cmds_need_lc, $1)" in
+x|xyes)
+  # Assume -lc should be added
+  _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=yes
+
+  if test "$enable_shared" = yes && test "$GCC" = yes; then
+    case $_LT_AC_TAGVAR(archive_cmds, $1) in
+    *'~'*)
+      # FIXME: we may have to deal with multi-command sequences.
+      ;;
+    '$CC '*)
+      # Test whether the compiler implicitly links with -lc since on some
+      # systems, -lgcc has to come before -lc. If gcc already passes -lc
+      # to ld, don't add -lc before -lgcc.
+      AC_MSG_CHECKING([whether -lc should be explicitly linked in])
+      $rm conftest*
+      printf "$lt_simple_compile_test_code" > conftest.$ac_ext
+
+      if AC_TRY_EVAL(ac_compile) 2>conftest.err; then
+        soname=conftest
+        lib=conftest
+        libobjs=conftest.$ac_objext
+        deplibs=
+        wl=$_LT_AC_TAGVAR(lt_prog_compiler_wl, $1)
+        compiler_flags=-v
+        linker_flags=-v
+        verstring=
+        output_objdir=.
+        libname=conftest
+        lt_save_allow_undefined_flag=$_LT_AC_TAGVAR(allow_undefined_flag, $1)
+        _LT_AC_TAGVAR(allow_undefined_flag, $1)=
+        if AC_TRY_EVAL(_LT_AC_TAGVAR(archive_cmds, $1) 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1)
+        then
+	  _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
+        else
+	  _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=yes
+        fi
+        _LT_AC_TAGVAR(allow_undefined_flag, $1)=$lt_save_allow_undefined_flag
+      else
+        cat conftest.err 1>&5
+      fi
+      $rm conftest*
+      AC_MSG_RESULT([$_LT_AC_TAGVAR(archive_cmds_need_lc, $1)])
+      ;;
+    esac
+  fi
+  ;;
+esac
+])# AC_LIBTOOL_PROG_LD_SHLIBS
+
+
+# _LT_AC_FILE_LTDLL_C
+# -------------------
+# Be careful that the start marker always follows a newline.
+AC_DEFUN([_LT_AC_FILE_LTDLL_C], [
+# /* ltdll.c starts here */
+# #define WIN32_LEAN_AND_MEAN
+# #include <windows.h>
+# #undef WIN32_LEAN_AND_MEAN
+# #include <stdio.h>
+#
+# #ifndef __CYGWIN__
+# #  ifdef __CYGWIN32__
+# #    define __CYGWIN__ __CYGWIN32__
+# #  endif
+# #endif
+#
+# #ifdef __cplusplus
+# extern "C" {
+# #endif
+# BOOL APIENTRY DllMain (HINSTANCE hInst, DWORD reason, LPVOID reserved);
+# #ifdef __cplusplus
+# }
+# #endif
+#
+# #ifdef __CYGWIN__
+# #include <cygwin/cygwin_dll.h>
+# DECLARE_CYGWIN_DLL( DllMain );
+# #endif
+# HINSTANCE __hDllInstance_base;
+#
+# BOOL APIENTRY
+# DllMain (HINSTANCE hInst, DWORD reason, LPVOID reserved)
+# {
+#   __hDllInstance_base = hInst;
+#   return TRUE;
+# }
+# /* ltdll.c ends here */
+])# _LT_AC_FILE_LTDLL_C
+
+
+# _LT_AC_TAGVAR(VARNAME, [TAGNAME])
+# ---------------------------------
+AC_DEFUN([_LT_AC_TAGVAR], [ifelse([$2], [], [$1], [$1_$2])])
+
+
+# old names
+AC_DEFUN([AM_PROG_LIBTOOL],   [AC_PROG_LIBTOOL])
+AC_DEFUN([AM_ENABLE_SHARED],  [AC_ENABLE_SHARED($@)])
+AC_DEFUN([AM_ENABLE_STATIC],  [AC_ENABLE_STATIC($@)])
+AC_DEFUN([AM_DISABLE_SHARED], [AC_DISABLE_SHARED($@)])
+AC_DEFUN([AM_DISABLE_STATIC], [AC_DISABLE_STATIC($@)])
+AC_DEFUN([AM_PROG_LD],        [AC_PROG_LD])
+AC_DEFUN([AM_PROG_NM],        [AC_PROG_NM])
+
+# This is just to silence aclocal about the macro not being used
+ifelse([AC_DISABLE_FAST_INSTALL])
+
+AC_DEFUN([LT_AC_PROG_GCJ],
+[AC_CHECK_TOOL(GCJ, gcj, no)
+  test "x${GCJFLAGS+set}" = xset || GCJFLAGS="-g -O2"
+  AC_SUBST(GCJFLAGS)
+])
+
+AC_DEFUN([LT_AC_PROG_RC],
+[AC_CHECK_TOOL(RC, windres, no)
+])
+
+############################################################
+# NOTE: This macro has been submitted for inclusion into   #
+#  GNU Autoconf as AC_PROG_SED.  When it is available in   #
+#  a released version of Autoconf we should remove this    #
+#  macro and use it instead.                               #
+############################################################
+# LT_AC_PROG_SED
+# --------------
+# Check for a fully-functional sed program, that truncates
+# as few characters as possible.  Prefer GNU sed if found.
+AC_DEFUN([LT_AC_PROG_SED],
+[AC_MSG_CHECKING([for a sed that does not truncate output])
+AC_CACHE_VAL(lt_cv_path_SED,
+[# Loop through the user's path and test for sed and gsed.
+# Then use that list of sed's as ones to test for truncation.
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for lt_ac_prog in sed gsed; do
+    for ac_exec_ext in '' $ac_executable_extensions; do
+      if $as_executable_p "$as_dir/$lt_ac_prog$ac_exec_ext"; then
+        lt_ac_sed_list="$lt_ac_sed_list $as_dir/$lt_ac_prog$ac_exec_ext"
+      fi
+    done
+  done
+done
+lt_ac_max=0
+lt_ac_count=0
+# Add /usr/xpg4/bin/sed as it is typically found on Solaris
+# along with /bin/sed that truncates output.
+for lt_ac_sed in $lt_ac_sed_list /usr/xpg4/bin/sed; do
+  test ! -f $lt_ac_sed && break
+  cat /dev/null > conftest.in
+  lt_ac_count=0
+  echo $ECHO_N "0123456789$ECHO_C" >conftest.in
+  # Check for GNU sed and select it if it is found.
+  if "$lt_ac_sed" --version 2>&1 < /dev/null | grep 'GNU' > /dev/null; then
+    lt_cv_path_SED=$lt_ac_sed
+    break
+  fi
+  while true; do
+    cat conftest.in conftest.in >conftest.tmp
+    mv conftest.tmp conftest.in
+    cp conftest.in conftest.nl
+    echo >>conftest.nl
+    $lt_ac_sed -e 's/a$//' < conftest.nl >conftest.out || break
+    cmp -s conftest.out conftest.nl || break
+    # 10000 chars as input seems more than enough
+    test $lt_ac_count -gt 10 && break
+    lt_ac_count=`expr $lt_ac_count + 1`
+    if test $lt_ac_count -gt $lt_ac_max; then
+      lt_ac_max=$lt_ac_count
+      lt_cv_path_SED=$lt_ac_sed
+    fi
+  done
+done
+SED=$lt_cv_path_SED
+])
+AC_MSG_RESULT([$SED])
+])
diff --git a/lib/bind/ltmain.sh b/lib/bind/ltmain.sh
new file mode 100644
index 00000000..96c58359
--- /dev/null
+++ b/lib/bind/ltmain.sh
@@ -0,0 +1,4950 @@
+# ltmain.sh - Provide generalized library-building support services.
+# NOTE: Changing this file will not affect anything until you rerun configure.
+#
+# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001
+# Free Software Foundation, Inc.
+# Originally by Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+#
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+# Check that we have a working $echo.
+if test "X$1" = X--no-reexec; then
+  # Discard the --no-reexec flag, and continue.
+  shift
+elif test "X$1" = X--fallback-echo; then
+  # Avoid inline document here, it may be left over
+  :
+elif test "X`($echo '\t') 2>/dev/null`" = 'X\t'; then
+  # Yippee, $echo works!
+  :
+else
+  # Restart under the correct shell, and then maybe $echo will work.
+  exec $SHELL "$0" --no-reexec ${1+"$@"}
+fi
+
+if test "X$1" = X--fallback-echo; then
+  # used as fallback echo
+  shift
+  cat <<EOF
+$*
+EOF
+  exit 0
+fi
+
+# The name of this program.
+progname=`$echo "$0" | sed 's%^.*/%%'`
+modename="$progname"
+
+# Constants.
+PROGRAM=ltmain.sh
+PACKAGE=libtool
+VERSION=1.4
+TIMESTAMP=" (1.920 2001/04/24 23:26:18)"
+
+default_mode=
+help="Try \`$progname --help' for more information."
+magic="%%%MAGIC variable%%%"
+mkdir="mkdir"
+mv="mv -f"
+rm="rm -f"
+
+# Sed substitution that helps us do robust quoting.  It backslashifies
+# metacharacters that are still active within double-quoted strings.
+Xsed='sed -e 1s/^X//'
+sed_quote_subst='s/\([\\`\\"$\\\\]\)/\\\1/g'
+SP2NL='tr \040 \012'
+NL2SP='tr \015\012 \040\040'
+
+# NLS nuisances.
+# Only set LANG and LC_ALL to C if already set.
+# These must not be set unconditionally because not all systems understand
+# e.g. LANG=C (notably SCO).
+# We save the old values to restore during execute mode.
+if test "${LC_ALL+set}" = set; then
+  save_LC_ALL="$LC_ALL"; LC_ALL=C; export LC_ALL
+fi
+if test "${LANG+set}" = set; then
+  save_LANG="$LANG"; LANG=C; export LANG
+fi
+
+if test "$build_libtool_libs" != yes && test "$build_old_libs" != yes; then
+  echo "$modename: not configured to build any kind of library" 1>&2
+  echo "Fatal configuration error.  See the $PACKAGE docs for more information." 1>&2
+  exit 1
+fi
+
+# Global variables.
+mode=$default_mode
+nonopt=
+prev=
+prevopt=
+run=
+show="$echo"
+show_help=
+execute_dlfiles=
+lo2o="s/\\.lo\$/.${objext}/"
+o2lo="s/\\.${objext}\$/.lo/"
+
+# Parse our command line options once, thoroughly.
+while test $# -gt 0
+do
+  arg="$1"
+  shift
+
+  case $arg in
+  -*=*) optarg=`$echo "X$arg" | $Xsed -e 's/[-_a-zA-Z0-9]*=//'` ;;
+  *) optarg= ;;
+  esac
+
+  # If the previous option needs an argument, assign it.
+  if test -n "$prev"; then
+    case $prev in
+    execute_dlfiles)
+      execute_dlfiles="$execute_dlfiles $arg"
+      ;;
+    *)
+      eval "$prev=\$arg"
+      ;;
+    esac
+
+    prev=
+    prevopt=
+    continue
+  fi
+
+  # Have we seen a non-optional argument yet?
+  case $arg in
+  --help)
+    show_help=yes
+    ;;
+
+  --version)
+    echo "$PROGRAM (GNU $PACKAGE) $VERSION$TIMESTAMP"
+    exit 0
+    ;;
+
+  --config)
+    sed -e '1,/^# ### BEGIN LIBTOOL CONFIG/d' -e '/^# ### END LIBTOOL CONFIG/,$d' $0
+    exit 0
+    ;;
+
+  --debug)
+    echo "$progname: enabling shell trace mode"
+    set -x
+    ;;
+
+  --dry-run | -n)
+    run=:
+    ;;
+
+  --features)
+    echo "host: $host"
+    if test "$build_libtool_libs" = yes; then
+      echo "enable shared libraries"
+    else
+      echo "disable shared libraries"
+    fi
+    if test "$build_old_libs" = yes; then
+      echo "enable static libraries"
+    else
+      echo "disable static libraries"
+    fi
+    exit 0
+    ;;
+
+  --finish) mode="finish" ;;
+
+  --mode) prevopt="--mode" prev=mode ;;
+  --mode=*) mode="$optarg" ;;
+
+  --quiet | --silent)
+    show=:
+    ;;
+
+  -dlopen)
+    prevopt="-dlopen"
+    prev=execute_dlfiles
+    ;;
+
+  -*)
+    $echo "$modename: unrecognized option \`$arg'" 1>&2
+    $echo "$help" 1>&2
+    exit 1
+    ;;
+
+  *)
+    nonopt="$arg"
+    break
+    ;;
+  esac
+done
+
+if test -n "$prevopt"; then
+  $echo "$modename: option \`$prevopt' requires an argument" 1>&2
+  $echo "$help" 1>&2
+  exit 1
+fi
+
+if test -z "$show_help"; then
+
+  # Infer the operation mode.
+  if test -z "$mode"; then
+    case $nonopt in
+    *cc | *++ | gcc* | *-gcc*)
+      mode=link
+      for arg
+      do
+	case $arg in
+	-c)
+	   mode=compile
+	   break
+	   ;;
+	esac
+      done
+      ;;
+    *db | *dbx | *strace | *truss)
+      mode=execute
+      ;;
+    *install*|cp|mv)
+      mode=install
+      ;;
+    *rm)
+      mode=uninstall
+      ;;
+    *)
+      # If we have no mode, but dlfiles were specified, then do execute mode.
+      test -n "$execute_dlfiles" && mode=execute
+
+      # Just use the default operation mode.
+      if test -z "$mode"; then
+	if test -n "$nonopt"; then
+	  $echo "$modename: warning: cannot infer operation mode from \`$nonopt'" 1>&2
+	else
+	  $echo "$modename: warning: cannot infer operation mode without MODE-ARGS" 1>&2
+	fi
+      fi
+      ;;
+    esac
+  fi
+
+  # Only execute mode is allowed to have -dlopen flags.
+  if test -n "$execute_dlfiles" && test "$mode" != execute; then
+    $echo "$modename: unrecognized option \`-dlopen'" 1>&2
+    $echo "$help" 1>&2
+    exit 1
+  fi
+
+  # Change the help message to a mode-specific one.
+  generic_help="$help"
+  help="Try \`$modename --help --mode=$mode' for more information."
+
+  # These modes are in order of execution frequency so that they run quickly.
+  case $mode in
+  # libtool compile mode
+  compile)
+    modename="$modename: compile"
+    # Get the compilation command and the source file.
+    base_compile=
+    prev=
+    lastarg=
+    srcfile="$nonopt"
+    suppress_output=
+
+    user_target=no
+    for arg
+    do
+      case $prev in
+      "") ;;
+      xcompiler)
+	# Aesthetically quote the previous argument.
+	prev=
+	lastarg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`
+
+	case $arg in
+	# Double-quote args containing other shell metacharacters.
+	# Many Bourne shells cannot handle close brackets correctly
+	# in scan sets, so we specify it separately.
+	*[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
+	  arg="\"$arg\""
+	  ;;
+	esac
+
+	# Add the previous argument to base_compile.
+	if test -z "$base_compile"; then
+	  base_compile="$lastarg"
+	else
+	  base_compile="$base_compile $lastarg"
+	fi
+	continue
+	;;
+      esac
+
+      # Accept any command-line options.
+      case $arg in
+      -o)
+	if test "$user_target" != "no"; then
+	  $echo "$modename: you cannot specify \`-o' more than once" 1>&2
+	  exit 1
+	fi
+	user_target=next
+	;;
+
+      -static)
+	build_old_libs=yes
+	continue
+	;;
+
+      -prefer-pic)
+	pic_mode=yes
+	continue
+	;;
+
+      -prefer-non-pic)
+	pic_mode=no
+	continue
+	;;
+
+      -Xcompiler)
+	prev=xcompiler
+	continue
+	;;
+
+      -Wc,*)
+	args=`$echo "X$arg" | $Xsed -e "s/^-Wc,//"`
+	lastarg=
+	IFS="${IFS= 	}"; save_ifs="$IFS"; IFS=','
+	for arg in $args; do
+	  IFS="$save_ifs"
+
+	  # Double-quote args containing other shell metacharacters.
+	  # Many Bourne shells cannot handle close brackets correctly
+	  # in scan sets, so we specify it separately.
+	  case $arg in
+	    *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
+	    arg="\"$arg\""
+	    ;;
+	  esac
+	  lastarg="$lastarg $arg"
+	done
+	IFS="$save_ifs"
+	lastarg=`$echo "X$lastarg" | $Xsed -e "s/^ //"`
+
+	# Add the arguments to base_compile.
+	if test -z "$base_compile"; then
+	  base_compile="$lastarg"
+	else
+	  base_compile="$base_compile $lastarg"
+	fi
+	continue
+	;;
+      esac
+
+      case $user_target in
+      next)
+	# The next one is the -o target name
+	user_target=yes
+	continue
+	;;
+      yes)
+	# We got the output file
+	user_target=set
+	libobj="$arg"
+	continue
+	;;
+      esac
+
+      # Accept the current argument as the source file.
+      lastarg="$srcfile"
+      srcfile="$arg"
+
+      # Aesthetically quote the previous argument.
+
+      # Backslashify any backslashes, double quotes, and dollar signs.
+      # These are the only characters that are still specially
+      # interpreted inside of double-quoted scrings.
+      lastarg=`$echo "X$lastarg" | $Xsed -e "$sed_quote_subst"`
+
+      # Double-quote args containing other shell metacharacters.
+      # Many Bourne shells cannot handle close brackets correctly
+      # in scan sets, so we specify it separately.
+      case $lastarg in
+      *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
+	lastarg="\"$lastarg\""
+	;;
+      esac
+
+      # Add the previous argument to base_compile.
+      if test -z "$base_compile"; then
+	base_compile="$lastarg"
+      else
+	base_compile="$base_compile $lastarg"
+      fi
+    done
+
+    case $user_target in
+    set)
+      ;;
+    no)
+      # Get the name of the library object.
+      libobj=`$echo "X$srcfile" | $Xsed -e 's%^.*/%%'`
+      ;;
+    *)
+      $echo "$modename: you must specify a target with \`-o'" 1>&2
+      exit 1
+      ;;
+    esac
+
+    # Recognize several different file suffixes.
+    # If the user specifies -o file.o, it is replaced with file.lo
+    xform='[cCFSfmso]'
+    case $libobj in
+    *.ada) xform=ada ;;
+    *.adb) xform=adb ;;
+    *.ads) xform=ads ;;
+    *.asm) xform=asm ;;
+    *.c++) xform=c++ ;;
+    *.cc) xform=cc ;;
+    *.cpp) xform=cpp ;;
+    *.cxx) xform=cxx ;;
+    *.f90) xform=f90 ;;
+    *.for) xform=for ;;
+    esac
+
+    libobj=`$echo "X$libobj" | $Xsed -e "s/\.$xform$/.lo/"`
+
+    case $libobj in
+    *.lo) obj=`$echo "X$libobj" | $Xsed -e "$lo2o"` ;;
+    *)
+      $echo "$modename: cannot determine name of library object from \`$libobj'" 1>&2
+      exit 1
+      ;;
+    esac
+
+    if test -z "$base_compile"; then
+      $echo "$modename: you must specify a compilation command" 1>&2
+      $echo "$help" 1>&2
+      exit 1
+    fi
+
+    # Delete any leftover library objects.
+    if test "$build_old_libs" = yes; then
+      removelist="$obj $libobj"
+    else
+      removelist="$libobj"
+    fi
+
+    $run $rm $removelist
+    trap "$run $rm $removelist; exit 1" 1 2 15
+
+    # On Cygwin there's no "real" PIC flag so we must build both object types
+    case $host_os in
+    cygwin* | mingw* | pw32* | os2*)
+      pic_mode=default
+      ;;
+    esac
+    if test $pic_mode = no && test "$deplibs_check_method" != pass_all; then
+      # non-PIC code in shared libraries is not supported
+      pic_mode=default
+    fi
+
+    # Calculate the filename of the output object if compiler does
+    # not support -o with -c
+    if test "$compiler_c_o" = no; then
+      output_obj=`$echo "X$srcfile" | $Xsed -e 's%^.*/%%' -e 's%\.[^.]*$%%'`.${objext}
+      lockfile="$output_obj.lock"
+      removelist="$removelist $output_obj $lockfile"
+      trap "$run $rm $removelist; exit 1" 1 2 15
+    else
+      need_locks=no
+      lockfile=
+    fi
+
+    # Lock this critical section if it is needed
+    # We use this script file to make the link, it avoids creating a new file
+    if test "$need_locks" = yes; then
+      until $run ln "$0" "$lockfile" 2>/dev/null; do
+	$show "Waiting for $lockfile to be removed"
+	sleep 2
+      done
+    elif test "$need_locks" = warn; then
+      if test -f "$lockfile"; then
+	echo "\
+*** ERROR, $lockfile exists and contains:
+`cat $lockfile 2>/dev/null`
+
+This indicates that another process is trying to use the same
+temporary object file, and libtool could not work around it because
+your compiler does not support \`-c' and \`-o' together.  If you
+repeat this compilation, it may succeed, by chance, but you had better
+avoid parallel builds (make -j) in this platform, or get a better
+compiler."
+
+	$run $rm $removelist
+	exit 1
+      fi
+      echo $srcfile > "$lockfile"
+    fi
+
+    if test -n "$fix_srcfile_path"; then
+      eval srcfile=\"$fix_srcfile_path\"
+    fi
+
+    # Only build a PIC object if we are building libtool libraries.
+    if test "$build_libtool_libs" = yes; then
+      # Without this assignment, base_compile gets emptied.
+      fbsd_hideous_sh_bug=$base_compile
+
+      if test "$pic_mode" != no; then
+	# All platforms use -DPIC, to notify preprocessed assembler code.
+	command="$base_compile $srcfile $pic_flag -DPIC"
+      else
+	# Don't build PIC code
+	command="$base_compile $srcfile"
+      fi
+      if test "$build_old_libs" = yes; then
+	lo_libobj="$libobj"
+	dir=`$echo "X$libobj" | $Xsed -e 's%/[^/]*$%%'`
+	if test "X$dir" = "X$libobj"; then
+	  dir="$objdir"
+	else
+	  dir="$dir/$objdir"
+	fi
+	libobj="$dir/"`$echo "X$libobj" | $Xsed -e 's%^.*/%%'`
+
+	if test -d "$dir"; then
+	  $show "$rm $libobj"
+	  $run $rm $libobj
+	else
+	  $show "$mkdir $dir"
+	  $run $mkdir $dir
+	  status=$?
+	  if test $status -ne 0 && test ! -d $dir; then
+	    exit $status
+	  fi
+	fi
+      fi
+      if test "$compiler_o_lo" = yes; then
+	output_obj="$libobj"
+	command="$command -o $output_obj"
+      elif test "$compiler_c_o" = yes; then
+	output_obj="$obj"
+	command="$command -o $output_obj"
+      fi
+
+      $run $rm "$output_obj"
+      $show "$command"
+      if $run eval "$command"; then :
+      else
+	test -n "$output_obj" && $run $rm $removelist
+	exit 1
+      fi
+
+      if test "$need_locks" = warn &&
+	 test x"`cat $lockfile 2>/dev/null`" != x"$srcfile"; then
+	echo "\
+*** ERROR, $lockfile contains:
+`cat $lockfile 2>/dev/null`
+
+but it should contain:
+$srcfile
+
+This indicates that another process is trying to use the same
+temporary object file, and libtool could not work around it because
+your compiler does not support \`-c' and \`-o' together.  If you
+repeat this compilation, it may succeed, by chance, but you had better
+avoid parallel builds (make -j) in this platform, or get a better
+compiler."
+
+	$run $rm $removelist
+	exit 1
+      fi
+
+      # Just move the object if needed, then go on to compile the next one
+      if test x"$output_obj" != x"$libobj"; then
+	$show "$mv $output_obj $libobj"
+	if $run $mv $output_obj $libobj; then :
+	else
+	  error=$?
+	  $run $rm $removelist
+	  exit $error
+	fi
+      fi
+
+      # If we have no pic_flag, then copy the object into place and finish.
+      if (test -z "$pic_flag" || test "$pic_mode" != default) &&
+	 test "$build_old_libs" = yes; then
+	# Rename the .lo from within objdir to obj
+	if test -f $obj; then
+	  $show $rm $obj
+	  $run $rm $obj
+	fi
+
+	$show "$mv $libobj $obj"
+	if $run $mv $libobj $obj; then :
+	else
+	  error=$?
+	  $run $rm $removelist
+	  exit $error
+	fi
+
+	xdir=`$echo "X$obj" | $Xsed -e 's%/[^/]*$%%'`
+	if test "X$xdir" = "X$obj"; then
+	  xdir="."
+	else
+	  xdir="$xdir"
+	fi
+	baseobj=`$echo "X$obj" | $Xsed -e "s%.*/%%"`
+	libobj=`$echo "X$baseobj" | $Xsed -e "$o2lo"`
+	# Now arrange that obj and lo_libobj become the same file
+	$show "(cd $xdir && $LN_S $baseobj $libobj)"
+	if $run eval '(cd $xdir && $LN_S $baseobj $libobj)'; then
+	  exit 0
+	else
+	  error=$?
+	  $run $rm $removelist
+	  exit $error
+	fi
+      fi
+
+      # Allow error messages only from the first compilation.
+      suppress_output=' >/dev/null 2>&1'
+    fi
+
+    # Only build a position-dependent object if we build old libraries.
+    if test "$build_old_libs" = yes; then
+      if test "$pic_mode" != yes; then
+	# Don't build PIC code
+	command="$base_compile $srcfile"
+      else
+	# All platforms use -DPIC, to notify preprocessed assembler code.
+	command="$base_compile $srcfile $pic_flag -DPIC"
+      fi
+      if test "$compiler_c_o" = yes; then
+	command="$command -o $obj"
+	output_obj="$obj"
+      fi
+
+      # Suppress compiler output if we already did a PIC compilation.
+      command="$command$suppress_output"
+      $run $rm "$output_obj"
+      $show "$command"
+      if $run eval "$command"; then :
+      else
+	$run $rm $removelist
+	exit 1
+      fi
+
+      if test "$need_locks" = warn &&
+	 test x"`cat $lockfile 2>/dev/null`" != x"$srcfile"; then
+	echo "\
+*** ERROR, $lockfile contains:
+`cat $lockfile 2>/dev/null`
+
+but it should contain:
+$srcfile
+
+This indicates that another process is trying to use the same
+temporary object file, and libtool could not work around it because
+your compiler does not support \`-c' and \`-o' together.  If you
+repeat this compilation, it may succeed, by chance, but you had better
+avoid parallel builds (make -j) in this platform, or get a better
+compiler."
+
+	$run $rm $removelist
+	exit 1
+      fi
+
+      # Just move the object if needed
+      if test x"$output_obj" != x"$obj"; then
+	$show "$mv $output_obj $obj"
+	if $run $mv $output_obj $obj; then :
+	else
+	  error=$?
+	  $run $rm $removelist
+	  exit $error
+	fi
+      fi
+
+      # Create an invalid libtool object if no PIC, so that we do not
+      # accidentally link it into a program.
+      if test "$build_libtool_libs" != yes; then
+	$show "echo timestamp > $libobj"
+	$run eval "echo timestamp > \$libobj" || exit $?
+      else
+	# Move the .lo from within objdir
+	$show "$mv $libobj $lo_libobj"
+	if $run $mv $libobj $lo_libobj; then :
+	else
+	  error=$?
+	  $run $rm $removelist
+	  exit $error
+	fi
+      fi
+    fi
+
+    # Unlock the critical section if it was locked
+    if test "$need_locks" != no; then
+      $run $rm "$lockfile"
+    fi
+
+    exit 0
+    ;;
+
+  # libtool link mode
+  link | relink)
+    modename="$modename: link"
+    case $host in
+    *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2*)
+      # It is impossible to link a dll without this setting, and
+      # we shouldn't force the makefile maintainer to figure out
+      # which system we are compiling for in order to pass an extra
+      # flag for every libtool invokation.
+      # allow_undefined=no
+
+      # FIXME: Unfortunately, there are problems with the above when trying
+      # to make a dll which has undefined symbols, in which case not
+      # even a static library is built.  For now, we need to specify
+      # -no-undefined on the libtool link line when we can be certain
+      # that all symbols are satisfied, otherwise we get a static library.
+      allow_undefined=yes
+      ;;
+    *-*-aix*)
+      allow_undefined=no
+      ;;
+    *)
+      allow_undefined=yes
+      ;;
+    esac
+    libtool_args="$nonopt"
+    compile_command="$nonopt"
+    finalize_command="$nonopt"
+
+    compile_rpath=
+    finalize_rpath=
+    compile_shlibpath=
+    finalize_shlibpath=
+    convenience=
+    old_convenience=
+    deplibs=
+    old_deplibs=
+    compiler_flags=
+    linker_flags=
+    dllsearchpath=
+    lib_search_path=`pwd`
+
+    avoid_version=no
+    dlfiles=
+    dlprefiles=
+    dlself=no
+    export_dynamic=no
+    export_symbols=
+    export_symbols_regex=
+    generated=
+    libobjs=
+    ltlibs=
+    module=no
+    no_install=no
+    objs=
+    prefer_static_libs=no
+    preload=no
+    prev=
+    prevarg=
+    release=
+    rpath=
+    xrpath=
+    perm_rpath=
+    temp_rpath=
+    thread_safe=no
+    vinfo=
+
+    # We need to know -static, to get the right output filenames.
+    for arg
+    do
+      case $arg in
+      -all-static | -static)
+	if test "X$arg" = "X-all-static"; then
+	  if test "$build_libtool_libs" = yes && test -z "$link_static_flag"; then
+	    $echo "$modename: warning: complete static linking is impossible in this configuration" 1>&2
+	  fi
+	  if test -n "$link_static_flag"; then
+	    dlopen_self=$dlopen_self_static
+	  fi
+	else
+	  if test -z "$pic_flag" && test -n "$link_static_flag"; then
+	    dlopen_self=$dlopen_self_static
+	  fi
+	fi
+	build_libtool_libs=no
+	build_old_libs=yes
+	prefer_static_libs=yes
+	break
+	;;
+      esac
+    done
+
+    # See if our shared archives depend on static archives.
+    test -n "$old_archive_from_new_cmds" && build_old_libs=yes
+
+    # Go through the arguments, transforming them on the way.
+    while test $# -gt 0; do
+      arg="$1"
+      shift
+      case $arg in
+      *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
+	qarg=\"`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`\" ### testsuite: skip nested quoting test
+	;;
+      *) qarg=$arg ;;
+      esac
+      libtool_args="$libtool_args $qarg"
+
+      # If the previous option needs an argument, assign it.
+      if test -n "$prev"; then
+	case $prev in
+	output)
+	  compile_command="$compile_command @OUTPUT@"
+	  finalize_command="$finalize_command @OUTPUT@"
+	  ;;
+	esac
+
+	case $prev in
+	dlfiles|dlprefiles)
+	  if test "$preload" = no; then
+	    # Add the symbol object into the linking commands.
+	    compile_command="$compile_command @SYMFILE@"
+	    finalize_command="$finalize_command @SYMFILE@"
+	    preload=yes
+	  fi
+	  case $arg in
+	  *.la | *.lo) ;;  # We handle these cases below.
+	  force)
+	    if test "$dlself" = no; then
+	      dlself=needless
+	      export_dynamic=yes
+	    fi
+	    prev=
+	    continue
+	    ;;
+	  self)
+	    if test "$prev" = dlprefiles; then
+	      dlself=yes
+	    elif test "$prev" = dlfiles && test "$dlopen_self" != yes; then
+	      dlself=yes
+	    else
+	      dlself=needless
+	      export_dynamic=yes
+	    fi
+	    prev=
+	    continue
+	    ;;
+	  *)
+	    if test "$prev" = dlfiles; then
+	      dlfiles="$dlfiles $arg"
+	    else
+	      dlprefiles="$dlprefiles $arg"
+	    fi
+	    prev=
+	    continue
+	    ;;
+	  esac
+	  ;;
+	expsyms)
+	  export_symbols="$arg"
+	  if test ! -f "$arg"; then
+	    $echo "$modename: symbol file \`$arg' does not exist"
+	    exit 1
+	  fi
+	  prev=
+	  continue
+	  ;;
+	expsyms_regex)
+	  export_symbols_regex="$arg"
+	  prev=
+	  continue
+	  ;;
+	release)
+	  release="-$arg"
+	  prev=
+	  continue
+	  ;;
+	rpath | xrpath)
+	  # We need an absolute path.
+	  case $arg in
+	  [\\/]* | [A-Za-z]:[\\/]*) ;;
+	  *)
+	    $echo "$modename: only absolute run-paths are allowed" 1>&2
+	    exit 1
+	    ;;
+	  esac
+	  if test "$prev" = rpath; then
+	    case "$rpath " in
+	    *" $arg "*) ;;
+	    *) rpath="$rpath $arg" ;;
+	    esac
+	  else
+	    case "$xrpath " in
+	    *" $arg "*) ;;
+	    *) xrpath="$xrpath $arg" ;;
+	    esac
+	  fi
+	  prev=
+	  continue
+	  ;;
+	xcompiler)
+	  compiler_flags="$compiler_flags $qarg"
+	  prev=
+	  compile_command="$compile_command $qarg"
+	  finalize_command="$finalize_command $qarg"
+	  continue
+	  ;;
+	xlinker)
+	  linker_flags="$linker_flags $qarg"
+	  compiler_flags="$compiler_flags $wl$qarg"
+	  prev=
+	  compile_command="$compile_command $wl$qarg"
+	  finalize_command="$finalize_command $wl$qarg"
+	  continue
+	  ;;
+	*)
+	  eval "$prev=\"\$arg\""
+	  prev=
+	  continue
+	  ;;
+	esac
+      fi # test -n $prev
+
+      prevarg="$arg"
+
+      case $arg in
+      -all-static)
+	if test -n "$link_static_flag"; then
+	  compile_command="$compile_command $link_static_flag"
+	  finalize_command="$finalize_command $link_static_flag"
+	fi
+	continue
+	;;
+
+      -allow-undefined)
+	# FIXME: remove this flag sometime in the future.
+	$echo "$modename: \`-allow-undefined' is deprecated because it is the default" 1>&2
+	allow_undefined=yes
+	continue
+	;;
+
+      -avoid-version)
+	avoid_version=yes
+	continue
+	;;
+
+      -dlopen)
+	prev=dlfiles
+	continue
+	;;
+
+      -dlpreopen)
+	prev=dlprefiles
+	continue
+	;;
+
+      -export-dynamic)
+	export_dynamic=yes
+	continue
+	;;
+
+      -export-symbols | -export-symbols-regex)
+	if test -n "$export_symbols" || test -n "$export_symbols_regex"; then
+	  $echo "$modename: more than one -exported-symbols argument is not allowed"
+	  exit 1
+	fi
+	if test "X$arg" = "X-export-symbols"; then
+	  prev=expsyms
+	else
+	  prev=expsyms_regex
+	fi
+	continue
+	;;
+
+      # The native IRIX linker understands -LANG:*, -LIST:* and -LNO:*
+      # so, if we see these flags be careful not to treat them like -L
+      -L[A-Z][A-Z]*:*)
+	case $with_gcc/$host in
+	no/*-*-irix*)
+	  compile_command="$compile_command $arg"
+	  finalize_command="$finalize_command $arg"
+	  ;;
+	esac
+	continue
+	;;
+
+      -L*)
+	dir=`$echo "X$arg" | $Xsed -e 's/^-L//'`
+	# We need an absolute path.
+	case $dir in
+	[\\/]* | [A-Za-z]:[\\/]*) ;;
+	*)
+	  absdir=`cd "$dir" && pwd`
+	  if test -z "$absdir"; then
+	    $echo "$modename: cannot determine absolute directory name of \`$dir'" 1>&2
+	    exit 1
+	  fi
+	  dir="$absdir"
+	  ;;
+	esac
+	case "$deplibs " in
+	*" -L$dir "*) ;;
+	*)
+	  deplibs="$deplibs -L$dir"
+	  lib_search_path="$lib_search_path $dir"
+	  ;;
+	esac
+	case $host in
+	*-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2*)
+	  case :$dllsearchpath: in
+	  *":$dir:"*) ;;
+	  *) dllsearchpath="$dllsearchpath:$dir";;
+	  esac
+	  ;;
+	esac
+	continue
+	;;
+
+      -l*)
+	if test "X$arg" = "X-lc" || test "X$arg" = "X-lm"; then
+	  case $host in
+	  *-*-cygwin* | *-*-pw32* | *-*-beos*)
+	    # These systems don't actually have a C or math library (as such)
+	    continue
+	    ;;
+	  *-*-mingw* | *-*-os2*)
+	    # These systems don't actually have a C library (as such)
+	    test "X$arg" = "X-lc" && continue
+	    ;;
+	  esac
+	fi
+	deplibs="$deplibs $arg"
+	continue
+	;;
+
+      -module)
+	module=yes
+	continue
+	;;
+
+      -no-fast-install)
+	fast_install=no
+	continue
+	;;
+
+      -no-install)
+	case $host in
+	*-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2*)
+	  # The PATH hackery in wrapper scripts is required on Windows
+	  # in order for the loader to find any dlls it needs.
+	  $echo "$modename: warning: \`-no-install' is ignored for $host" 1>&2
+	  $echo "$modename: warning: assuming \`-no-fast-install' instead" 1>&2
+	  fast_install=no
+	  ;;
+	*) no_install=yes ;;
+	esac
+	continue
+	;;
+
+      -no-undefined)
+	allow_undefined=no
+	continue
+	;;
+
+      -o) prev=output ;;
+
+      -release)
+	prev=release
+	continue
+	;;
+
+      -rpath)
+	prev=rpath
+	continue
+	;;
+
+      -R)
+	prev=xrpath
+	continue
+	;;
+
+      -R*)
+	dir=`$echo "X$arg" | $Xsed -e 's/^-R//'`
+	# We need an absolute path.
+	case $dir in
+	[\\/]* | [A-Za-z]:[\\/]*) ;;
+	*)
+	  $echo "$modename: only absolute run-paths are allowed" 1>&2
+	  exit 1
+	  ;;
+	esac
+	case "$xrpath " in
+	*" $dir "*) ;;
+	*) xrpath="$xrpath $dir" ;;
+	esac
+	continue
+	;;
+
+      -static)
+	# The effects of -static are defined in a previous loop.
+	# We used to do the same as -all-static on platforms that
+	# didn't have a PIC flag, but the assumption that the effects
+	# would be equivalent was wrong.  It would break on at least
+	# Digital Unix and AIX.
+	continue
+	;;
+
+      -thread-safe)
+	thread_safe=yes
+	continue
+	;;
+
+      -version-info)
+	prev=vinfo
+	continue
+	;;
+
+      -Wc,*)
+	args=`$echo "X$arg" | $Xsed -e "$sed_quote_subst" -e 's/^-Wc,//'`
+	arg=
+	IFS="${IFS= 	}"; save_ifs="$IFS"; IFS=','
+	for flag in $args; do
+	  IFS="$save_ifs"
+	  case $flag in
+	    *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
+	    flag="\"$flag\""
+	    ;;
+	  esac
+	  arg="$arg $wl$flag"
+	  compiler_flags="$compiler_flags $flag"
+	done
+	IFS="$save_ifs"
+	arg=`$echo "X$arg" | $Xsed -e "s/^ //"`
+	;;
+
+      -Wl,*)
+	args=`$echo "X$arg" | $Xsed -e "$sed_quote_subst" -e 's/^-Wl,//'`
+	arg=
+	IFS="${IFS= 	}"; save_ifs="$IFS"; IFS=','
+	for flag in $args; do
+	  IFS="$save_ifs"
+	  case $flag in
+	    *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
+	    flag="\"$flag\""
+	    ;;
+	  esac
+	  arg="$arg $wl$flag"
+	  compiler_flags="$compiler_flags $wl$flag"
+	  linker_flags="$linker_flags $flag"
+	done
+	IFS="$save_ifs"
+	arg=`$echo "X$arg" | $Xsed -e "s/^ //"`
+	;;
+
+      -Xcompiler)
+	prev=xcompiler
+	continue
+	;;
+
+      -Xlinker)
+	prev=xlinker
+	continue
+	;;
+
+      # Some other compiler flag.
+      -* | +*)
+	# Unknown arguments in both finalize_command and compile_command need
+	# to be aesthetically quoted because they are evaled later.
+	arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`
+	case $arg in
+	*[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
+	  arg="\"$arg\""
+	  ;;
+	esac
+	;;
+
+      *.lo | *.$objext)
+	# A library or standard object.
+	if test "$prev" = dlfiles; then
+	  # This file was specified with -dlopen.
+	  if test "$build_libtool_libs" = yes && test "$dlopen_support" = yes; then
+	    dlfiles="$dlfiles $arg"
+	    prev=
+	    continue
+	  else
+	    # If libtool objects are unsupported, then we need to preload.
+	    prev=dlprefiles
+	  fi
+	fi
+
+	if test "$prev" = dlprefiles; then
+	  # Preload the old-style object.
+	  dlprefiles="$dlprefiles "`$echo "X$arg" | $Xsed -e "$lo2o"`
+	  prev=
+	else
+	  case $arg in
+	  *.lo) libobjs="$libobjs $arg" ;;
+	  *) objs="$objs $arg" ;;
+	  esac
+	fi
+	;;
+
+      *.$libext)
+	# An archive.
+	deplibs="$deplibs $arg"
+	old_deplibs="$old_deplibs $arg"
+	continue
+	;;
+
+      *.la)
+	# A libtool-controlled library.
+
+	if test "$prev" = dlfiles; then
+	  # This library was specified with -dlopen.
+	  dlfiles="$dlfiles $arg"
+	  prev=
+	elif test "$prev" = dlprefiles; then
+	  # The library was specified with -dlpreopen.
+	  dlprefiles="$dlprefiles $arg"
+	  prev=
+	else
+	  deplibs="$deplibs $arg"
+	fi
+	continue
+	;;
+
+      # Some other compiler argument.
+      *)
+	# Unknown arguments in both finalize_command and compile_command need
+	# to be aesthetically quoted because they are evaled later.
+	arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`
+	case $arg in
+	*[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
+	  arg="\"$arg\""
+	  ;;
+	esac
+	;;
+      esac # arg
+
+      # Now actually substitute the argument into the commands.
+      if test -n "$arg"; then
+	compile_command="$compile_command $arg"
+	finalize_command="$finalize_command $arg"
+      fi
+    done # argument parsing loop
+
+    if test -n "$prev"; then
+      $echo "$modename: the \`$prevarg' option requires an argument" 1>&2
+      $echo "$help" 1>&2
+      exit 1
+    fi
+
+    if test "$export_dynamic" = yes && test -n "$export_dynamic_flag_spec"; then
+      eval arg=\"$export_dynamic_flag_spec\"
+      compile_command="$compile_command $arg"
+      finalize_command="$finalize_command $arg"
+    fi
+
+    # calculate the name of the file, without its directory
+    outputname=`$echo "X$output" | $Xsed -e 's%^.*/%%'`
+    libobjs_save="$libobjs"
+
+    if test -n "$shlibpath_var"; then
+      # get the directories listed in $shlibpath_var
+      eval shlib_search_path=\`\$echo \"X\${$shlibpath_var}\" \| \$Xsed -e \'s/:/ /g\'\`
+    else
+      shlib_search_path=
+    fi
+    eval sys_lib_search_path=\"$sys_lib_search_path_spec\"
+    eval sys_lib_dlsearch_path=\"$sys_lib_dlsearch_path_spec\"
+
+    output_objdir=`$echo "X$output" | $Xsed -e 's%/[^/]*$%%'`
+    if test "X$output_objdir" = "X$output"; then
+      output_objdir="$objdir"
+    else
+      output_objdir="$output_objdir/$objdir"
+    fi
+    # Create the object directory.
+    if test ! -d $output_objdir; then
+      $show "$mkdir $output_objdir"
+      $run $mkdir $output_objdir
+      status=$?
+      if test $status -ne 0 && test ! -d $output_objdir; then
+	exit $status
+      fi
+    fi
+
+    # Determine the type of output
+    case $output in
+    "")
+      $echo "$modename: you must specify an output file" 1>&2
+      $echo "$help" 1>&2
+      exit 1
+      ;;
+    *.$libext) linkmode=oldlib ;;
+    *.lo | *.$objext) linkmode=obj ;;
+    *.la) linkmode=lib ;;
+    *) linkmode=prog ;; # Anything else should be a program.
+    esac
+
+    specialdeplibs=
+    libs=
+    # Find all interdependent deplibs by searching for libraries
+    # that are linked more than once (e.g. -la -lb -la)
+    for deplib in $deplibs; do
+      case "$libs " in
+      *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;;
+      esac
+      libs="$libs $deplib"
+    done
+    deplibs=
+    newdependency_libs=
+    newlib_search_path=
+    need_relink=no # whether we're linking any uninstalled libtool libraries
+    notinst_deplibs= # not-installed libtool libraries
+    notinst_path= # paths that contain not-installed libtool libraries
+    case $linkmode in
+    lib)
+	passes="conv link"
+	for file in $dlfiles $dlprefiles; do
+	  case $file in
+	  *.la) ;;
+	  *)
+	    $echo "$modename: libraries can \`-dlopen' only libtool libraries: $file" 1>&2
+	    exit 1
+	    ;;
+	  esac
+	done
+	;;
+    prog)
+	compile_deplibs=
+	finalize_deplibs=
+	alldeplibs=no
+	newdlfiles=
+	newdlprefiles=
+	passes="conv scan dlopen dlpreopen link"
+	;;
+    *)  passes="conv"
+	;;
+    esac
+    for pass in $passes; do
+      if test $linkmode = prog; then
+	# Determine which files to process
+	case $pass in
+	dlopen)
+	  libs="$dlfiles"
+	  save_deplibs="$deplibs" # Collect dlpreopened libraries
+	  deplibs=
+	  ;;
+	dlpreopen) libs="$dlprefiles" ;;
+	link) libs="$deplibs %DEPLIBS% $dependency_libs" ;;
+	esac
+      fi
+      for deplib in $libs; do
+	lib=
+	found=no
+	case $deplib in
+	-l*)
+	  if test $linkmode = oldlib && test $linkmode = obj; then
+	    $echo "$modename: warning: \`-l' is ignored for archives/objects: $deplib" 1>&2
+	    continue
+	  fi
+	  if test $pass = conv; then
+	    deplibs="$deplib $deplibs"
+	    continue
+	  fi
+	  name=`$echo "X$deplib" | $Xsed -e 's/^-l//'`
+	  for searchdir in $newlib_search_path $lib_search_path $sys_lib_search_path $shlib_search_path; do
+	    # Search the libtool library
+	    lib="$searchdir/lib${name}.la"
+	    if test -f "$lib"; then
+	      found=yes
+	      break
+	    fi
+	  done
+	  if test "$found" != yes; then
+	    # deplib doesn't seem to be a libtool library
+	    if test "$linkmode,$pass" = "prog,link"; then
+	      compile_deplibs="$deplib $compile_deplibs"
+	      finalize_deplibs="$deplib $finalize_deplibs"
+	    else
+	      deplibs="$deplib $deplibs"
+	      test $linkmode = lib && newdependency_libs="$deplib $newdependency_libs"
+	    fi
+	    continue
+	  fi
+	  ;; # -l
+	-L*)
+	  case $linkmode in
+	  lib)
+	    deplibs="$deplib $deplibs"
+	    test $pass = conv && continue
+	    newdependency_libs="$deplib $newdependency_libs"
+	    newlib_search_path="$newlib_search_path "`$echo "X$deplib" | $Xsed -e 's/^-L//'`
+	    ;;
+	  prog)
+	    if test $pass = conv; then
+	      deplibs="$deplib $deplibs"
+	      continue
+	    fi
+	    if test $pass = scan; then
+	      deplibs="$deplib $deplibs"
+	      newlib_search_path="$newlib_search_path "`$echo "X$deplib" | $Xsed -e 's/^-L//'`
+	    else
+	      compile_deplibs="$deplib $compile_deplibs"
+	      finalize_deplibs="$deplib $finalize_deplibs"
+	    fi
+	    ;;
+	  *)
+	    $echo "$modename: warning: \`-L' is ignored for archives/objects: $deplib" 1>&2
+	    ;;
+	  esac # linkmode
+	  continue
+	  ;; # -L
+	-R*)
+	  if test $pass = link; then
+	    dir=`$echo "X$deplib" | $Xsed -e 's/^-R//'`
+	    # Make sure the xrpath contains only unique directories.
+	    case "$xrpath " in
+	    *" $dir "*) ;;
+	    *) xrpath="$xrpath $dir" ;;
+	    esac
+	  fi
+	  deplibs="$deplib $deplibs"
+	  continue
+	  ;;
+	*.la) lib="$deplib" ;;
+	*.$libext)
+	  if test $pass = conv; then
+	    deplibs="$deplib $deplibs"
+	    continue
+	  fi
+	  case $linkmode in
+	  lib)
+	    if test "$deplibs_check_method" != pass_all; then
+	      echo
+	      echo "*** Warning: This library needs some functionality provided by $deplib."
+	      echo "*** I have the capability to make that library automatically link in when"
+	      echo "*** you link to this library.  But I can only do this if you have a"
+	      echo "*** shared version of the library, which you do not appear to have."
+	    else
+	      echo
+	      echo "*** Warning: Linking the shared library $output against the"
+	      echo "*** static library $deplib is not portable!"
+	      deplibs="$deplib $deplibs"
+	    fi
+	    continue
+	    ;;
+	  prog)
+	    if test $pass != link; then
+	      deplibs="$deplib $deplibs"
+	    else
+	      compile_deplibs="$deplib $compile_deplibs"
+	      finalize_deplibs="$deplib $finalize_deplibs"
+	    fi
+	    continue
+	    ;;
+	  esac # linkmode
+	  ;; # *.$libext
+	*.lo | *.$objext)
+	  if test $pass = dlpreopen || test "$dlopen_support" != yes || test "$build_libtool_libs" = no; then
+	    # If there is no dlopen support or we're linking statically,
+	    # we need to preload.
+	    newdlprefiles="$newdlprefiles $deplib"
+	    compile_deplibs="$deplib $compile_deplibs"
+	    finalize_deplibs="$deplib $finalize_deplibs"
+	  else
+	    newdlfiles="$newdlfiles $deplib"
+	  fi
+	  continue
+	  ;;
+	%DEPLIBS%)
+	  alldeplibs=yes
+	  continue
+	  ;;
+	esac # case $deplib
+	if test $found = yes || test -f "$lib"; then :
+	else
+	  $echo "$modename: cannot find the library \`$lib'" 1>&2
+	  exit 1
+	fi
+
+	# Check to see that this really is a libtool archive.
+	if (sed -e '2q' $lib | egrep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then :
+	else
+	  $echo "$modename: \`$lib' is not a valid libtool archive" 1>&2
+	  exit 1
+	fi
+
+	ladir=`$echo "X$lib" | $Xsed -e 's%/[^/]*$%%'`
+	test "X$ladir" = "X$lib" && ladir="."
+
+	dlname=
+	dlopen=
+	dlpreopen=
+	libdir=
+	library_names=
+	old_library=
+	# If the library was installed with an old release of libtool,
+	# it will not redefine variable installed.
+	installed=yes
+
+	# Read the .la file
+	case $lib in
+	*/* | *\\*) . $lib ;;
+	*) . ./$lib ;;
+	esac
+
+	if test "$linkmode,$pass" = "lib,link" ||
+	   test "$linkmode,$pass" = "prog,scan" ||
+	   { test $linkmode = oldlib && test $linkmode = obj; }; then
+	   # Add dl[pre]opened files of deplib
+	  test -n "$dlopen" && dlfiles="$dlfiles $dlopen"
+	  test -n "$dlpreopen" && dlprefiles="$dlprefiles $dlpreopen"
+	fi
+
+	if test $pass = conv; then
+	  # Only check for convenience libraries
+	  deplibs="$lib $deplibs"
+	  if test -z "$libdir"; then
+	    if test -z "$old_library"; then
+	      $echo "$modename: cannot find name of link library for \`$lib'" 1>&2
+	      exit 1
+	    fi
+	    # It is a libtool convenience library, so add in its objects.
+	    convenience="$convenience $ladir/$objdir/$old_library"
+	    old_convenience="$old_convenience $ladir/$objdir/$old_library"
+	    tmp_libs=
+	    for deplib in $dependency_libs; do
+	      deplibs="$deplib $deplibs"
+	      case "$tmp_libs " in
+	      *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;;
+	      esac
+	      tmp_libs="$tmp_libs $deplib"
+	    done
+	  elif test $linkmode != prog && test $linkmode != lib; then
+	    $echo "$modename: \`$lib' is not a convenience library" 1>&2
+	    exit 1
+	  fi
+	  continue
+	fi # $pass = conv
+
+	# Get the name of the library we link against.
+	linklib=
+	for l in $old_library $library_names; do
+	  linklib="$l"
+	done
+	if test -z "$linklib"; then
+	  $echo "$modename: cannot find name of link library for \`$lib'" 1>&2
+	  exit 1
+	fi
+
+	# This library was specified with -dlopen.
+	if test $pass = dlopen; then
+	  if test -z "$libdir"; then
+	    $echo "$modename: cannot -dlopen a convenience library: \`$lib'" 1>&2
+	    exit 1
+	  fi
+	  if test -z "$dlname" || test "$dlopen_support" != yes || test "$build_libtool_libs" = no; then
+	    # If there is no dlname, no dlopen support or we're linking
+	    # statically, we need to preload.
+	    dlprefiles="$dlprefiles $lib"
+	  else
+	    newdlfiles="$newdlfiles $lib"
+	  fi
+	  continue
+	fi # $pass = dlopen
+
+	# We need an absolute path.
+	case $ladir in
+	[\\/]* | [A-Za-z]:[\\/]*) abs_ladir="$ladir" ;;
+	*)
+	  abs_ladir=`cd "$ladir" && pwd`
+	  if test -z "$abs_ladir"; then
+	    $echo "$modename: warning: cannot determine absolute directory name of \`$ladir'" 1>&2
+	    $echo "$modename: passing it literally to the linker, although it might fail" 1>&2
+	    abs_ladir="$ladir"
+	  fi
+	  ;;
+	esac
+	laname=`$echo "X$lib" | $Xsed -e 's%^.*/%%'`
+
+	# Find the relevant object directory and library name.
+	if test "X$installed" = Xyes; then
+	  if test ! -f "$libdir/$linklib" && test -f "$abs_ladir/$linklib"; then
+	    $echo "$modename: warning: library \`$lib' was moved." 1>&2
+	    dir="$ladir"
+	    absdir="$abs_ladir"
+	    libdir="$abs_ladir"
+	  else
+	    dir="$libdir"
+	    absdir="$libdir"
+	  fi
+	else
+	  dir="$ladir/$objdir"
+	  absdir="$abs_ladir/$objdir"
+	  # Remove this search path later
+	  notinst_path="$notinst_path $abs_ladir"
+	fi # $installed = yes
+	name=`$echo "X$laname" | $Xsed -e 's/\.la$//' -e 's/^lib//'`
+
+	# This library was specified with -dlpreopen.
+	if test $pass = dlpreopen; then
+	  if test -z "$libdir"; then
+	    $echo "$modename: cannot -dlpreopen a convenience library: \`$lib'" 1>&2
+	    exit 1
+	  fi
+	  # Prefer using a static library (so that no silly _DYNAMIC symbols
+	  # are required to link).
+	  if test -n "$old_library"; then
+	    newdlprefiles="$newdlprefiles $dir/$old_library"
+	  # Otherwise, use the dlname, so that lt_dlopen finds it.
+	  elif test -n "$dlname"; then
+	    newdlprefiles="$newdlprefiles $dir/$dlname"
+	  else
+	    newdlprefiles="$newdlprefiles $dir/$linklib"
+	  fi
+	fi # $pass = dlpreopen
+
+	if test -z "$libdir"; then
+	  # Link the convenience library
+	  if test $linkmode = lib; then
+	    deplibs="$dir/$old_library $deplibs"
+	  elif test "$linkmode,$pass" = "prog,link"; then
+	    compile_deplibs="$dir/$old_library $compile_deplibs"
+	    finalize_deplibs="$dir/$old_library $finalize_deplibs"
+	  else
+	    deplibs="$lib $deplibs"
+	  fi
+	  continue
+	fi
+
+	if test $linkmode = prog && test $pass != link; then
+	  newlib_search_path="$newlib_search_path $ladir"
+	  deplibs="$lib $deplibs"
+
+	  linkalldeplibs=no
+	  if test "$link_all_deplibs" != no || test -z "$library_names" ||
+	     test "$build_libtool_libs" = no; then
+	    linkalldeplibs=yes
+	  fi
+
+	  tmp_libs=
+	  for deplib in $dependency_libs; do
+	    case $deplib in
+	    -L*) newlib_search_path="$newlib_search_path "`$echo "X$deplib" | $Xsed -e 's/^-L//'`;; ### testsuite: skip nested quoting test
+	    esac
+	    # Need to link against all dependency_libs?
+	    if test $linkalldeplibs = yes; then
+	      deplibs="$deplib $deplibs"
+	    else
+	      # Need to hardcode shared library paths
+	      # or/and link against static libraries
+	      newdependency_libs="$deplib $newdependency_libs"
+	    fi
+	    case "$tmp_libs " in
+	    *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;;
+	    esac
+	    tmp_libs="$tmp_libs $deplib"
+	  done # for deplib
+	  continue
+	fi # $linkmode = prog...
+
+	link_static=no # Whether the deplib will be linked statically
+	if test -n "$library_names" &&
+	   { test "$prefer_static_libs" = no || test -z "$old_library"; }; then
+	  # Link against this shared library
+
+	  if test "$linkmode,$pass" = "prog,link" ||
+	   { test $linkmode = lib && test $hardcode_into_libs = yes; }; then
+	    # Hardcode the library path.
+	    # Skip directories that are in the system default run-time
+	    # search path.
+	    case " $sys_lib_dlsearch_path " in
+	    *" $absdir "*) ;;
+	    *)
+	      case "$compile_rpath " in
+	      *" $absdir "*) ;;
+	      *) compile_rpath="$compile_rpath $absdir"
+	      esac
+	      ;;
+	    esac
+	    case " $sys_lib_dlsearch_path " in
+	    *" $libdir "*) ;;
+	    *)
+	      case "$finalize_rpath " in
+	      *" $libdir "*) ;;
+	      *) finalize_rpath="$finalize_rpath $libdir"
+	      esac
+	      ;;
+	    esac
+	    if test $linkmode = prog; then
+	      # We need to hardcode the library path
+	      if test -n "$shlibpath_var"; then
+		# Make sure the rpath contains only unique directories.
+		case "$temp_rpath " in
+		*" $dir "*) ;;
+		*" $absdir "*) ;;
+		*) temp_rpath="$temp_rpath $dir" ;;
+		esac
+	      fi
+	    fi
+	  fi # $linkmode,$pass = prog,link...
+
+	  if test "$alldeplibs" = yes &&
+	     { test "$deplibs_check_method" = pass_all ||
+	       { test "$build_libtool_libs" = yes &&
+		 test -n "$library_names"; }; }; then
+	    # We only need to search for static libraries
+	    continue
+	  fi
+
+	  if test "$installed" = no; then
+	    notinst_deplibs="$notinst_deplibs $lib"
+	    need_relink=yes
+	  fi
+
+	  if test -n "$old_archive_from_expsyms_cmds"; then
+	    # figure out the soname
+	    set dummy $library_names
+	    realname="$2"
+	    shift; shift
+	    libname=`eval \\$echo \"$libname_spec\"`
+	    # use dlname if we got it. it's perfectly good, no?
+	    if test -n "$dlname"; then
+	      soname="$dlname"
+	    elif test -n "$soname_spec"; then
+	      # bleh windows
+	      case $host in
+	      *cygwin*)
+		major=`expr $current - $age`
+		versuffix="-$major"
+		;;
+	      esac
+	      eval soname=\"$soname_spec\"
+	    else
+	      soname="$realname"
+	    fi
+
+	    # Make a new name for the extract_expsyms_cmds to use
+	    soroot="$soname"
+	    soname=`echo $soroot | sed -e 's/^.*\///'`
+	    newlib="libimp-`echo $soname | sed 's/^lib//;s/\.dll$//'`.a"
+
+	    # If the library has no export list, then create one now
+	    if test -f "$output_objdir/$soname-def"; then :
+	    else
+	      $show "extracting exported symbol list from \`$soname'"
+	      IFS="${IFS= 	}"; save_ifs="$IFS"; IFS='~'
+	      eval cmds=\"$extract_expsyms_cmds\"
+	      for cmd in $cmds; do
+		IFS="$save_ifs"
+		$show "$cmd"
+		$run eval "$cmd" || exit $?
+	      done
+	      IFS="$save_ifs"
+	    fi
+
+	    # Create $newlib
+	    if test -f "$output_objdir/$newlib"; then :; else
+	      $show "generating import library for \`$soname'"
+	      IFS="${IFS= 	}"; save_ifs="$IFS"; IFS='~'
+	      eval cmds=\"$old_archive_from_expsyms_cmds\"
+	      for cmd in $cmds; do
+		IFS="$save_ifs"
+		$show "$cmd"
+		$run eval "$cmd" || exit $?
+	      done
+	      IFS="$save_ifs"
+	    fi
+	    # make sure the library variables are pointing to the new library
+	    dir=$output_objdir
+	    linklib=$newlib
+	  fi # test -n $old_archive_from_expsyms_cmds
+
+	  if test $linkmode = prog || test "$mode" != relink; then
+	    add_shlibpath=
+	    add_dir=
+	    add=
+	    lib_linked=yes
+	    case $hardcode_action in
+	    immediate | unsupported)
+	      if test "$hardcode_direct" = no; then
+		add="$dir/$linklib"
+	      elif test "$hardcode_minus_L" = no; then
+		case $host in
+		*-*-sunos*) add_shlibpath="$dir" ;;
+		esac
+		add_dir="-L$dir"
+		add="-l$name"
+	      elif test "$hardcode_shlibpath_var" = no; then
+		add_shlibpath="$dir"
+		add="-l$name"
+	      else
+		lib_linked=no
+	      fi
+	      ;;
+	    relink)
+	      if test "$hardcode_direct" = yes; then
+		add="$dir/$linklib"
+	      elif test "$hardcode_minus_L" = yes; then
+		add_dir="-L$dir"
+		add="-l$name"
+	      elif test "$hardcode_shlibpath_var" = yes; then
+		add_shlibpath="$dir"
+		add="-l$name"
+	      else
+		lib_linked=no
+	      fi
+	      ;;
+	    *) lib_linked=no ;;
+	    esac
+
+	    if test "$lib_linked" != yes; then
+	      $echo "$modename: configuration error: unsupported hardcode properties"
+	      exit 1
+	    fi
+
+	    if test -n "$add_shlibpath"; then
+	      case :$compile_shlibpath: in
+	      *":$add_shlibpath:"*) ;;
+	      *) compile_shlibpath="$compile_shlibpath$add_shlibpath:" ;;
+	      esac
+	    fi
+	    if test $linkmode = prog; then
+	      test -n "$add_dir" && compile_deplibs="$add_dir $compile_deplibs"
+	      test -n "$add" && compile_deplibs="$add $compile_deplibs"
+	    else
+	      test -n "$add_dir" && deplibs="$add_dir $deplibs"
+	      test -n "$add" && deplibs="$add $deplibs"
+	      if test "$hardcode_direct" != yes && \
+		 test "$hardcode_minus_L" != yes && \
+		 test "$hardcode_shlibpath_var" = yes; then
+		case :$finalize_shlibpath: in
+		*":$libdir:"*) ;;
+		*) finalize_shlibpath="$finalize_shlibpath$libdir:" ;;
+		esac
+	      fi
+	    fi
+	  fi
+
+	  if test $linkmode = prog || test "$mode" = relink; then
+	    add_shlibpath=
+	    add_dir=
+	    add=
+	    # Finalize command for both is simple: just hardcode it.
+	    if test "$hardcode_direct" = yes; then
+	      add="$libdir/$linklib"
+	    elif test "$hardcode_minus_L" = yes; then
+	      add_dir="-L$libdir"
+	      add="-l$name"
+	    elif test "$hardcode_shlibpath_var" = yes; then
+	      case :$finalize_shlibpath: in
+	      *":$libdir:"*) ;;
+	      *) finalize_shlibpath="$finalize_shlibpath$libdir:" ;;
+	      esac
+	      add="-l$name"
+	    else
+	      # We cannot seem to hardcode it, guess we'll fake it.
+	      add_dir="-L$libdir"
+	      add="-l$name"
+	    fi
+
+	    if test $linkmode = prog; then
+	      test -n "$add_dir" && finalize_deplibs="$add_dir $finalize_deplibs"
+	      test -n "$add" && finalize_deplibs="$add $finalize_deplibs"
+	    else
+	      test -n "$add_dir" && deplibs="$add_dir $deplibs"
+	      test -n "$add" && deplibs="$add $deplibs"
+	    fi
+	  fi
+	elif test $linkmode = prog; then
+	  if test "$alldeplibs" = yes &&
+	     { test "$deplibs_check_method" = pass_all ||
+	       { test "$build_libtool_libs" = yes &&
+		 test -n "$library_names"; }; }; then
+	    # We only need to search for static libraries
+	    continue
+	  fi
+
+	  # Try to link the static library
+	  # Here we assume that one of hardcode_direct or hardcode_minus_L
+	  # is not unsupported.  This is valid on all known static and
+	  # shared platforms.
+	  if test "$hardcode_direct" != unsupported; then
+	    test -n "$old_library" && linklib="$old_library"
+	    compile_deplibs="$dir/$linklib $compile_deplibs"
+	    finalize_deplibs="$dir/$linklib $finalize_deplibs"
+	  else
+	    compile_deplibs="-l$name -L$dir $compile_deplibs"
+	    finalize_deplibs="-l$name -L$dir $finalize_deplibs"
+	  fi
+	elif test "$build_libtool_libs" = yes; then
+	  # Not a shared library
+	  if test "$deplibs_check_method" != pass_all; then
+	    # We're trying link a shared library against a static one
+	    # but the system doesn't support it.
+
+	    # Just print a warning and add the library to dependency_libs so
+	    # that the program can be linked against the static library.
+	    echo
+	    echo "*** Warning: This library needs some functionality provided by $lib."
+	    echo "*** I have the capability to make that library automatically link in when"
+	    echo "*** you link to this library.  But I can only do this if you have a"
+	    echo "*** shared version of the library, which you do not appear to have."
+	    if test "$module" = yes; then
+	      echo "*** Therefore, libtool will create a static module, that should work "
+	      echo "*** as long as the dlopening application is linked with the -dlopen flag."
+	      if test -z "$global_symbol_pipe"; then
+	        echo
+	        echo "*** However, this would only work if libtool was able to extract symbol"
+	        echo "*** lists from a program, using \`nm' or equivalent, but libtool could"
+	        echo "*** not find such a program.  So, this module is probably useless."
+	        echo "*** \`nm' from GNU binutils and a full rebuild may help."
+	      fi
+	      if test "$build_old_libs" = no; then
+	        build_libtool_libs=module
+	        build_old_libs=yes
+	      else
+	        build_libtool_libs=no
+	      fi
+	    fi
+	  else
+	    convenience="$convenience $dir/$old_library"
+	    old_convenience="$old_convenience $dir/$old_library"
+	    deplibs="$dir/$old_library $deplibs"
+	    link_static=yes
+	  fi
+	fi # link shared/static library?
+
+	if test $linkmode = lib; then
+	  if test -n "$dependency_libs" &&
+	     { test $hardcode_into_libs != yes || test $build_old_libs = yes ||
+	       test $link_static = yes; }; then
+	    # Extract -R from dependency_libs
+	    temp_deplibs=
+	    for libdir in $dependency_libs; do
+	      case $libdir in
+	      -R*) temp_xrpath=`$echo "X$libdir" | $Xsed -e 's/^-R//'`
+		   case " $xrpath " in
+		   *" $temp_xrpath "*) ;;
+		   *) xrpath="$xrpath $temp_xrpath";;
+		   esac;;
+	      *) temp_deplibs="$temp_deplibs $libdir";;
+	      esac
+	    done
+	    dependency_libs="$temp_deplibs"
+	  fi
+
+	  newlib_search_path="$newlib_search_path $absdir"
+	  # Link against this library
+	  test "$link_static" = no && newdependency_libs="$abs_ladir/$laname $newdependency_libs"
+	  # ... and its dependency_libs
+	  tmp_libs=
+	  for deplib in $dependency_libs; do
+	    newdependency_libs="$deplib $newdependency_libs"
+	    case "$tmp_libs " in
+	    *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;;
+	    esac
+	    tmp_libs="$tmp_libs $deplib"
+	  done
+
+	  if test $link_all_deplibs != no; then
+	    # Add the search paths of all dependency libraries
+	    for deplib in $dependency_libs; do
+	      case $deplib in
+	      -L*) path="$deplib" ;;
+	      *.la)
+		dir=`$echo "X$deplib" | $Xsed -e 's%/[^/]*$%%'`
+		test "X$dir" = "X$deplib" && dir="."
+		# We need an absolute path.
+		case $dir in
+		[\\/]* | [A-Za-z]:[\\/]*) absdir="$dir" ;;
+		*)
+		  absdir=`cd "$dir" && pwd`
+		  if test -z "$absdir"; then
+		    $echo "$modename: warning: cannot determine absolute directory name of \`$dir'" 1>&2
+		    absdir="$dir"
+		  fi
+		  ;;
+		esac
+		if grep "^installed=no" $deplib > /dev/null; then
+		  path="-L$absdir/$objdir"
+		else
+		  eval libdir=`sed -n -e 's/^libdir=\(.*\)$/\1/p' $deplib`
+		  if test -z "$libdir"; then
+		    $echo "$modename: \`$deplib' is not a valid libtool archive" 1>&2
+		    exit 1
+		  fi
+		  if test "$absdir" != "$libdir"; then
+		    $echo "$modename: warning: \`$deplib' seems to be moved" 1>&2
+		  fi
+		  path="-L$absdir"
+		fi
+		;;
+	      *) continue ;;
+	      esac
+	      case " $deplibs " in
+	      *" $path "*) ;;
+	      *) deplibs="$deplibs $path" ;;
+	      esac
+	    done
+	  fi # link_all_deplibs != no
+	fi # linkmode = lib
+      done # for deplib in $libs
+      if test $pass = dlpreopen; then
+	# Link the dlpreopened libraries before other libraries
+	for deplib in $save_deplibs; do
+	  deplibs="$deplib $deplibs"
+	done
+      fi
+      if test $pass != dlopen; then
+	test $pass != scan && dependency_libs="$newdependency_libs"
+	if test $pass != conv; then
+	  # Make sure lib_search_path contains only unique directories.
+	  lib_search_path=
+	  for dir in $newlib_search_path; do
+	    case "$lib_search_path " in
+	    *" $dir "*) ;;
+	    *) lib_search_path="$lib_search_path $dir" ;;
+	    esac
+	  done
+	  newlib_search_path=
+	fi
+
+	if test "$linkmode,$pass" != "prog,link"; then
+	  vars="deplibs"
+	else
+	  vars="compile_deplibs finalize_deplibs"
+	fi
+	for var in $vars dependency_libs; do
+	  # Add libraries to $var in reverse order
+	  eval tmp_libs=\"\$$var\"
+	  new_libs=
+	  for deplib in $tmp_libs; do
+	    case $deplib in
+	    -L*) new_libs="$deplib $new_libs" ;;
+	    *)
+	      case " $specialdeplibs " in
+	      *" $deplib "*) new_libs="$deplib $new_libs" ;;
+	      *)
+		case " $new_libs " in
+		*" $deplib "*) ;;
+		*) new_libs="$deplib $new_libs" ;;
+		esac
+		;;
+	      esac
+	      ;;
+	    esac
+	  done
+	  tmp_libs=
+	  for deplib in $new_libs; do
+	    case $deplib in
+	    -L*)
+	      case " $tmp_libs " in
+	      *" $deplib "*) ;;
+	      *) tmp_libs="$tmp_libs $deplib" ;;
+	      esac
+	      ;;
+	    *) tmp_libs="$tmp_libs $deplib" ;;
+	    esac
+	  done
+	  eval $var=\"$tmp_libs\"
+	done # for var
+      fi
+      if test "$pass" = "conv" &&
+       { test "$linkmode" = "lib" || test "$linkmode" = "prog"; }; then
+	libs="$deplibs" # reset libs
+	deplibs=
+      fi
+    done # for pass
+    if test $linkmode = prog; then
+      dlfiles="$newdlfiles"
+      dlprefiles="$newdlprefiles"
+    fi
+
+    case $linkmode in
+    oldlib)
+      if test -n "$dlfiles$dlprefiles" || test "$dlself" != no; then
+	$echo "$modename: warning: \`-dlopen' is ignored for archives" 1>&2
+      fi
+
+      if test -n "$rpath"; then
+	$echo "$modename: warning: \`-rpath' is ignored for archives" 1>&2
+      fi
+
+      if test -n "$xrpath"; then
+	$echo "$modename: warning: \`-R' is ignored for archives" 1>&2
+      fi
+
+      if test -n "$vinfo"; then
+	$echo "$modename: warning: \`-version-info' is ignored for archives" 1>&2
+      fi
+
+      if test -n "$release"; then
+	$echo "$modename: warning: \`-release' is ignored for archives" 1>&2
+      fi
+
+      if test -n "$export_symbols" || test -n "$export_symbols_regex"; then
+	$echo "$modename: warning: \`-export-symbols' is ignored for archives" 1>&2
+      fi
+
+      # Now set the variables for building old libraries.
+      build_libtool_libs=no
+      oldlibs="$output"
+      objs="$objs$old_deplibs"
+      ;;
+
+    lib)
+      # Make sure we only generate libraries of the form `libNAME.la'.
+      case $outputname in
+      lib*)
+	name=`$echo "X$outputname" | $Xsed -e 's/\.la$//' -e 's/^lib//'`
+	eval libname=\"$libname_spec\"
+	;;
+      *)
+	if test "$module" = no; then
+	  $echo "$modename: libtool library \`$output' must begin with \`lib'" 1>&2
+	  $echo "$help" 1>&2
+	  exit 1
+	fi
+	if test "$need_lib_prefix" != no; then
+	  # Add the "lib" prefix for modules if required
+	  name=`$echo "X$outputname" | $Xsed -e 's/\.la$//'`
+	  eval libname=\"$libname_spec\"
+	else
+	  libname=`$echo "X$outputname" | $Xsed -e 's/\.la$//'`
+	fi
+	;;
+      esac
+
+      if test -n "$objs"; then
+	if test "$deplibs_check_method" != pass_all; then
+	  $echo "$modename: cannot build libtool library \`$output' from non-libtool objects on this host:$objs" 2>&1
+	  exit 1
+	else
+	  echo
+	  echo "*** Warning: Linking the shared library $output against the non-libtool"
+	  echo "*** objects $objs is not portable!"
+	  libobjs="$libobjs $objs"
+	fi
+      fi
+
+      if test "$dlself" != no; then
+	$echo "$modename: warning: \`-dlopen self' is ignored for libtool libraries" 1>&2
+      fi
+
+      set dummy $rpath
+      if test $# -gt 2; then
+	$echo "$modename: warning: ignoring multiple \`-rpath's for a libtool library" 1>&2
+      fi
+      install_libdir="$2"
+
+      oldlibs=
+      if test -z "$rpath"; then
+	if test "$build_libtool_libs" = yes; then
+	  # Building a libtool convenience library.
+	  libext=al
+	  oldlibs="$output_objdir/$libname.$libext $oldlibs"
+	  build_libtool_libs=convenience
+	  build_old_libs=yes
+	fi
+
+	if test -n "$vinfo"; then
+	  $echo "$modename: warning: \`-version-info' is ignored for convenience libraries" 1>&2
+	fi
+
+	if test -n "$release"; then
+	  $echo "$modename: warning: \`-release' is ignored for convenience libraries" 1>&2
+	fi
+      else
+
+	# Parse the version information argument.
+	IFS="${IFS= 	}"; save_ifs="$IFS"; IFS=':'
+	set dummy $vinfo 0 0 0
+	IFS="$save_ifs"
+
+	if test -n "$8"; then
+	  $echo "$modename: too many parameters to \`-version-info'" 1>&2
+	  $echo "$help" 1>&2
+	  exit 1
+	fi
+
+	current="$2"
+	revision="$3"
+	age="$4"
+
+	# Check that each of the things are valid numbers.
+	case $current in
+	0 | [1-9] | [1-9][0-9] | [1-9][0-9][0-9]) ;;
+	*)
+	  $echo "$modename: CURRENT \`$current' is not a nonnegative integer" 1>&2
+	  $echo "$modename: \`$vinfo' is not valid version information" 1>&2
+	  exit 1
+	  ;;
+	esac
+
+	case $revision in
+	0 | [1-9] | [1-9][0-9] | [1-9][0-9][0-9]) ;;
+	*)
+	  $echo "$modename: REVISION \`$revision' is not a nonnegative integer" 1>&2
+	  $echo "$modename: \`$vinfo' is not valid version information" 1>&2
+	  exit 1
+	  ;;
+	esac
+
+	case $age in
+	0 | [1-9] | [1-9][0-9] | [1-9][0-9][0-9]) ;;
+	*)
+	  $echo "$modename: AGE \`$age' is not a nonnegative integer" 1>&2
+	  $echo "$modename: \`$vinfo' is not valid version information" 1>&2
+	  exit 1
+	  ;;
+	esac
+
+	if test $age -gt $current; then
+	  $echo "$modename: AGE \`$age' is greater than the current interface number \`$current'" 1>&2
+	  $echo "$modename: \`$vinfo' is not valid version information" 1>&2
+	  exit 1
+	fi
+
+	# Calculate the version variables.
+	major=
+	versuffix=
+	verstring=
+	case $version_type in
+	none) ;;
+
+	darwin)
+	  # Like Linux, but with the current version available in
+	  # verstring for coding it into the library header
+	  major=.`expr $current - $age`
+	  versuffix="$major.$age.$revision"
+	  # Darwin ld doesn't like 0 for these options...
+	  minor_current=`expr $current + 1`
+	  verstring="-compatibility_version $minor_current -current_version $minor_current.$revision"
+	  ;;
+
+	freebsd-aout)
+	  major=".$current"
+	  versuffix=".$current.$revision";
+	  ;;
+
+	freebsd-elf)
+	  major=".$current"
+	  versuffix=".$current";
+	  ;;
+
+	irix)
+	  major=`expr $current - $age + 1`
+	  verstring="sgi$major.$revision"
+
+	  # Add in all the interfaces that we are compatible with.
+	  loop=$revision
+	  while test $loop != 0; do
+	    iface=`expr $revision - $loop`
+	    loop=`expr $loop - 1`
+	    verstring="sgi$major.$iface:$verstring"
+	  done
+
+	  # Before this point, $major must not contain `.'.
+	  major=.$major
+	  versuffix="$major.$revision"
+	  ;;
+
+	linux)
+	  major=.`expr $current - $age`
+	  versuffix="$major.$age.$revision"
+	  ;;
+
+	osf)
+	  major=`expr $current - $age`
+	  versuffix=".$current.$age.$revision"
+	  verstring="$current.$age.$revision"
+
+	  # Add in all the interfaces that we are compatible with.
+	  loop=$age
+	  while test $loop != 0; do
+	    iface=`expr $current - $loop`
+	    loop=`expr $loop - 1`
+	    verstring="$verstring:${iface}.0"
+	  done
+
+	  # Make executables depend on our current version.
+	  verstring="$verstring:${current}.0"
+	  ;;
+
+	sunos)
+	  major=".$current"
+	  versuffix=".$current.$revision"
+	  ;;
+
+	windows)
+	  # Use '-' rather than '.', since we only want one
+	  # extension on DOS 8.3 filesystems.
+	  major=`expr $current - $age`
+	  versuffix="-$major"
+	  ;;
+
+	*)
+	  $echo "$modename: unknown library version type \`$version_type'" 1>&2
+	  echo "Fatal configuration error.  See the $PACKAGE docs for more information." 1>&2
+	  exit 1
+	  ;;
+	esac
+
+	# Clear the version info if we defaulted, and they specified a release.
+	if test -z "$vinfo" && test -n "$release"; then
+	  major=
+	  verstring="0.0"
+	  if test "$need_version" = no; then
+	    versuffix=
+	  else
+	    versuffix=".0.0"
+	  fi
+	fi
+
+	# Remove version info from name if versioning should be avoided
+	if test "$avoid_version" = yes && test "$need_version" = no; then
+	  major=
+	  versuffix=
+	  verstring=""
+	fi
+
+	# Check to see if the archive will have undefined symbols.
+	if test "$allow_undefined" = yes; then
+	  if test "$allow_undefined_flag" = unsupported; then
+	    $echo "$modename: warning: undefined symbols not allowed in $host shared libraries" 1>&2
+	    build_libtool_libs=no
+	    build_old_libs=yes
+	  fi
+	else
+	  # Don't allow undefined symbols.
+	  allow_undefined_flag="$no_undefined_flag"
+	fi
+      fi
+
+      if test "$mode" != relink; then
+	# Remove our outputs.
+	$show "${rm}r $output_objdir/$outputname $output_objdir/$libname.* $output_objdir/${libname}${release}.*"
+	$run ${rm}r $output_objdir/$outputname $output_objdir/$libname.* $output_objdir/${libname}${release}.*
+      fi
+
+      # Now set the variables for building old libraries.
+      if test "$build_old_libs" = yes && test "$build_libtool_libs" != convenience ; then
+	oldlibs="$oldlibs $output_objdir/$libname.$libext"
+
+	# Transform .lo files to .o files.
+	oldobjs="$objs "`$echo "X$libobjs" | $SP2NL | $Xsed -e '/\.'${libext}'$/d' -e "$lo2o" | $NL2SP`
+      fi
+
+      # Eliminate all temporary directories.
+      for path in $notinst_path; do
+	lib_search_path=`echo "$lib_search_path " | sed -e 's% $path % %g'`
+	deplibs=`echo "$deplibs " | sed -e 's% -L$path % %g'`
+	dependency_libs=`echo "$dependency_libs " | sed -e 's% -L$path % %g'`
+      done
+
+      if test -n "$xrpath"; then
+	# If the user specified any rpath flags, then add them.
+	temp_xrpath=
+	for libdir in $xrpath; do
+	  temp_xrpath="$temp_xrpath -R$libdir"
+	  case "$finalize_rpath " in
+	  *" $libdir "*) ;;
+	  *) finalize_rpath="$finalize_rpath $libdir" ;;
+	  esac
+	done
+	if test $hardcode_into_libs != yes || test $build_old_libs = yes; then
+	  dependency_libs="$temp_xrpath $dependency_libs"
+	fi
+      fi
+
+      # Make sure dlfiles contains only unique files that won't be dlpreopened
+      old_dlfiles="$dlfiles"
+      dlfiles=
+      for lib in $old_dlfiles; do
+	case " $dlprefiles $dlfiles " in
+	*" $lib "*) ;;
+	*) dlfiles="$dlfiles $lib" ;;
+	esac
+      done
+
+      # Make sure dlprefiles contains only unique files
+      old_dlprefiles="$dlprefiles"
+      dlprefiles=
+      for lib in $old_dlprefiles; do
+	case "$dlprefiles " in
+	*" $lib "*) ;;
+	*) dlprefiles="$dlprefiles $lib" ;;
+	esac
+      done
+
+      if test "$build_libtool_libs" = yes; then
+	if test -n "$rpath"; then
+	  case $host in
+	  *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-*-beos*)
+	    # these systems don't actually have a c library (as such)!
+	    ;;
+	  *-*-rhapsody* | *-*-darwin1.[012])
+	    # Rhapsody C library is in the System framework
+	    deplibs="$deplibs -framework System"
+	    ;;
+	  *-*-netbsd*)
+	    # Don't link with libc until the a.out ld.so is fixed.
+	    ;;
+	  *)
+	    # Add libc to deplibs on all other systems if necessary.
+	    if test $build_libtool_need_lc = "yes"; then
+	      deplibs="$deplibs -lc"
+	    fi
+	    ;;
+	  esac
+	fi
+
+	# Transform deplibs into only deplibs that can be linked in shared.
+	name_save=$name
+	libname_save=$libname
+	release_save=$release
+	versuffix_save=$versuffix
+	major_save=$major
+	# I'm not sure if I'm treating the release correctly.  I think
+	# release should show up in the -l (ie -lgmp5) so we don't want to
+	# add it in twice.  Is that correct?
+	release=""
+	versuffix=""
+	major=""
+	newdeplibs=
+	droppeddeps=no
+	case $deplibs_check_method in
+	pass_all)
+	  # Don't check for shared/static.  Everything works.
+	  # This might be a little naive.  We might want to check
+	  # whether the library exists or not.  But this is on
+	  # osf3 & osf4 and I'm not really sure... Just
+	  # implementing what was already the behaviour.
+	  newdeplibs=$deplibs
+	  ;;
+	test_compile)
+	  # This code stresses the "libraries are programs" paradigm to its
+	  # limits. Maybe even breaks it.  We compile a program, linking it
+	  # against the deplibs as a proxy for the library.  Then we can check
+	  # whether they linked in statically or dynamically with ldd.
+	  $rm conftest.c
+	  cat > conftest.c <<EOF
+	  int main() { return 0; }
+EOF
+	  $rm conftest
+	  $CC -o conftest conftest.c $deplibs
+	  if test $? -eq 0 ; then
+	    ldd_output=`ldd conftest`
+	    for i in $deplibs; do
+	      name="`expr $i : '-l\(.*\)'`"
+	      # If $name is empty we are operating on a -L argument.
+	      if test -n "$name" && test "$name" != "0"; then
+		libname=`eval \\$echo \"$libname_spec\"`
+		deplib_matches=`eval \\$echo \"$library_names_spec\"`
+		set dummy $deplib_matches
+		deplib_match=$2
+		if test `expr "$ldd_output" : ".*$deplib_match"` -ne 0 ; then
+		  newdeplibs="$newdeplibs $i"
+		else
+		  droppeddeps=yes
+		  echo
+		  echo "*** Warning: This library needs some functionality provided by $i."
+		  echo "*** I have the capability to make that library automatically link in when"
+		  echo "*** you link to this library.  But I can only do this if you have a"
+		  echo "*** shared version of the library, which you do not appear to have."
+		fi
+	      else
+		newdeplibs="$newdeplibs $i"
+	      fi
+	    done
+	  else
+	    # Error occured in the first compile.  Let's try to salvage the situation:
+	    # Compile a seperate program for each library.
+	    for i in $deplibs; do
+	      name="`expr $i : '-l\(.*\)'`"
+	     # If $name is empty we are operating on a -L argument.
+	      if test -n "$name" && test "$name" != "0"; then
+		$rm conftest
+		$CC -o conftest conftest.c $i
+		# Did it work?
+		if test $? -eq 0 ; then
+		  ldd_output=`ldd conftest`
+		  libname=`eval \\$echo \"$libname_spec\"`
+		  deplib_matches=`eval \\$echo \"$library_names_spec\"`
+		  set dummy $deplib_matches
+		  deplib_match=$2
+		  if test `expr "$ldd_output" : ".*$deplib_match"` -ne 0 ; then
+		    newdeplibs="$newdeplibs $i"
+		  else
+		    droppeddeps=yes
+		    echo
+		    echo "*** Warning: This library needs some functionality provided by $i."
+		    echo "*** I have the capability to make that library automatically link in when"
+		    echo "*** you link to this library.  But I can only do this if you have a"
+		    echo "*** shared version of the library, which you do not appear to have."
+		  fi
+		else
+		  droppeddeps=yes
+		  echo
+		  echo "*** Warning!  Library $i is needed by this library but I was not able to"
+		  echo "***  make it link in!  You will probably need to install it or some"
+		  echo "*** library that it depends on before this library will be fully"
+		  echo "*** functional.  Installing it before continuing would be even better."
+		fi
+	      else
+		newdeplibs="$newdeplibs $i"
+	      fi
+	    done
+	  fi
+	  ;;
+	file_magic*)
+	  set dummy $deplibs_check_method
+	  file_magic_regex=`expr "$deplibs_check_method" : "$2 \(.*\)"`
+	  for a_deplib in $deplibs; do
+	    name="`expr $a_deplib : '-l\(.*\)'`"
+	    # If $name is empty we are operating on a -L argument.
+	    if test -n "$name" && test "$name" != "0"; then
+	      libname=`eval \\$echo \"$libname_spec\"`
+	      for i in $lib_search_path $sys_lib_search_path $shlib_search_path; do
+		    potential_libs=`ls $i/$libname[.-]* 2>/dev/null`
+		    for potent_lib in $potential_libs; do
+		      # Follow soft links.
+		      if ls -lLd "$potent_lib" 2>/dev/null \
+			 | grep " -> " >/dev/null; then
+			continue
+		      fi
+		      # The statement above tries to avoid entering an
+		      # endless loop below, in case of cyclic links.
+		      # We might still enter an endless loop, since a link
+		      # loop can be closed while we follow links,
+		      # but so what?
+		      potlib="$potent_lib"
+		      while test -h "$potlib" 2>/dev/null; do
+			potliblink=`ls -ld $potlib | sed 's/.* -> //'`
+			case $potliblink in
+			[\\/]* | [A-Za-z]:[\\/]*) potlib="$potliblink";;
+			*) potlib=`$echo "X$potlib" | $Xsed -e 's,[^/]*$,,'`"$potliblink";;
+			esac
+		      done
+		      if eval $file_magic_cmd \"\$potlib\" 2>/dev/null \
+			 | sed 10q \
+			 | egrep "$file_magic_regex" > /dev/null; then
+			newdeplibs="$newdeplibs $a_deplib"
+			a_deplib=""
+			break 2
+		      fi
+		    done
+	      done
+	      if test -n "$a_deplib" ; then
+		droppeddeps=yes
+		echo
+		echo "*** Warning: This library needs some functionality provided by $a_deplib."
+		echo "*** I have the capability to make that library automatically link in when"
+		echo "*** you link to this library.  But I can only do this if you have a"
+		echo "*** shared version of the library, which you do not appear to have."
+	      fi
+	    else
+	      # Add a -L argument.
+	      newdeplibs="$newdeplibs $a_deplib"
+	    fi
+	  done # Gone through all deplibs.
+	  ;;
+	match_pattern*)
+	  set dummy $deplibs_check_method
+	  match_pattern_regex=`expr "$deplibs_check_method" : "$2 \(.*\)"`
+	  for a_deplib in $deplibs; do
+	    name="`expr $a_deplib : '-l\(.*\)'`"
+	    # If $name is empty we are operating on a -L argument.
+	    if test -n "$name" && test "$name" != "0"; then
+	      libname=`eval \\$echo \"$libname_spec\"`
+	      for i in $lib_search_path $sys_lib_search_path $shlib_search_path; do
+		potential_libs=`ls $i/$libname[.-]* 2>/dev/null`
+		for potent_lib in $potential_libs; do
+		  if eval echo \"$potent_lib\" 2>/dev/null \
+		      | sed 10q \
+		      | egrep "$match_pattern_regex" > /dev/null; then
+		    newdeplibs="$newdeplibs $a_deplib"
+		    a_deplib=""
+		    break 2
+		  fi
+		done
+	      done
+	      if test -n "$a_deplib" ; then
+		droppeddeps=yes
+		echo
+		echo "*** Warning: This library needs some functionality provided by $a_deplib."
+		echo "*** I have the capability to make that library automatically link in when"
+		echo "*** you link to this library.  But I can only do this if you have a"
+		echo "*** shared version of the library, which you do not appear to have."
+	      fi
+	    else
+	      # Add a -L argument.
+	      newdeplibs="$newdeplibs $a_deplib"
+	    fi
+	  done # Gone through all deplibs.
+	  ;;
+	none | unknown | *)
+	  newdeplibs=""
+	  if $echo "X $deplibs" | $Xsed -e 's/ -lc$//' \
+	       -e 's/ -[LR][^ ]*//g' -e 's/[ 	]//g' |
+	     grep . >/dev/null; then
+	    echo
+	    if test "X$deplibs_check_method" = "Xnone"; then
+	      echo "*** Warning: inter-library dependencies are not supported in this platform."
+	    else
+	      echo "*** Warning: inter-library dependencies are not known to be supported."
+	    fi
+	    echo "*** All declared inter-library dependencies are being dropped."
+	    droppeddeps=yes
+	  fi
+	  ;;
+	esac
+	versuffix=$versuffix_save
+	major=$major_save
+	release=$release_save
+	libname=$libname_save
+	name=$name_save
+
+	case $host in
+	*-*-rhapsody* | *-*-darwin1.[012])
+	  # On Rhapsody replace the C library is the System framework
+	  newdeplibs=`$echo "X $newdeplibs" | $Xsed -e 's/ -lc / -framework System /'`
+	  ;;
+	esac
+
+	if test "$droppeddeps" = yes; then
+	  if test "$module" = yes; then
+	    echo
+	    echo "*** Warning: libtool could not satisfy all declared inter-library"
+	    echo "*** dependencies of module $libname.  Therefore, libtool will create"
+	    echo "*** a static module, that should work as long as the dlopening"
+	    echo "*** application is linked with the -dlopen flag."
+	    if test -z "$global_symbol_pipe"; then
+	      echo
+	      echo "*** However, this would only work if libtool was able to extract symbol"
+	      echo "*** lists from a program, using \`nm' or equivalent, but libtool could"
+	      echo "*** not find such a program.  So, this module is probably useless."
+	      echo "*** \`nm' from GNU binutils and a full rebuild may help."
+	    fi
+	    if test "$build_old_libs" = no; then
+	      oldlibs="$output_objdir/$libname.$libext"
+	      build_libtool_libs=module
+	      build_old_libs=yes
+	    else
+	      build_libtool_libs=no
+	    fi
+	  else
+	    echo "*** The inter-library dependencies that have been dropped here will be"
+	    echo "*** automatically added whenever a program is linked with this library"
+	    echo "*** or is declared to -dlopen it."
+
+	    if test $allow_undefined = no; then
+	      echo
+	      echo "*** Since this library must not contain undefined symbols,"
+	      echo "*** because either the platform does not support them or"
+	      echo "*** it was explicitly requested with -no-undefined,"
+	      echo "*** libtool will only create a static version of it."
+	      if test "$build_old_libs" = no; then
+		oldlibs="$output_objdir/$libname.$libext"
+		build_libtool_libs=module
+		build_old_libs=yes
+	      else
+		build_libtool_libs=no
+	      fi
+	    fi
+	  fi
+	fi
+	# Done checking deplibs!
+	deplibs=$newdeplibs
+      fi
+
+      # All the library-specific variables (install_libdir is set above).
+      library_names=
+      old_library=
+      dlname=
+
+      # Test again, we may have decided not to build it any more
+      if test "$build_libtool_libs" = yes; then
+	if test $hardcode_into_libs = yes; then
+	  # Hardcode the library paths
+	  hardcode_libdirs=
+	  dep_rpath=
+	  rpath="$finalize_rpath"
+	  test "$mode" != relink && rpath="$compile_rpath$rpath"
+	  for libdir in $rpath; do
+	    if test -n "$hardcode_libdir_flag_spec"; then
+	      if test -n "$hardcode_libdir_separator"; then
+		if test -z "$hardcode_libdirs"; then
+		  hardcode_libdirs="$libdir"
+		else
+		  # Just accumulate the unique libdirs.
+		  case $hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator in
+		  *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*)
+		    ;;
+		  *)
+		    hardcode_libdirs="$hardcode_libdirs$hardcode_libdir_separator$libdir"
+		    ;;
+		  esac
+		fi
+	      else
+		eval flag=\"$hardcode_libdir_flag_spec\"
+		dep_rpath="$dep_rpath $flag"
+	      fi
+	    elif test -n "$runpath_var"; then
+	      case "$perm_rpath " in
+	      *" $libdir "*) ;;
+	      *) perm_rpath="$perm_rpath $libdir" ;;
+	      esac
+	    fi
+	  done
+	  # Substitute the hardcoded libdirs into the rpath.
+	  if test -n "$hardcode_libdir_separator" &&
+	     test -n "$hardcode_libdirs"; then
+	    libdir="$hardcode_libdirs"
+	    eval dep_rpath=\"$hardcode_libdir_flag_spec\"
+	  fi
+	  if test -n "$runpath_var" && test -n "$perm_rpath"; then
+	    # We should set the runpath_var.
+	    rpath=
+	    for dir in $perm_rpath; do
+	      rpath="$rpath$dir:"
+	    done
+	    eval "$runpath_var='$rpath\$$runpath_var'; export $runpath_var"
+	  fi
+	  test -n "$dep_rpath" && deplibs="$dep_rpath $deplibs"
+	fi
+
+	shlibpath="$finalize_shlibpath"
+	test "$mode" != relink && shlibpath="$compile_shlibpath$shlibpath"
+	if test -n "$shlibpath"; then
+	  eval "$shlibpath_var='$shlibpath\$$shlibpath_var'; export $shlibpath_var"
+	fi
+
+	# Get the real and link names of the library.
+	eval library_names=\"$library_names_spec\"
+	set dummy $library_names
+	realname="$2"
+	shift; shift
+
+	if test -n "$soname_spec"; then
+	  eval soname=\"$soname_spec\"
+	else
+	  soname="$realname"
+	fi
+	test -z "$dlname" && dlname=$soname
+
+	lib="$output_objdir/$realname"
+	for link
+	do
+	  linknames="$linknames $link"
+	done
+
+	# Ensure that we have .o objects for linkers which dislike .lo
+	# (e.g. aix) in case we are running --disable-static
+	for obj in $libobjs; do
+	  xdir=`$echo "X$obj" | $Xsed -e 's%/[^/]*$%%'`
+	  if test "X$xdir" = "X$obj"; then
+	    xdir="."
+	  else
+	    xdir="$xdir"
+	  fi
+	  baseobj=`$echo "X$obj" | $Xsed -e 's%^.*/%%'`
+	  oldobj=`$echo "X$baseobj" | $Xsed -e "$lo2o"`
+	  if test ! -f $xdir/$oldobj; then
+	    $show "(cd $xdir && ${LN_S} $baseobj $oldobj)"
+	    $run eval '(cd $xdir && ${LN_S} $baseobj $oldobj)' || exit $?
+	  fi
+	done
+
+	# Use standard objects if they are pic
+	test -z "$pic_flag" && libobjs=`$echo "X$libobjs" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP`
+
+	# Prepare the list of exported symbols
+	if test -z "$export_symbols"; then
+	  if test "$always_export_symbols" = yes || test -n "$export_symbols_regex"; then
+	    $show "generating symbol list for \`$libname.la'"
+	    export_symbols="$output_objdir/$libname.exp"
+	    $run $rm $export_symbols
+	    eval cmds=\"$export_symbols_cmds\"
+	    IFS="${IFS= 	}"; save_ifs="$IFS"; IFS='~'
+	    for cmd in $cmds; do
+	      IFS="$save_ifs"
+	      $show "$cmd"
+	      $run eval "$cmd" || exit $?
+	    done
+	    IFS="$save_ifs"
+	    if test -n "$export_symbols_regex"; then
+	      $show "egrep -e \"$export_symbols_regex\" \"$export_symbols\" > \"${export_symbols}T\""
+	      $run eval 'egrep -e "$export_symbols_regex" "$export_symbols" > "${export_symbols}T"'
+	      $show "$mv \"${export_symbols}T\" \"$export_symbols\""
+	      $run eval '$mv "${export_symbols}T" "$export_symbols"'
+	    fi
+	  fi
+	fi
+
+	if test -n "$export_symbols" && test -n "$include_expsyms"; then
+	  $run eval '$echo "X$include_expsyms" | $SP2NL >> "$export_symbols"'
+	fi
+
+	if test -n "$convenience"; then
+	  if test -n "$whole_archive_flag_spec"; then
+	    eval libobjs=\"\$libobjs $whole_archive_flag_spec\"
+	  else
+	    gentop="$output_objdir/${outputname}x"
+	    $show "${rm}r $gentop"
+	    $run ${rm}r "$gentop"
+	    $show "mkdir $gentop"
+	    $run mkdir "$gentop"
+	    status=$?
+	    if test $status -ne 0 && test ! -d "$gentop"; then
+	      exit $status
+	    fi
+	    generated="$generated $gentop"
+
+	    for xlib in $convenience; do
+	      # Extract the objects.
+	      case $xlib in
+	      [\\/]* | [A-Za-z]:[\\/]*) xabs="$xlib" ;;
+	      *) xabs=`pwd`"/$xlib" ;;
+	      esac
+	      xlib=`$echo "X$xlib" | $Xsed -e 's%^.*/%%'`
+	      xdir="$gentop/$xlib"
+
+	      $show "${rm}r $xdir"
+	      $run ${rm}r "$xdir"
+	      $show "mkdir $xdir"
+	      $run mkdir "$xdir"
+	      status=$?
+	      if test $status -ne 0 && test ! -d "$xdir"; then
+		exit $status
+	      fi
+	      $show "(cd $xdir && $AR x $xabs)"
+	      $run eval "(cd \$xdir && $AR x \$xabs)" || exit $?
+
+	      libobjs="$libobjs "`find $xdir -name \*.o -print -o -name \*.lo -print | $NL2SP`
+	    done
+	  fi
+	fi
+
+	if test "$thread_safe" = yes && test -n "$thread_safe_flag_spec"; then
+	  eval flag=\"$thread_safe_flag_spec\"
+	  linker_flags="$linker_flags $flag"
+	fi
+
+	# Make a backup of the uninstalled library when relinking
+	if test "$mode" = relink; then
+	  $run eval '(cd $output_objdir && $rm ${realname}U && $mv $realname ${realname}U)' || exit $?
+	fi
+
+	# Do each of the archive commands.
+	if test -n "$export_symbols" && test -n "$archive_expsym_cmds"; then
+	  eval cmds=\"$archive_expsym_cmds\"
+	else
+	  eval cmds=\"$archive_cmds\"
+	fi
+	IFS="${IFS= 	}"; save_ifs="$IFS"; IFS='~'
+	for cmd in $cmds; do
+	  IFS="$save_ifs"
+	  $show "$cmd"
+	  $run eval "$cmd" || exit $?
+	done
+	IFS="$save_ifs"
+
+	# Restore the uninstalled library and exit
+	if test "$mode" = relink; then
+	  $run eval '(cd $output_objdir && $rm ${realname}T && $mv $realname ${realname}T && $mv "$realname"U $realname)' || exit $?
+	  exit 0
+	fi
+
+	# Create links to the real library.
+	for linkname in $linknames; do
+	  if test "$realname" != "$linkname"; then
+	    $show "(cd $output_objdir && $rm $linkname && $LN_S $realname $linkname)"
+	    $run eval '(cd $output_objdir && $rm $linkname && $LN_S $realname $linkname)' || exit $?
+	  fi
+	done
+
+	# If -module or -export-dynamic was specified, set the dlname.
+	if test "$module" = yes || test "$export_dynamic" = yes; then
+	  # On all known operating systems, these are identical.
+	  dlname="$soname"
+	fi
+      fi
+      ;;
+
+    obj)
+      if test -n "$deplibs"; then
+	$echo "$modename: warning: \`-l' and \`-L' are ignored for objects" 1>&2
+      fi
+
+      if test -n "$dlfiles$dlprefiles" || test "$dlself" != no; then
+	$echo "$modename: warning: \`-dlopen' is ignored for objects" 1>&2
+      fi
+
+      if test -n "$rpath"; then
+	$echo "$modename: warning: \`-rpath' is ignored for objects" 1>&2
+      fi
+
+      if test -n "$xrpath"; then
+	$echo "$modename: warning: \`-R' is ignored for objects" 1>&2
+      fi
+
+      if test -n "$vinfo"; then
+	$echo "$modename: warning: \`-version-info' is ignored for objects" 1>&2
+      fi
+
+      if test -n "$release"; then
+	$echo "$modename: warning: \`-release' is ignored for objects" 1>&2
+      fi
+
+      case $output in
+      *.lo)
+	if test -n "$objs$old_deplibs"; then
+	  $echo "$modename: cannot build library object \`$output' from non-libtool objects" 1>&2
+	  exit 1
+	fi
+	libobj="$output"
+	obj=`$echo "X$output" | $Xsed -e "$lo2o"`
+	;;
+      *)
+	libobj=
+	obj="$output"
+	;;
+      esac
+
+      # Delete the old objects.
+      $run $rm $obj $libobj
+
+      # Objects from convenience libraries.  This assumes
+      # single-version convenience libraries.  Whenever we create
+      # different ones for PIC/non-PIC, this we'll have to duplicate
+      # the extraction.
+      reload_conv_objs=
+      gentop=
+      # reload_cmds runs $LD directly, so let us get rid of
+      # -Wl from whole_archive_flag_spec
+      wl=
+
+      if test -n "$convenience"; then
+	if test -n "$whole_archive_flag_spec"; then
+	  eval reload_conv_objs=\"\$reload_objs $whole_archive_flag_spec\"
+	else
+	  gentop="$output_objdir/${obj}x"
+	  $show "${rm}r $gentop"
+	  $run ${rm}r "$gentop"
+	  $show "mkdir $gentop"
+	  $run mkdir "$gentop"
+	  status=$?
+	  if test $status -ne 0 && test ! -d "$gentop"; then
+	    exit $status
+	  fi
+	  generated="$generated $gentop"
+
+	  for xlib in $convenience; do
+	    # Extract the objects.
+	    case $xlib in
+	    [\\/]* | [A-Za-z]:[\\/]*) xabs="$xlib" ;;
+	    *) xabs=`pwd`"/$xlib" ;;
+	    esac
+	    xlib=`$echo "X$xlib" | $Xsed -e 's%^.*/%%'`
+	    xdir="$gentop/$xlib"
+
+	    $show "${rm}r $xdir"
+	    $run ${rm}r "$xdir"
+	    $show "mkdir $xdir"
+	    $run mkdir "$xdir"
+	    status=$?
+	    if test $status -ne 0 && test ! -d "$xdir"; then
+	      exit $status
+	    fi
+	    $show "(cd $xdir && $AR x $xabs)"
+	    $run eval "(cd \$xdir && $AR x \$xabs)" || exit $?
+
+	    reload_conv_objs="$reload_objs "`find $xdir -name \*.o -print -o -name \*.lo -print | $NL2SP`
+	  done
+	fi
+      fi
+
+      # Create the old-style object.
+      reload_objs="$objs$old_deplibs "`$echo "X$libobjs" | $SP2NL | $Xsed -e '/\.'${libext}$'/d' -e '/\.lib$/d' -e "$lo2o" | $NL2SP`" $reload_conv_objs" ### testsuite: skip nested quoting test
+
+      output="$obj"
+      eval cmds=\"$reload_cmds\"
+      IFS="${IFS= 	}"; save_ifs="$IFS"; IFS='~'
+      for cmd in $cmds; do
+	IFS="$save_ifs"
+	$show "$cmd"
+	$run eval "$cmd" || exit $?
+      done
+      IFS="$save_ifs"
+
+      # Exit if we aren't doing a library object file.
+      if test -z "$libobj"; then
+	if test -n "$gentop"; then
+	  $show "${rm}r $gentop"
+	  $run ${rm}r $gentop
+	fi
+
+	exit 0
+      fi
+
+      if test "$build_libtool_libs" != yes; then
+	if test -n "$gentop"; then
+	  $show "${rm}r $gentop"
+	  $run ${rm}r $gentop
+	fi
+
+	# Create an invalid libtool object if no PIC, so that we don't
+	# accidentally link it into a program.
+	$show "echo timestamp > $libobj"
+	$run eval "echo timestamp > $libobj" || exit $?
+	exit 0
+      fi
+
+      if test -n "$pic_flag" || test "$pic_mode" != default; then
+	# Only do commands if we really have different PIC objects.
+	reload_objs="$libobjs $reload_conv_objs"
+	output="$libobj"
+	eval cmds=\"$reload_cmds\"
+	IFS="${IFS= 	}"; save_ifs="$IFS"; IFS='~'
+	for cmd in $cmds; do
+	  IFS="$save_ifs"
+	  $show "$cmd"
+	  $run eval "$cmd" || exit $?
+	done
+	IFS="$save_ifs"
+      else
+	# Just create a symlink.
+	$show $rm $libobj
+	$run $rm $libobj
+	xdir=`$echo "X$libobj" | $Xsed -e 's%/[^/]*$%%'`
+	if test "X$xdir" = "X$libobj"; then
+	  xdir="."
+	else
+	  xdir="$xdir"
+	fi
+	baseobj=`$echo "X$libobj" | $Xsed -e 's%^.*/%%'`
+	oldobj=`$echo "X$baseobj" | $Xsed -e "$lo2o"`
+	$show "(cd $xdir && $LN_S $oldobj $baseobj)"
+	$run eval '(cd $xdir && $LN_S $oldobj $baseobj)' || exit $?
+      fi
+
+      if test -n "$gentop"; then
+	$show "${rm}r $gentop"
+	$run ${rm}r $gentop
+      fi
+
+      exit 0
+      ;;
+
+    prog)
+      case $host in
+	*cygwin*) output=`echo $output | sed -e 's,.exe$,,;s,$,.exe,'` ;;
+      esac
+      if test -n "$vinfo"; then
+	$echo "$modename: warning: \`-version-info' is ignored for programs" 1>&2
+      fi
+
+      if test -n "$release"; then
+	$echo "$modename: warning: \`-release' is ignored for programs" 1>&2
+      fi
+
+      if test "$preload" = yes; then
+	if test "$dlopen_support" = unknown && test "$dlopen_self" = unknown &&
+	   test "$dlopen_self_static" = unknown; then
+	  $echo "$modename: warning: \`AC_LIBTOOL_DLOPEN' not used. Assuming no dlopen support."
+	fi
+      fi
+
+      case $host in
+      *-*-rhapsody* | *-*-darwin1.[012])
+	# On Rhapsody replace the C library is the System framework
+	compile_deplibs=`$echo "X $compile_deplibs" | $Xsed -e 's/ -lc / -framework System /'`
+	finalize_deplibs=`$echo "X $finalize_deplibs" | $Xsed -e 's/ -lc / -framework System /'`
+	;;
+      esac
+
+      compile_command="$compile_command $compile_deplibs"
+      finalize_command="$finalize_command $finalize_deplibs"
+
+      if test -n "$rpath$xrpath"; then
+	# If the user specified any rpath flags, then add them.
+	for libdir in $rpath $xrpath; do
+	  # This is the magic to use -rpath.
+	  case "$finalize_rpath " in
+	  *" $libdir "*) ;;
+	  *) finalize_rpath="$finalize_rpath $libdir" ;;
+	  esac
+	done
+      fi
+
+      # Now hardcode the library paths
+      rpath=
+      hardcode_libdirs=
+      for libdir in $compile_rpath $finalize_rpath; do
+	if test -n "$hardcode_libdir_flag_spec"; then
+	  if test -n "$hardcode_libdir_separator"; then
+	    if test -z "$hardcode_libdirs"; then
+	      hardcode_libdirs="$libdir"
+	    else
+	      # Just accumulate the unique libdirs.
+	      case $hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator in
+	      *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*)
+		;;
+	      *)
+		hardcode_libdirs="$hardcode_libdirs$hardcode_libdir_separator$libdir"
+		;;
+	      esac
+	    fi
+	  else
+	    eval flag=\"$hardcode_libdir_flag_spec\"
+	    rpath="$rpath $flag"
+	  fi
+	elif test -n "$runpath_var"; then
+	  case "$perm_rpath " in
+	  *" $libdir "*) ;;
+	  *) perm_rpath="$perm_rpath $libdir" ;;
+	  esac
+	fi
+	case $host in
+	*-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2*)
+	  case :$dllsearchpath: in
+	  *":$libdir:"*) ;;
+	  *) dllsearchpath="$dllsearchpath:$libdir";;
+	  esac
+	  ;;
+	esac
+      done
+      # Substitute the hardcoded libdirs into the rpath.
+      if test -n "$hardcode_libdir_separator" &&
+	 test -n "$hardcode_libdirs"; then
+	libdir="$hardcode_libdirs"
+	eval rpath=\" $hardcode_libdir_flag_spec\"
+      fi
+      compile_rpath="$rpath"
+
+      rpath=
+      hardcode_libdirs=
+      for libdir in $finalize_rpath; do
+	if test -n "$hardcode_libdir_flag_spec"; then
+	  if test -n "$hardcode_libdir_separator"; then
+	    if test -z "$hardcode_libdirs"; then
+	      hardcode_libdirs="$libdir"
+	    else
+	      # Just accumulate the unique libdirs.
+	      case $hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator in
+	      *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*)
+		;;
+	      *)
+		hardcode_libdirs="$hardcode_libdirs$hardcode_libdir_separator$libdir"
+		;;
+	      esac
+	    fi
+	  else
+	    eval flag=\"$hardcode_libdir_flag_spec\"
+	    rpath="$rpath $flag"
+	  fi
+	elif test -n "$runpath_var"; then
+	  case "$finalize_perm_rpath " in
+	  *" $libdir "*) ;;
+	  *) finalize_perm_rpath="$finalize_perm_rpath $libdir" ;;
+	  esac
+	fi
+      done
+      # Substitute the hardcoded libdirs into the rpath.
+      if test -n "$hardcode_libdir_separator" &&
+	 test -n "$hardcode_libdirs"; then
+	libdir="$hardcode_libdirs"
+	eval rpath=\" $hardcode_libdir_flag_spec\"
+      fi
+      finalize_rpath="$rpath"
+
+      if test -n "$libobjs" && test "$build_old_libs" = yes; then
+	# Transform all the library objects into standard objects.
+	compile_command=`$echo "X$compile_command" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP`
+	finalize_command=`$echo "X$finalize_command" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP`
+      fi
+
+      dlsyms=
+      if test -n "$dlfiles$dlprefiles" || test "$dlself" != no; then
+	if test -n "$NM" && test -n "$global_symbol_pipe"; then
+	  dlsyms="${outputname}S.c"
+	else
+	  $echo "$modename: not configured to extract global symbols from dlpreopened files" 1>&2
+	fi
+      fi
+
+      if test -n "$dlsyms"; then
+	case $dlsyms in
+	"") ;;
+	*.c)
+	  # Discover the nlist of each of the dlfiles.
+	  nlist="$output_objdir/${outputname}.nm"
+
+	  $show "$rm $nlist ${nlist}S ${nlist}T"
+	  $run $rm "$nlist" "${nlist}S" "${nlist}T"
+
+	  # Parse the name list into a source file.
+	  $show "creating $output_objdir/$dlsyms"
+
+	  test -z "$run" && $echo > "$output_objdir/$dlsyms" "\
+/* $dlsyms - symbol resolution table for \`$outputname' dlsym emulation. */
+/* Generated by $PROGRAM - GNU $PACKAGE $VERSION$TIMESTAMP */
+
+#ifdef __cplusplus
+extern \"C\" {
+#endif
+
+/* Prevent the only kind of declaration conflicts we can make. */
+#define lt_preloaded_symbols some_other_symbol
+
+/* External symbol declarations for the compiler. */\
+"
+
+	  if test "$dlself" = yes; then
+	    $show "generating symbol list for \`$output'"
+
+	    test -z "$run" && $echo ': @PROGRAM@ ' > "$nlist"
+
+	    # Add our own program objects to the symbol list.
+	    progfiles=`$echo "X$objs$old_deplibs" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP`
+	    for arg in $progfiles; do
+	      $show "extracting global C symbols from \`$arg'"
+	      $run eval "$NM $arg | $global_symbol_pipe >> '$nlist'"
+	    done
+
+	    if test -n "$exclude_expsyms"; then
+	      $run eval 'egrep -v " ($exclude_expsyms)$" "$nlist" > "$nlist"T'
+	      $run eval '$mv "$nlist"T "$nlist"'
+	    fi
+
+	    if test -n "$export_symbols_regex"; then
+	      $run eval 'egrep -e "$export_symbols_regex" "$nlist" > "$nlist"T'
+	      $run eval '$mv "$nlist"T "$nlist"'
+	    fi
+
+	    # Prepare the list of exported symbols
+	    if test -z "$export_symbols"; then
+	      export_symbols="$output_objdir/$output.exp"
+	      $run $rm $export_symbols
+	      $run eval "sed -n -e '/^: @PROGRAM@$/d' -e 's/^.* \(.*\)$/\1/p' "'< "$nlist" > "$export_symbols"'
+	    else
+	      $run eval "sed -e 's/\([][.*^$]\)/\\\1/g' -e 's/^/ /' -e 's/$/$/'"' < "$export_symbols" > "$output_objdir/$output.exp"'
+	      $run eval 'grep -f "$output_objdir/$output.exp" < "$nlist" > "$nlist"T'
+	      $run eval 'mv "$nlist"T "$nlist"'
+	    fi
+	  fi
+
+	  for arg in $dlprefiles; do
+	    $show "extracting global C symbols from \`$arg'"
+	    name=`echo "$arg" | sed -e 's%^.*/%%'`
+	    $run eval 'echo ": $name " >> "$nlist"'
+	    $run eval "$NM $arg | $global_symbol_pipe >> '$nlist'"
+	  done
+
+	  if test -z "$run"; then
+	    # Make sure we have at least an empty file.
+	    test -f "$nlist" || : > "$nlist"
+
+	    if test -n "$exclude_expsyms"; then
+	      egrep -v " ($exclude_expsyms)$" "$nlist" > "$nlist"T
+	      $mv "$nlist"T "$nlist"
+	    fi
+
+	    # Try sorting and uniquifying the output.
+	    if grep -v "^: " < "$nlist" | sort +2 | uniq > "$nlist"S; then
+	      :
+	    else
+	      grep -v "^: " < "$nlist" > "$nlist"S
+	    fi
+
+	    if test -f "$nlist"S; then
+	      eval "$global_symbol_to_cdecl"' < "$nlist"S >> "$output_objdir/$dlsyms"'
+	    else
+	      echo '/* NONE */' >> "$output_objdir/$dlsyms"
+	    fi
+
+	    $echo >> "$output_objdir/$dlsyms" "\
+
+#undef lt_preloaded_symbols
+
+#if defined (__STDC__) && __STDC__
+# define lt_ptr_t void *
+#else
+# define lt_ptr_t char *
+# define const
+#endif
+
+/* The mapping between symbol names and symbols. */
+const struct {
+  const char *name;
+  lt_ptr_t address;
+}
+lt_preloaded_symbols[] =
+{\
+"
+
+	    sed -n -e 's/^: \([^ ]*\) $/  {\"\1\", (lt_ptr_t) 0},/p' \
+		-e 's/^. \([^ ]*\) \([^ ]*\)$/  {"\2", (lt_ptr_t) \&\2},/p' \
+		  < "$nlist" >> "$output_objdir/$dlsyms"
+
+	    $echo >> "$output_objdir/$dlsyms" "\
+  {0, (lt_ptr_t) 0}
+};
+
+/* This works around a problem in FreeBSD linker */
+#ifdef FREEBSD_WORKAROUND
+static const void *lt_preloaded_setup() {
+  return lt_preloaded_symbols;
+}
+#endif
+
+#ifdef __cplusplus
+}
+#endif\
+"
+	  fi
+
+	  pic_flag_for_symtable=
+	  case $host in
+	  # compiling the symbol table file with pic_flag works around
+	  # a FreeBSD bug that causes programs to crash when -lm is
+	  # linked before any other PIC object.  But we must not use
+	  # pic_flag when linking with -static.  The problem exists in
+	  # FreeBSD 2.2.6 and is fixed in FreeBSD 3.1.
+	  *-*-freebsd2*|*-*-freebsd3.0*|*-*-freebsdelf3.0*)
+	    case "$compile_command " in
+	    *" -static "*) ;;
+	    *) pic_flag_for_symtable=" $pic_flag -DPIC -DFREEBSD_WORKAROUND";;
+	    esac;;
+	  *-*-hpux*)
+	    case "$compile_command " in
+	    *" -static "*) ;;
+	    *) pic_flag_for_symtable=" $pic_flag -DPIC";;
+	    esac
+	  esac
+
+	  # Now compile the dynamic symbol file.
+	  $show "(cd $output_objdir && $CC -c$no_builtin_flag$pic_flag_for_symtable \"$dlsyms\")"
+	  $run eval '(cd $output_objdir && $CC -c$no_builtin_flag$pic_flag_for_symtable "$dlsyms")' || exit $?
+
+	  # Clean up the generated files.
+	  $show "$rm $output_objdir/$dlsyms $nlist ${nlist}S ${nlist}T"
+	  $run $rm "$output_objdir/$dlsyms" "$nlist" "${nlist}S" "${nlist}T"
+
+	  # Transform the symbol file into the correct name.
+	  compile_command=`$echo "X$compile_command" | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}S.${objext}%"`
+	  finalize_command=`$echo "X$finalize_command" | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}S.${objext}%"`
+	  ;;
+	*)
+	  $echo "$modename: unknown suffix for \`$dlsyms'" 1>&2
+	  exit 1
+	  ;;
+	esac
+      else
+	# We keep going just in case the user didn't refer to
+	# lt_preloaded_symbols.  The linker will fail if global_symbol_pipe
+	# really was required.
+
+	# Nullify the symbol file.
+	compile_command=`$echo "X$compile_command" | $Xsed -e "s% @SYMFILE@%%"`
+	finalize_command=`$echo "X$finalize_command" | $Xsed -e "s% @SYMFILE@%%"`
+      fi
+
+      if test $need_relink = no || test "$build_libtool_libs" != yes; then
+	# Replace the output file specification.
+	compile_command=`$echo "X$compile_command" | $Xsed -e 's%@OUTPUT@%'"$output"'%g'`
+	link_command="$compile_command$compile_rpath"
+
+	# We have no uninstalled library dependencies, so finalize right now.
+	$show "$link_command"
+	$run eval "$link_command"
+	status=$?
+
+	# Delete the generated files.
+	if test -n "$dlsyms"; then
+	  $show "$rm $output_objdir/${outputname}S.${objext}"
+	  $run $rm "$output_objdir/${outputname}S.${objext}"
+	fi
+
+	exit $status
+      fi
+
+      if test -n "$shlibpath_var"; then
+	# We should set the shlibpath_var
+	rpath=
+	for dir in $temp_rpath; do
+	  case $dir in
+	  [\\/]* | [A-Za-z]:[\\/]*)
+	    # Absolute path.
+	    rpath="$rpath$dir:"
+	    ;;
+	  *)
+	    # Relative path: add a thisdir entry.
+	    rpath="$rpath\$thisdir/$dir:"
+	    ;;
+	  esac
+	done
+	temp_rpath="$rpath"
+      fi
+
+      if test -n "$compile_shlibpath$finalize_shlibpath"; then
+	compile_command="$shlibpath_var=\"$compile_shlibpath$finalize_shlibpath\$$shlibpath_var\" $compile_command"
+      fi
+      if test -n "$finalize_shlibpath"; then
+	finalize_command="$shlibpath_var=\"$finalize_shlibpath\$$shlibpath_var\" $finalize_command"
+      fi
+
+      compile_var=
+      finalize_var=
+      if test -n "$runpath_var"; then
+	if test -n "$perm_rpath"; then
+	  # We should set the runpath_var.
+	  rpath=
+	  for dir in $perm_rpath; do
+	    rpath="$rpath$dir:"
+	  done
+	  compile_var="$runpath_var=\"$rpath\$$runpath_var\" "
+	fi
+	if test -n "$finalize_perm_rpath"; then
+	  # We should set the runpath_var.
+	  rpath=
+	  for dir in $finalize_perm_rpath; do
+	    rpath="$rpath$dir:"
+	  done
+	  finalize_var="$runpath_var=\"$rpath\$$runpath_var\" "
+	fi
+      fi
+
+      if test "$no_install" = yes; then
+	# We don't need to create a wrapper script.
+	link_command="$compile_var$compile_command$compile_rpath"
+	# Replace the output file specification.
+	link_command=`$echo "X$link_command" | $Xsed -e 's%@OUTPUT@%'"$output"'%g'`
+	# Delete the old output file.
+	$run $rm $output
+	# Link the executable and exit
+	$show "$link_command"
+	$run eval "$link_command" || exit $?
+	exit 0
+      fi
+
+      if test "$hardcode_action" = relink; then
+	# Fast installation is not supported
+	link_command="$compile_var$compile_command$compile_rpath"
+	relink_command="$finalize_var$finalize_command$finalize_rpath"
+
+	$echo "$modename: warning: this platform does not like uninstalled shared libraries" 1>&2
+	$echo "$modename: \`$output' will be relinked during installation" 1>&2
+      else
+	if test "$fast_install" != no; then
+	  link_command="$finalize_var$compile_command$finalize_rpath"
+	  if test "$fast_install" = yes; then
+	    relink_command=`$echo "X$compile_var$compile_command$compile_rpath" | $Xsed -e 's%@OUTPUT@%\$progdir/\$file%g'`
+	  else
+	    # fast_install is set to needless
+	    relink_command=
+	  fi
+	else
+	  link_command="$compile_var$compile_command$compile_rpath"
+	  relink_command="$finalize_var$finalize_command$finalize_rpath"
+	fi
+      fi
+
+      # Replace the output file specification.
+      link_command=`$echo "X$link_command" | $Xsed -e 's%@OUTPUT@%'"$output_objdir/$outputname"'%g'`
+
+      # Delete the old output files.
+      $run $rm $output $output_objdir/$outputname $output_objdir/lt-$outputname
+
+      $show "$link_command"
+      $run eval "$link_command" || exit $?
+
+      # Now create the wrapper script.
+      $show "creating $output"
+
+      # Quote the relink command for shipping.
+      if test -n "$relink_command"; then
+	# Preserve any variables that may affect compiler behavior
+	for var in $variables_saved_for_relink; do
+	  if eval test -z \"\${$var+set}\"; then
+	    relink_command="{ test -z \"\${$var+set}\" || unset $var || { $var=; export $var; }; }; $relink_command"
+	  elif eval var_value=\$$var; test -z "$var_value"; then
+	    relink_command="$var=; export $var; $relink_command"
+	  else
+	    var_value=`$echo "X$var_value" | $Xsed -e "$sed_quote_subst"`
+	    relink_command="$var=\"$var_value\"; export $var; $relink_command"
+	  fi
+	done
+	relink_command="cd `pwd`; $relink_command"
+	relink_command=`$echo "X$relink_command" | $Xsed -e "$sed_quote_subst"`
+      fi
+
+      # Quote $echo for shipping.
+      if test "X$echo" = "X$SHELL $0 --fallback-echo"; then
+	case $0 in
+	[\\/]* | [A-Za-z]:[\\/]*) qecho="$SHELL $0 --fallback-echo";;
+	*) qecho="$SHELL `pwd`/$0 --fallback-echo";;
+	esac
+	qecho=`$echo "X$qecho" | $Xsed -e "$sed_quote_subst"`
+      else
+	qecho=`$echo "X$echo" | $Xsed -e "$sed_quote_subst"`
+      fi
+
+      # Only actually do things if our run command is non-null.
+      if test -z "$run"; then
+	# win32 will think the script is a binary if it has
+	# a .exe suffix, so we strip it off here.
+	case $output in
+	  *.exe) output=`echo $output|sed 's,.exe$,,'` ;;
+	esac
+	# test for cygwin because mv fails w/o .exe extensions
+	case $host in
+	  *cygwin*) exeext=.exe ;;
+	  *) exeext= ;;
+	esac
+	$rm $output
+	trap "$rm $output; exit 1" 1 2 15
+
+	$echo > $output "\
+#! $SHELL
+
+# $output - temporary wrapper script for $objdir/$outputname
+# Generated by $PROGRAM - GNU $PACKAGE $VERSION$TIMESTAMP
+#
+# The $output program cannot be directly executed until all the libtool
+# libraries that it depends on are installed.
+#
+# This wrapper script should never be moved out of the build directory.
+# If it is, it will not operate correctly.
+
+# Sed substitution that helps us do robust quoting.  It backslashifies
+# metacharacters that are still active within double-quoted strings.
+Xsed='sed -e 1s/^X//'
+sed_quote_subst='$sed_quote_subst'
+
+# The HP-UX ksh and POSIX shell print the target directory to stdout
+# if CDPATH is set.
+if test \"\${CDPATH+set}\" = set; then CDPATH=:; export CDPATH; fi
+
+relink_command=\"$relink_command\"
+
+# This environment variable determines our operation mode.
+if test \"\$libtool_install_magic\" = \"$magic\"; then
+  # install mode needs the following variable:
+  notinst_deplibs='$notinst_deplibs'
+else
+  # When we are sourced in execute mode, \$file and \$echo are already set.
+  if test \"\$libtool_execute_magic\" != \"$magic\"; then
+    echo=\"$qecho\"
+    file=\"\$0\"
+    # Make sure echo works.
+    if test \"X\$1\" = X--no-reexec; then
+      # Discard the --no-reexec flag, and continue.
+      shift
+    elif test \"X\`(\$echo '\t') 2>/dev/null\`\" = 'X\t'; then
+      # Yippee, \$echo works!
+      :
+    else
+      # Restart under the correct shell, and then maybe \$echo will work.
+      exec $SHELL \"\$0\" --no-reexec \${1+\"\$@\"}
+    fi
+  fi\
+"
+	$echo >> $output "\
+
+  # Find the directory that this script lives in.
+  thisdir=\`\$echo \"X\$file\" | \$Xsed -e 's%/[^/]*$%%'\`
+  test \"x\$thisdir\" = \"x\$file\" && thisdir=.
+
+  # Follow symbolic links until we get to the real thisdir.
+  file=\`ls -ld \"\$file\" | sed -n 's/.*-> //p'\`
+  while test -n \"\$file\"; do
+    destdir=\`\$echo \"X\$file\" | \$Xsed -e 's%/[^/]*\$%%'\`
+
+    # If there was a directory component, then change thisdir.
+    if test \"x\$destdir\" != \"x\$file\"; then
+      case \"\$destdir\" in
+      [\\\\/]* | [A-Za-z]:[\\\\/]*) thisdir=\"\$destdir\" ;;
+      *) thisdir=\"\$thisdir/\$destdir\" ;;
+      esac
+    fi
+
+    file=\`\$echo \"X\$file\" | \$Xsed -e 's%^.*/%%'\`
+    file=\`ls -ld \"\$thisdir/\$file\" | sed -n 's/.*-> //p'\`
+  done
+
+  # Try to get the absolute directory name.
+  absdir=\`cd \"\$thisdir\" && pwd\`
+  test -n \"\$absdir\" && thisdir=\"\$absdir\"
+"
+
+	if test "$fast_install" = yes; then
+	  echo >> $output "\
+  program=lt-'$outputname'$exeext
+  progdir=\"\$thisdir/$objdir\"
+
+  if test ! -f \"\$progdir/\$program\" || \\
+     { file=\`ls -1dt \"\$progdir/\$program\" \"\$progdir/../\$program\" 2>/dev/null | sed 1q\`; \\
+       test \"X\$file\" != \"X\$progdir/\$program\"; }; then
+
+    file=\"\$\$-\$program\"
+
+    if test ! -d \"\$progdir\"; then
+      $mkdir \"\$progdir\"
+    else
+      $rm \"\$progdir/\$file\"
+    fi"
+
+	  echo >> $output "\
+
+    # relink executable if necessary
+    if test -n \"\$relink_command\"; then
+      if (eval \$relink_command); then :
+      else
+	$rm \"\$progdir/\$file\"
+	exit 1
+      fi
+    fi
+
+    $mv \"\$progdir/\$file\" \"\$progdir/\$program\" 2>/dev/null ||
+    { $rm \"\$progdir/\$program\";
+      $mv \"\$progdir/\$file\" \"\$progdir/\$program\"; }
+    $rm \"\$progdir/\$file\"
+  fi"
+	else
+	  echo >> $output "\
+  program='$outputname'
+  progdir=\"\$thisdir/$objdir\"
+"
+	fi
+
+	echo >> $output "\
+
+  if test -f \"\$progdir/\$program\"; then"
+
+	# Export our shlibpath_var if we have one.
+	if test "$shlibpath_overrides_runpath" = yes && test -n "$shlibpath_var" && test -n "$temp_rpath"; then
+	  $echo >> $output "\
+    # Add our own library path to $shlibpath_var
+    $shlibpath_var=\"$temp_rpath\$$shlibpath_var\"
+
+    # Some systems cannot cope with colon-terminated $shlibpath_var
+    # The second colon is a workaround for a bug in BeOS R4 sed
+    $shlibpath_var=\`\$echo \"X\$$shlibpath_var\" | \$Xsed -e 's/::*\$//'\`
+
+    export $shlibpath_var
+"
+	fi
+
+	# fixup the dll searchpath if we need to.
+	if test -n "$dllsearchpath"; then
+	  $echo >> $output "\
+    # Add the dll search path components to the executable PATH
+    PATH=$dllsearchpath:\$PATH
+"
+	fi
+
+	$echo >> $output "\
+    if test \"\$libtool_execute_magic\" != \"$magic\"; then
+      # Run the actual program with our arguments.
+"
+	case $host in
+	# win32 systems need to use the prog path for dll
+	# lookup to work
+	*-*-cygwin* | *-*-pw32*)
+	  $echo >> $output "\
+      exec \$progdir/\$program \${1+\"\$@\"}
+"
+	  ;;
+
+	# Backslashes separate directories on plain windows
+	*-*-mingw | *-*-os2*)
+	  $echo >> $output "\
+      exec \$progdir\\\\\$program \${1+\"\$@\"}
+"
+	  ;;
+
+	*)
+	  $echo >> $output "\
+      # Export the path to the program.
+      PATH=\"\$progdir:\$PATH\"
+      export PATH
+
+      exec \$program \${1+\"\$@\"}
+"
+	  ;;
+	esac
+	$echo >> $output "\
+      \$echo \"\$0: cannot exec \$program \${1+\"\$@\"}\"
+      exit 1
+    fi
+  else
+    # The program doesn't exist.
+    \$echo \"\$0: error: \$progdir/\$program does not exist\" 1>&2
+    \$echo \"This script is just a wrapper for \$program.\" 1>&2
+    echo \"See the $PACKAGE documentation for more information.\" 1>&2
+    exit 1
+  fi
+fi\
+"
+	chmod +x $output
+      fi
+      exit 0
+      ;;
+    esac
+
+    # See if we need to build an old-fashioned archive.
+    for oldlib in $oldlibs; do
+
+      if test "$build_libtool_libs" = convenience; then
+	oldobjs="$libobjs_save"
+	addlibs="$convenience"
+	build_libtool_libs=no
+      else
+	if test "$build_libtool_libs" = module; then
+	  oldobjs="$libobjs_save"
+	  build_libtool_libs=no
+	else
+	  oldobjs="$objs$old_deplibs "`$echo "X$libobjs_save" | $SP2NL | $Xsed -e '/\.'${libext}'$/d' -e '/\.lib$/d' -e "$lo2o" | $NL2SP`
+	fi
+	addlibs="$old_convenience"
+      fi
+
+      if test -n "$addlibs"; then
+	gentop="$output_objdir/${outputname}x"
+	$show "${rm}r $gentop"
+	$run ${rm}r "$gentop"
+	$show "mkdir $gentop"
+	$run mkdir "$gentop"
+	status=$?
+	if test $status -ne 0 && test ! -d "$gentop"; then
+	  exit $status
+	fi
+	generated="$generated $gentop"
+
+	# Add in members from convenience archives.
+	for xlib in $addlibs; do
+	  # Extract the objects.
+	  case $xlib in
+	  [\\/]* | [A-Za-z]:[\\/]*) xabs="$xlib" ;;
+	  *) xabs=`pwd`"/$xlib" ;;
+	  esac
+	  xlib=`$echo "X$xlib" | $Xsed -e 's%^.*/%%'`
+	  xdir="$gentop/$xlib"
+
+	  $show "${rm}r $xdir"
+	  $run ${rm}r "$xdir"
+	  $show "mkdir $xdir"
+	  $run mkdir "$xdir"
+	  status=$?
+	  if test $status -ne 0 && test ! -d "$xdir"; then
+	    exit $status
+	  fi
+	  $show "(cd $xdir && $AR x $xabs)"
+	  $run eval "(cd \$xdir && $AR x \$xabs)" || exit $?
+
+	  oldobjs="$oldobjs "`find $xdir -name \*.${objext} -print -o -name \*.lo -print | $NL2SP`
+	done
+      fi
+
+      # Do each command in the archive commands.
+      if test -n "$old_archive_from_new_cmds" && test "$build_libtool_libs" = yes; then
+	eval cmds=\"$old_archive_from_new_cmds\"
+      else
+	# Ensure that we have .o objects in place in case we decided
+	# not to build a shared library, and have fallen back to building
+	# static libs even though --disable-static was passed!
+	for oldobj in $oldobjs; do
+	  if test ! -f $oldobj; then
+	    xdir=`$echo "X$oldobj" | $Xsed -e 's%/[^/]*$%%'`
+	    if test "X$xdir" = "X$oldobj"; then
+	      xdir="."
+	    else
+	      xdir="$xdir"
+	    fi
+	    baseobj=`$echo "X$oldobj" | $Xsed -e 's%^.*/%%'`
+	    obj=`$echo "X$baseobj" | $Xsed -e "$o2lo"`
+	    $show "(cd $xdir && ${LN_S} $obj $baseobj)"
+	    $run eval '(cd $xdir && ${LN_S} $obj $baseobj)' || exit $?
+	  fi
+	done
+
+	eval cmds=\"$old_archive_cmds\"
+      fi
+      IFS="${IFS= 	}"; save_ifs="$IFS"; IFS='~'
+      for cmd in $cmds; do
+	IFS="$save_ifs"
+	$show "$cmd"
+	$run eval "$cmd" || exit $?
+      done
+      IFS="$save_ifs"
+    done
+
+    if test -n "$generated"; then
+      $show "${rm}r$generated"
+      $run ${rm}r$generated
+    fi
+
+    # Now create the libtool archive.
+    case $output in
+    *.la)
+      old_library=
+      test "$build_old_libs" = yes && old_library="$libname.$libext"
+      $show "creating $output"
+
+      # Preserve any variables that may affect compiler behavior
+      for var in $variables_saved_for_relink; do
+	if eval test -z \"\${$var+set}\"; then
+	  relink_command="{ test -z \"\${$var+set}\" || unset $var || { $var=; export $var; }; }; $relink_command"
+	elif eval var_value=\$$var; test -z "$var_value"; then
+	  relink_command="$var=; export $var; $relink_command"
+	else
+	  var_value=`$echo "X$var_value" | $Xsed -e "$sed_quote_subst"`
+	  relink_command="$var=\"$var_value\"; export $var; $relink_command"
+	fi
+      done
+      # Quote the link command for shipping.
+      relink_command="cd `pwd`; $SHELL $0 --mode=relink $libtool_args"
+      relink_command=`$echo "X$relink_command" | $Xsed -e "$sed_quote_subst"`
+
+      # Only create the output if not a dry run.
+      if test -z "$run"; then
+	for installed in no yes; do
+	  if test "$installed" = yes; then
+	    if test -z "$install_libdir"; then
+	      break
+	    fi
+	    output="$output_objdir/$outputname"i
+	    # Replace all uninstalled libtool libraries with the installed ones
+	    newdependency_libs=
+	    for deplib in $dependency_libs; do
+	      case $deplib in
+	      *.la)
+		name=`$echo "X$deplib" | $Xsed -e 's%^.*/%%'`
+		eval libdir=`sed -n -e 's/^libdir=\(.*\)$/\1/p' $deplib`
+		if test -z "$libdir"; then
+		  $echo "$modename: \`$deplib' is not a valid libtool archive" 1>&2
+		  exit 1
+		fi
+		newdependency_libs="$newdependency_libs $libdir/$name"
+		;;
+	      *) newdependency_libs="$newdependency_libs $deplib" ;;
+	      esac
+	    done
+	    dependency_libs="$newdependency_libs"
+	    newdlfiles=
+	    for lib in $dlfiles; do
+	      name=`$echo "X$lib" | $Xsed -e 's%^.*/%%'`
+	      eval libdir=`sed -n -e 's/^libdir=\(.*\)$/\1/p' $lib`
+	      if test -z "$libdir"; then
+		$echo "$modename: \`$lib' is not a valid libtool archive" 1>&2
+		exit 1
+	      fi
+	      newdlfiles="$newdlfiles $libdir/$name"
+	    done
+	    dlfiles="$newdlfiles"
+	    newdlprefiles=
+	    for lib in $dlprefiles; do
+	      name=`$echo "X$lib" | $Xsed -e 's%^.*/%%'`
+	      eval libdir=`sed -n -e 's/^libdir=\(.*\)$/\1/p' $lib`
+	      if test -z "$libdir"; then
+		$echo "$modename: \`$lib' is not a valid libtool archive" 1>&2
+		exit 1
+	      fi
+	      newdlprefiles="$newdlprefiles $libdir/$name"
+	    done
+	    dlprefiles="$newdlprefiles"
+	  fi
+	  $rm $output
+	  # place dlname in correct position for cygwin
+	  tdlname=$dlname
+	  case $host,$output,$installed,$module,$dlname in
+	    *cygwin*,*lai,yes,no,*.dll) tdlname=../bin/$dlname ;;
+	  esac
+	  $echo > $output "\
+# $outputname - a libtool library file
+# Generated by $PROGRAM - GNU $PACKAGE $VERSION$TIMESTAMP
+#
+# Please DO NOT delete this file!
+# It is necessary for linking the library.
+
+# The name that we can dlopen(3).
+dlname='$tdlname'
+
+# Names of this library.
+library_names='$library_names'
+
+# The name of the static archive.
+old_library='$old_library'
+
+# Libraries that this one depends upon.
+dependency_libs='$dependency_libs'
+
+# Version information for $libname.
+current=$current
+age=$age
+revision=$revision
+
+# Is this an already installed library?
+installed=$installed
+
+# Files to dlopen/dlpreopen
+dlopen='$dlfiles'
+dlpreopen='$dlprefiles'
+
+# Directory that this library needs to be installed in:
+libdir='$install_libdir'"
+	  if test "$installed" = no && test $need_relink = yes; then
+	    $echo >> $output "\
+relink_command=\"$relink_command\""
+	  fi
+	done
+      fi
+
+      # Do a symbolic link so that the libtool archive can be found in
+      # LD_LIBRARY_PATH before the program is installed.
+      $show "(cd $output_objdir && $rm $outputname && $LN_S ../$outputname $outputname)"
+      $run eval '(cd $output_objdir && $rm $outputname && $LN_S ../$outputname $outputname)' || exit $?
+      ;;
+    esac
+    exit 0
+    ;;
+
+  # libtool install mode
+  install)
+    modename="$modename: install"
+
+    # There may be an optional sh(1) argument at the beginning of
+    # install_prog (especially on Windows NT).
+    if test "$nonopt" = "$SHELL" || test "$nonopt" = /bin/sh ||
+       # Allow the use of GNU shtool's install command.
+       $echo "X$nonopt" | $Xsed | grep shtool > /dev/null; then
+      # Aesthetically quote it.
+      arg=`$echo "X$nonopt" | $Xsed -e "$sed_quote_subst"`
+      case $arg in
+      *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*)
+	arg="\"$arg\""
+	;;
+      esac
+      install_prog="$arg "
+      arg="$1"
+      shift
+    else
+      install_prog=
+      arg="$nonopt"
+    fi
+
+    # The real first argument should be the name of the installation program.
+    # Aesthetically quote it.
+    arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`
+    case $arg in
+    *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*)
+      arg="\"$arg\""
+      ;;
+    esac
+    install_prog="$install_prog$arg"
+
+    # We need to accept at least all the BSD install flags.
+    dest=
+    files=
+    opts=
+    prev=
+    install_type=
+    isdir=no
+    stripme=
+    for arg
+    do
+      if test -n "$dest"; then
+	files="$files $dest"
+	dest="$arg"
+	continue
+      fi
+
+      case $arg in
+      -d) isdir=yes ;;
+      -f) prev="-f" ;;
+      -g) prev="-g" ;;
+      -m) prev="-m" ;;
+      -o) prev="-o" ;;
+      -s)
+	stripme=" -s"
+	continue
+	;;
+      -*) ;;
+
+      *)
+	# If the previous option needed an argument, then skip it.
+	if test -n "$prev"; then
+	  prev=
+	else
+	  dest="$arg"
+	  continue
+	fi
+	;;
+      esac
+
+      # Aesthetically quote the argument.
+      arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`
+      case $arg in
+      *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*)
+	arg="\"$arg\""
+	;;
+      esac
+      install_prog="$install_prog $arg"
+    done
+
+    if test -z "$install_prog"; then
+      $echo "$modename: you must specify an install program" 1>&2
+      $echo "$help" 1>&2
+      exit 1
+    fi
+
+    if test -n "$prev"; then
+      $echo "$modename: the \`$prev' option requires an argument" 1>&2
+      $echo "$help" 1>&2
+      exit 1
+    fi
+
+    if test -z "$files"; then
+      if test -z "$dest"; then
+	$echo "$modename: no file or destination specified" 1>&2
+      else
+	$echo "$modename: you must specify a destination" 1>&2
+      fi
+      $echo "$help" 1>&2
+      exit 1
+    fi
+
+    # Strip any trailing slash from the destination.
+    dest=`$echo "X$dest" | $Xsed -e 's%/$%%'`
+
+    # Check to see that the destination is a directory.
+    test -d "$dest" && isdir=yes
+    if test "$isdir" = yes; then
+      destdir="$dest"
+      destname=
+    else
+      destdir=`$echo "X$dest" | $Xsed -e 's%/[^/]*$%%'`
+      test "X$destdir" = "X$dest" && destdir=.
+      destname=`$echo "X$dest" | $Xsed -e 's%^.*/%%'`
+
+      # Not a directory, so check to see that there is only one file specified.
+      set dummy $files
+      if test $# -gt 2; then
+	$echo "$modename: \`$dest' is not a directory" 1>&2
+	$echo "$help" 1>&2
+	exit 1
+      fi
+    fi
+    case $destdir in
+    [\\/]* | [A-Za-z]:[\\/]*) ;;
+    *)
+      for file in $files; do
+	case $file in
+	*.lo) ;;
+	*)
+	  $echo "$modename: \`$destdir' must be an absolute directory name" 1>&2
+	  $echo "$help" 1>&2
+	  exit 1
+	  ;;
+	esac
+      done
+      ;;
+    esac
+
+    # This variable tells wrapper scripts just to set variables rather
+    # than running their programs.
+    libtool_install_magic="$magic"
+
+    staticlibs=
+    future_libdirs=
+    current_libdirs=
+    for file in $files; do
+
+      # Do each installation.
+      case $file in
+      *.$libext)
+	# Do the static libraries later.
+	staticlibs="$staticlibs $file"
+	;;
+
+      *.la)
+	# Check to see that this really is a libtool archive.
+	if (sed -e '2q' $file | egrep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then :
+	else
+	  $echo "$modename: \`$file' is not a valid libtool archive" 1>&2
+	  $echo "$help" 1>&2
+	  exit 1
+	fi
+
+	library_names=
+	old_library=
+	relink_command=
+	# If there is no directory component, then add one.
+	case $file in
+	*/* | *\\*) . $file ;;
+	*) . ./$file ;;
+	esac
+
+	# Add the libdir to current_libdirs if it is the destination.
+	if test "X$destdir" = "X$libdir"; then
+	  case "$current_libdirs " in
+	  *" $libdir "*) ;;
+	  *) current_libdirs="$current_libdirs $libdir" ;;
+	  esac
+	else
+	  # Note the libdir as a future libdir.
+	  case "$future_libdirs " in
+	  *" $libdir "*) ;;
+	  *) future_libdirs="$future_libdirs $libdir" ;;
+	  esac
+	fi
+
+	dir=`$echo "X$file" | $Xsed -e 's%/[^/]*$%%'`/
+	test "X$dir" = "X$file/" && dir=
+	dir="$dir$objdir"
+
+	if test -n "$relink_command"; then
+	  $echo "$modename: warning: relinking \`$file'" 1>&2
+	  $show "$relink_command"
+	  if $run eval "$relink_command"; then :
+	  else
+	    $echo "$modename: error: relink \`$file' with the above command before installing it" 1>&2
+	    continue
+	  fi
+	fi
+
+	# See the names of the shared library.
+	set dummy $library_names
+	if test -n "$2"; then
+	  realname="$2"
+	  shift
+	  shift
+
+	  srcname="$realname"
+	  test -n "$relink_command" && srcname="$realname"T
+
+	  # Install the shared library and build the symlinks.
+	  $show "$install_prog $dir/$srcname $destdir/$realname"
+	  $run eval "$install_prog $dir/$srcname $destdir/$realname" || exit $?
+	  if test -n "$stripme" && test -n "$striplib"; then
+	    $show "$striplib $destdir/$realname"
+	    $run eval "$striplib $destdir/$realname" || exit $?
+	  fi
+
+	  if test $# -gt 0; then
+	    # Delete the old symlinks, and create new ones.
+	    for linkname
+	    do
+	      if test "$linkname" != "$realname"; then
+		$show "(cd $destdir && $rm $linkname && $LN_S $realname $linkname)"
+		$run eval "(cd $destdir && $rm $linkname && $LN_S $realname $linkname)"
+	      fi
+	    done
+	  fi
+
+	  # Do each command in the postinstall commands.
+	  lib="$destdir/$realname"
+	  eval cmds=\"$postinstall_cmds\"
+	  IFS="${IFS= 	}"; save_ifs="$IFS"; IFS='~'
+	  for cmd in $cmds; do
+	    IFS="$save_ifs"
+	    $show "$cmd"
+	    $run eval "$cmd" || exit $?
+	  done
+	  IFS="$save_ifs"
+	fi
+
+	# Install the pseudo-library for information purposes.
+	name=`$echo "X$file" | $Xsed -e 's%^.*/%%'`
+	instname="$dir/$name"i
+	$show "$install_prog $instname $destdir/$name"
+	$run eval "$install_prog $instname $destdir/$name" || exit $?
+
+	# Maybe install the static library, too.
+	test -n "$old_library" && staticlibs="$staticlibs $dir/$old_library"
+	;;
+
+      *.lo)
+	# Install (i.e. copy) a libtool object.
+
+	# Figure out destination file name, if it wasn't already specified.
+	if test -n "$destname"; then
+	  destfile="$destdir/$destname"
+	else
+	  destfile=`$echo "X$file" | $Xsed -e 's%^.*/%%'`
+	  destfile="$destdir/$destfile"
+	fi
+
+	# Deduce the name of the destination old-style object file.
+	case $destfile in
+	*.lo)
+	  staticdest=`$echo "X$destfile" | $Xsed -e "$lo2o"`
+	  ;;
+	*.$objext)
+	  staticdest="$destfile"
+	  destfile=
+	  ;;
+	*)
+	  $echo "$modename: cannot copy a libtool object to \`$destfile'" 1>&2
+	  $echo "$help" 1>&2
+	  exit 1
+	  ;;
+	esac
+
+	# Install the libtool object if requested.
+	if test -n "$destfile"; then
+	  $show "$install_prog $file $destfile"
+	  $run eval "$install_prog $file $destfile" || exit $?
+	fi
+
+	# Install the old object if enabled.
+	if test "$build_old_libs" = yes; then
+	  # Deduce the name of the old-style object file.
+	  staticobj=`$echo "X$file" | $Xsed -e "$lo2o"`
+
+	  $show "$install_prog $staticobj $staticdest"
+	  $run eval "$install_prog \$staticobj \$staticdest" || exit $?
+	fi
+	exit 0
+	;;
+
+      *)
+	# Figure out destination file name, if it wasn't already specified.
+	if test -n "$destname"; then
+	  destfile="$destdir/$destname"
+	else
+	  destfile=`$echo "X$file" | $Xsed -e 's%^.*/%%'`
+	  destfile="$destdir/$destfile"
+	fi
+
+	# Do a test to see if this is really a libtool program.
+	if (sed -e '4q' $file | egrep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then
+	  notinst_deplibs=
+	  relink_command=
+
+	  # If there is no directory component, then add one.
+	  case $file in
+	  */* | *\\*) . $file ;;
+	  *) . ./$file ;;
+	  esac
+
+	  # Check the variables that should have been set.
+	  if test -z "$notinst_deplibs"; then
+	    $echo "$modename: invalid libtool wrapper script \`$file'" 1>&2
+	    exit 1
+	  fi
+
+	  finalize=yes
+	  for lib in $notinst_deplibs; do
+	    # Check to see that each library is installed.
+	    libdir=
+	    if test -f "$lib"; then
+	      # If there is no directory component, then add one.
+	      case $lib in
+	      */* | *\\*) . $lib ;;
+	      *) . ./$lib ;;
+	      esac
+	    fi
+	    libfile="$libdir/"`$echo "X$lib" | $Xsed -e 's%^.*/%%g'` ### testsuite: skip nested quoting test
+	    if test -n "$libdir" && test ! -f "$libfile"; then
+	      $echo "$modename: warning: \`$lib' has not been installed in \`$libdir'" 1>&2
+	      finalize=no
+	    fi
+	  done
+
+	  relink_command=
+	  # If there is no directory component, then add one.
+	  case $file in
+	  */* | *\\*) . $file ;;
+	  *) . ./$file ;;
+	  esac
+
+	  outputname=
+	  if test "$fast_install" = no && test -n "$relink_command"; then
+	    if test "$finalize" = yes && test -z "$run"; then
+	      tmpdir="/tmp"
+	      test -n "$TMPDIR" && tmpdir="$TMPDIR"
+	      tmpdir="$tmpdir/libtool-$$"
+	      if $mkdir -p "$tmpdir" && chmod 700 "$tmpdir"; then :
+	      else
+		$echo "$modename: error: cannot create temporary directory \`$tmpdir'" 1>&2
+		continue
+	      fi
+	      file=`$echo "X$file" | $Xsed -e 's%^.*/%%'`
+	      outputname="$tmpdir/$file"
+	      # Replace the output file specification.
+	      relink_command=`$echo "X$relink_command" | $Xsed -e 's%@OUTPUT@%'"$outputname"'%g'`
+
+	      $show "$relink_command"
+	      if $run eval "$relink_command"; then :
+	      else
+		$echo "$modename: error: relink \`$file' with the above command before installing it" 1>&2
+		${rm}r "$tmpdir"
+		continue
+	      fi
+	      file="$outputname"
+	    else
+	      $echo "$modename: warning: cannot relink \`$file'" 1>&2
+	    fi
+	  else
+	    # Install the binary that we compiled earlier.
+	    file=`$echo "X$file" | $Xsed -e "s%\([^/]*\)$%$objdir/\1%"`
+	  fi
+	fi
+
+	# remove .exe since cygwin /usr/bin/install will append another
+	# one anyways
+	case $install_prog,$host in
+	/usr/bin/install*,*cygwin*)
+	  case $file:$destfile in
+	  *.exe:*.exe)
+	    # this is ok
+	    ;;
+	  *.exe:*)
+	    destfile=$destfile.exe
+	    ;;
+	  *:*.exe)
+	    destfile=`echo $destfile | sed -e 's,.exe$,,'`
+	    ;;
+	  esac
+	  ;;
+	esac
+	$show "$install_prog$stripme $file $destfile"
+	$run eval "$install_prog\$stripme \$file \$destfile" || exit $?
+	test -n "$outputname" && ${rm}r "$tmpdir"
+	;;
+      esac
+    done
+
+    for file in $staticlibs; do
+      name=`$echo "X$file" | $Xsed -e 's%^.*/%%'`
+
+      # Set up the ranlib parameters.
+      oldlib="$destdir/$name"
+
+      $show "$install_prog $file $oldlib"
+      $run eval "$install_prog \$file \$oldlib" || exit $?
+
+      if test -n "$stripme" && test -n "$striplib"; then
+	$show "$old_striplib $oldlib"
+	$run eval "$old_striplib $oldlib" || exit $?
+      fi
+
+      # Do each command in the postinstall commands.
+      eval cmds=\"$old_postinstall_cmds\"
+      IFS="${IFS= 	}"; save_ifs="$IFS"; IFS='~'
+      for cmd in $cmds; do
+	IFS="$save_ifs"
+	$show "$cmd"
+	$run eval "$cmd" || exit $?
+      done
+      IFS="$save_ifs"
+    done
+
+    if test -n "$future_libdirs"; then
+      $echo "$modename: warning: remember to run \`$progname --finish$future_libdirs'" 1>&2
+    fi
+
+    if test -n "$current_libdirs"; then
+      # Maybe just do a dry run.
+      test -n "$run" && current_libdirs=" -n$current_libdirs"
+      exec $SHELL $0 --finish$current_libdirs
+      exit 1
+    fi
+
+    exit 0
+    ;;
+
+  # libtool finish mode
+  finish)
+    modename="$modename: finish"
+    libdirs="$nonopt"
+    admincmds=
+
+    if test -n "$finish_cmds$finish_eval" && test -n "$libdirs"; then
+      for dir
+      do
+	libdirs="$libdirs $dir"
+      done
+
+      for libdir in $libdirs; do
+	if test -n "$finish_cmds"; then
+	  # Do each command in the finish commands.
+	  eval cmds=\"$finish_cmds\"
+	  IFS="${IFS= 	}"; save_ifs="$IFS"; IFS='~'
+	  for cmd in $cmds; do
+	    IFS="$save_ifs"
+	    $show "$cmd"
+	    $run eval "$cmd" || admincmds="$admincmds
+       $cmd"
+	  done
+	  IFS="$save_ifs"
+	fi
+	if test -n "$finish_eval"; then
+	  # Do the single finish_eval.
+	  eval cmds=\"$finish_eval\"
+	  $run eval "$cmds" || admincmds="$admincmds
+       $cmds"
+	fi
+      done
+    fi
+
+    # Exit here if they wanted silent mode.
+    test "$show" = ":" && exit 0
+
+    echo "----------------------------------------------------------------------"
+    echo "Libraries have been installed in:"
+    for libdir in $libdirs; do
+      echo "   $libdir"
+    done
+    echo
+    echo "If you ever happen to want to link against installed libraries"
+    echo "in a given directory, LIBDIR, you must either use libtool, and"
+    echo "specify the full pathname of the library, or use the \`-LLIBDIR'"
+    echo "flag during linking and do at least one of the following:"
+    if test -n "$shlibpath_var"; then
+      echo "   - add LIBDIR to the \`$shlibpath_var' environment variable"
+      echo "     during execution"
+    fi
+    if test -n "$runpath_var"; then
+      echo "   - add LIBDIR to the \`$runpath_var' environment variable"
+      echo "     during linking"
+    fi
+    if test -n "$hardcode_libdir_flag_spec"; then
+      libdir=LIBDIR
+      eval flag=\"$hardcode_libdir_flag_spec\"
+
+      echo "   - use the \`$flag' linker flag"
+    fi
+    if test -n "$admincmds"; then
+      echo "   - have your system administrator run these commands:$admincmds"
+    fi
+    if test -f /etc/ld.so.conf; then
+      echo "   - have your system administrator add LIBDIR to \`/etc/ld.so.conf'"
+    fi
+    echo
+    echo "See any operating system documentation about shared libraries for"
+    echo "more information, such as the ld(1) and ld.so(8) manual pages."
+    echo "----------------------------------------------------------------------"
+    exit 0
+    ;;
+
+  # libtool execute mode
+  execute)
+    modename="$modename: execute"
+
+    # The first argument is the command name.
+    cmd="$nonopt"
+    if test -z "$cmd"; then
+      $echo "$modename: you must specify a COMMAND" 1>&2
+      $echo "$help"
+      exit 1
+    fi
+
+    # Handle -dlopen flags immediately.
+    for file in $execute_dlfiles; do
+      if test ! -f "$file"; then
+	$echo "$modename: \`$file' is not a file" 1>&2
+	$echo "$help" 1>&2
+	exit 1
+      fi
+
+      dir=
+      case $file in
+      *.la)
+	# Check to see that this really is a libtool archive.
+	if (sed -e '2q' $file | egrep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then :
+	else
+	  $echo "$modename: \`$lib' is not a valid libtool archive" 1>&2
+	  $echo "$help" 1>&2
+	  exit 1
+	fi
+
+	# Read the libtool library.
+	dlname=
+	library_names=
+
+	# If there is no directory component, then add one.
+	case $file in
+	*/* | *\\*) . $file ;;
+	*) . ./$file ;;
+	esac
+
+	# Skip this library if it cannot be dlopened.
+	if test -z "$dlname"; then
+	  # Warn if it was a shared library.
+	  test -n "$library_names" && $echo "$modename: warning: \`$file' was not linked with \`-export-dynamic'"
+	  continue
+	fi
+
+	dir=`$echo "X$file" | $Xsed -e 's%/[^/]*$%%'`
+	test "X$dir" = "X$file" && dir=.
+
+	if test -f "$dir/$objdir/$dlname"; then
+	  dir="$dir/$objdir"
+	else
+	  $echo "$modename: cannot find \`$dlname' in \`$dir' or \`$dir/$objdir'" 1>&2
+	  exit 1
+	fi
+	;;
+
+      *.lo)
+	# Just add the directory containing the .lo file.
+	dir=`$echo "X$file" | $Xsed -e 's%/[^/]*$%%'`
+	test "X$dir" = "X$file" && dir=.
+	;;
+
+      *)
+	$echo "$modename: warning \`-dlopen' is ignored for non-libtool libraries and objects" 1>&2
+	continue
+	;;
+      esac
+
+      # Get the absolute pathname.
+      absdir=`cd "$dir" && pwd`
+      test -n "$absdir" && dir="$absdir"
+
+      # Now add the directory to shlibpath_var.
+      if eval "test -z \"\$$shlibpath_var\""; then
+	eval "$shlibpath_var=\"\$dir\""
+      else
+	eval "$shlibpath_var=\"\$dir:\$$shlibpath_var\""
+      fi
+    done
+
+    # This variable tells wrapper scripts just to set shlibpath_var
+    # rather than running their programs.
+    libtool_execute_magic="$magic"
+
+    # Check if any of the arguments is a wrapper script.
+    args=
+    for file
+    do
+      case $file in
+      -*) ;;
+      *)
+	# Do a test to see if this is really a libtool program.
+	if (sed -e '4q' $file | egrep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then
+	  # If there is no directory component, then add one.
+	  case $file in
+	  */* | *\\*) . $file ;;
+	  *) . ./$file ;;
+	  esac
+
+	  # Transform arg to wrapped name.
+	  file="$progdir/$program"
+	fi
+	;;
+      esac
+      # Quote arguments (to preserve shell metacharacters).
+      file=`$echo "X$file" | $Xsed -e "$sed_quote_subst"`
+      args="$args \"$file\""
+    done
+
+    if test -z "$run"; then
+      if test -n "$shlibpath_var"; then
+	# Export the shlibpath_var.
+	eval "export $shlibpath_var"
+      fi
+
+      # Restore saved enviroment variables
+      if test "${save_LC_ALL+set}" = set; then
+	LC_ALL="$save_LC_ALL"; export LC_ALL
+      fi
+      if test "${save_LANG+set}" = set; then
+	LANG="$save_LANG"; export LANG
+      fi
+
+      # Now actually exec the command.
+      eval "exec \$cmd$args"
+
+      $echo "$modename: cannot exec \$cmd$args"
+      exit 1
+    else
+      # Display what would be done.
+      if test -n "$shlibpath_var"; then
+	eval "\$echo \"\$shlibpath_var=\$$shlibpath_var\""
+	$echo "export $shlibpath_var"
+      fi
+      $echo "$cmd$args"
+      exit 0
+    fi
+    ;;
+
+  # libtool clean and uninstall mode
+  clean | uninstall)
+    modename="$modename: $mode"
+    rm="$nonopt"
+    files=
+    rmforce=
+    exit_status=0
+
+    # This variable tells wrapper scripts just to set variables rather
+    # than running their programs.
+    libtool_install_magic="$magic"
+
+    for arg
+    do
+      case $arg in
+      -f) rm="$rm $arg"; rmforce=yes ;;
+      -*) rm="$rm $arg" ;;
+      *) files="$files $arg" ;;
+      esac
+    done
+
+    if test -z "$rm"; then
+      $echo "$modename: you must specify an RM program" 1>&2
+      $echo "$help" 1>&2
+      exit 1
+    fi
+
+    rmdirs=
+
+    for file in $files; do
+      dir=`$echo "X$file" | $Xsed -e 's%/[^/]*$%%'`
+      if test "X$dir" = "X$file"; then
+	dir=.
+	objdir="$objdir"
+      else
+	objdir="$dir/$objdir"
+      fi
+      name=`$echo "X$file" | $Xsed -e 's%^.*/%%'`
+      test $mode = uninstall && objdir="$dir"
+
+      # Remember objdir for removal later, being careful to avoid duplicates
+      if test $mode = clean; then
+	case " $rmdirs " in
+	  *" $objdir "*) ;;
+	  *) rmdirs="$rmdirs $objdir" ;;
+	esac
+      fi
+
+      # Don't error if the file doesn't exist and rm -f was used.
+      if (test -L "$file") >/dev/null 2>&1 \
+        || (test -h "$file") >/dev/null 2>&1 \
+	|| test -f "$file"; then
+        :
+      elif test -d "$file"; then
+        exit_status=1
+	continue
+      elif test "$rmforce" = yes; then
+        continue
+      fi
+
+      rmfiles="$file"
+
+      case $name in
+      *.la)
+	# Possibly a libtool archive, so verify it.
+	if (sed -e '2q' $file | egrep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then
+	  . $dir/$name
+
+	  # Delete the libtool libraries and symlinks.
+	  for n in $library_names; do
+	    rmfiles="$rmfiles $objdir/$n"
+	  done
+	  test -n "$old_library" && rmfiles="$rmfiles $objdir/$old_library"
+	  test $mode = clean && rmfiles="$rmfiles $objdir/$name $objdir/${name}i"
+
+	  if test $mode = uninstall; then
+	    if test -n "$library_names"; then
+	      # Do each command in the postuninstall commands.
+	      eval cmds=\"$postuninstall_cmds\"
+	      IFS="${IFS= 	}"; save_ifs="$IFS"; IFS='~'
+	      for cmd in $cmds; do
+		IFS="$save_ifs"
+		$show "$cmd"
+		$run eval "$cmd"
+		if test $? != 0 && test "$rmforce" != yes; then
+		  exit_status=1
+		fi
+	      done
+	      IFS="$save_ifs"
+	    fi
+
+	    if test -n "$old_library"; then
+	      # Do each command in the old_postuninstall commands.
+	      eval cmds=\"$old_postuninstall_cmds\"
+	      IFS="${IFS= 	}"; save_ifs="$IFS"; IFS='~'
+	      for cmd in $cmds; do
+		IFS="$save_ifs"
+		$show "$cmd"
+		$run eval "$cmd"
+		if test $? != 0 && test "$rmforce" != yes; then
+		  exit_status=1
+		fi
+	      done
+	      IFS="$save_ifs"
+	    fi
+	    # FIXME: should reinstall the best remaining shared library.
+	  fi
+	fi
+	;;
+
+      *.lo)
+	if test "$build_old_libs" = yes; then
+	  oldobj=`$echo "X$name" | $Xsed -e "$lo2o"`
+	  rmfiles="$rmfiles $dir/$oldobj"
+	fi
+	;;
+
+      *)
+	# Do a test to see if this is a libtool program.
+	if test $mode = clean &&
+	   (sed -e '4q' $file | egrep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then
+	  relink_command=
+	  . $dir/$file
+
+	  rmfiles="$rmfiles $objdir/$name $objdir/${name}S.${objext}"
+	  if test "$fast_install" = yes && test -n "$relink_command"; then
+	    rmfiles="$rmfiles $objdir/lt-$name"
+	  fi
+	fi
+	;;
+      esac
+      $show "$rm $rmfiles"
+      $run $rm $rmfiles || exit_status=1
+    done
+
+    # Try to remove the ${objdir}s in the directories where we deleted files
+    for dir in $rmdirs; do
+      if test -d "$dir"; then
+	$show "rmdir $dir"
+	$run rmdir $dir >/dev/null 2>&1
+      fi
+    done
+
+    exit $exit_status
+    ;;
+
+  "")
+    $echo "$modename: you must specify a MODE" 1>&2
+    $echo "$generic_help" 1>&2
+    exit 1
+    ;;
+  esac
+
+  $echo "$modename: invalid operation mode \`$mode'" 1>&2
+  $echo "$generic_help" 1>&2
+  exit 1
+fi # test -z "$show_help"
+
+# We need to display help for each of the modes.
+case $mode in
+"") $echo \
+"Usage: $modename [OPTION]... [MODE-ARG]...
+
+Provide generalized library-building support services.
+
+    --config          show all configuration variables
+    --debug           enable verbose shell tracing
+-n, --dry-run         display commands without modifying any files
+    --features        display basic configuration information and exit
+    --finish          same as \`--mode=finish'
+    --help            display this help message and exit
+    --mode=MODE       use operation mode MODE [default=inferred from MODE-ARGS]
+    --quiet           same as \`--silent'
+    --silent          don't print informational messages
+    --version         print version information
+
+MODE must be one of the following:
+
+      clean           remove files from the build directory
+      compile         compile a source file into a libtool object
+      execute         automatically set library path, then run a program
+      finish          complete the installation of libtool libraries
+      install         install libraries or executables
+      link            create a library or an executable
+      uninstall       remove libraries from an installed directory
+
+MODE-ARGS vary depending on the MODE.  Try \`$modename --help --mode=MODE' for
+a more detailed description of MODE."
+  exit 0
+  ;;
+
+clean)
+  $echo \
+"Usage: $modename [OPTION]... --mode=clean RM [RM-OPTION]... FILE...
+
+Remove files from the build directory.
+
+RM is the name of the program to use to delete files associated with each FILE
+(typically \`/bin/rm').  RM-OPTIONS are options (such as \`-f') to be passed
+to RM.
+
+If FILE is a libtool library, object or program, all the files associated
+with it are deleted. Otherwise, only FILE itself is deleted using RM."
+  ;;
+
+compile)
+  $echo \
+"Usage: $modename [OPTION]... --mode=compile COMPILE-COMMAND... SOURCEFILE
+
+Compile a source file into a libtool library object.
+
+This mode accepts the following additional options:
+
+  -o OUTPUT-FILE    set the output file name to OUTPUT-FILE
+  -prefer-pic       try to building PIC objects only
+  -prefer-non-pic   try to building non-PIC objects only
+  -static           always build a \`.o' file suitable for static linking
+
+COMPILE-COMMAND is a command to be used in creating a \`standard' object file
+from the given SOURCEFILE.
+
+The output file name is determined by removing the directory component from
+SOURCEFILE, then substituting the C source code suffix \`.c' with the
+library object suffix, \`.lo'."
+  ;;
+
+execute)
+  $echo \
+"Usage: $modename [OPTION]... --mode=execute COMMAND [ARGS]...
+
+Automatically set library path, then run a program.
+
+This mode accepts the following additional options:
+
+  -dlopen FILE      add the directory containing FILE to the library path
+
+This mode sets the library path environment variable according to \`-dlopen'
+flags.
+
+If any of the ARGS are libtool executable wrappers, then they are translated
+into their corresponding uninstalled binary, and any of their required library
+directories are added to the library path.
+
+Then, COMMAND is executed, with ARGS as arguments."
+  ;;
+
+finish)
+  $echo \
+"Usage: $modename [OPTION]... --mode=finish [LIBDIR]...
+
+Complete the installation of libtool libraries.
+
+Each LIBDIR is a directory that contains libtool libraries.
+
+The commands that this mode executes may require superuser privileges.  Use
+the \`--dry-run' option if you just want to see what would be executed."
+  ;;
+
+install)
+  $echo \
+"Usage: $modename [OPTION]... --mode=install INSTALL-COMMAND...
+
+Install executables or libraries.
+
+INSTALL-COMMAND is the installation command.  The first component should be
+either the \`install' or \`cp' program.
+
+The rest of the components are interpreted as arguments to that command (only
+BSD-compatible install options are recognized)."
+  ;;
+
+link)
+  $echo \
+"Usage: $modename [OPTION]... --mode=link LINK-COMMAND...
+
+Link object files or libraries together to form another library, or to
+create an executable program.
+
+LINK-COMMAND is a command using the C compiler that you would use to create
+a program from several object files.
+
+The following components of LINK-COMMAND are treated specially:
+
+  -all-static       do not do any dynamic linking at all
+  -avoid-version    do not add a version suffix if possible
+  -dlopen FILE      \`-dlpreopen' FILE if it cannot be dlopened at runtime
+  -dlpreopen FILE   link in FILE and add its symbols to lt_preloaded_symbols
+  -export-dynamic   allow symbols from OUTPUT-FILE to be resolved with dlsym(3)
+  -export-symbols SYMFILE
+		    try to export only the symbols listed in SYMFILE
+  -export-symbols-regex REGEX
+		    try to export only the symbols matching REGEX
+  -LLIBDIR          search LIBDIR for required installed libraries
+  -lNAME            OUTPUT-FILE requires the installed library libNAME
+  -module           build a library that can dlopened
+  -no-fast-install  disable the fast-install mode
+  -no-install       link a not-installable executable
+  -no-undefined     declare that a library does not refer to external symbols
+  -o OUTPUT-FILE    create OUTPUT-FILE from the specified objects
+  -release RELEASE  specify package release information
+  -rpath LIBDIR     the created library will eventually be installed in LIBDIR
+  -R[ ]LIBDIR       add LIBDIR to the runtime path of programs and libraries
+  -static           do not do any dynamic linking of libtool libraries
+  -version-info CURRENT[:REVISION[:AGE]]
+		    specify library version info [each variable defaults to 0]
+
+All other options (arguments beginning with \`-') are ignored.
+
+Every other argument is treated as a filename.  Files ending in \`.la' are
+treated as uninstalled libtool libraries, other files are standard or library
+object files.
+
+If the OUTPUT-FILE ends in \`.la', then a libtool library is created,
+only library objects (\`.lo' files) may be specified, and \`-rpath' is
+required, except when creating a convenience library.
+
+If OUTPUT-FILE ends in \`.a' or \`.lib', then a standard library is created
+using \`ar' and \`ranlib', or on Windows using \`lib'.
+
+If OUTPUT-FILE ends in \`.lo' or \`.${objext}', then a reloadable object file
+is created, otherwise an executable program is created."
+  ;;
+
+uninstall)
+  $echo \
+"Usage: $modename [OPTION]... --mode=uninstall RM [RM-OPTION]... FILE...
+
+Remove libraries from an installation directory.
+
+RM is the name of the program to use to delete files associated with each FILE
+(typically \`/bin/rm').  RM-OPTIONS are options (such as \`-f') to be passed
+to RM.
+
+If FILE is a libtool library, all the files associated with it are deleted.
+Otherwise, only FILE itself is deleted using RM."
+  ;;
+
+*)
+  $echo "$modename: invalid operation mode \`$mode'" 1>&2
+  $echo "$help" 1>&2
+  exit 1
+  ;;
+esac
+
+echo
+$echo "Try \`$modename --help' for more information about other modes."
+
+exit 0
+
+# Local Variables:
+# mode:shell-script
+# sh-indentation:2
+# End:
diff --git a/lib/bind/make/includes.in b/lib/bind/make/includes.in
index b8265d56..f0802028 100644
--- a/lib/bind/make/includes.in
+++ b/lib/bind/make/includes.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: includes.in,v 1.1.2.1 2004/03/15 04:44:47 marka Exp $
+# $Id: includes.in,v 1.1.206.1 2004/03/15 01:02:44 marka Exp $
 
 # Search for machine-generated header files in the build tree,
 # and for normal headers in the source tree (${top_srcdir}).
diff --git a/lib/bind/make/rules.in b/lib/bind/make/rules.in
index 12e94599..15edddbb 100644
--- a/lib/bind/make/rules.in
+++ b/lib/bind/make/rules.in
@@ -1,5 +1,5 @@
-# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001-2003  Internet Software Consortium.
+# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: rules.in,v 1.3.2.9 2007/01/18 00:06:02 marka Exp $
+# $Id: rules.in,v 1.3.2.3.4.3 2004/03/15 01:02:44 marka Exp $
 
 ###
 ### Common Makefile rules for BIND 9.
@@ -69,7 +69,7 @@ subdirs:
 		if [ "$$i" != "nulldir" -a -d $$i ]; then \
 			echo "making all in `pwd`/$$i"; \
 			(cd $$i; ${MAKE} ${MAKEDEFS} all) || exit 1; \
-		fi; \
+		fi \
 	done
 
 install clean distclean docclean manclean::
diff --git a/lib/bind/mkinstalldirs b/lib/bind/mkinstalldirs
index 74a611ae..74a611ae 100755..100644
--- a/lib/bind/mkinstalldirs
+++ b/lib/bind/mkinstalldirs
diff --git a/lib/bind/nameser/Makefile.in b/lib/bind/nameser/Makefile.in
index 925a3c3c..aa4bc6cf 100644
--- a/lib/bind/nameser/Makefile.in
+++ b/lib/bind/nameser/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.4.2.1 2004/03/15 04:44:47 marka Exp $
+# $Id: Makefile.in,v 1.4.206.1 2004/03/15 01:02:45 marka Exp $
 
 srcdir=		@srcdir@
 VPATH =         @srcdir@
diff --git a/lib/bind/nameser/ns_date.c b/lib/bind/nameser/ns_date.c
index 9ecf5ac4..d6b347a9 100644
--- a/lib/bind/nameser/ns_date.c
+++ b/lib/bind/nameser/ns_date.c
@@ -16,7 +16,7 @@
  */
 
 #ifndef lint
-static const char rcsid[] = "$Id: ns_date.c,v 1.3.2.2 2004/03/16 12:35:32 marka Exp $";
+static const char rcsid[] = "$Id: ns_date.c,v 1.3.206.2 2004/03/16 12:34:16 marka Exp $";
 #endif
 
 /* Import. */
diff --git a/lib/bind/nameser/ns_name.c b/lib/bind/nameser/ns_name.c
index 27b031bd..c26cebca 100644
--- a/lib/bind/nameser/ns_name.c
+++ b/lib/bind/nameser/ns_name.c
@@ -16,7 +16,7 @@
  */
 
 #ifndef lint
-static const char rcsid[] = "$Id: ns_name.c,v 1.3.2.6 2004/05/04 03:26:16 marka Exp $";
+static const char rcsid[] = "$Id: ns_name.c,v 1.3.2.4.4.1 2004/03/09 08:33:44 marka Exp $";
 #endif
 
 #include "port_before.h"
@@ -75,11 +75,9 @@ static int		dn_find(const u_char *, const u_char *,
 				const u_char * const *,
 				const u_char * const *);
 static int		encode_bitsring(const char **, const char *,
-					unsigned char **, unsigned char **,
-					unsigned const char *);
+					char **, char **, const char *);
 static int		labellen(const u_char *);
-static int		decode_bitstring(const unsigned char **,
-					 char *, const char *);
+static int		decode_bitstring(const char **, char *, const char *);
 
 /* Public. */
 
@@ -134,7 +132,7 @@ ns_name_ntop(const u_char *src, char *dst, size_t dstsiz)
 				errno = EINVAL;
 				return(-1);
 			}
-			if ((m = decode_bitstring(&cp, dn, eom)) < 0)
+			if ((m = decode_bitstring((const char **)&cp, dn, eom)) < 0)
 			{
 				errno = EMSGSIZE;
 				return(-1);
@@ -214,8 +212,11 @@ ns_name_pton(const char *src, u_char *dst, size_t dstsiz)
 					errno = EINVAL; /* ??? */
 					return(-1);
 				}
-				if ((e = encode_bitsring(&src, cp + 2,
-							 &label, &bp, eom))
+				if ((e = encode_bitsring(&src,
+							 cp + 2,
+							 (char **)&label,
+							 (char **)&bp,
+							 (const char *)eom))
 				    != 0) {
 					errno = e;
 					return(-1);
@@ -787,9 +788,9 @@ dn_find(const u_char *domain, const u_char *msg,
 }
 
 static int
-decode_bitstring(const unsigned char **cpp, char *dn, const char *eom)
+decode_bitstring(const char **cpp, char *dn, const char *eom)
 {
-	const unsigned char *cp = *cpp;
+	const char *cp = *cpp;
 	char *beg = dn, tc;
 	int b, blen, plen, i;
 
@@ -835,13 +836,12 @@ decode_bitstring(const unsigned char **cpp, char *dn, const char *eom)
 }
 
 static int
-encode_bitsring(const char **bp, const char *end, unsigned char **labelp,
-	        unsigned char ** dst, unsigned const char *eom)
+encode_bitsring(const char **bp, const char *end, char **labelp,
+	        char ** dst, const char *eom)
 {
 	int afterslash = 0;
 	const char *cp = *bp;
-	unsigned char *tp;
-	char c;
+	char *tp, c;
 	const char *beg_blen;
 	char *end_blen = NULL;
 	int value = 0, count = 0, tbcount = 0, blen = 0;
diff --git a/lib/bind/nameser/ns_netint.c b/lib/bind/nameser/ns_netint.c
index 9441f42f..15fc93e4 100644
--- a/lib/bind/nameser/ns_netint.c
+++ b/lib/bind/nameser/ns_netint.c
@@ -16,7 +16,7 @@
  */
 
 #ifndef lint
-static const char rcsid[] = "$Id: ns_netint.c,v 1.1.2.1 2004/03/09 09:17:37 marka Exp $";
+static const char rcsid[] = "$Id: ns_netint.c,v 1.1.206.1 2004/03/09 08:33:44 marka Exp $";
 #endif
 
 /* Import. */
diff --git a/lib/bind/nameser/ns_parse.c b/lib/bind/nameser/ns_parse.c
index 5f62a04b..34ebd3de 100644
--- a/lib/bind/nameser/ns_parse.c
+++ b/lib/bind/nameser/ns_parse.c
@@ -16,7 +16,7 @@
  */
 
 #ifndef lint
-static const char rcsid[] = "$Id: ns_parse.c,v 1.3.2.4 2005/10/11 00:56:05 marka Exp $";
+static const char rcsid[] = "$Id: ns_parse.c,v 1.3.2.1.4.1 2004/03/09 08:33:44 marka Exp $";
 #endif
 
 /* Import. */
@@ -40,12 +40,7 @@ static void	setsection(ns_msg *msg, ns_sect sect);
 
 /* Macros. */
 
-#ifndef SOLARIS2
 #define RETERR(err) do { errno = (err); return (-1); } while (0)
-#else
-#define RETERR(err) \
-	do { errno = (err); if (errno == errno) return (-1); } while (0)
-#endif
 
 /* Public. */
 
@@ -140,8 +135,7 @@ ns_parserr(ns_msg *handle, ns_sect section, int rrnum, ns_rr *rr) {
 	int tmp;
 
 	/* Make section right. */
-	tmp = section;
-	if (tmp < 0 || section >= ns_s_max)
+	if ((tmp = section) < 0 || section >= ns_s_max)
 		RETERR(ENODEV);
 	if (section != handle->_sect)
 		setsection(handle, section);
diff --git a/lib/bind/nameser/ns_print.c b/lib/bind/nameser/ns_print.c
index ceadc528..2a7c9186 100644
--- a/lib/bind/nameser/ns_print.c
+++ b/lib/bind/nameser/ns_print.c
@@ -16,7 +16,7 @@
  */
 
 #ifndef lint
-static const char rcsid[] = "$Id: ns_print.c,v 1.3.2.8 2004/09/16 07:01:53 marka Exp $";
+static const char rcsid[] = "$Id: ns_print.c,v 1.3.2.1.4.4 2004/03/17 01:13:36 marka Exp $";
 #endif
 
 /* Import. */
@@ -145,6 +145,8 @@ ns_sprintrrf(const u_char *msg, size_t msglen,
 	addlen(x, &buf, &buflen);
 	len = SPRINTF((tmp, " %s %s", p_class(class), p_type(type)));
 	T(addstr(tmp, len, &buf, &buflen));
+	if (rdlen == 0U)
+		return (buf - obuf);
 	T(spaced = addtab(x + len, 16, spaced, &buf, &buflen));
 
 	/*
@@ -705,8 +707,7 @@ ns_sprintrrf(const u_char *msg, size_t msglen,
 	int n, m;
 	char *p;
 
-	len = SPRINTF((tmp, "\\# %u%s\t; %s", (unsigned)(edata - rdata),
-		       rdlen != 0U ? " (" : "", comment));
+	len = SPRINTF((tmp, "\\# %u (\t; %s", edata - rdata, comment));
 	T(addstr(tmp, len, &buf, &buflen));
 	while (rdata < edata) {
 		p = tmp;
diff --git a/lib/bind/nameser/ns_samedomain.c b/lib/bind/nameser/ns_samedomain.c
index fc4b9d97..d4ca550a 100644
--- a/lib/bind/nameser/ns_samedomain.c
+++ b/lib/bind/nameser/ns_samedomain.c
@@ -16,7 +16,7 @@
  */
 
 #ifndef lint
-static const char rcsid[] = "$Id: ns_samedomain.c,v 1.1.2.4 2004/03/16 12:35:33 marka Exp $";
+static const char rcsid[] = "$Id: ns_samedomain.c,v 1.1.2.2.4.2 2004/03/16 12:34:17 marka Exp $";
 #endif
 
 #include "port_before.h"
diff --git a/lib/bind/nameser/ns_sign.c b/lib/bind/nameser/ns_sign.c
index b1f77fc3..56248a59 100644
--- a/lib/bind/nameser/ns_sign.c
+++ b/lib/bind/nameser/ns_sign.c
@@ -16,7 +16,7 @@
  */
 
 #ifndef lint
-static const char rcsid[] = "$Id: ns_sign.c,v 1.1.2.4 2006/03/10 00:18:22 marka Exp $";
+static const char rcsid[] = "$Id: ns_sign.c,v 1.1.2.2.4.1 2004/03/09 08:33:45 marka Exp $";
 #endif
 
 /* Import. */
@@ -89,7 +89,7 @@ ns_sign2(u_char *msg, int *msglen, int msgsize, int error, void *k,
 {
 	HEADER *hp = (HEADER *)msg;
 	DST_KEY *key = (DST_KEY *)k;
-	u_char *cp, *eob;
+	u_char *cp = msg + *msglen, *eob = msg + msgsize;
 	u_char *lenp;
 	u_char *alg;
 	int n;
@@ -100,9 +100,6 @@ ns_sign2(u_char *msg, int *msglen, int msgsize, int error, void *k,
 	if (msg == NULL || msglen == NULL || sig == NULL || siglen == NULL)
 		return (-1);
 
-	cp = msg + *msglen;
-	eob = msg + msgsize;
-
 	/* Name. */
 	if (key != NULL && error != ns_r_badsig && error != ns_r_badkey) {
 		n = ns_name_pton(key->dk_key_name, name, sizeof name);
diff --git a/lib/bind/nameser/ns_ttl.c b/lib/bind/nameser/ns_ttl.c
index 7c2812aa..368b05a3 100644
--- a/lib/bind/nameser/ns_ttl.c
+++ b/lib/bind/nameser/ns_ttl.c
@@ -16,7 +16,7 @@
  */
 
 #ifndef lint
-static const char rcsid[] = "$Id: ns_ttl.c,v 1.1.2.2 2005/07/28 07:48:20 marka Exp $";
+static const char rcsid[] = "$Id: ns_ttl.c,v 1.1.206.1 2004/03/09 08:33:45 marka Exp $";
 #endif
 
 /* Import. */
@@ -133,8 +133,7 @@ ns_parse_ttl(const char *src, u_long *dst) {
 			goto einval;
 		else
 			ttl += tmp;
-	} else if (!dirty)
-		goto einval;
+	}
 	*dst = ttl;
 	return (0);
 
diff --git a/lib/bind/nameser/ns_verify.c b/lib/bind/nameser/ns_verify.c
index 964edd89..7ee00a61 100644
--- a/lib/bind/nameser/ns_verify.c
+++ b/lib/bind/nameser/ns_verify.c
@@ -16,7 +16,7 @@
  */
 
 #ifndef lint
-static const char rcsid[] = "$Id: ns_verify.c,v 1.1.2.3 2006/03/10 00:18:22 marka Exp $";
+static const char rcsid[] = "$Id: ns_verify.c,v 1.1.206.1 2004/03/09 08:33:45 marka Exp $";
 #endif
 
 /* Import. */
@@ -144,7 +144,7 @@ ns_verify(u_char *msg, int *msglen, void *k,
 	int n;
 	int error;
 	u_int16_t type, length;
-	u_int16_t fudge, sigfieldlen, otherfieldlen;
+	u_int16_t fudge, sigfieldlen, id, otherfieldlen;
 
 	dst_init();
 	if (msg == NULL || msglen == NULL || *msglen < 0)
@@ -198,9 +198,9 @@ ns_verify(u_char *msg, int *msglen, void *k,
 	sigstart = cp;
 	cp += sigfieldlen;
 
-	/* Skip id and read error. */
+	/* Read the original id and error. */
 	BOUNDS_CHECK(cp, 2*INT16SZ);
-	cp += INT16SZ;
+	GETSHORT(id, cp);
 	GETSHORT(error, cp);
 
 	/* Parse the other data. */
@@ -341,19 +341,17 @@ ns_verify_tcp(u_char *msg, int *msglen, ns_tcp_tsig_state *state,
 	      int required)
 {
 	HEADER *hp = (HEADER *)msg;
-	u_char *recstart, *sigstart;
+	u_char *recstart, *rdatastart, *sigstart;
 	unsigned int sigfieldlen, otherfieldlen;
-	u_char *cp, *eom, *cp2;
+	u_char *cp, *eom = msg + *msglen, *cp2;
 	char name[MAXDNAME], alg[MAXDNAME];
 	u_char buf[MAXDNAME];
-	int n, type, length, fudge, error;
+	int n, type, length, fudge, id, error;
 	time_t timesigned;
 
 	if (msg == NULL || msglen == NULL || state == NULL)
 		return (-1);
 
-	eom = msg + *msglen;
-
 	state->counter++;
 	if (state->counter == 0)
 		return (ns_verify(msg, msglen, state->key,
@@ -405,6 +403,7 @@ ns_verify_tcp(u_char *msg, int *msglen, ns_tcp_tsig_state *state,
 		return (NS_TSIG_ERROR_FORMERR);
 
 	/* Read the algorithm name. */
+	rdatastart = cp;
 	n = dn_expand(msg, eom, cp, alg, MAXDNAME);
 	if (n < 0)
 		return (NS_TSIG_ERROR_FORMERR);
@@ -430,9 +429,9 @@ ns_verify_tcp(u_char *msg, int *msglen, ns_tcp_tsig_state *state,
 	sigstart = cp;
 	cp += sigfieldlen;
 
-	/* Skip id and read error. */
+	/* Read the original id and error. */
 	BOUNDS_CHECK(cp, 2*INT16SZ);
-	cp += INT16SZ;
+	GETSHORT(id, cp);
 	GETSHORT(error, cp);
 
 	/* Parse the other data. */
diff --git a/lib/bind/port/aix32/include/Makefile.in b/lib/bind/port/aix32/include/Makefile.in
index 18f7ab7c..c4f95986 100644
--- a/lib/bind/port/aix32/include/Makefile.in
+++ b/lib/bind/port/aix32/include/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.1.2.1 2004/03/15 04:44:48 marka Exp $
+# $Id: Makefile.in,v 1.1.206.1 2004/03/15 01:02:45 marka Exp $
 
 srcdir =        @srcdir@
 VPATH =         @srcdir@
diff --git a/lib/bind/port/aix32/include/sys/cdefs.h b/lib/bind/port/aix32/include/sys/cdefs.h
index be524ed4..0c7c9906 100644
--- a/lib/bind/port/aix32/include/sys/cdefs.h
+++ b/lib/bind/port/aix32/include/sys/cdefs.h
@@ -55,7 +55,7 @@
 
 /*
  *	@(#)cdefs.h	8.1 (Berkeley) 6/2/93
- *	$Id: cdefs.h,v 1.1.2.1 2004/07/19 05:54:33 marka Exp $
+ *	$Id: cdefs.h,v 1.1 2001/04/11 01:30:12 marka Exp $
  */
 
 #ifndef	_CDEFS_H_
@@ -127,7 +127,7 @@
  * these work for GNU C++ (modulo a slight glitch in the C++ grammar
  * in the distribution version of 2.5.5).
  */
-#if !defined(__GNUC__) || __GNUC__ < 2 || (__GNUC__ == 2 && __GNUC_MINOR__ < 5)
+#if !defined(__GNUC__) || __GNUC__ < 2 || __GNUC_MINOR__ < 5
 #define	__attribute__(x)	/* delete __attribute__ if non-gcc or gcc1 */
 #if defined(__GNUC__) && !defined(__STRICT_ANSI__)
 #define	__dead		__volatile
diff --git a/lib/bind/port/aix4/include/Makefile.in b/lib/bind/port/aix4/include/Makefile.in
index 18f7ab7c..c4f95986 100644
--- a/lib/bind/port/aix4/include/Makefile.in
+++ b/lib/bind/port/aix4/include/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.1.2.1 2004/03/15 04:44:48 marka Exp $
+# $Id: Makefile.in,v 1.1.206.1 2004/03/15 01:02:45 marka Exp $
 
 srcdir =        @srcdir@
 VPATH =         @srcdir@
diff --git a/lib/bind/port/aix4/include/sys/cdefs.h b/lib/bind/port/aix4/include/sys/cdefs.h
index 87d79ac2..61fe4dcd 100644
--- a/lib/bind/port/aix4/include/sys/cdefs.h
+++ b/lib/bind/port/aix4/include/sys/cdefs.h
@@ -55,7 +55,7 @@
 
 /*
  *	@(#)cdefs.h	8.1 (Berkeley) 6/2/93
- *	$Id: cdefs.h,v 1.1.2.1 2004/07/19 05:54:33 marka Exp $
+ *	$Id: cdefs.h,v 1.1 2001/05/10 04:23:15 marka Exp $
  */
 
 #ifndef	_CDEFS_H_
@@ -130,7 +130,7 @@
  * these work for GNU C++ (modulo a slight glitch in the C++ grammar
  * in the distribution version of 2.5.5).
  */
-#if !defined(__GNUC__) || __GNUC__ < 2 || (__GNUC__ == 2 && __GNUC_MINOR__ < 5)
+#if !defined(__GNUC__) || __GNUC__ < 2 || __GNUC_MINOR__ < 5
 #define	__attribute__(x)	/* delete __attribute__ if non-gcc or gcc1 */
 #if defined(__GNUC__) && !defined(__STRICT_ANSI__)
 #define	__dead		__volatile
diff --git a/lib/bind/port/aix5/include/sys/bitypes.h b/lib/bind/port/aix5/include/sys/bitypes.h
deleted file mode 100644
index f16608cb..00000000
--- a/lib/bind/port/aix5/include/sys/bitypes.h
+++ /dev/null
@@ -1,37 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996,1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if !defined(__BIT_TYPES_DEFINED__) && !defined(_H_INTTYPES)
-#define __BIT_TYPES_DEFINED__
-
-	/*
-	 * Basic integral types.  Omit the typedef if
-	 * not possible for a machine/compiler combination.
-	 */
-	typedef /*signed*/ char            int8_t;
-	typedef unsigned char            u_int8_t;
-	typedef short                     int16_t;
-	typedef unsigned short          u_int16_t;
-	typedef int                       int32_t;
-	typedef unsigned int            u_int32_t;
-
-# if 0	/* don't fight with these unless you need them */
-	typedef long long                 int64_t;
-	typedef unsigned long long      u_int64_t;
-# endif
-
-#endif	/* __BIT_TYPES_DEFINED__ */
diff --git a/lib/bind/port/aix5/include/sys/cdefs.h b/lib/bind/port/aix5/include/sys/cdefs.h
deleted file mode 100644
index 69cbb61d..00000000
--- a/lib/bind/port/aix5/include/sys/cdefs.h
+++ /dev/null
@@ -1,159 +0,0 @@
-/*
- * ++Copyright++ 1991, 1993
- * -
- * Copyright (c) 1991, 1993
- *    The Regents of the University of California.  All rights reserved.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- * 	This product includes software developed by the University of
- * 	California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- * 
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * -
- * Portions Copyright (c) 1993 by Digital Equipment Corporation.
- * 
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies, and that
- * the name of Digital Equipment Corporation not be used in advertising or
- * publicity pertaining to distribution of the document or software without
- * specific, written prior permission.
- * 
- * THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS.   IN NO EVENT SHALL DIGITAL EQUIPMENT
- * CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
- * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
- * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
- * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
- * SOFTWARE.
- * -
- * --Copyright--
- */
-
-/*
- *	@(#)cdefs.h	8.1 (Berkeley) 6/2/93
- *	$Id: cdefs.h,v 1.1.6.3 2006/12/07 04:00:29 marka Exp $
- */
-
-#ifndef	_CDEFS_H_
-#define	_CDEFS_H_
-
-#if defined(__cplusplus)
-#define	__BEGIN_DECLS	extern "C" {
-#define	__END_DECLS	};
-#else
-#define	__BEGIN_DECLS
-#define	__END_DECLS
-#endif
-
-/*
- * The __CONCAT macro is used to concatenate parts of symbol names, e.g.
- * with "#define OLD(foo) __CONCAT(old,foo)", OLD(foo) produces oldfoo.
- * The __CONCAT macro is a bit tricky -- make sure you don't put spaces
- * in between its arguments.  __CONCAT can also concatenate double-quoted
- * strings produced by the __STRING macro, but this only works with ANSI C.
- */
-#ifdef __P
-#undef __P	/* /usr/include/net/radix.h may have defined it */
-#endif
-#if defined(__STDC__) || defined(__cplusplus)
-#define	__P(protos)	protos		/* full-blown ANSI C */
-#define	__CONCAT(x,y)	x ## y
-#define	__STRING(x)	#x
-
-#define	__const		const		/* define reserved names to standard */
-#define	__signed	signed
-#define	__volatile	volatile
-#if defined(__cplusplus)
-#define	__inline	inline		/* convert to C++ keyword */
-#else
-#ifndef __GNUC__
-#define	__inline			/* delete GCC keyword */
-#endif /* !__GNUC__ */
-#endif /* !__cplusplus */
-
-#else	/* !(__STDC__ || __cplusplus) */
-#ifdef _NO_PROTO
-#define	__P(protos)	()		/* traditional C preprocessor */
-#else
-#define	__P(protos)	protos
-#endif
-#define	__CONCAT(x,y)	x/**/y
-#define	__STRING(x)	"x"
-
-#ifndef __GNUC__
-#ifndef __const
-#define	__const				/* delete pseudo-ANSI C keywords */
-#endif
-#ifndef __inline
-#define	__inline
-#endif
-#ifndef __signed
-#define	__signed
-#endif
-#ifndef __volatile
-#define	__volatile
-#endif
-/*
- * In non-ANSI C environments, new programs will want ANSI-only C keywords
- * deleted from the program and old programs will want them left alone.
- * When using a compiler other than gcc, programs using the ANSI C keywords
- * const, inline etc. as normal identifiers should define -DNO_ANSI_KEYWORDS.
- * When using "gcc -traditional", we assume that this is the intent; if
- * __GNUC__ is defined but __STDC__ is not, we leave the new keywords alone.
- */
-#ifndef	NO_ANSI_KEYWORDS
-#define	const				/* delete ANSI C keywords */
-#define	inline
-#define	signed
-#define	volatile
-#endif
-#endif	/* !__GNUC__ */
-#endif	/* !(__STDC__ || __cplusplus) */
-
-/*
- * GCC1 and some versions of GCC2 declare dead (non-returning) and
- * pure (no side effects) functions using "volatile" and "const";
- * unfortunately, these then cause warnings under "-ansi -pedantic".
- * GCC2 uses a new, peculiar __attribute__((attrs)) style.  All of
- * these work for GNU C++ (modulo a slight glitch in the C++ grammar
- * in the distribution version of 2.5.5).
- */
-#if !defined(__GNUC__) || __GNUC__ < 2 || (__GNUC__ == 2 && __GNUC_MINOR__ < 5)
-#define	__attribute__(x)	/* delete __attribute__ if non-gcc or gcc1 */
-#if defined(__GNUC__) && !defined(__STRICT_ANSI__)
-#define	__dead		__volatile
-#define	__pure		__const
-#endif
-#endif
-
-/* Delete pseudo-keywords wherever they are not available or needed. */
-#ifndef __dead
-#define	__dead
-#define	__pure
-#endif
-
-#endif /* !_CDEFS_H_ */
diff --git a/lib/bind/port/aux3/include/Makefile.in b/lib/bind/port/aux3/include/Makefile.in
index 6f87ab84..0474573a 100644
--- a/lib/bind/port/aux3/include/Makefile.in
+++ b/lib/bind/port/aux3/include/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.1.2.1 2004/03/15 04:44:49 marka Exp $
+# $Id: Makefile.in,v 1.1.206.1 2004/03/15 01:02:45 marka Exp $
 
 srcdir =        @srcdir@
 VPATH =         @srcdir@
diff --git a/lib/bind/port/aux3/include/sys/cdefs.h b/lib/bind/port/aux3/include/sys/cdefs.h
index 7c9d2412..965883ce 100644
--- a/lib/bind/port/aux3/include/sys/cdefs.h
+++ b/lib/bind/port/aux3/include/sys/cdefs.h
@@ -114,7 +114,7 @@
  * these work for GNU C++ (modulo a slight glitch in the C++ grammar
  * in the distribution version of 2.5.5).
  */
-#if !defined(__GNUC__) || __GNUC__ < 2 || (__GNUC__ == 2 && __GNUC_MINOR__ < 5)
+#if !defined(__GNUC__) || __GNUC__ < 2 || __GNUC_MINOR__ < 5
 #define	__attribute__(x)	/* delete __attribute__ if non-gcc or gcc1 */
 #if defined(__GNUC__) && !defined(__STRICT_ANSI__)
 #define	__dead		__volatile
diff --git a/lib/bind/port/bsdos/include/Makefile.in b/lib/bind/port/bsdos/include/Makefile.in
index 90f13b7e..543272a7 100644
--- a/lib/bind/port/bsdos/include/Makefile.in
+++ b/lib/bind/port/bsdos/include/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.1.2.1 2004/03/15 04:44:49 marka Exp $
+# $Id: Makefile.in,v 1.1.206.1 2004/03/15 01:02:46 marka Exp $
 
 srcdir =        @srcdir@
 VPATH =         @srcdir@
diff --git a/lib/bind/port/bsdos2/include/Makefile.in b/lib/bind/port/bsdos2/include/Makefile.in
index 90f13b7e..543272a7 100644
--- a/lib/bind/port/bsdos2/include/Makefile.in
+++ b/lib/bind/port/bsdos2/include/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.1.2.1 2004/03/15 04:44:49 marka Exp $
+# $Id: Makefile.in,v 1.1.206.1 2004/03/15 01:02:46 marka Exp $
 
 srcdir =        @srcdir@
 VPATH =         @srcdir@
diff --git a/lib/bind/port/cygwin/Makefile.in b/lib/bind/port/cygwin/Makefile.in
index 3131f26a..bf8977ab 100644
--- a/lib/bind/port/cygwin/Makefile.in
+++ b/lib/bind/port/cygwin/Makefile.in
@@ -1,4 +1,5 @@
 # Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
diff --git a/lib/bind/port/cygwin/include/Makefile.in b/lib/bind/port/cygwin/include/Makefile.in
index ac5114bf..e8f54c20 100644
--- a/lib/bind/port/cygwin/include/Makefile.in
+++ b/lib/bind/port/cygwin/include/Makefile.in
@@ -1,4 +1,5 @@
 # Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -12,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2.2.2 2004/03/15 04:44:50 marka Exp $
+# $Id: Makefile.in,v 1.1.150.3 2004/03/08 09:04:26 marka Exp $
 
 srcdir =        @srcdir@
 VPATH =         @srcdir@
diff --git a/lib/bind/port/cygwin/include/sys/cdefs.h b/lib/bind/port/cygwin/include/sys/cdefs.h
index a3040e7e..e33d90d0 100644
--- a/lib/bind/port/cygwin/include/sys/cdefs.h
+++ b/lib/bind/port/cygwin/include/sys/cdefs.h
@@ -55,7 +55,7 @@
 
 /*
  *	@(#)cdefs.h	8.1 (Berkeley) 6/2/93
- *	$Id: cdefs.h,v 1.1.242.2 2004/07/19 05:54:34 marka Exp $
+ *	$Id: cdefs.h,v 1.1.150.1 2003/10/21 05:21:08 marka Exp $
  */
 
 #ifndef	_CDEFS_H_
@@ -127,7 +127,7 @@
  * these work for GNU C++ (modulo a slight glitch in the C++ grammar
  * in the distribution version of 2.5.5).
  */
-#if !defined(__GNUC__) || __GNUC__ < 2 || (__GNUC__ == 2 && __GNUC_MINOR__ < 5)
+#if !defined(__GNUC__) || __GNUC__ < 2 || __GNUC_MINOR__ < 5
 #define	__attribute__(x)	/* delete __attribute__ if non-gcc or gcc1 */
 #if defined(__GNUC__) && !defined(__STRICT_ANSI__)
 #define	__dead		__volatile
diff --git a/lib/bind/port/cygwin/include/sys/un.h b/lib/bind/port/cygwin/include/sys/un.h
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/lib/bind/port/cygwin/include/sys/un.h
diff --git a/lib/bind/port/darwin/include/Makefile.in b/lib/bind/port/darwin/include/Makefile.in
index a60e6c7a..543272a7 100644
--- a/lib/bind/port/darwin/include/Makefile.in
+++ b/lib/bind/port/darwin/include/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.1.2.1 2004/03/15 04:44:50 marka Exp $
+# $Id: Makefile.in,v 1.1.206.1 2004/03/15 01:02:46 marka Exp $
 
 srcdir =        @srcdir@
 VPATH =         @srcdir@
diff --git a/lib/bind/port/decunix/include/Makefile.in b/lib/bind/port/decunix/include/Makefile.in
index b036d7dd..19203356 100644
--- a/lib/bind/port/decunix/include/Makefile.in
+++ b/lib/bind/port/decunix/include/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.1.2.1 2004/03/15 04:44:50 marka Exp $
+# $Id: Makefile.in,v 1.1.206.1 2004/03/15 01:02:47 marka Exp $
 
 srcdir =        @srcdir@
 VPATH =         @srcdir@
diff --git a/lib/bind/port/freebsd/include/Makefile.in b/lib/bind/port/freebsd/include/Makefile.in
index adebba91..c18acf29 100644
--- a/lib/bind/port/freebsd/include/Makefile.in
+++ b/lib/bind/port/freebsd/include/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.1.2.1 2004/03/15 04:44:51 marka Exp $
+# $Id: Makefile.in,v 1.1.206.1 2004/03/15 01:02:47 marka Exp $
 
 srcdir =        @srcdir@
 VPATH =         @srcdir@
diff --git a/lib/bind/port/hpux/include/Makefile.in b/lib/bind/port/hpux/include/Makefile.in
index b4431cd1..312979ce 100644
--- a/lib/bind/port/hpux/include/Makefile.in
+++ b/lib/bind/port/hpux/include/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.1.2.1 2004/03/15 04:44:51 marka Exp $
+# $Id: Makefile.in,v 1.1.206.1 2004/03/15 01:02:47 marka Exp $
 
 srcdir =        @srcdir@
 VPATH =         @srcdir@
diff --git a/lib/bind/port/hpux/include/sys/cdefs.h b/lib/bind/port/hpux/include/sys/cdefs.h
index f6630047..aca6f0a2 100644
--- a/lib/bind/port/hpux/include/sys/cdefs.h
+++ b/lib/bind/port/hpux/include/sys/cdefs.h
@@ -55,7 +55,7 @@
 
 /*
  *	@(#)cdefs.h	8.1 (Berkeley) 6/2/93
- *	$Id: cdefs.h,v 1.1.2.1 2004/07/19 05:54:34 marka Exp $
+ *	$Id: cdefs.h,v 1.1 2001/04/09 09:17:16 marka Exp $
  */
 
 #ifndef	_CDEFS_H_
@@ -127,7 +127,7 @@
  * these work for GNU C++ (modulo a slight glitch in the C++ grammar
  * in the distribution version of 2.5.5).
  */
-#if !defined(__GNUC__) || __GNUC__ < 2 || (__GNUC__ == 2 && __GNUC_MINOR__ < 5)
+#if !defined(__GNUC__) || __GNUC__ < 2 || __GNUC_MINOR__ < 5
 #define	__attribute__(x)	/* delete __attribute__ if non-gcc or gcc1 */
 #if defined(__GNUC__) && !defined(__STRICT_ANSI__)
 #define	__dead		__volatile
diff --git a/lib/bind/port/hpux10/include/Makefile.in b/lib/bind/port/hpux10/include/Makefile.in
index fad5be53..894bd6d1 100644
--- a/lib/bind/port/hpux10/include/Makefile.in
+++ b/lib/bind/port/hpux10/include/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.1.2.1 2004/03/15 04:44:51 marka Exp $
+# $Id: Makefile.in,v 1.1.206.1 2004/03/15 01:02:47 marka Exp $
 
 srcdir =        @srcdir@
 VPATH =         @srcdir@
diff --git a/lib/bind/port/hpux10/include/sys/cdefs.h b/lib/bind/port/hpux10/include/sys/cdefs.h
index e5903da4..868f9bfa 100644
--- a/lib/bind/port/hpux10/include/sys/cdefs.h
+++ b/lib/bind/port/hpux10/include/sys/cdefs.h
@@ -55,7 +55,7 @@
 
 /*
  *	@(#)cdefs.h	8.1 (Berkeley) 6/2/93
- *	$Id: cdefs.h,v 1.1.2.1 2004/07/19 05:54:36 marka Exp $
+ *	$Id: cdefs.h,v 1.1 2001/05/17 06:25:49 marka Exp $
  */
 
 #ifndef	_CDEFS_H_
@@ -127,7 +127,7 @@
  * these work for GNU C++ (modulo a slight glitch in the C++ grammar
  * in the distribution version of 2.5.5).
  */
-#if !defined(__GNUC__) || __GNUC__ < 2 || (__GNUC__ == 2 && __GNUC_MINOR__ < 5)
+#if !defined(__GNUC__) || __GNUC__ < 2 || __GNUC_MINOR__ < 5
 #define	__attribute__(x)	/* delete __attribute__ if non-gcc or gcc1 */
 #if defined(__GNUC__) && !defined(__STRICT_ANSI__)
 #define	__dead		__volatile
diff --git a/lib/bind/port/hpux9/include/Makefile.in b/lib/bind/port/hpux9/include/Makefile.in
index 59578bc1..f59f08af 100644
--- a/lib/bind/port/hpux9/include/Makefile.in
+++ b/lib/bind/port/hpux9/include/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.1.2.1 2004/03/15 04:44:52 marka Exp $
+# $Id: Makefile.in,v 1.1.206.1 2004/03/15 01:02:48 marka Exp $
 
 srcdir =        @srcdir@
 VPATH =         @srcdir@
diff --git a/lib/bind/port/hpux9/include/sys/cdefs.h b/lib/bind/port/hpux9/include/sys/cdefs.h
index e5903da4..d298c13c 100644
--- a/lib/bind/port/hpux9/include/sys/cdefs.h
+++ b/lib/bind/port/hpux9/include/sys/cdefs.h
@@ -55,7 +55,7 @@
 
 /*
  *	@(#)cdefs.h	8.1 (Berkeley) 6/2/93
- *	$Id: cdefs.h,v 1.1.2.1 2004/07/19 05:54:36 marka Exp $
+ *	$Id: cdefs.h,v 1.1 2001/05/17 06:25:50 marka Exp $
  */
 
 #ifndef	_CDEFS_H_
@@ -127,7 +127,7 @@
  * these work for GNU C++ (modulo a slight glitch in the C++ grammar
  * in the distribution version of 2.5.5).
  */
-#if !defined(__GNUC__) || __GNUC__ < 2 || (__GNUC__ == 2 && __GNUC_MINOR__ < 5)
+#if !defined(__GNUC__) || __GNUC__ < 2 || __GNUC_MINOR__ < 5
 #define	__attribute__(x)	/* delete __attribute__ if non-gcc or gcc1 */
 #if defined(__GNUC__) && !defined(__STRICT_ANSI__)
 #define	__dead		__volatile
diff --git a/lib/bind/port/irix/include/Makefile.in b/lib/bind/port/irix/include/Makefile.in
index ea65cba2..dde00caa 100644
--- a/lib/bind/port/irix/include/Makefile.in
+++ b/lib/bind/port/irix/include/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.1.2.2 2004/03/15 04:44:52 marka Exp $
+# $Id: Makefile.in,v 1.1.2.1.10.1 2004/03/15 01:02:48 marka Exp $
 
 srcdir =        @srcdir@
 VPATH =         @srcdir@
diff --git a/lib/bind/port/irix/include/sys/cdefs.h b/lib/bind/port/irix/include/sys/cdefs.h
index e5903da4..d298c13c 100644
--- a/lib/bind/port/irix/include/sys/cdefs.h
+++ b/lib/bind/port/irix/include/sys/cdefs.h
@@ -55,7 +55,7 @@
 
 /*
  *	@(#)cdefs.h	8.1 (Berkeley) 6/2/93
- *	$Id: cdefs.h,v 1.1.2.1 2004/07/19 05:54:36 marka Exp $
+ *	$Id: cdefs.h,v 1.1 2001/05/17 06:25:50 marka Exp $
  */
 
 #ifndef	_CDEFS_H_
@@ -127,7 +127,7 @@
  * these work for GNU C++ (modulo a slight glitch in the C++ grammar
  * in the distribution version of 2.5.5).
  */
-#if !defined(__GNUC__) || __GNUC__ < 2 || (__GNUC__ == 2 && __GNUC_MINOR__ < 5)
+#if !defined(__GNUC__) || __GNUC__ < 2 || __GNUC_MINOR__ < 5
 #define	__attribute__(x)	/* delete __attribute__ if non-gcc or gcc1 */
 #if defined(__GNUC__) && !defined(__STRICT_ANSI__)
 #define	__dead		__volatile
diff --git a/lib/bind/port/linux/include/Makefile.in b/lib/bind/port/linux/include/Makefile.in
index 5172285f..600f4115 100644
--- a/lib/bind/port/linux/include/Makefile.in
+++ b/lib/bind/port/linux/include/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2.2.1 2004/03/15 04:44:52 marka Exp $
+# $Id: Makefile.in,v 1.2.206.1 2004/03/15 01:02:48 marka Exp $
 
 srcdir =        @srcdir@
 VPATH =         @srcdir@
diff --git a/lib/bind/port/lynxos/include/Makefile.in b/lib/bind/port/lynxos/include/Makefile.in
index 02485489..7b467097 100644
--- a/lib/bind/port/lynxos/include/Makefile.in
+++ b/lib/bind/port/lynxos/include/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.1.2.1 2004/03/15 04:44:53 marka Exp $
+# $Id: Makefile.in,v 1.1.206.1 2004/03/15 01:02:49 marka Exp $
 
 srcdir =        @srcdir@
 VPATH =         @srcdir@
diff --git a/lib/bind/port/lynxos/include/sys/cdefs.h b/lib/bind/port/lynxos/include/sys/cdefs.h
index d9512b15..213e34e1 100644
--- a/lib/bind/port/lynxos/include/sys/cdefs.h
+++ b/lib/bind/port/lynxos/include/sys/cdefs.h
@@ -55,7 +55,7 @@
 
 /*
  *	@(#)cdefs.h	8.1 (Berkeley) 6/2/93
- *	$Id: cdefs.h,v 1.1.2.1 2004/07/19 05:54:37 marka Exp $
+ *	$Id: cdefs.h,v 1.1 2001/05/17 06:25:51 marka Exp $
  */
 
 #ifndef	_CDEFS_H_
@@ -129,7 +129,7 @@
  * these work for GNU C++ (modulo a slight glitch in the C++ grammar
  * in the distribution version of 2.5.5).
  */
-#if !defined(__GNUC__) || __GNUC__ < 2 || (__GNUC__ == 2 && __GNUC_MINOR__ < 5)
+#if !defined(__GNUC__) || __GNUC__ < 2 || __GNUC_MINOR__ < 5
 #define	__attribute__(x)	/* delete __attribute__ if non-gcc or gcc1 */
 #if defined(__GNUC__) && !defined(__STRICT_ANSI__)
 #define	__dead		__volatile
diff --git a/lib/bind/port/mpe/include/Makefile.in b/lib/bind/port/mpe/include/Makefile.in
index a387d964..6c79e2a7 100644
--- a/lib/bind/port/mpe/include/Makefile.in
+++ b/lib/bind/port/mpe/include/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2.2.1 2004/03/15 04:44:53 marka Exp $
+# $Id: Makefile.in,v 1.2.206.1 2004/03/15 01:02:49 marka Exp $
 
 srcdir =        @srcdir@
 VPATH =         @srcdir@
diff --git a/lib/bind/port/mpe/include/sys/cdefs.h b/lib/bind/port/mpe/include/sys/cdefs.h
index e81cd654..5c626438 100644
--- a/lib/bind/port/mpe/include/sys/cdefs.h
+++ b/lib/bind/port/mpe/include/sys/cdefs.h
@@ -55,7 +55,7 @@
 
 /*
  *	@(#)cdefs.h	8.1 (Berkeley) 6/2/93
- *	$Id: cdefs.h,v 1.1.2.1 2004/07/19 05:54:37 marka Exp $
+ *	$Id: cdefs.h,v 1.1 2001/05/17 06:25:51 marka Exp $
  */
 
 #ifndef	_CDEFS_H_
@@ -127,7 +127,7 @@
  * these work for GNU C++ (modulo a slight glitch in the C++ grammar
  * in the distribution version of 2.5.5).
  */
-#if !defined(__GNUC__) || __GNUC__ < 2 || (__GNUC__ == 2 && __GNUC_MINOR__ < 5)
+#if !defined(__GNUC__) || __GNUC__ < 2 || __GNUC_MINOR__ < 5
 #define	__attribute__(x)	/* delete __attribute__ if non-gcc or gcc1 */
 #if defined(__GNUC__) && !defined(__STRICT_ANSI__)
 #define	__dead		__volatile
diff --git a/lib/bind/port/netbsd/include/Makefile.in b/lib/bind/port/netbsd/include/Makefile.in
index ab300148..a8035254 100644
--- a/lib/bind/port/netbsd/include/Makefile.in
+++ b/lib/bind/port/netbsd/include/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.1.2.1 2004/03/15 04:44:53 marka Exp $
+# $Id: Makefile.in,v 1.1.206.1 2004/03/15 01:02:49 marka Exp $
 
 srcdir =        @srcdir@
 VPATH =         @srcdir@
diff --git a/lib/bind/port/next/include/Makefile.in b/lib/bind/port/next/include/Makefile.in
index 05a31b36..a1cb9fbe 100644
--- a/lib/bind/port/next/include/Makefile.in
+++ b/lib/bind/port/next/include/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.1.2.1 2004/03/15 04:44:54 marka Exp $
+# $Id: Makefile.in,v 1.1.206.1 2004/03/15 01:02:50 marka Exp $
 
 srcdir =        @srcdir@
 VPATH =         @srcdir@
diff --git a/lib/bind/port/next/include/sys/cdefs.h b/lib/bind/port/next/include/sys/cdefs.h
index 69a57639..8f5d38ef 100644
--- a/lib/bind/port/next/include/sys/cdefs.h
+++ b/lib/bind/port/next/include/sys/cdefs.h
@@ -55,7 +55,7 @@
 
 /*
  *	@(#)cdefs.h	8.1 (Berkeley) 6/2/93
- *	$Id: cdefs.h,v 1.1.2.1 2004/07/19 05:54:38 marka Exp $
+ *	$Id: cdefs.h,v 1.1 2001/05/17 06:25:55 marka Exp $
  */
 
 #ifndef	_CDEFS_H_
@@ -127,7 +127,7 @@
  * these work for GNU C++ (modulo a slight glitch in the C++ grammar
  * in the distribution version of 2.5.5).
  */
-#if !defined(__GNUC__) || __GNUC__ < 2 || (__GNUC__ == 2 && __GNUC_MINOR__ < 5)
+#if !defined(__GNUC__) || __GNUC__ < 2 || __GNUC_MINOR__ < 5
 #define	__attribute__(x)	/* delete __attribute__ if non-gcc or gcc1 */
 #if defined(__GNUC__) && !defined(__STRICT_ANSI__)
 #define	__dead		__volatile
diff --git a/lib/bind/port/openbsd/include/Makefile.in b/lib/bind/port/openbsd/include/Makefile.in
index 576861ea..8b2ab825 100644
--- a/lib/bind/port/openbsd/include/Makefile.in
+++ b/lib/bind/port/openbsd/include/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.1.2.1 2004/03/15 04:44:54 marka Exp $
+# $Id: Makefile.in,v 1.1.206.1 2004/03/15 01:02:50 marka Exp $
 
 srcdir =        @srcdir@
 VPATH =         @srcdir@
diff --git a/lib/bind/port/qnx/include/Makefile.in b/lib/bind/port/qnx/include/Makefile.in
index 2046164a..b994550e 100644
--- a/lib/bind/port/qnx/include/Makefile.in
+++ b/lib/bind/port/qnx/include/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2.2.1 2004/03/15 04:44:54 marka Exp $
+# $Id: Makefile.in,v 1.2.206.1 2004/03/15 01:02:50 marka Exp $
 
 srcdir =        @srcdir@
 VPATH =         @srcdir@
diff --git a/lib/bind/port/qnx/include/sys/cdefs.h b/lib/bind/port/qnx/include/sys/cdefs.h
index 2b3f9ec5..f814b0c0 100644
--- a/lib/bind/port/qnx/include/sys/cdefs.h
+++ b/lib/bind/port/qnx/include/sys/cdefs.h
@@ -108,7 +108,8 @@
  * these work for GNU C++ (modulo a slight glitch in the C++ grammar
  * in the distribution version of 2.5.5).
  */
-#if !defined(__GNUC__) || __GNUC__ < 2 || (__GNUC__ == 2 && __GNUC_MINOR__ < 5)
+#if !defined(__GNUC__) || __GNUC__ < 2 || \
+	(__GNUC__ == 2 && __GNUC_MINOR__ < 5)
 #define	__attribute__(x)	/* delete __attribute__ if non-gcc or gcc1 */
 #if defined(__GNUC__) && !defined(__STRICT_ANSI__)
 #define	__dead		__volatile
diff --git a/lib/bind/port/rhapsody/include/Makefile.in b/lib/bind/port/rhapsody/include/Makefile.in
index 6e655c02..e2d4c20b 100644
--- a/lib/bind/port/rhapsody/include/Makefile.in
+++ b/lib/bind/port/rhapsody/include/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.1.2.1 2004/03/15 04:44:55 marka Exp $
+# $Id: Makefile.in,v 1.1.206.1 2004/03/15 01:02:51 marka Exp $
 
 srcdir =        @srcdir@
 VPATH =         @srcdir@
diff --git a/lib/bind/port/sco42/include/Makefile.in b/lib/bind/port/sco42/include/Makefile.in
index 08ad6069..f55f89b4 100644
--- a/lib/bind/port/sco42/include/Makefile.in
+++ b/lib/bind/port/sco42/include/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.1.2.1 2004/03/15 04:44:56 marka Exp $
+# $Id: Makefile.in,v 1.1.206.1 2004/03/15 01:02:51 marka Exp $
 
 srcdir =        @srcdir@
 VPATH =         @srcdir@
diff --git a/lib/bind/port/sco42/include/sys/cdefs.h b/lib/bind/port/sco42/include/sys/cdefs.h
index 69a57639..274057c6 100644
--- a/lib/bind/port/sco42/include/sys/cdefs.h
+++ b/lib/bind/port/sco42/include/sys/cdefs.h
@@ -55,7 +55,7 @@
 
 /*
  *	@(#)cdefs.h	8.1 (Berkeley) 6/2/93
- *	$Id: cdefs.h,v 1.1.2.1 2004/07/19 05:54:38 marka Exp $
+ *	$Id: cdefs.h,v 1.1 2001/05/17 06:25:57 marka Exp $
  */
 
 #ifndef	_CDEFS_H_
@@ -127,7 +127,7 @@
  * these work for GNU C++ (modulo a slight glitch in the C++ grammar
  * in the distribution version of 2.5.5).
  */
-#if !defined(__GNUC__) || __GNUC__ < 2 || (__GNUC__ == 2 && __GNUC_MINOR__ < 5)
+#if !defined(__GNUC__) || __GNUC__ < 2 || __GNUC_MINOR__ < 5
 #define	__attribute__(x)	/* delete __attribute__ if non-gcc or gcc1 */
 #if defined(__GNUC__) && !defined(__STRICT_ANSI__)
 #define	__dead		__volatile
diff --git a/lib/bind/port/sco50/include/Makefile.in b/lib/bind/port/sco50/include/Makefile.in
index afd498a1..bd639416 100644
--- a/lib/bind/port/sco50/include/Makefile.in
+++ b/lib/bind/port/sco50/include/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.1.2.1 2004/03/15 04:44:56 marka Exp $
+# $Id: Makefile.in,v 1.1.206.1 2004/03/15 01:02:51 marka Exp $
 
 srcdir =        @srcdir@
 VPATH =         @srcdir@
diff --git a/lib/bind/port/solaris/include/Makefile.in b/lib/bind/port/solaris/include/Makefile.in
index ec6c03ec..8a452599 100644
--- a/lib/bind/port/solaris/include/Makefile.in
+++ b/lib/bind/port/solaris/include/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.1.2.1 2004/03/15 04:44:57 marka Exp $
+# $Id: Makefile.in,v 1.1.206.1 2004/03/15 01:02:52 marka Exp $
 
 srcdir =        @srcdir@
 VPATH =         @srcdir@
diff --git a/lib/bind/port/solaris/include/sys/bitypes.h b/lib/bind/port/solaris/include/sys/bitypes.h
index c9ba1f47..b9c162f8 100644
--- a/lib/bind/port/solaris/include/sys/bitypes.h
+++ b/lib/bind/port/solaris/include/sys/bitypes.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: bitypes.h,v 1.2.2.1 2004/03/15 04:44:57 marka Exp $ */
+/* $Id: bitypes.h,v 1.2.206.1 2004/03/15 01:02:52 marka Exp $ */
 
 #ifndef __BIT_TYPES_DEFINED__
 #define __BIT_TYPES_DEFINED__
diff --git a/lib/bind/port/solaris/include/sys/cdefs.h b/lib/bind/port/solaris/include/sys/cdefs.h
index 24b1e24f..66950406 100644
--- a/lib/bind/port/solaris/include/sys/cdefs.h
+++ b/lib/bind/port/solaris/include/sys/cdefs.h
@@ -55,7 +55,7 @@
 
 /*
  *	@(#)cdefs.h	8.1 (Berkeley) 6/2/93
- *	$Id: cdefs.h,v 1.1.2.1 2004/07/19 05:54:39 marka Exp $
+ *	$Id: cdefs.h,v 1.1 2001/04/02 06:29:20 marka Exp $
  */
 
 #ifndef	_CDEFS_H_
@@ -127,7 +127,7 @@
  * these work for GNU C++ (modulo a slight glitch in the C++ grammar
  * in the distribution version of 2.5.5).
  */
-#if !defined(__GNUC__) || __GNUC__ < 2 || (__GNUC__ == 2 && __GNUC_MINOR__ < 5)
+#if !defined(__GNUC__) || __GNUC__ < 2 || __GNUC_MINOR__ < 5
 #define	__attribute__(x)	/* delete __attribute__ if non-gcc or gcc1 */
 #if defined(__GNUC__) && !defined(__STRICT_ANSI__)
 #define	__dead		__volatile
diff --git a/lib/bind/port/sunos/include/Makefile.in b/lib/bind/port/sunos/include/Makefile.in
index 9a4762c4..35bf43b7 100644
--- a/lib/bind/port/sunos/include/Makefile.in
+++ b/lib/bind/port/sunos/include/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.1.2.1 2004/03/15 04:44:57 marka Exp $
+# $Id: Makefile.in,v 1.1.206.1 2004/03/15 01:02:52 marka Exp $
 
 srcdir =        @srcdir@
 VPATH =         @srcdir@
diff --git a/lib/bind/port/sunos/include/sys/cdefs.h b/lib/bind/port/sunos/include/sys/cdefs.h
index 24b1e24f..ce95a0e0 100644
--- a/lib/bind/port/sunos/include/sys/cdefs.h
+++ b/lib/bind/port/sunos/include/sys/cdefs.h
@@ -55,7 +55,7 @@
 
 /*
  *	@(#)cdefs.h	8.1 (Berkeley) 6/2/93
- *	$Id: cdefs.h,v 1.1.2.1 2004/07/19 05:54:39 marka Exp $
+ *	$Id: cdefs.h,v 1.1 2001/05/17 06:25:58 marka Exp $
  */
 
 #ifndef	_CDEFS_H_
@@ -127,7 +127,7 @@
  * these work for GNU C++ (modulo a slight glitch in the C++ grammar
  * in the distribution version of 2.5.5).
  */
-#if !defined(__GNUC__) || __GNUC__ < 2 || (__GNUC__ == 2 && __GNUC_MINOR__ < 5)
+#if !defined(__GNUC__) || __GNUC__ < 2 || __GNUC_MINOR__ < 5
 #define	__attribute__(x)	/* delete __attribute__ if non-gcc or gcc1 */
 #if defined(__GNUC__) && !defined(__STRICT_ANSI__)
 #define	__dead		__volatile
diff --git a/lib/bind/port/ultrix/include/Makefile.in b/lib/bind/port/ultrix/include/Makefile.in
index b89da464..a20f57e5 100644
--- a/lib/bind/port/ultrix/include/Makefile.in
+++ b/lib/bind/port/ultrix/include/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.1.2.1 2004/03/15 04:44:58 marka Exp $
+# $Id: Makefile.in,v 1.1.206.1 2004/03/15 01:02:53 marka Exp $
 
 srcdir =        @srcdir@
 VPATH =         @srcdir@
diff --git a/lib/bind/port/unixware20/include/Makefile.in b/lib/bind/port/unixware20/include/Makefile.in
index 50f0e9d5..cc7cda82 100644
--- a/lib/bind/port/unixware20/include/Makefile.in
+++ b/lib/bind/port/unixware20/include/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.1.2.1 2004/03/15 04:44:58 marka Exp $
+# $Id: Makefile.in,v 1.1.206.1 2004/03/15 01:02:53 marka Exp $
 
 srcdir =        @srcdir@
 VPATH =         @srcdir@
diff --git a/lib/bind/port/unixware20/include/sys/cdefs.h b/lib/bind/port/unixware20/include/sys/cdefs.h
index f865564c..8b662a1c 100644
--- a/lib/bind/port/unixware20/include/sys/cdefs.h
+++ b/lib/bind/port/unixware20/include/sys/cdefs.h
@@ -55,7 +55,7 @@
 
 /*
  *	@(#)cdefs.h	8.1 (Berkeley) 6/2/93
- *	$Id: cdefs.h,v 1.1.2.1 2004/07/19 05:54:40 marka Exp $
+ *	$Id: cdefs.h,v 1.1 2001/05/17 06:26:00 marka Exp $
  */
 
 #ifndef	_CDEFS_H_
@@ -127,7 +127,7 @@
  * these work for GNU C++ (modulo a slight glitch in the C++ grammar
  * in the distribution version of 2.5.5).
  */
-#if !defined(__GNUC__) || __GNUC__ < 2 || (__GNUC__ == 2 && __GNUC_MINOR__ < 5)
+#if !defined(__GNUC__) || __GNUC__ < 2 || __GNUC_MINOR__ < 5
 #define	__attribute__(x)	/* delete __attribute__ if non-gcc or gcc1 */
 #if defined(__GNUC__) && !defined(__STRICT_ANSI__)
 #define	__dead		__volatile
diff --git a/lib/bind/port/unixware212/include/Makefile.in b/lib/bind/port/unixware212/include/Makefile.in
index 50f0e9d5..cc7cda82 100644
--- a/lib/bind/port/unixware212/include/Makefile.in
+++ b/lib/bind/port/unixware212/include/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.1.2.1 2004/03/15 04:44:58 marka Exp $
+# $Id: Makefile.in,v 1.1.206.1 2004/03/15 01:02:53 marka Exp $
 
 srcdir =        @srcdir@
 VPATH =         @srcdir@
diff --git a/lib/bind/port/unixware212/include/sys/cdefs.h b/lib/bind/port/unixware212/include/sys/cdefs.h
index f865564c..fa97a4f2 100644
--- a/lib/bind/port/unixware212/include/sys/cdefs.h
+++ b/lib/bind/port/unixware212/include/sys/cdefs.h
@@ -55,7 +55,7 @@
 
 /*
  *	@(#)cdefs.h	8.1 (Berkeley) 6/2/93
- *	$Id: cdefs.h,v 1.1.2.1 2004/07/19 05:54:40 marka Exp $
+ *	$Id: cdefs.h,v 1.1 2001/05/17 06:26:01 marka Exp $
  */
 
 #ifndef	_CDEFS_H_
@@ -127,7 +127,7 @@
  * these work for GNU C++ (modulo a slight glitch in the C++ grammar
  * in the distribution version of 2.5.5).
  */
-#if !defined(__GNUC__) || __GNUC__ < 2 || (__GNUC__ == 2 && __GNUC_MINOR__ < 5)
+#if !defined(__GNUC__) || __GNUC__ < 2 || __GNUC_MINOR__ < 5
 #define	__attribute__(x)	/* delete __attribute__ if non-gcc or gcc1 */
 #if defined(__GNUC__) && !defined(__STRICT_ANSI__)
 #define	__dead		__volatile
diff --git a/lib/bind/port/unixware7/include/Makefile.in b/lib/bind/port/unixware7/include/Makefile.in
index be27f5ec..fac1958f 100644
--- a/lib/bind/port/unixware7/include/Makefile.in
+++ b/lib/bind/port/unixware7/include/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.1.2.1 2004/03/15 04:44:59 marka Exp $
+# $Id: Makefile.in,v 1.1.206.1 2004/03/15 01:02:53 marka Exp $
 
 srcdir =        @srcdir@
 VPATH =         @srcdir@
diff --git a/lib/bind/port/unknown/include/Makefile.in b/lib/bind/port/unknown/include/Makefile.in
index 463894be..e69de29b 100644
--- a/lib/bind/port/unknown/include/Makefile.in
+++ b/lib/bind/port/unknown/include/Makefile.in
@@ -1,21 +0,0 @@
-# Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001  Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.1.2.3 2005/03/16 00:57:41 marka Exp $
-
-all:
-	exit 1
-
-@BIND9_MAKE_RULES@
diff --git a/lib/bind/port_after.h.in b/lib/bind/port_after.h.in
index f248d23f..9095982e 100644
--- a/lib/bind/port_after.h.in
+++ b/lib/bind/port_after.h.in
@@ -5,16 +5,9 @@
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <sys/param.h>
-#include <sys/time.h>
 #if (!defined(BSD)) || (BSD < 199306)
 #include <sys/bitypes.h>
 #endif
-#ifdef HAVE_INTTYPES_H
-#include <inttypes.h>
-#endif
-#ifdef HAVE_SYS_SELECT_H
-#include <sys/select.h>
-#endif /* HAVE_SYS_SELECT_H */
 
 @NEED_PSELECT@
 @HAVE_SA_LEN@
@@ -33,8 +26,9 @@
 @USE_SYSERROR_LIST@
 @INNETGR_ARGS@
 @SETNETGRENT_ARGS@
-@USE_IFNAMELINKID@
-@PORT_NONBLOCK@
+
+/* XXX sunos and cygwin needs O_NDELAY */
+#define PORT_NONBLOCK O_NONBLOCK
 
 /*
  * We need to know the IPv6 address family number even on IPv4-only systems.
@@ -91,19 +85,6 @@ struct sockaddr_in6 {
 #undef IN6ADDR_LOOPBACK_INIT
 #endif
 
-#ifdef _AIX
-#ifndef IN6ADDR_ANY_INIT
-#define IN6ADDR_ANY_INIT {{{ 0, 0, 0, 0 }}}
-#endif
-#ifndef IN6ADDR_LOOPBACK_INIT
-#if BYTE_ORDER == BIG_ENDIAN
-#define IN6ADDR_LOOPBACK_INIT {{{ 0, 0, 0, 1 }}}
-#else
-#define IN6ADDR_LOOPBACK_INIT {{{0, 0, 0, 0x01000000}}}
-#endif
-#endif
-#endif
-
 #ifndef IN6ADDR_ANY_INIT
 #ifdef s6_addr
 #define IN6ADDR_ANY_INIT \
@@ -260,7 +241,7 @@ char * strsep(char **stringp, const char *delim);
 #endif
 
 #ifndef ALIGN
-#define ALIGN(p) (((uintptr_t)(p) + (sizeof(long) - 1)) & ~(sizeof(long) - 1))
+#define ALIGN(p) (((unsigned int)(p) + (sizeof(int) - 1)) & ~(sizeof(int) - 1))
 #endif
 
 #ifdef NEED_SETGROUPENT
@@ -303,7 +284,7 @@ GROUP_R_SET_RETURN setgrent_r(GROUP_R_ENT_ARGS);
 GROUP_R_END_RETURN endgrent_r(GROUP_R_ENT_ARGS);
 #endif
 
-#if defined(NEED_INNETGR_R) && defined(NGR_R_RETURN)
+#ifdef NEED_INNETGR_R
 NGR_R_RETURN
 innetgr_r(const char *, const char *, const char *, const char *);
 #endif
@@ -386,9 +367,7 @@ int isc__gettimeofday(struct timeval *tp, struct timezone *tzp);
 
 int getnetgrent(char **machinep, char **userp, char **domainp);
 
-#ifdef NGR_R_ARGS
 int getnetgrent_r(char **machinep, char **userp, char **domainp, NGR_R_ARGS);
-#endif
 
 #ifdef SETNETGRENT_ARGS
 void setnetgrent(SETNETGRENT_ARGS);
diff --git a/lib/bind/port_before.h.in b/lib/bind/port_before.h.in
index 0b00821b..d6fbe86a 100644
--- a/lib/bind/port_before.h.in
+++ b/lib/bind/port_before.h.in
@@ -12,25 +12,12 @@ struct timezone;        /* silence warning */
 #endif
 #include <limits.h>
 
-#ifdef ISC_PLATFORM_NEEDTIMESPEC
-#include <time.h>		/* For time_t */
-struct timespec {
-        time_t  tv_sec;         /* seconds */
-        long    tv_nsec;        /* nanoseconds */
-};
-#endif
-#ifndef HAVE_MEMMOVE
-#define memmove(a,b,c) bcopy(b,a,c)
-#endif
 
 @WANT_IRS_GR@
 @WANT_IRS_NIS@
 @WANT_IRS_PW@
 
 @BSD_COMP@
-@USE_POLL@
-@HAVE_MD5@
-@SOLARIS2@
 
 @DO_PTHREADS@
 @GETGROUPLIST_ARGS@
@@ -97,13 +84,11 @@ struct timespec {
 @PROTO_R_END_RESULT@
 @PROTO_R_END_RETURN@
 @PROTO_R_ENT_ARGS@
-@PROTO_R_ENT_UNUSED@
 @PROTO_R_OK@
 @PROTO_R_SETANSWER@
 @PROTO_R_RETURN@
 @PROTO_R_SET_RESULT@
 @PROTO_R_SET_RETURN@
-@PROTOENT_DATA@
 
 @PASS_R_ARGS@
 @PASS_R_BAD@
@@ -124,13 +109,11 @@ struct timespec {
 @SERV_R_END_RESULT@
 @SERV_R_END_RETURN@
 @SERV_R_ENT_ARGS@
-@SERV_R_ENT_UNUSED@
 @SERV_R_OK@
 @SERV_R_SETANSWER@
 @SERV_R_RETURN@
 @SERV_R_SET_RESULT@
 @SERV_R_SET_RETURN@
-@SERVENT_DATA@
 
 
 #define DE_CONST(konst, var) \
@@ -152,9 +135,4 @@ struct timespec {
 #define ISC_FORMAT_PRINTF(fmt, args)
 #endif
 
-/* Pull in host order macros when _XOPEN_SOURCE_EXTENDED is defined. */
-#if defined(__hpux) && defined(_XOPEN_SOURCE_EXTENDED)
-#include <sys/byteorder.h>
-#endif
-
 #endif
diff --git a/lib/bind/resolv/Makefile.in b/lib/bind/resolv/Makefile.in
index 6411e373..74a20e74 100644
--- a/lib/bind/resolv/Makefile.in
+++ b/lib/bind/resolv/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
@@ -13,16 +13,16 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.3.2.3 2005/07/29 00:13:52 marka Exp $
+# $Id: Makefile.in,v 1.3.206.1 2004/03/15 01:02:54 marka Exp $
 
 srcdir=		@srcdir@
 VPATH =         @srcdir@
 
-OBJS=	herror.@O@ mtctxres.@O@ res_comp.@O@ res_data.@O@ res_debug.@O@ \
+OBJS=	herror.@O@ res_comp.@O@ res_data.@O@ res_debug.@O@ \
 	res_findzonecut.@O@ res_init.@O@ res_mkquery.@O@ res_mkupdate.@O@ \
 	res_query.@O@ res_send.@O@ res_sendsigned.@O@ res_update.@O@
 
-SRCS=	herror.c mtctxres.c res_comp.c res_data.c res_debug.c \
+SRCS=	herror.c res_comp.c res_data.c res_debug.c \
 	res_findzonecut.c res_init.c res_mkquery.c res_mkupdate.c \
 	res_query.c res_send.c res_sendsigned.c res_update.c
 
diff --git a/lib/bind/resolv/herror.c b/lib/bind/resolv/herror.c
index cacba8b4..58807e96 100644
--- a/lib/bind/resolv/herror.c
+++ b/lib/bind/resolv/herror.c
@@ -50,7 +50,7 @@
 
 #if defined(LIBC_SCCS) && !defined(lint)
 static const char sccsid[] = "@(#)herror.c	8.1 (Berkeley) 6/4/93";
-static const char rcsid[] = "$Id: herror.c,v 1.2.2.1 2004/03/09 09:17:48 marka Exp $";
+static const char rcsid[] = "$Id: herror.c,v 1.2.206.1 2004/03/09 08:33:54 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include "port_before.h"
diff --git a/lib/bind/resolv/mtctxres.c b/lib/bind/resolv/mtctxres.c
deleted file mode 100644
index 635bbd44..00000000
--- a/lib/bind/resolv/mtctxres.c
+++ /dev/null
@@ -1,129 +0,0 @@
-#include <port_before.h>
-#ifdef DO_PTHREADS
-#include <pthread.h>
-#endif
-#include <errno.h>
-#include <netdb.h>
-#include <stdlib.h>
-#include <string.h>
-#include <resolv_mt.h>
-#include <irs.h>
-#include <port_after.h>
-
-#ifdef DO_PTHREADS
-static pthread_key_t	key;
-static int		mt_key_initialized = 0;
-
-static int		__res_init_ctx(void);
-static void		__res_destroy_ctx(void *);
-
-#if defined(sun) && !defined(__GNUC__)
-#pragma init	(_mtctxres_init)
-#endif
-#endif
-
-static mtctxres_t	sharedctx;
-
-#ifdef DO_PTHREADS
-/*
- * Initialize the TSD key. By doing this at library load time, we're
- * implicitly running without interference from other threads, so there's
- * no need for locking.
- */
-static void
-_mtctxres_init(void) {
-	int pthread_keycreate_ret;
-
-	pthread_keycreate_ret = pthread_key_create(&key, __res_destroy_ctx);
-	if (pthread_keycreate_ret == 0)
-		mt_key_initialized = 1;
-}
-#endif
-
-/*
- * To support binaries that used the private MT-safe interface in
- * Solaris 8, we still need to provide the __res_enable_mt()
- * and __res_disable_mt() entry points. They're do-nothing routines.
- */
-int
-__res_enable_mt(void) {
-	return (-1);
-}
-
-int
-__res_disable_mt(void) {
-	return (0);
-}
-
-#ifdef DO_PTHREADS
-static int
-__res_init_ctx(void) {
-
-	mtctxres_t	*mt;
-	int		ret;
-
-
-	if (pthread_getspecific(key) != 0) {
-		/* Already exists */
-		return (0);
-	}
-
-	if ((mt = malloc(sizeof (mtctxres_t))) == 0) {
-		errno = ENOMEM;
-		return (-1);
-	}
-
-	memset(mt, 0, sizeof (mtctxres_t));
-
-	if ((ret = pthread_setspecific(key, mt)) != 0) {
-		free(mt);
-		errno = ret;
-		return (-1);
-	}
-
-	return (0);
-}
-
-static void
-__res_destroy_ctx(void *value) {
-
-	mtctxres_t	*mt = (mtctxres_t *)value;
-
-	if (mt != 0)
-		free(mt);
-}
-#endif
-
-mtctxres_t *
-___mtctxres(void) {
-#ifdef DO_PTHREADS
-	mtctxres_t	*mt;
-
-	/*
-	 * This if clause should only be executed if we are linking
-	 * statically.  When linked dynamically _mtctxres_init() should
-	 * be called at binding time due the #pragma above.
-	 */
-	if (!mt_key_initialized) {
-		static pthread_mutex_t keylock = PTHREAD_MUTEX_INITIALIZER;
-                if (pthread_mutex_lock(&keylock) == 0) {
-			_mtctxres_init();
-			(void) pthread_mutex_unlock(&keylock);
-		}
-	}
-
-	/*
-	 * If we have already been called in this thread return the existing
-	 * context.  Otherwise recreat a new context and return it.  If
-	 * that fails return a global context.
-	 */
-	if (mt_key_initialized) {
-		if (((mt = pthread_getspecific(key)) != 0) ||
-		    (__res_init_ctx() == 0 &&
-		     (mt = pthread_getspecific(key)) != 0)) {
-			return (mt);
-		}
-	}
-#endif
-	return (&sharedctx);
-}
diff --git a/lib/bind/resolv/res_comp.c b/lib/bind/resolv/res_comp.c
index b806fba8..6468dbc2 100644
--- a/lib/bind/resolv/res_comp.c
+++ b/lib/bind/resolv/res_comp.c
@@ -70,7 +70,7 @@
 
 #if defined(LIBC_SCCS) && !defined(lint)
 static const char sccsid[] = "@(#)res_comp.c	8.1 (Berkeley) 6/4/93";
-static const char rcsid[] = "$Id: res_comp.c,v 1.1.2.3 2005/07/28 07:48:21 marka Exp $";
+static const char rcsid[] = "$Id: res_comp.c,v 1.1.2.1.4.1 2004/03/09 08:33:54 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include "port_before.h"
@@ -242,18 +242,6 @@ res_dnok(const char *dn) {
  *	__getshort
  * Note that one _ comes from C and the others come from us.
  */
-
-#ifdef SOLARIS2
-#ifdef  __putlong
-#undef  __putlong
-#endif
-#ifdef  __putshort
-#undef  __putshort
-#endif
-#pragma weak    putlong         =       __putlong
-#pragma weak    putshort        =       __putshort
-#endif /* SOLARIS2 */
-
 void __putlong(u_int32_t src, u_char *dst) { ns_put32(src, dst); }
 void __putshort(u_int16_t src, u_char *dst) { ns_put16(src, dst); }
 #ifndef __ultrix__
diff --git a/lib/bind/resolv/res_data.c b/lib/bind/resolv/res_data.c
index a9ecf848..204e03d6 100644
--- a/lib/bind/resolv/res_data.c
+++ b/lib/bind/resolv/res_data.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: res_data.c,v 1.1.2.2 2004/03/16 12:35:33 marka Exp $";
+static const char rcsid[] = "$Id: res_data.c,v 1.1.206.2 2004/03/16 12:34:18 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include "port_before.h"
diff --git a/lib/bind/resolv/res_debug.c b/lib/bind/resolv/res_debug.c
index 35ba54b8..89a18d9c 100644
--- a/lib/bind/resolv/res_debug.c
+++ b/lib/bind/resolv/res_debug.c
@@ -95,7 +95,7 @@
 
 #if defined(LIBC_SCCS) && !defined(lint)
 static const char sccsid[] = "@(#)res_debug.c	8.1 (Berkeley) 6/4/93";
-static const char rcsid[] = "$Id: res_debug.c,v 1.3.2.11 2005/07/28 07:48:21 marka Exp $";
+static const char rcsid[] = "$Id: res_debug.c,v 1.3.2.5.4.4 2004/04/13 06:53:20 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include "port_before.h"
@@ -113,7 +113,6 @@ static const char rcsid[] = "$Id: res_debug.c,v 1.3.2.11 2005/07/28 07:48:21 mar
 #include <math.h>
 #include <netdb.h>
 #include <resolv.h>
-#include <resolv_mt.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -505,7 +504,7 @@ sym_ston(const struct res_sym *syms, const char *name, int *success) {
 
 const char *
 sym_ntos(const struct res_sym *syms, int number, int *success) {
-	char *unname = sym_ntos_unname;
+	static char unname[20];
 
 	for ((void)NULL; syms->name != 0; syms++) {
 		if (number == syms->number) {
@@ -523,7 +522,7 @@ sym_ntos(const struct res_sym *syms, int number, int *success) {
 
 const char *
 sym_ntop(const struct res_sym *syms, int number, int *success) {
-	char *unname = sym_ntop_unname;
+	static char unname[20];
 
 	for ((void)NULL; syms->name != 0; syms++) {
 		if (number == syms->number) {
@@ -550,7 +549,7 @@ p_type(int type) {
 	result = sym_ntos(__p_type_syms, type, &success);
 	if (success)
 		return (result);
-	if (type < 0 || type > 0xffff)
+	if (type < 0 || type > 0xfff)
 		return ("BADTYPE");
 	sprintf(typebuf, "TYPE%d", type);
 	return (typebuf);
@@ -586,7 +585,7 @@ p_class(int class) {
 	result = sym_ntos(__p_class_syms, class, &success);
 	if (success)
 		return (result);
-	if (class < 0 || class > 0xffff)
+	if (class < 0 || class > 0xfff)
 		return ("BADCLASS");
 	sprintf(classbuf, "CLASS%d", class);
 	return (classbuf);
@@ -597,7 +596,7 @@ p_class(int class) {
  */
 const char *
 p_option(u_long option) {
-	char *nbuf = p_option_nbuf;
+	static char nbuf[40];
 
 	switch (option) {
 	case RES_INIT:		return "init";
@@ -640,7 +639,7 @@ p_option(u_long option) {
  */
 const char *
 p_time(u_int32_t value) {
-	char *nbuf = p_time_nbuf;
+	static char nbuf[40];		/* XXX nonreentrant */
 
 	if (ns_format_ttl(value, nbuf, sizeof nbuf) < 0)
 		sprintf(nbuf, "%u", value);
@@ -696,7 +695,7 @@ static const char *
 precsize_ntoa(prec)
 	u_int8_t prec;
 {
-	char *retbuf = precsize_ntoa_retbuf;
+	static char retbuf[sizeof "90000000.00"];	/* XXX nonreentrant */
 	unsigned long val;
 	int mantissa, exponent;
 
@@ -1098,7 +1097,8 @@ dn_count_labels(const char *name) {
  */
 char *
 p_secstodate (u_long secs) {
-	char *output = p_secstodate_output;
+	/* XXX nonreentrant */
+	static char output[15];		/* YYYYMMDDHHMMSS and null */
 	time_t clock = secs;
 	struct tm *time;
 #ifdef HAVE_TIME_R
diff --git a/lib/bind/resolv/res_findzonecut.c b/lib/bind/resolv/res_findzonecut.c
index 2649bdcd..d462228d 100644
--- a/lib/bind/resolv/res_findzonecut.c
+++ b/lib/bind/resolv/res_findzonecut.c
@@ -1,5 +1,5 @@
 #if !defined(lint) && !defined(SABER)
-static const char rcsid[] = "$Id: res_findzonecut.c,v 1.2.2.7 2005/10/11 00:56:05 marka Exp $";
+static const char rcsid[] = "$Id: res_findzonecut.c,v 1.2.2.3.4.2 2004/03/16 12:34:18 marka Exp $";
 #endif /* not lint */
 
 /*
@@ -319,6 +319,7 @@ get_soa(res_state statp, const char *dname, ns_class class, int opts,
 		for (i = 0; i < n; i++) {
 			const char *t;
 			const u_char *rdata;
+			int rdlen;
 			ns_rr rr;
 
 			if (ns_parserr(&msg, sect, i, &rr) < 0) {
@@ -359,14 +360,14 @@ get_soa(res_state statp, const char *dname, ns_class class, int opts,
 				abort();
 			}
 			if (strlen(t) + 1 > zsize) {
-				DPRINTF(("get_soa: zname(%lu) too small (%lu)",
-					 (unsigned long)zsize,
-					 (unsigned long)strlen(t) + 1));
+				DPRINTF(("get_soa: zname(%d) too small (%d)",
+					 zsize, strlen(t) + 1));
 				errno = EMSGSIZE;
 				goto cleanup;
 			}
 			strcpy(zname, t);
 			rdata = ns_rr_rdata(rr);
+			rdlen = ns_rr_rdlen(rr);
 			if (ns_name_uncompress(resp, ns_msg_end(msg), rdata,
 					       mname, msize) < 0) {
 				DPRINTF(("get_soa: ns_name_uncompress failed")
@@ -524,6 +525,7 @@ save_ns(res_state statp, ns_msg *msg, ns_sect sect,
 		const u_char *rdata;
 		rr_ns *nsrr;
 		ns_rr rr;
+		int rdlen;
 
 		if (ns_parserr(msg, sect, i, &rr) < 0) {
 			DPRINTF(("save_ns: ns_parserr(%s, %d) failed",
@@ -542,6 +544,7 @@ save_ns(res_state statp, ns_msg *msg, ns_sect sect,
 				return (-1);
 			}
 			rdata = ns_rr_rdata(rr);
+			rdlen = ns_rr_rdlen(rr);
 			if (ns_name_uncompress(ns_msg_base(*msg),
 					       ns_msg_end(*msg), rdata,
 					       tname, sizeof tname) < 0) {
diff --git a/lib/bind/resolv/res_init.c b/lib/bind/resolv/res_init.c
index 639f2776..241f5f7c 100644
--- a/lib/bind/resolv/res_init.c
+++ b/lib/bind/resolv/res_init.c
@@ -70,7 +70,7 @@
 
 #if defined(LIBC_SCCS) && !defined(lint)
 static const char sccsid[] = "@(#)res_init.c	8.1 (Berkeley) 6/7/93";
-static const char rcsid[] = "$Id: res_init.c,v 1.9.2.13 2007/07/09 01:54:50 marka Exp $";
+static const char rcsid[] = "$Id: res_init.c,v 1.9.2.5.4.2 2004/03/16 12:34:18 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include "port_before.h"
@@ -102,10 +102,6 @@ static const char rcsid[] = "$Id: res_init.c,v 1.9.2.13 2007/07/09 01:54:50 mark
 #define RESOLVSORT
 #define DEBUG
 
-#ifdef SOLARIS2
-#include <sys/systeminfo.h>
-#endif
-
 static void res_setoptions __P((res_state, const char *, const char *));
 
 #ifdef RESOLVSORT
@@ -166,11 +162,6 @@ __res_vinit(res_state statp, int preinit) {
 #endif
 	int dots;
 	union res_sockaddr_union u[2];
-	int maxns = MAXNS;
-
-	RES_SET_H_ERRNO(statp, 0);
-	if (statp->_u._ext.ext != NULL)
-		res_ndestroy(statp);
 
 	if (!preinit) {
 		statp->retrans = RES_TIMEOUT;
@@ -179,6 +170,9 @@ __res_vinit(res_state statp, int preinit) {
 		statp->id = res_randomid();
 	}
 
+	if ((statp->options & RES_INIT) != 0U)
+		res_ndestroy(statp);
+
 	memset(u, 0, sizeof(u));
 #ifdef USELOOPBACK
 	u[nserv].sin.sin_addr = inet_makeaddr(IN_LOOPBACKNET, 1);
@@ -218,49 +212,12 @@ __res_vinit(res_state statp, int preinit) {
 		statp->_u._ext.ext->nsaddrs[0].sin = statp->nsaddr;
 		strcpy(statp->_u._ext.ext->nsuffix, "ip6.arpa");
 		strcpy(statp->_u._ext.ext->nsuffix2, "ip6.int");
-	} else {
-		/*
-		 * Historically res_init() rarely, if at all, failed.
-		 * Examples and applications exist which do not check
-		 * our return code.  Furthermore several applications
-		 * simply call us to get the systems domainname.  So
-		 * rather then immediately fail here we store the
-		 * failure, which is returned later, in h_errno.  And
-		 * prevent the collection of 'nameserver' information
-		 * by setting maxns to 0.  Thus applications that fail
-		 * to check our return code wont be able to make
-		 * queries anyhow.
-		 */
-		RES_SET_H_ERRNO(statp, NETDB_INTERNAL);
-		maxns = 0;
 	}
 #ifdef RESOLVSORT
 	statp->nsort = 0;
 #endif
 	res_setservers(statp, u, nserv);
 
-#ifdef	SOLARIS2
-	/*
-	 * The old libresolv derived the defaultdomain from NIS/NIS+.
-	 * We want to keep this behaviour
-	 */
-	{
-		char buf[sizeof(statp->defdname)], *cp;
-		int ret;
-
-		if ((ret = sysinfo(SI_SRPC_DOMAIN, buf, sizeof(buf))) > 0 &&
-			(unsigned int)ret <= sizeof(buf)) {
-			if (buf[0] == '+')
-				buf[0] = '.';
-			cp = strchr(buf, '.');
-			cp = (cp == NULL) ? buf : (cp + 1);
-			strncpy(statp->defdname, cp,
-				sizeof(statp->defdname) - 1);
-			statp->defdname[sizeof(statp->defdname) - 1] = '\0';
-		}
-	}
-#endif	/* SOLARIS2 */
-
 	/* Allow user to override the local domain definition */
 	if ((cp = getenv("LOCALDOMAIN")) != NULL) {
 		(void)strncpy(statp->defdname, cp, sizeof(statp->defdname) - 1);
@@ -362,7 +319,7 @@ __res_vinit(res_state statp, int preinit) {
 		    continue;
 		}
 		/* read nameservers to query */
-		if (MATCH(buf, "nameserver") && nserv < maxns) {
+		if (MATCH(buf, "nameserver") && nserv < MAXNS) {
 		    struct addrinfo hints, *ai;
 		    char sbuf[NI_MAXSERV];
 		    const size_t minsiz =
@@ -498,7 +455,7 @@ __res_vinit(res_state statp, int preinit) {
 	if ((cp = getenv("RES_OPTIONS")) != NULL)
 		res_setoptions(statp, cp, "env");
 	statp->options |= RES_INIT;
-	return (statp->res_h_errno);
+	return (0);
 }
 
 static void
@@ -538,22 +495,6 @@ res_setoptions(res_state statp, const char *options, const char *source)
 			if (statp->options & RES_DEBUG)
 				printf(";;\ttimeout=%d\n", statp->retrans);
 #endif
-#ifdef	SOLARIS2
-		} else if (!strncmp(cp, "retrans:", sizeof("retrans:") - 1)) {
-			/*
-		 	 * For backward compatibility, 'retrans' is
-		 	 * supported as an alias for 'timeout', though
-		 	 * without an imposed maximum.
-		 	 */
-			statp->retrans = atoi(cp + sizeof("retrans:") - 1);
-		} else if (!strncmp(cp, "retry:", sizeof("retry:") - 1)){
-			/*
-			 * For backward compatibility, 'retry' is
-			 * supported as an alias for 'attempts', though
-			 * without an imposed maximum.
-			 */
-			statp->retry = atoi(cp + sizeof("retry:") - 1);
-#endif	/* SOLARIS2 */
 		} else if (!strncmp(cp, "attempts:", sizeof("attempts:") - 1)){
 			i = atoi(cp + sizeof("attempts:") - 1);
 			if (i <= RES_MAXRETRY)
diff --git a/lib/bind/resolv/res_mkquery.c b/lib/bind/resolv/res_mkquery.c
index dad848d6..89000edf 100644
--- a/lib/bind/resolv/res_mkquery.c
+++ b/lib/bind/resolv/res_mkquery.c
@@ -70,7 +70,7 @@
 
 #if defined(LIBC_SCCS) && !defined(lint)
 static const char sccsid[] = "@(#)res_mkquery.c	8.1 (Berkeley) 6/4/93";
-static const char rcsid[] = "$Id: res_mkquery.c,v 1.1.2.4 2004/03/16 12:35:35 marka Exp $";
+static const char rcsid[] = "$Id: res_mkquery.c,v 1.1.2.2.4.2 2004/03/16 12:34:18 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include "port_before.h"
diff --git a/lib/bind/resolv/res_mkupdate.c b/lib/bind/resolv/res_mkupdate.c
index 12269705..f15c6137 100644
--- a/lib/bind/resolv/res_mkupdate.c
+++ b/lib/bind/resolv/res_mkupdate.c
@@ -21,7 +21,7 @@
  */
 
 #if !defined(lint) && !defined(SABER)
-static const char rcsid[] = "$Id: res_mkupdate.c,v 1.1.2.6 2005/10/14 05:43:07 marka Exp $";
+static const char rcsid[] = "$Id: res_mkupdate.c,v 1.1.2.1.4.2 2004/03/16 12:34:19 marka Exp $";
 #endif /* not lint */
 
 #include "port_before.h"
@@ -78,7 +78,7 @@ int
 res_nmkupdate(res_state statp, ns_updrec *rrecp_in, u_char *buf, int buflen) {
 	ns_updrec *rrecp_start = rrecp_in;
 	HEADER *hp;
-	u_char *cp, *sp2, *startp, *endp;
+	u_char *cp, *sp1, *sp2, *startp, *endp;
 	int n, i, soanum, multiline;
 	ns_updrec *rrecp;
 	struct in_addr ina;
@@ -101,6 +101,7 @@ res_nmkupdate(res_state statp, ns_updrec *rrecp_in, u_char *buf, int buflen) {
 	hp->id = htons(++statp->id);
 	hp->opcode = ns_o_update;
 	hp->rcode = NOERROR;
+	sp1 = buf + 2*INT16SZ;  /* save pointer to zocount */
 	cp = buf + HFIXEDSZ;
 	buflen -= HFIXEDSZ;
 	dpp = dnptrs;
@@ -349,13 +350,13 @@ res_nmkupdate(res_state statp, ns_updrec *rrecp_in, u_char *buf, int buflen) {
 				bm[i] = 0;
 
 			while (getword_str(buf2, sizeof buf2, &startp, endp)) {
-				if ((n = res_servicenumber(buf2)) <= 0)
+				if ((n1 = res_servicenumber(buf2)) <= 0)
 					return (-1);
 
-				if (n < MAXPORT) {
-					bm[n/8] |= (0x80>>(n%8));
-					if ((unsigned)n > maxbm)
-						maxbm = n;
+				if (n1 < MAXPORT) {
+					bm[n1/8] |= (0x80>>(n1%8));
+					if (n1 > maxbm)
+						maxbm = n1;
 				} else
 					return (-1);
 			}
@@ -921,10 +922,10 @@ res_mkupdrec(int section, const char *dname,
 	}
 	INIT_LINK(rrecp, r_link);
 	INIT_LINK(rrecp, r_glink);
- 	rrecp->r_class = (ns_class)class;
-	rrecp->r_type = (ns_type)type;
+ 	rrecp->r_class = class;
+	rrecp->r_type = type;
 	rrecp->r_ttl = ttl;
-	rrecp->r_section = (ns_sect)section;
+	rrecp->r_section = section;
 	return (rrecp);
 }
 
diff --git a/lib/bind/resolv/res_query.c b/lib/bind/resolv/res_query.c
index 57abb62f..5156ce84 100644
--- a/lib/bind/resolv/res_query.c
+++ b/lib/bind/resolv/res_query.c
@@ -70,7 +70,7 @@
 
 #if defined(LIBC_SCCS) && !defined(lint)
 static const char sccsid[] = "@(#)res_query.c	8.1 (Berkeley) 6/4/93";
-static const char rcsid[] = "$Id: res_query.c,v 1.2.2.5 2004/03/16 12:35:36 marka Exp $";
+static const char rcsid[] = "$Id: res_query.c,v 1.2.2.3.4.2 2004/03/16 12:34:19 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include "port_before.h"
diff --git a/lib/bind/resolv/res_send.c b/lib/bind/resolv/res_send.c
index d85098b1..f38979d3 100644
--- a/lib/bind/resolv/res_send.c
+++ b/lib/bind/resolv/res_send.c
@@ -52,7 +52,7 @@
  */
 
 /*
- * Copyright (c) 2005 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (c) 1996-1999 by Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -70,7 +70,7 @@
 
 #if defined(LIBC_SCCS) && !defined(lint)
 static const char sccsid[] = "@(#)res_send.c	8.1 (Berkeley) 6/4/93";
-static const char rcsid[] = "$Id: res_send.c,v 1.5.2.11 2006/10/16 23:02:41 marka Exp $";
+static const char rcsid[] = "$Id: res_send.c,v 1.5.2.2.4.3 2004/04/12 06:54:59 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 /*
@@ -103,13 +103,6 @@ static const char rcsid[] = "$Id: res_send.c,v 1.5.2.11 2006/10/16 23:02:41 mark
 
 #include "port_after.h"
 
-#ifdef USE_POLL
-#ifdef HAVE_STROPTS_H
-#include <stropts.h>
-#endif
-#include <poll.h>
-#endif /* USE_POLL */
-
 /* Options.  Leave them on. */
 #define DEBUG
 #include "res_debug.h"
@@ -117,11 +110,7 @@ static const char rcsid[] = "$Id: res_send.c,v 1.5.2.11 2006/10/16 23:02:41 mark
 
 #define EXT(res) ((res)->_u._ext)
 
-#ifndef USE_POLL
 static const int highestFD = FD_SETSIZE - 1;
-#else
-static int highestFD = 0;
-#endif
 
 /* Forward. */
 
@@ -130,13 +119,13 @@ static struct sockaddr * get_nsaddr __P((res_state, size_t));
 static int		send_vc(res_state, const u_char *, int,
 				u_char *, int, int *, int);
 static int		send_dg(res_state, const u_char *, int,
-				u_char *, int, int *, int, int,
+				u_char *, int, int *, int,
 				int *, int *);
 static void		Aerror(const res_state, FILE *, const char *, int,
 			       const struct sockaddr *, int);
 static void		Perror(const res_state, FILE *, const char *, int);
 static int		sock_eq(struct sockaddr *, struct sockaddr *);
-#if defined(NEED_PSELECT) && !defined(USE_POLL)
+#ifdef NEED_PSELECT
 static int		pselect(int, void *, void *, void *,
 				struct timespec *,
 				const sigset_t *);
@@ -183,8 +172,7 @@ res_ourserver_p(const res_state statp, const struct sockaddr *sa) {
 			if (srv6->sin6_family == in6p->sin6_family &&
 			    srv6->sin6_port == in6p->sin6_port &&
 #ifdef HAVE_SIN6_SCOPE_ID
-			    (srv6->sin6_scope_id == 0 ||
-			     srv6->sin6_scope_id == in6p->sin6_scope_id) &&
+			    srv6->sin6_scope_id == in6p->sin6_scope_id &&
 #endif
 			    (IN6_IS_ADDR_UNSPECIFIED(&srv6->sin6_addr) ||
 			     IN6_ARE_ADDR_EQUAL(&srv6->sin6_addr, &in6p->sin6_addr)))
@@ -291,12 +279,7 @@ res_nsend(res_state statp,
 	int gotsomewhere, terrno, try, v_circuit, resplen, ns, n;
 	char abuf[NI_MAXHOST];
 
-#ifdef USE_POLL
-	highestFD = sysconf(_SC_OPEN_MAX) - 1;
-#endif
-
-	/* No name servers or res_init() failure */
-	if (statp->nscount == 0 || EXT(statp).ext == NULL) {
+	if (statp->nscount == 0) {
 		errno = ESRCH;
 		return (-1);
 	}
@@ -459,7 +442,7 @@ res_nsend(res_state statp,
 		} else {
 			/* Use datagrams. */
 			n = send_dg(statp, buf, buflen, ans, anssiz, &terrno,
-				    ns, try, &v_circuit, &gotsomewhere);
+				    ns, &v_circuit, &gotsomewhere);
 			if (n < 0)
 				goto fail;
 			if (n == 0)
@@ -673,7 +656,7 @@ send_vc(res_state statp,
 	len = INT16SZ;
 	while ((n = read(statp->_vcsock, (char *)cp, (int)len)) > 0) {
 		cp += n;
-		if ((len -= n) == 0)
+		if ((len -= n) <= 0)
 			break;
 	}
 	if (n <= 0) {
@@ -767,24 +750,19 @@ send_vc(res_state statp,
 }
 
 static int
-send_dg(res_state statp, const u_char *buf, int buflen, u_char *ans,
-	int anssiz, int *terrno, int ns, int try, int *v_circuit,
-	int *gotsomewhere)
+send_dg(res_state statp,
+	const u_char *buf, int buflen, u_char *ans, int anssiz,
+	int *terrno, int ns, int *v_circuit, int *gotsomewhere)
 {
 	const HEADER *hp = (const HEADER *) buf;
 	HEADER *anhp = (HEADER *) ans;
 	const struct sockaddr *nsap;
 	int nsaplen;
 	struct timespec now, timeout, finish;
+	fd_set dsmask;
 	struct sockaddr_storage from;
 	ISC_SOCKLEN_T fromlen;
 	int resplen, seconds, n, s;
-#ifdef USE_POLL
-	int     polltimeout;
-	struct pollfd   pollfd;
-#else
-	fd_set dsmask;
-#endif
 
 	nsap = get_nsaddr(statp, ns);
 	nsaplen = get_salen(nsap);
@@ -850,7 +828,7 @@ send_dg(res_state statp, const u_char *buf, int buflen, u_char *ans,
 	/*
 	 * Wait for reply.
 	 */
-	seconds = (statp->retrans << try);
+	seconds = (statp->retrans << ns);
 	if (ns > 0)
 		seconds /= statp->nscount;
 	if (seconds <= 0)
@@ -862,7 +840,6 @@ send_dg(res_state statp, const u_char *buf, int buflen, u_char *ans,
  wait:
 	now = evNowTime();
  nonow:
-#ifndef USE_POLL
 	FD_ZERO(&dsmask);
 	FD_SET(s, &dsmask);
 	if (evCmpTime(finish, now) > 0)
@@ -870,17 +847,6 @@ send_dg(res_state statp, const u_char *buf, int buflen, u_char *ans,
 	else
 		timeout = evConsTime(0, 0);
 	n = pselect(s + 1, &dsmask, NULL, NULL, &timeout, NULL);
-#else
-	timeout = evSubTime(finish, now);
-	if (timeout.tv_sec < 0)
-		timeout = evConsTime(0, 0);
-	polltimeout = 1000*timeout.tv_sec +
-		timeout.tv_nsec/1000000;
-	pollfd.fd = s;
-	pollfd.events = POLLRDNORM;
-	n = poll(&pollfd, 1, polltimeout);
-#endif /* USE_POLL */
-
 	if (n == 0) {
 		Dprint(statp->options & RES_DEBUG, (stdout, ";; timeout\n"));
 		*gotsomewhere = 1;
@@ -889,11 +855,7 @@ send_dg(res_state statp, const u_char *buf, int buflen, u_char *ans,
 	if (n < 0) {
 		if (errno == EINTR)
 			goto wait;
-#ifndef USE_POLL
 		Perror(statp, stderr, "select", errno);
-#else
-		Perror(statp, stderr, "poll", errno);
-#endif /* USE_POLL */
 		res_nclose(statp);
 		return (0);
 	}
@@ -1062,7 +1024,7 @@ sock_eq(struct sockaddr *a, struct sockaddr *b) {
 	}
 }
 
-#if defined(NEED_PSELECT) && !defined(USE_POLL)
+#ifdef NEED_PSELECT
 /* XXX needs to move to the porting library. */
 static int
 pselect(int nfds, void *rfds, void *wfds, void *efds,
diff --git a/lib/bind/resolv/res_sendsigned.c b/lib/bind/resolv/res_sendsigned.c
index 93ad5c97..1984377a 100644
--- a/lib/bind/resolv/res_sendsigned.c
+++ b/lib/bind/resolv/res_sendsigned.c
@@ -52,7 +52,6 @@ res_nsendsigned(res_state statp, const u_char *msg, int msglen,
 	bufsize = msglen + 1024;
 	newmsg = (u_char *) malloc(bufsize);
 	if (newmsg == NULL) {
-		free(nstatp);
 		errno = ENOMEM;
 		return (-1);
 	}
@@ -103,11 +102,11 @@ res_nsendsigned(res_state statp, const u_char *msg, int msglen,
 retry:
 
 	len = res_nsend(nstatp, newmsg, newmsglen, answer, anslen);
-	if (len < 0) {
+	if (ret < 0) {
 		free (nstatp);
 		free (newmsg);
 		dst_free_key(dstkey);
-		return (len);
+		return (ret);
 	}
 
 	ret = ns_verify(answer, &len, dstkey, sig, siglen,
@@ -123,16 +122,8 @@ retry:
 			(stdout, "%s", ""),
 			answer, (anslen > len) ? len : anslen);
 
-		if (ret > 0) {
-			Dprint(statp->pfcode & RES_PRF_REPLY,
-			       (stdout, ";; server rejected TSIG (%s)\n",
-				p_rcode(ret)));
-		} else {
-			Dprint(statp->pfcode & RES_PRF_REPLY,
-			       (stdout, ";; TSIG invalid (%s)\n",
-				p_rcode(-ret)));
-		}
-
+		Dprint(statp->pfcode & RES_PRF_REPLY,
+		       (stdout, ";; TSIG invalid (%s)\n", p_rcode(ret)));
 		free (nstatp);
 		free (newmsg);
 		dst_free_key(dstkey);
diff --git a/lib/bind/resolv/res_update.c b/lib/bind/resolv/res_update.c
index c3229fd3..8783d8a7 100644
--- a/lib/bind/resolv/res_update.c
+++ b/lib/bind/resolv/res_update.c
@@ -1,5 +1,5 @@
 #if !defined(lint) && !defined(SABER)
-static const char rcsid[] = "$Id: res_update.c,v 1.6.2.6 2004/03/16 12:35:37 marka Exp $";
+static const char rcsid[] = "$Id: res_update.c,v 1.6.2.4.4.2 2004/03/16 12:34:20 marka Exp $";
 #endif /* not lint */
 
 /*
diff --git a/lib/bind9/Makefile.in b/lib/bind9/Makefile.in
new file mode 100644
index 00000000..9880478e
--- /dev/null
+++ b/lib/bind9/Makefile.in
@@ -0,0 +1,76 @@
+# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2001  Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.2.200.5 2004/03/08 09:04:26 marka Exp $
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+@BIND9_VERSION@
+
+@LIBBIND9_API@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =	-I. ${BIND9_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \
+		${ISCCFG_INCLUDES}
+
+CDEFINES =
+CWARNINGS =
+
+LIBS =		@LIBS@
+
+SUBDIRS =	include
+
+# Alphabetically
+OBJS =		check.@O@ getaddresses.@O@ version.@O@
+
+# Alphabetically
+SRCS =		check.c getaddresses.c version.c
+
+TARGETS = 	timestamp
+
+@BIND9_MAKE_RULES@
+
+version.@O@: version.c
+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+		-DVERSION=\"${VERSION}\" \
+		-DLIBINTERFACE=${LIBINTERFACE} \
+		-DLIBREVISION=${LIBREVISION} \
+		-DLIBAGE=${LIBAGE} \
+		-c ${srcdir}/version.c
+
+libbind9.@SA@: ${OBJS}
+	${AR} ${ARFLAGS} $@ ${OBJS}
+	${RANLIB} $@
+
+libbind9.la: ${OBJS}
+	${LIBTOOL_MODE_LINK} \
+		${CC} ${ALL_CFLAGS} -o libbind9.la -rpath ${libdir} \
+		-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
+		${OBJS} ${LIBS}
+
+timestamp: libbind9.@A@
+	touch timestamp
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
+
+install:: timestamp installdirs
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libbind9.@A@ ${DESTDIR}${libdir}
+
+clean distclean::
+	rm -f libbind9.@A@ timestamp
diff --git a/lib/bind9/api b/lib/bind9/api
new file mode 100644
index 00000000..494278e7
--- /dev/null
+++ b/lib/bind9/api
@@ -0,0 +1,3 @@
+LIBINTERFACE = 0
+LIBREVISION = 0
+LIBAGE = 0
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
new file mode 100644
index 00000000..a215be76
--- /dev/null
+++ b/lib/bind9/check.c
@@ -0,0 +1,1261 @@
+/*
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2001-2003  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: check.c,v 1.37.6.24 2004/03/10 02:55:57 marka Exp $ */
+
+#include <config.h>
+
+#include <stdlib.h>
+#include <string.h>
+
+#include <isc/buffer.h>
+#include <isc/log.h>
+#include <isc/mem.h>
+#include <isc/netaddr.h>
+#include <isc/parseint.h>
+#include <isc/region.h>
+#include <isc/result.h>
+#include <isc/sockaddr.h>
+#include <isc/symtab.h>
+#include <isc/util.h>
+
+#include <dns/fixedname.h>
+#include <dns/rdataclass.h>
+#include <dns/rdatatype.h>
+#include <dns/secalg.h>
+
+#include <isccfg/cfg.h>
+
+#include <bind9/check.h>
+
+static isc_result_t
+check_orderent(cfg_obj_t *ent, isc_log_t *logctx) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_result_t tresult;
+	isc_textregion_t r;
+	dns_fixedname_t fixed;
+	cfg_obj_t *obj;
+	dns_rdataclass_t rdclass;
+	dns_rdatatype_t rdtype;
+	isc_buffer_t b;
+	const char *str;
+
+	dns_fixedname_init(&fixed);
+	obj = cfg_tuple_get(ent, "class");
+	if (cfg_obj_isstring(obj)) {
+
+		DE_CONST(cfg_obj_asstring(obj), r.base);
+		r.length = strlen(r.base);
+		tresult = dns_rdataclass_fromtext(&rdclass, &r);
+		if (tresult != ISC_R_SUCCESS) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "rrset-order: invalid class '%s'",
+				    r.base);
+			result = ISC_R_FAILURE;
+		}
+	}
+
+	obj = cfg_tuple_get(ent, "type");
+	if (cfg_obj_isstring(obj)) {
+
+		DE_CONST(cfg_obj_asstring(obj), r.base);
+		r.length = strlen(r.base);
+		tresult = dns_rdatatype_fromtext(&rdtype, &r);
+		if (tresult != ISC_R_SUCCESS) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "rrset-order: invalid type '%s'",
+				    r.base);
+			result = ISC_R_FAILURE;
+		}
+	}
+
+	obj = cfg_tuple_get(ent, "name");
+	if (cfg_obj_isstring(obj)) {
+		str = cfg_obj_asstring(obj);
+		isc_buffer_init(&b, str, strlen(str));
+		isc_buffer_add(&b, strlen(str));
+		tresult = dns_name_fromtext(dns_fixedname_name(&fixed), &b,
+					    dns_rootname, ISC_FALSE, NULL);
+		if (tresult != ISC_R_SUCCESS) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "rrset-order: invalid name '%s'", str);
+			result = ISC_R_FAILURE;
+		}
+	}
+
+	obj = cfg_tuple_get(ent, "order");
+	if (!cfg_obj_isstring(obj) ||
+	    strcasecmp("order", cfg_obj_asstring(obj)) != 0) {
+		cfg_obj_log(ent, logctx, ISC_LOG_ERROR,
+			    "rrset-order: keyword 'order' missing");
+		result = ISC_R_FAILURE;
+	}
+
+	obj = cfg_tuple_get(ent, "ordering");
+	if (!cfg_obj_isstring(obj)) {
+	    cfg_obj_log(ent, logctx, ISC_LOG_ERROR,
+			"rrset-order: missing ordering");
+		result = ISC_R_FAILURE;
+	} else if (strcasecmp(cfg_obj_asstring(obj), "fixed") == 0) {
+		cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
+			    "rrset-order: order 'fixed' not implemented");
+	} else if (/* strcasecmp(cfg_obj_asstring(obj), "fixed") != 0 && */
+		   strcasecmp(cfg_obj_asstring(obj), "random") != 0 &&
+		   strcasecmp(cfg_obj_asstring(obj), "cyclic") != 0) {
+		cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+			    "rrset-order: invalid order '%s'",
+			    cfg_obj_asstring(obj));
+		result = ISC_R_FAILURE;
+	}
+	return (result);
+}
+
+static isc_result_t
+check_order(cfg_obj_t *options, isc_log_t *logctx) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_result_t tresult;
+	cfg_listelt_t *element;
+	cfg_obj_t *obj = NULL;
+
+	if (cfg_map_get(options, "rrset-order", &obj) != ISC_R_SUCCESS)
+		return (result);
+
+	for (element = cfg_list_first(obj);
+	     element != NULL;
+	     element = cfg_list_next(element))
+	{
+		tresult = check_orderent(cfg_listelt_value(element), logctx);
+		if (tresult != ISC_R_SUCCESS)
+			result = tresult;
+	}
+	return (result);
+}
+
+static isc_result_t
+check_dual_stack(cfg_obj_t *options, isc_log_t *logctx) {
+	cfg_listelt_t *element;
+	cfg_obj_t *alternates = NULL;
+	cfg_obj_t *value;
+	cfg_obj_t *obj;
+	char *str;
+	dns_fixedname_t fixed;
+	dns_name_t *name;
+	isc_buffer_t buffer;
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_result_t tresult;
+
+	(void)cfg_map_get(options, "dual-stack-servers", &alternates);
+
+	if (alternates == NULL)
+		return (ISC_R_SUCCESS);
+
+	obj = cfg_tuple_get(alternates, "port");
+	if (cfg_obj_isuint32(obj)) {
+		isc_uint32_t val = cfg_obj_asuint32(obj);
+		if (val > ISC_UINT16_MAX) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "port '%u' out of range", val);
+			result = ISC_R_FAILURE;
+		}
+	}
+	obj = cfg_tuple_get(alternates, "addresses");
+	for (element = cfg_list_first(obj);
+	     element != NULL;
+	     element = cfg_list_next(element)) {
+		value = cfg_listelt_value(element);
+		if (cfg_obj_issockaddr(value))
+			continue;
+		obj = cfg_tuple_get(value, "name");
+		str = cfg_obj_asstring(obj);
+		isc_buffer_init(&buffer, str, strlen(str));
+		isc_buffer_add(&buffer, strlen(str));
+		dns_fixedname_init(&fixed);
+		name = dns_fixedname_name(&fixed);
+		tresult = dns_name_fromtext(name, &buffer, dns_rootname,
+					   ISC_FALSE, NULL);
+		if (tresult != ISC_R_SUCCESS) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "bad name '%s'", str);
+			result = ISC_R_FAILURE;
+		}
+		obj = cfg_tuple_get(value, "port");
+		if (cfg_obj_isuint32(obj)) {
+			isc_uint32_t val = cfg_obj_asuint32(obj);
+			if (val > ISC_UINT16_MAX) {
+				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+					    "port '%u' out of range", val);
+				result = ISC_R_FAILURE;
+			}
+		}
+	}
+	return (result);
+}
+
+static isc_result_t
+check_forward(cfg_obj_t *options, isc_log_t *logctx) {
+	cfg_obj_t *forward = NULL;
+	cfg_obj_t *forwarders = NULL;
+
+	(void)cfg_map_get(options, "forward", &forward);
+	(void)cfg_map_get(options, "forwarders", &forwarders);
+
+	if (forward != NULL && forwarders == NULL) {
+		cfg_obj_log(forward, logctx, ISC_LOG_ERROR,
+			    "no matching 'forwarders' statement");
+		return (ISC_R_FAILURE);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+disabled_algorithms(cfg_obj_t *disabled, isc_log_t *logctx) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_result_t tresult;
+	cfg_listelt_t *element;
+	const char *str;
+	isc_buffer_t b;
+	dns_fixedname_t fixed;
+	dns_name_t *name;
+	cfg_obj_t *obj;
+
+	dns_fixedname_init(&fixed);
+	name = dns_fixedname_name(&fixed);
+	obj = cfg_tuple_get(disabled, "name");
+	str = cfg_obj_asstring(obj);
+	isc_buffer_init(&b, str, strlen(str));
+	isc_buffer_add(&b, strlen(str));
+	tresult = dns_name_fromtext(name, &b, dns_rootname, ISC_FALSE, NULL);
+	if (tresult != ISC_R_SUCCESS) {
+		cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+			    "bad domain name '%s'", str);
+		result = tresult;
+	}
+
+	obj = cfg_tuple_get(disabled, "algorithms");
+
+	for (element = cfg_list_first(obj);
+	     element != NULL;
+	     element = cfg_list_next(element))
+	{
+		isc_textregion_t r;
+		dns_secalg_t alg;
+		isc_result_t tresult;
+
+		r.base = cfg_obj_asstring(cfg_listelt_value(element));
+		r.length = strlen(r.base);
+
+		tresult = dns_secalg_fromtext(&alg, &r);
+		if (tresult != ISC_R_SUCCESS) {
+			isc_uint8_t ui;
+			result = isc_parse_uint8(&ui, r.base, 10);
+		}
+		if (tresult != ISC_R_SUCCESS) {
+			cfg_obj_log(cfg_listelt_value(element), logctx,
+				    ISC_LOG_ERROR, "invalid algorithm");
+			result = tresult;
+		}
+	}
+	return (result);
+}
+
+typedef struct {
+	const char *name;
+	unsigned int scale;
+	unsigned int max;
+} intervaltable;
+
+static isc_result_t
+check_options(cfg_obj_t *options, isc_log_t *logctx) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_result_t tresult;
+	unsigned int i;
+	cfg_obj_t *obj = NULL;
+	cfg_listelt_t *element;
+
+	static intervaltable intervals[] = {
+	{ "cleaning-interval", 60, 28 * 24 * 60 },	/* 28 days */
+	{ "heartbeat-interval", 60, 28 * 24 * 60 },	/* 28 days */
+	{ "interface-interval", 60, 28 * 24 * 60 },	/* 28 days */
+	{ "max-transfer-idle-in", 60, 28 * 24 * 60 },	/* 28 days */
+	{ "max-transfer-idle-out", 60, 28 * 24 * 60 },	/* 28 days */
+	{ "max-transfer-time-in", 60, 28 * 24 * 60 },	/* 28 days */
+	{ "max-transfer-time-out", 60, 28 * 24 * 60 },	/* 28 days */
+	{ "sig-validity-interval", 86400, 10 * 366 },	/* 10 years */
+	{ "statistics-interval", 60, 28 * 24 * 60 },	/* 28 days */
+	};
+
+	/*
+	 * Check that fields specified in units of time other than seconds
+	 * have reasonable values.
+	 */
+	for (i = 0; i < sizeof(intervals) / sizeof(intervals[0]); i++) {
+		isc_uint32_t val;
+		obj = NULL;
+		(void)cfg_map_get(options, intervals[i].name, &obj);
+		if (obj == NULL)
+			continue;
+		val = cfg_obj_asuint32(obj);
+		if (val > intervals[i].max) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "%s '%u' is out of range (0..%u)",
+				    intervals[i].name, val,
+				    intervals[i].max);
+			result = ISC_R_RANGE;
+		} else if (val > (ISC_UINT32_MAX / intervals[i].scale)) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "%s '%d' is out of range",
+				    intervals[i].name, val);
+			result = ISC_R_RANGE;
+		}
+	}
+	obj = NULL;
+	(void)cfg_map_get(options, "preferred-glue", &obj);
+	if (obj != NULL) {
+		const char *str;
+                str = cfg_obj_asstring(obj);
+                if (strcasecmp(str, "a") != 0 &&
+		    strcasecmp(str, "aaaa") != 0 &&
+		    strcasecmp(str, "none") != 0)
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "preferred-glue unexpected value '%s'",
+				    str);
+	}
+	obj = NULL;
+	(void)cfg_map_get(options, "root-delegation-only", &obj);
+	if (obj != NULL) {
+		if (!cfg_obj_isvoid(obj)) {
+			cfg_listelt_t *element;
+			cfg_obj_t *exclude;
+			char *str;
+			dns_fixedname_t fixed;
+			dns_name_t *name;
+			isc_buffer_t b;
+
+			dns_fixedname_init(&fixed);
+			name = dns_fixedname_name(&fixed);
+			for (element = cfg_list_first(obj);
+			     element != NULL;
+			     element = cfg_list_next(element)) {
+				exclude = cfg_listelt_value(element);
+				str = cfg_obj_asstring(exclude);
+				isc_buffer_init(&b, str, strlen(str));
+				isc_buffer_add(&b, strlen(str));
+				tresult = dns_name_fromtext(name, &b,
+							   dns_rootname,
+                                                           ISC_FALSE, NULL);
+				if (tresult != ISC_R_SUCCESS) {
+					cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+						    "bad domain name '%s'",
+						    str);
+					result = tresult;
+				}
+			}
+		}
+	}
+       
+	/*
+	 * Set supported DNSSEC algorithms.
+	 */
+	obj = NULL;
+	(void)cfg_map_get(options, "disable-algorithms", &obj);
+	if (obj != NULL) {
+		for (element = cfg_list_first(obj);
+		     element != NULL;
+		     element = cfg_list_next(element))
+		{
+			obj = cfg_listelt_value(element);
+			tresult = disabled_algorithms(obj, logctx);
+			if (tresult != ISC_R_SUCCESS)
+				result = tresult;
+		}
+	}
+
+	/*
+	 * Check the DLV zone name.
+	 */
+	obj = NULL;
+	(void)cfg_map_get(options, "dnssec-lookaside", &obj);
+	if (obj != NULL) {
+		dns_fixedname_t fixedname;
+		const char *dlv;
+		isc_buffer_t b;
+
+		dlv = cfg_obj_asstring(obj);
+		dns_fixedname_init(&fixedname);
+		isc_buffer_init(&b, dlv, strlen(dlv));
+		isc_buffer_add(&b, strlen(dlv));
+		tresult = dns_name_fromtext(dns_fixedname_name(&fixedname), &b,
+					   dns_rootname, ISC_TRUE, NULL);
+		if (tresult != ISC_R_SUCCESS) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "bad domain name '%s'", dlv);
+			result = tresult;
+		}
+	}
+	return (result);
+}
+
+static isc_result_t
+get_masters_def(cfg_obj_t *cctx, char *name, cfg_obj_t **ret) {
+	isc_result_t result;
+	cfg_obj_t *masters = NULL;
+	cfg_listelt_t *elt;
+
+	result = cfg_map_get(cctx, "masters", &masters);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	for (elt = cfg_list_first(masters);
+	     elt != NULL;
+	     elt = cfg_list_next(elt)) {
+		cfg_obj_t *list;
+		const char *listname;
+
+		list = cfg_listelt_value(elt);
+		listname = cfg_obj_asstring(cfg_tuple_get(list, "name"));
+
+		if (strcasecmp(listname, name) == 0) {
+			*ret = list;
+			return (ISC_R_SUCCESS);
+		}
+	}
+	return (ISC_R_NOTFOUND);
+}
+
+static isc_result_t
+validate_masters(cfg_obj_t *obj, cfg_obj_t *config, isc_uint32_t *countp,
+		 isc_log_t *logctx, isc_mem_t *mctx)
+{
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_result_t tresult;
+	isc_uint32_t count = 0;
+	isc_symtab_t *symtab = NULL;
+	isc_symvalue_t symvalue;
+	cfg_listelt_t *element;
+	cfg_listelt_t **stack = NULL;
+	isc_uint32_t stackcount = 0, pushed = 0;
+	cfg_obj_t *list;
+
+	REQUIRE(countp != NULL);
+	result = isc_symtab_create(mctx, 100, NULL, NULL, ISC_FALSE, &symtab);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+ newlist:
+	list = cfg_tuple_get(obj, "addresses");
+	element = cfg_list_first(list);
+ resume:	
+	for ( ;
+	     element != NULL;
+	     element = cfg_list_next(element))
+	{
+		char *listname;
+		cfg_obj_t *addr;
+		cfg_obj_t *key;
+
+		addr = cfg_tuple_get(cfg_listelt_value(element),
+				     "masterselement");
+		key = cfg_tuple_get(cfg_listelt_value(element), "key");
+
+		if (cfg_obj_issockaddr(addr)) {
+			count++;
+			continue;
+		}
+		if (!cfg_obj_isvoid(key)) {
+			cfg_obj_log(key, logctx, ISC_LOG_ERROR,
+				    "unexpected token '%s'",
+				    cfg_obj_asstring(key));
+			if (result == ISC_R_SUCCESS)
+				result = ISC_R_FAILURE;
+		}
+		listname = cfg_obj_asstring(addr);
+		symvalue.as_pointer = addr;
+		tresult = isc_symtab_define(symtab, listname, 1, symvalue,
+					    isc_symexists_reject);
+		if (tresult == ISC_R_EXISTS)
+			continue;
+		tresult = get_masters_def(config, listname, &obj);
+		if (tresult != ISC_R_SUCCESS) {
+			if (result == ISC_R_SUCCESS)
+				result = tresult;
+			cfg_obj_log(addr, logctx, ISC_LOG_ERROR,
+				    "unable to find masters list '%s'",
+				    listname);
+			continue;
+		}
+		/* Grow stack? */
+		if (stackcount == pushed) {
+			void * new;
+			isc_uint32_t newlen = stackcount + 16;
+			size_t newsize, oldsize;
+
+			newsize = newlen * sizeof(*stack);
+			oldsize = stackcount * sizeof(*stack);
+			new = isc_mem_get(mctx, newsize);
+			if (new == NULL)
+				goto cleanup;
+			if (stackcount != 0) {
+				memcpy(new, stack, oldsize);
+				isc_mem_put(mctx, stack, oldsize);
+			}
+			stack = new;
+			stackcount = newlen;
+		}
+		stack[pushed++] = cfg_list_next(element);
+		goto newlist;
+	}
+	if (pushed != 0) {
+		element = stack[--pushed];
+		goto resume;
+	}
+ cleanup:
+	if (stack != NULL)
+		isc_mem_put(mctx, stack, stackcount * sizeof(*stack));
+	isc_symtab_destroy(&symtab);
+	*countp = count;
+	return (result);
+}
+
+#define MASTERZONE	1
+#define SLAVEZONE	2
+#define STUBZONE	4
+#define HINTZONE	8
+#define FORWARDZONE	16
+#define DELEGATIONZONE	32
+
+typedef struct {
+	const char *name;
+	int allowed;
+} optionstable;
+
+static isc_result_t
+check_zoneconf(cfg_obj_t *zconfig, cfg_obj_t *config, isc_symtab_t *symtab,
+	       dns_rdataclass_t defclass, isc_log_t *logctx, isc_mem_t *mctx)
+{
+	const char *zname;
+	const char *typestr;
+	unsigned int ztype;
+	cfg_obj_t *zoptions;
+	cfg_obj_t *obj = NULL;
+	isc_symvalue_t symvalue;
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_result_t tresult;
+	unsigned int i;
+	dns_rdataclass_t zclass;
+	dns_fixedname_t fixedname;
+	isc_buffer_t b;
+
+	static optionstable options[] = {
+	{ "allow-query", MASTERZONE | SLAVEZONE | STUBZONE },
+	{ "allow-notify", SLAVEZONE },
+	{ "allow-transfer", MASTERZONE | SLAVEZONE },
+	{ "notify", MASTERZONE | SLAVEZONE },
+	{ "also-notify", MASTERZONE | SLAVEZONE },
+	{ "dialup", MASTERZONE | SLAVEZONE | STUBZONE },
+	{ "delegation-only", HINTZONE | STUBZONE },
+	{ "forward", MASTERZONE | SLAVEZONE | STUBZONE | FORWARDZONE},
+	{ "forwarders", MASTERZONE | SLAVEZONE | STUBZONE | FORWARDZONE},
+	{ "maintain-ixfr-base", MASTERZONE | SLAVEZONE },
+	{ "max-ixfr-log-size", MASTERZONE | SLAVEZONE },
+	{ "notify-source", MASTERZONE | SLAVEZONE },
+	{ "notify-source-v6", MASTERZONE | SLAVEZONE },
+	{ "transfer-source", SLAVEZONE | STUBZONE },
+	{ "transfer-source-v6", SLAVEZONE | STUBZONE },
+	{ "max-transfer-time-in", SLAVEZONE | STUBZONE },
+	{ "max-transfer-time-out", MASTERZONE | SLAVEZONE },
+	{ "max-transfer-idle-in", SLAVEZONE | STUBZONE },
+	{ "max-transfer-idle-out", MASTERZONE | SLAVEZONE },
+	{ "max-retry-time", SLAVEZONE | STUBZONE },
+	{ "min-retry-time", SLAVEZONE | STUBZONE },
+	{ "max-refresh-time", SLAVEZONE | STUBZONE },
+	{ "min-refresh-time", SLAVEZONE | STUBZONE },
+	{ "sig-validity-interval", MASTERZONE },
+	{ "zone-statistics", MASTERZONE | SLAVEZONE | STUBZONE },
+	{ "allow-update", MASTERZONE },
+	{ "allow-update-forwarding", SLAVEZONE },
+	{ "file", MASTERZONE | SLAVEZONE | STUBZONE | HINTZONE},
+	{ "ixfr-base", MASTERZONE | SLAVEZONE },
+	{ "ixfr-tmp-file", MASTERZONE | SLAVEZONE },
+	{ "masters", SLAVEZONE | STUBZONE },
+	{ "pubkey", MASTERZONE | SLAVEZONE | STUBZONE },
+	{ "update-policy", MASTERZONE },
+	{ "database", MASTERZONE | SLAVEZONE | STUBZONE },
+	{ "key-directory", MASTERZONE },
+	};
+
+	static optionstable dialups[] = {
+	{ "notify", MASTERZONE | SLAVEZONE },
+	{ "notify-passive", SLAVEZONE },
+	{ "refresh", SLAVEZONE | STUBZONE },
+	{ "passive", SLAVEZONE | STUBZONE },
+	};
+
+	zname = cfg_obj_asstring(cfg_tuple_get(zconfig, "name"));
+
+	zoptions = cfg_tuple_get(zconfig, "options");
+
+	obj = NULL;
+	(void)cfg_map_get(zoptions, "type", &obj);
+	if (obj == NULL) {
+		cfg_obj_log(zconfig, logctx, ISC_LOG_ERROR,
+			    "zone '%s': type not present", zname);
+		return (ISC_R_FAILURE);
+	}
+
+	typestr = cfg_obj_asstring(obj);
+	if (strcasecmp(typestr, "master") == 0)
+		ztype = MASTERZONE;
+	else if (strcasecmp(typestr, "slave") == 0)
+		ztype = SLAVEZONE;
+	else if (strcasecmp(typestr, "stub") == 0)
+		ztype = STUBZONE;
+	else if (strcasecmp(typestr, "forward") == 0)
+		ztype = FORWARDZONE;
+	else if (strcasecmp(typestr, "hint") == 0)
+		ztype = HINTZONE;
+	else if (strcasecmp(typestr, "delegation-only") == 0)
+		ztype = DELEGATIONZONE;
+	else {
+		cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+			    "zone '%s': invalid type %s",
+			    zname, typestr);
+		return (ISC_R_FAILURE);
+	}
+
+	obj = cfg_tuple_get(zconfig, "class");
+	if (cfg_obj_isstring(obj)) {
+		isc_textregion_t r;
+
+		DE_CONST(cfg_obj_asstring(obj), r.base);
+		r.length = strlen(r.base);
+		result = dns_rdataclass_fromtext(&zclass, &r);
+		if (result != ISC_R_SUCCESS) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "zone '%s': invalid class %s",
+				    zname, r.base);
+			return (ISC_R_FAILURE);
+		}
+		if (zclass != defclass) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "zone '%s': class '%s' does not "
+				    "match view/default class",
+				    zname, r.base);
+			return (ISC_R_FAILURE);
+		}
+	}
+
+	/*
+	 * Look for an already existing zone.
+	 * We need to make this cannonical as isc_symtab_define()
+	 * deals with strings.
+	 */
+	dns_fixedname_init(&fixedname);
+	isc_buffer_init(&b, zname, strlen(zname));
+	isc_buffer_add(&b, strlen(zname));
+	result = dns_name_fromtext(dns_fixedname_name(&fixedname), &b,
+				   dns_rootname, ISC_TRUE, NULL);
+	if (result != ISC_R_SUCCESS) {
+		cfg_obj_log(zconfig, logctx, ISC_LOG_ERROR,
+			    "zone '%s': is not a valid name", zname);
+		result = ISC_R_FAILURE;
+	} else {
+		char namebuf[DNS_NAME_FORMATSIZE];
+		char *key;
+
+		dns_name_format(dns_fixedname_name(&fixedname),
+				namebuf, sizeof(namebuf));
+		key = isc_mem_strdup(mctx, namebuf);
+		if (key == NULL)
+			return (ISC_R_NOMEMORY);
+		symvalue.as_pointer = zconfig;
+		tresult = isc_symtab_define(symtab, key,
+					    ztype == HINTZONE ? 1 : 2,
+					    symvalue, isc_symexists_reject);
+		if (tresult == ISC_R_EXISTS) {
+			const char *file;
+			unsigned int line;
+
+			RUNTIME_CHECK(isc_symtab_lookup(symtab, key,
+					    ztype == HINTZONE ? 1 : 2,
+					    &symvalue) == ISC_R_SUCCESS);
+			isc_mem_free(mctx, key);
+			file = cfg_obj_file(symvalue.as_pointer);
+			line = cfg_obj_line(symvalue.as_pointer);
+
+			if (file == NULL)
+				file = "<unknown file>";
+			cfg_obj_log(zconfig, logctx, ISC_LOG_ERROR,
+				    "zone '%s': already exists "
+				    "previous definition: %s:%u",
+				    zname, file, line);
+			result = ISC_R_FAILURE;
+		} else if (tresult != ISC_R_SUCCESS) {
+			isc_mem_strdup(mctx, key);
+			return (tresult);
+		}
+	}
+
+	/*
+	 * Look for inappropriate options for the given zone type.
+	 */
+	for (i = 0; i < sizeof(options) / sizeof(options[0]); i++) {
+		obj = NULL;
+		if ((options[i].allowed & ztype) == 0 &&
+		    cfg_map_get(zoptions, options[i].name, &obj) ==
+		    ISC_R_SUCCESS)
+		{
+			if (strcmp(options[i].name, "allow-update") != 0 ||
+			    ztype != SLAVEZONE) {
+				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+					    "option '%s' is not allowed "
+					    "in '%s' zone '%s'",
+					    options[i].name, typestr, zname);
+					result = ISC_R_FAILURE;
+			} else
+				cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
+					    "option '%s' is not allowed "
+					    "in '%s' zone '%s'",
+					    options[i].name, typestr, zname);
+		}
+	}
+
+	/*
+	 * Slave & stub zones must have a "masters" field.
+	 */
+	if (ztype == SLAVEZONE || ztype == STUBZONE) {
+		obj = NULL;
+		if (cfg_map_get(zoptions, "masters", &obj) != ISC_R_SUCCESS) {
+			cfg_obj_log(zoptions, logctx, ISC_LOG_ERROR,
+				    "zone '%s': missing 'masters' entry",
+				    zname);
+			result = ISC_R_FAILURE;
+		} else {
+			isc_uint32_t count;
+			tresult = validate_masters(obj, config, &count,
+						   logctx, mctx);
+			if (tresult != ISC_R_SUCCESS && result == ISC_R_SUCCESS)
+				result = tresult;
+			if (tresult == ISC_R_SUCCESS && count == 0) {
+				cfg_obj_log(zoptions, logctx, ISC_LOG_ERROR,
+					    "zone '%s': empty 'masters' entry",
+					    zname);
+				result = ISC_R_FAILURE;
+			}
+		}
+	}
+
+	/*
+	 * Master zones can't have both "allow-update" and "update-policy".
+	 */
+	if (ztype == MASTERZONE) {
+		isc_result_t res1, res2;
+		obj = NULL;
+		res1 = cfg_map_get(zoptions, "allow-update", &obj);
+		obj = NULL;
+		res2 = cfg_map_get(zoptions, "update-policy", &obj);
+		if (res1 == ISC_R_SUCCESS && res2 == ISC_R_SUCCESS) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "zone '%s': 'allow-update' is ignored "
+				    "when 'update-policy' is present",
+				    zname);
+			result = ISC_R_FAILURE;
+		}
+	}
+
+	/*
+	 * Check the excessively complicated "dialup" option.
+	 */
+	if (ztype == MASTERZONE || ztype == SLAVEZONE || ztype == STUBZONE) {
+		cfg_obj_t *dialup = NULL;
+		(void)cfg_map_get(zoptions, "dialup", &dialup);
+		if (dialup != NULL && cfg_obj_isstring(dialup)) {
+			char *str = cfg_obj_asstring(dialup);
+			for (i = 0;
+			     i < sizeof(dialups) / sizeof(dialups[0]);
+			     i++)
+			{
+				if (strcasecmp(dialups[i].name, str) != 0)
+					continue;
+				if ((dialups[i].allowed & ztype) == 0) {
+					cfg_obj_log(obj, logctx,
+						    ISC_LOG_ERROR,
+						    "dialup type '%s' is not "
+						    "allowed in '%s' "
+						    "zone '%s'",
+						    str, typestr, zname);
+					result = ISC_R_FAILURE;
+				}
+				break;
+			}
+			if (i == sizeof(dialups) / sizeof(dialups[0])) {
+				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+					    "invalid dialup type '%s' in zone "
+					    "'%s'", str, zname);
+				result = ISC_R_FAILURE;
+			}
+		}
+	}
+
+	/*
+	 * Check that forwarding is reasonable.
+	 */
+	if (check_forward(zoptions, logctx) != ISC_R_SUCCESS)
+		result = ISC_R_FAILURE;
+
+	/*
+	 * Check various options.
+	 */
+	tresult = check_options(zoptions, logctx);
+	if (tresult != ISC_R_SUCCESS)
+		result = tresult;
+
+	return (result);
+}
+
+isc_result_t
+bind9_check_key(cfg_obj_t *key, isc_log_t *logctx) {
+	cfg_obj_t *algobj = NULL;
+	cfg_obj_t *secretobj = NULL;
+	const char *keyname = cfg_obj_asstring(cfg_map_getname(key));
+	
+	(void)cfg_map_get(key, "algorithm", &algobj);
+	(void)cfg_map_get(key, "secret", &secretobj);
+	if (secretobj == NULL || algobj == NULL) {
+		cfg_obj_log(key, logctx, ISC_LOG_ERROR,
+			    "key '%s' must have both 'secret' and "
+			    "'algorithm' defined",
+			    keyname);
+		return (ISC_R_FAILURE);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+check_keylist(cfg_obj_t *keys, isc_symtab_t *symtab, isc_log_t *logctx) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_result_t tresult;
+	cfg_listelt_t *element;
+
+	for (element = cfg_list_first(keys);
+	     element != NULL;
+	     element = cfg_list_next(element))
+	{
+		cfg_obj_t *key = cfg_listelt_value(element);
+		const char *keyname = cfg_obj_asstring(cfg_map_getname(key));
+		isc_symvalue_t symvalue;
+
+		symvalue.as_pointer = key;
+		tresult = isc_symtab_define(symtab, keyname, 1,
+					    symvalue, isc_symexists_reject);
+		if (tresult == ISC_R_EXISTS) {
+			const char *file;
+			unsigned int line;
+
+			RUNTIME_CHECK(isc_symtab_lookup(symtab, keyname,
+					    1, &symvalue) == ISC_R_SUCCESS);
+			file = cfg_obj_file(symvalue.as_pointer);
+			line = cfg_obj_line(symvalue.as_pointer);
+
+			if (file == NULL)
+				file = "<unknown file>";
+			cfg_obj_log(key, logctx, ISC_LOG_ERROR,
+				    "key '%s': already exists "
+				    "previous definition: %s:%u",
+				    keyname, file, line);
+			result = tresult;
+		} else if (tresult != ISC_R_SUCCESS)
+			return (tresult);
+
+		tresult = bind9_check_key(key, logctx);
+		if (tresult != ISC_R_SUCCESS)
+			return (tresult);
+	}
+	return (result);
+}
+
+static void
+freekey(char *key, unsigned int type, isc_symvalue_t value, void *userarg) {
+	UNUSED(type);
+	UNUSED(value);
+	isc_mem_free(userarg, key);
+}
+
+static isc_result_t
+check_servers(cfg_obj_t *servers, isc_log_t *logctx) {
+	isc_result_t result = ISC_R_SUCCESS;
+	cfg_listelt_t *e1, *e2;
+	cfg_obj_t *v1, *v2;
+	isc_sockaddr_t *s1, *s2;
+	isc_netaddr_t na;
+	cfg_obj_t *ts;
+	char buf[128];
+	const char *xfr;
+	isc_buffer_t target;
+
+	for (e1 = cfg_list_first(servers); e1 != NULL; e1 = cfg_list_next(e1)) {
+		v1 = cfg_listelt_value(e1);
+		s1 = cfg_obj_assockaddr(cfg_map_getname(v1));
+		ts = NULL;
+		if (isc_sockaddr_pf(s1) == AF_INET)
+			xfr = "transfer-source-v6";
+		else
+			xfr = "transfer-source";
+		(void)cfg_map_get(v1, xfr, &ts);
+		if (ts != NULL) {
+			isc_netaddr_fromsockaddr(&na, s1);
+			isc_buffer_init(&target, buf, sizeof(buf) - 1);
+			RUNTIME_CHECK(isc_netaddr_totext(&na, &target)
+				      == ISC_R_SUCCESS);
+			buf[isc_buffer_usedlength(&target)] = '\0';
+			cfg_obj_log(v1, logctx, ISC_LOG_ERROR,
+				    "server '%s': %s not valid", buf, xfr);
+			result = ISC_R_FAILURE;
+		}
+		e2 = e1;
+		while ((e2 = cfg_list_next(e2)) != NULL) {
+			v2 = cfg_listelt_value(e2);
+			s2 = cfg_obj_assockaddr(cfg_map_getname(v2));
+			if (isc_sockaddr_eqaddr(s1, s2)) {
+				const char *file = cfg_obj_file(v1);
+				unsigned int line = cfg_obj_line(v1);
+
+				if (file == NULL)
+					file = "<unknown file>";
+
+				isc_netaddr_fromsockaddr(&na, s2);
+				isc_buffer_init(&target, buf, sizeof(buf) - 1);
+				RUNTIME_CHECK(isc_netaddr_totext(&na, &target)
+					      == ISC_R_SUCCESS);
+				buf[isc_buffer_usedlength(&target)] = '\0';
+
+				cfg_obj_log(v2, logctx, ISC_LOG_ERROR,
+					    "server '%s': already exists "
+					    "previous definition: %s:%u",
+					    buf, file, line);
+				result = ISC_R_FAILURE;
+			}
+		}
+	}
+	return (result);
+}
+		
+static isc_result_t
+check_viewconf(cfg_obj_t *config, cfg_obj_t *vconfig, dns_rdataclass_t vclass,
+	       isc_log_t *logctx, isc_mem_t *mctx)
+{
+	cfg_obj_t *servers = NULL;
+	cfg_obj_t *zones = NULL;
+	cfg_obj_t *keys = NULL;
+	cfg_listelt_t *element;
+	isc_symtab_t *symtab = NULL;
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_result_t tresult = ISC_R_SUCCESS;
+
+	/*
+	 * Check that all zone statements are syntactically correct and
+	 * there are no duplicate zones.
+	 */
+	tresult = isc_symtab_create(mctx, 100, freekey, mctx,
+				    ISC_TRUE, &symtab);
+	if (tresult != ISC_R_SUCCESS)
+		return (ISC_R_NOMEMORY);
+
+	if (vconfig != NULL)
+		(void)cfg_map_get(vconfig, "zone", &zones);
+	else
+		(void)cfg_map_get(config, "zone", &zones);
+
+	for (element = cfg_list_first(zones);
+	     element != NULL;
+	     element = cfg_list_next(element))
+	{
+		isc_result_t tresult;
+		cfg_obj_t *zone = cfg_listelt_value(element);
+
+		tresult = check_zoneconf(zone, config, symtab, vclass,
+					 logctx, mctx);
+		if (tresult != ISC_R_SUCCESS)
+			result = ISC_R_FAILURE;
+	}
+
+	isc_symtab_destroy(&symtab);
+
+	/*
+	 * Check that all key statements are syntactically correct and
+	 * there are no duplicate keys.
+	 */
+	tresult = isc_symtab_create(mctx, 100, NULL, NULL, ISC_TRUE, &symtab);
+	if (tresult != ISC_R_SUCCESS)
+		return (ISC_R_NOMEMORY);
+
+	(void)cfg_map_get(config, "key", &keys);
+	tresult = check_keylist(keys, symtab, logctx);
+	if (tresult == ISC_R_EXISTS)
+		result = ISC_R_FAILURE;
+	else if (tresult != ISC_R_SUCCESS) {
+		isc_symtab_destroy(&symtab);
+		return (tresult);
+	}
+	
+	if (vconfig != NULL) {
+		keys = NULL;
+		(void)cfg_map_get(vconfig, "key", &keys);
+		tresult = check_keylist(keys, symtab, logctx);
+		if (tresult == ISC_R_EXISTS)
+			result = ISC_R_FAILURE;
+		else if (tresult != ISC_R_SUCCESS) {
+			isc_symtab_destroy(&symtab);
+			return (tresult);
+		}
+	}
+
+	isc_symtab_destroy(&symtab);
+
+	/*
+	 * Check that forwarding is reasonable.
+	 */
+	if (vconfig == NULL) {
+		cfg_obj_t *options = NULL;
+		(void)cfg_map_get(config, "options", &options);
+		if (options != NULL)
+			if (check_forward(options, logctx) != ISC_R_SUCCESS)
+				result = ISC_R_FAILURE;
+	} else {
+		if (check_forward(vconfig, logctx) != ISC_R_SUCCESS)
+			result = ISC_R_FAILURE;
+	}
+	/*
+	 * Check that dual-stack-servers is reasonable.
+	 */
+	if (vconfig == NULL) {
+		cfg_obj_t *options = NULL;
+		(void)cfg_map_get(config, "options", &options);
+		if (options != NULL)
+			if (check_dual_stack(options, logctx) != ISC_R_SUCCESS)
+				result = ISC_R_FAILURE;
+	} else {
+		if (check_dual_stack(vconfig, logctx) != ISC_R_SUCCESS)
+			result = ISC_R_FAILURE;
+	}
+
+	/*
+	 * Check that rrset-order is reasonable.
+	 */
+	if (vconfig != NULL) {
+		if (check_order(vconfig, logctx) != ISC_R_SUCCESS)
+			result = ISC_R_FAILURE;
+	}
+
+	if (vconfig != NULL) {
+		(void)cfg_map_get(vconfig, "server", &servers);
+		if (servers != NULL &&
+		    check_servers(servers, logctx) != ISC_R_SUCCESS)
+			result = ISC_R_FAILURE;
+	}
+
+	if (vconfig != NULL)
+		tresult = check_options(vconfig, logctx);
+	else
+		tresult = check_options(config, logctx);
+	if (tresult != ISC_R_SUCCESS)
+		result = tresult;
+
+	return (result);
+}
+
+
+isc_result_t
+bind9_check_namedconf(cfg_obj_t *config, isc_log_t *logctx, isc_mem_t *mctx) {
+	cfg_obj_t *options = NULL;
+	cfg_obj_t *servers = NULL;
+	cfg_obj_t *views = NULL;
+	cfg_obj_t *acls = NULL;
+	cfg_obj_t *kals = NULL;
+	cfg_obj_t *obj;
+	cfg_listelt_t *velement;
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_result_t tresult;
+
+	static const char *builtin[] = { "localhost", "localnets",
+					 "any", "none"};
+
+	(void)cfg_map_get(config, "options", &options);
+
+	if (options != NULL &&
+	    check_options(options, logctx) != ISC_R_SUCCESS)
+		result = ISC_R_FAILURE;
+
+	(void)cfg_map_get(config, "server", &servers);
+	if (servers != NULL &&
+	    check_servers(servers, logctx) != ISC_R_SUCCESS)
+		result = ISC_R_FAILURE;
+
+	if (options != NULL && 
+	    check_order(options, logctx) != ISC_R_SUCCESS)
+		result = ISC_R_FAILURE;
+
+	(void)cfg_map_get(config, "view", &views);
+
+	if (views != NULL && options != NULL)
+		if (check_dual_stack(options, logctx) != ISC_R_SUCCESS)
+			result = ISC_R_FAILURE;
+
+	if (views == NULL) {
+		if (check_viewconf(config, NULL, dns_rdataclass_in,
+				   logctx, mctx) != ISC_R_SUCCESS)
+			result = ISC_R_FAILURE;
+	} else {
+		cfg_obj_t *zones = NULL;
+
+		(void)cfg_map_get(config, "zone", &zones);
+		if (zones != NULL) {
+			cfg_obj_log(zones, logctx, ISC_LOG_ERROR,
+				    "when using 'view' statements, "
+				    "all zones must be in views");
+			result = ISC_R_FAILURE;
+		}
+	}
+
+	for (velement = cfg_list_first(views);
+	     velement != NULL;
+	     velement = cfg_list_next(velement))
+	{
+		cfg_obj_t *view = cfg_listelt_value(velement);
+		cfg_obj_t *vname = cfg_tuple_get(view, "name");
+		cfg_obj_t *voptions = cfg_tuple_get(view, "options");
+		cfg_obj_t *vclassobj = cfg_tuple_get(view, "class");
+		dns_rdataclass_t vclass = dns_rdataclass_in;
+		isc_result_t tresult = ISC_R_SUCCESS;
+
+		if (cfg_obj_isstring(vclassobj)) {
+			isc_textregion_t r;
+
+			DE_CONST(cfg_obj_asstring(vclassobj), r.base);
+			r.length = strlen(r.base);
+			tresult = dns_rdataclass_fromtext(&vclass, &r);
+			if (tresult != ISC_R_SUCCESS)
+				cfg_obj_log(vclassobj, logctx, ISC_LOG_ERROR,
+					    "view '%s': invalid class %s",
+					    cfg_obj_asstring(vname), r.base);
+		}
+		if (tresult == ISC_R_SUCCESS)
+			tresult = check_viewconf(config, voptions,
+						 vclass, logctx, mctx);
+		if (tresult != ISC_R_SUCCESS)
+			result = ISC_R_FAILURE;
+	}
+
+	if (views != NULL && options != NULL) {
+		obj = NULL;
+		tresult = cfg_map_get(options, "cache-file", &obj);
+		if (tresult == ISC_R_SUCCESS) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "'cache-file' cannot be a global "
+				    "option if views are present");
+			result = ISC_R_FAILURE;
+		}
+	}
+
+        tresult = cfg_map_get(config, "acl", &acls);
+        if (tresult == ISC_R_SUCCESS) {
+		cfg_listelt_t *elt;
+		cfg_listelt_t *elt2;
+		const char *aclname;
+
+		for (elt = cfg_list_first(acls);
+		     elt != NULL;
+		     elt = cfg_list_next(elt)) {
+			cfg_obj_t *acl = cfg_listelt_value(elt);
+			unsigned int i;
+
+			aclname = cfg_obj_asstring(cfg_tuple_get(acl, "name"));
+			for (i = 0;
+			     i < sizeof(builtin) / sizeof(builtin[0]);
+			     i++)
+				if (strcasecmp(aclname, builtin[i]) == 0) {
+					cfg_obj_log(acl, logctx, ISC_LOG_ERROR,
+						    "attempt to redefine "
+						    "builtin acl '%s'",
+				    		    aclname);
+					result = ISC_R_FAILURE;
+					break;
+				}
+
+			for (elt2 = cfg_list_next(elt);
+			     elt2 != NULL;
+			     elt2 = cfg_list_next(elt2)) {
+				cfg_obj_t *acl2 = cfg_listelt_value(elt2);
+				const char *name;
+				name = cfg_obj_asstring(cfg_tuple_get(acl2,
+								      "name"));
+				if (strcasecmp(aclname, name) == 0) {
+					const char *file = cfg_obj_file(acl);
+					unsigned int line = cfg_obj_line(acl);
+
+					if (file == NULL)
+						file = "<unknown file>";
+
+					cfg_obj_log(acl2, logctx, ISC_LOG_ERROR,
+						    "attempt to redefine "
+						    "acl '%s' previous "
+						    "definition: %s:%u",
+						     name, file, line);
+					result = ISC_R_FAILURE;
+				}
+			}
+		}
+	}
+
+        tresult = cfg_map_get(config, "kal", &kals);
+        if (tresult == ISC_R_SUCCESS) {
+		cfg_listelt_t *elt;
+		cfg_listelt_t *elt2;
+		const char *aclname;
+
+		for (elt = cfg_list_first(kals);
+		     elt != NULL;
+		     elt = cfg_list_next(elt)) {
+			cfg_obj_t *acl = cfg_listelt_value(elt);
+
+			aclname = cfg_obj_asstring(cfg_tuple_get(acl, "name"));
+
+			for (elt2 = cfg_list_next(elt);
+			     elt2 != NULL;
+			     elt2 = cfg_list_next(elt2)) {
+				cfg_obj_t *acl2 = cfg_listelt_value(elt2);
+				const char *name;
+				name = cfg_obj_asstring(cfg_tuple_get(acl2,
+								      "name"));
+				if (strcasecmp(aclname, name) == 0) {
+					const char *file = cfg_obj_file(acl);
+					unsigned int line = cfg_obj_line(acl);
+
+					if (file == NULL)
+						file = "<unknown file>";
+
+					cfg_obj_log(acl2, logctx, ISC_LOG_ERROR,
+						    "attempt to redefine "
+						    "kal '%s' previous "
+						    "definition: %s:%u",
+						     name, file, line);
+					result = ISC_R_FAILURE;
+				}
+			}
+		}
+	}
+
+	return (result);
+}
diff --git a/lib/bind9/getaddresses.c b/lib/bind9/getaddresses.c
new file mode 100644
index 00000000..7acd282d
--- /dev/null
+++ b/lib/bind9/getaddresses.c
@@ -0,0 +1,180 @@
+/*
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2001, 2002  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: getaddresses.c,v 1.13.126.4 2004/03/08 09:04:27 marka Exp $ */
+
+#include <config.h>
+#include <string.h>
+
+#include <isc/net.h>
+#include <isc/netaddr.h>
+#include <isc/netdb.h>
+#include <isc/result.h>
+#include <isc/sockaddr.h>
+#include <isc/util.h>
+
+#include <bind9/getaddresses.h>
+
+#ifdef HAVE_ADDRINFO
+#ifdef HAVE_GETADDRINFO
+#ifdef HAVE_GAISTRERROR
+#define USE_GETADDRINFO
+#endif
+#endif
+#endif
+
+#ifndef USE_GETADDRINFO
+#ifndef ISC_PLATFORM_NONSTDHERRNO
+extern int h_errno;
+#endif
+#endif
+
+isc_result_t
+bind9_getaddresses(const char *hostname, in_port_t port,
+		   isc_sockaddr_t *addrs, int addrsize, int *addrcount)
+{
+	struct in_addr in4;
+	struct in6_addr in6;
+	isc_boolean_t have_ipv4, have_ipv6;
+	int i;
+
+#ifdef USE_GETADDRINFO
+	struct addrinfo *ai = NULL, *tmpai, hints;
+	int result;
+#else
+	struct hostent *he;
+#endif
+
+	REQUIRE(hostname != NULL);
+	REQUIRE(addrs != NULL);
+	REQUIRE(addrcount != NULL);
+	REQUIRE(addrsize > 0);
+
+	have_ipv4 = (isc_net_probeipv4() == ISC_R_SUCCESS);
+	have_ipv6 = (isc_net_probeipv6() == ISC_R_SUCCESS);
+
+	if (inet_pton(AF_INET6, hostname, &in6) == 1) {
+		if (!have_ipv6)
+			return (ISC_R_FAMILYNOSUPPORT);
+		isc_sockaddr_fromin6(&addrs[0], &in6, port);
+		*addrcount = 1;
+		return (ISC_R_SUCCESS);
+	} else if (inet_pton(AF_INET, hostname, &in4) == 1) {
+		if (have_ipv4)
+			isc_sockaddr_fromin(&addrs[0], &in4, port);
+		else
+			isc_sockaddr_v6fromin(&addrs[0], &in4, port);
+		*addrcount = 1;
+		return (ISC_R_SUCCESS);
+	}
+#ifdef USE_GETADDRINFO
+	memset(&hints, 0, sizeof(hints));
+	if (!have_ipv6)
+		hints.ai_family = PF_INET;
+	else if (!have_ipv4)
+		hints.ai_family = PF_INET6;
+	else {
+		hints.ai_family = PF_UNSPEC;
+#ifdef AI_ADDRCONFIG
+		hints.ai_flags = AI_ADDRCONFIG;
+#endif
+	}
+	hints.ai_socktype = SOCK_STREAM;
+#ifdef AI_ADDRCONFIG
+ again:
+#endif
+	result = getaddrinfo(hostname, NULL, &hints, &ai);
+	switch (result) {
+	case 0:
+		break;
+	case EAI_NONAME:
+#if defined(EAI_NODATA) && (EAI_NODATA != EAI_NONAME)
+	case EAI_NODATA:
+#endif
+		return (ISC_R_NOTFOUND);
+#ifdef AI_ADDRCONFIG
+	case EAI_BADFLAGS:
+		if ((hints.ai_flags & AI_ADDRCONFIG) != 0) {
+			hints.ai_flags &= ~AI_ADDRCONFIG;
+			goto again;
+		}
+#endif
+	default:
+		return (ISC_R_FAILURE);
+	}
+	for (tmpai = ai, i = 0;
+	     tmpai != NULL && i < addrsize;
+	     tmpai = tmpai->ai_next)
+	{
+		if (tmpai->ai_family != AF_INET &&
+		    tmpai->ai_family != AF_INET6)
+			continue;
+		if (tmpai->ai_family == AF_INET) {
+			struct sockaddr_in *sin;
+			sin = (struct sockaddr_in *)tmpai->ai_addr;
+			isc_sockaddr_fromin(&addrs[i], &sin->sin_addr, port);
+		} else {
+			struct sockaddr_in6 *sin6;
+			sin6 = (struct sockaddr_in6 *)tmpai->ai_addr;
+			isc_sockaddr_fromin6(&addrs[i], &sin6->sin6_addr,
+					     port);
+		}
+		i++;
+
+	}
+	freeaddrinfo(ai);
+	*addrcount = i;
+#else
+	he = gethostbyname(hostname);
+	if (he == NULL) {
+		switch (h_errno) {
+		case HOST_NOT_FOUND:
+#ifdef NO_DATA
+		case NO_DATA:
+#endif
+#if defined(NO_ADDRESS) && (!defined(NO_DATA) || (NO_DATA != NO_ADDRESS))
+		case NO_ADDRESS:
+#endif
+			return (ISC_R_NOTFOUND);
+		default:
+			return (ISC_R_FAILURE);
+		}
+	}
+	if (he->h_addrtype != AF_INET && he->h_addrtype != AF_INET6)
+		return (ISC_R_NOTFOUND);
+	for (i = 0; i < addrsize; i++) {
+		if (he->h_addrtype == AF_INET) {
+			struct in_addr *inp;
+			inp = (struct in_addr *)(he->h_addr_list[i]);
+			if (inp == NULL)
+				break;
+			isc_sockaddr_fromin(&addrs[i], inp, port);
+		} else {
+			struct in6_addr *in6p;
+			in6p = (struct in6_addr *)(he->h_addr_list[i]);
+			if (in6p == NULL)
+				break;
+			isc_sockaddr_fromin6(&addrs[i], in6p, port);
+		}
+	}
+	*addrcount = i;
+#endif
+	if (*addrcount == 0)
+		return (ISC_R_NOTFOUND);
+	else
+		return (ISC_R_SUCCESS);
+}
diff --git a/lib/bind/port/aix5/Makefile.in b/lib/bind9/include/Makefile.in
index 99e59854..9081d9ec 100644
--- a/lib/bind/port/aix5/Makefile.in
+++ b/lib/bind9/include/Makefile.in
@@ -12,3 +12,14 @@
 # LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.1.200.3 2004/03/08 09:04:27 marka Exp $
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+SUBDIRS =	bind9
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/lib/bind/port/aix5/include/Makefile.in b/lib/bind9/include/bind9/Makefile.in
index 4b9695d7..dec29827 100644
--- a/lib/bind/port/aix5/include/Makefile.in
+++ b/lib/bind9/include/bind9/Makefile.in
@@ -13,22 +13,30 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.1.6.1 2004/09/24 06:04:49 marka Exp $
+# $Id: Makefile.in,v 1.5.200.4 2004/03/08 09:04:28 marka Exp $
 
-srcdir =        @srcdir@
-VPATH =         @srcdir@
-top_srcdir =    @top_srcdir@
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
 
-HEADERS= sys/bitypes.h sys/cdefs.h
+@BIND9_VERSION@
 
-all:
+#
+# Only list headers that are to be installed and are not
+# machine generated.  The latter are handled specially in the
+# install target below.
+#
+HEADERS =	check.h getaddresses.h version.h
+
+SUBDIRS =
+TARGETS =
 
 @BIND9_MAKE_RULES@
 
 installdirs:
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/sys 
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/bind9
 
 install:: installdirs
 	for i in ${HEADERS}; do \
-		${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/sys; \
+		${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/bind9 ; \
 	done
diff --git a/lib/isccfg/include/isccfg/check.h b/lib/bind9/include/bind9/check.h
index 741584c3..dcda517b 100644
--- a/lib/isccfg/include/isccfg/check.h
+++ b/lib/bind9/include/bind9/check.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,10 +15,10 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: check.h,v 1.4.2.3 2006/03/02 00:37:18 marka Exp $ */
+/* $Id: check.h,v 1.1.200.4 2004/03/08 09:04:28 marka Exp $ */
 
-#ifndef ISCCFG_CHECK_H
-#define ISCCFG_CHECK_H 1
+#ifndef BIND9_CHECK_H
+#define BIND9_CHECK_H 1
 
 #include <isc/lang.h>
 #include <isc/types.h>
@@ -28,8 +28,7 @@
 ISC_LANG_BEGINDECLS
 
 isc_result_t
-cfg_check_namedconf(const cfg_obj_t *config, isc_log_t *logctx,
-		    isc_mem_t *mctx);
+bind9_check_namedconf(cfg_obj_t *config, isc_log_t *logctx, isc_mem_t *mctx);
 /*
  * Check the syntactic validity of a configuration parse tree generated from
  * a named.conf file.
@@ -45,11 +44,11 @@ cfg_check_namedconf(const cfg_obj_t *config, isc_log_t *logctx,
  */
 
 isc_result_t
-cfg_check_key(const cfg_obj_t *config, isc_log_t *logctx);
+bind9_check_key(cfg_obj_t *config, isc_log_t *logctx);
 /*
  * As above, but for a single 'key' statement.
  */
 
 ISC_LANG_ENDDECLS
 
-#endif /* ISCCFG_CHECK_H */
+#endif /* BIND9_CHECK_H */
diff --git a/lib/bind9/include/bind9/getaddresses.h b/lib/bind9/include/bind9/getaddresses.h
new file mode 100644
index 00000000..4a3a5466
--- /dev/null
+++ b/lib/bind9/include/bind9/getaddresses.h
@@ -0,0 +1,59 @@
+/*
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2001  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: getaddresses.h,v 1.2.200.3 2004/03/08 09:04:28 marka Exp $ */
+
+#ifndef BIND9_GETADDRESSES_H
+#define BIND9_GETADDRESSES_H 1
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+#include <isc/net.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+bind9_getaddresses(const char *hostname, in_port_t port,
+		   isc_sockaddr_t *addrs, int addrsize, int *addrcount);
+/*
+ * Use the system resolver to get the addresses associated with a hostname.
+ * If successful, the number of addresses found is returned in 'addrcount'.
+ * If a hostname lookup is performed and addresses of an unknown family is
+ * seen, it is ignored.  If more than 'addrsize' addresses are seen, the
+ * first 'addrsize' are returned and the remainder silently truncated.
+ *
+ * This routine may block.  If called by a program using the isc_app
+ * framework, it should be surounded by isc_app_block()/isc_app_unblock().
+ *
+ *  Requires:
+ *	'hostname' is not NULL.
+ *	'addrs' is not NULL.
+ *	'addrsize' > 0
+ *	'addrcount' is not NULL.
+ *
+ * 
+ * Returns:
+ *	ISC_R_SUCCESS
+ *	ISC_R_NOTFOUND
+ *	ISC_R_NOFAMILYSUPPORT - 'hostname' is an IPv6 address, and IPv6 is
+ *		not supported.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* BIND9_GETADDRESSES_H */
diff --git a/lib/bind9/include/bind9/version.h b/lib/bind9/include/bind9/version.h
new file mode 100644
index 00000000..a3b812ea
--- /dev/null
+++ b/lib/bind9/include/bind9/version.h
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2001  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: version.h,v 1.2.208.3 2004/03/08 09:04:28 marka Exp $ */
+
+#include <isc/platform.h>
+
+LIBBIND9_EXTERNAL_DATA extern const char bind9_version[];
+
+LIBBIND9_EXTERNAL_DATA extern const unsigned int bind9_libinterface;
+LIBBIND9_EXTERNAL_DATA extern const unsigned int bind9_librevision;
+LIBBIND9_EXTERNAL_DATA extern const unsigned int bind9_libage;
diff --git a/lib/bind9/version.c b/lib/bind9/version.c
new file mode 100644
index 00000000..5fee2cf4
--- /dev/null
+++ b/lib/bind9/version.c
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2001  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: version.c,v 1.3.200.4 2004/03/08 09:04:27 marka Exp $ */
+
+#include <bind9/version.h>
+
+const char bind9_version[] = VERSION;
+
+const unsigned int bind9_libinterface = LIBINTERFACE;
+const unsigned int bind9_librevision = LIBREVISION;
+const unsigned int bind9_libage = LIBAGE;
diff --git a/lib/bind9/win32/DLLMain.c b/lib/bind9/win32/DLLMain.c
new file mode 100644
index 00000000..62c62c92
--- /dev/null
+++ b/lib/bind9/win32/DLLMain.c
@@ -0,0 +1,59 @@
+/*
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2001  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: DLLMain.c,v 1.1.222.3 2004/03/08 09:04:28 marka Exp $ */
+
+#include <windows.h>
+#include <signal.h>
+
+BOOL InitSockets(void);
+
+/*
+ * Called when we enter the DLL
+ */
+__declspec(dllexport) BOOL WINAPI DllMain(HINSTANCE hinstDLL,
+					  DWORD fdwReason, LPVOID lpvReserved)
+{
+	switch (fdwReason) { 
+	/*
+	 * The DLL is loading due to process 
+	 * initialization or a call to LoadLibrary. 
+	 */
+	case DLL_PROCESS_ATTACH: 
+		break; 
+ 
+	/* The attached process creates a new thread.  */
+	case DLL_THREAD_ATTACH: 
+		break; 
+ 
+	/* The thread of the attached process terminates. */
+	case DLL_THREAD_DETACH: 
+		break; 
+ 
+	/*
+	 * The DLL is unloading from a process due to 
+	 * process termination or a call to FreeLibrary. 
+	 */
+	case DLL_PROCESS_DETACH: 
+		break; 
+
+	default: 
+		break; 
+	} 
+	return (TRUE);
+}
+
diff --git a/lib/bind9/win32/libbind9.def b/lib/bind9/win32/libbind9.def
new file mode 100644
index 00000000..b9a14ad3
--- /dev/null
+++ b/lib/bind9/win32/libbind9.def
@@ -0,0 +1,8 @@
+LIBRARY libbind9
+
+; Exported Functions
+EXPORTS
+bind9_check_namedconf
+bind9_check_key
+bind9_getaddresses
+
diff --git a/lib/bind9/win32/libbind9.dsp b/lib/bind9/win32/libbind9.dsp
new file mode 100644
index 00000000..9a7a14a6
--- /dev/null
+++ b/lib/bind9/win32/libbind9.dsp
@@ -0,0 +1,133 @@
+# Microsoft Developer Studio Project File - Name="libbind9" - Package Owner=<4>
+# Microsoft Developer Studio Generated Build File, Format Version 6.00
+# ** DO NOT EDIT **
+
+# TARGTYPE "Win32 (x86) Dynamic-Link Library" 0x0102
+
+CFG=libbind9 - Win32 Release
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,
+!MESSAGE use the Export Makefile command and run
+!MESSAGE 
+!MESSAGE NMAKE /f "libbind9.mak".
+!MESSAGE 
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "libbind9.mak" CFG="libbind9 - Win32 Release"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "libbind9 - Win32 Release" (based on "Win32 (x86) Dynamic-Link Library")
+!MESSAGE "libbind9 - Win32 Debug" (based on "Win32 (x86) Dynamic-Link Library")
+!MESSAGE 
+
+# Begin Project
+# PROP AllowPerConfigDependencies 0
+# PROP Scc_ProjName ""
+# PROP Scc_LocalPath ""
+CPP=cl.exe
+MTL=midl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "libbind9 - Win32 Release"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 0
+# PROP BASE Output_Dir "Release"
+# PROP BASE Intermediate_Dir "Release"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 0
+# PROP Output_Dir "Release"
+# PROP Intermediate_Dir "Release"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "libbind9_EXPORTS" /YX /FD /c
+# ADD CPP /nologo /MD /W3 /GX /O2 /I "../../../lib/dns/win32/include" /I "../..../lib/dns/sec/openssl/include" /I "../../../lib/dns/sec/dst/include" /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "NDEBUG" /D "WIN32" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBBIND9_EXPORTS" /YX /FD /c
+# SUBTRACT CPP /X
+# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32
+# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32
+# ADD BASE RSC /l 0x409 /d "NDEBUG"
+# ADD RSC /l 0x409 /d "NDEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../isc/win32/Release/libisc.lib  ../../dns/win32/Release/libdns.lib ../../isccfg/win32/Release/libisccfg.lib /nologo /dll /machine:I386 /out:"../../../Build/Release/libbind9.dll"
+
+!ELSEIF  "$(CFG)" == "libbind9 - Win32 Debug"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 1
+# PROP BASE Output_Dir "Debug"
+# PROP BASE Intermediate_Dir "Debug"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 1
+# PROP Output_Dir "Debug"
+# PROP Intermediate_Dir "Debug"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "libbind9_EXPORTS" /YX /FD /GZ /c
+# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "../../../lib/isccfg/include" /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBBIND9_EXPORTS" /FR /YX /FD /GZ /c
+# SUBTRACT CPP /X
+# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32
+# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32
+# ADD BASE RSC /l 0x409 /d "_DEBUG"
+# ADD RSC /l 0x409 /d "_DEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../isc/win32/debug/libisc.lib ../../dns/win32/debug/libdns.lib ../../isccfg/win32/debug/libisccfg.lib /nologo /dll /debug /machine:I386 /out:"../../../Build/Debug/libbind9.dll" /pdbtype:sept
+
+!ENDIF 
+
+# Begin Target
+
+# Name "libbind9 - Win32 Release"
+# Name "libbind9 - Win32 Debug"
+# Begin Group "Source Files"
+
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
+# Begin Source File
+
+SOURCE=..\check.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\DLLMain.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\getaddresses.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\version.c
+# End Source File
+# End Group
+# Begin Group "Header Files"
+
+# PROP Default_Filter "h;hpp;hxx;hm;inl"
+# Begin Source File
+
+SOURCE=..\include\bind9\check.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\bind9\version.h
+# End Source File
+# End Group
+# Begin Group "Resource Files"
+
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"
+# End Group
+# Begin Source File
+
+SOURCE=.\libbind9.def
+# End Source File
+# End Target
+# End Project
diff --git a/bin/dig/win32/dighost.dsw b/lib/bind9/win32/libbind9.dsw
index fdae6d47..b7f4664f 100644
--- a/bin/dig/win32/dighost.dsw
+++ b/lib/bind9/win32/libbind9.dsw
@@ -1,29 +1,29 @@
-Microsoft Developer Studio Workspace File, Format Version 6.00

-# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!

-

-###############################################################################

-

-Project: "dighost"=".\dighost.dsp" - Package Owner=<4>

-

-Package=<5>

-{{{

-}}}

-

-Package=<4>

-{{{

-}}}

-

-###############################################################################

-

-Global:

-

-Package=<5>

-{{{

-}}}

-

-Package=<3>

-{{{

-}}}

-

-###############################################################################

-

+Microsoft Developer Studio Workspace File, Format Version 6.00
+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!
+
+###############################################################################
+
+Project: "libbind9"=.\libbind9.dsp - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+}}}
+
+###############################################################################
+
+Global:
+
+Package=<5>
+{{{
+}}}
+
+Package=<3>
+{{{
+}}}
+
+###############################################################################
+
diff --git a/lib/bind9/win32/libbind9.mak b/lib/bind9/win32/libbind9.mak
new file mode 100644
index 00000000..49e5cdd9
--- /dev/null
+++ b/lib/bind9/win32/libbind9.mak
@@ -0,0 +1,355 @@
+# Microsoft Developer Studio Generated NMAKE File, Based on libbind9.dsp
+!IF "$(CFG)" == ""
+CFG=libbind9 - Win32 Release
+!MESSAGE No configuration specified. Defaulting to libbind9 - Win32 Release.
+!ENDIF 
+
+!IF "$(CFG)" != "libbind9 - Win32 Release" && "$(CFG)" != "libbind9 - Win32 Debug"
+!MESSAGE Invalid configuration "$(CFG)" specified.
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "libbind9.mak" CFG="libbind9 - Win32 Release"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "libbind9 - Win32 Release" (based on "Win32 (x86) Dynamic-Link Library")
+!MESSAGE "libbind9 - Win32 Debug" (based on "Win32 (x86) Dynamic-Link Library")
+!MESSAGE 
+!ERROR An invalid configuration is specified.
+!ENDIF 
+
+!IF "$(OS)" == "Windows_NT"
+NULL=
+!ELSE 
+NULL=nul
+!ENDIF 
+
+CPP=cl.exe
+MTL=midl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "libbind9 - Win32 Release"
+
+OUTDIR=.\Release
+INTDIR=.\Release
+
+!IF "$(RECURSE)" == "0" 
+
+ALL : "..\..\..\Build\Release\libbind9.dll"
+
+!ELSE 
+
+ALL : "libisccfg - Win32 Release" "libisc - Win32 Release" "libdns - Win32 Release" "..\..\..\Build\Release\libbind9.dll"
+
+!ENDIF 
+
+!IF "$(RECURSE)" == "1" 
+CLEAN :"libdns - Win32 ReleaseCLEAN" "libisc - Win32 ReleaseCLEAN" "libisccfg - Win32 ReleaseCLEAN" 
+!ELSE 
+CLEAN :
+!ENDIF 
+	-@erase "$(INTDIR)\check.obj"
+	-@erase "$(INTDIR)\DLLMain.obj"
+	-@erase "$(INTDIR)\getaddresses.obj"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "$(INTDIR)\version.obj"
+	-@erase "$(OUTDIR)\libbind9.exp"
+	-@erase "$(OUTDIR)\libbind9.lib"
+	-@erase "..\..\..\Build\Release\libbind9.dll"
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "../../../lib/dns/win32/include" /I "../..../lib/dns/sec/openssl/include" /I "../../../lib/dns/sec/dst/include" /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "NDEBUG" /D "WIN32" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBBIND9_EXPORTS" /Fp"$(INTDIR)\libbind9.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+MTL_PROJ=/nologo /D "NDEBUG" /mktyplib203 /win32 
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\libbind9.bsc" 
+BSC32_SBRS= \
+	
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../isc/win32/Release/libisc.lib  ../../dns/win32/Release/libdns.lib ../../isccfg/win32/Release/libisccfg.lib /nologo /dll /incremental:no /pdb:"$(OUTDIR)\libbind9.pdb" /machine:I386 /def:".\libbind9.def" /out:"../../../Build/Release/libbind9.dll" /implib:"$(OUTDIR)\libbind9.lib" 
+DEF_FILE= \
+	".\libbind9.def"
+LINK32_OBJS= \
+	"$(INTDIR)\check.obj" \
+	"$(INTDIR)\DLLMain.obj" \
+	"$(INTDIR)\getaddresses.obj" \
+	"$(INTDIR)\version.obj" \
+	"..\..\dns\win32\Release\libdns.lib" \
+	"..\..\isc\win32\Release\libisc.lib" \
+	"..\..\isccfg\win32\Release\libisccfg.lib"
+
+"..\..\..\Build\Release\libbind9.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+
+!ELSEIF  "$(CFG)" == "libbind9 - Win32 Debug"
+
+OUTDIR=.\Debug
+INTDIR=.\Debug
+# Begin Custom Macros
+OutDir=.\Debug
+# End Custom Macros
+
+!IF "$(RECURSE)" == "0" 
+
+ALL : "..\..\..\Build\Debug\libbind9.dll" "$(OUTDIR)\libbind9.bsc"
+
+!ELSE 
+
+ALL : "libisccfg - Win32 Debug" "libisc - Win32 Debug" "libdns - Win32 Debug" "..\..\..\Build\Debug\libbind9.dll" "$(OUTDIR)\libbind9.bsc"
+
+!ENDIF 
+
+!IF "$(RECURSE)" == "1" 
+CLEAN :"libdns - Win32 DebugCLEAN" "libisc - Win32 DebugCLEAN" "libisccfg - Win32 DebugCLEAN" 
+!ELSE 
+CLEAN :
+!ENDIF 
+	-@erase "$(INTDIR)\check.obj"
+	-@erase "$(INTDIR)\check.sbr"
+	-@erase "$(INTDIR)\DLLMain.obj"
+	-@erase "$(INTDIR)\DLLMain.sbr"
+	-@erase "$(INTDIR)\getaddresses.obj"
+	-@erase "$(INTDIR)\getaddresses.sbr"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "$(INTDIR)\vc60.pdb"
+	-@erase "$(INTDIR)\version.obj"
+	-@erase "$(INTDIR)\version.sbr"
+	-@erase "$(OUTDIR)\libbind9.bsc"
+	-@erase "$(OUTDIR)\libbind9.exp"
+	-@erase "$(OUTDIR)\libbind9.lib"
+	-@erase "$(OUTDIR)\libbind9.pdb"
+	-@erase "..\..\..\Build\Debug\libbind9.dll"
+	-@erase "..\..\..\Build\Debug\libbind9.ilk"
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "../../../lib/isccfg/include" /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBBIND9_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\libbind9.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+MTL_PROJ=/nologo /D "_DEBUG" /mktyplib203 /win32 
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\libbind9.bsc" 
+BSC32_SBRS= \
+	"$(INTDIR)\check.sbr" \
+	"$(INTDIR)\DLLMain.sbr" \
+	"$(INTDIR)\getaddresses.sbr" \
+	"$(INTDIR)\version.sbr"
+
+"$(OUTDIR)\libbind9.bsc" : "$(OUTDIR)" $(BSC32_SBRS)
+    $(BSC32) @<<
+  $(BSC32_FLAGS) $(BSC32_SBRS)
+<<
+
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../isc/win32/debug/libisc.lib ../../dns/win32/debug/libdns.lib ../../isccfg/win32/debug/libisccfg.lib /nologo /dll /incremental:yes /pdb:"$(OUTDIR)\libbind9.pdb" /debug /machine:I386 /def:".\libbind9.def" /out:"../../../Build/Debug/libbind9.dll" /implib:"$(OUTDIR)\libbind9.lib" /pdbtype:sept 
+DEF_FILE= \
+	".\libbind9.def"
+LINK32_OBJS= \
+	"$(INTDIR)\check.obj" \
+	"$(INTDIR)\DLLMain.obj" \
+	"$(INTDIR)\getaddresses.obj" \
+	"$(INTDIR)\version.obj" \
+	"..\..\dns\win32\Debug\libdns.lib" \
+	"..\..\isc\win32\Debug\libisc.lib" \
+	"..\..\isccfg\win32\Debug\libisccfg.lib"
+
+"..\..\..\Build\Debug\libbind9.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+
+!ENDIF 
+
+.c{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+
+!IF "$(NO_EXTERNAL_DEPS)" != "1"
+!IF EXISTS("libbind9.dep")
+!INCLUDE "libbind9.dep"
+!ELSE 
+!MESSAGE Warning: cannot find "libbind9.dep"
+!ENDIF 
+!ENDIF 
+
+
+!IF "$(CFG)" == "libbind9 - Win32 Release" || "$(CFG)" == "libbind9 - Win32 Debug"
+SOURCE=..\check.c
+
+!IF  "$(CFG)" == "libbind9 - Win32 Release"
+
+
+"$(INTDIR)\check.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libbind9 - Win32 Debug"
+
+
+"$(INTDIR)\check.obj"	"$(INTDIR)\check.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=.\DLLMain.c
+
+!IF  "$(CFG)" == "libbind9 - Win32 Release"
+
+
+"$(INTDIR)\DLLMain.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libbind9 - Win32 Debug"
+
+
+"$(INTDIR)\DLLMain.obj"	"$(INTDIR)\DLLMain.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF 
+
+SOURCE=..\getaddresses.c
+
+!IF  "$(CFG)" == "libbind9 - Win32 Release"
+
+
+"$(INTDIR)\getaddresses.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libbind9 - Win32 Debug"
+
+
+"$(INTDIR)\getaddresses.obj"	"$(INTDIR)\getaddresses.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=.\version.c
+
+!IF  "$(CFG)" == "libbind9 - Win32 Release"
+
+
+"$(INTDIR)\version.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libbind9 - Win32 Debug"
+
+
+"$(INTDIR)\version.obj"	"$(INTDIR)\version.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF 
+
+!IF  "$(CFG)" == "libbind9 - Win32 Release"
+
+"libdns - Win32 Release" : 
+   cd "..\..\dns\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libdns.mak" CFG="libdns - Win32 Release" 
+   cd "..\..\bind9\win32"
+
+"libdns - Win32 ReleaseCLEAN" : 
+   cd "..\..\dns\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libdns.mak" CFG="libdns - Win32 Release" RECURSE=1 CLEAN 
+   cd "..\..\bind9\win32"
+
+!ELSEIF  "$(CFG)" == "libbind9 - Win32 Debug"
+
+"libdns - Win32 Debug" : 
+   cd "..\..\dns\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libdns.mak" CFG="libdns - Win32 Debug" 
+   cd "..\..\bind9\win32"
+
+"libdns - Win32 DebugCLEAN" : 
+   cd "..\..\dns\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libdns.mak" CFG="libdns - Win32 Debug" RECURSE=1 CLEAN 
+   cd "..\..\bind9\win32"
+
+!ENDIF 
+
+!IF  "$(CFG)" == "libbind9 - Win32 Release"
+
+"libisc - Win32 Release" : 
+   cd "..\..\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - Win32 Release" 
+   cd "..\..\bind9\win32"
+
+"libisc - Win32 ReleaseCLEAN" : 
+   cd "..\..\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - Win32 Release" RECURSE=1 CLEAN 
+   cd "..\..\bind9\win32"
+
+!ELSEIF  "$(CFG)" == "libbind9 - Win32 Debug"
+
+"libisc - Win32 Debug" : 
+   cd "..\..\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - Win32 Debug" 
+   cd "..\..\bind9\win32"
+
+"libisc - Win32 DebugCLEAN" : 
+   cd "..\..\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - Win32 Debug" RECURSE=1 CLEAN 
+   cd "..\..\bind9\win32"
+
+!ENDIF 
+
+!IF  "$(CFG)" == "libbind9 - Win32 Release"
+
+"libisccfg - Win32 Release" : 
+   cd "..\..\isccfg\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisccfg.mak" CFG="libisccfg - Win32 Release" 
+   cd "..\..\bind9\win32"
+
+"libisccfg - Win32 ReleaseCLEAN" : 
+   cd "..\..\isccfg\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisccfg.mak" CFG="libisccfg - Win32 Release" RECURSE=1 CLEAN 
+   cd "..\..\bind9\win32"
+
+!ELSEIF  "$(CFG)" == "libbind9 - Win32 Debug"
+
+"libisccfg - Win32 Debug" : 
+   cd "..\..\isccfg\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisccfg.mak" CFG="libisccfg - Win32 Debug" 
+   cd "..\..\bind9\win32"
+
+"libisccfg - Win32 DebugCLEAN" : 
+   cd "..\..\isccfg\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisccfg.mak" CFG="libisccfg - Win32 Debug" RECURSE=1 CLEAN 
+   cd "..\..\bind9\win32"
+
+!ENDIF 
+
+
+!ENDIF 
+
diff --git a/lib/bind9/win32/version.c b/lib/bind9/win32/version.c
new file mode 100644
index 00000000..ae94569d
--- /dev/null
+++ b/lib/bind9/win32/version.c
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2001  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: version.c,v 1.2.222.3 2004/03/08 09:04:28 marka Exp $ */
+
+#include <versions.h>
+
+#include <bind9/version.h>
+
+LIBBIND9_EXTERNAL_DATA const char bind9_version[] = VERSION;
+
+LIBBIND9_EXTERNAL_DATA const unsigned int bind9_libinterface = LIBINTERFACE;
+LIBBIND9_EXTERNAL_DATA const unsigned int bind9_librevision = LIBREVISION;
+LIBBIND9_EXTERNAL_DATA const unsigned int bind9_libage = LIBAGE;
diff --git a/lib/dns/Makefile.in b/lib/dns/Makefile.in
index 67e27c0d..904be91f 100644
--- a/lib/dns/Makefile.in
+++ b/lib/dns/Makefile.in
@@ -1,5 +1,5 @@
-# Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2001, 2003  Internet Software Consortium.
+# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 1998-2003  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -13,26 +13,21 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.126.2.15 2006/01/06 00:01:41 marka Exp $
+# $Id: Makefile.in,v 1.126.2.3.2.13 2004/03/12 10:31:24 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
 top_srcdir =	@top_srcdir@
 
-# Attempt to disable parallel processing.
-.NOTPARALLEL:
-.NO_PARALLEL:
-
 @BIND9_VERSION@
 
 @LIBDNS_API@
 
-@BIND9_INCLUDES@
+@BIND9_MAKE_INCLUDES@
 
-CINCLUDES =	-I. -Iinclude ${DNS_INCLUDES} \
-		${ISC_INCLUDES} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@
+CINCLUDES =	-I. ${DNS_INCLUDES} ${ISC_INCLUDES}
 
-CDEFINES =	-DUSE_MD5 @USE_OPENSSL@ @USE_GSSAPI@
+CDEFINES =
 CWARNINGS =
 
 ISCLIBS =	../../lib/isc/libisc.@A@
@@ -43,54 +38,49 @@ LIBS =		@LIBS@
 
 # Alphabetically
 
-DSTOBJS =	dst_api.@O@ dst_lib.@O@ dst_parse.@O@ \
-		dst_result.@O@ hmac_link.@O@ key.@O@
-
-OPENSSLOBJS =	openssl_link.@O@ openssldh_link.@O@ \
-		openssldsa_link.@O@ opensslrsa_link.@O@
-
-GSSAPIOBJS =	gssapi_link.@O@ gssapictx.@O@
+DSTOBJS =	sec/dst/dst_api.@O@ \
+		sec/dst/dst_lib.@O@ sec/dst/dst_parse.@O@ \
+		sec/dst/dst_result.@O@ sec/dst/gssapi_link.@O@ \
+		sec/dst/gssapictx.@O@ sec/dst/hmac_link.@O@ \
+		sec/dst/key.@O@ sec/dst/openssl_link.@O@ \
+		sec/dst/openssldh_link.@O@ sec/dst/openssldsa_link.@O@ \
+		sec/dst/opensslrsa_link.@O@
 
 # Alphabetically
-DNSOBJS =	a6.@O@ acl.@O@ adb.@O@ byaddr.@O@ \
+DNSOBJS =	acl.@O@ adb.@O@ byaddr.@O@ \
 		cache.@O@ callbacks.@O@ compress.@O@ \
 		db.@O@ dbiterator.@O@ dbtable.@O@ diff.@O@ dispatch.@O@ \
-		dnssec.@O@ forward.@O@ journal.@O@ keytable.@O@ \
+		dnssec.@O@ ds.@O@ forward.@O@ journal.@O@ keytable.@O@ \
 		lib.@O@ log.@O@ lookup.@O@ \
 		master.@O@ masterdump.@O@ message.@O@ \
-		name.@O@ ncache.@O@ nxt.@O@ peer.@O@ \
-		rbt.@O@ rbtdb.@O@ rbtdb64.@O@ rdata.@O@ rdatalist.@O@ \
+		name.@O@ ncache.@O@ nsec.@O@ order.@O@ peer.@O@ portlist.@O@ \
+		rbt.@O@ rbtdb.@O@ rbtdb64.@O@ rcode.@O@ rdata.@O@ \
+		rdatalist.@O@ \
 		rdataset.@O@ rdatasetiter.@O@ rdataslab.@O@ request.@O@ \
 		resolver.@O@ result.@O@ rootns.@O@ sdb.@O@ soa.@O@ ssu.@O@ \
 		stats.@O@ tcpmsg.@O@ time.@O@ timer.@O@ tkey.@O@ \
 		tsig.@O@ ttl.@O@ validator.@O@ \
 		version.@O@ view.@O@ xfrin.@O@ zone.@O@ zonekey.@O@ zt.@O@
 
-OBJS =		${DNSOBJS} ${OTHEROBJS} ${DSTOBJS} ${OPENSSLOBJS} ${GSSAPIOBJS}
+OBJS=		${DNSOBJS} ${OTHEROBJS} ${DSTOBJS}
 
 # Alphabetically
-DSTSRCS =	dst_api.c dst_lib.c dst_parse.c \
-		dst_result.c gssapi_link.c gssapictx.c \
-		hmac_link.c key.c \
-		openssl_link.c openssldh_link.c \
-		openssldsa_link.c opensslrsa_link.c
-
-DNSSRCS =	a6.c acl.c adb.c byaddr.c \
+SRCS =		acl.c adb.c byaddr.c \
 		cache.c callbacks.c compress.c \
 		db.c dbiterator.c dbtable.c diff.c dispatch.c \
-		dnssec.c forward.c journal.c keytable.c \
+		dnssec.c ds.c forward.c journal.c keytable.c \
 		lib.c log.c lookup.c \
 		master.c masterdump.c message.c \
-		name.c ncache.c nxt.c peer.c \
-		rbt.c rbtdb.c rbtdb64.c rdata.c rdatalist.c \
+		name.c ncache.c nsec.c order.c peer.c portlist.c \
+		rbt.c rbtdb.c rbtdb64.c rcode.c rdata.c \
+		rdatalist.c \
 		rdataset.c rdatasetiter.c rdataslab.c request.c \
 		resolver.c result.c rootns.c sdb.c soa.c ssu.c \
 		stats.c tcpmsg.c time.c timer.c tkey.c \
 		tsig.c ttl.c validator.c \
 		version.c view.c xfrin.c zone.c zonekey.c zt.c ${OTHERSRCS}
-SRCS = ${DSTSRCS} ${DNSSRCS}
 
-SUBDIRS =	include 
+SUBDIRS =	include sec
 TARGETS =	include/dns/enumtype.h include/dns/enumclass.h \
 		include/dns/rdatastruct.h timestamp
 
@@ -113,29 +103,9 @@ libdns.@SA@: ${OBJS}
 
 libdns.la: ${OBJS}
 	${LIBTOOL_MODE_LINK} \
-		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns.la -rpath ${libdir} \
+		${CC} ${ALL_CFLAGS} -o libdns.la -rpath ${libdir} \
 		-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
-		${OBJS} ${ISCLIBS} @DNS_OPENSSL_LIBS@ ${LIBS}
-
-libdstcypto.@SA@: ${OPENSSLOBJS}
-	${AR} ${ARFLAGS} $@ ${OPENSSLOBJS}
-	${RANLIB} $@
-
-libdstcypto.la: ${OPENSSLOBJS}
-	${LIBTOOL_MODE_LINK} \
-		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ -rpath ${libdir} \
-		-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
-		${OPENSSLOBJS} ${LIBS}
-
-libdstgssapi.@SA@: ${GSSAPIOBJS}
-	${AR} ${ARFLAGS} $@ ${GSSAPIOBJS}
-	${RANLIB} $@
-
-libdstgssapi.la: ${GSSAPIOBJS}
-	${LIBTOOL_MODE_LINK} \
-		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ -rpath ${libdir} \
-		-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
-		${GSSAPIOBJS} ${LIBS}
+		${OBJS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ ${LIBS}
 
 timestamp: libdns.@A@
 	touch timestamp
@@ -177,8 +147,7 @@ code.h:	gen
 	./gen -s ${srcdir} > code.h
 
 gen: gen.c
-	${BUILD_CC} ${BUILD_CFLAGS} -I${top_srcdir}/lib/isc/include \
-	${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c ${BUILD_LIBS}
+	${CC} ${ALL_CFLAGS} -o $@ ${srcdir}/gen.c ${LIBS}
 
 rbtdb64.@O@: rbtdb.c
 
@@ -186,5 +155,6 @@ depend: include/dns/enumtype.h include/dns/enumclass.h \
 	include/dns/rdatastruct.h code.h
 subdirs: include/dns/enumtype.h include/dns/enumclass.h \
 	include/dns/rdatastruct.h code.h
-${OBJS}: include/dns/enumtype.h include/dns/enumclass.h \
-        include/dns/rdatastruct.h
+${DNSOBJS}: include/dns/enumtype.h include/dns/enumclass.h \
+	include/dns/rdatastruct.h
+rdata.${0}: code.h
diff --git a/lib/dns/a6.c b/lib/dns/a6.c
deleted file mode 100644
index 850cc4b0..00000000
--- a/lib/dns/a6.c
+++ /dev/null
@@ -1,237 +0,0 @@
-/*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: a6.c,v 1.20.2.1 2004/03/09 06:10:59 marka Exp $ */
-
-#include <config.h>
-
-#include <isc/util.h>
-
-#include <dns/a6.h>
-#include <dns/name.h>
-#include <dns/rdata.h>
-#include <dns/rdataset.h>
-
-#define A6CONTEXT_MAGIC		ISC_MAGIC('A', '6', 'X', 'X')
-#define VALID_A6CONTEXT(ac)	ISC_MAGIC_VALID(ac, A6CONTEXT_MAGIC)
-
-#define MAX_CHAINS	8
-#define MAX_DEPTH	16
-
-static inline void
-maybe_disassociate(dns_rdataset_t *rdataset) {
-	if (dns_rdataset_isassociated(rdataset))
-		dns_rdataset_disassociate(rdataset);
-}
-
-static isc_result_t
-foreach(dns_a6context_t *a6ctx, dns_rdataset_t *parent, unsigned int depth,
-	unsigned int oprefixlen)
-{
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	isc_region_t r;
-	dns_name_t name;
-	dns_rdataset_t child;
-	dns_rdataset_t childsig;
-	isc_result_t result;
-	isc_uint8_t prefixlen, octets;
-	isc_bitstring_t bitstring;
-	isc_stdtime_t expiration;
-
-	expiration = a6ctx->now + parent->ttl;
-	if (expiration < a6ctx->expiration || a6ctx->expiration == 0)
-		a6ctx->expiration = expiration;
-
-	depth++;
-	result = dns_rdataset_first(parent);
-	while (result == ISC_R_SUCCESS) {
-		dns_rdataset_current(parent, &rdata);
-		dns_rdata_toregion(&rdata, &r);
-		prefixlen = r.base[0];
-		if (prefixlen > oprefixlen) {
-			/*
-			 * Trying to go to a longer prefix is illegal.
-			 */
-			goto next_a6;
-		}
-		if (prefixlen < 128) {
-			isc_bitstring_init(&bitstring, &r.base[1],
-					   128 - prefixlen, 128 - prefixlen,
-					   ISC_TRUE);
-			isc_bitstring_copy(&bitstring, 128 - oprefixlen,
-					   &a6ctx->bitstring, 128 - oprefixlen,
-					   oprefixlen - prefixlen);
-		}
-		octets = 16 - prefixlen / 8;
-		if (prefixlen != 0) {
-			if (depth < MAX_DEPTH) {
-				isc_region_consume(&r, octets + 1);
-				dns_name_init(&name, NULL);
-				dns_name_fromregion(&name, &r);
-				dns_rdataset_init(&child);
-				dns_rdataset_init(&childsig);
-				result = (a6ctx->find)(a6ctx->arg, &name,
-						       dns_rdatatype_a6,
-						       a6ctx->now,
-						       &child, &childsig);
-				if (result == ISC_R_SUCCESS) {
-					/*
-					 * We've found a new A6 rrset.
-					 */
-					if (a6ctx->rrset != NULL)
-						(a6ctx->rrset)(a6ctx->arg,
-							       &name,
-							       &child,
-							       &childsig);
-					/*
-					 * Keep following the chain.
-					 */
-					result = foreach(a6ctx, &child, depth,
-							 prefixlen);
-					dns_rdataset_disassociate(&child);
-					maybe_disassociate(&childsig);
-					if (result != ISC_R_SUCCESS)
-						break;
-				} else if (result == ISC_R_NOTFOUND &&
-					   a6ctx->missing != NULL) {
-					/*
-					 * We can't follow this chain, because
-					 * we don't know the next link.
-					 *
-					 * We update the 'depth' and
-					 * 'prefixlen' values so that the
-					 * missing function can make a copy
-					 * of the a6context and resume
-					 * processing after it has found the
-					 * missing a6 context.
-					 */
-					a6ctx->depth = depth;
-					a6ctx->prefixlen = prefixlen;
-					(a6ctx->missing)(a6ctx, &name);
-				} else {
-					/*
-					 * Either something went wrong, or
-					 * we got a negative cache response.
-					 * In either case, we can't follow
-					 * this chain further, and we don't
-					 * want to call the 'missing'
-					 * function.
-					 *
-					 * Note that we currently require that
-					 * the target of an A6 record is
-					 * a canonical domain name.  If the
-					 * find routine returns DNS_R_CNAME or
-					 * DNS_R_DNAME, we do NOT follow the
-					 * chain.
-					 *
-					 * We do want to clean up...
-					 */
-					maybe_disassociate(&child);
-					maybe_disassociate(&childsig);
-				}
-			}
-		} else {
-			/*
-			 * We have a complete chain.
-			 */
-			if (a6ctx->address != NULL)
-				(a6ctx->address)(a6ctx);
-		}
-	next_a6:
-		dns_rdata_reset(&rdata);
-		result = dns_rdataset_next(parent);
-		if (result == ISC_R_SUCCESS) {
-			a6ctx->chains++;
-			if (a6ctx->chains > MAX_CHAINS)
-				return (ISC_R_QUOTA);
-		}
-	}
-	if (result != ISC_R_NOMORE)
-		return (result);
-	return (ISC_R_SUCCESS);
-}
-
-void
-dns_a6_init(dns_a6context_t *a6ctx, dns_findfunc_t find, dns_rrsetfunc_t rrset,
-	    dns_in6addrfunc_t address, dns_a6missingfunc_t missing, void *arg)
-{
-	REQUIRE(a6ctx != NULL);
-	REQUIRE(find != NULL);
-
-	a6ctx->magic = A6CONTEXT_MAGIC;
-	a6ctx->find = find;
-	a6ctx->rrset = rrset;
-	a6ctx->missing = missing;
-	a6ctx->address = address;
-	a6ctx->arg = arg;
-	a6ctx->chains = 1;
-	a6ctx->depth = 0;
-	a6ctx->now = 0;
-	a6ctx->expiration = 0;
-	a6ctx->prefixlen = 128;
-	isc_bitstring_init(&a6ctx->bitstring,
-			   (unsigned char *)a6ctx->in6addr.s6_addr,
-			   128, 128, ISC_TRUE);
-}
-
-void
-dns_a6_reset(dns_a6context_t *a6ctx) {
-	REQUIRE(VALID_A6CONTEXT(a6ctx));
-
-	a6ctx->chains = 1;
-	a6ctx->depth = 0;
-	a6ctx->expiration = 0;
-	a6ctx->prefixlen = 128;
-}
-
-void
-dns_a6_invalidate(dns_a6context_t *a6ctx) {
-	REQUIRE(VALID_A6CONTEXT(a6ctx));
-
-	a6ctx->magic = 0;
-}
-
-void
-dns_a6_copy(dns_a6context_t *source, dns_a6context_t *target) {
-	REQUIRE(VALID_A6CONTEXT(source));
-	REQUIRE(VALID_A6CONTEXT(target));
-
-	*target = *source;
-	isc_bitstring_init(&target->bitstring,
-			   (unsigned char *)target->in6addr.s6_addr,
-			   128, 128, ISC_TRUE);
-}
-
-isc_result_t
-dns_a6_foreach(dns_a6context_t *a6ctx, dns_rdataset_t *rdataset,
-	       isc_stdtime_t now)
-{
-	isc_result_t result;
-
-	REQUIRE(VALID_A6CONTEXT(a6ctx));
-	REQUIRE(rdataset->type == dns_rdatatype_a6);
-
-	if (now == 0)
-		isc_stdtime_get(&now);
-	a6ctx->now = now;
-
-	result = foreach(a6ctx, rdataset, a6ctx->depth, a6ctx->prefixlen);
-	if (result == ISC_R_QUOTA)
-		result = ISC_R_SUCCESS;
-
-	return (result);
-}
diff --git a/lib/dns/acl.c b/lib/dns/acl.c
index 73deb9ba..d2814405 100644
--- a/lib/dns/acl.c
+++ b/lib/dns/acl.c
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: acl.c,v 1.23.2.3 2006/03/02 00:37:17 marka Exp $ */
+/* $Id: acl.c,v 1.23.52.4 2004/03/09 05:21:08 marka Exp $ */
 
 #include <config.h>
 
@@ -68,7 +68,7 @@ dns_acl_create(isc_mem_t *mctx, int n, dns_acl_t **target) {
 }
 
 isc_result_t
-dns_acl_appendelement(dns_acl_t *acl, const dns_aclelement_t *elt) {
+dns_acl_appendelement(dns_acl_t *acl, dns_aclelement_t *elt) {
 	if (acl->length + 1 > acl->alloc) {
 		/*
 		 * Resize the ACL.
@@ -123,12 +123,12 @@ dns_acl_none(isc_mem_t *mctx, dns_acl_t **target) {
 }
 
 isc_result_t
-dns_acl_match(const isc_netaddr_t *reqaddr,
-	      const dns_name_t *reqsigner,
-	      const dns_acl_t *acl,
-	      const dns_aclenv_t *env,
+dns_acl_match(isc_netaddr_t *reqaddr,
+	      dns_name_t *reqsigner,
+	      dns_acl_t *acl,
+	      dns_aclenv_t *env,
 	      int *match,
-	      dns_aclelement_t const**matchelt)
+	      dns_aclelement_t **matchelt)
 {
 	unsigned int i;
 
@@ -149,15 +149,38 @@ dns_acl_match(const isc_netaddr_t *reqaddr,
 	return (ISC_R_SUCCESS);
 }
 
+isc_result_t
+dns_acl_elementmatch(dns_acl_t *acl,
+		     dns_aclelement_t *elt,
+		     dns_aclelement_t **matchelt)
+{
+	unsigned int i;
+
+	REQUIRE(elt != NULL);
+	REQUIRE(matchelt == NULL || *matchelt == NULL);
+	
+	for (i = 0; i < acl->length; i++) {
+		dns_aclelement_t *e = &acl->elements[i];
+
+		if (dns_aclelement_equal(e, elt) == ISC_TRUE) {
+			if (matchelt != NULL)
+				*matchelt = e;
+			return (ISC_R_SUCCESS);
+		}
+	}
+
+	return (ISC_R_NOTFOUND);
+}
+
 isc_boolean_t
-dns_aclelement_match(const isc_netaddr_t *reqaddr,
-		     const dns_name_t *reqsigner,
-		     const dns_aclelement_t *e,
-		     const dns_aclenv_t *env,
-		     const dns_aclelement_t **matchelt)
+dns_aclelement_match(isc_netaddr_t *reqaddr,
+		     dns_name_t *reqsigner,
+		     dns_aclelement_t *e,
+		     dns_aclenv_t *env,
+		     dns_aclelement_t **matchelt)
 {
 	dns_acl_t *inner = NULL;
-	const isc_netaddr_t *addr;
+	isc_netaddr_t *addr;
 	isc_netaddr_t v4addr;
 	int indirectmatch;
 	isc_result_t result;
@@ -289,7 +312,7 @@ dns_acl_detach(dns_acl_t **aclp) {
 }
 
 isc_boolean_t
-dns_aclelement_equal(const dns_aclelement_t *ea, const dns_aclelement_t *eb) {
+dns_aclelement_equal(dns_aclelement_t *ea, dns_aclelement_t *eb) {
 	if (ea->type != eb->type)
 		return (ISC_FALSE);
 	switch (ea->type) {
@@ -297,8 +320,9 @@ dns_aclelement_equal(const dns_aclelement_t *ea, const dns_aclelement_t *eb) {
 		if (ea->u.ip_prefix.prefixlen !=
 		    eb->u.ip_prefix.prefixlen)
 			return (ISC_FALSE);
-		return (isc_netaddr_equal(&ea->u.ip_prefix.address,
-					  &eb->u.ip_prefix.address));
+		return (isc_netaddr_eqprefix(&ea->u.ip_prefix.address,
+					     &eb->u.ip_prefix.address,
+					     ea->u.ip_prefix.prefixlen));
 	case dns_aclelementtype_keyname:
 		return (dns_name_equal(&ea->u.keyname, &eb->u.keyname));
 	case dns_aclelementtype_nestedacl:
@@ -314,7 +338,7 @@ dns_aclelement_equal(const dns_aclelement_t *ea, const dns_aclelement_t *eb) {
 }
 
 isc_boolean_t
-dns_acl_equal(const dns_acl_t *a, const dns_acl_t *b) {
+dns_acl_equal(dns_acl_t *a, dns_acl_t *b) {
 	unsigned int i;
 	if (a == b)
 		return (ISC_TRUE);
@@ -329,7 +353,7 @@ dns_acl_equal(const dns_acl_t *a, const dns_acl_t *b) {
 }
 
 static isc_boolean_t
-is_loopback(const dns_aclipprefix_t *p) {
+is_loopback(dns_aclipprefix_t *p) {
 	switch (p->address.family) {
 	case AF_INET:
 		if (p->prefixlen == 32 &&
@@ -348,7 +372,7 @@ is_loopback(const dns_aclipprefix_t *p) {
 }
 
 isc_boolean_t
-dns_acl_isinsecure(const dns_acl_t *a) {
+dns_acl_isinsecure(dns_acl_t *a) {
 	unsigned int i;
 	for (i = 0; i < a->length; i++) {
 		dns_aclelement_t *e = &a->elements[i];
diff --git a/lib/dns/adb.c b/lib/dns/adb.c
index 0638dddd..c13198f5 100644
--- a/lib/dns/adb.c
+++ b/lib/dns/adb.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: adb.c,v 1.181.2.26 2007/02/26 23:45:24 tbox Exp $ */
+/* $Id: adb.c,v 1.181.2.11.2.17 2004/03/10 02:55:57 marka Exp $ */
 
 /*
  * Implementation notes
@@ -46,7 +46,6 @@
 #include <isc/timer.h>
 #include <isc/util.h>
 
-#include <dns/a6.h>
 #include <dns/adb.h>
 #include <dns/db.h>
 #include <dns/events.h>
@@ -82,12 +81,12 @@
 /*
  * For type 3 negative cache entries, we will remember that the address is
  * broken for this long.  XXXMLG This is also used for actual addresses, too.
- * The intent is to keep us from constantly asking about A/A6/AAAA records
+ * The intent is to keep us from constantly asking about A/AAAA records
  * if the zone has extremely low TTLs.
  */
 #define ADB_CACHE_MINIMUM	10	/* seconds */
 #define ADB_CACHE_MAXIMUM	86400	/* seconds (86400 = 24 hours) */
-#define ADB_ENTRY_WINDOW	1800	/* seconds  */
+#define ADB_ENTRY_WINDOW	1800	/* seconds */
 
 /*
  * Wake up every CLEAN_SECONDS and clean CLEAN_BUCKETS buckets, so that all
@@ -102,6 +101,8 @@
 
 #define DNS_ADB_INVALIDBUCKET (-1)	/* invalid bucket address */
 
+#define DNS_ADB_MINADBSIZE	(1024*1024)	/* 1 Megabyte */
+
 typedef ISC_LIST(dns_adbname_t) dns_adbnamelist_t;
 typedef struct dns_adbnamehook dns_adbnamehook_t;
 typedef ISC_LIST(dns_adbnamehook_t) dns_adbnamehooklist_t;
@@ -121,6 +122,7 @@ struct dns_adb {
 	isc_timer_t		       *timer;
 	isc_taskmgr_t		       *taskmgr;
 	isc_task_t		       *task;
+	isc_boolean_t			overmem;
 
 	isc_interval_t			tick_interval;
 	int				next_cleanbucket;
@@ -136,7 +138,6 @@ struct dns_adb {
 	isc_mempool_t		       *ahmp;	/* dns_adbfind_t */
 	isc_mempool_t		       *aimp;	/* dns_adbaddrinfo_t */
 	isc_mempool_t		       *afmp;	/* dns_adbfetch_t */
-	isc_mempool_t		       *af6mp;	/* dns_adbfetch6_t */
 
 	/*
 	 * Bucketized locks and lists for names.
@@ -184,7 +185,6 @@ struct dns_adbname {
 	dns_adbnamehooklist_t		v6;
 	dns_adbfetch_t		       *fetch_a;
 	dns_adbfetch_t		       *fetch_aaaa;
-	ISC_LIST(dns_adbfetch6_t)	fetches_a6;
 	unsigned int			fetch_err;
 	unsigned int			fetch6_err;
 	dns_adbfindlist_t		finds;
@@ -199,17 +199,6 @@ struct dns_adbfetch {
 	dns_rdataset_t			rdataset;
 };
 
-struct dns_adbfetch6 {
-	unsigned int			magic;
-	unsigned int			flags;
-	dns_adbnamehook_t	       *namehook;
-	dns_adbentry_t		       *entry;
-	dns_fetch_t		       *fetch;
-	dns_rdataset_t			rdataset;
-	dns_a6context_t			a6ctx;
-	ISC_LINK(dns_adbfetch6_t)	plink;
-};
-
 /*
  * dns_adbnamehook_t
  *
@@ -253,7 +242,7 @@ struct dns_adbentry {
 	unsigned int			flags;
 	unsigned int			srtt;
 	isc_sockaddr_t			sockaddr;
-	
+
 	isc_stdtime_t			expires;
 	/*
 	 * A nonzero 'expires' field indicates that the entry should
@@ -285,9 +274,6 @@ static inline dns_adbaddrinfo_t *new_adbaddrinfo(dns_adb_t *, dns_adbentry_t *,
 						 in_port_t);
 static inline dns_adbfetch_t *new_adbfetch(dns_adb_t *);
 static inline void free_adbfetch(dns_adb_t *, dns_adbfetch_t **);
-static inline dns_adbfetch6_t *new_adbfetch6(dns_adb_t *, dns_adbname_t *,
-					     dns_a6context_t *);
-static inline void free_adbfetch6(dns_adb_t *, dns_adbfetch6_t **);
 static inline dns_adbname_t *find_name_and_lock(dns_adb_t *, dns_name_t *,
 						unsigned int, int *);
 static inline dns_adbentry_t *find_entry_and_lock(dns_adb_t *,
@@ -296,27 +282,29 @@ static void dump_adb(dns_adb_t *, FILE *, isc_boolean_t debug);
 static void print_dns_name(FILE *, dns_name_t *);
 static void print_namehook_list(FILE *, const char *legend,
 				dns_adbnamehooklist_t *list,
-				isc_boolean_t debug);
+				isc_boolean_t debug,
+				isc_stdtime_t now);
 static void print_find_list(FILE *, dns_adbname_t *);
 static void print_fetch_list(FILE *, dns_adbname_t *);
 static inline isc_boolean_t dec_adb_irefcnt(dns_adb_t *);
+static inline void inc_adb_irefcnt(dns_adb_t *);
 static inline void inc_adb_erefcnt(dns_adb_t *);
 static inline void inc_entry_refcnt(dns_adb_t *, dns_adbentry_t *,
 				    isc_boolean_t);
 static inline isc_boolean_t dec_entry_refcnt(dns_adb_t *, dns_adbentry_t *,
-				    isc_boolean_t);
+					     isc_boolean_t);
 static inline void violate_locking_hierarchy(isc_mutex_t *, isc_mutex_t *);
 static isc_boolean_t clean_namehooks(dns_adb_t *, dns_adbnamehooklist_t *);
 static void clean_target(dns_adb_t *, dns_name_t *);
 static void clean_finds_at_name(dns_adbname_t *, isc_eventtype_t,
 				unsigned int);
-static isc_boolean_t check_expire_namehooks(dns_adbname_t *, isc_stdtime_t);
+static isc_boolean_t check_expire_namehooks(dns_adbname_t *, isc_stdtime_t,
+					    isc_boolean_t);
 static void cancel_fetches_at_name(dns_adbname_t *);
 static isc_result_t dbfind_name(dns_adbname_t *, isc_stdtime_t,
 				dns_rdatatype_t);
-static isc_result_t fetch_name_v4(dns_adbname_t *, isc_boolean_t);
-static isc_result_t fetch_name_aaaa(dns_adbname_t *);
-static isc_result_t fetch_name_a6(dns_adbname_t *, isc_boolean_t);
+static isc_result_t fetch_name(dns_adbname_t *, isc_boolean_t,
+			       dns_rdatatype_t);
 static inline void check_exit(dns_adb_t *);
 static void timer_cleanup(isc_task_t *, isc_event_t *);
 static void destroy(dns_adb_t *);
@@ -327,8 +315,7 @@ static inline isc_boolean_t unlink_name(dns_adb_t *, dns_adbname_t *);
 static inline void link_entry(dns_adb_t *, int, dns_adbentry_t *);
 static inline isc_boolean_t unlink_entry(dns_adb_t *, dns_adbentry_t *);
 static isc_boolean_t kill_name(dns_adbname_t **, isc_eventtype_t);
-static void fetch_callback_a6(isc_task_t *, isc_event_t *);
-static isc_result_t dbfind_a6(dns_adbname_t *, isc_stdtime_t);
+static void water(void *arg, int mark);
 
 /*
  * MUST NOT overlap DNS_ADBFIND_* flags!
@@ -350,33 +337,26 @@ static isc_result_t dbfind_a6(dns_adbname_t *, isc_stdtime_t);
 
 /*
  * To the name, address classes are all that really exist.  If it has a
- * V6 address it doesn't care if it came from an A6 chain or an AAAA query.
+ * V6 address it doesn't care if it came from a AAAA query.
  */
 #define NAME_HAS_V4(n)		(!ISC_LIST_EMPTY((n)->v4))
 #define NAME_HAS_V6(n)		(!ISC_LIST_EMPTY((n)->v6))
 #define NAME_HAS_ADDRS(n)	(NAME_HAS_V4(n) || NAME_HAS_V6(n))
 
 /*
- * Fetches are broken out into A, AAAA, and A6 types.  In some cases,
+ * Fetches are broken out into A and AAAA types.  In some cases,
  * however, it makes more sense to test for a particular class of fetches,
  * like V4 or V6 above.
+ * Note: since we have removed the support of A6 in adb, FETCH_A and FETCH_AAAA
+ * are now equal to FETCH_V4 and FETCH_V6, respectively.
  */
 #define NAME_FETCH_A(n)		((n)->fetch_a != NULL)
 #define NAME_FETCH_AAAA(n)	((n)->fetch_aaaa != NULL)
-#define NAME_FETCH_A6(n)	(!ISC_LIST_EMPTY((n)->fetches_a6))
 #define NAME_FETCH_V4(n)	(NAME_FETCH_A(n))
-#define NAME_FETCH_V6(n)	(NAME_FETCH_AAAA(n) || NAME_FETCH_A6(n))
+#define NAME_FETCH_V6(n)	(NAME_FETCH_AAAA(n))
 #define NAME_FETCH(n)		(NAME_FETCH_V4(n) || NAME_FETCH_V6(n))
 
 /*
- * Was this fetch started using the hints database?
- * Was this the initial fetch for the A6 record?  If so, we might want to
- * start AAAA queries if it fails.
- */
-#define FETCH_FIRST_A6		0x80000000
-#define FETCH_FIRSTA6(f)	(((f)->flags & FETCH_FIRST_A6) != 0)
-
-/*
  * Find options and tests to see if there are addresses on the list.
  */
 #define FIND_WANTEVENT(fn)	(((fn)->options & DNS_ADBFIND_WANTEVENT) != 0)
@@ -410,11 +390,11 @@ static isc_result_t dbfind_a6(dns_adbname_t *, isc_stdtime_t);
 #define STARTATZONE_MATCHES(nf, o) (((nf)->flags & NAME_STARTATZONE) == \
 				    ((o) & DNS_ADBFIND_STARTATZONE))
 
-#define ENTER_LEVEL		50
+#define ENTER_LEVEL		ISC_LOG_DEBUG(50)
 #define EXIT_LEVEL		ENTER_LEVEL
-#define CLEAN_LEVEL		100
-#define DEF_LEVEL		5
-#define NCACHE_LEVEL		20
+#define CLEAN_LEVEL		ISC_LOG_DEBUG(100)
+#define DEF_LEVEL		ISC_LOG_DEBUG(5)
+#define NCACHE_LEVEL		ISC_LOG_DEBUG(20)
 
 #define NCACHE_RESULT(r)	((r) == DNS_R_NCACHENXDOMAIN || \
 				 (r) == DNS_R_NCACHENXRRSET)
@@ -471,7 +451,7 @@ DP(int level, const char *format, ...) {
 	va_start(args, format);
 	isc_log_vwrite(dns_lctx,
 		       DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_ADB,
-		       ISC_LOG_DEBUG(level), format, args);
+		       level, format, args);
 	va_end(args);
 }
 
@@ -622,67 +602,6 @@ import_rdataset(dns_adbname_t *adbname, dns_rdataset_t *rdataset,
 	return (result);
 }
 
-static void
-import_a6(dns_a6context_t *a6ctx) {
-	dns_adbname_t *name;
-	dns_adb_t *adb;
-	dns_adbnamehook_t *nh;
-	dns_adbentry_t *foundentry;  /* NO CLEAN UP! */
-	int addr_bucket;
-	isc_sockaddr_t sockaddr;
-
-	name = a6ctx->arg;
-	INSIST(DNS_ADBNAME_VALID(name));
-	adb = name->adb;
-	INSIST(DNS_ADB_VALID(adb));
-
-	addr_bucket = DNS_ADB_INVALIDBUCKET;
-
-	DP(ENTER_LEVEL, "ENTER: import_a6() name %p", name);
-
-	nh = new_adbnamehook(adb, NULL);
-	if (nh == NULL) {
-		name->partial_result |= DNS_ADBFIND_INET6; /* clear for AAAA */
-		goto fail;
-	}
-
-	isc_sockaddr_fromin6(&sockaddr, &a6ctx->in6addr, 0);
-
-	foundentry = find_entry_and_lock(adb, &sockaddr, &addr_bucket);
-	if (foundentry == NULL) {
-		dns_adbentry_t *entry;
-		entry = new_adbentry(adb);
-		if (entry == NULL) {
-			name->partial_result |= DNS_ADBFIND_INET6;
-			goto fail;
-		}
-
-		entry->sockaddr = sockaddr;
-		entry->refcnt = 1;
-		nh->entry = entry;
-		link_entry(adb, addr_bucket, entry);
-	} else {
-		foundentry->refcnt++;
-		nh->entry = foundentry;
-	}
-
-	ISC_LIST_APPEND(name->v6, nh, plink);
-	nh = NULL;
-
- fail:
-	DP(NCACHE_LEVEL, "expire_v6 set to MIN(%u,%u) in import_v6",
-	   name->expire_v6, a6ctx->expiration);
-	name->expire_v6 = ISC_MIN(name->expire_v6, a6ctx->expiration);
-
-	name->flags |= NAME_NEEDS_POKE;
-
-	if (nh != NULL)
-		free_adbnamehook(adb, &nh);
-
-	if (addr_bucket != DNS_ADB_INVALIDBUCKET)
-		UNLOCK(&adb->entrylocks[addr_bucket]);
-}
-
 /*
  * Requires the name's bucket be locked.
  */
@@ -745,8 +664,11 @@ kill_name(dns_adbname_t **n, isc_eventtype_t ev) {
  * Requires the name's bucket be locked and no entry buckets be locked.
  */
 static isc_boolean_t
-check_expire_namehooks(dns_adbname_t *name, isc_stdtime_t now) {
+check_expire_namehooks(dns_adbname_t *name, isc_stdtime_t now,
+		       isc_boolean_t overmem)
+{
 	dns_adb_t *adb;
+	isc_boolean_t expire;
 	isc_boolean_t result4 = ISC_FALSE;
 	isc_boolean_t result6 = ISC_FALSE;
 
@@ -754,10 +676,20 @@ check_expire_namehooks(dns_adbname_t *name, isc_stdtime_t now) {
 	adb = name->adb;
 	INSIST(DNS_ADB_VALID(adb));
 
+	if (overmem) {
+		isc_uint32_t val;
+
+		isc_random_get(&val);
+
+		expire = ISC_TF((val % 4) == 0);
+	} else
+		expire = ISC_FALSE;
+
 	/*
 	 * Check to see if we need to remove the v4 addresses
 	 */
-	if (!NAME_FETCH_V4(name) && EXPIRE_OK(name->expire_v4, now)) {
+	if (!NAME_FETCH_V4(name) &&
+	    (expire || EXPIRE_OK(name->expire_v4, now))) {
 		if (NAME_HAS_V4(name)) {
 			DP(DEF_LEVEL, "expiring v4 for name %p", name);
 			result4 = clean_namehooks(adb, &name->v4);
@@ -770,7 +702,8 @@ check_expire_namehooks(dns_adbname_t *name, isc_stdtime_t now) {
 	/*
 	 * Check to see if we need to remove the v6 addresses
 	 */
-	if (!NAME_FETCH_V6(name) && EXPIRE_OK(name->expire_v6, now)) {
+	if (!NAME_FETCH_V6(name) &&
+	    (expire || EXPIRE_OK(name->expire_v6, now))) {
 		if (NAME_HAS_V6(name)) {
 			DP(DEF_LEVEL, "expiring v6 for name %p", name);
 			result6 = clean_namehooks(adb, &name->v6);
@@ -783,7 +716,7 @@ check_expire_namehooks(dns_adbname_t *name, isc_stdtime_t now) {
 	/*
 	 * Check to see if we need to remove the alias target.
 	 */
-	if (EXPIRE_OK(name->expire_target, now)) {
+	if (expire || EXPIRE_OK(name->expire_target, now)) {
 		clean_target(adb, &name->target);
 		name->expire_target = INT_MAX;
 	}
@@ -872,7 +805,7 @@ shutdown_names(dns_adb_t *adb) {
 	dns_adbname_t *name;
 	dns_adbname_t *next_name;
 
-	for (bucket = 0 ; bucket < NBUCKETS ; bucket++) {
+	for (bucket = 0; bucket < NBUCKETS; bucket++) {
 		LOCK(&adb->namelocks[bucket]);
 		adb->name_sd[bucket] = ISC_TRUE;
 
@@ -917,7 +850,7 @@ shutdown_entries(dns_adb_t *adb) {
 	dns_adbentry_t *entry;
 	dns_adbentry_t *next_entry;
 
-	for (bucket = 0 ; bucket < NBUCKETS ; bucket++) {
+	for (bucket = 0; bucket < NBUCKETS; bucket++) {
 		LOCK(&adb->entrylocks[bucket]);
 		adb->entry_sd[bucket] = ISC_TRUE;
 
@@ -957,21 +890,11 @@ shutdown_entries(dns_adb_t *adb) {
  */
 static void
 cancel_fetches_at_name(dns_adbname_t *name) {
-	dns_adbfetch6_t *fetch6;
-
 	if (NAME_FETCH_A(name))
 	    dns_resolver_cancelfetch(name->fetch_a->fetch);
 
-
 	if (NAME_FETCH_AAAA(name))
 	    dns_resolver_cancelfetch(name->fetch_aaaa->fetch);
-
-
-	fetch6 = ISC_LIST_HEAD(name->fetches_a6);
-	while (fetch6 != NULL) {
-		dns_resolver_cancelfetch(fetch6->fetch);
-		fetch6 = ISC_LIST_NEXT(fetch6, plink);
-	}
 }
 
 /*
@@ -1035,7 +958,7 @@ set_target(dns_adb_t *adb, dns_name_t *name, dns_name_t *fname,
 {
 	isc_result_t result;
 	dns_namereln_t namereln;
-	unsigned int nlabels, nbits;
+	unsigned int nlabels;
 	int order;
 	dns_rdata_t rdata = DNS_RDATA_INIT;
 	dns_fixedname_t fixed1, fixed2;
@@ -1064,8 +987,7 @@ set_target(dns_adb_t *adb, dns_name_t *name, dns_name_t *fname,
 		dns_rdata_dname_t dname;
 
 		INSIST(rdataset->type == dns_rdatatype_dname);
-		namereln = dns_name_fullcompare(name, fname, &order,
-						&nlabels, &nbits);
+		namereln = dns_name_fullcompare(name, fname, &order, &nlabels);
 		INSIST(namereln == dns_namereln_subdomain);
 		/*
 		 * Get the target name of the DNAME.
@@ -1084,13 +1006,7 @@ set_target(dns_adb_t *adb, dns_name_t *name, dns_name_t *fname,
 		prefix = dns_fixedname_name(&fixed1);
 		dns_fixedname_init(&fixed2);
 		new_target = dns_fixedname_name(&fixed2);
-		result = dns_name_split(name, nlabels, nbits, prefix, NULL);
-		if (result != ISC_R_SUCCESS) {
-			dns_rdata_freestruct(&dname);
-			return (result);
-		}
-		result = dns_name_concatenate(prefix, &dname.dname, new_target,
-					      NULL);
+		dns_name_split(name, nlabels, prefix, NULL);
 		dns_rdata_freestruct(&dname);
 		if (result != ISC_R_SUCCESS)
 			return (result);
@@ -1148,14 +1064,14 @@ clean_finds_at_name(dns_adbname_t *name, isc_eventtype_t evtype,
 
 		switch (evtype) {
 		case DNS_EVENT_ADBMOREADDRESSES:
-			DP(3, "DNS_EVENT_ADBMOREADDRESSES");
+			DP(ISC_LOG_DEBUG(3), "DNS_EVENT_ADBMOREADDRESSES");
 			if ((notify) != 0) {
 				find->flags &= ~addrs;
 				process = ISC_TRUE;
 			}
 			break;
 		case DNS_EVENT_ADBNOMOREADDRESSES:
-			DP(3, "DNS_EVENT_ADBNOMOREADDRESSES");
+			DP(ISC_LOG_DEBUG(3), "DNS_EVENT_ADBNOMOREADDRESSES");
 			find->flags &= ~addrs;
 			wanted = find->flags & DNS_ADBFIND_ADDRESSMASK;
 			if (wanted == 0)
@@ -1189,7 +1105,7 @@ clean_finds_at_name(dns_adbname_t *name, isc_eventtype_t evtype,
 			ev->ev_destroy_arg = find;
 
 			DP(DEF_LEVEL,
-			   "Sending event %p to task %p for find %p",
+			   "sending event %p to task %p for find %p",
 			   ev, task, find);
 
 			isc_task_sendanddetach(&task, (isc_event_t **)&ev);
@@ -1311,7 +1227,7 @@ dec_entry_refcnt(dns_adb_t *adb, dns_adbentry_t *entry, isc_boolean_t lock) {
 	free_adbentry(adb, &entry);
 	if (result)
 		result =dec_adb_irefcnt(adb);
-	
+
 	return (result);
 }
 
@@ -1342,7 +1258,6 @@ new_adbname(dns_adb_t *adb, dns_name_t *dnsname) {
 	ISC_LIST_INIT(name->v6);
 	name->fetch_a = NULL;
 	name->fetch_aaaa = NULL;
-	ISC_LIST_INIT(name->fetches_a6);
 	name->fetch_err = FIND_ERR_UNEXPECTED;
 	name->fetch6_err = FIND_ERR_UNEXPECTED;
 	ISC_LIST_INIT(name->finds);
@@ -1524,7 +1439,7 @@ new_adbfind(dns_adb_t *adb) {
 		return (NULL);
 	}
 
-	ISC_EVENT_INIT(&h->event, sizeof (isc_event_t), 0, 0, 0, NULL, NULL,
+	ISC_EVENT_INIT(&h->event, sizeof(isc_event_t), 0, 0, 0, NULL, NULL,
 		       NULL, NULL, h);
 
 	inc_adb_irefcnt(adb);
@@ -1589,134 +1504,6 @@ free_adbfetch(dns_adb_t *adb, dns_adbfetch_t **fetch) {
 	isc_mempool_put(adb->afmp, f);
 }
 
-/*
- * Caller must be holding the name lock.
- */
-static isc_result_t
-a6find(void *arg, dns_name_t *a6name, dns_rdatatype_t type, isc_stdtime_t now,
-       dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
-{
-	dns_adbname_t *name;
-	dns_adb_t *adb;
-	isc_result_t result;
-
-	name = arg;
-	INSIST(DNS_ADBNAME_VALID(name));
-	adb = name->adb;
-	INSIST(DNS_ADB_VALID(adb));
-
-	result = dns_view_simplefind(adb->view, a6name, type, now,
-				     DNS_DBFIND_GLUEOK, ISC_FALSE,
-				     rdataset, sigrdataset);
-	if (result == DNS_R_GLUE)
-		result = ISC_R_SUCCESS;
-	return (result);
-}
-
-/*
- * Caller must be holding the name lock.
- */
-static void
-a6missing(dns_a6context_t *a6ctx, dns_name_t *a6name) {
-	dns_adbname_t *name;
-	dns_adb_t *adb;
-	dns_adbfetch6_t *fetch;
-	isc_result_t result;
-
-	name = a6ctx->arg;
-	INSIST(DNS_ADBNAME_VALID(name));
-	adb = name->adb;
-	INSIST(DNS_ADB_VALID(adb));
-
-	fetch = new_adbfetch6(adb, name, a6ctx);
-	if (fetch == NULL) {
-		name->partial_result |= DNS_ADBFIND_INET6;
-		return;
-	}
-
-	result = dns_resolver_createfetch(adb->view->resolver, a6name,
-					  dns_rdatatype_a6,
-					  NULL, NULL, NULL, 0,
-					  adb->task, fetch_callback_a6,
-					  name, &fetch->rdataset, NULL,
-					  &fetch->fetch);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	name->chains = a6ctx->chains;
-	ISC_LIST_APPEND(name->fetches_a6, fetch, plink);
-
- cleanup:
-	if (result != ISC_R_SUCCESS) {
-		free_adbfetch6(adb, &fetch);
-		name->partial_result |= DNS_ADBFIND_INET6;
-	}
-}
-
-static inline dns_adbfetch6_t *
-new_adbfetch6(dns_adb_t *adb, dns_adbname_t *name, dns_a6context_t *a6ctx) {
-	dns_adbfetch6_t *f;
-
-	f = isc_mempool_get(adb->af6mp);
-	if (f == NULL)
-		return (NULL);
-
-	f->magic = 0;
-	f->namehook = NULL;
-	f->entry = NULL;
-	f->fetch = NULL;
-	f->flags = 0;
-
-	f->namehook = new_adbnamehook(adb, NULL);
-	if (f->namehook == NULL)
-		goto err;
-
-	f->entry = new_adbentry(adb);
-	if (f->entry == NULL)
-		goto err;
-
-	dns_rdataset_init(&f->rdataset);
-
-	dns_a6_init(&f->a6ctx, a6find, NULL, import_a6,
-		    a6missing, name);
-	if (a6ctx != NULL)
-		dns_a6_copy(a6ctx, &f->a6ctx);
-
-	ISC_LINK_INIT(f, plink);
-	f->magic = DNS_ADBFETCH6_MAGIC;
-
-	return (f);
-
- err:
-	if (f->namehook != NULL)
-		free_adbnamehook(adb, &f->namehook);
-	if (f->entry != NULL)
-		free_adbentry(adb, &f->entry);
-	isc_mempool_put(adb->af6mp, f);
-	return (NULL);
-}
-
-static inline void
-free_adbfetch6(dns_adb_t *adb, dns_adbfetch6_t **fetch) {
-	dns_adbfetch6_t *f;
-
-	INSIST(fetch != NULL && DNS_ADBFETCH6_VALID(*fetch));
-	f = *fetch;
-	*fetch = NULL;
-
-	f->magic = 0;
-
-	if (f->namehook != NULL)
-		free_adbnamehook(adb, &f->namehook);
-	if (f->entry != NULL)
-		free_adbentry(adb, &f->entry);
-
-	if (dns_rdataset_isassociated(&f->rdataset))
-		dns_rdataset_disassociate(&f->rdataset);
-
-	isc_mempool_put(adb->af6mp, f);
-}
-
 static inline isc_boolean_t
 free_adbfind(dns_adb_t *adb, dns_adbfind_t **findp) {
 	dns_adbfind_t *find;
@@ -1792,7 +1579,7 @@ find_name_and_lock(dns_adb_t *adb, dns_name_t *name,
 	dns_adbname_t *adbname;
 	int bucket;
 
-	bucket = dns_name_fullhash(name, ISC_FALSE) % NBUCKETS;
+	bucket = dns_fullname_hash(name, ISC_FALSE) % NBUCKETS;
 
 	if (*bucketp == DNS_ADB_INVALIDBUCKET) {
 		LOCK(&adb->namelocks[bucket]);
@@ -1989,12 +1776,12 @@ shutdown_task(isc_task_t *task, isc_event_t *ev) {
 }
 
 /*
- * name bucket must be locked; adb may be locked; no other locks held.
+ * Name bucket must be locked; adb may be locked; no other locks held.
  */
 static isc_boolean_t
 check_expire_name(dns_adbname_t **namep, isc_stdtime_t now) {
 	dns_adbname_t *name;
-	isc_boolean_t result = ISC_FALSE;
+	isc_result_t result = ISC_FALSE;
 
 	INSIST(namep != NULL && DNS_ADBNAME_VALID(*namep));
 	name = *namep;
@@ -2024,12 +1811,13 @@ check_expire_name(dns_adbname_t **namep, isc_stdtime_t now) {
 }
 
 /*
- * entry bucket must be locked; adb may be locked; no other locks held.
+ * Entry bucket must be locked; adb may be locked; no other locks held.
  */
 static isc_boolean_t
 check_expire_entry(dns_adb_t *adb, dns_adbentry_t **entryp, isc_stdtime_t now)
 {
 	dns_adbentry_t *entry;
+	isc_boolean_t expire;
 	isc_boolean_t result = ISC_FALSE;
 
 	INSIST(entryp != NULL && DNS_ADBENTRY_VALID(*entryp));
@@ -2037,7 +1825,17 @@ check_expire_entry(dns_adb_t *adb, dns_adbentry_t **entryp, isc_stdtime_t now)
 
 	if (entry->refcnt != 0)
 		return (result);
-	if (entry->expires == 0 || entry->expires > now)
+
+	if (adb->overmem) {
+		isc_uint32_t val;
+
+		isc_random_get(&val);
+
+		expire = ISC_TF((val % 4) == 0);
+	} else
+		expire = ISC_FALSE;
+
+	if (entry->expires == 0 || (! expire && entry->expires > now))
 		return (result);
 
 	/*
@@ -2060,7 +1858,7 @@ static isc_boolean_t
 cleanup_names(dns_adb_t *adb, int bucket, isc_stdtime_t now) {
 	dns_adbname_t *name;
 	dns_adbname_t *next_name;
-	isc_boolean_t result = ISC_FALSE;
+	isc_result_t result = ISC_FALSE;
 
 	DP(CLEAN_LEVEL, "cleaning name bucket %d", bucket);
 
@@ -2074,7 +1872,7 @@ cleanup_names(dns_adb_t *adb, int bucket, isc_stdtime_t now) {
 	while (name != NULL) {
 		next_name = ISC_LIST_NEXT(name, plink);
 		INSIST(result == ISC_FALSE);
-		result = check_expire_namehooks(name, now);
+		result = check_expire_namehooks(name, now, adb->overmem);
 		if (!result)
 			result = check_expire_name(&name, now);
 		name = next_name;
@@ -2110,6 +1908,7 @@ timer_cleanup(isc_task_t *task, isc_event_t *ev) {
 	dns_adb_t *adb;
 	isc_stdtime_t now;
 	unsigned int i;
+	isc_interval_t interval;
 
 	UNUSED(task);
 
@@ -2120,7 +1919,7 @@ timer_cleanup(isc_task_t *task, isc_event_t *ev) {
 
 	isc_stdtime_get(&now);
 
-	for (i = 0 ; i < CLEAN_BUCKETS ; i++) {
+	for (i = 0; i < CLEAN_BUCKETS; i++) {
 		/*
 		 * Call our cleanup routines.
 		 */
@@ -2147,8 +1946,11 @@ timer_cleanup(isc_task_t *task, isc_event_t *ev) {
 	 * ISC_R_NOMEMORY, but it isn't clear what could be done here
 	 * if either one of those things happened.
 	 */
+	interval = adb->tick_interval;
+	if (adb->overmem)
+		isc_interval_set(&interval, 0, 1);
 	(void)isc_timer_reset(adb->timer, isc_timertype_once, NULL,
-			      &adb->tick_interval, ISC_FALSE);
+			      &interval, ISC_FALSE);
 
 	UNLOCK(&adb->lock);
 
@@ -2171,16 +1973,15 @@ destroy(dns_adb_t *adb) {
 	isc_mempool_destroy(&adb->ahmp);
 	isc_mempool_destroy(&adb->aimp);
 	isc_mempool_destroy(&adb->afmp);
-	isc_mempool_destroy(&adb->af6mp);
 
-	isc_mutexblock_destroy(adb->entrylocks, NBUCKETS);
-	isc_mutexblock_destroy(adb->namelocks, NBUCKETS);
+	DESTROYMUTEXBLOCK(adb->entrylocks, NBUCKETS);
+	DESTROYMUTEXBLOCK(adb->namelocks, NBUCKETS);
 
 	DESTROYLOCK(&adb->reflock);
 	DESTROYLOCK(&adb->lock);
 	DESTROYLOCK(&adb->mplock);
 
-	isc_mem_put(adb->mctx, adb, sizeof (dns_adb_t));
+	isc_mem_putanddetach(&adb->mctx, adb, sizeof(dns_adb_t));
 }
 
 
@@ -2202,7 +2003,7 @@ dns_adb_create(isc_mem_t *mem, dns_view_t *view, isc_timermgr_t *timermgr,
 	REQUIRE(taskmgr != NULL);
 	REQUIRE(newadb != NULL && *newadb == NULL);
 
-	adb = isc_mem_get(mem, sizeof (dns_adb_t));
+	adb = isc_mem_get(mem, sizeof(dns_adb_t));
 	if (adb == NULL)
 		return (ISC_R_NOMEMORY);
 
@@ -2220,21 +2021,23 @@ dns_adb_create(isc_mem_t *mem, dns_view_t *view, isc_timermgr_t *timermgr,
 	adb->ahmp = NULL;
 	adb->aimp = NULL;
 	adb->afmp = NULL;
-	adb->af6mp = NULL;
 	adb->task = NULL;
 	adb->timer = NULL;
-	adb->mctx = mem;
+	adb->mctx = NULL;
 	adb->view = view;
 	adb->timermgr = timermgr;
 	adb->taskmgr = taskmgr;
 	adb->next_cleanbucket = 0;
-	ISC_EVENT_INIT(&adb->cevent, sizeof adb->cevent, 0, NULL,
+	ISC_EVENT_INIT(&adb->cevent, sizeof(adb->cevent), 0, NULL,
 		       DNS_EVENT_ADBCONTROL, shutdown_task, adb,
 		       adb, NULL, NULL);
 	adb->cevent_sent = ISC_FALSE;
 	adb->shutting_down = ISC_FALSE;
+	adb->overmem = ISC_FALSE;
 	ISC_LIST_INIT(adb->whenshutdown);
 
+	isc_mem_attach(mem, &adb->mctx);
+
 	result = isc_mutex_init(&adb->lock);
 	if (result != ISC_R_SUCCESS)
 		goto fail0b;
@@ -2254,13 +2057,13 @@ dns_adb_create(isc_mem_t *mem, dns_view_t *view, isc_timermgr_t *timermgr,
 	result = isc_mutexblock_init(adb->namelocks, NBUCKETS);
 	if (result != ISC_R_SUCCESS)
 		goto fail1;
-	for (i = 0 ; i < NBUCKETS ; i++) {
+	for (i = 0; i < NBUCKETS; i++) {
 		ISC_LIST_INIT(adb->names[i]);
 		adb->name_sd[i] = ISC_FALSE;
 		adb->name_refcnt[i] = 0;
 		adb->irefcnt++;
 	}
-	for (i = 0 ; i < NBUCKETS ; i++) {
+	for (i = 0; i < NBUCKETS; i++) {
 		ISC_LIST_INIT(adb->entries[i]);
 		adb->entry_sd[i] = ISC_FALSE;
 		adb->entry_refcnt[i] = 0;
@@ -2274,7 +2077,7 @@ dns_adb_create(isc_mem_t *mem, dns_view_t *view, isc_timermgr_t *timermgr,
 	 * Memory pools
 	 */
 #define MPINIT(t, p, n) do { \
-	result = isc_mempool_create(mem, sizeof (t), &(p)); \
+	result = isc_mempool_create(mem, sizeof(t), &(p)); \
 	if (result != ISC_R_SUCCESS) \
 		goto fail3; \
 	isc_mempool_setfreemax((p), FREE_ITEMS); \
@@ -2290,7 +2093,6 @@ dns_adb_create(isc_mem_t *mem, dns_view_t *view, isc_timermgr_t *timermgr,
 	MPINIT(dns_adbfind_t, adb->ahmp, "adbfind");
 	MPINIT(dns_adbaddrinfo_t, adb->aimp, "adbaddrinfo");
 	MPINIT(dns_adbfetch_t, adb->afmp, "adbfetch");
-	MPINIT(dns_adbfetch6_t, adb->af6mp, "adbfetch6");
 
 #undef MPINIT
 
@@ -2311,8 +2113,7 @@ dns_adb_create(isc_mem_t *mem, dns_view_t *view, isc_timermgr_t *timermgr,
 	if (result != ISC_R_SUCCESS)
 		goto fail3;
 
-	DP(5,
-	   "Cleaning interval for adb:  "
+	DP(ISC_LOG_DEBUG(5), "cleaning interval for adb: "
 	   "%u buckets every %u seconds, %u buckets in system, %u cl.interval",
 	   CLEAN_BUCKETS, CLEAN_SECONDS, NBUCKETS, CLEAN_PERIOD);
 
@@ -2330,10 +2131,10 @@ dns_adb_create(isc_mem_t *mem, dns_view_t *view, isc_timermgr_t *timermgr,
 		isc_timer_detach(&adb->timer);
 
 	/* clean up entrylocks */
-	isc_mutexblock_destroy(adb->entrylocks, NBUCKETS);
+	DESTROYMUTEXBLOCK(adb->entrylocks, NBUCKETS);
 
  fail2: /* clean up namelocks */
-	isc_mutexblock_destroy(adb->namelocks, NBUCKETS);
+	DESTROYMUTEXBLOCK(adb->namelocks, NBUCKETS);
 
  fail1: /* clean up only allocated memory */
 	if (adb->nmp != NULL)
@@ -2350,8 +2151,6 @@ dns_adb_create(isc_mem_t *mem, dns_view_t *view, isc_timermgr_t *timermgr,
 		isc_mempool_destroy(&adb->aimp);
 	if (adb->afmp != NULL)
 		isc_mempool_destroy(&adb->afmp);
-	if (adb->af6mp != NULL)
-		isc_mempool_destroy(&adb->af6mp);
 
 	DESTROYLOCK(&adb->reflock);
  fail0d:
@@ -2359,7 +2158,7 @@ dns_adb_create(isc_mem_t *mem, dns_view_t *view, isc_timermgr_t *timermgr,
  fail0c:
 	DESTROYLOCK(&adb->lock);
  fail0b:
-	isc_mem_put(mem, adb, sizeof (dns_adb_t));
+	isc_mem_putanddetach(&adb->mctx, adb, sizeof(dns_adb_t));
 
 	return (result);
 }
@@ -2450,6 +2249,7 @@ dns_adb_shutdown(dns_adb_t *adb) {
 
 	if (!adb->shutting_down) {
 		adb->shutting_down = ISC_TRUE;
+		isc_mem_setwater(adb->mctx, water, adb, 0, 0);
 		need_check_exit = shutdown_names(adb);
 		if (!need_check_exit)
 			need_check_exit = shutdown_entries(adb);
@@ -2568,7 +2368,8 @@ dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
 	/*
 	 * Expire old entries, etc.
 	 */
-	RUNTIME_CHECK(check_expire_namehooks(adbname, now) == ISC_FALSE);
+	RUNTIME_CHECK(check_expire_namehooks(adbname, now, adb->overmem) ==
+		      ISC_FALSE);
 
 	/*
 	 * Do we know that the name is an alias?
@@ -2615,7 +2416,7 @@ dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
 		 * v6 queries; they won't work.
 		 *
 		 * If the name does exist but we didn't get our data, go
-		 * ahead and try a6.
+		 * ahead and try AAAA.
 		 *
 		 * If the result is neither of these, try a fetch for A.
 		 */
@@ -2631,32 +2432,6 @@ dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
  v6:
 	if (!NAME_HAS_V6(adbname) && EXPIRE_OK(adbname->expire_v6, now)
 	    && WANT_INET6(wanted_addresses)) {
-		result = dbfind_a6(adbname, now);
-		if (result == ISC_R_SUCCESS) {
-			DP(DEF_LEVEL,
-			   "dns_adb_createfind: found A6 for name %p",
-			   adbname);
-			goto fetch;
-		}
-
-		/*
-		 * Did we get a CNAME or DNAME?
-		 */
-		if (result == DNS_R_ALIAS) {
-			DP(DEF_LEVEL,
-			   "dns_adb_createfind: name %p is an alias",
-			   adbname);
-			alias = ISC_TRUE;
-			goto post_copy;
-		}
-
-		/*
-		 * If the name doesn't exist at all, jump to the fetch
-		 * code.  Otherwise, we'll try AAAA.
-		 */
-		if (NXDOMAIN_RESULT(result))
-			goto fetch;
-
 		result = dbfind_name(adbname, now, dns_rdatatype_aaaa);
 		if (result == ISC_R_SUCCESS) {
 			DP(DEF_LEVEL,
@@ -2666,9 +2441,7 @@ dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
 		}
 
 		/*
-		 * Did we get a CNAME or DNAME?  This should have hit
-		 * during the A6 query, but we'll reproduce it here Just
-		 * In Case.
+		 * Did we get a CNAME or DNAME?
 		 */
 		if (result == DNS_R_ALIAS) {
 			DP(DEF_LEVEL,
@@ -2711,7 +2484,8 @@ dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
 		 * Start V4.
 		 */
 		if (WANT_INET(wanted_fetches) &&
-		    fetch_name_v4(adbname, start_at_zone) == ISC_R_SUCCESS) {
+		    fetch_name(adbname, start_at_zone,
+			       dns_rdatatype_a) == ISC_R_SUCCESS) {
 			DP(DEF_LEVEL,
 			   "dns_adb_createfind: started A fetch for name %p",
 			   adbname);
@@ -2721,9 +2495,11 @@ dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
 		 * Start V6.
 		 */
 		if (WANT_INET6(wanted_fetches) &&
-		    fetch_name_a6(adbname, start_at_zone) == ISC_R_SUCCESS) {
+		    fetch_name(adbname, start_at_zone,
+			       dns_rdatatype_aaaa) == ISC_R_SUCCESS) {
 			DP(DEF_LEVEL,
-			   "dns_adb_createfind: started A6 fetch for name %p",
+			   "dns_adb_createfind: "
+			   "started AAAA fetch for name %p",
 			   adbname);
 		}
 	}
@@ -2808,7 +2584,8 @@ dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
 		}
 	}
 
-	UNLOCK(&adb->namelocks[bucket]);
+	if (bucket != DNS_ADB_INVALIDBUCKET)
+		UNLOCK(&adb->namelocks[bucket]);
 
 	return (result);
 }
@@ -2917,7 +2694,7 @@ dns_adb_cancelfind(dns_adbfind_t *find) {
 		find->result_v4 = ISC_R_CANCELED;
 		find->result_v6 = ISC_R_CANCELED;
 
-		DP(DEF_LEVEL, "Sending event %p to task %p for find %p",
+		DP(DEF_LEVEL, "sending event %p to task %p for find %p",
 		   ev, task, find);
 
 		isc_task_sendanddetach(&task, (isc_event_t **)&ev);
@@ -2964,15 +2741,15 @@ dump_adb(dns_adb_t *adb, FILE *f, isc_boolean_t debug) {
 			adb, adb->erefcnt, adb->irefcnt,
 			isc_mempool_getallocated(adb->nhmp));
 
-	for (i = 0 ; i < NBUCKETS ; i++)
+	for (i = 0; i < NBUCKETS; i++)
 		LOCK(&adb->namelocks[i]);
-	for (i = 0 ; i < NBUCKETS ; i++)
+	for (i = 0; i < NBUCKETS; i++)
 		LOCK(&adb->entrylocks[i]);
 
 	/*
 	 * Dump the names
 	 */
-	for (i = 0 ; i < NBUCKETS ; i++) {
+	for (i = 0; i < NBUCKETS; i++) {
 		name = ISC_LIST_HEAD(adb->names[i]);
 		if (name == NULL)
 			continue;
@@ -3003,8 +2780,8 @@ dump_adb(dns_adb_t *adb, FILE *f, isc_boolean_t debug) {
 
 			fprintf(f, "\n");
 
-			print_namehook_list(f, "v4", &name->v4, debug);
-			print_namehook_list(f, "v6", &name->v6, debug);
+			print_namehook_list(f, "v4", &name->v4, debug, now);
+			print_namehook_list(f, "v6", &name->v6, debug, now);
 
 			if (debug)
 				print_fetch_list(f, name);
@@ -3024,20 +2801,29 @@ dump_adb(dns_adb_t *adb, FILE *f, isc_boolean_t debug) {
 }
 
 static void
-dump_entry(FILE *f, dns_adbentry_t *entry, isc_boolean_t debug)
+dump_entry(FILE *f, dns_adbentry_t *entry, isc_boolean_t debug,
+	   isc_stdtime_t now)
 {
 	char addrbuf[ISC_NETADDR_FORMATSIZE];
 	isc_netaddr_t netaddr;
+	dns_adbzoneinfo_t *zi;
 
 	isc_netaddr_fromsockaddr(&netaddr, &entry->sockaddr);
-	isc_netaddr_format(&netaddr, addrbuf, sizeof addrbuf);
+	isc_netaddr_format(&netaddr, addrbuf, sizeof(addrbuf));
 
 	if (debug)
-		fprintf(f, ";\t%p: refcnt %u flags %08x \n",
-			entry, entry->refcnt, entry->flags);
-			
-	fprintf(f, ";\t%s [srtt %u]", addrbuf, entry->srtt);
+		fprintf(f, ";\t%p: refcnt %u\n", entry, entry->refcnt);
+
+	fprintf(f, ";\t%s [srtt %u] [flags %08x]",
+		addrbuf, entry->srtt, entry->flags);
 	fprintf(f, "\n");
+	for (zi = ISC_LIST_HEAD(entry->zoneinfo);
+	     zi != NULL;
+	     zi = ISC_LIST_NEXT(zi, plink)) {
+		fprintf(f, ";\t\t");
+		print_dns_name(f, &zi->zone);
+		fprintf(f, " [lame TTL %d]\n", zi->lame_timer - now);
+	}
 }
 
 void
@@ -3069,11 +2855,11 @@ dns_adb_dumpfind(dns_adbfind_t *find, FILE *f) {
 		switch (sa->type.sa.sa_family) {
 		case AF_INET:
 			tmpp = inet_ntop(AF_INET, &sa->type.sin.sin_addr,
-					 tmp, sizeof tmp);
+					 tmp, sizeof(tmp));
 			break;
 		case AF_INET6:
 			tmpp = inet_ntop(AF_INET6, &sa->type.sin6.sin6_addr,
-					 tmp, sizeof tmp);
+					 tmp, sizeof(tmp));
 			break;
 		default:
 			tmpp = "UnkFamily";
@@ -3104,7 +2890,7 @@ print_dns_name(FILE *f, dns_name_t *name) {
 
 static void
 print_namehook_list(FILE *f, const char *legend, dns_adbnamehooklist_t *list,
-		    isc_boolean_t debug)
+		    isc_boolean_t debug, isc_stdtime_t now)
 {
 	dns_adbnamehook_t *nh;
 
@@ -3114,7 +2900,7 @@ print_namehook_list(FILE *f, const char *legend, dns_adbnamehooklist_t *list,
 	{
 		if (debug)
 			fprintf(f, ";\tHook(%s) %p\n", legend, nh);
-		dump_entry(f, nh->entry, debug);
+		dump_entry(f, nh->entry, debug, now);
 	}
 }
 
@@ -3124,26 +2910,12 @@ print_fetch(FILE *f, dns_adbfetch_t *ft, const char *type) {
 		type, ft, ft->namehook, ft->entry, ft->fetch);
 }
 
-static inline void
-print_fetch6(FILE *f, dns_adbfetch6_t *ft) {
-	fprintf(f, "\t\tFetch(A6): %p -> { nh %p, entry %p, fetch %p }\n",
-		ft, ft->namehook, ft->entry, ft->fetch);
-}
-
 static void
 print_fetch_list(FILE *f, dns_adbname_t *n) {
-	dns_adbfetch6_t *fetch6;
-
 	if (NAME_FETCH_A(n))
 		print_fetch(f, n->fetch_a, "A");
 	if (NAME_FETCH_AAAA(n))
 		print_fetch(f, n->fetch_aaaa, "AAAA");
-
-	fetch6 = ISC_LIST_HEAD(n->fetches_a6);
-	while (fetch6 != NULL) {
-		print_fetch6(f, fetch6);
-		fetch6 = ISC_LIST_NEXT(fetch6, plink);
-	}
 }
 
 static void
@@ -3181,7 +2953,7 @@ dbfind_name(dns_adbname_t *adbname, isc_stdtime_t now, dns_rdatatype_t rdtype)
 		adbname->fetch6_err = FIND_ERR_UNEXPECTED;
 
 	result = dns_view_find(adb->view, &adbname->name, rdtype, now,
-			       NAME_GLUEOK(adbname) ? DNS_DBFIND_GLUEOK : 0,
+			       NAME_GLUEOK(adbname),
 			       ISC_TF(NAME_HINTOK(adbname)),
 			       NULL, NULL, fname, &rdataset, NULL);
 
@@ -3291,106 +3063,6 @@ dbfind_name(dns_adbname_t *adbname, isc_stdtime_t now, dns_rdatatype_t rdtype)
 	return (result);
 }
 
-static isc_result_t
-dbfind_a6(dns_adbname_t *adbname, isc_stdtime_t now) {
-	isc_result_t result;
-	dns_rdataset_t rdataset;
-	dns_adb_t *adb;
-	dns_a6context_t a6ctx;
-	dns_fixedname_t foundname;
-	dns_name_t *fname;
-
-	INSIST(DNS_ADBNAME_VALID(adbname));
-	adb = adbname->adb;
-	INSIST(DNS_ADB_VALID(adb));
-
-	result = ISC_R_UNEXPECTED;
-
-	dns_fixedname_init(&foundname);
-	fname =	dns_fixedname_name(&foundname);
-	dns_rdataset_init(&rdataset);
-
-	adbname->fetch6_err = FIND_ERR_UNEXPECTED;
-
-	result = dns_view_find(adb->view, &adbname->name, dns_rdatatype_a6,
-			       now, NAME_GLUEOK(adbname),
-			       ISC_TF(NAME_HINTOK(adbname)),
-			       NULL, NULL, fname, &rdataset, NULL);
-
-	switch (result) {
-	case DNS_R_GLUE:
-	case DNS_R_HINT:
-	case ISC_R_SUCCESS:
-		/*
-		 * Start a6 chain follower.  There is no need to poke people
-		 * who might be waiting, since this is call requires there
-		 * are none.
-		 */
-		adbname->fetch6_err = FIND_ERR_SUCCESS;
-		dns_a6_init(&a6ctx, a6find, NULL, import_a6,
-			    a6missing, adbname);
-		(void)dns_a6_foreach(&a6ctx, &rdataset, now);
-		adbname->flags &= ~NAME_NEEDS_POKE;
-		result = ISC_R_SUCCESS;
-		break;
-	case DNS_R_NXDOMAIN:
-	case DNS_R_NXRRSET:
-		/*
-		 * We're authoritative and the data doesn't exist.
-		 * Make up a negative cache entry so we don't ask again
-		 * for a while.
-		 *
-		 * XXXRTH  What time should we use?  I'm putting in 30 seconds
-		 * for now.
-		 */
-		DP(NCACHE_LEVEL,
-		   "adb name %p: Caching auth negative entry for A6",
-		   adbname);
-		adbname->expire_v6 = now + 30;
-		if (result == DNS_R_NXDOMAIN)
-			adbname->fetch6_err = FIND_ERR_NXDOMAIN;
-		else
-			adbname->fetch6_err = FIND_ERR_NXRRSET;
-		break;
-	case DNS_R_NCACHENXDOMAIN:
-	case DNS_R_NCACHENXRRSET:
-		/*
-		 * We found a negative cache entry.  Pull the TTL from it
-		 * so we won't ask again for a while.
-		 */
-		DP(NCACHE_LEVEL,
-		   "adb name %p: Caching negative entry for A6 (ttl %u)",
-		   adbname, rdataset.ttl);
-		adbname->expire_v6 = ISC_MIN(rdataset.ttl + now,
-					     adbname->expire_v6);
-		if (result == DNS_R_NCACHENXDOMAIN)
-			adbname->fetch6_err = FIND_ERR_NXDOMAIN;
-		else
-			adbname->fetch6_err = FIND_ERR_NXRRSET;
-		break;
-	case DNS_R_CNAME:
-	case DNS_R_DNAME:
-		rdataset.ttl = ttlclamp(rdataset.ttl);
-		clean_target(adb, &adbname->target);
-		adbname->expire_target = INT_MAX;
-		result = set_target(adb, &adbname->name, fname, &rdataset,
-				    &adbname->target);
-		if (result == ISC_R_SUCCESS) {
-			result = DNS_R_ALIAS;
-			DP(NCACHE_LEVEL,
-			   "adb name %p: caching alias target",
-			   adbname);
-			adbname->expire_target = rdataset.ttl + now;
-		}
-		break;
-	}
-
-	if (dns_rdataset_isassociated(&rdataset))
-		dns_rdataset_disassociate(&rdataset);
-
-	return (result);
-}
-
 static void
 fetch_callback(isc_task_t *task, isc_event_t *ev) {
 	dns_fetchevent_t *dev;
@@ -3473,7 +3145,7 @@ fetch_callback(isc_task_t *task, isc_event_t *ev) {
 		dev->rdataset->ttl = ttlclamp(dev->rdataset->ttl);
 		if (address_type == DNS_ADBFIND_INET) {
 			DP(NCACHE_LEVEL, "adb fetch name %p: "
-			   "Caching negative entry for A (ttl %u)",
+			   "caching negative entry for A (ttl %u)",
 			   name, dev->rdataset->ttl);
 			name->expire_v4 = ISC_MIN(name->expire_v4,
 						  dev->rdataset->ttl + now);
@@ -3483,7 +3155,7 @@ fetch_callback(isc_task_t *task, isc_event_t *ev) {
 				name->fetch_err = FIND_ERR_NXRRSET;
 		} else {
 			DP(NCACHE_LEVEL, "adb fetch name %p: "
-			   "Caching negative entry for AAAA (ttl %u)",
+			   "caching negative entry for AAAA (ttl %u)",
 			   name, dev->rdataset->ttl);
 			name->expire_v6 = ISC_MIN(name->expire_v6,
 						  dev->rdataset->ttl + now);
@@ -3520,6 +3192,12 @@ fetch_callback(isc_task_t *task, isc_event_t *ev) {
 	 * sitting out there, tell all the finds about it.
 	 */
 	if (dev->result != ISC_R_SUCCESS) {
+		char buf[DNS_NAME_FORMATSIZE];
+
+		dns_name_format(&name->name, buf, sizeof(buf));
+		DP(DEF_LEVEL, "adb: fetch of '%s' %s failed: %s",
+		   buf, address_type == DNS_ADBFIND_INET ? "A" : "AAAA",
+		   dns_result_totext(dev->result));
 		/* XXXMLG Don't pound on bad servers. */
 		if (address_type == DNS_ADBFIND_INET) {
 			name->expire_v4 = ISC_MIN(name->expire_v4, now + 300);
@@ -3554,201 +3232,11 @@ fetch_callback(isc_task_t *task, isc_event_t *ev) {
 	UNLOCK(&adb->namelocks[bucket]);
 }
 
-static void
-fetch_callback_a6(isc_task_t *task, isc_event_t *ev) {
-	dns_fetchevent_t *dev;
-	dns_adbname_t *name;
-	dns_adb_t *adb;
-	dns_adbfetch6_t *fetch;
-	int bucket;
-	isc_stdtime_t now;
-	isc_result_t result;
-	isc_boolean_t want_check_exit = ISC_FALSE;
-
-	UNUSED(task);
-
-	INSIST(ev->ev_type == DNS_EVENT_FETCHDONE);
-	dev = (dns_fetchevent_t *)ev;
-	name = ev->ev_arg;
-	INSIST(DNS_ADBNAME_VALID(name));
-	adb = name->adb;
-	INSIST(DNS_ADB_VALID(adb));
-
-	bucket = name->lock_bucket;
-	LOCK(&adb->namelocks[bucket]);
-
-	INSIST(!NAME_NEEDSPOKE(name));
-
-	for (fetch = ISC_LIST_HEAD(name->fetches_a6);
-	     fetch != NULL;
-	     fetch = ISC_LIST_NEXT(fetch, plink))
-		if (fetch->fetch == dev->fetch)
-			break;
-	INSIST(fetch != NULL);
-	ISC_LIST_UNLINK(name->fetches_a6, fetch, plink);
-
-	DP(ENTER_LEVEL, "ENTER: fetch_callback_a6() name %p", name);
-
-	dns_resolver_destroyfetch(&fetch->fetch);
-	dev->fetch = NULL;
-
-	/*
-	 * Cleanup things we don't care about.
-	 */
-	if (dev->node != NULL)
-		dns_db_detachnode(dev->db, &dev->node);
-	if (dev->db != NULL)
-		dns_db_detach(&dev->db);
-
-	/*
-	 * If this name is marked as dead, clean up, throwing away
-	 * potentially good data.
-	 */
-	if (NAME_DEAD(name)) {
-		free_adbfetch6(adb, &fetch);
-		isc_event_free(&ev);
-
-		want_check_exit = kill_name(&name, DNS_EVENT_ADBCANCELED);
-
-		UNLOCK(&adb->namelocks[bucket]);
-
-		if (want_check_exit) {
-			LOCK(&adb->lock);
-			check_exit(adb);
-			UNLOCK(&adb->lock);
-		}
-
-		return;
-	}
-
-	isc_stdtime_get(&now);
-
-	/*
-	 * If the A6 query didn't succeed, and this is the first query
-	 * in the A6 chain, try AAAA records instead.  For later failures,
-	 * don't do this.
-	 */
-	if (dev->result != ISC_R_SUCCESS) {
-		DP(DEF_LEVEL, "name %p: A6 failed: %s",
-		   name, isc_result_totext(dev->result));
-
-		/*
-		 * If we got a negative cache response, remember it.
-		 */
-		if (NCACHE_RESULT(dev->result)) {
-			dev->rdataset->ttl = ttlclamp(dev->rdataset->ttl);
-			DP(NCACHE_LEVEL, "adb fetch name %p: "
-			   "Caching negative entry for A6 (ttl %u)",
-			   name, dev->rdataset->ttl);
-			name->expire_v6 = ISC_MIN(name->expire_v6,
-						  dev->rdataset->ttl + now);
-			if (dev->result == DNS_R_NCACHENXDOMAIN)
-				name->fetch6_err = FIND_ERR_NXDOMAIN;
-			else
-				name->fetch6_err = FIND_ERR_NXRRSET;
-		}
-
-		/*
-		 * Handle CNAME/DNAME.
-		 */
-		if (dev->result == DNS_R_CNAME || dev->result == DNS_R_DNAME) {
-			dev->rdataset->ttl = ttlclamp(dev->rdataset->ttl);
-			clean_target(adb, &name->target);
-			name->expire_target = INT_MAX;
-			result = set_target(adb, &name->name,
-					  dns_fixedname_name(&dev->foundname),
-					    dev->rdataset,
-					    &name->target);
-			if (result == ISC_R_SUCCESS) {
-				DP(NCACHE_LEVEL,
-				  "adb A6 fetch name %p: caching alias target",
-				   name);
-				name->expire_target = dev->rdataset->ttl + now;
-				if (FETCH_FIRSTA6(fetch)) {
-					/*
-					 * Make this name 'pokeable', since
-					 * we've learned that this name is an
-					 * alias.
-					 */
-					name->flags |= NAME_NEEDS_POKE;
-				}
-			}
-			goto out;
-		}
-
-		if (FETCH_FIRSTA6(fetch) && !NAME_HAS_V6(name)) {
-			DP(DEF_LEVEL,
-			   "name %p: A6 query failed, starting AAAA", name);
-
-			/*
-			 * Since this is the very first fetch, and it
-			 * failed, we know there are no more running.
-			 */
-			result = dbfind_name(name, now, dns_rdatatype_aaaa);
-			if (result == ISC_R_SUCCESS) {
-				DP(DEF_LEVEL,
-				   "name %p: callback_a6: Found AAAA for",
-				   name);
-				name->flags |= NAME_NEEDS_POKE;
-				goto out;
-			}
-
-			/*
-			 * Listen to negative cache hints, and don't start
-			 * another query.
-			 */
-			if (NCACHE_RESULT(result) || AUTH_NX(result)) {
-				if (NXDOMAIN_RESULT(result))
-					name->fetch6_err = NEWERR(name->fetch6_err, FIND_ERR_NXDOMAIN);
-				else
-					name->fetch6_err = NEWERR(name->fetch6_err, FIND_ERR_NXRRSET);
-				goto out;
-			}
-
-			/*
-			 * Try to start fetches for AAAA.
-			 */
-			result = fetch_name_aaaa(name);
-			if (result == ISC_R_SUCCESS) {
-				DP(DEF_LEVEL,
-				   "name %p: callback_a6: Started AAAA fetch",
-				   name);
-				goto out;
-			}
-		}
-
-		goto out;
-	}
-
-	/*
-	 * We got something potentially useful.  Run the A6 chain
-	 * follower on this A6 rdataset.
-	 */
-
-	fetch->a6ctx.chains = name->chains;
-	(void)dns_a6_foreach(&fetch->a6ctx, dev->rdataset, now);
-
- out:
-	free_adbfetch6(adb, &fetch);
-	isc_event_free(&ev);
-
-	if (NAME_NEEDSPOKE(name)) {
-		clean_finds_at_name(name, DNS_EVENT_ADBMOREADDRESSES,
-				    DNS_ADBFIND_INET6);
-			name->fetch6_err = FIND_ERR_SUCCESS;
-	} else if (!NAME_FETCH_V6(name))
-		clean_finds_at_name(name, DNS_EVENT_ADBNOMOREADDRESSES,
-				    DNS_ADBFIND_INET6);
-
-	name->flags &= ~NAME_NEEDS_POKE;
-
-	UNLOCK(&adb->namelocks[bucket]);
-
-	return;
-}
-
 static isc_result_t
-fetch_name_v4(dns_adbname_t *adbname, isc_boolean_t start_at_zone) {
+fetch_name(dns_adbname_t *adbname,
+	   isc_boolean_t start_at_zone,
+	   dns_rdatatype_t type)
+{
 	isc_result_t result;
 	dns_adbfetch_t *fetch = NULL;
 	dns_adb_t *adb;
@@ -3762,7 +3250,8 @@ fetch_name_v4(dns_adbname_t *adbname, isc_boolean_t start_at_zone) {
 	adb = adbname->adb;
 	INSIST(DNS_ADB_VALID(adb));
 
-	INSIST(!NAME_FETCH_V4(adbname));
+	INSIST((type == dns_rdatatype_a && !NAME_FETCH_V4(adbname)) ||
+	       (type == dns_rdatatype_aaaa && !NAME_FETCH_V6(adbname)));
 
 	adbname->fetch_err = FIND_ERR_NOTFOUND;
 
@@ -3770,9 +3259,10 @@ fetch_name_v4(dns_adbname_t *adbname, isc_boolean_t start_at_zone) {
 	nameservers = NULL;
 	dns_rdataset_init(&rdataset);
 
-	options = 0;
+	options = DNS_FETCHOPT_NOVALIDATE;
 	if (start_at_zone) {
-		DP(50, "fetch_name_v4: starting at zone for name %p",
+		DP(ENTER_LEVEL,
+		   "fetch_name: starting at zone for name %p",
 		   adbname);
 		dns_fixedname_init(&fixed);
 		name = dns_fixedname_name(&fixed);
@@ -3792,16 +3282,18 @@ fetch_name_v4(dns_adbname_t *adbname, isc_boolean_t start_at_zone) {
 	}
 
 	result = dns_resolver_createfetch(adb->view->resolver, &adbname->name,
-					  dns_rdatatype_a,
-					  name, nameservers, NULL, options,
-					  adb->task, fetch_callback,
+					  type, name, nameservers, NULL,
+					  options, adb->task, fetch_callback,
 					  adbname, &fetch->rdataset, NULL,
 					  &fetch->fetch);
 	if (result != ISC_R_SUCCESS)
 		goto cleanup;
 
-	adbname->fetch_a = fetch;
-	fetch = NULL;  /* keep us from cleaning this up below */
+	if (type == dns_rdatatype_a)
+		adbname->fetch_a = fetch;
+	else
+		adbname->fetch_aaaa = fetch;
+	fetch = NULL;  /* Keep us from cleaning this up below. */
 
  cleanup:
 	if (fetch != NULL)
@@ -3812,113 +3304,7 @@ fetch_name_v4(dns_adbname_t *adbname, isc_boolean_t start_at_zone) {
 	return (result);
 }
 
-/* XXXMLG Why doesn't this look a lot like fetch_name_a and fetch_name_a6? */
-static isc_result_t
-fetch_name_aaaa(dns_adbname_t *adbname) {
-	isc_result_t result;
-	dns_adbfetch_t *fetch;
-	dns_adb_t *adb;
-
-	INSIST(DNS_ADBNAME_VALID(adbname));
-	adb = adbname->adb;
-	INSIST(DNS_ADB_VALID(adb));
-
-	INSIST(!NAME_FETCH_AAAA(adbname));
-
-	adbname->fetch6_err = FIND_ERR_NOTFOUND;
-
-	fetch = new_adbfetch(adb);
-	if (fetch == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto cleanup;
-	}
-
-	result = dns_resolver_createfetch(adb->view->resolver, &adbname->name,
-					  dns_rdatatype_aaaa,
-					  NULL, NULL, NULL, 0,
-					  adb->task, fetch_callback,
-					  adbname, &fetch->rdataset, NULL,
-					  &fetch->fetch);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	adbname->fetch_aaaa = fetch;
-	fetch = NULL;  /* keep us from cleaning this up below */
-
- cleanup:
-	if (fetch != NULL)
-		free_adbfetch(adb, &fetch);
-
-	return (result);
-}
-
-static isc_result_t
-fetch_name_a6(dns_adbname_t *adbname, isc_boolean_t start_at_zone) {
-	isc_result_t result;
-	dns_adbfetch6_t *fetch = NULL;
-	dns_adb_t *adb;
-	dns_fixedname_t fixed;
-	dns_name_t *name;
-	dns_rdataset_t rdataset;
-	dns_rdataset_t *nameservers;
-	unsigned int options;
-
-	INSIST(DNS_ADBNAME_VALID(adbname));
-	adb = adbname->adb;
-	INSIST(DNS_ADB_VALID(adb));
-
-	INSIST(!NAME_FETCH_V6(adbname));
-
-	adbname->fetch6_err = FIND_ERR_NOTFOUND;
-
-	name = NULL;
-	nameservers = NULL;
-	dns_rdataset_init(&rdataset);
-
-	options = 0;
-	if (start_at_zone) {
-		DP(50, "fetch_name_a6: starting at zone for name %p",
-		   adbname);
-		dns_fixedname_init(&fixed);
-		name = dns_fixedname_name(&fixed);
-		result = dns_view_findzonecut2(adb->view, &adbname->name, name,
-					       0, 0, ISC_TRUE, ISC_FALSE,
-					       &rdataset, NULL);
-		if (result != ISC_R_SUCCESS && result != DNS_R_HINT)
-			goto cleanup;
-		nameservers = &rdataset;
-		options |= DNS_FETCHOPT_UNSHARED;
-	}
-
-	fetch = new_adbfetch6(adb, adbname, NULL);
-	if (fetch == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto cleanup;
-	}
-	fetch->flags |= FETCH_FIRST_A6;
-
-	result = dns_resolver_createfetch(adb->view->resolver, &adbname->name,
-					  dns_rdatatype_a6,
-					  name, nameservers, NULL, options,
-					  adb->task, fetch_callback_a6,
-					  adbname, &fetch->rdataset, NULL,
-					  &fetch->fetch);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	ISC_LIST_APPEND(adbname->fetches_a6, fetch, plink);
-	fetch = NULL;  /* keep us from cleaning this up below */
-
- cleanup:
-	if (fetch != NULL)
-		free_adbfetch6(adb, &fetch);
-	if (dns_rdataset_isassociated(&rdataset))
-		dns_rdataset_disassociate(&rdataset);
-
-	return (result);
-}
-
-/* 
+/*
  * XXXMLG Needs to take a find argument and an address info, no zone or adb,
  * since these can be extracted from the find itself.
  */
@@ -3937,7 +3323,7 @@ dns_adb_marklame(dns_adb_t *adb, dns_adbaddrinfo_t *addr, dns_name_t *zone,
 	bucket = addr->entry->lock_bucket;
 	LOCK(&adb->entrylocks[bucket]);
 	zi = ISC_LIST_HEAD(addr->entry->zoneinfo);
-	while (zi != NULL && !dns_name_equal(zone, &zi->zone))
+	while (zi != NULL && dns_name_equal(zone, &zi->zone))
 		zi = ISC_LIST_NEXT(zi, plink);
 	if (zi != NULL) {
 		if (expire_time > zi->lame_timer)
@@ -3956,7 +3342,7 @@ dns_adb_marklame(dns_adb_t *adb, dns_adbaddrinfo_t *addr, dns_name_t *zone,
  unlock:
 	UNLOCK(&adb->entrylocks[bucket]);
 
-	return (result);
+	return (ISC_R_SUCCESS);
 }
 
 void
@@ -4044,9 +3430,9 @@ dns_adb_findaddrinfo(dns_adb_t *adb, isc_sockaddr_t *sa,
 		}
 		entry->sockaddr = *sa;
 		link_entry(adb, bucket, entry);
-		DP(50, "findaddrinfo: new entry %p", entry);
+		DP(ENTER_LEVEL, "findaddrinfo: new entry %p", entry);
 	} else
-		DP(50, "findaddrinfo: found entry %p", entry);
+		DP(ENTER_LEVEL, "findaddrinfo: found entry %p", entry);
 
 	port = isc_sockaddr_getport(sa);
 	addr = new_adbaddrinfo(adb, entry, port);
@@ -4107,7 +3493,7 @@ dns_adb_flush(dns_adb_t *adb) {
 
 	LOCK(&adb->lock);
 
-	for (i = 0 ; i < NBUCKETS ; i++) {
+	for (i = 0; i < NBUCKETS; i++) {
 		/*
 		 * Call our cleanup routines.
 		 */
@@ -4121,3 +3507,67 @@ dns_adb_flush(dns_adb_t *adb) {
 
 	UNLOCK(&adb->lock);
 }
+
+void
+dns_adb_flushname(dns_adb_t *adb, dns_name_t *name) {
+	dns_adbname_t *adbname;
+	dns_adbname_t *nextname;
+	int bucket;
+
+	INSIST(DNS_ADB_VALID(adb));
+
+	LOCK(&adb->lock);
+	bucket = dns_name_hash(name, ISC_FALSE) % NBUCKETS;
+	LOCK(&adb->namelocks[bucket]);
+	adbname = ISC_LIST_HEAD(adb->names[bucket]);
+	while (adbname != NULL) {
+		nextname = ISC_LIST_NEXT(adbname, plink);
+		if (!NAME_DEAD(adbname) &&
+		    dns_name_equal(name, &adbname->name)) {
+			RUNTIME_CHECK(kill_name(&adbname,
+						DNS_EVENT_ADBCANCELED) ==
+				      ISC_FALSE);
+		}
+		adbname = nextname;
+	}
+	UNLOCK(&adb->namelocks[bucket]);
+	UNLOCK(&adb->lock);
+}
+
+static void
+water(void *arg, int mark) {
+	dns_adb_t *adb = arg;
+	isc_boolean_t overmem = ISC_TF(mark == ISC_MEM_HIWATER);
+	isc_interval_t interval;
+
+	REQUIRE(DNS_ADB_VALID(adb));
+
+	DP(ISC_LOG_DEBUG(1),
+	   "adb reached %s water mark", overmem ? "high" : "low");
+
+	adb->overmem = overmem;
+	if (overmem) {
+		isc_interval_set(&interval, 0, 1);
+		(void)isc_timer_reset(adb->timer, isc_timertype_once, NULL,
+				      &interval, ISC_TRUE);
+	}
+}
+
+void
+dns_adb_setadbsize(dns_adb_t *adb, isc_uint32_t size) {
+	isc_uint32_t hiwater;
+	isc_uint32_t lowater;
+
+	INSIST(DNS_ADB_VALID(adb));
+
+	if (size != 0 && size < DNS_ADB_MINADBSIZE)
+		size = DNS_ADB_MINADBSIZE;
+
+	hiwater = size - (size >> 3);   /* Approximately 7/8ths. */
+	lowater = size - (size >> 2);   /* Approximately 3/4ths. */
+
+	if (size == 0 || hiwater == 0 || lowater == 0)
+		isc_mem_setwater(adb->mctx, water, adb, 0, 0);
+	else
+		isc_mem_setwater(adb->mctx, water, adb, hiwater, lowater);
+}
diff --git a/lib/dns/api b/lib/dns/api
index 901d1f20..dbc00c16 100644
--- a/lib/dns/api
+++ b/lib/dns/api
@@ -1,3 +1,3 @@
-LIBINTERFACE = 19
+LIBINTERFACE = 13
 LIBREVISION = 1
-LIBAGE = 3
+LIBAGE = 0
diff --git a/lib/dns/byaddr.c b/lib/dns/byaddr.c
index 92e1047e..daae7559 100644
--- a/lib/dns/byaddr.c
+++ b/lib/dns/byaddr.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
+ * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: byaddr.c,v 1.29.2.3 2004/03/09 06:10:59 marka Exp $ */
+/* $Id: byaddr.c,v 1.29.2.1.2.7 2004/03/09 05:21:08 marka Exp $ */
 
 #include <config.h>
 
@@ -68,12 +68,13 @@ isc_result_t
 dns_byaddr_createptrname(isc_netaddr_t *address, isc_boolean_t nibble,
 			 dns_name_t *name)
 {
-	unsigned int options = DNS_BYADDROPT_IPV6INT;
-	
-	if (nibble)
-		options |= DNS_BYADDROPT_IPV6NIBBLE;
+	/*
+	 * We dropped bitstring labels, so all lookups will use nibbles.
+	 */
+	UNUSED(nibble);
 
-	return (dns_byaddr_createptrname2(address, options, name));
+	return (dns_byaddr_createptrname2(address,
+					  DNS_BYADDROPT_IPV6INT, name));
 }
 
 isc_result_t
@@ -97,37 +98,24 @@ dns_byaddr_createptrname2(isc_netaddr_t *address, unsigned int options,
 
 	bytes = (unsigned char *)(&address->type);
 	if (address->family == AF_INET) {
-		(void)sprintf(textname, "%u.%u.%u.%u.in-addr.arpa.",
-			      (bytes[3] & 0xff),
-			      (bytes[2] & 0xff),
-			      (bytes[1] & 0xff),
-			      (bytes[0] & 0xff));
+		(void)snprintf(textname, sizeof(textname),
+			       "%u.%u.%u.%u.in-addr.arpa.",
+			       (bytes[3] & 0xff),
+			       (bytes[2] & 0xff),
+			       (bytes[1] & 0xff),
+			       (bytes[0] & 0xff));
 	} else if (address->family == AF_INET6) {
-		if ((options & DNS_BYADDROPT_IPV6NIBBLE) != 0) {
-			cp = textname;
-			for (i = 15; i >= 0; i--) {
-				*cp++ = hex_digits[bytes[i] & 0x0f];
-				*cp++ = '.';
-				*cp++ = hex_digits[(bytes[i] >> 4) & 0x0f];
-				*cp++ = '.';
-			}
-			if ((options & DNS_BYADDROPT_IPV6INT) != 0)
-				strcpy(cp, "ip6.int.");
-			else
-				strcpy(cp, "ip6.arpa.");
-		} else {
-			cp = textname;
-			*cp++ = '\\';
-			*cp++ = '[';
-			*cp++ = 'x';
-			for (i = 0; i < 16; i += 2) {
-				*cp++ = hex_digits[(bytes[i] >> 4) & 0x0f];
-				*cp++ = hex_digits[bytes[i] & 0x0f];
-				*cp++ = hex_digits[(bytes[i+1] >> 4) & 0x0f];
-				*cp++ = hex_digits[bytes[i+1] & 0x0f];
-			}
-			strcpy(cp, "].ip6.arpa.");
+		cp = textname;
+		for (i = 15; i >= 0; i--) {
+			*cp++ = hex_digits[bytes[i] & 0x0f];
+			*cp++ = '.';
+			*cp++ = hex_digits[(bytes[i] >> 4) & 0x0f];
+			*cp++ = '.';
 		}
+		if ((options & DNS_BYADDROPT_IPV6INT) != 0)
+			strcpy(cp, "ip6.int.");
+		else
+			strcpy(cp, "ip6.arpa.");
 	} else
 		return (ISC_R_NOTIMPLEMENTED);
 
@@ -155,7 +143,7 @@ copy_ptr_targets(dns_byaddr_t *byaddr, dns_rdataset_t *rdataset) {
 		result = dns_rdata_tostruct(&rdata, &ptr, NULL);
 		if (result != ISC_R_SUCCESS)
 			return (result);
-		name = isc_mem_get(byaddr->mctx, sizeof *name);
+		name = isc_mem_get(byaddr->mctx, sizeof(*name));
 		if (name == NULL) {
 			dns_rdata_freestruct(&ptr);
 			return (ISC_R_NOMEMORY);
@@ -164,7 +152,7 @@ copy_ptr_targets(dns_byaddr_t *byaddr, dns_rdataset_t *rdataset) {
 		result = dns_name_dup(&ptr.ptr, byaddr->mctx, name);
 		dns_rdata_freestruct(&ptr);
 		if (result != ISC_R_SUCCESS) {
-			isc_mem_put(byaddr->mctx, name, sizeof *name);
+			isc_mem_put(byaddr->mctx, name, sizeof(*name));
 			return (ISC_R_NOMEMORY);
 		}
 		ISC_LIST_APPEND(byaddr->event->names, name, link);
@@ -216,7 +204,7 @@ bevent_destroy(isc_event_t *event) {
 		next_name = ISC_LIST_NEXT(name, link);
 		ISC_LIST_UNLINK(bevent->names, name, link);
 		dns_name_free(name, mctx);
-		isc_mem_put(mctx, name, sizeof *name);
+		isc_mem_put(mctx, name, sizeof(*name));
 	}
 	isc_mem_put(mctx, event, event->ev_size);
 }
@@ -230,18 +218,18 @@ dns_byaddr_create(isc_mem_t *mctx, isc_netaddr_t *address, dns_view_t *view,
 	dns_byaddr_t *byaddr;
 	isc_event_t *ievent;
 
-	byaddr = isc_mem_get(mctx, sizeof *byaddr);
+	byaddr = isc_mem_get(mctx, sizeof(*byaddr));
 	if (byaddr == NULL)
 		return (ISC_R_NOMEMORY);
 	byaddr->mctx = mctx;
 	byaddr->options = options;
 
-	byaddr->event = isc_mem_get(mctx, sizeof *byaddr->event);
+	byaddr->event = isc_mem_get(mctx, sizeof(*byaddr->event));
 	if (byaddr->event == NULL) {
 		result = ISC_R_NOMEMORY;
 		goto cleanup_byaddr;
 	}
-	ISC_EVENT_INIT(byaddr->event, sizeof *byaddr->event, 0, NULL,
+	ISC_EVENT_INIT(byaddr->event, sizeof(*byaddr->event), 0, NULL,
 		       DNS_EVENT_BYADDRDONE, action, arg, byaddr,
 		       bevent_destroy, mctx);
 	byaddr->event->result = ISC_R_FAILURE;
@@ -256,7 +244,7 @@ dns_byaddr_create(isc_mem_t *mctx, isc_netaddr_t *address, dns_view_t *view,
 
 	dns_fixedname_init(&byaddr->name);
 
-	result = dns_byaddr_createptrname2(address, byaddr->options,
+	result = dns_byaddr_createptrname2(address, options,
 					   dns_fixedname_name(&byaddr->name));
 	if (result != ISC_R_SUCCESS)
 		goto cleanup_lock;
@@ -286,7 +274,7 @@ dns_byaddr_create(isc_mem_t *mctx, isc_netaddr_t *address, dns_view_t *view,
 	isc_task_detach(&byaddr->task);
 
  cleanup_byaddr:
-	isc_mem_put(mctx, byaddr, sizeof *byaddr);
+	isc_mem_put(mctx, byaddr, sizeof(*byaddr));
 
 	return (result);
 }
@@ -319,7 +307,7 @@ dns_byaddr_destroy(dns_byaddr_t **byaddrp) {
 
 	DESTROYLOCK(&byaddr->lock);
 	byaddr->magic = 0;
-	isc_mem_put(byaddr->mctx, byaddr, sizeof *byaddr);
+	isc_mem_put(byaddr->mctx, byaddr, sizeof(*byaddr));
 
 	*byaddrp = NULL;
 }
diff --git a/lib/dns/cache.c b/lib/dns/cache.c
index 99253d33..b148f602 100644
--- a/lib/dns/cache.c
+++ b/lib/dns/cache.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: cache.c,v 1.45.2.13 2006/08/01 01:07:32 marka Exp $ */
+/* $Id: cache.c,v 1.45.2.4.8.7 2004/03/08 02:07:52 marka Exp $ */
 
 #include <config.h>
 
@@ -31,6 +31,9 @@
 #include <dns/events.h>
 #include <dns/log.h>
 #include <dns/masterdump.h>
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
 #include <dns/result.h>
 
 #define CACHE_MAGIC		ISC_MAGIC('$', '$', '$', '$')
@@ -65,6 +68,7 @@ typedef enum {
  * Convenience macros for comprehensive assertion checking.
  */
 #define CLEANER_IDLE(c) ((c)->state == cleaner_s_idle && \
+			 (c)->iterator == NULL && \
 			 (c)->resched_event != NULL)
 #define CLEANER_BUSY(c) ((c)->state == cleaner_s_busy && \
 			 (c)->iterator != NULL && \
@@ -97,7 +101,6 @@ struct cache_cleaner {
 					   clean in one increment */
 	cleaner_state_t  state;		/* Idle/Busy. */
 	isc_boolean_t	 overmem;	/* The cache is in an overmem state. */
-	isc_boolean_t	 replaceiterator;
 };
 
 /*
@@ -167,7 +170,7 @@ dns_cache_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
 	REQUIRE(*cachep == NULL);
 	REQUIRE(mctx != NULL);
 
-	cache = isc_mem_get(mctx, sizeof *cache);
+	cache = isc_mem_get(mctx, sizeof(*cache));
 	if (cache == NULL)
 		return (ISC_R_NOMEMORY);
 
@@ -255,7 +258,7 @@ dns_cache_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
  cleanup_lock:
 	DESTROYLOCK(&cache->lock);
  cleanup_mem:
-	isc_mem_put(mctx, cache, sizeof *cache);
+	isc_mem_put(mctx, cache, sizeof(*cache));
 	isc_mem_detach(&mctx);
 	return (result);
 }
@@ -307,7 +310,7 @@ cache_free(dns_cache_t *cache) {
 	DESTROYLOCK(&cache->filelock);
 	cache->magic = 0;
 	mctx = cache->mctx;
-	isc_mem_put(cache->mctx, cache, sizeof *cache);
+	isc_mem_put(cache->mctx, cache, sizeof(*cache));
 	isc_mem_detach(&mctx);
 }
 
@@ -349,7 +352,12 @@ dns_cache_detach(dns_cache_t **cachep) {
 		 * When the cache is shut down, dump it to a file if one is
 		 * specified.
 		 */
-		dns_cache_dump(cache);
+		isc_result_t result = dns_cache_dump(cache);
+		if (result != ISC_R_SUCCESS)
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+				      DNS_LOGMODULE_CACHE, ISC_LOG_WARNING,
+				      "error dumping cache: %s ",
+				      isc_result_totext(result));
 
 		/*
 		 * If the cleaner task exists, let it free the cache.
@@ -379,7 +387,7 @@ dns_cache_attachdb(dns_cache_t *cache, dns_db_t **dbp) {
 }
 
 isc_result_t
-dns_cache_setfilename(dns_cache_t *cache, const char *filename) {
+dns_cache_setfilename(dns_cache_t *cache, char *filename) {
 	char *newname;
 
 	REQUIRE(VALID_CACHE(cache));
@@ -434,6 +442,7 @@ dns_cache_dump(dns_cache_t *cache) {
 void
 dns_cache_setcleaninginterval(dns_cache_t *cache, unsigned int t) {
 	isc_interval_t interval;
+	isc_result_t result;
 
 	LOCK(&cache->lock);
 
@@ -447,15 +456,22 @@ dns_cache_setcleaninginterval(dns_cache_t *cache, unsigned int t) {
 	cache->cleaner.cleaning_interval = t;
 
 	if (t == 0) {
-		isc_timer_reset(cache->cleaner.cleaning_timer,
-				isc_timertype_inactive, NULL, NULL, ISC_TRUE);
+		result = isc_timer_reset(cache->cleaner.cleaning_timer,
+					 isc_timertype_inactive,
+					 NULL, NULL, ISC_TRUE);
 	} else {
 		isc_interval_set(&interval, cache->cleaner.cleaning_interval,
 				 0);
-		isc_timer_reset(cache->cleaner.cleaning_timer,
-				isc_timertype_ticker,
-				NULL, &interval, ISC_FALSE);
+		result = isc_timer_reset(cache->cleaner.cleaning_timer,
+					 isc_timertype_ticker,
+					 NULL, &interval, ISC_FALSE);
 	}
+	if (result != ISC_R_SUCCESS)	
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_CACHE, ISC_LOG_WARNING,
+			      "could not set cache cleaning interval: %s",
+			      isc_result_totext(result));
+
  unlock:
 	UNLOCK(&cache->lock);
 }
@@ -485,18 +501,12 @@ cache_cleaner_init(dns_cache_t *cache, isc_taskmgr_t *taskmgr,
 	cleaner->cache = cache;
 	cleaner->iterator = NULL;
 	cleaner->overmem = ISC_FALSE;
-	cleaner->replaceiterator = ISC_FALSE;
 
 	cleaner->task = NULL;
 	cleaner->cleaning_timer = NULL;
 	cleaner->resched_event = NULL;
 	cleaner->overmem_event = NULL;
 
-	result = dns_db_createiterator(cleaner->cache->db, ISC_FALSE,
-				       &cleaner->iterator);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
 	if (taskmgr != NULL && timermgr != NULL) {
 		result = isc_task_create(taskmgr, 1, &cleaner->task);
 		if (result != ISC_R_SUCCESS) {
@@ -565,8 +575,6 @@ cache_cleaner_init(dns_cache_t *cache, isc_taskmgr_t *taskmgr,
 		isc_timer_detach(&cleaner->cleaning_timer);
 	if (cleaner->task != NULL)
 		isc_task_detach(&cleaner->task);
-	if (cleaner->iterator != NULL)
-		dns_dbiterator_destroy(&cleaner->iterator);
 	DESTROYLOCK(&cleaner->lock);
  fail:
 	return (result);
@@ -574,17 +582,15 @@ cache_cleaner_init(dns_cache_t *cache, isc_taskmgr_t *taskmgr,
 
 static void
 begin_cleaning(cache_cleaner_t *cleaner) {
-	isc_result_t result = ISC_R_SUCCESS;
+	isc_result_t result;
 
 	REQUIRE(CLEANER_IDLE(cleaner));
 
 	/*
-	 * Create an iterator, if it does not already exist, and
-         * position it at the beginning of the cache.
+	 * Create an iterator and position it at the beginning of the cache.
 	 */
-	if (cleaner->iterator == NULL)
-		result = dns_db_createiterator(cleaner->cache->db, ISC_FALSE,
-					       &cleaner->iterator);
+	result = dns_db_createiterator(cleaner->cache->db, ISC_FALSE,
+				       &cleaner->iterator);
 	if (result != ISC_R_SUCCESS)
 		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
 			      DNS_LOGMODULE_CACHE, ISC_LOG_WARNING,
@@ -594,21 +600,20 @@ begin_cleaning(cache_cleaner_t *cleaner) {
 		dns_dbiterator_setcleanmode(cleaner->iterator, ISC_TRUE);
 		result = dns_dbiterator_first(cleaner->iterator);
 	}
+
 	if (result != ISC_R_SUCCESS) {
 		/*
 		 * If the result is ISC_R_NOMORE, the database is empty,
 		 * so there is nothing to be cleaned.
 		 */
-		if (result != ISC_R_NOMORE && cleaner->iterator != NULL) {
+		if (result != ISC_R_NOMORE)
 			UNEXPECTED_ERROR(__FILE__, __LINE__,
 					 "cache cleaner: "
 					 "dns_dbiterator_first() failed: %s",
 					 dns_result_totext(result));
+
+		if (cleaner->iterator != NULL)
 			dns_dbiterator_destroy(&cleaner->iterator);
-		} else if (cleaner->iterator != NULL) {
-			result = dns_dbiterator_pause(cleaner->iterator);
-			RUNTIME_CHECK(result == ISC_R_SUCCESS);
-		}
 	} else {
 		/*
 		 * Pause the iterator to free its lock.
@@ -629,14 +634,10 @@ begin_cleaning(cache_cleaner_t *cleaner) {
 
 static void
 end_cleaning(cache_cleaner_t *cleaner, isc_event_t *event) {
-	isc_result_t result;
-
 	REQUIRE(CLEANER_BUSY(cleaner));
 	REQUIRE(event != NULL);
 
-	result = dns_dbiterator_pause(cleaner->iterator);
-	if (result != ISC_R_SUCCESS)
-		dns_dbiterator_destroy(&cleaner->iterator);
+	dns_dbiterator_destroy(&cleaner->iterator);
 
 	dns_cache_setcleaninginterval(cleaner->cache,
 				      cleaner->cleaning_interval);
@@ -661,6 +662,10 @@ cleaning_timer_action(isc_task_t *task, isc_event_t *event) {
 	INSIST(task == cleaner->task);
 	INSIST(event->ev_type == ISC_TIMEREVENT_TICK);
 
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_CACHE,
+		      ISC_LOG_DEBUG(1), "cache cleaning timer fired, "
+		      "cleaner state = %d", cleaner->state);
+
 	if (cleaner->state == cleaner_s_idle)
 		begin_cleaning(cleaner);
 
@@ -682,6 +687,11 @@ overmem_cleaning_action(isc_task_t *task, isc_event_t *event) {
 	INSIST(event->ev_type == DNS_EVENT_CACHEOVERMEM);
 	INSIST(cleaner->overmem_event == NULL);
 
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_CACHE,
+		      ISC_LOG_DEBUG(1), "overmem_cleaning_action called, "
+		      "overmem = %d, state = %d", cleaner->overmem,
+		      cleaner->state);
+
 	LOCK(&cleaner->lock);
 
 	if (cleaner->overmem) {
@@ -725,17 +735,6 @@ incremental_cleaning_action(isc_task_t *task, isc_event_t *event) {
 	if (cleaner->state == cleaner_s_done) {
 		cleaner->state = cleaner_s_busy;
 		end_cleaning(cleaner, event);
-		LOCK(&cleaner->cache->lock);
-		LOCK(&cleaner->lock);
-		if (cleaner->replaceiterator) {
-			dns_dbiterator_destroy(&cleaner->iterator);
-			(void) dns_db_createiterator(cleaner->cache->db,
-						     ISC_FALSE,
-						     &cleaner->iterator);
-			cleaner->replaceiterator = ISC_FALSE;
-		}
-		UNLOCK(&cleaner->lock);
-		UNLOCK(&cleaner->cache->lock);
 		return;
 	}
 
@@ -775,7 +774,7 @@ incremental_cleaning_action(isc_task_t *task, isc_event_t *event) {
 			 * Either the end was reached (ISC_R_NOMORE) or
 			 * some error was signaled.  If the cache is still
 			 * overmem and no error was encountered,
-			 * keep trying to clean it, otherwise stop cleaning.
+			 * keep trying to clean it, otherwise stop cleanng.
 			 */
 			if (result != ISC_R_NOMORE)
 				UNEXPECTED_ERROR(__FILE__, __LINE__,
@@ -966,7 +965,7 @@ cleaner_shutdown_action(isc_task_t *task, isc_event_t *event) {
 		isc_timer_detach(&cache->cleaner.cleaning_timer);
 
 	/* Make sure we don't reschedule anymore. */
-	isc_task_purge(task, NULL, DNS_EVENT_CACHECLEAN, NULL);
+	(void)isc_task_purge(task, NULL, DNS_EVENT_CACHECLEAN, NULL);
 
 	UNLOCK(&cache->lock);
 
@@ -983,22 +982,77 @@ dns_cache_flush(dns_cache_t *cache) {
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
-	LOCK(&cache->lock);
-	LOCK(&cache->cleaner.lock);
-	if (cache->cleaner.state == cleaner_s_idle) {
-		if (cache->cleaner.iterator != NULL)
-			dns_dbiterator_destroy(&cache->cleaner.iterator);
-		(void) dns_db_createiterator(db, ISC_FALSE,
-					     &cache->cleaner.iterator);
-	} else {
-		if (cache->cleaner.state == cleaner_s_busy)
-			cache->cleaner.state = cleaner_s_done;
-		cache->cleaner.replaceiterator = ISC_TRUE;
-	}
 	dns_db_detach(&cache->db);
 	cache->db = db;
-	UNLOCK(&cache->cleaner.lock);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_cache_flushname(dns_cache_t *cache, dns_name_t *name) {
+	isc_result_t result;
+	dns_rdatasetiter_t *iter = NULL;
+	dns_dbnode_t *node = NULL;
+	dns_db_t *db = NULL;
+	
+	LOCK(&cache->lock);
+	if (cache->db != NULL)
+		dns_db_attach(cache->db, &db);
 	UNLOCK(&cache->lock);
+	if (db == NULL)
+		return (ISC_R_SUCCESS);
+	result = dns_db_findnode(cache->db, name, ISC_FALSE, &node);
+	if (result == ISC_R_NOTFOUND) {
+		result = ISC_R_SUCCESS;
+		goto cleanup_db;
+	}
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_db;
 
-	return (ISC_R_SUCCESS);
+	result = dns_db_allrdatasets(cache->db, node, NULL,
+				     (isc_stdtime_t)0, &iter);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_node;
+
+	for (result = dns_rdatasetiter_first(iter);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdatasetiter_next(iter))
+	{
+		dns_rdataset_t rdataset;
+		dns_rdataset_init(&rdataset);
+
+		dns_rdatasetiter_current(iter, &rdataset);
+
+		for (result = dns_rdataset_first(&rdataset);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdataset_next(&rdataset))
+		{
+			dns_rdata_t rdata = DNS_RDATA_INIT;
+			dns_rdatatype_t covers;
+
+			dns_rdataset_current(&rdataset, &rdata);
+			if (rdata.type == dns_rdatatype_rrsig)
+				covers = dns_rdata_covers(&rdata);
+			else
+				covers = 0;
+			result = dns_db_deleterdataset(cache->db, node, NULL,
+						       rdata.type, covers);
+			if (result != ISC_R_SUCCESS &&
+			    result != DNS_R_UNCHANGED)
+				break;
+		}
+		dns_rdataset_disassociate(&rdataset);
+		if (result != ISC_R_NOMORE)
+			break;
+	}
+	if (result == ISC_R_NOMORE)
+		result = ISC_R_SUCCESS;
+
+	dns_rdatasetiter_destroy(&iter);
+
+ cleanup_node:
+	dns_db_detachnode(cache->db, &node);
+
+ cleanup_db:
+	dns_db_detach(&db);
+	return (result);
 }
diff --git a/lib/dns/callbacks.c b/lib/dns/callbacks.c
index f99b7ad1..431c7ef4 100644
--- a/lib/dns/callbacks.c
+++ b/lib/dns/callbacks.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,10 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: callbacks.c,v 1.12.2.3 2006/10/03 23:50:49 marka Exp $ */
+/* $Id: callbacks.c,v 1.12.206.1 2004/03/06 08:13:36 marka Exp $ */
 
 #include <config.h>
 
-#include <isc/file.h>
-
 #include <isc/util.h>
 
 #include <dns/callbacks.h>
diff --git a/lib/dns/compress.c b/lib/dns/compress.c
index d09e37dd..e0fe8c27 100644
--- a/lib/dns/compress.c
+++ b/lib/dns/compress.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: compress.c,v 1.50.2.4 2006/03/02 00:37:17 marka Exp $ */
+/* $Id: compress.c,v 1.50.206.2 2004/03/06 08:13:37 marka Exp $ */
 
 #define DNS_NAME_USEINLINE 1
 
@@ -111,7 +111,7 @@ do { \
  * If no match is found return ISC_FALSE.
  */
 isc_boolean_t
-dns_compress_findglobal(dns_compress_t *cctx, const dns_name_t *name,
+dns_compress_findglobal(dns_compress_t *cctx, dns_name_t *name,
 			dns_name_t *prefix, isc_uint16_t *offset)
 {
 	dns_name_t tname, nname;
@@ -161,15 +161,15 @@ dns_compress_findglobal(dns_compress_t *cctx, const dns_name_t *name,
 }
 
 static inline unsigned int
-name_length(const dns_name_t *name) {
+name_length(dns_name_t *name) {
 	isc_region_t r;
 	dns_name_toregion(name, &r);
 	return (r.length);
 }
 
 void
-dns_compress_add(dns_compress_t *cctx, const dns_name_t *name,
-		 const dns_name_t *prefix, isc_uint16_t offset)
+dns_compress_add(dns_compress_t *cctx, dns_name_t *name, dns_name_t *prefix,
+		 isc_uint16_t offset)
 {
 	dns_name_t tname;
 	unsigned int start;
diff --git a/lib/dns/db.c b/lib/dns/db.c
index 098e6bb2..347ce1e4 100644
--- a/lib/dns/db.c
+++ b/lib/dns/db.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: db.c,v 1.69.2.5 2004/03/09 06:11:00 marka Exp $ */
+/* $Id: db.c,v 1.69.2.1.10.4 2004/03/08 02:07:52 marka Exp $ */
 
 /***
  *** Imports
@@ -446,7 +446,7 @@ dns_db_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 	 */
 
 	REQUIRE(DNS_DB_VALID(db));
-	REQUIRE(type != dns_rdatatype_sig);
+	REQUIRE(type != dns_rdatatype_rrsig);
 	REQUIRE(nodep == NULL || (nodep != NULL && *nodep == NULL));
 	REQUIRE(dns_name_hasbuffer(foundname));
 	REQUIRE(rdataset == NULL ||
@@ -575,7 +575,7 @@ dns_db_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 	REQUIRE(node != NULL);
 	REQUIRE(DNS_RDATASET_VALID(rdataset));
 	REQUIRE(! dns_rdataset_isassociated(rdataset));
-	REQUIRE(covers == 0 || type == dns_rdatatype_sig);
+	REQUIRE(covers == 0 || type == dns_rdatatype_rrsig);
 	REQUIRE(type != dns_rdatatype_any);
 	REQUIRE(sigrdataset == NULL ||
 		(DNS_RDATASET_VALID(sigrdataset) &&
diff --git a/lib/dns/dbiterator.c b/lib/dns/dbiterator.c
index ccc3ff35..0bf354bd 100644
--- a/lib/dns/dbiterator.c
+++ b/lib/dns/dbiterator.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dbiterator.c,v 1.13.2.1 2004/03/09 06:11:00 marka Exp $ */
+/* $Id: dbiterator.c,v 1.13.206.1 2004/03/06 08:13:37 marka Exp $ */
 
 #include <config.h>
 
diff --git a/lib/dns/dbtable.c b/lib/dns/dbtable.c
index e814722d..d027fa3f 100644
--- a/lib/dns/dbtable.c
+++ b/lib/dns/dbtable.c
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: dbtable.c,v 1.25.2.2 2004/04/15 01:38:06 marka Exp $
+ * $Id: dbtable.c,v 1.25.12.4 2004/03/09 05:21:08 marka Exp $
  */
 
 /*
@@ -216,7 +216,7 @@ dns_dbtable_remove(dns_dbtable_t *dbtable, dns_db_t *db) {
 	if (result == ISC_R_SUCCESS) {
 		INSIST(stored_data == db);
 
-		dns_rbt_deletename(dbtable->rbt, name, ISC_FALSE);
+		(void)dns_rbt_deletename(dbtable->rbt, name, ISC_FALSE);
 	}
 
 	RWUNLOCK(&dbtable->tree_lock, isc_rwlocktype_write);
diff --git a/lib/dns/diff.c b/lib/dns/diff.c
index 38d3fd5b..8cd56436 100644
--- a/lib/dns/diff.c
+++ b/lib/dns/diff.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2002  Internet Software Consortium.
+ * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: diff.c,v 1.4.2.3 2004/03/09 06:11:01 marka Exp $ */
+/* $Id: diff.c,v 1.4.2.1.8.4 2004/03/08 02:07:52 marka Exp $ */
 
 #include <config.h>
 
@@ -44,7 +44,7 @@
 
 static dns_rdatatype_t
 rdata_covers(dns_rdata_t *rdata) {
-	return (rdata->type == dns_rdatatype_sig ?
+	return (rdata->type == dns_rdatatype_rrsig ?
 		dns_rdata_covers(rdata) : 0);
 }
 
@@ -188,8 +188,9 @@ dns_diff_appendminimal(dns_diff_t *diff, dns_difftuple_t **tuplep)
 	ENSURE(*tuplep == NULL);
 }
 
-isc_result_t
-dns_diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver)
+static isc_result_t
+diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver,
+	   isc_boolean_t warn)
 {
 	dns_difftuple_t *t;
 	dns_dbnode_t *node = NULL;
@@ -253,14 +254,13 @@ dns_diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver)
 			       t->rdata.type == type &&
 			       rdata_covers(&t->rdata) == covers)
 			{
-				if (t->ttl != rdl.ttl) {
+				if (t->ttl != rdl.ttl && warn)
 					isc_log_write(DIFF_COMMON_LOGARGS,
 					      	ISC_LOG_WARNING,
 						"TTL differs in rdataset, "
 						"adjusting %lu -> %lu",
 						(unsigned long) t->ttl,
 						(unsigned long) rdl.ttl);
-				}
 				ISC_LIST_APPEND(rdl.rdata, &t->rdata, link);
 				t = ISC_LIST_NEXT(t, link);
 			}
@@ -299,9 +299,10 @@ dns_diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver)
 				 * from a server that is not as careful.
 				 * Issue a warning and continue.
 				 */
-				isc_log_write(DIFF_COMMON_LOGARGS,
-					      ISC_LOG_WARNING,
-					      "update with no effect");
+				if (warn)
+					isc_log_write(DIFF_COMMON_LOGARGS,
+						      ISC_LOG_WARNING,
+						      "update with no effect");
 			} else if (result == ISC_R_SUCCESS ||
 				   result == DNS_R_NXRRSET) {
 				/*
@@ -321,7 +322,17 @@ dns_diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver)
 	return (result);
 }
 
-/* XXX this duplicates lots of code in dns_diff_apply(). */
+isc_result_t
+dns_diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver) {
+	return (diff_apply(diff, db, ver, ISC_TRUE));
+}
+
+isc_result_t
+dns_diff_applysilently(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver) {
+	return (diff_apply(diff, db, ver, ISC_FALSE));
+}
+
+/* XXX this duplicates lots of code in diff_apply(). */
 
 isc_result_t
 dns_diff_load(dns_diff_t *diff, dns_addrdatasetfunc_t addfunc,
diff --git a/lib/dns/dispatch.c b/lib/dns/dispatch.c
index d3c690b9..d7cb2c92 100644
--- a/lib/dns/dispatch.c
+++ b/lib/dns/dispatch.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,21 +15,19 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dispatch.c,v 1.101.2.21 2007/06/27 04:21:27 marka Exp $ */
+/* $Id: dispatch.c,v 1.101.2.6.2.6 2004/03/08 21:06:25 marka Exp $ */
 
 #include <config.h>
 
 #include <stdlib.h>
-#include <sys/types.h>
-#include <unistd.h>
 
 #include <isc/entropy.h>
+#include <isc/lfsr.h>
 #include <isc/mem.h>
 #include <isc/mutex.h>
 #include <isc/print.h>
 #include <isc/string.h>
 #include <isc/task.h>
-#include <isc/time.h>
 #include <isc/util.h>
 
 #include <dns/acl.h>
@@ -37,27 +35,19 @@
 #include <dns/events.h>
 #include <dns/log.h>
 #include <dns/message.h>
+#include <dns/portlist.h>
 #include <dns/tcpmsg.h>
 #include <dns/types.h>
 
 typedef ISC_LIST(dns_dispentry_t)	dns_displist_t;
 
-typedef struct dns_nsid {
-	isc_uint16_t	nsid_state;
-	isc_uint16_t	*nsid_vtable;
-	isc_uint16_t	*nsid_pool;
-	isc_uint16_t	nsid_a1, nsid_a2, nsid_a3;
-	isc_uint16_t	nsid_c1, nsid_c2, nsid_c3;
-	isc_uint16_t	nsid_state2;
-	isc_boolean_t	nsid_usepool;
-} dns_nsid_t;
-
 typedef struct dns_qid {
 	unsigned int	magic;
 	unsigned int	qid_nbuckets;	/* hash table size */
 	unsigned int	qid_increment;	/* id increment on collision */
 	isc_mutex_t	lock;
-	dns_nsid_t	nsid;
+	isc_lfsr_t	qid_lfsr1;	/* state generator info */
+	isc_lfsr_t	qid_lfsr2;	/* state generator info */
 	dns_displist_t	*qid_table;	/* the table itself */
 } dns_qid_t;
 
@@ -66,6 +56,7 @@ struct dns_dispatchmgr {
 	unsigned int			magic;
 	isc_mem_t		       *mctx;
 	dns_acl_t		       *blackhole;
+	dns_portlist_t		       *portlist;
 
 	/* Locked by "lock". */
 	isc_mutex_t			lock;
@@ -164,14 +155,14 @@ static isc_boolean_t destroy_disp_ok(dns_dispatch_t *);
 static void destroy_disp(isc_task_t *task, isc_event_t *event);
 static void udp_recv(isc_task_t *, isc_event_t *);
 static void tcp_recv(isc_task_t *, isc_event_t *);
-static void startrecv(dns_dispatch_t *);
-static dns_messageid_t dns_randomid(dns_nsid_t *);
+static inline void startrecv(dns_dispatch_t *);
+static dns_messageid_t dns_randomid(dns_qid_t *);
 static isc_uint32_t dns_hash(dns_qid_t *, isc_sockaddr_t *, dns_messageid_t);
 static void free_buffer(dns_dispatch_t *disp, void *buf, unsigned int len);
 static void *allocate_udp_buffer(dns_dispatch_t *disp);
 static inline void free_event(dns_dispatch_t *disp, dns_dispatchevent_t *ev);
 static inline dns_dispatchevent_t *allocate_event(dns_dispatch_t *disp);
-static void do_cancel(dns_dispatch_t *disp);
+static void do_cancel(dns_dispatch_t *disp, dns_dispentry_t *resp);
 static dns_dispentry_t *linear_first(dns_qid_t *disp);
 static dns_dispentry_t *linear_next(dns_qid_t *disp,
 				    dns_dispentry_t *resp);
@@ -186,12 +177,8 @@ static isc_result_t dispatch_createudp(dns_dispatchmgr_t *mgr,
 static isc_boolean_t destroy_mgr_ok(dns_dispatchmgr_t *mgr);
 static void destroy_mgr(dns_dispatchmgr_t **mgrp);
 static isc_result_t qid_allocate(dns_dispatchmgr_t *mgr, unsigned int buckets,
-				 unsigned int increment, isc_boolean_t usepool,
-				 dns_qid_t **qidp);
+				 unsigned int increment, dns_qid_t **qidp);
 static void qid_destroy(isc_mem_t *mctx, dns_qid_t **qidp);
-static isc_uint16_t nsid_next(dns_nsid_t *nsid);
-static isc_result_t nsid_init(isc_mem_t *mctx, dns_nsid_t *nsid, isc_boolean_t usepool);
-static void nsid_destroy(isc_mem_t *mctx, dns_nsid_t *nsid);
 
 #define LVL(x) ISC_LOG_DEBUG(x)
 
@@ -258,7 +245,7 @@ request_log(dns_dispatch_t *disp, dns_dispentry_t *resp,
 	va_end(ap);
 
 	if (VALID_RESPONSE(resp)) {
-		isc_sockaddr_format(&resp->host, peerbuf, sizeof peerbuf);
+		isc_sockaddr_format(&resp->host, peerbuf, sizeof(peerbuf));
 		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DISPATCH,
 			      DNS_LOGMODULE_DISPATCH, level,
 			      "dispatch %p response %p %s: %s", disp, resp,
@@ -271,16 +258,38 @@ request_log(dns_dispatch_t *disp, dns_dispentry_t *resp,
 	}
 }
 
+static void
+reseed_lfsr(isc_lfsr_t *lfsr, void *arg)
+{
+	dns_dispatchmgr_t *mgr = arg;
+	isc_result_t result;
+	isc_uint32_t val;
+
+	REQUIRE(VALID_DISPATCHMGR(mgr));
+
+	if (mgr->entropy != NULL) {
+		result = isc_entropy_getdata(mgr->entropy, &val, sizeof(val),
+					     NULL, 0);
+		INSIST(result == ISC_R_SUCCESS);
+		lfsr->count = (val & 0x1f) + 32;
+		lfsr->state = val;
+		return;
+	}
+
+	lfsr->count = (random() & 0x1f) + 32;	/* From 32 to 63 states */
+	lfsr->state = random();
+}
+
 /*
  * Return an unpredictable message ID.
  */
 static dns_messageid_t
-dns_randomid(dns_nsid_t *nsid) {
-	isc_uint16_t id;
+dns_randomid(dns_qid_t *qid) {
+	isc_uint32_t id;
 
-	id = nsid_next(nsid);
+	id = isc_lfsr_generate32(&qid->qid_lfsr1, &qid->qid_lfsr2);
 
-	return ((dns_messageid_t)id);
+	return (dns_messageid_t)(id & 0xFFFF);
 }
 
 /*
@@ -618,74 +627,28 @@ udp_recv(isc_task_t *task, isc_event_t *ev_in) {
 		/* query */
 		free_buffer(disp, ev->region.base, ev->region.length);
 		goto restart;
-	}
-
-	dns_dispatch_hash(&ev->timestamp, sizeof(&ev->timestamp));
-	dns_dispatch_hash(ev->region.base, ev->region.length);
-
-	/* response */
-	bucket = dns_hash(qid, &ev->address, id);
-	LOCK(&qid->lock);
-	resp = bucket_search(qid, &ev->address, id, bucket);
-	dispatch_log(disp, LVL(90),
-		     "search for response in bucket %d: %s",
-		     bucket, (resp == NULL ? "not found" : "found"));
-
-	if (resp == NULL) {
-		free_buffer(disp, ev->region.base, ev->region.length);
-		goto unlock;
-	} 
-
-	/*
-	 * Now that we have the original dispatch the query was sent
-	 * from check that the address and port the response was
-	 * sent to make sense.
-	 */
-	if (disp != resp->disp) {
-		isc_sockaddr_t a1;
-		isc_sockaddr_t a2;
-		
-		/*
-		 * Check that the socket types and ports match.
-		 */
-		if (disp->socktype != resp->disp->socktype ||
-		    isc_sockaddr_getport(&disp->local) !=
-		    isc_sockaddr_getport(&resp->disp->local)) {
-			free_buffer(disp, ev->region.base, ev->region.length);
-			goto unlock;
-		}
+	} else {
+ 		/* response */
+		bucket = dns_hash(qid, &ev->address, id);
+		LOCK(&qid->lock);
+		resp = bucket_search(qid, &ev->address, id, bucket);
+		UNLOCK(&qid->lock);
+		dispatch_log(disp, LVL(90),
+			     "search for response in bucket %d: %s",
+			     bucket, (resp == NULL ? "not found" : "found"));
 
-		/*
-		 * If both dispatches are bound to an address then fail as
-		 * the addresses can't be equal (enforced by the IP stack).  
-		 *
-		 * Note under Linux a packet can be sent out via IPv4 socket
-		 * and the response be received via a IPv6 socket.
-		 * 
-		 * Requests sent out via IPv6 should always come back in
-		 * via IPv6.
-		 */
-		if (isc_sockaddr_pf(&resp->disp->local) == PF_INET6 &&
-		    isc_sockaddr_pf(&disp->local) != PF_INET6) {
+		if (resp == NULL) {
 			free_buffer(disp, ev->region.base, ev->region.length);
-			goto unlock;
-		}
-		isc_sockaddr_anyofpf(&a1, isc_sockaddr_pf(&resp->disp->local));
-		isc_sockaddr_anyofpf(&a2, isc_sockaddr_pf(&disp->local));
-		if (!isc_sockaddr_eqaddr(&a1, &resp->disp->local) &&
-		    !isc_sockaddr_eqaddr(&a2, &disp->local)) {
+			goto restart;
+		} 
+		queue_response = resp->item_out;
+		rev = allocate_event(resp->disp);
+		if (rev == NULL) {
 			free_buffer(disp, ev->region.base, ev->region.length);
-			goto unlock;
+			goto restart;
 		}
 	}
 
-	queue_response = resp->item_out;
-	rev = allocate_event(resp->disp);
-	if (rev == NULL) {
-		free_buffer(disp, ev->region.base, ev->region.length);
-		goto unlock;
-	}
-
 	/*
 	 * At this point, rev contains the event we want to fill in, and
 	 * resp contains the information on the place to send it to.
@@ -709,10 +672,8 @@ udp_recv(isc_task_t *task, isc_event_t *ev_in) {
 			    rev, rev->buffer.base, rev->buffer.length,
 			    resp->task);
 		resp->item_out = ISC_TRUE;
-		isc_task_send(resp->task, ISC_EVENT_PTR(&rev));
+		isc_task_send(resp->task, (isc_event_t **) (void *)&rev);
 	}
- unlock:
-	UNLOCK(&qid->lock);
 
 	/*
 	 * Restart recv() to get the next packet.
@@ -753,6 +714,8 @@ tcp_recv(isc_task_t *task, isc_event_t *ev_in) {
 	isc_boolean_t killit;
 	isc_boolean_t queue_response;
 	dns_qid_t *qid;
+	int level;
+	char buf[ISC_SOCKADDR_FORMATSIZE];
 
 	UNUSED(task);
 
@@ -783,15 +746,21 @@ tcp_recv(isc_task_t *task, isc_event_t *ev_in) {
 			
 		case ISC_R_EOF:
 			dispatch_log(disp, LVL(90), "shutting down on EOF");
-			do_cancel(disp);
+			do_cancel(disp, NULL);
 			break;
 
+		case ISC_R_CONNECTIONRESET:
+			level = ISC_LOG_INFO;
+			goto logit;
+
 		default:
-			dispatch_log(disp, ISC_LOG_ERROR,
-				     "shutting down due to TCP "
-				     "receive error: %s",
+			level = ISC_LOG_ERROR;
+		logit:
+			isc_sockaddr_format(&tcpmsg->address, buf, sizeof(buf));
+			dispatch_log(disp, level, "shutting down due to TCP "
+				     "receive error: %s: %s", buf,
 				     isc_result_totext(tcpmsg->result));
-			do_cancel(disp);
+			do_cancel(disp, NULL);
 			break;
 		}
 
@@ -847,27 +816,26 @@ tcp_recv(isc_task_t *task, isc_event_t *ev_in) {
 		 * Query.
 		 */
 		goto restart;
+	} else {
+ 		/*
+		 * Response.
+		 */
+		bucket = dns_hash(qid, &tcpmsg->address, id);
+		LOCK(&qid->lock);
+		resp = bucket_search(qid, &tcpmsg->address, id, bucket);
+		UNLOCK(&qid->lock);
+		dispatch_log(disp, LVL(90),
+			     "search for response in bucket %d: %s",
+			     bucket, (resp == NULL ? "not found" : "found"));
+
+		if (resp == NULL)
+			goto restart;
+		queue_response = resp->item_out;
+		rev = allocate_event(disp);
+		if (rev == NULL)
+			goto restart;
 	}
 
-	dns_dispatch_hash(tcpmsg->buffer.base, tcpmsg->buffer.length);
-
-	/*
-	 * Response.
-	 */
-	bucket = dns_hash(qid, &tcpmsg->address, id);
-	LOCK(&qid->lock);
-	resp = bucket_search(qid, &tcpmsg->address, id, bucket);
-	dispatch_log(disp, LVL(90),
-		     "search for response in bucket %d: %s",
-		     bucket, (resp == NULL ? "not found" : "found"));
-
-	if (resp == NULL)
-		goto unlock;
-	queue_response = resp->item_out;
-	rev = allocate_event(disp);
-	if (rev == NULL)
-		goto unlock;
-
 	/*
 	 * At this point, rev contains the event we want to fill in, and
 	 * resp contains the information on the place to send it to.
@@ -888,10 +856,8 @@ tcp_recv(isc_task_t *task, isc_event_t *ev_in) {
 			    rev, rev->buffer.base, rev->buffer.length,
 			    resp->task);
 		resp->item_out = ISC_TRUE;
-		isc_task_send(resp->task, ISC_EVENT_PTR(&rev));
+		isc_task_send(resp->task, (isc_event_t **) (void *)&rev);
 	}
- unlock:
-	UNLOCK(&qid->lock);
 
 	/*
 	 * Restart recv() to get the next packet.
@@ -939,9 +905,10 @@ startrecv(dns_dispatch_t *disp) {
 			free_buffer(disp, region.base, region.length);
 			disp->shutdown_why = res;
 			disp->shutting_down = 1;
-			do_cancel(disp);
+			do_cancel(disp, NULL);
 			return;
 		}
+		INSIST(disp->recv_pending == 0);
 		disp->recv_pending = 1;
 		break;
 
@@ -951,9 +918,10 @@ startrecv(dns_dispatch_t *disp) {
 		if (res != ISC_R_SUCCESS) {
 			disp->shutdown_why = res;
 			disp->shutting_down = 1;
-			do_cancel(disp);
+			do_cancel(disp, NULL);
 			return;
 		}
+		INSIST(disp->recv_pending == 0);
 		disp->recv_pending = 1;
 		break;
 	}
@@ -1020,6 +988,9 @@ destroy_mgr(dns_dispatchmgr_t **mgrp) {
 	if (mgr->blackhole != NULL)
 		dns_acl_detach(&mgr->blackhole);
 
+	if (mgr->portlist != NULL)
+		dns_portlist_detach(&mgr->portlist);
+
 	isc_mem_put(mctx, mgr, sizeof(dns_dispatchmgr_t));
 	isc_mem_detach(&mctx);
 }
@@ -1037,6 +1008,9 @@ create_socket(isc_socketmgr_t *mgr, isc_sockaddr_t *local,
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
+#ifndef ISC_ALLOW_MAPPED
+	isc_socket_ipv6only(sock, ISC_TRUE);
+#endif
 	result = isc_socket_bind(sock, local);
 	if (result != ISC_R_SUCCESS) {
 		isc_socket_detach(&sock);
@@ -1069,6 +1043,7 @@ dns_dispatchmgr_create(isc_mem_t *mctx, isc_entropy_t *entropy,
 	isc_mem_attach(mctx, &mgr->mctx);
 
 	mgr->blackhole = NULL;
+	mgr->portlist = NULL;
 
 	result = isc_mutex_init(&mgr->lock);
 	if (result != ISC_R_SUCCESS)
@@ -1162,6 +1137,23 @@ dns_dispatchmgr_getblackhole(dns_dispatchmgr_t *mgr) {
 	return (mgr->blackhole);
 }
 
+void
+dns_dispatchmgr_setblackportlist(dns_dispatchmgr_t *mgr,
+				 dns_portlist_t *portlist)
+{
+	REQUIRE(VALID_DISPATCHMGR(mgr));
+	if (mgr->portlist != NULL)
+		dns_portlist_detach(&mgr->portlist);
+	if (portlist != NULL)
+		dns_portlist_attach(portlist, &mgr->portlist);
+}
+
+dns_portlist_t *
+dns_dispatchmgr_getblackportlist(dns_dispatchmgr_t *mgr) {
+	REQUIRE(VALID_DISPATCHMGR(mgr));
+	return (mgr->portlist);
+}
+
 static isc_result_t
 dns_dispatchmgr_setudp(dns_dispatchmgr_t *mgr,
 			unsigned int buffersize, unsigned int maxbuffers,
@@ -1201,7 +1193,6 @@ dns_dispatchmgr_setudp(dns_dispatchmgr_t *mgr,
 
 	if (isc_mempool_create(mgr->mctx, buffersize,
 			       &mgr->bpool) != ISC_R_SUCCESS) {
-		UNLOCK(&mgr->buffer_lock);
 		return (ISC_R_NOMEMORY);
 	}
 
@@ -1209,7 +1200,7 @@ dns_dispatchmgr_setudp(dns_dispatchmgr_t *mgr,
 	isc_mempool_setmaxalloc(mgr->bpool, maxbuffers);
 	isc_mempool_associatelock(mgr->bpool, &mgr->pool_lock);
 
-	result = qid_allocate(mgr, buckets, increment, ISC_TRUE, &mgr->qid);
+	result = qid_allocate(mgr, buckets, increment, &mgr->qid);
 	if (result != ISC_R_SUCCESS)
 		goto cleanup;
 
@@ -1247,16 +1238,63 @@ dns_dispatchmgr_destroy(dns_dispatchmgr_t **mgrp) {
 		destroy_mgr(&mgr);
 }
 
+static isc_boolean_t
+blacklisted(dns_dispatchmgr_t *mgr, isc_socket_t *sock) {
+	isc_sockaddr_t sockaddr;
+	isc_result_t result;
+
+	if (mgr->portlist == NULL)
+		return (ISC_FALSE);
+
+	result = isc_socket_getsockname(sock, &sockaddr);
+	if (result != ISC_R_SUCCESS)
+		return (ISC_FALSE);
+
+	if (mgr->portlist != NULL &&
+	    dns_portlist_match(mgr->portlist, isc_sockaddr_pf(&sockaddr),
+			       isc_sockaddr_getport(&sockaddr)))
+		return (ISC_TRUE);
+	return (ISC_FALSE);
+}
 
 #define ATTRMATCH(_a1, _a2, _mask) (((_a1) & (_mask)) == ((_a2) & (_mask)))
 
 static isc_boolean_t
 local_addr_match(dns_dispatch_t *disp, isc_sockaddr_t *addr) {
+	isc_sockaddr_t sockaddr;
+	isc_result_t result;
 
 	if (addr == NULL)
 		return (ISC_TRUE);
 
-	return (isc_sockaddr_equal(&disp->local, addr));
+	/*
+	 * Don't match wildcard ports against newly blacklisted ports.
+	 */
+	if (disp->mgr->portlist != NULL &&
+	    isc_sockaddr_getport(addr) == 0 &&
+	    isc_sockaddr_getport(&disp->local) == 0 &&
+	    blacklisted(disp->mgr, disp->socket))
+		return (ISC_FALSE);
+
+	/*
+	 * Check if we match the binding <address,port>.
+	 * Wildcard ports match/fail here.
+	 */
+	if (isc_sockaddr_equal(&disp->local, addr))
+		return (ISC_TRUE);
+	if (isc_sockaddr_getport(addr) == 0)
+		return (ISC_FALSE);
+
+	/*
+	 * Check if we match a bound wildcard port <address,port>.
+	 */
+	if (!isc_sockaddr_eqaddr(&disp->local, addr))
+		return (ISC_FALSE);
+	result = isc_socket_getsockname(disp->socket, &sockaddr);
+	if (result != ISC_R_SUCCESS)
+		return (ISC_FALSE);
+
+	return (isc_sockaddr_equal(&disp->local, &sockaddr));
 }
 
 /*
@@ -1308,7 +1346,7 @@ dispatch_find(dns_dispatchmgr_t *mgr, isc_sockaddr_t *local,
 
 static isc_result_t
 qid_allocate(dns_dispatchmgr_t *mgr, unsigned int buckets,
-	     unsigned int increment, isc_boolean_t usepool, dns_qid_t **qidp)
+	     unsigned int increment, dns_qid_t **qidp)
 {
 	dns_qid_t *qid;
 	unsigned int i;
@@ -1329,28 +1367,35 @@ qid_allocate(dns_dispatchmgr_t *mgr, unsigned int buckets,
 		return (ISC_R_NOMEMORY);
 	}
 
-	if (nsid_init(mgr->mctx, &qid->nsid, usepool) != ISC_R_SUCCESS) {
-		isc_mem_put(mgr->mctx, qid->qid_table,
-			    buckets * sizeof(dns_displist_t));
-		isc_mem_put(mgr->mctx, qid, sizeof(*qid));
-		return (ISC_R_NOMEMORY);
-	}
-
 	if (isc_mutex_init(&qid->lock) != ISC_R_SUCCESS) {
 		UNEXPECTED_ERROR(__FILE__, __LINE__, "isc_mutex_init failed");
-		nsid_destroy(mgr->mctx, &qid->nsid);
 		isc_mem_put(mgr->mctx, qid->qid_table,
 			    buckets * sizeof(dns_displist_t));
 		isc_mem_put(mgr->mctx, qid, sizeof(*qid));
 		return (ISC_R_UNEXPECTED);
 	}
 
-	for (i = 0 ; i < buckets ; i++)
+	for (i = 0; i < buckets; i++)
 		ISC_LIST_INIT(qid->qid_table[i]);
 
 	qid->qid_nbuckets = buckets;
 	qid->qid_increment = increment;
 	qid->magic = QID_MAGIC;
+
+	/*
+	 * Initialize to a 32-bit LFSR.  Both of these are from Applied
+	 * Cryptography.
+	 *
+	 * lfsr1:
+	 *	x^32 + x^7 + x^5 + x^3 + x^2 + x + 1
+	 *
+	 * lfsr2:
+	 *	x^32 + x^7 + x^6 + x^2 + 1
+	 */
+	isc_lfsr_init(&qid->qid_lfsr1, 0, 32, 0x80000057U,
+		      0, reseed_lfsr, mgr);
+	isc_lfsr_init(&qid->qid_lfsr2, 0, 32, 0x80000062U,
+		      0, reseed_lfsr, mgr);
 	*qidp = qid;
 	return (ISC_R_SUCCESS);
 }
@@ -1366,7 +1411,6 @@ qid_destroy(isc_mem_t *mctx, dns_qid_t **qidp) {
 
 	*qidp = NULL;
 	qid->magic = 0;
-	nsid_destroy(mctx, &qid->nsid);
 	isc_mem_put(mctx, qid->qid_table,
 		    qid->qid_nbuckets * sizeof(dns_displist_t));
 	DESTROYLOCK(&qid->lock);
@@ -1402,7 +1446,7 @@ dispatch_allocate(dns_dispatchmgr_t *mgr, unsigned int maxrequests,
 	ISC_LINK_INIT(disp, link);
 	disp->refcount = 1;
 	disp->recv_pending = 0;
-	memset(&disp->local, 0, sizeof disp->local);
+	memset(&disp->local, 0, sizeof(disp->local));
 	disp->shutting_down = 0;
 	disp->shutdown_out = 0;
 	disp->connected = 0;
@@ -1510,7 +1554,7 @@ dns_dispatch_createtcp(dns_dispatchmgr_t *mgr, isc_socket_t *sock,
 		return (result);
 	}
 
-	result = qid_allocate(mgr, buckets, increment, ISC_FALSE, &disp->qid);
+	result = qid_allocate(mgr, buckets, increment, &disp->qid);
 	if (result != ISC_R_SUCCESS)
 		goto deallocate_dispatch;
 
@@ -1527,10 +1571,8 @@ dns_dispatch_createtcp(dns_dispatchmgr_t *mgr, isc_socket_t *sock,
 					    DNS_EVENT_DISPATCHCONTROL,
 					    destroy_disp, disp,
 					    sizeof(isc_event_t));
-	if (disp->ctlevent == NULL) {
-		result = ISC_R_NOMEMORY;
+	if (disp->ctlevent == NULL)
 		goto kill_task;
-	}
 
 	isc_task_setname(disp->task, "tcpdispatch", disp);
 
@@ -1663,9 +1705,20 @@ dispatch_createudp(dns_dispatchmgr_t *mgr, isc_socketmgr_t *sockmgr,
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
+	/*
+	 * This assumes that the IP stack will *not* quickly reallocate
+	 * the same port.  If it does continually reallocate the same port
+	 * then we need a mechanism to hold all the blacklisted sockets
+	 * until we find a usable socket.
+	 */
+ getsocket:
 	result = create_socket(sockmgr, localaddr, &sock);
 	if (result != ISC_R_SUCCESS)
 		goto deallocate_dispatch;
+	if (isc_sockaddr_getport(localaddr) == 0 && blacklisted(mgr, sock)) {
+		isc_socket_detach(&sock);
+		goto getsocket;
+	}
 
 	disp->socktype = isc_sockettype_udp;
 	disp->socket = sock;
@@ -1680,10 +1733,8 @@ dispatch_createudp(dns_dispatchmgr_t *mgr, isc_socketmgr_t *sockmgr,
 					    DNS_EVENT_DISPATCHCONTROL,
 					    destroy_disp, disp,
 					    sizeof(isc_event_t));
-	if (disp->ctlevent == NULL) {
-		result = ISC_R_NOMEMORY;
+	if (disp->ctlevent == NULL)
 		goto kill_task;
-	}
 
 	isc_task_setname(disp->task, "udpdispatch", disp);
 
@@ -1801,10 +1852,10 @@ dns_dispatch_addresponse(dns_dispatch_t *disp, isc_sockaddr_t *dest,
 	 */
 	qid = DNS_QID(disp);
 	LOCK(&qid->lock);
-	id = dns_randomid(&qid->nsid);
+	id = dns_randomid(qid);
 	bucket = dns_hash(qid, dest, id);
 	ok = ISC_FALSE;
-	for (i = 0 ; i < 64 ; i++) {
+	for (i = 0; i < 64; i++) {
 		if (bucket_search(qid, dest, id, bucket) == NULL) {
 			ok = ISC_TRUE;
 			break;
@@ -1967,7 +2018,7 @@ dns_dispatch_removeresponse(dns_dispentry_t **resp,
 	res->magic = 0;
 	isc_mempool_put(disp->mgr->rpool, res);
 	if (disp->shutting_down == 1)
-		do_cancel(disp);
+		do_cancel(disp, NULL);
 	else
 		startrecv(disp);
 
@@ -1978,9 +2029,8 @@ dns_dispatch_removeresponse(dns_dispentry_t **resp,
 }
 
 static void
-do_cancel(dns_dispatch_t *disp) {
+do_cancel(dns_dispatch_t *disp, dns_dispentry_t *resp) {
 	dns_dispatchevent_t *ev;
-	dns_dispentry_t *resp;
 	dns_qid_t *qid;
 
 	if (disp->shutdown_out == 1)
@@ -1991,22 +2041,34 @@ do_cancel(dns_dispatch_t *disp) {
 	/*
 	 * Search for the first response handler without packets outstanding.
 	 */
-	LOCK(&qid->lock);
-	for (resp = linear_first(qid);
-	     resp != NULL && resp->item_out != ISC_FALSE;
-	     /* Empty. */)
-		resp = linear_next(qid, resp);
+	if (resp == NULL) {
+		LOCK(&qid->lock);
+		resp = linear_first(qid);
+		if (resp == NULL) {
+			/* no first item? */
+			UNLOCK(&qid->lock);
+			return;
+		}
+		do {
+			if (resp->item_out == ISC_FALSE)
+				break;
+
+			resp = linear_next(qid, resp);
+		} while (resp != NULL);
+		UNLOCK(&qid->lock);
+	}
+
 	/*
 	 * No one to send the cancel event to, so nothing to do.
 	 */
 	if (resp == NULL)
-		goto unlock;
+		return;
 
 	/*
 	 * Send the shutdown failsafe event to this resp.
 	 */
 	ev = disp->failsafe_ev;
-	ISC_EVENT_INIT(ev, sizeof (*ev), 0, NULL, DNS_EVENT_DISPATCH,
+	ISC_EVENT_INIT(ev, sizeof(*ev), 0, NULL, DNS_EVENT_DISPATCH,
 		       resp->action, resp->arg, resp, NULL, NULL);
 	ev->result = disp->shutdown_why;
 	ev->buffer.base = NULL;
@@ -2016,9 +2078,7 @@ do_cancel(dns_dispatch_t *disp) {
 		    "cancel: failsafe event %p -> task %p",
 		    ev, resp->task);
 	resp->item_out = ISC_TRUE;
-	isc_task_send(resp->task, ISC_EVENT_PTR(&ev));
- unlock:
-	UNLOCK(&qid->lock);
+	isc_task_send(resp->task, (isc_event_t **) (void *)&ev);
 }
 
 isc_socket_t *
@@ -2054,7 +2114,7 @@ dns_dispatch_cancel(dns_dispatch_t *disp) {
 
 	disp->shutdown_why = ISC_R_CANCELED;
 	disp->shutting_down = 1;
-	do_cancel(disp);
+	do_cancel(disp, NULL);
 
 	UNLOCK(&disp->lock);
 
@@ -2114,7 +2174,7 @@ dns_dispatch_importrecv(dns_dispatch_t *disp, isc_event_t *event) {
 
 	buf = allocate_udp_buffer(disp);
 	if (buf == NULL) {
-		isc_event_free(ISC_EVENT_PTR(&newsevent));
+		isc_event_free((isc_event_t **) (void *)&newsevent);
 		return;
 	}
 	memcpy(buf, sevent->region.base, sevent->n);
@@ -2127,7 +2187,7 @@ dns_dispatch_importrecv(dns_dispatch_t *disp, isc_event_t *event) {
 	newsevent->pktinfo = sevent->pktinfo;
 	newsevent->attributes = sevent->attributes;
 	
-	isc_task_send(disp->task, ISC_EVENT_PTR(&newsevent));
+	isc_task_send(disp->task, (isc_event_t **) (void*)&newsevent);
 }
 
 #if 0
@@ -2138,415 +2198,9 @@ dns_dispatchmgr_dump(dns_dispatchmgr_t *mgr) {
 
 	disp = ISC_LIST_HEAD(mgr->list);
 	while (disp != NULL) {
-		isc_sockaddr_format(&disp->local, foo, sizeof foo);
+		isc_sockaddr_format(&disp->local, foo, sizeof(foo));
 		printf("\tdispatch %p, addr %s\n", disp, foo);
 		disp = ISC_LIST_NEXT(disp, link);
 	}
 }
 #endif
-
-/*
- * Allow the user to pick one of two ID randomization algorithms.
- *
- * The first algorithm is an adaptation of the sequence shuffling
- * algorithm discovered by Carter Bays and S. D. Durham [ACM Trans. Math.
- * Software 2 (1976), 59-64], as documented as Algorithm B in Chapter
- * 3.2.2 in Volume 2 of Knuth's "The Art of Computer Programming".  We use
- * a randomly selected linear congruential random number generator with a
- * modulus of 2^16, whose increment is a randomly picked odd number, and
- * whose multiplier is picked from a set which meets the following
- * criteria:
- *     Is of the form 8*n+5, which ensures "high potency" according to
- *     principle iii in the summary chapter 3.6.  This form also has a
- *     gcd(a-1,m) of 4 which is good according to principle iv.
- *
- *     Is between 0.01 and 0.99 times the modulus as specified by
- *     principle iv.
- *
- *     Passes the spectral test "with flying colors" (ut >= 1) in
- *     dimensions 2 through 6 as calculated by Algorithm S in Chapter
- *     3.3.4 and the ratings calculated by formula 35 in section E.
- *
- *     Of the multipliers that pass this test, pick the set that is
- *     best according to the theoretical bounds of the serial
- *     correlation test.  This was calculated using a simplified
- *     version of Knuth's Theorem K in Chapter 3.3.3.
- *
- * These criteria may not be important for this use, but we might as well
- * pick from the best generators since there are so many possible ones and
- * we don't have that many random bits to do the picking.
- *
- * We use a modulus of 2^16 instead of something bigger so that we will
- * tend to cycle through all the possible IDs before repeating any,
- * however the shuffling will perturb this somewhat.  Theoretically there
- * is no minimimum interval between two uses of the same ID, but in
- * practice it seems to be >64000.
- *
- * Our adaptatation  of Algorithm B mixes the hash state which has
- * captured various random events into the shuffler to perturb the
- * sequence.
- *
- * One disadvantage of this algorithm is that if the generator parameters
- * were to be guessed, it would be possible to mount a limited brute force
- * attack on the ID space since the IDs are only shuffled within a limited
- * range.
- *
- * The second algorithm uses the same random number generator to populate
- * a pool of 65536 IDs.  The hash state is used to pick an ID from a window
- * of 4096 IDs in this pool, then the chosen ID is swapped with the ID
- * at the beginning of the window and the window position is advanced.
- * This means that the interval between uses of the ID will be no less
- * than 65536-4096.  The ID sequence in the pool will become more random
- * over time.
- *
- * For both algorithms, two more linear congruential random number generators
- * are selected.  The ID from the first part of algorithm is used to seed
- * the first of these generators, and its output is used to seed the second.
- * The strategy is use these generators as 1 to 1 hashes to obfuscate the
- * properties of the generator used in the first part of either algorithm.
- *
- * The first algorithm may be suitable for use in a client resolver since
- * its memory requirements are fairly low and it's pretty random out of
- * the box.  It is somewhat succeptible to a limited brute force attack,
- * so the second algorithm is probably preferable for a longer running
- * program that issues a large number of queries and has time to randomize
- * the pool.
- */
-
-#define NSID_SHUFFLE_TABLE_SIZE 100 /* Suggested by Knuth */
-/*
- * Pick one of the next 4096 IDs in the pool.
- * There is a tradeoff here between randomness and how often and ID is reused.
- */
-#define NSID_LOOKAHEAD 4096     /* Must be a power of 2 */
-#define NSID_SHUFFLE_ONLY 1     /* algorithm 1 */
-#define NSID_USE_POOL 2         /* algorithm 2 */
-#define NSID_HASHSHIFT       3
-#define NSID_HASHROTATE(v) \
-        (((v) << NSID_HASHSHIFT) | ((v) >> ((sizeof(v) * 8) - NSID_HASHSHIFT)))
-
-static isc_uint32_t	nsid_hash_state;
-
-/*
- * Keep a running hash of various bits of data that we'll use to
- * stir the ID pool or perturb the ID generator
- */
-static void
-nsid_hash(void *data, size_t len) {
-	unsigned char *p = data;
-	/*
-	 * Hash function similar to the one we use for hashing names.
-	 * We don't fold case or toss the upper bit here, though.
-	 * This hash doesn't do much interesting when fed binary zeros,
-	 * so there may be a better hash function.
-	 * This function doesn't need to be very strong since we're
-	 * only using it to stir the pool, but it should be reasonably
-	 * fast.
-	 */
-	/*
-	 * We don't care about locking access to nsid_hash_state.
-	 * In fact races make the result even more non deteministic.
-	 */
-	while (len-- > 0U) {
-		nsid_hash_state = NSID_HASHROTATE(nsid_hash_state);
-		nsid_hash_state += *p++;
-	}
-}
-
-/*
- * Table of good linear congruential multipliers for modulus 2^16
- * in order of increasing serial correlation bounds (so trim from
- * the end).
- */
-static const isc_uint16_t nsid_multiplier_table[] = {
-	17565, 25013, 11733, 19877, 23989, 23997, 24997, 25421,
-	26781, 27413, 35901, 35917, 35973, 36229, 38317, 38437,
-	39941, 40493, 41853, 46317, 50581, 51429, 53453, 53805,
-	11317, 11789, 12045, 12413, 14277, 14821, 14917, 18989,
-	19821, 23005, 23533, 23573, 23693, 27549, 27709, 28461,
-	29365, 35605, 37693, 37757, 38309, 41285, 45261, 47061,
-	47269, 48133, 48597, 50277, 50717, 50757, 50805, 51341,
-	51413, 51581, 51597, 53445, 11493, 14229, 20365, 20653,
-	23485, 25541, 27429, 29421, 30173, 35445, 35653, 36789,
-	36797, 37109, 37157, 37669, 38661, 39773, 40397, 41837,
-	41877, 45293, 47277, 47845, 49853, 51085, 51349, 54085,
-	56933,  8877,  8973,  9885, 11365, 11813, 13581, 13589,
-	13613, 14109, 14317, 15765, 15789, 16925, 17069, 17205,
-	17621, 17941, 19077, 19381, 20245, 22845, 23733, 24869,
-	25453, 27213, 28381, 28965, 29245, 29997, 30733, 30901,
-	34877, 35485, 35613, 36133, 36661, 36917, 38597, 40285,
-	40693, 41413, 41541, 41637, 42053, 42349, 45245, 45469,
-	46493, 48205, 48613, 50861, 51861, 52877, 53933, 54397,
-	55669, 56453, 56965, 58021,  7757,  7781,  8333,  9661,
-	12229, 14373, 14453, 17549, 18141, 19085, 20773, 23701,
-	24205, 24333, 25261, 25317, 27181, 30117, 30477, 34757,
-	34885, 35565, 35885, 36541, 37957, 39733, 39813, 41157,
-	41893, 42317, 46621, 48117, 48181, 49525, 55261, 55389,
-	56845,  7045,  7749,  7965,  8469,  9133,  9549,  9789,
-	10173, 11181, 11285, 12253, 13453, 13533, 13757, 14477,
-	15053, 16901, 17213, 17269, 17525, 17629, 18605, 19013,
-	19829, 19933, 20069, 20093, 23261, 23333, 24949, 25309,
-	27613, 28453, 28709, 29301, 29541, 34165, 34413, 37301,
-	37773, 38045, 38405, 41077, 41781, 41925, 42717, 44437,
-	44525, 44613, 45933, 45941, 47077, 50077, 50893, 52117,
-	 5293, 55069, 55989, 58125, 59205,  6869, 14685, 15453,
-	16821, 17045, 17613, 18437, 21029, 22773, 22909, 25445,
-	25757, 26541, 30709, 30909, 31093, 31149, 37069, 37725,
-	37925, 38949, 39637, 39701, 40765, 40861, 42965, 44813,
-	45077, 45733, 47045, 50093, 52861, 52957, 54181, 56325,
-	56365, 56381, 56877, 57013,  5741, 58101, 58669,  8613,
-	10045, 10261, 10653, 10733, 11461, 12261, 14069, 15877,
-	17757, 21165, 23885, 24701, 26429, 26645, 27925, 28765,
-	29197, 30189, 31293, 39781, 39909, 40365, 41229, 41453,
-	41653, 42165, 42365, 47421, 48029, 48085, 52773,  5573,
-	57037, 57637, 58341, 58357, 58901,  6357,  7789,  9093,
-	10125, 10709, 10765, 11957, 12469, 13437, 13509, 14773,
-	15437, 15773, 17813, 18829, 19565, 20237, 23461, 23685,
-	23725, 23941, 24877, 25461, 26405, 29509, 30285, 35181,
-	37229, 37893, 38565, 40293, 44189, 44581, 45701, 47381,
-	47589, 48557,  4941, 51069,  5165, 52797, 53149,  5341,
-	56301, 56765, 58581, 59493, 59677,  6085,  6349,  8293,
-	 8501,  8517, 11597, 11709, 12589, 12693, 13517, 14909,
-	17397, 18085, 21101, 21269, 22717, 25237, 25661, 29189,
-	30101, 31397, 33933, 34213, 34661, 35533, 36493, 37309,
-	40037,  4189, 42909, 44309, 44357, 44389,  4541, 45461,
-	46445, 48237, 54149, 55301, 55853, 56621, 56717, 56901,
-	 5813, 58437, 12493, 15365, 15989, 17829, 18229, 19341,
-	21013, 21357, 22925, 24885, 26053, 27581, 28221, 28485,
-	30605, 30613, 30789, 35437, 36285, 37189,  3941, 41797,
-	 4269, 42901, 43293, 44645, 45221, 46893,  4893, 50301,
-	50325,  5189, 52109, 53517, 54053, 54485,  5525, 55949,
-	56973, 59069, 59421, 60733, 61253,  6421,  6701,  6709,
-	 7101,  8669, 15797, 19221, 19837, 20133, 20957, 21293,
-	21461, 22461, 29085, 29861, 30869, 34973, 36469, 37565,
-	38125, 38829, 39469, 40061, 40117, 44093, 47429, 48341,
-	50597, 51757,  5541, 57629, 58405, 59621, 59693, 59701,
-	61837,  7061, 10421, 11949, 15405, 20861, 25397, 25509,
-	25893, 26037, 28629, 28869, 29605, 30213, 34205, 35637,
-	36365, 37285,  3773, 39117,  4021, 41061, 42653, 44509,
-	 4461, 44829,  4725,  5125, 52269, 56469, 59085,  5917,
-	60973,  8349, 17725, 18637, 19773, 20293, 21453, 22533,
-	24285, 26333, 26997, 31501, 34541, 34805, 37509, 38477,
-	41333, 44125, 46285, 46997, 47637, 48173,  4925, 50253,
-	50381, 50917, 51205, 51325, 52165, 52229,  5253,  5269,
-	53509, 56253, 56341,  5821, 58373, 60301, 61653, 61973,
-	62373,  8397, 11981, 14341, 14509, 15077, 22261, 22429,
-	24261, 28165, 28685, 30661, 34021, 34445, 39149,  3917,
-	43013, 43317, 44053, 44101,  4533, 49541, 49981,  5277,
-	54477, 56357, 57261, 57765, 58573, 59061, 60197, 61197,
-	62189,  7725,  8477,  9565, 10229, 11437, 14613, 14709,
-	16813, 20029, 20677, 31445,  3165, 31957,  3229, 33541,
-	36645,  3805, 38973,  3965,  4029, 44293, 44557, 46245,
-	48917,  4909, 51749, 53709, 55733, 56445,  5925,  6093,
-	61053, 62637,  8661,  9109, 10821, 11389, 13813, 14325,
-	15501, 16149, 18845, 22669, 26437, 29869, 31837, 33709,
-	33973, 34173,  3677,  3877,  3981, 39885, 42117,  4421,
-	44221, 44245, 44693, 46157, 47309,  5005, 51461, 52037,
-	55333, 55693, 56277, 58949,  6205, 62141, 62469,  6293,
-	10101, 12509, 14029, 17997, 20469, 21149, 25221, 27109,
-	 2773,  2877, 29405, 31493, 31645,  4077, 42005, 42077,
-	42469, 42501, 44013, 48653, 49349,  4997, 50101, 55405,
-	56957, 58037, 59429, 60749, 61797, 62381, 62837,  6605,
-	10541, 23981, 24533,  2701, 27333, 27341, 31197, 33805,
-	 3621, 37381,  3749,  3829, 38533, 42613, 44381, 45901,
-	48517, 51269, 57725, 59461, 60045, 62029, 13805, 14013,
-	15461, 16069, 16157, 18573,  2309, 23501, 28645,  3077,
-	31541, 36357, 36877,  3789, 39429, 39805, 47685, 47949,
-	49413,  5485, 56757, 57549, 57805, 58317, 59549, 62213,
-	62613, 62853, 62933,  8909, 12941, 16677, 20333, 21541,
-	24429, 26077, 26421,  2885, 31269, 33381,  3661, 40925,
-	42925, 45173,  4525,  4709, 53133, 55941, 57413, 57797,
-	62125, 62237, 62733,  6773, 12317, 13197, 16533, 16933,
-	18245,  2213,  2477, 29757, 33293, 35517, 40133, 40749,
-	 4661, 49941, 62757,  7853,  8149,  8573, 11029, 13421,
-	21549, 22709, 22725, 24629,  2469, 26125,  2669, 34253,
-	36709, 41013, 45597, 46637, 52285, 52333, 54685, 59013,
-	60997, 61189, 61981, 62605, 62821,  7077,  7525,  8781,
-	10861, 15277,  2205, 22077, 28517, 28949, 32109, 33493,
-	 4661, 49941, 62757,  7853,  8149,  8573, 11029, 13421,
-	21549, 22709, 22725, 24629,  2469, 26125,  2669, 34253,
-	36709, 41013, 45597, 46637, 52285, 52333, 54685, 59013,
-	60997, 61189, 61981, 62605, 62821,  7077,  7525,  8781,
-	10861, 15277,  2205, 22077, 28517, 28949, 32109, 33493,
-	 3685, 39197, 39869, 42621, 44997, 48565,  5221, 57381,
-	61749, 62317, 63245, 63381, 23149,  2549, 28661, 31653,
-	33885, 36341, 37053, 39517, 42805, 45853, 48997, 59349,
-	60053, 62509, 63069,  6525,  1893, 20181,  2365, 24893,
-	27397, 31357, 32277, 33357, 34437, 36677, 37661, 43469,
-	43917, 50997, 53869,  5653, 13221, 16741, 17893,  2157,
-	28653, 31789, 35301, 35821, 61613, 62245, 12405, 14517,
-	17453, 18421,  3149,  3205, 40341,  4109, 43941, 46869,
-	48837, 50621, 57405, 60509, 62877,  8157, 12933, 12957,
-	16501, 19533,  3461, 36829, 52357, 58189, 58293, 63053,
-	17109,  1933, 32157, 37701, 59005, 61621, 13029, 15085,
-	16493, 32317, 35093,  5061, 51557, 62221, 20765, 24613,
-	 2629, 30861, 33197, 33749, 35365, 37933, 40317, 48045,
-	56229, 61157, 63797,  7917, 17965,  1917,  1973, 20301,
-	 2253, 33157, 58629, 59861, 61085, 63909,  8141,  9221,
-	14757,  1581, 21637, 26557, 33869, 34285, 35733, 40933,
-	42517, 43501, 53653, 61885, 63805,  7141, 21653, 54973,
-	31189, 60061, 60341, 63357, 16045,  2053, 26069, 33997,
-	43901, 54565, 63837,  8949, 17909, 18693, 32349, 33125,
-	37293, 48821, 49053, 51309, 64037,  7117,  1445, 20405,
-	23085, 26269, 26293, 27349, 32381, 33141, 34525, 36461,
-	37581, 43525,  4357, 43877,  5069, 55197, 63965,  9845,
-	12093,  2197,  2229, 32165, 33469, 40981, 42397,  8749,
-	10853,  1453, 18069, 21693, 30573, 36261, 37421, 42533
-};
-
-#define NSID_MULT_TABLE_SIZE \
-        ((sizeof nsid_multiplier_table)/(sizeof nsid_multiplier_table[0]))
-#define NSID_RANGE_MASK (NSID_LOOKAHEAD - 1)
-#define NSID_POOL_MASK 0xFFFF /* used to wrap the pool index */
-#define NSID_SHUFFLE_ONLY 1
-#define NSID_USE_POOL 2
-
-static isc_uint16_t
-nsid_next(dns_nsid_t *nsid) {
-        isc_uint16_t id, compressed_hash;
-	isc_uint16_t j;
-
-        compressed_hash = ((nsid_hash_state >> 16) ^
-			   (nsid_hash_state)) & 0xFFFF;
-
-	if (nsid->nsid_usepool) {
-	        isc_uint16_t pick;
-
-                pick = compressed_hash & NSID_RANGE_MASK;
-		pick = (nsid->nsid_state + pick) & NSID_POOL_MASK;
-                id = nsid->nsid_pool[pick];
-                if (pick != 0) {
-                        /* Swap two IDs to stir the pool */
-                        nsid->nsid_pool[pick] =
-                                nsid->nsid_pool[nsid->nsid_state];
-                        nsid->nsid_pool[nsid->nsid_state] = id;
-                }
-
-                /* increment the base pointer into the pool */
-                if (nsid->nsid_state == 65535)
-                        nsid->nsid_state = 0;
-                else
-                        nsid->nsid_state++;
-	} else {
-		/*
-		 * This is the original Algorithm B
-		 * j = ((u_long) NSID_SHUFFLE_TABLE_SIZE * nsid_state2) >> 16;
-		 *
-		 * We'll perturb it with some random stuff  ...
-		 */
-		j = ((isc_uint32_t) NSID_SHUFFLE_TABLE_SIZE *
-		     (nsid->nsid_state2 ^ compressed_hash)) >> 16;
-		nsid->nsid_state2 = id = nsid->nsid_vtable[j];
-		nsid->nsid_state = (((isc_uint32_t) nsid->nsid_a1 * nsid->nsid_state) +
-				      nsid->nsid_c1) & 0xFFFF;
-		nsid->nsid_vtable[j] = nsid->nsid_state;
-	}
-
-        /* Now lets obfuscate ... */
-        id = (((isc_uint32_t) nsid->nsid_a2 * id) + nsid->nsid_c2) & 0xFFFF;
-        id = (((isc_uint32_t) nsid->nsid_a3 * id) + nsid->nsid_c3) & 0xFFFF;
-
-        return (id);
-}
-
-static isc_result_t
-nsid_init(isc_mem_t *mctx, dns_nsid_t *nsid, isc_boolean_t usepool) {
-        isc_time_t now;
-        pid_t mypid;
-        isc_uint16_t a1ndx, a2ndx, a3ndx, c1ndx, c2ndx, c3ndx;
-        int i;
-
-	isc_time_now(&now);
-        mypid = getpid();
-
-        /* Initialize the state */
-	memset(nsid, 0, sizeof(*nsid));
-        nsid_hash(&now, sizeof now);
-        nsid_hash(&mypid, sizeof mypid);
-
-        /*
-         * Select our random number generators and initial seed.
-         * We could really use more random bits at this point,
-         * but we'll try to make a silk purse out of a sows ear ...
-         */
-        /* generator 1 */
-        a1ndx = ((isc_uint32_t) NSID_MULT_TABLE_SIZE *
-                 (nsid_hash_state & 0xFFFF)) >> 16;
-        nsid->nsid_a1 = nsid_multiplier_table[a1ndx];
-        c1ndx = (nsid_hash_state >> 9) & 0x7FFF;
-        nsid->nsid_c1 = 2 * c1ndx + 1;
-
-        /* generator 2, distinct from 1 */
-        a2ndx = ((isc_uint32_t) (NSID_MULT_TABLE_SIZE - 1) *
-                 ((nsid_hash_state >> 10) & 0xFFFF)) >> 16;
-        if (a2ndx >= a1ndx)
-                a2ndx++;
-        nsid->nsid_a2 = nsid_multiplier_table[a2ndx];
-        c2ndx = nsid_hash_state % 32767;
-        if (c2ndx >= c1ndx)
-                c2ndx++;
-        nsid->nsid_c2 = 2*c2ndx + 1;
-
-        /* generator 3, distinct from 1 and 2 */
-        a3ndx = ((isc_uint32_t) (NSID_MULT_TABLE_SIZE - 2) *
-                 ((nsid_hash_state >> 20) & 0xFFFF)) >> 16;
-        if (a3ndx >= a1ndx || a3ndx >= a2ndx)
-                a3ndx++;
-        if (a3ndx >= a1ndx && a3ndx >= a2ndx)
-                a3ndx++;
-        nsid->nsid_a3 = nsid_multiplier_table[a3ndx];
-        c3ndx = nsid_hash_state % 32766;
-        if (c3ndx >= c1ndx || c3ndx >= c2ndx)
-                c3ndx++;
-        if (c3ndx >= c1ndx && c3ndx >= c2ndx)
-                c3ndx++;
-        nsid->nsid_c3 = 2*c3ndx + 1;
-
-        nsid->nsid_state =
-		((nsid_hash_state >> 16) ^ (nsid_hash_state)) & 0xFFFF;
-
-	nsid->nsid_usepool = usepool;
-	if (nsid->nsid_usepool) {
-                nsid->nsid_pool = isc_mem_get(mctx, 0x10000 * sizeof(isc_uint16_t));
-		if (nsid->nsid_pool == NULL)
-			return (ISC_R_NOMEMORY);
-                for (i = 0; ; i++) {
-                        nsid->nsid_pool[i] = nsid->nsid_state;
-                        nsid->nsid_state =
-				 (((u_long) nsid->nsid_a1 * nsid->nsid_state) +
-				   nsid->nsid_c1) & 0xFFFF;
-                        if (i == 0xFFFF)
-                                break;
-                }
-	} else {
-		nsid->nsid_vtable = isc_mem_get(mctx, NSID_SHUFFLE_TABLE_SIZE *
-						(sizeof(isc_uint16_t)) );
-		if (nsid->nsid_vtable == NULL)
-			return (ISC_R_NOMEMORY);
-
-		for (i = 0; i < NSID_SHUFFLE_TABLE_SIZE; i++) {
-			nsid->nsid_vtable[i] = nsid->nsid_state;
-			nsid->nsid_state =
-				   (((isc_uint32_t) nsid->nsid_a1 * nsid->nsid_state) +
-					 nsid->nsid_c1) & 0xFFFF;
-		}
-		nsid->nsid_state2 = nsid->nsid_state;
-	} 
-	return (ISC_R_SUCCESS);
-}
-
-static void
-nsid_destroy(isc_mem_t *mctx, dns_nsid_t *nsid) {
-	if (nsid->nsid_usepool)
-		isc_mem_put(mctx, nsid->nsid_pool,
-			    0x10000 * sizeof(isc_uint16_t));
-	else
-		isc_mem_put(mctx, nsid->nsid_vtable,
-			    NSID_SHUFFLE_TABLE_SIZE * (sizeof(isc_uint16_t)) );
-	memset(nsid, 0, sizeof(*nsid));
-}
-
-void
-dns_dispatch_hash(void *data, size_t len) {
-	nsid_hash(data, len);
-}
diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c
index 7bb215ae..6d78ee42 100644
--- a/lib/dns/dnssec.c
+++ b/lib/dns/dnssec.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: dnssec.c,v 1.69.2.9 2006/01/04 23:50:17 marka Exp $
+ * $Id: dnssec.c,v 1.69.2.5.2.6 2004/03/08 21:06:26 marka Exp $
  */
 
 
@@ -142,7 +142,7 @@ dns_dnssec_keyfromrdata(dns_name_t *name, dns_rdata_t *rdata, isc_mem_t *mctx,
 }
 
 static isc_result_t
-digest_sig(dst_context_t *ctx, dns_rdata_t *sigrdata, dns_rdata_sig_t *sig) {
+digest_sig(dst_context_t *ctx, dns_rdata_t *sigrdata, dns_rdata_rrsig_t *sig) {
 	isc_region_t r;
 	isc_result_t ret;
 	dns_fixedname_t fname;
@@ -155,7 +155,9 @@ digest_sig(dst_context_t *ctx, dns_rdata_t *sigrdata, dns_rdata_sig_t *sig) {
 	if (ret != ISC_R_SUCCESS)
 		return (ret);
 	dns_fixedname_init(&fname);
-	dns_name_downcase(&sig->signer, dns_fixedname_name(&fname), NULL);
+	RUNTIME_CHECK(dns_name_downcase(&sig->signer,
+					dns_fixedname_name(&fname), NULL)
+		      == ISC_R_SUCCESS);
 	dns_name_toregion(dns_fixedname_name(&fname), &r);
 	return (dst_context_adddata(ctx, &r));
 }
@@ -165,7 +167,7 @@ dns_dnssec_sign(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
 		isc_stdtime_t *inception, isc_stdtime_t *expire,
 		isc_mem_t *mctx, isc_buffer_t *buffer, dns_rdata_t *sigrdata)
 {
-	dns_rdata_sig_t sig;
+	dns_rdata_rrsig_t sig;
 	dns_rdata_t tmpsigrdata;
 	dns_rdata_t *rdatas;
 	int nrdatas, i;
@@ -180,7 +182,7 @@ dns_dnssec_sign(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
 	dns_fixedname_t fnewname;
 
 	REQUIRE(name != NULL);
-	REQUIRE(dns_name_depth(name) <= 255);
+	REQUIRE(dns_name_countlabels(name) <= 255);
 	REQUIRE(set != NULL);
 	REQUIRE(key != NULL);
 	REQUIRE(inception != NULL);
@@ -202,7 +204,7 @@ dns_dnssec_sign(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
 
 	sig.mctx = mctx;
 	sig.common.rdclass = set->rdclass;
-	sig.common.rdtype = dns_rdatatype_sig;
+	sig.common.rdtype = dns_rdatatype_rrsig;
 	ISC_LINK_INIT(&sig.common, link);
 
 	dns_name_init(&sig.signer, NULL);
@@ -210,7 +212,7 @@ dns_dnssec_sign(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
 
 	sig.covered = set->type;
 	sig.algorithm = dst_key_alg(key);
-	sig.labels = dns_name_depth(name) - 1;
+	sig.labels = dns_name_countlabels(name) - 1;
 	if (dns_name_iswildcard(name))
 		sig.labels--;
 	sig.originalttl = set->ttl;
@@ -251,7 +253,8 @@ dns_dnssec_sign(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
 		goto cleanup_context;
 
 	dns_fixedname_init(&fnewname);
-	dns_name_downcase(name, dns_fixedname_name(&fnewname), NULL);
+	RUNTIME_CHECK(dns_name_downcase(name, dns_fixedname_name(&fnewname),
+					NULL) == ISC_R_SUCCESS);
 	dns_name_toregion(dns_fixedname_name(&fnewname), &r);
 
 	/*
@@ -325,7 +328,8 @@ cleanup_array:
 cleanup_context:
 	dst_context_destroy(&ctx);
 cleanup_databuf:
-	isc_buffer_free(&databuf);
+	if (databuf != NULL)
+		isc_buffer_free(&databuf);
 cleanup_signature:
 	isc_mem_put(mctx, sig.signature, sig.siglen);
 
@@ -333,11 +337,11 @@ cleanup_signature:
 }
 
 isc_result_t
-dns_dnssec_verify(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
-		  isc_boolean_t ignoretime, isc_mem_t *mctx,
-		  dns_rdata_t *sigrdata)
+dns_dnssec_verify2(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
+		   isc_boolean_t ignoretime, isc_mem_t *mctx,
+		   dns_rdata_t *sigrdata, dns_name_t *wild)
 {
-	dns_rdata_sig_t sig;
+	dns_rdata_rrsig_t sig;
 	dns_fixedname_t fnewname;
 	isc_region_t r;
 	isc_buffer_t envbuf;
@@ -347,14 +351,14 @@ dns_dnssec_verify(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
 	isc_result_t ret;
 	unsigned char data[300];
 	dst_context_t *ctx = NULL;
-	int labels;
+	int labels = 0;
 	isc_uint32_t flags;
 
 	REQUIRE(name != NULL);
 	REQUIRE(set != NULL);
 	REQUIRE(key != NULL);
 	REQUIRE(mctx != NULL);
-	REQUIRE(sigrdata != NULL && sigrdata->type == dns_rdatatype_sig);
+	REQUIRE(sigrdata != NULL && sigrdata->type == dns_rdatatype_rrsig);
 
 	ret = dns_rdata_tostruct(sigrdata, &sig, NULL);
 	if (ret != ISC_R_SUCCESS)
@@ -399,13 +403,14 @@ dns_dnssec_verify(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
 	 * If the name is an expanded wildcard, use the wildcard name.
 	 */
 	dns_fixedname_init(&fnewname);
-	labels = dns_name_depth(name) - 1;
+	labels = dns_name_countlabels(name) - 1;
 	if (labels - sig.labels > 0) {
-		dns_name_splitatdepth(name, sig.labels + 1, NULL,
-				      dns_fixedname_name(&fnewname));
-		dns_name_downcase(dns_fixedname_name(&fnewname),
-				  dns_fixedname_name(&fnewname),
-				  NULL);
+		dns_name_split(name, sig.labels + 1, NULL,
+			       dns_fixedname_name(&fnewname));
+		RUNTIME_CHECK(dns_name_downcase(dns_fixedname_name(&fnewname),
+						dns_fixedname_name(&fnewname),
+						NULL)
+			      == ISC_R_SUCCESS);
 	}
 	else
 		dns_name_downcase(name, dns_fixedname_name(&fnewname), NULL);
@@ -484,15 +489,37 @@ cleanup_context:
 cleanup_struct:
 	dns_rdata_freestruct(&sig);
 
+	if (ret == ISC_R_SUCCESS && labels - sig.labels > 0) {
+		if (wild != NULL) 
+			RUNTIME_CHECK(dns_name_concatenate(dns_wildcardname,
+					         dns_fixedname_name(&fnewname),
+						 wild, NULL) == ISC_R_SUCCESS);
+		ret = DNS_R_FROMWILDCARD;
+	}
 	return (ret);
 }
 
+isc_result_t
+dns_dnssec_verify(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
+		  isc_boolean_t ignoretime, isc_mem_t *mctx,
+		  dns_rdata_t *sigrdata)
+{
+	isc_result_t result;
+
+	result = dns_dnssec_verify2(name, set, key, ignoretime, mctx,
+				    sigrdata, NULL);
+	if (result == DNS_R_FROMWILDCARD)
+		result = ISC_R_SUCCESS;
+	return (result);
+}
+
 #define is_zone_key(key) ((dst_key_flags(key) & DNS_KEYFLAG_OWNERMASK) \
 			  == DNS_KEYOWNER_ZONE)
 
 isc_result_t
-dns_dnssec_findzonekeys(dns_db_t *db, dns_dbversion_t *ver,
-			dns_dbnode_t *node, dns_name_t *name, isc_mem_t *mctx,
+dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver,
+			dns_dbnode_t *node, dns_name_t *name,
+			const char *directory, isc_mem_t *mctx,
 			unsigned int maxkeys, dst_key_t **keys,
 			unsigned int *nkeys)
 {
@@ -504,7 +531,7 @@ dns_dnssec_findzonekeys(dns_db_t *db, dns_dbversion_t *ver,
 
 	*nkeys = 0;
 	dns_rdataset_init(&rdataset);
-	RETERR(dns_db_findrdataset(db, node, ver, dns_rdatatype_key, 0, 0,
+	RETERR(dns_db_findrdataset(db, node, ver, dns_rdatatype_dnskey, 0, 0,
 				   &rdataset, NULL));
 	RETERR(dns_rdataset_first(&rdataset));
 	while (result == ISC_R_SUCCESS && count < maxkeys) {
@@ -518,7 +545,7 @@ dns_dnssec_findzonekeys(dns_db_t *db, dns_dbversion_t *ver,
 					  dst_key_id(pubkey),
 					  dst_key_alg(pubkey),
 					  DST_TYPE_PUBLIC|DST_TYPE_PRIVATE,
-					  NULL,
+					  directory,
 					  mctx, &keys[count]);
 		if (result == ISC_R_FILENOTFOUND)
 			goto next;
@@ -551,8 +578,18 @@ dns_dnssec_findzonekeys(dns_db_t *db, dns_dbversion_t *ver,
 }
 
 isc_result_t
+dns_dnssec_findzonekeys(dns_db_t *db, dns_dbversion_t *ver,
+			dns_dbnode_t *node, dns_name_t *name, isc_mem_t *mctx,
+			unsigned int maxkeys, dst_key_t **keys,
+			unsigned int *nkeys)
+{
+	return (dns_dnssec_findzonekeys2(db, ver, node, name, NULL, mctx,
+					 maxkeys, keys, nkeys));
+}
+
+isc_result_t
 dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key) {
-	dns_rdata_sig_t sig;
+	dns_rdata_sig_t sig;	/* SIG(0) */
 	unsigned char data[512];
 	unsigned char header[DNS_MESSAGE_HEADERLEN];
 	isc_buffer_t headerbuf, databuf, sigbuf;
@@ -576,11 +613,11 @@ dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key) {
 
 	mctx = msg->mctx;
 
-	memset(&sig, 0, sizeof(dns_rdata_sig_t));
+	memset(&sig, 0, sizeof(sig));
 
 	sig.mctx = mctx;
 	sig.common.rdclass = dns_rdataclass_any;
-	sig.common.rdtype = dns_rdatatype_sig;
+	sig.common.rdtype = dns_rdatatype_sig;	/* SIG(0) */
 	ISC_LINK_INIT(&sig.common, link);
 
 	sig.covered = 0;
@@ -610,7 +647,8 @@ dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key) {
 	 * is identical to dns format.
 	 */
 	RETERR(dns_rdata_fromstruct(NULL, dns_rdataclass_any,
-				    dns_rdatatype_sig, &sig, &databuf));
+				    dns_rdatatype_sig /* SIG(0) */,
+				    &sig, &databuf));
 	isc_buffer_usedregion(&databuf, &r);
 	RETERR(dst_context_adddata(ctx, &r));
 
@@ -651,7 +689,8 @@ dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key) {
 	RETERR(dns_message_gettemprdata(msg, &rdata));
 	RETERR(isc_buffer_allocate(msg->mctx, &dynbuf, 1024));
 	RETERR(dns_rdata_fromstruct(rdata, dns_rdataclass_any,
-				    dns_rdatatype_sig, &sig, dynbuf));
+				    dns_rdatatype_sig /* SIG(0) */,
+				    &sig, dynbuf));
 
 	isc_mem_put(mctx, sig.signature, sig.siglen);
 	signeedsfree = ISC_FALSE;
@@ -661,7 +700,7 @@ dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key) {
 	datalist = NULL;
 	RETERR(dns_message_gettemprdatalist(msg, &datalist));
 	datalist->rdclass = dns_rdataclass_any;
-	datalist->type = dns_rdatatype_sig;
+	datalist->type = dns_rdatatype_sig;	/* SIG(0) */
 	datalist->covers = 0;
 	datalist->ttl = 0;
 	ISC_LIST_INIT(datalist->rdata);
@@ -669,7 +708,7 @@ dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key) {
 	dataset = NULL;
 	RETERR(dns_message_gettemprdataset(msg, &dataset));
 	dns_rdataset_init(dataset);
-	dns_rdatalist_tordataset(datalist, dataset);
+	RUNTIME_CHECK(dns_rdatalist_tordataset(datalist, dataset) == ISC_R_SUCCESS);
 	msg->sig0 = dataset;
 
 	return (ISC_R_SUCCESS);
@@ -689,7 +728,7 @@ isc_result_t
 dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg,
 			 dst_key_t *key)
 {
-	dns_rdata_sig_t sig;
+	dns_rdata_sig_t sig;	/* SIG(0) */
 	unsigned char header[DNS_MESSAGE_HEADERLEN];
 	dns_rdata_t rdata = DNS_RDATA_INIT;
 	isc_region_t r, source_r, sig_r, header_r;
diff --git a/lib/dns/ds.c b/lib/dns/ds.c
new file mode 100644
index 00000000..b0ca5234
--- /dev/null
+++ b/lib/dns/ds.c
@@ -0,0 +1,83 @@
+/*
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2002, 2003  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: ds.c,v 1.4.2.1 2004/03/08 02:07:53 marka Exp $ */
+
+#include <config.h>
+
+#include <string.h>
+
+#include <isc/buffer.h>
+#include <isc/region.h>
+#include <isc/sha1.h>
+#include <isc/util.h>
+
+#include <dns/ds.h>
+#include <dns/fixedname.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdatastruct.h>
+#include <dns/result.h>
+
+#include <dst/dst.h>
+
+isc_result_t
+dns_ds_buildrdata(dns_name_t *owner, dns_rdata_t *key,
+		  unsigned int digest_type, unsigned char *buffer,
+		  dns_rdata_t *rdata)
+{
+	isc_sha1_t sha1;
+	dns_fixedname_t fname;
+	dns_name_t *name;
+	unsigned char digest[ISC_SHA1_DIGESTLENGTH];
+	isc_region_t r;
+	isc_buffer_t b;
+	dns_rdata_ds_t ds;
+
+	REQUIRE(key != NULL);
+	REQUIRE(key->type == dns_rdatatype_dnskey);
+
+	if (digest_type != DNS_DSDIGEST_SHA1)
+		return (ISC_R_NOTIMPLEMENTED);
+
+	dns_fixedname_init(&fname);
+	name = dns_fixedname_name(&fname);
+	(void)dns_name_downcase(owner, name, NULL);
+
+	memset(buffer, 0, DNS_DS_BUFFERSIZE);
+	isc_buffer_init(&b, buffer, DNS_DS_BUFFERSIZE);
+
+	isc_sha1_init(&sha1);
+	dns_name_toregion(name, &r);
+	isc_sha1_update(&sha1, r.base, r.length);
+	dns_rdata_toregion(key, &r);
+	INSIST(r.length >= 4);
+	isc_sha1_update(&sha1, r.base, r.length);
+	isc_sha1_final(&sha1, digest);
+
+	ds.mctx = NULL;
+	ds.common.rdclass = key->rdclass;
+	ds.common.rdtype = dns_rdatatype_ds;
+	ds.algorithm = r.base[3];
+	ds.key_tag = dst_region_computeid(&r, ds.algorithm);
+	ds.digest_type = DNS_DSDIGEST_SHA1;
+	ds.length = ISC_SHA1_DIGESTLENGTH;
+	ds.digest = digest;
+
+	return (dns_rdata_fromstruct(rdata, key->rdclass, dns_rdatatype_ds,
+				     &ds, &b));
+}
diff --git a/lib/dns/forward.c b/lib/dns/forward.c
index 5fb03be2..f94abfe1 100644
--- a/lib/dns/forward.c
+++ b/lib/dns/forward.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: forward.c,v 1.5.2.3 2005/03/17 03:59:32 marka Exp $ */
+/* $Id: forward.c,v 1.5.206.1 2004/03/06 08:13:38 marka Exp $ */
 
 #include <config.h>
 
@@ -139,20 +139,13 @@ isc_result_t
 dns_fwdtable_find(dns_fwdtable_t *fwdtable, dns_name_t *name,
 		  dns_forwarders_t **forwardersp)
 {
-	return (dns_fwdtable_find2(fwdtable, name, NULL, forwardersp));
-} 
-
-isc_result_t
-dns_fwdtable_find2(dns_fwdtable_t *fwdtable, dns_name_t *name,
-		   dns_name_t *foundname, dns_forwarders_t **forwardersp)
-{
 	isc_result_t result;
 
 	REQUIRE(VALID_FWDTABLE(fwdtable));
 
 	RWLOCK(&fwdtable->rwlock, isc_rwlocktype_read);
 
-	result = dns_rbt_findname(fwdtable->table, name, 0, foundname,
+	result = dns_rbt_findname(fwdtable->table, name, 0, NULL,
 				  (void **)forwardersp);
 	if (result == DNS_R_PARTIALMATCH)
 		result = ISC_R_SUCCESS;
diff --git a/lib/dns/gen-unix.h b/lib/dns/gen-unix.h
index 54c5b317..8c1818dd 100644
--- a/lib/dns/gen-unix.h
+++ b/lib/dns/gen-unix.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: gen-unix.h,v 1.12.2.1 2004/03/09 06:11:01 marka Exp $ */
+/* $Id: gen-unix.h,v 1.12.12.3 2004/03/08 09:04:29 marka Exp $ */
 
 /*
  * This file is responsible for defining two operations that are not
@@ -82,7 +82,7 @@ next_file(isc_dir_t *dir) {
 static void
 end_directory(isc_dir_t *dir) {
 	if (dir->handle != NULL)
-		closedir(dir->handle);
+		(void)closedir(dir->handle);
 
 	dir->handle = NULL;
 }
diff --git a/lib/dns/gen-win32.h b/lib/dns/gen-win32.h
index 24d579e1..d24c92e9 100644
--- a/lib/dns/gen-win32.h
+++ b/lib/dns/gen-win32.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -48,7 +48,7 @@
  * SUCH DAMAGE.
  */
 
-/* $Id: gen-win32.h,v 1.14.2.4 2006/10/03 23:50:49 marka Exp $ */
+/* $Id: gen-win32.h,v 1.14.12.3 2004/03/08 09:04:30 marka Exp $ */
 
 /*
  * Principal Authors: Computer Systems Research Group at UC Berkeley
@@ -89,7 +89,7 @@ int isc_commandline_option;		/* Character checked for validity. */
 char *isc_commandline_argument;		/* Argument associated with option. */
 char *isc_commandline_progname;		/* For printing error messages. */
 
-isc_boolean_t isc_commandline_errprint = ISC_TRUE;/* Print error messages. */
+isc_boolean_t isc_commandline_errprint = ISC_TRUE; /* Print error messages. */
 isc_boolean_t isc_commandline_reset = ISC_TRUE; /* Reset processing. */
 
 #define BADOPT	'?'
diff --git a/lib/dns/gen.c b/lib/dns/gen.c
index 894da25f..4a6cc0d7 100644
--- a/lib/dns/gen.c
+++ b/lib/dns/gen.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,14 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: gen.c,v 1.65.2.11 2006/10/02 06:15:47 marka Exp $ */
+/* $Id: gen.c,v 1.65.2.5.2.6 2004/03/15 01:02:54 marka Exp $ */
 
-#ifdef WIN32
-/*
- * Silence compiler warnings about using strcpy and friends.
- */
-#define _CRT_SECURE_NO_DEPRECATE 1
-#endif
+#include <config.h>
 
 #include <sys/types.h>
 
@@ -39,7 +34,7 @@
 #include "gen-unix.h"
 #endif
 
-#define FROMTEXTARGS "rdclass, type, lexer, origin, downcase, target, callbacks"
+#define FROMTEXTARGS "rdclass, type, lexer, origin, options, target, callbacks"
 #define FROMTEXTCLASS "rdclass"
 #define FROMTEXTTYPE "type"
 #define FROMTEXTDEF "result = DNS_R_UNKNOWN"
@@ -49,7 +44,7 @@
 #define TOTEXTTYPE "rdata->type"
 #define TOTEXTDEF "use_default = ISC_TRUE"
 
-#define FROMWIREARGS "rdclass, type, source, dctx, downcase, target"
+#define FROMWIREARGS "rdclass, type, source, dctx, options, target"
 #define FROMWIRECLASS "rdclass"
 #define FROMWIRETYPE "type"
 #define FROMWIREDEF "use_default = ISC_TRUE"
@@ -89,10 +84,20 @@
 #define DIGESTTYPE "rdata->type"
 #define DIGESTDEF "use_default = ISC_TRUE"
 
+#define CHECKOWNERARGS "name, rdclass, type, wildcard"
+#define CHECKOWNERCLASS "rdclass"
+#define CHECKOWNERTYPE "type"
+#define CHECKOWNERDEF "result = ISC_TRUE"
+
+#define CHECKNAMESARGS "rdata, owner, bad"
+#define CHECKNAMESCLASS "rdata->rdclass"
+#define CHECKNAMESTYPE "rdata->type"
+#define CHECKNAMESDEF "result = ISC_TRUE"
+
 const char copyright[] =
 "/*\n"
-" * Copyright (C) 2004%s  Internet Systems Consortium, Inc. (\"ISC\")\n"
-" * Copyright (C) 1998-2003  Internet Software Consortium.\n"
+" * Copyright (C) 2004%s Internet Systems Consortium, Inc. (\"ISC\")\n"
+" * Copyright (C) 1998-2003 Internet Software Consortium.\n"
 " *\n"
 " * Permission to use, copy, modify, and distribute this software for any\n"
 " * purpose with or without fee is hereby granted, provided that the above\n"
@@ -207,7 +212,7 @@ doswitch(const char *name, const char *function, const char *args,
 	if (res == NULL)
 		result = "";
 
-	for (tt = types; tt != NULL ; tt = tt->next) {
+	for (tt = types; tt != NULL; tt = tt->next) {
 		if (first) {
 			fprintf(stdout, "\n#define %s \\\n", name);
 			fprintf(stdout, "\tswitch (%s) { \\\n" /*}*/, tsw);
@@ -270,7 +275,7 @@ dodecl(char *type, char *function, char *args) {
 	char buf1[11], buf2[11];
 
 	fputs("\n", stdout);
-	for (tt = types; tt ; tt = tt->next)
+	for (tt = types; tt; tt = tt->next)
 		if (tt->rdclass)
 			fprintf(stdout,
 				"static inline %s %s_%s_%s(%s);\n",
@@ -361,7 +366,7 @@ void
 add(int rdclass, const char *classname, int type, const char *typename,
     const char *dirname)
 {
-	struct tt *newtt = (struct tt *)malloc(sizeof *newtt);
+	struct tt *newtt = (struct tt *)malloc(sizeof(*newtt));
 	struct tt *tt, *oldtt;
 	struct cc *newcc;
 	struct cc *cc, *oldcc;
@@ -410,7 +415,7 @@ add(int rdclass, const char *classname, int type, const char *typename,
 	if (rdclass == 0)
 		return;
 
-	newcc = (struct cc *)malloc(sizeof *newcc);
+	newcc = (struct cc *)malloc(sizeof(*newcc));
 	newcc->rdclass = rdclass;
 	strcpy(newcc->classname, classname);
 	cc = classes;
@@ -435,8 +440,8 @@ add(int rdclass, const char *classname, int type, const char *typename,
 
 void
 sd(int rdclass, const char *classname, const char *dirname, char filetype) {
-	char buf[sizeof "0123456789_65535.h"];
-	char fmt[sizeof "%10[-0-9a-z]_%d.h"];
+	char buf[sizeof("0123456789_65535.h")];
+	char fmt[sizeof("%10[-0-9a-z]_%d.h")];
 	int type;
 	char typename[11];
 	isc_dir_t dir;
@@ -504,7 +509,7 @@ main(int argc, char **argv) {
 	char *file = NULL;
 	isc_dir_t dir;
 
-	for (i = 0; i < TYPENAMES ; i++)
+	for (i = 0; i < TYPENAMES; i++)
 		memset(&typenames[i], 0, sizeof(typenames[i]));
 
 	strcpy(srcdir, "");
@@ -580,7 +585,7 @@ main(int argc, char **argv) {
 	sd(0, "", buf, filetype);
 
 	if (time(&now) != -1) {
-		if ((tm = localtime(&now)) != NULL && tm->tm_year > 104)
+		if ((tm = localtime(&now)) != NULL && tm->tm_year > 104) 
 			sprintf(year, "-%d", tm->tm_year + 1900);
 		else
 			year[0] = 0;
@@ -597,7 +602,7 @@ main(int argc, char **argv) {
 		fputs("#include <isc/result.h>\n\n", stdout);
 		fputs("#include <dns/name.h>\n\n", stdout);
 
-		for (tt = types; tt != NULL ; tt = tt->next)
+		for (tt = types; tt != NULL; tt = tt->next)
 			fprintf(stdout, "#include \"%s/%s_%d.c\"\n",
 				tt->dirname, tt->typename, tt->type);
 
@@ -625,6 +630,12 @@ main(int argc, char **argv) {
 		doswitch("DIGESTSWITCH", "digest",
 			 DIGESTARGS, DIGESTTYPE,
 			 DIGESTCLASS, DIGESTDEF);
+		doswitch("CHECKOWNERSWITCH", "checkowner",
+			CHECKOWNERARGS, CHECKOWNERTYPE,
+			CHECKOWNERCLASS, CHECKOWNERDEF);
+		doswitch("CHECKNAMESSWITCH", "checknames",
+			CHECKNAMESARGS, CHECKNAMESTYPE,
+			CHECKNAMESCLASS, CHECKNAMESDEF);
 
 		/*
 		 * From here down, we are processing the rdata names and
@@ -656,31 +667,6 @@ main(int argc, char **argv) {
 		insert_into_typenames(254, "maila", METAQUESTIONONLY);
 		insert_into_typenames(255, "any", METAQUESTIONONLY);
 
-		fprintf(stdout, "\ntypedef struct {\n");
-		fprintf(stdout, "\tconst char *name;\n");
-		fprintf(stdout, "\tunsigned int flags;\n");
-		fprintf(stdout, "} typeattr_t;\n");
-		fprintf(stdout, "static typeattr_t typeattr[] = {\n");
-		for (i = 0; i <= maxtype ; i++) {
-			ttn = find_typename(i);
-			if (ttn == NULL) {
-				const char *attrs;
-				if (i >= 128 && i < 255)
-					attrs = "DNS_RDATATYPEATTR_UNKNOWN | "
-						"DNS_RDATATYPEATTR_META";
-				else
-					attrs = "DNS_RDATATYPEATTR_UNKNOWN";
-				fprintf(stdout, "\t{ \"TYPE%d\", %s}%s\n",
-					i, attrs, PRINT_COMMA(i));
-			} else {
-				fprintf(stdout, "\t{ \"%s\", %s }%s\n",
-				       upper(ttn->typename),
-				       upper(ttn->attr),
-				       PRINT_COMMA(i));
-			}
-		}
-		fprintf(stdout, "};\n");
-
 		/*
 		 * Spit out a quick and dirty hash function.  Here,
 		 * we walk through the list of type names, and calculate
@@ -696,7 +682,7 @@ main(int argc, char **argv) {
 		fprintf(stdout, "\t\tif (sizeof(_s) - 1 == _n && \\\n"
 				"\t\t    strncasecmp(_s,(_tn),"
 				"(sizeof(_s) - 1)) == 0) { \\\n");
-		fprintf(stdout, "\t\t\tif ((typeattr[_d].flags & "
+		fprintf(stdout, "\t\t\tif ((dns_rdatatype_attributes(_d) & "
 		       		  "DNS_RDATATYPEATTR_RESERVED) != 0) \\\n");
 		fprintf(stdout, "\t\t\t\treturn (ISC_R_NOTIMPLEMENTED); \\\n");
 		fprintf(stdout, "\t\t\t*(_tp) = _d; \\\n");
@@ -707,7 +693,7 @@ main(int argc, char **argv) {
 		fprintf(stdout, "#define RDATATYPE_FROMTEXT_SW(_hash,"
 				"_typename,_length,_typep) \\\n");
 		fprintf(stdout, "\tswitch (_hash) { \\\n");
-		for (i = 0; i <= maxtype ; i++) {
+		for (i = 0; i <= maxtype; i++) {
 			ttn = find_typename(i);
 			if (ttn == NULL)
 				continue;
@@ -725,7 +711,7 @@ main(int argc, char **argv) {
 			 * Find all other entries that happen to match
 			 * this hash.
 			 */
-			for (j = 0; j <= maxtype ; j++) {
+			for (j = 0; j <= maxtype; j++) {
 				ttn2 = find_typename(j);
 				if (ttn2 == NULL)
 					continue;
@@ -741,6 +727,29 @@ main(int argc, char **argv) {
 		}
 		fprintf(stdout, "\t}\n");
 
+		fprintf(stdout, "#define RDATATYPE_ATTRIBUTE_SW \\\n");
+		fprintf(stdout, "\tswitch (type) { \\\n");
+		for (i = 0; i <= maxtype; i++) {
+			ttn = find_typename(i);
+			if (ttn == NULL)
+				continue;
+			fprintf(stdout, "\tcase %u: return (%s); \\\n",
+			        i, upper(ttn->attr));
+		}
+		fprintf(stdout, "\t}\n");
+
+		fprintf(stdout, "#define RDATATYPE_TOTEXT_SW \\\n");
+		fprintf(stdout, "\tswitch (type) { \\\n");
+		for (i = 0; i <= maxtype; i++) {
+			ttn = find_typename(i);
+			if (ttn == NULL)
+				continue;
+			fprintf(stdout, "\tcase %u: return "
+				"(str_totext(\"%s\", target)); \\\n",
+			        i, upper(ttn->typename));
+		}
+		fprintf(stdout, "\t}\n");
+
 		fputs("#endif /* DNS_CODE_H */\n", stdout);
 	} else if (type_enum) {
 		char *s;
@@ -752,7 +761,7 @@ main(int argc, char **argv) {
 		fprintf(stdout, "\tdns_rdatatype_none = 0,\n");
 
 		lasttype = 0;
-		for (tt = types; tt != NULL ; tt = tt->next)
+		for (tt = types; tt != NULL; tt = tt->next)
 			if (tt->type != lasttype)
 				fprintf(stdout,
 					"\tdns_rdatatype_%s = %d,\n",
@@ -770,7 +779,7 @@ main(int argc, char **argv) {
 		fprintf(stdout, "#define dns_rdatatype_none\t"
 			"((dns_rdatatype_t)dns_rdatatype_none)\n");
 
-		for (tt = types; tt != NULL ; tt = tt->next)
+		for (tt = types; tt != NULL; tt = tt->next)
 			if (tt->type != lasttype) {
 				s = funname(tt->typename, buf1);
 				fprintf(stdout,
@@ -835,29 +844,29 @@ main(int argc, char **argv) {
 	} else if (structs) {
 		if (prefix != NULL) {
 			if ((fd = fopen(prefix,"r")) != NULL) {
-				while (fgets(buf, sizeof buf, fd) != NULL)
+				while (fgets(buf, sizeof(buf), fd) != NULL)
 					fputs(buf, stdout);
 				fclose(fd);
 			}
 		}
-		for (tt = types; tt != NULL ; tt = tt->next) {
+		for (tt = types; tt != NULL; tt = tt->next) {
 			sprintf(buf, "%s/%s_%d.h",
 				tt->dirname, tt->typename, tt->type);
 			if ((fd = fopen(buf,"r")) != NULL) {
-				while (fgets(buf, sizeof buf, fd) != NULL)
+				while (fgets(buf, sizeof(buf), fd) != NULL)
 					fputs(buf, stdout);
 				fclose(fd);
 			}
 		}
 		if (suffix != NULL) {
 			if ((fd = fopen(suffix,"r")) != NULL) {
-				while (fgets(buf, sizeof buf, fd) != NULL)
+				while (fgets(buf, sizeof(buf), fd) != NULL)
 					fputs(buf, stdout);
 				fclose(fd);
 			}
 		}
 	} else if (depend) {
-		for (tt = types; tt != NULL ; tt = tt->next)
+		for (tt = types; tt != NULL; tt = tt->next)
 			fprintf(stdout, "%s:\t%s/%s_%d.h\n", file,
 				tt->dirname, tt->typename, tt->type);
 	}
diff --git a/lib/dns/include/Makefile.in b/lib/dns/include/Makefile.in
index 28ca2d0d..0e411dae 100644
--- a/lib/dns/include/Makefile.in
+++ b/lib/dns/include/Makefile.in
@@ -13,13 +13,13 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.11.2.2 2004/12/09 03:18:22 marka Exp $
+# $Id: Makefile.in,v 1.11.206.1 2004/03/06 08:13:50 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
 top_srcdir =	@top_srcdir@
 
-SUBDIRS =	dns dst
+SUBDIRS =	dns
 TARGETS =
 
 @BIND9_MAKE_RULES@
diff --git a/lib/dns/include/dns/Makefile.in b/lib/dns/include/dns/Makefile.in
index dc39ad6a..267bc8d0 100644
--- a/lib/dns/include/dns/Makefile.in
+++ b/lib/dns/include/dns/Makefile.in
@@ -1,5 +1,5 @@
 # Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2001  Internet Software Consortium.
+# Copyright (C) 1998-2003  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.43.2.2 2004/03/09 06:11:12 marka Exp $
+# $Id: Makefile.in,v 1.43.2.1.10.6 2004/03/08 09:04:34 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -21,18 +21,18 @@ top_srcdir =	@top_srcdir@
 
 @BIND9_VERSION@
 
-HEADERS =	a6.h acl.h adb.h byaddr.h cache.h callbacks.h \
+HEADERS =	acl.h adb.h byaddr.h cache.h callbacks.h \
 		cert.h compress.h \
 		db.h dbiterator.h dbtable.h diff.h dispatch.h \
-		dnssec.h events.h fixedname.h journal.h keyflags.h \
+		dnssec.h ds.h events.h fixedname.h journal.h keyflags.h \
 		keytable.h keyvalues.h lib.h log.h master.h masterdump.h \
 		message.h name.h ncache.h \
-		nxt.h peer.h rbt.h rcode.h \
+		nsec.h peer.h portlist.h rbt.h rcode.h \
 		rdata.h rdataclass.h rdatalist.h rdataset.h rdatasetiter.h \
 		rdataslab.h rdatatype.h request.h resolver.h result.h \
 		rootns.h sdb.h secalg.h secproto.h soa.h ssu.h \
 		tcpmsg.h time.h tkey.h \
-		tsig.h ttl.h types.h validator.h view.h xfrin.h \
+		tsig.h ttl.h types.h validator.h version.h view.h xfrin.h \
 		zone.h zonekey.h zt.h
 
 GENHEADERS =	enumclass.h enumtype.h rdatastruct.h
diff --git a/lib/dns/include/dns/a6.h b/lib/dns/include/dns/a6.h
deleted file mode 100644
index 2ab1e746..00000000
--- a/lib/dns/include/dns/a6.h
+++ /dev/null
@@ -1,82 +0,0 @@
-/*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: a6.h,v 1.11.2.1 2004/03/09 06:11:12 marka Exp $ */
-
-#ifndef DNS_A6_H
-#define DNS_A6_H 1
-
-#include <isc/lang.h>
-#include <isc/stdtime.h>
-#include <isc/bitstring.h>
-#include <isc/net.h>
-
-#include <dns/types.h>
-
-typedef isc_result_t (*dns_findfunc_t)(void *arg, dns_name_t *name,
-				       dns_rdatatype_t type,
-				       isc_stdtime_t now,
-				       dns_rdataset_t *rdataset,
-				       dns_rdataset_t *sigrdataset);
-
-typedef void (*dns_rrsetfunc_t)(void *arg, dns_name_t *name,
-				dns_rdataset_t *rdataset,
-				dns_rdataset_t *sigrdataset);
-
-typedef void (*dns_in6addrfunc_t)(dns_a6context_t *a6ctx);
-
-typedef void (*dns_a6missingfunc_t)(dns_a6context_t *a6ctx, dns_name_t *name);
-
-struct dns_a6context {
-	unsigned int			magic;
-	/* Public. */
-	dns_findfunc_t			find;
-	dns_rrsetfunc_t			rrset;
-	dns_in6addrfunc_t		address;
-	dns_a6missingfunc_t		missing;
-	void *				arg;
-	unsigned int			chains;
-	unsigned int			depth;
-	isc_stdtime_t			now;
-	isc_stdtime_t			expiration;
-	unsigned int			prefixlen;
-	struct in6_addr			in6addr;
-	isc_bitstring_t			bitstring;
-};
-
-ISC_LANG_BEGINDECLS
-
-void
-dns_a6_init(dns_a6context_t *a6ctx, dns_findfunc_t find, dns_rrsetfunc_t rrset,
-	    dns_in6addrfunc_t address, dns_a6missingfunc_t missing, void *arg);
-
-void
-dns_a6_reset(dns_a6context_t *a6ctx);
-
-void
-dns_a6_invalidate(dns_a6context_t *a6ctx);
-
-void
-dns_a6_copy(dns_a6context_t *source, dns_a6context_t *target);
-
-isc_result_t
-dns_a6_foreach(dns_a6context_t *a6ctx, dns_rdataset_t *rdataset,
-	       isc_stdtime_t now);
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_A6_H */
diff --git a/lib/dns/include/dns/acl.h b/lib/dns/include/dns/acl.h
index 538f2bd2..bc723f43 100644
--- a/lib/dns/include/dns/acl.h
+++ b/lib/dns/include/dns/acl.h
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: acl.h,v 1.20.2.3 2006/03/02 00:37:17 marka Exp $ */
+/* $Id: acl.h,v 1.20.52.3 2004/03/08 09:04:34 marka Exp $ */
 
 #ifndef DNS_ACL_H
 #define DNS_ACL_H 1
@@ -104,7 +104,7 @@ dns_acl_create(isc_mem_t *mctx, int n, dns_acl_t **target);
  */
 
 isc_result_t
-dns_acl_appendelement(dns_acl_t *acl, const dns_aclelement_t *elt);
+dns_acl_appendelement(dns_acl_t *acl, dns_aclelement_t *elt);
 /*
  * Append an element to an existing ACL.
  */
@@ -128,13 +128,13 @@ void
 dns_acl_detach(dns_acl_t **aclp);
 
 isc_boolean_t
-dns_aclelement_equal(const dns_aclelement_t *ea, const dns_aclelement_t *eb);
+dns_aclelement_equal(dns_aclelement_t *ea, dns_aclelement_t *eb);
 
 isc_boolean_t
-dns_acl_equal(const dns_acl_t *a, const dns_acl_t *b);
+dns_acl_equal(dns_acl_t *a, dns_acl_t *b);
 
 isc_boolean_t
-dns_acl_isinsecure(const dns_acl_t *a);
+dns_acl_isinsecure(dns_acl_t *a);
 /*
  * Return ISC_TRUE iff the acl 'a' is considered insecure, that is,
  * if it contains IP addresses other than those of the local host.
@@ -154,12 +154,12 @@ void
 dns_aclenv_destroy(dns_aclenv_t *env);
 
 isc_result_t
-dns_acl_match(const isc_netaddr_t *reqaddr,
-	      const dns_name_t *reqsigner,
-	      const dns_acl_t *acl,
-	      const dns_aclenv_t *env,
+dns_acl_match(isc_netaddr_t *reqaddr,
+	      dns_name_t *reqsigner,
+	      dns_acl_t *acl,
+	      dns_aclenv_t *env,
 	      int *match,
-	      const dns_aclelement_t **matchelt);
+	      dns_aclelement_t **matchelt);
 /*
  * General, low-level ACL matching.  This is expected to
  * be useful even for weird stuff like the topology and sortlist statements.
@@ -185,11 +185,11 @@ dns_acl_match(const isc_netaddr_t *reqaddr,
  */
 
 isc_boolean_t
-dns_aclelement_match(const isc_netaddr_t *reqaddr,
-		     const dns_name_t *reqsigner,
-		     const dns_aclelement_t *e,
-		     const dns_aclenv_t *env,		     
-		     const dns_aclelement_t **matchelt);
+dns_aclelement_match(isc_netaddr_t *reqaddr,
+		     dns_name_t *reqsigner,
+		     dns_aclelement_t *e,
+		     dns_aclenv_t *env,		     
+		     dns_aclelement_t **matchelt);
 /*
  * Like dns_acl_match, but matches against the single ACL element 'e'
  * rather than a complete list and returns ISC_TRUE iff it matched.
@@ -199,6 +199,23 @@ dns_aclelement_match(const isc_netaddr_t *reqaddr,
  * returned through 'matchelt' is not necessarily 'e' itself.
  */
 
+isc_result_t
+dns_acl_elementmatch(dns_acl_t *acl,
+		     dns_aclelement_t *elt,
+		     dns_aclelement_t **matchelt);
+/*
+ * Search for an ACL element in 'acl' which is exactly the same as 'elt'.
+ * If there is one, and 'matchelt' is non NULL, then '*matchelt' will point
+ * to the entry.
+ *
+ * This function is intended to be used for avoiding duplicated ACL entries
+ * before adding an entry.
+ *
+ * Returns:
+ *	ISC_R_SUCCESS		Match succeeds.
+ *	ISC_R_NOTFOUND		Match fails.
+ */
+
 ISC_LANG_ENDDECLS
 
 #endif /* DNS_ACL_H */
diff --git a/lib/dns/include/dns/adb.h b/lib/dns/include/dns/adb.h
index 83458293..7a17eff0 100644
--- a/lib/dns/include/dns/adb.h
+++ b/lib/dns/include/dns/adb.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: adb.h,v 1.66.2.6 2004/03/09 06:11:13 marka Exp $ */
+/* $Id: adb.h,v 1.66.2.5.2.4 2004/03/06 08:13:50 marka Exp $ */
 
 #ifndef DNS_ADB_H
 #define DNS_ADB_H 1
@@ -47,9 +47,7 @@
  * sent instead.
  *
  * Records are stored internally until a timer expires. The timer is the
- * smaller of the TTL or signature validity period. For A6 records, the timer
- * is the smallest of all the TTL or signature validity periods in the A6
- * chain.
+ * smaller of the TTL or signature validity period.
  *
  * Lameness is stored per-zone, and this data hangs off each address field.
  * When an address is marked lame for a given zone the address will not
@@ -255,7 +253,7 @@ dns_adb_attach(dns_adb_t *adb, dns_adb_t **adbp);
  * Requires:
  *	'adb' to be a valid dns_adb_t, created via dns_adb_create().
  *	'adbp' to be a valid pointer to a *dns_adb_t which is initialized
- *		to NULL.
+ *	to NULL.
  */
 
 void
@@ -569,6 +567,30 @@ dns_adb_flush(dns_adb_t *adb);
  * 	adb is valid.
  */
 
+void
+dns_adb_setadbsize(dns_adb_t *adb, isc_uint32_t size);
+/*
+ * Set a target memory size.  If memory usage exceeds the target
+ * size entries will be removed before they would have expired on
+ * a random basis.
+ *
+ * If 'size' is 0 then memory usage is unlimited.
+ *
+ * Requires:
+ *	'adb' is valid.
+ */
+
+void
+dns_adb_flushname(dns_adb_t *adb, dns_name_t *name);
+/*
+ * Flush 'name' from the adb cache.
+ * 
+ * Requires:
+ *	'adb' is valid.
+ *	'name' is valid.
+ */
+
+
 ISC_LANG_ENDDECLS
 
 #endif /* DNS_ADB_H */
diff --git a/lib/dns/include/dns/bit.h b/lib/dns/include/dns/bit.h
index 72431a6b..e4a7d20a 100644
--- a/lib/dns/include/dns/bit.h
+++ b/lib/dns/include/dns/bit.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: bit.h,v 1.7.2.1 2004/03/09 06:11:13 marka Exp $ */
+/* $Id: bit.h,v 1.7.206.1 2004/03/06 08:13:51 marka Exp $ */
 
 #ifndef DNS_BIT_H
 #define DNS_BIT_H 1
diff --git a/lib/dns/include/dns/byaddr.h b/lib/dns/include/dns/byaddr.h
index 9bc39aa1..8f69cd9e 100644
--- a/lib/dns/include/dns/byaddr.h
+++ b/lib/dns/include/dns/byaddr.h
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
+ * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: byaddr.h,v 1.12.2.3 2004/03/09 06:11:13 marka Exp $ */
+/* $Id: byaddr.h,v 1.12.2.1.2.4 2004/03/08 09:04:34 marka Exp $ */
 
 #ifndef DNS_BYADDR_H
 #define DNS_BYADDR_H 1
@@ -68,8 +68,11 @@ typedef struct dns_byaddrevent {
 	dns_namelist_t			names;
 } dns_byaddrevent_t;
 
+/*
+ * This option is deprecated since we now only consider nibbles.
 #define DNS_BYADDROPT_IPV6NIBBLE	0x0001
-#define DNS_BYADDROPT_IPV6INT		0x0002	/* Use IP6.INT nibble lookups */
+ */
+#define DNS_BYADDROPT_IPV6INT		0x0002
 
 isc_result_t
 dns_byaddr_create(isc_mem_t *mctx, isc_netaddr_t *address, dns_view_t *view,
@@ -151,8 +154,9 @@ dns_byaddr_createptrname2(isc_netaddr_t *address, unsigned int options,
 /*
  * Creates a name that would be used in a PTR query for this address.  The
  * nibble flag indicates that the 'nibble' format is to be used if an IPv6
- * address is provided, instead of the 'bitstring' format.  'options' are
- * the same as for dns_byaddr_create().
+ * address is provided, instead of the 'bitstring' format.  Since we dropped
+ * the support of the bitstring labels, it is expected that the flag is always
+ * set.  'options' are the same as for dns_byaddr_create().
  *
  * Requires:
  * 
diff --git a/lib/dns/include/dns/cache.h b/lib/dns/include/dns/cache.h
index 66594553..79c53de8 100644
--- a/lib/dns/include/dns/cache.h
+++ b/lib/dns/include/dns/cache.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: cache.h,v 1.17.2.4 2006/05/26 04:01:57 marka Exp $ */
+/* $Id: cache.h,v 1.17.12.3 2004/03/08 09:04:34 marka Exp $ */
 
 #ifndef DNS_CACHE_H
 #define DNS_CACHE_H 1
@@ -151,7 +151,7 @@ dns_cache_attachdb(dns_cache_t *cache, dns_db_t **dbp);
 
 
 isc_result_t
-dns_cache_setfilename(dns_cache_t *cache, const char *filename);
+dns_cache_setfilename(dns_cache_t *cahce, char *filename);
 /*
  * If 'filename' is non-NULL, make the cache persistent.
  * The cache's data will be stored in the given file.
@@ -235,6 +235,21 @@ dns_cache_flush(dns_cache_t *cache);
  *	ISC_R_NOMEMORY
  */
 
+isc_result_t
+dns_cache_flushname(dns_cache_t *cache, dns_name_t *name);
+/*
+ * Flushes a given name from the cache.
+ *
+ * Requires:
+ *	'cache' to be valid.
+ *	'name' to be valid.
+ *
+ * Returns:
+ *	ISC_R_SUCCESS
+ *	ISC_R_NOMEMORY
+ *	other error returns.
+ */
+
 ISC_LANG_ENDDECLS
 
 #endif /* DNS_CACHE_H */
diff --git a/lib/dns/include/dns/callbacks.h b/lib/dns/include/dns/callbacks.h
index 927f6e2f..9c2710a5 100644
--- a/lib/dns/include/dns/callbacks.h
+++ b/lib/dns/include/dns/callbacks.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: callbacks.h,v 1.15.2.3 2004/03/09 06:11:14 marka Exp $ */
+/* $Id: callbacks.h,v 1.15.2.2.8.1 2004/03/06 08:13:51 marka Exp $ */
 
 #ifndef DNS_CALLBACKS_H
 #define DNS_CALLBACKS_H 1
diff --git a/lib/dns/include/dns/cert.h b/lib/dns/include/dns/cert.h
index c419599d..28a3d4c4 100644
--- a/lib/dns/include/dns/cert.h
+++ b/lib/dns/include/dns/cert.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: cert.h,v 1.12.2.1 2004/03/09 06:11:14 marka Exp $ */
+/* $Id: cert.h,v 1.12.206.1 2004/03/06 08:13:51 marka Exp $ */
 
 #ifndef DNS_CERT_H
 #define DNS_CERT_H 1
diff --git a/lib/dns/include/dns/compress.h b/lib/dns/include/dns/compress.h
index 529c02dc..0f6451cc 100644
--- a/lib/dns/include/dns/compress.h
+++ b/lib/dns/include/dns/compress.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: compress.h,v 1.29.2.5 2006/03/02 00:37:17 marka Exp $ */
+/* $Id: compress.h,v 1.29.2.2.8.1 2004/03/06 08:13:51 marka Exp $ */
 
 #ifndef DNS_COMPRESS_H
 #define DNS_COMPRESS_H 1
@@ -136,7 +136,7 @@ dns_compress_getedns(dns_compress_t *cctx);
  */
 
 isc_boolean_t
-dns_compress_findglobal(dns_compress_t *cctx, const dns_name_t *name,
+dns_compress_findglobal(dns_compress_t *cctx, dns_name_t *name,
 			dns_name_t *prefix, isc_uint16_t *offset);
 /*
  *	Finds longest possible match of 'name' in the global compression table.
@@ -155,8 +155,8 @@ dns_compress_findglobal(dns_compress_t *cctx, const dns_name_t *name,
  */
 
 void
-dns_compress_add(dns_compress_t *cctx, const dns_name_t *name,
-		 const dns_name_t *prefix, isc_uint16_t offset);
+dns_compress_add(dns_compress_t *cctx, dns_name_t *name, dns_name_t *prefix,
+		 isc_uint16_t offset);
 /*
  *	Add compression pointers for 'name' to the compression table,
  *	not replacing existing pointers.
diff --git a/lib/dns/include/dns/db.h b/lib/dns/include/dns/db.h
index 2ed6c8dd..8ae25b78 100644
--- a/lib/dns/include/dns/db.h
+++ b/lib/dns/include/dns/db.h
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: db.h,v 1.67.2.6 2007/03/06 02:10:58 tbox Exp $ */
+/* $Id: db.h,v 1.67.12.7 2004/03/08 09:04:35 marka Exp $ */
 
 #ifndef DNS_DB_H
 #define DNS_DB_H 1
@@ -187,6 +187,7 @@ struct dns_db {
 #define DNS_DBFIND_NOWILD		0x04
 #define DNS_DBFIND_PENDINGOK		0x08
 #define DNS_DBFIND_NOEXACT		0x10
+#define DNS_DBFIND_FORCENSEC		0x20
 
 /*
  * Options that can be specified for dns_db_addrdataset().
@@ -288,7 +289,7 @@ dns_db_ondestroy(dns_db_t *db, isc_task_t *task, isc_event_t **eventp);
  * Causes 'eventp' to be sent to be sent to 'task' when the database is
  * destroyed.
  *
- * Note; ownrship of the eventp is taken from the caller (and *eventp is
+ * Note; ownership of the eventp is taken from the caller (and *eventp is
  * set to NULL). The sender field of the event is set to 'db' before it is
  * sent to the task.
  */
@@ -641,6 +642,11 @@ dns_db_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
  *	If the DNS_DBFIND_NOWILD option is set, then wildcard matching will
  *	be disabled.  This option is only meaningful for zone databases.
  *
+ *	If the DNS_DBFIND_FORCENSEC option is set, the database is assumed to
+ *	have NSEC records, and these will be returned when appropriate.  This
+ *	is only necessary when querying a database that was not secure
+ *	when created.
+ *
  *	To respond to a query for SIG records, the caller should create a
  *	rdataset iterator and extract the signatures from each rdataset.
  *
@@ -684,6 +690,14 @@ dns_db_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
  *		ISC_R_SUCCESS			The desired node and type were
  *						found.
  *
+ *		DNS_R_WILDCARD			The desired node and type were
+ *						found after performing
+ *						wildcard matching.  This is
+ *						only returned if the
+ *						DNS_DBFIND_INDICATEWILD
+ *						option is set; otherwise
+ *						ISC_R_SUCCESS is returned.
+ *
  *		DNS_R_GLUE			The desired node and type were
  *						found, but are glue.  This
  *						result can only occur if
@@ -753,12 +767,15 @@ dns_db_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
  *						name, and 'rdataset' contains
  *						the negative caching proof.
  *
+ *		DNS_R_EMPTYNAME			The name exists but there is
+ *						no data at the name. 
+ *
  *	Error results:
  *
  *		ISC_R_NOMEMORY
  *
  *		DNS_R_BADDB			Data that is required to be
- *						present in the DB, e.g. an NXT
+ *						present in the DB, e.g. an NSEC
  *						record in a secure zone, is not
  *						present.
  *
@@ -825,7 +842,7 @@ dns_db_attachnode(dns_db_t *db, dns_dbnode_t *source, dns_dbnode_t **targetp);
  *
  *	'source' is a valid node.
  *
- *	'targetp' points to a NULL dns_dbnode_t *.
+ *	'targetp' points to a NULL dns_node_t *.
  *
  * Ensures:
  *
diff --git a/lib/dns/include/dns/dbiterator.h b/lib/dns/include/dns/dbiterator.h
index 613201f0..8b8cb1b3 100644
--- a/lib/dns/include/dns/dbiterator.h
+++ b/lib/dns/include/dns/dbiterator.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dbiterator.h,v 1.18.2.1 2004/03/09 06:11:14 marka Exp $ */
+/* $Id: dbiterator.h,v 1.18.206.1 2004/03/06 08:13:54 marka Exp $ */
 
 #ifndef DNS_DBITERATOR_H
 #define DNS_DBITERATOR_H 1
diff --git a/lib/dns/include/dns/dbtable.h b/lib/dns/include/dns/dbtable.h
index 6422398d..3874b46c 100644
--- a/lib/dns/include/dns/dbtable.h
+++ b/lib/dns/include/dns/dbtable.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dbtable.h,v 1.16.2.1 2004/03/09 06:11:15 marka Exp $ */
+/* $Id: dbtable.h,v 1.16.206.1 2004/03/06 08:13:55 marka Exp $ */
 
 #ifndef DNS_DBTABLE_H
 #define DNS_DBTABLE_H 1
diff --git a/lib/dns/include/dns/diff.h b/lib/dns/include/dns/diff.h
index 239ec661..604f702c 100644
--- a/lib/dns/include/dns/diff.h
+++ b/lib/dns/include/dns/diff.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: diff.h,v 1.4.2.1 2004/03/09 06:11:15 marka Exp $ */
+/* $Id: diff.h,v 1.4.12.3 2004/03/08 09:04:35 marka Exp $ */
 
 #ifndef DNS_DIFF_H
 #define DNS_DIFF_H 1
@@ -221,9 +221,14 @@ dns_diff_sort(dns_diff_t *diff, dns_diff_compare_func *compare);
 
 isc_result_t
 dns_diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver);
+isc_result_t
+dns_diff_applysilently(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver);
 /*
  * Apply 'diff' to the database 'db'.
  *
+ * dns_diff_apply() logs warnings about updates with no effect or
+ * with inconsistent TTLs; dns_diff_applysilently() does not.
+ *
  * For efficiency, the diff should be sorted by owner name.
  * If it is not sorted, operation will still be correct,
  * but less efficient.
diff --git a/lib/dns/include/dns/dispatch.h b/lib/dns/include/dns/dispatch.h
index 74b95f89..201a65a6 100644
--- a/lib/dns/include/dns/dispatch.h
+++ b/lib/dns/include/dns/dispatch.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dispatch.h,v 1.45.2.5 2007/06/26 23:45:22 tbox Exp $ */
+/* $Id: dispatch.h,v 1.45.2.2.4.2 2004/03/06 08:13:55 marka Exp $ */
 
 #ifndef DNS_DISPATCH_H
 #define DNS_DISPATCH_H 1
@@ -179,6 +179,28 @@ dns_dispatchmgr_getblackhole(dns_dispatchmgr_t *mgr);
  *	A pointer to the current blackhole list, or NULL.
  */
 
+void
+dns_dispatchmgr_setblackportlist(dns_dispatchmgr_t *mgr,
+                                 dns_portlist_t *portlist);
+/*
+ * Sets a list of UDP ports that won't be used when creating a udp
+ * dispatch with a wildcard port.
+ *
+ * Requires:
+ *	mgr is a valid dispatchmgr
+ *	portlist to be NULL or a valid port list.
+ */
+
+dns_portlist_t *
+dns_dispatchmgr_getblackportlist(dns_dispatchmgr_t *mgr);
+/*
+ * Return the current port list.
+ *
+ * Requires:
+ *	mgr is a valid dispatchmgr
+ */
+
+
 
 isc_result_t
 dns_dispatch_getudp(dns_dispatchmgr_t *mgr, isc_socketmgr_t *sockmgr,
@@ -415,13 +437,6 @@ dns_dispatch_importrecv(dns_dispatch_t *disp, isc_event_t *event);
  * 	event != NULL
  */
 
-void
-dns_dispatch_hash(void *data, size_t len);
-/*%<
- * Feed 'data' to the dispatch query id generator where 'len' is the size
- * of 'data'.
- */
-
 ISC_LANG_ENDDECLS
 
 #endif /* DNS_DISPATCH_H */
diff --git a/lib/dns/include/dns/dnssec.h b/lib/dns/include/dns/dnssec.h
index bb61a3e3..5f86178a 100644
--- a/lib/dns/include/dns/dnssec.h
+++ b/lib/dns/include/dns/dnssec.h
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec.h,v 1.21.2.1 2004/03/09 06:11:15 marka Exp $ */
+/* $Id: dnssec.h,v 1.21.12.5 2004/03/08 09:04:35 marka Exp $ */
 
 #ifndef DNS_DNSSEC_H
 #define DNS_DNSSEC_H 1
@@ -83,6 +83,11 @@ isc_result_t
 dns_dnssec_verify(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
 		  isc_boolean_t ignoretime, isc_mem_t *mctx,
 		  dns_rdata_t *sigrdata);
+
+isc_result_t
+dns_dnssec_verify2(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
+		   isc_boolean_t ignoretime, isc_mem_t *mctx,
+		   dns_rdata_t *sigrdata, dns_name_t *wild);
 /*
  *	Verifies the SIG record covering this rdataset signed by a specific
  *	key.  This does not determine if the key's owner is authorized to
@@ -95,10 +100,14 @@ dns_dnssec_verify(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
  *		'key' is a valid key
  *		'mctx' is not NULL
  *		'sigrdata' is a valid rdata containing a SIG record
+ *		'wild' if non-NULL then is a valid and has a buffer.
  *
  *	Returns:
  *		ISC_R_SUCCESS
  *		ISC_R_NOMEMORY
+ *		DNS_R_FROMWILDCARD - the signature is valid and is from
+ *			a wildcard expansion.  dns_dnssec_verify2() only.
+ *			'wild' contains the name of the wildcard if non-NULL.
  *		DNS_R_SIGINVALID - the signature fails to verify
  *		DNS_R_SIGEXPIRED - the signature has expired
  *		DNS_R_SIGFUTURE - the signature's validity period has not begun
@@ -113,6 +122,12 @@ dns_dnssec_findzonekeys(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node,
 			dns_name_t *name, isc_mem_t *mctx,
 			unsigned int maxkeys, dst_key_t **keys,
 			unsigned int *nkeys);
+isc_result_t
+dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver,
+			 dns_dbnode_t *node, dns_name_t *name,
+			 const char *directory, isc_mem_t *mctx,
+			 unsigned int maxkeys, dst_key_t **keys,
+			 unsigned int *nkeys);
 /*
  * 	Finds a set of zone keys.
  * 	XXX temporary - this should be handled in dns_zone_t.
@@ -141,7 +156,7 @@ dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg,
  *	Verifies a message signed by a SIG(0) record.  This is not
  *	called implicitly by dns_message_parse().  If dns_message_signer()
  *	is called before dns_dnssec_verifymessage(), it will return
- *	DNS_R_SIGNOTVERIFIEDYET.  dns_dnssec_verifymessage() will set
+ *	DNS_R_NOTVERIFIEDYET.  dns_dnssec_verifymessage() will set
  *	the verified_sig0 flag in msg if the verify succeeds, and
  *	the sig0status field otherwise.
  *
diff --git a/lib/dns/include/dns/ds.h b/lib/dns/include/dns/ds.h
new file mode 100644
index 00000000..979ac9f6
--- /dev/null
+++ b/lib/dns/include/dns/ds.h
@@ -0,0 +1,56 @@
+/*
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2002  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: ds.h,v 1.3.2.1 2004/03/08 02:08:00 marka Exp $ */
+
+#ifndef DNS_DS_H
+#define DNS_DS_H 1
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+#define DNS_DSDIGEST_SHA1 (1)
+
+/*
+ * Assuming SHA-1 digest type.
+ */
+#define DNS_DS_BUFFERSIZE (24)
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_ds_buildrdata(dns_name_t *owner, dns_rdata_t *key,
+		  unsigned int digest_type, unsigned char *buffer,
+		  dns_rdata_t *rdata);
+/*
+ * Build the rdata of a DS record.
+ *
+ * Requires:
+ *	key	Points to a valid DNS KEY record.
+ *	buffer	Points to a temporary buffer of at least
+ * 		DNS_DS_BUFFERSIZE bytes.
+ *	rdata	Points to an initialized dns_rdata_t.
+ *
+ * Ensures:
+ *      *rdata	Contains a valid DS rdata.  The 'data' member refers
+ *		to 'buffer'.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_DS_H */
diff --git a/lib/dns/include/dns/events.h b/lib/dns/include/dns/events.h
index 00cf590b..1e66139e 100644
--- a/lib/dns/include/dns/events.h
+++ b/lib/dns/include/dns/events.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: events.h,v 1.37.2.3 2004/03/09 06:11:15 marka Exp $ */
+/* $Id: events.h,v 1.37.2.1.4.4 2004/03/08 09:04:36 marka Exp $ */
 
 #ifndef DNS_EVENTS_H
 #define DNS_EVENTS_H 1
@@ -57,9 +57,10 @@
 #define DNS_EVENT_MASTERNEXTZONE		(ISC_EVENTCLASS_DNS + 28)
 #define DNS_EVENT_IOREADY			(ISC_EVENTCLASS_DNS + 29)
 #define DNS_EVENT_LOOKUPDONE			(ISC_EVENTCLASS_DNS + 30)
-#define DNS_EVENT_QUERYABORTED			(ISC_EVENTCLASS_DNS + 31)
+/* #define DNS_EVENT_unused			(ISC_EVENTCLASS_DNS + 31) */
 #define DNS_EVENT_DISPATCHCONTROL		(ISC_EVENTCLASS_DNS + 32)
 #define DNS_EVENT_REQUESTCONTROL		(ISC_EVENTCLASS_DNS + 33)
+#define DNS_EVENT_DUMPQUANTUM			(ISC_EVENTCLASS_DNS + 34)
 #define DNS_EVENT_IMPORTRECVDONE		(ISC_EVENTCLASS_DNS + 35)
 #define DNS_EVENT_FREESTORAGE			(ISC_EVENTCLASS_DNS + 36)
 
diff --git a/lib/dns/include/dns/fixedname.h b/lib/dns/include/dns/fixedname.h
index 20f676c0..3ee306fc 100644
--- a/lib/dns/include/dns/fixedname.h
+++ b/lib/dns/include/dns/fixedname.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: fixedname.h,v 1.12.2.1 2004/03/09 06:11:15 marka Exp $ */
+/* $Id: fixedname.h,v 1.12.206.1 2004/03/06 08:13:55 marka Exp $ */
 
 #ifndef DNS_FIXEDNAME_H
 #define DNS_FIXEDNAME_H 1
diff --git a/lib/dns/include/dns/forward.h b/lib/dns/include/dns/forward.h
index 025ec877..f1bf5abf 100644
--- a/lib/dns/include/dns/forward.h
+++ b/lib/dns/include/dns/forward.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: forward.h,v 1.2.2.3 2005/03/17 03:59:32 marka Exp $ */
+/* $Id: forward.h,v 1.2.206.1 2004/03/06 08:13:56 marka Exp $ */
 
 #ifndef DNS_FORWARD_H
 #define DNS_FORWARD_H 1
@@ -67,10 +67,6 @@ dns_fwdtable_add(dns_fwdtable_t *fwdtable, dns_name_t *name,
 isc_result_t
 dns_fwdtable_find(dns_fwdtable_t *fwdtable, dns_name_t *name,
 		  dns_forwarders_t **forwardersp);
-
-isc_result_t
-dns_fwdtable_find2(dns_fwdtable_t *fwdtable, dns_name_t *name,
-		   dns_name_t *foundname, dns_forwarders_t **forwardersp);
 /*
  * Finds a domain in the forwarding table.  The closest matching parent
  * domain is returned.
@@ -79,7 +75,6 @@ dns_fwdtable_find2(dns_fwdtable_t *fwdtable, dns_name_t *name,
  * 	fwdtable is a valid forwarding table.
  * 	name is a valid name
  * 	forwardersp != NULL && *forwardersp == NULL
- *	foundname to be NULL or a valid name with buffer.
  *
  * Returns:
  * 	ISC_R_SUCCESS
diff --git a/lib/dns/include/dns/journal.h b/lib/dns/include/dns/journal.h
index 41e7e0e5..fdf60940 100644
--- a/lib/dns/include/dns/journal.h
+++ b/lib/dns/include/dns/journal.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: journal.h,v 1.23.2.1 2004/03/09 06:11:16 marka Exp $ */
+/* $Id: journal.h,v 1.23.12.3 2004/03/08 09:04:36 marka Exp $ */
 
 #ifndef DNS_JOURNAL_H
 #define DNS_JOURNAL_H 1
@@ -257,6 +257,14 @@ dns_db_diff(isc_mem_t *mctx,
  * entry to the journal file specified by 'journal_filename'.
  */
 
+isc_result_t
+dns_journal_compact(isc_mem_t *mctx, char *filename, isc_uint32_t serial,
+                    isc_uint32_t target_size);
+/*
+ * Attempt to compact the journal if it is greater that 'target_size'.
+ * Changes from 'serial' onwards will be preserved.  If the journal
+ * exists and is non-empty 'serial' must exist in the journal.
+ */
 
 ISC_LANG_ENDDECLS
 
diff --git a/lib/dns/include/dns/keyflags.h b/lib/dns/include/dns/keyflags.h
index e32f44af..025b137e 100644
--- a/lib/dns/include/dns/keyflags.h
+++ b/lib/dns/include/dns/keyflags.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: keyflags.h,v 1.9.2.1 2004/03/09 06:11:16 marka Exp $ */
+/* $Id: keyflags.h,v 1.9.206.1 2004/03/06 08:13:56 marka Exp $ */
 
 #ifndef DNS_KEYFLAGS_H
 #define DNS_KEYFLAGS_H 1
diff --git a/lib/dns/include/dns/keytable.h b/lib/dns/include/dns/keytable.h
index 73578643..a07c0520 100644
--- a/lib/dns/include/dns/keytable.h
+++ b/lib/dns/include/dns/keytable.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: keytable.h,v 1.10.2.1 2004/03/09 06:11:16 marka Exp $ */
+/* $Id: keytable.h,v 1.10.206.1 2004/03/06 08:13:56 marka Exp $ */
 
 #ifndef DNS_KEYTABLE_H
 #define DNS_KEYTABLE_H 1
diff --git a/lib/dns/include/dns/keyvalues.h b/lib/dns/include/dns/keyvalues.h
index cb0ebccb..ef9e8210 100644
--- a/lib/dns/include/dns/keyvalues.h
+++ b/lib/dns/include/dns/keyvalues.h
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: keyvalues.h,v 1.11.2.1 2004/03/09 06:11:16 marka Exp $ */
+/* $Id: keyvalues.h,v 1.11.12.3 2004/03/06 08:13:56 marka Exp $ */
 
 #ifndef DNS_KEYVALUES_H
 #define DNS_KEYVALUES_H 1
@@ -31,7 +31,7 @@
 #define DNS_KEYTYPE_NOAUTH	DNS_KEYTYPE_CONFONLY
 #define DNS_KEYTYPE_NOCONF	DNS_KEYTYPE_AUTHONLY
 
-#define DNS_KEYFLAG_RESERVED2	0x2000	/* Security is *mandatory* if bit=0 */
+#define DNS_KEYFLAG_RESERVED2	0x2000	/* reserved - must be zero */
 #define DNS_KEYFLAG_EXTENDED	0x1000	/* key has extended flags */
 #define DNS_KEYFLAG_RESERVED4	0x0800	/* reserved - must be zero */
 #define DNS_KEYFLAG_RESERVED5	0x0400	/* reserved - must be zero */
@@ -53,6 +53,7 @@
 				  DNS_KEYFLAG_RESERVED9 | \
 				  DNS_KEYFLAG_RESERVED10 | \
 				  DNS_KEYFLAG_RESERVED11 )
+#define DNS_KEYFLAG_KSK		0x0001	/* key signing key */
 
 #define DNS_KEYFLAG_RESERVEDMASK2 0xFFFF	/* no bits defined here */
 
@@ -62,7 +63,10 @@
 #define DNS_KEYALG_DH		2       /* Diffie Hellman KEY */
 #define DNS_KEYALG_DSA		3       /* DSA KEY */
 #define DNS_KEYALG_DSS		NS_ALG_DSA
-#define DNS_KEYALG_EXPIREONLY	253     /* No alg, no security */
+#define DNS_KEYALG_ECC		4
+#define DNS_KEYALG_RSASHA1	5
+#define DNS_KEYALG_INDIRECT	252
+#define DNS_KEYALG_PRIVATEDNS	253
 #define DNS_KEYALG_PRIVATEOID	254     /* Key begins with OID giving alg */
 
 /* Protocol values  */
diff --git a/lib/dns/include/dns/lib.h b/lib/dns/include/dns/lib.h
index 6ac6391d..e53dd2b7 100644
--- a/lib/dns/include/dns/lib.h
+++ b/lib/dns/include/dns/lib.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lib.h,v 1.6.2.1 2004/03/09 06:11:16 marka Exp $ */
+/* $Id: lib.h,v 1.6.12.3 2004/03/08 09:04:36 marka Exp $ */
 
 #ifndef DNS_LIB_H
 #define DNS_LIB_H 1
@@ -25,7 +25,7 @@
 
 ISC_LANG_BEGINDECLS
 
-extern isc_msgcat_t *dns_msgcat;
+LIBDNS_EXTERNAL_DATA extern isc_msgcat_t *dns_msgcat;
 
 void
 dns_lib_initmsgcat(void);
diff --git a/lib/dns/include/dns/log.h b/lib/dns/include/dns/log.h
index b077dc24..9901fc9b 100644
--- a/lib/dns/include/dns/log.h
+++ b/lib/dns/include/dns/log.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: log.h,v 1.30.2.4 2004/03/09 06:11:16 marka Exp $ */
+/* $Id: log.h,v 1.30.2.1.10.2 2004/03/06 08:13:57 marka Exp $ */
 
 /* Principal Authors: DCL */
 
diff --git a/lib/dns/include/dns/lookup.h b/lib/dns/include/dns/lookup.h
index 9b707235..2be254c7 100644
--- a/lib/dns/include/dns/lookup.h
+++ b/lib/dns/include/dns/lookup.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lookup.h,v 1.5.2.1 2004/03/09 06:11:17 marka Exp $ */
+/* $Id: lookup.h,v 1.5.206.1 2004/03/06 08:13:57 marka Exp $ */
 
 #ifndef DNS_LOOKUP_H
 #define DNS_LOOKUP_H 1
diff --git a/lib/dns/include/dns/master.h b/lib/dns/include/dns/master.h
index ec342d3c..0b861c67 100644
--- a/lib/dns/include/dns/master.h
+++ b/lib/dns/include/dns/master.h
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
+ * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: master.h,v 1.31.2.4 2004/03/09 06:11:17 marka Exp $ */
+/* $Id: master.h,v 1.31.2.3.2.7 2004/03/08 09:04:36 marka Exp $ */
 
 #ifndef DNS_MASTER_H
 #define DNS_MASTER_H 1
@@ -37,7 +37,14 @@
 #define DNS_MASTER_MANYERRORS 	0x00000002	/* Continue processing on errors. */
 #define DNS_MASTER_NOINCLUDE 	0x00000004	/* Disallow $INCLUDE directives. */
 #define DNS_MASTER_ZONE 	0x00000008	/* Loading a zone master file. */
-#define DNS_MASTER_SLAVE	0x00000020	/* Loading a slave master file. */
+#define DNS_MASTER_HINT 	0x00000010	/* Loading a hint master file. */
+#define DNS_MASTER_SLAVE 	0x00000020	/* Loading a slave master file. */
+#define DNS_MASTER_CHECKNS 	0x00000040	/* Check NS records to see if
+						 * they are an address */
+#define DNS_MASTER_FATALNS 	0x00000080	/* Treat DNS_MASTER_CHECKNS
+						 * matches as fatal */
+#define DNS_MASTER_CHECKNAMES   0x00000100
+#define DNS_MASTER_CHECKNAMESFAIL 0x00000200
 
 ISC_LANG_BEGINDECLS
 
@@ -73,6 +80,15 @@ dns_master_loadbuffer(isc_buffer_t *buffer,
 		      isc_mem_t *mctx);
 
 isc_result_t
+dns_master_loadlexer(isc_lex_t *lex,
+		     dns_name_t *top,
+		     dns_name_t *origin,
+		     dns_rdataclass_t zclass,
+		     unsigned int options,
+		     dns_rdatacallbacks_t *callbacks,
+		     isc_mem_t *mctx);
+
+isc_result_t
 dns_master_loadfileinc(const char *master_file,
 		       dns_name_t *top,
 		       dns_name_t *origin,
@@ -105,12 +121,23 @@ dns_master_loadbufferinc(isc_buffer_t *buffer,
 			 dns_loaddonefunc_t done, void *done_arg,
 			 dns_loadctx_t **ctxp, isc_mem_t *mctx);
 
+isc_result_t
+dns_master_loadlexerinc(isc_lex_t *lex,
+			dns_name_t *top,
+			dns_name_t *origin,
+			dns_rdataclass_t zclass,
+			unsigned int options,
+			dns_rdatacallbacks_t *callbacks,
+			isc_task_t *task,
+			dns_loaddonefunc_t done, void *done_arg,
+			dns_loadctx_t **ctxp, isc_mem_t *mctx);
+
 /*
- * Loads a RFC 1305 master file from a file, stream, or buffer into rdatasets
- * and then calls 'callbacks->commit' to commit the rdatasets.  Rdata memory
- * belongs to dns_master_load and will be reused / released when the callback
- * completes.  dns_load_master will abort if callbacks->commit returns
- * any value other than ISC_R_SUCCESS.
+ * Loads a RFC 1305 master file from a file, stream, buffer, or existing
+ * lexer into rdatasets and then calls 'callbacks->commit' to commit the
+ * rdatasets.  Rdata memory belongs to dns_master_load and will be
+ * reused / released when the callback completes.  dns_load_master will
+ * abort if callbacks->commit returns any value other than ISC_R_SUCCESS.
  *
  * If 'DNS_MASTER_AGETTL' is set and the master file contains one or more
  * $DATE directives, the TTLs of the data will be aged accordingly.
@@ -124,6 +151,7 @@ dns_master_loadbufferinc(isc_buffer_t *buffer,
  *
  * Requires:
  *	'master_file' points to a valid string.
+ *	'lexer' points to a valid lexer.
  *	'top' points to a valid name.
  *	'origin' points to a valid name.
  *	'callbacks->commit' points to a valid function.
diff --git a/lib/dns/include/dns/masterdump.h b/lib/dns/include/dns/masterdump.h
index 72317785..50589454 100644
--- a/lib/dns/include/dns/masterdump.h
+++ b/lib/dns/include/dns/masterdump.h
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: masterdump.h,v 1.22.2.5 2006/03/02 00:37:17 marka Exp $ */
+/* $Id: masterdump.h,v 1.22.12.8 2004/03/19 05:00:49 marka Exp $ */
 
 #ifndef DNS_MASTERDUMP_H
 #define DNS_MASTERDUMP_H 1
@@ -34,14 +34,66 @@
  *** Types
  ***/
 
+typedef struct dns_master_style dns_master_style_t;
+
+/***
+ *** Definitions
+ ***/
+
 /*
- * Style options for masterfile dumps.  This struct is currently
- * opaque, so applications cannot define their own style but have
- * to choose a predefined style.  A more flexible interface may
- * be exported in the future.
+ * Flags affecting master file formatting.  Flags 0x0000FFFF
+ * define the formatting of the rdata part and are defined in
+ * rdata.h.
  */
 
-typedef struct dns_master_style dns_master_style_t;
+/* Omit the owner name when possible. */
+#define	DNS_STYLEFLAG_OMIT_OWNER        0x00010000U
+
+/*
+ * Omit the TTL when possible.  If DNS_STYLEFLAG_TTL is
+ * also set, this means no TTLs are ever printed
+ * because $TTL directives are generated before every
+ * change in the TTL.  In this case, no columns need to
+ * be reserved for the TTL.  Master files generated with
+ * these options will be rejected by BIND 4.x because it
+ * does not recognize the $TTL directive.
+ *
+ * If DNS_STYLEFLAG_TTL is not also set, the TTL will be
+ * omitted when it is equal to the previous TTL.
+ * This is correct according to RFC1035, but the
+ * TTLs may be silently misinterpreted by older
+ * versions of BIND which use the SOA MINTTL as a
+ * default TTL value.
+ */
+#define	DNS_STYLEFLAG_OMIT_TTL		0x00020000U
+
+/* Omit the class when possible. */
+#define	DNS_STYLEFLAG_OMIT_CLASS	0x00040000U
+
+/* Output $TTL directives. */
+#define	DNS_STYLEFLAG_TTL		0x00080000U
+
+/*
+ * Output $ORIGIN directives and print owner names relative to
+ * the origin when possible.
+ */
+#define	DNS_STYLEFLAG_REL_OWNER		0x00100000U
+
+/* Print domain names in RR data in relative form when possible.
+   For this to take effect, DNS_STYLEFLAG_REL_OWNER must also be set. */
+#define	DNS_STYLEFLAG_REL_DATA		0x00200000U
+
+/* Print the trust level of each rdataset. */
+#define	DNS_STYLEFLAG_TRUST		0x00400000U
+
+/* Print negative caching entries. */
+#define	DNS_STYLEFLAG_NCACHE		0x00800000U
+
+/* Never print the TTL */
+#define	DNS_STYLEFLAG_NO_TTL		0x01000000U
+                    
+/* Never print the CLASS */
+#define	DNS_STYLEFLAG_NO_CLASS		0x02000000U 
 
 ISC_LANG_BEGINDECLS
 
@@ -59,18 +111,24 @@ ISC_LANG_BEGINDECLS
 LIBDNS_EXTERNAL_DATA extern const dns_master_style_t dns_master_style_default;
 
 /*
+ * A master file style that dumps zones to a very generic format easily
+ * imported/checked with external tools.
+ */
+LIBDNS_EXTERNAL_DATA extern const dns_master_style_t dns_master_style_full;
+
+/*
  * A master file style that prints explicit TTL values on each 
  * record line, never using $TTL statements.  The TTL has a tab 
  * stop of its own, but the class and type share one.
  */
 LIBDNS_EXTERNAL_DATA extern const dns_master_style_t
-					dns_master_style_explicitttl;
+				  dns_master_style_explicitttl;
 
 /*
  * A master style format designed for cache files.  It prints explicit TTL
  * values on each record line and never uses $ORIGIN or relative names.
  */
-extern const dns_master_style_t dns_master_style_cache;
+LIBDNS_EXTERNAL_DATA extern const dns_master_style_t dns_master_style_cache;
 
 /*
  * A master style that prints name, ttl, class, type, and value on 
@@ -78,7 +136,7 @@ extern const dns_master_style_t dns_master_style_cache;
  * Intended for generating master files which can be easily parsed 
  * by perl scripts and similar applications.
  */
-extern const dns_master_style_t dns_master_style_simple;
+LIBDNS_EXTERNAL_DATA extern const dns_master_style_t dns_master_style_simple;
 
 /*
  * The style used for debugging, "dig" output, etc.
@@ -89,6 +147,63 @@ LIBDNS_EXTERNAL_DATA extern const dns_master_style_t dns_master_style_debug;
  ***	Functions
  ***/
 
+void
+dns_dumpctx_attach(dns_dumpctx_t *source, dns_dumpctx_t **target);
+/*
+ * Attach to a dump context.
+ *
+ * Require:
+ *	'source' to be valid.
+ *	'target' to be non NULL and '*target' to be NULL.
+ */
+
+void
+dns_dumpctx_detach(dns_dumpctx_t **dctxp);
+/*
+ * Detach from a dump context.
+ *
+ * Require:
+ *	'dctxp' to point to a valid dump context.
+ *
+ * Ensures:
+ *	'*dctxp' is NULL.
+ */
+
+void
+dns_dumpctx_cancel(dns_dumpctx_t *dctx);
+/*
+ * Cancel a in progress dump.
+ *
+ * Require:
+ *	'dctx' to be valid.
+ */
+
+dns_dbversion_t *
+dns_dumpctx_version(dns_dumpctx_t *dctx);
+/*
+ * Return the version handle (if any) of the database being dumped.
+ *
+ * Require:
+ *	'dctx' to be valid.
+ */
+
+dns_db_t *
+dns_dumpctx_db(dns_dumpctx_t *dctx);
+/*
+ * Return the database being dumped.
+ *
+ * Require:
+ *	'dctx' to be valid.
+ */
+
+
+isc_result_t
+dns_master_dumptostreaminc(isc_mem_t *mctx, dns_db_t *db,
+			   dns_dbversion_t *version,
+			   const dns_master_style_t *style, FILE *f,
+			   isc_task_t *task, dns_dumpdonefunc_t done,
+			   void *done_arg, dns_dumpctx_t **dctxp);
+
 isc_result_t
 dns_master_dumptostream(isc_mem_t *mctx, dns_db_t *db,
 			dns_dbversion_t *version,
@@ -100,14 +215,26 @@ dns_master_dumptostream(isc_mem_t *mctx, dns_db_t *db,
  *
  * Temporary dynamic memory may be allocated from 'mctx'.
  *
+ * Require:
+ *	'task' to be valid.
+ *	'done' to be non NULL.
+ *	'dctxp' to be non NULL && '*dctxp' to be NULL.
+ * 
  * Returns:
  *	ISC_R_SUCCESS
+ *	DNS_R_CONTINUE	dns_master_dumptostreaminc() only.
  *	ISC_R_NOMEMORY
  * 	Any database or rrset iterator error.
  *	Any dns_rdata_totext() error code.
  */
 
 isc_result_t
+dns_master_dumpinc(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
+		   const dns_master_style_t *style, const char *filename,
+		   isc_task_t *task, dns_dumpdonefunc_t done, void *done_arg,
+		   dns_dumpctx_t **dctxp);
+
+isc_result_t
 dns_master_dump(isc_mem_t *mctx, dns_db_t *db,
 		dns_dbversion_t *version,
 		const dns_master_style_t *style, const char *filename);
@@ -120,6 +247,7 @@ dns_master_dump(isc_mem_t *mctx, dns_db_t *db,
  *
  * Returns:
  *	ISC_R_SUCCESS
+ *	DNS_R_CONTINUE	dns_master_dumpinc() only.
  *	ISC_R_NOMEMORY
  * 	Any database or rrset iterator error.
  *	Any dns_rdata_totext() error code.
@@ -147,22 +275,6 @@ dns_master_questiontotext(dns_name_t *owner_name,
 			  dns_rdataset_t *rdataset,
 			  const dns_master_style_t *style,
 			  isc_buffer_t *target);
-/*
- * Print a text representation of 'rdataset', a pseudo-rdataset
- * representing a questino.
- *
- * Requires:
- *	'rdataset' is a valid question rdataset.
- *
- *	'rdataset' is not empty.
- */
-
-isc_result_t
-dns_rdataset_towire(dns_rdataset_t *rdataset,
-		    const dns_name_t *owner_name,
-		    dns_compress_t *cctx,
-		    isc_buffer_t *target,
-		    unsigned int *countp);
 
 isc_result_t
 dns_master_dumpnodetostream(isc_mem_t *mctx, dns_db_t *db,
@@ -176,6 +288,16 @@ dns_master_dumpnode(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
 		    dns_dbnode_t *node, dns_name_t *name,
 		    const dns_master_style_t *style, const char *filename);
 
+isc_result_t
+dns_master_stylecreate(dns_master_style_t **style, unsigned int flags,
+		       unsigned int ttl_column, unsigned int class_column,
+		       unsigned int type_column, unsigned int rdata_column,
+		       unsigned int line_length, unsigned int tab_width,
+		       isc_mem_t *mctx);
+
+void
+dns_master_styledestroy(dns_master_style_t **style, isc_mem_t *mctx);
+
 ISC_LANG_ENDDECLS
 
 #endif /* DNS_MASTERDUMP_H */
diff --git a/lib/dns/include/dns/message.h b/lib/dns/include/dns/message.h
index b49db0c5..c8273221 100644
--- a/lib/dns/include/dns/message.h
+++ b/lib/dns/include/dns/message.h
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: message.h,v 1.100.2.7 2006/03/01 01:34:05 marka Exp $ */
+/* $Id: message.h,v 1.100.2.3.8.7 2004/03/08 02:08:00 marka Exp $ */
 
 #ifndef DNS_MESSAGE_H
 #define DNS_MESSAGE_H 1
@@ -99,7 +99,7 @@
 
 #define DNS_MESSAGEEXTFLAG_DO		0x8000U
 
-#define DNS_MESSAGE_REPLYPRESERVE	(DNS_MESSAGEFLAG_RD)
+#define DNS_MESSAGE_REPLYPRESERVE	(DNS_MESSAGEFLAG_RD|DNS_MESSAGEFLAG_CD)
 #define DNS_MESSAGEEXTFLAG_REPLYPRESERVE (DNS_MESSAGEEXTFLAG_DO)
 
 #define DNS_MESSAGE_HEADERLEN		12 /* 6 isc_uint16_t's */
@@ -161,6 +161,11 @@ typedef int dns_messagetextflag_t;
  */
 #define DNS_MESSAGERENDER_ORDERED	0x0001	/* don't change order */
 #define DNS_MESSAGERENDER_PARTIAL	0x0002	/* allow a partial rdataset */
+#define DNS_MESSAGERENDER_OMITDNSSEC	0x0004	/* omit DNSSEC records */
+#define DNS_MESSAGERENDER_PREFER_A	0x0008	/* prefer A records in
+						 * additional section. */
+#define DNS_MESSAGERENDER_PREFER_AAAA	0x0010	/* prefer AAAA records in
+						 * additional section. */
 
 typedef struct dns_msgblock dns_msgblock_t;
 
@@ -217,21 +222,21 @@ struct dns_message {
 
 	dns_rcode_t			tsigstatus;
 	dns_rcode_t			querytsigstatus;
-	dns_name_t		       *tsigname;
+	dns_name_t		       *tsigname; /* Owner name of TSIG, if any */
 	dns_rdataset_t		       *querytsig;
 	dns_tsigkey_t		       *tsigkey;
 	dst_context_t		       *tsigctx;
 	int				sigstart;
 	int				timeadjust;
 
-	dns_name_t		       *sig0name;
+	dns_name_t		       *sig0name; /* Owner name of SIG0, if any */
 	dst_key_t		       *sig0key;
 	dns_rcode_t			sig0status;
 	isc_region_t			query;
 	isc_region_t			saved;
 
 	dns_rdatasetorderfunc_t		order;
-	const void *			order_arg;
+	void *				order_arg;
 };
 
 /***
@@ -623,7 +628,7 @@ dns_message_nextname(dns_message_t *msg, dns_section_t section);
  *
  * Returns:
  *	ISC_R_SUCCESS		-- All is well.
- *	ISC_R_NOMORE		-- No names in given section.
+ *	ISC_R_NOMORE		-- No more names in given section.
  */
 
 void
@@ -675,7 +680,7 @@ dns_message_findname(dns_message_t *msg, dns_section_t section,
  *
  *	'type' be a valid type.
  *
- *	If 'type' is dns_rdatatype_sig, 'covers' must be a valid type.
+ *	If 'type' is dns_rdatatype_rrsig, 'covers' must be a valid type.
  *	Otherwise it should be 0.
  *
  * Returns:
@@ -697,7 +702,7 @@ dns_message_findtype(dns_name_t *name, dns_rdatatype_t type,
  *
  *	'type' be a valid type, and NOT dns_rdatatype_any.
  *
- *	If 'type' is dns_rdatatype_sig, 'covers' must be a valid type.
+ *	If 'type' is dns_rdatatype_rrsig, 'covers' must be a valid type.
  *	Otherwise it should be 0.
  *
  * Returns:
@@ -705,27 +710,6 @@ dns_message_findtype(dns_name_t *name, dns_rdatatype_t type,
  *	ISC_R_NOTFOUND		-- the desired type does not exist.
  */
 
-isc_result_t
-dns_message_find(dns_name_t *name, dns_rdataclass_t rdclass,
-		 dns_rdatatype_t type, dns_rdatatype_t covers,
-		 dns_rdataset_t **rdataset);
-/*%<
- * Search the name for the specified rdclass and type.  If it is found,
- * *rdataset is filled in with a pointer to that rdataset.
- *
- * Requires:
- *\li	if '**rdataset' is non-NULL, *rdataset needs to be NULL.
- *
- *\li	'type' be a valid type, and NOT dns_rdatatype_any.
- *
- *\li	If 'type' is dns_rdatatype_rrsig, 'covers' must be a valid type.
- *	Otherwise it should be 0.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS		-- all is well.
- *\li	#ISC_R_NOTFOUND		-- the desired type does not exist.
- */
-
 void
 dns_message_movename(dns_message_t *msg, dns_name_t *name,
 		     dns_section_t fromsection,
@@ -757,7 +741,7 @@ dns_message_addname(dns_message_t *msg, dns_name_t *name,
  *
  *	'msg' be valid, and be a renderable message.
  *
- *	'name' be a valid name.
+ *	'name' be a valid absolute name.
  *
  *	'section' be a named section.
  */
@@ -995,9 +979,8 @@ dns_message_setopt(dns_message_t *msg, dns_rdataset_t *opt);
  *
  * Requires:
  *
- *	'msg' is a valid message with rendering intent,
- *	dns_message_renderbegin() has been called, and no sections have been
- *	rendered.
+ *	'msg' is a valid message with rendering intent
+ *	and no sections have been rendered.
  *
  *	'opt' is a valid OPT record.
  *
@@ -1207,7 +1190,7 @@ dns_message_signer(dns_message_t *msg, dns_name_t *signer);
  *	DNS_R_SIGINVALID	- the message was signed by a SIG(0), but
  *				  the signature failed to verify
  *
- *	DNS_R_SIGNOTVERIFIEDYET	- the message was signed by a TSIG or SIG(0),
+ *	DNS_R_NOTVERIFIEDYET	- the message was signed by a TSIG or SIG(0),
  *				  but the signature has not been verified yet
  */
 
@@ -1231,6 +1214,36 @@ dns_message_checksig(dns_message_t *msg, dns_view_t *view);
  *	DNS_R_TSIGVERIFYFAILURE - The TSIG failed to verify
  */
 
+isc_result_t
+dns_message_rechecksig(dns_message_t *msg, dns_view_t *view);
+/*
+ * Reset the signature state and then if the message was signed,
+ * verify the message.
+ *
+ * Requires:
+ *
+ *	msg is a valid parsed message.
+ *	view is a valid view or NULL
+ *
+ * Returns:
+ *
+ *	ISC_R_SUCCESS		- the message was unsigned, or the message
+ *				  was signed correctly.
+ *
+ *	DNS_R_EXPECTEDTSIG	- A TSIG was expected, but not seen
+ *	DNS_R_UNEXPECTEDTSIG	- A TSIG was seen but not expected
+ *	DNS_R_TSIGVERIFYFAILURE - The TSIG failed to verify
+ */
+
+void
+dns_message_resetsig(dns_message_t *msg);
+/*
+ * Reset the signature state.
+ *
+ * Requires:
+ *	'msg' is a valid parsed message.
+ */
+
 isc_region_t *
 dns_message_getrawmessage(dns_message_t *msg);
 /*
@@ -1247,7 +1260,7 @@ dns_message_getrawmessage(dns_message_t *msg);
 
 void
 dns_message_setsortorder(dns_message_t *msg, dns_rdatasetorderfunc_t order,
-			 const void *order_arg);
+			 void *order_arg);
 /*
  * Define the order in which RR sets get rendered by
  * dns_message_rendersection() to be the ascending order
diff --git a/lib/dns/include/dns/name.h b/lib/dns/include/dns/name.h
index 8507a5b4..8e5a25c0 100644
--- a/lib/dns/include/dns/name.h
+++ b/lib/dns/include/dns/name.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: name.h,v 1.95.2.11 2006/03/02 00:37:17 marka Exp $ */
+/* $Id: name.h,v 1.95.2.3.2.8 2004/03/16 12:57:17 marka Exp $ */
 
 #ifndef DNS_NAME_H
 #define DNS_NAME_H 1
@@ -87,86 +87,16 @@ ISC_LANG_BEGINDECLS
  ***** Labels
  *****
  ***** A 'label' is basically a region.  It contains one DNS wire format
- ***** label of either type 00 (ordinary) or type 01000001 (bitstring).
+ ***** label of type 00 (ordinary).
  *****/
 
-/***
- *** Extended Label Types
- ***/
-
-#define DNS_LABELTYPE_BITSTRING		0x41
-
-/***
- *** Properties
- ***/
-
-dns_labeltype_t
-dns_label_type(dns_label_t *label);
-/*
- * Get the type of 'label'.
- *
- * Requires:
- *	'label' is a valid label (i.e. not NULL, points to a
- *	struct dns_label)
- *	'label' is a type 00 or type 01000001 label (i.e. not compressed).
- *
- * Returns:
- *	dns_labeltype_ordinary		type 00 label
- *	dns_labeltype_bitstring		type 01000001 label
- */
-
-/***
- *** Bitstring Labels
- ***/
-
-unsigned int
-dns_label_countbits(dns_label_t *label);
-/*
- * The number of bits in a bitstring label.
- *
- * Requires:
- *	'label' is a valid label
- *
- *	dns_label_type(label) == dns_labeltype_bitstring
- *
- * Ensures:
- *	Result is <= 256.
- *
- * Returns:
- *	The number of bits in the bitstring label.
- */
-
-dns_bitlabel_t
-dns_label_getbit(dns_label_t *label, unsigned int n);
-/*
- * The 'n'th most significant bit of 'label'.
- *
- * Notes:
- *	Numbering starts at 0.
- *
- * Require:
- *	n < dns_label_countbits(label)
- *
- * Returns:
- *	dns_bitlabel_0		The bit was 0.
- *	dns_bitlabel_1		The bit was 1.
- */
-
-/***
- *** Note
- ***
- *** Some provision still needs to be made for splitting bitstring labels.
- ***/
-
-
-
 /*****
  ***** Names
  *****
  ***** A 'name' is a handle to a binary region.  It contains a sequence of one
- ***** or more DNS wire format labels of either type 00 (ordinary) or type
- ***** 01000001 (bitstring).  Note that all names are not required to end
- ***** with the root label, as they are in the actual DNS wire protocol.
+ ***** or more DNS wire format labels of type 00 (ordinary).
+ ***** Note that all names are not required to end with the root label,
+ ***** as they are in the actual DNS wire protocol.
  *****/
 
 /***
@@ -210,9 +140,15 @@ struct dns_name {
 #define DNS_NAMEATTR_NCACHE		0x0400		/* Used by resolver. */
 #define DNS_NAMEATTR_CHAINING		0x0800		/* Used by resolver. */
 #define DNS_NAMEATTR_CHASE		0x1000		/* Used by resolver. */
+#define DNS_NAMEATTR_WILDCARD		0x2000		/* Used by server. */
+
+#define DNS_NAME_DOWNCASE		0x0001
+#define DNS_NAME_CHECKNAMES		0x0002		/* Used by rdata. */
+#define DNS_NAME_CHECKNAMESFAIL		0x0004		/* Used by rdata. */
+#define DNS_NAME_CHECKREVERSE		0x0008		/* Used by rdata. */
 
 LIBDNS_EXTERNAL_DATA extern dns_name_t *dns_rootname;
-extern dns_name_t *dns_wildcardname;
+LIBDNS_EXTERNAL_DATA extern dns_name_t *dns_wildcardname;
 
 /*
  * Standard size of a wire format name
@@ -360,25 +296,26 @@ dns_name_iswildcard(const dns_name_t *name);
  *	FALSE		The least significant label of 'name' is not '*'.
  */
 
-isc_boolean_t
-dns_name_requiresedns(const dns_name_t *name);
+unsigned int
+dns_name_hash(dns_name_t *name, isc_boolean_t case_sensitive);
 /*
- * Does 'name' require EDNS for transmission?
+ * Provide a hash value for 'name'.
+ *
+ * Note: if 'case_sensitive' is ISC_FALSE, then names which differ only in
+ * case will have the same hash value.
  *
  * Requires:
  *	'name' is a valid name
  *
- *	dns_name_countlabels(name) > 0
- *
  * Returns:
- *	TRUE		The name requires EDNS to be transmitted.
- *	FALSE		The name does not require EDNS to be transmitted.
+ *	A hash value
  */
 
 unsigned int
-dns_name_hash(dns_name_t *name, isc_boolean_t case_sensitive);
+dns_fullname_hash(dns_name_t *name, isc_boolean_t case_sensitive);
 /*
- * Provide a hash value for 'name'.
+ * Provide a hash value for 'name'.  Unlike dns_name_hash(), this function
+ * always takes into account of the entire name to calculate the hash value.
  *
  * Note: if 'case_sensitive' is ISC_FALSE, then names which differ only in
  * case will have the same hash value.
@@ -391,10 +328,10 @@ dns_name_hash(dns_name_t *name, isc_boolean_t case_sensitive);
  */
 
 unsigned int
-dns_name_fullhash(dns_name_t *name, isc_boolean_t case_sensitive);
+dns_name_hashbylabel(dns_name_t *name, isc_boolean_t case_sensitive);
 /*
- * Provide a hash value for 'name'.  Unlike dns_name_hash(), this function
- * always takes into account of the entire name to calculate the hash value.
+ * Provide a hash value for 'name', where the hash value is the sum
+ * of the hash values of each label.
  *
  * Note: if 'case_sensitive' is ISC_FALSE, then names which differ only in
  * case will have the same hash value.
@@ -412,8 +349,7 @@ dns_name_fullhash(dns_name_t *name, isc_boolean_t case_sensitive);
 
 dns_namereln_t
 dns_name_fullcompare(const dns_name_t *name1, const dns_name_t *name2,
-		     int *orderp,
-		     unsigned int *nlabelsp, unsigned int *nbitsp);
+		     int *orderp, unsigned int *nlabelsp);
 /*
  * Determine the relative ordering under the DNSSEC order relation of
  * 'name1' and 'name2', and also determine the hierarchical
@@ -433,7 +369,7 @@ dns_name_fullcompare(const dns_name_t *name1, const dns_name_t *name2,
  *
  *	dns_name_countlabels(name2) > 0
  *
- *	orderp, nlabelsp, and nbitsp are valid pointers.
+ *	orderp and nlabelsp are valid pointers.
  *
  *	Either name1 is absolute and name2 is absolute, or neither is.
  *
@@ -444,10 +380,6 @@ dns_name_fullcompare(const dns_name_t *name1, const dns_name_t *name2,
  *
  *	*nlabelsp is the number of common significant labels.
  *
- *	If *nbitsp is non-zero, then the least-signficant of the
- *	common significant labels is a bitstring label, and the
- *	two names have *nbitsp significant bits in common.
- *
  * Returns:
  *	dns_namereln_none		There's no hierarchical relationship
  *					between name1 and name2.
@@ -591,26 +523,6 @@ dns_name_matcheswildcard(const dns_name_t *name, const dns_name_t *wname);
  *	FALSE		'name' does not match the wildcard specified in 'wname'
  */
 
-unsigned int
-dns_name_depth(const dns_name_t *name);
-/*
- * The depth of 'name'.
- *
- * Notes:
- *	The "depth" of a name represents how far down the DNS tree of trees
- *	the name is.  For each wire-encoding label in name, the depth is
- *	increased by 1 for an ordinary label, and by the number of bits in
- *	a bitstring label.
- *
- *	Depth is used when creating or validating DNSSEC signatures.
- *
- * Requires:
- *	'name' is a valid name
- *
- * Returns:
- *	The depth of 'name'.
- */
-
 /***
  *** Labels
  ***/
@@ -621,9 +533,7 @@ dns_name_countlabels(const dns_name_t *name);
  * How many labels does 'name' have?
  *
  * Notes:
- *	In this case, as in other places, a 'label' is an ordinary label
- *	or a bitstring label.  The term is not meant to refer to individual
- *	bit labels.  For that purpose, use dns_name_depth().
+ *	In this case, as in other places, a 'label' is an ordinary label.
  *
  * Requires:
  *	'name' is a valid name
@@ -650,7 +560,7 @@ dns_name_getlabel(const dns_name_t *name, unsigned int n, dns_label_t *label);
  *	be changed while 'label' is still in use.
  *
  * Requires:
- *	n < dns_name_countlabels(name)
+ *	n < dns_label_countlabels(name)
  */
 
 void
@@ -663,23 +573,20 @@ dns_name_getlabelsequence(const dns_name_t *source, unsigned int first,
  * Notes:
  *	Numbering starts at 0.
  *
- *	Given "rc.vix.com.", the label 0 is "rc", and label 3 is the
- *	root label.
- *
  *	'target' refers to the same memory as 'source', so 'source'
  *	must not be changed while 'target' is still in use.
  *
  * Requires:
  *	'source' and 'target' are valid names.
  *
- *	first < dns_name_countlabels(name)
+ *	first < dns_label_countlabels(name)
  *
- *	first + n <= dns_name_countlabels(name)
+ *	first + n <= dns_label_countlabels(name)
  */
 
 
 void
-dns_name_clone(const dns_name_t *source, dns_name_t *target);
+dns_name_clone(dns_name_t *source, dns_name_t *target);
 /*
  * Make 'target' refer to the same name as 'source'.
  *
@@ -691,7 +598,7 @@ dns_name_clone(const dns_name_t *source, dns_name_t *target);
  *	This call is functionally equivalent to:
  *
  *		dns_name_getlabelsequence(source, 0,
- *					  dns_name_countlabels(source),
+ *					  dns_label_countlabels(source),
  *					  target);
  *
  *	but is more efficient.  Also, dns_name_clone() works even if 'source'
@@ -709,7 +616,7 @@ dns_name_clone(const dns_name_t *source, dns_name_t *target);
  ***/
 
 void
-dns_name_fromregion(dns_name_t *name, isc_region_t *r);
+dns_name_fromregion(dns_name_t *name, const isc_region_t *r);
 /*
  * Make 'name' refer to region 'r'.
  *
@@ -737,7 +644,7 @@ dns_name_toregion(dns_name_t *name, isc_region_t *r);
 
 isc_result_t
 dns_name_fromwire(dns_name_t *name, isc_buffer_t *source,
-		  dns_decompress_t *dctx, isc_boolean_t downcase,
+		  dns_decompress_t *dctx, unsigned int options,
 		  isc_buffer_t *target);
 /*
  * Copy the possibly-compressed name at source (active region) into target,
@@ -746,7 +653,7 @@ dns_name_fromwire(dns_name_t *name, isc_buffer_t *source,
  * Notes:
  *	Decompression policy is controlled by 'dctx'.
  *
- *	If 'downcase' is true, any uppercase letters in 'source' will be
+ *	If DNS_NAME_DOWNCASE is set, any uppercase letters in 'source' will be
  *	downcased when they are copied into 'target'.
  *
  * Security:
@@ -774,11 +681,8 @@ dns_name_fromwire(dns_name_t *name, isc_buffer_t *source,
  *	If result is success:
  *	 	If 'target' is not NULL, 'name' is attached to it.
  *
- *		Uppercase letters are downcased in the copy iff. 'downcase' is
- *		true.
- *
- *		Any bitstring labels in source are canonicalized.
- *		(i.e. maximally packed and any padding bits zeroed.)
+ *		Uppercase letters are downcased in the copy iff
+ *		DNS_NAME_DOWNCASE is set in options.
  *
  *		The current location in source is advanced, and the used space
  *		in target is updated.
@@ -796,8 +700,7 @@ dns_name_fromwire(dns_name_t *name, isc_buffer_t *source,
  */
 
 isc_result_t
-dns_name_towire(const dns_name_t *name, dns_compress_t *cctx,
-		isc_buffer_t *target);
+dns_name_towire(dns_name_t *name, dns_compress_t *cctx, isc_buffer_t *target);
 /*
  * Convert 'name' into wire format, compressing it as specified by the
  * compression context 'cctx', and storing the result in 'target'.
@@ -831,7 +734,7 @@ dns_name_towire(const dns_name_t *name, dns_compress_t *cctx,
 
 isc_result_t
 dns_name_fromtext(dns_name_t *name, isc_buffer_t *source,
-		  dns_name_t *origin, isc_boolean_t downcase,
+		  dns_name_t *origin, unsigned int options,
 		  isc_buffer_t *target);
 /*
  * Convert the textual representation of a DNS name at source
@@ -842,8 +745,8 @@ dns_name_fromtext(dns_name_t *name, isc_buffer_t *source,
  *	unless 'origin' is NULL, in which case relative domain names
  *	will remain relative.
  *
- *	If 'downcase' is true, any uppercase letters in 'source' will be
- *	downcased when they are copied into 'target'.
+ *	If DNS_NAME_DOWNCASE is set in 'options', any uppercase letters
+ *	in 'source' will be downcased when they are copied into 'target'.
  *
  * Requires:
  *
@@ -859,10 +762,8 @@ dns_name_fromtext(dns_name_t *name, isc_buffer_t *source,
  *	If result is success:
  *	 	If 'target' is not NULL, 'name' is attached to it.
  *
- *		Any bitstring labels in source are canonicalized.
- *
- *		Uppercase letters are downcased in the copy iff. 'downcase' is
- *		true.
+ *		Uppercase letters are downcased in the copy iff
+ *		DNS_NAME_DOWNCASE is set in 'options'.
  *
  *		The current location in source is advanced, and the used space
  *		in target is updated.
@@ -872,8 +773,8 @@ dns_name_fromtext(dns_name_t *name, isc_buffer_t *source,
  *	DNS_R_EMPTYLABEL
  *	DNS_R_LABELTOOLONG
  *	DNS_R_BADESCAPE
- *	DNS_R_BADBITSTRING
- *	DNS_R_BITSTRINGTOOLONG
+ *	(DNS_R_BADBITSTRING: should not be returned)
+ *	(DNS_R_BITSTRINGTOOLONG: should not be returned)
  *	DNS_R_BADDOTTEDQUAD
  *	ISC_R_NOSPACE
  *	ISC_R_UNEXPECTEDEND
@@ -1018,8 +919,6 @@ dns_name_concatenate(dns_name_t *prefix, dns_name_t *suffix,
  *	 	If 'target' is not NULL and 'name' is not NULL, then 'name'
  *		is attached to it.
  *
- *		Any bitstring labels are in canonical form.
- *
  *		The used space in target is updated.
  *
  * Returns:
@@ -1028,45 +927,32 @@ dns_name_concatenate(dns_name_t *prefix, dns_name_t *suffix,
  *	DNS_R_NAMETOOLONG
  */
 
-isc_result_t
-dns_name_split(dns_name_t *name,
-	       unsigned int suffixlabels, unsigned int nbits,
+void
+dns_name_split(dns_name_t *name, unsigned int suffixlabels,
 	       dns_name_t *prefix, dns_name_t *suffix);
 /*
  *
- * Split 'name' into two pieces on a label or bitlabel boundary.
+ * Split 'name' into two pieces on a label boundary.
  *
  * Notes:
  *      'name' is split such that 'suffix' holds the most significant
- *      'suffixlabels' labels, except that if the least significant
- *      suffix label is a bitstring label, then only the 'nbits' most
- *      significant bits of that label are included in 'suffix'.  All 
- *      other labels and bits are stored in 'prefix'.
+ *      'suffixlabels' labels.  All other labels are stored in 'prefix'. 
  *
  *	Copying name data is avoided as much as possible, so 'prefix'
- *	and 'suffix' will usually end up pointing at the data for 'name',
- *	except when 'nbits' > 0.  The name data is copied to the
- *	the dedicated buffers when splitting on bitlabel boundaries
- *	because of the bit fiddling that must be done.
+ *	and 'suffix' will end up pointing at the data for 'name'.
  *
  *	It is legitimate to pass a 'prefix' or 'suffix' that has
  *	its name data stored someplace other than the dedicated buffer.
  *	This is useful to avoid name copying in the calling function.
  *
  *	It is also legitimate to pass a 'prefix' or 'suffix' that is
- *	the same dns_name_t as 'name', but note well the requirement
- *	below if splitting on a bitlabel boundary.
+ *	the same dns_name_t as 'name'.
  *
  * Requires:
  *	'name' is a valid name.
  *
  * 	'suffixlabels' cannot exceed the number of labels in 'name'.
  *
- *	'nbits' can be greater than zero only when the least significant
- *	label of 'suffix' is a bitstring label.
- *
- *	'nbits' cannot exceed the number of bits in the bitstring label.
- *
  *	'prefix' is a valid name or NULL, and cannot be read-only.
  *
  *	'suffix' is a valid name or NULL, and cannot be read-only.
@@ -1075,65 +961,26 @@ dns_name_split(dns_name_t *name,
  *
  *	'prefix' and 'suffix' cannot point to the same buffer.
  *
- *	If 'nbits' > 0 and 'prefix' and 'suffix' are both non-NULL,
- *	the buffer for 'prefix' cannot be storing the labels for 'name'.
- *
  * Ensures:
  *
  *	On success:
  *		If 'prefix' is not NULL it will contain the least significant
- *		labels and bits.
+ *		labels.
  *
  *		If 'suffix' is not NULL it will contain the most significant
- *		labels and bits.  dns_name_countlabels(suffix) will be
- *		equal to suffixlabels.
+ *		labels.  dns_name_countlabels(suffix) will be equal to
+ *		suffixlabels.
  *
  *	On failure:
  *		Either 'prefix' or 'suffix' is invalidated (depending
  *		on which one the problem was encountered with).
  *
  * Returns:
- *	ISC_R_SUCCESS	No worries.
- *	ISC_R_NOSPACE	An attempt was made to split a name on a bitlabel
- *			boundary but either 'prefix' or 'suffix' did not
- *			have enough room to receive the split name.
+ *	ISC_R_SUCCESS	No worries.  (This function should always success).
  */
 
 isc_result_t
-dns_name_splitatdepth(dns_name_t *name, unsigned int depth,
-		      dns_name_t *prefix, dns_name_t *suffix);
-/*
- * Split 'name' into two pieces at a certain depth.
- *
- * Requires:
- *	'name' is a valid non-empty name.
- *
- *	depth > 0
- *
- *	depth <= dns_name_depth(name)
- *
- *	The preconditions of dns_name_split() apply to 'prefix' and 'suffix'.
- *
- * Ensures:
- *
- *	On success:
- *		If 'prefix' is not NULL it will contain the least significant
- *		labels and bits.
- *
- *		If 'suffix' is not NULL it will contain the most significant
- *		labels and bits.  dns_name_countlabels(suffix) will be
- *		equal to suffixlabels.
- *
- *	On failure:
- *		Either 'prefix' or 'suffix' is invalidated (depending
- *		on which one the problem was encountered with).
- *
- * Returns:
- *	The possible result codes are the same as those of dns_name_split().
- */
-
-isc_result_t
-dns_name_dup(const dns_name_t *source, isc_mem_t *mctx, dns_name_t *target);
+dns_name_dup(dns_name_t *source, isc_mem_t *mctx, dns_name_t *target);
 /*
  * Make 'target' a dynamically allocated copy of 'source'.
  *
@@ -1295,6 +1142,28 @@ dns_name_copy(dns_name_t *source, dns_name_t *dest, isc_buffer_t *target);
  *	ISC_R_NOSPACE
  */
 
+isc_boolean_t
+dns_name_ishostname(const dns_name_t *name, isc_boolean_t wildcard);
+/*
+ * Return if 'name' is a valid hostname.  RFC 952 / RFC 1123.
+ * If 'wildcard' is ISC_TRUE then allow the first label of name to
+ * be a wildcard.
+ * The root is also accepted.
+ *
+ * Requires:
+ *	'name' to be valid.
+ */
+ 
+
+isc_boolean_t
+dns_name_ismailbox(const dns_name_t *name);
+/*
+ * Return if 'name' is a valid mailbox.  RFC 821.
+ *
+ * Requires:
+ *	'name' to be valid.
+ */
+
 ISC_LANG_ENDDECLS
 
 /***
@@ -1345,8 +1214,19 @@ do { \
 do { \
 	(r)->base = (n)->ndata; \
 	(r)->length = (n)->length; \
-} while (0)
+} while (0);
 
+#define DNS_NAME_SPLIT(n, l, p, s) \
+do { \
+	dns_name_t *_n = (n); \
+	dns_name_t *_p = (p); \
+	dns_name_t *_s = (s); \
+	unsigned int _l = (l); \
+	if (_p != NULL) \
+		dns_name_getlabelsequence(_n, 0, _n->labels - _l, _p); \
+	if (_s != NULL) \
+		dns_name_getlabelsequence(_n, _n->labels - _l, _l, _s); \
+} while (0);
 
 #ifdef DNS_NAME_USEINLINE
 
@@ -1356,6 +1236,7 @@ do { \
 #define dns_name_countlabels(n)		DNS_NAME_COUNTLABELS(n)
 #define dns_name_isabsolute(n)		DNS_NAME_ISABSOLUTE(n)
 #define dns_name_toregion(n, r)		DNS_NAME_TOREGION(n, r)
+#define dns_name_split(n, l, p, s)	DNS_NAME_SPLIT(n, l, p, s)
 
 #endif /* DNS_NAME_USEINLINE */
 
diff --git a/lib/dns/include/dns/ncache.h b/lib/dns/include/dns/ncache.h
index 33af26d2..6bf60037 100644
--- a/lib/dns/include/dns/ncache.h
+++ b/lib/dns/include/dns/ncache.h
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ncache.h,v 1.12.2.1 2004/03/09 06:11:19 marka Exp $ */
+/* $Id: ncache.h,v 1.12.12.5 2004/03/08 09:04:37 marka Exp $ */
 
 #ifndef DNS_NCACHE_H
 #define DNS_NCACHE_H 1
@@ -52,6 +52,12 @@
 
 ISC_LANG_BEGINDECLS
 
+/*
+ * _OMITDNSSEC:
+ *      Omit DNSSEC records when rendering.
+ */
+#define DNS_NCACHETOWIRE_OMITDNSSEC   0x0001
+
 isc_result_t
 dns_ncache_add(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
 	       dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t maxttl,
@@ -85,11 +91,13 @@ dns_ncache_add(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
 
 isc_result_t
 dns_ncache_towire(dns_rdataset_t *rdataset, dns_compress_t *cctx,
-		  isc_buffer_t *target, unsigned int *countp);
+		  isc_buffer_t *target, unsigned int options,
+		  unsigned int *countp);
 /*
  * Convert the negative caching rdataset 'rdataset' to wire format,
  * compressing names as specified in 'cctx', and storing the result in
- * 'target'.
+ * 'target'.  If 'omit_dnssec' is set, DNSSEC records will not
+ * be added to 'target'.
  *
  * Notes:
  *	The number of RRs added to target will be added to *countp.
@@ -117,6 +125,34 @@ dns_ncache_towire(dns_rdataset_t *rdataset, dns_compress_t *cctx,
  *	dns_name_towire().
  */
 
+isc_result_t
+dns_ncache_getrdataset(dns_rdataset_t *ncacherdataset, dns_name_t *name,
+		       dns_rdatatype_t type, dns_rdataset_t *rdataset);
+/*
+ * Search the negative caching rdataset for an rdataset with the
+ * specified name and type.
+ *
+ * Requires:
+ *	'ncacherdataset' is a valid negative caching rdataset.
+ *
+ *	'ncacherdataset' is not empty.
+ *
+ *	'name' is a valid name.
+ *
+ *	'type' is not SIG, or a meta-RR type.
+ *
+ *	'rdataset' is a valid disassociated rdataset.
+ *
+ * Ensures:
+ *	On a return of ISC_R_SUCCESS, 'rdataset' is bound to the found
+ *	rdataset.
+ *
+ * Returns:
+ *	ISC_R_SUCCESS		- the rdataset was found.
+ *	ISC_R_NOTFOUND		- the rdataset was not found.
+ *
+ */
+
 ISC_LANG_ENDDECLS
 
 #endif /* DNS_NCACHE_H */
diff --git a/lib/dns/include/dns/nxt.h b/lib/dns/include/dns/nsec.h
index ab3b4c37..68a58336 100644
--- a/lib/dns/include/dns/nxt.h
+++ b/lib/dns/include/dns/nsec.h
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,54 +15,53 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nxt.h,v 1.12.2.1 2004/03/09 06:11:19 marka Exp $ */
+/* $Id: nsec.h,v 1.4.2.1 2004/03/08 02:08:00 marka Exp $ */
 
-#ifndef DNS_NXT_H
-#define DNS_NXT_H 1
+#ifndef DNS_NSEC_H
+#define DNS_NSEC_H 1
 
 #include <isc/lang.h>
 
 #include <dns/types.h>
+#include <dns/name.h>
 
-#define DNS_NXT_BUFFERSIZE (256 + 16)
+#define DNS_NSEC_BUFFERSIZE (DNS_NAME_MAXWIRE + 8192 + 512)
 
 ISC_LANG_BEGINDECLS
 
 isc_result_t
-dns_nxt_buildrdata(dns_db_t *db, dns_dbversion_t *version,
-		   dns_dbnode_t *node, dns_name_t *target,
-		   unsigned char *buffer, dns_rdata_t *rdata);
+dns_nsec_buildrdata(dns_db_t *db, dns_dbversion_t *version,
+		    dns_dbnode_t *node, dns_name_t *target,
+		    unsigned char *buffer, dns_rdata_t *rdata);
 /*
- * Build the rdata of a NXT record.
+ * Build the rdata of a NSEC record.
  *
  * Requires:
  *	buffer	Points to a temporary buffer of at least
- * 		DNS_NXT_BUFFERSIZE bytes.
+ * 		DNS_NSEC_BUFFERSIZE bytes.
  *	rdata	Points to an initialized dns_rdata_t.
  *
  * Ensures:
- *      *rdata	Contains a valid NXT rdata.  The 'data' member refers
+ *      *rdata	Contains a valid NSEC rdata.  The 'data' member refers
  *		to 'buffer'.
  */
 
 isc_result_t
-dns_nxt_build(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
-	      dns_name_t *target, dns_ttl_t ttl);
+dns_nsec_build(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
+	       dns_name_t *target, dns_ttl_t ttl);
 /*
- * Build a NXT record and add it to a database.
+ * Build a NSEC record and add it to a database.
  */
 
 isc_boolean_t
-dns_nxt_typepresent(dns_rdata_t *nxt, dns_rdatatype_t type);
+dns_nsec_typepresent(dns_rdata_t *nsec, dns_rdatatype_t type);
 /*
- * Determine if a type is marked as present in an NXT record.
+ * Determine if a type is marked as present in an NSEC record.
  *
  * Requires:
- *	'nxt' points to a valid rdataset of type NXT
- *	'type' < 128
- *
+ *	'nsec' points to a valid rdataset of type NSEC
  */
 
 ISC_LANG_ENDDECLS
 
-#endif /* DNS_NXT_H */
+#endif /* DNS_NSEC_H */
diff --git a/lib/dns/include/dns/opcode.h b/lib/dns/include/dns/opcode.h
new file mode 100644
index 00000000..4d656b82
--- /dev/null
+++ b/lib/dns/include/dns/opcode.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2002  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: opcode.h,v 1.1.200.3 2004/03/08 09:04:37 marka Exp $ */
+
+#ifndef DNS_OPCODE_H
+#define DNS_OPCODE_H 1
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t dns_opcode_totext(dns_opcode_t opcode, isc_buffer_t *target);
+/*
+ * Put a textual representation of error 'opcode' into 'target'.
+ *
+ * Requires:
+ *	'opcode' is a valid opcode.
+ *
+ *	'target' is a valid text buffer.
+ *
+ * Ensures:
+ *	If the result is success:
+ *		The used space in 'target' is updated.
+ *
+ * Returns:
+ *	ISC_R_SUCCESS			on success
+ *	ISC_R_NOSPACE			target buffer is too small
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_OPCODE_H */
diff --git a/lib/dns/include/dns/order.h b/lib/dns/include/dns/order.h
new file mode 100644
index 00000000..e28e3ca6
--- /dev/null
+++ b/lib/dns/include/dns/order.h
@@ -0,0 +1,97 @@
+/*
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2002  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: order.h,v 1.2.202.3 2004/03/08 09:04:37 marka Exp $ */
+
+#ifndef DNS_ORDER_H
+#define DNS_ORDER_H 1
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_order_create(isc_mem_t *mctx, dns_order_t **orderp);
+/*
+ * Create a order object.
+ *
+ * Requires:
+ * 	'orderp' to be non NULL and '*orderp == NULL'.
+ *	'mctx' to be valid.
+ *
+ * Returns:
+ *	ISC_R_SUCCESS
+ *	ISC_R_NOMEMORY
+ */
+
+isc_result_t
+dns_order_add(dns_order_t *order, dns_name_t *name,
+	      dns_rdatatype_t rdtype, dns_rdataclass_t rdclass,
+	      unsigned int mode);
+/*
+ * Add a entry to the end of the order list.
+ *
+ * Requires:
+ * 	'order' to be valid.
+ *	'name' to be valid.
+ *	'mode' to be one of DNS_RDATASERATTR_RANDOMIZE,
+ *		DNS_RDATASERATTR_RANDOMIZE or zero (DNS_RDATASERATTR_CYCLIC).
+ *
+ * Returns:
+ *	ISC_R_SUCCESS
+ *	ISC_R_NOMEMORY
+ */
+
+unsigned int
+dns_order_find(dns_order_t *order, dns_name_t *name,
+	       dns_rdatatype_t rdtype, dns_rdataclass_t rdclass);
+/*
+ * Find the first matching entry on the list.
+ *
+ * Requires:
+ *	'order' to be valid.
+ *	'name' to be valid.
+ *
+ * Returns the mode set by dns_order_add() or zero.
+ */
+
+void
+dns_order_attach(dns_order_t *source, dns_order_t **target);
+/*
+ * Attach to the 'source' object.
+ *
+ * Requires:
+ * 	'source' to be valid.
+ *	'target' to be non NULL and '*target == NULL'.
+ */
+
+void
+dns_order_detach(dns_order_t **orderp);
+/*
+ * Detach from the object.  Clean up if last this was the last
+ * reference.
+ *
+ * Requires:
+ *	'*orderp' to be valid.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_ORDER_H */
diff --git a/lib/dns/include/dns/peer.h b/lib/dns/include/dns/peer.h
index 7049b568..03f720af 100644
--- a/lib/dns/include/dns/peer.h
+++ b/lib/dns/include/dns/peer.h
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: peer.h,v 1.16.2.2 2004/03/09 06:11:19 marka Exp $ */
+/* $Id: peer.h,v 1.16.2.1.10.3 2004/03/06 08:13:58 marka Exp $ */
 
 #ifndef DNS_PEER_H
 #define DNS_PEER_H 1
@@ -72,6 +72,7 @@ struct dns_peer {
 	isc_boolean_t		request_ixfr;
 	isc_boolean_t		support_edns;
 	dns_name_t	       *key;
+	isc_sockaddr_t	       *transfer_source;
 
 	isc_uint32_t		bitflags;
 
@@ -114,10 +115,10 @@ dns_peerlist_currpeer(dns_peerlist_t *peers, dns_peer_t **retval);
 isc_result_t
 dns_peer_new(isc_mem_t *mem, isc_netaddr_t *ipaddr, dns_peer_t **peer);
 
-isc_result_t
+void
 dns_peer_attach(dns_peer_t *source, dns_peer_t **target);
 
-isc_result_t
+void
 dns_peer_detach(dns_peer_t **list);
 
 isc_result_t
@@ -165,6 +166,12 @@ dns_peer_getkey(dns_peer_t *peer, dns_name_t **retval);
 isc_result_t
 dns_peer_setkey(dns_peer_t *peer, dns_name_t **keyval);
 
+isc_result_t
+dns_peer_settransfersource(dns_peer_t *peer, isc_sockaddr_t *transfer_source);
+
+isc_result_t
+dns_peer_gettransfersource(dns_peer_t *peer, isc_sockaddr_t *transfer_source);
+
 ISC_LANG_ENDDECLS
 
 #endif /* DNS_PEER_H */
diff --git a/lib/dns/include/dns/portlist.h b/lib/dns/include/dns/portlist.h
new file mode 100644
index 00000000..ea672a91
--- /dev/null
+++ b/lib/dns/include/dns/portlist.h
@@ -0,0 +1,99 @@
+/*
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2003  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: portlist.h,v 1.2.84.2 2004/03/06 08:13:58 marka Exp $ */
+
+#include <isc/lang.h>
+#include <isc/net.h>
+#include <isc/types.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_portlist_create(isc_mem_t *mctx, dns_portlist_t **portlistp);
+/*
+ * Create a port list.
+ * 
+ * Requires:
+ *	'mctx' to be valid.
+ *	'portlistp' to be non NULL and '*portlistp' to be NULL;
+ *
+ * Returns:
+ *	ISC_R_SUCCESS
+ *	ISC_R_NOMEMORY
+ *	ISC_R_UNEXPECTED
+ */
+
+isc_result_t
+dns_portlist_add(dns_portlist_t *portlist, int af, in_port_t port);
+/*
+ * Add the given <port,af> tuple to the portlist.
+ *
+ * Requires:
+ *	'portlist' to be valid.
+ *	'af' to be AF_INET or AF_INET6
+ *
+ * Returns:
+ *	ISC_R_SUCCESS
+ *	ISC_R_NOMEMORY
+ */
+
+void
+dns_portlist_remove(dns_portlist_t *portlist, int af, in_port_t port);
+/*
+ * Remove the given <port,af> tuple to the portlist.
+ *
+ * Requires:
+ *	'portlist' to be valid.
+ *	'af' to be AF_INET or AF_INET6
+ */
+
+isc_boolean_t
+dns_portlist_match(dns_portlist_t *portlist, int af, in_port_t port);
+/*
+ * Find the given <port,af> tuple to the portlist.
+ *
+ * Requires:
+ *	'portlist' to be valid.
+ *	'af' to be AF_INET or AF_INET6
+ *
+ * Returns
+ * 	ISC_TRUE if the tuple is found, ISC_FALSE otherwise.
+ */
+
+void
+dns_portlist_attach(dns_portlist_t *portlist, dns_portlist_t **portlistp);
+/*
+ * Attach to a port list.
+ *
+ * Requires:
+ *	'portlist' to be valid.
+ *	'portlistp' to be non NULL and '*portlistp' to be NULL;
+ */
+
+void
+dns_portlist_detach(dns_portlist_t **portlistp);
+/*
+ * Detach from a port list.
+ *
+ * Requires:
+ *	'*portlistp' to be valid.
+ */
+
+ISC_LANG_ENDDECLS
diff --git a/lib/dns/include/dns/rbt.h b/lib/dns/include/dns/rbt.h
index 63c554ab..de2d3096 100644
--- a/lib/dns/include/dns/rbt.h
+++ b/lib/dns/include/dns/rbt.h
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,12 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rbt.h,v 1.55.2.3 2004/10/11 05:55:36 marka Exp $ */
+/* $Id: rbt.h,v 1.55.12.5 2004/03/08 09:04:38 marka Exp $ */
 
 #ifndef DNS_RBT_H
 #define DNS_RBT_H 1
 
 #include <isc/lang.h>
+#include <isc/magic.h>
 
 #include <dns/types.h>
 
@@ -43,6 +44,13 @@ ISC_LANG_BEGINDECLS
 #define DNS_RBT_LOCKLENGTH			10
 #define DNS_RBT_REFLENGTH			20
 
+#define DNS_RBTNODE_MAGIC		ISC_MAGIC('R','B','N','O')
+#if DNS_RBT_USEMAGIC
+#define DNS_RBTNODE_VALID(n)		ISC_MAGIC_VALID(n, DNS_RBTNODE_MAGIC)
+#else
+#define DNS_RBTNODE_VALID(n)		ISC_TRUE
+#endif
+
 /*
  * This is the structure that is used for each node in the red/black
  * tree of trees.  NOTE WELL:  the implementation manages this as a variable
@@ -51,6 +59,9 @@ ISC_LANG_BEGINDECLS
  * multiple dns_rbtnode structures will not work.
  */
 typedef struct dns_rbtnode {
+#if DNS_RBT_USEMAGIC
+	unsigned int magic;
+#endif
 	struct dns_rbtnode *parent;
 	struct dns_rbtnode *left;
 	struct dns_rbtnode *right;
@@ -137,7 +148,8 @@ typedef isc_result_t (*dns_rbtfindcallback_t)(dns_rbtnode_t *node,
  * definition of "@" as the current origin.
  *
  * dns_rbtnodechain_current is similar to the _first, _last, _prev and _next
- * functions but additionally can provide the node to which the chain points.  */
+ * functions but additionally can provide the node to which the chain points.
+ */
 
 /*
  * The number of level blocks to allocate at a time.  Currently the maximum
@@ -591,18 +603,15 @@ dns_rbt_destroy(dns_rbt_t **rbtp);
 isc_result_t
 dns_rbt_destroy2(dns_rbt_t **rbtp, unsigned int quantum);
 /*
- * Stop working with a red-black tree of trees. 
- * If 'quantum' is zero then the entire tree will be destroyed.
- * If 'quantum' is non zero then up to 'quantum' nodes will be destroyed
- * allowing the rbt to be incrementally destroyed by repeated calls to
- * dns_rbt_destroy2().  Once dns_rbt_destroy2() has been called no other
- * operations than dns_rbt_destroy()/dns_rbt_destroy2() should be
- * performed on the tree of trees.
- * 
+ * Stop working with a red-black tree of trees.  Once dns_rbt_destroy2()
+ * has been called on a 'rbt' only dns_rbt_destroy() or dns_rbt_destroy2()
+ * may be used on the tree.  If 'quantum' is zero then the entire tree will
+ * be destroyed.
+ *
  * Requires:
  * 	*rbt is a valid rbt manager.
  *
- * Ensures on ISC_R_SUCCESS:
+ * Ensures:
  *	All space allocated by the RBT library has been returned.
  *
  *	*rbt is invalidated as an rbt manager.
diff --git a/lib/dns/include/dns/rcode.h b/lib/dns/include/dns/rcode.h
index 27e6d573..b2494f73 100644
--- a/lib/dns/include/dns/rcode.h
+++ b/lib/dns/include/dns/rcode.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rcode.h,v 1.12.2.1 2004/03/09 06:11:20 marka Exp $ */
+/* $Id: rcode.h,v 1.12.206.1 2004/03/06 08:13:59 marka Exp $ */
 
 #ifndef DNS_RCODE_H
 #define DNS_RCODE_H 1
diff --git a/lib/dns/include/dns/rdata.h b/lib/dns/include/dns/rdata.h
index 8943f705..b006b178 100644
--- a/lib/dns/include/dns/rdata.h
+++ b/lib/dns/include/dns/rdata.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdata.h,v 1.51.2.5 2004/03/09 06:11:20 marka Exp $ */
+/* $Id: rdata.h,v 1.51.2.3.2.4 2004/03/08 02:08:01 marka Exp $ */
 
 #ifndef DNS_RDATA_H
 #define DNS_RDATA_H 1
@@ -96,6 +96,7 @@
 #include <isc/lang.h>
 
 #include <dns/types.h>
+#include <dns/name.h>
 
 ISC_LANG_BEGINDECLS
 
@@ -142,6 +143,11 @@ struct dns_rdata {
 /* Output explanatory comments. */
 #define DNS_STYLEFLAG_COMMENT		0x00000002U
 
+#define DNS_RDATA_DOWNCASE		DNS_NAME_DOWNCASE
+#define DNS_RDATA_CHECKNAMES		DNS_NAME_CHECKNAMES
+#define DNS_RDATA_CHECKNAMESFAIL	DNS_NAME_CHECKNAMESFAIL
+#define DNS_RDATA_CHECKREVERSE		DNS_NAME_CHECKREVERSE
+
 /***
  *** Initialization
  ***/
@@ -220,8 +226,7 @@ dns_rdata_toregion(const dns_rdata_t *rdata, isc_region_t *r);
 isc_result_t
 dns_rdata_fromwire(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
 		   dns_rdatatype_t type, isc_buffer_t *source,
-		   dns_decompress_t *dctx,
-		   isc_boolean_t downcase,
+		   dns_decompress_t *dctx, unsigned int options,
 		   isc_buffer_t *target);
 /*
  * Copy the possibly-compressed rdata at source into the target region.
@@ -229,8 +234,9 @@ dns_rdata_fromwire(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
  * Notes:
  *	Name decompression policy is controlled by 'dctx'.
  *
- *	If 'downcase' is true, any uppercase letters in domain names in
- * 	'source' will be downcased when they are copied into 'target'.
+ *	'options'
+ *	DNS_RDATA_DOWNCASE	downcase domain names when they are copied
+ *				into target.
  *
  * Requires:
  *
@@ -294,7 +300,7 @@ dns_rdata_towire(dns_rdata_t *rdata, dns_compress_t *cctx,
 isc_result_t
 dns_rdata_fromtext(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
 		   dns_rdatatype_t type, isc_lex_t *lexer, dns_name_t *origin,
-		   isc_boolean_t downcase, isc_mem_t *mctx,
+		   unsigned int options, isc_mem_t *mctx,
 		   isc_buffer_t *target, dns_rdatacallbacks_t *callbacks);
 /*
  * Convert the textual representation of a DNS rdata into uncompressed wire
@@ -305,8 +311,15 @@ dns_rdata_fromtext(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
  *	Relative domain names in the rdata will have 'origin' appended to them.
  *	A NULL origin implies "origin == dns_rootname".
  *
- *	If 'downcase' is true, any uppercase letters in domain names in
- * 	'source' will be downcased when they are copied into 'target'.
+ *
+ *	'options'
+ *	DNS_RDATA_DOWNCASE	downcase domain names when they are copied
+ *				into target.
+ *	DNS_RDATA_CHECKNAMES 	perform checknames checks.
+ *	DNS_RDATA_CHECKNAMESFAIL fail if the checknames check fail.  If
+ *				not set a warning will be issued.
+ *	DNS_RDATA_CHECKREVERSE  this should set if the owner name ends
+ *				in IP6.ARPA, IP6.INT or IN-ADDR.ARPA.
  *
  * Requires:
  *
@@ -502,7 +515,7 @@ isc_boolean_t
 dns_rdatatype_iszonecutauth(dns_rdatatype_t type);
 /*
  * Return true iff rdata of type 'type' is considered authoritative
- * data (not glue) in the NXT chain when it occurs in the parent zone
+ * data (not glue) in the NSEC chain when it occurs in the parent zone
  * at a zone cut.
  *
  * Requires:
@@ -602,6 +615,17 @@ dns_rdatatype_notquestion(dns_rdatatype_t type);
  *
  */
 
+isc_boolean_t
+dns_rdatatype_atparent(dns_rdatatype_t type);
+/*
+ * Return true iff rdata of type 'type' should appear at the parent of
+ * a zone cut.
+ *
+ * Requires:
+ * 	'type' is a valid rdata type.
+ *
+ */
+
 unsigned int
 dns_rdatatype_attributes(dns_rdatatype_t rdtype);
 /*
@@ -620,7 +644,7 @@ dns_rdatatype_attributes(dns_rdatatype_t rdtype);
 #define DNS_RDATATYPEATTR_EXCLUSIVE		0x00000002U
 /* Is a meta type */
 #define DNS_RDATATYPEATTR_META			0x00000004U
-/* Is a DNSSEC type, like SIG or NXT */
+/* Is a DNSSEC type, like RRSIG or NSEC */
 #define DNS_RDATATYPEATTR_DNSSEC		0x00000008U
 /* Is a zone cut authority type */
 #define DNS_RDATATYPEATTR_ZONECUTAUTH		0x00000010U
@@ -632,6 +656,8 @@ dns_rdatatype_attributes(dns_rdatatype_t rdtype);
 #define DNS_RDATATYPEATTR_QUESTIONONLY		0x00000080U
 /* is META, and can NOT be in a question section */
 #define DNS_RDATATYPEATTR_NOTQUESTION		0x00000100U
+/* Is present at zone cuts in the parent, not the child */
+#define DNS_RDATATYPEATTR_ATPARENT		0x00000200U
 
 dns_rdatatype_t
 dns_rdata_covers(dns_rdata_t *rdata);
@@ -647,6 +673,34 @@ dns_rdata_covers(dns_rdata_t *rdata);
  *	The type covered.
  */
 
+isc_boolean_t
+dns_rdata_checkowner(dns_name_t* name, dns_rdataclass_t rdclass,
+		     dns_rdatatype_t type, isc_boolean_t wildcard);
+/*
+ * Returns whether this is a valid ownername for this <type,class>.
+ * If wildcard is true allow the first label to be a wildcard if
+ * appropriate.
+ *
+ * Requires:
+ *	'name' is a valid name.
+ */
+
+isc_boolean_t
+dns_rdata_checknames(dns_rdata_t *rdata, dns_name_t *owner, dns_name_t *bad);
+/*
+ * Returns whether 'rdata' contains valid domain names.  The checks are
+ * sensitive to the owner name.
+ *
+ * If 'bad' is non-NULL and a domain name fails the check the
+ * the offending name will be return in 'bad' by cloning from
+ * the 'rdata' contents.
+ *
+ * Requires:
+ *	'rdata' to be valid.
+ *	'owner' to be valid.
+ *	'bad'	to be NULL or valid.
+ */
+
 ISC_LANG_ENDDECLS
 
 #endif /* DNS_RDATA_H */
diff --git a/lib/dns/include/dns/rdataclass.h b/lib/dns/include/dns/rdataclass.h
index c70f5b83..359a2be6 100644
--- a/lib/dns/include/dns/rdataclass.h
+++ b/lib/dns/include/dns/rdataclass.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdataclass.h,v 1.17.2.1 2004/03/09 06:11:20 marka Exp $ */
+/* $Id: rdataclass.h,v 1.17.206.1 2004/03/06 08:13:59 marka Exp $ */
 
 #ifndef DNS_RDATACLASS_H
 #define DNS_RDATACLASS_H 1
diff --git a/lib/dns/include/dns/rdatalist.h b/lib/dns/include/dns/rdatalist.h
index d632201b..a846c898 100644
--- a/lib/dns/include/dns/rdatalist.h
+++ b/lib/dns/include/dns/rdatalist.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdatalist.h,v 1.13.2.1 2004/03/09 06:11:20 marka Exp $ */
+/* $Id: rdatalist.h,v 1.13.206.1 2004/03/06 08:13:59 marka Exp $ */
 
 #ifndef DNS_RDATALIST_H
 #define DNS_RDATALIST_H 1
diff --git a/lib/dns/include/dns/rdataset.h b/lib/dns/include/dns/rdataset.h
index 829e6009..e2b0753a 100644
--- a/lib/dns/include/dns/rdataset.h
+++ b/lib/dns/include/dns/rdataset.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdataset.h,v 1.41.2.10 2006/03/02 00:37:17 marka Exp $ */
+/* $Id: rdataset.h,v 1.41.2.5.2.6 2004/03/08 02:08:01 marka Exp $ */
 
 #ifndef DNS_RDATASET_H
 #define DNS_RDATASET_H 1
@@ -68,6 +68,12 @@ typedef struct dns_rdatasetmethods {
 	void			(*clone)(dns_rdataset_t *source,
 					 dns_rdataset_t *target);
 	unsigned int		(*count)(dns_rdataset_t *rdataset);
+	isc_result_t		(*addnoqname)(dns_rdataset_t *rdataset,
+					      dns_name_t *name);
+	isc_result_t		(*getnoqname)(dns_rdataset_t *rdataset,
+					      dns_name_t *name,
+					      dns_rdataset_t *nsec,
+					      dns_rdataset_t *nsecsig);
 } dns_rdatasetmethods_t;
 
 #define DNS_RDATASET_MAGIC	       ISC_MAGIC('D','N','S','R')
@@ -98,6 +104,13 @@ struct dns_rdataset {
 	 */
 	unsigned int			attributes;
 	/*
+	 * the counter provides the starting point in the "cyclic" order.
+	 * The value ISC_UINT32_MAX has a special meaning of "picking up a
+	 * random value." in order to take care of databases that do not
+	 * increment the counter.
+	 */
+	isc_uint32_t			count;
+	/*
 	 * These are for use by the rdataset implementation, and MUST NOT
 	 * be changed by clients.
 	 */
@@ -106,6 +119,7 @@ struct dns_rdataset {
 	void *				private3;
 	unsigned int			privateuint4;
 	void *				private5;
+	void *				private6;
 };
 
 /*
@@ -116,23 +130,28 @@ struct dns_rdataset {
  *	Used by message.c to indicate that the rdataset's rdata had differing
  *	TTL values, and the rdataset->ttl holds the smallest.
  */
-#define DNS_RDATASETATTR_QUESTION	0x00000001
-#define DNS_RDATASETATTR_RENDERED	0x00000002	/* Used by message.c */
-#define DNS_RDATASETATTR_ANSWERED	0x00000004	/* Used by server. */
-#define DNS_RDATASETATTR_CACHE		0x00000008	/* Used by resolver. */
-#define DNS_RDATASETATTR_ANSWER		0x00000010	/* Used by resolver. */
-#define DNS_RDATASETATTR_ANSWERSIG	0x00000020	/* Used by resolver. */
-#define DNS_RDATASETATTR_EXTERNAL	0x00000040	/* Used by resolver. */
-#define DNS_RDATASETATTR_NCACHE		0x00000080	/* Used by resolver. */
-#define DNS_RDATASETATTR_CHAINING	0x00000100	/* Used by resolver. */
-#define DNS_RDATASETATTR_TTLADJUSTED	0x00000200	/* Used by message.c */
-#define DNS_RDATASETATTR_FIXEDORDER	0x00000400
-#define DNS_RDATASETATTR_RANDOMIZE	0x00000800
-#define DNS_RDATASETATTR_CHASE		0x00001000	/* Used by resolver. */
-#define DNS_RDATASETATTR_NXDOMAIN	0x00002000
-#define DNS_RDATASETATTR_NOQNAME	0x00004000	/* Reserved for 9.3 */
-#define DNS_RDATASETATTR_CHECKNAMES	0x00008000	/* Reserved for 9.3 */
-#define DNS_RDATASETATTR_REQUIREDGLUE	0x00010000
+#define DNS_RDATASETATTR_QUESTION	0x0001
+#define DNS_RDATASETATTR_RENDERED	0x0002		/* Used by message.c */
+#define DNS_RDATASETATTR_ANSWERED	0x0004		/* Used by server. */
+#define DNS_RDATASETATTR_CACHE		0x0008		/* Used by resolver. */
+#define DNS_RDATASETATTR_ANSWER		0x0010		/* Used by resolver. */
+#define DNS_RDATASETATTR_ANSWERSIG	0x0020		/* Used by resolver. */
+#define DNS_RDATASETATTR_EXTERNAL	0x0040		/* Used by resolver. */
+#define DNS_RDATASETATTR_NCACHE		0x0080		/* Used by resolver. */
+#define DNS_RDATASETATTR_CHAINING	0x0100		/* Used by resolver. */
+#define DNS_RDATASETATTR_TTLADJUSTED	0x0200		/* Used by message.c */
+#define DNS_RDATASETATTR_FIXEDORDER	0x0400
+#define DNS_RDATASETATTR_RANDOMIZE	0x0800
+#define DNS_RDATASETATTR_CHASE		0x1000		/* Used by resolver. */
+#define DNS_RDATASETATTR_NXDOMAIN	0x2000
+#define DNS_RDATASETATTR_NOQNAME	0x4000
+#define DNS_RDATASETATTR_CHECKNAMES	0x8000		/* Used by resolver. */
+
+/*
+ * _OMITDNSSEC:
+ * 	Omit DNSSEC records when rendering ncache records.
+ */
+#define DNS_RDATASETTOWIRE_OMITDNSSEC	0x0001
 
 void
 dns_rdataset_init(dns_rdataset_t *rdataset);
@@ -306,9 +325,10 @@ dns_rdataset_totext(dns_rdataset_t *rdataset,
 
 isc_result_t
 dns_rdataset_towire(dns_rdataset_t *rdataset,
-		    const dns_name_t *owner_name,
+		    dns_name_t *owner_name,
 		    dns_compress_t *cctx,
 		    isc_buffer_t *target,
+		    unsigned int options,
 		    unsigned int *countp);
 /*
  * Convert 'rdataset' to wire format, compressing names as specified
@@ -344,11 +364,12 @@ dns_rdataset_towire(dns_rdataset_t *rdataset,
 
 isc_result_t
 dns_rdataset_towiresorted(dns_rdataset_t *rdataset,
-			  const dns_name_t *owner_name,
+			  dns_name_t *owner_name,
 			  dns_compress_t *cctx,
 			  isc_buffer_t *target,
 			  dns_rdatasetorderfunc_t order,
-			  const void *order_arg,
+			  void *order_arg,
+			  unsigned int options,
 			  unsigned int *countp);
 /*
  * Like dns_rdataset_towire(), but sorting the rdatasets according to
@@ -362,11 +383,12 @@ dns_rdataset_towiresorted(dns_rdataset_t *rdataset,
 
 isc_result_t
 dns_rdataset_towirepartial(dns_rdataset_t *rdataset,
-			   const dns_name_t *owner_name,
+			   dns_name_t *owner_name,
 			   dns_compress_t *cctx,
 			   isc_buffer_t *target,
 			   dns_rdatasetorderfunc_t order,
-			   const void *order_arg,
+			   void *order_arg,
+			   unsigned int options,
 			   unsigned int *countp,
 			   void **state);
 /*
@@ -416,6 +438,31 @@ dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
  *	Any error that dns_rdata_additionaldata() can return.
  */
 
+isc_result_t
+dns_rdataset_getnoqname(dns_rdataset_t *rdataset, dns_name_t *name,
+			dns_rdataset_t *nsec, dns_rdataset_t *nsecsig);
+/*
+ * Return the noqname proof for this record.
+ *
+ * Requires:
+ *	'rdataset' to be valid and DNS_RDATASETATTR_NOQNAME to be set.
+ *	'name' to be valid.
+ *	'nsec' and 'nsecsig' to be valid and not associated.
+ */
+
+isc_result_t
+dns_rdataset_addnoqname(dns_rdataset_t *rdataset, dns_name_t *name);
+/*
+ * Associate a noqname proof with this record.
+ * Sets DNS_RDATASETATTR_NOQNAME if successful.
+ * Adjusts the 'rdataset->ttl' to minimum of the 'rdataset->ttl' and
+ * the 'nsec' and 'rrsig(nsec)' ttl.
+ *
+ * Requires:
+ *	'rdataset' to be valid and DNS_RDATASETATTR_NOQNAME to be set.
+ *	'name' to be valid and have NSEC and RRSIG(NSEC) rdatasets.
+ */
+
 ISC_LANG_ENDDECLS
 
 #endif /* DNS_RDATASET_H */
diff --git a/lib/dns/include/dns/rdatasetiter.h b/lib/dns/include/dns/rdatasetiter.h
index c50246c0..198aebb3 100644
--- a/lib/dns/include/dns/rdatasetiter.h
+++ b/lib/dns/include/dns/rdatasetiter.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdatasetiter.h,v 1.14.2.1 2004/03/09 06:11:20 marka Exp $ */
+/* $Id: rdatasetiter.h,v 1.14.206.1 2004/03/06 08:13:59 marka Exp $ */
 
 #ifndef DNS_RDATASETITER_H
 #define DNS_RDATASETITER_H 1
diff --git a/lib/dns/include/dns/rdataslab.h b/lib/dns/include/dns/rdataslab.h
index 9ab325bb..a0912db3 100644
--- a/lib/dns/include/dns/rdataslab.h
+++ b/lib/dns/include/dns/rdataslab.h
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
+ * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdataslab.h,v 1.20.2.3 2004/03/09 06:11:21 marka Exp $ */
+/* $Id: rdataslab.h,v 1.20.2.2.2.4 2004/03/08 09:04:39 marka Exp $ */
 
 #ifndef DNS_RDATASLAB_H
 #define DNS_RDATASLAB_H 1
@@ -79,10 +79,26 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
  *
  * Returns:
  *	ISC_R_SUCCESS		- successful completion
- *	DNS_R_NOMEM		- no memory.
+ *	ISC_R_NOMEMORY		- no memory.
  *	<XXX others>
  */
 
+void
+dns_rdataslab_tordataset(unsigned char *slab, unsigned int reservelen,
+			 dns_rdataclass_t rdclass, dns_rdatatype_t rdtype,
+			 dns_rdatatype_t covers, dns_ttl_t ttl,
+			 dns_rdataset_t *rdataset);
+/*
+ * Construct an rdataset from a slab.
+ *
+ * Requires:
+ *	'slab' points to a slab.
+ *	'rdataset' is disassociated.
+ *
+ * Ensures:
+ *	'rdataset' is associated and points to a valid rdataest.
+ */
+
 unsigned int
 dns_rdataslab_size(unsigned char *slab, unsigned int reservelen);
 /*
diff --git a/lib/dns/include/dns/rdatatype.h b/lib/dns/include/dns/rdatatype.h
index 9b22ae65..0fa865dc 100644
--- a/lib/dns/include/dns/rdatatype.h
+++ b/lib/dns/include/dns/rdatatype.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdatatype.h,v 1.17.2.1 2004/03/09 06:11:21 marka Exp $ */
+/* $Id: rdatatype.h,v 1.17.206.1 2004/03/06 08:13:59 marka Exp $ */
 
 #ifndef DNS_RDATATYPE_H
 #define DNS_RDATATYPE_H 1
diff --git a/lib/dns/include/dns/request.h b/lib/dns/include/dns/request.h
index 8a641f1b..b3e7bcd7 100644
--- a/lib/dns/include/dns/request.h
+++ b/lib/dns/include/dns/request.h
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) 2000-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: request.h,v 1.17.2.1 2004/03/09 06:11:21 marka Exp $ */
+/* $Id: request.h,v 1.17.12.5 2004/03/08 09:04:39 marka Exp $ */
 
 #ifndef DNS_REQUEST_H
 #define DNS_REQUEST_H 1
@@ -199,6 +199,23 @@ dns_request_createvia(dns_requestmgr_t *requestmgr, dns_message_t *message,
 		      unsigned int timeout, isc_task_t *task,
 		      isc_taskaction_t action, void *arg,
 		      dns_request_t **requestp);
+
+isc_result_t
+dns_request_createvia2(dns_requestmgr_t *requestmgr, dns_message_t *message,
+		       isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
+		       unsigned int options, dns_tsigkey_t *key,
+		       unsigned int timeout, unsigned int udptimeout,
+		       isc_task_t *task, isc_taskaction_t action, void *arg,
+		       dns_request_t **requestp);
+
+isc_result_t
+dns_request_createvia3(dns_requestmgr_t *requestmgr, dns_message_t *message,
+		       isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
+		       unsigned int options, dns_tsigkey_t *key,
+		       unsigned int timeout, unsigned int udptimeout,
+		       unsigned int udpretries, isc_task_t *task,
+		       isc_taskaction_t action, void *arg,
+		       dns_request_t **requestp);
 /*
  * Create and send a request.
  *
@@ -206,7 +223,8 @@ dns_request_createvia(dns_requestmgr_t *requestmgr, dns_message_t *message,
  *
  *	'message' will be rendered and sent to 'address'.  If the
  *	DNS_REQUESTOPT_TCP option is set, TCP will be used.  The request
- *	will timeout after 'timeout' seconds.
+ *	will timeout after 'timeout' seconds.  UDP requests will be resent
+ *	at 'udptimeout' intervals if non-zero or 'udpretries' is non-zero.
  *
  *	When the request completes, successfully, due to a timeout, or
  *	because it was canceled, a completion event will be sent to 'task'.
@@ -234,6 +252,22 @@ dns_request_createraw(dns_requestmgr_t *requestmgr, isc_buffer_t *msgbuf,
 		      unsigned int options, unsigned int timeout,
 		      isc_task_t *task, isc_taskaction_t action, void *arg,
 		      dns_request_t **requestp);
+
+isc_result_t
+dns_request_createraw2(dns_requestmgr_t *requestmgr, isc_buffer_t *msgbuf,
+		       isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
+		       unsigned int options, unsigned int timeout,
+		       unsigned int udptimeout, isc_task_t *task,
+		       isc_taskaction_t action, void *arg,
+		       dns_request_t **requestp);
+
+isc_result_t
+dns_request_createraw3(dns_requestmgr_t *requestmgr, isc_buffer_t *msgbuf,
+		       isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
+		       unsigned int options, unsigned int timeout,
+		       unsigned int udptimeout, unsigned int udpretries,
+		       isc_task_t *task, isc_taskaction_t action, void *arg,
+		       dns_request_t **requestp);
 /*
  * Create and send a request.
  *
@@ -241,8 +275,9 @@ dns_request_createraw(dns_requestmgr_t *requestmgr, isc_buffer_t *msgbuf,
  *
  *	'msgbuf' will be sent to 'destaddr' after setting the id.  If the
  *	DNS_REQUESTOPT_TCP option is set, TCP will be used.  The request
- *	will timeout after 'timeout' seconds.
- *
+ *	will timeout after 'timeout' seconds.   UDP requests will be resent
+ *	at 'udptimeout' intervals if non-zero or if 'udpretries' is not zero.
+ *	
  *	When the request completes, successfully, due to a timeout, or
  *	because it was canceled, a completion event will be sent to 'task'.
  *
@@ -263,7 +298,7 @@ dns_request_createraw(dns_requestmgr_t *requestmgr, isc_buffer_t *msgbuf,
  *	requestp != NULL && *requestp == NULL
  */
 
-isc_result_t
+void
 dns_request_cancel(dns_request_t *request);
 /*
  * Cancel 'request'.
diff --git a/lib/dns/include/dns/resolver.h b/lib/dns/include/dns/resolver.h
index 7baf7580..be2273a7 100644
--- a/lib/dns/include/dns/resolver.h
+++ b/lib/dns/include/dns/resolver.h
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: resolver.h,v 1.34.2.3 2006/02/01 23:48:50 marka Exp $ */
+/* $Id: resolver.h,v 1.34.12.6 2004/03/08 02:08:01 marka Exp $ */
 
 #ifndef DNS_RESOLVER_H
 #define DNS_RESOLVER_H 1
@@ -96,6 +96,9 @@ typedef struct dns_fetchevent {
  * _dns_resolver_create()).
  */
 
+#define DNS_RESOLVER_CHECKNAMES		0x01
+#define DNS_RESOLVER_CHECKNAMESFAIL	0x02
+
 isc_result_t
 dns_resolver_create(dns_view_t *view,
 		    isc_taskmgr_t *taskmgr, unsigned int ntasks,
@@ -106,6 +109,7 @@ dns_resolver_create(dns_view_t *view,
 		    dns_dispatch_t *dispatchv4,
 		    dns_dispatch_t *dispatchv6,
 		    dns_resolver_t **resp);
+
 /*
  * Create a resolver.
  *
@@ -132,7 +136,7 @@ dns_resolver_create(dns_view_t *view,
  *
  *	'dispatchv6' is a valid dispatcher with an IPv6 UDP socket, or is NULL.
  *
- *	resp != NULL && *resp == NULL.
+ *	*resp != NULL && *resp == NULL.
  *
  * Returns:
  *
@@ -349,6 +353,69 @@ dns_resolver_setlamettl(dns_resolver_t *resolver, isc_uint32_t lame_ttl);
  *	'resolver' to be valid.
  */
 
+unsigned int
+dns_resolver_nrunning(dns_resolver_t *resolver);
+/*
+ * Return the number of currently running resolutions in this
+ * resolver.  This is may be less than the number of outstanding
+ * fetches due to multiple identical fetches, or more than the
+ * number of of outstanding fetches due to the fact that resolution
+ * can continue even though a fetch has been canceled.
+ */
+
+isc_result_t
+dns_resolver_addalternate(dns_resolver_t *resolver, isc_sockaddr_t *alt,
+			  dns_name_t *name, in_port_t port);
+/*
+ * Add alternate addresses to be tried in the event that the nameservers
+ * for a zone are not available in the address families supported by the
+ * operating system.
+ *
+ * Require:
+ * 	only one of 'name' or 'alt' to be valid.
+ */
+
+void
+dns_resolver_setudpsize(dns_resolver_t *resolver, isc_uint16_t udpsize);
+/*
+ * Set the EDNS UDP buffer size advertised by the server.
+ */
+
+isc_uint16_t
+dns_resolver_getudpsize(dns_resolver_t *resolver);
+/*
+ * Get the current EDNS UDP buffer size.
+ */
+
+void
+dns_resolver_reset_algorithms(dns_resolver_t *resolver);
+/*
+ * Clear the disabled DNSSEC algorithms.
+ */
+
+isc_result_t
+dns_resolver_disable_algorithm(dns_resolver_t *resolver, dns_name_t *name,
+			       unsigned int alg);
+/*
+ * Mark the give DNSSEC algorithm as disabled and below 'name'.
+ * Valid algorithms are less than 256.
+ *
+ * Returns:
+ *	ISC_R_SUCCESS
+ *	ISC_R_RANGE
+ *	ISC_R_NOMEMORY
+ */
+
+isc_boolean_t
+dns_resolver_algorithm_supported(dns_resolver_t *resolver, dns_name_t *name,
+				 unsigned int alg);
+/*
+ * Check if the given algorithm is supported by this resolver.
+ * This checks if the algorithm has been disabled via
+ * dns_resolver_disable_algorithm() then the underlying
+ * crypto libraries if not specifically disabled.
+ */
+
 ISC_LANG_ENDDECLS
 
 #endif /* DNS_RESOLVER_H */
diff --git a/lib/dns/include/dns/result.h b/lib/dns/include/dns/result.h
index bb4a9c22..a4a19e53 100644
--- a/lib/dns/include/dns/result.h
+++ b/lib/dns/include/dns/result.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: result.h,v 1.81.2.10 2004/04/06 01:38:47 marka Exp $ */
+/* $Id: result.h,v 1.81.2.7.2.11 2004/03/22 01:52:23 marka Exp $ */
 
 #ifndef DNS_RESULT_H
 #define DNS_RESULT_H 1
@@ -38,8 +38,13 @@
  */
 #define DNS_R_LABELTOOLONG		(ISC_RESULTCLASS_DNS + 0)
 #define DNS_R_BADESCAPE			(ISC_RESULTCLASS_DNS + 1)
+/*
+ * Since we dropped the support of bitstring labels, deprecate the related
+ * result codes too.
+
 #define DNS_R_BADBITSTRING		(ISC_RESULTCLASS_DNS + 2)
 #define DNS_R_BITSTRINGTOOLONG		(ISC_RESULTCLASS_DNS + 3)
+*/
 #define DNS_R_EMPTYLABEL		(ISC_RESULTCLASS_DNS + 4)
 #define DNS_R_BADDOTTEDQUAD		(ISC_RESULTCLASS_DNS + 5)
 #define DNS_R_INVALIDNS			(ISC_RESULTCLASS_DNS + 6)
@@ -96,7 +101,7 @@
 #define DNS_R_ALIAS			(ISC_RESULTCLASS_DNS + 57)
 #define DNS_R_USETCP			(ISC_RESULTCLASS_DNS + 58)
 #define DNS_R_NOVALIDSIG		(ISC_RESULTCLASS_DNS + 59)
-#define DNS_R_NOVALIDNXT		(ISC_RESULTCLASS_DNS + 60)
+#define DNS_R_NOVALIDNSEC		(ISC_RESULTCLASS_DNS + 60)
 #define DNS_R_NOTINSECURE		(ISC_RESULTCLASS_DNS + 61)
 #define DNS_R_UNKNOWNSERVICE		(ISC_RESULTCLASS_DNS + 62)
 #define DNS_R_RECOVERABLE		(ISC_RESULTCLASS_DNS + 63)
@@ -114,12 +119,20 @@
 #define DNS_R_UNKNOWNPROTO		(ISC_RESULTCLASS_DNS + 75)
 #define DNS_R_CLOCKSKEW			(ISC_RESULTCLASS_DNS + 76)
 #define DNS_R_BADIXFR			(ISC_RESULTCLASS_DNS + 77)
-/* #define DNS_R_unused			(ISC_RESULTCLASS_DNS + 78) */
+#define DNS_R_NOTAUTHORITATIVE		(ISC_RESULTCLASS_DNS + 78)
 #define DNS_R_NOVALIDKEY		(ISC_RESULTCLASS_DNS + 79)
 #define DNS_R_OBSOLETE			(ISC_RESULTCLASS_DNS + 80)
 #define DNS_R_FROZEN			(ISC_RESULTCLASS_DNS + 81)
 #define DNS_R_UNKNOWNFLAG		(ISC_RESULTCLASS_DNS + 82)
 #define DNS_R_EXPECTEDRESPONSE		(ISC_RESULTCLASS_DNS + 83)
+#define DNS_R_NOVALIDDS			(ISC_RESULTCLASS_DNS + 84)
+#define DNS_R_NSISADDRESS		(ISC_RESULTCLASS_DNS + 85)
+#define DNS_R_REMOTEFORMERR		(ISC_RESULTCLASS_DNS + 86)
+#define DNS_R_TRUNCATEDTCP		(ISC_RESULTCLASS_DNS + 87)
+#define DNS_R_LAME			(ISC_RESULTCLASS_DNS + 88)
+#define DNS_R_UNEXPECTEDRCODE		(ISC_RESULTCLASS_DNS + 89)
+#define DNS_R_UNEXPECTEDOPCODE		(ISC_RESULTCLASS_DNS + 90)
+#define DNS_R_CHASEDSSERVERS		(ISC_RESULTCLASS_DNS + 91)
 #define DNS_R_EMPTYNAME			(ISC_RESULTCLASS_DNS + 92)
 #define DNS_R_EMPTYWILD			(ISC_RESULTCLASS_DNS + 93)
 #define DNS_R_BADBITMAP			(ISC_RESULTCLASS_DNS + 94)
diff --git a/lib/dns/include/dns/rootns.h b/lib/dns/include/dns/rootns.h
index 3fd89fdf..02da556c 100644
--- a/lib/dns/include/dns/rootns.h
+++ b/lib/dns/include/dns/rootns.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rootns.h,v 1.8.2.1 2004/03/09 06:11:21 marka Exp $ */
+/* $Id: rootns.h,v 1.8.206.1 2004/03/06 08:14:00 marka Exp $ */
 
 #ifndef DNS_ROOTNS_H
 #define DNS_ROOTNS_H 1
diff --git a/lib/dns/include/dns/sdb.h b/lib/dns/include/dns/sdb.h
index 154ee027..5fdeace1 100644
--- a/lib/dns/include/dns/sdb.h
+++ b/lib/dns/include/dns/sdb.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sdb.h,v 1.12.2.1 2004/03/09 06:11:22 marka Exp $ */
+/* $Id: sdb.h,v 1.12.12.3 2004/03/08 09:04:39 marka Exp $ */
 
 #ifndef DNS_SDB_H
 #define DNS_SDB_H 1
@@ -112,7 +112,10 @@ dns_sdb_register(const char *drivername, const dns_sdbmethods_t *methods,
  * ns_sdb_putrr().
  *
  * The lookup function returns the lookup results to the name server
- * by calling ns_sdb_putrr() once for each record found.
+ * by calling ns_sdb_putrr() once for each record found.  On success,
+ * the return value of the lookup function should be ISC_R_SUCCESS.
+ * If the domain name 'name' does not exist, the lookup function should
+ * ISC_R_NOTFOUND.  Any other return value is treated as an error.
  *
  * Lookups at the zone apex will cause the server to also call the
  * function 'authority' (if non-NULL), which must provide an SOA record
@@ -162,17 +165,28 @@ dns_sdb_unregister(dns_sdbimplementation_t **sdbimp);
 isc_result_t
 dns_sdb_putrr(dns_sdblookup_t *lookup, const char *type, dns_ttl_t ttl,
 	      const char *data);
+isc_result_t
+dns_sdb_putrdata(dns_sdblookup_t *lookup, dns_rdatatype_t type, dns_ttl_t ttl,
+		 const unsigned char *rdata, unsigned int rdlen);
 /*
- * Add a single resource record to the lookup structure to be later
- * parsed into a query response.
+ * Add a single resource record to the lookup structure to be
+ * returned in the query response.  dns_sdb_putrr() takes the
+ * resource record in master file text format as a null-terminated
+ * string, and dns_sdb_putrdata() takes the raw RDATA in
+ * uncompressed wire format.
  */
 
 isc_result_t
 dns_sdb_putnamedrr(dns_sdballnodes_t *allnodes, const char *name,
 		   const char *type, dns_ttl_t ttl, const char *data);
+isc_result_t
+dns_sdb_putnamedrdata(dns_sdballnodes_t *allnodes, const char *name,
+		      dns_rdatatype_t type, dns_ttl_t ttl,
+		      const void *rdata, unsigned int rdlen);
 /*
- * Add a single resource record to the allnodes structure to be later
- * parsed into a zone transfer response.
+ * Add a single resource record to the allnodes structure to be
+ * included in a zone transfer response, in text or wire
+ * format as above.
  */
 
 isc_result_t
diff --git a/lib/dns/include/dns/secalg.h b/lib/dns/include/dns/secalg.h
index fea96088..3f7a16f0 100644
--- a/lib/dns/include/dns/secalg.h
+++ b/lib/dns/include/dns/secalg.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: secalg.h,v 1.12.2.1 2004/03/09 06:11:22 marka Exp $ */
+/* $Id: secalg.h,v 1.12.206.1 2004/03/06 08:14:00 marka Exp $ */
 
 #ifndef DNS_SECALG_H
 #define DNS_SECALG_H 1
diff --git a/lib/dns/include/dns/secproto.h b/lib/dns/include/dns/secproto.h
index 42112135..da8c1dd0 100644
--- a/lib/dns/include/dns/secproto.h
+++ b/lib/dns/include/dns/secproto.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: secproto.h,v 1.9.2.1 2004/03/09 06:11:22 marka Exp $ */
+/* $Id: secproto.h,v 1.9.206.1 2004/03/06 08:14:00 marka Exp $ */
 
 #ifndef DNS_SECPROTO_H
 #define DNS_SECPROTO_H 1
diff --git a/lib/dns/include/dns/soa.h b/lib/dns/include/dns/soa.h
index a26a25d6..304ae15e 100644
--- a/lib/dns/include/dns/soa.h
+++ b/lib/dns/include/dns/soa.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: soa.h,v 1.2.2.1 2004/03/09 06:11:22 marka Exp $ */
+/* $Id: soa.h,v 1.2.206.1 2004/03/06 08:14:00 marka Exp $ */
 
 #ifndef DNS_SOA_H
 #define DNS_SOA_H 1
diff --git a/lib/dns/include/dns/ssu.h b/lib/dns/include/dns/ssu.h
index 2622596c..f26a039a 100644
--- a/lib/dns/include/dns/ssu.h
+++ b/lib/dns/include/dns/ssu.h
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ssu.h,v 1.11.2.1 2004/03/09 06:11:22 marka Exp $ */
+/* $Id: ssu.h,v 1.11.206.3 2004/03/08 09:04:39 marka Exp $ */
 
 #ifndef DNS_SSU_H
 #define DNS_SSU_H 1
@@ -89,10 +89,10 @@ dns_ssutable_addrule(dns_ssutable_t *table, isc_boolean_t grant,
  *		to be updated matches the signing identity.
  *
  *		If 'ntypes' is 0, this rule applies to all types except
- *		NS, SOA, SIG, and NXT.
+ *		NS, SOA, RRSIG, and NSEC.
  *
  *		If 'types' includes ANY, this rule applies to all types
- *		except NXT.
+ *		except NSEC.
  *
  *	Requires:
  *		'table' is a valid SSU table
diff --git a/lib/dns/include/dns/stats.h b/lib/dns/include/dns/stats.h
index 5bf95fbb..db94b529 100644
--- a/lib/dns/include/dns/stats.h
+++ b/lib/dns/include/dns/stats.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: stats.h,v 1.4.2.1 2004/03/09 06:11:22 marka Exp $ */
+/* $Id: stats.h,v 1.4.206.1 2004/03/06 08:14:00 marka Exp $ */
 
 #ifndef DNS_STATS_H
 #define DNS_STATS_H 1
diff --git a/lib/dns/include/dns/tcpmsg.h b/lib/dns/include/dns/tcpmsg.h
index 1651126c..ae1d7048 100644
--- a/lib/dns/include/dns/tcpmsg.h
+++ b/lib/dns/include/dns/tcpmsg.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tcpmsg.h,v 1.15.2.1 2004/03/09 06:11:23 marka Exp $ */
+/* $Id: tcpmsg.h,v 1.15.206.1 2004/03/06 08:14:00 marka Exp $ */
 
 #ifndef DNS_TCPMSG_H
 #define DNS_TCPMSG_H 1
diff --git a/lib/dns/include/dns/time.h b/lib/dns/include/dns/time.h
index 1f3b473b..0b82443a 100644
--- a/lib/dns/include/dns/time.h
+++ b/lib/dns/include/dns/time.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: time.h,v 1.9.2.1 2004/03/09 06:11:23 marka Exp $ */
+/* $Id: time.h,v 1.9.12.3 2004/03/08 09:04:39 marka Exp $ */
 
 #ifndef DNS_TIME_H
 #define DNS_TIME_H 1
@@ -34,7 +34,7 @@ ISC_LANG_BEGINDECLS
  ***/
 
 isc_result_t
-dns_time64_fromtext(char *source, isc_int64_t *target);
+dns_time64_fromtext(const char *source, isc_int64_t *target);
 /*
  * Convert a date and time in YYYYMMDDHHMMSS text format at 'source'
  * into to a 64-bit count of seconds since Jan 1 1970 0:00 GMT.
@@ -42,7 +42,7 @@ dns_time64_fromtext(char *source, isc_int64_t *target);
  */
 
 isc_result_t
-dns_time32_fromtext(char *source, isc_uint32_t *target);
+dns_time32_fromtext(const char *source, isc_uint32_t *target);
 /*
  * Like dns_time64_fromtext, but returns the second count modulo 2^32
  * as per RFC2535.
diff --git a/lib/dns/include/dns/timer.h b/lib/dns/include/dns/timer.h
index b2013c49..36e2ac3c 100644
--- a/lib/dns/include/dns/timer.h
+++ b/lib/dns/include/dns/timer.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: timer.h,v 1.2.2.1 2004/03/09 06:11:23 marka Exp $ */
+/* $Id: timer.h,v 1.2.206.1 2004/03/06 08:14:00 marka Exp $ */
 
 #ifndef DNS_TIMER_H
 #define DNS_TIMER_H 1
diff --git a/lib/dns/include/dns/tkey.h b/lib/dns/include/dns/tkey.h
index 57b9477c..e5ca3b3b 100644
--- a/lib/dns/include/dns/tkey.h
+++ b/lib/dns/include/dns/tkey.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tkey.h,v 1.18.2.1 2004/03/09 06:11:23 marka Exp $ */
+/* $Id: tkey.h,v 1.18.206.1 2004/03/06 08:14:00 marka Exp $ */
 
 #ifndef DNS_TKEY_H
 #define DNS_TKEY_H 1
diff --git a/lib/dns/include/dns/tsig.h b/lib/dns/include/dns/tsig.h
index 1cfae3ea..7b5b4585 100644
--- a/lib/dns/include/dns/tsig.h
+++ b/lib/dns/include/dns/tsig.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tsig.h,v 1.40.2.3 2004/03/09 06:11:23 marka Exp $ */
+/* $Id: tsig.h,v 1.40.2.2.8.3 2004/03/08 09:04:39 marka Exp $ */
 
 #ifndef DNS_TSIG_H
 #define DNS_TSIG_H 1
@@ -35,9 +35,9 @@
  */
 LIBDNS_EXTERNAL_DATA extern dns_name_t *dns_tsig_hmacmd5_name;
 #define DNS_TSIG_HMACMD5_NAME		dns_tsig_hmacmd5_name
-extern dns_name_t *dns_tsig_gssapi_name;
+LIBDNS_EXTERNAL_DATA extern dns_name_t *dns_tsig_gssapi_name;
 #define DNS_TSIG_GSSAPI_NAME		dns_tsig_gssapi_name
-extern dns_name_t *dns_tsig_gssapims_name;
+LIBDNS_EXTERNAL_DATA extern dns_name_t *dns_tsig_gssapims_name;
 #define DNS_TSIG_GSSAPIMS_NAME		dns_tsig_gssapims_name
 
 /*
diff --git a/lib/dns/include/dns/ttl.h b/lib/dns/include/dns/ttl.h
index ca16746b..dc7167d6 100644
--- a/lib/dns/include/dns/ttl.h
+++ b/lib/dns/include/dns/ttl.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ttl.h,v 1.12.2.1 2004/03/09 06:11:24 marka Exp $ */
+/* $Id: ttl.h,v 1.12.206.1 2004/03/06 08:14:01 marka Exp $ */
 
 #ifndef DNS_TTL_H
 #define DNS_TTL_H 1
diff --git a/lib/dns/include/dns/types.h b/lib/dns/include/dns/types.h
index 3340724e..2bad7ea0 100644
--- a/lib/dns/include/dns/types.h
+++ b/lib/dns/include/dns/types.h
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: types.h,v 1.103.2.3 2006/03/02 00:37:17 marka Exp $ */
+/* $Id: types.h,v 1.103.12.7 2004/03/08 09:04:39 marka Exp $ */
 
 #ifndef DNS_TYPES_H
 #define DNS_TYPES_H 1
@@ -30,7 +30,6 @@
 
 #include <isc/types.h>
 
-typedef struct dns_a6context			dns_a6context_t;
 typedef struct dns_acl 				dns_acl_t;
 typedef struct dns_aclelement 			dns_aclelement_t;
 typedef struct dns_aclenv			dns_aclenv_t;
@@ -57,6 +56,7 @@ typedef struct dns_dispatchevent		dns_dispatchevent_t;
 typedef struct dns_dispatchlist			dns_dispatchlist_t;
 typedef struct dns_dispatchmgr			dns_dispatchmgr_t;
 typedef struct dns_dispentry			dns_dispentry_t;
+typedef struct dns_dumpctx			dns_dumpctx_t;
 typedef struct dns_fetch			dns_fetch_t;
 typedef struct dns_fixedname			dns_fixedname_t;
 typedef struct dns_forwarders			dns_forwarders_t;
@@ -75,8 +75,10 @@ typedef struct dns_name				dns_name_t;
 typedef ISC_LIST(dns_name_t)			dns_namelist_t;
 typedef isc_uint16_t				dns_opcode_t;
 typedef unsigned char				dns_offsets_t[128];
+typedef struct dns_order			dns_order_t;
 typedef struct dns_peer				dns_peer_t;
 typedef struct dns_peerlist			dns_peerlist_t;
+typedef struct dns_portlist			dns_portlist_t;
 typedef struct dns_rbt				dns_rbt_t;
 typedef isc_uint16_t				dns_rcode_t;
 typedef struct dns_rdata			dns_rdata_t;
@@ -110,22 +112,12 @@ typedef struct dns_zonemgr			dns_zonemgr_t;
 typedef struct dns_zt				dns_zt_t;
 
 typedef enum {
-	dns_bitlabel_0 = 0,
-	dns_bitlabel_1 = 1
-} dns_bitlabel_t;
-
-typedef enum {
 	dns_fwdpolicy_none = 0,
 	dns_fwdpolicy_first = 1,
 	dns_fwdpolicy_only = 2
 } dns_fwdpolicy_t;
 
 typedef enum {
-	dns_labeltype_ordinary = 0,
-	dns_labeltype_bitstring = 1
-} dns_labeltype_t;
-
-typedef enum {
 	dns_namereln_none = 0,
 	dns_namereln_contains = 1,
 	dns_namereln_subdomain = 2,
@@ -281,6 +273,9 @@ typedef enum {
  * Functions.
  */
 typedef void
+(*dns_dumpdonefunc_t)(void *, isc_result_t);
+
+typedef void
 (*dns_loaddonefunc_t)(void *, isc_result_t);
 
 typedef isc_result_t
@@ -299,6 +294,6 @@ typedef void
 (*dns_updatecallback_t)(void *, isc_result_t, dns_message_t *);
 
 typedef int 
-(*dns_rdatasetorderfunc_t)(const dns_rdata_t *rdata, const void *arg);
+(*dns_rdatasetorderfunc_t)(dns_rdata_t *rdata, void *arg);
 
 #endif /* DNS_TYPES_H */
diff --git a/lib/dns/include/dns/validator.h b/lib/dns/include/dns/validator.h
index 3af3deac..4c854eb1 100644
--- a/lib/dns/include/dns/validator.h
+++ b/lib/dns/include/dns/validator.h
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: validator.h,v 1.18.2.3 2007/01/08 02:45:02 marka Exp $ */
+/* $Id: validator.h,v 1.18.12.5 2004/03/10 02:55:58 marka Exp $ */
 
 #ifndef DNS_VALIDATOR_H
 #define DNS_VALIDATOR_H 1
@@ -51,9 +51,10 @@
 #include <isc/event.h>
 #include <isc/mutex.h>
 
+#include <dns/fixedname.h>
 #include <dns/types.h>
 #include <dns/rdataset.h>
-#include <dns/rdatastruct.h> /* for dns_rdata_sig_t */
+#include <dns/rdatastruct.h> /* for dns_rdata_rrsig_t */
 
 #include <dst/dst.h>
 
@@ -73,8 +74,12 @@ typedef struct dns_validatorevent {
 	dns_rdataset_t *		rdataset;
 	dns_rdataset_t *		sigrdataset;
 	dns_message_t *			message;
+	dns_name_t *			proofs[3];
 } dns_validatorevent_t;
 
+#define DNS_VALIDATOR_NOQNAMEPROOF 0
+#define DNS_VALIDATOR_NODATAPROOF 1
+#define DNS_VALIDATOR_NOWILDCARDPROOF 2
 
 /*
  * A validator object represents a validation in procgress.
@@ -93,12 +98,12 @@ struct dns_validator {
 	unsigned int			attributes;
 	dns_validatorevent_t *		event;
 	dns_fetch_t *			fetch;
-	dns_validator_t *		keyvalidator;
-	dns_validator_t *		authvalidator;
+	dns_validator_t *		subvalidator;
+	dns_validator_t *		parent;
 	dns_keytable_t *		keytable;
 	dns_keynode_t *			keynode;
 	dst_key_t *			key;
-	dns_rdata_sig_t *		siginfo;
+	dns_rdata_rrsig_t *		siginfo;
 	isc_task_t *			task;
 	isc_taskaction_t		action;
 	void *				arg;
@@ -106,16 +111,18 @@ struct dns_validator {
 	dns_rdataset_t *		currentset;
 	isc_boolean_t			seensig;
 	dns_rdataset_t *		keyset;
+	dns_rdataset_t *		dsset;
+	dns_rdataset_t *		soaset;
+	dns_rdataset_t *		nsecset;
+	dns_name_t *			soaname;
 	dns_rdataset_t			frdataset;
 	dns_rdataset_t			fsigrdataset;
+	dns_fixedname_t			fname;
+	dns_fixedname_t			wild;
 	ISC_LINK(dns_validator_t)	link;
+	dns_rdataset_t *		dlv;
 };
 
-/*%
- * dns_validator_create() options.
- */
-#define DNS_VALIDATOR_DEFER 2U
-
 ISC_LANG_BEGINDECLS
 
 isc_result_t
@@ -137,7 +144,7 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
  * null key.
  *
  * The complete response message may be given in 'message',
- * to make available any authority section NXTs that may be
+ * to make available any authority section NSECs that may be
  * needed for validation of a response resulting from a
  * wildcard expansion (though no such wildcard validation
  * is implemented yet).  If the complete response message
@@ -159,15 +166,6 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
  */
 
 void
-dns_validator_send(dns_validator_t *validator);
-/*%<
- * Send a deferred validation request
- *
- * Requires:
- *	'validator' to points to a valid DNSSEC validator.
- */
-
-void
 dns_validator_cancel(dns_validator_t *validator);
 /*
  * Cancel a DNSSEC validation in progress.
diff --git a/lib/dns/include/dns/version.h b/lib/dns/include/dns/version.h
new file mode 100644
index 00000000..28c83be1
--- /dev/null
+++ b/lib/dns/include/dns/version.h
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2001  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: version.h,v 1.2.224.3 2004/03/08 09:04:40 marka Exp $ */
+
+#include <isc/platform.h>
+
+LIBDNS_EXTERNAL_DATA extern const char dns_version[];
+
+LIBDNS_EXTERNAL_DATA extern const unsigned int dns_libinterface;
+LIBDNS_EXTERNAL_DATA extern const unsigned int dns_librevision;
+LIBDNS_EXTERNAL_DATA extern const unsigned int dns_libage;
diff --git a/lib/dns/include/dns/view.h b/lib/dns/include/dns/view.h
index bb64bb61..a3cd935c 100644
--- a/lib/dns/include/dns/view.h
+++ b/lib/dns/include/dns/view.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: view.h,v 1.73.2.8 2004/03/09 06:11:24 marka Exp $ */
+/* $Id: view.h,v 1.73.2.4.2.12 2004/03/10 02:55:58 marka Exp $ */
 
 #ifndef DNS_VIEW_H
 #define DNS_VIEW_H 1
@@ -71,6 +71,7 @@
 #include <isc/stdtime.h>
 
 #include <dns/acl.h>
+#include <dns/fixedname.h>
 #include <dns/types.h>
 
 ISC_LANG_BEGINDECLS
@@ -100,16 +101,17 @@ struct dns_view {
 	dns_tsig_keyring_t *		statickeys;
 	dns_tsig_keyring_t *		dynamickeys;
 	dns_peerlist_t *		peers;
+	dns_order_t *			order;
 	dns_fwdtable_t *		fwdtable;
 	isc_boolean_t			recursion;
 	isc_boolean_t			auth_nxdomain;
 	isc_boolean_t			additionalfromcache;
 	isc_boolean_t			additionalfromauth;
 	isc_boolean_t			minimalresponses;
+	isc_boolean_t			enablednssec;
 	dns_transfer_format_t		transfer_format;
 	dns_acl_t *			queryacl;
 	dns_acl_t *			recursionacl;
-	dns_acl_t *			v6synthesisacl;
 	dns_acl_t *			sortlist;
 	isc_boolean_t			requestixfr;
 	isc_boolean_t			provideixfr;
@@ -117,10 +119,14 @@ struct dns_view {
 	dns_ttl_t			maxncachettl;
 	in_port_t			dstport;
 	dns_aclenv_t			aclenv;
+	dns_rdatatype_t			preferred_glue;
 	isc_boolean_t			flush;
 	dns_namelist_t *		delonly;
 	isc_boolean_t			rootdelonly;
 	dns_namelist_t *		rootexclude;
+	isc_boolean_t			checknames;
+	dns_name_t *			dlv;
+	dns_fixedname_t			dlv_fixed;
 
 	/*
 	 * Configurable data for server use only,
@@ -486,7 +492,7 @@ dns_view_simplefind(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
  *	'name' is valid name.
  *
  *	'type' is a valid dns_rdatatype_t, and is not a meta query type
- *	(e.g. dns_rdatatype_any), or dns_rdatatype_sig.
+ *	(e.g. dns_rdatatype_any), or dns_rdatatype_rrsig.
  *
  *	'rdataset' is a valid, disassociated rdataset.
  *
@@ -704,6 +710,20 @@ dns_view_flushcache(dns_view_t *view);
  */
 
 isc_result_t
+dns_view_flushname(dns_view_t *view, dns_name_t *);
+/*
+ * Flush the given name from the view's cache (and ADB).
+ *
+ * Requires:
+ *	'view' is valid.
+ *	'name' is valid.
+ *
+ * Returns:
+ *	ISC_R_SUCCESS
+ *	other returns are failures.
+ */
+
+isc_result_t
 dns_view_adddelegationonly(dns_view_t *view, dns_name_t *name);
 /*
  * Add the given name to the delegation only table.
diff --git a/lib/dns/include/dns/xfrin.h b/lib/dns/include/dns/xfrin.h
index d4dfd300..0050238f 100644
--- a/lib/dns/include/dns/xfrin.h
+++ b/lib/dns/include/dns/xfrin.h
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: xfrin.h,v 1.18.2.1 2004/03/09 06:11:24 marka Exp $ */
+/* $Id: xfrin.h,v 1.18.136.2 2004/03/06 08:14:01 marka Exp $ */
 
 #ifndef DNS_XFRIN_H
 #define DNS_XFRIN_H 1
@@ -57,6 +57,14 @@ dns_xfrin_create(dns_zone_t *zone, dns_rdatatype_t xfrtype,
 		 isc_mem_t *mctx, isc_timermgr_t *timermgr,
 		 isc_socketmgr_t *socketmgr, isc_task_t *task,
 		 dns_xfrindone_t done, dns_xfrin_ctx_t **xfrp);
+
+isc_result_t
+dns_xfrin_create2(dns_zone_t *zone, dns_rdatatype_t xfrtype,
+		  isc_sockaddr_t *masteraddr, isc_sockaddr_t *sourceaddr,
+		  dns_tsigkey_t *tsigkey, isc_mem_t *mctx,
+		  isc_timermgr_t *timermgr, isc_socketmgr_t *socketmgr,
+		  isc_task_t *task, dns_xfrindone_t done,
+		  dns_xfrin_ctx_t **xfrp);
 /*
  * Attempt to start an incoming zone transfer of 'zone'
  * from 'masteraddr', creating a dns_xfrin_ctx_t object to
diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h
index 9e8551fe..ebd8d8ce 100644
--- a/lib/dns/include/dns/zone.h
+++ b/lib/dns/include/dns/zone.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.h,v 1.106.2.12 2006/08/01 03:44:38 marka Exp $ */
+/* $Id: zone.h,v 1.106.2.7.4.14 2004/03/06 08:14:01 marka Exp $ */
 
 #ifndef DNS_ZONE_H
 #define DNS_ZONE_H 1
@@ -39,12 +39,19 @@ typedef enum {
 	dns_zone_stub
 } dns_zonetype_t;
 
-#define DNS_ZONEOPT_SERVERS	0x00000001U	/* perform server checks */
-#define DNS_ZONEOPT_PARENTS	0x00000002U	/* perform parent checks */
-#define DNS_ZONEOPT_CHILDREN	0x00000004U	/* perform child checks */
-#define DNS_ZONEOPT_NOTIFY	0x00000008U	/* perform NOTIFY */
-#define DNS_ZONEOPT_MANYERRORS	0x00000010U	/* return many errors on load */
-#define DNS_ZONEOPT_NOMERGE	0x00000040U	/* don't merge journal */
+#define DNS_ZONEOPT_SERVERS	  0x00000001U	/* perform server checks */
+#define DNS_ZONEOPT_PARENTS	  0x00000002U	/* perform parent checks */
+#define DNS_ZONEOPT_CHILDREN	  0x00000004U	/* perform child checks */
+#define DNS_ZONEOPT_NOTIFY	  0x00000008U	/* perform NOTIFY */
+#define DNS_ZONEOPT_MANYERRORS	  0x00000010U	/* return many errors on load */
+#define DNS_ZONEOPT_IXFRFROMDIFFS 0x00000020U	/* calculate differences */
+#define DNS_ZONEOPT_NOMERGE	  0x00000040U	/* don't merge journal */
+#define DNS_ZONEOPT_CHECKNS	  0x00000080U	/* check if NS's are addresses */
+#define DNS_ZONEOPT_FATALNS	  0x00000100U	/* DNS_ZONEOPT_CHECKNS is fatal */
+#define DNS_ZONEOPT_MULTIMASTER	  0x00000200U	/* this zone has multiple masters */
+#define DNS_ZONEOPT_USEALTXFRSRC  0x00000400U	/* use alternate transfer sources */
+#define DNS_ZONEOPT_CHECKNAMES	  0x00000800U	/* check-names */
+#define DNS_ZONEOPT_CHECKNAMESFAIL 0x00001000U	/* fatal check-name failures */
 
 #ifndef NOMINUM_PUBLIC
 /*
@@ -156,7 +163,7 @@ dns_zone_getview(dns_zone_t *zone);
  */
 
 isc_result_t
-dns_zone_setorigin(dns_zone_t *zone, const dns_name_t *origin);
+dns_zone_setorigin(dns_zone_t *zone, dns_name_t *origin);
 /*
  *	Sets the zones origin to 'origin'.
  *
@@ -228,6 +235,9 @@ dns_zone_loadnew(dns_zone_t *zone);
  * Returns:
  *	ISC_R_UNEXPECTED
  *	ISC_R_SUCCESS
+ *	DNS_R_CONTINUE	  Incremental load has been queued.
+ *	DNS_R_UPTODATE	  The zone has already been loaded based on
+ *			  file system timestamps.
  *	DNS_R_BADZONE
  *	Any result value from dns_db_load().
  */
@@ -382,6 +392,17 @@ dns_zone_dumptostream(dns_zone_t *zone, FILE *fd);
  *	'fd' to be a stream open for writing.
  */
 
+isc_result_t
+dns_zone_fulldumptostream(dns_zone_t *zone, FILE *fd);
+/*
+ *	The same as dns_zone_dumptostream, but dumps the zone with
+ *	different dump settings (dns_master_style_full).
+ *
+ * Require:
+ *	'zone' to be a valid zone.
+ *	'fd' to be a stream open for writing.
+ */
+
 void
 dns_zone_maintenance(dns_zone_t *zone);
 /*
@@ -393,13 +414,11 @@ dns_zone_maintenance(dns_zone_t *zone);
  */
 
 isc_result_t
-dns_zone_setmasters(dns_zone_t *zone, const isc_sockaddr_t *masters,
+dns_zone_setmasters(dns_zone_t *zone, isc_sockaddr_t *masters,
 		    isc_uint32_t count);
 isc_result_t
-dns_zone_setmasterswithkeys(dns_zone_t *zone,
-			    const isc_sockaddr_t *masters,
-			    dns_name_t **keynames,
-			    isc_uint32_t count);
+dns_zone_setmasterswithkeys(dns_zone_t *zone, isc_sockaddr_t *masters,
+			    dns_name_t **keynames, isc_uint32_t count);
 /*
  *	Set the list of master servers for the zone.
  *
@@ -421,7 +440,7 @@ dns_zone_setmasterswithkeys(dns_zone_t *zone,
  */
 
 isc_result_t
-dns_zone_setalsonotify(dns_zone_t *zone, const isc_sockaddr_t *notify,
+dns_zone_setalsonotify(dns_zone_t *zone, isc_sockaddr_t *notify,
 		       isc_uint32_t count);
 /*
  *	Set the list of additional servers to be notified when
@@ -430,7 +449,7 @@ dns_zone_setalsonotify(dns_zone_t *zone, const isc_sockaddr_t *notify,
  * Require:
  *	'zone' to be a valid zone.
  *	'notify' to be non-NULL if count != 0.
- *	'count' to be the number of notifyees
+ *	'count' to be the number of notifyees.
  *
  * Returns:
  *	ISC_R_SUCCESS
@@ -506,7 +525,9 @@ dns_zone_setmaxretrytime(dns_zone_t *zone, isc_uint32_t val);
  */
 
 isc_result_t
-dns_zone_setxfrsource4(dns_zone_t *zone, const isc_sockaddr_t *xfrsource);
+dns_zone_setxfrsource4(dns_zone_t *zone, isc_sockaddr_t *xfrsource);
+isc_result_t
+dns_zone_setaltxfrsource4(dns_zone_t *zone, isc_sockaddr_t *xfrsource);
 /*
  * 	Set the source address to be used in IPv4 zone transfers.
  *
@@ -520,6 +541,8 @@ dns_zone_setxfrsource4(dns_zone_t *zone, const isc_sockaddr_t *xfrsource);
 
 isc_sockaddr_t *
 dns_zone_getxfrsource4(dns_zone_t *zone);
+isc_sockaddr_t *
+dns_zone_getaltxfrsource4(dns_zone_t *zone);
 /*
  *	Returns the source address set by a previous dns_zone_setxfrsource4
  *	call, or the default of inaddr_any, port 0.
@@ -529,7 +552,9 @@ dns_zone_getxfrsource4(dns_zone_t *zone);
  */
 
 isc_result_t
-dns_zone_setxfrsource6(dns_zone_t *zone, const isc_sockaddr_t *xfrsource);
+dns_zone_setxfrsource6(dns_zone_t *zone, isc_sockaddr_t *xfrsource);
+isc_result_t
+dns_zone_setaltxfrsource6(dns_zone_t *zone, isc_sockaddr_t *xfrsource);
 /*
  * 	Set the source address to be used in IPv6 zone transfers.
  *
@@ -543,6 +568,8 @@ dns_zone_setxfrsource6(dns_zone_t *zone, const isc_sockaddr_t *xfrsource);
 
 isc_sockaddr_t *
 dns_zone_getxfrsource6(dns_zone_t *zone);
+isc_sockaddr_t *
+dns_zone_getaltxfrsource6(dns_zone_t *zone);
 /*
  *	Returns the source address set by a previous dns_zone_setxfrsource6
  *	call, or the default of in6addr_any, port 0.
@@ -552,7 +579,7 @@ dns_zone_getxfrsource6(dns_zone_t *zone);
  */
 
 isc_result_t
-dns_zone_setnotifysrc4(dns_zone_t *zone, const isc_sockaddr_t *notifysrc);
+dns_zone_setnotifysrc4(dns_zone_t *zone, isc_sockaddr_t *notifysrc);
 /*
  * 	Set the source address to be used with IPv4 NOTIFY messages.
  *
@@ -575,7 +602,7 @@ dns_zone_getnotifysrc4(dns_zone_t *zone);
  */
 
 isc_result_t
-dns_zone_setnotifysrc6(dns_zone_t *zone, const isc_sockaddr_t *notifysrc);
+dns_zone_setnotifysrc6(dns_zone_t *zone, isc_sockaddr_t *notifysrc);
 /*
  * 	Set the source address to be used with IPv6 NOTIFY messages.
  *
@@ -757,6 +784,12 @@ dns_zone_clearxfracl(dns_zone_t *zone);
  *	'zone' to be a valid zone.
  */
 
+isc_boolean_t
+dns_zone_getupdatedisabled(dns_zone_t *zone);
+
+void
+dns_zone_setupdatedisabled(dns_zone_t *zone, isc_boolean_t state);
+
 void
 dns_zone_setchecknames(dns_zone_t *zone, dns_severity_t severity);
 /*
@@ -958,13 +991,6 @@ dns_zone_setidlein(dns_zone_t *zone, isc_uint32_t idlein);
  *
  * Requires:
  *	'zone' to be a valid zone.
- *
- * Returns:
- *	DNS_R_SUCCESS
- *	DNS_R_BADZONE	zone failed basic consistancy checks:
- *			* a single SOA must exist
- *			* some NS records must exist.
- *	Others
  */
 
 isc_uint32_t
@@ -1105,6 +1131,34 @@ dns_zone_first(dns_zonemgr_t *zmgr, dns_zone_t **first);
  */
 
 isc_result_t
+dns_zone_setkeydirectory(dns_zone_t *zone, const char *directory);
+/*
+ *	Sets the name of the directory where private keys used for
+ *	online signing of dynamic zones are found.
+ *
+ * Require:
+ *	'zone' to be a valid zone.
+ *
+ * Returns:
+ *	ISC_R_NOMEMORY
+ *	ISC_R_SUCCESS
+ */
+
+const char *
+dns_zone_getkeydirectory(dns_zone_t *zone);
+/*
+ * 	Gets the name of the directory where private keys used for
+ *	online signing of dynamic zones are found.
+ *
+ * Requires:
+ *	'zone' to be valid initialised zone.
+ *
+ * Returns:
+ *	Pointer to null-terminated file name, or NULL.
+ */
+
+
+isc_result_t
 dns_zonemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
 		   isc_timermgr_t *timermgr, isc_socketmgr_t *socketmgr,
 		   dns_zonemgr_t **zmgrp);
@@ -1136,6 +1190,12 @@ dns_zonemgr_forcemaint(dns_zonemgr_t *zmgr);
  */
 
 void
+dns_zonemgr_resumexfrs(dns_zonemgr_t *zmgr);
+/*
+ * Attempt to start any stalled zone transfers.
+ */
+
+void
 dns_zonemgr_shutdown(dns_zonemgr_t *zmgr);
 /*
  *	Shut down the zone manager.
@@ -1185,7 +1245,7 @@ dns_zonemgr_releasezone(dns_zonemgr_t *zmgr, dns_zone_t *zone);
 void
 dns_zonemgr_settransfersin(dns_zonemgr_t *zmgr, isc_uint32_t value);
 /*
- *	Set the maximum number of simultaneous transfers in allowed by
+ *	Set the maximum number of simultanious transfers in allowed by
  *	the zone manager.
  *
  * Requires:
@@ -1195,7 +1255,7 @@ dns_zonemgr_settransfersin(dns_zonemgr_t *zmgr, isc_uint32_t value);
 isc_uint32_t
 dns_zonemgr_getttransfersin(dns_zonemgr_t *zmgr);
 /*
- *	Return the the maximum number of simultaneous transfers in allowed.
+ *	Return the the maximum number of simultanious transfers in allowed.
  *
  * Requires:
  *	'zmgr' to be a valid zone manager.
@@ -1331,6 +1391,40 @@ dns_zone_log(dns_zone_t *zone, int level, const char *msg, ...)
  * the message as applying to 'zone'.
  */
 
+void
+dns_zone_logc(dns_zone_t *zone, isc_logcategory_t *category, int level,
+	      const char *msg, ...) ISC_FORMAT_PRINTF(4, 5);
+/*
+ * Log the message 'msg...' at 'level', including text that identifies
+ * the message as applying to 'zone'.
+ */
+
+void
+dns_zone_name(dns_zone_t *zone, char *buf, size_t len);
+/*
+ * Return the name of the zone with class and view.
+ * 
+ * Requires:
+ *	'zone' to be valid.
+ *	'buf' to be non NULL.
+ */
+
+isc_result_t
+dns_zone_checknames(dns_zone_t *zone, dns_name_t *name, dns_rdata_t *rdata);
+/*
+ * Check if this record meets the check-names policy.
+ *
+ * Requires:
+ *	'zone' to be valid.
+ *	'name' to be valid.
+ *	'rdata' to be valid.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS		passed checks.
+ *	DNS_R_BADOWNERNAME	failed ownername checks.
+ *	DNS_R_BADNAME		failed rdata checks.
+ */
+
 ISC_LANG_ENDDECLS
 
 #endif /* DNS_ZONE_H */
diff --git a/lib/dns/include/dns/zonekey.h b/lib/dns/include/dns/zonekey.h
index 857c3142..1ac90664 100644
--- a/lib/dns/include/dns/zonekey.h
+++ b/lib/dns/include/dns/zonekey.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zonekey.h,v 1.3.2.1 2004/03/09 06:11:25 marka Exp $ */
+/* $Id: zonekey.h,v 1.3.206.1 2004/03/06 08:14:01 marka Exp $ */
 
 #ifndef DNS_ZONEKEY_H
 #define DNS_ZONEKEY_H 1
diff --git a/lib/dns/include/dns/zt.h b/lib/dns/include/dns/zt.h
index e1de070b..fb435905 100644
--- a/lib/dns/include/dns/zt.h
+++ b/lib/dns/include/dns/zt.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zt.h,v 1.27.2.3 2004/03/09 06:11:25 marka Exp $ */
+/* $Id: zt.h,v 1.27.2.2.8.1 2004/03/06 08:14:01 marka Exp $ */
 
 #ifndef DNS_ZT_H
 #define DNS_ZT_H 1
diff --git a/lib/dns/journal.c b/lib/dns/journal.c
index 3a505ce0..76dfbc24 100644
--- a/lib/dns/journal.c
+++ b/lib/dns/journal.c
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: journal.c,v 1.77.2.5 2005/11/04 00:16:32 marka Exp $ */
+/* $Id: journal.c,v 1.77.2.1.10.6 2004/03/08 09:04:30 marka Exp $ */
 
 #include <config.h>
 
@@ -72,6 +72,8 @@ static isc_boolean_t bind8_compat = ISC_TRUE; /* XXX config */
 		if (result != ISC_R_SUCCESS) goto failure; 	\
 	} while (0)
 
+static isc_result_t index_to_disk(dns_journal_t *);
+
 static inline isc_uint32_t
 decode_uint32(unsigned char *p) {
 	return ((p[0] << 24) +
@@ -538,10 +540,9 @@ journal_file_create(isc_mem_t *mctx, const char *filename) {
 	return (ISC_R_SUCCESS);
 }
 
-
-isc_result_t
-dns_journal_open(isc_mem_t *mctx, const char *filename, isc_boolean_t write,
-		 dns_journal_t **journalp) {
+static isc_result_t
+journal_open(isc_mem_t *mctx, const char *filename, isc_boolean_t write,
+	     isc_boolean_t create, dns_journal_t **journalp) {
 	FILE *fp = NULL;
 	isc_result_t result;
 	journal_rawheader_t rawheader;
@@ -562,7 +563,7 @@ dns_journal_open(isc_mem_t *mctx, const char *filename, isc_boolean_t write,
 	result = isc_stdio_open(j->filename, write ? "rb+" : "rb", &fp);
 
 	if (result == ISC_R_FILENOTFOUND) {
-		if (write) {
+		if (create) {
 			isc_log_write(JOURNAL_COMMON_LOGARGS,
 				      ISC_LOG_INFO,
 				      "journal file %s does not exist, "
@@ -669,6 +670,12 @@ dns_journal_open(isc_mem_t *mctx, const char *filename, isc_boolean_t write,
 	return (result);
 }
 
+isc_result_t
+dns_journal_open(isc_mem_t *mctx, const char *filename, isc_boolean_t write,
+		 dns_journal_t **journalp) {
+	return (journal_open(mctx, filename, write, write, journalp));
+}
+
 /*
  * A comparison function defining the sorting order for
  * entries in the IXFR-style journal file.
@@ -728,6 +735,8 @@ journal_next(dns_journal_t *j, journal_pos_t *pos) {
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
+	if (pos->serial == j->header.end.serial)
+		return (ISC_R_NOMORE);
 	/*
 	 * Read the header of the current transaction.
 	 * This will return ISC_R_NOMORE if we are at EOF.
@@ -942,7 +951,7 @@ dns_journal_writediff(dns_journal_t *j, dns_diff_t *diff) {
 	REQUIRE(j->state == JOURNAL_STATE_TRANSACTION);
 
 	isc_log_write(JOURNAL_DEBUG_LOGARGS(3), "writing to journal");
-	dns_diff_print(diff, NULL);
+	(void)dns_diff_print(diff, NULL);
 
 	/*
 	 * Pass 1: determine the buffer size needed, and
@@ -1026,8 +1035,8 @@ dns_journal_commit(dns_journal_t *j) {
 	 */
 	if (j->x.n_soa != 2) {
 		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
-			      "%s: malformed transaction: %d SOAs",
-			      j->filename, j->x.n_soa);
+			      "malformed transaction: %d SOAs",
+			      j->x.n_soa);
 		return (ISC_R_UNEXPECTED);
 	}
 	if (! (DNS_SERIAL_GT(j->x.pos[1].serial, j->x.pos[0].serial) ||
@@ -1035,8 +1044,8 @@ dns_journal_commit(dns_journal_t *j) {
 		j->x.pos[1].serial == j->x.pos[0].serial)))
 	{
 		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
-			      "%s: malformed transaction: serial number "
-			      "would decrease", j->filename);
+			      "malformed transaction: serial number "
+			      "would decrease");
 		return (ISC_R_UNEXPECTED);
 	}
 	if (! JOURNAL_EMPTY(&j->header)) {
@@ -1104,24 +1113,7 @@ dns_journal_commit(dns_journal_t *j) {
 	 * Convert the index into on-disk format and write
 	 * it to disk.
 	 */
-	if (j->header.index_size != 0) {
-		unsigned int i;
-		unsigned char *p;
-		unsigned int rawbytes;
-
-		rawbytes = j->header.index_size * sizeof(journal_rawpos_t);
-
-		p = j->rawindex;
-		for (i = 0; i < j->header.index_size; i++) {
-			encode_uint32(j->index[i].serial, p);
-			p += 4;
-			encode_uint32(j->index[i].offset, p);
-			p += 4;
-		}
-		INSIST(p == j->rawindex + rawbytes);
-
-		CHECK(journal_write(j, j->rawindex, rawbytes));
-	}
+	CHECK(index_to_disk(j));
 
 	/*
 	 * Commit the header to stable storage.
@@ -1253,8 +1245,11 @@ roll_forward(dns_journal_t *j, dns_db_t *db) {
 		rdata = NULL;
 		dns_journal_current_rr(j, &name, &ttl, &rdata);
 
-		if (rdata->type == dns_rdatatype_soa)
+		if (rdata->type == dns_rdatatype_soa) {
 			n_soa++;
+			if (n_soa == 2)
+				db_serial = j->it.current_serial;
+		}
 
 		if (n_soa == 3)
 			n_soa = 1;
@@ -1271,9 +1266,9 @@ roll_forward(dns_journal_t *j, dns_db_t *db) {
 
 		if (++n_put > 100)  {
 			isc_log_write(JOURNAL_DEBUG_LOGARGS(3),
-				      "%s: applying diff to database",
-				      j->filename);
-			dns_diff_print(&diff, NULL);
+				      "applying diff to database (%u)",
+				      db_serial);
+			(void)dns_diff_print(&diff, NULL);
 			CHECK(dns_diff_apply(&diff, db, ver));
 			dns_diff_clear(&diff);
 			n_put = 0;
@@ -1285,9 +1280,9 @@ roll_forward(dns_journal_t *j, dns_db_t *db) {
 
 	if (n_put != 0) {
 		isc_log_write(JOURNAL_DEBUG_LOGARGS(3),
-			      "%s: applying final diff to database",
-			      j->filename);
-		dns_diff_print(&diff, NULL);
+			      "applying final diff to database (%u)",
+			      db_serial);
+		(void)dns_diff_print(&diff, NULL);
 		CHECK(dns_diff_apply(&diff, db, ver));
 		dns_diff_clear(&diff);
 	}
@@ -1357,8 +1352,7 @@ dns_journal_print(isc_mem_t *mctx, const char *filename, FILE *file) {
 
 	if (result != ISC_R_SUCCESS) {
 		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
-			      "journal open failure: %s: %s",
-			      isc_result_totext(result), j->filename);
+			      "journal open failure");
 		return (result);
 	}
 
@@ -1551,8 +1545,7 @@ read_one_rr(dns_journal_t *j) {
 		CHECK(journal_read_xhdr(j, &xhdr));
 		if (xhdr.size == 0) {
 			isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
-				      "%s: journal corrupt: empty transaction",
-				      j->filename);
+				      "journal corrupt: empty transaction");
 			FAIL(ISC_R_UNEXPECTED);
 		}
 		if (xhdr.serial0 != j->it.current_serial) {
@@ -1569,7 +1562,7 @@ read_one_rr(dns_journal_t *j) {
 	/*
 	 * Read an RR.
 	 */
-	CHECK(journal_read_rrhdr(j, &rrhdr));
+	result = journal_read_rrhdr(j, &rrhdr);
 	/*
 	 * Perform a sanity check on the journal RR size.
 	 * The smallest possible RR has a 1-byte owner name
@@ -1604,7 +1597,7 @@ read_one_rr(dns_journal_t *j) {
 	isc_buffer_setactive(&j->it.source,
 			     j->it.source.used - j->it.source.current);
 	CHECK(dns_name_fromwire(&j->it.name, &j->it.source,
-				&j->it.dctx, ISC_FALSE, &j->it.target));
+				&j->it.dctx, 0, &j->it.target));
 
 	/*
 	 * Check that the RR header is there, and parse it.
@@ -1624,7 +1617,7 @@ read_one_rr(dns_journal_t *j) {
 	dns_rdata_reset(&j->it.rdata);
 	CHECK(dns_rdata_fromwire(&j->it.rdata, rdclass,
 				 rdtype, &j->it.source, &j->it.dctx,
-				 ISC_FALSE, &j->it.target));
+				 0, &j->it.target));
 	j->it.ttl = ttl;
 
 	j->it.xpos += sizeof(journal_rawrrhdr_t) + rrhdr.size;
@@ -1902,11 +1895,228 @@ dns_db_diff(isc_mem_t *mctx,
 	}
 	INSIST(ISC_LIST_EMPTY(diff[0].tuples));
 	INSIST(ISC_LIST_EMPTY(diff[1].tuples));
-	dns_diff_clear(&resultdiff);
 
  failure:
+	dns_diff_clear(&resultdiff);
 	dns_dbiterator_destroy(&dbit[0]);
 	dns_dbiterator_destroy(&dbit[1]);
 	dns_journal_destroy(&journal);
 	return (result);
 }
+
+isc_result_t
+dns_journal_compact(isc_mem_t *mctx, char *filename, isc_uint32_t serial,
+		    isc_uint32_t target_size)
+{
+	unsigned int i;
+	journal_pos_t best_guess;
+	journal_pos_t current_pos;
+	dns_journal_t *j = NULL;
+	journal_rawheader_t rawheader;
+	unsigned int copy_length;
+	unsigned int len;
+	char *buf = NULL;
+	unsigned int size = 0;
+	isc_result_t result;
+	unsigned int indexend;
+
+	CHECK(journal_open(mctx, filename, ISC_TRUE, ISC_FALSE, &j));
+
+	if (JOURNAL_EMPTY(&j->header)) {
+		dns_journal_destroy(&j);
+		return (ISC_R_SUCCESS);
+	}
+		
+	if (DNS_SERIAL_GT(j->header.begin.serial, serial) ||
+	    DNS_SERIAL_GT(serial, j->header.end.serial)) {
+		dns_journal_destroy(&j);
+		return (ISC_R_RANGE);
+	}
+
+	/*
+	 * Cope with very small target sizes.
+	 */
+	indexend = sizeof(journal_rawheader_t) +
+		   j->header.index_size * sizeof(journal_rawpos_t);
+	if (target_size < indexend * 2)
+		target_size = target_size/2 + indexend;
+
+	/*
+	 * See if there is any work to do.
+	 */
+	if ((isc_uint32_t) j->header.end.offset < target_size) {
+		dns_journal_destroy(&j);
+		return (ISC_R_SUCCESS);
+	}
+	
+	/*
+	 * Remove overhead so space test below can succeed.
+	 */
+	if (target_size >= indexend)
+		target_size -= indexend;
+
+	/*
+	 * Find if we can create enough free space.
+	 */
+	best_guess = j->header.begin;
+	for (i = 0; i < j->header.index_size; i++) {
+		if (POS_VALID(j->index[i]) &&
+		    DNS_SERIAL_GE(serial, j->index[i].serial) &&
+		    ((isc_uint32_t)(j->header.end.offset - j->index[i].offset)
+		     >= target_size / 2) &&
+		    j->index[i].offset > best_guess.offset)
+			best_guess = j->index[i];
+	}
+
+	current_pos = best_guess;
+	while (current_pos.serial != serial) {
+		CHECK(journal_next(j, &current_pos));
+		if (current_pos.serial == j->header.end.serial)
+			break;
+
+		if (DNS_SERIAL_GE(serial, current_pos.serial) &&
+		   ((isc_uint32_t)(j->header.end.offset - current_pos.offset)
+		     >= (target_size / 2)) &&
+		    current_pos.offset > best_guess.offset)
+			best_guess = current_pos;
+		else
+			break;
+	}
+
+	INSIST(best_guess.serial != j->header.end.serial);
+	if (best_guess.serial != serial)
+		CHECK(journal_next(j, &best_guess));
+
+	/*
+	 * Enough space to proceed?
+	 */
+	if ((isc_uint32_t) (j->header.end.offset - best_guess.offset) >
+	     (isc_uint32_t) (best_guess.offset - indexend)) {
+		dns_journal_destroy(&j);
+		return (ISC_R_NOSPACE);
+	}
+
+	copy_length = j->header.end.offset - best_guess.offset;
+
+	/*
+	 * Invalidate entire index, will be rebuilt at end.
+	 */
+	for (i = 0; i < j->header.index_size; i++) {
+		if (POS_VALID(j->index[i]))
+			POS_INVALIDATE(j->index[i]);
+	}
+
+	/*
+	 * Convert the index into on-disk format and write
+	 * it to disk.
+	 */
+	CHECK(index_to_disk(j));
+	CHECK(journal_fsync(j));
+
+	/*
+	 * Update the journal header.
+	 */
+	if (copy_length == 0) {
+		j->header.begin.serial = 0;
+		j->header.end.serial = 0;
+		j->header.begin.offset = 0;
+		j->header.end.offset = 0;
+	} else {
+		j->header.begin = best_guess;
+	}
+	journal_header_encode(&j->header, &rawheader);
+	CHECK(journal_seek(j, 0));
+	CHECK(journal_write(j, &rawheader, sizeof(rawheader)));
+	CHECK(journal_fsync(j));
+
+	if (copy_length != 0) {
+		/*
+		 * Copy best_guess to end into space just freed.
+		 */
+		size = 64*1024;
+		if (copy_length < size)
+			size = copy_length;
+		buf = isc_mem_get(mctx, size);
+		if (buf == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto failure;
+		}
+	
+		for (i = 0; i < copy_length; i += size) {
+			len = (copy_length - i) > size ? size :
+							 (copy_length - i);
+			CHECK(journal_seek(j, best_guess.offset + i));
+			CHECK(journal_read(j, buf, len));
+			CHECK(journal_seek(j, indexend + i));
+			CHECK(journal_write(j, buf, len));
+		}
+
+		CHECK(journal_fsync(j));
+
+		/*
+		 * Compute new header.
+		 */
+		j->header.begin.offset = indexend;
+		j->header.end.offset = indexend + copy_length;
+		/*
+		 * Update the journal header.
+		 */
+		journal_header_encode(&j->header, &rawheader);
+		CHECK(journal_seek(j, 0));
+		CHECK(journal_write(j, &rawheader, sizeof(rawheader)));
+		CHECK(journal_fsync(j));
+
+		/*
+		 * Build new index.
+		 */
+		current_pos = j->header.begin;
+		while (current_pos.serial != j->header.end.serial) {
+			index_add(j, &current_pos);
+			CHECK(journal_next(j, &current_pos));
+		}
+
+		/*
+		 * Write index.
+		 */
+		CHECK(index_to_disk(j));
+		CHECK(journal_fsync(j));
+
+		indexend = j->header.end.offset;
+	}
+	dns_journal_destroy(&j);
+	(void)isc_file_truncate(filename, (isc_offset_t)indexend);
+	result = ISC_R_SUCCESS;
+
+ failure:
+	if (buf != NULL)
+		isc_mem_put(mctx, buf, size);
+	if (j != NULL)
+		dns_journal_destroy(&j);
+	return (result);
+}
+
+static isc_result_t
+index_to_disk(dns_journal_t *j) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+	if (j->header.index_size != 0) {
+		unsigned int i;
+		unsigned char *p;
+		unsigned int rawbytes;
+
+		rawbytes = j->header.index_size * sizeof(journal_rawpos_t);
+
+		p = j->rawindex;
+		for (i = 0; i < j->header.index_size; i++) {
+			encode_uint32(j->index[i].serial, p);
+			p += 4;
+			encode_uint32(j->index[i].offset, p);
+			p += 4;
+		}
+		INSIST(p == j->rawindex + rawbytes);
+
+		CHECK(journal_write(j, j->rawindex, rawbytes));
+	}
+failure:
+	return (result);
+}
diff --git a/lib/dns/keytable.c b/lib/dns/keytable.c
index 5ff8911a..922c09af 100644
--- a/lib/dns/keytable.c
+++ b/lib/dns/keytable.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: keytable.c,v 1.26.2.1 2004/03/09 06:11:02 marka Exp $ */
+/* $Id: keytable.c,v 1.26.12.3 2004/03/08 09:04:30 marka Exp $ */
 
 #include <config.h>
 
@@ -77,7 +77,7 @@ dns_keytable_create(isc_mem_t *mctx, dns_keytable_t **keytablep) {
 
 	REQUIRE(keytablep != NULL && *keytablep == NULL);
 
-	keytable = isc_mem_get(mctx, sizeof *keytable);
+	keytable = isc_mem_get(mctx, sizeof(*keytable));
 	if (keytable == NULL)
 		return (ISC_R_NOMEMORY);
 
@@ -119,7 +119,7 @@ dns_keytable_create(isc_mem_t *mctx, dns_keytable_t **keytablep) {
 	dns_rbt_destroy(&keytable->table);
 
    cleanup_keytable:
-	isc_mem_put(mctx, keytable, sizeof *keytable);
+	isc_mem_put(mctx, keytable, sizeof(*keytable));
 
 	return (result);
 }
@@ -175,7 +175,7 @@ dns_keytable_detach(dns_keytable_t **keytablep) {
 		isc_rwlock_destroy(&keytable->rwlock);
 		DESTROYLOCK(&keytable->lock);
 		keytable->magic = 0;
-		isc_mem_put(keytable->mctx, keytable, sizeof *keytable);
+		isc_mem_put(keytable->mctx, keytable, sizeof(*keytable));
 	}
 
 	*keytablep = NULL;
@@ -197,7 +197,7 @@ dns_keytable_add(dns_keytable_t *keytable, dst_key_t **keyp) {
 
 	keyname = dst_key_name(*keyp);
 
-	knode = isc_mem_get(keytable->mctx, sizeof *knode);
+	knode = isc_mem_get(keytable->mctx, sizeof(*knode));
 	if (knode == NULL)
 		return (ISC_R_NOMEMORY);
 
@@ -219,7 +219,7 @@ dns_keytable_add(dns_keytable_t *keytable, dst_key_t **keyp) {
 	RWUNLOCK(&keytable->rwlock, isc_rwlocktype_write);
 
 	if (knode != NULL)
-		isc_mem_put(keytable->mctx, knode, sizeof *knode);
+		isc_mem_put(keytable->mctx, knode, sizeof(*knode));
 
 	return (result);
 }
diff --git a/lib/dns/lib.c b/lib/dns/lib.c
index 1601b646..44490675 100644
--- a/lib/dns/lib.c
+++ b/lib/dns/lib.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lib.c,v 1.9.2.1 2004/03/09 06:11:02 marka Exp $ */
+/* $Id: lib.c,v 1.9.12.3 2004/03/08 09:04:30 marka Exp $ */
 
 #include <config.h>
 
@@ -31,7 +31,7 @@
  *** Globals
  ***/
 
-isc_msgcat_t *			dns_msgcat = NULL;
+LIBDNS_EXTERNAL_DATA isc_msgcat_t *			dns_msgcat = NULL;
 
 
 /***
diff --git a/lib/dns/log.c b/lib/dns/log.c
index 0c54e506..d240767c 100644
--- a/lib/dns/log.c
+++ b/lib/dns/log.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: log.c,v 1.33.2.5 2004/03/09 06:11:02 marka Exp $ */
+/* $Id: log.c,v 1.33.2.2.10.3 2004/03/06 08:13:39 marka Exp $ */
 
 /* Principal Authors: DCL */
 
@@ -33,7 +33,7 @@ LIBDNS_EXTERNAL_DATA isc_logcategory_t dns_categories[] = {
 	{ "notify", 	0 },
 	{ "database", 	0 },
 	{ "security", 	0 },
-	{ "oldconfig",  0 }, /* Placeholder */
+	{ "_placeholder", 0 },
 	{ "dnssec",	0 },
 	{ "resolver",	0 },
 	{ "xfer-in",	0 },
diff --git a/lib/dns/lookup.c b/lib/dns/lookup.c
index 70aad6b3..eb30b42d 100644
--- a/lib/dns/lookup.c
+++ b/lib/dns/lookup.c
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2004, 2006, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lookup.c,v 1.9.2.7 2007/03/06 02:10:58 tbox Exp $ */
+/* $Id: lookup.c,v 1.9.12.4 2004/03/08 21:06:26 marka Exp $ */
 
 #include <config.h>
 
@@ -154,6 +154,11 @@ build_event(dns_lookup_t *lookup) {
 			dns_rdataset_disassociate(rdataset);
 		isc_mem_put(lookup->mctx, rdataset, sizeof(dns_rdataset_t));
 	}
+	if (sigrdataset != NULL) {
+		if (dns_rdataset_isassociated(sigrdataset))
+			dns_rdataset_disassociate(sigrdataset);
+		isc_mem_put(lookup->mctx, sigrdataset, sizeof(dns_rdataset_t));
+	}
 	return (result);
 }
 
@@ -163,7 +168,7 @@ view_find(dns_lookup_t *lookup, dns_name_t *foundname) {
 	dns_name_t *name = dns_fixedname_name(&lookup->name);
 	dns_rdatatype_t type;
 
-	if (lookup->type == dns_rdatatype_sig)
+	if (lookup->type == dns_rdatatype_rrsig)
 		type = dns_rdatatype_any;
 	else
 		type = lookup->type;
@@ -179,11 +184,11 @@ static void
 lookup_find(dns_lookup_t *lookup, dns_fetchevent_t *event) {
 	isc_result_t result;
 	isc_boolean_t want_restart;
-	isc_boolean_t send_event;
+	isc_boolean_t send_event = ISC_FALSE;
 	dns_name_t *name, *fname, *prefix;
 	dns_fixedname_t foundname, fixed;
 	dns_rdata_t rdata = DNS_RDATA_INIT;
-	unsigned int nlabels, nbits;
+	unsigned int nlabels;
 	int order;
 	dns_namereln_t namereln;
 	dns_rdata_cname_t cname;
@@ -199,7 +204,6 @@ lookup_find(dns_lookup_t *lookup, dns_fetchevent_t *event) {
 	do {
 		lookup->restarts++;
 		want_restart = ISC_FALSE;
-		send_event = ISC_TRUE;
 
 		if (event == NULL && !lookup->canceled) {
 			dns_fixedname_init(&foundname);
@@ -207,15 +211,6 @@ lookup_find(dns_lookup_t *lookup, dns_fetchevent_t *event) {
 			INSIST(!dns_rdataset_isassociated(&lookup->rdataset));
 			INSIST(!dns_rdataset_isassociated
 						(&lookup->sigrdataset));
-			/*
-			 * If we have restarted then clear the old node.				 */
-			if  (lookup->event->node != NULL) {
-				INSIST(lookup->event->db != NULL);
-				dns_db_detachnode(lookup->event->db,
-						 &lookup->event->node);
-			}
-			if (lookup->event->db != NULL)
-				dns_db_detach(&lookup->event->db);
 			result = view_find(lookup, fname);
 			if (result == ISC_R_NOTFOUND) {
 				/*
@@ -230,18 +225,17 @@ lookup_find(dns_lookup_t *lookup, dns_fetchevent_t *event) {
 				if (lookup->event->db != NULL)
 					dns_db_detach(&lookup->event->db);
 				result = start_fetch(lookup);
-				if (result == ISC_R_SUCCESS)
-					send_event = ISC_FALSE;
+				if (result != ISC_R_SUCCESS)
+					send_event = ISC_TRUE;
 				goto done;
 			}
-		} else if (event != NULL) {
+		} else {
 			result = event->result;
 			fname = dns_fixedname_name(&event->foundname);
 			dns_resolver_destroyfetch(&lookup->fetch);
 			INSIST(event->rdataset == &lookup->rdataset);
 			INSIST(event->sigrdataset == &lookup->sigrdataset);
-		} else
-			fname = NULL;	/* Silence compiler warning. */
+		}
 
 		/*
 		 * If we've been canceled, forget about the result.
@@ -252,6 +246,7 @@ lookup_find(dns_lookup_t *lookup, dns_fetchevent_t *event) {
 		switch (result) {
 		case ISC_R_SUCCESS:
 			result = build_event(lookup);
+			send_event = ISC_TRUE;
 			if (event == NULL)
 				break;
 			if (event->db != NULL)
@@ -276,14 +271,12 @@ lookup_find(dns_lookup_t *lookup, dns_fetchevent_t *event) {
 				break;
 			result = dns_name_copy(&cname.cname, name, NULL);
 			dns_rdata_freestruct(&cname);
-			if (result == ISC_R_SUCCESS) {
+			if (result == ISC_R_SUCCESS)
 				want_restart = ISC_TRUE;
-				send_event = ISC_FALSE;
-			}
 			break;
 		case DNS_R_DNAME:
 			namereln = dns_name_fullcompare(name, fname, &order,
-							&nlabels, &nbits);
+							&nlabels);
 			INSIST(namereln == dns_namereln_subdomain);
 			/*
 			 * Get the target name of the DNAME.
@@ -301,19 +294,12 @@ lookup_find(dns_lookup_t *lookup, dns_fetchevent_t *event) {
 			 */
 			dns_fixedname_init(&fixed);
 			prefix = dns_fixedname_name(&fixed);
-			result = dns_name_split(name, nlabels, nbits, prefix,
-						NULL);
-			if (result != ISC_R_SUCCESS) {
-				dns_rdata_freestruct(&dname);
-				break;
-			}
+			dns_name_split(name, nlabels, prefix, NULL);
 			result = dns_name_concatenate(prefix, &dname.dname,
 						      name, NULL);
 			dns_rdata_freestruct(&dname);
-			if (result == ISC_R_SUCCESS) {
+			if (result == ISC_R_SUCCESS)
 				want_restart = ISC_TRUE;
-				send_event = ISC_FALSE;
-			}
 			break;
 		default:
 			send_event = ISC_TRUE;
@@ -330,7 +316,7 @@ lookup_find(dns_lookup_t *lookup, dns_fetchevent_t *event) {
 				dns_db_detachnode(event->db, &event->node);
 			if (event->db != NULL)
 				dns_db_detach(&event->db);
-			isc_event_free(ISC_EVENT_PTR(&event));
+			isc_event_free((isc_event_t **) (void *)&event);
 		}
 
 		/*
@@ -384,6 +370,7 @@ levent_destroy(isc_event_t *event) {
 	isc_mem_put(mctx, event, event->ev_size);
 }
 
+
 isc_result_t
 dns_lookup_create(isc_mem_t *mctx, dns_name_t *name, dns_rdatatype_t type,
 		  dns_view_t *view, unsigned int options, isc_task_t *task,
@@ -393,14 +380,14 @@ dns_lookup_create(isc_mem_t *mctx, dns_name_t *name, dns_rdatatype_t type,
 	dns_lookup_t *lookup;
 	isc_event_t *ievent;
 
-	lookup = isc_mem_get(mctx, sizeof *lookup);
+	lookup = isc_mem_get(mctx, sizeof(*lookup));
 	if (lookup == NULL)
 		return (ISC_R_NOMEMORY);
 	lookup->mctx = mctx;
 	lookup->options = options;
 
 	ievent = isc_event_allocate(mctx, lookup, DNS_EVENT_LOOKUPDONE,
-				    action, arg, sizeof *lookup->event);
+				    action, arg, sizeof(*lookup->event));
 	if (ievent == NULL) {
 		result = ISC_R_NOMEMORY;
 		goto cleanup_lookup;
@@ -455,7 +442,7 @@ dns_lookup_create(isc_mem_t *mctx, dns_name_t *name, dns_rdatatype_t type,
 	isc_task_detach(&lookup->task);
 
  cleanup_lookup:
-	isc_mem_put(mctx, lookup, sizeof *lookup);
+	isc_mem_put(mctx, lookup, sizeof(*lookup));
 
 	return (result);
 }
@@ -494,7 +481,7 @@ dns_lookup_destroy(dns_lookup_t **lookupp) {
 
 	DESTROYLOCK(&lookup->lock);
 	lookup->magic = 0;
-	isc_mem_put(lookup->mctx, lookup, sizeof *lookup);
+	isc_mem_put(lookup->mctx, lookup, sizeof(*lookup));
 
 	*lookupp = NULL;
 }
diff --git a/lib/dns/master.c b/lib/dns/master.c
index 1e3aae63..db578f05 100644
--- a/lib/dns/master.c
+++ b/lib/dns/master.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: master.c,v 1.122.2.14 2007/05/16 07:00:23 marka Exp $ */
+/* $Id: master.c,v 1.122.2.8.2.13 2004/03/08 02:07:53 marka Exp $ */
 
 #include <config.h>
 
@@ -95,6 +95,7 @@ struct dns_loadctx {
 	unsigned int		magic;
 	isc_mem_t		*mctx;
 	isc_lex_t		*lex;
+	isc_boolean_t		keep_lex;
 	dns_rdatacallbacks_t	*callbacks;
 	isc_task_t		*task;
 	dns_loaddonefunc_t	done;
@@ -103,6 +104,7 @@ struct dns_loadctx {
 	isc_boolean_t		ttl_known;
 	isc_boolean_t		default_ttl_known;
 	isc_boolean_t		warn_1035;
+	isc_boolean_t		warn_tcr;
 	isc_boolean_t		warn_sigexpired;
 	isc_boolean_t		seen_include;
 	isc_uint32_t		ttl;
@@ -139,6 +141,8 @@ struct dns_incctx {
 #define DNS_LCTX_MAGIC ISC_MAGIC('L','c','t','x')
 #define DNS_LCTX_VALID(lctx) ISC_MAGIC_VALID(lctx, DNS_LCTX_MAGIC)
 
+#define DNS_AS_STR(t) ((t).value.as_textregion.base)
+
 static isc_result_t
 pushfile(const char *master_file, dns_name_t *origin, dns_loadctx_t *lctx);
 
@@ -242,8 +246,7 @@ loadctx_destroy(dns_loadctx_t *lctx);
 
 #define MANYERRS(lctx, result) \
 		((result != ISC_R_SUCCESS) && \
-		 (result != ISC_R_IOERROR) && \
-		 ((lctx)->options & DNS_MASTER_MANYERRORS) != 0)
+		((lctx)->options & DNS_MASTER_MANYERRORS) != 0)
 
 #define SETRESULT(lctx, r) \
 		do { \
@@ -269,6 +272,44 @@ loadctx_destroy(dns_loadctx_t *lctx);
 				    "dns_master_load", \
 				    source, line, dns_result_totext(result))
 
+
+static unsigned char in_addr_arpa_data[]  = "\007IN-ADDR\004ARPA";
+static unsigned char in_addr_arpa_offsets[] = { 0, 8, 13 };
+static const dns_name_t in_addr_arpa =
+{
+	DNS_NAME_MAGIC,
+	in_addr_arpa_data, 14, 3,
+	DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
+	in_addr_arpa_offsets, NULL,
+	{(void *)-1, (void *)-1},
+	{NULL, NULL}
+};
+
+static unsigned char ip6_int_data[]  = "\003IP6\003INT";
+static unsigned char ip6_int_offsets[] = { 0, 4, 8 };
+static const dns_name_t ip6_int =
+{
+	DNS_NAME_MAGIC,
+	ip6_int_data, 9, 3,
+	DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
+	ip6_int_offsets, NULL,
+	{(void *)-1, (void *)-1},
+	{NULL, NULL}
+};
+
+static unsigned char ip6_arpa_data[]  = "\003IP6\004ARPA";
+static unsigned char ip6_arpa_offsets[] = { 0, 4, 9 };
+static const dns_name_t ip6_arpa =
+{
+	DNS_NAME_MAGIC,
+	ip6_arpa_data, 10, 3,
+	DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
+	ip6_arpa_offsets, NULL,
+	{(void *)-1, (void *)-1},
+	{NULL, NULL}
+};
+
+
 static inline isc_result_t
 gettoken(isc_lex_t *lex, unsigned int options, isc_token_t *token,
 	 isc_boolean_t eol, dns_rdatacallbacks_t *callbacks)
@@ -353,7 +394,7 @@ incctx_destroy(isc_mem_t *mctx, dns_incctx_t *ictx) {
 	parent = ictx->parent;
 	ictx->parent = NULL;
 
-	isc_mem_put(mctx, ictx, sizeof *ictx);
+	isc_mem_put(mctx, ictx, sizeof(*ictx));
 
 	if (parent != NULL) {
 		ictx = parent;
@@ -371,10 +412,10 @@ loadctx_destroy(dns_loadctx_t *lctx) {
 	if (lctx->inc != NULL)
 		incctx_destroy(lctx->mctx, lctx->inc);
 
-	if (lctx->lex != NULL) {
-		/* isc_lex_destroy() will close all open streams */
+	/* isc_lex_destroy() will close all open streams */
+	if (lctx->lex != NULL && !lctx->keep_lex)
 		isc_lex_destroy(&lctx->lex);
-	}
+
 	if (lctx->task != NULL)
 		isc_task_detach(&lctx->task);
 	DESTROYLOCK(&lctx->lock);
@@ -391,7 +432,7 @@ incctx_create(isc_mem_t *mctx, dns_name_t *origin, dns_incctx_t **ictxp) {
 	isc_region_t r;
 	int i;
 
-	ictx = isc_mem_get(mctx, sizeof *ictx);
+	ictx = isc_mem_get(mctx, sizeof(*ictx));
 	if (ictx == NULL)
 		return (ISC_R_NOMEMORY);
 
@@ -423,7 +464,7 @@ static isc_result_t
 loadctx_create(isc_mem_t *mctx, unsigned int options, dns_name_t *top,
 	       dns_rdataclass_t zclass, dns_name_t *origin,
 	       dns_rdatacallbacks_t *callbacks, isc_task_t *task,
-	       dns_loaddonefunc_t done, void *done_arg,
+	       dns_loaddonefunc_t done, void *done_arg, isc_lex_t *lex,
 	       dns_loadctx_t **lctxp)
 {
 	dns_loadctx_t *lctx;
@@ -447,7 +488,7 @@ loadctx_create(isc_mem_t *mctx, unsigned int options, dns_name_t *top,
 		return (ISC_R_NOMEMORY);
 	result = isc_mutex_init(&lctx->lock);
 	if (result != ISC_R_SUCCESS) {
-		isc_mem_put(mctx, lctx, sizeof *lctx);
+		isc_mem_put(mctx, lctx, sizeof(*lctx));
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
 				 "isc_mutex_init() failed: %s",
 				 isc_result_totext(result));
@@ -459,22 +500,29 @@ loadctx_create(isc_mem_t *mctx, unsigned int options, dns_name_t *top,
 	if (result != ISC_R_SUCCESS) 
 		goto cleanup_ctx;
 
-	lctx->lex = NULL;
-	result = isc_lex_create(mctx, TOKENSIZ, &lctx->lex);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_inc;
-	memset(specials, 0, sizeof specials);
-	specials['('] = 1;
-	specials[')'] = 1;
-	specials['"'] = 1;
-	isc_lex_setspecials(lctx->lex, specials);
-	isc_lex_setcomments(lctx->lex, ISC_LEXCOMMENT_DNSMASTERFILE);
+	if (lex != NULL) {
+		lctx->lex = lex;
+		lctx->keep_lex = ISC_TRUE;
+	} else {
+		lctx->lex = NULL;
+		result = isc_lex_create(mctx, TOKENSIZ, &lctx->lex);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup_inc;
+		lctx->keep_lex = ISC_FALSE;
+		memset(specials, 0, sizeof(specials));
+		specials['('] = 1;
+		specials[')'] = 1;
+		specials['"'] = 1;
+		isc_lex_setspecials(lctx->lex, specials);
+		isc_lex_setcomments(lctx->lex, ISC_LEXCOMMENT_DNSMASTERFILE);
+	}
 
 	lctx->ttl_known = ISC_FALSE;
 	lctx->ttl = 0;
 	lctx->default_ttl_known = ISC_FALSE;
 	lctx->default_ttl = 0;
 	lctx->warn_1035 = ISC_TRUE;	/* XXX Argument? */
+	lctx->warn_tcr = ISC_TRUE;	/* XXX Argument? */
 	lctx->warn_sigexpired = ISC_TRUE;	/* XXX Argument? */
 	lctx->options = options;
 	lctx->seen_include = ISC_FALSE;
@@ -688,7 +736,7 @@ generate(dns_loadctx_t *lctx, char *range, char *lhs, char *gtype, char *rhs,
 		isc_buffer_add(&buffer, strlen(lhsbuf));
 		isc_buffer_setactive(&buffer, strlen(lhsbuf));
 		result = dns_name_fromtext(owner, &buffer, ictx->origin,
-					   ISC_FALSE, NULL);
+					   0, NULL);
 		if (result != ISC_R_SUCCESS)
 			goto error_cleanup;
 
@@ -702,7 +750,7 @@ generate(dns_loadctx_t *lctx, char *range, char *lhs, char *gtype, char *rhs,
 			 * Ignore out-of-zone data.
 			 */
 			(*callbacks->warn)(callbacks,
-					   "dns_master_load: %s:%lu: "
+					   "%s:%lu: "
 					   "ignoring out-of-zone data (%s)",
 					   source, line, namebuf);
 			continue;
@@ -718,9 +766,9 @@ generate(dns_loadctx_t *lctx, char *range, char *lhs, char *gtype, char *rhs,
 
 		isc_buffer_init(&target, target_mem, target_size);
 		result = dns_rdata_fromtext(&rdata, lctx->zclass, type,
-					    lctx->lex, ictx->origin, ISC_FALSE,
+					    lctx->lex, ictx->origin, 0,
 					    lctx->mctx, &target, callbacks);
-		isc_lex_close(lctx->lex);
+		RUNTIME_CHECK(isc_lex_close(lctx->lex) == ISC_R_SUCCESS);
 		if (result != ISC_R_SUCCESS)
 			goto error_cleanup;
 
@@ -777,6 +825,44 @@ limit_ttl(dns_rdatacallbacks_t *callbacks, const char *source, unsigned int line
 }
 
 static isc_result_t
+check_ns(dns_loadctx_t *lctx, isc_token_t *token, const char *source,
+	 unsigned long line)
+{
+	char *tmp = NULL;
+	isc_result_t result = ISC_R_SUCCESS;
+	void (*callback)(struct dns_rdatacallbacks *, const char *, ...);
+
+	if ((lctx->options & DNS_MASTER_FATALNS) != 0)
+		callback = lctx->callbacks->error;
+	else
+		callback = lctx->callbacks->warn;
+		
+	if (token->type == isc_tokentype_string) {
+		struct in_addr addr;
+		struct in6_addr addr6;
+
+		tmp = isc_mem_strdup(lctx->mctx, DNS_AS_STR(*token));
+		if (tmp == NULL)
+			return (ISC_R_NOMEMORY);
+		/*
+		 * Catch both "1.2.3.4" and "1.2.3.4."
+		 */
+		if (tmp[strlen(tmp) - 1] == '.')
+			tmp[strlen(tmp) - 1] = '\0';
+		if (inet_aton(tmp, &addr) == 1 ||
+		    inet_pton(AF_INET6, tmp, &addr6) == 1)
+			result = DNS_R_NSISADDRESS;
+	}
+	if (result != ISC_R_SUCCESS)
+		(*callback)(lctx->callbacks, "%s:%lu: NS record '%s' "
+			    "appears to be an address",
+			    source, line, DNS_AS_STR(*token));
+	if (tmp != NULL)
+		isc_mem_free(lctx->mctx, tmp);
+	return (result);
+}
+
+static isc_result_t
 load(dns_loadctx_t *lctx) {
 	dns_rdataclass_t rdclass;
 	dns_rdatatype_t type, covers;
@@ -823,6 +909,9 @@ load(dns_loadctx_t *lctx) {
 	unsigned long line = 0;
 	isc_boolean_t explicit_ttl;
 	isc_stdtime_t now;
+	char classname1[DNS_RDATACLASS_FORMATSIZE];
+	char classname2[DNS_RDATACLASS_FORMATSIZE];
+	unsigned int options = 0;
 
 	REQUIRE(DNS_LCTX_VALID(lctx));
 	callbacks = lctx->callbacks;
@@ -846,6 +935,10 @@ load(dns_loadctx_t *lctx) {
 	isc_buffer_init(&target, target_mem, target_size);
 	target_save = target;
 
+	if ((lctx->options & DNS_MASTER_CHECKNAMES) != 0)
+		options |= DNS_RDATA_CHECKNAMES;
+	if ((lctx->options & DNS_MASTER_CHECKNAMESFAIL) != 0)
+		options |= DNS_RDATA_CHECKNAMESFAIL;
 	source = isc_lex_getsourcename(lctx->lex);
 	do {
 		initialws = ISC_FALSE;
@@ -862,7 +955,7 @@ load(dns_loadctx_t *lctx) {
 				lctx->inc = ictx->parent;
 				ictx->parent = NULL;
 				incctx_destroy(lctx->mctx, ictx);
-				isc_lex_close(lctx->lex);
+				RUNTIME_CHECK(isc_lex_close(lctx->lex) == ISC_R_SUCCESS);
 				line = isc_lex_getsourceline(lctx->lex);
 				source = isc_lex_getsourcename(lctx->lex);
 				ictx = lctx->inc;
@@ -896,11 +989,10 @@ load(dns_loadctx_t *lctx) {
 			 * across the normal domain name processing.
 			 */
 
-			if (strcasecmp(token.value.as_pointer,
-				       "$ORIGIN") == 0) {
+			if (strcasecmp(DNS_AS_STR(token), "$ORIGIN") == 0) {
 				GETTOKEN(lctx->lex, 0, &token, ISC_FALSE);
 				finish_origin = ISC_TRUE;
-			} else if (strcasecmp(token.value.as_pointer,
+			} else if (strcasecmp(DNS_AS_STR(token),
 					      "$TTL") == 0) {
 				GETTOKEN(lctx->lex, 0, &token, ISC_FALSE);
 				result =
@@ -916,10 +1008,12 @@ load(dns_loadctx_t *lctx) {
 				lctx->default_ttl_known = ISC_TRUE;
 				EXPECTEOL;
 				continue;
-			} else if (strcasecmp(token.value.as_pointer,
+			} else if (strcasecmp(DNS_AS_STR(token),
 					      "$INCLUDE") == 0) {
 				COMMITALL;
-				if ((lctx->options & DNS_MASTER_NOINCLUDE) != 0) {
+				if ((lctx->options & DNS_MASTER_NOINCLUDE)
+				    != 0)
+				{
 					(callbacks->error)(callbacks,
 					   "%s: %s:%lu: $INCLUDE not allowed",
 					   "dns_master_load",
@@ -941,7 +1035,7 @@ load(dns_loadctx_t *lctx) {
 				if (include_file != NULL)
 					isc_mem_free(mctx, include_file);
 				include_file = isc_mem_strdup(mctx,
-						token.value.as_pointer);
+							   DNS_AS_STR(token));
 				if (include_file == NULL) {
 					result = ISC_R_NOMEMORY;
 					goto log_and_cleanup;
@@ -978,14 +1072,14 @@ load(dns_loadctx_t *lctx) {
 				 * the actual inclusion later.
 				 */
 				finish_include = ISC_TRUE;
-			} else if (strcasecmp(token.value.as_pointer,
+			} else if (strcasecmp(DNS_AS_STR(token),
 					      "$DATE") == 0) {
 				isc_int64_t dump_time64;
 				isc_stdtime_t dump_time, current_time;
 				GETTOKEN(lctx->lex, 0, &token, ISC_FALSE);
 				isc_stdtime_get(&current_time);
-				result = dns_time64_fromtext(token.value.
-					     as_pointer, &dump_time64);
+				result = dns_time64_fromtext(DNS_AS_STR(token),
+							     &dump_time64);
 				if (MANYERRS(lctx, result)) {
 					SETRESULT(lctx, result);
 					LOGIT(result);
@@ -1010,27 +1104,9 @@ load(dns_loadctx_t *lctx) {
 				ttl_offset = current_time - dump_time;
 				EXPECTEOL;
 				continue;
-			} else if (strcasecmp(token.value.as_pointer,
+			} else if (strcasecmp(DNS_AS_STR(token),
 					      "$GENERATE") == 0) {
 				/*
-				 * Use default ttl if known otherwise
-				 * inherit or error.
-				 */
-				if (!lctx->ttl_known &&
-				    !lctx->default_ttl_known) {
-					(*callbacks->error)(callbacks,
-					    "%s: %s:%lu: no TTL specified",
-					    "dns_master_load", source, line);
-					result = DNS_R_NOTTL;
-					if (MANYERRS(lctx, result)) {
-						SETRESULT(lctx, result);
-						lctx->ttl = 0;
-					} else if (result != ISC_R_SUCCESS)
-						goto insist_and_cleanup;
-				} else if (lctx->default_ttl_known) {
-					lctx->ttl = lctx->default_ttl;
-				}
-				/*
 				 * Lazy cleanup.
 				 */
 				if (range != NULL)
@@ -1041,39 +1117,86 @@ load(dns_loadctx_t *lctx) {
 					isc_mem_free(mctx, gtype);
 				if (rhs != NULL)
 					isc_mem_free(mctx, rhs);
-				range = lhs = gtype = rhs = NULL;
 				/* RANGE */
 				GETTOKEN(lctx->lex, 0, &token, ISC_FALSE);
 				range = isc_mem_strdup(mctx,
-						     token.value.as_pointer);
+						     DNS_AS_STR(token));
 				if (range == NULL) {
 					result = ISC_R_NOMEMORY;
 					goto log_and_cleanup;
 				}
 				/* LHS */
 				GETTOKEN(lctx->lex, 0, &token, ISC_FALSE);
-				lhs = isc_mem_strdup(mctx,
-						    token.value.as_pointer);
+				lhs = isc_mem_strdup(mctx, DNS_AS_STR(token));
 				if (lhs == NULL) {
 					result = ISC_R_NOMEMORY;
 					goto log_and_cleanup;
 				}
-				/* TYPE */
+				rdclass = 0;
+				explicit_ttl = ISC_FALSE;
+				/* CLASS? */
 				GETTOKEN(lctx->lex, 0, &token, ISC_FALSE);
+				if (dns_rdataclass_fromtext(&rdclass,
+                                            &token.value.as_textregion)
+						== ISC_R_SUCCESS) {
+					GETTOKEN(lctx->lex, 0, &token,
+						 ISC_FALSE);
+				}
+				/* TTL? */
+				if (dns_ttl_fromtext(&token.value.as_textregion,
+						     &lctx->ttl)
+						== ISC_R_SUCCESS) {
+					limit_ttl(callbacks, source, line,
+						  &lctx->ttl);
+					lctx->ttl_known = ISC_TRUE;
+					explicit_ttl = ISC_TRUE;
+					GETTOKEN(lctx->lex, 0, &token,
+						 ISC_FALSE);
+				}
+				/* CLASS? */
+				if (rdclass == 0 &&
+				    dns_rdataclass_fromtext(&rdclass,
+						    &token.value.as_textregion)
+						== ISC_R_SUCCESS)
+					GETTOKEN(lctx->lex, 0, &token,
+						 ISC_FALSE);
+				/* TYPE */
 				gtype = isc_mem_strdup(mctx,
-						       token.value.as_pointer);
+						       DNS_AS_STR(token));
 				if (gtype == NULL) {
 					result = ISC_R_NOMEMORY;
 					goto log_and_cleanup;
 				}
 				/* RHS */
 				GETTOKEN(lctx->lex, 0, &token, ISC_FALSE);
-				rhs = isc_mem_strdup(mctx,
-						     token.value.as_pointer);
+				rhs = isc_mem_strdup(mctx, DNS_AS_STR(token));
 				if (rhs == NULL) {
 					result = ISC_R_NOMEMORY;
 					goto log_and_cleanup;
 				}
+				if (!lctx->ttl_known &&
+				    !lctx->default_ttl_known) {
+					(*callbacks->error)(callbacks,
+					    "%s: %s:%lu: no TTL specified",
+					    "dns_master_load", source, line);
+					result = DNS_R_NOTTL;
+					if (MANYERRS(lctx, result)) {
+						SETRESULT(lctx, result);
+						lctx->ttl = 0;
+					} else if (result != ISC_R_SUCCESS)
+						goto insist_and_cleanup;
+				} else if (!explicit_ttl &&
+					   lctx->default_ttl_known) {
+					lctx->ttl = lctx->default_ttl;
+				}
+				/*
+				 * If the class specified does not match the
+				 * zone's class print out a error message and
+				 * exit.
+				 */
+				if (rdclass != 0 && rdclass != lctx->zclass) {
+					goto bad_class;
+				}
 				result = generate(lctx, range, lhs, gtype, rhs,
 						  source, line);
 				if (MANYERRS(lctx, result)) {
@@ -1082,13 +1205,13 @@ load(dns_loadctx_t *lctx) {
 					goto insist_and_cleanup;
 				EXPECTEOL;
 				continue;
-			} else if (strncasecmp(token.value.as_pointer,
+			} else if (strncasecmp(DNS_AS_STR(token),
 					       "$", 1) == 0) {
 				(callbacks->error)(callbacks,
 					   "%s: %s:%lu: "
 					   "unknown $ directive '%s'",
 					   "dns_master_load", source, line,
-					   token.value.as_pointer);
+					   DNS_AS_STR(token));
 				result = DNS_R_SYNTAX;
 				if (MANYERRS(lctx, result)) {
 					SETRESULT(lctx, result);
@@ -1101,7 +1224,7 @@ load(dns_loadctx_t *lctx) {
 			 *
 			 * Find a free name buffer.
 			 */
-			for (new_in_use = 0; new_in_use < NBUFS ; new_in_use++)
+			for (new_in_use = 0; new_in_use < NBUFS; new_in_use++)
 				if (!ictx->in_use[new_in_use])
 					break;
 			INSIST(new_in_use < NBUFS);
@@ -1116,7 +1239,7 @@ load(dns_loadctx_t *lctx) {
 					  ictx->origin, ISC_FALSE, NULL);
 			if (MANYERRS(lctx, result)) {
 				SETRESULT(lctx, result);
-				LOGITFILE(result, include_file);
+				LOGIT(result);
 				read_till_eol = ISC_TRUE;
 				continue;
 			} else if (result != ISC_R_SUCCESS)
@@ -1235,7 +1358,7 @@ load(dns_loadctx_t *lctx) {
 				 * Ignore out-of-zone data.
 				 */
 				(*callbacks->warn)(callbacks,
-				       "dns_master_load: %s:%lu: "
+				       "%s:%lu: "
 				       "ignoring out-of-zone data (%s)",
 				       source, line, namebuf);
 				ictx->drop = ISC_TRUE;
@@ -1244,7 +1367,7 @@ load(dns_loadctx_t *lctx) {
 		} else {
 			UNEXPECTED_ERROR(__FILE__, __LINE__,
 					 "%s:%lu: isc_lex_gettoken() returned "
-					 "unexpected token type (%d)",
+					 "unexpeced token type (%d)",
 					 source, line, token.type);
 			result = ISC_R_UNEXPECTED;
 			if (MANYERRS(lctx, result)) {
@@ -1284,8 +1407,7 @@ load(dns_loadctx_t *lctx) {
 
 			if (ictx->current == NULL) {
 				(*callbacks->error)(callbacks,
-					"%s: %s:%lu: no current owner name",
-					"dns_master_load",
+					"%s:%lu: no current owner name",
 					source, line);
 				result = DNS_R_NOOWNER;
 				if (MANYERRS(lctx, result)) {
@@ -1345,8 +1467,8 @@ load(dns_loadctx_t *lctx) {
 						&token.value.as_textregion);
 		if (result != ISC_R_SUCCESS) {
 			(*callbacks->warn)(callbacks,
-				   "%s: %s:%lu: unknown RR type '%.*s'",
-				   "dns_master_load", source, line,
+				   "%s:%lu: unknown RR type '%.*s'",
+				   source, line,
 				   token.value.as_textregion.length,
 				   token.value.as_textregion.base);
 			if (MANYERRS(lctx, result)) {
@@ -1362,17 +1484,16 @@ load(dns_loadctx_t *lctx) {
 		 * print out a error message and exit.
 		 */
 		if (rdclass != 0 && rdclass != lctx->zclass) {
-			char classname1[DNS_RDATACLASS_FORMATSIZE];
-			char classname2[DNS_RDATACLASS_FORMATSIZE];
+  bad_class:
 
 			dns_rdataclass_format(rdclass, classname1,
 					      sizeof(classname1));
 			dns_rdataclass_format(lctx->zclass, classname2,
 					      sizeof(classname2));
 			(*callbacks->error)(callbacks,
-					    "%s: %s:%lu: class '%s' != "
+					    "%s:%lu: class '%s' != "
 					    "zone class '%s'",
-					    "dns_master_load", source, line,
+					    source, line,
 					    classname1, classname2);
 			result = DNS_R_BADCLASS;
 			if (MANYERRS(lctx, result)) {
@@ -1387,6 +1508,29 @@ load(dns_loadctx_t *lctx) {
 			current_has_delegation = ISC_TRUE;
 
 		/*
+		 * RFC 1123: MD and MF are not allowed to be loaded from
+		 * master files.
+		 */
+		if ((lctx->options & DNS_MASTER_ZONE) != 0 &&
+		    (lctx->options & DNS_MASTER_SLAVE) == 0 &&
+		    (type == dns_rdatatype_md || type == dns_rdatatype_mf)) {
+			char typename[DNS_RDATATYPE_FORMATSIZE];
+
+			result = DNS_R_OBSOLETE;
+
+			dns_rdatatype_format(type, typename, sizeof(typename));
+			(*callbacks->error)(callbacks,
+					    "%s:%lu: %s '%s': %s",
+					    source, line,
+					    "type", typename,
+					    dns_result_totext(result));
+			if (MANYERRS(lctx, result)) {
+				SETRESULT(lctx, result);
+			} else
+				goto insist_and_cleanup;
+		}
+
+		/*
 		 * Find a rdata structure.
 		 */
 		if (rdcount == rdata_size) {
@@ -1402,13 +1546,72 @@ load(dns_loadctx_t *lctx) {
 		}
 
 		/*
+		 * Peek at the NS record.
+		 */
+		if (type == dns_rdatatype_ns &&
+		    lctx->zclass == dns_rdataclass_in &&
+		    (lctx->options & DNS_MASTER_CHECKNS) != 0) {
+
+			GETTOKEN(lctx->lex, 0, &token, ISC_FALSE);
+			result = check_ns(lctx, &token, source, line);
+			isc_lex_ungettoken(lctx->lex, &token);
+			if ((lctx->options & DNS_MASTER_FATALNS) != 0) {
+				if (MANYERRS(lctx, result)) {
+					SETRESULT(lctx, result);
+				} else if (result != ISC_R_SUCCESS)
+					goto insist_and_cleanup;
+			}
+		}
+
+		/*
+		 * Check owner name.
+		 */
+		options &= ~DNS_RDATA_CHECKREVERSE;
+		if ((lctx->options & DNS_MASTER_CHECKNAMES) != 0) {
+			isc_boolean_t ok;
+			dns_name_t *name;
+
+			name = (ictx->glue != NULL) ? ictx-> glue :
+						      ictx->current;
+			ok = dns_rdata_checkowner(name, lctx->zclass, type,
+						  ISC_TRUE);
+			if (!ok) {
+				char namebuf[DNS_NAME_FORMATSIZE];
+				const char *desc;
+				dns_name_format(name, namebuf, sizeof(namebuf));
+				result = DNS_R_BADOWNERNAME;
+				desc = dns_result_totext(result);
+			        if ((lctx->options & DNS_MASTER_CHECKNAMESFAIL) != 0) {
+					(*callbacks->error)(callbacks,
+							    "%s:%lu: %s: %s",
+							    source, line,
+							    namebuf, desc);
+					if (MANYERRS(lctx, result)) {
+						SETRESULT(lctx, result);
+					} else if (result != ISC_R_SUCCESS)
+						goto cleanup;
+				} else {
+					(*callbacks->warn)(callbacks,
+							   "%s:%lu: %s: %s",
+							   source, line,
+							   namebuf, desc);
+				}
+			}
+			if (type == dns_rdatatype_ptr &&
+			    (dns_name_issubdomain(name, &in_addr_arpa) ||
+			     dns_name_issubdomain(name, &ip6_arpa) ||
+			     dns_name_issubdomain(name, &ip6_int)))
+				options |= DNS_RDATA_CHECKREVERSE;
+		}
+
+		/*
 		 * Read rdata contents.
 		 */
 		dns_rdata_init(&rdata[rdcount]);
 		target_ft = target;
 		result = dns_rdata_fromtext(&rdata[rdcount], lctx->zclass,
 					    type, lctx->lex, ictx->origin,
-					    ISC_FALSE, lctx->mctx, &target,
+					    options, lctx->mctx, &target,
 					    callbacks);
 		if (MANYERRS(lctx, result)) {
 			SETRESULT(lctx, result);
@@ -1428,7 +1631,7 @@ load(dns_loadctx_t *lctx) {
 			dns_name_format(ictx->current, namebuf,
 					sizeof(namebuf));
 			(*callbacks->error)(callbacks,
-				            "dns_master_load: %s:%lu: SOA "
+				            "%s:%lu: SOA "
 			                    "record not at top of zone (%s)",
 				            source, line, namebuf);
 			result = DNS_R_NOTZONETOP;
@@ -1442,7 +1645,7 @@ load(dns_loadctx_t *lctx) {
 		}
 
 
-		if (type == dns_rdatatype_sig)
+		if (type == dns_rdatatype_rrsig)
 			covers = dns_rdata_covers(&rdata[rdcount]);
 		else
 			covers = 0;
@@ -1457,6 +1660,13 @@ load(dns_loadctx_t *lctx) {
 				limit_ttl(callbacks, source, line, &lctx->ttl);
 				lctx->default_ttl = lctx->ttl;
 				lctx->default_ttl_known = ISC_TRUE;
+			} else if ((lctx->options & DNS_MASTER_HINT) != 0) {
+				/*
+				 * Zero TTL's are fine for hints.
+				 */
+				lctx->ttl = 0;
+				lctx->default_ttl = lctx->ttl;
+				lctx->default_ttl_known = ISC_TRUE;
 			} else {
 				(*callbacks->warn)(callbacks,
 						   "%s:%lu: no TTL specified; "
@@ -1474,25 +1684,32 @@ load(dns_loadctx_t *lctx) {
 			lctx->ttl = lctx->default_ttl;
 		} else if (!explicit_ttl && lctx->warn_1035) {
 			(*callbacks->warn)(callbacks,
-					   "%s: %s:%lu: "
+					   "%s:%lu: "
 					   "using RFC 1035 TTL semantics",
-					   "dns_master_load", source, line);
+					   source, line);
 			lctx->warn_1035 = ISC_FALSE;
 		}
 
-		if (type == dns_rdatatype_sig && lctx->warn_sigexpired) {
-			dns_rdata_sig_t sig;
+		if (type == dns_rdatatype_rrsig && lctx->warn_sigexpired) {
+			dns_rdata_rrsig_t sig;
 			(void)dns_rdata_tostruct(&rdata[rdcount], &sig, NULL);
 			if (isc_serial_lt(sig.timeexpire, now)) {
 				(*callbacks->warn)(callbacks,
-						   "%s: %s:%lu: "
+						   "%s:%lu: "
 						   "signature has expired",
-						   "dns_master_load",
 						   source, line);
 				lctx->warn_sigexpired = ISC_FALSE;
 			}
 		}
 
+		if ((type == dns_rdatatype_sig || type == dns_rdatatype_nxt) &&
+		    lctx->warn_tcr && (lctx->options & DNS_MASTER_ZONE) != 0 &&
+                    (lctx->options & DNS_MASTER_SLAVE) == 0) {
+			(*callbacks->warn)(callbacks, "%s:%lu: old style DNSSEC "
+					   " zone detected", source, line);
+			lctx->warn_tcr = ISC_FALSE;
+		}
+
 		if ((lctx->options & DNS_MASTER_AGETTL) != 0) {
 			/*
 			 * Adjust the TTL for $DATE.  If the RR has already
@@ -1548,9 +1765,8 @@ load(dns_loadctx_t *lctx) {
 						        link);
 		} else if (this->ttl != lctx->ttl) {
 			(*callbacks->warn)(callbacks,
-					   "%s: %s:%lu: "
+					   "%s:%lu: "
 					   "TTL set to prior TTL (%lu)",
-					   "dns_master_load",
 					   source, line, this->ttl);
 			lctx->ttl = this->ttl;
 		}
@@ -1610,9 +1826,9 @@ load(dns_loadctx_t *lctx) {
 		ISC_LIST_UNLINK(glue_list, this, link);
 	if (rdatalist != NULL)
 		isc_mem_put(mctx, rdatalist,
-			    rdatalist_size * sizeof *rdatalist);
+			    rdatalist_size * sizeof(*rdatalist));
 	if (rdata != NULL)
-		isc_mem_put(mctx, rdata, rdata_size * sizeof *rdata);
+		isc_mem_put(mctx, rdata, rdata_size * sizeof(*rdata));
 	if (target_mem != NULL)
 		isc_mem_put(mctx, target_mem, target_size);
 	if (include_file != NULL)
@@ -1648,7 +1864,7 @@ pushfile(const char *master_file, dns_name_t *origin, dns_loadctx_t *lctx) {
 
 	/* Set current domain. */
 	if (ictx->glue != NULL || ictx->current != NULL) {
-		for (new_in_use = 0; new_in_use < NBUFS ; new_in_use++)
+		for (new_in_use = 0; new_in_use < NBUFS; new_in_use++)
 			if (!new->in_use[new_in_use])
 				break;
 		INSIST(new_in_use < NBUFS);
@@ -1685,7 +1901,7 @@ dns_master_loadfile(const char *master_file, dns_name_t *top,
 	isc_result_t result;
 
 	result = loadctx_create(mctx, options, top, zclass, origin,
-				callbacks, NULL, NULL, NULL, &lctx);
+				callbacks, NULL, NULL, NULL, NULL, &lctx);
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
@@ -1716,7 +1932,7 @@ dns_master_loadfileinc(const char *master_file, dns_name_t *top,
 	REQUIRE(done != NULL);
 
 	result = loadctx_create(mctx, options, top, zclass, origin,
-				callbacks, task, done, done_arg, &lctx);
+				callbacks, task, done, done_arg, NULL, &lctx);
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
@@ -1747,7 +1963,7 @@ dns_master_loadstream(FILE *stream, dns_name_t *top, dns_name_t *origin,
 	REQUIRE(stream != NULL);
 
 	result = loadctx_create(mctx, options, top, zclass, origin,
-				callbacks, NULL, NULL, NULL, &lctx);
+				callbacks, NULL, NULL, NULL, NULL, &lctx);
 	if (result != ISC_R_SUCCESS)
 		goto cleanup;
 
@@ -1779,7 +1995,7 @@ dns_master_loadstreaminc(FILE *stream, dns_name_t *top, dns_name_t *origin,
 	REQUIRE(done != NULL);
 
 	result = loadctx_create(mctx, options, top, zclass, origin,
-				callbacks, task, done, done_arg, &lctx);
+				callbacks, task, done, done_arg, NULL, &lctx);
 	if (result != ISC_R_SUCCESS)
 		goto cleanup;
 
@@ -1811,7 +2027,7 @@ dns_master_loadbuffer(isc_buffer_t *buffer, dns_name_t *top,
 	REQUIRE(buffer != NULL);
 
 	result = loadctx_create(mctx, options, top, zclass, origin,
-				callbacks, NULL, NULL, NULL, &lctx);
+				callbacks, NULL, NULL, NULL, NULL, &lctx);
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
@@ -1844,7 +2060,7 @@ dns_master_loadbufferinc(isc_buffer_t *buffer, dns_name_t *top,
 	REQUIRE(done != NULL);
 
 	result = loadctx_create(mctx, options, top, zclass, origin,
-				callbacks, task, done, done_arg, &lctx);
+				callbacks, task, done, done_arg, NULL, &lctx);
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
@@ -1864,6 +2080,59 @@ dns_master_loadbufferinc(isc_buffer_t *buffer, dns_name_t *top,
 	return (result);
 }
 
+isc_result_t
+dns_master_loadlexer(isc_lex_t *lex, dns_name_t *top,
+		     dns_name_t *origin, dns_rdataclass_t zclass,
+		     unsigned int options,
+		     dns_rdatacallbacks_t *callbacks, isc_mem_t *mctx)
+{
+	isc_result_t result;
+	dns_loadctx_t *lctx = NULL;
+
+	REQUIRE(lex != NULL);
+
+	result = loadctx_create(mctx, options, top, zclass, origin,
+				callbacks, NULL, NULL, NULL, lex, &lctx);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = load(lctx);
+	INSIST(result != DNS_R_CONTINUE);
+
+	dns_loadctx_detach(&lctx);
+	return (result);
+}
+
+isc_result_t
+dns_master_loadlexerinc(isc_lex_t *lex, dns_name_t *top,
+			dns_name_t *origin, dns_rdataclass_t zclass,
+			unsigned int options,
+			dns_rdatacallbacks_t *callbacks, isc_task_t *task,
+			dns_loaddonefunc_t done, void *done_arg,
+			dns_loadctx_t **lctxp, isc_mem_t *mctx)
+{
+	isc_result_t result;
+	dns_loadctx_t *lctx = NULL;
+
+	REQUIRE(lex != NULL);
+	REQUIRE(task != NULL);
+	REQUIRE(done != NULL);
+
+	result = loadctx_create(mctx, options, top, zclass, origin,
+				callbacks, task, done, done_arg, lex, &lctx);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = task_send(lctx);
+	if (result == ISC_R_SUCCESS) {
+		dns_loadctx_attach(lctx, lctxp);
+		return (DNS_R_CONTINUE);
+	}
+
+	dns_loadctx_detach(&lctx);
+	return (result);
+}
+
 /*
  * Grow the slab of dns_rdatalist_t structures.
  * Re-link glue and current list.
@@ -1878,7 +2147,7 @@ grow_rdatalist(int new_len, dns_rdatalist_t *old, int old_len,
 	ISC_LIST(dns_rdatalist_t) save;
 	dns_rdatalist_t *this;
 
-	new = isc_mem_get(mctx, new_len * sizeof *new);
+	new = isc_mem_get(mctx, new_len * sizeof(*new));
 	if (new == NULL)
 		return (NULL);
 
@@ -1910,7 +2179,7 @@ grow_rdatalist(int new_len, dns_rdatalist_t *old, int old_len,
 
 	INSIST(rdlcount == old_len);
 	if (old != NULL)
-		isc_mem_put(mctx, old, old_len * sizeof *old);
+		isc_mem_put(mctx, old, old_len * sizeof(*old));
 	return (new);
 }
 
@@ -1929,10 +2198,10 @@ grow_rdata(int new_len, dns_rdata_t *old, int old_len,
 	dns_rdatalist_t *this;
 	dns_rdata_t *rdata;
 
-	new = isc_mem_get(mctx, new_len * sizeof *new);
+	new = isc_mem_get(mctx, new_len * sizeof(*new));
 	if (new == NULL)
 		return (NULL);
-	memset(new, 0, new_len * sizeof *new);
+	memset(new, 0, new_len * sizeof(*new));
 
 	/*
 	 * Copy current relinking.
@@ -1973,7 +2242,7 @@ grow_rdata(int new_len, dns_rdata_t *old, int old_len,
 	}
 	INSIST(rdcount == old_len);
 	if (old != NULL)
-		isc_mem_put(mctx, old, old_len * sizeof *old);
+		isc_mem_put(mctx, old, old_len * sizeof(*old));
 	return (new);
 }
 
@@ -1992,17 +2261,16 @@ commit(dns_rdatacallbacks_t *callbacks, dns_loadctx_t *lctx,
 	isc_result_t result;
 	char namebuf[DNS_NAME_FORMATSIZE];
 	void    (*error)(struct dns_rdatacallbacks *, const char *, ...);
-	void    (*warn)(struct dns_rdatacallbacks *, const char *, ...);
 
 	this = ISC_LIST_HEAD(*head);
 	error = callbacks->error;
-	warn = callbacks->warn;
 
 	if (this == NULL)
 		return (ISC_R_SUCCESS);
 	do {
 		dns_rdataset_init(&dataset);
-		dns_rdatalist_tordataset(this, &dataset);
+		RUNTIME_CHECK(dns_rdatalist_tordataset(this, &dataset)
+			      == ISC_R_SUCCESS);
 		dataset.trust = dns_trust_ultimate;
 		result = ((*callbacks->add)(callbacks->add_private, owner,
 					    &dataset));
diff --git a/lib/dns/masterdump.c b/lib/dns/masterdump.c
index 4990a00e..ac5aebb8 100644
--- a/lib/dns/masterdump.c
+++ b/lib/dns/masterdump.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
+ * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,20 +15,24 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: masterdump.c,v 1.56.2.6 2004/03/09 06:11:03 marka Exp $ */
+/* $Id: masterdump.c,v 1.56.2.5.2.10 2004/03/08 09:04:30 marka Exp $ */
 
 #include <config.h>
 
 #include <stdlib.h>
 
+#include <isc/event.h>
 #include <isc/file.h>
+#include <isc/magic.h>
 #include <isc/mem.h>
 #include <isc/stdio.h>
 #include <isc/string.h>
+#include <isc/task.h>
 #include <isc/util.h>
 
 #include <dns/db.h>
 #include <dns/dbiterator.h>
+#include <dns/events.h>
 #include <dns/fixedname.h>
 #include <dns/log.h>
 #include <dns/masterdump.h>
@@ -41,6 +45,9 @@
 #include <dns/time.h>
 #include <dns/ttl.h>
 
+#define DNS_DCTX_MAGIC		ISC_MAGIC('D', 'c', 't', 'x')
+#define DNS_DCTX_VALID(d)	ISC_MAGIC_VALID(d, DNS_DCTX_MAGIC)
+
 #define RETERR(x) do { \
 	isc_result_t _r = (x); \
 	if (_r != ISC_R_SUCCESS) \
@@ -58,56 +65,6 @@ struct dns_master_style {
 };
 
 /*
- * Flags affecting master file formatting.  Flags 0x0000FFFF
- * define the formatting of the rdata part and are defined in
- * rdata.h.
- */
-
-/* Omit the owner name when possible. */
-#define DNS_STYLEFLAG_OMIT_OWNER	0x00010000U
-
-/*
- * Omit the TTL when possible.  If DNS_STYLEFLAG_TTL is
- * also set, this means no TTLs are ever printed
- * because $TTL directives are generated before every
- * change in the TTL.  In this case, no columns need to
- * be reserved for the TTL.  Master files generated with
- * these options will be rejected by BIND 4.x because it
- * does not recognize the $TTL directive.
- *
- * If DNS_STYLEFLAG_TTL is not also set, the TTL will be
- * omitted when it is equal to the previous TTL.
- * This is correct according to RFC1035, but the
- * TTLs may be silently misinterpreted by older
- * versions of BIND which use the SOA MINTTL as a
- * default TTL value.
- */
-#define DNS_STYLEFLAG_OMIT_TTL		0x00020000U
-
-/* Omit the class when possible. */
-#define DNS_STYLEFLAG_OMIT_CLASS	0x00040000U
-
-/* Output $TTL directives. */
-#define DNS_STYLEFLAG_TTL		0x00080000U
-
-/*
- * Output $ORIGIN directives and print owner names relative to
- * the origin when possible.
- */
-#define DNS_STYLEFLAG_REL_OWNER		0x00100000U
-
-/* Print domain names in RR data in relative form when possible.
-   For this to take effect, DNS_STYLEFLAG_REL_OWNER must also be set. */
-#define DNS_STYLEFLAG_REL_DATA		0x00200000U
-
-/* Print the trust level of each rdataset. */
-#define DNS_STYLEFLAG_TRUST		0x00400000U
-
-/* Print negative caching entries. */
-#define DNS_STYLEFLAG_NCACHE		0x00800000U
-
-
-/*
  * The maximum length of the newline+indentation that is output
  * when inserting a line break in an RR.  This effectively puts an
  * upper limits on the value of "rdata_column", because if it is
@@ -144,6 +101,12 @@ dns_master_style_default = {
 };
 
 LIBDNS_EXTERNAL_DATA const dns_master_style_t
+dns_master_style_full = {
+	DNS_STYLEFLAG_COMMENT,
+	46, 46, 46, 64, 120, 8
+};
+
+LIBDNS_EXTERNAL_DATA const dns_master_style_t
 dns_master_style_explicitttl = {
 	DNS_STYLEFLAG_OMIT_OWNER |
 	DNS_STYLEFLAG_OMIT_CLASS |
@@ -154,7 +117,7 @@ dns_master_style_explicitttl = {
 	24, 32, 32, 40, 80, 8
 };
 
-const dns_master_style_t
+LIBDNS_EXTERNAL_DATA const dns_master_style_t
 dns_master_style_cache = {
 	DNS_STYLEFLAG_OMIT_OWNER |
 	DNS_STYLEFLAG_OMIT_CLASS |
@@ -164,13 +127,12 @@ dns_master_style_cache = {
 	24, 32, 32, 40, 80, 8
 };
 
-const dns_master_style_t
+LIBDNS_EXTERNAL_DATA const dns_master_style_t
 dns_master_style_simple = {
 	0,
 	24, 32, 32, 40, 80, 8
 };
 
-
 /*
  * A style suitable for dns_rdataset_totext().
  */
@@ -187,7 +149,30 @@ static char spaces[N_SPACES+1] = "          ";
 #define N_TABS 10
 static char tabs[N_TABS+1] = "\t\t\t\t\t\t\t\t\t\t";
 
-#define NXDOMAIN(x) (((x)->attributes & DNS_RDATASETATTR_NXDOMAIN) != 0)
+struct dns_dumpctx {
+	unsigned int		magic;
+	isc_mem_t		*mctx;
+	isc_mutex_t		lock;
+	unsigned int		references;
+	isc_boolean_t		canceled;
+	isc_boolean_t		first;
+	isc_boolean_t		do_date;
+	isc_stdtime_t		now;
+	FILE			*f;
+	dns_db_t		*db;
+	dns_dbversion_t		*version;
+	dns_dbiterator_t	*dbiter;
+	dns_totext_ctx_t	tctx;
+	isc_task_t		*task;
+	dns_dumpdonefunc_t	done;
+	void			*done_arg;
+	unsigned int		nodes;
+	/* dns_master_dumpinc() */
+	char			*file;
+	char 			*tmpfile;
+};
+
+#define NXDOMAIN(x) (((x)->attributes & DNS_RDATASETATTR_NXDOMAIN) != 0) 
 
 /*
  * Output tabs and spaces to go from column '*current' to
@@ -388,17 +373,19 @@ rdataset_totext(dns_rdataset_t *rdataset,
 		/*
 		 * TTL.
 		 */
-		if (! ((ctx->style.flags & DNS_STYLEFLAG_OMIT_TTL) != 0 &&
-		       current_ttl_valid &&
-		       rdataset->ttl == current_ttl))
+		if ((ctx->style.flags & DNS_STYLEFLAG_NO_TTL) == 0 &&
+		    !((ctx->style.flags & DNS_STYLEFLAG_OMIT_TTL) != 0 &&
+		      current_ttl_valid &&
+		      rdataset->ttl == current_ttl))
 		{
 			char ttlbuf[64];
 			isc_region_t r;
 			unsigned int length;
 
 			INDENT_TO(ttl_column);
-			length = sprintf(ttlbuf, "%u", rdataset->ttl);
-			INSIST(length <= sizeof ttlbuf);
+			length = snprintf(ttlbuf, sizeof(ttlbuf), "%u",
+					  rdataset->ttl);
+			INSIST(length <= sizeof(ttlbuf));
 			isc_buffer_availableregion(target, &r);
 			if (r.length < length)
 				return (ISC_R_NOSPACE);
@@ -419,8 +406,9 @@ rdataset_totext(dns_rdataset_t *rdataset,
 		/*
 		 * Class.
 		 */
-		if ((ctx->style.flags & DNS_STYLEFLAG_OMIT_CLASS) == 0 ||
-		    ctx->class_printed == ISC_FALSE)
+		if ((ctx->style.flags & DNS_STYLEFLAG_NO_CLASS) == 0 &&
+		    ((ctx->style.flags & DNS_STYLEFLAG_OMIT_CLASS) == 0 ||
+		     ctx->class_printed == ISC_FALSE))
 		{
 			unsigned int class_start;
 			INDENT_TO(class_column);
@@ -733,7 +721,7 @@ static int
 dump_order(const dns_rdataset_t *rds) {
 	int t;
 	int sig;
-	if (rds->type == dns_rdatatype_sig) {
+	if (rds->type == dns_rdatatype_rrsig) {
 		t = rds->covers;
 		sig = 1;
 	} else {
@@ -872,125 +860,381 @@ dump_rdatasets(isc_mem_t *mctx, dns_name_t *name, dns_rdatasetiter_t *rdsiter,
  */
 static const int initial_buffer_length = 1200;
 
-/*
- * Dump an entire database into a master file.
- */
-isc_result_t
-dns_master_dumptostream(isc_mem_t *mctx, dns_db_t *db,
-			dns_dbversion_t *version,
-			const dns_master_style_t *style,
-			FILE *f)
+static isc_result_t
+dumptostreaminc(dns_dumpctx_t *dctx);
+
+static void
+dumpctx_destroy(dns_dumpctx_t *dctx) {
+
+	dctx->magic = 0;
+	DESTROYLOCK(&dctx->lock);
+	if (dctx->version != NULL)
+		dns_db_closeversion(dctx->db, &dctx->version, ISC_FALSE);
+	dns_dbiterator_destroy(&dctx->dbiter);
+	dns_db_detach(&dctx->db);
+	if (dctx->task != NULL)
+		isc_task_detach(&dctx->task);
+	if (dctx->file != NULL)
+		isc_mem_free(dctx->mctx, dctx->file);
+	if (dctx->tmpfile != NULL)
+		isc_mem_free(dctx->mctx, dctx->tmpfile);
+	isc_mem_putanddetach(&dctx->mctx, dctx, sizeof(*dctx));
+}
+
+void
+dns_dumpctx_attach(dns_dumpctx_t *source, dns_dumpctx_t **target) {
+
+	REQUIRE(DNS_DCTX_VALID(source));
+	REQUIRE(target != NULL && *target == NULL);
+
+	LOCK(&source->lock);
+	INSIST(source->references > 0);
+	source->references++;
+	INSIST(source->references != 0);	/* Overflow? */
+	UNLOCK(&source->lock);
+
+	*target = source;
+}
+
+void
+dns_dumpctx_detach(dns_dumpctx_t **dctxp) {
+	dns_dumpctx_t *dctx;
+	isc_boolean_t need_destroy = ISC_FALSE;
+
+	REQUIRE(dctxp != NULL);
+	dctx = *dctxp;
+	REQUIRE(DNS_DCTX_VALID(dctx));
+
+	*dctxp = NULL;
+
+	LOCK(&dctx->lock);
+	INSIST(dctx->references != 0);
+	dctx->references--;
+	if (dctx->references == 0)
+		need_destroy = ISC_TRUE;
+	UNLOCK(&dctx->lock);
+	if (need_destroy)
+		dumpctx_destroy(dctx);
+}
+
+dns_dbversion_t *
+dns_dumpctx_version(dns_dumpctx_t *dctx) {
+        REQUIRE(DNS_DCTX_VALID(dctx));
+	return (dctx->version);
+}
+
+dns_db_t *
+dns_dumpctx_db(dns_dumpctx_t *dctx) {
+        REQUIRE(DNS_DCTX_VALID(dctx));
+	return (dctx->db);
+}
+
+void
+dns_dumpctx_cancel(dns_dumpctx_t *dctx) {
+	REQUIRE(DNS_DCTX_VALID(dctx));
+
+	LOCK(&dctx->lock);
+	dctx->canceled = ISC_TRUE;
+	UNLOCK(&dctx->lock);
+}
+
+static isc_result_t
+closeandrename(FILE *f, isc_result_t result, const char *temp, const char *file)
 {
-	dns_fixedname_t fixname;
-	dns_name_t *name;
-	dns_dbiterator_t *dbiter = NULL;
+	isc_result_t tresult;
+	isc_boolean_t logit = ISC_TF(result == ISC_R_SUCCESS);
+
+	if (result == ISC_R_SUCCESS)
+		result = isc_stdio_sync(f);
+	if (result != ISC_R_SUCCESS && logit) {
+		isc_log_write(dns_lctx, ISC_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_MASTERDUMP, ISC_LOG_ERROR,
+			      "dumping master file: %s: fsync: %s",
+			      temp, isc_result_totext(result));
+		logit = ISC_FALSE;
+	}
+	tresult = isc_stdio_close(f);
+	if (result == ISC_R_SUCCESS)
+		result = tresult;
+	if (result != ISC_R_SUCCESS && logit) {
+		isc_log_write(dns_lctx, ISC_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_MASTERDUMP, ISC_LOG_ERROR,
+			      "dumping master file: %s: fclose: %s",
+			      temp, isc_result_totext(result));
+		logit = ISC_FALSE;
+	}
+	if (result == ISC_R_SUCCESS)
+		result = isc_file_rename(temp, file);
+	else
+		(void)isc_file_remove(temp);
+	if (result != ISC_R_SUCCESS && logit) {
+		isc_log_write(dns_lctx, ISC_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_MASTERDUMP, ISC_LOG_ERROR,
+			      "dumping master file: rename: %s: %s",
+			      file, isc_result_totext(result));
+	}
+	return (result);
+}
+
+static void
+dump_quantum(isc_task_t *task, isc_event_t *event) {
 	isc_result_t result;
-	isc_buffer_t buffer;
-	char *bufmem;
-	isc_stdtime_t now;
-	isc_region_t r;
-	dns_totext_ctx_t ctx;
+	dns_dumpctx_t *dctx;
 
-	result = totext_ctx_init(style, &ctx);
+	REQUIRE(event != NULL);
+	dctx = event->ev_arg;
+	REQUIRE(DNS_DCTX_VALID(dctx));
+	if (dctx->canceled)
+		result = ISC_R_CANCELED;
+	else
+		result = dumptostreaminc(dctx);
+	if (result == DNS_R_CONTINUE) {
+		event->ev_arg = dctx;
+		isc_task_send(task, &event);
+		return;
+	}
+
+	if (dctx->file != NULL)
+		result = closeandrename(dctx->f, result,
+					dctx->tmpfile, dctx->file);
+	if (dctx->version != NULL)
+		dns_db_closeversion(dctx->db, &dctx->version, ISC_FALSE);
+	(dctx->done)(dctx->done_arg, result);
+	isc_event_free(&event);
+	dns_dumpctx_detach(&dctx);
+}
+
+static isc_result_t
+task_send(dns_dumpctx_t *dctx) {
+	isc_event_t *event;
+
+	event = isc_event_allocate(dctx->mctx, NULL, DNS_EVENT_DUMPQUANTUM,
+				   dump_quantum, dctx, sizeof(*event));
+	if (event == NULL)
+		return (ISC_R_NOMEMORY);
+	isc_task_send(dctx->task, &event);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+dumpctx_create(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
+	       const dns_master_style_t *style, FILE *f, dns_dumpctx_t **dctxp)
+{
+	dns_dumpctx_t *dctx;
+	isc_result_t result;
+	isc_boolean_t relative;
+
+	dctx = isc_mem_get(mctx, sizeof(*dctx));
+	if (dctx == NULL)
+		return (ISC_R_NOMEMORY);
+
+	dctx->mctx = NULL;
+	dctx->f = f;
+	dctx->dbiter = NULL;
+	dctx->db = NULL;
+	dctx->version = NULL;
+	dctx->done = NULL;
+	dctx->done_arg = NULL;
+	dctx->task = NULL;
+	dctx->nodes = 0;
+	dctx->first = ISC_TRUE;
+	dctx->canceled = ISC_FALSE;
+	dctx->file = NULL;
+	dctx->tmpfile = NULL;
+
+	result = totext_ctx_init(style, &dctx->tctx);
 	if (result != ISC_R_SUCCESS) {
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
 				 "could not set master file style");
-		return (ISC_R_UNEXPECTED);
+		goto cleanup;
 	}
 
-	dns_fixedname_init(&fixname);
-	name = dns_fixedname_name(&fixname);
+	isc_stdtime_get(&dctx->now);
+	dns_db_attach(db, &dctx->db);
 
-	isc_stdtime_get(&now);
+	dctx->do_date = dns_db_iscache(dctx->db);
 
-	bufmem = isc_mem_get(mctx, initial_buffer_length);
+	relative = ((dctx->tctx.style.flags & DNS_STYLEFLAG_REL_OWNER) != 0) ?
+			ISC_TRUE : ISC_FALSE;
+	result = dns_db_createiterator(dctx->db, relative, &dctx->dbiter);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	result = isc_mutex_init(&dctx->lock);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	if (version != NULL)
+		dns_db_attachversion(dctx->db, version, &dctx->version);
+	else if (!dns_db_iscache(db))
+		dns_db_currentversion(dctx->db, &dctx->version);
+	isc_mem_attach(mctx, &dctx->mctx);
+	dctx->references = 1;
+	dctx->magic = DNS_DCTX_MAGIC;
+	*dctxp = dctx;
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	if (dctx->dbiter != NULL)
+		dns_dbiterator_destroy(&dctx->dbiter);
+	if (dctx->db != NULL)
+		dns_db_detach(&dctx->db);
+	if (dctx != NULL)
+		isc_mem_put(mctx, dctx, sizeof(*dctx));
+	return (result);
+}
+
+static isc_result_t
+dumptostreaminc(dns_dumpctx_t *dctx) {
+	isc_result_t result;
+	isc_buffer_t buffer;
+	char *bufmem;
+	isc_region_t r;
+	dns_name_t *name;
+	dns_fixedname_t fixname;
+	unsigned int nodes;
+
+	bufmem = isc_mem_get(dctx->mctx, initial_buffer_length);
 	if (bufmem == NULL)
 		return (ISC_R_NOMEMORY);
 
 	isc_buffer_init(&buffer, bufmem, initial_buffer_length);
 
-	/*
-	 * If the database has cache semantics, output an RFC2540
-	 * $DATE directive so that the TTLs can be adjusted when
-	 * it is reloaded.  For zones it is not really needed, and
-	 * it would make the file incompatible with pre-RFC2540
-	 * software, so we omit it in the zone case.
-	 */
-	if (dns_db_iscache(db)) {
-		result = dns_time32_totext(now, &buffer);
-		RUNTIME_CHECK(result == ISC_R_SUCCESS);
-		isc_buffer_usedregion(&buffer, &r);
-		fprintf(f, "$DATE %.*s\n", (int) r.length, (char *) r.base);
-	}
-
-	result = dns_db_createiterator(db,
-		       ((ctx.style.flags & DNS_STYLEFLAG_REL_OWNER) != 0) ?
-			   ISC_TRUE : ISC_FALSE,
-		       &dbiter);
-	if (result != ISC_R_SUCCESS)
-		goto create_iter_failure;
+	dns_fixedname_init(&fixname);
+	name = dns_fixedname_name(&fixname);
 
-	result = dns_dbiterator_first(dbiter);
+	if (dctx->first) {
+		/*
+		 * If the database has cache semantics, output an RFC2540
+		 * $DATE directive so that the TTLs can be adjusted when
+		 * it is reloaded.  For zones it is not really needed, and
+		 * it would make the file incompatible with pre-RFC2540
+		 * software, so we omit it in the zone case.
+		 */
+		if (dctx->do_date) {
+			result = dns_time32_totext(dctx->now, &buffer);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+			isc_buffer_usedregion(&buffer, &r);
+			fprintf(dctx->f, "$DATE %.*s\n",
+				(int) r.length, (char *) r.base);
+		}
+		result = dns_dbiterator_first(dctx->dbiter);
+		dctx->first = ISC_FALSE;
+	} else
+		result = ISC_R_SUCCESS;
 
-	while (result == ISC_R_SUCCESS) {
+	nodes = dctx->nodes;
+	while (result == ISC_R_SUCCESS && (dctx->nodes == 0 || nodes--)) {
 		dns_rdatasetiter_t *rdsiter = NULL;
 		dns_dbnode_t *node = NULL;
-		result = dns_dbiterator_current(dbiter, &node, name);
+
+		result = dns_dbiterator_current(dctx->dbiter, &node, name);
 		if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN)
 			break;
 		if (result == DNS_R_NEWORIGIN) {
 			dns_name_t *origin =
-				dns_fixedname_name(&ctx.origin_fixname);
-			result = dns_dbiterator_origin(dbiter, origin);
+				dns_fixedname_name(&dctx->tctx.origin_fixname);
+			result = dns_dbiterator_origin(dctx->dbiter, origin);
 			RUNTIME_CHECK(result == ISC_R_SUCCESS);
-			if ((ctx.style.flags & DNS_STYLEFLAG_REL_DATA) != 0)
-				ctx.origin = origin;
-			ctx.neworigin = origin;
+			if ((dctx->tctx.style.flags & DNS_STYLEFLAG_REL_DATA) != 0)
+				dctx->tctx.origin = origin;
+			dctx->tctx.neworigin = origin;
 		}
-		result = dns_db_allrdatasets(db, node, version, now, &rdsiter);
+		result = dns_db_allrdatasets(dctx->db, node, dctx->version,
+					     dctx->now, &rdsiter);
 		if (result != ISC_R_SUCCESS) {
-			dns_db_detachnode(db, &node);
-			goto iter_failure;
+			dns_db_detachnode(dctx->db, &node);
+			goto fail;
 		}
-		result = dump_rdatasets(mctx, name, rdsiter, &ctx,
-					&buffer, f);
+		result = dump_rdatasets(dctx->mctx, name, rdsiter, &dctx->tctx,
+					&buffer, dctx->f);
+		dns_rdatasetiter_destroy(&rdsiter);
 		if (result != ISC_R_SUCCESS) {
-			dns_db_detachnode(db, &node);
-			goto iter_failure;
+			dns_db_detachnode(dctx->db, &node);
+			goto fail;
 		}
-		dns_rdatasetiter_destroy(&rdsiter);
-		dns_db_detachnode(db, &node);
-		result = dns_dbiterator_next(dbiter);
+		dns_db_detachnode(dctx->db, &node);
+		result = dns_dbiterator_next(dctx->dbiter);
 	}
-	if (result != ISC_R_NOMORE)
-		goto iter_failure;
 
-	result = ISC_R_SUCCESS;
+	if (dctx->nodes != 0 && result == ISC_R_SUCCESS) {
+		dns_dbiterator_pause(dctx->dbiter);
+		result = DNS_R_CONTINUE;
+	} else if (result == ISC_R_NOMORE)
+		result = ISC_R_SUCCESS;
+ fail:
+	isc_mem_put(dctx->mctx, buffer.base, buffer.length);
+	return (result);
+}
+
+isc_result_t
+dns_master_dumptostreaminc(isc_mem_t *mctx, dns_db_t *db,
+			   dns_dbversion_t *version,
+			   const dns_master_style_t *style,
+			   FILE *f, isc_task_t *task,
+			   dns_dumpdonefunc_t done, void *done_arg,
+			   dns_dumpctx_t **dctxp)
+{
+	dns_dumpctx_t *dctx = NULL;
+	isc_result_t result;
 
- iter_failure:
-	dns_dbiterator_destroy(&dbiter);
+	REQUIRE(task != NULL);
+	REQUIRE(f != NULL);
+	REQUIRE(done != NULL);
+
+	result = dumpctx_create(mctx, db, version, style, f, &dctx);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	isc_task_attach(task, &dctx->task);
+	dctx->done = done;
+	dctx->done_arg = done_arg;
+	dctx->nodes = 100;
+
+	result = task_send(dctx);
+	if (result == ISC_R_SUCCESS) {
+		dns_dumpctx_attach(dctx, dctxp);
+		return (DNS_R_CONTINUE);
+	}
+	if (dctx != NULL)
+		dns_dumpctx_detach(&dctx);
 
- create_iter_failure:
-	isc_mem_put(mctx, buffer.base, buffer.length);
 	return (result);
 }
 
-
+/*
+ * Dump an entire database into a master file.
+ */
 isc_result_t
-dns_master_dump(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
-		const dns_master_style_t *style, const char *filename)
+dns_master_dumptostream(isc_mem_t *mctx, dns_db_t *db,
+			dns_dbversion_t *version,
+			const dns_master_style_t *style,
+			FILE *f)
 {
+	dns_dumpctx_t *dctx = NULL;
+	isc_result_t result;
+
+	result = dumpctx_create(mctx, db, version, style, f, &dctx);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = dumptostreaminc(dctx);
+	INSIST(result != DNS_R_CONTINUE);
+	dns_dumpctx_detach(&dctx);
+	return (result);
+}
+
+static isc_result_t
+opentmp(isc_mem_t *mctx, const char *file, char **tempp, FILE **fp) {
 	FILE *f = NULL;
 	isc_result_t result;
-	char *tempname;
+	char *tempname = NULL;
 	int tempnamelen;
 
-	tempnamelen = strlen(filename) + 20;
-	tempname = isc_mem_get(mctx, tempnamelen);
+	tempnamelen = strlen(file) + 20;
+	tempname = isc_mem_allocate(mctx, tempnamelen);
 	if (tempname == NULL)
 		return (ISC_R_NOMEMORY);
 
-	result = isc_file_mktemplate(filename, tempname, tempnamelen);
+	result = isc_file_mktemplate(file, tempname, tempnamelen);
 	if (result != ISC_R_SUCCESS)
 		goto cleanup;
 
@@ -1002,50 +1246,92 @@ dns_master_dump(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
 			      tempname, isc_result_totext(result));
 		goto cleanup;
 	}
+	*tempp = tempname;
+	*fp = f;
+	return (ISC_R_SUCCESS);
 
-	result = dns_master_dumptostream(mctx, db, version, style, f);
-	if (result != ISC_R_SUCCESS) {
-		isc_log_write(dns_lctx, ISC_LOGCATEGORY_GENERAL,
-			      DNS_LOGMODULE_MASTERDUMP, ISC_LOG_ERROR,
-			      "dumping master file: %s: %s",
-			      tempname, isc_result_totext(result));
-		(void)isc_stdio_close(f);
-		(void)isc_file_remove(tempname);
+cleanup:
+	isc_mem_free(mctx, tempname);
+	return (result);
+}
+
+isc_result_t
+dns_master_dumpinc(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
+		   const dns_master_style_t *style, const char *filename,
+		   isc_task_t *task, dns_dumpdonefunc_t done, void *done_arg,
+		   dns_dumpctx_t **dctxp)
+{
+	FILE *f = NULL;
+	isc_result_t result;
+	char *tempname = NULL;
+	char *file = NULL;
+	dns_dumpctx_t *dctx = NULL;
+
+	file = isc_mem_strdup(mctx, filename);
+	if (file == NULL)
+		return (ISC_R_NOMEMORY);
+
+	result = opentmp(mctx, filename, &tempname, &f);
+	if (result != ISC_R_SUCCESS)
 		goto cleanup;
-	}
 
-	result = isc_stdio_sync(f);
+	result = dumpctx_create(mctx, db, version, style, f, &dctx);
 	if (result != ISC_R_SUCCESS) {
-		isc_log_write(dns_lctx, ISC_LOGCATEGORY_GENERAL,
-			      DNS_LOGMODULE_MASTERDUMP, ISC_LOG_ERROR,
-			      "dumping master file: %s: fsync: %s",
-			      tempname, isc_result_totext(result));
 		(void)isc_stdio_close(f);
 		(void)isc_file_remove(tempname);
 		goto cleanup;
 	}
 
-	result = isc_stdio_close(f);
-	if (result != ISC_R_SUCCESS) {
-		isc_log_write(dns_lctx, ISC_LOGCATEGORY_GENERAL,
-			      DNS_LOGMODULE_MASTERDUMP, ISC_LOG_ERROR,
-			      "dumping master file: %s: close: %s",
-			      tempname, isc_result_totext(result));
-		(void)isc_file_remove(tempname);
-		goto cleanup;
+	isc_task_attach(task, &dctx->task);
+	dctx->done = done;
+	dctx->done_arg = done_arg;
+	dctx->nodes = 100;
+	dctx->file = file;
+	file = NULL;
+	dctx->tmpfile = tempname;
+	tempname = NULL;
+
+	result = task_send(dctx);
+	if (result == ISC_R_SUCCESS) {
+		dns_dumpctx_attach(dctx, dctxp);
+		return (DNS_R_CONTINUE);
 	}
 
-	result = isc_file_rename(tempname, filename);
-	if (result != ISC_R_SUCCESS) {
-		isc_log_write(dns_lctx, ISC_LOGCATEGORY_GENERAL,
-			      DNS_LOGMODULE_MASTERDUMP, ISC_LOG_ERROR,
-			      "dumping master file: rename: %s: %s",
-			      filename, isc_result_totext(result));
-		goto cleanup;		
-	}
+ cleanup:
+	if (dctx != NULL)
+		dns_dumpctx_detach(&dctx);
+	if (file != NULL)
+		isc_mem_free(mctx, file);
+	if (tempname != NULL)
+		isc_mem_free(mctx, tempname);
+	return (result);
+}
+
+isc_result_t
+dns_master_dump(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
+		const dns_master_style_t *style, const char *filename)
+{
+	FILE *f = NULL;
+	isc_result_t result;
+	char *tempname;
+	dns_dumpctx_t *dctx = NULL;
+
+	result = opentmp(mctx, filename, &tempname, &f);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = dumpctx_create(mctx, db, version, style, f, &dctx);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	result = dumptostreaminc(dctx);
+	INSIST(result != DNS_R_CONTINUE);
+	dns_dumpctx_detach(&dctx);
+
+	result = closeandrename(f, result, tempname, filename);
 
  cleanup:
-	isc_mem_put(mctx, tempname, tempnamelen);
+	isc_mem_free(mctx, tempname);
 	return (result);
 }
 
@@ -1127,3 +1413,40 @@ dns_master_dumpnode(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
 
 	return (result);
 }
+
+isc_result_t
+dns_master_stylecreate(dns_master_style_t **stylep, unsigned int flags,
+                       unsigned int ttl_column, unsigned int class_column,
+                       unsigned int type_column, unsigned int rdata_column,
+                       unsigned int line_length, unsigned int tab_width,
+                       isc_mem_t *mctx)
+{
+	dns_master_style_t *style;
+
+	REQUIRE(stylep != NULL && *stylep == NULL);
+	style = isc_mem_get(mctx, sizeof(*style));
+	if (style == NULL)
+		return (ISC_R_NOMEMORY);
+
+	style->flags = flags;
+	style->ttl_column = ttl_column;
+	style->class_column = class_column;
+	style->type_column = type_column;
+	style->rdata_column = rdata_column;
+	style->line_length = line_length;
+	style->tab_width = tab_width;
+
+	*stylep = style;
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_master_styledestroy(dns_master_style_t **stylep, isc_mem_t *mctx) {
+	dns_master_style_t *style;
+
+	REQUIRE(stylep != NULL && *stylep != NULL);
+	style = *stylep;
+	*stylep = NULL;
+	isc_mem_put(mctx, style, sizeof(*style));
+}
+
diff --git a/lib/dns/message.c b/lib/dns/message.c
index 9724d18b..f00dda81 100644
--- a/lib/dns/message.c
+++ b/lib/dns/message.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: message.c,v 1.194.2.22 2007/05/15 23:45:26 tbox Exp $ */
+/* $Id: message.c,v 1.194.2.10.2.16 2004/03/10 00:48:49 marka Exp $ */
 
 /***
  *** Imports
@@ -34,6 +34,7 @@
 #include <dns/log.h>
 #include <dns/masterdump.h>
 #include <dns/message.h>
+#include <dns/opcode.h>
 #include <dns/rdata.h>
 #include <dns/rdatalist.h>
 #include <dns/rdataset.h>
@@ -692,7 +693,7 @@ dns_message_create(isc_mem_t *mctx, unsigned int intent, dns_message_t **msgp)
 	m->from_to_wire = intent;
 	msginit(m);
 
-	for (i = 0 ; i < DNS_SECTION_MAX ; i++)
+	for (i = 0; i < DNS_SECTION_MAX; i++)
 		ISC_LIST_INIT(m->sections[i]);
 	m->mctx = mctx;
 
@@ -786,8 +787,8 @@ findname(dns_name_t **foundname, dns_name_t *target,
 {
 	dns_name_t *curr;
 
-	for (curr = ISC_LIST_TAIL(*section) ;
-	     curr != NULL ;
+	for (curr = ISC_LIST_TAIL(*section);
+	     curr != NULL;
 	     curr = ISC_LIST_PREV(curr, link)) {
 		if (dns_name_equal(curr, target)) {
 			if (foundname != NULL)
@@ -800,43 +801,17 @@ findname(dns_name_t **foundname, dns_name_t *target,
 }
 
 isc_result_t
-dns_message_find(dns_name_t *name, dns_rdataclass_t rdclass,
-		 dns_rdatatype_t type, dns_rdatatype_t covers,
-		 dns_rdataset_t **rdataset)
-{
-	dns_rdataset_t *curr;
-
-	if (rdataset != NULL) {
-		REQUIRE(*rdataset == NULL);
-	}
-
-	for (curr = ISC_LIST_TAIL(name->list);
-	     curr != NULL;
-	     curr = ISC_LIST_PREV(curr, link)) {
-		if (curr->rdclass == rdclass &&
-		    curr->type == type && curr->covers == covers) {
-			if (rdataset != NULL)
-				*rdataset = curr;
-			return (ISC_R_SUCCESS);
-		}
-	}
-
-	return (ISC_R_NOTFOUND);
-}
-
-isc_result_t
 dns_message_findtype(dns_name_t *name, dns_rdatatype_t type,
 		     dns_rdatatype_t covers, dns_rdataset_t **rdataset)
 {
 	dns_rdataset_t *curr;
 
-	REQUIRE(name != NULL);
 	if (rdataset != NULL) {
 		REQUIRE(*rdataset == NULL);
 	}
 
-	for (curr = ISC_LIST_TAIL(name->list) ;
-	     curr != NULL ;
+	for (curr = ISC_LIST_TAIL(name->list);
+	     curr != NULL;
 	     curr = ISC_LIST_PREV(curr, link)) {
 		if (curr->type == type && curr->covers == covers) {
 			if (rdataset != NULL)
@@ -914,7 +889,7 @@ getrdata(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
 	/* XXX possibly change this to a while (tries < 2) loop */
 	for (;;) {
 		result = dns_rdata_fromwire(rdata, rdclass, rdtype,
-					    source, dctx, ISC_FALSE,
+					    source, dctx, 0,
 					    scratch);
 
 		if (result == ISC_R_NOSPACE) {
@@ -979,7 +954,7 @@ getquestions(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
 	rdataset = NULL;
 	rdatalist = NULL;
 
-	for (count = 0 ; count < msg->counts[DNS_SECTION_QUESTION] ; count++) {
+	for (count = 0; count < msg->counts[DNS_SECTION_QUESTION]; count++) {
 		name = isc_mempool_get(msg->namepool);
 		if (name == NULL)
 			return (ISC_R_NOMEMORY);
@@ -1055,7 +1030,7 @@ getquestions(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
 		/*
 		 * Can't ask the same question twice.
 		 */
-		result = dns_message_find(name, rdclass, rdtype, 0, NULL);
+		result = dns_message_findtype(name, rdtype, 0, NULL);
 		if (result == ISC_R_SUCCESS)
 			DO_FORMERR;
 
@@ -1148,7 +1123,7 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
 	best_effort = ISC_TF(options & DNS_MESSAGEPARSE_BESTEFFORT);
 	seen_problem = ISC_FALSE;
 
-	for (count = 0 ; count < msg->counts[sectionid] ; count++) {
+	for (count = 0; count < msg->counts[sectionid]; count++) {
 		int recstart = source->current;
 		isc_boolean_t skip_name_search, skip_type_search;
 
@@ -1212,10 +1187,9 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
 		if (msg->opcode != dns_opcode_update
 		    && rdtype != dns_rdatatype_tsig
 		    && rdtype != dns_rdatatype_opt
-		    && rdtype != dns_rdatatype_key /* in a TKEY query */
+		    && rdtype != dns_rdatatype_dnskey /* in a TKEY query */
 		    && rdtype != dns_rdatatype_sig /* SIG(0) */
 		    && rdtype != dns_rdatatype_tkey /* Win2000 TKEY */
-		    && msg->rdclass != dns_rdataclass_any
 		    && msg->rdclass != rdclass)
 			DO_FORMERR;
 
@@ -1305,16 +1279,27 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
 			rdata->type = rdtype;
 			rdata->flags = DNS_RDATA_UPDATE;
 			result = ISC_R_SUCCESS;
-		} else
+		} else if (rdtype == dns_rdatatype_tsig)
 			result = getrdata(source, msg, dctx, rdclass,
 					  rdtype, rdatalen, rdata);
+		else
+			result = getrdata(source, msg, dctx, msg->rdclass,
+					  rdtype, rdatalen, rdata);
 		if (result != ISC_R_SUCCESS)
 			goto cleanup;
 		rdata->rdclass = rdclass;
-		issigzero = ISC_FALSE;
-		if (rdtype == dns_rdatatype_sig && rdata->flags == 0) {
+		if (rdtype == dns_rdatatype_rrsig  &&
+		    rdata->flags == 0) {
 			covers = dns_rdata_covers(rdata);
-			if (covers == 0) {
+			if (covers == 0)
+				DO_FORMERR;
+		} else
+			covers = 0;
+
+		issigzero = ISC_FALSE;
+		if (rdtype == dns_rdatatype_sig /* SIG(0) */ &&
+		    rdata->flags == 0) {
+			if (dns_rdata_covers(rdata) == 0) {
 				if (sectionid != DNS_SECTION_ADDITIONAL ||
 				    count != msg->counts[sectionid]  - 1)
 					DO_FORMERR;
@@ -1323,8 +1308,7 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
 				skip_type_search = ISC_TRUE;
 				issigzero = ISC_TRUE;
 			}
-		} else
-			covers = 0;
+		}
 
 		/*
 		 * If we are doing a dynamic update or this is a meta-type,
@@ -1377,8 +1361,8 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
 				DO_FORMERR;
 
 			rdataset = NULL;
-			result = dns_message_find(name, rdclass, rdtype,
-						   covers, &rdataset);
+			result = dns_message_findtype(name, rdtype, covers,
+						      &rdataset);
 		}
 
 		/*
@@ -1418,7 +1402,9 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
 			ISC_LIST_INIT(rdatalist->rdata);
 
 			dns_rdataset_init(rdataset);
-			dns_rdatalist_tordataset(rdatalist, rdataset);
+			RUNTIME_CHECK(dns_rdatalist_tordataset(rdatalist,
+							       rdataset)
+				      == ISC_R_SUCCESS);
 
 			if (rdtype != dns_rdatatype_opt && 
 			    rdtype != dns_rdatatype_tsig &&
@@ -1483,8 +1469,7 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
 			rdataset = NULL;
 			free_rdataset = ISC_FALSE;
 			free_name = ISC_FALSE;
-		}
-		else if (rdtype == dns_rdatatype_tsig && msg->tsig == NULL) {
+		} else if (rdtype == dns_rdatatype_tsig && msg->tsig == NULL) {
 			msg->tsig = rdataset;
 			msg->tsigname = name;
 			rdataset = NULL;
@@ -1492,13 +1477,6 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
 			free_name = ISC_FALSE;
 		}
 
-		if (seen_problem) {
-			if (free_name)
-				isc_mempool_put(msg->namepool, name);
-			if (free_rdataset)
-				isc_mempool_put(msg->rdspool, rdataset);
-			free_name = free_rdataset = ISC_FALSE;
-		}
 		INSIST(free_name == ISC_FALSE);
 		INSIST(free_rdataset == ISC_FALSE);
 	}
@@ -1608,7 +1586,7 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
 	isc_buffer_remainingregion(source, &r);
 	if (r.length != 0) {
 		isc_log_write(dns_lctx, ISC_LOGCATEGORY_GENERAL,
-			      DNS_LOGMODULE_MESSAGE, ISC_LOG_DEBUG(1),
+			      DNS_LOGMODULE_MESSAGE, ISC_LOG_DEBUG(3),
 			      "message has %u byte(s) of trailing garbage",
 			      r.length);
 	}
@@ -1727,7 +1705,7 @@ dns_message_renderreserve(dns_message_t *msg, unsigned int space) {
 }
 
 static inline isc_boolean_t
-wrong_priority(dns_rdataset_t *rds, int pass) {
+wrong_priority(dns_rdataset_t *rds, int pass, dns_rdatatype_t preferred_glue) {
 	int pass_needed;
 
 	/*
@@ -1739,11 +1717,13 @@ wrong_priority(dns_rdataset_t *rds, int pass) {
 	switch (rds->type) {
 	case dns_rdatatype_a:
 	case dns_rdatatype_aaaa:
-	case dns_rdatatype_a6:
-		pass_needed = 3;
+		if (preferred_glue == rds->type)
+			pass_needed = 4;
+		else
+			pass_needed = 3;
 		break;
-	case dns_rdatatype_sig:
-	case dns_rdatatype_key:
+	case dns_rdatatype_rrsig:
+	case dns_rdatatype_dnskey:
 		pass_needed = 2;
 		break;
 	default:
@@ -1768,6 +1748,8 @@ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
 	isc_buffer_t st; /* for rollbacks */
 	int pass;
 	isc_boolean_t partial = ISC_FALSE;
+	unsigned int rd_options;
+	dns_rdatatype_t preferred_glue = 0;
 
 	REQUIRE(DNS_MESSAGE_VALID(msg));
 	REQUIRE(msg->buffer != NULL);
@@ -1776,11 +1758,23 @@ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
 	section = &msg->sections[sectionid];
 
 	if ((sectionid == DNS_SECTION_ADDITIONAL)
-	    && (options & DNS_MESSAGERENDER_ORDERED) == 0)
-		pass = 3;
-	else
+	    && (options & DNS_MESSAGERENDER_ORDERED) == 0) {
+		if ((options & DNS_MESSAGERENDER_PREFER_A) != 0) {
+			preferred_glue = dns_rdatatype_a;
+			pass = 4;
+		} else if ((options & DNS_MESSAGERENDER_PREFER_AAAA) != 0) {
+			preferred_glue = dns_rdatatype_aaaa;
+			pass = 4;
+		} else
+			pass = 3;
+	} else
 		pass = 1;
 
+	if ((options & DNS_MESSAGERENDER_OMITDNSSEC) == 0)
+		rd_options = 0;
+	else
+		rd_options = DNS_RDATASETTOWIRE_OMITDNSSEC;
+
 	/*
 	 * Shrink the space in the buffer by the reserved amount.
 	 */
@@ -1790,55 +1784,6 @@ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
 	if (msg->reserved == 0 && (options & DNS_MESSAGERENDER_PARTIAL) != 0)
 		partial = ISC_TRUE;
 
-	/*
-	 * Render required glue first.  Set TC if it won't fit.
-	 */
-	name = ISC_LIST_HEAD(*section);
-	if (name != NULL) {
-		rdataset = ISC_LIST_HEAD(name->list);
-		if (rdataset != NULL &&
-		    (rdataset->attributes & DNS_RDATASETATTR_REQUIREDGLUE) != 0 &&
-		    (rdataset->attributes & DNS_RDATASETATTR_RENDERED) == 0) {
-			const void *order_arg = msg->order_arg;
-			st = *(msg->buffer);
-			count = 0;
-			if (partial)
-				result = dns_rdataset_towirepartial(rdataset,
-								    name,
-								    msg->cctx,
-								    msg->buffer,
-								    msg->order,
-								    order_arg,
-								    &count,
-								    NULL);
-			else
-				result = dns_rdataset_towiresorted(rdataset,
-								   name,
-								   msg->cctx,
-								   msg->buffer,
-								   msg->order,
-								   order_arg,
-								   &count);
-			total += count;
-			if (partial && result == ISC_R_NOSPACE) {
-				msg->flags |= DNS_MESSAGEFLAG_TC;
-				msg->buffer->length += msg->reserved;
-				msg->counts[sectionid] += total;
-				return (result);
-			}
-			if (result != ISC_R_SUCCESS) {
-				INSIST(st.used < 65536);
-				dns_compress_rollback(msg->cctx,
-						      (isc_uint16_t)st.used);
-				*(msg->buffer) = st;  /* rollback */
-				msg->buffer->length += msg->reserved;
-				msg->counts[sectionid] += total;
-				return (result);
-			}
-			rdataset->attributes |= DNS_RDATASETATTR_RENDERED;
-		}
-	}
-
 	do {
 		name = ISC_LIST_HEAD(*section);
 		if (name == NULL) {
@@ -1861,7 +1806,8 @@ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
 				if (((options & DNS_MESSAGERENDER_ORDERED)
 				     == 0)
 				    && (sectionid == DNS_SECTION_ADDITIONAL)
-				    && wrong_priority(rdataset, pass))
+				    && wrong_priority(rdataset, pass,
+						      preferred_glue))
 					goto next;
 
 				st = *(msg->buffer);
@@ -1875,6 +1821,7 @@ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
 							  msg->buffer,
 							  msg->order,
 							  msg->order_arg,
+							  rd_options,
 							  &count,
 							  NULL);
 				else
@@ -1885,6 +1832,7 @@ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
 							  msg->buffer,
 							  msg->order,
 							  msg->order_arg,
+							  rd_options,
 							  &count);
 
 				total += count;
@@ -2011,7 +1959,8 @@ dns_message_renderend(dns_message_t *msg) {
 		 */
 		count = 0;
 		result = dns_rdataset_towire(msg->opt, dns_rootname,
-					     msg->cctx, msg->buffer, &count);
+					     msg->cctx, msg->buffer, 0,
+					     &count);
 		msg->counts[DNS_SECTION_ADDITIONAL] += count;
 		if (result != ISC_R_SUCCESS)
 			return (result);
@@ -2052,7 +2001,8 @@ dns_message_renderend(dns_message_t *msg) {
 			return (result);
 		count = 0;
 		result = dns_rdataset_towire(msg->tsig, msg->tsigname,
-					     msg->cctx, msg->buffer, &count);
+					     msg->cctx, msg->buffer, 0,
+					     &count);
 		msg->counts[DNS_SECTION_ADDITIONAL] += count;
 		if (result != ISC_R_SUCCESS)
 			return (result);
@@ -2074,7 +2024,8 @@ dns_message_renderend(dns_message_t *msg) {
 		 * be set in a message being rendered.
 		 */
 		result = dns_rdataset_towire(msg->sig0, dns_rootname,
-					     msg->cctx, msg->buffer, &count);
+					     msg->cctx, msg->buffer, 0,
+					     &count);
 		msg->counts[DNS_SECTION_ADDITIONAL] += count;
 		if (result != ISC_R_SUCCESS)
 			return (result);
@@ -2479,7 +2430,6 @@ dns_message_setopt(dns_message_t *msg, dns_rdataset_t *opt) {
 	REQUIRE(DNS_MESSAGE_VALID(msg));
 	REQUIRE(opt->type == dns_rdatatype_opt);
 	REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTRENDER);
-	REQUIRE(msg->buffer != NULL);
 	REQUIRE(msg->state == DNS_SECTION_ANY);
 
 	msgresetopt(msg);
@@ -2539,12 +2489,14 @@ dns_message_settsigkey(dns_message_t *msg, dns_tsigkey_t *key) {
 		dns_tsigkey_detach(&msg->tsigkey);
 	}
 	if (key != NULL) {
+		REQUIRE(msg->tsigkey == NULL && msg->sig0key == NULL);
 		dns_tsigkey_attach(key, &msg->tsigkey);
 		if (msg->from_to_wire == DNS_MESSAGE_INTENTRENDER) {
 			msg->sig_reserved = spacefortsig(msg->tsigkey, 0);
 			result = dns_message_renderreserve(msg,
 							   msg->sig_reserved);
 			if (result != ISC_R_SUCCESS) {
+				dns_tsigkey_detach(&msg->tsigkey);
 				msg->sig_reserved = 0;
 				return (result);
 			}
@@ -2703,8 +2655,8 @@ dns_message_setsig0key(dns_message_t *msg, dst_key_t *key) {
 	REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTRENDER);
 	REQUIRE(msg->state == DNS_SECTION_ANY);
 
-	msg->sig0key = key;
 	if (key != NULL) {
+		REQUIRE(msg->sig0key == NULL && msg->tsigkey == NULL);
 		dns_name_toregion(dst_key_name(key), &r);
 		result = dst_key_sigsize(key, &x);
 		if (result != ISC_R_SUCCESS) {
@@ -2717,6 +2669,7 @@ dns_message_setsig0key(dns_message_t *msg, dst_key_t *key) {
 			msg->sig_reserved = 0;
 			return (result);
 		}
+		msg->sig0key = key;
 	}
 	return (ISC_R_SUCCESS);
 }
@@ -2823,6 +2776,26 @@ dns_message_signer(dns_message_t *msg, dns_name_t *signer) {
 	return (result);
 }
 
+void
+dns_message_resetsig(dns_message_t *msg) {
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	msg->verified_sig = 0;
+	msg->verify_attempted = 0;
+	msg->tsigstatus = dns_rcode_noerror;
+	msg->sig0status = dns_rcode_noerror;
+	msg->timeadjust = 0;
+	if (msg->tsigkey != NULL) {
+		dns_tsigkey_detach(&msg->tsigkey);
+		msg->tsigkey = NULL;
+	}
+}
+
+isc_result_t
+dns_message_rechecksig(dns_message_t *msg, dns_view_t *view) {
+	dns_message_resetsig(msg);
+	return (dns_message_checksig(msg, view));
+}
+
 isc_result_t
 dns_message_checksig(dns_message_t *msg, dns_view_t *view) {
 	isc_buffer_t b, msgb;
@@ -2867,8 +2840,8 @@ dns_message_checksig(dns_message_t *msg, dns_view_t *view) {
 		if (view == NULL)
 			return (DNS_R_KEYUNAUTHORIZED);
 		result = dns_view_simplefind(view, &sig.signer,
-					     dns_rdatatype_key, 0, 0,
-					     ISC_FALSE, &keyset, NULL);
+					     dns_rdatatype_key /* SIG(0) */,
+					     0, 0, ISC_FALSE, &keyset, NULL);
 
 		if (result != ISC_R_SUCCESS) {
 			/* XXXBEW Should possibly create a fetch here */
@@ -2939,7 +2912,8 @@ dns_message_sectiontotext(dns_message_t *msg, dns_section_t section,
 		ADD_STRING(target, ";; ");
 		if (msg->opcode != dns_opcode_update) {
 			ADD_STRING(target, sectiontext[section]);
-		} else {
+		}
+		else {
 			ADD_STRING(target, updsectiontext[section]);
 		}
 		ADD_STRING(target, " SECTION:\n");
@@ -3051,7 +3025,7 @@ dns_message_pseudosectiontotext(dns_message_t *msg,
 isc_result_t
 dns_message_totext(dns_message_t *msg, const dns_master_style_t *style,
 		   dns_messagetextflag_t flags, isc_buffer_t *target) {
-	char buf[sizeof "1234567890"];
+	char buf[sizeof("1234567890")];
 	isc_result_t result;
 
 	REQUIRE(DNS_MESSAGE_VALID(msg));
@@ -3061,14 +3035,9 @@ dns_message_totext(dns_message_t *msg, const dns_master_style_t *style,
 		ADD_STRING(target, ";; ->>HEADER<<- opcode: ");
 		ADD_STRING(target, opcodetext[msg->opcode]);
 		ADD_STRING(target, ", status: ");
-		if (msg->rcode < (sizeof(rcodetext)/sizeof(rcodetext[0]))) {
-			ADD_STRING(target, rcodetext[msg->rcode]);
-		} else {
-			snprintf(buf, sizeof(buf), "%4u", msg->rcode);
-			ADD_STRING(target, buf);
-		}
+		ADD_STRING(target, rcodetext[msg->rcode]);
 		ADD_STRING(target, ", id: ");
-		sprintf(buf, "%6u", msg->id);
+		snprintf(buf, sizeof(buf), "%6u", msg->id);
 		ADD_STRING(target, buf);
 		ADD_STRING(target, "\n;; flags: ");
 		if ((msg->flags & DNS_MESSAGEFLAG_QR) != 0)
@@ -3090,24 +3059,28 @@ dns_message_totext(dns_message_t *msg, const dns_master_style_t *style,
 		} else {
 			ADD_STRING(target, "; ZONE: ");
 		}
-		sprintf(buf, "%1u", msg->counts[DNS_SECTION_QUESTION]);
+		snprintf(buf, sizeof(buf), "%1u",
+			 msg->counts[DNS_SECTION_QUESTION]);
 		ADD_STRING(target, buf);
 		if (msg->opcode != dns_opcode_update) {
 			ADD_STRING(target, ", ANSWER: ");
 		} else {
 			ADD_STRING(target, ", PREREQ: ");
 		}
-		sprintf(buf, "%1u", msg->counts[DNS_SECTION_ANSWER]);
+		snprintf(buf, sizeof(buf), "%1u",
+			 msg->counts[DNS_SECTION_ANSWER]);
 		ADD_STRING(target, buf);
 		if (msg->opcode != dns_opcode_update) {
 			ADD_STRING(target, ", AUTHORITY: ");
 		} else {
 			ADD_STRING(target, ", UPDATE: ");
 		}
-		sprintf(buf, "%1u", msg->counts[DNS_SECTION_AUTHORITY]);
+		snprintf(buf, sizeof(buf), "%1u",
+			msg->counts[DNS_SECTION_AUTHORITY]);
 		ADD_STRING(target, buf);
 		ADD_STRING(target, ", ADDITIONAL: ");
-		sprintf(buf, "%1u", msg->counts[DNS_SECTION_ADDITIONAL]);
+		snprintf(buf, sizeof(buf), "%1u",
+			msg->counts[DNS_SECTION_ADDITIONAL]);
 		ADD_STRING(target, buf);
 		ADD_STRING(target, "\n");
 	}
@@ -3157,7 +3130,7 @@ dns_message_getrawmessage(dns_message_t *msg) {
 
 void
 dns_message_setsortorder(dns_message_t *msg, dns_rdatasetorderfunc_t order,
-			 const void *order_arg)
+			 void *order_arg)
 {
 	REQUIRE(DNS_MESSAGE_VALID(msg));
 	msg->order = order;
@@ -3175,3 +3148,14 @@ dns_message_gettimeadjust(dns_message_t *msg) {
 	REQUIRE(DNS_MESSAGE_VALID(msg));
 	return (msg->timeadjust);
 }
+
+isc_result_t
+dns_opcode_totext(dns_opcode_t opcode, isc_buffer_t *target) {
+
+	REQUIRE(opcode < 16);
+
+	if (isc_buffer_availablelength(target) < strlen(opcodetext[opcode]))
+		return (ISC_R_NOSPACE);
+	isc_buffer_putstr(target, opcodetext[opcode]);
+	return (ISC_R_SUCCESS);
+}
diff --git a/lib/dns/name.c b/lib/dns/name.c
index 2f868fb3..126eb063 100644
--- a/lib/dns/name.c
+++ b/lib/dns/name.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: name.c,v 1.127.2.15 2006/12/07 07:02:47 marka Exp $ */
+/* $Id: name.c,v 1.127.2.7.2.9 2004/03/08 21:06:26 marka Exp $ */
 
 #include <config.h>
 
@@ -41,16 +41,6 @@ typedef enum {
 	ft_initialescape,
 	ft_escape,
 	ft_escdecimal,
-	ft_bitstring,
-	ft_binary,
-	ft_octal,
-	ft_hex,
-	ft_dottedquad,
-	ft_dqdecimal,
-	ft_maybeslash,
-	ft_finishbitstring,
-	ft_bitlength,
-	ft_eatdot,
 	ft_at
 } ft_state;
 
@@ -58,7 +48,6 @@ typedef enum {
 	fw_start = 0,
 	fw_ordinary,
 	fw_copy,
-	fw_bitstring,
 	fw_newcurrent
 } fw_state;
 
@@ -81,11 +70,6 @@ static char digitvalue[256] = {
 	-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /*256*/
 };
 
-static char hexdigits[16] = {
-	'0', '1', '2', '3', '4', '5', '6', '7',
-	'8', '9', 'A', 'B', 'C', 'D', 'E', 'F'
-};
-
 static unsigned char maptolower[] = {
 	0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
 	0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
@@ -177,7 +161,7 @@ static dns_name_t root =
 };
 
 /* XXXDCL make const? */
-dns_name_t *dns_rootname = &root;
+LIBDNS_EXTERNAL_DATA dns_name_t *dns_rootname = &root;
 
 static unsigned char wild_ndata[] = { '\001', '*' };
 static unsigned char wild_offsets[] = { 0 };
@@ -193,109 +177,12 @@ static dns_name_t wild =
 };
 
 /* XXXDCL make const? */
-dns_name_t *dns_wildcardname = &wild;
-
-unsigned int
-dns_fullname_hash(dns_name_t *name, isc_boolean_t case_sensitive);
+LIBDNS_EXTERNAL_DATA dns_name_t *dns_wildcardname = &wild;
 
 static void
 set_offsets(const dns_name_t *name, unsigned char *offsets,
 	    dns_name_t *set_name);
 
-static void
-compact(dns_name_t *name, unsigned char *offsets);
-
-/*
- * Yes, get_bit and set_bit are lame.  We define them here so they can
- * be inlined by smart compilers.
- */
-
-static inline unsigned int
-get_bit(unsigned char *array, unsigned int idx) {
-	unsigned int byte, shift;
-
-	byte = array[idx / 8];
-	shift = 7 - (idx % 8);
-
-	return ((byte >> shift) & 0x01);
-}
-
-static inline void
-set_bit(unsigned char *array, unsigned int idx, unsigned int bit) {
-	unsigned int shift, mask;
-
-	shift = 7 - (idx % 8);
-	mask = 1 << shift;
-
-	if (bit != 0)
-		array[idx / 8] |= mask;
-	else
-		array[idx / 8] &= (~mask & 0xFF);
-}
-
-dns_labeltype_t
-dns_label_type(dns_label_t *label) {
-	/*
-	 * Get the type of 'label'.
-	 */
-
-	REQUIRE(label != NULL);
-	REQUIRE(label->length > 0);
-	REQUIRE(label->base[0] <= 63 ||
-		label->base[0] == DNS_LABELTYPE_BITSTRING);
-
-	if (label->base[0] <= 63)
-		return (dns_labeltype_ordinary);
-	else
-		return (dns_labeltype_bitstring);
-}
-
-unsigned int
-dns_label_countbits(dns_label_t *label) {
-	unsigned int count;
-
-	/*
-	 * The number of bits in a bitstring label.
-	 */
-
-	REQUIRE(label != NULL);
-	REQUIRE(label->length > 2);
-	REQUIRE(label->base[0] == DNS_LABELTYPE_BITSTRING);
-
-	count = label->base[1];
-	if (count == 0)
-		count = 256;
-
-	return (count);
-}
-
-dns_bitlabel_t
-dns_label_getbit(dns_label_t *label, unsigned int n) {
-	unsigned int count, bit;
-
-	/*
-	 * The 'n'th most significant bit of 'label'.
-	 *
-	 * Notes:
-	 *	Numbering starts at 0.
-	 */
-
-	REQUIRE(label != NULL);
-	REQUIRE(label->length > 2);
-	REQUIRE(label->base[0] == DNS_LABELTYPE_BITSTRING);
-
-	count = label->base[1];
-	if (count == 0)
-		count = 256;
-
-	REQUIRE(n < count);
-
-	bit = get_bit(&label->base[2], n);
-	if (bit == 0)
-		return (dns_bitlabel_0);
-	return (dns_bitlabel_1);
-}
-
 void
 dns_name_init(dns_name_t *name, unsigned char *offsets) {
 	/*
@@ -371,73 +258,137 @@ dns_name_isabsolute(const dns_name_t *name) {
 	return (ISC_FALSE);
 }
 
+#define hyphenchar(c) ((c) == 0x2d)
+#define asterchar(c) ((c) == 0x2a)
+#define alphachar(c) (((c) >= 0x41 && (c) <= 0x5a) \
+		      || ((c) >= 0x61 && (c) <= 0x7a))
+#define digitchar(c) ((c) >= 0x30 && (c) <= 0x39)
+#define borderchar(c) (alphachar(c) || digitchar(c))
+#define middlechar(c) (borderchar(c) || hyphenchar(c))
+#define domainchar(c) ((c) > 0x20 && (c) < 0x7f)
+
 isc_boolean_t
-dns_name_iswildcard(const dns_name_t *name) {
-	unsigned char *ndata;
+dns_name_ismailbox(const dns_name_t *name) {
+	unsigned char *ndata, ch;
+	unsigned int n;
+	isc_boolean_t first;
+
+	REQUIRE(VALID_NAME(name));
+	REQUIRE(name->labels > 0);
+	REQUIRE(name->attributes & DNS_NAMEATTR_ABSOLUTE);
+
+	/* 
+	 * Root label.
+	 */
+	if (name->length == 1)
+		return (ISC_TRUE);
+
+	ndata = name->ndata;
+	n = *ndata++;
+	INSIST(n < 63);
+	while (n--) {
+		ch = *ndata++;
+		if (!domainchar(ch))
+			return (ISC_FALSE);
+	}
+	
+	if (ndata == name->ndata + name->length)
+		return (ISC_FALSE);
 
 	/*
-	 * Is 'name' a wildcard name?
+	 * RFC292/RFC1123 hostname.
 	 */
+	while (ndata < (name->ndata + name->length)) {
+		n = *ndata++;
+		INSIST(n < 63);
+		first = ISC_TRUE;
+		while (n--) {
+			ch = *ndata++;
+			if (first || n == 0) {
+				if (!borderchar(ch))
+					return (ISC_FALSE);
+			} else {
+				if (!middlechar(ch))
+					return (ISC_FALSE);
+			}
+			first = ISC_FALSE;
+		}
+	}
+	return (ISC_TRUE);
+}
+
+isc_boolean_t
+dns_name_ishostname(const dns_name_t *name, isc_boolean_t wildcard) {
+	unsigned char *ndata, ch;
+	unsigned int n;
+	isc_boolean_t first;
 
 	REQUIRE(VALID_NAME(name));
 	REQUIRE(name->labels > 0);
+	REQUIRE(name->attributes & DNS_NAMEATTR_ABSOLUTE);
+	
+	/* 
+	 * Root label.
+	 */
+	if (name->length == 1)
+		return (ISC_TRUE);
 
-	if (name->length >= 2) {
-		ndata = name->ndata;
-		if (ndata[0] == 1 && ndata[1] == '*')
-			return (ISC_TRUE);
-	}
+	/*
+	 * Skip wildcard if this is a ownername.
+	 */
+	ndata = name->ndata;
+	if (wildcard && ndata[0] == 1 && ndata[1] == '*')
+		ndata += 2;
 
-	return (ISC_FALSE);
+	/*
+	 * RFC292/RFC1123 hostname.
+	 */
+	while (ndata < (name->ndata + name->length)) {
+		n = *ndata++;
+		INSIST(n < 63);
+		first = ISC_TRUE;
+		while (n--) {
+			ch = *ndata++;
+			if (first || n == 0) {
+				if (!borderchar(ch))
+					return (ISC_FALSE);
+			} else {
+				if (!middlechar(ch))
+					return (ISC_FALSE);
+			}
+			first = ISC_FALSE;
+		}
+	}
+	return (ISC_TRUE);
 }
 
 isc_boolean_t
-dns_name_requiresedns(const dns_name_t *name) {
-	unsigned int count, nrem;
+dns_name_iswildcard(const dns_name_t *name) {
 	unsigned char *ndata;
-	isc_boolean_t requiresedns = ISC_FALSE;
 
 	/*
-	 * Does 'name' require EDNS for transmission?
+	 * Is 'name' a wildcard name?
 	 */
 
 	REQUIRE(VALID_NAME(name));
 	REQUIRE(name->labels > 0);
 
-	ndata = name->ndata;
-	nrem = name->length;
-	while (nrem > 0) {
-		count = *ndata++;
-		nrem--;
-		if (count == 0)
-			break;
-		if (count > 63) {
-			INSIST(count == DNS_LABELTYPE_BITSTRING);
-			requiresedns = ISC_TRUE;
-			break;
-		}
-		INSIST(nrem >= count);
-		nrem -= count;
-		ndata += count;
+	if (name->length >= 2) {
+		ndata = name->ndata;
+		if (ndata[0] == 1 && ndata[1] == '*')
+			return (ISC_TRUE);
 	}
 
-	return (requiresedns);
+	return (ISC_FALSE);
 }
 
-unsigned int
-dns_name_hash(dns_name_t *name, isc_boolean_t case_sensitive) {
+static inline unsigned int
+name_hash(dns_name_t *name, isc_boolean_t case_sensitive) {
 	unsigned int length;
 	const unsigned char *s;
 	unsigned int h = 0;
 	unsigned char c;
 
-	/*
-	 * Provide a hash value for 'name'.
-	 */
-	REQUIRE(VALID_NAME(name));
-
-	if (name->labels == 0)
-		return (0);
 	length = name->length;
 	if (length > 16)
 		length = 16;
@@ -466,7 +417,20 @@ dns_name_hash(dns_name_t *name, isc_boolean_t case_sensitive) {
 }
 
 unsigned int
-dns_name_fullhash(dns_name_t *name, isc_boolean_t case_sensitive) {
+dns_name_hash(dns_name_t *name, isc_boolean_t case_sensitive) {
+	/*
+	 * Provide a hash value for 'name'.
+	 */
+	REQUIRE(VALID_NAME(name));
+
+	if (name->labels == 0)
+		return (0);
+
+	return (name_hash(name, case_sensitive));
+}
+
+unsigned int
+dns_fullname_hash(dns_name_t *name, isc_boolean_t case_sensitive) {
 	/*
 	 * Provide a hash value for 'name'.
 	 */
@@ -480,24 +444,44 @@ dns_name_fullhash(dns_name_t *name, isc_boolean_t case_sensitive) {
 }
 
 unsigned int
-dns_fullname_hash(dns_name_t *name, isc_boolean_t case_sensitive) {
+dns_name_hashbylabel(dns_name_t *name, isc_boolean_t case_sensitive) {
+	unsigned char *offsets;
+	dns_offsets_t odata;
+	dns_name_t tname;
+	unsigned int h = 0;
+	unsigned int i;
+
 	/*
-	 * This function was deprecated due to the breakage of the name space
-	 * convention.  We only keep this internally to provide binary backward
-	 * compatibility.
+	 * Provide a hash value for 'name'.
 	 */
 	REQUIRE(VALID_NAME(name));
 
-	return (dns_name_fullhash(name, case_sensitive));
+	if (name->labels == 0)
+		return (0);
+	else if (name->labels == 1)
+		return (name_hash(name, case_sensitive));
+
+	SETUP_OFFSETS(name, offsets, odata);
+	DNS_NAME_INIT(&tname, NULL);
+	tname.labels = 1;
+	h = 0;
+	for (i = 0; i < name->labels; i++) {
+		tname.ndata = name->ndata + offsets[i];
+		if (i == name->labels - 1)
+			tname.length = name->length - offsets[i];
+		else
+			tname.length = offsets[i + 1] - offsets[i];
+		h += name_hash(&tname, case_sensitive);
+	}
+
+	return (h);
 }
 
 dns_namereln_t
 dns_name_fullcompare(const dns_name_t *name1, const dns_name_t *name2,
-		     int *orderp,
-		     unsigned int *nlabelsp, unsigned int *nbitsp)
+		     int *orderp, unsigned int *nlabelsp)
 {
-	unsigned int l1, l2, l, count1, count2, count;
-	unsigned int b1, b2, n, nlabels, nbits;
+	unsigned int l1, l2, l, count1, count2, count, nlabels;
 	int cdiff, ldiff, chdiff;
 	unsigned char *label1, *label2;
 	unsigned char *offsets1, *offsets2;
@@ -519,7 +503,6 @@ dns_name_fullcompare(const dns_name_t *name1, const dns_name_t *name2,
 	REQUIRE(VALID_NAME(name2));
 	REQUIRE(orderp != NULL);
 	REQUIRE(nlabelsp != NULL);
-	REQUIRE(nbitsp != NULL);
 	/*
 	 * Either name1 is absolute and name2 is absolute, or neither is.
 	 */
@@ -530,7 +513,6 @@ dns_name_fullcompare(const dns_name_t *name1, const dns_name_t *name2,
 	SETUP_OFFSETS(name2, offsets2, odata2);
 
 	nlabels = 0;
-	nbits = 0;
 	l1 = name1->labels;
 	l2 = name2->labels;
 	ldiff = (int)l1 - (int)l2;
@@ -547,124 +529,35 @@ dns_name_fullcompare(const dns_name_t *name1, const dns_name_t *name2,
 		label2 = &name2->ndata[offsets2[l2]];
 		count1 = *label1++;
 		count2 = *label2++;
-		if (count1 <= 63 && count2 <= 63) {
-			cdiff = (int)count1 - (int)count2;
-			if (cdiff < 0)
-				count = count1;
-			else
-				count = count2;
 
-			while (count > 0) {
-				chdiff = (int)maptolower[*label1] -
-					(int)maptolower[*label2];
-				if (chdiff != 0) {
-					*orderp = chdiff;
-					goto done;
-				}
-				count--;
-				label1++;
-				label2++;
-			}
-			if (cdiff != 0) {
-				*orderp = cdiff;
+		/*
+		 * We dropped bitstring labels, and we don't support any
+		 * other extended label types.
+		 */
+		INSIST(count1 <= 63 && count2 <= 63);
+
+		cdiff = (int)count1 - (int)count2;
+		if (cdiff < 0)
+			count = count1;
+		else
+			count = count2;
+
+		while (count > 0) {
+			chdiff = (int)maptolower[*label1] -
+			    (int)maptolower[*label2];
+			if (chdiff != 0) {
+				*orderp = chdiff;
 				goto done;
 			}
-			nlabels++;
-		} else if (count1 == DNS_LABELTYPE_BITSTRING && count2 <= 63) {
-			if (count2 == 0)
-				*orderp = 1;
-			else
-				*orderp = -1;
-			goto done;
-		} else if (count2 == DNS_LABELTYPE_BITSTRING && count1 <= 63) {
-			if (count1 == 0)
-				*orderp = -1;
-			else
-				*orderp = 1;
+			count--;
+			label1++;
+			label2++;
+		}
+		if (cdiff != 0) {
+			*orderp = cdiff;
 			goto done;
-		} else {
-			INSIST(count1 == DNS_LABELTYPE_BITSTRING &&
-			       count2 == DNS_LABELTYPE_BITSTRING);
-			count1 = *label1++;
-			if (count1 == 0)
-				count1 = 256;
-			count2 = *label2++;
-			if (count2 == 0)
-				count2 = 256;
-			if (count1 < count2) {
-				cdiff = -1;
-				count = count1;
-			} else {
-				count = count2;
-				if (count1 > count2)
-					cdiff = 1;
-				else
-					cdiff = 0;
-			}
-			/* Yes, this loop is really slow! */
-			for (n = 0; n < count; n++) {
-				b1 = get_bit(label1, n);
-				b2 = get_bit(label2, n);
-				if (b1 < b2) {
-					*orderp = -1;
-					goto done;
-				} else if (b1 > b2) {
-					*orderp = 1;
-					goto done;
-				}
-				if (nbits == 0)
-					nlabels++;
-				nbits++;
-			}
-			if (cdiff != 0) {
-				/*
-				 * If we're here, then we have two bitstrings
-				 * of differing length.
-				 *
-				 * If the name with the shorter bitstring
-				 * has any labels, then it must be greater
-				 * than the longer bitstring.  This is a bit
-				 * counterintuitive.  If the name with the
-				 * shorter bitstring has any more labels, then
-				 * the next label must be an ordinary label.
-				 * It can't be a bitstring label because if it
-				 * were, then there would be room for it in
-				 * the current bitstring label (since all
-				 * bitstrings are canonicalized).  Since
-				 * there's at least one more bit in the
-				 * name with the longer bitstring, and since
-				 * a bitlabel sorts before any ordinary label,
-				 * the name with the longer bitstring must
-				 * be lexically before the one with the shorter
-				 * bitstring.
-				 *
-				 * On the other hand, if there are no more
-				 * labels in the name with the shorter
-				 * bitstring, then that name contains the
-				 * other name.
-				 */
-				namereln = dns_namereln_commonancestor;
-				if (cdiff < 0) {
-					if (l1 > 0)
-						*orderp = 1;
-					else {
-						*orderp = -1;
-						namereln =
-							dns_namereln_contains;
-					}
-				} else {
-					if (l2 > 0)
-						*orderp = -1;
-					else {
-						*orderp = 1;
-						namereln =
-							dns_namereln_subdomain;
-					}
-				}
-				goto done;
-			}
-			nbits = 0;
 		}
+		nlabels++;
 	}
 
 	*orderp = ldiff;
@@ -677,7 +570,6 @@ dns_name_fullcompare(const dns_name_t *name1, const dns_name_t *name2,
 
  done:
 	*nlabelsp = nlabels;
-	*nbitsp = nbits;
 
 	if (nlabels > 0 && namereln == dns_namereln_none)
 		namereln = dns_namereln_commonancestor;
@@ -688,7 +580,7 @@ dns_name_fullcompare(const dns_name_t *name1, const dns_name_t *name2,
 int
 dns_name_compare(const dns_name_t *name1, const dns_name_t *name2) {
 	int order;
-	unsigned int nlabels, nbits;
+	unsigned int nlabels;
 
 	/*
 	 * Determine the relative ordering under the DNSSEC order relation of
@@ -700,7 +592,7 @@ dns_name_compare(const dns_name_t *name1, const dns_name_t *name2) {
 	 * same domain.
 	 */
 
-	(void)dns_name_fullcompare(name1, name2, &order, &nlabels, &nbits);
+	(void)dns_name_fullcompare(name1, name2, &order, &nlabels);
 
 	return (order);
 }
@@ -743,30 +635,14 @@ dns_name_equal(const dns_name_t *name1, const dns_name_t *name2) {
 		count = *label1++;
 		if (count != *label2++)
 			return (ISC_FALSE);
-		if (count <= 63) {
-			while (count > 0) {
-				count--;
-				c = maptolower[*label1++];
-				if (c != maptolower[*label2++])
-					return (ISC_FALSE);
-			}
-		} else {
-			INSIST(count == DNS_LABELTYPE_BITSTRING);
-			count = *label1++;
-			if (count != *label2++)
+
+		INSIST(count <= 63); /* no bitstring support */
+
+		while (count > 0) {
+			count--;
+			c = maptolower[*label1++];
+			if (c != maptolower[*label2++])
 				return (ISC_FALSE);
-			if (count == 0)
-				count = 256;
-			/*
-			 * Number of bytes.
-			 */
-			count = (count + 7) / 8;
-			while (count > 0) {
-				count--;
-				c = *label1++;
-				if (c != *label2++)
-					return (ISC_FALSE);
-			}
 		}
 	}
 
@@ -801,43 +677,21 @@ dns_name_rdatacompare(const dns_name_t *name1, const dns_name_t *name2) {
 		l--;
 		count1 = *label1++;
 		count2 = *label2++;
-		if (count1 <= 63 && count2 <= 63) {
-			if (count1 != count2)
-				return ((count1 < count2) ? -1 : 1);
-			count = count1;
-			while (count > 0) {
-				count--;
-				c1 = maptolower[*label1++];
-				c2 = maptolower[*label2++];
-				if (c1 < c2)
-					return (-1);
-				else if (c1 > c2)
-					return (1);
-			}
-		} else if (count1 == DNS_LABELTYPE_BITSTRING && count2 <= 63) {
-			return (1);
-		} else if (count2 == DNS_LABELTYPE_BITSTRING && count1 <= 63) {
-			return (-1);
-		} else {
-			INSIST(count1 == DNS_LABELTYPE_BITSTRING &&
-			       count2 == DNS_LABELTYPE_BITSTRING);
-			count2 = *label2++;
-			count1 = *label1++;
-			if (count1 != count2)
-				return ((count1 < count2) ? -1 : 1);
-			if (count1 == 0)
-				count1 = 256;
-			if (count2 == 0)
-				count2 = 256;
-			/* number of bytes */
-			count = (count1 + 7) / 8;
-			while (count > 0) {
-				count--;
-				c1 = *label1++;
-				c2 = *label2++;
-				if (c1 != c2)
-					return ((c1 < c2) ? -1 : 1);
-			}
+
+		/* no bitstring support */
+		INSIST(count1 <= 63 && count2 <= 63);
+
+		if (count1 != count2)
+			return ((count1 < count2) ? -1 : 1);
+		count = count1;
+		while (count > 0) {
+			count--;
+			c1 = maptolower[*label1++];
+			c2 = maptolower[*label2++];
+			if (c1 < c2)
+				return (-1);
+			else if (c1 > c2)
+				return (1);
 		}
 	}
 
@@ -856,7 +710,7 @@ dns_name_rdatacompare(const dns_name_t *name1, const dns_name_t *name2) {
 isc_boolean_t
 dns_name_issubdomain(const dns_name_t *name1, const dns_name_t *name2) {
 	int order;
-	unsigned int nlabels, nbits;
+	unsigned int nlabels;
 	dns_namereln_t namereln;
 
 	/*
@@ -868,8 +722,7 @@ dns_name_issubdomain(const dns_name_t *name1, const dns_name_t *name2) {
 	 * same domain.
 	 */
 
-	namereln = dns_name_fullcompare(name1, name2, &order, &nlabels,
-					&nbits);
+	namereln = dns_name_fullcompare(name1, name2, &order, &nlabels);
 	if (namereln == dns_namereln_subdomain ||
 	    namereln == dns_namereln_equal)
 		return (ISC_TRUE);
@@ -880,7 +733,7 @@ dns_name_issubdomain(const dns_name_t *name1, const dns_name_t *name2) {
 isc_boolean_t
 dns_name_matcheswildcard(const dns_name_t *name, const dns_name_t *wname) {
 	int order;
-	unsigned int nlabels, nbits, labels;
+	unsigned int nlabels, labels;
 	dns_name_t tname;
 
 	REQUIRE(VALID_NAME(name));
@@ -892,57 +745,13 @@ dns_name_matcheswildcard(const dns_name_t *name, const dns_name_t *wname) {
 
 	DNS_NAME_INIT(&tname, NULL);
 	dns_name_getlabelsequence(wname, 1, labels - 1, &tname);
-	if (dns_name_fullcompare(name, &tname, &order, &nlabels, &nbits) ==
+	if (dns_name_fullcompare(name, &tname, &order, &nlabels) ==
 	    dns_namereln_subdomain)
 		return (ISC_TRUE);
 	return (ISC_FALSE);
 }
 
 unsigned int
-dns_name_depth(const dns_name_t *name) {
-	unsigned int depth, count, nrem, n;
-	unsigned char *ndata;
-
-	/*
-	 * The depth of 'name'.
-	 */
-
-	REQUIRE(VALID_NAME(name));
-
-	if (name->labels == 0)
-		return (0);
-
-	depth = 0;
-	ndata = name->ndata;
-	nrem = name->length;
-	while (nrem > 0) {
-		count = *ndata++;
-		nrem--;
-		if (count > 63) {
-			INSIST(count == DNS_LABELTYPE_BITSTRING);
-			INSIST(nrem != 0);
-			n = *ndata++;
-			nrem--;
-			if (n == 0)
-				n = 256;
-			depth += n;
-			count = n / 8;
-			if (n % 8 != 0)
-				count++;
-		} else {
-			depth++;
-			if (count == 0)
-				break;
-		}
-		INSIST(nrem >= count);
-		nrem -= count;
-		ndata += count;
-	}
-
-	return (depth);
-}
-
-unsigned int
 dns_name_countlabels(const dns_name_t *name) {
 	/*
 	 * How many labels does 'name' have?
@@ -1032,7 +841,7 @@ dns_name_getlabelsequence(const dns_name_t *source,
 }
 
 void
-dns_name_clone(const dns_name_t *source, dns_name_t *target) {
+dns_name_clone(dns_name_t *source, dns_name_t *target) {
 
 	/*
 	 * Make 'target' refer to the same name as 'source'.
@@ -1058,7 +867,7 @@ dns_name_clone(const dns_name_t *source, dns_name_t *target) {
 }
 
 void
-dns_name_fromregion(dns_name_t *name, isc_region_t *r) {
+dns_name_fromregion(dns_name_t *name, const isc_region_t *r) {
 	unsigned char *offsets;
 	dns_offsets_t odata;
 	unsigned int len;
@@ -1115,7 +924,7 @@ dns_name_toregion(dns_name_t *name, isc_region_t *r) {
 
 isc_result_t
 dns_name_fromtext(dns_name_t *name, isc_buffer_t *source,
-		  dns_name_t *origin, isc_boolean_t downcase,
+		  dns_name_t *origin, unsigned int options,
 		  isc_buffer_t *target)
 {
 	unsigned char *ndata, *label;
@@ -1124,10 +933,10 @@ dns_name_fromtext(dns_name_t *name, isc_buffer_t *source,
 	ft_state state, kind;
 	unsigned int value, count, tbcount, bitlength, maxlength;
 	unsigned int n1, n2, vlen, tlen, nrem, nused, digits, labels, tused;
-	isc_boolean_t done, saw_bitstring;
-	unsigned char dqchars[4];
+	isc_boolean_t done;
 	unsigned char *offsets;
 	dns_offsets_t odata;
+	isc_boolean_t downcase;
 
 	/*
 	 * Convert the textual representation of a DNS name at source
@@ -1143,6 +952,8 @@ dns_name_fromtext(dns_name_t *name, isc_buffer_t *source,
 	REQUIRE(ISC_BUFFER_VALID(source));
 	REQUIRE((target != NULL && ISC_BUFFER_VALID(target)) ||
 		(target == NULL && ISC_BUFFER_VALID(name->buffer)));
+	
+	downcase = ISC_TF((options & DNS_NAME_DOWNCASE) != 0);
 
 	if (target == NULL && name->buffer != NULL) {
 		target = name->buffer;
@@ -1187,7 +998,6 @@ dns_name_fromtext(dns_name_t *name, isc_buffer_t *source,
 	nused = 0;
 	labels = 0;
 	done = ISC_FALSE;
-	saw_bitstring = ISC_FALSE;
 	state = ft_init;
 
 	while (nrem > 0 && tlen > 0 && !done) {
@@ -1195,7 +1005,6 @@ dns_name_fromtext(dns_name_t *name, isc_buffer_t *source,
 		tlen--;
 		tused++;
 
-	no_read:
 		switch (state) {
 		case ft_init:
 			/*
@@ -1264,15 +1073,11 @@ dns_name_fromtext(dns_name_t *name, isc_buffer_t *source,
 			break;
 		case ft_initialescape:
 			if (c == '[') {
-				saw_bitstring = ISC_TRUE;
-				kind = ft_bitstring;
-				state = ft_bitstring;
-				*label = DNS_LABELTYPE_BITSTRING;
-				label = ndata;
-				ndata++;
-				nrem--;
-				nused++;
-				break;
+				/*
+				 * This looks like a bitstring label, which
+				 * was deprecated.  Intentionally drop it.
+				 */
+				return (DNS_R_BADLABELTYPE);
 			}
 			kind = ft_ordinary;
 			state = ft_escape;
@@ -1315,309 +1120,6 @@ dns_name_fromtext(dns_name_t *name, isc_buffer_t *source,
 				state = ft_ordinary;
 			}
 			break;
-		case ft_bitstring:
-			/* count is zero */
-			tbcount = 0;
-			value = 0;
-			if (c == 'b') {
-				vlen = 8;
-				maxlength = 256;
-				kind = ft_binary;
-				state = ft_binary;
-			} else if (c == 'o') {
-				vlen = 8;
-				maxlength = 256;
-				kind = ft_octal;
-				state = ft_octal;
-			} else if (c == 'x') {
-				vlen = 8;
-				maxlength = 256;
-				kind = ft_hex;
-				state = ft_hex;
-			} else if (isdigit(c & 0xff)) {
-				vlen = 32;
-				maxlength = 32;
-				n1 = 0;
-				n2 = 0;
-				digits = 0;
-				kind = ft_dottedquad;
-				state = ft_dqdecimal;
-				goto no_read;
-			} else
-				return (DNS_R_BADBITSTRING);
-			break;
-		case ft_binary:
-			if (c != '0' && c != '1') {
-				state = ft_maybeslash;
-				goto no_read;
-			}
-			value <<= 1;
-			if (c == '1')
-				value |= 1;
-			count++;
-			tbcount++;
-			if (tbcount > 256)
-				return (DNS_R_BITSTRINGTOOLONG);
-			if (count == 8) {
-				*ndata++ = value;
-				nrem--;
-				nused++;
-				count = 0;
-			}
-			break;
-		case ft_octal:
-			if (!isdigit(c & 0xff) || c == '9' || c == '8') {
-				state = ft_maybeslash;
-				goto no_read;
-			}
-			value <<= 3;
-			value += digitvalue[(int)c];
-			count += 3;
-			tbcount += 3;
-			/*
-			 * The total bit count is tested against 258 instead
-			 * of 256 because of the possibility that the bitstring
-			 * label is exactly 256 bits long; on the last octal
-			 * digit (which must be 4) tbcount is incremented
-			 * from 255 to 258.  This case is adequately handled
-			 * later.
-			 */
-			if (tbcount > 258)
-				return (DNS_R_BITSTRINGTOOLONG);
-			if (count == 8) {
-				*ndata++ = value;
-				nrem--;
-				nused++;
-				count = 0;
-			} else if (count == 9) {
-				*ndata++ = (value >> 1);
-				nrem--;
-				nused++;
-				value &= 1;
-				count = 1;
-			} else if (count == 10) {
-				*ndata++ = (value >> 2);
-				nrem--;
-				nused++;
-				value &= 3;
-				count = 2;
-			}
-			break;
-		case ft_hex:
-			if (!isxdigit(c & 0xff)) {
-				state = ft_maybeslash;
-				goto no_read;
-			}
-			value <<= 4;
-			value += digitvalue[(int)c];
-			count += 4;
-			tbcount += 4;
-			if (tbcount > 256)
-				return (DNS_R_BITSTRINGTOOLONG);
-			if (count == 8) {
-				*ndata++ = value;
-				nrem--;
-				nused++;
-				count = 0;
-			}
-			break;
-		case ft_dottedquad:
-			if (c != '.' && n1 < 3)
-				return (DNS_R_BADDOTTEDQUAD);
-			dqchars[n1] = value;
-			n2 *= 256;
-			n2 += value;
-			n1++;
-			if (n1 == 4) {
-				tbcount = 32;
-				value = n2;
-				state = ft_maybeslash;
-				goto no_read;
-			}
-			value = 0;
-			digits = 0;
-			state = ft_dqdecimal;
-			break;
-		case ft_dqdecimal:
-			if (!isdigit(c & 0xff)) {
-				if (digits == 0 || value > 255)
-					return (DNS_R_BADDOTTEDQUAD);
-				state = ft_dottedquad;
-				goto no_read;
-			}
-			digits++;
-			if (digits > 3)
-				return (DNS_R_BADDOTTEDQUAD);
-			value *= 10;
-			value += digitvalue[(int)c];
-			break;
-		case ft_maybeslash:
-			bitlength = 0;
-			if (c == '/') {
-				state = ft_bitlength;
-				break;
-			}
-			/* FALLTHROUGH */
-		case ft_finishbitstring:
-			if (c == ']') {
-				if (tbcount == 0)
-					return (DNS_R_BADBITSTRING);
-
-				if (count > 0) {
-					n1 = count % 8;
-					if (n1 != 0)
-						value <<= (8 - n1);
-				}
-
-				if (bitlength != 0) {
-					if (bitlength > tbcount)
-						return (DNS_R_BADBITSTRING);
-					if (kind == ft_binary &&
-					    bitlength != tbcount) {
-						return (DNS_R_BADBITSTRING);
-					} else if (kind == ft_octal) {
-						/*
-						 * Figure out correct number
-						 * of octal digits for the
-						 * bitlength, and compare to
-						 * what was given.
-						 */
-						n1 = bitlength / 3;
-						if (bitlength % 3 != 0)
-							n1++;
-						n2 = tbcount / 3;
-						/* tbcount % 3 == 0 */
-						if (n1 != n2)
-						  return (DNS_R_BADBITSTRING);
-
-						/*
-						 * Check that no bits extend
-						 * past the end of the last
-						 * byte that is included in
-						 * the bitlength.  Example:
-						 * \[o036/8] == \[b00001111],
-						 * which fits into just one
-						 * byte, but the three octal
-						 * digits actually specified
-						 * two bytes worth of data,
-						 * 9 bits, before the bitlength
-						 * limited it back to one byte.
-						 *
-						 * n1 is the number of bytes
-						 * necessary for the bitlength.
-						 * n2 is the number of bytes
-						 * encompassed by the octal
-						 * digits.  If they are not
-						 * equal, then "value" holds
-						 * the excess bits, which
-						 * must be zero.  If the bits
-						 * are zero, then "count" is
-						 * zero'ed to prevent the
-						 * addition of another byte
-						 * below.
-						 */
-						n1 = (bitlength - 1) / 8;
-						n2 = (tbcount - 1) / 8;
-						if (n1 != n2) {
-						    if (value != 0)
-						       return
-							  (DNS_R_BADBITSTRING);
-						    else
-						       count = 0;
-						}
-					} else if (kind == ft_hex) {
-						/*
-						 * Figure out correct number
-						 * of hex digits for the
-						 * bitlength, and compare to
-						 * what was given.
-						 */
-						n1 = bitlength / 4;
-						if (bitlength % 4 != 0)
-							n1++;
-						n2 = tbcount / 4;
-						/* tbcount % 4 == 0 */
-						if (n1 != n2)
-						  return (DNS_R_BADBITSTRING);
-					}
-					n1 = bitlength % vlen;
-					if (n1 != 0) {
-						/*
-						 * Are the pad bits in the
-						 * last 'vlen' bits zero?
-						 */
-						if ((value &
-						    ~((~0) << (vlen-n1))) != 0)
-						  return (DNS_R_BADBITSTRING);
-					}
-				} else if (kind == ft_dottedquad)
-					bitlength = 32;
-				else if (tbcount > 256)
-					/*
-					 * This can happen when an octal
-					 * bitstring label of 86 octal digits
-					 * is specified; tbcount will be 258.
-					 * This is not trapped above because
-					 * the bitstring label might be limited
-					 * by a "/256" modifier.
-					 */
-					return (DNS_R_BADBITSTRING);
-				else
-					bitlength = tbcount;
-
-				if (count > 0) {
-					*ndata++ = value;
-					nrem--;
-					nused++;
-				}
-
-				if (kind == ft_dottedquad) {
-					n1 = bitlength / 8;
-					if (bitlength % 8 != 0)
-						n1++;
-					if (nrem < n1)
-						return (ISC_R_NOSPACE);
-					for (n2 = 0; n2 < n1; n2++) {
-						*ndata++ = dqchars[n2];
-						nrem--;
-						nused++;
-					}
-				}
-				if (bitlength == 256)
-					*label = 0;
-				else
-					*label = bitlength;
-				labels++;
-				INSIST(labels <= 127);
-				offsets[labels] = nused;
-			} else
-				return (DNS_R_BADBITSTRING);
-			state = ft_eatdot;
-			break;
-		case ft_bitlength:
-			if (!isdigit(c & 0xff)) {
-				if (bitlength == 0)
-					return (DNS_R_BADBITSTRING);
-				state = ft_finishbitstring;
-				goto no_read;
-			}
-			bitlength *= 10;
-			bitlength += digitvalue[(int)c];
-			if (bitlength > maxlength)
-				return (DNS_R_BADBITSTRING);
-			break;
-		case ft_eatdot:
-			if (c != '.')
-				return (DNS_R_BADBITSTRING);
-			if (tlen == 0) {
-				labels++;
-				*ndata++ = 0;
-				nrem--;
-				nused++;
-				done = ISC_TRUE;
-			}
-			state = ft_start;
-			break;
 		default:
 			FATAL_ERROR(__FILE__, __LINE__,
 				    "Unexpected state %d", state);
@@ -1629,8 +1131,7 @@ dns_name_fromtext(dns_name_t *name, isc_buffer_t *source,
 		if (nrem == 0)
 			return (ISC_R_NOSPACE);
 		INSIST(tlen == 0);
-		if (state != ft_ordinary && state != ft_eatdot &&
-		    state != ft_at)
+		if (state != ft_ordinary && state != ft_at)
 			return (ISC_R_UNEXPECTEDEND);
 		if (state == ft_ordinary) {
 			INSIST(count != 0);
@@ -1647,33 +1148,16 @@ dns_name_fromtext(dns_name_t *name, isc_buffer_t *source,
 			nrem -= n1;
 			while (n1 > 0) {
 				n2 = *label++;
-				if (n2 <= 63) {
-					*ndata++ = n2;
-					n1 -= n2 + 1;
-					nused += n2 + 1;
-					while (n2 > 0) {
-						c = *label++;
-						if (downcase)
-							c = maptolower[(int)c];
-						*ndata++ = c;
-						n2--;
-					}
-				} else {
-					INSIST(n2 == DNS_LABELTYPE_BITSTRING);
-					*ndata++ = n2;
-					bitlength = *label++;
-					*ndata++ = bitlength;
-					if (bitlength == 0)
-						bitlength = 256;
-					n2 = bitlength / 8;
-					if (bitlength % 8 != 0)
-						n2++;
-					n1 -= n2 + 2;
-					nused += n2 + 2;
-					while (n2 > 0) {
-						*ndata++ = *label++;
-						n2--;
-					}
+				INSIST(n2 <= 63); /* no bitstring support */
+				*ndata++ = n2;
+				n1 -= n2 + 1;
+				nused += n2 + 1;
+				while (n2 > 0) {
+					c = *label++;
+					if (downcase)
+						c = maptolower[(int)c];
+					*ndata++ = c;
+					n2--;
 				}
 				labels++;
 				if (n1 > 0) {
@@ -1691,9 +1175,6 @@ dns_name_fromtext(dns_name_t *name, isc_buffer_t *source,
 	name->labels = labels;
 	name->length = nused;
 
-	if (saw_bitstring)
-		compact(name, offsets);
-
 	isc_buffer_forward(source, tused);
 	isc_buffer_add(target, name->length);
 
@@ -1709,11 +1190,8 @@ dns_name_totext(dns_name_t *name, isc_boolean_t omit_final_dot,
 	unsigned int nlen, tlen;
 	unsigned char c;
 	unsigned int trem, count;
-	unsigned int bytes, nibbles;
-	size_t i, len;
 	unsigned int labels;
 	isc_boolean_t saw_root = ISC_FALSE;
-	char num[4];
 
 	/*
 	 * This function assumes the name is in proper uncompressed
@@ -1812,14 +1290,13 @@ dns_name_totext(dns_name_t *name, isc_boolean_t omit_final_dot,
 						trem--;
 						nlen--;
 					} else {
+						char buf[5];
 						if (trem < 4)
 							return (ISC_R_NOSPACE);
-						*tdata++ = 0x5c;
-						*tdata++ = 0x30 +
-							   ((c / 100) % 10);
-						*tdata++ = 0x30 +
-							   ((c / 10) % 10);
-						*tdata++ = 0x30 + (c % 10);
+						snprintf(buf, sizeof(buf),
+							 "\\%03u", c);
+						memcpy(tdata, buf, 4);
+						tdata += 4;
 						trem -= 4;
 						ndata++;
 						nlen--;
@@ -1827,47 +1304,6 @@ dns_name_totext(dns_name_t *name, isc_boolean_t omit_final_dot,
 				}
 				count--;
 			}
-		} else if (count == DNS_LABELTYPE_BITSTRING) {
-			if (trem < 3)
-				return (ISC_R_NOSPACE);
-			*tdata++ = '\\';
-			*tdata++ = '[';
-			*tdata++ = 'x';
-			trem -= 3;
-			INSIST(nlen > 0);
-			count = *ndata++;
-			if (count == 0)
-				count = 256;
-			nlen--;
-			len = sprintf(num, "%u", count);	/* XXX */
-			INSIST(len <= 4U);
-			bytes = count / 8;
-			if (count % 8 != 0)
-				bytes++;
-			INSIST(nlen >= bytes);
-			nibbles = count / 4;
-			if (count % 4 != 0)
-				nibbles++;
-			if (trem < nibbles)
-				return (ISC_R_NOSPACE);
-			trem -= nibbles;
-			nlen -= bytes;
-			while (nibbles > 0) {
-				c = *ndata++;
-				*tdata++ = hexdigits[(c >> 4)];
-				nibbles--;
-				if (nibbles != 0) {
-					*tdata++ = hexdigits[c & 0xf];
-					nibbles--;
-				}
-			}
-			if (trem < 2 + len)
-				return (ISC_R_NOSPACE);
-			*tdata++ = '/';
-			for (i = 0; i < len; i++)
-				*tdata++ = num[i];
-			*tdata++ = ']';
-			trem -= 2 + len;
 		} else {
 			FATAL_ERROR(__FILE__, __LINE__,
 				    "Unexpected label type %02x", count);
@@ -1906,10 +1342,7 @@ dns_name_tofilenametext(dns_name_t *name, isc_boolean_t omit_final_dot,
 	unsigned int nlen, tlen;
 	unsigned char c;
 	unsigned int trem, count;
-	unsigned int bytes, nibbles;
-	size_t i, len;
 	unsigned int labels;
-	char num[4];
 
 	/*
 	 * This function assumes the name is in proper uncompressed
@@ -1981,47 +1414,6 @@ dns_name_tofilenametext(dns_name_t *name, isc_boolean_t omit_final_dot,
 				}
 				count--;
 			}
-		} else if (count == DNS_LABELTYPE_BITSTRING) {
-			if (trem < 3)
-				return (ISC_R_NOSPACE);
-			*tdata++ = '%';
-			*tdata++ = 'x';
-			trem -= 2;
-			INSIST(nlen > 0);
-			count = *ndata++;
-			if (count == 0)
-				count = 256;
-			nlen--;
-			len = sprintf(num, "%u", count);	/* XXX */
-			INSIST(len <= 4U);
-			bytes = count / 8;
-			if (count % 8 != 0)
-				bytes++;
-			INSIST(nlen >= bytes);
-			nibbles = count / 4;
-			if (count % 4 != 0)
-				nibbles++;
-			if (trem < nibbles)
-				return (ISC_R_NOSPACE);
-			trem -= nibbles;
-			nlen -= bytes;
-			while (nibbles > 0) {
-				c = *ndata++;
-				*tdata++ = hexdigits[(c >> 4)];
-				nibbles--;
-				if (nibbles != 0) {
-					*tdata++ = hexdigits[c & 0xf];
-					i++;
-					nibbles--;
-				}
-			}
-			if (trem < 2 + len)
-				return (ISC_R_NOSPACE);
-			*tdata++ = '%';
-			for (i = 0; i < len; i++)
-				*tdata++ = num[i];
-			*tdata++ = '%';
-			trem -= 2 + len;
 		} else {
 			FATAL_ERROR(__FILE__, __LINE__,
 				    "Unexpected label type %02x", count);
@@ -2054,7 +1446,7 @@ dns_name_tofilenametext(dns_name_t *name, isc_boolean_t omit_final_dot,
 isc_result_t
 dns_name_downcase(dns_name_t *source, dns_name_t *name, isc_buffer_t *target) {
 	unsigned char *sndata, *ndata;
-	unsigned int nlen, count, bytes, labels;
+	unsigned int nlen, count, labels;
 	isc_buffer_t buffer;
 
 	/*
@@ -2101,24 +1493,6 @@ dns_name_downcase(dns_name_t *source, dns_name_t *name, isc_buffer_t *target) {
 				nlen--;
 				count--;
 			}
-		} else if (count == DNS_LABELTYPE_BITSTRING) {
-			INSIST(nlen > 0);
-			count = *sndata++;
-			*ndata++ = count;
-			if (count == 0)
-				count = 256;
-			nlen--;
-
-			bytes = count / 8;
-			if (count % 8 != 0)
-				bytes++;
-
-			INSIST(nlen >= bytes);
-			nlen -= bytes;
-			while (bytes > 0) {
-				*ndata++ = *sndata++;
-				bytes--;
-			}
 		} else {
 			FATAL_ERROR(__FILE__, __LINE__,
 				    "Unexpected label type %02x", count);
@@ -2146,7 +1520,7 @@ static void
 set_offsets(const dns_name_t *name, unsigned char *offsets,
 	    dns_name_t *set_name)
 {
-	unsigned int offset, count, length, nlabels, n;
+	unsigned int offset, count, length, nlabels;
 	unsigned char *ndata;
 	isc_boolean_t absolute;
 
@@ -2160,26 +1534,13 @@ set_offsets(const dns_name_t *name, unsigned char *offsets,
 		offsets[nlabels++] = offset;
 		count = *ndata++;
 		offset++;
-		if (count <= 63) {
-			offset += count;
-			ndata += count;
-			INSIST(offset <= length);
-			if (count == 0) {
-				absolute = ISC_TRUE;
-				break;
-			}
-		} else {
-			INSIST(count == DNS_LABELTYPE_BITSTRING);
-			n = *ndata++;
-			offset++;
-			if (n == 0)
-				n = 256;
-			count = n / 8;
-			if (n % 8 != 0)
-				count++;
-			offset += count;
-			ndata += count;
-			INSIST(offset <= length);
+		INSIST(count <= 63);
+		offset += count;
+		ndata += count;
+		INSIST(offset <= length);
+		if (count == 0) {
+			absolute = ISC_TRUE;
+			break;
 		}
 	}
 	if (set_name != NULL) {
@@ -2196,176 +1557,33 @@ set_offsets(const dns_name_t *name, unsigned char *offsets,
 	INSIST(offset == name->length);
 }
 
-static void
-compact(dns_name_t *name, unsigned char *offsets) {
-	unsigned char *head, *curr, *last;
-	unsigned int count, n, bit;
-	unsigned int headbits, currbits, tailbits, newbits;
-	unsigned int headrem, newrem;
-	unsigned int headindex, currindex, tailindex, newindex;
-	unsigned char tail[32];
-
-	/*
-	 * The caller MUST ensure that all bitstrings are correctly formatted
-	 * and that the offsets table is valid.
-	 */
-
- again:
-	memset(tail, 0, sizeof tail);
-	INSIST(name->labels != 0);
-	n = name->labels - 1;
-
-	while (n > 0) {
-		head = &name->ndata[offsets[n]];
-		if (head[0] == DNS_LABELTYPE_BITSTRING && head[1] != 0) {
-			if (n != 0) {
-				n--;
-				curr = &name->ndata[offsets[n]];
-				if (curr[0] != DNS_LABELTYPE_BITSTRING)
-					continue;
-				/*
-				 * We have consecutive bitstrings labels, and
-				 * the more significant label ('head') has
-				 * space.
-				 */
-				currbits = curr[1];
-				if (currbits == 0)
-					currbits = 256;
-				currindex = 0;
-				headbits = head[1];
-				if (headbits == 0)
-					headbits = 256;
-				headindex = headbits;
-				count = 256 - headbits;
-				if (count > currbits)
-					count = currbits;
-				headrem = headbits % 8;
-				if (headrem != 0)
-					headrem = 8 - headrem;
-				if (headrem != 0) {
-					if (headrem > count)
-						headrem = count;
-					do {
-						bit = get_bit(&curr[2],
-							      currindex);
-						set_bit(&head[2], headindex,
-							bit);
-						currindex++;
-						headindex++;
-						headbits++;
-						count--;
-						headrem--;
-					} while (headrem != 0);
-				}
-				tailindex = 0;
-				tailbits = 0;
-				while (count > 0) {
-					bit = get_bit(&curr[2], currindex);
-					set_bit(tail, tailindex, bit);
-					currindex++;
-					tailindex++;
-					tailbits++;
-					count--;
-				}
-				newbits = 0;
-				newindex = 0;
-				if (currindex < currbits) {
-					while (currindex < currbits) {
-						bit = get_bit(&curr[2],
-							      currindex);
-						set_bit(&curr[2], newindex,
-							bit);
-						currindex++;
-						newindex++;
-						newbits++;
-					}
-					INSIST(newbits < 256);
-					curr[1] = newbits;
-					count = newbits / 8;
-					newrem = newbits % 8;
-					/* Zero remaining pad bits, if any. */
-					if (newrem != 0) {
-						count++;
-						newrem = 8 - newrem;
-						while (newrem > 0) {
-							set_bit(&curr[2],
-								newindex,
-								0);
-							newrem--;
-							newindex++;
-						}
-					}
-					curr += count + 2;
-				} else {
-					/* We got rid of curr. */
-					name->labels--;
-				}
-				/* copy head, then tail, then rest to curr. */
-				count = headbits + tailbits;
-				INSIST(count <= 256);
-				curr[0] = DNS_LABELTYPE_BITSTRING;
-				if (count == 256)
-					curr[1] = 0;
-				else
-					curr[1] = count;
-				curr += 2;
-				head += 2;
-				count = headbits / 8;
-				if (headbits % 8 != 0)
-					count++;
-				while (count > 0) {
-					*curr++ = *head++;
-					count--;
-				}
-				count = tailbits / 8;
-				if (tailbits % 8 != 0)
-					count++;
-				last = tail;
-				while (count > 0) {
-					*curr++ = *last++;
-					count--;
-				}
-				last = name->ndata + name->length;
-				while (head != last)
-					*curr++ = *head++;
-				name->length = (curr - name->ndata);
-				/*
-				 * The offsets table may now be invalid.
-				 */
-				set_offsets(name, offsets, NULL);
-				goto again;
-			}
-		}
-		n--;
-	}
-}
-
 isc_result_t
 dns_name_fromwire(dns_name_t *name, isc_buffer_t *source,
-		  dns_decompress_t *dctx, isc_boolean_t downcase,
+		  dns_decompress_t *dctx, unsigned int options,
 		  isc_buffer_t *target)
 {
 	unsigned char *cdata, *ndata;
 	unsigned int cused; /* Bytes of compressed name data used */
-	unsigned int nused, labels, n, nmax;
+	unsigned int hops,  nused, labels, n, nmax;
 	unsigned int current, new_current, biggest_pointer;
-	isc_boolean_t saw_bitstring, done;
+	isc_boolean_t done;
 	fw_state state = fw_start;
 	unsigned int c;
 	unsigned char *offsets;
 	dns_offsets_t odata;
-	isc_boolean_t seen_pointer;
+	isc_boolean_t downcase;
 
 	/*
 	 * Copy the possibly-compressed name at source into target,
-	 * decompressing it. Loop prevention is performed by checking
-	 * the new pointer against biggest_pointer.
+	 * decompressing it.
 	 */
 
 	REQUIRE(VALID_NAME(name));
 	REQUIRE((target != NULL && ISC_BUFFER_VALID(target)) ||
 		(target == NULL && ISC_BUFFER_VALID(name->buffer)));
 
+	downcase = ISC_TF((options & DNS_NAME_DOWNCASE) != 0);
+
 	if (target == NULL && name->buffer != NULL) {
 		target = name->buffer;
 		isc_buffer_clear(target);
@@ -2391,12 +1609,11 @@ dns_name_fromwire(dns_name_t *name, isc_buffer_t *source,
 	 * Set up.
 	 */
 	labels = 0;
-	saw_bitstring = ISC_FALSE;
+	hops = 0;
 	done = ISC_FALSE;
 
 	ndata = isc_buffer_used(target);
 	nused = 0;
-	seen_pointer = ISC_FALSE;
 
 	/*
 	 * Find the maximum number of uncompressed target name
@@ -2422,7 +1639,7 @@ dns_name_fromwire(dns_name_t *name, isc_buffer_t *source,
 	while (current < source->active && !done) {
 		c = *cdata++;
 		current++;
-		if (!seen_pointer)
+		if (hops == 0)
 			cused++;
 
 		switch (state) {
@@ -2455,15 +1672,6 @@ dns_name_fromwire(dns_name_t *name, isc_buffer_t *source,
 				new_current = c & 0x3F;
 				n = 1;
 				state = fw_newcurrent;
-			} else if (c == DNS_LABELTYPE_BITSTRING) {
-				offsets[labels] = nused;
-				labels++;
-				if (nused == nmax)
-					goto full;
-				nused++;
-				*ndata++ = c;
-				saw_bitstring = ISC_TRUE;
-				state = fw_bitstring;
 			} else
 				return (DNS_R_BADLABELTYPE);
 			break;
@@ -2477,19 +1685,6 @@ dns_name_fromwire(dns_name_t *name, isc_buffer_t *source,
 			if (n == 0)
 				state = fw_start;
 			break;
-		case fw_bitstring:
-			if (c == 0)
-				n = 256 / 8;
-			else
-				n = c / 8;
-			if ((c % 8) != 0)
-				n++;
-			if (nused + n + 1 > nmax)
-				goto full;
-			nused += n + 1;
-			*ndata++ = c;
-			state = fw_copy;
-			break;
 		case fw_newcurrent:
 			new_current *= 256;
 			new_current += c;
@@ -2500,8 +1695,11 @@ dns_name_fromwire(dns_name_t *name, isc_buffer_t *source,
 				return (DNS_R_BADPOINTER);
 			biggest_pointer = new_current;
 			current = new_current;
-			cdata = (unsigned char *)source->base + current;
-			seen_pointer = ISC_TRUE;
+			cdata = (unsigned char *)source->base +
+				current;
+			hops++;
+			if (hops > DNS_POINTER_MAXHOPS)
+				return (DNS_R_TOOMANYHOPS);
 			state = fw_start;
 			break;
 		default:
@@ -2519,9 +1717,6 @@ dns_name_fromwire(dns_name_t *name, isc_buffer_t *source,
 	name->length = nused;
 	name->attributes |= DNS_NAMEATTR_ABSOLUTE;
 
-	if (saw_bitstring)
-		compact(name, offsets);
-
 	isc_buffer_forward(source, cused);
 	isc_buffer_add(target, name->length);
 
@@ -2540,12 +1735,11 @@ dns_name_fromwire(dns_name_t *name, isc_buffer_t *source,
 		 * big enough buffer.
 		 */
 		return (ISC_R_NOSPACE);
+
 }
 
 isc_result_t
-dns_name_towire(const dns_name_t *name, dns_compress_t *cctx,
-		isc_buffer_t *target)
-{
+dns_name_towire(dns_name_t *name, dns_compress_t *cctx, isc_buffer_t *target) {
 	unsigned int methods;
 	isc_uint16_t offset;
 	dns_name_t gp;	/* Global compression prefix */
@@ -2624,10 +1818,9 @@ dns_name_concatenate(dns_name_t *prefix, dns_name_t *suffix, dns_name_t *name,
 		     isc_buffer_t *target)
 {
 	unsigned char *ndata, *offsets;
-	unsigned int nrem, labels, prefix_length, length, offset;
+	unsigned int nrem, labels, prefix_length, length;
 	isc_boolean_t copy_prefix = ISC_TRUE;
 	isc_boolean_t copy_suffix = ISC_TRUE;
-	isc_boolean_t saw_bitstring = ISC_FALSE;
 	isc_boolean_t absolute = ISC_FALSE;
 	dns_name_t tmp_name;
 	dns_offsets_t odata;
@@ -2663,25 +1856,6 @@ dns_name_concatenate(dns_name_t *prefix, dns_name_t *suffix, dns_name_t *name,
 	REQUIRE(BINDABLE(name));
 
 	/*
-	 * XXX IMPORTANT NOTE
-	 *
-	 * If the most-signficant label in prefix is a bitstring,
-	 * and the least-signficant label in suffix is a bitstring,
-	 * it's possible that compaction could convert them into
-	 * one label.  If this happens, then the final size will
-	 * be three bytes less than nrem.
-	 *
-	 * We do not check for this special case, and handling it is
-	 * a little messy; we can't just concatenate and compact,
-	 * because we may only have 255 bytes but might need 258 bytes
-	 * temporarily.  There are ways to do this with only 255 bytes,
-	 * which will be implemented later.
-	 *
-	 * For now, we simply reject these few cases as being too
-	 * long.
-	 */
-
-	/*
 	 * Set up.
 	 */
 	nrem = target->length - target->used;
@@ -2712,35 +1886,6 @@ dns_name_concatenate(dns_name_t *prefix, dns_name_t *suffix, dns_name_t *name,
 	if (copy_suffix) {
 		if ((suffix->attributes & DNS_NAMEATTR_ABSOLUTE) != 0)
 			absolute = ISC_TRUE;
-		if (copy_prefix &&
-		    suffix->ndata[0] == DNS_LABELTYPE_BITSTRING) {
-			/*
-			 * We only need to call compact() if both the
-			 * least-significant label of the suffix and the
-			 * most-significant label of the prefix are both
-			 * bitstrings.
-			 *
-			 * A further possible optimization, which we don't do,
-			 * is to not compact() if the suffix bitstring is
-			 * full.  It will usually not be full, so I don't
-			 * think this is worth it.
-			 */
-			if (prefix->offsets != NULL) {
-				offset = prefix->offsets[prefix->labels - 1];
-				if (prefix->ndata[offset] ==
-				    DNS_LABELTYPE_BITSTRING)
-					saw_bitstring = ISC_TRUE;
-			} else {
-				/*
-				 * We don't have an offsets table for prefix,
-				 * and rather than spend the effort to make it
-				 * we'll just compact(), which doesn't cost
-				 * more than computing the offsets table if
-				 * there is no bitstring in prefix.
-				 */
-				saw_bitstring = ISC_TRUE;
-			}
-		}
 		if (suffix == name && suffix->buffer == target)
 			memmove(ndata + prefix_length, suffix->ndata,
 				suffix->length);
@@ -2765,11 +1910,9 @@ dns_name_concatenate(dns_name_t *prefix, dns_name_t *suffix, dns_name_t *name,
 	else
 		name->attributes = 0;
 
-	if (name->labels > 0 && (name->offsets != NULL || saw_bitstring)) {
+	if (name->labels > 0 && name->offsets != NULL) {
 		INIT_OFFSETS(name, offsets, odata);
 		set_offsets(name, offsets, NULL);
-		if (saw_bitstring)
-			compact(name, offsets);
 	}
 
 	isc_buffer_add(target, name->length);
@@ -2777,23 +1920,16 @@ dns_name_concatenate(dns_name_t *prefix, dns_name_t *suffix, dns_name_t *name,
 	return (ISC_R_SUCCESS);
 }
 
-isc_result_t
-dns_name_split(dns_name_t *name,
-	       unsigned int suffixlabels, unsigned int nbits,
+void
+dns_name_split(dns_name_t *name, unsigned int suffixlabels,
 	       dns_name_t *prefix, dns_name_t *suffix)
 
 {
-	dns_offsets_t name_odata, prefix_odata, suffix_odata;
-	unsigned char *offsets, *prefix_offsets = NULL, *suffix_offsets;
-	isc_result_t result = ISC_R_SUCCESS;
-	unsigned int splitlabel, bitbytes, mod, len;
-	unsigned char *p, *src, *dst;
-	isc_boolean_t maybe_compact_prefix = ISC_FALSE;
+	unsigned int splitlabel;
 
 	REQUIRE(VALID_NAME(name));
 	REQUIRE(suffixlabels > 0);
-	REQUIRE((nbits == 0 && suffixlabels < name->labels) ||
-		(nbits != 0 && suffixlabels <= name->labels));
+	REQUIRE(suffixlabels < name->labels);
 	REQUIRE(prefix != NULL || suffix != NULL);
 	REQUIRE(prefix == NULL ||
 		(VALID_NAME(prefix) &&
@@ -2804,332 +1940,20 @@ dns_name_split(dns_name_t *name,
 		 suffix->buffer != NULL &&
 		 BINDABLE(suffix)));
 
-	/*
-	 * When splitting bitstring labels, if prefix and suffix have the same
-	 * buffer, suffix will overwrite the ndata of prefix, corrupting it.
-	 * If prefix has the ndata of name, then it modifies the bitstring
-	 * label and suffix doesn't have the original available.  This latter
-	 * problem could be worked around if it is ever deemed desirable.
-	 */
-	REQUIRE(nbits == 0 || prefix == NULL || suffix == NULL ||
-		(prefix->buffer->base != suffix->buffer->base &&
-		 prefix->buffer->base != name->ndata));
-
-	SETUP_OFFSETS(name, offsets, name_odata);
-
 	splitlabel = name->labels - suffixlabels;
 
-	/*
-	 * Make p point at the count byte of the bitstring label,
-	 * if there is one (p will not be used if we are not
-	 * splitting bits).
-	 */
-	p = &name->ndata[offsets[splitlabel] + 1];
-
-	/*
-	 * When a bit count is specified, ensure that the label is a bitstring
-	 * label and it has more bits than the requested slice.
-	 */
-	REQUIRE(nbits == 0 ||
-		(*(p - 1) == DNS_LABELTYPE_BITSTRING && nbits < 256 &&
-		 (*p == 0 || *p > nbits)));
-
-	mod = nbits % 8;
-
-	if (prefix != NULL) {
-		if (nbits > 0) {
-			isc_buffer_clear(prefix->buffer);
-
-			/*
-			 * '2' is for the DNS_LABELTYPE_BITSTRING id
-			 * plus the existing number of bits byte.
-			 */
-			len = offsets[splitlabel] + 2;
-			src = name->ndata;
-			dst = prefix->buffer->base;
-
-			if (src != dst) {
-				/*
-				 * If these are overlapping names ...
-				 * wow.  How bizarre could that be?
-				 */
-				INSIST(! (src <= dst && src + len > dst) ||
-					 (dst <= src && dst + len > src));
-
-				memcpy(dst, src, len);
-
-				p = dst + len - 1;
-			}
-
-			/*
-			 * Set the new bit count.  Also, when a bitstring
-			 * label being split is maximal length, compaction
-			 * might be necessary on the prefix.
-			 */
-			if (*p == 0) {
-				maybe_compact_prefix = ISC_TRUE;
-				*p = 256 - nbits;
-			} else
-				*p = *p - nbits;
-
-			/*
-			 * Calculate the number of bytes necessary to hold
-			 * all of the bits left in the prefix.
-			 */
-			bitbytes = (*p - 1) / 8 + 1;
-
-			prefix->length = len + bitbytes;
-
-			if (prefix->length > prefix->buffer->length ) {
-				dns_name_invalidate(prefix);
-				return (ISC_R_NOSPACE);
-			}
-
-			/*
-			 * All of the bits now need to be shifted to the left
-			 * to fill in the space taken by the removed bits.
-			 * This is wonderfully easy when the number of removed
-			 * bits is an integral multiple of 8, but of course
-			 * life isn't always that easy.
-			 */
-			src += len + nbits / 8;
-			dst = p + 1;
-			len = bitbytes;
-
-			if (mod == 0) {
-				memmove(dst, src, len);
-			} else {
-				/*
-				 * p is adjusted to point to the last byte of
-				 * the starting bitstring label to make it
-				 * cheap to determine when bits from the next
-				 * byte should be shifted into the low order
-				 * bits of the current byte.
-				 */
-				p = src + (mod + *p - 1) / 8;
-
-				while (len--) {
-					*dst = *src++ << mod;
-					/*
-					 * The 0xff subexpression guards
-					 * against arithmetic sign extension
-					 * by the right shift.
-					 */
-					if (src <= p)
-						*dst++ |=
-							(*src >> (8 - mod)) &
-							~(0xFF << mod);
-				}
-
-				/*
-				 * Et voila, the very last byte has
-				 * automatically already had its padding
-				 * fixed by the left shift.
-				 */
-			}
-
-			prefix->buffer->used = prefix->length;
-			prefix->ndata = prefix->buffer->base;
-
-			/*
-			 * Yes, = is meant here, not ==.  The intent is
-			 * to have it set only when INSISTs are turned on,
-			 * to doublecheck the result of set_offsets.
-			 */
-			INSIST(len = prefix->length);
-
-			INIT_OFFSETS(prefix, prefix_offsets, prefix_odata);
-			set_offsets(prefix, prefix_offsets, prefix);
-
-			INSIST(prefix->labels == splitlabel + 1 &&
-			       prefix->length == len);
-
-		} else
-			dns_name_getlabelsequence(name, 0, splitlabel,
-						  prefix);
-
-	}
-
-	if (suffix != NULL && result == ISC_R_SUCCESS) {
-		if (nbits > 0) {
-			bitbytes = (nbits - 1) / 8 + 1;
-
-			isc_buffer_clear(suffix->buffer);
-
-			/*
-			 * The existing bitcount is in src.
-			 * Set len to the number of bytes to be removed,
-			 * and the suffix length to the number of bytes in
-			 * the new name.
-			 */
-			src = &name->ndata[offsets[splitlabel] + 1];
-			len = ((*src == 0 ? 256 : *src) - 1) / 8;
-			len -= (bitbytes - 1);
-			src++;
-
-			suffix->length = name->length -
-				offsets[splitlabel] - len;
-
-			INSIST(suffix->length > 0);
-			if (suffix->length > suffix->buffer->length) {
-				dns_name_invalidate(suffix);
-				return (ISC_R_NOSPACE);
-			}
-
-			/*
-			 * First set up the bitstring label.
-			 */
-			dst = suffix->buffer->base;
-			*dst++ = DNS_LABELTYPE_BITSTRING;
-			*dst++ = nbits;
-
-			if (len > 0) {
-				/*
-				 * Remember where the next label starts.
-				 */
-				p = src + bitbytes + len;
-
-				/*
-				 * Some bytes are being removed from the
-				 * middle of the name because of the truncation
-				 * of bits in the bitstring label.  Copy
-				 * the bytes (whether full with 8 bits or not)
-				 * that are being kept.
-				 */
-				for (len = bitbytes; len > 0; len--)
-					*dst++ = *src++;
-
-				/*
-				 * Now just copy the rest of the labels of
-				 * the name by adjusting src to point to
-				 * the next label.
-				 *
-				 * 2 == label type byte + bitcount byte.
-				 */
-				len = suffix->length - bitbytes - 2;
-				src = p;
-			} else
-				len = suffix->length - 2;
-
-			if (len > 0)
-				memmove(dst, src, len);
-
-			suffix->buffer->used = suffix->length;
-			suffix->ndata = suffix->buffer->base;
-
-			/*
-			 * The byte that contains the end of the
-			 * bitstring has its pad bits (if any) masked
-			 * to zero.
-			 */
-			if (mod != 0)
-				suffix->ndata[bitbytes + 1] &=
-					0xFF << (8 - mod);
-
-			/*
-			 * Yes, = is meant here, not ==.  The intent is
-			 * to have it set only when INSISTs are turned on,
-			 * to doublecheck the result of set_offsets.
-			 */
-			INSIST(len = suffix->length);
-
-			INIT_OFFSETS(suffix, suffix_offsets, suffix_odata);
-			set_offsets(suffix, suffix_offsets, suffix);
-
-			INSIST(suffix->labels == suffixlabels &&
-			       suffix->length == len);
-
-		} else
-			dns_name_getlabelsequence(name, splitlabel,
-						  suffixlabels, suffix);
-
-	}
-
-	/*
-	 * Compacting the prefix can't be done until after the suffix is
-	 * set, because it would screw up the offsets table of 'name'
-	 * when 'name' == 'prefix'.
-	 */
-	if (maybe_compact_prefix && splitlabel > 0 &&
-	    prefix->ndata[prefix_offsets[splitlabel - 1]] ==
-	    DNS_LABELTYPE_BITSTRING)
-		compact(prefix, prefix_offsets);
-
-	return (result);
-}
-
-isc_result_t
-dns_name_splitatdepth(dns_name_t *name, unsigned int depth,
-		      dns_name_t *prefix, dns_name_t *suffix)
-{
-	unsigned int suffixlabels, nbits, label, count, n;
-	unsigned char *offsets, *ndata;
-	dns_offsets_t odata;
-
-	/*
-	 * Split 'name' into two pieces at a certain depth.
-	 */
-
-	REQUIRE(VALID_NAME(name));
-	REQUIRE(name->labels > 0);
-	REQUIRE(depth > 0);
+	if (prefix != NULL)
+		dns_name_getlabelsequence(name, 0, splitlabel, prefix);
 
-	SETUP_OFFSETS(name, offsets, odata);
+	if (suffix != NULL)
+		dns_name_getlabelsequence(name, splitlabel,
+					  suffixlabels, suffix);
 
-	suffixlabels = 0;
-	nbits = 0;
-	label = name->labels;
-	do {
-		label--;
-		ndata = &name->ndata[offsets[label]];
-		count = *ndata++;
-		if (count > 63) {
-			INSIST(count == DNS_LABELTYPE_BITSTRING);
-			/*
-			 * Get the number of bits in the bitstring label.
-			 */
-			n = *ndata++;
-			if (n == 0)
-				n = 256;
-			suffixlabels++;
-			if (n <= depth) {
-				/*
-				 * This entire bitstring is in the suffix.
-				 */
-				depth -= n;
-			} else {
-				/*
-				 * Only the first 'depth' bits of this
-				 * bitstring are in the suffix.
-				 */
-				nbits = depth;
-				depth = 0;
-			}
-		} else {
-			suffixlabels++;
-			depth--;
-		}
-	} while (depth != 0 && label != 0);
-
-	/*
-	 * If depth is not zero, then the caller violated the requirement
-	 * that depth <= dns_name_depth(name).
-	 */
-	if (depth != 0) {
-		REQUIRE(depth <= dns_name_depth(name));
-		/*
-		 * We should never get here!
-		 */
-		INSIST(0);
-	}
-
-	return (dns_name_split(name, suffixlabels, nbits, prefix, suffix));
+	return;
 }
 
 isc_result_t
-dns_name_dup(const dns_name_t *source, isc_mem_t *mctx,
-	     dns_name_t *target)
-{
+dns_name_dup(dns_name_t *source, isc_mem_t *mctx, dns_name_t *target) {
 	/*
 	 * Make 'target' a dynamically allocated copy of 'source'.
 	 */
@@ -3313,8 +2137,7 @@ dns_name_format(dns_name_t *name, char *cp, unsigned int size) {
 
 isc_result_t
 dns_name_copy(dns_name_t *source, dns_name_t *dest, isc_buffer_t *target) {
-	unsigned char *ndata, *offsets;
-	dns_offsets_t odata;
+	unsigned char *ndata;
 
 	/*
 	 * Make dest a copy of source.
@@ -3351,8 +2174,10 @@ dns_name_copy(dns_name_t *source, dns_name_t *dest, isc_buffer_t *target) {
 		dest->attributes = 0;
 
 	if (dest->labels > 0 && dest->offsets != NULL) {
-		INIT_OFFSETS(dest, offsets, odata);
-		set_offsets(dest, offsets, NULL);
+		if (source->offsets != NULL)
+			memcpy(dest->offsets, source->offsets, source->labels);
+		else
+			set_offsets(dest, dest->offsets, NULL);
 	}
 
 	isc_buffer_add(target, dest->length);
diff --git a/lib/dns/ncache.c b/lib/dns/ncache.c
index c9e0a49e..dddde60e 100644
--- a/lib/dns/ncache.c
+++ b/lib/dns/ncache.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ncache.c,v 1.24.2.6 2004/03/09 06:11:04 marka Exp $ */
+/* $Id: ncache.c,v 1.24.2.4.2.7 2004/03/08 02:07:54 marka Exp $ */
 
 #include <config.h>
 
@@ -137,10 +137,10 @@ dns_ncache_add(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
 				     DNS_RDATASETATTR_NCACHE) == 0)
 					continue;
 				type = rdataset->type;
-				if (type == dns_rdatatype_sig)
+				if (type == dns_rdatatype_rrsig)
 					type = rdataset->covers;
 				if (type == dns_rdatatype_soa ||
-				    type == dns_rdatatype_nxt) {
+				    type == dns_rdatatype_nsec) {
 					if (ttl > rdataset->ttl)
 						ttl = rdataset->ttl;
 					if (trust > rdataset->trust)
@@ -247,7 +247,8 @@ dns_ncache_add(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
 	ISC_LIST_APPEND(ncrdatalist.rdata, &rdata, link);
 
 	dns_rdataset_init(&ncrdataset);
-	dns_rdatalist_tordataset(&ncrdatalist, &ncrdataset);
+	RUNTIME_CHECK(dns_rdatalist_tordataset(&ncrdatalist, &ncrdataset)
+		      == ISC_R_SUCCESS);
 	ncrdataset.trust = trust;
 	if (message->rcode == dns_rcode_nxdomain)
 		ncrdataset.attributes |= DNS_RDATASETATTR_NXDOMAIN;
@@ -258,7 +259,8 @@ dns_ncache_add(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
 
 isc_result_t
 dns_ncache_towire(dns_rdataset_t *rdataset, dns_compress_t *cctx,
-		  isc_buffer_t *target, unsigned int *countp)
+		  isc_buffer_t *target, unsigned int options,
+		  unsigned int *countp)
 {
 	dns_rdata_t rdata = DNS_RDATA_INIT;
 	isc_result_t result;
@@ -316,6 +318,10 @@ dns_ncache_towire(dns_rdataset_t *rdataset, dns_compress_t *cctx,
 			INSIST(remaining.length >= rdata.length);
 			isc_buffer_forward(&source, rdata.length);
 
+			if ((options & DNS_NCACHETOWIRE_OMITDNSSEC) != 0 &&
+			    dns_rdatatype_isdnssec(type))
+				continue;
+
 			/*
 			 * Write the name.
 			 */
@@ -377,3 +383,172 @@ dns_ncache_towire(dns_rdataset_t *rdataset, dns_compress_t *cctx,
 
 	return (result);
 }
+
+static void
+rdataset_disassociate(dns_rdataset_t *rdataset) {
+	UNUSED(rdataset);
+}
+
+static isc_result_t
+rdataset_first(dns_rdataset_t *rdataset) {
+	unsigned char *raw = rdataset->private3;
+	unsigned int count;
+
+	count = raw[0] * 256 + raw[1];
+	if (count == 0) {
+		rdataset->private5 = NULL;
+		return (ISC_R_NOMORE);
+	}
+	raw += 2;
+	/*
+	 * The privateuint4 field is the number of rdata beyond the cursor
+	 * position, so we decrement the total count by one before storing
+	 * it.
+	 */
+	count--;
+	rdataset->privateuint4 = count;
+	rdataset->private5 = raw;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+rdataset_next(dns_rdataset_t *rdataset) {
+	unsigned int count;
+	unsigned int length;
+	unsigned char *raw;
+
+	count = rdataset->privateuint4;
+	if (count == 0)
+		return (ISC_R_NOMORE);
+	count--;
+	rdataset->privateuint4 = count;
+	raw = rdataset->private5;
+	length = raw[0] * 256 + raw[1];
+	raw += length + 2;
+	rdataset->private5 = raw;
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata) {
+	unsigned char *raw = rdataset->private5;
+	isc_region_t r;
+
+	REQUIRE(raw != NULL);
+
+	r.length = raw[0] * 256 + raw[1];
+	raw += 2;
+	r.base = raw;
+	dns_rdata_fromregion(rdata, rdataset->rdclass, rdataset->type, &r);
+}
+
+static void
+rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target) {
+	*target = *source;
+
+	/*
+	 * Reset iterator state.
+	 */
+	target->privateuint4 = 0;
+	target->private5 = NULL;
+}
+
+static unsigned int
+rdataset_count(dns_rdataset_t *rdataset) {
+	unsigned char *raw = rdataset->private3;
+	unsigned int count;
+
+	count = raw[0] * 256 + raw[1];
+
+	return (count);
+}
+
+static dns_rdatasetmethods_t rdataset_methods = {
+	rdataset_disassociate,
+	rdataset_first,
+	rdataset_next,
+	rdataset_current,
+	rdataset_clone,
+	rdataset_count,
+	NULL,
+	NULL
+};
+
+isc_result_t
+dns_ncache_getrdataset(dns_rdataset_t *ncacherdataset, dns_name_t *name,
+		       dns_rdatatype_t type, dns_rdataset_t *rdataset)
+{
+	isc_result_t result;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	isc_region_t remaining;
+	isc_buffer_t source;
+	dns_name_t tname;
+	dns_rdatatype_t ttype;
+	unsigned int i, rcount;
+	isc_uint16_t length;
+
+	REQUIRE(ncacherdataset != NULL);
+	REQUIRE(ncacherdataset->type == 0);
+	REQUIRE(name != NULL);
+	REQUIRE(!dns_rdataset_isassociated(rdataset));
+	REQUIRE(type != dns_rdatatype_rrsig);
+
+	result = dns_rdataset_first(ncacherdataset);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	dns_rdataset_current(ncacherdataset, &rdata);
+	INSIST(dns_rdataset_next(ncacherdataset) == ISC_R_NOMORE);
+	isc_buffer_init(&source, rdata.data, rdata.length);
+	isc_buffer_add(&source, rdata.length);
+
+	do {
+		dns_name_init(&tname, NULL);
+		isc_buffer_remainingregion(&source, &remaining);
+		dns_name_fromregion(&tname, &remaining);
+		INSIST(remaining.length >= tname.length);
+		isc_buffer_forward(&source, tname.length);
+		remaining.length -= tname.length;
+
+		INSIST(remaining.length >= 4);
+		ttype = isc_buffer_getuint16(&source);
+
+		if (ttype == type && dns_name_equal(&tname, name)) {
+			isc_buffer_remainingregion(&source, &remaining);
+			break;
+		}
+
+		rcount = isc_buffer_getuint16(&source);
+		for (i = 0; i < rcount; i++) {
+			isc_buffer_remainingregion(&source, &remaining);
+			INSIST(remaining.length >= 2);
+			length = isc_buffer_getuint16(&source);
+			isc_buffer_remainingregion(&source, &remaining);
+			INSIST(remaining.length >= length);
+			isc_buffer_forward(&source, length);
+		}
+		isc_buffer_remainingregion(&source, &remaining);
+	} while (remaining.length > 0);
+
+	if (remaining.length == 0)
+		return (ISC_R_NOTFOUND);
+
+	rdataset->methods = &rdataset_methods;
+	rdataset->rdclass = ncacherdataset->rdclass;
+	rdataset->type = type;
+	rdataset->covers = 0;
+	rdataset->ttl = ncacherdataset->ttl;
+	rdataset->trust = ncacherdataset->trust;
+	rdataset->private1 = NULL;
+	rdataset->private2 = NULL;
+
+	rdataset->private3 = remaining.base;
+
+	/*
+	 * Reset iterator state.
+	 */
+	rdataset->privateuint4 = 0;
+	rdataset->private5 = NULL;
+	return (ISC_R_SUCCESS);
+}
diff --git a/lib/dns/nxt.c b/lib/dns/nsec.c
index df352d1b..c259706a 100644
--- a/lib/dns/nxt.c
+++ b/lib/dns/nsec.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nxt.c,v 1.26.2.3 2004/03/09 06:11:04 marka Exp $ */
+/* $Id: nsec.c,v 1.5.2.1 2004/03/08 02:07:55 marka Exp $ */
 
 #include <config.h>
 
@@ -23,7 +23,7 @@
 #include <isc/util.h>
 
 #include <dns/db.h>
-#include <dns/nxt.h>
+#include <dns/nsec.h>
 #include <dns/rdata.h>
 #include <dns/rdatalist.h>
 #include <dns/rdataset.h>
@@ -62,26 +62,32 @@ bit_isset(unsigned char *array, unsigned int index) {
 }
 
 isc_result_t
-dns_nxt_buildrdata(dns_db_t *db, dns_dbversion_t *version,
-		   dns_dbnode_t *node, dns_name_t *target,
-		   unsigned char *buffer, dns_rdata_t *rdata)
+dns_nsec_buildrdata(dns_db_t *db, dns_dbversion_t *version,
+		    dns_dbnode_t *node, dns_name_t *target,
+		    unsigned char *buffer, dns_rdata_t *rdata)
 {
 	isc_result_t result;
 	dns_rdataset_t rdataset;
 	isc_region_t r;
-	int i;
+	unsigned int i, window;
+	int octet;
 
-	unsigned char *nxt_bits;
+	unsigned char *nsec_bits, *bm;
 	unsigned int max_type;
 	dns_rdatasetiter_t *rdsiter;
 
-	memset(buffer, 0, DNS_NXT_BUFFERSIZE);
+	memset(buffer, 0, DNS_NSEC_BUFFERSIZE);
 	dns_name_toregion(target, &r);
 	memcpy(buffer, r.base, r.length);
 	r.base = buffer;
-	nxt_bits = r.base + r.length;
-	set_bit(nxt_bits, dns_rdatatype_nxt, 1);
-	max_type = dns_rdatatype_nxt;
+	/*
+	 * Use the end of the space for a raw bitmap leaving enough
+	 * space for the window identifiers and length octets.
+	 */
+	bm = r.base + r.length + 512;
+	nsec_bits = r.base + r.length;
+	set_bit(bm, dns_rdatatype_nsec, 1);
+	max_type = dns_rdatatype_nsec;
 	dns_rdataset_init(&rdataset);
 	rdsiter = NULL;
 	result = dns_db_allrdatasets(db, node, version, 0, &rdsiter);
@@ -92,13 +98,10 @@ dns_nxt_buildrdata(dns_db_t *db, dns_dbversion_t *version,
 	     result = dns_rdatasetiter_next(rdsiter))
 	{
 		dns_rdatasetiter_current(rdsiter, &rdataset);
-		if (rdataset.type > 127)
-			/* XXX "rdataset type too large" */
-			return (ISC_R_RANGE);
-		if (rdataset.type != dns_rdatatype_nxt) {
+		if (rdataset.type != dns_rdatatype_nsec) {
 			if (rdataset.type > max_type)
 				max_type = rdataset.type;
-			set_bit(nxt_bits, rdataset.type, 1);
+			set_bit(bm, rdataset.type, 1);
 		}
 		dns_rdataset_disassociate(&rdataset);
 	}
@@ -106,12 +109,12 @@ dns_nxt_buildrdata(dns_db_t *db, dns_dbversion_t *version,
 	/*
 	 * At zone cuts, deny the existence of glue in the parent zone.
 	 */
-	if (bit_isset(nxt_bits, dns_rdatatype_ns) &&
-	    ! bit_isset(nxt_bits, dns_rdatatype_soa)) {
-		for (i = 0; i < 128; i++) {
-			if (bit_isset(nxt_bits, i) &&
+	if (bit_isset(bm, dns_rdatatype_ns) &&
+	    ! bit_isset(bm, dns_rdatatype_soa)) {
+		for (i = 0; i <= max_type; i++) {
+			if (bit_isset(bm, i) &&
 			    ! dns_rdatatype_iszonecutauth((dns_rdatatype_t)i))
-				set_bit(nxt_bits, i, 0);
+				set_bit(bm, i, 0);
 		}
 	}
 
@@ -119,11 +122,27 @@ dns_nxt_buildrdata(dns_db_t *db, dns_dbversion_t *version,
 	if (result != ISC_R_NOMORE)
 		return (result);
 
-	r.length += max_type / 8 + 1;
-	INSIST(r.length <= DNS_NXT_BUFFERSIZE);
+	for (window = 0; window < 256; window++) {
+		if (window * 256 > max_type)
+			break;
+		for (octet = 31; octet >= 0; octet--)
+			if (bm[window * 32 + octet] != 0)
+				break;
+		if (octet < 0)
+			continue;
+		nsec_bits[0] = window;
+		nsec_bits[1] = octet + 1;
+		/*
+		 * Note: potential overlapping move.
+		 */
+		memmove(&nsec_bits[2], &bm[window * 32], octet + 1);
+		nsec_bits += 3 + octet;
+	}
+	r.length = nsec_bits - r.base;
+	INSIST(r.length <= DNS_NSEC_BUFFERSIZE);
 	dns_rdata_fromregion(rdata,
 			     dns_db_class(db),
-			     dns_rdatatype_nxt,
+			     dns_rdatatype_nsec,
 			     &r);
 
 	return (ISC_R_SUCCESS);
@@ -131,22 +150,22 @@ dns_nxt_buildrdata(dns_db_t *db, dns_dbversion_t *version,
 
 
 isc_result_t
-dns_nxt_build(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
-	      dns_name_t *target, dns_ttl_t ttl)
+dns_nsec_build(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
+	       dns_name_t *target, dns_ttl_t ttl)
 {
 	isc_result_t result;
 	dns_rdata_t rdata = DNS_RDATA_INIT;
-	unsigned char data[DNS_NXT_BUFFERSIZE];
+	unsigned char data[DNS_NSEC_BUFFERSIZE];
 	dns_rdatalist_t rdatalist;
 	dns_rdataset_t rdataset;
 
 	dns_rdataset_init(&rdataset);
 	dns_rdata_init(&rdata);
 
-	RETERR(dns_nxt_buildrdata(db, version, node, target, data, &rdata));
+	RETERR(dns_nsec_buildrdata(db, version, node, target, data, &rdata));
 
 	rdatalist.rdclass = dns_db_class(db);
-	rdatalist.type = dns_rdatatype_nxt;
+	rdatalist.type = dns_rdatatype_nsec;
 	rdatalist.covers = 0;
 	rdatalist.ttl = ttl;
 	ISC_LIST_INIT(rdatalist.rdata);
@@ -164,23 +183,36 @@ dns_nxt_build(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
 }
 
 isc_boolean_t
-dns_nxt_typepresent(dns_rdata_t *nxt, dns_rdatatype_t type) {
-	dns_rdata_nxt_t nxtstruct;
+dns_nsec_typepresent(dns_rdata_t *nsec, dns_rdatatype_t type) {
+	dns_rdata_nsec_t nsecstruct;
 	isc_result_t result;
 	isc_boolean_t present;
+	unsigned int i, len, window;
 
-	REQUIRE(nxt != NULL);
-	REQUIRE(nxt->type == dns_rdatatype_nxt);
-	REQUIRE(type < 128);
+	REQUIRE(nsec != NULL);
+	REQUIRE(nsec->type == dns_rdatatype_nsec);
 
 	/* This should never fail */
-	result = dns_rdata_tostruct(nxt, &nxtstruct, NULL);
+	result = dns_rdata_tostruct(nsec, &nsecstruct, NULL);
 	INSIST(result == ISC_R_SUCCESS);
 	
-	if (type >= nxtstruct.len * 8)
-		present = ISC_FALSE;
-	else
-		present = ISC_TF(bit_isset(nxtstruct.typebits, type));
-	dns_rdata_freestruct(&nxt);
+	present = ISC_FALSE;
+	for (i = 0; i < nsecstruct.len; i += len) {
+		INSIST(i + 2 <= nsecstruct.len);
+		window = nsecstruct.typebits[i];
+		len = nsecstruct.typebits[i + 1];
+		INSIST(len > 0 && len <= 32);
+		i += 2;
+		INSIST(i + len <= nsecstruct.len);
+		if (window * 256 > type)
+			break;
+		if ((window + 1) * 256 <= type)
+			continue;
+		if (type < (window * 256) + len * 8)
+			present = ISC_TF(bit_isset(&nsecstruct.typebits[i],
+						   type % 256));
+		break;
+	}
+	dns_rdata_freestruct(&nsec);
 	return (present);
 }
diff --git a/lib/dns/order.c b/lib/dns/order.c
new file mode 100644
index 00000000..f09afedf
--- /dev/null
+++ b/lib/dns/order.c
@@ -0,0 +1,157 @@
+/*
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2002  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: order.c,v 1.4.202.4 2004/03/08 09:04:30 marka Exp $ */
+
+#include <config.h>
+
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/types.h>
+#include <isc/util.h>
+#include <isc/refcount.h>
+
+#include <dns/fixedname.h>
+#include <dns/name.h>
+#include <dns/order.h>
+#include <dns/rdataset.h>
+#include <dns/types.h>
+
+typedef struct dns_order_ent dns_order_ent_t;
+struct dns_order_ent {
+	dns_fixedname_t			name;
+	dns_rdataclass_t		rdclass;
+	dns_rdatatype_t			rdtype;
+	unsigned int			mode;
+	ISC_LINK(dns_order_ent_t)	link;
+};
+
+struct dns_order {
+	unsigned int			magic;
+	isc_refcount_t          	references;
+	ISC_LIST(dns_order_ent_t)	ents;
+	isc_mem_t			*mctx;
+};
+	
+#define DNS_ORDER_MAGIC ISC_MAGIC('O','r','d','r')
+#define DNS_ORDER_VALID(order)	ISC_MAGIC_VALID(order, DNS_ORDER_MAGIC)
+
+isc_result_t
+dns_order_create(isc_mem_t *mctx, dns_order_t **orderp) {
+	dns_order_t *order;
+	REQUIRE(orderp != NULL && *orderp == NULL);
+
+	order = isc_mem_get(mctx, sizeof(*order));
+	if (order == NULL)
+		return (ISC_R_NOMEMORY);
+	
+	ISC_LIST_INIT(order->ents);
+	isc_refcount_init(&order->references, 1);     /* Implicit attach. */
+
+	order->mctx = NULL;
+	isc_mem_attach(mctx, &order->mctx);
+	order->magic = DNS_ORDER_MAGIC;
+	*orderp = order;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_order_add(dns_order_t *order, dns_name_t *name,
+	      dns_rdatatype_t rdtype, dns_rdataclass_t rdclass,
+	      unsigned int mode)
+{
+	dns_order_ent_t *ent;
+
+	REQUIRE(DNS_ORDER_VALID(order));
+	REQUIRE(mode == DNS_RDATASETATTR_RANDOMIZE ||
+	        mode == DNS_RDATASETATTR_FIXEDORDER ||
+		mode == 0 /* DNS_RDATASETATTR_CYCLIC */ );
+
+	ent = isc_mem_get(order->mctx, sizeof(*ent));
+	if (ent == NULL)
+		return (ISC_R_NOMEMORY);
+
+	dns_fixedname_init(&ent->name);
+	RUNTIME_CHECK(dns_name_copy(name, dns_fixedname_name(&ent->name), NULL)
+		      == ISC_R_SUCCESS);
+	ent->rdtype = rdtype;
+	ent->rdclass = rdclass;
+	ent->mode = mode;
+	ISC_LINK_INIT(ent, link);
+	ISC_LIST_INITANDAPPEND(order->ents, ent, link);
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_boolean_t
+match(dns_name_t *name1, dns_name_t *name2) {
+	
+	if (dns_name_iswildcard(name2))
+		return(dns_name_matcheswildcard(name1, name2));
+	return (dns_name_equal(name1, name2));
+}
+
+unsigned int
+dns_order_find(dns_order_t *order, dns_name_t *name,
+	       dns_rdatatype_t rdtype, dns_rdataclass_t rdclass)
+{
+	dns_order_ent_t *ent;
+	REQUIRE(DNS_ORDER_VALID(order));
+
+	for (ent = ISC_LIST_HEAD(order->ents);
+	     ent != NULL;
+	     ent = ISC_LIST_NEXT(ent, link)) {
+		if (ent->rdtype != rdtype && ent->rdtype != dns_rdatatype_any)
+			continue;
+		if (ent->rdclass != rdclass &&
+		    ent->rdclass != dns_rdataclass_any)
+			continue;
+		if (match(name, dns_fixedname_name(&ent->name)))
+			return (ent->mode);
+	}
+	return (0);
+}
+
+void
+dns_order_attach(dns_order_t *source, dns_order_t **target) {
+	REQUIRE(DNS_ORDER_VALID(source));
+	REQUIRE(target != NULL && *target == NULL);
+	isc_refcount_increment(&source->references, NULL);
+	*target = source;
+}
+
+void
+dns_order_detach(dns_order_t **orderp) {
+	dns_order_t *order;
+	dns_order_ent_t *ent;
+	unsigned int references;
+
+	REQUIRE(orderp != NULL);
+	order = *orderp;
+	REQUIRE(DNS_ORDER_VALID(order));
+	isc_refcount_decrement(&order->references, &references);
+	*orderp = NULL;
+	if (references != 0)
+		return;
+
+	order->magic = 0;
+	while ((ent = ISC_LIST_HEAD(order->ents)) != NULL) {
+		ISC_LIST_UNLINK(order->ents, ent, link);
+		isc_mem_put(order->mctx, ent, sizeof(*ent));
+	}
+	isc_refcount_destroy(&order->references);
+	isc_mem_putanddetach(&order->mctx, order, sizeof(*order));
+}
diff --git a/lib/dns/peer.c b/lib/dns/peer.c
index 206899ea..a50ff0c9 100644
--- a/lib/dns/peer.c
+++ b/lib/dns/peer.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,13 +15,14 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: peer.c,v 1.14.2.2 2004/03/09 06:11:04 marka Exp $ */
+/* $Id: peer.c,v 1.14.2.1.10.4 2004/03/06 08:13:41 marka Exp $ */
 
 #include <config.h>
 
 #include <isc/mem.h>
 #include <isc/string.h>
 #include <isc/util.h>
+#include <isc/sockaddr.h>
 
 #include <dns/bit.h>
 #include <dns/fixedname.h>
@@ -38,11 +39,11 @@
 #define REQUEST_IXFR_BIT		4
 #define SUPPORT_EDNS_BIT		5
 
-static isc_result_t
-dns_peerlist_delete(dns_peerlist_t **list);
+static void
+peerlist_delete(dns_peerlist_t **list);
 
-static isc_result_t
-dns_peer_delete(dns_peer_t **peer);
+static void
+peer_delete(dns_peer_t **peer);
 
 isc_result_t
 dns_peerlist_new(isc_mem_t *mem, dns_peerlist_t **list) {
@@ -50,10 +51,9 @@ dns_peerlist_new(isc_mem_t *mem, dns_peerlist_t **list) {
 
 	REQUIRE(list != NULL);
 
-	l = isc_mem_get(mem, sizeof *l);
-	if (l == NULL) {
+	l = isc_mem_get(mem, sizeof(*l));
+	if (l == NULL)
 		return (ISC_R_NOMEMORY);
-	}
 
 	ISC_LIST_INIT(l->elements);
 	l->mem = mem;
@@ -94,16 +94,14 @@ dns_peerlist_detach(dns_peerlist_t **list) {
 
 	plist->refs--;
 
-	if (plist->refs == 0) {
-		dns_peerlist_delete(&plist);
-	}
+	if (plist->refs == 0)
+		peerlist_delete(&plist);
 }
 
-static isc_result_t
-dns_peerlist_delete(dns_peerlist_t **list) {
+static void
+peerlist_delete(dns_peerlist_t **list) {
 	dns_peerlist_t *l;
 	dns_peer_t *server, *stmp;
-	isc_result_t r;
 
 	REQUIRE(list != NULL);
 	REQUIRE(DNS_PEERLIST_VALID(*list));
@@ -116,20 +114,14 @@ dns_peerlist_delete(dns_peerlist_t **list) {
 	while (server != NULL) {
 		stmp = ISC_LIST_NEXT(server, next);
 		ISC_LIST_UNLINK(l->elements, server, next);
-		r = dns_peer_detach(&server);
-		if (r != ISC_R_SUCCESS) {
-			return (r);
-		}
-
+		dns_peer_detach(&server);
 		server = stmp;
 	}
 
 	l->magic = 0;
-	isc_mem_put(l->mem, l, sizeof *l);
+	isc_mem_put(l->mem, l, sizeof(*l));
 
 	*list = NULL;
-
-	return (ISC_R_SUCCESS);
 }
 
 void
@@ -153,9 +145,8 @@ dns_peerlist_peerbyaddr(dns_peerlist_t *servers,
 
 	server = ISC_LIST_HEAD(servers->elements);
 	while (server != NULL) {
-		if (isc_netaddr_equal(addr, &server->address)) {
+		if (isc_netaddr_equal(addr, &server->address))
 			break;
-		}
 
 		server = ISC_LIST_NEXT(server, next);
 	}
@@ -189,10 +180,9 @@ dns_peer_new(isc_mem_t *mem, isc_netaddr_t *addr, dns_peer_t **peerptr) {
 
 	REQUIRE(peerptr != NULL);
 
-	peer = isc_mem_get(mem, sizeof *peer);
-	if (peer == NULL) {
+	peer = isc_mem_get(mem, sizeof(*peer));
+	if (peer == NULL)
 		return (ISC_R_NOMEMORY);
-	}
 
 	peer->magic = DNS_PEER_MAGIC;
 	peer->address = *addr;
@@ -204,8 +194,9 @@ dns_peer_new(isc_mem_t *mem, isc_netaddr_t *addr, dns_peer_t **peerptr) {
 	peer->provide_ixfr = ISC_FALSE;
 	peer->key = NULL;
 	peer->refs = 1;
+	peer->transfer_source = NULL;
 
-	memset(&peer->bitflags, 0x0, sizeof peer->bitflags);
+	memset(&peer->bitflags, 0x0, sizeof(peer->bitflags));
 
 	ISC_LINK_INIT(peer, next);
 
@@ -214,7 +205,7 @@ dns_peer_new(isc_mem_t *mem, isc_netaddr_t *addr, dns_peer_t **peerptr) {
 	return (ISC_R_SUCCESS);
 }
 
-isc_result_t
+void
 dns_peer_attach(dns_peer_t *source, dns_peer_t **target) {
 	REQUIRE(DNS_PEER_VALID(source));
 	REQUIRE(target != NULL);
@@ -225,11 +216,9 @@ dns_peer_attach(dns_peer_t *source, dns_peer_t **target) {
 	ENSURE(source->refs != 0xffffffffU);
 
 	*target = source;
-
-	return (ISC_R_SUCCESS);
 }
 
-isc_result_t
+void
 dns_peer_detach(dns_peer_t **peer) {
 	dns_peer_t *p;
 
@@ -244,15 +233,12 @@ dns_peer_detach(dns_peer_t **peer) {
 	*peer = NULL;
 	p->refs--;
 
-	if (p->refs == 0) {
-		dns_peer_delete(&p);
-	}
-
-	return (ISC_R_SUCCESS);
+	if (p->refs == 0)
+		peer_delete(&p);
 }
 
-static isc_result_t
-dns_peer_delete(dns_peer_t **peer) {
+static void
+peer_delete(dns_peer_t **peer) {
 	dns_peer_t *p;
 	isc_mem_t *mem;
 
@@ -272,11 +258,14 @@ dns_peer_delete(dns_peer_t **peer) {
 		isc_mem_put(mem, p->key, sizeof(dns_name_t));
 	}
 
-	isc_mem_put(mem, p, sizeof *p);
+	if (p->transfer_source != NULL) {
+		isc_mem_put(mem, p->transfer_source,
+			    sizeof(*p->transfer_source));
+	}
 
-	*peer = NULL;
+	isc_mem_put(mem, p, sizeof(*p));
 
-	return (ISC_R_SUCCESS);
+	*peer = NULL;
 }
 
 isc_result_t
@@ -500,3 +489,34 @@ dns_peer_setkeybycharp(dns_peer_t *peer, const char *keyval) {
 
 	return (result);
 }
+
+isc_result_t
+dns_peer_settransfersource(dns_peer_t *peer, isc_sockaddr_t *transfer_source) {
+	REQUIRE(DNS_PEER_VALID(peer));
+
+	if (peer->transfer_source != NULL) {
+		isc_mem_put(peer->mem, peer->transfer_source,
+			    sizeof(*peer->transfer_source));
+		peer->transfer_source = NULL;
+	}
+	if (transfer_source != NULL) {
+		peer->transfer_source = isc_mem_get(peer->mem,
+					        sizeof(*peer->transfer_source));
+		if (peer->transfer_source == NULL)
+			return (ISC_R_NOMEMORY);
+
+		*peer->transfer_source = *transfer_source;
+	}
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_gettransfersource(dns_peer_t *peer, isc_sockaddr_t *transfer_source) {
+	REQUIRE(DNS_PEER_VALID(peer));
+	REQUIRE(transfer_source != NULL);
+
+	if (peer->transfer_source == NULL)
+		return (ISC_R_NOTFOUND);
+	*transfer_source = *peer->transfer_source;
+	return (ISC_R_SUCCESS);
+}
diff --git a/lib/dns/portlist.c b/lib/dns/portlist.c
new file mode 100644
index 00000000..64546e37
--- /dev/null
+++ b/lib/dns/portlist.c
@@ -0,0 +1,260 @@
+/*
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2003  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: portlist.c,v 1.3.72.4 2004/03/16 05:50:21 marka Exp $ */
+
+#include <stdlib.h>
+
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/mutex.h>
+#include <isc/net.h>
+#include <isc/refcount.h>
+#include <isc/result.h>
+#include <isc/string.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+#include <dns/types.h>
+#include <dns/portlist.h>
+
+#define DNS_PORTLIST_MAGIC	ISC_MAGIC('P','L','S','T')
+#define DNS_VALID_PORTLIST(p)	ISC_MAGIC_VALID(p, DNS_PORTLIST_MAGIC)
+
+typedef struct dns_element {
+	in_port_t	port;
+	isc_uint16_t	flags;
+} dns_element_t;
+
+struct dns_portlist {
+	unsigned int	magic;
+	isc_mem_t	*mctx;
+	isc_refcount_t	refcount;
+	isc_mutex_t	lock;
+	dns_element_t 	*list;
+	unsigned int	allocated;
+	unsigned int	active;
+};
+
+#define DNS_PL_INET	0x0001
+#define DNS_PL_INET6	0x0002
+#define DNS_PL_ALLOCATE	16
+
+static int
+compare(const void *arg1, const void *arg2) {
+	const dns_element_t *e1 = (const dns_element_t *)arg1;
+	const dns_element_t *e2 = (const dns_element_t *)arg2;
+
+	if (e1->port < e2->port)
+		return (-1);
+	if (e1->port > e2->port)
+		return (1);
+	return (0);
+}
+
+isc_result_t
+dns_portlist_create(isc_mem_t *mctx, dns_portlist_t **portlistp) {
+	dns_portlist_t *portlist;
+	isc_result_t result;
+
+	REQUIRE(portlistp != NULL && *portlistp == NULL);
+
+	portlist = isc_mem_get(mctx, sizeof(*portlist));
+	if (portlist == NULL)
+		return (ISC_R_NOMEMORY);
+        result = isc_mutex_init(&portlist->lock);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_put(mctx, portlist, sizeof(*portlist));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_mutex_init() failed: %s",
+				 isc_result_totext(result));
+		return (ISC_R_UNEXPECTED);
+	}
+	isc_refcount_init(&portlist->refcount, 1);
+	portlist->list = NULL;
+	portlist->allocated = 0;
+	portlist->active = 0;
+	portlist->mctx = NULL;
+	isc_mem_attach(mctx, &portlist->mctx);
+	portlist->magic = DNS_PORTLIST_MAGIC;
+	*portlistp = portlist;
+	return (ISC_R_SUCCESS);
+}
+
+static dns_element_t *
+find_port(dns_element_t *list, unsigned int len, in_port_t port) {
+	unsigned int xtry = len / 2;
+	unsigned int min = 0;
+	unsigned int max = len - 1;
+	unsigned int last = len;
+
+	for (;;) {
+		if (list[xtry].port == port)
+			return (&list[xtry]);
+	        if (port > list[xtry].port) {
+			if (xtry == max)
+				break;
+			min = xtry;
+			xtry = xtry + (max - xtry + 1) / 2;
+			INSIST(xtry <= max);
+			if (xtry == last)
+				break;
+			last = min;
+		} else {
+			if (xtry == min)
+				break;
+			max = xtry;
+			xtry = xtry - (xtry - min + 1) / 2;
+			INSIST(xtry >= min);
+			if (xtry == last)
+				break;
+			last = max;
+		}
+	}
+	return (NULL);
+}
+
+isc_result_t
+dns_portlist_add(dns_portlist_t *portlist, int af, in_port_t port) {
+	dns_element_t *el;
+	isc_result_t result;
+
+	REQUIRE(DNS_VALID_PORTLIST(portlist));
+	REQUIRE(af == AF_INET || af == AF_INET6);
+
+	LOCK(&portlist->lock);
+	if (portlist->active != 0) {
+		el = find_port(portlist->list, portlist->active, port);
+		if (el != NULL) {
+			if (af == AF_INET)
+				el->flags |= DNS_PL_INET;
+			else
+				el->flags |= DNS_PL_INET6;
+			result = ISC_R_SUCCESS;
+			goto unlock;
+		}
+	}
+
+	if (portlist->allocated <= portlist->active) {
+		unsigned int allocated;
+		allocated = portlist->allocated + DNS_PL_ALLOCATE;
+		el = isc_mem_get(portlist->mctx, sizeof(*el) * allocated);
+		if (el == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto unlock;
+		}
+		if (portlist->list != NULL) {
+			memcpy(el, portlist->list,
+			       portlist->allocated * sizeof(*el)); 
+			isc_mem_put(portlist->mctx, portlist->list,
+				    portlist->allocated * sizeof(*el));
+		}
+		portlist->list = el;
+		portlist->allocated = allocated;
+	}
+	portlist->list[portlist->active].port = port;
+	if (af == AF_INET)
+		portlist->list[portlist->active].flags = DNS_PL_INET;
+	else
+		portlist->list[portlist->active].flags = DNS_PL_INET6;
+	portlist->active++;
+	qsort(portlist->list, portlist->active, sizeof(*el), compare);
+	result = ISC_R_SUCCESS;
+ unlock:
+	UNLOCK(&portlist->lock);
+	return (result);
+}
+
+void
+dns_portlist_remove(dns_portlist_t *portlist, int af, in_port_t port) {
+	dns_element_t *el;
+
+	REQUIRE(DNS_VALID_PORTLIST(portlist));
+	REQUIRE(af == AF_INET || af == AF_INET6);
+
+	LOCK(&portlist->lock);
+	if (portlist->active != 0) {
+		el = find_port(portlist->list, portlist->active, port);
+		if (el != NULL) {
+			if (af == AF_INET)
+				el->flags &= ~DNS_PL_INET;
+			else
+				el->flags &= ~DNS_PL_INET6;
+			if (el->flags == 0) {
+				*el = portlist->list[portlist->active];
+				portlist->active--;
+				qsort(portlist->list, portlist->active,
+				      sizeof(*el), compare);
+			}
+		}
+	}
+	UNLOCK(&portlist->lock);
+}
+
+isc_boolean_t
+dns_portlist_match(dns_portlist_t *portlist, int af, in_port_t port) {
+	dns_element_t *el;
+	isc_boolean_t result = ISC_FALSE;
+	
+	REQUIRE(DNS_VALID_PORTLIST(portlist));
+	REQUIRE(af == AF_INET || af == AF_INET6);
+	LOCK(&portlist->lock);
+	if (portlist->active != 0) {
+		el = find_port(portlist->list, portlist->active, port);
+		if (el != NULL) {
+			if (af == AF_INET && (el->flags & DNS_PL_INET) != 0)
+				result = ISC_TRUE;
+			if (af == AF_INET6 && (el->flags & DNS_PL_INET6) != 0)
+				result = ISC_TRUE;
+		}
+	}	
+	UNLOCK(&portlist->lock);
+	return (result);
+}
+
+void
+dns_portlist_attach(dns_portlist_t *portlist, dns_portlist_t **portlistp) {
+
+	REQUIRE(DNS_VALID_PORTLIST(portlist));
+	REQUIRE(portlistp != NULL && *portlistp == NULL);
+
+	isc_refcount_increment(&portlist->refcount, NULL);
+	*portlistp = portlist;
+}
+
+void
+dns_portlist_detach(dns_portlist_t **portlistp) {
+	dns_portlist_t *portlist;
+	unsigned int count;
+
+	REQUIRE(portlistp != NULL);
+	portlist = *portlistp;
+	REQUIRE(DNS_VALID_PORTLIST(portlist));
+	*portlistp = NULL;
+	isc_refcount_decrement(&portlist->refcount, &count);
+	if (count == 0) {
+		portlist->magic = 0;
+		isc_refcount_destroy(&portlist->refcount);
+		if (portlist->list != NULL)
+			isc_mem_put(portlist->mctx, portlist->list,
+				    portlist->allocated *
+				    sizeof(*portlist->list));
+		DESTROYLOCK(&portlist->lock);
+		isc_mem_putanddetach(&portlist->mctx, portlist,
+				     sizeof(*portlist));
+	}
+}
diff --git a/lib/dns/rbt.c b/lib/dns/rbt.c
index 45e2e534..a3608f73 100644
--- a/lib/dns/rbt.c
+++ b/lib/dns/rbt.c
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rbt.c,v 1.115.2.11 2005/06/18 01:02:59 marka Exp $ */
+/* $Id: rbt.c,v 1.115.2.2.2.9 2004/03/08 21:06:27 marka Exp $ */
 
 /* Principal Authors: DCL */
 
@@ -64,6 +64,7 @@ struct dns_rbt {
 	unsigned int		nodecount;
 	unsigned int		hashsize;
 	dns_rbtnode_t **	hashtable;
+	unsigned int		quantum;
 };
 
 #define RED 0
@@ -176,9 +177,28 @@ find_up(dns_rbtnode_t *node) {
 	for (root = node; ! IS_ROOT(root); root = PARENT(root))
 		; /* Nothing. */
 
-	return(PARENT(root));
+	return (PARENT(root));
 }
 
+#ifdef DNS_RBT_USEHASH
+static inline void
+compute_node_hash(dns_rbtnode_t *node) {
+	unsigned int hash;
+	dns_name_t name;
+	dns_rbtnode_t *up_node;
+
+	dns_name_init(&name, NULL);
+	NODENAME(node, &name);
+	hash = dns_name_hashbylabel(&name, ISC_FALSE);
+
+	up_node = find_up(node);
+	if (up_node != NULL)
+		hash += HASHVAL(up_node);
+
+	HASHVAL(node) = hash;
+}
+#endif
+
 /*
  * Forward declarations.
  */
@@ -187,11 +207,11 @@ create_node(isc_mem_t *mctx, dns_name_t *name, dns_rbtnode_t **nodep);
 
 #ifdef DNS_RBT_USEHASH
 static inline void
-hash_node(dns_rbt_t *rbt, dns_rbtnode_t *node, dns_name_t *name);
+hash_node(dns_rbt_t *rbt, dns_rbtnode_t *node);
 static inline void
 unhash_node(dns_rbt_t *rbt, dns_rbtnode_t *node);
 #else
-#define hash_node(rbt, node, name) (ISC_R_SUCCESS)
+#define hash_node(rbt, node) (ISC_R_SUCCESS)
 #define unhash_node(rbt, node)
 #endif
 
@@ -211,8 +231,7 @@ static isc_result_t
 dns_rbt_deletetree(dns_rbt_t *rbt, dns_rbtnode_t *node);
 
 static void
-dns_rbt_deletetreeflat(dns_rbt_t *rbt, unsigned int quantum,
-		       dns_rbtnode_t **nodep);
+dns_rbt_deletetreeflat(dns_rbt_t *rbt, dns_rbtnode_t **nodep);
 
 /*
  * Initialize a red/black tree of trees.
@@ -249,6 +268,7 @@ dns_rbt_create(isc_mem_t *mctx, void (*deleter)(void *, void *),
 		return (result);
 	}
 #endif
+	rbt->quantum = 0;
 	rbt->magic = RBT_MAGIC;
 
 	*rbtp = rbt;
@@ -272,7 +292,9 @@ dns_rbt_destroy2(dns_rbt_t **rbtp, unsigned int quantum) {
 
 	rbt = *rbtp;
 
-	dns_rbt_deletetreeflat(rbt, quantum, &rbt->root);
+	rbt->quantum = quantum;
+
+	dns_rbt_deletetreeflat(rbt, &rbt->root);
 	if (rbt->root != NULL)
 		return (ISC_R_QUOTA);
 
@@ -355,14 +377,13 @@ dns_rbt_addnode(dns_rbt_t *rbt, dns_name_t *name, dns_rbtnode_t **nodep) {
 	 * Does this thing have too many variables or what?
 	 */
 	dns_rbtnode_t **root, *parent, *child, *current, *new_current;
-	dns_name_t *add_name, *new_name, current_name, *prefix, *suffix;
-	dns_fixedname_t fixedcopy, fixedprefix, fixedsuffix, fnewname;
+	dns_name_t *add_name, current_name, *prefix, *suffix;
+	dns_fixedname_t fixedcopy, fixedprefix, fixedsuffix;
 	dns_offsets_t current_offsets;
 	dns_namereln_t compared;
 	isc_result_t result = ISC_R_SUCCESS;
 	dns_rbtnodechain_t chain;
-	unsigned int common_labels, common_bits, add_bits;
-	unsigned int nlabels;
+	unsigned int common_labels;
 	int order;
 
 	REQUIRE(VALID_RBT(rbt));
@@ -371,8 +392,7 @@ dns_rbt_addnode(dns_rbt_t *rbt, dns_name_t *name, dns_rbtnode_t **nodep) {
 
 	/*
 	 * Create a copy of the name so the original name structure is
-	 * not modified.  The name data needs to be modifiable when
-	 * a node is split on a bitstring label.
+	 * not modified.
 	 */
 	dns_fixedname_init(&fixedcopy);
 	add_name = dns_fixedname_name(&fixedcopy);
@@ -385,7 +405,7 @@ dns_rbt_addnode(dns_rbt_t *rbt, dns_name_t *name, dns_rbtnode_t **nodep) {
 			new_current->is_root = 1;
 			rbt->root = new_current;
 			*nodep = new_current;
-			hash_node(rbt, new_current, name);
+			hash_node(rbt, new_current);
 		}
 		return (result);
 	}
@@ -403,17 +423,13 @@ dns_rbt_addnode(dns_rbt_t *rbt, dns_name_t *name, dns_rbtnode_t **nodep) {
 	current = NULL;
 	child = *root;
 	dns_name_init(&current_name, current_offsets);
-	dns_fixedname_init(&fnewname);
-	new_name = dns_fixedname_name(&fnewname);
-	nlabels = dns_name_countlabels(name);
 
 	do {
 		current = child;
 
 		NODENAME(current, &current_name);
 		compared = dns_name_fullcompare(add_name, &current_name,
-						&order,
-						&common_labels, &common_bits);
+						&order, &common_labels);
 
 		if (compared == dns_namereln_equal) {
 			*nodep = current;
@@ -454,13 +470,8 @@ dns_rbt_addnode(dns_rbt_t *rbt, dns_name_t *name, dns_rbtnode_t **nodep) {
 				 * not-in-common part to be searched for
 				 * in the next level.
 				 */
-				result = dns_name_split(add_name,
-							common_labels,
-							common_bits,
-							add_name, NULL);
-
-				if (result != ISC_R_SUCCESS)
-					break;
+				dns_name_split(add_name, common_labels,
+					       add_name, NULL);
 
 				/*
 				 * Follow the down pointer (possibly NULL).
@@ -514,14 +525,10 @@ dns_rbt_addnode(dns_rbt_t *rbt, dns_name_t *name, dns_rbtnode_t **nodep) {
 				 * two names and a suffix that is the common
 				 * parts of them.
 				 */
-				result = dns_name_split(&current_name,
-							common_labels,
-							common_bits,
-							prefix, suffix);
-
-				if (result == ISC_R_SUCCESS)
-					result = create_node(rbt->mctx, suffix,
-							     &new_current);
+				dns_name_split(&current_name, common_labels,
+					       prefix, suffix);
+				result = create_node(rbt->mctx, suffix,
+						     &new_current);
 
 				if (result != ISC_R_SUCCESS)
 					break;
@@ -554,89 +561,6 @@ dns_rbt_addnode(dns_rbt_t *rbt, dns_name_t *name, dns_rbtnode_t **nodep) {
 				if (*root == current)
 					*root = new_current;
 
-				/*
-				 * Now make the new root of the subtree
-				 * as the not-in-common labels of the current
-				 * node, keeping the same memory location so
-				 * as not to break any external references to
-				 * the node.  The down pointer and name data
-				 * are preserved, while left and right
-				 * pointers are nullified when the node is
-				 * established as the start of the next level.
-				 *
-				 * The name stored at the node is effectively
-				 * truncated in place by setting the shorter
-				 * name length, moving the offsets to the
-				 * end of the truncated name, and then
-				 * updating PADBYTES to reflect the truncation.
-				 *
-				 * When bitstring labels are involved, things
-				 * are just a tad more complicated (aren't
-				 * they always?) because the splitting
-				 * has shifted the bits that this name needs
-				 * from the end of the label they were in
-				 * to either the beginning of the label or
-				 * even to the previous (lesser significance)
-				 * label if the split was done in a maximally
-				 * sized bitstring label.  The bit count has
-				 * been adjusted too, so there are convolutions
-				 * to deal with all the bit movement.  Yay,
-				 * I *love* bit labels.  Grumble grumble.
-				 */
-				if (common_bits > 0) {
-					unsigned char *p;
-					unsigned int skip_width;
-					unsigned int start_label =
-					    dns_name_countlabels(&current_name)
-						- common_labels;
-
-					/*
-					 * If it is not the first label which
-					 * was split, also copy the label
-					 * before it -- which will essentially
-					 * be a NO-OP unless the preceding
-					 * label is a bitstring and the split
-					 * label was 256 bits.  Testing for
-					 * that case is probably roughly
-					 * as expensive as just unconditionally
-					 * copying the preceding label.
-					 */
-					if (start_label > 0)
-						start_label--;
-
-					skip_width =
-						prefix->offsets[start_label];
-
-					memcpy(NAME(current) + skip_width,
-					       prefix->ndata + skip_width,
-					       prefix->length - skip_width);
-
-					/*
-					 * Now add_bits is set to the total
-					 * number of bits in the split label of
-					 * the name being added, and used later
-					 * to determine if the job was
-					 * completed by pushing the
-					 * not-in-common bits down one level.
-					 */
-					start_label =
-						dns_name_countlabels(add_name)
-						- common_labels;
-
-					p = add_name->ndata +
-						add_name->offsets[start_label];
-					INSIST(*p == DNS_LABELTYPE_BITSTRING);
-
-					add_bits = *(p + 1);
-
-					/*
-					 * A bitstring that was split would not
-					 * result in a part of maximal length.
-					 */
-					INSIST(add_bits != 0);
-				} else
-					add_bits = 0;
-
 				NAMELEN(current) = prefix->length;
 				OFFSETLEN(current) = prefix->labels;
 				memcpy(OFFSETS(current), prefix->offsets,
@@ -664,14 +588,10 @@ dns_rbt_addnode(dns_rbt_t *rbt, dns_name_t *name, dns_rbtnode_t **nodep) {
 				ATTRS(current) &= ~DNS_NAMEATTR_ABSOLUTE;
 
 				rbt->nodecount++;
-				result = dns_rbt_fullnamefromnode(new_current,
-								  new_name);
-				RUNTIME_CHECK(result == ISC_R_SUCCESS);
-				hash_node(rbt, new_current, new_name);
+				hash_node(rbt, new_current);
 
 				if (common_labels ==
-				    dns_name_countlabels(add_name) &&
-				    common_bits == add_bits) {
+				    dns_name_countlabels(add_name)) {
 					/*
 					 * The name has been added by pushing
 					 * the not-in-common parts down to
@@ -696,11 +616,9 @@ dns_rbt_addnode(dns_rbt_t *rbt, dns_name_t *name, dns_rbtnode_t **nodep) {
 					 * result != ISC_R_SUCCESS, which
 					 * is tested after the loop ends).
 					 */
-					result = dns_name_split(add_name,
-								common_labels,
-								common_bits,
-								add_name,
-								NULL);
+					dns_name_split(add_name, common_labels,
+						       add_name, NULL);
+
 					break;
 				}
 
@@ -717,7 +635,7 @@ dns_rbt_addnode(dns_rbt_t *rbt, dns_name_t *name, dns_rbtnode_t **nodep) {
 		dns_rbt_addonlevel(new_current, current, order, root);
 		rbt->nodecount++;
 		*nodep = new_current;
-		hash_node(rbt, new_current, name);
+		hash_node(rbt, new_current);
 	}
 
 	return (result);
@@ -768,8 +686,7 @@ dns_rbt_findnode(dns_rbt_t *rbt, dns_name_t *name, dns_name_t *foundname,
 	dns_fixedname_t fixedcallbackname, fixedsearchname;
 	dns_namereln_t compared;
 	isc_result_t result, saved_result;
-	unsigned int common_labels, common_bits;
-	unsigned int hlabels = 0;
+	unsigned int common_labels;
 	int order;
 
 	REQUIRE(VALID_RBT(rbt));
@@ -795,7 +712,7 @@ dns_rbt_findnode(dns_rbt_t *rbt, dns_name_t *name, dns_name_t *foundname,
 	else {
 		/*
 		 * Appease GCC about variables it incorrectly thinks are
-		 * possibly used unitialized.
+		 * possibly used uninitialized.
 		 */
 		compared = dns_namereln_none;
 		last_compared = NULL;
@@ -807,9 +724,9 @@ dns_rbt_findnode(dns_rbt_t *rbt, dns_name_t *name, dns_name_t *foundname,
 	/*
 	 * search_name is the name segment being sought in each tree level.
 	 * By using a fixedname, the search_name will definitely have offsets
-	 * and a buffer for use by any splitting that happens in the middle
-	 * of a bitstring label.  By using dns_name_clone, no name data is
-	 * copied unless a bitstring split occurs.
+	 * for use by any splitting.
+	 * By using dns_name_clone, no name data should be copied thanks to
+	 * the lack of bitstring labels.
 	 */
 	dns_fixedname_init(&fixedsearchname);
 	search_name = dns_fixedname_name(&fixedsearchname);
@@ -824,8 +741,7 @@ dns_rbt_findnode(dns_rbt_t *rbt, dns_name_t *name, dns_name_t *foundname,
 	while (current != NULL) {
 		NODENAME(current, &current_name);
 		compared = dns_name_fullcompare(search_name, &current_name,
-						&order,
-						&common_labels, &common_bits);
+						&order, &common_labels);
 		last_compared = current;
 
 		if (compared == dns_namereln_equal)
@@ -839,20 +755,22 @@ dns_rbt_findnode(dns_rbt_t *rbt, dns_name_t *name, dns_name_t *foundname,
 			unsigned int nlabels;
 			unsigned int tlabels = 1;
 			unsigned int hash;
-			isc_boolean_t has_bitstring = ISC_FALSE;
 
 			/*
 			 * If there is no hash table, hashing can't be done.
-			 * Similarly, when current != current_root, that
-			 * means a left or right pointer was followed, which
+			 */
+			if (rbt->hashtable == NULL)
+				goto nohash;
+
+			/*
+			 * The case of current != current_root, that
+			 * means a left or right pointer was followed,
 			 * only happens when the algorithm fell through to
 			 * the traditional binary search because of a
-			 * bitstring label, so that traditional search
-			 * should be continued.
+			 * bitstring label.  Since we dropped the bitstring
+			 * support, this should not happen.
 			 */
-			if (rbt->hashtable == NULL ||
-			    current != current_root)
-				goto nohash;
+			INSIST(current == current_root);
 
 			nlabels = dns_name_countlabels(search_name);
 
@@ -864,17 +782,11 @@ dns_rbt_findnode(dns_rbt_t *rbt, dns_name_t *name, dns_name_t *foundname,
 			dns_name_init(&hash_name, NULL);
 
 		hashagain:
-			/*
-			 * Hash includes tail.
-			 */
-			dns_name_getlabelsequence(name,
-						  nlabels - tlabels,
-						  hlabels + tlabels,
-						  &hash_name);
-			hash = dns_name_fullhash(&hash_name, ISC_FALSE);
 			dns_name_getlabelsequence(search_name,
 						  nlabels - tlabels,
 						  tlabels, &hash_name);
+			hash = HASHVAL(up_current) +
+			       dns_name_hashbylabel(&hash_name, ISC_FALSE);
 
 			for (hnode = rbt->hashtable[hash % rbt->hashsize];
 			     hnode != NULL;
@@ -909,46 +821,22 @@ dns_rbt_findnode(dns_rbt_t *rbt, dns_name_t *name, dns_name_t *foundname,
 					break;
 				} else {
 					common_labels = tlabels;
-					common_bits = 0;
 					compared = dns_namereln_subdomain;
 					goto subdomain;
 				}
 			}
 
-			/*
-			 * XXXDCL Bitstring labels complicate things, as usual.
-			 * Checking for the situation could be done up by the
-			 * dns_name_getlabelsequence so that they could still
-			 * use the hashing code, but it would be messy to
-			 * repeatedly try various bitstring lengths.  Instead
-			 * just notice when a bitstring label is involved and
-			 * then punt to the traditional binary search if no
-			 * hash node is found after all of the labels are
-			 * tried.
-			 */
-			if (has_bitstring == ISC_FALSE &&
-			    hash_name.ndata[0] ==
-			    DNS_LABELTYPE_BITSTRING)
-				has_bitstring = ISC_TRUE;
-
 			if (tlabels++ < nlabels)
 				goto hashagain;
 
 			/*
 			 * All of the labels have been tried against the hash
-			 * table.  If there wasn't a bitstring label involved,
-			 * the name isn't in the table.  If there was, fall
-			 * through to the traditional search algorithm.
+			 * table.  Since we dropped the support of bitstring
+			 * labels, the name isn't in the table.
 			 */
-			if (! has_bitstring) {
-				/*
-				 * Done with the search.
-				 */
-				current = NULL;
-				continue;
-			}
+			current = NULL;
+			continue;
 			    
-			/* FALLTHROUGH */
 		nohash:
 #endif /* DNS_RBT_USEHASH */
 			/*
@@ -973,17 +861,8 @@ dns_rbt_findnode(dns_rbt_t *rbt, dns_name_t *name, dns_name_t *foundname,
 				 * Whack off the current node's common parts
 				 * for the name to search in the next level.
 				 */
-				result = dns_name_split(search_name,
-							common_labels,
-							common_bits,
-							search_name, NULL);
-				if (result != ISC_R_SUCCESS) {
-					dns_rbtnodechain_reset(chain);
-					return (result);
-				}
-				hlabels += common_labels -
-					   (common_bits != 0 ? 1 : 0);
-
+				dns_name_split(search_name, common_labels,
+					       search_name, NULL);
 				/*
 				 * This might be the closest enclosing name.
 				 */
@@ -1195,8 +1074,7 @@ dns_rbt_findnode(dns_rbt_t *rbt, dns_name_t *name, dns_name_t *foundname,
 								search_name,
 								&current_name,
 								&order,
-								&common_labels,
-								&common_bits);
+								&common_labels);
 
 					last_compared = current;
 
@@ -1281,6 +1159,8 @@ dns_rbt_findnode(dns_rbt_t *rbt, dns_name_t *name, dns_name_t *foundname,
 		}
 	}
 
+	ENSURE(*node == NULL || DNS_RBTNODE_VALID(*node));
+
 	return (result);
 }
 
@@ -1381,14 +1261,15 @@ dns_rbt_deletename(dns_rbt_t *rbt, dns_name_t *name, isc_boolean_t recurse) {
  *
  * The one positive aspect of all of this is that joining used to have a
  * case where it might fail.  Without trying to join, now this function always
- * succeeds. It still returns isc_result_t, though, so the API wouldn't change.  */
+ * succeeds. It still returns isc_result_t, though, so the API wouldn't change.
+ */
 isc_result_t
 dns_rbt_deletenode(dns_rbt_t *rbt, dns_rbtnode_t *node, isc_boolean_t recurse)
 {
 	dns_rbtnode_t *parent;
 
 	REQUIRE(VALID_RBT(rbt));
-	REQUIRE(node != NULL);
+	REQUIRE(DNS_RBTNODE_VALID(node));
 
 	if (DOWN(node) != NULL) {
 		if (recurse)
@@ -1431,6 +1312,9 @@ dns_rbt_deletenode(dns_rbt_t *rbt, dns_rbtnode_t *node, isc_boolean_t recurse)
 		rbt->data_deleter(DATA(node), rbt->deleter_arg);
 
 	unhash_node(rbt, node);
+#if DNS_RBT_USEMAGIC
+	node->magic = 0;
+#endif
 	isc_mem_put(rbt->mctx, node, NODE_SIZE(node));
 	rbt->nodecount--;
 
@@ -1466,7 +1350,7 @@ dns_rbt_deletenode(dns_rbt_t *rbt, dns_rbtnode_t *node, isc_boolean_t recurse)
 void
 dns_rbt_namefromnode(dns_rbtnode_t *node, dns_name_t *name) {
 
-	REQUIRE(node != NULL);
+	REQUIRE(DNS_RBTNODE_VALID(node));
 	REQUIRE(name != NULL);
 	REQUIRE(name->offsets == NULL);
 
@@ -1478,7 +1362,7 @@ dns_rbt_fullnamefromnode(dns_rbtnode_t *node, dns_name_t *name) {
 	dns_name_t current;
 	isc_result_t result;
 
-	REQUIRE(node != NULL);
+	REQUIRE(DNS_RBTNODE_VALID(node));
 	REQUIRE(name != NULL);
 	REQUIRE(name->buffer != NULL);
 
@@ -1507,7 +1391,7 @@ dns_rbt_formatnodename(dns_rbtnode_t *node, char *printname, unsigned int size)
 	dns_name_t *name;
 	isc_result_t result;
 
-	REQUIRE(node != NULL);
+	REQUIRE(DNS_RBTNODE_VALID(node));
 	REQUIRE(printname != NULL);
 
 	dns_fixedname_init(&fixedname);
@@ -1581,6 +1465,9 @@ create_node(isc_mem_t *mctx, dns_name_t *name, dns_rbtnode_t **nodep) {
 	memcpy(NAME(node), region.base, region.length);
 	memcpy(OFFSETS(node), name->offsets, labels);
 
+#if DNS_RBT_USEMAGIC
+	node->magic = DNS_RBTNODE_MAGIC;
+#endif
 	*nodep = node;
 
 	return (ISC_R_SUCCESS);
@@ -1588,10 +1475,10 @@ create_node(isc_mem_t *mctx, dns_name_t *name, dns_rbtnode_t **nodep) {
 
 #ifdef DNS_RBT_USEHASH
 static inline void
-hash_add_node(dns_rbt_t *rbt, dns_rbtnode_t *node, dns_name_t *name) {
+hash_add_node(dns_rbt_t *rbt, dns_rbtnode_t *node) {
 	unsigned int hash;
 
-	HASHVAL(node) = dns_name_fullhash(name, ISC_FALSE);
+	compute_node_hash(node);
 
 	hash = HASHVAL(node) % rbt->hashsize;
 	HASHNEXT(node) = rbt->hashtable[hash];
@@ -1647,17 +1534,19 @@ rehash(dns_rbt_t *rbt) {
 			node = oldtable[i];
 		}
 	}
-	
+
 	isc_mem_put(rbt->mctx, oldtable, oldsize * sizeof(dns_rbtnode_t *));
 }
 
 static inline void
-hash_node(dns_rbt_t *rbt, dns_rbtnode_t *node, dns_name_t *name) {
+hash_node(dns_rbt_t *rbt, dns_rbtnode_t *node) {
+
+	REQUIRE(DNS_RBTNODE_VALID(node));
 
-	if (rbt->nodecount >= (rbt->hashsize * 3))
+	if (rbt->nodecount >= (rbt->hashsize *3))
 		rehash(rbt);
 
-	hash_add_node(rbt, node, name);
+	hash_add_node(rbt, node);
 }
 
 static inline void
@@ -1665,6 +1554,8 @@ unhash_node(dns_rbt_t *rbt, dns_rbtnode_t *node) {
 	unsigned int bucket;
 	dns_rbtnode_t *bucket_node;
 
+	REQUIRE(DNS_RBTNODE_VALID(node));
+
 	if (rbt->hashtable != NULL) {
 		bucket = HASHVAL(node) % rbt->hashsize;
 		bucket_node = rbt->hashtable[bucket];
@@ -1686,7 +1577,7 @@ static inline void
 rotate_left(dns_rbtnode_t *node, dns_rbtnode_t **rootp) {
 	dns_rbtnode_t *child;
 
-	REQUIRE(node != NULL);
+	REQUIRE(DNS_RBTNODE_VALID(node));
 	REQUIRE(rootp != NULL);
 
 	child = RIGHT(node);
@@ -1719,7 +1610,7 @@ static inline void
 rotate_right(dns_rbtnode_t *node, dns_rbtnode_t **rootp) {
 	dns_rbtnode_t *child;
 
-	REQUIRE(node != NULL);
+	REQUIRE(DNS_RBTNODE_VALID(node));
 	REQUIRE(rootp != NULL);
 
 	child = LEFT(node);
@@ -1761,7 +1652,8 @@ dns_rbt_addonlevel(dns_rbtnode_t *node, dns_rbtnode_t *current, int order,
 	dns_offsets_t add_offsets, current_offsets;
 
 	REQUIRE(rootp != NULL);
-	REQUIRE(node != NULL && LEFT(node) == NULL && RIGHT(node) == NULL);
+	REQUIRE(DNS_RBTNODE_VALID(node) && LEFT(node) == NULL &&
+		RIGHT(node) == NULL);
 	REQUIRE(current != NULL);
 
 	root = *rootp;
@@ -1894,7 +1786,6 @@ dns_rbt_deletefromlevel(dns_rbtnode_t *delete, dns_rbtnode_t **rootp) {
 		 * This node has one child, on the left.
 		 */
 		child = LEFT(delete);
-
 	else {
 		dns_rbtnode_t holder, *tmp = &holder;
 
@@ -1915,7 +1806,8 @@ dns_rbt_deletefromlevel(dns_rbtnode_t *delete, dns_rbtnode_t **rootp) {
 		if (RIGHT(successor) != NULL)
 			child = RIGHT(successor);
 
-		/* Swap the two nodes; it would be simpler to just replace
+		/*
+		 * Swap the two nodes; it would be simpler to just replace
 		 * the value being deleted with that of the successor,
 		 * but this rigamarole is done so the caller has complete
 		 * control over the pointers (and memory allocation) of
@@ -2129,14 +2021,13 @@ dns_rbt_deletetree(dns_rbt_t *rbt, dns_rbtnode_t *node) {
  done:
 	if (result != ISC_R_SUCCESS)
 		return (result);
+	if (rbt->quantum != 0 && --rbt->quantum == 0)
+		return (ISC_R_QUOTA);
 
 	if (DATA(node) != NULL && rbt->data_deleter != NULL)
 		rbt->data_deleter(DATA(node), rbt->deleter_arg);
 
-	/*
-	 * Note: we don't call unhash_node() here as we are destroying
-	 * the complete rbt tree. 
-         */
+	unhash_node(rbt, node);
 #if DNS_RBT_USEMAGIC
 	node->magic = 0;
 #endif
@@ -2146,9 +2037,7 @@ dns_rbt_deletetree(dns_rbt_t *rbt, dns_rbtnode_t *node) {
 }
 
 static void
-dns_rbt_deletetreeflat(dns_rbt_t *rbt, unsigned int quantum,
-		       dns_rbtnode_t **nodep)
-{
+dns_rbt_deletetreeflat(dns_rbt_t *rbt, dns_rbtnode_t **nodep) {
 	dns_rbtnode_t *parent;
 	dns_rbtnode_t *node = *nodep;
 	REQUIRE(VALID_RBT(rbt));
@@ -2177,6 +2066,9 @@ dns_rbt_deletetreeflat(dns_rbt_t *rbt, unsigned int quantum,
 		rbt->data_deleter(DATA(node), rbt->deleter_arg);
 
 	unhash_node(rbt, node);
+#if DNS_RBT_USEMAGIC
+	node->magic = 0;
+#endif
 	parent = PARENT(node);
 	if (parent != NULL) {
 		if (LEFT(parent) == node)
@@ -2189,7 +2081,7 @@ dns_rbt_deletetreeflat(dns_rbt_t *rbt, unsigned int quantum,
 	isc_mem_put(rbt->mctx, node, NODE_SIZE(node));
 	rbt->nodecount--;
 	node = parent;
-	if (quantum != 0 && --quantum == 0) {
+	if (rbt->quantum != 0 && --rbt->quantum == 0) {
 		*nodep = node;
 		return;
 	}
@@ -2206,10 +2098,9 @@ dns_rbt_indent(int depth) {
 
 static void
 dns_rbt_printnodename(dns_rbtnode_t *node) {
-	isc_buffer_t target;
 	isc_region_t r;
 	dns_name_t name;
-	char buffer[1024];
+	char buffer[DNS_NAME_FORMATSIZE];
 	dns_offsets_t offsets;
 
 	r.length = NAMELEN(node);
@@ -2218,14 +2109,9 @@ dns_rbt_printnodename(dns_rbtnode_t *node) {
 	dns_name_init(&name, offsets);
 	dns_name_fromregion(&name, &r);
 
-	isc_buffer_init(&target, buffer, 255);
-
-	/*
-	 * ISC_FALSE means absolute names have the final dot added.
-	 */
-	dns_name_totext(&name, ISC_FALSE, &target);
+	dns_name_format(&name, buffer, sizeof(buffer));
 
-	printf("%.*s", (int)target.used, (char *)target.base);
+	printf("%s", buffer);
 }
 
 static void
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index b8297e07..cd01acb9 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rbtdb.c,v 1.168.2.28 2007/02/06 00:01:22 marka Exp $ */
+/* $Id: rbtdb.c,v 1.168.2.11.2.12 2004/03/08 02:07:55 marka Exp $ */
 
 /*
  * Principal Author: Bob Halley
@@ -69,14 +69,13 @@
 
 #ifdef DNS_RBTDB_VERSION64
 typedef isc_uint64_t			rbtdb_serial_t;
-/*%
+/*
  * Make casting easier in symbolic debuggers by using different names
  * for the 64 bit version.
  */
 #define dns_rbtdb_t dns_rbtdb64_t
 #define rdatasetheader_t rdatasetheader64_t
 #define rbtdb_version_t rbtdb_version64_t
-#define rbtdb_search_t rbtdb_search64_t
 #else
 typedef isc_uint32_t			rbtdb_serial_t;
 #endif
@@ -87,22 +86,22 @@ typedef isc_uint32_t			rbtdb_rdatatype_t;
 #define RBTDB_RDATATYPE_EXT(type)	((dns_rdatatype_t)((type) >> 16))
 #define RBTDB_RDATATYPE_VALUE(b, e)	(((e) << 16) | (b))
 
-#define RBTDB_RDATATYPE_SIGNXT \
-		RBTDB_RDATATYPE_VALUE(dns_rdatatype_sig, dns_rdatatype_nxt)
+#define RBTDB_RDATATYPE_SIGNSEC \
+		RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_nsec)
 #define RBTDB_RDATATYPE_SIGNS \
-		RBTDB_RDATATYPE_VALUE(dns_rdatatype_sig, dns_rdatatype_ns)
+		RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_ns)
 #define RBTDB_RDATATYPE_SIGCNAME \
-		RBTDB_RDATATYPE_VALUE(dns_rdatatype_sig, dns_rdatatype_cname)
+		RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_cname)
 #define RBTDB_RDATATYPE_SIGDNAME \
-		RBTDB_RDATATYPE_VALUE(dns_rdatatype_sig, dns_rdatatype_dname)
+		RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_dname)
 #define RBTDB_RDATATYPE_NCACHEANY \
 		RBTDB_RDATATYPE_VALUE(0, dns_rdatatype_any)
 
-/*
- * Allow clients with a virtual time of upto 5 minutes in the past to see
- * records that would have otherwise have expired.
- */
-#define RBTDB_VIRTUAL 300
+struct noqname {
+	dns_name_t name;
+	void *	   nsec;
+	void *	   nsecsig;
+};
 
 typedef struct rdatasetheader {
 	/*
@@ -113,12 +112,34 @@ typedef struct rdatasetheader {
 	rbtdb_rdatatype_t		type;
 	isc_uint16_t			attributes;
 	dns_trust_t			trust;
+	struct noqname			*noqname;
 	/*
 	 * We don't use the LIST macros, because the LIST structure has
 	 * both head and tail pointers, and is doubly linked.
 	 */
+
 	struct rdatasetheader		*next;
+	/*
+	 * If this is the top header for an rdataset, 'next' points
+	 * to the top header for the next rdataset (i.e., the next type).
+	 * Otherwise, it points up to the header whose down pointer points
+	 * at this header.
+	 */
+	  
 	struct rdatasetheader		*down;
+	/*
+	 * Points to the header for the next older version of
+	 * this rdataset.
+	 */
+
+	isc_uint32_t			count;
+	/*
+	 * Monotonously increased every time this rdataset is bound so that
+	 * it is used as the base of the starting point in DNS responses
+	 * when the "cyclic" rrset-order is required.  Since the ordering
+	 * should not be so crucial, no lock is set for the counter for
+	 * performance reasons.
+	 */
 } rdatasetheader_t;
 
 #define RDATASET_ATTR_NONEXISTENT	0x0001
@@ -239,6 +260,10 @@ static isc_result_t rdataset_next(dns_rdataset_t *rdataset);
 static void rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata);
 static void rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target);
 static unsigned int rdataset_count(dns_rdataset_t *rdataset);
+static isc_result_t rdataset_getnoqname(dns_rdataset_t *rdataset,
+				        dns_name_t *name,
+					dns_rdataset_t *nsec,
+					dns_rdataset_t *nsecsig);
 
 static dns_rdatasetmethods_t rdataset_methods = {
 	rdataset_disassociate,
@@ -246,7 +271,9 @@ static dns_rdatasetmethods_t rdataset_methods = {
 	rdataset_next,
 	rdataset_current,
 	rdataset_clone,
-	rdataset_count
+	rdataset_count,
+	NULL,
+	rdataset_getnoqname
 };
 
 static void rdatasetiter_destroy(dns_rdatasetiter_t **iteratorp);
@@ -382,17 +409,17 @@ free_rbtdb(dns_rbtdb_t *rbtdb, isc_boolean_t log, isc_event_t *event) {
 
 	if (rbtdb->current_version != NULL)
 		isc_mem_put(rbtdb->common.mctx, rbtdb->current_version,
-			    sizeof (rbtdb_version_t));
+			    sizeof(rbtdb_version_t));
  again:
 	if (rbtdb->tree != NULL) {
 		result = dns_rbt_destroy2(&rbtdb->tree,
-					  (rbtdb->task != NULL) ? 1000 : 0);
+					  (rbtdb->task != NULL) ? 5 : 0);
 		if (result == ISC_R_QUOTA) {
 			INSIST(rbtdb->task != NULL);
 			if (event == NULL)
 				event = isc_event_allocate(rbtdb->common.mctx,
 							   NULL,
-							 DNS_EVENT_FREESTORAGE,
+						         DNS_EVENT_FREESTORAGE,
 							   free_rbtdb_callback,
 							   rbtdb,
 							   sizeof(isc_event_t));
@@ -420,7 +447,7 @@ free_rbtdb(dns_rbtdb_t *rbtdb, isc_boolean_t log, isc_event_t *event) {
 	for (i = 0; i < rbtdb->node_lock_count; i++)
 		DESTROYLOCK(&rbtdb->node_locks[i].lock);
 	isc_mem_put(rbtdb->common.mctx, rbtdb->node_locks,
-		    rbtdb->node_lock_count * sizeof (rbtdb_nodelock_t));
+		    rbtdb->node_lock_count * sizeof(rbtdb_nodelock_t));
 	isc_rwlock_destroy(&rbtdb->tree_lock);
 	isc_refcount_destroy(&rbtdb->references);
 	if (rbtdb->task != NULL)
@@ -512,7 +539,7 @@ allocate_version(isc_mem_t *mctx, rbtdb_serial_t serial,
 {
 	rbtdb_version_t *version;
 
-	version = isc_mem_get(mctx, sizeof *version);
+	version = isc_mem_get(mctx, sizeof(*version));
 	if (version == NULL)
 		return (NULL);
 	version->serial = serial;
@@ -583,7 +610,7 @@ add_changed(dns_rbtdb_t *rbtdb, rbtdb_version_t *version,
 	 * Caller must be holding the node lock.
 	 */
 
-	changed = isc_mem_get(rbtdb->common.mctx, sizeof *changed);
+	changed = isc_mem_get(rbtdb->common.mctx, sizeof(*changed));
 
 	LOCK(&rbtdb->lock);
 
@@ -605,14 +632,32 @@ add_changed(dns_rbtdb_t *rbtdb, rbtdb_version_t *version,
 }
 
 static inline void
+free_noqname(isc_mem_t *mctx, struct noqname **noqname) {
+
+	if (dns_name_dynamic(&(*noqname)->name))
+		dns_name_free(&(*noqname)->name, mctx);
+	if ((*noqname)->nsec != NULL)
+		isc_mem_put(mctx, (*noqname)->nsec,
+			    dns_rdataslab_size((*noqname)->nsec, 0));
+	if ((*noqname)->nsec != NULL)
+		isc_mem_put(mctx, (*noqname)->nsecsig,
+			    dns_rdataslab_size((*noqname)->nsecsig, 0));
+	isc_mem_put(mctx, *noqname, sizeof(**noqname));
+	*noqname = NULL;
+}
+
+static inline void
 free_rdataset(isc_mem_t *mctx, rdatasetheader_t *rdataset) {
 	unsigned int size;
 
+	if (rdataset->noqname != NULL)
+		free_noqname(mctx, &rdataset->noqname);
+	
 	if ((rdataset->attributes & RDATASET_ATTR_NONEXISTENT) != 0)
-		size = sizeof *rdataset;
+		size = sizeof(*rdataset);
 	else
 		size = dns_rdataslab_size((unsigned char *)rdataset,
-					  sizeof *rdataset);
+					  sizeof(*rdataset));
 	isc_mem_put(mctx, rdataset, size);
 }
 
@@ -961,47 +1006,6 @@ cleanup_nondirty(rbtdb_version_t *version, rbtdb_changedlist_t *cleanup_list) {
 	}
 }
 
-static isc_boolean_t
-iszonesecure(dns_db_t *db, dns_dbnode_t *origin) {
-	dns_rdataset_t keyset;
-	dns_rdataset_t nxtset, signxtset;
-	isc_boolean_t haszonekey = ISC_FALSE;
-	isc_boolean_t hasnxt = ISC_FALSE;
-	isc_result_t result;
-
-	dns_rdataset_init(&keyset);
-	result = dns_db_findrdataset(db, origin, NULL, dns_rdatatype_key, 0,
-				     0, &keyset, NULL);
-	if (result == ISC_R_SUCCESS) {
-		dns_rdata_t keyrdata = DNS_RDATA_INIT;
-		result = dns_rdataset_first(&keyset);
-		while (result == ISC_R_SUCCESS) {
-			dns_rdataset_current(&keyset, &keyrdata);
-			if (dns_zonekey_iszonekey(&keyrdata)) {
-				haszonekey = ISC_TRUE;
-				break;
-			}
-			result = dns_rdataset_next(&keyset);
-		}
-		dns_rdataset_disassociate(&keyset);
-	}
-	if (!haszonekey)
-		return (ISC_FALSE);
-
-	dns_rdataset_init(&nxtset);
-	dns_rdataset_init(&signxtset);
-	result = dns_db_findrdataset(db, origin, NULL, dns_rdatatype_nxt, 0,
-				     0, &nxtset, &signxtset);
-	if (result == ISC_R_SUCCESS) {
-		if (dns_rdataset_isassociated(&signxtset)) {
-			hasnxt = ISC_TRUE;
-			dns_rdataset_disassociate(&signxtset);
-		}
-		dns_rdataset_disassociate(&nxtset);
-	}
-	return (hasnxt);
-}
-
 static void
 closeversion(dns_db_t *db, dns_dbversion_t **versionp, isc_boolean_t commit) {
 	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
@@ -1058,13 +1062,9 @@ closeversion(dns_db_t *db, dns_dbversion_t **versionp, isc_boolean_t commit) {
 				 * isn't being used by anyone, we can clean
 				 * it up.
 				 */
-				if (rbtdb->current_version->references == 0) {
+				if (rbtdb->current_version->references == 0)
 					cleanup_version =
 						rbtdb->current_version;
-					APPENDLIST(version->changed_list,
-						 cleanup_version->changed_list,
-						   link);
-				}
 				/*
 				 * Become the current version.
 				 */
@@ -1077,7 +1077,6 @@ closeversion(dns_db_t *db, dns_dbversion_t **versionp, isc_boolean_t commit) {
 				 * We're rolling back this transaction.
 				 */
 				cleanup_list = version->changed_list;
-				ISC_LIST_INIT(version->changed_list);
 				rollback = ISC_TRUE;
 				cleanup_version = version;
 				rbtdb->future_version = NULL;
@@ -1098,7 +1097,6 @@ closeversion(dns_db_t *db, dns_dbversion_t **versionp, isc_boolean_t commit) {
 				if (least_greater == NULL)
 					least_greater = rbtdb->current_version;
 
-				INSIST(version->serial < least_greater->serial);
 				/*
 				 * Is this the least open version?
 				 */
@@ -1119,25 +1117,16 @@ closeversion(dns_db_t *db, dns_dbversion_t **versionp, isc_boolean_t commit) {
 						   version->changed_list,
 						   link);
 				}
-			} else if (version->serial == rbtdb->least_serial)
-				INSIST(EMPTY(version->changed_list));
+			}
 			UNLINK(rbtdb->open_versions, version, link);
 		}
 	}
 	least_serial = rbtdb->least_serial;
 	UNLOCK(&rbtdb->lock);
 
-	/*
-	 * Update the zone's secure status.
-	 */
-	if (version->writer && commit && !IS_CACHE(rbtdb))
-		rbtdb->secure = iszonesecure(db, rbtdb->origin_node);
-
-	if (cleanup_version != NULL) {
-		INSIST(EMPTY(cleanup_version->changed_list));
+	if (cleanup_version != NULL)
 		isc_mem_put(rbtdb->common.mctx, cleanup_version,
-			    sizeof *cleanup_version);
-	}
+			    sizeof(*cleanup_version));
 
 	if (!EMPTY(cleanup_list)) {
 		for (changed = HEAD(cleanup_list);
@@ -1161,7 +1150,7 @@ closeversion(dns_db_t *db, dns_dbversion_t **versionp, isc_boolean_t commit) {
 			UNLOCK(lock);
 
 			isc_mem_put(rbtdb->common.mctx, changed,
-				    sizeof *changed);
+				    sizeof(*changed));
 		}
 	}
 
@@ -1462,12 +1451,22 @@ bind_rdataset(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
 	rdataset->private2 = node;
 	raw = (unsigned char *)header + sizeof(*header);
 	rdataset->private3 = raw;
-	
+	rdataset->count = header->count++;
+	if (header->count == ISC_UINT32_MAX)
+		header->count = 0;
+
 	/*
 	 * Reset iterator state.
 	 */
 	rdataset->privateuint4 = 0;
 	rdataset->private5 = NULL;
+
+	/*
+	 * Add noqname proof.
+	 */
+	rdataset->private6 = header->noqname;
+	if (rdataset->private6 != NULL)
+		rdataset->attributes |=  DNS_RDATASETATTR_NOQNAME;
 }
 
 static inline isc_result_t
@@ -1490,7 +1489,7 @@ setup_delegation(rbtdb_search_t *search, dns_dbnode_t **nodep,
 	/*
 	 * If we have to set foundname, we do it before anything else.
 	 * If we were to set foundname after we had set nodep or bound the
-	 * rdataset, then we'd have to undo that work if dns_name_concatenate()
+	 * rdataset, then we'd have to undo that work if dns_name_copy()
 	 * failed.  By setting foundname first, there's nothing to undo if
 	 * we have trouble.
 	 */
@@ -1556,7 +1555,7 @@ valid_glue(rbtdb_search_t *search, dns_name_t *name, rbtdb_rdatatype_t type,
 	}
 
 	header = search->zonecut_rdataset;
-	raw = (unsigned char *)header + sizeof *header;
+	raw = (unsigned char *)header + sizeof(*header);
 	count = raw[0] * 256 + raw[1];
 	raw += 2;
 
@@ -1893,9 +1892,9 @@ find_wildcard(rbtdb_search_t *search, dns_rbtnode_t **nodep,
 }
 
 static inline isc_result_t
-find_closest_nxt(rbtdb_search_t *search, dns_dbnode_t **nodep,
-		 dns_name_t *foundname, dns_rdataset_t *rdataset,
-		 dns_rdataset_t *sigrdataset)
+find_closest_nsec(rbtdb_search_t *search, dns_dbnode_t **nodep,
+		  dns_name_t *foundname, dns_rdataset_t *rdataset,
+		  dns_rdataset_t *sigrdataset, isc_boolean_t need_sig)
 {
 	dns_rbtnode_t *node;
 	rdatasetheader_t *header, *header_next, *found, *foundsig;
@@ -1923,7 +1922,7 @@ find_closest_nxt(rbtdb_search_t *search, dns_dbnode_t **nodep,
 		     header = header_next) {
 			header_next = header->next;
 			/*
-			 * Look for an active, extant NXT or SIG NXT.
+			 * Look for an active, extant NSEC or RRSIG NSEC.
 			 */
 			do {
 				if (header->serial <= search->serial &&
@@ -1945,12 +1944,12 @@ find_closest_nxt(rbtdb_search_t *search, dns_dbnode_t **nodep,
 				 * active rdataset at this node.
 				 */
 				empty_node = ISC_FALSE;
-				if (header->type == dns_rdatatype_nxt) {
+				if (header->type == dns_rdatatype_nsec) {
 					found = header;
 					if (foundsig != NULL)
 						break;
 				} else if (header->type ==
-					   RBTDB_RDATATYPE_SIGNXT) {
+					   RBTDB_RDATATYPE_SIGNSEC) {
 					foundsig = header;
 					if (found != NULL)
 						break;
@@ -1958,12 +1957,14 @@ find_closest_nxt(rbtdb_search_t *search, dns_dbnode_t **nodep,
 			}
 		}
 		if (!empty_node) {
-			if (found != NULL && foundsig != NULL) {
+			if (found != NULL &&
+			    (foundsig != NULL || !need_sig))
+			{
 				/*
-				 * We've found the right NXT record.
+				 * We've found the right NSEC record.
 				 *
 				 * Note: for this to really be the right
-				 * NXT record, it's essential that the NXT
+				 * NSEC record, it's essential that the NSEC
 				 * records of any nodes obscured by a zone
 				 * cut have been removed; we assume this is
 				 * the case.
@@ -1979,14 +1980,17 @@ find_closest_nxt(rbtdb_search_t *search, dns_dbnode_t **nodep,
 					bind_rdataset(search->rbtdb, node,
 						      found, search->now,
 						      rdataset);
-					bind_rdataset(search->rbtdb, node,
-						      foundsig, search->now,
-						      sigrdataset);
+					if (foundsig != NULL)
+						bind_rdataset(search->rbtdb,
+							      node,
+							      foundsig,
+							      search->now,
+							      sigrdataset);
 				}
 			} else if (found == NULL && foundsig == NULL) {
 				/*
-				 * This node is active, but has no NXT or
-				 * SIG NXT.  That means it's glue or
+				 * This node is active, but has no NSEC or
+				 * RRSIG NSEC.  That means it's glue or
 				 * other obscured zone data that isn't
 				 * relevant for our search.  Treat the
 				 * node as if it were empty and keep looking.
@@ -1997,7 +2001,7 @@ find_closest_nxt(rbtdb_search_t *search, dns_dbnode_t **nodep,
 			} else {
 				/*
 				 * We found an active node, but either the
-				 * NXT or the SIG NXT is missing.  This
+				 * NSEC or the RRSIG NSEC is missing.  This
 				 * shouldn't happen.
 				 */
 				result = DNS_R_BADDB;
@@ -2015,7 +2019,7 @@ find_closest_nxt(rbtdb_search_t *search, dns_dbnode_t **nodep,
 
 	/*
 	 * If the result is ISC_R_NOMORE, then we got to the beginning of
-	 * the database and didn't find a NXT record.  This shouldn't
+	 * the database and didn't find a NSEC record.  This shouldn't
 	 * happen.
 	 */
 	if (result == ISC_R_NOMORE)
@@ -2040,8 +2044,8 @@ zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 	isc_boolean_t wild;
 	isc_boolean_t empty_node;
 	isc_mutex_t *lock;
-	rdatasetheader_t *header, *header_next, *found, *nxtheader;
-	rdatasetheader_t *foundsig, *cnamesig, *nxtsig;
+	rdatasetheader_t *header, *header_next, *found, *nsecheader;
+	rdatasetheader_t *foundsig, *cnamesig, *nsecsig;
 	rbtdb_rdatatype_t sigtype;
 	isc_boolean_t active;
 	dns_rbtnodechain_t chain;
@@ -2126,9 +2130,12 @@ zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 		 * If we're here, then the name does not exist, is not
 		 * beneath a zonecut, and there's no matching wildcard.
 		 */
-		if (search.rbtdb->secure) {
-			result = find_closest_nxt(&search, nodep, foundname,
-						  rdataset, sigrdataset);
+		if (search.rbtdb->secure ||
+		    (search.options & DNS_DBFIND_FORCENSEC) != 0)
+		{
+			result = find_closest_nsec(&search, nodep, foundname,
+						  rdataset, sigrdataset,
+						  search.rbtdb->secure);
 			if (result == ISC_R_SUCCESS)
 				result = active ? DNS_R_EMPTYNAME :
 						  DNS_R_NXDOMAIN;
@@ -2157,7 +2164,8 @@ zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 		 */
 		if (node->find_callback &&
 		    (node != search.rbtdb->origin_node ||
-		     IS_STUB(search.rbtdb)))
+		     IS_STUB(search.rbtdb)) &&
+		    !dns_rdatatype_atparent(type))
 			maybe_zonecut = ISC_TRUE;
 	}
 
@@ -2165,10 +2173,10 @@ zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 	 * Certain DNSSEC types are not subject to CNAME matching
 	 * (RFC 2535, section 2.3.5).
 	 *
-	 * We don't check for SIG, because we don't store SIG records
+	 * We don't check for RRSIG, because we don't store RRSIG records
 	 * directly.
 	 */
-	if (type == dns_rdatatype_key || type == dns_rdatatype_nxt)
+	if (type == dns_rdatatype_dnskey || type == dns_rdatatype_nsec)
 		cname_ok = ISC_FALSE;
 
 	/*
@@ -2179,9 +2187,9 @@ zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 
 	found = NULL;
 	foundsig = NULL;
-	sigtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_sig, type);
-	nxtheader = NULL;
-	nxtsig = NULL;
+	sigtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, type);
+	nsecheader = NULL;
+	nsecsig = NULL;
 	cnamesig = NULL;
 	empty_node = ISC_TRUE;
 	for (header = node->data; header != NULL; header = header_next) {
@@ -2228,8 +2236,8 @@ zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 				maybe_zonecut = ISC_FALSE;
 				at_zonecut = ISC_TRUE;
 				if ((search.options & DNS_DBFIND_GLUEOK) == 0
-				    && type != dns_rdatatype_nxt
-				    && type != dns_rdatatype_key) {
+				    && type != dns_rdatatype_nsec
+				    && type != dns_rdatatype_dnskey) {
 					/*
 					 * Glue is not OK, but any answer we
 					 * could return would be glue.  Return
@@ -2260,7 +2268,7 @@ zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 					 * We may be finding a CNAME instead
 					 * of the desired type.
 					 *
-					 * If we've already got the CNAME SIG,
+					 * If we've already got the CNAME RRSIG,
 					 * use it, otherwise change sigtype
 					 * so that we find it.
 					 */
@@ -2277,7 +2285,7 @@ zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 					break;
 			} else if (header->type == sigtype) {
 				/*
-				 * We've found the SIG rdataset for our
+				 * We've found the RRSIG rdataset for our
 				 * target type.  Remember it.
 				 */
 				foundsig = header;
@@ -2286,19 +2294,19 @@ zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 				 */
 				if (!maybe_zonecut && found != NULL)
 					break;
-			} else if (header->type == dns_rdatatype_nxt) {
+			} else if (header->type == dns_rdatatype_nsec) {
 				/*
-				 * Remember a NXT rdataset even if we're
+				 * Remember a NSEC rdataset even if we're
 				 * not specifically looking for it, because
 				 * we might need it later.
 				 */
-				nxtheader = header;
-			} else if (header->type == RBTDB_RDATATYPE_SIGNXT) {
+				nsecheader = header;
+			} else if (header->type == RBTDB_RDATATYPE_SIGNSEC) {
 				/*
-				 * If we need the NXT rdataset, we'll also
+				 * If we need the NSEC rdataset, we'll also
 				 * need its signature.
 				 */
-				nxtsig = header;
+				nsecsig = header;
 			} else if (cname_ok &&
 				   header->type == RBTDB_RDATATYPE_SIGCNAME) {
 				/*
@@ -2344,32 +2352,49 @@ zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 		 */
 		result = DNS_R_NXRRSET;
 		if (search.rbtdb->secure &&
-		    (nxtheader == NULL || nxtsig == NULL)) {
+		    (nsecheader == NULL || nsecsig == NULL)) {
 			/*
-			 * The zone is secure but there's no NXT,
-			 * or the NXT has no signature!
+			 * The zone is secure but there's no NSEC,
+			 * or the NSEC has no signature!
 			 */
 			if (!wild) {
 				result = DNS_R_BADDB;
 				goto node_exit;
 			}
+			
 			UNLOCK(&(search.rbtdb->node_locks[node->locknum].lock));
-			result = find_closest_nxt(&search, nodep, foundname,
-						  rdataset, sigrdataset);
+			result = find_closest_nsec(&search, nodep, foundname,
+						  rdataset, sigrdataset,
+						  search.rbtdb->secure);
 			if (result == ISC_R_SUCCESS)
 				result = DNS_R_EMPTYWILD;
 			goto tree_exit;
 		}
+		if ((search.options & DNS_DBFIND_FORCENSEC) != 0 &&
+		    nsecheader == NULL)
+		{
+			/*
+			 * There's no NSEC record, and we were told
+			 * to find one.
+			 */
+			result = DNS_R_BADDB;
+			goto node_exit;
+		}
 		if (nodep != NULL) {
 			new_reference(search.rbtdb, node);
 			*nodep = node;
 		}
-		if (search.rbtdb->secure) {
-			bind_rdataset(search.rbtdb, node, nxtheader,
+		if (search.rbtdb->secure ||
+		    (search.options & DNS_DBFIND_FORCENSEC) != 0)
+		{
+			bind_rdataset(search.rbtdb, node, nsecheader,
 				      0, rdataset);
-			bind_rdataset(search.rbtdb, node, nxtsig,
-				      0, sigrdataset);
+			if (nsecsig != NULL)
+				bind_rdataset(search.rbtdb, node,
+					      nsecsig, 0, sigrdataset);
 		}
+		if (wild)
+			foundname->attributes |= DNS_NAMEATTR_WILDCARD;
 		goto node_exit;
 	}
 
@@ -2390,11 +2415,11 @@ zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 		/*
 		 * If we're beneath a zone cut, we must indicate that the
 		 * result is glue, unless we're actually at the zone cut
-		 * and the type is NXT or KEY.
+		 * and the type is NSEC or KEY.
 		 */
 		if (search.zonecut == node) {
-			if (type == dns_rdatatype_nxt ||
-			    type == dns_rdatatype_key)
+			if (type == dns_rdatatype_nsec ||
+			    type == dns_rdatatype_dnskey)
 				result = ISC_R_SUCCESS;
 			else if (type == dns_rdatatype_any)
 				result = DNS_R_ZONECUT;
@@ -2439,6 +2464,9 @@ zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 				      sigrdataset);
 	}
 
+	if (wild)
+		foundname->attributes |= DNS_NAMEATTR_WILDCARD;
+
  node_exit:
 	UNLOCK(&(search.rbtdb->node_locks[node->locknum].lock));
 
@@ -2510,7 +2538,7 @@ cache_zonecut_callback(dns_rbtnode_t *node, dns_name_t *name, void *arg) {
 	LOCK(&(search->rbtdb->node_locks[node->locknum].lock));
 
 	/*
-	 * Look for a DNAME or SIG DNAME rdataset.
+	 * Look for a DNAME or RRSIG DNAME rdataset.
 	 */
 	dname_header = NULL;
 	sigdname_header = NULL;
@@ -2525,9 +2553,7 @@ cache_zonecut_callback(dns_rbtnode_t *node, dns_name_t *name, void *arg) {
 			 * the node as dirty, so it will get cleaned
 			 * up later.
 			 */
-			if (header->ttl <= search->now - RBTDB_VIRTUAL)
-				header_prev = header;
-			else if (node->references == 0) {
+			if (node->references == 0) {
 				INSIST(header->down == NULL);
 				if (header_prev != NULL)
 					header_prev->next =
@@ -2600,7 +2626,7 @@ find_deepest_zonecut(rbtdb_search_t *search, dns_rbtnode_t *node,
 		LOCK(&(rbtdb->node_locks[node->locknum].lock));
 
 		/*
-		 * Look for NS and SIG NS rdatasets.
+		 * Look for NS and RRSIG NS rdatasets.
 		 */
 		found = NULL;
 		foundsig = NULL;
@@ -2617,9 +2643,7 @@ find_deepest_zonecut(rbtdb_search_t *search, dns_rbtnode_t *node,
 				 * the node as dirty, so it will get cleaned
 				 * up later.
 				 */
-				if (header->ttl > search->now - RBTDB_VIRTUAL)
-					header_prev = header;
-				else if (node->references == 0) {
+				if (node->references == 0) {
 					INSIST(header->down == NULL);
 					if (header_prev != NULL)
 						header_prev->next =
@@ -2726,7 +2750,7 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 	rdatasetheader_t *header, *header_prev, *header_next;
 	rdatasetheader_t *found, *nsheader;
 	rdatasetheader_t *foundsig, *nssig, *cnamesig;
-	rbtdb_rdatatype_t sigtype, negtype;
+	rbtdb_rdatatype_t sigtype, nsecype;
 
 	UNUSED(version);
 
@@ -2779,10 +2803,10 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 	 * Certain DNSSEC types are not subject to CNAME matching
 	 * (RFC 2535, section 2.3.5).
 	 *
-	 * We don't check for SIG, because we don't store SIG records
+	 * We don't check for RRSIG, because we don't store RRSIG records
 	 * directly.
 	 */
-	if (type == dns_rdatatype_key || type == dns_rdatatype_nxt)
+	if (type == dns_rdatatype_dnskey || type == dns_rdatatype_nsec)
 		cname_ok = ISC_FALSE;
 
 	/*
@@ -2793,8 +2817,8 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 
 	found = NULL;
 	foundsig = NULL;
-	sigtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_sig, type);
-	negtype = RBTDB_RDATATYPE_VALUE(0, type);
+	sigtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, type);
+	nsecype = RBTDB_RDATATYPE_VALUE(0, type);
 	nsheader = NULL;
 	nssig = NULL;
 	cnamesig = NULL;
@@ -2809,9 +2833,7 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 			 * mark it as stale, and the node as dirty, so it will
 			 * get cleaned up later.
 			 */
-			if (header->ttl > now - RBTDB_VIRTUAL)
-				header_prev = header;
-			else if (node->references == 0) {
+			if (node->references == 0) {
 				INSIST(header->down == NULL);
 				if (header_prev != NULL)
 					header_prev->next = header->next;
@@ -2849,7 +2871,7 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 				    cname_ok &&
 				    cnamesig != NULL) {
 					/*
-					 * If we've already got the CNAME SIG,
+					 * If we've already got the CNAME RRSIG,
 					 * use it, otherwise change sigtype
 					 * so that we find it.
 					 */
@@ -2862,12 +2884,12 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 				}
 			} else if (header->type == sigtype) {
 				/*
-				 * We've found the SIG rdataset for our
+				 * We've found the RRSIG rdataset for our
 				 * target type.  Remember it.
 				 */
 				foundsig = header;
 			} else if (header->type == RBTDB_RDATATYPE_NCACHEANY ||
-				   header->type == negtype) {
+				   header->type == nsecype) {
 				/*
 				 * We've found a negative cache entry.
 				 */
@@ -3079,9 +3101,7 @@ cache_findzonecut(dns_db_t *db, dns_name_t *name, unsigned int options,
 			 * mark it as stale, and the node as dirty, so it will
 			 * get cleaned up later.
 			 */
-			if (header->ttl > now - RBTDB_VIRTUAL)
-				header_prev = header;
-			else if (node->references == 0) {
+			if (node->references == 0) {
 				INSIST(header->down == NULL);
 				if (header_prev != NULL)
 					header_prev->next = header->next;
@@ -3269,7 +3289,7 @@ expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now) {
 	LOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
 
 	for (header = rbtnode->data; header != NULL; header = header->next)
-		if (header->ttl <= now - RBTDB_VIRTUAL) {
+		if (header->ttl <= now) {
 			/*
 			 * We don't check if rbtnode->references == 0 and try
 			 * to free like we do in cache_find(), because
@@ -3360,7 +3380,7 @@ createiterator(dns_db_t *db, isc_boolean_t relative_names,
 
 	REQUIRE(VALID_RBTDB(rbtdb));
 
-	rbtdbiter = isc_mem_get(rbtdb->common.mctx, sizeof *rbtdbiter);
+	rbtdbiter = isc_mem_get(rbtdb->common.mctx, sizeof(*rbtdbiter));
 	if (rbtdbiter == NULL)
 		return (ISC_R_NOMEMORY);
 
@@ -3415,7 +3435,7 @@ zone_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 	foundsig = NULL;
 	matchtype = RBTDB_RDATATYPE_VALUE(type, covers);
 	if (covers == 0)
-		sigmatchtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_sig, type);
+		sigmatchtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, type);
 	else
 		sigmatchtype = 0;
 
@@ -3479,7 +3499,7 @@ cache_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
 	dns_rbtnode_t *rbtnode = (dns_rbtnode_t *)node;
 	rdatasetheader_t *header, *header_next, *found, *foundsig;
-	rbtdb_rdatatype_t matchtype, sigmatchtype, negtype;
+	rbtdb_rdatatype_t matchtype, sigmatchtype, nsecype;
 	isc_result_t result;
 
 	REQUIRE(VALID_RBTDB(rbtdb));
@@ -3497,9 +3517,9 @@ cache_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 	found = NULL;
 	foundsig = NULL;
 	matchtype = RBTDB_RDATATYPE_VALUE(type, covers);
-	negtype = RBTDB_RDATATYPE_VALUE(0, type);
+	nsecype = RBTDB_RDATATYPE_VALUE(0, type);
 	if (covers == 0)
-		sigmatchtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_sig, type);
+		sigmatchtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, type);
 	else
 		sigmatchtype = 0;
 
@@ -3512,16 +3532,14 @@ cache_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 			 * rbtnode->references must be non-zero.  This is so
 			 * because 'node' is an argument to the function.
 			 */
-			if (header->ttl <= now - RBTDB_VIRTUAL) {
-				header->attributes |= RDATASET_ATTR_STALE;
-				rbtnode->dirty = 1;
-			}
+			header->attributes |= RDATASET_ATTR_STALE;
+			rbtnode->dirty = 1;
 		} else if ((header->attributes & RDATASET_ATTR_NONEXISTENT) ==
 			   0) {
 			if (header->type == matchtype)
 				found = header;
 			else if (header->type == RBTDB_RDATATYPE_NCACHEANY ||
-				 header->type == negtype)
+				 header->type == nsecype)
 				found = header;
 			else if (header->type == sigmatchtype)
 				foundsig = header;
@@ -3563,7 +3581,7 @@ allrdatasets(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 
 	REQUIRE(VALID_RBTDB(rbtdb));
 
-	iterator = isc_mem_get(rbtdb->common.mctx, sizeof *iterator);
+	iterator = isc_mem_get(rbtdb->common.mctx, sizeof(*iterator));
 	if (iterator == NULL)
 		return (ISC_R_NOMEMORY);
 
@@ -3647,17 +3665,18 @@ cname_and_other_data(dns_rbtnode_t *node, rbtdb_serial_t serial) {
 			 * Look for active extant "other data".
 			 *
 			 * "Other data" is any rdataset whose type is not
-			 * KEY, SIG KEY, NXT, SIG NXT, or SIG CNAME.
+			 * DNSKEY, RRSIG DNSKEY, NSEC, RRSIG NSEC,
+			 * or RRSIG CNAME.
 			 */
 			rdtype = RBTDB_RDATATYPE_BASE(header->type);
-			if (rdtype == dns_rdatatype_sig)
+			if (rdtype == dns_rdatatype_rrsig)
 				rdtype = RBTDB_RDATATYPE_EXT(header->type);
-			if (rdtype != dns_rdatatype_nxt &&
-			    rdtype != dns_rdatatype_key &&
+			if (rdtype != dns_rdatatype_nsec &&
+			    rdtype != dns_rdatatype_dnskey &&
 			    rdtype != dns_rdatatype_cname) {
 				/*
 				 * We've found a type that isn't
-				 * NXT, KEY, CNAME, or one of their
+				 * NSEC, KEY, CNAME, or one of their
 				 * signatures.  Is it active and extant?
 				 */
 				do {
@@ -3697,8 +3716,7 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 	isc_boolean_t header_nx;
 	isc_boolean_t newheader_nx;
 	isc_boolean_t merge;
-	dns_rdatatype_t rdtype, covers;
-	rbtdb_rdatatype_t negtype;
+	dns_rdatatype_t nsecype, rdtype, covers;
 	dns_trust_t trust;
 
 	/*
@@ -3736,7 +3754,7 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 	newheader_nx = NONEXISTENT(newheader) ? ISC_TRUE : ISC_FALSE;
 	topheader_prev = NULL;
 
-	negtype = 0;
+	nsecype = 0;
 	if (rbtversion == NULL && !newheader_nx) {
 		rdtype = RBTDB_RDATATYPE_BASE(newheader->type);
 		if (rdtype == 0) {
@@ -3746,13 +3764,12 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 			covers = RBTDB_RDATATYPE_EXT(newheader->type);
 			if (covers == dns_rdatatype_any) {
 				/*
-				 * We're adding an negative cache entry
-				 * which covers all types (NXDOMAIN,
-				 * NODATA(QTYPE=ANY)).
+				 * We're adding an NXDOMAIN negative cache
+				 * entry.
 				 *
 				 * We make all other data stale so that the
 				 * only rdataset that can be found at this
-				 * node is the negative cache entry.
+				 * node is the NXDOMAIN negative cache entry.
 				 */
 				for (topheader = rbtnode->data;
 				     topheader != NULL;
@@ -3764,19 +3781,17 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 				rbtnode->dirty = 1;
 				goto find_header;
 			}
-			negtype = RBTDB_RDATATYPE_VALUE(covers, 0);
+			nsecype = RBTDB_RDATATYPE_VALUE(covers, 0);
 		} else {
 			/*
 			 * We're adding something that isn't a
 			 * negative cache entry.  Look for an extant
-			 * non-stale NXDOMAIN/NODATA(QTYPE=ANY) negative
-			 * cache entry.
+			 * non-stale NXDOMAIN negative cache entry.
 			 */
 			for (topheader = rbtnode->data;
 			     topheader != NULL;
 			     topheader = topheader->next) {
-				if (topheader->type ==
-				    RBTDB_RDATATYPE_NCACHEANY)
+				if (NXDOMAIN(topheader))
 					break;
 			}
 			if (topheader != NULL && EXISTS(topheader) &&
@@ -3786,8 +3801,7 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 				 */
 				if (trust < topheader->trust) {
 					/*
-					 * The NXDOMAIN/NODATA(QTYPE=ANY)
-					 * is more trusted.
+					 * The NXDOMAIN is more trusted.
 					 */
 					free_rdataset(rbtdb->common.mctx,
 						      newheader);
@@ -3799,7 +3813,7 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 				}
 				/*
 				 * The new rdataset is better.  Expire the
-				 * NXDOMAIN/NODATA(QTYPE=ANY).
+				 * NXDOMAIN.
 				 */
 				topheader->ttl = 0;
 				topheader->attributes |= RDATASET_ATTR_STALE;
@@ -3807,7 +3821,7 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 				topheader = NULL;
 				goto find_header;
 			}
-			negtype = RBTDB_RDATATYPE_VALUE(0, rdtype);
+			nsecype = RBTDB_RDATATYPE_VALUE(0, rdtype);
 		}
 	}
 
@@ -3815,7 +3829,7 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 	     topheader != NULL;
 	     topheader = topheader->next) {
 		if (topheader->type == newheader->type ||
-		    topheader->type == negtype)
+		    topheader->type == nsecype)
 			break;
 		topheader_prev = topheader;
 	}
@@ -3880,7 +3894,7 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 				result = dns_rdataslab_merge(
 					     (unsigned char *)header,
 					     (unsigned char *)newheader,
-					     (unsigned int)(sizeof *newheader),
+					     (unsigned int)(sizeof(*newheader)),
 					     rbtdb->common.mctx,
 					     rbtdb->common.rdclass,
 					     (dns_rdatatype_t)header->type,
@@ -3905,11 +3919,13 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 		 * Don't replace existing NS, A and AAAA RRsets
 		 * in the cache if they are already exist.  This
 		 * prevents named being locked to old servers.
+		 * Don't lower trust of existing record if the
+		 * update is forced.
 		 */
 		if (IS_CACHE(rbtdb) && header->ttl > now &&
 		    header->type == dns_rdatatype_ns &&
 		    !header_nx && !newheader_nx &&
-		    header->trust == newheader->trust &&
+		    header->trust >= newheader->trust &&
 		    dns_rdataslab_equalx((unsigned char *)header,
 					 (unsigned char *)newheader,
 				         (unsigned int)(sizeof(*newheader)),
@@ -3921,6 +3937,11 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 			 */
 			if (header->ttl > newheader->ttl)
 				header->ttl = newheader->ttl;
+			if (header->noqname == NULL &&
+			    newheader->noqname != NULL) {
+				header->noqname = newheader->noqname;
+				newheader->noqname = NULL;
+			}
 			free_rdataset(rbtdb->common.mctx, newheader);
 			if (addedrdataset != NULL)
 				bind_rdataset(rbtdb, rbtnode, header, now,
@@ -3931,7 +3952,7 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 		    (header->type == dns_rdatatype_a ||
 		     header->type == dns_rdatatype_aaaa) &&
 		    !header_nx && !newheader_nx &&
-		    header->trust == newheader->trust &&
+		    header->trust >= newheader->trust &&
 		    dns_rdataslab_equal((unsigned char *)header,
 					(unsigned char *)newheader,
 				        (unsigned int)(sizeof(*newheader)))) {
@@ -3941,6 +3962,11 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 			 */
 			if (header->ttl > newheader->ttl)
 				header->ttl = newheader->ttl;
+			if (header->noqname == NULL &&
+			    newheader->noqname != NULL) {
+				header->noqname = newheader->noqname;
+				newheader->noqname = NULL;
+			}
 			free_rdataset(rbtdb->common.mctx, newheader);
 			if (addedrdataset != NULL)
 				bind_rdataset(rbtdb, rbtnode, header, now,
@@ -3969,10 +3995,6 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 			rbtnode->dirty = 1;
 			if (changed != NULL)
 				changed->dirty = ISC_TRUE;
-			if (rbtversion == NULL) {
-				header->ttl = 0;
-				header->attributes |= RDATASET_ATTR_STALE;
-			}
 		}
 	} else {
 		/*
@@ -4049,6 +4071,51 @@ delegating_type(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
 	return (ISC_FALSE);
 }
 
+static inline isc_result_t
+addnoqname(dns_rbtdb_t *rbtdb, rdatasetheader_t *newheader,
+	   dns_rdataset_t *rdataset)
+{
+	struct noqname *noqname;
+	isc_mem_t *mctx = rbtdb->common.mctx;
+	dns_name_t name;
+	dns_rdataset_t nsec, nsecsig;
+	isc_result_t result;
+	isc_region_t r;
+
+	dns_name_init(&name, NULL);
+	dns_rdataset_init(&nsec);
+	dns_rdataset_init(&nsecsig);
+
+	result = dns_rdataset_getnoqname(rdataset, &name, &nsec, &nsecsig);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	noqname = isc_mem_get(mctx, sizeof(*noqname));
+	if (noqname == NULL)
+		return (ISC_R_NOMEMORY);
+	dns_name_init(&noqname->name, NULL);
+	noqname->nsec = NULL;
+	noqname->nsecsig = NULL;
+	result = dns_name_dup(&name, mctx, &noqname->name);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	result = dns_rdataslab_fromrdataset(&nsec, mctx, &r, 0);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	noqname->nsec = r.base;
+	result = dns_rdataslab_fromrdataset(&nsecsig, mctx, &r, 0);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	noqname->nsecsig = r.base;
+	dns_rdataset_disassociate(&nsec);
+	dns_rdataset_disassociate(&nsecsig);
+	newheader->noqname = noqname;
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	free_noqname(mctx, &noqname);
+	return(result);
+}
+
 static isc_result_t
 addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 	    isc_stdtime_t now, dns_rdataset_t *rdataset, unsigned int options,
@@ -4072,7 +4139,7 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 
 	result = dns_rdataslab_fromrdataset(rdataset, rbtdb->common.mctx,
 					    &region,
-					    sizeof (rdatasetheader_t));
+					    sizeof(rdatasetheader_t));
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
@@ -4081,6 +4148,8 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 	newheader->type = RBTDB_RDATATYPE_VALUE(rdataset->type,
 						rdataset->covers);
 	newheader->attributes = 0;
+	newheader->noqname = NULL;
+	newheader->count = 0;
 	newheader->trust = rdataset->trust;
 	if (rbtversion != NULL) {
 		newheader->serial = rbtversion->serial;
@@ -4089,6 +4158,13 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 		newheader->serial = 1;
 		if ((rdataset->attributes & DNS_RDATASETATTR_NXDOMAIN) != 0)
 			newheader->attributes |= RDATASET_ATTR_NXDOMAIN;
+		if ((rdataset->attributes & DNS_RDATASETATTR_NOQNAME) != 0) {
+			result = addnoqname(rbtdb, newheader, rdataset);
+			if (result != ISC_R_SUCCESS) {
+				free_rdataset(rbtdb->common.mctx, newheader);
+				return (result);
+			}
+		}
 	}
 
 	/*
@@ -4115,13 +4191,6 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 	if (delegating)
 		RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
 
-	/*
-	 * Update the zone's secure status.  If version is non-NULL
-	 * this is defered until closeversion() is called.
-	 */
-	if (result == ISC_R_SUCCESS && version == NULL && !IS_CACHE(rbtdb))
-		rbtdb->secure = iszonesecure(db, rbtdb->origin_node);
-
 	return (result);
 }
 
@@ -4143,7 +4212,7 @@ subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 
 	result = dns_rdataslab_fromrdataset(rdataset, rbtdb->common.mctx,
 					    &region,
-					    sizeof (rdatasetheader_t));
+					    sizeof(rdatasetheader_t));
 	if (result != ISC_R_SUCCESS)
 		return (result);
 	newheader = (rdatasetheader_t *)region.base;
@@ -4153,13 +4222,14 @@ subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 	newheader->attributes = 0;
 	newheader->serial = rbtversion->serial;
 	newheader->trust = 0;
+	newheader->noqname = NULL;
+	newheader->count = 0;
 
 	LOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
 
 	changed = add_changed(rbtdb, rbtversion, rbtnode);
 	if (changed == NULL) {
 		free_rdataset(rbtdb->common.mctx, newheader);
-		UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
 		return (ISC_R_NOMEMORY);
 	}
 
@@ -4192,7 +4262,7 @@ subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 			result = dns_rdataslab_subtract(
 					(unsigned char *)header,
 					(unsigned char *)newheader,
-					(unsigned int)(sizeof *newheader),
+					(unsigned int)(sizeof(*newheader)),
 					rbtdb->common.mctx,
 					rbtdb->common.rdclass,
 					(dns_rdatatype_t)header->type,
@@ -4213,7 +4283,7 @@ subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 			 */
 			free_rdataset(rbtdb->common.mctx, newheader);
 			newheader = isc_mem_get(rbtdb->common.mctx,
-						sizeof *newheader);
+						sizeof(*newheader));
 			if (newheader == NULL) {
 				result = ISC_R_NOMEMORY;
 				goto unlock;
@@ -4223,6 +4293,8 @@ subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 			newheader->attributes = RDATASET_ATTR_NONEXISTENT;
 			newheader->trust = 0;
 			newheader->serial = rbtversion->serial;
+			newheader->noqname = NULL;
+			newheader->count = 0;
 		} else {
 			free_rdataset(rbtdb->common.mctx, newheader);
 			goto unlock;
@@ -4260,13 +4332,6 @@ subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
  unlock:
 	UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
 
-	/*
-	 * Update the zone's secure status.  If version is non-NULL
-	 * this is defered until closeversion() is called.
-	 */
-	if (result == ISC_R_SUCCESS && version == NULL && !IS_CACHE(rbtdb))
-		rbtdb->secure = iszonesecure(db, rbtdb->origin_node);
-
 	return (result);
 }
 
@@ -4284,20 +4349,22 @@ deleterdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 
 	if (type == dns_rdatatype_any)
 		return (ISC_R_NOTIMPLEMENTED);
-	if (type == dns_rdatatype_sig && covers == 0)
+	if (type == dns_rdatatype_rrsig && covers == 0)
 		return (ISC_R_NOTIMPLEMENTED);
 
-	newheader = isc_mem_get(rbtdb->common.mctx, sizeof *newheader);
+	newheader = isc_mem_get(rbtdb->common.mctx, sizeof(*newheader));
 	if (newheader == NULL)
 		return (ISC_R_NOMEMORY);
 	newheader->ttl = 0;
 	newheader->type = RBTDB_RDATATYPE_VALUE(type, covers);
 	newheader->attributes = RDATASET_ATTR_NONEXISTENT;
 	newheader->trust = 0;
+	newheader->noqname = NULL;
 	if (rbtversion != NULL)
 		newheader->serial = rbtversion->serial;
 	else
 		newheader->serial = 0;
+	newheader->count = 0;
 
 	LOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
 
@@ -4306,13 +4373,6 @@ deleterdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 
 	UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
 
-	/*
-	 * Update the zone's secure status.  If version is non-NULL
-	 * this is defered until closeversion() is called.
-	 */
-	if (result == ISC_R_SUCCESS && version == NULL && !IS_CACHE(rbtdb))
-		rbtdb->secure = iszonesecure(db, rbtdb->origin_node);
-
 	return (result);
 }
 
@@ -4370,7 +4430,7 @@ loading_addrdataset(void *arg, dns_name_t *name, dns_rdataset_t *rdataset) {
 
 	result = dns_rdataslab_fromrdataset(rdataset, rbtdb->common.mctx,
 					    &region,
-					    sizeof (rdatasetheader_t));
+					    sizeof(rdatasetheader_t));
 	if (result != ISC_R_SUCCESS)
 		return (result);
 	newheader = (rdatasetheader_t *)region.base;
@@ -4380,6 +4440,8 @@ loading_addrdataset(void *arg, dns_name_t *name, dns_rdataset_t *rdataset) {
 	newheader->attributes = 0;
 	newheader->trust = rdataset->trust;
 	newheader->serial = 1;
+	newheader->noqname = NULL;
+	newheader->count = 0;
 
 	result = add(rbtdb, node, rbtdb->current_version, newheader,
 		     DNS_DBADD_MERGE, ISC_TRUE, NULL, 0);
@@ -4401,7 +4463,7 @@ beginload(dns_db_t *db, dns_addrdatasetfunc_t *addp, dns_dbload_t **dbloadp) {
 
 	REQUIRE(VALID_RBTDB(rbtdb));
 
-	loadctx = isc_mem_get(rbtdb->common.mctx, sizeof *loadctx);
+	loadctx = isc_mem_get(rbtdb->common.mctx, sizeof(*loadctx));
 	if (loadctx == NULL)
 		return (ISC_R_NOMEMORY);
 
@@ -4425,6 +4487,48 @@ beginload(dns_db_t *db, dns_addrdatasetfunc_t *addp, dns_dbload_t **dbloadp) {
 	return (ISC_R_SUCCESS);
 }
 
+static isc_boolean_t
+iszonesecure(dns_db_t *db, dns_dbnode_t *origin) {
+	dns_rdataset_t keyset;
+	dns_rdataset_t nsecset, signsecset;
+	isc_boolean_t haszonekey = ISC_FALSE;
+	isc_boolean_t hasnsec = ISC_FALSE;
+	isc_result_t result;
+
+	dns_rdataset_init(&keyset);
+	result = dns_db_findrdataset(db, origin, NULL, dns_rdatatype_dnskey, 0,
+				     0, &keyset, NULL);
+	if (result == ISC_R_SUCCESS) {
+		dns_rdata_t keyrdata = DNS_RDATA_INIT;
+		result = dns_rdataset_first(&keyset);
+		while (result == ISC_R_SUCCESS) {
+			dns_rdataset_current(&keyset, &keyrdata);
+			if (dns_zonekey_iszonekey(&keyrdata)) {
+				haszonekey = ISC_TRUE;
+				break;
+			}
+			result = dns_rdataset_next(&keyset);
+		}
+		dns_rdataset_disassociate(&keyset);
+	}
+	if (!haszonekey)
+		return (ISC_FALSE);
+
+	dns_rdataset_init(&nsecset);
+	dns_rdataset_init(&signsecset);
+	result = dns_db_findrdataset(db, origin, NULL, dns_rdatatype_nsec, 0,
+				     0, &nsecset, &signsecset);
+	if (result == ISC_R_SUCCESS) {
+		if (dns_rdataset_isassociated(&signsecset)) {
+			hasnsec = ISC_TRUE;
+			dns_rdataset_disassociate(&signsecset);
+		}
+		dns_rdataset_disassociate(&nsecset);
+	}
+	return (hasnsec);
+
+}
+
 static isc_result_t
 endload(dns_db_t *db, dns_dbload_t **dbloadp) {
 	rbtdb_load_t *loadctx;
@@ -4454,7 +4558,7 @@ endload(dns_db_t *db, dns_dbload_t **dbloadp) {
 
 	*dbloadp = NULL;
 
-	isc_mem_put(rbtdb->common.mctx, loadctx, sizeof *loadctx);
+	isc_mem_put(rbtdb->common.mctx, loadctx, sizeof(*loadctx));
 
 	return (ISC_R_SUCCESS);
 }
@@ -4617,10 +4721,10 @@ dns_rbtdb_create
 	UNUSED(argv);
 	UNUSED(driverarg);
 
-	rbtdb = isc_mem_get(mctx, sizeof *rbtdb);
+	rbtdb = isc_mem_get(mctx, sizeof(*rbtdb));
 	if (rbtdb == NULL)
 		return (ISC_R_NOMEMORY);
-	memset(rbtdb, '\0', sizeof *rbtdb);
+	memset(rbtdb, '\0', sizeof(*rbtdb));
 	dns_name_init(&rbtdb->common.origin, NULL);
 	rbtdb->common.attributes = 0;
 	if (type == dns_dbtype_cache) {
@@ -4636,7 +4740,7 @@ dns_rbtdb_create
 
 	result = isc_mutex_init(&rbtdb->lock);
 	if (result != ISC_R_SUCCESS) {
-		isc_mem_put(mctx, rbtdb, sizeof *rbtdb);
+		isc_mem_put(mctx, rbtdb, sizeof(*rbtdb));
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
 				 "isc_mutex_init() failed: %s",
 				 isc_result_totext(result));
@@ -4646,7 +4750,7 @@ dns_rbtdb_create
 	result = isc_rwlock_init(&rbtdb->tree_lock, 0, 0);
 	if (result != ISC_R_SUCCESS) {
 		DESTROYLOCK(&rbtdb->lock);
-		isc_mem_put(mctx, rbtdb, sizeof *rbtdb);
+		isc_mem_put(mctx, rbtdb, sizeof(*rbtdb));
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
 				 "isc_rwlock_init() failed: %s",
 				 isc_result_totext(result));
@@ -4658,7 +4762,7 @@ dns_rbtdb_create
 	if (rbtdb->node_lock_count == 0)
 		rbtdb->node_lock_count = DEFAULT_NODE_LOCK_COUNT;
 	rbtdb->node_locks = isc_mem_get(mctx, rbtdb->node_lock_count *
-					sizeof (rbtdb_nodelock_t));
+					sizeof(rbtdb_nodelock_t));
 	rbtdb->active = rbtdb->node_lock_count;
 	for (i = 0; i < (int)(rbtdb->node_lock_count); i++) {
 		result = isc_mutex_init(&rbtdb->node_locks[i].lock);
@@ -4670,10 +4774,10 @@ dns_rbtdb_create
 			}
 			isc_mem_put(mctx, rbtdb->node_locks,
 				    rbtdb->node_lock_count *
-				    sizeof (rbtdb_nodelock_t));
+				    sizeof(rbtdb_nodelock_t));
 			isc_rwlock_destroy(&rbtdb->tree_lock);
 			DESTROYLOCK(&rbtdb->lock);
-			isc_mem_put(mctx, rbtdb, sizeof *rbtdb);
+			isc_mem_put(mctx, rbtdb, sizeof(*rbtdb));
 			UNEXPECTED_ERROR(__FILE__, __LINE__,
 					 "isc_mutex_init() failed: %s",
 					 isc_result_totext(result));
@@ -4691,11 +4795,6 @@ dns_rbtdb_create
 	isc_mem_attach(mctx, &rbtdb->common.mctx);
 
 	/*
-	 * Must be initalized before free_rbtdb() is called.
-	 */
-	isc_ondestroy_init(&rbtdb->common.ondest);
-
-	/*
 	 * Make a copy of the origin name.
 	 */
 	result = dns_name_dupwithoffsets(origin, mctx, &rbtdb->common.origin);
@@ -4773,6 +4872,8 @@ dns_rbtdb_create
 	rbtdb->future_version = NULL;
 	ISC_LIST_INIT(rbtdb->open_versions);
 
+	isc_ondestroy_init(&rbtdb->common.ondest);
+
 	rbtdb->common.magic = DNS_DB_MAGIC;
 	rbtdb->common.impmagic = RBTDB_MAGIC;
 
@@ -4875,6 +4976,49 @@ rdataset_count(dns_rdataset_t *rdataset) {
 	return (count);
 }
 
+static isc_result_t
+rdataset_getnoqname(dns_rdataset_t *rdataset, dns_name_t *name,
+		    dns_rdataset_t *nsec, dns_rdataset_t *nsecsig)
+{
+	dns_db_t *db = rdataset->private1;
+	dns_dbnode_t *node = rdataset->private2;
+	dns_dbnode_t *cloned_node;
+	struct noqname *noqname = rdataset->private6;
+
+	attachnode(db, node, &cloned_node);
+	attachnode(db, node, &cloned_node);
+
+	nsec->methods = &rdataset_methods;
+	nsec->rdclass = db->rdclass;
+	nsec->type = dns_rdatatype_nsec;
+	nsec->covers = 0;
+	nsec->ttl = rdataset->ttl;
+	nsec->trust = rdataset->trust;
+	nsec->private1 = rdataset->private1;
+	nsec->private2 = rdataset->private2;
+	nsec->private3 = noqname->nsec;
+	nsec->privateuint4 = 0;
+	nsec->private5 = NULL;
+	nsec->private6 = NULL;
+
+	nsecsig->methods = &rdataset_methods;
+	nsecsig->rdclass = db->rdclass;
+	nsecsig->type = dns_rdatatype_rrsig;
+	nsecsig->covers = dns_rdatatype_nsec;
+	nsecsig->ttl = rdataset->ttl;
+	nsecsig->trust = rdataset->trust;
+	nsecsig->private1 = rdataset->private1;
+	nsecsig->private2 = rdataset->private2;
+	nsecsig->private3 = noqname->nsecsig;
+	nsecsig->privateuint4 = 0;
+	nsecsig->private5 = NULL;
+	nsec->private6 = NULL;
+
+	dns_name_clone(&noqname->name, name);
+
+	return (ISC_R_SUCCESS);
+}
+
 
 /*
  * Rdataset Iterator Methods
@@ -4891,7 +5035,7 @@ rdatasetiter_destroy(dns_rdatasetiter_t **iteratorp) {
 			     &rbtiterator->common.version, ISC_FALSE);
 	detachnode(rbtiterator->common.db, &rbtiterator->common.node);
 	isc_mem_put(rbtiterator->common.db->mctx, rbtiterator,
-		    sizeof *rbtiterator);
+		    sizeof(*rbtiterator));
 
 	*iteratorp = NULL;
 }
@@ -4927,7 +5071,7 @@ rdatasetiter_first(dns_rdatasetiter_t *iterator) {
 				 * Note: unlike everywhere else, we
 				 * check for now > header->ttl instead
 				 * of now >= header->ttl.  This allows
-				 * ANY and SIG queries for 0 TTL
+				 * ANY and RRSIG queries for 0 TTL
 				 * rdatasets to work.
 				 */
 				if (NONEXISTENT(header) ||
@@ -4960,8 +5104,7 @@ rdatasetiter_next(dns_rdatasetiter_t *iterator) {
 	rdatasetheader_t *header, *top_next;
 	rbtdb_serial_t serial;
 	isc_stdtime_t now;
-	rbtdb_rdatatype_t type, negtype;
-	dns_rdatatype_t rdtype, covers;
+	rbtdb_rdatatype_t type;
 
 	header = rbtiterator->current;
 	if (header == NULL)
@@ -4978,18 +5121,9 @@ rdatasetiter_next(dns_rdatasetiter_t *iterator) {
 	LOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
 
 	type = header->type;
-	rdtype = RBTDB_RDATATYPE_BASE(header->type);
-	if (rdtype == 0) {
-		covers = RBTDB_RDATATYPE_EXT(header->type);
-		negtype = RBTDB_RDATATYPE_VALUE(covers, 0);
-	} else 
-		negtype = RBTDB_RDATATYPE_VALUE(0, rdtype);
 	for (header = header->next; header != NULL; header = top_next) {
 		top_next = header->next;
-		/*
-		 * If not walking back up the down list.
-		 */
-		if (header->type != type && header->type != negtype) {
+		if (header->type != type) {
 			do {
 				if (header->serial <= serial &&
 				    !IGNORE(header)) {
@@ -5000,7 +5134,7 @@ rdatasetiter_next(dns_rdatasetiter_t *iterator) {
 					 * Note: unlike everywhere else, we
 					 * check for now > header->ttl instead
 					 * of now >= header->ttl.  This allows
-					 * ANY and SIG queries for 0 TTL
+					 * ANY and RRSIG queries for 0 TTL
 					 * rdatasets to work.
 					 */
 					if ((header->attributes &
diff --git a/lib/dns/rbtdb.h b/lib/dns/rbtdb.h
index fb9af5e4..086b75e9 100644
--- a/lib/dns/rbtdb.h
+++ b/lib/dns/rbtdb.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rbtdb.h,v 1.13.2.1 2004/03/09 06:11:05 marka Exp $ */
+/* $Id: rbtdb.h,v 1.13.206.1 2004/03/06 08:13:42 marka Exp $ */
 
 #ifndef DNS_RBTDB_H
 #define DNS_RBTDB_H 1
diff --git a/lib/dns/rbtdb64.c b/lib/dns/rbtdb64.c
index 09a3c2b3..f41ab37c 100644
--- a/lib/dns/rbtdb64.c
+++ b/lib/dns/rbtdb64.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rbtdb64.c,v 1.6.2.1 2004/03/09 06:11:05 marka Exp $ */
+/* $Id: rbtdb64.c,v 1.6.206.1 2004/03/06 08:13:42 marka Exp $ */
 
 #define DNS_RBTDB_VERSION64 1
 #include "rbtdb.c"
diff --git a/lib/dns/rbtdb64.h b/lib/dns/rbtdb64.h
index 268bf46b..5d426b5e 100644
--- a/lib/dns/rbtdb64.h
+++ b/lib/dns/rbtdb64.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rbtdb64.h,v 1.12.2.1 2004/03/09 06:11:05 marka Exp $ */
+/* $Id: rbtdb64.h,v 1.12.206.1 2004/03/06 08:13:43 marka Exp $ */
 
 #ifndef DNS_RBTDB64_H
 #define DNS_RBTDB64_H 1
diff --git a/lib/dns/rcode.c b/lib/dns/rcode.c
new file mode 100644
index 00000000..337f6491
--- /dev/null
+++ b/lib/dns/rcode.c
@@ -0,0 +1,473 @@
+/*
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2003  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: rcode.c,v 1.1.4.1 2004/03/12 10:31:25 marka Exp $ */
+
+#include <config.h>
+#include <ctype.h>
+
+#include <isc/buffer.h>
+#include <isc/parseint.h>
+#include <isc/print.h>
+#include <isc/region.h>
+#include <isc/result.h>
+#include <isc/stdio.h>
+#include <isc/stdlib.h>
+#include <isc/string.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+#include <dns/cert.h>
+#include <dns/keyflags.h>
+#include <dns/keyvalues.h>
+#include <dns/rcode.h>
+#include <dns/rdataclass.h>
+#include <dns/result.h>
+#include <dns/secalg.h>
+#include <dns/secproto.h>
+
+#define RETERR(x) \
+	do { \
+		isc_result_t _r = (x); \
+		if (_r != ISC_R_SUCCESS) \
+			return (_r); \
+	} while (0)
+
+#define NUMBERSIZE sizeof("037777777777") /* 2^32-1 octal + NUL */
+
+#define RCODENAMES \
+	/* standard rcodes */ \
+	{ dns_rcode_noerror, "NOERROR", 0}, \
+	{ dns_rcode_formerr, "FORMERR", 0}, \
+	{ dns_rcode_servfail, "SERVFAIL", 0}, \
+	{ dns_rcode_nxdomain, "NXDOMAIN", 0}, \
+	{ dns_rcode_notimp, "NOTIMP", 0}, \
+	{ dns_rcode_refused, "REFUSED", 0}, \
+	{ dns_rcode_yxdomain, "YXDOMAIN", 0}, \
+	{ dns_rcode_yxrrset, "YXRRSET", 0}, \
+	{ dns_rcode_nxrrset, "NXRRSET", 0}, \
+	{ dns_rcode_notauth, "NOTAUTH", 0}, \
+	{ dns_rcode_notzone, "NOTZONE", 0},
+
+#define ERCODENAMES \
+	/* extended rcodes */ \
+	{ dns_rcode_badvers, "BADVERS", 0}, \
+	{ 0, NULL, 0 } 
+
+#define TSIGRCODENAMES \
+	/* extended rcodes */ \
+	{ dns_tsigerror_badsig, "BADSIG", 0}, \
+	{ dns_tsigerror_badkey, "BADKEY", 0}, \
+	{ dns_tsigerror_badtime, "BADTIME", 0}, \
+	{ dns_tsigerror_badmode, "BADMODE", 0}, \
+	{ dns_tsigerror_badname, "BADNAME", 0}, \
+	{ dns_tsigerror_badalg, "BADALG", 0}, \
+	{ 0, NULL, 0 }
+
+/* RFC2538 section 2.1 */
+
+#define CERTNAMES \
+	{ 1, "PKIX", 0}, \
+	{ 2, "SPKI", 0}, \
+	{ 3, "PGP", 0}, \
+	{ 253, "URI", 0}, \
+	{ 254, "OID", 0}, \
+	{ 0, NULL, 0}
+
+/* RFC2535 section 7, RFC3110 */
+
+#define SECALGNAMES \
+	{ DNS_KEYALG_RSAMD5, "RSAMD5", 0 }, \
+	{ DNS_KEYALG_RSAMD5, "RSA", 0 }, \
+	{ DNS_KEYALG_DH, "DH", 0 }, \
+	{ DNS_KEYALG_DSA, "DSA", 0 }, \
+	{ DNS_KEYALG_ECC, "ECC", 0 }, \
+	{ DNS_KEYALG_RSASHA1, "RSASHA1", 0 }, \
+	{ DNS_KEYALG_INDIRECT, "INDIRECT", 0 }, \
+	{ DNS_KEYALG_PRIVATEDNS, "PRIVATEDNS", 0 }, \
+	{ DNS_KEYALG_PRIVATEOID, "PRIVATEOID", 0 }, \
+	{ 0, NULL, 0}
+
+/* RFC2535 section 7.1 */
+
+#define SECPROTONAMES \
+	{   0,    "NONE", 0 }, \
+	{   1,    "TLS", 0 }, \
+	{   2,    "EMAIL", 0 }, \
+	{   3,    "DNSSEC", 0 }, \
+	{   4,    "IPSEC", 0 }, \
+	{ 255,    "ALL", 0 }, \
+	{ 0, NULL, 0}
+
+struct tbl {
+	unsigned int    value;
+	const char      *name;
+	int             flags;
+};
+
+static struct tbl rcodes[] = { RCODENAMES ERCODENAMES };
+static struct tbl tsigrcodes[] = { RCODENAMES TSIGRCODENAMES };
+static struct tbl certs[] = { CERTNAMES };
+static struct tbl secalgs[] = { SECALGNAMES };
+static struct tbl secprotos[] = { SECPROTONAMES };
+
+static struct keyflag {
+	const char *name;
+	unsigned int value;
+	unsigned int mask;
+} keyflags[] = {
+	{ "NOCONF", 0x4000, 0xC000 },
+	{ "NOAUTH", 0x8000, 0xC000 },
+	{ "NOKEY",  0xC000, 0xC000 },
+	{ "FLAG2",  0x2000, 0x2000 },
+	{ "EXTEND", 0x1000, 0x1000 },
+	{ "FLAG4",  0x0800, 0x0800 },
+	{ "FLAG5",  0x0400, 0x0400 },
+	{ "USER",   0x0000, 0x0300 },
+	{ "ZONE",   0x0100, 0x0300 },
+	{ "HOST",   0x0200, 0x0300 },
+	{ "NTYP3",  0x0300, 0x0300 },
+	{ "FLAG8",  0x0080, 0x0080 },
+	{ "FLAG9",  0x0040, 0x0040 },
+	{ "FLAG10", 0x0020, 0x0020 },
+	{ "FLAG11", 0x0010, 0x0010 },
+	{ "SIG0",   0x0000, 0x000F },
+	{ "SIG1",   0x0001, 0x000F },
+	{ "SIG2",   0x0002, 0x000F },
+	{ "SIG3",   0x0003, 0x000F },
+	{ "SIG4",   0x0004, 0x000F },
+	{ "SIG5",   0x0005, 0x000F },
+	{ "SIG6",   0x0006, 0x000F },
+	{ "SIG7",   0x0007, 0x000F },
+	{ "SIG8",   0x0008, 0x000F },
+	{ "SIG9",   0x0009, 0x000F },
+	{ "SIG10",  0x000A, 0x000F },
+	{ "SIG11",  0x000B, 0x000F },
+	{ "SIG12",  0x000C, 0x000F },
+	{ "SIG13",  0x000D, 0x000F },
+	{ "SIG14",  0x000E, 0x000F },
+	{ "SIG15",  0x000F, 0x000F },
+	{ "KSK",  DNS_KEYFLAG_KSK, DNS_KEYFLAG_KSK },
+	{ NULL,     0, 0 }
+};
+
+static isc_result_t
+str_totext(const char *source, isc_buffer_t *target) {
+	unsigned int l;
+	isc_region_t region;
+
+	isc_buffer_availableregion(target, &region);
+	l = strlen(source);
+
+	if (l > region.length)
+		return (ISC_R_NOSPACE);
+
+	memcpy(region.base, source, l);
+	isc_buffer_add(target, l);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+maybe_numeric(unsigned int *valuep, isc_textregion_t *source,
+	      unsigned int max, isc_boolean_t hex_allowed)
+{
+	isc_result_t result;
+	isc_uint32_t n;
+	char buffer[NUMBERSIZE];
+
+	if (! isdigit(source->base[0] & 0xff) ||
+	    source->length > NUMBERSIZE - 1)
+		return (ISC_R_BADNUMBER);
+
+	/*
+	 * We have a potential number.  Try to parse it with
+	 * isc_parse_uint32().  isc_parse_uint32() requires
+	 * null termination, so we must make a copy.
+	 */
+	strncpy(buffer, source->base, NUMBERSIZE);
+	INSIST(buffer[source->length] == '\0');
+
+	result = isc_parse_uint32(&n, buffer, 10);
+	if (result == ISC_R_BADNUMBER && hex_allowed)
+		result = isc_parse_uint32(&n, buffer, 16);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	if (n > max)
+		return (ISC_R_RANGE);
+	*valuep = n;
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+dns_mnemonic_fromtext(unsigned int *valuep, isc_textregion_t *source,
+		      struct tbl *table, unsigned int max)
+{
+	isc_result_t result;
+	int i;
+
+	result = maybe_numeric(valuep, source, max, ISC_FALSE);
+	if (result != ISC_R_BADNUMBER)
+		return (result);
+
+	for (i = 0; table[i].name != NULL; i++) {
+		unsigned int n;
+		n = strlen(table[i].name);
+		if (n == source->length &&
+		    strncasecmp(source->base, table[i].name, n) == 0) {
+			*valuep = table[i].value;
+			return (ISC_R_SUCCESS);
+		}
+	}
+	return (DNS_R_UNKNOWN);
+}
+
+static isc_result_t
+dns_mnemonic_totext(unsigned int value, isc_buffer_t *target,
+		    struct tbl *table) 
+{
+	int i = 0;
+	char buf[sizeof("4294967296")];
+	while (table[i].name != NULL) {
+		if (table[i].value == value) {
+			return (str_totext(table[i].name, target));
+		}
+		i++;
+	}
+	snprintf(buf, sizeof(buf), "%u", value);
+	return (str_totext(buf, target));
+}
+
+isc_result_t
+dns_rcode_fromtext(dns_rcode_t *rcodep, isc_textregion_t *source) {
+	unsigned int value;
+	RETERR(dns_mnemonic_fromtext(&value, source, rcodes, 0xffff));
+	*rcodep = value;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_rcode_totext(dns_rcode_t rcode, isc_buffer_t *target) {
+	return (dns_mnemonic_totext(rcode, target, rcodes));
+}
+
+isc_result_t
+dns_tsigrcode_fromtext(dns_rcode_t *rcodep, isc_textregion_t *source) {
+	unsigned int value;
+	RETERR(dns_mnemonic_fromtext(&value, source, tsigrcodes, 0xffff));
+	*rcodep = value;
+	return (ISC_R_SUCCESS);
+} 
+
+isc_result_t
+dns_tsigrcode_totext(dns_rcode_t rcode, isc_buffer_t *target) {
+	return (dns_mnemonic_totext(rcode, target, tsigrcodes));
+}
+
+isc_result_t
+dns_cert_fromtext(dns_cert_t *certp, isc_textregion_t *source) {
+	unsigned int value;
+	RETERR(dns_mnemonic_fromtext(&value, source, certs, 0xffff));
+	*certp = value;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_cert_totext(dns_cert_t cert, isc_buffer_t *target) {
+	return (dns_mnemonic_totext(cert, target, certs));
+}
+
+isc_result_t
+dns_secalg_fromtext(dns_secalg_t *secalgp, isc_textregion_t *source) {
+	unsigned int value;
+	RETERR(dns_mnemonic_fromtext(&value, source, secalgs, 0xff));
+	*secalgp = value;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_secalg_totext(dns_secalg_t secalg, isc_buffer_t *target) {
+	return (dns_mnemonic_totext(secalg, target, secalgs));
+}
+
+isc_result_t
+dns_secproto_fromtext(dns_secproto_t *secprotop, isc_textregion_t *source) {
+	unsigned int value;
+	RETERR(dns_mnemonic_fromtext(&value, source, secprotos, 0xff));
+	*secprotop = value;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_secproto_totext(dns_secproto_t secproto, isc_buffer_t *target) {
+	return (dns_mnemonic_totext(secproto, target, secprotos));
+}
+
+isc_result_t
+dns_keyflags_fromtext(dns_keyflags_t *flagsp, isc_textregion_t *source)
+{
+	isc_result_t result;
+	char *text, *end;
+	unsigned int value, mask;
+
+	result = maybe_numeric(&value, source, 0xffff, ISC_TRUE);
+	if (result == ISC_R_SUCCESS) {
+		*flagsp = value;
+		return (ISC_R_SUCCESS);
+	}
+	if (result != ISC_R_BADNUMBER)
+		return (result);
+
+	text = source->base;
+	end = source->base + source->length;
+	value = mask = 0;
+
+	while (text < end) {
+		struct keyflag *p;
+		unsigned int len;
+		char *delim = memchr(text, '|', end - text);
+		if (delim != NULL)
+			len = delim - text;
+		else
+			len = end - text;
+		for (p = keyflags; p->name != NULL; p++) {
+			if (strncasecmp(p->name, text, len) == 0)
+				break;
+		}
+		if (p->name == NULL)
+			return (DNS_R_UNKNOWNFLAG);
+		value |= p->value;
+#ifdef notyet
+		if ((mask & p->mask) != 0)
+			warn("overlapping key flags");
+#endif
+		mask |= p->mask;
+		text += len;
+		if (delim != NULL)
+			text++; /* Skip "|" */
+	}
+	*flagsp = value;
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * This uses lots of hard coded values, but how often do we actually
+ * add classes?
+ */
+isc_result_t
+dns_rdataclass_fromtext(dns_rdataclass_t *classp, isc_textregion_t *source) {
+#define COMPARE(string, rdclass) \
+	if (((sizeof(string) - 1) == source->length) \
+	    && (strncasecmp(source->base, string, source->length) == 0)) { \
+		*classp = rdclass; \
+		return (ISC_R_SUCCESS); \
+	}
+
+	switch (tolower((unsigned char)source->base[0])) {
+	case 'a':
+		COMPARE("any", dns_rdataclass_any);
+		break;
+	case 'c':
+		/*
+		 * RFC1035 says the mnemonic for the CHAOS class is CH,
+		 * but historical BIND practice is to call it CHAOS.
+		 * We will accept both forms, but only generate CH.
+		 */
+		COMPARE("ch", dns_rdataclass_chaos);
+		COMPARE("chaos", dns_rdataclass_chaos);
+
+		if (source->length > 5 &&
+		    source->length < (5 + sizeof("65000")) &&
+		    strncasecmp("class", source->base, 5) == 0) {
+			char buf[sizeof("65000")];
+			char *endp;
+			unsigned int val;
+
+			strncpy(buf, source->base + 5, source->length - 5);
+			buf[source->length - 5] = '\0';
+			val = strtoul(buf, &endp, 10);
+			if (*endp == '\0' && val <= 0xffff) {
+				*classp = (dns_rdataclass_t)val;
+				return (ISC_R_SUCCESS);
+			}
+		}
+		break;
+	case 'h':
+		COMPARE("hs", dns_rdataclass_hs);
+		COMPARE("hesiod", dns_rdataclass_hs);
+		break;
+	case 'i':
+		COMPARE("in", dns_rdataclass_in);
+		break;
+	case 'n':
+		COMPARE("none", dns_rdataclass_none);
+		break;
+	case 'r':
+		COMPARE("reserved0", dns_rdataclass_reserved0);
+		break;
+	}
+
+#undef COMPARE
+
+	return (DNS_R_UNKNOWN);
+}
+
+isc_result_t
+dns_rdataclass_totext(dns_rdataclass_t rdclass, isc_buffer_t *target) {
+	char buf[sizeof("CLASS65535")];
+
+	switch (rdclass) {
+	case dns_rdataclass_any:
+		return (str_totext("ANY", target));
+	case dns_rdataclass_chaos:
+		return (str_totext("CH", target));
+	case dns_rdataclass_hs:
+		return (str_totext("HS", target));
+	case dns_rdataclass_in:
+		return (str_totext("IN", target));
+	case dns_rdataclass_none:
+		return (str_totext("NONE", target));
+	case dns_rdataclass_reserved0:
+		return (str_totext("RESERVED0", target));
+	default:
+		snprintf(buf, sizeof(buf), "CLASS%u", rdclass);
+		return (str_totext(buf, target));
+	}
+}
+
+void
+dns_rdataclass_format(dns_rdataclass_t rdclass,
+		      char *array, unsigned int size)
+{
+	isc_result_t result;
+	isc_buffer_t buf;
+
+	isc_buffer_init(&buf, array, size);
+	result = dns_rdataclass_totext(rdclass, &buf);
+	/*
+	 * Null terminate.
+	 */
+	if (result == ISC_R_SUCCESS) {
+		if (isc_buffer_availablelength(&buf) >= 1)
+			isc_buffer_putuint8(&buf, 0);
+		else
+			result = ISC_R_NOSPACE;
+	}
+	if (result != ISC_R_SUCCESS) {
+		snprintf(array, size, "<unknown>");
+		array[size - 1] = '\0';
+	}
+}
diff --git a/lib/dns/rdata.c b/lib/dns/rdata.c
index 4114e248..6bf2b66d 100644
--- a/lib/dns/rdata.c
+++ b/lib/dns/rdata.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdata.c,v 1.147.2.18 2006/07/21 02:05:55 marka Exp $ */
+/* $Id: rdata.c,v 1.147.2.11.2.15 2004/03/12 10:31:25 marka Exp $ */
 
 #include <config.h>
 #include <ctype.h>
@@ -24,14 +24,18 @@
 #include <isc/hex.h>
 #include <isc/lex.h>
 #include <isc/mem.h>
+#include <isc/parseint.h>
 #include <isc/print.h>
 #include <isc/string.h>
+#include <isc/stdlib.h>
 #include <isc/util.h>
 
 #include <dns/callbacks.h>
 #include <dns/cert.h>
 #include <dns/compress.h>
+#include <dns/enumtype.h>
 #include <dns/keyflags.h>
+#include <dns/keyvalues.h>
 #include <dns/rcode.h>
 #include <dns/rdata.h>
 #include <dns/rdataclass.h>
@@ -49,6 +53,7 @@
 		if (_r != ISC_R_SUCCESS) \
 			return (_r); \
 	} while (0)
+
 #define RETTOK(x) \
 	do { \
 		isc_result_t _r = (x); \
@@ -58,9 +63,11 @@
 		} \
 	} while (0)
 
+#define DNS_AS_STR(t) ((t).value.as_textregion.base)
+
 #define ARGS_FROMTEXT	int rdclass, dns_rdatatype_t type, \
 			isc_lex_t *lexer, dns_name_t *origin, \
-			isc_boolean_t downcase, isc_buffer_t *target, \
+			unsigned int options, isc_buffer_t *target, \
 			dns_rdatacallbacks_t *callbacks
 
 #define ARGS_TOTEXT	dns_rdata_t *rdata, dns_rdata_textctx_t *tctx, \
@@ -68,7 +75,7 @@
 
 #define ARGS_FROMWIRE	int rdclass, dns_rdatatype_t type, \
 			isc_buffer_t *source, dns_decompress_t *dctx, \
-			isc_boolean_t downcase, isc_buffer_t *target
+			unsigned int options, isc_buffer_t *target
 
 #define ARGS_TOWIRE	dns_rdata_t *rdata, dns_compress_t *cctx, \
 			isc_buffer_t *target
@@ -87,6 +94,12 @@
 
 #define ARGS_DIGEST	dns_rdata_t *rdata, dns_digestfunc_t digest, void *arg
 
+#define ARGS_CHECKOWNER dns_name_t *name, dns_rdataclass_t rdclass, \
+			dns_rdatatype_t type, isc_boolean_t wildcard
+
+#define ARGS_CHECKNAMES dns_rdata_t *rdata, dns_name_t *owner, dns_name_t *bad
+
+
 /*
  * Context structure for the totext_ functions.
  * Contains formatting options for rdata-to-text
@@ -151,9 +164,6 @@ static isc_result_t
 mem_tobuffer(isc_buffer_t *target, void *base, unsigned int length);
 
 static int
-compare_region(isc_region_t *r1, isc_region_t *r2);
-
-static int
 hexvalue(char value);
 
 static int
@@ -181,6 +191,10 @@ static isc_result_t
 rdata_totext(dns_rdata_t *rdata, dns_rdata_textctx_t *tctx,
 	     isc_buffer_t *target);
 
+static void
+warn_badname(dns_name_t *name, isc_lex_t *lexer,
+	     dns_rdatacallbacks_t *callbacks);
+
 static inline int
 getquad(const void *src, struct in_addr *dst,
 	isc_lex_t *lexer, dns_rdatacallbacks_t *callbacks)
@@ -194,7 +208,7 @@ getquad(const void *src, struct in_addr *dst,
 		const char *name = isc_lex_getsourcename(lexer);
 		if (name == NULL)
 			name = "UNKNOWN";
-		(*callbacks->warn)(callbacks, "%s:%lu: warning \"%s\" "
+		(*callbacks->warn)(callbacks, "%s:%lu: \"%s\" "
 				   "is not a decimal dotted quad", name,
 				   isc_lex_getsourceline(lexer), src);
 	}
@@ -231,119 +245,6 @@ static const char decdigits[] = "0123456789";
 #define META 0x0001
 #define RESERVED 0x0002
 
-#define RCODENAMES \
-	/* standard rcodes */ \
-	{ dns_rcode_noerror, "NOERROR", 0}, \
-	{ dns_rcode_formerr, "FORMERR", 0}, \
-	{ dns_rcode_servfail, "SERVFAIL", 0}, \
-	{ dns_rcode_nxdomain, "NXDOMAIN", 0}, \
-	{ dns_rcode_notimp, "NOTIMP", 0}, \
-	{ dns_rcode_refused, "REFUSED", 0}, \
-	{ dns_rcode_yxdomain, "YXDOMAIN", 0}, \
-	{ dns_rcode_yxrrset, "YXRRSET", 0}, \
-	{ dns_rcode_nxrrset, "NXRRSET", 0}, \
-	{ dns_rcode_notauth, "NOTAUTH", 0}, \
-	{ dns_rcode_notzone, "NOTZONE", 0},
-
-#define ERCODENAMES \
-	/* extended rcodes */ \
-	{ dns_rcode_badvers, "BADVERS", 0}, \
-	{ 0, NULL, 0 }
-
-#define TSIGRCODENAMES \
-	/* extended rcodes */ \
-	{ dns_tsigerror_badsig, "BADSIG", 0}, \
-	{ dns_tsigerror_badkey, "BADKEY", 0}, \
-	{ dns_tsigerror_badtime, "BADTIME", 0}, \
-	{ dns_tsigerror_badmode, "BADMODE", 0}, \
-	{ dns_tsigerror_badname, "BADNAME", 0}, \
-	{ dns_tsigerror_badalg, "BADALG", 0}, \
-	{ 0, NULL, 0 }
-
-/* RFC2538 section 2.1 */
-
-#define CERTNAMES \
-	{ 1, "PKIX", 0}, \
-	{ 2, "SPKI", 0}, \
-	{ 3, "PGP", 0}, \
-	{ 253, "URI", 0}, \
-	{ 254, "OID", 0}, \
-	{ 0, NULL, 0}
-
-/* RFC2535 section 7 */
-
-#define SECALGNAMES \
-	{ 1, "RSAMD5", 0 }, \
-	{ 2, "DH", 0 }, \
-	{ 3, "DSA", 0 }, \
-	{ 4, "ECC", 0 }, \
-	{ 252, "INDIRECT", 0 }, \
-	{ 253, "PRIVATEDNS", 0 }, \
-	{ 254, "PRIVATEOID", 0 }, \
-	{ 0, NULL, 0}
-
-/* RFC2535 section 7.1 */
-
-#define SECPROTONAMES \
-	{   0,    "NONE", 0 }, \
-	{   1,    "TLS", 0 }, \
-	{   2,    "EMAIL", 0 }, \
-	{   3,    "DNSSEC", 0 }, \
-	{   4,    "IPSEC", 0 }, \
-	{ 255,    "ALL", 0 }, \
-	{ 0, NULL, 0}
-
-struct tbl {
-	unsigned int	value;
-	const char	*name;
-	int		flags;
-};
-
-static struct tbl rcodes[] = { RCODENAMES ERCODENAMES };
-static struct tbl tsigrcodes[] = { RCODENAMES TSIGRCODENAMES };
-static struct tbl certs[] = { CERTNAMES };
-static struct tbl secalgs[] = { SECALGNAMES };
-static struct tbl secprotos[] = { SECPROTONAMES };
-
-static struct keyflag {
-	const char *name;
-	unsigned int value;
-	unsigned int mask;
-} keyflags[] = {
-	{ "NOCONF", 0x4000, 0xC000 },
-	{ "NOAUTH", 0x8000, 0xC000 },
-	{ "NOKEY",  0xC000, 0xC000 },
-	{ "FLAG2",  0x2000, 0x2000 },
-	{ "EXTEND", 0x1000, 0x1000 },
-	{ "FLAG4",  0x0800, 0x0800 },
-	{ "FLAG5",  0x0400, 0x0400 },
-	{ "USER",   0x0000, 0x0300 },
-	{ "ZONE",   0x0100, 0x0300 },
-	{ "HOST",   0x0200, 0x0300 },
-	{ "NTYP3",  0x0300, 0x0300 },
-	{ "FLAG8",  0x0080, 0x0080 },
-	{ "FLAG9",  0x0040, 0x0040 },
-	{ "FLAG10", 0x0020, 0x0020 },
-	{ "FLAG11", 0x0010, 0x0010 },
-	{ "SIG0",   0x0000, 0x000F },
-	{ "SIG1",   0x0001, 0x000F },
-	{ "SIG2",   0x0002, 0x000F },
-	{ "SIG3",   0x0003, 0x000F },
-	{ "SIG4",   0x0004, 0x000F },
-	{ "SIG5",   0x0005, 0x000F },
-	{ "SIG6",   0x0006, 0x000F },
-	{ "SIG7",   0x0007, 0x000F },
-	{ "SIG8",   0x0008, 0x000F },
-	{ "SIG9",   0x0009, 0x000F },
-	{ "SIG10",  0x000A, 0x000F },
-	{ "SIG11",  0x000B, 0x000F },
-	{ "SIG12",  0x000C, 0x000F },
-	{ "SIG13",  0x000D, 0x000F },
-	{ "SIG14",  0x000E, 0x000F },
-	{ "SIG15",  0x000F, 0x000F },
-	{ NULL,     0, 0 }
-};
-
 /***
  *** Initialization
  ***/
@@ -446,7 +347,7 @@ dns_rdata_compare(const dns_rdata_t *rdata1, const dns_rdata_t *rdata2) {
 
 		dns_rdata_toregion(rdata1, &r1);
 		dns_rdata_toregion(rdata2, &r2);
-		result = compare_region(&r1, &r2);
+		result = isc_region_compare(&r1, &r2);
 	}
 	return (result);
 }
@@ -487,7 +388,7 @@ dns_rdata_toregion(const dns_rdata_t *rdata, isc_region_t *r) {
 isc_result_t
 dns_rdata_fromwire(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
 		   dns_rdatatype_t type, isc_buffer_t *source,
-		   dns_decompress_t *dctx, isc_boolean_t downcase,
+		   dns_decompress_t *dctx, unsigned int options,
 		   isc_buffer_t *target)
 {
 	isc_result_t result = ISC_R_NOTIMPLEMENTED;
@@ -601,7 +502,7 @@ rdata_validate(isc_buffer_t *src, isc_buffer_t *dest, dns_rdataclass_t rdclass,
 	dns_decompress_init(&dctx, -1, DNS_DECOMPRESS_NONE);
 	isc_buffer_setactive(src, isc_buffer_usedlength(src));
 	result = dns_rdata_fromwire(&rdata, rdclass, type, src,
-				    &dctx, ISC_FALSE, dest);
+				    &dctx, 0, dest);
 	dns_decompress_invalidate(&dctx);
 
 	return (result);
@@ -656,15 +557,15 @@ unknown_fromtext(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 isc_result_t
 dns_rdata_fromtext(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
 		   dns_rdatatype_t type, isc_lex_t *lexer,
-		   dns_name_t *origin, isc_boolean_t downcase, isc_mem_t *mctx,
+		   dns_name_t *origin, unsigned int options, isc_mem_t *mctx,
 		   isc_buffer_t *target, dns_rdatacallbacks_t *callbacks)
 {
 	isc_result_t result = ISC_R_NOTIMPLEMENTED;
 	isc_region_t region;
 	isc_buffer_t st;
 	isc_token_t token;
-	unsigned int options = ISC_LEXOPT_EOL | ISC_LEXOPT_EOF |
-			       ISC_LEXOPT_DNSMULTILINE | ISC_LEXOPT_ESCAPE;
+	unsigned int lexoptions = ISC_LEXOPT_EOL | ISC_LEXOPT_EOF |
+				  ISC_LEXOPT_DNSMULTILINE | ISC_LEXOPT_ESCAPE;
 	char *name;
 	unsigned long line;
 	void (*callback)(dns_rdatacallbacks_t *, const char *, ...);
@@ -697,7 +598,7 @@ dns_rdata_fromtext(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
 		return (result);
 	}
 
-	if (strcmp((char *)token.value.as_pointer, "\\#") == 0)
+	if (strcmp(DNS_AS_STR(token), "\\#") == 0)
 		result = unknown_fromtext(rdclass, type, lexer, mctx, target);
 	else {
 		isc_lex_ungettoken(lexer, &token);
@@ -713,7 +614,7 @@ dns_rdata_fromtext(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
 	do {
 		name = isc_lex_getsourcename(lexer);
 		line = isc_lex_getsourceline(lexer);
-		tresult = isc_lex_gettoken(lexer, options, &token);
+		tresult = isc_lex_gettoken(lexer, lexoptions, &token);
 		if (tresult != ISC_R_SUCCESS) {
 			if (result == ISC_R_SUCCESS)
 				result = tresult;
@@ -759,7 +660,7 @@ rdata_totext(dns_rdata_t *rdata, dns_rdata_textctx_t *tctx,
 {
 	isc_result_t result = ISC_R_NOTIMPLEMENTED;
 	isc_boolean_t use_default = ISC_FALSE;
-	char buf[sizeof("65536")];
+	char buf[sizeof("65535")];
 	isc_region_t sr;
 
 	REQUIRE(rdata != NULL);
@@ -777,11 +678,11 @@ rdata_totext(dns_rdata_t *rdata, dns_rdata_textctx_t *tctx,
 	TOTEXTSWITCH
 
 	if (use_default) {
-		sprintf(buf, "\\# ");
+		strlcpy(buf, "\\# ", sizeof(buf));
 		result = str_totext(buf, target);
 		dns_rdata_toregion(rdata, &sr);
 		INSIST(sr.length < 65536);
-		sprintf(buf, "%u", sr.length);
+		snprintf(buf, sizeof(buf), "%u", sr.length);
 		result = str_totext(buf, target);
 		if (sr.length != 0 && result == ISC_R_SUCCESS) {
 			if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
@@ -949,183 +850,32 @@ dns_rdata_digest(dns_rdata_t *rdata, dns_digestfunc_t digest, void *arg) {
 	return (result);
 }
 
-unsigned int
-dns_rdatatype_attributes(dns_rdatatype_t type)
-{
-	if (type < (sizeof(typeattr)/sizeof(typeattr[0])))
-		return (typeattr[type].flags);
-	return (DNS_RDATATYPEATTR_UNKNOWN);
-}
-
-#define NUMBERSIZE sizeof("037777777777") /* 2^32-1 octal + NUL */
-
-static isc_result_t
-dns_mnemonic_fromtext(unsigned int *valuep, isc_textregion_t *source,
-		      struct tbl *table, unsigned int max)
+isc_boolean_t
+dns_rdata_checkowner(dns_name_t *name, dns_rdataclass_t rdclass,
+		     dns_rdatatype_t type, isc_boolean_t wildcard)
 {
-	int i;
-
-	if (isdigit(source->base[0] & 0xff) &&
-	    source->length <= NUMBERSIZE - 1) {
-		unsigned int n;
-		char *e;
-		char buffer[NUMBERSIZE];
-		/*
-		 * We have a potential number.  Try to parse it with strtoul().
-		 * strtoul() requires null termination, so we must make
-		 * a copy.
-		 */
-		strncpy(buffer, source->base, NUMBERSIZE);
-		INSIST(buffer[source->length] == '\0');
-
-		n = strtoul(buffer, &e, 10);
-		if (*e == 0) {
-			if (n > max)
-				return (ISC_R_RANGE);
-			*valuep = n;
-			return (ISC_R_SUCCESS);
-		}
-		/*
-		 * It was not a number after all; fall through.
-		 */
-	}
+	isc_boolean_t result;
 
-	for (i = 0; table[i].name != NULL; i++) {
-		unsigned int n;
-		n = strlen(table[i].name);
-		if (n == source->length &&
-		    strncasecmp(source->base, table[i].name, n) == 0) {
-			*valuep = table[i].value;
-			return (ISC_R_SUCCESS);
-		}
-	}
-	return (DNS_R_UNKNOWN);
+	CHECKOWNERSWITCH
+	return (result);
 }
 
-static isc_result_t
-dns_mnemonic_totext(unsigned int value, isc_buffer_t *target,
-		    struct tbl *table)
+isc_boolean_t
+dns_rdata_checknames(dns_rdata_t *rdata, dns_name_t *owner, dns_name_t *bad)
 {
-	int i = 0;
-	char buf[sizeof "4294967296"];
-	while (table[i].name != NULL) {
-		if (table[i].value == value) {
-			return (str_totext(table[i].name, target));
-		}
-		i++;
-	}
-	sprintf(buf, "%u", value);
-	return (str_totext(buf, target));
-}
-
+	isc_boolean_t result;
 
-/*
- * This uses lots of hard coded values, but how often do we actually
- * add classes?
- */
-isc_result_t
-dns_rdataclass_fromtext(dns_rdataclass_t *classp, isc_textregion_t *source) {
-#define COMPARE(string, rdclass) \
-	if (((sizeof(string) - 1) == source->length) \
-	    && (strncasecmp(source->base, string, source->length) == 0)) { \
-		*classp = rdclass; \
-		return (ISC_R_SUCCESS); \
-	}
-
-	switch (tolower((unsigned char)source->base[0])) {
-	case 'a':
-		COMPARE("any", dns_rdataclass_any);
-		break;
-	case 'c':
-		/*
-		 * RFC1035 says the mnemonic for the CHAOS class is CH,
-		 * but historical BIND practice is to call it CHAOS.
-		 * We will accept both forms, but only generate CH.
-		 */
-		COMPARE("ch", dns_rdataclass_chaos);
-		COMPARE("chaos", dns_rdataclass_chaos);
-
-		if (source->length > 5 &&
-		    source->length < (5 + sizeof("65000")) &&
-		    strncasecmp("class", source->base, 5) == 0) {
-			char buf[sizeof("65000")];
-			char *endp;
-			unsigned int val;
-
-			strncpy(buf, source->base + 5, source->length - 5);
-			buf[source->length - 5] = '\0';
-			val = strtoul(buf, &endp, 10);
-			if (*endp == '\0' && val <= 0xffff) {
-				*classp = (dns_rdataclass_t)val;
-				return (ISC_R_SUCCESS);
-			}
-		}
-		break;
-	case 'h':
-		COMPARE("hs", dns_rdataclass_hs);
-		COMPARE("hesiod", dns_rdataclass_hs);
-		break;
-	case 'i':
-		COMPARE("in", dns_rdataclass_in);
-		break;
-	case 'n':
-		COMPARE("none", dns_rdataclass_none);
-		break;
-	case 'r':
-		COMPARE("reserved0", dns_rdataclass_reserved0);
-		break;
-	}
-
-#undef COMPARE
-
-	return (DNS_R_UNKNOWN);
-}
-
-isc_result_t
-dns_rdataclass_totext(dns_rdataclass_t rdclass, isc_buffer_t *target) {
-	char buf[sizeof("CLASS65535")];
-
-	switch (rdclass) {
-	case dns_rdataclass_any:
-		return (str_totext("ANY", target));
-	case dns_rdataclass_chaos:
-		return (str_totext("CH", target));
-	case dns_rdataclass_hs:
-		return (str_totext("HS", target));
-	case dns_rdataclass_in:
-		return (str_totext("IN", target));
-	case dns_rdataclass_none:
-		return (str_totext("NONE", target));
-	case dns_rdataclass_reserved0:
-		return (str_totext("RESERVED0", target));
-	default:
-		sprintf(buf, "CLASS%u", rdclass);
-		return (str_totext(buf, target));
-	}
+	CHECKNAMESSWITCH
+	return (result);
 }
 
-void
-dns_rdataclass_format(dns_rdataclass_t rdclass,
-		      char *array, unsigned int size)
+unsigned int
+dns_rdatatype_attributes(dns_rdatatype_t type)
 {
-	isc_result_t result;
-	isc_buffer_t buf;
-
-	isc_buffer_init(&buf, array, size);
-	result = dns_rdataclass_totext(rdclass, &buf);
-	/*
-	 * Null terminate.
-	 */
-	if (result == ISC_R_SUCCESS) {
-		if (isc_buffer_availablelength(&buf) >= 1)
-			isc_buffer_putuint8(&buf, 0);
-		else
-			result = ISC_R_NOSPACE;
-	}
-	if (result != ISC_R_SUCCESS) {
-		snprintf(array, size, "<unknown>");
-		array[size - 1] = '\0';
-	}
+	RDATATYPE_ATTRIBUTE_SW
+	if (type >= (dns_rdatatype_t)128 && type < (dns_rdatatype_t)255)
+		return (DNS_RDATATYPEATTR_UNKNOWN | DNS_RDATATYPEATTR_META);
+	return (DNS_RDATATYPEATTR_UNKNOWN);
 }
 
 isc_result_t
@@ -1171,11 +921,10 @@ dns_rdatatype_fromtext(dns_rdatatype_t *typep, isc_textregion_t *source) {
 
 isc_result_t
 dns_rdatatype_totext(dns_rdatatype_t type, isc_buffer_t *target) {
-	char buf[sizeof("TYPE65536")];
+	char buf[sizeof("TYPE65535")];
 
-	if (type < (sizeof(typeattr)/sizeof(typeattr[0])))
-		return (str_totext(typeattr[type].name, target));
-	snprintf(buf, sizeof buf, "TYPE%u", type);
+	RDATATYPE_TOTEXT_SW
+	snprintf(buf, sizeof(buf), "TYPE%u", type);
 	return (str_totext(buf, target));
 }
 
@@ -1203,135 +952,6 @@ dns_rdatatype_format(dns_rdatatype_t rdtype,
 	}
 }
 
-
-/* XXXRTH  Should we use a hash table here? */
-
-isc_result_t
-dns_rcode_fromtext(dns_rcode_t *rcodep, isc_textregion_t *source) {
-	unsigned int value;
-	RETERR(dns_mnemonic_fromtext(&value, source, rcodes, 0xffff));
-	*rcodep = value;
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_rcode_totext(dns_rcode_t rcode, isc_buffer_t *target) {
-	return (dns_mnemonic_totext(rcode, target, rcodes));
-}
-
-isc_result_t
-dns_tsigrcode_fromtext(dns_rcode_t *rcodep, isc_textregion_t *source) {
-	unsigned int value;
-	RETERR(dns_mnemonic_fromtext(&value, source, tsigrcodes, 0xffff));
-	*rcodep = value;
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_tsigrcode_totext(dns_rcode_t rcode, isc_buffer_t *target) {
-	return (dns_mnemonic_totext(rcode, target, tsigrcodes));
-}
-
-isc_result_t
-dns_cert_fromtext(dns_cert_t *certp, isc_textregion_t *source) {
-	unsigned int value;
-	RETERR(dns_mnemonic_fromtext(&value, source, certs, 0xffff));
-	*certp = value;
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_cert_totext(dns_cert_t cert, isc_buffer_t *target) {
-	return (dns_mnemonic_totext(cert, target, certs));
-}
-
-isc_result_t
-dns_secalg_fromtext(dns_secalg_t *secalgp, isc_textregion_t *source) {
-	unsigned int value;
-	RETERR(dns_mnemonic_fromtext(&value, source, secalgs, 0xff));
-	*secalgp = value;
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_secalg_totext(dns_secalg_t secalg, isc_buffer_t *target) {
-	return (dns_mnemonic_totext(secalg, target, secalgs));
-}
-
-isc_result_t
-dns_secproto_fromtext(dns_secproto_t *secprotop, isc_textregion_t *source) {
-	unsigned int value;
-	RETERR(dns_mnemonic_fromtext(&value, source, secprotos, 0xff));
-	*secprotop = value;
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_secproto_totext(dns_secproto_t secproto, isc_buffer_t *target) {
-	return (dns_mnemonic_totext(secproto, target, secprotos));
-}
-
-isc_result_t
-dns_keyflags_fromtext(dns_keyflags_t *flagsp, isc_textregion_t *source)
-{
-	char *text, *end;
-	unsigned int value, mask;
-
-	if (isdigit(source->base[0] & 0xff) &&
-	    source->length <= NUMBERSIZE - 1) {
-		unsigned int n;
-		char *e;
-		char buffer[NUMBERSIZE];
-		/*
-		 * We have a potential number.  Try to parse it with strtoul().
-		 * strtoul() requires null termination, so we must make
-		 * a copy.
-		 */
-		strncpy(buffer, source->base, NUMBERSIZE);
-		INSIST(buffer[source->length] == '\0');
-
-		n = strtoul(buffer, &e, 0); /* Allow hex/octal. */
-		if (*e == 0) {
-			if (n > 0xffff)
-				return (ISC_R_RANGE);
-			*flagsp = n;
-			return (ISC_R_SUCCESS);
-		}
-		/* It was not a number after all; fall through. */
-	}
-
-	text = source->base;
-	end = source->base + source->length;
-	value = mask = 0;
-
-	while (text < end) {
-		struct keyflag *p;
-		unsigned int len;
-		char *delim = memchr(text, '|', end - text);
-		if (delim != NULL)
-			len = delim - text;
-		else
-			len = end - text;
-		for (p = keyflags; p->name != NULL; p++) {
-			if (strncasecmp(p->name, text, len) == 0)
-				break;
-		}
-		if (p->name == NULL)
-			return (DNS_R_UNKNOWN);
-		value |= p->value;
-#ifdef notyet
-		if ((mask & p->mask) != 0)
-			warn("overlapping key flags");
-#endif
-		mask |= p->mask;
-		text += len;
-		if (delim != NULL)
-			text++;	/* Skip "|" */
-	}
-	*flagsp = value;
-	return (ISC_R_SUCCESS);
-}
-
 /*
  * Private function.
  */
@@ -1366,11 +986,8 @@ txt_totext(isc_region_t *source, isc_buffer_t *target) {
 		if (*sp < 0x20 || *sp >= 0x7f) {
 			if (tl < 4)
 				return (ISC_R_NOSPACE);
-			*tp++ = 0x5c;
-			*tp++ = 0x30 + ((*sp / 100) % 10);
-			*tp++ = 0x30 + ((*sp / 10) % 10);
-			*tp++ = 0x30 + (*sp % 10);
-			sp++;
+			snprintf(tp, 5, "\\%03u", *sp++);
+			tp += 4;
 			tl -= 4;
 			continue;
 		}
@@ -1596,7 +1213,7 @@ name_tobuffer(dns_name_t *name, isc_buffer_t *target) {
 
 static isc_uint32_t
 uint32_fromregion(isc_region_t *region) {
-	isc_uint32_t value;
+	unsigned long value;
 
 	REQUIRE(region->length >= 4);
 	value = region->base[0] << 24;
@@ -1635,20 +1252,6 @@ mem_tobuffer(isc_buffer_t *target, void *base, unsigned int length) {
 }
 
 static int
-compare_region(isc_region_t *r1, isc_region_t *r2) {
-	unsigned int l;
-	int result;
-
-	l = (r1->length < r2->length) ? r1->length : r2->length;
-
-	if ((result = memcmp(r1->base, r2->base, l)) != 0)
-		return ((result < 0) ? -1 : 1);
-	else
-		return ((r1->length == r2->length) ? 0 :
-			(r1->length < r2->length) ? -1 : 1);
-}
-
-static int
 hexvalue(char value) {
 	char *s;
 	unsigned char c;
@@ -1659,7 +1262,7 @@ hexvalue(char value) {
 		return (-1);
 	if (isupper(c))
 		c = tolower(c);
-	if ((s = strchr(hexdigits, c)) == NULL)
+	if ((s = strchr(hexdigits, value)) == NULL)
 		return (-1);
 	return (s - hexdigits);
 }
@@ -1828,7 +1431,7 @@ atob_tobuffer(isc_lex_t *lexer, isc_buffer_t *target) {
 	 */
 	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
 				      ISC_FALSE));
-	oeor = strtol(token.value.as_pointer, &e, 16);
+	oeor = strtol(DNS_AS_STR(token), &e, 16);
 	if (*e != 0)
 		return (DNS_R_SYNTAX);
 
@@ -1837,7 +1440,7 @@ atob_tobuffer(isc_lex_t *lexer, isc_buffer_t *target) {
 	 */
 	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
 				      ISC_FALSE));
-	osum = strtol(token.value.as_pointer, &e, 16);
+	osum = strtol(DNS_AS_STR(token), &e, 16);
 	if (*e != 0)
 		return (DNS_R_SYNTAX);
 
@@ -1846,7 +1449,7 @@ atob_tobuffer(isc_lex_t *lexer, isc_buffer_t *target) {
 	 */
 	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
 				      ISC_FALSE));
-	orot = strtol(token.value.as_pointer, &e, 16);
+	orot = strtol(DNS_AS_STR(token), &e, 16);
 	if (*e != 0)
 		return (DNS_R_SYNTAX);
 
@@ -1929,7 +1532,7 @@ static isc_result_t
 btoa_totext(unsigned char *inbuf, int inbuflen, isc_buffer_t *target) {
 	int inc;
 	struct state statebuf, *state = &statebuf;
-	char buf[sizeof "x 2000000000 ffffffff ffffffff ffffffff"];
+	char buf[sizeof("x 2000000000 ffffffff ffffffff ffffffff")];
 
 	Ceor = Csum = Crot = word = bcount = 0;
 	for (inc = 0; inc < inbuflen; inbuf++, inc++)
@@ -1942,7 +1545,7 @@ btoa_totext(unsigned char *inbuf, int inbuflen, isc_buffer_t *target) {
 	 * Put byte count and checksum information at end of buffer,
 	 * delimited by 'x'
 	 */
-	sprintf(buf, "x %d %x %x %x", inbuflen, Ceor, Csum, Crot);
+	snprintf(buf, sizeof(buf), "x %d %x %x %x", inbuflen, Ceor, Csum, Crot);
 	return (str_totext(buf, target));
 }
 
@@ -1958,6 +1561,7 @@ default_fromtext_callback(dns_rdatacallbacks_t *callbacks, const char *fmt,
 	va_start(ap, fmt);
 	vfprintf(stderr, fmt, ap);
 	va_end(ap);
+	fprintf(stderr, "\n");
 }
 
 static void
@@ -1973,6 +1577,24 @@ fromtext_warneof(isc_lex_t *lexer, dns_rdatacallbacks_t *callbacks) {
 }
 
 static void
+warn_badname(dns_name_t *name, isc_lex_t *lexer,
+	     dns_rdatacallbacks_t *callbacks)
+{
+	const char *file;
+	unsigned long line;
+	char namebuf[DNS_NAME_FORMATSIZE];
+	
+	if (lexer != NULL) {
+		file = isc_lex_getsourcename(lexer);
+		line = isc_lex_getsourceline(lexer);
+		dns_name_format(name, namebuf, sizeof(namebuf));
+		(*callbacks->warn)(callbacks, "%s:%u: %s: %s", 
+				   file, line, namebuf,
+				   dns_result_totext(DNS_R_BADNAME));
+	}
+}
+
+static void
 fromtext_error(void (*callback)(dns_rdatacallbacks_t *, const char *, ...),
 	       dns_rdatacallbacks_t *callbacks, const char *name,
 	       unsigned long line, isc_token_t *token, isc_result_t result)
@@ -2002,7 +1624,7 @@ fromtext_error(void (*callback)(dns_rdatacallbacks_t *, const char *, ...),
 		case isc_tokentype_qstring:
 			(*callback)(callbacks, "%s: %s:%lu: near '%s': %s",
 				    "dns_rdata_fromtext", name, line,
-				    (char *)token->value.as_pointer,
+				    DNS_AS_STR(*token),
 				    dns_result_totext(result));
 			break;
 		default:
@@ -2019,6 +1641,8 @@ fromtext_error(void (*callback)(dns_rdatacallbacks_t *, const char *, ...),
 
 dns_rdatatype_t
 dns_rdata_covers(dns_rdata_t *rdata) {
+	if (rdata->type == 46)
+		return (covers_rrsig(rdata));
 	return (covers_sig(rdata));
 }
 
@@ -2054,6 +1678,13 @@ dns_rdatatype_questiononly(dns_rdatatype_t type) {
 }
 
 isc_boolean_t
+dns_rdatatype_atparent(dns_rdatatype_t type) {
+	if ((dns_rdatatype_attributes(type) & DNS_RDATATYPEATTR_ATPARENT) != 0)
+		return (ISC_TRUE);
+	return (ISC_FALSE);
+}
+
+isc_boolean_t
 dns_rdataclass_ismeta(dns_rdataclass_t rdclass) {
 
 	if (rdclass == dns_rdataclass_reserved0
@@ -2087,4 +1718,3 @@ dns_rdatatype_isknown(dns_rdatatype_t type) {
 		return (ISC_TRUE);
 	return (ISC_FALSE);
 }
-
diff --git a/lib/dns/rdata/any_255/tsig_250.c b/lib/dns/rdata/any_255/tsig_250.c
index 570ef889..6943d824 100644
--- a/lib/dns/rdata/any_255/tsig_250.c
+++ b/lib/dns/rdata/any_255/tsig_250.c
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tsig_250.c,v 1.52.2.5 2005/03/20 22:33:29 marka Exp $ */
+/* $Id: tsig_250.c,v 1.52.2.1.2.6 2004/03/08 09:04:40 marka Exp $ */
 
 /* Reviewed: Thu Mar 16 13:39:43 PST 2000 by gson */
 
@@ -50,14 +50,14 @@ fromtext_any_tsig(ARGS_FROMTEXT) {
 	dns_name_init(&name, NULL);
 	buffer_fromregion(&buffer, &token.value.as_region);
 	origin = (origin != NULL) ? origin : dns_rootname;
-	RETTOK(dns_name_fromtext(&name, &buffer, origin, downcase, target));
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
 
 	/*
 	 * Time Signed: 48 bits.
 	 */
 	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
 				      ISC_FALSE));
-	sigtime = isc_string_touint64(token.value.as_pointer, &e, 10);
+	sigtime = isc_string_touint64(DNS_AS_STR(token), &e, 10);
 	if (*e != 0)
 		RETTOK(DNS_R_SYNTAX);
 	if ((sigtime >> 48) != 0)
@@ -105,7 +105,7 @@ fromtext_any_tsig(ARGS_FROMTEXT) {
 	if (dns_tsigrcode_fromtext(&rcode, &token.value.as_textregion)
 				!= ISC_R_SUCCESS)
 	{
-		i = strtol(token.value.as_pointer, &e, 10);
+		i = strtol(DNS_AS_STR(token), &e, 10);
 		if (*e != 0)
 			RETTOK(DNS_R_UNKNOWN);
 		if (i < 0 || i > 0xffff)
@@ -133,7 +133,7 @@ static inline isc_result_t
 totext_any_tsig(ARGS_TOTEXT) {
 	isc_region_t sr;
 	isc_region_t sigr;
-	char buf[sizeof "281474976710655 "];
+	char buf[sizeof("281474976710655 ")];
 	char *bufp;
 	dns_name_t name;
 	dns_name_t prefix;
@@ -162,12 +162,10 @@ totext_any_tsig(ARGS_TOTEXT) {
 	 */
 	sigtime = ((isc_uint64_t)sr.base[0] << 40) |
 		  ((isc_uint64_t)sr.base[1] << 32) |
-		  ((isc_uint64_t)sr.base[2] << 24) |
-		  ((isc_uint64_t)sr.base[3] << 16) |
-		  ((isc_uint64_t)sr.base[4] << 8) |
-		  (isc_uint64_t)sr.base[5];
+		  (sr.base[2] << 24) | (sr.base[3] << 16) |
+		  (sr.base[4] << 8) | sr.base[5];
 	isc_region_consume(&sr, 6);
-	bufp = &buf[sizeof buf - 1];
+	bufp = &buf[sizeof(buf) - 1];
 	*bufp-- = 0;
 	*bufp-- = ' ';
 	do {
@@ -262,7 +260,7 @@ fromwire_any_tsig(ARGS_FROMWIRE) {
 	 * Algorithm Name.
 	 */
 	dns_name_init(&name, NULL);
-	RETERR(dns_name_fromwire(&name, source, dctx, downcase, target));
+	RETERR(dns_name_fromwire(&name, source, dctx, options, target));
 
 	isc_buffer_activeregion(source, &sr);
 	/*
@@ -352,7 +350,7 @@ compare_any_tsig(ARGS_COMPARE) {
 		return (order);
 	isc_region_consume(&r1, name_length(&name1));
 	isc_region_consume(&r2, name_length(&name2));
-	return (compare_region(&r1, &r2));
+	return (isc_region_compare(&r1, &r2));
 }
 
 static inline isc_result_t
@@ -459,10 +457,8 @@ tostruct_any_tsig(ARGS_TOSTRUCT) {
 	INSIST(sr.length >= 6);
 	tsig->timesigned = ((isc_uint64_t)sr.base[0] << 40) |
 			   ((isc_uint64_t)sr.base[1] << 32) |
-			   ((isc_uint64_t)sr.base[2] << 24) |
-			   ((isc_uint64_t)sr.base[3] << 16) |
-			   ((isc_uint64_t)sr.base[4] << 8) |
-			   (isc_uint64_t)sr.base[5];
+			   (sr.base[2] << 24) | (sr.base[3] << 16) |
+			   (sr.base[4] << 8) | sr.base[5];
 	isc_region_consume(&sr, 6);
 
 	/*
@@ -567,4 +563,31 @@ digest_any_tsig(ARGS_DIGEST) {
 	return (ISC_R_NOTIMPLEMENTED);
 }
 
+static inline isc_boolean_t
+checkowner_any_tsig(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == 250);
+	REQUIRE(rdclass == 255);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_any_tsig(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == 250);
+	REQUIRE(rdata->rdclass == 250);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (ISC_TRUE);
+}
+
 #endif	/* RDATA_ANY_255_TSIG_250_C */
diff --git a/lib/dns/rdata/any_255/tsig_250.h b/lib/dns/rdata/any_255/tsig_250.h
index 9c6fe367..7b5ccc26 100644
--- a/lib/dns/rdata/any_255/tsig_250.h
+++ b/lib/dns/rdata/any_255/tsig_250.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tsig_250.h,v 1.20.2.1 2004/03/09 06:11:26 marka Exp $ */
+/* $Id: tsig_250.h,v 1.20.206.1 2004/03/06 08:14:02 marka Exp $ */
 
 /* RFC 2845 */
 
diff --git a/lib/dns/rdata/generic/afsdb_18.c b/lib/dns/rdata/generic/afsdb_18.c
index d52ce424..f46844a4 100644
--- a/lib/dns/rdata/generic/afsdb_18.c
+++ b/lib/dns/rdata/generic/afsdb_18.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: afsdb_18.c,v 1.39.2.3 2004/03/09 06:11:26 marka Exp $ */
+/* $Id: afsdb_18.c,v 1.39.2.1.2.3 2004/03/06 08:14:03 marka Exp $ */
 
 /* Reviewed: Wed Mar 15 14:59:00 PST 2000 by explorer */
 
@@ -31,6 +31,7 @@ fromtext_afsdb(ARGS_FROMTEXT) {
 	isc_token_t token;
 	isc_buffer_t buffer;
 	dns_name_t name;
+	isc_boolean_t ok;
 
 	REQUIRE(type == 18);
 
@@ -55,7 +56,14 @@ fromtext_afsdb(ARGS_FROMTEXT) {
 	dns_name_init(&name, NULL);
 	buffer_fromregion(&buffer, &token.value.as_region);
 	origin = (origin != NULL) ? origin : dns_rootname;
-	RETTOK(dns_name_fromtext(&name, &buffer, origin, downcase, target));
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+	ok = ISC_TRUE;
+	if ((options & DNS_RDATA_CHECKNAMES) != 0)
+		ok = dns_name_ishostname(&name, ISC_FALSE);
+	if (!ok && (options & DNS_RDATA_CHECKNAMESFAIL) != 0)
+		RETTOK(DNS_R_BADNAME);
+	if (!ok && callbacks != NULL)
+		warn_badname(&name, lexer, callbacks);
 	return (ISC_R_SUCCESS);
 }
 
@@ -64,7 +72,7 @@ totext_afsdb(ARGS_TOTEXT) {
 	dns_name_t name;
 	dns_name_t prefix;
 	isc_region_t region;
-	char buf[sizeof "64000 "];
+	char buf[sizeof("64000 ")];
 	isc_boolean_t sub;
 	unsigned int num;
 
@@ -108,7 +116,7 @@ fromwire_afsdb(ARGS_FROMWIRE) {
 	memcpy(tr.base, sr.base, 2);
 	isc_buffer_forward(source, 2);
 	isc_buffer_add(target, 2);
-	return (dns_name_fromwire(&name, source, dctx, downcase, target));
+	return (dns_name_fromwire(&name, source, dctx, options, target));
 }
 
 static inline isc_result_t
@@ -264,4 +272,38 @@ digest_afsdb(ARGS_DIGEST) {
 	return (dns_name_digest(&name, digest, arg));
 }
 
+static inline isc_boolean_t
+checkowner_afsdb(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == 18);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_afsdb(ARGS_CHECKNAMES) {
+	isc_region_t region;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == 18);
+
+	UNUSED(owner);
+
+	dns_rdata_toregion(rdata, &region);
+	isc_region_consume(&region, 2);
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &region);
+	if (!dns_name_ishostname(&name, ISC_FALSE)) {
+		if (bad != NULL)
+			dns_name_clone(&name, bad);
+		return (ISC_FALSE);
+	}
+	return (ISC_TRUE);
+}
+
 #endif	/* RDATA_GENERIC_AFSDB_18_C */
diff --git a/lib/dns/rdata/generic/afsdb_18.h b/lib/dns/rdata/generic/afsdb_18.h
index 45818af7..3f89f9df 100644
--- a/lib/dns/rdata/generic/afsdb_18.h
+++ b/lib/dns/rdata/generic/afsdb_18.h
@@ -18,7 +18,7 @@
 #ifndef GENERIC_AFSDB_18_H
 #define GENERIC_AFSDB_18_H 1
 
-/* $Id: afsdb_18.h,v 1.15.2.1 2004/03/09 06:11:26 marka Exp $ */
+/* $Id: afsdb_18.h,v 1.15.206.1 2004/03/06 08:14:03 marka Exp $ */
 
 /* RFC 1183 */
 
diff --git a/lib/dns/rdata/generic/cert_37.c b/lib/dns/rdata/generic/cert_37.c
index b53b71ff..81a1aa74 100644
--- a/lib/dns/rdata/generic/cert_37.c
+++ b/lib/dns/rdata/generic/cert_37.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
+ * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: cert_37.c,v 1.40.2.3 2004/03/09 06:11:26 marka Exp $ */
+/* $Id: cert_37.c,v 1.40.2.1.2.5 2004/03/08 09:04:40 marka Exp $ */
 
 /* Reviewed: Wed Mar 15 21:14:32 EST 2000 by tale */
 
@@ -37,7 +37,7 @@ fromtext_cert(ARGS_FROMTEXT) {
 	UNUSED(type);
 	UNUSED(rdclass);
 	UNUSED(origin);
-	UNUSED(downcase);
+	UNUSED(options);
 	UNUSED(callbacks);
 
 	/*
@@ -71,7 +71,7 @@ fromtext_cert(ARGS_FROMTEXT) {
 static inline isc_result_t
 totext_cert(ARGS_TOTEXT) {
 	isc_region_t sr;
-	char buf[sizeof "64000 "];
+	char buf[sizeof("64000 ")];
 	unsigned int n;
 
 	REQUIRE(rdata->type == 37);
@@ -125,7 +125,7 @@ fromwire_cert(ARGS_FROMWIRE) {
 	UNUSED(type);
 	UNUSED(rdclass);
 	UNUSED(dctx);
-	UNUSED(downcase);
+	UNUSED(options);
 
 	isc_buffer_activeregion(source, &sr);
 	if (sr.length < 5)
@@ -161,7 +161,7 @@ compare_cert(ARGS_COMPARE) {
 
 	dns_rdata_toregion(rdata1, &r1);
 	dns_rdata_toregion(rdata2, &r2);
-	return (compare_region(&r1, &r2));
+	return (isc_region_compare(&r1, &r2));
 }
 
 static inline isc_result_t
@@ -251,4 +251,30 @@ digest_cert(ARGS_DIGEST) {
 	return ((digest)(arg, &r));
 }
 
+static inline isc_boolean_t
+checkowner_cert(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == 37);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_cert(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == 37);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (ISC_TRUE);
+}
+
 #endif	/* RDATA_GENERIC_CERT_37_C */
+
diff --git a/lib/dns/rdata/generic/cert_37.h b/lib/dns/rdata/generic/cert_37.h
index 26ebf202..01ae265a 100644
--- a/lib/dns/rdata/generic/cert_37.h
+++ b/lib/dns/rdata/generic/cert_37.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: cert_37.h,v 1.15.2.1 2004/03/09 06:11:27 marka Exp $ */
+/* $Id: cert_37.h,v 1.15.206.1 2004/03/06 08:14:03 marka Exp $ */
 
 /* RFC 2538 */
 #ifndef GENERIC_CERT_37_H
diff --git a/lib/dns/rdata/generic/cname_5.c b/lib/dns/rdata/generic/cname_5.c
index 345b38ae..0ce7aa25 100644
--- a/lib/dns/rdata/generic/cname_5.c
+++ b/lib/dns/rdata/generic/cname_5.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: cname_5.c,v 1.43.2.1 2004/03/09 06:11:27 marka Exp $ */
+/* $Id: cname_5.c,v 1.43.206.2 2004/03/06 08:14:03 marka Exp $ */
 
 /* reviewed: Wed Mar 15 16:48:45 PST 2000 by brister */
 
@@ -43,7 +43,7 @@ fromtext_cname(ARGS_FROMTEXT) {
 	dns_name_init(&name, NULL);
 	buffer_fromregion(&buffer, &token.value.as_region);
 	origin = (origin != NULL) ? origin : dns_rootname;
-	RETTOK(dns_name_fromtext(&name, &buffer, origin, downcase, target));
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
 	return (ISC_R_SUCCESS);
 }
 
@@ -80,7 +80,7 @@ fromwire_cname(ARGS_FROMWIRE) {
 	dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
 
 	dns_name_init(&name, NULL);
-	return (dns_name_fromwire(&name, source, dctx, downcase, target));
+	return (dns_name_fromwire(&name, source, dctx, options, target));
 }
 
 static inline isc_result_t
@@ -204,4 +204,29 @@ digest_cname(ARGS_DIGEST) {
 	return (dns_name_digest(&name, digest, arg));
 }
 
+static inline isc_boolean_t
+checkowner_cname(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == 5);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_cname(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == 5);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (ISC_TRUE);
+}
+
 #endif	/* RDATA_GENERIC_CNAME_5_C */
diff --git a/lib/dns/rdata/generic/cname_5.h b/lib/dns/rdata/generic/cname_5.h
index 285f29cc..2efee443 100644
--- a/lib/dns/rdata/generic/cname_5.h
+++ b/lib/dns/rdata/generic/cname_5.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: cname_5.h,v 1.23.2.1 2004/03/09 06:11:27 marka Exp $ */
+/* $Id: cname_5.h,v 1.23.206.1 2004/03/06 08:14:04 marka Exp $ */
 
 #ifndef GENERIC_CNAME_5_H
 #define GENERIC_CNAME_5_H 1
diff --git a/lib/dns/rdata/generic/dlv_65323.c b/lib/dns/rdata/generic/dlv_65323.c
new file mode 100644
index 00000000..2d91758b
--- /dev/null
+++ b/lib/dns/rdata/generic/dlv_65323.c
@@ -0,0 +1,281 @@
+/*
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dlv_65323.c,v 1.2.2.4 2004/03/16 12:38:14 marka Exp $ */
+
+/* draft-ietf-dnsext-delegation-signer-05.txt */
+
+#ifndef RDATA_GENERIC_DLV_65323_C
+#define RDATA_GENERIC_DLV_65323_C
+
+#define RRTYPE_DLV_ATTRIBUTES 0
+
+static inline isc_result_t
+fromtext_dlv(ARGS_FROMTEXT) {
+	isc_token_t token;
+
+	REQUIRE(type == 65323);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(callbacks);
+
+	/*
+	 * Key tag.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      ISC_FALSE));
+	if (token.value.as_ulong > 0xffffU)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Algorithm.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      ISC_FALSE));
+	if (token.value.as_ulong > 0xffU)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint8_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Digest type.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      ISC_FALSE));
+	if (token.value.as_ulong > 0xffU)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint8_tobuffer(token.value.as_ulong, target));
+	type = (isc_uint16_t) token.value.as_ulong;
+
+	/*
+	 * Digest.
+	 */
+	return (isc_hex_tobuffer(lexer, target, -1));
+}
+
+static inline isc_result_t
+totext_dlv(ARGS_TOTEXT) {
+	isc_region_t sr;
+	char buf[sizeof("64000 ")];
+	unsigned int n;
+
+	REQUIRE(rdata->type == 65323);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(tctx);
+
+	dns_rdata_toregion(rdata, &sr);
+
+	/*
+	 * Key tag.
+	 */
+	n = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+	sprintf(buf, "%u ", n);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * Algorithm.
+	 */
+	n = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+	sprintf(buf, "%u ", n);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * Digest type.
+	 */
+	n = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+	sprintf(buf, "%u", n);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * Digest.
+	 */
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+		RETERR(str_totext(" (", target));
+	RETERR(str_totext(tctx->linebreak, target));
+	RETERR(isc_hex_totext(&sr, tctx->width - 2, tctx->linebreak, target));
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+		RETERR(str_totext(" )", target));
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+fromwire_dlv(ARGS_FROMWIRE) {
+	isc_region_t sr;
+
+	REQUIRE(type == 65323);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(dctx);
+	UNUSED(options);
+
+	isc_buffer_activeregion(source, &sr);
+	if (sr.length < 4)
+		return (ISC_R_UNEXPECTEDEND);
+
+	isc_buffer_forward(source, sr.length);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline isc_result_t
+towire_dlv(ARGS_TOWIRE) {
+	isc_region_t sr;
+
+	REQUIRE(rdata->type == 65323);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(cctx);
+
+	dns_rdata_toregion(rdata, &sr);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline int
+compare_dlv(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == 65323);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_dlv(ARGS_FROMSTRUCT) {
+	dns_rdata_dlv_t *dlv = source;
+
+	REQUIRE(type == 65323);
+	REQUIRE(source != NULL);
+	REQUIRE(dlv->common.rdtype == type);
+	REQUIRE(dlv->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	RETERR(uint16_tobuffer(dlv->key_tag, target));
+	RETERR(uint8_tobuffer(dlv->algorithm, target));
+	RETERR(uint8_tobuffer(dlv->digest_type, target));
+
+	return (mem_tobuffer(target, dlv->digest, dlv->length));
+}
+
+static inline isc_result_t
+tostruct_dlv(ARGS_TOSTRUCT) {
+	dns_rdata_dlv_t *dlv = target;
+	isc_region_t region;
+
+	REQUIRE(rdata->type == 65323);
+	REQUIRE(target != NULL);
+	REQUIRE(rdata->length != 0);
+
+	dlv->common.rdclass = rdata->rdclass;
+	dlv->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&dlv->common, link);
+
+	dns_rdata_toregion(rdata, &region);
+
+	dlv->key_tag = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+	dlv->algorithm = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+	dlv->digest_type = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+	dlv->length = region.length;
+
+	dlv->digest = mem_maybedup(mctx, region.base, region.length);
+	if (dlv->digest == NULL)
+		return (ISC_R_NOMEMORY);
+
+	dlv->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_dlv(ARGS_FREESTRUCT) {
+	dns_rdata_dlv_t *dlv = source;
+
+	REQUIRE(dlv != NULL);
+	REQUIRE(dlv->common.rdtype == 65323);
+
+	if (dlv->mctx == NULL)
+		return;
+
+	if (dlv->digest != NULL)
+		isc_mem_free(dlv->mctx, dlv->digest);
+	dlv->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_dlv(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == 65323);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_dlv(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == 65323);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static inline isc_boolean_t
+checkowner_dlv(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == 65323);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_dlv(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == 65323);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (ISC_TRUE);
+}
+
+#endif	/* RDATA_GENERIC_DLV_65323_C */
diff --git a/lib/dns/rdata/generic/dlv_65323.h b/lib/dns/rdata/generic/dlv_65323.h
new file mode 100644
index 00000000..689fd4b3
--- /dev/null
+++ b/lib/dns/rdata/generic/dlv_65323.h
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dlv_65323.h,v 1.2.2.3 2004/03/15 01:02:55 marka Exp $ */
+
+/* draft-ietf-dnsext-delegation-signer-05.txt */
+#ifndef GENERIC_DLV_65323_H
+#define GENERIC_DLV_65323_H 1
+
+typedef struct dns_rdata_dlv {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	isc_uint16_t		key_tag;
+	isc_uint8_t		algorithm;
+	isc_uint8_t		digest_type;
+	isc_uint16_t		length;
+	unsigned char		*digest;
+} dns_rdata_dlv_t;
+
+#endif /* GENERIC_DLV_65323_H */
diff --git a/lib/dns/rdata/generic/dname_39.c b/lib/dns/rdata/generic/dname_39.c
index 6d3672b3..b532f2ea 100644
--- a/lib/dns/rdata/generic/dname_39.c
+++ b/lib/dns/rdata/generic/dname_39.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dname_39.c,v 1.34.2.1 2004/03/09 06:11:27 marka Exp $ */
+/* $Id: dname_39.c,v 1.34.206.2 2004/03/06 08:14:04 marka Exp $ */
 
 /* Reviewed: Wed Mar 15 16:52:38 PST 2000 by explorer */
 
@@ -44,7 +44,7 @@ fromtext_dname(ARGS_FROMTEXT) {
 	dns_name_init(&name, NULL);
 	buffer_fromregion(&buffer, &token.value.as_region);
 	origin = (origin != NULL) ? origin : dns_rootname;
-	RETTOK(dns_name_fromtext(&name, &buffer, origin, downcase, target));
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
 	return (ISC_R_SUCCESS);
 }
 
@@ -81,7 +81,7 @@ fromwire_dname(ARGS_FROMWIRE) {
 	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
 
 	dns_name_init(&name, NULL);
-	return(dns_name_fromwire(&name, source, dctx, downcase, target));
+	return(dns_name_fromwire(&name, source, dctx, options, target));
 }
 
 static inline isc_result_t
@@ -205,4 +205,29 @@ digest_dname(ARGS_DIGEST) {
 	return (dns_name_digest(&name, digest, arg));
 }
 
+static inline isc_boolean_t
+checkowner_dname(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == 39);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_dname(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == 39);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (ISC_TRUE);
+}
+
 #endif	/* RDATA_GENERIC_DNAME_39_C */
diff --git a/lib/dns/rdata/generic/dname_39.h b/lib/dns/rdata/generic/dname_39.h
index c97911e8..a1b2192d 100644
--- a/lib/dns/rdata/generic/dname_39.h
+++ b/lib/dns/rdata/generic/dname_39.h
@@ -18,7 +18,7 @@
 #ifndef GENERIC_DNAME_39_H
 #define GENERIC_DNAME_39_H 1
 
-/* $Id: dname_39.h,v 1.16.2.1 2004/03/09 06:11:27 marka Exp $ */
+/* $Id: dname_39.h,v 1.16.206.1 2004/03/06 08:14:04 marka Exp $ */
 
 /* RFC2672 */
 
diff --git a/lib/dns/rdata/generic/dnskey_48.c b/lib/dns/rdata/generic/dnskey_48.c
new file mode 100644
index 00000000..5cf58d54
--- /dev/null
+++ b/lib/dns/rdata/generic/dnskey_48.c
@@ -0,0 +1,312 @@
+/*
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2003  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dnskey_48.c,v 1.4.2.1 2004/03/08 02:08:02 marka Exp $ */
+
+/*
+ * Reviewed: Wed Mar 15 16:47:10 PST 2000 by halley.
+ */
+
+/* RFC 2535 */
+
+#ifndef RDATA_GENERIC_DNSKEY_48_C
+#define RDATA_GENERIC_DNSKEY_48_C
+
+#include <dst/dst.h>
+
+#define RRTYPE_DNSKEY_ATTRIBUTES (DNS_RDATATYPEATTR_DNSSEC)
+
+static inline isc_result_t
+fromtext_dnskey(ARGS_FROMTEXT) {
+	isc_token_t token;
+	dns_secalg_t alg;
+	dns_secproto_t proto;
+	dns_keyflags_t flags;
+
+	REQUIRE(type == 48);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(callbacks);
+
+	/* flags */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      ISC_FALSE));
+	RETTOK(dns_keyflags_fromtext(&flags, &token.value.as_textregion));
+	RETERR(uint16_tobuffer(flags, target));
+
+	/* protocol */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      ISC_FALSE));
+	RETTOK(dns_secproto_fromtext(&proto, &token.value.as_textregion));
+	RETERR(mem_tobuffer(target, &proto, 1));
+
+	/* algorithm */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      ISC_FALSE));
+	RETTOK(dns_secalg_fromtext(&alg, &token.value.as_textregion));
+	RETERR(mem_tobuffer(target, &alg, 1));
+
+	/* No Key? */
+	if ((flags & 0xc000) == 0xc000)
+		return (ISC_R_SUCCESS);
+
+	return (isc_base64_tobuffer(lexer, target, -1));
+}
+
+static inline isc_result_t
+totext_dnskey(ARGS_TOTEXT) {
+	isc_region_t sr;
+	char buf[sizeof("64000")];
+	unsigned int flags;
+	unsigned char algorithm;
+
+	REQUIRE(rdata->type == 48);
+	REQUIRE(rdata->length != 0);
+
+	dns_rdata_toregion(rdata, &sr);
+
+	/* flags */
+	flags = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+	sprintf(buf, "%u", flags);
+	RETERR(str_totext(buf, target));
+	RETERR(str_totext(" ", target));
+
+	/* protocol */
+	sprintf(buf, "%u", sr.base[0]);
+	isc_region_consume(&sr, 1);
+	RETERR(str_totext(buf, target));
+	RETERR(str_totext(" ", target));
+
+	/* algorithm */
+	algorithm = sr.base[0];
+	sprintf(buf, "%u", algorithm);
+	isc_region_consume(&sr, 1);
+	RETERR(str_totext(buf, target));
+
+	/* No Key? */
+	if ((flags & 0xc000) == 0xc000)
+		return (ISC_R_SUCCESS);
+
+	/* key */
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+		RETERR(str_totext(" (", target));
+	RETERR(str_totext(tctx->linebreak, target));
+	RETERR(isc_base64_totext(&sr, tctx->width - 2,
+				 tctx->linebreak, target));
+
+	if ((tctx->flags & DNS_STYLEFLAG_COMMENT) != 0)
+		RETERR(str_totext(tctx->linebreak, target));
+	else if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+		RETERR(str_totext(" ", target));
+
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+		RETERR(str_totext(")", target));
+
+	if ((tctx->flags & DNS_STYLEFLAG_COMMENT) != 0) {
+		isc_region_t tmpr;
+
+		RETERR(str_totext(" ; key id = ", target));
+		dns_rdata_toregion(rdata, &tmpr);
+		sprintf(buf, "%u", dst_region_computeid(&tmpr, algorithm));
+		RETERR(str_totext(buf, target));
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+fromwire_dnskey(ARGS_FROMWIRE) {
+	isc_region_t sr;
+
+	REQUIRE(type == 48);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(dctx);
+	UNUSED(options);
+
+	isc_buffer_activeregion(source, &sr);
+	if (sr.length < 4)
+		return (ISC_R_UNEXPECTEDEND);
+
+	isc_buffer_forward(source, sr.length);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline isc_result_t
+towire_dnskey(ARGS_TOWIRE) {
+	isc_region_t sr;
+
+	REQUIRE(rdata->type == 48);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(cctx);
+
+	dns_rdata_toregion(rdata, &sr);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline int
+compare_dnskey(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == 48);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_dnskey(ARGS_FROMSTRUCT) {
+	dns_rdata_dnskey_t *dnskey = source;
+
+	REQUIRE(type == 48);
+	REQUIRE(source != NULL);
+	REQUIRE(dnskey->common.rdtype == type);
+	REQUIRE(dnskey->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	/* Flags */
+	RETERR(uint16_tobuffer(dnskey->flags, target));
+
+	/* Protocol */
+	RETERR(uint8_tobuffer(dnskey->protocol, target));
+
+	/* Algorithm */
+	RETERR(uint8_tobuffer(dnskey->algorithm, target));
+
+	/* Data */
+	return (mem_tobuffer(target, dnskey->data, dnskey->datalen));
+}
+
+static inline isc_result_t
+tostruct_dnskey(ARGS_TOSTRUCT) {
+	dns_rdata_dnskey_t *dnskey = target;
+	isc_region_t sr;
+
+	REQUIRE(rdata->type == 48);
+	REQUIRE(target != NULL);
+	REQUIRE(rdata->length != 0);
+
+	dnskey->common.rdclass = rdata->rdclass;
+	dnskey->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&dnskey->common, link);
+
+	dns_rdata_toregion(rdata, &sr);
+
+	/* Flags */
+	if (sr.length < 2)
+		return (ISC_R_UNEXPECTEDEND);
+	dnskey->flags = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+
+	/* Protocol */
+	if (sr.length < 1)
+		return (ISC_R_UNEXPECTEDEND);
+	dnskey->protocol = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+
+	/* Algorithm */
+	if (sr.length < 1)
+		return (ISC_R_UNEXPECTEDEND);
+	dnskey->algorithm = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+
+	/* Data */
+	dnskey->datalen = sr.length;
+	dnskey->data = mem_maybedup(mctx, sr.base, dnskey->datalen);
+	if (dnskey->data == NULL)
+		return (ISC_R_NOMEMORY);
+
+	dnskey->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_dnskey(ARGS_FREESTRUCT) {
+	dns_rdata_dnskey_t *dnskey = (dns_rdata_dnskey_t *) source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(dnskey->common.rdtype == 48);
+
+	if (dnskey->mctx == NULL)
+		return;
+
+	if (dnskey->data != NULL)
+		isc_mem_free(dnskey->mctx, dnskey->data);
+	dnskey->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_dnskey(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == 48);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_dnskey(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == 48);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static inline isc_boolean_t
+checkowner_dnskey(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == 48);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_dnskey(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == 48);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (ISC_TRUE);
+}
+
+#endif	/* RDATA_GENERIC_DNSKEY_48_C */
diff --git a/lib/dns/rdata/generic/dnskey_48.h b/lib/dns/rdata/generic/dnskey_48.h
new file mode 100644
index 00000000..4dd71d21
--- /dev/null
+++ b/lib/dns/rdata/generic/dnskey_48.h
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2003  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef GENERIC_DNSKEY_48_H
+#define GENERIC_DNSKEY_48_H 1
+
+/* $Id: dnskey_48.h,v 1.3.2.1 2004/03/08 02:08:02 marka Exp $ */
+
+/* RFC 2535 */
+
+typedef struct dns_rdata_dnskey {
+        dns_rdatacommon_t	common;
+        isc_mem_t *		mctx;
+        isc_uint16_t		flags;
+        isc_uint8_t		protocol;
+        isc_uint8_t		algorithm;
+        isc_uint16_t		datalen;
+        unsigned char *		data;
+} dns_rdata_dnskey_t;
+
+
+#endif /* GENERIC_DNSKEY_48_H */
diff --git a/lib/dns/rdata/generic/ds_43.c b/lib/dns/rdata/generic/ds_43.c
new file mode 100644
index 00000000..538f8657
--- /dev/null
+++ b/lib/dns/rdata/generic/ds_43.c
@@ -0,0 +1,283 @@
+/*
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2002  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: ds_43.c,v 1.6.2.2 2004/03/16 12:38:14 marka Exp $ */
+
+/* draft-ietf-dnsext-delegation-signer-05.txt */
+
+#ifndef RDATA_GENERIC_DS_43_C
+#define RDATA_GENERIC_DS_43_C
+
+#define RRTYPE_DS_ATTRIBUTES \
+	(DNS_RDATATYPEATTR_DNSSEC|DNS_RDATATYPEATTR_ATPARENT)
+
+static inline isc_result_t
+fromtext_ds(ARGS_FROMTEXT) {
+	isc_token_t token;
+
+	REQUIRE(type == 43);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(callbacks);
+
+	/*
+	 * Key tag.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      ISC_FALSE));
+	if (token.value.as_ulong > 0xffffU)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Algorithm.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      ISC_FALSE));
+	if (token.value.as_ulong > 0xffU)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint8_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Digest type.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      ISC_FALSE));
+	if (token.value.as_ulong > 0xffU)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint8_tobuffer(token.value.as_ulong, target));
+	type = (isc_uint16_t) token.value.as_ulong;
+
+	/*
+	 * Digest.
+	 */
+	return (isc_hex_tobuffer(lexer, target, -1));
+}
+
+static inline isc_result_t
+totext_ds(ARGS_TOTEXT) {
+	isc_region_t sr;
+	char buf[sizeof("64000 ")];
+	unsigned int n;
+
+	REQUIRE(rdata->type == 43);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(tctx);
+
+	dns_rdata_toregion(rdata, &sr);
+
+	/*
+	 * Key tag.
+	 */
+	n = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+	sprintf(buf, "%u ", n);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * Algorithm.
+	 */
+	n = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+	sprintf(buf, "%u ", n);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * Digest type.
+	 */
+	n = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+	sprintf(buf, "%u", n);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * Digest.
+	 */
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+		RETERR(str_totext(" (", target));
+	RETERR(str_totext(tctx->linebreak, target));
+	RETERR(isc_hex_totext(&sr, tctx->width - 2, tctx->linebreak, target));
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+		RETERR(str_totext(" )", target));
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+fromwire_ds(ARGS_FROMWIRE) {
+	isc_region_t sr;
+
+	REQUIRE(type == 43);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(dctx);
+	UNUSED(options);
+
+	isc_buffer_activeregion(source, &sr);
+	if (sr.length < 4)
+		return (ISC_R_UNEXPECTEDEND);
+
+	isc_buffer_forward(source, sr.length);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline isc_result_t
+towire_ds(ARGS_TOWIRE) {
+	isc_region_t sr;
+
+	REQUIRE(rdata->type == 43);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(cctx);
+
+	dns_rdata_toregion(rdata, &sr);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline int
+compare_ds(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == 43);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_ds(ARGS_FROMSTRUCT) {
+	dns_rdata_ds_t *ds = source;
+
+	REQUIRE(type == 43);
+	REQUIRE(source != NULL);
+	REQUIRE(ds->common.rdtype == type);
+	REQUIRE(ds->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	RETERR(uint16_tobuffer(ds->key_tag, target));
+	RETERR(uint8_tobuffer(ds->algorithm, target));
+	RETERR(uint8_tobuffer(ds->digest_type, target));
+
+	return (mem_tobuffer(target, ds->digest, ds->length));
+}
+
+static inline isc_result_t
+tostruct_ds(ARGS_TOSTRUCT) {
+	dns_rdata_ds_t *ds = target;
+	isc_region_t region;
+
+	REQUIRE(rdata->type == 43);
+	REQUIRE(target != NULL);
+	REQUIRE(rdata->length != 0);
+
+	ds->common.rdclass = rdata->rdclass;
+	ds->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&ds->common, link);
+
+	dns_rdata_toregion(rdata, &region);
+
+	ds->key_tag = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+	ds->algorithm = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+	ds->digest_type = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+	ds->length = region.length;
+
+	ds->digest = mem_maybedup(mctx, region.base, region.length);
+	if (ds->digest == NULL)
+		return (ISC_R_NOMEMORY);
+
+	ds->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_ds(ARGS_FREESTRUCT) {
+	dns_rdata_ds_t *ds = source;
+
+	REQUIRE(ds != NULL);
+	REQUIRE(ds->common.rdtype == 43);
+
+	if (ds->mctx == NULL)
+		return;
+
+	if (ds->digest != NULL)
+		isc_mem_free(ds->mctx, ds->digest);
+	ds->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_ds(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == 43);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_ds(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == 43);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static inline isc_boolean_t
+checkowner_ds(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == 43);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_ds(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == 43);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (ISC_TRUE);
+}
+
+#endif	/* RDATA_GENERIC_DS_43_C */
diff --git a/lib/dns/rdata/generic/ds_43.h b/lib/dns/rdata/generic/ds_43.h
new file mode 100644
index 00000000..cd4a5ca9
--- /dev/null
+++ b/lib/dns/rdata/generic/ds_43.h
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2002  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: ds_43.h,v 1.3.2.1 2004/03/08 02:08:03 marka Exp $ */
+
+/* draft-ietf-dnsext-delegation-signer-05.txt */
+#ifndef GENERIC_DS_43_H
+#define GENERIC_DS_43_H 1
+
+typedef struct dns_rdata_ds {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	isc_uint16_t		key_tag;
+	isc_uint8_t		algorithm;
+	isc_uint8_t		digest_type;
+	isc_uint16_t		length;
+	unsigned char		*digest;
+} dns_rdata_ds_t;
+
+#endif /* GENERIC_DS_43_H */
diff --git a/lib/dns/rdata/generic/gpos_27.c b/lib/dns/rdata/generic/gpos_27.c
index 2bc266a2..1768f171 100644
--- a/lib/dns/rdata/generic/gpos_27.c
+++ b/lib/dns/rdata/generic/gpos_27.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: gpos_27.c,v 1.32.2.1 2004/03/09 06:11:27 marka Exp $ */
+/* $Id: gpos_27.c,v 1.32.12.5 2004/03/08 09:04:40 marka Exp $ */
 
 /* reviewed: Wed Mar 15 16:48:45 PST 2000 by brister */
 
@@ -36,10 +36,10 @@ fromtext_gpos(ARGS_FROMTEXT) {
 	UNUSED(type);
 	UNUSED(rdclass);
 	UNUSED(origin);
-	UNUSED(downcase);
+	UNUSED(options);
 	UNUSED(callbacks);
 
-	for (i = 0; i < 3 ; i++) {
+	for (i = 0; i < 3; i++) {
 		RETERR(isc_lex_getmastertoken(lexer, &token,
 					      isc_tokentype_qstring,
 					      ISC_FALSE));
@@ -60,7 +60,7 @@ totext_gpos(ARGS_TOTEXT) {
 
 	dns_rdata_toregion(rdata, &region);
 
-	for (i = 0; i < 3 ; i++) {
+	for (i = 0; i < 3; i++) {
 		RETERR(txt_totext(&region, target));
 		if (i != 2)
 			RETERR(str_totext(" ", target));
@@ -78,9 +78,9 @@ fromwire_gpos(ARGS_FROMWIRE) {
 	UNUSED(type);
 	UNUSED(dctx);
 	UNUSED(rdclass);
-	UNUSED(downcase);
+	UNUSED(options);
 
-	for (i = 0 ; i < 3; i++)
+	for (i = 0; i < 3; i++)
 		RETERR(txt_fromwire(source, target));
 	return (ISC_R_SUCCESS);
 }
@@ -109,7 +109,7 @@ compare_gpos(ARGS_COMPARE) {
 
 	dns_rdata_toregion(rdata1, &r1);
 	dns_rdata_toregion(rdata2, &r2);
-	return (compare_region(&r1, &r2));
+	return (isc_region_compare(&r1, &r2));
 }
 
 static inline isc_result_t
@@ -224,4 +224,29 @@ digest_gpos(ARGS_DIGEST) {
 	return ((digest)(arg, &r));
 }
 
+static inline isc_boolean_t
+checkowner_gpos(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == 27);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_gpos(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == 27);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (ISC_TRUE);
+}
+
 #endif	/* RDATA_GENERIC_GPOS_27_C */
diff --git a/lib/dns/rdata/generic/gpos_27.h b/lib/dns/rdata/generic/gpos_27.h
index fcc3c0fb..6f9ed375 100644
--- a/lib/dns/rdata/generic/gpos_27.h
+++ b/lib/dns/rdata/generic/gpos_27.h
@@ -18,7 +18,7 @@
 #ifndef GENERIC_GPOS_27_H
 #define GENERIC_GPOS_27_H 1
 
-/* $Id: gpos_27.h,v 1.12.2.1 2004/03/09 06:11:28 marka Exp $ */
+/* $Id: gpos_27.h,v 1.12.206.1 2004/03/06 08:14:04 marka Exp $ */
 
 /* RFC 1712 */
 
diff --git a/lib/dns/rdata/generic/hinfo_13.c b/lib/dns/rdata/generic/hinfo_13.c
index bed4ae73..e432ce57 100644
--- a/lib/dns/rdata/generic/hinfo_13.c
+++ b/lib/dns/rdata/generic/hinfo_13.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
+ * Copyright (C) 1998-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: hinfo_13.c,v 1.37.2.1 2004/03/09 06:11:28 marka Exp $ */
+/* $Id: hinfo_13.c,v 1.37.12.5 2004/03/08 09:04:40 marka Exp $ */
 
 /*
  * Reviewed: Wed Mar 15 16:47:10 PST 2000 by halley.
@@ -34,12 +34,12 @@ fromtext_hinfo(ARGS_FROMTEXT) {
 	UNUSED(type);
 	UNUSED(rdclass);
 	UNUSED(origin);
-	UNUSED(downcase);
+	UNUSED(options);
 	UNUSED(callbacks);
 
 	REQUIRE(type == 13);
 
-	for (i = 0; i < 2 ; i++) {
+	for (i = 0; i < 2; i++) {
 		RETERR(isc_lex_getmastertoken(lexer, &token,
 					      isc_tokentype_qstring,
 					      ISC_FALSE));
@@ -71,7 +71,7 @@ fromwire_hinfo(ARGS_FROMWIRE) {
 	UNUSED(type);
 	UNUSED(dctx);
 	UNUSED(rdclass);
-	UNUSED(downcase);
+	UNUSED(options);
 
 	RETERR(txt_fromwire(source, target));
 	return (txt_fromwire(source, target));
@@ -101,7 +101,7 @@ compare_hinfo(ARGS_COMPARE) {
 
 	dns_rdata_toregion(rdata1, &r1);
 	dns_rdata_toregion(rdata2, &r2);
-	return (compare_region(&r1, &r2));
+	return (isc_region_compare(&r1, &r2));
 }
 
 static inline isc_result_t
@@ -196,4 +196,29 @@ digest_hinfo(ARGS_DIGEST) {
 	return ((digest)(arg, &r));
 }
 
+static inline isc_boolean_t
+checkowner_hinfo(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == 13);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_hinfo(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == 13);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (ISC_TRUE);
+}
+
 #endif	/* RDATA_GENERIC_HINFO_13_C */
diff --git a/lib/dns/rdata/generic/hinfo_13.h b/lib/dns/rdata/generic/hinfo_13.h
index 26866667..61cbdd72 100644
--- a/lib/dns/rdata/generic/hinfo_13.h
+++ b/lib/dns/rdata/generic/hinfo_13.h
@@ -18,7 +18,7 @@
 #ifndef GENERIC_HINFO_13_H
 #define GENERIC_HINFO_13_H 1
 
-/* $Id: hinfo_13.h,v 1.22.2.1 2004/03/09 06:11:28 marka Exp $ */
+/* $Id: hinfo_13.h,v 1.22.206.1 2004/03/06 08:14:05 marka Exp $ */
 
 typedef struct dns_rdata_hinfo {
 	dns_rdatacommon_t	common;
diff --git a/lib/dns/rdata/generic/isdn_20.c b/lib/dns/rdata/generic/isdn_20.c
index b3bab26d..cc141578 100644
--- a/lib/dns/rdata/generic/isdn_20.c
+++ b/lib/dns/rdata/generic/isdn_20.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: isdn_20.c,v 1.30.2.1 2004/03/09 06:11:28 marka Exp $ */
+/* $Id: isdn_20.c,v 1.30.12.4 2004/03/08 09:04:41 marka Exp $ */
 
 /* Reviewed: Wed Mar 15 16:53:11 PST 2000 by bwelling */
 
@@ -35,7 +35,7 @@ fromtext_isdn(ARGS_FROMTEXT) {
 	UNUSED(type);
 	UNUSED(rdclass);
 	UNUSED(origin);
-	UNUSED(downcase);
+	UNUSED(options);
 	UNUSED(callbacks);
 
 	/* ISDN-address */
@@ -79,7 +79,7 @@ fromwire_isdn(ARGS_FROMWIRE) {
 	UNUSED(type);
 	UNUSED(dctx);
 	UNUSED(rdclass);
-	UNUSED(downcase);
+	UNUSED(options);
 
 	RETERR(txt_fromwire(source, target));
 	if (buffer_empty(source))
@@ -110,7 +110,7 @@ compare_isdn(ARGS_COMPARE) {
 
 	dns_rdata_toregion(rdata1, &r1);
 	dns_rdata_toregion(rdata2, &r2);
-	return (compare_region(&r1, &r2));
+	return (isc_region_compare(&r1, &r2));
 }
 
 static inline isc_result_t
@@ -206,4 +206,29 @@ digest_isdn(ARGS_DIGEST) {
 	return ((digest)(arg, &r));
 }
 
+static inline isc_boolean_t
+checkowner_isdn(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == 20);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_isdn(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == 20);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (ISC_TRUE);
+}
+
 #endif	/* RDATA_GENERIC_ISDN_20_C */
diff --git a/lib/dns/rdata/generic/isdn_20.h b/lib/dns/rdata/generic/isdn_20.h
index ab428faf..3a63971f 100644
--- a/lib/dns/rdata/generic/isdn_20.h
+++ b/lib/dns/rdata/generic/isdn_20.h
@@ -18,7 +18,7 @@
 #ifndef GENERIC_ISDN_20_H
 #define GENERIC_ISDN_20_H 1
 
-/* $Id: isdn_20.h,v 1.13.2.1 2004/03/09 06:11:29 marka Exp $ */
+/* $Id: isdn_20.h,v 1.13.206.1 2004/03/06 08:14:05 marka Exp $ */
 
 /* RFC 1183 */
 
diff --git a/lib/dns/rdata/generic/key_25.c b/lib/dns/rdata/generic/key_25.c
index 066d624c..defbe6df 100644
--- a/lib/dns/rdata/generic/key_25.c
+++ b/lib/dns/rdata/generic/key_25.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: key_25.c,v 1.41.2.1 2004/03/09 06:11:29 marka Exp $ */
+/* $Id: key_25.c,v 1.41.12.7 2004/03/08 09:04:41 marka Exp $ */
 
 /*
  * Reviewed: Wed Mar 15 16:47:10 PST 2000 by halley.
@@ -28,7 +28,7 @@
 
 #include <dst/dst.h>
 
-#define RRTYPE_KEY_ATTRIBUTES (DNS_RDATATYPEATTR_DNSSEC)
+#define RRTYPE_KEY_ATTRIBUTES (0)
 
 static inline isc_result_t
 fromtext_key(ARGS_FROMTEXT) {
@@ -42,7 +42,7 @@ fromtext_key(ARGS_FROMTEXT) {
 	UNUSED(type);
 	UNUSED(rdclass);
 	UNUSED(origin);
-	UNUSED(downcase);
+	UNUSED(options);
 	UNUSED(callbacks);
 
 	/* flags */
@@ -73,7 +73,7 @@ fromtext_key(ARGS_FROMTEXT) {
 static inline isc_result_t
 totext_key(ARGS_TOTEXT) {
 	isc_region_t sr;
-	char buf[sizeof "64000"];
+	char buf[sizeof("64000")];
 	unsigned int flags;
 	unsigned char algorithm;
 
@@ -140,7 +140,7 @@ fromwire_key(ARGS_FROMWIRE) {
 	UNUSED(type);
 	UNUSED(rdclass);
 	UNUSED(dctx);
-	UNUSED(downcase);
+	UNUSED(options);
 
 	isc_buffer_activeregion(source, &sr);
 	if (sr.length < 4)
@@ -176,7 +176,7 @@ compare_key(ARGS_COMPARE) {
 
 	dns_rdata_toregion(rdata1, &r1);
 	dns_rdata_toregion(rdata2, &r2);
-	return (compare_region(&r1, &r2));
+	return (isc_region_compare(&r1, &r2));
 }
 
 static inline isc_result_t
@@ -284,4 +284,29 @@ digest_key(ARGS_DIGEST) {
 	return ((digest)(arg, &r));
 }
 
+static inline isc_boolean_t
+checkowner_key(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == 25);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_key(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == 25);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (ISC_TRUE);
+}
+
 #endif	/* RDATA_GENERIC_KEY_25_C */
diff --git a/lib/dns/rdata/generic/key_25.h b/lib/dns/rdata/generic/key_25.h
index 833265fa..e192a1ba 100644
--- a/lib/dns/rdata/generic/key_25.h
+++ b/lib/dns/rdata/generic/key_25.h
@@ -18,7 +18,7 @@
 #ifndef GENERIC_KEY_25_H
 #define GENERIC_KEY_25_H 1
 
-/* $Id: key_25.h,v 1.14.2.1 2004/03/09 06:11:29 marka Exp $ */
+/* $Id: key_25.h,v 1.14.206.1 2004/03/06 08:14:06 marka Exp $ */
 
 /* RFC 2535 */
 
diff --git a/lib/dns/rdata/generic/loc_29.c b/lib/dns/rdata/generic/loc_29.c
index de9aaf29..28003ab3 100644
--- a/lib/dns/rdata/generic/loc_29.c
+++ b/lib/dns/rdata/generic/loc_29.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: loc_29.c,v 1.30.2.5 2004/03/09 06:11:29 marka Exp $ */
+/* $Id: loc_29.c,v 1.30.2.3.2.6 2004/03/06 08:14:06 marka Exp $ */
 
 /* Reviewed: Wed Mar 15 18:13:09 PST 2000 by explorer */
 
@@ -55,8 +55,7 @@ fromtext_loc(ARGS_FROMTEXT) {
 	UNUSED(type);
 	UNUSED(rdclass);
 	UNUSED(origin);
-	UNUSED(downcase);
-	UNUSED(callbacks);
+	UNUSED(options);
 
 	/*
 	 * Defaults.
@@ -81,11 +80,11 @@ fromtext_loc(ARGS_FROMTEXT) {
 	 */
 	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
 				      ISC_FALSE));
-	if (strcasecmp(token.value.as_pointer, "N") == 0)
+	if (strcasecmp(DNS_AS_STR(token), "N") == 0)
 		north = ISC_TRUE;
-	if (north || strcasecmp(token.value.as_pointer, "S") == 0)
+	if (north || strcasecmp(DNS_AS_STR(token), "S") == 0)
 		goto getlong;
-	m1 = strtol(token.value.as_pointer, &e, 10);
+	m1 = strtol(DNS_AS_STR(token), &e, 10);
 	if (*e != 0)
 		RETTOK(DNS_R_SYNTAX);
 	if (m1 < 0 || m1 > 59)
@@ -98,18 +97,19 @@ fromtext_loc(ARGS_FROMTEXT) {
 	 */
 	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
 				      ISC_FALSE));
-	if (strcasecmp(token.value.as_pointer, "N") == 0)
+	if (strcasecmp(DNS_AS_STR(token), "N") == 0)
 		north = ISC_TRUE;
-	if (north || strcasecmp(token.value.as_pointer, "S") == 0)
+	if (north || strcasecmp(DNS_AS_STR(token), "S") == 0)
 		goto getlong;
-	s1 = strtol(token.value.as_pointer, &e, 10);
+	s1 = strtol(DNS_AS_STR(token), &e, 10);
 	if (*e != 0 && *e != '.')
 		RETTOK(DNS_R_SYNTAX);
 	if (s1 < 0 || s1 > 59)
 		RETTOK(ISC_R_RANGE);
 	if (*e == '.') {
+		const char *l;
 		e++;
-		for (i = 0; i < 3 ; i++) {
+		for (i = 0; i < 3; i++) {
 			if (*e == 0)
 				break;
 			if ((tmp = decvalue(*e++)) < 0)
@@ -117,10 +117,24 @@ fromtext_loc(ARGS_FROMTEXT) {
 			s1 *= 10;
 			s1 += tmp;
 		}
-		for ( ; i < 3 ; i++)
+		for (; i < 3; i++)
 			s1 *= 10;
-		if (*e != 0)
-			RETTOK(DNS_R_SYNTAX);
+		l = e;
+		while (*e != 0) {
+			if (decvalue(*e++) < 0)
+				RETTOK(DNS_R_SYNTAX);
+		}
+		if (*l != '\0' && callbacks != NULL) {
+			const char *file = isc_lex_getsourcename(lexer);
+			unsigned long line = isc_lex_getsourceline(lexer);
+
+			if (file == NULL)
+				file = "UNKNOWN";
+			(*callbacks->warn)(callbacks, "%s: %s:%u: '%s' extra "
+					   "precision digits ignored",
+					   "dns_rdata_fromtext", file, line,
+					   DNS_AS_STR(token));
+		}
 	} else
 		s1 *= 1000;
 	if (d1 == 90 && s1 != 0)
@@ -131,9 +145,9 @@ fromtext_loc(ARGS_FROMTEXT) {
 	 */
 	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
 				      ISC_FALSE));
-	if (strcasecmp(token.value.as_pointer, "N") == 0)
+	if (strcasecmp(DNS_AS_STR(token), "N") == 0)
 		north = ISC_TRUE;
-	if (!north && strcasecmp(token.value.as_pointer, "S") != 0)
+	if (!north && strcasecmp(DNS_AS_STR(token), "S") != 0)
 		RETTOK(DNS_R_SYNTAX);
 
  getlong:
@@ -151,11 +165,11 @@ fromtext_loc(ARGS_FROMTEXT) {
 	 */
 	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
 				      ISC_FALSE));
-	if (strcasecmp(token.value.as_pointer, "E") == 0)
+	if (strcasecmp(DNS_AS_STR(token), "E") == 0)
 		east = ISC_TRUE;
-	if (east || strcasecmp(token.value.as_pointer, "W") == 0)
+	if (east || strcasecmp(DNS_AS_STR(token), "W") == 0)
 		goto getalt;
-	m2 = strtol(token.value.as_pointer, &e, 10);
+	m2 = strtol(DNS_AS_STR(token), &e, 10);
 	if (*e != 0)
 		RETTOK(DNS_R_SYNTAX);
 	if (m2 < 0 || m2 > 59)
@@ -168,18 +182,19 @@ fromtext_loc(ARGS_FROMTEXT) {
 	 */
 	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
 				      ISC_FALSE));
-	if (strcasecmp(token.value.as_pointer, "E") == 0)
+	if (strcasecmp(DNS_AS_STR(token), "E") == 0)
 		east = ISC_TRUE;
-	if (east || strcasecmp(token.value.as_pointer, "W") == 0)
+	if (east || strcasecmp(DNS_AS_STR(token), "W") == 0)
 		goto getalt;
-	s2 = strtol(token.value.as_pointer, &e, 10);
+	s2 = strtol(DNS_AS_STR(token), &e, 10);
 	if (*e != 0 && *e != '.')
 		RETTOK(DNS_R_SYNTAX);
 	if (s2 < 0 || s2 > 59)
 		RETTOK(ISC_R_RANGE);
 	if (*e == '.') {
+		const char *l;
 		e++;
-		for (i = 0; i < 3 ; i++) {
+		for (i = 0; i < 3; i++) {
 			if (*e == 0)
 				break;
 			if ((tmp = decvalue(*e++)) < 0)
@@ -187,10 +202,24 @@ fromtext_loc(ARGS_FROMTEXT) {
 			s2 *= 10;
 			s2 += tmp;
 		}
-		for ( ; i < 3 ; i++)
+		for (; i < 3; i++)
 			s2 *= 10;
-		if (*e != 0)
-			RETTOK(DNS_R_SYNTAX);
+		l = e;
+		while (*e != 0) {
+			if (decvalue(*e++) < 0)
+				RETTOK(DNS_R_SYNTAX);
+		}
+		if (*l != '\0' && callbacks != NULL) {
+			const char *file = isc_lex_getsourcename(lexer);
+			unsigned long line = isc_lex_getsourceline(lexer);
+
+			if (file == NULL)
+				file = "UNKNOWN";
+			(*callbacks->warn)(callbacks, "%s: %s:%u: '%s' extra "
+					   "precision digits ignored",
+					   "dns_rdata_fromtext",
+					   file, line, DNS_AS_STR(token));
+		}
 	} else
 		s2 *= 1000;
 	if (d2 == 180 && s2 != 0)
@@ -201,9 +230,9 @@ fromtext_loc(ARGS_FROMTEXT) {
 	 */
 	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
 				      ISC_FALSE));
-	if (strcasecmp(token.value.as_pointer, "E") == 0)
+	if (strcasecmp(DNS_AS_STR(token), "E") == 0)
 		east = ISC_TRUE;
-	if (!east && strcasecmp(token.value.as_pointer, "W") != 0)
+	if (!east && strcasecmp(DNS_AS_STR(token), "W") != 0)
 		RETTOK(DNS_R_SYNTAX);
 
  getalt:
@@ -212,7 +241,7 @@ fromtext_loc(ARGS_FROMTEXT) {
 	 */
 	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
 				      ISC_FALSE));
-	m = strtol(token.value.as_pointer, &e, 10);
+	m = strtol(DNS_AS_STR(token), &e, 10);
 	if (*e != 0 && *e != '.' && *e != 'm')
 		RETTOK(DNS_R_SYNTAX);
 	if (m < -100000 || m > 42849672)
@@ -220,7 +249,7 @@ fromtext_loc(ARGS_FROMTEXT) {
 	cm = 0;
 	if (*e == '.') {
 		e++;
-		for (i = 0; i < 2 ; i++) {
+		for (i = 0; i < 2; i++) {
 			if (*e == 0 || *e == 'm')
 				break;
 			if ((tmp = decvalue(*e++)) < 0)
@@ -231,7 +260,7 @@ fromtext_loc(ARGS_FROMTEXT) {
 			else
 				cm += tmp;
 		}
-		for ( ; i < 2 ; i++)
+		for (; i < 2; i++)
 			cm *= 10;
 	}
 	if (*e == 'm')
@@ -259,7 +288,7 @@ fromtext_loc(ARGS_FROMTEXT) {
 		isc_lex_ungettoken(lexer, &token);
 		goto encode;
 	}
-	m = strtol(token.value.as_pointer, &e, 10);
+	m = strtol(DNS_AS_STR(token), &e, 10);
 	if (*e != 0 && *e != '.' && *e != 'm')
 		RETTOK(DNS_R_SYNTAX);
 	if (m < 0 || m > 90000000)
@@ -267,7 +296,7 @@ fromtext_loc(ARGS_FROMTEXT) {
 	cm = 0;
 	if (*e == '.') {
 		e++;
-		for (i = 0; i < 2 ; i++) {
+		for (i = 0; i < 2; i++) {
 			if (*e == 0 || *e == 'm')
 				break;
 			if ((tmp = decvalue(*e++)) < 0)
@@ -275,7 +304,7 @@ fromtext_loc(ARGS_FROMTEXT) {
 			cm *= 10;
 			cm += tmp;
 		}
-		for ( ; i < 2 ; i++)
+		for (; i < 2; i++)
 			cm *= 10;
 	}
 	if (*e == 'm')
@@ -286,7 +315,7 @@ fromtext_loc(ARGS_FROMTEXT) {
 	 * We don't just multiply out as we will overflow.
 	 */
 	if (m > 0) {
-		for (exp = 0 ; exp < 7 ; exp++)
+		for (exp = 0; exp < 7; exp++)
 			if (m < poweroften[exp+1])
 				break;
 		man = m / poweroften[exp];
@@ -312,7 +341,7 @@ fromtext_loc(ARGS_FROMTEXT) {
 		isc_lex_ungettoken(lexer, &token);
 		goto encode;
 	}
-	m = strtol(token.value.as_pointer, &e, 10);
+	m = strtol(DNS_AS_STR(token), &e, 10);
 	if (*e != 0 && *e != '.' && *e != 'm')
 		RETTOK(DNS_R_SYNTAX);
 	if (m < 0 || m > 90000000)
@@ -320,7 +349,7 @@ fromtext_loc(ARGS_FROMTEXT) {
 	cm = 0;
 	if (*e == '.') {
 		e++;
-		for (i = 0; i < 2 ; i++) {
+		for (i = 0; i < 2; i++) {
 			if (*e == 0 || *e == 'm')
 				break;
 			if ((tmp = decvalue(*e++)) < 0)
@@ -328,7 +357,7 @@ fromtext_loc(ARGS_FROMTEXT) {
 			cm *= 10;
 			cm += tmp;
 		}
-		for ( ; i < 2 ; i++)
+		for (; i < 2; i++)
 			cm *= 10;
 	}
 	if (*e == 'm')
@@ -339,7 +368,7 @@ fromtext_loc(ARGS_FROMTEXT) {
 	 * We don't just multiply out as we will overflow.
 	 */
 	if (m > 0) {
-		for (exp = 0 ; exp < 7 ; exp++)
+		for (exp = 0; exp < 7; exp++)
 			if (m < poweroften[exp+1])
 				break;
 		man = m / poweroften[exp];
@@ -363,7 +392,7 @@ fromtext_loc(ARGS_FROMTEXT) {
 		isc_lex_ungettoken(lexer, &token);
 		goto encode;
 	}
-	m = strtol(token.value.as_pointer, &e, 10);
+	m = strtol(DNS_AS_STR(token), &e, 10);
 	if (*e != 0 && *e != '.' && *e != 'm')
 		RETTOK(DNS_R_SYNTAX);
 	if (m < 0 || m > 90000000)
@@ -371,7 +400,7 @@ fromtext_loc(ARGS_FROMTEXT) {
 	cm = 0;
 	if (*e == '.') {
 		e++;
-		for (i = 0; i < 2 ; i++) {
+		for (i = 0; i < 2; i++) {
 			if (*e == 0 || *e == 'm')
 				break;
 			if ((tmp = decvalue(*e++)) < 0)
@@ -379,7 +408,7 @@ fromtext_loc(ARGS_FROMTEXT) {
 			cm *= 10;
 			cm += tmp;
 		}
-		for ( ; i < 2 ; i++)
+		for (; i < 2; i++)
 			cm *= 10;
 	}
 	if (*e == 'm')
@@ -390,7 +419,7 @@ fromtext_loc(ARGS_FROMTEXT) {
 	 * We don't just multiply out as we will overflow.
 	 */
 	if (m > 0) {
-		for (exp = 0 ; exp < 7 ; exp++)
+		for (exp = 0; exp < 7; exp++)
 			if (m < poweroften[exp+1])
 				break;
 		man = m / poweroften[exp];
@@ -534,7 +563,7 @@ fromwire_loc(ARGS_FROMWIRE) {
 	UNUSED(type);
 	UNUSED(rdclass);
 	UNUSED(dctx);
-	UNUSED(downcase);
+	UNUSED(options);
 
 	isc_buffer_activeregion(source, &sr);
 	if (sr.length < 1)
@@ -619,7 +648,7 @@ compare_loc(ARGS_COMPARE) {
 
 	dns_rdata_toregion(rdata1, &r1);
 	dns_rdata_toregion(rdata2, &r2);
-	return (compare_region(&r1, &r2));
+	return (isc_region_compare(&r1, &r2));
 }
 
 static inline isc_result_t
@@ -737,4 +766,29 @@ digest_loc(ARGS_DIGEST) {
 	return ((digest)(arg, &r));
 }
 
+static inline isc_boolean_t
+checkowner_loc(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == 29);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_loc(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == 29);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (ISC_TRUE);
+}
+
 #endif	/* RDATA_GENERIC_LOC_29_C */
diff --git a/lib/dns/rdata/generic/loc_29.h b/lib/dns/rdata/generic/loc_29.h
index eddded2f..cdca67b8 100644
--- a/lib/dns/rdata/generic/loc_29.h
+++ b/lib/dns/rdata/generic/loc_29.h
@@ -18,7 +18,7 @@
 #ifndef GENERIC_LOC_29_H
 #define GENERIC_LOC_29_H 1
 
-/* $Id: loc_29.h,v 1.14.2.1 2004/03/09 06:11:29 marka Exp $ */
+/* $Id: loc_29.h,v 1.14.206.1 2004/03/06 08:14:06 marka Exp $ */
 
 /* RFC 1876 */
 
diff --git a/lib/dns/rdata/generic/mb_7.c b/lib/dns/rdata/generic/mb_7.c
index 206e90c2..25627071 100644
--- a/lib/dns/rdata/generic/mb_7.c
+++ b/lib/dns/rdata/generic/mb_7.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mb_7.c,v 1.41.2.1 2004/03/09 06:11:29 marka Exp $ */
+/* $Id: mb_7.c,v 1.41.206.2 2004/03/06 08:14:06 marka Exp $ */
 
 /* Reviewed: Wed Mar 15 17:31:26 PST 2000 by bwelling */
 
@@ -42,7 +42,7 @@ fromtext_mb(ARGS_FROMTEXT) {
 	dns_name_init(&name, NULL);
 	buffer_fromregion(&buffer, &token.value.as_region);
 	origin = (origin != NULL) ? origin : dns_rootname;
-	RETTOK(dns_name_fromtext(&name, &buffer, origin, downcase, target));
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
 	return (ISC_R_SUCCESS);
 }
 
@@ -79,7 +79,7 @@ fromwire_mb(ARGS_FROMWIRE) {
 	dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
 
         dns_name_init(&name, NULL);
-        return (dns_name_fromwire(&name, source, dctx, downcase, target));
+        return (dns_name_fromwire(&name, source, dctx, options, target));
 }
 
 static inline isc_result_t
@@ -207,4 +207,28 @@ digest_mb(ARGS_DIGEST) {
 	return (dns_name_digest(&name, digest, arg));
 }
 
+static inline isc_boolean_t
+checkowner_mb(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == 7);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (dns_name_ismailbox(name));
+}
+
+static inline isc_boolean_t
+checknames_mb(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == 7);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (ISC_TRUE);
+}
+
 #endif	/* RDATA_GENERIC_MB_7_C */
diff --git a/lib/dns/rdata/generic/mb_7.h b/lib/dns/rdata/generic/mb_7.h
index ad1f140b..115ab49e 100644
--- a/lib/dns/rdata/generic/mb_7.h
+++ b/lib/dns/rdata/generic/mb_7.h
@@ -18,7 +18,7 @@
 #ifndef GENERIC_MB_7_H
 #define GENERIC_MB_7_H 1
 
-/* $Id: mb_7.h,v 1.22.2.1 2004/03/09 06:11:30 marka Exp $ */
+/* $Id: mb_7.h,v 1.22.206.1 2004/03/06 08:14:06 marka Exp $ */
 
 typedef struct dns_rdata_mb {
 	dns_rdatacommon_t	common;
diff --git a/lib/dns/rdata/generic/md_3.c b/lib/dns/rdata/generic/md_3.c
index 683794bb..7488d84f 100644
--- a/lib/dns/rdata/generic/md_3.c
+++ b/lib/dns/rdata/generic/md_3.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: md_3.c,v 1.43.2.1 2004/03/09 06:11:30 marka Exp $ */
+/* $Id: md_3.c,v 1.43.206.2 2004/03/06 08:14:07 marka Exp $ */
 
 /* Reviewed: Wed Mar 15 17:48:20 PST 2000 by bwelling */
 
@@ -42,7 +42,7 @@ fromtext_md(ARGS_FROMTEXT) {
 	dns_name_init(&name, NULL);
 	buffer_fromregion(&buffer, &token.value.as_region);
 	origin = (origin != NULL) ? origin : dns_rootname;
-	RETTOK(dns_name_fromtext(&name, &buffer, origin, downcase, target));
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
 	return (ISC_R_SUCCESS);
 }
 
@@ -79,7 +79,7 @@ fromwire_md(ARGS_FROMWIRE) {
 	dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
 
         dns_name_init(&name, NULL);
-        return (dns_name_fromwire(&name, source, dctx, downcase, target));
+        return (dns_name_fromwire(&name, source, dctx, options, target));
 }
 
 static inline isc_result_t
@@ -208,4 +208,29 @@ digest_md(ARGS_DIGEST) {
 	return (dns_name_digest(&name, digest, arg));
 }
 
+static inline isc_boolean_t
+checkowner_md(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == 3);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_md(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == 3);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (ISC_TRUE);
+}
+
 #endif	/* RDATA_GENERIC_MD_3_C */
diff --git a/lib/dns/rdata/generic/md_3.h b/lib/dns/rdata/generic/md_3.h
index 23477b05..8662829b 100644
--- a/lib/dns/rdata/generic/md_3.h
+++ b/lib/dns/rdata/generic/md_3.h
@@ -18,7 +18,7 @@
 #ifndef GENERIC_MD_3_H
 #define GENERIC_MD_3_H 1
 
-/* $Id: md_3.h,v 1.23.2.1 2004/03/09 06:11:30 marka Exp $ */
+/* $Id: md_3.h,v 1.23.206.1 2004/03/06 08:14:07 marka Exp $ */
 
 typedef struct dns_rdata_md {
 	dns_rdatacommon_t	common;
diff --git a/lib/dns/rdata/generic/mf_4.c b/lib/dns/rdata/generic/mf_4.c
index 32026d99..b6c72d93 100644
--- a/lib/dns/rdata/generic/mf_4.c
+++ b/lib/dns/rdata/generic/mf_4.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mf_4.c,v 1.41.2.1 2004/03/09 06:11:30 marka Exp $ */
+/* $Id: mf_4.c,v 1.41.206.2 2004/03/06 08:14:07 marka Exp $ */
 
 /* reviewed: Wed Mar 15 17:47:33 PST 2000 by brister */
 
@@ -42,7 +42,7 @@ fromtext_mf(ARGS_FROMTEXT) {
 	dns_name_init(&name, NULL);
 	buffer_fromregion(&buffer, &token.value.as_region);
 	origin = (origin != NULL) ? origin : dns_rootname;
-	RETTOK(dns_name_fromtext(&name, &buffer, origin, downcase, target));
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
 	return (ISC_R_SUCCESS);
 }
 
@@ -79,7 +79,7 @@ fromwire_mf(ARGS_FROMWIRE) {
 	dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
 
         dns_name_init(&name, NULL);
-        return (dns_name_fromwire(&name, source, dctx, downcase, target));
+        return (dns_name_fromwire(&name, source, dctx, options, target));
 }
 
 static inline isc_result_t
@@ -207,4 +207,29 @@ digest_mf(ARGS_DIGEST) {
 	return (dns_name_digest(&name, digest, arg));
 }
 
+static inline isc_boolean_t
+checkowner_mf(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == 4);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_mf(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == 4);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (ISC_TRUE);
+}
+
 #endif	/* RDATA_GENERIC_MF_4_C */
diff --git a/lib/dns/rdata/generic/mf_4.h b/lib/dns/rdata/generic/mf_4.h
index 1ac057d8..adb82545 100644
--- a/lib/dns/rdata/generic/mf_4.h
+++ b/lib/dns/rdata/generic/mf_4.h
@@ -18,7 +18,7 @@
 #ifndef GENERIC_MF_4_H
 #define GENERIC_MF_4_H 1
 
-/* $Id: mf_4.h,v 1.21.2.1 2004/03/09 06:11:30 marka Exp $ */
+/* $Id: mf_4.h,v 1.21.206.1 2004/03/06 08:14:07 marka Exp $ */
 
 typedef struct dns_rdata_mf {
 	dns_rdatacommon_t	common;
diff --git a/lib/dns/rdata/generic/mg_8.c b/lib/dns/rdata/generic/mg_8.c
index 8a80bc74..26eac8dd 100644
--- a/lib/dns/rdata/generic/mg_8.c
+++ b/lib/dns/rdata/generic/mg_8.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mg_8.c,v 1.39.2.1 2004/03/09 06:11:31 marka Exp $ */
+/* $Id: mg_8.c,v 1.39.206.2 2004/03/06 08:14:07 marka Exp $ */
 
 /* reviewed: Wed Mar 15 17:49:21 PST 2000 by brister */
 
@@ -42,7 +42,7 @@ fromtext_mg(ARGS_FROMTEXT) {
 	dns_name_init(&name, NULL);
 	buffer_fromregion(&buffer, &token.value.as_region);
 	origin = (origin != NULL) ? origin : dns_rootname;
-	RETTOK(dns_name_fromtext(&name, &buffer, origin, downcase, target));
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
 	return (ISC_R_SUCCESS);
 }
 
@@ -79,7 +79,7 @@ fromwire_mg(ARGS_FROMWIRE) {
 	dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
 
         dns_name_init(&name, NULL);
-        return (dns_name_fromwire(&name, source, dctx, downcase, target));
+        return (dns_name_fromwire(&name, source, dctx, options, target));
 }
 
 static inline isc_result_t
@@ -203,4 +203,28 @@ digest_mg(ARGS_DIGEST) {
 	return (dns_name_digest(&name, digest, arg));
 }
 
+static inline isc_boolean_t
+checkowner_mg(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == 8);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (dns_name_ismailbox(name));
+}
+
+static inline isc_boolean_t
+checknames_mg(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == 8);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (ISC_TRUE);
+}
+
 #endif	/* RDATA_GENERIC_MG_8_C */
diff --git a/lib/dns/rdata/generic/mg_8.h b/lib/dns/rdata/generic/mg_8.h
index 4d7e3993..b45c2bf6 100644
--- a/lib/dns/rdata/generic/mg_8.h
+++ b/lib/dns/rdata/generic/mg_8.h
@@ -18,7 +18,7 @@
 #ifndef GENERIC_MG_8_H
 #define GENERIC_MG_8_H 1
 
-/* $Id: mg_8.h,v 1.21.2.1 2004/03/09 06:11:31 marka Exp $ */
+/* $Id: mg_8.h,v 1.21.206.1 2004/03/06 08:14:07 marka Exp $ */
 
 typedef struct dns_rdata_mg {
 	dns_rdatacommon_t	common;
diff --git a/lib/dns/rdata/generic/minfo_14.c b/lib/dns/rdata/generic/minfo_14.c
index 0f7ae508..a3c4a9c5 100644
--- a/lib/dns/rdata/generic/minfo_14.c
+++ b/lib/dns/rdata/generic/minfo_14.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: minfo_14.c,v 1.40.2.1 2004/03/09 06:11:31 marka Exp $ */
+/* $Id: minfo_14.c,v 1.40.12.4 2004/03/08 09:04:41 marka Exp $ */
 
 /* reviewed: Wed Mar 15 17:45:32 PST 2000 by brister */
 
@@ -30,6 +30,7 @@ fromtext_minfo(ARGS_FROMTEXT) {
 	dns_name_t name;
 	isc_buffer_t buffer;
 	int i;
+	isc_boolean_t ok;
 
 	REQUIRE(type == 14);
 
@@ -37,7 +38,7 @@ fromtext_minfo(ARGS_FROMTEXT) {
 	UNUSED(rdclass);
 	UNUSED(callbacks);
 
-	for (i = 0; i < 2 ; i++) {
+	for (i = 0; i < 2; i++) {
 		RETERR(isc_lex_getmastertoken(lexer, &token,
 					      isc_tokentype_string,
 					      ISC_FALSE));
@@ -45,7 +46,14 @@ fromtext_minfo(ARGS_FROMTEXT) {
 		buffer_fromregion(&buffer, &token.value.as_region);
 		origin = (origin != NULL) ? origin : dns_rootname;
 		RETTOK(dns_name_fromtext(&name, &buffer, origin,
-					 downcase, target));
+					 options, target));
+		ok = ISC_TRUE;
+		if ((options & DNS_RDATA_CHECKNAMES) != 0)
+			ok = dns_name_ismailbox(&name);
+		if (!ok && (options & DNS_RDATA_CHECKNAMESFAIL) != 0)
+			RETTOK(DNS_R_BADNAME);
+		if (!ok && callbacks != NULL)
+			warn_badname(&name, lexer, callbacks);
 	}
 	return (ISC_R_SUCCESS);
 }
@@ -98,8 +106,8 @@ fromwire_minfo(ARGS_FROMWIRE) {
         dns_name_init(&rmail, NULL);
         dns_name_init(&email, NULL);
 
-        RETERR(dns_name_fromwire(&rmail, source, dctx, downcase, target));
-        return (dns_name_fromwire(&email, source, dctx, downcase, target));
+        RETERR(dns_name_fromwire(&rmail, source, dctx, options, target));
+        return (dns_name_fromwire(&email, source, dctx, options, target));
 }
 
 static inline isc_result_t
@@ -273,4 +281,44 @@ digest_minfo(ARGS_DIGEST) {
 	return (dns_name_digest(&name, digest, arg));
 }
 
+static inline isc_boolean_t
+checkowner_minfo(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == 14);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_minfo(ARGS_CHECKNAMES) {
+	isc_region_t region;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == 14);
+
+	UNUSED(owner);
+
+	dns_rdata_toregion(rdata, &region);
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &region);
+	if (!dns_name_ismailbox(&name)) {
+		if (bad != NULL)
+			dns_name_clone(&name, bad);
+		return (ISC_FALSE);
+	}
+	isc_region_consume(&region, name_length(&name));
+	dns_name_fromregion(&name, &region);
+	if (!dns_name_ismailbox(&name)) {
+		if (bad != NULL)
+			dns_name_clone(&name, bad);
+		return (ISC_FALSE);
+	}
+	return (ISC_TRUE);
+}
+
 #endif	/* RDATA_GENERIC_MINFO_14_C */
diff --git a/lib/dns/rdata/generic/minfo_14.h b/lib/dns/rdata/generic/minfo_14.h
index 085ae968..84078b9b 100644
--- a/lib/dns/rdata/generic/minfo_14.h
+++ b/lib/dns/rdata/generic/minfo_14.h
@@ -18,7 +18,7 @@
 #ifndef GENERIC_MINFO_14_H
 #define GENERIC_MINFO_14_H 1
 
-/* $Id: minfo_14.h,v 1.22.2.1 2004/03/09 06:11:31 marka Exp $ */
+/* $Id: minfo_14.h,v 1.22.206.1 2004/03/06 08:14:08 marka Exp $ */
 
 typedef struct dns_rdata_minfo {
 	dns_rdatacommon_t	common;
diff --git a/lib/dns/rdata/generic/mr_9.c b/lib/dns/rdata/generic/mr_9.c
index 6cdf49b1..30da6cb5 100644
--- a/lib/dns/rdata/generic/mr_9.c
+++ b/lib/dns/rdata/generic/mr_9.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mr_9.c,v 1.38.2.1 2004/03/09 06:11:31 marka Exp $ */
+/* $Id: mr_9.c,v 1.38.206.2 2004/03/06 08:14:08 marka Exp $ */
 
 /* Reviewed: Wed Mar 15 21:30:35 EST 2000 by tale */
 
@@ -42,7 +42,7 @@ fromtext_mr(ARGS_FROMTEXT) {
 	dns_name_init(&name, NULL);
 	buffer_fromregion(&buffer, &token.value.as_region);
 	origin = (origin != NULL) ? origin : dns_rootname;
-	RETTOK(dns_name_fromtext(&name, &buffer, origin, downcase, target));
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
 	return (ISC_R_SUCCESS);
 }
 
@@ -79,7 +79,7 @@ fromwire_mr(ARGS_FROMWIRE) {
 	dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
 
         dns_name_init(&name, NULL);
-        return (dns_name_fromwire(&name, source, dctx, downcase, target));
+        return (dns_name_fromwire(&name, source, dctx, options, target));
 }
 
 static inline isc_result_t
@@ -203,4 +203,29 @@ digest_mr(ARGS_DIGEST) {
 	return (dns_name_digest(&name, digest, arg));
 }
 
+static inline isc_boolean_t
+checkowner_mr(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == 9);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_mr(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == 9);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (ISC_TRUE);
+}
+
 #endif	/* RDATA_GENERIC_MR_9_C */
diff --git a/lib/dns/rdata/generic/mr_9.h b/lib/dns/rdata/generic/mr_9.h
index 3f2f2583..ba6e1540 100644
--- a/lib/dns/rdata/generic/mr_9.h
+++ b/lib/dns/rdata/generic/mr_9.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -18,7 +18,7 @@
 #ifndef GENERIC_MR_9_H
 #define GENERIC_MR_9_H 1
 
-/* $Id: mr_9.h,v 1.21.2.2 2005/04/07 02:22:18 marka Exp $ */
+/* $Id: mr_9.h,v 1.21.206.1 2004/03/06 08:14:08 marka Exp $ */
 
 typedef struct dns_rdata_mr {
 	dns_rdatacommon_t	common;
diff --git a/lib/dns/rdata/generic/mx_15.c b/lib/dns/rdata/generic/mx_15.c
index 54058912..794249c0 100644
--- a/lib/dns/rdata/generic/mx_15.c
+++ b/lib/dns/rdata/generic/mx_15.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mx_15.c,v 1.48.2.4 2005/04/07 02:22:19 marka Exp $ */
+/* $Id: mx_15.c,v 1.48.2.1.2.3 2004/03/06 08:14:08 marka Exp $ */
 
 /* reviewed: Wed Mar 15 18:05:46 PST 2000 by brister */
 
@@ -29,6 +29,7 @@ fromtext_mx(ARGS_FROMTEXT) {
 	isc_token_t token;
 	dns_name_t name;
 	isc_buffer_t buffer;
+	isc_boolean_t ok;
 
 	REQUIRE(type == 15);
 
@@ -47,7 +48,14 @@ fromtext_mx(ARGS_FROMTEXT) {
 	dns_name_init(&name, NULL);
 	buffer_fromregion(&buffer, &token.value.as_region);
 	origin = (origin != NULL) ? origin : dns_rootname;
-	RETTOK(dns_name_fromtext(&name, &buffer, origin, downcase, target));
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+	ok = ISC_TRUE;
+	if ((options & DNS_RDATA_CHECKNAMES) != 0)
+		ok = dns_name_ishostname(&name, ISC_FALSE);
+	if (!ok && (options & DNS_RDATA_CHECKNAMESFAIL) != 0)
+		RETTOK(DNS_R_BADNAME);
+	if (!ok && callbacks != NULL)
+		warn_badname(&name, lexer, callbacks);
 	return (ISC_R_SUCCESS);
 }
 
@@ -57,7 +65,7 @@ totext_mx(ARGS_TOTEXT) {
 	dns_name_t name;
 	dns_name_t prefix;
 	isc_boolean_t sub;
-	char buf[sizeof "64000"];
+	char buf[sizeof("64000")];
 	unsigned short num;
 
 	REQUIRE(rdata->type == 15);
@@ -98,7 +106,7 @@ fromwire_mx(ARGS_FROMWIRE) {
 		return (ISC_R_UNEXPECTEDEND);
 	RETERR(mem_tobuffer(target, sregion.base, 2));
 	isc_buffer_forward(source, 2);
-	return (dns_name_fromwire(&name, source, dctx, downcase, target));
+	return (dns_name_fromwire(&name, source, dctx, options, target));
 }
 
 static inline isc_result_t
@@ -245,4 +253,36 @@ digest_mx(ARGS_DIGEST) {
 	return (dns_name_digest(&name, digest, arg));
 }
 
+static inline isc_boolean_t
+checkowner_mx(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == 15);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	return (dns_name_ishostname(name, wildcard));
+}
+
+static inline isc_boolean_t
+checknames_mx(ARGS_CHECKNAMES) {
+	isc_region_t region;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == 15);
+
+	UNUSED(owner);
+
+	dns_rdata_toregion(rdata, &region);
+	isc_region_consume(&region, 2);
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &region);
+	if (!dns_name_ishostname(&name, ISC_FALSE)) {
+		if (bad != NULL)
+			dns_name_clone(&name, bad);
+		return (ISC_FALSE);
+	}
+	return (ISC_TRUE);
+}
+
 #endif	/* RDATA_GENERIC_MX_15_C */
diff --git a/lib/dns/rdata/generic/mx_15.h b/lib/dns/rdata/generic/mx_15.h
index af946d82..01225fa2 100644
--- a/lib/dns/rdata/generic/mx_15.h
+++ b/lib/dns/rdata/generic/mx_15.h
@@ -18,7 +18,7 @@
 #ifndef GENERIC_MX_15_H
 #define GENERIC_MX_15_H 1
 
-/* $Id: mx_15.h,v 1.24.2.1 2004/03/09 06:11:32 marka Exp $ */
+/* $Id: mx_15.h,v 1.24.206.1 2004/03/06 08:14:09 marka Exp $ */
 
 typedef struct dns_rdata_mx {
 	dns_rdatacommon_t	common;
diff --git a/lib/dns/rdata/generic/ns_2.c b/lib/dns/rdata/generic/ns_2.c
index 3268adda..bf32d636 100644
--- a/lib/dns/rdata/generic/ns_2.c
+++ b/lib/dns/rdata/generic/ns_2.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ns_2.c,v 1.42.2.1 2004/03/09 06:11:32 marka Exp $ */
+/* $Id: ns_2.c,v 1.42.206.2 2004/03/06 08:14:09 marka Exp $ */
 
 /* Reviewed: Wed Mar 15 18:15:00 PST 2000 by bwelling */
 
@@ -29,6 +29,7 @@ fromtext_ns(ARGS_FROMTEXT) {
 	isc_token_t token;
 	dns_name_t name;
 	isc_buffer_t buffer;
+	isc_boolean_t ok;
 
 	REQUIRE(type == 2);
 
@@ -42,7 +43,14 @@ fromtext_ns(ARGS_FROMTEXT) {
 	dns_name_init(&name, NULL);
 	buffer_fromregion(&buffer, &token.value.as_region);
 	origin = (origin != NULL) ? origin : dns_rootname;
-	RETTOK(dns_name_fromtext(&name, &buffer, origin, downcase, target));
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+	ok = ISC_TRUE;
+	if ((options & DNS_RDATA_CHECKNAMES) != 0)
+		ok = dns_name_ishostname(&name, ISC_FALSE);
+	if (!ok && (options & DNS_RDATA_CHECKNAMESFAIL) != 0)
+		RETTOK(DNS_R_BADNAME);
+	if (!ok && callbacks != NULL)
+		warn_badname(&name, lexer, callbacks);
 	return (ISC_R_SUCCESS);
 }
 
@@ -79,7 +87,7 @@ fromwire_ns(ARGS_FROMWIRE) {
 	dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
 
         dns_name_init(&name, NULL);
-        return (dns_name_fromwire(&name, source, dctx, downcase, target));
+        return (dns_name_fromwire(&name, source, dctx, options, target));
 }
 
 static inline isc_result_t
@@ -207,4 +215,37 @@ digest_ns(ARGS_DIGEST) {
 	return (dns_name_digest(&name, digest, arg));
 }
 
+static inline isc_boolean_t
+checkowner_ns(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == 2);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_ns(ARGS_CHECKNAMES) {
+	isc_region_t region;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == 2);
+
+	UNUSED(owner);
+
+	dns_rdata_toregion(rdata, &region);
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &region);
+	if (!dns_name_ishostname(&name, ISC_FALSE)) {
+		if (bad != NULL)
+			dns_name_clone(&name, bad);
+		return (ISC_FALSE);
+	}
+	return (ISC_TRUE);
+}
+
 #endif	/* RDATA_GENERIC_NS_2_C */
diff --git a/lib/dns/rdata/generic/ns_2.h b/lib/dns/rdata/generic/ns_2.h
index a51bd58d..2bef1f84 100644
--- a/lib/dns/rdata/generic/ns_2.h
+++ b/lib/dns/rdata/generic/ns_2.h
@@ -18,7 +18,7 @@
 #ifndef GENERIC_NS_2_H
 #define GENERIC_NS_2_H 1
 
-/* $Id: ns_2.h,v 1.22.2.1 2004/03/09 06:11:32 marka Exp $ */
+/* $Id: ns_2.h,v 1.22.206.1 2004/03/06 08:14:09 marka Exp $ */
 
 typedef struct dns_rdata_ns {
 	dns_rdatacommon_t	common;
diff --git a/lib/dns/rdata/generic/nsec_47.c b/lib/dns/rdata/generic/nsec_47.c
new file mode 100644
index 00000000..74b7806c
--- /dev/null
+++ b/lib/dns/rdata/generic/nsec_47.c
@@ -0,0 +1,366 @@
+/*
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2003  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: nsec_47.c,v 1.7.2.1 2004/03/08 02:08:03 marka Exp $ */
+
+/* reviewed: Wed Mar 15 18:21:15 PST 2000 by brister */
+
+/* draft-ietf-dnsext-nsec-rdata-01.txt */
+
+#ifndef RDATA_GENERIC_NSEC_47_C
+#define RDATA_GENERIC_NSEC_47_C
+
+/*
+ * The attributes do not include DNS_RDATATYPEATTR_SINGLETON
+ * because we must be able to handle a parent/child NSEC pair.
+ */
+#define RRTYPE_NSEC_ATTRIBUTES (DNS_RDATATYPEATTR_DNSSEC)
+
+static inline isc_result_t
+fromtext_nsec(ARGS_FROMTEXT) {
+	isc_token_t token;
+	dns_name_t name;
+	isc_buffer_t buffer;
+	unsigned char bm[8*1024]; /* 64k bits */
+	dns_rdatatype_t covered;
+	int octet;
+	int window;
+
+	REQUIRE(type == 47);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	/*
+	 * Next domain.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      ISC_FALSE));
+	dns_name_init(&name, NULL);
+	buffer_fromregion(&buffer, &token.value.as_region);
+	origin = (origin != NULL) ? origin : dns_rootname;
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+
+	memset(bm, 0, sizeof(bm));
+	do {
+		RETERR(isc_lex_getmastertoken(lexer, &token,
+					      isc_tokentype_string, ISC_TRUE));
+		if (token.type != isc_tokentype_string)
+			break;
+		RETTOK(dns_rdatatype_fromtext(&covered,
+					      &token.value.as_textregion));
+		bm[covered/8] |= (0x80>>(covered%8));
+	} while (1);
+	isc_lex_ungettoken(lexer, &token);
+	for (window = 0; window < 256 ; window++) {
+		/*
+		 * Find if we have a type in this window.
+		 */
+		for (octet = 31; octet >= 0; octet--)
+			if (bm[window * 32 + octet] != 0)
+				break;
+		if (octet < 0)
+			continue;
+		RETERR(uint8_tobuffer(window, target));
+		RETERR(uint8_tobuffer(octet + 1, target));
+		RETERR(mem_tobuffer(target, &bm[window * 32], octet + 1));
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_nsec(ARGS_TOTEXT) {
+	isc_region_t sr;
+	unsigned int i, j, k;
+	dns_name_t name;
+	dns_name_t prefix;
+	isc_boolean_t sub;
+	unsigned int window, len;
+
+	REQUIRE(rdata->type == 47);
+	REQUIRE(rdata->length != 0);
+
+	dns_name_init(&name, NULL);
+	dns_name_init(&prefix, NULL);
+	dns_rdata_toregion(rdata, &sr);
+	dns_name_fromregion(&name, &sr);
+	isc_region_consume(&sr, name_length(&name));
+	sub = name_prefix(&name, tctx->origin, &prefix);
+	RETERR(dns_name_totext(&prefix, sub, target));
+
+
+	for (i = 0; i < sr.length; i += len) {
+		INSIST(i + 2 <= sr.length);
+		window = sr.base[i];
+		len = sr.base[i + 1];
+		INSIST(len > 0 && len <= 32);
+		i += 2;
+		INSIST(i + len <= sr.length);
+		for (j = 0; j < len; j++) {
+			dns_rdatatype_t t;
+			if (sr.base[i + j] == 0)
+				continue;
+			for (k = 0; k < 8; k++) {
+				if ((sr.base[i + j] & (0x80 >> k)) == 0)
+					continue;
+				t = window * 256 + j * 8 + k;
+				RETERR(str_totext(" ", target));
+				if (dns_rdatatype_isknown(t)) {
+					RETERR(dns_rdatatype_totext(t, target));
+				} else {
+					char buf[sizeof("TYPE65535")];
+					sprintf(buf, "TYPE%u", t);
+					RETERR(str_totext(buf, target));
+				}
+			}
+		}
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static /* inline */ isc_result_t
+fromwire_nsec(ARGS_FROMWIRE) {
+	isc_region_t sr;
+	dns_name_t name;
+	unsigned int window, lastwindow = 0;
+	unsigned int len;
+	isc_boolean_t first = ISC_TRUE;
+	unsigned int i;
+
+	REQUIRE(type == 47);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+
+	dns_name_init(&name, NULL);
+	RETERR(dns_name_fromwire(&name, source, dctx, options, target));
+
+	isc_buffer_activeregion(source, &sr);
+	for (i = 0; i < sr.length; i += len) {
+		/*
+		 * Check for overflow.
+		 */
+		if (i + 2 > sr.length)
+			RETERR(DNS_R_FORMERR);
+		window = sr.base[i];
+		len = sr.base[i + 1];
+		i += 2;
+		/*
+		 * Check that bitmap windows are in the correct order.
+		 */
+		if (!first && window <= lastwindow)
+			RETERR(DNS_R_FORMERR);
+		/*
+		 * Check for legal lengths.
+		 */
+		if (len < 1 || len > 32)
+			RETERR(DNS_R_FORMERR);
+		/*
+		 * Check for overflow.
+		 */
+		if (i + len > sr.length)
+			RETERR(DNS_R_FORMERR);
+		/*
+		 * The last octet of the bitmap must be non zero.
+		 */
+		if (sr.base[i + len - 1] == 0)
+			RETERR(DNS_R_FORMERR);
+		lastwindow = window;
+		first = ISC_FALSE;
+	}
+	if (i != sr.length)
+		return (DNS_R_EXTRADATA);
+	if (first)
+		RETERR(DNS_R_FORMERR);
+	RETERR(mem_tobuffer(target, sr.base, sr.length));
+	isc_buffer_forward(source, sr.length);
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+towire_nsec(ARGS_TOWIRE) {
+	isc_region_t sr;
+	dns_name_t name;
+	dns_offsets_t offsets;
+
+	REQUIRE(rdata->type == 47);
+	REQUIRE(rdata->length != 0);
+
+	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
+	dns_name_init(&name, offsets);
+	dns_rdata_toregion(rdata, &sr);
+	dns_name_fromregion(&name, &sr);
+	isc_region_consume(&sr, name_length(&name));
+	RETERR(dns_name_towire(&name, cctx, target));
+
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline int
+compare_nsec(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == 47);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_nsec(ARGS_FROMSTRUCT) {
+	dns_rdata_nsec_t *nsec = source;
+	isc_region_t region;
+	unsigned int i, len, window, lastwindow = 0;
+	isc_boolean_t first = ISC_TRUE;
+
+	REQUIRE(type == 47);
+	REQUIRE(source != NULL);
+	REQUIRE(nsec->common.rdtype == type);
+	REQUIRE(nsec->common.rdclass == rdclass);
+	REQUIRE(nsec->typebits != NULL || nsec->len == 0);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_name_toregion(&nsec->next, &region);
+	RETERR(isc_buffer_copyregion(target, &region));
+	/*
+	 * Perform sanity check.
+	 */
+	for (i = 0; i < nsec->len ; i += len) {
+		INSIST(i + 2 <= nsec->len);
+		window = nsec->typebits[i];
+		len = nsec->typebits[i+1];
+		i += 2;
+		INSIST(first || window > lastwindow); 
+		INSIST(len > 0 && len <= 32);
+		INSIST(i + len <= nsec->len);
+		INSIST(nsec->typebits[i + len - 1] != 0);
+		lastwindow = window;
+		first = ISC_FALSE;
+	}
+	INSIST(!first);
+	return (mem_tobuffer(target, nsec->typebits, nsec->len));
+}
+
+static inline isc_result_t
+tostruct_nsec(ARGS_TOSTRUCT) {
+	isc_region_t region;
+	dns_rdata_nsec_t *nsec = target;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == 47);
+	REQUIRE(target != NULL);
+	REQUIRE(rdata->length != 0);
+
+	nsec->common.rdclass = rdata->rdclass;
+	nsec->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&nsec->common, link);
+
+	dns_name_init(&name, NULL);
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+	isc_region_consume(&region, name_length(&name));
+	dns_name_init(&nsec->next, NULL);
+	RETERR(name_duporclone(&name, mctx, &nsec->next));
+
+	nsec->len = region.length;
+	nsec->typebits = mem_maybedup(mctx, region.base, region.length);
+	if (nsec->typebits == NULL)
+		goto cleanup;
+
+	nsec->mctx = mctx;
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	if (mctx != NULL)
+		dns_name_free(&nsec->next, mctx);
+	return (ISC_R_NOMEMORY);
+}
+
+static inline void
+freestruct_nsec(ARGS_FREESTRUCT) {
+	dns_rdata_nsec_t *nsec = source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(nsec->common.rdtype == 47);
+
+	if (nsec->mctx == NULL)
+		return;
+
+	dns_name_free(&nsec->next, nsec->mctx);
+	if (nsec->typebits != NULL)
+		isc_mem_free(nsec->mctx, nsec->typebits);
+	nsec->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_nsec(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == 47);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_nsec(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == 47);
+
+	dns_rdata_toregion(rdata, &r);
+	return ((digest)(arg, &r));
+}
+
+static inline isc_boolean_t
+checkowner_nsec(ARGS_CHECKOWNER) {
+
+       REQUIRE(type == 47);
+
+       UNUSED(name);
+       UNUSED(type);
+       UNUSED(rdclass);
+       UNUSED(wildcard);
+
+       return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_nsec(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == 47);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (ISC_TRUE);
+}
+
+#endif	/* RDATA_GENERIC_NSEC_47_C */
diff --git a/lib/dns/rdata/generic/nsec_47.h b/lib/dns/rdata/generic/nsec_47.h
new file mode 100644
index 00000000..d76a25cc
--- /dev/null
+++ b/lib/dns/rdata/generic/nsec_47.h
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2003  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef GENERIC_NSEC_47_H
+#define GENERIC_NSEC_47_H 1
+
+/* $Id: nsec_47.h,v 1.4.2.1 2004/03/08 02:08:03 marka Exp $ */
+
+/* draft-ietf-dnsext-nsec-rdata-01.txt */
+
+typedef struct dns_rdata_nsec {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	dns_name_t		next;
+	unsigned char		*typebits;
+	isc_uint16_t		len;
+} dns_rdata_nsec_t;
+
+#endif /* GENERIC_NSEC_47_H */
diff --git a/lib/dns/rdata/generic/null_10.c b/lib/dns/rdata/generic/null_10.c
index 44bccf24..492044d9 100644
--- a/lib/dns/rdata/generic/null_10.c
+++ b/lib/dns/rdata/generic/null_10.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
+ * Copyright (C) 1998-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: null_10.c,v 1.35.2.2 2004/03/09 06:11:32 marka Exp $ */
+/* $Id: null_10.c,v 1.35.2.1.10.4 2004/03/08 09:04:41 marka Exp $ */
 
 /* Reviewed: Thu Mar 16 13:57:50 PST 2000 by explorer */
 
@@ -32,7 +32,7 @@ fromtext_null(ARGS_FROMTEXT) {
 	UNUSED(type);
 	UNUSED(lexer);
 	UNUSED(origin);
-	UNUSED(downcase);
+	UNUSED(options);
 	UNUSED(target);
 	UNUSED(callbacks);
 
@@ -59,7 +59,7 @@ fromwire_null(ARGS_FROMWIRE) {
 	UNUSED(type);
 	UNUSED(rdclass);
 	UNUSED(dctx);
-	UNUSED(downcase);
+	UNUSED(options);
 
 	isc_buffer_activeregion(source, &sr);
 	isc_buffer_forward(source, sr.length);
@@ -86,7 +86,7 @@ compare_null(ARGS_COMPARE) {
 
 	dns_rdata_toregion(rdata1, &r1);
 	dns_rdata_toregion(rdata2, &r2);
-	return (compare_region(&r1, &r2));
+	return (isc_region_compare(&r1, &r2));
 }
 
 static inline isc_result_t
@@ -164,4 +164,29 @@ digest_null(ARGS_DIGEST) {
 	return ((digest)(arg, &r));
 }
 
+static inline isc_boolean_t
+checkowner_null(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == 10);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_null(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == 10);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (ISC_TRUE);
+}
+
 #endif	/* RDATA_GENERIC_NULL_10_C */
diff --git a/lib/dns/rdata/generic/null_10.h b/lib/dns/rdata/generic/null_10.h
index 4f59cba3..44a9e8f7 100644
--- a/lib/dns/rdata/generic/null_10.h
+++ b/lib/dns/rdata/generic/null_10.h
@@ -18,7 +18,7 @@
 #ifndef GENERIC_NULL_10_H
 #define GENERIC_NULL_10_H 1
 
-/* $Id: null_10.h,v 1.20.2.1 2004/03/09 06:11:32 marka Exp $ */
+/* $Id: null_10.h,v 1.20.206.1 2004/03/06 08:14:09 marka Exp $ */
 
 typedef struct dns_rdata_null {
 	dns_rdatacommon_t	common;
diff --git a/lib/dns/rdata/generic/nxt_30.c b/lib/dns/rdata/generic/nxt_30.c
index a15b699b..e4dba7fb 100644
--- a/lib/dns/rdata/generic/nxt_30.c
+++ b/lib/dns/rdata/generic/nxt_30.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
+ * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,11 +15,11 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nxt_30.c,v 1.49.2.3 2004/03/09 06:11:32 marka Exp $ */
+/* $Id: nxt_30.c,v 1.49.2.2.2.9 2004/03/08 09:04:41 marka Exp $ */
 
 /* reviewed: Wed Mar 15 18:21:15 PST 2000 by brister */
 
-/* RFC 2065 */
+/* RFC 2535 */
 
 #ifndef RDATA_GENERIC_NXT_30_C
 #define RDATA_GENERIC_NXT_30_C
@@ -28,7 +28,7 @@
  * The attributes do not include DNS_RDATATYPEATTR_SINGLETON
  * because we must be able to handle a parent/child NXT pair.
  */
-#define RRTYPE_NXT_ATTRIBUTES (DNS_RDATATYPEATTR_DNSSEC)
+#define RRTYPE_NXT_ATTRIBUTES (0)
 
 static inline isc_result_t
 fromtext_nxt(ARGS_FROMTEXT) {
@@ -56,16 +56,16 @@ fromtext_nxt(ARGS_FROMTEXT) {
 	dns_name_init(&name, NULL);
 	buffer_fromregion(&buffer, &token.value.as_region);
 	origin = (origin != NULL) ? origin : dns_rootname;
-	RETTOK(dns_name_fromtext(&name, &buffer, origin, downcase, target));
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
 
-	memset(bm, 0, sizeof bm);
+	memset(bm, 0, sizeof(bm));
 	do {
 		RETERR(isc_lex_getmastertoken(lexer, &token,
 					      isc_tokentype_string, ISC_TRUE));
 		if (token.type != isc_tokentype_string)
 			break;
-		n = strtol(token.value.as_pointer, &e, 10);
-		if (e != (char *)token.value.as_pointer && *e == '\0') {
+		n = strtol(DNS_AS_STR(token), &e, 10);
+		if (e != DNS_AS_STR(token) && *e == '\0') {
 			covered = (dns_rdatatype_t)n;
 		} else if (dns_rdatatype_fromtext(&covered,
 				&token.value.as_textregion) == DNS_R_UNKNOWN)
@@ -106,7 +106,7 @@ totext_nxt(ARGS_TOTEXT) {
 	sub = name_prefix(&name, tctx->origin, &prefix);
 	RETERR(dns_name_totext(&prefix, sub, target));
 
-	for (i = 0 ; i < sr.length ; i++) {
+	for (i = 0; i < sr.length; i++) {
 		if (sr.base[i] != 0)
 			for (j = 0; j < 8; j++)
 				if ((sr.base[i] & (0x80 >> j)) != 0) {
@@ -116,7 +116,7 @@ totext_nxt(ARGS_TOTEXT) {
 						RETERR(dns_rdatatype_totext(t,
 								      target));
 					} else {
-						char buf[sizeof "65535"];
+						char buf[sizeof("65535")];
 						sprintf(buf, "%u", t);
 						RETERR(str_totext(buf,
 								  target));
@@ -139,7 +139,7 @@ fromwire_nxt(ARGS_FROMWIRE) {
 	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
 
 	dns_name_init(&name, NULL);
-	RETERR(dns_name_fromwire(&name, source, dctx, downcase, target));
+	RETERR(dns_name_fromwire(&name, source, dctx, options, target));
 
 	isc_buffer_activeregion(source, &sr);
 	if (sr.length > 0 && (sr.base[0] & 0x80) == 0 &&
@@ -193,7 +193,7 @@ compare_nxt(ARGS_COMPARE) {
 	if (order != 0)
 		return (order);
 
-	return (compare_region(&r1, &r2));
+	return (isc_region_compare(&r1, &r2));
 }
 
 static inline isc_result_t
@@ -301,4 +301,29 @@ digest_nxt(ARGS_DIGEST) {
 	return ((digest)(arg, &r));
 }
 
+static inline isc_boolean_t
+checkowner_nxt(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == 30);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_nxt(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == 30);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (ISC_TRUE);
+}
+
 #endif	/* RDATA_GENERIC_NXT_30_C */
diff --git a/lib/dns/rdata/generic/nxt_30.h b/lib/dns/rdata/generic/nxt_30.h
index d0822055..540135f7 100644
--- a/lib/dns/rdata/generic/nxt_30.h
+++ b/lib/dns/rdata/generic/nxt_30.h
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -18,9 +18,9 @@
 #ifndef GENERIC_NXT_30_H
 #define GENERIC_NXT_30_H 1
 
-/* $Id: nxt_30.h,v 1.18.2.1 2004/03/09 06:11:32 marka Exp $ */
+/* $Id: nxt_30.h,v 1.18.12.3 2004/03/08 09:04:41 marka Exp $ */
 
-/* RFC 2065 */
+/* RFC 2535 */
 
 typedef struct dns_rdata_nxt {
 	dns_rdatacommon_t	common;
diff --git a/lib/dns/rdata/generic/opt_41.c b/lib/dns/rdata/generic/opt_41.c
index af75ca97..ac74a285 100644
--- a/lib/dns/rdata/generic/opt_41.c
+++ b/lib/dns/rdata/generic/opt_41.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
+ * Copyright (C) 1998-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: opt_41.c,v 1.25.2.1 2004/03/09 06:11:32 marka Exp $ */
+/* $Id: opt_41.c,v 1.25.12.4 2004/03/08 09:04:41 marka Exp $ */
 
 /* Reviewed: Thu Mar 16 14:06:44 PST 2000 by gson */
 
@@ -40,7 +40,7 @@ fromtext_opt(ARGS_FROMTEXT) {
 	UNUSED(rdclass);
 	UNUSED(lexer);
 	UNUSED(origin);
-	UNUSED(downcase);
+	UNUSED(options);
 	UNUSED(target);
 	UNUSED(callbacks);
 
@@ -101,7 +101,7 @@ fromwire_opt(ARGS_FROMWIRE) {
 	UNUSED(type);
 	UNUSED(rdclass);
 	UNUSED(dctx);
-	UNUSED(downcase);
+	UNUSED(options);
 
 	isc_buffer_activeregion(source, &sregion);
 	total = 0;
@@ -154,7 +154,7 @@ compare_opt(ARGS_COMPARE) {
 
 	dns_rdata_toregion(rdata1, &r1);
 	dns_rdata_toregion(rdata2, &r2);
-	return (compare_region(&r1, &r2));
+	return (isc_region_compare(&r1, &r2));
 }
 
 static inline isc_result_t
@@ -253,4 +253,28 @@ digest_opt(ARGS_DIGEST) {
 	return (ISC_R_NOTIMPLEMENTED);
 }
 
+static inline isc_boolean_t
+checkowner_opt(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == 41);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (dns_name_equal(name, dns_rootname));
+}
+
+static inline isc_boolean_t
+checknames_opt(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == 41);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (ISC_TRUE);
+}
+
 #endif	/* RDATA_GENERIC_OPT_41_C */
diff --git a/lib/dns/rdata/generic/opt_41.h b/lib/dns/rdata/generic/opt_41.h
index abfe02e5..c70ad90f 100644
--- a/lib/dns/rdata/generic/opt_41.h
+++ b/lib/dns/rdata/generic/opt_41.h
@@ -18,7 +18,7 @@
 #ifndef GENERIC_OPT_41_H
 #define GENERIC_OPT_41_H 1
 
-/* $Id: opt_41.h,v 1.13.2.1 2004/03/09 06:11:33 marka Exp $ */
+/* $Id: opt_41.h,v 1.13.206.1 2004/03/06 08:14:10 marka Exp $ */
 
 /* RFC 2671 */
 
diff --git a/lib/dns/rdata/generic/proforma.c b/lib/dns/rdata/generic/proforma.c
index ca3e008d..21c65775 100644
--- a/lib/dns/rdata/generic/proforma.c
+++ b/lib/dns/rdata/generic/proforma.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
+ * Copyright (C) 1998-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: proforma.c,v 1.30.2.1 2004/03/09 06:11:33 marka Exp $ */
+/* $Id: proforma.c,v 1.30.12.4 2004/03/08 09:04:41 marka Exp $ */
 
 #ifndef RDATA_GENERIC_#_#_C
 #define RDATA_GENERIC_#_#_C
@@ -84,7 +84,7 @@ compare_#(ARGS_COMPARE) {
 
 	dns_rdata_toregion(rdata1, &r1);
 	dns_rdata_toregion(rdata2, &r2);
-	return (compare_region(&r1, &r2));
+	return (isc_region_compare(&r1, &r2));
 }
 
 static inline isc_result_t
@@ -143,4 +143,31 @@ digest_#(ARGS_DIGEST) {
 	return ((digest)(arg, &r));
 }
 
+static inline isc_boolean_t
+checkowner_#(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == #);
+	REQUIRE(rdclass == #);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_#(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == #);
+	REQUIRE(rdata->rdclass == #);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (ISC_TRUE);
+}
+
 #endif	/* RDATA_GENERIC_#_#_C */
diff --git a/lib/dns/rdata/generic/proforma.h b/lib/dns/rdata/generic/proforma.h
index 16a04ba8..5d5090e0 100644
--- a/lib/dns/rdata/generic/proforma.h
+++ b/lib/dns/rdata/generic/proforma.h
@@ -18,7 +18,7 @@
 #ifndef GENERIC_PROFORMA_H
 #define GENERIC_PROFORMA_H 1
 
-/* $Id: proforma.h,v 1.18.2.1 2004/03/09 06:11:33 marka Exp $ */
+/* $Id: proforma.h,v 1.18.206.1 2004/03/06 08:14:11 marka Exp $ */
 
 typedef struct dns_rdata_# {
 	dns_rdatacommon_t	common;
diff --git a/lib/dns/rdata/generic/ptr_12.c b/lib/dns/rdata/generic/ptr_12.c
index 88e063e1..9be93b33 100644
--- a/lib/dns/rdata/generic/ptr_12.c
+++ b/lib/dns/rdata/generic/ptr_12.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ptr_12.c,v 1.39.2.1 2004/03/09 06:11:33 marka Exp $ */
+/* $Id: ptr_12.c,v 1.39.206.2 2004/03/06 08:14:11 marka Exp $ */
 
 /* Reviewed: Thu Mar 16 14:05:12 PST 2000 by explorer */
 
@@ -42,7 +42,17 @@ fromtext_ptr(ARGS_FROMTEXT) {
 	dns_name_init(&name, NULL);
 	buffer_fromregion(&buffer, &token.value.as_region);
 	origin = (origin != NULL) ? origin : dns_rootname;
-	RETTOK(dns_name_fromtext(&name, &buffer, origin, downcase, target));
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+	if (rdclass == dns_rdataclass_in &&
+	    (options & DNS_RDATA_CHECKNAMES) != 0 &&
+	    (options & DNS_RDATA_CHECKREVERSE) != 0) {
+		isc_boolean_t ok;
+		ok = dns_name_ishostname(&name, ISC_FALSE);
+		if (!ok && (options & DNS_RDATA_CHECKNAMESFAIL) != 0)
+			RETTOK(DNS_R_BADNAME);
+		if (!ok && callbacks != NULL)
+			warn_badname(&name, lexer, callbacks);
+	}
 	return (ISC_R_SUCCESS);
 }
 
@@ -79,7 +89,7 @@ fromwire_ptr(ARGS_FROMWIRE) {
 	dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
 
         dns_name_init(&name, NULL);
-        return (dns_name_fromwire(&name, source, dctx, downcase, target));
+        return (dns_name_fromwire(&name, source, dctx, options, target));
 }
 
 static inline isc_result_t
@@ -204,4 +214,78 @@ digest_ptr(ARGS_DIGEST) {
 	return (dns_name_digest(&name, digest, arg));
 }
 
+static inline isc_boolean_t
+checkowner_ptr(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == 12);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (ISC_TRUE);
+}
+
+static unsigned char ip6_arpa_data[]  = "\003IP6\004ARPA";
+static unsigned char ip6_arpa_offsets[] = { 0, 4, 9 };
+static const dns_name_t ip6_arpa =
+{
+	DNS_NAME_MAGIC,
+	ip6_arpa_data, 10, 3,
+	DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
+	ip6_arpa_offsets, NULL,
+	{(void *)-1, (void *)-1},
+	{NULL, NULL}
+};
+
+static unsigned char ip6_int_data[]  = "\003IP6\003INT";
+static unsigned char ip6_int_offsets[] = { 0, 4, 8 };
+static const dns_name_t ip6_int =
+{
+	DNS_NAME_MAGIC,
+	ip6_int_data, 9, 3,
+	DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
+	ip6_int_offsets, NULL,
+	{(void *)-1, (void *)-1},
+	{NULL, NULL}
+};
+
+static unsigned char in_addr_arpa_data[]  = "\007IN-ADDR\004ARPA";
+static unsigned char in_addr_arpa_offsets[] = { 0, 8, 13 };
+static const dns_name_t in_addr_arpa =
+{
+	DNS_NAME_MAGIC,
+	in_addr_arpa_data, 14, 3,
+	DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
+	in_addr_arpa_offsets, NULL,
+	{(void *)-1, (void *)-1},
+	{NULL, NULL}
+};
+
+static inline isc_boolean_t
+checknames_ptr(ARGS_CHECKNAMES) {
+	isc_region_t region;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == 12);
+
+	if (rdata->rdclass != dns_rdataclass_in)
+	    return (ISC_TRUE);
+
+	if (dns_name_issubdomain(owner, &in_addr_arpa) ||
+	    dns_name_issubdomain(owner, &ip6_arpa) ||
+	    dns_name_issubdomain(owner, &ip6_int)) {
+		dns_rdata_toregion(rdata, &region);
+		dns_name_init(&name, NULL);
+		dns_name_fromregion(&name, &region);
+		if (!dns_name_ishostname(&name, ISC_FALSE)) {
+			if (bad != NULL)
+				dns_name_clone(&name, bad);
+			return (ISC_FALSE);
+		}
+	}
+	return (ISC_TRUE);
+}
+
 #endif	/* RDATA_GENERIC_PTR_12_C */
diff --git a/lib/dns/rdata/generic/ptr_12.h b/lib/dns/rdata/generic/ptr_12.h
index f27487c3..53e79200 100644
--- a/lib/dns/rdata/generic/ptr_12.h
+++ b/lib/dns/rdata/generic/ptr_12.h
@@ -18,7 +18,7 @@
 #ifndef GENERIC_PTR_12_H
 #define GENERIC_PTR_12_H 1
 
-/* $Id: ptr_12.h,v 1.22.2.1 2004/03/09 06:11:33 marka Exp $ */
+/* $Id: ptr_12.h,v 1.22.206.1 2004/03/06 08:14:11 marka Exp $ */
 
 typedef struct dns_rdata_ptr {
         dns_rdatacommon_t       common;
diff --git a/lib/dns/rdata/generic/rp_17.c b/lib/dns/rdata/generic/rp_17.c
index 2549512a..27e02ee2 100644
--- a/lib/dns/rdata/generic/rp_17.c
+++ b/lib/dns/rdata/generic/rp_17.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rp_17.c,v 1.35.2.1 2004/03/09 06:11:33 marka Exp $ */
+/* $Id: rp_17.c,v 1.35.12.4 2004/03/08 09:04:42 marka Exp $ */
 
 /* RFC 1183 */
 
@@ -30,6 +30,7 @@ fromtext_rp(ARGS_FROMTEXT) {
 	dns_name_t name;
 	isc_buffer_t buffer;
 	int i;
+	isc_boolean_t ok;
 
 	REQUIRE(type == 17);
 
@@ -39,14 +40,21 @@ fromtext_rp(ARGS_FROMTEXT) {
 
 	origin = (origin != NULL) ? origin : dns_rootname;
 
-	for (i = 0; i < 2 ; i++) {
+	for (i = 0; i < 2; i++) {
 		RETERR(isc_lex_getmastertoken(lexer, &token,
 					      isc_tokentype_string,
 					      ISC_FALSE));
 		dns_name_init(&name, NULL);
 		buffer_fromregion(&buffer, &token.value.as_region);
 		RETTOK(dns_name_fromtext(&name, &buffer, origin,
-					 downcase, target));
+					 options, target));
+		ok = ISC_TRUE;
+		if ((options & DNS_RDATA_CHECKNAMES) != 0 && i == 0)
+			ok = dns_name_ismailbox(&name);
+		if (!ok && (options & DNS_RDATA_CHECKNAMESFAIL) != 0)
+			RETTOK(DNS_R_BADNAME);
+		if (!ok && callbacks != NULL)
+			warn_badname(&name, lexer, callbacks);
 	}
 	return (ISC_R_SUCCESS);
 }
@@ -98,8 +106,8 @@ fromwire_rp(ARGS_FROMWIRE) {
         dns_name_init(&rmail, NULL);
         dns_name_init(&email, NULL);
 
-        RETERR(dns_name_fromwire(&rmail, source, dctx, downcase, target));
-        return (dns_name_fromwire(&email, source, dctx, downcase, target));
+        RETERR(dns_name_fromwire(&rmail, source, dctx, options, target));
+        return (dns_name_fromwire(&email, source, dctx, options, target));
 }
 
 static inline isc_result_t
@@ -270,4 +278,37 @@ digest_rp(ARGS_DIGEST) {
 	return (dns_name_digest(&name, digest, arg));
 }
 
+static inline isc_boolean_t
+checkowner_rp(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == 17);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_rp(ARGS_CHECKNAMES) {
+	isc_region_t region;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == 17);
+
+	UNUSED(owner);
+
+	dns_rdata_toregion(rdata, &region);
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &region);
+	if (!dns_name_ismailbox(&name)) {
+		if (bad != NULL)
+				dns_name_clone(&name, bad);
+		return (ISC_FALSE);
+	}
+	return (ISC_TRUE);
+}
+
 #endif	/* RDATA_GENERIC_RP_17_C */
diff --git a/lib/dns/rdata/generic/rp_17.h b/lib/dns/rdata/generic/rp_17.h
index 7da9e698..a88b9c00 100644
--- a/lib/dns/rdata/generic/rp_17.h
+++ b/lib/dns/rdata/generic/rp_17.h
@@ -18,7 +18,7 @@
 #ifndef GENERIC_RP_17_H
 #define GENERIC_RP_17_H 1
 
-/* $Id: rp_17.h,v 1.16.2.1 2004/03/09 06:11:33 marka Exp $ */
+/* $Id: rp_17.h,v 1.16.206.1 2004/03/06 08:14:11 marka Exp $ */
 
 /* RFC 1183 */
 
diff --git a/lib/dns/rdata/generic/rrsig_46.c b/lib/dns/rdata/generic/rrsig_46.c
new file mode 100644
index 00000000..a46be6d7
--- /dev/null
+++ b/lib/dns/rdata/generic/rrsig_46.c
@@ -0,0 +1,551 @@
+/*
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2003  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: rrsig_46.c,v 1.4.2.2 2004/03/16 12:38:14 marka Exp $ */
+
+/* Reviewed: Fri Mar 17 09:05:02 PST 2000 by gson */
+
+/* RFC 2535 */
+
+#ifndef RDATA_GENERIC_RRSIG_46_C
+#define RDATA_GENERIC_RRSIG_46_C
+
+#define RRTYPE_RRSIG_ATTRIBUTES (DNS_RDATATYPEATTR_DNSSEC)
+
+static inline isc_result_t
+fromtext_rrsig(ARGS_FROMTEXT) {
+	isc_token_t token;
+	unsigned char c;
+	long i;
+	dns_rdatatype_t covered;
+	char *e;
+	isc_result_t result;
+	dns_name_t name;
+	isc_buffer_t buffer;
+	isc_uint32_t time_signed, time_expire;
+
+	REQUIRE(type == 46);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	/*
+	 * Type covered.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      ISC_FALSE));
+	result = dns_rdatatype_fromtext(&covered, &token.value.as_textregion);
+	if (result != ISC_R_SUCCESS && result != ISC_R_NOTIMPLEMENTED) {
+		i = strtol(DNS_AS_STR(token), &e, 10);
+		if (i < 0 || i > 65535)
+			RETTOK(ISC_R_RANGE);
+		if (*e != 0)
+			RETTOK(result);
+		covered = (dns_rdatatype_t)i;
+	}
+	RETERR(uint16_tobuffer(covered, target));
+
+	/*
+	 * Algorithm.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      ISC_FALSE));
+	RETTOK(dns_secalg_fromtext(&c, &token.value.as_textregion));
+	RETERR(mem_tobuffer(target, &c, 1));
+
+	/*
+	 * Labels.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      ISC_FALSE));
+	if (token.value.as_ulong > 0xffU)
+		RETTOK(ISC_R_RANGE);
+	c = (unsigned char)token.value.as_ulong;
+	RETERR(mem_tobuffer(target, &c, 1));
+
+	/*
+	 * Original ttl.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      ISC_FALSE));
+	RETERR(uint32_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Signature expiration.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      ISC_FALSE));
+	RETTOK(dns_time32_fromtext(DNS_AS_STR(token), &time_expire));
+	RETERR(uint32_tobuffer(time_expire, target));
+
+	/*
+	 * Time signed.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      ISC_FALSE));
+	RETTOK(dns_time32_fromtext(DNS_AS_STR(token), &time_signed));
+	RETERR(uint32_tobuffer(time_signed, target));
+
+	/*
+	 * Key footprint.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      ISC_FALSE));
+	RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Signer.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      ISC_FALSE));
+	dns_name_init(&name, NULL);
+	buffer_fromregion(&buffer, &token.value.as_region);
+	origin = (origin != NULL) ? origin : dns_rootname;
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+
+	/*
+	 * Sig.
+	 */
+	return (isc_base64_tobuffer(lexer, target, -1));
+}
+
+static inline isc_result_t
+totext_rrsig(ARGS_TOTEXT) {
+	isc_region_t sr;
+	char buf[sizeof("4294967295")];
+	dns_rdatatype_t covered;
+	unsigned long ttl;
+	unsigned long when;
+	unsigned long exp;
+	unsigned long foot;
+	dns_name_t name;
+	dns_name_t prefix;
+	isc_boolean_t sub;
+
+	REQUIRE(rdata->type == 46);
+	REQUIRE(rdata->length != 0);
+
+	dns_rdata_toregion(rdata, &sr);
+
+	/*
+	 * Type covered.
+	 */
+	covered = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+	/*
+	 * XXXAG We should have something like dns_rdatatype_isknown()
+	 * that does the right thing with type 0.
+	 */
+	if (dns_rdatatype_isknown(covered) && covered != 0) {
+		RETERR(dns_rdatatype_totext(covered, target));
+	} else {
+		char buf[sizeof("65535")];
+		sprintf(buf, "%u", covered);
+		RETERR(str_totext(buf, target));
+	}
+	RETERR(str_totext(" ", target));
+
+	/*
+	 * Algorithm.
+	 */
+	sprintf(buf, "%u", sr.base[0]);
+	isc_region_consume(&sr, 1);
+	RETERR(str_totext(buf, target));
+	RETERR(str_totext(" ", target));
+
+	/*
+	 * Labels.
+	 */
+	sprintf(buf, "%u", sr.base[0]);
+	isc_region_consume(&sr, 1);
+	RETERR(str_totext(buf, target));
+	RETERR(str_totext(" ", target));
+
+	/*
+	 * Ttl.
+	 */
+	ttl = uint32_fromregion(&sr);
+	isc_region_consume(&sr, 4);
+	sprintf(buf, "%lu", ttl);
+	RETERR(str_totext(buf, target));
+	RETERR(str_totext(" ", target));
+
+	/*
+	 * Sig exp.
+	 */
+	exp = uint32_fromregion(&sr);
+	isc_region_consume(&sr, 4);
+	RETERR(dns_time32_totext(exp, target));
+
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+		RETERR(str_totext(" (", target));
+	RETERR(str_totext(tctx->linebreak, target));
+
+	/*
+	 * Time signed.
+	 */
+	when = uint32_fromregion(&sr);
+	isc_region_consume(&sr, 4);
+	RETERR(dns_time32_totext(when, target));
+	RETERR(str_totext(" ", target));
+
+	/*
+	 * Footprint.
+	 */
+	foot = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+	sprintf(buf, "%lu", foot);
+	RETERR(str_totext(buf, target));
+	RETERR(str_totext(" ", target));
+
+	/*
+	 * Signer.
+	 */
+	dns_name_init(&name, NULL);
+	dns_name_init(&prefix, NULL);
+	dns_name_fromregion(&name, &sr);
+	isc_region_consume(&sr, name_length(&name));
+	sub = name_prefix(&name, tctx->origin, &prefix);
+	RETERR(dns_name_totext(&prefix, sub, target));
+
+	/*
+	 * Sig.
+	 */
+	RETERR(str_totext(tctx->linebreak, target));
+	RETERR(isc_base64_totext(&sr, tctx->width - 2,
+				    tctx->linebreak, target));
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+		RETERR(str_totext(" )", target));
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+fromwire_rrsig(ARGS_FROMWIRE) {
+	isc_region_t sr;
+	dns_name_t name;
+
+	REQUIRE(type == 46);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+
+	isc_buffer_activeregion(source, &sr);
+	/*
+	 * type covered: 2
+	 * algorithm: 1
+	 * labels: 1
+	 * original ttl: 4
+	 * signature expiration: 4
+	 * time signed: 4
+	 * key footprint: 2
+	 */
+	if (sr.length < 18)
+		return (ISC_R_UNEXPECTEDEND);
+
+	isc_buffer_forward(source, 18);
+	RETERR(mem_tobuffer(target, sr.base, 18));
+
+	/*
+	 * Signer.
+	 */
+	dns_name_init(&name, NULL);
+	RETERR(dns_name_fromwire(&name, source, dctx, options, target));
+
+	/*
+	 * Sig.
+	 */
+	isc_buffer_activeregion(source, &sr);
+	isc_buffer_forward(source, sr.length);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline isc_result_t
+towire_rrsig(ARGS_TOWIRE) {
+	isc_region_t sr;
+	dns_name_t name;
+	dns_offsets_t offsets;
+
+	REQUIRE(rdata->type == 46);
+	REQUIRE(rdata->length != 0);
+
+	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
+	dns_rdata_toregion(rdata, &sr);
+	/*
+	 * type covered: 2
+	 * algorithm: 1
+	 * labels: 1
+	 * original ttl: 4
+	 * signature expiration: 4
+	 * time signed: 4
+	 * key footprint: 2
+	 */
+	RETERR(mem_tobuffer(target, sr.base, 18));
+	isc_region_consume(&sr, 18);
+
+	/*
+	 * Signer.
+	 */
+	dns_name_init(&name, offsets);
+	dns_name_fromregion(&name, &sr);
+	isc_region_consume(&sr, name_length(&name));
+	RETERR(dns_name_towire(&name, cctx, target));
+
+	/*
+	 * Signature.
+	 */
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline int
+compare_rrsig(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == 46);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_rrsig(ARGS_FROMSTRUCT) {
+	dns_rdata_rrsig_t *sig = source;
+
+	REQUIRE(type == 46);
+	REQUIRE(source != NULL);
+	REQUIRE(sig->common.rdtype == type);
+	REQUIRE(sig->common.rdclass == rdclass);
+	REQUIRE(sig->signature != NULL || sig->siglen == 0);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	/*
+	 * Type covered.
+	 */
+	RETERR(uint16_tobuffer(sig->covered, target));
+
+	/*
+	 * Algorithm.
+	 */
+	RETERR(uint8_tobuffer(sig->algorithm, target));
+
+	/*
+	 * Labels.
+	 */
+	RETERR(uint8_tobuffer(sig->labels, target));
+
+	/*
+	 * Original TTL.
+	 */
+	RETERR(uint32_tobuffer(sig->originalttl, target));
+
+	/*
+	 * Expire time.
+	 */
+	RETERR(uint32_tobuffer(sig->timeexpire, target));
+
+	/*
+	 * Time signed.
+	 */
+	RETERR(uint32_tobuffer(sig->timesigned, target));
+
+	/*
+	 * Key ID.
+	 */
+	RETERR(uint16_tobuffer(sig->keyid, target));
+
+	/*
+	 * Signer name.
+	 */
+	RETERR(name_tobuffer(&sig->signer, target));
+
+	/*
+	 * Signature.
+	 */
+	return (mem_tobuffer(target, sig->signature, sig->siglen));
+}
+
+static inline isc_result_t
+tostruct_rrsig(ARGS_TOSTRUCT) {
+	isc_region_t sr;
+	dns_rdata_rrsig_t *sig = target;
+	dns_name_t signer;
+
+	REQUIRE(rdata->type == 46);
+	REQUIRE(target != NULL);
+	REQUIRE(rdata->length != 0);
+
+	sig->common.rdclass = rdata->rdclass;
+	sig->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&sig->common, link);
+
+	dns_rdata_toregion(rdata, &sr);
+
+	/*
+	 * Type covered.
+	 */
+	sig->covered = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+
+	/*
+	 * Algorithm.
+	 */
+	sig->algorithm = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+
+	/*
+	 * Labels.
+	 */
+	sig->labels = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+
+	/*
+	 * Original TTL.
+	 */
+	sig->originalttl = uint32_fromregion(&sr);
+	isc_region_consume(&sr, 4);
+
+	/*
+	 * Expire time.
+	 */
+	sig->timeexpire = uint32_fromregion(&sr);
+	isc_region_consume(&sr, 4);
+
+	/*
+	 * Time signed.
+	 */
+	sig->timesigned = uint32_fromregion(&sr);
+	isc_region_consume(&sr, 4);
+
+	/*
+	 * Key ID.
+	 */
+	sig->keyid = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+
+	dns_name_init(&signer, NULL);
+	dns_name_fromregion(&signer, &sr);
+	dns_name_init(&sig->signer, NULL);
+	RETERR(name_duporclone(&signer, mctx, &sig->signer));
+	isc_region_consume(&sr, name_length(&sig->signer));
+
+	/*
+	 * Signature.
+	 */
+	sig->siglen = sr.length;
+	sig->signature = mem_maybedup(mctx, sr.base, sig->siglen);
+	if (sig->signature == NULL)
+		goto cleanup;
+
+
+	sig->mctx = mctx;
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	if (mctx != NULL)
+		dns_name_free(&sig->signer, mctx);
+	return (ISC_R_NOMEMORY);
+}
+
+static inline void
+freestruct_rrsig(ARGS_FREESTRUCT) {
+	dns_rdata_rrsig_t *sig = (dns_rdata_rrsig_t *) source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(sig->common.rdtype == 46);
+
+	if (sig->mctx == NULL)
+		return;
+
+	dns_name_free(&sig->signer, sig->mctx);
+	if (sig->signature != NULL)
+		isc_mem_free(sig->mctx, sig->signature);
+	sig->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_rrsig(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == 46);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_rrsig(ARGS_DIGEST) {
+
+	REQUIRE(rdata->type == 46);
+
+	UNUSED(rdata);
+	UNUSED(digest);
+	UNUSED(arg);
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static inline dns_rdatatype_t
+covers_rrsig(dns_rdata_t *rdata) {
+	dns_rdatatype_t type;
+	isc_region_t r;
+
+	REQUIRE(rdata->type == 46);
+
+	dns_rdata_toregion(rdata, &r);
+	type = uint16_fromregion(&r);
+
+	return (type);
+}
+
+static inline isc_boolean_t
+checkowner_rrsig(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == 46);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_rrsig(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == 46);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (ISC_TRUE);
+}
+
+#endif	/* RDATA_GENERIC_RRSIG_46_C */
diff --git a/lib/dns/rdata/generic/rrsig_46.h b/lib/dns/rdata/generic/rrsig_46.h
new file mode 100644
index 00000000..148604b7
--- /dev/null
+++ b/lib/dns/rdata/generic/rrsig_46.h
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2003  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef GENERIC_DNSSIG_46_H
+#define GENERIC_DNSSIG_46_H 1
+
+/* $Id: rrsig_46.h,v 1.3.2.1 2004/03/08 02:08:04 marka Exp $ */
+
+/* RFC 2535 */
+typedef struct dns_rdata_rrsig {
+	dns_rdatacommon_t	common;
+	isc_mem_t *		mctx;
+	dns_rdatatype_t		covered;
+	dns_secalg_t		algorithm;
+	isc_uint8_t		labels;
+	isc_uint32_t		originalttl;
+	isc_uint32_t		timeexpire;
+	isc_uint32_t		timesigned;
+	isc_uint16_t		keyid;
+        dns_name_t		signer;
+	isc_uint16_t		siglen;
+	unsigned char *		signature;
+} dns_rdata_rrsig_t;
+
+
+#endif /* GENERIC_DNSSIG_46_H */
diff --git a/lib/dns/rdata/generic/rt_21.c b/lib/dns/rdata/generic/rt_21.c
index 21bceae6..0f568e3b 100644
--- a/lib/dns/rdata/generic/rt_21.c
+++ b/lib/dns/rdata/generic/rt_21.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rt_21.c,v 1.37.2.3 2004/03/09 06:11:33 marka Exp $ */
+/* $Id: rt_21.c,v 1.37.2.1.2.3 2004/03/06 08:14:11 marka Exp $ */
 
 /* reviewed: Thu Mar 16 15:02:31 PST 2000 by brister */
 
@@ -31,6 +31,7 @@ fromtext_rt(ARGS_FROMTEXT) {
 	isc_token_t token;
 	dns_name_t name;
 	isc_buffer_t buffer;
+	isc_boolean_t ok;
 
 	REQUIRE(type == 21);
 
@@ -50,7 +51,14 @@ fromtext_rt(ARGS_FROMTEXT) {
 	dns_name_init(&name, NULL);
 	buffer_fromregion(&buffer, &token.value.as_region);
 	origin = (origin != NULL) ? origin : dns_rootname;
-	RETTOK(dns_name_fromtext(&name, &buffer, origin, downcase, target));
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+	ok = ISC_TRUE;
+	if ((options & DNS_RDATA_CHECKNAMES) != 0)
+		ok = dns_name_ishostname(&name, ISC_FALSE);
+	if (!ok && (options & DNS_RDATA_CHECKNAMESFAIL) != 0)
+		RETTOK(DNS_R_BADNAME);
+	if (!ok && callbacks != NULL)
+		warn_badname(&name, lexer, callbacks);
 	return (ISC_R_SUCCESS);
 }
 
@@ -60,7 +68,7 @@ totext_rt(ARGS_TOTEXT) {
 	dns_name_t name;
 	dns_name_t prefix;
 	isc_boolean_t sub;
-	char buf[sizeof "64000"];
+	char buf[sizeof("64000")];
 	unsigned short num;
 
 	REQUIRE(rdata->type == 21);
@@ -104,7 +112,7 @@ fromwire_rt(ARGS_FROMWIRE) {
 	memcpy(tregion.base, sregion.base, 2);
 	isc_buffer_forward(source, 2);
 	isc_buffer_add(target, 2);
-	return (dns_name_fromwire(&name, source, dctx, downcase, target));
+	return (dns_name_fromwire(&name, source, dctx, options, target));
 }
 
 static inline isc_result_t
@@ -266,4 +274,38 @@ digest_rt(ARGS_DIGEST) {
 	return (dns_name_digest(&name, digest, arg));
 }
 
+static inline isc_boolean_t
+checkowner_rt(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == 21);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_rt(ARGS_CHECKNAMES) {
+	isc_region_t region;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == 21);
+
+	UNUSED(owner);
+
+	dns_rdata_toregion(rdata, &region);
+	isc_region_consume(&region, 2);
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &region);
+	if (dns_name_ishostname(&name, ISC_FALSE)) {
+		if (bad != NULL)
+			dns_name_clone(&name, bad);
+		return (ISC_FALSE);
+	}
+	return (ISC_TRUE);
+}
+
 #endif	/* RDATA_GENERIC_RT_21_C */
diff --git a/lib/dns/rdata/generic/rt_21.h b/lib/dns/rdata/generic/rt_21.h
index b4feaf84..32b0352d 100644
--- a/lib/dns/rdata/generic/rt_21.h
+++ b/lib/dns/rdata/generic/rt_21.h
@@ -18,7 +18,7 @@
 #ifndef GENERIC_RT_21_H
 #define GENERIC_RT_21_H 1
 
-/* $Id: rt_21.h,v 1.16.2.1 2004/03/09 06:11:33 marka Exp $ */
+/* $Id: rt_21.h,v 1.16.206.1 2004/03/06 08:14:12 marka Exp $ */
 
 /* RFC 1183 */
 
diff --git a/lib/dns/rdata/generic/sig_24.c b/lib/dns/rdata/generic/sig_24.c
index a7bb7331..39cb0644 100644
--- a/lib/dns/rdata/generic/sig_24.c
+++ b/lib/dns/rdata/generic/sig_24.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
+ * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sig_24.c,v 1.54.2.3 2004/03/09 06:11:34 marka Exp $ */
+/* $Id: sig_24.c,v 1.54.2.1.2.7 2004/03/08 09:04:42 marka Exp $ */
 
 /* Reviewed: Fri Mar 17 09:05:02 PST 2000 by gson */
 
@@ -24,7 +24,7 @@
 #ifndef RDATA_GENERIC_SIG_24_C
 #define RDATA_GENERIC_SIG_24_C
 
-#define RRTYPE_SIG_ATTRIBUTES (DNS_RDATATYPEATTR_DNSSEC)
+#define RRTYPE_SIG_ATTRIBUTES (0)
 
 static inline isc_result_t
 fromtext_sig(ARGS_FROMTEXT) {
@@ -51,7 +51,7 @@ fromtext_sig(ARGS_FROMTEXT) {
 				      ISC_FALSE));
 	result = dns_rdatatype_fromtext(&covered, &token.value.as_textregion);
 	if (result != ISC_R_SUCCESS && result != ISC_R_NOTIMPLEMENTED) {
-		i = strtol(token.value.as_pointer, &e, 10);
+		i = strtol(DNS_AS_STR(token), &e, 10);
 		if (i < 0 || i > 65535)
 			RETTOK(ISC_R_RANGE);
 		if (*e != 0)
@@ -90,7 +90,7 @@ fromtext_sig(ARGS_FROMTEXT) {
 	 */
 	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
 				      ISC_FALSE));
-	RETTOK(dns_time32_fromtext(token.value.as_pointer, &time_expire));
+	RETTOK(dns_time32_fromtext(DNS_AS_STR(token), &time_expire));
 	RETERR(uint32_tobuffer(time_expire, target));
 
 	/*
@@ -98,7 +98,7 @@ fromtext_sig(ARGS_FROMTEXT) {
 	 */
 	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
 				      ISC_FALSE));
-	RETTOK(dns_time32_fromtext(token.value.as_pointer, &time_signed));
+	RETTOK(dns_time32_fromtext(DNS_AS_STR(token), &time_signed));
 	RETERR(uint32_tobuffer(time_signed, target));
 
 	/*
@@ -116,7 +116,7 @@ fromtext_sig(ARGS_FROMTEXT) {
 	dns_name_init(&name, NULL);
 	buffer_fromregion(&buffer, &token.value.as_region);
 	origin = (origin != NULL) ? origin : dns_rootname;
-	RETTOK(dns_name_fromtext(&name, &buffer, origin, downcase, target));
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
 
 	/*
 	 * Sig.
@@ -127,7 +127,7 @@ fromtext_sig(ARGS_FROMTEXT) {
 static inline isc_result_t
 totext_sig(ARGS_TOTEXT) {
 	isc_region_t sr;
-	char buf[sizeof "4294967295"];
+	char buf[sizeof("4294967295")];
 	dns_rdatatype_t covered;
 	unsigned long ttl;
 	unsigned long when;
@@ -154,7 +154,7 @@ totext_sig(ARGS_TOTEXT) {
 	if (dns_rdatatype_isknown(covered) && covered != 0) {
 		RETERR(dns_rdatatype_totext(covered, target));
 	} else {
-		char buf[sizeof "65535"];
+		char buf[sizeof("65535")];
 		sprintf(buf, "%u", covered);
 		RETERR(str_totext(buf, target));
 	}
@@ -267,7 +267,7 @@ fromwire_sig(ARGS_FROMWIRE) {
 	 * Signer.
 	 */
 	dns_name_init(&name, NULL);
-	RETERR(dns_name_fromwire(&name, source, dctx, downcase, target));
+	RETERR(dns_name_fromwire(&name, source, dctx, options, target));
 
 	/*
 	 * Sig.
@@ -335,7 +335,7 @@ compare_sig(ARGS_COMPARE) {
 	INSIST(r2.length > 18);
 	r1.length = 18;
 	r2.length = 18;
-	order = compare_region(&r1, &r2);
+	order = isc_region_compare(&r1, &r2);
 	if (order != 0)
 		return (order);
 
@@ -354,7 +354,7 @@ compare_sig(ARGS_COMPARE) {
 	isc_region_consume(&r1, name_length(&name1));
 	isc_region_consume(&r2, name_length(&name2));
 
-	return (compare_region(&r1, &r2));
+	return (isc_region_compare(&r1, &r2));
 }
 
 static inline isc_result_t
@@ -550,4 +550,29 @@ covers_sig(dns_rdata_t *rdata) {
 	return (type);
 }
 
+static inline isc_boolean_t
+checkowner_sig(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == 24);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_sig(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == 24);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (ISC_TRUE);
+}
+
 #endif	/* RDATA_GENERIC_SIG_24_C */
diff --git a/lib/dns/rdata/generic/sig_24.h b/lib/dns/rdata/generic/sig_24.h
index 47bb2a2a..28bcac21 100644
--- a/lib/dns/rdata/generic/sig_24.h
+++ b/lib/dns/rdata/generic/sig_24.h
@@ -18,7 +18,7 @@
 #ifndef GENERIC_SIG_24_H
 #define GENERIC_SIG_24_H 1
 
-/* $Id: sig_24.h,v 1.21.2.1 2004/03/09 06:11:34 marka Exp $ */
+/* $Id: sig_24.h,v 1.21.206.1 2004/03/06 08:14:12 marka Exp $ */
 
 /* RFC 2535 */
 
diff --git a/lib/dns/rdata/generic/soa_6.c b/lib/dns/rdata/generic/soa_6.c
index 98d8e9ff..7eeb36e2 100644
--- a/lib/dns/rdata/generic/soa_6.c
+++ b/lib/dns/rdata/generic/soa_6.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
+ * Copyright (C) 1998-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: soa_6.c,v 1.53.2.1 2004/03/09 06:11:34 marka Exp $ */
+/* $Id: soa_6.c,v 1.53.12.6 2004/03/08 09:04:42 marka Exp $ */
 
 /* Reviewed: Thu Mar 16 15:18:32 PST 2000 by explorer */
 
@@ -31,6 +31,7 @@ fromtext_soa(ARGS_FROMTEXT) {
 	isc_buffer_t buffer;
 	int i;
 	isc_uint32_t n;
+	isc_boolean_t ok;
 
 	REQUIRE(type == 6);
 
@@ -40,7 +41,7 @@ fromtext_soa(ARGS_FROMTEXT) {
 
 	origin = (origin != NULL) ? origin : dns_rootname;
 
-	for (i = 0 ; i < 2 ; i++) {
+	for (i = 0; i < 2; i++) {
 		RETERR(isc_lex_getmastertoken(lexer, &token,
 					      isc_tokentype_string,
 					      ISC_FALSE));
@@ -48,7 +49,22 @@ fromtext_soa(ARGS_FROMTEXT) {
 		dns_name_init(&name, NULL);
 		buffer_fromregion(&buffer, &token.value.as_region);
 		RETTOK(dns_name_fromtext(&name, &buffer, origin,
-					 downcase, target));
+					 options, target));
+		ok = ISC_TRUE;
+		if ((options & DNS_RDATA_CHECKNAMES) != 0)
+			switch (i) {
+			case 0:
+				ok = dns_name_ishostname(&name, ISC_FALSE);
+				break;
+			case 1:
+				ok = dns_name_ismailbox(&name);
+				break;
+
+			}
+		if (!ok && (options & DNS_RDATA_CHECKNAMESFAIL) != 0)
+			RETTOK(DNS_R_BADNAME);
+		if (!ok && callbacks != NULL)
+			warn_badname(&name, lexer, callbacks);
 	}
 
 	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
@@ -111,14 +127,14 @@ totext_soa(ARGS_TOTEXT) {
 		RETERR(str_totext(" (" , target));
 	RETERR(str_totext(tctx->linebreak, target));
 
-	for (i = 0; i < 5 ; i++) {
-		char buf[sizeof "2147483647"];
+	for (i = 0; i < 5; i++) {
+		char buf[sizeof("2147483647")];
 		unsigned long num;
 		unsigned int numlen;
 		num = uint32_fromregion(&dregion);
 		isc_region_consume(&dregion, 4);
 		numlen = sprintf(buf, "%lu", num);
-		INSIST(numlen > 0 && numlen < sizeof "2147483647");
+		INSIST(numlen > 0 && numlen < sizeof("2147483647"));
 		RETERR(str_totext(buf, target));
 		if (multiline && comment) {
 			RETERR(str_totext("           ; " + numlen, target));
@@ -158,8 +174,8 @@ fromwire_soa(ARGS_FROMWIRE) {
         dns_name_init(&mname, NULL);
         dns_name_init(&rname, NULL);
 
-        RETERR(dns_name_fromwire(&mname, source, dctx, downcase, target));
-        RETERR(dns_name_fromwire(&rname, source, dctx, downcase, target));
+        RETERR(dns_name_fromwire(&mname, source, dctx, options, target));
+        RETERR(dns_name_fromwire(&rname, source, dctx, options, target));
 
 	isc_buffer_activeregion(source, &sregion);
 	isc_buffer_availableregion(target, &tregion);
@@ -255,7 +271,7 @@ compare_soa(ARGS_COMPARE) {
 	isc_region_consume(&region1, name_length(&name1));
 	isc_region_consume(&region2, name_length(&name2));
 
-	return (compare_region(&region1, &region2));
+	return (isc_region_compare(&region1, &region2));
 }
 
 static inline isc_result_t
@@ -384,4 +400,44 @@ digest_soa(ARGS_DIGEST) {
 	return ((digest)(arg, &r));
 }
 
+static inline isc_boolean_t
+checkowner_soa(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == 6);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_soa(ARGS_CHECKNAMES) {
+	isc_region_t region;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == 6);
+
+	UNUSED(owner);
+
+	dns_rdata_toregion(rdata, &region);
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &region);
+	if (!dns_name_ishostname(&name, ISC_FALSE)) {
+		if (bad != NULL)
+			dns_name_clone(&name, bad);
+		return (ISC_FALSE);
+	}
+	isc_region_consume(&region, name_length(&name));
+	dns_name_fromregion(&name, &region);
+	if (!dns_name_ismailbox(&name)) {
+		if (bad != NULL)
+			dns_name_clone(&name, bad);
+		return (ISC_FALSE);
+	}
+	return (ISC_TRUE);
+}
+
 #endif	/* RDATA_GENERIC_SOA_6_C */
diff --git a/lib/dns/rdata/generic/soa_6.h b/lib/dns/rdata/generic/soa_6.h
index 4bd6a603..eca6dfd4 100644
--- a/lib/dns/rdata/generic/soa_6.h
+++ b/lib/dns/rdata/generic/soa_6.h
@@ -18,7 +18,7 @@
 #ifndef GENERIC_SOA_6_H
 #define GENERIC_SOA_6_H 1
 
-/* $Id: soa_6.h,v 1.27.2.1 2004/03/09 06:11:34 marka Exp $ */
+/* $Id: soa_6.h,v 1.27.206.1 2004/03/06 08:14:12 marka Exp $ */
 
 typedef struct dns_rdata_soa {
 	dns_rdatacommon_t	common;
diff --git a/lib/dns/rdata/generic/sshfp_44.c b/lib/dns/rdata/generic/sshfp_44.c
new file mode 100644
index 00000000..eabf056d
--- /dev/null
+++ b/lib/dns/rdata/generic/sshfp_44.c
@@ -0,0 +1,262 @@
+/*
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2003  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: sshfp_44.c,v 1.1.8.3 2004/03/06 08:14:13 marka Exp $ */
+
+/* draft-ietf-secsh-dns-05.txt */
+
+#ifndef RDATA_GENERIC_SSHFP_44_C
+#define RDATA_GENERIC_SSHFP_44_C
+
+#define RRTYPE_SSHFP_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_sshfp(ARGS_FROMTEXT) {
+	isc_token_t token;
+
+	REQUIRE(type == 44);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(callbacks);
+
+	/*
+	 * Algorithm.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      ISC_FALSE));
+	if (token.value.as_ulong > 0xffU)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint8_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Digest type.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      ISC_FALSE));
+	if (token.value.as_ulong > 0xffU)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint8_tobuffer(token.value.as_ulong, target));
+	type = (isc_uint16_t) token.value.as_ulong;
+
+	/*
+	 * Digest.
+	 */
+	return (isc_hex_tobuffer(lexer, target, -1));
+}
+
+static inline isc_result_t
+totext_sshfp(ARGS_TOTEXT) {
+	isc_region_t sr;
+	char buf[sizeof("64000 ")];
+	unsigned int n;
+
+	REQUIRE(rdata->type == 44);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(tctx);
+
+	dns_rdata_toregion(rdata, &sr);
+
+	/*
+	 * Algorithm.
+	 */
+	n = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+	sprintf(buf, "%u ", n);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * Digest type.
+	 */
+	n = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+	sprintf(buf, "%u", n);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * Digest.
+	 */
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+		RETERR(str_totext(" (", target));
+	RETERR(str_totext(tctx->linebreak, target));
+	RETERR(isc_hex_totext(&sr, tctx->width - 2, tctx->linebreak, target));
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+		RETERR(str_totext(" )", target));
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+fromwire_sshfp(ARGS_FROMWIRE) {
+	isc_region_t sr;
+
+	REQUIRE(type == 44);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(dctx);
+	UNUSED(options);
+
+	isc_buffer_activeregion(source, &sr);
+	if (sr.length < 4)
+		return (ISC_R_UNEXPECTEDEND);
+
+	isc_buffer_forward(source, sr.length);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline isc_result_t
+towire_sshfp(ARGS_TOWIRE) {
+	isc_region_t sr;
+
+	REQUIRE(rdata->type == 44);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(cctx);
+
+	dns_rdata_toregion(rdata, &sr);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline int
+compare_sshfp(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == 44);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_sshfp(ARGS_FROMSTRUCT) {
+	dns_rdata_sshfp_t *sshfp = source;
+
+	REQUIRE(type == 44);
+	REQUIRE(source != NULL);
+	REQUIRE(sshfp->common.rdtype == type);
+	REQUIRE(sshfp->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	RETERR(uint8_tobuffer(sshfp->algorithm, target));
+	RETERR(uint8_tobuffer(sshfp->digest_type, target));
+
+	return (mem_tobuffer(target, sshfp->digest, sshfp->length));
+}
+
+static inline isc_result_t
+tostruct_sshfp(ARGS_TOSTRUCT) {
+	dns_rdata_sshfp_t *sshfp = target;
+	isc_region_t region;
+
+	REQUIRE(rdata->type == 44);
+	REQUIRE(target != NULL);
+	REQUIRE(rdata->length != 0);
+
+	sshfp->common.rdclass = rdata->rdclass;
+	sshfp->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&sshfp->common, link);
+
+	dns_rdata_toregion(rdata, &region);
+
+	sshfp->algorithm = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+	sshfp->digest_type = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+	sshfp->length = region.length;
+
+	sshfp->digest = mem_maybedup(mctx, region.base, region.length);
+	if (sshfp->digest == NULL)
+		return (ISC_R_NOMEMORY);
+
+	sshfp->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_sshfp(ARGS_FREESTRUCT) {
+	dns_rdata_sshfp_t *sshfp = source;
+
+	REQUIRE(sshfp != NULL);
+	REQUIRE(sshfp->common.rdtype == 44);
+
+	if (sshfp->mctx == NULL)
+		return;
+
+	if (sshfp->digest != NULL)
+		isc_mem_free(sshfp->mctx, sshfp->digest);
+	sshfp->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_sshfp(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == 44);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_sshfp(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == 44);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static inline isc_boolean_t
+checkowner_sshfp(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == 44);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_sshfp(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == 44);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (ISC_TRUE);
+}
+
+#endif	/* RDATA_GENERIC_SSHFP_44_C */
diff --git a/lib/dns/rdata/generic/sshfp_44.h b/lib/dns/rdata/generic/sshfp_44.h
new file mode 100644
index 00000000..ccdefd4e
--- /dev/null
+++ b/lib/dns/rdata/generic/sshfp_44.h
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2003  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: sshfp_44.h,v 1.1.8.2 2004/03/06 08:14:13 marka Exp $ */
+
+/* draft-ietf-secsh-dns-05.txt */
+
+#ifndef GENERIC_SSHFP_44_H
+#define GENERIC_SSHFP_44_H 1
+
+typedef struct dns_rdata_sshfp {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	isc_uint8_t		algorithm;
+	isc_uint8_t		digest_type;
+	isc_uint16_t		length;
+	unsigned char		*digest;
+} dns_rdata_sshfp_t;
+
+#endif /* GENERIC_SSHFP_44_H */
diff --git a/lib/dns/rdata/generic/tkey_249.c b/lib/dns/rdata/generic/tkey_249.c
index 64ff3d1d..da631676 100644
--- a/lib/dns/rdata/generic/tkey_249.c
+++ b/lib/dns/rdata/generic/tkey_249.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
+ * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tkey_249.c,v 1.48.2.3 2004/03/09 06:11:34 marka Exp $ */
+/* $Id: tkey_249.c,v 1.48.2.1.2.6 2004/03/08 09:04:42 marka Exp $ */
 
 /*
  * Reviewed: Thu Mar 16 17:35:30 PST 2000 by halley.
@@ -51,7 +51,7 @@ fromtext_tkey(ARGS_FROMTEXT) {
 	dns_name_init(&name, NULL);
 	buffer_fromregion(&buffer, &token.value.as_region);
 	origin = (origin != NULL) ? origin : dns_rootname;
-	RETTOK(dns_name_fromtext(&name, &buffer, origin, downcase, target));
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
 
 
 	/*
@@ -85,7 +85,7 @@ fromtext_tkey(ARGS_FROMTEXT) {
 	if (dns_tsigrcode_fromtext(&rcode, &token.value.as_textregion)
 				!= ISC_R_SUCCESS)
 	{
-		i = strtol(token.value.as_pointer, &e, 10);
+		i = strtol(DNS_AS_STR(token), &e, 10);
 		if (*e != 0)
 			RETTOK(DNS_R_UNKNOWN);
 		if (i < 0 || i > 0xffff)
@@ -126,7 +126,7 @@ fromtext_tkey(ARGS_FROMTEXT) {
 static inline isc_result_t
 totext_tkey(ARGS_TOTEXT) {
 	isc_region_t sr, dr;
-	char buf[sizeof "4294967295 "];
+	char buf[sizeof("4294967295 ")];
 	unsigned long n;
 	dns_name_t name;
 	dns_name_t prefix;
@@ -252,7 +252,7 @@ fromwire_tkey(ARGS_FROMWIRE) {
 	 * Algorithm.
 	 */
 	dns_name_init(&name, NULL);
-	RETERR(dns_name_fromwire(&name, source, dctx, downcase, target));
+	RETERR(dns_name_fromwire(&name, source, dctx, options, target));
 
 	/*
 	 * Inception: 4
@@ -340,7 +340,7 @@ compare_tkey(ARGS_COMPARE) {
 		return (order);
 	isc_region_consume(&r1, name_length(&name1));
 	isc_region_consume(&r2, name_length(&name2));
-	return (compare_region(&r1, &r2));
+	return (isc_region_compare(&r1, &r2));
 }
 
 static inline isc_result_t
@@ -527,4 +527,29 @@ digest_tkey(ARGS_DIGEST) {
 	return (ISC_R_NOTIMPLEMENTED);
 }
 
+static inline isc_boolean_t
+checkowner_tkey(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == 249);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_tkey(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == 249);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (ISC_TRUE);
+}
+
 #endif	/* RDATA_GENERIC_TKEY_249_C */
diff --git a/lib/dns/rdata/generic/tkey_249.h b/lib/dns/rdata/generic/tkey_249.h
index 20633083..8e0081cf 100644
--- a/lib/dns/rdata/generic/tkey_249.h
+++ b/lib/dns/rdata/generic/tkey_249.h
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -18,11 +18,11 @@
 #ifndef GENERIC_TKEY_249_H
 #define GENERIC_TKEY_249_H 1
 
-/* $Id: tkey_249.h,v 1.18.2.1 2004/03/09 06:11:34 marka Exp $ */
+/* $Id: tkey_249.h,v 1.18.206.2 2004/03/06 08:14:13 marka Exp $ */
 
 /* draft-ietf-dnsind-tkey-00.txt */
 
-typedef struct dns_rdata_key {
+typedef struct dns_rdata_tkey {
         dns_rdatacommon_t	common;
         isc_mem_t *		mctx;
         dns_name_t		algorithm;
diff --git a/lib/dns/rdata/generic/txt_16.c b/lib/dns/rdata/generic/txt_16.c
index 66070e64..631d7af5 100644
--- a/lib/dns/rdata/generic/txt_16.c
+++ b/lib/dns/rdata/generic/txt_16.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
+ * Copyright (C) 1998-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: txt_16.c,v 1.37.2.1 2004/03/09 06:11:34 marka Exp $ */
+/* $Id: txt_16.c,v 1.37.12.4 2004/03/08 09:04:42 marka Exp $ */
 
 /* Reviewed: Thu Mar 16 15:40:00 PST 2000 by bwelling */
 
@@ -34,7 +34,7 @@ fromtext_txt(ARGS_FROMTEXT) {
 	UNUSED(type);
 	UNUSED(rdclass);
 	UNUSED(origin);
-	UNUSED(downcase);
+	UNUSED(options);
 	UNUSED(callbacks);
 
 	strings = 0;
@@ -81,7 +81,7 @@ fromwire_txt(ARGS_FROMWIRE) {
 	UNUSED(type);
 	UNUSED(dctx);
 	UNUSED(rdclass);
-	UNUSED(downcase);
+	UNUSED(options);
 
 	do {
 		result = txt_fromwire(source, target);
@@ -119,7 +119,7 @@ compare_txt(ARGS_COMPARE) {
 
 	dns_rdata_toregion(rdata1, &r1);
 	dns_rdata_toregion(rdata2, &r2);
-	return (compare_region(&r1, &r2));
+	return (isc_region_compare(&r1, &r2));
 }
 
 static inline isc_result_t
@@ -210,4 +210,29 @@ digest_txt(ARGS_DIGEST) {
 	return ((digest)(arg, &r));
 }
 
+static inline isc_boolean_t
+checkowner_txt(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == 16);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_txt(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == 16);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (ISC_TRUE);
+}
+
 #endif	/* RDATA_GENERIC_TXT_16_C */
diff --git a/lib/dns/rdata/generic/txt_16.h b/lib/dns/rdata/generic/txt_16.h
index 7c91858f..db5019c1 100644
--- a/lib/dns/rdata/generic/txt_16.h
+++ b/lib/dns/rdata/generic/txt_16.h
@@ -18,7 +18,7 @@
 #ifndef GENERIC_TXT_16_H
 #define GENERIC_TXT_16_H 1
 
-/* $Id: txt_16.h,v 1.23.2.1 2004/03/09 06:11:34 marka Exp $ */
+/* $Id: txt_16.h,v 1.23.206.1 2004/03/06 08:14:14 marka Exp $ */
 
 typedef struct dns_rdata_txt_string {
                 isc_uint8_t    length;
diff --git a/lib/dns/rdata/generic/unspec_103.c b/lib/dns/rdata/generic/unspec_103.c
index 9bb00e6f..157e9a1c 100644
--- a/lib/dns/rdata/generic/unspec_103.c
+++ b/lib/dns/rdata/generic/unspec_103.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: unspec_103.c,v 1.28.2.2 2004/03/09 06:11:34 marka Exp $ */
+/* $Id: unspec_103.c,v 1.28.2.1.10.4 2004/03/08 09:04:43 marka Exp $ */
 
 #ifndef RDATA_GENERIC_UNSPEC_103_C
 #define RDATA_GENERIC_UNSPEC_103_C
@@ -30,7 +30,7 @@ fromtext_unspec(ARGS_FROMTEXT) {
 	UNUSED(type);
 	UNUSED(rdclass);
 	UNUSED(origin);
-	UNUSED(downcase);
+	UNUSED(options);
 	UNUSED(callbacks);
 
 	return (atob_tobuffer(lexer, target));
@@ -55,7 +55,7 @@ fromwire_unspec(ARGS_FROMWIRE) {
 	UNUSED(type);
 	UNUSED(rdclass);
 	UNUSED(dctx);
-	UNUSED(downcase);
+	UNUSED(options);
 
 	isc_buffer_activeregion(source, &sr);
 	isc_buffer_forward(source, sr.length);
@@ -83,7 +83,7 @@ compare_unspec(ARGS_COMPARE) {
 
 	dns_rdata_toregion(rdata1, &r1);
 	dns_rdata_toregion(rdata2, &r2);
-	return (compare_region(&r1, &r2));
+	return (isc_region_compare(&r1, &r2));
 }
 
 static inline isc_result_t
@@ -161,4 +161,29 @@ digest_unspec(ARGS_DIGEST) {
 	return ((digest)(arg, &r));
 }
 
+static inline isc_boolean_t
+checkowner_unspec(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == 103);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_unspec(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == 103);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (ISC_TRUE);
+}
+
 #endif	/* RDATA_GENERIC_UNSPEC_103_C */
diff --git a/lib/dns/rdata/generic/unspec_103.h b/lib/dns/rdata/generic/unspec_103.h
index ab1314ba..021e308d 100644
--- a/lib/dns/rdata/generic/unspec_103.h
+++ b/lib/dns/rdata/generic/unspec_103.h
@@ -18,7 +18,7 @@
 #ifndef GENERIC_UNSPEC_103_H
 #define GENERIC_UNSPEC_103_H 1
 
-/* $Id: unspec_103.h,v 1.12.2.1 2004/03/09 06:11:35 marka Exp $ */
+/* $Id: unspec_103.h,v 1.12.206.1 2004/03/06 08:14:14 marka Exp $ */
 
 typedef struct dns_rdata_unspec_t {
 	dns_rdatacommon_t	common;
diff --git a/lib/dns/rdata/generic/x25_19.c b/lib/dns/rdata/generic/x25_19.c
index 3b1c374a..2f123ad7 100644
--- a/lib/dns/rdata/generic/x25_19.c
+++ b/lib/dns/rdata/generic/x25_19.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: x25_19.c,v 1.31.2.1 2004/03/09 06:11:35 marka Exp $ */
+/* $Id: x25_19.c,v 1.31.12.4 2004/03/08 09:04:43 marka Exp $ */
 
 /* Reviewed: Thu Mar 16 16:15:57 PST 2000 by bwelling */
 
@@ -36,7 +36,7 @@ fromtext_x25(ARGS_FROMTEXT) {
 	UNUSED(type);
 	UNUSED(rdclass);
 	UNUSED(origin);
-	UNUSED(downcase);
+	UNUSED(options);
 	UNUSED(callbacks);
 
 	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_qstring,
@@ -72,7 +72,7 @@ fromwire_x25(ARGS_FROMWIRE) {
 	UNUSED(type);
 	UNUSED(dctx);
 	UNUSED(rdclass);
-	UNUSED(downcase);
+	UNUSED(options);
 
 	isc_buffer_activeregion(source, &sr);
 	if (sr.length < 5)
@@ -103,7 +103,7 @@ compare_x25(ARGS_COMPARE) {
 
 	dns_rdata_toregion(rdata1, &r1);
 	dns_rdata_toregion(rdata2, &r2);
-	return (compare_region(&r1, &r2));
+	return (isc_region_compare(&r1, &r2));
 }
 
 static inline isc_result_t
@@ -191,4 +191,29 @@ digest_x25(ARGS_DIGEST) {
 	return ((digest)(arg, &r));
 }
 
+static inline isc_boolean_t
+checkowner_x25(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == 19);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_x25(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == 19);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (ISC_TRUE);
+}
+
 #endif	/* RDATA_GENERIC_X25_19_C */
diff --git a/lib/dns/rdata/generic/x25_19.h b/lib/dns/rdata/generic/x25_19.h
index 9a7bbf1f..bcb74cf6 100644
--- a/lib/dns/rdata/generic/x25_19.h
+++ b/lib/dns/rdata/generic/x25_19.h
@@ -18,7 +18,7 @@
 #ifndef GENERIC_X25_19_H
 #define GENERIC_X25_19_H 1
 
-/* $Id: x25_19.h,v 1.13.2.1 2004/03/09 06:11:35 marka Exp $ */
+/* $Id: x25_19.h,v 1.13.206.1 2004/03/06 08:14:14 marka Exp $ */
 
 /* RFC 1183 */
 
diff --git a/lib/dns/rdata/hs_4/a_1.c b/lib/dns/rdata/hs_4/a_1.c
index 7a1ddd24..07d6adcd 100644
--- a/lib/dns/rdata/hs_4/a_1.c
+++ b/lib/dns/rdata/hs_4/a_1.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: a_1.c,v 1.25.2.1 2004/03/09 06:11:35 marka Exp $ */
+/* $Id: a_1.c,v 1.25.12.4 2004/03/08 09:04:43 marka Exp $ */
 
 /* reviewed: Thu Mar 16 15:58:36 PST 2000 by brister */
 
@@ -37,13 +37,13 @@ fromtext_hs_a(ARGS_FROMTEXT) {
 
 	UNUSED(type);
 	UNUSED(origin);
-	UNUSED(downcase);
+	UNUSED(options);
 	UNUSED(rdclass);
 
 	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
 				      ISC_FALSE));
 
-	if (getquad(token.value.as_pointer, &addr, lexer, callbacks) != 1)
+	if (getquad(DNS_AS_STR(token), &addr, lexer, callbacks) != 1)
 		RETTOK(DNS_R_BADDOTTEDQUAD);
 	isc_buffer_availableregion(target, &region);
 	if (region.length < 4)
@@ -77,7 +77,7 @@ fromwire_hs_a(ARGS_FROMWIRE) {
 
 	UNUSED(type);
 	UNUSED(dctx);
-	UNUSED(downcase);
+	UNUSED(options);
 	UNUSED(rdclass);
 
 	isc_buffer_activeregion(source, &sregion);
@@ -202,4 +202,31 @@ digest_hs_a(ARGS_DIGEST) {
 	return ((digest)(arg, &r));
 }
 
+static inline isc_boolean_t
+checkowner_hs_a(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == 1);
+	REQUIRE(rdclass == 4);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_hs_a(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == 1);
+	REQUIRE(rdata->rdclass == 4);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (ISC_TRUE);
+}
+
 #endif	/* RDATA_HS_4_A_1_C */
diff --git a/lib/dns/rdata/hs_4/a_1.h b/lib/dns/rdata/hs_4/a_1.h
index f07582f4..c06c648a 100644
--- a/lib/dns/rdata/hs_4/a_1.h
+++ b/lib/dns/rdata/hs_4/a_1.h
@@ -18,7 +18,7 @@
 #ifndef HS_4_A_1_H
 #define HS_4_A_1_H 1
 
-/* $Id: a_1.h,v 1.7.2.1 2004/03/09 06:11:35 marka Exp $ */
+/* $Id: a_1.h,v 1.7.206.1 2004/03/06 08:14:15 marka Exp $ */
 
 typedef struct dns_rdata_hs_a {
 	dns_rdatacommon_t	common;
diff --git a/lib/dns/rdata/in_1/a6_38.c b/lib/dns/rdata/in_1/a6_38.c
index bf9cab30..ded70c12 100644
--- a/lib/dns/rdata/in_1/a6_38.c
+++ b/lib/dns/rdata/in_1/a6_38.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
+ * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: a6_38.c,v 1.46.2.3 2004/03/09 06:11:35 marka Exp $ */
+/* $Id: a6_38.c,v 1.46.2.1.2.5 2004/03/08 09:04:43 marka Exp $ */
 
 /* RFC2874 */
 
@@ -35,6 +35,7 @@ fromtext_in_a6(ARGS_FROMTEXT) {
 	unsigned char mask;
 	dns_name_t name;
 	isc_buffer_t buffer;
+	isc_boolean_t ok;
 
 	REQUIRE(type == 38);
 	REQUIRE(rdclass == 1);
@@ -68,7 +69,7 @@ fromtext_in_a6(ARGS_FROMTEXT) {
 		RETERR(isc_lex_getmastertoken(lexer, &token,
 					      isc_tokentype_string,
 					      ISC_FALSE));
-		if (inet_pton(AF_INET6, token.value.as_pointer, addr) != 1)
+		if (inet_pton(AF_INET6, DNS_AS_STR(token), addr) != 1)
 			RETTOK(DNS_R_BADAAAA);
 		mask = 0xff >> (prefixlen % 8);
 		addr[octets] &= mask;
@@ -83,7 +84,14 @@ fromtext_in_a6(ARGS_FROMTEXT) {
 	dns_name_init(&name, NULL);
 	buffer_fromregion(&buffer, &token.value.as_region);
 	origin = (origin != NULL) ? origin : dns_rootname;
-	RETTOK(dns_name_fromtext(&name, &buffer, origin, downcase, target));
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+	ok = ISC_TRUE;
+	if ((options & DNS_RDATA_CHECKNAMES) != 0)
+		ok = dns_name_ishostname(&name, ISC_FALSE);
+	if (!ok && (options & DNS_RDATA_CHECKNAMESFAIL) != 0)
+		RETTOK(DNS_R_BADNAME);
+	if (!ok && callbacks != NULL)
+		warn_badname(&name, lexer, callbacks);
 	return (ISC_R_SUCCESS);
 }
 
@@ -94,7 +102,7 @@ totext_in_a6(ARGS_TOTEXT) {
 	unsigned char prefixlen;
 	unsigned char octets;
 	unsigned char mask;
-	char buf[sizeof "128"];
+	char buf[sizeof("128")];
 	dns_name_t name;
 	dns_name_t prefix;
 	isc_boolean_t sub;
@@ -113,7 +121,7 @@ totext_in_a6(ARGS_TOTEXT) {
 
 	if (prefixlen != 128) {
 		octets = prefixlen/8;
-		memset(addr, 0, sizeof addr);
+		memset(addr, 0, sizeof(addr));
 		memcpy(&addr[octets], sr.base, 16 - octets);
 		mask = 0xff >> (prefixlen % 8);
 		addr[octets] &= mask;
@@ -180,7 +188,7 @@ fromwire_in_a6(ARGS_FROMWIRE) {
 		return (ISC_R_SUCCESS);
 
 	dns_name_init(&name, NULL);
-	return (dns_name_fromwire(&name, source, dctx, downcase, target));
+	return (dns_name_fromwire(&name, source, dctx, options, target));
 }
 
 static inline isc_result_t
@@ -412,4 +420,42 @@ digest_in_a6(ARGS_DIGEST) {
 	return (dns_name_digest(&name, digest, arg));
 }
 
+static inline isc_boolean_t
+checkowner_in_a6(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == 38);
+	REQUIRE(rdclass == 1);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	return (dns_name_ishostname(name, wildcard));
+}
+
+static inline isc_boolean_t
+checknames_in_a6(ARGS_CHECKNAMES) {
+	isc_region_t region;
+	dns_name_t name;
+	unsigned int prefixlen;
+
+	REQUIRE(rdata->type == 38);
+	REQUIRE(rdata->rdclass == 1);
+
+	UNUSED(owner);
+
+	dns_rdata_toregion(rdata, &region);
+	prefixlen = uint8_fromregion(&region);
+	if (prefixlen == 0)
+		return (ISC_TRUE);
+	isc_region_consume(&region, 1 + 16 - prefixlen / 8);
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &region);
+	if (!dns_name_ishostname(&name, ISC_FALSE)) {
+		if (bad != NULL)
+			dns_name_clone(&name, bad);
+		return (ISC_FALSE);
+	}
+	return (ISC_TRUE);
+}
+
 #endif	/* RDATA_IN_1_A6_38_C */
diff --git a/lib/dns/rdata/in_1/a6_38.h b/lib/dns/rdata/in_1/a6_38.h
index ca172922..9134cedb 100644
--- a/lib/dns/rdata/in_1/a6_38.h
+++ b/lib/dns/rdata/in_1/a6_38.h
@@ -18,7 +18,7 @@
 #ifndef IN_1_A6_38_H
 #define IN_1_A6_38_H 1
 
-/* $Id: a6_38.h,v 1.19.2.1 2004/03/09 06:11:36 marka Exp $ */
+/* $Id: a6_38.h,v 1.19.206.1 2004/03/06 08:14:15 marka Exp $ */
 
 /* RFC2874 */
 
diff --git a/lib/dns/rdata/in_1/a_1.c b/lib/dns/rdata/in_1/a_1.c
index 8037af82..30165c90 100644
--- a/lib/dns/rdata/in_1/a_1.c
+++ b/lib/dns/rdata/in_1/a_1.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
+ * Copyright (C) 1998-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: a_1.c,v 1.46.2.1 2004/03/09 06:11:36 marka Exp $ */
+/* $Id: a_1.c,v 1.46.12.5 2004/03/08 09:04:43 marka Exp $ */
 
 /* Reviewed: Thu Mar 16 16:52:50 PST 2000 by bwelling */
 
@@ -39,13 +39,13 @@ fromtext_in_a(ARGS_FROMTEXT) {
 
 	UNUSED(type);
 	UNUSED(origin);
-	UNUSED(downcase);
+	UNUSED(options);
 	UNUSED(rdclass);
 
 	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
 				      ISC_FALSE));
 
-	if (getquad(token.value.as_pointer, &addr, lexer, callbacks) != 1)
+	if (getquad(DNS_AS_STR(token), &addr, lexer, callbacks) != 1)
 		RETTOK(DNS_R_BADDOTTEDQUAD);
 	isc_buffer_availableregion(target, &region);
 	if (region.length < 4)
@@ -79,7 +79,7 @@ fromwire_in_a(ARGS_FROMWIRE) {
 
 	UNUSED(type);
 	UNUSED(dctx);
-	UNUSED(downcase);
+	UNUSED(options);
 	UNUSED(rdclass);
 
 	isc_buffer_activeregion(source, &sregion);
@@ -127,7 +127,7 @@ compare_in_a(ARGS_COMPARE) {
 
 	dns_rdata_toregion(rdata1, &r1);
 	dns_rdata_toregion(rdata2, &r2);
-	return (compare_region(&r1, &r2));
+	return (isc_region_compare(&r1, &r2));
 }
 
 static inline isc_result_t
@@ -208,4 +208,29 @@ digest_in_a(ARGS_DIGEST) {
 	return ((digest)(arg, &r));
 }
 
+static inline isc_boolean_t
+checkowner_in_a(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == 1);
+	REQUIRE(rdclass == 1);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	return (dns_name_ishostname(name, wildcard));
+}
+
+static inline isc_boolean_t
+checknames_in_a(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == 1);
+	REQUIRE(rdata->rdclass == 1);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (ISC_TRUE);
+}
+
 #endif	/* RDATA_IN_1_A_1_C */
diff --git a/lib/dns/rdata/in_1/a_1.h b/lib/dns/rdata/in_1/a_1.h
index 6eae26f1..34d74697 100644
--- a/lib/dns/rdata/in_1/a_1.h
+++ b/lib/dns/rdata/in_1/a_1.h
@@ -18,7 +18,7 @@
 #ifndef IN_1_A_1_H
 #define IN_1_A_1_H 1
 
-/* $Id: a_1.h,v 1.23.2.1 2004/03/09 06:11:36 marka Exp $ */
+/* $Id: a_1.h,v 1.23.206.1 2004/03/06 08:14:16 marka Exp $ */
 
 typedef struct dns_rdata_in_a {
 	dns_rdatacommon_t	common;
diff --git a/lib/dns/rdata/in_1/aaaa_28.c b/lib/dns/rdata/in_1/aaaa_28.c
index 02bac1fb..489fe015 100644
--- a/lib/dns/rdata/in_1/aaaa_28.c
+++ b/lib/dns/rdata/in_1/aaaa_28.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: aaaa_28.c,v 1.36.2.1 2004/03/09 06:11:36 marka Exp $ */
+/* $Id: aaaa_28.c,v 1.36.12.5 2004/03/08 09:04:44 marka Exp $ */
 
 /* Reviewed: Thu Mar 16 16:52:50 PST 2000 by bwelling */
 
@@ -39,14 +39,14 @@ fromtext_in_aaaa(ARGS_FROMTEXT) {
 
 	UNUSED(type);
 	UNUSED(origin);
-	UNUSED(downcase);
+	UNUSED(options);
 	UNUSED(rdclass);
 	UNUSED(callbacks);
 
 	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
 				      ISC_FALSE));
 
-	if (inet_pton(AF_INET6, token.value.as_pointer, addr) != 1)
+	if (inet_pton(AF_INET6, DNS_AS_STR(token), addr) != 1)
 		RETTOK(DNS_R_BADAAAA);
 	isc_buffer_availableregion(target, &region);
 	if (region.length < 16)
@@ -80,7 +80,7 @@ fromwire_in_aaaa(ARGS_FROMWIRE) {
 
 	UNUSED(type);
 	UNUSED(dctx);
-	UNUSED(downcase);
+	UNUSED(options);
 	UNUSED(rdclass);
 
 	isc_buffer_activeregion(source, &sregion);
@@ -128,7 +128,7 @@ compare_in_aaaa(ARGS_COMPARE) {
 
 	dns_rdata_toregion(rdata1, &r1);
 	dns_rdata_toregion(rdata2, &r2);
-	return (compare_region(&r1, &r2));
+	return (isc_region_compare(&r1, &r2));
 }
 
 static inline isc_result_t
@@ -205,4 +205,29 @@ digest_in_aaaa(ARGS_DIGEST) {
 	return ((digest)(arg, &r));
 }
 
+static inline isc_boolean_t
+checkowner_in_aaaa(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == 28);
+	REQUIRE(rdclass == 1);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	return (dns_name_ishostname(name, wildcard));
+}
+
+static inline isc_boolean_t
+checknames_in_aaaa(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == 28);
+	REQUIRE(rdata->rdclass == 1);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (ISC_TRUE);
+}
+
 #endif	/* RDATA_IN_1_AAAA_28_C */
diff --git a/lib/dns/rdata/in_1/aaaa_28.h b/lib/dns/rdata/in_1/aaaa_28.h
index ae4d523e..e8a93195 100644
--- a/lib/dns/rdata/in_1/aaaa_28.h
+++ b/lib/dns/rdata/in_1/aaaa_28.h
@@ -18,7 +18,7 @@
 #ifndef IN_1_AAAA_28_H
 #define IN_1_AAAA_28_H 1
 
-/* $Id: aaaa_28.h,v 1.16.2.1 2004/03/09 06:11:36 marka Exp $ */
+/* $Id: aaaa_28.h,v 1.16.206.1 2004/03/06 08:14:16 marka Exp $ */
 
 /* RFC 1886 */
 
diff --git a/lib/dns/rdata/in_1/apl_42.c b/lib/dns/rdata/in_1/apl_42.c
new file mode 100644
index 00000000..ac395698
--- /dev/null
+++ b/lib/dns/rdata/in_1/apl_42.c
@@ -0,0 +1,402 @@
+/*
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2002  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: apl_42.c,v 1.4.200.8 2004/03/16 12:38:15 marka Exp $ */
+
+/* RFC 3123 */
+
+#ifndef RDATA_IN_1_APL_42_C
+#define RDATA_IN_1_APL_42_C
+
+#define RRTYPE_APL_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_in_apl(ARGS_FROMTEXT) {
+	isc_token_t token;
+	unsigned char addr[16];
+	unsigned long afi;
+	isc_uint8_t prefix;
+	isc_uint8_t len;
+	isc_boolean_t neg;
+	char *cp, *ap, *slash;
+	int n;
+
+	REQUIRE(type == 42);
+	REQUIRE(rdclass == 1);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(callbacks);
+
+	do {
+		RETERR(isc_lex_getmastertoken(lexer, &token,
+					      isc_tokentype_string, ISC_TRUE));
+		if (token.type != isc_tokentype_string)
+			break;
+	
+		cp = DNS_AS_STR(token);
+		neg = ISC_TF(*cp == '!');
+		if (neg)
+			cp++;
+		afi = strtoul(cp, &ap, 10);
+		if (*ap++ != ':' || cp == ap)
+			RETTOK(DNS_R_SYNTAX);
+		if (afi > 0xffffU)
+			RETTOK(ISC_R_RANGE);
+		slash = strchr(ap, '/');
+		if (slash == NULL || slash == ap)
+			RETTOK(DNS_R_SYNTAX);
+		RETTOK(isc_parse_uint8(&prefix, slash + 1, 10));
+		switch (afi) {
+		case 1:
+			*slash = '\0';
+			n = inet_pton(AF_INET, ap, addr);
+			*slash = '/';
+			if (n != 1)
+				RETTOK(DNS_R_BADDOTTEDQUAD);
+			if (prefix > 32)
+				RETTOK(ISC_R_RANGE);
+			for (len = 4; len > 0; len--)
+				if (addr[len - 1] != 0)
+					break;
+			break;
+
+		case 2:
+			*slash = '\0';
+			n = inet_pton(AF_INET6, ap, addr);
+			*slash = '/';
+			if (n != 1)
+				RETTOK(DNS_R_BADAAAA);
+			if (prefix > 128)
+				RETTOK(ISC_R_RANGE);
+			for (len = 16; len > 0; len--)
+				if (addr[len - 1] != 0)
+					break;
+			break;
+
+		default:
+			RETTOK(ISC_R_NOTIMPLEMENTED);
+		}
+		RETERR(uint16_tobuffer(afi, target));
+		RETERR(uint8_tobuffer(prefix, target));
+		RETERR(uint8_tobuffer(len | ((neg) ? 0x80 : 0), target));
+		RETERR(mem_tobuffer(target, addr, len));
+	} while (1);
+
+	/*
+	 * Let upper layer handle eol/eof.
+	 */
+	isc_lex_ungettoken(lexer, &token);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_in_apl(ARGS_TOTEXT) {
+	isc_region_t sr;
+	isc_region_t ir;
+	isc_uint16_t afi;
+	isc_uint8_t prefix;
+	isc_uint8_t len;
+	isc_boolean_t neg;
+	unsigned char buf[16];
+	char txt[sizeof(" !64000")];
+	const char *sep = "";
+	int n;
+
+	REQUIRE(rdata->type == 42);
+	REQUIRE(rdata->rdclass == 1);
+
+	UNUSED(tctx);
+
+	dns_rdata_toregion(rdata, &sr);
+	ir.base = buf;
+	ir.length = sizeof(buf);
+
+	while (sr.length > 0) {
+		INSIST(sr.length >= 4);
+		afi = uint16_fromregion(&sr);
+		isc_region_consume(&sr, 2);
+		prefix = *sr.base;
+		isc_region_consume(&sr, 1);
+		len = (*sr.base & 0x7f);
+		neg = ISC_TF((*sr.base & 0x80) != 0);
+		isc_region_consume(&sr, 1);
+		INSIST(len <= sr.length);
+		n = snprintf(txt, sizeof(txt), "%s%s%u:", sep,
+			     neg ? "!": "", afi);
+		INSIST(n < (int)sizeof(txt));
+		RETERR(str_totext(txt, target));
+		switch (afi) {
+		case 1:
+			INSIST(len <= 4);
+			INSIST(prefix <= 32);
+			memset(buf, 0, sizeof(buf));
+			memcpy(buf, sr.base, len);
+			RETERR(inet_totext(AF_INET, &ir, target));
+			break;
+
+		case 2:
+			INSIST(len <= 16);
+			INSIST(prefix <= 128);
+			memset(buf, 0, sizeof(buf));
+			memcpy(buf, sr.base, len);
+			RETERR(inet_totext(AF_INET6, &ir, target));
+			break;
+
+		default:
+			return (ISC_R_NOTIMPLEMENTED);
+		}
+		n = snprintf(txt, sizeof(txt), "/%u", prefix);
+		INSIST(n < (int)sizeof(txt));
+		RETERR(str_totext(txt, target));
+		isc_region_consume(&sr, len);
+		sep = " ";
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+fromwire_in_apl(ARGS_FROMWIRE) {
+	isc_region_t sr, sr2;
+	isc_region_t tr;
+	isc_uint16_t afi;
+	isc_uint8_t prefix;
+	isc_uint8_t len;
+
+	REQUIRE(type == 42);
+	REQUIRE(rdclass == 1);
+
+	UNUSED(type);
+	UNUSED(dctx);
+	UNUSED(rdclass);
+	UNUSED(options);
+
+	isc_buffer_activeregion(source, &sr);
+	isc_buffer_availableregion(target, &tr);
+	if (sr.length > tr.length)
+		return (ISC_R_NOSPACE);
+	sr2 = sr;
+
+	/* Zero or more items */
+	while (sr.length > 0) {
+		if (sr.length < 4)
+			return (ISC_R_UNEXPECTEDEND);
+		afi = uint16_fromregion(&sr);
+		isc_region_consume(&sr, 2);
+		prefix = *sr.base;
+		isc_region_consume(&sr, 1);
+		len = (*sr.base & 0x7f);
+		isc_region_consume(&sr, 1);
+		if (len > sr.length)
+			return (ISC_R_UNEXPECTEDEND);
+		switch (afi) {
+		case 1:
+			if (prefix > 32 || len > 4)
+				return (ISC_R_RANGE);
+			break;
+		case 2:
+			if (prefix > 128 || len > 16)
+				return (ISC_R_RANGE);
+		}
+		if (len > 0 && sr.base[len - 1] == 0)
+			return (DNS_R_FORMERR);
+		isc_region_consume(&sr, len);
+	}
+	isc_buffer_forward(source, sr2.length);
+	return (mem_tobuffer(target, sr2.base, sr2.length));
+}
+
+static inline isc_result_t
+towire_in_apl(ARGS_TOWIRE) {
+	UNUSED(cctx);
+
+	REQUIRE(rdata->type == 42);
+	REQUIRE(rdata->rdclass == 1);
+
+	return (mem_tobuffer(target, rdata->data, rdata->length));
+}
+
+static inline int
+compare_in_apl(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == 42);
+	REQUIRE(rdata1->rdclass == 1);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_in_apl(ARGS_FROMSTRUCT) {
+	dns_rdata_in_apl_t *apl = source;
+	isc_buffer_t b;
+
+	REQUIRE(type == 42);
+	REQUIRE(rdclass == 1);
+	REQUIRE(source != NULL);
+	REQUIRE(apl->common.rdtype == type);
+	REQUIRE(apl->common.rdclass == rdclass);
+	REQUIRE(apl->apl != NULL || apl->apl_len == 0);
+	
+	isc_buffer_init(&b, apl->apl, apl->apl_len);
+	isc_buffer_add(&b, apl->apl_len);
+	isc_buffer_setactive(&b, apl->apl_len);
+	return(fromwire_in_apl(rdclass, type, &b, NULL, ISC_FALSE, target));
+}
+
+static inline isc_result_t
+tostruct_in_apl(ARGS_TOSTRUCT) {
+	dns_rdata_in_apl_t *apl = target;
+	isc_region_t r;
+
+	REQUIRE(rdata->type == 42);
+	REQUIRE(rdata->rdclass == 1);
+
+	apl->common.rdclass = rdata->rdclass;
+	apl->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&apl->common, link);
+
+	dns_rdata_toregion(rdata, &r);
+	apl->apl_len = r.length;
+	apl->apl = mem_maybedup(mctx, r.base, r.length);
+	if (apl->apl == NULL)
+		return (ISC_R_NOMEMORY);
+
+	apl->offset = 0;
+	apl->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_in_apl(ARGS_FREESTRUCT) {
+	dns_rdata_in_apl_t *apl = source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(apl->common.rdtype == 42);
+	REQUIRE(apl->common.rdclass == 1);
+
+	if (apl->mctx == NULL)
+		return;
+	if (apl->apl != NULL)
+		isc_mem_free(apl->mctx, apl->apl);
+	apl->mctx = NULL;
+}
+
+isc_result_t
+dns_rdata_apl_first(dns_rdata_in_apl_t *apl) {
+	REQUIRE(apl->common.rdtype == 42);
+	REQUIRE(apl->common.rdclass == 1);
+	REQUIRE(apl->apl != NULL || apl->apl_len == 0);
+
+	apl->offset = 0;
+	return ((apl->apl_len != 0) ? ISC_R_SUCCESS : ISC_R_NOMORE);
+}
+
+isc_result_t
+dns_rdata_apl_next(dns_rdata_in_apl_t *apl) {
+	REQUIRE(apl->common.rdtype == 42);
+	REQUIRE(apl->common.rdclass == 1);
+	REQUIRE(apl->apl != NULL || apl->apl_len == 0);
+
+	if (apl->offset + 3 < apl->apl_len)
+		return (ISC_R_NOMORE);
+	apl->offset += apl->apl[apl->offset + 3] & 0x7f;
+	return ((apl->offset >= apl->apl_len) ? ISC_R_SUCCESS : ISC_R_NOMORE);
+}
+
+isc_result_t
+dns_rdata_apl_current(dns_rdata_in_apl_t *apl, dns_rdata_apl_ent_t *ent) {
+
+	REQUIRE(apl->common.rdtype == 42);
+	REQUIRE(apl->common.rdclass == 1);
+	REQUIRE(ent != NULL);
+	REQUIRE(apl->apl != NULL || apl->apl_len == 0);
+
+	if (apl->offset >= apl->apl_len)
+		return (ISC_R_NOMORE);
+
+	ent->family = (apl->apl[apl->offset] << 8) + apl->apl[apl->offset + 1];
+	ent->prefix = apl->apl[apl->offset + 2];
+	ent->length = apl->apl[apl->offset + 3] & 0x7f;
+	ent->negative = ISC_TF((apl->apl[apl->offset + 3] & 0x80) != 0);
+	if (ent->length != 0)
+		ent->data = &apl->apl[apl->offset + 4];
+	else
+		ent->data = NULL;
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+additionaldata_in_apl(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == 42);
+	REQUIRE(rdata->rdclass == 1);
+
+	(void)add;
+	(void)arg;
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_in_apl(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == 42);
+	REQUIRE(rdata->rdclass == 1);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static inline isc_boolean_t
+checkowner_in_apl(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == 42);
+	REQUIRE(rdclass == 1);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (ISC_TRUE);
+}
+
+
+static inline isc_boolean_t
+checknames_in_apl(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == 42);
+	REQUIRE(rdata->rdclass == 1);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (ISC_TRUE);
+}
+
+#endif	/* RDATA_IN_1_APL_42_C */
diff --git a/lib/dns/rdata/in_1/apl_42.h b/lib/dns/rdata/in_1/apl_42.h
new file mode 100644
index 00000000..83309a60
--- /dev/null
+++ b/lib/dns/rdata/in_1/apl_42.h
@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2002  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef IN_1_APL_42_H
+#define IN_1_APL_42_H 1
+
+/* $Id: apl_42.h,v 1.1.202.3 2004/03/08 09:04:44 marka Exp $ */
+
+typedef struct dns_rdata_apl_ent {
+	isc_boolean_t	negative;
+	isc_uint16_t	family;
+	isc_uint8_t	prefix;
+	isc_uint8_t	length;
+	unsigned char	*data;
+} dns_rdata_apl_ent_t;
+
+typedef struct dns_rdata_in_apl {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	/* type & class specific elements */
+	unsigned char           *apl;
+        isc_uint16_t            apl_len;
+        /* private */
+        isc_uint16_t            offset;
+} dns_rdata_in_apl_t;
+
+/*
+ * ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS are already done
+ * via rdatastructpre.h and rdatastructsuf.h.
+ */
+
+isc_result_t
+dns_rdata_apl_first(dns_rdata_in_apl_t *);
+
+isc_result_t
+dns_rdata_apl_next(dns_rdata_in_apl_t *);
+
+isc_result_t
+dns_rdata_apl_current(dns_rdata_in_apl_t *, dns_rdata_apl_ent_t *);
+
+#endif /* IN_1_APL_42_H */
diff --git a/lib/dns/rdata/in_1/kx_36.c b/lib/dns/rdata/in_1/kx_36.c
index 870d7774..fee1e3d7 100644
--- a/lib/dns/rdata/in_1/kx_36.c
+++ b/lib/dns/rdata/in_1/kx_36.c
@@ -15,14 +15,14 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: kx_36.c,v 1.37.2.3 2004/03/09 06:11:37 marka Exp $ */
+/* $Id: kx_36.c,v 1.37.2.1.2.3 2004/03/06 08:14:17 marka Exp $ */
 
 /* Reviewed: Thu Mar 16 17:24:54 PST 2000 by explorer */
 
 /* RFC 2230 */
 
-#ifndef RDATA_GENERIC_KX_36_C
-#define RDATA_GENERIC_KX_36_C
+#ifndef RDATA_IN_1_KX_36_C
+#define RDATA_IN_1_KX_36_C
 
 #define RRTYPE_KX_ATTRIBUTES (0)
 
@@ -50,7 +50,7 @@ fromtext_in_kx(ARGS_FROMTEXT) {
 	dns_name_init(&name, NULL);
 	buffer_fromregion(&buffer, &token.value.as_region);
 	origin = (origin != NULL) ? origin : dns_rootname;
-	RETTOK(dns_name_fromtext(&name, &buffer, origin, downcase, target));
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
 	return (ISC_R_SUCCESS);
 }
 
@@ -60,7 +60,7 @@ totext_in_kx(ARGS_TOTEXT) {
 	dns_name_t name;
 	dns_name_t prefix;
 	isc_boolean_t sub;
-	char buf[sizeof "64000"];
+	char buf[sizeof("64000")];
 	unsigned short num;
 
 	REQUIRE(rdata->type == 36);
@@ -103,7 +103,7 @@ fromwire_in_kx(ARGS_FROMWIRE) {
 		return (ISC_R_UNEXPECTEDEND);
 	RETERR(mem_tobuffer(target, sregion.base, 2));
 	isc_buffer_forward(source, 2);
-	return (dns_name_fromwire(&name, source, dctx, downcase, target));
+	return (dns_name_fromwire(&name, source, dctx, options, target));
 }
 
 static inline isc_result_t
@@ -258,4 +258,31 @@ digest_in_kx(ARGS_DIGEST) {
 	return (dns_name_digest(&name, digest, arg));
 }
 
-#endif	/* RDATA_GENERIC_KX_36_C */
+static inline isc_boolean_t
+checkowner_in_kx(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == 36);
+	REQUIRE(rdclass == 1);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_in_kx(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == 36);
+	REQUIRE(rdata->rdclass == 1);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (ISC_TRUE);
+}
+
+#endif	/* RDATA_IN_1_KX_36_C */
diff --git a/lib/dns/rdata/in_1/kx_36.h b/lib/dns/rdata/in_1/kx_36.h
index 2fc1c128..5ac328d9 100644
--- a/lib/dns/rdata/in_1/kx_36.h
+++ b/lib/dns/rdata/in_1/kx_36.h
@@ -18,7 +18,7 @@
 #ifndef IN_1_KX_36_H
 #define IN_1_KX_36_H 1
 
-/* $Id: kx_36.h,v 1.15.2.1 2004/03/09 06:11:37 marka Exp $ */
+/* $Id: kx_36.h,v 1.15.206.1 2004/03/06 08:14:17 marka Exp $ */
 
 /* RFC 2230 */
 
diff --git a/lib/dns/rdata/in_1/naptr_35.c b/lib/dns/rdata/in_1/naptr_35.c
index 25726232..f3c93c7c 100644
--- a/lib/dns/rdata/in_1/naptr_35.c
+++ b/lib/dns/rdata/in_1/naptr_35.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: naptr_35.c,v 1.43.2.3 2004/03/09 06:11:37 marka Exp $ */
+/* $Id: naptr_35.c,v 1.43.2.1.2.3 2004/03/06 08:14:17 marka Exp $ */
 
 /* Reviewed: Thu Mar 16 16:52:50 PST 2000 by bwelling */
 
@@ -86,7 +86,7 @@ fromtext_in_naptr(ARGS_FROMTEXT) {
 	dns_name_init(&name, NULL);
 	buffer_fromregion(&buffer, &token.value.as_region);
 	origin = (origin != NULL) ? origin : dns_rootname;
-	RETTOK(dns_name_fromtext(&name, &buffer, origin, downcase, target));
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
 	return (ISC_R_SUCCESS);
 }
 
@@ -96,7 +96,7 @@ totext_in_naptr(ARGS_TOTEXT) {
 	dns_name_t name;
 	dns_name_t prefix;
 	isc_boolean_t sub;
-	char buf[sizeof "64000"];
+	char buf[sizeof("64000")];
 	unsigned short num;
 
 	REQUIRE(rdata->type == 35);
@@ -194,7 +194,7 @@ fromwire_in_naptr(ARGS_FROMWIRE) {
 	/*
 	 * Replacement.
 	 */
-	return (dns_name_fromwire(&name, source, dctx, downcase, target));
+	return (dns_name_fromwire(&name, source, dctx, options, target));
 }
 
 static inline isc_result_t
@@ -548,4 +548,31 @@ digest_in_naptr(ARGS_DIGEST) {
 	return (dns_name_digest(&name, digest, arg));
 }
 
+static inline isc_boolean_t
+checkowner_in_naptr(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == 35);
+	REQUIRE(rdclass == 1);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_in_naptr(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == 35);
+	REQUIRE(rdata->rdclass == 1);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (ISC_TRUE);
+}
+
 #endif	/* RDATA_IN_1_NAPTR_35_C */
diff --git a/lib/dns/rdata/in_1/naptr_35.h b/lib/dns/rdata/in_1/naptr_35.h
index c89d6dad..b1deb2ce 100644
--- a/lib/dns/rdata/in_1/naptr_35.h
+++ b/lib/dns/rdata/in_1/naptr_35.h
@@ -18,7 +18,7 @@
 #ifndef IN_1_NAPTR_35_H
 #define IN_1_NAPTR_35_H 1
 
-/* $Id: naptr_35.h,v 1.18.2.1 2004/03/09 06:11:37 marka Exp $ */
+/* $Id: naptr_35.h,v 1.18.206.1 2004/03/06 08:14:17 marka Exp $ */
 
 /* RFC 2915 */
 
diff --git a/lib/dns/rdata/in_1/nsap-ptr_23.c b/lib/dns/rdata/in_1/nsap-ptr_23.c
index d2bfc4a0..0fa0fb25 100644
--- a/lib/dns/rdata/in_1/nsap-ptr_23.c
+++ b/lib/dns/rdata/in_1/nsap-ptr_23.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nsap-ptr_23.c,v 1.32.2.1 2004/03/09 06:11:37 marka Exp $ */
+/* $Id: nsap-ptr_23.c,v 1.32.206.2 2004/03/06 08:14:17 marka Exp $ */
 
 /* Reviewed: Fri Mar 17 10:16:02 PST 2000 by gson */
 
@@ -45,7 +45,7 @@ fromtext_in_nsap_ptr(ARGS_FROMTEXT) {
 	dns_name_init(&name, NULL);
 	buffer_fromregion(&buffer, &token.value.as_region);
 	origin = (origin != NULL) ? origin : dns_rootname;
-	RETTOK(dns_name_fromtext(&name, &buffer, origin, downcase, target));
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
 	return (ISC_R_SUCCESS);
 }
 
@@ -84,7 +84,7 @@ fromwire_in_nsap_ptr(ARGS_FROMWIRE) {
 	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
 
         dns_name_init(&name, NULL);
-        return (dns_name_fromwire(&name, source, dctx, downcase, target));
+        return (dns_name_fromwire(&name, source, dctx, options, target));
 }
 
 static inline isc_result_t
@@ -215,4 +215,31 @@ digest_in_nsap_ptr(ARGS_DIGEST) {
 	return (dns_name_digest(&name, digest, arg));
 }
 
+static inline isc_boolean_t
+checkowner_in_nsap_ptr(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == 23);
+	REQUIRE(rdclass == 1);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_in_nsap_ptr(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == 23);
+	REQUIRE(rdata->rdclass == 1);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (ISC_TRUE);
+}
+
 #endif	/* RDATA_IN_1_NSAP_PTR_23_C */
diff --git a/lib/dns/rdata/in_1/nsap-ptr_23.h b/lib/dns/rdata/in_1/nsap-ptr_23.h
index 1144e6ec..9bf3c656 100644
--- a/lib/dns/rdata/in_1/nsap-ptr_23.h
+++ b/lib/dns/rdata/in_1/nsap-ptr_23.h
@@ -18,7 +18,7 @@
 #ifndef IN_1_NSAP_PTR_23_H
 #define IN_1_NSAP_PTR_23_H 1
 
-/* $Id: nsap-ptr_23.h,v 1.14.2.1 2004/03/09 06:11:38 marka Exp $ */
+/* $Id: nsap-ptr_23.h,v 1.14.206.1 2004/03/06 08:14:18 marka Exp $ */
 
 /* RFC 1348.  Obsoleted in RFC 1706 - use PTR instead. */
 
diff --git a/lib/dns/rdata/in_1/nsap_22.c b/lib/dns/rdata/in_1/nsap_22.c
index d3c7c709..594b97fb 100644
--- a/lib/dns/rdata/in_1/nsap_22.c
+++ b/lib/dns/rdata/in_1/nsap_22.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nsap_22.c,v 1.33.2.1 2004/03/09 06:11:38 marka Exp $ */
+/* $Id: nsap_22.c,v 1.33.12.5 2004/03/08 09:04:44 marka Exp $ */
 
 /* Reviewed: Fri Mar 17 10:41:07 PST 2000 by gson */
 
@@ -39,7 +39,7 @@ fromtext_in_nsap(ARGS_FROMTEXT) {
 
 	UNUSED(type);
 	UNUSED(origin);
-	UNUSED(downcase);
+	UNUSED(options);
 	UNUSED(rdclass);
 	UNUSED(callbacks);
 
@@ -77,7 +77,7 @@ fromtext_in_nsap(ARGS_FROMTEXT) {
 static inline isc_result_t
 totext_in_nsap(ARGS_TOTEXT) {
 	isc_region_t region;
-	char buf[sizeof "xx"];
+	char buf[sizeof("xx")];
 
 	REQUIRE(rdata->type == 22);
 	REQUIRE(rdata->rdclass == 1);
@@ -104,7 +104,7 @@ fromwire_in_nsap(ARGS_FROMWIRE) {
 
 	UNUSED(type);
 	UNUSED(dctx);
-	UNUSED(downcase);
+	UNUSED(options);
 	UNUSED(rdclass);
 
 	isc_buffer_activeregion(source, &region);
@@ -141,7 +141,7 @@ compare_in_nsap(ARGS_COMPARE) {
 
 	dns_rdata_toregion(rdata1, &r1);
 	dns_rdata_toregion(rdata2, &r2);
-	return (compare_region(&r1, &r2));
+	return (isc_region_compare(&r1, &r2));
 }
 
 static inline isc_result_t
@@ -225,4 +225,31 @@ digest_in_nsap(ARGS_DIGEST) {
 	return ((digest)(arg, &r));
 }
 
+static inline isc_boolean_t
+checkowner_in_nsap(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == 22);
+	REQUIRE(rdclass == 1);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_in_nsap(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == 22);
+	REQUIRE(rdata->rdclass == 1);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (ISC_TRUE);
+}
+
 #endif	/* RDATA_IN_1_NSAP_22_C */
diff --git a/lib/dns/rdata/in_1/nsap_22.h b/lib/dns/rdata/in_1/nsap_22.h
index dc811cae..64674335 100644
--- a/lib/dns/rdata/in_1/nsap_22.h
+++ b/lib/dns/rdata/in_1/nsap_22.h
@@ -18,7 +18,7 @@
 #ifndef IN_1_NSAP_22_H
 #define IN_1_NSAP_22_H 1
 
-/* $Id: nsap_22.h,v 1.13.2.1 2004/03/09 06:11:38 marka Exp $ */
+/* $Id: nsap_22.h,v 1.13.206.1 2004/03/06 08:14:18 marka Exp $ */
 
 /* RFC 1706 */
 
diff --git a/lib/dns/rdata/in_1/px_26.c b/lib/dns/rdata/in_1/px_26.c
index 4b29c8d2..66214dd4 100644
--- a/lib/dns/rdata/in_1/px_26.c
+++ b/lib/dns/rdata/in_1/px_26.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: px_26.c,v 1.34.2.3 2004/03/09 06:11:38 marka Exp $ */
+/* $Id: px_26.c,v 1.34.2.1.2.4 2004/03/06 08:14:18 marka Exp $ */
 
 /* Reviewed: Mon Mar 20 10:44:27 PST 2000 */
 
@@ -56,7 +56,7 @@ fromtext_in_px(ARGS_FROMTEXT) {
 	dns_name_init(&name, NULL);
 	buffer_fromregion(&buffer, &token.value.as_region);
 	origin = (origin != NULL) ? origin : dns_rootname;
-	RETTOK(dns_name_fromtext(&name, &buffer, origin, downcase, target));
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
 
 	/*
 	 * MAPX400.
@@ -66,7 +66,7 @@ fromtext_in_px(ARGS_FROMTEXT) {
 	dns_name_init(&name, NULL);
 	buffer_fromregion(&buffer, &token.value.as_region);
 	origin = (origin != NULL) ? origin : dns_rootname;
-	RETTOK(dns_name_fromtext(&name, &buffer, origin, downcase, target));
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
 	return (ISC_R_SUCCESS);
 }
 
@@ -76,7 +76,7 @@ totext_in_px(ARGS_TOTEXT) {
 	dns_name_t name;
 	dns_name_t prefix;
 	isc_boolean_t sub;
-	char buf[sizeof "64000"];
+	char buf[sizeof("64000")];
 	unsigned short num;
 
 	REQUIRE(rdata->type == 26);
@@ -140,12 +140,12 @@ fromwire_in_px(ARGS_FROMWIRE) {
 	/*
 	 * MAP822.
 	 */
-	RETERR(dns_name_fromwire(&name, source, dctx, downcase, target));
+	RETERR(dns_name_fromwire(&name, source, dctx, options, target));
 
 	/*
 	 * MAPX400.
 	 */
-	return (dns_name_fromwire(&name, source, dctx, downcase, target));
+	return (dns_name_fromwire(&name, source, dctx, options, target));
 }
 
 static inline isc_result_t
@@ -344,4 +344,31 @@ digest_in_px(ARGS_DIGEST) {
 	return (dns_name_digest(&name, digest, arg));
 }
 
+static inline isc_boolean_t
+checkowner_in_px(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == 26);
+	REQUIRE(rdclass == 1);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_in_px(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == 26);
+	REQUIRE(rdata->rdclass == 1);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (ISC_TRUE);
+}
+
 #endif	/* RDATA_IN_1_PX_26_C */
diff --git a/lib/dns/rdata/in_1/px_26.h b/lib/dns/rdata/in_1/px_26.h
index 07ae28d6..79d4b189 100644
--- a/lib/dns/rdata/in_1/px_26.h
+++ b/lib/dns/rdata/in_1/px_26.h
@@ -18,7 +18,7 @@
 #ifndef IN_1_PX_26_H
 #define IN_1_PX_26_H 1
 
-/* $Id: px_26.h,v 1.14.2.1 2004/03/09 06:11:38 marka Exp $ */
+/* $Id: px_26.h,v 1.14.206.1 2004/03/06 08:14:18 marka Exp $ */
 
 /* RFC 2163 */
 
diff --git a/lib/dns/rdata/in_1/srv_33.c b/lib/dns/rdata/in_1/srv_33.c
index 8f02fca8..7bcba1b7 100644
--- a/lib/dns/rdata/in_1/srv_33.c
+++ b/lib/dns/rdata/in_1/srv_33.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: srv_33.c,v 1.36.2.3 2004/03/09 06:11:38 marka Exp $ */
+/* $Id: srv_33.c,v 1.36.2.1.2.4 2004/03/06 08:14:18 marka Exp $ */
 
 /* Reviewed: Fri Mar 17 13:01:00 PST 2000 by bwelling */
 
@@ -31,6 +31,7 @@ fromtext_in_srv(ARGS_FROMTEXT) {
 	isc_token_t token;
 	dns_name_t name;
 	isc_buffer_t buffer;
+	isc_boolean_t ok;
 
 	REQUIRE(type == 33);
 	REQUIRE(rdclass == 1);
@@ -74,7 +75,14 @@ fromtext_in_srv(ARGS_FROMTEXT) {
 	dns_name_init(&name, NULL);
 	buffer_fromregion(&buffer, &token.value.as_region);
 	origin = (origin != NULL) ? origin : dns_rootname;
-	RETTOK(dns_name_fromtext(&name, &buffer, origin, downcase, target));
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+	ok = ISC_TRUE;
+	if ((options & DNS_RDATA_CHECKNAMES) != 0)
+		ok = dns_name_ishostname(&name, ISC_FALSE);
+	if (!ok && (options & DNS_RDATA_CHECKNAMESFAIL) != 0)
+		RETTOK(DNS_R_BADNAME);
+	if (!ok && callbacks != NULL)
+		warn_badname(&name, lexer, callbacks);
 	return (ISC_R_SUCCESS);
 }
 
@@ -84,7 +92,7 @@ totext_in_srv(ARGS_TOTEXT) {
 	dns_name_t name;
 	dns_name_t prefix;
 	isc_boolean_t sub;
-	char buf[sizeof "64000"];
+	char buf[sizeof("64000")];
 	unsigned short num;
 
 	REQUIRE(rdata->type == 33);
@@ -157,7 +165,7 @@ fromwire_in_srv(ARGS_FROMWIRE) {
 	/*
 	 * Target.
 	 */
-	return (dns_name_fromwire(&name, source, dctx, downcase, target));
+	return (dns_name_fromwire(&name, source, dctx, options, target));
 }
 
 static inline isc_result_t
@@ -326,4 +334,40 @@ digest_in_srv(ARGS_DIGEST) {
 	return (dns_name_digest(&name, digest, arg));
 }
 
+static inline isc_boolean_t
+checkowner_in_srv(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == 33);
+	REQUIRE(rdclass == 1);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_in_srv(ARGS_CHECKNAMES) {
+	isc_region_t region;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == 33);
+	REQUIRE(rdata->rdclass == 1);
+
+	UNUSED(owner);
+
+	dns_rdata_toregion(rdata, &region);
+	isc_region_consume(&region, 6);
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &region);
+	if (!dns_name_ishostname(&name, ISC_FALSE)) {
+		if (bad != NULL)
+			dns_name_clone(&name, bad);
+		return (ISC_FALSE);
+	}
+	return (ISC_TRUE);
+}
+
 #endif	/* RDATA_IN_1_SRV_33_C */
diff --git a/lib/dns/rdata/in_1/srv_33.h b/lib/dns/rdata/in_1/srv_33.h
index 1b4fbdc0..91dbf373 100644
--- a/lib/dns/rdata/in_1/srv_33.h
+++ b/lib/dns/rdata/in_1/srv_33.h
@@ -18,7 +18,7 @@
 #ifndef IN_1_SRV_33_H
 #define IN_1_SRV_33_H 1
 
-/* $Id: srv_33.h,v 1.14.2.1 2004/03/09 06:11:38 marka Exp $ */
+/* $Id: srv_33.h,v 1.14.206.1 2004/03/06 08:14:19 marka Exp $ */
 
 /* Reviewed: Fri Mar 17 13:01:00 PST 2000 by bwelling */
 
diff --git a/lib/dns/rdata/in_1/wks_11.c b/lib/dns/rdata/in_1/wks_11.c
index e47cf04d..91b30e4a 100644
--- a/lib/dns/rdata/in_1/wks_11.c
+++ b/lib/dns/rdata/in_1/wks_11.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: wks_11.c,v 1.44.2.2 2004/09/16 01:00:39 marka Exp $ */
+/* $Id: wks_11.c,v 1.44.12.7 2004/03/08 09:04:44 marka Exp $ */
 
 /* Reviewed: Fri Mar 17 15:01:49 PST 2000 by explorer */
 
@@ -52,7 +52,7 @@ fromtext_in_wks(ARGS_FROMTEXT) {
 
 	UNUSED(type);
 	UNUSED(origin);
-	UNUSED(downcase);
+	UNUSED(options);
 	UNUSED(rdclass);
 
 	/*
@@ -62,7 +62,7 @@ fromtext_in_wks(ARGS_FROMTEXT) {
 				      ISC_FALSE));
 
 	isc_buffer_availableregion(target, &region);
-	if (getquad(token.value.as_pointer, &addr, lexer, callbacks) != 1)
+	if (getquad(DNS_AS_STR(token), &addr, lexer, callbacks) != 1)
 		RETTOK(DNS_R_BADDOTTEDQUAD);
 	if (region.length < 4)
 		return (ISC_R_NOSPACE);
@@ -75,10 +75,10 @@ fromtext_in_wks(ARGS_FROMTEXT) {
 	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
 				      ISC_FALSE));
 
-	proto = strtol(token.value.as_pointer, &e, 10);
+	proto = strtol(DNS_AS_STR(token), &e, 10);
 	if (*e == 0)
 		;
-	else if ((pe = getprotobyname(token.value.as_pointer)) != NULL)
+	else if ((pe = getprotobyname(DNS_AS_STR(token))) != NULL)
 		proto = pe->p_proto;
 	else
 		RETTOK(DNS_R_UNKNOWNPROTO);
@@ -92,7 +92,7 @@ fromtext_in_wks(ARGS_FROMTEXT) {
 
 	RETERR(uint8_tobuffer(proto, target));
 
-	memset(bm, 0, sizeof bm);
+	memset(bm, 0, sizeof(bm));
 	do {
 		RETERR(isc_lex_getmastertoken(lexer, &token,
 					      isc_tokentype_string, ISC_TRUE));
@@ -103,18 +103,18 @@ fromtext_in_wks(ARGS_FROMTEXT) {
 		 * Lowercase the service string as some getservbyname() are
 		 * case sensitive and the database is usually in lowercase.
 		 */
-		strncpy(service, token.value.as_pointer, sizeof(service));
+		strncpy(service, DNS_AS_STR(token), sizeof(service));
 		service[sizeof(service)-1] = '\0';
 		for (i = strlen(service) - 1; i >= 0; i--)
 			if (isupper(service[i]&0xff))
-				service[i] = tolower(service[i]&0xff);
+				service[i] = tolower(service[i]);
 
-		port = strtol(token.value.as_pointer, &e, 10);
+		port = strtol(DNS_AS_STR(token), &e, 10);
 		if (*e == 0)
 			;
 		else if ((se = getservbyname(service, ps)) != NULL)
 			port = ntohs(se->s_port);
-		else if ((se = getservbyname(token.value.as_pointer, ps))
+		else if ((se = getservbyname(DNS_AS_STR(token), ps))
 			  != NULL)
 			port = ntohs(se->s_port);
 		else
@@ -139,7 +139,7 @@ static inline isc_result_t
 totext_in_wks(ARGS_TOTEXT) {
 	isc_region_t sr;
 	unsigned short proto;
-	char buf[sizeof "65535"];
+	char buf[sizeof("65535")];
 	unsigned int i, j;
 
 	UNUSED(tctx);
@@ -158,9 +158,9 @@ totext_in_wks(ARGS_TOTEXT) {
 	RETERR(str_totext(buf, target));
 	isc_region_consume(&sr, 1);
 
-	for (i = 0 ; i < sr.length ; i++) {
+	for (i = 0; i < sr.length; i++) {
 		if (sr.base[i] != 0)
-			for (j = 0 ; j < 8 ; j++)
+			for (j = 0; j < 8; j++)
 				if ((sr.base[i] & (0x80 >> j)) != 0) {
 					sprintf(buf, "%u", i * 8 + j);
 					RETERR(str_totext(" ", target));
@@ -181,7 +181,7 @@ fromwire_in_wks(ARGS_FROMWIRE) {
 
 	UNUSED(type);
 	UNUSED(dctx);
-	UNUSED(downcase);
+	UNUSED(options);
 	UNUSED(rdclass);
 
 	isc_buffer_activeregion(source, &sr);
@@ -229,7 +229,7 @@ compare_in_wks(ARGS_COMPARE) {
 
 	dns_rdata_toregion(rdata1, &r1);
 	dns_rdata_toregion(rdata2, &r2);
-	return (compare_region(&r1, &r2));
+	return (isc_region_compare(&r1, &r2));
 }
 
 static inline isc_result_t
@@ -321,4 +321,29 @@ digest_in_wks(ARGS_DIGEST) {
 	return ((digest)(arg, &r));
 }
 
+static inline isc_boolean_t
+checkowner_in_wks(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == 11);
+	REQUIRE(rdclass == 1);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	return (dns_name_ishostname(name, wildcard));
+}
+
+static inline isc_boolean_t
+checknames_in_wks(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == 11);
+	REQUIRE(rdata->rdclass == 1);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (ISC_TRUE);
+}
+
 #endif	/* RDATA_IN_1_WKS_11_C */
diff --git a/lib/dns/rdata/in_1/wks_11.h b/lib/dns/rdata/in_1/wks_11.h
index 74ab2191..e7342819 100644
--- a/lib/dns/rdata/in_1/wks_11.h
+++ b/lib/dns/rdata/in_1/wks_11.h
@@ -18,7 +18,7 @@
 #ifndef IN_1_WKS_11_H
 #define IN_1_WKS_11_H 1
 
-/* $Id: wks_11.h,v 1.19.2.1 2004/03/09 06:11:39 marka Exp $ */
+/* $Id: wks_11.h,v 1.19.206.1 2004/03/06 08:14:19 marka Exp $ */
 
 typedef	struct dns_rdata_in_wks {
 	dns_rdatacommon_t	common;
diff --git a/lib/dns/rdata/rdatastructpre.h b/lib/dns/rdata/rdatastructpre.h
index 83062a3b..19af8b45 100644
--- a/lib/dns/rdata/rdatastructpre.h
+++ b/lib/dns/rdata/rdatastructpre.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdatastructpre.h,v 1.13.2.1 2004/03/09 06:11:25 marka Exp $ */
+/* $Id: rdatastructpre.h,v 1.13.206.1 2004/03/06 08:14:02 marka Exp $ */
 
 #ifndef DNS_RDATASTRUCT_H
 #define DNS_RDATASTRUCT_H 1
diff --git a/lib/dns/rdata/rdatastructsuf.h b/lib/dns/rdata/rdatastructsuf.h
index b8e6825e..3eabff24 100644
--- a/lib/dns/rdata/rdatastructsuf.h
+++ b/lib/dns/rdata/rdatastructsuf.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdatastructsuf.h,v 1.7.2.1 2004/03/09 06:11:25 marka Exp $ */
+/* $Id: rdatastructsuf.h,v 1.7.206.1 2004/03/06 08:14:02 marka Exp $ */
 
 ISC_LANG_ENDDECLS
 
diff --git a/lib/dns/rdatalist.c b/lib/dns/rdatalist.c
index d3cf6aea..baa62e5e 100644
--- a/lib/dns/rdatalist.c
+++ b/lib/dns/rdatalist.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdatalist.c,v 1.25.2.3 2004/03/09 06:11:06 marka Exp $ */
+/* $Id: rdatalist.c,v 1.25.2.2.2.2 2004/03/08 02:07:56 marka Exp $ */
 
 #include <config.h>
 
@@ -23,6 +23,7 @@
 
 #include <isc/util.h>
 
+#include <dns/name.h>
 #include <dns/rdata.h>
 #include <dns/rdatalist.h>
 #include <dns/rdataset.h>
@@ -35,7 +36,9 @@ static dns_rdatasetmethods_t methods = {
 	isc__rdatalist_next,
 	isc__rdatalist_current,
 	isc__rdatalist_clone,
-	isc__rdatalist_count
+	isc__rdatalist_count,
+	isc__rdatalist_addnoqname,
+	isc__rdatalist_getnoqname
 };
 
 void
@@ -150,3 +153,72 @@ isc__rdatalist_count(dns_rdataset_t *rdataset) {
 
 	return (count);
 }
+
+isc_result_t
+isc__rdatalist_addnoqname(dns_rdataset_t *rdataset, dns_name_t *name) {
+	dns_rdataset_t *nsec = NULL;
+	dns_rdataset_t *nsecsig = NULL;
+	dns_rdataset_t *rdset;
+	dns_ttl_t ttl;
+
+	for (rdset = ISC_LIST_HEAD(name->list);
+	     rdset != NULL;
+	     rdset = ISC_LIST_NEXT(rdset, link))
+	{
+		if (rdset->rdclass != rdataset->rdclass)
+			continue;
+		if (rdset->type == dns_rdatatype_nsec)
+			nsec = rdset;
+		if (rdset->type == dns_rdatatype_rrsig &&
+		    rdset->covers == dns_rdatatype_nsec)
+			nsecsig = rdset;
+	}
+
+	if (nsec == NULL || nsecsig == NULL)
+		return (ISC_R_NOTFOUND);
+	/*
+	 * Minimise ttl.
+	 */
+	ttl = rdataset->ttl;
+	if (nsec->ttl < ttl)
+		ttl = nsec->ttl;
+	if (nsecsig->ttl < ttl)
+		ttl = nsecsig->ttl;
+	rdataset->ttl = nsec->ttl = nsecsig->ttl = ttl;
+	rdataset->attributes |= DNS_RDATASETATTR_NOQNAME;
+	rdataset->private6 = name;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc__rdatalist_getnoqname(dns_rdataset_t *rdataset, dns_name_t *name,
+			 dns_rdataset_t *nsec, dns_rdataset_t *nsecsig)
+{
+	dns_rdataclass_t rdclass = rdataset->rdclass;
+	dns_rdataset_t *tnsec = NULL;
+	dns_rdataset_t *tnsecsig = NULL;
+	dns_name_t *noqname = rdataset->private6;
+
+	REQUIRE((rdataset->attributes & DNS_RDATASETATTR_NOQNAME) != 0);
+	(void)dns_name_dynamic(noqname);	/* Sanity Check. */
+
+	for (rdataset = ISC_LIST_HEAD(noqname->list);
+	     rdataset != NULL;
+	     rdataset = ISC_LIST_NEXT(rdataset, link))
+	{
+		if (rdataset->rdclass != rdclass)
+			continue;
+		if (rdataset->type == dns_rdatatype_nsec)
+			tnsec = rdataset;
+		if (rdataset->type == dns_rdatatype_rrsig &&
+		    rdataset->covers == dns_rdatatype_nsec)
+			tnsecsig = rdataset;
+	}
+	if (tnsec == NULL || tnsecsig == NULL)
+		return (ISC_R_NOTFOUND);
+
+	dns_name_clone(noqname, name);
+	dns_rdataset_clone(tnsec, nsec);
+	dns_rdataset_clone(tnsecsig, nsecsig);
+	return (ISC_R_SUCCESS);
+}
diff --git a/lib/dns/rdatalist_p.h b/lib/dns/rdatalist_p.h
index ae814e19..3a7b52c2 100644
--- a/lib/dns/rdatalist_p.h
+++ b/lib/dns/rdatalist_p.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdatalist_p.h,v 1.3.2.1 2004/03/09 06:11:06 marka Exp $ */
+/* $Id: rdatalist_p.h,v 1.3.206.2 2004/03/08 02:07:56 marka Exp $ */
 
 #ifndef DNS_RDATALIST_P_H
 #define DNS_RDATALIST_P_H
@@ -43,6 +43,13 @@ isc__rdatalist_clone(dns_rdataset_t *source, dns_rdataset_t *target);
 unsigned int
 isc__rdatalist_count(dns_rdataset_t *rdataset);
 
+isc_result_t
+isc__rdatalist_addnoqname(dns_rdataset_t *rdataset, dns_name_t *name);
+
+isc_result_t
+isc__rdatalist_getnoqname(dns_rdataset_t *rdataset, dns_name_t *name,
+			  dns_rdataset_t *nsec, dns_rdataset_t *nsecsig);
+
 ISC_LANG_ENDDECLS
 
 #endif /* DNS_RDATALIST_P_H */
diff --git a/lib/dns/rdataset.c b/lib/dns/rdataset.c
index b46eb253..672777b0 100644
--- a/lib/dns/rdataset.c
+++ b/lib/dns/rdataset.c
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdataset.c,v 1.58.2.7 2006/03/02 00:37:17 marka Exp $ */
+/* $Id: rdataset.c,v 1.58.2.2.2.10 2004/03/08 09:04:31 marka Exp $ */
 
 #include <config.h>
 
@@ -50,11 +50,13 @@ dns_rdataset_init(dns_rdataset_t *rdataset) {
 	rdataset->trust = 0;
 	rdataset->covers = 0;
 	rdataset->attributes = 0;
+	rdataset->count = ISC_UINT32_MAX;
 	rdataset->private1 = NULL;
 	rdataset->private2 = NULL;
 	rdataset->private3 = NULL;
 	rdataset->privateuint4 = 0;
 	rdataset->private5 = NULL;
+	rdataset->private6 = NULL;
 }
 
 void
@@ -75,6 +77,7 @@ dns_rdataset_invalidate(dns_rdataset_t *rdataset) {
 	rdataset->trust = 0;
 	rdataset->covers = 0;
 	rdataset->attributes = 0;
+	rdataset->count = ISC_UINT32_MAX;
 	rdataset->private1 = NULL;
 	rdataset->private2 = NULL;
 	rdataset->private3 = NULL;
@@ -101,11 +104,13 @@ dns_rdataset_disassociate(dns_rdataset_t *rdataset) {
 	rdataset->trust = 0;
 	rdataset->covers = 0;
 	rdataset->attributes = 0;
+	rdataset->count = ISC_UINT32_MAX;
 	rdataset->private1 = NULL;
 	rdataset->private2 = NULL;
 	rdataset->private3 = NULL;
 	rdataset->privateuint4 = 0;
 	rdataset->private5 = NULL;
+	rdataset->private6 = NULL;
 }
 
 isc_boolean_t
@@ -167,7 +172,9 @@ static dns_rdatasetmethods_t question_methods = {
 	question_cursor,
 	question_current,
 	question_clone,
-	question_count
+	question_count,
+	NULL,
+	NULL
 };
 
 void
@@ -258,6 +265,7 @@ dns_rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata) {
 
 #define MAX_SHUFFLE	32
 #define WANT_FIXED(r)	(((r)->attributes & DNS_RDATASETATTR_FIXEDORDER) != 0)
+#define WANT_RANDOM(r)	(((r)->attributes & DNS_RDATASETATTR_RANDOMIZE) != 0)
 
 struct towire_sort {
 	int key;
@@ -272,16 +280,16 @@ towire_compare(const void *av, const void *bv) {
 }
 
 static isc_result_t
-towiresorted(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
+towiresorted(dns_rdataset_t *rdataset, dns_name_t *owner_name,
 	     dns_compress_t *cctx, isc_buffer_t *target,
-	     dns_rdatasetorderfunc_t order, const void *order_arg,
-	     isc_boolean_t partial, unsigned int *countp,
-	     void **state)
+	     dns_rdatasetorderfunc_t order, void *order_arg,
+	     isc_boolean_t partial, unsigned int options,
+	     unsigned int *countp, void **state)
 {
 	dns_rdata_t rdata = DNS_RDATA_INIT;
 	isc_region_t r;
 	isc_result_t result;
-	unsigned int i, count, added;
+	unsigned int i, count, added, choice;
 	isc_buffer_t savedbuffer, rdlen, rrbuffer;
 	unsigned int headlen;
 	isc_boolean_t question = ISC_FALSE;
@@ -311,7 +319,11 @@ towiresorted(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
 		/*
 		 * This is a negative caching rdataset.
 		 */
-		return (dns_ncache_towire(rdataset, cctx, target, countp));
+		unsigned int ncache_opts = 0;
+		if ((options & DNS_RDATASETTOWIRE_OMITDNSSEC) != 0)
+			ncache_opts |= DNS_NCACHETOWIRE_OMITDNSSEC;
+		return (dns_ncache_towire(rdataset, cctx, target, ncache_opts,
+					  countp));
 	} else {
 		count = (rdataset->methods->count)(rdataset);
 		result = dns_rdataset_first(rdataset);
@@ -326,7 +338,7 @@ towiresorted(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
 	 */
 	if (!question && count > 1 &&
 	    (!WANT_FIXED(rdataset) || order != NULL) &&
-	    rdataset->type != dns_rdatatype_sig)
+	    rdataset->type != dns_rdatatype_rrsig)
 		shuffle = ISC_TRUE;
 
 	if (shuffle && count > MAX_SHUFFLE) {
@@ -354,20 +366,40 @@ towiresorted(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
 		if (result != ISC_R_NOMORE)
 			goto cleanup;
 		INSIST(i == count);
+
 		/*
 		 * Now we shuffle.
 		 */
-		if (order != NULL) {
+		if (WANT_FIXED(rdataset)) {
 			/*
-			 * Sorted order.
+			 * 'Fixed' order.
 			 */
+			INSIST(order != NULL);
 			for (i = 0; i < count; i++) {
 				sorted[i].key = (*order)(&shuffled[i],
 							 order_arg);
 				sorted[i].rdata = &shuffled[i];
 			}
-			qsort(sorted, count, sizeof(sorted[0]),
-			      towire_compare);
+		} else if (WANT_RANDOM(rdataset)) {
+			/*
+			 * 'Random' order.
+			 */
+			for (i = 0; i < count; i++) {
+				dns_rdata_t rdata;
+				isc_uint32_t val;
+
+				isc_random_get(&val);
+				choice = i + (val % (count - i));
+				rdata = shuffled[i];
+				shuffled[i] = shuffled[choice];
+				shuffled[choice] = rdata;
+				if (order != NULL)
+					sorted[i].key = (*order)(&shuffled[i],
+								 order_arg);
+				else
+					sorted[i].key = 0; /* Unused */
+				sorted[i].rdata = &shuffled[i];
+			}
 		} else {
 			/*
 			 * "Cyclic" order.
@@ -375,16 +407,29 @@ towiresorted(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
 			isc_uint32_t val;
 			unsigned int j;
 
-			isc_random_get(&val);
+			val = rdataset->count;
+			if (val == ISC_UINT32_MAX)
+				isc_random_get(&val);
 			j = val % count;
 			for (i = 0; i < count; i++) {
-				sorted[j].key = 0; /* Unused */
+				if (order != NULL)
+					sorted[j].key = (*order)(&shuffled[i],
+								 order_arg);
+				else
+					sorted[j].key = 0; /* Unused */
 				sorted[j].rdata = &shuffled[i];
 				j++;
 				if (j == count)
 					j = 0; /* Wrap around. */
 			}
 		}
+
+		/*
+		 * Sorted order.
+		 */
+		if (order != NULL)
+			qsort(sorted, count, sizeof(sorted[0]),
+			      towire_compare);
 	}
 
 	savedbuffer = *target;
@@ -460,7 +505,7 @@ towiresorted(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
 	result = ISC_R_SUCCESS;
 	goto cleanup;
 
-	rollback:
+ rollback:
 	if (partial && result == ISC_R_NOSPACE) {
 		INSIST(rrbuffer.used < 65536);
 		dns_compress_rollback(cctx, (isc_uint16_t)rrbuffer.used);
@@ -473,7 +518,7 @@ towiresorted(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
 	*countp = 0;
 	*target = savedbuffer;
 
-	cleanup:
+ cleanup:
 	if (sorted != NULL && sorted != sorted_fixed)
 		isc_mem_put(cctx->mctx, sorted, count * sizeof(*sorted));
 	if (shuffled != NULL && shuffled != shuffled_fixed)
@@ -483,41 +528,46 @@ towiresorted(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
 
 isc_result_t
 dns_rdataset_towiresorted(dns_rdataset_t *rdataset,
-			  const dns_name_t *owner_name,
+			  dns_name_t *owner_name,
 			  dns_compress_t *cctx,
 			  isc_buffer_t *target,
 			  dns_rdatasetorderfunc_t order,
-			  const void *order_arg,
+			  void *order_arg,
+			  unsigned int options,
 			  unsigned int *countp)
 {
 	return (towiresorted(rdataset, owner_name, cctx, target,
-			     order, order_arg, ISC_FALSE, countp, NULL));
+			     order, order_arg, ISC_FALSE, options,
+			     countp, NULL));
 }
 
 isc_result_t
 dns_rdataset_towirepartial(dns_rdataset_t *rdataset,
-			   const dns_name_t *owner_name,
+			   dns_name_t *owner_name,
 			   dns_compress_t *cctx,
 			   isc_buffer_t *target,
 			   dns_rdatasetorderfunc_t order,
-			   const void *order_arg,
+			   void *order_arg,
+			   unsigned int options,
 			   unsigned int *countp,
 			   void **state)
 {
 	REQUIRE(state == NULL);	/* XXX remove when implemented */
 	return (towiresorted(rdataset, owner_name, cctx, target,
-			     order, order_arg, ISC_TRUE, countp, state));
+			     order, order_arg, ISC_TRUE, options,
+			     countp, state));
 }
 
 isc_result_t
 dns_rdataset_towire(dns_rdataset_t *rdataset,
-		    const dns_name_t *owner_name,
+		    dns_name_t *owner_name,
 		    dns_compress_t *cctx,
 		    isc_buffer_t *target,
+		    unsigned int options,
 		    unsigned int *countp)
 {
 	return (towiresorted(rdataset, owner_name, cctx, target,
-			     NULL, NULL, ISC_FALSE, countp, NULL));
+			     NULL, NULL, ISC_FALSE, options, countp, NULL));
 }
 
 isc_result_t
@@ -552,4 +602,25 @@ dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
 
 	return (ISC_R_SUCCESS);
 }
-	
+
+isc_result_t
+dns_rdataset_addnoqname(dns_rdataset_t *rdataset, dns_name_t *name) {
+
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+	REQUIRE(rdataset->methods != NULL);
+	if (rdataset->methods->addnoqname == NULL)
+		return (ISC_R_NOTIMPLEMENTED);
+	return((rdataset->methods->addnoqname)(rdataset, name));
+}
+
+isc_result_t
+dns_rdataset_getnoqname(dns_rdataset_t *rdataset, dns_name_t *name,
+		        dns_rdataset_t *nsec, dns_rdataset_t *nsecsig)
+{
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+	REQUIRE(rdataset->methods != NULL);
+
+	if (rdataset->methods->getnoqname == NULL)
+		return (ISC_R_NOTIMPLEMENTED);
+	return((rdataset->methods->getnoqname)(rdataset, name, nsec, nsecsig));
+}
diff --git a/lib/dns/rdatasetiter.c b/lib/dns/rdatasetiter.c
index aaef6977..f3b0f8bf 100644
--- a/lib/dns/rdatasetiter.c
+++ b/lib/dns/rdatasetiter.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdatasetiter.c,v 1.11.2.1 2004/03/09 06:11:06 marka Exp $ */
+/* $Id: rdatasetiter.c,v 1.11.206.1 2004/03/06 08:13:44 marka Exp $ */
 
 #include <config.h>
 
diff --git a/lib/dns/rdataslab.c b/lib/dns/rdataslab.c
index 61a9d77b..0604cd5d 100644
--- a/lib/dns/rdataslab.c
+++ b/lib/dns/rdataslab.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
+ * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdataslab.c,v 1.29.2.3 2004/03/09 06:11:06 marka Exp $ */
+/* $Id: rdataslab.c,v 1.29.2.2.2.6 2004/03/08 09:04:31 marka Exp $ */
 
 #include <config.h>
 
@@ -152,6 +152,124 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
 	return (result);
 }
 
+static void
+rdataset_disassociate(dns_rdataset_t *rdataset) {
+	UNUSED(rdataset);
+}
+
+static isc_result_t
+rdataset_first(dns_rdataset_t *rdataset) {
+	unsigned char *raw = rdataset->private3;
+	unsigned int count;
+
+	count = raw[0] * 256 + raw[1];
+	if (count == 0) {
+		rdataset->private5 = NULL;
+		return (ISC_R_NOMORE);
+	}
+	raw += 2;
+	/*
+	 * The privateuint4 field is the number of rdata beyond the cursor
+	 * position, so we decrement the total count by one before storing
+	 * it.
+	 */
+	count--;
+	rdataset->privateuint4 = count;
+	rdataset->private5 = raw;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+rdataset_next(dns_rdataset_t *rdataset) {
+	unsigned int count;
+	unsigned int length;
+	unsigned char *raw;
+
+	count = rdataset->privateuint4;
+	if (count == 0)
+		return (ISC_R_NOMORE);
+	count--;
+	rdataset->privateuint4 = count;
+	raw = rdataset->private5;
+	length = raw[0] * 256 + raw[1];
+	raw += length + 2;
+	rdataset->private5 = raw;
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata) {
+	unsigned char *raw = rdataset->private5;
+	isc_region_t r;
+
+	REQUIRE(raw != NULL);
+
+	r.length = raw[0] * 256 + raw[1];
+	raw += 2;
+	r.base = raw;
+	dns_rdata_fromregion(rdata, rdataset->rdclass, rdataset->type, &r);
+}
+
+static void
+rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target) {
+	*target = *source;
+
+	/*
+	 * Reset iterator state.
+	 */
+	target->privateuint4 = 0;
+	target->private5 = NULL;
+}
+
+static unsigned int
+rdataset_count(dns_rdataset_t *rdataset) {
+	unsigned char *raw = rdataset->private3;
+	unsigned int count;
+
+	count = raw[0] * 256 + raw[1];
+
+	return (count);
+}
+
+static dns_rdatasetmethods_t rdataset_methods = {
+	rdataset_disassociate,
+	rdataset_first,
+	rdataset_next,
+	rdataset_current,
+	rdataset_clone,
+	rdataset_count,
+	NULL,
+	NULL
+};
+
+void
+dns_rdataslab_tordataset(unsigned char *slab, unsigned int reservelen,
+			 dns_rdataclass_t rdclass, dns_rdatatype_t rdtype,
+			 dns_rdatatype_t covers, dns_ttl_t ttl,
+			 dns_rdataset_t *rdataset)
+{
+	REQUIRE(slab != NULL);
+	REQUIRE(!dns_rdataset_isassociated(rdataset));
+
+	rdataset->methods = &rdataset_methods;
+	rdataset->rdclass = rdclass;
+	rdataset->type = rdtype;
+	rdataset->covers = covers;
+	rdataset->ttl = ttl;
+	rdataset->trust = 0;
+	rdataset->private1 = NULL;
+	rdataset->private2 = NULL;
+	rdataset->private3 = slab + reservelen;
+
+	/*
+	 * Reset iterator state.
+	 */
+	rdataset->privateuint4 = 0;
+	rdataset->private5 = NULL;
+}
+
 unsigned int
 dns_rdataslab_size(unsigned char *slab, unsigned int reservelen) {
 	unsigned int count, length;
diff --git a/lib/dns/request.c b/lib/dns/request.c
index 788dfc1f..3ec845f8 100644
--- a/lib/dns/request.c
+++ b/lib/dns/request.c
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: request.c,v 1.64.2.4 2006/01/04 23:50:17 marka Exp $ */
+/* $Id: request.c,v 1.64.2.1.10.6 2004/03/08 09:04:31 marka Exp $ */
 
 #include <config.h>
 
@@ -85,6 +85,8 @@ struct dns_request {
 	dns_tsigkey_t		       *tsigkey;
 	isc_event_t			ctlevent;
 	isc_boolean_t			canceling; /* ctlevent outstanding */
+	isc_sockaddr_t			destaddr;
+	unsigned int			udpcount;
 };
 
 #define DNS_REQUEST_F_CONNECTING 0x0001
@@ -402,7 +404,7 @@ mgr_destroy(dns_requestmgr_t *requestmgr) {
 		dns_dispatch_detach(&requestmgr->dispatchv6);
 	requestmgr->magic = 0;
 	mctx = requestmgr->mctx;
-	isc_mem_put(mctx, requestmgr, sizeof *requestmgr);
+	isc_mem_put(mctx, requestmgr, sizeof(*requestmgr));
 	isc_mem_detach(&mctx);
 }
 
@@ -462,6 +464,7 @@ new_request(isc_mem_t *mctx, dns_request_t **requestp) {
 		       DNS_EVENT_REQUESTCONTROL, do_cancel, request, NULL,
 		       NULL, NULL);
 	request->canceling = ISC_FALSE;
+	request->udpcount = 0;
 
 	isc_mem_attach(mctx, &request->mctx);
 
@@ -509,7 +512,6 @@ create_tcp_dispatch(dns_requestmgr_t *requestmgr, isc_sockaddr_t *srcaddr,
 				   isc_sockettype_tcp, &socket);
 	if (result != ISC_R_SUCCESS)
 		return (result);
-#ifndef BROKEN_TCP_BIND_BEFORE_CONNECT
 	if (srcaddr == NULL) {
 		isc_sockaddr_anyofpf(&bind_any,
 				     isc_sockaddr_pf(destaddr));
@@ -521,7 +523,6 @@ create_tcp_dispatch(dns_requestmgr_t *requestmgr, isc_sockaddr_t *srcaddr,
 	}
 	if (result != ISC_R_SUCCESS)
 		goto cleanup;
-#endif
 	attrs = 0;
 	attrs |= DNS_DISPATCHATTR_TCP;
 	attrs |= DNS_DISPATCHATTR_PRIVATE;
@@ -608,17 +609,20 @@ get_dispatch(isc_boolean_t tcp, dns_requestmgr_t *requestmgr,
 }
 
 static isc_result_t
-set_timer(isc_timer_t *timer, unsigned int timeout) {
+set_timer(isc_timer_t *timer, unsigned int timeout, unsigned int udpresend) {
 	isc_time_t expires;
 	isc_interval_t interval;
 	isc_result_t result;
+	isc_timertype_t timertype;
 
 	isc_interval_set(&interval, timeout, 0);
 	result = isc_time_nowplusinterval(&expires, &interval);
+	isc_interval_set(&interval, udpresend, 0);
 
+	timertype = udpresend != 0 ? isc_timertype_limited : isc_timertype_once;
 	if (result == ISC_R_SUCCESS)
-		result = isc_timer_reset(timer, isc_timertype_once, &expires,
-					 NULL, ISC_FALSE);
+		result = isc_timer_reset(timer, timertype, &expires,
+					 &interval, ISC_FALSE);
 	return (result);
 }
 
@@ -629,6 +633,38 @@ dns_request_createraw(dns_requestmgr_t *requestmgr, isc_buffer_t *msgbuf,
 		      isc_task_t *task, isc_taskaction_t action, void *arg,
 		      dns_request_t **requestp)
 {
+	return(dns_request_createraw3(requestmgr, msgbuf, srcaddr, destaddr,
+				      options, timeout, 0, 0, task, action,
+				      arg, requestp));
+}
+
+isc_result_t
+dns_request_createraw2(dns_requestmgr_t *requestmgr, isc_buffer_t *msgbuf,
+		       isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
+		       unsigned int options, unsigned int timeout,
+		       unsigned int udptimeout, isc_task_t *task,
+		       isc_taskaction_t action, void *arg,
+		       dns_request_t **requestp)
+{
+	unsigned int udpretries = 0;
+
+	if (udptimeout != 0)
+		udpretries = timeout / udptimeout;
+
+	return (dns_request_createraw3(requestmgr, msgbuf, srcaddr, destaddr,
+				       options, timeout, udptimeout,
+				       udpretries, task, action, arg,
+				       requestp));
+}
+
+isc_result_t
+dns_request_createraw3(dns_requestmgr_t *requestmgr, isc_buffer_t *msgbuf,
+		       isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
+		       unsigned int options, unsigned int timeout,
+		       unsigned int udptimeout, unsigned int udpretries,
+		       isc_task_t *task, isc_taskaction_t action, void *arg,
+		       dns_request_t **requestp)
+{
 	dns_request_t *request = NULL;
 	isc_task_t *tclone = NULL;
 	isc_socket_t *socket = NULL;
@@ -660,6 +696,12 @@ dns_request_createraw(dns_requestmgr_t *requestmgr, isc_buffer_t *msgbuf,
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
+	if (udptimeout == 0 && udpretries != 0) {
+		udptimeout = timeout / (udpretries + 1);
+		if (udptimeout == 0)
+			udptimeout = 1;
+	}
+
 	/*
 	 * Create timer now.  We will set it below once.
 	 */
@@ -671,7 +713,7 @@ dns_request_createraw(dns_requestmgr_t *requestmgr, isc_buffer_t *msgbuf,
 
 	request->event = (dns_requestevent_t *)
 		isc_event_allocate(mctx, task, DNS_EVENT_REQUESTDONE,
-				   action, arg, sizeof (dns_requestevent_t));
+				   action, arg, sizeof(dns_requestevent_t));
 	if (request->event == NULL) {
 		result = ISC_R_NOMEMORY;
 		goto cleanup;
@@ -731,11 +773,12 @@ dns_request_createraw(dns_requestmgr_t *requestmgr, isc_buffer_t *msgbuf,
 	ISC_LIST_APPEND(requestmgr->requests, request, link);
 	UNLOCK(&requestmgr->lock);
 
-	result = set_timer(request->timer, timeout);
+	result = set_timer(request->timer, timeout, tcp ? 0 : udptimeout);
 	if (result != ISC_R_SUCCESS)
 		goto unlink;
 
-	if ((options & DNS_REQUESTOPT_TCP) != 0) {
+	request->destaddr = *destaddr;
+	if (tcp) {
 		result = isc_socket_connect(socket, destaddr, task,
 					    req_connected, request);
 		if (result != ISC_R_SUCCESS)
@@ -774,9 +817,9 @@ dns_request_create(dns_requestmgr_t *requestmgr, dns_message_t *message,
 		   isc_taskaction_t action, void *arg,
 		   dns_request_t **requestp)
 {
-	return (dns_request_createvia(requestmgr, message, NULL, address,
-				      options, key, timeout, task, action,
-				      arg, requestp));
+	return (dns_request_createvia3(requestmgr, message, NULL, address,
+				       options, key, timeout, 0, 0, task,
+				       action, arg, requestp));
 }
 
 isc_result_t
@@ -787,6 +830,38 @@ dns_request_createvia(dns_requestmgr_t *requestmgr, dns_message_t *message,
 		      isc_taskaction_t action, void *arg,
 		      dns_request_t **requestp)
 {
+	return(dns_request_createvia3(requestmgr, message, srcaddr, destaddr,
+				      options, key, timeout, 0, 0, task,
+				      action, arg, requestp));
+}
+
+isc_result_t
+dns_request_createvia2(dns_requestmgr_t *requestmgr, dns_message_t *message,
+		       isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
+		       unsigned int options, dns_tsigkey_t *key,
+		       unsigned int timeout, unsigned int udptimeout,
+		       isc_task_t *task, isc_taskaction_t action, void *arg,
+		       dns_request_t **requestp)
+{
+	unsigned int udpretries = 0;
+
+	if (udptimeout != 0)
+		udpretries = timeout / udptimeout;
+	return (dns_request_createvia3(requestmgr, message, srcaddr, destaddr,
+				       options, key, timeout, udptimeout,
+				       udpretries, task, action, arg,
+				       requestp));
+}
+					
+isc_result_t
+dns_request_createvia3(dns_requestmgr_t *requestmgr, dns_message_t *message,
+		       isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
+		       unsigned int options, dns_tsigkey_t *key,
+		       unsigned int timeout, unsigned int udptimeout,
+		       unsigned int udpretries, isc_task_t *task,
+		       isc_taskaction_t action, void *arg,
+		       dns_request_t **requestp)
+{
 	dns_request_t *request = NULL;
 	isc_task_t *tclone = NULL;
 	isc_socket_t *socket = NULL;
@@ -818,6 +893,12 @@ dns_request_createvia(dns_requestmgr_t *requestmgr, dns_message_t *message,
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
+	if (udptimeout == 0 && udpretries != 0) {
+		udptimeout = timeout / (udpretries + 1);
+		if (udptimeout == 0)
+			udptimeout = 1;
+	}
+
 	/*
 	 * Create timer now.  We will set it below once.
 	 */
@@ -829,7 +910,7 @@ dns_request_createvia(dns_requestmgr_t *requestmgr, dns_message_t *message,
 
 	request->event = (dns_requestevent_t *)
 		isc_event_allocate(mctx, task, DNS_EVENT_REQUESTDONE,
-				   action, arg, sizeof (dns_requestevent_t));
+				   action, arg, sizeof(dns_requestevent_t));
 	if (request->event == NULL) {
 		result = ISC_R_NOMEMORY;
 		goto cleanup;
@@ -857,8 +938,11 @@ dns_request_createvia(dns_requestmgr_t *requestmgr, dns_message_t *message,
 		goto cleanup;
 
 	message->id = id;
-	if (setkey)
-		dns_message_settsigkey(message, request->tsigkey);
+	if (setkey) {
+		result = dns_message_settsigkey(message, request->tsigkey);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup;
+	}
 	result = req_render(message, &request->query, options, mctx);
 	if (result == DNS_R_USETCP &&
 	    (options & DNS_REQUESTOPT_TCP) == 0) {
@@ -891,11 +975,12 @@ dns_request_createvia(dns_requestmgr_t *requestmgr, dns_message_t *message,
 	ISC_LIST_APPEND(requestmgr->requests, request, link);
 	UNLOCK(&requestmgr->lock);
 
-	result = set_timer(request->timer, timeout);
+	result = set_timer(request->timer, timeout, tcp ? 0 : udptimeout);
 	if (result != ISC_R_SUCCESS)
 		goto unlink;
 
-	if ((options & DNS_REQUESTOPT_TCP) != 0) {
+	request->destaddr = *destaddr;
+	if (tcp) {
 		result = isc_socket_connect(socket, destaddr, task,
 					    req_connected, request);
 		if (result != ISC_R_SUCCESS)
@@ -1049,7 +1134,7 @@ do_cancel(isc_task_t *task, isc_event_t *event) {
 	UNLOCK(&request->requestmgr->locks[request->hash]);	
 }
 
-isc_result_t
+void
 dns_request_cancel(dns_request_t *request) {
 	REQUIRE(VALID_REQUEST(request));
 
@@ -1064,7 +1149,6 @@ dns_request_cancel(dns_request_t *request) {
 		request->canceling = ISC_TRUE;
 	}
 	UNLOCK(&request->requestmgr->locks[request->hash]);
-	return (ISC_R_SUCCESS);
 }
 
 isc_result_t
@@ -1079,8 +1163,12 @@ dns_request_getresponse(dns_request_t *request, dns_message_t *message,
 	req_log(ISC_LOG_DEBUG(3), "dns_request_getresponse: request %p",
 		request);
 
-	dns_message_setquerytsig(message, request->tsig);
-	dns_message_settsigkey(message, request->tsigkey);
+	result = dns_message_setquerytsig(message, request->tsig);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	result = dns_message_settsigkey(message, request->tsigkey);
+	if (result != ISC_R_SUCCESS)
+		return (result);
 	result = dns_message_parse(message, request->answer, options);
 	if (result != ISC_R_SUCCESS)
 		return (result);
@@ -1250,6 +1338,7 @@ req_response(isc_task_t *task, isc_event_t *event) {
 static void
 req_timeout(isc_task_t *task, isc_event_t *event) {
 	dns_request_t *request = event->ev_arg;
+	isc_result_t result;
 
 	REQUIRE(VALID_REQUEST(request));
 
@@ -1257,9 +1346,20 @@ req_timeout(isc_task_t *task, isc_event_t *event) {
 
 	UNUSED(task);
 	LOCK(&request->requestmgr->locks[request->hash]);
-	request->flags |= DNS_REQUEST_F_TIMEDOUT;
-	req_cancel(request);
-	send_if_done(request, ISC_R_TIMEDOUT);
+	if (event->ev_type == ISC_TIMEREVENT_TICK &&
+	    request->udpcount-- != 0) {
+		if (! DNS_REQUEST_SENDING(request)) {
+			result = req_send(request, task, &request->destaddr);
+			if (result != ISC_R_SUCCESS) {
+				req_cancel(request);
+				send_if_done(request, result);
+			}
+		}
+	} else {
+		request->flags |= DNS_REQUEST_F_TIMEDOUT;
+		req_cancel(request);
+		send_if_done(request, ISC_R_TIMEDOUT);
+	}
 	UNLOCK(&request->requestmgr->locks[request->hash]);
 	isc_event_free(&event);
 }
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index c00dc159..0a12d130 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: resolver.c,v 1.218.2.50 2007/06/18 02:46:22 marka Exp $ */
+/* $Id: resolver.c,v 1.218.2.18.4.33 2004/03/16 03:18:02 marka Exp $ */
 
 #include <config.h>
 
@@ -34,7 +34,10 @@
 #include <dns/log.h>
 #include <dns/message.h>
 #include <dns/ncache.h>
+#include <dns/opcode.h>
 #include <dns/peer.h>
+#include <dns/rbt.h>
+#include <dns/rcode.h>
 #include <dns/rdata.h>
 #include <dns/rdataclass.h>
 #include <dns/rdatalist.h>
@@ -92,7 +95,7 @@
 /*
  * Maximum EDNS0 input packet size.
  */
-#define SEND_BUFFER_SIZE		2048		/* XXXRTH  Constant. */
+#define RECV_BUFFER_SIZE		4096		/* XXXRTH  Constant. */
 
 /*
  * This defines the maximum number of timeouts we will permit before we
@@ -169,7 +172,10 @@ struct fetchctx {
 	ISC_LIST(resquery_t)		queries;
 	dns_adbfindlist_t		finds;
 	dns_adbfind_t *			find;
+	dns_adbfindlist_t		altfinds;
+	dns_adbfind_t *			altfind;
 	dns_adbaddrinfolist_t		forwaddrs;
+	dns_adbaddrinfolist_t		altaddrs;
 	isc_sockaddrlist_t		forwarders;
 	dns_fwdpolicy_t			fwdpolicy;
 	isc_sockaddrlist_t		bad;
@@ -198,18 +204,26 @@ struct fetchctx {
 	 * is used for EDNS0 black hole detection.
 	 */
 	unsigned int			timeouts;
+	/*
+	 * Look aside state for DS lookups.
+	 */
+	dns_name_t 			nsname; 
+	dns_fetch_t *			nsfetch;
+	dns_rdataset_t			nsrrset;
 };
 
 #define FCTX_MAGIC			ISC_MAGIC('F', '!', '!', '!')
 #define VALID_FCTX(fctx)		ISC_MAGIC_VALID(fctx, FCTX_MAGIC)
 
-#define FCTX_ATTR_HAVEANSWER		0x01
-#define FCTX_ATTR_GLUING		0x02
-#define FCTX_ATTR_ADDRWAIT		0x04
-#define FCTX_ATTR_SHUTTINGDOWN		0x08
-#define FCTX_ATTR_WANTCACHE		0x10
-#define FCTX_ATTR_WANTNCACHE		0x20
-#define FCTX_ATTR_NEEDEDNS0		0x40
+#define FCTX_ATTR_HAVEANSWER		0x0001
+#define FCTX_ATTR_GLUING		0x0002
+#define FCTX_ATTR_ADDRWAIT		0x0004
+#define FCTX_ATTR_SHUTTINGDOWN		0x0008
+#define FCTX_ATTR_WANTCACHE		0x0010
+#define FCTX_ATTR_WANTNCACHE		0x0020
+#define FCTX_ATTR_NEEDEDNS0		0x0040
+#define FCTX_ATTR_TRIEDFIND		0x0080
+#define FCTX_ATTR_TRIEDALT		0x0100
 
 #define HAVE_ANSWER(f)		(((f)->attributes & FCTX_ATTR_HAVEANSWER) != \
 				 0)
@@ -218,10 +232,12 @@ struct fetchctx {
 #define ADDRWAIT(f)		(((f)->attributes & FCTX_ATTR_ADDRWAIT) != \
 				 0)
 #define SHUTTINGDOWN(f)		(((f)->attributes & FCTX_ATTR_SHUTTINGDOWN) \
-				 != 0)
+ 				 != 0)
 #define WANTCACHE(f)		(((f)->attributes & FCTX_ATTR_WANTCACHE) != 0)
 #define WANTNCACHE(f)		(((f)->attributes & FCTX_ATTR_WANTNCACHE) != 0)
 #define NEEDEDNS0(f)		(((f)->attributes & FCTX_ATTR_NEEDEDNS0) != 0)
+#define TRIEDFIND(f)		(((f)->attributes & FCTX_ATTR_TRIEDFIND) != 0)
+#define TRIEDALT(f)		(((f)->attributes & FCTX_ATTR_TRIEDALT) != 0)
 
 struct dns_fetch {
 	unsigned int			magic;
@@ -238,12 +254,25 @@ typedef struct fctxbucket {
 	isc_boolean_t			exiting;
 } fctxbucket_t;
 
+typedef struct alternate {
+	isc_boolean_t			isaddress;
+	union	{
+		isc_sockaddr_t		addr;
+		struct {
+			dns_name_t	name;
+			in_port_t	port;
+		} _n;
+	} _u;
+	ISC_LINK(struct alternate)	link;
+} alternate_t;
+
 struct dns_resolver {
 	/* Unlocked. */
 	unsigned int			magic;
 	isc_mem_t *			mctx;
 	isc_mutex_t			lock;
-	isc_mutex_t			primelock;
+	isc_mutex_t			nlock;	
+	isc_mutex_t			primelock;	
 	dns_rdataclass_t		rdclass;
 	isc_socketmgr_t *		socketmgr;
 	isc_timermgr_t *		timermgr;
@@ -257,6 +286,12 @@ struct dns_resolver {
 	unsigned int			nbuckets;
 	fctxbucket_t *			buckets;
 	isc_uint32_t			lame_ttl;
+	ISC_LIST(alternate_t)		alternates;
+	isc_uint16_t			udpsize;
+#if USE_ALGLOG
+	isc_rwlock_t			alglock;
+#endif
+	dns_rbt_t *			algorithms;
 	/* Locked by lock. */
 	unsigned int			references;
 	isc_boolean_t			exiting;
@@ -265,6 +300,8 @@ struct dns_resolver {
 	isc_boolean_t			priming;
 	/* Locked by primelock. */
 	dns_fetch_t *			primefetch;
+	/* Locked by nlock. */
+	unsigned int			nfctx;
 };
 
 #define RES_MAGIC			ISC_MAGIC('R', 'e', 's', '!')
@@ -283,8 +320,6 @@ struct dns_resolver {
 
 #define NXDOMAIN(r) (((r)->attributes & DNS_RDATASETATTR_NXDOMAIN) != 0)
 
-#define dns_db_transfernode(a,b,c) do { (*c) = (*b); (*b) = NULL; } while (0)
-
 static void destroy(dns_resolver_t *res);
 static void empty_bucket(dns_resolver_t *res);
 static isc_result_t resquery_send(resquery_t *query);
@@ -448,6 +483,8 @@ fctx_cancelquery(resquery_t **queryp, dns_dispatchevent_t **deventp,
 	resquery_t *query;
 	unsigned int rtt;
 	unsigned int factor;
+	dns_adbfind_t *find;
+	dns_adbaddrinfo_t *addrinfo;
 
 	query = *queryp;
 	fctx = query->fctx;
@@ -478,7 +515,7 @@ fctx_cancelquery(resquery_t **queryp, dns_dispatchevent_t **deventp,
 			 */
 			INSIST(no_response);
 			rtt = query->addrinfo->srtt +
-				(200000 * fctx->restarts);
+				(100000 * fctx->restarts);
 			if (rtt > 10000000)
 				rtt = 10000000;
 			/*
@@ -492,11 +529,16 @@ fctx_cancelquery(resquery_t **queryp, dns_dispatchevent_t **deventp,
 	/*
 	 * Age RTTs of servers not tried.
 	 */
-	if (finish != NULL) {
-		dns_adbfind_t *find;
-		dns_adbaddrinfo_t *addrinfo;
+	factor = DNS_ADB_RTTADJAGE;
+	if (finish != NULL)
+		for (addrinfo = ISC_LIST_HEAD(fctx->forwaddrs);
+		     addrinfo != NULL;
+		     addrinfo = ISC_LIST_NEXT(addrinfo, publink))
+			if (UNMARKED(addrinfo))
+				dns_adb_adjustsrtt(fctx->adb, addrinfo,
+						   0, factor);
 
-		factor = DNS_ADB_RTTADJAGE;
+	if (finish != NULL && TRIEDFIND(fctx))
 		for (find = ISC_LIST_HEAD(fctx->finds);
 		     find != NULL;
 		     find = ISC_LIST_NEXT(find, publink))
@@ -506,6 +548,23 @@ fctx_cancelquery(resquery_t **queryp, dns_dispatchevent_t **deventp,
 				if (UNMARKED(addrinfo))
 					dns_adb_adjustsrtt(fctx->adb, addrinfo,
 							   0, factor);
+
+	if (finish != NULL && TRIEDALT(fctx)) {
+		for (addrinfo = ISC_LIST_HEAD(fctx->altaddrs);
+		     addrinfo != NULL;
+		     addrinfo = ISC_LIST_NEXT(addrinfo, publink))
+			if (UNMARKED(addrinfo))
+				dns_adb_adjustsrtt(fctx->adb, addrinfo,
+						   0, factor);
+		for (find = ISC_LIST_HEAD(fctx->altfinds);
+		     find != NULL;
+		     find = ISC_LIST_NEXT(find, publink))
+			for (addrinfo = ISC_LIST_HEAD(find->list);
+			     addrinfo != NULL;
+			     addrinfo = ISC_LIST_NEXT(addrinfo, publink))
+				if (UNMARKED(addrinfo))
+					dns_adb_adjustsrtt(fctx->adb, addrinfo,
+							   0, factor);
 	}
 
 	if (query->dispentry != NULL)
@@ -579,6 +638,22 @@ fctx_cleanupfinds(fetchctx_t *fctx) {
 }
 
 static void
+fctx_cleanupaltfinds(fetchctx_t *fctx) {
+	dns_adbfind_t *find, *next_find;
+
+	REQUIRE(ISC_LIST_EMPTY(fctx->queries));
+
+	for (find = ISC_LIST_HEAD(fctx->altfinds);
+	     find != NULL;
+	     find = next_find) {
+		next_find = ISC_LIST_NEXT(find, publink);
+		ISC_LIST_UNLINK(fctx->altfinds, find, publink);
+		dns_adb_destroyfind(&find);
+	}
+	fctx->altfind = NULL;
+}
+
+static void
 fctx_cleanupforwaddrs(fetchctx_t *fctx) {
 	dns_adbaddrinfo_t *addr, *next_addr;
 
@@ -593,12 +668,29 @@ fctx_cleanupforwaddrs(fetchctx_t *fctx) {
 	}
 }
 
+static void
+fctx_cleanupaltaddrs(fetchctx_t *fctx) {
+	dns_adbaddrinfo_t *addr, *next_addr;
+
+	REQUIRE(ISC_LIST_EMPTY(fctx->queries));
+
+	for (addr = ISC_LIST_HEAD(fctx->altaddrs);
+	     addr != NULL;
+	     addr = next_addr) {
+		next_addr = ISC_LIST_NEXT(addr, publink);
+		ISC_LIST_UNLINK(fctx->altaddrs, addr, publink);
+		dns_adb_freeaddrinfo(fctx->adb, &addr);
+	}
+}
+
 static inline void
 fctx_stopeverything(fetchctx_t *fctx, isc_boolean_t no_response) {
 	FCTXTRACE("stopeverything");
 	fctx_cancelqueries(fctx, no_response);
 	fctx_cleanupfinds(fctx);
+	fctx_cleanupaltfinds(fctx);
 	fctx_cleanupforwaddrs(fctx);
+	fctx_cleanupaltaddrs(fctx);
 	fctx_stoptimer(fctx);
 }
 
@@ -627,18 +719,9 @@ fctx_sendevents(fetchctx_t *fctx, isc_result_t result) {
 		INSIST(result != ISC_R_SUCCESS ||
 		       dns_rdataset_isassociated(event->rdataset) ||
 		       fctx->type == dns_rdatatype_any ||
-		       fctx->type == dns_rdatatype_sig);
-		
-		/*
-		 * Negative results must be indicated in event->result.
-		 */
-		if (dns_rdataset_isassociated(event->rdataset) &&
-		    event->rdataset->type == dns_rdatatype_none) {
-			INSIST(event->result == DNS_R_NCACHENXDOMAIN ||
-			       event->result == DNS_R_NCACHENXRRSET);
-		}
+		       fctx->type == dns_rdatatype_rrsig);
 
-		isc_task_sendanddetach(&task, ISC_EVENT_PTR(&event));
+		isc_task_sendanddetach(&task, (isc_event_t **) (void *)&event);
 	}
 }
 
@@ -670,9 +753,6 @@ static void
 resquery_senddone(isc_task_t *task, isc_event_t *event) {
 	isc_socketevent_t *sevent = (isc_socketevent_t *)event;
 	resquery_t *query = event->ev_arg;
-	isc_boolean_t retry = ISC_FALSE;
-	isc_result_t result;
-	fetchctx_t *fctx;
 
 	REQUIRE(event->ev_type == ISC_SOCKEVENT_SENDDONE);
 
@@ -691,7 +771,6 @@ resquery_senddone(isc_task_t *task, isc_event_t *event) {
 	INSIST(RESQUERY_SENDING(query));
 
 	query->sends--;
-	fctx = query->fctx;
 
 	if (RESQUERY_CANCELED(query)) {
 		if (query->sends == 0) {
@@ -703,47 +782,14 @@ resquery_senddone(isc_task_t *task, isc_event_t *event) {
 				isc_socket_detach(&query->tcpsocket);
 			resquery_destroy(&query);
 		}
-	} else 
-		switch (sevent->result) {
-		case ISC_R_SUCCESS:
-			break;
-
-		case ISC_R_HOSTUNREACH:
-		case ISC_R_NETUNREACH:
-		case ISC_R_NOPERM:
-		case ISC_R_ADDRNOTAVAIL:
-		case ISC_R_CONNREFUSED:
-
-			/*
-			 * No route to remote.
-			 */
-			fctx_cancelquery(&query, NULL, NULL, ISC_TRUE);
-			retry = ISC_TRUE;
-			break;
-
-		default:
-			fctx_cancelquery(&query, NULL, NULL, ISC_FALSE);
-			break;
-		}
+	} else if (sevent->result != ISC_R_SUCCESS)
+		fctx_cancelquery(&query, NULL, NULL, ISC_FALSE);
 
 	isc_event_free(&event);
-
-	if (retry) {
-		/*
-		 * Behave as if the idle timer has expired.  For TCP
-		 * this may not actually reflect the latest timer.
-		 */
-		fctx->attributes &= ~FCTX_ATTR_ADDRWAIT;
-		result = fctx_stopidletimer(fctx);
-		if (result != ISC_R_SUCCESS)
-			fctx_done(fctx, result);
-		else
-			fctx_try(fctx);
-	}
 }
 
 static inline isc_result_t
-fctx_addopt(dns_message_t *message) {
+fctx_addopt(dns_message_t *message, dns_resolver_t *res) {
 	dns_rdataset_t *rdataset;
 	dns_rdatalist_t *rdatalist;
 	dns_rdata_t *rdata;
@@ -769,16 +815,12 @@ fctx_addopt(dns_message_t *message) {
 	/*
 	 * Set Maximum UDP buffer size.
 	 */
-	rdatalist->rdclass = SEND_BUFFER_SIZE;
+	rdatalist->rdclass = res->udpsize;
 
 	/*
 	 * Set EXTENDED-RCODE, VERSION, and Z to 0, and the DO bit to 1.
 	 */
-#ifdef ISC_RFC2535
 	rdatalist->ttl = DNS_MESSAGEEXTFLAG_DO;
-#else
-	rdatalist->ttl = 0;
-#endif
 
 	/*
 	 * No EDNS options.
@@ -791,7 +833,7 @@ fctx_addopt(dns_message_t *message) {
 
 	ISC_LIST_INIT(rdatalist->rdata);
 	ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
-	dns_rdatalist_tordataset(rdatalist, rdataset);
+	RUNTIME_CHECK(dns_rdatalist_tordataset(rdatalist, rdataset) == ISC_R_SUCCESS);
 
 	return (dns_message_setopt(message, rdataset));
 }
@@ -848,11 +890,9 @@ fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
-	INSIST(ISC_LIST_EMPTY(fctx->validators));
-
 	dns_message_reset(fctx->rmessage, DNS_MESSAGE_INTENTPARSE);
 
-	query = isc_mem_get(res->mctx, sizeof *query);
+	query = isc_mem_get(res->mctx, sizeof(*query));
 	if (query == NULL) {
 		result = ISC_R_NOMEMORY;
 		goto stop_idle_timer;
@@ -867,9 +907,7 @@ fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
 	 * valid until this query is canceled.
 	 */
 	query->addrinfo = addrinfo;
-	result = isc_time_now(&query->start);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_query;
+	TIME_NOW(&query->start);
 
 	/*
 	 * If this is a TCP query, then we need to make a socket and
@@ -909,11 +947,9 @@ fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
 		if (result != ISC_R_SUCCESS)
 			goto cleanup_query;
 
-#ifndef BROKEN_TCP_BIND_BEFORE_CONNECT
 		result = isc_socket_bind(query->tcpsocket, &addr);
 		if (result != ISC_R_SUCCESS)
 			goto cleanup_socket;
-#endif
 
 		/*
 		 * A dispatch will be created once the connect succeeds.
@@ -979,10 +1015,10 @@ fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
 
  cleanup_query:
 	query->magic = 0;
-	isc_mem_put(res->mctx, query, sizeof *query);
+	isc_mem_put(res->mctx, query, sizeof(*query));
 
  stop_idle_timer:
-	fctx_stopidletimer(fctx);
+	RUNTIME_CHECK(fctx_stopidletimer(fctx) == ISC_R_SUCCESS);
 
 	return (result);
 }
@@ -1006,6 +1042,7 @@ resquery_send(resquery_t *query) {
 	isc_boolean_t useedns;
 	dns_compress_t cctx;
 	isc_boolean_t cleanup_cctx = ISC_FALSE;
+	isc_boolean_t secure_domain;
 
 	fctx = query->fctx;
 	QTRACE("send");
@@ -1071,6 +1108,21 @@ resquery_send(resquery_t *query) {
 		fctx->qmessage->flags |= DNS_MESSAGEFLAG_RD;
 
 	/*
+	 * Set CD if the client says don't validate or the question is
+	 * under a secure entry point.
+	 */
+	if ((query->options & DNS_FETCHOPT_NOVALIDATE) == 0) {
+		result = dns_keytable_issecuredomain(res->view->secroots,
+						     &fctx->name,
+						     &secure_domain);
+		if (result != ISC_R_SUCCESS)
+			secure_domain = ISC_FALSE;
+		if (secure_domain)
+			fctx->qmessage->flags |= DNS_MESSAGEFLAG_CD;
+	} else
+		fctx->qmessage->flags |= DNS_MESSAGEFLAG_CD;
+
+	/*
 	 * We don't have to set opcode because it defaults to query.
 	 */
 	fctx->qmessage->id = query->id;
@@ -1125,7 +1177,7 @@ resquery_send(resquery_t *query) {
 
 	if ((query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
 		if ((query->addrinfo->flags & DNS_FETCHOPT_NOEDNS0) == 0) {
-			result = fctx_addopt(fctx->qmessage);
+			result = fctx_addopt(fctx->qmessage, res);
 			if (result != ISC_R_SUCCESS) {
 				/*
 				 * We couldn't add the OPT, but we'll press on.
@@ -1153,20 +1205,6 @@ resquery_send(resquery_t *query) {
 	}
 
 	/*
-	 * If we're using EDNS, set CD.  CD and EDNS aren't really related,
-	 * but if we send a non EDNS query, there's a chance the server
-	 * won't understand CD either.
-	 */
-	if ((query->options & DNS_FETCHOPT_NOEDNS0) == 0)
-		fctx->qmessage->flags |= DNS_MESSAGEFLAG_CD;
-
-	/*
-	 * Clear CD if EDNS is not in use.
-	 */
-	if ((query->options & DNS_FETCHOPT_NOEDNS0) != 0)
-		fctx->qmessage->flags &= ~DNS_MESSAGEFLAG_CD;
-
-	/*
 	 * Add TSIG record tailored to the current recipient.
 	 */
 	result = dns_view_getpeertsig(fctx->res->view, &ipaddr, &tsigkey);
@@ -1174,8 +1212,10 @@ resquery_send(resquery_t *query) {
 		goto cleanup_message;
 
 	if (tsigkey != NULL) {
-		dns_message_settsigkey(fctx->qmessage, tsigkey);
+		result = dns_message_settsigkey(fctx->qmessage, tsigkey);
 		dns_tsigkey_detach(&tsigkey);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup_message;
 	}
 
 	result = dns_message_rendersection(fctx->qmessage,
@@ -1225,7 +1265,7 @@ resquery_send(resquery_t *query) {
 
 	/*
 	 * XXXRTH  Make sure we don't send to ourselves!  We should probably
-	 *         prune out these addresses when we get them from the ADB.
+	 *	   prune out these addresses when we get them from the ADB.
 	 */
 	result = isc_socket_sendto(socket, &r, task, resquery_senddone,
 				   query, address, NULL);
@@ -1260,10 +1300,7 @@ static void
 resquery_connected(isc_task_t *task, isc_event_t *event) {
 	isc_socketevent_t *sevent = (isc_socketevent_t *)event;
 	resquery_t *query = event->ev_arg;
-	isc_boolean_t retry = ISC_FALSE;
 	isc_result_t result;
-	unsigned int attrs;
-	fetchctx_t *fctx;
 
 	REQUIRE(event->ev_type == ISC_SOCKEVENT_CONNECT);
 	REQUIRE(VALID_QUERY(query));
@@ -1281,7 +1318,6 @@ resquery_connected(isc_task_t *task, isc_event_t *event) {
 	 */
 
 	query->connects--;
-	fctx = query->fctx;
 
 	if (RESQUERY_CANCELED(query)) {
 		/*
@@ -1291,8 +1327,9 @@ resquery_connected(isc_task_t *task, isc_event_t *event) {
 		isc_socket_detach(&query->tcpsocket);
 		resquery_destroy(&query);
 	} else {
-		switch (sevent->result) {
-		case ISC_R_SUCCESS:
+		if (sevent->result == ISC_R_SUCCESS) {
+			unsigned int attrs;
+
 			/*
 			 * We are connected.  Create a dispatcher and
 			 * send the query.
@@ -1325,49 +1362,22 @@ resquery_connected(isc_task_t *task, isc_event_t *event) {
 				result = resquery_send(query);
 
 			if (result != ISC_R_SUCCESS) {
+				fetchctx_t *fctx = query->fctx;
 				fctx_cancelquery(&query, NULL, NULL,
 						 ISC_FALSE);
 				fctx_done(fctx, result);
 			}
-			break;
-
-		case ISC_R_NETUNREACH:
-		case ISC_R_HOSTUNREACH:
-		case ISC_R_CONNREFUSED:
-		case ISC_R_NOPERM:
-		case ISC_R_ADDRNOTAVAIL:
-		case ISC_R_CONNECTIONRESET:
-			/*
-			 * No route to remote.
-			 */
-			isc_socket_detach(&query->tcpsocket);
-			fctx_cancelquery(&query, NULL, NULL, ISC_TRUE);
-			retry = ISC_TRUE;
-			break;
-
-		default:
+		} else {
 			isc_socket_detach(&query->tcpsocket);
 			fctx_cancelquery(&query, NULL, NULL, ISC_FALSE);
-			break;
 		}
 	}
 
 	isc_event_free(&event);
-	
-	if (retry) {
-		/*
-		 * Behave as if the idle timer has expired.  For TCP
-		 * connections this may not actually reflect the latest timer.
-		 */
-		fctx->attributes &= ~FCTX_ATTR_ADDRWAIT;
-		result = fctx_stopidletimer(fctx);
-		if (result != ISC_R_SUCCESS)
-			fctx_done(fctx, result);
-		else
-			fctx_try(fctx);
-	}
 }
 
+
+
 static void
 fctx_finddone(isc_task_t *task, isc_event_t *event) {
 	fetchctx_t *fctx;
@@ -1484,12 +1494,44 @@ mark_bad(fetchctx_t *fctx) {
 			all_bad = ISC_FALSE;
 	}
 
+	/*
+	 * Mark any bad alternates.
+	 */
+	for (curr = ISC_LIST_HEAD(fctx->altfinds);
+	     curr != NULL;
+	     curr = ISC_LIST_NEXT(curr, publink)) {
+		for (addrinfo = ISC_LIST_HEAD(curr->list);
+		     addrinfo != NULL;
+		     addrinfo = ISC_LIST_NEXT(addrinfo, publink)) {
+			if (bad_server(fctx, &addrinfo->sockaddr))
+				addrinfo->flags |= FCTX_ADDRINFO_MARK;
+			else
+				all_bad = ISC_FALSE;
+		}
+	}
+
+	for (addrinfo = ISC_LIST_HEAD(fctx->altaddrs);
+	     addrinfo != NULL;
+	     addrinfo = ISC_LIST_NEXT(addrinfo, publink)) {
+		if (bad_server(fctx, &addrinfo->sockaddr))
+			addrinfo->flags |= FCTX_ADDRINFO_MARK;
+		else
+			all_bad = ISC_FALSE;
+	}
+
 	return (all_bad);
 }
 
 static void
-add_bad(fetchctx_t *fctx, isc_sockaddr_t *address) {
+add_bad(fetchctx_t *fctx, isc_sockaddr_t *address, isc_result_t reason) {
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char addrbuf[ISC_SOCKADDR_FORMATSIZE];
+	char classbuf[64];
+	char typebuf[64];
+	char code[64];
+	isc_buffer_t b;
 	isc_sockaddr_t *sa;
+	const char *sep1, *sep2;
 
 	if (bad_server(fctx, address)) {
 		/*
@@ -1500,11 +1542,41 @@ add_bad(fetchctx_t *fctx, isc_sockaddr_t *address) {
 
 	FCTXTRACE("add_bad");
 
-	sa = isc_mem_get(fctx->res->mctx, sizeof *sa);
+	sa = isc_mem_get(fctx->res->mctx, sizeof(*sa));
 	if (sa == NULL)
 		return;
 	*sa = *address;
 	ISC_LIST_INITANDAPPEND(fctx->bad, sa, link);
+
+	if (reason == DNS_R_LAME)	/* already logged */
+		return;
+
+	if (reason == DNS_R_UNEXPECTEDRCODE) {
+		isc_buffer_init(&b, code, sizeof(code) - 1);
+		dns_rcode_totext(fctx->rmessage->rcode, &b);
+		code[isc_buffer_usedlength(&b)] = '\0';
+		sep1 = "(";
+		sep2 = ") ";
+	} else if (reason == DNS_R_UNEXPECTEDOPCODE) {
+		isc_buffer_init(&b, code, sizeof(code) - 1);
+		dns_opcode_totext(fctx->rmessage->opcode, &b);
+		code[isc_buffer_usedlength(&b)] = '\0';
+		sep1 = "(";
+		sep2 = ") ";
+	} else {
+		code[0] = '\0';
+		sep1 = "";
+		sep2 = "";
+	}
+	dns_name_format(&fctx->name, namebuf, sizeof(namebuf));
+	dns_rdatatype_format(fctx->type, typebuf, sizeof(typebuf));
+	dns_rdataclass_format(fctx->res->rdclass, classbuf, sizeof(classbuf));
+	isc_sockaddr_format(address, addrbuf, sizeof(addrbuf));
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_LAME_SERVERS,
+		      DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
+		      "%s %s%s%sresolving '%s/%s/%s': %s",
+		      dns_result_totext(reason), sep1, code, sep2,
+		      namebuf, typebuf, classbuf, addrbuf);
 }
 
 static void
@@ -1560,6 +1632,138 @@ sort_finds(fetchctx_t *fctx) {
 		ISC_LIST_APPEND(sorted, best, publink);
 	}
 	fctx->finds = sorted;
+
+	ISC_LIST_INIT(sorted);
+	while (!ISC_LIST_EMPTY(fctx->altfinds)) {
+		best = ISC_LIST_HEAD(fctx->altfinds);
+		bestaddrinfo = ISC_LIST_HEAD(best->list);
+		INSIST(bestaddrinfo != NULL);
+		curr = ISC_LIST_NEXT(best, publink);
+		while (curr != NULL) {
+			addrinfo = ISC_LIST_HEAD(curr->list);
+			INSIST(addrinfo != NULL);
+			if (addrinfo->srtt < bestaddrinfo->srtt) {
+				best = curr;
+				bestaddrinfo = addrinfo;
+			}
+			curr = ISC_LIST_NEXT(curr, publink);
+		}
+		ISC_LIST_UNLINK(fctx->altfinds, best, publink);
+		ISC_LIST_APPEND(sorted, best, publink);
+	}
+	fctx->altfinds = sorted;
+}
+
+static void
+findname(fetchctx_t *fctx, dns_name_t *name, in_port_t port,
+	 unsigned int options, unsigned int flags, isc_stdtime_t now,
+	 isc_boolean_t *pruned, isc_boolean_t *need_alternate)
+{
+	dns_adbaddrinfo_t *ai;
+	dns_adbfind_t *find;
+	dns_resolver_t *res;
+	isc_boolean_t unshared;
+	isc_result_t result;
+
+	res = fctx->res;
+	unshared = ISC_TF((fctx->options | DNS_FETCHOPT_UNSHARED) != 0);
+	/*
+	 * If this name is a subdomain of the query domain, tell
+	 * the ADB to start looking using zone/hint data. This keeps us
+	 * from getting stuck if the nameserver is beneath the zone cut
+	 * and we don't know its address (e.g. because the A record has
+	 * expired).
+	 */
+	if (dns_name_issubdomain(name, &fctx->domain))
+		options |= DNS_ADBFIND_STARTATZONE;
+	options |= DNS_ADBFIND_GLUEOK;
+	options |= DNS_ADBFIND_HINTOK;
+
+	/*
+	 * See what we know about this address.
+	 */
+	find = NULL;
+	result = dns_adb_createfind(fctx->adb,
+				    res->buckets[fctx->bucketnum].task,
+				    fctx_finddone, fctx, name,
+				    &fctx->domain, options, now, NULL,
+				    res->view->dstport, &find);
+	if (result != ISC_R_SUCCESS) {
+		if (result == DNS_R_ALIAS) {
+			/*
+			 * XXXRTH  Follow the CNAME/DNAME chain?
+			 */
+			dns_adb_destroyfind(&find);
+		}
+	} else if (!ISC_LIST_EMPTY(find->list)) {
+		/*
+		 * We have at least some of the addresses for the
+		 * name.
+		 */
+		INSIST((find->options & DNS_ADBFIND_WANTEVENT) == 0);
+		sort_adbfind(find);
+		if (flags != 0 || port != 0) {
+			for (ai = ISC_LIST_HEAD(find->list);
+			     ai != NULL;
+			     ai = ISC_LIST_NEXT(ai, publink)) {
+				ai->flags |= flags;
+				if (port != 0)
+					isc_sockaddr_setport(&ai->sockaddr,
+							     port);
+			}
+		}
+		if ((flags & FCTX_ADDRINFO_FORWARDER) != 0)
+			ISC_LIST_APPEND(fctx->altfinds, find, publink);
+		else
+			ISC_LIST_APPEND(fctx->finds, find, publink);
+	} else {
+		/*
+		 * We don't know any of the addresses for this
+		 * name.
+		 */
+		if ((find->options & DNS_ADBFIND_WANTEVENT) != 0) {
+			/*
+			 * We're looking for them and will get an
+			 * event about it later.
+			 */
+			fctx->pending++;
+			/*
+			 * Bootstrap.
+			 */
+			if (need_alternate != NULL &&
+			    !*need_alternate && unshared &&
+			    ((res->dispatchv4 == NULL &&
+			      find->result_v6 != DNS_R_NXDOMAIN) ||
+			     (res->dispatchv6 == NULL &&
+			      find->result_v4 != DNS_R_NXDOMAIN)))
+				*need_alternate = ISC_TRUE;
+		} else {
+			/*
+			 * If we know there are no addresses for
+			 * the family we are using then try to add
+			 * an alternative server.
+			 */
+			if (need_alternate != NULL && !*need_alternate &&
+			    ((res->dispatchv4 == NULL &&
+			      find->result_v6 == DNS_R_NXRRSET) ||
+			     (res->dispatchv6 == NULL &&
+			      find->result_v4 == DNS_R_NXRRSET)))
+				*need_alternate = ISC_TRUE;
+			/*
+			 * And ADB isn't going to send us any events
+			 * either.  This find loses.
+			 */
+			if ((find->options & DNS_ADBFIND_LAMEPRUNED) != 0) {
+				/*
+				 * The ADB pruned lame servers for
+				 * this name.  Remember that in case
+				 * we get desperate later on.
+				 */
+				*pruned = ISC_TRUE;
+			}
+			dns_adb_destroyfind(&find);
+		}
+	}
 }
 
 static isc_result_t
@@ -1568,12 +1772,13 @@ fctx_getaddresses(fetchctx_t *fctx) {
 	isc_result_t result;
 	dns_resolver_t *res;
 	isc_stdtime_t now;
-	dns_adbfind_t *find;
-	unsigned int stdoptions, options;
+	unsigned int stdoptions;
 	isc_sockaddr_t *sa;
 	dns_adbaddrinfo_t *ai;
 	isc_boolean_t pruned, all_bad;
 	dns_rdata_ns_t ns;
+	isc_boolean_t need_alternate = ISC_FALSE;
+	isc_boolean_t unshared;
 
 	FCTXTRACE("getaddresses");
 
@@ -1589,12 +1794,14 @@ fctx_getaddresses(fetchctx_t *fctx) {
 	res = fctx->res;
 	pruned = ISC_FALSE;
 	stdoptions = 0;		/* Keep compiler happy. */
+	unshared = ISC_TF((fctx->options | DNS_FETCHOPT_UNSHARED) != 0);
 
 	/*
 	 * Forwarders.
 	 */
 
 	INSIST(ISC_LIST_EMPTY(fctx->forwaddrs));
+	INSIST(ISC_LIST_EMPTY(fctx->altaddrs));
 
 	/*
 	 * If this fctx has forwarders, use them; otherwise use any
@@ -1617,8 +1824,16 @@ fctx_getaddresses(fetchctx_t *fctx) {
 		result = dns_adb_findaddrinfo(fctx->adb,
 					      sa, &ai, 0);  /* XXXMLG */
 		if (result == ISC_R_SUCCESS) {
+			dns_adbaddrinfo_t *cur;
 			ai->flags |= FCTX_ADDRINFO_FORWARDER;
-			ISC_LIST_APPEND(fctx->forwaddrs, ai, publink);
+			cur = ISC_LIST_HEAD(fctx->forwaddrs);
+			while (cur != NULL && cur->srtt < ai->srtt)
+				cur = ISC_LIST_NEXT(cur, publink);
+			if (cur != NULL)
+				ISC_LIST_INSERTBEFORE(fctx->forwaddrs, cur,
+						      ai, publink);
+			else
+				ISC_LIST_APPEND(fctx->forwaddrs, ai, publink);
 		}
 		sa = ISC_LIST_NEXT(sa, link);
 	}
@@ -1657,90 +1872,65 @@ fctx_getaddresses(fetchctx_t *fctx) {
 
  restart:
 	INSIST(ISC_LIST_EMPTY(fctx->finds));
+	INSIST(ISC_LIST_EMPTY(fctx->altfinds));
 
-	result = dns_rdataset_first(&fctx->nameservers);
-	while (result == ISC_R_SUCCESS) {
+	for (result = dns_rdataset_first(&fctx->nameservers);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&fctx->nameservers))
+	{
 		dns_rdataset_current(&fctx->nameservers, &rdata);
 		/*
 		 * Extract the name from the NS record.
 		 */
 		result = dns_rdata_tostruct(&rdata, &ns, NULL);
-		if (result != ISC_R_SUCCESS) {
-			dns_rdataset_next(&fctx->nameservers);
+		if (result != ISC_R_SUCCESS)
 			continue;
-		}
-		options = stdoptions;
-		/*
-		 * If this name is a subdomain of the query domain, tell
-		 * the ADB to start looking using zone/hint data. This keeps
-		 * us from getting stuck if the nameserver is beneath the
-		 * zone cut and we don't know its address (e.g. because the
-		 * A record has expired).
-		 */
-		if (dns_name_issubdomain(&ns.name, &fctx->domain))
-			options |= DNS_ADBFIND_STARTATZONE;
-		options |= DNS_ADBFIND_GLUEOK;
-		options |= DNS_ADBFIND_HINTOK;
 
-		/*
-		 * See what we know about this address.
-		 */
-		find = NULL;
-		result = dns_adb_createfind(fctx->adb,
-					    res->buckets[fctx->bucketnum].task,
-					    fctx_finddone, fctx, &ns.name,
-					    &fctx->domain, options, now, NULL,
-					    res->view->dstport, &find);
-		if (result != ISC_R_SUCCESS) {
-			if (result == DNS_R_ALIAS) {
-				/*
-				 * XXXRTH  Follow the CNAME/DNAME chain?
-				 */
-				dns_adb_destroyfind(&find);
-			}
-		} else if (!ISC_LIST_EMPTY(find->list)) {
-			/*
-			 * We have at least some of the addresses for the
-			 * name.
-			 */
-			INSIST((find->options & DNS_ADBFIND_WANTEVENT) == 0);
-			sort_adbfind(find);
-			ISC_LIST_APPEND(fctx->finds, find, publink);
-		} else {
-			/*
-			 * We don't know any of the addresses for this
-			 * name.
-			 */
-			if ((find->options & DNS_ADBFIND_WANTEVENT) != 0) {
-				/*
-				 * We're looking for them and will get an
-				 * event about it later.
-				 */
-				fctx->pending++;
-			} else {
-				/*
-				 * And ADB isn't going to send us any events
-				 * either.  This find loses.
-				 */
-				if ((find->options & DNS_ADBFIND_LAMEPRUNED)
-				    != 0) {
-					/*
-					 * The ADB pruned lame servers for
-					 * this name.  Remember that in case
-					 * we get desperate later on.
-					 */
-					pruned = ISC_TRUE;
-				}
-				dns_adb_destroyfind(&find);
-			}
-		}
+		findname(fctx, &ns.name, 0, stdoptions, 0, now,
+			 &pruned, &need_alternate);
 		dns_rdata_reset(&rdata);
 		dns_rdata_freestruct(&ns);
-		result = dns_rdataset_next(&fctx->nameservers);
 	}
 	if (result != ISC_R_NOMORE)
 		return (result);
 
+	/*
+	 * Do we need to use 6 to 4?
+	 */
+	if (need_alternate) {
+		int family;
+		alternate_t *a;
+		family = (res->dispatchv6 != NULL) ? AF_INET6 : AF_INET;
+		for (a = ISC_LIST_HEAD(fctx->res->alternates);
+		     a != NULL;
+		     a = ISC_LIST_NEXT(a, link)) {
+			if (!a->isaddress) {
+				findname(fctx, &a->_u._n.name, a->_u._n.port,
+					 stdoptions, FCTX_ADDRINFO_FORWARDER,
+					 now, &pruned, NULL);
+				continue;
+			}
+			if (isc_sockaddr_pf(&a->_u.addr) != family)
+				continue;
+			ai = NULL;
+			result = dns_adb_findaddrinfo(fctx->adb, &a->_u.addr,
+						      &ai, 0);
+			if (result == ISC_R_SUCCESS) {
+				dns_adbaddrinfo_t *cur;
+				ai->flags |= FCTX_ADDRINFO_FORWARDER;
+				cur = ISC_LIST_HEAD(fctx->altaddrs);
+				while (cur != NULL && cur->srtt < ai->srtt)
+					cur = ISC_LIST_NEXT(cur, publink);
+				if (cur != NULL)
+					ISC_LIST_INSERTBEFORE(fctx->altaddrs,
+							      cur, ai, publink);
+				else
+					ISC_LIST_APPEND(fctx->altaddrs, ai,
+							publink);
+			}
+		}
+	}
+
  out:
 	/*
 	 * Mark all known bad servers.
@@ -1769,6 +1959,7 @@ fctx_getaddresses(fetchctx_t *fctx) {
 			INSIST((stdoptions & DNS_ADBFIND_RETURNLAME) == 0);
 			stdoptions |= DNS_ADBFIND_RETURNLAME;
 			pruned = ISC_FALSE;
+			fctx_cleanupaltfinds(fctx);
 			fctx_cleanupfinds(fctx);
 			goto restart;
 		} else {
@@ -1785,11 +1976,6 @@ fctx_getaddresses(fetchctx_t *fctx) {
 		 * We've found some addresses.  We might still be looking
 		 * for more addresses.
 		 */
-		/*
-		 * XXXRTH  We could sort the forwaddrs here if the caller
-		 *         wants to use the forwaddrs in "best order" as
-		 *         opposed to "fixed order".
-		 */
 		sort_finds(fctx);
 		result = ISC_R_SUCCESS;
 	}
@@ -1836,14 +2022,14 @@ possibly_mark(fetchctx_t *fctx, dns_adbaddrinfo_t *addr)
 	if (aborted) {
 		addr->flags |= FCTX_ADDRINFO_MARK;
 		msg = "ignoring blackholed / bogus server: ";
-	} else if (sa->type.sa.sa_family != AF_INET6) {
-		return;
 	} else if (isc_sockaddr_ismulticast(sa)) {
 		addr->flags |= FCTX_ADDRINFO_MARK;
 		msg = "ignoring multicast address: ";
 	} else if (isc_sockaddr_isexperimental(sa)) {
 		addr->flags |= FCTX_ADDRINFO_MARK;
 		msg = "ignoring experimental address: ";
+	} else if (sa->type.sa.sa_family != AF_INET6) {
+		return;
 	} else if (IN6_IS_ADDR_V4MAPPED(&sa->type.sin6.sin6_addr)) {
 		addr->flags |= FCTX_ADDRINFO_MARK;
 		msg = "ignoring IPv6 mapped IPV4 address: ";
@@ -1857,14 +2043,15 @@ possibly_mark(fetchctx_t *fctx, dns_adbaddrinfo_t *addr)
 		return;
 
 	isc_netaddr_fromsockaddr(&na, sa);
-	isc_netaddr_format(&na, buf, sizeof buf);
+	isc_netaddr_format(&na, buf, sizeof(buf));
 	FCTXTRACE2(msg, buf);
 }
 
 static inline dns_adbaddrinfo_t *
 fctx_nextaddress(fetchctx_t *fctx) {
-	dns_adbfind_t *find, *start;
+	dns_adbfind_t *find;
 	dns_adbaddrinfo_t *addrinfo;
+	dns_adbaddrinfo_t *faddrinfo;
 
 	/*
 	 * Return the next untried address, if any.
@@ -1876,6 +2063,8 @@ fctx_nextaddress(fetchctx_t *fctx) {
 	for (addrinfo = ISC_LIST_HEAD(fctx->forwaddrs);
 	     addrinfo != NULL;
 	     addrinfo = ISC_LIST_NEXT(addrinfo, publink)) {
+		if (!UNMARKED(addrinfo))
+			continue;
 		possibly_mark(fctx, addrinfo);
 		if (UNMARKED(addrinfo)) {
 			addrinfo->flags |= FCTX_ADDRINFO_MARK;
@@ -1887,6 +2076,9 @@ fctx_nextaddress(fetchctx_t *fctx) {
 	/*
 	 * No forwarders.  Move to the next find.
 	 */
+
+	fctx->attributes |= FCTX_ATTR_TRIEDFIND;
+
 	find = fctx->find;
 	if (find == NULL)
 		find = ISC_LIST_HEAD(fctx->finds);
@@ -1900,27 +2092,93 @@ fctx_nextaddress(fetchctx_t *fctx) {
 	 * Find the first unmarked addrinfo.
 	 */
 	addrinfo = NULL;
-	if (find != NULL) {
-		start = find;
-		do {
-			for (addrinfo = ISC_LIST_HEAD(find->list);
-			     addrinfo != NULL;
-			     addrinfo = ISC_LIST_NEXT(addrinfo, publink)) {
-				possibly_mark(fctx, addrinfo);
-				if (UNMARKED(addrinfo)) {
-					addrinfo->flags |= FCTX_ADDRINFO_MARK;
-					break;
-				}
-			}
-			if (addrinfo != NULL)
+	while (find != fctx->find) {
+		for (addrinfo = ISC_LIST_HEAD(find->list);
+		     addrinfo != NULL;
+		     addrinfo = ISC_LIST_NEXT(addrinfo, publink)) {
+			if (!UNMARKED(addrinfo))
+				continue;
+			possibly_mark(fctx, addrinfo);
+			if (UNMARKED(addrinfo)) {
+				addrinfo->flags |= FCTX_ADDRINFO_MARK;
 				break;
-			find = ISC_LIST_NEXT(find, publink);
-			if (find == NULL)
-				find = ISC_LIST_HEAD(fctx->finds);
-		} while (find != start);
+			}
+		}
+		if (addrinfo != NULL)
+			break;
+		find = ISC_LIST_NEXT(find, publink);
+		if (find != fctx->find && find == NULL)
+			find = ISC_LIST_HEAD(fctx->finds);
 	}
 
 	fctx->find = find;
+	if (addrinfo != NULL)
+		return (addrinfo);
+
+	/*
+	 * No nameservers left.  Try alternates.
+	 */
+
+	fctx->attributes |= FCTX_ATTR_TRIEDALT;
+
+	find = fctx->altfind;
+	if (find == NULL)
+		find = ISC_LIST_HEAD(fctx->altfinds);
+	else {
+		find = ISC_LIST_NEXT(find, publink);
+		if (find == NULL)
+			find = ISC_LIST_HEAD(fctx->altfinds);
+	}
+
+	/*
+	 * Find the first unmarked addrinfo.
+	 */
+	addrinfo = NULL;
+	while (find != fctx->altfind) {
+		for (addrinfo = ISC_LIST_HEAD(find->list);
+		     addrinfo != NULL;
+		     addrinfo = ISC_LIST_NEXT(addrinfo, publink)) {
+			if (!UNMARKED(addrinfo))
+				continue;
+			possibly_mark(fctx, addrinfo);
+			if (UNMARKED(addrinfo)) {
+				addrinfo->flags |= FCTX_ADDRINFO_MARK;
+				break;
+			}
+		}
+		if (addrinfo != NULL)
+			break;
+		find = ISC_LIST_NEXT(find, publink);
+		if (find != fctx->altfind && find == NULL)
+			find = ISC_LIST_HEAD(fctx->altfinds);
+	}
+
+	faddrinfo = addrinfo;
+
+	/*
+	 * See if we have a better alternate server by address.
+	 */
+
+	for (addrinfo = ISC_LIST_HEAD(fctx->altaddrs);
+	     addrinfo != NULL;
+	     addrinfo = ISC_LIST_NEXT(addrinfo, publink)) {
+		if (!UNMARKED(addrinfo))
+			continue;
+		possibly_mark(fctx, addrinfo);
+		if (UNMARKED(addrinfo) &&
+		    (faddrinfo == NULL ||
+		     addrinfo->srtt < faddrinfo->srtt)) {
+			if (faddrinfo != NULL)
+				faddrinfo->flags &= ~FCTX_ADDRINFO_MARK;
+			addrinfo->flags |= FCTX_ADDRINFO_MARK;
+			break;
+		}
+	}
+
+	if (addrinfo == NULL) {
+		addrinfo = faddrinfo;
+		fctx->altfind = find;
+	}
 
 	return (addrinfo);
 }
@@ -1941,7 +2199,9 @@ fctx_try(fetchctx_t *fctx) {
 		 */
 		fctx_cancelqueries(fctx, ISC_TRUE);
 		fctx_cleanupfinds(fctx);
+		fctx_cleanupaltfinds(fctx);
 		fctx_cleanupforwaddrs(fctx);
+		fctx_cleanupaltaddrs(fctx);
 		result = fctx_getaddresses(fctx);
 		if (result == DNS_R_WAIT) {
 			/*
@@ -1990,6 +2250,7 @@ fctx_destroy(fetchctx_t *fctx) {
 	REQUIRE(ISC_LIST_EMPTY(fctx->events));
 	REQUIRE(ISC_LIST_EMPTY(fctx->queries));
 	REQUIRE(ISC_LIST_EMPTY(fctx->finds));
+	REQUIRE(ISC_LIST_EMPTY(fctx->altfinds));
 	REQUIRE(fctx->pending == 0);
 	REQUIRE(ISC_LIST_EMPTY(fctx->validators));
 	REQUIRE(fctx->references == 0);
@@ -2009,7 +2270,7 @@ fctx_destroy(fetchctx_t *fctx) {
 	     sa = next_sa) {
 		next_sa = ISC_LIST_NEXT(sa, link);
 		ISC_LIST_UNLINK(fctx->bad, sa, link);
-		isc_mem_put(res->mctx, sa, sizeof *sa);
+		isc_mem_put(res->mctx, sa, sizeof(*sa));
 	}
 
 	isc_timer_detach(&fctx->timer);
@@ -2022,7 +2283,11 @@ fctx_destroy(fetchctx_t *fctx) {
 	dns_name_free(&fctx->name, res->mctx);
 	dns_db_detach(&fctx->cache);
 	dns_adb_detach(&fctx->adb);
-	isc_mem_put(res->mctx, fctx, sizeof *fctx);
+	isc_mem_put(res->mctx, fctx, sizeof(*fctx));
+
+	LOCK(&res->nlock);
+	res->nfctx--;
+	UNLOCK(&res->nlock);
 
 	if (res->buckets[bucketnum].exiting &&
 	    ISC_LIST_EMPTY(res->buckets[bucketnum].fctxs))
@@ -2048,6 +2313,8 @@ fctx_timeout(isc_task_t *task, isc_event_t *event) {
 	if (event->ev_type == ISC_TIMEREVENT_LIFE) {
 		fctx_done(fctx, ISC_R_TIMEDOUT);
 	} else {
+		isc_result_t result;
+
 		fctx->timeouts++;
 		/*
 		 * We could cancel the running queries here, or we could let
@@ -2058,11 +2325,14 @@ fctx_timeout(isc_task_t *task, isc_event_t *event) {
 		 * Our timer has triggered.  Reestablish the fctx lifetime
 		 * timer.
 		 */
-		fctx_starttimer(fctx);
-		/*
-		 * Keep trying.
-		 */
-		fctx_try(fctx);
+		result = fctx_starttimer(fctx);
+		if (result != ISC_R_SUCCESS)
+			fctx_done(fctx, result);
+		else
+			/*
+			 * Keep trying.
+			 */
+			fctx_try(fctx);
 	}
 
 	isc_event_free(&event);
@@ -2131,6 +2401,9 @@ fctx_doshutdown(isc_task_t *task, isc_event_t *event) {
 		dns_validator_cancel(validator);
 		validator = ISC_LIST_NEXT(validator, link);
 	}
+	
+	if (fctx->nsfetch != NULL)
+		dns_resolver_cancelfetch(fctx->nsfetch);
 
 	/*
 	 * Shut down anything that is still running on behalf of this
@@ -2219,11 +2492,16 @@ fctx_start(isc_task_t *task, isc_event_t *event) {
 	UNLOCK(&res->buckets[bucketnum].lock);
 
 	if (!done) {
+		isc_result_t result;
+
 		/*
 		 * All is well.  Start working on the fetch.
 		 */
-		fctx_starttimer(fctx);
-		fctx_try(fctx);
+		result = fctx_starttimer(fctx);
+		if (result != ISC_R_SUCCESS)
+			fctx_done(fctx, result);
+		else
+			fctx_try(fctx);
 	} else if (bucket_empty)
 		empty_bucket(res);
 }
@@ -2252,7 +2530,7 @@ fctx_join(fetchctx_t *fctx, isc_task_t *task, isc_taskaction_t action,
 	event = (dns_fetchevent_t *)
 		isc_event_allocate(fctx->res->mctx, clone,
 				   DNS_EVENT_FETCHDONE,
-				   action, arg, sizeof *event);
+				   action, arg, sizeof(*event));
 	if (event == NULL) {
 		isc_task_detach(&clone);
 		return (ISC_R_NOMEMORY);
@@ -2288,10 +2566,10 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
 	    unsigned int options, unsigned int bucketnum, fetchctx_t **fctxp)
 {
 	fetchctx_t *fctx;
-	isc_result_t result;
+	isc_result_t result = ISC_R_SUCCESS;
 	isc_result_t iresult;
 	isc_interval_t interval;
-	dns_fixedname_t fixed;
+	dns_fixedname_t qdomain;
 	unsigned int findoptions = 0;
 
 	/*
@@ -2299,16 +2577,14 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
 	 */
 	REQUIRE(fctxp != NULL && *fctxp == NULL);
 
-	fctx = isc_mem_get(res->mctx, sizeof *fctx);
+	fctx = isc_mem_get(res->mctx, sizeof(*fctx));
 	if (fctx == NULL)
 		return (ISC_R_NOMEMORY);
 	FCTXTRACE("create");
 	dns_name_init(&fctx->name, NULL);
 	result = dns_name_dup(name, res->mctx, &fctx->name);
-	if (result != ISC_R_SUCCESS) {
-		result = ISC_R_NOMEMORY;
+	if (result != ISC_R_SUCCESS)
 		goto cleanup_fetch;
-	}
 	dns_name_init(&fctx->domain, NULL);
 	dns_rdataset_init(&fctx->nameservers);
 
@@ -2327,26 +2603,28 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
 	fctx->cloned = ISC_FALSE;
 	ISC_LIST_INIT(fctx->queries);
 	ISC_LIST_INIT(fctx->finds);
+	ISC_LIST_INIT(fctx->altfinds);
 	ISC_LIST_INIT(fctx->forwaddrs);
+	ISC_LIST_INIT(fctx->altaddrs);
 	ISC_LIST_INIT(fctx->forwarders);
 	fctx->fwdpolicy = dns_fwdpolicy_none;
 	ISC_LIST_INIT(fctx->bad);
 	ISC_LIST_INIT(fctx->validators);
 	fctx->find = NULL;
+	fctx->altfind = NULL;
 	fctx->pending = 0;
 	fctx->restarts = 0;
 	fctx->timeouts = 0;
-	if (dns_name_requiresedns(name))
-		fctx->attributes = FCTX_ATTR_NEEDEDNS0;
-	else
-		fctx->attributes = 0;
+	fctx->attributes = 0;
+
+	dns_name_init(&fctx->nsname, NULL);
+	fctx->nsfetch = NULL;
+	dns_rdataset_init(&fctx->nsrrset);
 
 	if (domain == NULL) {
 		dns_forwarders_t *forwarders = NULL;
-		dns_fixedname_init(&fixed);
-		domain = dns_fixedname_name(&fixed);
-		result = dns_fwdtable_find2(fctx->res->view->fwdtable,
-					    &fctx->name, domain, &forwarders);
+		result = dns_fwdtable_find(fctx->res->view->fwdtable,
+					   &fctx->name, &forwarders);
 		if (result == ISC_R_SUCCESS)
 			fctx->fwdpolicy = forwarders->fwdpolicy;
 
@@ -2356,24 +2634,29 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
 			 * nameservers, and we're not in forward-only mode,
 			 * so find the best nameservers to use.
 			 */
-			if (type == dns_rdatatype_key)
+			if (dns_rdatatype_atparent(type))
 				findoptions |= DNS_DBFIND_NOEXACT;
-			result = dns_view_findzonecut(res->view, name, domain,
-						      0, findoptions, ISC_TRUE,
+			dns_fixedname_init(&qdomain);
+			result = dns_view_findzonecut(res->view, name,
+					      dns_fixedname_name(&qdomain), 0,
+						      findoptions, ISC_TRUE,
 						      &fctx->nameservers,
 						      NULL);
 			if (result != ISC_R_SUCCESS)
 				goto cleanup_name;
-			result = dns_name_dup(domain, res->mctx, &fctx->domain);
+			result = dns_name_dup(dns_fixedname_name(&qdomain),
+					      res->mctx, &fctx->domain);
 			if (result != ISC_R_SUCCESS) {
 				dns_rdataset_disassociate(&fctx->nameservers);
 				goto cleanup_name;
 			}
 		} else {
 			/*
-			 * We're in forward-only mode.  Set the query domain.
+			 * We're in forward-only mode.  Set the query domain
+			 * to ".".
 			 */
-			result = dns_name_dup(domain, res->mctx, &fctx->domain);
+			result = dns_name_dup(dns_rootname, res->mctx,
+					      &fctx->domain);
 			if (result != ISC_R_SUCCESS)
 				goto cleanup_name;
 		}
@@ -2451,6 +2734,10 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
 
 	ISC_LIST_APPEND(res->buckets[bucketnum].fctxs, fctx, link);
 
+	LOCK(&res->nlock);
+	res->nfctx++;
+	UNLOCK(&res->nlock);
+
 	*fctxp = fctx;
 
 	return (ISC_R_SUCCESS);
@@ -2471,7 +2758,7 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
 	dns_name_free(&fctx->name, res->mctx);
 
  cleanup_fetch:
-	isc_mem_put(res->mctx, fctx, sizeof *fctx);
+	isc_mem_put(res->mctx, fctx, sizeof(*fctx));
 
 	return (result);
 }
@@ -2505,11 +2792,11 @@ is_lame(fetchctx_t *fctx) {
 		     rdataset = ISC_LIST_NEXT(rdataset, link)) {
 			dns_namereln_t namereln;
 			int order;
-			unsigned int labels, bits;
+			unsigned int labels;
 			if (rdataset->type != dns_rdatatype_ns)
 				continue;
 			namereln = dns_name_fullcompare(name, &fctx->domain,
-							&order, &labels, &bits);
+				   			&order, &labels);
 			if (namereln == dns_namereln_equal &&
 			    (message->flags & DNS_MESSAGEFLAG_AA) != 0)
 				return (ISC_FALSE);
@@ -2577,6 +2864,8 @@ clone_results(fetchctx_t *fctx) {
 	isc_result_t result;
 	dns_name_t *name, *hname;
 
+	FCTXTRACE("clone_results");
+
 	/*
 	 * Set up any other events to have the same data as the first
 	 * event.
@@ -2620,6 +2909,7 @@ clone_results(fetchctx_t *fctx) {
 #define EXTERNAL(r)	(((r)->attributes & DNS_RDATASETATTR_EXTERNAL) != 0)
 #define CHAINING(r)	(((r)->attributes & DNS_RDATASETATTR_CHAINING) != 0)
 #define CHASE(r)	(((r)->attributes & DNS_RDATASETATTR_CHASE) != 0)
+#define CHECKNAMES(r)	(((r)->attributes & DNS_RDATASETATTR_CHECKNAMES) != 0)
 
 
 /*
@@ -2635,21 +2925,12 @@ maybe_destroy(fetchctx_t *fctx) {
 	unsigned int bucketnum;
 	isc_boolean_t bucket_empty = ISC_FALSE;
 	dns_resolver_t *res = fctx->res;
-	dns_validator_t *validator;
 
 	REQUIRE(SHUTTINGDOWN(fctx));
 
-	if (fctx->pending != 0)
+	if (fctx->pending != 0 || !ISC_LIST_EMPTY(fctx->validators))
 		return;
 
-	for (validator = ISC_LIST_HEAD(fctx->validators);
-	     validator != NULL;
-	     validator = ISC_LIST_HEAD(fctx->validators)) {
-		ISC_LIST_UNLINK(fctx->validators, validator, link);
-		dns_validator_cancel(validator);
-		dns_validator_destroy(&validator);
-	}
-
 	bucketnum = fctx->bucketnum;
 	LOCK(&res->buckets[bucketnum].lock);
 	if (fctx->references == 0)
@@ -2678,6 +2959,10 @@ validated(isc_task_t *task, isc_event_t *event) {
 	isc_boolean_t chaining;
 	isc_boolean_t sentresponse;
 	isc_uint32_t ttl;
+	dns_dbnode_t *nsnode = NULL;
+	dns_name_t *name;
+	dns_rdataset_t *rdataset;
+	dns_rdataset_t *sigrdataset;
 
 	UNUSED(task); /* for now */
 
@@ -2707,7 +2992,7 @@ validated(isc_task_t *task, isc_event_t *event) {
 	 * done waiting for validator completions and ADB pending events; if
 	 * so, destroy the fctx.
 	 */
-	if (SHUTTINGDOWN(fctx) && !sentresponse ) {
+	if (SHUTTINGDOWN(fctx) && !sentresponse) {
 		maybe_destroy(fctx);
 		goto cleanup_event;
 	}
@@ -2741,7 +3026,7 @@ validated(isc_task_t *task, isc_event_t *event) {
 	if (hevent != NULL) {
 		if (!negative && !chaining &&
 		    (fctx->type == dns_rdatatype_any ||
-		     fctx->type == dns_rdatatype_sig)) {
+		     fctx->type == dns_rdatatype_rrsig)) {
 			/*
 			 * Don't bind rdatasets; the caller
 			 * will iterate the node.
@@ -2764,7 +3049,7 @@ validated(isc_task_t *task, isc_event_t *event) {
 			if (vevent->sigrdataset != NULL)
 				(void)dns_db_deleterdataset(fctx->cache,
 							    node, NULL,
-							    dns_rdatatype_sig,
+							    dns_rdatatype_rrsig,
 							    vevent->type);
 		}
 		result = vevent->result;
@@ -2808,6 +3093,14 @@ validated(isc_task_t *task, isc_event_t *event) {
 
 	FCTXTRACE("validation OK");
 
+	if (vevent->proofs[DNS_VALIDATOR_NOQNAMEPROOF] != NULL) {
+
+		result = dns_rdataset_addnoqname(vevent->rdataset,
+				   vevent->proofs[DNS_VALIDATOR_NOQNAMEPROOF]);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		vevent->sigrdataset->ttl = vevent->rdataset->ttl;
+	}
+
 	/*
 	 * The data was already cached as pending data.
 	 * Re-cache it as secure and bind the cached
@@ -2832,14 +3125,11 @@ validated(isc_task_t *task, isc_event_t *event) {
 			goto noanswer_response;
 	}
 
-	if (!ISC_LIST_EMPTY(fctx->validators))
-		dns_validator_send(ISC_LIST_HEAD(fctx->validators));
-	else if (sentresponse) {
+	if (sentresponse) {
 		/*
 		 * If we only deferred the destroy because we wanted to cache
 		 * the data, destroy now.
 		 */
-		dns_db_detachnode(fctx->cache, &node);
 		if (SHUTTINGDOWN(fctx))
 			maybe_destroy(fctx);
 
@@ -2849,17 +3139,58 @@ validated(isc_task_t *task, isc_event_t *event) {
 	if (!ISC_LIST_EMPTY(fctx->validators)) {
 		INSIST(!negative);
 		INSIST(fctx->type == dns_rdatatype_any ||
-		       fctx->type == dns_rdatatype_sig);
+		       fctx->type == dns_rdatatype_rrsig);
 		/*
 		 * Don't send a response yet - we have
 		 * more rdatasets that still need to
 		 * be validated.
 		 */
-		dns_db_detachnode(fctx->cache, &node);
-		dns_validator_send(ISC_LIST_HEAD(fctx->validators));
 		goto cleanup_event;
 	}
 
+	/*
+	 * Cache any NS records that happened to be validate.
+	 */
+	result = dns_message_firstname(fctx->rmessage, DNS_SECTION_AUTHORITY);
+	while (result == ISC_R_SUCCESS) {
+		name = NULL;
+		dns_message_currentname(fctx->rmessage, DNS_SECTION_AUTHORITY,
+					&name);
+		for (rdataset = ISC_LIST_HEAD(name->list);
+		     rdataset != NULL;
+		     rdataset = ISC_LIST_NEXT(rdataset, link)) {
+			if (rdataset->type != dns_rdatatype_ns ||
+			    rdataset->trust != dns_trust_secure)
+				continue;
+			for (sigrdataset = ISC_LIST_HEAD(name->list);
+			     sigrdataset != NULL;
+			     sigrdataset = ISC_LIST_NEXT(sigrdataset, link)) {
+				if (sigrdataset->type != dns_rdatatype_rrsig ||
+				    sigrdataset->covers != dns_rdatatype_ns)
+					continue;
+				break;
+			}
+			if (sigrdataset == NULL ||
+			    sigrdataset->trust != dns_trust_secure)
+				continue;
+			result = dns_db_findnode(fctx->cache, name, ISC_TRUE,
+						 &nsnode);
+			if (result != ISC_R_SUCCESS)
+				continue;
+
+			result = dns_db_addrdataset(fctx->cache, nsnode, NULL,
+						    now, rdataset, 0, NULL);
+			if (result == ISC_R_SUCCESS)
+				result = dns_db_addrdataset(fctx->cache, nsnode,
+							    NULL, now,
+							    sigrdataset, 0,
+							    NULL);
+			dns_db_detachnode(fctx->cache, &nsnode);
+		}
+		result = dns_message_nextname(fctx->rmessage,
+					      DNS_SECTION_AUTHORITY);
+	}
+
 	result = ISC_R_SUCCESS;
 
  answer_response:
@@ -2872,10 +3203,12 @@ validated(isc_task_t *task, isc_event_t *event) {
 
 	if (hevent != NULL) {
 		hevent->result = eresult;
-		dns_name_copy(vevent->name,
-			      dns_fixedname_name(&hevent->foundname), NULL);
+		RUNTIME_CHECK(dns_name_copy(vevent->name,
+			      dns_fixedname_name(&hevent->foundname), NULL)
+			      == ISC_R_SUCCESS);
 		dns_db_attach(fctx->cache, &hevent->db);
-		dns_db_transfernode(fctx->cache, &node, &hevent->node);
+		hevent->node = node;
+		node = NULL;
 		clone_results(fctx);
 	}
 
@@ -2886,7 +3219,6 @@ validated(isc_task_t *task, isc_event_t *event) {
 	fctx_done(fctx, result);
 
  cleanup_event:
-	INSIST(node == NULL);
 	isc_event_free(&event);
 }
 
@@ -2905,7 +3237,7 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, isc_stdtime_t now) {
 	unsigned int options;
 	isc_task_t *task;
 	dns_validator_t *validator;
-	unsigned int valoptions = 0;
+	isc_boolean_t fail;
 
 	/*
 	 * The appropriate bucket lock must be held.
@@ -2956,7 +3288,7 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, isc_stdtime_t now) {
 			 * and we must set up the rdatasets.
 			 */
 			if ((fctx->type != dns_rdatatype_any &&
-			    fctx->type != dns_rdatatype_sig) ||
+			    fctx->type != dns_rdatatype_rrsig) ||
 			    (name->attributes & DNS_NAMEATTR_CHAINING) != 0) {
 				ardataset = event->rdataset;
 				asigrdataset = event->sigrdataset;
@@ -2975,11 +3307,33 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, isc_stdtime_t now) {
 	/*
 	 * Cache or validate each cacheable rdataset.
 	 */
+	fail = (fctx->res->options & DNS_RESOLVER_CHECKNAMESFAIL) != 0;
 	for (rdataset = ISC_LIST_HEAD(name->list);
 	     rdataset != NULL;
 	     rdataset = ISC_LIST_NEXT(rdataset, link)) {
 		if (!CACHE(rdataset))
 			continue;
+		if (CHECKNAMES(rdataset)) {
+			char namebuf[DNS_NAME_FORMATSIZE];
+			char typebuf[DNS_RDATATYPE_FORMATSIZE];
+			char classbuf[DNS_RDATATYPE_FORMATSIZE];
+
+			dns_name_format(name, namebuf, sizeof(namebuf));
+			dns_rdatatype_format(rdataset->type, typebuf,
+					     sizeof(typebuf));
+			dns_rdataclass_format(rdataset->rdclass, classbuf,
+					      sizeof(classbuf));
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,  
+				      DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
+				      "check-names %s %s/%s/%s", 
+				      fail ? "failure" : "warning",
+				      namebuf, typebuf, classbuf);
+			if (fail) {
+				if (ANSWER(rdataset))
+					return (DNS_R_BADNAME);
+				continue;
+			}
+		}
 
 		/*
 		 * Enforce the configure maximum cache TTL.
@@ -2996,7 +3350,7 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, isc_stdtime_t now) {
 			 * SIGs are validated as part of validating the
 			 * type they cover.
 			 */
-			if (rdataset->type == dns_rdatatype_sig)
+			if (rdataset->type == dns_rdatatype_rrsig)
 				continue;
 			/*
 			 * Find the SIG for this rdataset, if we have it.
@@ -3004,7 +3358,7 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, isc_stdtime_t now) {
 			for (sigrdataset = ISC_LIST_HEAD(name->list);
 			     sigrdataset != NULL;
 			     sigrdataset = ISC_LIST_NEXT(sigrdataset, link)) {
-				if (sigrdataset->type == dns_rdatatype_sig &&
+				if (sigrdataset->type == dns_rdatatype_rrsig &&
 				    sigrdataset->covers == rdataset->type)
 					break;
 			}
@@ -3063,7 +3417,7 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, isc_stdtime_t now) {
 
 			if (ANSWER(rdataset) && need_validation) {
 				if (fctx->type != dns_rdatatype_any &&
-				    fctx->type != dns_rdatatype_sig) {
+				    fctx->type != dns_rdatatype_rrsig) {
 					/*
 					 * This is The Answer.  We will
 					 * validate it, but first we cache
@@ -3093,18 +3447,15 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, isc_stdtime_t now) {
 						rdataset,
 						sigrdataset,
 						fctx->rmessage,
-						valoptions,
+						0,
 						task,
 						validated,
 						fctx,
 						&validator);
-					if (result == ISC_R_SUCCESS) {
+					if (result == ISC_R_SUCCESS)
 						ISC_LIST_APPEND(
 							fctx->validators,
 							validator, link);
-						valoptions |=
-							 DNS_VALIDATOR_DEFER;
-					}
 				}
 			}
 		} else if (!EXTERNAL(rdataset)) {
@@ -3128,7 +3479,7 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, isc_stdtime_t now) {
 			}
 			if (rdataset->trust == dns_trust_glue &&
 			    (rdataset->type == dns_rdatatype_ns ||
-			     (rdataset->type == dns_rdatatype_sig &&
+			     (rdataset->type == dns_rdatatype_rrsig &&
 			      rdataset->covers == dns_rdatatype_ns))) {
 				/*
 				 * If the trust level is 'dns_trust_glue'
@@ -3179,7 +3530,7 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, isc_stdtime_t now) {
 					      valrdataset,
 					      valsigrdataset,
 					      fctx->rmessage,
-					      valoptions,
+					      0,
 					      task,
 					      validated,
 					      fctx,
@@ -3193,7 +3544,8 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, isc_stdtime_t now) {
 		if (event != NULL) {
 			event->result = eresult;
 			dns_db_attach(fctx->cache, adbp);
-			dns_db_transfernode(fctx->cache, &node, anodep);
+			*anodep = node;
+			node = NULL;
 			clone_results(fctx);
 		}
 	}
@@ -3252,28 +3604,23 @@ ncache_adderesult(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
 		  isc_result_t *eresultp)
 {
 	isc_result_t result;
-	dns_rdataset_t rdataset;
-
-	if (ardataset == NULL) {
-		dns_rdataset_init(&rdataset);
-		ardataset = &rdataset;
-	}
 	result = dns_ncache_add(message, cache, node, covers, now,
 				maxttl, ardataset);
-	if (result == DNS_R_UNCHANGED || result == ISC_R_SUCCESS) {
+	if (result == DNS_R_UNCHANGED) {
 		/*
-		 * If the cache now contains a negative entry and we
-		 * care about whether it is DNS_R_NCACHENXDOMAIN or
-		 * DNS_R_NCACHENXRRSET then extract it.
+		 * The data in the cache are better than the negative cache
+		 * entry we're trying to add.
 		 */
-		if (ardataset->type == 0) {
+		if (ardataset != NULL && ardataset->type == 0) {
 			/*
-			 * The cache data is a negative cache entry.
+			 * The cache data is also a negative cache
+			 * entry.
 			 */
 			if (NXDOMAIN(ardataset))
 				*eresultp = DNS_R_NCACHENXDOMAIN;
 			else
 				*eresultp = DNS_R_NCACHENXRRSET;
+			result = ISC_R_SUCCESS;
 		} else {
 			/*
 			 * Either we don't care about the nature of the
@@ -3285,11 +3632,14 @@ ncache_adderesult(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
 			 * XXXRTH  There's a CNAME/DNAME problem here.
 			 */
 			*eresultp = ISC_R_SUCCESS;
+			result = ISC_R_SUCCESS;
 		}
-		result = ISC_R_SUCCESS;
+	} else if (result == ISC_R_SUCCESS) {
+		if (NXDOMAIN(ardataset))
+			*eresultp = DNS_R_NCACHENXDOMAIN;
+		else
+			*eresultp = DNS_R_NCACHENXRRSET;
 	}
-	if (ardataset == &rdataset && dns_rdataset_isassociated(ardataset))
-		dns_rdataset_disassociate(ardataset);
 
 	return (result);
 }
@@ -3319,6 +3669,12 @@ ncache_message(fetchctx_t *fctx, dns_rdatatype_t covers, isc_stdtime_t now) {
 	node = NULL;
 
 	/*
+	 * XXXMPA remove when we follow cnames and adjust the setting
+	 * of FCTX_ATTR_WANTNCACHE in noanswer_response().
+	 */
+	INSIST(fctx->rmessage->counts[DNS_SECTION_ANSWER] == 0);
+
+	/*
 	 * Is DNSSEC validation required for this name?
 	 */
 	result = dns_keytable_issecuredomain(res->view->secroots, name,
@@ -3424,7 +3780,8 @@ ncache_message(fetchctx_t *fctx, dns_rdatatype_t covers, isc_stdtime_t now) {
 		if (event != NULL) {
 			event->result = eresult;
 			dns_db_attach(fctx->cache, adbp);
-			dns_db_transfernode(fctx->cache, &node, anodep);
+			*anodep = node;
+			node = NULL;
 			clone_results(fctx);
 		}
 	}
@@ -3482,25 +3839,41 @@ check_related(void *arg, dns_name_t *addname, dns_rdatatype_t type) {
 	else
 		gluing = ISC_FALSE;
 	name = NULL;
+	rdataset = NULL;
 	result = dns_message_findname(fctx->rmessage, DNS_SECTION_ADDITIONAL,
 				      addname, dns_rdatatype_any, 0, &name,
 				      NULL);
 	if (result == ISC_R_SUCCESS) {
 		external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
-		for (rdataset = ISC_LIST_HEAD(name->list);
-		     rdataset != NULL;
-		     rdataset = ISC_LIST_NEXT(rdataset, link)) {
-			if (rdataset->type == dns_rdatatype_sig)
-				rtype = rdataset->covers;
-			else
-				rtype = rdataset->type;
-			if ((type == dns_rdatatype_a && 
-			     (rtype == dns_rdatatype_a ||
-			      rtype == dns_rdatatype_aaaa ||
-			      rtype == dns_rdatatype_a6)) ||
-			    type == rtype)
-				mark_related(name, rdataset, external,
-					     gluing);
+		if (type == dns_rdatatype_a) {
+			for (rdataset = ISC_LIST_HEAD(name->list);
+			     rdataset != NULL;
+			     rdataset = ISC_LIST_NEXT(rdataset, link)) {
+				if (rdataset->type == dns_rdatatype_rrsig)
+					rtype = rdataset->covers;
+				else
+					rtype = rdataset->type;
+				if (rtype == dns_rdatatype_a ||
+				    rtype == dns_rdatatype_aaaa)
+					mark_related(name, rdataset, external,
+						     gluing);
+			}
+		} else {
+			result = dns_message_findtype(name, type, 0,
+						      &rdataset);
+			if (result == ISC_R_SUCCESS) {
+				mark_related(name, rdataset, external, gluing);
+				/*
+				 * Do we have its SIG too?
+				 */
+				rdataset = NULL;
+				result = dns_message_findtype(name,
+						      dns_rdatatype_rrsig,
+						      type, &rdataset);
+				if (result == ISC_R_SUCCESS)
+					mark_related(name, rdataset, external,
+						     gluing);
+			}
 		}
 	}
 
@@ -3568,7 +3941,7 @@ dname_target(dns_rdataset_t *rdataset, dns_name_t *qname, dns_name_t *oname,
 {
 	isc_result_t result;
 	dns_rdata_t rdata = DNS_RDATA_INIT;
-	unsigned int nlabels, nbits;
+	unsigned int nlabels;
 	int order;
 	dns_namereln_t namereln;
 	dns_rdata_dname_t dname;
@@ -3589,19 +3962,13 @@ dname_target(dns_rdataset_t *rdataset, dns_name_t *qname, dns_name_t *oname,
 	/*
 	 * Get the prefix of qname.
 	 */
-	namereln = dns_name_fullcompare(qname, oname, &order, &nlabels,
-					&nbits);
+	namereln = dns_name_fullcompare(qname, oname, &order, &nlabels);
 	if (namereln != dns_namereln_subdomain) {
 		dns_rdata_freestruct(&dname);
 		return (DNS_R_FORMERR);
 	}
 	dns_fixedname_init(&prefix);
-	result = dns_name_split(qname, nlabels, nbits,
-				dns_fixedname_name(&prefix), NULL);
-	if (result != ISC_R_SUCCESS) {
-		dns_rdata_freestruct(&dname);
-		return (result);
-	}
+	dns_name_split(qname, nlabels, dns_fixedname_name(&prefix), NULL); 
 	dns_fixedname_init(fixeddname);
 	result = dns_name_concatenate(dns_fixedname_name(&prefix),
 				      &dname.dname,
@@ -3610,14 +3977,25 @@ dname_target(dns_rdataset_t *rdataset, dns_name_t *qname, dns_name_t *oname,
 	return (result);
 }
 
+/*
+ * Handle a no-answer response (NXDOMAIN, NXRRSET, or referral).
+ * If bind8_ns_resp is ISC_TRUE, this is a suspected BIND 8
+ * response to an NS query that should be treated as a referral
+ * even though the NS records occur in the answer section
+ * rather than the authority section.
+ */
 static isc_result_t
-noanswer_response(fetchctx_t *fctx, dns_name_t *oqname) {
+noanswer_response(fetchctx_t *fctx, dns_name_t *oqname,
+		  isc_boolean_t bind8_ns_resp)
+{
 	isc_result_t result;
 	dns_message_t *message;
-	dns_name_t *name, *qname, *ns_name, *soa_name;
+	dns_name_t *name, *qname, *ns_name, *soa_name, *ds_name;
 	dns_rdataset_t *rdataset, *ns_rdataset;
 	isc_boolean_t done, aa, negative_response;
 	dns_rdatatype_t type;
+	dns_section_t section =
+		bind8_ns_resp ? DNS_SECTION_ANSWER : DNS_SECTION_AUTHORITY;
 
 	FCTXTRACE("noanswer_response");
 
@@ -3677,20 +4055,25 @@ noanswer_response(fetchctx_t *fctx, dns_name_t *oqname) {
 	ns_name = NULL;
 	ns_rdataset = NULL;
 	soa_name = NULL;
-	result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
+	ds_name = NULL;
+	result = dns_message_firstname(message, section);
 	while (!done && result == ISC_R_SUCCESS) {
 		name = NULL;
-		dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
+		dns_message_currentname(message, section, &name);
 		if (dns_name_issubdomain(name, &fctx->domain)) {
 			/*
-			 * Look for NS/SOA RRset first.
+			 * Look for NS RRset first.
 			 */
 			for (rdataset = ISC_LIST_HEAD(name->list);
 			     rdataset != NULL;
 			     rdataset = ISC_LIST_NEXT(rdataset, link)) {
 				type = rdataset->type;
-				if (type == dns_rdatatype_sig)
+				if (type == dns_rdatatype_rrsig)
 					type = rdataset->covers;
+				if (((type == dns_rdatatype_ns ||
+				      type == dns_rdatatype_soa) &&
+				     !dns_name_issubdomain(qname, name)))
+					return (DNS_R_FORMERR);
 				if (type == dns_rdatatype_ns) {
 					/*
 					 * NS or SIG NS.
@@ -3703,17 +4086,25 @@ noanswer_response(fetchctx_t *fctx, dns_name_t *oqname) {
 						    name != ns_name)
 							return (DNS_R_FORMERR);
 						ns_name = name;
+						ns_rdataset = rdataset;
 					}
 					name->attributes |=
 						DNS_NAMEATTR_CACHE;
 					rdataset->attributes |=
 						DNS_RDATASETATTR_CACHE;
 					rdataset->trust = dns_trust_glue;
-					ns_rdataset = rdataset;
 				}
-				if (type == dns_rdatatype_soa) {
+			}
+			for (rdataset = ISC_LIST_HEAD(name->list);
+			     rdataset != NULL;
+			     rdataset = ISC_LIST_NEXT(rdataset, link)) {
+				type = rdataset->type;
+				if (type == dns_rdatatype_rrsig)
+					type = rdataset->covers;
+				if (type == dns_rdatatype_soa ||
+				    type == dns_rdatatype_nsec) {
 					/*
-					 * SOA or SIG SOA.
+					 * SOA, RRSIG SOA, NSEC, or RRSIG NSEC.
 					 *
 					 * Only one SOA is allowed.
 					 */
@@ -3724,58 +4115,59 @@ noanswer_response(fetchctx_t *fctx, dns_name_t *oqname) {
 							return (DNS_R_FORMERR);
 						soa_name = name;
 					}
-					name->attributes |=
-						DNS_NAMEATTR_NCACHE;
-					rdataset->attributes |=
-						DNS_RDATASETATTR_NCACHE;
+					if (ns_name == NULL) {
+						negative_response = ISC_TRUE;
+						name->attributes |=
+							DNS_NAMEATTR_NCACHE;
+						rdataset->attributes |=
+							DNS_RDATASETATTR_NCACHE;
+					} else {
+						name->attributes |=
+							DNS_NAMEATTR_CACHE;
+						rdataset->attributes |=
+							DNS_RDATASETATTR_CACHE;
+					}
 					if (aa)
 						rdataset->trust =
 						    dns_trust_authauthority;
 					else
 						rdataset->trust =
 							dns_trust_additional;
-				}
-			}
-			/*
-			 * A negative response has a SOA record (Type 2) 
-			 * and a optional NS RRset (Type 1) or it has neither
-			 * a SOA or a NS RRset (Type 3, handled above) or
-			 * rcode is NXDOMAIN (handled above) in which case
-			 * the NS RRset is allowed (Type 4).
-			 */
-			if (soa_name != NULL)
-				negative_response = ISC_TRUE;
-			for (rdataset = ISC_LIST_HEAD(name->list);
-			     rdataset != NULL;
-			     rdataset = ISC_LIST_NEXT(rdataset, link)) {
-				type = rdataset->type;
-				if (type == dns_rdatatype_sig)
-					type = rdataset->covers;
-				if (type != dns_rdatatype_nxt)
-					continue;
-				/*
-				 * NXT or SIG NXT.
-				 */
-
-				if (negative_response) {
-					name->attributes |=
-						DNS_NAMEATTR_NCACHE;
-					rdataset->attributes |=
-						DNS_RDATASETATTR_NCACHE;
-				} else {
+					/*
+					 * No additional data needs to be
+					 * marked.
+					 */
+				} else if (type == dns_rdatatype_ds) {
+					/*
+					 * DS or SIG DS.
+					 *
+					 * These should only be here if
+					 * this is a referral, and there
+					 * should only be one DS.
+					 */
+					if (negative_response)
+						return (DNS_R_FORMERR);
+					if (rdataset->type ==
+					    dns_rdatatype_ds) {
+						if (ds_name != NULL &&
+						    name != ds_name)
+							return (DNS_R_FORMERR);
+						ds_name = name;
+					}
 					name->attributes |=
 						DNS_NAMEATTR_CACHE;
 					rdataset->attributes |=
 						DNS_RDATASETATTR_CACHE;
+					if (aa)
+						rdataset->trust =
+						    dns_trust_authauthority;
+					else
+						rdataset->trust =
+							dns_trust_additional;
 				}
-				if (aa)
-					rdataset->trust =
-					    dns_trust_authauthority;
-				else
-					rdataset->trust = dns_trust_additional;
 			}
 		}
-		result = dns_message_nextname(message, DNS_SECTION_AUTHORITY);
+		result = dns_message_nextname(message, section);
 		if (result == ISC_R_NOMORE)
 			break;
 		else if (result != ISC_R_SUCCESS)
@@ -3783,6 +4175,15 @@ noanswer_response(fetchctx_t *fctx, dns_name_t *oqname) {
 	}
 
 	/*
+	 * Trigger lookups for DNS nameservers.
+	 */
+	if (negative_response && message->rcode == dns_rcode_noerror &&
+	    fctx->type == dns_rdatatype_ds && soa_name != NULL &&
+	    dns_name_equal(soa_name, qname) &&
+	    !dns_name_equal(qname, dns_rootname))
+		return (DNS_R_CHASEDSSERVERS);
+
+	/*
 	 * Did we find anything?
 	 */
 	if (!negative_response && ns_name == NULL) {
@@ -3819,7 +4220,7 @@ noanswer_response(fetchctx_t *fctx, dns_name_t *oqname) {
 		 * We already know ns_name is a subdomain of fctx->domain.
 		 * If ns_name is equal to fctx->domain, we're not making
 		 * progress.  We return DNS_R_FORMERR so that we'll keep
-		 * keep trying other servers.
+		 * trying other servers.
 		 */
 		if (dns_name_equal(ns_name, &fctx->domain))
 			return (DNS_R_FORMERR);
@@ -3856,7 +4257,7 @@ noanswer_response(fetchctx_t *fctx, dns_name_t *oqname) {
 		 * Set the current query domain to the referral name.
 		 *
 		 * XXXRTH  We should check if we're in forward-only mode, and
-		 *         if so we should bail out.
+		 *	   if so we should bail out.
 		 */
 		INSIST(dns_name_countlabels(&fctx->domain) > 0);
 		dns_name_free(&fctx->domain, fctx->res->mctx);
@@ -3945,7 +4346,7 @@ answer_response(fetchctx_t *fctx) {
 					 */
 					found = ISC_TRUE;
 					aflag = DNS_RDATASETATTR_ANSWER;
-				} else if (rdataset->type == dns_rdatatype_sig
+				} else if (rdataset->type == dns_rdatatype_rrsig
 					   && rdataset->covers == type
 					   && !found_cname) {
 					/*
@@ -3965,9 +4366,9 @@ answer_response(fetchctx_t *fctx) {
 					 * Getting a CNAME response for some
 					 * query types is an error.
 					 */
-					if (type == dns_rdatatype_sig ||
-					    type == dns_rdatatype_key ||
-					    type == dns_rdatatype_nxt)
+					if (type == dns_rdatatype_rrsig ||
+					    type == dns_rdatatype_dnskey ||
+					    type == dns_rdatatype_nsec)
 						return (DNS_R_FORMERR);
 					found = ISC_TRUE;
 					found_cname = ISC_TRUE;
@@ -3977,7 +4378,7 @@ answer_response(fetchctx_t *fctx) {
 							      &tname);
 					if (result != ISC_R_SUCCESS)
 						return (result);
-				} else if (rdataset->type == dns_rdatatype_sig
+				} else if (rdataset->type == dns_rdatatype_rrsig
 					   && rdataset->covers ==
 					   dns_rdatatype_cname
 					   && !found_type) {
@@ -4108,7 +4509,7 @@ answer_response(fetchctx_t *fctx) {
 						return (result);
 					else
 						found_dname = ISC_TRUE;
-				} else if (rdataset->type == dns_rdatatype_sig
+				} else if (rdataset->type == dns_rdatatype_rrsig
 					   && rdataset->covers ==
 					   dns_rdatatype_dname) {
 					/*
@@ -4213,7 +4614,7 @@ answer_response(fetchctx_t *fctx) {
 		 * If it isn't a noanswer response, no harm will be
 		 * done.
 		 */
-		return (noanswer_response(fctx, qname));
+		return (noanswer_response(fctx, qname, ISC_FALSE));
 	}
 
 	/*
@@ -4244,7 +4645,7 @@ answer_response(fetchctx_t *fctx) {
 			     rdataset != NULL;
 			     rdataset = ISC_LIST_NEXT(rdataset, link)) {
 				if (rdataset->type == dns_rdatatype_ns ||
-				    (rdataset->type == dns_rdatatype_sig &&
+				    (rdataset->type == dns_rdatatype_rrsig &&
 				     rdataset->covers == dns_rdatatype_ns)) {
 					name->attributes |=
 						DNS_NAMEATTR_CACHE;
@@ -4265,14 +4666,9 @@ answer_response(fetchctx_t *fctx) {
 							rdataset,
 							check_related,
 							fctx);
+					done = ISC_TRUE;
 				}
 			}
-			/*
-			 * Since we've found a non-external name in the
-			 * authority section, we should stop looking, even
-			 * if we didn't find any NS or SIG NS.
-			 */
-			done = ISC_TRUE;
 		}
 		result = dns_message_nextname(message, DNS_SECTION_AUTHORITY);
 	}
@@ -4283,11 +4679,147 @@ answer_response(fetchctx_t *fctx) {
 }
 
 static void
-resquery_response(isc_task_t *task, isc_event_t *event) {
+resume_dslookup(isc_task_t *task, isc_event_t *event) {
+	dns_fetchevent_t *fevent;
+	dns_resolver_t *res;
+	fetchctx_t *fctx;
+	isc_result_t result;
+	isc_boolean_t bucket_empty = ISC_FALSE;
+	isc_boolean_t locked = ISC_FALSE;
+	unsigned int bucketnum;
+
+	REQUIRE(event->ev_type == DNS_EVENT_FETCHDONE);
+	fevent = (dns_fetchevent_t *)event;
+	fctx = event->ev_arg;
+	REQUIRE(VALID_FCTX(fctx));
+	res = fctx->res;
+
+	UNUSED(task);
+	FCTXTRACE("resume_dslookup");
+
+	if (fevent->node != NULL)
+		dns_db_detachnode(fevent->db, &fevent->node);
+	if (fevent->db != NULL)
+		dns_db_detach(&fevent->db);
+
+	dns_resolver_destroyfetch(&fctx->nsfetch);
+
+	bucketnum = fctx->bucketnum;
+	if (fevent->result == ISC_R_CANCELED)
+		fctx_done(fctx, ISC_R_CANCELED);
+	else if (fevent->result == ISC_R_SUCCESS) {
+
+		FCTXTRACE("resuming DS lookup");
+
+		if (dns_rdataset_isassociated(&fctx->nameservers))
+			dns_rdataset_disassociate(&fctx->nameservers);
+		dns_rdataset_clone(fevent->rdataset, &fctx->nameservers);
+		dns_name_free(&fctx->domain, fctx->res->mctx);
+		dns_name_init(&fctx->domain, NULL);
+		result = dns_name_dup(&fctx->nsname, fctx->res->mctx,
+				      &fctx->domain);
+		if (result != ISC_R_SUCCESS) {
+			fctx_done(fctx, DNS_R_SERVFAIL);
+			goto cleanup;
+		}
+		/*
+		 * Try again.
+		 */
+		fctx_try(fctx);
+	} else {
+		unsigned int n;
+
+		n = dns_name_countlabels(&fctx->nsname);
+		dns_name_getlabelsequence(&fctx->nsname, 1, n - 1,
+					  &fctx->nsname);
+
+		if (dns_name_equal(&fctx->nsname, &fctx->domain)) {
+			fctx_done(fctx, DNS_R_SERVFAIL);
+			goto cleanup;
+		}
+		if (dns_rdataset_isassociated(fevent->rdataset))
+			dns_rdataset_disassociate(fevent->rdataset);
+		FCTXTRACE("continuing to look for parent's NS records");
+		result = dns_resolver_createfetch(fctx->res, &fctx->nsname,
+						  dns_rdatatype_ns,
+						  &fctx->domain,
+						  &fctx->nameservers, NULL,
+						  0, task,
+						  resume_dslookup, fctx,
+						  &fctx->nsrrset, NULL,
+						  &fctx->nsfetch);
+		if (result != ISC_R_SUCCESS)
+			fctx_done(fctx, result);
+		else {
+			LOCK(&res->buckets[bucketnum].lock);
+			locked = ISC_TRUE;
+			fctx->references++;
+		}
+	}
+
+ cleanup:
+	if (dns_rdataset_isassociated(fevent->rdataset))
+		dns_rdataset_disassociate(fevent->rdataset);
+	INSIST(fevent->sigrdataset == NULL);
+	isc_event_free(&event);
+	if (!locked)
+		LOCK(&res->buckets[bucketnum].lock);
+	fctx->references--;
+	if (fctx->references == 0)
+		bucket_empty = fctx_destroy(fctx);
+	UNLOCK(&res->buckets[bucketnum].lock);
+	if (bucket_empty)
+		empty_bucket(res);
+}
+
+static inline void
+checknamessection(dns_message_t *message, dns_section_t section) {
 	isc_result_t result;
+	dns_name_t *name;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdataset_t *rdataset;
+	
+	for (result = dns_message_firstname(message, section);
+	     result == ISC_R_SUCCESS;
+	     result = dns_message_nextname(message, section))
+	{
+		name = NULL;
+		dns_message_currentname(message, section, &name);
+		for (rdataset = ISC_LIST_HEAD(name->list);
+		     rdataset != NULL;
+		     rdataset = ISC_LIST_NEXT(rdataset, link)) {
+			for (result = dns_rdataset_first(rdataset);
+			     result == ISC_R_SUCCESS;
+			     result = dns_rdataset_next(rdataset)) {
+				dns_rdataset_current(rdataset, &rdata);
+				if (!dns_rdata_checkowner(name, rdata.rdclass,
+							  rdata.type,
+							  ISC_FALSE) ||
+				    !dns_rdata_checknames(&rdata, name, NULL))
+				{
+					rdataset->attributes |= 
+						DNS_RDATASETATTR_CHECKNAMES;
+				}
+				dns_rdata_reset(&rdata);
+			}
+		}
+	}
+}
+
+static void
+checknames(dns_message_t *message) {
+
+	checknamessection(message, DNS_SECTION_ANSWER);
+	checknamessection(message, DNS_SECTION_AUTHORITY);
+	checknamessection(message, DNS_SECTION_ADDITIONAL);
+}
+
+static void
+resquery_response(isc_task_t *task, isc_event_t *event) {
+	isc_result_t result = ISC_R_SUCCESS;
 	resquery_t *query = event->ev_arg;
 	dns_dispatchevent_t *devent = (dns_dispatchevent_t *)event;
-	isc_boolean_t keep_trying, broken_server, get_nameservers, resend;
+	isc_boolean_t keep_trying, get_nameservers, resend;
 	isc_boolean_t truncated;
 	dns_message_t *message;
 	fetchctx_t *fctx;
@@ -4297,6 +4829,8 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 	isc_time_t tnow, *finish;
 	dns_adbaddrinfo_t *addrinfo;
 	unsigned int options;
+	unsigned int findoptions;
+	isc_result_t broken_server;
 
 	REQUIRE(VALID_QUERY(query));
 	fctx = query->fctx;
@@ -4304,13 +4838,12 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 	REQUIRE(VALID_FCTX(fctx));
 	REQUIRE(event->ev_type == DNS_EVENT_DISPATCH);
 
-	UNUSED(task);
 	QTRACE("response");
 
 	(void)isc_timer_touch(fctx->timer);
 
 	keep_trying = ISC_FALSE;
-	broken_server = ISC_FALSE;
+	broken_server = ISC_R_SUCCESS;
 	get_nameservers = ISC_FALSE;
 	resend = ISC_FALSE;
 	truncated = ISC_FALSE;
@@ -4325,12 +4858,10 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 
 	/*
 	 * XXXRTH  We should really get the current time just once.  We
-	 *         need a routine to convert from an isc_time_t to an
+	 *	   need a routine to convert from an isc_time_t to an
 	 *	   isc_stdtime_t.
 	 */
-	result = isc_time_now(&tnow);
-	if (result != ISC_R_SUCCESS)
-		goto done;
+	TIME_NOW(&tnow);
 	finish = &tnow;
 	isc_stdtime_get(&now);
 
@@ -4411,7 +4942,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 							DNS_FETCHOPT_NOEDNS0,
 							DNS_FETCHOPT_NOEDNS0);
 				} else {
-					broken_server = ISC_TRUE;
+					broken_server = result;
 					keep_trying = ISC_TRUE;
 				}
 				goto done;
@@ -4439,7 +4970,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 						    DNS_FETCHOPT_NOEDNS0,
 						    DNS_FETCHOPT_NOEDNS0);
 			} else {
-				broken_server = ISC_TRUE;
+				broken_server = DNS_R_UNEXPECTEDRCODE;
 				keep_trying = ISC_TRUE;
 			}
 			goto done;
@@ -4480,7 +5011,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 
 	if (truncated) {
 		if ((options & DNS_FETCHOPT_TCP) != 0) {
-			broken_server = ISC_TRUE;
+			broken_server = DNS_R_TRUNCATEDTCP;
 			keep_trying = ISC_TRUE;
 		} else {
 			options |= DNS_FETCHOPT_TCP;
@@ -4494,7 +5025,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 	 */
 	if (message->opcode != dns_opcode_query) {
 		/* XXXRTH Log */
-		broken_server = ISC_TRUE;
+		broken_server = DNS_R_UNEXPECTEDOPCODE;
 		keep_trying = ISC_TRUE;
 		goto done;
 	}
@@ -4512,8 +5043,8 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 			 * It's very likely they don't like EDNS0.
 			 *
 			 * XXXRTH  We should check if the question
-			 *         we're asking requires EDNS0, and
-			 *         if so, we should bail out.
+			 *	   we're asking requires EDNS0, and
+			 *	   if so, we should bail out.
 			 */
 			options |= DNS_FETCHOPT_NOEDNS0;
 			resend = ISC_TRUE;
@@ -4530,7 +5061,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 				 * This forwarder doesn't understand us,
 				 * but other forwarders might.  Keep trying.
 				 */
-				broken_server = ISC_TRUE;
+				broken_server = DNS_R_REMOTEFORMERR;
 				keep_trying = ISC_TRUE;
 			} else {
 				/*
@@ -4554,7 +5085,8 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 			/*
 			 * XXXRTH log.
 			 */
-			broken_server = ISC_TRUE;
+			broken_server = DNS_R_UNEXPECTEDRCODE;
+			INSIST(broken_server != ISC_R_SUCCESS);
 			keep_trying = ISC_TRUE;
 		}
 		goto done;
@@ -4577,9 +5109,15 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 	if (fctx->res->lame_ttl != 0 && !ISFORWARDER(query->addrinfo) &&
 	    is_lame(fctx)) {
 		log_lame(fctx, query->addrinfo);
-		dns_adb_marklame(fctx->adb, query->addrinfo,
-				 &fctx->domain, now + fctx->res->lame_ttl);
-		broken_server = ISC_TRUE;
+		result = dns_adb_marklame(fctx->adb, query->addrinfo,
+					  &fctx->domain,
+					  now + fctx->res->lame_ttl);
+		if (result != ISC_R_SUCCESS)
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+				      DNS_LOGMODULE_RESOLVER, ISC_LOG_ERROR,
+				      "could not mark server as lame: %s",
+				      isc_result_totext(result));
+		broken_server = DNS_R_LAME;
 		keep_trying = ISC_TRUE;
 		goto done;
 	}
@@ -4612,10 +5150,8 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 			     domainbuf, namebuf, typebuf, classbuf, addrbuf);
 	}
 
-	/*
-	 * Clear cache bits.
-	 */
-	fctx->attributes &= ~(FCTX_ATTR_WANTNCACHE | FCTX_ATTR_WANTCACHE);
+	if ((fctx->res->options | DNS_RESOLVER_CHECKNAMES) != 0)
+		checknames(message);
 
 	/*
 	 * Did we get any answers?
@@ -4624,8 +5160,35 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 	    (message->rcode == dns_rcode_noerror ||
 	     message->rcode == dns_rcode_nxdomain)) {
 		/*
-		 * We've got answers.
+		 * We've got answers.  However, if we sent
+		 * a BIND 8 server an NS query, it may have
+		 * incorrectly responded with a non-authoritative
+		 * answer instead of a referral.  Since this
+		 * answer lacks the SIGs necessary to do DNSSEC
+		 * validation, we must invoke the following special
+		 * kludge to treat it as a referral.
 		 */
+		if (fctx->type == dns_rdatatype_ns &&
+		    (message->flags & DNS_MESSAGEFLAG_AA) == 0 &&
+		    !ISFORWARDER(query->addrinfo))
+		{
+			result = noanswer_response(fctx, NULL, ISC_TRUE);
+			if (result != DNS_R_DELEGATION) {
+				/*
+				 * The answer section must have contained
+				 * something other than the NS records
+				 * we asked for.  Since AA is not set
+				 * and the server is not a forwarder,
+				 * it is technically lame and it's easier
+				 * to treat it as such than to figure out
+				 * some more elaborate course of action.
+				 */
+				broken_server = DNS_R_LAME;
+				keep_trying = ISC_TRUE;
+				goto done;
+			}
+			goto force_referral;
+		}
 		result = answer_response(fctx);
 		if (result != ISC_R_SUCCESS) {
 			if (result == DNS_R_FORMERR)
@@ -4638,8 +5201,10 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 		/*
 		 * NXDOMAIN, NXRDATASET, or referral.
 		 */
-		result = noanswer_response(fctx, NULL);
-		if (result == DNS_R_DELEGATION) {
+		result = noanswer_response(fctx, NULL, ISC_FALSE);
+		if (result == DNS_R_CHASEDSSERVERS) {
+		} else if (result == DNS_R_DELEGATION) {
+		force_referral:
 			/*
 			 * We don't have the answer, but we know a better
 			 * place to look.
@@ -4665,13 +5230,13 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 		 * The server is insane.
 		 */
 		/* XXXRTH Log */
-		broken_server = ISC_TRUE;
+		broken_server = DNS_R_UNEXPECTEDRCODE;
 		keep_trying = ISC_TRUE;
 		goto done;
 	}
 
 	/*
-	 * Follow A6 and other additional section data chains.
+	 * Follow additional section data chains.
 	 */
 	chase_additional(fctx);
 
@@ -4718,13 +5283,13 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 
 	if (keep_trying) {
 		if (result == DNS_R_FORMERR)
-			broken_server = ISC_TRUE;
-		if (broken_server) {
+			broken_server = DNS_R_FORMERR;
+		if (broken_server != ISC_R_SUCCESS) {
 			/*
 			 * Add this server to the list of bad servers for
 			 * this fctx.
 			 */
-			add_bad(fctx, &addrinfo->sockaddr);
+			add_bad(fctx, &addrinfo->sockaddr, broken_server);
 		}
 
 		if (get_nameservers) {
@@ -4735,6 +5300,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 				fctx_done(fctx, DNS_R_SERVFAIL);
 				return;
 			}
+			findoptions = 0;
 			if ((options & DNS_FETCHOPT_UNSHARED) == 0)
 				name = &fctx->name;
 			else
@@ -4768,7 +5334,9 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 			}
 			fctx_cancelqueries(fctx, ISC_TRUE);
 			fctx_cleanupfinds(fctx);
+			fctx_cleanupaltfinds(fctx);
 			fctx_cleanupforwaddrs(fctx);
+			fctx_cleanupaltaddrs(fctx);
 		}
 		/*
 		 * Try again.
@@ -4796,6 +5364,32 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 		result = fctx_stopidletimer(fctx);
 		if (result != ISC_R_SUCCESS)
 			fctx_done(fctx, result);
+	} else if (result == DNS_R_CHASEDSSERVERS) {
+		unsigned int n;
+		add_bad(fctx, &addrinfo->sockaddr, result);
+		fctx_cancelqueries(fctx, ISC_TRUE);
+		fctx_cleanupfinds(fctx);
+		fctx_cleanupforwaddrs(fctx);
+
+		n = dns_name_countlabels(&fctx->name);
+		dns_name_getlabelsequence(&fctx->name, 1, n - 1, &fctx->nsname);
+
+		FCTXTRACE("suspending DS lookup to find parent's NS records");
+
+		result = dns_resolver_createfetch(fctx->res, &fctx->nsname,
+						  dns_rdatatype_ns,
+						  NULL, NULL, NULL, 0, task,
+						  resume_dslookup, fctx,
+						  &fctx->nsrrset, NULL,
+						  &fctx->nsfetch);
+		if (result != ISC_R_SUCCESS)
+			fctx_done(fctx, result);
+		LOCK(&fctx->res->buckets[fctx->bucketnum].lock);
+		fctx->references++;
+		UNLOCK(&fctx->res->buckets[fctx->bucketnum].lock);
+		result = fctx_stopidletimer(fctx);
+		if (result != ISC_R_SUCCESS)
+			fctx_done(fctx, result);
 	} else {
 		/*
 		 * We're done.
@@ -4812,6 +5406,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 static void
 destroy(dns_resolver_t *res) {
 	unsigned int i;
+	alternate_t *a;
 
 	REQUIRE(res->references == 0);
 	REQUIRE(!res->priming);
@@ -4819,7 +5414,10 @@ destroy(dns_resolver_t *res) {
 
 	RTRACE("destroy");
 
+	INSIST(res->nfctx == 0);
+
 	DESTROYLOCK(&res->primelock);
+	DESTROYLOCK(&res->nlock);
 	DESTROYLOCK(&res->lock);
 	for (i = 0; i < res->nbuckets; i++) {
 		INSIST(ISC_LIST_EMPTY(res->buckets[i].fctxs));
@@ -4828,13 +5426,20 @@ destroy(dns_resolver_t *res) {
 		DESTROYLOCK(&res->buckets[i].lock);
 	}
 	isc_mem_put(res->mctx, res->buckets,
-		    res->nbuckets * sizeof (fctxbucket_t));
+		    res->nbuckets * sizeof(fctxbucket_t));
 	if (res->dispatchv4 != NULL)
 		dns_dispatch_detach(&res->dispatchv4);
 	if (res->dispatchv6 != NULL)
 		dns_dispatch_detach(&res->dispatchv6);
+	while ((a = ISC_LIST_HEAD(res->alternates)) != NULL) {
+		ISC_LIST_UNLINK(res->alternates, a, link);
+		if (!a->isaddress)
+			dns_name_free(&a->_u._n.name, res->mctx);
+		isc_mem_put(res->mctx, a, sizeof(*a));
+	}
+	dns_resolver_reset_algorithms(res);
 	res->magic = 0;
-	isc_mem_put(res->mctx, res, sizeof *res);
+	isc_mem_put(res->mctx, res, sizeof(*res));
 }
 
 static void
@@ -4897,7 +5502,7 @@ dns_resolver_create(dns_view_t *view,
 	REQUIRE(dispatchmgr != NULL);
 	REQUIRE(dispatchv4 != NULL || dispatchv6 != NULL);
 
-	res = isc_mem_get(view->mctx, sizeof *res);
+	res = isc_mem_get(view->mctx, sizeof(*res));
 	if (res == NULL)
 		return (ISC_R_NOMEMORY);
 	RTRACE("create");
@@ -4910,11 +5515,14 @@ dns_resolver_create(dns_view_t *view,
 	res->view = view;
 	res->options = options;
 	res->lame_ttl = 0;
+	ISC_LIST_INIT(res->alternates);
+	res->udpsize = RECV_BUFFER_SIZE;
+	res->algorithms = NULL;
 
 	res->nbuckets = ntasks;
 	res->activebuckets = ntasks;
 	res->buckets = isc_mem_get(view->mctx,
-				   ntasks * sizeof (fctxbucket_t));
+				   ntasks * sizeof(fctxbucket_t));
 	if (res->buckets == NULL) {
 		result = ISC_R_NOMEMORY;
 		goto cleanup_res;
@@ -4929,7 +5537,7 @@ dns_resolver_create(dns_view_t *view,
 			DESTROYLOCK(&res->buckets[i].lock);
 			goto cleanup_buckets;
 		}
-		sprintf(name, "res%u", i);
+		snprintf(name, sizeof(name), "res%u", i);
 		isc_task_setname(res->buckets[i].task, name, res);
 		ISC_LIST_INIT(res->buckets[i].fctxs);
 		res->buckets[i].exiting = ISC_FALSE;
@@ -4949,21 +5557,40 @@ dns_resolver_create(dns_view_t *view,
 	ISC_LIST_INIT(res->whenshutdown);
 	res->priming = ISC_FALSE;
 	res->primefetch = NULL;
+	res->nfctx = 0;
 
 	result = isc_mutex_init(&res->lock);
 	if (result != ISC_R_SUCCESS)
 		goto cleanup_dispatches;
 
-	result = isc_mutex_init(&res->primelock);
+	result = isc_mutex_init(&res->nlock);
 	if (result != ISC_R_SUCCESS)
 		goto cleanup_lock;
 
+	result = isc_mutex_init(&res->primelock);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_nlock;
+
+#if USE_ALGLOCK
+	result = isc_rwlock_init(&res->alglock, 0, 0);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_primelock;
+#endif
+
 	res->magic = RES_MAGIC;
 
 	*resp = res;
 
 	return (ISC_R_SUCCESS);
 
+#if USE_ALGLOCK
+ cleanup_primelock:
+	DESTROYLOCK(&res->nlock);
+#endif
+
+ cleanup_nlock:
+	DESTROYLOCK(&res->nlock);
+
  cleanup_lock:
 	DESTROYLOCK(&res->lock);
 
@@ -4980,10 +5607,10 @@ dns_resolver_create(dns_view_t *view,
 		isc_task_detach(&res->buckets[i].task);
 	}
 	isc_mem_put(view->mctx, res->buckets,
-		    res->nbuckets * sizeof (fctxbucket_t));
+		    res->nbuckets * sizeof(fctxbucket_t));
 
  cleanup_res:
-	isc_mem_put(view->mctx, res, sizeof *res);
+	isc_mem_put(view->mctx, res, sizeof(*res));
 
 	return (result);
 }
@@ -5020,7 +5647,7 @@ prime_done(isc_task_t *task, isc_event_t *event) {
 		dns_rdataset_disassociate(fevent->rdataset);
 	INSIST(fevent->sigrdataset == NULL);
 
-	isc_mem_put(res->mctx, fevent->rdataset, sizeof *fevent->rdataset);
+	isc_mem_put(res->mctx, fevent->rdataset, sizeof(*fevent->rdataset));
 
 	isc_event_free(&event);
 	dns_resolver_destroyfetch(&fetch);
@@ -5058,7 +5685,7 @@ dns_resolver_prime(dns_resolver_t *res) {
 		 * do nothing.
 		 */
 		RTRACE("priming");
-		rdataset = isc_mem_get(res->mctx, sizeof *rdataset);
+		rdataset = isc_mem_get(res->mctx, sizeof(*rdataset));
 		if (rdataset == NULL) {
 			LOCK(&res->lock);
 			INSIST(res->priming);
@@ -5286,7 +5913,7 @@ dns_resolver_createfetch(dns_resolver_t *res, dns_name_t *name,
 	/*
 	 * XXXRTH  use a mempool?
 	 */
-	fetch = isc_mem_get(res->mctx, sizeof *fetch);
+	fetch = isc_mem_get(res->mctx, sizeof(*fetch));
 	if (fetch == NULL)
 		return (ISC_R_NOMEMORY);
 
@@ -5355,7 +5982,7 @@ dns_resolver_createfetch(dns_resolver_t *res, dns_name_t *name,
 		FTRACE("created");
 		*fetchp = fetch;
 	} else
-		isc_mem_put(res->mctx, fetch, sizeof *fetch);
+		isc_mem_put(res->mctx, fetch, sizeof(*fetch));
 
 	return (result);
 }
@@ -5397,7 +6024,7 @@ dns_resolver_cancelfetch(dns_fetch_t *fetch) {
 		etask = event->ev_sender;
 		event->ev_sender = fctx;
 		event->result = ISC_R_CANCELED;
-		isc_task_sendanddetach(&etask, ISC_EVENT_PTR(&event));
+		isc_task_sendanddetach(&etask, (isc_event_t **) (void *)&event);
 	}
 	/*
 	 * The fctx continues running even if no fetches remain;
@@ -5465,7 +6092,7 @@ dns_resolver_destroyfetch(dns_fetch_t **fetchp) {
 
 	UNLOCK(&res->buckets[bucketnum].lock);
 
-	isc_mem_put(res->mctx, fetch, sizeof *fetch);
+	isc_mem_put(res->mctx, fetch, sizeof(*fetch));
 	*fetchp = NULL;
 
 	if (bucket_empty)
@@ -5513,3 +6140,171 @@ dns_resolver_setlamettl(dns_resolver_t *resolver, isc_uint32_t lame_ttl) {
 	REQUIRE(VALID_RESOLVER(resolver));
 	resolver->lame_ttl = lame_ttl;
 }
+
+unsigned int
+dns_resolver_nrunning(dns_resolver_t *resolver) {
+	unsigned int n;
+	LOCK(&resolver->nlock);
+	n = resolver->nfctx;
+	UNLOCK(&resolver->nlock);
+	return (n);
+}
+
+isc_result_t
+dns_resolver_addalternate(dns_resolver_t *resolver, isc_sockaddr_t *alt,
+			  dns_name_t *name, in_port_t port) {
+	alternate_t *a;
+	isc_result_t result;
+
+	REQUIRE(VALID_RESOLVER(resolver));
+	REQUIRE(!resolver->frozen);
+	REQUIRE((alt == NULL) ^ (name == NULL));
+
+	a = isc_mem_get(resolver->mctx, sizeof(*a));
+	if (a == NULL)
+		return (ISC_R_NOMEMORY);
+	if (alt != NULL) {
+		a->isaddress = ISC_TRUE;
+		a->_u.addr = *alt;
+	} else {
+		a->isaddress = ISC_FALSE;
+		a->_u._n.port = port;
+		dns_name_init(&a->_u._n.name, NULL);
+		result = dns_name_dup(name, resolver->mctx, &a->_u._n.name);
+		if (result != ISC_R_SUCCESS) {
+			isc_mem_put(resolver->mctx, a, sizeof(*a));
+			return (result);
+		}
+	}
+	ISC_LINK_INIT(a, link);
+	ISC_LIST_APPEND(resolver->alternates, a, link);
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_resolver_setudpsize(dns_resolver_t *resolver, isc_uint16_t udpsize) {
+	REQUIRE(VALID_RESOLVER(resolver));
+	resolver->udpsize = udpsize;
+}
+
+isc_uint16_t
+dns_resolver_getudpsize(dns_resolver_t *resolver) {
+	REQUIRE(VALID_RESOLVER(resolver));
+	return (resolver->udpsize);
+}
+
+static void
+free_algorithm(void *node, void *arg) {
+	unsigned char *algorithms = node;
+	isc_mem_t *mctx = arg;
+
+	isc_mem_put(mctx, algorithms, *algorithms);
+}
+ 
+void
+dns_resolver_reset_algorithms(dns_resolver_t *resolver) {
+
+	REQUIRE(VALID_RESOLVER(resolver));
+
+#if USE_ALGLOCK
+	RWLOCK(&resolver->alglock, isc_rwlocktype_write);
+#endif
+	if (resolver->algorithms != NULL)
+		dns_rbt_destroy(&resolver->algorithms);
+#if USE_ALGLOCK
+	RWUNLOCK(&resolver->alglock, isc_rwlocktype_write);
+#endif
+}
+
+isc_result_t
+dns_resolver_disable_algorithm(dns_resolver_t *resolver, dns_name_t *name,
+			       unsigned int alg)
+{
+	unsigned int len, mask;
+	unsigned char *new;
+	unsigned char *algorithms;
+	isc_result_t result;
+	dns_rbtnode_t *node = NULL;
+
+	REQUIRE(VALID_RESOLVER(resolver));
+	if (alg > 255)
+		return (ISC_R_RANGE);
+
+#if USE_ALGLOCK
+	RWLOCK(&resolver->alglock, isc_rwlocktype_write);
+#endif
+	if (resolver->algorithms == NULL) {
+		result = dns_rbt_create(resolver->mctx, free_algorithm,
+					resolver->mctx, &resolver->algorithms);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup;
+	}
+
+	len = alg/8 + 2;
+	mask = 1 << (alg%8);
+
+	result = dns_rbt_addnode(resolver->algorithms, name, &node);
+	
+	if (result == ISC_R_SUCCESS || result == ISC_R_EXISTS) {
+		algorithms = node->data;
+		if (algorithms == NULL || len > *algorithms) {
+			new = isc_mem_get(resolver->mctx, len);
+			if (new == NULL) {
+				result = ISC_R_NOMEMORY;
+				goto cleanup;
+			}
+			memset(new, 0, len);
+			if (algorithms != NULL)
+				memcpy(new, algorithms, *algorithms);
+			new[len-1] |= mask;
+			*new = len;
+			node->data = new;
+			if (algorithms != NULL)
+				isc_mem_put(resolver->mctx, algorithms, 
+					    *algorithms);
+		} else
+			algorithms[len-1] |= mask;
+	}
+	result = ISC_R_SUCCESS;
+ cleanup:
+#if USE_ALGLOCK
+	RWUNLOCK(&resolver->alglock, isc_rwlocktype_write);
+#endif
+	return (result);
+}
+
+isc_boolean_t
+dns_resolver_algorithm_supported(dns_resolver_t *resolver, dns_name_t *name,
+				 unsigned int alg)
+{
+	unsigned int len, mask;
+	unsigned char *algorithms;
+	void *data = NULL;
+	isc_result_t result;
+	isc_boolean_t found = ISC_FALSE;
+
+	REQUIRE(VALID_RESOLVER(resolver));
+
+	if (resolver->algorithms == NULL)
+		return (dst_algorithm_supported(alg));
+	
+#if USE_ALGLOCK
+	RWLOCK(&resolver->alglock, isc_rwlocktype_read)
+#endif
+	result = dns_rbt_findname(resolver->algorithms, name,
+				  DNS_RBTFIND_NOEXACT, NULL, &data);
+	if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
+		len = alg/8 + 2;
+		mask = 1 << (alg%8);
+		algorithms = data;
+		if (len <= *algorithms && (algorithms[len-1] & mask) != 0)
+			found = ISC_TRUE;
+	}
+#if USE_ALGLOCK
+	RWUNLOCK(&resolver->alglock, isc_rwlocktype_read)
+#endif
+	if (found)
+		return (ISC_FALSE);
+	return (dst_algorithm_supported(alg));
+}
diff --git a/lib/dns/result.c b/lib/dns/result.c
index ec17c248..a741e765 100644
--- a/lib/dns/result.c
+++ b/lib/dns/result.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: result.c,v 1.90.2.12 2004/04/06 01:38:47 marka Exp $ */
+/* $Id: result.c,v 1.90.2.9.2.11 2004/03/22 01:52:22 marka Exp $ */
 
 #include <config.h>
 
@@ -28,6 +28,10 @@
 static const char *text[DNS_R_NRESULTS] = {
 	"label too long",		       /*  0 DNS_R_LABELTOOLONG	     */
 	"bad escape",			       /*  1 DNS_R_BADESCAPE	     */
+	/*
+	 * Note that DNS_R_BADBITSTRING and DNS_R_BITSTRINGTOOLONG are
+	 * deprecated.
+	 */
 	"bad bitstring",		       /*  2 DNS_R_BADBITSTRING	     */
 	"bitstring too long",		       /*  3 DNS_R_BITSTRINGTOOLONG  */
 	"empty label",			       /*  4 DNS_R_EMPTYLABEL	     */
@@ -74,9 +78,9 @@ static const char *text[DNS_R_NRESULTS] = {
 	"tsig verify failure",		       /* 38 DNS_R_TSIGVERIFYFAILURE */
 	"tsig indicates error",		       /* 39 DNS_R_TSIGERRORSET	     */
 
-	"SIG failed to verify",		       /* 40 DNS_R_SIGINVALID	     */
-	"SIG has expired",		       /* 41 DNS_R_SIGEXPIRED	     */
-	"SIG validity period has not begun",   /* 42 DNS_R_SIGFUTURE	     */
+	"RRSIG failed to verify",	       /* 40 DNS_R_SIGINVALID	     */
+	"RRSIG has expired",		       /* 41 DNS_R_SIGEXPIRED	     */
+	"RRSIG validity period has not begun", /* 42 DNS_R_SIGFUTURE	     */
 	"key is unauthorized to sign data",    /* 43 DNS_R_KEYUNAUTHORIZED   */
 	"invalid time",			       /* 44 DNS_R_INVALIDTIME	     */
 
@@ -96,9 +100,9 @@ static const char *text[DNS_R_NRESULTS] = {
 	"no journal",			       /* 56 DNS_R_NOJOURNAL	     */
 	"alias",			       /* 57 DNS_R_ALIAS	     */
 	"use TCP",			       /* 58 DNS_R_USETCP	     */
-	"no valid SIG",			       /* 59 DNS_R_NOVALIDSIG	     */
+	"no valid RRSIG",		       /* 59 DNS_R_NOVALIDSIG	     */
 
-	"no valid NXT",			       /* 60 DNS_R_NOVALIDNXT	     */
+	"no valid NSEC",		       /* 60 DNS_R_NOVALIDNSEC	     */
 	"not insecure",			       /* 61 DNS_R_NOTINSECURE	     */
 	"unknown service",		       /* 62 DNS_R_UNKNOWNSERVICE    */
 	"recoverable error occurred",	       /* 63 DNS_R_RECOVERABLE       */
@@ -119,32 +123,32 @@ static const char *text[DNS_R_NRESULTS] = {
 	"unknown protocol",		       /* 75 DNS_R_UNKNOWNPROTO	     */
 	"clocks are unsynchronized",	       /* 76 DNS_R_CLOCKSKEW	     */
 	"IXFR failed",			       /* 77 DNS_R_BADIXFR	     */
-	"<unused 78>",			       /* 78 unused		     */
-	"no valid KEY",			       /* 79 DNS_R_NOVALIDKEY	     */
+	"not authoritative",		       /* 78 DNS_R_NOTAUTHORITATIVE  */
+	"no valid KEY",		       	       /* 79 DNS_R_NOVALIDKEY	     */
 
 	"obsolete",			       /* 80 DNS_R_OBSOLETE	     */
 	"already frozen",		       /* 81 DNS_R_FROZEN	     */
 	"unknown flag",			       /* 82 DNS_R_UNKNOWNFLAG	     */
 	"expected a response",		       /* 83 DNS_R_EXPECTEDRESPONSE  */
-	"<unused 84>",
-
-	"<unused 85>",
-	"<unused 86>",
-	"<unused 87>",
-	"<unused 88>",
-	"<unused 89>",
-
-	"<unused 90>",
-	"<unused 91>",
-	"empty name",				/* 92 DNS_R_EMPTYNAME	     */
-	"empty wild",				/* 93 DNS_R_EMPTYWILD	     */
-	"bad bitmap",				/* 94 DNS_R_BADBITMAP	     */
-
-	"from wildcard",			/* 95 DNS_R_FROMWILDCARD     */
-	"bad owner name (check-names)",		/* 96 DNS_R_BADOWNERNAME     */
-	"bad name (check-names)",		/* 97 DNS_R_BADNAME	     */
-	"dynamic zone",				/* 98 DNS_R_DYNAMIC	     */
-	"unknown command"			/* 99 DNS_R_UNKNOWNCOMMAND   */
+	"no valid DS",			       /* 84 DNS_R_NOVALIDDS	     */
+
+	"NS is an address",		       /* 85 DNS_R_NSISADDRESS	     */
+	"received FORMERR",		       /* 86 DNS_R_REMOTEFORMERR     */
+	"truncated TCP response",	       /* 87 DNS_R_TRUNCATEDTCP	     */
+	"lame server detected",		       /* 88 DNS_R_LAME		     */
+	"unexpected RCODE",		       /* 89 DNS_R_UNEXPECTEDRCODE   */
+
+	"unexpected OPCODE",		       /* 90 DNS_R_UNEXPECTEDOPCODE  */
+	"chase DS servers",		       /* 91 DNS_R_CHASEDSSERVERS    */
+	"empty name",			       /* 92 DNS_R_EMPTYNAME	     */
+	"empty wild",			       /* 93 DNS_R_EMPTYWILD	     */
+	"bad bitmap",			       /* 94 DNS_R_BADBITMAP	     */
+
+	"from wildcard",		       /* 95 DNS_R_FROMWILDCARD	     */
+	"bad owner name (check-names)",	       /* 96 DNS_R_BADOWNERNAME	     */
+	"bad name (check-names)",	       /* 97 DNS_R_BADNAME	     */
+	"dynamic zone",			       /* 98 DNS_R_DYNAMIC	     */
+	"unknown command"		       /* 99 DNS_R_UNKNOWNCOMMAND    */
 };
 
 static const char *rcode_text[DNS_R_NRCODERESULTS] = {
@@ -232,14 +236,14 @@ dns_result_torcode(isc_result_t result) {
 	case ISC_R_RANGE:
 	case ISC_R_UNEXPECTEDEND:
 	case DNS_R_BADAAAA:
-	case DNS_R_BADBITSTRING:
+	/* case DNS_R_BADBITSTRING: deprecated */
 	case DNS_R_BADCKSUM:
 	case DNS_R_BADCLASS:
 	case DNS_R_BADLABELTYPE:
 	case DNS_R_BADPOINTER:
 	case DNS_R_BADTTL:
 	case DNS_R_BADZONE:
-	case DNS_R_BITSTRINGTOOLONG:
+	/* case DNS_R_BITSTRINGTOOLONG: deprecated */
 	case DNS_R_EXTRADATA:
 	case DNS_R_LABELTOOLONG:
 	case DNS_R_NOREDATA:
diff --git a/lib/dns/rootns.c b/lib/dns/rootns.c
index 4aae1f22..9e9c9409 100644
--- a/lib/dns/rootns.c
+++ b/lib/dns/rootns.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
+ * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rootns.c,v 1.20.2.5 2004/03/09 06:11:07 marka Exp $ */
+/* $Id: rootns.c,v 1.20.2.3.2.5 2004/03/08 09:04:32 marka Exp $ */
 
 #include <config.h>
 
@@ -107,7 +107,6 @@ check_node(dns_rdataset_t *rootns, dns_name_t *name,
 		switch (rdataset.type) {
 		case dns_rdatatype_a:
 		case dns_rdatatype_aaaa:
-		case dns_rdatatype_a6:
 			result = in_rootns(rootns, name);
 			if (result != ISC_R_SUCCESS)
 				goto cleanup;
@@ -215,14 +214,16 @@ dns_rootns_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
 		 * Load the hints from the specified filename.
 		 */
 		result = dns_master_loadfile(filename, &db->origin,
-					     &db->origin, db->rdclass, 0,
+					     &db->origin, db->rdclass,
+					     DNS_MASTER_HINT,
 					     &callbacks, db->mctx);
 	} else if (rdclass == dns_rdataclass_in) {
 		/*
 		 * Default to using the Internet root servers.
 		 */
 		result = dns_master_loadbuffer(&source, &db->origin,
-					       &db->origin, db->rdclass, 0,
+					       &db->origin, db->rdclass, 
+					       DNS_MASTER_HINT,
 					       &callbacks, db->mctx);
 	} else
 		result = ISC_R_NOTFOUND;
diff --git a/lib/dns/sdb.c b/lib/dns/sdb.c
index 32941823..56a8c51d 100644
--- a/lib/dns/sdb.c
+++ b/lib/dns/sdb.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sdb.c,v 1.35.2.8 2006/12/07 23:57:55 marka Exp $ */
+/* $Id: sdb.c,v 1.35.12.7 2004/03/08 21:06:27 marka Exp $ */
 
 #include <config.h>
 
@@ -267,8 +267,7 @@ dns_sdb_unregister(dns_sdbimplementation_t **sdbimp) {
 }
 
 static inline unsigned int
-initial_size(const char *data) {
-	unsigned int len = strlen(data);
+initial_size(unsigned int len) {
 	unsigned int size;
 	for (size = 64; size < (64 * 1024); size *= 2)
 		if (len < size)
@@ -277,34 +276,18 @@ initial_size(const char *data) {
 }
 
 isc_result_t
-dns_sdb_putrr(dns_sdblookup_t *lookup, const char *type, dns_ttl_t ttl,
-	      const char *data)
+dns_sdb_putrdata(dns_sdblookup_t *lookup, dns_rdatatype_t typeval, dns_ttl_t ttl,
+		 const unsigned char *rdatap, unsigned int rdlen)
 {
 	dns_rdatalist_t *rdatalist;
 	dns_rdata_t *rdata;
-	dns_rdatatype_t typeval;
-	isc_textregion_t r;
-	isc_buffer_t b;
-	isc_buffer_t *rdatabuf;
-	isc_lex_t *lex;
+	isc_buffer_t *rdatabuf = NULL;
 	isc_result_t result;
-	unsigned int size;
 	isc_mem_t *mctx;
-	dns_sdbimplementation_t *imp;
-	dns_name_t *origin;
-
-	REQUIRE(VALID_SDBLOOKUP(lookup));
-	REQUIRE(type != NULL);
-	REQUIRE(data != NULL);
+	isc_region_t region;
 
 	mctx = lookup->sdb->common.mctx;
 
-	DE_CONST(type, r.base);
-	r.length = strlen(type);
-	result = dns_rdatatype_fromtext(&typeval, &r);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
 	rdatalist = ISC_LIST_HEAD(lookup->lists);
 	while (rdatalist != NULL) {
 		if (rdatalist->type == typeval)
@@ -330,7 +313,56 @@ dns_sdb_putrr(dns_sdblookup_t *lookup, const char *type, dns_ttl_t ttl,
 	rdata = isc_mem_get(mctx, sizeof(dns_rdata_t));
 	if (rdata == NULL)
 		return (ISC_R_NOMEMORY);
+
+	result = isc_buffer_allocate(mctx, &rdatabuf, rdlen);
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+	DE_CONST(rdatap, region.base);
+	region.length = rdlen;
+	isc_buffer_copyregion(rdatabuf, &region);
+	isc_buffer_usedregion(rdatabuf, &region);
 	dns_rdata_init(rdata);
+	dns_rdata_fromregion(rdata, rdatalist->rdclass, rdatalist->type,
+			     &region);
+	ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
+	ISC_LIST_APPEND(lookup->buffers, rdatabuf, link);
+	rdata = NULL;
+
+ failure:
+	if (rdata != NULL)
+		isc_mem_put(mctx, rdata, sizeof(dns_rdata_t));
+	return (result);
+}
+	
+
+isc_result_t
+dns_sdb_putrr(dns_sdblookup_t *lookup, const char *type, dns_ttl_t ttl,
+	      const char *data)
+{
+	unsigned int datalen;
+	dns_rdatatype_t typeval;
+	isc_textregion_t r;
+	isc_lex_t *lex = NULL;
+	isc_result_t result;
+	unsigned char *p = NULL;
+	unsigned int size = 0; /* Init to suppress compiler warning */
+	isc_mem_t *mctx;
+	dns_sdbimplementation_t *imp;
+	dns_name_t *origin;
+	isc_buffer_t b;
+	isc_buffer_t rb;
+
+	REQUIRE(VALID_SDBLOOKUP(lookup));
+	REQUIRE(type != NULL);
+	REQUIRE(data != NULL);
+
+	mctx = lookup->sdb->common.mctx;
+
+	DE_CONST(type, r.base);
+	r.length = strlen(type);
+	result = dns_rdatatype_fromtext(&typeval, &r);
+	if (result != ISC_R_SUCCESS)
+		return (result);
 
 	imp = lookup->sdb->implementation;
 	if ((imp->flags & DNS_SDBFLAG_RELATIVERDATA) != 0)
@@ -338,61 +370,56 @@ dns_sdb_putrr(dns_sdblookup_t *lookup, const char *type, dns_ttl_t ttl,
 	else
 		origin = dns_rootname;
 
-	lex = NULL;
 	result = isc_lex_create(mctx, 64, &lex);
 	if (result != ISC_R_SUCCESS)
 		goto failure;
 
-	size = initial_size(data);
-	do {
-		isc_buffer_init(&b, data, strlen(data));
-		isc_buffer_add(&b, strlen(data));
-
+	datalen = strlen(data);
+	size = initial_size(datalen);
+	for (;;) {
+		isc_buffer_init(&b, data, datalen);
+		isc_buffer_add(&b, datalen);
 		result = isc_lex_openbuffer(lex, &b);
 		if (result != ISC_R_SUCCESS)
 			goto failure;
 
-		rdatabuf = NULL;
-		result = isc_buffer_allocate(mctx, &rdatabuf, size);
-		if (result != ISC_R_SUCCESS)
+		p = isc_mem_get(mctx, size);
+		if (p == NULL) {
+			result = ISC_R_NOMEMORY;
 			goto failure;
-
-		result = dns_rdata_fromtext(rdata, rdatalist->rdclass,
-					    rdatalist->type, lex,
-					    origin, ISC_FALSE,
-					    mctx, rdatabuf,
+		}
+		isc_buffer_init(&rb, p, size);
+		result = dns_rdata_fromtext(NULL,
+					    lookup->sdb->common.rdclass,
+					    typeval, lex,
+					    origin, 0,
+					    mctx, &rb,
 					    &lookup->callbacks);
-		if (result != ISC_R_SUCCESS)
-			isc_buffer_free(&rdatabuf);
+		if (result != ISC_R_NOSPACE)
+			break;
+
+		isc_mem_put(mctx, p, size);
+		p = NULL;
 		size *= 2;
 	} while (result == ISC_R_NOSPACE);
 
 	if (result != ISC_R_SUCCESS)
 		goto failure;
 
-	ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
-	ISC_LIST_APPEND(lookup->buffers, rdatabuf, link);
-
-	if (lex != NULL)
-		isc_lex_destroy(&lex);
-
-	return (ISC_R_SUCCESS);
-
+	result = dns_sdb_putrdata(lookup, typeval, ttl,
+				  isc_buffer_base(&rb),
+				  isc_buffer_usedlength(&rb));
  failure:
-
- 	if (rdatabuf != NULL)
-		isc_buffer_free(&rdatabuf);
+	if (p != NULL)
+		isc_mem_put(mctx, p, size);
 	if (lex != NULL)
 		isc_lex_destroy(&lex);
-	isc_mem_put(mctx, rdata, sizeof(dns_rdata_t));
 
 	return (result);
 }
 
-isc_result_t
-dns_sdb_putnamedrr(dns_sdballnodes_t *allnodes, const char *name,
-		   const char *type, dns_ttl_t ttl, const char *data)
-{
+static isc_result_t
+getnode(dns_sdballnodes_t *allnodes, const char *name, dns_sdbnode_t **nodep) {
 	dns_name_t *newname, *origin;
 	dns_fixedname_t fnewname;
 	dns_sdb_t *sdb = (dns_sdb_t *)allnodes->common.db;
@@ -445,8 +472,33 @@ dns_sdb_putnamedrr(dns_sdballnodes_t *allnodes, const char *name,
 		    dns_name_equal(newname, &sdb->common.origin))
 			allnodes->origin = sdbnode;
 	}
+	*nodep = sdbnode;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_sdb_putnamedrr(dns_sdballnodes_t *allnodes, const char *name,
+		   const char *type, dns_ttl_t ttl, const char *data)
+{
+	isc_result_t result;
+	dns_sdbnode_t *sdbnode = NULL;
+	result = getnode(allnodes, name, &sdbnode);
+	if (result != ISC_R_SUCCESS)
+		return (result);
 	return (dns_sdb_putrr(sdbnode, type, ttl, data));
+}
 
+isc_result_t
+dns_sdb_putnamedrdata(dns_sdballnodes_t *allnodes, const char *name,
+		      dns_rdatatype_t type, dns_ttl_t ttl,
+		      const void *rdata, unsigned int rdlen)
+{
+	isc_result_t result;
+	dns_sdbnode_t *sdbnode = NULL;
+	result = getnode(allnodes, name, &sdbnode);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	return (dns_sdb_putrdata(sdbnode, type, ttl, rdata, rdlen));
 }
 
 isc_result_t
@@ -459,7 +511,7 @@ dns_sdb_putsoa(dns_sdblookup_t *lookup, const char *mname, const char *rname,
 	REQUIRE(mname != NULL);
 	REQUIRE(rname != NULL);
 
-	n = snprintf(str, sizeof str, "%s %s %u %u %u %u %u",
+	n = snprintf(str, sizeof(str), "%s %s %u %u %u %u %u",
 		     mname, rname, serial,
 		     SDB_DEFAULT_REFRESH, SDB_DEFAULT_RETRY,
 		     SDB_DEFAULT_EXPIRE, SDB_DEFAULT_MINIMUM);
@@ -577,10 +629,10 @@ attachversion(dns_db_t *db, dns_dbversion_t *source,
 	      dns_dbversion_t **targetp)
 {
 	REQUIRE(source != NULL && source == (void *) &dummy);
-	REQUIRE(targetp != NULL && *targetp == NULL);
 
 	UNUSED(db);
-	*targetp = source;
+	UNUSED(source);
+	UNUSED(targetp);
 	return;
 }
 
@@ -713,7 +765,10 @@ findnode(dns_db_t *db, dns_name_t *name, isc_boolean_t create,
 	MAYBE_LOCK(sdb);
 	result = imp->methods->lookup(sdb->zone, namestr, sdb->dbdata, node);
 	MAYBE_UNLOCK(sdb);
-	if (result != ISC_R_SUCCESS && !isorigin) {
+	if (result != ISC_R_SUCCESS &&
+	    !(result == ISC_R_NOTFOUND &&
+	      isorigin && imp->methods->authority != NULL))
+	{
 		destroynode(node);
 		return (result);
 	}
@@ -875,8 +930,7 @@ find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 
 		xresult = dns_name_copy(xname, foundname, NULL);
 		if (xresult != ISC_R_SUCCESS) {
-			if (node != NULL)
-				destroynode(node);
+			destroynode(node);
 			if (dns_rdataset_isassociated(rdataset))
 				dns_rdataset_disassociate(rdataset);
 			return (DNS_R_BADDB);
@@ -1031,7 +1085,7 @@ findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 	UNUSED(now);
 	UNUSED(sigrdataset);
 
-	if (type == dns_rdatatype_sig)
+	if (type == dns_rdatatype_rrsig)
 		return (ISC_R_NOTIMPLEMENTED);
 
 	list = ISC_LIST_HEAD(sdbnode->lists);
@@ -1305,7 +1359,9 @@ static dns_rdatasetmethods_t methods = {
 	isc__rdatalist_next,
 	isc__rdatalist_current,
 	rdataset_clone,
-	isc__rdatalist_count
+	isc__rdatalist_count,
+	isc__rdatalist_addnoqname,
+	isc__rdatalist_getnoqname
 };
 
 static void
diff --git a/doc/xsl/Makefile.in b/lib/dns/sec/Makefile.in
index 69a62bfd..94b50abe 100644
--- a/doc/xsl/Makefile.in
+++ b/lib/dns/sec/Makefile.in
@@ -1,4 +1,5 @@
-# Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 1998-2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -12,17 +13,13 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2.38.1 2005/09/12 22:42:07 marka Exp $
+# $Id: Makefile.in,v 1.11.206.1 2004/03/06 08:14:19 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
 top_srcdir =	@top_srcdir@
 
-SUBDIRS =
+SUBDIRS =	dst
 TARGETS =
 
 @BIND9_MAKE_RULES@
-
-distclean::
-	rm -f isc-docbook-chunk.xsl isc-docbook-html.xsl \
-	      isc-docbook-latex.xsl isc-manpage.xsl
diff --git a/lib/dns/sec/dst/Makefile.in b/lib/dns/sec/dst/Makefile.in
new file mode 100644
index 00000000..c9752079
--- /dev/null
+++ b/lib/dns/sec/dst/Makefile.in
@@ -0,0 +1,48 @@
+# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 1998-2002  Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.25.2.2.8.4 2004/03/09 05:21:08 marka Exp $
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =	-I${srcdir} ${DNS_INCLUDES} \
+		${ISC_INCLUDES} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@
+
+CDEFINES =	-DUSE_MD5 @USE_OPENSSL@ @USE_GSSAPI@
+CWARNINGS =
+
+LIBS =		@LIBS@
+
+# Alphabetically
+OBJS =		dst_api.@O@ dst_lib.@O@ dst_parse.@O@ \
+		dst_result.@O@ gssapi_link.@O@ gssapictx.@O@ \
+		hmac_link.@O@ key.@O@ \
+		openssl_link.@O@ openssldh_link.@O@ \
+		openssldsa_link.@O@ opensslrsa_link.@O@
+
+SRCS =		dst_api.c dst_lib.c dst_parse.c \
+		dst_result.c gssapi_link.c gssapictx.c \
+		hmac_link.c key.c \
+		openssl_link.c openssldh_link.c \
+		openssldsa_link.c opensslrsa_link.c
+
+SUBDIRS =	include
+TARGETS =	${OBJS}
+
+@BIND9_MAKE_RULES@
diff --git a/lib/dns/dst_api.c b/lib/dns/sec/dst/dst_api.c
index f816e987..39415a90 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/sec/dst/dst_api.c
@@ -1,6 +1,6 @@
 /*
- * Portions Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 1999-2001, 2003  Internet Software Consortium.
+ * Portions Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 1999-2003  Internet Software Consortium.
  * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -18,7 +18,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: dst_api.c,v 1.1.2.3 2006/01/04 23:50:17 marka Exp $
+ * $Id: dst_api.c,v 1.88.2.3.2.12 2004/03/16 05:50:22 marka Exp $
  */
 
 #include <config.h>
@@ -39,22 +39,26 @@
 #include <isc/util.h>
 
 #include <dns/fixedname.h>
+#include <dns/keyvalues.h>
 #include <dns/name.h>
 #include <dns/rdata.h>
 #include <dns/rdataclass.h>
+#include <dns/ttl.h>
 #include <dns/types.h>
-#include <dns/keyvalues.h>
 
 #include <dst/result.h>
 
 #include "dst_internal.h"
 
+#define DST_AS_STR(t) ((t).value.as_textregion.base)
+
 static dst_func_t *dst_t_func[DST_MAX_ALGS];
-static isc_mem_t *dst_memory_pool = NULL;
 static isc_entropy_t *dst_entropy_pool = NULL;
 static unsigned int dst_entropy_flags = 0;
 static isc_boolean_t dst_initialized = ISC_FALSE;
 
+isc_mem_t *dst__memory_pool = NULL;
+
 /*
  * Static functions.
  */
@@ -68,7 +72,7 @@ static dst_key_t *	get_key_struct(dns_name_t *name,
 static isc_result_t	read_public_key(const char *filename,
 					isc_mem_t *mctx,
 					dst_key_t **keyp);
-static isc_result_t	write_public_key(const dst_key_t *key,
+static isc_result_t	write_public_key(const dst_key_t *key, int type,
 					 const char *directory);
 static isc_result_t	buildfilename(dns_name_t *name,
 				      dns_keytag_t id,
@@ -88,6 +92,9 @@ static isc_result_t	frombuffer(dns_name_t *name,
 
 static isc_result_t	algorithm_status(unsigned int alg);
 
+static isc_result_t	addsuffix(char *filename, unsigned int len,
+				  const char *ofilename, const char *suffix);
+
 #define RETERR(x) 				\
 	do {					\
 		result = (x);			\
@@ -110,7 +117,7 @@ dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags) {
 	REQUIRE(mctx != NULL && ectx != NULL);
 	REQUIRE(dst_initialized == ISC_FALSE);
 
-	dst_memory_pool = NULL;
+	dst__memory_pool = NULL;
 
 #ifdef OPENSSL
 	UNUSED(mctx);
@@ -120,12 +127,12 @@ dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags) {
 	 * Avoid assertions by using a local memory context and not checking
 	 * for leaks on exit.
 	 */
-	result = isc_mem_create(0, 0, &dst_memory_pool);
+	result = isc_mem_create(0, 0, &dst__memory_pool);
 	if (result != ISC_R_SUCCESS)
 		return (result);
-	isc_mem_setdestroycheck(dst_memory_pool, ISC_FALSE);
+	isc_mem_setdestroycheck(dst__memory_pool, ISC_FALSE);
 #else
-	isc_mem_attach(mctx, &dst_memory_pool);
+	isc_mem_attach(mctx, &dst__memory_pool);
 #endif
 	isc_entropy_attach(ectx, &dst_entropy_pool);
 	dst_entropy_flags = eflags;
@@ -137,13 +144,13 @@ dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags) {
 #ifdef OPENSSL
 	RETERR(dst__openssl_init());
 	RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSAMD5]));
+	RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA1]));
 	RETERR(dst__openssldsa_init(&dst_t_func[DST_ALG_DSA]));
 	RETERR(dst__openssldh_init(&dst_t_func[DST_ALG_DH]));
 #endif
 #ifdef GSSAPI
 	RETERR(dst__gssapi_init(&dst_t_func[DST_ALG_GSSAPI]));
 #endif
-
 	dst_initialized = ISC_TRUE;
 	return (ISC_R_SUCCESS);
 
@@ -154,21 +161,18 @@ dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags) {
 
 void
 dst_lib_destroy(void) {
+	int i;
 	RUNTIME_CHECK(dst_initialized == ISC_TRUE);
 	dst_initialized = ISC_FALSE;
 
-	dst__hmacmd5_destroy();
+	for (i = 0; i < DST_MAX_ALGS; i++)
+		if (dst_t_func[i] != NULL && dst_t_func[i]->cleanup != NULL)
+			dst_t_func[i]->cleanup();
 #ifdef OPENSSL
-	dst__opensslrsa_destroy();
-	dst__openssldsa_destroy();
-	dst__openssldh_destroy();
 	dst__openssl_destroy();
 #endif
-#ifdef GSSAPI
-	dst__gssapi_destroy();
-#endif
-	if (dst_memory_pool != NULL)
-		isc_mem_detach(&dst_memory_pool);
+	if (dst__memory_pool != NULL)
+		isc_mem_detach(&dst__memory_pool);
 	if (dst_entropy_pool != NULL)
 		isc_entropy_detach(&dst_entropy_pool);
 
@@ -238,16 +242,22 @@ dst_context_adddata(dst_context_t *dctx, const isc_region_t *data) {
 
 isc_result_t
 dst_context_sign(dst_context_t *dctx, isc_buffer_t *sig) {
+	dst_key_t *key;
+
 	REQUIRE(VALID_CTX(dctx));
 	REQUIRE(sig != NULL);
 
-	CHECKALG(dctx->key->key_alg);
-	if (dctx->key->opaque == NULL)
+	key = dctx->key;
+	CHECKALG(key->key_alg);
+	if (key->opaque == NULL)
 		return (DST_R_NULLKEY);
-	if (dctx->key->func->sign == NULL)
+	if (key->func->sign == NULL)
+		return (DST_R_NOTPRIVATEKEY);
+	if (key->func->isprivate == NULL ||
+	    key->func->isprivate(key) == ISC_FALSE)
 		return (DST_R_NOTPRIVATEKEY);
 
-	return (dctx->key->func->sign(dctx, sig));
+	return (key->func->sign(dctx, sig));
 }
 
 isc_result_t
@@ -303,7 +313,7 @@ dst_key_tofile(const dst_key_t *key, int type, const char *directory) {
 		return (DST_R_UNSUPPORTEDALG);
 
 	if (type & DST_TYPE_PUBLIC) {
-		ret = write_public_key(key, directory);
+		ret = write_public_key(key, type, directory);
 		if (ret != ISC_R_SUCCESS)
 			return (ret);
 	}
@@ -333,7 +343,7 @@ dst_key_fromfile(dns_name_t *name, dns_keytag_t id,
 
 	CHECKALG(alg);
 
-	isc_buffer_init(&b, filename, sizeof filename);
+	isc_buffer_init(&b, filename, sizeof(filename));
 	result = buildfilename(name, id, alg, type, directory, &b);
 	if (result != ISC_R_SUCCESS)
 		return (result);
@@ -369,6 +379,9 @@ dst_key_fromnamedfile(const char *filename, int type, isc_mem_t *mctx,
 	isc_result_t result;
 	dst_key_t *pubkey = NULL, *key = NULL;
 	dns_keytag_t id;
+	char *newfilename = NULL;
+	int newfilenamelen = 0;
+	isc_lex_t *lex = NULL;
 
 	REQUIRE(dst_initialized == ISC_TRUE);
 	REQUIRE(filename != NULL);
@@ -380,7 +393,7 @@ dst_key_fromnamedfile(const char *filename, int type, isc_mem_t *mctx,
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
-	if ((type & (DST_TYPE_PRIVATE | DST_TYPE_PUBLIC)) == DST_TYPE_PUBLIC ||
+	if (type == DST_TYPE_PUBLIC ||
 	    (pubkey->key_flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY)
 	{
 		result = computeid(pubkey);
@@ -393,6 +406,12 @@ dst_key_fromnamedfile(const char *filename, int type, isc_mem_t *mctx,
 		return (ISC_R_SUCCESS);
 	}
 
+	result = algorithm_status(pubkey->key_alg);
+	if (result != ISC_R_SUCCESS) {
+		dst_key_free(&pubkey);
+		return (result);
+	}
+
 	key = get_key_struct(pubkey->key_name, pubkey->key_alg,
 			     pubkey->key_flags, pubkey->key_proto, 0,
 			     pubkey->key_class, mctx);
@@ -402,30 +421,37 @@ dst_key_fromnamedfile(const char *filename, int type, isc_mem_t *mctx,
 	if (key == NULL)
 		return (ISC_R_NOMEMORY);
 
-	if (key->func->fromfile == NULL) {
-		dst_key_free(&key);
-		return (DST_R_UNSUPPORTEDALG);
-	}
+	if (key->func->parse == NULL)
+		RETERR(DST_R_UNSUPPORTEDALG);
 
-	result = key->func->fromfile(key, filename);
-	if (result != ISC_R_SUCCESS) {
-		dst_key_free(&key);
-		return (result);
-	}
+	newfilenamelen = strlen(filename) + 9;
+	newfilename = isc_mem_get(mctx, newfilenamelen);
+	if (newfilename == NULL)
+		RETERR(ISC_R_NOMEMORY);
+	result = addsuffix(newfilename, newfilenamelen, filename, ".private");
+	INSIST(result == ISC_R_SUCCESS);
 
-	result = computeid(key);
-	if (result != ISC_R_SUCCESS) {
-		dst_key_free(&key);
-		return (result);
-	}
+	RETERR(isc_lex_create(mctx, 1500, &lex));
+	RETERR(isc_lex_openfile(lex, newfilename));
+	isc_mem_put(mctx, newfilename, newfilenamelen);
 
-	if (id != key->key_id) {
-		dst_key_free(&key);
-		return (DST_R_INVALIDPRIVATEKEY);
-	}
+	RETERR(key->func->parse(key, lex));
+	isc_lex_destroy(&lex);
+
+	RETERR(computeid(key));
+
+	if (id != key->key_id)
+		RETERR(DST_R_INVALIDPRIVATEKEY);
 
 	*keyp = key;
 	return (ISC_R_SUCCESS);
+ out:
+	if (newfilename != NULL)
+		isc_mem_put(mctx, newfilename, newfilenamelen);
+	if (lex != NULL)
+		isc_lex_destroy(&lex);
+	dst_key_free(&key);
+	return (result);
 }
 
 isc_result_t
@@ -480,8 +506,6 @@ dst_key_fromdns(dns_name_t *name, dns_rdataclass_t rdclass,
 	proto = isc_buffer_getuint8(source);
 	alg = isc_buffer_getuint8(source);
 
-	CHECKALG(alg);
-
 	id = dst_region_computeid(&r, alg);
 
 	if (flags & DNS_KEYFLAG_EXTENDED) {
@@ -512,8 +536,6 @@ dst_key_frombuffer(dns_name_t *name, unsigned int alg,
 
 	REQUIRE(dst_initialized);
 
-	CHECKALG(alg);
-
 	result = frombuffer(name, alg, flags, protocol, rdclass, source,
 			    mctx, &key);
 	if (result != ISC_R_SUCCESS)
@@ -544,6 +566,28 @@ dst_key_tobuffer(const dst_key_t *key, isc_buffer_t *target) {
 }
 
 isc_result_t
+dst_key_privatefrombuffer(dst_key_t *key, isc_buffer_t *buffer) {
+	isc_lex_t *lex = NULL;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(dst_initialized == ISC_TRUE);
+	REQUIRE(VALID_KEY(key));
+	REQUIRE(!dst_key_isprivate(key));
+	REQUIRE(buffer != NULL);
+
+	if (key->func->parse == NULL)
+		RETERR(DST_R_UNSUPPORTEDALG);
+
+	RETERR(isc_lex_create(key->mctx, 1500, &lex));
+	RETERR(isc_lex_openbuffer(lex, buffer));
+	RETERR(key->func->parse(key, lex));
+ out:
+	if (lex != NULL)
+		isc_lex_destroy(&lex);
+	return (result);
+}
+
+isc_result_t
 dst_key_fromgssapi(dns_name_t *name, void *opaque, isc_mem_t *mctx,
 		   dst_key_t **keyp)
 {
@@ -657,10 +701,10 @@ dst_key_free(dst_key_t **keyp) {
 	key = *keyp;
 	mctx = key->mctx;
 
-	INSIST(key->func->destroy != NULL);
-
-	if (key->opaque != NULL)
+	if (key->opaque != NULL) {
+		INSIST(key->func->destroy != NULL);
 		key->func->destroy(key);
+	}
 
 	dns_name_free(key->key_name, mctx);
 	isc_mem_put(mctx, key->key_name, sizeof(dns_name_t));
@@ -697,6 +741,7 @@ dst_key_sigsize(const dst_key_t *key, unsigned int *n) {
 	/* XXXVIX this switch statement is too sparse to gen a jump table. */
 	switch (key->key_alg) {
 	case DST_ALG_RSAMD5:
+	case DST_ALG_RSASHA1:
 		*n = (key->key_size + 7) / 8;
 		break;
 	case DST_ALG_DSA:
@@ -744,8 +789,6 @@ get_key_struct(dns_name_t *name, unsigned int alg,
 	dst_key_t *key;
 	isc_result_t result;
 
-	REQUIRE(dst_algorithm_supported(alg) != ISC_FALSE);
-
 	key = (dst_key_t *) isc_mem_get(mctx, sizeof(dst_key_t));
 	if (key == NULL)
 		return (NULL);
@@ -791,15 +834,17 @@ read_public_key(const char *filename, isc_mem_t *mctx, dst_key_t **keyp) {
 	unsigned int opt = ISC_LEXOPT_DNSMULTILINE;
 	char *newfilename;
 	unsigned int newfilenamelen;
-	isc_textregion_t r;
 	dns_rdataclass_t rdclass = dns_rdataclass_in;
+	isc_lexspecials_t specials;
+	isc_uint32_t ttl;
+	isc_result_t result;
+	dns_rdatatype_t type;
 
 	newfilenamelen = strlen(filename) + 5;
 	newfilename = isc_mem_get(mctx, newfilenamelen);
 	if (newfilename == NULL)
 		return (ISC_R_NOMEMORY);
-	ret = dst__file_addsuffix(newfilename, newfilenamelen, filename,
-				  ".key");
+	ret = addsuffix(newfilename, newfilenamelen, filename, ".key");
 	INSIST(ret == ISC_R_SUCCESS);
 
 	/*
@@ -813,6 +858,13 @@ read_public_key(const char *filename, isc_mem_t *mctx, dst_key_t **keyp) {
 	if (ret != ISC_R_SUCCESS)
 		goto cleanup;
 
+	memset(specials, 0, sizeof(specials));
+	specials['('] = 1;
+	specials[')'] = 1;
+	specials['"'] = 1;
+	isc_lex_setspecials(lex, specials);
+	isc_lex_setcomments(lex, ISC_LEXCOMMENT_DNSMASTERFILE);
+
 	ret = isc_lex_openfile(lex, newfilename);
 	if (ret != ISC_R_SUCCESS)
 		goto cleanup;
@@ -833,9 +885,8 @@ read_public_key(const char *filename, isc_mem_t *mctx, dst_key_t **keyp) {
 	if (token.type != isc_tokentype_string)
 		BADTOKEN();
 	dns_fixedname_init(&name);
-	isc_buffer_init(&b, token.value.as_pointer,
-			strlen(token.value.as_pointer));
-	isc_buffer_add(&b, strlen(token.value.as_pointer));
+	isc_buffer_init(&b, DST_AS_STR(token), strlen(DST_AS_STR(token)));
+	isc_buffer_add(&b, strlen(DST_AS_STR(token)));
 	ret = dns_name_fromtext(dns_fixedname_name(&name), &b, dns_rootname,
 				ISC_FALSE, NULL);
 	if (ret != ISC_R_SUCCESS)
@@ -845,27 +896,30 @@ read_public_key(const char *filename, isc_mem_t *mctx, dst_key_t **keyp) {
 	NEXTTOKEN(lex, opt, &token);
 
 	/* If it's a TTL, read the next one */
-	if (token.type == isc_tokentype_number)
+	result = dns_ttl_fromtext(&token.value.as_textregion, &ttl);
+	if (result == ISC_R_SUCCESS)
 		NEXTTOKEN(lex, opt, &token);
 
 	if (token.type != isc_tokentype_string)
 		BADTOKEN();
 
-	r.base = token.value.as_pointer;
-	r.length = strlen(r.base);
-	ret = dns_rdataclass_fromtext(&rdclass, &r);
+	ret = dns_rdataclass_fromtext(&rdclass, &token.value.as_textregion);
 	if (ret == ISC_R_SUCCESS)
 		NEXTTOKEN(lex, opt, &token);
 
 	if (token.type != isc_tokentype_string)
 		BADTOKEN();
 
-	if (strcasecmp(token.value.as_pointer, "KEY") != 0)
+	if (strcasecmp(DST_AS_STR(token), "DNSKEY") == 0)
+		type = dns_rdatatype_dnskey;
+	else if (strcasecmp(DST_AS_STR(token), "KEY") == 0)
+		type = dns_rdatatype_key; /* SIG(0) */
+	else
 		BADTOKEN();
 
 	isc_buffer_init(&b, rdatabuf, sizeof(rdatabuf));
-	ret = dns_rdata_fromtext(&rdata, rdclass, dns_rdatatype_key,
-				 lex, NULL, ISC_FALSE, mctx, &b, NULL);
+	ret = dns_rdata_fromtext(&rdata, rdclass, type, lex, NULL,
+				 ISC_FALSE, mctx, &b, NULL);
 	if (ret != ISC_R_SUCCESS)
 		goto cleanup;
 
@@ -875,20 +929,38 @@ read_public_key(const char *filename, isc_mem_t *mctx, dst_key_t **keyp) {
 		goto cleanup;
 
  cleanup:
-	if (lex != NULL) {
-		isc_lex_close(lex);
+	if (lex != NULL)
 		isc_lex_destroy(&lex);
-	}
 	isc_mem_put(mctx, newfilename, newfilenamelen);
 
 	return (ret);
 }
 
+static isc_boolean_t
+issymmetric(const dst_key_t *key) {
+	REQUIRE(dst_initialized == ISC_TRUE);
+	REQUIRE(VALID_KEY(key));
+
+	/* XXXVIX this switch statement is too sparse to gen a jump table. */
+	switch (key->key_alg) {
+	case DST_ALG_RSAMD5:
+	case DST_ALG_RSASHA1:
+	case DST_ALG_DSA:
+	case DST_ALG_DH:
+		return (ISC_FALSE);
+	case DST_ALG_HMACMD5:
+	case DST_ALG_GSSAPI:
+		return (ISC_TRUE);
+	default:
+		return (ISC_FALSE);
+	}
+}
+
 /*
  * Writes a public key to disk in DNS format.
  */
 static isc_result_t
-write_public_key(const dst_key_t *key, const char *directory) {
+write_public_key(const dst_key_t *key, int type, const char *directory) {
 	FILE *fp;
 	isc_buffer_t keyb, textb, fileb, classb;
 	isc_region_t r;
@@ -911,7 +983,7 @@ write_public_key(const dst_key_t *key, const char *directory) {
 		return (ret);
 
 	isc_buffer_usedregion(&keyb, &r);
-	dns_rdata_fromregion(&rdata, key->key_class, dns_rdatatype_key, &r);
+	dns_rdata_fromregion(&rdata, key->key_class, dns_rdatatype_dnskey, &r);
 
 	ret = dns_rdata_totext(&rdata, (dns_name_t *) NULL, &textb);
 	if (ret != ISC_R_SUCCESS)
@@ -935,7 +1007,7 @@ write_public_key(const dst_key_t *key, const char *directory) {
 	if ((fp = fopen(filename, "w")) == NULL)
 		return (DST_R_WRITEERROR);
 
-	if (key->func->issymmetric()) {
+	if (issymmetric(key)) {
 		access = 0;
 		isc_fsaccess_add(ISC_FSACCESS_OWNER,
 				 ISC_FSACCESS_READ | ISC_FSACCESS_WRITE,
@@ -944,17 +1016,18 @@ write_public_key(const dst_key_t *key, const char *directory) {
 	}
 
 	ret = dns_name_print(key->key_name, fp);
-	if (ret != ISC_R_SUCCESS) {
-		fclose(fp);
+	if (ret != ISC_R_SUCCESS)
 		return (ret);
-	}
 
 	fprintf(fp, " ");
 
 	isc_buffer_usedregion(&classb, &r);
 	fwrite(r.base, 1, r.length, fp);
 
-	fprintf(fp, " KEY ");
+	if ((type & DST_TYPE_KEY) != 0)
+		fprintf(fp, " KEY ");
+	else
+		fprintf(fp, " DNSKEY ");
 
 	isc_buffer_usedregion(&textb, &r);
 	fwrite(r.base, 1, r.length, fp);
@@ -1035,15 +1108,22 @@ frombuffer(dns_name_t *name, unsigned int alg, unsigned int flags,
 	if (key == NULL)
 		return (ISC_R_NOMEMORY);
 
-	if (key->func->fromdns == NULL) {
-		dst_key_free(&key);
-		return (DST_R_UNSUPPORTEDALG);
-	}
+	if (isc_buffer_remaininglength(source) > 0) {
+		ret = algorithm_status(alg);
+		if (ret != ISC_R_SUCCESS) {
+			dst_key_free(&key);
+			return (ret);
+		}
+		if (key->func->fromdns == NULL) {
+			dst_key_free(&key);
+			return (DST_R_UNSUPPORTEDALG);
+		}
 
-	ret = key->func->fromdns(key, source);
-	if (ret != ISC_R_SUCCESS) {
-		dst_key_free(&key);
-		return (ret);
+		ret = key->func->fromdns(key, source);
+		if (ret != ISC_R_SUCCESS) {
+			dst_key_free(&key);
+			return (ret);
+		}
 	}
 
 	*keyp = key;
@@ -1054,18 +1134,18 @@ static isc_result_t
 algorithm_status(unsigned int alg) {
 	REQUIRE(dst_initialized == ISC_TRUE);
 
-#ifndef OPENSSL
-	if (alg == DST_ALG_RSA || alg == DST_ALG_DSA || alg == DST_ALG_DH)
+	if (dst_algorithm_supported(alg))
+		return (ISC_R_SUCCESS);
+	if (alg == DST_ALG_RSAMD5 || alg == DST_ALG_RSASHA1 ||
+	    alg == DST_ALG_DSA || alg == DST_ALG_DH ||
+	    alg == DST_ALG_HMACMD5)
 		return (DST_R_NOCRYPTO);
-#endif
-	if (!dst_algorithm_supported(alg))
-		return (DST_R_UNSUPPORTEDALG);
-	return (ISC_R_SUCCESS);
+	return (DST_R_UNSUPPORTEDALG);
 }
 
-isc_result_t
-dst__file_addsuffix(char *filename, unsigned int len,
-	  const char *ofilename, const char *suffix)
+static isc_result_t
+addsuffix(char *filename, unsigned int len, const char *ofilename,
+	  const char *suffix)
 {
 	int olen = strlen(ofilename);
 	int n;
@@ -1083,35 +1163,6 @@ dst__file_addsuffix(char *filename, unsigned int len,
 	return (ISC_R_SUCCESS);
 }
 
-void *
-dst__mem_alloc(size_t size) {
-	INSIST(dst_memory_pool != NULL);
-	return (isc_mem_allocate(dst_memory_pool, size));
-}
-
-void
-dst__mem_free(void *ptr) {
-	INSIST(dst_memory_pool != NULL);
-	if (ptr != NULL)
-		isc_mem_free(dst_memory_pool, ptr);
-}
-
-void *
-dst__mem_realloc(void *ptr, size_t size) {
-	void *p;
-
-	INSIST(dst_memory_pool != NULL);
-	p = NULL;
-	if (size > 0U) {
-		p = dst__mem_alloc(size);
-		if (p != NULL && ptr != NULL)
-			memcpy(p, ptr, size);
-	}
-	if (ptr != NULL)
-		dst__mem_free(ptr);
-	return (p);
-}
-
 isc_result_t
 dst__entropy_getdata(void *buf, unsigned int len, isc_boolean_t pseudo) {
 	unsigned int flags = dst_entropy_flags;
diff --git a/lib/dns/dst_internal.h b/lib/dns/sec/dst/dst_internal.h
index c5fa21bf..f4dfa9fb 100644
--- a/lib/dns/dst_internal.h
+++ b/lib/dns/sec/dst/dst_internal.h
@@ -1,6 +1,6 @@
 /*
  * Portions Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Portions Copyright (C) 2000-2002  Internet Software Consortium.
  * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -16,7 +16,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dst_internal.h,v 1.1.2.1 2004/12/09 03:18:14 marka Exp $ */
+/* $Id: dst_internal.h,v 1.38.12.3 2004/03/08 09:04:45 marka Exp $ */
 
 #ifndef DST_DST_INTERNAL_H
 #define DST_DST_INTERNAL_H 1
@@ -26,6 +26,7 @@
 #include <isc/int.h>
 #include <isc/magic.h>
 #include <isc/region.h>
+#include <isc/types.h>
 
 #include <dst/dst.h>
 
@@ -37,6 +38,8 @@ ISC_LANG_BEGINDECLS
 #define VALID_KEY(x) ISC_MAGIC_VALID(x, KEY_MAGIC)
 #define VALID_CTX(x) ISC_MAGIC_VALID(x, CTX_MAGIC)
 
+extern isc_mem_t *dst__memory_pool;
+
 /***
  *** Types
  ***/
@@ -85,14 +88,16 @@ struct dst_func {
 				      const dst_key_t *key2);
 	isc_result_t (*generate)(dst_key_t *key, int parms);
 	isc_boolean_t (*isprivate)(const dst_key_t *key);
-	isc_boolean_t (*issymmetric)(void);
 	void (*destroy)(dst_key_t *key);
 
 	/* conversion functions */
 	isc_result_t (*todns)(const dst_key_t *key, isc_buffer_t *data);
 	isc_result_t (*fromdns)(dst_key_t *key, isc_buffer_t *data);
 	isc_result_t (*tofile)(const dst_key_t *key, const char *directory);
-	isc_result_t (*fromfile)(dst_key_t *key, const char *filename);
+	isc_result_t (*parse)(dst_key_t *key, isc_lex_t *lexer);
+
+	/* cleanup */
+	void (*cleanup)(void);
 };
 
 /*
@@ -111,12 +116,6 @@ isc_result_t dst__gssapi_init(struct dst_func **funcp);
  */
 void dst__openssl_destroy(void);
 
-void dst__hmacmd5_destroy(void);
-void dst__opensslrsa_destroy(void);
-void dst__openssldsa_destroy(void);
-void dst__openssldh_destroy(void);
-void dst__gssapi_destroy(void);
-
 /*
  * Memory allocators using the DST memory pool.
  */
@@ -130,13 +129,6 @@ void * dst__mem_realloc(void *ptr, size_t size);
 isc_result_t dst__entropy_getdata(void *buf, unsigned int len,
 				  isc_boolean_t pseudo);
 
-/*
- * Generic helper functions.
- */
-isc_result_t
-dst__file_addsuffix(char *filename, unsigned int len,
-		    const char *ofilename, const char *suffix);
-
 ISC_LANG_ENDDECLS
 
 #endif /* DST_DST_INTERNAL_H */
diff --git a/lib/dns/dst_lib.c b/lib/dns/sec/dst/dst_lib.c
index e278d862..fdee148d 100644
--- a/lib/dns/dst_lib.c
+++ b/lib/dns/sec/dst/dst_lib.c
@@ -17,7 +17,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: dst_lib.c,v 1.1.2.1 2004/12/09 03:18:14 marka Exp $
+ * $Id: dst_lib.c,v 1.8.12.3 2004/03/08 09:04:45 marka Exp $
  */
 
 #include <config.h>
@@ -34,7 +34,7 @@
  *** Globals
  ***/
 
-isc_msgcat_t *			dst_msgcat = NULL;
+LIBDNS_EXTERNAL_DATA isc_msgcat_t *		dst_msgcat = NULL;
 
 
 /***
diff --git a/lib/dns/sec/dst/dst_openssl.h b/lib/dns/sec/dst/dst_openssl.h
new file mode 100644
index 00000000..c774ca92
--- /dev/null
+++ b/lib/dns/sec/dst/dst_openssl.h
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2002  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dst_openssl.h,v 1.1.202.3 2004/03/08 09:04:45 marka Exp $ */
+
+#ifndef DST_OPENSSL_H
+#define DST_OPENSSL_H 1
+
+#include <isc/lang.h>
+#include <isc/result.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dst__openssl_toresult(isc_result_t fallback);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DST_OPENSSL_H */
diff --git a/lib/dns/dst_parse.c b/lib/dns/sec/dst/dst_parse.c
index cd67fbd5..1c5378c1 100644
--- a/lib/dns/dst_parse.c
+++ b/lib/dns/sec/dst/dst_parse.c
@@ -1,6 +1,6 @@
 /*
  * Portions Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 1999-2001  Internet Software Consortium.
+ * Portions Copyright (C) 1999-2002  Internet Software Consortium.
  * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -18,7 +18,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: dst_parse.c,v 1.1.2.1 2004/12/09 03:18:14 marka Exp $
+ * $Id: dst_parse.c,v 1.31.2.1.10.10 2004/03/16 05:50:22 marka Exp $
  */
 
 #include <config.h>
@@ -35,13 +35,10 @@
 #include "dst_parse.h"
 #include "dst/result.h"
 
+#define DST_AS_STR(t) ((t).value.as_textregion.base)
 
 #define PRIVATE_KEY_STR "Private-key-format:"
 #define ALGORITHM_STR "Algorithm:"
-#define RSA_STR "RSA"
-#define DH_STR "DH"
-#define DSA_STR "DSA"
-#define HMACMD5_STR "HMAC_MD5"
 
 struct parse_map {
 	const int value;
@@ -157,6 +154,7 @@ check_data(const dst_private_t *priv, const unsigned int alg) {
 	/* XXXVIX this switch statement is too sparse to gen a jump table. */
 	switch (alg) {
 	case DST_ALG_RSAMD5:
+	case DST_ALG_RSASHA1:
 		return (check_rsa(priv));
 	case DST_ALG_DH:
 		return (check_dh(priv));
@@ -185,56 +183,42 @@ dst__privstruct_free(dst_private_t *priv, isc_mem_t *mctx) {
 }
 
 int
-dst__privstruct_parsefile(dst_key_t *key, const char *filename,
-			  isc_mem_t *mctx, dst_private_t *priv)
+dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex,
+		      isc_mem_t *mctx, dst_private_t *priv)
 {
 	int n = 0, major, minor;
 	isc_buffer_t b;
-	isc_lex_t *lex = NULL;
 	isc_token_t token;
+	unsigned char *data = NULL;
 	unsigned int opt = ISC_LEXOPT_EOL;
-	char *newfilename;
-	int newfilenamelen;
 	isc_result_t ret;
 
 	REQUIRE(priv != NULL);
 
-	newfilenamelen = strlen(filename) + 9;
-	newfilename = isc_mem_get(mctx, newfilenamelen);
-	if (newfilename == NULL)
-		return (ISC_R_NOMEMORY);
-	ret = dst__file_addsuffix(newfilename, newfilenamelen, filename,
-				  ".private");
-	INSIST(ret == ISC_R_SUCCESS);
-
 	priv->nelements = 0;
 
-	ret = isc_lex_create(mctx, 1024, &lex);
-	if (ret != ISC_R_SUCCESS)
-		return (ret);
-
-	ret = isc_lex_openfile(lex, newfilename);
-	if (ret != ISC_R_SUCCESS)
-		goto fail;
-
-#define NEXTTOKEN(lex, opt, token) \
-	{ \
-		ret = isc_lex_gettoken(lex, opt, token); \
-		if (ret != ISC_R_SUCCESS) \
-			goto fail; \
-	}
-
-#define READLINE(lex, opt, token) \
-	do { \
-		NEXTTOKEN(lex, opt, token) \
-	} while ((*token).type != isc_tokentype_eol) \
+#define NEXTTOKEN(lex, opt, token)				\
+	do {							\
+		ret = isc_lex_gettoken(lex, opt, token);	\
+		if (ret != ISC_R_SUCCESS)			\
+			goto fail;				\
+	} while (0)
+
+#define READLINE(lex, opt, token)				\
+	do {							\
+		ret = isc_lex_gettoken(lex, opt, token);	\
+		if (ret == ISC_R_EOF)				\
+			break;					\
+		else if (ret != ISC_R_SUCCESS)			\
+			goto fail;				\
+	} while ((*token).type != isc_tokentype_eol)
 
 	/*
 	 * Read the description line.
 	 */
 	NEXTTOKEN(lex, opt, &token);
 	if (token.type != isc_tokentype_string ||
-	    strcmp(token.value.as_pointer, PRIVATE_KEY_STR) != 0)
+	    strcmp(DST_AS_STR(token), PRIVATE_KEY_STR) != 0)
 	{
 		ret = DST_R_INVALIDPRIVATEKEY;
 		goto fail;
@@ -242,12 +226,12 @@ dst__privstruct_parsefile(dst_key_t *key, const char *filename,
 
 	NEXTTOKEN(lex, opt, &token);
 	if (token.type != isc_tokentype_string ||
-	    ((char *)token.value.as_pointer)[0] != 'v')
+	    (DST_AS_STR(token))[0] != 'v')
 	{
 		ret = DST_R_INVALIDPRIVATEKEY;
 		goto fail;
 	}
-	if (sscanf(token.value.as_pointer, "v%d.%d", &major, &minor) != 2)
+	if (sscanf(DST_AS_STR(token), "v%d.%d", &major, &minor) != 2)
 	{
 		ret = DST_R_INVALIDPRIVATEKEY;
 		goto fail;
@@ -267,7 +251,7 @@ dst__privstruct_parsefile(dst_key_t *key, const char *filename,
 	 */
 	NEXTTOKEN(lex, opt, &token);
 	if (token.type != isc_tokentype_string ||
-	    strcmp(token.value.as_pointer, ALGORITHM_STR) != 0)
+	    strcmp(DST_AS_STR(token), ALGORITHM_STR) != 0)
 	{
 		ret = DST_R_INVALIDPRIVATEKEY;
 		goto fail;
@@ -288,7 +272,6 @@ dst__privstruct_parsefile(dst_key_t *key, const char *filename,
 	 */
 	for (n = 0; n < MAXFIELDS; n++) {
 		int tag;
-		unsigned char *data;
 		isc_region_t r;
 
 		do {
@@ -305,8 +288,8 @@ dst__privstruct_parsefile(dst_key_t *key, const char *filename,
 		}
 
 		memset(&priv->elements[n], 0, sizeof(dst_private_element_t));
-		tag = find_value(token.value.as_pointer, dst_key_alg(key));
-		if (tag < 0 || TAG_ALG(tag) != dst_key_alg(key)) {
+		tag = find_value(DST_AS_STR(token), alg);
+		if (tag < 0 || TAG_ALG(tag) != alg) {
 			ret = DST_R_INVALIDPRIVATEKEY;
 			goto fail;
 		}
@@ -325,28 +308,22 @@ dst__privstruct_parsefile(dst_key_t *key, const char *filename,
 		priv->elements[n].data = r.base;
 
 		READLINE(lex, opt, &token);
+		data = NULL;
 	}
  done:
 	priv->nelements = n;
 
-	if (check_data(priv, dst_key_alg(key)) < 0)
+	if (check_data(priv, alg) < 0)
 		goto fail;
 
-	isc_lex_close(lex);
-	isc_lex_destroy(&lex);
-	isc_mem_put(mctx, newfilename, newfilenamelen);
-
 	return (ISC_R_SUCCESS);
 
 fail:
-	if (lex != NULL) {
-		isc_lex_close(lex);
-		isc_lex_destroy(&lex);
-	}
-	isc_mem_put(mctx, newfilename, newfilenamelen);
-
 	priv->nelements = n;
 	dst__privstruct_free(priv, mctx);
+	if (data != NULL)
+		isc_mem_put(mctx, data, MAXFIELDSIZE);
+
 	return (ret);
 }
 
@@ -397,6 +374,9 @@ dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
 	case DST_ALG_DSA:
 		fprintf(fp, "(DSA)\n");
 		break;
+	case DST_ALG_RSASHA1:
+		fprintf(fp, "(RSASHA1)\n");
+		break;
 	case DST_ALG_HMACMD5:
 		fprintf(fp, "(HMAC_MD5)\n");
 		break;
diff --git a/lib/dns/dst_parse.h b/lib/dns/sec/dst/dst_parse.h
index 33aa9792..ff554dba 100644
--- a/lib/dns/dst_parse.h
+++ b/lib/dns/sec/dst/dst_parse.h
@@ -1,6 +1,6 @@
 /*
  * Portions Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Portions Copyright (C) 2000-2002  Internet Software Consortium.
  * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -16,7 +16,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dst_parse.h,v 1.1.2.1 2004/12/09 03:18:15 marka Exp $ */
+/* $Id: dst_parse.h,v 1.19.12.4 2004/03/08 09:04:45 marka Exp $ */
 
 #ifndef DST_DST_PARSE_H
 #define DST_DST_PARSE_H 1
@@ -83,8 +83,8 @@ void
 dst__privstruct_free(dst_private_t *priv, isc_mem_t *mctx);
 
 int
-dst__privstruct_parsefile(dst_key_t *key, const char *filename,
-			  isc_mem_t *mctx, dst_private_t *priv);
+dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex,
+		      isc_mem_t *mctx, dst_private_t *priv);
 
 int
 dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
diff --git a/lib/dns/dst_result.c b/lib/dns/sec/dst/dst_result.c
index c7bbd883..da31c403 100644
--- a/lib/dns/dst_result.c
+++ b/lib/dns/sec/dst/dst_result.c
@@ -17,7 +17,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: dst_result.c,v 1.1.2.1 2004/12/09 03:18:16 marka Exp $
+ * $Id: dst_result.c,v 1.18.2.1.8.1 2004/03/06 08:14:21 marka Exp $
  */
 
 #include <config.h>
diff --git a/lib/dns/gssapi_link.c b/lib/dns/sec/dst/gssapi_link.c
index d98cbb39..20f9f8f5 100644
--- a/lib/dns/gssapi_link.c
+++ b/lib/dns/sec/dst/gssapi_link.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) 2000-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: gssapi_link.c,v 1.1.2.1 2004/12/09 03:18:17 marka Exp $
+ * $Id: gssapi_link.c,v 1.7.12.4 2004/03/08 09:04:46 marka Exp $
  */
 
 #ifdef GSSAPI
@@ -182,12 +182,6 @@ gssapi_isprivate(const dst_key_t *key) {
         return (ISC_TRUE);
 }
 
-static isc_boolean_t
-gssapi_issymmetric(const dst_key_t *key) {
-	UNUSED(key);
-        return (ISC_TRUE);
-}
-
 static void
 gssapi_destroy(dst_key_t *key) {
 	UNUSED(key);
@@ -205,25 +199,22 @@ static dst_func_t gssapi_functions = {
 	NULL, /* paramcompare */
 	gssapi_generate,
 	gssapi_isprivate,
-	gssapi_issymmetric,
 	gssapi_destroy,
 	NULL, /* todns */
 	NULL, /* fromdns */
 	NULL, /* tofile */
-	NULL, /* fromfile */
+	NULL, /* parse */
+	NULL, /* cleanup */
 };
 
 isc_result_t
 dst__gssapi_init(dst_func_t **funcp) {
-	REQUIRE(funcp != NULL && *funcp == NULL);
-	*funcp = &gssapi_functions;
+	REQUIRE(funcp != NULL);
+	if (*funcp == NULL)
+		*funcp = &gssapi_functions;
 	return (ISC_R_SUCCESS);
 }
 
-void
-dst__gssapi_destroy(void) {
-}
-
 #else
 int  gssapi_link_unneeded = 1;
 #endif
diff --git a/lib/dns/gssapictx.c b/lib/dns/sec/dst/gssapictx.c
index 59782688..0f749992 100644
--- a/lib/dns/gssapictx.c
+++ b/lib/dns/sec/dst/gssapictx.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: gssapictx.c,v 1.1.2.1 2004/12/09 03:18:17 marka Exp $ */
+/* $Id: gssapictx.c,v 1.3.2.1.8.1 2004/03/06 08:14:21 marka Exp $ */
 
 #include <config.h>
 
diff --git a/lib/dns/hmac_link.c b/lib/dns/sec/dst/hmac_link.c
index 02d27380..102121a6 100644
--- a/lib/dns/hmac_link.c
+++ b/lib/dns/sec/dst/hmac_link.c
@@ -1,6 +1,6 @@
 /*
  * Portions Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 1999-2001  Internet Software Consortium.
+ * Portions Copyright (C) 1999-2002  Internet Software Consortium.
  * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -18,7 +18,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: hmac_link.c,v 1.1.2.1 2004/12/09 03:18:17 marka Exp $
+ * $Id: hmac_link.c,v 1.53.2.1.8.5 2004/03/08 09:04:46 marka Exp $
  */
 
 #include <config.h>
@@ -155,11 +155,6 @@ hmacmd5_isprivate(const dst_key_t *key) {
 	return (ISC_TRUE);
 }
 
-static isc_boolean_t
-hmacmd5_issymmetric(void) {
-        return (ISC_TRUE);
-}
-
 static void
 hmacmd5_destroy(dst_key_t *key) {
 	HMAC_Key *hkey = key->opaque;
@@ -240,14 +235,14 @@ hmacmd5_tofile(const dst_key_t *key, const char *directory) {
 }
 
 static isc_result_t
-hmacmd5_fromfile(dst_key_t *key, const char *filename) {
+hmacmd5_parse(dst_key_t *key, isc_lex_t *lexer) {
 	dst_private_t priv;
 	isc_result_t ret;
 	isc_buffer_t b;
 	isc_mem_t *mctx = key->mctx;
 
 	/* read private key file */
-	ret = dst__privstruct_parsefile(key, filename, mctx, &priv);
+	ret = dst__privstruct_parse(key, DST_ALG_HMACMD5, lexer, mctx, &priv);
 	if (ret != ISC_R_SUCCESS)
 		return (ret);
 
@@ -270,21 +265,18 @@ static dst_func_t hmacmd5_functions = {
 	NULL, /* paramcompare */
 	hmacmd5_generate,
 	hmacmd5_isprivate,
-	hmacmd5_issymmetric,
 	hmacmd5_destroy,
 	hmacmd5_todns,
 	hmacmd5_fromdns,
 	hmacmd5_tofile,
-	hmacmd5_fromfile,
+	hmacmd5_parse,
+	NULL, /* cleanup */
 };
 
 isc_result_t
 dst__hmacmd5_init(dst_func_t **funcp) {
-	REQUIRE(funcp != NULL && *funcp == NULL);
-	*funcp = &hmacmd5_functions;
+	REQUIRE(funcp != NULL);
+	if (*funcp == NULL)
+		*funcp = &hmacmd5_functions;
 	return (ISC_R_SUCCESS);
 }
-
-void
-dst__hmacmd5_destroy(void) {
-}
diff --git a/lib/dns/sec/dst/include/Makefile.in b/lib/dns/sec/dst/include/Makefile.in
new file mode 100644
index 00000000..4bf4922f
--- /dev/null
+++ b/lib/dns/sec/dst/include/Makefile.in
@@ -0,0 +1,25 @@
+# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 1998-2001  Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.8.206.1 2004/03/06 08:14:23 marka Exp $
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+SUBDIRS =	dst
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/lib/dns/include/dst/Makefile.in b/lib/dns/sec/dst/include/dst/Makefile.in
index 5a77910b..c59dbb49 100644
--- a/lib/dns/include/dst/Makefile.in
+++ b/lib/dns/sec/dst/include/dst/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.1.2.1 2004/12/09 03:18:23 marka Exp $
+# $Id: Makefile.in,v 1.10.206.1 2004/03/06 08:14:23 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/dns/include/dst/dst.h b/lib/dns/sec/dst/include/dst/dst.h
index e3ebd2cf..7a64b723 100644
--- a/lib/dns/include/dst/dst.h
+++ b/lib/dns/sec/dst/include/dst/dst.h
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) 2000-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dst.h,v 1.1.2.1 2004/12/09 03:18:23 marka Exp $ */
+/* $Id: dst.h,v 1.42.2.1.8.5 2004/03/10 02:55:59 marka Exp $ */
 
 #ifndef DST_DST_H
 #define DST_DST_H 1
@@ -45,6 +45,8 @@ typedef struct dst_context 	dst_context_t;
 #define DST_ALG_RSA		DST_ALG_RSAMD5	/* backwards compatibility */
 #define DST_ALG_DH		2
 #define DST_ALG_DSA		3
+#define DST_ALG_ECC		4
+#define DST_ALG_RSASHA1		5
 #define DST_ALG_HMACMD5		157
 #define DST_ALG_GSSAPI		160
 #define DST_ALG_PRIVATE		254
@@ -61,6 +63,7 @@ typedef struct dst_context 	dst_context_t;
 #define DST_KEY_MAXTEXTSIZE	2048
 
 /* 'Type' for dst_read_key() */
+#define DST_TYPE_KEY		0x1000000	/* KEY key */
 #define DST_TYPE_PRIVATE	0x2000000
 #define DST_TYPE_PUBLIC		0x4000000
 
@@ -345,6 +348,26 @@ dst_key_tobuffer(const dst_key_t *key, isc_buffer_t *target);
  */
 
 isc_result_t
+dst_key_privatefrombuffer(dst_key_t *key, isc_buffer_t *buffer);
+/*
+ * Converts a public key into a private key, reading the private key
+ * information from the buffer.  The buffer should contain the same data
+ * as the .private key file would.
+ *
+ * Requires:
+ * 	"key" is a valid public key.
+ *	"buffer" is not NULL.
+ *
+ * Returns:
+ * 	ISC_R_SUCCESS
+ * 	any other result indicates failure
+ *
+ * Ensures:
+ *	If successful, key will contain a valid private key.
+ */
+
+
+isc_result_t
 dst_key_fromgssapi(dns_name_t *name, void *opaque, isc_mem_t *mctx,
 		                   dst_key_t **keyp);
 /*
diff --git a/lib/dns/include/dst/gssapi.h b/lib/dns/sec/dst/include/dst/gssapi.h
index 123e46f7..564e4883 100644
--- a/lib/dns/include/dst/gssapi.h
+++ b/lib/dns/sec/dst/include/dst/gssapi.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: gssapi.h,v 1.1.2.1 2004/12/09 03:18:23 marka Exp $ */
+/* $Id: gssapi.h,v 1.3.206.1 2004/03/06 08:14:25 marka Exp $ */
 
 #ifndef DST_GSSAPI_H
 #define DST_GSSAPI_H 1
diff --git a/lib/dns/include/dst/lib.h b/lib/dns/sec/dst/include/dst/lib.h
index 520705c0..11b23e30 100644
--- a/lib/dns/include/dst/lib.h
+++ b/lib/dns/sec/dst/include/dst/lib.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lib.h,v 1.1.2.1 2004/12/09 03:18:23 marka Exp $ */
+/* $Id: lib.h,v 1.6.12.3 2004/03/08 09:04:47 marka Exp $ */
 
 #ifndef DST_LIB_H
 #define DST_LIB_H 1
@@ -25,7 +25,7 @@
 
 ISC_LANG_BEGINDECLS
 
-extern isc_msgcat_t *dst_msgcat;
+LIBDNS_EXTERNAL_DATA extern isc_msgcat_t *dst_msgcat;
 
 void
 dst_lib_initmsgcat(void);
diff --git a/lib/dns/include/dst/result.h b/lib/dns/sec/dst/include/dst/result.h
index 9adbf581..bbac21ea 100644
--- a/lib/dns/include/dst/result.h
+++ b/lib/dns/sec/dst/include/dst/result.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: result.h,v 1.1.2.1 2004/12/09 03:18:24 marka Exp $ */
+/* $Id: result.h,v 1.20.206.1 2004/03/06 08:14:25 marka Exp $ */
 
 #ifndef DST_RESULT_H
 #define DST_RESULT_H 1
diff --git a/lib/dns/key.c b/lib/dns/sec/dst/key.c
index ffc8050c..e373cf6f 100644
--- a/lib/dns/key.c
+++ b/lib/dns/sec/dst/key.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: key.c,v 1.1.2.1 2004/12/09 03:18:17 marka Exp $ */
+/* $Id: key.c,v 1.6.206.1 2004/03/06 08:14:22 marka Exp $ */
 
 #include <config.h>
 
diff --git a/lib/dns/openssl_link.c b/lib/dns/sec/dst/openssl_link.c
index 0ca8ba9a..62b17c30 100644
--- a/lib/dns/openssl_link.c
+++ b/lib/dns/sec/dst/openssl_link.c
@@ -1,6 +1,6 @@
 /*
- * Portions Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 1999-2001, 2003  Internet Software Consortium.
+ * Portions Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 1999-2003  Internet Software Consortium.
  * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -18,7 +18,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: openssl_link.c,v 1.1.2.3 2006/05/23 23:51:02 marka Exp $
+ * $Id: openssl_link.c,v 1.46.2.2.2.9 2004/03/16 05:50:23 marka Exp $
  */
 #ifdef OPENSSL
 
@@ -33,11 +33,13 @@
 #include <isc/util.h>
 
 #include "dst_internal.h"
+#include "dst_openssl.h"
 
+#include <openssl/err.h>
 #include <openssl/rand.h>
 #include <openssl/crypto.h>
 
-#if defined(CRYPTO_LOCK_ENGINE) && (OPENSSL_VERSION_NUMBER != 0x00907000L)
+#if defined(CRYPTO_LOCK_ENGINE) && (OPENSSL_VERSION_NUMBER < 0x00907000L)
 #define USE_ENGINE 1
 #endif
 
@@ -97,14 +99,42 @@ id_callback(void) {
 	return ((unsigned long)isc_thread_self());
 }
 
+static void *
+mem_alloc(size_t size) {
+	INSIST(dst__memory_pool != NULL);
+	return (isc_mem_allocate(dst__memory_pool, size));
+}
+
+static void
+mem_free(void *ptr) {
+	INSIST(dst__memory_pool != NULL);
+	if (ptr != NULL)
+		isc_mem_free(dst__memory_pool, ptr);
+}
+
+static void *
+mem_realloc(void *ptr, size_t size) {
+	void *p;
+
+	INSIST(dst__memory_pool != NULL);
+	p = NULL;
+	if (size > 0U) {
+		p = mem_alloc(size);
+		if (p != NULL && ptr != NULL)
+			memcpy(p, ptr, size);
+	}
+	if (ptr != NULL)
+		mem_free(ptr);
+	return (p);
+}
+
 isc_result_t
 dst__openssl_init() {
 	isc_result_t result;
 
-	CRYPTO_set_mem_functions(dst__mem_alloc, dst__mem_realloc,
-				 dst__mem_free);
+	CRYPTO_set_mem_functions(mem_alloc, mem_realloc, mem_free);
 	nlocks = CRYPTO_num_locks();
-	locks = dst__mem_alloc(sizeof(isc_mutex_t) * nlocks);
+	locks = mem_alloc(sizeof(isc_mutex_t) * nlocks);
 	if (locks == NULL)
 		return (ISC_R_NOMEMORY);
 	result = isc_mutexblock_init(locks, nlocks);
@@ -112,7 +142,7 @@ dst__openssl_init() {
 		goto cleanup_mutexalloc;
 	CRYPTO_set_locking_callback(lock_callback);
 	CRYPTO_set_id_callback(id_callback);
-	rm = dst__mem_alloc(sizeof(RAND_METHOD));
+	rm = mem_alloc(sizeof(RAND_METHOD));
 	if (rm == NULL) {
 		result = ISC_R_NOMEMORY;
 		goto cleanup_mutexinit;
@@ -130,7 +160,7 @@ dst__openssl_init() {
 		goto cleanup_rm;
 	}
 	ENGINE_set_RAND(e, rm);
-	RAND_set_rand_method(rm);
+	RAND_set_rand_method(e);
 #else
 	RAND_set_rand_method(rm);
 #endif
@@ -138,17 +168,18 @@ dst__openssl_init() {
 
 #ifdef USE_ENGINE
  cleanup_rm:
-	dst__mem_free(rm);
+	mem_free(rm);
 #endif
  cleanup_mutexinit:
-	RUNTIME_CHECK(isc_mutexblock_destroy(locks, nlocks) == ISC_R_SUCCESS);
+	DESTROYMUTEXBLOCK(locks, nlocks);
  cleanup_mutexalloc:
-	dst__mem_free(locks);
+	mem_free(locks);
 	return (result);
 }
 
 void
 dst__openssl_destroy() {
+	ERR_clear_error();
 #ifdef USE_ENGINE
 	if (e != NULL) {
 		ENGINE_free(e);
@@ -156,12 +187,33 @@ dst__openssl_destroy() {
 	}
 #endif
 	if (locks != NULL) {
-		RUNTIME_CHECK(isc_mutexblock_destroy(locks, nlocks) ==
-			      ISC_R_SUCCESS);
-		dst__mem_free(locks);
+		DESTROYMUTEXBLOCK(locks, nlocks);
+		mem_free(locks);
 	}
 	if (rm != NULL)
-		dst__mem_free(rm);
+		mem_free(rm);
 }
 
+isc_result_t
+dst__openssl_toresult(isc_result_t fallback) {
+	isc_result_t result = fallback;
+	int err = ERR_get_error();
+
+	switch (ERR_GET_REASON(err)) {
+	case ERR_R_MALLOC_FAILURE:
+		result = ISC_R_NOMEMORY;
+		break;
+	default:
+		break;
+	}
+	ERR_clear_error();
+	return (result);
+}
+
+#else /* OPENSSL */
+
+#include <isc/util.h>
+
+EMPTY_TRANSLATION_UNIT
+
 #endif /* OPENSSL */
diff --git a/lib/dns/openssldh_link.c b/lib/dns/sec/dst/openssldh_link.c
index f49f20c4..dcee9768 100644
--- a/lib/dns/openssldh_link.c
+++ b/lib/dns/sec/dst/openssldh_link.c
@@ -1,6 +1,6 @@
 /*
- * Portions Copyright (C) 2004, 2006, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 1999-2001  Internet Software Consortium.
+ * Portions Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 1999-2002  Internet Software Consortium.
  * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -18,7 +18,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: openssldh_link.c,v 1.1.2.7 2007/01/08 05:57:37 marka Exp $
+ * $Id: openssldh_link.c,v 1.38.2.2.8.7 2004/03/16 05:50:23 marka Exp $
  */
 
 #ifdef OPENSSL
@@ -34,6 +34,7 @@
 #include <dst/result.h>
 
 #include "dst_internal.h"
+#include "dst_openssl.h"
 #include "dst_parse.h"
 
 #include <openssl/dh.h>
@@ -47,9 +48,19 @@
 	"5F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406" \
 	"B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF"
 
+#define PRIME1536 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" \
+	"29024E088A67CC74020BBEA63B139B22514A08798E3404DD" \
+	"EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" \
+	"E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" \
+	"EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" \
+	"C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" \
+	"83655D23DCA3AD961C62F356208552BB9ED529077096966D" \
+	"670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF"
+
+
 static isc_result_t openssldh_todns(const dst_key_t *key, isc_buffer_t *data);
 
-static BIGNUM bn2, bn768, bn1024;
+static BIGNUM bn2, bn768, bn1024, bn1536;
 
 static isc_result_t
 openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv,
@@ -72,7 +83,7 @@ openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv,
 		return (ISC_R_NOSPACE);
 	ret = DH_compute_key(r.base, dhpub->pub_key, dhpriv);
 	if (ret == 0)
-		return (DST_R_COMPUTESECRETFAILURE);
+		return (dst__openssl_toresult(DST_R_COMPUTESECRETFAILURE));
 	isc_buffer_add(secret, len);
 	return (ISC_R_SUCCESS);
 }
@@ -129,51 +140,38 @@ openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
 
 static isc_result_t
 openssldh_generate(dst_key_t *key, int generator) {
-#if OPENSSL_VERSION_NUMBER > 0x00908000L
-        BN_GENCB cb;
-#endif
 	DH *dh = NULL;
 
 	if (generator == 0) {
-		if (key->key_size == 768 || key->key_size == 1024) {
+		if (key->key_size == 768 ||
+		    key->key_size == 1024 ||
+		    key->key_size == 1536)
+		{
 			dh = DH_new();
 			if (dh == NULL)
 				return (ISC_R_NOMEMORY);
 			if (key->key_size == 768)
 				dh->p = &bn768;
-			else
+			else if (key->key_size == 1024)
 				dh->p = &bn1024;
+			else
+				dh->p = &bn1536;
 			dh->g = &bn2;
 		}
 		else
 			generator = 2;
 	}
 
-	if (generator != 0) {
-#if OPENSSL_VERSION_NUMBER > 0x00908000L
-		dh = DH_new();
-		if (dh == NULL)
-			return (DST_R_OPENSSLFAILURE);
-
-		BN_GENCB_set_old(&cb, NULL, NULL);
-
-		if (!DH_generate_parameters_ex(dh, key->key_size, generator,
-					       &cb)) {
-			DH_free(dh);
-			return (DST_R_OPENSSLFAILURE);
-		}
-#else
+	if (generator != 0)
 		dh = DH_generate_parameters(key->key_size, generator,
 					    NULL, NULL);
-#endif
-	}
 
 	if (dh == NULL)
-		return (DST_R_OPENSSLFAILURE);
+		return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
 
 	if (DH_generate_key(dh) == 0) {
 		DH_free(dh);
-		return (DST_R_OPENSSLFAILURE);
+		return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
 	}
 	dh->flags &= ~DH_FLAG_CACHE_MONT_P;
 
@@ -188,11 +186,6 @@ openssldh_isprivate(const dst_key_t *key) {
 	return (ISC_TF(dh != NULL && dh->priv_key != NULL));
 }
 
-static isc_boolean_t
-openssldh_issymmetric(void) {
-        return (ISC_FALSE);
-}
-
 static void
 openssldh_destroy(dst_key_t *key) {
 	DH *dh = key->opaque;
@@ -200,7 +193,7 @@ openssldh_destroy(dst_key_t *key) {
 	if (dh == NULL)
 		return;
 
-	if (dh->p == &bn768 || dh->p == &bn1024)
+	if (dh->p == &bn768 || dh->p == &bn1024 || dh->p == &bn1536)
 		dh->p = NULL;
 	if (dh->g == &bn2)
 		dh->g = NULL;
@@ -238,7 +231,8 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) {
 
 	isc_buffer_availableregion(data, &r);
 
-	if (dh->g == &bn2 && (dh->p == &bn768 || dh->p == &bn1024)) {
+	if (dh->g == &bn2 &&
+	    (dh->p == &bn768 || dh->p == &bn1024 || dh->p == &bn1536)) {
 		plen = 1;
 		glen = 0;
 	}
@@ -255,8 +249,10 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) {
 	if (plen == 1) {
 		if (dh->p == &bn768)
 			*r.base = 1;
-		else
+		else if (dh->p == &bn1024)
 			*r.base = 2;
+		else
+			*r.base = 3;
 	}
 	else
 		BN_bn2bin(dh->p, r.base);
@@ -321,6 +317,9 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
 			case 2:
 				dh->p = &bn1024;
 				break;
+			case 3:
+				dh->p = &bn1536;
+				break;
 			default:
 				DH_free(dh);
 				return (DST_R_INVALIDPUBLICKEY);
@@ -449,7 +448,7 @@ openssldh_tofile(const dst_key_t *key, const char *directory) {
 }
 
 static isc_result_t
-openssldh_fromfile(dst_key_t *key, const char *filename) {
+openssldh_parse(dst_key_t *key, isc_lex_t *lexer) {
 	dst_private_t priv;
 	isc_result_t ret;
 	int i;
@@ -460,7 +459,7 @@ openssldh_fromfile(dst_key_t *key, const char *filename) {
 	mctx = key->mctx;
 
 	/* read private key file */
-	ret = dst__privstruct_parsefile(key, filename, mctx, &priv);
+	ret = dst__privstruct_parse(key, DST_ALG_DH, lexer, mctx, &priv);
 	if (ret != ISC_R_SUCCESS)
 		return (ret);
 
@@ -496,7 +495,9 @@ openssldh_fromfile(dst_key_t *key, const char *filename) {
 
 	key->key_size = BN_num_bits(dh->p);
 
-	if ((key->key_size == 768 || key->key_size == 1024) &&
+	if ((key->key_size == 768 ||
+	     key->key_size == 1024 ||
+	     key->key_size == 1536) &&
 	    BN_cmp(dh->g, &bn2) == 0)
 	{
 		if (key->key_size == 768 && BN_cmp(dh->p, &bn768) == 0) {
@@ -510,6 +511,12 @@ openssldh_fromfile(dst_key_t *key, const char *filename) {
 			BN_free(dh->g);
 			dh->p = &bn1024;
 			dh->g = &bn2;
+		} else if (key->key_size == 1536 &&
+			   BN_cmp(dh->p, &bn1536) == 0) {
+			BN_free(dh->p);
+			BN_free(dh->g);
+			dh->p = &bn1536;
+			dh->g = &bn2;
 		}
 	}
 
@@ -548,6 +555,14 @@ BN_fromhex(BIGNUM *b, const char *str) {
 	RUNTIME_CHECK(out != NULL);
 }
 
+static void
+openssldh_cleanup(void) {
+	BN_free(&bn2);
+	BN_free(&bn768);
+	BN_free(&bn1024);
+	BN_free(&bn1536);
+}
+
 static dst_func_t openssldh_functions = {
 	NULL, /* createctx */
 	NULL, /* destroyctx */
@@ -559,32 +574,35 @@ static dst_func_t openssldh_functions = {
 	openssldh_paramcompare,
 	openssldh_generate,
 	openssldh_isprivate,
-	openssldh_issymmetric,
 	openssldh_destroy,
 	openssldh_todns,
 	openssldh_fromdns,
 	openssldh_tofile,
-	openssldh_fromfile,
+	openssldh_parse,
+	openssldh_cleanup,
 };
 
 isc_result_t
 dst__openssldh_init(dst_func_t **funcp) {
-	REQUIRE(funcp != NULL && *funcp == NULL);
-	BN_init(&bn2);
-	BN_init(&bn768);
-	BN_init(&bn1024);
-	BN_set_word(&bn2, 2);
-	BN_fromhex(&bn768, PRIME768);
-	BN_fromhex(&bn1024, PRIME1024);
-	*funcp = &openssldh_functions;
+	REQUIRE(funcp != NULL);
+	if (*funcp == NULL) {
+		BN_init(&bn2);
+		BN_init(&bn768);
+		BN_init(&bn1024);
+		BN_init(&bn1536);
+		BN_set_word(&bn2, 2);
+		BN_fromhex(&bn768, PRIME768);
+		BN_fromhex(&bn1024, PRIME1024);
+		BN_fromhex(&bn1536, PRIME1536);
+		*funcp = &openssldh_functions;
+	}
 	return (ISC_R_SUCCESS);
 }
 
-void
-dst__openssldh_destroy(void) {
-	BN_free(&bn2);
-	BN_free(&bn768);
-	BN_free(&bn1024);
-}
+#else /* OPENSSL */
+
+#include <isc/util.h>
+
+EMPTY_TRANSLATION_UNIT
 
 #endif /* OPENSSL */
diff --git a/lib/dns/openssldsa_link.c b/lib/dns/sec/dst/openssldsa_link.c
index d14523ae..ec4a6d30 100644
--- a/lib/dns/openssldsa_link.c
+++ b/lib/dns/sec/dst/openssldsa_link.c
@@ -1,6 +1,6 @@
 /*
- * Portions Copyright (C) 2004, 2006, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 1999-2001  Internet Software Consortium.
+ * Portions Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 1999-2002  Internet Software Consortium.
  * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -16,7 +16,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: openssldsa_link.c,v 1.1.2.8 2007/01/08 05:57:37 marka Exp $ */
+/* $Id: openssldsa_link.c,v 1.4.2.1.8.6 2004/03/08 09:04:46 marka Exp $ */
 
 #ifdef OPENSSL
 
@@ -32,6 +32,7 @@
 #include <dst/result.h>
 
 #include "dst_internal.h"
+#include "dst_openssl.h"
 #include "dst_parse.h"
 
 #include <openssl/dsa.h>
@@ -95,7 +96,7 @@ openssldsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
 
 	dsasig = DSA_do_sign(digest, ISC_SHA1_DIGESTLENGTH, dsa);
 	if (dsasig == NULL)
-		return (DST_R_SIGNFAILURE);
+		return (dst__openssl_toresult(DST_R_SIGNFAILURE));
 
 	*r.base++ = (key->key_size - 512)/64;
 	BN_bn2bin_fixed(dsasig->r, r.base, ISC_SHA1_DIGESTLENGTH);
@@ -133,7 +134,7 @@ openssldsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
 	status = DSA_do_verify(digest, ISC_SHA1_DIGESTLENGTH, dsasig, dsa);
 	DSA_SIG_free(dsasig);
 	if (status == 0)
-		return (DST_R_VERIFYFAILURE);
+		return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
 
 	return (ISC_R_SUCCESS);
 }
@@ -170,9 +171,6 @@ openssldsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
 
 static isc_result_t
 openssldsa_generate(dst_key_t *key, int unused) {
-#if OPENSSL_VERSION_NUMBER > 0x00908000L
-	BN_GENCB cb;
-#endif
 	DSA *dsa;
 	unsigned char rand_array[ISC_SHA1_DIGESTLENGTH];
 	isc_result_t result;
@@ -184,31 +182,16 @@ openssldsa_generate(dst_key_t *key, int unused) {
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
-#if OPENSSL_VERSION_NUMBER > 0x00908000L
-	dsa = DSA_new();
-	if (dsa == NULL)
-		return (DST_R_OPENSSLFAILURE);
-
-	BN_GENCB_set_old(&cb, NULL, NULL);
-	
-	if (!DSA_generate_parameters_ex(dsa, key->key_size, rand_array,
-					ISC_SHA1_DIGESTLENGTH, NULL, NULL,
-					&cb)) {
-		DSA_free(dsa);
-		return (DST_R_OPENSSLFAILURE);
-	}
-#else
 	dsa = DSA_generate_parameters(key->key_size, rand_array,
 				      ISC_SHA1_DIGESTLENGTH, NULL, NULL,
 				      NULL, NULL);
 
 	if (dsa == NULL)
-		return (DST_R_OPENSSLFAILURE);
-#endif
+		return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
 
 	if (DSA_generate_key(dsa) == 0) {
 		DSA_free(dsa);
-		return (DST_R_OPENSSLFAILURE);
+		return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
 	}
 	dsa->flags &= ~DSA_FLAG_CACHE_MONT_P;
 
@@ -223,11 +206,6 @@ openssldsa_isprivate(const dst_key_t *key) {
 	return (ISC_TF(dsa != NULL && dsa->priv_key != NULL));
 }
 
-static isc_boolean_t
-openssldsa_issymmetric(void) {
-	return (ISC_FALSE);
-}
-
 static void
 openssldsa_destroy(dst_key_t *key) {
 	DSA *dsa = key->opaque;
@@ -372,7 +350,7 @@ openssldsa_tofile(const dst_key_t *key, const char *directory) {
 }
 
 static isc_result_t
-openssldsa_fromfile(dst_key_t *key, const char *filename) {
+openssldsa_parse(dst_key_t *key, isc_lex_t *lexer) {
 	dst_private_t priv;
 	isc_result_t ret;
 	int i;
@@ -381,7 +359,7 @@ openssldsa_fromfile(dst_key_t *key, const char *filename) {
 #define DST_RET(a) {ret = a; goto err;}
 
 	/* read private key file */
-	ret = dst__privstruct_parsefile(key, filename, mctx, &priv);
+	ret = dst__privstruct_parse(key, DST_ALG_DSA, lexer, mctx, &priv);
 	if (ret != ISC_R_SUCCESS)
 		return (ret);
 
@@ -440,23 +418,26 @@ static dst_func_t openssldsa_functions = {
 	NULL, /* paramcompare */
 	openssldsa_generate,
 	openssldsa_isprivate,
-	openssldsa_issymmetric,
 	openssldsa_destroy,
 	openssldsa_todns,
 	openssldsa_fromdns,
 	openssldsa_tofile,
-	openssldsa_fromfile,
+	openssldsa_parse,
+	NULL, /* cleanup */
 };
 
 isc_result_t
 dst__openssldsa_init(dst_func_t **funcp) {
-	REQUIRE(funcp != NULL && *funcp == NULL);
-	*funcp = &openssldsa_functions;
+	REQUIRE(funcp != NULL);
+	if (*funcp == NULL)
+		*funcp = &openssldsa_functions;
 	return (ISC_R_SUCCESS);
 }
 
-void
-dst__openssldsa_destroy(void) {
-}
+#else /* OPENSSL */
+
+#include <isc/util.h>
+
+EMPTY_TRANSLATION_UNIT
 
 #endif /* OPENSSL */
diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/sec/dst/opensslrsa_link.c
index 289c296c..a9a48d98 100644
--- a/lib/dns/opensslrsa_link.c
+++ b/lib/dns/sec/dst/opensslrsa_link.c
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -17,7 +17,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: opensslrsa_link.c,v 1.1.2.9 2006/11/07 21:28:45 marka Exp $
+ * $Id: opensslrsa_link.c,v 1.12.2.4.2.8 2004/03/16 05:50:24 marka Exp $
  */
 #ifdef OPENSSL
 
@@ -33,25 +33,46 @@
 #include <dst/result.h>
 
 #include "dst_internal.h"
+#include "dst_openssl.h"
 #include "dst_parse.h"
 
 #include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/rsa.h>
-#if OPENSSL_VERSION_NUMBER > 0x00908000L
-#include <openssl/bn.h>
-#endif
 
-/*
- * We don't use configure for windows so enforce the OpenSSL version
- * here.  Unlike with configure we don't support overriding this test.
- */
-#ifdef WIN32
-#if !((OPENSSL_VERSION_NUMBER >= 0x009070cfL && \
-       OPENSSL_VERSION_NUMBER < 0x00908000L) || \
-      OPENSSL_VERSION_NUMBER >= 0x0090804fL) 
-#error Please upgrade OpenSSL to 0.9.8d/0.9.7l or greater.
+	/*
+	 * XXXMPA  Temporarially disable RSA_BLINDING as it requires
+	 * good quality random data that cannot currently be guarenteed.
+	 * XXXMPA  Find which versions of openssl use pseudo random data
+	 * and set RSA_FLAG_BLINDING for those.
+	 */
+
+#if 0
+#if OPENSSL_VERSION_NUMBER < 0x0090601fL
+#define SET_FLAGS(rsa) \
+	do { \
+	(rsa)->flags &= ~(RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE); \
+	(rsa)->flags |= RSA_FLAG_BLINDING; \
+	} while (0)
+#else
+#define SET_FLAGS(rsa) \
+	do { \
+		(rsa)->flags |= RSA_FLAG_BLINDING; \
+	} while (0)
+#endif
 #endif
+
+#if OPENSSL_VERSION_NUMBER < 0x0090601fL
+#define SET_FLAGS(rsa) \
+	do { \
+	(rsa)->flags &= ~(RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE); \
+	(rsa)->flags &= ~RSA_FLAG_BLINDING; \
+	} while (0)
+#else
+#define SET_FLAGS(rsa) \
+	do { \
+		(rsa)->flags &= ~RSA_FLAG_BLINDING; \
+	} while (0)
 #endif
 
 static isc_result_t opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data);
@@ -59,21 +80,19 @@ static isc_result_t opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data);
 static isc_result_t
 opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) {
 	UNUSED(key);
+	REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
+		dctx->key->key_alg == DST_ALG_RSASHA1);
 
 	if (dctx->key->key_alg == DST_ALG_RSAMD5) {
 		isc_md5_t *md5ctx;
 
 		md5ctx = isc_mem_get(dctx->mctx, sizeof(isc_md5_t));
-		if (md5ctx == NULL)
-			return (ISC_R_NOMEMORY);
 		isc_md5_init(md5ctx);
 		dctx->opaque = md5ctx;
 	} else {
 		isc_sha1_t *sha1ctx;
 
 		sha1ctx = isc_mem_get(dctx->mctx, sizeof(isc_sha1_t));
-		if (sha1ctx == NULL)
-			return (ISC_R_NOMEMORY);
 		isc_sha1_init(sha1ctx);
 		dctx->opaque = sha1ctx;
 	}
@@ -83,6 +102,9 @@ opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) {
 
 static void
 opensslrsa_destroyctx(dst_context_t *dctx) {
+	REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
+		dctx->key->key_alg == DST_ALG_RSASHA1);
+
 	if (dctx->key->key_alg == DST_ALG_RSAMD5) {
 		isc_md5_t *md5ctx = dctx->opaque;
 
@@ -103,6 +125,9 @@ opensslrsa_destroyctx(dst_context_t *dctx) {
 
 static isc_result_t
 opensslrsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
+	REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
+		dctx->key->key_alg == DST_ALG_RSASHA1);
+
 	if (dctx->key->key_alg == DST_ALG_RSAMD5) {
 		isc_md5_t *md5ctx = dctx->opaque;
 		isc_md5_update(md5ctx, data->base, data->length);
@@ -120,10 +145,17 @@ opensslrsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
 	isc_region_t r;
 	/* note: ISC_SHA1_DIGESTLENGTH > ISC_MD5_DIGESTLENGTH */
 	unsigned char digest[ISC_SHA1_DIGESTLENGTH];
-	unsigned int siglen;
+	unsigned int siglen = 0;
 	int status;
 	int type;
 	unsigned int digestlen;
+	char *message;
+	unsigned long err;
+	const char* file;
+	int line;
+
+	REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
+		dctx->key->key_alg == DST_ALG_RSASHA1);
 
 	isc_buffer_availableregion(sig, &r);
 
@@ -144,8 +176,13 @@ opensslrsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
 
 	status = RSA_sign(type, digest, digestlen, r.base, &siglen, rsa);
 	if (status == 0) {
-		ERR_clear_error();
-		return (DST_R_SIGNFAILURE);
+		err = ERR_peek_error_line(&file, &line);
+		if (err != 0U) {
+			message = ERR_error_string(err, NULL);
+			fprintf(stderr, "%s:%s:%d\n", message,
+				file ? file : "", line);
+		}
+		return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
 	}
 
 	isc_buffer_add(sig, siglen);
@@ -163,6 +200,9 @@ opensslrsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
 	int type;
 	unsigned int digestlen;
 
+	REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
+		dctx->key->key_alg == DST_ALG_RSASHA1);
+
 	if (dctx->key->key_alg == DST_ALG_RSAMD5) {
 		isc_md5_t *md5ctx = dctx->opaque;
 		isc_md5_final(md5ctx, digest);
@@ -180,10 +220,8 @@ opensslrsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
 
 	status = RSA_verify(type, digest, digestlen, sig->base,
 			    RSA_size(rsa), rsa);
-	if (status == 0) {
-		ERR_clear_error();
-		return (DST_R_VERIFYFAILURE);
-	}
+	if (status == 0)
+		return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
 
 	return (ISC_R_SUCCESS);
 }
@@ -222,62 +260,20 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
 
 static isc_result_t
 opensslrsa_generate(dst_key_t *key, int exp) {
-#if OPENSSL_VERSION_NUMBER > 0x00908000L
-	BN_GENCB cb;
-	RSA *rsa = RSA_new();
-	BIGNUM *e = BN_new();
-
-	if (rsa == NULL || e == NULL)
-		goto err;
-
-	if (exp == 0) {
-		/* RSA_F4 0x10001 */
-		BN_set_bit(e, 0);
-		BN_set_bit(e, 16);
-	} else {
-		/* F5 0x100000001 */
-		BN_set_bit(e, 0);
-		BN_set_bit(e, 32);
-	}
-
-	BN_GENCB_set_old(&cb, NULL, NULL);
-
-	if (RSA_generate_key_ex(rsa, key->key_size, e, &cb)) {
-		BN_free(e);
-		rsa->flags &= ~(RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE);
-		rsa->flags |= RSA_FLAG_BLINDING;
-		key->opaque = rsa;
-		return (ISC_R_SUCCESS);
-	}
-
- err:
-	if (e != NULL)
-		BN_free(e);
-	if (rsa != NULL)
-		RSA_free(rsa);
-	ERR_clear_error();
-	return (DST_R_OPENSSLFAILURE);
-#else
 	RSA *rsa;
 	unsigned long e;
 
 	if (exp == 0)
-		e = RSA_F4;
+		e = RSA_3;
 	else
-		e = 0x40000003;
+		e = RSA_F4;
 	rsa = RSA_generate_key(key->key_size, e, NULL, NULL);
-	if (rsa == NULL) {
-		ERR_clear_error();
-		return (DST_R_OPENSSLFAILURE);
-	}
-
-	rsa->flags &= ~(RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE);
-	rsa->flags |= RSA_FLAG_BLINDING;
-
+	if (rsa == NULL)
+		return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+	SET_FLAGS(rsa);
 	key->opaque = rsa;
 
 	return (ISC_R_SUCCESS);
-#endif
 }
 
 static isc_boolean_t
@@ -286,11 +282,6 @@ opensslrsa_isprivate(const dst_key_t *key) {
 	return (ISC_TF(rsa != NULL && rsa->d != NULL));
 }
 
-static isc_boolean_t
-opensslrsa_issymmetric(void) {
-	return (ISC_FALSE);
-}
-
 static void
 opensslrsa_destroy(dst_key_t *key) {
 	RSA *rsa = key->opaque;
@@ -298,6 +289,7 @@ opensslrsa_destroy(dst_key_t *key) {
 	key->opaque = NULL;
 }
 
+
 static isc_result_t
 opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data) {
 	RSA *rsa;
@@ -351,8 +343,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
 	rsa = RSA_new();
 	if (rsa == NULL)
 		return (ISC_R_NOMEMORY);
-	rsa->flags &= ~(RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE);
-	rsa->flags |= RSA_FLAG_BLINDING;
+	SET_FLAGS(rsa);
 
 	if (r.length < 1) {
 		RSA_free(rsa);
@@ -474,7 +465,7 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) {
 }
 
 static isc_result_t
-opensslrsa_fromfile(dst_key_t *key, const char *filename) {
+opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer) {
 	dst_private_t priv;
 	isc_result_t ret;
 	int i;
@@ -483,15 +474,14 @@ opensslrsa_fromfile(dst_key_t *key, const char *filename) {
 #define DST_RET(a) {ret = a; goto err;}
 
 	/* read private key file */
-	ret = dst__privstruct_parsefile(key, filename, mctx, &priv);
+	ret = dst__privstruct_parse(key, DST_ALG_RSA, lexer, mctx, &priv);
 	if (ret != ISC_R_SUCCESS)
 		return (ret);
 
 	rsa = RSA_new();
 	if (rsa == NULL)
 		DST_RET(ISC_R_NOMEMORY);
-	rsa->flags &= ~(RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE);
-	rsa->flags |= RSA_FLAG_BLINDING;
+	SET_FLAGS(rsa);
 	key->opaque = rsa;
 
 	for (i = 0; i < priv.nelements; i++) {
@@ -552,23 +542,26 @@ static dst_func_t opensslrsa_functions = {
 	NULL, /* paramcompare */
 	opensslrsa_generate,
 	opensslrsa_isprivate,
-	opensslrsa_issymmetric,
 	opensslrsa_destroy,
 	opensslrsa_todns,
 	opensslrsa_fromdns,
 	opensslrsa_tofile,
-	opensslrsa_fromfile,
+	opensslrsa_parse,
+	NULL, /* cleanup */
 };
 
 isc_result_t
 dst__opensslrsa_init(dst_func_t **funcp) {
-	REQUIRE(funcp != NULL && *funcp == NULL);
-	*funcp = &opensslrsa_functions;
+	REQUIRE(funcp != NULL);
+	if (*funcp == NULL)
+		*funcp = &opensslrsa_functions;
 	return (ISC_R_SUCCESS);
 }
 
-void
-dst__opensslrsa_destroy(void) {
-}
+#else /* OPENSSL */
+
+#include <isc/util.h>
+
+EMPTY_TRANSLATION_UNIT
 
 #endif /* OPENSSL */
diff --git a/lib/dns/soa.c b/lib/dns/soa.c
index 1b88efec..c0e05184 100644
--- a/lib/dns/soa.c
+++ b/lib/dns/soa.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: soa.c,v 1.3.2.1 2004/03/09 06:11:08 marka Exp $ */
+/* $Id: soa.c,v 1.3.206.1 2004/03/06 08:13:45 marka Exp $ */
 
 #include <config.h>
 
diff --git a/lib/dns/ssu.c b/lib/dns/ssu.c
index d54878f3..a9ecdcee 100644
--- a/lib/dns/ssu.c
+++ b/lib/dns/ssu.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: ssu.c,v 1.22.2.1 2004/03/09 06:11:08 marka Exp $
+ * $Id: ssu.c,v 1.22.206.3 2004/03/08 09:04:32 marka Exp $
  * Principal Author: Brian Wellington
  */
 
@@ -240,7 +240,7 @@ static inline isc_boolean_t
 isusertype(dns_rdatatype_t type) {
 	return (ISC_TF(type != dns_rdatatype_ns &&
 		       type != dns_rdatatype_soa &&
-		       type != dns_rdatatype_sig));
+		       type != dns_rdatatype_rrsig));
 }
 
 isc_boolean_t
diff --git a/lib/dns/stats.c b/lib/dns/stats.c
index d3c23522..aefcbe0b 100644
--- a/lib/dns/stats.c
+++ b/lib/dns/stats.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: stats.c,v 1.5.2.1 2004/03/09 06:11:08 marka Exp $ */
+/* $Id: stats.c,v 1.5.206.1 2004/03/06 08:13:46 marka Exp $ */
 
 #include <config.h>
 
diff --git a/lib/dns/tcpmsg.c b/lib/dns/tcpmsg.c
index 910097bb..4400a3a5 100644
--- a/lib/dns/tcpmsg.c
+++ b/lib/dns/tcpmsg.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tcpmsg.c,v 1.24.2.3 2006/08/10 23:59:27 marka Exp $ */
+/* $Id: tcpmsg.c,v 1.24.206.1 2004/03/06 08:13:46 marka Exp $ */
 
 #include <config.h>
 
@@ -52,7 +52,6 @@ recv_length(isc_task_t *task, isc_event_t *ev_in) {
 	INSIST(VALID_TCPMSG(tcpmsg));
 
 	dev = &tcpmsg->event;
-	tcpmsg->address = ev->address;
 
 	if (ev->result != ISC_R_SUCCESS) {
 		tcpmsg->result = ev->result;
@@ -109,7 +108,6 @@ recv_message(isc_task_t *task, isc_event_t *ev_in) {
 	INSIST(VALID_TCPMSG(tcpmsg));
 
 	dev = &tcpmsg->event;
-	tcpmsg->address = ev->address;
 
 	if (ev->result != ISC_R_SUCCESS) {
 		tcpmsg->result = ev->result;
@@ -118,6 +116,7 @@ recv_message(isc_task_t *task, isc_event_t *ev_in) {
 
 	tcpmsg->result = ISC_R_SUCCESS;
 	isc_buffer_add(&tcpmsg->buffer, ev->n);
+	tcpmsg->address = ev->address;
 
 	XDEBUG(("Received %d bytes (of %d)\n", ev->n, tcpmsg->size));
 
diff --git a/lib/dns/time.c b/lib/dns/time.c
index 9555f651..49ca9873 100644
--- a/lib/dns/time.c
+++ b/lib/dns/time.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001, 2003  Internet Software Consortium.
+ * Copyright (C) 1998-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: time.c,v 1.18.2.5 2004/03/09 06:11:08 marka Exp $ */
+/* $Id: time.c,v 1.18.2.4.2.7 2004/03/11 04:23:00 marka Exp $ */
 
 #include <config.h>
 
@@ -35,7 +35,7 @@ static int days[12] = { 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 };
 isc_result_t
 dns_time64_totext(isc_int64_t t, isc_buffer_t *target) {
 	struct tm tm;
-	char buf[sizeof "YYYYMMDDHHMMSS"];
+	char buf[sizeof("YYYYMMDDHHMMSS")];
 	int secs;
 	unsigned int l;
 	isc_region_t region;
@@ -74,10 +74,10 @@ dns_time64_totext(isc_int64_t t, isc_buffer_t *target) {
 		tm.tm_min++;
 	}
 	tm.tm_sec = (int)t;
-		    /* yy  mm  dd  HH  MM  SS */
-	sprintf(buf, "%04d%02d%02d%02d%02d%02d",
-		tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday,
-		tm.tm_hour, tm.tm_min, tm.tm_sec);
+				 /* yyyy  mm  dd  HH  MM  SS */
+	snprintf(buf, sizeof(buf), "%04d%02d%02d%02d%02d%02d",
+		 tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday,
+		 tm.tm_hour, tm.tm_min, tm.tm_sec);
 
 	isc_buffer_availableregion(target, &region);
 	l = strlen(buf);
@@ -115,7 +115,7 @@ dns_time32_totext(isc_uint32_t value, isc_buffer_t *target) {
 }
 
 isc_result_t
-dns_time64_fromtext(char *source, isc_int64_t *target) {
+dns_time64_fromtext(const char *source, isc_int64_t *target) {
 	int year, month, day, hour, minute, second;
 	isc_int64_t value;
 	int secs;
@@ -145,7 +145,7 @@ dns_time64_fromtext(char *source, isc_int64_t *target) {
 	 * Calulate seconds since epoch.
 	 */
 	value = second + (60 * minute) + (3600 * hour) + ((day - 1) * 86400);
-	for (i = 0; i < (month - 1) ; i++)
+	for (i = 0; i < (month - 1); i++)
 		value += days[i] * 86400;
 	if (is_leap(year) && month > 2)
 		value += 86400;
@@ -159,7 +159,7 @@ dns_time64_fromtext(char *source, isc_int64_t *target) {
 }
 
 isc_result_t
-dns_time32_fromtext(char *source, isc_uint32_t *target) {
+dns_time32_fromtext(const char *source, isc_uint32_t *target) {
 	isc_int64_t value64;
 	isc_result_t result;
 	result = dns_time64_fromtext(source, &value64);
diff --git a/lib/dns/timer.c b/lib/dns/timer.c
index 411b1c40..b364f54c 100644
--- a/lib/dns/timer.c
+++ b/lib/dns/timer.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: timer.c,v 1.2.2.1 2004/03/09 06:11:09 marka Exp $ */
+/* $Id: timer.c,v 1.2.206.1 2004/03/06 08:13:46 marka Exp $ */
 
 #include <config.h>
 
diff --git a/lib/dns/tkey.c b/lib/dns/tkey.c
index cc631a22..eb8be5ee 100644
--- a/lib/dns/tkey.c
+++ b/lib/dns/tkey.c
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: tkey.c,v 1.71.2.6 2006/01/04 23:50:17 marka Exp $
+ * $Id: tkey.c,v 1.71.2.1.10.4 2004/03/08 02:07:58 marka Exp $
  */
 
 #include <config.h>
@@ -232,8 +232,7 @@ compute_secret(isc_buffer_t *shared, isc_region_t *queryrandomness,
 		for (i = 0; i < sizeof(digests); i++)
 			r.base[i] ^= digests[i];
 		isc_buffer_add(secret, r2.length);
-	}
-	else {
+	} else {
 		memcpy(r.base, digests, sizeof(digests));
 		for (i = 0; i < r2.length; i++)
 			r.base[i] ^= r2.base[i];
@@ -286,7 +285,7 @@ process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
 		keyname = NULL;
 		dns_message_currentname(msg, DNS_SECTION_ADDITIONAL, &keyname);
 		keyset = NULL;
-		result = dns_message_findtype(keyname, dns_rdatatype_key, 0,
+		result = dns_message_findtype(keyname, dns_rdatatype_dnskey, 0,
 					      &keyset);
 		if (result != ISC_R_SUCCESS)
 			continue;
@@ -309,8 +308,7 @@ process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
 					found_key = ISC_TRUE;
 					ttl = keyset->ttl;
 					break;
-				}
-				else
+				} else
 					found_incompatible = ISC_TRUE;
 			}
 			dst_key_free(&pubkey);
@@ -335,7 +333,7 @@ process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
 	RETERR(dst_key_todns(tctx->dhkey, &ourkeybuf));
 	isc_buffer_usedregion(&ourkeybuf, &ourkeyr);
 	dns_rdata_fromregion(&ourkeyrdata, dns_rdataclass_any,
-			     dns_rdatatype_key, &ourkeyr);
+			     dns_rdatatype_dnskey, &ourkeyr);
 
 	dns_name_init(&ourname, NULL);
 	dns_name_clone(dst_key_name(tctx->dhkey), &ourname);
@@ -358,7 +356,7 @@ process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
 
 	isc_buffer_init(&secret, secretdata, sizeof(secretdata));
 
-	randomdata = isc_mem_get(tkeyout->mctx, TKEY_RANDOM_AMOUNT);
+	randomdata = isc_mem_get(tctx->mctx, TKEY_RANDOM_AMOUNT);
 	if (randomdata == NULL)
 		goto failure;
 
@@ -399,8 +397,8 @@ process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
 		isc_buffer_free(&shared);
 	if (pubkey != NULL)
 		dst_key_free(&pubkey);
-	if (randomdata != NULL)
-		isc_mem_put(tkeyout->mctx, randomdata, TKEY_RANDOM_AMOUNT);
+	if (randomdata == NULL)
+		isc_mem_put(tctx->mctx, randomdata, TKEY_RANDOM_AMOUNT);
 	return (result);
 }
 
@@ -443,17 +441,15 @@ process_gsstkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
 					   dstkey, ISC_TRUE, signer,
 					   tkeyin->inception, tkeyin->expire,
 					   msg->mctx, ring, NULL);
-#if 1
 	if (result != ISC_R_SUCCESS)
 		goto failure;
-#else
+
 	if (result == ISC_R_NOTFOUND) {
 		tkeyout->error = dns_tsigerror_badalg;
 		return (ISC_R_SUCCESS);
 	}
 	if (result != ISC_R_SUCCESS)
 		goto failure;
-#endif
 
 	/* This key is good for a long time */
 	isc_stdtime_get(&now);
@@ -645,10 +641,10 @@ dns_tkey_processquery(dns_message_t *msg, dns_tkeyctx_t *tctx,
 
 		if (!dns_name_equal(qname, dns_rootname)) {
 			unsigned int n = dns_name_countlabels(qname);
-			dns_name_copy(qname, keyname, NULL);
+			RUNTIME_CHECK(dns_name_copy(qname, keyname, NULL)
+				      == ISC_R_SUCCESS);
 			dns_name_getlabelsequence(keyname, 0, n - 1, keyname);
-		}
-		else {
+		} else {
 			static char hexdigits[16] = {
 				'0', '1', '2', '3', '4', '5', '6', '7',
 				'8', '9', 'A', 'B', 'C', 'D', 'E', 'F' };
@@ -686,11 +682,9 @@ dns_tkey_processquery(dns_message_t *msg, dns_tkeyctx_t *tctx,
 			tkeyout.error = dns_tsigerror_badname;
 			dns_tsigkey_detach(&tsigkey);
 			goto failure_with_tkey;
-		}
-		else if (result != ISC_R_NOTFOUND)
+		} else if (result != ISC_R_NOTFOUND)
 			goto failure;
-	}
-	else
+	} else
 		keyname = qname;
 
 	switch (tkeyin.mode) {
@@ -883,7 +877,7 @@ dns_tkey_builddhquery(dns_message_t *msg, dst_key_t *key, dns_name_t *name,
 	RETERR(dst_key_todns(key, dynbuf));
 	isc_buffer_usedregion(dynbuf, &r);
 	dns_rdata_fromregion(rdata, dns_rdataclass_any,
-			     dns_rdatatype_key, &r);
+			     dns_rdatatype_dnskey, &r);
 	dns_message_takebuffer(msg, &dynbuf);
 
 	dns_name_init(&keyname, NULL);
@@ -1055,7 +1049,7 @@ dns_tkey_processdhresponse(dns_message_t *qmsg, dns_message_t *rmsg,
 	ourkeyname = NULL;
 	ourkeyset = NULL;
 	RETERR(dns_message_findname(rmsg, DNS_SECTION_ANSWER, &keyname,
-				    dns_rdatatype_key, 0, &ourkeyname,
+				    dns_rdatatype_dnskey, 0, &ourkeyname,
 				    &ourkeyset));
 
 	result = dns_message_firstname(rmsg, DNS_SECTION_ANSWER);
@@ -1066,7 +1060,7 @@ dns_tkey_processdhresponse(dns_message_t *qmsg, dns_message_t *rmsg,
 		if (dns_name_equal(theirkeyname, ourkeyname))
 			goto next;
 		theirkeyset = NULL;
-		result = dns_message_findtype(theirkeyname, dns_rdatatype_key,
+		result = dns_message_findtype(theirkeyname, dns_rdatatype_dnskey,
 					      0, &theirkeyset);
 		if (result == ISC_R_SUCCESS) {
 			RETERR(dns_rdataset_first(theirkeyset));
diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
index 19f69673..fb1ac823 100644
--- a/lib/dns/tsig.c
+++ b/lib/dns/tsig.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: tsig.c,v 1.112.2.10 2006/05/02 04:19:47 marka Exp $
+ * $Id: tsig.c,v 1.112.2.3.8.4 2004/03/08 09:04:32 marka Exp $
  */
 
 #include <config.h>
@@ -79,7 +79,7 @@ static dns_name_t gsstsig = {
 	{NULL, NULL}
 };
 
-dns_name_t *dns_tsig_gssapi_name = &gsstsig;
+LIBDNS_EXTERNAL_DATA dns_name_t *dns_tsig_gssapi_name = &gsstsig;
 
 /* It's nice of Microsoft to conform to their own standard. */
 static unsigned char gsstsigms_ndata[] = "\003gss\011microsoft\003com";
@@ -94,7 +94,7 @@ static dns_name_t gsstsigms = {
 	{NULL, NULL}
 };
 
-dns_name_t *dns_tsig_gssapims_name = &gsstsigms;
+LIBDNS_EXTERNAL_DATA dns_name_t *dns_tsig_gssapims_name = &gsstsigms;
 
 static isc_result_t
 tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg);
@@ -146,7 +146,7 @@ dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm,
 	ret = dns_name_dup(name, mctx, &tkey->name);
 	if (ret != ISC_R_SUCCESS)
 		goto cleanup_key;
-	dns_name_downcase(&tkey->name, &tkey->name, NULL);
+	(void)dns_name_downcase(&tkey->name, &tkey->name, NULL);
 
 	if (dns_name_equal(algorithm, DNS_TSIG_HMACMD5_NAME)) {
 		tkey->algorithm = DNS_TSIG_HMACMD5_NAME;
@@ -167,7 +167,7 @@ dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm,
 			goto cleanup_name;
 		}
 	} else {
-		if (dstkey != NULL) {
+		if (key != NULL) {
 			ret = DNS_R_BADALG;
 			goto cleanup_name;
 		}
@@ -180,7 +180,8 @@ dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm,
 		ret = dns_name_dup(algorithm, mctx, tkey->algorithm);
 		if (ret != ISC_R_SUCCESS)
 			goto cleanup_algorithm;
-		dns_name_downcase(tkey->algorithm, tkey->algorithm, NULL);
+		(void)dns_name_downcase(tkey->algorithm, tkey->algorithm,
+					NULL);
 	}
 
 	if (creator != NULL) {
@@ -362,7 +363,7 @@ dns_tsig_sign(dns_message_t *msg) {
 	isc_buffer_t databuf, sigbuf;
 	isc_buffer_t *dynbuf;
 	dns_name_t *owner;
-	dns_rdata_t *rdata = NULL;
+	dns_rdata_t *rdata;
 	dns_rdatalist_t *datalist;
 	dns_rdataset_t *dataset;
 	isc_region_t r;
@@ -554,12 +555,13 @@ dns_tsig_sign(dns_message_t *msg) {
 		tsig.signature = NULL;
 	}
 
+	rdata = NULL;
 	ret = dns_message_gettemprdata(msg, &rdata);
 	if (ret != ISC_R_SUCCESS)
 		goto cleanup_signature;
 	ret = isc_buffer_allocate(msg->mctx, &dynbuf, 512);
 	if (ret != ISC_R_SUCCESS)
-		goto cleanup_rdata;
+		goto cleanup_signature;
 	ret = dns_rdata_fromstruct(rdata, dns_rdataclass_any,
 				   dns_rdatatype_tsig, &tsig, dynbuf);
 	if (ret != ISC_R_SUCCESS)
@@ -575,7 +577,7 @@ dns_tsig_sign(dns_message_t *msg) {
 	owner = NULL;
 	ret = dns_message_gettempname(msg, &owner);
 	if (ret != ISC_R_SUCCESS)
-		goto cleanup_rdata;
+		goto cleanup_dynbuf;
 	dns_name_init(owner, NULL);
 	ret = dns_name_dup(&key->name, msg->mctx, owner);
 	if (ret != ISC_R_SUCCESS)
@@ -585,36 +587,34 @@ dns_tsig_sign(dns_message_t *msg) {
 	ret = dns_message_gettemprdatalist(msg, &datalist);
 	if (ret != ISC_R_SUCCESS)
 		goto cleanup_owner;
-	dataset = NULL;
-	ret = dns_message_gettemprdataset(msg, &dataset);
-	if (ret != ISC_R_SUCCESS)
-		goto cleanup_rdatalist;
 	datalist->rdclass = dns_rdataclass_any;
 	datalist->type = dns_rdatatype_tsig;
 	datalist->covers = 0;
 	datalist->ttl = 0;
 	ISC_LIST_INIT(datalist->rdata);
 	ISC_LIST_APPEND(datalist->rdata, rdata, link);
+	dataset = NULL;
+	ret = dns_message_gettemprdataset(msg, &dataset);
+	if (ret != ISC_R_SUCCESS)
+		goto cleanup_owner;
 	dns_rdataset_init(dataset);
-	dns_rdatalist_tordataset(datalist, dataset);
+	RUNTIME_CHECK(dns_rdatalist_tordataset(datalist, dataset)
+		      == ISC_R_SUCCESS);
 	msg->tsig = dataset;
 	msg->tsigname = owner;
 
 	return (ISC_R_SUCCESS);
 
- cleanup_rdatalist:
-	dns_message_puttemprdatalist(msg, &datalist);
- cleanup_owner:
-	dns_message_puttempname(msg, &owner);
-	goto cleanup_rdata;
- cleanup_dynbuf:
-	isc_buffer_free(&dynbuf);
- cleanup_rdata:
-	dns_message_puttemprdata(msg, &rdata);
- cleanup_signature:
+cleanup_owner:
+	if (owner != NULL)
+		dns_message_puttempname(msg, &owner);
+cleanup_dynbuf:
+	if (dynbuf != NULL)
+		isc_buffer_free(&dynbuf);
+cleanup_signature:
 	if (tsig.signature != NULL)
 		isc_mem_put(mctx, tsig.signature, sigsize);
- cleanup_context:
+cleanup_context:
 	if (ctx != NULL)
 		dst_context_destroy(&ctx);
 	return (ret);
@@ -646,11 +646,8 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
 
 	msg->verify_attempted = 1;
 
-	if (msg->tcp_continuation) {
-		if (tsigkey == NULL || msg->querytsig == NULL)
-			return (DNS_R_UNEXPECTEDTSIG);
+	if (msg->tcp_continuation)
 		return (tsig_verify_tcp(source, msg));
-	}
 
 	/*
 	 * There should be a TSIG record...
diff --git a/lib/dns/ttl.c b/lib/dns/ttl.c
index 09d8311f..1dad0fba 100644
--- a/lib/dns/ttl.c
+++ b/lib/dns/ttl.c
@@ -15,15 +15,17 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ttl.c,v 1.21.2.1 2004/03/09 06:11:09 marka Exp $ */
+/* $Id: ttl.c,v 1.21.12.5 2004/03/08 09:04:32 marka Exp $ */
 
 #include <config.h>
 
 #include <ctype.h>
+#include <errno.h>
 #include <stdio.h>
 #include <stdlib.h>
 
 #include <isc/buffer.h>
+#include <isc/parseint.h>
 #include <isc/print.h>
 #include <isc/region.h>
 #include <isc/string.h>
@@ -60,7 +62,7 @@ ttlfmt(unsigned int t, const char *s, isc_boolean_t verbose,
 	else
 		len = snprintf(tmp, sizeof(tmp), "%u%c", t, s[0]);
 
-	INSIST(len + 1 <= sizeof tmp);
+	INSIST(len + 1 <= sizeof(tmp));
 	isc_buffer_availableregion(target, &region);
 	if (len > region.length)
 		return (ISC_R_NOSPACE);
@@ -145,61 +147,68 @@ dns_ttl_fromtext(isc_textregion_t *source, isc_uint32_t *ttl) {
 static isc_result_t
 bind_ttl(isc_textregion_t *source, isc_uint32_t *ttl) {
 	isc_uint32_t tmp = 0;
-	unsigned long n;
-	char *e, *s;
+	isc_uint32_t n;
+	char *s;
 	char buf[64];
+	char nbuf[64]; /* Number buffer */
 
 	/*
 	 * Copy the buffer as it may not be NULL terminated.
 	 * No legal counter / ttl is longer that 63 characters.
 	 */
 	if (source->length > sizeof(buf) - 1)
-		return(DNS_R_SYNTAX);
+		return (DNS_R_SYNTAX);
 	strncpy(buf, source->base, source->length);
 	buf[source->length] = '\0';
 	s = buf;
 
 	do {
-		n = strtoul(s, &e, 10);
-		if (s == e)
+		isc_result_t result;
+
+		char *np = nbuf;
+		while (*s != '\0' && isdigit((unsigned char)*s))
+			*np++ = *s++;
+		*np++ = '\0';
+		INSIST(np - nbuf <= (int)sizeof(nbuf));
+		result = isc_parse_uint32(&n, nbuf, 10);
+		if (result != ISC_R_SUCCESS)
 			return (DNS_R_SYNTAX);
-		switch (*e) {
+		switch (*s) {
 		case 'w':
 		case 'W':
 			tmp += n * 7 * 24 * 3600;
-			s = e + 1;
+			s++;
 			break;
 		case 'd':
 		case 'D':
 			tmp += n * 24 * 3600;
-			s = e + 1;
+			s++;
 			break;
 		case 'h':
 		case 'H':
 			tmp += n * 3600;
-			s = e + 1;
+			s++;
 			break;
 		case 'm':
 		case 'M':
 			tmp += n * 60;
-			s = e + 1;
+			s++;
 			break;
 		case 's':
 		case 'S':
 			tmp += n;
-			s = e + 1;
+			s++;
 			break;
 		case '\0':
 			/* Plain number? */
 			if (tmp != 0)
 				return (DNS_R_SYNTAX);
 			tmp = n;
-			s = e;
 			break;
 		default:
 			return (DNS_R_SYNTAX);
 		}
-	} while (*s != 0);
+	} while (*s != '\0');
 	*ttl = tmp;
 	return (ISC_R_SUCCESS);
 }
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index ba007a0e..401da6c1 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2004, 2006, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2002  Internet Software Consortium.
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,22 +15,25 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: validator.c,v 1.91.2.14 2007/01/08 02:45:02 marka Exp $ */
+/* $Id: validator.c,v 1.91.2.5.8.8 2004/03/10 02:55:57 marka Exp $ */
 
 #include <config.h>
 
 #include <isc/mem.h>
 #include <isc/print.h>
+#include <isc/string.h>
 #include <isc/task.h>
 #include <isc/util.h>
 
 #include <dns/db.h>
+#include <dns/ds.h>
 #include <dns/dnssec.h>
 #include <dns/events.h>
 #include <dns/keytable.h>
 #include <dns/log.h>
 #include <dns/message.h>
-#include <dns/nxt.h>
+#include <dns/ncache.h>
+#include <dns/nsec.h>
 #include <dns/rdata.h>
 #include <dns/rdatastruct.h>
 #include <dns/rdataset.h>
@@ -41,37 +44,70 @@
 #include <dns/view.h>
 
 #define VALIDATOR_MAGIC			ISC_MAGIC('V', 'a', 'l', '?')
-#define VALID_VALIDATOR(v)	 	ISC_MAGIC_VALID(v, VALIDATOR_MAGIC)
+#define VALID_VALIDATOR(v)		ISC_MAGIC_VALID(v, VALIDATOR_MAGIC)
+
+#define VALATTR_SHUTDOWN		0x0001
+#define VALATTR_FOUNDNONEXISTENCE	0x0002
+#define VALATTR_TRIEDVERIFY		0x0004
+#define VALATTR_NEGATIVE		0x0008
+#define VALATTR_INSECURITY		0x0010
+#define VALATTR_DLV			0x0020
+#define VALATTR_DLVTRIED		0x0040
+
+#define VALATTR_NEEDNOQNAME		0x0100
+#define VALATTR_NEEDNOWILDCARD		0x0200
+#define VALATTR_NEEDNODATA		0x0400
+
+#define VALATTR_FOUNDNOQNAME		0x1000
+#define VALATTR_FOUNDNOWILDCARD		0x2000
+#define VALATTR_FOUNDNODATA		0x4000
+
+
+#define NEEDNODATA(val) ((val->attributes & VALATTR_NEEDNODATA) != 0)
+#define NEEDNOQNAME(val) ((val->attributes & VALATTR_NEEDNOQNAME) != 0)
+#define NEEDNOWILDCARD(val) ((val->attributes & VALATTR_NEEDNOWILDCARD) != 0)
+#define DLV(val) ((val->attributes & VALATTR_DLV) != 0)
+#define DLVTRIED(val) ((val->attributes & VALATTR_DLVTRIED) != 0)
 
-#define VALATTR_SHUTDOWN		0x01
-#define VALATTR_FOUNDNONEXISTENCE	0x02
-#define VALATTR_TRIEDVERIFY		0x04
 #define SHUTDOWN(v)		(((v)->attributes & VALATTR_SHUTDOWN) != 0)
 
 static void
-nullkeyvalidated(isc_task_t *task, isc_event_t *event);
-
-static inline isc_boolean_t
-containsnullkey(dns_validator_t *val, dns_rdataset_t *rdataset);
+destroy(dns_validator_t *val);
 
-static inline isc_result_t
-get_dst_key(dns_validator_t *val, dns_rdata_sig_t *siginfo,
+static isc_result_t
+get_dst_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo,
 	    dns_rdataset_t *rdataset);
 
-static inline isc_result_t
+static isc_result_t
 validate(dns_validator_t *val, isc_boolean_t resume);
 
-static inline isc_result_t
-nxtvalidate(dns_validator_t *val, isc_boolean_t resume);
+static isc_result_t
+validatezonekey(dns_validator_t *val);
 
-static inline isc_result_t
+static isc_result_t
+nsecvalidate(dns_validator_t *val, isc_boolean_t resume);
+
+static isc_result_t
 proveunsecure(dns_validator_t *val, isc_boolean_t resume);
 
 static void
+validator_logv(dns_validator_t *val, isc_logcategory_t *category,
+	       isc_logmodule_t *module, int level, const char *fmt, va_list ap)
+     ISC_FORMAT_PRINTF(5, 0);
+
+static void
 validator_log(dns_validator_t *val, int level, const char *fmt, ...)
      ISC_FORMAT_PRINTF(3, 4);
 
 static void
+validator_logcreate(dns_validator_t *val,
+		    dns_name_t *name, dns_rdatatype_t type,
+		    const char *caller, const char *operation);
+
+static isc_result_t
+dlv_validatezonekey(dns_validator_t *val);
+
+static void
 validator_done(dns_validator_t *val, isc_result_t result) {
 	isc_task_t *task;
 
@@ -89,7 +125,22 @@ validator_done(dns_validator_t *val, isc_result_t result) {
 	val->event->ev_action = val->action;
 	val->event->ev_arg = val->arg;
 	isc_task_sendanddetach(&task, (isc_event_t **)&val->event);
+}
+
+static inline isc_boolean_t
+exit_check(dns_validator_t *val) {
+	/*
+	 * Caller must be holding the lock.
+	 */
+	if (!SHUTDOWN(val))
+		return (ISC_FALSE);
+
+	INSIST(val->event == NULL);
 
+	if (val->fetch != NULL || val->subvalidator != NULL)
+		return (ISC_FALSE);
+
+	return (ISC_TRUE);
 }
 
 static void
@@ -114,11 +165,45 @@ auth_nonpending(dns_message_t *message) {
 	}
 }
 
+static isc_boolean_t
+isdelegation(dns_name_t *name, dns_rdataset_t *rdataset,
+	     isc_result_t dbresult)
+{
+	dns_rdataset_t set;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	isc_boolean_t found;
+	isc_result_t result;
+
+	REQUIRE(dbresult == DNS_R_NXRRSET || dbresult == DNS_R_NCACHENXRRSET);
+
+	dns_rdataset_init(&set);
+	if (dbresult == DNS_R_NXRRSET)
+		dns_rdataset_clone(rdataset, &set);
+	else {
+		result = dns_ncache_getrdataset(rdataset, name,
+						dns_rdatatype_nsec, &set);
+		if (result != ISC_R_SUCCESS)
+			return (ISC_FALSE);
+	}
+
+	INSIST(set.type == dns_rdatatype_nsec);
+
+	found = ISC_FALSE;
+	result = dns_rdataset_first(&set);
+	if (result == ISC_R_SUCCESS) {
+		dns_rdataset_current(&set, &rdata);
+		found = dns_nsec_typepresent(&rdata, dns_rdatatype_ns);
+	}
+	dns_rdataset_disassociate(&set);
+	return (found);
+}
+
 static void
 fetch_callback_validator(isc_task_t *task, isc_event_t *event) {
 	dns_fetchevent_t *devent;
 	dns_validator_t *val;
 	dns_rdataset_t *rdataset;
+	isc_boolean_t want_destroy;
 	isc_result_t result;
 	isc_result_t eresult;
 
@@ -132,16 +217,7 @@ fetch_callback_validator(isc_task_t *task, isc_event_t *event) {
 	isc_event_free(&event);
 	dns_resolver_destroyfetch(&val->fetch);
 
-	if (SHUTDOWN(val)) {
-		dns_validator_destroy(&val);
-		return;
-	}
-
-	if (val->event == NULL) {
-		validator_log(val, ISC_LOG_DEBUG(3),
-			      "fetch_callback_validator: event == NULL");
-		return;
-	}
+	INSIST(val->event != NULL);
 
 	validator_log(val, ISC_LOG_DEBUG(3), "in fetch_callback_validator");
 	LOCK(&val->lock);
@@ -157,34 +233,29 @@ fetch_callback_validator(isc_task_t *task, isc_event_t *event) {
 				val->keyset = &val->frdataset;
 		}
 		result = validate(val, ISC_TRUE);
-		if (result != DNS_R_WAIT) {
+		if (result != DNS_R_WAIT)
 			validator_done(val, result);
-			goto out;
-		}
 	} else {
 		validator_log(val, ISC_LOG_DEBUG(3),
 			      "fetch_callback_validator: got %s",
-			      dns_result_totext(eresult));
-		validator_done(val, DNS_R_NOVALIDKEY);
+			      isc_result_totext(eresult));
+		if (eresult == ISC_R_CANCELED)
+			validator_done(val, eresult);
+		else
+			validator_done(val, DNS_R_NOVALIDKEY);
 	}
-
- out:
+	want_destroy = exit_check(val);
 	UNLOCK(&val->lock);
-	/*
-	 * Free stuff from the event.
-	 */
-	if (dns_rdataset_isassociated(&val->frdataset) &&
-	    val->keyset != &val->frdataset)
-		dns_rdataset_disassociate(&val->frdataset);
-	if (dns_rdataset_isassociated(&val->fsigrdataset))
-		dns_rdataset_disassociate(&val->fsigrdataset);
+	if (want_destroy)
+		destroy(val);
 }
 
 static void
-fetch_callback_nullkey(isc_task_t *task, isc_event_t *event) {
+dsfetched(isc_task_t *task, isc_event_t *event) {
 	dns_fetchevent_t *devent;
 	dns_validator_t *val;
-	dns_rdataset_t *rdataset, *sigrdataset;
+	dns_rdataset_t *rdataset;
+	isc_boolean_t want_destroy;
 	isc_result_t result;
 	isc_result_t eresult;
 
@@ -193,115 +264,125 @@ fetch_callback_nullkey(isc_task_t *task, isc_event_t *event) {
 	devent = (dns_fetchevent_t *)event;
 	val = devent->ev_arg;
 	rdataset = &val->frdataset;
-	sigrdataset = &val->fsigrdataset;
 	eresult = devent->result;
 
+	isc_event_free(&event);
 	dns_resolver_destroyfetch(&val->fetch);
 
-	if (SHUTDOWN(val)) {
-		dns_validator_destroy(&val);
-		isc_event_free(&event);
-		return;
-	}
+	INSIST(val->event != NULL);
 
-	if (val->event == NULL) {
+	validator_log(val, ISC_LOG_DEBUG(3), "in dsfetched");
+	LOCK(&val->lock);
+	if (eresult == ISC_R_SUCCESS) {
 		validator_log(val, ISC_LOG_DEBUG(3),
-			      "fetch_callback_nullkey: event == NULL");
-		isc_event_free(&event);
-		return;
+			      "dsset with trust %d", rdataset->trust);
+		val->dsset = &val->frdataset;
+		result = validatezonekey(val);
+		if (result != DNS_R_WAIT)
+			validator_done(val, result);
+	} else if (val->view->dlv != NULL && !DLVTRIED(val) &&
+		   (eresult == DNS_R_NXRRSET ||
+		    eresult == DNS_R_NCACHENXRRSET) &&
+		   !dns_name_issubdomain(val->event->name,
+					 val->view->dlv))
+	{
+		validator_log(val, ISC_LOG_DEBUG(2),
+			      "no DS record: looking for DLV");
+
+		result = dlv_validatezonekey(val);
+		if (result != DNS_R_WAIT)
+			validator_done(val, result);
+	} else if (eresult == DNS_R_NXRRSET ||
+		   eresult == DNS_R_NCACHENXRRSET)
+	{
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "falling back to insecurity proof");
+		val->attributes |= VALATTR_INSECURITY;
+		result = proveunsecure(val, ISC_FALSE);
+		if (result != DNS_R_WAIT)
+			validator_done(val, result);
+	} else {
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "dsfetched: got %s",
+			      isc_result_totext(eresult));
+		if (eresult == ISC_R_CANCELED)
+			validator_done(val, eresult);
+		else
+			validator_done(val, DNS_R_NOVALIDDS);
 	}
+	want_destroy = exit_check(val);
+	UNLOCK(&val->lock);
+	if (want_destroy)
+		destroy(val);
+}
+
+/*
+ * XXX there's too much duplicated code here.
+ */
+static void
+dsfetched2(isc_task_t *task, isc_event_t *event) {
+	dns_fetchevent_t *devent;
+	dns_validator_t *val;
+	dns_rdataset_t *rdataset;
+	dns_name_t *tname;
+	isc_boolean_t want_destroy;
+	isc_result_t result;
+	isc_result_t eresult;
 
-	validator_log(val, ISC_LOG_DEBUG(3), "in fetch_callback_nullkey");
+	UNUSED(task);
+	INSIST(event->ev_type == DNS_EVENT_FETCHDONE);
+	devent = (dns_fetchevent_t *)event;
+	val = devent->ev_arg;
+	rdataset = &val->frdataset;
+	eresult = devent->result;
 
+	dns_resolver_destroyfetch(&val->fetch);
+
+	INSIST(val->event != NULL);
+
+	validator_log(val, ISC_LOG_DEBUG(3), "in dsfetched2");
 	LOCK(&val->lock);
-	if (eresult == ISC_R_SUCCESS) {
-		if (!containsnullkey(val, rdataset)) {
-			/*
-			 * No null key.
-			 */
-			validator_log(val, ISC_LOG_DEBUG(3),
-				      "found a keyset, no null key");
+	if (eresult == DNS_R_NXRRSET || eresult == DNS_R_NCACHENXRRSET) {
+		/*
+		 * There is no DS.  If this is a delegation, we're done.
+		 */
+		tname = dns_fixedname_name(&devent->foundname);
+		if (isdelegation(tname, &val->frdataset, eresult)) {
+			val->event->rdataset->trust = dns_trust_answer;
+			validator_done(val, ISC_R_SUCCESS);
+		} else {
 			result = proveunsecure(val, ISC_TRUE);
 			if (result != DNS_R_WAIT)
 				validator_done(val, result);
-			else {
-				/*
-				 * Don't free rdataset & sigrdataset, since
-				 * they'll be freed in nullkeyvalidated.
-				 */
-				isc_event_free(&event);
-				UNLOCK(&val->lock);
-				return;
-			}
-		} else {
-			validator_log(val, ISC_LOG_DEBUG(3),
-				      "found a keyset with a null key");
-			if (rdataset->trust >= dns_trust_secure) {
-				validator_log(val, ISC_LOG_DEBUG(3),
-					      "insecurity proof succeeded");
-				val->event->rdataset->trust = dns_trust_answer;
-				validator_done(val, ISC_R_SUCCESS);
-			} else if (!dns_rdataset_isassociated(sigrdataset)) {
-				validator_log(val, ISC_LOG_DEBUG(3),
-					      "insecurity proof failed");
-				validator_done(val, DNS_R_NOTINSECURE);
-			} else {
-				dns_name_t *tname;
-				tname = dns_fixedname_name(&devent->foundname);
-				result = dns_validator_create(val->view, tname,
-							   dns_rdatatype_key,
-							   rdataset,
-							   sigrdataset, NULL,
-							   0, val->task,
-							   nullkeyvalidated,
-							   val,
-							   &val->keyvalidator);
-				if (result != ISC_R_SUCCESS)
-					validator_done(val, result);
-				/*
-				 * Don't free rdataset & sigrdataset, since
-				 * they'll be freed in nullkeyvalidated.
-				 */
-				isc_event_free(&event);
-				UNLOCK(&val->lock);
-				return;
-			}
 		}
-	} else if (eresult ==  DNS_R_NCACHENXDOMAIN ||
-		   eresult == DNS_R_NCACHENXRRSET ||
+	} else if (eresult == ISC_R_SUCCESS ||
 		   eresult == DNS_R_NXDOMAIN ||
-		   eresult == DNS_R_NXRRSET)
+		   eresult == DNS_R_NCACHENXDOMAIN)
 	{
 		/*
-		 * No keys.
+		 * Either there is a DS or this is not a zone cut.  Continue.
 		 */
-		validator_log(val, ISC_LOG_DEBUG(3),
-			      "no keys found");
 		result = proveunsecure(val, ISC_TRUE);
 		if (result != DNS_R_WAIT)
 			validator_done(val, result);
 	} else {
-		validator_log(val, ISC_LOG_DEBUG(3),
-			      "fetch_callback_nullkey: got %s",
-			      dns_result_totext(eresult));
-		validator_done(val, DNS_R_NOVALIDKEY);
+		if (eresult == ISC_R_CANCELED)
+			validator_done(val, eresult);
+		else
+			validator_done(val, DNS_R_NOVALIDDS);
 	}
-	UNLOCK(&val->lock);
-
-	/*
-	 * Free stuff from the event.
-	 */
-	if (dns_rdataset_isassociated(&val->frdataset))
-		dns_rdataset_disassociate(&val->frdataset);
-	if (dns_rdataset_isassociated(&val->fsigrdataset))
-		dns_rdataset_disassociate(&val->fsigrdataset);
 	isc_event_free(&event);
+	want_destroy = exit_check(val);
+	UNLOCK(&val->lock);
+	if (want_destroy)
+		destroy(val);
 }
 
 static void
 keyvalidated(isc_task_t *task, isc_event_t *event) {
 	dns_validatorevent_t *devent;
 	dns_validator_t *val;
+	isc_boolean_t want_destroy;
 	isc_result_t result;
 	isc_result_t eresult;
 
@@ -313,14 +394,9 @@ keyvalidated(isc_task_t *task, isc_event_t *event) {
 	eresult = devent->result;
 
 	isc_event_free(&event);
+	dns_validator_destroy(&val->subvalidator);
 
-	if (SHUTDOWN(val)) {
-		dns_validator_destroy(&val);
-		return;
-	}
-
-	if (val->event == NULL)
-		return;
+	INSIST(val->event != NULL);
 
 	validator_log(val, ISC_LOG_DEBUG(3), "in keyvalidated");
 	LOCK(&val->lock);
@@ -333,150 +409,205 @@ keyvalidated(isc_task_t *task, isc_event_t *event) {
 		if (val->frdataset.trust >= dns_trust_secure)
 			(void) get_dst_key(val, val->siginfo, &val->frdataset);
 		result = validate(val, ISC_TRUE);
-		if (result != DNS_R_WAIT) {
+		if (result != DNS_R_WAIT)
 			validator_done(val, result);
-			goto out;
-		}
 	} else {
 		validator_log(val, ISC_LOG_DEBUG(3),
 			      "keyvalidated: got %s",
-			      dns_result_totext(eresult));
+			      isc_result_totext(eresult));
 		validator_done(val, eresult);
 	}
- out:
+	want_destroy = exit_check(val);
+	UNLOCK(&val->lock);
+	if (want_destroy)
+		destroy(val);
+}
+
+static void
+dsvalidated(isc_task_t *task, isc_event_t *event) {
+	dns_validatorevent_t *devent;
+	dns_validator_t *val;
+	isc_boolean_t want_destroy;
+	isc_result_t result;
+	isc_result_t eresult;
 
+	UNUSED(task);
+	INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
+
+	devent = (dns_validatorevent_t *)event;
+	val = devent->ev_arg;
+	eresult = devent->result;
+
+	isc_event_free(&event);
+	dns_validator_destroy(&val->subvalidator);
+
+	INSIST(val->event != NULL);
+
+	validator_log(val, ISC_LOG_DEBUG(3), "in dsvalidated");
+	LOCK(&val->lock);
+	if (eresult == ISC_R_SUCCESS) {
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "dsset with trust %d", val->frdataset.trust);
+		if ((val->attributes & VALATTR_INSECURITY) != 0)
+			result = proveunsecure(val, ISC_TRUE);
+		else
+			result = validatezonekey(val);
+		if (result != DNS_R_WAIT)
+			validator_done(val, result);
+	} else {
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "dsvalidated: got %s",
+			      isc_result_totext(eresult));
+		validator_done(val, eresult);
+	}
+	want_destroy = exit_check(val);
 	UNLOCK(&val->lock);
-	dns_validator_destroy(&val->keyvalidator);
-	/*
-	 * Free stuff from the event.
-	 */
-	if (dns_rdataset_isassociated(&val->frdataset))
-		dns_rdataset_disassociate(&val->frdataset);
-	if (dns_rdataset_isassociated(&val->fsigrdataset))
-		dns_rdataset_disassociate(&val->fsigrdataset);
+	if (want_destroy)
+		destroy(val);
 }
 
-static isc_boolean_t
-nxtprovesnonexistence(dns_validator_t *val, dns_name_t *nxtname,
-		      dns_rdataset_t *nxtset, dns_rdataset_t *signxtset)
+/*
+ * Return ISC_R_SUCCESS if we can determine that the name doesn't exist
+ * or we can determine whether there is data or not at the name.
+ * If the name does not exist return the wildcard name.
+ */
+static isc_result_t
+nsecnoexistnodata(dns_validator_t *val, dns_name_t* name, dns_name_t *nsecname,
+		  dns_rdataset_t *nsecset, isc_boolean_t *exists,
+		  isc_boolean_t *data, dns_name_t *wild)
 {
 	int order;
 	dns_rdata_t rdata = DNS_RDATA_INIT;
-	isc_boolean_t isnxdomain;
 	isc_result_t result;
+	dns_namereln_t relation;
+	unsigned int olabels, nlabels, labels;
+	dns_rdata_nsec_t nsec;
+	isc_boolean_t atparent;
 
-	INSIST(DNS_MESSAGE_VALID(val->event->message));
-
-	if (val->event->message->rcode == dns_rcode_nxdomain)
-		isnxdomain = ISC_TRUE;
-	else
-		isnxdomain = ISC_FALSE;
+	REQUIRE(exists != NULL);
+	REQUIRE(data != NULL);
 
-	result = dns_rdataset_first(nxtset);
+	result = dns_rdataset_first(nsecset);
 	if (result != ISC_R_SUCCESS) {
 		validator_log(val, ISC_LOG_DEBUG(3),
-			"failure processing NXT set");
-		return (ISC_FALSE);
+			"failure processing NSEC set");
+		return (result);
 	}
-	dns_rdataset_current(nxtset, &rdata);
+	dns_rdataset_current(nsecset, &rdata);
 
-	validator_log(val, ISC_LOG_DEBUG(3),
-		      "looking for relevant nxt");
-	order = dns_name_compare(val->event->name, nxtname);
-	if (order == 0) {
+	validator_log(val, ISC_LOG_DEBUG(3), "looking for relevant nsec");
+	relation = dns_name_fullcompare(name, nsecname, &order, &olabels);
+
+	if (order < 0) {
 		/*
-		 * The names are the same.  Look for the type present bit.
+		 * The name is not within the NSEC range.
 		 */
-		if (isnxdomain) {
-			validator_log(val, ISC_LOG_DEBUG(3),
-				      "NXT record seen at nonexistent name");
-			return (ISC_FALSE);
-		}
-		if (val->event->type >= 128) {
-			validator_log(val, ISC_LOG_DEBUG(3), "invalid type %d",
-				      val->event->type);
-			return (ISC_FALSE);
-		}
-
-		if (dns_nxt_typepresent(&rdata, val->event->type)) {
-			validator_log(val, ISC_LOG_DEBUG(3),
-				      "type should not be present");
-			return (ISC_FALSE);
-		}
-		validator_log(val, ISC_LOG_DEBUG(3), "nxt bitmask ok");
-	} else if (order > 0) {
-		dns_rdata_nxt_t nxt;
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "NSEC does not cover name, before NSEC");
+		return (ISC_R_IGNORE);
+	}
 
+	if (order == 0) {
 		/*
-		 * The NXT owner name is less than the nonexistent name.
+		 * The names are the same.
 		 */
-		if (!isnxdomain) {
-			validator_log(val, ISC_LOG_DEBUG(3),
-				      "missing NXT record at name");
-			return (ISC_FALSE);
-		}
-		if (dns_name_issubdomain(val->event->name, nxtname) &&
-		    dns_nxt_typepresent(&rdata, dns_rdatatype_ns) &&
-		    !dns_nxt_typepresent(&rdata, dns_rdatatype_soa))
+		atparent = dns_rdatatype_atparent(val->event->type);
+		if (dns_nsec_typepresent(&rdata, dns_rdatatype_ns) &&
+		    !dns_nsec_typepresent(&rdata, dns_rdatatype_soa))
 		{
+			if (!atparent) {
+				/*
+				 * This NSEC record is from somewhere higher in
+				 * the DNS, and at the parent of a delegation.
+				 * It can not be legitimately used here.
+				 */
+				validator_log(val, ISC_LOG_DEBUG(3),
+					      "ignoring parent nsec");
+				return (ISC_R_IGNORE);
+			}
+		} else if (atparent) {
 			/*
-			 * This NXT record is from somewhere higher in
-			 * the DNS, and at the parent of a delegation.
+			 * This NSEC record is from the child.
 			 * It can not be legitimately used here.
 			 */
 			validator_log(val, ISC_LOG_DEBUG(3),
-				      "ignoring parent nxt");
-			return (ISC_FALSE);
+				      "ignoring child nsec");
+			return (ISC_R_IGNORE);
 		}
-		result = dns_rdata_tostruct(&rdata, &nxt, NULL);
-		if (result != ISC_R_SUCCESS)
-			return (ISC_FALSE);
-		dns_rdata_reset(&rdata);
-		order = dns_name_compare(val->event->name, &nxt.next);
-		if (order >= 0) {
-			/*
-			 * The NXT next name is less than the nonexistent
-			 * name.  This is only ok if the next name is the zone
-			 * name.
-			 */
-			dns_rdata_sig_t siginfo;
-			result = dns_rdataset_first(signxtset);
-			if (result != ISC_R_SUCCESS) {
-				validator_log(val, ISC_LOG_DEBUG(3),
-					"failure processing SIG NXT set");
-				dns_rdata_freestruct(&nxt);
-				return (ISC_FALSE);
-			}
-			dns_rdataset_current(signxtset, &rdata);
-			result = dns_rdata_tostruct(&rdata, &siginfo, NULL);
-			if (result != ISC_R_SUCCESS) {
-				validator_log(val, ISC_LOG_DEBUG(3),
-					"failure processing SIG NXT set");
-				dns_rdata_freestruct(&nxt);
-				return (ISC_FALSE);
-			}
-			if (!dns_name_equal(&siginfo.signer, &nxt.next)) {
-				validator_log(val, ISC_LOG_DEBUG(3),
-					"next name is not greater");
-				dns_rdata_freestruct(&nxt);
-				return (ISC_FALSE);
-			}
-			validator_log(val, ISC_LOG_DEBUG(3),
-				      "nxt points to zone apex, ok");
-		}
-		dns_rdata_freestruct(&nxt);
+		*exists = ISC_TRUE;
+		*data = dns_nsec_typepresent(&rdata, val->event->type);
 		validator_log(val, ISC_LOG_DEBUG(3),
-			      "nxt range ok");
-	} else {
+			      "nsec proves name exists (owner) data=%d",
+			      *data);
+		return (ISC_R_SUCCESS);
+	} 
+
+	if (relation == dns_namereln_subdomain &&
+	    dns_nsec_typepresent(&rdata, dns_rdatatype_ns) &&
+	    !dns_nsec_typepresent(&rdata, dns_rdatatype_soa))
+	{
+		/*
+		 * This NSEC record is from somewhere higher in
+		 * the DNS, and at the parent of a delegation.
+		 * It can not be legitimately used here.
+		 */
+		validator_log(val, ISC_LOG_DEBUG(3), "ignoring parent nsec");
+		return (ISC_R_IGNORE);
+	}
+
+	result = dns_rdata_tostruct(&rdata, &nsec, NULL);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	relation = dns_name_fullcompare(&nsec.next, name, &order, &nlabels);
+	if (order == 0) {
+		dns_rdata_freestruct(&nsec);
 		validator_log(val, ISC_LOG_DEBUG(3),
-			"nxt owner name is not less");
+			      "ignoring nsec matches next name");
+		return (ISC_R_IGNORE);
+	}
+
+	if (order < 0 && !dns_name_issubdomain(nsecname, &nsec.next)) {
 		/*
-		 * The NXT owner name is greater than the supposedly
-		 * nonexistent name.  This NXT is irrelevant.
+		 * The name is not within the NSEC range.
 		 */
-		return (ISC_FALSE);
+		dns_rdata_freestruct(&nsec);
+		validator_log(val, ISC_LOG_DEBUG(3),
+			    "ignoring nsec because name is past end of range");
+		return (ISC_R_IGNORE);
 	}
-	return (ISC_TRUE);
+
+	if (order > 0 && relation == dns_namereln_subdomain) {
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "nsec proves name exist (empty)");
+		dns_rdata_freestruct(&nsec);
+		*exists = ISC_TRUE;
+		*data = ISC_FALSE;
+		return (ISC_R_SUCCESS);
+	}
+	if (wild != NULL) {
+		dns_name_t common;
+		dns_name_init(&common, NULL);
+		if (olabels > nlabels) {
+			labels = dns_name_countlabels(nsecname);
+			dns_name_getlabelsequence(nsecname, labels - olabels,
+						  olabels, &common);
+		} else {
+			labels = dns_name_countlabels(&nsec.next);
+			dns_name_getlabelsequence(&nsec.next, labels - nlabels,
+						  nlabels, &common);
+		}
+		result = dns_name_concatenate(dns_wildcardname, &common,
+					       wild, NULL);
+		if (result != ISC_R_SUCCESS) {
+			validator_log(val, ISC_LOG_DEBUG(3),
+				    "failure generating wilcard name");
+			return (result);
+		}
+	}
+	dns_rdata_freestruct(&nsec);
+	validator_log(val, ISC_LOG_DEBUG(3), "nsec range ok");
+	*exists = ISC_FALSE;
+	return (ISC_R_SUCCESS);
 }
 
 static void
@@ -484,8 +615,9 @@ authvalidated(isc_task_t *task, isc_event_t *event) {
 	dns_validatorevent_t *devent;
 	dns_validator_t *val;
 	dns_rdataset_t *rdataset, *sigrdataset;
+	isc_boolean_t want_destroy;
 	isc_result_t result;
-	isc_result_t eresult;
+	isc_boolean_t exists, data;
 
 	UNUSED(task);
 	INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
@@ -494,37 +626,62 @@ authvalidated(isc_task_t *task, isc_event_t *event) {
 	rdataset = devent->rdataset;
 	sigrdataset = devent->sigrdataset;
 	val = devent->ev_arg;
-	eresult = devent->result;
-	dns_validator_destroy(&val->authvalidator);
-
-	if (SHUTDOWN(val)) {
-		dns_validator_destroy(&val);
-		return;
-	}
+	result = devent->result;
+	dns_validator_destroy(&val->subvalidator);
 
-	if (val->event == NULL)
-		return;
+	INSIST(val->event != NULL);
 
 	validator_log(val, ISC_LOG_DEBUG(3), "in authvalidated");
 	LOCK(&val->lock);
-	if (eresult != ISC_R_SUCCESS) {
+	if (result != ISC_R_SUCCESS) {
 		validator_log(val, ISC_LOG_DEBUG(3),
 			      "authvalidated: got %s",
-			      dns_result_totext(eresult));
-		result = nxtvalidate(val, ISC_TRUE);
-		if (result != DNS_R_WAIT)
+			      isc_result_totext(result));
+		if (result == ISC_R_CANCELED)
 			validator_done(val, result);
+		else {
+			result = nsecvalidate(val, ISC_TRUE);
+			if (result != DNS_R_WAIT)
+				validator_done(val, result);
+		}
 	} else {
-		if (rdataset->type == dns_rdatatype_nxt &&
-		    nxtprovesnonexistence(val, devent->name, rdataset,
-			    		  sigrdataset))
-			val->attributes |= VALATTR_FOUNDNONEXISTENCE;
+		dns_name_t **proofs = val->event->proofs;
+		
+		if (rdataset->trust == dns_trust_secure)
+			val->seensig = ISC_TRUE;
 
-		result = nxtvalidate(val, ISC_TRUE);
+		if (val->nsecset != NULL &&
+		    rdataset->trust == dns_trust_secure &&
+		    ((val->attributes & VALATTR_NEEDNODATA) != 0 ||
+		     (val->attributes & VALATTR_NEEDNOQNAME) != 0) &&
+	            (val->attributes & VALATTR_FOUNDNODATA) == 0 &&
+		    (val->attributes & VALATTR_FOUNDNOQNAME) == 0 &&
+		    nsecnoexistnodata(val, val->event->name, devent->name,
+				      rdataset, &exists, &data,
+				      dns_fixedname_name(&val->wild))
+				      == ISC_R_SUCCESS)
+		 {
+			if (exists && !data) {
+				val->attributes |= VALATTR_FOUNDNODATA;
+				if (NEEDNODATA(val))
+					proofs[DNS_VALIDATOR_NODATAPROOF] =
+						devent->name;
+			}
+			if (!exists) {
+				val->attributes |= VALATTR_FOUNDNOQNAME;
+				if (NEEDNOQNAME(val))
+					proofs[DNS_VALIDATOR_NOQNAMEPROOF] =
+						devent->name;
+			}
+		}
+		result = nsecvalidate(val, ISC_TRUE);
 		if (result != DNS_R_WAIT)
 			validator_done(val, result);
 	}
+	want_destroy = exit_check(val);
 	UNLOCK(&val->lock);
+	if (want_destroy)
+		destroy(val);
 
 	/*
 	 * Free stuff from the event.
@@ -536,6 +693,7 @@ static void
 negauthvalidated(isc_task_t *task, isc_event_t *event) {
 	dns_validatorevent_t *devent;
 	dns_validator_t *val;
+	isc_boolean_t want_destroy;
 	isc_result_t eresult;
 
 	UNUSED(task);
@@ -545,15 +703,9 @@ negauthvalidated(isc_task_t *task, isc_event_t *event) {
 	val = devent->ev_arg;
 	eresult = devent->result;
 	isc_event_free(&event);
-	dns_validator_destroy(&val->authvalidator);
+	dns_validator_destroy(&val->subvalidator);
 
-	if (SHUTDOWN(val)) {
-		dns_validator_destroy(&val);
-		return;
-	}
-
-	if (val->event == NULL)
-		return;
+	INSIST(val->event != NULL);
 
 	validator_log(val, ISC_LOG_DEBUG(3), "in negauthvalidated");
 	LOCK(&val->lock);
@@ -566,104 +718,87 @@ negauthvalidated(isc_task_t *task, isc_event_t *event) {
 	} else {
 		validator_log(val, ISC_LOG_DEBUG(3),
 			      "negauthvalidated: got %s",
-			      dns_result_totext(eresult));
+			      isc_result_totext(eresult));
 		validator_done(val, eresult);
 	}
+	want_destroy = exit_check(val);
 	UNLOCK(&val->lock);
+	if (want_destroy)
+		destroy(val);
+}
 
-	/*
-	 * Free stuff from the event.
-	 */
+static inline isc_result_t
+view_find(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type) {
 	if (dns_rdataset_isassociated(&val->frdataset))
 		dns_rdataset_disassociate(&val->frdataset);
-}
-
-static void
-nullkeyvalidated(isc_task_t *task, isc_event_t *event) {
-	dns_validatorevent_t *devent;
-	dns_validator_t *val;
-	isc_result_t result;
-	isc_result_t eresult;
-
-	UNUSED(task);
-	INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
-
-	devent = (dns_validatorevent_t *)event;
-	val = devent->ev_arg;
-	eresult = devent->result;
-
-	dns_name_free(devent->name, val->view->mctx);
-	isc_mem_put(val->view->mctx, devent->name, sizeof(dns_name_t));
-	dns_validator_destroy(&val->keyvalidator);
-	isc_event_free(&event);
+	if (dns_rdataset_isassociated(&val->fsigrdataset))
+		dns_rdataset_disassociate(&val->fsigrdataset);
 
-	if (SHUTDOWN(val)) {
-		dns_validator_destroy(&val);
-		return;
-	}
+	if (val->view->zonetable == NULL)
+		return (ISC_R_CANCELED);
+	return (dns_view_simplefind(val->view, name, type, 0,
+				    DNS_DBFIND_PENDINGOK, ISC_FALSE,
+				    &val->frdataset, &val->fsigrdataset));
+}
 
-	if (val->event == NULL)
-		return;
+static inline isc_boolean_t
+check_deadlock(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type) {
+	dns_validator_t *parent;
 
-	validator_log(val, ISC_LOG_DEBUG(3), "in nullkeyvalidated");
-	LOCK(&val->lock);
-	if (eresult == ISC_R_SUCCESS) {
-		validator_log(val, ISC_LOG_DEBUG(3),
-			      "proved that name is in an unsecure domain");
-		validator_log(val, ISC_LOG_DEBUG(3), "marking as answer");
-		val->event->rdataset->trust = dns_trust_answer;
-		validator_done(val, ISC_R_SUCCESS);
-	} else {
-		result = proveunsecure(val, ISC_TRUE);
-		if (result != DNS_R_WAIT)
-			validator_done(val, result);
+	for (parent = val->parent; parent != NULL; parent = parent->parent) {
+		if (parent->event != NULL &&
+		    parent->event->type == type &&
+		    dns_name_equal(parent->event->name, name))
+		{
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "continuing validation would lead to "
+				      "deadlock: aborting validation");
+			return (ISC_TRUE);
+		}
 	}
-	UNLOCK(&val->lock);
+	return (ISC_FALSE);
+}
 
-	/*
-	 * Free stuff from the event.
-	 */
+static inline isc_result_t
+create_fetch(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
+	     isc_taskaction_t callback, const char *caller)
+{
 	if (dns_rdataset_isassociated(&val->frdataset))
 		dns_rdataset_disassociate(&val->frdataset);
 	if (dns_rdataset_isassociated(&val->fsigrdataset))
 		dns_rdataset_disassociate(&val->fsigrdataset);
+
+	if (check_deadlock(val, name, type))
+		return (DNS_R_NOVALIDSIG);
+
+	validator_logcreate(val, name, type, caller, "fetch");
+	return (dns_resolver_createfetch(val->view->resolver, name, type,
+					 NULL, NULL, NULL, 0,
+					 val->event->ev_sender,
+					 callback, val,
+					 &val->frdataset,
+					 &val->fsigrdataset,
+					 &val->fetch));
 }
 
-/*
- * Try to find a null zone key among those in 'rdataset'.  If found, build
- * a dst_key_t for it and point val->key at it.
- */
-static inline isc_boolean_t
-containsnullkey(dns_validator_t *val, dns_rdataset_t *rdataset) {
+static inline isc_result_t
+create_validator(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
+		 dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
+		 isc_taskaction_t action, const char *caller)
+{
 	isc_result_t result;
-	dst_key_t *key = NULL;
-	isc_buffer_t b;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	isc_boolean_t found = ISC_FALSE;
 
-	result = dns_rdataset_first(rdataset);
-	if (result != ISC_R_SUCCESS)
-		return (ISC_FALSE);
-	while (result == ISC_R_SUCCESS && !found) {
-		dns_rdataset_current(rdataset, &rdata);
-		isc_buffer_init(&b, rdata.data, rdata.length);
-		isc_buffer_add(&b, rdata.length);
-		key = NULL;
-		/*
-		 * The key name is unimportant, so we can avoid any name/text
-		 * conversion.
-		 */
-		result = dst_key_fromdns(dns_rootname, rdata.rdclass, &b,
-					 val->view->mctx, &key);
-		if (result != ISC_R_SUCCESS)
-			continue;
-		if (dst_key_isnullkey(key))
-			found = ISC_TRUE;
-		dst_key_free(&key);
-		dns_rdata_reset(&rdata);
-		result = dns_rdataset_next(rdataset);
-	}
-	return (found);
+	if (check_deadlock(val, name, type))
+		return (DNS_R_NOVALIDSIG);
+
+	validator_logcreate(val, name, type, caller, "validator");
+	result = dns_validator_create(val->view, name, type,
+				      rdataset, sigrdataset, NULL, 0,
+				      val->task, action, val,
+				      &val->subvalidator);
+	if (result == ISC_R_SUCCESS)
+		val->subvalidator->parent = val;
+	return (result);
 }
 
 /*
@@ -673,8 +808,8 @@ containsnullkey(dns_validator_t *val, dns_rdataset_t *rdataset) {
  *
  * If val->key is non-NULL, this returns the next matching key.
  */
-static inline isc_result_t
-get_dst_key(dns_validator_t *val, dns_rdata_sig_t *siginfo,
+static isc_result_t
+get_dst_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo,
 	    dns_rdataset_t *rdataset)
 {
 	isc_result_t result;
@@ -734,75 +869,45 @@ get_dst_key(dns_validator_t *val, dns_rdata_sig_t *siginfo,
 	return (result);
 }
 
-static inline isc_result_t
-get_key(dns_validator_t *val, dns_rdata_sig_t *siginfo) {
+static isc_result_t
+get_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo) {
 	isc_result_t result;
-	dns_validatorevent_t *event;
-	unsigned int nbits, nlabels;
+	unsigned int nlabels;
 	int order;
 	dns_namereln_t namereln;
 
-	event = val->event;
-
 	/*
-	 * Is the key name appropriate for this signature?
-	 * This previously checked for self-signed keys.  Now, if the key
-	 * is self signed with a preconfigured key, it's ok.
+	 * Is the signer name appropriate for this signature?
+	 *
+	 * The signer name must be at the same level as the owner name
+	 * or closer to the the DNS root.
 	 */
-	namereln = dns_name_fullcompare(event->name, &siginfo->signer,
-					&order, &nlabels, &nbits);
+	namereln = dns_name_fullcompare(val->event->name, &siginfo->signer,
+					&order, &nlabels);
 	if (namereln != dns_namereln_subdomain &&
-	    namereln != dns_namereln_equal) {
-		/*
-		 * The key name is not at the same level
-		 * as 'rdataset', nor is it closer to the
-		 * DNS root.
-		 */
+	    namereln != dns_namereln_equal)
 		return (DNS_R_CONTINUE);
-	}
 
-	/*
-	 * Is the key used for the signature a security root?
-	 */
-	INSIST(val->keynode == NULL);
-	val->keytable = val->view->secroots;
-	result = dns_keytable_findkeynode(val->view->secroots,
-					  &siginfo->signer,
-					  siginfo->algorithm, siginfo->keyid,
-					  &val->keynode);
-	if (result == ISC_R_SUCCESS) {
+	if (namereln == dns_namereln_equal) {
 		/*
-		 * The key is a security root.
+		 * If this is a self-signed keyset, it must not be a zone key
+		 * (since get_key is not called from validatezonekey).
 		 */
-		val->key = dns_keynode_key(val->keynode);
-		return (ISC_R_SUCCESS);
-	}
+		if (val->event->rdataset->type == dns_rdatatype_dnskey)
+			return (DNS_R_CONTINUE);
 
-	/*
-	 * A key set may not be self-signed unless the signing key is a
-	 * security root.  We don't want a KEY RR to authenticate
-	 * itself, so we ignore the signature if it was not made by
-	 * an ancestor of the KEY or a preconfigured key.
-	 */
-	if (event->rdataset->type == dns_rdatatype_key &&
-	    namereln == dns_namereln_equal)
-	{
-		validator_log(val, ISC_LOG_DEBUG(3),
-			      "keyset was self-signed but not preconfigured");
-		return (DNS_R_CONTINUE);
+		/*
+		 * Records appearing in the parent zone at delegation
+		 * points cannot be self-signed.
+		 */
+		if (dns_rdatatype_atparent(val->event->rdataset->type))
+			return (DNS_R_CONTINUE);
 	}
 
 	/*
 	 * Do we know about this key?
 	 */
-	if (dns_rdataset_isassociated(&val->frdataset))
-		dns_rdataset_disassociate(&val->frdataset);
-	if (dns_rdataset_isassociated(&val->fsigrdataset))
-		dns_rdataset_disassociate(&val->fsigrdataset);
-	result = dns_view_simplefind(val->view, &siginfo->signer,
-				     dns_rdatatype_key, 0,
-				     DNS_DBFIND_PENDINGOK, ISC_FALSE,
-				     &val->frdataset, &val->fsigrdataset);
+	result = view_find(val, &siginfo->signer, dns_rdatatype_dnskey);
 	if (result == ISC_R_SUCCESS) {
 		/*
 		 * We have an rrset for the given keyname.
@@ -814,17 +919,12 @@ get_key(dns_validator_t *val, dns_rdata_sig_t *siginfo) {
 			/*
 			 * We know the key but haven't validated it yet.
 			 */
-			result = dns_validator_create(val->view,
-						      &siginfo->signer,
-						      dns_rdatatype_key,
-						      &val->frdataset,
-						      &val->fsigrdataset,
-						      NULL,
-						      0,
-						      val->task,
-						      keyvalidated,
-						      val,
-						      &val->keyvalidator);
+			result = create_validator(val, &siginfo->signer,
+						  dns_rdatatype_dnskey,
+						  &val->frdataset,
+						  &val->fsigrdataset,
+						  keyvalidated,
+						  "get_key");
 			if (result != ISC_R_SUCCESS)
 				return (result);
 			return (DNS_R_WAIT);
@@ -862,17 +962,8 @@ get_key(dns_validator_t *val, dns_rdata_sig_t *siginfo) {
 		/*
 		 * We don't know anything about this key.
 		 */
-		val->fetch = NULL;
-		result = dns_resolver_createfetch(val->view->resolver,
-						  &siginfo->signer,
-						  dns_rdatatype_key,
-						  NULL, NULL, NULL, 0,
-						  val->event->ev_sender,
-						  fetch_callback_validator,
-						  val,
-						  &val->frdataset,
-						  &val->fsigrdataset,
-						  &val->fetch);
+		result = create_fetch(val, &siginfo->signer, dns_rdatatype_dnskey,
+				      fetch_callback_validator, "get_key");
 		if (result != ISC_R_SUCCESS)
 			return (result);
 		return (DNS_R_WAIT);
@@ -896,67 +987,80 @@ get_key(dns_validator_t *val, dns_rdata_sig_t *siginfo) {
 	return (result);
 }
 
+static dns_keytag_t
+compute_keytag(dns_rdata_t *rdata, dns_rdata_dnskey_t *key) {
+	isc_region_t r;
+
+	dns_rdata_toregion(rdata, &r);
+	return (dst_region_computeid(&r, key->algorithm));
+}
+
 /*
- * If the rdataset being validated is a key set, is each key a security root?
+ * Is this keyset self-signed?
  */
 static isc_boolean_t
-issecurityroot(dns_validator_t *val) {
-	dns_name_t *name;
-	dns_rdataset_t *rdataset;
-	isc_mem_t *mctx;
-	dns_keytable_t *secroots;
+isselfsigned(dns_validator_t *val) {
+	dns_rdataset_t *rdataset, *sigrdataset;
 	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdata_t sigrdata = DNS_RDATA_INIT;
+	dns_rdata_dnskey_t key;
+	dns_rdata_rrsig_t sig;
+	dns_keytag_t keytag;
 	isc_result_t result;
-	dns_keynode_t *keynode, *nextnode;
-	dst_key_t *key, *secrootkey;
-	isc_boolean_t match = ISC_FALSE;
 
-	name = val->event->name;
 	rdataset = val->event->rdataset;
-	mctx = val->view->mctx;
-	secroots = val->view->secroots;
+	sigrdataset = val->event->sigrdataset;
+
+	INSIST(rdataset->type == dns_rdatatype_dnskey);
 
 	for (result = dns_rdataset_first(rdataset);
 	     result == ISC_R_SUCCESS;
 	     result = dns_rdataset_next(rdataset))
 	{
-		dns_rdataset_current(rdataset, &rdata);
-		key = NULL;
-		result = dns_dnssec_keyfromrdata(name, &rdata, mctx, &key);
 		dns_rdata_reset(&rdata);
-		if (result != ISC_R_SUCCESS)
-			 continue;
-		keynode = NULL;
-		result = dns_keytable_findkeynode(
-						secroots, name,
-						(dns_secalg_t)dst_key_alg(key),
-						dst_key_id(key),
-						&keynode);
-
-		match = ISC_FALSE;
-		while (result == ISC_R_SUCCESS) {
-			secrootkey = dns_keynode_key(keynode);
-			if (dst_key_compare(key, secrootkey)) {
-				match = ISC_TRUE;
-				dns_keytable_detachkeynode(secroots, &keynode);
-				break;
-			}
-			nextnode = NULL;
-			result = dns_keytable_findnextkeynode(secroots,
-							      keynode,
-							      &nextnode);
-			dns_keytable_detachkeynode(secroots, &keynode);
+		dns_rdataset_current(rdataset, &rdata);
+		(void)dns_rdata_tostruct(&rdata, &key, NULL);
+		keytag = compute_keytag(&rdata, &key);
+		for (result = dns_rdataset_first(sigrdataset);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdataset_next(sigrdataset))
+		{
+			dns_rdata_reset(&sigrdata);
+			dns_rdataset_current(sigrdataset, &sigrdata);
+			(void)dns_rdata_tostruct(&sigrdata, &sig, NULL);
+
+			if (sig.algorithm == key.algorithm &&
+			    sig.keyid == keytag)
+				return (ISC_TRUE);
 		}
+	}
+	return (ISC_FALSE);
+}
 
-		dst_key_free(&key);
-		if (!match)
-			return (ISC_FALSE);
+static isc_result_t
+verify(dns_validator_t *val, dst_key_t *key, dns_rdata_t *rdata) {
+	isc_result_t result;
+	dns_fixedname_t fixed;
+
+	val->attributes |= VALATTR_TRIEDVERIFY;
+	dns_fixedname_init(&fixed);
+	result = dns_dnssec_verify2(val->event->name, val->event->rdataset,
+				    key, ISC_FALSE, val->view->mctx, rdata,
+				    dns_fixedname_name(&fixed));
+	validator_log(val, ISC_LOG_DEBUG(3),
+		      "verify rdataset: %s",
+		      isc_result_totext(result));
+	if (result == DNS_R_FROMWILDCARD) {
+		if (!dns_name_equal(val->event->name,
+				    dns_fixedname_name(&fixed)))
+			val->attributes |= VALATTR_NEEDNOQNAME;
+		result = ISC_R_SUCCESS;
 	}
-	return (match);
+	return (result);
 }
 
 /*
- * Attempts positive response validation.
+ * Attempts positive response validation of a normal RRset.
  *
  * Returns:
  *	ISC_R_SUCCESS	Validation completed successfully
@@ -964,7 +1068,7 @@ issecurityroot(dns_validator_t *val) {
  *			for an event.
  *	Other return codes are possible and all indicate failure.
  */
-static inline isc_result_t
+static isc_result_t
 validate(dns_validator_t *val, isc_boolean_t resume) {
 	isc_result_t result;
 	dns_validatorevent_t *event;
@@ -976,28 +1080,6 @@ validate(dns_validator_t *val, isc_boolean_t resume) {
 
 	event = val->event;
 
-	/*
-	 * If this is a security root, it's ok.
-	 */
-	if (!resume) {
-		dns_fixedname_t fsecroot;
-		dns_name_t *secroot;
-
-		dns_fixedname_init(&fsecroot);
-		secroot = dns_fixedname_name(&fsecroot);
-		result = dns_keytable_finddeepestmatch(val->view->secroots,
-						       val->event->name,
-						       secroot);
-		if (result == ISC_R_SUCCESS &&
-		    val->event->type == dns_rdatatype_key &&
-		    dns_name_equal(val->event->name, secroot) &&
-		    issecurityroot(val))
-		{
-			val->event->rdataset->trust = dns_trust_secure;
-			return (ISC_R_SUCCESS);
-		}
-	}
-
 	if (resume) {
 		/*
 		 * We already have a sigrdataset.
@@ -1014,20 +1096,24 @@ validate(dns_validator_t *val, isc_boolean_t resume) {
 	{
 		dns_rdata_reset(&rdata);
 		dns_rdataset_current(event->sigrdataset, &rdata);
-		if (val->siginfo != NULL)
-			isc_mem_put(val->view->mctx, val->siginfo,
-				    sizeof *val->siginfo);
-		val->siginfo = isc_mem_get(val->view->mctx,
-					   sizeof *val->siginfo);
-		if (val->siginfo == NULL)
-			return (ISC_R_NOMEMORY);
-		dns_rdata_tostruct(&rdata, val->siginfo, NULL);
+		if (val->siginfo == NULL) {
+			val->siginfo = isc_mem_get(val->view->mctx,
+						   sizeof(*val->siginfo));
+			if (val->siginfo == NULL)
+				return (ISC_R_NOMEMORY);
+		}
+		result = dns_rdata_tostruct(&rdata, val->siginfo, NULL);
+		if (result != ISC_R_SUCCESS)
+			return (result);
 
 		/*
 		 * At this point we could check that the signature algorithm
-		 * was known and "sufficiently good".  For now, any algorithm
-		 * is acceptable.
+		 * was known and "sufficiently good".
 		 */
+		if (!dns_resolver_algorithm_supported(val->view->resolver,
+						      event->name,
+						      val->siginfo->algorithm))
+			continue;
 
 		if (!resume) {
 			result = get_key(val, val->siginfo);
@@ -1037,24 +1123,19 @@ validate(dns_validator_t *val, isc_boolean_t resume) {
 				return (result);
 		}
 
+		/*
+		 * The key is insecure, so mark the data as insecure also.
+		 */
 		if (val->key == NULL) {
 			event->rdataset->trust = dns_trust_answer;
 			event->sigrdataset->trust = dns_trust_answer;
 			validator_log(val, ISC_LOG_DEBUG(3),
 				      "marking as answer");
 			return (ISC_R_SUCCESS);
-
 		}
 
 		do {
-			val->attributes |= VALATTR_TRIEDVERIFY;
-			result = dns_dnssec_verify(event->name,
-						   event->rdataset,
-						   val->key, ISC_FALSE,
-						   val->view->mctx, &rdata);
-			validator_log(val, ISC_LOG_DEBUG(3),
-				      "verify rdataset: %s",
-				      isc_result_totext(result));
+			result = verify(val, val->key, &rdata);
 			if (result == ISC_R_SUCCESS)
 				break;
 			if (val->keynode != NULL) {
@@ -1105,7 +1186,16 @@ validate(dns_validator_t *val, isc_boolean_t resume) {
 			}
 		}
 		val->key = NULL;
-		if (result == ISC_R_SUCCESS) {
+		if ((val->attributes & VALATTR_NEEDNOQNAME) != 0) {
+			if (val->event->message == NULL) {
+				validator_log(val, ISC_LOG_DEBUG(3),
+				      "no message available for noqname proof");
+				return (DNS_R_NOVALIDSIG);
+			}
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "looking for noqname proof");
+			return (nsecvalidate(val, ISC_FALSE));
+		} else if (result == ISC_R_SUCCESS) {
 			event->rdataset->trust = dns_trust_secure;
 			event->sigrdataset->trust = dns_trust_secure;
 			validator_log(val, ISC_LOG_DEBUG(3),
@@ -1130,19 +1220,688 @@ validate(dns_validator_t *val, isc_boolean_t resume) {
 }
 
 
-static inline isc_result_t
-nxtvalidate(dns_validator_t *val, isc_boolean_t resume) {
+static void
+dlv_validated(isc_task_t *task, isc_event_t *event) {
+	dns_validatorevent_t *devent;
+	dns_validator_t *val;
+	isc_boolean_t want_destroy;
+	isc_result_t result;
+	isc_result_t eresult;
+
+	UNUSED(task);
+	INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
+
+	devent = (dns_validatorevent_t *)event;
+	val = devent->ev_arg;
+	eresult = devent->result;
+
+	isc_event_free(&event);
+	dns_validator_destroy(&val->subvalidator);
+
+	INSIST(val->event != NULL);
+
+	validator_log(val, ISC_LOG_DEBUG(3), "in dsvalidated");
+	LOCK(&val->lock);
+	if (eresult == ISC_R_SUCCESS) {
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "dlv with trust %d", val->frdataset.trust);
+		if ((val->attributes & VALATTR_INSECURITY) != 0)
+			result = proveunsecure(val, ISC_TRUE);
+		else
+			result = validatezonekey(val);
+		if (result != DNS_R_WAIT)
+			validator_done(val, result);
+	} else {
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "dlv_validated: got %s",
+			      isc_result_totext(eresult));
+		validator_done(val, eresult);
+	}
+	want_destroy = exit_check(val);
+	UNLOCK(&val->lock);
+	if (want_destroy)
+		destroy(val);
+}
+
+static void
+dlv_fetched(isc_task_t *task, isc_event_t *event) {
+	dns_fetchevent_t *devent;
+	dns_validator_t *val;
+	dns_rdataset_t *rdataset;
+	isc_boolean_t want_destroy;
+	isc_result_t result;
+	isc_result_t eresult;
+
+	UNUSED(task);
+	INSIST(event->ev_type == DNS_EVENT_FETCHDONE);
+	devent = (dns_fetchevent_t *)event;
+	val = devent->ev_arg;
+	rdataset = &val->frdataset;
+	eresult = devent->result;
+
+	isc_event_free(&event);
+	dns_resolver_destroyfetch(&val->fetch);
+
+	INSIST(val->event != NULL);
+
+	validator_log(val, ISC_LOG_DEBUG(3), "in dlv_fetched");
+	LOCK(&val->lock);
+	if (eresult == ISC_R_SUCCESS) {
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "dlv set with trust %d", rdataset->trust);
+		val->dlv = &val->frdataset;
+		result = dlv_validatezonekey(val);
+		if (result != DNS_R_WAIT)
+			validator_done(val, result);
+	} else if (eresult == DNS_R_NXRRSET ||
+		   eresult == DNS_R_NCACHENXRRSET)
+	{
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "falling back to insecurity proof");
+		val->attributes |= VALATTR_INSECURITY;
+		result = proveunsecure(val, ISC_FALSE);
+		if (result != DNS_R_WAIT)
+			validator_done(val, result);
+	} else {
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "dlv_fetched: got %s",
+			      isc_result_totext(eresult));
+		if (eresult == ISC_R_CANCELED)
+			validator_done(val, eresult);
+		else
+			validator_done(val, DNS_R_NOVALIDDS);
+	}
+	want_destroy = exit_check(val);
+	UNLOCK(&val->lock);
+	if (want_destroy)
+		destroy(val);
+}
+
+static isc_result_t
+dlv_validatezonekey(dns_validator_t *val) {
+	dns_fixedname_t fixed;
+	dns_keytag_t keytag;
 	dns_name_t *name;
+	dns_name_t tname;
+	dns_rdata_dlv_t dlv;
+	dns_rdata_dnskey_t key;
+	dns_rdata_rrsig_t sig;
+	dns_rdata_t dlvrdata = DNS_RDATA_INIT;
+	dns_rdata_t keyrdata = DNS_RDATA_INIT;
+	dns_rdata_t newdsrdata = DNS_RDATA_INIT;
+	dns_rdata_t sigrdata = DNS_RDATA_INIT;
+	dns_rdataset_t trdataset;
+	dst_key_t *dstkey;
+	isc_boolean_t supported_algorithm;
+	isc_result_t result;
+	unsigned char dsbuf[DNS_DS_BUFFERSIZE];
+	unsigned int labels;
+
+	val->attributes |= VALATTR_DLVTRIED;
+
+	dns_name_init(&tname, NULL);
+	dns_fixedname_init(&fixed);
+	name = dns_fixedname_name(&fixed);
+	labels = dns_name_countlabels(val->event->name);
+	dns_name_getlabelsequence(val->event->name, 0, labels - 1, &tname);
+	result = dns_name_concatenate(&tname, val->view->dlv, name, NULL);
+	if (result != ISC_R_SUCCESS) {
+		validator_log(val, ISC_LOG_DEBUG(2),
+			      "DLV concatenate failed");
+		return (DNS_R_NOVALIDSIG);
+	}
+	if (val->dlv == NULL) {
+		result = view_find(val, name, dns_rdatatype_dlv);
+		if (result == ISC_R_SUCCESS) {
+			/*
+			 * We have DLV records.
+			 */
+			val->dsset = &val->frdataset;
+			if (val->frdataset.trust == dns_trust_pending &&
+			    dns_rdataset_isassociated(&val->fsigrdataset))
+			{
+				result = create_validator(val,
+							  val->event->name,
+							  dns_rdatatype_ds,
+							  &val->frdataset,
+							  &val->fsigrdataset,
+							  dlv_validated,
+							  "dlv_validatezonekey");
+				if (result != ISC_R_SUCCESS)
+					return (result);
+				return (DNS_R_WAIT);
+			} else if (val->frdataset.trust == dns_trust_pending) {
+				/*
+				 * There should never be an unsigned DLV.
+				 */
+				dns_rdataset_disassociate(&val->frdataset);
+				validator_log(val, ISC_LOG_DEBUG(2),
+					      "unsigned DLV record");
+				return (DNS_R_NOVALIDSIG);
+			} else
+				result = ISC_R_SUCCESS;
+		} else if (result == ISC_R_NOTFOUND) {
+			result = create_fetch(val, name, dns_rdatatype_dlv,
+					      dlv_fetched,
+					      "dlv_validatezonekey");
+			if (result != ISC_R_SUCCESS)
+				return (result);
+			return (DNS_R_WAIT);
+		} else if (result ==  DNS_R_NCACHENXDOMAIN ||
+		   result == DNS_R_NCACHENXRRSET ||
+		   result == DNS_R_NXDOMAIN ||
+		   result == DNS_R_NXRRSET)
+		{
+			/*
+			 * The DS does not exist.
+			 */
+			if (dns_rdataset_isassociated(&val->frdataset))
+				dns_rdataset_disassociate(&val->frdataset);
+			if (dns_rdataset_isassociated(&val->fsigrdataset))
+				dns_rdataset_disassociate(&val->fsigrdataset);
+			validator_log(val, ISC_LOG_DEBUG(2), "no DLV record");
+			return (DNS_R_NOVALIDSIG);
+		}
+	}
+
+	/*
+	 * We have a DLV set.
+	 */
+	INSIST(val->dlv != NULL);
+
+	if (val->dlv->trust < dns_trust_secure) {
+		val->event->rdataset->trust = dns_trust_answer;
+		val->event->sigrdataset->trust = dns_trust_answer;
+		return (ISC_R_SUCCESS);
+	}
+
+	/*
+	 * Look through the DLV record and find the keys that can sign the
+	 * key set and the matching signature.  For each such key, attempt
+	 * verification.
+	 */
+
+	supported_algorithm = ISC_FALSE;
+
+	for (result = dns_rdataset_first(val->dlv);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(val->dlv))
+	{
+		dns_rdata_reset(&dlvrdata);
+		dns_rdataset_current(val->dlv, &dlvrdata);
+		(void)dns_rdata_tostruct(&dlvrdata, &dlv, NULL);
+
+		if (!dns_resolver_algorithm_supported(val->view->resolver,
+						      val->event->name,
+						      dlv.algorithm))
+			continue;
+
+		supported_algorithm = ISC_TRUE;
+
+		dns_rdataset_init(&trdataset);
+		dns_rdataset_clone(val->event->rdataset, &trdataset);
+
+		for (result = dns_rdataset_first(&trdataset);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdataset_next(&trdataset))
+		{
+			dns_rdata_reset(&keyrdata);
+			dns_rdataset_current(&trdataset, &keyrdata);
+			(void)dns_rdata_tostruct(&keyrdata, &key, NULL);
+			keytag = compute_keytag(&keyrdata, &key);
+			if (dlv.key_tag != keytag ||
+			    dlv.algorithm != key.algorithm)
+				continue;
+			dns_rdata_reset(&newdsrdata);
+			result = dns_ds_buildrdata(val->event->name,
+						   &keyrdata, dlv.digest_type,
+						   dsbuf, &newdsrdata);
+			if (result != ISC_R_SUCCESS)
+				continue;
+			/* Covert to DLV */
+			newdsrdata.type = dns_rdatatype_dlv;
+			if (dns_rdata_compare(&dlvrdata, &newdsrdata) == 0)
+				break;
+		}
+		if (result != ISC_R_SUCCESS) {
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "no KEY matching DLV");
+			continue;
+		}
+		
+		for (result = dns_rdataset_first(val->event->sigrdataset);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdataset_next(val->event->sigrdataset))
+		{
+			dns_rdata_reset(&sigrdata);
+			dns_rdataset_current(val->event->sigrdataset,
+					     &sigrdata);
+			(void)dns_rdata_tostruct(&sigrdata, &sig, NULL);
+			if (dlv.key_tag != sig.keyid &&
+			    dlv.algorithm != sig.algorithm)
+				continue;
+
+			dstkey = NULL;
+			result = dns_dnssec_keyfromrdata(val->event->name,
+							 &keyrdata,
+							 val->view->mctx,
+							 &dstkey);
+			if (result != ISC_R_SUCCESS)
+				/*
+				 * This really shouldn't happen, but...
+				 */
+				continue;
+
+			result = verify(val, dstkey, &sigrdata);
+			dst_key_free(&dstkey);
+			if (result == ISC_R_SUCCESS)
+				break;
+		}
+		dns_rdataset_disassociate(&trdataset);
+		if (result == ISC_R_SUCCESS)
+			break;
+		validator_log(val, ISC_LOG_DEBUG(3), "no SIG matching DLV key");
+	}
+	if (result == ISC_R_SUCCESS) {
+		val->event->rdataset->trust = dns_trust_secure;
+		val->event->sigrdataset->trust = dns_trust_secure;
+		validator_log(val, ISC_LOG_DEBUG(3), "marking as secure");
+		return (result);
+	} else if (result == ISC_R_NOMORE && !supported_algorithm) {
+		val->event->rdataset->trust = dns_trust_answer;
+		val->event->sigrdataset->trust = dns_trust_answer;
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "no supported algorithm (dlv)");
+		return (ISC_R_SUCCESS);
+	} else
+		return (DNS_R_NOVALIDSIG);
+}
+
+/*
+ * Attempts positive response validation of an RRset containing zone keys.
+ *
+ * Returns:
+ *	ISC_R_SUCCESS	Validation completed successfully
+ *	DNS_R_WAIT	Validation has started but is waiting
+ *			for an event.
+ *	Other return codes are possible and all indicate failure.
+ */
+static isc_result_t
+validatezonekey(dns_validator_t *val) {
+	isc_result_t result;
+	dns_validatorevent_t *event;
+	dns_rdataset_t trdataset;
+	dns_rdata_t dsrdata = DNS_RDATA_INIT;
+	dns_rdata_t newdsrdata = DNS_RDATA_INIT;
+	dns_rdata_t keyrdata = DNS_RDATA_INIT;
+	dns_rdata_t sigrdata = DNS_RDATA_INIT;
+	unsigned char dsbuf[DNS_DS_BUFFERSIZE];
+	dns_keytag_t keytag;
+	dns_rdata_ds_t ds;
+	dns_rdata_dnskey_t key;
+	dns_rdata_rrsig_t sig;
+	dst_key_t *dstkey;
+	isc_boolean_t supported_algorithm;
+
+	/*
+	 * Caller must be holding the validator lock.
+	 */
+
+	event = val->event;
+
+	if (val->dsset == NULL) {
+		/*
+		 * First, see if this key was signed by a trusted key.
+		 */
+		for (result = dns_rdataset_first(val->event->sigrdataset);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdataset_next(val->event->sigrdataset))
+		{
+			dns_keynode_t *keynode = NULL, *nextnode = NULL;
+
+			dns_rdata_reset(&sigrdata);
+			dns_rdataset_current(val->event->sigrdataset,
+					     &sigrdata);
+			(void)dns_rdata_tostruct(&sigrdata, &sig, NULL);
+			result = dns_keytable_findkeynode(val->keytable,
+							  val->event->name,
+							  sig.algorithm,
+							  sig.keyid,
+							  &keynode);
+			while (result == ISC_R_SUCCESS) {
+				dstkey = dns_keynode_key(keynode);
+				result = verify(val, dstkey, &sigrdata);
+				if (result == ISC_R_SUCCESS) {
+					dns_keytable_detachkeynode(val->keytable,
+								   &keynode);
+					break;
+				}
+				result = dns_keytable_findnextkeynode(
+								val->keytable,
+								keynode,
+								&nextnode);
+				dns_keytable_detachkeynode(val->keytable,
+							   &keynode);
+				keynode = nextnode;
+			}
+			if (result == ISC_R_SUCCESS) {
+				event->rdataset->trust = dns_trust_secure;
+				event->sigrdataset->trust = dns_trust_secure;
+				validator_log(val, ISC_LOG_DEBUG(3),
+					      "signed by trusted key; "
+					      "marking as secure");
+				return (result);
+			}
+		}
+
+		/*
+		 * If this is the root name and there was no trusted key,
+		 * give up, since there's no DS at the root.
+		 */
+		if (dns_name_equal(event->name, dns_rootname)) {
+			if ((val->attributes & VALATTR_TRIEDVERIFY) != 0)
+				return (DNS_R_NOVALIDSIG);
+			else
+				return (DNS_R_NOVALIDDS);
+		}
+
+		/*
+		 * Otherwise, try to find the DS record.
+		 */
+		result = view_find(val, val->event->name, dns_rdatatype_ds);
+		if (result == ISC_R_SUCCESS) {
+			/*
+			 * We have DS records.
+			 */
+			val->dsset = &val->frdataset;
+			if (val->frdataset.trust == dns_trust_pending &&
+			    dns_rdataset_isassociated(&val->fsigrdataset))
+			{
+				result = create_validator(val,
+							  val->event->name,
+							  dns_rdatatype_ds,
+							  &val->frdataset,
+							  &val->fsigrdataset,
+							  dsvalidated,
+							  "validatezonekey");
+				if (result != ISC_R_SUCCESS)
+					return (result);
+				return (DNS_R_WAIT);
+			} else if (val->frdataset.trust == dns_trust_pending) {
+				/*
+				 * There should never be an unsigned DS.
+				 */
+				dns_rdataset_disassociate(&val->frdataset);
+				validator_log(val, ISC_LOG_DEBUG(2),
+					      "unsigned DS record");
+				return (DNS_R_NOVALIDSIG);
+			} else
+				result = ISC_R_SUCCESS;
+		} else if (result == ISC_R_NOTFOUND) {
+			/*
+			 * We don't have the DS.  Find it.
+			 */
+			result = create_fetch(val, val->event->name,
+					      dns_rdatatype_ds, dsfetched,
+					      "validatezonekey");
+			if (result != ISC_R_SUCCESS)
+				return (result);
+			return (DNS_R_WAIT);
+		} else if (val->view->dlv != NULL && !DLVTRIED(val) &&
+			   (result == DNS_R_NCACHENXRRSET ||
+			    result == DNS_R_NXRRSET) &&
+			   !dns_name_issubdomain(val->event->name,
+						 val->view->dlv))
+		{
+
+			if (dns_rdataset_isassociated(&val->frdataset))
+				dns_rdataset_disassociate(&val->frdataset);
+			if (dns_rdataset_isassociated(&val->fsigrdataset))
+				dns_rdataset_disassociate(&val->fsigrdataset);
+
+			validator_log(val, ISC_LOG_DEBUG(2),
+				      "no DS record: looking for DLV");
+
+			return (dlv_validatezonekey(val));
+		 } else if (result ==  DNS_R_NCACHENXDOMAIN ||
+			   result == DNS_R_NCACHENXRRSET ||
+			   result == DNS_R_NXDOMAIN ||
+			   result == DNS_R_NXRRSET)
+		{
+			/*
+			 * The DS does not exist.
+			 */
+			if (dns_rdataset_isassociated(&val->frdataset))
+				dns_rdataset_disassociate(&val->frdataset);
+			if (dns_rdataset_isassociated(&val->fsigrdataset))
+				dns_rdataset_disassociate(&val->fsigrdataset);
+			validator_log(val, ISC_LOG_DEBUG(2), "no DS record");
+			return (DNS_R_NOVALIDSIG);
+		}
+	}
+
+	/*
+	 * We have a DS set.
+	 */
+	INSIST(val->dsset != NULL);
+
+	if (val->dsset->trust < dns_trust_secure) {
+		val->event->rdataset->trust = dns_trust_answer;
+		val->event->sigrdataset->trust = dns_trust_answer;
+		return (ISC_R_SUCCESS);
+	}
+
+	/*
+	 * Look through the DS record and find the keys that can sign the
+	 * key set and the matching signature.  For each such key, attempt
+	 * verification.
+	 */
+
+	supported_algorithm = ISC_FALSE;
+
+	for (result = dns_rdataset_first(val->dsset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(val->dsset))
+	{
+		dns_rdata_reset(&dsrdata);
+		dns_rdataset_current(val->dsset, &dsrdata);
+		(void)dns_rdata_tostruct(&dsrdata, &ds, NULL);
+
+		if (!dns_resolver_algorithm_supported(val->view->resolver,
+						      val->event->name,
+						      ds.algorithm))
+			continue;
+
+		supported_algorithm = ISC_TRUE;
+
+		dns_rdataset_init(&trdataset);
+		dns_rdataset_clone(val->event->rdataset, &trdataset);
+
+		for (result = dns_rdataset_first(&trdataset);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdataset_next(&trdataset))
+		{
+			dns_rdata_reset(&keyrdata);
+			dns_rdataset_current(&trdataset, &keyrdata);
+			(void)dns_rdata_tostruct(&keyrdata, &key, NULL);
+			keytag = compute_keytag(&keyrdata, &key);
+			if (ds.key_tag != keytag ||
+			    ds.algorithm != key.algorithm)
+				continue;
+			dns_rdata_reset(&newdsrdata);
+			result = dns_ds_buildrdata(val->event->name,
+						   &keyrdata, ds.digest_type,
+						   dsbuf, &newdsrdata);
+			if (result != ISC_R_SUCCESS)
+				continue;
+			if (dns_rdata_compare(&dsrdata, &newdsrdata) == 0)
+				break;
+		}
+		if (result != ISC_R_SUCCESS) {
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "no KEY matching DS");
+			continue;
+		}
+		
+		for (result = dns_rdataset_first(val->event->sigrdataset);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdataset_next(val->event->sigrdataset))
+		{
+			dns_rdata_reset(&sigrdata);
+			dns_rdataset_current(val->event->sigrdataset,
+					     &sigrdata);
+			(void)dns_rdata_tostruct(&sigrdata, &sig, NULL);
+			if (ds.key_tag != sig.keyid &&
+			    ds.algorithm != sig.algorithm)
+				continue;
+
+			dstkey = NULL;
+			result = dns_dnssec_keyfromrdata(val->event->name,
+							 &keyrdata,
+							 val->view->mctx,
+							 &dstkey);
+			if (result != ISC_R_SUCCESS)
+				/*
+				 * This really shouldn't happen, but...
+				 */
+				continue;
+
+			result = verify(val, dstkey, &sigrdata);
+			dst_key_free(&dstkey);
+			if (result == ISC_R_SUCCESS)
+				break;
+		}
+		dns_rdataset_disassociate(&trdataset);
+		if (result == ISC_R_SUCCESS)
+			break;
+		validator_log(val, ISC_LOG_DEBUG(3), "no SIG matching DS key");
+	}
+	if (result == ISC_R_SUCCESS) {
+		event->rdataset->trust = dns_trust_secure;
+		event->sigrdataset->trust = dns_trust_secure;
+		validator_log(val, ISC_LOG_DEBUG(3), "marking as secure");
+		return (result);
+	} else if (result == ISC_R_NOMORE && val->view->dlv != NULL &&
+		   !DLVTRIED(val) && !dns_name_issubdomain(val->event->name,
+							   val->view->dlv))
+	{
+		validator_log(val, ISC_LOG_DEBUG(2),
+			      "no DS/DNSKEY pair: looking for DLV");
+
+		return (dlv_validatezonekey(val));
+	} else if (result == ISC_R_NOMORE && !supported_algorithm) {
+		val->event->rdataset->trust = dns_trust_answer;
+		val->event->sigrdataset->trust = dns_trust_answer;
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "no supported algorithm (ds)");
+		return (ISC_R_SUCCESS);
+	} else
+		return (DNS_R_NOVALIDSIG);
+}
+
+/*
+ * Starts a positive response validation.
+ *
+ * Returns:
+ *	ISC_R_SUCCESS	Validation completed successfully
+ *	DNS_R_WAIT	Validation has started but is waiting
+ *			for an event.
+ *	Other return codes are possible and all indicate failure.
+ */
+static isc_result_t
+start_positive_validation(dns_validator_t *val) {
+	/*
+	 * If this is not a key, go straight into validate().
+	 */
+	if (val->event->type != dns_rdatatype_dnskey || !isselfsigned(val))
+		return (validate(val, ISC_FALSE));
+
+	return (validatezonekey(val));
+}
+
+static isc_result_t
+checkwildcard(dns_validator_t *val) {
+	dns_name_t *name, *wild;
 	dns_message_t *message = val->event->message;
 	isc_result_t result;
+	isc_boolean_t exists, data;
+	char namebuf[DNS_NAME_FORMATSIZE];
 
-	if (!resume) {
+	wild = dns_fixedname_name(&val->wild);
+	dns_name_format(wild, namebuf, sizeof(namebuf));
+	validator_log(val, ISC_LOG_DEBUG(3), "in checkwildcard: %s", namebuf);
+
+	for (result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
+	     result == ISC_R_SUCCESS;
+	     result = dns_message_nextname(message, DNS_SECTION_AUTHORITY))
+	{
+		dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL;
+
+		name = NULL;
+		dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
+
+		for (rdataset = ISC_LIST_HEAD(name->list);
+		     rdataset != NULL;
+		     rdataset = ISC_LIST_NEXT(rdataset, link))
+		{
+			if (rdataset->type != dns_rdatatype_nsec)
+				continue;
+			val->nsecset = rdataset;
+
+			for (sigrdataset = ISC_LIST_HEAD(name->list);
+			     sigrdataset != NULL;
+			     sigrdataset = ISC_LIST_NEXT(sigrdataset, link))
+			{
+				if (sigrdataset->type == dns_rdatatype_rrsig &&
+				    sigrdataset->covers == rdataset->type)
+					break;
+			}
+			if (sigrdataset == NULL)
+				continue;
+
+			if (rdataset->trust != dns_trust_secure)
+				continue;
+
+			if (((val->attributes & VALATTR_NEEDNODATA) != 0 ||
+			     (val->attributes & VALATTR_NEEDNOWILDCARD) != 0) &&
+			    (val->attributes & VALATTR_FOUNDNODATA) == 0 &&
+			    (val->attributes & VALATTR_FOUNDNOWILDCARD) == 0 &&
+			    nsecnoexistnodata(val, wild, name, rdataset,
+					      &exists, &data, NULL)
+					       == ISC_R_SUCCESS)
+			{
+				dns_name_t **proofs = val->event->proofs;
+				if (exists && !data)
+					val->attributes |= VALATTR_FOUNDNODATA;
+				if (exists && !data && NEEDNODATA(val))
+					proofs[DNS_VALIDATOR_NODATAPROOF] =
+							 name;
+				if (!exists)
+					val->attributes |=
+						 VALATTR_FOUNDNOWILDCARD;
+				if (!exists && NEEDNOQNAME(val))
+					proofs[DNS_VALIDATOR_NOWILDCARDPROOF] =
+							 name;
+				return (ISC_R_SUCCESS);
+			}
+		}
+	}
+	if (result == ISC_R_NOMORE)
+		result = ISC_R_SUCCESS;
+	return (result);
+}
+
+static isc_result_t
+nsecvalidate(dns_validator_t *val, isc_boolean_t resume) {
+	dns_name_t *name;
+	dns_message_t *message = val->event->message;
+	isc_result_t result;
+
+	if (!resume)
 		result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
-		if (result != ISC_R_SUCCESS)
-			validator_done(val, ISC_R_NOTFOUND);
-	} else {
+	else {
 		result = ISC_R_SUCCESS;
-		validator_log(val, ISC_LOG_DEBUG(3), "resuming nxtvalidate");
+		validator_log(val, ISC_LOG_DEBUG(3), "resuming nsecvalidate");
 	}
 
 	for (;
@@ -1157,66 +1916,64 @@ nxtvalidate(dns_validator_t *val, isc_boolean_t resume) {
 			rdataset = ISC_LIST_NEXT(val->currentset, link);
 			val->currentset = NULL;
 			resume = ISC_FALSE;
-		}
-		else
+		} else
 			rdataset = ISC_LIST_HEAD(name->list);
 
 		for (;
 		     rdataset != NULL;
 		     rdataset = ISC_LIST_NEXT(rdataset, link))
 		{
-			if (rdataset->type == dns_rdatatype_sig)
+			if (rdataset->type == dns_rdatatype_rrsig)
 				continue;
 
+			if (rdataset->type == dns_rdatatype_soa) {
+				val->soaset = rdataset;
+				val->soaname = name;
+			} else if (rdataset->type == dns_rdatatype_nsec)
+				val->nsecset = rdataset;
+
 			for (sigrdataset = ISC_LIST_HEAD(name->list);
 			     sigrdataset != NULL;
 			     sigrdataset = ISC_LIST_NEXT(sigrdataset,
 							 link))
 			{
-				if (sigrdataset->type == dns_rdatatype_sig &&
+				if (sigrdataset->type == dns_rdatatype_rrsig &&
 				    sigrdataset->covers == rdataset->type)
 					break;
 			}
 			if (sigrdataset == NULL)
 				continue;
-			val->seensig = ISC_TRUE;
 			/*
 			 * If a signed zone is missing the zone key, bad
 			 * things could happen.  A query for data in the zone
 			 * would lead to a query for the zone key, which
 			 * would return a negative answer, which would contain
-			 * an SOA and an NXT signed by the missing key, which
+			 * an SOA and an NSEC signed by the missing key, which
 			 * would trigger another query for the KEY (since the
 			 * first one is still in progress), and go into an
 			 * infinite loop.  Avoid that.
 			 */
-			if (val->event->type == dns_rdatatype_key &&
+			if (val->event->type == dns_rdatatype_dnskey &&
 			    dns_name_equal(name, val->event->name))
 			{
-				dns_rdata_t nxt = DNS_RDATA_INIT;
+				dns_rdata_t nsec = DNS_RDATA_INIT;
 
-				if (rdataset->type != dns_rdatatype_nxt)
+				if (rdataset->type != dns_rdatatype_nsec)
 					continue;
 
 				result = dns_rdataset_first(rdataset);
 				if (result != ISC_R_SUCCESS)
 					return (result);
-				dns_rdataset_current(rdataset, &nxt);
-				if (dns_nxt_typepresent(&nxt,
+				dns_rdataset_current(rdataset, &nsec);
+				if (dns_nsec_typepresent(&nsec,
 							dns_rdatatype_soa))
 					continue;
 			}
-			val->authvalidator = NULL;
 			val->currentset = rdataset;
-			result = dns_validator_create(val->view, name,
-						      rdataset->type,
-						      rdataset,
-						      sigrdataset,
-						      NULL, 0,
-						      val->task,
-						      authvalidated,
-						      val,
-						      &val->authvalidator);
+			result = create_validator(val, name, rdataset->type,
+						  rdataset, sigrdataset,
+						  authvalidated,
+						  "nsecvalidate");
 			if (result != ISC_R_SUCCESS)
 				return (result);
 			return (DNS_R_WAIT);
@@ -1226,25 +1983,61 @@ nxtvalidate(dns_validator_t *val, isc_boolean_t resume) {
 	if (result == ISC_R_NOMORE)
 		result = ISC_R_SUCCESS;
 	if (result != ISC_R_SUCCESS)
-		validator_done(val, result);
+		return (result);
+
+	/*
+	 * Do we only need to check for NOQNAME?
+	 */
+	if ((val->attributes & VALATTR_NEEDNODATA) == 0 &&
+	    (val->attributes & VALATTR_NEEDNOWILDCARD) == 0 &&
+	    (val->attributes & VALATTR_NEEDNOQNAME) != 0) {
+		if ((val->attributes & VALATTR_FOUNDNOQNAME) != 0) {
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "noqname proof found");
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "marking as secure");
+			val->event->rdataset->trust = dns_trust_secure;
+			val->event->sigrdataset->trust = dns_trust_secure;
+			return (ISC_R_SUCCESS);
+		}
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "noqname proof not found");
+		return (DNS_R_NOVALIDNSEC);
+	}
+
+	/*
+	 * Do we need to check for the wildcard?
+	 */
+	if ((val->attributes & VALATTR_FOUNDNOQNAME) != 0 &&
+	    (((val->attributes & VALATTR_NEEDNODATA) != 0 &&
+	      (val->attributes & VALATTR_FOUNDNODATA) == 0) ||
+	     (val->attributes & VALATTR_NEEDNOWILDCARD) != 0)) {
+		result = checkwildcard(val);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+	}
+
+	if (((val->attributes & VALATTR_NEEDNODATA) != 0 &&
+	     (val->attributes & VALATTR_FOUNDNODATA) != 0) ||
+	    ((val->attributes & VALATTR_NEEDNOQNAME) != 0 &&
+	     (val->attributes & VALATTR_FOUNDNOQNAME) != 0 &&
+	     (val->attributes & VALATTR_NEEDNOWILDCARD) != 0 &&
+	     (val->attributes & VALATTR_FOUNDNOWILDCARD) != 0))
+		val->attributes |= VALATTR_FOUNDNONEXISTENCE;
 
 	if ((val->attributes & VALATTR_FOUNDNONEXISTENCE) == 0) {
-		if (!val->seensig) {
-			result = dns_validator_create(val->view, name,
-						      dns_rdatatype_soa,
-						      &val->frdataset,
-						      NULL, NULL, 0,
-						      val->task,
-						      negauthvalidated,
-						      val,
-						      &val->authvalidator);
+		if (!val->seensig && val->soaset != NULL) {
+			result = create_validator(val, name, dns_rdatatype_soa,
+						  val->soaset, NULL,
+						  negauthvalidated,
+						  "nsecvalidate");
 			if (result != ISC_R_SUCCESS)
 				return (result);
 			return (DNS_R_WAIT);
 		}
 		validator_log(val, ISC_LOG_DEBUG(3),
 			      "nonexistence proof not found");
-		return (DNS_R_NOVALIDNXT);
+		return (DNS_R_NOVALIDNSEC);
 	} else {
 		validator_log(val, ISC_LOG_DEBUG(3),
 			      "nonexistence proof found");
@@ -1252,15 +2045,35 @@ nxtvalidate(dns_validator_t *val, isc_boolean_t resume) {
 	}
 }
 
-static inline isc_result_t
+static isc_boolean_t
+check_ds_algorithm(dns_validator_t *val, dns_name_t *name,
+		   dns_rdataset_t *rdataset) {
+	dns_rdata_t dsrdata = DNS_RDATA_INIT;
+	dns_rdata_ds_t ds;
+	isc_result_t result;
+
+	for (result = dns_rdataset_first(rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(rdataset)) {
+		dns_rdataset_current(rdataset, &dsrdata);
+		(void)dns_rdata_tostruct(&dsrdata, &ds, NULL);
+
+		if (dns_resolver_algorithm_supported(val->view->resolver,
+						     name, ds.algorithm))
+			return (ISC_TRUE);
+		dns_rdata_reset(&dsrdata);
+	}
+	return (ISC_FALSE);
+}
+
+static isc_result_t
 proveunsecure(dns_validator_t *val, isc_boolean_t resume) {
 	isc_result_t result;
-	dns_fixedname_t secroot, tfname;
+	dns_fixedname_t secroot;
 	dns_name_t *tname;
 
 	dns_fixedname_init(&secroot);
-	dns_fixedname_init(&tfname);
-	result = dns_keytable_finddeepestmatch(val->view->secroots,
+	result = dns_keytable_finddeepestmatch(val->keytable,
 					       val->event->name,
 					       dns_fixedname_name(&secroot));
 	/*
@@ -1272,130 +2085,131 @@ proveunsecure(dns_validator_t *val, isc_boolean_t resume) {
 	else if (result != ISC_R_SUCCESS)
 		return (result);
 
-	/*
-	 * If this is a security root, it's ok.
-	 */
-	if (val->event->type == dns_rdatatype_key &&
-	    dns_name_equal(val->event->name, dns_fixedname_name(&secroot)) &&
-	    issecurityroot(val))
-	{
-		val->event->rdataset->trust = dns_trust_secure;
-		return (ISC_R_SUCCESS);
-	}
-
-	if (!resume)
-		val->labels = dns_name_depth(dns_fixedname_name(&secroot)) + 1;
-	else {
+	if (!resume) {
+		val->labels =
+			dns_name_countlabels(dns_fixedname_name(&secroot)) + 1;
+	} else {
 		validator_log(val, ISC_LOG_DEBUG(3), "resuming proveunsecure");
+		if (val->frdataset.trust >= dns_trust_secure &&
+		    !check_ds_algorithm(val, dns_fixedname_name(&val->fname),
+					&val->frdataset)) {
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "no supported algorithm (ds)");
+			val->event->rdataset->trust = dns_trust_answer;
+			result = ISC_R_SUCCESS;
+			goto out;
+		}
 		val->labels++;
 	}
 
 	for (;
-	     val->labels <= dns_name_depth(val->event->name);
+	     val->labels <= dns_name_countlabels(val->event->name);
 	     val->labels++)
 	{
-		char namebuf[1024];
+		char namebuf[DNS_NAME_FORMATSIZE];
 
-		if (val->labels == dns_name_depth(val->event->name)) {
-			if (val->event->type == dns_rdatatype_key)
-				break;
-			tname = val->event->name;
-		} else {
-			tname = dns_fixedname_name(&tfname);
-			result = dns_name_splitatdepth(val->event->name,
-						       val->labels,
-						       NULL, tname);
-			if (result != ISC_R_SUCCESS)
-				return (result);
-		}
+		dns_fixedname_init(&val->fname);
+		tname = dns_fixedname_name(&val->fname);
+		if (val->labels == dns_name_countlabels(val->event->name))
+			dns_name_copy(val->event->name, tname, NULL);
+		else
+			dns_name_split(val->event->name, val->labels,
+				       NULL, tname);
 
 		dns_name_format(tname, namebuf, sizeof(namebuf));
 		validator_log(val, ISC_LOG_DEBUG(3),
-			      "looking for null keyset at '%s'",
+			      "checking existence of DS at '%s'",
 			      namebuf);
 
-		if (dns_rdataset_isassociated(&val->frdataset))
-			dns_rdataset_disassociate(&val->frdataset);
-		if (dns_rdataset_isassociated(&val->fsigrdataset))
-			dns_rdataset_disassociate(&val->fsigrdataset);
-
-		result = dns_view_simplefind(val->view, tname,
-					     dns_rdatatype_key, 0,
-					     DNS_DBFIND_PENDINGOK, ISC_FALSE,
-					     &val->frdataset,
-					     &val->fsigrdataset);
-		if (result == ISC_R_SUCCESS) {
-			dns_name_t *fname = NULL;
-
-			if (!dns_rdataset_isassociated(&val->fsigrdataset)) {
-				result = DNS_R_NOTINSECURE;
+		result = view_find(val, tname, dns_rdatatype_ds);
+		if (result == DNS_R_NXRRSET || result == DNS_R_NCACHENXRRSET) {
+			/*
+			 * There is no DS.  If this is a delegation,
+			 * we're done.
+			 */
+			if (val->frdataset.trust < dns_trust_secure) {
+				/*
+				 * This shouldn't happen, since the negative
+				 * response should have been validated.  Since
+				 * there's no way of validating existing
+				 * negative response blobs, give up.
+				 */
+				result = DNS_R_NOVALIDSIG;
 				goto out;
 			}
-			validator_log(val, ISC_LOG_DEBUG(3),
-				      "found keyset, looking for null key");
-			if (!containsnullkey(val, &val->frdataset))
-				continue;
-
-			if (val->frdataset.trust >= dns_trust_secure) {
-				validator_log(val, ISC_LOG_DEBUG(3),
-					      "insecurity proof succeeded");
+			if (isdelegation(tname, &val->frdataset, result)) {
 				val->event->rdataset->trust = dns_trust_answer;
-				result = ISC_R_SUCCESS;
-				goto out;
+				return (ISC_R_SUCCESS);
 			}
-
-			fname = isc_mem_get(val->view->mctx, sizeof *fname);
-			if (fname == NULL)
-				return (ISC_R_NOMEMORY);
-			dns_name_init(fname, NULL);
-			result = dns_name_dup(tname, val->view->mctx, fname);
-			if (result != ISC_R_SUCCESS) {
-				isc_mem_put(val->view->mctx, fname,
-					    sizeof *fname);
-				result = ISC_R_NOMEMORY;
+			continue;
+		} else if (result == ISC_R_SUCCESS) {
+			/*
+			 * There is a DS here.  Verify that it's secure and
+			 * continue.
+			 */
+			if (val->frdataset.trust >= dns_trust_secure) {
+				if (!check_ds_algorithm(val, tname,
+							&val->frdataset)) {
+					validator_log(val, ISC_LOG_DEBUG(3),
+					      "no supported algorithm (ds)");
+					val->event->rdataset->trust =
+							dns_trust_answer;
+					result = ISC_R_SUCCESS;
+					goto out;
+				}
+				continue;
+			}
+			else if (!dns_rdataset_isassociated(&val->fsigrdataset))
+			{
+				result = DNS_R_NOVALIDSIG;
 				goto out;
 			}
-
-			result = dns_validator_create(val->view,
-						      fname,
-						      dns_rdatatype_key,
-						      &val->frdataset,
-						      &val->fsigrdataset,
-						      NULL,
-						      0,
-						      val->task,
-						      nullkeyvalidated,
-						      val,
-						      &val->keyvalidator);
+			result = create_validator(val, tname, dns_rdatatype_ds,
+						  &val->frdataset,
+						  &val->fsigrdataset,
+						  dsvalidated,
+						  "proveunsecure");
 			if (result != ISC_R_SUCCESS)
 				goto out;
 			return (DNS_R_WAIT);
+		} else if (result == DNS_R_NXDOMAIN ||
+			   result == DNS_R_NCACHENXDOMAIN)
+		{
+			/*
+			 * This is not a zone cut.  Assuming things are
+			 * as expected, continue.
+			 */
+			if (!dns_rdataset_isassociated(&val->frdataset)) {
+				/*
+				 * There should be an NSEC here, since we
+				 * are still in a secure zone.
+				 */
+				result = DNS_R_NOVALIDNSEC;
+				goto out;
+			} else if (val->frdataset.trust < dns_trust_secure) {
+				/*
+				 * This shouldn't happen, since the negative
+				 * response should have been validated.  Since
+				 * there's no way of validating existing
+				 * negative response blobs, give up.
+				 */
+				result = DNS_R_NOVALIDSIG;
+				goto out;
+			}
+			continue;
 		} else if (result == ISC_R_NOTFOUND) {
-			val->fetch = NULL;
-			result = dns_resolver_createfetch(val->view->resolver,
-							tname,
-							dns_rdatatype_key,
-							NULL, NULL, NULL, 0,
-							val->event->ev_sender,
-							fetch_callback_nullkey,
-							val,
-							&val->frdataset,
-							&val->fsigrdataset,
-							&val->fetch);
+			/*
+			 * We don't know anything about the DS.  Find it.
+			 */
+			result = create_fetch(val, tname, dns_rdatatype_ds,
+					      dsfetched2, "proveunsecure");
 			if (result != ISC_R_SUCCESS)
 				goto out;
 			return (DNS_R_WAIT);
-		} else if (result == DNS_R_NCACHENXDOMAIN ||
-			 result == DNS_R_NCACHENXRRSET ||
-			 result == DNS_R_NXDOMAIN ||
-			 result == DNS_R_NXRRSET)
-		{
-			continue;
-		} else
-			goto out;
+		}
 	}
 	validator_log(val, ISC_LOG_DEBUG(3), "insecurity proof failed");
-	return (DNS_R_NOTINSECURE); /* Didn't find a null key */
+	return (DNS_R_NOTINSECURE); /* Couldn't complete insecurity proof */
 
  out:
 	if (dns_rdataset_isassociated(&val->frdataset))
@@ -1409,6 +2223,7 @@ static void
 validator_start(isc_task_t *task, isc_event_t *event) {
 	dns_validator_t *val;
 	dns_validatorevent_t *vevent;
+	isc_boolean_t want_destroy = ISC_FALSE;
 	isc_result_t result = ISC_R_FAILURE;
 
 	UNUSED(task);
@@ -1429,19 +2244,21 @@ validator_start(isc_task_t *task, isc_event_t *event) {
 
 		/*
 		 * This looks like a simple validation.  We say "looks like"
-		 * because we don't know if wildcards are involved yet so it
-		 * could still get complicated.
+		 * because it might end up requiring an insecurity proof.
 		 */
 		validator_log(val, ISC_LOG_DEBUG(3),
 			      "attempting positive response validation");
 
-		result = validate(val, ISC_FALSE);
+		INSIST(dns_rdataset_isassociated(val->event->rdataset));
+		INSIST(dns_rdataset_isassociated(val->event->sigrdataset));
+		result = start_positive_validation(val);
 		if (result == DNS_R_NOVALIDSIG &&
 		    (val->attributes & VALATTR_TRIEDVERIFY) == 0)
 		{
 			saved_result = result;
 			validator_log(val, ISC_LOG_DEBUG(3),
 				      "falling back to insecurity proof");
+			val->attributes |= VALATTR_INSECURITY;
 			result = proveunsecure(val, ISC_FALSE);
 			if (result == DNS_R_NOTINSECURE)
 				result = saved_result;
@@ -1451,12 +2268,14 @@ validator_start(isc_task_t *task, isc_event_t *event) {
 		 * This is either an unsecure subdomain or a response from
 		 * a broken server.
 		 */
+		INSIST(dns_rdataset_isassociated(val->event->rdataset));
 		validator_log(val, ISC_LOG_DEBUG(3),
 			      "attempting insecurity proof");
 
+		val->attributes |= VALATTR_INSECURITY;
 		result = proveunsecure(val, ISC_FALSE);
 	} else if (val->event->rdataset == NULL &&
-		 val->event->sigrdataset == NULL)
+		   val->event->sigrdataset == NULL)
 	{
 		/*
 		 * This is a nonexistence validation.
@@ -1464,7 +2283,13 @@ validator_start(isc_task_t *task, isc_event_t *event) {
 		validator_log(val, ISC_LOG_DEBUG(3),
 			      "attempting negative response validation");
 
-		result = nxtvalidate(val, ISC_FALSE);
+		val->attributes |= VALATTR_NEGATIVE;
+		if (val->event->message->rcode == dns_rcode_nxdomain) {
+			val->attributes |= VALATTR_NEEDNOQNAME;
+			val->attributes |= VALATTR_NEEDNOWILDCARD;
+		} else
+			val->attributes |= VALATTR_NEEDNODATA;
+		result = nsecvalidate(val, ISC_FALSE);
 	} else {
 		/*
 		 * This shouldn't happen.
@@ -1472,10 +2297,14 @@ validator_start(isc_task_t *task, isc_event_t *event) {
 		INSIST(0);
 	}
 
-	if (result != DNS_R_WAIT)
+	if (result != DNS_R_WAIT) {
+		want_destroy = exit_check(val);
 		validator_done(val, result);
+	}
 
 	UNLOCK(&val->lock);
+	if (want_destroy)
+		destroy(val);
 }
 
 isc_result_t
@@ -1500,7 +2329,7 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
 	tclone = NULL;
 	result = ISC_R_FAILURE;
 
-	val = isc_mem_get(view->mctx, sizeof *val);
+	val = isc_mem_get(view->mctx, sizeof(*val));
 	if (val == NULL)
 		return (ISC_R_NOMEMORY);
 	val->view = NULL;
@@ -1509,7 +2338,7 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
 		isc_event_allocate(view->mctx, task,
 				   DNS_EVENT_VALIDATORSTART,
 				   validator_start, NULL,
-				   sizeof (dns_validatorevent_t));
+				   sizeof(dns_validatorevent_t));
 	if (event == NULL) {
 		result = ISC_R_NOMEMORY;
 		goto cleanup_val;
@@ -1522,6 +2351,7 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
 	event->rdataset = rdataset;
 	event->sigrdataset = sigrdataset;
 	event->message = message;
+	memset(event->proofs, 0, sizeof(event->proofs));
 	result = isc_mutex_init(&val->lock);
 	if (result != ISC_R_SUCCESS)
 		goto cleanup_event;
@@ -1529,8 +2359,10 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
 	val->options = options;
 	val->attributes = 0;
 	val->fetch = NULL;
-	val->keyvalidator = NULL;
-	val->authvalidator = NULL;
+	val->subvalidator = NULL;
+	val->parent = NULL;
+	val->keytable = NULL;
+	dns_keytable_attach(val->view->secroots, &val->keytable);
 	val->keynode = NULL;
 	val->key = NULL;
 	val->siginfo = NULL;
@@ -1540,14 +2372,19 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
 	val->labels = 0;
 	val->currentset = NULL;
 	val->keyset = NULL;
+	val->dsset = NULL;
+	val->dlv = NULL;
+	val->soaset = NULL;
+	val->nsecset = NULL;
+	val->soaname = NULL;
 	val->seensig = ISC_FALSE;
 	dns_rdataset_init(&val->frdataset);
 	dns_rdataset_init(&val->fsigrdataset);
+	dns_fixedname_init(&val->wild);
 	ISC_LINK_INIT(val, link);
 	val->magic = VALIDATOR_MAGIC;
 
-	if ((options & DNS_VALIDATOR_DEFER) == 0)
-		isc_task_send(task, ISC_EVENT_PTR(&event));
+	isc_task_send(task, (isc_event_t **) (void *)&event);
 
 	*validatorp = val;
 
@@ -1555,31 +2392,16 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
 
  cleanup_event:
 	isc_task_detach(&tclone);
-	isc_event_free(ISC_EVENT_PTR(&event));
+	isc_event_free((isc_event_t **)&val->event);
 
  cleanup_val:
 	dns_view_weakdetach(&val->view);
-	isc_mem_put(view->mctx, val, sizeof *val);
+	isc_mem_put(view->mctx, val, sizeof(*val));
 
 	return (result);
 }
 
 void
-dns_validator_send(dns_validator_t *validator) {
-	isc_event_t *event;
-	REQUIRE(VALID_VALIDATOR(validator));
-
-	LOCK(&validator->lock);
-
-	INSIST((validator->options & DNS_VALIDATOR_DEFER) != 0);
-	event = (isc_event_t *)validator->event;
-	validator->options &= ~DNS_VALIDATOR_DEFER;
-	UNLOCK(&validator->lock);
-
-	isc_task_send(validator->task, ISC_EVENT_PTR(&event));
-}
-
-void
 dns_validator_cancel(dns_validator_t *validator) {
 	REQUIRE(VALID_VALIDATOR(validator));
 
@@ -1588,23 +2410,11 @@ dns_validator_cancel(dns_validator_t *validator) {
 	validator_log(validator, ISC_LOG_DEBUG(3), "dns_validator_cancel");
 
 	if (validator->event != NULL) {
-		validator_done(validator, ISC_R_CANCELED);
-
 		if (validator->fetch != NULL)
 			dns_resolver_cancelfetch(validator->fetch);
 
-		if (validator->keyvalidator != NULL)
-			dns_validator_cancel(validator->keyvalidator);
-
-		if (validator->authvalidator != NULL)
-			dns_validator_cancel(validator->authvalidator);
-
-		if ((validator->options & DNS_VALIDATOR_DEFER) != 0) {
-			isc_task_t *task = validator->event->ev_sender;
-			validator->options &= ~DNS_VALIDATOR_DEFER;
-			isc_event_free((isc_event_t **)&validator->event);
-			isc_task_detach(&task);
-		}
+		if (validator->subvalidator != NULL)
+			dns_validator_cancel(validator->subvalidator);
 	}
 	UNLOCK(&validator->lock);
 }
@@ -1621,17 +2431,17 @@ destroy(dns_validator_t *val) {
 		dns_keytable_detachkeynode(val->keytable, &val->keynode);
 	else if (val->key != NULL)
 		dst_key_free(&val->key);
-	if (val->keyvalidator != NULL)
-		dns_validator_destroy(&val->keyvalidator);
-	if (val->authvalidator != NULL)
-		dns_validator_destroy(&val->authvalidator);
+	if (val->keytable != NULL)
+		dns_keytable_detach(&val->keytable);
+	if (val->subvalidator != NULL)
+		dns_validator_destroy(&val->subvalidator);
 	mctx = val->view->mctx;
 	if (val->siginfo != NULL)
-		isc_mem_put(mctx, val->siginfo, sizeof *val->siginfo);
+		isc_mem_put(mctx, val->siginfo, sizeof(*val->siginfo));
 	DESTROYLOCK(&val->lock);
 	dns_view_weakdetach(&val->view);
 	val->magic = 0;
-	isc_mem_put(mctx, val, sizeof *val);
+	isc_mem_put(mctx, val, sizeof(*val));
 }
 
 void
@@ -1645,14 +2455,10 @@ dns_validator_destroy(dns_validator_t **validatorp) {
 
 	LOCK(&val->lock);
 
-	REQUIRE(val->event == NULL);
-
+	val->attributes |= VALATTR_SHUTDOWN;
 	validator_log(val, ISC_LOG_DEBUG(3), "dns_validator_destroy");
 
-	val->attributes |= VALATTR_SHUTDOWN;
-	if (val->fetch == NULL && val->keyvalidator == NULL &&
-	    val->authvalidator == NULL)
-		want_destroy = ISC_TRUE;
+	want_destroy = exit_check(val);
 
 	UNLOCK(&val->lock);
 
@@ -1662,12 +2468,6 @@ dns_validator_destroy(dns_validator_t **validatorp) {
 	*validatorp = NULL;
 }
 
-
-static void
-validator_logv(dns_validator_t *val, isc_logcategory_t *category,
-	       isc_logmodule_t *module, int level, const char *fmt, va_list ap)
-     ISC_FORMAT_PRINTF(5, 0);
-
 static void
 validator_logv(dns_validator_t *val, isc_logcategory_t *category,
 	       isc_logmodule_t *module, int level, const char *fmt, va_list ap)
@@ -1677,42 +2477,45 @@ validator_logv(dns_validator_t *val, isc_logcategory_t *category,
 	vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
 
 	if (val->event != NULL && val->event->name != NULL) {
-		char namebuf[1024];
-		char typebuf[256];
-		isc_buffer_t b;
-		isc_region_t r;
+		char namebuf[DNS_NAME_FORMATSIZE];
+		char typebuf[DNS_RDATATYPE_FORMATSIZE];
 
 		dns_name_format(val->event->name, namebuf, sizeof(namebuf));
-
-		isc_buffer_init(&b, (unsigned char *)typebuf, sizeof(typebuf));
-		if (dns_rdatatype_totext(val->event->type, &b)
-		    != ISC_R_SUCCESS)
-		{
-			isc_buffer_clear(&b);
-			isc_buffer_putstr(&b, "<bad type>");
-		}
-		isc_buffer_usedregion(&b, &r);
+		dns_rdatatype_format(val->event->type, typebuf,
+				     sizeof(typebuf));
 		isc_log_write(dns_lctx, category, module, level,
-			      "validating %s %.*s: %s", namebuf,
-			      (int)r.length, (char *)r.base, msgbuf);
+			      "validating %s %s: %s", namebuf, typebuf,
+			      msgbuf);
 	} else {
 		isc_log_write(dns_lctx, category, module, level,
 			      "validator @%p: %s", val, msgbuf);
-
 	}
 }
 
 static void
-validator_log(dns_validator_t *val, int level, const char *fmt, ...)
-{
+validator_log(dns_validator_t *val, int level, const char *fmt, ...) {
 	va_list ap;
 
 	if (! isc_log_wouldlog(dns_lctx, level))
 		return;
 
 	va_start(ap, fmt);
+
 	validator_logv(val, DNS_LOGCATEGORY_DNSSEC,
 		       DNS_LOGMODULE_VALIDATOR, level, fmt, ap);
 	va_end(ap);
 }
 
+static void
+validator_logcreate(dns_validator_t *val,
+		    dns_name_t *name, dns_rdatatype_t type,
+		    const char *caller, const char *operation)
+{
+	char namestr[DNS_NAME_FORMATSIZE];
+	char typestr[DNS_RDATATYPE_FORMATSIZE];
+
+	dns_name_format(name, namestr, sizeof(namestr));
+	dns_rdatatype_format(type, typestr, sizeof(typestr));
+	validator_log(val, ISC_LOG_DEBUG(9), "%s: creating %s for %s %s",
+		      caller, operation, namestr, typestr);
+}
diff --git a/lib/dns/version.c b/lib/dns/version.c
index bc8bcfd6..6b043ab5 100644
--- a/lib/dns/version.c
+++ b/lib/dns/version.c
@@ -15,10 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: version.c,v 1.9.2.1 2004/03/09 06:11:10 marka Exp $ */
+/* $Id: version.c,v 1.9.12.3 2004/03/08 09:04:33 marka Exp $ */
 
-char dns_version[] = VERSION;
+#include <dns/version.h>
 
-unsigned int dns_libinterface = LIBINTERFACE;
-unsigned int dns_librevision = LIBREVISION;
-unsigned int dns_libage = LIBAGE;
+const char dns_version[] = VERSION;
+
+const unsigned int dns_libinterface = LIBINTERFACE;
+const unsigned int dns_librevision = LIBREVISION;
+const unsigned int dns_libage = LIBAGE;
diff --git a/lib/dns/view.c b/lib/dns/view.c
index 33842f72..ac7af616 100644
--- a/lib/dns/view.c
+++ b/lib/dns/view.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: view.c,v 1.103.2.12 2007/03/06 02:10:58 tbox Exp $ */
+/* $Id: view.c,v 1.103.2.5.2.14 2004/03/10 02:55:58 marka Exp $ */
 
 #include <config.h>
 
@@ -33,6 +33,7 @@
 #include <dns/keytable.h>
 #include <dns/master.h>
 #include <dns/masterdump.h>
+#include <dns/order.h>
 #include <dns/peer.h>
 #include <dns/rdataset.h>
 #include <dns/request.h>
@@ -66,7 +67,7 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
 	REQUIRE(name != NULL);
 	REQUIRE(viewp != NULL && *viewp == NULL);
 
-	view = isc_mem_get(mctx, sizeof *view);
+	view = isc_mem_get(mctx, sizeof(*view));
 	if (view == NULL)
 		return (ISC_R_NOMEMORY);
 	view->name = isc_mem_strdup(mctx, name);
@@ -142,6 +143,10 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
 	if (result != ISC_R_SUCCESS)
 		goto cleanup_fwdtable;
 	view->peers = NULL;
+	view->order = NULL;
+	view->delonly = NULL;
+	view->rootdelonly = ISC_FALSE;
+	view->rootexclude = NULL;
 
 	/*
 	 * Initialize configuration data with default values.
@@ -150,38 +155,42 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
 	view->auth_nxdomain = ISC_FALSE; /* Was true in BIND 8 */
 	view->additionalfromcache = ISC_TRUE;
 	view->additionalfromauth = ISC_TRUE;
+	view->enablednssec = ISC_TRUE;
 	view->minimalresponses = ISC_FALSE;
 	view->transfer_format = dns_one_answer;
 	view->queryacl = NULL;
 	view->recursionacl = NULL;
-	view->v6synthesisacl = NULL;
 	view->sortlist = NULL;
 	view->requestixfr = ISC_TRUE;
 	view->provideixfr = ISC_TRUE;
 	view->maxcachettl = 7 * 24 * 3600;
 	view->maxncachettl = 3 * 3600;
 	view->dstport = 53;
+	view->preferred_glue = 0;
 	view->flush = ISC_FALSE;
-	view->delonly = NULL;
-	view->rootdelonly = ISC_FALSE;
-	view->rootexclude = NULL;
+	view->dlv = NULL;
+	dns_fixedname_init(&view->dlv_fixed);
 
-	result = dns_peerlist_new(view->mctx, &view->peers);
+	result = dns_order_create(view->mctx, &view->order);
 	if (result != ISC_R_SUCCESS)
 		goto cleanup_dynkeys;
 
+	result = dns_peerlist_new(view->mctx, &view->peers);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_order;
+
 	result = dns_aclenv_init(view->mctx, &view->aclenv);
 	if (result != ISC_R_SUCCESS)
 		goto cleanup_peerlist;
 
 	ISC_LINK_INIT(view, link);
-	ISC_EVENT_INIT(&view->resevent, sizeof view->resevent, 0, NULL,
+	ISC_EVENT_INIT(&view->resevent, sizeof(view->resevent), 0, NULL,
 		       DNS_EVENT_VIEWRESSHUTDOWN, resolver_shutdown,
 		       view, NULL, NULL, NULL);
-	ISC_EVENT_INIT(&view->adbevent, sizeof view->adbevent, 0, NULL,
+	ISC_EVENT_INIT(&view->adbevent, sizeof(view->adbevent), 0, NULL,
 		       DNS_EVENT_VIEWADBSHUTDOWN, adb_shutdown,
 		       view, NULL, NULL, NULL);
-	ISC_EVENT_INIT(&view->reqevent, sizeof view->reqevent, 0, NULL,
+	ISC_EVENT_INIT(&view->reqevent, sizeof(view->reqevent), 0, NULL,
 		       DNS_EVENT_VIEWREQSHUTDOWN, req_shutdown,
 		       view, NULL, NULL, NULL);
 	view->magic = DNS_VIEW_MAGIC;
@@ -193,6 +202,9 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
  cleanup_peerlist:
 	dns_peerlist_detach(&view->peers);
 
+ cleanup_order:
+	dns_order_detach(&view->order);
+
  cleanup_dynkeys:
 	dns_tsigkeyring_destroy(&view->dynamickeys);
 
@@ -215,7 +227,7 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
 	isc_mem_free(mctx, view->name);
 
  cleanup_view:
-	isc_mem_put(mctx, view, sizeof *view);
+	isc_mem_put(mctx, view, sizeof(*view));
 
 	return (result);
 }
@@ -229,6 +241,8 @@ destroy(dns_view_t *view) {
 	REQUIRE(ADBSHUTDOWN(view));
 	REQUIRE(REQSHUTDOWN(view));
 
+	if (view->order != NULL)
+		dns_order_detach(&view->order);
 	if (view->peers != NULL)
 		dns_peerlist_detach(&view->peers);
 	if (view->dynamickeys != NULL)
@@ -257,8 +271,6 @@ destroy(dns_view_t *view) {
 		dns_acl_detach(&view->queryacl);
 	if (view->recursionacl != NULL)
 		dns_acl_detach(&view->recursionacl);
-	if (view->v6synthesisacl != NULL)
-		dns_acl_detach(&view->v6synthesisacl);
 	if (view->sortlist != NULL)
 		dns_acl_detach(&view->sortlist);
 	if (view->delonly != NULL) {
@@ -303,7 +315,7 @@ destroy(dns_view_t *view) {
 	DESTROYLOCK(&view->lock);
 	isc_refcount_destroy(&view->references);
 	isc_mem_free(view->mctx, view->name);
-	isc_mem_put(view->mctx, view, sizeof *view);
+	isc_mem_put(view->mctx, view, sizeof(*view));
 }
 
 /*
@@ -387,7 +399,7 @@ dialup(dns_zone_t *zone, void *dummy) {
 void
 dns_view_dialup(dns_view_t *view) {
 	REQUIRE(DNS_VIEW_VALID(view));
-	dns_zt_apply(view->zonetable, ISC_FALSE, dialup, NULL);
+	(void)dns_zt_apply(view->zonetable, ISC_FALSE, dialup, NULL);
 }
 
 void
@@ -510,6 +522,7 @@ dns_view_createresolver(dns_view_t *view,
 {
 	isc_result_t result;
 	isc_event_t *event;
+	isc_mem_t *mctx = NULL;
 
 	REQUIRE(DNS_VIEW_VALID(view));
 	REQUIRE(!view->frozen);
@@ -532,8 +545,14 @@ dns_view_createresolver(dns_view_t *view,
 	dns_resolver_whenshutdown(view->resolver, view->task, &event);
 	view->attributes &= ~DNS_VIEWATTR_RESSHUTDOWN;
 
-	result = dns_adb_create(view->mctx, view, timermgr, taskmgr,
-				&view->adb);
+	result = isc_mem_create(0, 0, &mctx);
+	if (result != ISC_R_SUCCESS) {
+		dns_resolver_shutdown(view->resolver);
+		return (result);
+	}
+
+	result = dns_adb_create(mctx, view, timermgr, taskmgr, &view->adb);
+	isc_mem_detach(&mctx);
 	if (result != ISC_R_SUCCESS) {
 		dns_resolver_shutdown(view->resolver);
 		return (result);
@@ -658,9 +677,8 @@ dns_view_find(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
 
 	REQUIRE(DNS_VIEW_VALID(view));
 	REQUIRE(view->frozen);
-	REQUIRE(type != dns_rdatatype_sig);
+	REQUIRE(type != dns_rdatatype_rrsig);
 	REQUIRE(rdataset != NULL);  /* XXXBEW - remove this */
-	REQUIRE(nodep == NULL || *nodep == NULL);
 
 	/*
 	 * Initialize.
@@ -861,7 +879,7 @@ dns_view_simplefind(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
 			       rdataset, sigrdataset);
 	if (result == DNS_R_NXDOMAIN) {
 		/*
-		 * The rdataset and sigrdataset of the relevant NXT record
+		 * The rdataset and sigrdataset of the relevant NSEC record
 		 * may be returned, but the caller cannot use them because
 		 * foundname is not returned by this simplified API.  We
 		 * disassociate them here to prevent any misuse by the caller.
@@ -1165,9 +1183,7 @@ dns_view_dumpdbtostream(dns_view_t *view, FILE *fp) {
 					  &dns_master_style_cache, fp);
 	if (result != ISC_R_SUCCESS)
 		return (result);
-#ifdef notyet /* clean up adb dump format first */
 	dns_adb_dump(view->adb, fp);
-#endif
 	return (ISC_R_SUCCESS);
 }
 
@@ -1190,6 +1206,18 @@ dns_view_flushcache(dns_view_t *view) {
 }
 
 isc_result_t
+dns_view_flushname(dns_view_t *view, dns_name_t *name) {
+
+	REQUIRE(DNS_VIEW_VALID(view));
+
+	if (view->adb != NULL)
+		dns_adb_flushname(view->adb, name);
+	if (view->cache == NULL)
+		return (ISC_R_SUCCESS);
+	return (dns_cache_flushname(view->cache, name));
+}
+
+isc_result_t
 dns_view_adddelegationonly(dns_view_t *view, dns_name_t *name) {
 	isc_result_t result;
 	dns_name_t *new;
diff --git a/lib/dns/win32/DLLMain.c b/lib/dns/win32/DLLMain.c
index 01663ce7..ae06c783 100644
--- a/lib/dns/win32/DLLMain.c
+++ b/lib/dns/win32/DLLMain.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: DLLMain.c,v 1.3.2.3 2007/06/18 23:45:27 tbox Exp $ */
+/* $Id: DLLMain.c,v 1.3.206.1 2004/03/06 08:14:26 marka Exp $ */
 
 #include <windows.h>
 #include <signal.h>
 
+BOOL InitSockets(void);
+ 
 /*
  * Called when we enter the DLL
  */
diff --git a/lib/dns/win32/gen.dsp b/lib/dns/win32/gen.dsp
index 1d0fc34e..a176787a 100644
--- a/lib/dns/win32/gen.dsp
+++ b/lib/dns/win32/gen.dsp
@@ -1,107 +1,107 @@
-# Microsoft Developer Studio Project File - Name="gen" - Package Owner=<4>

-# Microsoft Developer Studio Generated Build File, Format Version 6.00

-# ** DO NOT EDIT **

-

-# TARGTYPE "Win32 (x86) Console Application" 0x0103

-

-CFG=gen - Win32 Debug

-!MESSAGE This is not a valid makefile. To build this project using NMAKE,

-!MESSAGE use the Export Makefile command and run

-!MESSAGE 

-!MESSAGE NMAKE /f "gen.mak".

-!MESSAGE 

-!MESSAGE You can specify a configuration when running NMAKE

-!MESSAGE by defining the macro CFG on the command line. For example:

-!MESSAGE 

-!MESSAGE NMAKE /f "gen.mak" CFG="gen - Win32 Debug"

-!MESSAGE 

-!MESSAGE Possible choices for configuration are:

-!MESSAGE 

-!MESSAGE "gen - Win32 Release" (based on "Win32 (x86) Console Application")

-!MESSAGE "gen - Win32 Debug" (based on "Win32 (x86) Console Application")

-!MESSAGE 

-

-# Begin Project

-# PROP AllowPerConfigDependencies 0

-# PROP Scc_ProjName ""

-# PROP Scc_LocalPath ""

-CPP=cl.exe

-RSC=rc.exe

-

-!IF  "$(CFG)" == "gen - Win32 Release"

-

-# PROP BASE Use_MFC 0

-# PROP BASE Use_Debug_Libraries 0

-# PROP BASE Output_Dir "Release"

-# PROP BASE Intermediate_Dir "Release"

-# PROP BASE Target_Dir ""

-# PROP Use_MFC 0

-# PROP Use_Debug_Libraries 0

-# PROP Output_Dir "Release"

-# PROP Intermediate_Dir "Release"

-# PROP Ignore_Export_Lib 0

-# PROP Target_Dir ""

-# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c

-# ADD CPP /nologo /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "LIBISC_EXPORTS" /YX /FD /c

-# ADD BASE RSC /l 0x409 /d "NDEBUG"

-# ADD RSC /l 0x409 /d "NDEBUG"

-BSC32=bscmake.exe

-# ADD BASE BSC32 /nologo

-# ADD BSC32 /nologo

-LINK32=link.exe

-# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386

-# ADD LINK32 user32.lib advapi32.lib /nologo /subsystem:console /machine:I386 /out:"../gen.exe"

-

-!ELSEIF  "$(CFG)" == "gen - Win32 Debug"

-

-# PROP BASE Use_MFC 0

-# PROP BASE Use_Debug_Libraries 1

-# PROP BASE Output_Dir "Debug"

-# PROP BASE Intermediate_Dir "Debug"

-# PROP BASE Target_Dir ""

-# PROP Use_MFC 0

-# PROP Use_Debug_Libraries 1

-# PROP Output_Dir "Debug"

-# PROP Intermediate_Dir "Debug"

-# PROP Ignore_Export_Lib 0

-# PROP Target_Dir ""

-# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c

-# ADD CPP /nologo /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /D "_DEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "LIBISC_EXPORTS" /FR /FD /GZ /c

-# SUBTRACT CPP /X /YX

-# ADD BASE RSC /l 0x409 /d "_DEBUG"

-# ADD RSC /l 0x409 /d "_DEBUG"

-BSC32=bscmake.exe

-# ADD BASE BSC32 /nologo

-# ADD BSC32 /nologo

-LINK32=link.exe

-# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept

-# ADD LINK32 user32.lib advapi32.lib /nologo /subsystem:console /debug /machine:I386 /out:"../gen.exe" /pdbtype:sept

-

-!ENDIF 

-

-# Begin Target

-

-# Name "gen - Win32 Release"

-# Name "gen - Win32 Debug"

-# Begin Group "Source Files"

-

-# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"

-# Begin Source File

-

-SOURCE=..\gen.c

-# End Source File

-# End Group

-# Begin Group "Header Files"

-

-# PROP Default_Filter "h;hpp;hxx;hm;inl"

-# Begin Source File

-

-SOURCE="..\gen-win32.h"

-# End Source File

-# End Group

-# Begin Group "Resource Files"

-

-# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"

-# End Group

-# End Target

-# End Project

+# Microsoft Developer Studio Project File - Name="gen" - Package Owner=<4>
+# Microsoft Developer Studio Generated Build File, Format Version 6.00
+# ** DO NOT EDIT **
+
+# TARGTYPE "Win32 (x86) Console Application" 0x0103
+
+CFG=gen - Win32 Debug
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,
+!MESSAGE use the Export Makefile command and run
+!MESSAGE 
+!MESSAGE NMAKE /f "gen.mak".
+!MESSAGE 
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "gen.mak" CFG="gen - Win32 Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "gen - Win32 Release" (based on "Win32 (x86) Console Application")
+!MESSAGE "gen - Win32 Debug" (based on "Win32 (x86) Console Application")
+!MESSAGE 
+
+# Begin Project
+# PROP AllowPerConfigDependencies 0
+# PROP Scc_ProjName ""
+# PROP Scc_LocalPath ""
+CPP=cl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "gen - Win32 Release"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 0
+# PROP BASE Output_Dir "Release"
+# PROP BASE Intermediate_Dir "Release"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 0
+# PROP Output_Dir "Release"
+# PROP Intermediate_Dir "Release"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
+# ADD CPP /nologo /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "LIBISC_EXPORTS" /YX /FD /c
+# ADD BASE RSC /l 0x409 /d "NDEBUG"
+# ADD RSC /l 0x409 /d "NDEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
+# ADD LINK32 user32.lib advapi32.lib /nologo /subsystem:console /machine:I386 /out:"../gen.exe"
+
+!ELSEIF  "$(CFG)" == "gen - Win32 Debug"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 1
+# PROP BASE Output_Dir "Debug"
+# PROP BASE Intermediate_Dir "Debug"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 1
+# PROP Output_Dir "Debug"
+# PROP Intermediate_Dir "Debug"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c
+# ADD CPP /nologo /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /D "_DEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "LIBISC_EXPORTS" /FR /FD /GZ /c
+# SUBTRACT CPP /X /YX
+# ADD BASE RSC /l 0x409 /d "_DEBUG"
+# ADD RSC /l 0x409 /d "_DEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
+# ADD LINK32 user32.lib advapi32.lib /nologo /subsystem:console /debug /machine:I386 /out:"../gen.exe" /pdbtype:sept
+
+!ENDIF 
+
+# Begin Target
+
+# Name "gen - Win32 Release"
+# Name "gen - Win32 Debug"
+# Begin Group "Source Files"
+
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
+# Begin Source File
+
+SOURCE=..\gen.c
+# End Source File
+# End Group
+# Begin Group "Header Files"
+
+# PROP Default_Filter "h;hpp;hxx;hm;inl"
+# Begin Source File
+
+SOURCE="..\gen-win32.h"
+# End Source File
+# End Group
+# Begin Group "Resource Files"
+
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"
+# End Group
+# End Target
+# End Project
diff --git a/lib/dns/win32/gen.dsw b/lib/dns/win32/gen.dsw
index e44f5893..e4c143cc 100644
--- a/lib/dns/win32/gen.dsw
+++ b/lib/dns/win32/gen.dsw
@@ -1,29 +1,29 @@
-Microsoft Developer Studio Workspace File, Format Version 6.00

-# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!

-

-###############################################################################

-

-Project: "gen"=".\gen.dsp" - Package Owner=<4>

-

-Package=<5>

-{{{

-}}}

-

-Package=<4>

-{{{

-}}}

-

-###############################################################################

-

-Global:

-

-Package=<5>

-{{{

-}}}

-

-Package=<3>

-{{{

-}}}

-

-###############################################################################

-

+Microsoft Developer Studio Workspace File, Format Version 6.00
+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!
+
+###############################################################################
+
+Project: "gen"=".\gen.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+}}}
+
+###############################################################################
+
+Global:
+
+Package=<5>
+{{{
+}}}
+
+Package=<3>
+{{{
+}}}
+
+###############################################################################
+
diff --git a/lib/dns/win32/gen.mak b/lib/dns/win32/gen.mak
index 5800af14..35044e54 100644
--- a/lib/dns/win32/gen.mak
+++ b/lib/dns/win32/gen.mak
@@ -1,267 +1,170 @@
-# Microsoft Developer Studio Generated NMAKE File, Based on gen.dsp

-!IF "$(CFG)" == ""

-CFG=gen - Win32 Debug

-!MESSAGE No configuration specified. Defaulting to gen - Win32 Debug.

-!ENDIF 

-

-!IF "$(CFG)" != "gen - Win32 Release" && "$(CFG)" != "gen - Win32 Debug"

-!MESSAGE Invalid configuration "$(CFG)" specified.

-!MESSAGE You can specify a configuration when running NMAKE

-!MESSAGE by defining the macro CFG on the command line. For example:

-!MESSAGE 

-!MESSAGE NMAKE /f "gen.mak" CFG="gen - Win32 Debug"

-!MESSAGE 

-!MESSAGE Possible choices for configuration are:

-!MESSAGE 

-!MESSAGE "gen - Win32 Release" (based on "Win32 (x86) Console Application")

-!MESSAGE "gen - Win32 Debug" (based on "Win32 (x86) Console Application")

-!MESSAGE 

-!ERROR An invalid configuration is specified.

-!ENDIF 

-

-!IF "$(OS)" == "Windows_NT"

-NULL=

-!ELSE 

-NULL=nul

-!ENDIF 

-

-CPP=cl.exe

-RSC=rc.exe

-

-!IF  "$(CFG)" == "gen - Win32 Release"

-_VC_MANIFEST_INC=0

-_VC_MANIFEST_BASENAME=__VC80

-!ELSE

-_VC_MANIFEST_INC=1

-_VC_MANIFEST_BASENAME=__VC80.Debug

-!ENDIF

-

-####################################################

-# Specifying name of temporary resource file used only in incremental builds:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res

-!else

-_VC_MANIFEST_AUTO_RES=

-!endif

-

-####################################################

-# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-

-#MT_SPECIAL_RETURN=1090650113

-#MT_SPECIAL_SWITCH=-notify_resource_update

-MT_SPECIAL_RETURN=0

-MT_SPECIAL_SWITCH=

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \

-if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \

-rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \

-link $** /out:$@ $(LFLAGS)

-

-!else

-

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1

-

-!endif

-

-####################################################

-# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-

-#MT_SPECIAL_RETURN=1090650113

-#MT_SPECIAL_SWITCH=-notify_resource_update

-MT_SPECIAL_RETURN=0

-MT_SPECIAL_SWITCH=

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \

-if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \

-rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \

-link $** /out:$@ $(LFLAGS)

-

-!else

-

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2

-

-!endif

-####################################################

-# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-

-_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \

-    $(_VC_MANIFEST_BASENAME).auto.rc \

-    $(_VC_MANIFEST_BASENAME).auto.manifest

-

-!else

-

-_VC_MANIFEST_CLEAN=

-

-!endif

-

-!IF  "$(CFG)" == "gen - Win32 Release"

-

-OUTDIR=.\Release

-INTDIR=.\Release

-

-ALL : "..\gen.exe"

-

-

-CLEAN :

-	-@erase "$(INTDIR)\gen.obj"

-	-@erase "$(INTDIR)\vc60.idb"

-	-@erase "..\gen.exe"

-	-@$(_VC_MANIFEST_CLEAN)

-

-"$(OUTDIR)" :

-    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"

-

-CPP_PROJ=/nologo /ML /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "LIBISC_EXPORTS" /Fp"$(INTDIR)\gen.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 

-BSC32=bscmake.exe

-BSC32_FLAGS=/nologo /o"$(OUTDIR)\gen.bsc" 

-BSC32_SBRS= \

-	

-LINK32=link.exe

-LINK32_FLAGS=user32.lib advapi32.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\gen.pdb" /machine:I386 /out:"../gen.exe" 

-LINK32_OBJS= \

-	"$(INTDIR)\gen.obj"

-

-"..\gen.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)

-    $(LINK32) @<<

-  $(LINK32_FLAGS) $(LINK32_OBJS)

-<<

-  $(_VC_MANIFEST_EMBED_EXE)

-

-!ELSEIF  "$(CFG)" == "gen - Win32 Debug"

-

-OUTDIR=.\Debug

-INTDIR=.\Debug

-# Begin Custom Macros

-OutDir=.\Debug

-# End Custom Macros

-

-ALL : "..\gen.exe" "$(OUTDIR)\gen.bsc"

-

-

-CLEAN :

-	-@erase "$(INTDIR)\gen.obj"

-	-@erase "$(INTDIR)\gen.sbr"

-	-@erase "$(INTDIR)\vc60.idb"

-	-@erase "$(INTDIR)\vc60.pdb"

-	-@erase "$(OUTDIR)\gen.bsc"

-	-@erase "$(OUTDIR)\gen.pdb"

-	-@erase "..\gen.exe"

-	-@erase "..\gen.ilk"

-	-@$(_VC_MANIFEST_CLEAN)

-

-"$(OUTDIR)" :

-    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"

-

-CPP_PROJ=/nologo /MLd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /D "_DEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "LIBISC_EXPORTS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 

-BSC32=bscmake.exe

-BSC32_FLAGS=/nologo /o"$(OUTDIR)\gen.bsc" 

-BSC32_SBRS= \

-	"$(INTDIR)\gen.sbr"

-

-"$(OUTDIR)\gen.bsc" : "$(OUTDIR)" $(BSC32_SBRS)

-    $(BSC32) @<<

-  $(BSC32_FLAGS) $(BSC32_SBRS)

-<<

-

-LINK32=link.exe

-LINK32_FLAGS=user32.lib advapi32.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\gen.pdb" /debug /machine:I386 /out:"../gen.exe" /pdbtype:sept 

-LINK32_OBJS= \

-	"$(INTDIR)\gen.obj"

-

-"..\gen.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)

-    $(LINK32) @<<

-  $(LINK32_FLAGS) $(LINK32_OBJS)

-<<

-  $(_VC_MANIFEST_EMBED_EXE)

-

-!ENDIF 

-

-.c{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.c{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-

-!IF "$(NO_EXTERNAL_DEPS)" != "1"

-!IF EXISTS("gen.dep")

-!INCLUDE "gen.dep"

-!ELSE 

-!MESSAGE Warning: cannot find "gen.dep"

-!ENDIF 

-!ENDIF 

-

-

-!IF "$(CFG)" == "gen - Win32 Release" || "$(CFG)" == "gen - Win32 Debug"

-SOURCE=..\gen.c

-

-!IF  "$(CFG)" == "gen - Win32 Release"

-

-

-"$(INTDIR)\gen.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "gen - Win32 Debug"

-

-

-"$(INTDIR)\gen.obj"	"$(INTDIR)\gen.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-

-!ENDIF 

-

-####################################################

-# Commands to generate initial empty manifest file and the RC file

-# that references it, and for generating the .res file:

-

-$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc

-

-$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest

-    type <<$@

-#include <winuser.h>

-1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"

-<< KEEP

-

-$(_VC_MANIFEST_BASENAME).auto.manifest :

-    type <<$@

-<?xml version='1.0' encoding='UTF-8' standalone='yes'?>

-<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>

-</assembly>

-<< KEEP

+# Microsoft Developer Studio Generated NMAKE File, Based on gen.dsp
+!IF "$(CFG)" == ""
+CFG=gen - Win32 Debug
+!MESSAGE No configuration specified. Defaulting to gen - Win32 Debug.
+!ENDIF 
+
+!IF "$(CFG)" != "gen - Win32 Release" && "$(CFG)" != "gen - Win32 Debug"
+!MESSAGE Invalid configuration "$(CFG)" specified.
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "gen.mak" CFG="gen - Win32 Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "gen - Win32 Release" (based on "Win32 (x86) Console Application")
+!MESSAGE "gen - Win32 Debug" (based on "Win32 (x86) Console Application")
+!MESSAGE 
+!ERROR An invalid configuration is specified.
+!ENDIF 
+
+!IF "$(OS)" == "Windows_NT"
+NULL=
+!ELSE 
+NULL=nul
+!ENDIF 
+
+CPP=cl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "gen - Win32 Release"
+
+OUTDIR=.\Release
+INTDIR=.\Release
+
+ALL : "..\gen.exe"
+
+
+CLEAN :
+	-@erase "$(INTDIR)\gen.obj"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "..\gen.exe"
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP_PROJ=/nologo /ML /W3 /GX /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "LIBISC_EXPORTS" /Fp"$(INTDIR)\gen.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\gen.bsc" 
+BSC32_SBRS= \
+	
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\gen.pdb" /machine:I386 /out:"../gen.exe" 
+LINK32_OBJS= \
+	"$(INTDIR)\gen.obj"
+
+"..\gen.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+
+!ELSEIF  "$(CFG)" == "gen - Win32 Debug"
+
+OUTDIR=.\Debug
+INTDIR=.\Debug
+# Begin Custom Macros
+OutDir=.\Debug
+# End Custom Macros
+
+ALL : "..\gen.exe" "$(OUTDIR)\gen.bsc"
+
+
+CLEAN :
+	-@erase "$(INTDIR)\gen.obj"
+	-@erase "$(INTDIR)\gen.sbr"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "$(INTDIR)\vc60.pdb"
+	-@erase "$(OUTDIR)\gen.bsc"
+	-@erase "$(OUTDIR)\gen.pdb"
+	-@erase "..\gen.exe"
+	-@erase "..\gen.ilk"
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP_PROJ=/nologo /MLd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /D "_DEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "LIBISC_EXPORTS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\gen.bsc" 
+BSC32_SBRS= \
+	"$(INTDIR)\gen.sbr"
+
+"$(OUTDIR)\gen.bsc" : "$(OUTDIR)" $(BSC32_SBRS)
+    $(BSC32) @<<
+  $(BSC32_FLAGS) $(BSC32_SBRS)
+<<
+
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\gen.pdb" /debug /machine:I386 /out:"../gen.exe" /pdbtype:sept 
+LINK32_OBJS= \
+	"$(INTDIR)\gen.obj"
+
+"..\gen.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+
+!ENDIF 
+
+.c{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+
+!IF "$(NO_EXTERNAL_DEPS)" != "1"
+!IF EXISTS("gen.dep")
+!INCLUDE "gen.dep"
+!ELSE 
+!MESSAGE Warning: cannot find "gen.dep"
+!ENDIF 
+!ENDIF 
+
+
+!IF "$(CFG)" == "gen - Win32 Release" || "$(CFG)" == "gen - Win32 Debug"
+SOURCE=..\gen.c
+
+!IF  "$(CFG)" == "gen - Win32 Release"
+
+
+"$(INTDIR)\gen.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "gen - Win32 Debug"
+
+
+"$(INTDIR)\gen.obj"	"$(INTDIR)\gen.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+
+!ENDIF 
+
diff --git a/lib/dns/win32/libdns.def b/lib/dns/win32/libdns.def
index f9b8022e..bf4ac364 100644
--- a/lib/dns/win32/libdns.def
+++ b/lib/dns/win32/libdns.def
@@ -3,703 +3,752 @@ LIBRARY libdns
 ; Exported Functions
 EXPORTS
 
-dns_a6_copy
-dns_a6_foreach
-dns_a6_init
-dns_a6_invalidate
-dns_a6_reset
-dns_acl_any
+dns_acl_create
 dns_acl_appendelement
+dns_acl_any
+dns_acl_none
 dns_acl_attach
-dns_acl_create
 dns_acl_detach
+dns_aclelement_equal
 dns_acl_equal
 dns_acl_isinsecure
-dns_acl_match
-dns_acl_none
-dns_aclelement_equal
-dns_aclelement_match
+dns_aclenv_init
 dns_aclenv_copy
 dns_aclenv_destroy
-dns_aclenv_init
-dns_adb_adjustsrtt
-dns_adb_attach
-dns_adb_cancelfind
-dns_adb_changeflags
+dns_acl_match
+dns_aclelement_match
 dns_adb_create
+dns_adb_attach
+dns_adb_detach
+dns_adb_whenshutdown
+dns_adb_shutdown
 dns_adb_createfind
+dns_adb_cancelfind
 dns_adb_destroyfind
-dns_adb_detach
 dns_adb_dump
 dns_adb_dumpfind
+dns_adb_marklame
+dns_adb_adjustsrtt
+dns_adb_changeflags
 dns_adb_findaddrinfo
-dns_adb_flush
 dns_adb_freeaddrinfo
-dns_adb_marklame
-dns_adb_shutdown
-dns_adb_whenshutdown
-dns_byaddr_cancel
+dns_adb_flush
+dns_adb_setadbsize
 dns_byaddr_create
-dns_byaddr_createptrname
-dns_byaddr_createptrname2
+dns_byaddr_cancel
 dns_byaddr_destroy
-dns_cache_attach
-dns_cache_attachdb
-dns_cache_clean
+dns_byaddr_createptrname
 dns_cache_create
+dns_cache_attach
 dns_cache_detach
-dns_cache_dump
-dns_cache_flush
+dns_cache_attachdb
+dns_cache_setfilename
 dns_cache_load
-dns_cache_setcachesize
+dns_cache_dump
+dns_cache_clean
 dns_cache_setcleaninginterval
-dns_cache_setfilename
+dns_cache_setcachesize
+dns_cache_flush
+dns_rdatacallbacks_init
+dns_rdatacallbacks_init_stdio
 dns_cert_fromtext
 dns_cert_totext
-dns_compress_add
-dns_compress_findglobal
-dns_compress_getedns
-dns_compress_getmethods
 dns_compress_init
 dns_compress_invalidate
-dns_compress_rollback
 dns_compress_setmethods
-dns_counter_fromtext
-dns_db_addrdataset
-dns_db_allrdatasets
+dns_compress_getmethods
+dns_compress_getedns
+dns_compress_findglobal
+dns_compress_add
+dns_compress_rollback
+dns_decompress_init
+dns_decompress_invalidate
+dns_decompress_setmethods
+dns_decompress_getmethods
+dns_decompress_edns
+dns_decompress_type
+dns_db_create
 dns_db_attach
-dns_db_attachnode
-dns_db_attachversion
-dns_db_beginload
+dns_db_detach
+dns_db_ondestroy
+dns_db_iscache
+dns_db_iszone
+dns_db_isstub
+dns_db_issecure
+dns_db_origin
 dns_db_class
-dns_db_closeversion
-dns_db_create
-dns_db_createiterator
-dns_db_createsoatuple
+dns_db_beginload
+dns_db_endload
+dns_db_load
+dns_db_dump
 dns_db_currentversion
-dns_db_deleterdataset
-dns_db_detach
+dns_db_newversion
+dns_db_attachversion
+dns_db_closeversion
+dns_db_findnode
+dns_db_find
+dns_db_findzonecut
+dns_db_attachnode
 dns_db_detachnode
-dns_db_diff
-dns_db_dump
-dns_db_endload
 dns_db_expirenode
-dns_db_find
-dns_db_findnode
+dns_db_printnode
+dns_db_createiterator
 dns_db_findrdataset
-dns_db_findzonecut
+dns_db_allrdatasets
+dns_db_addrdataset
+dns_db_subtractrdataset
+dns_db_deleterdataset
 dns_db_getsoaserial
-dns_db_iscache
-dns_db_ispersistent
-dns_db_issecure
-dns_db_isstub
-dns_db_iszone
-dns_db_load
-dns_db_newversion
-dns_db_nodecount
-dns_db_ondestroy
-dns_db_origin
 dns_db_overmem
-dns_db_printnode
+dns_db_nodecount
+dns_db_ispersistent
 dns_db_register
-dns_db_subtractrdataset
 dns_db_unregister
-dns_dbiterator_current
 dns_dbiterator_destroy
 dns_dbiterator_first
 dns_dbiterator_last
+dns_dbiterator_seek
+dns_dbiterator_prev
 dns_dbiterator_next
-dns_dbiterator_origin
+dns_dbiterator_current
 dns_dbiterator_pause
-dns_dbiterator_prev
-dns_dbiterator_seek
+dns_dbiterator_origin
 dns_dbiterator_setcleanmode
-dns_dbtable_add
-dns_dbtable_adddefault
-dns_dbtable_attach
 dns_dbtable_create
+dns_dbtable_attach
 dns_dbtable_detach
-dns_dbtable_find
-dns_dbtable_getdefault
+dns_dbtable_add
 dns_dbtable_remove
+dns_dbtable_adddefault
+dns_dbtable_getdefault
 dns_dbtable_removedefault
-dns_decompress_edns
-dns_decompress_getmethods
-dns_decompress_init
-dns_decompress_invalidate
-dns_decompress_setmethods
-dns_decompress_type
+dns_dbtable_find
+
+dns_difftuple_create
+dns_difftuple_free
+dns_difftuple_copy
+dns_diff_init
+dns_diff_clear
 dns_diff_append
 dns_diff_appendminimal
+dns_diff_sort
 dns_diff_apply
-dns_diff_clear
-dns_diff_init
 dns_diff_load
 dns_diff_print
-dns_diff_sort
-dns_difftuple_copy
-dns_difftuple_create
-dns_difftuple_free
-dns_dispatch_addresponse
-dns_dispatch_attach
-dns_dispatch_cancel
-dns_dispatch_changeattributes
+dns_dispatchmgr_create
+dns_dispatchmgr_destroy
+dns_dispatchmgr_setblackhole
+dns_dispatchmgr_getblackhole
+dns_dispatch_getudp
 dns_dispatch_createtcp
+dns_dispatch_attach
 dns_dispatch_detach
-dns_dispatch_getlocaladdress
+dns_dispatch_starttcp
+dns_dispatch_addresponse
+dns_dispatch_removeresponse
 dns_dispatch_getsocket
-dns_dispatch_getudp
-dns_dispatch_hash
+dns_dispatch_getlocaladdress
+dns_dispatch_cancel
+dns_dispatch_changeattributes
 dns_dispatch_importrecv
-dns_dispatch_removeresponse
-dns_dispatch_starttcp
-dns_dispatchmgr_create
-dns_dispatchmgr_destroy
-dns_dispatchmgr_getblackhole
-dns_dispatchmgr_setblackhole
-dns_dnssec_findzonekeys
 dns_dnssec_keyfromrdata
 dns_dnssec_sign
-dns_dnssec_signmessage
 dns_dnssec_verify
+dns_dnssec_findzonekeys
+dns_dnssec_signmessage
 dns_dnssec_verifymessage
-dns_fwdtable_add
 dns_fwdtable_create
-dns_fwdtable_destroy
+dns_fwdtable_add
 dns_fwdtable_find
+dns_fwdtable_destroy
+dns_db_createsoatuple
+dns_journal_open
+dns_journal_destroy
 dns_journal_begin_transaction
+dns_journal_writediff
 dns_journal_commit
-dns_journal_current_rr
-dns_journal_destroy
-dns_journal_first_rr
+dns_journal_writediff
+dns_journal_write_transaction
+dns_diff_sort
+dns_journal_writediff
 dns_journal_first_serial
-dns_journal_iter_init
 dns_journal_last_serial
+dns_journal_iter_init
+dns_journal_first_rr
 dns_journal_next_rr
-dns_journal_open
-dns_journal_print
+dns_journal_iter_init
+dns_journal_current_rr
 dns_journal_rollforward
-dns_journal_write_transaction
-dns_journal_writediff
+dns_journal_print
+dns_db_diff
 dns_keyflags_fromtext
-dns_keynode_key
-dns_keytable_add
-dns_keytable_attach
 dns_keytable_create
+dns_keytable_attach
 dns_keytable_detach
-dns_keytable_detachkeynode
-dns_keytable_finddeepestmatch
+dns_keytable_add
 dns_keytable_findkeynode
 dns_keytable_findnextkeynode
+dns_keytable_finddeepestmatch
+dns_keytable_detachkeynode
 dns_keytable_issecuredomain
-dns_label_countbits
-dns_label_getbit
-dns_label_type
+dns_keynode_key
 dns_lib_initmsgcat
-dns_loadctx_attach
-dns_loadctx_cancel
-dns_loadctx_detach
 dns_log_init
 dns_log_setcontext
-dns_lookup_cancel
 dns_lookup_create
+dns_lookup_cancel
 dns_lookup_destroy
-dns_master_dump
-dns_master_dumpnode
-dns_master_dumpnodetostream
-dns_master_dumptostream
-dns_master_loadbuffer
-dns_master_loadbufferinc
 dns_master_loadfile
-dns_master_loadfileinc
 dns_master_loadstream
+dns_master_loadbuffer
+dns_master_loadfileinc
 dns_master_loadstreaminc
-dns_master_questiontotext
+dns_master_loadbufferinc
+dns_loadctx_detach
+dns_loadctx_attach
+dns_loadctx_cancel
+dns_master_dumptostream
+dns_master_dump
 dns_master_rdatasettotext
-dns_message_addname
-dns_message_checksig
+dns_master_questiontotext
+dns_rdataset_towire
+dns_master_dumpnodetostream
+dns_master_dumpnode
+dns_message_gettempname
 dns_message_create
-dns_message_currentname
+dns_message_reset
 dns_message_destroy
-dns_message_find
+dns_message_sectiontotext
+dns_message_pseudosectiontotext
+dns_message_totext
+dns_message_parse
+dns_message_firstname
+dns_message_renderbegin
+dns_message_renderend
+dns_message_renderchangebuffer
+dns_message_renderend
+dns_message_renderreserve
+dns_message_renderrelease
+dns_message_rendersection
+dns_message_renderheader
+dns_message_renderend
+dns_message_renderend
+dns_message_renderreset
+dns_message_firstname
+dns_message_nextname
+dns_message_currentname
 dns_message_findname
 dns_message_findtype
-dns_message_firstname
-dns_message_getopt
-dns_message_getquerytsig
-dns_message_getrawmessage
-dns_message_getsig0
-dns_message_getsig0key
+dns_message_movename
+dns_message_addname
 dns_message_gettempname
 dns_message_gettempoffsets
 dns_message_gettemprdata
-dns_message_gettemprdatalist
 dns_message_gettemprdataset
-dns_message_gettimeadjust
-dns_message_gettsig
-dns_message_gettsigkey
-dns_message_movename
-dns_message_nextname
-dns_message_parse
-dns_message_peekheader
-dns_message_pseudosectiontotext
+dns_message_gettemprdatalist
 dns_message_puttempname
 dns_message_puttemprdata
-dns_message_puttemprdatalist
 dns_message_puttemprdataset
-dns_message_renderbegin
-dns_message_renderchangebuffer
-dns_message_renderend
-dns_message_renderheader
-dns_message_renderrelease
-dns_message_renderreserve
-dns_message_renderreset
-dns_message_rendersection
+dns_message_puttemprdatalist
+dns_message_peekheader
 dns_message_reply
-dns_message_reset
-dns_message_sectiontotext
+dns_message_getopt
 dns_message_setopt
+dns_message_gettsig
+dns_message_settsigkey
+dns_message_gettsigkey
 dns_message_setquerytsig
+dns_message_getquerytsig
+dns_message_getsig0
 dns_message_setsig0key
+dns_message_getsig0key
+dns_message_takebuffer
+dns_message_signer
+dns_message_checksig
+dns_message_getrawmessage
 dns_message_setsortorder
+dns_message_rendersection
 dns_message_settimeadjust
-dns_message_settsigkey
-dns_message_signer
-dns_message_takebuffer
-dns_message_totext
-dns_name_clone
-dns_name_compare
-dns_name_concatenate
-dns_name_copy
-dns_name_countlabels
-dns_name_depth
-dns_name_digest
-dns_name_downcase
-dns_name_dup
-dns_name_dupwithoffsets
-dns_name_dynamic
-dns_name_equal
-dns_name_format
-dns_name_free
-dns_name_fromregion
-dns_name_fromtext
-dns_name_fromwire
-dns_name_fullcompare
-dns_name_getlabel
-dns_name_getlabelsequence
-dns_name_hasbuffer
-dns_name_hash
+dns_message_gettimeadjust
 dns_name_init
+dns_name_reset
 dns_name_invalidate
+dns_name_setbuffer
+dns_name_hasbuffer
 dns_name_isabsolute
-dns_name_issubdomain
 dns_name_iswildcard
-dns_name_matcheswildcard
-dns_name_print
+dns_name_hash
+dns_name_fullcompare
+dns_name_compare
+dns_name_equal
 dns_name_rdatacompare
-dns_name_requiresedns
-dns_name_reset
-dns_name_setbuffer
-dns_name_split
-dns_name_splitatdepth
-dns_name_tofilenametext
+dns_name_issubdomain
+dns_name_matcheswildcard
+dns_name_countlabels
+dns_name_getlabel
+dns_name_getlabelsequence
+dns_name_clone
+dns_name_fromregion
 dns_name_toregion
-dns_name_totext
+dns_name_fromwire
 dns_name_towire
+dns_name_fromtext
+dns_name_totext
+dns_name_tofilenametext
+dns_name_downcase
+dns_name_concatenate
+dns_name_split
+dns_name_dup
+dns_name_dupwithoffsets
+dns_name_free
+dns_name_digest
+dns_name_dynamic
+dns_name_print
+dns_name_format
+dns_name_copy
 dns_ncache_add
 dns_ncache_towire
-dns_nxt_build
-dns_nxt_buildrdata
-dns_nxt_typepresent
+dns_nsec_buildrdata
+dns_nsec_build
+dns_nsec_typepresent
+dns_soa_getserial
+dns_soa_setserial
+dns_soa_getminimum
+dns_peerlist_new
+dns_peerlist_attach
+dns_peerlist_detach
+dns_peerlist_addpeer
+dns_peerlist_peerbyaddr
+dns_peerlist_currpeer
+dns_peer_new
 dns_peer_attach
 dns_peer_detach
+dns_peer_setbogus
 dns_peer_getbogus
-dns_peer_getkey
-dns_peer_getprovideixfr
+
+
+dns_peer_setrequestixfr
 dns_peer_getrequestixfr
-dns_peer_getsupportedns
-dns_peer_gettransferformat
-dns_peer_gettransfers
-dns_peer_new
-dns_peer_setbogus
-dns_peer_setkey
-dns_peer_setkeybycharp
 dns_peer_setprovideixfr
-dns_peer_setrequestixfr
+dns_peer_getprovideixfr
 dns_peer_setsupportedns
-dns_peer_settransferformat
+dns_peer_getsupportedns
 dns_peer_settransfers
-dns_peerlist_addpeer
-dns_peerlist_attach
-dns_peerlist_currpeer
-dns_peerlist_detach
-dns_peerlist_new
-dns_peerlist_peerbyaddr
+dns_peer_gettransfers
+dns_peer_settransferformat
+dns_peer_gettransferformat
+dns_peer_setkeybycharp
+dns_peer_getkey
+dns_peer_setkey
+dns_name_concatenate
+dns_name_totext
+dns_rbt_create
 dns_rbt_addname
 dns_rbt_addnode
-dns_rbt_create
-dns_rbt_deletename
-dns_rbt_deletenode
-dns_rbt_destroy
 dns_rbt_findname
 dns_rbt_findnode
-dns_rbt_formatnodename
-dns_rbt_fullnamefromnode
+dns_rbt_deletename
+dns_rbt_deletenode
 dns_rbt_namefromnode
+dns_rbt_fullnamefromnode
+dns_rbt_formatnodename
 dns_rbt_nodecount
+dns_rbt_destroy
 dns_rbt_printall
-dns_rbtnodechain_current
-dns_rbtnodechain_first
 dns_rbtnodechain_init
+dns_rbtnodechain_reset
 dns_rbtnodechain_invalidate
+dns_rbtnodechain_current
+dns_rbtnodechain_first
 dns_rbtnodechain_last
-dns_rbtnodechain_next
 dns_rbtnodechain_prev
-dns_rbtnodechain_reset
+dns_rbtnodechain_next
 dns_rcode_fromtext
 dns_rcode_totext
-dns_rdata_additionaldata
+dns_tsigrcode_fromtext
+dns_tsigrcode_totext
+dns_rdata_init
+dns_rdata_reset
 dns_rdata_clone
 dns_rdata_compare
-dns_rdata_covers
-dns_rdata_digest
-dns_rdata_freestruct
 dns_rdata_fromregion
-dns_rdata_fromstruct
-dns_rdata_fromtext
+dns_rdata_toregion
 dns_rdata_fromwire
-dns_rdata_init
-dns_rdata_reset
+dns_rdata_towire
+dns_rdata_fromtext
+
+dns_rdata_totext
 dns_rdata_tofmttext
-dns_rdata_toregion
+dns_rdata_fromstruct
 dns_rdata_tostruct
-dns_rdata_totext
-dns_rdata_towire
-dns_rdatacallbacks_init
-dns_rdatacallbacks_init_stdio
-dns_rdataclass_format
-dns_rdataclass_fromtext
+dns_rdata_freestruct
+dns_rdatatype_ismeta
+dns_rdatatype_issingleton
 dns_rdataclass_ismeta
+dns_rdatatype_isdnssec
+dns_rdatatype_iszonecutauth
+dns_rdatatype_isknown
+dns_rdata_additionaldata
+dns_rdata_digest
+dns_rdatatype_questiononly
+dns_rdatatype_notquestion
+dns_rdatatype_attributes
+dns_rdata_covers
+dns_rdataclass_fromtext
 dns_rdataclass_totext
+dns_rdataclass_format
 dns_rdatalist_init
 dns_rdatalist_tordataset
-dns_rdataset_additionaldata
-dns_rdataset_clone
-dns_rdataset_count
-dns_rdataset_current
-dns_rdataset_disassociate
-dns_rdataset_first
 dns_rdataset_init
 dns_rdataset_invalidate
+dns_rdataset_disassociate
 dns_rdataset_isassociated
 dns_rdataset_makequestion
+dns_rdataset_clone
+dns_rdataset_count
+dns_rdataset_first
 dns_rdataset_next
+dns_rdataset_current
 dns_rdataset_totext
 dns_rdataset_towire
 dns_rdataset_towiresorted
-dns_rdatasetiter_current
+dns_rdataset_additionaldata
 dns_rdatasetiter_destroy
 dns_rdatasetiter_first
 dns_rdatasetiter_next
-dns_rdataslab_equal
+dns_rdatasetiter_current
 dns_rdataslab_fromrdataset
-dns_rdataslab_merge
 dns_rdataslab_size
+dns_rdataslab_merge
 dns_rdataslab_subtract
-dns_rdatatype_attributes
-dns_rdatatype_format
+dns_rdataslab_equal
 dns_rdatatype_fromtext
-dns_rdatatype_isdnssec
-dns_rdatatype_isknown
-dns_rdatatype_ismeta
-dns_rdatatype_issingleton
-dns_rdatatype_iszonecutauth
-dns_rdatatype_notquestion
-dns_rdatatype_questiononly
 dns_rdatatype_totext
-dns_request_cancel
+dns_rdatatype_format
+dns_requestmgr_create
+dns_requestmgr_whenshutdown
+dns_requestmgr_shutdown
+dns_requestmgr_attach
+dns_requestmgr_detach
 dns_request_create
-dns_request_createraw
 dns_request_createvia
-dns_request_destroy
+dns_request_createraw
+dns_request_cancel
 dns_request_getresponse
 dns_request_usedtcp
-dns_requestmgr_attach
-dns_requestmgr_create
-dns_requestmgr_detach
-dns_requestmgr_shutdown
-dns_requestmgr_whenshutdown
-dns_resolver_attach
-dns_resolver_cancelfetch
+dns_request_destroy
+dns_resolver_createfetch
 dns_resolver_create
+dns_resolver_freeze
+dns_resolver_prime
+dns_resolver_whenshutdown
+dns_resolver_shutdown
+dns_resolver_attach
+dns_resolver_detach
 dns_resolver_createfetch
+dns_resolver_cancelfetch
 dns_resolver_destroyfetch
-dns_resolver_detach
 dns_resolver_dispatchmgr
 dns_resolver_dispatchv4
 dns_resolver_dispatchv6
-dns_resolver_freeze
-dns_resolver_getlamettl
-dns_resolver_prime
-dns_resolver_setlamettl
-dns_resolver_shutdown
 dns_resolver_socketmgr
 dns_resolver_taskmgr
-dns_resolver_whenshutdown
+dns_resolver_getlamettl
+dns_resolver_setlamettl
+dns_resolver_nrunning
+dns_result_totext
 dns_result_register
 dns_result_torcode
-dns_result_totext
 dns_rootns_create
-dns_sdb_putnamedrr
-dns_sdb_putrr
-dns_sdb_putsoa
 dns_sdb_register
 dns_sdb_unregister
+dns_sdb_putrr
+dns_sdb_putnamedrr
+dns_sdb_putsoa
+dns_sdb_putrdata
 dns_secalg_fromtext
 dns_secalg_totext
 dns_secproto_fromtext
 dns_secproto_totext
-dns_soa_getminimum
-dns_soa_getserial
-dns_soa_setserial
-dns_ssutable_addrule
-dns_ssutable_attach
-dns_ssutable_checkrules
 dns_ssutable_create
+dns_ssutable_attach
 dns_ssutable_detach
+dns_ssutable_addrule
+dns_ssutable_checkrules
 dns_stats_alloccounters
 dns_stats_freecounters
-dns_tcpmsg_cancelread
 dns_tcpmsg_init
-dns_tcpmsg_invalidate
-dns_tcpmsg_keepbuffer
-dns_tcpmsg_readmessage
 dns_tcpmsg_setmaxsize
-dns_time32_fromtext
-dns_time32_totext
+dns_tcpmsg_readmessage
+dns_tcpmsg_cancelread
+dns_tcpmsg_keepbuffer
+dns_tcpmsg_invalidate
 dns_time64_fromtext
+dns_time32_fromtext
 dns_time64_totext
+dns_time32_totext
 dns_timer_setidle
-dns_tkey_builddeletequery
+dns_tkeyctx_create
+dns_tkeyctx_destroy
+dns_tkey_processquery
 dns_tkey_builddhquery
 dns_tkey_buildgssquery
-dns_tkey_processdeleteresponse
+dns_tkey_builddeletequery
 dns_tkey_processdhresponse
 dns_tkey_processgssresponse
-dns_tkey_processquery
-dns_tkeyctx_create
-dns_tkeyctx_destroy
-dns_tsig_sign
-dns_tsig_verify
-dns_tsigkey_attach
+dns_tkey_processdeleteresponse
 dns_tsigkey_create
 dns_tsigkey_createfromkey
+dns_tsigkey_attach
 dns_tsigkey_detach
-dns_tsigkey_find
 dns_tsigkey_setdeleted
+dns_tsig_sign
+dns_tsig_verify
+dns_tsigkey_find
 dns_tsigkeyring_create
 dns_tsigkeyring_destroy
-dns_tsigrcode_fromtext
-dns_tsigrcode_totext
-dns_ttl_fromtext
 dns_ttl_totext
-dns_validator_cancel
+dns_counter_fromtext
+dns_ttl_fromtext
 dns_validator_create
+dns_validator_cancel
 dns_validator_destroy
-dns_view_adddelegationonly
-dns_view_addzone
-dns_view_attach
-dns_view_checksig
 dns_view_create
-dns_view_createresolver
+dns_view_attach
 dns_view_detach
-dns_view_dialup
-dns_view_dumpdbtostream
-dns_view_excludedelegationonly
-dns_view_find
-dns_view_findzone
-dns_view_findzonecut
 dns_view_flushanddetach
-dns_view_flushcache
-dns_view_freeze
-dns_view_getpeertsig
-dns_view_getrootdelonly
-dns_view_gettsig
-dns_view_isdelegationonly
-dns_view_load
-dns_view_loadnew
+dns_view_weakattach
+dns_view_weakdetach
+dns_view_createresolver
 dns_view_setcache
-dns_view_setdstport
 dns_view_sethints
 dns_view_setkeyring
-dns_view_setrootdelonly
+dns_view_setdstport
+dns_view_addzone
+dns_view_freeze
+dns_view_find
 dns_view_simplefind
-dns_view_weakattach
-dns_view_weakdetach
+dns_view_findzonecut
 dns_viewlist_find
-dns_xfrin_attach
+dns_view_findzone
+dns_view_load
+dns_view_loadnew
+dns_view_gettsig
+dns_view_getpeertsig
+dns_view_checksig
+dns_view_dialup
+dns_view_dumpdbtostream
+dns_view_flushcache
 dns_xfrin_create
-dns_xfrin_detach
 dns_xfrin_shutdown
-dns_zone_attach
-dns_zone_clearforwardacl
-dns_zone_clearnotifyacl
-dns_zone_clearqueryacl
-dns_zone_clearupdateacl
-dns_zone_clearxfracl
+dns_xfrin_detach
+dns_xfrin_attach
 dns_zone_create
-dns_zone_detach
-dns_zone_dialup
-dns_zone_dump
-dns_zone_dumptostream
-dns_zone_expire
-dns_zone_first
-dns_zone_flush
-dns_zone_forcereload
-dns_zone_forwardupdate
-dns_zone_getchecknames
+dns_zone_setclass
 dns_zone_getclass
-dns_zone_getdb
-dns_zone_getfile
-dns_zone_getforwardacl
-dns_zone_getidlein
-dns_zone_getidleout
-dns_zone_getjournal
-dns_zone_getjournalsize
-dns_zone_getmaxxfrin
-dns_zone_getmaxxfrout
-dns_zone_getmctx
-dns_zone_getmgr
-dns_zone_getnotifyacl
-dns_zone_getnotifysrc4
-dns_zone_getnotifysrc6
-dns_zone_getoptions
-dns_zone_getorigin
-dns_zone_getqueryacl
-dns_zone_getsigvalidityinterval
-dns_zone_getssutable
-dns_zone_getstatscounters
-dns_zone_gettask
-dns_zone_gettype
-dns_zone_getupdateacl
+dns_zone_settype
+dns_zone_setview
 dns_zone_getview
-dns_zone_getxfracl
-dns_zone_getxfrsource4
-dns_zone_getxfrsource6
+dns_zone_setorigin
+dns_zone_getorigin
+dns_zone_setfile
+dns_zone_getfile
+dns_zone_load
+dns_zone_attach
+dns_zone_detach
 dns_zone_iattach
 dns_zone_idetach
-dns_zone_isforced
-dns_zone_load
-dns_zone_log
-dns_zone_maintenance
+dns_zone_setflag
+dns_zone_getdb
+dns_zone_setdbtype
 dns_zone_markdirty
-dns_zone_next
-dns_zone_notify
-dns_zone_notifyreceive
+dns_zone_expire
 dns_zone_refresh
-dns_zone_replacedb
-dns_zone_setalsonotify
-dns_zone_setchecknames
-dns_zone_setclass
-dns_zone_setdbtype
-dns_zone_setdialup
-dns_zone_setfile
-dns_zone_setflag
-dns_zone_setforwardacl
-dns_zone_setidlein
-dns_zone_setidleout
-dns_zone_setjournal
-dns_zone_setjournalsize
+dns_zone_flush
+dns_zone_dump
+dns_zone_dumptostream
+dns_zone_maintenance
 dns_zone_setmasters
 dns_zone_setmasterswithkeys
-dns_zone_setmaxrefreshtime
-dns_zone_setmaxretrytime
-dns_zone_setmaxxfrin
-dns_zone_setmaxxfrout
+dns_zone_setmasters
+dns_zone_setalsonotify
+dns_zone_unload
+dns_zone_setoption
+
+dns_zone_getoptions
 dns_zone_setminrefreshtime
+dns_zone_setmaxrefreshtime
 dns_zone_setminretrytime
-dns_zone_setnotifyacl
+dns_zone_setmaxretrytime
+dns_zone_setxfrsource4
+dns_zone_getxfrsource4
+dns_zone_setxfrsource6
+dns_zone_getxfrsource6
 dns_zone_setnotifysrc4
+dns_zone_getnotifysrc4
 dns_zone_setnotifysrc6
-dns_zone_setnotifytype
-dns_zone_setoption
-dns_zone_setorigin
+dns_zone_getnotifysrc6
+dns_zone_setnotifyacl
 dns_zone_setqueryacl
-dns_zone_setsigvalidityinterval
-dns_zone_setssutable
-dns_zone_setstatistics
-dns_zone_settask
-dns_zone_settype
 dns_zone_setupdateacl
-dns_zone_setview
+dns_zone_setforwardacl
 dns_zone_setxfracl
-dns_zone_setxfrsource4
-dns_zone_setxfrsource6
-dns_zone_unload
-dns_zonekey_iszonekey
-dns_zonemgr_attach
+dns_zone_getnotifyacl
+dns_zone_getqueryacl
+dns_zone_getupdateacl
+dns_zone_getforwardacl
+dns_zone_getxfracl
+dns_zone_clearupdateacl
+dns_zone_clearforwardacl
+dns_zone_clearnotifyacl
+dns_zone_clearqueryacl
+dns_zone_clearxfracl
+dns_zone_setchecknames
+dns_zone_getchecknames
+dns_zone_setjournalsize
+dns_zone_getjournalsize
+dns_zone_notifyreceive
+dns_zone_setmaxxfrin
+dns_zone_getmaxxfrin
+dns_zone_setmaxxfrout
+dns_zone_getmaxxfrout
+dns_zone_setjournal
+dns_zone_getjournal
+dns_zone_gettype
+dns_zone_settask
+dns_zone_gettask
+dns_zone_notify
+dns_zone_replacedb
+dns_zone_getidlein
+dns_zone_setidlein
+dns_zone_getidleout
+dns_zone_setidleout
+dns_zone_getssutable
+dns_zone_setssutable
+dns_zone_getmctx
+dns_zone_getmgr
+dns_zone_setsigvalidityinterval
+dns_zone_getsigvalidityinterval
+dns_zone_setnotifytype
+dns_zone_forwardupdate
+dns_zone_next
+dns_zone_first
 dns_zonemgr_create
-dns_zonemgr_detach
+dns_zonemgr_managezone
 dns_zonemgr_forcemaint
-dns_zonemgr_getcount
-dns_zonemgr_getiolimit
-dns_zonemgr_getserialqueryrate
+dns_zonemgr_shutdown
+dns_zonemgr_attach
+dns_zonemgr_detach
+dns_zonemgr_releasezone
+dns_zonemgr_settransfersin
 dns_zonemgr_getttransfersin
+dns_zonemgr_settransfersperns
 dns_zonemgr_getttransfersperns
-dns_zonemgr_managezone
-dns_zonemgr_releasezone
 dns_zonemgr_setiolimit
+dns_zonemgr_getiolimit
 dns_zonemgr_setserialqueryrate
-dns_zonemgr_settransfersin
-dns_zonemgr_settransfersperns
-dns_zonemgr_shutdown
-dns_zt_apply
-dns_zt_attach
+dns_zonemgr_getserialqueryrate
+dns_zonemgr_getcount
+dns_zone_forcereload
+dns_zone_isforced
+dns_zone_setstatistics
+dns_zone_getstatscounters
+dns_zone_dialup
+dns_zone_setdialup
+dns_zone_log
+dns_zonekey_iszonekey
 dns_zt_create
-dns_zt_detach
+dns_zt_mount
+dns_zt_unmount
 dns_zt_find
+dns_zt_detach
 dns_zt_flushanddetach
+dns_zt_attach
 dns_zt_load
-dns_zt_mount
-dns_zt_unmount
+dns_zt_apply
+dst_lib_init
+dst_lib_destroy
 dst_algorithm_supported
-dst_context_adddata
 dst_context_create
 dst_context_destroy
+dst_context_adddata
 dst_context_sign
 dst_context_verify
-dst_gssapi_acceptctx
-dst_gssapi_acquirecred
-dst_gssapi_initctx
-dst_key_alg
-dst_key_buildfilename
-dst_key_class
-dst_key_compare
 dst_key_computesecret
-dst_key_flags
-dst_key_free
-dst_key_frombuffer
-dst_key_fromdns
 dst_key_fromfile
-dst_key_fromgssapi
 dst_key_fromnamedfile
+dst_key_tofile
+dst_key_fromdns
+dst_key_todns
+dst_key_frombuffer
+dst_key_tobuffer
+dst_key_fromgssapi
 dst_key_generate
+dst_key_compare
+dst_key_paramcompare
+dst_key_free
+dst_key_name
+dst_key_size
+dst_key_proto
+dst_key_alg
+dst_key_flags
 dst_key_id
-dst_key_isnullkey
+dst_key_class
 dst_key_isprivate
 dst_key_iszonekey
-dst_key_name
-dst_key_paramcompare
-dst_key_proto
-dst_key_secretsize
+dst_key_isnullkey
+dst_key_buildfilename
 dst_key_sigsize
-dst_key_size
-dst_key_tobuffer
-dst_key_todns
-dst_key_tofile
-dst_lib_destroy
-dst_lib_init
-dst_lib_initmsgcat
+dst_key_secretsize
 dst_region_computeid
-dst_result_register
+dst_gssapi_acquirecred
+dst_gssapi_initctx
+dst_gssapi_acceptctx
+dst_lib_initmsgcat
 dst_result_totext
+dst_result_register
+dns_ds_buildrdata
+dns_order_create
+dns_order_add
+dns_order_find
+dns_order_attach
+dns_order_detach
+dns_byaddr_createptrname2
+dns_diff_applysilently
+dns_master_stylecreate
+dns_master_styledestroy
+dns_message_resetsig
+dns_message_rechecksig
+dns_rdatatype_atparent
+dns_zone_name
+dns_view_flushname
+dns_zone_setupdatedisabled
+dns_zone_getupdatedisabled
+dns_zone_getkeydirectory
+dns_zone_setkeydirectory
+dns_dnssec_findzonekeys2
+dns_zone_fulldumptostream
+dns_request_createvia3
+dns_zone_setaltxfrsource4
+dns_zone_setaltxfrsource6
+dns_zone_checknames
+dns_zonemgr_resumexfrs
+dns_portlist_add
+dns_resolver_getudpsize
+dns_acl_elementmatch
+dns_rdata_checkowner
+dns_rdataset_getnoqname
+dns_portlist_detach
+dns_dispatchmgr_setblackportlist
+dns_portlist_create
+dns_view_excludedelegationonly
+dns_view_setrootdelonly
+dns_resolver_reset_algorithms
+dns_resolver_setudpsize
+dns_peer_settransfersource
+dns_resolver_disable_algorithm
+dns_resolver_addalternate
+dns_view_adddelegationonly
+dns_dumpctx_detach
+dns_master_dumptostreaminc
+
diff --git a/lib/dns/win32/libdns.dsp b/lib/dns/win32/libdns.dsp
index 56a57f7f..78ff4133 100644
--- a/lib/dns/win32/libdns.dsp
+++ b/lib/dns/win32/libdns.dsp
@@ -1,389 +1,702 @@
-# Microsoft Developer Studio Project File - Name="libdns" - Package Owner=<4>

-# Microsoft Developer Studio Generated Build File, Format Version 6.00

-# ** DO NOT EDIT **

-

-# TARGTYPE "Win32 (x86) Dynamic-Link Library" 0x0102

-

-CFG=libdns - Win32 Debug

-!MESSAGE This is not a valid makefile. To build this project using NMAKE,

-!MESSAGE use the Export Makefile command and run

-!MESSAGE 

-!MESSAGE NMAKE /f "libdns.mak".

-!MESSAGE 

-!MESSAGE You can specify a configuration when running NMAKE

-!MESSAGE by defining the macro CFG on the command line. For example:

-!MESSAGE 

-!MESSAGE NMAKE /f "libdns.mak" CFG="libdns - Win32 Debug"

-!MESSAGE 

-!MESSAGE Possible choices for configuration are:

-!MESSAGE 

-!MESSAGE "libdns - Win32 Release" (based on "Win32 (x86) Dynamic-Link Library")

-!MESSAGE "libdns - Win32 Debug" (based on "Win32 (x86) Dynamic-Link Library")

-!MESSAGE 

-

-# Begin Project

-# PROP AllowPerConfigDependencies 0

-# PROP Scc_ProjName ""

-# PROP Scc_LocalPath ""

-CPP=cl.exe

-MTL=midl.exe

-RSC=rc.exe

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-# PROP BASE Use_MFC 0

-# PROP BASE Use_Debug_Libraries 0

-# PROP BASE Output_Dir "Release"

-# PROP BASE Intermediate_Dir "Release"

-# PROP BASE Target_Dir ""

-# PROP Use_MFC 0

-# PROP Use_Debug_Libraries 0

-# PROP Output_Dir "Release"

-# PROP Intermediate_Dir "Release"

-# PROP Ignore_Export_Lib 0

-# PROP Target_Dir ""

-# ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "libdns_EXPORTS" /YX /FD /c

-# ADD CPP /nologo /MD /W3 /GX /O2 /I "../../../../../openssl-0.9.8d/inc32/openssl/include" /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../../../openssl-0.9.8d/inc32" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBDNS_EXPORTS" /YX /FD /c

-# SUBTRACT CPP /X

-# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32

-# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32

-# ADD BASE RSC /l 0x409 /d "NDEBUG"

-# ADD RSC /l 0x409 /d "NDEBUG"

-BSC32=bscmake.exe

-# ADD BASE BSC32 /nologo

-# ADD BSC32 /nologo

-LINK32=link.exe

-# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386

-# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../isc/win32/Release/libisc.lib ../../../../openssl-0.9.8d/out32dll/libeay32.lib /nologo /dll /machine:I386 /out:"../../../Build/Release/libdns.dll"

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-# PROP BASE Use_MFC 0

-# PROP BASE Use_Debug_Libraries 1

-# PROP BASE Output_Dir "Debug"

-# PROP BASE Intermediate_Dir "Debug"

-# PROP BASE Target_Dir ""

-# PROP Use_MFC 0

-# PROP Use_Debug_Libraries 1

-# PROP Output_Dir "Debug"

-# PROP Intermediate_Dir "Debug"

-# PROP Ignore_Export_Lib 0

-# PROP Target_Dir ""

-# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "libdns_EXPORTS" /YX /FD /GZ /c

-# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../../../openssl-0.9.8d/inc32" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBDNS_EXPORTS" /FR /YX /FD /GZ /c

-# SUBTRACT CPP /X

-# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32

-# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32

-# ADD BASE RSC /l 0x409 /d "_DEBUG"

-# ADD RSC /l 0x409 /d "_DEBUG"

-BSC32=bscmake.exe

-# ADD BASE BSC32 /nologo

-# ADD BSC32 /nologo

-LINK32=link.exe

-# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept

-# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../isc/win32/debug/libisc.lib  ../../../../openssl-0.9.8d/out32dll/libeay32.lib /nologo /dll /map /debug /machine:I386 /out:"../../../Build/Debug/libdns.dll" /pdbtype:sept

-

-!ENDIF 

-

-# Begin Target

-

-# Name "libdns - Win32 Release"

-# Name "libdns - Win32 Debug"

-# Begin Group "Source Files"

-

-# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"

-# End Group

-# Begin Group "Header Files"

-

-# PROP Default_Filter "h;hpp;hxx;hm;inl"

-# End Group

-# Begin Group "Resource Files"

-

-# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"

-# End Group

-# Begin Group "Main Dns Lib"

-

-# PROP Default_Filter "c"

-# Begin Source File

-

-SOURCE=..\a6.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\acl.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\adb.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\byaddr.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\cache.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\callbacks.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\compress.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\db.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\dbiterator.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\dbtable.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\diff.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\dispatch.c

-# End Source File

-# Begin Source File

-

-SOURCE=.\DLLMain.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\dnssec.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\forward.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\journal.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\keytable.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\lib.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\log.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\lookup.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\master.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\masterdump.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\message.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\name.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\ncache.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\nxt.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\peer.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\rbt.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\rbtdb.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\rbtdb64.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\rdata.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\rdatalist.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\rdataset.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\rdatasetiter.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\rdataslab.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\request.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\resolver.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\result.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\rootns.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\sdb.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\soa.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\ssu.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\stats.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\tcpmsg.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\time.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\timer.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\tkey.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\tsig.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\ttl.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\validator.c

-# End Source File

-# Begin Source File

-

-SOURCE=.\version.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\view.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\xfrin.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\zone.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\zonekey.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\zt.c

-# End Source File

-# End Group

-# Begin Group "dst"

-

-# PROP Default_Filter "c"

-# Begin Source File

-

-SOURCE=..\dst_api.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\dst_lib.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\dst_parse.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\dst_result.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\gssapi_link.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\gssapictx.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\hmac_link.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\key.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\openssl_link.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\openssldh_link.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\openssldsa_link.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\opensslrsa_link.c

-# End Source File

-# End Group

-# Begin Source File

-

-SOURCE=.\libdns.def

-# End Source File

-# End Target

-# End Project

+# Microsoft Developer Studio Project File - Name="libdns" - Package Owner=<4>
+# Microsoft Developer Studio Generated Build File, Format Version 6.00
+# ** DO NOT EDIT **
+
+# TARGTYPE "Win32 (x86) Dynamic-Link Library" 0x0102
+
+CFG=libdns - Win32 Debug
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,
+!MESSAGE use the Export Makefile command and run
+!MESSAGE 
+!MESSAGE NMAKE /f "libdns.mak".
+!MESSAGE 
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "libdns.mak" CFG="libdns - Win32 Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "libdns - Win32 Release" (based on "Win32 (x86) Dynamic-Link Library")
+!MESSAGE "libdns - Win32 Debug" (based on "Win32 (x86) Dynamic-Link Library")
+!MESSAGE 
+
+# Begin Project
+# PROP AllowPerConfigDependencies 0
+# PROP Scc_ProjName ""
+# PROP Scc_LocalPath ""
+CPP=cl.exe
+MTL=midl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 0
+# PROP BASE Output_Dir "Release"
+# PROP BASE Intermediate_Dir "Release"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 0
+# PROP Output_Dir "Release"
+# PROP Intermediate_Dir "Release"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "libdns_EXPORTS" /YX /FD /c
+# ADD CPP /nologo /MD /W3 /GX /O2 /I "../../../../../openssl-0.9.6k/inc32/openssl/include" /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../dns/sec/dst/include" /I "../../../../openssl-0.9.6k/inc32" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBDNS_EXPORTS" /YX /FD /c
+# SUBTRACT CPP /X
+# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32
+# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32
+# ADD BASE RSC /l 0x409 /d "NDEBUG"
+# ADD RSC /l 0x409 /d "NDEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../isc/win32/Release/libisc.lib ../../../../openssl-0.9.6k/out32dll/libeay32.lib /nologo /dll /machine:I386 /out:"../../../Build/Release/libdns.dll"
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 1
+# PROP BASE Output_Dir "Debug"
+# PROP BASE Intermediate_Dir "Debug"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 1
+# PROP Output_Dir "Debug"
+# PROP Intermediate_Dir "Debug"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "libdns_EXPORTS" /YX /FD /GZ /c
+# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../dns/sec/dst/include" /I "../../../../openssl-0.9.6k/inc32" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBDNS_EXPORTS" /FR /YX /FD /GZ /c
+# SUBTRACT CPP /X
+# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32
+# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32
+# ADD BASE RSC /l 0x409 /d "_DEBUG"
+# ADD RSC /l 0x409 /d "_DEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../isc/win32/debug/libisc.lib ../../../../openssl-0.9.6k/out32dll/libeay32.lib /nologo /dll /map /debug /machine:I386 /out:"../../../Build/Debug/libdns.dll" /pdbtype:sept
+
+!ENDIF 
+
+# Begin Target
+
+# Name "libdns - Win32 Release"
+# Name "libdns - Win32 Debug"
+# Begin Group "Source Files"
+
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
+# End Group
+# Begin Group "Header Files"
+
+# PROP Default_Filter "h;hpp;hxx;hm;inl"
+# Begin Source File
+
+SOURCE=..\include\dns\acl.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\adb.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\bit.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\byaddr.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\cache.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\callbacks.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\cert.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\code.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\compress.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\db.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\dbiterator.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\dbtable.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\diff.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\dispatch.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\dnssec.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\ds.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\enumclass.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\enumtype.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\events.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\fixedname.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\forward.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\journal.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\keyflags.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\keytable.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\keyvalues.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\lib.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\log.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\lookup.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\master.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\masterdump.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\message.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\name.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\ncache.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\nsec.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\order.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\peer.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\portlist.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\rbt.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\rbtdb.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\rbtdb64.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\rcode.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\rdata.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\rdataclass.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\rdatalist.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\rdataset.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\rdatasetiter.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\rdataslab.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\rdatastruct.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\rdatatype.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\request.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\resolver.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\result.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\rootns.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\sdb.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\secalg.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\secproto.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\soa.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\ssu.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\stats.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\tcpmsg.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\time.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\timer.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\tkey.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\tsig.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\ttl.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\types.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\validator.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\version.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\view.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\xfrin.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\zone.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\zonekey.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\zt.h
+# End Source File
+# End Group
+# Begin Group "Resource Files"
+
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"
+# End Group
+# Begin Group "Main Dns Lib"
+
+# PROP Default_Filter "c"
+# Begin Source File
+
+SOURCE=..\acl.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\adb.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\byaddr.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\cache.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\callbacks.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\compress.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\db.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\dbiterator.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\dbtable.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\diff.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\dispatch.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+# ADD CPP /I "../sec/dst/include"
+
+!ENDIF 
+
+# End Source File
+# Begin Source File
+
+SOURCE=.\DLLMain.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\dnssec.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\ds.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\forward.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\journal.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\keytable.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\lib.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\log.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\lookup.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\master.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\masterdump.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\message.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\name.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\ncache.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\nsec.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\order.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\peer.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\portlist.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\rbt.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\rbtdb.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\rbtdb64.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\rcode.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\rdata.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\rdatalist.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\rdataset.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\rdatasetiter.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\rdataslab.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\request.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\resolver.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\result.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\rootns.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\sdb.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\soa.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\ssu.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\stats.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\tcpmsg.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\time.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\timer.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\tkey.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\tsig.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\ttl.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\validator.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\version.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\view.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\xfrin.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\zone.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\zonekey.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\zt.c
+# End Source File
+# End Group
+# Begin Group "dst"
+
+# PROP Default_Filter "c"
+# Begin Source File
+
+SOURCE=..\sec\dst\dst_api.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\sec\dst\dst_lib.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\sec\dst\dst_parse.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\sec\dst\dst_result.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\sec\dst\gssapi_link.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\sec\dst\gssapictx.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\sec\dst\hmac_link.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\sec\dst\key.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\sec\dst\openssl_link.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\sec\dst\openssldh_link.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\sec\dst\openssldsa_link.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\sec\dst\opensslrsa_link.c
+# End Source File
+# End Group
+# Begin Source File
+
+SOURCE=.\libdns.def
+# End Source File
+# End Target
+# End Project
diff --git a/lib/dns/win32/libdns.dsw b/lib/dns/win32/libdns.dsw
index 424a2cbb..c1685a0e 100644
--- a/lib/dns/win32/libdns.dsw
+++ b/lib/dns/win32/libdns.dsw
@@ -1,29 +1,29 @@
-Microsoft Developer Studio Workspace File, Format Version 6.00

-# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!

-

-###############################################################################

-

-Project: "libdns"=".\libdns.dsp" - Package Owner=<4>

-

-Package=<5>

-{{{

-}}}

-

-Package=<4>

-{{{

-}}}

-

-###############################################################################

-

-Global:

-

-Package=<5>

-{{{

-}}}

-

-Package=<3>

-{{{

-}}}

-

-###############################################################################

-

+Microsoft Developer Studio Workspace File, Format Version 6.00
+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!
+
+###############################################################################
+
+Project: "libdns"=".\libdns.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+}}}
+
+###############################################################################
+
+Global:
+
+Package=<5>
+{{{
+}}}
+
+Package=<3>
+{{{
+}}}
+
+###############################################################################
+
diff --git a/lib/dns/win32/libdns.mak b/lib/dns/win32/libdns.mak
index eac434c0..64b70be5 100644
--- a/lib/dns/win32/libdns.mak
+++ b/lib/dns/win32/libdns.mak
@@ -1,1923 +1,1949 @@
-# Microsoft Developer Studio Generated NMAKE File, Based on libdns.dsp

-!IF "$(CFG)" == ""

-CFG=libdns - Win32 Debug

-!MESSAGE No configuration specified. Defaulting to libdns - Win32 Debug.

-!ENDIF 

-

-!IF "$(CFG)" != "libdns - Win32 Release" && "$(CFG)" != "libdns - Win32 Debug"

-!MESSAGE Invalid configuration "$(CFG)" specified.

-!MESSAGE You can specify a configuration when running NMAKE

-!MESSAGE by defining the macro CFG on the command line. For example:

-!MESSAGE 

-!MESSAGE NMAKE /f "libdns.mak" CFG="libdns - Win32 Debug"

-!MESSAGE 

-!MESSAGE Possible choices for configuration are:

-!MESSAGE 

-!MESSAGE "libdns - Win32 Release" (based on "Win32 (x86) Dynamic-Link Library")

-!MESSAGE "libdns - Win32 Debug" (based on "Win32 (x86) Dynamic-Link Library")

-!MESSAGE 

-!ERROR An invalid configuration is specified.

-!ENDIF 

-

-!IF "$(OS)" == "Windows_NT"

-NULL=

-!ELSE 

-NULL=nul

-!ENDIF 

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-_VC_MANIFEST_INC=0

-_VC_MANIFEST_BASENAME=__VC80

-!ELSE

-_VC_MANIFEST_INC=1

-_VC_MANIFEST_BASENAME=__VC80.Debug

-!ENDIF

-

-####################################################

-# Specifying name of temporary resource file used only in incremental builds:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res

-!else

-_VC_MANIFEST_AUTO_RES=

-!endif

-

-####################################################

-# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-

-#MT_SPECIAL_RETURN=1090650113

-#MT_SPECIAL_SWITCH=-notify_resource_update

-MT_SPECIAL_RETURN=0

-MT_SPECIAL_SWITCH=

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \

-if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \

-rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \

-link $** /out:$@ $(LFLAGS)

-

-!else

-

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1

-

-!endif

-

-####################################################

-# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-

-#MT_SPECIAL_RETURN=1090650113

-#MT_SPECIAL_SWITCH=-notify_resource_update

-MT_SPECIAL_RETURN=0

-MT_SPECIAL_SWITCH=

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \

-if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \

-rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \

-link $** /out:$@ $(LFLAGS)

-

-!else

-

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2

-

-!endif

-####################################################

-# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-

-_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \

-    $(_VC_MANIFEST_BASENAME).auto.rc \

-    $(_VC_MANIFEST_BASENAME).auto.manifest

-

-!else

-

-_VC_MANIFEST_CLEAN=

-

-!endif

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-OUTDIR=.\Release

-INTDIR=.\Release

-

-ALL : "..\..\..\Build\Release\libdns.dll"

-

-

-CLEAN :

-	-@erase "$(INTDIR)\a6.obj"

-	-@erase "$(INTDIR)\acl.obj"

-	-@erase "$(INTDIR)\adb.obj"

-	-@erase "$(INTDIR)\byaddr.obj"

-	-@erase "$(INTDIR)\cache.obj"

-	-@erase "$(INTDIR)\callbacks.obj"

-	-@erase "$(INTDIR)\compress.obj"

-	-@erase "$(INTDIR)\db.obj"

-	-@erase "$(INTDIR)\dbiterator.obj"

-	-@erase "$(INTDIR)\dbtable.obj"

-	-@erase "$(INTDIR)\diff.obj"

-	-@erase "$(INTDIR)\dispatch.obj"

-	-@erase "$(INTDIR)\DLLMain.obj"

-	-@erase "$(INTDIR)\dnssec.obj"

-	-@erase "$(INTDIR)\dst_api.obj"

-	-@erase "$(INTDIR)\dst_lib.obj"

-	-@erase "$(INTDIR)\dst_parse.obj"

-	-@erase "$(INTDIR)\dst_result.obj"

-	-@erase "$(INTDIR)\forward.obj"

-	-@erase "$(INTDIR)\gssapi_link.obj"

-	-@erase "$(INTDIR)\gssapictx.obj"

-	-@erase "$(INTDIR)\hmac_link.obj"

-	-@erase "$(INTDIR)\journal.obj"

-	-@erase "$(INTDIR)\key.obj"

-	-@erase "$(INTDIR)\keytable.obj"

-	-@erase "$(INTDIR)\lib.obj"

-	-@erase "$(INTDIR)\log.obj"

-	-@erase "$(INTDIR)\lookup.obj"

-	-@erase "$(INTDIR)\master.obj"

-	-@erase "$(INTDIR)\masterdump.obj"

-	-@erase "$(INTDIR)\message.obj"

-	-@erase "$(INTDIR)\name.obj"

-	-@erase "$(INTDIR)\ncache.obj"

-	-@erase "$(INTDIR)\nxt.obj"

-	-@erase "$(INTDIR)\openssl_link.obj"

-	-@erase "$(INTDIR)\openssldh_link.obj"

-	-@erase "$(INTDIR)\openssldsa_link.obj"

-	-@erase "$(INTDIR)\opensslrsa_link.obj"

-	-@erase "$(INTDIR)\peer.obj"

-	-@erase "$(INTDIR)\rbt.obj"

-	-@erase "$(INTDIR)\rbtdb.obj"

-	-@erase "$(INTDIR)\rbtdb64.obj"

-	-@erase "$(INTDIR)\rdata.obj"

-	-@erase "$(INTDIR)\rdatalist.obj"

-	-@erase "$(INTDIR)\rdataset.obj"

-	-@erase "$(INTDIR)\rdatasetiter.obj"

-	-@erase "$(INTDIR)\rdataslab.obj"

-	-@erase "$(INTDIR)\request.obj"

-	-@erase "$(INTDIR)\resolver.obj"

-	-@erase "$(INTDIR)\result.obj"

-	-@erase "$(INTDIR)\rootns.obj"

-	-@erase "$(INTDIR)\sdb.obj"

-	-@erase "$(INTDIR)\soa.obj"

-	-@erase "$(INTDIR)\ssu.obj"

-	-@erase "$(INTDIR)\stats.obj"

-	-@erase "$(INTDIR)\tcpmsg.obj"

-	-@erase "$(INTDIR)\time.obj"

-	-@erase "$(INTDIR)\timer.obj"

-	-@erase "$(INTDIR)\tkey.obj"

-	-@erase "$(INTDIR)\tsig.obj"

-	-@erase "$(INTDIR)\ttl.obj"

-	-@erase "$(INTDIR)\validator.obj"

-	-@erase "$(INTDIR)\vc60.idb"

-	-@erase "$(INTDIR)\version.obj"

-	-@erase "$(INTDIR)\view.obj"

-	-@erase "$(INTDIR)\xfrin.obj"

-	-@erase "$(INTDIR)\zone.obj"

-	-@erase "$(INTDIR)\zonekey.obj"

-	-@erase "$(INTDIR)\zt.obj"

-	-@erase "$(OUTDIR)\libdns.exp"

-	-@erase "$(OUTDIR)\libdns.lib"

-	-@erase "..\..\..\Build\Release\libdns.dll"

-	-@$(_VC_MANIFEST_CLEAN)

-

-"$(OUTDIR)" :

-    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"

-

-CPP=cl.exe

-CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "../../../../../openssl-0.9.8d/inc32/openssl/include" /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../../../openssl-0.9.8d/inc32" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBDNS_EXPORTS" /Fp"$(INTDIR)\libdns.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 

-

-.c{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.c{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-MTL=midl.exe

-MTL_PROJ=/nologo /D "NDEBUG" /mktyplib203 /win32 

-RSC=rc.exe

-BSC32=bscmake.exe

-BSC32_FLAGS=/nologo /o"$(OUTDIR)\libdns.bsc" 

-BSC32_SBRS= \

-	

-LINK32=link.exe

-LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../isc/win32/Release/libisc.lib ../../../../openssl-0.9.8d/out32dll/libeay32.lib /nologo /dll /incremental:no /pdb:"$(OUTDIR)\libdns.pdb" /machine:I386 /def:".\libdns.def" /out:"../../../Build/Release/libdns.dll" /implib:"$(OUTDIR)\libdns.lib" 

-DEF_FILE= \

-	".\libdns.def"

-LINK32_OBJS= \

-	"$(INTDIR)\a6.obj" \

-	"$(INTDIR)\acl.obj" \

-	"$(INTDIR)\adb.obj" \

-	"$(INTDIR)\byaddr.obj" \

-	"$(INTDIR)\cache.obj" \

-	"$(INTDIR)\callbacks.obj" \

-	"$(INTDIR)\compress.obj" \

-	"$(INTDIR)\db.obj" \

-	"$(INTDIR)\dbiterator.obj" \

-	"$(INTDIR)\dbtable.obj" \

-	"$(INTDIR)\diff.obj" \

-	"$(INTDIR)\dispatch.obj" \

-	"$(INTDIR)\DLLMain.obj" \

-	"$(INTDIR)\dnssec.obj" \

-	"$(INTDIR)\forward.obj" \

-	"$(INTDIR)\journal.obj" \

-	"$(INTDIR)\keytable.obj" \

-	"$(INTDIR)\lib.obj" \

-	"$(INTDIR)\log.obj" \

-	"$(INTDIR)\lookup.obj" \

-	"$(INTDIR)\master.obj" \

-	"$(INTDIR)\masterdump.obj" \

-	"$(INTDIR)\message.obj" \

-	"$(INTDIR)\name.obj" \

-	"$(INTDIR)\ncache.obj" \

-	"$(INTDIR)\nxt.obj" \

-	"$(INTDIR)\peer.obj" \

-	"$(INTDIR)\rbt.obj" \

-	"$(INTDIR)\rbtdb.obj" \

-	"$(INTDIR)\rbtdb64.obj" \

-	"$(INTDIR)\rdata.obj" \

-	"$(INTDIR)\rdatalist.obj" \

-	"$(INTDIR)\rdataset.obj" \

-	"$(INTDIR)\rdatasetiter.obj" \

-	"$(INTDIR)\rdataslab.obj" \

-	"$(INTDIR)\request.obj" \

-	"$(INTDIR)\resolver.obj" \

-	"$(INTDIR)\result.obj" \

-	"$(INTDIR)\rootns.obj" \

-	"$(INTDIR)\sdb.obj" \

-	"$(INTDIR)\soa.obj" \

-	"$(INTDIR)\ssu.obj" \

-	"$(INTDIR)\stats.obj" \

-	"$(INTDIR)\tcpmsg.obj" \

-	"$(INTDIR)\time.obj" \

-	"$(INTDIR)\timer.obj" \

-	"$(INTDIR)\tkey.obj" \

-	"$(INTDIR)\tsig.obj" \

-	"$(INTDIR)\ttl.obj" \

-	"$(INTDIR)\validator.obj" \

-	"$(INTDIR)\version.obj" \

-	"$(INTDIR)\view.obj" \

-	"$(INTDIR)\xfrin.obj" \

-	"$(INTDIR)\zone.obj" \

-	"$(INTDIR)\zonekey.obj" \

-	"$(INTDIR)\zt.obj" \

-	"$(INTDIR)\dst_api.obj" \

-	"$(INTDIR)\dst_lib.obj" \

-	"$(INTDIR)\dst_parse.obj" \

-	"$(INTDIR)\dst_result.obj" \

-	"$(INTDIR)\gssapi_link.obj" \

-	"$(INTDIR)\gssapictx.obj" \

-	"$(INTDIR)\hmac_link.obj" \

-	"$(INTDIR)\key.obj" \

-	"$(INTDIR)\openssl_link.obj" \

-	"$(INTDIR)\openssldh_link.obj" \

-	"$(INTDIR)\openssldsa_link.obj" \

-	"$(INTDIR)\opensslrsa_link.obj"

-

-"..\..\..\Build\Release\libdns.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)

-    $(LINK32) @<<

-  $(LINK32_FLAGS) $(LINK32_OBJS)

-<<

-  $(_VC_MANIFEST_EMBED_DLL)

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-OUTDIR=.\Debug

-INTDIR=.\Debug

-# Begin Custom Macros

-OutDir=.\Debug

-# End Custom Macros

-

-ALL : "..\..\..\Build\Debug\libdns.dll" "$(OUTDIR)\libdns.bsc"

-

-

-CLEAN :

-	-@erase "$(INTDIR)\a6.obj"

-	-@erase "$(INTDIR)\a6.sbr"

-	-@erase "$(INTDIR)\acl.obj"

-	-@erase "$(INTDIR)\acl.sbr"

-	-@erase "$(INTDIR)\adb.obj"

-	-@erase "$(INTDIR)\adb.sbr"

-	-@erase "$(INTDIR)\byaddr.obj"

-	-@erase "$(INTDIR)\byaddr.sbr"

-	-@erase "$(INTDIR)\cache.obj"

-	-@erase "$(INTDIR)\cache.sbr"

-	-@erase "$(INTDIR)\callbacks.obj"

-	-@erase "$(INTDIR)\callbacks.sbr"

-	-@erase "$(INTDIR)\compress.obj"

-	-@erase "$(INTDIR)\compress.sbr"

-	-@erase "$(INTDIR)\db.obj"

-	-@erase "$(INTDIR)\db.sbr"

-	-@erase "$(INTDIR)\dbiterator.obj"

-	-@erase "$(INTDIR)\dbiterator.sbr"

-	-@erase "$(INTDIR)\dbtable.obj"

-	-@erase "$(INTDIR)\dbtable.sbr"

-	-@erase "$(INTDIR)\diff.obj"

-	-@erase "$(INTDIR)\diff.sbr"

-	-@erase "$(INTDIR)\dispatch.obj"

-	-@erase "$(INTDIR)\dispatch.sbr"

-	-@erase "$(INTDIR)\DLLMain.obj"

-	-@erase "$(INTDIR)\DLLMain.sbr"

-	-@erase "$(INTDIR)\dnssec.obj"

-	-@erase "$(INTDIR)\dnssec.sbr"

-	-@erase "$(INTDIR)\dst_api.obj"

-	-@erase "$(INTDIR)\dst_api.sbr"

-	-@erase "$(INTDIR)\dst_lib.obj"

-	-@erase "$(INTDIR)\dst_lib.sbr"

-	-@erase "$(INTDIR)\dst_parse.obj"

-	-@erase "$(INTDIR)\dst_parse.sbr"

-	-@erase "$(INTDIR)\dst_result.obj"

-	-@erase "$(INTDIR)\dst_result.sbr"

-	-@erase "$(INTDIR)\forward.obj"

-	-@erase "$(INTDIR)\forward.sbr"

-	-@erase "$(INTDIR)\gssapi_link.obj"

-	-@erase "$(INTDIR)\gssapi_link.sbr"

-	-@erase "$(INTDIR)\gssapictx.obj"

-	-@erase "$(INTDIR)\gssapictx.sbr"

-	-@erase "$(INTDIR)\hmac_link.obj"

-	-@erase "$(INTDIR)\hmac_link.sbr"

-	-@erase "$(INTDIR)\journal.obj"

-	-@erase "$(INTDIR)\journal.sbr"

-	-@erase "$(INTDIR)\key.obj"

-	-@erase "$(INTDIR)\key.sbr"

-	-@erase "$(INTDIR)\keytable.obj"

-	-@erase "$(INTDIR)\keytable.sbr"

-	-@erase "$(INTDIR)\lib.obj"

-	-@erase "$(INTDIR)\lib.sbr"

-	-@erase "$(INTDIR)\log.obj"

-	-@erase "$(INTDIR)\log.sbr"

-	-@erase "$(INTDIR)\lookup.obj"

-	-@erase "$(INTDIR)\lookup.sbr"

-	-@erase "$(INTDIR)\master.obj"

-	-@erase "$(INTDIR)\master.sbr"

-	-@erase "$(INTDIR)\masterdump.obj"

-	-@erase "$(INTDIR)\masterdump.sbr"

-	-@erase "$(INTDIR)\message.obj"

-	-@erase "$(INTDIR)\message.sbr"

-	-@erase "$(INTDIR)\name.obj"

-	-@erase "$(INTDIR)\name.sbr"

-	-@erase "$(INTDIR)\ncache.obj"

-	-@erase "$(INTDIR)\ncache.sbr"

-	-@erase "$(INTDIR)\nxt.obj"

-	-@erase "$(INTDIR)\nxt.sbr"

-	-@erase "$(INTDIR)\openssl_link.obj"

-	-@erase "$(INTDIR)\openssl_link.sbr"

-	-@erase "$(INTDIR)\openssldh_link.obj"

-	-@erase "$(INTDIR)\openssldh_link.sbr"

-	-@erase "$(INTDIR)\openssldsa_link.obj"

-	-@erase "$(INTDIR)\openssldsa_link.sbr"

-	-@erase "$(INTDIR)\opensslrsa_link.obj"

-	-@erase "$(INTDIR)\opensslrsa_link.sbr"

-	-@erase "$(INTDIR)\peer.obj"

-	-@erase "$(INTDIR)\peer.sbr"

-	-@erase "$(INTDIR)\rbt.obj"

-	-@erase "$(INTDIR)\rbt.sbr"

-	-@erase "$(INTDIR)\rbtdb.obj"

-	-@erase "$(INTDIR)\rbtdb.sbr"

-	-@erase "$(INTDIR)\rbtdb64.obj"

-	-@erase "$(INTDIR)\rbtdb64.sbr"

-	-@erase "$(INTDIR)\rdata.obj"

-	-@erase "$(INTDIR)\rdata.sbr"

-	-@erase "$(INTDIR)\rdatalist.obj"

-	-@erase "$(INTDIR)\rdatalist.sbr"

-	-@erase "$(INTDIR)\rdataset.obj"

-	-@erase "$(INTDIR)\rdataset.sbr"

-	-@erase "$(INTDIR)\rdatasetiter.obj"

-	-@erase "$(INTDIR)\rdatasetiter.sbr"

-	-@erase "$(INTDIR)\rdataslab.obj"

-	-@erase "$(INTDIR)\rdataslab.sbr"

-	-@erase "$(INTDIR)\request.obj"

-	-@erase "$(INTDIR)\request.sbr"

-	-@erase "$(INTDIR)\resolver.obj"

-	-@erase "$(INTDIR)\resolver.sbr"

-	-@erase "$(INTDIR)\result.obj"

-	-@erase "$(INTDIR)\result.sbr"

-	-@erase "$(INTDIR)\rootns.obj"

-	-@erase "$(INTDIR)\rootns.sbr"

-	-@erase "$(INTDIR)\sdb.obj"

-	-@erase "$(INTDIR)\sdb.sbr"

-	-@erase "$(INTDIR)\soa.obj"

-	-@erase "$(INTDIR)\soa.sbr"

-	-@erase "$(INTDIR)\ssu.obj"

-	-@erase "$(INTDIR)\ssu.sbr"

-	-@erase "$(INTDIR)\stats.obj"

-	-@erase "$(INTDIR)\stats.sbr"

-	-@erase "$(INTDIR)\tcpmsg.obj"

-	-@erase "$(INTDIR)\tcpmsg.sbr"

-	-@erase "$(INTDIR)\time.obj"

-	-@erase "$(INTDIR)\time.sbr"

-	-@erase "$(INTDIR)\timer.obj"

-	-@erase "$(INTDIR)\timer.sbr"

-	-@erase "$(INTDIR)\tkey.obj"

-	-@erase "$(INTDIR)\tkey.sbr"

-	-@erase "$(INTDIR)\tsig.obj"

-	-@erase "$(INTDIR)\tsig.sbr"

-	-@erase "$(INTDIR)\ttl.obj"

-	-@erase "$(INTDIR)\ttl.sbr"

-	-@erase "$(INTDIR)\validator.obj"

-	-@erase "$(INTDIR)\validator.sbr"

-	-@erase "$(INTDIR)\vc60.idb"

-	-@erase "$(INTDIR)\vc60.pdb"

-	-@erase "$(INTDIR)\version.obj"

-	-@erase "$(INTDIR)\version.sbr"

-	-@erase "$(INTDIR)\view.obj"

-	-@erase "$(INTDIR)\view.sbr"

-	-@erase "$(INTDIR)\xfrin.obj"

-	-@erase "$(INTDIR)\xfrin.sbr"

-	-@erase "$(INTDIR)\zone.obj"

-	-@erase "$(INTDIR)\zone.sbr"

-	-@erase "$(INTDIR)\zonekey.obj"

-	-@erase "$(INTDIR)\zonekey.sbr"

-	-@erase "$(INTDIR)\zt.obj"

-	-@erase "$(INTDIR)\zt.sbr"

-	-@erase "$(OUTDIR)\libdns.bsc"

-	-@erase "$(OUTDIR)\libdns.exp"

-	-@erase "$(OUTDIR)\libdns.lib"

-	-@erase "$(OUTDIR)\libdns.map"

-	-@erase "$(OUTDIR)\libdns.pdb"

-	-@erase "..\..\..\Build\Debug\libdns.dll"

-	-@erase "..\..\..\Build\Debug\libdns.ilk"

-	-@$(_VC_MANIFEST_CLEAN)

-

-"$(OUTDIR)" :

-    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"

-

-CPP=cl.exe

-CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../../../openssl-0.9.8d/inc32" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBDNS_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\libdns.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 

-

-.c{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.c{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-MTL=midl.exe

-MTL_PROJ=/nologo /D "_DEBUG" /mktyplib203 /win32 

-RSC=rc.exe

-BSC32=bscmake.exe

-BSC32_FLAGS=/nologo /o"$(OUTDIR)\libdns.bsc" 

-BSC32_SBRS= \

-	"$(INTDIR)\a6.sbr" \

-	"$(INTDIR)\acl.sbr" \

-	"$(INTDIR)\adb.sbr" \

-	"$(INTDIR)\byaddr.sbr" \

-	"$(INTDIR)\cache.sbr" \

-	"$(INTDIR)\callbacks.sbr" \

-	"$(INTDIR)\compress.sbr" \

-	"$(INTDIR)\db.sbr" \

-	"$(INTDIR)\dbiterator.sbr" \

-	"$(INTDIR)\dbtable.sbr" \

-	"$(INTDIR)\diff.sbr" \

-	"$(INTDIR)\dispatch.sbr" \

-	"$(INTDIR)\DLLMain.sbr" \

-	"$(INTDIR)\dnssec.sbr" \

-	"$(INTDIR)\forward.sbr" \

-	"$(INTDIR)\journal.sbr" \

-	"$(INTDIR)\keytable.sbr" \

-	"$(INTDIR)\lib.sbr" \

-	"$(INTDIR)\log.sbr" \

-	"$(INTDIR)\lookup.sbr" \

-	"$(INTDIR)\master.sbr" \

-	"$(INTDIR)\masterdump.sbr" \

-	"$(INTDIR)\message.sbr" \

-	"$(INTDIR)\name.sbr" \

-	"$(INTDIR)\ncache.sbr" \

-	"$(INTDIR)\nxt.sbr" \

-	"$(INTDIR)\peer.sbr" \

-	"$(INTDIR)\rbt.sbr" \

-	"$(INTDIR)\rbtdb.sbr" \

-	"$(INTDIR)\rbtdb64.sbr" \

-	"$(INTDIR)\rdata.sbr" \

-	"$(INTDIR)\rdatalist.sbr" \

-	"$(INTDIR)\rdataset.sbr" \

-	"$(INTDIR)\rdatasetiter.sbr" \

-	"$(INTDIR)\rdataslab.sbr" \

-	"$(INTDIR)\request.sbr" \

-	"$(INTDIR)\resolver.sbr" \

-	"$(INTDIR)\result.sbr" \

-	"$(INTDIR)\rootns.sbr" \

-	"$(INTDIR)\sdb.sbr" \

-	"$(INTDIR)\soa.sbr" \

-	"$(INTDIR)\ssu.sbr" \

-	"$(INTDIR)\stats.sbr" \

-	"$(INTDIR)\tcpmsg.sbr" \

-	"$(INTDIR)\time.sbr" \

-	"$(INTDIR)\timer.sbr" \

-	"$(INTDIR)\tkey.sbr" \

-	"$(INTDIR)\tsig.sbr" \

-	"$(INTDIR)\ttl.sbr" \

-	"$(INTDIR)\validator.sbr" \

-	"$(INTDIR)\version.sbr" \

-	"$(INTDIR)\view.sbr" \

-	"$(INTDIR)\xfrin.sbr" \

-	"$(INTDIR)\zone.sbr" \

-	"$(INTDIR)\zonekey.sbr" \

-	"$(INTDIR)\zt.sbr" \

-	"$(INTDIR)\dst_api.sbr" \

-	"$(INTDIR)\dst_lib.sbr" \

-	"$(INTDIR)\dst_parse.sbr" \

-	"$(INTDIR)\dst_result.sbr" \

-	"$(INTDIR)\gssapi_link.sbr" \

-	"$(INTDIR)\gssapictx.sbr" \

-	"$(INTDIR)\hmac_link.sbr" \

-	"$(INTDIR)\key.sbr" \

-	"$(INTDIR)\openssl_link.sbr" \

-	"$(INTDIR)\openssldh_link.sbr" \

-	"$(INTDIR)\openssldsa_link.sbr" \

-	"$(INTDIR)\opensslrsa_link.sbr"

-

-"$(OUTDIR)\libdns.bsc" : "$(OUTDIR)" $(BSC32_SBRS)

-    $(BSC32) @<<

-  $(BSC32_FLAGS) $(BSC32_SBRS)

-<<

-

-LINK32=link.exe

-LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../isc/win32/debug/libisc.lib ../../../../openssl-0.9.8d/out32dll/libeay32.lib /nologo /dll /incremental:yes /pdb:"$(OUTDIR)\libdns.pdb" /map:"$(INTDIR)\libdns.map" /debug /machine:I386 /def:".\libdns.def" /out:"../../../Build/Debug/libdns.dll" /implib:"$(OUTDIR)\libdns.lib" /pdbtype:sept 

-DEF_FILE= \

-	".\libdns.def"

-LINK32_OBJS= \

-	"$(INTDIR)\a6.obj" \

-	"$(INTDIR)\acl.obj" \

-	"$(INTDIR)\adb.obj" \

-	"$(INTDIR)\byaddr.obj" \

-	"$(INTDIR)\cache.obj" \

-	"$(INTDIR)\callbacks.obj" \

-	"$(INTDIR)\compress.obj" \

-	"$(INTDIR)\db.obj" \

-	"$(INTDIR)\dbiterator.obj" \

-	"$(INTDIR)\dbtable.obj" \

-	"$(INTDIR)\diff.obj" \

-	"$(INTDIR)\dispatch.obj" \

-	"$(INTDIR)\DLLMain.obj" \

-	"$(INTDIR)\dnssec.obj" \

-	"$(INTDIR)\forward.obj" \

-	"$(INTDIR)\journal.obj" \

-	"$(INTDIR)\keytable.obj" \

-	"$(INTDIR)\lib.obj" \

-	"$(INTDIR)\log.obj" \

-	"$(INTDIR)\lookup.obj" \

-	"$(INTDIR)\master.obj" \

-	"$(INTDIR)\masterdump.obj" \

-	"$(INTDIR)\message.obj" \

-	"$(INTDIR)\name.obj" \

-	"$(INTDIR)\ncache.obj" \

-	"$(INTDIR)\nxt.obj" \

-	"$(INTDIR)\peer.obj" \

-	"$(INTDIR)\rbt.obj" \

-	"$(INTDIR)\rbtdb.obj" \

-	"$(INTDIR)\rbtdb64.obj" \

-	"$(INTDIR)\rdata.obj" \

-	"$(INTDIR)\rdatalist.obj" \

-	"$(INTDIR)\rdataset.obj" \

-	"$(INTDIR)\rdatasetiter.obj" \

-	"$(INTDIR)\rdataslab.obj" \

-	"$(INTDIR)\request.obj" \

-	"$(INTDIR)\resolver.obj" \

-	"$(INTDIR)\result.obj" \

-	"$(INTDIR)\rootns.obj" \

-	"$(INTDIR)\sdb.obj" \

-	"$(INTDIR)\soa.obj" \

-	"$(INTDIR)\ssu.obj" \

-	"$(INTDIR)\stats.obj" \

-	"$(INTDIR)\tcpmsg.obj" \

-	"$(INTDIR)\time.obj" \

-	"$(INTDIR)\timer.obj" \

-	"$(INTDIR)\tkey.obj" \

-	"$(INTDIR)\tsig.obj" \

-	"$(INTDIR)\ttl.obj" \

-	"$(INTDIR)\validator.obj" \

-	"$(INTDIR)\version.obj" \

-	"$(INTDIR)\view.obj" \

-	"$(INTDIR)\xfrin.obj" \

-	"$(INTDIR)\zone.obj" \

-	"$(INTDIR)\zonekey.obj" \

-	"$(INTDIR)\zt.obj" \

-	"$(INTDIR)\dst_api.obj" \

-	"$(INTDIR)\dst_lib.obj" \

-	"$(INTDIR)\dst_parse.obj" \

-	"$(INTDIR)\dst_result.obj" \

-	"$(INTDIR)\gssapi_link.obj" \

-	"$(INTDIR)\gssapictx.obj" \

-	"$(INTDIR)\hmac_link.obj" \

-	"$(INTDIR)\key.obj" \

-	"$(INTDIR)\openssl_link.obj" \

-	"$(INTDIR)\openssldh_link.obj" \

-	"$(INTDIR)\openssldsa_link.obj" \

-	"$(INTDIR)\opensslrsa_link.obj"

-

-"..\..\..\Build\Debug\libdns.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)

-    $(LINK32) @<<

-  $(LINK32_FLAGS) $(LINK32_OBJS)

-<<

-  $(_VC_MANIFEST_EMBED_DLL)

-

-!ENDIF 

-

-

-!IF "$(NO_EXTERNAL_DEPS)" != "1"

-!IF EXISTS("libdns.dep")

-!INCLUDE "libdns.dep"

-!ELSE 

-!MESSAGE Warning: cannot find "libdns.dep"

-!ENDIF 

-!ENDIF 

-

-

-!IF "$(CFG)" == "libdns - Win32 Release" || "$(CFG)" == "libdns - Win32 Debug"

-SOURCE=..\a6.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-

-"$(INTDIR)\a6.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-

-"$(INTDIR)\a6.obj"	"$(INTDIR)\a6.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\acl.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-

-"$(INTDIR)\acl.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-

-"$(INTDIR)\acl.obj"	"$(INTDIR)\acl.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\adb.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-

-"$(INTDIR)\adb.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-

-"$(INTDIR)\adb.obj"	"$(INTDIR)\adb.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\byaddr.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-

-"$(INTDIR)\byaddr.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-

-"$(INTDIR)\byaddr.obj"	"$(INTDIR)\byaddr.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\cache.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-

-"$(INTDIR)\cache.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-

-"$(INTDIR)\cache.obj"	"$(INTDIR)\cache.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\callbacks.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-

-"$(INTDIR)\callbacks.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-

-"$(INTDIR)\callbacks.obj"	"$(INTDIR)\callbacks.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\compress.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-

-"$(INTDIR)\compress.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-

-"$(INTDIR)\compress.obj"	"$(INTDIR)\compress.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\db.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-

-"$(INTDIR)\db.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-

-"$(INTDIR)\db.obj"	"$(INTDIR)\db.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\dbiterator.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-

-"$(INTDIR)\dbiterator.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-

-"$(INTDIR)\dbiterator.obj"	"$(INTDIR)\dbiterator.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\dbtable.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-

-"$(INTDIR)\dbtable.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-

-"$(INTDIR)\dbtable.obj"	"$(INTDIR)\dbtable.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\diff.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-

-"$(INTDIR)\diff.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-

-"$(INTDIR)\diff.obj"	"$(INTDIR)\diff.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\dispatch.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-CPP_SWITCHES=/nologo /MD /W3 /GX /O2 /I "../../../../../openssl-0.9.8d/inc32/openssl/include" /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../../../openssl-0.9.8d/inc32" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBDNS_EXPORTS" /Fp"$(INTDIR)\libdns.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 

-

-"$(INTDIR)\dispatch.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) @<<

-  $(CPP_SWITCHES) $(SOURCE)

-<<

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-CPP_SWITCHES=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../../../openssl-0.9.8d/inc32" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBDNS_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\libdns.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 

-

-"$(INTDIR)\dispatch.obj"	"$(INTDIR)\dispatch.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) @<<

-  $(CPP_SWITCHES) $(SOURCE)

-<<

-

-

-!ENDIF 

-

-SOURCE=.\DLLMain.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-

-"$(INTDIR)\DLLMain.obj" : $(SOURCE) "$(INTDIR)"

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-

-"$(INTDIR)\DLLMain.obj"	"$(INTDIR)\DLLMain.sbr" : $(SOURCE) "$(INTDIR)"

-

-

-!ENDIF 

-

-SOURCE=..\dnssec.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-

-"$(INTDIR)\dnssec.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-

-"$(INTDIR)\dnssec.obj"	"$(INTDIR)\dnssec.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\forward.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-

-"$(INTDIR)\forward.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-

-"$(INTDIR)\forward.obj"	"$(INTDIR)\forward.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\journal.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-

-"$(INTDIR)\journal.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-

-"$(INTDIR)\journal.obj"	"$(INTDIR)\journal.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\keytable.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-

-"$(INTDIR)\keytable.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-

-"$(INTDIR)\keytable.obj"	"$(INTDIR)\keytable.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\lib.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-

-"$(INTDIR)\lib.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-

-"$(INTDIR)\lib.obj"	"$(INTDIR)\lib.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\log.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-

-"$(INTDIR)\log.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-

-"$(INTDIR)\log.obj"	"$(INTDIR)\log.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\lookup.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-

-"$(INTDIR)\lookup.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-

-"$(INTDIR)\lookup.obj"	"$(INTDIR)\lookup.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\master.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-

-"$(INTDIR)\master.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-

-"$(INTDIR)\master.obj"	"$(INTDIR)\master.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\masterdump.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-

-"$(INTDIR)\masterdump.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-

-"$(INTDIR)\masterdump.obj"	"$(INTDIR)\masterdump.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\message.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-

-"$(INTDIR)\message.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-

-"$(INTDIR)\message.obj"	"$(INTDIR)\message.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\name.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-

-"$(INTDIR)\name.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-

-"$(INTDIR)\name.obj"	"$(INTDIR)\name.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\ncache.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-

-"$(INTDIR)\ncache.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-

-"$(INTDIR)\ncache.obj"	"$(INTDIR)\ncache.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\nxt.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-

-"$(INTDIR)\nxt.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-

-"$(INTDIR)\nxt.obj"	"$(INTDIR)\nxt.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\peer.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-

-"$(INTDIR)\peer.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-

-"$(INTDIR)\peer.obj"	"$(INTDIR)\peer.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\rbt.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-

-"$(INTDIR)\rbt.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-

-"$(INTDIR)\rbt.obj"	"$(INTDIR)\rbt.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\rbtdb.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-

-"$(INTDIR)\rbtdb.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-

-"$(INTDIR)\rbtdb.obj"	"$(INTDIR)\rbtdb.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\rbtdb64.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-

-"$(INTDIR)\rbtdb64.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-

-"$(INTDIR)\rbtdb64.obj"	"$(INTDIR)\rbtdb64.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\rdata.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-

-"$(INTDIR)\rdata.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-

-"$(INTDIR)\rdata.obj"	"$(INTDIR)\rdata.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\rdatalist.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-

-"$(INTDIR)\rdatalist.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-

-"$(INTDIR)\rdatalist.obj"	"$(INTDIR)\rdatalist.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\rdataset.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-

-"$(INTDIR)\rdataset.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-

-"$(INTDIR)\rdataset.obj"	"$(INTDIR)\rdataset.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\rdatasetiter.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-

-"$(INTDIR)\rdatasetiter.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-

-"$(INTDIR)\rdatasetiter.obj"	"$(INTDIR)\rdatasetiter.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\rdataslab.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-

-"$(INTDIR)\rdataslab.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-

-"$(INTDIR)\rdataslab.obj"	"$(INTDIR)\rdataslab.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\request.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-

-"$(INTDIR)\request.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-

-"$(INTDIR)\request.obj"	"$(INTDIR)\request.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\resolver.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-

-"$(INTDIR)\resolver.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-

-"$(INTDIR)\resolver.obj"	"$(INTDIR)\resolver.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\result.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-

-"$(INTDIR)\result.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-

-"$(INTDIR)\result.obj"	"$(INTDIR)\result.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\rootns.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-

-"$(INTDIR)\rootns.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-

-"$(INTDIR)\rootns.obj"	"$(INTDIR)\rootns.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\sdb.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-

-"$(INTDIR)\sdb.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-

-"$(INTDIR)\sdb.obj"	"$(INTDIR)\sdb.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\soa.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-

-"$(INTDIR)\soa.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-

-"$(INTDIR)\soa.obj"	"$(INTDIR)\soa.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\ssu.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-

-"$(INTDIR)\ssu.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-

-"$(INTDIR)\ssu.obj"	"$(INTDIR)\ssu.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\stats.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-

-"$(INTDIR)\stats.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-

-"$(INTDIR)\stats.obj"	"$(INTDIR)\stats.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\tcpmsg.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-

-"$(INTDIR)\tcpmsg.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-

-"$(INTDIR)\tcpmsg.obj"	"$(INTDIR)\tcpmsg.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\time.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-

-"$(INTDIR)\time.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-

-"$(INTDIR)\time.obj"	"$(INTDIR)\time.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\timer.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-

-"$(INTDIR)\timer.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-

-"$(INTDIR)\timer.obj"	"$(INTDIR)\timer.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\tkey.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-

-"$(INTDIR)\tkey.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-

-"$(INTDIR)\tkey.obj"	"$(INTDIR)\tkey.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\tsig.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-

-"$(INTDIR)\tsig.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-

-"$(INTDIR)\tsig.obj"	"$(INTDIR)\tsig.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\ttl.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-

-"$(INTDIR)\ttl.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-

-"$(INTDIR)\ttl.obj"	"$(INTDIR)\ttl.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\validator.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-

-"$(INTDIR)\validator.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-

-"$(INTDIR)\validator.obj"	"$(INTDIR)\validator.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=.\version.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-

-"$(INTDIR)\version.obj" : $(SOURCE) "$(INTDIR)"

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-

-"$(INTDIR)\version.obj"	"$(INTDIR)\version.sbr" : $(SOURCE) "$(INTDIR)"

-

-

-!ENDIF 

-

-SOURCE=..\view.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-

-"$(INTDIR)\view.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-

-"$(INTDIR)\view.obj"	"$(INTDIR)\view.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\xfrin.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-

-"$(INTDIR)\xfrin.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-

-"$(INTDIR)\xfrin.obj"	"$(INTDIR)\xfrin.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\zone.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-

-"$(INTDIR)\zone.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-

-"$(INTDIR)\zone.obj"	"$(INTDIR)\zone.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\zonekey.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-

-"$(INTDIR)\zonekey.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-

-"$(INTDIR)\zonekey.obj"	"$(INTDIR)\zonekey.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\zt.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-

-"$(INTDIR)\zt.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-

-"$(INTDIR)\zt.obj"	"$(INTDIR)\zt.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\dst_api.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-

-"$(INTDIR)\dst_api.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-

-"$(INTDIR)\dst_api.obj"	"$(INTDIR)\dst_api.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\dst_lib.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-

-"$(INTDIR)\dst_lib.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-

-"$(INTDIR)\dst_lib.obj"	"$(INTDIR)\dst_lib.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\dst_parse.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-

-"$(INTDIR)\dst_parse.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-

-"$(INTDIR)\dst_parse.obj"	"$(INTDIR)\dst_parse.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\dst_result.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-

-"$(INTDIR)\dst_result.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-

-"$(INTDIR)\dst_result.obj"	"$(INTDIR)\dst_result.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\gssapi_link.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-

-"$(INTDIR)\gssapi_link.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-

-"$(INTDIR)\gssapi_link.obj"	"$(INTDIR)\gssapi_link.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\gssapictx.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-

-"$(INTDIR)\gssapictx.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-

-"$(INTDIR)\gssapictx.obj"	"$(INTDIR)\gssapictx.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\hmac_link.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-

-"$(INTDIR)\hmac_link.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-

-"$(INTDIR)\hmac_link.obj"	"$(INTDIR)\hmac_link.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\key.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-

-"$(INTDIR)\key.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-

-"$(INTDIR)\key.obj"	"$(INTDIR)\key.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\openssl_link.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-

-"$(INTDIR)\openssl_link.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-

-"$(INTDIR)\openssl_link.obj"	"$(INTDIR)\openssl_link.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\openssldh_link.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-

-"$(INTDIR)\openssldh_link.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-

-"$(INTDIR)\openssldh_link.obj"	"$(INTDIR)\openssldh_link.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\openssldsa_link.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-

-"$(INTDIR)\openssldsa_link.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-

-"$(INTDIR)\openssldsa_link.obj"	"$(INTDIR)\openssldsa_link.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\opensslrsa_link.c

-

-!IF  "$(CFG)" == "libdns - Win32 Release"

-

-

-"$(INTDIR)\opensslrsa_link.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"

-

-

-"$(INTDIR)\opensslrsa_link.obj"	"$(INTDIR)\opensslrsa_link.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-

-!ENDIF 

-

-####################################################

-# Commands to generate initial empty manifest file and the RC file

-# that references it, and for generating the .res file:

-

-$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc

-

-$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest

-    type <<$@

-#include <winuser.h>

-1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"

-<< KEEP

-

-$(_VC_MANIFEST_BASENAME).auto.manifest :

-    type <<$@

-<?xml version='1.0' encoding='UTF-8' standalone='yes'?>

-<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>

-</assembly>

-<< KEEP

+# Microsoft Developer Studio Generated NMAKE File, Based on libdns.dsp
+!IF "$(CFG)" == ""
+CFG=libdns - Win32 Debug
+!MESSAGE No configuration specified. Defaulting to libdns - Win32 Debug.
+!ENDIF 
+
+!IF "$(CFG)" != "libdns - Win32 Release" && "$(CFG)" != "libdns - Win32 Debug"
+!MESSAGE Invalid configuration "$(CFG)" specified.
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "libdns.mak" CFG="libdns - Win32 Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "libdns - Win32 Release" (based on "Win32 (x86) Dynamic-Link Library")
+!MESSAGE "libdns - Win32 Debug" (based on "Win32 (x86) Dynamic-Link Library")
+!MESSAGE 
+!ERROR An invalid configuration is specified.
+!ENDIF 
+
+!IF "$(OS)" == "Windows_NT"
+NULL=
+!ELSE 
+NULL=nul
+!ENDIF 
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+OUTDIR=.\Release
+INTDIR=.\Release
+
+!IF "$(RECURSE)" == "0" 
+
+ALL : "..\..\..\Build\Release\libdns.dll"
+
+!ELSE 
+
+ALL : "libisc - Win32 Release" "..\..\..\Build\Release\libdns.dll"
+
+!ENDIF 
+
+!IF "$(RECURSE)" == "1" 
+CLEAN :"libisc - Win32 ReleaseCLEAN" 
+!ELSE 
+CLEAN :
+!ENDIF 
+	-@erase "$(INTDIR)\acl.obj"
+	-@erase "$(INTDIR)\adb.obj"
+	-@erase "$(INTDIR)\byaddr.obj"
+	-@erase "$(INTDIR)\cache.obj"
+	-@erase "$(INTDIR)\callbacks.obj"
+	-@erase "$(INTDIR)\compress.obj"
+	-@erase "$(INTDIR)\db.obj"
+	-@erase "$(INTDIR)\dbiterator.obj"
+	-@erase "$(INTDIR)\dbtable.obj"
+	-@erase "$(INTDIR)\diff.obj"
+	-@erase "$(INTDIR)\dispatch.obj"
+	-@erase "$(INTDIR)\DLLMain.obj"
+	-@erase "$(INTDIR)\dnssec.obj"
+	-@erase "$(INTDIR)\ds.obj"
+	-@erase "$(INTDIR)\dst_api.obj"
+	-@erase "$(INTDIR)\dst_lib.obj"
+	-@erase "$(INTDIR)\dst_parse.obj"
+	-@erase "$(INTDIR)\dst_result.obj"
+	-@erase "$(INTDIR)\forward.obj"
+	-@erase "$(INTDIR)\gssapi_link.obj"
+	-@erase "$(INTDIR)\gssapictx.obj"
+	-@erase "$(INTDIR)\hmac_link.obj"
+	-@erase "$(INTDIR)\journal.obj"
+	-@erase "$(INTDIR)\key.obj"
+	-@erase "$(INTDIR)\keytable.obj"
+	-@erase "$(INTDIR)\lib.obj"
+	-@erase "$(INTDIR)\log.obj"
+	-@erase "$(INTDIR)\lookup.obj"
+	-@erase "$(INTDIR)\master.obj"
+	-@erase "$(INTDIR)\masterdump.obj"
+	-@erase "$(INTDIR)\message.obj"
+	-@erase "$(INTDIR)\name.obj"
+	-@erase "$(INTDIR)\ncache.obj"
+	-@erase "$(INTDIR)\nsec.obj"
+	-@erase "$(INTDIR)\openssl_link.obj"
+	-@erase "$(INTDIR)\openssldh_link.obj"
+	-@erase "$(INTDIR)\openssldsa_link.obj"
+	-@erase "$(INTDIR)\opensslrsa_link.obj"
+	-@erase "$(INTDIR)\order.obj"
+	-@erase "$(INTDIR)\peer.obj"
+	-@erase "$(INTDIR)\portlist.obj"
+	-@erase "$(INTDIR)\rbt.obj"
+	-@erase "$(INTDIR)\rbtdb.obj"
+	-@erase "$(INTDIR)\rbtdb64.obj"
+	-@erase "$(INTDIR)\rcode.obj"
+	-@erase "$(INTDIR)\rdata.obj"
+	-@erase "$(INTDIR)\rdatalist.obj"
+	-@erase "$(INTDIR)\rdataset.obj"
+	-@erase "$(INTDIR)\rdatasetiter.obj"
+	-@erase "$(INTDIR)\rdataslab.obj"
+	-@erase "$(INTDIR)\request.obj"
+	-@erase "$(INTDIR)\resolver.obj"
+	-@erase "$(INTDIR)\result.obj"
+	-@erase "$(INTDIR)\rootns.obj"
+	-@erase "$(INTDIR)\sdb.obj"
+	-@erase "$(INTDIR)\soa.obj"
+	-@erase "$(INTDIR)\ssu.obj"
+	-@erase "$(INTDIR)\stats.obj"
+	-@erase "$(INTDIR)\tcpmsg.obj"
+	-@erase "$(INTDIR)\time.obj"
+	-@erase "$(INTDIR)\timer.obj"
+	-@erase "$(INTDIR)\tkey.obj"
+	-@erase "$(INTDIR)\tsig.obj"
+	-@erase "$(INTDIR)\ttl.obj"
+	-@erase "$(INTDIR)\validator.obj"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "$(INTDIR)\version.obj"
+	-@erase "$(INTDIR)\view.obj"
+	-@erase "$(INTDIR)\xfrin.obj"
+	-@erase "$(INTDIR)\zone.obj"
+	-@erase "$(INTDIR)\zonekey.obj"
+	-@erase "$(INTDIR)\zt.obj"
+	-@erase "$(OUTDIR)\libdns.exp"
+	-@erase "$(OUTDIR)\libdns.lib"
+	-@erase "..\..\..\Build\Release\libdns.dll"
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP=cl.exe
+CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "../../../../../openssl-0.9.6k/inc32/openssl/include" /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../dns/sec/dst/include" /I "../../../../openssl-0.9.6k/inc32" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBDNS_EXPORTS" /Fp"$(INTDIR)\libdns.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+
+.c{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+MTL=midl.exe
+MTL_PROJ=/nologo /D "NDEBUG" /mktyplib203 /win32 
+RSC=rc.exe
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\libdns.bsc" 
+BSC32_SBRS= \
+	
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../isc/win32/Release/libisc.lib ../../../../openssl-0.9.6k/out32dll/libeay32.lib /nologo /dll /incremental:no /pdb:"$(OUTDIR)\libdns.pdb" /machine:I386 /def:".\libdns.def" /out:"../../../Build/Release/libdns.dll" /implib:"$(OUTDIR)\libdns.lib" 
+DEF_FILE= \
+	".\libdns.def"
+LINK32_OBJS= \
+	"$(INTDIR)\acl.obj" \
+	"$(INTDIR)\adb.obj" \
+	"$(INTDIR)\byaddr.obj" \
+	"$(INTDIR)\cache.obj" \
+	"$(INTDIR)\callbacks.obj" \
+	"$(INTDIR)\compress.obj" \
+	"$(INTDIR)\db.obj" \
+	"$(INTDIR)\dbiterator.obj" \
+	"$(INTDIR)\dbtable.obj" \
+	"$(INTDIR)\diff.obj" \
+	"$(INTDIR)\dispatch.obj" \
+	"$(INTDIR)\DLLMain.obj" \
+	"$(INTDIR)\dnssec.obj" \
+	"$(INTDIR)\ds.obj" \
+	"$(INTDIR)\forward.obj" \
+	"$(INTDIR)\journal.obj" \
+	"$(INTDIR)\keytable.obj" \
+	"$(INTDIR)\lib.obj" \
+	"$(INTDIR)\log.obj" \
+	"$(INTDIR)\lookup.obj" \
+	"$(INTDIR)\master.obj" \
+	"$(INTDIR)\masterdump.obj" \
+	"$(INTDIR)\message.obj" \
+	"$(INTDIR)\name.obj" \
+	"$(INTDIR)\ncache.obj" \
+	"$(INTDIR)\nsec.obj" \
+	"$(INTDIR)\order.obj" \
+	"$(INTDIR)\peer.obj" \
+	"$(INTDIR)\portlist.obj" \
+	"$(INTDIR)\rbt.obj" \
+	"$(INTDIR)\rbtdb.obj" \
+	"$(INTDIR)\rbtdb64.obj" \
+	"$(INTDIR)\rcode.obj" \
+	"$(INTDIR)\rdata.obj" \
+	"$(INTDIR)\rdatalist.obj" \
+	"$(INTDIR)\rdataset.obj" \
+	"$(INTDIR)\rdatasetiter.obj" \
+	"$(INTDIR)\rdataslab.obj" \
+	"$(INTDIR)\request.obj" \
+	"$(INTDIR)\resolver.obj" \
+	"$(INTDIR)\result.obj" \
+	"$(INTDIR)\rootns.obj" \
+	"$(INTDIR)\sdb.obj" \
+	"$(INTDIR)\soa.obj" \
+	"$(INTDIR)\ssu.obj" \
+	"$(INTDIR)\stats.obj" \
+	"$(INTDIR)\tcpmsg.obj" \
+	"$(INTDIR)\time.obj" \
+	"$(INTDIR)\timer.obj" \
+	"$(INTDIR)\tkey.obj" \
+	"$(INTDIR)\tsig.obj" \
+	"$(INTDIR)\ttl.obj" \
+	"$(INTDIR)\validator.obj" \
+	"$(INTDIR)\version.obj" \
+	"$(INTDIR)\view.obj" \
+	"$(INTDIR)\xfrin.obj" \
+	"$(INTDIR)\zone.obj" \
+	"$(INTDIR)\zonekey.obj" \
+	"$(INTDIR)\zt.obj" \
+	"$(INTDIR)\dst_api.obj" \
+	"$(INTDIR)\dst_lib.obj" \
+	"$(INTDIR)\dst_parse.obj" \
+	"$(INTDIR)\dst_result.obj" \
+	"$(INTDIR)\gssapi_link.obj" \
+	"$(INTDIR)\gssapictx.obj" \
+	"$(INTDIR)\hmac_link.obj" \
+	"$(INTDIR)\key.obj" \
+	"$(INTDIR)\openssl_link.obj" \
+	"$(INTDIR)\openssldh_link.obj" \
+	"$(INTDIR)\openssldsa_link.obj" \
+	"$(INTDIR)\opensslrsa_link.obj" \
+	"..\..\isc\win32\Release\libisc.lib"
+
+"..\..\..\Build\Release\libdns.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+OUTDIR=.\Debug
+INTDIR=.\Debug
+# Begin Custom Macros
+OutDir=.\Debug
+# End Custom Macros
+
+!IF "$(RECURSE)" == "0" 
+
+ALL : "..\..\..\Build\Debug\libdns.dll" "$(OUTDIR)\libdns.bsc"
+
+!ELSE 
+
+ALL : "libisc - Win32 Debug" "..\..\..\Build\Debug\libdns.dll" "$(OUTDIR)\libdns.bsc"
+
+!ENDIF 
+
+!IF "$(RECURSE)" == "1" 
+CLEAN :"libisc - Win32 DebugCLEAN" 
+!ELSE 
+CLEAN :
+!ENDIF 
+	-@erase "$(INTDIR)\acl.obj"
+	-@erase "$(INTDIR)\acl.sbr"
+	-@erase "$(INTDIR)\adb.obj"
+	-@erase "$(INTDIR)\adb.sbr"
+	-@erase "$(INTDIR)\byaddr.obj"
+	-@erase "$(INTDIR)\byaddr.sbr"
+	-@erase "$(INTDIR)\cache.obj"
+	-@erase "$(INTDIR)\cache.sbr"
+	-@erase "$(INTDIR)\callbacks.obj"
+	-@erase "$(INTDIR)\callbacks.sbr"
+	-@erase "$(INTDIR)\compress.obj"
+	-@erase "$(INTDIR)\compress.sbr"
+	-@erase "$(INTDIR)\db.obj"
+	-@erase "$(INTDIR)\db.sbr"
+	-@erase "$(INTDIR)\dbiterator.obj"
+	-@erase "$(INTDIR)\dbiterator.sbr"
+	-@erase "$(INTDIR)\dbtable.obj"
+	-@erase "$(INTDIR)\dbtable.sbr"
+	-@erase "$(INTDIR)\diff.obj"
+	-@erase "$(INTDIR)\diff.sbr"
+	-@erase "$(INTDIR)\dispatch.obj"
+	-@erase "$(INTDIR)\dispatch.sbr"
+	-@erase "$(INTDIR)\DLLMain.obj"
+	-@erase "$(INTDIR)\DLLMain.sbr"
+	-@erase "$(INTDIR)\dnssec.obj"
+	-@erase "$(INTDIR)\dnssec.sbr"
+	-@erase "$(INTDIR)\ds.obj"
+	-@erase "$(INTDIR)\ds.sbr"
+	-@erase "$(INTDIR)\dst_api.obj"
+	-@erase "$(INTDIR)\dst_api.sbr"
+	-@erase "$(INTDIR)\dst_lib.obj"
+	-@erase "$(INTDIR)\dst_lib.sbr"
+	-@erase "$(INTDIR)\dst_parse.obj"
+	-@erase "$(INTDIR)\dst_parse.sbr"
+	-@erase "$(INTDIR)\dst_result.obj"
+	-@erase "$(INTDIR)\dst_result.sbr"
+	-@erase "$(INTDIR)\forward.obj"
+	-@erase "$(INTDIR)\forward.sbr"
+	-@erase "$(INTDIR)\gssapi_link.obj"
+	-@erase "$(INTDIR)\gssapi_link.sbr"
+	-@erase "$(INTDIR)\gssapictx.obj"
+	-@erase "$(INTDIR)\gssapictx.sbr"
+	-@erase "$(INTDIR)\hmac_link.obj"
+	-@erase "$(INTDIR)\hmac_link.sbr"
+	-@erase "$(INTDIR)\journal.obj"
+	-@erase "$(INTDIR)\journal.sbr"
+	-@erase "$(INTDIR)\key.obj"
+	-@erase "$(INTDIR)\key.sbr"
+	-@erase "$(INTDIR)\keytable.obj"
+	-@erase "$(INTDIR)\keytable.sbr"
+	-@erase "$(INTDIR)\lib.obj"
+	-@erase "$(INTDIR)\lib.sbr"
+	-@erase "$(INTDIR)\log.obj"
+	-@erase "$(INTDIR)\log.sbr"
+	-@erase "$(INTDIR)\lookup.obj"
+	-@erase "$(INTDIR)\lookup.sbr"
+	-@erase "$(INTDIR)\master.obj"
+	-@erase "$(INTDIR)\master.sbr"
+	-@erase "$(INTDIR)\masterdump.obj"
+	-@erase "$(INTDIR)\masterdump.sbr"
+	-@erase "$(INTDIR)\message.obj"
+	-@erase "$(INTDIR)\message.sbr"
+	-@erase "$(INTDIR)\name.obj"
+	-@erase "$(INTDIR)\name.sbr"
+	-@erase "$(INTDIR)\ncache.obj"
+	-@erase "$(INTDIR)\ncache.sbr"
+	-@erase "$(INTDIR)\nsec.obj"
+	-@erase "$(INTDIR)\nsec.sbr"
+	-@erase "$(INTDIR)\openssl_link.obj"
+	-@erase "$(INTDIR)\openssl_link.sbr"
+	-@erase "$(INTDIR)\openssldh_link.obj"
+	-@erase "$(INTDIR)\openssldh_link.sbr"
+	-@erase "$(INTDIR)\openssldsa_link.obj"
+	-@erase "$(INTDIR)\openssldsa_link.sbr"
+	-@erase "$(INTDIR)\opensslrsa_link.obj"
+	-@erase "$(INTDIR)\opensslrsa_link.sbr"
+	-@erase "$(INTDIR)\order.obj"
+	-@erase "$(INTDIR)\order.sbr"
+	-@erase "$(INTDIR)\peer.obj"
+	-@erase "$(INTDIR)\peer.sbr"
+	-@erase "$(INTDIR)\portlist.obj"
+	-@erase "$(INTDIR)\portlist.sbr"
+	-@erase "$(INTDIR)\rbt.obj"
+	-@erase "$(INTDIR)\rbt.sbr"
+	-@erase "$(INTDIR)\rbtdb.obj"
+	-@erase "$(INTDIR)\rbtdb.sbr"
+	-@erase "$(INTDIR)\rbtdb64.obj"
+	-@erase "$(INTDIR)\rbtdb64.sbr"
+	-@erase "$(INTDIR)\rcode.obj"
+	-@erase "$(INTDIR)\rcode.sbr"
+	-@erase "$(INTDIR)\rdata.obj"
+	-@erase "$(INTDIR)\rdata.sbr"
+	-@erase "$(INTDIR)\rdatalist.obj"
+	-@erase "$(INTDIR)\rdatalist.sbr"
+	-@erase "$(INTDIR)\rdataset.obj"
+	-@erase "$(INTDIR)\rdataset.sbr"
+	-@erase "$(INTDIR)\rdatasetiter.obj"
+	-@erase "$(INTDIR)\rdatasetiter.sbr"
+	-@erase "$(INTDIR)\rdataslab.obj"
+	-@erase "$(INTDIR)\rdataslab.sbr"
+	-@erase "$(INTDIR)\request.obj"
+	-@erase "$(INTDIR)\request.sbr"
+	-@erase "$(INTDIR)\resolver.obj"
+	-@erase "$(INTDIR)\resolver.sbr"
+	-@erase "$(INTDIR)\result.obj"
+	-@erase "$(INTDIR)\result.sbr"
+	-@erase "$(INTDIR)\rootns.obj"
+	-@erase "$(INTDIR)\rootns.sbr"
+	-@erase "$(INTDIR)\sdb.obj"
+	-@erase "$(INTDIR)\sdb.sbr"
+	-@erase "$(INTDIR)\soa.obj"
+	-@erase "$(INTDIR)\soa.sbr"
+	-@erase "$(INTDIR)\ssu.obj"
+	-@erase "$(INTDIR)\ssu.sbr"
+	-@erase "$(INTDIR)\stats.obj"
+	-@erase "$(INTDIR)\stats.sbr"
+	-@erase "$(INTDIR)\tcpmsg.obj"
+	-@erase "$(INTDIR)\tcpmsg.sbr"
+	-@erase "$(INTDIR)\time.obj"
+	-@erase "$(INTDIR)\time.sbr"
+	-@erase "$(INTDIR)\timer.obj"
+	-@erase "$(INTDIR)\timer.sbr"
+	-@erase "$(INTDIR)\tkey.obj"
+	-@erase "$(INTDIR)\tkey.sbr"
+	-@erase "$(INTDIR)\tsig.obj"
+	-@erase "$(INTDIR)\tsig.sbr"
+	-@erase "$(INTDIR)\ttl.obj"
+	-@erase "$(INTDIR)\ttl.sbr"
+	-@erase "$(INTDIR)\validator.obj"
+	-@erase "$(INTDIR)\validator.sbr"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "$(INTDIR)\vc60.pdb"
+	-@erase "$(INTDIR)\version.obj"
+	-@erase "$(INTDIR)\version.sbr"
+	-@erase "$(INTDIR)\view.obj"
+	-@erase "$(INTDIR)\view.sbr"
+	-@erase "$(INTDIR)\xfrin.obj"
+	-@erase "$(INTDIR)\xfrin.sbr"
+	-@erase "$(INTDIR)\zone.obj"
+	-@erase "$(INTDIR)\zone.sbr"
+	-@erase "$(INTDIR)\zonekey.obj"
+	-@erase "$(INTDIR)\zonekey.sbr"
+	-@erase "$(INTDIR)\zt.obj"
+	-@erase "$(INTDIR)\zt.sbr"
+	-@erase "$(OUTDIR)\libdns.bsc"
+	-@erase "$(OUTDIR)\libdns.exp"
+	-@erase "$(OUTDIR)\libdns.lib"
+	-@erase "$(OUTDIR)\libdns.map"
+	-@erase "$(OUTDIR)\libdns.pdb"
+	-@erase "..\..\..\Build\Debug\libdns.dll"
+	-@erase "..\..\..\Build\Debug\libdns.ilk"
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP=cl.exe
+CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../dns/sec/dst/include" /I "../../../../openssl-0.9.6k/inc32" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBDNS_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\libdns.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+
+.c{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+MTL=midl.exe
+MTL_PROJ=/nologo /D "_DEBUG" /mktyplib203 /win32 
+RSC=rc.exe
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\libdns.bsc" 
+BSC32_SBRS= \
+	"$(INTDIR)\acl.sbr" \
+	"$(INTDIR)\adb.sbr" \
+	"$(INTDIR)\byaddr.sbr" \
+	"$(INTDIR)\cache.sbr" \
+	"$(INTDIR)\callbacks.sbr" \
+	"$(INTDIR)\compress.sbr" \
+	"$(INTDIR)\db.sbr" \
+	"$(INTDIR)\dbiterator.sbr" \
+	"$(INTDIR)\dbtable.sbr" \
+	"$(INTDIR)\diff.sbr" \
+	"$(INTDIR)\dispatch.sbr" \
+	"$(INTDIR)\DLLMain.sbr" \
+	"$(INTDIR)\dnssec.sbr" \
+	"$(INTDIR)\ds.sbr" \
+	"$(INTDIR)\forward.sbr" \
+	"$(INTDIR)\journal.sbr" \
+	"$(INTDIR)\keytable.sbr" \
+	"$(INTDIR)\lib.sbr" \
+	"$(INTDIR)\log.sbr" \
+	"$(INTDIR)\lookup.sbr" \
+	"$(INTDIR)\master.sbr" \
+	"$(INTDIR)\masterdump.sbr" \
+	"$(INTDIR)\message.sbr" \
+	"$(INTDIR)\name.sbr" \
+	"$(INTDIR)\ncache.sbr" \
+	"$(INTDIR)\nsec.sbr" \
+	"$(INTDIR)\order.sbr" \
+	"$(INTDIR)\peer.sbr" \
+	"$(INTDIR)\portlist.sbr" \
+	"$(INTDIR)\rbt.sbr" \
+	"$(INTDIR)\rbtdb.sbr" \
+	"$(INTDIR)\rbtdb64.sbr" \
+	"$(INTDIR)\rcode.sbr" \
+	"$(INTDIR)\rdata.sbr" \
+	"$(INTDIR)\rdatalist.sbr" \
+	"$(INTDIR)\rdataset.sbr" \
+	"$(INTDIR)\rdatasetiter.sbr" \
+	"$(INTDIR)\rdataslab.sbr" \
+	"$(INTDIR)\request.sbr" \
+	"$(INTDIR)\resolver.sbr" \
+	"$(INTDIR)\result.sbr" \
+	"$(INTDIR)\rootns.sbr" \
+	"$(INTDIR)\sdb.sbr" \
+	"$(INTDIR)\soa.sbr" \
+	"$(INTDIR)\ssu.sbr" \
+	"$(INTDIR)\stats.sbr" \
+	"$(INTDIR)\tcpmsg.sbr" \
+	"$(INTDIR)\time.sbr" \
+	"$(INTDIR)\timer.sbr" \
+	"$(INTDIR)\tkey.sbr" \
+	"$(INTDIR)\tsig.sbr" \
+	"$(INTDIR)\ttl.sbr" \
+	"$(INTDIR)\validator.sbr" \
+	"$(INTDIR)\version.sbr" \
+	"$(INTDIR)\view.sbr" \
+	"$(INTDIR)\xfrin.sbr" \
+	"$(INTDIR)\zone.sbr" \
+	"$(INTDIR)\zonekey.sbr" \
+	"$(INTDIR)\zt.sbr" \
+	"$(INTDIR)\dst_api.sbr" \
+	"$(INTDIR)\dst_lib.sbr" \
+	"$(INTDIR)\dst_parse.sbr" \
+	"$(INTDIR)\dst_result.sbr" \
+	"$(INTDIR)\gssapi_link.sbr" \
+	"$(INTDIR)\gssapictx.sbr" \
+	"$(INTDIR)\hmac_link.sbr" \
+	"$(INTDIR)\key.sbr" \
+	"$(INTDIR)\openssl_link.sbr" \
+	"$(INTDIR)\openssldh_link.sbr" \
+	"$(INTDIR)\openssldsa_link.sbr" \
+	"$(INTDIR)\opensslrsa_link.sbr"
+
+"$(OUTDIR)\libdns.bsc" : "$(OUTDIR)" $(BSC32_SBRS)
+    $(BSC32) @<<
+  $(BSC32_FLAGS) $(BSC32_SBRS)
+<<
+
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../isc/win32/debug/libisc.lib ../../../../openssl-0.9.6k/out32dll/libeay32.lib /nologo /dll /incremental:yes /pdb:"$(OUTDIR)\libdns.pdb" /map:"$(INTDIR)\libdns.map" /debug /machine:I386 /def:".\libdns.def" /out:"../../../Build/Debug/libdns.dll" /implib:"$(OUTDIR)\libdns.lib" /pdbtype:sept 
+DEF_FILE= \
+	".\libdns.def"
+LINK32_OBJS= \
+	"$(INTDIR)\acl.obj" \
+	"$(INTDIR)\adb.obj" \
+	"$(INTDIR)\byaddr.obj" \
+	"$(INTDIR)\cache.obj" \
+	"$(INTDIR)\callbacks.obj" \
+	"$(INTDIR)\compress.obj" \
+	"$(INTDIR)\db.obj" \
+	"$(INTDIR)\dbiterator.obj" \
+	"$(INTDIR)\dbtable.obj" \
+	"$(INTDIR)\diff.obj" \
+	"$(INTDIR)\dispatch.obj" \
+	"$(INTDIR)\DLLMain.obj" \
+	"$(INTDIR)\dnssec.obj" \
+	"$(INTDIR)\ds.obj" \
+	"$(INTDIR)\forward.obj" \
+	"$(INTDIR)\journal.obj" \
+	"$(INTDIR)\keytable.obj" \
+	"$(INTDIR)\lib.obj" \
+	"$(INTDIR)\log.obj" \
+	"$(INTDIR)\lookup.obj" \
+	"$(INTDIR)\master.obj" \
+	"$(INTDIR)\masterdump.obj" \
+	"$(INTDIR)\message.obj" \
+	"$(INTDIR)\name.obj" \
+	"$(INTDIR)\ncache.obj" \
+	"$(INTDIR)\nsec.obj" \
+	"$(INTDIR)\order.obj" \
+	"$(INTDIR)\peer.obj" \
+	"$(INTDIR)\portlist.obj" \
+	"$(INTDIR)\rbt.obj" \
+	"$(INTDIR)\rbtdb.obj" \
+	"$(INTDIR)\rbtdb64.obj" \
+	"$(INTDIR)\rcode.obj" \
+	"$(INTDIR)\rdata.obj" \
+	"$(INTDIR)\rdatalist.obj" \
+	"$(INTDIR)\rdataset.obj" \
+	"$(INTDIR)\rdatasetiter.obj" \
+	"$(INTDIR)\rdataslab.obj" \
+	"$(INTDIR)\request.obj" \
+	"$(INTDIR)\resolver.obj" \
+	"$(INTDIR)\result.obj" \
+	"$(INTDIR)\rootns.obj" \
+	"$(INTDIR)\sdb.obj" \
+	"$(INTDIR)\soa.obj" \
+	"$(INTDIR)\ssu.obj" \
+	"$(INTDIR)\stats.obj" \
+	"$(INTDIR)\tcpmsg.obj" \
+	"$(INTDIR)\time.obj" \
+	"$(INTDIR)\timer.obj" \
+	"$(INTDIR)\tkey.obj" \
+	"$(INTDIR)\tsig.obj" \
+	"$(INTDIR)\ttl.obj" \
+	"$(INTDIR)\validator.obj" \
+	"$(INTDIR)\version.obj" \
+	"$(INTDIR)\view.obj" \
+	"$(INTDIR)\xfrin.obj" \
+	"$(INTDIR)\zone.obj" \
+	"$(INTDIR)\zonekey.obj" \
+	"$(INTDIR)\zt.obj" \
+	"$(INTDIR)\dst_api.obj" \
+	"$(INTDIR)\dst_lib.obj" \
+	"$(INTDIR)\dst_parse.obj" \
+	"$(INTDIR)\dst_result.obj" \
+	"$(INTDIR)\gssapi_link.obj" \
+	"$(INTDIR)\gssapictx.obj" \
+	"$(INTDIR)\hmac_link.obj" \
+	"$(INTDIR)\key.obj" \
+	"$(INTDIR)\openssl_link.obj" \
+	"$(INTDIR)\openssldh_link.obj" \
+	"$(INTDIR)\openssldsa_link.obj" \
+	"$(INTDIR)\opensslrsa_link.obj" \
+	"..\..\isc\win32\Debug\libisc.lib"
+
+"..\..\..\Build\Debug\libdns.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+
+!ENDIF 
+
+
+!IF "$(NO_EXTERNAL_DEPS)" != "1"
+!IF EXISTS("libdns.dep")
+!INCLUDE "libdns.dep"
+!ELSE 
+!MESSAGE Warning: cannot find "libdns.dep"
+!ENDIF 
+!ENDIF 
+
+
+!IF "$(CFG)" == "libdns - Win32 Release" || "$(CFG)" == "libdns - Win32 Debug"
+SOURCE=..\acl.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\acl.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\acl.obj"	"$(INTDIR)\acl.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\adb.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\adb.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\adb.obj"	"$(INTDIR)\adb.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\byaddr.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\byaddr.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\byaddr.obj"	"$(INTDIR)\byaddr.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\cache.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\cache.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\cache.obj"	"$(INTDIR)\cache.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\callbacks.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\callbacks.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\callbacks.obj"	"$(INTDIR)\callbacks.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\compress.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\compress.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\compress.obj"	"$(INTDIR)\compress.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\db.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\db.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\db.obj"	"$(INTDIR)\db.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\dbiterator.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\dbiterator.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\dbiterator.obj"	"$(INTDIR)\dbiterator.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\dbtable.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\dbtable.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\dbtable.obj"	"$(INTDIR)\dbtable.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\diff.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\diff.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\diff.obj"	"$(INTDIR)\diff.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\dispatch.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+CPP_SWITCHES=/nologo /MD /W3 /GX /O2 /I "../../../../../openssl-0.9.6k/inc32/openssl/include" /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../dns/sec/dst/include" /I "../../../../openssl-0.9.6k/inc32" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBDNS_EXPORTS" /Fp"$(INTDIR)\libdns.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+
+"$(INTDIR)\dispatch.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) @<<
+  $(CPP_SWITCHES) $(SOURCE)
+<<
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+CPP_SWITCHES=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../dns/sec/dst/include" /I "../../../../openssl-0.9.6k/inc32" /I "../sec/dst/include" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBDNS_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\libdns.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+
+"$(INTDIR)\dispatch.obj"	"$(INTDIR)\dispatch.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) @<<
+  $(CPP_SWITCHES) $(SOURCE)
+<<
+
+
+!ENDIF 
+
+SOURCE=.\DLLMain.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\DLLMain.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\DLLMain.obj"	"$(INTDIR)\DLLMain.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF 
+
+SOURCE=..\dnssec.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\dnssec.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\dnssec.obj"	"$(INTDIR)\dnssec.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\ds.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\ds.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\ds.obj"	"$(INTDIR)\ds.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\forward.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\forward.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\forward.obj"	"$(INTDIR)\forward.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\journal.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\journal.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\journal.obj"	"$(INTDIR)\journal.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\keytable.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\keytable.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\keytable.obj"	"$(INTDIR)\keytable.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\lib.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\lib.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\lib.obj"	"$(INTDIR)\lib.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\log.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\log.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\log.obj"	"$(INTDIR)\log.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\lookup.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\lookup.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\lookup.obj"	"$(INTDIR)\lookup.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\master.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\master.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\master.obj"	"$(INTDIR)\master.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\masterdump.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\masterdump.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\masterdump.obj"	"$(INTDIR)\masterdump.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\message.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\message.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\message.obj"	"$(INTDIR)\message.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\name.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\name.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\name.obj"	"$(INTDIR)\name.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\ncache.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\ncache.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\ncache.obj"	"$(INTDIR)\ncache.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\nsec.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\nsec.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\nsec.obj"	"$(INTDIR)\nsec.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\order.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\order.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\order.obj"	"$(INTDIR)\order.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\peer.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\peer.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\peer.obj"	"$(INTDIR)\peer.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+
+SOURCE=..\portlist.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\portlist.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\portlist.obj"	"$(INTDIR)\portlist.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\rbt.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\rbt.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\rbt.obj"	"$(INTDIR)\rbt.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\rbtdb.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\rbtdb.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\rbtdb.obj"	"$(INTDIR)\rbtdb.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\rbtdb64.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\rbtdb64.obj" : $(SOURCE) "$(INTDIR)" "..\rbtdb.c"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\rbtdb64.obj"	"$(INTDIR)\rbtdb64.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\rcode.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\rcode.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\rcode.obj"	"$(INTDIR)\rcode.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\rdata.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\rdata.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\rdata.obj"	"$(INTDIR)\rdata.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\rdatalist.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\rdatalist.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\rdatalist.obj"	"$(INTDIR)\rdatalist.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\rdataset.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\rdataset.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\rdataset.obj"	"$(INTDIR)\rdataset.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\rdatasetiter.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\rdatasetiter.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\rdatasetiter.obj"	"$(INTDIR)\rdatasetiter.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\rdataslab.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\rdataslab.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\rdataslab.obj"	"$(INTDIR)\rdataslab.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\request.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\request.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\request.obj"	"$(INTDIR)\request.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\resolver.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\resolver.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\resolver.obj"	"$(INTDIR)\resolver.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\result.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\result.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\result.obj"	"$(INTDIR)\result.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\rootns.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\rootns.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\rootns.obj"	"$(INTDIR)\rootns.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\sdb.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\sdb.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\sdb.obj"	"$(INTDIR)\sdb.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\soa.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\soa.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\soa.obj"	"$(INTDIR)\soa.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\ssu.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\ssu.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\ssu.obj"	"$(INTDIR)\ssu.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\stats.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\stats.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\stats.obj"	"$(INTDIR)\stats.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\tcpmsg.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\tcpmsg.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\tcpmsg.obj"	"$(INTDIR)\tcpmsg.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\time.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\time.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\time.obj"	"$(INTDIR)\time.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\timer.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\timer.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\timer.obj"	"$(INTDIR)\timer.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\tkey.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\tkey.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\tkey.obj"	"$(INTDIR)\tkey.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\tsig.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\tsig.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\tsig.obj"	"$(INTDIR)\tsig.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\ttl.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\ttl.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\ttl.obj"	"$(INTDIR)\ttl.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\validator.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\validator.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\validator.obj"	"$(INTDIR)\validator.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=.\version.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\version.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\version.obj"	"$(INTDIR)\version.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF 
+
+SOURCE=..\view.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\view.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\view.obj"	"$(INTDIR)\view.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\xfrin.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\xfrin.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\xfrin.obj"	"$(INTDIR)\xfrin.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\zone.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\zone.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\zone.obj"	"$(INTDIR)\zone.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\zonekey.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\zonekey.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\zonekey.obj"	"$(INTDIR)\zonekey.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\zt.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\zt.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\zt.obj"	"$(INTDIR)\zt.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\sec\dst\dst_api.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\dst_api.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\dst_api.obj"	"$(INTDIR)\dst_api.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\sec\dst\dst_lib.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\dst_lib.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\dst_lib.obj"	"$(INTDIR)\dst_lib.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\sec\dst\dst_parse.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\dst_parse.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\dst_parse.obj"	"$(INTDIR)\dst_parse.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\sec\dst\dst_result.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\dst_result.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\dst_result.obj"	"$(INTDIR)\dst_result.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\sec\dst\gssapi_link.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\gssapi_link.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\gssapi_link.obj"	"$(INTDIR)\gssapi_link.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\sec\dst\gssapictx.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\gssapictx.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\gssapictx.obj"	"$(INTDIR)\gssapictx.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\sec\dst\hmac_link.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\hmac_link.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\hmac_link.obj"	"$(INTDIR)\hmac_link.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\sec\dst\key.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\key.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\key.obj"	"$(INTDIR)\key.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\sec\dst\openssl_link.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\openssl_link.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\openssl_link.obj"	"$(INTDIR)\openssl_link.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\sec\dst\openssldh_link.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\openssldh_link.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\openssldh_link.obj"	"$(INTDIR)\openssldh_link.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\sec\dst\openssldsa_link.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\openssldsa_link.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\openssldsa_link.obj"	"$(INTDIR)\openssldsa_link.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\sec\dst\opensslrsa_link.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\opensslrsa_link.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\opensslrsa_link.obj"	"$(INTDIR)\opensslrsa_link.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+"libisc - Win32 Release" : 
+   cd "..\..\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - Win32 Release" 
+   cd "..\..\dns\win32"
+
+"libisc - Win32 ReleaseCLEAN" : 
+   cd "..\..\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - Win32 Release" RECURSE=1 CLEAN 
+   cd "..\..\dns\win32"
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+"libisc - Win32 Debug" : 
+   cd "..\..\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - Win32 Debug" 
+   cd "..\..\dns\win32"
+
+"libisc - Win32 DebugCLEAN" : 
+   cd "..\..\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - Win32 Debug" RECURSE=1 CLEAN 
+   cd "..\..\dns\win32"
+
+!ENDIF 
+
+
+!ENDIF 
+
diff --git a/lib/dns/win32/version.c b/lib/dns/win32/version.c
index 35b2221f..cf6d1d59 100644
--- a/lib/dns/win32/version.c
+++ b/lib/dns/win32/version.c
@@ -15,12 +15,14 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: version.c,v 1.1.2.1 2004/03/09 06:11:44 marka Exp $ */
+/* $Id: version.c,v 1.1.12.3 2004/03/08 09:04:47 marka Exp $ */
 
 #include <versions.h>
 
-char dns_version[] = VERSION;
+#include <dns/version.h>
 
-unsigned int dns_libinterface = LIBINTERFACE;
-unsigned int dns_librevision = LIBREVISION;
-unsigned int dns_libage = LIBAGE;
\ No newline at end of file
+LIBDNS_EXTERNAL_DATA const char dns_version[] = VERSION;
+
+LIBDNS_EXTERNAL_DATA const unsigned int dns_libinterface = LIBINTERFACE;
+LIBDNS_EXTERNAL_DATA const unsigned int dns_librevision = LIBREVISION;
+LIBDNS_EXTERNAL_DATA const unsigned int dns_libage = LIBAGE;
diff --git a/lib/dns/xfrin.c b/lib/dns/xfrin.c
index 45797615..c9f1d74a 100644
--- a/lib/dns/xfrin.c
+++ b/lib/dns/xfrin.c
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: xfrin.c,v 1.124.2.16 2007/05/24 02:57:42 marka Exp $ */
+/* $Id: xfrin.c,v 1.124.2.4.2.7 2004/03/08 09:04:33 marka Exp $ */
 
 #include <config.h>
 
@@ -73,8 +73,6 @@
  * when the first two (2) response RRs have already been received.
  */
 typedef enum {
-	XFRST_SOAQUERY,
-	XFRST_GOTSOA,
 	XFRST_INITIALSOA,
 	XFRST_FIRSTDATA,
 	XFRST_IXFR_DELSOA,
@@ -160,7 +158,7 @@ struct dns_xfrin_ctx {
 
 	struct {
 		isc_uint32_t 	request_serial;
-		isc_uint32_t 	end_serial;
+		isc_uint32_t 	current_serial;
 		dns_journal_t	*journal;
 
 	} ixfr;
@@ -185,6 +183,7 @@ xfrin_create(isc_mem_t *mctx,
 	     dns_rdataclass_t rdclass,
 	     dns_rdatatype_t reqtype,
 	     isc_sockaddr_t *masteraddr,
+	     isc_sockaddr_t *sourceaddr,
 	     dns_tsigkey_t *tsigkey,
 	     dns_xfrin_ctx_t **xfrp);
 
@@ -233,7 +232,7 @@ xfrin_log1(int level, dns_name_t *zonename, dns_rdataclass_t rdclass,
      ISC_FORMAT_PRINTF(5, 6);
 
 static void
-xfrin_log(dns_xfrin_ctx_t *xfr, int level, const char *fmt, ...)
+xfrin_log(dns_xfrin_ctx_t *xfr, unsigned int level, const char *fmt, ...)
      ISC_FORMAT_PRINTF(3, 4);
 
 /**************************************************************************/
@@ -276,6 +275,8 @@ axfr_putdata(dns_xfrin_ctx_t *xfr, dns_diffop_t op,
 	isc_result_t result;
 
 	dns_difftuple_t *tuple = NULL;
+
+	CHECK(dns_zone_checknames(xfr->zone, name, rdata));
 	CHECK(dns_difftuple_create(xfr->diff.mctx, op,
 				   name, ttl, rdata, &tuple));
 	dns_diff_append(&xfr->diff, &tuple);
@@ -352,6 +353,8 @@ ixfr_putdata(dns_xfrin_ctx_t *xfr, dns_diffop_t op,
 	isc_result_t result;
 
 	dns_difftuple_t *tuple = NULL;
+	if (op == DNS_DIFFOP_ADD)
+		CHECK(dns_zone_checknames(xfr->zone, name, rdata));
 	CHECK(dns_difftuple_create(xfr->diff.mctx, op,
 				   name, ttl, rdata, &tuple));
 	dns_diff_append(&xfr->diff, &tuple);
@@ -375,8 +378,11 @@ ixfr_apply(dns_xfrin_ctx_t *xfr) {
 			CHECK(dns_journal_begin_transaction(xfr->ixfr.journal));
 	}
 	CHECK(dns_diff_apply(&xfr->diff, xfr->db, xfr->ver));
-	if (xfr->ixfr.journal != NULL)
-		dns_journal_writediff(xfr->ixfr.journal, &xfr->diff);
+	if (xfr->ixfr.journal != NULL) {
+		result = dns_journal_writediff(xfr->ixfr.journal, &xfr->diff);
+		if (result != ISC_R_SUCCESS)
+			goto failure;
+	}
 	dns_diff_clear(&xfr->diff);
 	xfr->difflen = 0;
 	result = ISC_R_SUCCESS;
@@ -418,31 +424,6 @@ xfr_rr(dns_xfrin_ctx_t *xfr, dns_name_t *name, isc_uint32_t ttl,
 
  redo:
 	switch (xfr->state) {
-	case XFRST_SOAQUERY:
-		if (rdata->type != dns_rdatatype_soa) {
-			xfrin_log(xfr, ISC_LOG_ERROR,
-				  "non-SOA response to SOA query");
-			FAIL(DNS_R_FORMERR);
-		}
-		xfr->end_serial = dns_soa_getserial(rdata);
-		if (!DNS_SERIAL_GT(xfr->end_serial,
-				   xfr->ixfr.request_serial) &&
-		    !dns_zone_isforced(xfr->zone)) {
-			xfrin_log(xfr, ISC_LOG_DEBUG(3),
-				  "requested serial %u, "
-				  "master has %u, not updating",
-				  xfr->ixfr.request_serial, xfr->end_serial);
-			FAIL(DNS_R_UPTODATE);
-		}
-		xfr->state = XFRST_GOTSOA;
-		break;
-
-	case XFRST_GOTSOA:
-		/*
-		 * Skip other records in the answer section.
-		 */
-		break;
-
 	case XFRST_INITIALSOA:
 		if (rdata->type != dns_rdatatype_soa) {
 			xfrin_log(xfr, ISC_LOG_ERROR,
@@ -504,7 +485,7 @@ xfr_rr(dns_xfrin_ctx_t *xfr, dns_name_t *name, isc_uint32_t ttl,
 		if (rdata->type == dns_rdatatype_soa) {
 			isc_uint32_t soa_serial = dns_soa_getserial(rdata);
 			xfr->state = XFRST_IXFR_ADDSOA;
-			xfr->ixfr.end_serial = soa_serial;
+			xfr->ixfr.current_serial = soa_serial;
 			goto redo;
 		}
 		CHECK(ixfr_putdata(xfr, DNS_DIFFOP_DEL, name, ttl, rdata));
@@ -519,16 +500,24 @@ xfr_rr(dns_xfrin_ctx_t *xfr, dns_name_t *name, isc_uint32_t ttl,
 	case XFRST_IXFR_ADD:
 		if (rdata->type == dns_rdatatype_soa) {
 			isc_uint32_t soa_serial = dns_soa_getserial(rdata);
+			CHECK(ixfr_commit(xfr));
 			if (soa_serial == xfr->end_serial) {
-				CHECK(ixfr_commit(xfr));
 				xfr->state = XFRST_END;
 				break;
+			} else if (soa_serial != xfr->ixfr.current_serial) {
+				xfrin_log(xfr, ISC_LOG_ERROR,
+					  "IXFR out of sync: "
+					  "expected serial %u, got %u",
+					  xfr->ixfr.current_serial, soa_serial);
+				FAIL(DNS_R_FORMERR);
 			} else {
-				CHECK(ixfr_commit(xfr));
 				xfr->state = XFRST_IXFR_DELSOA;
 				goto redo;
 			}
 		}
+		if (rdata->type == dns_rdatatype_ns &&
+		    dns_name_iswildcard(name))
+			FAIL(DNS_R_INVALIDNS);
 		CHECK(ixfr_putdata(xfr, DNS_DIFFOP_ADD, name, ttl, rdata));
 		break;
 
@@ -565,8 +554,33 @@ dns_xfrin_create(dns_zone_t *zone, dns_rdatatype_t xfrtype,
 		 isc_socketmgr_t *socketmgr, isc_task_t *task,
 		 dns_xfrindone_t done, dns_xfrin_ctx_t **xfrp)
 {
+	isc_sockaddr_t sourceaddr;
+
+	switch (isc_sockaddr_pf(masteraddr)) {
+	case PF_INET:
+		sourceaddr = *dns_zone_getxfrsource4(zone);
+		break;
+	case PF_INET6:
+		sourceaddr = *dns_zone_getxfrsource6(zone);
+		break;
+	default:
+		INSIST(0);
+	}
+
+	return(dns_xfrin_create2(zone, xfrtype, masteraddr, &sourceaddr,
+				 tsigkey, mctx, timermgr, socketmgr,
+				 task, done, xfrp));
+}
+
+isc_result_t
+dns_xfrin_create2(dns_zone_t *zone, dns_rdatatype_t xfrtype,
+		  isc_sockaddr_t *masteraddr, isc_sockaddr_t *sourceaddr,
+		  dns_tsigkey_t *tsigkey, isc_mem_t *mctx,
+		  isc_timermgr_t *timermgr, isc_socketmgr_t *socketmgr,
+		  isc_task_t *task, dns_xfrindone_t done, dns_xfrin_ctx_t **xfrp)
+{
 	dns_name_t *zonename = dns_zone_getorigin(zone);
-	dns_xfrin_ctx_t *xfr = NULL;
+	dns_xfrin_ctx_t *xfr;
 	isc_result_t result;
 	dns_db_t *db = NULL;
 
@@ -576,7 +590,7 @@ dns_xfrin_create(dns_zone_t *zone, dns_rdatatype_t xfrtype,
 
 	CHECK(xfrin_create(mctx, zone, db, task, timermgr, socketmgr, zonename,
 			   dns_zone_getclass(zone), xfrtype, masteraddr,
-			   tsigkey, &xfr));
+			   sourceaddr, tsigkey, &xfr));
 
 	CHECK(xfrin_start(xfr));
 
@@ -673,11 +687,6 @@ xfrin_fail(dns_xfrin_ctx_t *xfr, isc_result_t result, const char *msg) {
 			result = DNS_R_BADIXFR;
 	}
 	xfrin_cancelio(xfr);
-	/*
-	 * Close the journal.
-	 */
-	if (xfr->ixfr.journal != NULL)
-		dns_journal_destroy(&xfr->ixfr.journal);
 	if (xfr->done != NULL) {
 		(xfr->done)(xfr->zone, result);
 		xfr->done = NULL;
@@ -697,6 +706,7 @@ xfrin_create(isc_mem_t *mctx,
 	     dns_rdataclass_t rdclass,
 	     dns_rdatatype_t reqtype,
 	     isc_sockaddr_t *masteraddr,
+	     isc_sockaddr_t *sourceaddr,
 	     dns_tsigkey_t *tsigkey,
 	     dns_xfrin_ctx_t **xfrp)
 {
@@ -757,7 +767,7 @@ xfrin_create(isc_mem_t *mctx,
 	xfr->is_ixfr = ISC_FALSE;
 
 	/* ixfr.request_serial */
-	/* ixfr.end_serial */
+	/* ixfr.current_serial */
 	xfr->ixfr.journal = NULL;
 
 	xfr->axfr.add_func = NULL;
@@ -774,16 +784,8 @@ xfrin_create(isc_mem_t *mctx,
 
 	xfr->masteraddr = *masteraddr;
 
-	switch (isc_sockaddr_pf(masteraddr)) {
-	case PF_INET:
-		xfr->sourceaddr = *dns_zone_getxfrsource4(zone);
-		break;
-	case PF_INET6:
-		xfr->sourceaddr = *dns_zone_getxfrsource6(zone);
-		break;
-	default:
-		INSIST(0);
-	}
+	INSIST(isc_sockaddr_pf(masteraddr) == isc_sockaddr_pf(sourceaddr));
+	xfr->sourceaddr = *sourceaddr;
 	isc_sockaddr_setport(&xfr->sourceaddr, 0);
 
 	isc_buffer_init(&xfr->qbuffer, xfr->qbuffer_data,
@@ -794,18 +796,7 @@ xfrin_create(isc_mem_t *mctx,
 	return (ISC_R_SUCCESS);
 
  failure:
-	if (xfr->timer != NULL)
-		isc_timer_detach(&xfr->timer);
-	if (dns_name_dynamic(&xfr->name))
-		dns_name_free(&xfr->name, xfr->mctx);
-	if (xfr->tsigkey != NULL)
-		dns_tsigkey_detach(&xfr->tsigkey);
-	if (xfr->db != NULL)
-		dns_db_detach(&xfr->db);
-	isc_task_detach(&xfr->task);
-	dns_zone_idetach(&xfr->zone);
-	isc_mem_put(mctx, xfr, sizeof(*xfr));
-
+	xfrin_fail(xfr, result, "failed creating transfer context");
 	return (result);
 }
 
@@ -816,9 +807,7 @@ xfrin_start(dns_xfrin_ctx_t *xfr) {
 				isc_sockaddr_pf(&xfr->sourceaddr),
 				isc_sockettype_tcp,
 				&xfr->socket));
-#ifndef BROKEN_TCP_BIND_BEFORE_CONNECT
 	CHECK(isc_socket_bind(xfr->socket, &xfr->sourceaddr));
-#endif
 	CHECK(isc_socket_connect(xfr->socket, &xfr->masteraddr, xfr->task,
 				 xfrin_connect_done, xfr));
 	xfr->connects++;
@@ -860,6 +849,8 @@ xfrin_connect_done(isc_task_t *task, isc_event_t *event) {
 	dns_xfrin_ctx_t *xfr = (dns_xfrin_ctx_t *) event->ev_arg;
 	isc_result_t evresult = cev->result;
 	isc_result_t result;
+	char sourcetext[ISC_SOCKADDR_FORMATSIZE];
+	isc_sockaddr_t sockaddr;
 
 	REQUIRE(VALID_XFRIN(xfr));
 
@@ -875,7 +866,12 @@ xfrin_connect_done(isc_task_t *task, isc_event_t *event) {
 	}
 
 	CHECK(evresult);
-	xfrin_log(xfr, ISC_LOG_DEBUG(3), "connected");
+	result = isc_socket_getsockname(xfr->socket, &sockaddr);
+	if (result == ISC_R_SUCCESS) {
+		isc_sockaddr_format(&sockaddr, sourcetext, sizeof(sourcetext));
+	} else
+		strcpy(sourcetext, "<UNKNOWN>");
+	xfrin_log(xfr, ISC_LOG_INFO, "connected using %s", sourcetext);
 
 	dns_tcpmsg_init(xfr->mctx, xfr->socket, &xfr->tcpmsg);
 	xfr->tcpmsg_valid = ISC_TRUE;
@@ -926,10 +922,9 @@ tuple2msgname(dns_difftuple_t *tuple, dns_message_t *msg, dns_name_t **target)
 
  failure:
 
-	if (rds != NULL) {
+	if (rds != NULL)
 		dns_rdataset_disassociate(rds);
 		dns_message_puttemprdataset(msg, &rds);
-	}
 	if (rdl != NULL) {
 		ISC_LIST_UNLINK(rdl->rdata, rdata, link);
 		dns_message_puttemprdatalist(msg, &rdl);
@@ -983,6 +978,7 @@ xfrin_send_request(dns_xfrin_ctx_t *xfr) {
 		CHECK(dns_db_createsoatuple(xfr->db, ver, xfr->mctx,
 					    DNS_DIFFOP_EXISTS, &soatuple));
 		xfr->ixfr.request_serial = dns_soa_getserial(&soatuple->rdata);
+		xfr->ixfr.current_serial = xfr->ixfr.request_serial;
 		xfrin_log(xfr, ISC_LOG_DEBUG(3),
 			  "requesting IXFR for serial %u",
 			  xfr->ixfr.request_serial);
@@ -1127,8 +1123,8 @@ xfrin_recv_done(isc_task_t *task, isc_event_t *ev) {
 
 	CHECK(dns_message_create(xfr->mctx, DNS_MESSAGE_INTENTPARSE, &msg));
 
-	dns_message_settsigkey(msg, xfr->tsigkey);
-	dns_message_setquerytsig(msg, xfr->lasttsig);
+	CHECK(dns_message_settsigkey(msg, xfr->tsigkey));
+	CHECK(dns_message_setquerytsig(msg, xfr->lasttsig));
 	msg->tsigctx = xfr->tsigctx;
 	if (xfr->nmsg > 0)
 		msg->tcp_continuation = 1;
@@ -1150,9 +1146,9 @@ xfrin_recv_done(isc_task_t *task, isc_event_t *ev) {
  try_axfr:
 		dns_message_destroy(&msg);
 		xfrin_reset(xfr);
-		xfr->reqtype = dns_rdatatype_soa;
-		xfr->state = XFRST_SOAQUERY;
-		xfrin_start(xfr);
+		xfr->reqtype = dns_rdatatype_axfr;
+		xfr->state = XFRST_INITIALSOA;
+		(void)xfrin_start(xfr);
 		return;
 	}
 
@@ -1170,6 +1166,11 @@ xfrin_recv_done(isc_task_t *task, isc_event_t *ev) {
 		goto try_axfr;
 	}
 
+	if (xfr->reqtype == dns_rdatatype_soa &&
+	    (msg->flags & DNS_MESSAGEFLAG_AA) == 0) {
+		FAIL(DNS_R_NOTAUTHORITATIVE);
+	}
+
 
 	result = dns_message_checksig(msg, dns_zone_getview(xfr->zone));
 	if (result != ISC_R_SUCCESS) {
@@ -1243,16 +1244,7 @@ xfrin_recv_done(isc_task_t *task, isc_event_t *ev) {
 
 	dns_message_destroy(&msg);
 
-	if (xfr->state == XFRST_GOTSOA) {
-		xfr->reqtype = dns_rdatatype_axfr;
-		xfr->state = XFRST_INITIALSOA;
-		CHECK(xfrin_send_request(xfr));
-	} else if (xfr->state == XFRST_END) {
-		/*
-		 * Close the journal.
-		 */
-		if (xfr->ixfr.journal != NULL)
-			dns_journal_destroy(&xfr->ixfr.journal);
+	if (xfr->state == XFRST_END) {
 		/*
 		 * Inform the caller we succeeded.
 		 */
@@ -1397,7 +1389,7 @@ xfrin_log1(int level, dns_name_t *zonename, dns_rdataclass_t rdclass,
  */
 
 static void
-xfrin_log(dns_xfrin_ctx_t *xfr, int level, const char *fmt, ...)
+xfrin_log(dns_xfrin_ctx_t *xfr, unsigned int level, const char *fmt, ...)
 {
 	va_list ap;
 
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index c7fe4911..cc22ee0d 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.c,v 1.333.2.48 2007/02/26 23:45:24 tbox Exp $ */
+/* $Id: zone.c,v 1.333.2.23.2.42 2004/03/17 05:29:54 marka Exp $ */
 
 #include <config.h>
 
@@ -48,6 +48,7 @@
 #include <dns/rdatalist.h>
 #include <dns/rdataset.h>
 #include <dns/rdatastruct.h>
+#include <dns/rdatatype.h>
 #include <dns/request.h>
 #include <dns/resolver.h>
 #include <dns/result.h>
@@ -139,7 +140,7 @@ struct dns_zone {
 	isc_timer_t		*timer;
 	unsigned int		irefs;
 	dns_name_t		origin;
-	char 			*masterfile;
+	char			*masterfile;
 	char			*journal;
 	isc_int32_t		journalsize;
 	dns_rdataclass_t	rdclass;
@@ -157,6 +158,7 @@ struct dns_zone {
 	isc_uint32_t		retry;
 	isc_uint32_t		expire;
 	isc_uint32_t		minimum;
+	char			*keydirectory;
 
 	isc_uint32_t		maxrefresh;
 	isc_uint32_t		minrefresh;
@@ -167,7 +169,6 @@ struct dns_zone {
 	dns_name_t		**masterkeynames;
 	unsigned int		masterscnt;
 	unsigned int		curmaster;
-	unsigned int		refreshcnt;
 	isc_sockaddr_t		masteraddr;
 	dns_notifytype_t	notifytype;
 	isc_sockaddr_t		*notify;
@@ -178,23 +179,29 @@ struct dns_zone {
 	isc_sockaddr_t	 	notifysrc6;
 	isc_sockaddr_t	 	xfrsource4;
 	isc_sockaddr_t	 	xfrsource6;
+	isc_sockaddr_t	 	altxfrsource4;
+	isc_sockaddr_t	 	altxfrsource6;
+	isc_sockaddr_t	 	sourceaddr;
 	dns_xfrin_ctx_t		*xfr;		/* task locked */
+	dns_tsigkey_t		*tsigkey;	/* key used for xfr */
 	/* Access Control Lists */
 	dns_acl_t		*update_acl;
 	dns_acl_t		*forward_acl;
 	dns_acl_t		*notify_acl;
 	dns_acl_t		*query_acl;
 	dns_acl_t		*xfr_acl;
+	isc_boolean_t		update_disabled;
 	dns_severity_t		check_names;
 	ISC_LIST(dns_notify_t)	notifies;
 	dns_request_t		*request;
 	dns_loadctx_t		*lctx;
 	dns_io_t		*readio;
+	dns_dumpctx_t		*dctx;
+	dns_io_t		*writeio;
 	isc_uint32_t		maxxfrin;
 	isc_uint32_t		maxxfrout;
 	isc_uint32_t		idlein;
 	isc_uint32_t		idleout;
-	isc_boolean_t		diff_on_reload;
 	isc_event_t		ctlevent;
 	dns_ssutable_t		*ssutable;
 	isc_uint32_t		sigvalidityinterval;
@@ -254,6 +261,8 @@ struct dns_zone {
 #define DNS_ZONEFLG_SHUTDOWN	0x00080000U
 #define DNS_ZONEFLAG_NOIXFR	0x00100000U	/* IXFR failed, force AXFR */
 #define DNS_ZONEFLG_FLUSH	0x00200000U
+#define DNS_ZONEFLG_NOEDNS	0x00400000U
+#define DNS_ZONEFLG_USEALTXFRSRC 0x00800000U
 
 #define DNS_ZONE_OPTION(z,o) (((z)->options & (o)) != 0)
 
@@ -263,7 +272,7 @@ struct dns_zone {
 struct dns_zonemgr {
 	unsigned int		magic;
 	isc_mem_t *		mctx;
-	int			refs; 		/* Locked by rwlock */
+	int			refs;		/* Locked by rwlock */
 	isc_taskmgr_t *		taskmgr;
 	isc_timermgr_t *	timermgr;
 	isc_socketmgr_t *	socketmgr;
@@ -302,7 +311,6 @@ struct dns_notify {
 	dns_request_t		*request;
 	dns_name_t		ns;
 	isc_sockaddr_t		dst;
-	unsigned int		attempt;
 	ISC_LINK(dns_notify_t)	link;
 };
 
@@ -346,7 +354,7 @@ struct dns_forward {
 	isc_uint32_t		which;
 	isc_sockaddr_t		addr;
 	dns_updatecallback_t	callback;
-	void 			*callback_arg;
+	void			*callback_arg;
 };
 
 /*
@@ -361,6 +369,8 @@ struct dns_io {
 	isc_event_t	*event;
 };
 
+#define SEND_BUFFER_SIZE 2048
+
 static void zone_settimer(dns_zone_t *, isc_time_t *);
 static void cancel_refresh(dns_zone_t *);
 static void zone_debuglog(dns_zone_t *zone, const char *, int debuglevel,
@@ -405,7 +415,7 @@ static isc_result_t notify_createmessage(dns_zone_t *zone,
 					 dns_message_t **messagep);
 static void notify_done(isc_task_t *task, isc_event_t *event);
 static void notify_send_toaddr(isc_task_t *task, isc_event_t *event);
-static isc_result_t zone_dump(dns_zone_t *);
+static isc_result_t zone_dump(dns_zone_t *, isc_boolean_t);
 static void got_transfer_quota(isc_task_t *task, isc_event_t *event);
 static isc_result_t zmgr_start_xfrin_ifquota(dns_zonemgr_t *zmgr,
 					     dns_zone_t *zone);
@@ -429,12 +439,41 @@ static void zone_saveunique(dns_zone_t *zone, const char *path,
 			    const char *templat);
 static void zone_maintenance(dns_zone_t *zone);
 static void zone_notify(dns_zone_t *zone);
+static void dump_done(void *arg, isc_result_t result);
 
 #define ENTER zone_debuglog(zone, me, 1, "enter")
 
 static const unsigned int dbargc_default = 1;
 static const char *dbargv_default[] = { "rbt" };
 
+#define DNS_ZONE_JITTER_ADD(a, b, c) \
+	do { \
+		isc_interval_t _i; \
+		isc_uint32_t _j; \
+		_j = isc_random_jitter((b), (b)/4); \
+		isc_interval_set(&_i, _j, 0); \
+		if (isc_time_add((a), &_i, (c)) != ISC_R_SUCCESS) { \
+			dns_zone_log(zone, ISC_LOG_WARNING, \
+				     "epoch approaching: upgrade required: " \
+				     "now + %s failed", #b); \
+			isc_interval_set(&_i, _j/2, 0); \
+			(void)isc_time_add((a), &_i, (c)); \
+		} \
+	} while (0)
+
+#define DNS_ZONE_TIME_ADD(a, b, c) \
+	do { \
+		isc_interval_t _i; \
+		isc_interval_set(&_i, (b), 0); \
+		if (isc_time_add((a), &_i, (c)) != ISC_R_SUCCESS) { \
+			dns_zone_log(zone, ISC_LOG_WARNING, \
+				     "epoch approaching: upgrade required: " \
+				     "now + %s failed", #b); \
+			isc_interval_set(&_i, (b)/2, 0); \
+			(void)isc_time_add((a), &_i, (c)); \
+		} \
+	} while (0)
+
 /***
  ***	Public functions.
  ***/
@@ -447,13 +486,13 @@ dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx) {
 	REQUIRE(zonep != NULL && *zonep == NULL);
 	REQUIRE(mctx != NULL);
 
-	zone = isc_mem_get(mctx, sizeof *zone);
+	zone = isc_mem_get(mctx, sizeof(*zone));
 	if (zone == NULL)
 		return (ISC_R_NOMEMORY);
 
 	result = isc_mutex_init(&zone->lock);
 	if (result != ISC_R_SUCCESS) {
-		isc_mem_put(mctx, zone, sizeof *zone);
+		isc_mem_put(mctx, zone, sizeof(*zone));
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
 				 "isc_mutex_init() failed: %s",
 				 isc_result_totext(result));
@@ -473,6 +512,7 @@ dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx) {
 	zone->irefs = 0;
 	dns_name_init(&zone->origin, NULL);
 	zone->masterfile = NULL;
+	zone->keydirectory = NULL;
 	zone->journalsize = -1;
 	zone->journal = NULL;
 	zone->rdclass = dns_rdataclass_none;
@@ -498,7 +538,6 @@ dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx) {
 	zone->masterkeynames = NULL;
 	zone->masterscnt = 0;
 	zone->curmaster = 0;
-	zone->refreshcnt = 0;
 	zone->notify = NULL;
 	zone->notifytype = dns_notifytype_yes;
 	zone->notifycnt = 0;
@@ -508,10 +547,13 @@ dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx) {
 	zone->notify_acl = NULL;
 	zone->query_acl = NULL;
 	zone->xfr_acl = NULL;
+	zone->update_disabled = ISC_FALSE;
 	zone->check_names = dns_severity_ignore;
 	zone->request = NULL;
 	zone->lctx = NULL;
 	zone->readio = NULL;
+	zone->dctx = NULL;
+	zone->writeio = NULL;
 	zone->timer = NULL;
 	zone->idlein = DNS_DEFAULT_IDLEIN;
 	zone->idleout = DNS_DEFAULT_IDLEOUT;
@@ -520,10 +562,12 @@ dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx) {
 	isc_sockaddr_any6(&zone->notifysrc6);
 	isc_sockaddr_any(&zone->xfrsource4);
 	isc_sockaddr_any6(&zone->xfrsource6);
+	isc_sockaddr_any(&zone->altxfrsource4);
+	isc_sockaddr_any6(&zone->altxfrsource6);
 	zone->xfr = NULL;
+	zone->tsigkey = NULL;
 	zone->maxxfrin = MAX_XFER_TIME;
 	zone->maxxfrout = MAX_XFER_TIME;
-	zone->diff_on_reload = ISC_FALSE;
 	zone->ssutable = NULL;
 	zone->sigvalidityinterval = 30 * 24 * 3600;
 	zone->view = NULL;
@@ -537,7 +581,7 @@ dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx) {
 	result = dns_zone_setdbtype(zone, dbargc_default, dbargv_default);
 	if (result != ISC_R_SUCCESS)
 		goto free_mutex;
-	
+
 	ISC_EVENT_INIT(&zone->ctlevent, sizeof(zone->ctlevent), 0, NULL,
 		       DNS_EVENT_ZONECONTROL, zone_shutdown, zone, zone,
 		       NULL, NULL);
@@ -546,8 +590,7 @@ dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx) {
 
  free_mutex:
 	DESTROYLOCK(&zone->lock);
-	isc_mem_putanddetach(&zone->mctx, zone, sizeof(*zone));
-	return (result);
+	return (ISC_R_NOMEMORY);
 }
 
 /*
@@ -571,6 +614,7 @@ zone_free(dns_zone_t *zone) {
 		dns_request_destroy(&zone->request); /* XXXMPA */
 	INSIST(zone->readio == NULL);
 	INSIST(zone->statelist == NULL);
+	INSIST(zone->writeio == NULL);
 
 	if (zone->task != NULL)
 		isc_task_detach(&zone->task);
@@ -581,6 +625,9 @@ zone_free(dns_zone_t *zone) {
 	if (zone->masterfile != NULL)
 		isc_mem_free(zone->mctx, zone->masterfile);
 	zone->masterfile = NULL;
+	if (zone->keydirectory != NULL)
+		isc_mem_free(zone->mctx, zone->keydirectory);
+	zone->keydirectory = NULL;
 	zone->journalsize = -1;
 	if (zone->journal != NULL)
 		isc_mem_free(zone->mctx, zone->journal);
@@ -590,8 +637,10 @@ zone_free(dns_zone_t *zone) {
 	if (zone->db != NULL)
 		dns_db_detach(&zone->db);
 	zone_freedbargs(zone);
-	dns_zone_setmasterswithkeys(zone, NULL, NULL, 0);
-	dns_zone_setalsonotify(zone, NULL, 0);
+	RUNTIME_CHECK(dns_zone_setmasterswithkeys(zone, NULL, NULL, 0)
+		      == ISC_R_SUCCESS);
+	RUNTIME_CHECK(dns_zone_setalsonotify(zone, NULL, 0)
+		      == ISC_R_SUCCESS);
 	zone->check_names = dns_severity_ignore;
 	if (zone->update_acl != NULL)
 		dns_acl_detach(&zone->update_acl);
@@ -613,7 +662,7 @@ zone_free(dns_zone_t *zone) {
 	isc_refcount_destroy(&zone->erefs);
 	zone->magic = 0;
 	mctx = zone->mctx;
-	isc_mem_put(mctx, zone, sizeof *zone);
+	isc_mem_put(mctx, zone, sizeof(*zone));
 	isc_mem_detach(&mctx);
 }
 
@@ -679,7 +728,7 @@ zone_freedbargs(dns_zone_t *zone) {
 		for (i = 0; i < zone->db_argc; i++)
 			isc_mem_free(zone->mctx, zone->db_argv[i]);
 		isc_mem_put(zone->mctx, zone->db_argv,
-			    zone->db_argc * sizeof *zone->db_argv);
+			    zone->db_argc * sizeof(*zone->db_argv));
 	}
 	zone->db_argc = 0;
 	zone->db_argv = NULL;
@@ -699,7 +748,7 @@ dns_zone_setdbtype(dns_zone_t *zone,
 	LOCK_ZONE(zone);
 
 	/* Set up a new database argument list. */
-	new = isc_mem_get(zone->mctx, dbargc * sizeof *new);
+	new = isc_mem_get(zone->mctx, dbargc * sizeof(*new));
 	if (new == NULL)
 		goto nomem;
 	for (i = 0; i < dbargc; i++)
@@ -717,17 +766,18 @@ dns_zone_setdbtype(dns_zone_t *zone,
 	zone->db_argv = new;
 	result = ISC_R_SUCCESS;
 	goto unlock;
-	
+
  nomem:
 	if (new != NULL) {
 		for (i = 0; i < dbargc; i++) {
 			if (zone->db_argv[i] != NULL)
 				isc_mem_free(zone->mctx, new[i]);
+			isc_mem_put(zone->mctx, new,
+				    dbargc * sizeof(*new));
 		}
-		isc_mem_put(zone->mctx, new, dbargc * sizeof *new);
 	}
 	result = ISC_R_NOMEMORY;
-	
+
  unlock:
 	UNLOCK_ZONE(zone);
 	return (result);
@@ -754,7 +804,7 @@ dns_zone_getview(dns_zone_t *zone) {
 
 
 isc_result_t
-dns_zone_setorigin(dns_zone_t *zone, const dns_name_t *origin) {
+dns_zone_setorigin(dns_zone_t *zone, dns_name_t *origin) {
 	isc_result_t result;
 
 	REQUIRE(DNS_ZONE_VALID(zone));
@@ -770,7 +820,7 @@ dns_zone_setorigin(dns_zone_t *zone, const dns_name_t *origin) {
 	return (result);
 }
 
-	
+
 static isc_result_t
 dns_zone_setstring(dns_zone_t *zone, char **field, const char *value) {
 	char *copy;
@@ -788,7 +838,7 @@ dns_zone_setstring(dns_zone_t *zone, char **field, const char *value) {
 
 	*field = copy;
 	return (ISC_R_SUCCESS);
-}	
+}
 
 isc_result_t
 dns_zone_setfile(dns_zone_t *zone, const char *file) {
@@ -822,7 +872,7 @@ default_journal(dns_zone_t *zone) {
 
 	if (zone->masterfile != NULL) {
 		/* Calculate string length including '\0'. */
-		int len = strlen(zone->masterfile) + sizeof ".jnl";
+		int len = strlen(zone->masterfile) + sizeof(".jnl");
 		journal = isc_mem_allocate(zone->mctx, len);
 		if (journal == NULL)
 			return (ISC_R_NOMEMORY);
@@ -844,7 +894,7 @@ dns_zone_setjournal(dns_zone_t *zone, const char *journal) {
 	REQUIRE(DNS_ZONE_VALID(zone));
 
 	LOCK_ZONE(zone);
-	result = dns_zone_setstring(zone, &zone->journal, journal);	
+	result = dns_zone_setstring(zone, &zone->journal, journal);
 	UNLOCK_ZONE(zone);
 
 	return (result);
@@ -872,9 +922,9 @@ zone_isdynamic(dns_zone_t *zone) {
 
 	return (ISC_TF(zone->type == dns_zone_slave ||
 		       zone->type == dns_zone_stub ||
-		       zone->ssutable != NULL ||
-		       (zone->update_acl != NULL &&
-			! (zone->update_acl->length == 1 && 
+		       (!zone->update_disabled && zone->ssutable != NULL) ||
+		       (!zone->update_disabled && zone->update_acl != NULL &&
+			! (zone->update_acl->length == 1 &&
 			   zone->update_acl->elements[0].negative == ISC_TRUE
 			   &&
 			   zone->update_acl->elements[0].type ==
@@ -892,7 +942,7 @@ zone_load(dns_zone_t *zone, unsigned int flags) {
 	REQUIRE(DNS_ZONE_VALID(zone));
 
 	LOCK_ZONE(zone);
-	isc_time_now(&now);
+	TIME_NOW(&now);
 
 	INSIST(zone->type != dns_zone_none);
 
@@ -926,7 +976,7 @@ zone_load(dns_zone_t *zone, unsigned int flags) {
 			result = ISC_R_SUCCESS;
 		goto cleanup;
 	}
-		
+
 	/*
 	 * Don't do the load if the file that stores the zone is older
 	 * than the last time the zone was loaded.  If the zone has not
@@ -945,29 +995,18 @@ zone_load(dns_zone_t *zone, unsigned int flags) {
 			result = isc_file_getmodtime(zone->masterfile,
 						     &filetime);
 			if (result == ISC_R_SUCCESS &&
-			    DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) &&
-			    isc_time_compare(&filetime, &zone->loadtime) <= 0) {
+			    isc_time_compare(&filetime, &zone->loadtime) < 0) {
 				dns_zone_log(zone, ISC_LOG_DEBUG(1),
 					     "skipping load: master file older "
 					     "than last load");
-				result = ISC_R_SUCCESS;
+				result = DNS_R_UPTODATE;
 				goto cleanup;
 			}
 		}
-	} 
+	}
 
 	INSIST(zone->db_argc >= 1);
 
-	/*
-	 * Built in zones don't need to be reloaded.
-	 */
-	if (zone->type == dns_zone_master &&
-	    strcmp(zone->db_argv[0], "_builtin") == 0 &&
-	    DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED)) {
-		result = ISC_R_SUCCESS;
-		goto cleanup;
-	}
-
 	if ((zone->type == dns_zone_slave || zone->type == dns_zone_stub) &&
 	    (strcmp(zone->db_argv[0], "rbt") == 0 ||
 	     strcmp(zone->db_argv[0], "rbt64") == 0)) {
@@ -992,9 +1031,7 @@ zone_load(dns_zone_t *zone, unsigned int flags) {
 	 * zone->loadtime is set, then the file will still be reloaded
 	 * the next time dns_zone_load is called.
 	 */
-	result = isc_time_now(&loadtime);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
+	TIME_NOW(&loadtime);
 
 	result = dns_db_create(zone->mctx, zone->db_argv[0],
 			       &zone->origin, (zone->type == dns_zone_stub) ?
@@ -1029,7 +1066,6 @@ zone_load(dns_zone_t *zone, unsigned int flags) {
 
 	if (result == DNS_R_CONTINUE) {
 		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADING);
-		result = ISC_R_SUCCESS;
 		goto cleanup;
 	}
 
@@ -1069,6 +1105,14 @@ zone_gotreadhandle(isc_task_t *task, isc_event_t *event) {
 	options = DNS_MASTER_ZONE;
 	if (load->zone->type == dns_zone_slave)
 		options |= DNS_MASTER_SLAVE;
+	if (DNS_ZONE_OPTION(load->zone, DNS_ZONEOPT_CHECKNS))
+		options |= DNS_MASTER_CHECKNS;
+	if (DNS_ZONE_OPTION(load->zone, DNS_ZONEOPT_FATALNS))
+		options |= DNS_MASTER_FATALNS;
+	if (DNS_ZONE_OPTION(load->zone, DNS_ZONEOPT_CHECKNAMES))
+		options |= DNS_MASTER_CHECKNAMES;
+	if (DNS_ZONE_OPTION(load->zone, DNS_ZONEOPT_CHECKNAMESFAIL))
+		options |= DNS_MASTER_CHECKNAMESFAIL;
 	result = dns_master_loadfileinc(load->zone->masterfile,
 					dns_db_origin(load->db),
 					dns_db_origin(load->db),
@@ -1086,6 +1130,39 @@ zone_gotreadhandle(isc_task_t *task, isc_event_t *event) {
 	zone_loaddone(load, result);
 }
 
+static void
+zone_gotwritehandle(isc_task_t *task, isc_event_t *event) {
+	const char me[] = "zone_gotwritehandle";
+	dns_zone_t *zone = event->ev_arg;
+	isc_result_t result = ISC_R_SUCCESS;
+	dns_dbversion_t *version = NULL;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+	INSIST(task == zone->task);
+	ENTER;
+
+	if ((event->ev_attributes & ISC_EVENTATTR_CANCELED) != 0)
+		result = ISC_R_CANCELED;
+	isc_event_free(&event);
+	if (result == ISC_R_CANCELED)
+		goto fail;
+
+	LOCK_ZONE(zone);
+	dns_db_currentversion(zone->db, &version);
+	result = dns_master_dumpinc(zone->mctx, zone->db, version,
+				    &dns_master_style_default,
+				    zone->masterfile, zone->task,
+				    dump_done, zone, &zone->dctx);
+	dns_db_closeversion(zone->db, &version, ISC_FALSE);
+	UNLOCK_ZONE(zone);
+	if (result != DNS_R_CONTINUE)
+		goto fail;
+	return;
+
+ fail:
+	dump_done(zone, result);
+}
+
 static isc_result_t
 zone_startload(dns_db_t *db, dns_zone_t *zone, isc_time_t loadtime) {
 	dns_load_t *load;
@@ -1096,8 +1173,17 @@ zone_startload(dns_db_t *db, dns_zone_t *zone, isc_time_t loadtime) {
 	options = DNS_MASTER_ZONE;
 	if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_MANYERRORS))
 		options |= DNS_MASTER_MANYERRORS;
+	if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNS))
+		options |= DNS_MASTER_CHECKNS;
+	if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_FATALNS))
+		options |= DNS_MASTER_FATALNS;
 	if (zone->type == dns_zone_slave)
 		options |= DNS_MASTER_SLAVE;
+	if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNAMES))
+		options |= DNS_MASTER_CHECKNAMES;
+	if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNAMESFAIL))
+		options |= DNS_MASTER_CHECKNAMESFAIL;
+
 	if (zone->zmgr != NULL && zone->db != NULL && zone->task != NULL) {
 		load = isc_mem_get(zone->mctx, sizeof(*load));
 		if (load == NULL)
@@ -1117,21 +1203,19 @@ zone_startload(dns_db_t *db, dns_zone_t *zone, isc_time_t loadtime) {
 					  &load->callbacks.add_private);
 		if (result != ISC_R_SUCCESS)
 			goto cleanup;
-		result = zonemgr_getio(zone->zmgr, ISC_TRUE, zone->task, 
+		result = zonemgr_getio(zone->zmgr, ISC_TRUE, zone->task,
 				       zone_gotreadhandle, load,
 				       &zone->readio);
 		if (result != ISC_R_SUCCESS) {
-			/*
-			 * We can't report multiple errors so ignore
-			 * the result of dns_db_endload().
-			 */
-			(void)dns_db_endload(load->db,
-					     &load->callbacks.add_private);
+			tresult = dns_db_endload(load->db,
+						 &load->callbacks.add_private);
+			if (result == ISC_R_SUCCESS)
+				result = tresult;
 			goto cleanup;
 		} else
 			result = DNS_R_CONTINUE;
-	} else if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_MANYERRORS)) {
-		dns_rdatacallbacks_t    callbacks;
+	} else {
+		dns_rdatacallbacks_t callbacks;
 
 		dns_rdatacallbacks_init(&callbacks);
 		result = dns_db_beginload(db, &callbacks.add,
@@ -1144,8 +1228,6 @@ zone_startload(dns_db_t *db, dns_zone_t *zone, isc_time_t loadtime) {
 		tresult = dns_db_endload(db, &callbacks.add_private);
 		if (result == ISC_R_SUCCESS)
 			result = tresult;
-	} else {
-		result = dns_db_load(db, zone->masterfile);
 	}
 
 	return (result);
@@ -1159,59 +1241,6 @@ zone_startload(dns_db_t *db, dns_zone_t *zone, isc_time_t loadtime) {
 	return (result);
 }
 
-/*
- * OpenSSL verification of RSA keys with exponent 3 is known to be
- * broken prior OpenSSL 0.9.8c/0.9.7k.  Look for such keys and warn
- * if they are in use.
- */
-static void
-zone_check_keys(dns_zone_t *zone, dns_db_t *db) {
-	dns_dbnode_t *node = NULL;
-	dns_dbversion_t *version = NULL;
-	dns_rdata_key_t key;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dns_rdataset_t rdataset;
-	isc_result_t result;
-
-	result = dns_db_findnode(db, &zone->origin, ISC_FALSE, &node);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	dns_db_currentversion(db, &version);
-	dns_rdataset_init(&rdataset);
-	result = dns_db_findrdataset(db, node, version, dns_rdatatype_key,
-				     dns_rdatatype_none, 0, &rdataset, NULL);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	for (result = dns_rdataset_first(&rdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(&rdataset)) 
-	{
-		dns_rdataset_current(&rdataset, &rdata);
-		result = dns_rdata_tostruct(&rdata, &key, NULL);
-		INSIST(result == ISC_R_SUCCESS);
-		
-		if (key.algorithm == DST_ALG_RSAMD5 && key.datalen > 1 &&
-		    key.data[0] == 1 && key.data[1] == 3)
-		{
-			dns_zone_log(zone, ISC_LOG_WARNING,
-				     "weak RSAMD5 (%u) key found "
-				     "(exponent=3)", key.algorithm);
-			break;
-		}
-		dns_rdata_reset(&rdata);
-	}
-	dns_rdataset_disassociate(&rdataset);
-
- cleanup:
-	if (node != NULL)
-		dns_db_detachnode(db, &node);
-	if (version != NULL)
-		dns_db_closeversion(db, &version, ISC_FALSE);
-	
-}
-
 static isc_result_t
 zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
 	      isc_result_t result)
@@ -1222,7 +1251,7 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
 	isc_time_t now;
 	isc_boolean_t needdump = ISC_FALSE;
 
-	isc_time_now(&now);
+	TIME_NOW(&now);
 
 	/*
 	 * Initiate zone transfer?  We may need a error code that
@@ -1251,17 +1280,21 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
 	dns_zone_log(zone, ISC_LOG_DEBUG(2),
 		     "number of nodes in database: %u",
 		     dns_db_nodecount(db));
+	zone->loadtime = loadtime;
+
+	dns_zone_log(zone, ISC_LOG_DEBUG(1), "loaded");
 
 	if (result == DNS_R_SEENINCLUDE)
 		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_HASINCLUDE);
 	else
 		DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_HASINCLUDE);
-
 	/*
-	 * Apply update log, if any.
+	 * Apply update log, if any, on initial load.
 	 */
 	if (zone->journal != NULL &&
-	    ! DNS_ZONE_OPTION(zone, DNS_ZONEOPT_NOMERGE)) {
+	    ! DNS_ZONE_OPTION(zone, DNS_ZONEOPT_NOMERGE) &&
+	    ! DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED))
+	{
 		result = dns_journal_rollforward(zone->mctx, db,
 						 zone->journal);
 		if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND &&
@@ -1286,10 +1319,6 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
 			needdump = ISC_TRUE;
 	}
 
-	zone->loadtime = loadtime;
-
-	dns_zone_log(zone, ISC_LOG_DEBUG(1), "loaded");
-
 	/*
 	 * Obtain ns and soa counts for top of zone.
 	 */
@@ -1344,26 +1373,23 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
 		if (zone->type == dns_zone_slave ||
 		    zone->type == dns_zone_stub) {
 			isc_time_t t;
-			isc_interval_t i;
-			unsigned int delay;
+			isc_uint32_t delay;
 
 			result = isc_file_getmodtime(zone->journal, &t);
 			if (result != ISC_R_SUCCESS)
 				result = isc_file_getmodtime(zone->masterfile,
 							     &t);
+			if (result == ISC_R_SUCCESS)
+				DNS_ZONE_TIME_ADD(&t, zone->expire,
+						  &zone->expiretime);
+			else
+				DNS_ZONE_TIME_ADD(&now, zone->retry,
+						  &zone->expiretime);
 
-			if (result == ISC_R_SUCCESS) {
-				isc_interval_set(&i, zone->expire, 0);
-				isc_time_add(&t, &i, &zone->expiretime);
-			} else {
-				isc_interval_set(&i, zone->retry, 0);
-				isc_time_add(&now, &i, &zone->expiretime);
-			}
 			delay = isc_random_jitter(zone->retry,
 						  (zone->retry * 3) / 4);
-			isc_interval_set(&i, delay, 0);
-			isc_time_add(&now, &i, &zone->refreshtime);
-			if (isc_time_compare(&zone->refreshtime,   
+			DNS_ZONE_TIME_ADD(&now, delay, &zone->refreshtime);
+			if (isc_time_compare(&zone->refreshtime,
 					     &zone->expiretime) >= 0)
 				zone->refreshtime = now;
 		}
@@ -1376,12 +1402,6 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
 	}
 
 
-	/*
-	 * Check for weak KEY's.
-	 */
-	if (zone->type == dns_zone_master)
-		zone_check_keys(zone, db);
-
 #if 0
 	/* destroy notification example. */
 	{
@@ -1408,7 +1428,10 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
 		zone_needdump(zone, DNS_DUMP_DELAY);
 	if (zone->task != NULL)
 		zone_settimer(zone, &now);
-	dns_zone_log(zone, ISC_LOG_INFO, "loaded serial %u", zone->serial);
+
+	if (! dns_db_ispersistent(db))
+		dns_zone_log(zone, ISC_LOG_INFO, "loaded serial %u", zone->serial);
+
 	return (result);
 
  cleanup:
@@ -1463,7 +1486,7 @@ zone_count_ns_rr(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 		result = ISC_R_SUCCESS;
 		goto invalidate_rdataset;
 	}
-	if (result != ISC_R_SUCCESS)
+	else if (result != ISC_R_SUCCESS)
 		goto invalidate_rdataset;
 
 	count = 0;
@@ -1499,22 +1522,6 @@ zone_load_soa_rr(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 	dns_rdataset_init(&rdataset);
 	result = dns_db_findrdataset(db, node, version, dns_rdatatype_soa,
 				     dns_rdatatype_none, 0, &rdataset, NULL);
-	if (result == ISC_R_NOTFOUND) {
-		if (soacount != NULL)
-			*soacount = 0;
-		if (serial != NULL)
-			*serial = 0;
-		if (refresh != NULL)
-			*refresh = 0;
-		if (retry != NULL)
-			*retry = 0;
-		if (expire != NULL)
-			*expire = 0;
-		if (minimum != NULL)
-			*minimum = 0;
-		result = ISC_R_SUCCESS;
-		goto invalidate_rdataset;
-	}
 	if (result != ISC_R_SUCCESS)
 		goto invalidate_rdataset;
 
@@ -1524,8 +1531,10 @@ zone_load_soa_rr(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 		dns_rdata_init(&rdata);
 		dns_rdataset_current(&rdataset, &rdata);
 		count++;
-		if (count == 1)
-			dns_rdata_tostruct(&rdata, &soa, NULL);
+		if (count == 1) {
+			result = dns_rdata_tostruct(&rdata, &soa, NULL);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		}
 
 		result = dns_rdataset_next(&rdataset);
 		dns_rdata_reset(&rdata);
@@ -1768,7 +1777,7 @@ dns_zone_getoptions(dns_zone_t *zone) {
 }
 
 isc_result_t
-dns_zone_setxfrsource4(dns_zone_t *zone, const isc_sockaddr_t *xfrsource) {
+dns_zone_setxfrsource4(dns_zone_t *zone, isc_sockaddr_t *xfrsource) {
 	REQUIRE(DNS_ZONE_VALID(zone));
 
 	LOCK_ZONE(zone);
@@ -1785,7 +1794,7 @@ dns_zone_getxfrsource4(dns_zone_t *zone) {
 }
 
 isc_result_t
-dns_zone_setxfrsource6(dns_zone_t *zone, const isc_sockaddr_t *xfrsource) {
+dns_zone_setxfrsource6(dns_zone_t *zone, isc_sockaddr_t *xfrsource) {
 	REQUIRE(DNS_ZONE_VALID(zone));
 
 	LOCK_ZONE(zone);
@@ -1802,7 +1811,41 @@ dns_zone_getxfrsource6(dns_zone_t *zone) {
 }
 
 isc_result_t
-dns_zone_setnotifysrc4(dns_zone_t *zone, const isc_sockaddr_t *notifysrc) {
+dns_zone_setaltxfrsource4(dns_zone_t *zone, isc_sockaddr_t *altxfrsource) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	zone->altxfrsource4 = *altxfrsource;
+	UNLOCK_ZONE(zone);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_sockaddr_t *
+dns_zone_getaltxfrsource4(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	return (&zone->altxfrsource4);
+}
+
+isc_result_t
+dns_zone_setaltxfrsource6(dns_zone_t *zone, isc_sockaddr_t *altxfrsource) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	zone->altxfrsource6 = *altxfrsource;
+	UNLOCK_ZONE(zone);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_sockaddr_t *
+dns_zone_getaltxfrsource6(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	return (&zone->altxfrsource6);
+}
+
+isc_result_t
+dns_zone_setnotifysrc4(dns_zone_t *zone, isc_sockaddr_t *notifysrc) {
 	REQUIRE(DNS_ZONE_VALID(zone));
 
 	LOCK_ZONE(zone);
@@ -1819,7 +1862,7 @@ dns_zone_getnotifysrc4(dns_zone_t *zone) {
 }
 
 isc_result_t
-dns_zone_setnotifysrc6(dns_zone_t *zone, const isc_sockaddr_t *notifysrc) {
+dns_zone_setnotifysrc6(dns_zone_t *zone, isc_sockaddr_t *notifysrc) {
 	REQUIRE(DNS_ZONE_VALID(zone));
 
 	LOCK_ZONE(zone);
@@ -1836,7 +1879,7 @@ dns_zone_getnotifysrc6(dns_zone_t *zone) {
 }
 
 isc_result_t
-dns_zone_setalsonotify(dns_zone_t *zone, const isc_sockaddr_t *notify,
+dns_zone_setalsonotify(dns_zone_t *zone, isc_sockaddr_t *notify,
 		       isc_uint32_t count)
 {
 	isc_sockaddr_t *new;
@@ -1847,17 +1890,17 @@ dns_zone_setalsonotify(dns_zone_t *zone, const isc_sockaddr_t *notify,
 	LOCK_ZONE(zone);
 	if (zone->notify != NULL) {
 		isc_mem_put(zone->mctx, zone->notify,
-			    zone->notifycnt * sizeof *new);
+			    zone->notifycnt * sizeof(*new));
 		zone->notify = NULL;
 		zone->notifycnt = 0;
 	}
 	if (count != 0) {
-		new = isc_mem_get(zone->mctx, count * sizeof *new);
+		new = isc_mem_get(zone->mctx, count * sizeof(*new));
 		if (new == NULL) {
 			UNLOCK_ZONE(zone);
 			return (ISC_R_NOMEMORY);
 		}
-		memcpy(new, notify, count * sizeof *new);
+		memcpy(new, notify, count * sizeof(*new));
 		zone->notify = new;
 		zone->notifycnt = count;
 	}
@@ -1866,7 +1909,7 @@ dns_zone_setalsonotify(dns_zone_t *zone, const isc_sockaddr_t *notify,
 }
 
 isc_result_t
-dns_zone_setmasters(dns_zone_t *zone, const isc_sockaddr_t *masters,
+dns_zone_setmasters(dns_zone_t *zone, isc_sockaddr_t *masters,
 		    isc_uint32_t count)
 {
 	isc_result_t result;
@@ -1875,42 +1918,9 @@ dns_zone_setmasters(dns_zone_t *zone, const isc_sockaddr_t *masters,
 	return (result);
 }
 
-static isc_boolean_t
-same_masters(const isc_sockaddr_t *old, const isc_sockaddr_t *new,
-	     isc_uint32_t count)
-{
-	unsigned int i;
-
-	for (i = 0; i < count; i++)
-		if (!isc_sockaddr_equal(&old[i], &new[i]))
-			return (ISC_FALSE);
-	return (ISC_TRUE);
-}
-
-static isc_boolean_t
-same_keynames(dns_name_t **old, dns_name_t **new, isc_uint32_t count) {
-	unsigned int i;
-
-	if (old == NULL && new == NULL)
-		return (ISC_TRUE);
-	if (old == NULL || new == NULL)
-		return (ISC_FALSE);
-
-	for (i = 0; i < count; i++) {
-		if (old[i] == NULL && new[i] == NULL)
-			continue;
-		if (old[i] == NULL || new[i] == NULL ||
-		     !dns_name_equal(old[i], new[i]))
-			return (ISC_FALSE);
-	}
-	return (ISC_TRUE);
-}
-
 isc_result_t
-dns_zone_setmasterswithkeys(dns_zone_t *zone,
-			    const isc_sockaddr_t *masters,
-			    dns_name_t **keynames,
-			    isc_uint32_t count)
+dns_zone_setmasterswithkeys(dns_zone_t *zone, isc_sockaddr_t *masters,
+			    dns_name_t **keynames, isc_uint32_t count)
 {
 	isc_sockaddr_t *new;
 	isc_result_t result = ISC_R_SUCCESS;
@@ -1924,22 +1934,9 @@ dns_zone_setmasterswithkeys(dns_zone_t *zone,
 	}
 
 	LOCK_ZONE(zone);
-	/* 
-	 * The refresh code assumes that 'masters' wouldn't change under it.
-	 * If it will change then kill off any current refresh in progress
-	 * and update the masters info.  If it won't change then we can just
-	 * unlock and exit.
-	 */
-	if (count != zone->masterscnt ||
-	    !same_masters(zone->masters, masters, count) ||
-	    !same_keynames(zone->masterkeynames, keynames, count)) {
-		if (zone->request != NULL)
-			dns_request_cancel(zone->request);
-	} else
-		goto unlock;
 	if (zone->masters != NULL) {
 		isc_mem_put(zone->mctx, zone->masters,
-			    zone->masterscnt * sizeof *new);
+			    zone->masterscnt * sizeof(*new));
 		zone->masters = NULL;
 	}
 	if (zone->masterkeynames != NULL) {
@@ -1974,7 +1971,7 @@ dns_zone_setmasterswithkeys(dns_zone_t *zone,
 		result = ISC_R_NOMEMORY;
 		goto unlock;
 	}
-	memcpy(new, masters, count * sizeof *new);
+	memcpy(new, masters, count * sizeof(*new));
 	zone->masters = new;
 	zone->masterscnt = count;
 	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NOMASTERS);
@@ -1988,7 +1985,7 @@ dns_zone_setmasterswithkeys(dns_zone_t *zone,
 		if (newname == NULL) {
 			result = ISC_R_NOMEMORY;
 			isc_mem_put(zone->mctx, zone->masters,
-				    count * sizeof *new);
+				    count * sizeof(*new));
 			goto unlock;
 		}
 		for (i = 0; i < count; i++)
@@ -2010,9 +2007,9 @@ dns_zone_setmasterswithkeys(dns_zone_t *zone,
 							       newname[i],
 							       zone->mctx);
 					isc_mem_put(zone->mctx, zone->masters,
-						    count * sizeof *new);
+						    count * sizeof(*new));
 					isc_mem_put(zone->mctx, newname,
-						    count * sizeof *newname);
+						    count * sizeof(*newname));
 					goto unlock;
 				}
 			}
@@ -2053,7 +2050,7 @@ dns_zone_maintenance(dns_zone_t *zone) {
 	ENTER;
 
 	LOCK_ZONE(zone);
-	isc_time_now(&now);
+	TIME_NOW(&now);
 	zone_settimer(zone, &now);
 	UNLOCK_ZONE(zone);
 }
@@ -2061,7 +2058,7 @@ dns_zone_maintenance(dns_zone_t *zone) {
 static inline isc_boolean_t
 was_dumping(dns_zone_t *zone) {
 	isc_boolean_t dumping;
-	
+
 	REQUIRE(LOCKED_ZONE(zone));
 
 	dumping = DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DUMPING);
@@ -2093,7 +2090,7 @@ zone_maintenance(dns_zone_t *zone) {
 	if (zone->view == NULL || zone->view->adb == NULL)
 		return;
 
-	isc_time_now(&now);
+	TIME_NOW(&now);
 
 	/*
 	 * Expire check.
@@ -2143,7 +2140,7 @@ zone_maintenance(dns_zone_t *zone) {
 			dumping = ISC_TRUE;
 		UNLOCK_ZONE(zone);
 		if (!dumping) {
-			result = zone_dump(zone);
+			result = zone_dump(zone, ISC_TRUE); /* task locked */
 			if (result != ISC_R_SUCCESS)
 				dns_zone_log(zone, ISC_LOG_WARNING,
 					     "dump failed: %s",
@@ -2200,6 +2197,7 @@ zone_expire(dns_zone_t *zone) {
 	zone->refresh = DNS_ZONE_DEFAULTREFRESH;
 	zone->retry = DNS_ZONE_DEFAULTRETRY;
 	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_HAVETIMERS);
+	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDDUMP);
 	zone_unload(zone);
 }
 
@@ -2207,7 +2205,6 @@ void
 dns_zone_refresh(dns_zone_t *zone) {
 	isc_interval_t i;
 	isc_uint32_t oldflags;
-	isc_result_t result;
 
 	REQUIRE(DNS_ZONE_VALID(zone));
 
@@ -2229,6 +2226,8 @@ dns_zone_refresh(dns_zone_t *zone) {
 		goto unlock;
 	}
 	DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_REFRESH);
+	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NOEDNS);
+	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_USEALTXFRSRC);
 	if ((oldflags & (DNS_ZONEFLG_REFRESH|DNS_ZONEFLG_LOADING)) != 0)
 		goto unlock;
 
@@ -2239,22 +2238,17 @@ dns_zone_refresh(dns_zone_t *zone) {
 	 */
 	isc_interval_set(&i, isc_random_jitter(zone->retry, zone->retry / 4),
 			 0);
-	result = isc_time_nowplusinterval(&zone->refreshtime, &i);
-	if (result |= ISC_R_SUCCESS)
-		dns_zone_log(zone, ISC_LOG_WARNING,
-			     "isc_time_nowplusinterval() failed: %s",
-			     dns_result_totext(result));
+	isc_time_nowplusinterval(&zone->refreshtime, &i);
 
 	/*
 	 * When lacking user-specified timer values from the SOA,
-	 * do exponential backoff of the retry time up to a 
+	 * do exponential backoff of the retry time up to a
 	 * maximum of six hours.
 	 */
 	if (! DNS_ZONE_FLAG(zone, DNS_ZONEFLG_HAVETIMERS))
 		zone->retry = ISC_MIN(zone->retry * 2, 6 * 3600);
 
 	zone->curmaster = 0;
-	zone->refreshcnt = 0;
 	/* initiate soa query */
 	queue_soa_query(zone);
  unlock:
@@ -2263,7 +2257,7 @@ dns_zone_refresh(dns_zone_t *zone) {
 
 isc_result_t
 dns_zone_flush(dns_zone_t *zone) {
-	isc_result_t result = ISC_R_ALREADYRUNNING;
+	isc_result_t result = ISC_R_SUCCESS;
 	isc_boolean_t dumping;
 
 	REQUIRE(DNS_ZONE_VALID(zone));
@@ -2271,13 +2265,14 @@ dns_zone_flush(dns_zone_t *zone) {
 	LOCK_ZONE(zone);
 	DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_FLUSH);
 	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP) &&
-	    zone->masterfile != NULL)
+	    zone->masterfile != NULL) {
+		result = ISC_R_ALREADYRUNNING;
 		dumping = was_dumping(zone);
-	else
+	} else
 		dumping = ISC_TRUE;
 	UNLOCK_ZONE(zone);
 	if (!dumping)
-		result = zone_dump(zone);
+		result = zone_dump(zone, ISC_FALSE);	/* Unknown task. */
 	return (result);
 }
 
@@ -2292,7 +2287,7 @@ dns_zone_dump(dns_zone_t *zone) {
 	dumping = was_dumping(zone);
 	UNLOCK_ZONE(zone);
 	if (!dumping)
-		result = zone_dump(zone);
+		result = zone_dump(zone, ISC_FALSE);	/* Unknown task. */
 	return (result);
 }
 
@@ -2300,7 +2295,6 @@ static void
 zone_needdump(dns_zone_t *zone, unsigned int delay) {
 	isc_time_t dumptime;
 	isc_time_t now;
-	isc_interval_t i;
 
 	/*
 	 * 'zone' locked by caller
@@ -2316,12 +2310,9 @@ zone_needdump(dns_zone_t *zone, unsigned int delay) {
 	    DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) == 0)
 		return;
 
-	isc_interval_set(&i, delay, 0);
-	isc_time_now(&now);
-	isc_time_add(&now, &i, &dumptime);
-
+	TIME_NOW(&now);
 	/* add some noise */
-	delay = isc_random_jitter(delay, delay/4);
+	DNS_ZONE_JITTER_ADD(&now, delay, &dumptime);
 
 	DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDDUMP);
 	if (isc_time_isepoch(&zone->dumptime) ||
@@ -2331,15 +2322,92 @@ zone_needdump(dns_zone_t *zone, unsigned int delay) {
 		zone_settimer(zone, &now);
 }
 
+static void
+dump_done(void *arg, isc_result_t result) {
+	const char me[] = "dump_done";
+	dns_zone_t *zone = arg;
+	dns_db_t *db;
+	dns_dbversion_t *version;
+	isc_boolean_t again = ISC_FALSE;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	ENTER;
+
+	if (result == ISC_R_SUCCESS && zone->journal != NULL &&
+	    zone->journalsize != -1) {
+		isc_uint32_t serial;
+		isc_result_t tresult;
+
+		/*
+		 * We don't own these, zone->dctx must stay valid.
+		 */
+		db = dns_dumpctx_db(zone->dctx);
+		version = dns_dumpctx_version(zone->dctx);
+
+		tresult = dns_db_getsoaserial(db, version, &serial);
+		if (tresult == ISC_R_SUCCESS) {
+			tresult = dns_journal_compact(zone->mctx, zone->journal,
+						     serial, zone->journalsize);
+			switch (tresult) {
+			case ISC_R_SUCCESS:
+			case ISC_R_NOSPACE:
+			case ISC_R_NOTFOUND:
+				dns_zone_log(zone, ISC_LOG_DEBUG(3),
+					     "dns_journal_compact: %s",
+					     dns_result_totext(tresult));
+				break;
+			default:
+				dns_zone_log(zone, ISC_LOG_ERROR,
+					     "dns_journal_compact failed: %s",
+					     dns_result_totext(tresult));
+				break;
+			}
+		}
+	}
+
+	LOCK_ZONE(zone);
+	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_DUMPING);
+	if (result != ISC_R_SUCCESS && result != ISC_R_CANCELED) {
+		/*
+		 * Try again in a short while.
+		 */
+		zone_needdump(zone, DNS_DUMP_DELAY);
+	} else if (result == ISC_R_SUCCESS &&
+		   DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FLUSH) &&
+		   DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP) &&
+		   DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED)) {
+		DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDDUMP);
+		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_DUMPING);
+		isc_time_settoepoch(&zone->dumptime);
+		again = ISC_TRUE;
+	} else if (result == ISC_R_SUCCESS)
+		DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_FLUSH);
+
+	if (zone->dctx != NULL)
+		dns_dumpctx_detach(&zone->dctx);
+	UNLOCK_ZONE(zone);
+	if (again)
+		(void)zone_dump(zone, ISC_FALSE);
+	zonemgr_putio(&zone->writeio);
+	dns_zone_idetach(&zone);
+}
+
 static isc_result_t
-zone_dump(dns_zone_t *zone) {
+zone_dump(dns_zone_t *zone, isc_boolean_t compact) {
+	const char me[] = "zone_dump";
 	isc_result_t result;
 	dns_dbversion_t *version = NULL;
 	isc_boolean_t again;
 	dns_db_t *db = NULL;
 	char *masterfile = NULL;
 
+/*
+ * 'compact' MUST only be set if we are task locked.
+ */
+
 	REQUIRE(DNS_ZONE_VALID(zone));
+	ENTER;
 
  redo:
 	LOCK_ZONE(zone);
@@ -2356,12 +2424,26 @@ zone_dump(dns_zone_t *zone) {
 		result = DNS_R_NOMASTERFILE;
 		goto fail;
 	}
-	dns_db_currentversion(db, &version);
-
-	result = dns_master_dump(zone->mctx, db, version,
-				 &dns_master_style_default, masterfile);
 
-	dns_db_closeversion(db, &version, ISC_FALSE);
+	if (compact) {
+		dns_zone_t *dummy = NULL;
+		LOCK_ZONE(zone);
+		zone_iattach(zone, &dummy);
+		result = zonemgr_getio(zone->zmgr, ISC_FALSE, zone->task,
+				       zone_gotwritehandle, zone,
+				       &zone->writeio);
+		if (result != ISC_R_SUCCESS)
+			zone_idetach(&dummy);
+		else
+			result = DNS_R_CONTINUE;
+		UNLOCK_ZONE(zone);
+	} else {
+		dns_db_currentversion(db, &version);
+		result = dns_master_dump(zone->mctx, db, version,
+					 &dns_master_style_default,
+					 masterfile);
+		dns_db_closeversion(db, &version, ISC_FALSE);
+	}
  fail:
 	if (db != NULL)
 		dns_db_detach(&db);
@@ -2369,6 +2451,9 @@ zone_dump(dns_zone_t *zone) {
 		isc_mem_free(zone->mctx, masterfile);
 	masterfile = NULL;
 
+	if (result == DNS_R_CONTINUE)
+		return (ISC_R_SUCCESS); /* XXXMPA */
+
 	again = ISC_FALSE;
 	LOCK_ZONE(zone);
 	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_DUMPING);
@@ -2384,7 +2469,8 @@ zone_dump(dns_zone_t *zone) {
 		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_DUMPING);
 		isc_time_settoepoch(&zone->dumptime);
 		again = ISC_TRUE;
-	}
+	} else
+		DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_FLUSH);
 	UNLOCK_ZONE(zone);
 	if (again)
 		goto redo;
@@ -2392,8 +2478,8 @@ zone_dump(dns_zone_t *zone) {
 	return (result);
 }
 
-isc_result_t
-dns_zone_dumptostream(dns_zone_t *zone, FILE *fd) {
+static isc_result_t
+dumptostream(dns_zone_t *zone, FILE *fd, const dns_master_style_t *style) {
 	isc_result_t result;
 	dns_dbversion_t *version = NULL;
 	dns_db_t *db = NULL;
@@ -2408,13 +2494,22 @@ dns_zone_dumptostream(dns_zone_t *zone, FILE *fd) {
 		return (DNS_R_NOTLOADED);
 
 	dns_db_currentversion(db, &version);
-	result = dns_master_dumptostream(zone->mctx, db, version,
-					 &dns_master_style_default, fd);
+	result = dns_master_dumptostream(zone->mctx, db, version, style, fd);
 	dns_db_closeversion(db, &version, ISC_FALSE);
 	dns_db_detach(&db);
 	return (result);
 }
 
+isc_result_t
+dns_zone_dumptostream(dns_zone_t *zone, FILE *fd) {
+	return dumptostream(zone, fd, &dns_master_style_default);
+}
+
+isc_result_t
+dns_zone_fulldumptostream(dns_zone_t *zone, FILE *fd) {
+	return dumptostream(zone, fd, &dns_master_style_full);
+}
+
 void
 dns_zone_unload(dns_zone_t *zone) {
 	REQUIRE(DNS_ZONE_VALID(zone));
@@ -2449,13 +2544,12 @@ zone_unload(dns_zone_t *zone) {
 
 	/*
 	 * 'zone' locked by caller.
-	 */ 
+	 */
 
 	REQUIRE(LOCKED_ZONE(zone));
 
 	dns_db_detach(&zone->db);
 	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_LOADED);
-	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDDUMP);
 }
 
 void
@@ -2537,7 +2631,7 @@ notify_destroy(dns_notify_t *notify, isc_boolean_t locked) {
 	if (dns_name_dynamic(&notify->ns))
 		dns_name_free(&notify->ns, notify->mctx);
 	mctx = notify->mctx;
-	isc_mem_put(notify->mctx, notify, sizeof *notify);
+	isc_mem_put(notify->mctx, notify, sizeof(*notify));
 	isc_mem_detach(&mctx);
 }
 
@@ -2547,7 +2641,7 @@ notify_create(isc_mem_t *mctx, unsigned int flags, dns_notify_t **notifyp) {
 
 	REQUIRE(notifyp != NULL && *notifyp == NULL);
 
-	notify = isc_mem_get(mctx, sizeof *notify);
+	notify = isc_mem_get(mctx, sizeof(*notify));
 	if (notify == NULL)
 		return (ISC_R_NOMEMORY);
 
@@ -2559,7 +2653,6 @@ notify_create(isc_mem_t *mctx, unsigned int flags, dns_notify_t **notifyp) {
 	notify->request = NULL;
 	isc_sockaddr_any(&notify->dst);
 	dns_name_init(&notify->ns, NULL);
-	notify->attempt = 0;
 	ISC_LINK_INIT(notify, link);
 	notify->magic = NOTIFY_MAGIC;
 	*notifyp = notify;
@@ -2605,7 +2698,7 @@ notify_find_address(dns_notify_t *notify) {
 
 	if (notify->zone->view->adb == NULL)
 		goto destroy;
-	
+
 	result = dns_adb_createfind(notify->zone->view->adb,
 				    notify->zone->task,
 				    process_adb_event, notify,
@@ -2683,6 +2776,20 @@ notify_send_toaddr(isc_task_t *task, isc_event_t *event) {
 		goto cleanup;
 	}
 
+	/*
+	 * The raw IPv4 address should also exist.  Don't send to the
+	 * mapped form.
+	 */
+	if (isc_sockaddr_pf(&notify->dst) == PF_INET6 &&
+	    IN6_IS_ADDR_V4MAPPED(&notify->dst.type.sin6.sin6_addr)) {
+	        isc_sockaddr_format(&notify->dst, addrbuf, sizeof(addrbuf));
+		notify_log(notify->zone, ISC_LOG_DEBUG(3),
+			   "notify: ignoring IPv6 mapped IPV4 address: %s",
+			   addrbuf);
+		result = ISC_R_CANCELED;
+		goto cleanup;
+	}
+
 	result = notify_createmessage(notify->zone, notify->flags, &message);
 	if (result != ISC_R_SUCCESS)
 		goto cleanup;
@@ -2707,11 +2814,11 @@ notify_send_toaddr(isc_task_t *task, isc_event_t *event) {
 	timeout = 15;
 	if (DNS_ZONE_FLAG(notify->zone, DNS_ZONEFLG_DIALNOTIFY))
 		timeout = 30;
-	result = dns_request_createvia(notify->zone->view->requestmgr, message,
-				       &src, &notify->dst, 0, key, timeout,
-				       notify->zone->task,
-				       notify_done, notify,
-				       &notify->request);
+	result = dns_request_createvia2(notify->zone->view->requestmgr,
+					message, &src, &notify->dst, 0, key,
+					timeout * 3, timeout,
+					notify->zone->task, notify_done,
+					notify, &notify->request);
  cleanup_key:
 	if (key != NULL)
 		dns_tsigkey_detach(&key);
@@ -2771,7 +2878,7 @@ dns_zone_notify(dns_zone_t *zone) {
 	LOCK_ZONE(zone);
 	DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
 
-	isc_time_now(&now);
+	TIME_NOW(&now);
 	zone_settimer(zone, &now);
 	UNLOCK_ZONE(zone);
 }
@@ -2784,7 +2891,7 @@ zone_notify(dns_zone_t *zone) {
 	dns_name_t master;
 	dns_rdata_ns_t ns;
 	dns_rdata_soa_t soa;
-	isc_uint32_t serial;
+	isc_uint32_t serial = 0;
 	dns_rdata_t rdata = DNS_RDATA_INIT;
 	dns_rdataset_t nsrdset;
 	dns_rdataset_t soardset;
@@ -2796,7 +2903,6 @@ zone_notify(dns_zone_t *zone) {
 	dns_notifytype_t notifytype;
 	unsigned int flags = 0;
 	isc_boolean_t loggednotify = ISC_FALSE;
-	dns_db_t *db = NULL;
 
 	REQUIRE(DNS_ZONE_VALID(zone));
 
@@ -2811,13 +2917,6 @@ zone_notify(dns_zone_t *zone) {
 	if (notifytype == dns_notifytype_no)
 		return;
 
-	LOCK_ZONE(zone);
-	if (zone->db != NULL)
-		dns_db_attach(zone->db, &db);
-	UNLOCK_ZONE(zone);
-	if (db == NULL)
-		return;
-
 	origin = &zone->origin;
 
 	/*
@@ -2828,37 +2927,6 @@ zone_notify(dns_zone_t *zone) {
 		flags |= DNS_NOTIFY_NOSOA;
 
 	/*
-	 * Get SOA RRset.
-	 */
-	dns_db_currentversion(db, &version);
-	result = dns_db_findnode(db, origin, ISC_FALSE, &node);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup1;
-
-	dns_rdataset_init(&soardset);
-	result = dns_db_findrdataset(db, node, version, dns_rdatatype_soa,
-				     dns_rdatatype_none, 0, &soardset, NULL);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup2;
-
-	/*
-	 * Find serial and master server's name.
-	 */
-	dns_name_init(&master, NULL);
-	result = dns_rdataset_first(&soardset);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup3;
-	dns_rdataset_current(&soardset, &rdata);
-	result = dns_rdata_tostruct(&rdata, &soa, NULL);
-	RUNTIME_CHECK(result == ISC_R_SUCCESS);
-	dns_rdata_reset(&rdata);
-	result = dns_name_dup(&soa.origin, zone->mctx, &master);
-	serial = soa.serial;
-	dns_rdataset_disassociate(&soardset);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup3;
-
-	/*
 	 * Enqueue notify requests for 'also-notify' servers.
 	 */
 	LOCK_ZONE(zone);
@@ -2867,14 +2935,19 @@ zone_notify(dns_zone_t *zone) {
 		if (notify_isqueued(zone, NULL, &dst))
 			continue;
 		result = notify_create(zone->mctx, flags, &notify);
-		if (result != ISC_R_SUCCESS)
-			continue;
+		if (result != ISC_R_SUCCESS) {
+			UNLOCK_ZONE(zone);
+			return;
+		}
 		zone_iattach(zone, &notify->zone);
 		notify->dst = dst;
 		ISC_LIST_APPEND(zone->notifies, notify, link);
 		result = notify_send_queue(notify);
-		if (result != ISC_R_SUCCESS)
+		if (result != ISC_R_SUCCESS) {
 			notify_destroy(notify, ISC_TRUE);
+			UNLOCK_ZONE(zone);
+			return;
+		}
 		if (!loggednotify) {
 			notify_log(zone, ISC_LOG_INFO,
 				   "sending notifies (serial %u)",
@@ -2886,14 +2959,44 @@ zone_notify(dns_zone_t *zone) {
 	UNLOCK_ZONE(zone);
 
 	if (notifytype == dns_notifytype_explicit)
-		goto cleanup3;
-  
+		return;
+
 	/*
 	 * Process NS RRset to generate notifies.
 	 */
 
+	dns_db_currentversion(zone->db, &version);
+	result = dns_db_findnode(zone->db, origin, ISC_FALSE, &node);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup1;
+
+	dns_rdataset_init(&soardset);
+	result = dns_db_findrdataset(zone->db, node, version,
+				     dns_rdatatype_soa,
+				     dns_rdatatype_none, 0, &soardset, NULL);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup2;
+
+	/*
+	 * Find master server's name.
+	 */
+	dns_name_init(&master, NULL);
+	result = dns_rdataset_first(&soardset);
+	if (result == ISC_R_SUCCESS) {
+		dns_rdataset_current(&soardset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &soa, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		dns_rdata_reset(&rdata);
+		result = dns_name_dup(&soa.origin, zone->mctx, &master);
+		serial = soa.serial;
+		dns_rdataset_disassociate(&soardset);
+	}
+	if (result != ISC_R_SUCCESS)
+		goto cleanup3;
+
 	dns_rdataset_init(&nsrdset);
-	result = dns_db_findrdataset(db, node, version, dns_rdatatype_ns,
+	result = dns_db_findrdataset(zone->db, node, version,
+				     dns_rdatatype_ns,
 				     dns_rdatatype_none, 0, &nsrdset, NULL);
 	if (result != ISC_R_SUCCESS)
 		goto cleanup3;
@@ -2902,9 +3005,8 @@ zone_notify(dns_zone_t *zone) {
 	while (result == ISC_R_SUCCESS) {
 		dns_rdataset_current(&nsrdset, &rdata);
 		result = dns_rdata_tostruct(&rdata, &ns, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
 		dns_rdata_reset(&rdata);
-		if (result != ISC_R_SUCCESS)
-			continue;
 		/*
 		 * don't notify the master server.
 		 */
@@ -2951,10 +3053,9 @@ zone_notify(dns_zone_t *zone) {
 	if (dns_name_dynamic(&master))
 		dns_name_free(&master, zone->mctx);
  cleanup2:
-	dns_db_detachnode(db, &node);
+	dns_db_detachnode(zone->db, &node);
  cleanup1:
-	dns_db_closeversion(db, &version, ISC_FALSE);
-	dns_db_detach(&db);
+	dns_db_closeversion(zone->db, &version, ISC_FALSE);
 }
 
 /***
@@ -3000,28 +3101,12 @@ save_nsrrset(dns_message_t *message, dns_name_t *name,
 	     result = dns_rdataset_next(nsrdataset)) {
 		dns_rdataset_current(nsrdataset, &rdata);
 		result = dns_rdata_tostruct(&rdata, &ns, NULL);
-		dns_rdata_reset(&rdata);
 		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		dns_rdata_reset(&rdata);
 		if (!dns_name_issubdomain(&ns.name, name))
 			continue;
 		rdataset = NULL;
 		result = dns_message_findname(message, DNS_SECTION_ADDITIONAL,
-					      &ns.name, dns_rdatatype_a6,
-					      dns_rdatatype_none, NULL,
-					      &rdataset);
-		if (result == ISC_R_SUCCESS) {
-			result = dns_db_findnode(db, &ns.name,
-						 ISC_TRUE, &node);
-			if (result != ISC_R_SUCCESS)
-				goto fail;
-			result = dns_db_addrdataset(db, node, version, 0,
-						    rdataset, 0, NULL);
-			dns_db_detachnode(db, &node);
-			if (result != ISC_R_SUCCESS)
-				goto fail;
-		}
-		rdataset = NULL;
-		result = dns_message_findname(message, DNS_SECTION_ADDITIONAL,
 					      &ns.name, dns_rdatatype_aaaa,
 					      dns_rdatatype_none, NULL,
 					      &rdataset);
@@ -3070,6 +3155,7 @@ stub_callback(isc_task_t *task, isc_event_t *event) {
 	dns_message_t *msg = NULL;
 	dns_zone_t *zone = NULL;
 	char master[ISC_SOCKADDR_FORMATSIZE];
+	char source[ISC_SOCKADDR_FORMATSIZE];
 	isc_uint32_t nscnt, cnamecnt;
 	isc_result_t result;
 	isc_time_t now;
@@ -3085,7 +3171,7 @@ stub_callback(isc_task_t *task, isc_event_t *event) {
 
 	ENTER;
 
-	isc_time_now(&now);
+	TIME_NOW(&now);
 
 	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
 		zone_debuglog(zone, me, 1, "exiting");
@@ -3094,11 +3180,24 @@ stub_callback(isc_task_t *task, isc_event_t *event) {
 	}
 
 	isc_sockaddr_format(&zone->masteraddr, master, sizeof(master));
+	isc_sockaddr_format(&zone->sourceaddr, source, sizeof(source));
 
 	if (revent->result != ISC_R_SUCCESS) {
+		if (revent->result == ISC_R_TIMEDOUT &&
+		    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS)) {
+			LOCK_ZONE(zone);
+			DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOEDNS);
+			UNLOCK_ZONE(zone);
+			dns_zone_log(zone, ISC_LOG_DEBUG(1),
+				     "refreshing stub: timeout retrying "
+				     " without EDNS master %s (source %s)",
+				     master, source);
+			goto same_master;
+		}
 		dns_zone_log(zone, ISC_LOG_INFO,
-			     "could not refresh stub from master %s: %s",
-			     master, dns_result_totext(revent->result));
+			     "could not refresh stub from master %s"
+			     " (source %s): %s", master, source,
+			     dns_result_totext(revent->result));
 		goto next_master;
 	}
 
@@ -3118,12 +3217,26 @@ stub_callback(isc_task_t *task, isc_event_t *event) {
 		isc_buffer_t rb;
 
 		isc_buffer_init(&rb, rcode, sizeof(rcode));
-		dns_rcode_totext(msg->rcode, &rb);
+		(void)dns_rcode_totext(msg->rcode, &rb);
+
+		if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS) &&
+		    (msg->rcode == dns_rcode_servfail ||
+		     msg->rcode == dns_rcode_notimp ||
+		     msg->rcode == dns_rcode_formerr)) {
+			dns_zone_log(zone, ISC_LOG_DEBUG(1),
+				     "refreshing stub: rcode (%.*s) retrying "
+				     "without EDNS master %s (source %s)",
+				     (int)rb.used, rcode, master, source);
+			LOCK_ZONE(zone);
+			DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOEDNS);
+			UNLOCK_ZONE(zone);
+			goto same_master;
+		}
 
 		dns_zone_log(zone, ISC_LOG_INFO,
 			     "refreshing stub: "
-			     "unexpected rcode (%.*s) from %s",
-			     (int)rb.used, rcode, master);
+			     "unexpected rcode (%.*s) from %s (source %s)",
+			     (int)rb.used, rcode, master, source);
 		goto next_master;
 	}
 
@@ -3133,9 +3246,9 @@ stub_callback(isc_task_t *task, isc_event_t *event) {
 	if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0) {
 		if (dns_request_usedtcp(revent->request)) {
 			dns_zone_log(zone, ISC_LOG_INFO,
-				     "refreshing stub: "
-				     "truncated TCP response from master %s",
-				 master);
+				     "refreshing stub: truncated TCP "
+				     "response from master %s (source %s)",
+				     master, source);
 			goto next_master;
 		}
 		LOCK_ZONE(zone);
@@ -3149,8 +3262,8 @@ stub_callback(isc_task_t *task, isc_event_t *event) {
 	 */
 	if ((msg->flags & DNS_MESSAGEFLAG_AA) == 0) {
 		dns_zone_log(zone, ISC_LOG_INFO, "refreshing stub: "
-			     "non-authoritative answer from master %s",
-			     master);
+			     "non-authoritative answer from "
+			     "master %s (source %s)", master, source);
 		goto next_master;
 	}
 
@@ -3163,14 +3276,14 @@ stub_callback(isc_task_t *task, isc_event_t *event) {
 	if (cnamecnt != 0) {
 		dns_zone_log(zone, ISC_LOG_INFO,
 			     "refreshing stub: unexpected CNAME response "
-			     "from master %s", master);
+			     "from master %s (source %s)", master, source);
 		goto next_master;
 	}
 
 	if (nscnt == 0) {
 		dns_zone_log(zone, ISC_LOG_INFO,
 			     "refreshing stub: no NS records in response "
-			     "from master %s", master);
+			     "from master %s (source %s)", master, source);
 		goto next_master;
 	}
 
@@ -3181,7 +3294,7 @@ stub_callback(isc_task_t *task, isc_event_t *event) {
 	if (result != ISC_R_SUCCESS) {
 		dns_zone_log(zone, ISC_LOG_INFO,
 			     "refreshing stub: unable to save NS records "
-			     "from master %s", master);
+			     "from master %s (source %s)", master, source);
 		goto next_master;
 	}
 
@@ -3197,7 +3310,7 @@ stub_callback(isc_task_t *task, isc_event_t *event) {
 
 	if (zone->masterfile != NULL) {
 		dns_zone_dump(zone);
-		(void)isc_time_now(&zone->loadtime);
+		TIME_NOW(&zone->loadtime);
 	}
 
 	dns_message_destroy(&msg);
@@ -3205,11 +3318,9 @@ stub_callback(isc_task_t *task, isc_event_t *event) {
 	LOCK_ZONE(zone);
 	dns_request_destroy(&zone->request);
 	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH);
-	isc_interval_set(&i, isc_random_jitter(zone->refresh,
-			 zone->refresh / 4), 0);
-	isc_time_add(&now, &i, &zone->refreshtime);
+	DNS_ZONE_JITTER_ADD(&now, zone->refresh, &zone->refreshtime);
 	isc_interval_set(&i, zone->expire, 0);
-	isc_time_add(&now, &i, &zone->expiretime);
+	DNS_ZONE_TIME_ADD(&now, zone->expire, &zone->expiretime);
 	zone_settimer(zone, &now);
 	UNLOCK_ZONE(zone);
 	goto free_stub;
@@ -3225,13 +3336,20 @@ stub_callback(isc_task_t *task, isc_event_t *event) {
 	LOCK_ZONE(zone);
 	dns_request_destroy(&zone->request);
 	zone->curmaster++;
-	zone->refreshcnt = 0;
+	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NOEDNS);
 	if (exiting || zone->curmaster >= zone->masterscnt) {
-		DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH);
+		if (!exiting &&
+		    DNS_ZONE_OPTION(zone, DNS_ZONEOPT_USEALTXFRSRC) &&
+		    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_USEALTXFRSRC)) {
+			zone->curmaster = 0;
+			DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_USEALTXFRSRC);
+		} else {
+			DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH);
 
-		zone_settimer(zone, &now);
-		UNLOCK_ZONE(zone);
-		goto free_stub;
+			zone_settimer(zone, &now);
+			UNLOCK_ZONE(zone);
+			goto free_stub;
+		}
 	}
 	queue_soa_query(zone);
 	UNLOCK_ZONE(zone);
@@ -3271,12 +3389,12 @@ refresh_callback(isc_task_t *task, isc_event_t *event) {
 	isc_uint32_t soacnt, cnamecnt, soacount, nscount;
 	isc_time_t now;
 	char master[ISC_SOCKADDR_FORMATSIZE];
-	dns_rdataset_t *rdataset;
+	char source[ISC_SOCKADDR_FORMATSIZE];
+	dns_rdataset_t *rdataset = NULL;
 	dns_rdata_t rdata = DNS_RDATA_INIT;
 	dns_rdata_soa_t soa;
 	isc_result_t result;
 	isc_uint32_t serial;
-	isc_interval_t i;
 
 	zone = revent->ev_arg;
 	INSIST(DNS_ZONE_VALID(zone));
@@ -3290,22 +3408,35 @@ refresh_callback(isc_task_t *task, isc_event_t *event) {
 	 */
 
 	isc_sockaddr_format(&zone->masteraddr, master, sizeof(master));
+	isc_sockaddr_format(&zone->sourceaddr, source, sizeof(source));
 
-	isc_time_now(&now);
+	TIME_NOW(&now);
 
 	if (revent->result != ISC_R_SUCCESS) {
-		dns_zone_log(zone, ISC_LOG_INFO,
-			     "refresh: failure trying master %s: %s",
-			     master, dns_result_totext(revent->result));
+		if (revent->result == ISC_R_TIMEDOUT &&
+		    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS)) {
+			LOCK_ZONE(zone);
+			DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOEDNS);
+			UNLOCK_ZONE(zone);
+			dns_zone_log(zone, ISC_LOG_DEBUG(1),
+				     "refresh: timeout retrying without EDNS "
+				     "master %s (source %s)", master, source);
+			goto same_master;
+		}
 		if (revent->result == ISC_R_TIMEDOUT &&
 		    !dns_request_usedtcp(revent->request)) {
-			if (zone->refreshcnt < 3)
-				goto same_master;
 			dns_zone_log(zone, ISC_LOG_INFO,
 				     "refresh: retry limit for "
-				     "master %s exceeded",
-				     master);
-		}
+				     "master %s exceeded (source %s)",
+				     master, source);
+			/* Try with slave with TCP. */
+			if (zone->type == dns_zone_slave)
+				goto tcp_transfer;
+		} else
+			dns_zone_log(zone, ISC_LOG_INFO,
+				     "refresh: failure trying master "
+				     "%s (source %s): %s", master, source,
+				     dns_result_totext(revent->result));
 		goto next_master;
 	}
 
@@ -3315,8 +3446,9 @@ refresh_callback(isc_task_t *task, isc_event_t *event) {
 	result = dns_request_getresponse(revent->request, msg, 0);
 	if (result != ISC_R_SUCCESS) {
 		dns_zone_log(zone, ISC_LOG_INFO,
-			     "refresh: failure trying master %s: %s",
-			     master, dns_result_totext(result));
+			     "refresh: failure trying master "
+			     "%s (source %s): %s", master, source,
+			     dns_result_totext(result));
 		goto next_master;
 	}
 
@@ -3328,11 +3460,31 @@ refresh_callback(isc_task_t *task, isc_event_t *event) {
 		isc_buffer_t rb;
 
 		isc_buffer_init(&rb, rcode, sizeof(rcode));
-		dns_rcode_totext(msg->rcode, &rb);
-
+		(void)dns_rcode_totext(msg->rcode, &rb);
+
+		if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS) &&
+		    (msg->rcode == dns_rcode_servfail ||
+		     msg->rcode == dns_rcode_notimp ||
+		     msg->rcode == dns_rcode_formerr)) {
+			dns_zone_log(zone, ISC_LOG_DEBUG(1),
+				     "refresh: rcode (%.*s) retrying without "
+				     "EDNS master %s (source %s)",
+				     (int)rb.used, rcode, master, source);
+			LOCK_ZONE(zone);
+			DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOEDNS);
+			UNLOCK_ZONE(zone);
+			goto same_master;
+		}
 		dns_zone_log(zone, ISC_LOG_INFO,
-			     "refresh: unexpected rcode (%.*s) from master %s",
-			     (int)rb.used, rcode, master);
+			     "refresh: unexpected rcode (%.*s) from "
+			     "master %s (source %s)", (int)rb.used, rcode,
+			     master, source);
+		/*
+		 * Perhaps AXFR/IXFR is allowed even if SOA queries arn't.
+		 */
+		if (msg->rcode == dns_rcode_refused &&
+		    zone->type == dns_zone_slave)
+			goto tcp_transfer;
 		goto next_master;
 	}
 
@@ -3344,16 +3496,16 @@ refresh_callback(isc_task_t *task, isc_event_t *event) {
 			dns_zone_log(zone, ISC_LOG_INFO,
 				     "refresh: truncated UDP answer, "
 				     "initiating TCP zone xfer "
-				     "for master %s",
-				 master);
+				     "for master %s (source %s)",
+				     master, source);
 			goto tcp_transfer;
 		} else {
 			INSIST(zone->type == dns_zone_stub);
 			if (dns_request_usedtcp(revent->request)) {
 				dns_zone_log(zone, ISC_LOG_INFO,
 					     "refresh: truncated TCP response "
-					     "from master %s",
-					     master);
+					     "from master %s (source %s)",
+					     master, source);
 				goto next_master;
 			}
 			LOCK_ZONE(zone);
@@ -3369,7 +3521,7 @@ refresh_callback(isc_task_t *task, isc_event_t *event) {
 	if ((msg->flags & DNS_MESSAGEFLAG_AA) == 0) {
 		dns_zone_log(zone, ISC_LOG_INFO,
 			     "refresh: non-authoritative answer from "
-			     "master %s", master);
+			     "master %s (source %s)", master, source);
 		goto next_master;
 	}
 
@@ -3385,7 +3537,7 @@ refresh_callback(isc_task_t *task, isc_event_t *event) {
 	if (cnamecnt != 0) {
 		dns_zone_log(zone, ISC_LOG_INFO,
 			     "refresh: CNAME at top of zone "
-			     "in master %s", master);
+			     "in master %s (source %s)", master, source);
 		goto next_master;
 	}
 
@@ -3395,7 +3547,7 @@ refresh_callback(isc_task_t *task, isc_event_t *event) {
 	if (soacnt == 0 && soacount == 0 && nscount != 0) {
 		dns_zone_log(zone, ISC_LOG_INFO,
 			     "refresh: referral response "
-			     "from master %s", master);
+			     "from master %s (source %s)", master, source);
 		goto next_master;
 	}
 
@@ -3405,7 +3557,7 @@ refresh_callback(isc_task_t *task, isc_event_t *event) {
 	if (soacnt == 0 && (nscount == 0 || soacount != 0)) {
 		dns_zone_log(zone, ISC_LOG_INFO,
 			     "refresh: NODATA response "
-			     "from master %s", master);
+			     "from master %s (source %s)", master, source);
 		goto next_master;
 	}
 
@@ -3415,8 +3567,8 @@ refresh_callback(isc_task_t *task, isc_event_t *event) {
 	if (soacnt != 1) {
 		dns_zone_log(zone, ISC_LOG_INFO,
 			     "refresh: answer SOA count (%d) != 1 "
-			     "from master %s",
-			 soacnt, master);
+			     "from master %s (source %s)",
+			     soacnt, master, source);
 		goto next_master;
 	}
 	/*
@@ -3429,7 +3581,7 @@ refresh_callback(isc_task_t *task, isc_event_t *event) {
 	if (result != ISC_R_SUCCESS) {
 		dns_zone_log(zone, ISC_LOG_INFO,
 			     "refresh: unable to get SOA record "
-			     "from master %s", master);
+			     "from master %s (source %s)", master, source);
 		goto next_master;
 	}
 
@@ -3442,11 +3594,7 @@ refresh_callback(isc_task_t *task, isc_event_t *event) {
 
 	dns_rdataset_current(rdataset, &rdata);
 	result = dns_rdata_tostruct(&rdata, &soa, NULL);
-	if (result != ISC_R_SUCCESS) {
-		dns_zone_log(zone, ISC_LOG_INFO,
-			     "refresh: dns_rdata_tostruct() failed");
-		goto next_master;
-	}
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
 
 	serial = soa.serial;
 
@@ -3470,32 +3618,29 @@ refresh_callback(isc_task_t *task, isc_event_t *event) {
 			dns_message_destroy(&msg);
 	} else if (isc_serial_eq(soa.serial, zone->serial)) {
 		if (zone->masterfile != NULL) {
-			result = ISC_R_FAILURE;
-			if (zone->journal != NULL)
-				result = isc_file_settime(zone->journal, &now);
-			if (result == ISC_R_SUCCESS &&
-			    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP) &&
-			    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DUMPING)) {
-				result = isc_file_settime(zone->masterfile,
-							  &now);
+			result = isc_file_settime(zone->masterfile, &now);
+			/* Someone removed the file from underneath us! */
+			if (result == ISC_R_FILENOTFOUND) {
+				LOCK_ZONE(zone);
+				zone_needdump(zone, DNS_DUMP_DELAY);
+				UNLOCK_ZONE(zone);
 			} else if (result != ISC_R_SUCCESS)
-				result = isc_file_settime(zone->masterfile,
-							  &now);
-			if (result != ISC_R_SUCCESS)
 				dns_zone_log(zone, ISC_LOG_ERROR,
 					     "refresh: could not set file "
 					     "modification time of '%s': %s",
 					     zone->masterfile,
 					     dns_result_totext(result));
 		}
-		isc_interval_set(&i, isc_random_jitter(zone->refresh,
-					 zone->refresh / 4), 0);
-		isc_time_add(&now, &i, &zone->refreshtime);
-		isc_interval_set(&i, zone->expire, 0);
-		isc_time_add(&now, &i, &zone->expiretime);
+		DNS_ZONE_JITTER_ADD(&now, zone->refresh, &zone->refreshtime);
+		DNS_ZONE_TIME_ADD(&now, zone->expire, &zone->expiretime);
 		goto next_master;
 	} else {
-		zone_debuglog(zone, me, 1, "ahead");
+		if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_MULTIMASTER))
+			dns_zone_log(zone, ISC_LOG_INFO, "serial number (%u) "
+				     "received from master %s < ours (%u)",
+				     soa.serial, master, zone->serial);
+		else
+			zone_debuglog(zone, me, 1, "ahead");
 		goto next_master;
 	}
 	if (msg != NULL)
@@ -3509,23 +3654,31 @@ refresh_callback(isc_task_t *task, isc_event_t *event) {
 	LOCK_ZONE(zone);
 	dns_request_destroy(&zone->request);
 	zone->curmaster++;
-	zone->refreshcnt = 0;
+	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NOEDNS);
 	if (zone->curmaster >= zone->masterscnt) {
+		if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_USEALTXFRSRC) &&
+		    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_USEALTXFRSRC)) {
+			DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_USEALTXFRSRC);
+			zone->curmaster = 0;
+			goto requeue;
+		}
 		DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH);
 		if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDREFRESH)) {
 			DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDREFRESH);
 			zone->refreshtime = now;
 		}
+		DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_USEALTXFRSRC);
 		zone_settimer(zone, &now);
 		UNLOCK_ZONE(zone);
 		goto detach;
 	}
+
+ requeue:
 	queue_soa_query(zone);
 	UNLOCK_ZONE(zone);
 	goto detach;
 
  same_master:
-	zone->refreshcnt++;
 	if (msg != NULL)
 		dns_message_destroy(&msg);
 	isc_event_free(&event);
@@ -3533,6 +3686,7 @@ refresh_callback(isc_task_t *task, isc_event_t *event) {
 	dns_request_destroy(&zone->request);
 	queue_soa_query(zone);
 	UNLOCK_ZONE(zone);
+
  detach:
 	dns_zone_idetach(&zone);
 	return;
@@ -3627,19 +3781,77 @@ create_query(dns_zone_t *zone, dns_rdatatype_t rdtype,
 	return (result);
 }
 
+static isc_result_t
+add_opt(dns_message_t *message) {
+	dns_rdataset_t *rdataset = NULL;
+	dns_rdatalist_t *rdatalist = NULL;
+	dns_rdata_t *rdata = NULL;
+	isc_result_t result;
+
+	result = dns_message_gettemprdatalist(message, &rdatalist);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	result = dns_message_gettemprdata(message, &rdata);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	result = dns_message_gettemprdataset(message, &rdataset);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	dns_rdataset_init(rdataset);
+	
+	rdatalist->type = dns_rdatatype_opt;
+	rdatalist->covers = 0;
+
+	/*
+	 * Set Maximum UDP buffer size.
+	 */
+	rdatalist->rdclass = SEND_BUFFER_SIZE;
+
+	/*
+	 * Set EXTENDED-RCODE, VERSION, DO and Z to 0.
+	 */
+	rdatalist->ttl = 0;
+
+	/*
+	 * No EDNS options.
+	 */
+	rdata->data = NULL;
+	rdata->length = 0;
+	rdata->rdclass = rdatalist->rdclass;
+	rdata->type = rdatalist->type;
+	rdata->flags = 0;
+
+	ISC_LIST_INIT(rdatalist->rdata);
+	ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
+	RUNTIME_CHECK(dns_rdatalist_tordataset(rdatalist, rdataset)
+		      == ISC_R_SUCCESS);
+
+	return (dns_message_setopt(message, rdataset));
+
+ cleanup:
+	if (rdatalist != NULL)
+		dns_message_puttemprdatalist(message, &rdatalist);
+	if (rdataset != NULL)
+		dns_message_puttemprdataset(message, &rdataset);
+	if (rdata != NULL)
+		dns_message_puttemprdata(message, &rdata);
+	
+	return (result);
+}
+
 static void
 soa_query(isc_task_t *task, isc_event_t *event) {
 	const char me[] = "soa_query";
-	isc_result_t result;
+	isc_result_t result = ISC_R_FAILURE;
 	dns_message_t *message = NULL;
 	dns_zone_t *zone = event->ev_arg;
 	dns_zone_t *dummy = NULL;
 	isc_netaddr_t masterip;
 	dns_tsigkey_t *key = NULL;
 	isc_uint32_t options;
-	isc_sockaddr_t src;
 	isc_boolean_t cancel = ISC_TRUE;
 	int timeout;
+	isc_boolean_t have_xfrsource;
 
 	REQUIRE(DNS_ZONE_VALID(zone));
 
@@ -3663,8 +3875,10 @@ soa_query(isc_task_t *task, isc_event_t *event) {
 	if (result != ISC_R_SUCCESS)
 		goto cleanup;
 
+ again:
 	INSIST(zone->masterscnt > 0);
 	INSIST(zone->curmaster < zone->masterscnt);
+
 	zone->masteraddr = zone->masters[zone->curmaster];
 
 	isc_netaddr_fromsockaddr(&masterip, &zone->masteraddr);
@@ -3687,31 +3901,71 @@ soa_query(isc_task_t *task, isc_event_t *event) {
 	if (key == NULL)
 		(void)dns_view_getpeertsig(zone->view, &masterip, &key);
 
-	options = DNS_ZONE_FLAG(zone, DNS_ZONEFLG_USEVC) ?
-		  DNS_REQUESTOPT_TCP : 0;
+	have_xfrsource = ISC_FALSE;
+	if (zone->view->peers != NULL) {
+		dns_peer_t *peer = NULL;
+		isc_boolean_t edns;
+		result = dns_peerlist_peerbyaddr(zone->view->peers,
+						 &masterip, &peer);
+		if (result == ISC_R_SUCCESS) {
+			result = dns_peer_getsupportedns(peer, &edns);
+			if (result == ISC_R_SUCCESS && !edns)
+				DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOEDNS);
+			result = dns_peer_gettransfersource(peer,
+							    &zone->sourceaddr);
+			if (result == ISC_R_SUCCESS)
+				have_xfrsource = ISC_TRUE;
+		}
+	}
+
 	switch (isc_sockaddr_pf(&zone->masteraddr)) {
 	case PF_INET:
-		src = zone->xfrsource4;
+		if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_USEALTXFRSRC)) {
+			if (isc_sockaddr_equal(&zone->altxfrsource4,
+					       &zone->xfrsource4))
+				goto skip_master;
+			zone->sourceaddr = zone->altxfrsource4;
+		} else if (!have_xfrsource)
+			zone->sourceaddr = zone->xfrsource4;
 		break;
 	case PF_INET6:
-		src = zone->xfrsource6;
+		if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_USEALTXFRSRC)) {
+			if (isc_sockaddr_equal(&zone->altxfrsource6,
+					       &zone->xfrsource6))
+				goto skip_master;
+			zone->sourceaddr = zone->altxfrsource6;
+		} else if (!have_xfrsource)
+			zone->sourceaddr = zone->xfrsource6;
 		break;
 	default:
 		result = ISC_R_NOTIMPLEMENTED;
 		goto cleanup;
 	}
+
+	options = DNS_ZONE_FLAG(zone, DNS_ZONEFLG_USEVC) ?
+		  DNS_REQUESTOPT_TCP : 0;
+
+	if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS)) {
+		result = add_opt(message);
+		if (result != ISC_R_SUCCESS)
+			zone_debuglog(zone, me, 1,
+				      "unable to add opt record: %s",
+				      dns_result_totext(result));
+	}
+
 	zone_iattach(zone, &dummy);
 	timeout = 15;
 	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALREFRESH))
 		timeout = 30;
-	result = dns_request_createvia(zone->view->requestmgr, message,
-				       &src, &zone->masteraddr, options, key,
-				       timeout, zone->task,
-				       refresh_callback, zone, &zone->request);
+	result = dns_request_createvia2(zone->view->requestmgr, message,
+					&zone->sourceaddr, &zone->masteraddr,
+					options, key, timeout * 3, timeout,
+					zone->task, refresh_callback, zone,
+					&zone->request);
 	if (result != ISC_R_SUCCESS) {
 		zone_idetach(&dummy);
 		zone_debuglog(zone, me, 1,
-			      "dns_request_createvia() failed: %s",
+			      "dns_request_createvia2() failed: %s",
 			      dns_result_totext(result));
 		goto cleanup;
 	}
@@ -3720,6 +3974,8 @@ soa_query(isc_task_t *task, isc_event_t *event) {
  cleanup:
 	if (key != NULL)
 		dns_tsigkey_detach(&key);
+	if (result != ISC_R_SUCCESS)
+		DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH);
 	if (message != NULL)
 		dns_message_destroy(&message);
 	if (cancel)
@@ -3728,6 +3984,13 @@ soa_query(isc_task_t *task, isc_event_t *event) {
 	UNLOCK_ZONE(zone);
 	dns_zone_idetach(&zone);
 	return;
+
+ skip_master:
+	zone->curmaster++;
+	if (zone->curmaster < zone->masterscnt)
+		goto again;
+	zone->curmaster = 0;
+	goto cleanup;
 }
 
 static void
@@ -3738,8 +4001,8 @@ ns_query(dns_zone_t *zone, dns_rdataset_t *soardataset, dns_stub_t *stub) {
 	isc_netaddr_t masterip;
 	dns_tsigkey_t *key = NULL;
 	dns_dbnode_t *node = NULL;
-	isc_sockaddr_t src;
 	int timeout;
+	isc_boolean_t have_xfrsource = ISC_FALSE;
 
 	REQUIRE(DNS_ZONE_VALID(zone));
 	REQUIRE((soardataset != NULL && stub == NULL) ||
@@ -3750,7 +4013,7 @@ ns_query(dns_zone_t *zone, dns_rdataset_t *soardataset, dns_stub_t *stub) {
 
 	LOCK_ZONE(zone);
 	if (stub == NULL) {
-		stub = isc_mem_get(zone->mctx, sizeof *stub);
+		stub = isc_mem_get(zone->mctx, sizeof(*stub));
 		if (stub == NULL)
 			goto cleanup;
 		stub->magic = STUB_MAGIC;
@@ -3772,7 +4035,7 @@ ns_query(dns_zone_t *zone, dns_rdataset_t *soardataset, dns_stub_t *stub) {
 		if (zone->db != NULL)
 			dns_db_attach(zone->db, &stub->db);
 		else {
-			INSIST(zone->db_argc >= 1);			
+			INSIST(zone->db_argc >= 1);
 			result = dns_db_create(zone->mctx, zone->db_argv[0],
 					       &zone->origin, dns_dbtype_stub,
 					       zone->rdclass,
@@ -3783,7 +4046,7 @@ ns_query(dns_zone_t *zone, dns_rdataset_t *soardataset, dns_stub_t *stub) {
 				dns_zone_log(zone, ISC_LOG_ERROR,
 					     "refreshing stub: "
 					     "could not create "
-					     "database: %s", 
+					     "database: %s",
 					     dns_result_totext(result));
 				goto cleanup;
 			}
@@ -3840,21 +4103,51 @@ ns_query(dns_zone_t *zone, dns_rdataset_t *soardataset, dns_stub_t *stub) {
 			char namebuf[DNS_NAME_FORMATSIZE];
 			dns_name_format(keyname, namebuf, sizeof(namebuf));
 			dns_zone_log(zone, ISC_LOG_ERROR,
-				     "unable to find key: %s", namebuf);
+			             "unable to find key: %s", namebuf);
 		}
 	}
 	if (key == NULL)
 		(void)dns_view_getpeertsig(zone->view, &masterip, &key);	
 
+	if (zone->view->peers != NULL) {
+		dns_peer_t *peer = NULL;
+		isc_boolean_t edns;
+		result = dns_peerlist_peerbyaddr(zone->view->peers,
+						 &masterip, &peer);
+		if (result == ISC_R_SUCCESS) {
+			result = dns_peer_getsupportedns(peer, &edns);
+			if (result == ISC_R_SUCCESS && !edns)
+				DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOEDNS);
+			result = dns_peer_gettransfersource(peer,
+							    &zone->sourceaddr);
+			if (result == ISC_R_SUCCESS)
+				have_xfrsource = ISC_TRUE;
+		}
+		
+	}
+	if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS)) {
+		result = add_opt(message);
+		if (result != ISC_R_SUCCESS)
+			zone_debuglog(zone, me, 1,
+				      "unable to add opt record: %s",
+				      dns_result_totext(result));
+	}
+
 	/*
 	 * Always use TCP so that we shouldn't truncate in additional section.
 	 */
 	switch (isc_sockaddr_pf(&zone->masteraddr)) {
 	case PF_INET:
-		src = zone->xfrsource4;
+		if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_USEALTXFRSRC))
+			zone->sourceaddr = zone->altxfrsource4;
+		else if (!have_xfrsource)
+			zone->sourceaddr = zone->xfrsource4;
 		break;
 	case PF_INET6:
-		src = zone->xfrsource6;
+		if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_USEALTXFRSRC))
+			zone->sourceaddr = zone->altxfrsource6;
+		else if (!have_xfrsource)
+			zone->sourceaddr = zone->xfrsource6;
 		break;
 	default:
 		result = ISC_R_NOTIMPLEMENTED;
@@ -3863,11 +4156,11 @@ ns_query(dns_zone_t *zone, dns_rdataset_t *soardataset, dns_stub_t *stub) {
 	timeout = 15;
 	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALREFRESH))
 		timeout = 30;
-	result = dns_request_createvia(zone->view->requestmgr, message,
-				       &src, &zone->masteraddr,
-				       DNS_REQUESTOPT_TCP, key, timeout,
-				       zone->task, stub_callback, stub,
-				       &zone->request);
+	result = dns_request_createvia2(zone->view->requestmgr, message,
+					&zone->sourceaddr, &zone->masteraddr,
+					DNS_REQUESTOPT_TCP, key, timeout * 3,
+					timeout, zone->task, stub_callback,
+					stub, &zone->request);
 	if (result != ISC_R_SUCCESS) {
 		zone_debuglog(zone, me, 1,
 			      "dns_request_createvia() failed: %s",
@@ -3893,7 +4186,7 @@ ns_query(dns_zone_t *zone, dns_rdataset_t *soardataset, dns_stub_t *stub) {
 	if (message != NULL)
 		dns_message_destroy(&message);
   unlock:
-	if (key != NULL)
+        if (key != NULL)
 		dns_tsigkey_detach(&key);
 	UNLOCK_ZONE(zone);
 	return;
@@ -3956,9 +4249,15 @@ zone_shutdown(isc_task_t *task, isc_event_t *event) {
 	if (zone->readio != NULL)
 		zonemgr_cancelio(zone->readio);
 
+	if (zone->writeio != NULL)
+		zonemgr_cancelio(zone->writeio);
+
 	if (zone->lctx != NULL)
 		dns_loadctx_cancel(zone->lctx);
 
+	if (zone->dctx != NULL)
+		dns_dumpctx_cancel(zone->dctx);
+
 	notify_cancel(zone);
 
 	if (zone->timer != NULL) {
@@ -4016,7 +4315,7 @@ zone_settimer(dns_zone_t *zone, isc_time_t *now) {
 		if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP) &&
 		    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DUMPING)) {
 			INSIST(!isc_time_isepoch(&zone->dumptime));
-		    	if (isc_time_isepoch(&next) ||
+			if (isc_time_isepoch(&next) ||
 			    isc_time_compare(&zone->dumptime, &next) < 0)
 				next = zone->dumptime;
 		}
@@ -4033,16 +4332,23 @@ zone_settimer(dns_zone_t *zone, isc_time_t *now) {
 		    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOREFRESH) &&
 		    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADING)) {
 			INSIST(!isc_time_isepoch(&zone->refreshtime));
-		    	if (isc_time_isepoch(&next) ||
+			if (isc_time_isepoch(&next) ||
 			    isc_time_compare(&zone->refreshtime, &next) < 0)
 				next = zone->refreshtime;
 		}
 		if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED)) {
 			INSIST(!isc_time_isepoch(&zone->expiretime));
-		    	if (isc_time_isepoch(&next) ||
+			if (isc_time_isepoch(&next) ||
 			    isc_time_compare(&zone->expiretime, &next) < 0)
 				next = zone->expiretime;
 		}
+		if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP) &&
+		    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DUMPING)) {
+			INSIST(!isc_time_isepoch(&zone->dumptime));
+			if (isc_time_isepoch(&next) ||
+			    isc_time_compare(&zone->dumptime, &next) < 0)
+				next = zone->dumptime;
+		}
 		break;
 
 	default:
@@ -4084,7 +4390,7 @@ cancel_refresh(dns_zone_t *zone) {
 	ENTER;
 
 	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH);
-	isc_time_now(&now);
+	TIME_NOW(&now);
 	zone_settimer(zone, &now);
 }
 
@@ -4321,14 +4627,14 @@ dns_zone_notifyreceive(dns_zone_t *zone, isc_sockaddr_t *from,
 	 */
 	if (i >= zone->masterscnt && zone->notify_acl != NULL &&
 	    dns_acl_match(&netaddr, NULL, zone->notify_acl,
-		    	  &zone->view->aclenv,
+			  &zone->view->aclenv,
 			  &match, NULL) == ISC_R_SUCCESS &&
 	    match > 0)
 	{
 		/* Accept notify. */
 	} else if (i >= zone->masterscnt) {
 		UNLOCK_ZONE(zone);
-		dns_zone_log(zone, ISC_LOG_DEBUG(3),
+		dns_zone_log(zone, ISC_LOG_INFO,
 			     "refused notify from non-master: %s", fromtext);
 		return (DNS_R_REFUSED);
 	}
@@ -4354,16 +4660,15 @@ dns_zone_notifyreceive(dns_zone_t *zone, isc_sockaddr_t *from,
 
 			dns_rdataset_current(rdataset, &rdata);
 			result = dns_rdata_tostruct(&rdata, &soa, NULL);
-			if (result == ISC_R_SUCCESS) {
-				serial = soa.serial;
-				if (isc_serial_le(serial, zone->serial)) {
-					dns_zone_log(zone, ISC_LOG_DEBUG(3),
-						     "notify from %s: "
-						     "zone is up to date",
-						     fromtext);
-					UNLOCK_ZONE(zone);
-					return (ISC_R_SUCCESS);
-				}
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+			serial = soa.serial;
+			if (isc_serial_le(serial, zone->serial)) {
+			  dns_zone_log(zone, ISC_LOG_INFO,
+					     "notify from %s: "
+					     "zone is up to date",
+					     fromtext);
+				UNLOCK_ZONE(zone);
+				return (ISC_R_SUCCESS);
 			}
 		}
 	}
@@ -4377,7 +4682,7 @@ dns_zone_notifyreceive(dns_zone_t *zone, isc_sockaddr_t *from,
 		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDREFRESH);
 		zone->notifyfrom = *from;
 		UNLOCK_ZONE(zone);
-		dns_zone_log(zone, ISC_LOG_DEBUG(3),
+		dns_zone_log(zone, ISC_LOG_INFO,
 			     "notify from %s: refresh in progress, "
 			     "refresh check queued",
 			     fromtext);
@@ -4544,6 +4849,19 @@ dns_zone_clearxfracl(dns_zone_t *zone) {
 	UNLOCK_ZONE(zone);
 }
 
+isc_boolean_t
+dns_zone_getupdatedisabled(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	return (zone->update_disabled);
+
+}
+
+void
+dns_zone_setupdatedisabled(dns_zone_t *zone, isc_boolean_t state) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	zone->update_disabled = state;
+}
+
 void
 dns_zone_setchecknames(dns_zone_t *zone, dns_severity_t severity) {
 
@@ -4590,14 +4908,31 @@ zone_tostr(dns_zone_t *zone, char *buf, size_t length) {
 	isc_buffer_init(&buffer, buf, length - 1);
 	if (dns_name_dynamic(&zone->origin))
 		result = dns_name_totext(&zone->origin, ISC_TRUE, &buffer);
-	if (result != ISC_R_SUCCESS)
+	if (result != ISC_R_SUCCESS &&
+	    isc_buffer_availablelength(&buffer) >= (sizeof("<UNKNOWN>") - 1))
 		isc_buffer_putstr(&buffer, "<UNKNOWN>");
 
-	isc_buffer_putstr(&buffer, "/");
+	if (isc_buffer_availablelength(&buffer) > 0)
+		isc_buffer_putstr(&buffer, "/");
 	(void)dns_rdataclass_totext(zone->rdclass, &buffer);
+
+	if (zone->view != NULL && strcmp(zone->view->name, "_bind") != 0 &&
+	    strcmp(zone->view->name, "_default") != 0 &&
+	    strlen(zone->view->name) < isc_buffer_availablelength(&buffer)) {
+		isc_buffer_putstr(&buffer, "/");
+		isc_buffer_putstr(&buffer, zone->view->name);
+	}
+
 	buf[isc_buffer_usedlength(&buffer)] = '\0';
 }
 
+void
+dns_zone_name(dns_zone_t *zone, char *buf, size_t length) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(buf != NULL);
+	zone_tostr(zone, buf, length);
+}
+
 static void
 notify_log(dns_zone_t *zone, int level, const char *fmt, ...) {
 	va_list ap;
@@ -4610,13 +4945,32 @@ notify_log(dns_zone_t *zone, int level, const char *fmt, ...) {
 	zone_tostr(zone, namebuf, sizeof(namebuf));
 
 	va_start(ap, fmt);
-	vsnprintf(message, sizeof message, fmt, ap);
+	vsnprintf(message, sizeof(message), fmt, ap);
 	va_end(ap);
 	isc_log_write(dns_lctx, DNS_LOGCATEGORY_NOTIFY, DNS_LOGMODULE_ZONE,
 		      level, "zone %s: %s", namebuf, message);
 }
 
 void
+dns_zone_logc(dns_zone_t *zone, isc_logcategory_t *category,
+	      int level, const char *fmt, ...) {
+	va_list ap;
+	char message[4096];
+	char namebuf[1024+32];
+
+	if (isc_log_wouldlog(dns_lctx, level) == ISC_FALSE)
+		return;
+
+	zone_tostr(zone, namebuf, sizeof(namebuf));
+
+	va_start(ap, fmt);
+	vsnprintf(message, sizeof(message), fmt, ap);
+	va_end(ap);
+	isc_log_write(dns_lctx, category, DNS_LOGMODULE_ZONE,
+		      level, "zone %s: %s", namebuf, message);
+}
+
+void
 dns_zone_log(dns_zone_t *zone, int level, const char *fmt, ...) {
 	va_list ap;
 	char message[4096];
@@ -4628,7 +4982,7 @@ dns_zone_log(dns_zone_t *zone, int level, const char *fmt, ...) {
 	zone_tostr(zone, namebuf, sizeof(namebuf));
 
 	va_start(ap, fmt);
-	vsnprintf(message, sizeof message, fmt, ap);
+	vsnprintf(message, sizeof(message), fmt, ap);
 	va_end(ap);
 	isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_ZONE,
 		      level, "zone %s: %s", namebuf, message);
@@ -4649,7 +5003,7 @@ zone_debuglog(dns_zone_t *zone, const char *me, int debuglevel,
 	zone_tostr(zone, namebuf, sizeof(namebuf));
 
 	va_start(ap, fmt);
-	vsnprintf(message, sizeof message, fmt, ap);
+	vsnprintf(message, sizeof(message), fmt, ap);
 	va_end(ap);
 	isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_ZONE,
 		      level, "%s: zone %s: %s", me, namebuf, message);
@@ -4801,7 +5155,7 @@ notify_done(isc_task_t *task, isc_event_t *event) {
 			   "notify response from %s: %.*s",
 			   addrbuf, (int)buf.used, rcode);
 	else
-		notify_log(notify->zone, ISC_LOG_DEBUG(1),
+		notify_log(notify->zone, ISC_LOG_DEBUG(2),
 			   "notify to %s failed: %s", addrbuf,
 			   dns_result_totext(result));
 
@@ -4812,10 +5166,8 @@ notify_done(isc_task_t *task, isc_event_t *event) {
 	isc_event_free(&event);
 	if ((result == ISC_R_TIMEDOUT ||
 	     (message != NULL && message->rcode == dns_rcode_formerr &&
-	      (notify->flags & DNS_NOTIFY_NOSOA) == 0)) &&
-	     notify->attempt < 3) {
+	      (notify->flags & DNS_NOTIFY_NOSOA) == 0))) {
 		notify->flags |= DNS_NOTIFY_NOSOA;
-		notify->attempt++;
 		dns_request_destroy(&notify->request);
 		result = notify_send_queue(notify);
 		if (result != ISC_R_SUCCESS)
@@ -4845,8 +5197,6 @@ static isc_result_t
 zone_replacedb(dns_zone_t *zone, dns_db_t *db, isc_boolean_t dump) {
 	dns_dbversion_t *ver;
 	isc_result_t result;
-	unsigned int soacount = 0;
-	unsigned int nscount = 0;
 
 	/*
 	 * 'zone' locked by caller.
@@ -4854,27 +5204,6 @@ zone_replacedb(dns_zone_t *zone, dns_db_t *db, isc_boolean_t dump) {
 	REQUIRE(DNS_ZONE_VALID(zone));
 	REQUIRE(LOCKED_ZONE(zone));
 
-	result = zone_get_from_db(db, &zone->origin, &nscount, &soacount,
-				  NULL, NULL, NULL, NULL, NULL);
-	if (result == ISC_R_SUCCESS) {
-		if (soacount != 1) {
-			dns_zone_log(zone, ISC_LOG_ERROR,
-				     "has %d SOA records", soacount);
-			result = DNS_R_BADZONE;
-		}
-		if (nscount == 0) {
-			dns_zone_log(zone, ISC_LOG_ERROR, "has no NS records");
-			result = DNS_R_BADZONE;
-		}
-		if (result != ISC_R_SUCCESS)
-			return (result);
-	} else {
-		dns_zone_log(zone, ISC_LOG_ERROR,
-			    "retrieving SOA and NS records failed: %s",
-			    dns_result_totext(result));
-		return (result);
-	}
-
 	ver = NULL;
 	dns_db_currentversion(db, &ver);
 
@@ -4884,7 +5213,7 @@ zone_replacedb(dns_zone_t *zone, dns_db_t *db, isc_boolean_t dump) {
 	 * is enabled in the configuration.
 	 */
 	if (zone->db != NULL && zone->journal != NULL &&
-	    zone->diff_on_reload) {
+	    DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IXFRFROMDIFFS)) {
 		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
 			      DNS_LOGMODULE_ZONE, ISC_LOG_DEBUG(3),
 			      "generating diffs");
@@ -4893,6 +5222,8 @@ zone_replacedb(dns_zone_t *zone, dns_db_t *db, isc_boolean_t dump) {
 				     zone->journal);
 		if (result != ISC_R_SUCCESS)
 			goto fail;
+		if (dump)
+			zone_needdump(zone, DNS_DUMP_DELAY);
 	} else {
 		if (dump && zone->masterfile != NULL) {
 			isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
@@ -4909,7 +5240,7 @@ zone_replacedb(dns_zone_t *zone, dns_db_t *db, isc_boolean_t dump) {
 			 * fails for some reason, all that happens is
 			 * the timestamp is not updated.
 			 */
-			(void)isc_time_now(&zone->loadtime);
+			TIME_NOW(&zone->loadtime);
 		}
 
 		if (dump && zone->journal != NULL) {
@@ -4930,7 +5261,7 @@ zone_replacedb(dns_zone_t *zone, dns_db_t *db, isc_boolean_t dump) {
 			(void)remove(zone->journal);
 		}
 	}
-	
+
 	dns_db_closeversion(db, &ver, ISC_FALSE);
 
 	isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
@@ -4952,7 +5283,6 @@ zone_replacedb(dns_zone_t *zone, dns_db_t *db, isc_boolean_t dump) {
 static void
 zone_xfrdone(dns_zone_t *zone, isc_result_t result) {
 	isc_time_t now;
-	isc_interval_t i;
 	isc_boolean_t again = ISC_FALSE;
 	unsigned int soacount;
 	unsigned int nscount;
@@ -4969,7 +5299,7 @@ zone_xfrdone(dns_zone_t *zone, isc_result_t result) {
 	INSIST((zone->flags & DNS_ZONEFLG_REFRESH) != 0);
 	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH);
 
-	isc_time_now(&now);
+	TIME_NOW(&now);
 	switch (result) {
 	case ISC_R_SUCCESS:
 		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
@@ -4998,19 +5328,10 @@ zone_xfrdone(dns_zone_t *zone, isc_result_t result) {
 					     "transferred zone "
 					     "has %d SOA record%s", soacount,
 					     (soacount != 0) ? "s" : "");
-			if (nscount == 0) {
+			if (nscount == 0)
 				dns_zone_log(zone, ISC_LOG_ERROR,
 					     "transferred zone "
 					     "has no NS records");
-				if (DNS_ZONE_FLAG(zone,
-						  DNS_ZONEFLG_HAVETIMERS)) {
-					zone->refresh = DNS_ZONE_DEFAULTREFRESH;
-					zone->retry = DNS_ZONE_DEFAULTRETRY;
-				}
-				DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_HAVETIMERS);
-				zone_unload(zone);
-				goto next_master;
-			}
 			zone->serial = serial;
 			zone->refresh = RANGE(refresh, zone->minrefresh,
 					      zone->maxrefresh);
@@ -5029,18 +5350,28 @@ zone_xfrdone(dns_zone_t *zone, isc_result_t result) {
 		if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDREFRESH)) {
 			DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDREFRESH);
 			zone->refreshtime = now;
-			isc_interval_set(&i, zone->expire, 0);
-			isc_time_add(&now, &i, &zone->expiretime);
+			DNS_ZONE_TIME_ADD(&now, zone->expire,
+					  &zone->expiretime);
 		} else {
-			isc_interval_set(&i, isc_random_jitter(zone->refresh,
-						  zone->refresh / 4), 0);
-			isc_time_add(&now, &i, &zone->refreshtime);
-			isc_interval_set(&i, zone->expire, 0);
-			isc_time_add(&now, &i, &zone->expiretime);
+			DNS_ZONE_JITTER_ADD(&now, zone->refresh,
+					    &zone->refreshtime);
+			DNS_ZONE_TIME_ADD(&now, zone->expire,
+					  &zone->expiretime);
 		}
-		if (result == ISC_R_SUCCESS && xfrresult == ISC_R_SUCCESS)
+		if (result == ISC_R_SUCCESS && xfrresult == ISC_R_SUCCESS) {
+			char buf[DNS_NAME_FORMATSIZE + sizeof(": TSIG ''")];
+			if (zone->tsigkey != NULL) {
+				char namebuf[DNS_NAME_FORMATSIZE];
+				dns_name_format(&zone->tsigkey->name, namebuf,
+						sizeof(namebuf));
+				snprintf(buf, sizeof(buf), ": TSIG '%s'",
+					 namebuf);
+			} else
+				buf[0] = '\0';
 			dns_zone_log(zone, ISC_LOG_INFO,
-				     "transferred serial %u", zone->serial);
+				     "transferred serial %u%s",
+				     zone->serial, buf);
+		}
 
 		/*
 		 * This is not neccessary if we just performed a AXFR
@@ -5075,12 +5406,18 @@ zone_xfrdone(dns_zone_t *zone, isc_result_t result) {
 		goto same_master;
 
 	default:
-	next_master:
 		zone->curmaster++;
 	same_master:
-		if (zone->curmaster >= zone->masterscnt)
+		if (zone->curmaster >= zone->masterscnt) {
 			zone->curmaster = 0;
-		else {
+			if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_USEALTXFRSRC) &&
+			    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_USEALTXFRSRC)) {
+				DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_REFRESH);
+				DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_USEALTXFRSRC);
+				again = ISC_TRUE;
+			} else
+				DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_USEALTXFRSRC);
+		} else {
 			DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_REFRESH);
 			again = ISC_TRUE;
 		}
@@ -5098,6 +5435,9 @@ zone_xfrdone(dns_zone_t *zone, isc_result_t result) {
 	if (zone->xfr != NULL)
 		dns_xfrin_detach(&zone->xfr);
 
+	if (zone->tsigkey != NULL)
+		dns_tsigkey_detach(&zone->tsigkey);
+
 	/*
 	 * This transfer finishing freed up a transfer quota slot.
 	 * Let any other zones waiting for quota have it.
@@ -5150,7 +5490,7 @@ zone_loaddone(void *arg, isc_result_t result) {
 	if (load->zone->lctx != NULL)
 		dns_loadctx_detach(&load->zone->lctx);
 	dns_zone_idetach(&load->zone);
-	isc_mem_putanddetach(&load->mctx, load, sizeof (*load));
+	isc_mem_putanddetach(&load->mctx, load, sizeof(*load));
 }
 
 void
@@ -5211,12 +5551,12 @@ queue_xfrin(dns_zone_t *zone) {
 	RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_write);
 
 	if (result == ISC_R_QUOTA) {
-		dns_zone_log(zone, ISC_LOG_DEBUG(1),
-			     "zone transfer deferred due to quota");
+		dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_INFO,
+			      "zone transfer deferred due to quota");
 	} else if (result != ISC_R_SUCCESS) {
-		dns_zone_log(zone, ISC_LOG_ERROR,
-			     "starting zone transfer: %s",
-			     isc_result_totext(result));
+		dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_ERROR,
+			      "starting zone transfer: %s",
+			      isc_result_totext(result));
 	}
 }
 
@@ -5229,11 +5569,12 @@ static void
 got_transfer_quota(isc_task_t *task, isc_event_t *event) {
 	isc_result_t result;
 	dns_peer_t *peer = NULL;
-	dns_tsigkey_t *tsigkey = NULL;
 	char mastertext[256];
 	dns_rdatatype_t xfrtype;
 	dns_zone_t *zone = event->ev_arg;
 	isc_netaddr_t masterip;
+	isc_sockaddr_t sourceaddr;
+	isc_sockaddr_t masteraddr;
 
 	UNUSED(task);
 
@@ -5254,18 +5595,18 @@ got_transfer_quota(isc_task_t *task, isc_event_t *event) {
 	 * Decide whether we should request IXFR or AXFR.
 	 */
 	if (zone->db == NULL) {
-		dns_zone_log(zone, ISC_LOG_DEBUG(3),
+		dns_zone_log(zone, ISC_LOG_DEBUG(1),
 			     "no database exists yet, "
 			     "requesting AXFR of "
 			     "initial version from %s", mastertext);
 		xfrtype = dns_rdatatype_axfr;
 	} else if (dns_zone_isforced(zone)) {
-		dns_zone_log(zone, ISC_LOG_DEBUG(3),
+		dns_zone_log(zone, ISC_LOG_DEBUG(1),
 			     "forced reload, requesting AXFR of "
 			     "initial version from %s", mastertext);
 		xfrtype = dns_rdatatype_axfr;
 	} else if (DNS_ZONE_FLAG(zone, DNS_ZONEFLAG_NOIXFR)) {
-		dns_zone_log(zone, ISC_LOG_DEBUG(3),
+		dns_zone_log(zone, ISC_LOG_DEBUG(1),
 			     "retrying with AXFR from %s due to "
 			     "previous IXFR failure", mastertext);
 		xfrtype = dns_rdatatype_axfr;
@@ -5282,13 +5623,13 @@ got_transfer_quota(isc_task_t *task, isc_event_t *event) {
 			use_ixfr = zone->view->requestixfr;
 		}
 		if (use_ixfr == ISC_FALSE) {
-			dns_zone_log(zone, ISC_LOG_DEBUG(3),
+			dns_zone_log(zone, ISC_LOG_DEBUG(1),
 				     "IXFR disabled, "
 				     "requesting AXFR from %s",
 				     mastertext);
 			xfrtype = dns_rdatatype_axfr;
 		} else {
-			dns_zone_log(zone, ISC_LOG_DEBUG(3),
+			dns_zone_log(zone, ISC_LOG_DEBUG(1),
 				     "requesting IXFR from %s",
 				     mastertext);
 			xfrtype = dns_rdatatype_ixfr;
@@ -5307,10 +5648,11 @@ got_transfer_quota(isc_task_t *task, isc_event_t *event) {
 	    (zone->masterkeynames[zone->curmaster] != NULL)) {
 		dns_view_t *view = dns_zone_getview(zone);
 		dns_name_t *keyname = zone->masterkeynames[zone->curmaster];
-		result = dns_view_gettsig(view, keyname, &tsigkey);
+		result = dns_view_gettsig(view, keyname, &zone->tsigkey);
 	}
-	if (tsigkey == NULL)
-		result = dns_view_getpeertsig(zone->view, &masterip, &tsigkey);
+	if (zone->tsigkey == NULL)
+		result = dns_view_getpeertsig(zone->view, &masterip,
+					      &zone->tsigkey);
 
 	if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
 		dns_zone_log(zone, ISC_LOG_ERROR,
@@ -5319,10 +5661,15 @@ got_transfer_quota(isc_task_t *task, isc_event_t *event) {
 			     isc_result_totext(result));
 	}
 
-	result = dns_xfrin_create(zone, xfrtype, &zone->masteraddr,
-				  tsigkey, zone->mctx,
-				  zone->zmgr->timermgr, zone->zmgr->socketmgr,
-				  zone->task, zone_xfrdone, &zone->xfr);
+	LOCK_ZONE(zone);
+	masteraddr = zone->masteraddr;
+	sourceaddr = zone->sourceaddr;
+	UNLOCK_ZONE(zone);
+	INSIST(isc_sockaddr_pf(&masteraddr) == isc_sockaddr_pf(&sourceaddr));
+	result = dns_xfrin_create2(zone, xfrtype, &masteraddr, &sourceaddr,
+				   zone->tsigkey, zone->mctx,
+				   zone->zmgr->timermgr, zone->zmgr->socketmgr,
+				   zone->task, zone_xfrdone, &zone->xfr);
  cleanup:
 	/*
 	 * Any failure in this function is handled like a failed
@@ -5332,9 +5679,6 @@ got_transfer_quota(isc_task_t *task, isc_event_t *event) {
 	if (result != ISC_R_SUCCESS)
 		zone_xfrdone(zone, result);
 
-	if (tsigkey != NULL)
-		dns_tsigkey_detach(&tsigkey);
-
 	isc_event_free(&event);
 }
 
@@ -5352,7 +5696,7 @@ forward_destroy(dns_forward_t *forward) {
 		isc_buffer_free(&forward->msgbuf);
 	if (forward->zone != NULL)
 		dns_zone_idetach(&forward->zone);
-	isc_mem_putanddetach(&forward->mctx, forward, sizeof (*forward));
+	isc_mem_putanddetach(&forward->mctx, forward, sizeof(*forward));
 }
 
 static isc_result_t
@@ -5407,14 +5751,14 @@ forward_callback(isc_task_t *task, isc_event_t *event) {
 	dns_zone_t *zone;
 
 	UNUSED(task);
-	
+
 	forward = revent->ev_arg;
 	INSIST(DNS_FORWARD_VALID(forward));
 	zone = forward->zone;
 	INSIST(DNS_ZONE_VALID(zone));
-	
+
 	ENTER;
-	
+
 	isc_sockaddr_format(&forward->addr, master, sizeof(master));
 
 	if (revent->result != ISC_R_SUCCESS) {
@@ -5453,7 +5797,7 @@ forward_callback(isc_task_t *task, isc_event_t *event) {
 		isc_buffer_t rb;
 
 		isc_buffer_init(&rb, rcode, sizeof(rcode));
-		dns_rcode_totext(msg->rcode, &rb);
+		(void)dns_rcode_totext(msg->rcode, &rb);
 		dns_zone_log(zone, ISC_LOG_WARNING,
 			     "forwarding dynamic update: "
 			     "unexpected response: master %s returned: %.*s",
@@ -5518,7 +5862,7 @@ dns_zone_forwardupdate(dns_zone_t *zone, dns_message_t *msg,
 	forward->callback = callback;
 	forward->callback_arg = callback_arg;
 	forward->magic = FORWARD_MAGIC;
-	
+
 	mr = dns_message_getrawmessage(msg);
 	if (mr == NULL) {
 		result = ISC_R_UNEXPECTEDEND;
@@ -5531,7 +5875,7 @@ dns_zone_forwardupdate(dns_zone_t *zone, dns_message_t *msg,
 	result = isc_buffer_copyregion(forward->msgbuf, mr);
 	if (result != ISC_R_SUCCESS)
 		goto cleanup;
-	
+
 	isc_mem_attach(zone->mctx, &forward->mctx);
 	dns_zone_iattach(zone, &forward->zone);
 	result = sendtomaster(forward);
@@ -5580,7 +5924,7 @@ dns_zonemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
 	isc_result_t result;
 	isc_interval_t interval;
 
-	zmgr = isc_mem_get(mctx, sizeof *zmgr);
+	zmgr = isc_mem_get(mctx, sizeof(*zmgr));
 	if (zmgr == NULL)
 		return (ISC_R_NOMEMORY);
 	zmgr->mctx = NULL;
@@ -5657,7 +6001,7 @@ dns_zonemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
  free_rwlock:
 	isc_rwlock_destroy(&zmgr->rwlock);
  free_mem:
-	isc_mem_put(zmgr->mctx, zmgr, sizeof *zmgr);
+	isc_mem_put(zmgr->mctx, zmgr, sizeof(*zmgr));
 	isc_mem_detach(&mctx);
 	return (result);
 }
@@ -5799,6 +6143,16 @@ dns_zonemgr_forcemaint(dns_zonemgr_t *zmgr) {
 }
 
 void
+dns_zonemgr_resumexfrs(dns_zonemgr_t *zmgr) {
+
+	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+
+	RWLOCK(&zmgr->rwlock, isc_rwlocktype_write);
+	zmgr_resume_xfrs(zmgr, ISC_TRUE);
+	RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_write);
+}
+
+void
 dns_zonemgr_shutdown(dns_zonemgr_t *zmgr) {
 	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
 
@@ -5824,7 +6178,7 @@ zonemgr_free(dns_zonemgr_t *zmgr) {
 
 	isc_rwlock_destroy(&zmgr->rwlock);
 	mctx = zmgr->mctx;
-	isc_mem_put(zmgr->mctx, zmgr, sizeof *zmgr);
+	isc_mem_put(zmgr->mctx, zmgr, sizeof(*zmgr));
 	isc_mem_detach(&mctx);
 }
 
@@ -5891,7 +6245,7 @@ zmgr_resume_xfrs(dns_zonemgr_t *zmgr, isc_boolean_t multi) {
 			 */
 			continue;
 		} else {
-			dns_zone_log(zone, ISC_LOG_DEBUG(3),
+			dns_zone_log(zone, ISC_LOG_DEBUG(1),
 				     "starting zone transfer: %s",
 				     isc_result_totext(result));
 			break;
@@ -5982,6 +6336,7 @@ zmgr_start_xfrin_ifquota(dns_zonemgr_t *zmgr, dns_zone_t *zone) {
 	ISC_LIST_APPEND(zmgr->xfrin_in_progress, zone, statelink);
 	zone->statelist = &zmgr->xfrin_in_progress;
 	isc_task_send(zone->task, &e);
+	dns_zone_log(zone, ISC_LOG_INFO, "Transfer started.");
 	UNLOCK_ZONE(zone);
 
 	return (ISC_R_SUCCESS);
@@ -6009,7 +6364,7 @@ dns_zonemgr_getiolimit(dns_zonemgr_t *zmgr) {
  * An event will be sent to action when one is available.
  * There are two queues available (high and low), the high
  * queue will be serviced before the low one.
- * 
+ *
  * zonemgr_putio() must be called after the event is delivered to
  * 'action'.
  */
@@ -6035,10 +6390,10 @@ zonemgr_getio(dns_zonemgr_t *zmgr, isc_boolean_t high,
 		return (ISC_R_NOMEMORY);
 	}
 	io->zmgr = zmgr;
-	io->high = high; 
+	io->high = high;
 	io->task = NULL;
 	isc_task_attach(task, &io->task);
-	ISC_LINK_INIT(io, link); 
+	ISC_LINK_INIT(io, link);
 	io->magic = IO_MAGIC;
 
 	LOCK(&zmgr->iolock);
@@ -6115,7 +6470,7 @@ zonemgr_cancelio(dns_io_t *io) {
 
 		send_event = ISC_TRUE;
 		INSIST(io->event != NULL);
-	} 
+	}
 	UNLOCK(&io->zmgr->iolock);
 	if (send_event) {
 		io->event->ev_attributes |= ISC_EVENTATTR_CANCELED;
@@ -6128,7 +6483,7 @@ zone_saveunique(dns_zone_t *zone, const char *path, const char *templat) {
 	char *buf;
 	int buflen;
 	isc_result_t result;
-	
+
 	buflen = strlen(path) + strlen(templat) + 2;
 
 	buf = isc_mem_get(zone->mctx, buflen);
@@ -6181,7 +6536,7 @@ dns_zonemgr_setserialqueryrate(dns_zonemgr_t *zmgr, unsigned int value) {
 	if (value == 1) {
 		s = 1;
 		ns = 0;
-		pertic = 1;		
+		pertic = 1;
 	} else if (value <= 10) {
 		s = 0;
 		ns = 1000000000 / value;
@@ -6226,7 +6581,7 @@ dns_zone_isforced(dns_zone_t *zone) {
 
 isc_result_t
 dns_zone_setstatistics(dns_zone_t *zone, isc_boolean_t on) {
-	isc_result_t result = ISC_R_SUCCESS;	
+	isc_result_t result = ISC_R_SUCCESS;
 
 	LOCK_ZONE(zone);
 	if (on) {
@@ -6236,7 +6591,7 @@ dns_zone_setstatistics(dns_zone_t *zone, isc_boolean_t on) {
 	} else {
 		if (zone->counters == NULL)
 			goto done;
-		dns_stats_freecounters(zone->mctx, &zone->counters);		
+		dns_stats_freecounters(zone->mctx, &zone->counters);
 	}
  done:
 	UNLOCK_ZONE(zone);
@@ -6250,14 +6605,14 @@ dns_zone_getstatscounters(dns_zone_t *zone) {
 
 void
 dns_zone_dialup(dns_zone_t *zone) {
-	
+
 	REQUIRE(DNS_ZONE_VALID(zone));
 
 	zone_debuglog(zone, "dns_zone_dialup", 3,
 		      "notify = %d, refresh = %d",
 		      DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALNOTIFY),
 		      DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALREFRESH));
-	
+
 	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALNOTIFY))
 		dns_zone_notify(zone);
 	if (zone->type != dns_zone_master &&
@@ -6301,6 +6656,25 @@ dns_zone_setdialup(dns_zone_t *zone, dns_dialuptype_t dialup) {
 	UNLOCK_ZONE(zone);
 }
 
+isc_result_t
+dns_zone_setkeydirectory(dns_zone_t *zone, const char *directory) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	result = dns_zone_setstring(zone, &zone->keydirectory, directory);
+	UNLOCK_ZONE(zone);
+
+	return (result);
+}
+
+const char *
+dns_zone_getkeydirectory(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (zone->keydirectory);
+}
 unsigned int
 dns_zonemgr_getcount(dns_zonemgr_t *zmgr, int state) {
 	dns_zone_t *zone;
@@ -6332,8 +6706,12 @@ dns_zonemgr_getcount(dns_zonemgr_t *zmgr, int state) {
 	case DNS_ZONESTATE_ANY:
 		for (zone = ISC_LIST_HEAD(zmgr->zones);
 		     zone != NULL;
-		     zone = ISC_LIST_NEXT(zone, link))
+		     zone = ISC_LIST_NEXT(zone, link)) {
+			dns_view_t *view = zone->view;
+			if (view != NULL && strcmp(view->name, "_bind") == 0)
+				continue;
 			count++;
+		}
 		break;
 	default:
 		INSIST(0);
@@ -6343,3 +6721,48 @@ dns_zonemgr_getcount(dns_zonemgr_t *zmgr, int state) {
 
 	return (count);
 }
+
+isc_result_t
+dns_zone_checknames(dns_zone_t *zone, dns_name_t *name, dns_rdata_t *rdata) {
+	isc_boolean_t ok = ISC_TRUE;
+	isc_boolean_t fail = ISC_FALSE;
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char namebuf2[DNS_NAME_FORMATSIZE];
+	char typebuf[DNS_RDATATYPE_FORMATSIZE];
+	int level = ISC_LOG_WARNING;
+	dns_name_t bad;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNAMES))
+		return (ISC_R_SUCCESS);
+
+	if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNAMESFAIL)) {
+		level = ISC_LOG_ERROR;
+		fail = ISC_TRUE;
+	}
+
+	ok = dns_rdata_checkowner(name, rdata->rdclass, rdata->type, ISC_TRUE);
+	if (!ok) {
+		dns_name_format(name, namebuf, sizeof(namebuf));
+		dns_rdatatype_format(rdata->type, typebuf, sizeof(typebuf));
+		dns_zone_log(zone, level, "%s/%s: %s", namebuf, typebuf,
+			     dns_result_totext(DNS_R_BADOWNERNAME));
+		if (fail)
+			return (DNS_R_BADOWNERNAME);
+	}
+
+	dns_name_init(&bad, NULL);
+	ok = dns_rdata_checknames(rdata, name, &bad);
+	if (!ok) {
+		dns_name_format(name, namebuf, sizeof(namebuf));
+		dns_name_format(&bad, namebuf2, sizeof(namebuf2));
+		dns_rdatatype_format(rdata->type, typebuf, sizeof(typebuf));
+		dns_zone_log(zone, level, "%s/%s: %s: %s ", namebuf, typebuf,
+			     namebuf2, dns_result_totext(DNS_R_BADNAME));
+		if (fail)
+			return (DNS_R_BADNAME);
+	}
+
+	return (ISC_R_SUCCESS);
+}
diff --git a/lib/dns/zonekey.c b/lib/dns/zonekey.c
index 66998654..dc7ae0f6 100644
--- a/lib/dns/zonekey.c
+++ b/lib/dns/zonekey.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001  Internet Software Consortium.
+ * Copyright (C) 2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zonekey.c,v 1.3.2.1 2004/03/09 06:11:11 marka Exp $ */
+/* $Id: zonekey.c,v 1.3.206.3 2004/03/08 09:04:33 marka Exp $ */
 
 #include <config.h>
 
@@ -32,7 +32,7 @@
 isc_boolean_t
 dns_zonekey_iszonekey(dns_rdata_t *keyrdata) {
 	isc_result_t result;
-	dns_rdata_key_t key;
+	dns_rdata_dnskey_t key;
 	isc_boolean_t iszonekey = ISC_TRUE;
 
 	REQUIRE(keyrdata != NULL);
diff --git a/lib/dns/zt.c b/lib/dns/zt.c
index 9efdee7c..7aa6a9f4 100644
--- a/lib/dns/zt.c
+++ b/lib/dns/zt.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zt.c,v 1.33.2.3 2004/04/15 01:38:09 marka Exp $ */
+/* $Id: zt.c,v 1.33.12.6 2004/03/08 21:06:28 marka Exp $ */
 
 #include <config.h>
 
@@ -58,7 +58,7 @@ dns_zt_create(isc_mem_t *mctx, dns_rdataclass_t rdclass, dns_zt_t **ztp) {
 
 	REQUIRE(ztp != NULL && *ztp == NULL);
 
-	zt = isc_mem_get(mctx, sizeof *zt);
+	zt = isc_mem_get(mctx, sizeof(*zt));
 	if (zt == NULL)
 		return (ISC_R_NOMEMORY);
 
@@ -88,7 +88,7 @@ dns_zt_create(isc_mem_t *mctx, dns_rdataclass_t rdclass, dns_zt_t **ztp) {
 	dns_rbt_destroy(&zt->table);
 
    cleanup_zt:
-	isc_mem_put(mctx, zt, sizeof *zt);
+	isc_mem_put(mctx, zt, sizeof(*zt));
 
 	return (result);
 }
@@ -204,7 +204,7 @@ zt_flushanddetach(dns_zt_t **ztp, isc_boolean_t need_flush) {
 		dns_rbt_destroy(&zt->table);
 		isc_rwlock_destroy(&zt->rwlock);
 		zt->magic = 0;
-		isc_mem_put(zt->mctx, zt, sizeof *zt);
+		isc_mem_put(zt->mctx, zt, sizeof(*zt));
 	}
 
 	*ztp = NULL;
@@ -234,8 +234,12 @@ dns_zt_load(dns_zt_t *zt, isc_boolean_t stop) {
 
 static isc_result_t
 load(dns_zone_t *zone, void *uap) {
+	isc_result_t result;
 	UNUSED(uap);
-	return (dns_zone_load(zone));
+	result = dns_zone_load(zone);
+	if (result == DNS_R_CONTINUE || result == DNS_R_UPTODATE)
+		result = ISC_R_SUCCESS;
+	return (result);
 }
 
 isc_result_t
diff --git a/lib/isc/Makefile.in b/lib/isc/Makefile.in
index 158ca13a..afad0a8e 100644
--- a/lib/isc/Makefile.in
+++ b/lib/isc/Makefile.in
@@ -1,5 +1,5 @@
 # Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2001, 2003  Internet Software Consortium.
+# Copyright (C) 1998-2003  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.71.2.6 2004/07/20 07:00:19 marka Exp $
+# $Id: Makefile.in,v 1.71.2.2.2.7 2004/03/08 09:04:48 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -53,12 +53,12 @@ OBJS =		@ISC_EXTRA_OBJS@ \
 		assertions.@O@ base64.@O@ bitstring.@O@ buffer.@O@ \
 		bufferlist.@O@ commandline.@O@ error.@O@ event.@O@ \
 		hash.@O@ heap.@O@ hex.@O@ hmacmd5.@O@ \
-		lex.@O@ lfsr.@O@ lib.@O@ log.@O@ \
-		md5.@O@ mem.@O@ mutexblock.@O@ netaddr.@O@ ondestroy.@O@ \
-		quota.@O@ random.@O@ \
-		ratelimiter.@O@ result.@O@ rwlock.@O@ \
-		serial.@O@ sha1.@O@ sockaddr.@O@ string.@O@ symtab.@O@ \
-		task.@O@ taskpool.@O@ timer.@O@ version.@O@ \
+		lex.@O@ lfsr.@O@ lib.@O@ log.@O@ md5.@O@ \
+		mem.@O@ mutexblock.@O@ netaddr.@O@ netscope.@O@ ondestroy.@O@ \
+		parseint.@O@ quota.@O@ random.@O@ \
+		ratelimiter.@O@ region.@O@ result.@O@ rwlock.@O@ \
+		serial.@O@ sha1.@O@ sockaddr.@O@ string.@O@ strtoul.@O@ \
+		symtab.@O@ task.@O@ taskpool.@O@ timer.@O@ version.@O@ \
 		${UNIXOBJS} ${NLSOBJS} ${THREADOBJS}
 
 # Alphabetically
@@ -67,10 +67,10 @@ SRCS =		@ISC_EXTRA_SRCS@ \
 		bufferlist.c commandline.c error.c event.c \
 		heap.c hex.c hmacmd5.c \
 		lex.c lfsr.c lib.c log.c \
-		md5.c mem.c mutexblock.c netaddr.c ondestroy.c \
-		quota.c random.c \
+		md5.c mem.c mutexblock.c netaddr.c netscope.c ondestroy.c \
+		parseint.c quota.c random.c \
 		ratelimiter.c result.c rwlock.c \
-		serial.c sha1.c sockaddr.c string.c symtab.c \
+		serial.c sha1.c sockaddr.c string.c strtoul.c symtab.c \
 		task.c taskpool.c timer.c version.c
 
 LIBS =		@LIBS@
@@ -94,7 +94,7 @@ libisc.@SA@: ${OBJS}
 
 libisc.la: ${OBJS}
 	${LIBTOOL_MODE_LINK} \
-		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc.la -rpath ${libdir} \
+		${CC} ${ALL_CFLAGS} -o libisc.la -rpath ${libdir} \
 		-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
 		${OBJS} ${LIBS}
 
diff --git a/lib/isc/api b/lib/isc/api
index c5bcb934..ca58b051 100644
--- a/lib/isc/api
+++ b/lib/isc/api
@@ -1,3 +1,3 @@
 LIBINTERFACE = 9
-LIBREVISION = 2
-LIBAGE = 2
+LIBREVISION = 1
+LIBAGE = 0
diff --git a/lib/isc/assertions.c b/lib/isc/assertions.c
index 9fd45179..94c6732f 100644
--- a/lib/isc/assertions.c
+++ b/lib/isc/assertions.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: assertions.c,v 1.16.2.1 2004/03/09 06:11:44 marka Exp $ */
+/* $Id: assertions.c,v 1.16.206.1 2004/03/06 08:14:27 marka Exp $ */
 
 #include <config.h>
 
diff --git a/lib/isc/base64.c b/lib/isc/base64.c
index 3b86fd62..445f8f56 100644
--- a/lib/isc/base64.c
+++ b/lib/isc/base64.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: base64.c,v 1.23.2.3 2004/03/09 06:11:45 marka Exp $ */
+/* $Id: base64.c,v 1.23.2.2.2.3 2004/03/06 08:14:27 marka Exp $ */
 
 #include <config.h>
 
@@ -55,7 +55,7 @@ isc_base64_totext(isc_region_t *source, int wordlength,
 	if (wordlength < 4)
 		wordlength = 4;
 
-	memset(buf, 0, sizeof buf);
+	memset(buf, 0, sizeof(buf));
 	while (source->length > 2) {
 		buf[0] = base64[(source->base[0]>>2)&0x3f];
 		buf[1] = base64[((source->base[0]<<4)&0x30)|
@@ -191,7 +191,7 @@ isc_base64_tobuffer(isc_lex_t *lexer, isc_buffer_t *target, int length) {
 		if (token.type != isc_tokentype_string)
 			break;
 		tr = &token.value.as_textregion;
-		for (i = 0 ;i < tr->length; i++)
+		for (i = 0; i < tr->length; i++)
 			RETERR(base64_decode_char(&ctx, tr->base[i]));
 	}
 	if (ctx.length < 0 && !ctx.seen_end)
diff --git a/lib/isc/bitstring.c b/lib/isc/bitstring.c
index 87ec6867..e77ed39b 100644
--- a/lib/isc/bitstring.c
+++ b/lib/isc/bitstring.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: bitstring.c,v 1.12.2.1 2004/03/09 06:11:45 marka Exp $ */
+/* $Id: bitstring.c,v 1.12.206.1 2004/03/06 08:14:27 marka Exp $ */
 
 #include <config.h>
 
diff --git a/lib/isc/buffer.c b/lib/isc/buffer.c
index 929c41c6..30ce529e 100644
--- a/lib/isc/buffer.c
+++ b/lib/isc/buffer.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
+ * Copyright (C) 1998-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: buffer.c,v 1.36.2.1 2004/03/09 06:11:45 marka Exp $ */
+/* $Id: buffer.c,v 1.36.12.2 2004/03/08 09:04:48 marka Exp $ */
 
 #include <config.h>
 
diff --git a/lib/isc/bufferlist.c b/lib/isc/bufferlist.c
index 026f23cf..6d64a3f6 100644
--- a/lib/isc/bufferlist.c
+++ b/lib/isc/bufferlist.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: bufferlist.c,v 1.12.2.1 2004/03/09 06:11:45 marka Exp $ */
+/* $Id: bufferlist.c,v 1.12.206.1 2004/03/06 08:14:28 marka Exp $ */
 
 #include <config.h>
 
diff --git a/lib/isc/commandline.c b/lib/isc/commandline.c
index 817c0be0..4c8af7f0 100644
--- a/lib/isc/commandline.c
+++ b/lib/isc/commandline.c
@@ -48,7 +48,7 @@
  * SUCH DAMAGE.
  */
 
-/* $Id: commandline.c,v 1.15.2.1 2004/03/09 06:11:45 marka Exp $ */
+/* $Id: commandline.c,v 1.15.206.1 2004/03/06 08:14:28 marka Exp $ */
 
 /*
  * This file was adapted from the NetBSD project's source tree, RCS ID:
diff --git a/lib/isc/entropy.c b/lib/isc/entropy.c
index 89ba433f..8834eefd 100644
--- a/lib/isc/entropy.c
+++ b/lib/isc/entropy.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
+ * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: entropy.c,v 1.3.2.4 2004/03/09 06:11:45 marka Exp $ */
+/* $Id: entropy.c,v 1.3.2.2.2.7 2004/03/08 09:04:48 marka Exp $ */
 
 /*
  * This is the system independent part of the entropy module.  It is
@@ -147,12 +147,14 @@ struct isc_entropysource {
 		isc_entropysamplesource_t	sample;
 		isc_entropyfilesource_t		file;
 		isc_cbsource_t			callback;
+		isc_entropyusocketsource_t	usocket;
 	} sources;
 };
 
 #define ENTROPY_SOURCETYPE_SAMPLE	1	/* Type is a sample source */
 #define ENTROPY_SOURCETYPE_FILE		2	/* Type is a file source */
 #define ENTROPY_SOURCETYPE_CALLBACK	3	/* Type is a callback source */
+#define ENTROPY_SOURCETYPE_USOCKET	4	/* Type is a Unix socket source */
 
 /*
  * The random pool "taps"
@@ -176,6 +178,9 @@ wait_for_sources(isc_entropy_t *);
 static void
 destroyfilesource(isc_entropyfilesource_t *source);
 
+static void
+destroyusocketsource(isc_entropyusocketsource_t *source);
+
 
 static void
 samplequeue_release(isc_entropy_t *ent, sample_queue_t *sq) {
@@ -320,7 +325,7 @@ entropypool_adddata(isc_entropy_t *ent, void *p, unsigned int len,
 		entropypool_add_word(&ent->pool, val);
 	}
 
-	for (; len > 3 ; len -= 4) {
+	for (; len > 3; len -= 4) {
 		val = *((isc_uint32_t *)buf);
 
 		entropypool_add_word(&ent->pool, val);
@@ -347,15 +352,14 @@ entropypool_adddata(isc_entropy_t *ent, void *p, unsigned int len,
 
 static inline void
 reseed(isc_entropy_t *ent) {
-	isc_result_t result;
 	isc_time_t t;
 	pid_t pid;
 
 	if (ent->initcount == 0) {
 		pid = getpid();
-		entropypool_adddata(ent, &pid, sizeof pid, 0);
+		entropypool_adddata(ent, &pid, sizeof(pid), 0);
 		pid = getppid();
-		entropypool_adddata(ent, &pid, sizeof pid, 0);
+		entropypool_adddata(ent, &pid, sizeof(pid), 0);
 	}
 
 	/*
@@ -367,11 +371,9 @@ reseed(isc_entropy_t *ent) {
 		if ((ent->initcount % 50) != 0)
 			return;
 
-	result = isc_time_now(&t);
-	if (result == ISC_R_SUCCESS) {
-		entropypool_adddata(ent, &t, sizeof t, 0);
-		ent->initcount++;
-	}
+	TIME_NOW(&t);
+	entropypool_adddata(ent, &t, sizeof(t), 0);
+	ent->initcount++;
 }
 
 static inline unsigned int
@@ -382,7 +384,7 @@ estimate_entropy(sample_queue_t *sq, isc_uint32_t t) {
 
 	/*
 	 * If the time counter has overflowed, calculate the real difference.
-	 * If it has not, it is simplier.
+	 * If it has not, it is simpler.
 	 */
 	if (t < sq->last_time)
 		delta = UINT_MAX - sq->last_time + t;
@@ -438,10 +440,10 @@ crunchsamples(isc_entropy_t *ent, sample_queue_t *sq) {
 	 * Prime the values by adding in the first 4 samples in.  This
 	 * should completely initialize the delta calculations.
 	 */
-	for (ns = 0 ; ns < 4 ; ns++)
+	for (ns = 0; ns < 4; ns++)
 		(void)estimate_entropy(sq, sq->samples[ns]);
 
-	for (ns = 4 ; ns < sq->nsamples ; ns++)
+	for (ns = 4; ns < sq->nsamples; ns++)
 		added += estimate_entropy(sq, sq->samples[ns]);
 
 	entropypool_adddata(ent, sq->samples, sq->nsamples * 4, added);
@@ -451,7 +453,7 @@ crunchsamples(isc_entropy_t *ent, sample_queue_t *sq) {
 	 * Move the last 4 samples into the first 4 positions, and start
 	 * adding new samples from that point.
 	 */
-	for (ns = 0 ; ns < 4 ; ns++) {
+	for (ns = 0; ns < 4; ns++) {
 		sq->samples[ns] = sq->samples[sq->nsamples - 4 + ns];
 		sq->extra[ns] = sq->extra[sq->nsamples - 4 + ns];
 	}
@@ -724,6 +726,10 @@ destroysource(isc_entropysource_t **sourcep) {
 		if (! source->bad)
 			destroyfilesource(&source->sources.file);
 		break;
+	case ENTROPY_SOURCETYPE_USOCKET:
+		if (! source->bad)
+			destroyusocketsource(&source->sources.usocket);
+		break;
 	case ENTROPY_SOURCETYPE_SAMPLE:
 		samplequeue_release(ent, &source->sources.sample.samplequeue);
 		break;
@@ -753,6 +759,7 @@ destroy_check(isc_entropy_t *ent) {
 	while (source != NULL) {
 		switch (source->type) {
 		case ENTROPY_SOURCETYPE_FILE:
+		case ENTROPY_SOURCETYPE_USOCKET:
 			break;
 		default:
 			return (ISC_FALSE);
@@ -784,6 +791,7 @@ destroy(isc_entropy_t **entp) {
 	while (source != NULL) {
 		switch(source->type) {
 		case ENTROPY_SOURCETYPE_FILE:
+		case ENTROPY_SOURCETYPE_USOCKET:
 			destroysource(&source);
 			break;
 		}
@@ -1176,9 +1184,7 @@ kbdget(isc_entropysource_t *source, void *arg, isc_boolean_t blocking) {
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
-	result = isc_time_now(&t);
-	if (result != ISC_R_SUCCESS)
-		return (result);
+	TIME_NOW(&t);
 
 	sample = isc_time_nanoseconds(&t);
 	extra = c;
diff --git a/lib/isc/error.c b/lib/isc/error.c
index b048c0de..ceb7d2a4 100644
--- a/lib/isc/error.c
+++ b/lib/isc/error.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: error.c,v 1.16.2.1 2004/03/09 06:11:45 marka Exp $ */
+/* $Id: error.c,v 1.16.206.1 2004/03/06 08:14:28 marka Exp $ */
 
 #include <config.h>
 
diff --git a/lib/isc/event.c b/lib/isc/event.c
index 364a2872..f767870e 100644
--- a/lib/isc/event.c
+++ b/lib/isc/event.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: event.c,v 1.15.2.1 2004/03/09 06:11:46 marka Exp $ */
+/* $Id: event.c,v 1.15.12.3 2004/03/08 09:04:48 marka Exp $ */
 
 /*
  * Principal Author: Bob Halley
@@ -45,7 +45,7 @@ isc_event_allocate(isc_mem_t *mctx, void *sender, isc_eventtype_t type,
 	isc_event_t *event;
 	void *deconst_arg;
 
-	REQUIRE(size >= sizeof (struct isc_event));
+	REQUIRE(size >= sizeof(struct isc_event));
 	REQUIRE(action != NULL);
 
 	event = isc_mem_get(mctx, size);
diff --git a/lib/isc/fsaccess.c b/lib/isc/fsaccess.c
index 0954c026..11934724 100644
--- a/lib/isc/fsaccess.c
+++ b/lib/isc/fsaccess.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: fsaccess.c,v 1.5.2.1 2004/03/09 06:11:46 marka Exp $ */
+/* $Id: fsaccess.c,v 1.5.206.1 2004/03/06 08:14:29 marka Exp $ */
 
 /*
  * This file contains the OS-independent functionality of the API.
diff --git a/lib/isc/hash.c b/lib/isc/hash.c
index 98a5649b..22f37006 100644
--- a/lib/isc/hash.c
+++ b/lib/isc/hash.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: hash.c,v 1.2.2.7 2006/01/04 00:37:21 marka Exp $ */
+/* $Id: hash.c,v 1.2.2.4.2.1 2004/03/06 08:14:29 marka Exp $ */
 
 /*
  * Some portion of this code was derived from universal hash function
@@ -68,6 +68,7 @@ if advised of the possibility of such damage.
 #include <isc/once.h>
 #include <isc/random.h>
 #include <isc/refcount.h>
+#include <isc/rwlock.h>
 #include <isc/string.h>
 #include <isc/util.h>
 
@@ -98,7 +99,7 @@ struct isc_hash {
 	hash_random_t	*rndvector; /* random vector for universal hashing */
 };
 
-static isc_mutex_t createlock;
+static isc_rwlock_t createlock;
 static isc_once_t once = ISC_ONCE_INIT;
 static isc_hash_t *hash = NULL;
 
@@ -208,7 +209,7 @@ isc_hash_ctxcreate(isc_mem_t *mctx, isc_entropy_t *entropy,
 
 static void
 initialize_lock(void) {
-	RUNTIME_CHECK(isc_mutex_init(&createlock) == ISC_R_SUCCESS);
+	RUNTIME_CHECK(isc_rwlock_init(&createlock, 0, 0) == ISC_R_SUCCESS);
 }
 
 isc_result_t
@@ -220,12 +221,12 @@ isc_hash_create(isc_mem_t *mctx, isc_entropy_t *entropy, size_t limit) {
 
 	RUNTIME_CHECK(isc_once_do(&once, initialize_lock) == ISC_R_SUCCESS);
 
-	LOCK(&createlock);
+	RWLOCK(&createlock, isc_rwlocktype_write);
 
 	if (hash == NULL)
 		result = isc_hash_ctxcreate(mctx, entropy, limit, &hash);
 
-	UNLOCK(&createlock);
+	RWUNLOCK(&createlock, isc_rwlocktype_write);
 
 	return (result);
 }
diff --git a/lib/isc/heap.c b/lib/isc/heap.c
index 65976bba..78b19254 100644
--- a/lib/isc/heap.c
+++ b/lib/isc/heap.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1997-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,15 +15,15 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: heap.c,v 1.28.2.2 2006/04/17 18:27:07 explorer Exp $ */
+/* $Id: heap.c,v 1.28.12.3 2004/03/08 09:04:48 marka Exp $ */
 
-/*! \file
+/*
  * Heap implementation of priority queues adapted from the following:
  *
- *	\li "Introduction to Algorithms," Cormen, Leiserson, and Rivest,
+ *	_Introduction to Algorithms_, Cormen, Leiserson, and Rivest,
  *	MIT Press / McGraw Hill, 1990, ISBN 0-262-03141-8, chapter 7.
  *
- *	\li "Algorithms," Second Edition, Sedgewick, Addison-Wesley, 1988,
+ *	_Algorithms_, Second Edition, Sedgewick, Addison-Wesley, 1988,
  *	ISBN 0-201-06673-4, chapter 11.
  */
 
@@ -35,23 +35,20 @@
 #include <isc/string.h>		/* Required for memcpy. */
 #include <isc/util.h>
 
-/*@{*/
-/*%
+/*
  * Note: to make heap_parent and heap_left easy to compute, the first
  * element of the heap array is not used; i.e. heap subscripts are 1-based,
- * not 0-based.  The parent is index/2, and the left-child is index*2.
- * The right child is index*2+1.
+ * not 0-based.
  */
 #define heap_parent(i)			((i) >> 1)
 #define heap_left(i)			((i) << 1)
-/*@}*/
 
 #define SIZE_INCREMENT			1024
 
 #define HEAP_MAGIC			ISC_MAGIC('H', 'E', 'A', 'P')
 #define VALID_HEAP(h)			ISC_MAGIC_VALID(h, HEAP_MAGIC)
 
-/*%
+/*
  * When the heap is in a consistent state, the following invariant
  * holds true: for every element i > 1, heap_parent(i) has a priority
  * higher than or equal to that of i.
@@ -60,7 +57,6 @@
 			  ! heap->compare(heap->array[(i)], \
 					  heap->array[heap_parent(i)]))
 
-/*% ISC heap structure. */
 struct isc_heap {
 	unsigned int			magic;
 	isc_mem_t *			mctx;
@@ -145,8 +141,8 @@ static void
 float_up(isc_heap_t *heap, unsigned int i, void *elt) {
 	unsigned int p;
 
-	for (p = heap_parent(i) ;
-	     i > 1 && heap->compare(elt, heap->array[p]) ;
+	for (p = heap_parent(i);
+	     i > 1 && heap->compare(elt, heap->array[p]);
 	     i = p, p = heap_parent(i)) {
 		heap->array[i] = heap->array[p];
 		if (heap->index != NULL)
@@ -200,48 +196,48 @@ isc_heap_insert(isc_heap_t *heap, void *elt) {
 }
 
 void
-isc_heap_delete(isc_heap_t *heap, unsigned int index) {
+isc_heap_delete(isc_heap_t *heap, unsigned int i) {
 	void *elt;
 	isc_boolean_t less;
 
 	REQUIRE(VALID_HEAP(heap));
-	REQUIRE(index >= 1 && index <= heap->last);
+	REQUIRE(i >= 1 && i <= heap->last);
 
-	if (index == heap->last) {
+	if (i == heap->last) {
 		heap->last--;
 	} else {
 		elt = heap->array[heap->last--];
-		less = heap->compare(elt, heap->array[index]);
-		heap->array[index] = elt;
+		less = heap->compare(elt, heap->array[i]);
+		heap->array[i] = elt;
 		if (less)
-			float_up(heap, index, heap->array[index]);
+			float_up(heap, i, heap->array[i]);
 		else
-			sink_down(heap, index, heap->array[index]);
+			sink_down(heap, i, heap->array[i]);
 	}
 }
 
 void
-isc_heap_increased(isc_heap_t *heap, unsigned int index) {
+isc_heap_increased(isc_heap_t *heap, unsigned int i) {
 	REQUIRE(VALID_HEAP(heap));
-	REQUIRE(index >= 1 && index <= heap->last);
+	REQUIRE(i >= 1 && i <= heap->last);
 
-	float_up(heap, index, heap->array[index]);
+	float_up(heap, i, heap->array[i]);
 }
 
 void
-isc_heap_decreased(isc_heap_t *heap, unsigned int index) {
+isc_heap_decreased(isc_heap_t *heap, unsigned int i) {
 	REQUIRE(VALID_HEAP(heap));
-	REQUIRE(index >= 1 && index <= heap->last);
+	REQUIRE(i >= 1 && i <= heap->last);
 
-	sink_down(heap, index, heap->array[index]);
+	sink_down(heap, i, heap->array[i]);
 }
 
 void *
-isc_heap_element(isc_heap_t *heap, unsigned int index) {
+isc_heap_element(isc_heap_t *heap, unsigned int i) {
 	REQUIRE(VALID_HEAP(heap));
-	REQUIRE(index >= 1 && index <= heap->last);
+	REQUIRE(i >= 1 && i <= heap->last);
 
-	return (heap->array[index]);
+	return (heap->array[i]);
 }
 
 void
@@ -251,6 +247,6 @@ isc_heap_foreach(isc_heap_t *heap, isc_heapaction_t action, void *uap) {
 	REQUIRE(VALID_HEAP(heap));
 	REQUIRE(action != NULL);
 
-	for (i = 1 ; i <= heap->last ; i++)
+	for (i = 1; i <= heap->last; i++)
 		(action)(heap->array[i], uap);
 }
diff --git a/lib/isc/hex.c b/lib/isc/hex.c
index 1236ee90..a90f1ce0 100644
--- a/lib/isc/hex.c
+++ b/lib/isc/hex.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2002  Internet Software Consortium.
+ * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: hex.c,v 1.8.2.3 2004/03/09 06:11:46 marka Exp $ */
+/* $Id: hex.c,v 1.8.2.2.8.3 2004/03/06 08:14:30 marka Exp $ */
 
 #include <config.h>
 
@@ -55,7 +55,7 @@ isc_hex_totext(isc_region_t *source, int wordlength,
 	if (wordlength < 2)
 		wordlength = 2;
 
-	memset(buf, 0, sizeof buf);
+	memset(buf, 0, sizeof(buf));
 	while (source->length > 0) {
 		buf[0] = hex[(source->base[0] >> 4) & 0xf];
 		buf[1] = hex[(source->base[0]) & 0xf];
@@ -144,7 +144,7 @@ isc_hex_tobuffer(isc_lex_t *lexer, isc_buffer_t *target, int length) {
 		if (token.type != isc_tokentype_string)
 			break;
 		tr = &token.value.as_textregion;
-		for (i = 0 ;i < tr->length; i++)
+		for (i = 0; i < tr->length; i++)
 			RETERR(hex_decode_char(&ctx, tr->base[i]));
 	}
 	if (ctx.length < 0)
diff --git a/lib/isc/hmacmd5.c b/lib/isc/hmacmd5.c
index e6836f1d..04dc8c5e 100644
--- a/lib/isc/hmacmd5.c
+++ b/lib/isc/hmacmd5.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: hmacmd5.c,v 1.5.2.3 2006/02/26 23:49:47 marka Exp $ */
+/* $Id: hmacmd5.c,v 1.5.12.3 2004/03/08 09:04:48 marka Exp $ */
 
 /*
  * This code implements the HMAC-MD5 keyed hash algorithm
@@ -45,7 +45,7 @@ isc_hmacmd5_init(isc_hmacmd5_t *ctx, const unsigned char *key,
 	unsigned char ipad[PADLEN];
 	int i;
 
-	memset(ctx->key, 0, sizeof (ctx->key));
+	memset(ctx->key, 0, sizeof(ctx->key));
 	if (len > sizeof(ctx->key)) {
 		isc_md5_t md5ctx;
 		isc_md5_init(&md5ctx);
@@ -55,7 +55,7 @@ isc_hmacmd5_init(isc_hmacmd5_t *ctx, const unsigned char *key,
 		memcpy(ctx->key, key, len);
 
 	isc_md5_init(&ctx->md5ctx);
-	memset(ipad, IPAD, sizeof (ipad));
+	memset(ipad, IPAD, sizeof(ipad));
 	for (i = 0; i < PADLEN; i++)
 		ipad[i] ^= ctx->key[i];
 	isc_md5_update(&ctx->md5ctx, ipad, sizeof(ipad));
@@ -64,7 +64,8 @@ isc_hmacmd5_init(isc_hmacmd5_t *ctx, const unsigned char *key,
 void
 isc_hmacmd5_invalidate(isc_hmacmd5_t *ctx) {
 	isc_md5_invalidate(&ctx->md5ctx);
-	memset(ctx->key, 0, sizeof (ctx->key));
+	memset(ctx->key, 0, sizeof(ctx->key));
+	memset(ctx, 0, sizeof(ctx));
 }
 
 /*
@@ -88,7 +89,7 @@ isc_hmacmd5_sign(isc_hmacmd5_t *ctx, unsigned char *digest) {
 
 	isc_md5_final(&ctx->md5ctx, digest);
 
-	memset(opad, OPAD, sizeof (opad));
+	memset(opad, OPAD, sizeof(opad));
 	for (i = 0; i < PADLEN; i++)
 		opad[i] ^= ctx->key[i];
 
diff --git a/lib/isc/include/Makefile.in b/lib/isc/include/Makefile.in
index 1387f698..59d66c72 100644
--- a/lib/isc/include/Makefile.in
+++ b/lib/isc/include/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.10.2.1 2004/03/09 06:11:53 marka Exp $
+# $Id: Makefile.in,v 1.10.206.1 2004/03/06 08:14:38 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/isc/include/isc/Makefile.in b/lib/isc/include/isc/Makefile.in
index e111b2ee..10cad7e0 100644
--- a/lib/isc/include/isc/Makefile.in
+++ b/lib/isc/include/isc/Makefile.in
@@ -1,5 +1,5 @@
-# Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2001  Internet Software Consortium.
+# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 1998-2001, 2003  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.50.2.3 2005/03/22 02:31:40 marka Exp $
+# $Id: Makefile.in,v 1.50.12.4 2004/03/06 08:14:38 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -28,16 +28,16 @@ top_srcdir =	@top_srcdir@
 #
 HEADERS =	app.h assertions.h base64.h bitstring.h boolean.h buffer.h \
 		bufferlist.h commandline.h entropy.h error.h event.h \
-		eventclass.h file.h formatcheck.h fsaccess.h \
-		hash.h heap.h hex.h hmacmd5.h \
+		eventclass.h \
+		file.h formatcheck.h fsaccess.h heap.h hex.h hmacmd5.h \
 		interfaceiter.h @ISC_IPV6_H@ lang.h lex.h \
 		lfsr.h lib.h list.h log.h magic.h md5.h mem.h msgcat.h msgs.h \
-		mutexblock.h netaddr.h ondestroy.h os.h \
+		mutexblock.h netaddr.h ondestroy.h os.h parseint.h \
 		print.h quota.h random.h ratelimiter.h \
 		refcount.h region.h resource.h \
 		result.h resultclass.h rwlock.h serial.h sha1.h sockaddr.h \
-		socket.h stdio.h string.h symtab.h task.h taskpool.h timer.h \
-		types.h util.h
+		socket.h stdio.h stdlib.h string.h symtab.h task.h taskpool.h \
+		timer.h types.h util.h version.h
 
 SUBDIRS =
 TARGETS =
diff --git a/lib/isc/include/isc/app.h b/lib/isc/include/isc/app.h
index bb3d5c30..f77057b3 100644
--- a/lib/isc/include/isc/app.h
+++ b/lib/isc/include/isc/app.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: app.h,v 1.1.2.1 2004/03/09 06:11:53 marka Exp $ */
+/* $Id: app.h,v 1.1.206.1 2004/03/06 08:14:38 marka Exp $ */
 
 #ifndef ISC_APP_H
 #define ISC_APP_H 1
diff --git a/lib/isc/include/isc/assertions.h b/lib/isc/include/isc/assertions.h
index 89112dc7..6091de9a 100644
--- a/lib/isc/include/isc/assertions.h
+++ b/lib/isc/include/isc/assertions.h
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: assertions.h,v 1.17.2.1 2004/03/09 06:11:54 marka Exp $
+ * $Id: assertions.h,v 1.17.206.1 2004/03/06 08:14:38 marka Exp $
  */
 
 #ifndef ISC_ASSERTIONS_H
diff --git a/lib/isc/include/isc/base64.h b/lib/isc/include/isc/base64.h
index 73a267a4..260dd1d2 100644
--- a/lib/isc/include/isc/base64.h
+++ b/lib/isc/include/isc/base64.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: base64.h,v 1.15.2.1 2004/03/09 06:11:54 marka Exp $ */
+/* $Id: base64.h,v 1.15.206.1 2004/03/06 08:14:38 marka Exp $ */
 
 #ifndef ISC_BASE64_H
 #define ISC_BASE64_H 1
diff --git a/lib/isc/include/isc/bitstring.h b/lib/isc/include/isc/bitstring.h
index 920fa567..6d6a555f 100644
--- a/lib/isc/include/isc/bitstring.h
+++ b/lib/isc/include/isc/bitstring.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: bitstring.h,v 1.7.2.1 2004/03/09 06:11:54 marka Exp $ */
+/* $Id: bitstring.h,v 1.7.206.1 2004/03/06 08:14:38 marka Exp $ */
 
 #ifndef ISC_BITSTRING_H
 #define ISC_BITSTRING_H 1
diff --git a/lib/isc/include/isc/boolean.h b/lib/isc/include/isc/boolean.h
index 8390e597..0081447d 100644
--- a/lib/isc/include/isc/boolean.h
+++ b/lib/isc/include/isc/boolean.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: boolean.h,v 1.12.2.1 2004/03/09 06:11:54 marka Exp $ */
+/* $Id: boolean.h,v 1.12.206.1 2004/03/06 08:14:39 marka Exp $ */
 
 #ifndef ISC_BOOLEAN_H
 #define ISC_BOOLEAN_H 1
diff --git a/lib/isc/include/isc/buffer.h b/lib/isc/include/isc/buffer.h
index 5eda38e8..02b82bcb 100644
--- a/lib/isc/include/isc/buffer.h
+++ b/lib/isc/include/isc/buffer.h
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
+ * Copyright (C) 1998-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: buffer.h,v 1.39.2.1 2004/03/09 06:11:54 marka Exp $ */
+/* $Id: buffer.h,v 1.39.12.2 2004/03/08 09:04:51 marka Exp $ */
 
 #ifndef ISC_BUFFER_H
 #define ISC_BUFFER_H 1
diff --git a/lib/isc/include/isc/bufferlist.h b/lib/isc/include/isc/bufferlist.h
index 04053b94..b24cde0c 100644
--- a/lib/isc/include/isc/bufferlist.h
+++ b/lib/isc/include/isc/bufferlist.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: bufferlist.h,v 1.10.2.1 2004/03/09 06:11:54 marka Exp $ */
+/* $Id: bufferlist.h,v 1.10.206.1 2004/03/06 08:14:39 marka Exp $ */
 
 #ifndef ISC_BUFFERLIST_H
 #define ISC_BUFFERLIST_H 1
diff --git a/lib/isc/include/isc/commandline.h b/lib/isc/include/isc/commandline.h
index e8dffe30..250f7f0f 100644
--- a/lib/isc/include/isc/commandline.h
+++ b/lib/isc/include/isc/commandline.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: commandline.h,v 1.9.2.1 2004/03/09 06:11:54 marka Exp $ */
+/* $Id: commandline.h,v 1.9.206.1 2004/03/06 08:14:39 marka Exp $ */
 
 #ifndef ISC_COMMANDLINE_H
 #define ISC_COMMANDLINE_H 1
diff --git a/lib/isc/include/isc/entropy.h b/lib/isc/include/isc/entropy.h
index 1eb55e6d..7200a127 100644
--- a/lib/isc/include/isc/entropy.h
+++ b/lib/isc/include/isc/entropy.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: entropy.h,v 1.23.2.2 2004/03/09 06:11:55 marka Exp $ */
+/* $Id: entropy.h,v 1.23.2.1.10.1 2004/03/06 08:14:40 marka Exp $ */
 
 #ifndef ISC_ENTROPY_H
 #define ISC_ENTROPY_H 1
diff --git a/lib/isc/include/isc/error.h b/lib/isc/include/isc/error.h
index 87471478..61429262 100644
--- a/lib/isc/include/isc/error.h
+++ b/lib/isc/include/isc/error.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: error.h,v 1.13.2.1 2004/03/09 06:11:55 marka Exp $ */
+/* $Id: error.h,v 1.13.206.1 2004/03/06 08:14:40 marka Exp $ */
 
 #ifndef ISC_ERROR_H
 #define ISC_ERROR_H 1
diff --git a/lib/isc/include/isc/event.h b/lib/isc/include/isc/event.h
index f3cca874..b52cdf02 100644
--- a/lib/isc/include/isc/event.h
+++ b/lib/isc/include/isc/event.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: event.h,v 1.24.2.4 2004/04/15 02:16:29 marka Exp $ */
+/* $Id: event.h,v 1.24.2.2.8.1 2004/03/06 08:14:40 marka Exp $ */
 
 #ifndef ISC_EVENT_H
 #define ISC_EVENT_H 1
@@ -82,8 +82,6 @@ struct isc_event {
 #define ISC_EVENTTYPE_FIRSTEVENT	0x00000000
 #define ISC_EVENTTYPE_LASTEVENT		0xffffffff
 
-#define ISC_EVENT_PTR(p) ((isc_event_t **)(void *)(p))
-
 ISC_LANG_BEGINDECLS
 
 isc_event_t *
diff --git a/lib/isc/include/isc/eventclass.h b/lib/isc/include/isc/eventclass.h
index 56208d09..a783d35c 100644
--- a/lib/isc/include/isc/eventclass.h
+++ b/lib/isc/include/isc/eventclass.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: eventclass.h,v 1.13.2.1 2004/03/09 06:11:55 marka Exp $ */
+/* $Id: eventclass.h,v 1.13.206.1 2004/03/06 08:14:40 marka Exp $ */
 
 #ifndef ISC_EVENTCLASS_H
 #define ISC_EVENTCLASS_H 1
diff --git a/lib/isc/include/isc/file.h b/lib/isc/include/isc/file.h
index 03326619..6de6c8a8 100644
--- a/lib/isc/include/isc/file.h
+++ b/lib/isc/include/isc/file.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: file.h,v 1.24.2.1 2004/03/09 06:11:55 marka Exp $ */
+/* $Id: file.h,v 1.24.12.3 2004/03/08 09:04:51 marka Exp $ */
 
 #ifndef ISC_FILE_H
 #define ISC_FILE_H 1
@@ -241,6 +241,12 @@ isc_file_absolutepath(const char *filename, char *path, size_t pathlen);
  * (see write_open() in BIND 8's ns_config.c).
  */
 
+isc_result_t
+isc_file_truncate(const char *filename, isc_offset_t size);
+/*
+ * Truncate/extend the file specified to 'size' bytes.
+ */
+
 ISC_LANG_ENDDECLS
 
 #endif /* ISC_FILE_H */
diff --git a/lib/isc/include/isc/formatcheck.h b/lib/isc/include/isc/formatcheck.h
index e5cba848..a7f26c15 100644
--- a/lib/isc/include/isc/formatcheck.h
+++ b/lib/isc/include/isc/formatcheck.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: formatcheck.h,v 1.6.2.1 2004/03/09 06:11:55 marka Exp $ */
+/* $Id: formatcheck.h,v 1.6.206.1 2004/03/06 08:14:41 marka Exp $ */
 
 #ifndef ISC_FORMATCHECK_H
 #define ISC_FORMATCHECK_H 1
diff --git a/lib/isc/include/isc/fsaccess.h b/lib/isc/include/isc/fsaccess.h
index 4fa72309..0f0c8ceb 100644
--- a/lib/isc/include/isc/fsaccess.h
+++ b/lib/isc/include/isc/fsaccess.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: fsaccess.h,v 1.7.2.1 2004/03/09 06:11:56 marka Exp $ */
+/* $Id: fsaccess.h,v 1.7.206.1 2004/03/06 08:14:41 marka Exp $ */
 
 #ifndef ISC_FSACCESS_H
 #define ISC_FSACCESS_H 1
diff --git a/lib/isc/include/isc/hash.h b/lib/isc/include/isc/hash.h
index b0067d4f..b94142b4 100644
--- a/lib/isc/include/isc/hash.h
+++ b/lib/isc/include/isc/hash.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: hash.h,v 1.2.2.2 2004/03/09 06:11:56 marka Exp $ */
+/* $Id: hash.h,v 1.2.2.1.2.2 2004/03/06 08:14:41 marka Exp $ */
 
 #ifndef ISC_HASH_H
 #define ISC_HASH_H 1
@@ -40,8 +40,8 @@
  *
  *	Altough the API is generic about the hash keys, it mainly expects
  *	DNS names (and sometimes IPv4/v6 addresses) as inputs.  It has an
- *	upper limit of the input length, and may run slow to calculaate the
- *	has values for large inputs.
+ *	upper limit of the input length, and may run slow to calculate the
+ *	hash values for large inputs.
  *
  *	This API is designed to be general so that it can provide multiple
  *	different hash contexts that have different random vectors.  However,
diff --git a/lib/isc/include/isc/heap.h b/lib/isc/include/isc/heap.h
index 89a8470b..5ebf4047 100644
--- a/lib/isc/include/isc/heap.h
+++ b/lib/isc/include/isc/heap.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1997-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,155 +15,36 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: heap.h,v 1.16.2.2 2006/04/17 18:27:07 explorer Exp $ */
+/* $Id: heap.h,v 1.16.206.1 2004/03/06 08:14:41 marka Exp $ */
 
 #ifndef ISC_HEAP_H
 #define ISC_HEAP_H 1
 
-/*! \file */
-
 #include <isc/lang.h>
 #include <isc/types.h>
 
 ISC_LANG_BEGINDECLS
 
-/*%
+/*
  * The comparision function returns ISC_TRUE if the first argument has
  * higher priority than the second argument, and ISC_FALSE otherwise.
  */
 typedef isc_boolean_t (*isc_heapcompare_t)(void *, void *);
 
-/*%
- * The index function allows the client of the heap to receive a callback
- * when an item's index number changes.  This allows it to maintain
- * sync with its external state, but still delete itself, since deletions
- * from the heap require the index be provided.
- */
 typedef void (*isc_heapindex_t)(void *, unsigned int);
-
-/*%
- * The heapaction function is used when iterating over the heap.
- *
- * NOTE:  The heap structure CANNOT BE MODIFIED during the call to
- * isc_heap_foreach().
- */
 typedef void (*isc_heapaction_t)(void *, void *);
 
 typedef struct isc_heap isc_heap_t;
 
-isc_result_t
-isc_heap_create(isc_mem_t *mctx, isc_heapcompare_t compare,
-		isc_heapindex_t index, unsigned int size_increment,
-		isc_heap_t **heapp);
-/*!<
- * \brief Create a new heap.  The heap is implemented using a space-efficient
- * storage method.  When the heap elements are deleted space is not freed
- * but will be reused when new elements are inserted.
- *
- * Requires:
- *\li	"mctx" is valid.
- *\li	"compare" is a function which takes two void * arguments and
- *	returns ISC_TRUE if the first argument has a higher priority than
- *	the second, and ISC_FALSE otherwise.
- *\li	"index" is a function which takes a void *, and an unsigned int
- *	argument.  This function will be called whenever an element's
- *	index value changes, so it may continue to delete itself from the
- *	heap.  This option may be NULL if this functionality is unneeded.
- *\li	"size_increment" is a hint about how large the heap should grow
- *	when resizing is needed.  If this is 0, a default size will be
- *	used, which is currently 1024, allowing space for an additional 1024
- *	heap elements to be inserted before adding more space.
- *\li	"heapp" is not NULL, and "*heap" is NULL.
- *
- * Returns:
- *\li	ISC_R_SUCCESS		- success
- *\li	ISC_R_NOMEMORY		- insufficient memory
- */
-
-void
-isc_heap_destroy(isc_heap_t **heapp);
-/*!<
- * \brief Destroys a heap.
- *
- * Requires:
- *\li	"heapp" is not NULL and "*heap" points to a valid isc_heap_t.
- */
-
-isc_result_t
-isc_heap_insert(isc_heap_t *heap, void *elt);
-/*!<
- * \brief Inserts a new element into a heap.
- *
- * Requires:
- *\li	"heapp" is not NULL and "*heap" points to a valid isc_heap_t.
- */
-
-void
-isc_heap_delete(isc_heap_t *heap, unsigned int index);
-/*!<
- * \brief Deletes an element from a heap, by element index.
- *
- * Requires:
- *\li	"heapp" is not NULL and "*heap" points to a valid isc_heap_t.
- *\li	"index" is a valid element index, as provided by the "index" callback
- *	provided during heap creation.
- */
-
-void
-isc_heap_increased(isc_heap_t *heap, unsigned int index);
-/*!<
- * \brief Indicates to the heap that an element's priority has increased.
- * This function MUST be called whenever an element has increased in priority.
- *
- * Requires:
- *\li	"heapp" is not NULL and "*heap" points to a valid isc_heap_t.
- *\li	"index" is a valid element index, as provided by the "index" callback
- *	provided during heap creation.
- */
-
-void
-isc_heap_decreased(isc_heap_t *heap, unsigned int index);
-/*!<
- * \brief Indicates to the heap that an element's priority has decreased.
- * This function MUST be called whenever an element has decreased in priority.
- *
- * Requires:
- *\li	"heapp" is not NULL and "*heap" points to a valid isc_heap_t.
- *\li	"index" is a valid element index, as provided by the "index" callback
- *	provided during heap creation.
- */
-
-void *
-isc_heap_element(isc_heap_t *heap, unsigned int index);
-/*!<
- * \brief Returns the element for a specific element index.
- *
- * Requires:
- *\li	"heapp" is not NULL and "*heap" points to a valid isc_heap_t.
- *\li	"index" is a valid element index, as provided by the "index" callback
- *	provided during heap creation.
- *
- * Returns:
- *\li	A pointer to the element for the element index.
- */
-
-void
-isc_heap_foreach(isc_heap_t *heap, isc_heapaction_t action, void *uap);
-/*!<
- * \brief Iterate over the heap, calling an action for each element.  The
- * order of iteration is not sorted.
- *
- * Requires:
- *\li	"heapp" is not NULL and "*heap" points to a valid isc_heap_t.
- *\li	"action" is not NULL, and is a function which takes two arguments.
- *	The first is a void *, representing the element, and the second is
- *	"uap" as provided to isc_heap_foreach.
- *\li	"uap" is a caller-provided argument, and may be NULL.
- *
- * Note:
- *\li	The heap structure CANNOT be modified during this iteration.  The only
- *	safe function to call while iterating the heap is isc_heap_element().
- */
+isc_result_t	isc_heap_create(isc_mem_t *, isc_heapcompare_t,
+				isc_heapindex_t, unsigned int, isc_heap_t **);
+void		isc_heap_destroy(isc_heap_t **);
+isc_result_t	isc_heap_insert(isc_heap_t *, void *);
+void		isc_heap_delete(isc_heap_t *, unsigned int);
+void		isc_heap_increased(isc_heap_t *, unsigned int);
+void		isc_heap_decreased(isc_heap_t *, unsigned int);
+void *		isc_heap_element(isc_heap_t *, unsigned int);
+void		isc_heap_foreach(isc_heap_t *, isc_heapaction_t, void *);
 
 ISC_LANG_ENDDECLS
 
diff --git a/lib/isc/include/isc/hex.h b/lib/isc/include/isc/hex.h
index 32ecb504..cf7dfd0e 100644
--- a/lib/isc/include/isc/hex.h
+++ b/lib/isc/include/isc/hex.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: hex.h,v 1.4.2.1 2004/03/09 06:11:56 marka Exp $ */
+/* $Id: hex.h,v 1.4.206.1 2004/03/06 08:14:41 marka Exp $ */
 
 #ifndef ISC_HEX_H
 #define ISC_HEX_H 1
diff --git a/lib/isc/include/isc/hmacmd5.h b/lib/isc/include/isc/hmacmd5.h
index 4af3fee3..6e8647fa 100644
--- a/lib/isc/include/isc/hmacmd5.h
+++ b/lib/isc/include/isc/hmacmd5.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: hmacmd5.h,v 1.4.2.1 2004/03/09 06:11:56 marka Exp $ */
+/* $Id: hmacmd5.h,v 1.4.206.1 2004/03/06 08:14:42 marka Exp $ */
 
 /*
  * This is the header file for the HMAC-MD5 keyed hash algorithm
diff --git a/lib/isc/include/isc/interfaceiter.h b/lib/isc/include/isc/interfaceiter.h
index 70acf70c..3a9b21ba 100644
--- a/lib/isc/include/isc/interfaceiter.h
+++ b/lib/isc/include/isc/interfaceiter.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: interfaceiter.h,v 1.10.2.1 2004/03/09 06:11:56 marka Exp $ */
+/* $Id: interfaceiter.h,v 1.10.206.1 2004/03/06 08:14:42 marka Exp $ */
 
 #ifndef ISC_INTERFACEITER_H
 #define ISC_INTERFACEITER_H 1
diff --git a/lib/isc/include/isc/ipv6.h b/lib/isc/include/isc/ipv6.h
index 3ab3bd6a..8b4b0eb3 100644
--- a/lib/isc/include/isc/ipv6.h
+++ b/lib/isc/include/isc/ipv6.h
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ipv6.h,v 1.17.2.1 2004/03/09 06:11:57 marka Exp $ */
+/* $Id: ipv6.h,v 1.17.12.4 2004/03/09 05:21:09 marka Exp $ */
 
 #ifndef ISC_IPV6_H
 #define ISC_IPV6_H 1
@@ -75,8 +75,8 @@ struct in6_addr {
 #define IN6ADDR_ANY_INIT 	{{{ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 }}}
 #define IN6ADDR_LOOPBACK_INIT 	{{{ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1 }}}
 
-extern const struct in6_addr in6addr_any;
-extern const struct in6_addr in6addr_loopback;
+LIBISC_EXTERNAL_DATA extern const struct in6_addr in6addr_any;
+LIBISC_EXTERNAL_DATA extern const struct in6_addr in6addr_loopback;
 
 struct sockaddr_in6 {
 #ifdef ISC_PLATFORM_HAVESALEN
@@ -137,4 +137,12 @@ struct sockaddr_in6 {
 #define IN6_IS_ADDR_MULTICAST(a)	\
 	((a)->s6_addr8[0] == 0xffU)
 
+/*
+ * Unicast link / site local.
+ */
+#define IN6_IS_ADDR_LINKLOCAL(a)	\
+	(((a)->s6_addr[0] == 0xfe) && (((a)->s6_addr[1] & 0xc0) == 0x80))
+#define IN6_IS_ADDR_SITELOCAL(a)	\
+	(((a)->s6_addr[0] == 0xfe) && (((a)->s6_addr[1] & 0xc0) == 0xc0))
+
 #endif /* ISC_IPV6_H */
diff --git a/lib/isc/include/isc/lang.h b/lib/isc/include/isc/lang.h
index 703df772..f94f1231 100644
--- a/lib/isc/include/isc/lang.h
+++ b/lib/isc/include/isc/lang.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lang.h,v 1.6.2.1 2004/03/09 06:11:57 marka Exp $ */
+/* $Id: lang.h,v 1.6.206.1 2004/03/06 08:14:42 marka Exp $ */
 
 #ifndef ISC_LANG_H
 #define ISC_LANG_H 1
diff --git a/lib/isc/include/isc/lex.h b/lib/isc/include/isc/lex.h
index 38c655e2..29bdb2fe 100644
--- a/lib/isc/include/isc/lex.h
+++ b/lib/isc/include/isc/lex.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lex.h,v 1.26.2.3 2004/03/09 06:11:57 marka Exp $ */
+/* $Id: lex.h,v 1.26.2.2.8.3 2004/03/08 09:04:51 marka Exp $ */
 
 #ifndef ISC_LEX_H
 #define ISC_LEX_H 1
@@ -376,6 +376,21 @@ isc_lex_getsourceline(isc_lex_t *lex);
  * 	Current line number or 0 if no current source.
  */
 
+isc_result_t
+isc_lex_setsourcename(isc_lex_t *lex, const char *name);
+/*
+ * Assigns a new name to the input source.
+ *
+ * Requires:
+ *
+ * 	'lex' is a valid lexer.
+ *
+ * Returns:
+ * 	ISC_R_SUCCESS
+ * 	ISC_R_NOMEMORY
+ * 	ISC_R_NOTFOUND - there are no sources.
+ */
+
 isc_boolean_t
 isc_lex_isfile(isc_lex_t *lex);
 /*
diff --git a/lib/isc/include/isc/lfsr.h b/lib/isc/include/isc/lfsr.h
index 53c67821..e562380c 100644
--- a/lib/isc/include/isc/lfsr.h
+++ b/lib/isc/include/isc/lfsr.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lfsr.h,v 1.10.2.1 2004/03/09 06:11:57 marka Exp $ */
+/* $Id: lfsr.h,v 1.10.206.1 2004/03/06 08:14:43 marka Exp $ */
 
 #ifndef ISC_LFSR_H
 #define ISC_LFSR_H 1
diff --git a/lib/isc/include/isc/lib.h b/lib/isc/include/isc/lib.h
index 6746fd43..1ad44931 100644
--- a/lib/isc/include/isc/lib.h
+++ b/lib/isc/include/isc/lib.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lib.h,v 1.6.2.1 2004/03/09 06:11:57 marka Exp $ */
+/* $Id: lib.h,v 1.6.12.3 2004/03/08 09:04:51 marka Exp $ */
 
 #ifndef ISC_LIB_H
 #define ISC_LIB_H 1
@@ -25,7 +25,7 @@
 
 ISC_LANG_BEGINDECLS
 
-extern isc_msgcat_t *isc_msgcat;
+LIBISC_EXTERNAL_DATA extern isc_msgcat_t *isc_msgcat;
 
 void
 isc_lib_initmsgcat(void);
diff --git a/lib/isc/include/isc/list.h b/lib/isc/include/isc/list.h
index 8f72487d..962336ad 100644
--- a/lib/isc/include/isc/list.h
+++ b/lib/isc/include/isc/list.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1997-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: list.h,v 1.18.2.5 2006/06/06 00:11:39 marka Exp $ */
+/* $Id: list.h,v 1.18.2.2.8.1 2004/03/06 08:14:43 marka Exp $ */
 
 #ifndef ISC_LIST_H
 #define ISC_LIST_H 1
@@ -90,16 +90,12 @@
 	do { \
 		if ((elt)->link.next != NULL) \
 			(elt)->link.next->link.prev = (elt)->link.prev; \
-		else { \
-			ISC_INSIST((list).tail == (elt)); \
+		else \
 			(list).tail = (elt)->link.prev; \
-		} \
 		if ((elt)->link.prev != NULL) \
 			(elt)->link.prev->link.next = (elt)->link.next; \
-		else { \
-			ISC_INSIST((list).head == (elt)); \
+		else \
 			(list).head = (elt)->link.next; \
-		} \
 		(elt)->link.prev = (type *)(-1); \
 		(elt)->link.next = (type *)(-1); \
 	} while (0)
diff --git a/lib/isc/include/isc/log.h b/lib/isc/include/isc/log.h
index 6f917205..97aeba0c 100644
--- a/lib/isc/include/isc/log.h
+++ b/lib/isc/include/isc/log.h
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
+ * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: log.h,v 1.39.2.6 2004/04/10 04:30:06 marka Exp $ */
+/* $Id: log.h,v 1.39.2.4.2.7 2004/04/10 04:31:40 marka Exp $ */
 
 #ifndef ISC_LOG_H
 #define ISC_LOG_H 1
@@ -143,6 +143,8 @@ LIBISC_EXTERNAL_DATA extern isc_logmodule_t isc_modules[];
 
 #define ISC_LOGMODULE_SOCKET (&isc_modules[0])
 #define ISC_LOGMODULE_TIME (&isc_modules[1])
+#define ISC_LOGMODULE_INTERFACE (&isc_modules[2])
+#define ISC_LOGMODULE_TIMER (&isc_modules[3])
 
 ISC_LANG_BEGINDECLS
 
@@ -739,9 +741,6 @@ isc_log_settag(isc_logconfig_t *lcfg, const char *tag);
  *	ISC_LOG_PRINTTAG channel flag to not print anything.  If tag equals the
  *	empty string, calls to isc_log_gettag will return NULL.
  *
- *	Because the name is used by ISC_LOG_PRINTTAG, it should not be
- *	altered or destroyed after isc_log_settag().
- *
  * Returns:
  *	ISC_R_SUCCESS	Success
  *	ISC_R_NOMEMORY  Resource Limit: Out of memory
diff --git a/lib/isc/include/isc/magic.h b/lib/isc/include/isc/magic.h
index e9a18f97..729e5123 100644
--- a/lib/isc/include/isc/magic.h
+++ b/lib/isc/include/isc/magic.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: magic.h,v 1.11.2.1 2004/03/09 06:11:58 marka Exp $ */
+/* $Id: magic.h,v 1.11.206.1 2004/03/06 08:14:43 marka Exp $ */
 
 #ifndef ISC_MAGIC_H
 #define ISC_MAGIC_H 1
diff --git a/lib/isc/include/isc/md5.h b/lib/isc/include/isc/md5.h
index dfd3ae27..c6c38258 100644
--- a/lib/isc/include/isc/md5.h
+++ b/lib/isc/include/isc/md5.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: md5.h,v 1.8.2.1 2004/03/09 06:11:58 marka Exp $ */
+/* $Id: md5.h,v 1.8.206.1 2004/03/06 08:14:43 marka Exp $ */
 
 /*
  * This is the header file for the MD5 message-digest algorithm.
diff --git a/lib/isc/include/isc/mem.h b/lib/isc/include/isc/mem.h
index 9b5ccf72..301803ed 100644
--- a/lib/isc/include/isc/mem.h
+++ b/lib/isc/include/isc/mem.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mem.h,v 1.54.2.2 2004/10/11 05:55:37 marka Exp $ */
+/* $Id: mem.h,v 1.54.12.3 2004/03/08 09:04:52 marka Exp $ */
 
 #ifndef ISC_MEM_H
 #define ISC_MEM_H 1
@@ -37,18 +37,20 @@ typedef void * (*isc_memalloc_t)(void *, size_t);
 typedef void (*isc_memfree_t)(void *, void *);
 
 /*
- * ISC_MEM_DEBUG is enabled by default; set ISC_MEM_DEBUG=0 to disable it.
+ * Define ISC_MEM_DEBUG=1 to make all functions that free memory
+ * set the pointer being freed to NULL after being freed.
+ * This is the default; set ISC_MEM_DEBUG=0 to disable it.
  */
 #ifndef ISC_MEM_DEBUG
 #define ISC_MEM_DEBUG 1
 #endif
 
 /*
- * Define ISC_MEM_TRACKLINES=1 to turn on detailed tracing of memory allocation
- * and freeing by file and line number.
+ * Define ISC_MEM_TRACKLINES=1 to turn on detailed tracing of memory
+ * allocation and freeing by file and line number.
  */
 #ifndef ISC_MEM_TRACKLINES
-#define ISC_MEM_TRACKLINES 0
+#define ISC_MEM_TRACKLINES 1
 #endif
 
 /*
@@ -56,11 +58,11 @@ typedef void (*isc_memfree_t)(void *, void *);
  * the requested space.  This will increase the size of each allocation.
  */
 #ifndef ISC_MEM_CHECKOVERRUN
-#define ISC_MEM_CHECKOVERRUN 1
+#define ISC_MEM_CHECKOVERRUN 0
 #endif
 
 /*
- * Define ISC_MEM_FILL to fill each block of memory returned to the system
+ * Define ISC_MEM_FILL=1 to fill each block of memory returned to the system
  * with the byte string '0xbe'.  This helps track down uninitialized pointers
  * and the like.  On freeing memory, the space is filled with '0xde' for
  * the same reasons.
@@ -70,27 +72,36 @@ typedef void (*isc_memfree_t)(void *, void *);
 #endif
 
 /*
- * Define this to turn on memory pool names.
+ * Define ISC_MEMPOOL_NAMES=1 to make memory pools store a symbolic
+ * name so that the leaking pool can be more readily identified in
+ * case of a memory leak.
  */
 #ifndef ISC_MEMPOOL_NAMES
 #define ISC_MEMPOOL_NAMES 1
 #endif
 
-/*
- * _DEBUGTRACE
- *	log (to isc_lctx) each allocation and free.
- *
- * _DEBUGRECORD
- *	remember each allocation, and match them up on free.  Crash if
- *	a free doesn't match an allocation
- * _DEBUGUSAGE
- *	if a hi_water mark is set print the maximium inuse memory every
- *	time it is raised once it exceeds the hi_water mark
- */
 LIBISC_EXTERNAL_DATA extern unsigned int isc_mem_debugging;
 #define ISC_MEM_DEBUGTRACE		0x00000001U
 #define ISC_MEM_DEBUGRECORD		0x00000002U
 #define ISC_MEM_DEBUGUSAGE		0x00000004U
+/*
+ * The variable isc_mem_debugging holds a set of flags for
+ * turning certain memory debugging options on or off at
+ * runtime.  Its is intialized to the value ISC_MEM_DEGBUGGING,
+ * which is 0 by default but may be overridden at compile time.
+ * The following flags can be specified:
+ *
+ * ISC_MEM_DEBUGTRACE
+ *	Log each allocation and free to isc_lctx.
+ *
+ * ISC_MEM_DEBUGRECORD
+ *	Remember each allocation, and match them up on free.
+ *	Crash if a free doesn't match an allocation.
+ *
+ * ISC_MEM_DEBUGUSAGE
+ *	If a hi_water mark is set, print the maximium inuse memory
+ *	every time it is raised once it exceeds the hi_water mark.
+ */
 
 #if ISC_MEM_TRACKLINES
 #define _ISC_MEM_FILELINE	, __FILE__, __LINE__
@@ -161,12 +172,12 @@ LIBISC_EXTERNAL_DATA extern unsigned int isc_mem_debugging;
 
 isc_result_t 
 isc_mem_create(size_t max_size, size_t target_size,
-			    isc_mem_t **mctxp);
+	       isc_mem_t **mctxp);
 
 isc_result_t 
 isc_mem_createx(size_t max_size, size_t target_size,
-			     isc_memalloc_t memalloc, isc_memfree_t memfree,
-			     void *arg, isc_mem_t **mctxp);
+		isc_memalloc_t memalloc, isc_memfree_t memfree,
+		void *arg, isc_mem_t **mctxp);
 /*
  * Create a memory context.
  *
@@ -176,8 +187,12 @@ isc_mem_createx(size_t max_size, size_t target_size,
  * 'target_size' from the system allocator and breaking them up into
  * pieces; larger allocations will use the system allocator directly.
  * If 'max_size' and/or 'target_size' are zero, default values will be
- * used.  When ISC_MEM_USE_INTERNAL_MALLOC is false, 'max_size' and
- * 'target_size' are ignored.
+ * used.  When ISC_MEM_USE_INTERNAL_MALLOC is false, 'target_size' is
+ * ignored.
+ *
+ * 'max_size' is also used to size the statistics arrays and the array
+ * used to record active memory when ISC_MEM_DEBUGRECORD is set.  Settin
+ * 'max_size' too low can have detrimental effects on performance.
  *
  * A memory context created using isc_mem_createx() will obtain
  * memory from the system by calling 'memalloc' and 'memfree',
@@ -213,8 +228,8 @@ isc_mem_destroy(isc_mem_t **);
 
 isc_result_t 
 isc_mem_ondestroy(isc_mem_t *ctx,
-			       isc_task_t *task,
-			       isc_event_t **event);
+		  isc_task_t *task,
+		  isc_event_t **event);
 /*
  * Request to be notified with an event when a memory context has
  * been successfully destroyed.
@@ -228,7 +243,7 @@ isc_mem_stats(isc_mem_t *mctx, FILE *out);
 
 void 
 isc_mem_setdestroycheck(isc_mem_t *mctx,
-			     isc_boolean_t on);
+			isc_boolean_t on);
 /*
  * Iff 'on' is ISC_TRUE, 'mctx' will check for memory leaks when
  * destroyed and abort the program if any are present.
diff --git a/lib/isc/include/isc/msgcat.h b/lib/isc/include/isc/msgcat.h
index aafa9225..97839fad 100644
--- a/lib/isc/include/isc/msgcat.h
+++ b/lib/isc/include/isc/msgcat.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: msgcat.h,v 1.8.2.1 2004/03/09 06:11:58 marka Exp $ */
+/* $Id: msgcat.h,v 1.8.206.1 2004/03/06 08:14:44 marka Exp $ */
 
 #ifndef ISC_MSGCAT_H
 #define ISC_MSGCAT_H 1
diff --git a/lib/isc/include/isc/msgs.h b/lib/isc/include/isc/msgs.h
index 05d67855..967005bf 100644
--- a/lib/isc/include/isc/msgs.h
+++ b/lib/isc/include/isc/msgs.h
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2002  Internet Software Consortium.
+ * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: msgs.h,v 1.5.2.3 2004/03/09 06:11:58 marka Exp $ */
+/* $Id: msgs.h,v 1.5.2.2.8.3 2004/03/06 08:14:44 marka Exp $ */
 
 #ifndef ISC_MSGS_H
 #define ISC_MSGS_H 1
@@ -48,6 +48,7 @@
 #define ISC_MSGSET_TASK		18
 #define ISC_MSGSET_TIMER	19
 #define ISC_MSGSET_UTIL		20
+#define ISC_MSGSET_IFITERGETIFADDRS 21
 
 /*
  * Message numbers.  They are only required to be unique per message set,
@@ -145,6 +146,7 @@
 #define ISC_MSG_ACCEPTRETURNED 1418 /* accept() returned %d/%s */
 #define ISC_MSG_TOOMANYFDS     1419 /* %s: too many open file descriptors */
 #define ISC_MSG_ZEROPORT       1420 /* dropping source port zero packet */
+#define ISC_MSG_FILTER	       1420 /* setsockopt(SO_ACCEPTFILTER): %s */
 
 #define ISC_MSG_AWAKE	       1502 /* "awake" */
 #define ISC_MSG_WORKING	       1503 /* "working" */
@@ -175,6 +177,7 @@
 #define ISC_MSG_UTILWAIT       1710 /* "WAIT" */
 #define ISC_MSG_WAITED	       1711 /* "WAITED" */
 
+#define ISC_MSG_GETIFADDRS     1801 /* "getting interface addresses: ..." */
 
 
 #endif /* ISC_MSGS_H */
diff --git a/lib/isc/include/isc/mutexblock.h b/lib/isc/include/isc/mutexblock.h
index 13241f30..9bfd90cc 100644
--- a/lib/isc/include/isc/mutexblock.h
+++ b/lib/isc/include/isc/mutexblock.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mutexblock.h,v 1.10.2.1 2004/03/09 06:11:58 marka Exp $ */
+/* $Id: mutexblock.h,v 1.10.206.1 2004/03/06 08:14:44 marka Exp $ */
 
 #ifndef ISC_MUTEXBLOCK_H
 #define ISC_MUTEXBLOCK_H 1
diff --git a/lib/isc/include/isc/netaddr.h b/lib/isc/include/isc/netaddr.h
index 17847857..e209a9fa 100644
--- a/lib/isc/include/isc/netaddr.h
+++ b/lib/isc/include/isc/netaddr.h
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
+ * Copyright (C) 1998-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: netaddr.h,v 1.18.2.2 2004/03/09 06:11:59 marka Exp $ */
+/* $Id: netaddr.h,v 1.18.12.7 2004/03/08 09:04:52 marka Exp $ */
 
 #ifndef ISC_NETADDR_H
 #define ISC_NETADDR_H 1
@@ -32,6 +32,7 @@ struct isc_netaddr {
     		struct in_addr in;
 		struct in6_addr in6;
 	} type;
+	isc_uint32_t zone;
 };
 
 isc_boolean_t
@@ -72,7 +73,7 @@ isc_netaddr_totext(const isc_netaddr_t *netaddr, isc_buffer_t *target);
  */
 
 void
-isc_netaddr_format(isc_netaddr_t *na, char *array, unsigned int size);
+isc_netaddr_format(const isc_netaddr_t *na, char *array, unsigned int size);
 /*
  * Format a human-readable representation of the network address '*na'
  * into the character array 'array', which is of size 'size'.
@@ -95,6 +96,12 @@ void
 isc_netaddr_fromin6(isc_netaddr_t *netaddr, const struct in6_addr *ina6);
 
 void
+isc_netaddr_setzone(isc_netaddr_t *netaddr, isc_uint32_t zone);
+
+isc_uint32_t
+isc_netaddr_getzone(const isc_netaddr_t *netaddr);
+
+void
 isc_netaddr_any(isc_netaddr_t *netaddr);
 /*
  * Return the IPv4 wildcard address.
@@ -109,7 +116,7 @@ isc_netaddr_any6(isc_netaddr_t *netaddr);
 isc_boolean_t
 isc_netaddr_ismulticast(isc_netaddr_t *na);
 /*
- * Returns ISC_TRUE if the address is a multicast address
+ * Returns ISC_TRUE if the address is a multicast address.
  */
 
 isc_boolean_t
@@ -118,6 +125,18 @@ isc_netaddr_isexperimental(isc_netaddr_t *na);
  * Returns ISC_TRUE if the address is a experimental (CLASS E) address.
  */
 
+isc_boolean_t
+isc_netaddr_islinklocal(isc_netaddr_t *na);
+/*
+ * Returns ISC_TRUE if the address is a link local address.
+ */
+
+isc_boolean_t
+isc_netaddr_issitelocal(isc_netaddr_t *na);
+/*
+ * Returns ISC_TRUE if the address is a site local address.
+ */
+
 void
 isc_netaddr_fromv4mapped(isc_netaddr_t *t, const isc_netaddr_t *s);
 /*
diff --git a/lib/isc/include/isc/netscope.h b/lib/isc/include/isc/netscope.h
new file mode 100644
index 00000000..7cc0f182
--- /dev/null
+++ b/lib/isc/include/isc/netscope.h
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2002  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: netscope.h,v 1.4.142.5 2004/03/08 09:04:52 marka Exp $ */
+
+#ifndef ISC_NETSCOPE_H
+#define ISC_NETSCOPE_H 1
+
+ISC_LANG_BEGINDECLS
+
+/*
+ * Convert a string of an IPv6 scope zone to zone index.  If the conversion
+ * succeeds, 'zoneid' will store the index value.
+ * XXXJT: when a standard interface for this purpose is defined,
+ * we should use it.
+ *
+ * Returns:
+ *	ISC_R_SUCCESS: conversion succeeds
+ *	ISC_R_FAILURE: conversion fails
+ */
+isc_result_t
+isc_netscope_pton(int af, char *scopename, void *addr, isc_uint32_t *zoneid);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_NETADDR_H */
diff --git a/lib/isc/include/isc/ondestroy.h b/lib/isc/include/isc/ondestroy.h
index 23ebcaaf..a2c584a9 100644
--- a/lib/isc/include/isc/ondestroy.h
+++ b/lib/isc/include/isc/ondestroy.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ondestroy.h,v 1.7.2.1 2004/03/09 06:11:59 marka Exp $ */
+/* $Id: ondestroy.h,v 1.7.206.1 2004/03/06 08:14:45 marka Exp $ */
 
 #ifndef ISC_ONDESTROY_H
 #define ISC_ONDESTROY_H 1
diff --git a/lib/isc/include/isc/os.h b/lib/isc/include/isc/os.h
index 93737c69..5c3bd620 100644
--- a/lib/isc/include/isc/os.h
+++ b/lib/isc/include/isc/os.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: os.h,v 1.5.2.1 2004/03/09 06:11:59 marka Exp $ */
+/* $Id: os.h,v 1.5.206.1 2004/03/06 08:14:45 marka Exp $ */
 
 #ifndef ISC_OS_H
 #define ISC_OS_H 1
diff --git a/lib/isc/include/isc/parseint.h b/lib/isc/include/isc/parseint.h
new file mode 100644
index 00000000..c877131c
--- /dev/null
+++ b/lib/isc/include/isc/parseint.h
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2001, 2002  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: parseint.h,v 1.2.202.4 2004/03/08 09:04:52 marka Exp $ */
+
+#ifndef ISC_PARSEINT_H
+#define ISC_PARSEINT_H 1
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+/*
+ * Parse integers, in a saner way than atoi() or strtoul() do.
+ */
+
+/***
+ ***	Functions
+ ***/
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+isc_parse_uint32(isc_uint32_t *uip, const char *string, int base);
+
+isc_result_t
+isc_parse_uint16(isc_uint16_t *uip, const char *string, int base);
+
+isc_result_t
+isc_parse_uint8(isc_uint8_t *uip, const char *string, int base);
+/*
+ * Parse the null-terminated string 'string' containing a base 'base'
+ * integer, storing the result in '*uip'.  The base is interpreted
+ * as in strtoul().  Unlike strtoul(), leading whitespace, minus or
+ * plus signs are not accepted, and all errors (including overflow)
+ * are reported uniformly through the return value.
+ *
+ * Requires:
+ *	'string' points to a null-terminated string
+ *	0 <= 'base' <= 36
+ *
+ * Returns:
+ *	ISC_R_SUCCESS
+ *	ISC_R_BADNUMBER   The string is not numeric (in the given base)
+ *	ISC_R_RANGE	  The number is not representable as the requested type.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_PARSEINT_H */
diff --git a/lib/isc/include/isc/platform.h.in b/lib/isc/include/isc/platform.h.in
index 4b9897ce..7a803d7d 100644
--- a/lib/isc/include/isc/platform.h.in
+++ b/lib/isc/include/isc/platform.h.in
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: platform.h.in,v 1.24.2.2 2004/03/09 06:11:59 marka Exp $ */
+/* $Id: platform.h.in,v 1.24.2.1.10.11 2004/03/08 09:04:52 marka Exp $ */
 
 #ifndef ISC_PLATFORM_H
 #define ISC_PLATFORM_H 1
@@ -77,6 +77,11 @@
 @ISC_PLATFORM_HAVEINADDR6@
 
 /*
+ * If this system has sin6_scope_id, ISC_PLATFORM_HAVESCOPEID will be defined.
+ */
+@ISC_PLATFORM_HAVESCOPEID@
+
+/*
  * If this system needs inet_ntop(), ISC_PLATFORM_NEEDNTOP will be defined.
  */
 @ISC_PLATFORM_NEEDNTOP@
@@ -102,6 +107,16 @@
 @ISC_PLATFORM_NEEDSTRSEP@
 
 /*
+ * If the system needs strlcpy(), ISC_PLATFORM_NEEDSTRLCPY will be defined.
+ */
+@ISC_PLATFORM_NEEDSTRLCPY@
+
+/*
+ * If the system needs strlcat(), ISC_PLATFORM_NEEDSTRLCAT will be defined.
+ */
+@ISC_PLATFORM_NEEDSTRLCAT@
+
+/*
  * Define either ISC_PLATFORM_BSD44MSGHDR or ISC_PLATFORM_BSD43MSGHDR.
  */
 @ISC_PLATFORM_MSGHDRFLAVOR@
@@ -129,6 +144,11 @@
 @ISC_PLATFORM_NEEDVSNPRINTF@
 
 /*
+ * If this system need a modern sprintf() that returns (int) not (char*).
+ */
+@ISC_PLATFORM_NEEDSPRINTF@
+
+/*
  * The printf format string modifier to use with isc_uint64_t values.
  */
 @ISC_PLATFORM_QUADFORMAT@
@@ -154,15 +174,48 @@
 @ISC_PLATFORM_HAVELONGLONG@
 
 /*
+ * Define if the system has struct lifconf which is a extended struct ifconf
+ * for IPv6.
+ */
+@ISC_PLATFORM_HAVELIFCONF@
+
+/*
+ * Define if the system has struct if_laddrconf which is a extended struct
+ * ifconf for IPv6.
+ */
+@ISC_PLATFORM_HAVEIF_LADDRCONF@
+
+/*
+ * Define if the system has struct if_laddrreq.
+ */
+@ISC_PLATFORM_HAVEIF_LADDRREQ@
+
+/*
  * Used to control how extern data is linked; needed for Win32 platforms.
  */
 @ISC_PLATFORM_USEDECLSPEC@
 
+/*
+ * Define if the system supports if_nametoindex.
+ */
+@ISC_PLATFORM_HAVEIFNAMETOINDEX@
+
+/*
+ * Define if this system needs strtoul.
+ */
+@ISC_PLATFORM_NEEDSTRTOUL@
+
+/*
+ * Define if this system needs memmove.
+ */
+@ISC_PLATFORM_NEEDMEMMOVE@
+
 #ifndef ISC_PLATFORM_USEDECLSPEC
 #define LIBISC_EXTERNAL_DATA
 #define LIBDNS_EXTERNAL_DATA
 #define LIBISCCC_EXTERNAL_DATA
 #define LIBISCCFG_EXTERNAL_DATA
+#define LIBBIND9_EXTERNAL_DATA
 #else /* ISC_PLATFORM_USEDECLSPEC */
 #ifdef LIBISC_EXPORTS
 #define LIBISC_EXTERNAL_DATA __declspec(dllexport)
@@ -184,6 +237,11 @@
 #else
 #define LIBISCCFG_EXTERNAL_DATA __declspec(dllimport)
 #endif
+#ifdef LIBBIND9_EXPORTS
+#define LIBBIND9_EXTERNAL_DATA __declspec(dllexport)
+#else
+#define LIBBIND9_EXTERNAL_DATA __declspec(dllimport)
+#endif
 #endif /* ISC_PLATFORM_USEDECLSPEC */
 
 /*
diff --git a/lib/isc/include/isc/print.h b/lib/isc/include/isc/print.h
index e5840009..19da6b09 100644
--- a/lib/isc/include/isc/print.h
+++ b/lib/isc/include/isc/print.h
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: print.h,v 1.17.2.1 2004/03/09 06:11:59 marka Exp $ */
+/* $Id: print.h,v 1.17.188.2 2004/03/06 08:14:46 marka Exp $ */
 
 #ifndef ISC_PRINT_H
 #define ISC_PRINT_H 1
@@ -38,6 +38,10 @@
 #define ISC_PLATFORM_NEEDVSNPRINTF
 #endif
 
+#if !defined(ISC_PLATFORM_NEEDSPRINTF) && defined(ISC__PRINT_SOURCE)
+#define ISC_PLATFORM_NEEDSPRINTF
+#endif
+
 /***
  *** Macros
  ***/
@@ -50,9 +54,11 @@
 #ifdef ISC_PLATFORM_NEEDVSNPRINTF
 #include <stdarg.h>
 #include <stddef.h>
+#endif
 
 ISC_LANG_BEGINDECLS
 
+#ifdef ISC_PLATFORM_NEEDVSNPRINTF
 int
 isc_print_vsnprintf(char *str, size_t size, const char *format, va_list ap)
      ISC_FORMAT_PRINTF(3, 0);
@@ -62,8 +68,14 @@ int
 isc_print_snprintf(char *str, size_t size, const char *format, ...)
      ISC_FORMAT_PRINTF(3, 4);
 #define snprintf isc_print_snprintf
+#endif /* ISC_PLATFORM_NEEDVSNPRINTF */
+
+#ifdef ISC_PLATFORM_NEEDSPRINTF
+int
+isc_print_sprintf(char *str, const char *format, ...) ISC_FORMAT_PRINTF(2, 3);
+#define sprintf isc_print_sprintf
+#endif
 
 ISC_LANG_ENDDECLS
-#endif /* ISC_PLATFORM_NEEDVSNPRINTF */
 
 #endif /* ISC_PRINT_H */
diff --git a/lib/isc/include/isc/quota.h b/lib/isc/include/isc/quota.h
index df885d85..86478761 100644
--- a/lib/isc/include/isc/quota.h
+++ b/lib/isc/include/isc/quota.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: quota.h,v 1.8.2.1 2004/03/09 06:11:59 marka Exp $ */
+/* $Id: quota.h,v 1.8.12.3 2004/03/08 09:04:52 marka Exp $ */
 
 #ifndef ISC_QUOTA_H
 #define ISC_QUOTA_H 1
@@ -53,6 +53,7 @@ struct isc_quota {
 	/* Locked by lock. */
 	int 		max;
 	int 		used;
+	isc_boolean_t	soft;
 };
 
 isc_result_t
@@ -71,6 +72,12 @@ isc_quota_destroy(isc_quota_t *quota);
  * Destroy a quota object.
  */
 
+void
+isc_quota_soft(isc_quota_t *quota, isc_boolean_t soft);
+/*
+ * Turn on/off soft quotas.
+ */
+
 isc_result_t
 isc_quota_reserve(isc_quota_t *quota);
 /*
@@ -78,6 +85,7 @@ isc_quota_reserve(isc_quota_t *quota);
  *
  * Returns:
  * 	ISC_R_SUCCESS	Success
+ *	ISC_R_SOFTQUOTA	Success soft quota reached
  *	ISC_R_QUOTA	Quota is full
  */
 
@@ -91,7 +99,7 @@ isc_result_t
 isc_quota_attach(isc_quota_t *quota, isc_quota_t **p);
 /*
  * Like isc_quota_reserve, and also attaches '*p' to the
- * quota if successful.
+ * quota if successful (ISC_R_SUCCESS or ISC_R_SOFTQUOTA).
  */
 
 void
diff --git a/lib/isc/include/isc/random.h b/lib/isc/include/isc/random.h
index db78157c..ee416c5b 100644
--- a/lib/isc/include/isc/random.h
+++ b/lib/isc/include/isc/random.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: random.h,v 1.11.2.1 2004/03/09 06:12:00 marka Exp $ */
+/* $Id: random.h,v 1.11.206.1 2004/03/06 08:14:46 marka Exp $ */
 
 #ifndef ISC_RANDOM_H
 #define ISC_RANDOM_H 1
diff --git a/lib/isc/include/isc/ratelimiter.h b/lib/isc/include/isc/ratelimiter.h
index 3602e3b5..2acab34b 100644
--- a/lib/isc/include/isc/ratelimiter.h
+++ b/lib/isc/include/isc/ratelimiter.h
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ratelimiter.h,v 1.13.2.1 2004/03/09 06:12:00 marka Exp $ */
+/* $Id: ratelimiter.h,v 1.13.14.3 2004/03/08 09:04:53 marka Exp $ */
 
 #ifndef ISC_RATELIMITER_H
 #define ISC_RATELIMITER_H 1
@@ -115,6 +115,18 @@ isc_ratelimiter_detach(isc_ratelimiter_t **ratelimiterp);
  * Detach from a rate limiter.
  */
 
+isc_result_t
+isc_ratelimiter_stall(isc_ratelimiter_t *rl);
+/*
+ * Stall event processing.
+ */
+
+isc_result_t
+isc_ratelimiter_release(isc_ratelimiter_t *rl);
+/*
+ * Release a stalled rate limiter.
+ */
+
 ISC_LANG_ENDDECLS
 
 #endif /* ISC_RATELIMITER_H */
diff --git a/lib/isc/include/isc/refcount.h b/lib/isc/include/isc/refcount.h
index d6e40715..f4704828 100644
--- a/lib/isc/include/isc/refcount.h
+++ b/lib/isc/include/isc/refcount.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: refcount.h,v 1.3.2.5 2004/04/14 05:20:19 marka Exp $ */
+/* $Id: refcount.h,v 1.3.2.2.2.1 2004/03/06 08:14:46 marka Exp $ */
 
 #ifndef ISC_REFCOUNT_H
 #define ISC_REFCOUNT_H 1
@@ -143,18 +143,16 @@ typedef struct isc_refcount {
 
 #define isc_refcount_increment(rp, tp)					\
 	do {								\
-		unsigned int *_tmp = (unsigned int *)(tp);		\
 		int _n = ++(rp)->refs;					\
-		if (_tmp != NULL)					\
-			*_tmp = _n;					\
+		if ((tp) != NULL)					\
+			*(unsigned int *)(tp) = (unsigned int)(_n);	\
 	} while (0)
 
 #define isc_refcount_decrement(rp, tp)					\
 	do {								\
-		unsigned int *_tmp = (unsigned int *)(tp);		\
 		int _n = --(rp)->refs;					\
-		if (_tmp != NULL)					\
-			*_tmp = _n;					\
+		if ((tp) != NULL)					\
+			*(unsigned int *)(tp) = (unsigned int)(_n);	\
 	} while (0)
 
 #endif
diff --git a/lib/isc/include/isc/region.h b/lib/isc/include/isc/region.h
index bd96e0e9..5622394a 100644
--- a/lib/isc/include/isc/region.h
+++ b/lib/isc/include/isc/region.h
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
+ * Copyright (C) 1998-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: region.h,v 1.16.2.1 2004/03/09 06:12:00 marka Exp $ */
+/* $Id: region.h,v 1.16.12.3 2004/03/08 09:04:53 marka Exp $ */
 
 #ifndef ISC_REGION_H
 #define ISC_REGION_H 1
@@ -77,4 +77,19 @@ struct isc_consttextregion {
 		_r->length -= _l; \
 	} while (0)
 
+int
+isc_region_compare(isc_region_t *r1, isc_region_t *r2);
+/*
+ * Compares the contents of two regions 
+ *
+ * Requires: 
+ *	'r1' is a valid region
+ *	'r2' is a valid region
+ *
+ * Returns:
+ *	 < 0 if r1 is lexicographically less than r2
+ *	 = 0 if r1 is lexicographically identical to r2
+ *	 > 0 if r1 is lexicographically greater than r2
+ */
+
 #endif /* ISC_REGION_H */
diff --git a/lib/isc/include/isc/resource.h b/lib/isc/include/isc/resource.h
index be0ae1c7..2c2a8298 100644
--- a/lib/isc/include/isc/resource.h
+++ b/lib/isc/include/isc/resource.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: resource.h,v 1.4.2.1 2004/03/09 06:12:00 marka Exp $ */
+/* $Id: resource.h,v 1.4.206.1 2004/03/06 08:14:47 marka Exp $ */
 
 #ifndef ISC_RESOURCE_H
 #define ISC_RESOURCE_H 1
diff --git a/lib/isc/include/isc/result.h b/lib/isc/include/isc/result.h
index 6035b8c6..fd35f867 100644
--- a/lib/isc/include/isc/result.h
+++ b/lib/isc/include/isc/result.h
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2002  Internet Software Consortium.
+ * Copyright (C) 1998-2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: result.h,v 1.57.2.5 2004/05/14 06:41:51 marka Exp $ */
+/* $Id: result.h,v 1.57.2.2.8.4 2004/03/08 09:04:53 marka Exp $ */
 
 #ifndef ISC_RESULT_H
 #define ISC_RESULT_H 1
diff --git a/lib/isc/include/isc/resultclass.h b/lib/isc/include/isc/resultclass.h
index c35c6beb..adb53383 100644
--- a/lib/isc/include/isc/resultclass.h
+++ b/lib/isc/include/isc/resultclass.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: resultclass.h,v 1.11.2.1 2004/03/09 06:12:01 marka Exp $ */
+/* $Id: resultclass.h,v 1.11.206.1 2004/03/06 08:14:47 marka Exp $ */
 
 #ifndef ISC_RESULTCLASS_H
 #define ISC_RESULTCLASS_H 1
diff --git a/lib/isc/include/isc/rwlock.h b/lib/isc/include/isc/rwlock.h
index c839a6ea..44edfcc6 100644
--- a/lib/isc/include/isc/rwlock.h
+++ b/lib/isc/include/isc/rwlock.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rwlock.h,v 1.18.2.4 2004/03/09 06:12:01 marka Exp $ */
+/* $Id: rwlock.h,v 1.18.2.3.2.1 2004/03/06 08:14:47 marka Exp $ */
 
 #ifndef ISC_RWLOCK_H
 #define ISC_RWLOCK_H 1
diff --git a/lib/isc/include/isc/serial.h b/lib/isc/include/isc/serial.h
index 492ebce1..cb054a6f 100644
--- a/lib/isc/include/isc/serial.h
+++ b/lib/isc/include/isc/serial.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: serial.h,v 1.9.2.1 2004/03/09 06:12:01 marka Exp $ */
+/* $Id: serial.h,v 1.9.206.1 2004/03/06 08:14:48 marka Exp $ */
 
 #ifndef ISC_SERIAL_H
 #define ISC_SERIAL_H 1
diff --git a/lib/isc/include/isc/sha1.h b/lib/isc/include/isc/sha1.h
index cbee21c2..935578b2 100644
--- a/lib/isc/include/isc/sha1.h
+++ b/lib/isc/include/isc/sha1.h
@@ -18,7 +18,7 @@
 #ifndef ISC_SHA1_H
 #define ISC_SHA1_H 1
 
-/* $Id: sha1.h,v 1.8.2.1 2004/03/09 06:12:01 marka Exp $ */
+/* $Id: sha1.h,v 1.8.206.1 2004/03/06 08:14:48 marka Exp $ */
 
 /*	$NetBSD: sha1.h,v 1.2 1998/05/29 22:55:44 thorpej Exp $	*/
 
diff --git a/lib/isc/include/isc/sockaddr.h b/lib/isc/include/isc/sockaddr.h
index 6d8e00b1..ffe4105d 100644
--- a/lib/isc/include/isc/sockaddr.h
+++ b/lib/isc/include/isc/sockaddr.h
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sockaddr.h,v 1.35.2.4 2006/03/02 00:37:17 marka Exp $ */
+/* $Id: sockaddr.h,v 1.35.12.6 2004/03/08 09:04:53 marka Exp $ */
 
 #ifndef ISC_SOCKADDR_H
 #define ISC_SOCKADDR_H 1
@@ -64,6 +64,9 @@ isc_sockaddr_hash(const isc_sockaddr_t *sockaddr, isc_boolean_t address_only);
 /*
  * Return a hash value for the socket address 'sockaddr'.  If 'address_only'
  * is ISC_TRUE, the hash value will not depend on the port.
+ *
+ * IPv6 addresses containing mapped IPv4 addresses generate the same hash
+ * value as the equivalent IPv4 address.
  */
 
 void
@@ -138,7 +141,7 @@ isc_sockaddr_setport(isc_sockaddr_t *sockaddr, in_port_t port);
  */
 
 in_port_t
-isc_sockaddr_getport(const isc_sockaddr_t *sockaddr);
+isc_sockaddr_getport(isc_sockaddr_t *sockaddr);
 /*
  * Get the port stored in 'sockaddr'.
  */
@@ -165,17 +168,29 @@ isc_sockaddr_format(const isc_sockaddr_t *sa, char *array, unsigned int size);
  */
 
 isc_boolean_t
-isc_sockaddr_ismulticast(const isc_sockaddr_t *sa);
+isc_sockaddr_ismulticast(isc_sockaddr_t *sa);
 /*
- * Returns ISC_TRUE if the address is a multicast address
+ * Returns ISC_TRUE if the address is a multicast address.
  */
 
 isc_boolean_t
-isc_sockaddr_isexperimental(const isc_sockaddr_t *sa);
+isc_sockaddr_isexperimental(isc_sockaddr_t *sa);
 /*
  * Returns ISC_TRUE if the address is a experimental (CLASS E) address.
  */
 
+isc_boolean_t
+isc_sockaddr_islinklocal(isc_sockaddr_t *sa);
+/*
+ * Returns ISC_TRUE if the address is a link local addresss.
+ */
+
+isc_boolean_t
+isc_sockaddr_issitelocal(isc_sockaddr_t *sa);
+/*
+ * Returns ISC_TRUE if the address is a sitelocal address.
+ */
+
 #define ISC_SOCKADDR_FORMATSIZE \
 	sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:XXX.XXX.XXX.XXX#YYYYY")
 /*
diff --git a/lib/isc/include/isc/socket.h b/lib/isc/include/isc/socket.h
index 2fb6e709..9dcadb21 100644
--- a/lib/isc/include/isc/socket.h
+++ b/lib/isc/include/isc/socket.h
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
+ * Copyright (C) 1998-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: socket.h,v 1.54.2.1 2004/03/09 06:12:02 marka Exp $ */
+/* $Id: socket.h,v 1.54.12.4 2004/03/08 09:04:53 marka Exp $ */
 
 #ifndef ISC_SOCKET_H
 #define ISC_SOCKET_H 1
@@ -327,6 +327,13 @@ isc_socket_bind(isc_socket_t *sock, isc_sockaddr_t *addressp);
  */
 
 isc_result_t
+isc_socket_filter(isc_socket_t *sock, const char *filter);
+/*
+ * Inform the kernel that it should perform accept filtering.
+ * If filter is NULL the current filter will be removed.:w
+ */
+
+isc_result_t
 isc_socket_listen(isc_socket_t *sock, unsigned int backlog);
 /*
  * Set listen mode on the socket.  After this call, the only function that
@@ -682,6 +689,16 @@ isc_socket_gettype(isc_socket_t *sock);
 isc_boolean_t
 isc_socket_isbound(isc_socket_t *sock);
 
+void
+isc_socket_ipv6only(isc_socket_t *sock, isc_boolean_t yes);
+/*
+ * If the socket is an IPv6 socket set/clear the IPV6_IPV6ONLY socket
+ * option if the host OS supports this option.
+ *
+ * Requires:
+ *	'sock' is a valid socket.
+ */
+
 ISC_LANG_ENDDECLS
 
 #endif /* ISC_SOCKET_H */
diff --git a/lib/isc/include/isc/stdio.h b/lib/isc/include/isc/stdio.h
index e6d86b11..7dad2848 100644
--- a/lib/isc/include/isc/stdio.h
+++ b/lib/isc/include/isc/stdio.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: stdio.h,v 1.6.2.1 2004/03/09 06:12:02 marka Exp $ */
+/* $Id: stdio.h,v 1.6.206.1 2004/03/06 08:14:48 marka Exp $ */
 
 #ifndef ISC_STDIO_H
 #define ISC_STDIO_H 1
diff --git a/bin/named/include/named/ns_smf_globals.h b/lib/isc/include/isc/stdlib.h
index 0713d1d3..7b75584a 100644
--- a/bin/named/include/named/ns_smf_globals.h
+++ b/lib/isc/include/isc/stdlib.h
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,31 +15,24 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ns_smf_globals.h,v 1.2.6.3 2005/05/13 01:21:56 marka Exp $ */
-
-#ifndef NS_SMF_GLOBALS_H
-#define NS_SMF_GLOBALS_H 1
- 
-#include <libscf.h>
- 
-#undef EXTERN
-#undef INIT
-#ifdef NS_MAIN
-#define EXTERN
-#define INIT(v) = (v)
-#else
-#define EXTERN extern
-#define INIT(v)
+/* $Id: stdlib.h,v 1.1.32.2 2004/03/06 08:14:48 marka Exp $ */
+
+#ifndef ISC_STDLIB_H
+#define ISC_STDLIB_H 1
+
+#include <stdlib.h>
+
+#include <isc/lang.h>
+#include <isc/platform.h>
+
+#ifdef ISC_PLATFORM_NEEDSTRTOUL
+#define strtoul isc_strtoul
+#endif
+
+ISC_LANG_BEGINDECLS
+
+unsigned long isc_strtoul(const char *, char **, int);
+
+ISC_LANG_ENDDECLS
+
 #endif
-                
-EXTERN unsigned int	ns_smf_got_instance	INIT(0);
-EXTERN unsigned int	ns_smf_chroot		INIT(0);
-
-isc_result_t ns_smf_add_message(isc_buffer_t *text);
-isc_result_t ns_smf_get_instance(char **name, int debug, isc_mem_t *mctx);
-isc_result_t ns_smf_disable(const char *name);
-
-#undef EXTERN
-#undef INIT
- 
-#endif /* NS_SMF_GLOBALS_H */
diff --git a/lib/isc/include/isc/string.h b/lib/isc/include/isc/string.h
index 7da27cad..4fbfe190 100644
--- a/lib/isc/include/isc/string.h
+++ b/lib/isc/include/isc/string.h
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: string.h,v 1.9.2.1 2004/03/09 06:12:02 marka Exp $ */
+/* $Id: string.h,v 1.9.164.3 2004/03/06 08:14:49 marka Exp $ */
 
 #ifndef ISC_STRING_H
 #define ISC_STRING_H 1
@@ -51,6 +51,26 @@ isc_string_separate(char **stringp, const char *delim);
 #define strsep isc_string_separate
 #endif
 
+#ifdef ISC_PLATFORM_NEEDMEMMOVE
+#define memmove(a,b,c) bcopy(b,a,c)
+#endif
+
+size_t
+isc_string_strlcpy(char *dst, const char *src, size_t size);
+
+
+#ifdef ISC_PLATFORM_NEEDSTRLCPY
+#define strlcpy isc_string_strlcpy
+#endif
+
+
+size_t
+isc_string_strlcat(char *dst, const char *src, size_t size);
+
+#ifdef ISC_PLATFORM_NEEDSTRLCAT
+#define strlcat isc_string_strlcat
+#endif
+
 ISC_LANG_ENDDECLS
 
 #endif /* ISC_STRING_H */
diff --git a/lib/isc/include/isc/symtab.h b/lib/isc/include/isc/symtab.h
index 2294fb28..d8dbd210 100644
--- a/lib/isc/include/isc/symtab.h
+++ b/lib/isc/include/isc/symtab.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1996-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: symtab.h,v 1.16.2.3 2006/03/02 00:37:17 marka Exp $ */
+/* $Id: symtab.h,v 1.16.206.1 2004/03/06 08:14:49 marka Exp $ */
 
 #ifndef ISC_SYMTAB_H
 #define ISC_SYMTAB_H 1
@@ -88,7 +88,6 @@
 
 typedef union isc_symvalue {
 	void *				as_pointer;
-	const void *			as_cpointer;
 	int				as_integer;
 	unsigned int			as_uinteger;
 } isc_symvalue_t;
diff --git a/lib/isc/include/isc/task.h b/lib/isc/include/isc/task.h
index c128d25a..0e8190a3 100644
--- a/lib/isc/include/isc/task.h
+++ b/lib/isc/include/isc/task.h
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
+ * Copyright (C) 1998-2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: task.h,v 1.49.2.1 2004/03/09 06:12:02 marka Exp $ */
+/* $Id: task.h,v 1.49.206.3 2004/03/09 05:21:09 marka Exp $ */
 
 #ifndef ISC_TASK_H
 #define ISC_TASK_H 1
@@ -58,9 +58,10 @@
  *** Imports.
  ***/
 
+#include <isc/eventclass.h>
 #include <isc/lang.h>
+#include <isc/stdtime.h>
 #include <isc/types.h>
-#include <isc/eventclass.h>
 
 #define ISC_TASKEVENT_FIRSTEVENT	(ISC_EVENTCLASS_TASK + 0)
 #define ISC_TASKEVENT_SHUTDOWN		(ISC_EVENTCLASS_TASK + 1)
@@ -518,6 +519,19 @@ isc_task_endexclusive(isc_task_t *task);
  *		exclusive access by calling isc_task_spl().
  */
 
+void
+isc_task_getcurrenttime(isc_task_t *task, isc_stdtime_t *t);
+/*
+ * Provide the most recent timestamp on the task.  The timestamp is considered
+ * as the "current time" in the second-order granularity.
+ *
+ * Requires:
+ *	'task' is a valid task.
+ *	't' is a valid non NULL pointer.
+ *
+ * Ensures:
+ *	'*t' has the "current time".
+ */
 
 /*****
  ***** Task Manager.
diff --git a/lib/isc/include/isc/taskpool.h b/lib/isc/include/isc/taskpool.h
index f2c5cb72..42066d21 100644
--- a/lib/isc/include/isc/taskpool.h
+++ b/lib/isc/include/isc/taskpool.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: taskpool.h,v 1.8.2.1 2004/03/09 06:12:03 marka Exp $ */
+/* $Id: taskpool.h,v 1.8.206.1 2004/03/06 08:14:49 marka Exp $ */
 
 #ifndef ISC_TASKPOOL_H
 #define ISC_TASKPOOL_H 1
diff --git a/lib/isc/include/isc/timer.h b/lib/isc/include/isc/timer.h
index 938cc122..be32911a 100644
--- a/lib/isc/include/isc/timer.h
+++ b/lib/isc/include/isc/timer.h
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
+ * Copyright (C) 1998-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: timer.h,v 1.28.2.1 2004/03/09 06:12:03 marka Exp $ */
+/* $Id: timer.h,v 1.28.12.4 2004/03/08 09:04:53 marka Exp $ */
 
 #ifndef ISC_TIMER_H
 #define ISC_TIMER_H 1
@@ -38,6 +38,9 @@
  *	They are used to implement both (possibly expiring) idle timers and
  *	'one-shot' timers.
  *
+ *	'limited' timers generate a periodic tick event until they reach
+ *	their lifetime when they generate a life timeout event.
+ *
  *	'inactive' timers generate no events.
  *
  * Timers can change type.  It is typical to create a timer as
@@ -87,7 +90,8 @@ ISC_LANG_BEGINDECLS
 typedef enum {
 	isc_timertype_ticker = 0,
 	isc_timertype_once = 1,
-	isc_timertype_inactive = 2
+	isc_timertype_limited = 2,
+	isc_timertype_inactive = 3
 } isc_timertype_t;
 
 typedef struct isc_timerevent {
@@ -274,6 +278,9 @@ isc_timer_detach(isc_timer_t **timerp);
  */
 
 isc_result_t
+isc_timer_gettype(isc_timer_t *timer);
+
+isc_result_t
 isc_timermgr_create(isc_mem_t *mctx, isc_timermgr_t **managerp);
 /*
  * Create a timer manager.
@@ -322,6 +329,8 @@ isc_timermgr_destroy(isc_timermgr_t **managerp);
  *	All resources used by the manager have been freed.
  */
 
+void isc_timermgr_poke(isc_timermgr_t *m);
+
 ISC_LANG_ENDDECLS
 
 #endif /* ISC_TIMER_H */
diff --git a/lib/isc/include/isc/types.h b/lib/isc/include/isc/types.h
index 92e41c1d..fad77da9 100644
--- a/lib/isc/include/isc/types.h
+++ b/lib/isc/include/isc/types.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: types.h,v 1.32.2.5 2004/03/09 06:12:03 marka Exp $ */
+/* $Id: types.h,v 1.32.2.3.2.1 2004/03/06 08:14:50 marka Exp $ */
 
 #ifndef ISC_TYPES_H
 #define ISC_TYPES_H 1
diff --git a/lib/isc/include/isc/util.h b/lib/isc/include/isc/util.h
index 6e5a38f5..c2798d6d 100644
--- a/lib/isc/include/isc/util.h
+++ b/lib/isc/include/isc/util.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: util.h,v 1.21.2.1 2004/03/09 06:12:03 marka Exp $ */
+/* $Id: util.h,v 1.21.12.5 2004/03/08 09:04:53 marka Exp $ */
 
 #ifndef ISC_UTIL_H
 #define ISC_UTIL_H 1
@@ -65,6 +65,12 @@
 	} while (0)
 
 /*
+ * Use this in translation units that would otherwise be empty, to
+ * suppress compiler warnings.
+ */
+#define EMPTY_TRANSLATION_UNIT static void isc__empty(void) { isc__empty(); }
+
+/*
  * We use macros instead of calling the routines directly because
  * the capital letters make the locking stand out.
  *
@@ -166,6 +172,9 @@
 	RUNTIME_CHECK(isc_rwlock_unlock((lp), (t)) == ISC_R_SUCCESS); \
 	} while (0)
 
+#define DESTROYMUTEXBLOCK(bp, n) \
+	RUNTIME_CHECK(isc_mutexblock_destroy((bp), (n)) == ISC_R_SUCCESS)
+
 /*
  * List Macros.
  */
@@ -208,4 +217,9 @@
 #define FATAL_ERROR			isc_error_fatal
 #define RUNTIME_CHECK(cond)		ISC_ERROR_RUNTIMECHECK(cond)
 
+/*
+ * Time
+ */
+#define TIME_NOW(tp) 	RUNTIME_CHECK(isc_time_now((tp)) == ISC_R_SUCCESS)
+
 #endif /* ISC_UTIL_H */
diff --git a/lib/isc/include/isc/version.h b/lib/isc/include/isc/version.h
new file mode 100644
index 00000000..3da836c3
--- /dev/null
+++ b/lib/isc/include/isc/version.h
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2001  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: version.h,v 1.2.220.3 2004/03/08 09:04:54 marka Exp $ */
+
+#include <isc/platform.h>
+
+LIBISC_EXTERNAL_DATA extern const char isc_version[];
+
+LIBISC_EXTERNAL_DATA extern const unsigned int isc_libinterface;
+LIBISC_EXTERNAL_DATA extern const unsigned int isc_librevision;
+LIBISC_EXTERNAL_DATA extern const unsigned int isc_libage;
diff --git a/lib/isc/inet_aton.c b/lib/isc/inet_aton.c
index dcba7e0e..530b0103 100644
--- a/lib/isc/inet_aton.c
+++ b/lib/isc/inet_aton.c
@@ -70,7 +70,7 @@
 
 #if defined(LIBC_SCCS) && !defined(lint)
 static char sccsid[] = "@(#)inet_addr.c	8.1 (Berkeley) 6/17/93";
-static char rcsid[] = "$Id: inet_aton.c,v 1.15.2.1 2004/03/09 06:11:47 marka Exp $";
+static char rcsid[] = "$Id: inet_aton.c,v 1.15.12.3 2004/03/08 09:04:49 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include <config.h>
@@ -113,7 +113,7 @@ isc_net_aton(const char *cp, struct in_addr *addr) {
 				base = 16, c = *++cp;
 			else {
 				base = 8;
-				digit = 1 ;
+				digit = 1;
 			}
 		}
 		for (;;) {
diff --git a/lib/isc/inet_ntop.c b/lib/isc/inet_ntop.c
index 2dfb7a11..9b8fe047 100644
--- a/lib/isc/inet_ntop.c
+++ b/lib/isc/inet_ntop.c
@@ -17,7 +17,7 @@
 
 #if defined(LIBC_SCCS) && !defined(lint)
 static char rcsid[] =
-	"$Id: inet_ntop.c,v 1.12.2.1 2004/03/09 06:11:47 marka Exp $";
+	"$Id: inet_ntop.c,v 1.12.12.3 2004/03/08 09:04:49 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include <config.h>
@@ -84,7 +84,7 @@ static const char *
 inet_ntop4(const unsigned char *src, char *dst, size_t size)
 {
 	static const char *fmt = "%u.%u.%u.%u";
-	char tmp[sizeof "255.255.255.255"];
+	char tmp[sizeof("255.255.255.255")];
 
 	if ((size_t)sprintf(tmp, fmt, src[0], src[1], src[2], src[3]) >= size)
 	{
@@ -113,7 +113,7 @@ inet_ntop6(const unsigned char *src, char *dst, size_t size)
 	 * Keep this in mind if you think this function should have been coded
 	 * to use pointer overlays.  All the world's not a VAX.
 	 */
-	char tmp[sizeof "ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255"], *tp;
+	char tmp[sizeof("ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255")], *tp;
 	struct { int base, len; } best, cur;
 	unsigned int words[NS_IN6ADDRSZ / NS_INT16SZ];
 	int i;
@@ -123,7 +123,7 @@ inet_ntop6(const unsigned char *src, char *dst, size_t size)
 	 *	Copy the input (bytewise) array into a wordwise array.
 	 *	Find the longest run of 0x00's in src[] for :: shorthanding.
 	 */
-	memset(words, '\0', sizeof words);
+	memset(words, '\0', sizeof(words));
 	for (i = 0; i < NS_IN6ADDRSZ; i++)
 		words[i / 2] |= (src[i] << ((1 - (i % 2)) << 3));
 	best.base = -1;
@@ -168,7 +168,7 @@ inet_ntop6(const unsigned char *src, char *dst, size_t size)
 		if (i == 6 && best.base == 0 &&
 		    (best.len == 6 || (best.len == 5 && words[5] == 0xffff))) {
 			if (!inet_ntop4(src+12, tp,
-					sizeof tmp - (tp - tmp)))
+					sizeof(tmp) - (tp - tmp)))
 				return (NULL);
 			tp += strlen(tp);
 			break;
diff --git a/lib/isc/inet_pton.c b/lib/isc/inet_pton.c
index c44dfb97..b253069e 100644
--- a/lib/isc/inet_pton.c
+++ b/lib/isc/inet_pton.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1996-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -17,7 +17,7 @@
 
 #if defined(LIBC_SCCS) && !defined(lint)
 static char rcsid[] =
-	"$Id: inet_pton.c,v 1.10.2.7 2005/03/31 23:58:01 marka Exp $";
+	"$Id: inet_pton.c,v 1.10.2.4.2.1 2004/03/06 08:14:31 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include <config.h>
@@ -132,7 +132,7 @@ inet_pton6(const char *src, unsigned char *dst) {
 			  xdigits_u[] = "0123456789ABCDEF";
 	unsigned char tmp[NS_IN6ADDRSZ], *tp, *endp, *colonp;
 	const char *xdigits, *curtok;
-	int ch, seen_xdigits;
+	int ch, saw_xdigit;
 	unsigned int val;
 
 	memset((tp = tmp), '\0', NS_IN6ADDRSZ);
@@ -143,7 +143,7 @@ inet_pton6(const char *src, unsigned char *dst) {
 		if (*++src != ':')
 			return (0);
 	curtok = src;
-	seen_xdigits = 0;
+	saw_xdigit = 0;
 	val = 0;
 	while ((ch = *src++) != '\0') {
 		const char *pch;
@@ -153,13 +153,14 @@ inet_pton6(const char *src, unsigned char *dst) {
 		if (pch != NULL) {
 			val <<= 4;
 			val |= (pch - xdigits);
-			if (++seen_xdigits > 4)
+			if (val > 0xffff)
 				return (0);
+			saw_xdigit = 1;
 			continue;
 		}
 		if (ch == ':') {
 			curtok = src;
-			if (!seen_xdigits) {
+			if (!saw_xdigit) {
 				if (colonp)
 					return (0);
 				colonp = tp;
@@ -169,19 +170,19 @@ inet_pton6(const char *src, unsigned char *dst) {
 				return (0);
 			*tp++ = (unsigned char) (val >> 8) & 0xff;
 			*tp++ = (unsigned char) val & 0xff;
-			seen_xdigits = 0;
+			saw_xdigit = 0;
 			val = 0;
 			continue;
 		}
 		if (ch == '.' && ((tp + NS_INADDRSZ) <= endp) &&
 		    inet_pton4(curtok, tp) > 0) {
 			tp += NS_INADDRSZ;
-			seen_xdigits = 0;
+			saw_xdigit = 0;
 			break;	/* '\0' was seen by inet_pton4(). */
 		}
 		return (0);
 	}
-	if (seen_xdigits) {
+	if (saw_xdigit) {
 		if (tp + NS_INT16SZ > endp)
 			return (0);
 		*tp++ = (unsigned char) (val >> 8) & 0xff;
diff --git a/lib/isc/lex.c b/lib/isc/lex.c
index 03123fe2..b03788bd 100644
--- a/lib/isc/lex.c
+++ b/lib/isc/lex.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lex.c,v 1.66.2.10 2006/01/04 23:50:17 marka Exp $ */
+/* $Id: lex.c,v 1.66.2.6.2.7 2004/03/06 08:14:31 marka Exp $ */
 
 #include <config.h>
 
@@ -28,6 +28,7 @@
 #include <isc/lex.h>
 #include <isc/mem.h>
 #include <isc/msgs.h>
+#include <isc/parseint.h>
 #include <isc/stdio.h>
 #include <isc/string.h>
 #include <isc/util.h>
@@ -55,7 +56,6 @@ struct isc_lex {
 	isc_mem_t *			mctx;
 	size_t				max_token;
 	char *				data;
-	unsigned int			options;
 	unsigned int			comments;
 	isc_boolean_t			comment_ok;
 	isc_boolean_t			last_was_eol;
@@ -94,12 +94,12 @@ isc_lex_create(isc_mem_t *mctx, size_t max_token, isc_lex_t **lexp) {
 	REQUIRE(lexp != NULL && *lexp == NULL);
 	REQUIRE(max_token > 0U);
 
-	lex = isc_mem_get(mctx, sizeof *lex);
+	lex = isc_mem_get(mctx, sizeof(*lex));
 	if (lex == NULL)
 		return (ISC_R_NOMEMORY);
 	lex->data = isc_mem_get(mctx, max_token + 1);
 	if (lex->data == NULL) {
-		isc_mem_put(mctx, lex, sizeof *lex);
+		isc_mem_put(mctx, lex, sizeof(*lex));
 		return (ISC_R_NOMEMORY);
 	}
 	lex->mctx = mctx;
@@ -131,11 +131,11 @@ isc_lex_destroy(isc_lex_t **lexp) {
 	REQUIRE(VALID_LEX(lex));
 
 	while (!EMPTY(lex->sources))
-		isc_lex_close(lex);
+		RUNTIME_CHECK(isc_lex_close(lex) == ISC_R_SUCCESS);
 	if (lex->data != NULL)
 		isc_mem_put(lex->mctx, lex->data, lex->max_token + 1);
 	lex->magic = 0;
-	isc_mem_put(lex->mctx, lex, sizeof *lex);
+	isc_mem_put(lex->mctx, lex, sizeof(*lex));
 
 	*lexp = NULL;
 }
@@ -192,7 +192,7 @@ new_source(isc_lex_t *lex, isc_boolean_t is_file, isc_boolean_t need_close,
 	inputsource *source;
 	isc_result_t result;
 
-	source = isc_mem_get(lex->mctx, sizeof *source);
+	source = isc_mem_get(lex->mctx, sizeof(*source));
 	if (source == NULL)
 		return (ISC_R_NOMEMORY);
 	source->result = ISC_R_SUCCESS;
@@ -202,7 +202,7 @@ new_source(isc_lex_t *lex, isc_boolean_t is_file, isc_boolean_t need_close,
 	source->input = input;
 	source->name = isc_mem_strdup(lex->mctx, name);
 	if (source->name == NULL) {
-		isc_mem_put(lex->mctx, source, sizeof *source);
+		isc_mem_put(lex->mctx, source, sizeof(*source));
 		return (ISC_R_NOMEMORY);
 	}
 	source->pushback = NULL;
@@ -210,7 +210,7 @@ new_source(isc_lex_t *lex, isc_boolean_t is_file, isc_boolean_t need_close,
 				     lex->max_token);
 	if (result != ISC_R_SUCCESS) {
 		isc_mem_free(lex->mctx, source->name);
-		isc_mem_put(lex->mctx, source, sizeof *source);
+		isc_mem_put(lex->mctx, source, sizeof(*source));
 		return (result);
 	}
 	source->ignored = 0;
@@ -237,7 +237,7 @@ isc_lex_openfile(isc_lex_t *lex, const char *filename) {
 
 	result = new_source(lex, ISC_TRUE, ISC_TRUE, stream, filename);
 	if (result != ISC_R_SUCCESS)
-		fclose(stream);
+		(void)fclose(stream);
 	return (result);
 }
 
@@ -251,8 +251,7 @@ isc_lex_openstream(isc_lex_t *lex, FILE *stream) {
 
 	REQUIRE(VALID_LEX(lex));
 
-	/* This is safe. */
-	sprintf(name, "stream-%p", stream);
+	snprintf(name, sizeof(name), "stream-%p", stream);
 
 	return (new_source(lex, ISC_TRUE, ISC_FALSE, stream, name));
 }
@@ -267,8 +266,7 @@ isc_lex_openbuffer(isc_lex_t *lex, isc_buffer_t *buffer) {
 
 	REQUIRE(VALID_LEX(lex));
 
-	/* This is safe. */
-	sprintf(name, "buffer-%p", buffer);
+	snprintf(name, sizeof(name), "buffer-%p", buffer);
 
 	return (new_source(lex, ISC_FALSE, ISC_FALSE, buffer, name));
 }
@@ -290,11 +288,11 @@ isc_lex_close(isc_lex_t *lex) {
 	ISC_LIST_UNLINK(lex->sources, source, link);
 	if (source->is_file) {
 		if (source->need_close)
-			fclose((FILE *)(source->input));
+			(void)fclose((FILE *)(source->input));
 	}
 	isc_mem_free(lex->mctx, source->name);
 	isc_buffer_free(&source->pushback);
-	isc_mem_put(lex->mctx, source, sizeof *source);
+	isc_mem_put(lex->mctx, source, sizeof(*source));
 
 	return (ISC_R_SUCCESS);
 }
@@ -361,9 +359,8 @@ isc_lex_gettoken(isc_lex_t *lex, unsigned int options, isc_token_t *tokenp) {
 	FILE *stream;
 	char *curr, *prev;
 	size_t remaining;
-	unsigned long as_ulong;
+	isc_uint32_t as_ulong;
 	unsigned int saved_options;
-	char *e;
 	isc_result_t result;
 
 	/*
@@ -374,6 +371,9 @@ isc_lex_gettoken(isc_lex_t *lex, unsigned int options, isc_token_t *tokenp) {
 	source = HEAD(lex->sources);
 	REQUIRE(tokenp != NULL);
 
+	lex->saved_paren_count = lex->paren_count;
+	source->saved_line = source->line;
+
 	if (source == NULL) {
 		if ((options & ISC_LEXOPT_NOMORE) != 0) {
 			tokenp->type = isc_tokentype_nomore;
@@ -385,9 +385,6 @@ isc_lex_gettoken(isc_lex_t *lex, unsigned int options, isc_token_t *tokenp) {
 	if (source->result != ISC_R_SUCCESS)
 		return (source->result);
 
-	lex->saved_paren_count = lex->paren_count;
-	source->saved_line = source->line;
-
 	if (isc_buffer_remaininglength(source->pushback) == 0 &&
 	    source->at_eof)
 	{
@@ -522,7 +519,7 @@ isc_lex_gettoken(isc_lex_t *lex, unsigned int options, isc_token_t *tokenp) {
 				    != 0) {
 					lex->last_was_eol = ISC_FALSE;
 					tokenp->type = isc_tokentype_initialws;
-					tokenp->value.as_char = c;
+ 					tokenp->value.as_char = c;
 					done = ISC_TRUE;
 				}
 			} else if (c == '\n') {
@@ -591,17 +588,16 @@ isc_lex_gettoken(isc_lex_t *lex, unsigned int options, isc_token_t *tokenp) {
 					else
 						base = 10;
 					pushback(source, c);
-					as_ulong = strtoul(lex->data, &e, base);
-					if (as_ulong == ULONG_MAX &&
-					    errno == ERANGE) {
-						result = ISC_R_RANGE;
-						goto done;
-					} else if (*e == 0) {
+
+					result = isc_parse_uint32(&as_ulong,
+								  lex->data,
+								  base);
+					if (result == ISC_R_SUCCESS) {
 						tokenp->type =
 							isc_tokentype_number;
 						tokenp->value.as_ulong =
 							as_ulong;
-					} else {
+					} else if (result == ISC_R_BADNUMBER) {
 						isc_tokenvalue_t *v;
 
 						tokenp->type =
@@ -612,7 +608,8 @@ isc_lex_gettoken(isc_lex_t *lex, unsigned int options, isc_token_t *tokenp) {
 						v->as_textregion.length =
 							lex->max_token -
 							remaining;
-					}
+					} else
+						goto done;
 					done = ISC_TRUE;
 					continue;
 				} else if (!(options & ISC_LEXOPT_CNUMBER) ||
@@ -635,13 +632,9 @@ isc_lex_gettoken(isc_lex_t *lex, unsigned int options, isc_token_t *tokenp) {
 			remaining--;
 			break;
 		case lexstate_string:
-			/*
-			 * EOF needs to be checked before lex->specials[c]
-			 * as lex->specials[EOF] is not a good idea.
-			 */
-			if (c == '\r' || c == '\n' || c == EOF ||
-			    (!escaped &&
-			     (c == ' ' || c == '\t' || lex->specials[c]))) {
+			if ((!escaped &&
+			     (c == ' ' || c == '\t' || lex->specials[c])) ||
+			    c == '\r' || c == '\n' || c == EOF) {
 				pushback(source, c);
 				if (source->result != ISC_R_SUCCESS) {
 					result = source->result;
@@ -875,7 +868,7 @@ isc_lex_getsourcename(isc_lex_t *lex) {
 	source = HEAD(lex->sources);
 
 	if (source == NULL)
-		return(NULL);
+		return (NULL);
 
 	return (source->name);
 }
@@ -888,11 +881,30 @@ isc_lex_getsourceline(isc_lex_t *lex) {
 	source = HEAD(lex->sources);
 
 	if (source == NULL)
-		return(0);
+		return (0);
 
 	return (source->line);
 }
 
+
+isc_result_t
+isc_lex_setsourcename(isc_lex_t *lex, const char *name) {
+	inputsource *source;
+	char *newname;
+
+	REQUIRE(VALID_LEX(lex));
+	source = HEAD(lex->sources);
+
+	if (source == NULL)
+		return(ISC_R_NOTFOUND);
+	newname = isc_mem_strdup(lex->mctx, name);
+	if (newname == NULL)
+		return (ISC_R_NOMEMORY);
+	isc_mem_free(lex->mctx, source->name);
+	source->name = newname;
+	return (ISC_R_SUCCESS);
+}
+
 isc_boolean_t
 isc_lex_isfile(isc_lex_t *lex) {
 	inputsource *source;
diff --git a/lib/isc/lfsr.c b/lib/isc/lfsr.c
index b982d3ac..e1de6aa2 100644
--- a/lib/isc/lfsr.c
+++ b/lib/isc/lfsr.c
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lfsr.c,v 1.11.2.5 2005/10/14 02:13:04 marka Exp $ */
+/* $Id: lfsr.c,v 1.11.2.2.2.3 2004/03/08 09:04:49 marka Exp $ */
 
 #include <config.h>
 
@@ -55,6 +55,9 @@ isc_lfsr_init(isc_lfsr_t *lfsr, isc_uint32_t state, unsigned int bits,
 static inline isc_uint32_t
 lfsr_generate(isc_lfsr_t *lfsr)
 {
+	unsigned int highbit;
+
+	highbit = 1 << (lfsr->bits - 1);
 
 	/*
 	 * If the previous state is zero, we must fill it with something
@@ -95,7 +98,7 @@ isc_lfsr_generate(isc_lfsr_t *lfsr, void *data, unsigned int count)
 
 	while (byte--) {
 		*p = 0;
-		for (bit = 0 ; bit < 7 ; bit++) {
+		for (bit = 0; bit < 7; bit++) {
 			*p |= lfsr_generate(lfsr);
 			*p <<= 1;
 		}
diff --git a/lib/isc/lib.c b/lib/isc/lib.c
index e03f7cd1..fa30abf1 100644
--- a/lib/isc/lib.c
+++ b/lib/isc/lib.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lib.c,v 1.8.2.1 2004/03/09 06:11:47 marka Exp $ */
+/* $Id: lib.c,v 1.8.12.3 2004/03/08 09:04:49 marka Exp $ */
 
 #include <config.h>
 
@@ -30,7 +30,7 @@
  *** Globals
  ***/
 
-isc_msgcat_t *			isc_msgcat = NULL;
+LIBISC_EXTERNAL_DATA isc_msgcat_t *		isc_msgcat = NULL;
 
 
 /***
diff --git a/lib/isc/log.c b/lib/isc/log.c
index 2020bf66..e678364e 100644
--- a/lib/isc/log.c
+++ b/lib/isc/log.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: log.c,v 1.70.2.14 2004/06/11 00:36:39 marka Exp $ */
+/* $Id: log.c,v 1.70.2.8.2.10 2004/04/10 04:31:40 marka Exp $ */
 
 /* Principal Authors: DCL */
 
@@ -27,7 +27,6 @@
 #include <time.h>
 
 #include <sys/types.h>	/* dev_t FreeBSD 2.1 */
-#include <sys/stat.h>
 
 #include <isc/dir.h>
 #include <isc/file.h>
@@ -202,6 +201,8 @@ LIBISC_EXTERNAL_DATA isc_logcategory_t isc_categories[] = {
 LIBISC_EXTERNAL_DATA isc_logmodule_t isc_modules[] = {
 	{ "socket", 0 },
 	{ "time", 0 },
+	{ "interface", 0 },
+	{ "timer", 0 },
 	{ NULL, 0 }
 };
 
@@ -1016,7 +1017,7 @@ isc_log_gettag(isc_logconfig_t *lcfg) {
 /* XXXDCL NT  -- This interface will assuredly be changing. */
 void
 isc_log_opensyslog(const char *tag, int options, int facility) {
-	openlog(tag, options, facility);
+	(void)openlog(tag, options, facility);
 }
 
 void
@@ -1139,10 +1140,6 @@ greatest_version(isc_logchannel_t *channel, int *greatestp) {
 	unsigned int basenamelen;
 	isc_dir_t dir;
 	isc_result_t result;
-	char sep = '/';
-#ifdef _WIN32
-	char *basename2;
-#endif
 
 	REQUIRE(channel->type == ISC_LOG_TOFILE);
 
@@ -1150,15 +1147,7 @@ greatest_version(isc_logchannel_t *channel, int *greatestp) {
 	 * It is safe to DE_CONST the file.name because it was copied
 	 * with isc_mem_strdup in isc_log_createchannel.
 	 */
-	basename = strrchr(FILE_NAME(channel), sep);
-#ifdef _WIN32
-	basename2 = strrchr(FILE_NAME(channel), '\\');
-	if ((basename != NULL && basename2 != NULL && basename2 > basename) ||
-	    (basename == NULL && basename2 != NULL)) {
-		basename = basename2;
-		sep = '\\';
-	}
-#endif
+	basename = strrchr(FILE_NAME(channel), '/');
 	if (basename != NULL) {
 		*basename++ = '\0';
 		dirname = FILE_NAME(channel);
@@ -1175,7 +1164,7 @@ greatest_version(isc_logchannel_t *channel, int *greatestp) {
 	 * Replace the file separator if it was taken out.
 	 */
 	if (basename != FILE_NAME(channel))
-		*(basename - 1) = sep;
+		*(basename - 1) = '/';
 
 	/*
 	 * Return if the directory open failed.
@@ -1328,11 +1317,8 @@ isc_log_open(isc_logchannel_t *channel) {
 	if (stat(path, &statbuf) == 0) {
 		regular_file = S_ISREG(statbuf.st_mode) ? ISC_TRUE : ISC_FALSE;
 		/* XXXDCL if not regular_file complain? */
-		if ((FILE_MAXSIZE(channel) == 0 &&
-		     FILE_VERSIONS(channel) != ISC_LOG_ROLLNEVER) ||
-		    (FILE_MAXSIZE(channel) > 0 &&
-		     statbuf.st_size >= FILE_MAXSIZE(channel)))
-			roll = regular_file;
+		roll = ISC_TF(regular_file && FILE_MAXSIZE(channel) > 0 &&
+			      statbuf.st_size >= FILE_MAXSIZE(channel));
 	} else if (errno == ENOENT)
 		regular_file = ISC_TRUE;
 	else
@@ -1498,39 +1484,29 @@ isc_log_doit(isc_log_t *lctx, isc_logcategory_t *category,
 
 		if ((channel->flags & ISC_LOG_PRINTTIME) != 0 &&
 		    time_string[0] == '\0') {
-		    isc_time_t isctime;
-
-		    result = isc_time_now(&isctime);
-			if (result == ISC_R_SUCCESS)
-				isc_time_formattimestamp(&isctime, time_string,
-							 sizeof(time_string));
-			else
-				/*
-				 * "Should never happen."
-				 */
-				snprintf(time_string, sizeof(time_string),
-					 isc_msgcat_get(isc_msgcat,
-						      ISC_MSGSET_LOG,
-						      ISC_MSG_BADTIME,
-						      "Bad 00 99:99:99.999"));
-
+			isc_time_t isctime;
+			
+			TIME_NOW(&isctime);
+			isc_time_formattimestamp(&isctime, time_string,
+						 sizeof(time_string));
 		}
 
 		if ((channel->flags & ISC_LOG_PRINTLEVEL) != 0 &&
 		    level_string[0] == '\0') {
 			if (level < ISC_LOG_CRITICAL)
-				sprintf(level_string,
-					isc_msgcat_get(isc_msgcat,
-						       ISC_MSGSET_LOG,
-						       ISC_MSG_LEVEL,
-						       "level %d: "),
-					level);
+				snprintf(level_string, sizeof(level_string),
+					 isc_msgcat_get(isc_msgcat,
+						        ISC_MSGSET_LOG,
+						        ISC_MSG_LEVEL,
+						        "level %d: "),
+					 level);
 			else if (level > ISC_LOG_DYNAMIC)
-				sprintf(level_string, "%s %d: ",
-					log_level_strings[0], level);
+				snprintf(level_string, sizeof(level_string),
+					 "%s %d: ", log_level_strings[0],
+					 level);
 			else
-				sprintf(level_string, "%s: ",
-					log_level_strings[-level]);
+				snprintf(level_string, sizeof(level_string),
+					 "%s: ", log_level_strings[-level]);
 		}
 
 		/*
@@ -1556,10 +1532,9 @@ isc_log_doit(isc_log_t *lctx, isc_logcategory_t *category,
 				 * which fall within the duplicate_interval
 				 * range.
 				 */
-				if (isc_time_now(&oldest) != ISC_R_SUCCESS ||
-				    isc_time_subtract(&oldest, &interval,
-						      &oldest) !=
-				    ISC_R_SUCCESS)
+				TIME_NOW(&oldest);
+				if (isc_time_subtract(&oldest, &interval, &oldest)
+				    != ISC_R_SUCCESS)
 					/*
 					 * Can't effectively do the checking
 					 * without having a valid time.
@@ -1631,16 +1606,7 @@ isc_log_doit(isc_log_t *lctx, isc_logcategory_t *category,
 					new->text = (char *)(new + 1);
 					strcpy(new->text, lctx->buffer);
 
-					if (isc_time_now(&new->time) !=
-					    ISC_R_SUCCESS)
-						/*
-						 * This will cause the message
-						 * to immediately expire on
-						 * the next call to [v]write1.
-						 * What's a fella to do if
-						 * getting the time fails?
-						 */
-					       isc_time_settoepoch(&new->time);
+					TIME_NOW(&new->time);
 
 					ISC_LIST_APPEND(lctx->messages,
 							new, link);
@@ -1676,7 +1642,7 @@ isc_log_doit(isc_log_t *lctx, isc_logcategory_t *category,
 				    (stat(FILE_NAME(channel), &statbuf) != 0 &&
 				     errno == ENOENT) ||
 				    statbuf.st_size < FILE_MAXSIZE(channel)) {
-					fclose(FILE_STREAM(channel));
+					(void)fclose(FILE_STREAM(channel));
 					FILE_STREAM(channel) = NULL;
 					FILE_MAXREACHED(channel) = ISC_FALSE;
 				} else
@@ -1746,10 +1712,9 @@ isc_log_doit(isc_log_t *lctx, isc_logcategory_t *category,
 			else
 				syslog_level = syslog_map[-level];
 
-			syslog(FACILITY(channel) | syslog_level,
-			       "%s%s%s%s%s%s%s%s%s%s",
+			(void)syslog(FACILITY(channel) | syslog_level,
+			       "%s%s%s%s%s%s%s%s%s",
 			       printtime     ? time_string	: "",
-			       printtime     ? " "		: "",
 			       printtag      ? lcfg->tag	: "",
 			       printtag      ? ": "		: "",
 			       printcategory ? category->name	: "",
diff --git a/lib/isc/md5.c b/lib/isc/md5.c
index 202b5930..863612b9 100644
--- a/lib/isc/md5.c
+++ b/lib/isc/md5.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: md5.c,v 1.9.2.1 2004/03/09 06:11:48 marka Exp $ */
+/* $Id: md5.c,v 1.9.206.1 2004/03/06 08:14:32 marka Exp $ */
 
 /*
  * This code implements the MD5 message-digest algorithm.
diff --git a/lib/isc/mem.c b/lib/isc/mem.c
index 612df43a..762aa177 100644
--- a/lib/isc/mem.c
+++ b/lib/isc/mem.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1997-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mem.c,v 1.98.2.14 2006/12/08 05:03:13 marka Exp $ */
+/* $Id: mem.c,v 1.98.2.7.2.5 2004/03/16 05:50:24 marka Exp $ */
 
 #include <config.h>
 
@@ -68,6 +68,7 @@ typedef struct debuglink debuglink_t;
 struct debuglink {
 	ISC_LINK(debuglink_t)	link;
 	const void	       *ptr[DEBUGLIST_COUNT];
+	unsigned int		size[DEBUGLIST_COUNT];
 	const char	       *file[DEBUGLIST_COUNT];
 	unsigned int		line[DEBUGLIST_COUNT];
 	unsigned int		count;
@@ -107,6 +108,10 @@ struct stats {
 #define MEM_MAGIC		ISC_MAGIC('M', 'e', 'm', 'C')
 #define VALID_CONTEXT(c)	ISC_MAGIC_VALID(c, MEM_MAGIC)
 
+#if ISC_MEM_TRACKLINES
+typedef ISC_LIST(debuglink_t)	debuglist_t;
+#endif
+
 struct isc_mem {
 	unsigned int		magic;
 	isc_ondestroy_t		ondestroy;
@@ -141,8 +146,7 @@ struct isc_mem {
 #endif /* ISC_MEM_USE_INTERNAL_MALLOC */
 
 #if ISC_MEM_TRACKLINES
-	ISC_LIST(debuglink_t)	debuglist;
-	unsigned int		debugging;
+	debuglist_t *	 	debuglist;
 #endif
 
 	unsigned int		memalloc_failures;
@@ -183,12 +187,14 @@ struct isc_mempool {
 #define DELETE_TRACE(a, b, c, d, e)
 #else
 #define ADD_TRACE(a, b, c, d, e) \
-	do { if (b != NULL) add_trace_entry(a, b, c, d, e); } while (0)
+	do { \
+		if ((isc_mem_debugging & (ISC_MEM_DEBUGTRACE | \
+					  ISC_MEM_DEBUGRECORD)) != 0 && \
+		     b != NULL) \
+		         add_trace_entry(a, b, c, d, e); \
+	} while (0)
 #define DELETE_TRACE(a, b, c, d, e)	delete_trace_entry(a, b, c, d, e)
 
-#define MEM_TRACE	((isc_mem_debugging & ISC_MEM_DEBUGTRACE) != 0)
-#define MEM_RECORD	((mctx->debugging & ISC_MEM_DEBUGRECORD) != 0)
-
 static void
 print_active(isc_mem_t *ctx, FILE *out);
 
@@ -202,23 +208,27 @@ add_trace_entry(isc_mem_t *mctx, const void *ptr, unsigned int size
 	debuglink_t *dl;
 	unsigned int i;
 
-	if (MEM_TRACE)
+	if ((isc_mem_debugging & ISC_MEM_DEBUGTRACE) != 0)
 		fprintf(stderr, isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
 					       ISC_MSG_ADDTRACE,
 					       "add %p size %u "
 					       "file %s line %u mctx %p\n"),
 			ptr, size, file, line, mctx);
 
-	if (!MEM_RECORD)
+	if (mctx->debuglist == NULL)
 		return;
 
-	dl = ISC_LIST_HEAD(mctx->debuglist);
+	if (size > mctx->max_size)
+		size = mctx->max_size;
+
+	dl = ISC_LIST_HEAD(mctx->debuglist[size]);
 	while (dl != NULL) {
 		if (dl->count == DEBUGLIST_COUNT)
 			goto next;
-		for (i = 0 ; i < DEBUGLIST_COUNT ; i++) {
+		for (i = 0; i < DEBUGLIST_COUNT; i++) {
 			if (dl->ptr[i] == NULL) {
 				dl->ptr[i] = ptr;
+				dl->size[i] = size;
 				dl->file[i] = file;
 				dl->line[i] = line;
 				dl->count++;
@@ -233,18 +243,20 @@ add_trace_entry(isc_mem_t *mctx, const void *ptr, unsigned int size
 	INSIST(dl != NULL);
 
 	ISC_LINK_INIT(dl, link);
-	for (i = 1 ; i < DEBUGLIST_COUNT ; i++) {
+	for (i = 1; i < DEBUGLIST_COUNT; i++) {
 		dl->ptr[i] = NULL;
+		dl->size[i] = 0;
 		dl->file[i] = NULL;
 		dl->line[i] = 0;
 	}
 
 	dl->ptr[0] = ptr;
+	dl->size[0] = size;
 	dl->file[0] = file;
 	dl->line[0] = line;
 	dl->count = 1;
 
-	ISC_LIST_PREPEND(mctx->debuglist, dl, link);
+	ISC_LIST_PREPEND(mctx->debuglist[size], dl, link);
 }
 
 static inline void
@@ -254,28 +266,32 @@ delete_trace_entry(isc_mem_t *mctx, const void *ptr, unsigned int size,
 	debuglink_t *dl;
 	unsigned int i;
 
-	if (MEM_TRACE)
+	if ((isc_mem_debugging & ISC_MEM_DEBUGTRACE) != 0)
 		fprintf(stderr, isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
 					       ISC_MSG_DELTRACE,
 					       "del %p size %u "
 					       "file %s line %u mctx %p\n"),
 			ptr, size, file, line, mctx);
 
-	if (!MEM_RECORD)
+	if (mctx->debuglist == NULL)
 		return;
 
-	dl = ISC_LIST_HEAD(mctx->debuglist);
+	if (size > mctx->max_size)
+		size = mctx->max_size;
+
+	dl = ISC_LIST_HEAD(mctx->debuglist[size]);
 	while (dl != NULL) {
-		for (i = 0 ; i < DEBUGLIST_COUNT ; i++) {
+		for (i = 0; i < DEBUGLIST_COUNT; i++) {
 			if (dl->ptr[i] == ptr) {
 				dl->ptr[i] = NULL;
+				dl->size[i] = 0;
 				dl->file[i] = NULL;
 				dl->line[i] = 0;
 
 				INSIST(dl->count > 0);
 				dl->count--;
 				if (dl->count == 0) {
-					ISC_LIST_UNLINK(mctx->debuglist,
+					ISC_LIST_UNLINK(mctx->debuglist[size],
 							dl, link);
 					free(dl);
 				}
@@ -297,7 +313,7 @@ delete_trace_entry(isc_mem_t *mctx, const void *ptr, unsigned int size,
 static inline size_t
 rmsize(size_t size) {
 	/*
-	 * round down to ALIGNMENT_SIZE
+ 	 * round down to ALIGNMENT_SIZE
 	 */
 	return (size & (~(ALIGNMENT_SIZE - 1)));
 }
@@ -338,7 +354,7 @@ more_basic_blocks(isc_mem_t *ctx) {
 	if (ctx->basic_table_count == ctx->basic_table_size) {
 		table_size = ctx->basic_table_size + TABLE_INCREMENT;
 		table = (ctx->memalloc)(ctx->arg,
-					table_size * sizeof (unsigned char *));
+					table_size * sizeof(unsigned char *));
 		if (table == NULL) {
 			ctx->memalloc_failures++;
 			return (ISC_FALSE);
@@ -346,7 +362,7 @@ more_basic_blocks(isc_mem_t *ctx) {
 		if (ctx->basic_table_size != 0) {
 			memcpy(table, ctx->basic_table,
 			       ctx->basic_table_size *
-			       sizeof (unsigned char *));
+			       sizeof(unsigned char *));
 			(ctx->memfree)(ctx->arg, ctx->basic_table);
 		}
 		ctx->basic_table = table;
@@ -697,19 +713,10 @@ isc_mem_createx(size_t init_max_size, size_t target_size,
 	UNUSED(target_size);
 #endif
 
-	ctx = (memalloc)(arg, sizeof *ctx);
+	ctx = (memalloc)(arg, sizeof(*ctx));
 	if (ctx == NULL)
 		return (ISC_R_NOMEMORY);
 
-	if (isc_mutex_init(&ctx->lock) != ISC_R_SUCCESS) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_mutex_init() %s",
-				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
-						ISC_MSG_FAILED, "failed"));
-		(memfree)(arg, ctx);
-		return (ISC_R_UNEXPECTED);
-	}
-
 	if (init_max_size == 0U)
 		ctx->max_size = DEF_MAX_SIZE;
 	else
@@ -731,6 +738,9 @@ isc_mem_createx(size_t init_max_size, size_t target_size,
 	ctx->arg = arg;
 	ctx->stats = NULL;
 	ctx->checkfree = ISC_TRUE;
+#if ISC_MEM_TRACKLINES
+	ctx->debuglist = NULL;
+#endif
 	ISC_LIST_INIT(ctx->pools);
 
 #if ISC_MEM_USE_INTERNAL_MALLOC
@@ -738,25 +748,25 @@ isc_mem_createx(size_t init_max_size, size_t target_size,
 #endif /* ISC_MEM_USE_INTERNAL_MALLOC */
 
 	ctx->stats = (memalloc)(arg,
-				(ctx->max_size+1) * sizeof (struct stats));
+				(ctx->max_size+1) * sizeof(struct stats));
 	if (ctx->stats == NULL) {
 		result = ISC_R_NOMEMORY;
 		goto error;
 	}
-	memset(ctx->stats, 0, (ctx->max_size + 1) * sizeof (struct stats));
+	memset(ctx->stats, 0, (ctx->max_size + 1) * sizeof(struct stats));
 
 #if ISC_MEM_USE_INTERNAL_MALLOC
 	if (target_size == 0)
 		ctx->mem_target = DEF_MEM_TARGET;
 	else
 		ctx->mem_target = target_size;
-	ctx->freelists = (memalloc)(arg, ctx->max_size * sizeof (element *));
+	ctx->freelists = (memalloc)(arg, ctx->max_size * sizeof(element *));
 	if (ctx->freelists == NULL) {
 		result = ISC_R_NOMEMORY;
 		goto error;
 	}
 	memset(ctx->freelists, 0,
-	       ctx->max_size * sizeof (element *));
+	       ctx->max_size * sizeof(element *));
 	ctx->basic_blocks = NULL;
 	ctx->basic_table = NULL;
 	ctx->basic_table_count = 0;
@@ -765,9 +775,28 @@ isc_mem_createx(size_t init_max_size, size_t target_size,
 	ctx->highest = NULL;
 #endif /* ISC_MEM_USE_INTERNAL_MALLOC */
 
+	if (isc_mutex_init(&ctx->lock) != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_mutex_init() %s",
+				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+						ISC_MSG_FAILED, "failed"));
+		result = ISC_R_UNEXPECTED;
+		goto error;
+	}
+
 #if ISC_MEM_TRACKLINES
-	ISC_LIST_INIT(ctx->debuglist);
-	ctx->debugging = isc_mem_debugging;
+	if ((isc_mem_debugging & ISC_MEM_DEBUGRECORD) != 0) {
+		unsigned int i;
+
+		ctx->debuglist = (memalloc)(arg,
+				      (ctx->max_size+1) * sizeof(debuglist_t));
+		if (ctx->debuglist == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto error;
+		}
+		for (i = 0; i <= ctx->max_size; i++)
+			ISC_LIST_INIT(ctx->debuglist[i]);
+	}
 #endif
 
 	ctx->memalloc_failures = 0;
@@ -776,14 +805,17 @@ isc_mem_createx(size_t init_max_size, size_t target_size,
 	return (ISC_R_SUCCESS);
 
   error:
-	if (ctx != NULL) {
-		if (ctx->stats != NULL)
+	if (ctx) {
+		if (ctx->stats)
 			(memfree)(arg, ctx->stats);
 #if ISC_MEM_USE_INTERNAL_MALLOC
-		if (ctx->freelists != NULL)
+		if (ctx->freelists)
 			(memfree)(arg, ctx->freelists);
 #endif /* ISC_MEM_USE_INTERNAL_MALLOC */
-		DESTROYLOCK(&ctx->lock);
+#if ISC_MEM_TRACKLINES
+		if (ctx->debuglist)
+			(ctx->memfree)(ctx->arg, ctx->debuglist);
+#endif /* ISC_MEM_TRACKLINES */
 		(memfree)(arg, ctx);
 	}
 
@@ -811,19 +843,26 @@ destroy(isc_mem_t *ctx) {
 #endif /* ISC_MEM_USE_INTERNAL_MALLOC */
 
 #if ISC_MEM_TRACKLINES
-	if (ctx->checkfree) {
-		if (!ISC_LIST_EMPTY(ctx->debuglist))
-			print_active(ctx, stderr);
-		INSIST(ISC_LIST_EMPTY(ctx->debuglist));
-	} else {
-		debuglink_t *dl;
-
-		for (dl = ISC_LIST_HEAD(ctx->debuglist);
-		     dl != NULL;
-		     dl = ISC_LIST_HEAD(ctx->debuglist)) {
-			ISC_LIST_UNLINK(ctx->debuglist, dl, link);
-			free(dl);
+	if (ctx->debuglist != NULL) {
+		if (ctx->checkfree) {
+			for (i = 0; i <= ctx->max_size; i++) {
+				if (!ISC_LIST_EMPTY(ctx->debuglist[i]))
+					print_active(ctx, stderr);
+				INSIST(ISC_LIST_EMPTY(ctx->debuglist[i]));
+			}
+		} else {
+			debuglink_t *dl;
+
+			for (i = 0; i <= ctx->max_size; i++)
+				for (dl = ISC_LIST_HEAD(ctx->debuglist[i]);
+				     dl != NULL;
+				     dl = ISC_LIST_HEAD(ctx->debuglist[i])) {
+					ISC_LIST_UNLINK(ctx->debuglist[i],
+						 	dl, link);
+					free(dl);
+				}
 		}
+		(ctx->memfree)(ctx->arg, ctx->debuglist);
 	}
 #endif
 	INSIST(ctx->references == 0);
@@ -831,7 +870,7 @@ destroy(isc_mem_t *ctx) {
 	if (ctx->checkfree) {
 		for (i = 0; i <= ctx->max_size; i++) {
 #if ISC_MEM_TRACKLINES
-			if (ctx->stats[i].gets != 0)
+			if (ctx->stats[i].gets != 0U)
 				print_active(ctx, stderr);
 #endif
 			INSIST(ctx->stats[i].gets == 0U);
@@ -988,7 +1027,7 @@ isc__mem_get(isc_mem_t *ctx, size_t size FLARG) {
 #else /* ISC_MEM_USE_INTERNAL_MALLOC */
 	ptr = mem_get(ctx, size);
 	LOCK(&ctx->lock);
-	if (ptr)
+	if (ptr != NULL)
 		mem_getstats(ctx, size);
 #endif /* ISC_MEM_USE_INTERNAL_MALLOC */
 
@@ -1007,9 +1046,8 @@ isc__mem_get(isc_mem_t *ctx, size_t size FLARG) {
 	}
 	UNLOCK(&ctx->lock);
 
-	if (call_water) {
+	if (call_water)
 		(ctx->water)(ctx->water_arg, ISC_MEM_HIWATER);
-	}
 
 	return (ptr);
 }
@@ -1047,41 +1085,47 @@ isc__mem_put(isc_mem_t *ctx, void *ptr, size_t size FLARG)
 	}
 	UNLOCK(&ctx->lock);
 
-	if (call_water) {
+	if (call_water)
 		(ctx->water)(ctx->water_arg, ISC_MEM_LOWATER);
-	}
 }
 
 #if ISC_MEM_TRACKLINES
 static void
 print_active(isc_mem_t *mctx, FILE *out) {
-	if (MEM_RECORD) {
+	if (mctx->debuglist != NULL) {
 		debuglink_t *dl;
-		unsigned int i;
+		unsigned int i, j;
+		const char *format;
+		isc_boolean_t found;
 
 		fprintf(out, isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
 					    ISC_MSG_DUMPALLOC,
 					    "Dump of all outstanding "
 					    "memory allocations:\n"));
-		dl = ISC_LIST_HEAD(mctx->debuglist);
-		if (dl == NULL)
-			fprintf(out, isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
-						    ISC_MSG_NONE,
-						    "\tNone.\n"));
-		while (dl != NULL) {
-			for (i = 0 ; i < DEBUGLIST_COUNT ; i++)
-				if (dl->ptr[i] != NULL)
-					fprintf(out,
-						isc_msgcat_get(isc_msgcat,
-							   ISC_MSGSET_MEM,
-							   ISC_MSG_PTRFILELINE,
-							   "\tptr %p "
-							   "file %s "
-							   "line %u\n"),
-						dl->ptr[i], dl->file[i],
-						dl->line[i]);
-			dl = ISC_LIST_NEXT(dl, link);
+		found = ISC_FALSE;
+		format = isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
+				        ISC_MSG_PTRFILELINE,
+					"\tptr %p size %u file %s line %u\n");
+		for (i = 0; i <= mctx->max_size; i++) {
+			dl = ISC_LIST_HEAD(mctx->debuglist[i]);
+			
+			if (dl != NULL)
+				found = ISC_TRUE;
+
+			while (dl != NULL) {
+				for (j = 0; j < DEBUGLIST_COUNT; j++)
+					if (dl->ptr[j] != NULL)
+						fprintf(out, format,
+							dl->ptr[j],
+							dl->size[j],
+							dl->file[j],
+							dl->line[j]);
+				dl = ISC_LIST_NEXT(dl, link);
+			}
 		}
+		if (!found)
+			fprintf(out, isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
+						    ISC_MSG_NONE, "\tNone.\n"));
 	}
 }
 #endif
@@ -1199,8 +1243,7 @@ isc__mem_allocate(isc_mem_t *ctx, size_t size FLARG) {
 #endif /* ISC_MEM_USE_INTERNAL_MALLOC */
 
 #if ISC_MEM_TRACKLINES
-	if (si != NULL)
-		ADD_TRACE(ctx, si, si[-1].u.size, file, line);
+	ADD_TRACE(ctx, si, si[-1].u.size, file, line);
 #endif
 
 	UNLOCK(&ctx->lock);
@@ -1310,30 +1353,19 @@ isc_mem_inuse(isc_mem_t *ctx) {
 
 void
 isc_mem_setwater(isc_mem_t *ctx, isc_mem_water_t water, void *water_arg,
-		 size_t hiwater, size_t lowater)
+                 size_t hiwater, size_t lowater)
 {
-	isc_boolean_t callwater = ISC_FALSE;
-	isc_mem_water_t oldwater;
-	void *oldwater_arg;
-
 	REQUIRE(VALID_CONTEXT(ctx));
 	REQUIRE(hiwater >= lowater);
 
 	LOCK(&ctx->lock);
-	oldwater = ctx->water;
-	oldwater_arg = ctx->water_arg;
 	if (water == NULL) {
-		callwater = ctx->hi_called;
 		ctx->water = NULL;
 		ctx->water_arg = NULL;
 		ctx->hi_water = 0;
 		ctx->lo_water = 0;
 		ctx->hi_called = ISC_FALSE;
 	} else {
-		if (ctx->hi_called &&
-		    (ctx->water != water || ctx->water_arg != water_arg ||
-		     ctx->inuse < lowater || lowater == 0U))
-			callwater = ISC_TRUE;
 		ctx->water = water;
 		ctx->water_arg = water_arg;
 		ctx->hi_water = hiwater;
@@ -1341,9 +1373,6 @@ isc_mem_setwater(isc_mem_t *ctx, isc_mem_water_t water, void *water_arg,
 		ctx->hi_called = ISC_FALSE;
 	}
 	UNLOCK(&ctx->lock);
-
-	if (callwater && oldwater != NULL)
-		(oldwater)(oldwater_arg, ISC_MEM_LOWATER);
 }
 
 /*
@@ -1438,6 +1467,7 @@ isc_mempool_destroy(isc_mempool_t **mpctxp) {
 	/*
 	 * Return any items on the free list
 	 */
+	LOCK(&mctx->lock);
 	while (mpctx->items != NULL) {
 		INSIST(mpctx->freecount > 0);
 		mpctx->freecount--;
@@ -1445,13 +1475,13 @@ isc_mempool_destroy(isc_mempool_t **mpctxp) {
 		mpctx->items = item->next;
 
 #if ISC_MEM_USE_INTERNAL_MALLOC
-		LOCK(&mctx->lock);
 		mem_putunlocked(mctx, item, mpctx->size);
-		UNLOCK(&mctx->lock);
 #else /* ISC_MEM_USE_INTERNAL_MALLOC */
 		mem_put(mctx, item, mpctx->size);
+		mem_putstats(mctx, item, mpctx->size);
 #endif /* ISC_MEM_USE_INTERNAL_MALLOC */
 	}
+	UNLOCK(&mctx->lock);
 
 	/*
 	 * Remove our linked list entry from the memory context.
@@ -1517,13 +1547,14 @@ isc__mempool_get(isc_mempool_t *mpctx FLARG) {
 	 * We need to dip into the well.  Lock the memory context here and
 	 * fill up our free list.
 	 */
-	for (i = 0 ; i < mpctx->fillcount ; i++) {
+	LOCK(&mctx->lock);
+	for (i = 0; i < mpctx->fillcount; i++) {
 #if ISC_MEM_USE_INTERNAL_MALLOC
-		LOCK(&mctx->lock);
 		item = mem_getunlocked(mctx, mpctx->size);
-		UNLOCK(&mctx->lock);
 #else /* ISC_MEM_USE_INTERNAL_MALLOC */
 		item = mem_get(mctx, mpctx->size);
+		if (item != NULL)
+			mem_getstats(mctx, mpctx->size);
 #endif /* ISC_MEM_USE_INTERNAL_MALLOC */
 		if (item == NULL)
 			break;
@@ -1531,6 +1562,7 @@ isc__mempool_get(isc_mempool_t *mpctx FLARG) {
 		mpctx->items = item;
 		mpctx->freecount++;
 	}
+	UNLOCK(&mctx->lock);
 
 	/*
 	 * If we didn't get any items, return NULL.
@@ -1591,6 +1623,9 @@ isc__mempool_put(isc_mempool_t *mpctx, void *mem FLARG) {
 		UNLOCK(&mctx->lock);
 #else /* ISC_MEM_USE_INTERNAL_MALLOC */
 		mem_put(mctx, mem, mpctx->size);
+		LOCK(&mctx->lock);
+		mem_putstats(mctx, mem, mpctx->size);
+		UNLOCK(&mctx->lock);
 #endif /* ISC_MEM_USE_INTERNAL_MALLOC */
 		if (mpctx->lock != NULL)
 			UNLOCK(mpctx->lock);
diff --git a/lib/isc/mutexblock.c b/lib/isc/mutexblock.c
index 5293c2e0..dc7c23d8 100644
--- a/lib/isc/mutexblock.c
+++ b/lib/isc/mutexblock.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mutexblock.c,v 1.14.2.1 2004/03/09 06:11:48 marka Exp $ */
+/* $Id: mutexblock.c,v 1.14.12.3 2004/03/08 09:04:49 marka Exp $ */
 
 #include <config.h>
 
@@ -27,7 +27,7 @@ isc_mutexblock_init(isc_mutex_t *block, unsigned int count) {
 	isc_result_t result;
 	unsigned int i;
 
-	for (i = 0 ; i < count ; i++) {
+	for (i = 0; i < count; i++) {
 		result = isc_mutex_init(&block[i]);
 		if (result != ISC_R_SUCCESS) {
 			i--;
@@ -47,7 +47,7 @@ isc_mutexblock_destroy(isc_mutex_t *block, unsigned int count) {
 	isc_result_t result;
 	unsigned int i;
 
-	for (i = 0 ; i < count ; i++) {
+	for (i = 0; i < count; i++) {
 		result = isc_mutex_destroy(&block[i]);
 		if (result != ISC_R_SUCCESS)
 			return (result);
diff --git a/lib/isc/netaddr.c b/lib/isc/netaddr.c
index d18e6bd2..a658d254 100644
--- a/lib/isc/netaddr.c
+++ b/lib/isc/netaddr.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: netaddr.c,v 1.18.2.2 2004/03/09 06:11:49 marka Exp $ */
+/* $Id: netaddr.c,v 1.18.12.8 2004/03/08 09:04:49 marka Exp $ */
 
 #include <config.h>
 
@@ -37,14 +37,17 @@ isc_netaddr_equal(const isc_netaddr_t *a, const isc_netaddr_t *b) {
 	if (a->family != b->family)
 		return (ISC_FALSE);
 
+	if (a->zone != b->zone)
+		return (ISC_FALSE);
+
 	switch (a->family) {
 	case AF_INET:
 		if (a->type.in.s_addr != b->type.in.s_addr)
 			return (ISC_FALSE);
 		break;
 	case AF_INET6:
-		if (memcmp(&a->type.in6, &b->type.in6, sizeof a->type.in6)
-		    != 0)
+		if (memcmp(&a->type.in6, &b->type.in6,
+			   sizeof(a->type.in6)) != 0)
 			return (ISC_FALSE);
 		break;
 	default:
@@ -67,6 +70,9 @@ isc_netaddr_eqprefix(const isc_netaddr_t *a, const isc_netaddr_t *b,
 	if (a->family != b->family)
 		return (ISC_FALSE);
 
+	if (a->zone != b->zone)
+		return (ISC_FALSE);
+
 	switch (a->family) {
 	case AF_INET:
 		pa = (const unsigned char *) &a->type.in;
@@ -112,29 +118,51 @@ isc_netaddr_eqprefix(const isc_netaddr_t *a, const isc_netaddr_t *b,
 
 isc_result_t
 isc_netaddr_totext(const isc_netaddr_t *netaddr, isc_buffer_t *target) {
-	char abuf[sizeof "xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:255.255.255.255"];
+	char abuf[sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:255.255.255.255")];
+	char zbuf[sizeof("%4294967295")];
 	unsigned int alen;
+	int zlen;
 	const char *r;
+	const void *type;
 
 	REQUIRE(netaddr != NULL);
 
-	r = inet_ntop(netaddr->family, &netaddr->type, abuf, sizeof abuf);
+	switch (netaddr->family) {
+	case AF_INET:
+		type = &netaddr->type.in;
+		break;
+	case AF_INET6:
+		type = &netaddr->type.in6;
+		break;
+	default:
+		return (ISC_R_FAILURE);
+	}
+	r = inet_ntop(netaddr->family, type, abuf, sizeof(abuf));
 	if (r == NULL)
 		return (ISC_R_FAILURE);
 
 	alen = strlen(abuf);
 	INSIST(alen < sizeof(abuf));
 
-	if (alen > isc_buffer_availablelength(target))
+	zlen = 0;
+	if (netaddr->family == AF_INET6 && netaddr->zone != 0) {
+		zlen = snprintf(zbuf, sizeof(zbuf), "%%%u", netaddr->zone);
+		if (zlen < 0)
+			return (ISC_R_FAILURE);
+		INSIST((unsigned int)zlen < sizeof(zbuf));
+	}
+
+	if (alen + zlen > isc_buffer_availablelength(target))
 		return (ISC_R_NOSPACE);
 
 	isc_buffer_putmem(target, (unsigned char *)abuf, alen);
+	isc_buffer_putmem(target, (unsigned char *)zbuf, zlen);
 
 	return (ISC_R_SUCCESS);
 }
 
 void
-isc_netaddr_format(isc_netaddr_t *na, char *array, unsigned int size) {
+isc_netaddr_format(const isc_netaddr_t *na, char *array, unsigned int size) {
 	isc_result_t result;
 	isc_buffer_t buf;
 
@@ -205,44 +233,63 @@ isc_netaddr_masktoprefixlen(const isc_netaddr_t *s, unsigned int *lenp) {
 
 void
 isc_netaddr_fromin(isc_netaddr_t *netaddr, const struct in_addr *ina) {
-	memset(netaddr, 0, sizeof *netaddr);
+	memset(netaddr, 0, sizeof(*netaddr));
 	netaddr->family = AF_INET;
 	netaddr->type.in = *ina;
 }
 
 void
 isc_netaddr_fromin6(isc_netaddr_t *netaddr, const struct in6_addr *ina6) {
-	memset(netaddr, 0, sizeof *netaddr);
+	memset(netaddr, 0, sizeof(*netaddr));
 	netaddr->family = AF_INET6;
 	netaddr->type.in6 = *ina6;
 }
 
 void
+isc_netaddr_setzone(isc_netaddr_t *netaddr, isc_uint32_t zone) {
+	/* we currently only support AF_INET6. */
+	REQUIRE(netaddr->family == AF_INET6);
+
+	netaddr->zone = zone;
+}
+
+isc_uint32_t
+isc_netaddr_getzone(const isc_netaddr_t *netaddr) {
+	return (netaddr->zone);
+}
+
+void
 isc_netaddr_fromsockaddr(isc_netaddr_t *t, const isc_sockaddr_t *s) {
 	int family = s->type.sa.sa_family;
 	t->family = family;
 	switch (family) {
-        case AF_INET:
+	case AF_INET:
 		t->type.in = s->type.sin.sin_addr;
-                break;
-        case AF_INET6:
+		t->zone = 0;
+		break;
+	case AF_INET6:
 		memcpy(&t->type.in6, &s->type.sin6.sin6_addr, 16);
-                break;
-        default:
-                INSIST(0);
-        }
+#ifdef ISC_PLATFORM_HAVESCOPEID
+		t->zone = s->type.sin6.sin6_scope_id;
+#else
+		t->zone = 0;
+#endif
+		break;
+	default:
+		INSIST(0);
+	}
 }
 
 void
 isc_netaddr_any(isc_netaddr_t *netaddr) {
-	memset(netaddr, 0, sizeof *netaddr);
+	memset(netaddr, 0, sizeof(*netaddr));
 	netaddr->family = AF_INET;
 	netaddr->type.in.s_addr = INADDR_ANY;
 }
 
 void
 isc_netaddr_any6(isc_netaddr_t *netaddr) {
-	memset(netaddr, 0, sizeof *netaddr);
+	memset(netaddr, 0, sizeof(*netaddr));
 	netaddr->family = AF_INET6;
 	netaddr->type.in6 = in6addr_any;
 }
@@ -269,6 +316,30 @@ isc_netaddr_isexperimental(isc_netaddr_t *na) {
 	}
 }
 
+isc_boolean_t
+isc_netaddr_islinklocal(isc_netaddr_t *na) {
+	switch (na->family) {
+	case AF_INET:
+		return (ISC_FALSE);
+	case AF_INET6:
+		return (ISC_TF(IN6_IS_ADDR_LINKLOCAL(&na->type.in6)));
+	default:
+		return (ISC_FALSE);
+	}
+}
+
+isc_boolean_t
+isc_netaddr_issitelocal(isc_netaddr_t *na) {
+	switch (na->family) {
+	case AF_INET:
+		return (ISC_FALSE);
+	case AF_INET6:
+		return (ISC_TF(IN6_IS_ADDR_SITELOCAL(&na->type.in6)));
+	default:
+		return (ISC_FALSE);
+	}
+}
+
 void
 isc_netaddr_fromv4mapped(isc_netaddr_t *t, const isc_netaddr_t *s) {
 	isc_netaddr_t *src;
diff --git a/lib/isc/netscope.c b/lib/isc/netscope.c
new file mode 100644
index 00000000..843c46df
--- /dev/null
+++ b/lib/isc/netscope.c
@@ -0,0 +1,72 @@
+/*
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2002  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static char rcsid[] =
+	"$Id: netscope.c,v 1.5.142.7 2004/03/12 10:31:26 marka Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+#include <isc/string.h>
+#include <isc/net.h>
+#include <isc/netscope.h>
+#include <isc/result.h>
+
+isc_result_t
+isc_netscope_pton(int af, char *scopename, void *addr, isc_uint32_t *zoneid) {
+	char *ep;
+#ifdef ISC_PLATFORM_HAVEIFNAMETOINDEX
+	unsigned int ifid;
+#endif
+	struct in6_addr *in6;
+	isc_uint32_t zone;
+	isc_uint64_t llz;
+
+	/* at this moment, we only support AF_INET6 */
+	if (af != AF_INET6)
+		return (ISC_R_FAILURE);
+
+	in6 = (struct in6_addr *)addr;
+
+	/*
+	 * Basically, "names" are more stable than numeric IDs in terms of
+	 * renumbering, and are more preferred.  However, since there is no
+	 * standard naming convention and APIs to deal with the names.  Thus,
+	 * we only handle the case of link-local addresses, for which we use
+	 * interface names as link names, assuming one to one mapping between
+	 * interfaces and links.
+	 */
+#ifdef ISC_PLATFORM_HAVEIFNAMETOINDEX
+	if (IN6_IS_ADDR_LINKLOCAL(in6) &&
+	    (ifid = if_nametoindex((const char *)scopename)) != 0)
+		zone = (isc_uint32_t)ifid;
+	else {
+#endif
+		llz = isc_string_touint64(scopename, &ep, 10);
+		if (ep == scopename)
+			return (ISC_R_FAILURE);
+
+		/* check overflow */
+		zone = (isc_uint32_t)(llz & 0xffffffffUL);
+		if (zone != llz)
+			return (ISC_R_FAILURE);
+#ifdef ISC_PLATFORM_HAVEIFNAMETOINDEX
+	}
+#endif
+
+	*zoneid = zone;
+	return (ISC_R_SUCCESS);
+}
diff --git a/lib/isc/nls/Makefile.in b/lib/isc/nls/Makefile.in
index b0a42e95..f16b4cb8 100644
--- a/lib/isc/nls/Makefile.in
+++ b/lib/isc/nls/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.11.2.1 2004/03/09 06:12:03 marka Exp $
+# $Id: Makefile.in,v 1.11.206.1 2004/03/06 08:14:50 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/isc/nls/msgcat.c b/lib/isc/nls/msgcat.c
index ed3c0c9d..484ab514 100644
--- a/lib/isc/nls/msgcat.c
+++ b/lib/isc/nls/msgcat.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: msgcat.c,v 1.10.2.1 2004/03/09 06:12:04 marka Exp $ */
+/* $Id: msgcat.c,v 1.10.12.4 2004/03/08 09:04:54 marka Exp $ */
 
 /*
  * Principal Author: Bob Halley
@@ -62,7 +62,7 @@ isc_msgcat_open(const char *name, isc_msgcat_t **msgcatp) {
 	REQUIRE(name != NULL);
 	REQUIRE(msgcatp != NULL && *msgcatp == NULL);
 
-	msgcat = malloc(sizeof *msgcat);
+	msgcat = malloc(sizeof(*msgcat));
 	if (msgcat == NULL) {
 		*msgcatp = NULL;
 		return;
@@ -96,7 +96,7 @@ isc_msgcat_close(isc_msgcat_t **msgcatp) {
 	if (msgcat != NULL) {
 #ifdef HAVE_CATGETS
 		if (msgcat->catalog != (nl_catd)(-1))
-			catclose(msgcat->catalog);
+			(void)catclose(msgcat->catalog);
 #endif
 		msgcat->magic = 0;
 		free(msgcat);
diff --git a/lib/isc/nothreads/Makefile.in b/lib/isc/nothreads/Makefile.in
index 6ea35145..639c9fa6 100644
--- a/lib/isc/nothreads/Makefile.in
+++ b/lib/isc/nothreads/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.4.2.1 2004/03/09 06:12:04 marka Exp $
+# $Id: Makefile.in,v 1.4.206.1 2004/03/06 08:14:51 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/isc/nothreads/condition.c b/lib/isc/nothreads/condition.c
index 0b3ee772..0bc6196a 100644
--- a/lib/isc/nothreads/condition.c
+++ b/lib/isc/nothreads/condition.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,21 +15,8 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: condition.c,v 1.4.2.3 2006/08/25 05:25:49 marka Exp $ */
+/* $Id: condition.c,v 1.4.12.3 2004/03/08 09:04:54 marka Exp $ */
 
-#include <config.h>
-
-/*
- * This file intentionally left blank.
- */
-
-/*
- * Well, not completely.  The stupid hack below shuts up compilers
- * from complaining about an empty file.
- */
-
-static void
-isc_condition_nothreads(void) {
-	isc_condition_nothreads();
-}
+#include <isc/util.h>
 
+EMPTY_TRANSLATION_UNIT
diff --git a/lib/isc/nothreads/include/Makefile.in b/lib/isc/nothreads/include/Makefile.in
index 93953e91..4c582695 100644
--- a/lib/isc/nothreads/include/Makefile.in
+++ b/lib/isc/nothreads/include/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2.2.1 2004/03/09 06:12:04 marka Exp $
+# $Id: Makefile.in,v 1.2.206.1 2004/03/06 08:14:52 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/isc/nothreads/include/isc/Makefile.in b/lib/isc/nothreads/include/isc/Makefile.in
index 23d36bbd..6717404b 100644
--- a/lib/isc/nothreads/include/isc/Makefile.in
+++ b/lib/isc/nothreads/include/isc/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.4.2.1 2004/03/09 06:12:05 marka Exp $
+# $Id: Makefile.in,v 1.4.206.1 2004/03/06 08:14:52 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/isc/nothreads/include/isc/condition.h b/lib/isc/nothreads/include/isc/condition.h
index ff2a2f01..b899a826 100644
--- a/lib/isc/nothreads/include/isc/condition.h
+++ b/lib/isc/nothreads/include/isc/condition.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: condition.h,v 1.3.2.1 2004/03/09 06:12:05 marka Exp $ */
+/* $Id: condition.h,v 1.3.206.1 2004/03/06 08:14:52 marka Exp $ */
 
 /*
  * This provides a limited subset of the isc_condition_t
diff --git a/lib/isc/nothreads/include/isc/mutex.h b/lib/isc/nothreads/include/isc/mutex.h
index 5af2adb5..c80a945b 100644
--- a/lib/isc/nothreads/include/isc/mutex.h
+++ b/lib/isc/nothreads/include/isc/mutex.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mutex.h,v 1.3.2.1 2004/03/09 06:12:05 marka Exp $ */
+/* $Id: mutex.h,v 1.3.206.1 2004/03/06 08:14:53 marka Exp $ */
 
 #ifndef ISC_MUTEX_H
 #define ISC_MUTEX_H 1
diff --git a/lib/isc/nothreads/include/isc/once.h b/lib/isc/nothreads/include/isc/once.h
index a6372e36..9f54ac8f 100644
--- a/lib/isc/nothreads/include/isc/once.h
+++ b/lib/isc/nothreads/include/isc/once.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: once.h,v 1.3.2.1 2004/03/09 06:12:06 marka Exp $ */
+/* $Id: once.h,v 1.3.206.1 2004/03/06 08:14:53 marka Exp $ */
 
 #ifndef ISC_ONCE_H
 #define ISC_ONCE_H 1
diff --git a/lib/isc/nothreads/include/isc/thread.h b/lib/isc/nothreads/include/isc/thread.h
index 849566c1..e045b98b 100644
--- a/lib/isc/nothreads/include/isc/thread.h
+++ b/lib/isc/nothreads/include/isc/thread.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: thread.h,v 1.3.2.1 2004/03/09 06:12:06 marka Exp $ */
+/* $Id: thread.h,v 1.3.206.1 2004/03/06 08:14:53 marka Exp $ */
 
 #ifndef ISC_THREAD_H
 #define ISC_THREAD_H 1
diff --git a/lib/isc/nothreads/mutex.c b/lib/isc/nothreads/mutex.c
index 2c760bda..cc7572a6 100644
--- a/lib/isc/nothreads/mutex.c
+++ b/lib/isc/nothreads/mutex.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,16 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mutex.c,v 1.4.2.3 2006/08/25 05:25:49 marka Exp $ */
+/* $Id: mutex.c,v 1.4.12.3 2004/03/08 09:04:54 marka Exp $ */
 
-#include <config.h>
+#include <isc/util.h>
 
-/*
- * Well, not completely.  The stupid hack below shuts up compilers
- * from complaining about an empty file.
- */
-static void
-isc_mutex_nothreads(void) {
-	isc_mutex_nothreads();
-}
+EMPTY_TRANSLATION_UNIT
 
diff --git a/lib/isc/nothreads/thread.c b/lib/isc/nothreads/thread.c
index eb0386d3..1aea72ad 100644
--- a/lib/isc/nothreads/thread.c
+++ b/lib/isc/nothreads/thread.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: thread.c,v 1.2.2.1 2004/03/09 06:12:04 marka Exp $ */
+/* $Id: thread.c,v 1.2.206.1 2004/03/06 08:14:52 marka Exp $ */
 
 #include <config.h>
 
diff --git a/lib/isc/ondestroy.c b/lib/isc/ondestroy.c
index 859494d8..aacb8f2d 100644
--- a/lib/isc/ondestroy.c
+++ b/lib/isc/ondestroy.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ondestroy.c,v 1.11.2.1 2004/03/09 06:11:50 marka Exp $ */
+/* $Id: ondestroy.c,v 1.11.206.1 2004/03/06 08:14:33 marka Exp $ */
 
 #include <config.h>
 
diff --git a/lib/isc/parseint.c b/lib/isc/parseint.c
new file mode 100644
index 00000000..fe74e57c
--- /dev/null
+++ b/lib/isc/parseint.c
@@ -0,0 +1,70 @@
+/*
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2001-2003  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: parseint.c,v 1.3.26.5 2004/03/08 09:04:49 marka Exp $ */
+
+#include <config.h>
+
+#include <ctype.h>
+#include <errno.h>
+#include <limits.h>
+
+#include <isc/parseint.h>
+#include <isc/result.h>
+#include <isc/stdlib.h>
+
+isc_result_t
+isc_parse_uint32(isc_uint32_t *uip, const char *string, int base) {
+	unsigned long n;
+	char *e;
+	if (! isalnum((unsigned char)(string[0])))
+		return (ISC_R_BADNUMBER);
+	errno = 0;
+	n = strtoul(string, &e, base);
+	if (*e != '\0')
+		return (ISC_R_BADNUMBER);
+	if (n == ULONG_MAX && errno == ERANGE)
+		return (ISC_R_RANGE);
+	*uip = n;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_parse_uint16(isc_uint16_t *uip, const char *string, int base) {
+	isc_uint32_t val;
+	isc_result_t result;
+	result = isc_parse_uint32(&val, string, base);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	if (val > 0xFFFF)
+		return (ISC_R_RANGE);
+	*uip = (isc_uint16_t) val;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_parse_uint8(isc_uint8_t *uip, const char *string, int base) {
+	isc_uint32_t val;
+	isc_result_t result;
+	result = isc_parse_uint32(&val, string, base);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	if (val > 0xFF)
+		return (ISC_R_RANGE);
+	*uip = (isc_uint8_t) val;
+	return (ISC_R_SUCCESS);
+}
diff --git a/lib/isc/print.c b/lib/isc/print.c
index 87c1e6e9..6542fe4f 100644
--- a/lib/isc/print.c
+++ b/lib/isc/print.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,15 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: print.c,v 1.22.2.5 2006/04/17 18:27:07 explorer Exp $ */
-
-/*! \file */
+/* $Id: print.c,v 1.22.2.3.2.3 2004/03/06 08:14:33 marka Exp $ */
 
 #include <config.h>
 
 #include <ctype.h>
-#include <stdio.h>		/* for sprintf() */
-#include <string.h>		/* for strlen() */
+#include <stdio.h>		/* for sprintf */
 
 #define	ISC__PRINT_SOURCE	/* Used to get the isc_print_* prototypes. */
 
@@ -44,7 +41,7 @@ isc_print_sprintf(char *str, const char *format, ...) {
 	return (strlen(str));
 }
 
-/*!
+/*
  * Return length of string that would have been written if not truncated.
  */
 
@@ -60,7 +57,7 @@ isc_print_snprintf(char *str, size_t size, const char *format, ...) {
 
 }
 
-/*!
+/*
  * Return length of string that would have been written if not truncated.
  */
 
diff --git a/lib/isc/pthreads/Makefile.in b/lib/isc/pthreads/Makefile.in
index 7be52037..f245afa9 100644
--- a/lib/isc/pthreads/Makefile.in
+++ b/lib/isc/pthreads/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.16.2.1 2004/03/09 06:12:06 marka Exp $
+# $Id: Makefile.in,v 1.16.206.1 2004/03/06 08:14:53 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/isc/pthreads/condition.c b/lib/isc/pthreads/condition.c
index e840a30b..489980c1 100644
--- a/lib/isc/pthreads/condition.c
+++ b/lib/isc/pthreads/condition.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: condition.c,v 1.30.2.2 2004/03/09 06:12:06 marka Exp $ */
+/* $Id: condition.c,v 1.30.2.1.10.1 2004/03/06 08:14:53 marka Exp $ */
 
 #include <config.h>
 
diff --git a/lib/isc/pthreads/include/Makefile.in b/lib/isc/pthreads/include/Makefile.in
index 160d10de..5fec836c 100644
--- a/lib/isc/pthreads/include/Makefile.in
+++ b/lib/isc/pthreads/include/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.11.2.1 2004/03/09 06:12:07 marka Exp $
+# $Id: Makefile.in,v 1.11.206.1 2004/03/06 08:14:54 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/isc/pthreads/include/isc/Makefile.in b/lib/isc/pthreads/include/isc/Makefile.in
index 074b4213..dd15a11b 100644
--- a/lib/isc/pthreads/include/isc/Makefile.in
+++ b/lib/isc/pthreads/include/isc/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.13.2.1 2004/03/09 06:12:07 marka Exp $
+# $Id: Makefile.in,v 1.13.206.1 2004/03/06 08:14:56 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/isc/pthreads/include/isc/condition.h b/lib/isc/pthreads/include/isc/condition.h
index ff211e44..c33772f1 100644
--- a/lib/isc/pthreads/include/isc/condition.h
+++ b/lib/isc/pthreads/include/isc/condition.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: condition.h,v 1.21.2.1 2004/03/09 06:12:07 marka Exp $ */
+/* $Id: condition.h,v 1.21.206.1 2004/03/06 08:14:56 marka Exp $ */
 
 #ifndef ISC_CONDITION_H
 #define ISC_CONDITION_H 1
diff --git a/lib/isc/pthreads/include/isc/mutex.h b/lib/isc/pthreads/include/isc/mutex.h
index 3e304c3c..f6e526d8 100644
--- a/lib/isc/pthreads/include/isc/mutex.h
+++ b/lib/isc/pthreads/include/isc/mutex.h
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
+ * Copyright (C) 1998-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mutex.h,v 1.23.2.1 2004/03/09 06:12:08 marka Exp $ */
+/* $Id: mutex.h,v 1.23.26.3 2004/03/08 09:04:55 marka Exp $ */
 
 #ifndef ISC_MUTEX_H
 #define ISC_MUTEX_H 1
@@ -65,10 +65,15 @@ typedef pthread_mutex_t	isc_mutex_t;
 #define isc_mutex_init(mp) \
 	isc_mutex_init_profile((mp), __FILE__, __LINE__)
 #else
+#if ISC_MUTEX_DEBUG && defined(PTHREAD_MUTEX_ERRORCHECK)
+#define isc_mutex_init(mp) \
+        isc_mutex_init_errcheck((mp))
+#else
 #define isc_mutex_init(mp) \
 	((pthread_mutex_init((mp), ISC__MUTEX_ATTRS) == 0) ? \
 	 ISC_R_SUCCESS : ISC_R_UNEXPECTED)
 #endif
+#endif
 
 #if ISC_MUTEX_PROFILE
 #define isc_mutex_lock(mp) \
@@ -126,6 +131,9 @@ isc_mutex_unlock_profile(isc_mutex_t *mp, const char * _file, int _line);
 void
 isc_mutex_statsprofile(FILE *fp);
 
+isc_result_t
+isc_mutex_init_errcheck(isc_mutex_t *mp);
+
 #endif /* ISC_MUTEX_PROFILE */
 
 #endif /* ISC_MUTEX_H */
diff --git a/lib/isc/pthreads/include/isc/once.h b/lib/isc/pthreads/include/isc/once.h
index 05b29aa8..39b4885a 100644
--- a/lib/isc/pthreads/include/isc/once.h
+++ b/lib/isc/pthreads/include/isc/once.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: once.h,v 1.8.2.1 2004/03/09 06:12:08 marka Exp $ */
+/* $Id: once.h,v 1.8.206.1 2004/03/06 08:14:57 marka Exp $ */
 
 #ifndef ISC_ONCE_H
 #define ISC_ONCE_H 1
diff --git a/lib/isc/pthreads/include/isc/thread.h b/lib/isc/pthreads/include/isc/thread.h
index fe5fcc39..6287dcd0 100644
--- a/lib/isc/pthreads/include/isc/thread.h
+++ b/lib/isc/pthreads/include/isc/thread.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: thread.h,v 1.19.2.1 2004/03/09 06:12:08 marka Exp $ */
+/* $Id: thread.h,v 1.19.206.1 2004/03/06 08:14:57 marka Exp $ */
 
 #ifndef ISC_THREAD_H
 #define ISC_THREAD_H 1
diff --git a/lib/isc/pthreads/mutex.c b/lib/isc/pthreads/mutex.c
index da330783..e29e92bd 100644
--- a/lib/isc/pthreads/mutex.c
+++ b/lib/isc/pthreads/mutex.c
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mutex.c,v 1.6.2.3 2005/03/17 03:59:33 marka Exp $ */
+/* $Id: mutex.c,v 1.6.26.3 2004/03/08 09:04:55 marka Exp $ */
 
 #include <config.h>
 
@@ -126,19 +126,6 @@ isc_mutex_lock_profile(isc_mutex_t *mp, const char *file, int line) {
 	isc_mutexlocker_t *locker = NULL;
 	int i;
 
-	gettimeofday(&prelock_t, NULL);
-
-	if (pthread_mutex_lock(&mp->mutex) != 0)
-		return (ISC_R_UNEXPECTED);
-
-	gettimeofday(&postlock_t, NULL);
-	mp->stats->lock_t = postlock_t;
-
-	timevalsub(&postlock_t, &prelock_t);
-
-	mp->stats->count++;
-	timevaladd(&mp->stats->wait_total, &postlock_t);
-
 	for (i = 0; i < ISC_MUTEX_MAX_LOCKERS; i++) {
 		if (mp->stats->lockers[i].file == NULL) {
 			locker = &mp->stats->lockers[i];
@@ -152,6 +139,19 @@ isc_mutex_lock_profile(isc_mutex_t *mp, const char *file, int line) {
 		}
 	}
 
+	gettimeofday(&prelock_t, NULL);
+
+	if (pthread_mutex_lock(&mp->mutex) != 0)
+		return (ISC_R_UNEXPECTED);
+
+	gettimeofday(&postlock_t, NULL);
+	mp->stats->lock_t = postlock_t;
+
+	timevalsub(&postlock_t, &prelock_t);
+
+	mp->stats->count++;
+	timevaladd(&mp->stats->wait_total, &postlock_t);
+
 	if (locker != NULL) {
 		locker->count++;
 		timevaladd(&locker->wait_total, &postlock_t);
@@ -214,6 +214,25 @@ isc_mutex_statsprofile(FILE *fp) {
 
 #endif /* ISC_MUTEX_PROFILE */
 
+#if ISC_MUTEX_DEBUG && defined(PTHREAD_MUTEX_ERRORCHECK)
+isc_result_t
+isc_mutex_init_errcheck(isc_mutex_t *mp)
+{
+	pthread_mutexattr_t attr;
+
+	if (pthread_mutexattr_init(&attr) != 0)
+		return ISC_R_UNEXPECTED;
+
+	if (pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_ERRORCHECK) != 0)
+		return ISC_R_UNEXPECTED;
+  
+	if (pthread_mutex_init(mp, &attr) != 0)
+		return ISC_R_UNEXPECTED;
+
+	return ISC_R_SUCCESS;
+}
+#endif
+
 #if ISC_MUTEX_DEBUG && defined(__NetBSD__) && defined(PTHREAD_MUTEX_ERRORCHECK)
 pthread_mutexattr_t isc__mutex_attrs = {
 	PTHREAD_MUTEX_ERRORCHECK,	/* m_type */
diff --git a/lib/isc/pthreads/thread.c b/lib/isc/pthreads/thread.c
index f662d1ed..0f552d7e 100644
--- a/lib/isc/pthreads/thread.c
+++ b/lib/isc/pthreads/thread.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: thread.c,v 1.9.2.5 2004/12/04 06:44:37 marka Exp $ */
+/* $Id: thread.c,v 1.9.2.2.2.1 2004/03/06 08:14:54 marka Exp $ */
 
 #include <config.h>
 
@@ -49,12 +49,6 @@ isc_thread_create(isc_threadfunc_t func, isc_threadarg_t arg,
 	}
 #endif
 
-#if defined(PTHREAD_SCOPE_SYSTEM) && defined(NEED_PTHREAD_SCOPE_SYSTEM)
-	ret = pthread_attr_setscope(&attr, PTHREAD_SCOPE_SYSTEM);
-	if (ret != 0)
-		return (ISC_R_UNEXPECTED);
-#endif
-
 	ret = pthread_create(thread, &attr, func, arg);
 	if (ret != 0)
 		return (ISC_R_UNEXPECTED);
diff --git a/lib/isc/quota.c b/lib/isc/quota.c
index 6977c427..012bfbb3 100644
--- a/lib/isc/quota.c
+++ b/lib/isc/quota.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: quota.c,v 1.11.2.1 2004/03/09 06:11:50 marka Exp $ */
+/* $Id: quota.c,v 1.11.12.3 2004/03/08 09:04:49 marka Exp $ */
 
 #include <config.h>
 
@@ -28,6 +28,7 @@ isc_result_t
 isc_quota_init(isc_quota_t *quota, int max) {
 	quota->max = max;
 	quota->used = 0;
+	quota->soft = ISC_FALSE;
 	return (isc_mutex_init(&quota->lock));
 }
 
@@ -36,9 +37,15 @@ isc_quota_destroy(isc_quota_t *quota) {
 	INSIST(quota->used == 0);
 	quota->max = -1;
 	quota->used = -1;
+	quota->soft = ISC_FALSE;
 	DESTROYLOCK(&quota->lock);
 }
 
+void
+isc_quota_soft(isc_quota_t *quota, isc_boolean_t soft) {
+	quota->soft = soft;
+}
+
 isc_result_t
 isc_quota_reserve(isc_quota_t *quota) {
 	isc_result_t result;
@@ -47,7 +54,11 @@ isc_quota_reserve(isc_quota_t *quota) {
 		quota->used++;
 		result = ISC_R_SUCCESS;
 	} else {
-		result = ISC_R_QUOTA;
+		if (quota->soft) {
+			quota->used++;
+			result = ISC_R_SOFTQUOTA;
+		} else
+			result = ISC_R_QUOTA;
 	}
 	UNLOCK(&quota->lock);
 	return (result);
@@ -67,10 +78,9 @@ isc_quota_attach(isc_quota_t *quota, isc_quota_t **p)
 	isc_result_t result;
 	INSIST(p != NULL && *p == NULL);
 	result = isc_quota_reserve(quota);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	*p = quota;
-	return (ISC_R_SUCCESS);
+	if (result == ISC_R_SUCCESS || result == ISC_R_SOFTQUOTA)
+		*p = quota;
+	return (result);
 }
 
 void
diff --git a/lib/isc/random.c b/lib/isc/random.c
index 50be302a..e5c4d311 100644
--- a/lib/isc/random.c
+++ b/lib/isc/random.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
+ * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: random.c,v 1.15.2.5 2004/03/09 06:11:50 marka Exp $ */
+/* $Id: random.c,v 1.15.74.5 2004/03/08 09:04:49 marka Exp $ */
 
 #include <config.h>
 
@@ -82,7 +82,7 @@ isc_random_get(isc_uint32_t *val)
 	 * rand()'s lower bits are not random.
 	 * rand()'s upper bit is zero.
 	 */
-	*val = ((rand() >> 4) & 0xffff) | ((rand() << 12) & 0xffff0000) ;
+	*val = ((rand() >> 4) & 0xffff) | ((rand() << 12) & 0xffff0000);
 #else
 	*val = arc4random();
 #endif
diff --git a/lib/isc/ratelimiter.c b/lib/isc/ratelimiter.c
index e051741c..211363cc 100644
--- a/lib/isc/ratelimiter.c
+++ b/lib/isc/ratelimiter.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ratelimiter.c,v 1.18.2.1 2004/03/09 06:11:50 marka Exp $ */
+/* $Id: ratelimiter.c,v 1.18.14.4 2004/03/08 09:04:50 marka Exp $ */
 
 #include <config.h>
 
@@ -27,9 +27,10 @@
 #include <isc/util.h>
 
 typedef enum {
-	isc_ratelimiter_ratelimited,
-	isc_ratelimiter_worklimited,
-	isc_ratelimiter_shuttingdown
+	isc_ratelimiter_stalled = 0,
+	isc_ratelimiter_ratelimited = 1,
+	isc_ratelimiter_idle = 2,
+	isc_ratelimiter_shuttingdown = 3
 } isc_ratelimiter_state_t;
 
 struct isc_ratelimiter {
@@ -70,7 +71,7 @@ isc_ratelimiter_create(isc_mem_t *mctx, isc_timermgr_t *timermgr,
 	isc_interval_set(&rl->interval, 0, 0);
 	rl->timer = NULL;
 	rl->pertic = 1;
-	rl->state = isc_ratelimiter_worklimited;
+	rl->state = isc_ratelimiter_idle;
 	ISC_LIST_INIT(rl->pending);
 
 	result = isc_mutex_init(&rl->lock);
@@ -139,12 +140,13 @@ isc_ratelimiter_enqueue(isc_ratelimiter_t *rl, isc_task_t *task,
 	REQUIRE(ev->ev_sender == NULL);
 
 	LOCK(&rl->lock);
-        if (rl->state == isc_ratelimiter_ratelimited) {
+        if (rl->state == isc_ratelimiter_ratelimited ||
+	    rl->state == isc_ratelimiter_stalled) {
 		isc_event_t *ev = *eventp;
 		ev->ev_sender = task;
                 ISC_LIST_APPEND(rl->pending, ev, ev_link);
 		*eventp = NULL;
-        } else if (rl->state == isc_ratelimiter_worklimited) {
+        } else if (rl->state == isc_ratelimiter_idle) {
 		result = isc_timer_reset(rl->timer, isc_timertype_ticker, NULL,
 					 &rl->interval, ISC_FALSE);
 		if (result == ISC_R_SUCCESS) {
@@ -191,7 +193,7 @@ ratelimiter_tick(isc_task_t *task, isc_event_t *event) {
 						 isc_timertype_inactive,
 						 NULL, NULL, ISC_FALSE);
 			RUNTIME_CHECK(result == ISC_R_SUCCESS);
-			rl->state = isc_ratelimiter_worklimited;
+			rl->state = isc_ratelimiter_idle;
 			pertic = 0;	/* Force the loop to exit. */
 		}
 		UNLOCK(&rl->lock);
@@ -274,3 +276,51 @@ isc_ratelimiter_detach(isc_ratelimiter_t **rlp) {
 	*rlp = NULL;
 }
 
+isc_result_t
+isc_ratelimiter_stall(isc_ratelimiter_t *rl) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+	LOCK(&rl->lock);
+	switch (rl->state) {
+	case isc_ratelimiter_shuttingdown:
+		result = ISC_R_SHUTTINGDOWN;
+		break;
+	case isc_ratelimiter_ratelimited:
+		result = isc_timer_reset(rl->timer, isc_timertype_inactive,
+				 	 NULL, NULL, ISC_FALSE);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	case isc_ratelimiter_idle:
+	case isc_ratelimiter_stalled:
+		rl->state = isc_ratelimiter_stalled;
+		break;
+	}
+	UNLOCK(&rl->lock);
+	return (result);
+}
+
+isc_result_t
+isc_ratelimiter_release(isc_ratelimiter_t *rl) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+	LOCK(&rl->lock);
+	switch (rl->state) {
+	case isc_ratelimiter_shuttingdown:
+		result = ISC_R_SHUTTINGDOWN;
+		break;
+	case isc_ratelimiter_stalled:
+		if (!ISC_LIST_EMPTY(rl->pending)) {
+			result = isc_timer_reset(rl->timer,
+						 isc_timertype_ticker, NULL,
+						 &rl->interval, ISC_FALSE);
+			if (result == ISC_R_SUCCESS)
+				rl->state = isc_ratelimiter_ratelimited;
+		} else 
+			rl->state = isc_ratelimiter_idle;
+		break;
+	case isc_ratelimiter_ratelimited:
+	case isc_ratelimiter_idle:
+		break;
+	}
+	UNLOCK(&rl->lock);
+	return (result);
+}
diff --git a/lib/isc/region.c b/lib/isc/region.c
new file mode 100644
index 00000000..92f4f027
--- /dev/null
+++ b/lib/isc/region.c
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2002  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: region.c,v 1.2.202.3 2004/03/08 09:04:50 marka Exp $ */
+
+#include <config.h>
+
+#include <stdlib.h>
+#include <string.h>
+
+#include <isc/region.h>
+#include <isc/util.h>
+
+int
+isc_region_compare(isc_region_t *r1, isc_region_t *r2) {
+	unsigned int l;
+	int result;
+
+	REQUIRE(r1 != NULL);
+	REQUIRE(r2 != NULL);
+	       
+	l = (r1->length < r2->length) ? r1->length : r2->length;
+
+	if ((result = memcmp(r1->base, r2->base, l)) != 0)
+		return ((result < 0) ? -1 : 1);
+	else
+		return ((r1->length == r2->length) ? 0 :
+			(r1->length < r2->length) ? -1 : 1);
+}
diff --git a/lib/isc/result.c b/lib/isc/result.c
index 4e8c6579..e1d854cd 100644
--- a/lib/isc/result.c
+++ b/lib/isc/result.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2002  Internet Software Consortium.
+ * Copyright (C) 1998-2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: result.c,v 1.56.2.5 2004/06/11 00:35:05 marka Exp $ */
+/* $Id: result.c,v 1.56.2.2.8.5 2004/03/08 09:04:50 marka Exp $ */
 
 #include <config.h>
 
@@ -120,11 +120,11 @@ register_table(unsigned int base, unsigned int nresults, const char **text,
 	 * We use malloc() here because we we want to be able to use
 	 * isc_result_totext() even if there is no memory context.
 	 */
-	table = malloc(sizeof *table);
+	table = malloc(sizeof(*table));
 	if (table == NULL)
 		return (ISC_R_NOMEMORY);
 	table->base = base;
-	table->last = base + nresults - 1;
+	table->last = base + nresults;
 	table->text = text;
 	table->msgcat = msgcat;
 	table->set = set;
diff --git a/lib/isc/rwlock.c b/lib/isc/rwlock.c
index f98f5d4b..63f0c68d 100644
--- a/lib/isc/rwlock.c
+++ b/lib/isc/rwlock.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rwlock.c,v 1.33.2.7 2005/03/16 00:57:43 marka Exp $ */
+/* $Id: rwlock.c,v 1.33.2.4.2.1 2004/03/06 08:14:35 marka Exp $ */
 
 #include <config.h>
 
@@ -109,9 +109,7 @@ isc_rwlock_init(isc_rwlock_t *rwl, unsigned int read_quota,
 				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
 						ISC_MSG_FAILED, "failed"),
 				 isc_result_totext(result));
-		result = ISC_R_UNEXPECTED;
-		goto destroy_lock;
-
+		return (ISC_R_UNEXPECTED);
 	}
 	result = isc_condition_init(&rwl->writeable);
 	if (result != ISC_R_SUCCESS) {
@@ -120,20 +118,12 @@ isc_rwlock_init(isc_rwlock_t *rwl, unsigned int read_quota,
 				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
 						ISC_MSG_FAILED, "failed"),
 				 isc_result_totext(result));
-		result = ISC_R_UNEXPECTED;
-		goto destroy_rcond;
+		return (ISC_R_UNEXPECTED);
 	}
 
 	rwl->magic = RWLOCK_MAGIC;
 
 	return (ISC_R_SUCCESS);
-
-  destroy_rcond:
-	(void)isc_condition_destroy(&rwl->readable);
-  destroy_lock:
-	DESTROYLOCK(&rwl->lock);
-
-	return (result);
 }
 
 static isc_result_t
diff --git a/lib/isc/serial.c b/lib/isc/serial.c
index d9dfdfc0..4fe0ee59 100644
--- a/lib/isc/serial.c
+++ b/lib/isc/serial.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: serial.c,v 1.7.2.1 2004/03/09 06:11:51 marka Exp $ */
+/* $Id: serial.c,v 1.7.206.1 2004/03/06 08:14:35 marka Exp $ */
 #include <config.h>
 
 #include <isc/serial.h>
diff --git a/lib/isc/sha1.c b/lib/isc/sha1.c
index c9d3c450..0549e887 100644
--- a/lib/isc/sha1.c
+++ b/lib/isc/sha1.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sha1.c,v 1.10.2.4 2004/03/09 06:11:51 marka Exp $ */
+/* $Id: sha1.c,v 1.10.2.2.2.3 2004/03/06 08:14:35 marka Exp $ */
 
 /*	$NetBSD: sha1.c,v 1.5 2000/01/22 22:19:14 mycroft Exp $	*/
 /*	$OpenBSD: sha1.c,v 1.9 1997/07/23 21:12:32 kstailey Exp $	*/
@@ -259,7 +259,7 @@ isc_sha1_update(isc_sha1_t *context, const unsigned char *data,
 	if ((j + len) > 63) {
 		(void)memcpy(&context->buffer[j], data, (i = 64 - j));
 		transform(context->state, context->buffer);
-		for ( ; i + 63 < len; i += 64)
+		for (; i + 63 < len; i += 64)
 			transform(context->state, &data[i]);
 		j = 0;
 	} else {
diff --git a/lib/isc/sockaddr.c b/lib/isc/sockaddr.c
index 95106b83..b222f4e8 100644
--- a/lib/isc/sockaddr.c
+++ b/lib/isc/sockaddr.c
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sockaddr.c,v 1.48.2.7 2006/03/02 00:37:17 marka Exp $ */
+/* $Id: sockaddr.c,v 1.48.2.1.2.9 2004/03/08 09:04:50 marka Exp $ */
 
 #include <config.h>
 
@@ -121,10 +121,10 @@ isc_sockaddr_totext(const isc_sockaddr_t *sockaddr, isc_buffer_t *target) {
 	 */
 	switch (sockaddr->type.sa.sa_family) {
 	case AF_INET:
-		sprintf(pbuf, "%u", ntohs(sockaddr->type.sin.sin_port));
+		snprintf(pbuf, sizeof(pbuf), "%u", ntohs(sockaddr->type.sin.sin_port));
 		break;
 	case AF_INET6:
-		sprintf(pbuf, "%u", ntohs(sockaddr->type.sin6.sin6_port));
+		snprintf(pbuf, sizeof(pbuf), "%u", ntohs(sockaddr->type.sin6.sin6_port));
 		break;
 	default:
 		return (ISC_R_FAILURE);
@@ -184,6 +184,7 @@ isc_sockaddr_hash(const isc_sockaddr_t *sockaddr, isc_boolean_t address_only) {
 	const struct in6_addr *in6;
 
 	REQUIRE(sockaddr != NULL);
+
 	switch (sockaddr->type.sa.sa_family) {
 	case AF_INET:
 		s = (const unsigned char *)&sockaddr->type.sin.sin_addr;
@@ -204,8 +205,8 @@ isc_sockaddr_hash(const isc_sockaddr_t *sockaddr, isc_boolean_t address_only) {
 	default:
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
 				 isc_msgcat_get(isc_msgcat,
-					        ISC_MSGSET_SOCKADDR,
-				       		ISC_MSG_UNKNOWNFAMILY,
+						ISC_MSGSET_SOCKADDR,
+						ISC_MSG_UNKNOWNFAMILY,
 						"unknown address family: %d"),
 					     (int)sockaddr->type.sa.sa_family);
 		s = (const unsigned char *)&sockaddr->type;
@@ -361,6 +362,9 @@ isc_sockaddr_fromnetaddr(isc_sockaddr_t *sockaddr, const isc_netaddr_t *na,
 		sockaddr->type.sin6.sin6_len = sizeof(sockaddr->type.sin6);
 #endif
 		memcpy(&sockaddr->type.sin6.sin6_addr, &na->type.in6, 16);
+#ifdef ISC_PLATFORM_HAVESCOPEID
+		sockaddr->type.sin6.sin6_scope_id = isc_netaddr_getzone(na);
+#endif
 		sockaddr->type.sin6.sin6_port = htons(port);
 		break;
         default:
@@ -388,7 +392,7 @@ isc_sockaddr_setport(isc_sockaddr_t *sockaddr, in_port_t port) {
 }
 
 in_port_t
-isc_sockaddr_getport(const isc_sockaddr_t *sockaddr) {
+isc_sockaddr_getport(isc_sockaddr_t *sockaddr) {
 	in_port_t port = 0;
 
 	switch (sockaddr->type.sa.sa_family) {
@@ -410,7 +414,7 @@ isc_sockaddr_getport(const isc_sockaddr_t *sockaddr) {
 }
 
 isc_boolean_t
-isc_sockaddr_ismulticast(const isc_sockaddr_t *sockaddr) {
+isc_sockaddr_ismulticast(isc_sockaddr_t *sockaddr) {
 	isc_netaddr_t netaddr;
 
 	isc_netaddr_fromsockaddr(&netaddr, sockaddr);
@@ -418,7 +422,7 @@ isc_sockaddr_ismulticast(const isc_sockaddr_t *sockaddr) {
 }
 
 isc_boolean_t
-isc_sockaddr_isexperimental(const isc_sockaddr_t *sockaddr) {
+isc_sockaddr_isexperimental(isc_sockaddr_t *sockaddr) {
 	isc_netaddr_t netaddr;
 
 	if (sockaddr->type.sa.sa_family == AF_INET) {
@@ -427,3 +431,25 @@ isc_sockaddr_isexperimental(const isc_sockaddr_t *sockaddr) {
 	}
 	return (ISC_FALSE);
 }
+
+isc_boolean_t
+isc_sockaddr_issitelocal(isc_sockaddr_t *sockaddr) {
+	isc_netaddr_t netaddr;
+
+	if (sockaddr->type.sa.sa_family == AF_INET6) {
+		isc_netaddr_fromsockaddr(&netaddr, sockaddr);
+		return (isc_netaddr_issitelocal(&netaddr));
+	}
+	return (ISC_FALSE);
+}
+
+isc_boolean_t
+isc_sockaddr_islinklocal(isc_sockaddr_t *sockaddr) {
+	isc_netaddr_t netaddr;
+
+	if (sockaddr->type.sa.sa_family == AF_INET6) {
+		isc_netaddr_fromsockaddr(&netaddr, sockaddr);
+		return (isc_netaddr_islinklocal(&netaddr));
+	}
+	return (ISC_FALSE);
+}
diff --git a/lib/isc/string.c b/lib/isc/string.c
index ba5abbb8..9de2b817 100644
--- a/lib/isc/string.c
+++ b/lib/isc/string.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: string.c,v 1.6.2.2 2004/09/16 01:00:40 marka Exp $ */
+/* $Id: string.c,v 1.6.164.4 2004/03/16 05:50:24 marka Exp $ */
 
 #include <config.h>
 
@@ -60,7 +60,7 @@ isc_string_touint64(char *source, char **end, int base) {
 	tmp = 0;
 
 	while ((c = *s) != 0) {
-		c = tolower(c&0xff);
+		c = tolower(c);
 		/* end ? */
 		if ((o = strchr(digits, c)) == NULL) {
 			*end = s;
@@ -109,3 +109,57 @@ isc_string_separate(char **stringp, const char *delim) {
 	*stringp = NULL;
 	return (string);
 }
+
+size_t
+isc_string_strlcpy(char *dst, const char *src, size_t size)
+{
+	char *d = dst;
+	const char *s = src;
+	size_t n = size;
+
+	/* Copy as many bytes as will fit */
+	if (n != 0U && --n != 0U) {
+		do {
+			if ((*d++ = *s++) == 0)
+				break;
+		} while (--n != 0U);
+	}
+
+	/* Not enough room in dst, add NUL and traverse rest of src */
+	if (n == 0U) {
+		if (size != 0U)
+			*d = '\0';		/* NUL-terminate dst */
+		while (*s++)
+			;
+	}
+
+	return(s - src - 1);	/* count does not include NUL */
+}
+
+size_t
+isc_string_strlcat(char *dst, const char *src, size_t size)
+{
+	char *d = dst;
+	const char *s = src;
+	size_t n = size;
+	size_t dlen;
+
+	/* Find the end of dst and adjust bytes left but don't go past end */
+	while (n-- != 0U && *d != '\0')
+		d++;
+	dlen = d - dst;
+	n = size - dlen;
+
+	if (n == 0U)
+		return(dlen + strlen(s));
+	while (*s != '\0') {
+		if (n != 1U) {
+			*d++ = *s;
+			n--;
+		}
+		s++;
+	}
+	*d = '\0';
+
+	return(dlen + (s - src));	/* count does not include NUL */
+}
diff --git a/lib/isc/strtoul.c b/lib/isc/strtoul.c
new file mode 100644
index 00000000..b3d7e499
--- /dev/null
+++ b/lib/isc/strtoul.c
@@ -0,0 +1,128 @@
+/*
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2003  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Copyright (c) 1990, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static char sccsid[] = "@(#)strtoul.c	8.1 (Berkeley) 6/4/93";
+#endif /* LIBC_SCCS and not lint */
+
+/* $Id: strtoul.c,v 1.2.14.3 2004/03/06 08:14:36 marka Exp $ */
+
+#include <config.h>
+
+#include <limits.h>
+#include <ctype.h>
+#include <errno.h>
+
+#include <isc/stdlib.h>
+#include <isc/util.h>
+
+/*
+ * Convert a string to an unsigned long integer.
+ *
+ * Ignores `locale' stuff.  Assumes that the upper and lower case
+ * alphabets and digits are each contiguous.
+ */
+unsigned long
+isc_strtoul(const char *nptr, char **endptr, int base) {
+	const char *s = nptr;
+	unsigned long acc;
+	unsigned char c;
+	unsigned long cutoff;
+	int neg = 0, any, cutlim;
+
+	/*
+	 * See strtol for comments as to the logic used.
+	 */
+	do {
+		c = *s++;
+	} while (isspace(c));
+	if (c == '-') {
+		neg = 1;
+		c = *s++;
+	} else if (c == '+')
+		c = *s++;
+	if ((base == 0 || base == 16) &&
+	    c == '0' && (*s == 'x' || *s == 'X')) {
+		c = s[1];
+		s += 2;
+		base = 16;
+	}
+	if (base == 0)
+		base = c == '0' ? 8 : 10;
+	cutoff = (unsigned long)ULONG_MAX / (unsigned long)base;
+	cutlim = (unsigned long)ULONG_MAX % (unsigned long)base;
+	for (acc = 0, any = 0;; c = *s++) {
+		if (!isascii(c))
+			break;
+		if (isdigit(c))
+			c -= '0';
+		else if (isalpha(c))
+			c -= isupper(c) ? 'A' - 10 : 'a' - 10;
+		else
+			break;
+		if (c >= base)
+			break;
+		if (any < 0 || acc > cutoff || (acc == cutoff && c > cutlim))
+			any = -1;
+		else {
+			any = 1;
+			acc *= base;
+			acc += c;
+		}
+	}
+	if (any < 0) {
+		acc = ULONG_MAX;
+		errno = ERANGE;
+	} else if (neg)
+		acc = -acc;
+	if (endptr != 0)
+		DE_CONST(any ? s - 1 : nptr, *endptr);
+	return (acc);
+}
diff --git a/lib/isc/symtab.c b/lib/isc/symtab.c
index ebebf451..8b2b8c46 100644
--- a/lib/isc/symtab.c
+++ b/lib/isc/symtab.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: symtab.c,v 1.24.2.1 2004/03/09 06:11:52 marka Exp $ */
+/* $Id: symtab.c,v 1.24.12.3 2004/03/08 09:04:50 marka Exp $ */
 
 #include <config.h>
 
@@ -64,13 +64,13 @@ isc_symtab_create(isc_mem_t *mctx, unsigned int size,
 	REQUIRE(symtabp != NULL && *symtabp == NULL);
 	REQUIRE(size > 0);	/* Should be prime. */
 
-	symtab = (isc_symtab_t *)isc_mem_get(mctx, sizeof *symtab);
+	symtab = (isc_symtab_t *)isc_mem_get(mctx, sizeof(*symtab));
 	if (symtab == NULL)
 		return (ISC_R_NOMEMORY);
 	symtab->table = (eltlist_t *)isc_mem_get(mctx,
-						 size * sizeof (eltlist_t));
+						 size * sizeof(eltlist_t));
 	if (symtab->table == NULL) {
-		isc_mem_put(mctx, symtab, sizeof *symtab);
+		isc_mem_put(mctx, symtab, sizeof(*symtab));
 		return (ISC_R_NOMEMORY);
 	}
 	for (i = 0; i < size; i++)
@@ -105,13 +105,13 @@ isc_symtab_destroy(isc_symtab_t **symtabp) {
 							 elt->type,
 							 elt->value,
 							 symtab->undefine_arg);
-			isc_mem_put(symtab->mctx, elt, sizeof *elt);
+			isc_mem_put(symtab->mctx, elt, sizeof(*elt));
 		}
 	}
 	isc_mem_put(symtab->mctx, symtab->table,
-		    symtab->size * sizeof (eltlist_t));
+		    symtab->size * sizeof(eltlist_t));
 	symtab->magic = 0;
-	isc_mem_put(symtab->mctx, symtab, sizeof *symtab);
+	isc_mem_put(symtab->mctx, symtab, sizeof(*symtab));
 
 	*symtabp = NULL;
 }
@@ -202,7 +202,7 @@ isc_symtab_define(isc_symtab_t *symtab, const char *key, unsigned int type,
 						  elt->value,
 						  symtab->undefine_arg);
 	} else {
-		elt = (elt_t *)isc_mem_get(symtab->mctx, sizeof *elt);
+		elt = (elt_t *)isc_mem_get(symtab->mctx, sizeof(*elt));
 		if (elt == NULL)
 			return (ISC_R_NOMEMORY);
 		ISC_LINK_INIT(elt, link);
@@ -244,7 +244,7 @@ isc_symtab_undefine(isc_symtab_t *symtab, const char *key, unsigned int type) {
 		(symtab->undefine_action)(elt->key, elt->type,
 					  elt->value, symtab->undefine_arg);
 	UNLINK(symtab->table[bucket], elt, link);
-	isc_mem_put(symtab->mctx, elt, sizeof *elt);
+	isc_mem_put(symtab->mctx, elt, sizeof(*elt));
 
 	return (ISC_R_SUCCESS);
 }
diff --git a/lib/isc/task.c b/lib/isc/task.c
index c1043d32..dc416957 100644
--- a/lib/isc/task.c
+++ b/lib/isc/task.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2002  Internet Software Consortium.
+ * Copyright (C) 1998-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: task.c,v 1.85.2.6 2004/10/15 00:41:54 marka Exp $ */
+/* $Id: task.c,v 1.85.2.3.8.4 2004/03/08 21:06:29 marka Exp $ */
 
 /*
  * Principal Author: Bob Halley
@@ -82,6 +82,7 @@ struct isc_task {
 	isc_eventlist_t			on_shutdown;
 	unsigned int			quantum;
 	unsigned int			flags;
+	isc_stdtime_t			now;
 #ifdef ISC_TASK_NAMES
 	char				name[16];
 	void *				tag;
@@ -104,8 +105,8 @@ struct isc_taskmgr {
 	unsigned int			magic;
 	isc_mem_t *			mctx;
 	isc_mutex_t			lock;
-#ifdef ISC_PLATFORM_USETHREADS
 	unsigned int			workers;
+#ifdef ISC_PLATFORM_USETHREADS
 	isc_thread_t *			threads;
 #endif /* ISC_PLATFORM_USETHREADS */
 	/* Locked by task manager lock. */
@@ -164,7 +165,7 @@ task_finished(isc_task_t *task) {
 
 	DESTROYLOCK(&task->lock);
 	task->magic = 0;
-	isc_mem_put(manager->mctx, task, sizeof *task);
+	isc_mem_put(manager->mctx, task, sizeof(*task));
 }
 
 isc_result_t
@@ -177,13 +178,13 @@ isc_task_create(isc_taskmgr_t *manager, unsigned int quantum,
 	REQUIRE(VALID_MANAGER(manager));
 	REQUIRE(taskp != NULL && *taskp == NULL);
 
-	task = isc_mem_get(manager->mctx, sizeof *task);
+	task = isc_mem_get(manager->mctx, sizeof(*task));
 	if (task == NULL)
 		return (ISC_R_NOMEMORY);
 	XTRACE("isc_task_create");
 	task->manager = manager;
 	if (isc_mutex_init(&task->lock) != ISC_R_SUCCESS) {
-		isc_mem_put(manager->mctx, task, sizeof *task);
+		isc_mem_put(manager->mctx, task, sizeof(*task));
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
 				 "isc_mutex_init() %s",
 				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
@@ -196,8 +197,9 @@ isc_task_create(isc_taskmgr_t *manager, unsigned int quantum,
 	INIT_LIST(task->on_shutdown);
 	task->quantum = quantum;
 	task->flags = 0;
+	task->now = 0;
 #ifdef ISC_TASK_NAMES
-	memset(task->name, 0, sizeof task->name);
+	memset(task->name, 0, sizeof(task->name));
 	task->tag = NULL;
 #endif
 	INIT_LINK(task, link);
@@ -215,7 +217,7 @@ isc_task_create(isc_taskmgr_t *manager, unsigned int quantum,
 
 	if (exiting) {
 		DESTROYLOCK(&task->lock);
-		isc_mem_put(manager->mctx, task, sizeof *task);
+		isc_mem_put(manager->mctx, task, sizeof(*task));
 		return (ISC_R_SHUTTINGDOWN);
 	}
 
@@ -636,7 +638,7 @@ isc_task_onshutdown(isc_task_t *task, isc_taskaction_t action, const void *arg)
 				   ISC_TASKEVENT_SHUTDOWN,
 				   action,
 				   arg,
-				   sizeof *event);
+				   sizeof(*event));
 	if (event == NULL)
 		return (ISC_R_NOMEMORY);
 
@@ -649,7 +651,7 @@ isc_task_onshutdown(isc_task_t *task, isc_taskaction_t action, const void *arg)
 	UNLOCK(&task->lock);
 
 	if (disallowed)
-		isc_mem_put(task->manager->mctx, event, sizeof *event);
+		isc_mem_put(task->manager->mctx, event, sizeof(*event));
 
 	return (result);
 }
@@ -717,6 +719,17 @@ isc_task_gettag(isc_task_t *task) {
 	return (task->tag);
 }
 
+void
+isc_task_getcurrenttime(isc_task_t *task, isc_stdtime_t *t) {
+	REQUIRE(VALID_TASK(task));
+	REQUIRE(t != NULL);
+
+	LOCK(&task->lock);
+
+	*t = task->now;
+
+	UNLOCK(&task->lock);
+}
 
 /***
  *** Task Manager.
@@ -838,6 +851,7 @@ dispatch(isc_taskmgr_t *manager) {
 			task->state = task_state_running;
 			XTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
 					      ISC_MSG_RUNNING, "running"));
+			isc_stdtime_get(&task->now);
 			do {
 				if (!EMPTY(task->events)) {
 					event = HEAD(task->events);
@@ -1011,12 +1025,13 @@ manager_free(isc_taskmgr_t *manager) {
 #ifdef ISC_PLATFORM_USETHREADS
 	(void)isc_condition_destroy(&manager->exclusive_granted);	
 	(void)isc_condition_destroy(&manager->work_available);
-	isc_mem_free(manager->mctx, manager->threads);
+	isc_mem_put(manager->mctx, manager->threads,
+		    manager->workers * sizeof(isc_thread_t));
 #endif /* ISC_PLATFORM_USETHREADS */
 	DESTROYLOCK(&manager->lock);
 	manager->magic = 0;
 	mctx = manager->mctx;
-	isc_mem_put(mctx, manager, sizeof *manager);
+	isc_mem_put(mctx, manager, sizeof(*manager));
 	isc_mem_detach(&mctx);
 }
 
@@ -1047,11 +1062,12 @@ isc_taskmgr_create(isc_mem_t *mctx, unsigned int workers,
 	}
 #endif /* ISC_PLATFORM_USETHREADS */
 
-	manager = isc_mem_get(mctx, sizeof *manager);
+	manager = isc_mem_get(mctx, sizeof(*manager));
 	if (manager == NULL)
 		return (ISC_R_NOMEMORY);
 	manager->magic = TASK_MANAGER_MAGIC;
 	manager->mctx = NULL;
+	manager->workers = 0;
 	if (isc_mutex_init(&manager->lock) != ISC_R_SUCCESS) {
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
 				 "isc_mutex_init() %s",
@@ -1061,9 +1077,7 @@ isc_taskmgr_create(isc_mem_t *mctx, unsigned int workers,
 		goto cleanup_mgr;
 	}
 #ifdef ISC_PLATFORM_USETHREADS
-	manager->workers = 0;
-	manager->threads = isc_mem_allocate(mctx,
-					    workers * sizeof(isc_thread_t));
+	manager->threads = isc_mem_get(mctx, workers * sizeof(isc_thread_t));
 	if (manager->threads == NULL) {
 		result = ISC_R_NOMEMORY;
 		goto cleanup_lock;
@@ -1093,6 +1107,7 @@ isc_taskmgr_create(isc_mem_t *mctx, unsigned int workers,
 	manager->tasks_running = 0;
 	manager->exclusive_requested = ISC_FALSE;
 	manager->exiting = ISC_FALSE;
+	manager->workers = 0;
 
 	isc_mem_attach(mctx, &manager->mctx);
 
@@ -1129,12 +1144,12 @@ isc_taskmgr_create(isc_mem_t *mctx, unsigned int workers,
  cleanup_workavailable:
 	(void)isc_condition_destroy(&manager->work_available);
  cleanup_threads:
-	isc_mem_free(mctx, manager->threads);
+	isc_mem_put(mctx, manager->threads, workers * sizeof(isc_thread_t));
  cleanup_lock:
 	DESTROYLOCK(&manager->lock);
 #endif
  cleanup_mgr:
-	isc_mem_put(mctx, manager, sizeof *manager);
+	isc_mem_put(mctx, manager, sizeof(*manager));
 	return (result);
 }
 
diff --git a/lib/isc/task_p.h b/lib/isc/task_p.h
index e25549c8..f842c5bf 100644
--- a/lib/isc/task_p.h
+++ b/lib/isc/task_p.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: task_p.h,v 1.6.2.1 2004/03/09 06:11:52 marka Exp $ */
+/* $Id: task_p.h,v 1.6.206.1 2004/03/06 08:14:36 marka Exp $ */
 
 #ifndef ISC_TASK_P_H
 #define ISC_TASK_P_H
diff --git a/lib/isc/taskpool.c b/lib/isc/taskpool.c
index 83ac6746..0b400bf7 100644
--- a/lib/isc/taskpool.c
+++ b/lib/isc/taskpool.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: taskpool.c,v 1.10.2.3 2006/01/04 23:50:17 marka Exp $ */
+/* $Id: taskpool.c,v 1.10.12.3 2004/03/08 09:04:50 marka Exp $ */
 
 #include <config.h>
 
@@ -46,16 +46,12 @@ isc_taskpool_create(isc_taskmgr_t *tmgr, isc_mem_t *mctx,
 	isc_result_t result;
 
 	INSIST(ntasks > 0);
-	pool = isc_mem_get(mctx, sizeof *pool);
+	pool = isc_mem_get(mctx, sizeof(*pool));
 	if (pool == NULL)
 		return (ISC_R_NOMEMORY);
 	pool->mctx = mctx;
 	pool->ntasks = ntasks;
 	pool->tasks = isc_mem_get(mctx, ntasks * sizeof(isc_task_t *));
-	if (pool->tasks == NULL) {
-		isc_mem_put(mctx, pool, sizeof(*pool));
-		return (ISC_R_NOMEMORY);
-	}
 	for (i = 0; i < ntasks; i++)
 		pool->tasks[i] = NULL;
 	for (i = 0; i < ntasks; i++) {
diff --git a/lib/isc/timer.c b/lib/isc/timer.c
index 209986e4..f3cdd916 100644
--- a/lib/isc/timer.c
+++ b/lib/isc/timer.c
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,12 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: timer.c,v 1.64.2.3 2006/01/04 23:50:17 marka Exp $ */
+/* $Id: timer.c,v 1.64.12.9 2004/03/08 09:04:50 marka Exp $ */
 
 #include <config.h>
 
 #include <isc/condition.h>
 #include <isc/heap.h>
+#include <isc/log.h>
 #include <isc/magic.h>
 #include <isc/mem.h>
 #include <isc/msgs.h>
@@ -36,16 +37,19 @@
 #endif /* ISC_PLATFORM_USETHREADS */
 
 #ifdef ISC_TIMER_TRACE
-#define XTRACE(s)			printf("%s\n", (s))
-#define XTRACEID(s, t)			printf("%s %p\n", (s), (t))
-#define XTRACETIME(s, d)		printf("%s %u.%09u\n", (s), \
+#define XTRACE(s)			fprintf(stderr, "%s\n", (s))
+#define XTRACEID(s, t)			fprintf(stderr, "%s %p\n", (s), (t))
+#define XTRACETIME(s, d)		fprintf(stderr, "%s %u.%09u\n", (s), \
 					       (d).seconds, (d).nanoseconds)
-#define XTRACETIMER(s, t, d)		printf("%s %p %u.%09u\n", (s), (t), \
+#define XTRACETIME2(s, d, n)		fprintf(stderr, "%s %u.%09u %u.%09u\n", (s), \
+					       (d).seconds, (d).nanoseconds, (n).seconds, (n).nanoseconds)
+#define XTRACETIMER(s, t, d)		fprintf(stderr, "%s %p %u.%09u\n", (s), (t), \
 					       (d).seconds, (d).nanoseconds)
 #else
 #define XTRACE(s)
 #define XTRACEID(s, t)
 #define XTRACETIME(s, d)
+#define XTRACETIME2(s, d, n)
 #define XTRACETIMER(s, t, d)
 #endif /* ISC_TIMER_TRACE */
 
@@ -107,6 +111,9 @@ schedule(isc_timer_t *timer, isc_time_t *now, isc_boolean_t signal_ok) {
 	isc_timermgr_t *manager;
 	isc_time_t due;
 	int cmp;
+#ifdef ISC_PLATFORM_USETHREADS
+	isc_boolean_t timedwait;
+#endif
 
 	/*
 	 * Note: the caller must ensure locking.
@@ -118,13 +125,27 @@ schedule(isc_timer_t *timer, isc_time_t *now, isc_boolean_t signal_ok) {
 	UNUSED(signal_ok);
 #endif /* ISC_PLATFORM_USETHREADS */
 
+	manager = timer->manager;
+
+#ifdef ISC_PLATFORM_USETHREADS
+	/*
+	 * If the manager was timed wait, we may need to signal the
+	 * manager to force a wakeup.
+	 */
+	timedwait = ISC_TF(manager->nscheduled > 0 &&
+			   isc_time_seconds(&manager->due) != 0);
+#endif
+
 	/*
 	 * Compute the new due time.
 	 */
-	if (timer->type == isc_timertype_ticker) {
+	if (timer->type != isc_timertype_once) {
 		result = isc_time_add(now, &timer->interval, &due);
 		if (result != ISC_R_SUCCESS)
 			return (result);
+		if (timer->type == isc_timertype_limited &&
+		    isc_time_compare(&timer->expires, &due) < 0)
+			due = timer->expires;
 	} else {
 		if (isc_time_isepoch(&timer->idle))
 			due = timer->expires;
@@ -139,7 +160,7 @@ schedule(isc_timer_t *timer, isc_time_t *now, isc_boolean_t signal_ok) {
 	/*
 	 * Schedule the timer.
 	 */
-	manager = timer->manager;
+
 	if (timer->index > 0) {
 		/*
 		 * Already scheduled.
@@ -177,6 +198,31 @@ schedule(isc_timer_t *timer, isc_time_t *now, isc_boolean_t signal_ok) {
 	 * run thread, or explicitly setting the value in the manager.
 	 */
 #ifdef ISC_PLATFORM_USETHREADS
+
+	/*
+	 * This is a temporary (probably) hack to fix a bug on tru64 5.1
+	 * and 5.1a.  Sometimes, pthread_cond_timedwait() doesn't actually
+	 * return when the time expires, so here, we check to see if
+	 * we're 15 seconds or more behind, and if we are, we signal
+	 * the dispatcher.  This isn't such a bad idea as a general purpose
+	 * watchdog, so perhaps we should just leave it in here.
+	 */
+	if (signal_ok && timedwait) {
+		isc_interval_t fifteen;
+		isc_time_t then;
+
+		isc_interval_set(&fifteen, 15, 0);
+		isc_time_add(&manager->due, &fifteen, &then);
+
+		if (isc_time_compare(&then, now) < 0) {
+			SIGNAL(&manager->wakeup);
+			signal_ok = ISC_FALSE;
+			isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+				      ISC_LOGMODULE_TIMER, ISC_LOG_WARNING,
+				      "*** POKED TIMER ***");
+		}
+	}
+		
 	if (timer->index == 1 && signal_ok) {
 		XTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_TIMER,
 				      ISC_MSG_SIGNALSCHED,
@@ -230,11 +276,11 @@ destroy(isc_timer_t *timer) {
 
 	LOCK(&manager->lock);
 
-	isc_task_purgerange(timer->task,
-			    timer,
-			    ISC_TIMEREVENT_FIRSTEVENT,
-			    ISC_TIMEREVENT_LASTEVENT,
-			    NULL);
+	(void)isc_task_purgerange(timer->task,
+				  timer,
+				  ISC_TIMEREVENT_FIRSTEVENT,
+				  ISC_TIMEREVENT_LASTEVENT,
+				  NULL);
 	deschedule(timer);
 	UNLINK(manager->timers, timer, link);
 
@@ -243,7 +289,7 @@ destroy(isc_timer_t *timer) {
 	isc_task_detach(&timer->task);
 	DESTROYLOCK(&timer->lock);
 	timer->magic = 0;
-	isc_mem_put(manager->mctx, timer, sizeof *timer);
+	isc_mem_put(manager->mctx, timer, sizeof(*timer));
 }
 
 isc_result_t
@@ -274,22 +320,14 @@ isc_timer_create(isc_timermgr_t *manager, isc_timertype_t type,
 	REQUIRE(type == isc_timertype_inactive ||
 		!(isc_time_isepoch(expires) && isc_interval_iszero(interval)));
 	REQUIRE(timerp != NULL && *timerp == NULL);
+	REQUIRE(type != isc_timertype_limited ||
+		!(isc_time_isepoch(expires) || isc_interval_iszero(interval)));
 
 	/*
 	 * Get current time.
 	 */
 	if (type != isc_timertype_inactive) {
-		result = isc_time_now(&now);
-		if (result != ISC_R_SUCCESS) {
-			UNEXPECTED_ERROR(__FILE__, __LINE__,
-					 "isc_time_now() %s: %s",
-					 isc_msgcat_get(isc_msgcat,
-							ISC_MSGSET_GENERAL,
-							ISC_MSG_FAILED,
-							"failed"),
-					 isc_result_totext(result));
-			return (ISC_R_UNEXPECTED);
-		}
+		TIME_NOW(&now);
 	} else {
 		/*
 		 * We don't have to do this, but it keeps the compiler from
@@ -300,7 +338,7 @@ isc_timer_create(isc_timermgr_t *manager, isc_timertype_t type,
 	}
 
 
-	timer = isc_mem_get(manager->mctx, sizeof *timer);
+	timer = isc_mem_get(manager->mctx, sizeof(*timer));
 	if (timer == NULL)
 		return (ISC_R_NOMEMORY);
 
@@ -309,10 +347,8 @@ isc_timer_create(isc_timermgr_t *manager, isc_timertype_t type,
 
 	if (type == isc_timertype_once && !isc_interval_iszero(interval)) {
 		result = isc_time_add(&now, interval, &timer->idle);
-		if (result != ISC_R_SUCCESS) {
-			isc_mem_put(manager->mctx, timer, sizeof(*timer));
+		if (result != ISC_R_SUCCESS)
 			return (result);
-		}
 	} else
 		isc_time_settoepoch(&timer->idle);
 
@@ -336,7 +372,7 @@ isc_timer_create(isc_timermgr_t *manager, isc_timertype_t type,
 	timer->index = 0;
 	if (isc_mutex_init(&timer->lock) != ISC_R_SUCCESS) {
 		isc_task_detach(&timer->task);
-		isc_mem_put(manager->mctx, timer, sizeof *timer);
+		isc_mem_put(manager->mctx, timer, sizeof(*timer));
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
 				 "isc_mutex_init() %s",
 				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
@@ -366,7 +402,7 @@ isc_timer_create(isc_timermgr_t *manager, isc_timertype_t type,
 		timer->magic = 0;
 		DESTROYLOCK(&timer->lock);
 		isc_task_detach(&timer->task);
-		isc_mem_put(manager->mctx, timer, sizeof *timer);
+		isc_mem_put(manager->mctx, timer, sizeof(*timer));
 		return (result);
 	}
 
@@ -399,22 +435,14 @@ isc_timer_reset(isc_timer_t *timer, isc_timertype_t type,
 		interval = isc_interval_zero;
 	REQUIRE(type == isc_timertype_inactive ||
 		!(isc_time_isepoch(expires) && isc_interval_iszero(interval)));
+	REQUIRE(type != isc_timertype_limited ||
+		!(isc_time_isepoch(expires) || isc_interval_iszero(interval)));
 
 	/*
 	 * Get current time.
 	 */
 	if (type != isc_timertype_inactive) {
-		result = isc_time_now(&now);
-		if (result != ISC_R_SUCCESS) {
-			UNEXPECTED_ERROR(__FILE__, __LINE__,
-					 "isc_time_now() %s: %s",
-					 isc_msgcat_get(isc_msgcat,
-							ISC_MSGSET_GENERAL,
-							ISC_MSG_FAILED,
-							"failed"),
-					 isc_result_totext(result));
-			return (ISC_R_UNEXPECTED);
-		}
+		TIME_NOW(&now);
 	} else {
 		/*
 		 * We don't have to do this, but it keeps the compiler from
@@ -430,11 +458,11 @@ isc_timer_reset(isc_timer_t *timer, isc_timertype_t type,
 	LOCK(&timer->lock);
 
 	if (purge)
-		isc_task_purgerange(timer->task,
-				    timer,
-				    ISC_TIMEREVENT_FIRSTEVENT,
-				    ISC_TIMEREVENT_LASTEVENT,
-				    NULL);
+		(void)isc_task_purgerange(timer->task,
+					  timer,
+					  ISC_TIMEREVENT_FIRSTEVENT,
+					  ISC_TIMEREVENT_LASTEVENT,
+					  NULL);
 	timer->type = type;
 	timer->expires = *expires;
 	timer->interval = *interval;
@@ -460,6 +488,19 @@ isc_timer_reset(isc_timer_t *timer, isc_timertype_t type,
 }
 
 isc_result_t
+isc_timer_gettype(isc_timer_t *timer) {
+	isc_timertype_t t;
+
+	REQUIRE(VALID_TIMER(timer));
+
+	LOCK(&timer->lock);
+	t = timer->type;
+	UNLOCK(&timer->lock);
+
+	return (t);
+}
+
+isc_result_t
 isc_timer_touch(isc_timer_t *timer) {
 	isc_result_t result;
 	isc_time_t now;
@@ -481,16 +522,8 @@ isc_timer_touch(isc_timer_t *timer) {
 	 * don't want to do.
 	 */
 
-	result = isc_time_now(&now);
-	if (result != ISC_R_SUCCESS) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_time_now() %s: %s",
-				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
-						ISC_MSG_FAILED, "failed"),
-				 isc_result_totext(result));
-		result = ISC_R_UNEXPECTED;
-	} else
-		result = isc_time_add(&now, &timer->interval, &timer->idle);
+	TIME_NOW(&now);
+	result = isc_time_add(&now, &timer->interval, &timer->idle);
 
 	UNLOCK(&timer->lock);
 
@@ -559,6 +592,18 @@ dispatch(isc_timermgr_t *manager, isc_time_t *now) {
 				type = ISC_TIMEREVENT_TICK;
 				post_event = ISC_TRUE;
 				need_schedule = ISC_TRUE;
+			} else if (timer->type == isc_timertype_limited) {
+				int cmp;
+				cmp = isc_time_compare(now, &timer->expires);
+				if (cmp >= 0) {
+					type = ISC_TIMEREVENT_LIFE;
+					post_event = ISC_TRUE;
+					need_schedule = ISC_FALSE;
+				} else {
+					type = ISC_TIMEREVENT_TICK;
+					post_event = ISC_TRUE;
+					need_schedule = ISC_TRUE;
+				}
 			} else if (!isc_time_isepoch(&timer->expires) &&
 				   isc_time_compare(now,
 						    &timer->expires) >= 0) {
@@ -597,7 +642,7 @@ dispatch(isc_timermgr_t *manager, isc_time_t *now) {
 							   type,
 							   timer->action,
 							   timer->arg,
-							   sizeof *event);
+							   sizeof(*event));
 
 				if (event != NULL)
 					isc_task_send(timer->task, &event);
@@ -644,7 +689,7 @@ run(void *uap) {
 
 	LOCK(&manager->lock);
 	while (!manager->done) {
-		RUNTIME_CHECK(isc_time_now(&now) == ISC_R_SUCCESS);
+		TIME_NOW(&now);
 
 		XTRACETIME(isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
 					  ISC_MSG_RUNNING,
@@ -653,18 +698,17 @@ run(void *uap) {
 		dispatch(manager, &now);
 
 		if (manager->nscheduled > 0) {
-			XTRACETIME(isc_msgcat_get(isc_msgcat,
-						  ISC_MSGSET_GENERAL,
-						  ISC_MSG_WAITUNTIL,
-						  "waituntil"),
-				   manager->due);
-			result = WAITUNTIL(&manager->wakeup, &manager->lock,
-					   &manager->due);
+			XTRACETIME2(isc_msgcat_get(isc_msgcat,
+						   ISC_MSGSET_GENERAL,
+						   ISC_MSG_WAITUNTIL,
+						   "waituntil"),
+				    manager->due, now);
+			result = WAITUNTIL(&manager->wakeup, &manager->lock, &manager->due);
 			INSIST(result == ISC_R_SUCCESS ||
 			       result == ISC_R_TIMEDOUT);
 		} else {
-			XTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
-					      ISC_MSG_WAIT, "wait"));
+			XTRACETIME(isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+						  ISC_MSG_WAIT, "wait"), now);
 			WAIT(&manager->wakeup, &manager->lock);
 		}
 		XTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_TIMER,
@@ -719,7 +763,7 @@ isc_timermgr_create(isc_mem_t *mctx, isc_timermgr_t **managerp) {
 	}
 #endif /* ISC_PLATFORM_USETHREADS */
 
-	manager = isc_mem_get(mctx, sizeof *manager);
+	manager = isc_mem_get(mctx, sizeof(*manager));
 	if (manager == NULL)
 		return (ISC_R_NOMEMORY);
 
@@ -733,12 +777,12 @@ isc_timermgr_create(isc_mem_t *mctx, isc_timermgr_t **managerp) {
 	result = isc_heap_create(mctx, sooner, set_index, 0, &manager->heap);
 	if (result != ISC_R_SUCCESS) {
 		INSIST(result == ISC_R_NOMEMORY);
-		isc_mem_put(mctx, manager, sizeof *manager);
+		isc_mem_put(mctx, manager, sizeof(*manager));
 		return (ISC_R_NOMEMORY);
 	}
 	if (isc_mutex_init(&manager->lock) != ISC_R_SUCCESS) {
 		isc_heap_destroy(&manager->heap);
-		isc_mem_put(mctx, manager, sizeof *manager);
+		isc_mem_put(mctx, manager, sizeof(*manager));
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
 				 "isc_mutex_init() %s",
 				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
@@ -751,7 +795,7 @@ isc_timermgr_create(isc_mem_t *mctx, isc_timermgr_t **managerp) {
 		isc_mem_detach(&manager->mctx);
 		DESTROYLOCK(&manager->lock);
 		isc_heap_destroy(&manager->heap);
-		isc_mem_put(mctx, manager, sizeof *manager);
+		isc_mem_put(mctx, manager, sizeof(*manager));
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
 				 "isc_condition_init() %s",
 				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
@@ -764,7 +808,7 @@ isc_timermgr_create(isc_mem_t *mctx, isc_timermgr_t **managerp) {
 		(void)isc_condition_destroy(&manager->wakeup);
 		DESTROYLOCK(&manager->lock);
 		isc_heap_destroy(&manager->heap);
-		isc_mem_put(mctx, manager, sizeof *manager);
+		isc_mem_put(mctx, manager, sizeof(*manager));
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
 				 "isc_thread_create() %s",
 				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
@@ -782,6 +826,17 @@ isc_timermgr_create(isc_mem_t *mctx, isc_timermgr_t **managerp) {
 }
 
 void
+isc_timermgr_poke(isc_timermgr_t *manager) {
+#ifdef ISC_PLATFORM_USETHREADS
+	REQUIRE(VALID_MANAGER(manager));
+
+	SIGNAL(&manager->wakeup);
+#else
+	UNUSED(manager);
+#endif
+}
+
+void
 isc_timermgr_destroy(isc_timermgr_t **managerp) {
 	isc_timermgr_t *manager;
 	isc_mem_t *mctx;
@@ -839,7 +894,7 @@ isc_timermgr_destroy(isc_timermgr_t **managerp) {
 	isc_heap_destroy(&manager->heap);
 	manager->magic = 0;
 	mctx = manager->mctx;
-	isc_mem_put(mctx, manager, sizeof *manager);
+	isc_mem_put(mctx, manager, sizeof(*manager));
 	isc_mem_detach(&mctx);
 
 	*managerp = NULL;
@@ -854,13 +909,12 @@ isc__timermgr_nextevent(isc_time_t *when) {
 	return (ISC_R_SUCCESS);
 }
 
-isc_result_t
+void
 isc__timermgr_dispatch(void) {
 	isc_time_t now;
 	if (timermgr == NULL)
-		return (ISC_R_NOTFOUND);
-	isc_time_now(&now);
+		return;
+	TIME_NOW(&now);
 	dispatch(timermgr, &now);
-	return (ISC_R_SUCCESS);
 }
 #endif /* ISC_PLATFORM_USETHREADS */
diff --git a/lib/isc/timer_p.h b/lib/isc/timer_p.h
index f9bbd70b..ad7a5d04 100644
--- a/lib/isc/timer_p.h
+++ b/lib/isc/timer_p.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: timer_p.h,v 1.4.2.1 2004/03/09 06:11:53 marka Exp $ */
+/* $Id: timer_p.h,v 1.4.12.3 2004/03/08 09:04:50 marka Exp $ */
 
 #ifndef ISC_TIMER_P_H
 #define ISC_TIMER_P_H
@@ -23,7 +23,7 @@
 isc_result_t
 isc__timermgr_nextevent(isc_time_t *when);
 
-isc_result_t
+void
 isc__timermgr_dispatch(void);
 
 #endif /* ISC_TIMER_P_H */
diff --git a/lib/isc/unix/Makefile.in b/lib/isc/unix/Makefile.in
index cd4fe2ca..63780a72 100644
--- a/lib/isc/unix/Makefile.in
+++ b/lib/isc/unix/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.35.2.3 2004/06/22 02:55:36 marka Exp $
+# $Id: Makefile.in,v 1.35.2.1.10.1 2004/03/06 08:14:57 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -46,6 +46,3 @@ SUBDIRS =	include
 TARGETS =	${OBJS}
 
 @BIND9_MAKE_RULES@
-
-interfaceiter.@O@: interfaceiter.c ifiter_ioctl.c ifiter_sysctl.c
-
diff --git a/lib/isc/unix/app.c b/lib/isc/unix/app.c
index cac6768f..811d67be 100644
--- a/lib/isc/unix/app.c
+++ b/lib/isc/unix/app.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
+ * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: app.c,v 1.43.2.4 2004/03/09 06:12:09 marka Exp $ */
+/* $Id: app.c,v 1.43.2.3.8.5 2004/03/08 02:08:05 marka Exp $ */
 
 #include <config.h>
 
@@ -101,7 +101,7 @@ handle_signal(int sig, void (*handler)(int)) {
 	struct sigaction sa;
 	char strbuf[ISC_STRERRORSIZE];
 
-	memset(&sa, 0, sizeof sa);
+	memset(&sa, 0, sizeof(sa));
 	sa.sa_handler = handler;
 
 	if (sigfillset(&sa.sa_mask) != 0 ||
@@ -274,7 +274,7 @@ isc_app_onrun(isc_mem_t *mctx, isc_task_t *task, isc_taskaction_t action,
 	 */
 	isc_task_attach(task, &cloned_task);
 	event = isc_event_allocate(mctx, cloned_task, ISC_APPEVENT_SHUTDOWN,
-				   action, arg, sizeof *event);
+				   action, arg, sizeof(*event));
 	if (event == NULL) {
 		result = ISC_R_NOMEMORY;
 		goto unlock;
@@ -304,12 +304,14 @@ evloop() {
 		fd_set readfds, writefds;
 		int maxfd;
 		isc_boolean_t readytasks;
+		isc_boolean_t call_timer_dispatch = ISC_FALSE;
 
 		readytasks = isc__taskmgr_ready();
 		if (readytasks) {
 			tv.tv_sec = 0;
 			tv.tv_usec = 0;
 			tvp = &tv;
+			call_timer_dispatch = ISC_TRUE;
 		} else {
 			result = isc__timermgr_nextevent(&when);
 			if (result != ISC_R_SUCCESS)
@@ -317,8 +319,10 @@ evloop() {
 			else {
 				isc_uint64_t us;
 
-				(void)isc_time_now(&now);
+				TIME_NOW(&now);
 				us = isc_time_microdiff(&when, &now);
+				if (us == 0)
+					call_timer_dispatch = ISC_TRUE;
 				tv.tv_sec = us / 1000000;
 				tv.tv_usec = us % 1000000;
 				tvp = &tv;
@@ -328,7 +332,23 @@ evloop() {
 		isc__socketmgr_getfdsets(&readfds, &writefds, &maxfd);
 		n = select(maxfd, &readfds, &writefds, NULL, tvp);
 
-		(void)isc__timermgr_dispatch();
+		if (n == 0 || call_timer_dispatch) {
+			/*
+			 * We call isc__timermgr_dispatch() only when
+			 * necessary, in order to reduce overhead.  If the
+			 * select() call indicates a timeout, we need the
+			 * dispatch.  Even if not, if we set the 0-timeout 
+			 * for the select() call, we need to check the timer
+			 * events.  In the 'readytasks' case, there may be no
+			 * timeout event actually, but there is no other way
+			 * to reduce the overhead.
+			 * Note that we do not have to worry about the case
+			 * where a new timer is inserted during the select()
+			 * call, since this loop only runs in the non-thread
+			 * mode.
+			 */
+			isc__timermgr_dispatch();
+		}
 		if (n > 0)
 			(void)isc__socketmgr_dispatch(&readfds, &writefds,
 						      maxfd);
@@ -367,16 +387,16 @@ static isc_boolean_t signalled = ISC_FALSE;
 isc_result_t
 isc__nothread_wait_hack(isc_condition_t *cp, isc_mutex_t *mp) {
 	isc_result_t result;
-	
+
 	UNUSED(cp);
 	UNUSED(mp);
-	
+
 	INSIST(!in_recursive_evloop);
 	in_recursive_evloop = ISC_TRUE;
 
 	INSIST(*mp == 1); /* Mutex must be locked on entry. */
 	--*mp;
-	
+
 	result = evloop();
 	if (result == ISC_R_RELOAD)
 		want_reload = ISC_TRUE;
@@ -394,7 +414,7 @@ isc_result_t
 isc__nothread_signal_hack(isc_condition_t *cp) {
 
 	UNUSED(cp);
-	
+
 	INSIST(in_recursive_evloop);
 
 	want_shutdown = ISC_TRUE;
@@ -528,9 +548,6 @@ isc_app_run(void) {
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
-	while (isc__taskmgr_ready())
-		(void)isc__taskmgr_dispatch();
-
 #endif /* ISC_PLATFORM_USETHREADS */
 
 	return (ISC_R_SUCCESS);
diff --git a/lib/isc/unix/dir.c b/lib/isc/unix/dir.c
index 7405ca03..85a12173 100644
--- a/lib/isc/unix/dir.c
+++ b/lib/isc/unix/dir.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
+ * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dir.c,v 1.18.2.3 2004/03/09 06:12:09 marka Exp $ */
+/* $Id: dir.c,v 1.18.2.1.2.3 2004/03/08 09:04:55 marka Exp $ */
 
 /* Principal Authors: DCL */
 
@@ -156,34 +156,6 @@ isc_dir_chroot(const char *dirname) {
 }
 
 isc_result_t
-isc_dir_current(char *dirname, size_t length, isc_boolean_t end_sep) {
-	char *cwd;
-	isc_result_t result = ISC_R_SUCCESS;
-
-	/*
-	 * XXXDCL Could automatically allocate memory if dirname == NULL.
-	 */
-	REQUIRE(dirname != NULL);
-	REQUIRE(length > 0U);
-
-	cwd = getcwd(dirname, length);
-
-	if (cwd == NULL) {
-		if (errno == ERANGE)
-			result = ISC_R_NOSPACE;
-		else
-			result = isc__errno2result(errno);
-	} else if (end_sep) {
-		if (strlen(dirname) + 1 == length)
-			result = ISC_R_NOSPACE;
-		else if (dirname[1] != '\0')
-			strcat(dirname, "/");
-	}
-
-	return (result);
-}
-
-isc_result_t
 isc_dir_createunique(char *templet) {
 	isc_result_t result;
 	char *x;
diff --git a/lib/isc/unix/entropy.c b/lib/isc/unix/entropy.c
index a2a9ba90..a2cbb3c6 100644
--- a/lib/isc/unix/entropy.c
+++ b/lib/isc/unix/entropy.c
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2002  Internet Software Consortium.
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: entropy.c,v 1.60.2.8 2006/12/07 23:57:55 marka Exp $ */
+/* $Id: entropy.c,v 1.60.2.3.8.9 2004/03/16 05:02:31 marka Exp $ */
 
 /*
  * This is the system depenedent part of the ISC entropy API.
@@ -26,6 +26,9 @@
 #include <sys/param.h>	/* Openserver 5.0.6A and FD_SETSIZE */
 #include <sys/types.h>
 #include <sys/time.h>
+#include <sys/stat.h>
+#include <sys/socket.h>
+#include <sys/un.h>
 
 #include <unistd.h>
 
@@ -47,6 +50,19 @@
  */
 #define FILESOURCE_HANDLE_TYPE	int
 
+typedef struct {
+	int	handle;
+	enum	{
+		isc_usocketsource_disconnected,
+		isc_usocketsource_connecting,
+		isc_usocketsource_connected,
+		isc_usocketsource_ndesired,
+		isc_usocketsource_wrote,
+		isc_usocketsource_reading
+	} status;
+	size_t	sz_to_recv;
+} isc_entropyusocketsource_t;
+
 #include "../entropy.c"
 
 static unsigned int
@@ -69,20 +85,146 @@ get_from_filesource(isc_entropysource_t *source, isc_uint32_t desired) {
 		if (n < 0) {
 			if (errno == EAGAIN || errno == EINTR)
 				goto out;
-			close(fd);
-			source->bad = ISC_TRUE;
-			goto out;
+			goto err;
 		}
-		if (n == 0) {
-			close(fd);
-			source->bad = ISC_TRUE;
-			goto out;
+		if (n == 0)
+			goto err;
+
+		entropypool_adddata(ent, buf, n, n * 8);
+		added += n * 8;
+		desired -= n;
+	}
+	goto out;
+
+ err:
+	(void)close(fd);
+	source->sources.file.handle = -1;
+	source->bad = ISC_TRUE;
+
+ out:
+	return (added);
+}
+
+static unsigned int
+get_from_usocketsource(isc_entropysource_t *source, isc_uint32_t desired) {
+	isc_entropy_t *ent = source->ent;
+	unsigned char buf[128];
+	int fd = source->sources.usocket.handle;
+	ssize_t n = 0, ndesired;
+	unsigned int added;
+	size_t sz_to_recv = source->sources.usocket.sz_to_recv;
+
+	if (source->bad)
+		return (0);
+
+	desired = desired / 8 + (((desired & 0x07) > 0) ? 1 : 0);
+
+	added = 0;
+	while (desired > 0) {
+		ndesired = ISC_MIN(desired, sizeof(buf));
+ eagain_loop:
+
+		switch ( source->sources.usocket.status ) {
+		case isc_usocketsource_ndesired:
+			buf[0] = ndesired;
+			if ((n = send(fd, buf, 1, 0)) < 0) {
+				if (errno == EWOULDBLOCK || errno == EINTR ||
+				    errno == ECONNRESET)
+					goto out;
+				goto err;
+			}
+			INSIST(n == 1);
+			source->sources.usocket.status =
+						isc_usocketsource_wrote;
+			goto eagain_loop;
+
+		case isc_usocketsource_connecting:
+		case isc_usocketsource_connected:
+			buf[0] = 1;
+			buf[1] = ndesired;
+			if ((n = send(fd, buf, 2, 0)) < 0) {
+				if (errno == EWOULDBLOCK || errno == EINTR ||
+				    errno == ECONNRESET)
+					goto out;
+				goto err;
+			}
+			if (n == 1) {
+				source->sources.usocket.status =
+					isc_usocketsource_ndesired;
+				goto eagain_loop;
+			}	
+			INSIST(n == 2);
+			source->sources.usocket.status =
+						isc_usocketsource_wrote;
+			/*FALLTHROUGH*/
+		
+		case isc_usocketsource_wrote:
+			if (recv(fd, buf, 1, 0) != 1) {
+				if (errno == EAGAIN) {
+					/*
+					 * The problem of EAGAIN (try again
+					 * later) is a major issue on HP-UX.
+					 * Solaris actually tries the recv
+					 * call again, while HP-UX just dies. 
+					 * This code is an attempt to let the
+					 * entropy pool fill back up (at least
+					 * that's what I think the problem is.)
+					 * We go to eagain_loop because if we 
+					 * just "break", then the "desired"
+					 * amount gets borked.
+					 */
+					usleep(1000);
+					goto eagain_loop;
+				}
+				if (errno == EWOULDBLOCK || errno == EINTR)
+					goto out;
+				goto err;
+			}
+			source->sources.usocket.status =
+					isc_usocketsource_reading;
+			sz_to_recv = buf[0];
+			source->sources.usocket.sz_to_recv = sz_to_recv;
+			if (sz_to_recv > sizeof(buf))
+				goto err;
+			/*FALLTHROUGH*/
+
+		case isc_usocketsource_reading:
+			if (sz_to_recv != 0U) {
+				n = recv(fd, buf, sz_to_recv, 0);
+				if (n < 0) {
+					if (errno == EWOULDBLOCK ||
+					    errno == EINTR)
+						goto out;
+					goto err;
+				}
+			} else
+				n = 0;
+			break;
+		
+		default:
+			goto err;
 		}
 
+		if ((size_t)n != sz_to_recv)
+			source->sources.usocket.sz_to_recv -= n;
+		else
+			source->sources.usocket.status =
+				isc_usocketsource_connected;
+
+		if (n == 0)
+			goto out;
+
 		entropypool_adddata(ent, buf, n, n * 8);
 		added += n * 8;
 		desired -= n;
 	}
+	goto out;
+
+ err:
+	close(fd);
+	source->bad = ISC_TRUE;
+	source->sources.usocket.status = isc_usocketsource_disconnected;
+	source->sources.usocket.handle = -1;
 
  out:
 	return (added);
@@ -167,7 +309,7 @@ fillpool(isc_entropy_t *ent, unsigned int desired, isc_boolean_t blocking) {
 	}
 	source = ent->nextsource;
  again_file:
-	for (nsource = 0 ; nsource < ent->nsources ; nsource++) {
+	for (nsource = 0; nsource < ent->nsources; nsource++) {
 		unsigned int got;
 
 		if (remaining == 0)
@@ -175,8 +317,15 @@ fillpool(isc_entropy_t *ent, unsigned int desired, isc_boolean_t blocking) {
 
 		got = 0;
 
-		if (source->type == ENTROPY_SOURCETYPE_FILE)
+		switch ( source->type ) {
+		case ENTROPY_SOURCETYPE_FILE:
 			got = get_from_filesource(source, remaining);
+			break;
+
+		case ENTROPY_SOURCETYPE_USOCKET:
+			got = get_from_usocketsource(source, remaining);
+			break;
+		}
 
 		added += got;
 
@@ -231,9 +380,11 @@ wait_for_sources(isc_entropy_t *ent) {
 	int maxfd, fd;
 	int cc;
 	fd_set reads;
+	fd_set writes;
 
 	maxfd = -1;
 	FD_ZERO(&reads);
+	FD_ZERO(&writes);
 
 	source = ISC_LIST_HEAD(ent->sources);
 	while (source != NULL) {
@@ -244,13 +395,33 @@ wait_for_sources(isc_entropy_t *ent) {
 				FD_SET(fd, &reads);
 			}
 		}
+		if (source->type == ENTROPY_SOURCETYPE_USOCKET) {
+			fd = source->sources.usocket.handle;
+			if (fd >= 0) {
+				switch (source->sources.usocket.status) {
+				case isc_usocketsource_disconnected:
+					break;
+				case isc_usocketsource_connecting:
+				case isc_usocketsource_connected:
+				case isc_usocketsource_ndesired:
+					maxfd = ISC_MAX(maxfd, fd);
+					FD_SET(fd, &writes);
+					break;
+				case isc_usocketsource_wrote:
+				case isc_usocketsource_reading:
+					maxfd = ISC_MAX(maxfd, fd);
+					FD_SET(fd, &reads);
+					break;
+				}
+			}
+		}
 		source = ISC_LIST_NEXT(source, link);
 	}
 
 	if (maxfd < 0)
 		return (-1);
 
-	cc = select(maxfd + 1, &reads, NULL, NULL, NULL);
+	cc = select(maxfd + 1, &reads, &writes, NULL, NULL);
 	if (cc < 0)
 		return (-1);
 
@@ -259,6 +430,11 @@ wait_for_sources(isc_entropy_t *ent) {
 
 static void
 destroyfilesource(isc_entropyfilesource_t *source) {
+	(void)close(source->handle);
+}
+
+static void
+destroyusocketsource(isc_entropyusocketsource_t *source) {
 	close(source->handle);
 }
 
@@ -270,25 +446,16 @@ make_nonblock(int fd) {
 	int ret;
 	int flags;
 	char strbuf[ISC_STRERRORSIZE];
-#ifdef USE_FIONBIO_IOCTL
-	int on = 1;
 
-	ret = ioctl(fd, FIONBIO, (char *)&on);
-#else
 	flags = fcntl(fd, F_GETFL, 0);
-	flags |= PORT_NONBLOCK;
+	flags |= O_NONBLOCK;
 	ret = fcntl(fd, F_SETFL, flags);
-#endif
 
 	if (ret == -1) {
 		isc__strerror(errno, strbuf, sizeof(strbuf));
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
-#ifdef USE_FIONBIO_IOCTL
-				 "ioctl(%d, FIONBIO, &on): %s", fd,
-#else
-				 "fcntl(%d, F_SETFL, %d): %s", fd, flags,
-#endif
-				 strbuf);
+				 "fcntl(%d, F_SETFL, %d): %s",
+				 fd, flags, strbuf);
 
 		return (ISC_R_UNEXPECTED);
 	}
@@ -299,6 +466,9 @@ make_nonblock(int fd) {
 isc_result_t
 isc_entropy_createfilesource(isc_entropy_t *ent, const char *fname) {
 	int fd;
+	struct stat _stat;
+	isc_boolean_t is_usocket = ISC_FALSE;
+	isc_boolean_t is_connected = ISC_FALSE;
 	isc_result_t ret;
 	isc_entropysource_t *source;
 
@@ -309,15 +479,64 @@ isc_entropy_createfilesource(isc_entropy_t *ent, const char *fname) {
 
 	source = NULL;
 
-	fd = open(fname, O_RDONLY | PORT_NONBLOCK, 0);
+	if (stat(fname, &_stat) < 0) {
+		ret = isc__errno2result(errno);
+		goto errout;
+	}
+	/* 
+	 * Solaris 2.5.1 does not have support for sockets (S_IFSOCK),
+	 * but it does return type S_IFIFO (the OS believes that
+	 * the socket is a fifo).  This may be an issue if we tell
+	 * the program to look at an actual FIFO as its source of
+	 * entropy.
+	 */
+#if defined(S_ISSOCK)
+	if (S_ISSOCK(_stat.st_mode))
+		is_usocket = ISC_TRUE;
+#endif
+#if defined(S_ISFIFO)
+	if (S_ISFIFO(_stat.st_mode))
+		is_usocket = ISC_TRUE;
+#endif
+	if (is_usocket)
+		fd = socket(PF_UNIX, SOCK_STREAM, 0);
+	else
+		fd = open(fname, O_RDONLY | O_NONBLOCK, 0);
+
 	if (fd < 0) {
 		ret = isc__errno2result(errno);
 		goto errout;
 	}
+
 	ret = make_nonblock(fd);
 	if (ret != ISC_R_SUCCESS)
 		goto closefd;
 
+	if (is_usocket) {
+		struct sockaddr_un sname;
+
+		memset(&sname, 0, sizeof(sname));
+		sname.sun_family = AF_UNIX;
+		strncpy(sname.sun_path, fname, sizeof(sname.sun_path));
+		sname.sun_path[sizeof(sname.sun_path)-1] = '0';
+#ifdef ISC_PLATFORM_HAVESALEN
+#if !defined(SUN_LEN)
+#define SUN_LEN(su) \
+	(sizeof(*(su)) - sizeof((su)->sun_path) + strlen((su)->sun_path))
+#endif
+		sname.sun_len = SUN_LEN(&sname);
+#endif
+
+		if (connect(fd, (struct sockaddr *) &sname,
+			    sizeof(struct sockaddr_un)) < 0) {
+			if (errno != EINPROGRESS) {
+				ret = isc__errno2result(errno);
+				goto closefd;
+			}
+		} else
+			is_connected = ISC_TRUE;
+	}
+
 	source = isc_mem_get(ent->mctx, sizeof(isc_entropysource_t));
 	if (source == NULL) {
 		ret = ISC_R_NOMEMORY;
@@ -328,13 +547,25 @@ isc_entropy_createfilesource(isc_entropy_t *ent, const char *fname) {
 	 * From here down, no failures can occur.
 	 */
 	source->magic = SOURCE_MAGIC;
-	source->type = ENTROPY_SOURCETYPE_FILE;
 	source->ent = ent;
 	source->total = 0;
 	source->bad = ISC_FALSE;
 	memset(source->name, 0, sizeof(source->name));
 	ISC_LINK_INIT(source, link);
-	source->sources.file.handle = fd;
+	if (is_usocket) {
+		source->sources.usocket.handle = fd;
+		if (is_connected)
+			source->sources.usocket.status =
+					isc_usocketsource_connected;
+		else
+			source->sources.usocket.status =
+					isc_usocketsource_connecting;
+		source->sources.usocket.sz_to_recv = 0;
+		source->type = ENTROPY_SOURCETYPE_USOCKET;
+	} else {
+		source->sources.file.handle = fd;
+		source->type = ENTROPY_SOURCETYPE_FILE;
+	}
 
 	/*
 	 * Hook it into the entropy system.
@@ -346,9 +577,12 @@ isc_entropy_createfilesource(isc_entropy_t *ent, const char *fname) {
 	return (ISC_R_SUCCESS);
 
  closefd:
-	close(fd);
+	(void)close(fd);
 
  errout:
+	if (source != NULL)
+		isc_mem_put(ent->mctx, source, sizeof(isc_entropysource_t));
+
 	UNLOCK(&ent->lock);
 
 	return (ret);
diff --git a/lib/isc/unix/errno2result.c b/lib/isc/unix/errno2result.c
index 9b1eb88d..66a4e916 100644
--- a/lib/isc/unix/errno2result.c
+++ b/lib/isc/unix/errno2result.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: errno2result.c,v 1.8.2.5 2004/03/09 06:12:09 marka Exp $ */
+/* $Id: errno2result.c,v 1.8.2.4.8.1 2004/03/06 08:14:59 marka Exp $ */
 
 #include <config.h>
 
diff --git a/lib/isc/unix/errno2result.h b/lib/isc/unix/errno2result.h
index 99d1bda6..9a8d07c6 100644
--- a/lib/isc/unix/errno2result.h
+++ b/lib/isc/unix/errno2result.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: errno2result.h,v 1.7.2.1 2004/03/09 06:12:09 marka Exp $ */
+/* $Id: errno2result.h,v 1.7.206.1 2004/03/06 08:14:59 marka Exp $ */
 
 #ifndef UNIX_ERRNO2RESULT_H
 #define UNIX_ERRNO2RESULT_H 1
diff --git a/lib/isc/unix/file.c b/lib/isc/unix/file.c
index ad1f55be..7ed6272e 100644
--- a/lib/isc/unix/file.c
+++ b/lib/isc/unix/file.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) 2000-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,21 +15,57 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: file.c,v 1.38.2.1 2004/03/09 06:12:09 marka Exp $ */
+/*
+ * Portions Copyright (c) 1987, 1993
+ *      The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the University of
+ *      California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: file.c,v 1.38.12.8 2004/03/16 05:50:25 marka Exp $ */
 
 #include <config.h>
 
 #include <errno.h>
+#include <fcntl.h>
 #include <limits.h>
 #include <stdlib.h>
 #include <time.h>		/* Required for utimes on some platforms. */
 #include <unistd.h>		/* Required for mkstemp on NetBSD. */
 
+
 #include <sys/stat.h>
 #include <sys/time.h>
 
 #include <isc/dir.h>
 #include <isc/file.h>
+#include <isc/random.h>
 #include <isc/string.h>
 #include <isc/time.h>
 #include <isc/util.h>
@@ -115,7 +151,6 @@ isc_file_settime(const char *file, isc_time_t *time) {
 		return (isc__errno2result(errno));
 
 	return (ISC_R_SUCCESS);
-
 }
 
 #undef TEMPLATE
@@ -158,57 +193,102 @@ isc_file_template(const char *path, const char *templet, char *buf,
 	return (ISC_R_SUCCESS);
 }
 
+static char alphnum[] =
+	"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
+
 isc_result_t
 isc_file_renameunique(const char *file, char *templet) {
-	int fd = -1;
-	int res = 0;
-	isc_result_t result = ISC_R_SUCCESS;
+	char *x;
+	char *cp;
+	isc_uint32_t which;
 
 	REQUIRE(file != NULL);
 	REQUIRE(templet != NULL);
 
-	fd = mkstemp(templet);
-	if (fd == -1) {
-		result = isc__errno2result(errno);
+	cp = templet;
+	while (*cp != '\0')
+		cp++;
+	if (cp == templet)
+		return (ISC_R_FAILURE);
+
+	x = cp--;
+	while (cp >= templet && *cp == 'X') {
+		isc_random_get(&which);
+		*cp = alphnum[which % (sizeof(alphnum) - 1)];
+		x = cp--;
 	}
-	if (result == ISC_R_SUCCESS) {
-		res = rename(file, templet);
-		if (res != 0) {
-			result = isc__errno2result(errno);
-			(void)unlink(templet);
+	while (link(file, templet) == -1) {
+		if (errno != EEXIST)
+			return (isc__errno2result(errno));
+		for (cp = x;;) {
+			char *t;
+			if (*cp == '\0')
+				return (ISC_R_FAILURE);
+			t = strchr(alphnum, *cp);
+			if (t == NULL || *++t == '\0')
+				*cp++ = alphnum[0];
+			else {
+				*cp = *t;
+				break;
+			}
 		}
 	}
-	if (fd != -1)
-		close(fd);
-	return (result);
+	(void)unlink(file);
+	return (ISC_R_SUCCESS);
 }
 
+
 isc_result_t
 isc_file_openunique(char *templet, FILE **fp) {
 	int fd;
 	FILE *f;
 	isc_result_t result = ISC_R_SUCCESS;
+	char *x;
+	char *cp;
+	isc_uint32_t which;
+	int mode;
 
 	REQUIRE(templet != NULL);
 	REQUIRE(fp != NULL && *fp == NULL);
 
-	/*
-	 * Win32 does not have mkstemp.
-	 */
-	fd = mkstemp(templet);
-
-	if (fd == -1)
-		result = isc__errno2result(errno);
-	if (result == ISC_R_SUCCESS) {
-		f = fdopen(fd, "w+");
-		if (f == NULL) {
-			result = isc__errno2result(errno);
-			(void)remove(templet);
-			(void)close(fd);
+	cp = templet;
+	while (*cp != '\0')
+		cp++;
+	if (cp == templet)
+		return (ISC_R_FAILURE);
+
+	x = cp--;
+	while (cp >= templet && *cp == 'X') {
+		isc_random_get(&which);
+		*cp = alphnum[which % (sizeof(alphnum) - 1)];
+		x = cp--;
+	}
 
-		} else
-			*fp = f;
+	mode = S_IWUSR|S_IRUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH;
+
+	while ((fd = open(templet, O_RDWR|O_CREAT|O_EXCL, mode)) == -1) {
+		if (errno != EEXIST)
+			return (isc__errno2result(errno));
+		for (cp = x;;) {
+			char *t;
+			if (*cp == '\0')
+				return (ISC_R_FAILURE);
+			t = strchr(alphnum, *cp);
+			if (t == NULL || *++t == '\0')
+				*cp++ = alphnum[0];
+			else {
+				*cp = *t;
+				break;
+			}
+		}
 	}
+	f = fdopen(fd, "w+");
+	if (f == NULL) {
+		result = isc__errno2result(errno);
+		(void)remove(templet);
+		(void)close(fd);
+	} else
+		*fp = f;
 
 	return (result);
 }
@@ -302,10 +382,41 @@ isc_file_progname(const char *filename, char *buf, size_t buflen) {
 	return (ISC_R_SUCCESS);
 }
 
+/*
+ * Put the absolute name of the current directory into 'dirname', which is
+ * a buffer of at least 'length' characters.  End the string with the 
+ * appropriate path separator, such that the final product could be
+ * concatenated with a relative pathname to make a valid pathname string.
+ */
+static isc_result_t
+dir_current(char *dirname, size_t length) {
+	char *cwd;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(dirname != NULL);
+	REQUIRE(length > 0U);
+
+	cwd = getcwd(dirname, length);
+
+	if (cwd == NULL) {
+		if (errno == ERANGE)
+			result = ISC_R_NOSPACE;
+		else
+			result = isc__errno2result(errno);
+	} else {
+		if (strlen(dirname) + 1 == length)
+			result = ISC_R_NOSPACE;
+		else if (dirname[1] != '\0')
+			strcat(dirname, "/");
+	}
+
+	return (result);
+}
+
 isc_result_t
 isc_file_absolutepath(const char *filename, char *path, size_t pathlen) {
 	isc_result_t result;
-	result = isc_dir_current(path, pathlen, ISC_TRUE);
+	result = dir_current(path, pathlen);
 	if (result != ISC_R_SUCCESS)
 		return (result);
 	if (strlen(path) + strlen(filename) + 1 > pathlen)
@@ -313,3 +424,12 @@ isc_file_absolutepath(const char *filename, char *path, size_t pathlen) {
 	strcat(path, filename);
 	return (ISC_R_SUCCESS);
 }
+
+isc_result_t
+isc_file_truncate(const char *filename, isc_offset_t size) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+	if (truncate(filename, size) < 0) 
+		result = isc__errno2result(errno);
+	return (result);
+}
diff --git a/lib/isc/unix/fsaccess.c b/lib/isc/unix/fsaccess.c
index 6092a532..5fa4fb47 100644
--- a/lib/isc/unix/fsaccess.c
+++ b/lib/isc/unix/fsaccess.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,9 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: fsaccess.c,v 1.6.2.3 2006/08/25 05:25:49 marka Exp $ */
-
-#include <config.h>
+/* $Id: fsaccess.c,v 1.6.206.1 2004/03/06 08:14:59 marka Exp $ */
 
 #include <sys/types.h>
 #include <sys/stat.h>
diff --git a/lib/isc/unix/ifiter_getifaddrs.c b/lib/isc/unix/ifiter_getifaddrs.c
new file mode 100644
index 00000000..ad6e1e0b
--- /dev/null
+++ b/lib/isc/unix/ifiter_getifaddrs.c
@@ -0,0 +1,178 @@
+/*
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2003  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: ifiter_getifaddrs.c,v 1.2.68.3 2004/03/06 08:14:59 marka Exp $ */
+
+/*
+ * Obtain the list of network interfaces using the getifaddrs(3) library.
+ */
+
+#include <ifaddrs.h>
+
+#define IFITER_MAGIC		ISC_MAGIC('I', 'F', 'I', 'G')
+#define VALID_IFITER(t)		ISC_MAGIC_VALID(t, IFITER_MAGIC)
+
+struct isc_interfaceiter {
+	unsigned int		magic;		/* Magic number. */
+	isc_mem_t		*mctx;
+	void			*buf;		/* (unused) */
+	unsigned int		bufsize;	/* (always 0) */
+	struct ifaddrs		*ifaddrs;	/* List of ifaddrs */
+	struct ifaddrs		*pos;		/* Ptr to current ifaddr */
+	isc_interface_t		current;	/* Current interface data. */
+	isc_result_t		result;		/* Last result code. */
+};
+
+isc_result_t
+isc_interfaceiter_create(isc_mem_t *mctx, isc_interfaceiter_t **iterp) {
+	isc_interfaceiter_t *iter;
+	isc_result_t result;
+	char strbuf[ISC_STRERRORSIZE];
+
+	REQUIRE(mctx != NULL);
+	REQUIRE(iterp != NULL);
+	REQUIRE(*iterp == NULL);
+
+	iter = isc_mem_get(mctx, sizeof(*iter));
+	if (iter == NULL)
+		return (ISC_R_NOMEMORY);
+
+	iter->mctx = mctx;
+	iter->buf = NULL;
+	iter->bufsize = 0;
+	iter->ifaddrs = NULL;
+
+	if (getifaddrs(&iter->ifaddrs) < 0) {
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 isc_msgcat_get(isc_msgcat,
+						ISC_MSGSET_IFITERGETIFADDRS,
+						ISC_MSG_GETIFADDRS,
+						"getting interface "
+						"addresses: getifaddrs: %s"),
+				 strbuf);
+		result = ISC_R_UNEXPECTED;
+		goto failure;
+	}
+
+	/*
+	 * A newly created iterator has an undefined position
+	 * until isc_interfaceiter_first() is called.
+	 */
+	iter->pos = NULL;
+	iter->result = ISC_R_FAILURE;
+
+	iter->magic = IFITER_MAGIC;
+	*iterp = iter;
+	return (ISC_R_SUCCESS);
+
+ failure:
+	if (iter->ifaddrs != NULL) /* just in case */
+		freeifaddrs(iter->ifaddrs);
+	isc_mem_put(mctx, iter, sizeof(*iter));
+	return (result);
+}
+
+/*
+ * Get information about the current interface to iter->current.
+ * If successful, return ISC_R_SUCCESS.
+ * If the interface has an unsupported address family,
+ * return ISC_R_IGNORE.
+ */
+
+static isc_result_t
+internal_current(isc_interfaceiter_t *iter) {
+	struct ifaddrs *ifa;
+	int family;
+	unsigned int namelen;
+
+	REQUIRE(VALID_IFITER(iter));
+
+	ifa = iter->pos;
+
+	INSIST(ifa != NULL);
+	INSIST(ifa->ifa_name != NULL);
+	INSIST(ifa->ifa_addr != NULL);
+
+	family = ifa->ifa_addr->sa_family;
+	if (family != AF_INET && family != AF_INET6)
+		return (ISC_R_IGNORE);
+
+	memset(&iter->current, 0, sizeof(iter->current));
+
+	namelen = strlen(ifa->ifa_name);
+	if (namelen > sizeof(iter->current.name) - 1)
+		namelen = sizeof(iter->current.name) - 1;
+
+	memset(iter->current.name, 0, sizeof(iter->current.name));
+	memcpy(iter->current.name, ifa->ifa_name, namelen);
+
+	iter->current.flags = 0;
+
+	if ((ifa->ifa_flags & IFF_UP) != 0)
+		iter->current.flags |= INTERFACE_F_UP;
+
+	if ((ifa->ifa_flags & IFF_POINTOPOINT) != 0)
+		iter->current.flags |= INTERFACE_F_POINTTOPOINT;
+
+	if ((ifa->ifa_flags & IFF_LOOPBACK) != 0)
+		iter->current.flags |= INTERFACE_F_LOOPBACK;
+
+	iter->current.af = family;
+
+	get_addr(family, &iter->current.address, ifa->ifa_addr, ifa->ifa_name);
+
+	if (ifa->ifa_netmask != NULL)
+		get_addr(family, &iter->current.netmask, ifa->ifa_netmask,
+			 ifa->ifa_name);
+
+	if (ifa->ifa_dstaddr != NULL &&
+	    (iter->current.flags & IFF_POINTOPOINT) != 0)
+		get_addr(family, &iter->current.dstaddress, ifa->ifa_dstaddr,
+			 ifa->ifa_name);
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Step the iterator to the next interface.  Unlike
+ * isc_interfaceiter_next(), this may leave the iterator
+ * positioned on an interface that will ultimately
+ * be ignored.  Return ISC_R_NOMORE if there are no more
+ * interfaces, otherwise ISC_R_SUCCESS.
+ */
+static isc_result_t
+internal_next(isc_interfaceiter_t *iter) {
+	iter->pos = iter->pos->ifa_next;
+
+	if (iter->pos == NULL)
+		return (ISC_R_NOMORE);
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+internal_destroy(isc_interfaceiter_t *iter) {
+	if (iter->ifaddrs)
+		freeifaddrs(iter->ifaddrs);
+	iter->ifaddrs = NULL;
+}
+
+static
+void internal_first(isc_interfaceiter_t *iter) {
+	iter->pos = iter->ifaddrs;
+}
diff --git a/lib/isc/unix/ifiter_ioctl.c b/lib/isc/unix/ifiter_ioctl.c
index 76f6250e..641b4565 100644
--- a/lib/isc/unix/ifiter_ioctl.c
+++ b/lib/isc/unix/ifiter_ioctl.c
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,70 +15,83 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ifiter_ioctl.c,v 1.19.2.9 2006/02/06 06:23:48 marka Exp $ */
+/* $Id: ifiter_ioctl.c,v 1.19.2.5.2.9 2004/03/08 09:04:56 marka Exp $ */
 
 /*
  * Obtain the list of network interfaces using the SIOCGLIFCONF ioctl.
  * See netintro(4).
  */
-#ifdef __hpux
-#undef SIOCGLIFCONF
-#undef lifc_len
-#undef lifc_buf
-#undef lifc_req
-#undef lifconf
-#undef SIOCGLIFADDR
-#undef SIOCGLIFFLAGS
-#undef SIOCGLIFDSTADDR
-#undef SIOCGLIFNETMASK
-#undef lifr_addr
-#undef lifr_name
-#undef lifr_dstaddr
-#undef lifr_flags
-#undef ss_family
-#undef lifreq
-#endif
-
-#ifndef SIOCGLIFCONF
-#define SIOCGLIFCONF SIOCGIFCONF
-#define lifc_len ifc_len
-#define lifc_buf ifc_buf
-#define lifc_req ifc_req
-#define lifconf ifconf
+
+#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR)
+#ifdef ISC_PLATFORM_HAVEIF_LADDRCONF
+#define lifc_len iflc_len
+#define lifc_buf iflc_buf
+#define lifc_req iflc_req
+#define LIFCONF if_laddrconf
 #else
 #define ISC_HAVE_LIFC_FAMILY 1
 #define ISC_HAVE_LIFC_FLAGS 1
+#define LIFCONF lifconf
 #endif
-#ifndef SIOCGLIFADDR
-#define SIOCGLIFADDR SIOCGIFADDR
-#define SIOCGLIFFLAGS SIOCGIFFLAGS
-#define SIOCGLIFDSTADDR SIOCGIFDSTADDR
-#define SIOCGLIFNETMASK SIOCGIFNETMASK
-#define lifr_addr ifr_addr
-#define lifr_name ifr_name
-#define	lifr_dstaddr ifr_dstaddr
-#define lifr_flags ifr_flags
+
+#ifdef ISC_PLATFORM_HAVEIF_LADDRREQ
+#define lifr_addr iflr_addr
+#define lifr_name iflr_name
+#define lifr_dstaddr iflr_dstaddr
+#define lifr_flags iflr_flags
 #define ss_family sa_family
-#define lifreq ifreq
+#define LIFREQ if_laddrreq
+#else
+#define LIFREQ lifreq
+#endif
 #endif
-
 
 #define IFITER_MAGIC		ISC_MAGIC('I', 'F', 'I', 'T')
 #define VALID_IFITER(t)		ISC_MAGIC_VALID(t, IFITER_MAGIC)
 
+#define ISC_IF_INET6_SZ \
+	 sizeof("00000000000000000000000000000001 01 80 10 80       lo\n")
+
 struct isc_interfaceiter {
 	unsigned int		magic;		/* Magic number. */
 	isc_mem_t		*mctx;
+	int			mode;
 	int			socket;
-	struct lifconf 		ifc;
+	struct ifconf 		ifc;
 	void			*buf;		/* Buffer for sysctl data. */
 	unsigned int		bufsize;	/* Bytes allocated. */
 	unsigned int		pos;		/* Current offset in
+						   SIOCGIFCONF data */
+#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR)
+	int			socket6;
+	struct LIFCONF 		lifc;
+	void			*buf6;		/* Buffer for sysctl data. */
+	unsigned int		bufsize6;	/* Bytes allocated. */
+	unsigned int		pos6;		/* Current offset in
 						   SIOCGLIFCONF data */
+	isc_result_t		result6;	/* Last result code. */
+	isc_boolean_t		first6;
+#endif
+#ifdef HAVE_TRUCLUSTER
+	int			clua_context;	/* Cluster alias context */
+	isc_boolean_t		clua_done;
+	struct sockaddr		clua_sa;
+#endif
+#ifdef	__linux
+	FILE *			proc;
+	char			entry[ISC_IF_INET6_SZ];
+	isc_result_t		valid;
+	isc_boolean_t		first;
+#endif
 	isc_interface_t		current;	/* Current interface data. */
 	isc_result_t		result;		/* Last result code. */
 };
 
+#ifdef HAVE_TRUCLUSTER
+#include <clua/clua.h>
+#include <sys/socket.h>
+#endif
+
 
 /*
  * Size of buffer for SIOCGLIFCONF, in bytes.  We assume no sane system
@@ -87,68 +100,127 @@ struct isc_interfaceiter {
 #define IFCONF_BUFSIZE_INITIAL	4096
 #define IFCONF_BUFSIZE_MAX	1048576
 
-isc_result_t
-isc_interfaceiter_create(isc_mem_t *mctx, isc_interfaceiter_t **iterp) {
-	isc_interfaceiter_t *iter;
-	isc_result_t result;
+static isc_result_t
+getbuf4(isc_interfaceiter_t *iter) {
 	char strbuf[ISC_STRERRORSIZE];
 
-	REQUIRE(mctx != NULL);
-	REQUIRE(iterp != NULL);
-	REQUIRE(*iterp == NULL);
+	iter->bufsize = IFCONF_BUFSIZE_INITIAL;
 
-	iter = isc_mem_get(mctx, sizeof(*iter));
-	if (iter == NULL)
-		return (ISC_R_NOMEMORY);
+	for (;;) {
+		iter->buf = isc_mem_get(iter->mctx, iter->bufsize);
+		if (iter->buf == NULL)
+			return (ISC_R_NOMEMORY);
 
-	iter->mctx = mctx;
-	iter->buf = NULL;
+		memset(&iter->ifc.ifc_len, 0, sizeof(iter->ifc.ifc_len));
+		iter->ifc.ifc_len = iter->bufsize;
+		iter->ifc.ifc_buf = iter->buf;
+		/*
+		 * Ignore the HP/UX warning about "interger overflow during
+		 * conversion".  It comes from its own macro definition,
+		 * and is really hard to shut up.
+		 */
+		if (ioctl(iter->socket, SIOCGIFCONF, (char *)&iter->ifc)
+		    == -1) {
+			if (errno != EINVAL) {
+				isc__strerror(errno, strbuf, sizeof(strbuf));
+				UNEXPECTED_ERROR(__FILE__, __LINE__,
+						 isc_msgcat_get(isc_msgcat,
+							ISC_MSGSET_IFITERIOCTL,
+							ISC_MSG_GETIFCONFIG,
+							"get interface "
+							"configuration: %s"),
+						 strbuf);
+				goto unexpected;
+			}
+			/*
+			 * EINVAL.  Retry with a bigger buffer.
+			 */
+		} else {
+			/*
+			 * The ioctl succeeded.
+			 * Some OS's just return what will fit rather
+			 * than set EINVAL if the buffer is too small
+			 * to fit all the interfaces in.  If
+			 * ifc.lifc_len is too near to the end of the
+			 * buffer we will grow it just in case and
+			 * retry.
+			 */
+			if (iter->ifc.ifc_len + 2 * sizeof(struct ifreq)
+			    < iter->bufsize)
+				break;
+		}
+		if (iter->bufsize >= IFCONF_BUFSIZE_MAX) {
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 isc_msgcat_get(isc_msgcat,
+							ISC_MSGSET_IFITERIOCTL,
+							ISC_MSG_BUFFERMAX,
+							"get interface "
+							"configuration: "
+							"maximum buffer "
+							"size exceeded"));
+			goto unexpected;
+		}
+		isc_mem_put(iter->mctx, iter->buf, iter->bufsize);
 
-	/*
-	 * Create an unbound datagram socket to do the SIOCGLIFADDR ioctl on.
-	 */
-	if ((iter->socket = socket(AF_INET, SOCK_DGRAM, 0)) < 0) {
-		isc__strerror(errno, strbuf, sizeof(strbuf));
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 isc_msgcat_get(isc_msgcat,
-						ISC_MSGSET_IFITERIOCTL,
-						ISC_MSG_MAKESCANSOCKET,
-						"making interface "
-						"scan socket: %s"),
-				 strbuf);
-		result = ISC_R_UNEXPECTED;
-		goto socket_failure;
+		iter->bufsize *= 2;
 	}
+	return (ISC_R_SUCCESS);
 
-	/*
-	 * Get the interface configuration, allocating more memory if
-	 * necessary.
-	 */
-	iter->bufsize = IFCONF_BUFSIZE_INITIAL;
+ unexpected:
+	isc_mem_put(iter->mctx, iter->buf, iter->bufsize);
+	iter->buf = NULL;
+	return (ISC_R_UNEXPECTED);
+}
+
+#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR)
+static isc_result_t
+getbuf6(isc_interfaceiter_t *iter) {
+	char strbuf[ISC_STRERRORSIZE];
+	isc_result_t result;
+
+	iter->bufsize6 = IFCONF_BUFSIZE_INITIAL;
 
 	for (;;) {
-		iter->buf = isc_mem_get(mctx, iter->bufsize);
-		if (iter->buf == NULL) {
-			result = ISC_R_NOMEMORY;
-			goto alloc_failure;
-		}
+		iter->buf6 = isc_mem_get(iter->mctx, iter->bufsize6);
+		if (iter->buf6 == NULL)
+			return (ISC_R_NOMEMORY);
 
-		memset(&iter->ifc, 0, sizeof(iter->ifc));
+		memset(&iter->lifc, 0, sizeof(iter->lifc));
 #ifdef ISC_HAVE_LIFC_FAMILY
-		iter->ifc.lifc_family = AF_UNSPEC;
+		iter->lifc.lifc_family = AF_INET6;
 #endif
 #ifdef ISC_HAVE_LIFC_FLAGS
-		iter->ifc.lifc_flags = 0;
+		iter->lifc.lifc_flags = 0;
 #endif
-		iter->ifc.lifc_len = iter->bufsize;
-		iter->ifc.lifc_buf = iter->buf;
+		iter->lifc.lifc_len = iter->bufsize6;
+		iter->lifc.lifc_buf = iter->buf6;
 		/*
 		 * Ignore the HP/UX warning about "interger overflow during
 		 * conversion".  It comes from its own macro definition,
 		 * and is really hard to shut up.
 		 */
-		if (ioctl(iter->socket, SIOCGLIFCONF, (char *)&iter->ifc)
+		if (ioctl(iter->socket6, SIOCGLIFCONF, (char *)&iter->lifc)
 		    == -1) {
+#ifdef __hpux
+			/*
+			 * IPv6 interface scanning is not available on all
+			 * kernels w/ IPv6 sockets.
+			 */
+			if (errno == ENOENT) {
+				isc__strerror(errno, strbuf, sizeof(strbuf));
+				isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+					      ISC_LOGMODULE_INTERFACE,
+					      ISC_LOG_DEBUG(1),
+					      isc_msgcat_get(isc_msgcat,
+							ISC_MSGSET_IFITERIOCTL,
+							ISC_MSG_GETIFCONFIG,
+							"get interface "
+							"configuration: %s"),
+					       strbuf);
+				result = ISC_R_FAILURE;
+				goto cleanup;
+			}
+#endif
 			if (errno != EINVAL) {
 				isc__strerror(errno, strbuf, sizeof(strbuf));
 				UNEXPECTED_ERROR(__FILE__, __LINE__,
@@ -159,7 +231,7 @@ isc_interfaceiter_create(isc_mem_t *mctx, isc_interfaceiter_t **iterp) {
 							"configuration: %s"),
 						 strbuf);
 				result = ISC_R_UNEXPECTED;
-				goto ioctl_failure;
+				goto cleanup;
 			}
 			/*
 			 * EINVAL.  Retry with a bigger buffer.
@@ -170,15 +242,15 @@ isc_interfaceiter_create(isc_mem_t *mctx, isc_interfaceiter_t **iterp) {
 			 * Some OS's just return what will fit rather
 			 * than set EINVAL if the buffer is too small
 			 * to fit all the interfaces in.  If
-			 * ifc.lifc_len is too near to the end of the
+			 * ifc.ifc_len is too near to the end of the
 			 * buffer we will grow it just in case and
 			 * retry.
 			 */
-			if (iter->ifc.lifc_len + 2 * sizeof(struct lifreq)
-			    < iter->bufsize)
+			if (iter->lifc.lifc_len + 2 * sizeof(struct LIFREQ)
+			    < iter->bufsize6)
 				break;
 		}
-		if (iter->bufsize >= IFCONF_BUFSIZE_MAX) {
+		if (iter->bufsize6 >= IFCONF_BUFSIZE_MAX) {
 			UNEXPECTED_ERROR(__FILE__, __LINE__,
 					 isc_msgcat_get(isc_msgcat,
 							ISC_MSGSET_IFITERIOCTL,
@@ -188,18 +260,109 @@ isc_interfaceiter_create(isc_mem_t *mctx, isc_interfaceiter_t **iterp) {
 							"maximum buffer "
 							"size exceeded"));
 			result = ISC_R_UNEXPECTED;
-			goto ioctl_failure;
+			goto cleanup;
 		}
-		isc_mem_put(mctx, iter->buf, iter->bufsize);
+		isc_mem_put(iter->mctx, iter->buf6, iter->bufsize6);
 
-		iter->bufsize *= 2;
+		iter->bufsize6 *= 2;
+	}
+
+	iter->mode = 6;
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	isc_mem_put(iter->mctx, iter->buf6, iter->bufsize6);
+	iter->buf6 = NULL;
+	return (result);
+}
+#endif
+
+isc_result_t
+isc_interfaceiter_create(isc_mem_t *mctx, isc_interfaceiter_t **iterp) {
+	isc_interfaceiter_t *iter;
+	isc_result_t result;
+	char strbuf[ISC_STRERRORSIZE];
+
+	REQUIRE(mctx != NULL);
+	REQUIRE(iterp != NULL);
+	REQUIRE(*iterp == NULL);
+
+	iter = isc_mem_get(mctx, sizeof(*iter));
+	if (iter == NULL)
+		return (ISC_R_NOMEMORY);
+
+	iter->mctx = mctx;
+	iter->mode = 4;
+	iter->buf = NULL;
+	iter->pos = (unsigned int) -1;
+#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR)
+	iter->buf6 = NULL;
+	iter->pos6 = (unsigned int) -1;
+	iter->result6 = ISC_R_NOMORE;
+	iter->socket6 = -1;
+	iter->first6 = ISC_FALSE;
+#endif
+
+	/*
+	 * Get the interface configuration, allocating more memory if
+	 * necessary.
+	 */
+
+#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR)
+	result = isc_net_probeipv6();
+	if (result == ISC_R_SUCCESS) {
+		/*
+		 * Create an unbound datagram socket to do the SIOCGLIFCONF
+		 * ioctl on.  HP/UX requires an AF_INET6 socket for
+		 * SIOCGLIFCONF to get IPv6 addresses.
+		 */
+		if ((iter->socket6 = socket(AF_INET6, SOCK_DGRAM, 0)) < 0) {
+			isc__strerror(errno, strbuf, sizeof(strbuf));
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 isc_msgcat_get(isc_msgcat,
+							ISC_MSGSET_IFITERIOCTL,
+							ISC_MSG_MAKESCANSOCKET,
+							"making interface "
+							"scan socket: %s"),
+					 strbuf);
+			result = ISC_R_UNEXPECTED;
+			goto socket6_failure;
+		}
+		iter->result6 = getbuf6(iter);
+		if (iter->result6 != ISC_R_NOTIMPLEMENTED &&
+		    iter->result6 != ISC_R_SUCCESS)
+			goto ioctl6_failure;
 	}
+#endif
+	if ((iter->socket = socket(AF_INET, SOCK_DGRAM, 0)) < 0) {
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 isc_msgcat_get(isc_msgcat,
+						ISC_MSGSET_IFITERIOCTL,
+						ISC_MSG_MAKESCANSOCKET,
+						"making interface "
+						"scan socket: %s"),
+				 strbuf);
+		result = ISC_R_UNEXPECTED;
+		goto socket_failure;
+	}
+	result = getbuf4(iter);
+	if (result != ISC_R_SUCCESS)
+		goto ioctl_failure;
 
 	/*
 	 * A newly created iterator has an undefined position
 	 * until isc_interfaceiter_first() is called.
 	 */
-	iter->pos = (unsigned int) -1;
+#ifdef HAVE_TRUCLUSTER
+	iter->clua_context = -1;
+	iter->clua_done = ISC_TRUE;
+#endif
+#ifdef __linux
+	iter->proc = fopen("/proc/net/if_inet6", "r");
+	iter->valid = ISC_R_FAILURE;
+	iter->first = ISC_FALSE;
+#endif
 	iter->result = ISC_R_FAILURE;
 
 	iter->magic = IFITER_MAGIC;
@@ -207,16 +370,117 @@ isc_interfaceiter_create(isc_mem_t *mctx, isc_interfaceiter_t **iterp) {
 	return (ISC_R_SUCCESS);
 
  ioctl_failure:
-	isc_mem_put(mctx, iter->buf, iter->bufsize);
-
- alloc_failure:
+	if (iter->buf != NULL)
+		isc_mem_put(mctx, iter->buf, iter->bufsize);
 	(void) close(iter->socket);
 
  socket_failure:
-	isc_mem_put(mctx, iter, sizeof *iter);
+#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR)
+	if (iter->buf6 != NULL)
+		isc_mem_put(mctx, iter->buf6, iter->bufsize6);
+  ioctl6_failure:
+	if (iter->socket6 != -1)
+		(void) close(iter->socket6);
+  socket6_failure:
+#endif
+ 
+	isc_mem_put(mctx, iter, sizeof(*iter));
 	return (result);
 }
 
+#ifdef HAVE_TRUCLUSTER
+static void
+get_inaddr(isc_netaddr_t *dst, struct in_addr *src) {
+	dst->family = AF_INET;
+	memcpy(&dst->type.in, src, sizeof(struct in_addr));
+}
+
+static isc_result_t
+internal_current_clusteralias(isc_interfaceiter_t *iter) {
+	struct clua_info ci;
+	if (clua_getaliasinfo(&iter->clua_sa, &ci) != CLUA_SUCCESS)
+		return (ISC_R_IGNORE);
+	memset(&iter->current, 0, sizeof(iter->current));
+	iter->current.af = iter->clua_sa.sa_family;
+	memset(iter->current.name, 0, sizeof(iter->current.name));
+	sprintf(iter->current.name, "clua%d", ci.aliasid);
+	iter->current.flags = INTERFACE_F_UP;
+	get_inaddr(&iter->current.address, &ci.addr);
+	get_inaddr(&iter->current.netmask, &ci.netmask);
+	return (ISC_R_SUCCESS);
+}
+#endif
+
+#ifdef __linux
+static isc_result_t
+linux_if_inet6_next(isc_interfaceiter_t *iter) {
+	if (iter->proc != NULL &&
+	    fgets(iter->entry, sizeof(iter->entry), iter->proc) != NULL)
+		iter->valid = ISC_R_SUCCESS;
+	else
+		iter->valid = ISC_R_NOMORE;
+	return (iter->valid);
+}
+
+static void
+linux_if_inet6_first(isc_interfaceiter_t *iter) {
+	if (iter->proc != NULL) {
+		rewind(iter->proc);
+		(void)linux_if_inet6_next(iter);
+	} else
+		iter->valid = ISC_R_NOMORE;
+	iter->first = ISC_FALSE;
+}
+
+static isc_result_t
+linux_if_inet6_current(isc_interfaceiter_t *iter) {
+	char address[33];
+	char name[IF_NAMESIZE+1];
+	struct in6_addr addr6;
+	int ifindex, prefix, flag3, flag4;
+	int res;
+	unsigned int i;
+
+	if (iter->valid != ISC_R_SUCCESS)
+		return (iter->valid);
+	if (iter->proc == NULL)
+		return (ISC_R_FAILURE);
+
+	res = sscanf(iter->entry, "%32[a-f0-9] %x %x %x %x %16s\n",
+		     address, &ifindex, &prefix, &flag3, &flag4, name);
+	if (res != 6)
+		return (ISC_R_FAILURE);
+	if (strlen(address) != 32)
+		return (ISC_R_FAILURE);
+	for (i = 0; i < 16; i++) {
+		unsigned char byte;
+		static const char hex[] = "0123456789abcdef";
+		byte = ((index(hex, address[i * 2]) - hex) << 4) |
+		       (index(hex, address[i * 2 + 1]) - hex);
+		addr6.s6_addr[i] = byte;
+	}
+	iter->current.af = AF_INET6;
+	iter->current.flags = INTERFACE_F_UP;
+	isc_netaddr_fromin6(&iter->current.address, &addr6);
+	if (isc_netaddr_islinklocal(&iter->current.address)) {
+		isc_netaddr_setzone(&iter->current.address,
+				    (isc_uint32_t)ifindex);
+	}
+	for (i = 0; i < 16; i++) {
+		if (prefix > 8) {
+			addr6.s6_addr[i] = 0xff;
+			prefix -= 8;
+		} else {
+			addr6.s6_addr[i] = (0xff << (8 - prefix)) & 0xff;
+			prefix = 0;
+		}
+	}
+	isc_netaddr_fromin6(&iter->current.netmask, &addr6);
+	strncpy(iter->current.name, name, sizeof(iter->current.name));
+	return (ISC_R_SUCCESS);
+}
+#endif
+
 /*
  * Get information about the current interface to iter->current.
  * If successful, return ISC_R_SUCCESS.
@@ -226,37 +490,53 @@ isc_interfaceiter_create(isc_mem_t *mctx, isc_interfaceiter_t **iterp) {
  */
 
 static isc_result_t
-internal_current(isc_interfaceiter_t *iter) {
-	struct lifreq *ifrp;
-	struct lifreq lifreq;
+internal_current4(isc_interfaceiter_t *iter) {
+	struct ifreq *ifrp;
+	struct ifreq ifreq;
 	int family;
 	char strbuf[ISC_STRERRORSIZE];
+#if !defined(ISC_PLATFORM_HAVEIF_LADDRREQ) && defined(SIOCGLIFADDR)
+	struct lifreq lifreq;
+#else
+	char sabuf[256];
+#endif
+	int i, bits, prefixlen;
+#ifdef __linux
+	isc_result_t result;
+#endif
 
 	REQUIRE(VALID_IFITER(iter));
-	REQUIRE(iter->ifc.lifc_len == 0 ||
-		iter->pos < (unsigned int) iter->ifc.lifc_len);
+	REQUIRE (iter->pos < (unsigned int) iter->ifc.ifc_len);
 
-	if (iter->ifc.lifc_len == 0)
-		return (ISC_R_NOMORE);
+#ifdef __linux
+	result = linux_if_inet6_current(iter);
+	if (result != ISC_R_NOMORE)
+		return (result);
+	iter->first = ISC_TRUE;
+#endif
 
-	ifrp = (struct lifreq *)((char *) iter->ifc.lifc_req + iter->pos);
+	ifrp = (struct ifreq *)((char *) iter->ifc.ifc_req + iter->pos);
 
-	memset(&lifreq, 0, sizeof lifreq);
-	memcpy(&lifreq, ifrp, sizeof lifreq);
+	memset(&ifreq, 0, sizeof(ifreq));
+	memcpy(&ifreq, ifrp, sizeof(ifreq));
 
-	family = lifreq.lifr_addr.ss_family;
+	family = ifreq.ifr_addr.sa_family;
+#if defined(ISC_PLATFORM_HAVEIPV6)
+	if (family != AF_INET && family != AF_INET6)
+#else
 	if (family != AF_INET)
+#endif
 		return (ISC_R_IGNORE);
 
 	memset(&iter->current, 0, sizeof(iter->current));
 	iter->current.af = family;
 
-	INSIST(sizeof(lifreq.lifr_name) <= sizeof(iter->current.name));
+	INSIST(sizeof(ifreq.ifr_name) <= sizeof(iter->current.name));
 	memset(iter->current.name, 0, sizeof(iter->current.name));
-	memcpy(iter->current.name, lifreq.lifr_name, sizeof(lifreq.lifr_name));
+	memcpy(iter->current.name, ifreq.ifr_name, sizeof(ifreq.ifr_name));
 
 	get_addr(family, &iter->current.address,
-		 (struct sockaddr *)&lifreq.lifr_addr);
+		 (struct sockaddr *)&ifrp->ifr_addr, ifreq.ifr_name);
 
 	/*
 	 * If the interface does not have a address ignore it.
@@ -284,23 +564,75 @@ internal_current(isc_interfaceiter_t *iter) {
 	 * conversion.  It comes from its own macro definition,
 	 * and is really hard to shut up.
 	 */
-	if (ioctl(iter->socket, SIOCGLIFFLAGS, (char *) &lifreq) < 0) {
+	if (ioctl(iter->socket, SIOCGIFFLAGS, (char *) &ifreq) < 0) {
 		isc__strerror(errno, strbuf, sizeof(strbuf));
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
 				 "%s: getting interface flags: %s",
-				 lifreq.lifr_name, strbuf);
+				 ifreq.ifr_name, strbuf);
 		return (ISC_R_IGNORE);
 	}
 
-	if ((lifreq.lifr_flags & IFF_UP) != 0)
+	if ((ifreq.ifr_flags & IFF_UP) != 0)
 		iter->current.flags |= INTERFACE_F_UP;
 
-	if ((lifreq.lifr_flags & IFF_POINTOPOINT) != 0)
+#ifdef IFF_POINTOPOINT
+	if ((ifreq.ifr_flags & IFF_POINTOPOINT) != 0)
 		iter->current.flags |= INTERFACE_F_POINTTOPOINT;
+#endif
 
-	if ((lifreq.lifr_flags & IFF_LOOPBACK) != 0)
+	if ((ifreq.ifr_flags & IFF_LOOPBACK) != 0)
 		iter->current.flags |= INTERFACE_F_LOOPBACK;
 
+	if (family == AF_INET)
+		goto inet;
+
+#if !defined(ISC_PLATFORM_HAVEIF_LADDRREQ) && defined(SIOCGLIFADDR)
+	memset(&lifreq, 0, sizeof(lifreq));
+	memcpy(lifreq.lifr_name, iter->current.name, sizeof(lifreq.lifr_name));
+	memcpy(&lifreq.lifr_addr, &iter->current.address.type.in6,
+	       sizeof(iter->current.address.type.in6));
+
+	if (ioctl(iter->socket, SIOCGLIFADDR, &lifreq) < 0) {
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "%s: getting interface address: %s",
+				 ifreq.ifr_name, strbuf);
+		return (ISC_R_IGNORE);
+	}
+	prefixlen = lifreq.lifr_addrlen;
+#else
+	isc_netaddr_format(&iter->current.address, sabuf, sizeof(sabuf));
+	isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+		      ISC_LOGMODULE_INTERFACE,
+		      ISC_LOG_INFO,
+		      isc_msgcat_get(isc_msgcat,
+				     ISC_MSGSET_IFITERIOCTL,
+				     ISC_MSG_GETIFCONFIG,
+				     "prefix length for %s is unknown "
+				     "(assume 128)"), sabuf);
+	prefixlen = 128;
+#endif
+
+	/*
+	 * Netmask already zeroed.
+	 */
+	iter->current.netmask.family = family;
+	for (i = 0; i < 16; i++) {
+		if (prefixlen > 8) {
+			bits = 0;
+			prefixlen -= 8;
+		} else {
+			bits = 8 - prefixlen;
+			prefixlen = 0;
+		}
+		iter->current.netmask.type.in6.s6_addr[i] = (~0 << bits) & 0xff;
+	}
+	return (ISC_R_SUCCESS);
+
+ inet:
+	if (family != AF_INET)
+		return (ISC_R_IGNORE);
+#ifdef IFF_POINTOPOINT
 	/*
 	 * If the interface is point-to-point, get the destination address.
 	 */
@@ -310,7 +642,7 @@ internal_current(isc_interfaceiter_t *iter) {
 		 * conversion.  It comes from its own macro definition,
 		 * and is really hard to shut up.
 		 */
-		if (ioctl(iter->socket, SIOCGLIFDSTADDR, (char *)&lifreq)
+		if (ioctl(iter->socket, SIOCGIFDSTADDR, (char *)&ifreq)
 		    < 0) {
 			isc__strerror(errno, strbuf, sizeof(strbuf));
 			UNEXPECTED_ERROR(__FILE__, __LINE__,
@@ -319,60 +651,218 @@ internal_current(isc_interfaceiter_t *iter) {
 					       ISC_MSG_GETDESTADDR,
 					       "%s: getting "
 					       "destination address: %s"),
-					 lifreq.lifr_name, strbuf);
+					 ifreq.ifr_name, strbuf);
 			return (ISC_R_IGNORE);
 		}
 		get_addr(family, &iter->current.dstaddress,
-			 (struct sockaddr *)&lifreq.lifr_dstaddr);
+			 (struct sockaddr *)&ifreq.ifr_dstaddr, ifreq.ifr_name);
 	}
+#endif
 
 	/*
 	 * Get the network mask.
 	 */
-	memset(&lifreq, 0, sizeof lifreq);
-	memcpy(&lifreq, ifrp, sizeof lifreq);
+	memset(&ifreq, 0, sizeof(ifreq));
+	memcpy(&ifreq, ifrp, sizeof(ifreq));
+	/*
+	 * Ignore the HP/UX warning about "interger overflow during
+	 * conversion.  It comes from its own macro definition,
+	 * and is really hard to shut up.
+	 */
+	if (ioctl(iter->socket, SIOCGIFNETMASK, (char *)&ifreq) < 0) {
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+			isc_msgcat_get(isc_msgcat,
+				       ISC_MSGSET_IFITERIOCTL,
+				       ISC_MSG_GETNETMASK,
+				       "%s: getting netmask: %s"),
+				       ifreq.ifr_name, strbuf);
+		return (ISC_R_IGNORE);
+	}
+	get_addr(family, &iter->current.netmask,
+		 (struct sockaddr *)&ifreq.ifr_addr, ifreq.ifr_name);
+	return (ISC_R_SUCCESS);
+}
+
+#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR)
+static isc_result_t
+internal_current6(isc_interfaceiter_t *iter) {
+	struct LIFREQ *ifrp;
+	struct LIFREQ lifreq;
+	int family;
+	char strbuf[ISC_STRERRORSIZE];
+	int fd;
+
+	REQUIRE(VALID_IFITER(iter));
+	if (iter->result6 != ISC_R_SUCCESS)
+		return (iter->result6);
+	REQUIRE(iter->pos6 < (unsigned int) iter->lifc.lifc_len);
+
+	ifrp = (struct LIFREQ *)((char *) iter->lifc.lifc_req + iter->pos6);
+
+	memset(&lifreq, 0, sizeof(lifreq));
+	memcpy(&lifreq, ifrp, sizeof(lifreq));
+
+	family = lifreq.lifr_addr.ss_family;
+#ifdef ISC_PLATFORM_HAVEIPV6
+	if (family != AF_INET && family != AF_INET6)
+#else
+	if (family != AF_INET)
+#endif
+		return (ISC_R_IGNORE);
+
+	memset(&iter->current, 0, sizeof(iter->current));
+	iter->current.af = family;
+
+	INSIST(sizeof(lifreq.lifr_name) <= sizeof(iter->current.name));
+	memset(iter->current.name, 0, sizeof(iter->current.name));
+	memcpy(iter->current.name, lifreq.lifr_name, sizeof(lifreq.lifr_name));
+
+	get_addr(family, &iter->current.address,
+		 (struct sockaddr *)&lifreq.lifr_addr, lifreq.lifr_name);
+
+	/*
+	 * If the interface does not have a address ignore it.
+	 */
 	switch (family) {
 	case AF_INET:
+		if (iter->current.address.type.in.s_addr == htonl(INADDR_ANY))
+			return (ISC_R_IGNORE);
+		break;
+	case AF_INET6:
+		if (memcmp(&iter->current.address.type.in6, &in6addr_any,
+			   sizeof(in6addr_any)) == 0)
+			return (ISC_R_IGNORE);
+		break;
+	}
+
+	/*
+	 * Get interface flags.
+	 */
+
+	iter->current.flags = 0;
+
+	if (family == AF_INET6)
+		fd = iter->socket6;
+	else
+		fd = iter->socket;
+
+	/*
+	 * Ignore the HP/UX warning about "interger overflow during
+	 * conversion.  It comes from its own macro definition,
+	 * and is really hard to shut up.
+	 */
+	if (ioctl(fd, SIOCGLIFFLAGS, (char *) &lifreq) < 0) {
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "%s: getting interface flags: %s",
+				 lifreq.lifr_name, strbuf);
+		return (ISC_R_IGNORE);
+	}
+
+	if ((lifreq.lifr_flags & IFF_UP) != 0)
+		iter->current.flags |= INTERFACE_F_UP;
+
+#ifdef IFF_POINTOPOINT
+	if ((lifreq.lifr_flags & IFF_POINTOPOINT) != 0)
+		iter->current.flags |= INTERFACE_F_POINTTOPOINT;
+#endif
+
+	if ((lifreq.lifr_flags & IFF_LOOPBACK) != 0)
+		iter->current.flags |= INTERFACE_F_LOOPBACK;
+
+#ifdef IFF_POINTOPOINT
+	/*
+	 * If the interface is point-to-point, get the destination address.
+	 */
+	if ((iter->current.flags & INTERFACE_F_POINTTOPOINT) != 0) {
 		/*
 		 * Ignore the HP/UX warning about "interger overflow during
 		 * conversion.  It comes from its own macro definition,
 		 * and is really hard to shut up.
 		 */
-		if (ioctl(iter->socket, SIOCGLIFNETMASK, (char *)&lifreq)
+		if (ioctl(fd, SIOCGLIFDSTADDR, (char *)&lifreq)
 		    < 0) {
 			isc__strerror(errno, strbuf, sizeof(strbuf));
 			UNEXPECTED_ERROR(__FILE__, __LINE__,
 				isc_msgcat_get(isc_msgcat,
 					       ISC_MSGSET_IFITERIOCTL,
-					       ISC_MSG_GETNETMASK,
-					       "%s: getting netmask: %s"),
+					       ISC_MSG_GETDESTADDR,
+					       "%s: getting "
+					       "destination address: %s"),
 					 lifreq.lifr_name, strbuf);
 			return (ISC_R_IGNORE);
 		}
-		get_addr(family, &iter->current.netmask,
-			 (struct sockaddr *)&lifreq.lifr_addr);
-		break;
-	case AF_INET6: {
+		get_addr(family, &iter->current.dstaddress,
+			 (struct sockaddr *)&lifreq.lifr_dstaddr,
+			 lifreq.lifr_name);
+	}
+#endif
+
+	/*
+	 * Get the network mask.  Netmask already zeroed.
+	 */
+	memset(&lifreq, 0, sizeof(lifreq));
+	memcpy(&lifreq, ifrp, sizeof(lifreq));
+
 #ifdef lifr_addrlen
+	/*
+	 * Special case: if the system provides lifr_addrlen member, the
+	 * netmask of an IPv6 address can be derived from the length, since
+	 * an IPv6 address always has a contiguous mask.
+	 */
+	if (family == AF_INET6) {
 		int i, bits;
 
-		/*
-		 * Netmask already zeroed.
-		 */
 		iter->current.netmask.family = family;
-		for (i = 0 ; i < lifreq.lifr_addrlen; i += 8) {
+		for (i = 0; i < lifreq.lifr_addrlen; i += 8) {
 			bits = lifreq.lifr_addrlen - i;
-			bits = (bits < 8 ) ? (8-bits) : 0;
-			iter->current.netmask.type.in6.s6_addr[i/8] =
-				 (~0 << bits) &0xff;
+			bits = (bits < 8) ? (8 - bits) : 0;
+			iter->current.netmask.type.in6.s6_addr[i / 8] =
+				(~0 << bits) & 0xff;
 		}
-#endif
-		break;
+
+		return (ISC_R_SUCCESS);
 	}
+#endif
+
+	/*
+	 * Ignore the HP/UX warning about "interger overflow during
+	 * conversion.  It comes from its own macro definition,
+	 * and is really hard to shut up.
+	 */
+	if (ioctl(fd, SIOCGLIFNETMASK, (char *)&lifreq) < 0) {
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 isc_msgcat_get(isc_msgcat,
+						ISC_MSGSET_IFITERIOCTL,
+						ISC_MSG_GETNETMASK,
+						"%s: getting netmask: %s"),
+				 lifreq.lifr_name, strbuf);
+		return (ISC_R_IGNORE);
 	}
+	get_addr(family, &iter->current.netmask,
+		 (struct sockaddr *)&lifreq.lifr_addr, lifreq.lifr_name);
 
 	return (ISC_R_SUCCESS);
 }
+#endif
+
+static isc_result_t
+internal_current(isc_interfaceiter_t *iter) {
+#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR)
+	if (iter->mode == 6) {
+		iter->result6 = internal_current6(iter);
+		if (iter->result6 != ISC_R_NOMORE)
+			return (iter->result6);
+	}
+#endif
+#ifdef HAVE_TRUCLUSTER
+	if (!iter->clua_done)
+		return(internal_current_clusteralias(iter));
+#endif
+	return (internal_current4(iter));
+}
 
 /*
  * Step the iterator to the next interface.  Unlike
@@ -382,27 +872,121 @@ internal_current(isc_interfaceiter_t *iter) {
  * interfaces, otherwise ISC_R_SUCCESS.
  */
 static isc_result_t
-internal_next(isc_interfaceiter_t *iter) {
-	struct lifreq *ifrp;
+internal_next4(isc_interfaceiter_t *iter) {
+	struct ifreq *ifrp;
 
-	REQUIRE (iter->pos < (unsigned int) iter->ifc.lifc_len);
+	REQUIRE (iter->pos < (unsigned int) iter->ifc.ifc_len);
 
-	ifrp = (struct lifreq *)((char *) iter->ifc.lifc_req + iter->pos);
+#ifdef __linux
+	if (linux_if_inet6_next(iter) == ISC_R_SUCCESS)
+		return (ISC_R_SUCCESS);
+	if (!iter->first)
+		return (ISC_R_SUCCESS);
+#endif
+	ifrp = (struct ifreq *)((char *) iter->ifc.ifc_req + iter->pos);
+
+#ifdef ISC_PLATFORM_HAVESALEN
+	if (ifrp->ifr_addr.sa_len > sizeof(struct sockaddr))
+		iter->pos += sizeof(ifrp->ifr_name) + ifrp->ifr_addr.sa_len;
+	else
+#endif
+		iter->pos += sizeof(*ifrp);
+
+	if (iter->pos >= (unsigned int) iter->ifc.ifc_len)
+		return (ISC_R_NOMORE);
+
+	return (ISC_R_SUCCESS);
+}
+
+#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR)
+static isc_result_t
+internal_next6(isc_interfaceiter_t *iter) {
+	struct LIFREQ *ifrp;
+	
+	if (iter->result6 != ISC_R_SUCCESS && iter->result6 != ISC_R_IGNORE)
+		return (iter->result6);
+
+	REQUIRE(iter->pos6 < (unsigned int) iter->lifc.lifc_len);
+
+	ifrp = (struct LIFREQ *)((char *) iter->lifc.lifc_req + iter->pos6);
 
 #ifdef ISC_PLATFORM_HAVESALEN
 	if (ifrp->lifr_addr.sa_len > sizeof(struct sockaddr))
-		iter->pos += sizeof(ifrp->lifr_name) + ifrp->lifr_addr.sa_len;
+		iter->pos6 += sizeof(ifrp->lifr_name) + ifrp->lifr_addr.sa_len;
 	else
 #endif
-		iter->pos += sizeof *ifrp;
+		iter->pos6 += sizeof(*ifrp);
 
-	if (iter->pos >= (unsigned int) iter->ifc.lifc_len)
+	if (iter->pos6 >= (unsigned int) iter->lifc.lifc_len)
 		return (ISC_R_NOMORE);
 
 	return (ISC_R_SUCCESS);
 }
+#endif
+
+static isc_result_t
+internal_next(isc_interfaceiter_t *iter) {
+#ifdef HAVE_TRUCLUSTER
+	int clua_result;
+#endif
+#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR)
+	if (iter->mode == 6) {
+		iter->result6 = internal_next6(iter);
+		if (iter->result6 != ISC_R_NOMORE)
+			return (iter->result6);
+		if (iter->first6) {
+			iter->first6 = ISC_FALSE;
+			return (ISC_R_SUCCESS);
+		}
+	}
+#endif
+#ifdef HAVE_TRUCLUSTER
+	if (!iter->clua_done) {
+		clua_result = clua_getaliasaddress(&intr->clua_sa,
+						   &iter->clua_context);
+		if (clua_result != CLUA_SUCCESS)
+			iter->clua_done = ISC_TRUE;
+		return (ISC_R_SUCCESS);
+	}
+#endif
+	return (internal_next4(iter));
+}
 
 static void
 internal_destroy(isc_interfaceiter_t *iter) {
 	(void) close(iter->socket);
+#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR)
+	if (iter->socket6 != -1)
+		(void) close(iter->socket6);
+	if (iter->buf6 != NULL) {
+		isc_mem_put(iter->mctx, iter->buf6, iter->bufsize6);
+	}
+#endif
+#ifdef __linux
+	if (iter->proc != NULL)
+		fclose(iter->proc);
+#endif
+}
+
+static
+void internal_first(isc_interfaceiter_t *iter) {
+#ifdef HAVE_TRUCLUSTER
+	int clua_result;
+#endif
+	iter->pos = 0;
+#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR)
+	iter->pos6 = 0;
+	if (iter->result6 == ISC_R_NOMORE)
+		iter->result6 = ISC_R_SUCCESS;
+	iter->first6 = ISC_TRUE;
+#endif
+#ifdef HAVE_TRUCLUSTER
+	iter->clua_context = 0;
+	clua_result = clua_getaliasaddress(&intr->clua_sa,
+					   &iter->clua_context);
+	iter->clua_done = ISC_TF(clua_result != CLUA_SUCCESS);
+#endif
+#ifdef __linux
+	linux_if_inet6_first(iter);
+#endif
 }
diff --git a/lib/isc/unix/ifiter_sysctl.c b/lib/isc/unix/ifiter_sysctl.c
index 6eb1c9cd..c0f678b9 100644
--- a/lib/isc/unix/ifiter_sysctl.c
+++ b/lib/isc/unix/ifiter_sysctl.c
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ifiter_sysctl.c,v 1.14.2.3 2005/03/16 00:57:44 marka Exp $ */
+/* $Id: ifiter_sysctl.c,v 1.14.12.7 2004/03/08 09:04:56 marka Exp $ */
 
 /*
  * Obtain the list of network interfaces using sysctl.
@@ -69,6 +69,8 @@ isc_interfaceiter_create(isc_mem_t *mctx, isc_interfaceiter_t **iterp) {
 	isc_result_t result;
 	size_t bufsize;
 	size_t bufused;
+	char strbuf[ISC_STRERRORSIZE];
+
 	REQUIRE(mctx != NULL);
 	REQUIRE(iterp != NULL);
 	REQUIRE(*iterp == NULL);
@@ -85,13 +87,14 @@ isc_interfaceiter_create(isc_mem_t *mctx, isc_interfaceiter_t **iterp) {
 	 */
 	bufsize = 0;
 	if (sysctl(mib, 6, NULL, &bufsize, NULL, (size_t) 0) < 0) {
+		isc__strerror(errno, strbuf, sizeof(strbuf));
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
 				 isc_msgcat_get(isc_msgcat,
 						ISC_MSGSET_IFITERSYSCTL,
 						ISC_MSG_GETIFLISTSIZE,
 						"getting interface "
 						"list size: sysctl: %s"),
-				 strerror(errno));
+				 strbuf);
 		result = ISC_R_UNEXPECTED;
 		goto failure;
 	}
@@ -105,13 +108,14 @@ isc_interfaceiter_create(isc_mem_t *mctx, isc_interfaceiter_t **iterp) {
 
 	bufused = bufsize;
 	if (sysctl(mib, 6, iter->buf, &bufused, NULL, (size_t) 0) < 0) {
+		isc__strerror(errno, strbuf, sizeof(strbuf));
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
 				 isc_msgcat_get(isc_msgcat,
 						ISC_MSGSET_IFITERSYSCTL,
 						ISC_MSG_GETIFLIST,
 						"getting interface list: "
 						"sysctl: %s"),
-				 strerror(errno));
+				 strbuf);
 		result = ISC_R_UNEXPECTED;
 		goto failure;
 	}
@@ -132,7 +136,7 @@ isc_interfaceiter_create(isc_mem_t *mctx, isc_interfaceiter_t **iterp) {
  failure:
 	if (iter->buf != NULL)
 		isc_mem_put(mctx, iter->buf, iter->bufsize);
-	isc_mem_put(mctx, iter, sizeof *iter);
+	isc_mem_put(mctx, iter, sizeof(*iter));
 	return (result);
 }
 
@@ -234,19 +238,22 @@ internal_current(isc_interfaceiter_t *iter) {
 			return (ISC_R_IGNORE);
 
 		family = addr_sa->sa_family;
-		if (family != AF_INET) /* XXX IP6 */
+		if (family != AF_INET && family != AF_INET6)
 			return (ISC_R_IGNORE);
 
 		iter->current.af = family;
 
-		get_addr(family, &iter->current.address, addr_sa);
+		get_addr(family, &iter->current.address, addr_sa,
+			 iter->current.name);
 
 		if (mask_sa != NULL)
-			get_addr(family, &iter->current.netmask, mask_sa);
+			get_addr(family, &iter->current.netmask, mask_sa,
+				 iter->current.name);
 
 		if (dst_sa != NULL &&
-		    (iter->current.flags & INTERFACE_F_POINTTOPOINT) != 0)
-			get_addr(family, &iter->current.dstaddress, dst_sa);
+		    (iter->current.flags & IFF_POINTOPOINT) != 0)
+			get_addr(family, &iter->current.dstaddress, dst_sa,
+				 iter->current.name);
 
 		return (ISC_R_SUCCESS);
 	} else {
@@ -288,3 +295,7 @@ internal_destroy(isc_interfaceiter_t *iter) {
 	 */
 }
 
+static
+void internal_first(isc_interfaceiter_t *iter) {
+	iter->pos = 0;
+}
diff --git a/lib/isc/unix/include/Makefile.in b/lib/isc/unix/include/Makefile.in
index 03d4c51a..5a06022f 100644
--- a/lib/isc/unix/include/Makefile.in
+++ b/lib/isc/unix/include/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.11.2.1 2004/03/09 06:12:12 marka Exp $
+# $Id: Makefile.in,v 1.11.206.1 2004/03/06 08:15:03 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/isc/unix/include/isc/Makefile.in b/lib/isc/unix/include/isc/Makefile.in
index 6dfb1a5d..4c5bae2c 100644
--- a/lib/isc/unix/include/isc/Makefile.in
+++ b/lib/isc/unix/include/isc/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.27.2.1 2004/03/09 06:12:13 marka Exp $
+# $Id: Makefile.in,v 1.27.206.1 2004/03/06 08:15:03 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/isc/unix/include/isc/dir.h b/lib/isc/unix/include/isc/dir.h
index 48117448..53b51df0 100644
--- a/lib/isc/unix/include/isc/dir.h
+++ b/lib/isc/unix/include/isc/dir.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dir.h,v 1.15.2.1 2004/03/09 06:12:13 marka Exp $ */
+/* $Id: dir.h,v 1.15.12.3 2004/03/08 09:04:57 marka Exp $ */
 
 /* Principal Authors: DCL */
 
@@ -77,16 +77,6 @@ isc_result_t
 isc_dir_chroot(const char *dirname);
 
 isc_result_t
-isc_dir_current(char *dirname, size_t length, isc_boolean_t end_sep);
-/*
- * Put the absolute name of the current directory into 'dirname', which is a
- * buffer of at least 'length' characters.  If 'end_sep' is true, end the
- * string with the appropriate path separator, such that the final product
- * could be concatenated with a relative pathname to make a valid pathname
- * string. 
- */
-
-isc_result_t
 isc_dir_createunique(char *templet);
 /*
  * Use a templet (such as from isc_file_mktemplate()) to create a uniquely
diff --git a/lib/isc/unix/include/isc/int.h b/lib/isc/unix/include/isc/int.h
index 36da3c84..be36ccb1 100644
--- a/lib/isc/unix/include/isc/int.h
+++ b/lib/isc/unix/include/isc/int.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: int.h,v 1.11.2.1 2004/03/09 06:12:13 marka Exp $ */
+/* $Id: int.h,v 1.11.206.1 2004/03/06 08:15:04 marka Exp $ */
 
 #ifndef ISC_INT_H
 #define ISC_INT_H 1
diff --git a/lib/isc/unix/include/isc/keyboard.h b/lib/isc/unix/include/isc/keyboard.h
index bd580a3c..31005b10 100644
--- a/lib/isc/unix/include/isc/keyboard.h
+++ b/lib/isc/unix/include/isc/keyboard.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: keyboard.h,v 1.6.2.1 2004/03/09 06:12:13 marka Exp $ */
+/* $Id: keyboard.h,v 1.6.206.1 2004/03/06 08:15:04 marka Exp $ */
 
 #ifndef ISC_KEYBOARD_H
 #define ISC_KEYBOARD_H 1
diff --git a/lib/isc/unix/include/isc/net.h b/lib/isc/unix/include/isc/net.h
index 64c5266f..8d13ee3e 100644
--- a/lib/isc/unix/include/isc/net.h
+++ b/lib/isc/unix/include/isc/net.h
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: net.h,v 1.31.2.4 2004/03/09 06:12:14 marka Exp $ */
+/* $Id: net.h,v 1.31.2.2.10.7 2004/03/08 09:04:57 marka Exp $ */
 
 #ifndef ISC_NET_H
 #define ISC_NET_H 1
@@ -75,6 +75,8 @@
 #include <sys/types.h>
 #include <sys/socket.h>		/* Contractual promise. */
 
+#include <net/if.h>
+
 #include <netinet/in.h>		/* Contractual promise. */
 #include <arpa/inet.h>		/* Contractual promise. */
 #ifdef ISC_PLATFORM_NEEDNETINETIN6H
@@ -137,6 +139,17 @@
 #define IN6_IS_ADDR_MULTICAST(a)        ((a)->s6_addr[0] == 0xff)
 #endif
 
+#ifndef IN6_IS_ADDR_LINKLOCAL
+#define IN6_IS_ADDR_LINKLOCAL(a) \
+	(((a)->s6_addr[0] == 0xfe) && (((a)->s6_addr[1] & 0xc0) == 0x80))
+#endif
+
+#ifndef IN6_IS_ADDR_SITELOCAL
+#define IN6_IS_ADDR_SITELOCAL(a) \
+	(((a)->s6_addr[0] == 0xfe) && (((a)->s6_addr[1] & 0xc0) == 0xc0))
+#endif
+
+
 #ifndef IN6_IS_ADDR_LOOPBACK
 #define IN6_IS_ADDR_LOOPBACK(x) \
 	(memcmp((x)->s6_addr, in6addr_loopback.s6_addr, 16) == 0)
@@ -236,6 +249,7 @@ isc_net_probeipv4(void);
  *
  *	ISC_R_SUCCESS		IPv4 is supported.
  *	ISC_R_NOTFOUND		IPv4 is not supported.
+ *	ISC_R_DISABLED		IPv4 is disabled.
  *	ISC_R_UNEXPECTED
  */
 
@@ -248,9 +262,34 @@ isc_net_probeipv6(void);
  *
  *	ISC_R_SUCCESS		IPv6 is supported.
  *	ISC_R_NOTFOUND		IPv6 is not supported.
+ *	ISC_R_DISABLED		IPv6 is disabled.
+ *	ISC_R_UNEXPECTED
+ */
+
+isc_result_t
+isc_net_probe_ipv6only(void);
+/*
+ * Check if the system's kernel supports the IPV6_V6ONLY socket option.
+ *
+ * Returns:
+ *
+ *	ISC_R_SUCCESS		the option is supported for both TCP and UDP.
+ *	ISC_R_NOTFOUND		IPv6 itself or the option is not supported.
  *	ISC_R_UNEXPECTED
  */
 
+void
+isc_net_disableipv4(void);
+
+void
+isc_net_disableipv6(void);
+
+void
+isc_net_enableipv4(void);
+
+void
+isc_net_enableipv6(void);
+
 #ifdef ISC_PLATFORM_NEEDNTOP
 const char *
 isc_net_ntop(int af, const void *src, char *dst, size_t size);
diff --git a/lib/isc/unix/include/isc/netdb.h b/lib/isc/unix/include/isc/netdb.h
index c86f1ff1..beb91375 100644
--- a/lib/isc/unix/include/isc/netdb.h
+++ b/lib/isc/unix/include/isc/netdb.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: netdb.h,v 1.6.2.1 2004/03/09 06:12:14 marka Exp $ */
+/* $Id: netdb.h,v 1.6.206.1 2004/03/06 08:15:04 marka Exp $ */
 
 #ifndef ISC_NETDB_H
 #define ISC_NETDB_H 1
diff --git a/lib/isc/unix/include/isc/offset.h b/lib/isc/unix/include/isc/offset.h
index a6f49f4a..0ea13625 100644
--- a/lib/isc/unix/include/isc/offset.h
+++ b/lib/isc/unix/include/isc/offset.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: offset.h,v 1.10.2.1 2004/03/09 06:12:14 marka Exp $ */
+/* $Id: offset.h,v 1.10.206.1 2004/03/06 08:15:04 marka Exp $ */
 
 #ifndef ISC_OFFSET_H
 #define ISC_OFFSET_H 1
diff --git a/lib/isc/unix/include/isc/stat.h b/lib/isc/unix/include/isc/stat.h
index ad54f5e0..43042086 100644
--- a/lib/isc/unix/include/isc/stat.h
+++ b/lib/isc/unix/include/isc/stat.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: stat.h,v 1.1.2.2 2004/03/09 06:12:14 marka Exp $ */
+/* $Id: stat.h,v 1.1.2.1.4.1 2004/03/06 08:15:05 marka Exp $ */
 
 #ifndef ISC_STAT_H
 #define ISC_STAT_H 1
diff --git a/lib/isc/unix/include/isc/stdtime.h b/lib/isc/unix/include/isc/stdtime.h
index 6e531208..9b855c70 100644
--- a/lib/isc/unix/include/isc/stdtime.h
+++ b/lib/isc/unix/include/isc/stdtime.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: stdtime.h,v 1.8.2.1 2004/03/09 06:12:14 marka Exp $ */
+/* $Id: stdtime.h,v 1.8.206.1 2004/03/06 08:15:05 marka Exp $ */
 
 #ifndef ISC_STDTIME_H
 #define ISC_STDTIME_H 1
diff --git a/lib/isc/unix/include/isc/strerror.h b/lib/isc/unix/include/isc/strerror.h
index ae4da79e..f51fbdc2 100644
--- a/lib/isc/unix/include/isc/strerror.h
+++ b/lib/isc/unix/include/isc/strerror.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: strerror.h,v 1.2.2.1 2004/03/09 06:12:15 marka Exp $ */
+/* $Id: strerror.h,v 1.2.12.3 2004/03/08 09:04:57 marka Exp $ */
 
 #ifndef ISC_STRERROR_H
 #define ISC_STRERROR_H
@@ -30,12 +30,11 @@ ISC_LANG_BEGINDECLS
 
 /*
  * Provide a thread safe wrapper to strerrror().
- * 'buf' is always returned.
  *
  * Requires:
  * 	'buf' to be non NULL.
  */
-char *
+void
 isc__strerror(int num, char *buf, size_t bufsize);
 
 ISC_LANG_ENDDECLS
diff --git a/lib/isc/unix/include/isc/syslog.h b/lib/isc/unix/include/isc/syslog.h
index 695526b9..2c0625eb 100644
--- a/lib/isc/unix/include/isc/syslog.h
+++ b/lib/isc/unix/include/isc/syslog.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: syslog.h,v 1.2.2.1 2004/03/09 06:12:15 marka Exp $ */
+/* $Id: syslog.h,v 1.2.206.1 2004/03/06 08:15:05 marka Exp $ */
 
 #ifndef ISC_SYSLOG_H
 #define ISC_SYSLOG_H 1
diff --git a/lib/isc/unix/include/isc/time.h b/lib/isc/unix/include/isc/time.h
index cdc3e7a4..6021c13d 100644
--- a/lib/isc/unix/include/isc/time.h
+++ b/lib/isc/unix/include/isc/time.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: time.h,v 1.25.2.2 2004/03/09 06:12:15 marka Exp $ */
+/* $Id: time.h,v 1.25.2.1.10.4 2004/03/08 09:04:58 marka Exp $ */
 
 #ifndef ISC_TIME_H
 #define ISC_TIME_H 1
@@ -57,7 +57,7 @@ isc_interval_set(isc_interval_t *i,
  */
 
 isc_boolean_t
-isc_interval_iszero(isc_interval_t *i);
+isc_interval_iszero(const isc_interval_t *i);
 /*
  * Returns ISC_TRUE iff. 'i' is the zero interval.
  *
@@ -115,7 +115,7 @@ isc_time_settoepoch(isc_time_t *t);
  */
 
 isc_boolean_t
-isc_time_isepoch(isc_time_t *t);
+isc_time_isepoch(const isc_time_t *t);
 /*
  * Returns ISC_TRUE iff. 't' is the epoch ("time zero").
  *
@@ -144,7 +144,7 @@ isc_time_now(isc_time_t *t);
  */
 
 isc_result_t
-isc_time_nowplusinterval(isc_time_t *t, isc_interval_t *i);
+isc_time_nowplusinterval(isc_time_t *t, const isc_interval_t *i);
 /*
  * Set *t to the current absolute time + i.
  *
@@ -169,7 +169,7 @@ isc_time_nowplusinterval(isc_time_t *t, isc_interval_t *i);
  */
 
 int
-isc_time_compare(isc_time_t *t1, isc_time_t *t2);
+isc_time_compare(const isc_time_t *t1, const isc_time_t *t2);
 /*
  * Compare the times referenced by 't1' and 't2'
  *
@@ -185,7 +185,7 @@ isc_time_compare(isc_time_t *t1, isc_time_t *t2);
  */
 
 isc_result_t
-isc_time_add(isc_time_t *t, isc_interval_t *i, isc_time_t *result);
+isc_time_add(const isc_time_t *t, const isc_interval_t *i, isc_time_t *result);
 /*
  * Add 'i' to 't', storing the result in 'result'.
  *
@@ -201,7 +201,8 @@ isc_time_add(isc_time_t *t, isc_interval_t *i, isc_time_t *result);
  */
 
 isc_result_t
-isc_time_subtract(isc_time_t *t, isc_interval_t *i, isc_time_t *result);
+isc_time_subtract(const isc_time_t *t, const isc_interval_t *i,
+		  isc_time_t *result);
 /*
  * Subtract 'i' from 't', storing the result in 'result'.
  *
@@ -216,7 +217,7 @@ isc_time_subtract(isc_time_t *t, isc_interval_t *i, isc_time_t *result);
  */
 
 isc_uint64_t
-isc_time_microdiff(isc_time_t *t1, isc_time_t *t2);
+isc_time_microdiff(const isc_time_t *t1, const isc_time_t *t2);
 /*
  * Find the difference in microseconds between time t1 and time t2.
  * t2 is the subtrahend of t1; ie, difference = t1 - t2.
@@ -230,7 +231,7 @@ isc_time_microdiff(isc_time_t *t1, isc_time_t *t2);
  */
 
 isc_uint32_t
-isc_time_seconds(isc_time_t *t);
+isc_time_seconds(const isc_time_t *t);
 /*
  * Return the number of seconds since the epoch stored in a time structure.
  *
@@ -240,7 +241,7 @@ isc_time_seconds(isc_time_t *t);
  */
 
 isc_result_t
-isc_time_secondsastimet(isc_time_t *t, time_t *secondsp);
+isc_time_secondsastimet(const isc_time_t *t, time_t *secondsp);
 /*
  * Ensure the number of seconds in an isc_time_t is representable by a time_t.
  *
@@ -263,7 +264,7 @@ isc_time_secondsastimet(isc_time_t *t, time_t *secondsp);
  */
 
 isc_uint32_t
-isc_time_nanoseconds(isc_time_t *t);
+isc_time_nanoseconds(const isc_time_t *t);
 /*
  * Return the number of nanoseconds stored in a time structure.
  *
@@ -283,7 +284,7 @@ void
 isc_time_formattimestamp(const isc_time_t *t, char *buf, unsigned int len);
 /*
  * Format the time 't' into the buffer 'buf' of length 'len',
- * using a format like "Aug 30 04:06:47.997" and the local time zone.
+ * using a format like "30-Aug-2000 04:06:47.997" and the local time zone.
  * If the text does not fit in the buffer, the result is indeterminate,
  * but is always guaranteed to be null terminated.
  *
diff --git a/lib/isc/unix/interfaceiter.c b/lib/isc/unix/interfaceiter.c
index 9d9175da..e245a102 100644
--- a/lib/isc/unix/interfaceiter.c
+++ b/lib/isc/unix/interfaceiter.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: interfaceiter.c,v 1.22.2.2 2004/03/09 06:12:10 marka Exp $ */
+/* $Id: interfaceiter.c,v 1.22.2.1.10.11 2004/03/08 09:04:56 marka Exp $ */
 
 #include <config.h>
 
@@ -30,6 +30,8 @@
 #include <unistd.h>
 #include <errno.h>
 
+#include <isc/interfaceiter.h>
+#include <isc/log.h>
 #include <isc/magic.h>
 #include <isc/mem.h>
 #include <isc/msgs.h>
@@ -38,24 +40,34 @@
 #include <isc/strerror.h>
 #include <isc/string.h>
 #include <isc/types.h>
-#include <isc/interfaceiter.h>
 #include <isc/util.h>
 
-#include <net/if.h>		/* Must follow <isc/net.h>. */
+/* Must follow <isc/net.h>. */
+#ifdef HAVE_NET_IF6_H
+#include <net/if6.h>
+#endif
+#include <net/if.h>
 
 /* Common utility functions */
 
 /*
  * Extract the network address part from a "struct sockaddr".
  *
- * The address family is given explicity
+ * The address family is given explicitly
  * instead of using src->sa_family, because the latter does not work
  * for copying a network mask obtained by SIOCGIFNETMASK (it does
  * not have a valid address family).
  */
 
 static void
-get_addr(unsigned int family, isc_netaddr_t *dst, struct sockaddr *src) {
+get_addr(unsigned int family, isc_netaddr_t *dst, struct sockaddr *src,
+	 char *ifname)
+{
+	struct sockaddr_in6 *sa6;
+
+	/* clear any remaining value for safety */
+	memset(dst, 0, sizeof(*dst));
+
 	dst->family = family;
 	switch (family) {
 	case AF_INET:
@@ -63,10 +75,55 @@ get_addr(unsigned int family, isc_netaddr_t *dst, struct sockaddr *src) {
 		       &((struct sockaddr_in *) src)->sin_addr,
 		       sizeof(struct in_addr));
 		break;
-	case	AF_INET6:
-		memcpy(&dst->type.in6,
-		       &((struct sockaddr_in6 *) src)->sin6_addr,
+	case AF_INET6:
+		sa6 = (struct sockaddr_in6 *)src;
+		memcpy(&dst->type.in6, &sa6->sin6_addr,
 		       sizeof(struct in6_addr));
+#ifdef ISC_PLATFORM_HAVESCOPEID
+		if (sa6->sin6_scope_id != 0)
+			isc_netaddr_setzone(dst, sa6->sin6_scope_id);
+		else {
+			/*
+			 * BSD variants embed scope zone IDs in the 128bit
+			 * address as a kernel internal form.  Unfortunately,
+			 * the embedded IDs are not hidden from applications
+			 * when getting access to them by sysctl or ioctl.
+			 * We convert the internal format to the pure address
+			 * part and the zone ID part.
+			 * Since multicast addresses should not appear here
+			 * and they cannot be distinguished from netmasks,
+			 * we only consider unicast link-local addresses.
+			 */
+			if (IN6_IS_ADDR_LINKLOCAL(&sa6->sin6_addr)) {
+				isc_uint16_t zone16;
+
+				memcpy(&zone16, &sa6->sin6_addr.s6_addr[2],
+				       sizeof(zone16));
+				zone16 = ntohs(zone16);
+				if (zone16 != 0) {
+					/* the zone ID is embedded */
+					isc_netaddr_setzone(dst,
+							    (isc_uint32_t)zone16);
+					dst->type.in6.s6_addr[2] = 0;
+					dst->type.in6.s6_addr[3] = 0;
+				} else if (ifname != NULL) {
+					unsigned int zone;
+
+					/*
+					 * sin6_scope_id is still not provided,
+					 * but the corresponding interface name
+					 * is know.  Use the interface ID as
+					 * the link ID.
+					 */
+					zone = if_nametoindex(ifname);
+					if (zone != 0) {
+						isc_netaddr_setzone(dst,
+								    (isc_uint32_t)zone);
+					}
+				}
+			}
+		}
+#endif
 		break;
 	default:
 		INSIST(0);
@@ -78,7 +135,9 @@ get_addr(unsigned int family, isc_netaddr_t *dst, struct sockaddr *src) {
  * Include system-dependent code.
  */
 
-#if HAVE_IFLIST_SYSCTL
+#if HAVE_GETIFADDRS
+#include "ifiter_getifaddrs.c"
+#elif HAVE_IFLIST_SYSCTL
 #include "ifiter_sysctl.c"
 #else
 #include "ifiter_ioctl.c"
@@ -103,7 +162,7 @@ isc_interfaceiter_first(isc_interfaceiter_t *iter) {
 
 	REQUIRE(VALID_IFITER(iter));
 
-	iter->pos = 0;
+	internal_first(iter);
 	for (;;) {
 		result = internal_current(iter);
 		if (result != ISC_R_IGNORE)
@@ -144,9 +203,10 @@ isc_interfaceiter_destroy(isc_interfaceiter_t **iterp)
 	REQUIRE(VALID_IFITER(iter));
 
 	internal_destroy(iter);
-	isc_mem_put(iter->mctx, iter->buf, iter->bufsize);
+	if (iter->buf != NULL)
+		isc_mem_put(iter->mctx, iter->buf, iter->bufsize);
 
 	iter->magic = 0;
-	isc_mem_put(iter->mctx, iter, sizeof *iter);
+	isc_mem_put(iter->mctx, iter, sizeof(*iter));
 	*iterp = NULL;
 }
diff --git a/lib/isc/unix/ipv6.c b/lib/isc/unix/ipv6.c
index b7e7bfd3..25e0c57b 100644
--- a/lib/isc/unix/ipv6.c
+++ b/lib/isc/unix/ipv6.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,9 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ipv6.c,v 1.7.2.3 2006/08/25 05:25:49 marka Exp $ */
-
-#include <config.h>
+/* $Id: ipv6.c,v 1.7.206.1 2004/03/06 08:15:00 marka Exp $ */
 
 #include <isc/ipv6.h>
 
diff --git a/lib/isc/unix/keyboard.c b/lib/isc/unix/keyboard.c
index 743f4057..146338ae 100644
--- a/lib/isc/unix/keyboard.c
+++ b/lib/isc/unix/keyboard.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: keyboard.c,v 1.9.2.1 2004/03/09 06:12:10 marka Exp $ */
+/* $Id: keyboard.c,v 1.9.12.3 2004/03/08 09:04:56 marka Exp $ */
 
 #include <config.h>
 
@@ -87,7 +87,7 @@ isc_keyboard_close(isc_keyboard_t *keyboard, unsigned int sleeptime) {
 		(void)sleep(sleeptime);
 
 	(void)tcsetattr(keyboard->fd, TCSAFLUSH, &keyboard->saved_mode);
-	close(keyboard->fd);
+	(void)close(keyboard->fd);
 
 	keyboard->fd = -1;
 
diff --git a/lib/isc/unix/net.c b/lib/isc/unix/net.c
index 7cbe374f..ddd4a270 100644
--- a/lib/isc/unix/net.c
+++ b/lib/isc/unix/net.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: net.c,v 1.22.2.3 2004/03/09 06:12:11 marka Exp $ */
+/* $Id: net.c,v 1.22.2.2.10.6 2004/03/08 09:04:57 marka Exp $ */
 
 #include <config.h>
 
@@ -39,8 +39,10 @@ const struct in6_addr isc_net_in6addrloop = IN6ADDR_LOOPBACK_INIT;
 #endif
 
 static isc_once_t 	once = ISC_ONCE_INIT;
+static isc_once_t 	once_ipv6only = ISC_ONCE_INIT;
 static isc_result_t	ipv4_result = ISC_R_NOTFOUND;
 static isc_result_t	ipv6_result = ISC_R_NOTFOUND;
+static isc_result_t	ipv6only_result = ISC_R_NOTFOUND;
 
 static isc_result_t
 try_proto(int domain) {
@@ -93,7 +95,7 @@ try_proto(int domain) {
 				      "socket from the kernel failed.");
 			isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
 				      ISC_LOGMODULE_SOCKET, ISC_LOG_ERROR,
-				      "IPv6 support is disabled.");
+				      "IPv6 is not supported.");
 			result = ISC_R_NOTFOUND;
 		} else {
 			if (len == sizeof(struct sockaddr_in6))
@@ -109,7 +111,7 @@ try_proto(int domain) {
 					      ISC_LOGCATEGORY_GENERAL,
 					      ISC_LOGMODULE_SOCKET,
 					      ISC_LOG_ERROR,
-					      "IPv6 support is disabled.");
+					      "IPv6 is not supported.");
 				result = ISC_R_NOTFOUND;
 			}
 		}
@@ -118,7 +120,7 @@ try_proto(int domain) {
 #endif
 #endif
 
-	close(s);
+	(void)close(s);
 
 	return (result);
 }
@@ -151,3 +153,125 @@ isc_net_probeipv6(void) {
 	initialize();
 	return (ipv6_result);
 }
+
+#ifdef ISC_PLATFORM_HAVEIPV6
+#ifdef WANT_IPV6
+static void
+try_ipv6only(void) {
+#ifdef IPV6_V6ONLY
+	int s, on;
+	char strbuf[ISC_STRERRORSIZE];
+#endif
+	isc_result_t result;
+
+	result = isc_net_probeipv6();
+	if (result != ISC_R_SUCCESS) {
+		ipv6only_result = result;
+		return;
+	}
+
+#ifndef IPV6_V6ONLY
+	ipv6only_result = ISC_R_NOTFOUND;
+	return;
+#else
+	/* check for TCP sockets */
+	s = socket(PF_INET6, SOCK_STREAM, 0);
+	if (s == -1) {
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "socket() %s: %s",
+				 isc_msgcat_get(isc_msgcat,
+						ISC_MSGSET_GENERAL,
+						ISC_MSG_FAILED,
+						"failed"),
+				 strbuf);
+		ipv6only_result = ISC_R_UNEXPECTED;
+		return;
+	}
+
+	on = 1;
+	if (setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on)) < 0) {
+		ipv6only_result = ISC_R_NOTFOUND;
+		goto close;
+	}
+
+	close(s);
+
+	/* check for UDP sockets */
+	s = socket(PF_INET6, SOCK_DGRAM, 0);
+	if (s == -1) {
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "socket() %s: %s",
+				 isc_msgcat_get(isc_msgcat,
+						ISC_MSGSET_GENERAL,
+						ISC_MSG_FAILED,
+						"failed"),
+				 strbuf);
+		ipv6only_result = ISC_R_UNEXPECTED;
+		return;
+	}
+
+	on = 1;
+	if (setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on)) < 0) {
+		ipv6only_result = ISC_R_NOTFOUND;
+		goto close;
+	}
+
+	close(s);
+
+	ipv6only_result = ISC_R_SUCCESS;
+
+close:
+	close(s);
+	return;
+#endif
+}
+
+static void
+initialize_ipv6only(void) {
+	RUNTIME_CHECK(isc_once_do(&once_ipv6only,
+				  try_ipv6only) == ISC_R_SUCCESS);
+}
+#endif
+#endif
+
+isc_result_t
+isc_net_probe_ipv6only(void) {
+#ifdef ISC_PLATFORM_HAVEIPV6
+#ifdef WANT_IPV6
+	initialize_ipv6only();
+#else
+	ipv6only_result = ISC_R_NOTFOUND;
+#endif
+#endif
+	return (ipv6only_result);
+}
+
+void
+isc_net_disableipv4(void) {
+	initialize();
+	if (ipv4_result == ISC_R_SUCCESS)
+		ipv4_result = ISC_R_DISABLED;
+}
+
+void
+isc_net_disableipv6(void) {
+	initialize();
+	if (ipv6_result == ISC_R_SUCCESS)
+		ipv6_result = ISC_R_DISABLED;
+}
+
+void
+isc_net_enableipv4(void) {
+	initialize();
+	if (ipv4_result == ISC_R_DISABLED)
+		ipv4_result = ISC_R_SUCCESS;
+}
+
+void
+isc_net_enableipv6(void) {
+	initialize();
+	if (ipv6_result == ISC_R_DISABLED)
+		ipv6_result = ISC_R_SUCCESS;
+}
diff --git a/lib/isc/unix/os.c b/lib/isc/unix/os.c
index 8101d1cd..62d69a37 100644
--- a/lib/isc/unix/os.c
+++ b/lib/isc/unix/os.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: os.c,v 1.11.2.4 2005/10/14 02:13:05 marka Exp $ */
+/* $Id: os.c,v 1.11.12.3 2004/03/08 09:04:57 marka Exp $ */
 
 #include <config.h>
 
@@ -26,7 +26,6 @@
 
 #include <unistd.h>
 
-#ifndef __hpux
 static inline long
 sysconf_ncpus(void) {
 #if defined(_SC_NPROCESSORS_ONLN)
@@ -37,7 +36,6 @@ sysconf_ncpus(void) {
 	return (0);
 #endif
 }
-#endif
 #endif /* HAVE_SYSCONF */
 
 
@@ -57,8 +55,7 @@ hpux_ncpus(void) {
 #endif /* __hpux */
 
 #if defined(HAVE_SYS_SYSCTL_H) && defined(HAVE_SYSCTLBYNAME)
-#include <sys/types.h>  /* for FreeBSD */
-#include <sys/param.h>  /* for NetBSD */
+#include <sys/types.h>
 #include <sys/sysctl.h>
 
 static int
@@ -66,7 +63,7 @@ sysctl_ncpus(void) {
 	int ncpu, result;
 	size_t len;
 
-	len = sizeof ncpu;
+	len = sizeof(ncpu);
 	result = sysctlbyname("hw.ncpu", &ncpu, &len , 0, 0);
 	if (result != -1)
 		return (ncpu);
diff --git a/lib/isc/unix/resource.c b/lib/isc/unix/resource.c
index 2bdcdd1b..b6faf32a 100644
--- a/lib/isc/unix/resource.c
+++ b/lib/isc/unix/resource.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: resource.c,v 1.11.2.1 2004/03/09 06:12:11 marka Exp $ */
+/* $Id: resource.c,v 1.11.206.1 2004/03/06 08:15:01 marka Exp $ */
 
 #include <config.h>
 
diff --git a/lib/isc/unix/socket.c b/lib/isc/unix/socket.c
index 459103b0..f418c403 100644
--- a/lib/isc/unix/socket.c
+++ b/lib/isc/unix/socket.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: socket.c,v 1.207.2.45 2007/05/21 01:57:16 marka Exp $ */
+/* $Id: socket.c,v 1.207.2.19.2.9 2004/03/17 05:25:21 marka Exp $ */
 
 #include <config.h>
 
@@ -42,7 +42,6 @@
 #include <isc/msgs.h>
 #include <isc/mutex.h>
 #include <isc/net.h>
-#include <isc/once.h>
 #include <isc/platform.h>
 #include <isc/print.h>
 #include <isc/region.h>
@@ -58,10 +57,6 @@
 #include "socket_p.h"
 #endif /* ISC_PLATFORM_USETHREADS */
 
-#if defined(SO_BSDCOMPAT) && defined(__linux__)
-#include <sys/utsname.h>
-#endif
-
 /*
  * Some systems define the socket length argument as an int, some as size_t,
  * some as socklen_t.  This is here so it can be easily changed if needed.
@@ -114,7 +109,7 @@ typedef isc_event_t intev_t;
  * to collect the destination address and interface so the client can
  * set them on outgoing packets.
  */
-#ifdef ISC_PLATFORM_HAVEIN6PKTINFO
+#ifdef ISC_PLATFORM_HAVEIPV6
 #ifndef USE_CMSG
 #define USE_CMSG	1
 #endif
@@ -285,7 +280,7 @@ socket_log(isc_socket_t *sock, isc_sockaddr_t *address,
 	   const char *fmt, ...)
 {
 	char msgbuf[2048];
-	char peerbuf[ISC_SOCKADDR_FORMATSIZE];
+	char peerbuf[256];
 	va_list ap;
 
 	if (! isc_log_wouldlog(isc_lctx, level))
@@ -323,7 +318,7 @@ wakeup_socket(isc_socketmgr_t *manager, int fd, int msg) {
 		manager->fdstate[fd] = CLOSED;
 		FD_CLR(fd, &manager->read_fds);
 		FD_CLR(fd, &manager->write_fds);
-		close(fd);
+		(void)close(fd);
 		return;
 	}
 	if (manager->fdstate[fd] != MANAGED)
@@ -368,7 +363,7 @@ select_poke(isc_socketmgr_t *mgr, int fd, int msg) {
 		}
 #endif
 	} while (cc < 0 && SOFT_ERROR(errno));
-
+			        
 	if (cc < 0) {
 		isc__strerror(errno, strbuf, sizeof(strbuf));
 		FATAL_ERROR(__FILE__, __LINE__,
@@ -394,7 +389,6 @@ select_readmsg(isc_socketmgr_t *mgr, int *fd, int *msg) {
 	cc = read(mgr->pipe_fds[0], buf, sizeof(buf));
 	if (cc < 0) {
 		*msg = SELECT_POKE_NOTHING;
-		*fd = -1;	/* Silence compiler. */
 		if (SOFT_ERROR(errno))
 			return;
 
@@ -435,25 +429,16 @@ make_nonblock(int fd) {
 	int ret;
 	int flags;
 	char strbuf[ISC_STRERRORSIZE];
-#ifdef USE_FIONBIO_IOCTL
-	int on = 1;
 
-	ret = ioctl(fd, FIONBIO, (char *)&on);
-#else
 	flags = fcntl(fd, F_GETFL, 0);
-	flags |= PORT_NONBLOCK;
+	flags |= O_NONBLOCK;
 	ret = fcntl(fd, F_SETFL, flags);
-#endif
 
 	if (ret == -1) {
 		isc__strerror(errno, strbuf, sizeof(strbuf));
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
-#ifdef USE_FIONBIO_IOCTL
-				 "ioctl(%d, FIONBIO, &on): %s", fd,
-#else
-				 "fcntl(%d, F_SETFL, %d): %s", fd, flags,
-#endif
-				 strbuf);
+				 "fcntl(%d, F_SETFL, %d): %s",
+				 fd, flags, strbuf);
 
 		return (ISC_R_UNEXPECTED);
 	}
@@ -476,11 +461,7 @@ cmsg_len(ISC_SOCKADDR_LEN_T len) {
 #else
 	ISC_SOCKADDR_LEN_T hdrlen;
 
-	/*
-	 * Cast NULL so that any pointer arithmetic performed by CMSG_DATA
-	 * is correct.
-	 */
-	hdrlen = (ISC_SOCKADDR_LEN_T)CMSG_DATA(((struct cmsghdr *)NULL));
+	hdrlen = (ISC_SOCKADDR_LEN_T)CMSG_DATA(NULL); /* XXX */
 	return (hdrlen + len);
 #endif
 }
@@ -521,7 +502,7 @@ static void
 process_cmsg(isc_socket_t *sock, struct msghdr *msg, isc_socketevent_t *dev) {
 #ifdef USE_CMSG
 	struct cmsghdr *cmsgp;
-#ifdef ISC_PLATFORM_HAVEIN6PKTINFO
+#ifdef ISC_PLATFORM_HAVEIPV6
 	struct in6_pktinfo *pktinfop;
 #endif
 #ifdef SO_TIMESTAMP
@@ -560,7 +541,7 @@ process_cmsg(isc_socket_t *sock, struct msghdr *msg, isc_socketevent_t *dev) {
 #ifdef SO_TIMESTAMP
 	timevalp = NULL;
 #endif
-#ifdef ISC_PLATFORM_HAVEIN6PKTINFO
+#ifdef ISC_PLATFORM_HAVEIPV6
 	pktinfop = NULL;
 #endif
 
@@ -570,7 +551,7 @@ process_cmsg(isc_socket_t *sock, struct msghdr *msg, isc_socketevent_t *dev) {
 			   isc_msgcat, ISC_MSGSET_SOCKET, ISC_MSG_PROCESSCMSG,
 			   "processing cmsg %p", cmsgp);
 
-#ifdef ISC_PLATFORM_HAVEIN6PKTINFO
+#ifdef ISC_PLATFORM_HAVEIPV6
 		if (cmsgp->cmsg_level == IPPROTO_IPV6
 		    && cmsgp->cmsg_type == IPV6_PKTINFO) {
 
@@ -695,7 +676,7 @@ build_msghdr_send(isc_socket_t *sock, isc_socketevent_t *dev,
 	msg->msg_control = NULL;
 	msg->msg_controllen = 0;
 	msg->msg_flags = 0;
-#if defined(USE_CMSG) && defined(ISC_PLATFORM_HAVEIN6PKTINFO)
+#if defined(USE_CMSG) && defined(ISC_PLATFORM_HAVEIPV6)
 	if ((sock->type == isc_sockettype_udp)
 	    && ((dev->attributes & ISC_SOCKEVENTATTR_PKTINFO) != 0)) {
 		struct cmsghdr *cmsgp;
@@ -752,26 +733,8 @@ build_msghdr_recv(isc_socket_t *sock, isc_socketevent_t *dev,
 
 	if (sock->type == isc_sockettype_udp) {
 		memset(&dev->address, 0, sizeof(dev->address));
-#ifdef BROKEN_RECVMSG
-		if (sock->pf == AF_INET) {
-			msg->msg_name = (void *)&dev->address.type.sin;
-			msg->msg_namelen = sizeof(dev->address.type.sin6);
-		} else if (sock->pf == AF_INET6) {
-			msg->msg_name = (void *)&dev->address.type.sin6;
-			msg->msg_namelen = sizeof(dev->address.type.sin6);
-#ifdef ISC_PLATFORM_HAVESYSUNH
-		} else if (sock->pf == AF_UNIX) {
-			msg->msg_name = (void *)&dev->address.type.sunix;
-			msg->msg_namelen = sizeof(dev->address.type.sunix);
-#endif
-		} else {
-			msg->msg_name = (void *)&dev->address.type.sa;
-			msg->msg_namelen = sizeof(dev->address.type);
-		}
-#else
 		msg->msg_name = (void *)&dev->address.type.sa;
 		msg->msg_namelen = sizeof(dev->address.type);
-#endif
 #ifdef ISC_NET_RECVOVERFLOW
 		/* If needed, steal one iovec for overflow detection. */
 		maxiov--;
@@ -908,7 +871,7 @@ dump_msg(struct msghdr *msg) {
 	printf("MSGHDR %p\n", msg);
 	printf("\tname %p, namelen %d\n", msg->msg_name, msg->msg_namelen);
 	printf("\tiov %p, iovlen %d\n", msg->msg_iov, msg->msg_iovlen);
-	for (i = 0 ; i < (unsigned int)msg->msg_iovlen ; i++)
+	for (i = 0; i < (unsigned int)msg->msg_iovlen; i++)
 		printf("\t\t%d\tbase %p, len %d\n", i,
 		       msg->msg_iov[i].iov_base,
 		       msg->msg_iov[i].iov_len);
@@ -944,10 +907,6 @@ doio_recv(isc_socket_t *sock, isc_socketevent_t *dev) {
 	cc = recvmsg(sock->fd, &msghdr, 0);
 	recv_errno = errno;
 
-#if defined(ISC_SOCKET_DEBUG)
-	dump_msg(&msghdr);
-#endif
-
 	if (cc < 0) {
 		if (SOFT_ERROR(recv_errno))
 			return (DOIO_SOFT);
@@ -1256,25 +1215,25 @@ allocate_socket(isc_socketmgr_t *manager, isc_sockettype_t type,
 	 * set up cmsg buffers
 	 */
 	cmsgbuflen = 0;
-#if defined(USE_CMSG) && defined(ISC_PLATFORM_HAVEIN6PKTINFO)
+#if defined(USE_CMSG) && defined(ISC_PLATFORM_HAVEIPV6)
 	cmsgbuflen = cmsg_space(sizeof(struct in6_pktinfo));
 #endif
 #if defined(USE_CMSG) && defined(SO_TIMESTAMP)
 	cmsgbuflen += cmsg_space(sizeof(struct timeval));
 #endif
 	sock->recvcmsgbuflen = cmsgbuflen;
-	if (sock->recvcmsgbuflen != 0U) {
+	if (sock->recvcmsgbuflen != 0) {
 		sock->recvcmsgbuf = isc_mem_get(manager->mctx, cmsgbuflen);
 		if (sock->recvcmsgbuf == NULL)
 			goto error;
 	}
 
 	cmsgbuflen = 0;
-#if defined(USE_CMSG) && defined(ISC_PLATFORM_HAVEIN6PKTINFO)
+#if defined(USE_CMSG) && defined(ISC_PLATFORM_HAVEIPV6)
 	cmsgbuflen = cmsg_space(sizeof(struct in6_pktinfo));
 #endif
 	sock->sendcmsgbuflen = cmsgbuflen;
-	if (sock->sendcmsgbuflen != 0U) {
+	if (sock->sendcmsgbuflen != 0) {
 		sock->sendcmsgbuf = isc_mem_get(manager->mctx, cmsgbuflen);
 		if (sock->sendcmsgbuf == NULL)
 			goto error;
@@ -1373,45 +1332,7 @@ free_socket(isc_socket_t **socketp) {
 	*socketp = NULL;
 }
 
-#ifdef SO_BSDCOMPAT
 /*
- * This really should not be necessary to do.  Having to workout
- * which kernel version we are on at run time so that we don't cause
- * the kernel to issue a warning about us using a deprecated socket option.
- * Such warnings should *never* be on by default in production kernels.
- *
- * We can't do this a build time because executables are moved between
- * machines and hence kernels.
- *
- * We can't just not set SO_BSDCOMAT because some kernels require it.
- */
-
-static isc_once_t         bsdcompat_once = ISC_ONCE_INIT;
-isc_boolean_t bsdcompat = ISC_TRUE;
-
-static void
-clear_bsdcompat(void) {
-#ifdef __linux__
-	 struct utsname buf;
-	 char *endp;
-	 long int major;
-	 long int minor;
-
-	 uname(&buf);    /* Can only fail if buf is bad in Linux. */
-
-	 /* Paranoia in parsing can be increased, but we trust uname(). */
-	 major = strtol(buf.release, &endp, 10);
-	 if (*endp == '.') {
-		minor = strtol(endp+1, &endp, 10);
-		if ((major > 2) || ((major == 2) && (minor >= 4))) {
-			bsdcompat = ISC_FALSE;
-		}
-	 }
-#endif /* __linux __ */
-}
-#endif
-
-/*%
  * Create a new 'type' socket managed by 'manager'.  Events
  * will be posted to 'task' and when dispatched 'action' will be
  * called with 'arg' as the arg value.  The new socket is returned
@@ -1427,8 +1348,6 @@ isc_socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type,
 	int on = 1;
 #endif
 	char strbuf[ISC_STRERRORSIZE];
-	const char *err = "socket";
-	int try = 0;
 
 	REQUIRE(VALID_MANAGER(manager));
 	REQUIRE(socketp != NULL && *socketp == NULL);
@@ -1438,7 +1357,6 @@ isc_socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type,
 		return (ret);
 
 	sock->pf = pf;
- again:
 	switch (type) {
 	case isc_sockettype_udp:
 		sock->fd = socket(pf, SOCK_DGRAM, IPPROTO_UDP);
@@ -1447,28 +1365,25 @@ isc_socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type,
 		sock->fd = socket(pf, SOCK_STREAM, IPPROTO_TCP);
 		break;
 	}
-	if (sock->fd == -1 && errno == EINTR && try++ < 42)
-		goto again;
 
 #ifdef F_DUPFD
-	/*
-	 * Leave a space for stdio to work in.
-	 */
-	if (sock->fd >= 0 && sock->fd < 20) {
-		int new, tmp;
-		new = fcntl(sock->fd, F_DUPFD, 20);
-		tmp = errno;
-		(void)close(sock->fd);
-		errno = tmp;
-		sock->fd = new;
-		err = "isc_socket_create: fcntl";
-	}
+        /*
+         * Leave a space for stdio to work in.
+         */
+        if (sock->fd >= 0 && sock->fd < 20) {
+                int new, tmp;
+                new = fcntl(sock->fd, F_DUPFD, 20);
+                tmp = errno;
+                (void)close(sock->fd);
+                errno = tmp;
+                sock->fd = new;
+        }
 #endif
 
 	if (sock->fd >= (int)FD_SETSIZE) {
 		(void)close(sock->fd);
 		isc_log_iwrite(isc_lctx, ISC_LOGCATEGORY_GENERAL,
-			       ISC_LOGMODULE_SOCKET, ISC_LOG_ERROR,
+			      ISC_LOGMODULE_SOCKET, ISC_LOG_ERROR,
 			       isc_msgcat, ISC_MSGSET_SOCKET,
 			       ISC_MSG_TOOMANYFDS,
 			       "%s: too many open file descriptors", "socket");
@@ -1498,7 +1413,7 @@ isc_socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type,
 		default:
 			isc__strerror(errno, strbuf, sizeof(strbuf));
 			UNEXPECTED_ERROR(__FILE__, __LINE__,
-					 "%s() %s: %s", err,
+					 "socket() %s: %s",
 					 isc_msgcat_get(isc_msgcat,
 							ISC_MSGSET_GENERAL,
 							ISC_MSG_FAILED,
@@ -1515,10 +1430,8 @@ isc_socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type,
 	}
 
 #ifdef SO_BSDCOMPAT
-	RUNTIME_CHECK(isc_once_do(&bsdcompat_once,
-				  clear_bsdcompat) == ISC_R_SUCCESS);
-	if (bsdcompat && setsockopt(sock->fd, SOL_SOCKET, SO_BSDCOMPAT,
-			            (void *)&on, sizeof(on)) < 0) {
+	if (setsockopt(sock->fd, SOL_SOCKET, SO_BSDCOMPAT,
+		       (void *)&on, sizeof(on)) < 0) {
 		isc__strerror(errno, strbuf, sizeof(strbuf));
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
 				 "setsockopt(%d, SO_BSDCOMPAT) %s: %s",
@@ -1551,7 +1464,7 @@ isc_socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type,
 #endif /* SO_TIMESTAMP */
 
 #if defined(ISC_PLATFORM_HAVEIPV6)
-		if (pf == AF_INET6 && sock->recvcmsgbuflen == 0U) {
+		if (pf == AF_INET6 && sock->recvcmsgbuflen == 0) {
 			/*
 			 * Warn explicitly because this anomaly can be hidden
 			 * in usual operation (and unexpectedly appear later).
@@ -1560,9 +1473,8 @@ isc_socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type,
 					 "No buffer available to receive "
 					 "IPv6 destination");
 		}
-#ifdef ISC_PLATFORM_HAVEIN6PKTINFO
 #ifdef IPV6_RECVPKTINFO
-		/* RFC 3542 */
+		/* 2292bis */
 		if ((pf == AF_INET6)
 		    && (setsockopt(sock->fd, IPPROTO_IPV6, IPV6_RECVPKTINFO,
 				   (void *)&on, sizeof(on)) < 0)) {
@@ -1577,7 +1489,7 @@ isc_socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type,
 					 strbuf);
 		}
 #else
-		/* RFC 2292 */
+		/* 2292 */
 		if ((pf == AF_INET6)
 		    && (setsockopt(sock->fd, IPPROTO_IPV6, IPV6_PKTINFO,
 				   (void *)&on, sizeof(on)) < 0)) {
@@ -1592,8 +1504,7 @@ isc_socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type,
 					 strbuf);
 		}
 #endif /* IPV6_RECVPKTINFO */
-#endif /* ISC_PLATFORM_HAVEIN6PKTINFO */
-#ifdef IPV6_USE_MIN_MTU        /* RFC 3542, not too common yet*/
+#ifdef IPV6_USE_MIN_MTU        /*2292bis, not too common yet*/
 		/* use minimum MTU */
 		if (pf == AF_INET6) {
 			(void)setsockopt(sock->fd, IPPROTO_IPV6,
@@ -1851,7 +1762,6 @@ internal_accept(isc_task_t *me, isc_event_t *ev) {
 	int fd;
 	isc_result_t result = ISC_R_SUCCESS;
 	char strbuf[ISC_STRERRORSIZE];
-	const char *err = "accept";
 
 	UNUSED(me);
 
@@ -1905,18 +1815,17 @@ internal_accept(isc_task_t *me, isc_event_t *ev) {
 		    (void *)&addrlen);
 
 #ifdef F_DUPFD
-	/*
-	 * Leave a space for stdio to work in.
-	 */
-	if (fd >= 0 && fd < 20) {
-		int new, tmp;
-		new = fcntl(fd, F_DUPFD, 20);
-		tmp = errno;
-		(void)close(fd);
-		errno = tmp;
-		fd = new;
-		err = "fcntl";
-	}
+        /*
+         * Leave a space for stdio to work in.
+         */
+        if (fd >= 0 && fd < 20) {
+                int new, tmp;
+                new = fcntl(fd, F_DUPFD, 20);
+                tmp = errno;
+                (void)close(fd);
+                errno = tmp;
+                fd = new;
+        }
 #endif
 
 	if (fd < 0) {
@@ -1945,7 +1854,7 @@ internal_accept(isc_task_t *me, isc_event_t *ev) {
 		}
 		isc__strerror(errno, strbuf, sizeof(strbuf));
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "internal_accept: %s() %s: %s", err,
+				 "internal_accept: accept() %s: %s",
 				 isc_msgcat_get(isc_msgcat,
 						ISC_MSGSET_GENERAL,
 						ISC_MSG_FAILED,
@@ -1954,7 +1863,7 @@ internal_accept(isc_task_t *me, isc_event_t *ev) {
 		fd = -1;
 		result = ISC_R_UNEXPECTED;
 	} else {
-		if (addrlen == 0U) {
+		if (addrlen == 0) {
 			UNEXPECTED_ERROR(__FILE__, __LINE__,
 					 "internal_accept(): "
 					 "accept() failed to return "
@@ -2005,7 +1914,7 @@ internal_accept(isc_task_t *me, isc_event_t *ev) {
 	UNLOCK(&sock->lock);
 
 	if (fd != -1 && (make_nonblock(fd) != ISC_R_SUCCESS)) {
-		close(fd);
+		(void)close(fd);
 		fd = -1;
 		result = ISC_R_UNEXPECTED;
 	}
@@ -2049,7 +1958,7 @@ internal_accept(isc_task_t *me, isc_event_t *ev) {
 	task = dev->ev_sender;
 	dev->ev_sender = sock;
 
-	isc_task_sendanddetach(&task, ISC_EVENT_PTR(&dev));
+	isc_task_sendanddetach(&task, (isc_event_t **) (void *)&dev);
 	return;
 
  soft_error:
@@ -2192,7 +2101,7 @@ process_fds(isc_socketmgr_t *manager, int maxfd,
 	 * Process read/writes on other fds here.  Avoid locking
 	 * and unlocking twice if both reads and writes are possible.
 	 */
-	for (i = 0 ; i < maxfd ; i++) {
+	for (i = 0; i < maxfd; i++) {
 #ifdef ISC_PLATFORM_USETHREADS
 		if (i == manager->pipe_fds[0] || i == manager->pipe_fds[1])
 			continue;
@@ -2203,7 +2112,7 @@ process_fds(isc_socketmgr_t *manager, int maxfd,
 			FD_CLR(i, &manager->read_fds);
 			FD_CLR(i, &manager->write_fds);
 
-			close(i);
+			(void)close(i);
 
 			continue;
 		}
@@ -2286,7 +2195,7 @@ watcher(void *uap) {
 			cc = select(maxfd, &readfds, &writefds, NULL, NULL);
 			if (cc < 0) {
 				if (!SOFT_ERROR(errno)) {
-					isc__strerror(errno, strbuf,
+				        isc__strerror(errno, strbuf,
 						      sizeof(strbuf));
 					FATAL_ERROR(__FILE__, __LINE__,
 						    "select() %s: %s",
@@ -2447,8 +2356,8 @@ isc_socketmgr_create(isc_mem_t *mctx, isc_socketmgr_t **managerp) {
 	 */
 	if (isc_thread_create(watcher, manager, &manager->watcher) !=
 	    ISC_R_SUCCESS) {
-		close(manager->pipe_fds[0]);
-		close(manager->pipe_fds[1]);
+		(void)close(manager->pipe_fds[0]);
+		(void)close(manager->pipe_fds[1]);
 		DESTROYLOCK(&manager->lock);
 		isc_mem_put(mctx, manager, sizeof(*manager));
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
@@ -2540,14 +2449,14 @@ isc_socketmgr_destroy(isc_socketmgr_t **managerp) {
 	 * Clean up.
 	 */
 #ifdef ISC_PLATFORM_USETHREADS
-	close(manager->pipe_fds[0]);
-	close(manager->pipe_fds[1]);
+	(void)close(manager->pipe_fds[0]);
+	(void)close(manager->pipe_fds[1]);
 	(void)isc_condition_destroy(&manager->shutdown_ok);
 #endif /* ISC_PLATFORM_USETHREADS */
 
-	for (i = 0 ; i < (int)FD_SETSIZE ; i++)
+	for (i = 0; i < (int)FD_SETSIZE; i++)
 		if (manager->fdstate[i] == CLOSE_PENDING)
-			close(i);
+			(void)close(i);
 
 	DESTROYLOCK(&manager->lock);
 	manager->magic = 0;
@@ -2749,18 +2658,22 @@ socket_send(isc_socket_t *sock, isc_socketevent_t *dev, isc_task_t *task,
 
 	set_dev_address(address, sock, dev);
 	if (pktinfo != NULL) {
-		socket_log(sock, NULL, TRACE, isc_msgcat, ISC_MSGSET_SOCKET,
-			   ISC_MSG_PKTINFOPROVIDED,
-			   "pktinfo structure provided, ifindex %u (set to 0)",
-			   pktinfo->ipi6_ifindex);
-
 		dev->attributes |= ISC_SOCKEVENTATTR_PKTINFO;
 		dev->pktinfo = *pktinfo;
-		/*
-		 * Set the pktinfo index to 0 here, to let the kernel decide
-		 * what interface it should send on.
-		 */
-		dev->pktinfo.ipi6_ifindex = 0;
+
+		if (!isc_sockaddr_issitelocal(address) &&
+		    !isc_sockaddr_islinklocal(address)) {
+			socket_log(sock, NULL, TRACE, isc_msgcat,
+				   ISC_MSGSET_SOCKET, ISC_MSG_PKTINFOPROVIDED,
+				   "pktinfo structure provided, ifindex %u "
+				   "(set to 0)", pktinfo->ipi6_ifindex);
+
+			/*
+			 * Set the pktinfo index to 0 here, to let the
+			 * kernel decide what interface it should send on.
+			 */
+			dev->pktinfo.ipi6_ifindex = 0;
+		}
 	}
 
 	if (sock->type == isc_sockettype_udp)
@@ -2942,11 +2855,7 @@ isc_socket_bind(isc_socket_t *sock, isc_sockaddr_t *sockaddr) {
 		UNLOCK(&sock->lock);
 		return (ISC_R_FAMILYMISMATCH);
 	}
-	/*
-	 * Only set SO_REUSEADDR when we want a specific port.
-	 */
-	if (isc_sockaddr_getport(sockaddr) != (in_port_t)0 &&
-	    setsockopt(sock->fd, SOL_SOCKET, SO_REUSEADDR, (void *)&on,
+	if (setsockopt(sock->fd, SOL_SOCKET, SO_REUSEADDR, (void *)&on,
 		       sizeof(on)) < 0) {
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
 				 "setsockopt(%d) %s", sock->fd,
@@ -2981,6 +2890,35 @@ isc_socket_bind(isc_socket_t *sock, isc_sockaddr_t *sockaddr) {
 	return (ISC_R_SUCCESS);
 }
 
+isc_result_t
+isc_socket_filter(isc_socket_t *sock, const char *filter) {
+#ifdef SO_ACCEPTFILTER
+	char strbuf[ISC_STRERRORSIZE];
+	struct accept_filter_arg afa;
+#else
+	UNUSED(sock);
+	UNUSED(filter);
+#endif
+
+	REQUIRE(VALID_SOCKET(sock));
+
+#ifdef SO_ACCEPTFILTER
+	bzero(&afa, sizeof(afa));
+	strncpy(afa.af_name, filter, sizeof(afa.af_name));
+	if (setsockopt(sock->fd, SOL_SOCKET, SO_ACCEPTFILTER,
+			 &afa, sizeof(afa)) == -1) {
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		socket_log(sock, NULL, CREATION, isc_msgcat, ISC_MSGSET_SOCKET,
+			   ISC_MSG_FILTER, "setsockopt(SO_ACCEPTFILTER): %s",
+			   strbuf);
+		return (ISC_R_FAILURE);
+	}
+	return (ISC_R_SUCCESS);
+#else
+	return (ISC_R_NOTIMPLEMENTED);
+#endif
+}
+
 /*
  * Set up to listen on a given socket.  We do this by creating an internal
  * event that will be dispatched when the socket has read activity.  The
@@ -3059,7 +2997,7 @@ isc_socket_accept(isc_socket_t *sock,
 
 	ret = allocate_socket(manager, sock->type, &nsock);
 	if (ret != ISC_R_SUCCESS) {
-		isc_event_free(ISC_EVENT_PTR(&dev));
+		isc_event_free((isc_event_t **) (void *)&dev);
 		UNLOCK(&sock->lock);
 		return (ret);
 	}
@@ -3150,7 +3088,6 @@ isc_socket_connect(isc_socket_t *sock, isc_sockaddr_t *addr,
 			ERROR_MATCH(ENOBUFS, ISC_R_NORESOURCES);
 			ERROR_MATCH(EPERM, ISC_R_HOSTUNREACH);
 			ERROR_MATCH(EPIPE, ISC_R_NOTCONNECTED);
-			ERROR_MATCH(ECONNRESET, ISC_R_CONNECTIONRESET);
 #undef ERROR_MATCH
 		}
 
@@ -3160,12 +3097,12 @@ isc_socket_connect(isc_socket_t *sock, isc_sockaddr_t *addr,
 		UNEXPECTED_ERROR(__FILE__, __LINE__, "%d/%s", errno, strbuf);
 
 		UNLOCK(&sock->lock);
-		isc_event_free(ISC_EVENT_PTR(&dev));
+		isc_event_free((isc_event_t **) (void *)&dev);
 		return (ISC_R_UNEXPECTED);
 
 	err_exit:
 		sock->connected = 0;
-		isc_task_send(task, ISC_EVENT_PTR(&dev));
+		isc_task_send(task, (isc_event_t **) (void *)&dev);
 
 		UNLOCK(&sock->lock);
 		return (ISC_R_SUCCESS);
@@ -3178,7 +3115,7 @@ isc_socket_connect(isc_socket_t *sock, isc_sockaddr_t *addr,
 		sock->connected = 1;
 		sock->bound = 1;
 		dev->result = ISC_R_SUCCESS;
-		isc_task_send(task, ISC_EVENT_PTR(&dev));
+		isc_task_send(task, (isc_event_t **) (void *)&dev);
 
 		UNLOCK(&sock->lock);
 		return (ISC_R_SUCCESS);
@@ -3220,7 +3157,6 @@ internal_connect(isc_task_t *me, isc_event_t *ev) {
 	int cc;
 	ISC_SOCKADDR_LEN_T optlen;
 	char strbuf[ISC_STRERRORSIZE];
-	char peerbuf[ISC_SOCKADDR_FORMATSIZE];
 
 	UNUSED(me);
 	INSIST(ev->ev_type == ISC_SOCKEVENT_INTW);
@@ -3297,16 +3233,13 @@ internal_connect(isc_task_t *me, isc_event_t *ev) {
 			ERROR_MATCH(EPERM, ISC_R_HOSTUNREACH);
 			ERROR_MATCH(EPIPE, ISC_R_NOTCONNECTED);
 			ERROR_MATCH(ETIMEDOUT, ISC_R_TIMEDOUT);
-			ERROR_MATCH(ECONNRESET, ISC_R_CONNECTIONRESET);
 #undef ERROR_MATCH
 		default:
 			dev->result = ISC_R_UNEXPECTED;
-			isc_sockaddr_format(&sock->address, peerbuf,
-					    sizeof(peerbuf));
 			isc__strerror(errno, strbuf, sizeof(strbuf));
 			UNEXPECTED_ERROR(__FILE__, __LINE__,
-					 "internal_connect: connect(%s) %s",
-					 peerbuf, strbuf);
+					 "internal_connect: connect() %s",
+					 strbuf);
 		}
 	} else {
 		dev->result = ISC_R_SUCCESS;
@@ -3320,7 +3253,7 @@ internal_connect(isc_task_t *me, isc_event_t *ev) {
 
 	task = dev->ev_sender;
 	dev->ev_sender = sock;
-	isc_task_sendanddetach(&task, ISC_EVENT_PTR(&dev));
+	isc_task_sendanddetach(&task, (isc_event_t **) (void *)&dev);
 }
 
 isc_result_t
@@ -3468,7 +3401,7 @@ isc_socket_cancel(isc_socket_t *sock, isc_task_t *task, unsigned int how) {
 				dev->result = ISC_R_CANCELED;
 				dev->ev_sender = sock;
 				isc_task_sendanddetach(&current_task,
-						       ISC_EVENT_PTR(&dev));
+					        (isc_event_t **) (void *)&dev);
 			}
 
 			dev = next;
@@ -3495,7 +3428,7 @@ isc_socket_cancel(isc_socket_t *sock, isc_task_t *task, unsigned int how) {
 			dev->result = ISC_R_CANCELED;
 			dev->ev_sender = sock;
 			isc_task_sendanddetach(&current_task,
-					       ISC_EVENT_PTR(&dev));
+					       (isc_event_t **) (void *)&dev);
 		}
 	}
 
@@ -3520,6 +3453,25 @@ isc_socket_isbound(isc_socket_t *sock) {
 	return (val);
 }
 
+void
+isc_socket_ipv6only(isc_socket_t *sock, isc_boolean_t yes) {
+#if defined(IPV6_V6ONLY)
+	int onoff = yes ? 1 : 0;
+#else
+	UNUSED(yes);
+	UNUSED(sock);
+#endif
+
+	REQUIRE(VALID_SOCKET(sock));
+
+#ifdef IPV6_V6ONLY
+	if (sock->pf == AF_INET6) {
+		(void)setsockopt(sock->fd, IPPROTO_IPV6, IPV6_V6ONLY,
+				 (void *)&onoff, sizeof(onoff));
+	}
+#endif
+}
+
 #ifndef ISC_PLATFORM_USETHREADS
 void
 isc__socketmgr_getfdsets(fd_set *readset, fd_set *writeset, int *maxfd) {
diff --git a/lib/isc/unix/socket_p.h b/lib/isc/unix/socket_p.h
index 94ff24b2..f430bf22 100644
--- a/lib/isc/unix/socket_p.h
+++ b/lib/isc/unix/socket_p.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: socket_p.h,v 1.6.2.1 2004/03/09 06:12:11 marka Exp $ */
+/* $Id: socket_p.h,v 1.6.206.1 2004/03/06 08:15:02 marka Exp $ */
 
 #ifndef ISC_SOCKET_P_H
 #define ISC_SOCKET_P_H
diff --git a/lib/isc/unix/stdio.c b/lib/isc/unix/stdio.c
index 95859a02..794164e7 100644
--- a/lib/isc/unix/stdio.c
+++ b/lib/isc/unix/stdio.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: stdio.c,v 1.5.2.1 2004/03/09 06:12:12 marka Exp $ */
+/* $Id: stdio.c,v 1.5.206.1 2004/03/06 08:15:02 marka Exp $ */
 
 #include <config.h>
 
diff --git a/lib/isc/unix/stdtime.c b/lib/isc/unix/stdtime.c
index b9806b3d..8946a605 100644
--- a/lib/isc/unix/stdtime.c
+++ b/lib/isc/unix/stdtime.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: stdtime.c,v 1.11.2.2 2004/03/09 06:12:12 marka Exp $ */
+/* $Id: stdtime.c,v 1.11.2.1.10.3 2004/03/08 09:04:57 marka Exp $ */
 
 #include <config.h>
 
@@ -55,7 +55,7 @@ fix_tv_usec(struct timeval *tv) {
 	 * Call syslog directly as we are called from the logging functions.
 	 */
 	if (fixed)
-		syslog(LOG_ERR, "gettimeofday returned bad tv_usec: corrected");
+		(void)syslog(LOG_ERR, "gettimeofday returned bad tv_usec: corrected");
 }
 #endif
 
diff --git a/lib/isc/unix/strerror.c b/lib/isc/unix/strerror.c
index ab694e33..863867e1 100644
--- a/lib/isc/unix/strerror.c
+++ b/lib/isc/unix/strerror.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: strerror.c,v 1.1.2.2 2004/03/09 06:12:12 marka Exp $ */
+/* $Id: strerror.c,v 1.1.2.1.10.3 2004/03/08 09:04:57 marka Exp $ */
 
 #include <config.h>
 
@@ -41,7 +41,7 @@ extern const char * const sys_errlist[];
 extern const int sys_nerr;
 #endif
 
-char *
+void
 isc__strerror(int num, char *buf, size_t size) {
 #ifdef HAVE_STRERROR
 	char *msg;
@@ -59,7 +59,6 @@ isc__strerror(int num, char *buf, size_t size) {
 	else
 		snprintf(buf, size, "Unknown error: %u", unum);
 	UNLOCK(&isc_strerror_lock);
-	return (buf);
 #else
 	unsigned int unum = num;
 
@@ -69,6 +68,5 @@ isc__strerror(int num, char *buf, size_t size) {
 		snprintf(buf, size, "%s", sys_errlist[num]);
 	else
 		snprintf(buf, size, "Unknown error: %u", unum);
-	return (buf);
 #endif
 }
diff --git a/lib/isc/unix/syslog.c b/lib/isc/unix/syslog.c
index b71e6186..e5315445 100644
--- a/lib/isc/unix/syslog.c
+++ b/lib/isc/unix/syslog.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: syslog.c,v 1.1.2.1 2004/03/09 06:12:12 marka Exp $ */
+/* $Id: syslog.c,v 1.1.12.3 2004/03/08 09:04:57 marka Exp $ */
 
 #include <config.h>
 
@@ -71,7 +71,7 @@ isc_syslog_facilityfromstring(const char *str, int *facilityp) {
 	REQUIRE(str != NULL);
 	REQUIRE(facilityp != NULL);
 
-	for (i = 0 ; facilities[i].strval != NULL ; i++) {
+	for (i = 0; facilities[i].strval != NULL; i++) {
 		if (strcasecmp(facilities[i].strval, str) == 0) {
 			*facilityp = facilities[i].val;
 			return (ISC_R_SUCCESS);
diff --git a/lib/isc/unix/time.c b/lib/isc/unix/time.c
index 41112a97..39c851ce 100644
--- a/lib/isc/unix/time.c
+++ b/lib/isc/unix/time.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: time.c,v 1.34.2.8 2004/03/09 06:12:12 marka Exp $ */
+/* $Id: time.c,v 1.34.2.6.2.4 2004/03/06 08:15:03 marka Exp $ */
 
 #include <config.h>
 
@@ -77,7 +77,7 @@ fix_tv_usec(struct timeval *tv) {
 	 * Call syslog directly as was are called from the logging functions.
 	 */
 	if (fixed)
-		syslog(LOG_ERR, "gettimeofday returned bad tv_usec: corrected");
+		(void)syslog(LOG_ERR, "gettimeofday returned bad tv_usec: corrected");
 }
 #endif
 
@@ -93,7 +93,7 @@ isc_interval_set(isc_interval_t *i,
 }
 
 isc_boolean_t
-isc_interval_iszero(isc_interval_t *i) {
+isc_interval_iszero(const isc_interval_t *i) {
 	REQUIRE(i != NULL);
 	INSIST(i->nanoseconds < NS_PER_S);
 
@@ -129,7 +129,7 @@ isc_time_settoepoch(isc_time_t *t) {
 }
 
 isc_boolean_t
-isc_time_isepoch(isc_time_t *t) {
+isc_time_isepoch(const isc_time_t *t) {
 	REQUIRE(t != NULL);
 	INSIST(t->nanoseconds < NS_PER_S);
 
@@ -183,7 +183,7 @@ isc_time_now(isc_time_t *t) {
 }
 
 isc_result_t
-isc_time_nowplusinterval(isc_time_t *t, isc_interval_t *i) {
+isc_time_nowplusinterval(isc_time_t *t, const isc_interval_t *i) {
 	struct timeval tv;
 	char strbuf[ISC_STRERRORSIZE];
 
@@ -234,7 +234,7 @@ isc_time_nowplusinterval(isc_time_t *t, isc_interval_t *i) {
 }
 
 int
-isc_time_compare(isc_time_t *t1, isc_time_t *t2) {
+isc_time_compare(const isc_time_t *t1, const isc_time_t *t2) {
 	REQUIRE(t1 != NULL && t2 != NULL);
 	INSIST(t1->nanoseconds < NS_PER_S && t2->nanoseconds < NS_PER_S);
 
@@ -250,7 +250,8 @@ isc_time_compare(isc_time_t *t1, isc_time_t *t2) {
 }
 
 isc_result_t
-isc_time_add(isc_time_t *t, isc_interval_t *i, isc_time_t *result) {
+isc_time_add(const isc_time_t *t, const isc_interval_t *i, isc_time_t *result)
+{
 	REQUIRE(t != NULL && i != NULL && result != NULL);
 	INSIST(t->nanoseconds < NS_PER_S && i->nanoseconds < NS_PER_S);
 
@@ -275,7 +276,9 @@ isc_time_add(isc_time_t *t, isc_interval_t *i, isc_time_t *result) {
 }
 
 isc_result_t
-isc_time_subtract(isc_time_t *t, isc_interval_t *i, isc_time_t *result) {
+isc_time_subtract(const isc_time_t *t, const isc_interval_t *i,
+		  isc_time_t *result)
+{
 	REQUIRE(t != NULL && i != NULL && result != NULL);
 	INSIST(t->nanoseconds < NS_PER_S && i->nanoseconds < NS_PER_S);
 
@@ -297,7 +300,7 @@ isc_time_subtract(isc_time_t *t, isc_interval_t *i, isc_time_t *result) {
 }
 
 isc_uint64_t
-isc_time_microdiff(isc_time_t *t1, isc_time_t *t2) {
+isc_time_microdiff(const isc_time_t *t1, const isc_time_t *t2) {
 	isc_uint64_t i1, i2, i3;
 
 	REQUIRE(t1 != NULL && t2 != NULL);
@@ -320,7 +323,7 @@ isc_time_microdiff(isc_time_t *t1, isc_time_t *t2) {
 }
 
 isc_uint32_t
-isc_time_seconds(isc_time_t *t) {
+isc_time_seconds(const isc_time_t *t) {
 	REQUIRE(t != NULL);
 	INSIST(t->nanoseconds < NS_PER_S);
 
@@ -328,7 +331,7 @@ isc_time_seconds(isc_time_t *t) {
 }
 
 isc_result_t
-isc_time_secondsastimet(isc_time_t *t, time_t *secondsp) {
+isc_time_secondsastimet(const isc_time_t *t, time_t *secondsp) {
 	isc_uint64_t i;
 	time_t seconds;
 
@@ -383,7 +386,7 @@ isc_time_secondsastimet(isc_time_t *t, time_t *secondsp) {
 }
 
 isc_uint32_t
-isc_time_nanoseconds(isc_time_t *t) {
+isc_time_nanoseconds(const isc_time_t *t) {
 	REQUIRE(t != NULL);
 
 	ENSURE(t->nanoseconds < NS_PER_S);
@@ -399,11 +402,11 @@ isc_time_formattimestamp(const isc_time_t *t, char *buf, unsigned int len) {
 	REQUIRE(len > 0);
 
 	now = (time_t) t->seconds;
-	flen = strftime(buf, len, "%b %d %X", localtime(&now));
+	flen = strftime(buf, len, "%d-%b-%Y %X", localtime(&now));
 	INSIST(flen < len);
 	if (flen != 0)
 		snprintf(buf + flen, len - flen,
 			 ".%03u", t->nanoseconds / 1000000);
 	else
-                snprintf(buf, len, "Bad 00 99:99:99.999");
+                snprintf(buf, len, "99-Bad-9999 99:99:99.999");
 }
diff --git a/lib/isc/version.c b/lib/isc/version.c
index 72bc06dd..d0f270d4 100644
--- a/lib/isc/version.c
+++ b/lib/isc/version.c
@@ -15,10 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: version.c,v 1.9.2.1 2004/03/09 06:11:53 marka Exp $ */
+/* $Id: version.c,v 1.9.12.3 2004/03/08 09:04:51 marka Exp $ */
 
-char isc_version[] = VERSION;
+#include <isc/version.h>
 
-unsigned int isc_libinterface = LIBINTERFACE;
-unsigned int isc_librevision = LIBREVISION;
-unsigned int isc_libage = LIBAGE;
+const char isc_version[] = VERSION;
+
+const unsigned int isc_libinterface = LIBINTERFACE;
+const unsigned int isc_librevision = LIBREVISION;
+const unsigned int isc_libage = LIBAGE;
diff --git a/lib/isc/win32/DLLMain.c b/lib/isc/win32/DLLMain.c
index 3baeb21b..8f87b3d3 100644
--- a/lib/isc/win32/DLLMain.c
+++ b/lib/isc/win32/DLLMain.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: DLLMain.c,v 1.3.2.4 2007/06/18 23:45:27 tbox Exp $ */
+/* $Id: DLLMain.c,v 1.3.2.1.10.1 2004/03/06 08:15:06 marka Exp $ */
 
 #include <windows.h>
 #include <stdio.h>
 
+BOOL InitSockets(void);
+ 
 /*
  * Called when we enter the DLL
  */
@@ -33,6 +35,8 @@ __declspec(dllexport) BOOL WINAPI DllMain(HINSTANCE hinstDLL,
 	 * initialization or a call to LoadLibrary. 
 	 */
 	case DLL_PROCESS_ATTACH: 
+		if (!InitSockets())
+			return (FALSE);
 		break; 
  
 	/* The attached process creates a new thread.  */
diff --git a/lib/isc/win32/Makefile.in b/lib/isc/win32/Makefile.in
index a8837fe4..fb6827c7 100644
--- a/lib/isc/win32/Makefile.in
+++ b/lib/isc/win32/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.8.2.1 2004/03/09 06:12:16 marka Exp $
+# $Id: Makefile.in,v 1.8.206.1 2004/03/06 08:15:06 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/isc/win32/app.c b/lib/isc/win32/app.c
index a02467af..07c9e038 100644
--- a/lib/isc/win32/app.c
+++ b/lib/isc/win32/app.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: app.c,v 1.3.2.1 2004/03/09 06:12:16 marka Exp $ */
+/* $Id: app.c,v 1.3.12.3 2004/03/08 09:04:58 marka Exp $ */
 
 #include <config.h>
 
@@ -118,7 +118,7 @@ isc_app_onrun(isc_mem_t *mctx, isc_task_t *task, isc_taskaction_t action,
 	 */
 	isc_task_attach(task, &cloned_task);
 	event = isc_event_allocate(mctx, cloned_task, ISC_APPEVENT_SHUTDOWN,
-				   action, arg, sizeof *event);
+				   action, arg, sizeof(*event));
 	if (event == NULL) {
 		result = ISC_R_NOMEMORY;
 		goto unlock;
diff --git a/lib/isc/win32/condition.c b/lib/isc/win32/condition.c
index c73242f0..b24fbade 100644
--- a/lib/isc/win32/condition.c
+++ b/lib/isc/win32/condition.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,14 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: condition.c,v 1.17.2.5 2007/05/10 23:45:26 tbox Exp $ */
+/* $Id: condition.c,v 1.17.206.1 2004/03/06 08:15:06 marka Exp $ */
 
 #include <config.h>
 
 #include <isc/condition.h>
 #include <isc/assertions.h>
 #include <isc/util.h>
-#include <isc/thread.h>
 #include <isc/time.h>
 
 #define LSIGNAL		0
@@ -35,92 +34,23 @@ isc_condition_init(isc_condition_t *cond) {
 	REQUIRE(cond != NULL);
 
 	cond->waiters = 0;
-	/*
-	 * This handle is shared across all threads
-	 */
 	h = CreateEvent(NULL, FALSE, FALSE, NULL);
 	if (h == NULL) {
 		/* XXX */
 		return (ISC_R_UNEXPECTED);
 	}
 	cond->events[LSIGNAL] = h;
-
-	/*
-	 * The threadlist will hold the actual events needed
-	 * for the wait condition
-	 */
-	ISC_LIST_INIT(cond->threadlist);
-
-	return (ISC_R_SUCCESS);
-}
-
-/*
- * Add the thread to the threadlist along with the required events
- */
-static isc_result_t
-register_thread(unsigned long thrd, isc_condition_t *gblcond,
-		isc_condition_thread_t **localcond)
-{
-	HANDLE hc;
-	isc_condition_thread_t *newthread;
-
-	REQUIRE(localcond != NULL && *localcond == NULL);
-
-	newthread = malloc(sizeof(isc_condition_thread_t));
-	if (newthread == NULL)
-		return (ISC_R_NOMEMORY);
-
-	/*
-	 * Create the thread-specific handle
-	 */
-	hc = CreateEvent(NULL, FALSE, FALSE, NULL);
-	if (hc == NULL) {
-		free(newthread);
+	h = CreateEvent(NULL, TRUE, FALSE, NULL);
+	if (h == NULL) {
+		(void)CloseHandle(cond->events[LSIGNAL]);
+		/* XXX */
 		return (ISC_R_UNEXPECTED);
 	}
+	cond->events[LBROADCAST] = h;
 
-	/*
-	 * Add the thread ID and handles to list of threads for broadcast
-	 */
-	newthread->handle[LSIGNAL] = gblcond->events[LSIGNAL];
-	newthread->handle[LBROADCAST] = hc;
-	newthread->th = thrd;
-
-	/*
-	 * The thread is holding the manager lock so this is safe
-	 */
-	ISC_LIST_APPEND(gblcond->threadlist, newthread, link);
-	*localcond = newthread;
 	return (ISC_R_SUCCESS);
 }
 
-static isc_result_t
-find_thread_condition(unsigned long thrd, isc_condition_t *cond,
-		      isc_condition_thread_t **threadcondp)
-{
-	isc_condition_thread_t *threadcond;
-
-	REQUIRE(threadcondp != NULL && *threadcondp == NULL);
-
-	/*
-	 * Look for the thread ID.
-	 */
-	for (threadcond = ISC_LIST_HEAD(cond->threadlist);
-	     threadcond != NULL;
-	     threadcond = ISC_LIST_NEXT(threadcond, link)) {
-
-		if (threadcond->th == thrd) {
-			*threadcondp = threadcond;
-			return (ISC_R_SUCCESS);
-		}
-	}
-
-	/*
-	 * Not found, so add it.
-	 */
-	return (register_thread(thrd, cond, threadcondp));
-}
-
 isc_result_t
 isc_condition_signal(isc_condition_t *cond) {
 
@@ -130,7 +60,8 @@ isc_condition_signal(isc_condition_t *cond) {
 	 */
 	REQUIRE(cond != NULL);
 
-	if (!SetEvent(cond->events[LSIGNAL])) {
+	if (cond->waiters > 0 &&
+	    !SetEvent(cond->events[LSIGNAL])) {
 		/* XXX */
 		return (ISC_R_UNEXPECTED);
 	}
@@ -141,28 +72,17 @@ isc_condition_signal(isc_condition_t *cond) {
 isc_result_t
 isc_condition_broadcast(isc_condition_t *cond) {
 
-	isc_condition_thread_t *threadcond;
-	isc_boolean_t failed = ISC_FALSE;
-
 	/*
 	 * Unlike pthreads, the caller MUST hold the lock associated with
 	 * the condition variable when calling us.
 	 */
 	REQUIRE(cond != NULL);
 
-	/*
-	 * Notify every thread registered for this
-	 */
-	for (threadcond = ISC_LIST_HEAD(cond->threadlist);
-	     threadcond != NULL;
-	     threadcond = ISC_LIST_NEXT(threadcond, link)) {
-
-		if (!SetEvent(threadcond->handle[LBROADCAST]))
-			failed = ISC_TRUE;
-	}
-
-	if (failed)
+	if (cond->waiters > 0 &&
+	    !SetEvent(cond->events[LBROADCAST])) {
+		/* XXX */
 		return (ISC_R_UNEXPECTED);
+	}
 
 	return (ISC_R_SUCCESS);
 }
@@ -170,61 +90,34 @@ isc_condition_broadcast(isc_condition_t *cond) {
 isc_result_t
 isc_condition_destroy(isc_condition_t *cond) {
 
-	isc_condition_thread_t *next, *threadcond;
-
 	REQUIRE(cond != NULL);
-	REQUIRE(cond->waiters == 0);
 
 	(void)CloseHandle(cond->events[LSIGNAL]);
-
-	/*
-	 * Delete the threadlist
-	 */
-	threadcond = ISC_LIST_HEAD(cond->threadlist);
-
-	while (threadcond != NULL) {
-		next = ISC_LIST_NEXT(threadcond, link);
-		DEQUEUE(cond->threadlist, threadcond, link);
-		(void) CloseHandle(threadcond->handle[LBROADCAST]);
-		free(threadcond);
-		threadcond = next;
-	}
+	(void)CloseHandle(cond->events[LBROADCAST]);
 
 	return (ISC_R_SUCCESS);
 }
 
-/*
- * This is always called when the mutex (lock) is held, but because
- * we are waiting we need to release it and reacquire it as soon as the wait
- * is over. This allows other threads to make use of the object guarded
- * by the mutex but it should never try to delete it as long as the
- * number of waiters > 0. Always reacquire the mutex regardless of the
- * result of the wait. Note that EnterCriticalSection will wait to acquire
- * the mutex.
- */
 static isc_result_t
 wait(isc_condition_t *cond, isc_mutex_t *mutex, DWORD milliseconds) {
 	DWORD result;
-	isc_result_t tresult;
-	isc_condition_thread_t *threadcond = NULL;
-
-	/*
-	 * Get the thread events needed for the wait
-	 */
-	tresult = find_thread_condition(isc_thread_self(), cond, &threadcond);
-	if (tresult !=  ISC_R_SUCCESS)
-		return (tresult);
 
 	cond->waiters++;
 	LeaveCriticalSection(mutex);
-	result = WaitForMultipleObjects(2, threadcond->handle, FALSE,
-					milliseconds);
+	result = WaitForMultipleObjects(2, cond->events, FALSE, milliseconds);
+	if (result == WAIT_FAILED) {
+		/* XXX */
+		return (ISC_R_UNEXPECTED);
+	}
 	EnterCriticalSection(mutex);
 	cond->waiters--;
-	if (result == WAIT_FAILED) {
+	if (cond->waiters == 0 &&
+	    !ResetEvent(cond->events[LBROADCAST])) {
 		/* XXX */
+		LeaveCriticalSection(mutex);
 		return (ISC_R_UNEXPECTED);
 	}
+
 	if (result == WAIT_TIMEOUT)
 		return (ISC_R_TIMEDOUT);
 
diff --git a/lib/isc/win32/dir.c b/lib/isc/win32/dir.c
index 7e331137..2953a0bb 100644
--- a/lib/isc/win32/dir.c
+++ b/lib/isc/win32/dir.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dir.c,v 1.10.2.1 2004/03/09 06:12:17 marka Exp $ */
+/* $Id: dir.c,v 1.10.12.3 2004/03/08 09:04:58 marka Exp $ */
 
 /* Principal Authors: DCL */
 
@@ -246,34 +246,6 @@ isc_dir_chroot(const char *dirname) {
 }
 
 isc_result_t
-isc_dir_current(char *dirname, size_t length, isc_boolean_t end_sep) {
-	char *cwd;
-	isc_result_t result = ISC_R_SUCCESS;
-
-	/*
-	 * XXXDCL Could automatically allocate memory if dirname == NULL.
-	 */
-	REQUIRE(dirname != NULL);
-	REQUIRE(length > 0);
-
-	cwd = getcwd(dirname, length);
-
-	if (cwd == NULL) {
-		if (errno == ERANGE)
-			result = ISC_R_NOSPACE;
-		else
-			result = isc__errno2result(errno);
-	} else if (end_sep) {
-		if (strlen(dirname) + 1 == length)
-			result = ISC_R_NOSPACE;
-		else if (dirname[1] != '\0')
-			strcat(dirname, "/");
-	}
-
-	return (result);
-}
-
-isc_result_t
 isc_dir_createunique(char *templet) {
 	isc_result_t result;
 	char *x;
diff --git a/lib/isc/win32/entropy.c b/lib/isc/win32/entropy.c
index d35ba3b1..00c838c1 100644
--- a/lib/isc/win32/entropy.c
+++ b/lib/isc/win32/entropy.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) 2000-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: entropy.c,v 1.3.2.1 2004/03/09 06:12:17 marka Exp $ */
+/* $Id: entropy.c,v 1.3.12.4 2004/03/08 09:04:58 marka Exp $ */
 
 /*
  * This is the system depenedent part of the ISC entropy API.
@@ -39,6 +39,10 @@
  */
 #define FILESOURCE_HANDLE_TYPE	HCRYPTPROV
 
+typedef struct {
+	int dummy;
+} isc_entropyusocketsource_t;
+
 #include "../entropy.c"
 
 static unsigned int
@@ -157,7 +161,7 @@ fillpool(isc_entropy_t *ent, unsigned int desired, isc_boolean_t blocking) {
 	 */
 	firstsource = source;
  again_file:
-	for (nsource = 0 ; nsource < ent->nsources ; nsource++) {
+	for (nsource = 0; nsource < ent->nsources; nsource++) {
 		unsigned int got;
 
 		if (remaining == 0)
@@ -227,6 +231,11 @@ destroyfilesource(isc_entropyfilesource_t *source) {
 	CryptReleaseContext(source->handle, 0);
 }
 
+static void
+destroyusocketsource(isc_entropyusocketsource_t *source) {
+	UNUSED(source);
+}
+
 
 isc_result_t
 isc_entropy_createfilesource(isc_entropy_t *ent, const char *fname) {
diff --git a/lib/isc/win32/errno2result.c b/lib/isc/win32/errno2result.c
index b2487b40..2209e997 100644
--- a/lib/isc/win32/errno2result.c
+++ b/lib/isc/win32/errno2result.c
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003  Internet Software Consortium.
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: errno2result.c,v 1.4.2.9 2005/09/01 03:15:40 marka Exp $ */
+/* $Id: errno2result.c,v 1.4.2.5.2.3 2004/03/08 09:04:59 marka Exp $ */
 
 #include <config.h>
 
@@ -32,19 +32,23 @@
  * not already there.
  */
 isc_result_t
-isc__errno2resultx(int posixerrno, const char *file, int line) {
+isc__errno2result(int posixerrno) {
 	char strbuf[ISC_STRERRORSIZE];
 
 	switch (posixerrno) {
 	case ENOTDIR:
 	case WSAELOOP:
+	case WSAEINVAL:
 	case EINVAL:		/* XXX sometimes this is not for files */
 	case ENAMETOOLONG:
+	case WSAENAMETOOLONG:
 	case EBADF:
+	case WSAEBADF:
 		return (ISC_R_INVALIDFILE);
 	case ENOENT:
 		return (ISC_R_FILENOTFOUND);
 	case EACCES:
+	case WSAEACCES:
 	case EPERM:
 		return (ISC_R_NOPERM);
 	case EEXIST:
@@ -55,29 +59,14 @@ isc__errno2resultx(int posixerrno, const char *file, int line) {
 		return (ISC_R_NOMEMORY);
 	case ENFILE:
 	case EMFILE:
+	case WSAEMFILE:
 		return (ISC_R_TOOMANYOPENFILES);
-	case ERROR_OPERATION_ABORTED:
-		return (ISC_R_CONNECTIONRESET);
-	case ERROR_PORT_UNREACHABLE:
-		return (ISC_R_HOSTUNREACH);
-	case ERROR_HOST_UNREACHABLE:
-		return (ISC_R_HOSTUNREACH);
-	case ERROR_NETWORK_UNREACHABLE:
-		return (ISC_R_NETUNREACH);
-	case WSAEADDRNOTAVAIL:
-		return (ISC_R_ADDRNOTAVAIL);
-	case WSAEHOSTUNREACH:
-		return (ISC_R_HOSTUNREACH);
-	case WSAEHOSTDOWN:
-		return (ISC_R_HOSTUNREACH);
-	case WSAENETUNREACH:
-		return (ISC_R_NETUNREACH);
-	case WSAENOBUFS:
-		return (ISC_R_NORESOURCES);
 	default:
 		isc__strerror(posixerrno, strbuf, sizeof(strbuf));
-		UNEXPECTED_ERROR(file, line, "unable to convert errno "
-				 "to isc_result: %d: %s", posixerrno, strbuf);
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "unable to convert errno "
+				 "to isc_result: %d: %s",
+				 posixerrno, strbuf);
 		/*
 		 * XXXDCL would be nice if perhaps this function could
 		 * return the system's error string, so the caller
@@ -87,3 +76,4 @@ isc__errno2resultx(int posixerrno, const char *file, int line) {
 		return (ISC_R_UNEXPECTED);
 	}
 }
+
diff --git a/lib/isc/win32/errno2result.h b/lib/isc/win32/errno2result.h
index fbd5778c..961ee40c 100644
--- a/lib/isc/win32/errno2result.h
+++ b/lib/isc/win32/errno2result.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: errno2result.h,v 1.4.2.3 2005/06/09 23:53:30 marka Exp $ */
+/* $Id: errno2result.h,v 1.4.12.3 2004/03/08 09:04:59 marka Exp $ */
 
 #ifndef UNIX_ERRNO2RESULT_H
 #define UNIX_ERRNO2RESULT_H 1
@@ -29,20 +29,8 @@
 
 ISC_LANG_BEGINDECLS
 
-#define isc__errno2result(posixerrno) \
-	isc__errno2resultx(posixerrno, __FILE__, __LINE__)
-
 isc_result_t
-isc__errno2resultx(int posixerrno, const char *file, int line);
-
-char *
-isc_FormatError(int error);
-
-char *
-GetWSAErrorMessage(int errval);
-
-char *  __cdecl
-NTstrerror(int err);
+isc__errno2result(int posixerrno);
 
 ISC_LANG_ENDDECLS
 
diff --git a/lib/isc/win32/file.c b/lib/isc/win32/file.c
index 7325b252..8eea75ba 100644
--- a/lib/isc/win32/file.c
+++ b/lib/isc/win32/file.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: file.c,v 1.20.2.5 2004/03/09 06:12:17 marka Exp $ */
+/* $Id: file.c,v 1.20.2.4.8.3 2004/03/08 09:04:59 marka Exp $ */
 
 #include <config.h>
 
@@ -183,9 +183,8 @@ isc_file_safemovefile(const char *oldname, const char *newname) {
 		 */
 		if (exists == TRUE) {
 			filestatus = MoveFile(buf, newname);
-			if (filestatus == 0) {
+			if (filestatus == 0)
 				errno = EACCES;
-			}
 		}
 		return (-1);
 	}
@@ -488,3 +487,21 @@ isc_file_absolutepath(const char *filename, char *path, size_t pathlen) {
 		return (ISC_R_NOSPACE);
 	return (ISC_R_SUCCESS);
 }
+
+isc_result_t
+isc_file_truncate(const char *filename, isc_offset_t size) {
+	int fh;
+
+	REQUIRE(filename != NULL && size >= 0);
+
+	if ((fh = open(filename, _O_RDWR | _O_BINARY)) < 0)
+		return (isc__errno2result(errno));
+
+	if(_chsize(fh, size) != 0) {
+		close(fh);
+		return (isc__errno2result(errno));
+	}
+	close(fh);
+
+	return (ISC_R_SUCCESS);
+}
diff --git a/lib/isc/win32/fsaccess.c b/lib/isc/win32/fsaccess.c
index 44ec4f11..cb7434fb 100644
--- a/lib/isc/win32/fsaccess.c
+++ b/lib/isc/win32/fsaccess.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) 2000-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: fsaccess.c,v 1.9.2.1 2004/03/09 06:12:18 marka Exp $ */
+/* $Id: fsaccess.c,v 1.9.12.3 2004/03/08 09:04:59 marka Exp $ */
 
 /*
  * Note that Win32 does not have the concept of files having access
@@ -29,11 +29,14 @@
 
 #include <config.h>
 
+#include <aclapi.h>
+
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <io.h>
 #include <errno.h>
 
+#include <isc/file.h>
 #include <isc/stat.h>
 
 #include "errno2result.h"
@@ -43,25 +46,74 @@
  */
 #include "../fsaccess.c"
 
-isc_result_t
-isc_fsaccess_set(const char *path, isc_fsaccess_t access) {
-	struct stat statb;
-	int mode;
-	isc_boolean_t is_dir = ISC_FALSE;
-	isc_fsaccess_t bits;
-	isc_result_t result;
+/* Store the user account name locally */
+static char username[255] = "\0";
+static DWORD namelen = 0;
 
-	if (stat(path, &statb) != 0)
-		return (isc__errno2result(errno));
+/*
+ * In order to set or retrieve access information, we need to obtain
+ * the File System type.  These could be UNC-type shares.
+ */
 
-	if ((statb.st_mode & S_IFDIR) != 0)
-		is_dir = ISC_TRUE;
-	else if ((statb.st_mode & S_IFREG) == 0)
-		return (ISC_R_INVALIDFILE);
+BOOL
+is_ntfs(const char * file) {
 
-	result = check_bad_bits(access, is_dir);
-	if (result != ISC_R_SUCCESS)
-		return (result);
+	char drive[255];
+	char FSType[20];
+	char tmpbuf[256];
+	char *machinename;
+	char *sharename;
+	char filename[1024];
+
+	REQUIRE(filename != NULL);
+
+	if (isc_file_absolutepath(file, filename,
+		sizeof(filename)) != ISC_R_SUCCESS) {
+		return (FALSE);
+	}
+
+	/*
+	 * Look for c:\path\... style, c:/path/... or \\computer\shar\path...
+	 * the UNC style file specs
+	 */
+	if (isalpha(filename[0]) && filename[1] == ':' && 
+		(filename[2] == '\\' || filename[2] == '/')) {
+		strncpy(drive, filename, 3);
+		drive[3] = '\0';
+	}
+
+	else if ((filename[0] == '\\') && (filename[1] == '\\')) {
+		/* Find the machine and share name and rebuild the UNC */
+		strcpy(tmpbuf, filename);
+		machinename = strtok(tmpbuf, "\\");
+		sharename = strtok(NULL, "\\");
+		strcpy(drive, "\\\\");
+		strcat(drive, machinename);
+		strcat(drive, "\\");
+		strcat(drive, sharename);
+		strcat(drive, "\\");
+
+	}
+	else /* Not determinable */
+		return (FALSE);
+		
+	GetVolumeInformation(drive, NULL, 0, NULL, 0, NULL, FSType,
+			     sizeof(FSType));
+	if(strcmp(FSType,"NTFS") == 0)
+		return (TRUE);
+	else
+		return (FALSE);
+}
+
+/*
+ * If it's not NTFS, we assume that it is FAT and proceed
+ * with almost nothing to do. Only the write flag can be set or
+ * cleared.
+ */
+isc_result_t
+FAT_fsaccess_set(const char *path, isc_fsaccess_t access) {
+	int mode;
+	isc_fsaccess_t bits;
 
 	/*
 	 * Done with checking bad bits.  Set mode_t.
@@ -90,20 +142,234 @@ isc_fsaccess_set(const char *path, isc_fsaccess_t access) {
 
 	SET_AND_CLEAR(S_IWUSR, S_IWGRP, S_IWOTH);
 
-#ifdef notyet
+	INSIST(access == 0);
+
+	if (_chmod(path, mode) < 0)
+		return (isc__errno2result(errno));
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+NTFS_Access_Control(const char *filename, const char *user, int access,
+		    isc_boolean_t isdir) {
+	SECURITY_DESCRIPTOR sd;
+	BYTE aclBuffer[1024];
+	PACL pacl=(PACL)&aclBuffer;
+	BYTE sidBuffer[100];
+	PSID psid=(PSID) &sidBuffer;
+	DWORD sidBufferSize = sizeof(sidBuffer);
+	BYTE adminSidBuffer[100];
+	PSID padminsid=(PSID) &adminSidBuffer;
+	DWORD adminSidBufferSize = sizeof(adminSidBuffer);
+	BYTE otherSidBuffer[100];
+	PSID pothersid=(PSID) &otherSidBuffer;
+	DWORD otherSidBufferSize = sizeof(otherSidBuffer);
+	char domainBuffer[100];
+	DWORD domainBufferSize = sizeof(domainBuffer);
+	SID_NAME_USE snu;
+	int errval;
+	DWORD NTFSbits;
+	int caccess;
+
+
+	/* Initialize an ACL */
+	if (!InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION))
+		return (ISC_R_NOPERM);
+	if (!InitializeAcl(pacl, sizeof(aclBuffer), ACL_REVISION))
+		return (ISC_R_NOPERM);
+	if (!LookupAccountName(0, user, psid, &sidBufferSize, domainBuffer,
+			  &domainBufferSize, &snu))
+		return (ISC_R_NOPERM);
+	domainBufferSize = sizeof(domainBuffer);
+	if (!LookupAccountName(0, "Administrators", padminsid,
+		&adminSidBufferSize, domainBuffer, &domainBufferSize, &snu)) {
+		errval = GetLastError();
+		return (ISC_R_NOPERM);
+	}
+	domainBufferSize = sizeof(domainBuffer);
+	if (!LookupAccountName(0, "Everyone", pothersid,
+		&otherSidBufferSize, domainBuffer, &domainBufferSize, &snu)) {
+		errval = GetLastError();
+		return (ISC_R_NOPERM);
+	}
+
+	caccess = access;
+	/* Owner check */
+
+	NTFSbits = 0;
+	if (caccess & ISC_FSACCESS_READ)
+		NTFSbits |= FILE_GENERIC_READ;
+	if (caccess & ISC_FSACCESS_WRITE)
+		NTFSbits |= FILE_GENERIC_WRITE;
+	if (caccess & ISC_FSACCESS_EXECUTE)
+		NTFSbits |= FILE_GENERIC_EXECUTE;
+
+	/* For directories check the directory-specific bits */
+	if (isdir == ISC_TRUE) {
+		if (caccess & ISC_FSACCESS_CREATECHILD)
+			NTFSbits |= FILE_ADD_SUBDIRECTORY | FILE_ADD_FILE;
+		if (caccess & ISC_FSACCESS_DELETECHILD)
+			NTFSbits |= FILE_DELETE_CHILD;
+		if (caccess & ISC_FSACCESS_LISTDIRECTORY)
+			NTFSbits |= FILE_LIST_DIRECTORY;
+		if (caccess & ISC_FSACCESS_ACCESSCHILD)
+			NTFSbits |= FILE_TRAVERSE;
+	}
+
+	if (NTFSbits == (FILE_GENERIC_READ | FILE_GENERIC_WRITE
+		     | FILE_GENERIC_EXECUTE))
+		     NTFSbits |= FILE_ALL_ACCESS;
 	/*
-	 * WIN32 doesn't have the concept of execute bits. We leave this here
-	 * for when we review this module.
+	 * Owner and Administrator also get STANDARD_RIGHTS_ALL
+	 * to ensure that they have full control
 	 */
-	bits = ISC_FSACCESS_EXECUTE |
-	       ISC_FSACCESS_ACCESSCHILD;
 
-	SET_AND_CLEAR(S_IXUSR, S_IXGRP, S_IXOTH);
-#endif
-	INSIST(access == 0);
+	NTFSbits |= STANDARD_RIGHTS_ALL;
 
-	if (_chmod(path, mode) < 0)
+	/* Add the ACE to the ACL */
+	if (!AddAccessAllowedAce(pacl, ACL_REVISION, NTFSbits, psid))
+		return (ISC_R_NOPERM);
+	if (!AddAccessAllowedAce(pacl, ACL_REVISION, NTFSbits, padminsid))
+		return (ISC_R_NOPERM);
+
+	/*
+	 * Group is ignored since we can be in multiple groups or no group
+	 * and its meaning is not clear on Win32
+	 */
+
+	caccess = caccess >> STEP;
+
+	/*
+	 * Other check.  We translate this to be the same as Everyone
+	 */
+
+	caccess = caccess >> STEP;
+
+	NTFSbits = 0;
+	if (caccess & ISC_FSACCESS_READ)
+		NTFSbits |= FILE_GENERIC_READ;
+	if (caccess & ISC_FSACCESS_WRITE)
+		NTFSbits |= FILE_GENERIC_WRITE;
+	if (caccess & ISC_FSACCESS_EXECUTE)
+		NTFSbits |= FILE_GENERIC_EXECUTE;
+
+	/* For directories check the directory-specific bits */
+	if (isdir == TRUE) {
+		if (caccess & ISC_FSACCESS_CREATECHILD)
+			NTFSbits |= FILE_ADD_SUBDIRECTORY | FILE_ADD_FILE;
+		if (caccess & ISC_FSACCESS_DELETECHILD)
+			NTFSbits |= FILE_DELETE_CHILD;
+		if (caccess & ISC_FSACCESS_LISTDIRECTORY)
+			NTFSbits |= FILE_LIST_DIRECTORY;
+		if (caccess & ISC_FSACCESS_ACCESSCHILD)
+			NTFSbits |= FILE_TRAVERSE;
+	}
+	/* Add the ACE to the ACL */
+	if (!AddAccessAllowedAce(pacl, ACL_REVISION, NTFSbits,
+				 pothersid))
+		return (ISC_R_NOPERM);
+
+	if (!SetSecurityDescriptorDacl(&sd, TRUE, pacl, FALSE))
+		return (ISC_R_NOPERM);
+	if (!SetFileSecurity(filename, DACL_SECURITY_INFORMATION, &sd)) {
+		return (ISC_R_NOPERM);
+	}
+
+	return(ISC_R_SUCCESS);
+}
+
+isc_result_t
+NTFS_fsaccess_set(const char *path, isc_fsaccess_t access,
+		  isc_boolean_t isdir){
+
+	/*
+	 * For NTFS we first need to get the name of the account under
+	 * which BIND is running
+	 */
+	if (namelen <= 0) {
+		namelen = sizeof(username);
+		if (GetUserName(username, &namelen) == 0)
+			return (ISC_R_FAILURE);
+	}
+	return (NTFS_Access_Control(path, username, access, isdir));
+}
+
+isc_result_t
+isc_fsaccess_set(const char *path, isc_fsaccess_t access) {
+	struct stat statb;
+	isc_boolean_t is_dir = ISC_FALSE;
+	isc_result_t result;
+
+	if (stat(path, &statb) != 0)
 		return (isc__errno2result(errno));
 
+	if ((statb.st_mode & S_IFDIR) != 0)
+		is_dir = ISC_TRUE;
+	else if ((statb.st_mode & S_IFREG) == 0)
+		return (ISC_R_INVALIDFILE);
+
+	result = check_bad_bits(access, is_dir);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	/*
+	 * Determine if this is a FAT or NTFS disk and
+	 * call the appropriate function to set the permissions
+	 */
+	if (is_ntfs(path))
+		return (NTFS_fsaccess_set(path, access, is_dir));
+	else
+		return (FAT_fsaccess_set(path, access));
+}
+
+isc_result_t
+isc_fsaccess_changeowner(const char *filename, const char *user) {
+	SECURITY_DESCRIPTOR psd;
+	BYTE sidBuffer[500];
+	BYTE groupBuffer[500];
+	PSID psid=(PSID) &sidBuffer;
+	DWORD sidBufferSize = sizeof(sidBuffer);
+	char domainBuffer[100];
+	DWORD domainBufferSize = sizeof(domainBuffer);
+	SID_NAME_USE snu;
+	PSID pSidGroup = (PSID) &groupBuffer;
+	DWORD groupBufferSize = sizeof(groupBuffer);
+
+
+	/*
+	 * Determine if this is a FAT or NTFS disk and
+	 * call the appropriate function to set the ownership
+	 * FAT disks do not have ownership attributes so it's
+	 * a noop.
+	 */
+	if (is_ntfs(filename) == FALSE)
+		return (ISC_R_SUCCESS);
+
+	if (!InitializeSecurityDescriptor(&psd, SECURITY_DESCRIPTOR_REVISION))
+		return (ISC_R_NOPERM);
+
+	if (!LookupAccountName(0, user, psid, &sidBufferSize, domainBuffer,
+		&domainBufferSize, &snu))
+		return (ISC_R_NOPERM);
+
+	/* Make sure administrators can get to it */
+	domainBufferSize = sizeof(domainBuffer);
+	if (!LookupAccountName(0, "Administrators", pSidGroup,
+		&groupBufferSize, domainBuffer, &domainBufferSize, &snu))
+		return (ISC_R_NOPERM);
+
+	if (!SetSecurityDescriptorOwner(&psd, psid, FALSE))
+		return (ISC_R_NOPERM);
+
+	if (!SetSecurityDescriptorGroup(&psd, pSidGroup, FALSE))
+		return (ISC_R_NOPERM);
+
+	if (!SetFileSecurity(filename,
+		OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION,
+		&psd))
+		return (ISC_R_NOPERM);
+
 	return (ISC_R_SUCCESS);
 }
+
diff --git a/lib/isc/win32/include/Makefile.in b/lib/isc/win32/include/Makefile.in
index f6cb2069..99f24cbd 100644
--- a/lib/isc/win32/include/Makefile.in
+++ b/lib/isc/win32/include/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.6.2.1 2004/03/09 06:12:21 marka Exp $
+# $Id: Makefile.in,v 1.6.206.1 2004/03/06 08:15:13 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/isc/win32/include/isc/Makefile.in b/lib/isc/win32/include/isc/Makefile.in
index ea630253..47ebc16a 100644
--- a/lib/isc/win32/include/isc/Makefile.in
+++ b/lib/isc/win32/include/isc/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.8.2.1 2004/03/09 06:12:22 marka Exp $
+# $Id: Makefile.in,v 1.8.206.1 2004/03/06 08:15:13 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/isc/win32/include/isc/bind_registry.h b/lib/isc/win32/include/isc/bind_registry.h
index 22fcc3e7..2c44ddf1 100644
--- a/lib/isc/win32/include/isc/bind_registry.h
+++ b/lib/isc/win32/include/isc/bind_registry.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: bind_registry.h,v 1.4.2.1 2004/03/09 06:12:22 marka Exp $ */
+/* $Id: bind_registry.h,v 1.4.12.3 2004/03/08 09:05:02 marka Exp $ */
 
 #ifndef ISC_BINDREGISTRY_H
 #define ISC_BINDREGISTRY_H
@@ -37,6 +37,10 @@
 	"SYSTEM\\CurrentControlSet\\Services\\EventLog\\Application\\named"
 #define BIND_MESSAGE_NAME	"named"
 
+#define BIND_SERVICE_SUBKEY	\
+	"SYSTEM\\CurrentControlSet\\Services\\named"
+
+
 #define BIND_CONFIGFILE		0
 #define BIND_DEBUGLEVEL		1
 #define BIND_QUERYLOG		2
diff --git a/lib/isc/win32/include/isc/bindevt.h b/lib/isc/win32/include/isc/bindevt.h
index 36bde112..7bab690a 100644
--- a/lib/isc/win32/include/isc/bindevt.h
+++ b/lib/isc/win32/include/isc/bindevt.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: bindevt.h,v 1.3.2.1 2004/03/09 06:12:22 marka Exp $ */
+/* $Id: bindevt.h,v 1.3.206.1 2004/03/06 08:15:14 marka Exp $ */
 
 #ifndef ISC_BINDEVT_H
 #define ISC_BINDEVT_H 1
diff --git a/lib/isc/win32/include/isc/condition.h b/lib/isc/win32/include/isc/condition.h
index 1ba384c4..9a7fe50e 100644
--- a/lib/isc/win32/include/isc/condition.h
+++ b/lib/isc/win32/include/isc/condition.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: condition.h,v 1.13.2.3 2007/05/10 23:45:26 tbox Exp $ */
+/* $Id: condition.h,v 1.13.206.1 2004/03/06 08:15:14 marka Exp $ */
 
 #ifndef ISC_CONDITION_H
 #define ISC_CONDITION_H 1
@@ -24,22 +24,11 @@
 
 #include <isc/lang.h>
 #include <isc/mutex.h>
-#include <isc/thread.h>
 #include <isc/types.h>
 
-typedef struct isc_condition_thread isc_condition_thread_t;
-
-struct isc_condition_thread {
-	unsigned long				th;
-	HANDLE					handle[2];
-	ISC_LINK(isc_condition_thread_t)	link;
-
-};
-
 typedef struct isc_condition {
 	HANDLE 		events[2];
 	unsigned int	waiters;
-	ISC_LIST(isc_condition_thread_t) threadlist;
 } isc_condition_t;
 
 ISC_LANG_BEGINDECLS
diff --git a/lib/isc/win32/include/isc/dir.h b/lib/isc/win32/include/isc/dir.h
index b0639d04..dfedba49 100644
--- a/lib/isc/win32/include/isc/dir.h
+++ b/lib/isc/win32/include/isc/dir.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dir.h,v 1.11.2.1 2004/03/09 06:12:22 marka Exp $ */
+/* $Id: dir.h,v 1.11.12.3 2004/03/08 09:05:02 marka Exp $ */
 
 /* Principal Authors: DCL */
 
@@ -70,16 +70,6 @@ isc_result_t
 isc_dir_chroot(const char *dirname);
 
 isc_result_t
-isc_dir_current(char *dirname, size_t length, isc_boolean_t end_sep);
-/*
- * Put the absolute name of the current directory into 'dirname', which is a
- * buffer of at least 'length' characters.  If 'end_sep' is true, end the
- * string with the appropriate path separator, such that the final product
- * could be concatenated with a relative pathname to make a valid pathname
- * string. 
- */
-
-isc_result_t
 isc_dir_createunique(char *templet);
 /*
  * Use a templet (such as from isc_file_mktemplate()) to create a uniquely
diff --git a/lib/isc/win32/include/isc/int.h b/lib/isc/win32/include/isc/int.h
index e7370271..8deecb87 100644
--- a/lib/isc/win32/include/isc/int.h
+++ b/lib/isc/win32/include/isc/int.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: int.h,v 1.10.2.1 2004/03/09 06:12:22 marka Exp $ */
+/* $Id: int.h,v 1.10.206.1 2004/03/06 08:15:14 marka Exp $ */
 
 #ifndef ISC_INT_H
 #define ISC_INT_H 1
diff --git a/lib/isc/win32/include/isc/ipv6.h b/lib/isc/win32/include/isc/ipv6.h
index b98a9008..44988580 100644
--- a/lib/isc/win32/include/isc/ipv6.h
+++ b/lib/isc/win32/include/isc/ipv6.h
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ipv6.h,v 1.9.2.7 2007/01/18 00:06:02 marka Exp $ */
+/* $Id: ipv6.h,v 1.9.2.2.2.4 2004/03/11 05:58:43 marka Exp $ */
 
 #ifndef ISC_IPV6_H
 #define ISC_IPV6_H 1
@@ -25,82 +25,96 @@
  *****/
 
 /*
- * This file defines additional information necessary for IP v6 support
+ * IPv6 definitions for systems which do not support IPv6.
+ *
+ * MP:
+ *	No impact.
+ *
+ * Reliability:
+ *	No anticipated impact.
+ *
+ * Resources:
+ *	N/A.
+ *
+ * Security:
+ *	No anticipated impact.
+ *
+ * Standards:
+ *	RFC 2553.
  */
 
-#ifndef AF_INET6
-#define AF_INET6 99
-#endif
-
-#ifndef PF_INET6
-#define PF_INET6 AF_INET6
-#endif
-
-#if _MSC_VER < 1300
-#define s6_addr8	s6_addr
-#define in6_addr in_addr6
-
+#ifndef IN6ADDR_ANY_INIT
 #define IN6ADDR_ANY_INIT 	{{ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 }}
+#endif
+#ifndef IN6ADDR_LOOPBACK_INIT
 #define IN6ADDR_LOOPBACK_INIT 	{{ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1 }}
-
-LIBISC_EXTERNAL_DATA extern const struct in_addr6 in6addr_any;
-LIBISC_EXTERNAL_DATA extern const struct in_addr6 in6addr_loopback;
-
-#ifndef ISC_PLATFORM_HAVEIN6PKTINFO
-struct in6_pktinfo {
-	struct in6_addr ipi6_addr;    /* src/dst IPv6 address */
-	unsigned int    ipi6_ifindex; /* send/recv interface index */
-};
 #endif
 
+LIBISC_EXTERNAL_DATA extern const struct in6_addr isc_in6addr_any;
+LIBISC_EXTERNAL_DATA extern const struct in6_addr isc_in6addr_loopback;
+
 /*
  * Unspecified
  */
-
-#define IN6_IS_ADDR_UNSPECIFIED(x) (\
-*((u_long *)((x)->s6_addr)    ) == 0 && \
-*((u_long *)((x)->s6_addr) + 1) == 0 && \
-*((u_long *)((x)->s6_addr) + 2) == 0 && \
-*((u_long *)((x)->s6_addr) + 3) == 1 \
+#ifndef IN6_IS_ADDR_UNSPECIFIED
+#define IN6_IS_ADDR_UNSPECIFIED(a)      \
+*((u_long *)((a)->s6_addr)    ) == 0 && \
+*((u_long *)((a)->s6_addr) + 1) == 0 && \
+*((u_long *)((a)->s6_addr) + 2) == 0 && \
+*((u_long *)((a)->s6_addr) + 3) == 0 \
 )
+#endif
 
 /*
  * Loopback
  */
-#define IN6_IS_ADDR_LOOPBACK(x) (\
-*((u_long *)((x)->s6_addr)    ) == 0 && \
-*((u_long *)((x)->s6_addr) + 1) == 0 && \
-*((u_long *)((x)->s6_addr) + 2) == 0 && \
-*((u_long *)((x)->s6_addr) + 3) == 1 \
+#ifndef IN6_IS_ADDR_LOOPBACK
+#define IN6_IS_ADDR_LOOPBACK(a) (\
+*((u_long *)((a)->s6_addr)    ) == 0 && \
+*((u_long *)((a)->s6_addr) + 1) == 0 && \
+*((u_long *)((a)->s6_addr) + 2) == 0 && \
+*((u_long *)((a)->s6_addr) + 3) == htonl(1) \
 )
+#endif
 
 /*
  * IPv4 compatible
  */
-#define IN6_IS_ADDR_V4COMPAT(x)  (\
-*((u_long *)((x)->s6_addr)    ) == 0 && \
-*((u_long *)((x)->s6_addr) + 1) == 0 && \
-*((u_long *)((x)->s6_addr) + 2) == 0 && \
-*((u_long *)((x)->s6_addr) + 3) != 0 && \
-*((u_long *)((x)->s6_addr) + 3) != htonl(1) \
+#define IN6_IS_ADDR_V4COMPAT(a)  (\
+*((u_long *)((a)->s6_addr)    ) == 0 && \
+*((u_long *)((a)->s6_addr) + 1) == 0 && \
+*((u_long *)((a)->s6_addr) + 2) == 0 && \
+*((u_long *)((a)->s6_addr) + 3) != 0 && \
+*((u_long *)((a)->s6_addr) + 3) != htonl(1) \
 )
 
 /*
  * Mapped
  */
-#define IN6_IS_ADDR_V4MAPPED(x) (\
-*((u_long *)((x)->s6_addr)    ) == 0 && \
-*((u_long *)((x)->s6_addr) + 1) == 0 && \
-*((u_long *)((x)->s6_addr) + 2) == htonl(0x0000ffff))
+#define IN6_IS_ADDR_V4MAPPED(a) (\
+*((u_long *)((a)->s6_addr)    ) == 0 && \
+*((u_long *)((a)->s6_addr) + 1) == 0 && \
+*((u_long *)((a)->s6_addr) + 2) == htonl(0x0000ffff))
 
 /*
  * Multicast
  */
 #define IN6_IS_ADDR_MULTICAST(a)	\
-	((a)->s6_addr8[0] == 0xffU)
+	((a)->s6_addr[0] == 0xffU)
 
+/*
+ * Unicast link / site local.
+ */
+#ifndef IN6_IS_ADDR_LINKLOCAL
+#define IN6_IS_ADDR_LINKLOCAL(a)	(\
+(*((u_long *)((a)->s6_addr)    ) == 0xfe) && \
+((*((u_long *)((a)->s6_addr) + 1) & 0xc0) == 0x80))
 #endif
 
-ISC_LANG_ENDDECLS
+#ifndef IN6_IS_ADDR_SITELOCAL
+#define IN6_IS_ADDR_SITELOCAL(a)	(\
+(*((u_long *)((a)->s6_addr)    ) == 0xfe) && \
+((*((u_long *)((a)->s6_addr) + 1) & 0xc0) == 0xc0))
+#endif
 
 #endif /* ISC_IPV6_H */
diff --git a/lib/isc/win32/include/isc/keyboard.h b/lib/isc/win32/include/isc/keyboard.h
index a75729a3..ee4a649d 100644
--- a/lib/isc/win32/include/isc/keyboard.h
+++ b/lib/isc/win32/include/isc/keyboard.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: keyboard.h,v 1.3.2.1 2004/03/09 06:12:23 marka Exp $ */
+/* $Id: keyboard.h,v 1.3.206.1 2004/03/06 08:15:15 marka Exp $ */
 
 #ifndef ISC_KEYBOARD_H
 #define ISC_KEYBOARD_H 1
diff --git a/lib/isc/win32/include/isc/mutex.h b/lib/isc/win32/include/isc/mutex.h
index 72747f29..f799a979 100644
--- a/lib/isc/win32/include/isc/mutex.h
+++ b/lib/isc/win32/include/isc/mutex.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mutex.h,v 1.16.2.1 2004/03/09 06:12:23 marka Exp $ */
+/* $Id: mutex.h,v 1.16.206.1 2004/03/06 08:15:15 marka Exp $ */
 
 #ifndef ISC_MUTEX_H
 #define ISC_MUTEX_H 1
diff --git a/lib/isc/win32/include/isc/net.h b/lib/isc/win32/include/isc/net.h
index 1603d3bf..9a8e5ef5 100644
--- a/lib/isc/win32/include/isc/net.h
+++ b/lib/isc/win32/include/isc/net.h
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: net.h,v 1.15.2.2 2004/03/09 06:12:23 marka Exp $ */
+/* $Id: net.h,v 1.15.12.8 2004/03/09 05:21:09 marka Exp $ */
 
 #ifndef ISC_NET_H
 #define ISC_NET_H 1
@@ -105,6 +105,18 @@
  * a variable
  */
 #undef interface 
+
+#ifndef INADDR_LOOPBACK
+#define INADDR_LOOPBACK 0x7f000001UL
+#endif
+
+#ifndef ISC_PLATFORM_HAVEIN6PKTINFO
+struct in6_pktinfo {
+	struct in6_addr ipi6_addr;    /* src/dst IPv6 address */
+	unsigned int    ipi6_ifindex; /* send/recv interface index */
+};
+#endif
+
 /*
  * Ensure type in_port_t is defined.
  */
@@ -137,7 +149,7 @@ typedef isc_uint16_t in_port_t;
 #undef FD_CLR
 #define FD_CLR(fd, set) do { \
     u_int __i; \
-    for (__i = 0; __i < ((fd_set FAR *)(set))->fd_count ; __i++) { \
+    for (__i = 0; __i < ((fd_set FAR *)(set))->fd_count; __i++) { \
         if (((fd_set FAR *)(set))->fd_array[__i] == (SOCKET) fd) { \
             while (__i < ((fd_set FAR *)(set))->fd_count-1) { \
                 ((fd_set FAR *)(set))->fd_array[__i] = \
@@ -224,6 +236,7 @@ isc_net_probeipv4(void);
  *
  *	ISC_R_SUCCESS		IPv4 is supported.
  *	ISC_R_NOTFOUND		IPv4 is not supported.
+ *	ISC_R_DISABLED		IPv4 is disabled.
  *	ISC_R_UNEXPECTED
  */
 
@@ -236,9 +249,34 @@ isc_net_probeipv6(void);
  *
  *	ISC_R_SUCCESS		IPv6 is supported.
  *	ISC_R_NOTFOUND		IPv6 is not supported.
+ *	ISC_R_DISABLED		IPv6 is disabled.
+ *	ISC_R_UNEXPECTED
+ */
+
+isc_result_t
+isc_net_probe_ipv6only(void);
+/*
+ * Check if the system's kernel supports the IPV6_V6ONLY socket option.
+ *
+ * Returns:
+ *
+ *	ISC_R_SUCCESS		the option is supported for both TCP and UDP.
+ *	ISC_R_NOTFOUND		IPv6 itself or the option is not supported.
  *	ISC_R_UNEXPECTED
  */
 
+void
+isc_net_disableipv4(void);
+
+void
+isc_net_disableipv6(void);
+
+void
+isc_net_enableipv4(void);
+
+void
+isc_net_enableipv6(void);
+
 #ifdef ISC_PLATFORM_NEEDNTOP
 const char *
 isc_net_ntop(int af, const void *src, char *dst, size_t size);
diff --git a/lib/isc/win32/include/isc/netdb.h b/lib/isc/win32/include/isc/netdb.h
index 713c85dd..e4c881b6 100644
--- a/lib/isc/win32/include/isc/netdb.h
+++ b/lib/isc/win32/include/isc/netdb.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: netdb.h,v 1.6.2.1 2004/03/09 06:12:23 marka Exp $ */
+/* $Id: netdb.h,v 1.6.206.1 2004/03/06 08:15:15 marka Exp $ */
 
 #ifndef ISC_NETDB_H
 #define ISC_NETDB_H 1
diff --git a/lib/isc/win32/include/isc/ntgroups.h b/lib/isc/win32/include/isc/ntgroups.h
new file mode 100644
index 00000000..7ab6c7eb
--- /dev/null
+++ b/lib/isc/win32/include/isc/ntgroups.h
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2001  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: ntgroups.h,v 1.2.200.3 2004/03/08 09:05:03 marka Exp $ */
+
+#ifndef ISC_NTGROUPS_H
+#define ISC_NTGROUPS_H 1
+
+#include <isc/lang.h>
+#include <isc/result.h>
+
+ISC_LANG_BEGINDECLS
+
+
+isc_result_t
+isc_ntsecurity_getaccountgroups(char *name, char **Groups, unsigned int maxgroups,
+	     unsigned int *total);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_NTGROUPS_H */
diff --git a/lib/isc/win32/include/isc/ntpaths.h b/lib/isc/win32/include/isc/ntpaths.h
index b5aa0363..b7967266 100644
--- a/lib/isc/win32/include/isc/ntpaths.h
+++ b/lib/isc/win32/include/isc/ntpaths.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ntpaths.h,v 1.12.2.2 2004/03/09 06:12:23 marka Exp $ */
+/* $Id: ntpaths.h,v 1.12.2.1.10.1 2004/03/06 08:15:16 marka Exp $ */
 
 /*
  * Windows-specific path definitions
diff --git a/lib/isc/win32/include/isc/offset.h b/lib/isc/win32/include/isc/offset.h
index 1ed5dc38..4d7b59ac 100644
--- a/lib/isc/win32/include/isc/offset.h
+++ b/lib/isc/win32/include/isc/offset.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: offset.h,v 1.2.2.1 2004/03/09 06:12:23 marka Exp $ */
+/* $Id: offset.h,v 1.2.206.2 2004/03/11 05:58:43 marka Exp $ */
 
 #ifndef ISC_OFFSET_H
 #define ISC_OFFSET_H 1
@@ -26,7 +26,7 @@
 #include <limits.h>             /* Required for CHAR_BIT. */
 #include <sys/types.h>
 
-typedef off_t isc_offset_t;
+typedef _off_t isc_offset_t;
 
 /*
  * POSIX says "Additionally, blkcnt_t and off_t are extended signed integral
diff --git a/lib/isc/win32/include/isc/once.h b/lib/isc/win32/include/isc/once.h
index 82ebbca6..901760fb 100644
--- a/lib/isc/win32/include/isc/once.h
+++ b/lib/isc/win32/include/isc/once.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: once.h,v 1.6.2.1 2004/03/09 06:12:24 marka Exp $ */
+/* $Id: once.h,v 1.6.206.1 2004/03/06 08:15:16 marka Exp $ */
 
 #ifndef ISC_ONCE_H
 #define ISC_ONCE_H 1
diff --git a/lib/isc/win32/include/isc/platform.h b/lib/isc/win32/include/isc/platform.h
index ad883a31..34960660 100644
--- a/lib/isc/win32/include/isc/platform.h
+++ b/lib/isc/win32/include/isc/platform.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: platform.h,v 1.5.2.1 2004/03/09 06:12:24 marka Exp $ */
+/* $Id: platform.h,v 1.5.12.5 2004/03/11 05:58:43 marka Exp $ */
 
 #ifndef ISC_PLATFORM_H
 #define ISC_PLATFORM_H 1
@@ -31,6 +31,7 @@
  ***/
 
 #define ISC_PLATFORM_HAVEIPV6
+#define ISC_PLATFORM_HAVEIN6PKTINFO
 #define ISC_PLATFORM_NEEDPORTT
 #undef MSG_TRUNC
 #define ISC_PLATFORM_NEEDNTOP
@@ -40,6 +41,7 @@
 #define ISC_PLATFORM_QUADFORMAT "I64"
 
 #define ISC_PLATFORM_NEEDSTRSEP
+#define ISC_PLATFORM_NEEDSTRLCPY
 
 /*
  * Used to control how extern data is linked; needed for Win32 platforms.
@@ -56,27 +58,33 @@
  */
 
 #ifdef LIBISC_EXPORTS
-#define LIBISC_EXTERNAL_DATA __declspec( dllexport )
+#define LIBISC_EXTERNAL_DATA __declspec(dllexport)
 #else
-#define LIBISC_EXTERNAL_DATA __declspec( dllimport ) 
+#define LIBISC_EXTERNAL_DATA __declspec(dllimport) 
 #endif
 
 #ifdef LIBISCCFG_EXPORTS
-#define LIBISCCFG_EXTERNAL_DATA __declspec( dllexport )
+#define LIBISCCFG_EXTERNAL_DATA __declspec(dllexport)
 #else
-#define LIBISCCFG_EXTERNAL_DATA __declspec( dllimport ) 
+#define LIBISCCFG_EXTERNAL_DATA __declspec(dllimport) 
 #endif
 
 #ifdef LIBISCCC_EXPORTS
-#define LIBISCCC_EXTERNAL_DATA __declspec( dllexport )
+#define LIBISCCC_EXTERNAL_DATA __declspec(dllexport)
 #else
-#define LIBISCCC_EXTERNAL_DATA __declspec( dllimport ) 
+#define LIBISCCC_EXTERNAL_DATA __declspec(dllimport) 
 #endif
 
 #ifdef LIBDNS_EXPORTS
-#define LIBDNS_EXTERNAL_DATA __declspec( dllexport )
+#define LIBDNS_EXTERNAL_DATA __declspec(dllexport)
 #else
-#define LIBDNS_EXTERNAL_DATA __declspec( dllimport )
+#define LIBDNS_EXTERNAL_DATA __declspec(dllimport)
+#endif
+
+#ifdef LIBBIND9_EXPORTS
+#define LIBBIND9_EXTERNAL_DATA __declspec(dllexport)
+#else
+#define LIBBIND9_EXTERNAL_DATA __declspec(dllimport)
 #endif
 
 #endif /* ISC_PLATFORM_H */
diff --git a/lib/isc/win32/include/isc/stat.h b/lib/isc/win32/include/isc/stat.h
index c9398312..52f28354 100644
--- a/lib/isc/win32/include/isc/stat.h
+++ b/lib/isc/win32/include/isc/stat.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: stat.h,v 1.3.2.3 2004/03/09 06:12:24 marka Exp $ */
+/* $Id: stat.h,v 1.3.2.2.2.1 2004/03/06 08:15:17 marka Exp $ */
 
 #ifndef ISC_STAT_H
 #define ISC_STAT_H 1
diff --git a/lib/isc/win32/include/isc/stdtime.h b/lib/isc/win32/include/isc/stdtime.h
index f27edac4..5ca205ce 100644
--- a/lib/isc/win32/include/isc/stdtime.h
+++ b/lib/isc/win32/include/isc/stdtime.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: stdtime.h,v 1.7.2.1 2004/03/09 06:12:24 marka Exp $ */
+/* $Id: stdtime.h,v 1.7.206.1 2004/03/06 08:15:17 marka Exp $ */
 
 #ifndef ISC_STDTIME_H
 #define ISC_STDTIME_H 1
diff --git a/lib/isc/win32/include/isc/strerror.h b/lib/isc/win32/include/isc/strerror.h
index 4223e7c6..d8825596 100644
--- a/lib/isc/win32/include/isc/strerror.h
+++ b/lib/isc/win32/include/isc/strerror.h
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001, 2002  Internet Software Consortium.
+ * Copyright (C) 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: strerror.h,v 1.2.2.3 2004/03/09 06:12:24 marka Exp $ */
+/* $Id: strerror.h,v 1.2.2.2.8.2 2004/03/08 09:05:03 marka Exp $ */
 
 #ifndef ISC_STRERROR_H
 #define ISC_STRERROR_H
diff --git a/lib/isc/win32/include/isc/syslog.h b/lib/isc/win32/include/isc/syslog.h
index a88a2e85..8a0b1287 100644
--- a/lib/isc/win32/include/isc/syslog.h
+++ b/lib/isc/win32/include/isc/syslog.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: syslog.h,v 1.2.2.1 2004/03/09 06:12:24 marka Exp $ */
+/* $Id: syslog.h,v 1.2.206.1 2004/03/06 08:15:17 marka Exp $ */
 
 #ifndef ISC_SYSLOG_H
 #define ISC_SYSLOG_H 1
diff --git a/lib/isc/win32/include/isc/thread.h b/lib/isc/win32/include/isc/thread.h
index 0a0d9d78..89f676cd 100644
--- a/lib/isc/win32/include/isc/thread.h
+++ b/lib/isc/win32/include/isc/thread.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: thread.h,v 1.15.2.1 2004/03/09 06:12:24 marka Exp $ */
+/* $Id: thread.h,v 1.15.206.1 2004/03/06 08:15:17 marka Exp $ */
 
 #ifndef ISC_THREAD_H
 #define ISC_THREAD_H 1
diff --git a/lib/isc/win32/include/isc/time.h b/lib/isc/win32/include/isc/time.h
index b2a47c87..5033ed15 100644
--- a/lib/isc/win32/include/isc/time.h
+++ b/lib/isc/win32/include/isc/time.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: time.h,v 1.19.2.2 2004/03/09 06:12:24 marka Exp $ */
+/* $Id: time.h,v 1.19.2.1.10.5 2004/03/11 05:58:43 marka Exp $ */
 
 #ifndef ISC_TIME_H
 #define ISC_TIME_H 1
@@ -39,7 +39,7 @@ struct isc_interval {
 	isc_int64_t interval;
 };
 
-extern isc_interval_t *isc_interval_zero;
+LIBISC_EXTERNAL_DATA extern isc_interval_t *isc_interval_zero;
 
 ISC_LANG_BEGINDECLS
 
@@ -58,7 +58,7 @@ isc_interval_set(isc_interval_t *i,
  */
 
 isc_boolean_t
-isc_interval_iszero(isc_interval_t *i);
+isc_interval_iszero(const isc_interval_t *i);
 /*
  * Returns ISC_TRUE iff. 'i' is the zero interval.
  *
@@ -82,7 +82,7 @@ struct isc_time {
 	FILETIME absolute;
 };
 
-extern isc_time_t *isc_time_epoch;
+LIBISC_EXTERNAL_DATA extern isc_time_t *isc_time_epoch;
 
 void
 isc_time_settoepoch(isc_time_t *t);
@@ -98,7 +98,7 @@ isc_time_settoepoch(isc_time_t *t);
  */
 
 isc_boolean_t
-isc_time_isepoch(isc_time_t *t);
+isc_time_isepoch(const isc_time_t *t);
 /*
  * Returns ISC_TRUE iff. 't' is the epoch ("time zero").
  *
@@ -127,7 +127,7 @@ isc_time_now(isc_time_t *t);
  */
 
 isc_result_t
-isc_time_nowplusinterval(isc_time_t *t, isc_interval_t *i);
+isc_time_nowplusinterval(isc_time_t *t, const isc_interval_t *i);
 /*
  * Set *t to the current absolute time + i.
  *
@@ -152,7 +152,7 @@ isc_time_nowplusinterval(isc_time_t *t, isc_interval_t *i);
  */
 
 int
-isc_time_compare(isc_time_t *t1, isc_time_t *t2);
+isc_time_compare(const isc_time_t *t1, const isc_time_t *t2);
 /*
  * Compare the times referenced by 't1' and 't2'
  *
@@ -168,7 +168,7 @@ isc_time_compare(isc_time_t *t1, isc_time_t *t2);
  */
 
 isc_result_t
-isc_time_add(isc_time_t *t, isc_interval_t *i, isc_time_t *result);
+isc_time_add(const isc_time_t *t, const isc_interval_t *i, isc_time_t *result);
 /*
  * Add 'i' to 't', storing the result in 'result'.
  *
@@ -184,7 +184,8 @@ isc_time_add(isc_time_t *t, isc_interval_t *i, isc_time_t *result);
  */
 
 isc_result_t
-isc_time_subtract(isc_time_t *t, isc_interval_t *i, isc_time_t *result);
+isc_time_subtract(const isc_time_t *t, const isc_interval_t *i,
+		  isc_time_t *result);
 /*
  * Subtract 'i' from 't', storing the result in 'result'.
  *
@@ -199,7 +200,7 @@ isc_time_subtract(isc_time_t *t, isc_interval_t *i, isc_time_t *result);
  */
 
 isc_uint64_t
-isc_time_microdiff(isc_time_t *t1, isc_time_t *t2);
+isc_time_microdiff(const isc_time_t *t1, const isc_time_t *t2);
 /*
  * Find the difference in milliseconds between time t1 and time t2.
  * t2 is the subtrahend of t1; ie, difference = t1 - t2.
@@ -213,7 +214,7 @@ isc_time_microdiff(isc_time_t *t1, isc_time_t *t2);
  */
 
 isc_uint32_t
-isc_time_nanoseconds(isc_time_t *t);
+isc_time_nanoseconds(const isc_time_t *t);
 /*
  * Return the number of nanoseconds stored in a time structure.
  *
@@ -233,7 +234,7 @@ void
 isc_time_formattimestamp(const isc_time_t *t, char *buf, unsigned int len);
 /*
  * Format the time 't' into the buffer 'buf' of length 'len',
- * using a format like "Aug 30 04:06:47.997" and the local time zone.
+ * using a format like "30-Aug-2000 04:06:47.997" and the local time zone.
  * If the text does not fit in the buffer, the result is indeterminate,
  * but is always guaranteed to be null terminated.
  *
@@ -242,6 +243,8 @@ isc_time_formattimestamp(const isc_time_t *t, char *buf, unsigned int len);
  *      'buf' points to an array of at least len chars
  *
  */
+isc_uint32_t
+isc_time_seconds(const isc_time_t *t);
 
 ISC_LANG_ENDDECLS
 
diff --git a/lib/isc/win32/include/isc/win32os.h b/lib/isc/win32/include/isc/win32os.h
index 7965b2e2..f112709a 100644
--- a/lib/isc/win32/include/isc/win32os.h
+++ b/lib/isc/win32/include/isc/win32os.h
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2002, 2003  Internet Software Consortium.
+ * Copyright (C) 2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: win32os.h,v 1.2.176.3 2004/03/09 06:12:25 marka Exp $ */
+/* $Id: win32os.h,v 1.2.176.2.2.2 2004/03/08 09:05:04 marka Exp $ */
 
 #ifndef ISC_WIN32OS_H
 #define ISC_WIN32OS_H 1
diff --git a/lib/isc/win32/interfaceiter.c b/lib/isc/win32/interfaceiter.c
index 7383d4e2..5b562e59 100644
--- a/lib/isc/win32/interfaceiter.c
+++ b/lib/isc/win32/interfaceiter.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: interfaceiter.c,v 1.4.2.3 2007/06/18 23:45:27 tbox Exp $ */
+/* $Id: interfaceiter.c,v 1.4.12.4 2004/03/08 09:04:59 marka Exp $ */
 
 /*
  * Note that this code will need to be revisited to support IPv6 Interfaces.
@@ -35,11 +35,9 @@
 #include <isc/mem.h>
 #include <isc/result.h>
 #include <isc/string.h>
+#include <isc/strerror.h>
 #include <isc/types.h>
 #include <isc/util.h>
-#include "errno2result.h"
-
-void InitSockets(void);
 
 /* Common utility functions */
 
@@ -103,6 +101,7 @@ get_addr(unsigned int family, isc_netaddr_t *dst, struct sockaddr *src) {
 
 isc_result_t
 isc_interfaceiter_create(isc_mem_t *mctx, isc_interfaceiter_t **iterp) {
+	char strbuf[ISC_STRERRORSIZE]; 
 	isc_interfaceiter_t *iter;
 	isc_result_t result;
 	int error;
@@ -116,8 +115,6 @@ isc_interfaceiter_create(isc_mem_t *mctx, isc_interfaceiter_t **iterp) {
 	if (iter == NULL)
 		return (ISC_R_NOMEMORY);
 
-	InitSockets();
-
 	iter->mctx = mctx;
 	iter->buf = NULL;
 
@@ -126,9 +123,11 @@ isc_interfaceiter_create(isc_mem_t *mctx, isc_interfaceiter_t **iterp) {
 	 * SIO_GET_INTERFACE_LIST WSAIoctl on.
 	 */
 	if ((iter->socket = socket(AF_INET, SOCK_DGRAM, 0)) < 0) {
+		error = WSAGetLastError();
+		isc__strerror(error, strbuf, sizeof(strbuf));
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "making interface scan socket: %s",
-				 strerror(errno));
+				"making interface scan socket: %s",
+				strbuf);
 		result = ISC_R_UNEXPECTED;
 		goto socket_failure;
 	}
@@ -148,15 +147,15 @@ isc_interfaceiter_create(isc_mem_t *mctx, isc_interfaceiter_t **iterp) {
 
 		if (WSAIoctl(iter->socket, SIO_GET_INTERFACE_LIST,
 			     0, 0, iter->buf, iter->bufsize,
-			     &bytesReturned, 0, 0)
-		    == SOCKET_ERROR)
+			     &bytesReturned, 0, 0) == SOCKET_ERROR)
 		{
 			error = WSAGetLastError();
 			if (error != WSAEFAULT && error != WSAENOBUFS) {
 				errno = error;
+				isc__strerror(error, strbuf, sizeof(strbuf));
 				UNEXPECTED_ERROR(__FILE__, __LINE__,
-					     "get interface configuration: %s",
-						 NTstrerror(error));
+						"get interface configuration: %s",
+						strbuf);
 				result = ISC_R_UNEXPECTED;
 				goto ioctl_failure;
 			}
@@ -210,7 +209,7 @@ isc_interfaceiter_create(isc_mem_t *mctx, isc_interfaceiter_t **iterp) {
 	(void) closesocket(iter->socket);
 
  socket_failure:
-	isc_mem_put(mctx, iter, sizeof *iter);
+	isc_mem_put(mctx, iter, sizeof(*iter));
 	return (result);
 }
 
@@ -375,7 +374,7 @@ isc_interfaceiter_destroy(isc_interfaceiter_t **iterp) {
 	isc_mem_put(iter->mctx, iter->buf, iter->bufsize);
 
 	iter->magic = 0;
-	isc_mem_put(iter->mctx, iter, sizeof *iter);
+	isc_mem_put(iter->mctx, iter, sizeof(*iter));
 	*iterp = NULL;
 }
 
diff --git a/lib/isc/win32/ipv6.c b/lib/isc/win32/ipv6.c
index 0399a357..702eb8c3 100644
--- a/lib/isc/win32/ipv6.c
+++ b/lib/isc/win32/ipv6.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
+ * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,17 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ipv6.c,v 1.4.2.3 2004/03/09 06:12:18 marka Exp $ */
-
-#define off_t _off_t
+/* $Id: ipv6.c,v 1.4.2.2.2.4 2004/03/11 05:58:41 marka Exp $ */
 
 #include <isc/net.h>
 #include <isc/platform.h>
 
-#if _MSC_VER < 1300
-LIBISC_EXTERNAL_DATA const struct in6_addr in6addr_any =
+LIBISC_EXTERNAL_DATA const struct in6_addr isc_in6addr_any =
 	IN6ADDR_ANY_INIT;
 
-LIBISC_EXTERNAL_DATA const struct in6_addr in6addr_loopback =
+LIBISC_EXTERNAL_DATA const struct in6_addr isc_in6addr_loopback =
 	IN6ADDR_LOOPBACK_INIT;
-#endif
diff --git a/lib/isc/win32/keyboard.c b/lib/isc/win32/keyboard.c
index baa657a6..8adbf0a4 100644
--- a/lib/isc/win32/keyboard.c
+++ b/lib/isc/win32/keyboard.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: keyboard.c,v 1.4.2.1 2004/03/09 06:12:18 marka Exp $ */
+/* $Id: keyboard.c,v 1.4.206.1 2004/03/06 08:15:08 marka Exp $ */
 
 #include <config.h>
 
diff --git a/lib/isc/win32/libisc.def b/lib/isc/win32/libisc.def
index f0225f73..0018d2a3 100644
--- a/lib/isc/win32/libisc.def
+++ b/lib/isc/win32/libisc.def
@@ -1,118 +1,89 @@
 LIBRARY libisc
 
 ; Exported Functions
-
 EXPORTS
 
-isc__buffer_activeregion
-isc__buffer_add
-isc__buffer_availableregion
-isc__buffer_back
-isc__buffer_clear
-isc__buffer_consumedregion
-isc__buffer_first
-isc__buffer_forward
-isc__buffer_init
-isc__buffer_invalidate
-isc__buffer_putmem
-isc__buffer_putstr
-isc__buffer_putuint16
-isc__buffer_putuint32
-isc__buffer_putuint8
-isc__buffer_region
-isc__buffer_remainingregion
-isc__buffer_setactive
-isc__buffer_subtract
-isc__buffer_usedregion
-isc__mem_allocate
-isc__mem_free
-isc__mem_get
-isc__mem_put
-isc__mem_putanddetach
-isc__mem_strdup
-isc__mempool_get
-isc__mempool_put
-isc__strerror
-isc_app_block
-isc_app_finish
-isc_app_onrun
-isc_app_reload
-isc_app_run
-isc_app_shutdown
-isc_app_start
-isc_app_unblock
 isc_assertion_setcallback
 isc_assertion_typetotext
+isc_base64_totext
 isc_base64_decodestring
 isc_base64_tobuffer
-isc_base64_totext
-isc_bitstring_copy
 isc_bitstring_init
 isc_bitstring_invalidate
+isc_bitstring_copy
 isc_buffer_allocate
-isc_buffer_compact
-isc_buffer_copyregion
 isc_buffer_free
+isc__buffer_init
+isc__buffer_invalidate
+isc__buffer_region
+isc__buffer_usedregion
+isc__buffer_availableregion
+isc__buffer_add
+isc__buffer_subtract
+isc__buffer_clear
+isc__buffer_consumedregion
+isc__buffer_remainingregion
+isc__buffer_activeregion
+isc__buffer_setactive
+isc__buffer_first
+isc__buffer_forward
+isc__buffer_back
+isc_buffer_compact
+isc_buffer_getuint8
+isc__buffer_putuint8
 isc_buffer_getuint16
+isc__buffer_putuint16
 isc_buffer_getuint32
-isc_buffer_getuint8
-isc_bufferlist_availablecount
+isc__buffer_putuint32
+isc__buffer_putmem
+isc__buffer_putstr
+isc_buffer_copyregion
 isc_bufferlist_usedcount
+isc_bufferlist_availablecount
 isc_commandline_parse
-isc_condition_broadcast
-isc_condition_destroy
-isc_condition_init
-isc_condition_signal
-isc_condition_wait
-isc_condition_waituntil
-isc_dir_chdir
-isc_dir_chroot
-isc_dir_close
-isc_dir_current
-isc_dir_init
-isc_dir_open
-isc_dir_read
-isc_dir_reset
-isc_entropy_addcallbacksample
-isc_entropy_addsample
-isc_entropy_attach
+
+
 isc_entropy_create
-isc_entropy_createcallbacksource
+isc_entropy_attach
+isc_entropy_detach
 isc_entropy_createfilesource
-isc_entropy_createsamplesource
 isc_entropy_destroysource
-isc_entropy_detach
+isc_entropy_createsamplesource
+isc_entropy_createcallbacksource
+isc_entropy_stopcallbacksources
+isc_entropy_addcallbacksample
+isc_entropy_addsample
 isc_entropy_getdata
 isc_entropy_putdata
 isc_entropy_stats
-isc_entropy_stopcallbacksources
 isc_entropy_usebestsource
-isc_error_fatal
-isc_error_runtimecheck
-isc_error_setfatal
 isc_error_setunexpected
+isc_error_setfatal
 isc_error_unexpected
+isc_error_fatal
+isc_error_runtimecheck
 isc_event_allocate
 isc_event_free
-isc_file_absolutepath
-isc_file_basename
-isc_file_exists
+isc_file_settime
 isc_file_getmodtime
-isc_file_isabsolute
-isc_file_ischdiridempotent
-isc_file_iscurrentdir
 isc_file_mktemplate
 isc_file_openunique
-isc_file_progname
 isc_file_remove
 isc_file_rename
+isc_file_exists
+isc_file_ischdiridempotent
+isc_file_isabsolute
+isc_file_iscurrentdir
+isc_file_template
 isc_file_renameunique
+isc_file_basename
+isc_file_progname
 isc_file_safemovefile
-isc_file_settime
-isc_file_template
+isc_file_absolutepath
 isc_fsaccess_add
 isc_fsaccess_remove
 isc_fsaccess_set
+isc_fsaccess_changeowner
 isc_hash_calc
 isc_hash_create
 isc_hash_ctxattach
@@ -122,289 +93,356 @@ isc_hash_ctxdetach
 isc_hash_ctxinit
 isc_hash_destroy
 isc_hash_init
+isc_hex_totext
 isc_hex_decodestring
 isc_hex_tobuffer
-isc_hex_totext
 isc_hmacmd5_init
 isc_hmacmd5_invalidate
-isc_hmacmd5_sign
 isc_hmacmd5_update
+isc_hmacmd5_sign
 isc_hmacmd5_verify
 isc_interfaceiter_create
-isc_interfaceiter_current
-isc_interfaceiter_destroy
 isc_interfaceiter_first
+isc_interfaceiter_current
 isc_interfaceiter_next
-isc_interval_iszero
-isc_interval_set
-isc_keyboard_canceled
-isc_keyboard_close
-isc_keyboard_getchar
-isc_keyboard_open
-isc_lex_close
+isc_interfaceiter_destroy
+isc_lex_setcomments
 isc_lex_create
 isc_lex_destroy
 isc_lex_getcomments
-isc_lex_getlasttokentext
-isc_lex_getmastertoken
-isc_lex_getsourceline
-isc_lex_getsourcename
+isc_lex_setcomments
 isc_lex_getspecials
-isc_lex_gettoken
-isc_lex_isfile
-isc_lex_openbuffer
+isc_lex_setspecials
 isc_lex_openfile
 isc_lex_openstream
-isc_lex_setcomments
-isc_lex_setspecials
+isc_lex_openbuffer
+isc_lex_close
+isc_lex_gettoken
+isc_lex_getmastertoken
 isc_lex_ungettoken
-isc_lfsr_generate
-isc_lfsr_generate32
+isc_lex_getlasttokentext
+isc_lex_getsourcename
+isc_lex_getsourceline
+isc_lex_isfile
 isc_lfsr_init
+isc_lfsr_generate
 isc_lfsr_skip
+isc_lfsr_generate32
 isc_lib_initmsgcat
-isc_log_categorybyname
-isc_log_closefilelogs
-isc_log_create
 isc_log_createchannel
+isc_log_createchannel
+isc_log_create
+isc_logconfig_create
+isc_logconfig_get
+isc_logconfig_use
 isc_log_destroy
-isc_log_getdebuglevel
-isc_log_getduplicateinterval
-isc_log_gettag
-isc_log_ivwrite
-isc_log_ivwrite1
-isc_log_iwrite
-isc_log_iwrite1
-isc_log_modulebyname
-isc_log_opensyslog
+isc_logconfig_destroy
 isc_log_registercategories
 isc_log_registermodules
-isc_log_setcontext
-isc_log_setdebuglevel
-isc_log_setduplicateinterval
-isc_log_settag
+isc_log_createchannel
 isc_log_usechannel
+isc_log_write
 isc_log_vwrite
+isc_log_write1
 isc_log_vwrite1
+isc_log_iwrite
+isc_log_ivwrite
+isc_log_iwrite1
+isc_log_ivwrite1
+isc_log_setdebuglevel
+isc_log_getdebuglevel
 isc_log_wouldlog
 isc_log_write
-isc_log_write1
-isc_logconfig_create
-isc_logconfig_destroy
-isc_logconfig_get
-isc_logconfig_use
-isc_md5_final
+isc_log_setduplicateinterval
+isc_log_getduplicateinterval
+isc_log_settag
+isc_log_gettag
+isc_log_opensyslog
+isc_log_closefilelogs
+isc_log_categorybyname
+isc_log_modulebyname
+isc_log_setcontext
 isc_md5_init
 isc_md5_invalidate
 isc_md5_update
+isc_md5_final
 isc_mem_attach
+isc_mem_detach
+isc_mem_detach
 isc_mem_create
 isc_mem_createx
-isc_mem_destroy
+isc_mem_attach
 isc_mem_detach
-isc_mem_getquota
-isc_mem_inuse
+isc_mem_destroy
 isc_mem_ondestroy
+isc_mem_stats
 isc_mem_setdestroycheck
 isc_mem_setquota
+isc_mem_getquota
+isc_mem_inuse
 isc_mem_setwater
-isc_mem_stats
-isc_mempool_associatelock
 isc_mempool_create
 isc_mempool_destroy
-isc_mempool_getallocated
-isc_mempool_getfillcount
-isc_mempool_getfreecount
+isc_mempool_setname
+isc_mempool_associatelock
 isc_mempool_getfreemax
-isc_mempool_getmaxalloc
-isc_mempool_setfillcount
 isc_mempool_setfreemax
+isc_mempool_getfreecount
+isc_mempool_getmaxalloc
 isc_mempool_setmaxalloc
-isc_mempool_setname
+isc_mempool_getallocated
+isc_mempool_getfillcount
+isc_mempool_setfillcount
+isc__mem_get
+isc__mem_putanddetach
+isc__mem_put
+isc__mem_allocate
+isc__mem_free
+isc__mem_strdup
+isc__mempool_get
+isc__mempool_put
+isc_msgcat_open
 isc_msgcat_close
 isc_msgcat_get
-isc_msgcat_open
-isc_mutexblock_destroy
 isc_mutexblock_init
-isc_net_aton
-isc_net_ntop
-isc_net_probeipv4
-isc_net_probeipv6
-isc_net_pton
-isc_netaddr_any
-isc_netaddr_any6
-isc_netaddr_eqprefix
+isc_mutexblock_destroy
 isc_netaddr_equal
+isc_netaddr_eqprefix
+isc_netaddr_masktoprefixlen
+isc_netaddr_totext
 isc_netaddr_format
+isc_netaddr_fromsockaddr
 isc_netaddr_fromin
 isc_netaddr_fromin6
-isc_netaddr_fromsockaddr
-isc_netaddr_fromv4mapped
-isc_netaddr_isexperimental
+isc_netaddr_any
+isc_netaddr_any6
 isc_netaddr_ismulticast
-isc_netaddr_masktoprefixlen
-isc_netaddr_totext
-isc_ntpaths_get
+isc_netaddr_fromv4mapped
+isc_netaddr_setzone
+isc_netscope_pton
 isc_ntpaths_init
-isc_once_do
+isc_ntpaths_get
 isc_ondestroy_init
-isc_ondestroy_notify
 isc_ondestroy_register
+isc_ondestroy_notify
+isc_task_sendanddetach
 isc_os_ncpus
-isc_quota_attach
-isc_quota_destroy
-isc_quota_detach
 isc_quota_init
-isc_quota_release
+isc_quota_destroy
+isc_quota_soft
 isc_quota_reserve
+isc_quota_release
+isc_quota_attach
+isc_quota_detach
+isc_random_seed
 isc_random_get
 isc_random_jitter
-isc_random_seed
-isc_ratelimiter_attach
 isc_ratelimiter_create
-isc_ratelimiter_detach
-isc_ratelimiter_enqueue
 isc_ratelimiter_setinterval
 isc_ratelimiter_setpertic
+isc_ratelimiter_enqueue
 isc_ratelimiter_shutdown
-isc_resource_getlimit
+isc_ratelimiter_attach
+isc_ratelimiter_detach
 isc_resource_setlimit
-isc_result_register
+isc_resource_getlimit
 isc_result_totext
-isc_rwlock_destroy
-isc_rwlock_downgrade
+isc_result_register
 isc_rwlock_init
 isc_rwlock_lock
 isc_rwlock_trylock
-isc_rwlock_tryupgrade
 isc_rwlock_unlock
-isc_serial_eq
-isc_serial_ge
+isc_rwlock_destroy
+isc_serial_lt
 isc_serial_gt
 isc_serial_le
-isc_serial_lt
+isc_serial_ge
+isc_serial_eq
 isc_serial_ne
-isc_sha1_final
 isc_sha1_init
 isc_sha1_invalidate
 isc_sha1_update
+isc_sha1_final
+isc_sockaddr_equal
+isc_sockaddr_eqaddr
+isc_sockaddr_eqaddrprefix
+isc_sockaddr_hash
 isc_sockaddr_any
 isc_sockaddr_any6
 isc_sockaddr_anyofpf
-isc_sockaddr_eqaddr
-isc_sockaddr_eqaddrprefix
-isc_sockaddr_equal
-isc_sockaddr_format
 isc_sockaddr_fromin
 isc_sockaddr_fromin6
+isc_sockaddr_v6fromin
 isc_sockaddr_fromnetaddr
-isc_sockaddr_getport
-isc_sockaddr_hash
-isc_sockaddr_isexperimental
-isc_sockaddr_ismulticast
 isc_sockaddr_pf
 isc_sockaddr_setport
+isc_sockaddr_getport
 isc_sockaddr_totext
-isc_sockaddr_v6fromin
-isc_socket_accept
+isc_sockaddr_format
+isc_sockaddr_ismulticast
+isc_socket_create
+isc_socket_cancel
+;isc_socket_shutdown
 isc_socket_attach
+isc_socket_detach
 isc_socket_bind
-isc_socket_cancel
+isc_socket_listen
+isc_socket_accept
 isc_socket_connect
-isc_socket_create
-isc_socket_detach
 isc_socket_getpeername
 isc_socket_getsockname
-isc_socket_gettype
-isc_socket_isbound
-isc_socket_listen
 isc_socket_recv
-isc_socket_recv2
 isc_socket_recvv
+isc_socket_recv2
 isc_socket_send
 isc_socket_sendto
-isc_socket_sendto2
-isc_socket_sendtov
 isc_socket_sendv
-;isc_socket_shutdown
+isc_socket_sendtov
+isc_socket_sendto2
 isc_socketmgr_create
 isc_socketmgr_destroy
-isc_stdio_close
-isc_stdio_flush
+isc_socket_gettype
+isc_socket_isbound
 isc_stdio_open
-isc_stdio_read
+isc_stdio_close
 isc_stdio_seek
-isc_stdio_sync
+isc_stdio_read
 isc_stdio_write
-isc_stdtime_get
-isc_string_separate
+isc_stdio_flush
+isc_stdio_sync
 isc_string_touint64
+isc_string_separate
 isc_symtab_create
-isc_symtab_define
 isc_symtab_destroy
 isc_symtab_lookup
+isc_symtab_define
 isc_symtab_undefine
-isc_syslog_facilityfromstring
-isc_task_attach
-isc_task_beginexclusive
 isc_task_create
-isc_task_destroy
+isc_task_attach
 isc_task_detach
-isc_task_endexclusive
-isc_task_getname
-isc_task_gettag
-isc_task_onshutdown
-isc_task_purge
-isc_task_purgeevent
-isc_task_purgerange
 isc_task_send
 isc_task_sendanddetach
-isc_task_setname
-isc_task_shutdown
-isc_task_unsend
+isc_task_purgerange
+isc_task_purge
+isc_task_purgeevent
 isc_task_unsendrange
+isc_task_unsend
+isc_task_onshutdown
+isc_task_shutdown
+isc_task_destroy
+isc_task_setname
+isc_task_getname
+isc_task_gettag
+isc_task_beginexclusive
+isc_task_endexclusive
+isc_task_endexclusive
 isc_taskmgr_create
 isc_taskmgr_destroy
 isc_taskpool_create
-isc_taskpool_destroy
 isc_taskpool_gettask
+isc_taskpool_destroy
+isc_timer_create
+isc_timer_reset
+isc_timer_touch
+isc_timer_attach
+isc_timer_detach
+isc_timermgr_create
+isc_timermgr_destroy
+isc_condition_init
+isc_condition_wait
+isc_condition_signal
+isc_condition_broadcast
+isc_condition_destroy
+isc_condition_waituntil
+isc_dir_init
+isc_dir_open
+isc_dir_read
+isc_dir_reset
+isc_dir_close
+isc_dir_chdir
+isc_dir_chroot
+isc_net_probeipv4
+isc_net_probeipv6
+isc_net_ntop
+isc_net_pton
+isc_net_aton
+isc_once_do
+isc_stdtime_get
+
 isc_thread_create
 isc_thread_join
 isc_thread_setconcurrency
-isc_time_add
-isc_time_compare
+isc_interval_set
+isc_time_subtract
+isc_interval_iszero
+isc_time_settoepoch
 isc_time_isepoch
-isc_time_microdiff
-isc_time_nanoseconds
 isc_time_now
 isc_time_nowplusinterval
-isc_time_settoepoch
+isc_time_compare
+isc_time_add
 isc_time_subtract
-isc_timer_attach
-isc_timer_create
-isc_timer_detach
-isc_timer_reset
-isc_timer_touch
-isc_timermgr_create
-isc_timermgr_destroy
-
-closelog
+isc_time_microdiff
+isc_time_nanoseconds
+isc_keyboard_open
+isc_keyboard_close
+isc_keyboard_getchar
+isc_keyboard_canceled
+isc_app_start
+isc_app_onrun
+isc_app_run
+isc_app_shutdown
+isc_app_reload
+isc_app_finish
+isc_app_block
+isc_app_unblock
+isc_thread_create
+isc_thread_join
+isc_thread_setconcurrency
+isc_net_probeipv4
+isc_net_probeipv6
+isc_net_ntop
+isc_net_pton
+isc_net_aton
 openlog
 syslog
+closelog
+isc_syslog_facilityfromstring
+NTReportError
+
+isc_file_truncate
+isc__strerror
+isc_parse_uint32
+isc_parse_uint16
+isc_parse_uint8
+isc_win32os_majorversion
+isc_win32os_minorversion
+isc_win32os_servicepackmajor
+isc_win32os_servicepackminor
+isc_win32os_versioncheck
+isc_socket_ipv6only
+isc_region_compare
+isc_socket_filter
+isc_string_strlcpy
+isc_rwlock_tryupgrade
+isc_rwlock_downgrade
+isc_sockaddr_isexperimental
+isc_net_disableipv4
+isc_net_disableipv6
+isc_task_getcurrenttime
+isc_net_probe_ipv6only
 
 ; Exported Data
 
 EXPORTS
 
-;isc_categories
-;isc_lctx
-;isc_modules
-
 isc_mem_debugging		DATA
-isc_commandline_index		DATA
+
+isc_commandline_index	
 isc_commandline_option		DATA
 isc_commandline_argument	DATA
 isc_commandline_progname	DATA
 isc_commandline_errprint	DATA
 isc_commandline_reset		DATA
-isc_assertion_failed	    	DATA
+isc_assertion_failed		DATA
+			
diff --git a/lib/isc/win32/libisc.dsp b/lib/isc/win32/libisc.dsp
index 25ad6790..7434387d 100644
--- a/lib/isc/win32/libisc.dsp
+++ b/lib/isc/win32/libisc.dsp
@@ -369,6 +369,10 @@ SOURCE=..\include\isc\netaddr.h
 # End Source File

 # Begin Source File

 

+SOURCE=..\include\isc\netscope.h

+# End Source File

+# Begin Source File

+

 SOURCE=.\include\isc\netdb.h

 # End Source File

 # Begin Source File

@@ -389,6 +393,10 @@ SOURCE=..\include\isc\ondestroy.h
 # End Source File

 # Begin Source File

 

+SOURCE=..\include\isc\parseint.h

+# End Source File

+# Begin Source File

+

 SOURCE=..\include\isc\os.h

 # End Source File

 # Begin Source File

@@ -625,10 +633,18 @@ SOURCE=..\netaddr.c
 # End Source File

 # Begin Source File

 

+SOURCE=..\netscope.c

+# End Source File

+# Begin Source File

+

 SOURCE=..\ondestroy.c

 # End Source File

 # Begin Source File

 

+SOURCE=..\parseint.c

+# End Source File

+# Begin Source File

+

 SOURCE=..\quota.c

 # End Source File

 # Begin Source File

@@ -641,6 +657,10 @@ SOURCE=..\ratelimiter.c
 # End Source File

 # Begin Source File

 

+SOURCE=..\region.c

+# End Source File

+# Begin Source File

+

 SOURCE=..\result.c

 # End Source File

 # Begin Source File

diff --git a/lib/isc/win32/libisc.dsw b/lib/isc/win32/libisc.dsw
index 49c089c8..c66c56e5 100644
--- a/lib/isc/win32/libisc.dsw
+++ b/lib/isc/win32/libisc.dsw
@@ -1,29 +1,29 @@
-Microsoft Developer Studio Workspace File, Format Version 6.00

-# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!

-

-###############################################################################

-

-Project: "libisc"=".\libisc.dsp" - Package Owner=<4>

-

-Package=<5>

-{{{

-}}}

-

-Package=<4>

-{{{

-}}}

-

-###############################################################################

-

-Global:

-

-Package=<5>

-{{{

-}}}

-

-Package=<3>

-{{{

-}}}

-

-###############################################################################

-

+Microsoft Developer Studio Workspace File, Format Version 6.00
+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!
+
+###############################################################################
+
+Project: "libisc"=".\libisc.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+}}}
+
+###############################################################################
+
+Global:
+
+Package=<5>
+{{{
+}}}
+
+Package=<3>
+{{{
+}}}
+
+###############################################################################
+
diff --git a/lib/isc/win32/libisc.mak b/lib/isc/win32/libisc.mak
index d44c5153..cba3a9fe 100644
--- a/lib/isc/win32/libisc.mak
+++ b/lib/isc/win32/libisc.mak
@@ -1,1752 +1,1692 @@
-# Microsoft Developer Studio Generated NMAKE File, Based on libisc.dsp

-!IF "$(CFG)" == ""

-CFG=libisc - Win32 Debug

-!MESSAGE No configuration specified. Defaulting to libisc - Win32 Debug.

-!ENDIF 

-

-!IF "$(CFG)" != "libisc - Win32 Release" && "$(CFG)" != "libisc - Win32 Debug"

-!MESSAGE Invalid configuration "$(CFG)" specified.

-!MESSAGE You can specify a configuration when running NMAKE

-!MESSAGE by defining the macro CFG on the command line. For example:

-!MESSAGE 

-!MESSAGE NMAKE /f "libisc.mak" CFG="libisc - Win32 Debug"

-!MESSAGE 

-!MESSAGE Possible choices for configuration are:

-!MESSAGE 

-!MESSAGE "libisc - Win32 Release" (based on "Win32 (x86) Dynamic-Link Library")

-!MESSAGE "libisc - Win32 Debug" (based on "Win32 (x86) Dynamic-Link Library")

-!MESSAGE 

-!ERROR An invalid configuration is specified.

-!ENDIF 

-

-!IF "$(OS)" == "Windows_NT"

-NULL=

-!ELSE 

-NULL=nul

-!ENDIF 

-

-!IF  "$(CFG)" == "libisc - Win32 Release"

-_VC_MANIFEST_INC=0

-_VC_MANIFEST_BASENAME=__VC80

-!ELSE

-_VC_MANIFEST_INC=1

-_VC_MANIFEST_BASENAME=__VC80.Debug

-!ENDIF

-

-####################################################

-# Specifying name of temporary resource file used only in incremental builds:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res

-!else

-_VC_MANIFEST_AUTO_RES=

-!endif

-

-####################################################

-# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-

-#MT_SPECIAL_RETURN=1090650113

-#MT_SPECIAL_SWITCH=-notify_resource_update

-MT_SPECIAL_RETURN=0

-MT_SPECIAL_SWITCH=

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \

-if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \

-rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \

-link $** /out:$@ $(LFLAGS)

-

-!else

-

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1

-

-!endif

-

-####################################################

-# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-

-#MT_SPECIAL_RETURN=1090650113

-#MT_SPECIAL_SWITCH=-notify_resource_update

-MT_SPECIAL_RETURN=0

-MT_SPECIAL_SWITCH=

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \

-if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \

-rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \

-link $** /out:$@ $(LFLAGS)

-

-!else

-

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2

-

-!endif

-####################################################

-# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-

-_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \

-    $(_VC_MANIFEST_BASENAME).auto.rc \

-    $(_VC_MANIFEST_BASENAME).auto.manifest

-

-!else

-

-_VC_MANIFEST_CLEAN=

-

-!endif

-

-!IF  "$(CFG)" == "libisc - Win32 Release"

-

-OUTDIR=.\Release

-INTDIR=.\Release

-

-ALL : "..\..\..\Build\Release\libisc.dll"

-

-

-CLEAN :

-	-@erase "$(INTDIR)\app.obj"

-	-@erase "$(INTDIR)\assertions.obj"

-	-@erase "$(INTDIR)\base64.obj"

-	-@erase "$(INTDIR)\bitstring.obj"

-	-@erase "$(INTDIR)\buffer.obj"

-	-@erase "$(INTDIR)\bufferlist.obj"

-	-@erase "$(INTDIR)\commandline.obj"

-	-@erase "$(INTDIR)\condition.obj"

-	-@erase "$(INTDIR)\dir.obj"

-	-@erase "$(INTDIR)\DLLMain.obj"

-	-@erase "$(INTDIR)\entropy.obj"

-	-@erase "$(INTDIR)\errno2result.obj"

-	-@erase "$(INTDIR)\error.obj"

-	-@erase "$(INTDIR)\event.obj"

-	-@erase "$(INTDIR)\file.obj"

-	-@erase "$(INTDIR)\fsaccess.obj"

-	-@erase "$(INTDIR)\hash.obj"

-	-@erase "$(INTDIR)\heap.obj"

-	-@erase "$(INTDIR)\hex.obj"

-	-@erase "$(INTDIR)\hmacmd5.obj"

-	-@erase "$(INTDIR)\inet_aton.obj"

-	-@erase "$(INTDIR)\inet_ntop.obj"

-	-@erase "$(INTDIR)\inet_pton.obj"

-	-@erase "$(INTDIR)\interfaceiter.obj"

-	-@erase "$(INTDIR)\ipv6.obj"

-	-@erase "$(INTDIR)\keyboard.obj"

-	-@erase "$(INTDIR)\lex.obj"

-	-@erase "$(INTDIR)\lfsr.obj"

-	-@erase "$(INTDIR)\lib.obj"

-	-@erase "$(INTDIR)\log.obj"

-	-@erase "$(INTDIR)\md5.obj"

-	-@erase "$(INTDIR)\mem.obj"

-	-@erase "$(INTDIR)\msgcat.obj"

-	-@erase "$(INTDIR)\mutexblock.obj"

-	-@erase "$(INTDIR)\net.obj"

-	-@erase "$(INTDIR)\netaddr.obj"

-	-@erase "$(INTDIR)\ntpaths.obj"

-	-@erase "$(INTDIR)\once.obj"

-	-@erase "$(INTDIR)\ondestroy.obj"

-	-@erase "$(INTDIR)\os.obj"

-	-@erase "$(INTDIR)\quota.obj"

-	-@erase "$(INTDIR)\random.obj"

-	-@erase "$(INTDIR)\ratelimiter.obj"

-	-@erase "$(INTDIR)\resource.obj"

-	-@erase "$(INTDIR)\result.obj"

-	-@erase "$(INTDIR)\rwlock.obj"

-	-@erase "$(INTDIR)\serial.obj"

-	-@erase "$(INTDIR)\sha1.obj"

-	-@erase "$(INTDIR)\sockaddr.obj"

-	-@erase "$(INTDIR)\socket.obj"

-	-@erase "$(INTDIR)\stdio.obj"

-	-@erase "$(INTDIR)\strerror.obj"

-	-@erase "$(INTDIR)\stdtime.obj"

-	-@erase "$(INTDIR)\string.obj"

-	-@erase "$(INTDIR)\symtab.obj"

-	-@erase "$(INTDIR)\syslog.obj"

-	-@erase "$(INTDIR)\task.obj"

-	-@erase "$(INTDIR)\taskpool.obj"

-	-@erase "$(INTDIR)\thread.obj"

-	-@erase "$(INTDIR)\time.obj"

-	-@erase "$(INTDIR)\timer.obj"

-	-@erase "$(INTDIR)\vc60.idb"

-	-@erase "$(INTDIR)\version.obj"

-	-@erase "$(INTDIR)\win32os.obj"

-	-@erase "$(OUTDIR)\libisc.exp"

-	-@erase "$(OUTDIR)\libisc.lib"

-	-@erase "..\..\..\Build\Release\libisc.dll"

-	-@$(_VC_MANIFEST_CLEAN)

-

-"$(OUTDIR)" :

-    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"

-

-CPP=cl.exe

-CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "include" /I "../include" /I "win32" /I "../../isccfg/include" /D "WIN32" /D "NDEBUG" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "LIBISC_EXPORTS" /Fp"$(INTDIR)\libisc.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 

-

-.c{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.c{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-MTL=midl.exe

-MTL_PROJ=/nologo /D "NDEBUG" /mktyplib203 /win32 

-RSC=rc.exe

-BSC32=bscmake.exe

-BSC32_FLAGS=/nologo /o"$(OUTDIR)\libisc.bsc" 

-BSC32_SBRS= \

-	

-LINK32=link.exe

-LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib /nologo /dll /incremental:no /pdb:"$(OUTDIR)\libisc.pdb" /machine:I386 /def:".\libisc.def" /out:"../../../Build/Release/libisc.dll" /implib:"$(OUTDIR)\libisc.lib" 

-DEF_FILE= \

-	".\libisc.def"

-LINK32_OBJS= \

-	"$(INTDIR)\app.obj" \

-	"$(INTDIR)\condition.obj" \

-	"$(INTDIR)\dir.obj" \

-	"$(INTDIR)\DLLMain.obj" \

-	"$(INTDIR)\entropy.obj" \

-	"$(INTDIR)\errno2result.obj" \

-	"$(INTDIR)\file.obj" \

-	"$(INTDIR)\fsaccess.obj" \

-	"$(INTDIR)\interfaceiter.obj" \

-	"$(INTDIR)\ipv6.obj" \

-	"$(INTDIR)\keyboard.obj" \

-	"$(INTDIR)\net.obj" \

-	"$(INTDIR)\ntpaths.obj" \

-	"$(INTDIR)\once.obj" \

-	"$(INTDIR)\os.obj" \

-	"$(INTDIR)\resource.obj" \

-	"$(INTDIR)\socket.obj" \

-	"$(INTDIR)\stdio.obj" \

-	"$(INTDIR)\strerror.obj" \

-	"$(INTDIR)\stdtime.obj" \

-	"$(INTDIR)\syslog.obj" \

-	"$(INTDIR)\thread.obj" \

-	"$(INTDIR)\time.obj" \

-	"$(INTDIR)\version.obj" \

-	"$(INTDIR)\assertions.obj" \

-	"$(INTDIR)\base64.obj" \

-	"$(INTDIR)\bitstring.obj" \

-	"$(INTDIR)\buffer.obj" \

-	"$(INTDIR)\bufferlist.obj" \

-	"$(INTDIR)\commandline.obj" \

-	"$(INTDIR)\error.obj" \

-	"$(INTDIR)\event.obj" \

-	"$(INTDIR)\hash.obj" \

-	"$(INTDIR)\heap.obj" \

-	"$(INTDIR)\hex.obj" \

-	"$(INTDIR)\hmacmd5.obj" \

-	"$(INTDIR)\inet_aton.obj" \

-	"$(INTDIR)\inet_ntop.obj" \

-	"$(INTDIR)\inet_pton.obj" \

-	"$(INTDIR)\lex.obj" \

-	"$(INTDIR)\lfsr.obj" \

-	"$(INTDIR)\lib.obj" \

-	"$(INTDIR)\log.obj" \

-	"$(INTDIR)\md5.obj" \

-	"$(INTDIR)\mem.obj" \

-	"$(INTDIR)\msgcat.obj" \

-	"$(INTDIR)\mutexblock.obj" \

-	"$(INTDIR)\netaddr.obj" \

-	"$(INTDIR)\ondestroy.obj" \

-	"$(INTDIR)\quota.obj" \

-	"$(INTDIR)\random.obj" \

-	"$(INTDIR)\ratelimiter.obj" \

-	"$(INTDIR)\result.obj" \

-	"$(INTDIR)\rwlock.obj" \

-	"$(INTDIR)\serial.obj" \

-	"$(INTDIR)\sha1.obj" \

-	"$(INTDIR)\sockaddr.obj" \

-	"$(INTDIR)\string.obj" \

-	"$(INTDIR)\symtab.obj" \

-	"$(INTDIR)\task.obj" \

-	"$(INTDIR)\taskpool.obj" \

-	"$(INTDIR)\timer.obj" \

-	"$(INTDIR)\win32os.obj"

-

-"..\..\..\Build\Release\libisc.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)

-    $(LINK32) @<<

-  $(LINK32_FLAGS) $(LINK32_OBJS)

-<<

-  $(_VC_MANIFEST_EMBED_DLL)

-

-!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"

-

-OUTDIR=.\Debug

-INTDIR=.\Debug

-# Begin Custom Macros

-OutDir=.\Debug

-# End Custom Macros

-

-ALL : "..\..\..\Build\Debug\libisc.dll" "$(OUTDIR)\libisc.bsc"

-

-

-CLEAN :

-	-@erase "$(INTDIR)\app.obj"

-	-@erase "$(INTDIR)\app.sbr"

-	-@erase "$(INTDIR)\assertions.obj"

-	-@erase "$(INTDIR)\assertions.sbr"

-	-@erase "$(INTDIR)\base64.obj"

-	-@erase "$(INTDIR)\base64.sbr"

-	-@erase "$(INTDIR)\bitstring.obj"

-	-@erase "$(INTDIR)\bitstring.sbr"

-	-@erase "$(INTDIR)\buffer.obj"

-	-@erase "$(INTDIR)\buffer.sbr"

-	-@erase "$(INTDIR)\bufferlist.obj"

-	-@erase "$(INTDIR)\bufferlist.sbr"

-	-@erase "$(INTDIR)\commandline.obj"

-	-@erase "$(INTDIR)\commandline.sbr"

-	-@erase "$(INTDIR)\condition.obj"

-	-@erase "$(INTDIR)\condition.sbr"

-	-@erase "$(INTDIR)\dir.obj"

-	-@erase "$(INTDIR)\dir.sbr"

-	-@erase "$(INTDIR)\DLLMain.obj"

-	-@erase "$(INTDIR)\DLLMain.sbr"

-	-@erase "$(INTDIR)\entropy.obj"

-	-@erase "$(INTDIR)\entropy.sbr"

-	-@erase "$(INTDIR)\errno2result.obj"

-	-@erase "$(INTDIR)\errno2result.sbr"

-	-@erase "$(INTDIR)\error.obj"

-	-@erase "$(INTDIR)\error.sbr"

-	-@erase "$(INTDIR)\event.obj"

-	-@erase "$(INTDIR)\event.sbr"

-	-@erase "$(INTDIR)\file.obj"

-	-@erase "$(INTDIR)\file.sbr"

-	-@erase "$(INTDIR)\fsaccess.obj"

-	-@erase "$(INTDIR)\fsaccess.sbr"

-	-@erase "$(INTDIR)\hash.obj"

-	-@erase "$(INTDIR)\hash.sbr"

-	-@erase "$(INTDIR)\heap.obj"

-	-@erase "$(INTDIR)\heap.sbr"

-	-@erase "$(INTDIR)\hex.obj"

-	-@erase "$(INTDIR)\hex.sbr"

-	-@erase "$(INTDIR)\hmacmd5.obj"

-	-@erase "$(INTDIR)\hmacmd5.sbr"

-	-@erase "$(INTDIR)\inet_aton.obj"

-	-@erase "$(INTDIR)\inet_aton.sbr"

-	-@erase "$(INTDIR)\inet_ntop.obj"

-	-@erase "$(INTDIR)\inet_ntop.sbr"

-	-@erase "$(INTDIR)\inet_pton.obj"

-	-@erase "$(INTDIR)\inet_pton.sbr"

-	-@erase "$(INTDIR)\interfaceiter.obj"

-	-@erase "$(INTDIR)\interfaceiter.sbr"

-	-@erase "$(INTDIR)\ipv6.obj"

-	-@erase "$(INTDIR)\ipv6.sbr"

-	-@erase "$(INTDIR)\keyboard.obj"

-	-@erase "$(INTDIR)\keyboard.sbr"

-	-@erase "$(INTDIR)\lex.obj"

-	-@erase "$(INTDIR)\lex.sbr"

-	-@erase "$(INTDIR)\lfsr.obj"

-	-@erase "$(INTDIR)\lfsr.sbr"

-	-@erase "$(INTDIR)\lib.obj"

-	-@erase "$(INTDIR)\lib.sbr"

-	-@erase "$(INTDIR)\log.obj"

-	-@erase "$(INTDIR)\log.sbr"

-	-@erase "$(INTDIR)\md5.obj"

-	-@erase "$(INTDIR)\md5.sbr"

-	-@erase "$(INTDIR)\mem.obj"

-	-@erase "$(INTDIR)\mem.sbr"

-	-@erase "$(INTDIR)\msgcat.obj"

-	-@erase "$(INTDIR)\msgcat.sbr"

-	-@erase "$(INTDIR)\mutexblock.obj"

-	-@erase "$(INTDIR)\mutexblock.sbr"

-	-@erase "$(INTDIR)\net.obj"

-	-@erase "$(INTDIR)\net.sbr"

-	-@erase "$(INTDIR)\netaddr.obj"

-	-@erase "$(INTDIR)\netaddr.sbr"

-	-@erase "$(INTDIR)\ntpaths.obj"

-	-@erase "$(INTDIR)\ntpaths.sbr"

-	-@erase "$(INTDIR)\once.obj"

-	-@erase "$(INTDIR)\once.sbr"

-	-@erase "$(INTDIR)\ondestroy.obj"

-	-@erase "$(INTDIR)\ondestroy.sbr"

-	-@erase "$(INTDIR)\os.obj"

-	-@erase "$(INTDIR)\os.sbr"

-	-@erase "$(INTDIR)\quota.obj"

-	-@erase "$(INTDIR)\quota.sbr"

-	-@erase "$(INTDIR)\random.obj"

-	-@erase "$(INTDIR)\random.sbr"

-	-@erase "$(INTDIR)\ratelimiter.obj"

-	-@erase "$(INTDIR)\ratelimiter.sbr"

-	-@erase "$(INTDIR)\resource.obj"

-	-@erase "$(INTDIR)\resource.sbr"

-	-@erase "$(INTDIR)\result.obj"

-	-@erase "$(INTDIR)\result.sbr"

-	-@erase "$(INTDIR)\rwlock.obj"

-	-@erase "$(INTDIR)\rwlock.sbr"

-	-@erase "$(INTDIR)\serial.obj"

-	-@erase "$(INTDIR)\serial.sbr"

-	-@erase "$(INTDIR)\sha1.obj"

-	-@erase "$(INTDIR)\sha1.sbr"

-	-@erase "$(INTDIR)\sockaddr.obj"

-	-@erase "$(INTDIR)\sockaddr.sbr"

-	-@erase "$(INTDIR)\socket.obj"

-	-@erase "$(INTDIR)\socket.sbr"

-	-@erase "$(INTDIR)\stdio.obj"

-	-@erase "$(INTDIR)\stdio.sbr"

-	-@erase "$(INTDIR)\strerror.obj"

-	-@erase "$(INTDIR)\strerror.sbr"

-	-@erase "$(INTDIR)\stdtime.obj"

-	-@erase "$(INTDIR)\stdtime.sbr"

-	-@erase "$(INTDIR)\string.obj"

-	-@erase "$(INTDIR)\string.sbr"

-	-@erase "$(INTDIR)\symtab.obj"

-	-@erase "$(INTDIR)\symtab.sbr"

-	-@erase "$(INTDIR)\syslog.obj"

-	-@erase "$(INTDIR)\syslog.sbr"

-	-@erase "$(INTDIR)\task.obj"

-	-@erase "$(INTDIR)\task.sbr"

-	-@erase "$(INTDIR)\taskpool.obj"

-	-@erase "$(INTDIR)\taskpool.sbr"

-	-@erase "$(INTDIR)\thread.obj"

-	-@erase "$(INTDIR)\thread.sbr"

-	-@erase "$(INTDIR)\time.obj"

-	-@erase "$(INTDIR)\time.sbr"

-	-@erase "$(INTDIR)\timer.obj"

-	-@erase "$(INTDIR)\timer.sbr"

-	-@erase "$(INTDIR)\vc60.idb"

-	-@erase "$(INTDIR)\vc60.pdb"

-	-@erase "$(INTDIR)\version.obj"

-	-@erase "$(INTDIR)\version.sbr"

-	-@erase "$(INTDIR)\win32os.obj"

-	-@erase "$(INTDIR)\win32os.sbr"

-	-@erase "$(OUTDIR)\libisc.bsc"

-	-@erase "$(OUTDIR)\libisc.exp"

-	-@erase "$(OUTDIR)\libisc.lib"

-	-@erase "$(OUTDIR)\libisc.map"

-	-@erase "$(OUTDIR)\libisc.pdb"

-	-@erase "..\..\..\Build\Debug\libisc.dll"

-	-@erase "..\..\..\Build\Debug\libisc.ilk"

-	-@$(_VC_MANIFEST_CLEAN)

-

-"$(OUTDIR)" :

-    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"

-

-CPP=cl.exe

-CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "win32" /I "../../isccfg/include" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "LIBISC_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\libisc.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 

-

-.c{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.c{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-MTL=midl.exe

-MTL_PROJ=/nologo /D "_DEBUG" /mktyplib203 /win32 

-RSC=rc.exe

-BSC32=bscmake.exe

-BSC32_FLAGS=/nologo /o"$(OUTDIR)\libisc.bsc" 

-BSC32_SBRS= \

-	"$(INTDIR)\app.sbr" \

-	"$(INTDIR)\condition.sbr" \

-	"$(INTDIR)\dir.sbr" \

-	"$(INTDIR)\DLLMain.sbr" \

-	"$(INTDIR)\entropy.sbr" \

-	"$(INTDIR)\errno2result.sbr" \

-	"$(INTDIR)\file.sbr" \

-	"$(INTDIR)\fsaccess.sbr" \

-	"$(INTDIR)\interfaceiter.sbr" \

-	"$(INTDIR)\ipv6.sbr" \

-	"$(INTDIR)\keyboard.sbr" \

-	"$(INTDIR)\net.sbr" \

-	"$(INTDIR)\once.sbr" \

-	"$(INTDIR)\os.sbr" \

-	"$(INTDIR)\resource.sbr" \

-	"$(INTDIR)\socket.sbr" \

-	"$(INTDIR)\stdio.sbr" \

-	"$(INTDIR)\strerror.sbr" \

-	"$(INTDIR)\stdtime.sbr" \

-	"$(INTDIR)\syslog.sbr" \

-	"$(INTDIR)\thread.sbr" \

-	"$(INTDIR)\time.sbr" \

-	"$(INTDIR)\version.sbr" \

-	"$(INTDIR)\assertions.sbr" \

-	"$(INTDIR)\base64.sbr" \

-	"$(INTDIR)\bitstring.sbr" \

-	"$(INTDIR)\buffer.sbr" \

-	"$(INTDIR)\bufferlist.sbr" \

-	"$(INTDIR)\commandline.sbr" \

-	"$(INTDIR)\error.sbr" \

-	"$(INTDIR)\event.sbr" \

-	"$(INTDIR)\hash.sbr" \

-	"$(INTDIR)\heap.sbr" \

-	"$(INTDIR)\hex.sbr" \

-	"$(INTDIR)\hmacmd5.sbr" \

-	"$(INTDIR)\inet_aton.sbr" \

-	"$(INTDIR)\inet_ntop.sbr" \

-	"$(INTDIR)\inet_pton.sbr" \

-	"$(INTDIR)\lex.sbr" \

-	"$(INTDIR)\lfsr.sbr" \

-	"$(INTDIR)\lib.sbr" \

-	"$(INTDIR)\log.sbr" \

-	"$(INTDIR)\md5.sbr" \

-	"$(INTDIR)\mem.sbr" \

-	"$(INTDIR)\msgcat.sbr" \

-	"$(INTDIR)\mutexblock.sbr" \

-	"$(INTDIR)\netaddr.sbr" \

-	"$(INTDIR)\ondestroy.sbr" \

-	"$(INTDIR)\quota.sbr" \

-	"$(INTDIR)\random.sbr" \

-	"$(INTDIR)\ratelimiter.sbr" \

-	"$(INTDIR)\result.sbr" \

-	"$(INTDIR)\rwlock.sbr" \

-	"$(INTDIR)\serial.sbr" \

-	"$(INTDIR)\sha1.sbr" \

-	"$(INTDIR)\sockaddr.sbr" \

-	"$(INTDIR)\string.sbr" \

-	"$(INTDIR)\symtab.sbr" \

-	"$(INTDIR)\task.sbr" \

-	"$(INTDIR)\taskpool.sbr" \

-	"$(INTDIR)\timer.sbr" \

-	"$(INTDIR)\win32os.sbr" \

-

-"$(OUTDIR)\libisc.bsc" : "$(OUTDIR)" $(BSC32_SBRS)

-    $(BSC32) @<<

-  $(BSC32_FLAGS) $(BSC32_SBRS)

-<<

-

-LINK32=link.exe

-LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib /nologo /dll /incremental:yes /pdb:"$(OUTDIR)\libisc.pdb" /map:"$(INTDIR)\libisc.map" /debug /machine:I386 /def:".\libisc.def" /out:"../../../Build/Debug/libisc.dll" /implib:"$(OUTDIR)\libisc.lib" /pdbtype:sept 

-DEF_FILE= \

-	".\libisc.def"

-LINK32_OBJS= \

-	"$(INTDIR)\app.obj" \

-	"$(INTDIR)\condition.obj" \

-	"$(INTDIR)\dir.obj" \

-	"$(INTDIR)\DLLMain.obj" \

-	"$(INTDIR)\entropy.obj" \

-	"$(INTDIR)\errno2result.obj" \

-	"$(INTDIR)\file.obj" \

-	"$(INTDIR)\fsaccess.obj" \

-	"$(INTDIR)\interfaceiter.obj" \

-	"$(INTDIR)\ipv6.obj" \

-	"$(INTDIR)\keyboard.obj" \

-	"$(INTDIR)\net.obj" \

-	"$(INTDIR)\ntpaths.obj" \

-	"$(INTDIR)\once.obj" \

-	"$(INTDIR)\os.obj" \

-	"$(INTDIR)\resource.obj" \

-	"$(INTDIR)\socket.obj" \

-	"$(INTDIR)\stdio.obj" \

-	"$(INTDIR)\strerror.obj" \

-	"$(INTDIR)\stdtime.obj" \

-	"$(INTDIR)\syslog.obj" \

-	"$(INTDIR)\thread.obj" \

-	"$(INTDIR)\time.obj" \

-	"$(INTDIR)\version.obj" \

-	"$(INTDIR)\assertions.obj" \

-	"$(INTDIR)\base64.obj" \

-	"$(INTDIR)\bitstring.obj" \

-	"$(INTDIR)\buffer.obj" \

-	"$(INTDIR)\bufferlist.obj" \

-	"$(INTDIR)\commandline.obj" \

-	"$(INTDIR)\error.obj" \

-	"$(INTDIR)\event.obj" \

-	"$(INTDIR)\hash.obj" \

-	"$(INTDIR)\heap.obj" \

-	"$(INTDIR)\hex.obj" \

-	"$(INTDIR)\hmacmd5.obj" \

-	"$(INTDIR)\inet_aton.obj" \

-	"$(INTDIR)\inet_ntop.obj" \

-	"$(INTDIR)\inet_pton.obj" \

-	"$(INTDIR)\lex.obj" \

-	"$(INTDIR)\lfsr.obj" \

-	"$(INTDIR)\lib.obj" \

-	"$(INTDIR)\log.obj" \

-	"$(INTDIR)\md5.obj" \

-	"$(INTDIR)\mem.obj" \

-	"$(INTDIR)\msgcat.obj" \

-	"$(INTDIR)\mutexblock.obj" \

-	"$(INTDIR)\netaddr.obj" \

-	"$(INTDIR)\ondestroy.obj" \

-	"$(INTDIR)\quota.obj" \

-	"$(INTDIR)\random.obj" \

-	"$(INTDIR)\ratelimiter.obj" \

-	"$(INTDIR)\result.obj" \

-	"$(INTDIR)\rwlock.obj" \

-	"$(INTDIR)\serial.obj" \

-	"$(INTDIR)\sha1.obj" \

-	"$(INTDIR)\sockaddr.obj" \

-	"$(INTDIR)\string.obj" \

-	"$(INTDIR)\symtab.obj" \

-	"$(INTDIR)\task.obj" \

-	"$(INTDIR)\taskpool.obj" \

-	"$(INTDIR)\timer.obj" \

-	"$(INTDIR)\win32os.obj"

-

-"..\..\..\Build\Debug\libisc.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)

-    $(LINK32) @<<

-  $(LINK32_FLAGS) $(LINK32_OBJS)

-<<

-  $(_VC_MANIFEST_EMBED_DLL)

-

-!ENDIF 

-

-

-!IF "$(NO_EXTERNAL_DEPS)" != "1"

-!IF EXISTS("libisc.dep")

-!INCLUDE "libisc.dep"

-!ELSE 

-!MESSAGE Warning: cannot find "libisc.dep"

-!ENDIF 

-!ENDIF 

-

-

-!IF "$(CFG)" == "libisc - Win32 Release" || "$(CFG)" == "libisc - Win32 Debug"

-SOURCE=.\app.c

-

-!IF  "$(CFG)" == "libisc - Win32 Release"

-

-

-"$(INTDIR)\app.obj" : $(SOURCE) "$(INTDIR)"

-

-

-!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"

-

-

-"$(INTDIR)\app.obj"	"$(INTDIR)\app.sbr" : $(SOURCE) "$(INTDIR)"

-

-

-!ENDIF 

-

-SOURCE=.\condition.c

-

-!IF  "$(CFG)" == "libisc - Win32 Release"

-

-

-"$(INTDIR)\condition.obj" : $(SOURCE) "$(INTDIR)"

-

-

-!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"

-

-

-"$(INTDIR)\condition.obj"	"$(INTDIR)\condition.sbr" : $(SOURCE) "$(INTDIR)"

-

-

-!ENDIF 

-

-SOURCE=.\dir.c

-

-!IF  "$(CFG)" == "libisc - Win32 Release"

-

-

-"$(INTDIR)\dir.obj" : $(SOURCE) "$(INTDIR)"

-

-

-!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"

-

-

-"$(INTDIR)\dir.obj"	"$(INTDIR)\dir.sbr" : $(SOURCE) "$(INTDIR)"

-

-

-!ENDIF 

-

-SOURCE=.\DLLMain.c

-

-!IF  "$(CFG)" == "libisc - Win32 Release"

-

-

-"$(INTDIR)\DLLMain.obj" : $(SOURCE) "$(INTDIR)"

-

-

-!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"

-

-

-"$(INTDIR)\DLLMain.obj"	"$(INTDIR)\DLLMain.sbr" : $(SOURCE) "$(INTDIR)"

-

-

-!ENDIF 

-

-SOURCE=.\entropy.c

-

-!IF  "$(CFG)" == "libisc - Win32 Release"

-

-

-"$(INTDIR)\entropy.obj" : $(SOURCE) "$(INTDIR)"

-

-

-!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"

-

-

-"$(INTDIR)\entropy.obj"	"$(INTDIR)\entropy.sbr" : $(SOURCE) "$(INTDIR)"

-

-

-!ENDIF 

-

-SOURCE=.\errno2result.c

-

-!IF  "$(CFG)" == "libisc - Win32 Release"

-

-

-"$(INTDIR)\errno2result.obj" : $(SOURCE) "$(INTDIR)"

-

-

-!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"

-

-

-"$(INTDIR)\errno2result.obj"	"$(INTDIR)\errno2result.sbr" : $(SOURCE) "$(INTDIR)"

-

-

-!ENDIF 

-

-SOURCE=.\file.c

-

-!IF  "$(CFG)" == "libisc - Win32 Release"

-

-

-"$(INTDIR)\file.obj" : $(SOURCE) "$(INTDIR)"

-

-

-!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"

-

-

-"$(INTDIR)\file.obj"	"$(INTDIR)\file.sbr" : $(SOURCE) "$(INTDIR)"

-

-

-!ENDIF 

-

-SOURCE=.\fsaccess.c

-

-!IF  "$(CFG)" == "libisc - Win32 Release"

-

-

-"$(INTDIR)\fsaccess.obj" : $(SOURCE) "$(INTDIR)"

-

-

-!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"

-

-

-"$(INTDIR)\fsaccess.obj"	"$(INTDIR)\fsaccess.sbr" : $(SOURCE) "$(INTDIR)"

-

-

-!ENDIF 

-

-SOURCE=.\interfaceiter.c

-

-!IF  "$(CFG)" == "libisc - Win32 Release"

-

-

-"$(INTDIR)\interfaceiter.obj" : $(SOURCE) "$(INTDIR)"

-

-

-!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"

-

-

-"$(INTDIR)\interfaceiter.obj"	"$(INTDIR)\interfaceiter.sbr" : $(SOURCE) "$(INTDIR)"

-

-

-!ENDIF 

-

-SOURCE=.\ipv6.c

-

-!IF  "$(CFG)" == "libisc - Win32 Release"

-

-

-"$(INTDIR)\ipv6.obj" : $(SOURCE) "$(INTDIR)"

-

-

-!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"

-

-

-"$(INTDIR)\ipv6.obj"	"$(INTDIR)\ipv6.sbr" : $(SOURCE) "$(INTDIR)"

-

-

-!ENDIF 

-

-SOURCE=.\keyboard.c

-

-!IF  "$(CFG)" == "libisc - Win32 Release"

-

-

-"$(INTDIR)\keyboard.obj" : $(SOURCE) "$(INTDIR)"

-

-

-!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"

-

-

-"$(INTDIR)\keyboard.obj"	"$(INTDIR)\keyboard.sbr" : $(SOURCE) "$(INTDIR)"

-

-

-!ENDIF 

-

-SOURCE=.\net.c

-

-!IF  "$(CFG)" == "libisc - Win32 Release"

-

-

-"$(INTDIR)\net.obj" : $(SOURCE) "$(INTDIR)"

-

-

-!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"

-

-

-"$(INTDIR)\net.obj"	"$(INTDIR)\net.sbr" : $(SOURCE) "$(INTDIR)"

-

-

-!ENDIF 

-

-SOURCE=.\ntpaths.c

-

-!IF  "$(CFG)" == "libisc - Win32 Release"

-

-

-"$(INTDIR)\ntpaths.obj" : $(SOURCE) "$(INTDIR)"

-

-

-!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"

-

-

-"$(INTDIR)\ntpaths.obj"	"$(INTDIR)\ntpaths.sbr" : $(SOURCE) "$(INTDIR)"

-

-

-!ENDIF 

-

-SOURCE=.\once.c

-

-!IF  "$(CFG)" == "libisc - Win32 Release"

-

-

-"$(INTDIR)\once.obj" : $(SOURCE) "$(INTDIR)"

-

-

-!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"

-

-

-"$(INTDIR)\once.obj"	"$(INTDIR)\once.sbr" : $(SOURCE) "$(INTDIR)"

-

-

-!ENDIF 

-

-SOURCE=.\os.c

-

-!IF  "$(CFG)" == "libisc - Win32 Release"

-

-

-"$(INTDIR)\os.obj" : $(SOURCE) "$(INTDIR)"

-

-

-!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"

-

-

-"$(INTDIR)\os.obj"	"$(INTDIR)\os.sbr" : $(SOURCE) "$(INTDIR)"

-

-

-!ENDIF 

-

-SOURCE=.\resource.c

-

-!IF  "$(CFG)" == "libisc - Win32 Release"

-

-

-"$(INTDIR)\resource.obj" : $(SOURCE) "$(INTDIR)"

-

-

-!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"

-

-

-"$(INTDIR)\resource.obj"	"$(INTDIR)\resource.sbr" : $(SOURCE) "$(INTDIR)"

-

-

-!ENDIF 

-

-SOURCE=.\socket.c

-

-!IF  "$(CFG)" == "libisc - Win32 Release"

-

-

-"$(INTDIR)\socket.obj" : $(SOURCE) "$(INTDIR)"

-

-

-!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"

-

-

-"$(INTDIR)\socket.obj"	"$(INTDIR)\socket.sbr" : $(SOURCE) "$(INTDIR)"

-

-

-!ENDIF 

-

-SOURCE=.\stdio.c

-

-!IF  "$(CFG)" == "libisc - Win32 Release"

-

-

-"$(INTDIR)\stdio.obj" : $(SOURCE) "$(INTDIR)"

-

-

-!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"

-

-

-"$(INTDIR)\stdio.obj"	"$(INTDIR)\stdio.sbr" : $(SOURCE) "$(INTDIR)"

-

-

-!ENDIF 

-

-SOURCE=.\strerror.c

-

-!IF  "$(CFG)" == "libisc - Win32 Release"

-

-

-"$(INTDIR)\strerror.obj" : $(SOURCE) "$(INTDIR)"

-

-

-!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"

-

-

-"$(INTDIR)\strerror.obj"	"$(INTDIR)\strerror.sbr" : $(SOURCE) "$(INTDIR)"

-

-

-!ENDIF 

-

-SOURCE=.\stdtime.c

-

-!IF  "$(CFG)" == "libisc - Win32 Release"

-

-

-"$(INTDIR)\stdtime.obj" : $(SOURCE) "$(INTDIR)"

-

-

-!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"

-

-

-"$(INTDIR)\stdtime.obj"	"$(INTDIR)\stdtime.sbr" : $(SOURCE) "$(INTDIR)"

-

-

-!ENDIF 

-

-SOURCE=.\syslog.c

-

-!IF  "$(CFG)" == "libisc - Win32 Release"

-

-

-"$(INTDIR)\syslog.obj" : $(SOURCE) "$(INTDIR)"

-

-

-!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"

-

-

-"$(INTDIR)\syslog.obj"	"$(INTDIR)\syslog.sbr" : $(SOURCE) "$(INTDIR)"

-

-

-!ENDIF 

-

-SOURCE=.\thread.c

-

-!IF  "$(CFG)" == "libisc - Win32 Release"

-

-

-"$(INTDIR)\thread.obj" : $(SOURCE) "$(INTDIR)"

-

-

-!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"

-

-

-"$(INTDIR)\thread.obj"	"$(INTDIR)\thread.sbr" : $(SOURCE) "$(INTDIR)"

-

-

-!ENDIF 

-

-SOURCE=.\time.c

-

-!IF  "$(CFG)" == "libisc - Win32 Release"

-

-

-"$(INTDIR)\time.obj" : $(SOURCE) "$(INTDIR)"

-

-

-!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"

-

-

-"$(INTDIR)\time.obj"	"$(INTDIR)\time.sbr" : $(SOURCE) "$(INTDIR)"

-

-

-!ENDIF 

-

-SOURCE=.\version.c

-

-!IF  "$(CFG)" == "libisc - Win32 Release"

-

-

-"$(INTDIR)\version.obj" : $(SOURCE) "$(INTDIR)"

-

-

-!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"

-

-

-"$(INTDIR)\version.obj"	"$(INTDIR)\version.sbr" : $(SOURCE) "$(INTDIR)"

-

-

-!ENDIF 

-

-SOURCE=..\assertions.c

-

-!IF  "$(CFG)" == "libisc - Win32 Release"

-

-

-"$(INTDIR)\assertions.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"

-

-

-"$(INTDIR)\assertions.obj"	"$(INTDIR)\assertions.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\base64.c

-

-!IF  "$(CFG)" == "libisc - Win32 Release"

-

-

-"$(INTDIR)\base64.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"

-

-

-"$(INTDIR)\base64.obj"	"$(INTDIR)\base64.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\bitstring.c

-

-!IF  "$(CFG)" == "libisc - Win32 Release"

-

-

-"$(INTDIR)\bitstring.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"

-

-

-"$(INTDIR)\bitstring.obj"	"$(INTDIR)\bitstring.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\buffer.c

-

-!IF  "$(CFG)" == "libisc - Win32 Release"

-

-

-"$(INTDIR)\buffer.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"

-

-

-"$(INTDIR)\buffer.obj"	"$(INTDIR)\buffer.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\bufferlist.c

-

-!IF  "$(CFG)" == "libisc - Win32 Release"

-

-

-"$(INTDIR)\bufferlist.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"

-

-

-"$(INTDIR)\bufferlist.obj"	"$(INTDIR)\bufferlist.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\commandline.c

-

-!IF  "$(CFG)" == "libisc - Win32 Release"

-

-

-"$(INTDIR)\commandline.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"

-

-

-"$(INTDIR)\commandline.obj"	"$(INTDIR)\commandline.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\error.c

-

-!IF  "$(CFG)" == "libisc - Win32 Release"

-

-

-"$(INTDIR)\error.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"

-

-

-"$(INTDIR)\error.obj"	"$(INTDIR)\error.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\event.c

-

-!IF  "$(CFG)" == "libisc - Win32 Release"

-

-

-"$(INTDIR)\event.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"

-

-

-"$(INTDIR)\event.obj"	"$(INTDIR)\event.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\hash.c

-

-!IF  "$(CFG)" == "libisc - Win32 Release"

-

-

-"$(INTDIR)\hash.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"

-

-

-"$(INTDIR)\hash.obj"	"$(INTDIR)\hash.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\heap.c

-

-!IF  "$(CFG)" == "libisc - Win32 Release"

-

-

-"$(INTDIR)\heap.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"

-

-

-"$(INTDIR)\heap.obj"	"$(INTDIR)\heap.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\hex.c

-

-!IF  "$(CFG)" == "libisc - Win32 Release"

-

-

-"$(INTDIR)\hex.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"

-

-

-"$(INTDIR)\hex.obj"	"$(INTDIR)\hex.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\hmacmd5.c

-

-!IF  "$(CFG)" == "libisc - Win32 Release"

-

-

-"$(INTDIR)\hmacmd5.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"

-

-

-"$(INTDIR)\hmacmd5.obj"	"$(INTDIR)\hmacmd5.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\inet_aton.c

-

-!IF  "$(CFG)" == "libisc - Win32 Release"

-

-

-"$(INTDIR)\inet_aton.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"

-

-

-"$(INTDIR)\inet_aton.obj"	"$(INTDIR)\inet_aton.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\inet_ntop.c

-

-!IF  "$(CFG)" == "libisc - Win32 Release"

-

-

-"$(INTDIR)\inet_ntop.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"

-

-

-"$(INTDIR)\inet_ntop.obj"	"$(INTDIR)\inet_ntop.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\inet_pton.c

-

-!IF  "$(CFG)" == "libisc - Win32 Release"

-

-

-"$(INTDIR)\inet_pton.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"

-

-

-"$(INTDIR)\inet_pton.obj"	"$(INTDIR)\inet_pton.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\lex.c

-

-!IF  "$(CFG)" == "libisc - Win32 Release"

-

-

-"$(INTDIR)\lex.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"

-

-

-"$(INTDIR)\lex.obj"	"$(INTDIR)\lex.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\lfsr.c

-

-!IF  "$(CFG)" == "libisc - Win32 Release"

-

-

-"$(INTDIR)\lfsr.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"

-

-

-"$(INTDIR)\lfsr.obj"	"$(INTDIR)\lfsr.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\lib.c

-

-!IF  "$(CFG)" == "libisc - Win32 Release"

-

-

-"$(INTDIR)\lib.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"

-

-

-"$(INTDIR)\lib.obj"	"$(INTDIR)\lib.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\log.c

-

-!IF  "$(CFG)" == "libisc - Win32 Release"

-

-

-"$(INTDIR)\log.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"

-

-

-"$(INTDIR)\log.obj"	"$(INTDIR)\log.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\md5.c

-

-!IF  "$(CFG)" == "libisc - Win32 Release"

-

-

-"$(INTDIR)\md5.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"

-

-

-"$(INTDIR)\md5.obj"	"$(INTDIR)\md5.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\mem.c

-

-!IF  "$(CFG)" == "libisc - Win32 Release"

-

-

-"$(INTDIR)\mem.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"

-

-

-"$(INTDIR)\mem.obj"	"$(INTDIR)\mem.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\nls\msgcat.c

-

-!IF  "$(CFG)" == "libisc - Win32 Release"

-

-

-"$(INTDIR)\msgcat.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"

-

-

-"$(INTDIR)\msgcat.obj"	"$(INTDIR)\msgcat.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\mutexblock.c

-

-!IF  "$(CFG)" == "libisc - Win32 Release"

-

-

-"$(INTDIR)\mutexblock.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"

-

-

-"$(INTDIR)\mutexblock.obj"	"$(INTDIR)\mutexblock.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\netaddr.c

-

-!IF  "$(CFG)" == "libisc - Win32 Release"

-

-

-"$(INTDIR)\netaddr.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"

-

-

-"$(INTDIR)\netaddr.obj"	"$(INTDIR)\netaddr.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\ondestroy.c

-

-!IF  "$(CFG)" == "libisc - Win32 Release"

-

-

-"$(INTDIR)\ondestroy.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"

-

-

-"$(INTDIR)\ondestroy.obj"	"$(INTDIR)\ondestroy.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\quota.c

-

-!IF  "$(CFG)" == "libisc - Win32 Release"

-

-

-"$(INTDIR)\quota.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"

-

-

-"$(INTDIR)\quota.obj"	"$(INTDIR)\quota.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\random.c

-

-!IF  "$(CFG)" == "libisc - Win32 Release"

-

-

-"$(INTDIR)\random.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"

-

-

-"$(INTDIR)\random.obj"	"$(INTDIR)\random.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\ratelimiter.c

-

-!IF  "$(CFG)" == "libisc - Win32 Release"

-

-

-"$(INTDIR)\ratelimiter.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"

-

-

-"$(INTDIR)\ratelimiter.obj"	"$(INTDIR)\ratelimiter.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\result.c

-

-!IF  "$(CFG)" == "libisc - Win32 Release"

-

-

-"$(INTDIR)\result.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"

-

-

-"$(INTDIR)\result.obj"	"$(INTDIR)\result.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\rwlock.c

-

-!IF  "$(CFG)" == "libisc - Win32 Release"

-

-

-"$(INTDIR)\rwlock.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"

-

-

-"$(INTDIR)\rwlock.obj"	"$(INTDIR)\rwlock.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\serial.c

-

-!IF  "$(CFG)" == "libisc - Win32 Release"

-

-

-"$(INTDIR)\serial.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"

-

-

-"$(INTDIR)\serial.obj"	"$(INTDIR)\serial.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\sha1.c

-

-!IF  "$(CFG)" == "libisc - Win32 Release"

-

-

-"$(INTDIR)\sha1.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"

-

-

-"$(INTDIR)\sha1.obj"	"$(INTDIR)\sha1.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\sockaddr.c

-

-!IF  "$(CFG)" == "libisc - Win32 Release"

-

-

-"$(INTDIR)\sockaddr.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"

-

-

-"$(INTDIR)\sockaddr.obj"	"$(INTDIR)\sockaddr.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\string.c

-

-!IF  "$(CFG)" == "libisc - Win32 Release"

-

-

-"$(INTDIR)\string.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"

-

-

-"$(INTDIR)\string.obj"	"$(INTDIR)\string.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\symtab.c

-

-!IF  "$(CFG)" == "libisc - Win32 Release"

-

-

-"$(INTDIR)\symtab.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"

-

-

-"$(INTDIR)\symtab.obj"	"$(INTDIR)\symtab.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\task.c

-

-!IF  "$(CFG)" == "libisc - Win32 Release"

-

-

-"$(INTDIR)\task.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"

-

-

-"$(INTDIR)\task.obj"	"$(INTDIR)\task.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\taskpool.c

-

-!IF  "$(CFG)" == "libisc - Win32 Release"

-

-

-"$(INTDIR)\taskpool.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"

-

-

-"$(INTDIR)\taskpool.obj"	"$(INTDIR)\taskpool.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\timer.c

-

-!IF  "$(CFG)" == "libisc - Win32 Release"

-

-

-"$(INTDIR)\timer.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"

-

-

-"$(INTDIR)\timer.obj"	"$(INTDIR)\timer.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=.\win32os.c

-

-!IF  "$(CFG)" == "libisc - Win32 Release"

-

-

-"$(INTDIR)\win32os.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"

-

-

-"$(INTDIR)\win32os.obj"	"$(INTDIR)\win32os.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-

-!ENDIF 

-

-####################################################

-# Commands to generate initial empty manifest file and the RC file

-# that references it, and for generating the .res file:

-

-$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc

-

-$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest

-    type <<$@

-#include <winuser.h>

-1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"

-<< KEEP

-

-$(_VC_MANIFEST_BASENAME).auto.manifest :

-    type <<$@

-<?xml version='1.0' encoding='UTF-8' standalone='yes'?>

-<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>

-</assembly>

-<< KEEP

+# Microsoft Developer Studio Generated NMAKE File, Based on libisc.dsp
+!IF "$(CFG)" == ""
+CFG=libisc - Win32 Debug
+!MESSAGE No configuration specified. Defaulting to libisc - Win32 Debug.
+!ENDIF 
+
+!IF "$(CFG)" != "libisc - Win32 Release" && "$(CFG)" != "libisc - Win32 Debug"
+!MESSAGE Invalid configuration "$(CFG)" specified.
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "libisc.mak" CFG="libisc - Win32 Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "libisc - Win32 Release" (based on "Win32 (x86) Dynamic-Link Library")
+!MESSAGE "libisc - Win32 Debug" (based on "Win32 (x86) Dynamic-Link Library")
+!MESSAGE 
+!ERROR An invalid configuration is specified.
+!ENDIF 
+
+!IF "$(OS)" == "Windows_NT"
+NULL=
+!ELSE 
+NULL=nul
+!ENDIF 
+
+CPP=cl.exe
+MTL=midl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+OUTDIR=.\Release
+INTDIR=.\Release
+
+ALL : "..\..\..\Build\Release\libisc.dll"
+
+
+CLEAN :
+	-@erase "$(INTDIR)\app.obj"
+	-@erase "$(INTDIR)\assertions.obj"
+	-@erase "$(INTDIR)\base64.obj"
+	-@erase "$(INTDIR)\bitstring.obj"
+	-@erase "$(INTDIR)\buffer.obj"
+	-@erase "$(INTDIR)\bufferlist.obj"
+	-@erase "$(INTDIR)\commandline.obj"
+	-@erase "$(INTDIR)\condition.obj"
+	-@erase "$(INTDIR)\dir.obj"
+	-@erase "$(INTDIR)\DLLMain.obj"
+	-@erase "$(INTDIR)\entropy.obj"
+	-@erase "$(INTDIR)\errno2result.obj"
+	-@erase "$(INTDIR)\error.obj"
+	-@erase "$(INTDIR)\event.obj"
+	-@erase "$(INTDIR)\file.obj"
+	-@erase "$(INTDIR)\fsaccess.obj"
+	-@erase "$(INTDIR)\hash.obj"
+	-@erase "$(INTDIR)\heap.obj"
+	-@erase "$(INTDIR)\hex.obj"
+	-@erase "$(INTDIR)\hmacmd5.obj"
+	-@erase "$(INTDIR)\inet_aton.obj"
+	-@erase "$(INTDIR)\inet_ntop.obj"
+	-@erase "$(INTDIR)\inet_pton.obj"
+	-@erase "$(INTDIR)\interfaceiter.obj"
+	-@erase "$(INTDIR)\ipv6.obj"
+	-@erase "$(INTDIR)\keyboard.obj"
+	-@erase "$(INTDIR)\lex.obj"
+	-@erase "$(INTDIR)\lfsr.obj"
+	-@erase "$(INTDIR)\lib.obj"
+	-@erase "$(INTDIR)\log.obj"
+	-@erase "$(INTDIR)\md5.obj"
+	-@erase "$(INTDIR)\mem.obj"
+	-@erase "$(INTDIR)\msgcat.obj"
+	-@erase "$(INTDIR)\mutexblock.obj"
+	-@erase "$(INTDIR)\net.obj"
+	-@erase "$(INTDIR)\netaddr.obj"
+	-@erase "$(INTDIR)\netscope.obj"
+	-@erase "$(INTDIR)\ntpaths.obj"
+	-@erase "$(INTDIR)\once.obj"
+	-@erase "$(INTDIR)\ondestroy.obj"
+	-@erase "$(INTDIR)\os.obj"
+	-@erase "$(INTDIR)\parseint.obj"
+	-@erase "$(INTDIR)\quota.obj"
+	-@erase "$(INTDIR)\random.obj"
+	-@erase "$(INTDIR)\ratelimiter.obj"
+	-@erase "$(INTDIR)\region.obj"
+	-@erase "$(INTDIR)\resource.obj"
+	-@erase "$(INTDIR)\result.obj"
+	-@erase "$(INTDIR)\rwlock.obj"
+	-@erase "$(INTDIR)\serial.obj"
+	-@erase "$(INTDIR)\sha1.obj"
+	-@erase "$(INTDIR)\sockaddr.obj"
+	-@erase "$(INTDIR)\socket.obj"
+	-@erase "$(INTDIR)\stdio.obj"
+	-@erase "$(INTDIR)\stdtime.obj"
+	-@erase "$(INTDIR)\strerror.obj"
+	-@erase "$(INTDIR)\string.obj"
+	-@erase "$(INTDIR)\symtab.obj"
+	-@erase "$(INTDIR)\syslog.obj"
+	-@erase "$(INTDIR)\task.obj"
+	-@erase "$(INTDIR)\taskpool.obj"
+	-@erase "$(INTDIR)\thread.obj"
+	-@erase "$(INTDIR)\time.obj"
+	-@erase "$(INTDIR)\timer.obj"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "$(INTDIR)\version.obj"
+	-@erase "$(INTDIR)\win32os.obj"
+	-@erase "$(OUTDIR)\libisc.exp"
+	-@erase "$(OUTDIR)\libisc.lib"
+	-@erase "..\..\..\Build\Release\libisc.dll"
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "include" /I "../include" /I "win32" /I "../../isccfg/include" /D "WIN32" /D "NDEBUG" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "LIBISC_EXPORTS" /Fp"$(INTDIR)\libisc.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+MTL_PROJ=/nologo /D "NDEBUG" /mktyplib203 /win32 
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\libisc.bsc" 
+BSC32_SBRS= \
+	
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib /nologo /dll /incremental:no /pdb:"$(OUTDIR)\libisc.pdb" /machine:I386 /def:".\libisc.def" /out:"../../../Build/Release/libisc.dll" /implib:"$(OUTDIR)\libisc.lib" 
+DEF_FILE= \
+	".\libisc.def"
+LINK32_OBJS= \
+	"$(INTDIR)\app.obj" \
+	"$(INTDIR)\condition.obj" \
+	"$(INTDIR)\dir.obj" \
+	"$(INTDIR)\DLLMain.obj" \
+	"$(INTDIR)\entropy.obj" \
+	"$(INTDIR)\errno2result.obj" \
+	"$(INTDIR)\file.obj" \
+	"$(INTDIR)\fsaccess.obj" \
+	"$(INTDIR)\interfaceiter.obj" \
+	"$(INTDIR)\ipv6.obj" \
+	"$(INTDIR)\keyboard.obj" \
+	"$(INTDIR)\net.obj" \
+	"$(INTDIR)\ntpaths.obj" \
+	"$(INTDIR)\once.obj" \
+	"$(INTDIR)\os.obj" \
+	"$(INTDIR)\resource.obj" \
+	"$(INTDIR)\socket.obj" \
+	"$(INTDIR)\stdio.obj" \
+	"$(INTDIR)\stdtime.obj" \
+	"$(INTDIR)\strerror.obj" \
+	"$(INTDIR)\syslog.obj" \
+	"$(INTDIR)\thread.obj" \
+	"$(INTDIR)\time.obj" \
+	"$(INTDIR)\version.obj" \
+	"$(INTDIR)\win32os.obj" \
+	"$(INTDIR)\assertions.obj" \
+	"$(INTDIR)\base64.obj" \
+	"$(INTDIR)\bitstring.obj" \
+	"$(INTDIR)\buffer.obj" \
+	"$(INTDIR)\bufferlist.obj" \
+	"$(INTDIR)\commandline.obj" \
+	"$(INTDIR)\error.obj" \
+	"$(INTDIR)\event.obj" \
+	"$(INTDIR)\hash.obj" \
+	"$(INTDIR)\heap.obj" \
+	"$(INTDIR)\hex.obj" \
+	"$(INTDIR)\hmacmd5.obj" \
+	"$(INTDIR)\inet_aton.obj" \
+	"$(INTDIR)\inet_ntop.obj" \
+	"$(INTDIR)\inet_pton.obj" \
+	"$(INTDIR)\lex.obj" \
+	"$(INTDIR)\lfsr.obj" \
+	"$(INTDIR)\lib.obj" \
+	"$(INTDIR)\log.obj" \
+	"$(INTDIR)\md5.obj" \
+	"$(INTDIR)\mem.obj" \
+	"$(INTDIR)\msgcat.obj" \
+	"$(INTDIR)\mutexblock.obj" \
+	"$(INTDIR)\netaddr.obj" \
+	"$(INTDIR)\netscope.obj" \
+	"$(INTDIR)\ondestroy.obj" \
+	"$(INTDIR)\quota.obj" \
+	"$(INTDIR)\random.obj" \
+	"$(INTDIR)\ratelimiter.obj" \
+	"$(INTDIR)\result.obj" \
+	"$(INTDIR)\rwlock.obj" \
+	"$(INTDIR)\serial.obj" \
+	"$(INTDIR)\sha1.obj" \
+	"$(INTDIR)\sockaddr.obj" \
+	"$(INTDIR)\string.obj" \
+	"$(INTDIR)\symtab.obj" \
+	"$(INTDIR)\task.obj" \
+	"$(INTDIR)\taskpool.obj" \
+	"$(INTDIR)\timer.obj" \
+	"$(INTDIR)\parseint.obj" \
+	"$(INTDIR)\region.obj"
+
+"..\..\..\Build\Release\libisc.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+OUTDIR=.\Debug
+INTDIR=.\Debug
+# Begin Custom Macros
+OutDir=.\Debug
+# End Custom Macros
+
+ALL : "..\..\..\Build\Debug\libisc.dll" "$(OUTDIR)\libisc.bsc"
+
+
+CLEAN :
+	-@erase "$(INTDIR)\app.obj"
+	-@erase "$(INTDIR)\app.sbr"
+	-@erase "$(INTDIR)\assertions.obj"
+	-@erase "$(INTDIR)\assertions.sbr"
+	-@erase "$(INTDIR)\base64.obj"
+	-@erase "$(INTDIR)\base64.sbr"
+	-@erase "$(INTDIR)\bitstring.obj"
+	-@erase "$(INTDIR)\bitstring.sbr"
+	-@erase "$(INTDIR)\buffer.obj"
+	-@erase "$(INTDIR)\buffer.sbr"
+	-@erase "$(INTDIR)\bufferlist.obj"
+	-@erase "$(INTDIR)\bufferlist.sbr"
+	-@erase "$(INTDIR)\commandline.obj"
+	-@erase "$(INTDIR)\commandline.sbr"
+	-@erase "$(INTDIR)\condition.obj"
+	-@erase "$(INTDIR)\condition.sbr"
+	-@erase "$(INTDIR)\dir.obj"
+	-@erase "$(INTDIR)\dir.sbr"
+	-@erase "$(INTDIR)\DLLMain.obj"
+	-@erase "$(INTDIR)\DLLMain.sbr"
+	-@erase "$(INTDIR)\entropy.obj"
+	-@erase "$(INTDIR)\entropy.sbr"
+	-@erase "$(INTDIR)\errno2result.obj"
+	-@erase "$(INTDIR)\errno2result.sbr"
+	-@erase "$(INTDIR)\error.obj"
+	-@erase "$(INTDIR)\error.sbr"
+	-@erase "$(INTDIR)\event.obj"
+	-@erase "$(INTDIR)\event.sbr"
+	-@erase "$(INTDIR)\file.obj"
+	-@erase "$(INTDIR)\file.sbr"
+	-@erase "$(INTDIR)\fsaccess.obj"
+	-@erase "$(INTDIR)\fsaccess.sbr"
+	-@erase "$(INTDIR)\hash.obj"
+	-@erase "$(INTDIR)\hash.sbr"
+	-@erase "$(INTDIR)\heap.obj"
+	-@erase "$(INTDIR)\heap.sbr"
+	-@erase "$(INTDIR)\hex.obj"
+	-@erase "$(INTDIR)\hex.sbr"
+	-@erase "$(INTDIR)\hmacmd5.obj"
+	-@erase "$(INTDIR)\hmacmd5.sbr"
+	-@erase "$(INTDIR)\inet_aton.obj"
+	-@erase "$(INTDIR)\inet_aton.sbr"
+	-@erase "$(INTDIR)\inet_ntop.obj"
+	-@erase "$(INTDIR)\inet_ntop.sbr"
+	-@erase "$(INTDIR)\inet_pton.obj"
+	-@erase "$(INTDIR)\inet_pton.sbr"
+	-@erase "$(INTDIR)\interfaceiter.obj"
+	-@erase "$(INTDIR)\interfaceiter.sbr"
+	-@erase "$(INTDIR)\ipv6.obj"
+	-@erase "$(INTDIR)\ipv6.sbr"
+	-@erase "$(INTDIR)\keyboard.obj"
+	-@erase "$(INTDIR)\keyboard.sbr"
+	-@erase "$(INTDIR)\lex.obj"
+	-@erase "$(INTDIR)\lex.sbr"
+	-@erase "$(INTDIR)\lfsr.obj"
+	-@erase "$(INTDIR)\lfsr.sbr"
+	-@erase "$(INTDIR)\lib.obj"
+	-@erase "$(INTDIR)\lib.sbr"
+	-@erase "$(INTDIR)\log.obj"
+	-@erase "$(INTDIR)\log.sbr"
+	-@erase "$(INTDIR)\md5.obj"
+	-@erase "$(INTDIR)\md5.sbr"
+	-@erase "$(INTDIR)\mem.obj"
+	-@erase "$(INTDIR)\mem.sbr"
+	-@erase "$(INTDIR)\msgcat.obj"
+	-@erase "$(INTDIR)\msgcat.sbr"
+	-@erase "$(INTDIR)\mutexblock.obj"
+	-@erase "$(INTDIR)\mutexblock.sbr"
+	-@erase "$(INTDIR)\net.obj"
+	-@erase "$(INTDIR)\net.sbr"
+	-@erase "$(INTDIR)\netaddr.obj"
+	-@erase "$(INTDIR)\netaddr.sbr"
+	-@erase "$(INTDIR)\netscope.obj"
+	-@erase "$(INTDIR)\netscope.sbr"
+	-@erase "$(INTDIR)\ntpaths.obj"
+	-@erase "$(INTDIR)\ntpaths.sbr"
+	-@erase "$(INTDIR)\once.obj"
+	-@erase "$(INTDIR)\once.sbr"
+	-@erase "$(INTDIR)\ondestroy.obj"
+	-@erase "$(INTDIR)\ondestroy.sbr"
+	-@erase "$(INTDIR)\os.obj"
+	-@erase "$(INTDIR)\os.sbr"
+	-@erase "$(INTDIR)\parseint.obj"
+	-@erase "$(INTDIR)\parseint.sbr"
+	-@erase "$(INTDIR)\quota.obj"
+	-@erase "$(INTDIR)\quota.sbr"
+	-@erase "$(INTDIR)\random.obj"
+	-@erase "$(INTDIR)\random.sbr"
+	-@erase "$(INTDIR)\ratelimiter.obj"
+	-@erase "$(INTDIR)\ratelimiter.sbr"
+	-@erase "$(INTDIR)\region.obj"
+	-@erase "$(INTDIR)\region.sbr"
+	-@erase "$(INTDIR)\resource.obj"
+	-@erase "$(INTDIR)\resource.sbr"
+	-@erase "$(INTDIR)\result.obj"
+	-@erase "$(INTDIR)\result.sbr"
+	-@erase "$(INTDIR)\rwlock.obj"
+	-@erase "$(INTDIR)\rwlock.sbr"
+	-@erase "$(INTDIR)\serial.obj"
+	-@erase "$(INTDIR)\serial.sbr"
+	-@erase "$(INTDIR)\sha1.obj"
+	-@erase "$(INTDIR)\sha1.sbr"
+	-@erase "$(INTDIR)\sockaddr.obj"
+	-@erase "$(INTDIR)\sockaddr.sbr"
+	-@erase "$(INTDIR)\socket.obj"
+	-@erase "$(INTDIR)\socket.sbr"
+	-@erase "$(INTDIR)\stdio.obj"
+	-@erase "$(INTDIR)\stdio.sbr"
+	-@erase "$(INTDIR)\stdtime.obj"
+	-@erase "$(INTDIR)\stdtime.sbr"
+	-@erase "$(INTDIR)\strerror.obj"
+	-@erase "$(INTDIR)\strerror.sbr"
+	-@erase "$(INTDIR)\string.obj"
+	-@erase "$(INTDIR)\string.sbr"
+	-@erase "$(INTDIR)\symtab.obj"
+	-@erase "$(INTDIR)\symtab.sbr"
+	-@erase "$(INTDIR)\syslog.obj"
+	-@erase "$(INTDIR)\syslog.sbr"
+	-@erase "$(INTDIR)\task.obj"
+	-@erase "$(INTDIR)\task.sbr"
+	-@erase "$(INTDIR)\taskpool.obj"
+	-@erase "$(INTDIR)\taskpool.sbr"
+	-@erase "$(INTDIR)\thread.obj"
+	-@erase "$(INTDIR)\thread.sbr"
+	-@erase "$(INTDIR)\time.obj"
+	-@erase "$(INTDIR)\time.sbr"
+	-@erase "$(INTDIR)\timer.obj"
+	-@erase "$(INTDIR)\timer.sbr"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "$(INTDIR)\vc60.pdb"
+	-@erase "$(INTDIR)\version.obj"
+	-@erase "$(INTDIR)\version.sbr"
+	-@erase "$(INTDIR)\win32os.obj"
+	-@erase "$(INTDIR)\win32os.sbr"
+	-@erase "$(OUTDIR)\libisc.bsc"
+	-@erase "$(OUTDIR)\libisc.exp"
+	-@erase "$(OUTDIR)\libisc.lib"
+	-@erase "$(OUTDIR)\libisc.map"
+	-@erase "$(OUTDIR)\libisc.pdb"
+	-@erase "..\..\..\Build\Debug\libisc.dll"
+	-@erase "..\..\..\Build\Debug\libisc.ilk"
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "win32" /I "../../isccfg/include" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "LIBISC_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\libisc.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+MTL_PROJ=/nologo /D "_DEBUG" /mktyplib203 /win32 
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\libisc.bsc" 
+BSC32_SBRS= \
+	"$(INTDIR)\app.sbr" \
+	"$(INTDIR)\condition.sbr" \
+	"$(INTDIR)\dir.sbr" \
+	"$(INTDIR)\DLLMain.sbr" \
+	"$(INTDIR)\entropy.sbr" \
+	"$(INTDIR)\errno2result.sbr" \
+	"$(INTDIR)\file.sbr" \
+	"$(INTDIR)\fsaccess.sbr" \
+	"$(INTDIR)\interfaceiter.sbr" \
+	"$(INTDIR)\ipv6.sbr" \
+	"$(INTDIR)\keyboard.sbr" \
+	"$(INTDIR)\net.sbr" \
+	"$(INTDIR)\ntpaths.sbr" \
+	"$(INTDIR)\once.sbr" \
+	"$(INTDIR)\os.sbr" \
+	"$(INTDIR)\resource.sbr" \
+	"$(INTDIR)\socket.sbr" \
+	"$(INTDIR)\stdio.sbr" \
+	"$(INTDIR)\stdtime.sbr" \
+	"$(INTDIR)\strerror.sbr" \
+	"$(INTDIR)\syslog.sbr" \
+	"$(INTDIR)\thread.sbr" \
+	"$(INTDIR)\time.sbr" \
+	"$(INTDIR)\version.sbr" \
+	"$(INTDIR)\win32os.sbr" \
+	"$(INTDIR)\assertions.sbr" \
+	"$(INTDIR)\base64.sbr" \
+	"$(INTDIR)\bitstring.sbr" \
+	"$(INTDIR)\buffer.sbr" \
+	"$(INTDIR)\bufferlist.sbr" \
+	"$(INTDIR)\commandline.sbr" \
+	"$(INTDIR)\error.sbr" \
+	"$(INTDIR)\event.sbr" \
+	"$(INTDIR)\hash.sbr" \
+	"$(INTDIR)\heap.sbr" \
+	"$(INTDIR)\hex.sbr" \
+	"$(INTDIR)\hmacmd5.sbr" \
+	"$(INTDIR)\inet_aton.sbr" \
+	"$(INTDIR)\inet_ntop.sbr" \
+	"$(INTDIR)\inet_pton.sbr" \
+	"$(INTDIR)\lex.sbr" \
+	"$(INTDIR)\lfsr.sbr" \
+	"$(INTDIR)\lib.sbr" \
+	"$(INTDIR)\log.sbr" \
+	"$(INTDIR)\md5.sbr" \
+	"$(INTDIR)\mem.sbr" \
+	"$(INTDIR)\msgcat.sbr" \
+	"$(INTDIR)\mutexblock.sbr" \
+	"$(INTDIR)\netaddr.sbr" \
+	"$(INTDIR)\netscope.sbr" \
+	"$(INTDIR)\ondestroy.sbr" \
+	"$(INTDIR)\quota.sbr" \
+	"$(INTDIR)\random.sbr" \
+	"$(INTDIR)\ratelimiter.sbr" \
+	"$(INTDIR)\result.sbr" \
+	"$(INTDIR)\rwlock.sbr" \
+	"$(INTDIR)\serial.sbr" \
+	"$(INTDIR)\sha1.sbr" \
+	"$(INTDIR)\sockaddr.sbr" \
+	"$(INTDIR)\string.sbr" \
+	"$(INTDIR)\symtab.sbr" \
+	"$(INTDIR)\task.sbr" \
+	"$(INTDIR)\taskpool.sbr" \
+	"$(INTDIR)\timer.sbr" \
+	"$(INTDIR)\parseint.sbr" \
+	"$(INTDIR)\region.sbr"
+
+"$(OUTDIR)\libisc.bsc" : "$(OUTDIR)" $(BSC32_SBRS)
+    $(BSC32) @<<
+  $(BSC32_FLAGS) $(BSC32_SBRS)
+<<
+
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib /nologo /dll /incremental:yes /pdb:"$(OUTDIR)\libisc.pdb" /map:"$(INTDIR)\libisc.map" /debug /machine:I386 /def:".\libisc.def" /out:"../../../Build/Debug/libisc.dll" /implib:"$(OUTDIR)\libisc.lib" /pdbtype:sept 
+DEF_FILE= \
+	".\libisc.def"
+LINK32_OBJS= \
+	"$(INTDIR)\app.obj" \
+	"$(INTDIR)\condition.obj" \
+	"$(INTDIR)\dir.obj" \
+	"$(INTDIR)\DLLMain.obj" \
+	"$(INTDIR)\entropy.obj" \
+	"$(INTDIR)\errno2result.obj" \
+	"$(INTDIR)\file.obj" \
+	"$(INTDIR)\fsaccess.obj" \
+	"$(INTDIR)\interfaceiter.obj" \
+	"$(INTDIR)\ipv6.obj" \
+	"$(INTDIR)\keyboard.obj" \
+	"$(INTDIR)\net.obj" \
+	"$(INTDIR)\ntpaths.obj" \
+	"$(INTDIR)\once.obj" \
+	"$(INTDIR)\os.obj" \
+	"$(INTDIR)\resource.obj" \
+	"$(INTDIR)\socket.obj" \
+	"$(INTDIR)\stdio.obj" \
+	"$(INTDIR)\stdtime.obj" \
+	"$(INTDIR)\strerror.obj" \
+	"$(INTDIR)\syslog.obj" \
+	"$(INTDIR)\thread.obj" \
+	"$(INTDIR)\time.obj" \
+	"$(INTDIR)\version.obj" \
+	"$(INTDIR)\win32os.obj" \
+	"$(INTDIR)\assertions.obj" \
+	"$(INTDIR)\base64.obj" \
+	"$(INTDIR)\bitstring.obj" \
+	"$(INTDIR)\buffer.obj" \
+	"$(INTDIR)\bufferlist.obj" \
+	"$(INTDIR)\commandline.obj" \
+	"$(INTDIR)\error.obj" \
+	"$(INTDIR)\event.obj" \
+	"$(INTDIR)\hash.obj" \
+	"$(INTDIR)\heap.obj" \
+	"$(INTDIR)\hex.obj" \
+	"$(INTDIR)\hmacmd5.obj" \
+	"$(INTDIR)\inet_aton.obj" \
+	"$(INTDIR)\inet_ntop.obj" \
+	"$(INTDIR)\inet_pton.obj" \
+	"$(INTDIR)\lex.obj" \
+	"$(INTDIR)\lfsr.obj" \
+	"$(INTDIR)\lib.obj" \
+	"$(INTDIR)\log.obj" \
+	"$(INTDIR)\md5.obj" \
+	"$(INTDIR)\mem.obj" \
+	"$(INTDIR)\msgcat.obj" \
+	"$(INTDIR)\mutexblock.obj" \
+	"$(INTDIR)\netaddr.obj" \
+	"$(INTDIR)\netscope.obj" \
+	"$(INTDIR)\ondestroy.obj" \
+	"$(INTDIR)\quota.obj" \
+	"$(INTDIR)\random.obj" \
+	"$(INTDIR)\ratelimiter.obj" \
+	"$(INTDIR)\result.obj" \
+	"$(INTDIR)\rwlock.obj" \
+	"$(INTDIR)\serial.obj" \
+	"$(INTDIR)\sha1.obj" \
+	"$(INTDIR)\sockaddr.obj" \
+	"$(INTDIR)\string.obj" \
+	"$(INTDIR)\symtab.obj" \
+	"$(INTDIR)\task.obj" \
+	"$(INTDIR)\taskpool.obj" \
+	"$(INTDIR)\timer.obj" \
+	"$(INTDIR)\parseint.obj" \
+	"$(INTDIR)\region.obj"
+
+"..\..\..\Build\Debug\libisc.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+
+!ENDIF 
+
+.c{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+
+!IF "$(NO_EXTERNAL_DEPS)" != "1"
+!IF EXISTS("libisc.dep")
+!INCLUDE "libisc.dep"
+!ELSE 
+!MESSAGE Warning: cannot find "libisc.dep"
+!ENDIF 
+!ENDIF 
+
+
+!IF "$(CFG)" == "libisc - Win32 Release" || "$(CFG)" == "libisc - Win32 Debug"
+SOURCE=.\app.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\app.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\app.obj"	"$(INTDIR)\app.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF 
+
+SOURCE=.\condition.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\condition.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\condition.obj"	"$(INTDIR)\condition.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF 
+
+SOURCE=.\dir.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\dir.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\dir.obj"	"$(INTDIR)\dir.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF 
+
+SOURCE=.\DLLMain.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\DLLMain.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\DLLMain.obj"	"$(INTDIR)\DLLMain.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF 
+
+SOURCE=.\entropy.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\entropy.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\entropy.obj"	"$(INTDIR)\entropy.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF 
+
+SOURCE=.\errno2result.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\errno2result.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\errno2result.obj"	"$(INTDIR)\errno2result.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF 
+
+SOURCE=.\file.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\file.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\file.obj"	"$(INTDIR)\file.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF 
+
+SOURCE=.\fsaccess.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\fsaccess.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\fsaccess.obj"	"$(INTDIR)\fsaccess.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF 
+
+SOURCE=.\interfaceiter.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\interfaceiter.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\interfaceiter.obj"	"$(INTDIR)\interfaceiter.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF 
+
+SOURCE=.\ipv6.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\ipv6.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\ipv6.obj"	"$(INTDIR)\ipv6.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF 
+
+SOURCE=.\keyboard.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\keyboard.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\keyboard.obj"	"$(INTDIR)\keyboard.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF 
+
+SOURCE=.\net.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\net.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\net.obj"	"$(INTDIR)\net.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF 
+
+SOURCE=.\ntpaths.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\ntpaths.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\ntpaths.obj"	"$(INTDIR)\ntpaths.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF 
+
+SOURCE=.\once.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\once.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\once.obj"	"$(INTDIR)\once.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF 
+
+SOURCE=.\os.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\os.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\os.obj"	"$(INTDIR)\os.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF 
+
+SOURCE=.\resource.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\resource.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\resource.obj"	"$(INTDIR)\resource.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF 
+
+SOURCE=.\socket.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\socket.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\socket.obj"	"$(INTDIR)\socket.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF 
+
+SOURCE=.\stdio.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\stdio.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\stdio.obj"	"$(INTDIR)\stdio.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF 
+
+SOURCE=.\stdtime.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\stdtime.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\stdtime.obj"	"$(INTDIR)\stdtime.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF 
+
+SOURCE=.\strerror.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\strerror.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\strerror.obj"	"$(INTDIR)\strerror.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF 
+
+SOURCE=.\syslog.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\syslog.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\syslog.obj"	"$(INTDIR)\syslog.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF 
+
+SOURCE=.\thread.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\thread.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\thread.obj"	"$(INTDIR)\thread.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF 
+
+SOURCE=.\time.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\time.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\time.obj"	"$(INTDIR)\time.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF 
+
+SOURCE=.\version.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\version.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\version.obj"	"$(INTDIR)\version.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF 
+
+SOURCE=.\win32os.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\win32os.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\win32os.obj"	"$(INTDIR)\win32os.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF 
+
+SOURCE=..\assertions.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\assertions.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\assertions.obj"	"$(INTDIR)\assertions.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\base64.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\base64.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\base64.obj"	"$(INTDIR)\base64.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\bitstring.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\bitstring.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\bitstring.obj"	"$(INTDIR)\bitstring.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\buffer.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\buffer.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\buffer.obj"	"$(INTDIR)\buffer.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\bufferlist.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\bufferlist.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\bufferlist.obj"	"$(INTDIR)\bufferlist.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\commandline.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\commandline.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\commandline.obj"	"$(INTDIR)\commandline.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\error.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\error.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\error.obj"	"$(INTDIR)\error.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\event.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\event.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\event.obj"	"$(INTDIR)\event.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\hash.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\hash.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\hash.obj"	"$(INTDIR)\hash.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\heap.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\heap.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\heap.obj"	"$(INTDIR)\heap.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\hex.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\hex.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\hex.obj"	"$(INTDIR)\hex.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\hmacmd5.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\hmacmd5.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\hmacmd5.obj"	"$(INTDIR)\hmacmd5.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\inet_aton.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\inet_aton.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\inet_aton.obj"	"$(INTDIR)\inet_aton.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\inet_ntop.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\inet_ntop.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\inet_ntop.obj"	"$(INTDIR)\inet_ntop.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\inet_pton.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\inet_pton.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\inet_pton.obj"	"$(INTDIR)\inet_pton.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\lex.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\lex.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\lex.obj"	"$(INTDIR)\lex.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\lfsr.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\lfsr.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\lfsr.obj"	"$(INTDIR)\lfsr.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\lib.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\lib.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\lib.obj"	"$(INTDIR)\lib.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\log.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\log.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\log.obj"	"$(INTDIR)\log.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\md5.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\md5.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\md5.obj"	"$(INTDIR)\md5.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\mem.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\mem.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\mem.obj"	"$(INTDIR)\mem.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\nls\msgcat.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\msgcat.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\msgcat.obj"	"$(INTDIR)\msgcat.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\mutexblock.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\mutexblock.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\mutexblock.obj"	"$(INTDIR)\mutexblock.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\netaddr.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\netaddr.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\netaddr.obj"	"$(INTDIR)\netaddr.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\netscope.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\netscope.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\netscope.obj"	"$(INTDIR)\netscope.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\ondestroy.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\ondestroy.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\ondestroy.obj"	"$(INTDIR)\ondestroy.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\parseint.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\parseint.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\parseint.obj"	"$(INTDIR)\parseint.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\quota.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\quota.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\quota.obj"	"$(INTDIR)\quota.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\random.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\random.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\random.obj"	"$(INTDIR)\random.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\ratelimiter.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\ratelimiter.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\ratelimiter.obj"	"$(INTDIR)\ratelimiter.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\region.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\region.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\region.obj"	"$(INTDIR)\region.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\result.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\result.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\result.obj"	"$(INTDIR)\result.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\rwlock.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\rwlock.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\rwlock.obj"	"$(INTDIR)\rwlock.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\serial.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\serial.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\serial.obj"	"$(INTDIR)\serial.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\sha1.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\sha1.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\sha1.obj"	"$(INTDIR)\sha1.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\sockaddr.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\sockaddr.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\sockaddr.obj"	"$(INTDIR)\sockaddr.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\string.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\string.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\string.obj"	"$(INTDIR)\string.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\symtab.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\symtab.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\symtab.obj"	"$(INTDIR)\symtab.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\task.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\task.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\task.obj"	"$(INTDIR)\task.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\taskpool.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\taskpool.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\taskpool.obj"	"$(INTDIR)\taskpool.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\timer.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\timer.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\timer.obj"	"$(INTDIR)\timer.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+
+!ENDIF 
+
diff --git a/lib/isc/win32/net.c b/lib/isc/win32/net.c
index 666b8a00..7d23ce57 100644
--- a/lib/isc/win32/net.c
+++ b/lib/isc/win32/net.c
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: net.c,v 1.3.2.5 2007/06/18 23:45:27 tbox Exp $ */
+/* $Id: net.c,v 1.3.2.2.4.6 2004/03/11 05:58:42 marka Exp $ */
 
 #include <config.h>
 
@@ -26,6 +26,7 @@
 #include <isc/msgs.h>
 #include <isc/net.h>
 #include <isc/once.h>
+#include <isc/strerror.h>
 #include <isc/string.h>
 #include <isc/util.h>
 
@@ -34,31 +35,35 @@ const struct in6_addr isc_net_in6addrany = IN6ADDR_ANY_INIT;
 #endif
 
 static isc_once_t 	once = ISC_ONCE_INIT;
+static isc_once_t 	once_ipv6only = ISC_ONCE_INIT;
 static isc_result_t	ipv4_result = ISC_R_NOTFOUND;
 static isc_result_t	ipv6_result = ISC_R_NOTFOUND;
-
-void InitSockets(void);
+static isc_result_t	ipv6only_result = ISC_R_NOTFOUND;
 
 static isc_result_t
 try_proto(int domain) {
 	SOCKET s;
 	isc_result_t result = ISC_R_SUCCESS;
+	char strbuf[ISC_STRERRORSIZE];
+	int errval;
 
 	s = socket(domain, SOCK_STREAM, 0);
 	if (s == INVALID_SOCKET) {
-		switch (WSAGetLastError()) {
+		errval = WSAGetLastError();
+		switch (errval) {
 		case WSAEAFNOSUPPORT:
 		case WSAEPROTONOSUPPORT:
 		case WSAEINVAL:
 			return (ISC_R_NOTFOUND);
 		default:
+			isc__strerror(errval, strbuf, sizeof(strbuf));
 			UNEXPECTED_ERROR(__FILE__, __LINE__,
 					 "socket() %s: %s",
 					 isc_msgcat_get(isc_msgcat,
 							ISC_MSGSET_GENERAL,
 							ISC_MSG_FAILED,
 							"failed"),
-					 strerror(errno));
+					 strbuf);
 			return (ISC_R_UNEXPECTED);
 		}
 	}
@@ -114,7 +119,6 @@ try_proto(int domain) {
 
 static void
 initialize_action(void) {
-	InitSockets();
 	ipv4_result = try_proto(PF_INET);
 #ifdef ISC_PLATFORM_HAVEIPV6
 #ifdef WANT_IPV6
@@ -141,3 +145,126 @@ isc_net_probeipv6(void) {
 	initialize();
 	return (ipv6_result);
 }
+
+#ifdef ISC_PLATFORM_HAVEIPV6
+#ifdef WANT_IPV6
+static void
+try_ipv6only(void) {
+#ifdef IPV6_V6ONLY
+	SOCKET s;
+	int on;
+	char strbuf[ISC_STRERRORSIZE];
+#endif
+	isc_result_t result;
+
+	result = isc_net_probeipv6();
+	if (result != ISC_R_SUCCESS) {
+		ipv6only_result = result;
+		return;
+	}
+
+#ifndef IPV6_V6ONLY
+	ipv6only_result = ISC_R_NOTFOUND;
+	return;
+#else
+	/* check for TCP sockets */
+	s = socket(PF_INET6, SOCK_STREAM, 0);
+	if (s == INVALID_SOCKET) {
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "socket() %s: %s",
+				 isc_msgcat_get(isc_msgcat,
+						ISC_MSGSET_GENERAL,
+						ISC_MSG_FAILED,
+						"failed"),
+				 strbuf);
+		ipv6only_result = ISC_R_UNEXPECTED;
+		return;
+	}
+
+	on = 1;
+	if (setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on)) < 0) {
+		ipv6only_result = ISC_R_NOTFOUND;
+		goto close;
+	}
+
+	close(s);
+
+	/* check for UDP sockets */
+	s = socket(PF_INET6, SOCK_DGRAM, 0);
+	if (s == INVALID_SOCKET) {
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "socket() %s: %s",
+				 isc_msgcat_get(isc_msgcat,
+						ISC_MSGSET_GENERAL,
+						ISC_MSG_FAILED,
+						"failed"),
+				 strbuf);
+		ipv6only_result = ISC_R_UNEXPECTED;
+		return;
+	}
+
+	on = 1;
+	if (setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on)) < 0) {
+		ipv6only_result = ISC_R_NOTFOUND;
+		goto close;
+	}
+
+	close(s);
+
+	ipv6only_result = ISC_R_SUCCESS;
+
+close:
+	close(s);
+	return;
+#endif
+}
+
+static void
+initialize_ipv6only(void) {
+	RUNTIME_CHECK(isc_once_do(&once_ipv6only,
+				  try_ipv6only) == ISC_R_SUCCESS);
+}
+#endif
+#endif
+
+isc_result_t
+isc_net_probe_ipv6only(void) {
+#ifdef ISC_PLATFORM_HAVEIPV6
+#ifdef WANT_IPV6
+	initialize_ipv6only();
+#else
+	ipv6only_result = ISC_R_NOTFOUND;
+#endif
+#endif
+	return (ipv6only_result);
+}
+
+void
+isc_net_disableipv4(void) {
+	initialize();
+	if (ipv4_result == ISC_R_SUCCESS)
+		ipv4_result = ISC_R_DISABLED;
+}
+
+void
+isc_net_disableipv6(void) {
+	initialize();
+	if (ipv6_result == ISC_R_SUCCESS)
+		ipv6_result = ISC_R_DISABLED;
+}
+
+void
+isc_net_enableipv4(void) {
+	initialize();
+	if (ipv4_result == ISC_R_DISABLED)
+		ipv4_result = ISC_R_SUCCESS;
+}
+
+void
+isc_net_enableipv6(void) {
+	initialize();
+	if (ipv6_result == ISC_R_DISABLED)
+		ipv6_result = ISC_R_SUCCESS;
+}
diff --git a/lib/isc/win32/netdb.h b/lib/isc/win32/netdb.h
index 10a0da36..9df74d11 100644
--- a/lib/isc/win32/netdb.h
+++ b/lib/isc/win32/netdb.h
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
+ * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: netdb.h,v 1.2.2.3 2004/03/09 06:12:18 marka Exp $ */
+/* $Id: netdb.h,v 1.2.2.2.2.3 2004/03/11 01:02:38 marka Exp $ */
 
 #ifndef NETDB_H
 #define NETDB_H 1
@@ -26,7 +26,7 @@
 /*
  * Define if <netdb.h> does not declare struct addrinfo.
  */
-#if _MSC_VER < 1300
+
 struct addrinfo {
 	int		ai_flags;      /* AI_PASSIVE, AI_CANONNAME */
 	int		ai_family;     /* PF_xxx */
@@ -37,7 +37,7 @@ struct addrinfo {
 	struct sockaddr	*ai_addr;      /* Binary address */
 	struct addrinfo	*ai_next;      /* Next structure in linked list */
 };
-#endif
+
 
 /*
  * Undefine all #defines we are interested in as <netdb.h> may or may not have
diff --git a/lib/isc/win32/ntgroups.c b/lib/isc/win32/ntgroups.c
new file mode 100644
index 00000000..500a098b
--- /dev/null
+++ b/lib/isc/win32/ntgroups.c
@@ -0,0 +1,181 @@
+/*
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2001  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: ntgroups.c,v 1.5.200.3 2004/03/08 09:05:00 marka Exp $ */
+
+/*
+ * The NT Groups have two groups that are not well documented and are
+ * not normally seen: None and Everyone.  A user account belongs to
+ * any number of groups, but if it is not a member of any group then
+ * it is a member of the None Group. The None group is not listed
+ * anywhere. You cannot remove an account from the none group except
+ * by making it a member of some other group, The second group is the
+ * Everyone group.  All accounts, no matter how many groups that they
+ * belong to, also belong to the Everyone group. You cannot remove an
+ * account from the Everyone group.
+ */
+
+#ifndef UNICODE
+#define UNICODE
+#endif /* UNICODE */
+
+#include <windows.h>
+#include <assert.h>
+#include <lm.h>
+
+#include <isc/ntgroups.h>
+#include <isc/result.h>
+
+#define MAX_NAME_LENGTH 256
+
+isc_result_t
+isc_ntsecurity_getaccountgroups(char *username, char **GroupList,
+				unsigned int maxgroups,
+				unsigned int *totalGroups) {
+	LPGROUP_USERS_INFO_0 pTmpBuf;
+	LPLOCALGROUP_USERS_INFO_0 pTmpLBuf;
+	DWORD i;
+	LPLOCALGROUP_USERS_INFO_0 pBuf = NULL;
+	LPGROUP_USERS_INFO_0 pgrpBuf = NULL;
+	DWORD dwLevel = 0;
+	DWORD dwFlags = LG_INCLUDE_INDIRECT;
+	DWORD dwPrefMaxLen = MAX_PREFERRED_LENGTH;
+	DWORD dwEntriesRead = 0;
+	DWORD dwTotalEntries = 0;
+	NET_API_STATUS nStatus;
+	DWORD dwTotalCount = 0;
+	int retlen;
+	wchar_t user[MAX_NAME_LENGTH];
+
+	retlen = mbstowcs(user, username, MAX_NAME_LENGTH);
+
+	*totalGroups = 0;
+	/*
+	 * Call the NetUserGetLocalGroups function 
+	 * specifying information level 0.
+	 *
+	 * The LG_INCLUDE_INDIRECT flag specifies that the 
+	 * function should also return the names of the local 
+	 * groups in which the user is indirectly a member.
+	 */
+	nStatus = NetUserGetLocalGroups(NULL,
+                                   user,
+                                   dwLevel,
+                                   dwFlags,
+                                   (LPBYTE *) &pBuf,
+                                   dwPrefMaxLen,
+                                   &dwEntriesRead,
+                                   &dwTotalEntries);
+	/*
+	 * See if the call succeeds,
+	 */
+	if (nStatus != NERR_Success) {
+		if (nStatus == ERROR_ACCESS_DENIED)
+			return (ISC_R_NOPERM);
+		if (nStatus == ERROR_MORE_DATA)
+			return (ISC_R_NOSPACE);
+		if (nStatus == NERR_UserNotFound)
+			dwEntriesRead = 0;
+	}
+
+	dwTotalCount = 0;
+	if (pBuf != NULL) {
+		pTmpLBuf = pBuf;
+		/*
+		 * Loop through the entries
+		 */
+	         for (i = 0;
+		     (i < dwEntriesRead && *totalGroups < maxgroups); i++) {
+			assert(pTmpLBuf != NULL);
+			if (pTmpLBuf == NULL)
+				break;
+			retlen = wcslen(pTmpLBuf->lgrui0_name);
+			GroupList[*totalGroups] = (char *) malloc(retlen +1);
+			if (GroupList[*totalGroups] == NULL)
+				return (ISC_R_NOMEMORY);
+
+			retlen = wcstombs(GroupList[*totalGroups],
+				 pTmpLBuf->lgrui0_name, retlen);
+			GroupList[*totalGroups][retlen] = '\0';
+			if (strcmp(GroupList[*totalGroups], "None") == 0)
+				free(GroupList[*totalGroups]);
+			else
+				(*totalGroups)++;
+			pTmpLBuf++;
+		}
+	}
+	/* Free the allocated memory. */
+	if (pBuf != NULL)
+		NetApiBufferFree(pBuf);
+
+   
+	/*
+	 * Call the NetUserGetGroups function, specifying level 0.
+	 */
+	nStatus = NetUserGetGroups(NULL,
+                              user,
+                              dwLevel,
+                              (LPBYTE*)&pgrpBuf,
+                              dwPrefMaxLen,
+                              &dwEntriesRead,
+                              &dwTotalEntries);
+	/*
+	 * See if the call succeeds,
+	 */
+	if (nStatus != NERR_Success) {
+		if (nStatus == ERROR_ACCESS_DENIED)
+			return (ISC_R_NOPERM);
+		if (nStatus == ERROR_MORE_DATA)
+			return (ISC_R_NOSPACE);
+		if (nStatus == NERR_UserNotFound)
+			dwEntriesRead = 0;
+	}
+ 
+	if (pgrpBuf != NULL) {
+		pTmpBuf = pgrpBuf;
+		/*
+		 * Loop through the entries
+		 */
+	         for (i = 0;
+		     (i < dwEntriesRead && *totalGroups < maxgroups); i++) {
+			assert(pTmpBuf != NULL);
+
+			if (pTmpBuf == NULL)
+				break;
+			retlen = wcslen(pTmpBuf->grui0_name);
+			GroupList[*totalGroups] = (char *) malloc(retlen +1);
+			if (GroupList[*totalGroups] == NULL)
+				return (ISC_R_NOMEMORY);
+
+			retlen = wcstombs(GroupList[*totalGroups],
+				 pTmpBuf->grui0_name, retlen);
+			GroupList[*totalGroups][retlen] = '\0';
+			if (strcmp(GroupList[*totalGroups], "None") == 0)
+				free(GroupList[*totalGroups]);
+			else
+				(*totalGroups)++;
+			pTmpBuf++;
+		}
+	}
+	/*
+	 * Free the allocated memory.
+	 */
+	if (pgrpBuf != NULL)
+		NetApiBufferFree(pgrpBuf);
+
+	return (ISC_R_SUCCESS);
+}
diff --git a/lib/isc/win32/ntpaths.c b/lib/isc/win32/ntpaths.c
index f834844b..2b1c3f7f 100644
--- a/lib/isc/win32/ntpaths.c
+++ b/lib/isc/win32/ntpaths.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ntpaths.c,v 1.6.2.5 2007/06/18 23:45:27 tbox Exp $ */
+/* $Id: ntpaths.c,v 1.6.2.2.10.1 2004/03/06 08:15:09 marka Exp $ */
 
 /*
  * This module fetches the required path information that is specific
@@ -63,8 +63,9 @@ isc_ntpaths_init() {
 		if (RegQueryValueEx(hKey, "InstallDir", NULL, NULL,
 			(LPBYTE)namedBase, &baseLen) != ERROR_SUCCESS)
 			keyFound = FALSE;
-		RegCloseKey(hKey);
 	}
+	
+	RegCloseKey(hKey);
 
 	GetSystemDirectory(systemDir, MAX_PATH);
 
diff --git a/lib/isc/win32/once.c b/lib/isc/win32/once.c
index c8147d66..073424b5 100644
--- a/lib/isc/win32/once.c
+++ b/lib/isc/win32/once.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: once.c,v 1.9.2.3 2007/06/18 23:45:27 tbox Exp $ */
+/* $Id: once.c,v 1.9.206.1 2004/03/06 08:15:09 marka Exp $ */
 
 /* Principal Authors: DCL */
 
@@ -41,11 +41,8 @@ isc_once_do(isc_once_t *controller, void(*function)(void)) {
 		} else {
 			while (controller->status == ISC_ONCE_INIT_NEEDED) {
 				/*
-				 * Sleep(0) indicates that this thread 
-				 * should be suspended to allow other 
-				 * waiting threads to execute.
+				 * Spin wait.
 				 */
-				Sleep(0);
 			}
 		}
 	}
diff --git a/lib/isc/win32/os.c b/lib/isc/win32/os.c
index 315fee83..fc9c40a8 100644
--- a/lib/isc/win32/os.c
+++ b/lib/isc/win32/os.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) 2000-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,24 +15,21 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: os.c,v 1.4.2.1 2004/03/09 06:12:19 marka Exp $ */
+/* $Id: os.c,v 1.4.14.3 2004/03/08 09:05:00 marka Exp $ */
 
 #include <windows.h>
 
+#include <isc/os.h>
+
 static BOOL bInit = FALSE;
 static SYSTEM_INFO SystemInfo;
-static OSVERSIONINFO osVer;
 
 static void
 initialize_action(void) {
-	BOOL bSuccess;
-
 	if (bInit)
 		return;
 	
 	GetSystemInfo(&SystemInfo);
-	osVer.dwOSVersionInfoSize = sizeof(osVer);
-	bSuccess = GetVersionEx(&osVer);
 	bInit = TRUE;
 }
 
@@ -46,15 +43,3 @@ isc_os_ncpus(void) {
 
 	return ((unsigned int)ncpus);
 }
-
-unsigned int
-isc_os_majorversion(void) {
-	initialize_action();
-	return ((unsigned int)osVer.dwMajorVersion);
-}
-
-unsigned int
-isc_os_minorversion(void) {
-	initialize_action();
-	return ((unsigned int)osVer.dwMinorVersion);
-}
diff --git a/lib/isc/win32/resource.c b/lib/isc/win32/resource.c
index db9386d3..79988dcd 100644
--- a/lib/isc/win32/resource.c
+++ b/lib/isc/win32/resource.c
@@ -15,10 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: resource.c,v 1.2.2.1 2004/03/09 06:12:19 marka Exp $ */
+/* $Id: resource.c,v 1.2.12.3 2004/03/08 09:05:00 marka Exp $ */
 
 #include <config.h>
 
+#include <stdio.h>
+
 #include <isc/platform.h>
 #include <isc/resource.h>
 #include <isc/result.h>
@@ -26,13 +28,40 @@
 
 #include "errno2result.h"
 
+/*
+ * Windows limits the maximum number of open files to 2048
+ */
+
+#define WIN32_MAX_OPEN_FILES	2048
+
 isc_result_t
 isc_resource_setlimit(isc_resource_t resource, isc_resourcevalue_t value) {
-	return (ISC_R_NOTIMPLEMENTED);
+	isc_resourcevalue_t rlim_value;
+	int wresult;
+
+	if (resource != isc_resource_openfiles)
+		return (ISC_R_NOTIMPLEMENTED);
 
+
+	if (value == ISC_RESOURCE_UNLIMITED)
+		rlim_value = WIN32_MAX_OPEN_FILES;
+	else
+		rlim_value = min(value, WIN32_MAX_OPEN_FILES);
+
+	wresult = _setmaxstdio((int) rlim_value);
+
+	if (wresult > 0)
+		return (ISC_R_SUCCESS);
+	else
+		return (isc__errno2result(errno));
 }
 
 isc_result_t
 isc_resource_getlimit(isc_resource_t resource, isc_resourcevalue_t *value) {
-	return (ISC_R_NOTIMPLEMENTED);
+
+	if (resource != isc_resource_openfiles)
+		return (ISC_R_NOTIMPLEMENTED);
+
+	*value = WIN32_MAX_OPEN_FILES;
+	return (ISC_R_SUCCESS);
 }
diff --git a/lib/isc/win32/socket.c b/lib/isc/win32/socket.c
index 72f7a796..c9a96d17 100644
--- a/lib/isc/win32/socket.c
+++ b/lib/isc/win32/socket.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: socket.c,v 1.5.2.33 2007/06/18 03:30:31 marka Exp $ */
+/* $Id: socket.c,v 1.5.2.13.2.8 2004/03/06 08:15:10 marka Exp $ */
 
 /* This code has been rewritten to take advantage of Windows Sockets
  * I/O Completion Ports and Events. I/O Completion Ports is ONLY
@@ -77,7 +77,6 @@
 #include <isc/msgs.h>
 #include <isc/mutex.h>
 #include <isc/net.h>
-#include <isc/once.h>
 #include <isc/os.h>
 #include <isc/platform.h>
 #include <isc/print.h>
@@ -99,8 +98,8 @@
  * NOTE: This requires that Windows 2000 systems install Service Pack 2
  * or later.
  */
-#ifndef SIO_UDP_CONNRESET
-#define SIO_UDP_CONNRESET _WSAIOW(IOC_VENDOR,12)
+#ifndef SIO_UDP_CONNRESET 
+#define SIO_UDP_CONNRESET _WSAIOW(IOC_VENDOR,12) 
 #endif
 
 /*
@@ -114,26 +113,19 @@
 /*
  * Define what the possible "soft" errors can be.  These are non-fatal returns
  * of various network related functions, like recv() and so on.
+ *
+ * For some reason, BSDI (and perhaps others) will sometimes return <0
+ * from recv() but will have errno==0.  This is broken, but we have to
+ * work around it here.
  */
 #define SOFT_ERROR(e)	((e) == WSAEINTR || \
+			 (e) == WSA_IO_PENDING || \
 			 (e) == WSAEWOULDBLOCK || \
 			 (e) == EWOULDBLOCK || \
 			 (e) == EINTR || \
 			 (e) == EAGAIN || \
 			 (e) == 0)
 
-/*
- * Pending errors are not really errors and should be
- * kept separate
- */
-#define PENDING_ERROR(e) ((e) == WSA_IO_PENDING || (e) == 0)
-
-#define DOIO_SUCCESS	  0       /* i/o ok, event sent */
-#define DOIO_SOFT	     1       /* i/o ok, soft error, no event sent */
-#define DOIO_HARD	     2       /* i/o error, event sent */
-#define DOIO_EOF	      3       /* EOF, no event sent */
-#define DOIO_PENDING	  4       /* status when i/o is in process */
-
 #define DLVL(x) ISC_LOGCATEGORY_GENERAL, ISC_LOGMODULE_SOCKET, ISC_LOG_DEBUG(x)
 
 /*
@@ -172,8 +164,14 @@ typedef isc_event_t intev_t;
 #endif
 
 /*
+ * NetBSD and FreeBSD can timestamp packets.  XXXMLG Should we have
+ * a setsockopt() like interface to request timestamps, and if the OS
+ * doesn't do it for us, call gettimeofday() on every UDP receive?
+ */
+
+/*
  * We really  don't want to try and use these control messages. Win32
- * doesn't have this mechanism before XP.
+ * doesn't have this mechanism
  */
 #undef USE_CMSG
 
@@ -184,19 +182,17 @@ typedef isc_event_t intev_t;
 
 
 struct msghdr {
-	void	*msg_name;		/* optional address */
-	u_int   msg_namelen;		/* size of address */
-	WSABUF	*msg_iov;		/* scatter/gather array */
-	u_int   msg_iovlen;		/* # elements in msg_iov */
-	void	*msg_control;		/* ancillary data, see below */
-	u_int   msg_controllen;		/* ancillary data buffer len */
-	int     msg_flags;		/* flags on received message */
-	int	msg_totallen;		/* total length of this message */
+        void	*msg_name;              /* optional address */
+        u_int   msg_namelen;            /* size of address */
+        WSABUF  *msg_iov;		/* scatter/gather array */
+        u_int   msg_iovlen;             /* # elements in msg_iov */
+        void	*msg_control;           /* ancillary data, see below */
+        u_int   msg_controllen;         /* ancillary data buffer len */
+        int     msg_flags;              /* flags on received message */
 } msghdr;
-
+	
 /*
- * The number of times a send operation is repeated if the result
- * is WSAEINTR.
+ * The number of times a send operation is repeated if the result is EINTR.
  */
 #define NRETRIES 10
 
@@ -209,11 +205,13 @@ struct isc_socket {
 	OVERLAPPED		overlapped;
 	/* Pointers to scatter/gather buffers */
 	WSABUF			iov[ISC_SOCKET_MAXSCATTERGATHER];
+	size_t			totalBytes;
 	WSAEVENT		hEvent;		/* Event Handle */
 	long			wait_type;	/* Events to wait on */
 	WSAEVENT		hAlert;		/* Alert Event Handle */
 	DWORD			evthread_id;	/* Event Thread Id for socket */
 
+
 	/* Locked by socket lock. */
 	ISC_LINK(isc_socket_t)	link;
 	unsigned int		references;
@@ -241,10 +239,8 @@ struct isc_socket {
 				listener : 1,	/* listener socket */
 				connected : 1,
 				connecting : 1, /* connect pending */
-				bound : 1,	/* bound to local addr */
-				pending_free: 1;
-	unsigned int		pending_recv;
-	unsigned int		pending_send;
+				bound : 1;	/* bound to local addr */
+
 };
 
 /*
@@ -284,7 +280,7 @@ struct event_change {
 
 /*
  * Note: We are using an array here since *WaitForMultiple* wants an array
- * WARNING: This value may not be greater than 64 since the
+ * WARNING: This value may not be greater than 64 since the 
  * WSAWaitForMultipleEvents function is limited to 64 events.
  */
 
@@ -335,6 +331,10 @@ struct isc_socketmgr {
 	DWORD				dwIOCPThreadIds[MAX_IOCPTHREADS];
 };
 
+#define CLOSED		0	/* this one must be zero */
+#define MANAGED		1
+#define CLOSE_PENDING	2
+
 /*
  * send() and recv() iovec counts
  */
@@ -346,8 +346,11 @@ static isc_threadresult_t WINAPI SocketIoThread(LPVOID ThreadContext);
 static void free_socket(isc_socket_t **);
 
 enum {
+	SOCKET_CANCEL,
+	SOCKET_SHUTDOWN,
 	SOCKET_RECV,
 	SOCKET_SEND,
+	SOCK_ACCEPT
 };
 
 enum {
@@ -355,6 +358,9 @@ enum {
 	EVENT_DELETE
 };
 
+#define SOCK_DEAD(s)			((s)->references == 0)
+
+
 #if defined(ISC_SOCKET_DEBUG)
 /*
  * This is used to dump the contents of the sock structure
@@ -448,7 +454,7 @@ iocompletionport_createthreads(int total_threads, isc_socketmgr_t *manager) {
 	 * We need at least one
 	 */
 	for (i = 0; i < total_threads; i++) {
-		manager->hIOCPThreads[i] = CreateThread(NULL, 0, SocketIoThread,
+		manager->hIOCPThreads[i] = CreateThread( NULL, 0, SocketIoThread,
 						manager, 0,
 						&manager->dwIOCPThreadIds[i]);
 		if(manager->hIOCPThreads[i] == NULL) {
@@ -495,13 +501,13 @@ iocompletionport_init(isc_socketmgr_t *manager) {
 				strbuf);
 		exit(1);
 	}
-
+	
 	/*
 	 * Worker threads for servicing the I/O
  	 */
 	iocompletionport_createthreads(manager->maxIOCPThreads, manager);
 }
-
+	
 
 void
 iocompletionport_exit(isc_socketmgr_t *manager) {
@@ -515,8 +521,7 @@ iocompletionport_exit(isc_socketmgr_t *manager) {
 }
 
 /*
- * Add sockets in here and pass the sock data in as part of the
- * information needed.
+ * Add sockets in here and pass the sock data in as part of the information needed
  */
 void
 iocompletionport_update(isc_socket_t *sock) {
@@ -647,21 +652,19 @@ socket_eventlist_add(event_change_t *evchange, sock_event_list *evlist,
 	sock->evthread_id = GetCurrentThreadId();
 	return (ISC_TRUE);
 }
-
 /*
- * Note that the eventLock is locked before calling this function.
- * All Events and associated sockets are closed here.
+ * Note that the eventLock is locked before calling this function
+ * All Events and associated sockes are closed here
  */
 isc_boolean_t
 socket_eventlist_delete(event_change_t *evchange, sock_event_list *evlist) {
 	int i;
 	WSAEVENT hEvent;
 	int iEvent = -1;
-	isc_boolean_t dofree = ISC_FALSE;
 
 	REQUIRE(evchange != NULL);
 	/*  Make sure this is the right thread from which to delete the event */
-	if (evchange->evthread_id != GetCurrentThreadId())
+	if(evchange->evthread_id != GetCurrentThreadId())
 		return (ISC_FALSE);
 
 	REQUIRE(evlist != NULL);
@@ -675,7 +678,6 @@ socket_eventlist_delete(event_change_t *evchange, sock_event_list *evlist) {
 			break;
 		}
 	}
-
 	/* Actual event start at 1 */
 	if (iEvent < 1)
 		return (ISC_FALSE);
@@ -684,34 +686,18 @@ socket_eventlist_delete(event_change_t *evchange, sock_event_list *evlist) {
 		evlist->aEventList[i] = evlist->aEventList[i + 1];
 		evlist->aSockList[i] = evlist->aSockList[i + 1];
 	}
-
 	evlist->aEventList[evlist->max_event - 1] = 0;
 	evlist->aSockList[evlist->max_event - 1] = NULL;
 
 	/* Cleanup */
 	WSACloseEvent(hEvent);
-
-	LOCK(&evchange->sock->lock);
-	if (evchange->sock->pending_close) {
-		evchange->sock->pending_close = 0;
+	if (evchange->fd >= 0)
 		closesocket(evchange->fd);
-	}
-	if (evchange->sock->pending_recv == 0 &&
-	    evchange->sock->pending_send == 0 &&
-	    evchange->sock->pending_free) {
-		evchange->sock->pending_free = 0;
-		dofree = ISC_TRUE;
-	}
-	UNLOCK(&evchange->sock->lock);
-	if (dofree)
-		free_socket(&evchange->sock);
-
 	evlist->max_event--;
 	evlist->total_events--;
 
 	return (ISC_TRUE);
 }
-
 /*
  * Get the event changes off of the list and apply the
  * requested changes. The manager lock is taken out at
@@ -736,20 +722,15 @@ process_eventlist(sock_event_list *evlist, isc_socketmgr_t *manager) {
 
 	LOCK(&manager->lock);
 
-	/*
-	 * First the deletes.
-	 */
+	/* First the deletes */
 	evchange = ISC_LIST_HEAD(manager->event_updates);
 	while (evchange != NULL) {
 		next = ISC_LIST_NEXT(evchange, link);
 		del = ISC_FALSE;
-		if (evchange->action == EVENT_DELETE) {
+		if(evchange->action == EVENT_DELETE) {
 			del = socket_eventlist_delete(evchange, evlist);
 
-			/*
-			 * Delete only if this thread's socket list was
-			 * updated.
-			 */
+			/* Delete only if this thread's socket list was updated */
 			if (del) {
 				ISC_LIST_DEQUEUE(manager->event_updates,
 						 evchange, link);
@@ -759,21 +740,15 @@ process_eventlist(sock_event_list *evlist, isc_socketmgr_t *manager) {
 		}
 		evchange = next;
 	}
-
-	/*
-	 * Now the adds.
-	 */
+	/* Now the adds */
 	evchange = ISC_LIST_HEAD(manager->event_updates);
 	while (evchange != NULL) {
 		next = ISC_LIST_NEXT(evchange, link);
 		del = ISC_FALSE;
-		if (evchange->action == EVENT_ADD) {
+		if(evchange->action == EVENT_ADD) {
 			del = socket_eventlist_add(evchange, evlist, manager);
 
-			/*
-			 * Delete only if this thread's socket list was
-			 * updated.
-			 */
+			/* Delete only if this thread's socket list was updated */
 			if (del) {
 				ISC_LIST_DEQUEUE(manager->event_updates,
 						 evchange, link);
@@ -786,21 +761,19 @@ process_eventlist(sock_event_list *evlist, isc_socketmgr_t *manager) {
 	UNLOCK(&manager->lock);
 	return (ISC_R_SUCCESS);
 }
-
 /*
  * Add the event list changes to the queue and notify the
  * event loop
  */
 static void
 notify_eventlist(isc_socket_t *sock, isc_socketmgr_t *manager,
-		 unsigned int action)
-{
+		 unsigned int action) {
 
 	event_change_t *evchange;
 
 	REQUIRE(VALID_MANAGER(manager));
 	REQUIRE(sock != NULL);
-
+	
 	evchange = HeapAlloc(hHeapHandle, HEAP_ZERO_MEMORY,
 			     sizeof(event_change_t));
 	evchange->sock = sock;
@@ -820,7 +793,6 @@ notify_eventlist(isc_socket_t *sock, isc_socketmgr_t *manager,
 	else
 		WSASetEvent(manager->prime_alert);
 }
-
 /*
  * Note that the socket is already locked before calling this function
  */
@@ -837,7 +809,7 @@ socket_event_add(isc_socket_t *sock, long type) {
 	if (hEvent == WSA_INVALID_EVENT) {
 		stat = WSAGetLastError();
 		isc__strerror(stat, strbuf, sizeof(strbuf));
-		msg = isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+		msg = isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,	
 				     ISC_MSG_FAILED, "failed"),
 		UNEXPECTED_ERROR(__FILE__, __LINE__, "WSACreateEvent: %s: %s",
 				 msg, strbuf);
@@ -846,7 +818,7 @@ socket_event_add(isc_socket_t *sock, long type) {
 	if (WSAEventSelect(sock->fd, hEvent, type) != 0) {
 		stat = WSAGetLastError();
 		isc__strerror(stat, strbuf, sizeof(strbuf));
-		msg = isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+		msg = isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,	
 				     ISC_MSG_FAILED, "failed");
 		UNEXPECTED_ERROR(__FILE__, __LINE__, "WSAEventSelect: %s: %s",
 				 msg, strbuf);
@@ -858,7 +830,6 @@ socket_event_add(isc_socket_t *sock, long type) {
 	notify_eventlist(sock, sock->manager, EVENT_ADD);
 	return (ISC_R_SUCCESS);
 }
-
 /*
  * Note that the socket is not locked before calling this function
  */
@@ -868,14 +839,16 @@ socket_event_delete(isc_socket_t *sock) {
 	REQUIRE(sock != NULL);
 	REQUIRE(sock->hEvent != NULL);
 
-	sock->wait_type = 0;
-	sock->pending_close = 1;
-	notify_eventlist(sock, sock->manager, EVENT_DELETE);
-	sock->hEvent = NULL;
-	sock->hAlert = NULL;
-	sock->evthread_id = 0;
-}
+	if (sock->hEvent != NULL) {
+		sock->wait_type = 0;
+		sock->pending_close = 1;
+		notify_eventlist(sock, sock->manager, EVENT_DELETE);
+		sock->hEvent = NULL;
+		sock->hAlert = NULL;
+		sock->evthread_id = 0;
+	}
 
+}
 /*
  * Routine to cleanup and then close the socket.
  * Only close the socket here if it is NOT associated
@@ -887,92 +860,77 @@ void
 socket_close(isc_socket_t *sock) {
 
 	REQUIRE(sock != NULL);
-
-	sock->pending_close = 0;
+	sock->pending_close = 1;
 	if (sock->hEvent != NULL)
 		socket_event_delete(sock);
-	else
+	else {
 		closesocket(sock->fd);
-
+	}
 	if (sock->iocp) {
 		sock->iocp = 0;
 		InterlockedDecrement(&iocp_total);
 	}
-}
-
-static isc_once_t initialise_once = ISC_ONCE_INIT;
-static isc_boolean_t initialised = ISC_FALSE;
 
-static void
-initialise(void) {
+}
+/*
+ * Initialize socket services
+ */
+BOOL InitSockets() {
 	WORD wVersionRequested;
 	WSADATA wsaData;
 	int err;
 
 	/* Need Winsock 2.0 or better */
 	wVersionRequested = MAKEWORD(2, 0);
-
+ 
 	err = WSAStartup(wVersionRequested, &wsaData);
-	if (err != 0) {
-		char strbuf[ISC_STRERRORSIZE];
-		isc__strerror(err, strbuf, sizeof(strbuf));
-		FATAL_ERROR(__FILE__, __LINE__, "WSAStartup() %s: %s",
-			    isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
-					   ISC_MSG_FAILED, "failed"),
-			    strbuf);
-	} else
-		initialised = ISC_TRUE;
-}
-
-/*
- * Initialize socket services
- */
-void
-InitSockets(void) {
-	RUNTIME_CHECK(isc_once_do(&initialise_once,
-                                  initialise) == ISC_R_SUCCESS);
-	if (!initialised)
-		exit(1);
+	if ( err != 0 ) {
+		/* Tell the user that we could not find a usable Winsock DLL */
+		return(FALSE);
+	}
+	return(TRUE);
 }
 
 int
 internal_sendmsg(isc_socket_t *sock, IoCompletionInfo *lpo,
-		 struct msghdr *messagehdr, int flags, int *Error)
-{
+		 struct msghdr *messagehdr, int flags, int *Error) {
 	int Result;
 	DWORD BytesSent;
 	DWORD Flags = flags;
 	int total_sent;
 
 	*Error = 0;
-	Result = WSASendTo((SOCKET) sock->fd, messagehdr->msg_iov,
-			   messagehdr->msg_iovlen, &BytesSent,
-			   Flags, messagehdr->msg_name,
-			   messagehdr->msg_namelen, (LPOVERLAPPED) lpo,
-			   NULL);
+	Result = WSASendTo((SOCKET) sock->fd, 
+			messagehdr->msg_iov, 
+			messagehdr->msg_iovlen, 
+			&BytesSent,
+			Flags,
+			messagehdr->msg_name,
+			messagehdr->msg_namelen,
+			(LPOVERLAPPED) lpo,
+			NULL);
 
 	total_sent = (int) BytesSent;
-
+    
 	/* Check for errors.*/
 	if (Result == SOCKET_ERROR) {
 
 		*Error = WSAGetLastError();
+        
+	        switch (*Error) {
 
-		switch (*Error) {
-		case WSA_IO_INCOMPLETE :
-		case WSA_WAIT_IO_COMPLETION :
-		case WSA_IO_PENDING :
-			sock->pending_send++;
-		case NO_ERROR :
-			break;
+			case NO_ERROR :
+			case WSA_IO_INCOMPLETE :
+			case WSA_WAIT_IO_COMPLETION :
+			case WSA_IO_PENDING :
+				break;
 
-		default :
-			return (-1);
-			break;
-		}
-	} else
-		sock->pending_send++;
-	if (lpo != NULL)
+			default :
+				return (-1);
+				break;
+			}
+	}
+	if(lpo != NULL)
 		return (0);
 	else
 		return (total_sent);
@@ -980,8 +938,7 @@ internal_sendmsg(isc_socket_t *sock, IoCompletionInfo *lpo,
 
 int
 internal_recvmsg(isc_socket_t *sock, IoCompletionInfo *lpo,
-		 struct msghdr *messagehdr, int flags, int *Error)
-{
+		 struct msghdr *messagehdr, int flags, int *Error) {
 	DWORD Flags = 0;
 	DWORD NumBytes = 0;
 	int total_bytes = 0;
@@ -989,14 +946,14 @@ internal_recvmsg(isc_socket_t *sock, IoCompletionInfo *lpo,
 
 	*Error = 0;
 	Result = WSARecvFrom((SOCKET) sock->fd,
-			     messagehdr->msg_iov,
-			     messagehdr->msg_iovlen,
-			     &NumBytes,
-			     &Flags,
-			     messagehdr->msg_name,
-			     (int *)&(messagehdr->msg_namelen),
-			     (LPOVERLAPPED) lpo,
-			     NULL);
+			messagehdr->msg_iov,
+			messagehdr->msg_iovlen,
+			&NumBytes,
+			&Flags,
+			messagehdr->msg_name,
+			(int *)&(messagehdr->msg_namelen),
+			(LPOVERLAPPED) lpo,
+			NULL);
 
 	total_bytes = (int) NumBytes;
 
@@ -1004,34 +961,33 @@ internal_recvmsg(isc_socket_t *sock, IoCompletionInfo *lpo,
 	if (Result == SOCKET_ERROR) {
 
 		*Error = WSAGetLastError();
+        
+	        switch (*Error) {
 
-		switch (*Error) {
-		case WSA_IO_INCOMPLETE:
-		case WSA_WAIT_IO_COMPLETION:
-		case WSA_IO_PENDING:
-			sock->pending_recv++;
-		case NO_ERROR:
-			break;
-
-		default :
-			return (-1);
-			break;
-		}
-	} else
-		sock->pending_recv++;
+			case NO_ERROR :
+			case WSA_IO_INCOMPLETE :
+			case WSA_WAIT_IO_COMPLETION :
+			case WSA_IO_PENDING :
+					break;
 
+			default :
+					return (-1);
+					break;
+			}
+	}
 	/* Return the flags received in header */
 	messagehdr->msg_flags = Flags;
-	if (lpo != NULL)
+	if(lpo != NULL)
 		return (-1);
 	else
 		return (total_bytes);
-}
+
+} 
 
 static void
-manager_log(isc_socketmgr_t *sockmgr, isc_logcategory_t *category,
-	    isc_logmodule_t *module, int level, const char *fmt, ...)
-{
+manager_log(isc_socketmgr_t *sockmgr,
+	    isc_logcategory_t *category, isc_logmodule_t *module, int level,
+	    const char *fmt, ...) {
 	char msgbuf[2048];
 	va_list ap;
 
@@ -1051,13 +1007,11 @@ socket_log(isc_socket_t *sock, isc_sockaddr_t *address,
 	   isc_logcategory_t *category, isc_logmodule_t *module, int level,
 	   isc_msgcat_t *msgcat, int msgset, int message,
 	   const char *fmt, ...) ISC_FORMAT_PRINTF(9, 10);
-
 static void
 socket_log(isc_socket_t *sock, isc_sockaddr_t *address,
 	   isc_logcategory_t *category, isc_logmodule_t *module, int level,
 	   isc_msgcat_t *msgcat, int msgset, int message,
-	   const char *fmt, ...)
-{
+	   const char *fmt, ...) {
 	char msgbuf[2048];
 	char peerbuf[256];
 	va_list ap;
@@ -1104,7 +1058,6 @@ make_nonblock(SOCKET fd) {
 
 	return (ISC_R_SUCCESS);
 }
-
 /*
  * Windows 2000 systems incorrectly cause UDP sockets using WASRecvFrom
  * to not work correctly, returning a WSACONNRESET error when a WSASendTo
@@ -1147,11 +1100,14 @@ connection_reset_fix(SOCKET fd) {
  *
  * Nothing can be NULL, and the done event must list at least one buffer
  * on the buffer linked list for this function to be meaningful.
+ *
+ * If write_countp != NULL, *write_countp will hold the number of bytes
+ * this transaction can send.
  */
 static void
 build_msghdr_send(isc_socket_t *sock, isc_socketevent_t *dev,
-		  struct msghdr *msg, char *cmsg, WSABUF *iov)
-{
+		  struct msghdr *msg, char *cmsg,
+		  WSABUF *iov, size_t *write_countp) {
 	unsigned int iovcount;
 	isc_buffer_t *buffer;
 	isc_region_t used;
@@ -1218,7 +1174,9 @@ build_msghdr_send(isc_socket_t *sock, isc_socketevent_t *dev,
  config:
 	msg->msg_iov = iov;
 	msg->msg_iovlen = iovcount;
-	msg->msg_totallen = write_count;
+
+	if (write_countp != NULL)
+		*write_countp = write_count;
 }
 
 /*
@@ -1229,11 +1187,14 @@ build_msghdr_send(isc_socket_t *sock, isc_socketevent_t *dev,
  *
  * Nothing can be NULL, and the done event must list at least one buffer
  * on the buffer linked list for this function to be meaningful.
+ *
+ * If read_countp != NULL, *read_countp will hold the number of bytes
+ * this transaction can receive.
  */
 static void
 build_msghdr_recv(isc_socket_t *sock, isc_socketevent_t *dev,
-		  struct msghdr *msg, char *cmsg, WSABUF *iov)
-{
+		  struct msghdr *msg, char *cmsg,
+		  WSABUF *iov, size_t *read_countp) {
 	unsigned int iovcount;
 	isc_buffer_t *buffer;
 	isc_region_t available;
@@ -1263,10 +1224,10 @@ build_msghdr_recv(isc_socket_t *sock, isc_socketevent_t *dev,
 		iov[0].len = read_count;
 		iovcount = 1;
 	} else {
-		/*
-		 * Multibuffer I/O.
-		 * Skip empty buffers.
-		 */
+	/*
+	 * Multibuffer I/O.
+	 * Skip empty buffers.
+	 */
 		while (buffer != NULL) {
 			REQUIRE(ISC_BUFFER_VALID(buffer));
 			if (isc_buffer_availablelength(buffer) != 0)
@@ -1298,13 +1259,14 @@ build_msghdr_recv(isc_socket_t *sock, isc_socketevent_t *dev,
 
 	msg->msg_iov = iov;
 	msg->msg_iovlen = iovcount;
-	msg->msg_totallen = read_count;
+
+	if (read_countp != NULL)
+		*read_countp = read_count;
 }
 
 static void
 set_dev_address(isc_sockaddr_t *address, isc_socket_t *sock,
-		isc_socketevent_t *dev)
-{
+		isc_socketevent_t *dev) {
 	if (sock->type == isc_sockettype_udp) {
 		if (address != NULL)
 			dev->address = *address;
@@ -1318,14 +1280,14 @@ set_dev_address(isc_sockaddr_t *address, isc_socket_t *sock,
 
 static isc_socketevent_t *
 allocate_socketevent(isc_socket_t *sock, isc_eventtype_t eventtype,
-		     isc_taskaction_t action, const void *arg)
-{
+		     isc_taskaction_t action, const void *arg) {
 	isc_socketevent_t *ev;
 
 	ev = (isc_socketevent_t *)isc_event_allocate(sock->manager->mctx,
 						     sock, eventtype,
 						     action, arg,
 						     sizeof(*ev));
+
 	if (ev == NULL)
 		return (NULL);
 
@@ -1355,10 +1317,14 @@ dump_msg(struct msghdr *msg, isc_socket_t *sock) {
 }
 #endif
 
+#define DOIO_SUCCESS		0	/* i/o ok, event sent */
+#define DOIO_SOFT		1	/* i/o ok, soft error, no event sent */
+#define DOIO_HARD		2	/* i/o error, event sent */
+#define DOIO_EOF		3	/* EOF, no event sent */
+
 static int
 completeio_recv(isc_socket_t *sock, isc_socketevent_t *dev,
-		struct msghdr *messagehdr, int cc, int recv_errno)
-{
+		struct msghdr *messagehdr, int cc, int recv_errno) {
 	size_t actual_count;
 	isc_buffer_t *buffer;
 
@@ -1391,11 +1357,9 @@ completeio_recv(isc_socket_t *sock, isc_socketevent_t *dev,
 		SOFT_OR_HARD(WSAEDISCON, ISC_R_CONNECTIONRESET);
 		SOFT_OR_HARD(WSAENETDOWN, ISC_R_NETDOWN);
 		ALWAYS_HARD(ERROR_OPERATION_ABORTED, ISC_R_CONNECTIONRESET);
-		ALWAYS_HARD(ERROR_NETNAME_DELETED, ISC_R_CONNECTIONRESET);
 		ALWAYS_HARD(ERROR_PORT_UNREACHABLE, ISC_R_HOSTUNREACH);
 		ALWAYS_HARD(ERROR_HOST_UNREACHABLE, ISC_R_HOSTUNREACH);
 		ALWAYS_HARD(ERROR_NETWORK_UNREACHABLE, ISC_R_NETUNREACH);
-		ALWAYS_HARD(ERROR_NETNAME_DELETED, ISC_R_NETUNREACH);
 		ALWAYS_HARD(WSAENOBUFS, ISC_R_NORESOURCES);
 
 #undef SOFT_OR_HARD
@@ -1419,7 +1383,7 @@ completeio_recv(isc_socket_t *sock, isc_socketevent_t *dev,
 			if (isc_log_wouldlog(isc_lctx, IOEVENT_LEVEL)) {
 				socket_log(sock, &dev->address, IOEVENT,
 					   isc_msgcat, ISC_MSGSET_SOCKET,
-					   ISC_MSG_ZEROPORT,
+					   ISC_MSG_ZEROPORT, 
 					   "dropping source port zero packet");
 			}
 			return (DOIO_SOFT);
@@ -1469,7 +1433,7 @@ completeio_recv(isc_socket_t *sock, isc_socketevent_t *dev,
 	 * If we read less than we expected, update counters,
 	 * and let the upper layer handle it.
 	 */
-	if ((cc != messagehdr->msg_totallen) && (dev->n < dev->minimum))
+	if (((size_t)cc != sock->totalBytes) && (dev->n < dev->minimum))
 		return (DOIO_SOFT);
 
 	/*
@@ -1478,26 +1442,31 @@ completeio_recv(isc_socket_t *sock, isc_socketevent_t *dev,
 	dev->result = ISC_R_SUCCESS;
 	return (DOIO_SUCCESS);
 }
-
 static int
 startio_recv(isc_socket_t *sock, isc_socketevent_t *dev, int *nbytes,
-	     int *recv_errno)
-{
+	     BOOL bwait, int *recv_errno) {
 	char *cmsg = NULL;
 	char strbuf[ISC_STRERRORSIZE];
 	IoCompletionInfo *lpo;
 	int status;
+	struct msghdr messagehdr;
 	struct msghdr *msghdr;
 
-	lpo = (IoCompletionInfo *) HeapAlloc(hHeapHandle,
-					     HEAP_ZERO_MEMORY,
-					     sizeof(IoCompletionInfo));
-	lpo->request_type = SOCKET_RECV;
-	lpo->dev = dev;
-	msghdr = &lpo->messagehdr;
+	if (!bwait) {
+		lpo = (IoCompletionInfo *) HeapAlloc(hHeapHandle,
+			HEAP_ZERO_MEMORY, sizeof(IoCompletionInfo));
+		lpo->request_type = SOCKET_RECV;
+		lpo->dev = dev;
+		msghdr = &lpo->messagehdr;
+	} else {	/* Wait for recv to complete */
+		lpo = NULL;
+		msghdr = &messagehdr;
+	}
+	sock->references++;
 	memset(msghdr, 0, sizeof(struct msghdr));
 
-	build_msghdr_recv(sock, dev, msghdr, cmsg, sock->iov);
+	build_msghdr_recv(sock, dev, msghdr, cmsg, sock->iov,
+			&(sock->totalBytes));
 
 #if defined(ISC_SOCKET_DEBUG)
 	dump_msg(msghdr, sock);
@@ -1506,32 +1475,23 @@ startio_recv(isc_socket_t *sock, isc_socketevent_t *dev, int *nbytes,
 	*nbytes = internal_recvmsg(sock, lpo, msghdr, 0, recv_errno);
 
 	if (*nbytes < 0) {
-		/*
-		 * I/O has been initiated
-		 * return will be via the completion port
-		 */
-		if (PENDING_ERROR(*recv_errno)) {
-			status = DOIO_PENDING;
-			goto done;
-		}
 		if (SOFT_ERROR(*recv_errno)) {
 			status = DOIO_SOFT;
 			goto done;
 		}
 
-		/*
-		 * If we got this far something is wrong
-		 */
 		if (isc_log_wouldlog(isc_lctx, IOEVENT_LEVEL)) {
 			isc__strerror(*recv_errno, strbuf, sizeof(strbuf));
 			socket_log(sock, NULL, IOEVENT,
 				   isc_msgcat, ISC_MSGSET_SOCKET,
-				   ISC_MSG_DOIORECV,
-				  "startio_recv: recvmsg(%d) %d bytes, "
-				  "err %d/%s",
+				   ISC_MSG_DOIORECV, 
+				  "startio_recv: recvmsg(%d) %d bytes, err %d/%s",
 				   sock->fd, *nbytes, *recv_errno, strbuf);
 		}
-		status = DOIO_HARD;
+		status = completeio_recv(sock, dev, msghdr, *nbytes, *recv_errno);
+		if(status != DOIO_SOFT) {
+			sock->references--;
+		}
 		goto done;
 	}
 	dev->result = ISC_R_SUCCESS;
@@ -1539,7 +1499,6 @@ startio_recv(isc_socket_t *sock, isc_socketevent_t *dev, int *nbytes,
 done:
 	return (status);
 }
-
 /*
  * Returns:
  *	DOIO_SUCCESS	The operation succeeded.  dev->result contains
@@ -1554,15 +1513,13 @@ done:
  *	No other return values are possible.
  */
 static int
-completeio_send(isc_socket_t *sock, isc_socketevent_t *dev,
-		struct msghdr *messagehdr, int cc, int send_errno)
-{
+completeio_send(isc_socket_t *sock, isc_socketevent_t *dev, struct msghdr *messagehdr, int cc,
+		int send_errno) {
 	char addrbuf[ISC_SOCKADDR_FORMATSIZE];
 	char strbuf[ISC_STRERRORSIZE];
 
 	if(send_errno != 0) {
 
-
 		if (SOFT_ERROR(send_errno))
 			return (DOIO_SOFT);
 
@@ -1590,7 +1547,6 @@ completeio_send(isc_socket_t *sock, isc_socketevent_t *dev,
 		SOFT_OR_HARD(WSAEDISCON, ISC_R_CONNECTIONRESET);
 		SOFT_OR_HARD(WSAENETDOWN, ISC_R_NETDOWN);
 		ALWAYS_HARD(ERROR_OPERATION_ABORTED, ISC_R_CONNECTIONRESET);
-		ALWAYS_HARD(ERROR_NETNAME_DELETED, ISC_R_CONNECTIONRESET);
 		ALWAYS_HARD(ERROR_PORT_UNREACHABLE, ISC_R_HOSTUNREACH);
 		ALWAYS_HARD(ERROR_HOST_UNREACHABLE, ISC_R_HOSTUNREACH);
 		ALWAYS_HARD(ERROR_NETWORK_UNREACHABLE, ISC_R_NETUNREACH);
@@ -1626,7 +1582,7 @@ completeio_send(isc_socket_t *sock, isc_socketevent_t *dev,
 	 * If we write less than we expected, update counters, poke.
 	 */
 	dev->n += cc;
-	if (cc != messagehdr->msg_totallen)
+	if ((size_t)cc != sock->totalBytes)
 		return (DOIO_SOFT);
 
 	/*
@@ -1636,65 +1592,59 @@ completeio_send(isc_socket_t *sock, isc_socketevent_t *dev,
 	dev->result = ISC_R_SUCCESS;
 	return (DOIO_SUCCESS);
 }
-
 static int
 startio_send(isc_socket_t *sock, isc_socketevent_t *dev, int *nbytes,
-	     int *send_errno)
-{
+	     BOOL bwait, int *send_errno) {
 	char *cmsg = NULL;
 	char strbuf[ISC_STRERRORSIZE];
 	IoCompletionInfo *lpo;
 	int status;
+	struct msghdr messagehdr;
 	struct msghdr *msghdr;
 
-	lpo = (IoCompletionInfo *) HeapAlloc(hHeapHandle,
-					     HEAP_ZERO_MEMORY,
-					     sizeof(IoCompletionInfo));
-	lpo->request_type = SOCKET_SEND;
-	lpo->dev = dev;
-	msghdr = &lpo->messagehdr;
+	if (!bwait) {
+		lpo = (IoCompletionInfo *) HeapAlloc(hHeapHandle,
+			HEAP_ZERO_MEMORY, sizeof(IoCompletionInfo));
+		lpo->request_type = SOCKET_SEND;
+		lpo->dev = dev;
+		msghdr = &lpo->messagehdr;
+	} else {	/* Wait for send to complete */
+		lpo = NULL;
+		msghdr = &messagehdr;
+	}
 	memset(msghdr, 0, sizeof(struct msghdr));
+	sock->references++;
 
-	build_msghdr_send(sock, dev, msghdr, cmsg, sock->iov);
+	build_msghdr_send(sock, dev, msghdr, cmsg, sock->iov,
+			&(sock->totalBytes));
 
 	*nbytes = internal_sendmsg(sock, lpo, msghdr, 0, send_errno);
 
-
 	if (*nbytes < 0) {
-		/*
-		 * I/O has been initiated
-		 * completion will be through the completion port
-		 */
-		if (PENDING_ERROR(*send_errno)) {
-			status = DOIO_PENDING;
-			goto done;
-		}
-
 		if (SOFT_ERROR(*send_errno)) {
 			status = DOIO_SOFT;
 			goto done;
 		}
 
-		/*
-		 * If we got this far then something is wrong
-		 */
 		if (isc_log_wouldlog(isc_lctx, IOEVENT_LEVEL)) {
 			isc__strerror(*send_errno, strbuf, sizeof(strbuf));
 			socket_log(sock, NULL, IOEVENT,
 				   isc_msgcat, ISC_MSGSET_SOCKET,
-				   ISC_MSG_INTERNALSEND,
-				   "startio_send: internal_sendmsg(%d) %d "
-				   "bytes, err %d/%s",
+				   ISC_MSG_INTERNALSEND, 
+				  "startio_send: internal_sendmsg(%d) %d bytes, err %d/%s",
 				   sock->fd, *nbytes, *send_errno, strbuf);
 		}
+		status = completeio_send(sock, dev, msghdr, *nbytes, *send_errno);
+		if(status != DOIO_SOFT) {
+			sock->references--;
+		}
 		goto done;
 	}
 	dev->result = ISC_R_SUCCESS;
 	status = DOIO_SOFT;
- done:
+done:
 	return (status);
 }
-
 /*
  * Kill.
  *
@@ -1705,30 +1655,28 @@ static void
 destroy_socket(isc_socket_t **sockp) {
 	isc_socket_t *sock = *sockp;
 	isc_socketmgr_t *manager = sock->manager;
-	isc_boolean_t dofree = ISC_TRUE;
 
 	REQUIRE(sock != NULL);
 
 	socket_log(sock, NULL, CREATION, isc_msgcat, ISC_MSGSET_SOCKET,
 		   ISC_MSG_DESTROYING, "destroying socket %d", sock->fd);
 
-	LOCK(&manager->lock);
-
-	LOCK(&sock->lock);
-
 	INSIST(ISC_LIST_EMPTY(sock->accept_list));
 	INSIST(ISC_LIST_EMPTY(sock->recv_list));
 	INSIST(ISC_LIST_EMPTY(sock->send_list));
 	INSIST(sock->connect_ev == NULL);
 
+	LOCK(&manager->lock);
+
+	/*
+	 * No one has this socket open and the socket doesn't have to be
+	 * locked. The socket_close function makes sure that if needed
+	 * the event_wait loop removes any associated event from the list
+	 * of events being waited on.
+	 */
 	socket_close(sock);
-	if (sock->pending_recv != 0 || sock->pending_send != 0 ||
-	    sock->pending_close != 0) {
-		dofree = ISC_FALSE;
-		sock->pending_free = 1;
-	}
+
 	ISC_LIST_UNLINK(manager->socklist, sock, link);
-	UNLOCK(&sock->lock);
 
 	if (ISC_LIST_EMPTY(manager->socklist))
 		SIGNAL(&manager->shutdown_ok);
@@ -1736,10 +1684,10 @@ destroy_socket(isc_socket_t **sockp) {
 	/*
 	 * XXX should reset manager->maxfd here
 	 */
+
 	UNLOCK(&manager->lock);
 
-	if (dofree)
-		free_socket(sockp);
+	free_socket(sockp);
 }
 
 static isc_result_t
@@ -1773,9 +1721,6 @@ allocate_socket(isc_socketmgr_t *manager, isc_sockettype_t type,
 	sock->connect_ev = NULL;
 	sock->pending_accept = 0;
 	sock->pending_close = 0;
-	sock->pending_recv = 0;
-	sock->pending_send = 0;
-	sock->pending_free = 0;
 	sock->iocp = 0;
 	sock->listener = 0;
 	sock->connected = 0;
@@ -1860,7 +1805,7 @@ isc_socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type,
 		  isc_socket_t **socketp) {
 	isc_socket_t *sock = NULL;
 	isc_result_t result;
-#if defined(USE_CMSG)
+#if defined(USE_CMSG) || defined(SO_BSDCOMPAT)
 	int on = 1;
 #endif
 	int socket_errno;
@@ -1877,20 +1822,18 @@ isc_socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type,
 	switch (type) {
 	case isc_sockettype_udp:
 		sock->fd = socket(pf, SOCK_DGRAM, IPPROTO_UDP);
-		if (sock->fd != INVALID_SOCKET) {
-			result = connection_reset_fix(sock->fd);
-			if (result != ISC_R_SUCCESS) {
-				closesocket(sock->fd);
-				free_socket(&sock);
-				return (result);
-			}
+		result = connection_reset_fix(sock->fd);
+		if (result != ISC_R_SUCCESS) {
+			closesocket(sock->fd);
+			free_socket(&sock);
+			return (result);
 		}
 		break;
 	case isc_sockettype_tcp:
 		sock->fd = socket(pf, SOCK_STREAM, IPPROTO_TCP);
 		break;
 	}
-
+	
 	if (sock->fd == INVALID_SOCKET) {
 		socket_errno = WSAGetLastError();
 		free_socket(&sock);
@@ -1920,7 +1863,6 @@ isc_socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type,
 
 	result = make_nonblock(sock->fd);
 	if (result != ISC_R_SUCCESS) {
-		closesocket(sock->fd);
 		free_socket(&sock);
 		return (result);
 	}
@@ -1950,7 +1892,7 @@ isc_socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type,
 		if ((pf == AF_INET6)
 		    && (setsockopt(sock->fd, IPPROTO_IPV6, IPV6_PKTINFO,
 				   (void *)&on, sizeof(on)) < 0)) {
-			isc__strerror(WSAGetLastError(), strbuf, sizeof(strbuf));
+			isc__strerror(WSAGetLaastError(), strbuf, sizeof(strbuf));
 			UNEXPECTED_ERROR(__FILE__, __LINE__,
 					 "setsockopt(%d, IPV6_PKTINFO) %s: %s",
 					 sock->fd,
@@ -1961,7 +1903,7 @@ isc_socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type,
 					 strbuf);
 		}
 #endif /* IPV6_RECVPKTINFO */
-#ifdef IPV6_USE_MIN_MTU	/*2292bis, not too common yet*/
+#ifdef IPV6_USE_MIN_MTU        /*2292bis, not too common yet*/
 		/* use minimum MTU */
 		if (pf == AF_INET6) {
 			(void)setsockopt(sock->fd, IPPROTO_IPV6,
@@ -2124,6 +2066,14 @@ internal_accept(isc_socket_t *sock, int accept_errno) {
 	INSIST(sock->pending_accept == 1);
 	sock->pending_accept = 0;
 
+	INSIST(sock->references > 0);
+	sock->references--;  /* the internal event is done with this socket */
+	if (sock->references == 0) {
+		UNLOCK(&sock->lock);
+		destroy_socket(&sock);
+		return;
+	}
+
 	/*
 	 * Check any possible error status from the event notification here.
 	 * Note that we don't take any action since it was only
@@ -2149,7 +2099,7 @@ internal_accept(isc_socket_t *sock, int accept_errno) {
 		UNLOCK(&sock->lock);
 		return;
 	}
-
+	
 	/*
 	 * Get the first item off the accept list.
 	 * If it is empty, unlock the socket and return.
@@ -2178,7 +2128,7 @@ internal_accept(isc_socket_t *sock, int accept_errno) {
 
 	/*
 	 * Try to accept the new connection.  If the accept fails with
-	 * WSAEINTR, the event wait will be notified again since
+	 * EAGAIN or EINTR, the event wait will be notified again since
 	 * the event will be reset on return to caller.
 	 */
 	addrlen = sizeof(dev->newsocket->address.type);
@@ -2216,7 +2166,7 @@ internal_accept(isc_socket_t *sock, int accept_errno) {
 			UNEXPECTED_ERROR(__FILE__, __LINE__,
 					 "internal_accept(): "
 					 "accept() returned peer address "
-					 "family %u (expected %u)",
+					 "family %u (expected %u)", 
 					 dev->newsocket->address.
 					 type.sa.sa_family,
 					 sock->pf);
@@ -2244,7 +2194,7 @@ internal_accept(isc_socket_t *sock, int accept_errno) {
 		const char *msg;
 		stat = WSAGetLastError();
 		isc__strerror(stat, strbuf, sizeof(strbuf));
-		msg = isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+		msg = isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,	
 				     ISC_MSG_FAILED, "failed");
 		UNEXPECTED_ERROR(__FILE__, __LINE__, "WSAEventSelect: %s: %s",
 				 msg, strbuf);
@@ -2284,7 +2234,7 @@ internal_accept(isc_socket_t *sock, int accept_errno) {
 			const char *msg;
 			stat = WSAGetLastError();
 			isc__strerror(stat, strbuf, sizeof(strbuf));
-			msg = isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+			msg = isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,	
 					     ISC_MSG_FAILED, "failed");
 			UNEXPECTED_ERROR(__FILE__, __LINE__,
 					 "WSAEventSelect: %s: %s", msg, strbuf);
@@ -2335,6 +2285,18 @@ internal_connect(isc_socket_t *sock, int connect_errno) {
 	LOCK(&sock->lock);
 
 	/*
+	 * When the internal event was sent the reference count was bumped
+	 * to keep the socket around for us.  Decrement the count here.
+	 */
+	INSIST(sock->references > 0);
+	sock->references--;
+	if (sock->references == 0) {
+		UNLOCK(&sock->lock);
+		destroy_socket(&sock);
+		return;
+	}
+
+	/*
 	 * Has this event been canceled?
 	 */
 	dev = sock->connect_ev;
@@ -2352,7 +2314,7 @@ internal_connect(isc_socket_t *sock, int connect_errno) {
 	 */
 	if (connect_errno != 0) {
 		/*
-		 * If the error is SOFT, just try again on this
+		 * If the error is EAGAIN, just try again on this
 		 * fd and pretend nothing strange happened.
 		 */
 		if (SOFT_ERROR(connect_errno) ||
@@ -2404,9 +2366,7 @@ internal_connect(isc_socket_t *sock, int connect_errno) {
 }
 
 static void
-internal_recv(isc_socket_t *sock, isc_socketevent_t *dev,
-	      struct msghdr *messagehdr, int nbytes, int recv_errno)
-{
+internal_recv(isc_socket_t *sock, isc_socketevent_t *dev, struct msghdr *messagehdr, int nbytes, int recv_errno) {
 	isc_socketevent_t *ldev;
 	int io_state;
 	int cc;
@@ -2418,8 +2378,14 @@ internal_recv(isc_socket_t *sock, isc_socketevent_t *dev,
 		   isc_msgcat, ISC_MSGSET_SOCKET, ISC_MSG_INTERNALRECV,
 		   "internal_recv: task got socket event %p", dev);
 
-	INSIST(sock->pending_recv > 0);
-	sock->pending_recv--;
+	INSIST(sock->references > 0);
+	sock->references--;  /* the internal event is done with this socket */
+	if (sock->references == 0) {
+		UNLOCK(&sock->lock);
+		destroy_socket(&sock);
+		return;
+	}
+
 	/* If the event is no longer in the list we can just return */
 	ldev = ISC_LIST_HEAD(sock->recv_list);
 	while (ldev != NULL && ldev != dev) {
@@ -2432,37 +2398,37 @@ internal_recv(isc_socket_t *sock, isc_socketevent_t *dev,
 	 * Try to do as much I/O as possible on this socket.  There are no
 	 * limits here, currently.
 	 */
-	switch (completeio_recv(sock, dev, messagehdr, nbytes, recv_errno)) {
-	case DOIO_SOFT:
-		cc = 0;
-		recv_errno = 0;
-		io_state = startio_recv(sock, dev, &cc, &recv_errno);
-		goto done;
+		switch (completeio_recv(sock, dev, messagehdr, nbytes, recv_errno)) {
+		case DOIO_SOFT:
+			cc = 0;
+			recv_errno = 0;
+			io_state = startio_recv(sock, dev, &cc, FALSE, &recv_errno);
+			goto done;
 
-	case DOIO_EOF:
-		/*
-		 * read of 0 means the remote end was closed.
-		 * Run through the event queue and dispatch all
-		 * the events with an EOF result code.
-		 */
-		dev->result = ISC_R_EOF;
-		send_recvdone_event(sock, &dev);
-		goto done;
+		case DOIO_EOF:
+			/*
+			 * read of 0 means the remote end was closed.
+			 * Run through the event queue and dispatch all
+			 * the events with an EOF result code.
+			 */
+			dev->result = ISC_R_EOF;
+			send_recvdone_event(sock, &dev);
+			goto done;
 
-	case DOIO_SUCCESS:
-	case DOIO_HARD:
-		send_recvdone_event(sock, &dev);
-		break;
-	}
+		case DOIO_SUCCESS:
+		case DOIO_HARD:
+			send_recvdone_event(sock, &dev);
+			break;
+		}
  done:
 	UNLOCK(&sock->lock);
 }
 
 static void
-internal_send(isc_socket_t *sock, isc_socketevent_t *dev,
-	      struct msghdr *messagehdr, int nbytes, int send_errno)
-{
+internal_send(isc_socket_t *sock, isc_socketevent_t *dev, struct msghdr *messagehdr, int nbytes, int send_errno) {
 	isc_socketevent_t *ldev;
+	int io_state;
+	int cc;
 
 	/*
 	 * Find out what socket this is and lock it.
@@ -2474,8 +2440,13 @@ internal_send(isc_socket_t *sock, isc_socketevent_t *dev,
 		   isc_msgcat, ISC_MSGSET_SOCKET, ISC_MSG_INTERNALSEND,
 		   "internal_send: task got socket event %p", dev);
 
-	INSIST(sock->pending_send > 0);
-	sock->pending_send--;
+	INSIST(sock->references > 0);
+	sock->references--;  /* the internal event is done with this socket */
+	if (sock->references == 0) {
+		UNLOCK(&sock->lock);
+		destroy_socket(&sock);
+		return;
+	}
 
 	/* If the event is no longer in the list we can just return */
 	ldev = ISC_LIST_HEAD(sock->send_list);
@@ -2490,7 +2461,11 @@ internal_send(isc_socket_t *sock, isc_socketevent_t *dev,
 	 */
 	switch (completeio_send(sock, dev, messagehdr, nbytes, send_errno)) {
 	case DOIO_SOFT:
-		break;
+		cc = 0;
+		send_errno = 0;
+		io_state = startio_send(sock, dev, &cc, FALSE, &send_errno);
+		goto done;
+
 	case DOIO_HARD:
 	case DOIO_SUCCESS:
 		send_senddone_event(sock, &dev);
@@ -2512,6 +2487,8 @@ SocketIoThread(LPVOID ThreadContext) {
 	isc_socketmgr_t *manager = ThreadContext;
 	BOOL bSuccess = FALSE;
 	DWORD nbytes;
+	DWORD tbytes;
+	DWORD tflags;
 	IoCompletionInfo *lpo = NULL;
 	isc_socket_t *sock = NULL;
 	int request;
@@ -2527,9 +2504,7 @@ SocketIoThread(LPVOID ThreadContext) {
 	 *	preempt normal recv packet processing, but not
 	 * 	higher than the timer sync thread.
 	 */
-	if (!SetThreadPriority(GetCurrentThread(),
-			       THREAD_PRIORITY_ABOVE_NORMAL))
-	{
+	if (!SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_ABOVE_NORMAL)) {
 		errval = GetLastError();
 		isc__strerror(errval, strbuf, sizeof(strbuf));
 		FATAL_ERROR(__FILE__, __LINE__,
@@ -2539,54 +2514,33 @@ SocketIoThread(LPVOID ThreadContext) {
 				strbuf);
 	}
 
+
 	/*
 	 * Loop forever waiting on I/O Completions and then processing them
 	 */
-	while (TRUE) {
-		bSuccess = GetQueuedCompletionStatus(manager->hIoCompletionPort,
-						     &nbytes, (LPDWORD) &sock,
-						     (LPOVERLAPPED *)&lpo,
-						     INFINITE);
-		if (lpo == NULL) {
+	while(TRUE) {
+		bSuccess = GetQueuedCompletionStatus (
+                                       manager->hIoCompletionPort,
+                                       &nbytes,
+                                       (LPDWORD) &sock,
+                                       (LPOVERLAPPED *)&lpo,
+                                       INFINITE
+					);
+		if(lpo == NULL ) {
 			/*
 			 * Received request to exit
 			 */
 			break;
 		}
 		errstatus = 0;
-		if (!bSuccess) {
-			isc_boolean_t dofree = ISC_FALSE;
-			REQUIRE(VALID_SOCKET(sock));
+		if(!bSuccess) {
 			/*
-			 * Was this the socket closed under us?
+			 * I/O Failure
+			 * Find out why
 			 */
-			errstatus = GetLastError();
-			if (nbytes == 0 && errstatus == WSA_OPERATION_ABORTED) {
-				LOCK(&sock->lock);
-				switch (lpo->request_type) {
-				case SOCKET_RECV:
-					INSIST(sock->pending_recv > 0);
-					sock->pending_recv--;
-					break;
-				case SOCKET_SEND:
-					INSIST(sock->pending_send > 0);
-					sock->pending_send--;
-					break;
-				}
-				if (sock->pending_recv == 0 &&
-				    sock->pending_send == 0 &&
-				    sock->pending_close == 0 &&
-				    sock->pending_free) {
-					sock->pending_free = 0;
-					dofree = ISC_TRUE;
-				}
-				UNLOCK(&sock->lock);
-				if (dofree)
-					free_socket(&sock);
-				if (lpo != NULL)
-					HeapFree(hHeapHandle, 0, lpo);
-				continue;
-			}
+			WSAGetOverlappedResult(sock->fd, (LPWSAOVERLAPPED) &lpo,
+						&tbytes, FALSE, &tflags);
+			dev = lpo->dev;
 		}
 
 		request = lpo->request_type;
@@ -2594,17 +2548,20 @@ SocketIoThread(LPVOID ThreadContext) {
 		messagehdr = &lpo->messagehdr;
 
 		switch (request) {
+		case SOCKET_CANCEL:
+			break;
 		case SOCKET_RECV:
 			internal_recv(sock, dev, messagehdr, nbytes, errstatus);
 			break;
 		case SOCKET_SEND:
 			internal_send(sock, dev, messagehdr, nbytes, errstatus);
 			break;
+		default:
+			break;	/* Unknown: Just ignore it */
 		}
 		if (lpo != NULL)
 			HeapFree(hHeapHandle, 0, lpo);
 	}
-
 	/*
 	 * Exit Completion Port Thread
 	 */
@@ -2613,7 +2570,6 @@ SocketIoThread(LPVOID ThreadContext) {
 				   ISC_MSG_EXITING, "SocketIoThread exiting"));
 	return ((isc_threadresult_t)0);
 }
-
 /*
  * This is the thread that will loop forever, waiting for an event to
  * happen.
@@ -2660,7 +2616,7 @@ event_wait(void *uap) {
 			if (cc == WSA_WAIT_FAILED) {
 				event_errno = WSAGetLastError();
 				if (!SOFT_ERROR(event_errno)) {
-					isc__strerror(event_errno, strbuf,
+				        isc__strerror(event_errno, strbuf,
 					      sizeof(strbuf));
 					FATAL_ERROR(__FILE__, __LINE__,
 					   "WSAWaitForMultipleEvents() %s: %s",
@@ -2675,6 +2631,7 @@ event_wait(void *uap) {
 		} while (cc < 0 && !manager->bShutdown
 			 && manager->event_written == 0);
 
+
 		if (manager->bShutdown)
 			break;
 
@@ -2733,9 +2690,11 @@ event_wait(void *uap) {
 			if (wsock->listener == 1 &&
 			    wsock->pending_accept == 0) {
 				wsock->pending_accept = 1;
+				wsock->references++;
 				internal_accept(wsock, event_errno);
 			}
 			else {
+				wsock->references++;
 				internal_connect(wsock, event_errno);
 			}
 		}
@@ -2747,7 +2706,6 @@ event_wait(void *uap) {
 
 	return ((isc_threadresult_t)0);
 }
-
 /*
  * Create a new socket manager.
  */
@@ -2763,8 +2721,6 @@ isc_socketmgr_create(isc_mem_t *mctx, isc_socketmgr_t **managerp) {
 	if (manager == NULL)
 		return (ISC_R_NOMEMORY);
 
-	InitSockets();
-
 	manager->magic = SOCKET_MANAGER_MAGIC;
 	manager->mctx = NULL;
 	ISC_LIST_INIT(manager->socklist);
@@ -2905,8 +2861,7 @@ isc_socketmgr_destroy(isc_socketmgr_t **managerp) {
 
 static isc_result_t
 socket_recv(isc_socket_t *sock, isc_socketevent_t *dev, isc_task_t *task,
-	    unsigned int flags)
-{
+	    unsigned int flags) {
 	int io_state;
 	int cc = 0;
 	isc_task_t *ntask = NULL;
@@ -2917,10 +2872,9 @@ socket_recv(isc_socket_t *sock, isc_socketevent_t *dev, isc_task_t *task,
 
 	LOCK(&sock->lock);
 	iocompletionport_update(sock);
-	io_state = startio_recv(sock, dev, &cc, &recv_errno);
+	io_state = startio_recv(sock, dev, &cc, FALSE, &recv_errno);
 
 	switch (io_state) {
-	case DOIO_PENDING:	/* I/O Started. Nothing to be done */
 	case DOIO_SOFT:
 		/*
 		 * We couldn't read all or part of the request right now, so
@@ -3096,36 +3050,34 @@ socket_send(isc_socket_t *sock, isc_socketevent_t *dev, isc_task_t *task,
 	LOCK(&sock->lock);
 	have_lock = ISC_TRUE;
 	iocompletionport_update(sock);
-	io_state = startio_send(sock, dev, &cc, &send_errno);
+	io_state = startio_send(sock, dev, &cc, FALSE, &send_errno);
 
 	switch (io_state) {
-	case DOIO_PENDING:	/* I/O started. Nothing more to do */
 	case DOIO_SOFT:
 		/*
 		 * We couldn't send all or part of the request right now, so
 		 * queue it unless ISC_SOCKFLAG_NORETRY is set.
 		 */
-		if ((flags & ISC_SOCKFLAG_NORETRY) == 0) {
-			isc_task_attach(task, &ntask);
-			dev->attributes |= ISC_SOCKEVENTATTR_ATTACHED;
-			if (!have_lock) {
-				LOCK(&sock->lock);
-				have_lock = ISC_TRUE;
-			}
+		isc_task_attach(task, &ntask);
+		dev->attributes |= ISC_SOCKEVENTATTR_ATTACHED;
 
-			/*
-			 * Enqueue the request.
-			 */
-			ISC_LIST_ENQUEUE(sock->send_list, dev, ev_link);
+		if (!have_lock) {
+			LOCK(&sock->lock);
+			have_lock = ISC_TRUE;
+		}
+
+		/*
+		 * Enqueue the request.
+		 */
+		ISC_LIST_ENQUEUE(sock->send_list, dev, ev_link);
 
-			socket_log(sock, NULL, EVENT, NULL, 0, 0,
-				   "socket_send: event %p -> task %p",
-				   dev, ntask);
+		socket_log(sock, NULL, EVENT, NULL, 0, 0,
+			   "socket_send: event %p -> task %p",
+			   dev, ntask);
 
-			if ((flags & ISC_SOCKFLAG_IMMEDIATE) != 0)
-				result = ISC_R_INPROGRESS;
-			break;
-		}
+		if ((flags & ISC_SOCKFLAG_IMMEDIATE) != 0)
+			result = ISC_R_INPROGRESS;
+		break;
 
 	case DOIO_SUCCESS:
 		break;
@@ -3257,11 +3209,7 @@ isc_socket_bind(isc_socket_t *sock, isc_sockaddr_t *sockaddr) {
 		UNLOCK(&sock->lock);
 		return (ISC_R_FAMILYMISMATCH);
 	}
-	/*
-	 * Only set SO_REUSEADDR when we want a specific port.
-	 */
-	if (isc_sockaddr_getport(sockaddr) != (in_port_t)0 &&
-	    setsockopt(sock->fd, SOL_SOCKET, SO_REUSEADDR, (void *)&on,
+	if (setsockopt(sock->fd, SOL_SOCKET, SO_REUSEADDR, (void *)&on,
 		       sizeof(on)) < 0) {
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
 				 "setsockopt(%d) %s", sock->fd,
@@ -3299,10 +3247,10 @@ isc_socket_bind(isc_socket_t *sock, isc_sockaddr_t *sockaddr) {
 
 isc_result_t
 isc_socket_filter(isc_socket_t *sock, const char *filter) {
-	UNUSED(sock);
-	UNUSED(filter);
+        UNUSED(sock);
+        UNUSED(filter);
 
-	REQUIRE(VALID_SOCKET(sock));
+        REQUIRE(VALID_SOCKET(sock));
 	return (ISC_R_NOTIMPLEMENTED);
 }
 
@@ -3356,6 +3304,7 @@ isc_socket_listen(isc_socket_t *sock, unsigned int backlog) {
 		return (retstat);
 	}
 
+
 	UNLOCK(&sock->lock);
 	return (ISC_R_SUCCESS);
 }
@@ -3421,7 +3370,7 @@ isc_socket_accept(isc_socket_t *sock,
 		const char *msg;
 		stat = WSAGetLastError();
 		isc__strerror(stat, strbuf, sizeof(strbuf));
-		msg = isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+		msg = isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,	
 				     ISC_MSG_FAILED, "failed");
 		UNEXPECTED_ERROR(__FILE__, __LINE__, "WSAEventSelect: %s: %s",
 				 msg, strbuf);
@@ -3694,6 +3643,7 @@ isc_socket_cancel(isc_socket_t *sock, isc_task_t *task, unsigned int how) {
 		isc_task_t	       *current_task;
 
 		dev = ISC_LIST_HEAD(sock->accept_list);
+		socket_event_delete(sock);
 
 		while (dev != NULL) {
 			current_task = dev->ev_sender;
@@ -3722,7 +3672,7 @@ isc_socket_cancel(isc_socket_t *sock, isc_task_t *task, unsigned int how) {
 			const char *msg;
 			stat = WSAGetLastError();
 			isc__strerror(stat, strbuf, sizeof(strbuf));
-			msg = isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+			msg = isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,	
 					     ISC_MSG_FAILED, "failed");
 			UNEXPECTED_ERROR(__FILE__, __LINE__,
 					 "WSAEventSelect: %s: %s", msg, strbuf);
diff --git a/lib/isc/win32/stdio.c b/lib/isc/win32/stdio.c
index 9bb9aef8..60ee80ba 100644
--- a/lib/isc/win32/stdio.c
+++ b/lib/isc/win32/stdio.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: stdio.c,v 1.3.2.1 2004/03/09 06:12:20 marka Exp $ */
+/* $Id: stdio.c,v 1.3.206.1 2004/03/06 08:15:10 marka Exp $ */
 
 #include <config.h>
 
diff --git a/lib/isc/win32/stdtime.c b/lib/isc/win32/stdtime.c
index 3f3ab605..f225c15b 100644
--- a/lib/isc/win32/stdtime.c
+++ b/lib/isc/win32/stdtime.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: stdtime.c,v 1.9.2.1 2004/03/09 06:12:20 marka Exp $ */
+/* $Id: stdtime.c,v 1.9.206.1 2004/03/06 08:15:10 marka Exp $ */
 
 #include <config.h>
 
diff --git a/lib/isc/win32/strerror.c b/lib/isc/win32/strerror.c
index dff9b5fa..ba329310 100644
--- a/lib/isc/win32/strerror.c
+++ b/lib/isc/win32/strerror.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2002, 2003  Internet Software Consortium.
+ * Copyright (C) 2001, 2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: strerror.c,v 1.5.186.3 2004/03/09 06:12:21 marka Exp $ */
+/* $Id: strerror.c,v 1.5.186.2.2.2 2004/03/08 09:05:01 marka Exp $ */
 
 #include <config.h>
 
diff --git a/lib/isc/win32/syslog.c b/lib/isc/win32/syslog.c
index 45dec399..ac90225e 100644
--- a/lib/isc/win32/syslog.c
+++ b/lib/isc/win32/syslog.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001  Internet Software Consortium.
+ * Copyright (C) 2001-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: syslog.c,v 1.3.2.1 2004/03/09 06:12:21 marka Exp $ */
+/* $Id: syslog.c,v 1.3.12.5 2004/03/08 09:05:01 marka Exp $ */
 
 #include <config.h>
 
@@ -78,7 +78,7 @@ isc_syslog_facilityfromstring(const char *str, int *facilityp) {
 	REQUIRE(str != NULL);
 	REQUIRE(facilityp != NULL);
 
-	for (i = 0 ; facilities[i].strval != NULL ; i++) {
+	for (i = 0; facilities[i].strval != NULL; i++) {
 		if (strcasecmp(facilities[i].strval, str) == 0) {
 			*facilityp = facilities[i].val;
 			return (ISC_R_SUCCESS);
@@ -159,4 +159,23 @@ InitNTLogging(FILE *stream, int debug) {
 	log_stream = stream;
 	ModifyLogLevel(debug);
 }
+/*
+ * This function is for reporting errors to the application
+ * event log in case the regular syslog is not available
+ * mainly during startup. It should not be used under normal
+ * circumstances.
+ */
+void
+NTReportError(const char *name, const char *str) {
+	HANDLE hNTAppLog = NULL;
+	const char *buf[1];
+
+	buf[0] = str;
 
+	hNTAppLog = RegisterEventSource(NULL, name);
+
+	ReportEvent(hNTAppLog, EVENTLOG_ERROR_TYPE, 0,
+		    BIND_ERR_MSG, NULL, 1, 0, buf, NULL);
+
+	DeregisterEventSource(hNTAppLog);
+}
diff --git a/lib/isc/win32/syslog.h b/lib/isc/win32/syslog.h
index 7a52baed..e33cf891 100644
--- a/lib/isc/win32/syslog.h
+++ b/lib/isc/win32/syslog.h
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001  Internet Software Consortium.
+ * Copyright (C) 2001, 2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: syslog.h,v 1.3.2.1 2004/03/09 06:12:21 marka Exp $ */
+/* $Id: syslog.h,v 1.3.14.3 2004/03/08 09:05:01 marka Exp $ */
 
 #ifndef _SYSLOG_H
 #define _SYSLOG_H
@@ -66,6 +66,8 @@ ModifyLogLevel(int level);
 void
 InitNTLogging(FILE *, int);
 
+void
+NTReportError(const char *, const char *);
 /*
  * Include the event codes required for logging.
  */
diff --git a/lib/isc/win32/thread.c b/lib/isc/win32/thread.c
index e36fefd7..a2d5cfb1 100644
--- a/lib/isc/win32/thread.c
+++ b/lib/isc/win32/thread.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: thread.c,v 1.17.2.1 2004/03/09 06:12:21 marka Exp $ */
+/* $Id: thread.c,v 1.17.206.1 2004/03/06 08:15:11 marka Exp $ */
 
 #include <config.h>
 
diff --git a/lib/isc/win32/time.c b/lib/isc/win32/time.c
index c5f1a958..cc396b78 100644
--- a/lib/isc/win32/time.c
+++ b/lib/isc/win32/time.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
+ * Copyright (C) 1998-2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: time.c,v 1.24.2.4 2004/03/09 06:12:21 marka Exp $ */
+/* $Id: time.c,v 1.24.2.3.10.4 2004/03/11 05:58:42 marka Exp $ */
 
 #include <config.h>
 
@@ -48,14 +48,14 @@
  ***/
 
 static isc_time_t epoch = { { 0, 0 } };
-isc_time_t *isc_time_epoch = &epoch;
+LIBISC_EXTERNAL_DATA isc_time_t *isc_time_epoch = &epoch;
 
 /***
  *** Intervals
  ***/
 
 static isc_interval_t zero_interval = { 0 };
-isc_interval_t *isc_interval_zero = &zero_interval;
+LIBISC_EXTERNAL_DATA isc_interval_t *isc_interval_zero = &zero_interval;
 
 void
 isc_interval_set(isc_interval_t *i, unsigned int seconds,
@@ -69,7 +69,7 @@ isc_interval_set(isc_interval_t *i, unsigned int seconds,
 }
 
 isc_boolean_t
-isc_interval_iszero(isc_interval_t *i) {
+isc_interval_iszero(const isc_interval_t *i) {
 	REQUIRE(i != NULL);
 	if (i->interval == 0)
 		return (ISC_TRUE);
@@ -86,7 +86,7 @@ isc_time_settoepoch(isc_time_t *t) {
 }
 
 isc_boolean_t
-isc_time_isepoch(isc_time_t *t) {
+isc_time_isepoch(const isc_time_t *t) {
 	REQUIRE(t != NULL);
 
 	if (t->absolute.dwLowDateTime == 0 &&
@@ -106,7 +106,7 @@ isc_time_now(isc_time_t *t) {
 }
 
 isc_result_t
-isc_time_nowplusinterval(isc_time_t *t, isc_interval_t *i) {
+isc_time_nowplusinterval(isc_time_t *t, const isc_interval_t *i) {
 	ULARGE_INTEGER i1;
 
 	REQUIRE(t != NULL);
@@ -129,14 +129,15 @@ isc_time_nowplusinterval(isc_time_t *t, isc_interval_t *i) {
 }
 
 int
-isc_time_compare(isc_time_t *t1, isc_time_t *t2) {
+isc_time_compare(const isc_time_t *t1, const isc_time_t *t2) {
 	REQUIRE(t1 != NULL && t2 != NULL);
 
 	return ((int)CompareFileTime(&t1->absolute, &t2->absolute));
 }
 
 isc_result_t
-isc_time_add(isc_time_t *t, isc_interval_t *i, isc_time_t *result) {
+isc_time_add(const isc_time_t *t, const isc_interval_t *i, isc_time_t *result)
+{
 	ULARGE_INTEGER i1;
 
 	REQUIRE(t != NULL && i != NULL && result != NULL);
@@ -156,7 +157,8 @@ isc_time_add(isc_time_t *t, isc_interval_t *i, isc_time_t *result) {
 }
 
 isc_result_t
-isc_time_subtract(isc_time_t *t, isc_interval_t *i, isc_time_t *result) {
+isc_time_subtract(const isc_time_t *t, const isc_interval_t *i,
+		  isc_time_t *result) {
 	ULARGE_INTEGER i1;
 
 	REQUIRE(t != NULL && i != NULL && result != NULL);
@@ -176,7 +178,7 @@ isc_time_subtract(isc_time_t *t, isc_interval_t *i, isc_time_t *result) {
 }
 
 isc_uint64_t
-isc_time_microdiff(isc_time_t *t1, isc_time_t *t2) {
+isc_time_microdiff(const isc_time_t *t1, const isc_time_t *t2) {
 	ULARGE_INTEGER i1, i2;
 	LONGLONG i3;
 
@@ -199,7 +201,20 @@ isc_time_microdiff(isc_time_t *t1, isc_time_t *t2) {
 }
 
 isc_uint32_t
-isc_time_nanoseconds(isc_time_t *t) {
+isc_time_seconds(const isc_time_t *t) {
+	SYSTEMTIME st;
+
+	/*
+	 * Convert the time to a SYSTEMTIME structure and the grab the
+	 * milliseconds
+	 */
+	FileTimeToSystemTime(&t->absolute, &st);
+
+	return ((isc_uint32_t)(st.wMilliseconds / 1000));
+}
+
+isc_uint32_t
+isc_time_nanoseconds(const isc_time_t *t) {
 	SYSTEMTIME st;
 
 	/*
@@ -215,21 +230,22 @@ void
 isc_time_formattimestamp(const isc_time_t *t, char *buf, unsigned int len) {
 	FILETIME localft;
 	SYSTEMTIME st;
-
-	static const char badtime[] = "Bad 00 99:99:99.999";
-	static const char *months[] = {
-		"Jan", "Feb", "Mar", "Apr", "May", "Jun",
-		"Jul", "Aug", "Sep", "Oct", "Nov", "Dec"
-	};
+	char DateBuf[50];
+	char TimeBuf[50];
+	
+	static const char badtime[] = "99-Bad-9999 99:99:99.999";
 	
 	REQUIRE(len > 0);
 	if (FileTimeToLocalFileTime(&t->absolute, &localft) &&
-	    FileTimeToSystemTime(&localft, &st))
-	{
-		snprintf(buf, len, "%s %2u %02u:%02u:%02u.%03u",
-		months[st.wMonth - 1], st.wDay, st.wHour, st.wMinute,
-		st.wSecond, st.wMilliseconds);
-	} else {
+	    FileTimeToSystemTime(&localft, &st)) {
+		GetDateFormat(LOCALE_USER_DEFAULT, 0, &st, "dd-MMM-yyyy",
+			      DateBuf, 50);
+		GetTimeFormat(LOCALE_USER_DEFAULT, TIME_NOTIMEMARKER|
+			      TIME_FORCE24HOURFORMAT, &st, NULL, TimeBuf, 50);
+		
+		snprintf(buf, len, "%s %s.%03u", DateBuf, TimeBuf,
+			 st.wMilliseconds);
+		
+	} else
 		snprintf(buf, len, badtime);
-	}
 }
diff --git a/lib/isc/win32/unistd.h b/lib/isc/win32/unistd.h
index 86b7bb18..8551c6ca 100644
--- a/lib/isc/win32/unistd.h
+++ b/lib/isc/win32/unistd.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: unistd.h,v 1.3.2.1 2004/03/09 06:12:21 marka Exp $ */
+/* $Id: unistd.h,v 1.3.206.1 2004/03/06 08:15:12 marka Exp $ */
 
 /* None of these are defined in NT, so define them for our use */
 #define O_NONBLOCK 1
diff --git a/lib/isc/win32/version.c b/lib/isc/win32/version.c
index f24654e4..e96def51 100644
--- a/lib/isc/win32/version.c
+++ b/lib/isc/win32/version.c
@@ -15,12 +15,14 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: version.c,v 1.2.2.1 2004/03/09 06:12:21 marka Exp $ */
+/* $Id: version.c,v 1.2.12.3 2004/03/08 09:05:01 marka Exp $ */
 
 #include <versions.h>
 
-char isc_version[] = VERSION;
+#include <isc/version.h>
 
-unsigned int isc_libinterface = LIBINTERFACE;
-unsigned int isc_librevision = LIBREVISION;
-unsigned int isc_libage = LIBAGE;
+LIBISC_EXTERNAL_DATA const char isc_version[] = VERSION;
+
+LIBISC_EXTERNAL_DATA const unsigned int isc_libinterface = LIBINTERFACE;
+LIBISC_EXTERNAL_DATA const unsigned int isc_librevision = LIBREVISION;
+LIBISC_EXTERNAL_DATA const unsigned int isc_libage = LIBAGE;
diff --git a/lib/isc/win32/win32os.c b/lib/isc/win32/win32os.c
index b34082d1..9bce2e21 100644
--- a/lib/isc/win32/win32os.c
+++ b/lib/isc/win32/win32os.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2002, 2003  Internet Software Consortium.
+ * Copyright (C) 2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: win32os.c,v 1.2.176.3 2004/03/09 06:12:21 marka Exp $ */
+/* $Id: win32os.c,v 1.2.176.2.2.2 2004/03/08 09:05:01 marka Exp $ */
 
 #include <windows.h>
 
diff --git a/lib/isccc/Makefile.in b/lib/isccc/Makefile.in
index 83a80705..8e6a50f8 100644
--- a/lib/isccc/Makefile.in
+++ b/lib/isccc/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2.2.5 2004/07/20 07:00:20 marka Exp $
+# $Id: Makefile.in,v 1.2.12.4 2004/03/06 08:15:18 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -23,7 +23,7 @@ top_srcdir =	@top_srcdir@
 
 @LIBISCCC_API@
 
-@BIND9_INCLUDES@
+@BIND9_MAKE_INCLUDES@
 
 CINCLUDES =	-I. ${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCC_INCLUDES}
 
@@ -69,7 +69,7 @@ libisccc.@SA@: ${OBJS}
 
 libisccc.la: ${OBJS}
 	${LIBTOOL_MODE_LINK} \
-		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisccc.la -rpath ${libdir} \
+		${CC} ${ALL_CFLAGS} -o libisccc.la -rpath ${libdir} \
 		-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
 		${OBJS} ${LIBS} ${ISCLIBS}
 
diff --git a/lib/isccc/alist.c b/lib/isccc/alist.c
index 3c01a757..21b14a25 100644
--- a/lib/isccc/alist.c
+++ b/lib/isccc/alist.c
@@ -16,7 +16,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: alist.c,v 1.2.2.1 2004/03/09 06:12:25 marka Exp $ */
+/* $Id: alist.c,v 1.2.206.1 2004/03/06 08:15:18 marka Exp $ */
 
 #include <config.h>
 
diff --git a/lib/isccc/api b/lib/isccc/api
index c4ea7bd8..8cf13ed4 100644
--- a/lib/isccc/api
+++ b/lib/isccc/api
@@ -1,3 +1,3 @@
-LIBINTERFACE = 1
-LIBREVISION = 1
-LIBAGE = 1
+LIBINTERFACE = 2
+LIBREVISION = 0
+LIBAGE = 2
diff --git a/lib/isccc/base64.c b/lib/isccc/base64.c
index 688a5311..81d356c8 100644
--- a/lib/isccc/base64.c
+++ b/lib/isccc/base64.c
@@ -16,7 +16,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: base64.c,v 1.2.2.1 2004/03/09 06:12:25 marka Exp $ */
+/* $Id: base64.c,v 1.2.206.1 2004/03/06 08:15:19 marka Exp $ */
 
 #include <config.h>
 
diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c
index 2ae3024b..962000cb 100644
--- a/lib/isccc/cc.c
+++ b/lib/isccc/cc.c
@@ -1,5 +1,5 @@
 /*
- * Portions Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 2001-2003  Internet Software Consortium.
  * Portions Copyright (C) 2001  Nominum, Inc.
  *
@@ -16,20 +16,21 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: cc.c,v 1.4.2.7 2006/12/07 23:57:56 marka Exp $ */
+/* $Id: cc.c,v 1.4.2.3.2.4 2004/03/06 08:15:19 marka Exp $ */
 
 #include <config.h>
 
 #include <stdio.h>
-#include <stdlib.h>
 #include <string.h>
 #include <errno.h>
 
-#include <isccc/alist.h>
 #include <isc/assertions.h>
+#include <isc/hmacmd5.h>
+#include <isc/stdlib.h>
+
+#include <isccc/alist.h>
 #include <isccc/base64.h>
 #include <isccc/cc.h>
-#include <isc/hmacmd5.h>
 #include <isccc/result.h>
 #include <isccc/sexpr.h>
 #include <isccc/symtab.h>
@@ -218,7 +219,7 @@ isccc_cc_towire(isccc_sexpr_t *alist, isccc_region_t *target,
 	unsigned char *hmd5_rstart, *signed_rstart;
 	isc_result_t result;
 
-	if (REGION_SIZE(*target) < 4 + sizeof auth_hmd5)
+	if (REGION_SIZE(*target) < 4 + sizeof(auth_hmd5))
 		return (ISC_R_NOSPACE);
 	/*
 	 * Emit protocol version.
@@ -231,7 +232,7 @@ isccc_cc_towire(isccc_sexpr_t *alist, isccc_region_t *target,
 		 * we know what it is.
 		 */
 		hmd5_rstart = target->rstart + HMD5_OFFSET;
-		PUT_MEM(auth_hmd5, sizeof auth_hmd5, target->rstart);
+		PUT_MEM(auth_hmd5, sizeof(auth_hmd5), target->rstart);
 	} else
 		hmd5_rstart = NULL;
 	signed_rstart = target->rstart;
@@ -464,21 +465,12 @@ createmessage(isc_uint32_t version, const char *from, const char *to,
 	result = ISC_R_NOMEMORY;
 
 	_ctrl = isccc_alist_create();
-	if (_ctrl == NULL)
-		goto bad;
-	if (isccc_alist_define(alist, "_ctrl", _ctrl) == NULL) {
-		isccc_sexpr_free(&_ctrl);
-		goto bad;
-	}
-
 	_data = isccc_alist_create();
-	if (_data == NULL)
+	if (_ctrl == NULL || _data == NULL)
 		goto bad;
-	if (isccc_alist_define(alist, "_data", _data) == NULL) {
-		isccc_sexpr_free(&_data);
+	if (isccc_alist_define(alist, "_ctrl", _ctrl) == NULL ||
+	    isccc_alist_define(alist, "_data", _data) == NULL)
 		goto bad;
-	}
-
 	if (isccc_cc_defineuint32(_ctrl, "_ser", serial) == NULL ||
 	    isccc_cc_defineuint32(_ctrl, "_tim", now) == NULL ||
 	    (want_expires &&
@@ -656,7 +648,7 @@ isccc_cc_defineuint32(isccc_sexpr_t *alist, const char *key, isc_uint32_t i)
 	size_t len;
 	isccc_region_t r;
 
-	sprintf(b, "%u", i);
+	snprintf(b, sizeof(b), "%u", i);
 	len = strlen(b);
 	r.rstart = (unsigned char *)b;
 	r.rend = (unsigned char *)b + len;
@@ -801,7 +793,7 @@ isccc_cc_checkdup(isccc_symtab_t *symtab, isccc_sexpr_t *message,
 	key = malloc(len);
 	if (key == NULL)
 		return (ISC_R_NOMEMORY);
-	sprintf(key, "%s;%s;%s;%s", _frm, _to, _ser, _tim);
+	snprintf(key, len, "%s;%s;%s;%s", _frm, _to, _ser, _tim);
 	value.as_uinteger = now;
 	result = isccc_symtab_define(symtab, key, ISCCC_SYMTYPE_CCDUP, value,
 				   isccc_symexists_reject);
diff --git a/lib/isccc/ccmsg.c b/lib/isccc/ccmsg.c
index 873bef3e..fc5fae8a 100644
--- a/lib/isccc/ccmsg.c
+++ b/lib/isccc/ccmsg.c
@@ -16,7 +16,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ccmsg.c,v 1.4.2.1 2004/03/09 06:12:25 marka Exp $ */
+/* $Id: ccmsg.c,v 1.4.206.1 2004/03/06 08:15:19 marka Exp $ */
 
 #include <config.h>
 
diff --git a/lib/isccc/include/Makefile.in b/lib/isccc/include/Makefile.in
index 4491e827..91a2bca7 100644
--- a/lib/isccc/include/Makefile.in
+++ b/lib/isccc/include/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2.2.1 2004/03/09 06:12:26 marka Exp $
+# $Id: Makefile.in,v 1.2.206.1 2004/03/06 08:15:20 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/isccc/include/isccc/Makefile.in b/lib/isccc/include/isccc/Makefile.in
index d2b28fe1..b86e50cf 100644
--- a/lib/isccc/include/isccc/Makefile.in
+++ b/lib/isccc/include/isccc/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.3.2.1 2004/03/09 06:12:26 marka Exp $
+# $Id: Makefile.in,v 1.3.12.3 2004/03/08 09:05:05 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -27,7 +27,7 @@ top_srcdir =	@top_srcdir@
 # install target below.
 #
 HEADERS =	alist.h base64.h cc.h ccmsg.h events.h lib.h result.h \
-		sexpr.h symtab.h symtype.h types.h util.h
+		sexpr.h symtab.h symtype.h types.h util.h version.h
 SUBDIRS =
 TARGETS =
 
diff --git a/lib/isccc/include/isccc/alist.h b/lib/isccc/include/isccc/alist.h
index 6a8cbaed..409c48b8 100644
--- a/lib/isccc/include/isccc/alist.h
+++ b/lib/isccc/include/isccc/alist.h
@@ -16,7 +16,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: alist.h,v 1.2.2.1 2004/03/09 06:12:26 marka Exp $ */
+/* $Id: alist.h,v 1.2.206.1 2004/03/06 08:15:21 marka Exp $ */
 
 #ifndef ISCCC_ALIST_H
 #define ISCCC_ALIST_H 1
diff --git a/lib/isccc/include/isccc/base64.h b/lib/isccc/include/isccc/base64.h
index aff82556..14fbe577 100644
--- a/lib/isccc/include/isccc/base64.h
+++ b/lib/isccc/include/isccc/base64.h
@@ -16,7 +16,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: base64.h,v 1.2.2.1 2004/03/09 06:12:27 marka Exp $ */
+/* $Id: base64.h,v 1.2.206.1 2004/03/06 08:15:21 marka Exp $ */
 
 #ifndef ISCCC_BASE64_H
 #define ISCCC_BASE64_H 1
diff --git a/lib/isccc/include/isccc/cc.h b/lib/isccc/include/isccc/cc.h
index 4f6d7dc1..aedf1f75 100644
--- a/lib/isccc/include/isccc/cc.h
+++ b/lib/isccc/include/isccc/cc.h
@@ -16,7 +16,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: cc.h,v 1.3.2.1 2004/03/09 06:12:27 marka Exp $ */
+/* $Id: cc.h,v 1.3.206.1 2004/03/06 08:15:21 marka Exp $ */
 
 #ifndef ISCCC_CC_H
 #define ISCCC_CC_H 1
diff --git a/lib/isccc/include/isccc/ccmsg.h b/lib/isccc/include/isccc/ccmsg.h
index c2487ce7..54734bb2 100644
--- a/lib/isccc/include/isccc/ccmsg.h
+++ b/lib/isccc/include/isccc/ccmsg.h
@@ -16,7 +16,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ccmsg.h,v 1.3.2.1 2004/03/09 06:12:27 marka Exp $ */
+/* $Id: ccmsg.h,v 1.3.206.1 2004/03/06 08:15:21 marka Exp $ */
 
 #ifndef ISCCC_CCMSG_H
 #define ISCCC_CCMSG_H 1
diff --git a/lib/isccc/include/isccc/events.h b/lib/isccc/include/isccc/events.h
index 70c19963..b78fc658 100644
--- a/lib/isccc/include/isccc/events.h
+++ b/lib/isccc/include/isccc/events.h
@@ -16,7 +16,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: events.h,v 1.2.2.1 2004/03/09 06:12:27 marka Exp $ */
+/* $Id: events.h,v 1.2.206.1 2004/03/06 08:15:22 marka Exp $ */
 
 #ifndef ISCCC_EVENTS_H
 #define ISCCC_EVENTS_H 1
diff --git a/lib/isccc/include/isccc/lib.h b/lib/isccc/include/isccc/lib.h
index acdac8d6..a57357d2 100644
--- a/lib/isccc/include/isccc/lib.h
+++ b/lib/isccc/include/isccc/lib.h
@@ -16,7 +16,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lib.h,v 1.2.2.1 2004/03/09 06:12:27 marka Exp $ */
+/* $Id: lib.h,v 1.2.12.3 2004/03/08 09:05:05 marka Exp $ */
 
 #ifndef ISCCC_LIB_H
 #define ISCCC_LIB_H 1
@@ -26,7 +26,7 @@
 
 ISC_LANG_BEGINDECLS
 
-extern isc_msgcat_t *isccc_msgcat;
+LIBISCCC_EXTERNAL_DATA extern isc_msgcat_t *isccc_msgcat;
 
 void
 isccc_lib_initmsgcat(void);
diff --git a/lib/isccc/include/isccc/result.h b/lib/isccc/include/isccc/result.h
index c695bb05..33bbb4fc 100644
--- a/lib/isccc/include/isccc/result.h
+++ b/lib/isccc/include/isccc/result.h
@@ -16,7 +16,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: result.h,v 1.3.2.3 2004/03/09 06:12:28 marka Exp $ */
+/* $Id: result.h,v 1.3.2.2.2.1 2004/03/06 08:15:22 marka Exp $ */
 
 #ifndef ISCCC_RESULT_H
 #define ISCCC_RESULT_H 1
diff --git a/lib/isccc/include/isccc/sexpr.h b/lib/isccc/include/isccc/sexpr.h
index 30b95e1a..0195a946 100644
--- a/lib/isccc/include/isccc/sexpr.h
+++ b/lib/isccc/include/isccc/sexpr.h
@@ -16,7 +16,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sexpr.h,v 1.3.2.1 2004/03/09 06:12:28 marka Exp $ */
+/* $Id: sexpr.h,v 1.3.206.1 2004/03/06 08:15:22 marka Exp $ */
 
 #ifndef ISCCC_SEXPR_H
 #define ISCCC_SEXPR_H 1
diff --git a/lib/isccc/include/isccc/symtab.h b/lib/isccc/include/isccc/symtab.h
index c4d890d4..53f30e7a 100644
--- a/lib/isccc/include/isccc/symtab.h
+++ b/lib/isccc/include/isccc/symtab.h
@@ -16,7 +16,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: symtab.h,v 1.2.2.1 2004/03/09 06:12:28 marka Exp $ */
+/* $Id: symtab.h,v 1.2.206.1 2004/03/06 08:15:22 marka Exp $ */
 
 #ifndef ISCCC_SYMTAB_H
 #define ISCCC_SYMTAB_H 1
diff --git a/lib/isccc/include/isccc/symtype.h b/lib/isccc/include/isccc/symtype.h
index cd4c627f..2c15603e 100644
--- a/lib/isccc/include/isccc/symtype.h
+++ b/lib/isccc/include/isccc/symtype.h
@@ -16,7 +16,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: symtype.h,v 1.2.2.1 2004/03/09 06:12:28 marka Exp $ */
+/* $Id: symtype.h,v 1.2.206.1 2004/03/06 08:15:22 marka Exp $ */
 
 #ifndef ISCCC_SYMTYPE_H
 #define ISCCC_SYMTYPE_H 1
diff --git a/lib/isccc/include/isccc/types.h b/lib/isccc/include/isccc/types.h
index beeda8d8..9b21ca15 100644
--- a/lib/isccc/include/isccc/types.h
+++ b/lib/isccc/include/isccc/types.h
@@ -16,7 +16,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: types.h,v 1.2.2.1 2004/03/09 06:12:29 marka Exp $ */
+/* $Id: types.h,v 1.2.206.1 2004/03/06 08:15:23 marka Exp $ */
 
 #ifndef ISCCC_TYPES_H
 #define ISCCC_TYPES_H 1
diff --git a/lib/isccc/include/isccc/util.h b/lib/isccc/include/isccc/util.h
index 2e97601f..84425867 100644
--- a/lib/isccc/include/isccc/util.h
+++ b/lib/isccc/include/isccc/util.h
@@ -16,7 +16,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: util.h,v 1.3.2.1 2004/03/09 06:12:29 marka Exp $ */
+/* $Id: util.h,v 1.3.206.1 2004/03/06 08:15:23 marka Exp $ */
 
 #ifndef ISCCC_UTIL_H
 #define ISCCC_UTIL_H 1
diff --git a/lib/isccc/include/isccc/version.h b/lib/isccc/include/isccc/version.h
new file mode 100644
index 00000000..36a909c5
--- /dev/null
+++ b/lib/isccc/include/isccc/version.h
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2001  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: version.h,v 1.2.222.3 2004/03/08 09:05:05 marka Exp $ */
+
+#include <isc/platform.h>
+
+LIBISCCC_EXTERNAL_DATA extern const char isccc_version[];
+
+LIBISCCC_EXTERNAL_DATA extern const unsigned int isccc_libinterface;
+LIBISCCC_EXTERNAL_DATA extern const unsigned int isccc_librevision;
+LIBISCCC_EXTERNAL_DATA extern const unsigned int isccc_libage;
diff --git a/lib/isccc/lib.c b/lib/isccc/lib.c
index 1f74460f..d37e28c7 100644
--- a/lib/isccc/lib.c
+++ b/lib/isccc/lib.c
@@ -16,7 +16,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lib.c,v 1.2.2.1 2004/03/09 06:12:25 marka Exp $ */
+/* $Id: lib.c,v 1.2.12.3 2004/03/08 09:05:04 marka Exp $ */
 
 #include <config.h>
 
@@ -32,7 +32,7 @@
  *** Globals
  ***/
 
-isc_msgcat_t *			isccc_msgcat = NULL;
+LIBISCCC_EXTERNAL_DATA isc_msgcat_t *		isccc_msgcat = NULL;
 
 
 /***
diff --git a/lib/isccc/result.c b/lib/isccc/result.c
index 7cd0ffde..e63e85fa 100644
--- a/lib/isccc/result.c
+++ b/lib/isccc/result.c
@@ -16,7 +16,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: result.c,v 1.3.2.3 2004/03/09 06:12:25 marka Exp $ */
+/* $Id: result.c,v 1.3.2.2.2.1 2004/03/06 08:15:19 marka Exp $ */
 
 #include <config.h>
 
diff --git a/lib/isccc/sexpr.c b/lib/isccc/sexpr.c
index bd0aa2d7..a372a7d2 100644
--- a/lib/isccc/sexpr.c
+++ b/lib/isccc/sexpr.c
@@ -16,7 +16,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sexpr.c,v 1.2.2.1 2004/03/09 06:12:25 marka Exp $ */
+/* $Id: sexpr.c,v 1.2.12.3 2004/03/08 09:05:04 marka Exp $ */
 
 #include <config.h>
 
@@ -38,7 +38,7 @@ isccc_sexpr_cons(isccc_sexpr_t *car, isccc_sexpr_t *cdr)
 {
 	isccc_sexpr_t *sexpr;
 
-	sexpr = malloc(sizeof *sexpr);
+	sexpr = malloc(sizeof(*sexpr));
 	if (sexpr == NULL)
 		return (NULL);
 	sexpr->type = ISCCC_SEXPRTYPE_DOTTEDPAIR;
@@ -59,7 +59,7 @@ isccc_sexpr_fromstring(const char *str)
 {
 	isccc_sexpr_t *sexpr;
 
-	sexpr = malloc(sizeof *sexpr);
+	sexpr = malloc(sizeof(*sexpr));
 	if (sexpr == NULL)
 		return (NULL);
 	sexpr->type = ISCCC_SEXPRTYPE_STRING;
@@ -78,7 +78,7 @@ isccc_sexpr_frombinary(const isccc_region_t *region)
 	isccc_sexpr_t *sexpr;
 	unsigned int region_size;
 
-	sexpr = malloc(sizeof *sexpr);
+	sexpr = malloc(sizeof(*sexpr));
 	if (sexpr == NULL)
 		return (NULL);
 	sexpr->type = ISCCC_SEXPRTYPE_BINARY;
diff --git a/lib/isccc/symtab.c b/lib/isccc/symtab.c
index d7a6ad9e..6aca4850 100644
--- a/lib/isccc/symtab.c
+++ b/lib/isccc/symtab.c
@@ -16,7 +16,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: symtab.c,v 1.3.2.1 2004/03/09 06:12:26 marka Exp $ */
+/* $Id: symtab.c,v 1.3.12.3 2004/03/08 09:05:04 marka Exp $ */
 
 #include <config.h>
 
@@ -65,10 +65,10 @@ isccc_symtab_create(unsigned int size,
 	REQUIRE(symtabp != NULL && *symtabp == NULL);
 	REQUIRE(size > 0);	/* Should be prime. */
 
-	symtab = malloc(sizeof *symtab);
+	symtab = malloc(sizeof(*symtab));
 	if (symtab == NULL)
 		return (ISC_R_NOMEMORY);
-	symtab->table = malloc(size * sizeof (eltlist_t));
+	symtab->table = malloc(size * sizeof(eltlist_t));
 	if (symtab->table == NULL) {
 		free(symtab);
 		return (ISC_R_NOMEMORY);
@@ -220,7 +220,7 @@ isccc_symtab_define(isccc_symtab_t *symtab, char *key, unsigned int type,
 						  elt->value,
 						  symtab->undefine_arg);
 	} else {
-		elt = malloc(sizeof *elt);
+		elt = malloc(sizeof(*elt));
 		if (elt == NULL)
 			return (ISC_R_NOMEMORY);
 		ISC_LINK_INIT(elt, link);
diff --git a/lib/isccc/version.c b/lib/isccc/version.c
index a97797cb..08cda2f3 100644
--- a/lib/isccc/version.c
+++ b/lib/isccc/version.c
@@ -15,10 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: version.c,v 1.1.2.1 2004/03/09 06:12:26 marka Exp $ */
+/* $Id: version.c,v 1.1.12.3 2004/03/08 09:05:04 marka Exp $ */
 
-char isccc_version[] = VERSION;
+#include <isccc/version.h>
 
-unsigned int isccc_libinterface = LIBINTERFACE;
-unsigned int isccc_librevision = LIBREVISION;
-unsigned int isccc_libage = LIBAGE;
+const char isccc_version[] = VERSION;
+
+const unsigned int isccc_libinterface = LIBINTERFACE;
+const unsigned int isccc_librevision = LIBREVISION;
+const unsigned int isccc_libage = LIBAGE;
diff --git a/lib/isccc/win32/DLLMain.c b/lib/isccc/win32/DLLMain.c
index e4789dfc..8987bb2f 100644
--- a/lib/isccc/win32/DLLMain.c
+++ b/lib/isccc/win32/DLLMain.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: DLLMain.c,v 1.3.2.3 2007/06/18 23:45:27 tbox Exp $ */
+/* $Id: DLLMain.c,v 1.3.206.1 2004/03/06 08:15:23 marka Exp $ */
 
 #include <windows.h>
 #include <signal.h>
 
+BOOL InitSockets(void);
+
 /*
  * Called when we enter the DLL
  */
diff --git a/lib/isccc/win32/libisccc.def b/lib/isccc/win32/libisccc.def
index f8fdf87b..5d32a528 100644
--- a/lib/isccc/win32/libisccc.def
+++ b/lib/isccc/win32/libisccc.def
@@ -1,66 +1,66 @@
-LIBRARY libisccc

-

-; Exported Functions

-EXPORTS

-

-isccc_alist_create

-isccc_alist_alistp

-isccc_alist_emptyp

-isccc_alist_first

-isccc_alist_assq

-isccc_alist_delete

-isccc_alist_define

-isccc_alist_definestring

-isccc_alist_definebinary

-isccc_alist_lookup

-isccc_alist_lookupstring

-isccc_alist_lookupbinary

-isccc_alist_prettyprint

-isccc_base64_encode

-isccc_base64_decode

-isccc_cc_towire

-isccc_cc_fromwire

-isccc_cc_createmessage

-isccc_cc_createack

-isccc_cc_isack

-isccc_cc_isreply

-isccc_cc_createresponse

-isccc_cc_definestring

-isccc_cc_defineuint32

-isccc_cc_lookupstring

-isccc_cc_lookupuint32

-isccc_cc_createsymtab

-isccc_cc_cleansymtab

-isccc_cc_checkdup

-isccc_ccmsg_init

-isccc_ccmsg_setmaxsize

-isccc_ccmsg_readmessage

-isccc_ccmsg_cancelread

-isccc_ccmsg_invalidate

-isccc_lib_initmsgcat

-isccc_result_totext

-isccc_result_register

-isccc_sexpr_cons

-isccc_sexpr_tconst

-isccc_sexpr_fromstring

-isccc_sexpr_frombinary

-isccc_sexpr_free

-isccc_sexpr_print

-isccc_sexpr_car

-isccc_sexpr_cdr

-isccc_sexpr_setcar

-isccc_sexpr_setcdr

-isccc_sexpr_addtolist

-isccc_sexpr_listp

-isccc_sexpr_emptyp

-isccc_sexpr_stringp

-isccc_sexpr_binaryp

-isccc_sexpr_tostring

-isccc_sexpr_tobinary

-isccc_symtab_destroy

-isccc_symtab_create

-isccc_symtab_destroy

-isccc_symtab_lookup

-isccc_symtab_define

-isccc_symtab_undefine

-isccc_symtab_foreach

+LIBRARY libisccc
+
+; Exported Functions
+EXPORTS
+
+isccc_alist_create
+isccc_alist_alistp
+isccc_alist_emptyp
+isccc_alist_first
+isccc_alist_assq
+isccc_alist_delete
+isccc_alist_define
+isccc_alist_definestring
+isccc_alist_definebinary
+isccc_alist_lookup
+isccc_alist_lookupstring
+isccc_alist_lookupbinary
+isccc_alist_prettyprint
+isccc_base64_encode
+isccc_base64_decode
+isccc_cc_towire
+isccc_cc_fromwire
+isccc_cc_createmessage
+isccc_cc_createack
+isccc_cc_isack
+isccc_cc_isreply
+isccc_cc_createresponse
+isccc_cc_definestring
+isccc_cc_defineuint32
+isccc_cc_lookupstring
+isccc_cc_lookupuint32
+isccc_cc_createsymtab
+isccc_cc_cleansymtab
+isccc_cc_checkdup
+isccc_ccmsg_init
+isccc_ccmsg_setmaxsize
+isccc_ccmsg_readmessage
+isccc_ccmsg_cancelread
+isccc_ccmsg_invalidate
+isccc_lib_initmsgcat
+isccc_result_totext
+isccc_result_register
+isccc_sexpr_cons
+isccc_sexpr_tconst
+isccc_sexpr_fromstring
+isccc_sexpr_frombinary
+isccc_sexpr_free
+isccc_sexpr_print
+isccc_sexpr_car
+isccc_sexpr_cdr
+isccc_sexpr_setcar
+isccc_sexpr_setcdr
+isccc_sexpr_addtolist
+isccc_sexpr_listp
+isccc_sexpr_emptyp
+isccc_sexpr_stringp
+isccc_sexpr_binaryp
+isccc_sexpr_tostring
+isccc_sexpr_tobinary
+isccc_symtab_destroy
+isccc_symtab_create
+isccc_symtab_destroy
+isccc_symtab_lookup
+isccc_symtab_define
+isccc_symtab_undefine
+isccc_symtab_foreach
diff --git a/lib/isccc/win32/libisccc.dsp b/lib/isccc/win32/libisccc.dsp
index 2870ffad..33c7ba8a 100644
--- a/lib/isccc/win32/libisccc.dsp
+++ b/lib/isccc/win32/libisccc.dsp
@@ -1,197 +1,197 @@
-# Microsoft Developer Studio Project File - Name="libisccc" - Package Owner=<4>

-# Microsoft Developer Studio Generated Build File, Format Version 6.00

-# ** DO NOT EDIT **

-

-# TARGTYPE "Win32 (x86) Dynamic-Link Library" 0x0102

-

-CFG=libisccc - Win32 Release

-!MESSAGE This is not a valid makefile. To build this project using NMAKE,

-!MESSAGE use the Export Makefile command and run

-!MESSAGE 

-!MESSAGE NMAKE /f "libisccc.mak".

-!MESSAGE 

-!MESSAGE You can specify a configuration when running NMAKE

-!MESSAGE by defining the macro CFG on the command line. For example:

-!MESSAGE 

-!MESSAGE NMAKE /f "libisccc.mak" CFG="libisccc - Win32 Release"

-!MESSAGE 

-!MESSAGE Possible choices for configuration are:

-!MESSAGE 

-!MESSAGE "libisccc - Win32 Release" (based on "Win32 (x86) Dynamic-Link Library")

-!MESSAGE "libisccc - Win32 Debug" (based on "Win32 (x86) Dynamic-Link Library")

-!MESSAGE 

-

-# Begin Project

-# PROP AllowPerConfigDependencies 0

-# PROP Scc_ProjName ""

-# PROP Scc_LocalPath ""

-CPP=cl.exe

-MTL=midl.exe

-RSC=rc.exe

-

-!IF  "$(CFG)" == "libisccc - Win32 Release"

-

-# PROP BASE Use_MFC 0

-# PROP BASE Use_Debug_Libraries 0

-# PROP BASE Output_Dir "Release"

-# PROP BASE Intermediate_Dir "Release"

-# PROP BASE Target_Dir ""

-# PROP Use_MFC 0

-# PROP Use_Debug_Libraries 0

-# PROP Output_Dir "Release"

-# PROP Intermediate_Dir "Release"

-# PROP Ignore_Export_Lib 0

-# PROP Target_Dir ""

-# ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "libisccc_EXPORTS" /YX /FD /c

-# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /I "../..../lib/dns/sec/openssl/include" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBISCCC_EXPORTS" /YX /FD /c

-# SUBTRACT CPP /X

-# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32

-# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32

-# ADD BASE RSC /l 0x409 /d "NDEBUG"

-# ADD RSC /l 0x409 /d "NDEBUG"

-BSC32=bscmake.exe

-# ADD BASE BSC32 /nologo

-# ADD BSC32 /nologo

-LINK32=link.exe

-# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386

-# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../isc/win32/Release/libisc.lib /nologo /dll /machine:I386 /out:"../../../Build/Release/libisccc.dll"

-

-!ELSEIF  "$(CFG)" == "libisccc - Win32 Debug"

-

-# PROP BASE Use_MFC 0

-# PROP BASE Use_Debug_Libraries 1

-# PROP BASE Output_Dir "Debug"

-# PROP BASE Intermediate_Dir "Debug"

-# PROP BASE Target_Dir ""

-# PROP Use_MFC 0

-# PROP Use_Debug_Libraries 1

-# PROP Output_Dir "Debug"

-# PROP Intermediate_Dir "Debug"

-# PROP Ignore_Export_Lib 0

-# PROP Target_Dir ""

-# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "libisccc_EXPORTS" /YX /FD /GZ /c

-# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /I "../..../lib/dns/sec/openssl/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBISCCC_EXPORTS" /FR /YX /FD /GZ /c

-# SUBTRACT CPP /X

-# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32

-# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32

-# ADD BASE RSC /l 0x409 /d "_DEBUG"

-# ADD RSC /l 0x409 /d "_DEBUG"

-BSC32=bscmake.exe

-# ADD BASE BSC32 /nologo

-# ADD BSC32 /nologo

-LINK32=link.exe

-# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept

-# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../isc/win32/debug/libisc.lib /nologo /dll /debug /machine:I386 /out:"../../../Build/Debug/libisccc.dll" /pdbtype:sept

-

-!ENDIF 

-

-# Begin Target

-

-# Name "libisccc - Win32 Release"

-# Name "libisccc - Win32 Debug"

-# Begin Group "Source Files"

-

-# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"

-# Begin Source File

-

-SOURCE=..\alist.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\base64.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\cc.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\ccmsg.c

-# End Source File

-# Begin Source File

-

-SOURCE=.\DLLMain.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\lib.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\result.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\sexpr.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\symtab.c

-# End Source File

-# Begin Source File

-

-SOURCE=.\version.c

-# End Source File

-# End Group

-# Begin Group "Header Files"

-

-# PROP Default_Filter "h;hpp;hxx;hm;inl"

-# Begin Source File

-

-SOURCE=..\include\isccc\alist.h

-# End Source File

-# Begin Source File

-

-SOURCE=..\include\isccc\base64.h

-# End Source File

-# Begin Source File

-

-SOURCE=..\include\isccc\cc.h

-# End Source File

-# Begin Source File

-

-SOURCE=..\include\isccc\ccmsg.h

-# End Source File

-# Begin Source File

-

-SOURCE=..\include\isccc\events.h

-# End Source File

-# Begin Source File

-

-SOURCE=..\include\isccc\lib.h

-# End Source File

-# Begin Source File

-

-SOURCE=..\include\isccc\result.h

-# End Source File

-# Begin Source File

-

-SOURCE=..\include\isccc\sexpr.h

-# End Source File

-# Begin Source File

-

-SOURCE=..\include\isccc\symtab.h

-# End Source File

-# Begin Source File

-

-SOURCE=..\include\isccc\symtype.h

-# End Source File

-# Begin Source File

-

-SOURCE=..\include\isccc\types.h

-# End Source File

-# Begin Source File

-

-SOURCE=..\include\isccc\util.h

-# End Source File

-# End Group

-# Begin Group "Resource Files"

-

-# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"

-# End Group

-# Begin Source File

-

-SOURCE=.\libisccc.def

-# End Source File

-# End Target

-# End Project

+# Microsoft Developer Studio Project File - Name="libisccc" - Package Owner=<4>
+# Microsoft Developer Studio Generated Build File, Format Version 6.00
+# ** DO NOT EDIT **
+
+# TARGTYPE "Win32 (x86) Dynamic-Link Library" 0x0102
+
+CFG=libisccc - Win32 Release
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,
+!MESSAGE use the Export Makefile command and run
+!MESSAGE 
+!MESSAGE NMAKE /f "libisccc.mak".
+!MESSAGE 
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "libisccc.mak" CFG="libisccc - Win32 Release"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "libisccc - Win32 Release" (based on "Win32 (x86) Dynamic-Link Library")
+!MESSAGE "libisccc - Win32 Debug" (based on "Win32 (x86) Dynamic-Link Library")
+!MESSAGE 
+
+# Begin Project
+# PROP AllowPerConfigDependencies 0
+# PROP Scc_ProjName ""
+# PROP Scc_LocalPath ""
+CPP=cl.exe
+MTL=midl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "libisccc - Win32 Release"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 0
+# PROP BASE Output_Dir "Release"
+# PROP BASE Intermediate_Dir "Release"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 0
+# PROP Output_Dir "Release"
+# PROP Intermediate_Dir "Release"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "libisccc_EXPORTS" /YX /FD /c
+# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /I "../..../lib/dns/sec/openssl/include" /I "../../../lib/dns/sec/dst/include" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBISCCC_EXPORTS" /YX /FD /c
+# SUBTRACT CPP /X
+# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32
+# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32
+# ADD BASE RSC /l 0x409 /d "NDEBUG"
+# ADD RSC /l 0x409 /d "NDEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../isc/win32/Release/libisc.lib /nologo /dll /machine:I386 /out:"../../../Build/Release/libisccc.dll"
+
+!ELSEIF  "$(CFG)" == "libisccc - Win32 Debug"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 1
+# PROP BASE Output_Dir "Debug"
+# PROP BASE Intermediate_Dir "Debug"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 1
+# PROP Output_Dir "Debug"
+# PROP Intermediate_Dir "Debug"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "libisccc_EXPORTS" /YX /FD /GZ /c
+# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /I "../..../lib/dns/sec/openssl/include" /I "../../../lib/dns/sec/dst/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBISCCC_EXPORTS" /FR /YX /FD /GZ /c
+# SUBTRACT CPP /X
+# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32
+# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32
+# ADD BASE RSC /l 0x409 /d "_DEBUG"
+# ADD RSC /l 0x409 /d "_DEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../isc/win32/debug/libisc.lib /nologo /dll /debug /machine:I386 /out:"../../../Build/Debug/libisccc.dll" /pdbtype:sept
+
+!ENDIF 
+
+# Begin Target
+
+# Name "libisccc - Win32 Release"
+# Name "libisccc - Win32 Debug"
+# Begin Group "Source Files"
+
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
+# Begin Source File
+
+SOURCE=..\alist.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\base64.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\cc.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\ccmsg.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\DLLMain.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\lib.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\result.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\sexpr.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\symtab.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\version.c
+# End Source File
+# End Group
+# Begin Group "Header Files"
+
+# PROP Default_Filter "h;hpp;hxx;hm;inl"
+# Begin Source File
+
+SOURCE=..\include\isccc\alist.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isccc\base64.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isccc\cc.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isccc\ccmsg.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isccc\events.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isccc\lib.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isccc\result.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isccc\sexpr.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isccc\symtab.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isccc\symtype.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isccc\types.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isccc\util.h
+# End Source File
+# End Group
+# Begin Group "Resource Files"
+
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"
+# End Group
+# Begin Source File
+
+SOURCE=.\libisccc.def
+# End Source File
+# End Target
+# End Project
diff --git a/lib/isccc/win32/libisccc.dsw b/lib/isccc/win32/libisccc.dsw
index 28eaa74f..3bcecf04 100644
--- a/lib/isccc/win32/libisccc.dsw
+++ b/lib/isccc/win32/libisccc.dsw
@@ -1,29 +1,29 @@
-Microsoft Developer Studio Workspace File, Format Version 6.00

-# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!

-

-###############################################################################

-

-Project: "libisccc"=.\libisccc.dsp - Package Owner=<4>

-

-Package=<5>

-{{{

-}}}

-

-Package=<4>

-{{{

-}}}

-

-###############################################################################

-

-Global:

-

-Package=<5>

-{{{

-}}}

-

-Package=<3>

-{{{

-}}}

-

-###############################################################################

-

+Microsoft Developer Studio Workspace File, Format Version 6.00
+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!
+
+###############################################################################
+
+Project: "libisccc"=.\libisccc.dsp - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+}}}
+
+###############################################################################
+
+Global:
+
+Package=<5>
+{{{
+}}}
+
+Package=<3>
+{{{
+}}}
+
+###############################################################################
+
diff --git a/lib/isccc/win32/libisccc.mak b/lib/isccc/win32/libisccc.mak
index ffc5c071..e9ef5393 100644
--- a/lib/isccc/win32/libisccc.mak
+++ b/lib/isccc/win32/libisccc.mak
@@ -1,524 +1,443 @@
-# Microsoft Developer Studio Generated NMAKE File, Based on libisccc.dsp

-!IF "$(CFG)" == ""

-CFG=libisccc - Win32 Release

-!MESSAGE No configuration specified. Defaulting to libisccc - Win32 Release.

-!ENDIF 

-

-!IF "$(CFG)" != "libisccc - Win32 Release" && "$(CFG)" != "libisccc - Win32 Debug"

-!MESSAGE Invalid configuration "$(CFG)" specified.

-!MESSAGE You can specify a configuration when running NMAKE

-!MESSAGE by defining the macro CFG on the command line. For example:

-!MESSAGE 

-!MESSAGE NMAKE /f "libisccc.mak" CFG="libisccc - Win32 Release"

-!MESSAGE 

-!MESSAGE Possible choices for configuration are:

-!MESSAGE 

-!MESSAGE "libisccc - Win32 Release" (based on "Win32 (x86) Dynamic-Link Library")

-!MESSAGE "libisccc - Win32 Debug" (based on "Win32 (x86) Dynamic-Link Library")

-!MESSAGE 

-!ERROR An invalid configuration is specified.

-!ENDIF 

-

-!IF "$(OS)" == "Windows_NT"

-NULL=

-!ELSE 

-NULL=nul

-!ENDIF 

-

-!IF  "$(CFG)" == "libisccc - Win32 Release"

-_VC_MANIFEST_INC=0

-_VC_MANIFEST_BASENAME=__VC80

-!ELSE

-_VC_MANIFEST_INC=1

-_VC_MANIFEST_BASENAME=__VC80.Debug

-!ENDIF

-

-####################################################

-# Specifying name of temporary resource file used only in incremental builds:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res

-!else

-_VC_MANIFEST_AUTO_RES=

-!endif

-

-####################################################

-# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-

-#MT_SPECIAL_RETURN=1090650113

-#MT_SPECIAL_SWITCH=-notify_resource_update

-MT_SPECIAL_RETURN=0

-MT_SPECIAL_SWITCH=

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \

-if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \

-rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \

-link $** /out:$@ $(LFLAGS)

-

-!else

-

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1

-

-!endif

-

-####################################################

-# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-

-#MT_SPECIAL_RETURN=1090650113

-#MT_SPECIAL_SWITCH=-notify_resource_update

-MT_SPECIAL_RETURN=0

-MT_SPECIAL_SWITCH=

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \

-if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \

-rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \

-link $** /out:$@ $(LFLAGS)

-

-!else

-

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2

-

-!endif

-####################################################

-# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-

-_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \

-    $(_VC_MANIFEST_BASENAME).auto.rc \

-    $(_VC_MANIFEST_BASENAME).auto.manifest

-

-!else

-

-_VC_MANIFEST_CLEAN=

-

-!endif

-

-!IF  "$(CFG)" == "libisccc - Win32 Release"

-

-OUTDIR=.\Release

-INTDIR=.\Release

-

-ALL : "..\..\..\Build\Release\libisccc.dll"

-

-

-CLEAN :

-	-@erase "$(INTDIR)\alist.obj"

-	-@erase "$(INTDIR)\base64.obj"

-	-@erase "$(INTDIR)\cc.obj"

-	-@erase "$(INTDIR)\ccmsg.obj"

-	-@erase "$(INTDIR)\DLLMain.obj"

-	-@erase "$(INTDIR)\lib.obj"

-	-@erase "$(INTDIR)\result.obj"

-	-@erase "$(INTDIR)\sexpr.obj"

-	-@erase "$(INTDIR)\symtab.obj"

-	-@erase "$(INTDIR)\vc60.idb"

-	-@erase "$(INTDIR)\version.obj"

-	-@erase "$(OUTDIR)\libisccc.exp"

-	-@erase "$(OUTDIR)\libisccc.lib"

-	-@erase "..\..\..\Build\Release\libisccc.dll"

-	-@$(_VC_MANIFEST_CLEAN)

-

-"$(OUTDIR)" :

-    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"

-

-CPP=cl.exe

-CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /I "../..../lib/dns/sec/openssl/include" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBISCCC_EXPORTS" /Fp"$(INTDIR)\libisccc.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 

-

-.c{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.c{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-MTL=midl.exe

-MTL_PROJ=/nologo /D "NDEBUG" /mktyplib203 /win32 

-RSC=rc.exe

-BSC32=bscmake.exe

-BSC32_FLAGS=/nologo /o"$(OUTDIR)\libisccc.bsc" 

-BSC32_SBRS= \

-	

-LINK32=link.exe

-LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../isc/win32/Release/libisc.lib /nologo /dll /incremental:no /pdb:"$(OUTDIR)\libisccc.pdb" /machine:I386 /def:".\libisccc.def" /out:"../../../Build/Release/libisccc.dll" /implib:"$(OUTDIR)\libisccc.lib" 

-DEF_FILE= \

-	".\libisccc.def"

-LINK32_OBJS= \

-	"$(INTDIR)\alist.obj" \

-	"$(INTDIR)\base64.obj" \

-	"$(INTDIR)\cc.obj" \

-	"$(INTDIR)\ccmsg.obj" \

-	"$(INTDIR)\DLLMain.obj" \

-	"$(INTDIR)\lib.obj" \

-	"$(INTDIR)\result.obj" \

-	"$(INTDIR)\sexpr.obj" \

-	"$(INTDIR)\symtab.obj" \

-	"$(INTDIR)\version.obj"

-

-"..\..\..\Build\Release\libisccc.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)

-    $(LINK32) @<<

-  $(LINK32_FLAGS) $(LINK32_OBJS)

-<<

-  $(_VC_MANIFEST_EMBED_DLL)

-

-!ELSEIF  "$(CFG)" == "libisccc - Win32 Debug"

-

-OUTDIR=.\Debug

-INTDIR=.\Debug

-# Begin Custom Macros

-OutDir=.\Debug

-# End Custom Macros

-

-ALL : "..\..\..\Build\Debug\libisccc.dll" "$(OUTDIR)\libisccc.bsc"

-

-

-CLEAN :

-	-@erase "$(INTDIR)\alist.obj"

-	-@erase "$(INTDIR)\alist.sbr"

-	-@erase "$(INTDIR)\base64.obj"

-	-@erase "$(INTDIR)\base64.sbr"

-	-@erase "$(INTDIR)\cc.obj"

-	-@erase "$(INTDIR)\cc.sbr"

-	-@erase "$(INTDIR)\ccmsg.obj"

-	-@erase "$(INTDIR)\ccmsg.sbr"

-	-@erase "$(INTDIR)\DLLMain.obj"

-	-@erase "$(INTDIR)\DLLMain.sbr"

-	-@erase "$(INTDIR)\lib.obj"

-	-@erase "$(INTDIR)\lib.sbr"

-	-@erase "$(INTDIR)\result.obj"

-	-@erase "$(INTDIR)\result.sbr"

-	-@erase "$(INTDIR)\sexpr.obj"

-	-@erase "$(INTDIR)\sexpr.sbr"

-	-@erase "$(INTDIR)\symtab.obj"

-	-@erase "$(INTDIR)\symtab.sbr"

-	-@erase "$(INTDIR)\vc60.idb"

-	-@erase "$(INTDIR)\vc60.pdb"

-	-@erase "$(INTDIR)\version.obj"

-	-@erase "$(INTDIR)\version.sbr"

-	-@erase "$(OUTDIR)\libisccc.bsc"

-	-@erase "$(OUTDIR)\libisccc.exp"

-	-@erase "$(OUTDIR)\libisccc.lib"

-	-@erase "$(OUTDIR)\libisccc.pdb"

-	-@erase "..\..\..\Build\Debug\libisccc.dll"

-	-@erase "..\..\..\Build\Debug\libisccc.ilk"

-	-@$(_VC_MANIFEST_CLEAN)

-

-"$(OUTDIR)" :

-    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"

-

-CPP=cl.exe

-CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /I "../..../lib/dns/sec/openssl/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBISCCC_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\libisccc.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 

-

-.c{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.c{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-MTL=midl.exe

-MTL_PROJ=/nologo /D "_DEBUG" /mktyplib203 /win32 

-RSC=rc.exe

-BSC32=bscmake.exe

-BSC32_FLAGS=/nologo /o"$(OUTDIR)\libisccc.bsc" 

-BSC32_SBRS= \

-	"$(INTDIR)\alist.sbr" \

-	"$(INTDIR)\base64.sbr" \

-	"$(INTDIR)\cc.sbr" \

-	"$(INTDIR)\ccmsg.sbr" \

-	"$(INTDIR)\DLLMain.sbr" \

-	"$(INTDIR)\lib.sbr" \

-	"$(INTDIR)\result.sbr" \

-	"$(INTDIR)\sexpr.sbr" \

-	"$(INTDIR)\symtab.sbr" \

-	"$(INTDIR)\version.sbr"

-

-"$(OUTDIR)\libisccc.bsc" : "$(OUTDIR)" $(BSC32_SBRS)

-    $(BSC32) @<<

-  $(BSC32_FLAGS) $(BSC32_SBRS)

-<<

-

-LINK32=link.exe

-LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../isc/win32/debug/libisc.lib /nologo /dll /incremental:yes /pdb:"$(OUTDIR)\libisccc.pdb" /debug /machine:I386 /def:".\libisccc.def" /out:"../../../Build/Debug/libisccc.dll" /implib:"$(OUTDIR)\libisccc.lib" /pdbtype:sept 

-DEF_FILE= \

-	".\libisccc.def"

-LINK32_OBJS= \

-	"$(INTDIR)\alist.obj" \

-	"$(INTDIR)\base64.obj" \

-	"$(INTDIR)\cc.obj" \

-	"$(INTDIR)\ccmsg.obj" \

-	"$(INTDIR)\DLLMain.obj" \

-	"$(INTDIR)\lib.obj" \

-	"$(INTDIR)\result.obj" \

-	"$(INTDIR)\sexpr.obj" \

-	"$(INTDIR)\symtab.obj" \

-	"$(INTDIR)\version.obj"

-

-"..\..\..\Build\Debug\libisccc.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)

-    $(LINK32) @<<

-  $(LINK32_FLAGS) $(LINK32_OBJS)

-<<

-  $(_VC_MANIFEST_EMBED_DLL)

-

-!ENDIF 

-

-

-!IF "$(NO_EXTERNAL_DEPS)" != "1"

-!IF EXISTS("libisccc.dep")

-!INCLUDE "libisccc.dep"

-!ELSE 

-!MESSAGE Warning: cannot find "libisccc.dep"

-!ENDIF 

-!ENDIF 

-

-

-!IF "$(CFG)" == "libisccc - Win32 Release" || "$(CFG)" == "libisccc - Win32 Debug"

-SOURCE=..\alist.c

-

-!IF  "$(CFG)" == "libisccc - Win32 Release"

-

-

-"$(INTDIR)\alist.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libisccc - Win32 Debug"

-

-

-"$(INTDIR)\alist.obj"	"$(INTDIR)\alist.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\base64.c

-

-!IF  "$(CFG)" == "libisccc - Win32 Release"

-

-

-"$(INTDIR)\base64.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libisccc - Win32 Debug"

-

-

-"$(INTDIR)\base64.obj"	"$(INTDIR)\base64.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\cc.c

-

-!IF  "$(CFG)" == "libisccc - Win32 Release"

-

-

-"$(INTDIR)\cc.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libisccc - Win32 Debug"

-

-

-"$(INTDIR)\cc.obj"	"$(INTDIR)\cc.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\ccmsg.c

-

-!IF  "$(CFG)" == "libisccc - Win32 Release"

-

-

-"$(INTDIR)\ccmsg.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libisccc - Win32 Debug"

-

-

-"$(INTDIR)\ccmsg.obj"	"$(INTDIR)\ccmsg.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=.\DLLMain.c

-

-!IF  "$(CFG)" == "libisccc - Win32 Release"

-

-

-"$(INTDIR)\DLLMain.obj" : $(SOURCE) "$(INTDIR)"

-

-

-!ELSEIF  "$(CFG)" == "libisccc - Win32 Debug"

-

-

-"$(INTDIR)\DLLMain.obj"	"$(INTDIR)\DLLMain.sbr" : $(SOURCE) "$(INTDIR)"

-

-

-!ENDIF 

-

-SOURCE=..\lib.c

-

-!IF  "$(CFG)" == "libisccc - Win32 Release"

-

-

-"$(INTDIR)\lib.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libisccc - Win32 Debug"

-

-

-"$(INTDIR)\lib.obj"	"$(INTDIR)\lib.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\result.c

-

-!IF  "$(CFG)" == "libisccc - Win32 Release"

-

-

-"$(INTDIR)\result.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libisccc - Win32 Debug"

-

-

-"$(INTDIR)\result.obj"	"$(INTDIR)\result.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\sexpr.c

-

-!IF  "$(CFG)" == "libisccc - Win32 Release"

-

-

-"$(INTDIR)\sexpr.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libisccc - Win32 Debug"

-

-

-"$(INTDIR)\sexpr.obj"	"$(INTDIR)\sexpr.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\symtab.c

-

-!IF  "$(CFG)" == "libisccc - Win32 Release"

-

-

-"$(INTDIR)\symtab.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libisccc - Win32 Debug"

-

-

-"$(INTDIR)\symtab.obj"	"$(INTDIR)\symtab.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=.\version.c

-

-!IF  "$(CFG)" == "libisccc - Win32 Release"

-

-

-"$(INTDIR)\version.obj" : $(SOURCE) "$(INTDIR)"

-

-

-!ELSEIF  "$(CFG)" == "libisccc - Win32 Debug"

-

-

-"$(INTDIR)\version.obj"	"$(INTDIR)\version.sbr" : $(SOURCE) "$(INTDIR)"

-

-

-!ENDIF 

-

-

-!ENDIF 

-

-####################################################

-# Commands to generate initial empty manifest file and the RC file

-# that references it, and for generating the .res file:

-

-$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc

-

-$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest

-    type <<$@

-#include <winuser.h>

-1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"

-<< KEEP

-

-$(_VC_MANIFEST_BASENAME).auto.manifest :

-    type <<$@

-<?xml version='1.0' encoding='UTF-8' standalone='yes'?>

-<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>

-</assembly>

-<< KEEP

+# Microsoft Developer Studio Generated NMAKE File, Based on libisccc.dsp
+!IF "$(CFG)" == ""
+CFG=libisccc - Win32 Release
+!MESSAGE No configuration specified. Defaulting to libisccc - Win32 Release.
+!ENDIF 
+
+!IF "$(CFG)" != "libisccc - Win32 Release" && "$(CFG)" != "libisccc - Win32 Debug"
+!MESSAGE Invalid configuration "$(CFG)" specified.
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "libisccc.mak" CFG="libisccc - Win32 Release"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "libisccc - Win32 Release" (based on "Win32 (x86) Dynamic-Link Library")
+!MESSAGE "libisccc - Win32 Debug" (based on "Win32 (x86) Dynamic-Link Library")
+!MESSAGE 
+!ERROR An invalid configuration is specified.
+!ENDIF 
+
+!IF "$(OS)" == "Windows_NT"
+NULL=
+!ELSE 
+NULL=nul
+!ENDIF 
+
+CPP=cl.exe
+MTL=midl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "libisccc - Win32 Release"
+
+OUTDIR=.\Release
+INTDIR=.\Release
+
+!IF "$(RECURSE)" == "0" 
+
+ALL : "..\..\..\Build\Release\libisccc.dll"
+
+!ELSE 
+
+ALL : "libisc - Win32 Release" "..\..\..\Build\Release\libisccc.dll"
+
+!ENDIF 
+
+!IF "$(RECURSE)" == "1" 
+CLEAN :"libisc - Win32 ReleaseCLEAN" 
+!ELSE 
+CLEAN :
+!ENDIF 
+	-@erase "$(INTDIR)\alist.obj"
+	-@erase "$(INTDIR)\base64.obj"
+	-@erase "$(INTDIR)\cc.obj"
+	-@erase "$(INTDIR)\ccmsg.obj"
+	-@erase "$(INTDIR)\DLLMain.obj"
+	-@erase "$(INTDIR)\lib.obj"
+	-@erase "$(INTDIR)\result.obj"
+	-@erase "$(INTDIR)\sexpr.obj"
+	-@erase "$(INTDIR)\symtab.obj"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "$(INTDIR)\version.obj"
+	-@erase "$(OUTDIR)\libisccc.exp"
+	-@erase "$(OUTDIR)\libisccc.lib"
+	-@erase "..\..\..\Build\Release\libisccc.dll"
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /I "../..../lib/dns/sec/openssl/include" /I "../../../lib/dns/sec/dst/include" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBISCCC_EXPORTS" /Fp"$(INTDIR)\libisccc.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+MTL_PROJ=/nologo /D "NDEBUG" /mktyplib203 /win32 
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\libisccc.bsc" 
+BSC32_SBRS= \
+	
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../isc/win32/Release/libisc.lib /nologo /dll /incremental:no /pdb:"$(OUTDIR)\libisccc.pdb" /machine:I386 /def:".\libisccc.def" /out:"../../../Build/Release/libisccc.dll" /implib:"$(OUTDIR)\libisccc.lib" 
+DEF_FILE= \
+	".\libisccc.def"
+LINK32_OBJS= \
+	"$(INTDIR)\alist.obj" \
+	"$(INTDIR)\base64.obj" \
+	"$(INTDIR)\cc.obj" \
+	"$(INTDIR)\ccmsg.obj" \
+	"$(INTDIR)\DLLMain.obj" \
+	"$(INTDIR)\lib.obj" \
+	"$(INTDIR)\result.obj" \
+	"$(INTDIR)\sexpr.obj" \
+	"$(INTDIR)\symtab.obj" \
+	"$(INTDIR)\version.obj" \
+	"..\..\isc\win32\Release\libisc.lib"
+
+"..\..\..\Build\Release\libisccc.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+
+!ELSEIF  "$(CFG)" == "libisccc - Win32 Debug"
+
+OUTDIR=.\Debug
+INTDIR=.\Debug
+# Begin Custom Macros
+OutDir=.\Debug
+# End Custom Macros
+
+!IF "$(RECURSE)" == "0" 
+
+ALL : "..\..\..\Build\Debug\libisccc.dll" "$(OUTDIR)\libisccc.bsc"
+
+!ELSE 
+
+ALL : "libisc - Win32 Debug" "..\..\..\Build\Debug\libisccc.dll" "$(OUTDIR)\libisccc.bsc"
+
+!ENDIF 
+
+!IF "$(RECURSE)" == "1" 
+CLEAN :"libisc - Win32 DebugCLEAN" 
+!ELSE 
+CLEAN :
+!ENDIF 
+	-@erase "$(INTDIR)\alist.obj"
+	-@erase "$(INTDIR)\alist.sbr"
+	-@erase "$(INTDIR)\base64.obj"
+	-@erase "$(INTDIR)\base64.sbr"
+	-@erase "$(INTDIR)\cc.obj"
+	-@erase "$(INTDIR)\cc.sbr"
+	-@erase "$(INTDIR)\ccmsg.obj"
+	-@erase "$(INTDIR)\ccmsg.sbr"
+	-@erase "$(INTDIR)\DLLMain.obj"
+	-@erase "$(INTDIR)\DLLMain.sbr"
+	-@erase "$(INTDIR)\lib.obj"
+	-@erase "$(INTDIR)\lib.sbr"
+	-@erase "$(INTDIR)\result.obj"
+	-@erase "$(INTDIR)\result.sbr"
+	-@erase "$(INTDIR)\sexpr.obj"
+	-@erase "$(INTDIR)\sexpr.sbr"
+	-@erase "$(INTDIR)\symtab.obj"
+	-@erase "$(INTDIR)\symtab.sbr"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "$(INTDIR)\vc60.pdb"
+	-@erase "$(INTDIR)\version.obj"
+	-@erase "$(INTDIR)\version.sbr"
+	-@erase "$(OUTDIR)\libisccc.bsc"
+	-@erase "$(OUTDIR)\libisccc.exp"
+	-@erase "$(OUTDIR)\libisccc.lib"
+	-@erase "$(OUTDIR)\libisccc.pdb"
+	-@erase "..\..\..\Build\Debug\libisccc.dll"
+	-@erase "..\..\..\Build\Debug\libisccc.ilk"
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /I "../..../lib/dns/sec/openssl/include" /I "../../../lib/dns/sec/dst/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBISCCC_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\libisccc.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+MTL_PROJ=/nologo /D "_DEBUG" /mktyplib203 /win32 
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\libisccc.bsc" 
+BSC32_SBRS= \
+	"$(INTDIR)\alist.sbr" \
+	"$(INTDIR)\base64.sbr" \
+	"$(INTDIR)\cc.sbr" \
+	"$(INTDIR)\ccmsg.sbr" \
+	"$(INTDIR)\DLLMain.sbr" \
+	"$(INTDIR)\lib.sbr" \
+	"$(INTDIR)\result.sbr" \
+	"$(INTDIR)\sexpr.sbr" \
+	"$(INTDIR)\symtab.sbr" \
+	"$(INTDIR)\version.sbr"
+
+"$(OUTDIR)\libisccc.bsc" : "$(OUTDIR)" $(BSC32_SBRS)
+    $(BSC32) @<<
+  $(BSC32_FLAGS) $(BSC32_SBRS)
+<<
+
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../isc/win32/debug/libisc.lib /nologo /dll /incremental:yes /pdb:"$(OUTDIR)\libisccc.pdb" /debug /machine:I386 /def:".\libisccc.def" /out:"../../../Build/Debug/libisccc.dll" /implib:"$(OUTDIR)\libisccc.lib" /pdbtype:sept 
+DEF_FILE= \
+	".\libisccc.def"
+LINK32_OBJS= \
+	"$(INTDIR)\alist.obj" \
+	"$(INTDIR)\base64.obj" \
+	"$(INTDIR)\cc.obj" \
+	"$(INTDIR)\ccmsg.obj" \
+	"$(INTDIR)\DLLMain.obj" \
+	"$(INTDIR)\lib.obj" \
+	"$(INTDIR)\result.obj" \
+	"$(INTDIR)\sexpr.obj" \
+	"$(INTDIR)\symtab.obj" \
+	"$(INTDIR)\version.obj" \
+	"..\..\isc\win32\Debug\libisc.lib"
+
+"..\..\..\Build\Debug\libisccc.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+
+!ENDIF 
+
+.c{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+
+!IF "$(NO_EXTERNAL_DEPS)" != "1"
+!IF EXISTS("libisccc.dep")
+!INCLUDE "libisccc.dep"
+!ELSE 
+!MESSAGE Warning: cannot find "libisccc.dep"
+!ENDIF 
+!ENDIF 
+
+
+!IF "$(CFG)" == "libisccc - Win32 Release" || "$(CFG)" == "libisccc - Win32 Debug"
+SOURCE=..\alist.c
+
+!IF  "$(CFG)" == "libisccc - Win32 Release"
+
+
+"$(INTDIR)\alist.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisccc - Win32 Debug"
+
+
+"$(INTDIR)\alist.obj"	"$(INTDIR)\alist.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\base64.c
+
+!IF  "$(CFG)" == "libisccc - Win32 Release"
+
+
+"$(INTDIR)\base64.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisccc - Win32 Debug"
+
+
+"$(INTDIR)\base64.obj"	"$(INTDIR)\base64.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\cc.c
+
+!IF  "$(CFG)" == "libisccc - Win32 Release"
+
+
+"$(INTDIR)\cc.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisccc - Win32 Debug"
+
+
+"$(INTDIR)\cc.obj"	"$(INTDIR)\cc.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\ccmsg.c
+
+!IF  "$(CFG)" == "libisccc - Win32 Release"
+
+
+"$(INTDIR)\ccmsg.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisccc - Win32 Debug"
+
+
+"$(INTDIR)\ccmsg.obj"	"$(INTDIR)\ccmsg.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=.\DLLMain.c
+
+!IF  "$(CFG)" == "libisccc - Win32 Release"
+
+
+"$(INTDIR)\DLLMain.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libisccc - Win32 Debug"
+
+
+"$(INTDIR)\DLLMain.obj"	"$(INTDIR)\DLLMain.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF 
+
+SOURCE=..\lib.c
+
+!IF  "$(CFG)" == "libisccc - Win32 Release"
+
+
+"$(INTDIR)\lib.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisccc - Win32 Debug"
+
+
+"$(INTDIR)\lib.obj"	"$(INTDIR)\lib.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\result.c
+
+!IF  "$(CFG)" == "libisccc - Win32 Release"
+
+
+"$(INTDIR)\result.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisccc - Win32 Debug"
+
+
+"$(INTDIR)\result.obj"	"$(INTDIR)\result.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\sexpr.c
+
+!IF  "$(CFG)" == "libisccc - Win32 Release"
+
+
+"$(INTDIR)\sexpr.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisccc - Win32 Debug"
+
+
+"$(INTDIR)\sexpr.obj"	"$(INTDIR)\sexpr.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\symtab.c
+
+!IF  "$(CFG)" == "libisccc - Win32 Release"
+
+
+"$(INTDIR)\symtab.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisccc - Win32 Debug"
+
+
+"$(INTDIR)\symtab.obj"	"$(INTDIR)\symtab.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=.\version.c
+
+!IF  "$(CFG)" == "libisccc - Win32 Release"
+
+
+"$(INTDIR)\version.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libisccc - Win32 Debug"
+
+
+"$(INTDIR)\version.obj"	"$(INTDIR)\version.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF 
+
+!IF  "$(CFG)" == "libisccc - Win32 Release"
+
+"libisc - Win32 Release" : 
+   cd "..\..\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - Win32 Release" 
+   cd "..\..\isccc\win32"
+
+"libisc - Win32 ReleaseCLEAN" : 
+   cd "..\..\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - Win32 Release" RECURSE=1 CLEAN 
+   cd "..\..\isccc\win32"
+
+!ELSEIF  "$(CFG)" == "libisccc - Win32 Debug"
+
+"libisc - Win32 Debug" : 
+   cd "..\..\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - Win32 Debug" 
+   cd "..\..\isccc\win32"
+
+"libisc - Win32 DebugCLEAN" : 
+   cd "..\..\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - Win32 Debug" RECURSE=1 CLEAN 
+   cd "..\..\isccc\win32"
+
+!ENDIF 
+
+
+!ENDIF 
+
diff --git a/lib/isccc/win32/version.c b/lib/isccc/win32/version.c
index 881759b4..dca780dc 100644
--- a/lib/isccc/win32/version.c
+++ b/lib/isccc/win32/version.c
@@ -15,12 +15,14 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: version.c,v 1.2.2.1 2004/03/09 06:12:29 marka Exp $ */
+/* $Id: version.c,v 1.2.12.3 2004/03/08 09:05:05 marka Exp $ */
 
 #include <versions.h>
 
-char isccc_version[] = VERSION;
+#include <isccc/version.h>
 
-unsigned int isccc_libinterface = LIBINTERFACE;
-unsigned int isccc_librevision = LIBREVISION;
-unsigned int isccc_libage = LIBAGE;
+LIBISCCC_EXTERNAL_DATA const char isccc_version[] = VERSION;
+
+LIBISCCC_EXTERNAL_DATA const unsigned int isccc_libinterface = LIBINTERFACE;
+LIBISCCC_EXTERNAL_DATA const unsigned int isccc_librevision = LIBREVISION;
+LIBISCCC_EXTERNAL_DATA const unsigned int isccc_libage = LIBAGE;
diff --git a/lib/isccfg/Makefile.in b/lib/isccfg/Makefile.in
index 66e2d807..22ed8a46 100644
--- a/lib/isccfg/Makefile.in
+++ b/lib/isccfg/Makefile.in
@@ -1,5 +1,5 @@
 # Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001, 2003  Internet Software Consortium.
+# Copyright (C) 2001-2003  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.6.2.5 2004/07/20 07:00:20 marka Exp $
+# $Id: Makefile.in,v 1.6.12.7 2004/03/09 05:21:09 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -23,7 +23,7 @@ top_srcdir =	@top_srcdir@
 
 @LIBISCCFG_API@
 
-@BIND9_INCLUDES@
+@BIND9_MAKE_INCLUDES@
 
 CINCLUDES =	-I. ${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES}
 
@@ -43,10 +43,10 @@ LIBS =		@LIBS@
 SUBDIRS =	include
 
 # Alphabetically
-OBJS =		check.@O@ log.@O@ parser.@O@ version.@O@
+OBJS =		log.@O@ namedconf.@O@ parser.@O@ version.@O@
 
 # Alphabetically
-SRCS =		check.c log.c parser.c version.c
+SRCS =		log.c namedconf.c parser.c version.c
 
 TARGETS = 	timestamp
 
@@ -66,7 +66,7 @@ libisccfg.@SA@: ${OBJS}
 
 libisccfg.la: ${OBJS}
 	 ${LIBTOOL_MODE_LINK} \
-		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisccfg.la -rpath ${libdir} \
+		${CC} ${ALL_CFLAGS} -o libisccfg.la -rpath ${libdir} \
 		-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
 		${OBJS} ${LIBS} ${DNSLIBS} ${ISCCCLIBS} ${ISCLIBS}
 
diff --git a/lib/isccfg/api b/lib/isccfg/api
index 455a7f43..593ba235 100644
--- a/lib/isccfg/api
+++ b/lib/isccfg/api
@@ -1,3 +1,3 @@
-LIBINTERFACE = 0
-LIBREVISION = 13
+LIBINTERFACE = 1
+LIBREVISION = 1
 LIBAGE = 0
diff --git a/lib/isccfg/check.c b/lib/isccfg/check.c
deleted file mode 100644
index 3879b056..00000000
--- a/lib/isccfg/check.c
+++ /dev/null
@@ -1,761 +0,0 @@
-/*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: check.c,v 1.14.2.28 2006/03/02 00:37:18 marka Exp $ */
-
-#include <config.h>
-
-#include <stdlib.h>
-#include <string.h>
-
-#include <isc/buffer.h>
-#include <isc/log.h>
-#include <isc/mem.h>
-#include <isc/netaddr.h>
-#include <isc/result.h>
-#include <isc/sockaddr.h>
-#include <isc/symtab.h>
-#include <isc/util.h>
-
-#include <dns/fixedname.h>
-#include <dns/rdataclass.h>
-
-#include <isccfg/cfg.h>
-#include <isccfg/check.h>
-
-static void
-freekey(char *key, unsigned int type, isc_symvalue_t value, void *userarg) {
-	UNUSED(type);
-	UNUSED(value);
-	isc_mem_free(userarg, key);
-}
-
-static isc_result_t
-check_forward(const cfg_obj_t *options, isc_log_t *logctx) {
-	const cfg_obj_t *forward = NULL;
-	const cfg_obj_t *forwarders = NULL;
-
-	(void)cfg_map_get(options, "forward", &forward);
-	(void)cfg_map_get(options, "forwarders", &forwarders);
-
-	if (forward != NULL && forwarders == NULL) {
-		cfg_obj_log(forward, logctx, ISC_LOG_ERROR,
-			    "no matching 'forwarders' statement");
-		return (ISC_R_FAILURE);
-	}
-	return (ISC_R_SUCCESS);
-}
-
-typedef struct {
-	const char *name;
-	unsigned int scale;
-} intervaltable;
-
-static isc_result_t
-check_options(const cfg_obj_t *options, isc_log_t *logctx) {
-	isc_result_t result = ISC_R_SUCCESS;
-	unsigned int i;
-	const cfg_obj_t *obj;
-
-	static intervaltable intervals[] = {
-	{ "cleaning-interval", 60 },
-	{ "heartbeat-interval", 60 },
-	{ "interface-interval", 60 },
-	{ "max-transfer-idle-in", 60 },
-	{ "max-transfer-idle-out", 60 },
-	{ "max-transfer-time-in", 60 },
-	{ "max-transfer-time-out", 60 },
-	{ "sig-validity-interval", 86400},
-	{ "statistics-interval", 60 },
-	};
-
-	/*
-	 * Check that fields specified in units of time other than seconds
-	 * have reasonable values.
-	 */
-	for (i = 0; i < sizeof(intervals) / sizeof(intervals[0]); i++) {
-		isc_uint32_t val;
-		const cfg_obj_t *obj = NULL;
-		(void)cfg_map_get(options, intervals[i].name, &obj);
-		if (obj == NULL)
-			continue;
-		val = cfg_obj_asuint32(obj);
-		if (val > (ISC_UINT32_MAX / intervals[i].scale)) {
-			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-				    "%s '%d' is out of range",
-				    intervals[i].name, val);
-			result = ISC_R_RANGE;
-		}
-	}
-
-	obj = NULL;
-	(void)cfg_map_get(options, "root-delegation-only", &obj);
-	if (obj != NULL) {
-		if (!cfg_obj_isvoid(obj)) {
-			const cfg_listelt_t *element;
-			const cfg_obj_t *exclude;
-			const char *str;
-			dns_fixedname_t fixed;
-			dns_name_t *name;
-			isc_buffer_t b;
-			isc_result_t tresult;
-
-			dns_fixedname_init(&fixed);
-			name = dns_fixedname_name(&fixed);
-			for (element = cfg_list_first(obj);
-			     element != NULL;
-			     element = cfg_list_next(element)) {
-				exclude = cfg_listelt_value(element);
-				str = cfg_obj_asstring(exclude);
-				isc_buffer_init(&b, str, strlen(str));
-				isc_buffer_add(&b, strlen(str));
-				tresult = dns_name_fromtext(name, &b,
-							   dns_rootname,
-                                                           ISC_FALSE, NULL);
-				if (tresult != ISC_R_SUCCESS) {
-					cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-						    "bad domain name '%s'",
-						    str);
-					result = tresult;
-				}
-			}
-		}
-	}
-	return (result);
-}
-
-#define MASTERZONE	1
-#define SLAVEZONE	2
-#define STUBZONE	4
-#define HINTZONE	8
-#define FORWARDZONE	16
-#define DELEGATIONZONE	32
-
-typedef struct {
-	const char *name;
-	int allowed;
-} optionstable;
-
-static isc_result_t
-check_zoneconf(const cfg_obj_t *zconfig, isc_symtab_t *symtab,
-	       isc_log_t *logctx, isc_mem_t *mctx)
-{
-	const char *zname;
-	const char *typestr;
-	unsigned int ztype;
-	const cfg_obj_t *zoptions;
-	const cfg_obj_t *obj = NULL;
-	const cfg_obj_t *addrlist = NULL;
-	isc_symvalue_t symvalue;
-	isc_result_t result = ISC_R_SUCCESS;
-	isc_result_t tresult;
-	unsigned int i;
- 	dns_fixedname_t fixedname;
- 	isc_buffer_t b;
-
-	static optionstable options[] = {
-	{ "allow-query", MASTERZONE | SLAVEZONE | STUBZONE },
-	{ "allow-notify", SLAVEZONE },
-	{ "allow-transfer", MASTERZONE | SLAVEZONE },
-	{ "notify", MASTERZONE | SLAVEZONE },
-	{ "also-notify", MASTERZONE | SLAVEZONE },
-	{ "dialup", MASTERZONE | SLAVEZONE | STUBZONE },
-	{ "delegation-only", HINTZONE | STUBZONE },
-	{ "forward", MASTERZONE | SLAVEZONE | STUBZONE | FORWARDZONE },
-	{ "forwarders", MASTERZONE | SLAVEZONE | STUBZONE | FORWARDZONE },
-	{ "maintain-ixfr-base", MASTERZONE | SLAVEZONE },
-	{ "max-ixfr-log-size", MASTERZONE | SLAVEZONE },
-	{ "notify-source", MASTERZONE | SLAVEZONE },
-	{ "notify-source-v6", MASTERZONE | SLAVEZONE },
-	{ "transfer-source", SLAVEZONE | STUBZONE },
-	{ "transfer-source-v6", SLAVEZONE | STUBZONE },
-	{ "max-transfer-time-in", SLAVEZONE | STUBZONE },
-	{ "max-transfer-time-out", MASTERZONE | SLAVEZONE },
-	{ "max-transfer-idle-in", SLAVEZONE | STUBZONE },
-	{ "max-transfer-idle-out", MASTERZONE | SLAVEZONE },
-	{ "max-retry-time", SLAVEZONE | STUBZONE },
-	{ "min-retry-time", SLAVEZONE | STUBZONE },
-	{ "max-refresh-time", SLAVEZONE | STUBZONE },
-	{ "min-refresh-time", SLAVEZONE | STUBZONE },
-	{ "sig-validity-interval", MASTERZONE },
-	{ "zone-statistics", MASTERZONE | SLAVEZONE | STUBZONE },
-	{ "allow-update", MASTERZONE },
-	{ "allow-update-forwarding", SLAVEZONE },
-	{ "file", MASTERZONE | SLAVEZONE | STUBZONE | HINTZONE },
-	{ "ixfr-base", MASTERZONE | SLAVEZONE },
-	{ "ixfr-tmp-file", MASTERZONE | SLAVEZONE },
-	{ "masters", SLAVEZONE | STUBZONE },
-	{ "pubkey", MASTERZONE | SLAVEZONE | STUBZONE },
-	{ "update-policy", MASTERZONE },
-	{ "database", MASTERZONE | SLAVEZONE | STUBZONE },
-	};
-
-	static optionstable dialups[] = {
-	{ "notify", MASTERZONE | SLAVEZONE },
-	{ "notify-passive", SLAVEZONE },
-	{ "refresh", SLAVEZONE | STUBZONE },
-	{ "passive", SLAVEZONE | STUBZONE },
-	};
-
-	zname = cfg_obj_asstring(cfg_tuple_get(zconfig, "name"));
-
-	zoptions = cfg_tuple_get(zconfig, "options");
-
-	obj = NULL;
-	(void)cfg_map_get(zoptions, "type", &obj);
-	if (obj == NULL) {
-		cfg_obj_log(zconfig, logctx, ISC_LOG_ERROR,
-			    "zone '%s': type not present", zname);
-		return (ISC_R_FAILURE);
-	}
-
-	typestr = cfg_obj_asstring(obj);
-	if (strcasecmp(typestr, "master") == 0)
-		ztype = MASTERZONE;
-	else if (strcasecmp(typestr, "slave") == 0)
-		ztype = SLAVEZONE;
-	else if (strcasecmp(typestr, "stub") == 0)
-		ztype = STUBZONE;
-	else if (strcasecmp(typestr, "forward") == 0)
-		ztype = FORWARDZONE;
-	else if (strcasecmp(typestr, "hint") == 0)
-		ztype = HINTZONE;
-	else if (strcasecmp(typestr, "delegation-only") == 0)
-		ztype = DELEGATIONZONE;
-	else {
-		cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-			    "zone '%s': invalid type %s",
-			    zname, typestr);
-		return (ISC_R_FAILURE);
-	}
-
-	/*
-	 * Look for an already existing zone.
-	 * We need to make this cannonical as isc_symtab_define()
-	 * deals with strings.
-	 */
-	dns_fixedname_init(&fixedname);
-	isc_buffer_init(&b, zname, strlen(zname));
-	isc_buffer_add(&b, strlen(zname));
-	result = dns_name_fromtext(dns_fixedname_name(&fixedname), &b,
-				   dns_rootname, ISC_TRUE, NULL);
-	if (result != ISC_R_SUCCESS) {
-		cfg_obj_log(zconfig, logctx, ISC_LOG_ERROR,
-			    "zone '%s': is not a valid name", zname);
-		result = ISC_R_FAILURE;
-	} else {
-		char namebuf[DNS_NAME_FORMATSIZE];
-		char *key;
-
-		dns_name_format(dns_fixedname_name(&fixedname),
-				namebuf, sizeof(namebuf));
-		key = isc_mem_strdup(mctx, namebuf);
-		if (key == NULL)
-			return (ISC_R_NOMEMORY);
-		symvalue.as_pointer = NULL;
-		tresult = isc_symtab_define(symtab, key,
-					    ztype == HINTZONE ? 1 : 2,
-					    symvalue, isc_symexists_reject);
-		if (tresult == ISC_R_EXISTS) {
-			isc_mem_free(mctx, key);
-			cfg_obj_log(zconfig, logctx, ISC_LOG_ERROR,
-				    "zone '%s': already exists ", zname);
-			result = ISC_R_FAILURE;
-		} else if (tresult != ISC_R_SUCCESS) {
-			isc_mem_free(mctx, key);
-
-			return (tresult);
-		}
-	}
-
-	/*
-	 * Look for inappropriate options for the given zone type.
-	 */
-	for (i = 0; i < sizeof(options) / sizeof(options[0]); i++) {
-		obj = NULL;
-		if ((options[i].allowed & ztype) == 0 &&
-		    cfg_map_get(zoptions, options[i].name, &obj) ==
-		    ISC_R_SUCCESS)
-		{
-			if (strcmp(options[i].name, "allow-update") != 0 ||
-			    ztype != SLAVEZONE) {
-				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-					    "option '%s' is not allowed "
-					    "in '%s' zone '%s'",
-					    options[i].name, typestr, zname);
-					result = ISC_R_FAILURE;
-			} else
-				cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
-					    "option '%s' is not allowed "
-					    "in '%s' zone '%s'",
-					    options[i].name, typestr, zname);
-		}
-	}
-
-	/*
-	 * Slave & stub zones must have a "masters" field.
-	 */
-	if (ztype == SLAVEZONE || ztype == STUBZONE) {
-		obj = NULL;
-		if (cfg_map_get(zoptions, "masters", &obj) != ISC_R_SUCCESS) {
-			cfg_obj_log(zoptions, logctx, ISC_LOG_ERROR,
-				    "zone '%s': missing 'masters' entry",
-				    zname);
-			result = ISC_R_FAILURE;
-		} else {
-			addrlist = cfg_tuple_get(obj, "addresses");
-			if (cfg_list_first(addrlist) == NULL) {
-				cfg_obj_log(zoptions, logctx, ISC_LOG_ERROR,
-					    "zone '%s': empty 'masters' entry",
-					    zname);
-				result = ISC_R_FAILURE;
-			}
-		}
-	}
-
-	/*
-	 * Master zones can't have both "allow-update" and "update-policy".
-	 */
-	if (ztype == MASTERZONE) {
-		isc_result_t res1, res2;
-		obj = NULL;
-		res1 = cfg_map_get(zoptions, "allow-update", &obj);
-		obj = NULL;
-		res2 = cfg_map_get(zoptions, "update-policy", &obj);
-		if (res1 == ISC_R_SUCCESS && res2 == ISC_R_SUCCESS) {
-			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-				    "zone '%s': 'allow-update' is ignored "
-				    "when 'update-policy' is present",
-				    zname);
-			result = ISC_R_FAILURE;
-		}
-	}
-
-	/*
-	 * Check the excessively complicated "dialup" option.
-	 */
-	if (ztype == MASTERZONE || ztype == SLAVEZONE || ztype == STUBZONE) {
-		const cfg_obj_t *dialup = NULL;
-		cfg_map_get(zoptions, "dialup", &dialup);
-		if (dialup != NULL && cfg_obj_isstring(dialup)) {
-			const char *str = cfg_obj_asstring(dialup);
-			for (i = 0;
-			     i < sizeof(dialups) / sizeof(dialups[0]);
-			     i++)
-			{
-				if (strcasecmp(dialups[i].name, str) != 0)
-					continue;
-				if ((dialups[i].allowed & ztype) == 0) {
-					cfg_obj_log(obj, logctx,
-						    ISC_LOG_ERROR,
-						    "dialup type '%s' is not "
-						    "allowed in '%s' "
-						    "zone '%s'",
-						    str, typestr, zname);
-					result = ISC_R_FAILURE;
-				}
-				break;
-			}
-			if (i == sizeof(dialups) / sizeof(dialups[0])) {
-				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-					    "invalid dialup type '%s' in zone "
-					    "'%s'", str, zname);
-				result = ISC_R_FAILURE;
-			}
-		}
-	}
-
-	/*
-	 * Check that forwarding is reasonable.
-	 */
-	if (check_forward(zoptions, logctx) != ISC_R_SUCCESS)
-		result = ISC_R_FAILURE;
-
-	/*
-	 * Check various options.
-	 */
-	tresult = check_options(zoptions, logctx);
-	if (tresult != ISC_R_SUCCESS)
-		result = tresult;
-
-	/*
-	 * If the zone type is rbt/rbt64 then master/hint zones
-	 * require file clauses.
-	 */
-	obj = NULL;
-	tresult = cfg_map_get(zoptions, "database", &obj);
-	if (tresult == ISC_R_NOTFOUND ||
-	    (tresult == ISC_R_SUCCESS &&
-	     (strcmp("rbt", cfg_obj_asstring(obj)) == 0 ||
-	      strcmp("rbt64", cfg_obj_asstring(obj)) == 0))) {
-		obj = NULL;
-		tresult = cfg_map_get(zoptions, "file", &obj);
-		if (tresult != ISC_R_SUCCESS &&
-		    (ztype == MASTERZONE || ztype == HINTZONE)) {
-			cfg_obj_log(zconfig, logctx, ISC_LOG_ERROR,
-				    "zone '%s': missing 'file' entry",
-				    zname);
-			result = tresult;
-		}
-	}
-
-	return (result);
-}
-
-isc_result_t
-cfg_check_key(const cfg_obj_t *key, isc_log_t *logctx) {
-	const cfg_obj_t *algobj = NULL;
-	const cfg_obj_t *secretobj = NULL;
-	const char *keyname = cfg_obj_asstring(cfg_map_getname(key));
-	
-	cfg_map_get(key, "algorithm", &algobj);
-	cfg_map_get(key, "secret", &secretobj);
-	if (secretobj == NULL || algobj == NULL) {
-		cfg_obj_log(key, logctx, ISC_LOG_ERROR,
-			    "key '%s' must have both 'secret' and "
-			    "'algorithm' defined",
-			    keyname);
-		return ISC_R_FAILURE;
-	}
-	return ISC_R_SUCCESS;
-}
-		
-static isc_result_t
-check_keylist(const cfg_obj_t *keys, isc_symtab_t *symtab, isc_log_t *logctx) {
-	isc_result_t result = ISC_R_SUCCESS;
-	isc_result_t tresult;
-	const cfg_listelt_t *element;
-
-	for (element = cfg_list_first(keys);
-	     element != NULL;
-	     element = cfg_list_next(element))
-	{
-		const cfg_obj_t *key = cfg_listelt_value(element);
-		const char *keyname = cfg_obj_asstring(cfg_map_getname(key));
-		isc_symvalue_t symvalue;
-
-		symvalue.as_pointer = NULL;
-		tresult = isc_symtab_define(symtab, keyname, 1,
-					    symvalue, isc_symexists_reject);
-		if (tresult == ISC_R_EXISTS) {
-			cfg_obj_log(key, logctx, ISC_LOG_ERROR,
-				    "key '%s': already exists ", keyname);
-			result = tresult;
-		} else if (tresult != ISC_R_SUCCESS)
-			return (tresult);
-
-		tresult = cfg_check_key(key, logctx);
-		if (tresult != ISC_R_SUCCESS)
-			return (tresult);
-	}
-	return (result);
-}
-
-static isc_result_t
-check_servers(const cfg_obj_t *servers, isc_log_t *logctx) {
-	isc_result_t result = ISC_R_SUCCESS;
-	const cfg_listelt_t *e1, *e2;
-	const cfg_obj_t *v1, *v2;
-	const isc_sockaddr_t *s1, *s2;
-	isc_netaddr_t na;
-
-	for (e1 = cfg_list_first(servers); e1 != NULL; e1 = cfg_list_next(e1)) {
-		v1 = cfg_listelt_value(e1);
-		s1 = cfg_obj_assockaddr(cfg_map_getname(v1));
-		e2 = e1;
-		while ((e2 = cfg_list_next(e2)) != NULL) {
-			v2 = cfg_listelt_value(e2);
-			s2 = cfg_obj_assockaddr(cfg_map_getname(v2));
-			if (isc_sockaddr_eqaddr(s1, s2)) {
-				isc_buffer_t target;
-				char buf[128];
-
-				isc_netaddr_fromsockaddr(&na, s2);
-				isc_buffer_init(&target, buf, sizeof(buf) - 1);
-				INSIST(isc_netaddr_totext(&na, &target)
-				       == ISC_R_SUCCESS);
-				buf[isc_buffer_usedlength(&target)] = '\0';
-
-				cfg_obj_log(v2, logctx, ISC_LOG_ERROR,
-					    "server '%s': already exists",
-					    buf);
-				result = ISC_R_FAILURE;
-			}
-		}
-	}
-	return (result);
-}
-  		
-static isc_result_t
-check_viewconf(const cfg_obj_t *config, const cfg_obj_t *vconfig,
-	       isc_log_t *logctx, isc_mem_t *mctx)
-{
-	const cfg_obj_t *servers = NULL;
-	const cfg_obj_t *zones = NULL;
-	const cfg_obj_t *keys = NULL;
-	const cfg_listelt_t *element;
-	isc_symtab_t *symtab = NULL;
-	isc_result_t result = ISC_R_SUCCESS;
-	isc_result_t tresult = ISC_R_SUCCESS;
-
-	/*
-	 * Check that all zone statements are syntactically correct and
-	 * there are no duplicate zones.
-	 */
-	tresult = isc_symtab_create(mctx, 100, freekey, mctx,
-				    ISC_FALSE, &symtab);
-	if (tresult != ISC_R_SUCCESS)
-		return (ISC_R_NOMEMORY);
-
-	if (vconfig != NULL)
-		(void)cfg_map_get(vconfig, "zone", &zones);
-	else
-		(void)cfg_map_get(config, "zone", &zones);
-
-	for (element = cfg_list_first(zones);
-	     element != NULL;
-	     element = cfg_list_next(element))
-	{
-		const cfg_obj_t *zone = cfg_listelt_value(element);
-
-		if (check_zoneconf(zone, symtab, logctx, mctx) != ISC_R_SUCCESS)
-			result = ISC_R_FAILURE;
-	}
-
-	isc_symtab_destroy(&symtab);
-
-	/*
-	 * Check that all key statements are syntactically correct and
-	 * there are no duplicate keys.
-	 */
-	tresult = isc_symtab_create(mctx, 100, NULL, NULL, ISC_TRUE, &symtab);
-	if (tresult != ISC_R_SUCCESS)
-		return (ISC_R_NOMEMORY);
-
-	cfg_map_get(config, "key", &keys);
-	tresult = check_keylist(keys, symtab, logctx);
-	if (tresult == ISC_R_EXISTS)
-		result = ISC_R_FAILURE;
-	else if (tresult != ISC_R_SUCCESS) {
-		isc_symtab_destroy(&symtab);
-		return (tresult);
-	}
-	
-	if (vconfig != NULL) {
-		keys = NULL;
-		(void)cfg_map_get(vconfig, "key", &keys);
-		tresult = check_keylist(keys, symtab, logctx);
-		if (tresult == ISC_R_EXISTS)
-			result = ISC_R_FAILURE;
-		else if (tresult != ISC_R_SUCCESS) {
-			isc_symtab_destroy(&symtab);
-			return (tresult);
-		}
-	}
-
-	isc_symtab_destroy(&symtab);
-
-	/*
-	 * Check that forwarding is reasonable.
-	 */
-	if (vconfig == NULL) {
-		const cfg_obj_t *options = NULL;
-		cfg_map_get(config, "options", &options);
-		if (options != NULL)
-			if (check_forward(options, logctx) != ISC_R_SUCCESS)
-				result = ISC_R_FAILURE;
-	} else {
-		if (check_forward(vconfig, logctx) != ISC_R_SUCCESS)
-			result = ISC_R_FAILURE;
-	}
-
-
-	if (vconfig != NULL) {
-		(void)cfg_map_get(vconfig, "server", &servers);
-		if (servers != NULL &&
-		    check_servers(servers, logctx) != ISC_R_SUCCESS)
-			result = ISC_R_FAILURE;
-	}
-
-	if (vconfig != NULL)
-		tresult = check_options(vconfig, logctx);
-	else
-		tresult = check_options(config, logctx);
-	if (tresult != ISC_R_SUCCESS)
-		result = tresult;
-	
-	return (result);
-}
-
-
-isc_result_t
-cfg_check_namedconf(const cfg_obj_t *config, isc_log_t *logctx,
-		    isc_mem_t *mctx)
-{ 
-	const cfg_obj_t *options = NULL;
-	const cfg_obj_t *servers = NULL;
-	const cfg_obj_t *views = NULL;
-	const cfg_obj_t *acls = NULL;
-	const cfg_obj_t *obj;
-	const cfg_listelt_t *velement;
-	isc_result_t result = ISC_R_SUCCESS;
-	isc_result_t tresult;
-	isc_symtab_t *symtab = NULL;
-
-	static const char *builtin[] = { "localhost", "localnets",
-					 "any", "none" };
-
-	(void)cfg_map_get(config, "options", &options);
-
-	if (options != NULL &&
-	    check_options(options, logctx) != ISC_R_SUCCESS)
-		result = ISC_R_FAILURE;
-
-	(void)cfg_map_get(config, "server", &servers);
-	if (servers != NULL &&
-	    check_servers(servers, logctx) != ISC_R_SUCCESS)
-		result = ISC_R_FAILURE;
-
-	(void)cfg_map_get(config, "view", &views);
-
-	if (views == NULL) {
-		if (check_viewconf(config, NULL, logctx, mctx)
-				   != ISC_R_SUCCESS)
-			result = ISC_R_FAILURE;
-	} else {
-		const cfg_obj_t *zones = NULL;
-
-		(void)cfg_map_get(config, "zone", &zones);
-		if (zones != NULL) {
-			cfg_obj_log(zones, logctx, ISC_LOG_ERROR,
-				    "when using 'view' statements, "
-				    "all zones must be in views");
-			result = ISC_R_FAILURE;
-		}
-	}
-
-	tresult = isc_symtab_create(mctx, 100, NULL, NULL, ISC_TRUE, &symtab);
-	if (tresult != ISC_R_SUCCESS)
-		result = tresult;
-	for (velement = cfg_list_first(views);
-	     velement != NULL;
-	     velement = cfg_list_next(velement))
-	{
-		const cfg_obj_t *view = cfg_listelt_value(velement);
-		const cfg_obj_t *vname = cfg_tuple_get(view, "name");
-		const cfg_obj_t *voptions = cfg_tuple_get(view, "options");
-		const cfg_obj_t *vclassobj = cfg_tuple_get(view, "class");
-		dns_rdataclass_t vclass = dns_rdataclass_in;
-		isc_result_t tresult = ISC_R_SUCCESS;
-		const char *key = cfg_obj_asstring(vname);
-		isc_symvalue_t symvalue;
-
-		if (cfg_obj_isstring(vclassobj)) {
-			isc_textregion_t r;
-		
-			DE_CONST(cfg_obj_asstring(vclassobj), r.base);
-			r.length = strlen(r.base);
-			tresult = dns_rdataclass_fromtext(&vclass, &r);
-			if (tresult != ISC_R_SUCCESS)
-				cfg_obj_log(vclassobj, logctx, ISC_LOG_ERROR,
-					    "view '%s': invalid class %s",
-					    cfg_obj_asstring(vname), r.base);
-		}
-		if (tresult == ISC_R_SUCCESS && symtab != NULL) {
-			symvalue.as_cpointer = view;
-			tresult = isc_symtab_define(symtab, key, vclass,
-						    symvalue,
-						    isc_symexists_reject);
-			if (tresult == ISC_R_EXISTS) {
-				cfg_obj_log(view, logctx, ISC_LOG_ERROR,
-					    "view '%s': already exists", key);
-				result = tresult;
-			} else if (result != ISC_R_SUCCESS) {
-				result = tresult;
-			} else if ((strcasecmp(key, "_bind") == 0 &&
-				    vclass == dns_rdataclass_ch) ||
-				   (strcasecmp(key, "_default") == 0 &&
-				    vclass == dns_rdataclass_in)) {
-				cfg_obj_log(view, logctx, ISC_LOG_ERROR,
-					    "attempt to redefine builtin view "
-					    "'%s'", key);
-				result = ISC_R_EXISTS;
-			}
-		}
-		if (check_viewconf(config, voptions, logctx, mctx)
-		    != ISC_R_SUCCESS)
-			result = ISC_R_FAILURE;
-	}
-	if (symtab != NULL)
-		isc_symtab_destroy(&symtab);
-
-	if (views != NULL && options != NULL) {
-		obj = NULL;
-		tresult = cfg_map_get(options, "cache-file", &obj);
-		if (tresult == ISC_R_SUCCESS) {
-			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-				    "'cache-file' cannot be a global "
-				    "option if views are present");
-			result = ISC_R_FAILURE;
-		}
-	}
-
-        tresult = cfg_map_get(config, "acl", &acls);
-        if (tresult == ISC_R_SUCCESS) {
-		const cfg_listelt_t *elt;
-		const cfg_listelt_t *elt2;
-		const char *aclname;
-
-		for (elt = cfg_list_first(acls);
-		     elt != NULL;
-		     elt = cfg_list_next(elt)) {
-			const cfg_obj_t *acl = cfg_listelt_value(elt);
-			unsigned int i;
-
-			aclname = cfg_obj_asstring(cfg_tuple_get(acl, "name"));
-			for (i = 0;
-			     i < sizeof(builtin) / sizeof(builtin[0]);
-			     i++)
-				if (strcasecmp(aclname, builtin[i]) == 0) {
-					cfg_obj_log(acl, logctx, ISC_LOG_ERROR,
-						    "attempt to redefine "
-						    "builtin acl '%s'",
-				    		    aclname);
-					result = ISC_R_FAILURE;
-					break;
-				}
-
-			for (elt2 = cfg_list_next(elt);
-			     elt2 != NULL;
-			     elt2 = cfg_list_next(elt2)) {
-				const cfg_obj_t *acl2 = cfg_listelt_value(elt2);
-				const char *name;
-				name = cfg_obj_asstring(cfg_tuple_get(acl2,
-								      "name"));
-				if (strcasecmp(aclname, name) == 0) {
-					cfg_obj_log(acl2, logctx, ISC_LOG_ERROR,
-						    "attempt to redefine "
-						    "acl '%s'", name);
-					result = ISC_R_FAILURE;
-					break;
-				}
-			}
-		}
-	}
-
-	return (result);
-}
diff --git a/lib/isccfg/include/Makefile.in b/lib/isccfg/include/Makefile.in
index fc199ab3..77d32196 100644
--- a/lib/isccfg/include/Makefile.in
+++ b/lib/isccfg/include/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.4.2.1 2004/03/09 06:12:31 marka Exp $
+# $Id: Makefile.in,v 1.4.206.1 2004/03/06 08:15:27 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/isccfg/include/isccfg/Makefile.in b/lib/isccfg/include/isccfg/Makefile.in
index 3737dfa9..dc8b1b1e 100644
--- a/lib/isccfg/include/isccfg/Makefile.in
+++ b/lib/isccfg/include/isccfg/Makefile.in
@@ -1,5 +1,5 @@
 # Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001  Internet Software Consortium.
+# Copyright (C) 2001, 2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.4.2.1 2004/03/09 06:12:31 marka Exp $
+# $Id: Makefile.in,v 1.4.12.3 2004/03/08 09:05:07 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -26,7 +26,7 @@ top_srcdir =	@top_srcdir@
 # machine generated.  The latter are handled specially in the
 # install target below.
 #
-HEADERS =	cfg.h check.h log.h
+HEADERS =	cfg.h grammar.h log.h namedconf.h version.h
 
 SUBDIRS =
 TARGETS =
diff --git a/lib/isccfg/include/isccfg/cfg.h b/lib/isccfg/include/isccfg/cfg.h
index b95eab4b..b4081cd7 100644
--- a/lib/isccfg/include/isccfg/cfg.h
+++ b/lib/isccfg/include/isccfg/cfg.h
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: cfg.h,v 1.30.2.3 2006/03/02 00:37:18 marka Exp $ */
+/* $Id: cfg.h,v 1.30.12.4 2004/03/08 09:05:07 marka Exp $ */
 
 #ifndef ISCCFG_CFG_H
 #define ISCCFG_CFG_H 1
@@ -28,7 +28,6 @@
  * This is the new, table-driven, YACC-free configuration file parser.
  */
 
-
 /***
  *** Imports
  ***/
@@ -75,7 +74,7 @@ typedef struct cfg_listelt cfg_listelt_t;
  * "directory".
  */
 typedef isc_result_t
-(*cfg_parsecallback_t)(const char *clausename, const cfg_obj_t *obj, void *arg);
+(*cfg_parsecallback_t)(const char *clausename, cfg_obj_t *obj, void *arg);
 
 /***
  *** Functions
@@ -144,20 +143,20 @@ cfg_parser_destroy(cfg_parser_t **pctxp);
  */
 
 isc_boolean_t
-cfg_obj_isvoid(const cfg_obj_t *obj);
+cfg_obj_isvoid(cfg_obj_t *obj);
 /*
  * Return true iff 'obj' is of void type (e.g., an optional 
  * value not specified).
  */
 
 isc_boolean_t
-cfg_obj_ismap(const cfg_obj_t *obj);
+cfg_obj_ismap(cfg_obj_t *obj);
 /*
  * Return true iff 'obj' is of a map type.
  */
 
 isc_result_t
-cfg_map_get(const cfg_obj_t *mapobj, const char* name, const cfg_obj_t **obj);
+cfg_map_get(cfg_obj_t *mapobj, const char* name, cfg_obj_t **obj);
 /*
  * Extract an element from a configuration object, which
  * must be of a map type.
@@ -172,8 +171,8 @@ cfg_map_get(const cfg_obj_t *mapobj, const char* name, const cfg_obj_t **obj);
  *      ISC_R_NOTFOUND                 - name not found in map
  */
 
-const cfg_obj_t *
-cfg_map_getname(const cfg_obj_t *mapobj);
+cfg_obj_t *
+cfg_map_getname(cfg_obj_t *mapobj);
 /*
  * Get the name of a named map object, like a server "key" clause.
  *
@@ -186,13 +185,13 @@ cfg_map_getname(const cfg_obj_t *mapobj);
  */
 
 isc_boolean_t
-cfg_obj_istuple(const cfg_obj_t *obj);
+cfg_obj_istuple(cfg_obj_t *obj);
 /*
  * Return true iff 'obj' is of a map type.
  */
 
-const cfg_obj_t *
-cfg_tuple_get(const cfg_obj_t *tupleobj, const char *name);
+cfg_obj_t *
+cfg_tuple_get(cfg_obj_t *tupleobj, const char *name);
 /*
  * Extract an element from a configuration object, which
  * must be of a tuple type.
@@ -204,13 +203,13 @@ cfg_tuple_get(const cfg_obj_t *tupleobj, const char *name);
  */
 
 isc_boolean_t
-cfg_obj_isuint32(const cfg_obj_t *obj);
+cfg_obj_isuint32(cfg_obj_t *obj);
 /*
  * Return true iff 'obj' is of integer type.
  */
 
 isc_uint32_t
-cfg_obj_asuint32(const cfg_obj_t *obj);
+cfg_obj_asuint32(cfg_obj_t *obj);
 /*
  * Returns the value of a configuration object of 32-bit integer type.
  *
@@ -222,13 +221,13 @@ cfg_obj_asuint32(const cfg_obj_t *obj);
  */
 
 isc_boolean_t
-cfg_obj_isuint64(const cfg_obj_t *obj);
+cfg_obj_isuint64(cfg_obj_t *obj);
 /*
  * Return true iff 'obj' is of integer type.
  */
 
 isc_uint64_t
-cfg_obj_asuint64(const cfg_obj_t *obj);
+cfg_obj_asuint64(cfg_obj_t *obj);
 /*
  * Returns the value of a configuration object of 64-bit integer type.
  *
@@ -240,13 +239,13 @@ cfg_obj_asuint64(const cfg_obj_t *obj);
  */
 
 isc_boolean_t
-cfg_obj_isstring(const cfg_obj_t *obj);
+cfg_obj_isstring(cfg_obj_t *obj);
 /*
  * Return true iff 'obj' is of string type.
  */
 
-const char *
-cfg_obj_asstring(const cfg_obj_t *obj);
+char *
+cfg_obj_asstring(cfg_obj_t *obj);
 /*
  * Returns the value of a configuration object of a string type
  * as a null-terminated string.
@@ -259,13 +258,13 @@ cfg_obj_asstring(const cfg_obj_t *obj);
  */
 
 isc_boolean_t
-cfg_obj_isboolean(const cfg_obj_t *obj);
+cfg_obj_isboolean(cfg_obj_t *obj);
 /*
  * Return true iff 'obj' is of a boolean type.
  */
 
 isc_boolean_t
-cfg_obj_asboolean(const cfg_obj_t *obj);
+cfg_obj_asboolean(cfg_obj_t *obj);
 /*
  * Returns the value of a configuration object of a boolean type.
  *
@@ -277,13 +276,13 @@ cfg_obj_asboolean(const cfg_obj_t *obj);
  */
 
 isc_boolean_t
-cfg_obj_issockaddr(const cfg_obj_t *obj);
+cfg_obj_issockaddr(cfg_obj_t *obj);
 /*
  * Return true iff 'obj' is a socket address.
  */
 
-const isc_sockaddr_t *
-cfg_obj_assockaddr(const cfg_obj_t *obj);
+isc_sockaddr_t *
+cfg_obj_assockaddr(cfg_obj_t *obj);
 /*
  * Returns the value of a configuration object representing a socket address.
  *
@@ -296,13 +295,13 @@ cfg_obj_assockaddr(const cfg_obj_t *obj);
  */
 
 isc_boolean_t
-cfg_obj_isnetprefix(const cfg_obj_t *obj);
+cfg_obj_isnetprefix(cfg_obj_t *obj);
 /*
  * Return true iff 'obj' is a network prefix.
  */
 
 void
-cfg_obj_asnetprefix(const cfg_obj_t *obj, isc_netaddr_t *netaddr,
+cfg_obj_asnetprefix(cfg_obj_t *obj, isc_netaddr_t *netaddr,
 		    unsigned int *prefixlen);
 /*
  * Gets the value of a configuration object representing a network
@@ -315,13 +314,13 @@ cfg_obj_asnetprefix(const cfg_obj_t *obj, isc_netaddr_t *netaddr,
  */
 
 isc_boolean_t
-cfg_obj_islist(const cfg_obj_t *obj);
+cfg_obj_islist(cfg_obj_t *obj);
 /*
  * Return true iff 'obj' is of list type.
  */
 
-const cfg_listelt_t *
-cfg_list_first(const cfg_obj_t *obj);
+cfg_listelt_t *
+cfg_list_first(cfg_obj_t *obj);
 /*
  * Returns the first list element in a configuration object of a list type.
  *
@@ -333,8 +332,8 @@ cfg_list_first(const cfg_obj_t *obj);
  * 	or NULL if the list is empty or nonexistent.
  */
 
-const cfg_listelt_t *
-cfg_list_next(const cfg_listelt_t *elt);
+cfg_listelt_t *
+cfg_list_next(cfg_listelt_t *elt);
 /*
  * Returns the next element of a list of configuration objects.
  *
@@ -347,8 +346,8 @@ cfg_list_next(const cfg_listelt_t *elt);
  * 	or NULL if there are no more elements.
  */
 
-const cfg_obj_t *
-cfg_listelt_value(const cfg_listelt_t *elt);
+cfg_obj_t *
+cfg_listelt_value(cfg_listelt_t *elt);
 /*
  * Returns the configuration object associated with cfg_listelt_t.
  *
@@ -361,7 +360,7 @@ cfg_listelt_value(const cfg_listelt_t *elt);
  */
 
 void
-cfg_print(const cfg_obj_t *obj,
+cfg_print(cfg_obj_t *obj,
 	  void (*f)(void *closure, const char *text, int textlen),
 	  void *closure);
 /*
@@ -379,7 +378,7 @@ cfg_print_grammar(const cfg_type_t *type,
  */
 
 isc_boolean_t
-cfg_obj_istype(const cfg_obj_t *obj, const cfg_type_t *type);
+cfg_obj_istype(cfg_obj_t *obj, const cfg_type_t *type);
 /*
  * Return true iff 'obj' is of type 'type'. 
  */
@@ -390,8 +389,7 @@ void cfg_obj_destroy(cfg_parser_t *pctx, cfg_obj_t **obj);
  */
 
 void
-cfg_obj_log(const cfg_obj_t *obj, isc_log_t *lctx, int level,
-            const char *fmt, ...)
+cfg_obj_log(cfg_obj_t *obj, isc_log_t *lctx, int level, const char *fmt, ...)
 	ISC_FORMAT_PRINTF(4, 5);
 /*
  * Log a message concerning configuration object 'obj' to the logging
@@ -399,20 +397,18 @@ cfg_obj_log(const cfg_obj_t *obj, isc_log_t *lctx, int level,
  * with the file name(s) and line number where 'obj' was defined.
  */
 
+const char *
+cfg_obj_file(cfg_obj_t *obj);
 /*
- * Configuration object types.
+ * Return the file that defined this object.
  */
-LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_namedconf;
-/* A complete named.conf file. */
 
-LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_rndcconf;
-/* A complete rndc.conf file. */
-
-LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_rndckey;
-/* A complete rndc.key file. */
+unsigned int
+cfg_obj_line(cfg_obj_t *obj);
+/*
+ * Return the line in file where this object was defined.
+ */
 
-LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_keyref;
-/* A key reference, used as an ACL element */
 
 ISC_LANG_ENDDECLS
 
diff --git a/lib/isccfg/include/isccfg/grammar.h b/lib/isccfg/include/isccfg/grammar.h
new file mode 100644
index 00000000..1b5d8d10
--- /dev/null
+++ b/lib/isccfg/include/isccfg/grammar.h
@@ -0,0 +1,439 @@
+/*
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2002, 2003  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: grammar.h,v 1.3.50.3 2004/03/08 09:05:07 marka Exp $ */
+
+#ifndef ISCCFG_GRAMMAR_H
+#define ISCCFG_GRAMMAR_H 1
+
+#include <isc/lex.h>
+#include <isc/netaddr.h>
+#include <isc/sockaddr.h>
+#include <isc/region.h>
+#include <isc/types.h>
+
+#include <isccfg/cfg.h>
+
+/*
+ * Definitions shared between the configuration parser
+ * and the grammars; not visible to users of the parser.
+ */
+
+/* Clause may occur multiple times (e.g., "zone") */
+#define CFG_CLAUSEFLAG_MULTI 		0x00000001
+/* Clause is obsolete */
+#define CFG_CLAUSEFLAG_OBSOLETE 	0x00000002
+/* Clause is not implemented, and may never be */
+#define CFG_CLAUSEFLAG_NOTIMP	 	0x00000004
+/* Clause is not implemented yet */
+#define CFG_CLAUSEFLAG_NYI 		0x00000008
+/* Default value has changed since earlier release */
+#define CFG_CLAUSEFLAG_NEWDEFAULT	0x00000010
+/*
+ * Clause needs to be interpreted during parsing
+ * by calling a callback function, like the
+ * "directory" option.
+ */
+#define CFG_CLAUSEFLAG_CALLBACK		0x00000020
+
+typedef struct cfg_clausedef cfg_clausedef_t;
+typedef struct cfg_tuplefielddef cfg_tuplefielddef_t;
+typedef struct cfg_printer cfg_printer_t;
+typedef ISC_LIST(cfg_listelt_t) cfg_list_t;
+typedef struct cfg_map cfg_map_t;
+typedef struct cfg_rep cfg_rep_t;
+
+/*
+ * Function types for configuration object methods
+ */
+
+typedef isc_result_t (*cfg_parsefunc_t)(cfg_parser_t *, const cfg_type_t *type,
+					cfg_obj_t **);
+typedef void	     (*cfg_printfunc_t)(cfg_printer_t *, cfg_obj_t *);
+typedef void	     (*cfg_docfunc_t)(cfg_printer_t *, const cfg_type_t *);
+typedef void	     (*cfg_freefunc_t)(cfg_parser_t *, cfg_obj_t *);
+
+/*
+ * Structure definitions
+ */
+
+/*
+ * A configuration printer object.  This is an abstract
+ * interface to a destination to which text can be printed
+ * by calling the function 'f'.
+ */
+struct cfg_printer {
+	void (*f)(void *closure, const char *text, int textlen);
+	void *closure;
+	int indent;
+};
+
+/* A clause definition. */
+
+struct cfg_clausedef {
+	const char      *name;
+	cfg_type_t      *type;
+	unsigned int	flags;
+};
+
+/* A tuple field definition. */
+
+struct cfg_tuplefielddef {
+	const char      *name;
+	cfg_type_t      *type;
+	unsigned int	flags;
+};
+
+/* A configuration object type definition. */
+struct cfg_type {
+	const char *name;	/* For debugging purposes only */
+	cfg_parsefunc_t	parse;
+	cfg_printfunc_t print;
+	cfg_docfunc_t	doc;	/* Print grammar description */
+	cfg_rep_t *	rep;	/* Data representation */
+	const void *	of;	/* Additional data for meta-types */
+};
+
+/* A keyword-type definition, for things like "port <integer>". */
+
+typedef struct {
+	const char *name;
+	const cfg_type_t *type;
+} keyword_type_t;
+
+struct cfg_map {
+	cfg_obj_t	 *id; /* Used for 'named maps' like keys, zones, &c */
+	const cfg_clausedef_t * const *clausesets; /* The clauses that
+						      can occur in this map;
+						      used for printing */
+	isc_symtab_t     *symtab;
+};
+
+typedef struct cfg_netprefix cfg_netprefix_t;
+
+struct cfg_netprefix {
+	isc_netaddr_t address; /* IP4/IP6 */
+	unsigned int prefixlen;
+};
+
+/*
+ * A configuration data representation.
+ */
+struct cfg_rep {
+	const char *	name;	/* For debugging only */
+	cfg_freefunc_t 	free;	/* How to free this kind of data. */
+};
+
+/*
+ * A configuration object.  This is the main building block
+ * of the configuration parse tree.
+ */
+
+struct cfg_obj {
+	const cfg_type_t *type;
+	union {
+		isc_uint32_t  	uint32;
+		isc_uint64_t  	uint64;
+		isc_textregion_t string; /* null terminated, too */
+		isc_boolean_t 	boolean;
+		cfg_map_t	map;
+		cfg_list_t	list;
+		cfg_obj_t **	tuple;
+		isc_sockaddr_t	sockaddr;
+		cfg_netprefix_t netprefix;
+	}               value;
+	char *		file;
+	unsigned int    line;
+};
+
+
+/* A list element. */
+
+struct cfg_listelt {
+	cfg_obj_t               *obj;
+	ISC_LINK(cfg_listelt_t)  link;
+};
+
+/* The parser object. */
+struct cfg_parser {
+	isc_mem_t *	mctx;
+	isc_log_t *	lctx;
+	isc_lex_t *	lexer;
+	unsigned int    errors;
+	unsigned int    warnings;
+	isc_token_t     token;
+
+	/* We are at the end of all input. */
+	isc_boolean_t	seen_eof;
+
+	/* The current token has been pushed back. */
+	isc_boolean_t	ungotten;
+
+	/*
+	 * The stack of currently active files, represented
+	 * as a configuration list of configuration strings.
+	 * The head is the top-level file, subsequent elements 
+	 * (if any) are the nested include files, and the 
+	 * last element is the file currently being parsed.
+	 */
+	cfg_obj_t *	open_files;
+
+	/*
+	 * Names of files that we have parsed and closed
+	 * and were previously on the open_file list.
+	 * We keep these objects around after closing
+	 * the files because the file names may still be
+	 * referenced from other configuration objects
+	 * for use in reporting semantic errors after
+	 * parsing is complete.
+	 */
+	cfg_obj_t *	closed_files;
+
+	/*
+	 * Current line number.  We maintain our own
+	 * copy of this so that it is available even
+	 * when a file has just been closed.
+	 */
+	unsigned int	line;
+
+	cfg_parsecallback_t callback;
+	void *callbackarg;
+};
+
+
+/*
+ * Flags defining whether to accept certain types of network addresses.
+ */
+#define CFG_ADDR_V4OK 		0x00000001
+#define CFG_ADDR_V4PREFIXOK 	0x00000002
+#define CFG_ADDR_V6OK 		0x00000004
+#define CFG_ADDR_WILDOK		0x00000008
+
+/*
+ * Predefined data representation types.
+ */
+LIBISCCFG_EXTERNAL_DATA cfg_rep_t cfg_rep_uint32;
+LIBISCCFG_EXTERNAL_DATA cfg_rep_t cfg_rep_uint64;
+LIBISCCFG_EXTERNAL_DATA cfg_rep_t cfg_rep_string;
+LIBISCCFG_EXTERNAL_DATA cfg_rep_t cfg_rep_boolean;
+LIBISCCFG_EXTERNAL_DATA cfg_rep_t cfg_rep_map;
+LIBISCCFG_EXTERNAL_DATA cfg_rep_t cfg_rep_list;
+LIBISCCFG_EXTERNAL_DATA cfg_rep_t cfg_rep_tuple;
+LIBISCCFG_EXTERNAL_DATA cfg_rep_t cfg_rep_sockaddr;
+LIBISCCFG_EXTERNAL_DATA cfg_rep_t cfg_rep_netprefix;
+LIBISCCFG_EXTERNAL_DATA cfg_rep_t cfg_rep_void;
+
+/*
+ * Predefined configuration object types.
+ */
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_boolean;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_uint32;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_uint64;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_qstring;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_astring;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_ustring;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_sockaddr;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_netaddr;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_netprefix;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_void;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_token;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_unsupported;
+
+isc_result_t
+cfg_gettoken(cfg_parser_t *pctx, int options);
+
+isc_result_t
+cfg_peektoken(cfg_parser_t *pctx, int options);
+
+void
+cfg_ungettoken(cfg_parser_t *pctx);
+
+#define CFG_LEXOPT_QSTRING (ISC_LEXOPT_QSTRING | ISC_LEXOPT_QSTRINGMULTILINE)
+
+isc_result_t
+cfg_create_obj(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **objp);
+
+void
+cfg_print_rawuint(cfg_printer_t *pctx, unsigned int u);
+
+isc_result_t
+cfg_parse_uint32(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+void
+cfg_print_uint32(cfg_printer_t *pctx, cfg_obj_t *obj);
+
+void
+cfg_print_uint64(cfg_printer_t *pctx, cfg_obj_t *obj);
+
+isc_result_t
+cfg_parse_qstring(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+void
+cfg_print_ustring(cfg_printer_t *pctx, cfg_obj_t *obj);
+
+isc_result_t
+cfg_parse_astring(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+isc_result_t
+cfg_parse_rawaddr(cfg_parser_t *pctx, unsigned int flags, isc_netaddr_t *na);
+
+void
+cfg_print_rawaddr(cfg_printer_t *pctx, isc_netaddr_t *na);
+
+isc_boolean_t
+cfg_lookingat_netaddr(cfg_parser_t *pctx, unsigned int flags);
+
+isc_result_t
+cfg_parse_rawport(cfg_parser_t *pctx, unsigned int flags, in_port_t *port);
+
+isc_result_t
+cfg_parse_sockaddr(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+void
+cfg_print_sockaddr(cfg_printer_t *pctx, cfg_obj_t *obj);
+
+void
+cfg_doc_sockaddr(cfg_printer_t *pctx, const cfg_type_t *type);
+
+isc_result_t
+cfg_parse_netprefix(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+isc_result_t
+cfg_parse_special(cfg_parser_t *pctx, int special);
+/* Parse a required special character 'special'. */
+
+isc_result_t
+cfg_create_tuple(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **objp);
+
+isc_result_t
+cfg_parse_tuple(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+void
+cfg_print_tuple(cfg_printer_t *pctx, cfg_obj_t *obj);
+
+void
+cfg_doc_tuple(cfg_printer_t *pctx, const cfg_type_t *type);
+
+isc_result_t
+cfg_create_list(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **objp);
+
+isc_result_t
+cfg_parse_listelt(cfg_parser_t *pctx, const cfg_type_t *elttype,
+		  cfg_listelt_t **ret);
+
+isc_result_t
+cfg_parse_bracketed_list(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+void
+cfg_print_bracketed_list(cfg_printer_t *pctx, cfg_obj_t *obj);
+
+void
+cfg_doc_bracketed_list(cfg_printer_t *pctx, const cfg_type_t *type);
+
+isc_result_t
+cfg_parse_spacelist(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+void
+cfg_print_spacelist(cfg_printer_t *pctx, cfg_obj_t *obj);
+
+isc_result_t
+cfg_parse_enum(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+void
+cfg_doc_enum(cfg_printer_t *pctx, const cfg_type_t *type);
+
+void
+cfg_print_chars(cfg_printer_t *pctx, const char *text, int len);
+/* Print 'len' characters at 'text' */
+
+void
+cfg_print_cstr(cfg_printer_t *pctx, const char *s);
+/* Print the null-terminated string 's' */
+
+isc_result_t
+cfg_parse_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+isc_result_t
+cfg_parse_named_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+isc_result_t
+cfg_parse_addressed_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+void
+cfg_print_map(cfg_printer_t *pctx, cfg_obj_t *obj);
+
+void
+cfg_doc_map(cfg_printer_t *pctx, const cfg_type_t *type);
+
+isc_result_t
+cfg_parse_mapbody(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+void
+cfg_print_mapbody(cfg_printer_t *pctx, cfg_obj_t *obj);
+
+void
+cfg_doc_mapbody(cfg_printer_t *pctx, const cfg_type_t *type);
+
+isc_result_t
+cfg_parse_void(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+void
+cfg_print_void(cfg_printer_t *pctx, cfg_obj_t *obj);
+
+void
+cfg_doc_void(cfg_printer_t *pctx, const cfg_type_t *type);
+
+isc_result_t
+cfg_parse_obj(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+void
+cfg_print_obj(cfg_printer_t *pctx, cfg_obj_t *obj);
+
+void
+cfg_doc_obj(cfg_printer_t *pctx, const cfg_type_t *type);
+/*
+ * Print a description of the grammar of an arbitrary configuration
+ * type 'type'
+ */
+
+void
+cfg_doc_terminal(cfg_printer_t *pctx, const cfg_type_t *type);
+/*
+ * Document the type 'type' as a terminal by printing its
+ * name in angle brackets, e.g., <uint32>.
+ */
+
+void
+cfg_parser_error(cfg_parser_t *pctx, unsigned int flags,
+		 const char *fmt, ...) ISC_FORMAT_PRINTF(3, 4);
+/*
+ * Pass one of these flags to cfg_parser_error() to include the
+ * token text in log message.
+ */
+#define CFG_LOG_NEAR    0x00000001	/* Say "near <token>" */
+#define CFG_LOG_BEFORE  0x00000002	/* Say "before <token>" */
+#define CFG_LOG_NOPREP  0x00000004	/* Say just "<token>" */
+
+void
+cfg_parser_warning(cfg_parser_t *pctx, unsigned int flags,
+		   const char *fmt, ...) ISC_FORMAT_PRINTF(3, 4);
+
+isc_boolean_t
+cfg_is_enum(const char *s, const char *const *enums);
+/* Return true iff the string 's' is one of the strings in 'enums' */
+
+#endif /* ISCCFG_GRAMMAR_H */
diff --git a/lib/isccfg/include/isccfg/log.h b/lib/isccfg/include/isccfg/log.h
index 6bd71dd4..b3d2da7d 100644
--- a/lib/isccfg/include/isccfg/log.h
+++ b/lib/isccfg/include/isccfg/log.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: log.h,v 1.3.2.2 2004/03/09 06:12:31 marka Exp $ */
+/* $Id: log.h,v 1.3.2.1.10.3 2004/03/08 09:05:07 marka Exp $ */
 
 #ifndef ISCCFG_LOG_H
 #define ISCCFG_LOG_H 1
@@ -28,7 +28,7 @@ LIBISCCFG_EXTERNAL_DATA extern isc_logmodule_t cfg_modules[];
 
 #define CFG_LOGCATEGORY_CONFIG	(&cfg_categories[0])
 
-#define CFG_LOGMODULE_PARSER		(&cfg_modules[0])
+#define CFG_LOGMODULE_PARSER	(&cfg_modules[0])
 
 ISC_LANG_BEGINDECLS
 
diff --git a/lib/isccfg/include/isccfg/namedconf.h b/lib/isccfg/include/isccfg/namedconf.h
new file mode 100644
index 00000000..4d5bd0b2
--- /dev/null
+++ b/lib/isccfg/include/isccfg/namedconf.h
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2002  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: namedconf.h,v 1.2.202.3 2004/03/08 09:05:07 marka Exp $ */
+
+#ifndef ISCCFG_NAMEDCONF_H
+#define ISCCFG_NAMEDCONF_H 1
+
+/*
+ * This module defines the named.conf, rndc.conf, and rndc.key grammars.
+ */
+
+#include <isccfg/cfg.h>
+
+/*
+ * Configuration object types.
+ */
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_namedconf;
+/* A complete named.conf file. */
+
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_rndcconf;
+/* A complete rndc.conf file. */
+
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_rndckey;
+/* A complete rndc.key file. */
+
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_keyref;
+/* A key reference, used as an ACL element */
+
+#endif /* ISCCFG_CFG_H */
diff --git a/lib/isccfg/include/isccfg/version.h b/lib/isccfg/include/isccfg/version.h
new file mode 100644
index 00000000..d02a814b
--- /dev/null
+++ b/lib/isccfg/include/isccfg/version.h
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2001  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: version.h,v 1.2.222.3 2004/03/08 09:05:08 marka Exp $ */
+
+#include <isc/platform.h>
+
+LIBISCCFG_EXTERNAL_DATA extern const char cfg_version[];
+
+LIBISCCFG_EXTERNAL_DATA extern const unsigned int cfg_libinterface;
+LIBISCCFG_EXTERNAL_DATA extern const unsigned int cfg_librevision;
+LIBISCCFG_EXTERNAL_DATA extern const unsigned int cfg_libage;
diff --git a/lib/isccfg/log.c b/lib/isccfg/log.c
index c16dc848..b16b4d3b 100644
--- a/lib/isccfg/log.c
+++ b/lib/isccfg/log.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: log.c,v 1.2.2.2 2004/03/09 06:12:30 marka Exp $ */
+/* $Id: log.c,v 1.2.2.1.10.3 2004/03/08 09:05:06 marka Exp $ */
 
 #include <config.h>
 
@@ -37,7 +37,7 @@ LIBISCCFG_EXTERNAL_DATA isc_logcategory_t cfg_categories[] = {
  * #define to <isccfg/log.h>.
  */
 LIBISCCFG_EXTERNAL_DATA isc_logmodule_t cfg_modules[] = {
-	{ "isccfg/parser",	 0 },
+	{ "isccfg/parser",	0 },
 	{ NULL, 		0 }
 };
 
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
new file mode 100644
index 00000000..d7191e49
--- /dev/null
+++ b/lib/isccfg/namedconf.c
@@ -0,0 +1,1870 @@
+/*
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2002, 2003  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: namedconf.c,v 1.21.44.26 2004/03/10 02:55:59 marka Exp $ */
+
+#include <config.h>
+
+#include <string.h>
+
+#include <isc/lex.h>
+#include <isc/result.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <isccfg/cfg.h>
+#include <isccfg/grammar.h>
+#include <isccfg/log.h>
+
+#define TOKEN_STRING(pctx) (pctx->token.value.as_textregion.base)
+
+/* Check a return value. */
+#define CHECK(op) 						\
+     	do { result = (op); 					\
+		if (result != ISC_R_SUCCESS) goto cleanup; 	\
+	} while (0)
+
+/* Clean up a configuration object if non-NULL. */
+#define CLEANUP_OBJ(obj) \
+	do { if ((obj) != NULL) cfg_obj_destroy(pctx, &(obj)); } while (0)
+
+
+/*
+ * Forward declarations of static functions.
+ */
+
+static isc_result_t
+parse_enum_or_other(cfg_parser_t *pctx, const cfg_type_t *enumtype,
+		    const cfg_type_t *othertype, cfg_obj_t **ret);
+
+static isc_result_t
+parse_keyvalue(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+static isc_result_t
+parse_optional_keyvalue(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+static void
+print_keyvalue(cfg_printer_t *pctx, cfg_obj_t *obj);
+
+static void
+doc_keyvalue(cfg_printer_t *pctx, const cfg_type_t *type);
+
+static void
+doc_optional_keyvalue(cfg_printer_t *pctx, const cfg_type_t *type);
+
+static cfg_type_t cfg_type_acl;
+static cfg_type_t cfg_type_addrmatchelt;
+static cfg_type_t cfg_type_bracketed_aml;
+static cfg_type_t cfg_type_bracketed_namesockaddrkeylist;
+static cfg_type_t cfg_type_bracketed_sockaddrlist;
+static cfg_type_t cfg_type_controls;
+static cfg_type_t cfg_type_controls_sockaddr;
+static cfg_type_t cfg_type_destinationlist;
+static cfg_type_t cfg_type_dialuptype;
+static cfg_type_t cfg_type_key;
+static cfg_type_t cfg_type_logfile;
+static cfg_type_t cfg_type_logging;
+static cfg_type_t cfg_type_logseverity;
+static cfg_type_t cfg_type_lwres;
+static cfg_type_t cfg_type_masterselement;
+static cfg_type_t cfg_type_nameportiplist;
+static cfg_type_t cfg_type_negated;
+static cfg_type_t cfg_type_notifytype;
+static cfg_type_t cfg_type_optional_class;
+static cfg_type_t cfg_type_optional_facility;
+static cfg_type_t cfg_type_optional_facility;
+static cfg_type_t cfg_type_optional_keyref;
+static cfg_type_t cfg_type_optional_port;
+static cfg_type_t cfg_type_options;
+static cfg_type_t cfg_type_portiplist;
+static cfg_type_t cfg_type_querysource4;
+static cfg_type_t cfg_type_querysource6;
+static cfg_type_t cfg_type_querysource;
+static cfg_type_t cfg_type_server;
+static cfg_type_t cfg_type_server_key_kludge;
+static cfg_type_t cfg_type_size;
+static cfg_type_t cfg_type_sizenodefault;
+static cfg_type_t cfg_type_sockaddr4wild;
+static cfg_type_t cfg_type_sockaddr6wild;
+static cfg_type_t cfg_type_view;
+static cfg_type_t cfg_type_viewopts;
+static cfg_type_t cfg_type_zone;
+static cfg_type_t cfg_type_zoneopts;
+
+/* tkey-dhkey */
+
+static cfg_tuplefielddef_t tkey_dhkey_fields[] = {
+	{ "name", &cfg_type_qstring, 0 },
+	{ "keyid", &cfg_type_uint32, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_tkey_dhkey = {
+	"tkey-dhkey", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple,
+	tkey_dhkey_fields
+};
+
+/* listen-on */
+
+static cfg_tuplefielddef_t listenon_fields[] = {
+	{ "port", &cfg_type_optional_port, 0 },
+	{ "acl", &cfg_type_bracketed_aml, 0 },
+	{ NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_listenon = {
+	"listenon", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple, listenon_fields };
+
+/* acl */
+
+static cfg_tuplefielddef_t acl_fields[] = {
+	{ "name", &cfg_type_astring, 0 },
+	{ "value", &cfg_type_bracketed_aml, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_acl = {
+	"acl", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple, acl_fields };
+
+/* masters */
+static cfg_tuplefielddef_t masters_fields[] = {
+	{ "name", &cfg_type_astring, 0 },
+	{ "port", &cfg_type_optional_port, 0 },
+	{ "addresses", &cfg_type_bracketed_namesockaddrkeylist, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_masters = {
+	"masters", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple, masters_fields };
+
+/*
+ * "sockaddrkeylist", a list of socket addresses with optional keys
+ * and an optional default port, as used in the masters option.
+ * E.g.,
+ *   "port 1234 { mymasters; 10.0.0.1 key foo; 1::2 port 69; }"
+ */
+
+static cfg_tuplefielddef_t namesockaddrkey_fields[] = {
+	{ "masterselement", &cfg_type_masterselement, 0 },
+	{ "key", &cfg_type_optional_keyref, 0 },
+	{ NULL, NULL, 0 },
+};
+
+static cfg_type_t cfg_type_namesockaddrkey = {
+	"namesockaddrkey", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple,
+	namesockaddrkey_fields
+};
+
+static cfg_type_t cfg_type_bracketed_namesockaddrkeylist = {
+	"bracketed_namesockaddrkeylist", cfg_parse_bracketed_list,
+	cfg_print_bracketed_list, cfg_doc_bracketed_list, &cfg_rep_list, &cfg_type_namesockaddrkey
+};
+
+static cfg_tuplefielddef_t namesockaddrkeylist_fields[] = {
+	{ "port", &cfg_type_optional_port, 0 },
+	{ "addresses", &cfg_type_bracketed_namesockaddrkeylist, 0 },
+	{ NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_namesockaddrkeylist = {
+	"sockaddrkeylist", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple,
+	namesockaddrkeylist_fields
+};
+
+/*
+ * A list of socket addresses with an optional default port,
+ * as used in the also-notify option.  E.g.,
+ * "port 1234 { 10.0.0.1; 1::2 port 69; }"
+ */
+static cfg_tuplefielddef_t portiplist_fields[] = {
+	{ "port", &cfg_type_optional_port, 0 },
+	{ "addresses", &cfg_type_bracketed_sockaddrlist, 0 },
+	{ NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_portiplist = {
+	"portiplist", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple,
+	portiplist_fields
+};
+
+/*
+ * A public key, as in the "pubkey" statement.
+ */
+static cfg_tuplefielddef_t pubkey_fields[] = {
+	{ "flags", &cfg_type_uint32, 0 },
+	{ "protocol", &cfg_type_uint32, 0 },
+	{ "algorithm", &cfg_type_uint32, 0 },
+	{ "key", &cfg_type_qstring, 0 },
+	{ NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_pubkey = {
+	"pubkey", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple, pubkey_fields };
+
+/*
+ * A list of RR types, used in grant statements.
+ * Note that the old parser allows quotes around the RR type names.
+ */
+static cfg_type_t cfg_type_rrtypelist = {
+ 	"rrtypelist", cfg_parse_spacelist, cfg_print_spacelist, cfg_doc_terminal,
+	&cfg_rep_list, &cfg_type_astring
+};
+
+static const char *mode_enums[] = { "grant", "deny", NULL };
+static cfg_type_t cfg_type_mode = {
+	"mode", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum, &cfg_rep_string,
+	&mode_enums
+};
+
+static const char *matchtype_enums[] = {
+	"name", "subdomain", "wildcard", "self", NULL };
+static cfg_type_t cfg_type_matchtype = {
+	"matchtype", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum, &cfg_rep_string,
+	&matchtype_enums
+};
+
+/*
+ * A grant statement, used in the update policy.
+ */
+static cfg_tuplefielddef_t grant_fields[] = {
+	{ "mode", &cfg_type_mode, 0 },
+	{ "identity", &cfg_type_astring, 0 }, /* domain name */ 
+	{ "matchtype", &cfg_type_matchtype, 0 },
+	{ "name", &cfg_type_astring, 0 }, /* domain name */
+	{ "types", &cfg_type_rrtypelist, 0 },
+	{ NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_grant = {
+	"grant", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple, grant_fields };
+
+static cfg_type_t cfg_type_updatepolicy = {
+	"update_policy", cfg_parse_bracketed_list, cfg_print_bracketed_list, cfg_doc_bracketed_list,
+	&cfg_rep_list, &cfg_type_grant
+};
+
+/*
+ * A view statement.
+ */
+static cfg_tuplefielddef_t view_fields[] = {
+	{ "name", &cfg_type_astring, 0 },
+	{ "class", &cfg_type_optional_class, 0 },
+	{ "options", &cfg_type_viewopts, 0 },
+	{ NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_view = {
+	"view", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple, view_fields };
+
+/*
+ * A zone statement.
+ */
+static cfg_tuplefielddef_t zone_fields[] = {
+	{ "name", &cfg_type_astring, 0 },
+	{ "class", &cfg_type_optional_class, 0 },
+	{ "options", &cfg_type_zoneopts, 0 },
+	{ NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_zone = {
+	"zone", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple, zone_fields };
+
+/*
+ * A "category" clause in the "logging" statement.
+ */
+static cfg_tuplefielddef_t category_fields[] = {
+	{ "name", &cfg_type_astring, 0 },
+	{ "destinations", &cfg_type_destinationlist,0 },
+	{ NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_category = {
+	"category", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple, category_fields };
+
+
+/*
+ * A trusted key, as used in the "trusted-keys" statement.
+ */
+static cfg_tuplefielddef_t trustedkey_fields[] = {
+	{ "name", &cfg_type_astring, 0 },
+	{ "flags", &cfg_type_uint32, 0 },
+	{ "protocol", &cfg_type_uint32, 0 },
+	{ "algorithm", &cfg_type_uint32, 0 },
+	{ "key", &cfg_type_qstring, 0 },
+	{ NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_trustedkey = {
+	"trustedkey", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple,
+	trustedkey_fields
+};
+
+static keyword_type_t wild_class_kw = { "class", &cfg_type_ustring };
+
+static cfg_type_t cfg_type_optional_wild_class = {
+	"optional_wild_class", parse_optional_keyvalue, print_keyvalue,
+	doc_optional_keyvalue, &cfg_rep_string, &wild_class_kw
+};
+
+static keyword_type_t wild_type_kw = { "type", &cfg_type_ustring };
+
+static cfg_type_t cfg_type_optional_wild_type = {
+	"optional_wild_type", parse_optional_keyvalue,
+	print_keyvalue, doc_optional_keyvalue, &cfg_rep_string, &wild_type_kw
+};
+
+static keyword_type_t wild_name_kw = { "name", &cfg_type_qstring };
+
+static cfg_type_t cfg_type_optional_wild_name = {
+	"optional_wild_name", parse_optional_keyvalue,
+	print_keyvalue, doc_optional_keyvalue, &cfg_rep_string, &wild_name_kw
+};
+
+/*
+ * An rrset ordering element.
+ */
+static cfg_tuplefielddef_t rrsetorderingelement_fields[] = {
+	{ "class", &cfg_type_optional_wild_class, 0 },
+	{ "type", &cfg_type_optional_wild_type, 0 },
+	{ "name", &cfg_type_optional_wild_name, 0 },
+	{ "order", &cfg_type_ustring, 0 }, /* must be literal "order" */ 
+	{ "ordering", &cfg_type_ustring, 0 },
+	{ NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_rrsetorderingelement = {
+	"rrsetorderingelement", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple,
+	rrsetorderingelement_fields
+};
+
+/*
+ * A global or view "check-names" option.  Note that the zone
+ * "check-names" option has a different syntax.
+ */
+
+static const char *checktype_enums[] = { "master", "slave", "response", NULL };
+static cfg_type_t cfg_type_checktype = {
+	"checktype", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum,
+	&cfg_rep_string, &checktype_enums
+};
+
+static const char *checkmode_enums[] = { "fail", "warn", "ignore", NULL };
+static cfg_type_t cfg_type_checkmode = {
+	"checkmode", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum,
+	&cfg_rep_string, &checkmode_enums
+};
+
+static cfg_tuplefielddef_t checknames_fields[] = {
+	{ "type", &cfg_type_checktype, 0 },
+	{ "mode", &cfg_type_checkmode, 0 },
+	{ NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_checknames = {
+	"checknames", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple,
+	checknames_fields
+};
+
+static cfg_type_t cfg_type_bracketed_sockaddrlist = {
+	"bracketed_sockaddrlist", cfg_parse_bracketed_list, cfg_print_bracketed_list, cfg_doc_bracketed_list,
+	&cfg_rep_list, &cfg_type_sockaddr
+};
+
+static cfg_type_t cfg_type_rrsetorder = {
+	"rrsetorder", cfg_parse_bracketed_list, cfg_print_bracketed_list, cfg_doc_bracketed_list,
+	&cfg_rep_list, &cfg_type_rrsetorderingelement
+};
+
+static keyword_type_t port_kw = { "port", &cfg_type_uint32 };
+
+static cfg_type_t cfg_type_optional_port = {
+	"optional_port", parse_optional_keyvalue, print_keyvalue,
+	doc_optional_keyvalue, &cfg_rep_uint32, &port_kw
+};
+
+/* A list of keys, as in the "key" clause of the controls statement. */
+static cfg_type_t cfg_type_keylist = {
+	"keylist", cfg_parse_bracketed_list, cfg_print_bracketed_list, cfg_doc_bracketed_list, &cfg_rep_list,
+	&cfg_type_astring
+};
+
+static cfg_type_t cfg_type_trustedkeys = {
+	"trusted-keys", cfg_parse_bracketed_list, cfg_print_bracketed_list, cfg_doc_bracketed_list, &cfg_rep_list,
+	&cfg_type_trustedkey
+};
+
+static const char *forwardtype_enums[] = { "first", "only", NULL };
+static cfg_type_t cfg_type_forwardtype = {
+	"forwardtype", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum, &cfg_rep_string,
+	&forwardtype_enums
+};
+
+static const char *zonetype_enums[] = {
+	"master", "slave", "stub", "hint", "forward", "delegation-only", NULL };
+static cfg_type_t cfg_type_zonetype = {
+	"zonetype", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum, &cfg_rep_string,
+	&zonetype_enums
+};
+
+static const char *loglevel_enums[] = {
+	"critical", "error", "warning", "notice", "info", "dynamic", NULL };
+static cfg_type_t cfg_type_loglevel = {
+	"loglevel", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum, &cfg_rep_string,
+	&loglevel_enums
+};
+
+static const char *transferformat_enums[] = {
+	"many-answers", "one-answer", NULL };
+static cfg_type_t cfg_type_transferformat = {
+	"transferformat", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum, &cfg_rep_string,
+	&transferformat_enums
+};
+
+/*
+ * The special keyword "none", as used in the pid-file option.
+ */
+
+static void
+print_none(cfg_printer_t *pctx, cfg_obj_t *obj) {
+	UNUSED(obj);
+	cfg_print_chars(pctx, "none", 4);
+}
+
+static cfg_type_t cfg_type_none = {
+	"none", NULL, print_none, NULL, &cfg_rep_void, NULL
+};
+
+/*
+ * A quoted string or the special keyword "none".  Used in the pid-file option.
+ */
+static isc_result_t
+parse_qstringornone(cfg_parser_t *pctx, const cfg_type_t *type,
+		    cfg_obj_t **ret)
+{
+	isc_result_t result;
+	CHECK(cfg_gettoken(pctx, CFG_LEXOPT_QSTRING));
+	if (pctx->token.type == isc_tokentype_string &&
+	    strcasecmp(TOKEN_STRING(pctx), "none") == 0)
+		return (cfg_create_obj(pctx, &cfg_type_none, ret));
+	cfg_ungettoken(pctx);
+	return (cfg_parse_qstring(pctx, type, ret));
+ cleanup:
+	return (result);
+}
+
+static void
+doc_qstringornone(cfg_printer_t *pctx, const cfg_type_t *type) {
+	UNUSED(type);
+	cfg_print_chars(pctx, "( <quoted_string> | none )", 26);
+}
+
+static cfg_type_t cfg_type_qstringornone = {
+	"qstringornone", parse_qstringornone, NULL, doc_qstringornone, NULL, NULL };
+
+/*
+ * keyword hostname
+ */
+
+static void
+print_hostname(cfg_printer_t *pctx, cfg_obj_t *obj) {
+	UNUSED(obj);
+	cfg_print_chars(pctx, "hostname", 4);
+}
+
+static cfg_type_t cfg_type_hostname = {
+	"hostname", NULL, print_hostname, NULL, &cfg_rep_boolean, NULL
+};
+
+/*
+ * "server-id" arguement.
+ */
+
+static isc_result_t
+parse_serverid(cfg_parser_t *pctx, const cfg_type_t *type,
+		    cfg_obj_t **ret)
+{
+	isc_result_t result;
+	CHECK(cfg_gettoken(pctx, CFG_LEXOPT_QSTRING));
+	if (pctx->token.type == isc_tokentype_string &&
+	    strcasecmp(TOKEN_STRING(pctx), "none") == 0)
+		return (cfg_create_obj(pctx, &cfg_type_none, ret));
+	if (pctx->token.type == isc_tokentype_string &&
+	    strcasecmp(TOKEN_STRING(pctx), "hostname") == 0) {
+		return (cfg_create_obj(pctx, &cfg_type_hostname, ret));
+	}
+	cfg_ungettoken(pctx);
+	return (cfg_parse_qstring(pctx, type, ret));
+ cleanup:
+	return (result);
+}
+
+static void
+doc_serverid(cfg_printer_t *pctx, const cfg_type_t *type) {
+	UNUSED(type);
+	cfg_print_chars(pctx, "( <quoted_string> | none | hostname )", 26);
+}
+
+static cfg_type_t cfg_type_serverid = {
+	"serverid", parse_serverid, NULL, doc_serverid, NULL, NULL };
+
+/*
+ * Port list.
+ */
+static isc_result_t
+parse_port(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	isc_result_t result;
+	
+	UNUSED(type);
+
+	CHECK(cfg_parse_uint32(pctx, NULL, ret));
+	if ((*ret)->value.uint32 > 0xffff) {
+		cfg_parser_error(pctx, CFG_LOG_NEAR, "invalid port");
+		cfg_obj_destroy(pctx, ret);
+		result = ISC_R_RANGE;
+	}
+ cleanup:
+	return (result);
+}
+
+static cfg_type_t cfg_type_port = {
+	"port", parse_port, NULL, cfg_doc_terminal,
+	NULL, NULL
+};
+
+static cfg_type_t cfg_type_bracketed_portlist = {
+	"bracketed_sockaddrlist", cfg_parse_bracketed_list, cfg_print_bracketed_list, cfg_doc_bracketed_list,
+	&cfg_rep_list, &cfg_type_port
+};
+
+/*
+ * Clauses that can be found within the top level of the named.conf
+ * file only.
+ */
+static cfg_clausedef_t
+namedconf_clauses[] = {
+	{ "options", &cfg_type_options, 0 },
+	{ "controls", &cfg_type_controls, CFG_CLAUSEFLAG_MULTI },
+	{ "acl", &cfg_type_acl, CFG_CLAUSEFLAG_MULTI },
+	{ "masters", &cfg_type_masters, CFG_CLAUSEFLAG_MULTI },
+	{ "logging", &cfg_type_logging, 0 },
+	{ "view", &cfg_type_view, CFG_CLAUSEFLAG_MULTI },
+	{ "lwres", &cfg_type_lwres, CFG_CLAUSEFLAG_MULTI },
+	{ NULL, NULL, 0 }
+};
+
+/*
+ * Clauses that can occur at the top level or in the view
+ * statement, but not in the options block.
+ */
+static cfg_clausedef_t
+namedconf_or_view_clauses[] = {
+	{ "key", &cfg_type_key, CFG_CLAUSEFLAG_MULTI },
+	{ "zone", &cfg_type_zone, CFG_CLAUSEFLAG_MULTI },
+	{ "server", &cfg_type_server, CFG_CLAUSEFLAG_MULTI },
+	{ "trusted-keys", &cfg_type_trustedkeys, CFG_CLAUSEFLAG_MULTI },
+	{ NULL, NULL, 0 }
+};
+
+/*
+ * Clauses that can be found within the 'options' statement.
+ */
+static cfg_clausedef_t
+options_clauses[] = {
+	{ "avoid-v4-udp-ports", &cfg_type_bracketed_portlist, 0 },
+	{ "avoid-v6-udp-ports", &cfg_type_bracketed_portlist, 0 },
+	{ "blackhole", &cfg_type_bracketed_aml, 0 },
+	{ "coresize", &cfg_type_size, 0 },
+	{ "datasize", &cfg_type_size, 0 },
+	{ "deallocate-on-exit", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
+	{ "directory", &cfg_type_qstring, CFG_CLAUSEFLAG_CALLBACK },
+	{ "dump-file", &cfg_type_qstring, 0 },
+	{ "fake-iquery", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
+	{ "files", &cfg_type_size, 0 },
+	{ "has-old-clients", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
+	{ "heartbeat-interval", &cfg_type_uint32, 0 },
+	{ "host-statistics", &cfg_type_boolean, CFG_CLAUSEFLAG_NOTIMP },
+	{ "hostname", &cfg_type_qstringornone, 0 },
+	{ "interface-interval", &cfg_type_uint32, 0 },
+	{ "listen-on", &cfg_type_listenon, CFG_CLAUSEFLAG_MULTI },
+	{ "listen-on-v6", &cfg_type_listenon, CFG_CLAUSEFLAG_MULTI },
+	{ "match-mapped-addresses", &cfg_type_boolean, 0 },
+	{ "memstatistics-file", &cfg_type_qstring, 0 },
+	{ "multiple-cnames", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
+	{ "named-xfer", &cfg_type_qstring, CFG_CLAUSEFLAG_OBSOLETE },
+	{ "pid-file", &cfg_type_qstringornone, 0 },
+	{ "port", &cfg_type_uint32, 0 },
+	{ "querylog", &cfg_type_boolean, 0 },
+	{ "recursing-file", &cfg_type_qstring, 0 },
+	{ "random-device", &cfg_type_qstring, 0 },
+	{ "recursive-clients", &cfg_type_uint32, 0 },
+	{ "serial-queries", &cfg_type_uint32, CFG_CLAUSEFLAG_OBSOLETE },
+	{ "serial-query-rate", &cfg_type_uint32, 0 },
+	{ "server-id", &cfg_type_serverid, 0 },
+	{ "stacksize", &cfg_type_size, 0 },
+	{ "statistics-file", &cfg_type_qstring, 0 },
+	{ "statistics-interval", &cfg_type_uint32, CFG_CLAUSEFLAG_NYI },
+	{ "tcp-clients", &cfg_type_uint32, 0 },
+	{ "tcp-listen-queue", &cfg_type_uint32, 0 },
+	{ "tkey-dhkey", &cfg_type_tkey_dhkey, 0 },
+	{ "tkey-gssapi-credential", &cfg_type_qstring, 0 },
+	{ "tkey-domain", &cfg_type_qstring, 0 },
+	{ "transfers-per-ns", &cfg_type_uint32, 0 },
+	{ "transfers-in", &cfg_type_uint32, 0 },
+	{ "transfers-out", &cfg_type_uint32, 0 },
+	{ "treat-cr-as-space", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
+	{ "use-id-pool", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
+	{ "use-ixfr", &cfg_type_boolean, 0 },
+	{ "version", &cfg_type_qstringornone, 0 },
+	{ NULL, NULL, 0 }
+};
+
+
+static cfg_type_t cfg_type_namelist = {
+	"namelist", cfg_parse_bracketed_list, cfg_print_bracketed_list,
+	cfg_doc_bracketed_list, &cfg_rep_list, &cfg_type_qstring };
+
+static keyword_type_t exclude_kw = { "exclude", &cfg_type_namelist };
+
+static cfg_type_t cfg_type_optional_exclude = {
+	"optional_exclude", parse_optional_keyvalue, print_keyvalue,
+	doc_optional_keyvalue, &cfg_rep_list, &exclude_kw };
+
+static cfg_type_t cfg_type_algorithmlist = {
+	"algorithmlist", cfg_parse_bracketed_list, cfg_print_bracketed_list,
+	cfg_doc_bracketed_list, &cfg_rep_list, &cfg_type_astring };
+
+static cfg_tuplefielddef_t disablealgorithm_fields[] = {
+	{ "name", &cfg_type_astring, 0 },
+	{ "algorithms", &cfg_type_algorithmlist, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_disablealgorithm = {
+	"disablealgorithm", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
+	&cfg_rep_tuple, disablealgorithm_fields
+};
+
+/*
+ * Clauses that can be found within the 'view' statement,
+ * with defaults in the 'options' statement.
+ */
+
+static cfg_clausedef_t
+view_clauses[] = {
+	{ "allow-recursion", &cfg_type_bracketed_aml, 0 },
+	{ "allow-v6-synthesis", &cfg_type_bracketed_aml,
+	  CFG_CLAUSEFLAG_OBSOLETE },
+	{ "sortlist", &cfg_type_bracketed_aml, 0 },
+	{ "topology", &cfg_type_bracketed_aml, CFG_CLAUSEFLAG_NOTIMP },
+	{ "auth-nxdomain", &cfg_type_boolean, CFG_CLAUSEFLAG_NEWDEFAULT },
+	{ "minimal-responses", &cfg_type_boolean, 0 },
+	{ "recursion", &cfg_type_boolean, 0 },
+	{ "rrset-order", &cfg_type_rrsetorder, 0 },
+	{ "provide-ixfr", &cfg_type_boolean, 0 },
+	{ "request-ixfr", &cfg_type_boolean, 0 },
+	{ "fetch-glue", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
+	{ "rfc2308-type1", &cfg_type_boolean, CFG_CLAUSEFLAG_NYI },
+	{ "additional-from-auth", &cfg_type_boolean, 0 },
+	{ "additional-from-cache", &cfg_type_boolean, 0 },
+	/*
+	 * Note that the query-source option syntax is different
+	 * from the other -source options.
+	 */
+	{ "query-source", &cfg_type_querysource4, 0 },
+	{ "query-source-v6", &cfg_type_querysource6, 0 },
+	{ "cleaning-interval", &cfg_type_uint32, 0 },
+	{ "min-roots", &cfg_type_uint32, CFG_CLAUSEFLAG_NOTIMP },
+	{ "lame-ttl", &cfg_type_uint32, 0 },
+	{ "max-ncache-ttl", &cfg_type_uint32, 0 },
+	{ "max-cache-ttl", &cfg_type_uint32, 0 },
+	{ "transfer-format", &cfg_type_transferformat, 0 },
+	{ "max-cache-size", &cfg_type_sizenodefault, 0 },
+	{ "check-names", &cfg_type_checknames, CFG_CLAUSEFLAG_MULTI },
+	{ "cache-file", &cfg_type_qstring, 0 },
+	{ "suppress-initial-notify", &cfg_type_boolean, CFG_CLAUSEFLAG_NYI },
+	{ "preferred-glue", &cfg_type_astring, 0 },
+	{ "dual-stack-servers", &cfg_type_nameportiplist, 0 },
+	{ "edns-udp-size", &cfg_type_uint32, 0 },
+	{ "root-delegation-only",  &cfg_type_optional_exclude, 0 },
+	{ "disable-algorithms", &cfg_type_disablealgorithm,
+	  CFG_CLAUSEFLAG_MULTI },
+	{ "dnssec-enable", &cfg_type_boolean, 0 },
+	{ "dnssec-lookaside", &cfg_type_astring, 0 },
+	{ NULL, NULL, 0 }
+};
+
+/*
+ * Clauses that can be found within the 'view' statement only.
+ */
+static cfg_clausedef_t
+view_only_clauses[] = {
+	{ "match-clients", &cfg_type_bracketed_aml, 0 },
+	{ "match-destinations", &cfg_type_bracketed_aml, 0 },
+	{ "match-recursive-only", &cfg_type_boolean, 0 },
+	{ NULL, NULL, 0 }
+};
+
+/*
+ * Clauses that can be found in a 'zone' statement,
+ * with defaults in the 'view' or 'options' statement.
+ */
+static cfg_clausedef_t
+zone_clauses[] = {
+	{ "allow-query", &cfg_type_bracketed_aml, 0 },
+	{ "allow-transfer", &cfg_type_bracketed_aml, 0 },
+	{ "allow-update-forwarding", &cfg_type_bracketed_aml, 0 },
+	{ "allow-notify", &cfg_type_bracketed_aml, 0 },
+	{ "notify", &cfg_type_notifytype, 0 },
+	{ "notify-source", &cfg_type_sockaddr4wild, 0 },
+	{ "notify-source-v6", &cfg_type_sockaddr6wild, 0 },
+	{ "also-notify", &cfg_type_portiplist, 0 },
+	{ "dialup", &cfg_type_dialuptype, 0 },
+	{ "forward", &cfg_type_forwardtype, 0 },
+	{ "forwarders", &cfg_type_portiplist, 0 },
+	{ "ixfr-from-differences", &cfg_type_boolean, 0 },
+	{ "maintain-ixfr-base", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
+	{ "max-ixfr-log-size", &cfg_type_size, CFG_CLAUSEFLAG_OBSOLETE },
+	{ "max-journal-size", &cfg_type_sizenodefault, 0 },
+	{ "max-transfer-time-in", &cfg_type_uint32, 0 },
+	{ "max-transfer-time-out", &cfg_type_uint32, 0 },
+	{ "max-transfer-idle-in", &cfg_type_uint32, 0 },
+	{ "max-transfer-idle-out", &cfg_type_uint32, 0 },
+	{ "max-retry-time", &cfg_type_uint32, 0 },
+	{ "min-retry-time", &cfg_type_uint32, 0 },
+	{ "max-refresh-time", &cfg_type_uint32, 0 },
+	{ "min-refresh-time", &cfg_type_uint32, 0 },
+	{ "multi-master", &cfg_type_boolean, 0 },
+	{ "sig-validity-interval", &cfg_type_uint32, 0 },
+	{ "transfer-source", &cfg_type_sockaddr4wild, 0 },
+	{ "transfer-source-v6", &cfg_type_sockaddr6wild, 0 },
+	{ "alt-transfer-source", &cfg_type_sockaddr4wild, 0 },
+	{ "alt-transfer-source-v6", &cfg_type_sockaddr6wild, 0 },
+	{ "use-alt-transfer-source", &cfg_type_boolean, 0 },
+	{ "zone-statistics", &cfg_type_boolean, 0 },
+	{ "key-directory", &cfg_type_qstring, 0 },
+	{ NULL, NULL, 0 }
+};
+
+/*
+ * Clauses that can be found in a 'zone' statement
+ * only.
+ */
+static cfg_clausedef_t
+zone_only_clauses[] = {
+	{ "type", &cfg_type_zonetype, 0 },
+	{ "allow-update", &cfg_type_bracketed_aml, 0 },
+	{ "file", &cfg_type_qstring, 0 },
+	{ "ixfr-base", &cfg_type_qstring, CFG_CLAUSEFLAG_OBSOLETE },
+	{ "ixfr-tmp-file", &cfg_type_qstring, CFG_CLAUSEFLAG_OBSOLETE },
+	{ "masters", &cfg_type_namesockaddrkeylist, 0 },
+	{ "pubkey", &cfg_type_pubkey,
+	  CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_OBSOLETE },
+	{ "update-policy", &cfg_type_updatepolicy, 0 },
+	{ "database", &cfg_type_astring, 0 },
+	{ "delegation-only", &cfg_type_boolean, 0 },
+	/*
+	 * Note that the format of the check-names option is different between
+	 * the zone options and the global/view options.  Ugh.
+	 */
+	{ "check-names", &cfg_type_checkmode, 0 },
+	{ NULL, NULL, 0 }
+};
+
+
+/* The top-level named.conf syntax. */
+
+static cfg_clausedef_t *
+namedconf_clausesets[] = {
+	namedconf_clauses,
+	namedconf_or_view_clauses,
+	NULL
+};
+
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_namedconf = {
+	"namedconf", cfg_parse_mapbody, cfg_print_mapbody, cfg_doc_mapbody,
+	&cfg_rep_map, namedconf_clausesets
+};
+
+/* The "options" statement syntax. */
+
+static cfg_clausedef_t *
+options_clausesets[] = {
+	options_clauses,
+	view_clauses,
+	zone_clauses,
+	NULL
+};
+static cfg_type_t cfg_type_options = {
+	"options", cfg_parse_map, cfg_print_map, cfg_doc_map, &cfg_rep_map, options_clausesets };
+
+/* The "view" statement syntax. */
+
+static cfg_clausedef_t *
+view_clausesets[] = {
+	view_only_clauses,
+	namedconf_or_view_clauses,
+	view_clauses,
+	zone_clauses,
+	NULL
+};
+static cfg_type_t cfg_type_viewopts = {
+	"view", cfg_parse_map, cfg_print_map, cfg_doc_map, &cfg_rep_map, view_clausesets };
+
+/* The "zone" statement syntax. */
+
+static cfg_clausedef_t *
+zone_clausesets[] = {
+	zone_only_clauses,
+	zone_clauses,
+	NULL
+};
+static cfg_type_t cfg_type_zoneopts = {
+	"zoneopts", cfg_parse_map, cfg_print_map, cfg_doc_map, &cfg_rep_map, zone_clausesets };
+
+/*
+ * Clauses that can be found within the 'key' statement.
+ */
+static cfg_clausedef_t
+key_clauses[] = {
+	{ "algorithm", &cfg_type_astring, 0 },
+	{ "secret", &cfg_type_astring, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_clausedef_t *
+key_clausesets[] = {
+	key_clauses,
+	NULL
+};
+static cfg_type_t cfg_type_key = {
+	"key", cfg_parse_named_map, cfg_print_map, cfg_doc_map, &cfg_rep_map, key_clausesets };
+
+
+/*
+ * Clauses that can be found in a 'server' statement.
+ */
+static cfg_clausedef_t
+server_clauses[] = {
+	{ "bogus", &cfg_type_boolean, 0 },
+	{ "provide-ixfr", &cfg_type_boolean, 0 },
+	{ "request-ixfr", &cfg_type_boolean, 0 },
+	{ "support-ixfr", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
+	{ "transfers", &cfg_type_uint32, 0 },
+	{ "transfer-format", &cfg_type_transferformat, 0 },
+	{ "keys", &cfg_type_server_key_kludge, 0 },
+	{ "edns", &cfg_type_boolean, 0 },
+	{ "transfer-source", &cfg_type_sockaddr4wild, 0 },
+	{ "transfer-source-v6", &cfg_type_sockaddr6wild, 0 },
+	{ NULL, NULL, 0 }
+};
+static cfg_clausedef_t *
+server_clausesets[] = {
+	server_clauses,
+	NULL
+};
+static cfg_type_t cfg_type_server = {
+	"server", cfg_parse_addressed_map, cfg_print_map, cfg_doc_map, &cfg_rep_map,
+	server_clausesets
+};
+
+
+/*
+ * Clauses that can be found in a 'channel' clause in the
+ * 'logging' statement.
+ *
+ * These have some additional constraints that need to be
+ * checked after parsing:
+ *  - There must exactly one of file/syslog/null/stderr
+ *
+ */
+static cfg_clausedef_t
+channel_clauses[] = {
+	/* Destinations.  We no longer require these to be first. */
+	{ "file", &cfg_type_logfile, 0 },
+	{ "syslog", &cfg_type_optional_facility, 0 },
+	{ "null", &cfg_type_void, 0 },
+	{ "stderr", &cfg_type_void, 0 },
+	/* Options.  We now accept these for the null channel, too. */
+	{ "severity", &cfg_type_logseverity, 0 },
+	{ "print-time", &cfg_type_boolean, 0 },
+	{ "print-severity", &cfg_type_boolean, 0 },
+	{ "print-category", &cfg_type_boolean, 0 },
+	{ NULL, NULL, 0 }
+};
+static cfg_clausedef_t *
+channel_clausesets[] = {
+	channel_clauses,
+	NULL
+};
+static cfg_type_t cfg_type_channel = {
+	"channel", cfg_parse_named_map, cfg_print_map, cfg_doc_map,
+	&cfg_rep_map, channel_clausesets
+};
+
+/* A list of log destination, used in the "category" clause. */
+static cfg_type_t cfg_type_destinationlist = {
+	"destinationlist", cfg_parse_bracketed_list, cfg_print_bracketed_list, cfg_doc_bracketed_list,
+	&cfg_rep_list, &cfg_type_astring };
+
+/*
+ * Clauses that can be found in a 'logging' statement.
+ */
+static cfg_clausedef_t
+logging_clauses[] = {
+	{ "channel", &cfg_type_channel, CFG_CLAUSEFLAG_MULTI },
+	{ "category", &cfg_type_category, CFG_CLAUSEFLAG_MULTI },
+	{ NULL, NULL, 0 }
+};
+static cfg_clausedef_t *
+logging_clausesets[] = {
+	logging_clauses,
+	NULL
+};
+static cfg_type_t cfg_type_logging = {
+	"logging", cfg_parse_map, cfg_print_map, cfg_doc_map, &cfg_rep_map, logging_clausesets };
+
+
+static isc_result_t
+parse_unitstring(char *str, isc_resourcevalue_t *valuep) {
+	char *endp;
+	unsigned int len;
+	isc_uint64_t value;
+	isc_uint64_t unit;
+
+	value = isc_string_touint64(str, &endp, 10);
+	if (*endp == 0) {
+		*valuep = value;
+		return (ISC_R_SUCCESS);
+	}
+
+	len = strlen(str);
+	if (len < 2 || endp[1] != '\0')
+		return (ISC_R_FAILURE);
+
+	switch (str[len - 1]) {
+	case 'k':
+	case 'K':
+		unit = 1024;
+		break;
+	case 'm':
+	case 'M':
+		unit = 1024 * 1024;
+		break;
+	case 'g':
+	case 'G':
+		unit = 1024 * 1024 * 1024;
+		break;
+	default:
+		return (ISC_R_FAILURE);
+	}
+	if (value > ISC_UINT64_MAX / unit)
+		return (ISC_R_FAILURE);
+	*valuep = value * unit;
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+parse_sizeval(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	isc_result_t result;
+	cfg_obj_t *obj = NULL;
+	isc_uint64_t val;
+
+	UNUSED(type);
+
+	CHECK(cfg_gettoken(pctx, 0));
+	if (pctx->token.type != isc_tokentype_string) {
+		result = ISC_R_UNEXPECTEDTOKEN;
+		goto cleanup;
+	}
+	CHECK(parse_unitstring(TOKEN_STRING(pctx), &val));
+
+	CHECK(cfg_create_obj(pctx, &cfg_type_uint64, &obj));
+	obj->value.uint64 = val;
+	*ret = obj;
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	cfg_parser_error(pctx, CFG_LOG_NEAR, "expected integer and optional unit");
+	return (result);
+}
+
+/*
+ * A size value (number + optional unit).
+ */
+static cfg_type_t cfg_type_sizeval = {
+	"sizeval", parse_sizeval, cfg_print_uint64, cfg_doc_terminal,
+	&cfg_rep_uint64, NULL };
+
+/*
+ * A size, "unlimited", or "default".
+ */
+
+static isc_result_t
+parse_size(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	return (parse_enum_or_other(pctx, type, &cfg_type_sizeval, ret));
+}
+
+static const char *size_enums[] = { "unlimited", "default", NULL };
+static cfg_type_t cfg_type_size = {
+	"size", parse_size, cfg_print_ustring, cfg_doc_terminal,
+	&cfg_rep_string, size_enums
+};
+
+/*
+ * A size or "unlimited", but not "default".
+ */
+static const char *sizenodefault_enums[] = { "unlimited", NULL };
+static cfg_type_t cfg_type_sizenodefault = {
+	"size_no_default", parse_size, cfg_print_ustring, cfg_doc_terminal,
+	&cfg_rep_string, sizenodefault_enums
+};
+
+/*
+ * optional_keyvalue
+ */
+static isc_result_t
+parse_maybe_optional_keyvalue(cfg_parser_t *pctx, const cfg_type_t *type,
+			      isc_boolean_t optional, cfg_obj_t **ret)
+{
+        isc_result_t result;
+	cfg_obj_t *obj = NULL;
+	const keyword_type_t *kw = type->of;
+
+	CHECK(cfg_peektoken(pctx, 0));
+	if (pctx->token.type == isc_tokentype_string &&
+	    strcasecmp(TOKEN_STRING(pctx), kw->name) == 0) {
+		CHECK(cfg_gettoken(pctx, 0));
+		CHECK(kw->type->parse(pctx, kw->type, &obj));
+		obj->type = type; /* XXX kludge */
+	} else {
+		if (optional) {
+			CHECK(cfg_parse_void(pctx, NULL, &obj));
+		} else {
+			cfg_parser_error(pctx, CFG_LOG_NEAR, "expected '%s'",
+				     kw->name);
+			result = ISC_R_UNEXPECTEDTOKEN;
+			goto cleanup;
+		}
+	}
+	*ret = obj;
+ cleanup:
+	return (result);
+}
+
+static isc_result_t
+parse_enum_or_other(cfg_parser_t *pctx, const cfg_type_t *enumtype,
+		    const cfg_type_t *othertype, cfg_obj_t **ret)
+{
+        isc_result_t result;
+	CHECK(cfg_peektoken(pctx, 0));
+	if (pctx->token.type == isc_tokentype_string &&
+	    cfg_is_enum(TOKEN_STRING(pctx), enumtype->of)) {
+		CHECK(cfg_parse_enum(pctx, enumtype, ret));
+	} else {
+		CHECK(cfg_parse_obj(pctx, othertype, ret));
+	}
+ cleanup:
+	return (result);
+}
+
+static void
+doc_enum_or_other(cfg_printer_t *pctx, const cfg_type_t *type) {
+	cfg_doc_terminal(pctx, type);
+#if 0 /* XXX */
+	cfg_print_chars(pctx, "( ", 2);...
+#endif
+
+}
+
+static isc_result_t
+parse_keyvalue(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	return (parse_maybe_optional_keyvalue(pctx, type, ISC_FALSE, ret));
+}
+
+static isc_result_t
+parse_optional_keyvalue(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	return (parse_maybe_optional_keyvalue(pctx, type, ISC_TRUE, ret));
+}
+
+static void
+print_keyvalue(cfg_printer_t *pctx, cfg_obj_t *obj) {
+	const keyword_type_t *kw = obj->type->of;
+	cfg_print_cstr(pctx, kw->name);
+	cfg_print_chars(pctx, " ", 1);
+	kw->type->print(pctx, obj);
+}
+
+static void
+doc_keyvalue(cfg_printer_t *pctx, const cfg_type_t *type) {
+	const keyword_type_t *kw = type->of;
+	cfg_print_cstr(pctx, kw->name);
+	cfg_print_chars(pctx, " ", 1);
+	cfg_doc_obj(pctx, kw->type);
+}
+
+static void
+doc_optional_keyvalue(cfg_printer_t *pctx, const cfg_type_t *type) {
+	const keyword_type_t *kw = type->of;
+	cfg_print_chars(pctx, "[ ", 2);
+	cfg_print_cstr(pctx, kw->name);
+	cfg_print_chars(pctx, " ", 1);
+	cfg_doc_obj(pctx, kw->type);
+	cfg_print_chars(pctx, " ]", 2);
+}
+
+static const char *dialup_enums[] = {
+	"notify", "notify-passive", "refresh", "passive", NULL };
+static isc_result_t
+parse_dialup_type(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	return (parse_enum_or_other(pctx, type, &cfg_type_boolean, ret));
+}
+static cfg_type_t cfg_type_dialuptype = {
+	"dialuptype", parse_dialup_type, cfg_print_ustring, doc_enum_or_other,
+	&cfg_rep_string, dialup_enums
+};
+
+static const char *notify_enums[] = { "explicit", NULL };
+static isc_result_t
+parse_notify_type(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	return (parse_enum_or_other(pctx, type, &cfg_type_boolean, ret));
+}
+static cfg_type_t cfg_type_notifytype = {
+	"notifytype", parse_notify_type, cfg_print_ustring, doc_enum_or_other,
+ 	&cfg_rep_string, notify_enums,
+};
+
+static keyword_type_t key_kw = { "key", &cfg_type_astring };
+
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_keyref = {
+	"keyref", parse_keyvalue, print_keyvalue, doc_keyvalue,
+	&cfg_rep_string, &key_kw
+};
+
+static cfg_type_t cfg_type_optional_keyref = {
+	"optional_keyref", parse_optional_keyvalue, print_keyvalue,
+	doc_optional_keyvalue, &cfg_rep_string, &key_kw
+};
+
+/*
+ * A "controls" statement is represented as a map with the multivalued
+ * "inet" and "unix" clauses.  Inet controls are tuples; unix controls
+ * are cfg_unsupported_t objects.
+ */
+
+static keyword_type_t controls_allow_kw = {
+	"allow", &cfg_type_bracketed_aml };
+static cfg_type_t cfg_type_controls_allow = {
+	"controls_allow", parse_keyvalue,
+	print_keyvalue, doc_keyvalue,
+	&cfg_rep_list, &controls_allow_kw
+};
+
+static keyword_type_t controls_keys_kw = {
+	"keys", &cfg_type_keylist };
+static cfg_type_t cfg_type_controls_keys = {
+	"controls_keys", parse_optional_keyvalue,
+	print_keyvalue, doc_optional_keyvalue,
+	&cfg_rep_list, &controls_keys_kw
+};
+
+static cfg_tuplefielddef_t inetcontrol_fields[] = {
+	{ "address", &cfg_type_controls_sockaddr, 0 },
+	{ "allow", &cfg_type_controls_allow, 0 },
+	{ "keys", &cfg_type_controls_keys, 0 },
+	{ NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_inetcontrol = {
+	"inetcontrol", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple,
+	inetcontrol_fields
+};
+
+static cfg_clausedef_t
+controls_clauses[] = {
+	{ "inet", &cfg_type_inetcontrol, CFG_CLAUSEFLAG_MULTI },
+	{ "unix", &cfg_type_unsupported,
+	  CFG_CLAUSEFLAG_MULTI|CFG_CLAUSEFLAG_NOTIMP },
+	{ NULL, NULL, 0 }
+};
+static cfg_clausedef_t *
+controls_clausesets[] = {
+	controls_clauses,
+	NULL
+};
+static cfg_type_t cfg_type_controls = {
+	"controls", cfg_parse_map, cfg_print_map, cfg_doc_map, &cfg_rep_map,	&controls_clausesets
+};
+
+/*
+ * An optional class, as used in view and zone statements.
+ */
+static isc_result_t
+parse_optional_class(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	isc_result_t result;
+	UNUSED(type);
+	CHECK(cfg_peektoken(pctx, 0));
+	if (pctx->token.type == isc_tokentype_string)
+		CHECK(cfg_parse_obj(pctx, &cfg_type_ustring, ret));
+	else
+		CHECK(cfg_parse_obj(pctx, &cfg_type_void, ret));
+ cleanup:
+	return (result);
+}
+
+static cfg_type_t cfg_type_optional_class = {
+	"optional_class", parse_optional_class, NULL, cfg_doc_terminal,
+	NULL, NULL
+};
+
+static isc_result_t
+parse_querysource(cfg_parser_t *pctx, int flags, cfg_obj_t **ret) {
+	isc_result_t result;
+	cfg_obj_t *obj = NULL;
+	isc_netaddr_t netaddr;
+	in_port_t port;
+	unsigned int have_address = 0;
+	unsigned int have_port = 0;
+
+	if ((flags & CFG_ADDR_V4OK) != 0)
+		isc_netaddr_any(&netaddr);
+	else if ((flags & CFG_ADDR_V6OK) != 0)
+		isc_netaddr_any6(&netaddr);
+	else
+		INSIST(0);
+
+	port = 0;
+
+	CHECK(cfg_create_obj(pctx, &cfg_type_querysource, &obj));
+	for (;;) {
+		CHECK(cfg_peektoken(pctx, 0));
+		if (pctx->token.type == isc_tokentype_string) {
+			if (strcasecmp(TOKEN_STRING(pctx),
+				       "address") == 0)
+			{
+				/* read "address" */
+				CHECK(cfg_gettoken(pctx, 0)); 
+				CHECK(cfg_parse_rawaddr(pctx,
+						flags | CFG_ADDR_WILDOK,
+							&netaddr));
+				have_address++;
+			} else if (strcasecmp(TOKEN_STRING(pctx), "port") == 0)
+			{
+				/* read "port" */
+				CHECK(cfg_gettoken(pctx, 0)); 
+				CHECK(cfg_parse_rawport(pctx,
+							CFG_ADDR_WILDOK,
+							&port));
+				have_port++;
+			} else {
+				cfg_parser_error(pctx, CFG_LOG_NEAR,
+					     "expected 'address' or 'port'");
+				return (ISC_R_UNEXPECTEDTOKEN);
+			}
+		} else
+			break;
+	}
+	if (have_address > 1 || have_port > 1 ||
+	    have_address + have_port == 0) {
+		cfg_parser_error(pctx, 0, "expected one address and/or port");
+		return (ISC_R_UNEXPECTEDTOKEN);
+	}
+
+	isc_sockaddr_fromnetaddr(&obj->value.sockaddr, &netaddr, port);
+	*ret = obj;
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	cfg_parser_error(pctx, CFG_LOG_NEAR, "invalid query source");
+	CLEANUP_OBJ(obj);
+	return (result);
+}
+
+static isc_result_t
+parse_querysource4(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	UNUSED(type);
+	return (parse_querysource(pctx, CFG_ADDR_V4OK, ret));
+}
+
+static isc_result_t
+parse_querysource6(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	UNUSED(type);
+	return (parse_querysource(pctx, CFG_ADDR_V6OK, ret));
+}
+
+static void
+print_querysource(cfg_printer_t *pctx, cfg_obj_t *obj) {
+	isc_netaddr_t na;
+	isc_netaddr_fromsockaddr(&na, &obj->value.sockaddr);
+	cfg_print_chars(pctx, "address ", 8);
+	cfg_print_rawaddr(pctx, &na);
+	cfg_print_chars(pctx, " port ", 6);
+	cfg_print_rawuint(pctx, isc_sockaddr_getport(&obj->value.sockaddr));
+}
+
+static cfg_type_t cfg_type_querysource4 = {
+	"querysource4", parse_querysource4, NULL, cfg_doc_terminal,
+	NULL, NULL
+};
+static cfg_type_t cfg_type_querysource6 = {
+	"querysource6", parse_querysource6, NULL, cfg_doc_terminal,
+	NULL, NULL
+};
+static cfg_type_t cfg_type_querysource = {
+	"querysource", NULL, print_querysource, NULL, &cfg_rep_sockaddr, NULL };
+
+/* addrmatchelt */
+
+static isc_result_t
+parse_addrmatchelt(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+        isc_result_t result;
+	UNUSED(type);
+
+	CHECK(cfg_peektoken(pctx, CFG_LEXOPT_QSTRING));
+
+	if (pctx->token.type == isc_tokentype_string ||
+	    pctx->token.type == isc_tokentype_qstring) {
+		if (pctx->token.type == isc_tokentype_string &&
+		    (strcasecmp(TOKEN_STRING(pctx), "key") == 0)) {
+			CHECK(cfg_parse_obj(pctx, &cfg_type_keyref, ret));
+		} else {
+			if (cfg_lookingat_netaddr(pctx, CFG_ADDR_V4OK |
+						  CFG_ADDR_V4PREFIXOK |
+						  CFG_ADDR_V6OK))
+			{
+				CHECK(cfg_parse_netprefix(pctx, NULL, ret));
+			} else {
+				CHECK(cfg_parse_astring(pctx, NULL, ret));
+			}
+		}
+	} else if (pctx->token.type == isc_tokentype_special) {
+		if (pctx->token.value.as_char == '{') {
+			/* Nested match list. */
+			CHECK(cfg_parse_obj(pctx, &cfg_type_bracketed_aml, ret));
+		} else if (pctx->token.value.as_char == '!') {
+			CHECK(cfg_gettoken(pctx, 0)); /* read "!" */
+			CHECK(cfg_parse_obj(pctx, &cfg_type_negated, ret));
+		} else {
+			goto bad;
+		}
+	} else {
+	bad:
+		cfg_parser_error(pctx, CFG_LOG_NEAR,
+			     "expected IP match list element");
+		return (ISC_R_UNEXPECTEDTOKEN);
+	}
+ cleanup:
+	return (result);
+}
+
+/*
+ * A negated address match list element (like "! 10.0.0.1").
+ * Somewhat sneakily, the caller is expected to parse the
+ * "!", but not to print it.
+ */
+
+static cfg_tuplefielddef_t negated_fields[] = {
+	{ "value", &cfg_type_addrmatchelt, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static void
+print_negated(cfg_printer_t *pctx, cfg_obj_t *obj) {
+	cfg_print_chars(pctx, "!", 1);
+	cfg_print_tuple(pctx, obj);
+}
+
+static cfg_type_t cfg_type_negated = {
+	"negated", cfg_parse_tuple, print_negated, NULL, &cfg_rep_tuple,
+	&negated_fields
+};
+
+/* An address match list element */
+
+static cfg_type_t cfg_type_addrmatchelt = {
+	"address_match_element", parse_addrmatchelt, NULL, cfg_doc_terminal,
+	NULL, NULL
+};
+
+/* A bracketed address match list */
+
+static cfg_type_t cfg_type_bracketed_aml = {
+	"bracketed_aml", cfg_parse_bracketed_list, cfg_print_bracketed_list,
+	cfg_doc_bracketed_list, &cfg_rep_list, &cfg_type_addrmatchelt
+};
+
+/*
+ * The socket address syntax in the "controls" statement is silly.
+ * It allows both socket address families, but also allows "*",
+ * whis is gratuitously interpreted as the IPv4 wildcard address.
+ */
+static unsigned int controls_sockaddr_flags =
+	CFG_ADDR_V4OK | CFG_ADDR_V6OK | CFG_ADDR_WILDOK;
+static cfg_type_t cfg_type_controls_sockaddr = {
+	"controls_sockaddr", cfg_parse_sockaddr, cfg_print_sockaddr,
+	cfg_doc_sockaddr, &cfg_rep_sockaddr, &controls_sockaddr_flags
+};
+
+/*
+ * Handle the special kludge syntax of the "keys" clause in the "server"
+ * statement, which takes a single key with or without braces and semicolon.
+ */
+static isc_result_t
+parse_server_key_kludge(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
+{
+	isc_result_t result;
+	isc_boolean_t braces = ISC_FALSE;
+	UNUSED(type);
+
+	/* Allow opening brace. */
+	CHECK(cfg_peektoken(pctx, 0));
+	if (pctx->token.type == isc_tokentype_special &&
+	    pctx->token.value.as_char == '{') {
+		result = cfg_gettoken(pctx, 0);
+		braces = ISC_TRUE;
+	}
+
+	CHECK(cfg_parse_obj(pctx, &cfg_type_astring, ret));
+
+	if (braces) {
+		/* Skip semicolon if present. */
+		CHECK(cfg_peektoken(pctx, 0));
+		if (pctx->token.type == isc_tokentype_special &&
+		    pctx->token.value.as_char == ';')
+			CHECK(cfg_gettoken(pctx, 0));
+
+		CHECK(cfg_parse_special(pctx, '}'));
+	}
+ cleanup:
+	return (result);
+}
+static cfg_type_t cfg_type_server_key_kludge = {
+	"server_key", parse_server_key_kludge, NULL, cfg_doc_terminal,
+	NULL, NULL
+};
+
+
+/*
+ * An optional logging facility.
+ */
+
+static isc_result_t
+parse_optional_facility(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
+{
+	isc_result_t result;
+	UNUSED(type);
+
+	CHECK(cfg_peektoken(pctx, CFG_LEXOPT_QSTRING));
+	if (pctx->token.type == isc_tokentype_string ||
+	    pctx->token.type == isc_tokentype_qstring) {
+		CHECK(cfg_parse_obj(pctx, &cfg_type_astring, ret));
+	} else {
+		CHECK(cfg_parse_obj(pctx, &cfg_type_void, ret));
+	}
+ cleanup:
+	return (result);
+}
+
+static cfg_type_t cfg_type_optional_facility = {
+	"optional_facility", parse_optional_facility, NULL, cfg_doc_terminal,
+	NULL, NULL };
+
+
+/*
+ * A log severity.  Return as a string, except "debug N",
+ * which is returned as a keyword object.
+ */
+
+static keyword_type_t debug_kw = { "debug", &cfg_type_uint32 };
+static cfg_type_t cfg_type_debuglevel = {
+	"debuglevel", parse_keyvalue,
+	print_keyvalue, doc_keyvalue,
+	&cfg_rep_uint32, &debug_kw
+};
+
+static isc_result_t
+parse_logseverity(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	isc_result_t result;
+	UNUSED(type);
+
+	CHECK(cfg_peektoken(pctx, 0));
+	if (pctx->token.type == isc_tokentype_string &&
+	    strcasecmp(TOKEN_STRING(pctx), "debug") == 0) {
+		CHECK(cfg_gettoken(pctx, 0)); /* read "debug" */
+		CHECK(cfg_peektoken(pctx, ISC_LEXOPT_NUMBER));
+		if (pctx->token.type == isc_tokentype_number) {
+			CHECK(cfg_parse_uint32(pctx, NULL, ret));
+		} else {
+			/*
+			 * The debug level is optional and defaults to 1.
+			 * This makes little sense, but we support it for
+			 * compatibility with BIND 8.
+			 */
+			CHECK(cfg_create_obj(pctx, &cfg_type_uint32, ret));
+			(*ret)->value.uint32 = 1;
+		}
+		(*ret)->type = &cfg_type_debuglevel; /* XXX kludge */
+	} else {
+		CHECK(cfg_parse_obj(pctx, &cfg_type_loglevel, ret));
+	}
+ cleanup:
+	return (result);
+}
+
+static cfg_type_t cfg_type_logseverity = {
+	"log_severity", parse_logseverity, NULL, cfg_doc_terminal,
+	NULL, NULL };
+
+/*
+ * The "file" clause of the "channel" statement.
+ * This is yet another special case.
+ */
+
+static const char *logversions_enums[] = { "unlimited", NULL };
+static isc_result_t
+parse_logversions(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	return (parse_enum_or_other(pctx, type, &cfg_type_uint32, ret));
+}
+static cfg_type_t cfg_type_logversions = {
+	"logversions", parse_logversions, cfg_print_ustring, cfg_doc_terminal,
+	&cfg_rep_string, logversions_enums
+};
+
+static cfg_tuplefielddef_t logfile_fields[] = {
+	{ "file", &cfg_type_qstring, 0 },
+	{ "versions", &cfg_type_logversions, 0 },
+	{ "size", &cfg_type_size, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static isc_result_t
+parse_logfile(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	isc_result_t result;
+	cfg_obj_t *obj = NULL;
+	const cfg_tuplefielddef_t *fields = type->of;	
+
+	CHECK(cfg_create_tuple(pctx, type, &obj));	
+
+	/* Parse the mandatory "file" field */
+	CHECK(cfg_parse_obj(pctx, fields[0].type, &obj->value.tuple[0]));
+
+	/* Parse "versions" and "size" fields in any order. */
+	for (;;) {
+		CHECK(cfg_peektoken(pctx, 0));
+		if (pctx->token.type == isc_tokentype_string) {
+			CHECK(cfg_gettoken(pctx, 0));		
+			if (strcasecmp(TOKEN_STRING(pctx),
+				       "versions") == 0 &&
+			    obj->value.tuple[1] == NULL) {
+				CHECK(cfg_parse_obj(pctx, fields[1].type,
+					    &obj->value.tuple[1]));
+			} else if (strcasecmp(TOKEN_STRING(pctx),
+					      "size") == 0 &&
+				   obj->value.tuple[2] == NULL) {
+				CHECK(cfg_parse_obj(pctx, fields[2].type,
+					    &obj->value.tuple[2]));
+			} else {
+				break;
+			}
+		} else {
+			break;
+		}
+	}
+
+	/* Create void objects for missing optional values. */
+	if (obj->value.tuple[1] == NULL)
+		CHECK(cfg_parse_void(pctx, NULL, &obj->value.tuple[1]));
+	if (obj->value.tuple[2] == NULL)
+		CHECK(cfg_parse_void(pctx, NULL, &obj->value.tuple[2]));
+
+	*ret = obj;
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	CLEANUP_OBJ(obj);	
+	return (result);
+}
+
+static void
+print_logfile(cfg_printer_t *pctx, cfg_obj_t *obj) {
+	cfg_print_obj(pctx, obj->value.tuple[0]); /* file */
+	if (obj->value.tuple[1]->type->print != cfg_print_void) {
+		cfg_print_chars(pctx, " versions ", 10);
+		cfg_print_obj(pctx, obj->value.tuple[1]);
+	}
+	if (obj->value.tuple[2]->type->print != cfg_print_void) {
+		cfg_print_chars(pctx, " size ", 6);
+		cfg_print_obj(pctx, obj->value.tuple[2]);
+	}
+}
+
+static cfg_type_t cfg_type_logfile = {
+	"log_file", parse_logfile, print_logfile, cfg_doc_terminal,
+	&cfg_rep_tuple, logfile_fields
+};
+
+/* An IPv4/IPv6 address with optional port, "*" accepted as wildcard. */
+static unsigned int sockaddr4wild_flags = CFG_ADDR_WILDOK | CFG_ADDR_V4OK;
+static cfg_type_t cfg_type_sockaddr4wild = {
+	"sockaddr4wild", cfg_parse_sockaddr, cfg_print_sockaddr,
+	cfg_doc_sockaddr, &cfg_rep_sockaddr, &sockaddr4wild_flags
+};
+
+static unsigned int sockaddr6wild_flags = CFG_ADDR_WILDOK | CFG_ADDR_V6OK;
+static cfg_type_t cfg_type_sockaddr6wild = {
+	"v6addrportwild", cfg_parse_sockaddr, cfg_print_sockaddr,
+	cfg_doc_sockaddr, &cfg_rep_sockaddr, &sockaddr6wild_flags
+};
+
+/*
+ * lwres
+ */
+
+static cfg_tuplefielddef_t lwres_view_fields[] = {
+	{ "name", &cfg_type_astring, 0 },
+	{ "class", &cfg_type_optional_class, 0 },
+	{ NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_lwres_view = {
+	"lwres_view", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple,
+	lwres_view_fields
+};
+
+static cfg_type_t cfg_type_lwres_searchlist = {
+	"lwres_searchlist", cfg_parse_bracketed_list, cfg_print_bracketed_list, cfg_doc_bracketed_list,
+	&cfg_rep_list, &cfg_type_astring };
+
+static cfg_clausedef_t
+lwres_clauses[] = {
+	{ "listen-on", &cfg_type_portiplist, 0 },
+	{ "view", &cfg_type_lwres_view, 0 },
+	{ "search", &cfg_type_lwres_searchlist, 0 },
+	{ "ndots", &cfg_type_uint32, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_clausedef_t *
+lwres_clausesets[] = {
+	lwres_clauses,
+	NULL
+};
+static cfg_type_t cfg_type_lwres = {
+	"lwres", cfg_parse_map, cfg_print_map, cfg_doc_map, &cfg_rep_map, lwres_clausesets };
+
+/*
+ * rndc
+ */
+
+static cfg_clausedef_t
+rndcconf_options_clauses[] = {
+	{ "default-server", &cfg_type_astring, 0 },
+	{ "default-key", &cfg_type_astring, 0 },
+	{ "default-port", &cfg_type_uint32, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_clausedef_t *
+rndcconf_options_clausesets[] = {
+	rndcconf_options_clauses,
+	NULL
+};
+
+static cfg_type_t cfg_type_rndcconf_options = {
+	"rndcconf_options", cfg_parse_map, cfg_print_map, cfg_doc_map, &cfg_rep_map,
+	rndcconf_options_clausesets
+};
+
+static cfg_clausedef_t
+rndcconf_server_clauses[] = {
+	{ "key", &cfg_type_astring, 0 },
+	{ "port", &cfg_type_uint32, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_clausedef_t *
+rndcconf_server_clausesets[] = {
+	rndcconf_server_clauses,
+	NULL
+};
+
+static cfg_type_t cfg_type_rndcconf_server = {
+	"rndcconf_server", cfg_parse_named_map, cfg_print_map, cfg_doc_map, &cfg_rep_map,
+	rndcconf_server_clausesets
+};
+
+static cfg_clausedef_t
+rndcconf_clauses[] = {
+	{ "key", &cfg_type_key, CFG_CLAUSEFLAG_MULTI },
+	{ "server", &cfg_type_rndcconf_server, CFG_CLAUSEFLAG_MULTI },
+	{ "options", &cfg_type_rndcconf_options, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_clausedef_t *
+rndcconf_clausesets[] = {
+	rndcconf_clauses,
+	NULL
+};
+
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_rndcconf = {
+	"rndcconf", cfg_parse_mapbody, cfg_print_mapbody, cfg_doc_mapbody,
+	&cfg_rep_map, rndcconf_clausesets
+};
+
+static cfg_clausedef_t
+rndckey_clauses[] = {
+	{ "key", &cfg_type_key, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_clausedef_t *
+rndckey_clausesets[] = {
+	rndckey_clauses,
+	NULL
+};
+
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_rndckey = {
+	"rndckey", cfg_parse_mapbody, cfg_print_mapbody, cfg_doc_mapbody,
+	&cfg_rep_map, rndckey_clausesets
+};
+
+static cfg_tuplefielddef_t nameport_fields[] = {
+	{ "name", &cfg_type_astring, 0 },
+	{ "port", &cfg_type_optional_port, 0 },
+	{ NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_nameport = {
+	"nameport", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
+	&cfg_rep_tuple, nameport_fields
+};
+
+static void
+doc_sockaddrnameport(cfg_printer_t *pctx, const cfg_type_t *type) {
+	UNUSED(type);
+	cfg_print_chars(pctx, "( ", 2);
+	cfg_print_cstr(pctx, "<quoted_string>");
+	cfg_print_chars(pctx, " ", 1);
+	cfg_print_cstr(pctx, "[port <integer>]");
+	cfg_print_chars(pctx, " | ", 3);
+	cfg_print_cstr(pctx, "<ipv4_address>");
+	cfg_print_chars(pctx, " ", 1);
+	cfg_print_cstr(pctx, "[port <integer>]");
+	cfg_print_chars(pctx, " | ", 3);
+	cfg_print_cstr(pctx, "<ipv6_address>");
+	cfg_print_chars(pctx, " ", 1);
+	cfg_print_cstr(pctx, "[port <integer>]");
+	cfg_print_chars(pctx, " )", 2);
+}
+
+static isc_result_t
+parse_sockaddrnameport(cfg_parser_t *pctx, const cfg_type_t *type,
+		       cfg_obj_t **ret)
+{
+        isc_result_t result;
+	cfg_obj_t *obj = NULL;
+	UNUSED(type);
+
+	CHECK(cfg_peektoken(pctx, CFG_LEXOPT_QSTRING));
+	if (pctx->token.type == isc_tokentype_string ||
+	    pctx->token.type == isc_tokentype_qstring) {
+		if (cfg_lookingat_netaddr(pctx, CFG_ADDR_V4OK | CFG_ADDR_V6OK))
+			CHECK(cfg_parse_sockaddr(pctx, &cfg_type_sockaddr, ret));
+		else {
+			const cfg_tuplefielddef_t *fields =
+						   cfg_type_nameport.of;	
+			CHECK(cfg_create_tuple(pctx, &cfg_type_nameport,
+					       &obj));	
+			CHECK(cfg_parse_obj(pctx, fields[0].type,
+					    &obj->value.tuple[0]));
+			CHECK(cfg_parse_obj(pctx, fields[1].type,
+					    &obj->value.tuple[1]));
+			*ret = obj;
+			obj = NULL;
+		}
+	} else {
+		cfg_parser_error(pctx, CFG_LOG_NEAR,
+			     "expected IP address or hostname");
+		return (ISC_R_UNEXPECTEDTOKEN);
+	}
+ cleanup:
+	CLEANUP_OBJ(obj);	
+	return (result);
+}
+
+static cfg_type_t cfg_type_sockaddrnameport = {
+	"sockaddrnameport_element", parse_sockaddrnameport, NULL,
+	 doc_sockaddrnameport, NULL, NULL
+};
+
+static cfg_type_t cfg_type_bracketed_sockaddrnameportlist = {
+	"bracketed_sockaddrnameportlist", cfg_parse_bracketed_list,
+	cfg_print_bracketed_list, cfg_doc_bracketed_list,
+	&cfg_rep_list, &cfg_type_sockaddrnameport
+};
+
+/*
+ * A list of socket addresses or name with an optional default port,
+ * as used in the dual-stack-servers option.  E.g.,
+ * "port 1234 { dual-stack-servers.net; 10.0.0.1; 1::2 port 69; }"
+ */
+static cfg_tuplefielddef_t nameportiplist_fields[] = {
+	{ "port", &cfg_type_optional_port, 0 },
+	{ "addresses", &cfg_type_bracketed_sockaddrnameportlist, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_nameportiplist = {
+	"nameportiplist", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
+	&cfg_rep_tuple, nameportiplist_fields
+};
+
+/*
+ * masters element.
+ */
+
+static void
+doc_masterselement(cfg_printer_t *pctx, const cfg_type_t *type) {
+	UNUSED(type);
+	cfg_print_chars(pctx, "( ", 2);
+	cfg_print_cstr(pctx, "<masters>");
+	cfg_print_chars(pctx, " | ", 3);
+	cfg_print_cstr(pctx, "<ipv4_address>");
+	cfg_print_chars(pctx, " ", 1);
+	cfg_print_cstr(pctx, "[port <integer>]");
+	cfg_print_chars(pctx, " | ", 3);
+	cfg_print_cstr(pctx, "<ipv6_address>");
+	cfg_print_chars(pctx, " ", 1);
+	cfg_print_cstr(pctx, "[port <integer>]");
+	cfg_print_chars(pctx, " )", 2);
+}
+
+static isc_result_t
+parse_masterselement(cfg_parser_t *pctx, const cfg_type_t *type,
+		     cfg_obj_t **ret)
+{
+        isc_result_t result;
+	cfg_obj_t *obj = NULL;
+	UNUSED(type);
+
+	CHECK(cfg_peektoken(pctx, CFG_LEXOPT_QSTRING));
+	if (pctx->token.type == isc_tokentype_string ||
+	    pctx->token.type == isc_tokentype_qstring) {
+		if (cfg_lookingat_netaddr(pctx, CFG_ADDR_V4OK | CFG_ADDR_V6OK))
+			CHECK(cfg_parse_sockaddr(pctx, &cfg_type_sockaddr, ret));
+		else
+			CHECK(cfg_parse_astring(pctx, &cfg_type_astring, ret));
+	} else {
+		cfg_parser_error(pctx, CFG_LOG_NEAR,
+			     "expected IP address or masters name");
+		return (ISC_R_UNEXPECTEDTOKEN);
+	}
+ cleanup:
+	CLEANUP_OBJ(obj);	
+	return (result);
+}
+
+static cfg_type_t cfg_type_masterselement = {
+	"masters_element", parse_masterselement, NULL,
+	 doc_masterselement, NULL, NULL
+};
diff --git a/lib/isccfg/parser.c b/lib/isccfg/parser.c
index 32146a16..5101e031 100644
--- a/lib/isccfg/parser.c
+++ b/lib/isccfg/parser.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: parser.c,v 1.70.2.28 2006/03/01 01:34:07 marka Exp $ */
+/* $Id: parser.c,v 1.70.2.20.2.17 2004/03/16 12:38:15 marka Exp $ */
 
 #include <config.h>
 
@@ -30,52 +30,21 @@
 #include <isc/print.h>
 #include <isc/string.h>
 #include <isc/sockaddr.h>
+#include <isc/netscope.h>
 #include <isc/util.h>
 #include <isc/symtab.h>
 
 #include <isccfg/cfg.h>
+#include <isccfg/grammar.h>
 #include <isccfg/log.h>
 
 /* Shorthand */
 #define CAT CFG_LOGCATEGORY_CONFIG
 #define MOD CFG_LOGMODULE_PARSER
 
-#define QSTRING (ISC_LEXOPT_QSTRING | ISC_LEXOPT_QSTRINGMULTILINE)
-
-/*
- * Pass one of these flags to parser_error() to include the
- * token text in log message.
- */
-#define LOG_NEAR    0x00000001	/* Say "near <token>" */
-#define LOG_BEFORE  0x00000002	/* Say "before <token>" */
-#define LOG_NOPREP  0x00000004	/* Say just "<token>" */
-
 #define MAP_SYM 1 	/* Unique type for isc_symtab */
 
-/* Clause may occur multiple times (e.g., "zone") */
-#define CFG_CLAUSEFLAG_MULTI 		0x00000001
-/* Clause is obsolete */
-#define CFG_CLAUSEFLAG_OBSOLETE 	0x00000002
-/* Clause is not implemented, and may never be */
-#define CFG_CLAUSEFLAG_NOTIMP	 	0x00000004
-/* Clause is not implemented yet */
-#define CFG_CLAUSEFLAG_NYI 		0x00000008
-/* Default value has changed since earlier release */
-#define CFG_CLAUSEFLAG_NEWDEFAULT	0x00000010
-/*
- * Clause needs to be interpreted during parsing
- * by calling a callback function, like the
- * "directory" option.
- */
-#define CFG_CLAUSEFLAG_CALLBACK		0x00000020
-
-/*
- * Flags defining whether to accept certain types of network addresses.
- */
-#define V4OK 		0x00000001
-#define V4PREFIXOK 	0x00000002
-#define V6OK 		0x00000004
-#define WILDOK		0x00000008
+#define TOKEN_STRING(pctx) (pctx->token.value.as_textregion.base)
 
 /* Check a return value. */
 #define CHECK(op) 						\
@@ -88,186 +57,26 @@
 	do { if ((obj) != NULL) cfg_obj_destroy(pctx, &(obj)); } while (0)
 
 
-typedef struct cfg_clausedef cfg_clausedef_t;
-typedef struct cfg_tuplefielddef cfg_tuplefielddef_t;
-typedef struct cfg_printer cfg_printer_t;
-typedef ISC_LIST(cfg_listelt_t) cfg_list_t;
-typedef struct cfg_map cfg_map_t;
-typedef struct cfg_rep cfg_rep_t;
-
-/*
- * Function types for configuration object methods
- */
-
-typedef isc_result_t (*cfg_parsefunc_t)(cfg_parser_t *, const cfg_type_t *type,
-					cfg_obj_t **);
-typedef void	     (*cfg_printfunc_t)(cfg_printer_t *, const cfg_obj_t *);
-typedef void	     (*cfg_freefunc_t)(cfg_parser_t *, cfg_obj_t *);
-
-
-/*
- * Structure definitions
- */
-
-/* The parser object. */
-struct cfg_parser {
-	isc_mem_t *	mctx;
-	isc_log_t *	lctx;
-	isc_lex_t *	lexer;
-	unsigned int    errors;
-	unsigned int    warnings;
-	isc_token_t     token;
-
-	/* We are at the end of all input. */
-	isc_boolean_t	seen_eof;
-
-	/* The current token has been pushed back. */
-	isc_boolean_t	ungotten;
-
-	/*
-	 * The stack of currently active files, represented
-	 * as a configuration list of configuration strings.
-	 * The head is the top-level file, subsequent elements 
-	 * (if any) are the nested include files, and the 
-	 * last element is the file currently being parsed.
-	 */
-	cfg_obj_t *	open_files;
-
-	/*
-	 * Names of files that we have parsed and closed
-	 * and were previously on the open_file list.
-	 * We keep these objects around after closing
-	 * the files because the file names may still be
-	 * referenced from other configuration objects
-	 * for use in reporting semantic errors after
-	 * parsing is complete.
-	 */
-	cfg_obj_t *	closed_files;
-
-	/*
-	 * Current line number.  We maintain our own
-	 * copy of this so that it is available even
-	 * when a file has just been closed.
-	 */
-	unsigned int	line;
-
-	cfg_parsecallback_t callback;
-	void *callbackarg;
-};
-
-/*
- * A configuration printer object.  This is an abstract
- * interface to a destination to which text can be printed
- * by calling the function 'f'.
- */
-struct cfg_printer {
-	void (*f)(void *closure, const char *text, int textlen);
-	void *closure;
-	int indent;
-};
-
-/* A clause definition. */
-
-struct cfg_clausedef {
-	const char      *name;
-	cfg_type_t      *type;
-	unsigned int	flags;
-};
-
-/* A tuple field definition. */
-
-struct cfg_tuplefielddef {
-	const char      *name;
-	cfg_type_t      *type;
-	unsigned int	flags;
-};
-
-/* A configuration object type definition. */
-struct cfg_type {
-	const char *name;	/* For debugging purposes only */
-	cfg_parsefunc_t  parse;
-	cfg_printfunc_t  print;
-	cfg_rep_t *	 rep;	/* Data representation */
-	const void *	 of;	/* For meta-types */
-};
-
-/* A keyword-type definition, for things like "port <integer>". */
-
-typedef struct {
-	const char *name;
-	const cfg_type_t *type;
-} keyword_type_t;
-
-struct cfg_map {
-	cfg_obj_t	 *id; /* Used for 'named maps' like keys, zones, &c */
-	const cfg_clausedef_t * const *clausesets; /* The clauses that
-						      can occur in this map;
-						      used for printing */
-	isc_symtab_t     *symtab;
-};
-
-typedef struct cfg_netprefix cfg_netprefix_t;
-
-struct cfg_netprefix {
-	isc_netaddr_t address; /* IP4/IP6 */
-	unsigned int prefixlen;
-};
-
-/*
- * A configuration data representation.
- */
-struct cfg_rep {
-	const char *	name;	/* For debugging only */
-	cfg_freefunc_t 	free;	/* How to free this kind of data. */
-};
-
-/*
- * A configuration object.  This is the main building block
- * of the configuration parse tree.
- */
-
-struct cfg_obj {
-	const cfg_type_t *type;
-	union {
-		isc_uint32_t  	uint32;
-		isc_uint64_t  	uint64;
-		isc_textregion_t string; /* null terminated, too */
-		isc_boolean_t 	boolean;
-		cfg_map_t	map;
-		cfg_list_t	list;
-		cfg_obj_t **	tuple;
-		isc_sockaddr_t	sockaddr;
-		cfg_netprefix_t netprefix;
-	}               value;
-	char *		file;
-	unsigned int    line;
-};
-
-
-/* A list element. */
-
-struct cfg_listelt {
-	cfg_obj_t               *obj;
-	ISC_LINK(cfg_listelt_t)  link;
-};
-
 /*
  * Forward declarations of static functions.
  */
 
-static isc_result_t
-create_cfgobj(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **objp);
+static void
+free_tuple(cfg_parser_t *pctx, cfg_obj_t *obj);
 
 static isc_result_t
-create_list(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **objp);
+parse_list(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
 
-static isc_result_t
-create_listelt(cfg_parser_t *pctx, cfg_listelt_t **eltp);
+static void
+print_list(cfg_printer_t *pctx, cfg_obj_t *obj);
 
 static void
 free_list(cfg_parser_t *pctx, cfg_obj_t *obj);
 
 static isc_result_t
+create_listelt(cfg_parser_t *pctx, cfg_listelt_t **eltp);
+
+static isc_result_t
 create_string(cfg_parser_t *pctx, const char *contents, const cfg_type_t *type,
 	      cfg_obj_t **ret);
 
@@ -277,86 +86,10 @@ free_string(cfg_parser_t *pctx, cfg_obj_t *obj);
 static isc_result_t
 create_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **objp);
 
-static isc_result_t
-create_tuple(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **objp);
-
 static void
 free_map(cfg_parser_t *pctx, cfg_obj_t *obj);
 
 static isc_result_t
-get_addr(cfg_parser_t *pctx, unsigned int flags, isc_netaddr_t *na);
-
-static void
-print(cfg_printer_t *pctx, const char *text, int len);
-
-static void
-print_void(cfg_printer_t *pctx, const cfg_obj_t *obj);
-
-static isc_result_t
-parse_enum_or_other(cfg_parser_t *pctx, const cfg_type_t *enumtype,
-		    const cfg_type_t *othertype, cfg_obj_t **ret);
-
-static isc_result_t
-parse_mapbody(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
-
-static void
-print_mapbody(cfg_printer_t *pctx, const cfg_obj_t *obj);
-
-static isc_result_t
-parse_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
-
-static void
-print_map(cfg_printer_t *pctx, const cfg_obj_t *obj);
-
-static isc_result_t
-parse_named_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
-
-static isc_result_t
-parse_addressed_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
-
-static isc_result_t
-parse_list(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
-
-static void
-print_list(cfg_printer_t *pctx, const cfg_obj_t *obj);
-
-static isc_result_t
-parse_tuple(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
-
-static void
-print_tuple(cfg_printer_t *pctx, const cfg_obj_t *obj);
-
-static void
-free_tuple(cfg_parser_t *pctx, cfg_obj_t *obj);
-
-static isc_result_t
-parse_spacelist(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
-
-static void
-print_spacelist(cfg_printer_t *pctx, const cfg_obj_t *obj);
-
-static void
-print_sockaddr(cfg_printer_t *pctx, const cfg_obj_t *obj);
-
-static isc_result_t
-parse_addrmatchelt(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
-
-static isc_result_t
-parse_bracketed_list(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
-
-static void
-print_bracketed_list(cfg_printer_t *pctx, const cfg_obj_t *obj);
-
-static isc_result_t
-parse_keyvalue(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
-
-static isc_result_t
-parse_optional_keyvalue(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
-
-static void
-print_keyvalue(cfg_printer_t *pctx, const cfg_obj_t *obj);
-
-static isc_result_t
 parse_symtab_elt(cfg_parser_t *pctx, const char *name,
 		 cfg_type_t *elttype, isc_symtab_t *symtab,
 		 isc_boolean_t callback);
@@ -365,38 +98,12 @@ static void
 free_noop(cfg_parser_t *pctx, cfg_obj_t *obj);
 
 static isc_result_t
-cfg_gettoken(cfg_parser_t *pctx, int options);
-
-static void
-cfg_ungettoken(cfg_parser_t *pctx);
-
-static isc_result_t
-cfg_peektoken(cfg_parser_t *pctx, int options);
-
-static isc_result_t
 cfg_getstringtoken(cfg_parser_t *pctx);
 
 static void
-parser_error(cfg_parser_t *pctx, unsigned int flags,
-	     const char *fmt, ...) ISC_FORMAT_PRINTF(3, 4);
-
-static void
-parser_warning(cfg_parser_t *pctx, unsigned int flags,
-	       const char *fmt, ...) ISC_FORMAT_PRINTF(3, 4);
-
-static void
 parser_complain(cfg_parser_t *pctx, isc_boolean_t is_warning,
 		unsigned int flags, const char *format, va_list args);
 
-static void
-print_uint32(cfg_printer_t *pctx, const cfg_obj_t *obj);
-
-static void
-print_ustring(cfg_printer_t *pctx, const cfg_obj_t *obj);
-
-static isc_result_t
-parse_enum(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
-
 /*
  * Data representations.  These correspond to members of the
  * "value" union in struct cfg_obj (except "void", which does
@@ -415,735 +122,30 @@ cfg_rep_t cfg_rep_netprefix = { "netprefix", free_noop };
 cfg_rep_t cfg_rep_void = { "void", free_noop };
 
 /*
- * Forward declarations of configuration type definitions.
- * Additional types are declared publicly in cfg.h.
- */
-
-static cfg_type_t cfg_type_boolean;
-static cfg_type_t cfg_type_uint32;
-static cfg_type_t cfg_type_qstring;
-static cfg_type_t cfg_type_astring;
-static cfg_type_t cfg_type_ustring;
-static cfg_type_t cfg_type_optional_port;
-static cfg_type_t cfg_type_bracketed_aml;
-static cfg_type_t cfg_type_acl;
-static cfg_type_t cfg_type_portiplist;
-static cfg_type_t cfg_type_bracketed_sockaddrlist;
-static cfg_type_t cfg_type_sockaddr;
-static cfg_type_t cfg_type_netaddr;
-static cfg_type_t cfg_type_optional_keyref;
-static cfg_type_t cfg_type_options;
-static cfg_type_t cfg_type_view;
-static cfg_type_t cfg_type_viewopts;
-static cfg_type_t cfg_type_key;
-static cfg_type_t cfg_type_server;
-static cfg_type_t cfg_type_controls;
-static cfg_type_t cfg_type_bracketed_sockaddrkeylist;
-static cfg_type_t cfg_type_querysource4;
-static cfg_type_t cfg_type_querysource6;
-static cfg_type_t cfg_type_querysource;
-static cfg_type_t cfg_type_sockaddr4wild;
-static cfg_type_t cfg_type_sockaddr6wild;
-static cfg_type_t cfg_type_sockaddr;
-static cfg_type_t cfg_type_netprefix;
-static cfg_type_t cfg_type_zone;
-static cfg_type_t cfg_type_zoneopts;
-static cfg_type_t cfg_type_logging;
-static cfg_type_t cfg_type_optional_facility;
-static cfg_type_t cfg_type_void;
-static cfg_type_t cfg_type_optional_class;
-static cfg_type_t cfg_type_destinationlist;
-static cfg_type_t cfg_type_size;
-static cfg_type_t cfg_type_sizenodefault;
-static cfg_type_t cfg_type_negated;
-static cfg_type_t cfg_type_addrmatchelt;
-static cfg_type_t cfg_type_unsupported;
-static cfg_type_t cfg_type_token;
-static cfg_type_t cfg_type_server_key_kludge;
-static cfg_type_t cfg_type_optional_facility;
-static cfg_type_t cfg_type_logseverity;
-static cfg_type_t cfg_type_logfile;
-static cfg_type_t cfg_type_lwres;
-static cfg_type_t cfg_type_controls_sockaddr;
-static cfg_type_t cfg_type_notifytype;
-static cfg_type_t cfg_type_dialuptype;
-
-/*
  * Configuration type definitions.
  */
 
-/* tkey-dhkey */
-
-static cfg_tuplefielddef_t tkey_dhkey_fields[] = {
-	{ "name", &cfg_type_qstring, 0 },
-	{ "keyid", &cfg_type_uint32, 0 },
-	{ NULL, NULL, 0 }
-};
-
-static cfg_type_t cfg_type_tkey_dhkey = {
-	"tkey-dhkey", parse_tuple, print_tuple, &cfg_rep_tuple,
-	tkey_dhkey_fields
-};
-
-/* listen-on */
-
-static cfg_tuplefielddef_t listenon_fields[] = {
-	{ "port", &cfg_type_optional_port, 0 },
-	{ "acl", &cfg_type_bracketed_aml, 0 },
-	{ NULL, NULL, 0 }
-};
-static cfg_type_t cfg_type_listenon = {
-	"listenon", parse_tuple, print_tuple, &cfg_rep_tuple, listenon_fields };
-
-/* acl */
-
-static cfg_tuplefielddef_t acl_fields[] = {
-	{ "name", &cfg_type_astring, 0 },
-	{ "value", &cfg_type_bracketed_aml, 0 },
-	{ NULL, NULL, 0 }
-};
-
-static cfg_type_t cfg_type_acl = {
-	"acl", parse_tuple, print_tuple, &cfg_rep_tuple, acl_fields };
-
-
-/*
- * "sockaddrkeylist", a list of socket addresses with optional keys
- * and an optional default port, as used in the masters option.
- * E.g.,
- *   "port 1234 { 10.0.0.1 key foo; 1::2 port 69; }"
- */
-
-static cfg_tuplefielddef_t sockaddrkey_fields[] = {
-	{ "sockaddr", &cfg_type_sockaddr, 0 },
-	{ "key", &cfg_type_optional_keyref, 0 },
-	{ NULL, NULL, 0 },
-};
-
-static cfg_type_t cfg_type_sockaddrkey = {
-	"sockaddrkey", parse_tuple, print_tuple, &cfg_rep_tuple,
-	sockaddrkey_fields
-};
-
-static cfg_type_t cfg_type_bracketed_sockaddrkeylist = {
-	"bracketed_sockaddrkeylist", parse_bracketed_list,
-	print_bracketed_list, &cfg_rep_list, &cfg_type_sockaddrkey
-};
-
-static cfg_tuplefielddef_t sockaddrkeylist_fields[] = {
-	{ "port", &cfg_type_optional_port, 0 },
-	{ "addresses", &cfg_type_bracketed_sockaddrkeylist, 0 },
-	{ NULL, NULL, 0 }
-};
-static cfg_type_t cfg_type_sockaddrkeylist = {
-	"sockaddrkeylist", parse_tuple, print_tuple, &cfg_rep_tuple,
-	sockaddrkeylist_fields
-};
-
-/*
- * A list of socket addresses with an optional default port,
- * as used in the also-notify option.  E.g.,
- * "port 1234 { 10.0.0.1; 1::2 port 69; }"
- */
-static cfg_tuplefielddef_t portiplist_fields[] = {
-	{ "port", &cfg_type_optional_port, 0 },
-	{ "addresses", &cfg_type_bracketed_sockaddrlist, 0 },
-	{ NULL, NULL, 0 }
-};
-static cfg_type_t cfg_type_portiplist = {
-	"portiplist", parse_tuple, print_tuple, &cfg_rep_tuple,
-	portiplist_fields
-};
-
-/*
- * A public key, as in the "pubkey" statement.
- */
-static cfg_tuplefielddef_t pubkey_fields[] = {
-	{ "flags", &cfg_type_uint32, 0 },
-	{ "protocol", &cfg_type_uint32, 0 },
-	{ "algorithm", &cfg_type_uint32, 0 },
-	{ "key", &cfg_type_qstring, 0 },
-	{ NULL, NULL, 0 }
-};
-static cfg_type_t cfg_type_pubkey = {
-	"pubkey", parse_tuple, print_tuple, &cfg_rep_tuple, pubkey_fields };
-
-
-/*
- * A list of RR types, used in grant statements.
- * Note that the old parser allows quotes around the RR type names.
- */
-static cfg_type_t cfg_type_rrtypelist = {
-	"rrtypelist", parse_spacelist, print_spacelist, &cfg_rep_list,
-	&cfg_type_astring
-};
-
-static const char *mode_enums[] = { "grant", "deny", NULL };
-static cfg_type_t cfg_type_mode = {
-	"mode", parse_enum, print_ustring, &cfg_rep_string,
-	&mode_enums
-};
-
-static const char *matchtype_enums[] = {
-	"name", "subdomain", "wildcard", "self", NULL };
-static cfg_type_t cfg_type_matchtype = {
-	"matchtype", parse_enum, print_ustring, &cfg_rep_string,
-	&matchtype_enums
-};
-
-/*
- * A grant statement, used in the update policy.
- */
-static cfg_tuplefielddef_t grant_fields[] = {
-	{ "mode", &cfg_type_mode, 0 },
-	{ "identity", &cfg_type_astring, 0 }, /* domain name */ 
-	{ "matchtype", &cfg_type_matchtype, 0 },
-	{ "name", &cfg_type_astring, 0 }, /* domain name */
-	{ "types", &cfg_type_rrtypelist, 0 },
-	{ NULL, NULL, 0 }
-};
-static cfg_type_t cfg_type_grant = {
-	"grant", parse_tuple, print_tuple, &cfg_rep_tuple, grant_fields };
-
-static cfg_type_t cfg_type_updatepolicy = {
-	"update_policy", parse_bracketed_list, print_bracketed_list,
-	&cfg_rep_list, &cfg_type_grant
-};
-
-/*
- * A view statement.
- */
-static cfg_tuplefielddef_t view_fields[] = {
-	{ "name", &cfg_type_astring, 0 },
-	{ "class", &cfg_type_optional_class, 0 },
-	{ "options", &cfg_type_viewopts, 0 },
-	{ NULL, NULL, 0 }
-};
-static cfg_type_t cfg_type_view = {
-	"view", parse_tuple, print_tuple, &cfg_rep_tuple, view_fields };
-
-/*
- * A zone statement.
- */
-static cfg_tuplefielddef_t zone_fields[] = {
-	{ "name", &cfg_type_astring, 0 },
-	{ "class", &cfg_type_optional_class, 0 },
-	{ "options", &cfg_type_zoneopts, 0 },
-	{ NULL, NULL, 0 }
-};
-static cfg_type_t cfg_type_zone = {
-	"zone", parse_tuple, print_tuple, &cfg_rep_tuple, zone_fields };
-
-/*
- * A "category" clause in the "logging" statement.
- */
-static cfg_tuplefielddef_t category_fields[] = {
-	{ "name", &cfg_type_astring, 0 },
-	{ "destinations", &cfg_type_destinationlist,0 },
-	{ NULL, NULL, 0 }
-};
-static cfg_type_t cfg_type_category = {
-	"category", parse_tuple, print_tuple, &cfg_rep_tuple, category_fields };
-
-
-/*
- * A trusted key, as used in the "trusted-keys" statement.
- */
-static cfg_tuplefielddef_t trustedkey_fields[] = {
-	{ "name", &cfg_type_astring, 0 },
-	{ "flags", &cfg_type_uint32, 0 },
-	{ "protocol", &cfg_type_uint32, 0 },
-	{ "algorithm", &cfg_type_uint32, 0 },
-	{ "key", &cfg_type_qstring, 0 },
-	{ NULL, NULL, 0 }
-};
-static cfg_type_t cfg_type_trustedkey = {
-	"trustedkey", parse_tuple, print_tuple, &cfg_rep_tuple,
-	trustedkey_fields
-};
-
-
-static keyword_type_t wild_class_kw = { "class", &cfg_type_ustring };
-
-static cfg_type_t cfg_type_optional_wild_class = {
-	"optional_wild_class", parse_optional_keyvalue,
-	print_keyvalue, &cfg_rep_string, &wild_class_kw
-};
-
-static keyword_type_t wild_type_kw = { "type", &cfg_type_ustring };
-
-static cfg_type_t cfg_type_optional_wild_type = {
-	"optional_wild_type", parse_optional_keyvalue,
-	print_keyvalue, &cfg_rep_string, &wild_type_kw
-};
-
-static keyword_type_t wild_name_kw = { "name", &cfg_type_qstring };
-
-static cfg_type_t cfg_type_optional_wild_name = {
-	"optional_wild_name", parse_optional_keyvalue,
-	print_keyvalue, &cfg_rep_string, &wild_name_kw
-};
-
-/*
- * An rrset ordering element.
- */
-static cfg_tuplefielddef_t rrsetorderingelement_fields[] = {
-	{ "class", &cfg_type_optional_wild_class, 0 },
-	{ "type", &cfg_type_optional_wild_type, 0 },
-	{ "name", &cfg_type_optional_wild_name, 0 },
-	{ "order", &cfg_type_ustring, 0 }, /* must be literal "order" */ 
-	{ "ordering", &cfg_type_ustring, 0 },
-	{ NULL, NULL, 0 }
-};
-static cfg_type_t cfg_type_rrsetorderingelement = {
-	"rrsetorderingelement", parse_tuple, print_tuple, &cfg_rep_tuple,
-	rrsetorderingelement_fields
-};
-
-/*
- * A global or view "check-names" option.  Note that the zone
- * "check-names" option has a different syntax.
- */
-static cfg_tuplefielddef_t checknames_fields[] = {
-	{ "type", &cfg_type_ustring, 0 },
-	{ "mode", &cfg_type_ustring, 0 },
-	{ NULL, NULL, 0 }
-};
-static cfg_type_t cfg_type_checknames = {
-	"checknames", parse_tuple, print_tuple, &cfg_rep_tuple,
-	checknames_fields
-};
-
-static cfg_type_t cfg_type_bracketed_sockaddrlist = {
-	"bracketed_sockaddrlist", parse_bracketed_list, print_bracketed_list,
-	&cfg_rep_list, &cfg_type_sockaddr
-};
-
-static cfg_type_t cfg_type_rrsetorder = {
-	"rrsetorder", parse_bracketed_list, print_bracketed_list,
-	&cfg_rep_list, &cfg_type_rrsetorderingelement
-};
-
-static keyword_type_t port_kw = { "port", &cfg_type_uint32 };
-
-static cfg_type_t cfg_type_optional_port = {
-	"optional_port", parse_optional_keyvalue, print_keyvalue,
-	&cfg_rep_uint32, &port_kw
-};
-
-/* A list of keys, as in the "key" clause of the controls statement. */
-static cfg_type_t cfg_type_keylist = {
-	"keylist", parse_bracketed_list, print_bracketed_list, &cfg_rep_list,
-	&cfg_type_astring
-};
-
-static cfg_type_t cfg_type_trustedkeys = {
-	"trusted-keys", parse_bracketed_list, print_bracketed_list, &cfg_rep_list,
-	&cfg_type_trustedkey
-};
-
 /*
  * An implicit list.  These are formed by clauses that occur multiple times.
  */
 static cfg_type_t cfg_type_implicitlist = {
-	"implicitlist", NULL, print_list, &cfg_rep_list, NULL };
-
-static const char *forwardtype_enums[] = { "first", "only", NULL };
-static cfg_type_t cfg_type_forwardtype = {
-	"forwardtype", parse_enum, print_ustring, &cfg_rep_string,
-	&forwardtype_enums
-};
-
-static const char *zonetype_enums[] = {
-	"master", "slave", "stub", "hint", "forward", "delegation-only", NULL };
-static cfg_type_t cfg_type_zonetype = {
-	"zonetype", parse_enum, print_ustring, &cfg_rep_string,
-	&zonetype_enums
-};
-
-static const char *loglevel_enums[] = {
-	"critical", "error", "warning", "notice", "info", "dynamic", NULL };
-static cfg_type_t cfg_type_loglevel = {
-	"loglevel", parse_enum, print_ustring, &cfg_rep_string,
-	&loglevel_enums
-};
-
-static const char *transferformat_enums[] = {
-	"many-answers", "one-answer", NULL };
-static cfg_type_t cfg_type_transferformat = {
-	"transferformat", parse_enum, print_ustring, &cfg_rep_string,
-	&transferformat_enums
-};
-
-/*
- * Clauses that can be found within the top level of the named.conf
- * file only.
- */
-static cfg_clausedef_t
-namedconf_clauses[] = {
-	{ "options", &cfg_type_options, 0 },
-	{ "controls", &cfg_type_controls, CFG_CLAUSEFLAG_MULTI },
-	{ "acl", &cfg_type_acl, CFG_CLAUSEFLAG_MULTI },
-	{ "logging", &cfg_type_logging, 0 },
-	{ "view", &cfg_type_view, CFG_CLAUSEFLAG_MULTI },
-	{ "lwres", &cfg_type_lwres, CFG_CLAUSEFLAG_MULTI },
-	{ NULL, NULL, 0 }
-};
-
-/*
- * Clauses that can occur at the top level or in the view
- * statement, but not in the options block.
- */
-static cfg_clausedef_t
-namedconf_or_view_clauses[] = {
-	{ "key", &cfg_type_key, CFG_CLAUSEFLAG_MULTI },
-	{ "zone", &cfg_type_zone, CFG_CLAUSEFLAG_MULTI },
-	{ "server", &cfg_type_server, CFG_CLAUSEFLAG_MULTI },
-#ifdef ISC_RFC2535
-	{ "trusted-keys", &cfg_type_trustedkeys, CFG_CLAUSEFLAG_MULTI },
-#else
-	{ "trusted-keys", &cfg_type_trustedkeys,
-		 CFG_CLAUSEFLAG_MULTI|CFG_CLAUSEFLAG_OBSOLETE },
-#endif
-	{ NULL, NULL, 0 }
-};
-
-/*
- * Clauses that can be found within the 'options' statement.
- */
-static cfg_clausedef_t
-options_clauses[] = {
-	{ "blackhole", &cfg_type_bracketed_aml, 0 },
-	{ "coresize", &cfg_type_size, 0 },
-	{ "datasize", &cfg_type_size, 0 },
-	{ "deallocate-on-exit", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
-	{ "directory", &cfg_type_qstring, CFG_CLAUSEFLAG_CALLBACK },
-	{ "dump-file", &cfg_type_qstring, 0 },
-	{ "fake-iquery", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
-	{ "files", &cfg_type_size, 0 },
-	{ "has-old-clients", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
-	{ "heartbeat-interval", &cfg_type_uint32, 0 },
-	{ "host-statistics", &cfg_type_boolean, CFG_CLAUSEFLAG_NOTIMP },
-	{ "host-statistics-max", &cfg_type_uint32, CFG_CLAUSEFLAG_NOTIMP },
-	{ "interface-interval", &cfg_type_uint32, 0 },
-	{ "listen-on", &cfg_type_listenon, CFG_CLAUSEFLAG_MULTI },
-	{ "listen-on-v6", &cfg_type_listenon, CFG_CLAUSEFLAG_MULTI },
-	{ "match-mapped-addresses", &cfg_type_boolean, 0 },
-	{ "memstatistics-file", &cfg_type_qstring, CFG_CLAUSEFLAG_NOTIMP },
-	{ "multiple-cnames", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
-	{ "named-xfer", &cfg_type_qstring, CFG_CLAUSEFLAG_OBSOLETE },
-	{ "pid-file", &cfg_type_qstring, 0 },
-	{ "port", &cfg_type_uint32, 0 },
-	{ "random-device", &cfg_type_qstring, 0 },
-	{ "recursive-clients", &cfg_type_uint32, 0 },
-	{ "rrset-order", &cfg_type_rrsetorder, CFG_CLAUSEFLAG_NOTIMP },
-	{ "serial-queries", &cfg_type_uint32, CFG_CLAUSEFLAG_OBSOLETE },
-	{ "serial-query-rate", &cfg_type_uint32, 0 },
-	{ "stacksize", &cfg_type_size, 0 },
-	{ "statistics-file", &cfg_type_qstring, 0 },
-	{ "statistics-interval", &cfg_type_uint32, CFG_CLAUSEFLAG_NYI },
-	{ "tcp-clients", &cfg_type_uint32, 0 },
-	{ "tkey-dhkey", &cfg_type_tkey_dhkey, 0 },
-	{ "tkey-gssapi-credential", &cfg_type_qstring, 0 },
-	{ "tkey-domain", &cfg_type_qstring, 0 },
-	{ "transfers-per-ns", &cfg_type_uint32, 0 },
-	{ "transfers-in", &cfg_type_uint32, 0 },
-	{ "transfers-out", &cfg_type_uint32, 0 },
-	{ "treat-cr-as-space", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
-	{ "use-id-pool", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
-	{ "use-ixfr", &cfg_type_boolean, 0 },
-	{ "version", &cfg_type_qstring, 0 },
-	{ NULL, NULL, 0 }
-};
-
-
-static cfg_type_t cfg_type_namelist = {
-	"namelist", parse_bracketed_list, print_bracketed_list,
-	&cfg_rep_list, &cfg_type_qstring };
-
-static keyword_type_t exclude_kw = { "exclude", &cfg_type_namelist };
-
-static cfg_type_t cfg_type_optional_exclude = {
-	"optional_exclude", parse_optional_keyvalue, print_keyvalue,
-	&cfg_rep_list, &exclude_kw };
-
-/*
- * Clauses that can be found within the 'view' statement,
- * with defaults in the 'options' statement.
- */
-
-static cfg_clausedef_t
-view_clauses[] = {
-	{ "allow-recursion", &cfg_type_bracketed_aml, 0 },
-	{ "allow-v6-synthesis", &cfg_type_bracketed_aml, 0 },
-	{ "sortlist", &cfg_type_bracketed_aml, 0 },
-	{ "topology", &cfg_type_bracketed_aml, CFG_CLAUSEFLAG_NOTIMP },
-	{ "auth-nxdomain", &cfg_type_boolean, CFG_CLAUSEFLAG_NEWDEFAULT },
-	{ "minimal-responses", &cfg_type_boolean, 0 },
-	{ "recursion", &cfg_type_boolean, 0 },
-	{ "provide-ixfr", &cfg_type_boolean, 0 },
-	{ "request-ixfr", &cfg_type_boolean, 0 },
-	{ "fetch-glue", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
-	{ "rfc2308-type1", &cfg_type_boolean, CFG_CLAUSEFLAG_NYI },
-	{ "additional-from-auth", &cfg_type_boolean, 0 },
-	{ "additional-from-cache", &cfg_type_boolean, 0 },
-	/*
-	 * Note that the query-source option syntax is different
-	 * from the other -source options.
-	 */
-	{ "query-source", &cfg_type_querysource4, 0 },
-	{ "query-source-v6", &cfg_type_querysource6, 0 },
-	{ "cleaning-interval", &cfg_type_uint32, 0 },
-	{ "min-roots", &cfg_type_uint32, CFG_CLAUSEFLAG_NOTIMP },
-	{ "lame-ttl", &cfg_type_uint32, 0 },
-	{ "max-ncache-ttl", &cfg_type_uint32, 0 },
-	{ "max-cache-ttl", &cfg_type_uint32, 0 },
-	{ "transfer-format", &cfg_type_transferformat, 0 },
-	{ "max-cache-size", &cfg_type_sizenodefault, 0 },
-	{ "check-names", &cfg_type_checknames,
-	  CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_NOTIMP },
-	{ "cache-file", &cfg_type_qstring, 0 },
-	{ "root-delegation-only",  &cfg_type_optional_exclude, 0 },
-	{ NULL, NULL, 0 }
-};
-
-/*
- * Clauses that can be found within the 'view' statement only.
- */
-static cfg_clausedef_t
-view_only_clauses[] = {
-	{ "match-clients", &cfg_type_bracketed_aml, 0 },
-	{ "match-destinations", &cfg_type_bracketed_aml, 0 },
-	{ "match-recursive-only", &cfg_type_boolean, 0 },
-	{ NULL, NULL, 0 }
-};
-
-/*
- * Clauses that can be found in a 'zone' statement,
- * with defaults in the 'view' or 'options' statement.
- */
-static cfg_clausedef_t
-zone_clauses[] = {
-	{ "allow-query", &cfg_type_bracketed_aml, 0 },
-	{ "allow-transfer", &cfg_type_bracketed_aml, 0 },
-	{ "allow-update-forwarding", &cfg_type_bracketed_aml, 0 },
-	{ "allow-notify", &cfg_type_bracketed_aml, 0 },
-	{ "notify", &cfg_type_notifytype, 0 },
-	{ "notify-source", &cfg_type_sockaddr4wild, 0 },
-	{ "notify-source-v6", &cfg_type_sockaddr6wild, 0 },
-	{ "also-notify", &cfg_type_portiplist, 0 },
-	{ "dialup", &cfg_type_dialuptype, 0 },
-	{ "forward", &cfg_type_forwardtype, 0 },
-	{ "forwarders", &cfg_type_portiplist, 0 },
-	{ "maintain-ixfr-base", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
-	{ "max-ixfr-log-size", &cfg_type_size, CFG_CLAUSEFLAG_OBSOLETE },
-	{ "transfer-source", &cfg_type_sockaddr4wild, 0 },
-	{ "transfer-source-v6", &cfg_type_sockaddr6wild, 0 },
-	{ "max-transfer-time-in", &cfg_type_uint32, 0 },
-	{ "max-transfer-time-out", &cfg_type_uint32, 0 },
-	{ "max-transfer-idle-in", &cfg_type_uint32, 0 },
-	{ "max-transfer-idle-out", &cfg_type_uint32, 0 },
-	{ "max-retry-time", &cfg_type_uint32, 0 },
-	{ "min-retry-time", &cfg_type_uint32, 0 },
-	{ "max-refresh-time", &cfg_type_uint32, 0 },
-	{ "min-refresh-time", &cfg_type_uint32, 0 },
-	{ "sig-validity-interval", &cfg_type_uint32, 0 },
-	{ "zone-statistics", &cfg_type_boolean, 0 },
-	{ NULL, NULL, 0 }
-};
-
-/*
- * Clauses that can be found in a 'zone' statement
- * only.
- */
-static cfg_clausedef_t
-zone_only_clauses[] = {
-	{ "type", &cfg_type_zonetype, 0 },
-	{ "allow-update", &cfg_type_bracketed_aml, 0 },
-	{ "file", &cfg_type_qstring, 0 },
-	{ "ixfr-base", &cfg_type_qstring, CFG_CLAUSEFLAG_OBSOLETE },
-	{ "ixfr-tmp-file", &cfg_type_qstring, CFG_CLAUSEFLAG_OBSOLETE },
-	{ "masters", &cfg_type_sockaddrkeylist, 0 },
-	{ "pubkey", &cfg_type_pubkey,
-	  CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_OBSOLETE },
-	{ "update-policy", &cfg_type_updatepolicy, 0 },
-	{ "database", &cfg_type_astring, 0 },
-	{ "delegation-only", &cfg_type_boolean, 0 },
-	/*
-	 * Note that the format of the check-names option is different between
-	 * the zone options and the global/view options.  Ugh.
-	 */
-	{ "check-names", &cfg_type_ustring, CFG_CLAUSEFLAG_NOTIMP },
-	{ NULL, NULL, 0 }
-};
-
-
-/* The top-level named.conf syntax. */
-
-static cfg_clausedef_t *
-namedconf_clausesets[] = {
-	namedconf_clauses,
-	namedconf_or_view_clauses,
-	NULL
-};
-
-LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_namedconf = {
-	"namedconf", parse_mapbody, print_mapbody, &cfg_rep_map,
-	namedconf_clausesets
-};
-
-/* The "options" statement syntax. */
-
-static cfg_clausedef_t *
-options_clausesets[] = {
-	options_clauses,
-	view_clauses,
-	zone_clauses,
-	NULL
-};
-static cfg_type_t cfg_type_options = {
-	"options", parse_map, print_map, &cfg_rep_map, options_clausesets };
-
-/* The "view" statement syntax. */
-
-static cfg_clausedef_t *
-view_clausesets[] = {
-	view_only_clauses,
-	namedconf_or_view_clauses,
-	view_clauses,
-	zone_clauses,
-	NULL
-};
-static cfg_type_t cfg_type_viewopts = {
-	"view", parse_map, print_map, &cfg_rep_map, view_clausesets };
-
-/* The "zone" statement syntax. */
-
-static cfg_clausedef_t *
-zone_clausesets[] = {
-	zone_only_clauses,
-	zone_clauses,
-	NULL
-};
-static cfg_type_t cfg_type_zoneopts = {
-	"zoneopts", parse_map, print_map, &cfg_rep_map, zone_clausesets };
-
-/*
- * Clauses that can be found within the 'key' statement.
- */
-static cfg_clausedef_t
-key_clauses[] = {
-	{ "algorithm", &cfg_type_astring, 0 },
-	{ "secret", &cfg_type_astring, 0 },
-	{ NULL, NULL, 0 }
-};
-
-static cfg_clausedef_t *
-key_clausesets[] = {
-	key_clauses,
-	NULL
-};
-static cfg_type_t cfg_type_key = {
-	"key", parse_named_map, print_map, &cfg_rep_map, key_clausesets };
-
-
-/*
- * Clauses that can be found in a 'server' statement.
- */
-static cfg_clausedef_t
-server_clauses[] = {
-	{ "bogus", &cfg_type_boolean, 0 },
-	{ "provide-ixfr", &cfg_type_boolean, 0 },
-	{ "request-ixfr", &cfg_type_boolean, 0 },
-	{ "support-ixfr", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
-	{ "transfers", &cfg_type_uint32, 0 },
-	{ "transfer-format", &cfg_type_transferformat, 0 },
-	{ "keys", &cfg_type_server_key_kludge, 0 },
-	{ "edns", &cfg_type_boolean, 0 },
-	{ NULL, NULL, 0 }
-};
-static cfg_clausedef_t *
-server_clausesets[] = {
-	server_clauses,
-	NULL
-};
-static cfg_type_t cfg_type_server = {
-	"server", parse_addressed_map, print_map, &cfg_rep_map,
-	server_clausesets
-};
-
-
-/*
- * Clauses that can be found in a 'channel' clause in the
- * 'logging' statement.
- *
- * These have some additional constraints that need to be
- * checked after parsing:
- *  - There must exactly one of file/syslog/null/stderr
- *
- */
-static cfg_clausedef_t
-channel_clauses[] = {
-	/* Destinations.  We no longer require these to be first. */
-	{ "file", &cfg_type_logfile, 0 },
-	{ "syslog", &cfg_type_optional_facility, 0 },
-	{ "null", &cfg_type_void, 0 },
-	{ "stderr", &cfg_type_void, 0 },
-	/* Options.  We now accept these for the null channel, too. */
-	{ "severity", &cfg_type_logseverity, 0 },
-	{ "print-time", &cfg_type_boolean, 0 },
-	{ "print-severity", &cfg_type_boolean, 0 },
-	{ "print-category", &cfg_type_boolean, 0 },
-	{ NULL, NULL, 0 }
-};
-static cfg_clausedef_t *
-channel_clausesets[] = {
-	channel_clauses,
-	NULL
-};
-static cfg_type_t cfg_type_channel = {
-	"channel", parse_named_map, print_map,
-	&cfg_rep_map, channel_clausesets
-};
-
-/* A list of log destination, used in the "category" clause. */
-static cfg_type_t cfg_type_destinationlist = {
-	"destinationlist", parse_bracketed_list, print_bracketed_list,
-	&cfg_rep_list, &cfg_type_astring };
-
-/*
- * Clauses that can be found in a 'logging' statement.
- */
-static cfg_clausedef_t
-logging_clauses[] = {
-	{ "channel", &cfg_type_channel, CFG_CLAUSEFLAG_MULTI },
-	{ "category", &cfg_type_category, CFG_CLAUSEFLAG_MULTI },
-	{ NULL, NULL, 0 }
-};
-static cfg_clausedef_t *
-logging_clausesets[] = {
-	logging_clauses,
-	NULL
-};
-static cfg_type_t cfg_type_logging = {
-	"logging", parse_map, print_map, &cfg_rep_map, logging_clausesets };
-
+	"implicitlist", NULL, print_list, NULL, &cfg_rep_list, NULL };
 
 /* Functions. */
 
-static void
-print_obj(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+void
+cfg_print_obj(cfg_printer_t *pctx, cfg_obj_t *obj) {
 	obj->type->print(pctx, obj);
 }
 
-static void
-print(cfg_printer_t *pctx, const char *text, int len) {
+void
+cfg_print_chars(cfg_printer_t *pctx, const char *text, int len) {
 	pctx->f(pctx->closure, text, len);
 }
 
 static void
 print_open(cfg_printer_t *pctx) {
-	print(pctx, "{\n", 2);
+	cfg_print_chars(pctx, "{\n", 2);
 	pctx->indent++;
 }
 
@@ -1151,7 +153,7 @@ static void
 print_indent(cfg_printer_t *pctx) {
 	int indent = pctx->indent;
 	while (indent > 0) {
-		print(pctx, "\t", 1);
+		cfg_print_chars(pctx, "\t", 1);
 		indent--;
 	}
 }
@@ -1160,11 +162,11 @@ static void
 print_close(cfg_printer_t *pctx) {
 	pctx->indent--;
 	print_indent(pctx);
-	print(pctx, "}", 1);
+	cfg_print_chars(pctx, "}", 1);
 }
 
-static isc_result_t
-parse(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+isc_result_t
+cfg_parse_obj(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
 	isc_result_t result;
 	INSIST(ret != NULL && *ret == NULL);
 	result = type->parse(pctx, type, ret);
@@ -1175,7 +177,7 @@ parse(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
 }
 
 void
-cfg_print(const cfg_obj_t *obj,
+cfg_print(cfg_obj_t *obj,
 	  void (*f)(void *closure, const char *text, int textlen),
 	  void *closure)
 {
@@ -1189,8 +191,8 @@ cfg_print(const cfg_obj_t *obj,
 
 /* Tuples. */
   
-static isc_result_t
-create_tuple(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+isc_result_t
+cfg_create_tuple(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
 	isc_result_t result;
 	const cfg_tuplefielddef_t *fields = type->of;
 	const cfg_tuplefielddef_t *f;
@@ -1201,7 +203,7 @@ create_tuple(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
 	for (f = fields; f->name != NULL; f++)
 		nfields++;
 
-	CHECK(create_cfgobj(pctx, type, &obj));
+	CHECK(cfg_create_obj(pctx, type, &obj));
 	obj->value.tuple = isc_mem_get(pctx->mctx,
 				       nfields * sizeof(cfg_obj_t *));
 	if (obj->value.tuple == NULL) {
@@ -1219,8 +221,8 @@ create_tuple(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
 	return (result);
 }
 
-static isc_result_t
-parse_tuple(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
+isc_result_t
+cfg_parse_tuple(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
 {
 	isc_result_t result;
 	const cfg_tuplefielddef_t *fields = type->of;
@@ -1228,9 +230,9 @@ parse_tuple(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
 	cfg_obj_t *obj = NULL;
 	unsigned int i;
 
-	CHECK(create_tuple(pctx, type, &obj));
+	CHECK(cfg_create_tuple(pctx, type, &obj));
 	for (f = fields, i = 0; f->name != NULL; f++, i++)
-		CHECK(parse(pctx, f->type, &obj->value.tuple[i]));
+		CHECK(cfg_parse_obj(pctx, f->type, &obj->value.tuple[i]));
 
 	*ret = obj;
 	return (ISC_R_SUCCESS);
@@ -1240,8 +242,8 @@ parse_tuple(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
 	return (result);
 }
 
-static void
-print_tuple(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+void
+cfg_print_tuple(cfg_printer_t *pctx, cfg_obj_t *obj) {
 	unsigned int i;
 	const cfg_tuplefielddef_t *fields = obj->type->of;
 	const cfg_tuplefielddef_t *f;
@@ -1250,9 +252,23 @@ print_tuple(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 	for (f = fields, i = 0; f->name != NULL; f++, i++) {
 		cfg_obj_t *fieldobj = obj->value.tuple[i];
 		if (need_space)
-			print(pctx, " ", 1);
-		print_obj(pctx, fieldobj);
-		need_space = ISC_TF(fieldobj->type->print != print_void);
+			cfg_print_chars(pctx, " ", 1);
+		cfg_print_obj(pctx, fieldobj);
+		need_space = ISC_TF(fieldobj->type->print != cfg_print_void);
+	}
+}
+
+void
+cfg_doc_tuple(cfg_printer_t *pctx, const cfg_type_t *type) {
+	const cfg_tuplefielddef_t *fields = type->of;
+	const cfg_tuplefielddef_t *f;
+	isc_boolean_t need_space = ISC_FALSE;
+
+	for (f = fields; f->name != NULL; f++) {
+		if (need_space)
+			cfg_print_chars(pctx, " ", 1);
+		cfg_doc_obj(pctx, f->type);
+		need_space = ISC_TF(f->type->print != cfg_print_void);
 	}
 }
 
@@ -1275,13 +291,13 @@ free_tuple(cfg_parser_t *pctx, cfg_obj_t *obj) {
 }
 
 isc_boolean_t
-cfg_obj_istuple(const cfg_obj_t *obj) {
+cfg_obj_istuple(cfg_obj_t *obj) {
 	REQUIRE(obj != NULL);
 	return (ISC_TF(obj->type->rep == &cfg_rep_tuple));
 }
 
-const cfg_obj_t *
-cfg_tuple_get(const cfg_obj_t *tupleobj, const char* name) {
+cfg_obj_t *
+cfg_tuple_get(cfg_obj_t *tupleobj, const char* name) {
 	unsigned int i;
 	const cfg_tuplefielddef_t *fields;
 	const cfg_tuplefielddef_t *f;
@@ -1297,18 +313,15 @@ cfg_tuple_get(const cfg_obj_t *tupleobj, const char* name) {
 	return (NULL);
 }
 
-/*
- * Parse a required special character.
- */
-static isc_result_t
-parse_special(cfg_parser_t *pctx, int special) {
+isc_result_t
+cfg_parse_special(cfg_parser_t *pctx, int special) {
         isc_result_t result;
 	CHECK(cfg_gettoken(pctx, 0));
 	if (pctx->token.type == isc_tokentype_special &&
 	    pctx->token.value.as_char == special)
 		return (ISC_R_SUCCESS);
 
-	parser_error(pctx, LOG_NEAR, "'%c' expected", special);
+	cfg_parser_error(pctx, CFG_LOG_NEAR, "'%c' expected", special);
 	return (ISC_R_UNEXPECTEDTOKEN);
  cleanup:
 	return (result);
@@ -1329,7 +342,7 @@ parse_semicolon(cfg_parser_t *pctx) {
 	    pctx->token.value.as_char == ';')
 		return (ISC_R_SUCCESS);
 
-	parser_error(pctx, LOG_BEFORE, "missing ';'");
+	cfg_parser_error(pctx, CFG_LOG_BEFORE, "missing ';'");
 	cfg_ungettoken(pctx);
  cleanup:
 	return (result);
@@ -1346,22 +359,21 @@ parse_eof(cfg_parser_t *pctx) {
 	if (pctx->token.type == isc_tokentype_eof)
 		return (ISC_R_SUCCESS);
 
-	parser_error(pctx, LOG_NEAR, "syntax error");
+	cfg_parser_error(pctx, CFG_LOG_NEAR, "syntax error");
 	return (ISC_R_UNEXPECTEDTOKEN);
  cleanup:
-	return(result);
+	return (result);
 }
 
 /* A list of files, used internally for pctx->files. */
 
 static cfg_type_t cfg_type_filelist = {
-	"filelist", NULL, print_list, &cfg_rep_list,
+	"filelist", NULL, print_list, NULL, &cfg_rep_list,
 	&cfg_type_qstring
 };
 
 isc_result_t
-cfg_parser_create(isc_mem_t *mctx, isc_log_t *lctx, cfg_parser_t **ret)
-{
+cfg_parser_create(isc_mem_t *mctx, isc_log_t *lctx, cfg_parser_t **ret) {
 	isc_result_t result;
 	cfg_parser_t *pctx;
 	isc_lexspecials_t specials;
@@ -1402,8 +414,8 @@ cfg_parser_create(isc_mem_t *mctx, isc_log_t *lctx, cfg_parser_t **ret)
 					 ISC_LEXCOMMENT_CPLUSPLUS |
 					 ISC_LEXCOMMENT_SHELL));
 
-	CHECK(create_list(pctx, &cfg_type_filelist, &pctx->open_files));
-	CHECK(create_list(pctx, &cfg_type_filelist, &pctx->closed_files));
+	CHECK(cfg_create_list(pctx, &cfg_type_filelist, &pctx->open_files));
+	CHECK(cfg_create_list(pctx, &cfg_type_filelist, &pctx->closed_files));
 
 	*ret = pctx;
 	return (ISC_R_SUCCESS);
@@ -1425,7 +437,7 @@ parser_openfile(cfg_parser_t *pctx, const char *filename) {
 
 	result = isc_lex_openfile(pctx->lexer, filename);
 	if (result != ISC_R_SUCCESS) {
-		parser_error(pctx, 0, "open: %s: %s",
+		cfg_parser_error(pctx, 0, "open: %s: %s",
 			     filename, isc_result_totext(result));
 		goto cleanup;
 	}
@@ -1459,7 +471,7 @@ parse2(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
 	isc_result_t result;
 	cfg_obj_t *obj = NULL;
 
-	result = parse(pctx, type, &obj);
+	result = cfg_parse_obj(pctx, type, &obj);
 
 	if (pctx->errors != 0) {
 		/* Errors have been logged. */
@@ -1470,7 +482,7 @@ parse2(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
 
 	if (result != ISC_R_SUCCESS) {
 		/* Parsing failed but no errors have been logged. */
-		parser_error(pctx, 0, "parsing failed");
+		cfg_parser_error(pctx, 0, "parsing failed");
 		goto cleanup;
 	}
 
@@ -1529,44 +541,51 @@ cfg_parser_destroy(cfg_parser_t **pctxp) {
 /*
  * void
  */
-static isc_result_t
-parse_void(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+isc_result_t
+cfg_parse_void(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
 	UNUSED(type);
-	return (create_cfgobj(pctx, &cfg_type_void, ret));
+	return (cfg_create_obj(pctx, &cfg_type_void, ret));
 }
 
-static void
-print_void(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+void
+cfg_print_void(cfg_printer_t *pctx, cfg_obj_t *obj) {
 	UNUSED(pctx);
 	UNUSED(obj);
 }
 
+void
+cfg_doc_void(cfg_printer_t *pctx, const cfg_type_t *type) {
+	UNUSED(pctx);
+	UNUSED(type);
+}
+
 isc_boolean_t
-cfg_obj_isvoid(const cfg_obj_t *obj) {
+cfg_obj_isvoid(cfg_obj_t *obj) {
 	REQUIRE(obj != NULL);
 	return (ISC_TF(obj->type->rep == &cfg_rep_void));
 }
 
-static cfg_type_t cfg_type_void = {
-	"void", parse_void, print_void, &cfg_rep_void, NULL };
+cfg_type_t cfg_type_void = {
+	"void", cfg_parse_void, cfg_print_void, cfg_doc_void, &cfg_rep_void,
+	NULL };
 
 
 /*
  * uint32
  */
-static isc_result_t
-parse_uint32(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+isc_result_t
+cfg_parse_uint32(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
         isc_result_t result;
 	cfg_obj_t *obj = NULL;
 	UNUSED(type);
 
 	CHECK(cfg_gettoken(pctx, ISC_LEXOPT_NUMBER | ISC_LEXOPT_CNUMBER));
 	if (pctx->token.type != isc_tokentype_number) {
-		parser_error(pctx, LOG_NEAR, "expected number");
+		cfg_parser_error(pctx, CFG_LOG_NEAR, "expected number");
 		return (ISC_R_UNEXPECTEDTOKEN);
 	}
 
-	CHECK(create_cfgobj(pctx, &cfg_type_uint32, &obj));
+	CHECK(cfg_create_obj(pctx, &cfg_type_uint32, &obj));
 
 	obj->value.uint32 = pctx->token.value.as_ulong;
 	*ret = obj;
@@ -1574,209 +593,72 @@ parse_uint32(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
 	return (result);
 }
 
-static void
-print_cstr(cfg_printer_t *pctx, const char *s) {
-	print(pctx, s, strlen(s));
+void
+cfg_print_cstr(cfg_printer_t *pctx, const char *s) {
+	cfg_print_chars(pctx, s, strlen(s));
 }
 
-static void
-print_uint(cfg_printer_t *pctx, unsigned int u) {
+void
+cfg_print_rawuint(cfg_printer_t *pctx, unsigned int u) {
 	char buf[32];
 	snprintf(buf, sizeof(buf), "%u", u);
-	print_cstr(pctx, buf);
+	cfg_print_cstr(pctx, buf);
 }
 
-static void
-print_uint32(cfg_printer_t *pctx, const cfg_obj_t *obj) {
-	print_uint(pctx, obj->value.uint32);
+void
+cfg_print_uint32(cfg_printer_t *pctx, cfg_obj_t *obj) {
+	cfg_print_rawuint(pctx, obj->value.uint32);
 }
 
 isc_boolean_t
-cfg_obj_isuint32(const cfg_obj_t *obj) {
+cfg_obj_isuint32(cfg_obj_t *obj) {
 	REQUIRE(obj != NULL);
 	return (ISC_TF(obj->type->rep == &cfg_rep_uint32));
 }
 
 isc_uint32_t
-cfg_obj_asuint32(const cfg_obj_t *obj) {
+cfg_obj_asuint32(cfg_obj_t *obj) {
 	REQUIRE(obj != NULL && obj->type->rep == &cfg_rep_uint32);
 	return (obj->value.uint32);
 }
 
-static cfg_type_t cfg_type_uint32 = {
-	"integer", parse_uint32, print_uint32, &cfg_rep_uint32, NULL };
+cfg_type_t cfg_type_uint32 = {
+	"integer", cfg_parse_uint32, cfg_print_uint32, cfg_doc_terminal,
+	&cfg_rep_uint32, NULL
+};
 
 
 /*
  * uint64
  */
 isc_boolean_t
-cfg_obj_isuint64(const cfg_obj_t *obj) {
+cfg_obj_isuint64(cfg_obj_t *obj) {
 	REQUIRE(obj != NULL);
 	return (ISC_TF(obj->type->rep == &cfg_rep_uint64));
 }
 
 isc_uint64_t
-cfg_obj_asuint64(const cfg_obj_t *obj) {
+cfg_obj_asuint64(cfg_obj_t *obj) {
 	REQUIRE(obj != NULL && obj->type->rep == &cfg_rep_uint64);
 	return (obj->value.uint64);
 }
 
-static isc_result_t
-parse_unitstring(char *str, isc_resourcevalue_t *valuep) {
-	char *endp;
-	unsigned int len;
-	isc_uint64_t value;
-	isc_uint64_t unit;
-
-	value = isc_string_touint64(str, &endp, 10);
-	if (*endp == 0) {
-		*valuep = value;
-		return (ISC_R_SUCCESS);
-	}
-
-	len = strlen(str);
-	if (len < 2 || endp[1] != '\0')
-		return (ISC_R_FAILURE);
-
-	switch (str[len - 1]) {
-	case 'k':
-	case 'K':
-		unit = 1024;
-		break;
-	case 'm':
-	case 'M':
-		unit = 1024 * 1024;
-		break;
-	case 'g':
-	case 'G':
-		unit = 1024 * 1024 * 1024;
-		break;
-	default:
-		return (ISC_R_FAILURE);
-	}
-	if (value > ISC_UINT64_MAX / unit)
-		return (ISC_R_FAILURE);
-	*valuep = value * unit;
-	return (ISC_R_SUCCESS);
-}
-
-static void
-print_uint64(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+void
+cfg_print_uint64(cfg_printer_t *pctx, cfg_obj_t *obj) {
 	char buf[32];
-	sprintf(buf, "%" ISC_PRINT_QUADFORMAT "u", obj->value.uint64);
-	print_cstr(pctx, buf);
-}
-
-static cfg_type_t cfg_type_uint64 = {
-	"64_bit_integer", NULL, print_uint64, &cfg_rep_uint64, NULL };
-
-static isc_result_t
-parse_sizeval(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
-	isc_result_t result;
-	cfg_obj_t *obj = NULL;
-	isc_uint64_t val;
-
-	UNUSED(type);
-
-	CHECK(cfg_gettoken(pctx, 0));
-	if (pctx->token.type != isc_tokentype_string) {
-		result = ISC_R_UNEXPECTEDTOKEN;
-		goto cleanup;
-	}
-	CHECK(parse_unitstring(pctx->token.value.as_pointer, &val));
-
-	CHECK(create_cfgobj(pctx, &cfg_type_uint64, &obj));
-	obj->value.uint64 = val;
-	*ret = obj;
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	parser_error(pctx, LOG_NEAR, "expected integer and optional unit");
-	return (result);
-}
-
-/*
- * A size value (number + optional unit).
- */
-static cfg_type_t cfg_type_sizeval = {
-	"sizeval", parse_sizeval, print_uint64, &cfg_rep_uint64, NULL };
-
-/*
- * A size, "unlimited", or "default".
- */
-
-static isc_result_t
-parse_size(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
-	return (parse_enum_or_other(pctx, type, &cfg_type_sizeval, ret));
+	snprintf(buf, sizeof(buf), "%" ISC_PRINT_QUADFORMAT "u",
+		 obj->value.uint64);
+	cfg_print_cstr(pctx, buf);
 }
 
-static const char *size_enums[] = { "unlimited", "default", NULL };
-static cfg_type_t cfg_type_size = {
-	"size", parse_size, print_ustring, &cfg_rep_string, size_enums
+cfg_type_t cfg_type_uint64 = {
+	"64_bit_integer", NULL, cfg_print_uint64, cfg_doc_terminal,
+	&cfg_rep_uint64, NULL
 };
 
 /*
- * A size or "unlimited", but not "default".
- */
-static const char *sizenodefault_enums[] = { "unlimited", NULL };
-static cfg_type_t cfg_type_sizenodefault = {
-	"size_no_default", parse_size, print_ustring, &cfg_rep_string,
-	sizenodefault_enums
-};
-
-/*
- * optional_keyvalue
- */
-static isc_result_t
-parse_maybe_optional_keyvalue(cfg_parser_t *pctx, const cfg_type_t *type,
-			      isc_boolean_t optional, cfg_obj_t **ret)
-{
-        isc_result_t result;
-	cfg_obj_t *obj = NULL;
-	const keyword_type_t *kw = type->of;
-
-	CHECK(cfg_peektoken(pctx, 0));
-	if (pctx->token.type == isc_tokentype_string &&
-	    strcasecmp(pctx->token.value.as_pointer, kw->name) == 0) {
-		CHECK(cfg_gettoken(pctx, 0));
-		CHECK(kw->type->parse(pctx, kw->type, &obj));
-		obj->type = type; /* XXX kludge */
-	} else {
-		if (optional) {
-			CHECK(parse_void(pctx, NULL, &obj));
-		} else {
-			parser_error(pctx, LOG_NEAR, "expected '%s'",
-				     kw->name);
-			result = ISC_R_UNEXPECTEDTOKEN;
-			goto cleanup;
-		}
-	}
-	*ret = obj;
- cleanup:
-	return (result);
-}
-
-static isc_result_t
-parse_keyvalue(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
-	return (parse_maybe_optional_keyvalue(pctx, type, ISC_FALSE, ret));
-}
-
-static isc_result_t
-parse_optional_keyvalue(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
-	return (parse_maybe_optional_keyvalue(pctx, type, ISC_TRUE, ret));
-}
-
-static void
-print_keyvalue(cfg_printer_t *pctx, const cfg_obj_t *obj) {
-	const keyword_type_t *kw = obj->type->of;
-	print_cstr(pctx, kw->name);
-	print(pctx, " ", 1);
-	kw->type->print(pctx, obj);
-}
-
-/*
- * qstring, ustring, astring
+ * qstring (quoted string), ustring (unquoted string), astring
+ * (any string)
  */
 
 /* Create a string object from a null-terminated C string. */
@@ -1788,7 +670,7 @@ create_string(cfg_parser_t *pctx, const char *contents, const cfg_type_t *type,
 	cfg_obj_t *obj = NULL;
 	int len;
 
-	CHECK(create_cfgobj(pctx, type, &obj));
+	CHECK(cfg_create_obj(pctx, type, &obj));
 	len = strlen(contents);
 	obj->value.string.length = len;
 	obj->value.string.base = isc_mem_get(pctx->mctx, len + 1);
@@ -1804,18 +686,18 @@ create_string(cfg_parser_t *pctx, const char *contents, const cfg_type_t *type,
 	return (result);
 }
 
-static isc_result_t
-parse_qstring(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+isc_result_t
+cfg_parse_qstring(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
         isc_result_t result;
 	UNUSED(type);
 
-	CHECK(cfg_gettoken(pctx, QSTRING));
+	CHECK(cfg_gettoken(pctx, CFG_LEXOPT_QSTRING));
 	if (pctx->token.type != isc_tokentype_qstring) {
-		parser_error(pctx, LOG_NEAR, "expected quoted string");
+		cfg_parser_error(pctx, CFG_LOG_NEAR, "expected quoted string");
 		return (ISC_R_UNEXPECTEDTOKEN);
 	}
 	return (create_string(pctx,
-			      pctx->token.value.as_pointer,
+			      TOKEN_STRING(pctx),
 			      &cfg_type_qstring,
 			      ret));
  cleanup:
@@ -1829,33 +711,33 @@ parse_ustring(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
 
 	CHECK(cfg_gettoken(pctx, 0));
 	if (pctx->token.type != isc_tokentype_string) {
-		parser_error(pctx, LOG_NEAR, "expected unquoted string");
+		cfg_parser_error(pctx, CFG_LOG_NEAR, "expected unquoted string");
 		return (ISC_R_UNEXPECTEDTOKEN);
 	}
 	return (create_string(pctx,
-			      pctx->token.value.as_pointer,
+			      TOKEN_STRING(pctx),
 			      &cfg_type_ustring,
 			      ret));
  cleanup:
 	return (result);
 }
 
-static isc_result_t
-parse_astring(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+isc_result_t
+cfg_parse_astring(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
         isc_result_t result;
 	UNUSED(type);
 
 	CHECK(cfg_getstringtoken(pctx));
 	return (create_string(pctx,
-			      pctx->token.value.as_pointer,
+			      TOKEN_STRING(pctx),
 			      &cfg_type_qstring,
 			      ret));
  cleanup:
 	return (result);
 }
 
-static isc_boolean_t
-is_enum(const char *s, const char *const *enums) {
+isc_boolean_t
+cfg_is_enum(const char *s, const char *const *enums) {
 	const char * const *p;
 	for (p = enums; *p != NULL; p++) {
 		if (strcasecmp(*p, s) == 0)
@@ -1867,14 +749,14 @@ is_enum(const char *s, const char *const *enums) {
 static isc_result_t
 check_enum(cfg_parser_t *pctx, cfg_obj_t *obj, const char *const *enums) {
 	const char *s = obj->value.string.base;
-	if (is_enum(s, enums))
+	if (cfg_is_enum(s, enums))
 		return (ISC_R_SUCCESS);
-	parser_error(pctx, 0, "'%s' unexpected", s);
+	cfg_parser_error(pctx, 0, "'%s' unexpected", s);
 	return (ISC_R_UNEXPECTEDTOKEN);
 }
 
-static isc_result_t
-parse_enum(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+isc_result_t
+cfg_parse_enum(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
         isc_result_t result;
 	cfg_obj_t *obj = NULL;
 	CHECK(parse_ustring(pctx, NULL, &obj));
@@ -1886,36 +768,28 @@ parse_enum(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
 	return (result);
 }
 
-static isc_result_t
-parse_enum_or_other(cfg_parser_t *pctx, const cfg_type_t *enumtype,
-		    const cfg_type_t *othertype, cfg_obj_t **ret)
-{
-        isc_result_t result;
-	CHECK(cfg_peektoken(pctx, 0));
-	if (pctx->token.type == isc_tokentype_string &&
-	    is_enum(pctx->token.value.as_pointer, enumtype->of)) {
-		CHECK(parse_enum(pctx, enumtype, ret));
-	} else {
-		CHECK(parse(pctx, othertype, ret));
+void
+cfg_doc_enum(cfg_printer_t *pctx, const cfg_type_t *type) {
+	const char * const *p;
+	cfg_print_chars(pctx, "( ", 2);
+	for (p = type->of; *p != NULL; p++) {
+		cfg_print_cstr(pctx, *p);
+		if (p[1] != NULL)
+			cfg_print_chars(pctx, " | ", 3);
 	}
- cleanup:
-	return (result);
+	cfg_print_chars(pctx, " )", 2);
 }
 
-
-/*
- * Print a string object.
- */
-static void
-print_ustring(cfg_printer_t *pctx, const cfg_obj_t *obj) {
-	print(pctx, obj->value.string.base, obj->value.string.length);
+void
+cfg_print_ustring(cfg_printer_t *pctx, cfg_obj_t *obj) {
+	cfg_print_chars(pctx, obj->value.string.base, obj->value.string.length);
 }
 
 static void
-print_qstring(cfg_printer_t *pctx, const cfg_obj_t *obj) {
-	print(pctx, "\"", 1);
-	print_ustring(pctx, obj);
-	print(pctx, "\"", 1);
+print_qstring(cfg_printer_t *pctx, cfg_obj_t *obj) {
+	cfg_print_chars(pctx, "\"", 1);
+	cfg_print_ustring(pctx, obj);
+	cfg_print_chars(pctx, "\"", 1);
 }
 
 static void
@@ -1925,45 +799,51 @@ free_string(cfg_parser_t *pctx, cfg_obj_t *obj) {
 }
 
 isc_boolean_t
-cfg_obj_isstring(const cfg_obj_t *obj) {
+cfg_obj_isstring(cfg_obj_t *obj) {
 	REQUIRE(obj != NULL);
 	return (ISC_TF(obj->type->rep == &cfg_rep_string));
 }
 
-const char *
-cfg_obj_asstring(const cfg_obj_t *obj) {
+char *
+cfg_obj_asstring(cfg_obj_t *obj) {
 	REQUIRE(obj != NULL && obj->type->rep == &cfg_rep_string);
 	return (obj->value.string.base);
 }
 
+/* Quoted string only */
+cfg_type_t cfg_type_qstring = {
+	"quoted_string", cfg_parse_qstring, print_qstring, cfg_doc_terminal,
+	&cfg_rep_string, NULL
+};
+
+/* Unquoted string only */
+cfg_type_t cfg_type_ustring = {
+	"string", parse_ustring, cfg_print_ustring, cfg_doc_terminal,
+	&cfg_rep_string, NULL
+};
+
+/* Any string (quoted or unquoted); printed with quotes */
+cfg_type_t cfg_type_astring = {
+	"string", cfg_parse_astring, print_qstring, cfg_doc_terminal,
+	&cfg_rep_string, NULL
+};
+
+/*
+ * Booleans
+ */
+
 isc_boolean_t
-cfg_obj_isboolean(const cfg_obj_t *obj) {
+cfg_obj_isboolean(cfg_obj_t *obj) {
 	REQUIRE(obj != NULL);
 	return (ISC_TF(obj->type->rep == &cfg_rep_boolean));
 }
 
 isc_boolean_t
-cfg_obj_asboolean(const cfg_obj_t *obj) {
+cfg_obj_asboolean(cfg_obj_t *obj) {
 	REQUIRE(obj != NULL && obj->type->rep == &cfg_rep_boolean);
 	return (obj->value.boolean);
 }
 
-/* Quoted string only */
-static cfg_type_t cfg_type_qstring = {
-	"quoted_string", parse_qstring, print_qstring, &cfg_rep_string, NULL };
-
-/* Unquoted string only */
-static cfg_type_t cfg_type_ustring = {
-	"string", parse_ustring, print_ustring, &cfg_rep_string, NULL };
-
-/* Any string (quoted or unquoted); printed with quotes */
-static cfg_type_t cfg_type_astring = {
-	"string", parse_astring, print_qstring, &cfg_rep_string, NULL };
-
-
-/*
- * boolean
- */
 static isc_result_t
 parse_boolean(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
 {
@@ -1979,25 +859,25 @@ parse_boolean(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
 	if (pctx->token.type != isc_tokentype_string)
 		goto bad_boolean;
 
-	if ((strcasecmp(pctx->token.value.as_pointer, "true") == 0) ||
-	    (strcasecmp(pctx->token.value.as_pointer, "yes") == 0) ||
-	    (strcmp(pctx->token.value.as_pointer, "1") == 0)) {
+	if ((strcasecmp(TOKEN_STRING(pctx), "true") == 0) ||
+	    (strcasecmp(TOKEN_STRING(pctx), "yes") == 0) ||
+	    (strcmp(TOKEN_STRING(pctx), "1") == 0)) {
 		value = ISC_TRUE;
-	} else if ((strcasecmp(pctx->token.value.as_pointer, "false") == 0) ||
-		   (strcasecmp(pctx->token.value.as_pointer, "no") == 0) ||
-		   (strcmp(pctx->token.value.as_pointer, "0") == 0)) {
+	} else if ((strcasecmp(TOKEN_STRING(pctx), "false") == 0) ||
+		   (strcasecmp(TOKEN_STRING(pctx), "no") == 0) ||
+		   (strcmp(TOKEN_STRING(pctx), "0") == 0)) {
 		value = ISC_FALSE;
 	} else {
 		goto bad_boolean;
 	}
 
-	CHECK(create_cfgobj(pctx, &cfg_type_boolean, &obj));
+	CHECK(cfg_create_obj(pctx, &cfg_type_boolean, &obj));
 	obj->value.boolean = value;
 	*ret = obj;
 	return (result);
 
  bad_boolean:
-	parser_error(pctx, LOG_NEAR, "boolean expected");
+	cfg_parser_error(pctx, CFG_LOG_NEAR, "boolean expected");
 	return (ISC_R_UNEXPECTEDTOKEN);
 
  cleanup:
@@ -2005,58 +885,26 @@ parse_boolean(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
 }
 
 static void
-print_boolean(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+print_boolean(cfg_printer_t *pctx, cfg_obj_t *obj) {
 	if (obj->value.boolean)
-		print(pctx, "yes", 3);
+		cfg_print_chars(pctx, "yes", 3);
 	else
-		print(pctx, "no", 2);
-}
-
-static cfg_type_t cfg_type_boolean = {
-	"boolean", parse_boolean, print_boolean, &cfg_rep_boolean, NULL };
-
-static const char *dialup_enums[] = {
-	"notify", "notify-passive", "refresh", "passive", NULL };
-static isc_result_t
-parse_dialup_type(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
-	return (parse_enum_or_other(pctx, type, &cfg_type_boolean, ret));
-}
-static cfg_type_t cfg_type_dialuptype = {
-	"dialuptype", parse_dialup_type, print_ustring, 
-	&cfg_rep_string, dialup_enums
-};
-
-static const char *notify_enums[] = { "explicit", NULL };
-static isc_result_t
-parse_notify_type(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
-	return (parse_enum_or_other(pctx, type, &cfg_type_boolean, ret));
+		cfg_print_chars(pctx, "no", 2);
 }
-static cfg_type_t cfg_type_notifytype = {
-	"notifytype", parse_notify_type, print_ustring, 
-	&cfg_rep_string, notify_enums,
-};
-
-static keyword_type_t key_kw = { "key", &cfg_type_astring };
 
-LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_keyref = {
-	"keyref", parse_keyvalue, print_keyvalue,
-	&cfg_rep_string, &key_kw
+cfg_type_t cfg_type_boolean = {
+	"boolean", parse_boolean, print_boolean, cfg_doc_terminal,
+	&cfg_rep_boolean, NULL
 };
 
-static cfg_type_t cfg_type_optional_keyref = {
-	"optional_keyref", parse_optional_keyvalue, print_keyvalue,
-	&cfg_rep_string, &key_kw
-};
-
-
 /*
  * Lists.
  */
 
-static isc_result_t
-create_list(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **obj) {
+isc_result_t
+cfg_create_list(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **obj) {
 	isc_result_t result;
-	CHECK(create_cfgobj(pctx, type, obj));
+	CHECK(cfg_create_obj(pctx, type, obj));
 	ISC_LIST_INIT((*obj)->value.list);
  cleanup:
 	return (result);
@@ -2092,9 +940,9 @@ free_list(cfg_parser_t *pctx, cfg_obj_t *obj) {
 	}
 }
 
-static isc_result_t
-parse_list_elt(cfg_parser_t *pctx, const cfg_type_t *elttype,
-	       cfg_listelt_t **ret)
+isc_result_t
+cfg_parse_listelt(cfg_parser_t *pctx, const cfg_type_t *elttype,
+		  cfg_listelt_t **ret)
 {
 	isc_result_t result;
 	cfg_listelt_t *elt = NULL;
@@ -2102,7 +950,7 @@ parse_list_elt(cfg_parser_t *pctx, const cfg_type_t *elttype,
 
 	CHECK(create_listelt(pctx, &elt));
 
-	result = parse(pctx, elttype, &value);
+	result = cfg_parse_obj(pctx, elttype, &value);
 	if (result != ISC_R_SUCCESS)
 		goto cleanup;
 
@@ -2128,14 +976,14 @@ parse_list(cfg_parser_t *pctx, const cfg_type_t *listtype, cfg_obj_t **ret)
 	isc_result_t result;
 	cfg_listelt_t *elt = NULL;
 
-	CHECK(create_list(pctx, listtype, &listobj));
+	CHECK(cfg_create_list(pctx, listtype, &listobj));
 
 	for (;;) {
 		CHECK(cfg_peektoken(pctx, 0));
 		if (pctx->token.type == isc_tokentype_special &&
 		    pctx->token.value.as_char == /*{*/ '}')
 			break;
-		CHECK(parse_list_elt(pctx, listof, &elt));
+		CHECK(cfg_parse_listelt(pctx, listof, &elt));
 		CHECK(parse_semicolon(pctx));
 		ISC_LIST_APPEND(listobj->value.list, elt, link);
 		elt = NULL;
@@ -2151,50 +999,59 @@ parse_list(cfg_parser_t *pctx, const cfg_type_t *listtype, cfg_obj_t **ret)
 }
 
 static void
-print_list(cfg_printer_t *pctx, const cfg_obj_t *obj) {
-	const cfg_list_t *list = &obj->value.list;
-	const cfg_listelt_t *elt;
+print_list(cfg_printer_t *pctx, cfg_obj_t *obj) {
+	cfg_list_t *list = &obj->value.list;
+	cfg_listelt_t *elt;
 
 	for (elt = ISC_LIST_HEAD(*list);
 	     elt != NULL;
 	     elt = ISC_LIST_NEXT(elt, link)) {
 		print_indent(pctx);
-		print_obj(pctx, elt->obj);
-		print(pctx, ";\n", 2);
+		cfg_print_obj(pctx, elt->obj);
+		cfg_print_chars(pctx, ";\n", 2);
 	}
 }
 
-static isc_result_t
-parse_bracketed_list(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
+isc_result_t
+cfg_parse_bracketed_list(cfg_parser_t *pctx, const cfg_type_t *type,
+		     cfg_obj_t **ret)
 {
 	isc_result_t result;
-	CHECK(parse_special(pctx, '{'));
+	CHECK(cfg_parse_special(pctx, '{'));
 	CHECK(parse_list(pctx, type, ret));
-	CHECK(parse_special(pctx, '}'));
+	CHECK(cfg_parse_special(pctx, '}'));
  cleanup:
 	return (result);
 }
 
-static void
-print_bracketed_list(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+void
+cfg_print_bracketed_list(cfg_printer_t *pctx, cfg_obj_t *obj) {
 	print_open(pctx);
 	print_list(pctx, obj);
 	print_close(pctx);
 }
 
+void
+cfg_doc_bracketed_list(cfg_printer_t *pctx, const cfg_type_t *type) {
+	cfg_print_chars(pctx, "{ ", 2);
+	cfg_doc_obj(pctx, type->of);
+	cfg_print_chars(pctx, "; ... }", 7);
+}
+
 /*
  * Parse a homogeneous list whose elements are of type 'elttype'
  * and where elements are separated by space.  The list ends
  * before the first semicolon.
  */
-static isc_result_t
-parse_spacelist(cfg_parser_t *pctx, const cfg_type_t *listtype, cfg_obj_t **ret)
+isc_result_t
+cfg_parse_spacelist(cfg_parser_t *pctx, const cfg_type_t *listtype,
+		    cfg_obj_t **ret)
 {
 	cfg_obj_t *listobj = NULL;
 	const cfg_type_t *listof = listtype->of;
 	isc_result_t result;
 
-	CHECK(create_list(pctx, listtype, &listobj));
+	CHECK(cfg_create_list(pctx, listtype, &listobj));
 
 	for (;;) {
 		cfg_listelt_t *elt = NULL;
@@ -2203,7 +1060,7 @@ parse_spacelist(cfg_parser_t *pctx, const cfg_type_t *listtype, cfg_obj_t **ret)
 		if (pctx->token.type == isc_tokentype_special &&
 		    pctx->token.value.as_char == ';')
 			break;
-		CHECK(parse_list_elt(pctx, listof, &elt));
+		CHECK(cfg_parse_listelt(pctx, listof, &elt));
 		ISC_LIST_APPEND(listobj->value.list, elt, link);
 	}
 	*ret = listobj;
@@ -2214,42 +1071,43 @@ parse_spacelist(cfg_parser_t *pctx, const cfg_type_t *listtype, cfg_obj_t **ret)
 	return (result);
 }
 
-static void
-print_spacelist(cfg_printer_t *pctx, const cfg_obj_t *obj) {
-	const cfg_list_t *list = &obj->value.list;
-	const cfg_listelt_t *elt;
+void
+cfg_print_spacelist(cfg_printer_t *pctx, cfg_obj_t *obj) {
+	cfg_list_t *list = &obj->value.list;
+	cfg_listelt_t *elt;
 
 	for (elt = ISC_LIST_HEAD(*list);
 	     elt != NULL;
 	     elt = ISC_LIST_NEXT(elt, link)) {
-		print_obj(pctx, elt->obj);
+		cfg_print_obj(pctx, elt->obj);
 		if (ISC_LIST_NEXT(elt, link) != NULL)
-			print(pctx, " ", 1);
+			cfg_print_chars(pctx, " ", 1);
 	}
 }
 
+
 isc_boolean_t
-cfg_obj_islist(const cfg_obj_t *obj) {
+cfg_obj_islist(cfg_obj_t *obj) {
 	REQUIRE(obj != NULL);
 	return (ISC_TF(obj->type->rep == &cfg_rep_list));
 }
 
-const cfg_listelt_t *
-cfg_list_first(const cfg_obj_t *obj) {
+cfg_listelt_t *
+cfg_list_first(cfg_obj_t *obj) {
 	REQUIRE(obj == NULL || obj->type->rep == &cfg_rep_list);
 	if (obj == NULL)
 		return (NULL);
 	return (ISC_LIST_HEAD(obj->value.list));
 }
 
-const cfg_listelt_t *
-cfg_list_next(const cfg_listelt_t *elt) {
+cfg_listelt_t *
+cfg_list_next(cfg_listelt_t *elt) {
 	REQUIRE(elt != NULL);
 	return (ISC_LIST_NEXT(elt, link));
 }
 
-const cfg_obj_t *
-cfg_listelt_value(const cfg_listelt_t *elt) {
+cfg_obj_t *
+cfg_listelt_value(cfg_listelt_t *elt) {
 	REQUIRE(elt != NULL);
 	return (elt->obj);
 }
@@ -2268,8 +1126,8 @@ cfg_listelt_value(const cfg_listelt_t *elt) {
  * the named.conf syntax, as well as for the body of the
  * options, view, zone, and other statements.
  */
-static isc_result_t
-parse_mapbody(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
+isc_result_t
+cfg_parse_mapbody(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
 {
 	const cfg_clausedef_t * const *clausesets = type->of;
 	isc_result_t result;
@@ -2304,13 +1162,13 @@ parse_mapbody(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
 		 * We accept "include" statements wherever a map body
 		 * clause can occur.
 		 */
-		if (strcasecmp(pctx->token.value.as_pointer, "include") == 0) {
+		if (strcasecmp(TOKEN_STRING(pctx), "include") == 0) {
 			/*
 			 * Turn the file name into a temporary configuration
 			 * object just so that it is not overwritten by the
 			 * semicolon token.
 			 */
-			CHECK(parse(pctx, &cfg_type_qstring, &includename));
+			CHECK(cfg_parse_obj(pctx, &cfg_type_qstring, &includename));
 			CHECK(parse_semicolon(pctx));
 			CHECK(parser_openfile(pctx, includename->
 					      value.string.base));
@@ -2323,35 +1181,35 @@ parse_mapbody(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
 			for (clause = *clauseset;
 			     clause->name != NULL;
 			     clause++) {
-				if (strcasecmp(pctx->token.value.as_pointer,
+				if (strcasecmp(TOKEN_STRING(pctx),
 					   clause->name) == 0)
 					goto done;
 			}
 		}
 	done:
 		if (clause == NULL || clause->name == NULL) {
-			parser_error(pctx, LOG_NOPREP, "unknown option");
+			cfg_parser_error(pctx, CFG_LOG_NOPREP, "unknown option");
 			/*
 			 * Try to recover by parsing this option as an unknown
 			 * option and discarding it.
 			 */
-			 CHECK(parse(pctx, &cfg_type_unsupported, &eltobj));
-			 cfg_obj_destroy(pctx, &eltobj);
-			 CHECK(parse_semicolon(pctx));
-			 continue;
+			CHECK(cfg_parse_obj(pctx, &cfg_type_unsupported, &eltobj));
+			cfg_obj_destroy(pctx, &eltobj);
+			CHECK(parse_semicolon(pctx));
+			continue;
 		}
 
 		/* Clause is known. */
 
 		/* Issue warnings if appropriate */
 		if ((clause->flags & CFG_CLAUSEFLAG_OBSOLETE) != 0)
-			parser_warning(pctx, 0, "option '%s' is obsolete",
+			cfg_parser_warning(pctx, 0, "option '%s' is obsolete",
 				       clause->name);
 		if ((clause->flags & CFG_CLAUSEFLAG_NOTIMP) != 0)
-			parser_warning(pctx, 0, "option '%s' is "
+			cfg_parser_warning(pctx, 0, "option '%s' is "
 				       "not implemented", clause->name);
 		if ((clause->flags & CFG_CLAUSEFLAG_NYI) != 0)
-			parser_warning(pctx, 0, "option '%s' is "
+			cfg_parser_warning(pctx, 0, "option '%s' is "
 				       "not implemented", clause->name);
 		/*
 		 * Don't log options with CFG_CLAUSEFLAG_NEWDEFAULT
@@ -2367,7 +1225,7 @@ parse_mapbody(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
 			/* Multivalued clause */
 			cfg_obj_t *listobj = NULL;
 			if (result == ISC_R_NOTFOUND) {
-				CHECK(create_list(pctx,
+				CHECK(cfg_create_list(pctx,
 						  &cfg_type_implicitlist,
 						  &listobj));
 				symval.as_pointer = listobj;
@@ -2377,7 +1235,7 @@ parse_mapbody(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
 						   1, symval,
 						   isc_symexists_reject);
 				if (result != ISC_R_SUCCESS) {
-					parser_error(pctx, LOG_NEAR,
+					cfg_parser_error(pctx, CFG_LOG_NEAR,
 						     "isc_symtab_define(%s) "
 						     "failed", clause->name);
 					isc_mem_put(pctx->mctx, list,
@@ -2390,7 +1248,7 @@ parse_mapbody(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
 			}
 
 			elt = NULL;
-			CHECK(parse_list_elt(pctx, clause->type, &elt));
+			CHECK(cfg_parse_listelt(pctx, clause->type, &elt));
 			CHECK(parse_semicolon(pctx));
 
 			ISC_LIST_APPEND(listobj->value.list, elt, link);
@@ -2406,12 +1264,12 @@ parse_mapbody(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
 						       callback));
 				CHECK(parse_semicolon(pctx));
 			} else if (result == ISC_R_SUCCESS) {
-				parser_error(pctx, LOG_NEAR, "'%s' redefined",
+				cfg_parser_error(pctx, CFG_LOG_NEAR, "'%s' redefined",
 					     clause->name);
 				result = ISC_R_EXISTS;
 				goto cleanup;
 			} else {
-				parser_error(pctx, LOG_NEAR,
+				cfg_parser_error(pctx, CFG_LOG_NEAR,
 					     "isc_symtab_define() failed");
 				goto cleanup;
 			}
@@ -2439,7 +1297,7 @@ parse_symtab_elt(cfg_parser_t *pctx, const char *name,
 	cfg_obj_t *obj = NULL;
 	isc_symvalue_t symval;
 
-	CHECK(parse(pctx, elttype, &obj));
+	CHECK(cfg_parse_obj(pctx, elttype, &obj));
 
 	if (callback && pctx->callback != NULL)
 		CHECK(pctx->callback(name, obj, pctx->callbackarg));
@@ -2458,19 +1316,18 @@ parse_symtab_elt(cfg_parser_t *pctx, const char *name,
 /*
  * Parse a map; e.g., "{ foo 1; bar { glub; }; zap true; zap false; }"
  */
-static isc_result_t
-parse_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
-{
+isc_result_t
+cfg_parse_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
 	isc_result_t result;
-	CHECK(parse_special(pctx, '{'));
-	CHECK(parse_mapbody(pctx, type, ret));
-	CHECK(parse_special(pctx, '}'));
+	CHECK(cfg_parse_special(pctx, '{'));
+	CHECK(cfg_parse_mapbody(pctx, type, ret));
+	CHECK(cfg_parse_special(pctx, '}'));
  cleanup:
 	return (result);
 }
 
 /*
- * Subroutine for parse_named_map() and parse_addressed_map().
+ * Subroutine for cfg_parse_named_map() and cfg_parse_addressed_map().
  */
 static isc_result_t
 parse_any_named_map(cfg_parser_t *pctx, cfg_type_t *nametype, const cfg_type_t *type,
@@ -2480,8 +1337,8 @@ parse_any_named_map(cfg_parser_t *pctx, cfg_type_t *nametype, const cfg_type_t *
 	cfg_obj_t *idobj = NULL;
 	cfg_obj_t *mapobj = NULL;
 
-	CHECK(parse(pctx, nametype, &idobj));
-	CHECK(parse_map(pctx, type, &mapobj));
+	CHECK(cfg_parse_obj(pctx, nametype, &idobj));
+	CHECK(cfg_parse_map(pctx, type, &mapobj));
 	mapobj->value.map.id = idobj;
 	idobj = NULL;
 	*ret = mapobj;
@@ -2494,8 +1351,8 @@ parse_any_named_map(cfg_parser_t *pctx, cfg_type_t *nametype, const cfg_type_t *
  * Parse a map identified by a string name.  E.g., "name { foo 1; }".  
  * Used for the "key" and "channel" statements.
  */
-static isc_result_t
-parse_named_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+isc_result_t
+cfg_parse_named_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
 	return (parse_any_named_map(pctx, &cfg_type_astring, type, ret));
 }
 
@@ -2503,13 +1360,13 @@ parse_named_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
  * Parse a map identified by a network address.
  * Used for the "server" statement.
  */
-static isc_result_t
-parse_addressed_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+isc_result_t
+cfg_parse_addressed_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
 	return (parse_any_named_map(pctx, &cfg_type_netaddr, type, ret));
 }
 
-static void
-print_mapbody(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+void
+cfg_print_mapbody(cfg_printer_t *pctx, cfg_obj_t *obj) {
 	isc_result_t result = ISC_R_SUCCESS;
 
 	const cfg_clausedef_t * const *clauseset;
@@ -2536,18 +1393,18 @@ print_mapbody(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 					     elt != NULL;
 					     elt = ISC_LIST_NEXT(elt, link)) {
 						print_indent(pctx);
-						print_cstr(pctx, clause->name);
-						print(pctx, " ", 1);
-						print_obj(pctx, elt->obj);
-						print(pctx, ";\n", 2);
+						cfg_print_cstr(pctx, clause->name);
+						cfg_print_chars(pctx, " ", 1);
+						cfg_print_obj(pctx, elt->obj);
+						cfg_print_chars(pctx, ";\n", 2);
 					}
 				} else {
 					/* Single-valued. */
 					print_indent(pctx);
-					print_cstr(pctx, clause->name);
-					print(pctx, " ", 1);
-					print_obj(pctx, obj);
-					print(pctx, ";\n", 2);
+					cfg_print_cstr(pctx, clause->name);
+					cfg_print_chars(pctx, " ", 1);
+					cfg_print_obj(pctx, obj);
+					cfg_print_chars(pctx, ";\n", 2);
 				}
 			} else if (result == ISC_R_NOTFOUND) {
 				; /* do nothing */
@@ -2558,28 +1415,106 @@ print_mapbody(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 	}
 }
 
-static void
-print_map(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+void
+cfg_doc_mapbody(cfg_printer_t *pctx, const cfg_type_t *type) {
+	const cfg_clausedef_t * const *clauseset;
+	const cfg_clausedef_t *clause;
+	
+	for (clauseset = type->of; *clauseset != NULL; clauseset++) {
+		for (clause = *clauseset;
+		     clause->name != NULL;
+		     clause++) {
+			cfg_print_cstr(pctx, clause->name);
+			cfg_print_chars(pctx, " ", 1);
+			cfg_doc_obj(pctx, clause->type);
+			cfg_print_chars(pctx, ";", 1);
+			/* XXX print flags here? */
+			cfg_print_chars(pctx, "\n\n", 2);
+		}
+	}
+}
+
+static struct flagtext {
+	unsigned int flag;
+	const char *text;
+} flagtexts[] = {
+	{ CFG_CLAUSEFLAG_NOTIMP, "not implemented" },
+	{ CFG_CLAUSEFLAG_NYI, "not yet implemented" },
+	{ CFG_CLAUSEFLAG_OBSOLETE, "obsolete" },
+	{ CFG_CLAUSEFLAG_NEWDEFAULT, "default changed" },
+	{ 0, NULL }
+};
+
+void
+cfg_print_map(cfg_printer_t *pctx, cfg_obj_t *obj) {
 	if (obj->value.map.id != NULL) {
-		print_obj(pctx, obj->value.map.id);
-		print(pctx, " ", 1);
+		cfg_print_obj(pctx, obj->value.map.id);
+		cfg_print_chars(pctx, " ", 1);
 	}
 	print_open(pctx);
-	print_mapbody(pctx, obj);
+	cfg_print_mapbody(pctx, obj);
+	print_close(pctx);
+}
+
+static void
+print_clause_flags(cfg_printer_t *pctx, unsigned int flags) {
+	struct flagtext *p;
+	isc_boolean_t first = ISC_TRUE;
+	for (p = flagtexts; p->flag != 0; p++) {
+		if ((flags & p->flag) != 0) {
+			if (first)
+				cfg_print_chars(pctx, " // ", 4);
+			else
+				cfg_print_chars(pctx, ", ", 2);
+			cfg_print_cstr(pctx, p->text);
+			first = ISC_FALSE;
+		}
+	}
+}
+
+void
+cfg_doc_map(cfg_printer_t *pctx, const cfg_type_t *type) {
+	const cfg_clausedef_t * const *clauseset;
+	const cfg_clausedef_t *clause;
+	
+	if (type->parse == cfg_parse_named_map) {
+		cfg_doc_obj(pctx, &cfg_type_astring);
+		cfg_print_chars(pctx, " ", 1);
+	} else if (type->parse == cfg_parse_addressed_map) {
+		cfg_doc_obj(pctx, &cfg_type_netaddr);
+		cfg_print_chars(pctx, " ", 1);
+	}
+	
+	print_open(pctx);
+	
+	for (clauseset = type->of; *clauseset != NULL; clauseset++) {
+		for (clause = *clauseset;
+		     clause->name != NULL;
+		     clause++) {
+			print_indent(pctx);
+			cfg_print_cstr(pctx, clause->name);
+			if (clause->type->print != cfg_print_void)
+				cfg_print_chars(pctx, " ", 1);
+			cfg_doc_obj(pctx, clause->type);
+			cfg_print_chars(pctx, ";", 1);
+			print_clause_flags(pctx, clause->flags);
+			cfg_print_chars(pctx, "\n", 1);
+		}
+	}
 	print_close(pctx);
 }
 
 isc_boolean_t
-cfg_obj_ismap(const cfg_obj_t *obj) {
+cfg_obj_ismap(cfg_obj_t *obj) {
 	REQUIRE(obj != NULL);
 	return (ISC_TF(obj->type->rep == &cfg_rep_map));
 }
 
 isc_result_t
-cfg_map_get(const cfg_obj_t *mapobj, const char* name, const cfg_obj_t **obj) {
+cfg_map_get(cfg_obj_t *mapobj, const char* name, cfg_obj_t **obj) {
 	isc_result_t result;
 	isc_symvalue_t val;
-	const cfg_map_t *map;
+	cfg_map_t *map;
 	
 	REQUIRE(mapobj != NULL && mapobj->type->rep == &cfg_rep_map);
 	REQUIRE(name != NULL);
@@ -2594,8 +1529,8 @@ cfg_map_get(const cfg_obj_t *mapobj, const char* name, const cfg_obj_t **obj) {
 	return (ISC_R_SUCCESS);
 }
 
-const cfg_obj_t *
-cfg_map_getname(const cfg_obj_t *mapobj) {
+cfg_obj_t *
+cfg_map_getname(cfg_obj_t *mapobj) {
 	REQUIRE(mapobj != NULL && mapobj->type->rep == &cfg_rep_map);
 	return (mapobj->value.map.id);
 }
@@ -2610,8 +1545,8 @@ parse_token(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
 
 	UNUSED(type);
 
-	CHECK(create_cfgobj(pctx, &cfg_type_token, &obj));
-	CHECK(cfg_gettoken(pctx, QSTRING));
+	CHECK(cfg_create_obj(pctx, &cfg_type_token, &obj));
+	CHECK(cfg_gettoken(pctx, CFG_LEXOPT_QSTRING));
 	if (pctx->token.type == isc_tokentype_eof) {
 		cfg_ungettoken(pctx);
 		result = ISC_R_EOF;
@@ -2621,24 +1556,19 @@ parse_token(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
 	isc_lex_getlasttokentext(pctx->lexer, &pctx->token, &r);
 
 	obj->value.string.base = isc_mem_get(pctx->mctx, r.length + 1);
-	if (obj->value.string.base == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto cleanup;
-	}
 	obj->value.string.length = r.length;
 	memcpy(obj->value.string.base, r.base, r.length);
 	obj->value.string.base[r.length] = '\0';
 	*ret = obj;
-	return (result);
 
  cleanup:
-	if (obj != NULL)
-		isc_mem_put(pctx->mctx, obj, sizeof(*obj));
 	return (result);
 }
 
-static cfg_type_t cfg_type_token = {
-	"token", parse_token, print_ustring, &cfg_rep_string, NULL };
+cfg_type_t cfg_type_token = {
+	"token", parse_token, cfg_print_ustring, cfg_doc_terminal,
+	&cfg_rep_string, NULL
+};
 
 /*
  * An unsupported option.  This is just a list of tokens with balanced braces
@@ -2651,7 +1581,7 @@ parse_unsupported(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
 	isc_result_t result;
 	int braces = 0;
 
-	CHECK(create_list(pctx, type, &listobj));
+	CHECK(cfg_create_list(pctx, type, &listobj));
 
 	for (;;) {
 		cfg_listelt_t *elt = NULL;
@@ -2667,12 +1597,12 @@ parse_unsupported(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
 					break;
 		}
 		if (pctx->token.type == isc_tokentype_eof || braces < 0) {
-			parser_error(pctx, LOG_NEAR, "unexpected token");
+			cfg_parser_error(pctx, CFG_LOG_NEAR, "unexpected token");
 			result = ISC_R_UNEXPECTEDTOKEN;
 			goto cleanup;
 		}
 
-		CHECK(parse_list_elt(pctx, &cfg_type_token, &elt));
+		CHECK(cfg_parse_listelt(pctx, &cfg_type_token, &elt));
 		ISC_LIST_APPEND(listobj->value.list, elt, link);
 	}
 	INSIST(braces == 0);
@@ -2684,85 +1614,18 @@ parse_unsupported(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
 	return (result);
 }
 
-static cfg_type_t cfg_type_unsupported = {
-	"unsupported", parse_unsupported, print_spacelist,
+cfg_type_t cfg_type_unsupported = {
+	"unsupported", parse_unsupported, cfg_print_spacelist, cfg_doc_terminal,
 	&cfg_rep_list, NULL
 };
 
 /*
- * A "controls" statement is represented as a map with the multivalued
- * "inet" and "unix" clauses.  Inet controls are tuples; unix controls
- * are cfg_unsupported_t objects.
- */
-
-static keyword_type_t controls_allow_kw = {
-	"allow", &cfg_type_bracketed_aml };
-static cfg_type_t cfg_type_controls_allow = {
-	"controls_allow", parse_keyvalue,
-	print_keyvalue, &cfg_rep_list, &controls_allow_kw
-};
-
-static keyword_type_t controls_keys_kw = {
-	"keys", &cfg_type_keylist };
-static cfg_type_t cfg_type_controls_keys = {
-	"controls_keys", parse_optional_keyvalue,
-	print_keyvalue, &cfg_rep_list, &controls_keys_kw
-};
-
-static cfg_tuplefielddef_t inetcontrol_fields[] = {
-	{ "address", &cfg_type_controls_sockaddr, 0 },
-	{ "allow", &cfg_type_controls_allow, 0 },
-	{ "keys", &cfg_type_controls_keys, 0 },
-	{ NULL, NULL, 0 }
-};
-static cfg_type_t cfg_type_inetcontrol = {
-	"inetcontrol", parse_tuple, print_tuple, &cfg_rep_tuple,
-	inetcontrol_fields
-};
-
-static cfg_clausedef_t
-controls_clauses[] = {
-	{ "inet", &cfg_type_inetcontrol, CFG_CLAUSEFLAG_MULTI },
-	{ "unix", &cfg_type_unsupported,
-	  CFG_CLAUSEFLAG_MULTI|CFG_CLAUSEFLAG_NOTIMP },
-	{ NULL, NULL, 0 }
-};
-static cfg_clausedef_t *
-controls_clausesets[] = {
-	controls_clauses,
-	NULL
-};
-static cfg_type_t cfg_type_controls = {
-	"controls", parse_map, print_map, &cfg_rep_map,	&controls_clausesets
-};
-
-/*
- * An optional class, as used in view and zone statements.
- */
-static isc_result_t
-parse_optional_class(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
-	isc_result_t result;
-	UNUSED(type);
-	CHECK(cfg_peektoken(pctx, 0));
-	if (pctx->token.type == isc_tokentype_string)
-		CHECK(parse(pctx, &cfg_type_ustring, ret));
-	else
-		CHECK(parse(pctx, &cfg_type_void, ret));
- cleanup:
-	return (result);
-}
-
-static cfg_type_t cfg_type_optional_class = {
-	"optional_class", parse_optional_class, NULL, NULL, NULL };
-
-
-/*
  * Try interpreting the current token as a network address.
  *
- * If WILDOK is set in flags, "*" can be used as a wildcard
- * and at least one of V4OK and V6OK must also be set.  The
- * "*" is interpreted as the IPv4 wildcard address if V4OK is 
- * set (including the case where V4OK and V6OK are both set),
+ * If CFG_ADDR_WILDOK is set in flags, "*" can be used as a wildcard
+ * and at least one of CFG_ADDR_V4OK and CFG_ADDR_V6OK must also be set.  The
+ * "*" is interpreted as the IPv4 wildcard address if CFG_ADDR_V4OK is 
+ * set (including the case where CFG_ADDR_V4OK and CFG_ADDR_V6OK are both set),
  * and the IPv6 wildcard address otherwise.
  */
 static isc_result_t
@@ -2774,25 +1637,25 @@ token_addr(cfg_parser_t *pctx, unsigned int flags, isc_netaddr_t *na) {
 	if (pctx->token.type != isc_tokentype_string)
 		return (ISC_R_UNEXPECTEDTOKEN);
 
-	s = pctx->token.value.as_pointer;
-	if ((flags & WILDOK) != 0 && strcmp(s, "*") == 0) {
-		if ((flags & V4OK) != 0) {
+	s = TOKEN_STRING(pctx);
+	if ((flags & CFG_ADDR_WILDOK) != 0 && strcmp(s, "*") == 0) {
+		if ((flags & CFG_ADDR_V4OK) != 0) {
 			isc_netaddr_any(na);
 			return (ISC_R_SUCCESS);
-		} else if ((flags & V6OK) != 0) {
+		} else if ((flags & CFG_ADDR_V6OK) != 0) {
 			isc_netaddr_any6(na);
 			return (ISC_R_SUCCESS);
 		} else {
 			INSIST(0);
 		}
 	} else {
-		if ((flags & (V4OK | V4PREFIXOK)) != 0) {
+		if ((flags & (CFG_ADDR_V4OK | CFG_ADDR_V4PREFIXOK)) != 0) {
 			if (inet_pton(AF_INET, s, &in4a) == 1) {
 				isc_netaddr_fromin(na, &in4a);
 				return (ISC_R_SUCCESS);
 			}
 		}
-		if ((flags & V4PREFIXOK) != 0 &&
+		if ((flags & CFG_ADDR_V4PREFIXOK) != 0 &&
 		    strlen(s) <= 15U) {
 			char buf[64];
 			int i;
@@ -2806,9 +1669,31 @@ token_addr(cfg_parser_t *pctx, unsigned int flags, isc_netaddr_t *na) {
 				}
 			}
 		}
-		if (flags & V6OK) {
-			if (inet_pton(AF_INET6, s, &in6a) == 1) {
+		if ((flags & CFG_ADDR_V6OK) != 0 &&
+		    strlen(s) <= 127U) {
+			char buf[128];
+			char *d; /* zone delimiter */
+			isc_uint32_t zone = 0; /* scope zone ID */
+
+			strcpy(buf, s);
+			d = strchr(buf, '%');
+			if (d != NULL)
+				*d = '\0';
+
+			if (inet_pton(AF_INET6, buf, &in6a) == 1) {
+				if (d != NULL) {
+					isc_result_t result;
+
+					result = isc_netscope_pton(AF_INET6,
+								   d + 1,
+								   &in6a,
+								   &zone);
+					if (result != ISC_R_SUCCESS)
+						return (result);
+				}
+
 				isc_netaddr_fromin6(na, &in6a);
+				isc_netaddr_setzone(na, zone);
 				return (ISC_R_SUCCESS);
 			}
 		}
@@ -2816,44 +1701,44 @@ token_addr(cfg_parser_t *pctx, unsigned int flags, isc_netaddr_t *na) {
 	return (ISC_R_UNEXPECTEDTOKEN);
 }
 
-static isc_result_t
-get_addr(cfg_parser_t *pctx, unsigned int flags, isc_netaddr_t *na) {
+isc_result_t
+cfg_parse_rawaddr(cfg_parser_t *pctx, unsigned int flags, isc_netaddr_t *na) {
 	isc_result_t result;
 	CHECK(cfg_gettoken(pctx, 0));
 	result = token_addr(pctx, flags, na);
 	if (result == ISC_R_UNEXPECTEDTOKEN)
-		parser_error(pctx, LOG_NEAR, "expected IP address");
+		cfg_parser_error(pctx, CFG_LOG_NEAR, "expected IP address");
  cleanup:
 	return (result);
 }
 
-static isc_boolean_t
-looking_at_netaddr(cfg_parser_t *pctx, unsigned int flags) {
+isc_boolean_t
+cfg_lookingat_netaddr(cfg_parser_t *pctx, unsigned int flags) {
 	isc_result_t result;
 	isc_netaddr_t na_dummy;
 	result = token_addr(pctx, flags, &na_dummy);
 	return (ISC_TF(result == ISC_R_SUCCESS));
 }
 
-static isc_result_t
-get_port(cfg_parser_t *pctx, unsigned int flags, in_port_t *port) {
+isc_result_t
+cfg_parse_rawport(cfg_parser_t *pctx, unsigned int flags, in_port_t *port) {
 	isc_result_t result;
 
 	CHECK(cfg_gettoken(pctx, ISC_LEXOPT_NUMBER));
 
-	if ((flags & WILDOK) != 0 &&
+	if ((flags & CFG_ADDR_WILDOK) != 0 &&
 	    pctx->token.type == isc_tokentype_string &&
-	    strcmp(pctx->token.value.as_pointer, "*") == 0) {
+	    strcmp(TOKEN_STRING(pctx), "*") == 0) {
 		*port = 0;
 		return (ISC_R_SUCCESS);
 	}
 	if (pctx->token.type != isc_tokentype_number) {
-		parser_error(pctx, LOG_NEAR,
+		cfg_parser_error(pctx, CFG_LOG_NEAR,
 			     "expected port number or '*'");
 		return (ISC_R_UNEXPECTEDTOKEN);
 	}
 	if (pctx->token.value.as_ulong >= 65536U) {
-		parser_error(pctx, LOG_NEAR,
+		cfg_parser_error(pctx, CFG_LOG_NEAR,
 			     "port number out of range");
 		return (ISC_R_UNEXPECTEDTOKEN);
 	}
@@ -2863,80 +1748,8 @@ get_port(cfg_parser_t *pctx, unsigned int flags, in_port_t *port) {
 	return (result);
 }
 
-static isc_result_t
-parse_querysource(cfg_parser_t *pctx, int flags, cfg_obj_t **ret) {
-	isc_result_t result;
-	cfg_obj_t *obj = NULL;
-	isc_netaddr_t netaddr;
-	in_port_t port;
-	unsigned int have_address = 0;
-	unsigned int have_port = 0;
-
-	if ((flags & V4OK) != 0)
-		isc_netaddr_any(&netaddr);
-	else if ((flags & V6OK) != 0)
-		isc_netaddr_any6(&netaddr);
-	else
-		INSIST(0);
-
-	port = 0;
-
-	CHECK(create_cfgobj(pctx, &cfg_type_querysource, &obj));
-	for (;;) {
-		CHECK(cfg_peektoken(pctx, 0));
-		if (pctx->token.type == isc_tokentype_string) {
-			if (strcasecmp(pctx->token.value.as_pointer,
-				       "address") == 0)
-			{
-				/* read "address" */
-				CHECK(cfg_gettoken(pctx, 0)); 
-				CHECK(get_addr(pctx, flags|WILDOK, &netaddr));
-				have_address++;
-			} else if (strcasecmp(pctx->token.value.as_pointer,
-					      "port") == 0)
-			{
-				/* read "port" */
-				CHECK(cfg_gettoken(pctx, 0)); 
-				CHECK(get_port(pctx, WILDOK, &port));
-				have_port++;
-			} else {
-				parser_error(pctx, LOG_NEAR,
-					     "expected 'address' or 'port'");
-				return (ISC_R_UNEXPECTEDTOKEN);
-			}
-		} else
-			break;
-	}
-	if (have_address > 1 || have_port > 1 ||
-	    have_address + have_port == 0) {
-		parser_error(pctx, 0, "expected one address and/or port");
-		return (ISC_R_UNEXPECTEDTOKEN);
-	}
-
-	isc_sockaddr_fromnetaddr(&obj->value.sockaddr, &netaddr, port);
-	*ret = obj;
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	parser_error(pctx, LOG_NEAR, "invalid query source");
-	CLEANUP_OBJ(obj);
-	return (result);
-}
-
-static isc_result_t
-parse_querysource4(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
-	UNUSED(type);
-	return (parse_querysource(pctx, V4OK, ret));
-}
-
-static isc_result_t
-parse_querysource6(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
-	UNUSED(type);
-	return (parse_querysource(pctx, V6OK, ret));
-}
-
-static void
-print_isc_netaddr(cfg_printer_t *pctx, const isc_netaddr_t *na) {
+void
+cfg_print_rawaddr(cfg_printer_t *pctx, isc_netaddr_t *na) {
 	isc_result_t result;
 	char text[128];
 	isc_buffer_t buf;
@@ -2944,26 +1757,9 @@ print_isc_netaddr(cfg_printer_t *pctx, const isc_netaddr_t *na) {
 	isc_buffer_init(&buf, text, sizeof(text));
 	result = isc_netaddr_totext(na, &buf);
 	RUNTIME_CHECK(result == ISC_R_SUCCESS);
-	print(pctx, isc_buffer_base(&buf), isc_buffer_usedlength(&buf));
+	cfg_print_chars(pctx, isc_buffer_base(&buf), isc_buffer_usedlength(&buf));
 }
 
-static void
-print_querysource(cfg_printer_t *pctx, const cfg_obj_t *obj) {
-	isc_netaddr_t na;
-	isc_netaddr_fromsockaddr(&na, &obj->value.sockaddr);
-	print(pctx, "address ", 8);
-	print_isc_netaddr(pctx, &na);
-	print(pctx, " port ", 6);
-	print_uint(pctx, isc_sockaddr_getport(&obj->value.sockaddr));
-}
-
-static cfg_type_t cfg_type_querysource4 = {
-	"querysource4", parse_querysource4, NULL, NULL, NULL };
-static cfg_type_t cfg_type_querysource6 = {
-	"querysource6", parse_querysource6, NULL, NULL, NULL };
-static cfg_type_t cfg_type_querysource = {
-	"querysource", NULL, print_querysource, &cfg_rep_sockaddr, NULL };
-
 /* netaddr */
 
 static isc_result_t
@@ -2972,8 +1768,8 @@ parse_netaddr(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
 	cfg_obj_t *obj = NULL;
 	isc_netaddr_t netaddr;
 	UNUSED(type);
-	CHECK(create_cfgobj(pctx, type, &obj));
-	CHECK(get_addr(pctx, V4OK|V6OK, &netaddr));
+	CHECK(cfg_create_obj(pctx, type, &obj));
+	CHECK(cfg_parse_rawaddr(pctx, CFG_ADDR_V4OK | CFG_ADDR_V6OK, &netaddr));
 	isc_sockaddr_fromnetaddr(&obj->value.sockaddr, &netaddr, 0);
 	*ret = obj;
 	return (ISC_R_SUCCESS);
@@ -2982,20 +1778,25 @@ parse_netaddr(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
 	return (result);
 }
 
-static cfg_type_t cfg_type_netaddr = {
-	"netaddr", parse_netaddr, print_sockaddr, &cfg_rep_sockaddr, NULL };
+cfg_type_t cfg_type_netaddr = {
+	"netaddr", parse_netaddr, cfg_print_sockaddr, cfg_doc_terminal,
+	&cfg_rep_sockaddr, NULL
+};
 
 /* netprefix */
 
-static isc_result_t
-parse_netprefix(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+isc_result_t
+cfg_parse_netprefix(cfg_parser_t *pctx, const cfg_type_t *type,
+		    cfg_obj_t **ret)
+{
 	cfg_obj_t *obj = NULL;
 	isc_result_t result;
 	isc_netaddr_t netaddr;
 	unsigned int addrlen, prefixlen;
 	UNUSED(type);
 
-	CHECK(get_addr(pctx, V4OK|V4PREFIXOK|V6OK, &netaddr));
+	CHECK(cfg_parse_rawaddr(pctx, CFG_ADDR_V4OK | CFG_ADDR_V4PREFIXOK |
+				CFG_ADDR_V6OK, &netaddr));
 	switch (netaddr.family) {
 	case AF_INET:
 		addrlen = 32;
@@ -3014,124 +1815,54 @@ parse_netprefix(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
 		CHECK(cfg_gettoken(pctx, 0)); /* read "/" */
 		CHECK(cfg_gettoken(pctx, ISC_LEXOPT_NUMBER));
 		if (pctx->token.type != isc_tokentype_number) {
-			parser_error(pctx, LOG_NEAR,
+			cfg_parser_error(pctx, CFG_LOG_NEAR,
 				     "expected prefix length");
 			return (ISC_R_UNEXPECTEDTOKEN);
 		}
 		prefixlen = pctx->token.value.as_ulong;
 		if (prefixlen > addrlen) {
-			parser_error(pctx, LOG_NOPREP,
+			cfg_parser_error(pctx, CFG_LOG_NOPREP,
 				     "invalid prefix length");
 			return (ISC_R_RANGE);
 		}
 	} else {
 		prefixlen = addrlen;
 	}
-	CHECK(create_cfgobj(pctx, &cfg_type_netprefix, &obj));
+	CHECK(cfg_create_obj(pctx, &cfg_type_netprefix, &obj));
 	obj->value.netprefix.address = netaddr;
 	obj->value.netprefix.prefixlen = prefixlen;
 	*ret = obj;
 	return (ISC_R_SUCCESS);
  cleanup:
-	parser_error(pctx, LOG_NEAR, "expected network prefix");
+	cfg_parser_error(pctx, CFG_LOG_NEAR, "expected network prefix");
 	return (result);
 }
 
 static void
-print_netprefix(cfg_printer_t *pctx, const cfg_obj_t *obj) {
-	const cfg_netprefix_t *p = &obj->value.netprefix;
-	print_isc_netaddr(pctx, &p->address);
-	print(pctx, "/", 1);
-	print_uint(pctx, p->prefixlen);
+print_netprefix(cfg_printer_t *pctx, cfg_obj_t *obj) {
+	cfg_netprefix_t *p = &obj->value.netprefix;
+	cfg_print_rawaddr(pctx, &p->address);
+	cfg_print_chars(pctx, "/", 1);
+	cfg_print_rawuint(pctx, p->prefixlen);
 }
 
 isc_boolean_t
-cfg_obj_isnetprefix(const cfg_obj_t *obj) {
+cfg_obj_isnetprefix(cfg_obj_t *obj) {
 	REQUIRE(obj != NULL);
 	return (ISC_TF(obj->type->rep == &cfg_rep_netprefix));
 }
 
 void
-cfg_obj_asnetprefix(const cfg_obj_t *obj, isc_netaddr_t *netaddr,
+cfg_obj_asnetprefix(cfg_obj_t *obj, isc_netaddr_t *netaddr,
 		    unsigned int *prefixlen) {
 	REQUIRE(obj != NULL && obj->type->rep == &cfg_rep_netprefix);
 	*netaddr = obj->value.netprefix.address;
 	*prefixlen = obj->value.netprefix.prefixlen;
 }
 
-static cfg_type_t cfg_type_netprefix = {
-	"netprefix", parse_netprefix, print_netprefix, &cfg_rep_netprefix, NULL };
-
-/* addrmatchelt */
-
-static isc_result_t
-parse_addrmatchelt(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
-        isc_result_t result;
-	UNUSED(type);
-
-	CHECK(cfg_peektoken(pctx, QSTRING));
-
-	if (pctx->token.type == isc_tokentype_string ||
-	    pctx->token.type == isc_tokentype_qstring) {
-		if (pctx->token.type == isc_tokentype_string &&
-		    (strcasecmp(pctx->token.value.as_pointer, "key") == 0)) {
-			CHECK(parse(pctx, &cfg_type_keyref, ret));
-		} else {
-			if (looking_at_netaddr(pctx, V4OK|V4PREFIXOK|V6OK)) {
-				CHECK(parse_netprefix(pctx, NULL, ret));
-			} else {
-				CHECK(parse_astring(pctx, NULL, ret));
-			}
-		}
-	} else if (pctx->token.type == isc_tokentype_special) {
-		if (pctx->token.value.as_char == '{') {
-			/* Nested match list. */
-			CHECK(parse(pctx, &cfg_type_bracketed_aml, ret));
-		} else if (pctx->token.value.as_char == '!') {
-			CHECK(cfg_gettoken(pctx, 0)); /* read "!" */
-			CHECK(parse(pctx, &cfg_type_negated, ret));
-		} else {
-			goto bad;
-		}
-	} else {
-	bad:
-		parser_error(pctx, LOG_NEAR,
-			     "expected IP match list element");
-		return (ISC_R_UNEXPECTEDTOKEN);
-	}
- cleanup:
-	return (result);
-}
-
-/*
- * A negated address match list element (like "! 10.0.0.1").
- * Somewhat sneakily, the caller is expected to parse the
- * "!", but not to print it.
- */
-
-static cfg_tuplefielddef_t negated_fields[] = {
-	{ "value", &cfg_type_addrmatchelt, 0 },
-	{ NULL, NULL, 0 }
-};
-
-static void
-print_negated(cfg_printer_t *pctx, const cfg_obj_t *obj) {
-	print(pctx, "!", 1);
-	print_tuple(pctx, obj);
-}
-
-static cfg_type_t cfg_type_negated = {
-	"negated", parse_tuple, print_negated, &cfg_rep_tuple,
-	&negated_fields
-};
-
-/* an address match list element */
-
-static cfg_type_t cfg_type_addrmatchelt = {
-	"address_match_element", parse_addrmatchelt, NULL, NULL, NULL };
-static cfg_type_t cfg_type_bracketed_aml = {
-	"bracketed_aml", parse_bracketed_list, print_bracketed_list,
-	&cfg_rep_list, &cfg_type_addrmatchelt
+cfg_type_t cfg_type_netprefix = {
+	"netprefix", cfg_parse_netprefix, print_netprefix, cfg_doc_terminal,
+	&cfg_rep_netprefix, NULL
 };
 
 static isc_result_t
@@ -3143,13 +1874,13 @@ parse_sockaddrsub(cfg_parser_t *pctx, const cfg_type_t *type,
 	in_port_t port = 0;
 	cfg_obj_t *obj = NULL;
 
-	CHECK(create_cfgobj(pctx, type, &obj));
-	CHECK(get_addr(pctx, flags, &netaddr));
+	CHECK(cfg_create_obj(pctx, type, &obj));
+	CHECK(cfg_parse_rawaddr(pctx, flags, &netaddr));
 	CHECK(cfg_peektoken(pctx, 0));
 	if (pctx->token.type == isc_tokentype_string &&
-	    strcasecmp(pctx->token.value.as_pointer, "port") == 0) {
+	    strcasecmp(TOKEN_STRING(pctx), "port") == 0) {
 		CHECK(cfg_gettoken(pctx, 0)); /* read "port" */
-		CHECK(get_port(pctx, flags, &port));
+		CHECK(cfg_parse_rawport(pctx, flags, &port));
 	}
 	isc_sockaddr_fromnetaddr(&obj->value.sockaddr, &netaddr, port);
 	*ret = obj;
@@ -3160,378 +1891,78 @@ parse_sockaddrsub(cfg_parser_t *pctx, const cfg_type_t *type,
 	return (result);
 }
 
-static isc_result_t
-parse_sockaddr(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+static unsigned int sockaddr_flags = CFG_ADDR_V4OK | CFG_ADDR_V6OK;
+cfg_type_t cfg_type_sockaddr = {
+	"sockaddr", cfg_parse_sockaddr, cfg_print_sockaddr, cfg_doc_sockaddr,
+	&cfg_rep_sockaddr, &sockaddr_flags
+};
+
+isc_result_t
+cfg_parse_sockaddr(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
 	const unsigned int *flagp = type->of;
-	return (parse_sockaddrsub(pctx, &cfg_type_sockaddr4wild, *flagp, ret));
+	return (parse_sockaddrsub(pctx, &cfg_type_sockaddr, *flagp, ret));
 }
 
-static void
-print_sockaddr(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+void
+cfg_print_sockaddr(cfg_printer_t *pctx, cfg_obj_t *obj) {
 	isc_netaddr_t netaddr;
 	in_port_t port;
 	char buf[ISC_NETADDR_FORMATSIZE];
 
 	isc_netaddr_fromsockaddr(&netaddr, &obj->value.sockaddr);
 	isc_netaddr_format(&netaddr, buf, sizeof(buf));
-	print_cstr(pctx, buf);
+	cfg_print_cstr(pctx, buf);
 	port = isc_sockaddr_getport(&obj->value.sockaddr);
 	if (port != 0) {
-		print(pctx, " port ", 6);
-		print_uint(pctx, port);
+		cfg_print_chars(pctx, " port ", 6);
+		cfg_print_rawuint(pctx, port);
 	}
 }
 
-isc_boolean_t
-cfg_obj_issockaddr(const cfg_obj_t *obj) {
-	REQUIRE(obj != NULL);
-	return (ISC_TF(obj->type->rep == &cfg_rep_sockaddr));
-}
-
-const isc_sockaddr_t *
-cfg_obj_assockaddr(const cfg_obj_t *obj) {
-	REQUIRE(obj != NULL && obj->type->rep == &cfg_rep_sockaddr);
-	return (&obj->value.sockaddr);
-}
-
-/* An IPv4/IPv6 address with optional port, "*" accepted as wildcard. */
-static unsigned int sockaddr4wild_flags = WILDOK|V4OK;
-static cfg_type_t cfg_type_sockaddr4wild = {
-	"sockaddr4wild", parse_sockaddr, print_sockaddr,
-	&cfg_rep_sockaddr, &sockaddr4wild_flags
-};
-
-static unsigned int sockaddr6wild_flags = WILDOK|V6OK;
-static cfg_type_t cfg_type_sockaddr6wild = {
-	"v6addrportwild", parse_sockaddr, print_sockaddr,
-	&cfg_rep_sockaddr, &sockaddr6wild_flags
-};
-
-static unsigned int sockaddr_flags = V4OK|V6OK;
-static cfg_type_t cfg_type_sockaddr = {
-	"sockaddr", parse_sockaddr, print_sockaddr,
-	&cfg_rep_sockaddr, &sockaddr_flags
-};
-
-/*
- * The socket address syntax in the "controls" statement is silly.
- * It allows both socket address families, but also allows "*",
- * whis is gratuitously interpreted as the IPv4 wildcard address.
- */
-static unsigned int controls_sockaddr_flags = V4OK|V6OK|WILDOK;
-static cfg_type_t cfg_type_controls_sockaddr = {
-	"controls_sockaddr", parse_sockaddr, print_sockaddr,
-	&cfg_rep_sockaddr, &controls_sockaddr_flags };
-
-
-/*
- * Handle the special kludge syntax of the "keys" clause in the "server"
- * statement, which takes a single key with our without braces and semicolon.
- */
-static isc_result_t
-parse_server_key_kludge(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
-{
-	isc_result_t result;
-	isc_boolean_t braces = ISC_FALSE;
-	UNUSED(type);
-
-	/* Allow opening brace. */
-	CHECK(cfg_peektoken(pctx, 0));
-	if (pctx->token.type == isc_tokentype_special &&
-	    pctx->token.value.as_char == '{') {
-		result = cfg_gettoken(pctx, 0);
-		braces = ISC_TRUE;
+void
+cfg_doc_sockaddr(cfg_printer_t *pctx, const cfg_type_t *type) {
+	const unsigned int *flagp = type->of;
+	int n = 0;
+	cfg_print_chars(pctx, "( ", 2);
+	if (*flagp & CFG_ADDR_V4OK) {
+		if (n != 0)
+			cfg_print_chars(pctx, " | ", 3);
+		cfg_print_cstr(pctx, "<ipv4_address>");
+		n++;
 	}
-
-	CHECK(parse(pctx, &cfg_type_astring, ret));
-
-	if (braces) {
-		/* Skip semicolon if present. */
-		CHECK(cfg_peektoken(pctx, 0));
-		if (pctx->token.type == isc_tokentype_special &&
-		    pctx->token.value.as_char == ';')
-			CHECK(cfg_gettoken(pctx, 0));
-
-		CHECK(parse_special(pctx, '}'));
+	if (*flagp & CFG_ADDR_V6OK) {
+		if (n != 0)
+			cfg_print_chars(pctx, " | ", 3);
+		cfg_print_cstr(pctx, "<ipv6_address>");
+		n++;			
 	}
- cleanup:
-	return (result);
-}
-static cfg_type_t cfg_type_server_key_kludge = {
-	"server_key", parse_server_key_kludge, NULL, NULL, NULL };
-
-
-/*
- * An optional logging facility.
- */
-
-static isc_result_t
-parse_optional_facility(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
-{
-	isc_result_t result;
-	UNUSED(type);
-
-	CHECK(cfg_peektoken(pctx, QSTRING));
-	if (pctx->token.type == isc_tokentype_string ||
-	    pctx->token.type == isc_tokentype_qstring) {
-		CHECK(parse(pctx, &cfg_type_astring, ret));
-	} else {
-		CHECK(parse(pctx, &cfg_type_void, ret));
+	if (*flagp & CFG_ADDR_WILDOK) {
+		if (n != 0)
+			cfg_print_chars(pctx, " | ", 3);
+		cfg_print_chars(pctx, "*", 1);
+		n++;
 	}
- cleanup:
-	return (result);
-}
-
-static cfg_type_t cfg_type_optional_facility = {
-	"optional_facility", parse_optional_facility, NULL, NULL, NULL };
-
-
-/*
- * A log severity.  Return as a string, except "debug N",
- * which is returned as a keyword object.
- */
-
-static keyword_type_t debug_kw = { "debug", &cfg_type_uint32 };
-static cfg_type_t cfg_type_debuglevel = {
-	"debuglevel", parse_keyvalue,
-	print_keyvalue, &cfg_rep_uint32, &debug_kw
-};
-
-static isc_result_t
-parse_logseverity(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
-	isc_result_t result;
-	UNUSED(type);
-
-	CHECK(cfg_peektoken(pctx, 0));
-	if (pctx->token.type == isc_tokentype_string &&
-	    strcasecmp(pctx->token.value.as_pointer, "debug") == 0) {
-		CHECK(cfg_gettoken(pctx, 0)); /* read "debug" */
-		CHECK(cfg_peektoken(pctx, ISC_LEXOPT_NUMBER));
-		if (pctx->token.type == isc_tokentype_number) {
-			CHECK(parse_uint32(pctx, NULL, ret));
-		} else {
-			/*
-			 * The debug level is optional and defaults to 1.
-			 * This makes little sense, but we support it for
-			 * compatibility with BIND 8.
-			 */
-			CHECK(create_cfgobj(pctx, &cfg_type_uint32, ret));
-			(*ret)->value.uint32 = 1;
-		}
-		(*ret)->type = &cfg_type_debuglevel; /* XXX kludge */
+	cfg_print_chars(pctx, " ) ", 3);
+	if (*flagp & CFG_ADDR_WILDOK) {
+		cfg_print_cstr(pctx, "[ port ( <integer> | * ) ]");
 	} else {
-		CHECK(parse(pctx, &cfg_type_loglevel, ret));
+		cfg_print_cstr(pctx, "[ port <integer> ]");
 	}
- cleanup:
-	return (result);
 }
 
-static cfg_type_t cfg_type_logseverity = {
-	"logseverity", parse_logseverity, NULL, NULL, NULL };
-
-/*
- * The "file" clause of the "channel" statement.
- * This is yet another special case.
- */
-
-static const char *logversions_enums[] = { "unlimited", NULL };
-static isc_result_t
-parse_logversions(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
-	return (parse_enum_or_other(pctx, type, &cfg_type_uint32, ret));
-}
-static cfg_type_t cfg_type_logversions = {
-	"logversions", parse_logversions, print_ustring, 
-	&cfg_rep_string, logversions_enums
-};
-
-static cfg_tuplefielddef_t logfile_fields[] = {
-	{ "file", &cfg_type_qstring, 0 },
-	{ "versions", &cfg_type_logversions, 0 },
-	{ "size", &cfg_type_size, 0 },
-	{ NULL, NULL, 0 }
-};
-
-static isc_result_t
-parse_logfile(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
-	isc_result_t result;
-	cfg_obj_t *obj = NULL;
-	const cfg_tuplefielddef_t *fields = type->of;	
-
-	CHECK(create_tuple(pctx, type, &obj));	
-
-	/* Parse the mandatory "file" field */
-	CHECK(parse(pctx, fields[0].type, &obj->value.tuple[0]));
-
-	/* Parse "versions" and "size" fields in any order. */
-	for (;;) {
-		CHECK(cfg_peektoken(pctx, 0));
-		if (pctx->token.type == isc_tokentype_string) {
-			CHECK(cfg_gettoken(pctx, 0));		
-			if (strcasecmp(pctx->token.value.as_pointer,
-				       "versions") == 0 &&
-			    obj->value.tuple[1] == NULL) {
-				CHECK(parse(pctx, fields[1].type,
-					    &obj->value.tuple[1]));
-			} else if (strcasecmp(pctx->token.value.as_pointer,
-					      "size") == 0 &&
-				   obj->value.tuple[2] == NULL) {
-				CHECK(parse(pctx, fields[2].type,
-					    &obj->value.tuple[2]));
-			} else {
-				break;
-			}
-		} else {
-			break;
-		}
-	}
-
-	/* Create void objects for missing optional values. */
-	if (obj->value.tuple[1] == NULL)
-		CHECK(parse_void(pctx, NULL, &obj->value.tuple[1]));
-	if (obj->value.tuple[2] == NULL)
-		CHECK(parse_void(pctx, NULL, &obj->value.tuple[2]));
-
-	*ret = obj;
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	CLEANUP_OBJ(obj);	
-	return (result);
+isc_boolean_t
+cfg_obj_issockaddr(cfg_obj_t *obj) {
+	REQUIRE(obj != NULL);
+	return (ISC_TF(obj->type->rep == &cfg_rep_sockaddr));
 }
 
-static void
-print_logfile(cfg_printer_t *pctx, const cfg_obj_t *obj) {
-	print_obj(pctx, obj->value.tuple[0]); /* file */
-	if (obj->value.tuple[1]->type->print != print_void) {
-		print(pctx, " versions ", 10);
-		print_obj(pctx, obj->value.tuple[1]);
-	}
-	if (obj->value.tuple[2]->type->print != print_void) {
-		print(pctx, " size ", 6);
-		print_obj(pctx, obj->value.tuple[2]);
-	}
+isc_sockaddr_t *
+cfg_obj_assockaddr(cfg_obj_t *obj) {
+	REQUIRE(obj != NULL && obj->type->rep == &cfg_rep_sockaddr);
+	return (&obj->value.sockaddr);
 }
 
-static cfg_type_t cfg_type_logfile = {
-	"logfile", parse_logfile, print_logfile, &cfg_rep_tuple,
-	logfile_fields
-};
-
-
-/*
- * lwres
- */
-
-static cfg_tuplefielddef_t lwres_view_fields[] = {
-	{ "name", &cfg_type_astring, 0 },
-	{ "class", &cfg_type_optional_class, 0 },
-	{ NULL, NULL, 0 }
-};
-static cfg_type_t cfg_type_lwres_view = {
-	"lwres_view", parse_tuple, print_tuple, &cfg_rep_tuple,
-	lwres_view_fields
-};
-
-static cfg_type_t cfg_type_lwres_searchlist = {
-	"lwres_searchlist", parse_bracketed_list, print_bracketed_list,
-	&cfg_rep_list, &cfg_type_astring };
-
-static cfg_clausedef_t
-lwres_clauses[] = {
-	{ "listen-on", &cfg_type_portiplist, 0 },
-	{ "view", &cfg_type_lwres_view, 0 },
-	{ "search", &cfg_type_lwres_searchlist, 0 },
-	{ "ndots", &cfg_type_uint32, 0 },
-	{ NULL, NULL, 0 }
-};
-
-static cfg_clausedef_t *
-lwres_clausesets[] = {
-	lwres_clauses,
-	NULL
-};
-static cfg_type_t cfg_type_lwres = {
-	"lwres", parse_map, print_map, &cfg_rep_map, lwres_clausesets };
-
-/*
- * rndc
- */
-
-static cfg_clausedef_t
-rndcconf_options_clauses[] = {
-	{ "default-server", &cfg_type_astring, 0 },
-	{ "default-key", &cfg_type_astring, 0 },
-	{ "default-port", &cfg_type_uint32, 0 },
-	{ NULL, NULL, 0 }
-};
-
-static cfg_clausedef_t *
-rndcconf_options_clausesets[] = {
-	rndcconf_options_clauses,
-	NULL
-};
-
-static cfg_type_t cfg_type_rndcconf_options = {
-	"rndcconf_options", parse_map, print_map, &cfg_rep_map,
-	rndcconf_options_clausesets
-};
-
-static cfg_clausedef_t
-rndcconf_server_clauses[] = {
-	{ "key", &cfg_type_astring, 0 },
-	{ "port", &cfg_type_uint32, 0 },
-	{ NULL, NULL, 0 }
-};
-
-static cfg_clausedef_t *
-rndcconf_server_clausesets[] = {
-	rndcconf_server_clauses,
-	NULL
-};
-
-static cfg_type_t cfg_type_rndcconf_server = {
-	"rndcconf_server", parse_named_map, print_map, &cfg_rep_map,
-	rndcconf_server_clausesets
-};
-
-static cfg_clausedef_t
-rndcconf_clauses[] = {
-	{ "key", &cfg_type_key, CFG_CLAUSEFLAG_MULTI },
-	{ "server", &cfg_type_rndcconf_server, CFG_CLAUSEFLAG_MULTI },
-	{ "options", &cfg_type_rndcconf_options, 0 },
-	{ NULL, NULL, 0 }
-};
-
-static cfg_clausedef_t *
-rndcconf_clausesets[] = {
-	rndcconf_clauses,
-	NULL
-};
-
-LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_rndcconf = {
-	"rndcconf", parse_mapbody, print_mapbody, &cfg_rep_map,
-	rndcconf_clausesets
-};
-
-static cfg_clausedef_t
-rndckey_clauses[] = {
-	{ "key", &cfg_type_key, 0 },
-	{ NULL, NULL, 0 }
-};
-
-static cfg_clausedef_t *
-rndckey_clausesets[] = {
-	rndckey_clauses,
-	NULL
-};
-
-LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_rndckey = {
-	"rndckey", parse_mapbody, print_mapbody, &cfg_rep_map,
-	rndckey_clausesets
-};
-
-
-static isc_result_t
+isc_result_t
 cfg_gettoken(cfg_parser_t *pctx, int options) {
 	isc_result_t result;
 
@@ -3573,23 +2004,23 @@ cfg_gettoken(cfg_parser_t *pctx, int options) {
 
 	case ISC_R_NOSPACE:
 		/* More understandable than "ran out of space". */
-		parser_error(pctx, LOG_NEAR, "token too big");
+		cfg_parser_error(pctx, CFG_LOG_NEAR, "token too big");
 		break;
 
 	case ISC_R_IOERROR:
-		parser_error(pctx, 0, "%s",
+		cfg_parser_error(pctx, 0, "%s",
 				 isc_result_totext(result));
 		break;
 
 	default:
-		parser_error(pctx, LOG_NEAR, "%s",
-			     isc_result_totext(result));
+		cfg_parser_error(pctx, CFG_LOG_NEAR, "%s",
+				 isc_result_totext(result));
 		break;
 	}
 	return (result);
 }
 
-static void
+void
 cfg_ungettoken(cfg_parser_t *pctx) {
 	if (pctx->seen_eof)
 		return;
@@ -3597,7 +2028,7 @@ cfg_ungettoken(cfg_parser_t *pctx) {
 	pctx->ungotten = ISC_TRUE;
 }
 
-static isc_result_t
+isc_result_t
 cfg_peektoken(cfg_parser_t *pctx, int options) {
 	isc_result_t result;
 	CHECK(cfg_gettoken(pctx, options));
@@ -3614,20 +2045,20 @@ static isc_result_t
 cfg_getstringtoken(cfg_parser_t *pctx) {
 	isc_result_t result;
 
-	result = cfg_gettoken(pctx, QSTRING);
+	result = cfg_gettoken(pctx, CFG_LEXOPT_QSTRING);
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
 	if (pctx->token.type != isc_tokentype_string &&
 	    pctx->token.type != isc_tokentype_qstring) {
-		parser_error(pctx, LOG_NEAR, "expected string");
+		cfg_parser_error(pctx, CFG_LOG_NEAR, "expected string");
 		return (ISC_R_UNEXPECTEDTOKEN);
 	}
 	return (ISC_R_SUCCESS);
 }
 
-static void
-parser_error(cfg_parser_t *pctx, unsigned int flags, const char *fmt, ...) {
+void
+cfg_parser_error(cfg_parser_t *pctx, unsigned int flags, const char *fmt, ...) {
 	va_list args;
 	va_start(args, fmt);
 	parser_complain(pctx, ISC_FALSE, flags, fmt, args);
@@ -3635,8 +2066,8 @@ parser_error(cfg_parser_t *pctx, unsigned int flags, const char *fmt, ...) {
 	pctx->errors++;
 }
 
-static void
-parser_warning(cfg_parser_t *pctx, unsigned int flags, const char *fmt, ...) {
+void
+cfg_parser_warning(cfg_parser_t *pctx, unsigned int flags, const char *fmt, ...) {
 	va_list args;
 	va_start(args, fmt);
 	parser_complain(pctx, ISC_TRUE, flags, fmt, args);
@@ -3673,17 +2104,20 @@ parser_complain(cfg_parser_t *pctx, isc_boolean_t is_warning,
 	static char message[2048];
 	int level = ISC_LOG_ERROR;
 	const char *prep = "";
+	size_t len;
 
 	if (is_warning)
 		level = ISC_LOG_WARNING;
 
-	sprintf(where, "%s:%u: ", current_file(pctx), pctx->line);
+	snprintf(where, sizeof(where), "%s:%u: ",
+		 current_file(pctx), pctx->line);
 
-	if ((unsigned int)vsprintf(message, format, args) >= sizeof message)
+	len = vsnprintf(message, sizeof(message), format, args);
+	if (len >= sizeof(message))
 		FATAL_ERROR(__FILE__, __LINE__,
 			    "error message would overflow");
 
-	if ((flags & (LOG_NEAR|LOG_BEFORE|LOG_NOPREP)) != 0) {
+	if ((flags & (CFG_LOG_NEAR|CFG_LOG_BEFORE|CFG_LOG_NOPREP)) != 0) {
 		isc_region_t r;
 
 		if (pctx->ungotten)
@@ -3706,9 +2140,9 @@ parser_complain(cfg_parser_t *pctx, isc_boolean_t is_warning,
 		}
 
 		/* Choose a preposition. */
-		if (flags & LOG_NEAR)
+		if (flags & CFG_LOG_NEAR)
 			prep = " near ";
-		else if (flags & LOG_BEFORE)
+		else if (flags & CFG_LOG_BEFORE)
 			prep = " before ";
 		else
 			prep = " ";
@@ -3720,8 +2154,7 @@ parser_complain(cfg_parser_t *pctx, isc_boolean_t is_warning,
 }
 
 void
-cfg_obj_log(const cfg_obj_t *obj, isc_log_t *lctx, int level,
-	    const char *fmt, ...) {
+cfg_obj_log(cfg_obj_t *obj, isc_log_t *lctx, int level, const char *fmt, ...) {
 	va_list ap;
 	char msgbuf[2048];
 
@@ -3738,8 +2171,18 @@ cfg_obj_log(const cfg_obj_t *obj, isc_log_t *lctx, int level,
 	va_end(ap);
 }
 
-static isc_result_t
-create_cfgobj(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+const char *
+cfg_obj_file(cfg_obj_t *obj) {
+	return (obj->file);
+}
+
+unsigned int
+cfg_obj_line(cfg_obj_t *obj) {
+	return (obj->line);
+}
+
+isc_result_t
+cfg_create_obj(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
 	cfg_obj_t *obj;
 
 	obj = isc_mem_get(pctx->mctx, sizeof(cfg_obj_t));
@@ -3772,10 +2215,11 @@ create_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
 	isc_symtab_t *symtab = NULL;
 	cfg_obj_t *obj = NULL;
 
-	CHECK(create_cfgobj(pctx, type, &obj));
+	CHECK(cfg_create_obj(pctx, type, &obj));
 	CHECK(isc_symtab_create(pctx->mctx, 5, /* XXX */
 				map_symtabitem_destroy,
 				pctx, ISC_FALSE, &symtab));
+
 	obj->value.map.symtab = symtab;
 	obj->value.map.id = NULL;
 
@@ -3795,7 +2239,7 @@ free_map(cfg_parser_t *pctx, cfg_obj_t *obj) {
 }
 
 isc_boolean_t
-cfg_obj_istype(const cfg_obj_t *obj, const cfg_type_t *type) {
+cfg_obj_istype(cfg_obj_t *obj, const cfg_type_t *type) {
 	return (ISC_TF(obj->type == type));
 }
 
@@ -3816,154 +2260,16 @@ free_noop(cfg_parser_t *pctx, cfg_obj_t *obj) {
 	UNUSED(obj);
 }
 
-/*
- * Data and functions for printing grammar summaries.
- */
-static struct flagtext {
-	unsigned int flag;
-	const char *text;
-} flagtexts[] = {
-	{ CFG_CLAUSEFLAG_NOTIMP, "not implemented" },
-	{ CFG_CLAUSEFLAG_NYI, "not yet implemented" },
-	{ CFG_CLAUSEFLAG_OBSOLETE, "obsolete" },
-	{ CFG_CLAUSEFLAG_NEWDEFAULT, "default changed" },
-	{ 0, NULL }
-};
-
-static void
-print_clause_flags(cfg_printer_t *pctx, unsigned int flags) {
-	struct flagtext *p;
-	isc_boolean_t first = ISC_TRUE;
-	for (p = flagtexts; p->flag != 0; p++) {
-		if ((flags & p->flag) != 0) {
-			if (first)
-				print(pctx, " // ", 4);
-			else
-				print(pctx, ", ", 2);
-			print_cstr(pctx, p->text);
-			first = ISC_FALSE;
-		}
-	}
+void
+cfg_doc_obj(cfg_printer_t *pctx, const cfg_type_t *type) {
+	type->doc(pctx, type);
 }
 
-static void
-print_grammar(cfg_printer_t *pctx, const cfg_type_t *type) {
-	if (type->print == print_mapbody) {
-		const cfg_clausedef_t * const *clauseset;
-		const cfg_clausedef_t *clause;
-
-		for (clauseset = type->of; *clauseset != NULL; clauseset++) {
-			for (clause = *clauseset;
-			     clause->name != NULL;
-		     clause++) {
-				print_cstr(pctx, clause->name);
-				print(pctx, " ", 1);
-				print_grammar(pctx, clause->type);
-				print(pctx, ";", 1);
-				/* XXX print flags here? */
-				print(pctx, "\n\n", 2);
-			}
-		}
-	} else if (type->print == print_map) {
-		const cfg_clausedef_t * const *clauseset;
-		const cfg_clausedef_t *clause;
-
-		if (type->parse == parse_named_map) {
-			print_grammar(pctx, &cfg_type_astring);
-			print(pctx, " ", 1);
-		} else if (type->parse == parse_addressed_map) {
-			print_grammar(pctx, &cfg_type_netaddr);
-			print(pctx, " ", 1);
-		}
-		
-		print_open(pctx);
-
-		for (clauseset = type->of; *clauseset != NULL; clauseset++) {
-			for (clause = *clauseset;
-			     clause->name != NULL;
-			     clause++) {
-				print_indent(pctx);
-				print_cstr(pctx, clause->name);
-				if (clause->type->print != print_void)
-					print(pctx, " ", 1);
-				print_grammar(pctx, clause->type);
-				print(pctx, ";", 1);
-				print_clause_flags(pctx, clause->flags);
-				print(pctx, "\n", 1);
-			}
-		}
-		print_close(pctx);
-	} else if (type->print == print_tuple) {
-		const cfg_tuplefielddef_t *fields = type->of;
-		const cfg_tuplefielddef_t *f;
-		isc_boolean_t need_space = ISC_FALSE;
-
-		for (f = fields; f->name != NULL; f++) {
-			if (need_space)
-				print(pctx, " ", 1);
-			print_grammar(pctx, f->type);
-			need_space = ISC_TF(f->type->print != print_void);
-		}
-	} else if (type->parse == parse_enum) {
-		const char * const *p;
-		print(pctx, "( ", 2);
-		for (p = type->of; *p != NULL; p++) {
-			print_cstr(pctx, *p);
-			if (p[1] != NULL)
-				print(pctx, " | ", 3);
-		}
-		print(pctx, " )", 2);
-	} else if (type->print == print_bracketed_list) {
-		print(pctx, "{ ", 2);
-		print_grammar(pctx, type->of);
-		print(pctx, "; ... }", 7);
-	} else if (type->parse == parse_keyvalue) {
-		const keyword_type_t *kw = type->of;
-		print_cstr(pctx, kw->name);
-		print(pctx, " ", 1);
-		print_grammar(pctx, kw->type);
-	} else if (type->parse == parse_optional_keyvalue) {
-		const keyword_type_t *kw = type->of;
-		print(pctx, "[ ", 2);
-		print_cstr(pctx, kw->name);
-		print(pctx, " ", 1);
-		print_grammar(pctx, kw->type);
-		print(pctx, " ]", 2);
-	} else if (type->parse == parse_sockaddr) {
-		const unsigned int *flagp = type->of;
-		int n = 0;
-		print(pctx, "( ", 2);
-		if (*flagp & V4OK) {
-			if (n != 0)
-				print(pctx, " | ", 3);
-			print_cstr(pctx, "<ipv4_address>");
-			n++;
-		}
-		if (*flagp & V6OK) {
-			if (n != 0)
-				print(pctx, " | ", 3);
-			print_cstr(pctx, "<ipv6_address>");
-			n++;			
-		}
-		if (*flagp & WILDOK) {
-			if (n != 0)
-				print(pctx, " | ", 3);
-			print(pctx, "*", 1);
-			n++;
-		}
-		print(pctx, " ) ", 3);
-		if (*flagp & WILDOK) {
-			print_cstr(pctx, "[ port ( <integer> | * ) ]");
-		} else {
-			print_cstr(pctx, "[ port <integer> ]");
-		}
-	} else if (type->print == print_void) {
-		/* Print nothing. */
-	} else {
-		print(pctx, "<", 1);
-		print_cstr(pctx, type->name);
-		print(pctx, ">", 1);
-	}
+void
+cfg_doc_terminal(cfg_printer_t *pctx, const cfg_type_t *type) {
+	cfg_print_chars(pctx, "<", 1);
+	cfg_print_cstr(pctx, type->name);
+	cfg_print_chars(pctx, ">", 1);
 }
 
 void
@@ -3975,5 +2281,5 @@ cfg_print_grammar(const cfg_type_t *type,
 	pctx.f = f;
 	pctx.closure = closure;
 	pctx.indent = 0;
-	print_grammar(&pctx, type);
+	cfg_doc_obj(&pctx, type);
 }
diff --git a/lib/isccfg/version.c b/lib/isccfg/version.c
index 051a0f3f..fe001d74 100644
--- a/lib/isccfg/version.c
+++ b/lib/isccfg/version.c
@@ -15,10 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: version.c,v 1.1.2.1 2004/03/09 06:12:30 marka Exp $ */
+/* $Id: version.c,v 1.1.12.3 2004/03/08 09:05:06 marka Exp $ */
 
-char cfg_version[] = VERSION;
+#include <isccfg/version.h>
+
+const char cfg_version[] = VERSION;
+
+const unsigned int cfg_libinterface = LIBINTERFACE;
+const unsigned int cfg_librevision = LIBREVISION;
+const unsigned int cfg_libage = LIBAGE;
 
-unsigned int cfg_libinterface = LIBINTERFACE;
-unsigned int cfg_librevision = LIBREVISION;
-unsigned int cfg_libage = LIBAGE;
diff --git a/lib/isccfg/win32/DLLMain.c b/lib/isccfg/win32/DLLMain.c
index 3ce348e7..9dbd6b9b 100644
--- a/lib/isccfg/win32/DLLMain.c
+++ b/lib/isccfg/win32/DLLMain.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: DLLMain.c,v 1.3.2.3 2007/06/18 23:45:27 tbox Exp $ */
+/* $Id: DLLMain.c,v 1.3.206.1 2004/03/06 08:15:29 marka Exp $ */
 
 #include <windows.h>
 #include <signal.h>
 
+BOOL InitSockets(void);
+ 
 /*
  * Called when we enter the DLL
  */
diff --git a/lib/isccfg/win32/libisccfg.def b/lib/isccfg/win32/libisccfg.def
index 4070f895..ca8c11c3 100644
--- a/lib/isccfg/win32/libisccfg.def
+++ b/lib/isccfg/win32/libisccfg.def
@@ -1,44 +1,44 @@
-LIBRARY libisccfg

-

-; Exported Functions

-EXPORTS

-

-cfg_parser_create

-cfg_parser_setcallback

-cfg_parse_file

-cfg_parse_buffer

-cfg_parser_destroy

-cfg_obj_isvoid

-cfg_obj_ismap

-cfg_map_get

-cfg_map_getname

-cfg_obj_istuple

-cfg_tuple_get

-cfg_obj_isuint32

-cfg_obj_asuint32

-cfg_obj_isuint64

-cfg_obj_asuint64

-cfg_obj_isstring

-cfg_obj_asstring

-cfg_obj_isboolean

-cfg_obj_asboolean

-cfg_obj_issockaddr

-cfg_obj_assockaddr

-cfg_obj_isnetprefix

-cfg_obj_asnetprefix

-cfg_obj_islist

-cfg_list_first

-cfg_list_next

-cfg_listelt_value

-cfg_obj_istype

-cfg_obj_destroy

-cfg_obj_log

-cfg_check_namedconf

-cfg_check_key

-cfg_log_init

-

-

-

-; Exported Data

-

-;cfg_type_rndcconf

+LIBRARY libisccfg
+
+; Exported Functions
+EXPORTS
+
+cfg_parser_create
+cfg_parser_setcallback
+cfg_parse_file
+cfg_parse_buffer
+cfg_parser_destroy
+cfg_obj_isvoid
+cfg_obj_ismap
+cfg_map_get
+cfg_map_getname
+cfg_obj_istuple
+cfg_tuple_get
+cfg_obj_isuint32
+cfg_obj_asuint32
+cfg_obj_isuint64
+cfg_obj_asuint64
+cfg_obj_isstring
+cfg_obj_asstring
+cfg_obj_isboolean
+cfg_obj_asboolean
+cfg_obj_issockaddr
+cfg_obj_assockaddr
+cfg_obj_isnetprefix
+cfg_obj_asnetprefix
+cfg_obj_islist
+cfg_list_first
+cfg_list_next
+cfg_listelt_value
+cfg_obj_istype
+cfg_obj_destroy
+cfg_obj_log
+cfg_log_init
+cfg_obj_line
+cfg_obj_file
+
+
+
+; Exported Data
+
+;cfg_type_rndcconf
diff --git a/lib/isccfg/win32/libisccfg.dsp b/lib/isccfg/win32/libisccfg.dsp
index d11b0c93..734b4bac 100644
--- a/lib/isccfg/win32/libisccfg.dsp
+++ b/lib/isccfg/win32/libisccfg.dsp
@@ -1,141 +1,149 @@
-# Microsoft Developer Studio Project File - Name="libisccfg" - Package Owner=<4>

-# Microsoft Developer Studio Generated Build File, Format Version 6.00

-# ** DO NOT EDIT **

-

-# TARGTYPE "Win32 (x86) Dynamic-Link Library" 0x0102

-

-CFG=libisccfg - Win32 Debug

-!MESSAGE This is not a valid makefile. To build this project using NMAKE,

-!MESSAGE use the Export Makefile command and run

-!MESSAGE 

-!MESSAGE NMAKE /f "libisccfg.mak".

-!MESSAGE 

-!MESSAGE You can specify a configuration when running NMAKE

-!MESSAGE by defining the macro CFG on the command line. For example:

-!MESSAGE 

-!MESSAGE NMAKE /f "libisccfg.mak" CFG="libisccfg - Win32 Debug"

-!MESSAGE 

-!MESSAGE Possible choices for configuration are:

-!MESSAGE 

-!MESSAGE "libisccfg - Win32 Release" (based on "Win32 (x86) Dynamic-Link Library")

-!MESSAGE "libisccfg - Win32 Debug" (based on "Win32 (x86) Dynamic-Link Library")

-!MESSAGE 

-

-# Begin Project

-# PROP AllowPerConfigDependencies 0

-# PROP Scc_ProjName ""

-# PROP Scc_LocalPath ""

-CPP=cl.exe

-MTL=midl.exe

-RSC=rc.exe

-

-!IF  "$(CFG)" == "libisccfg - Win32 Release"

-

-# PROP BASE Use_MFC 0

-# PROP BASE Use_Debug_Libraries 0

-# PROP BASE Output_Dir "Release"

-# PROP BASE Intermediate_Dir "Release"

-# PROP BASE Target_Dir ""

-# PROP Use_MFC 0

-# PROP Use_Debug_Libraries 0

-# PROP Output_Dir "Release"

-# PROP Intermediate_Dir "Release"

-# PROP Ignore_Export_Lib 0

-# PROP Target_Dir ""

-# ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "libisccfg_EXPORTS" /YX /FD /c

-# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../..../lib/dns/sec/openssl/include" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBISCCFG_EXPORTS" /YX /FD /c

-# SUBTRACT CPP /X

-# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32

-# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32

-# ADD BASE RSC /l 0x409 /d "NDEBUG"

-# ADD RSC /l 0x409 /d "NDEBUG"

-BSC32=bscmake.exe

-# ADD BASE BSC32 /nologo

-# ADD BSC32 /nologo

-LINK32=link.exe

-# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386

-# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../isc/win32/Release/libisc.lib ../../dns/win32/Release/libdns.lib /nologo /dll /machine:I386 /out:"../../../Build/Release/libisccfg.dll"

-

-!ELSEIF  "$(CFG)" == "libisccfg - Win32 Debug"

-

-# PROP BASE Use_MFC 0

-# PROP BASE Use_Debug_Libraries 1

-# PROP BASE Output_Dir "Debug"

-# PROP BASE Intermediate_Dir "Debug"

-# PROP BASE Target_Dir ""

-# PROP Use_MFC 0

-# PROP Use_Debug_Libraries 1

-# PROP Output_Dir "Debug"

-# PROP Intermediate_Dir "Debug"

-# PROP Ignore_Export_Lib 0

-# PROP Target_Dir ""

-# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "libisccfg_EXPORTS" /YX /FD /GZ /c

-# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../..../lib/dns/sec/openssl/include" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "LIBISCCFG_EXPORTS" /FR /YX /FD /GZ /c

-# SUBTRACT CPP /X

-# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32

-# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32

-# ADD BASE RSC /l 0x409 /d "_DEBUG"

-# ADD RSC /l 0x409 /d "_DEBUG"

-BSC32=bscmake.exe

-# ADD BASE BSC32 /nologo

-# ADD BSC32 /nologo

-LINK32=link.exe

-# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept

-# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../isc/win32/debug/libisc.lib ../../dns/win32/debug/libdns.lib /nologo /dll /debug /machine:I386 /out:"../../../Build/Debug/libisccfg.dll" /pdbtype:sept

-

-!ENDIF 

-

-# Begin Target

-

-# Name "libisccfg - Win32 Release"

-# Name "libisccfg - Win32 Debug"

-# Begin Group "Source Files"

-

-# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"

-# Begin Source File

-

-SOURCE=..\check.c

-# End Source File

-# Begin Source File

-

-SOURCE=.\DLLMain.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\log.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\parser.c

-# End Source File

-# Begin Source File

-

-SOURCE=.\version.c

-# End Source File

-# End Group

-# Begin Group "Header Files"

-

-# PROP Default_Filter "h;hpp;hxx;hm;inl"

-# Begin Source File

-

-SOURCE=..\include\isccfg\cfg.h

-# End Source File

-# Begin Source File

-

-SOURCE=..\include\isccfg\check.h

-# End Source File

-# Begin Source File

-

-SOURCE=..\include\isccfg\log.h

-# End Source File

-# End Group

-# Begin Group "Resource Files"

-

-# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"

-# End Group

-# Begin Source File

-

-SOURCE=.\libisccfg.def

-# End Source File

-# End Target

-# End Project

+# Microsoft Developer Studio Project File - Name="libisccfg" - Package Owner=<4>
+# Microsoft Developer Studio Generated Build File, Format Version 6.00
+# ** DO NOT EDIT **
+
+# TARGTYPE "Win32 (x86) Dynamic-Link Library" 0x0102
+
+CFG=libisccfg - Win32 Debug
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,
+!MESSAGE use the Export Makefile command and run
+!MESSAGE 
+!MESSAGE NMAKE /f "libisccfg.mak".
+!MESSAGE 
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "libisccfg.mak" CFG="libisccfg - Win32 Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "libisccfg - Win32 Release" (based on "Win32 (x86) Dynamic-Link Library")
+!MESSAGE "libisccfg - Win32 Debug" (based on "Win32 (x86) Dynamic-Link Library")
+!MESSAGE 
+
+# Begin Project
+# PROP AllowPerConfigDependencies 0
+# PROP Scc_ProjName ""
+# PROP Scc_LocalPath ""
+CPP=cl.exe
+MTL=midl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "libisccfg - Win32 Release"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 0
+# PROP BASE Output_Dir "Release"
+# PROP BASE Intermediate_Dir "Release"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 0
+# PROP Output_Dir "Release"
+# PROP Intermediate_Dir "Release"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "libisccfg_EXPORTS" /YX /FD /c
+# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../..../lib/dns/sec/openssl/include" /I "../../../lib/dns/sec/dst/include" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBISCCFG_EXPORTS" /YX /FD /c
+# SUBTRACT CPP /X
+# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32
+# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32
+# ADD BASE RSC /l 0x409 /d "NDEBUG"
+# ADD RSC /l 0x409 /d "NDEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../isc/win32/Release/libisc.lib /nologo /dll /machine:I386 /out:"../../../Build/Release/libisccfg.dll"
+
+!ELSEIF  "$(CFG)" == "libisccfg - Win32 Debug"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 1
+# PROP BASE Output_Dir "Debug"
+# PROP BASE Intermediate_Dir "Debug"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 1
+# PROP Output_Dir "Debug"
+# PROP Intermediate_Dir "Debug"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "libisccfg_EXPORTS" /YX /FD /GZ /c
+# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../..../lib/dns/sec/openssl/include" /I "../../../lib/dns/sec/dst/include" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "LIBISCCFG_EXPORTS" /FR /YX /FD /GZ /c
+# SUBTRACT CPP /X
+# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32
+# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32
+# ADD BASE RSC /l 0x409 /d "_DEBUG"
+# ADD RSC /l 0x409 /d "_DEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../isc/win32/debug/libisc.lib /nologo /dll /debug /machine:I386 /out:"../../../Build/Debug/libisccfg.dll" /pdbtype:sept
+
+!ENDIF 
+
+# Begin Target
+
+# Name "libisccfg - Win32 Release"
+# Name "libisccfg - Win32 Debug"
+# Begin Group "Source Files"
+
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
+# Begin Source File
+
+SOURCE=.\DLLMain.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\log.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\namedconf.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\parser.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\version.c
+# End Source File
+# End Group
+# Begin Group "Header Files"
+
+# PROP Default_Filter "h;hpp;hxx;hm;inl"
+# Begin Source File
+
+SOURCE=..\include\isccfg\cfg.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isccfg\check.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isccfg\grammar.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isccfg\log.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isccfg\namedconf.h
+# End Source File
+# End Group
+# Begin Group "Resource Files"
+
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"
+# End Group
+# Begin Source File
+
+SOURCE=.\libisccfg.def
+# End Source File
+# End Target
+# End Project
diff --git a/lib/isccfg/win32/libisccfg.dsw b/lib/isccfg/win32/libisccfg.dsw
index 2851ea80..ccc8711e 100644
--- a/lib/isccfg/win32/libisccfg.dsw
+++ b/lib/isccfg/win32/libisccfg.dsw
@@ -1,29 +1,29 @@
-Microsoft Developer Studio Workspace File, Format Version 6.00

-# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!

-

-###############################################################################

-

-Project: "libisccfg"=".\libisccfg.dsp" - Package Owner=<4>

-

-Package=<5>

-{{{

-}}}

-

-Package=<4>

-{{{

-}}}

-

-###############################################################################

-

-Global:

-

-Package=<5>

-{{{

-}}}

-

-Package=<3>

-{{{

-}}}

-

-###############################################################################

-

+Microsoft Developer Studio Workspace File, Format Version 6.00
+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!
+
+###############################################################################
+
+Project: "libisccfg"=".\libisccfg.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+}}}
+
+###############################################################################
+
+Global:
+
+Package=<5>
+{{{
+}}}
+
+Package=<3>
+{{{
+}}}
+
+###############################################################################
+
diff --git a/lib/isccfg/win32/libisccfg.mak b/lib/isccfg/win32/libisccfg.mak
index fc4fcb0a..c4fccafc 100644
--- a/lib/isccfg/win32/libisccfg.mak
+++ b/lib/isccfg/win32/libisccfg.mak
@@ -1,448 +1,323 @@
-# Microsoft Developer Studio Generated NMAKE File, Based on libisccfg.dsp

-!IF "$(CFG)" == ""

-CFG=libisccfg - Win32 Debug

-!MESSAGE No configuration specified. Defaulting to libisccfg - Win32 Debug.

-!ENDIF 

-

-!IF "$(CFG)" != "libisccfg - Win32 Release" && "$(CFG)" != "libisccfg - Win32 Debug"

-!MESSAGE Invalid configuration "$(CFG)" specified.

-!MESSAGE You can specify a configuration when running NMAKE

-!MESSAGE by defining the macro CFG on the command line. For example:

-!MESSAGE 

-!MESSAGE NMAKE /f "libisccfg.mak" CFG="libisccfg - Win32 Debug"

-!MESSAGE 

-!MESSAGE Possible choices for configuration are:

-!MESSAGE 

-!MESSAGE "libisccfg - Win32 Release" (based on "Win32 (x86) Dynamic-Link Library")

-!MESSAGE "libisccfg - Win32 Debug" (based on "Win32 (x86) Dynamic-Link Library")

-!MESSAGE 

-!ERROR An invalid configuration is specified.

-!ENDIF 

-

-!IF "$(OS)" == "Windows_NT"

-NULL=

-!ELSE 

-NULL=nul

-!ENDIF 

-

-CPP=cl.exe

-MTL=midl.exe

-RSC=rc.exe

-

-!IF  "$(CFG)" == "libisccfg - Win32 Release"

-_VC_MANIFEST_INC=0

-_VC_MANIFEST_BASENAME=__VC80

-!ELSE

-_VC_MANIFEST_INC=1

-_VC_MANIFEST_BASENAME=__VC80.Debug

-!ENDIF

-

-####################################################

-# Specifying name of temporary resource file used only in incremental builds:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res

-!else

-_VC_MANIFEST_AUTO_RES=

-!endif

-

-####################################################

-# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-

-#MT_SPECIAL_RETURN=1090650113

-#MT_SPECIAL_SWITCH=-notify_resource_update

-MT_SPECIAL_RETURN=0

-MT_SPECIAL_SWITCH=

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \

-if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \

-rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \

-link $** /out:$@ $(LFLAGS)

-

-!else

-

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1

-

-!endif

-

-####################################################

-# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-

-#MT_SPECIAL_RETURN=1090650113

-#MT_SPECIAL_SWITCH=-notify_resource_update

-MT_SPECIAL_RETURN=0

-MT_SPECIAL_SWITCH=

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \

-if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \

-rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \

-link $** /out:$@ $(LFLAGS)

-

-!else

-

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2

-

-!endif

-####################################################

-# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-

-_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \

-    $(_VC_MANIFEST_BASENAME).auto.rc \

-    $(_VC_MANIFEST_BASENAME).auto.manifest

-

-!else

-

-_VC_MANIFEST_CLEAN=

-

-!endif

-

-!IF  "$(CFG)" == "libisccfg - Win32 Release"

-

-OUTDIR=.\Release

-INTDIR=.\Release

-

-!IF "$(RECURSE)" == "0" 

-

-ALL : "..\..\..\Build\Release\libisccfg.dll"

-

-!ELSE 

-

-ALL : "libdns - Win32 Release" "libisc - Win32 Release" "..\..\..\Build\Release\libisccfg.dll"

-

-!ENDIF 

-

-!IF "$(RECURSE)" == "1" 

-CLEAN :"libisc - Win32 ReleaseCLEAN" "libdns - Win32 ReleaseCLEAN" 

-!ELSE 

-CLEAN :

-!ENDIF 

-	-@erase "$(INTDIR)\check.obj"

-	-@erase "$(INTDIR)\DLLMain.obj"

-	-@erase "$(INTDIR)\log.obj"

-	-@erase "$(INTDIR)\parser.obj"

-	-@erase "$(INTDIR)\vc60.idb"

-	-@erase "$(INTDIR)\version.obj"

-	-@erase "$(OUTDIR)\libisccfg.exp"

-	-@erase "$(OUTDIR)\libisccfg.lib"

-	-@erase "..\..\..\Build\Release\libisccfg.dll"

-	-@$(_VC_MANIFEST_CLEAN)

-

-"$(OUTDIR)" :

-    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"

-

-CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../..../lib/dns/sec/openssl/include" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBISCCFG_EXPORTS" /Fp"$(INTDIR)\libisccfg.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 

-MTL_PROJ=/nologo /D "NDEBUG" /mktyplib203 /win32 

-BSC32=bscmake.exe

-BSC32_FLAGS=/nologo /o"$(OUTDIR)\libisccfg.bsc" 

-BSC32_SBRS= \

-	

-LINK32=link.exe

-LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../isc/win32/Release/libisc.lib ../../dns/win32/Release/libdns.lib /nologo /dll /incremental:no /pdb:"$(OUTDIR)\libisccfg.pdb" /machine:I386 /def:".\libisccfg.def" /out:"../../../Build/Release/libisccfg.dll" /implib:"$(OUTDIR)\libisccfg.lib" 

-DEF_FILE= \

-	".\libisccfg.def"

-LINK32_OBJS= \

-	"$(INTDIR)\check.obj" \

-	"$(INTDIR)\DLLMain.obj" \

-	"$(INTDIR)\log.obj" \

-	"$(INTDIR)\parser.obj" \

-	"$(INTDIR)\version.obj" \

-	"..\..\isc\win32\Release\libisc.lib" \

-	"..\..\dns\win32\Release\libdns.lib"

-

-"..\..\..\Build\Release\libisccfg.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)

-    $(LINK32) @<<

-  $(LINK32_FLAGS) $(LINK32_OBJS)

-<<

-  $(_VC_MANIFEST_EMBED_DLL)

-

-!ELSEIF  "$(CFG)" == "libisccfg - Win32 Debug"

-

-OUTDIR=.\Debug

-INTDIR=.\Debug

-# Begin Custom Macros

-OutDir=.\Debug

-# End Custom Macros

-

-!IF "$(RECURSE)" == "0" 

-

-ALL : "..\..\..\Build\Debug\libisccfg.dll" "$(OUTDIR)\libisccfg.bsc"

-

-!ELSE 

-

-ALL : "libdns - Win32 Debug" "libisc - Win32 Debug" "..\..\..\Build\Debug\libisccfg.dll" "$(OUTDIR)\libisccfg.bsc"

-

-!ENDIF 

-

-!IF "$(RECURSE)" == "1" 

-CLEAN :"libisc - Win32 DebugCLEAN" "libdns - Win32 DebugCLEAN" 

-!ELSE 

-CLEAN :

-!ENDIF 

-	-@erase "$(INTDIR)\check.obj"

-	-@erase "$(INTDIR)\check.sbr"

-	-@erase "$(INTDIR)\DLLMain.obj"

-	-@erase "$(INTDIR)\DLLMain.sbr"

-	-@erase "$(INTDIR)\log.obj"

-	-@erase "$(INTDIR)\log.sbr"

-	-@erase "$(INTDIR)\parser.obj"

-	-@erase "$(INTDIR)\parser.sbr"

-	-@erase "$(INTDIR)\vc60.idb"

-	-@erase "$(INTDIR)\vc60.pdb"

-	-@erase "$(INTDIR)\version.obj"

-	-@erase "$(INTDIR)\version.sbr"

-	-@erase "$(OUTDIR)\libisccfg.bsc"

-	-@erase "$(OUTDIR)\libisccfg.exp"

-	-@erase "$(OUTDIR)\libisccfg.lib"

-	-@erase "$(OUTDIR)\libisccfg.pdb"

-	-@erase "..\..\..\Build\Debug\libisccfg.dll"

-	-@erase "..\..\..\Build\Debug\libisccfg.ilk"

-	-@$(_VC_MANIFEST_CLEAN)

-

-"$(OUTDIR)" :

-    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"

-

-CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../..../lib/dns/sec/openssl/include" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "LIBISCCFG_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\libisccfg.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 

-MTL_PROJ=/nologo /D "_DEBUG" /mktyplib203 /win32 

-BSC32=bscmake.exe

-BSC32_FLAGS=/nologo /o"$(OUTDIR)\libisccfg.bsc" 

-BSC32_SBRS= \

-	"$(INTDIR)\check.sbr" \

-	"$(INTDIR)\DLLMain.sbr" \

-	"$(INTDIR)\log.sbr" \

-	"$(INTDIR)\parser.sbr" \

-	"$(INTDIR)\version.sbr"

-

-"$(OUTDIR)\libisccfg.bsc" : "$(OUTDIR)" $(BSC32_SBRS)

-    $(BSC32) @<<

-  $(BSC32_FLAGS) $(BSC32_SBRS)

-<<

-

-LINK32=link.exe

-LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../isc/win32/debug/libisc.lib ../../dns/win32/debug/libdns.lib /nologo /dll /incremental:yes /pdb:"$(OUTDIR)\libisccfg.pdb" /debug /machine:I386 /def:".\libisccfg.def" /out:"../../../Build/Debug/libisccfg.dll" /implib:"$(OUTDIR)\libisccfg.lib" /pdbtype:sept 

-DEF_FILE= \

-	".\libisccfg.def"

-LINK32_OBJS= \

-	"$(INTDIR)\check.obj" \

-	"$(INTDIR)\DLLMain.obj" \

-	"$(INTDIR)\log.obj" \

-	"$(INTDIR)\parser.obj" \

-	"$(INTDIR)\version.obj" \

-	"..\..\isc\win32\Debug\libisc.lib" \

-	"..\..\dns\win32\Debug\libdns.lib"

-

-"..\..\..\Build\Debug\libisccfg.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)

-    $(LINK32) @<<

-  $(LINK32_FLAGS) $(LINK32_OBJS)

-<<

-  $(_VC_MANIFEST_EMBED_DLL)

-

-!ENDIF 

-

-.c{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.c{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-

-!IF "$(NO_EXTERNAL_DEPS)" != "1"

-!IF EXISTS("libisccfg.dep")

-!INCLUDE "libisccfg.dep"

-!ELSE 

-!MESSAGE Warning: cannot find "libisccfg.dep"

-!ENDIF 

-!ENDIF 

-

-

-!IF "$(CFG)" == "libisccfg - Win32 Release" || "$(CFG)" == "libisccfg - Win32 Debug"

-SOURCE=..\check.c

-

-!IF  "$(CFG)" == "libisccfg - Win32 Release"

-

-

-"$(INTDIR)\check.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libisccfg - Win32 Debug"

-

-

-"$(INTDIR)\check.obj"	"$(INTDIR)\check.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=.\DLLMain.c

-

-!IF  "$(CFG)" == "libisccfg - Win32 Release"

-

-

-"$(INTDIR)\DLLMain.obj" : $(SOURCE) "$(INTDIR)"

-

-

-!ELSEIF  "$(CFG)" == "libisccfg - Win32 Debug"

-

-

-"$(INTDIR)\DLLMain.obj"	"$(INTDIR)\DLLMain.sbr" : $(SOURCE) "$(INTDIR)"

-

-

-!ENDIF 

-

-SOURCE=..\log.c

-

-!IF  "$(CFG)" == "libisccfg - Win32 Release"

-

-

-"$(INTDIR)\log.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libisccfg - Win32 Debug"

-

-

-"$(INTDIR)\log.obj"	"$(INTDIR)\log.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\parser.c

-

-!IF  "$(CFG)" == "libisccfg - Win32 Release"

-

-

-"$(INTDIR)\parser.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "libisccfg - Win32 Debug"

-

-

-"$(INTDIR)\parser.obj"	"$(INTDIR)\parser.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=.\version.c

-

-!IF  "$(CFG)" == "libisccfg - Win32 Release"

-

-

-"$(INTDIR)\version.obj" : $(SOURCE) "$(INTDIR)"

-

-

-!ELSEIF  "$(CFG)" == "libisccfg - Win32 Debug"

-

-

-"$(INTDIR)\version.obj"	"$(INTDIR)\version.sbr" : $(SOURCE) "$(INTDIR)"

-

-

-!ENDIF 

-

-!IF  "$(CFG)" == "libisccfg - Win32 Release"

-

-"libisc - Win32 Release" : 

-   cd "..\..\isc\win32"

-   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - Win32 Release" 

-   cd "..\..\isccfg\win32"

-

-"libisc - Win32 ReleaseCLEAN" : 

-   cd "..\..\isc\win32"

-   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - Win32 Release" RECURSE=1 CLEAN 

-   cd "..\..\isccfg\win32"

-

-!ELSEIF  "$(CFG)" == "libisccfg - Win32 Debug"

-

-"libisc - Win32 Debug" : 

-   cd "..\..\isc\win32"

-   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - Win32 Debug" 

-   cd "..\..\isccfg\win32"

-

-"libisc - Win32 DebugCLEAN" : 

-   cd "..\..\isc\win32"

-   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - Win32 Debug" RECURSE=1 CLEAN 

-   cd "..\..\isccfg\win32"

-

-!ENDIF 

-

-!IF  "$(CFG)" == "libisccfg - Win32 Release"

-

-"libdns - Win32 Release" : 

-   cd "..\..\dns\win32"

-   $(MAKE) /$(MAKEFLAGS) /F ".\libdns.mak" CFG="libdns - Win32 Release" 

-   cd "..\..\isccfg\win32"

-

-"libdns - Win32 ReleaseCLEAN" : 

-   cd "..\..\dns\win32"

-   $(MAKE) /$(MAKEFLAGS) /F ".\libdns.mak" CFG="libdns - Win32 Release" RECURSE=1 CLEAN 

-   cd "..\..\isccfg\win32"

-

-!ELSEIF  "$(CFG)" == "libisccfg - Win32 Debug"

-

-"libdns - Win32 Debug" : 

-   cd "..\..\dns\win32"

-   $(MAKE) /$(MAKEFLAGS) /F ".\libdns.mak" CFG="libdns - Win32 Debug" 

-   cd "..\..\isccfg\win32"

-

-"libdns - Win32 DebugCLEAN" : 

-   cd "..\..\dns\win32"

-   $(MAKE) /$(MAKEFLAGS) /F ".\libdns.mak" CFG="libdns - Win32 Debug" RECURSE=1 CLEAN 

-   cd "..\..\isccfg\win32"

-

-!ENDIF 

-

-

-!ENDIF 

-

-####################################################

-# Commands to generate initial empty manifest file and the RC file

-# that references it, and for generating the .res file:

-

-$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc

-

-$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest

-    type <<$@

-#include <winuser.h>

-1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"

-<< KEEP

-

-$(_VC_MANIFEST_BASENAME).auto.manifest :

-    type <<$@

-<?xml version='1.0' encoding='UTF-8' standalone='yes'?>

-<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>

-</assembly>

-<< KEEP

+# Microsoft Developer Studio Generated NMAKE File, Based on libisccfg.dsp
+!IF "$(CFG)" == ""
+CFG=libisccfg - Win32 Debug
+!MESSAGE No configuration specified. Defaulting to libisccfg - Win32 Debug.
+!ENDIF 
+
+!IF "$(CFG)" != "libisccfg - Win32 Release" && "$(CFG)" != "libisccfg - Win32 Debug"
+!MESSAGE Invalid configuration "$(CFG)" specified.
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "libisccfg.mak" CFG="libisccfg - Win32 Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "libisccfg - Win32 Release" (based on "Win32 (x86) Dynamic-Link Library")
+!MESSAGE "libisccfg - Win32 Debug" (based on "Win32 (x86) Dynamic-Link Library")
+!MESSAGE 
+!ERROR An invalid configuration is specified.
+!ENDIF 
+
+!IF "$(OS)" == "Windows_NT"
+NULL=
+!ELSE 
+NULL=nul
+!ENDIF 
+
+CPP=cl.exe
+MTL=midl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "libisccfg - Win32 Release"
+
+OUTDIR=.\Release
+INTDIR=.\Release
+
+!IF "$(RECURSE)" == "0" 
+
+ALL : "..\..\..\Build\Release\libisccfg.dll"
+
+!ELSE 
+
+ALL : "libisc - Win32 Release" "..\..\..\Build\Release\libisccfg.dll"
+
+!ENDIF 
+
+!IF "$(RECURSE)" == "1" 
+CLEAN :"libisc - Win32 ReleaseCLEAN" 
+!ELSE 
+CLEAN :
+!ENDIF 
+	-@erase "$(INTDIR)\DLLMain.obj"
+	-@erase "$(INTDIR)\log.obj"
+	-@erase "$(INTDIR)\namedconf.obj"
+	-@erase "$(INTDIR)\parser.obj"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "$(INTDIR)\version.obj"
+	-@erase "$(OUTDIR)\libisccfg.exp"
+	-@erase "$(OUTDIR)\libisccfg.lib"
+	-@erase "..\..\..\Build\Release\libisccfg.dll"
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../..../lib/dns/sec/openssl/include" /I "../../../lib/dns/sec/dst/include" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBISCCFG_EXPORTS" /Fp"$(INTDIR)\libisccfg.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+MTL_PROJ=/nologo /D "NDEBUG" /mktyplib203 /win32 
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\libisccfg.bsc" 
+BSC32_SBRS= \
+	
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../isc/win32/Release/libisc.lib /nologo /dll /incremental:no /pdb:"$(OUTDIR)\libisccfg.pdb" /machine:I386 /def:".\libisccfg.def" /out:"../../../Build/Release/libisccfg.dll" /implib:"$(OUTDIR)\libisccfg.lib" 
+DEF_FILE= \
+	".\libisccfg.def"
+LINK32_OBJS= \
+	"$(INTDIR)\DLLMain.obj" \
+	"$(INTDIR)\log.obj" \
+	"$(INTDIR)\parser.obj" \
+	"$(INTDIR)\version.obj" \
+	"$(INTDIR)\namedconf.obj" \
+	"..\..\isc\win32\Release\libisc.lib"
+
+"..\..\..\Build\Release\libisccfg.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+
+!ELSEIF  "$(CFG)" == "libisccfg - Win32 Debug"
+
+OUTDIR=.\Debug
+INTDIR=.\Debug
+# Begin Custom Macros
+OutDir=.\Debug
+# End Custom Macros
+
+!IF "$(RECURSE)" == "0" 
+
+ALL : "..\..\..\Build\Debug\libisccfg.dll" "$(OUTDIR)\libisccfg.bsc"
+
+!ELSE 
+
+ALL : "libisc - Win32 Debug" "..\..\..\Build\Debug\libisccfg.dll" "$(OUTDIR)\libisccfg.bsc"
+
+!ENDIF 
+
+!IF "$(RECURSE)" == "1" 
+CLEAN :"libisc - Win32 DebugCLEAN" 
+!ELSE 
+CLEAN :
+!ENDIF 
+	-@erase "$(INTDIR)\DLLMain.obj"
+	-@erase "$(INTDIR)\DLLMain.sbr"
+	-@erase "$(INTDIR)\log.obj"
+	-@erase "$(INTDIR)\log.sbr"
+	-@erase "$(INTDIR)\namedconf.obj"
+	-@erase "$(INTDIR)\namedconf.sbr"
+	-@erase "$(INTDIR)\parser.obj"
+	-@erase "$(INTDIR)\parser.sbr"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "$(INTDIR)\vc60.pdb"
+	-@erase "$(INTDIR)\version.obj"
+	-@erase "$(INTDIR)\version.sbr"
+	-@erase "$(OUTDIR)\libisccfg.bsc"
+	-@erase "$(OUTDIR)\libisccfg.exp"
+	-@erase "$(OUTDIR)\libisccfg.lib"
+	-@erase "$(OUTDIR)\libisccfg.pdb"
+	-@erase "..\..\..\Build\Debug\libisccfg.dll"
+	-@erase "..\..\..\Build\Debug\libisccfg.ilk"
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../..../lib/dns/sec/openssl/include" /I "../../../lib/dns/sec/dst/include" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "LIBISCCFG_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\libisccfg.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+MTL_PROJ=/nologo /D "_DEBUG" /mktyplib203 /win32 
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\libisccfg.bsc" 
+BSC32_SBRS= \
+	"$(INTDIR)\DLLMain.sbr" \
+	"$(INTDIR)\log.sbr" \
+	"$(INTDIR)\parser.sbr" \
+	"$(INTDIR)\version.sbr" \
+	"$(INTDIR)\namedconf.sbr"
+
+"$(OUTDIR)\libisccfg.bsc" : "$(OUTDIR)" $(BSC32_SBRS)
+    $(BSC32) @<<
+  $(BSC32_FLAGS) $(BSC32_SBRS)
+<<
+
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../isc/win32/debug/libisc.lib /nologo /dll /incremental:yes /pdb:"$(OUTDIR)\libisccfg.pdb" /debug /machine:I386 /def:".\libisccfg.def" /out:"../../../Build/Debug/libisccfg.dll" /implib:"$(OUTDIR)\libisccfg.lib" /pdbtype:sept 
+DEF_FILE= \
+	".\libisccfg.def"
+LINK32_OBJS= \
+	"$(INTDIR)\DLLMain.obj" \
+	"$(INTDIR)\log.obj" \
+	"$(INTDIR)\parser.obj" \
+	"$(INTDIR)\version.obj" \
+	"$(INTDIR)\namedconf.obj" \
+	"..\..\isc\win32\Debug\libisc.lib"
+
+"..\..\..\Build\Debug\libisccfg.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+
+!ENDIF 
+
+.c{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+
+!IF "$(NO_EXTERNAL_DEPS)" != "1"
+!IF EXISTS("libisccfg.dep")
+!INCLUDE "libisccfg.dep"
+!ELSE 
+!MESSAGE Warning: cannot find "libisccfg.dep"
+!ENDIF 
+!ENDIF 
+
+
+!IF "$(CFG)" == "libisccfg - Win32 Release" || "$(CFG)" == "libisccfg - Win32 Debug"
+SOURCE=.\DLLMain.c
+
+!IF  "$(CFG)" == "libisccfg - Win32 Release"
+
+
+"$(INTDIR)\DLLMain.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libisccfg - Win32 Debug"
+
+
+"$(INTDIR)\DLLMain.obj"	"$(INTDIR)\DLLMain.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF 
+
+SOURCE=..\log.c
+
+!IF  "$(CFG)" == "libisccfg - Win32 Release"
+
+
+"$(INTDIR)\log.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisccfg - Win32 Debug"
+
+
+"$(INTDIR)\log.obj"	"$(INTDIR)\log.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\namedconf.c
+
+!IF  "$(CFG)" == "libisccfg - Win32 Release"
+
+
+"$(INTDIR)\namedconf.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisccfg - Win32 Debug"
+
+
+"$(INTDIR)\namedconf.obj"	"$(INTDIR)\namedconf.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\parser.c
+
+!IF  "$(CFG)" == "libisccfg - Win32 Release"
+
+
+"$(INTDIR)\parser.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisccfg - Win32 Debug"
+
+
+"$(INTDIR)\parser.obj"	"$(INTDIR)\parser.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=.\version.c
+
+!IF  "$(CFG)" == "libisccfg - Win32 Release"
+
+
+"$(INTDIR)\version.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libisccfg - Win32 Debug"
+
+
+"$(INTDIR)\version.obj"	"$(INTDIR)\version.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF 
+
+!IF  "$(CFG)" == "libisccfg - Win32 Release"
+
+"libisc - Win32 Release" : 
+   cd "..\..\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - Win32 Release" 
+   cd "..\..\isccfg\win32"
+
+"libisc - Win32 ReleaseCLEAN" : 
+   cd "..\..\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - Win32 Release" RECURSE=1 CLEAN 
+   cd "..\..\isccfg\win32"
+
+!ELSEIF  "$(CFG)" == "libisccfg - Win32 Debug"
+
+"libisc - Win32 Debug" : 
+   cd "..\..\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - Win32 Debug" 
+   cd "..\..\isccfg\win32"
+
+"libisc - Win32 DebugCLEAN" : 
+   cd "..\..\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - Win32 Debug" RECURSE=1 CLEAN 
+   cd "..\..\isccfg\win32"
+
+!ENDIF 
+
+
+!ENDIF 
+
diff --git a/lib/isccfg/win32/version.c b/lib/isccfg/win32/version.c
index 210c5476..3af1d201 100644
--- a/lib/isccfg/win32/version.c
+++ b/lib/isccfg/win32/version.c
@@ -15,12 +15,15 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: version.c,v 1.1.2.1 2004/03/09 06:12:32 marka Exp $ */
+/* $Id: version.c,v 1.1.12.3 2004/03/08 09:05:08 marka Exp $ */
 
 #include <versions.h>
 
-char cfg_version[] = VERSION;
+#include <isccfg/version.h>
+
+LIBISCCFG_EXTERNAL_DATA const char cfg_version[] = VERSION;
+
+LIBISCCFG_EXTERNAL_DATA const unsigned int cfg_libinterface = LIBINTERFACE;
+LIBISCCFG_EXTERNAL_DATA const unsigned int cfg_librevision = LIBREVISION;
+LIBISCCFG_EXTERNAL_DATA const unsigned int cfg_libage = LIBAGE;
 
-unsigned int cfg_libinterface = LIBINTERFACE;
-unsigned int cfg_librevision = LIBREVISION;
-unsigned int cfg_libage = LIBAGE;
diff --git a/lib/lwres/Makefile.in b/lib/lwres/Makefile.in
index 600d26ef..3b0f1195 100644
--- a/lib/lwres/Makefile.in
+++ b/lib/lwres/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.25.2.4 2004/08/28 06:15:27 marka Exp $
+# $Id: Makefile.in,v 1.25.12.4 2004/03/08 09:05:09 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -23,7 +23,7 @@ top_srcdir =	@top_srcdir@
 
 @LIBLWRES_API@
 
-@BIND9_INCLUDES@
+@BIND9_MAKE_INCLUDES@
 
 CINCLUDES =	-I${srcdir}/unix/include \
 		-I. -I./include -I${srcdir}/include ${ISC_INCLUDES}
@@ -35,14 +35,14 @@ OBJS =		context.@O@ gai_strerror.@O@ getaddrinfo.@O@ gethost.@O@ \
 		getipnode.@O@ getnameinfo.@O@ getrrset.@O@ herror.@O@ \
 		lwbuffer.@O@ lwconfig.@O@ lwpacket.@O@ lwresutil.@O@ \
 		lwres_gabn.@O@ lwres_gnba.@O@ lwres_grbn.@O@ lwres_noop.@O@ \
-		lwinetaton.@O@ lwinetpton.@O@ lwinetntop.@O@ print.@O@
+		lwinetaton.@O@ lwinetpton.@O@ lwinetntop.@O@
 
 # Alphabetically
 SRCS =		context.c gai_strerror.c getaddrinfo.c gethost.c \
 		getipnode.c getnameinfo.c getrrset.c herror.c \
 		lwbuffer.c lwconfig.c lwpacket.c lwresutil.c \
 		lwres_gabn.c lwres_gnba.c lwres_grbn.c lwres_noop.c \
-		lwinetaton.c lwinetpton.c lwinetntop.c print.c
+		lwinetaton.c lwinetpton.c lwinetntop.c
 
 LIBS =		@LIBS@
 
@@ -65,7 +65,7 @@ liblwres.@SA@: ${OBJS} version.@O@
 
 liblwres.la: ${OBJS} version.@O@
 	${LIBTOOL_MODE_LINK} \
-		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o liblwres.la -rpath ${libdir} \
+		${CC} ${ALL_CFLAGS} -o liblwres.la -rpath ${libdir} \
 		-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
 		${OBJS} version.@O@ ${LIBS}
 
diff --git a/lib/lwres/api b/lib/lwres/api
index f62822b0..44e7ba41 100644
--- a/lib/lwres/api
+++ b/lib/lwres/api
@@ -1,3 +1,3 @@
-LIBINTERFACE = 2
-LIBREVISION = 8
-LIBAGE = 1
+LIBINTERFACE = 3
+LIBREVISION = 0
+LIBAGE = 2
diff --git a/lib/lwres/assert_p.h b/lib/lwres/assert_p.h
index 05947244..78b4b792 100644
--- a/lib/lwres/assert_p.h
+++ b/lib/lwres/assert_p.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: assert_p.h,v 1.9.2.1 2004/03/09 06:12:32 marka Exp $ */
+/* $Id: assert_p.h,v 1.9.206.1 2004/03/06 08:15:30 marka Exp $ */
 
 #ifndef LWRES_ASSERT_P_H
 #define LWRES_ASSERT_P_H 1
diff --git a/lib/lwres/context.c b/lib/lwres/context.c
index b2c84f03..42bb4160 100644
--- a/lib/lwres/context.c
+++ b/lib/lwres/context.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: context.c,v 1.41.2.6 2007/06/18 23:45:27 tbox Exp $ */
+/* $Id: context.c,v 1.41.2.1.2.3 2004/03/06 08:15:30 marka Exp $ */
 
 #include <config.h>
 
@@ -60,8 +60,8 @@ do { \
 } while (0)
 #endif
 
-lwres_uint16_t lwres_udp_port = LWRES_UDP_PORT;
-const char *lwres_resolv_conf = LWRES_RESOLV_CONF;
+LIBLWRES_EXTERNAL_DATA lwres_uint16_t lwres_udp_port = LWRES_UDP_PORT;
+LIBLWRES_EXTERNAL_DATA const char *lwres_resolv_conf = LWRES_RESOLV_CONF;
 
 static void *
 lwres_malloc(void *, size_t);
@@ -128,10 +128,7 @@ lwres_context_destroy(lwres_context_t **contextp) {
 	*contextp = NULL;
 
 	if (ctx->sock != -1) {
-#ifdef WIN32
-		DestroySockets();
-#endif
-		close(ctx->sock);
+		(void)close(ctx->sock);
 		ctx->sock = -1;
 	}
 
@@ -234,34 +231,19 @@ context_connect(lwres_context_t *ctx) {
 	} else
 		return (LWRES_R_IOERROR);
 
-#ifdef WIN32
-	InitSockets();
-#endif
-
 	s = socket(domain, SOCK_DGRAM, IPPROTO_UDP);
-	if (s < 0) {
-#ifdef WIN32
-		DestroySockets();
-#endif
+	if (s < 0)
 		return (LWRES_R_IOERROR);
-	}
 
 	ret = connect(s, sa, salen);
 	if (ret != 0) {
-#ifdef WIN32
-		DestroySockets();
-#endif
-		close(s);
+		(void)close(s);
 		return (LWRES_R_IOERROR);
 	}
 
 	MAKE_NONBLOCKING(s, ret);
-	if (ret < 0) {
-#ifdef WIN32
-		DestroySockets();
-#endif
+	if (ret < 0)
 		return (LWRES_R_IOERROR);
-	}
 
 	ctx->sock = s;
 
@@ -364,12 +346,13 @@ lwres_context_sendrecv(lwres_context_t *ctx,
 	struct timeval timeout;
 
 	/*
-	 * Type of tv_sec is 32 bits long. 
+	 * Type of tv_sec is long, so make sure the unsigned long timeout
+	 * does not overflow it.
 	 */
-	if (ctx->timeout <= 0x7FFFFFFFU)
-		timeout.tv_sec = (int)ctx->timeout;
+	if (ctx->timeout <= (unsigned int)LONG_MAX)
+		timeout.tv_sec = (long)ctx->timeout;
 	else
-		timeout.tv_sec = 0x7FFFFFFF;
+		timeout.tv_sec = LONG_MAX;
 
 	timeout.tv_usec = 0;
 
diff --git a/lib/lwres/context_p.h b/lib/lwres/context_p.h
index 7574b227..3e22bc00 100644
--- a/lib/lwres/context_p.h
+++ b/lib/lwres/context_p.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: context_p.h,v 1.12.2.1 2004/03/09 06:12:32 marka Exp $ */
+/* $Id: context_p.h,v 1.12.206.1 2004/03/06 08:15:30 marka Exp $ */
 
 #ifndef LWRES_CONTEXT_P_H
 #define LWRES_CONTEXT_P_H 1
diff --git a/lib/lwres/gai_strerror.c b/lib/lwres/gai_strerror.c
index e87f37f9..ae819dda 100644
--- a/lib/lwres/gai_strerror.c
+++ b/lib/lwres/gai_strerror.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,9 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: gai_strerror.c,v 1.14.2.4 2006/08/25 05:25:49 marka Exp $ */
-
-#include <config.h>
+/* $Id: gai_strerror.c,v 1.14.2.1.10.1 2004/03/06 08:15:30 marka Exp $ */
 
 #include <lwres/netdb.h>
 
diff --git a/lib/lwres/getaddrinfo.c b/lib/lwres/getaddrinfo.c
index ce1779f0..86f48aa9 100644
--- a/lib/lwres/getaddrinfo.c
+++ b/lib/lwres/getaddrinfo.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * This code is derived from software contributed to ISC by
@@ -18,7 +18,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: getaddrinfo.c,v 1.41.2.4 2006/11/13 11:58:34 marka Exp $ */
+/* $Id: getaddrinfo.c,v 1.41.206.1 2004/03/06 08:15:30 marka Exp $ */
 
 #include <config.h>
 
@@ -325,10 +325,8 @@ lwres_getaddrinfo(const char *hostname, const char *servname,
 						      NULL, 0,
 						      NI_NUMERICHOST) == 0) {
 					ai->ai_canonname = strdup(nbuf);
-					if (ai->ai_canonname == NULL) {
-						lwres_freeaddrinfo(ai_list);
+					if (ai->ai_canonname == NULL)
 						return (EAI_MEMORY);
-					}
 				} else {
 					/* XXX raise error? */
 					ai->ai_canonname = NULL;
@@ -437,7 +435,7 @@ static char v4_loop[4] = { 127, 0, 0, 1 };
  * The test against 0 is there to keep the Solaris compiler
  * from complaining about "end-of-loop code not reached".
  */
-#define SETERROR(code) \
+#define ERR(code) \
 	do { result = (code);			\
 		if (result != 0) goto cleanup;	\
 	} while (0)
@@ -455,13 +453,13 @@ add_ipv4(const char *hostname, int flags, struct addrinfo **aip,
 
 	lwres = lwres_context_create(&lwrctx, NULL, NULL, NULL, 0);
 	if (lwres != LWRES_R_SUCCESS)
-		SETERROR(EAI_FAIL);
+		ERR(EAI_FAIL);
 	(void) lwres_conf_parse(lwrctx, lwres_resolv_conf);
 	if (hostname == NULL && (flags & AI_PASSIVE) == 0) {
 		ai = ai_clone(*aip, AF_INET);
 		if (ai == NULL) {
 			lwres_freeaddrinfo(*aip);
-			SETERROR(EAI_MEMORY);
+			ERR(EAI_MEMORY);
 		}
 
 		*aip = ai;
@@ -475,14 +473,14 @@ add_ipv4(const char *hostname, int flags, struct addrinfo **aip,
 			if (lwres == LWRES_R_NOTFOUND)
 				goto cleanup;
 			else
-				SETERROR(EAI_FAIL);
+				ERR(EAI_FAIL);
 		}
 		addr = LWRES_LIST_HEAD(by->addrs);
 		while (addr != NULL) {
 			ai = ai_clone(*aip, AF_INET);
 			if (ai == NULL) {
 				lwres_freeaddrinfo(*aip);
-				SETERROR(EAI_MEMORY);
+				ERR(EAI_MEMORY);
 			}
 			*aip = ai;
 			ai->ai_socktype = socktype;
@@ -492,7 +490,7 @@ add_ipv4(const char *hostname, int flags, struct addrinfo **aip,
 			if (flags & AI_CANONNAME) {
 				ai->ai_canonname = strdup(by->realname);
 				if (ai->ai_canonname == NULL)
-					SETERROR(EAI_MEMORY);
+					ERR(EAI_MEMORY);
 			}
 			addr = LWRES_LIST_NEXT(addr, link);
 		}
@@ -522,14 +520,14 @@ add_ipv6(const char *hostname, int flags, struct addrinfo **aip,
 
 	lwres = lwres_context_create(&lwrctx, NULL, NULL, NULL, 0);
 	if (lwres != LWRES_R_SUCCESS)
-		SETERROR(EAI_FAIL);
+		ERR(EAI_FAIL);
 	(void) lwres_conf_parse(lwrctx, lwres_resolv_conf);
 
 	if (hostname == NULL && (flags & AI_PASSIVE) == 0) {
 		ai = ai_clone(*aip, AF_INET6);
 		if (ai == NULL) {
 			lwres_freeaddrinfo(*aip);
-			SETERROR(EAI_MEMORY);
+			ERR(EAI_MEMORY);
 		}
 
 		*aip = ai;
@@ -543,14 +541,14 @@ add_ipv6(const char *hostname, int flags, struct addrinfo **aip,
 			if (lwres == LWRES_R_NOTFOUND)
 				goto cleanup;
 			else
-				SETERROR(EAI_FAIL);
+				ERR(EAI_FAIL);
 		}
 		addr = LWRES_LIST_HEAD(by->addrs);
 		while (addr != NULL) {
 			ai = ai_clone(*aip, AF_INET6);
 			if (ai == NULL) {
 				lwres_freeaddrinfo(*aip);
-				SETERROR(EAI_MEMORY);
+				ERR(EAI_MEMORY);
 			}
 			*aip = ai;
 			ai->ai_socktype = socktype;
@@ -560,7 +558,7 @@ add_ipv6(const char *hostname, int flags, struct addrinfo **aip,
 			if (flags & AI_CANONNAME) {
 				ai->ai_canonname = strdup(by->realname);
 				if (ai->ai_canonname == NULL)
-					SETERROR(EAI_MEMORY);
+					ERR(EAI_MEMORY);
 			}
 			addr = LWRES_LIST_NEXT(addr, link);
 		}
diff --git a/lib/lwres/gethost.c b/lib/lwres/gethost.c
index 823876d6..9c362b92 100644
--- a/lib/lwres/gethost.c
+++ b/lib/lwres/gethost.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: gethost.c,v 1.29.2.1 2004/03/09 06:12:33 marka Exp $ */
+/* $Id: gethost.c,v 1.29.206.1 2004/03/06 08:15:30 marka Exp $ */
 
 #include <config.h>
 
diff --git a/lib/lwres/getipnode.c b/lib/lwres/getipnode.c
index 4fd66676..5bda15e6 100644
--- a/lib/lwres/getipnode.c
+++ b/lib/lwres/getipnode.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,13 +15,14 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: getipnode.c,v 1.30.2.10 2007/06/18 23:45:27 tbox Exp $ */
+/* $Id: getipnode.c,v 1.30.2.4.2.4 2004/03/06 08:15:31 marka Exp $ */
 
 #include <config.h>
 
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <errno.h>
 
 #include <lwres/lwres.h>
 #include <lwres/net.h>
@@ -330,8 +331,6 @@ lwres_getipnodebyaddr(const void *src, size_t len, int af, int *error_num) {
 		n = lwres_getnamebyaddr(lwrctx, LWRES_ADDRTYPE_V6, IN6ADDRSZ,
 					src, &by);
 	if (n != 0) {
-		lwres_conf_clear(lwrctx);
-		lwres_context_destroy(&lwrctx);
 		*error_num = HOST_NOT_FOUND;
 		return (NULL);
 	}
@@ -339,7 +338,6 @@ lwres_getipnodebyaddr(const void *src, size_t len, int af, int *error_num) {
 	lwres_gnbaresponse_free(lwrctx, &by);
 	if (he1 == NULL)
 		*error_num = NO_RECOVERY;
-	lwres_conf_clear(lwrctx);
 	lwres_context_destroy(&lwrctx);
 	return (he1);
 }
@@ -385,23 +383,195 @@ lwres_freehostent(struct hostent *he) {
  *	-1 on failure.
  */
 
+#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR) && \
+    !defined(IRIX_EMUL_IOCTL_SIOCGIFCONF) 
+
+#ifdef __hpux
+#define lifc_len iflc_len
+#define lifc_buf iflc_buf
+#define lifc_req iflc_req
+#define LIFCONF if_laddrconf
+#else
+#define ISC_HAVE_LIFC_FAMILY 1
+#define ISC_HAVE_LIFC_FLAGS 1
+#define LIFCONF lifconf
+#endif
+ 
+#ifdef __hpux
+#define lifr_addr iflr_addr
+#define lifr_name iflr_name
+#define lifr_dstaddr iflr_dstaddr
+#define lifr_flags iflr_flags
+#define ss_family sa_family
+#define LIFREQ if_laddrreq
+#else
+#define LIFREQ lifreq
+#endif
+
+static int
+scan_interfaces6(int *have_v4, int *have_v6) {
+	struct LIFCONF lifc;
+	struct LIFREQ lifreq;
+	struct in_addr in4;
+	struct in6_addr in6;
+	char *buf = NULL, *cp, *cplim;
+	static unsigned int bufsiz = 4095;
+	int s, cpsize, n;
+
+	/*
+	 * Set to zero.  Used as loop terminators below.
+	 */
+	*have_v4 = *have_v6 = 0;
+
+	/*
+	 * Get interface list from system.
+	 */
+	if ((s = socket(AF_INET6, SOCK_DGRAM, 0)) == -1)
+		goto err_ret;
+
+	/*
+	 * Grow buffer until large enough to contain all interface
+	 * descriptions.
+	 */
+	for (;;) {
+		buf = malloc(bufsiz);
+		if (buf == NULL)
+			goto err_ret;
+#ifdef ISC_HAVE_LIFC_FAMILY
+		lifc.lifc_family = AF_UNSPEC;	/* request all families */
+#endif
+#ifdef ISC_HAVE_LIFC_FLAGS
+		lifc.lifc_flags = 0;
+#endif
+		lifc.lifc_len = bufsiz;
+		lifc.lifc_buf = buf;
+		if ((n = ioctl(s, SIOCGLIFCONF, (char *)&lifc)) != -1) {
+			/*
+			 * Some OS's just return what will fit rather
+			 * than set EINVAL if the buffer is too small
+			 * to fit all the interfaces in.  If 
+			 * lifc.lifc_len is too near to the end of the
+			 * buffer we will grow it just in case and
+			 * retry.
+			 */
+			if (lifc.lifc_len + 2 * sizeof(lifreq) < bufsiz)
+				break;
+		}
+		if ((n == -1) && errno != EINVAL)
+			goto err_ret;
+
+		if (bufsiz > 1000000)
+			goto err_ret;
+
+		free(buf);
+		bufsiz += 4096;
+	}
+
+	/*
+	 * Parse system's interface list.
+	 */
+	cplim = buf + lifc.lifc_len;    /* skip over if's with big ifr_addr's */
+	for (cp = buf;
+	     (*have_v4 == 0 || *have_v6 == 0) && cp < cplim;
+	     cp += cpsize) {
+		memcpy(&lifreq, cp, sizeof(lifreq));
+#ifdef LWRES_PLATFORM_HAVESALEN
+#ifdef FIX_ZERO_SA_LEN
+		if (lifreq.lifr_addr.sa_len == 0)
+			lifreq.lifr_addr.sa_len = 16;
+#endif
+#ifdef HAVE_MINIMUM_IFREQ
+		cpsize = sizeof(lifreq);
+		if (lifreq.lifr_addr.sa_len > sizeof(struct sockaddr))
+			cpsize += (int)lifreq.lifr_addr.sa_len -
+				(int)(sizeof(struct sockaddr));
+#else
+		cpsize = sizeof(lifreq.lifr_name) + lifreq.lifr_addr.sa_len;
+#endif /* HAVE_MINIMUM_IFREQ */
+#elif defined SIOCGIFCONF_ADDR
+		cpsize = sizeof(lifreq);
+#else
+		cpsize = sizeof(lifreq.lifr_name);
+		/* XXX maybe this should be a hard error? */
+		if (ioctl(s, SIOCGLIFADDR, (char *)&lifreq) < 0)
+			continue;
+#endif
+		switch (lifreq.lifr_addr.ss_family) {
+		case AF_INET:
+			if (*have_v4 == 0) {
+				memcpy(&in4,
+				       &((struct sockaddr_in *)
+				       &lifreq.lifr_addr)->sin_addr,
+				       sizeof(in4));
+				if (in4.s_addr == INADDR_ANY)
+					break;
+				n = ioctl(s, SIOCGLIFFLAGS, (char *)&lifreq);
+				if (n < 0)
+					break;
+				if ((lifreq.lifr_flags & IFF_UP) == 0)
+					break;
+				*have_v4 = 1;
+			} 
+			break;
+		case AF_INET6:
+			if (*have_v6 == 0) {
+				memcpy(&in6,
+				       &((struct sockaddr_in6 *)
+				       &lifreq.lifr_addr)->sin6_addr, 
+				       sizeof(in6));
+				if (memcmp(&in6, &in6addr_any,
+					   sizeof(in6)) == 0)
+					break;
+				n = ioctl(s, SIOCGLIFFLAGS, (char *)&lifreq);
+				if (n < 0)
+					break;
+				if ((lifreq.lifr_flags & IFF_UP) == 0)
+					break;
+				*have_v6 = 1;
+			}
+			break;
+		}
+	}
+	if (buf != NULL)
+		free(buf);
+	close(s);
+	return (0);
+ err_ret:
+	if (buf != NULL)
+		free(buf);
+	if (s != -1)
+		close(s);
+	return (-1);
+}
+#endif
+
 static int
 scan_interfaces(int *have_v4, int *have_v6) {
-#if 1
+#if !defined(SIOCGIFCONF) || !defined(SIOCGIFADDR)
 	*have_v4 = *have_v6 = 1;
 	return (0);
 #else
 	struct ifconf ifc;
-	struct ifreq ifreq;
+	union {
+		char _pad[256];		/* leave space for IPv6 addresses */
+		struct ifreq ifreq;
+	} u;
 	struct in_addr in4;
 	struct in6_addr in6;
 	char *buf = NULL, *cp, *cplim;
-	static int bufsiz = 4095;
-	int s, cpsize, n;
+	static unsigned int bufsiz = 4095;
+	int s, n;
+	size_t cpsize;
 
-#ifdef WIN32
-	InitSockets();
+#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR) && \
+    !defined(IRIX_EMUL_IOCTL_SIOCGIFCONF) 
+	/*
+	 * Try to scan the interfaces using IPv6 ioctls().
+	 */
+	if (!scan_interfaces6(have_v4, have_v6))
+		return (0);
 #endif
+
 	/*
 	 * Set to zero.  Used as loop terminators below.
 	 */
@@ -436,12 +606,12 @@ scan_interfaces(int *have_v4, int *have_v6) {
 			/*
 			 * Some OS's just return what will fit rather
 			 * than set EINVAL if the buffer is too small
-			 * to fit all the interfaces in.  If
+			 * to fit all the interfaces in.  If 
 			 * ifc.ifc_len is too near to the end of the
 			 * buffer we will grow it just in case and
 			 * retry.
 			 */
-			if (ifc.ifc_len + 2 * sizeof(ifreq) < bufsiz)
+			if (ifc.ifc_len + 2 * sizeof(u.ifreq) < bufsiz)
 				break;
 		}
 #endif
@@ -462,58 +632,60 @@ scan_interfaces(int *have_v4, int *have_v6) {
 	for (cp = buf;
 	     (*have_v4 == 0 || *have_v6 == 0) && cp < cplim;
 	     cp += cpsize) {
-		memcpy(&ifreq, cp, sizeof ifreq);
+		memcpy(&u.ifreq, cp, sizeof(u.ifreq));
 #ifdef LWRES_PLATFORM_HAVESALEN
 #ifdef FIX_ZERO_SA_LEN
-		if (ifreq.ifr_addr.sa_len == 0)
-			ifreq.ifr_addr.sa_len = IN6ADDRSZ;
+		if (u.ifreq.ifr_addr.sa_len == 0)
+			u.ifreq.ifr_addr.sa_len = 16;
 #endif
 #ifdef HAVE_MINIMUM_IFREQ
-		cpsize = sizeof ifreq;
-		if (ifreq.ifr_addr.sa_len > sizeof (struct sockaddr))
-			cpsize += (int)ifreq.ifr_addr.sa_len -
+		cpsize = sizeof(u.ifreq);
+		if (u.ifreq.ifr_addr.sa_len > sizeof(struct sockaddr))
+			cpsize += (int)u.ifreq.ifr_addr.sa_len -
 				(int)(sizeof(struct sockaddr));
 #else
-		cpsize = sizeof ifreq.ifr_name + ifreq.ifr_addr.sa_len;
+		cpsize = sizeof(u.ifreq.ifr_name) + u.ifreq.ifr_addr.sa_len;
 #endif /* HAVE_MINIMUM_IFREQ */
+		if (cpsize > sizeof(u.ifreq) && cpsize <= sizeof(u))
+			memcpy(&u.ifreq, cp, cpsize);
 #elif defined SIOCGIFCONF_ADDR
-		cpsize = sizeof ifreq;
+		cpsize = sizeof(u.ifreq);
 #else
-		cpsize = sizeof ifreq.ifr_name;
+		cpsize = sizeof(u.ifreq.ifr_name);
 		/* XXX maybe this should be a hard error? */
-		if (ioctl(s, SIOCGIFADDR, (char *)&ifreq) < 0)
+		if (ioctl(s, SIOCGIFADDR, (char *)&u.ifreq) < 0)
 			continue;
-#endif /* LWRES_PLATFORM_HAVESALEN */
-		switch (ifreq.ifr_addr.sa_family) {
+#endif
+		switch (u.ifreq.ifr_addr.sa_family) {
 		case AF_INET:
 			if (*have_v4 == 0) {
 				memcpy(&in4,
 				       &((struct sockaddr_in *)
-				       &ifreq.ifr_addr)->sin_addr,
+				       &u.ifreq.ifr_addr)->sin_addr,
 				       sizeof(in4));
 				if (in4.s_addr == INADDR_ANY)
 					break;
-				n = ioctl(s, SIOCGIFFLAGS, (char *)&ifreq);
+				n = ioctl(s, SIOCGIFFLAGS, (char *)&u.ifreq);
 				if (n < 0)
 					break;
-				if ((ifreq.ifr_flags & IFF_UP) == 0)
+				if ((u.ifreq.ifr_flags & IFF_UP) == 0)
 					break;
 				*have_v4 = 1;
-			}
+			} 
 			break;
 		case AF_INET6:
 			if (*have_v6 == 0) {
 				memcpy(&in6,
 				       &((struct sockaddr_in6 *)
-				       &ifreq.ifr_addr)->sin6_addr,
+				       &u.ifreq.ifr_addr)->sin6_addr,
 				       sizeof(in6));
 				if (memcmp(&in6, &in6addr_any,
 					   sizeof(in6)) == 0)
 					break;
-				n = ioctl(s, SIOCGIFFLAGS, (char *)&ifreq);
+				n = ioctl(s, SIOCGIFFLAGS, (char *)&u.ifreq);
 				if (n < 0)
 					break;
-				if ((ifreq.ifr_flags & IFF_UP) == 0)
+				if ((u.ifreq.ifr_flags & IFF_UP) == 0)
 					break;
 				*have_v6 = 1;
 			}
@@ -522,20 +694,13 @@ scan_interfaces(int *have_v4, int *have_v6) {
 	}
 	if (buf != NULL)
 		free(buf);
-#ifdef WIN32
-	DestroySockets();
-#endif
 	close(s);
 	return (0);
-
  err_ret:
 	if (buf != NULL)
 		free(buf);
 	if (s != -1)
 		close(s);
-#ifdef WIN32
-	DestroySockets();
-#endif
 	return (-1);
 #endif
 }
@@ -585,7 +750,7 @@ copyandmerge(struct hostent *he1, struct hostent *he2, int af, int *error_num)
 		return (NULL);
 	}
 
-	he = malloc(sizeof *he);
+	he = malloc(sizeof(*he));
 	if (he == NULL)
 		goto no_recovery;
 
@@ -609,8 +774,8 @@ copyandmerge(struct hostent *he1, struct hostent *he2, int af, int *error_num)
 			 */
 			if (af == AF_INET6 && he1->h_addrtype == AF_INET) {
 				memcpy(*npp, in6addr_mapped,
-				       sizeof in6addr_mapped);
-				memcpy(*npp + sizeof in6addr_mapped, *cpp,
+				       sizeof(in6addr_mapped));
+				memcpy(*npp + sizeof(in6addr_mapped), *cpp,
 				       INADDRSZ);
 			} else {
 				memcpy(*npp, *cpp,
@@ -632,8 +797,8 @@ copyandmerge(struct hostent *he1, struct hostent *he2, int af, int *error_num)
 			 */
 			if (af == AF_INET6 && he2->h_addrtype == AF_INET) {
 				memcpy(*npp, in6addr_mapped,
-				       sizeof in6addr_mapped);
-				memcpy(*npp + sizeof in6addr_mapped, *cpp,
+				       sizeof(in6addr_mapped));
+				memcpy(*npp + sizeof(in6addr_mapped), *cpp,
 				       INADDRSZ);
 			} else {
 				memcpy(*npp, *cpp,
@@ -710,7 +875,7 @@ hostfromaddr(lwres_gnbaresponse_t *addr, int af, const void *src) {
 	struct hostent *he;
 	int i;
 
-	he = malloc(sizeof *he);
+	he = malloc(sizeof(*he));
 	if (he == NULL)
 		goto cleanup;
 	memset(he, 0, sizeof(*he));
@@ -743,7 +908,7 @@ hostfromaddr(lwres_gnbaresponse_t *addr, int af, const void *src) {
 	he->h_aliases = malloc(sizeof(char *) * (addr->naliases + 1));
 	if (he->h_aliases == NULL)
 		goto cleanup;
-	for (i = 0 ; i < addr->naliases; i++) {
+	for (i = 0; i < addr->naliases; i++) {
 		he->h_aliases[i] = strdup(addr->aliases[i]);
 		if (he->h_aliases[i] == NULL)
 			goto cleanup;
@@ -787,7 +952,7 @@ hostfromname(lwres_gabnresponse_t *name, int af) {
 	int i;
 	lwres_addr_t *addr;
 
-	he = malloc(sizeof *he);
+	he = malloc(sizeof(*he));
 	if (he == NULL)
 		goto cleanup;
 	memset(he, 0, sizeof(*he));
@@ -818,7 +983,7 @@ hostfromname(lwres_gabnresponse_t *name, int af) {
 	 * Copy aliases.
 	 */
 	he->h_aliases = malloc(sizeof(char *) * (name->naliases + 1));
-	for (i = 0 ; i < name->naliases; i++) {
+	for (i = 0; i < name->naliases; i++) {
 		he->h_aliases[i] = strdup(name->aliases[i]);
 		if (he->h_aliases[i] == NULL)
 			goto cleanup;
diff --git a/lib/lwres/getnameinfo.c b/lib/lwres/getnameinfo.c
index f0bdbcff..6056cda1 100644
--- a/lib/lwres/getnameinfo.c
+++ b/lib/lwres/getnameinfo.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: getnameinfo.c,v 1.30.2.5 2004/08/28 06:15:28 marka Exp $ */
+/* $Id: getnameinfo.c,v 1.30.2.3.2.3 2004/03/06 08:15:31 marka Exp $ */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -63,7 +63,6 @@
 #include <lwres/netdb.h>
 
 #include "assert_p.h"
-#include "print_p.h"
 
 #define SUCCESS 0
 
@@ -169,7 +168,7 @@ lwres_getnameinfo(const struct sockaddr *sa, size_t salen, char *host,
 		 */
 	} else if ((flags & NI_NUMERICSERV) != 0 ||
 		   (sp = getservbyport(port, proto)) == NULL) {
-		sprintf(numserv, "%d", ntohs(port));
+		snprintf(numserv, sizeof(numserv), "%d", ntohs(port));
 		if ((strlen(numserv) + 1) > servlen)
 			ERR(ENI_MEMORY);
 		strcpy(serv, numserv);
diff --git a/lib/lwres/getrrset.c b/lib/lwres/getrrset.c
index fe3dd855..6160039b 100644
--- a/lib/lwres/getrrset.c
+++ b/lib/lwres/getrrset.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: getrrset.c,v 1.11.2.5 2004/03/09 06:12:33 marka Exp $ */
+/* $Id: getrrset.c,v 1.11.2.3.2.2 2004/03/06 08:15:31 marka Exp $ */
 
 #include <config.h>
 
diff --git a/lib/lwres/herror.c b/lib/lwres/herror.c
index 4b91945d..1d0756a0 100644
--- a/lib/lwres/herror.c
+++ b/lib/lwres/herror.c
@@ -1,6 +1,6 @@
 /*
  * Portions Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Portions Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -51,7 +51,7 @@
 #if defined(LIBC_SCCS) && !defined(lint)
 static const char sccsid[] = "@(#)herror.c	8.1 (Berkeley) 6/4/93";
 static const char rcsid[] =
-	"$Id: herror.c,v 1.10.2.1 2004/03/09 06:12:33 marka Exp $";
+	"$Id: herror.c,v 1.10.12.2 2004/03/06 08:15:31 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include <config.h>
@@ -75,7 +75,7 @@ static const char *h_errlist[] = {
 	"No address associated with name",	/* 4 NO_ADDRESS */
 };
 
-static int	h_nerr = { sizeof h_errlist / sizeof h_errlist[0] };
+static int	h_nerr = { sizeof(h_errlist) / sizeof(h_errlist[0]) };
 
 
 /*
diff --git a/lib/lwres/include/Makefile.in b/lib/lwres/include/Makefile.in
index 11358205..dc075b95 100644
--- a/lib/lwres/include/Makefile.in
+++ b/lib/lwres/include/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.5.2.1 2004/03/09 06:12:36 marka Exp $
+# $Id: Makefile.in,v 1.5.206.1 2004/03/06 08:15:33 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/lwres/include/lwres/Makefile.in b/lib/lwres/include/lwres/Makefile.in
index 980a2b26..48c28f62 100644
--- a/lib/lwres/include/lwres/Makefile.in
+++ b/lib/lwres/include/lwres/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.19.2.1 2004/03/09 06:12:36 marka Exp $
+# $Id: Makefile.in,v 1.19.12.3 2004/03/08 09:05:11 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -25,7 +25,7 @@ top_srcdir =	@top_srcdir@
 # install target below.
 #
 HEADERS =	context.h lwbuffer.h lwpacket.h lwres.h result.h \
-		int.h lang.h list.h ipv6.h
+		int.h lang.h list.h ipv6.h version.h
 
 SUBDIRS =
 TARGETS =
diff --git a/lib/lwres/include/lwres/context.h b/lib/lwres/include/lwres/context.h
index 7d360fd2..962b142e 100644
--- a/lib/lwres/include/lwres/context.h
+++ b/lib/lwres/include/lwres/context.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: context.h,v 1.14.2.1 2004/03/09 06:12:36 marka Exp $ */
+/* $Id: context.h,v 1.14.206.1 2004/03/06 08:15:34 marka Exp $ */
 
 #ifndef LWRES_CONTEXT_H
 #define LWRES_CONTEXT_H 1
diff --git a/lib/lwres/include/lwres/int.h b/lib/lwres/include/lwres/int.h
index 70baf7ef..2523924e 100644
--- a/lib/lwres/include/lwres/int.h
+++ b/lib/lwres/include/lwres/int.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: int.h,v 1.7.2.1 2004/03/09 06:12:36 marka Exp $ */
+/* $Id: int.h,v 1.7.206.1 2004/03/06 08:15:34 marka Exp $ */
 
 #ifndef LWRES_INT_H
 #define LWRES_INT_H 1
diff --git a/lib/lwres/include/lwres/ipv6.h b/lib/lwres/include/lwres/ipv6.h
index ba85a2ed..5dc06d6a 100644
--- a/lib/lwres/include/lwres/ipv6.h
+++ b/lib/lwres/include/lwres/ipv6.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ipv6.h,v 1.9.2.1 2004/03/09 06:12:36 marka Exp $ */
+/* $Id: ipv6.h,v 1.9.206.1 2004/03/06 08:15:34 marka Exp $ */
 
 #ifndef LWRES_IPV6_H
 #define LWRES_IPV6_H 1
diff --git a/lib/lwres/include/lwres/lang.h b/lib/lwres/include/lwres/lang.h
index 9aa33fd4..bd99ec01 100644
--- a/lib/lwres/include/lwres/lang.h
+++ b/lib/lwres/include/lwres/lang.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lang.h,v 1.6.2.1 2004/03/09 06:12:36 marka Exp $ */
+/* $Id: lang.h,v 1.6.206.1 2004/03/06 08:15:35 marka Exp $ */
 
 #ifndef LWRES_LANG_H
 #define LWRES_LANG_H 1
diff --git a/lib/lwres/include/lwres/list.h b/lib/lwres/include/lwres/list.h
index cd6772ac..9b617879 100644
--- a/lib/lwres/include/lwres/list.h
+++ b/lib/lwres/include/lwres/list.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: list.h,v 1.7.2.1 2004/03/09 06:12:37 marka Exp $ */
+/* $Id: list.h,v 1.7.206.1 2004/03/06 08:15:35 marka Exp $ */
 
 #ifndef LWRES_LIST_H
 #define LWRES_LIST_H 1
diff --git a/lib/lwres/include/lwres/lwbuffer.h b/lib/lwres/include/lwres/lwbuffer.h
index a14caeb6..97f7b9d9 100644
--- a/lib/lwres/include/lwres/lwbuffer.h
+++ b/lib/lwres/include/lwres/lwbuffer.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwbuffer.h,v 1.15.2.1 2004/03/09 06:12:37 marka Exp $ */
+/* $Id: lwbuffer.h,v 1.15.206.1 2004/03/06 08:15:35 marka Exp $ */
 
 #ifndef LWRES_LWBUFFER_H
 #define LWRES_LWBUFFER_H 1
diff --git a/lib/lwres/include/lwres/lwpacket.h b/lib/lwres/include/lwres/lwpacket.h
index c1ae1dec..48f6a348 100644
--- a/lib/lwres/include/lwres/lwpacket.h
+++ b/lib/lwres/include/lwres/lwpacket.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwpacket.h,v 1.17.2.1 2004/03/09 06:12:37 marka Exp $ */
+/* $Id: lwpacket.h,v 1.17.206.1 2004/03/06 08:15:35 marka Exp $ */
 
 #ifndef LWRES_LWPACKET_H
 #define LWRES_LWPACKET_H 1
diff --git a/lib/lwres/include/lwres/lwres.h b/lib/lwres/include/lwres/lwres.h
index 6a77e29b..7260b00f 100644
--- a/lib/lwres/include/lwres/lwres.h
+++ b/lib/lwres/include/lwres/lwres.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwres.h,v 1.49.2.1 2004/03/09 06:12:37 marka Exp $ */
+/* $Id: lwres.h,v 1.49.12.3 2004/03/08 09:05:11 marka Exp $ */
 
 #ifndef LWRES_LWRES_H
 #define LWRES_LWRES_H 1
@@ -26,6 +26,7 @@
 #include <lwres/lang.h>
 #include <lwres/list.h>
 #include <lwres/lwpacket.h>
+#include <lwres/platform.h>
 
 /*
  * Design notes:
@@ -252,9 +253,9 @@ LWRES_LANG_BEGINDECLS
 /*
  * This is in host byte order.
  */
-extern lwres_uint16_t lwres_udp_port;
+LIBLWRES_EXTERNAL_DATA extern lwres_uint16_t lwres_udp_port;
 
-extern const char *lwres_resolv_conf;
+LIBLWRES_EXTERNAL_DATA extern const char *lwres_resolv_conf;
 
 lwres_result_t
 lwres_gabnrequest_render(lwres_context_t *ctx, lwres_gabnrequest_t *req,
diff --git a/lib/lwres/include/lwres/netdb.h.in b/lib/lwres/include/lwres/netdb.h.in
index e07ff20e..7bf545f4 100644
--- a/lib/lwres/include/lwres/netdb.h.in
+++ b/lib/lwres/include/lwres/netdb.h.in
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: netdb.h.in,v 1.34.2.1 2004/03/09 06:12:37 marka Exp $ */
+/* $Id: netdb.h.in,v 1.34.206.1 2004/03/06 08:15:35 marka Exp $ */
 
 #ifndef LWRES_NETDB_H
 #define LWRES_NETDB_H 1
diff --git a/lib/lwres/include/lwres/platform.h.in b/lib/lwres/include/lwres/platform.h.in
index abbdfb77..4363ca7d 100644
--- a/lib/lwres/include/lwres/platform.h.in
+++ b/lib/lwres/include/lwres/platform.h.in
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: platform.h.in,v 1.12.2.5 2005/05/08 23:54:56 marka Exp $ */
+/* $Id: platform.h.in,v 1.12.2.1.10.1 2004/03/06 08:15:36 marka Exp $ */
 
 #ifndef LWRES_PLATFORM_H
 #define LWRES_PLATFORM_H 1
@@ -78,16 +78,6 @@
  */
 @LWRES_PLATFORM_USEDECLSPEC@
 
-/*
- * Defined this system needs vsnprintf() and snprintf().
- */
-@LWRES_PLATFORM_NEEDVSNPRINTF@
-
-/*
- * The printf format string modifier to use with lwres_uint64_t values.
- */
-@LWRES_PLATFORM_QUADFORMAT@
-
 #ifndef LWRES_PLATFORM_USEDECLSPEC
 #define LIBLWRES_EXTERNAL_DATA
 #else
diff --git a/lib/lwres/include/lwres/result.h b/lib/lwres/include/lwres/result.h
index 67e85d83..617ae322 100644
--- a/lib/lwres/include/lwres/result.h
+++ b/lib/lwres/include/lwres/result.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: result.h,v 1.14.2.1 2004/03/09 06:12:38 marka Exp $ */
+/* $Id: result.h,v 1.14.206.1 2004/03/06 08:15:36 marka Exp $ */
 
 #ifndef LWRES_RESULT_H
 #define LWRES_RESULT_H 1
diff --git a/lib/lwres/win32/socket.c b/lib/lwres/include/lwres/version.h
index fdcd6d63..1b291cee 100644
--- a/lib/lwres/win32/socket.c
+++ b/lib/lwres/include/lwres/version.h
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,28 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: socket.c,v 1.3.10.2 2007/08/06 07:23:12 tbox Exp $ */
+/* $Id: version.h,v 1.2.224.3 2004/03/08 09:05:11 marka Exp $ */
 
-#include <stdio.h>
 #include <lwres/platform.h>
-#include <Winsock2.h>
 
-void
-InitSockets(void) {
-	WORD wVersionRequested;
-	WSADATA wsaData;
-	int err;
- 
-	wVersionRequested = MAKEWORD(2, 0);
- 
-	err = WSAStartup( wVersionRequested, &wsaData );
-	if (err != 0) {
-		fprintf(stderr, "WSAStartup() failed: %d\n", err);
-		exit(1);
-	}
-}
+LIBLWRES_EXTERNAL_DATA extern const char lwres_version[];
 
-void
-DestroySockets(void) {
-	WSACleanup();
-}
+LIBLWRES_EXTERNAL_DATA extern const unsigned int lwres_libinterface;
+LIBLWRES_EXTERNAL_DATA extern const unsigned int lwres_librevision;
+LIBLWRES_EXTERNAL_DATA extern const unsigned int lwres_libage;
diff --git a/lib/lwres/lwbuffer.c b/lib/lwres/lwbuffer.c
index 6fc71cce..69009f00 100644
--- a/lib/lwres/lwbuffer.c
+++ b/lib/lwres/lwbuffer.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwbuffer.c,v 1.10.2.1 2004/03/09 06:12:34 marka Exp $ */
+/* $Id: lwbuffer.c,v 1.10.206.1 2004/03/06 08:15:31 marka Exp $ */
 
 #include <config.h>
 
diff --git a/lib/lwres/lwconfig.c b/lib/lwres/lwconfig.c
index 07240f18..9fc78250 100644
--- a/lib/lwres/lwconfig.c
+++ b/lib/lwres/lwconfig.c
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwconfig.c,v 1.33.2.7 2006/10/03 23:50:49 marka Exp $ */
+/* $Id: lwconfig.c,v 1.33.2.1.2.5 2004/03/08 09:05:10 marka Exp $ */
 
 /***
  *** Module for parsing resolv.conf files.
@@ -220,13 +220,13 @@ lwres_conf_init(lwres_context_t *ctx) {
 	confdata->ndots = 1;
 	confdata->no_tld_query = 0;
 
-	for (i = 0 ; i < LWRES_CONFMAXNAMESERVERS ; i++)
+	for (i = 0; i < LWRES_CONFMAXNAMESERVERS; i++)
 		lwres_resetaddr(&confdata->nameservers[i]);
 
-	for (i = 0 ; i < LWRES_CONFMAXSEARCH ; i++)
+	for (i = 0; i < LWRES_CONFMAXSEARCH; i++)
 		confdata->search[i] = NULL;
 
-	for (i = 0 ; i < LWRES_CONFMAXSORTLIST ; i++) {
+	for (i = 0; i < LWRES_CONFMAXSORTLIST; i++) {
 		lwres_resetaddr(&confdata->sortlist[i].addr);
 		lwres_resetaddr(&confdata->sortlist[i].mask);
 	}
@@ -240,7 +240,7 @@ lwres_conf_clear(lwres_context_t *ctx) {
 	REQUIRE(ctx != NULL);
 	confdata = &ctx->confdata;
 
-	for (i = 0 ; i < confdata->nsnext ; i++)
+	for (i = 0; i < confdata->nsnext; i++)
 		lwres_resetaddr(&confdata->nameservers[i]);
 
 	if (confdata->domainname != NULL) {
@@ -249,7 +249,7 @@ lwres_conf_clear(lwres_context_t *ctx) {
 		confdata->domainname = NULL;
 	}
 
-	for (i = 0 ; i < confdata->searchnxt ; i++) {
+	for (i = 0; i < confdata->searchnxt; i++) {
 		if (confdata->search[i] != NULL) {
 			CTXFREE(confdata->search[i],
 				strlen(confdata->search[i]) + 1);
@@ -257,7 +257,7 @@ lwres_conf_clear(lwres_context_t *ctx) {
 		}
 	}
 
-	for (i = 0 ; i < LWRES_CONFMAXSORTLIST ; i++) {
+	for (i = 0; i < LWRES_CONFMAXSORTLIST; i++) {
 		lwres_resetaddr(&confdata->sortlist[i].addr);
 		lwres_resetaddr(&confdata->sortlist[i].mask);
 	}
@@ -277,7 +277,6 @@ lwres_conf_parsenameserver(lwres_context_t *ctx,  FILE *fp) {
 	char word[LWRES_CONFMAXLINELEN];
 	int res;
 	lwres_conf_t *confdata;
-	lwres_addr_t address;
 
 	confdata = &ctx->confdata;
 
@@ -293,9 +292,10 @@ lwres_conf_parsenameserver(lwres_context_t *ctx,  FILE *fp) {
 	if (res != EOF && res != '\n')
 		return (LWRES_R_FAILURE); /* Extra junk on line. */
 
-	res = lwres_create_addr(word, &address, 1);
-	if (res == LWRES_R_SUCCESS)
-		confdata->nameservers[confdata->nsnext++] = address;
+	res = lwres_create_addr(word,
+				&confdata->nameservers[confdata->nsnext++], 1);
+	if (res != LWRES_R_SUCCESS)
+		return (res);
 
 	return (LWRES_R_SUCCESS);
 }
@@ -352,7 +352,7 @@ lwres_conf_parsedomain(lwres_context_t *ctx,  FILE *fp) {
 	/*
 	 * Search and domain are mutually exclusive.
 	 */
-	for (i = 0 ; i < LWRES_CONFMAXSEARCH ; i++) {
+	for (i = 0; i < LWRES_CONFMAXSEARCH; i++) {
 		if (confdata->search[i] != NULL) {
 			CTXFREE(confdata->search[i],
 				strlen(confdata->search[i])+1);
@@ -389,7 +389,7 @@ lwres_conf_parsesearch(lwres_context_t *ctx,  FILE *fp) {
 	/*
 	 * Remove any previous search definitions.
 	 */
-	for (idx = 0 ; idx < LWRES_CONFMAXSEARCH ; idx++) {
+	for (idx = 0; idx < LWRES_CONFMAXSEARCH; idx++) {
 		if (confdata->search[idx] != NULL) {
 			CTXFREE(confdata->search[idx],
 				strlen(confdata->search[idx])+1);
@@ -559,7 +559,7 @@ lwres_conf_parse(lwres_context_t *ctx, const char *filename) {
 
 	errno = 0;
 	if ((fp = fopen(filename, "r")) == NULL)
-		return (LWRES_R_NOTFOUND);
+		return (LWRES_R_FAILURE);
 
 	ret = LWRES_R_SUCCESS;
 	do {
@@ -581,7 +581,7 @@ lwres_conf_parse(lwres_context_t *ctx, const char *filename) {
 			rval = lwres_conf_parsesearch(ctx, fp);
 		else if (strcmp(word, "sortlist") == 0)
 			rval = lwres_conf_parsesortlist(ctx, fp);
-		else if (strcmp(word, "option") == 0)
+		else if (strcmp(word, "options") == 0)
 			rval = lwres_conf_parseoption(ctx, fp);
 		else {
 			/* unrecognised word. Ignore entire line */
@@ -604,7 +604,7 @@ lwres_result_t
 lwres_conf_print(lwres_context_t *ctx, FILE *fp) {
 	int i;
 	int af;
-	char tmp[sizeof "ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255"];
+	char tmp[sizeof("ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255")];
 	const char *p;
 	lwres_conf_t *confdata;
 	lwres_addr_t tmpaddr;
@@ -614,7 +614,7 @@ lwres_conf_print(lwres_context_t *ctx, FILE *fp) {
 
 	REQUIRE(confdata->nsnext <= LWRES_CONFMAXNAMESERVERS);
 
-	for (i = 0 ; i < confdata->nsnext ; i++) {
+	for (i = 0; i < confdata->nsnext; i++) {
 		af = lwresaddr2af(confdata->nameservers[i].family);
 
 		p = lwres_net_ntop(af, confdata->nameservers[i].address,
@@ -625,7 +625,7 @@ lwres_conf_print(lwres_context_t *ctx, FILE *fp) {
 		fprintf(fp, "nameserver %s\n", tmp);
 	}
 
-	for (i = 0 ; i < confdata->lwnext ; i++) {
+	for (i = 0; i < confdata->lwnext; i++) {
 		af = lwresaddr2af(confdata->lwservers[i].family);
 
 		p = lwres_net_ntop(af, confdata->lwservers[i].address,
@@ -642,7 +642,7 @@ lwres_conf_print(lwres_context_t *ctx, FILE *fp) {
 		REQUIRE(confdata->searchnxt <= LWRES_CONFMAXSEARCH);
 
 		fprintf(fp, "search");
-		for (i = 0 ; i < confdata->searchnxt ; i++)
+		for (i = 0; i < confdata->searchnxt; i++)
 			fprintf(fp, " %s", confdata->search[i]);
 		fputc('\n', fp);
 	}
@@ -651,7 +651,7 @@ lwres_conf_print(lwres_context_t *ctx, FILE *fp) {
 
 	if (confdata->sortlistnxt > 0) {
 		fputs("sortlist", fp);
-		for (i = 0 ; i < confdata->sortlistnxt ; i++) {
+		for (i = 0; i < confdata->sortlistnxt; i++) {
 			af = lwresaddr2af(confdata->sortlist[i].addr.family);
 
 			p = lwres_net_ntop(af,
diff --git a/lib/lwres/lwinetaton.c b/lib/lwres/lwinetaton.c
index 660437f2..aa630271 100644
--- a/lib/lwres/lwinetaton.c
+++ b/lib/lwres/lwinetaton.c
@@ -70,7 +70,7 @@
 
 #if defined(LIBC_SCCS) && !defined(lint)
 static char sccsid[] = "@(#)inet_addr.c	8.1 (Berkeley) 6/17/93";
-static char rcsid[] = "$Id: lwinetaton.c,v 1.10.2.3 2004/03/09 06:12:34 marka Exp $";
+static char rcsid[] = "$Id: lwinetaton.c,v 1.10.2.1.2.1 2004/03/06 08:15:32 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include <config.h>
diff --git a/lib/lwres/lwinetntop.c b/lib/lwres/lwinetntop.c
index fdb60878..e0a1d9e8 100644
--- a/lib/lwres/lwinetntop.c
+++ b/lib/lwres/lwinetntop.c
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1996-2001  Internet Software Consortium.
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1996-2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -17,7 +17,7 @@
 
 #if defined(LIBC_SCCS) && !defined(lint)
 static char rcsid[] =
-	"$Id: lwinetntop.c,v 1.9.2.3 2005/11/04 00:16:32 marka Exp $";
+	"$Id: lwinetntop.c,v 1.9.12.2 2004/03/06 08:15:32 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include <config.h>
@@ -82,10 +82,11 @@ lwres_net_ntop(int af, const void *src, char *dst, size_t size) {
 static const char *
 inet_ntop4(const unsigned char *src, char *dst, size_t size) {
 	static const char fmt[] = "%u.%u.%u.%u";
-	char tmp[sizeof "255.255.255.255"];
+	char tmp[sizeof("255.255.255.255")];
+	size_t len;
 
-	if ((size_t)sprintf(tmp, fmt, src[0], src[1], src[2], src[3]) >= size)
-	{
+	len = snprintf(tmp, sizeof(tmp), fmt, src[0], src[1], src[2], src[3]);
+	if (len >= size) {
 		errno = ENOSPC;
 		return (NULL);
 	}
@@ -110,7 +111,7 @@ inet_ntop6(const unsigned char *src, char *dst, size_t size) {
 	 * Keep this in mind if you think this function should have been coded
 	 * to use pointer overlays.  All the world's not a VAX.
 	 */
-	char tmp[sizeof "ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255"], *tp;
+	char tmp[sizeof("ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255")], *tp;
 	struct { int base, len; } best, cur;
 	unsigned int words[NS_IN6ADDRSZ / NS_INT16SZ];
 	int i;
@@ -120,13 +121,11 @@ inet_ntop6(const unsigned char *src, char *dst, size_t size) {
 	 *	Copy the input (bytewise) array into a wordwise array.
 	 *	Find the longest run of 0x00's in src[] for :: shorthanding.
 	 */
-	memset(words, '\0', sizeof words);
+	memset(words, '\0', sizeof(words));
 	for (i = 0; i < NS_IN6ADDRSZ; i++)
 		words[i / 2] |= (src[i] << ((1 - (i % 2)) << 3));
 	best.base = -1;
-	best.len = 0;
 	cur.base = -1;
-	cur.len = 0;
 	for (i = 0; i < (NS_IN6ADDRSZ / NS_INT16SZ); i++) {
 		if (words[i] == 0) {
 			if (cur.base == -1)
@@ -167,12 +166,12 @@ inet_ntop6(const unsigned char *src, char *dst, size_t size) {
 		if (i == 6 && best.base == 0 &&
 		    (best.len == 6 || (best.len == 5 && words[5] == 0xffff))) {
 			if (!inet_ntop4(src+12, tp,
-					sizeof tmp - (tp - tmp)))
+					sizeof(tmp) - (tp - tmp)))
 				return (NULL);
 			tp += strlen(tp);
 			break;
 		}
-		tp += sprintf(tp, "%x", words[i]);
+		tp += sprintf(tp, "%x", words[i]); /* XXX */
 	}
 	/* Was it a trailing run of 0x00's? */
 	if (best.base != -1 && (best.base + best.len) ==
diff --git a/lib/lwres/lwinetpton.c b/lib/lwres/lwinetpton.c
index 3ba98bed..280b077c 100644
--- a/lib/lwres/lwinetpton.c
+++ b/lib/lwres/lwinetpton.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1996-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static char rcsid[] = "$Id: lwinetpton.c,v 1.6.2.3 2005/03/31 23:58:02 marka Exp $";
+static char rcsid[] = "$Id: lwinetpton.c,v 1.6.206.1 2004/03/06 08:15:32 marka Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include <config.h>
@@ -129,7 +129,7 @@ inet_pton6(const char *src, unsigned char *dst) {
 			  xdigits_u[] = "0123456789ABCDEF";
 	unsigned char tmp[NS_IN6ADDRSZ], *tp, *endp, *colonp;
 	const char *xdigits, *curtok;
-	int ch, seen_xdigits;
+	int ch, saw_xdigit;
 	unsigned int val;
 
 	memset((tp = tmp), '\0', NS_IN6ADDRSZ);
@@ -140,7 +140,7 @@ inet_pton6(const char *src, unsigned char *dst) {
 		if (*++src != ':')
 			return (0);
 	curtok = src;
-	seen_xdigits = 0;
+	saw_xdigit = 0;
 	val = 0;
 	while ((ch = *src++) != '\0') {
 		const char *pch;
@@ -150,13 +150,14 @@ inet_pton6(const char *src, unsigned char *dst) {
 		if (pch != NULL) {
 			val <<= 4;
 			val |= (pch - xdigits);
-			if (++seen_xdigits > 4)
+			if (val > 0xffff)
 				return (0);
+			saw_xdigit = 1;
 			continue;
 		}
 		if (ch == ':') {
 			curtok = src;
-			if (!seen_xdigits) {
+			if (!saw_xdigit) {
 				if (colonp)
 					return (0);
 				colonp = tp;
@@ -166,19 +167,19 @@ inet_pton6(const char *src, unsigned char *dst) {
 				return (0);
 			*tp++ = (unsigned char) (val >> 8) & 0xff;
 			*tp++ = (unsigned char) val & 0xff;
-			seen_xdigits = 0;
+			saw_xdigit = 0;
 			val = 0;
 			continue;
 		}
 		if (ch == '.' && ((tp + NS_INADDRSZ) <= endp) &&
 		    inet_pton4(curtok, tp) > 0) {
 			tp += NS_INADDRSZ;
-			seen_xdigits = 0;
+			saw_xdigit = 0;
 			break;	/* '\0' was seen by inet_pton4(). */
 		}
 		return (0);
 	}
-	if (seen_xdigits) {
+	if (saw_xdigit) {
 		if (tp + NS_INT16SZ > endp)
 			return (0);
 		*tp++ = (unsigned char) (val >> 8) & 0xff;
diff --git a/lib/lwres/lwpacket.c b/lib/lwres/lwpacket.c
index 903b356e..6e28df02 100644
--- a/lib/lwres/lwpacket.c
+++ b/lib/lwres/lwpacket.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwpacket.c,v 1.13.2.1 2004/03/09 06:12:34 marka Exp $ */
+/* $Id: lwpacket.c,v 1.13.206.1 2004/03/06 08:15:32 marka Exp $ */
 
 #include <config.h>
 
diff --git a/lib/lwres/lwres_gabn.c b/lib/lwres/lwres_gabn.c
index c4032ada..9df87ce6 100644
--- a/lib/lwres/lwres_gabn.c
+++ b/lib/lwres/lwres_gabn.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwres_gabn.c,v 1.27.2.1 2004/03/09 06:12:34 marka Exp $ */
+/* $Id: lwres_gabn.c,v 1.27.12.3 2004/03/08 09:05:10 marka Exp $ */
 
 #include <config.h>
 
@@ -120,7 +120,7 @@ lwres_gabnresponse_render(lwres_context_t *ctx, lwres_gabnresponse_t *req,
 	/* real name encoding */
 	payload_length += 2 + req->realnamelen + 1;
 	/* each alias */
-	for (x = 0 ; x < req->naliases ; x++)
+	for (x = 0; x < req->naliases; x++)
 		payload_length += 2 + req->aliaslen[x] + 1;
 	/* each address */
 	x = 0;
@@ -172,7 +172,7 @@ lwres_gabnresponse_render(lwres_context_t *ctx, lwres_gabnresponse_t *req,
 	lwres_buffer_putuint8(b, 0);
 
 	/* encode the aliases */
-	for (x = 0 ; x < req->naliases ; x++) {
+	for (x = 0; x < req->naliases; x++) {
 		datalen = req->aliaslen[x];
 		lwres_buffer_putuint16(b, datalen);
 		lwres_buffer_putmem(b, (unsigned char *)req->aliases[x],
@@ -303,7 +303,7 @@ lwres_gabnresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b,
 		}
 	}
 
-	for (x = 0 ; x < naddrs ; x++) {
+	for (x = 0; x < naddrs; x++) {
 		addr = CTXMALLOC(sizeof(lwres_addr_t));
 		if (addr == NULL) {
 			ret = LWRES_R_NOMEMORY;
@@ -323,7 +323,7 @@ lwres_gabnresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b,
 	/*
 	 * Parse off the aliases.
 	 */
-	for (x = 0 ; x < gabn->naliases ; x++) {
+	for (x = 0; x < gabn->naliases; x++) {
 		ret = lwres_string_parse(b, &gabn->aliases[x],
 					 &gabn->aliaslen[x]);
 		if (ret != LWRES_R_SUCCESS)
@@ -335,7 +335,7 @@ lwres_gabnresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b,
 	 * up above.
 	 */
 	addr = LWRES_LIST_HEAD(addrlist);
-	for (x = 0 ; x < gabn->naddrs ; x++) {
+	for (x = 0; x < gabn->naddrs; x++) {
 		INSIST(addr != NULL);
 		ret = lwres_addr_parse(b, addr);
 		if (ret != LWRES_R_SUCCESS)
diff --git a/lib/lwres/lwres_gnba.c b/lib/lwres/lwres_gnba.c
index 3da74745..a11c0665 100644
--- a/lib/lwres/lwres_gnba.c
+++ b/lib/lwres/lwres_gnba.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwres_gnba.c,v 1.20.2.3 2004/03/09 06:12:35 marka Exp $ */
+/* $Id: lwres_gnba.c,v 1.20.2.2.8.4 2004/03/08 09:05:11 marka Exp $ */
 
 #include <config.h>
 
@@ -110,7 +110,7 @@ lwres_gnbaresponse_render(lwres_context_t *ctx, lwres_gnbaresponse_t *req,
 	payload_length = 4;			       /* flags */
 	payload_length += 2;			       /* naliases */
 	payload_length += 2 + req->realnamelen + 1;    /* real name encoding */
-	for (x = 0 ; x < req->naliases ; x++)	       /* each alias */
+	for (x = 0; x < req->naliases; x++)	       /* each alias */
 		payload_length += 2 + req->aliaslen[x] + 1;
 
 	buflen = LWRES_LWPACKET_LENGTH + payload_length;
@@ -146,7 +146,7 @@ lwres_gnbaresponse_render(lwres_context_t *ctx, lwres_gnbaresponse_t *req,
 	lwres_buffer_putuint8(b, 0);
 
 	/* encode the aliases */
-	for (x = 0 ; x < req->naliases ; x++) {
+	for (x = 0; x < req->naliases; x++) {
 		datalen = req->aliaslen[x];
 		lwres_buffer_putuint16(b, datalen);
 		lwres_buffer_putmem(b, (unsigned char *)req->aliases[x],
@@ -264,7 +264,7 @@ lwres_gnbaresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b,
 	/*
 	 * Parse off the aliases.
 	 */
-	for (x = 0 ; x < gnba->naliases ; x++) {
+	for (x = 0; x < gnba->naliases; x++) {
 		ret = lwres_string_parse(b, &gnba->aliases[x],
 					 &gnba->aliaslen[x]);
 		if (ret != LWRES_R_SUCCESS)
diff --git a/lib/lwres/lwres_grbn.c b/lib/lwres/lwres_grbn.c
index eaf3164d..f8147fc6 100644
--- a/lib/lwres/lwres_grbn.c
+++ b/lib/lwres/lwres_grbn.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwres_grbn.c,v 1.4.2.1 2004/03/09 06:12:35 marka Exp $ */
+/* $Id: lwres_grbn.c,v 1.4.12.3 2004/03/08 09:05:11 marka Exp $ */
 
 #include <config.h>
 
@@ -124,9 +124,9 @@ lwres_grbnresponse_render(lwres_context_t *ctx, lwres_grbnresponse_t *req,
 	/* real name encoding */
 	payload_length += 2 + req->realnamelen + 1;
 	/* each rr */
-	for (x = 0 ; x < req->nrdatas ; x++)
+	for (x = 0; x < req->nrdatas; x++)
 		payload_length += 2 + req->rdatalen[x];
-	for (x = 0 ; x < req->nsigs ; x++)
+	for (x = 0; x < req->nsigs; x++)
 		payload_length += 2 + req->siglen[x];
 
 	buflen = LWRES_LWPACKET_LENGTH + payload_length;
@@ -171,14 +171,14 @@ lwres_grbnresponse_render(lwres_context_t *ctx, lwres_grbnresponse_t *req,
 	lwres_buffer_putuint8(b, 0);
 
 	/* encode the rdatas */
-	for (x = 0 ; x < req->nrdatas ; x++) {
+	for (x = 0; x < req->nrdatas; x++) {
 		datalen = req->rdatalen[x];
 		lwres_buffer_putuint16(b, datalen);
 		lwres_buffer_putmem(b, req->rdatas[x], datalen);
 	}
 
 	/* encode the signatures */
-	for (x = 0 ; x < req->nsigs ; x++) {
+	for (x = 0; x < req->nsigs; x++) {
 		datalen = req->siglen[x];
 		lwres_buffer_putuint16(b, datalen);
 		lwres_buffer_putmem(b, req->sigs[x], datalen);
@@ -335,7 +335,7 @@ lwres_grbnresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b,
 	/*
 	 * Parse off the rdatas.
 	 */
-	for (x = 0 ; x < grbn->nrdatas ; x++) {
+	for (x = 0; x < grbn->nrdatas; x++) {
 		ret = lwres_data_parse(b, &grbn->rdatas[x],
 					 &grbn->rdatalen[x]);
 		if (ret != LWRES_R_SUCCESS)
@@ -345,7 +345,7 @@ lwres_grbnresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b,
 	/*
 	 * Parse off the signatures.
 	 */
-	for (x = 0 ; x < grbn->nsigs ; x++) {
+	for (x = 0; x < grbn->nsigs; x++) {
 		ret = lwres_data_parse(b, &grbn->sigs[x], &grbn->siglen[x]);
 		if (ret != LWRES_R_SUCCESS)
 			goto out;
diff --git a/lib/lwres/lwres_noop.c b/lib/lwres/lwres_noop.c
index dacdb279..f67c2b3c 100644
--- a/lib/lwres/lwres_noop.c
+++ b/lib/lwres/lwres_noop.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwres_noop.c,v 1.14.2.1 2004/03/09 06:12:35 marka Exp $ */
+/* $Id: lwres_noop.c,v 1.14.206.1 2004/03/06 08:15:33 marka Exp $ */
 
 #include <config.h>
 
diff --git a/lib/lwres/lwresutil.c b/lib/lwres/lwresutil.c
index cc53bdd1..1035f170 100644
--- a/lib/lwres/lwresutil.c
+++ b/lib/lwres/lwresutil.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwresutil.c,v 1.29.2.1 2004/03/09 06:12:35 marka Exp $ */
+/* $Id: lwresutil.c,v 1.29.206.1 2004/03/06 08:15:33 marka Exp $ */
 
 #include <config.h>
 
diff --git a/lib/lwres/man/Makefile.in b/lib/lwres/man/Makefile.in
index ce06ef2a..a591a2a2 100644
--- a/lib/lwres/man/Makefile.in
+++ b/lib/lwres/man/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.6.2.1 2004/03/09 06:12:38 marka Exp $
+# $Id: Makefile.in,v 1.6.206.1 2004/03/06 08:15:36 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/lwres/man/lwres.3 b/lib/lwres/man/lwres.3
index ee115b40..ad125d26 100644
--- a/lib/lwres/man/lwres.3
+++ b/lib/lwres/man/lwres.3
@@ -1,145 +1,144 @@
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\" 
+.\" Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001  Internet Software Consortium.
+.\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
 .\" copyright notice and this permission notice appear in all copies.
-.\" 
+.\"
 .\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 .\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 .\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 .\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres.3,v 1.15.2.8 2007/01/30 00:10:37 marka Exp $
-.\"
-.hy 0
-.ad l
-.\"     Title: lwres
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: Jun 30, 2000
-.\"    Manual: BIND9
-.\"    Source: BIND9
+.\" $Id: lwres.3,v 1.15.206.1 2004/03/06 07:41:42 marka Exp $
 .\"
-.TH "LWRES" "3" "Jun 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
+.TH "LWRES" "3" "Jun 30, 2000" "BIND9" ""
+.SH NAME
 lwres \- introduction to the lightweight resolver library
-.SH "SYNOPSIS"
-.nf
-#include <lwres/lwres.h>
-.fi
+.SH SYNOPSIS
+\fB#include <lwres/lwres.h>\fR
 .SH "DESCRIPTION"
 .PP
-The BIND 9 lightweight resolver library is a simple, name service independent stub resolver library. It provides hostname\-to\-address and address\-to\-hostname lookup services to applications by transmitting lookup requests to a resolver daemon
+The BIND 9 lightweight resolver library is a simple, name service
+independent stub resolver library. It provides hostname-to-address
+and address-to-hostname lookup services to applications by
+transmitting lookup requests to a resolver daemon
 \fBlwresd\fR
-running on the local host. The resover daemon performs the lookup using the DNS or possibly other name service protocols, and returns the results to the application through the library. The library and resolver daemon communicate using a simple UDP\-based protocol.
+running on the local host. The resover daemon performs the
+lookup using the DNS or possibly other name service protocols,
+and returns the results to the application through the library. 
+The library and resolver daemon communicate using a simple
+UDP-based protocol.
 .SH "OVERVIEW"
 .PP
-The lwresd library implements multiple name service APIs. The standard
+The lwresd library implements multiple name service APIs.
+The standard
 \fBgethostbyname()\fR,
 \fBgethostbyaddr()\fR,
 \fBgethostbyname_r()\fR,
 \fBgethostbyaddr_r()\fR,
 \fBgetaddrinfo()\fR,
-\fBgetipnodebyname()\fR, and
+\fBgetipnodebyname()\fR,
+and
 \fBgetipnodebyaddr()\fR
-functions are all supported. To allow the lwres library to coexist with system libraries that define functions of the same name, the library defines these functions with names prefixed by
-lwres_. To define the standard names, applications must include the header file
+functions are all supported. To allow the lwres library to coexist
+with system libraries that define functions of the same name,
+the library defines these functions with names prefixed by
+lwres_.
+To define the standard names, applications must include the
+header file
 \fI<lwres/netdb.h>\fR
-which contains macro definitions mapping the standard function names into
+which contains macro definitions mapping the standard function names
+into
 lwres_
-prefixed ones. Operating system vendors who integrate the lwres library into their base distributions should rename the functions in the library proper so that the renaming macros are not needed.
+prefixed ones. Operating system vendors who integrate the lwres
+library into their base distributions should rename the functions
+in the library proper so that the renaming macros are not needed.
 .PP
 The library also provides a native API consisting of the functions
 \fBlwres_getaddrsbyname()\fR
 and
-\fBlwres_getnamebyaddr()\fR. These may be called by applications that require more detailed control over the lookup process than the standard functions provide.
-.PP
-In addition to these name service independent address lookup functions, the library implements a new, experimental API for looking up arbitrary DNS resource records, using the
+\fBlwres_getnamebyaddr()\fR.
+These may be called by applications that require more detailed
+control over the lookup process than the standard functions
+provide.
+.PP
+In addition to these name service independent address lookup
+functions, the library implements a new, experimental API
+for looking up arbitrary DNS resource records, using the
 \fBlwres_getaddrsbyname()\fR
 function.
 .PP
-Finally, there is a low\-level API for converting lookup requests and responses to and from raw lwres protocol packets. This API can be used by clients requiring nonblocking operation, and is also used when implementing the server side of the lwres protocol, for example in the
+Finally, there is a low-level API for converting lookup
+requests and responses to and from raw lwres protocol packets. 
+This API can be used by clients requiring nonblocking operation, 
+and is also used when implementing the server side of the lwres
+protocol, for example in the
 \fBlwresd\fR
-resolver daemon. The use of this low\-level API in clients and servers is outlined in the following sections.
-.SH "CLIENT\-SIDE LOW\-LEVEL API CALL FLOW"
+resolver daemon. The use of this low-level API in clients
+and servers is outlined in the following sections.
+.SH "CLIENT-SIDE LOW-LEVEL API CALL FLOW"
 .PP
-When a client program wishes to make an lwres request using the native low\-level API, it typically performs the following sequence of actions.
+When a client program wishes to make an lwres request using the
+native low-level API, it typically performs the following 
+sequence of actions.
 .PP
-(1) Allocate or use an existing
-\fBlwres_packet_t\fR, called
-\fIpkt\fR
-below.
+(1) Allocate or use an existing \fBlwres_packet_t\fR,
+called pkt below.
 .PP
-(2) Set
-pkt.recvlength
-to the maximum length we will accept. This is done so the receiver of our packets knows how large our receive buffer is. The "default" is a constant in
-\fIlwres.h\fR:
-\fBLWRES_RECVLENGTH = 4096\fR.
+(2) Set \fBpkt.recvlength\fR to the maximum length we will accept. 
+This is done so the receiver of our packets knows how large our receive 
+buffer is. The "default" is a constant in
+\fIlwres.h\fR: LWRES_RECVLENGTH = 4096.
 .PP
-(3) Set
-pkt.serial
-to a unique serial number. This value is echoed back to the application by the remote server.
+(3) Set \fBpkt.serial\fR
+to a unique serial number. This value is echoed
+back to the application by the remote server.
 .PP
-(4) Set
-pkt.pktflags. Usually this is set to 0.
+(4) Set \fBpkt.pktflags\fR. Usually this is set to 0.
 .PP
-(5) Set
-pkt.result
-to 0.
+(5) Set \fBpkt.result\fR to 0.
 .PP
-(6) Call
-\fBlwres_*request_render()\fR, or marshall in the data using the primitives such as
-\fBlwres_packet_render()\fR
+(6) Call \fBlwres_*request_render()\fR, 
+or marshall in the data using the primitives
+such as \fBlwres_packet_render()\fR
 and storing the packet data.
 .PP
 (7) Transmit the resulting buffer.
 .PP
-(8) Call
-\fBlwres_*response_parse()\fR
+(8) Call \fBlwres_*response_parse()\fR
 to parse any packets received.
 .PP
-(9) Verify that the opcode and serial match a request, and process the packet specific information contained in the body.
-.SH "SERVER\-SIDE LOW\-LEVEL API CALL FLOW"
+(9) Verify that the opcode and serial match a request, and process the
+packet specific information contained in the body.
+.SH "SERVER-SIDE LOW-LEVEL API CALL FLOW"
 .PP
-When implementing the server side of the lightweight resolver protocol using the lwres library, a sequence of actions like the following is typically involved in processing each request packet.
+When implementing the server side of the lightweight resolver
+protocol using the lwres library, a sequence of actions like the
+following is typically involved in processing each request packet.
 .PP
-Note that the same
-\fBlwres_packet_t\fR
-is used in both the
-\fB_parse()\fR
-and
-\fB_render()\fR
-calls, with only a few modifications made to the packet header's contents between uses. This method is recommended as it keeps the serial, opcode, and other fields correct.
+Note that the same \fBlwres_packet_t\fR is used
+in both the \fB_parse()\fR and \fB_render()\fR calls,
+with only a few modifications made
+to the packet header's contents between uses. This method is recommended
+as it keeps the serial, opcode, and other fields correct.
 .PP
-(1) When a packet is received, call
-\fBlwres_*request_parse()\fR
-to unmarshall it. This returns a
-\fBlwres_packet_t\fR
-(also called
-\fIpkt\fR, below) as well as a data specific type, such as
-\fBlwres_gabnrequest_t\fR.
+(1) When a packet is received, call \fBlwres_*request_parse()\fR to
+unmarshall it. This returns a \fBlwres_packet_t\fR (also called pkt, below)
+as well as a data specific type, such as \fBlwres_gabnrequest_t\fR.
 .PP
 (2) Process the request in the data specific type.
 .PP
-(3) Set the
-pkt.result,
-pkt.recvlength
-as above. All other fields can be left untouched since they were filled in by the
-\fB*_parse()\fR
-call above. If using
-\fBlwres_*response_render()\fR,
-pkt.pktflags
-will be set up properly. Otherwise, the
-\fBLWRES_LWPACKETFLAG_RESPONSE\fR
-bit should be set.
+(3) Set the \fBpkt.result\fR,
+\fBpkt.recvlength\fR as above. All other fields can
+be left untouched since they were filled in by the \fB*_parse()\fR call
+above. If using \fBlwres_*response_render()\fR,
+\fBpkt.pktflags\fR will be set up
+properly. Otherwise, the LWRES_LWPACKETFLAG_RESPONSE bit should be
+set.
 .PP
 (4) Call the data specific rendering function, such as
 \fBlwres_gabnresponse_render()\fR.
@@ -158,8 +157,3 @@ bit should be set.
 \fBlwres_config\fR(3),
 \fBresolver\fR(5),
 \fBlwresd\fR(8).
-.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000, 2001 Internet Software Consortium.
-.br
diff --git a/lib/lwres/man/lwres.docbook b/lib/lwres/man/lwres.docbook
index c388c3ab..511d82e9 100644
--- a/lib/lwres/man/lwres.docbook
+++ b/lib/lwres/man/lwres.docbook
@@ -1,9 +1,7 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
 <!--
- - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001  Internet Software Consortium.
+ - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -18,7 +16,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: lwres.docbook,v 1.3.2.5 2007/01/29 23:57:17 marka Exp $ -->
+<!-- $Id: lwres.docbook,v 1.3.206.1 2004/03/06 08:15:37 marka Exp $ -->
 
 <refentry>
 <refentryinfo>
@@ -30,21 +28,6 @@
 <manvolnum>3</manvolnum>
 <refmiscinfo>BIND9</refmiscinfo>
 </refmeta>
-
-  <docinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2007</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
-  </docinfo>
-
 <refnamediv>
 <refname>lwres</refname>
 <refpurpose>introduction to the lightweight resolver library</refpurpose>
diff --git a/lib/lwres/man/lwres.html b/lib/lwres/man/lwres.html
index 20c0e667..0e54c66d 100644
--- a/lib/lwres/man/lwres.html
+++ b/lib/lwres/man/lwres.html
@@ -1,216 +1,447 @@
 <!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- - 
+ - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001  Internet Software Consortium.
+ -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
- - 
+ -
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres.html,v 1.4.2.16 2007/01/30 00:10:38 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>lwres</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476275"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p>lwres &#8212; introduction to the lightweight resolver library</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="funcsynopsis"><pre class="funcsynopsisinfo">#include &lt;lwres/lwres.h&gt;</pre></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543338"></a><h2>DESCRIPTION</h2>
-<p>
-The BIND 9 lightweight resolver library is a simple, name service
+
+<!-- $Id: lwres.html,v 1.4.2.1.4.1 2004/03/06 08:15:37 marka Exp $ -->
+
+<HTML
+><HEAD
+><TITLE
+>lwres</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.73
+"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+>lwres</A
+></H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN8"
+></A
+><H2
+>Name</H2
+>lwres&nbsp;--&nbsp;introduction to the lightweight resolver library</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN11"
+></A
+><H2
+>Synopsis</H2
+><DIV
+CLASS="FUNCSYNOPSIS"
+><A
+NAME="AEN12"
+></A
+><P
+></P
+><PRE
+CLASS="FUNCSYNOPSISINFO"
+>#include &lt;lwres/lwres.h&gt;</PRE
+><P
+></P
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN14"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+>The BIND 9 lightweight resolver library is a simple, name service
 independent stub resolver library.  It provides hostname-to-address
 and address-to-hostname lookup services to applications by
 transmitting lookup requests to a resolver daemon
-<span><strong class="command">lwresd</strong></span>
+<B
+CLASS="COMMAND"
+>lwresd</B
+>
 running on the local host. The resover daemon performs the
 lookup using the DNS or possibly other name service protocols,
 and returns the results to the application through the library.  
 The library and resolver daemon communicate using a simple
-UDP-based protocol.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543351"></a><h2>OVERVIEW</h2>
-<p>
-The lwresd library implements multiple name service APIs.
+UDP-based protocol.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN18"
+></A
+><H2
+>OVERVIEW</H2
+><P
+>The lwresd library implements multiple name service APIs.
 The standard
-<code class="function">gethostbyname()</code>,
-<code class="function">gethostbyaddr()</code>,
-<code class="function">gethostbyname_r()</code>,
-<code class="function">gethostbyaddr_r()</code>,
-<code class="function">getaddrinfo()</code>,
-<code class="function">getipnodebyname()</code>,
+<TT
+CLASS="FUNCTION"
+>gethostbyname()</TT
+>,
+<TT
+CLASS="FUNCTION"
+>gethostbyaddr()</TT
+>,
+<TT
+CLASS="FUNCTION"
+>gethostbyname_r()</TT
+>,
+<TT
+CLASS="FUNCTION"
+>gethostbyaddr_r()</TT
+>,
+<TT
+CLASS="FUNCTION"
+>getaddrinfo()</TT
+>,
+<TT
+CLASS="FUNCTION"
+>getipnodebyname()</TT
+>,
 and
-<code class="function">getipnodebyaddr()</code>
+<TT
+CLASS="FUNCTION"
+>getipnodebyaddr()</TT
+>
 functions are all supported.  To allow the lwres library to coexist
 with system libraries that define functions of the same name,
 the library defines these functions with names prefixed by
-<code class="literal">lwres_</code>.
+<TT
+CLASS="LITERAL"
+>lwres_</TT
+>.
 To define the standard names, applications must include the
 header file
-<code class="filename">&lt;lwres/netdb.h&gt;</code>
+<TT
+CLASS="FILENAME"
+>&lt;lwres/netdb.h&gt;</TT
+>
 which contains macro definitions mapping the standard function names
 into
-<code class="literal">lwres_</code>
+<TT
+CLASS="LITERAL"
+>lwres_</TT
+>
 prefixed ones.  Operating system vendors who integrate the lwres
 library into their base distributions should rename the functions
-in the library proper so that the renaming macros are not needed.
-</p>
-<p>
-The library also provides a native API consisting of the functions
-<code class="function">lwres_getaddrsbyname()</code>
+in the library proper so that the renaming macros are not needed.</P
+><P
+>The library also provides a native API consisting of the functions
+<TT
+CLASS="FUNCTION"
+>lwres_getaddrsbyname()</TT
+>
 and
-<code class="function">lwres_getnamebyaddr()</code>.
+<TT
+CLASS="FUNCTION"
+>lwres_getnamebyaddr()</TT
+>.
 These may be called by applications that require more detailed
 control over the lookup process than the standard functions
-provide.
-</p>
-<p>
-In addition to these name service independent address lookup
+provide.</P
+><P
+>In addition to these name service independent address lookup
 functions, the library implements a new, experimental API
 for looking up arbitrary DNS resource records, using the
-<code class="function">lwres_getaddrsbyname()</code>
-function.
-</p>
-<p>
-Finally, there is a low-level API for converting lookup
+<TT
+CLASS="FUNCTION"
+>lwres_getaddrsbyname()</TT
+>
+function.</P
+><P
+>Finally, there is a low-level API for converting lookup
 requests and responses to and from raw lwres protocol packets.  
 This API can be used by clients requiring nonblocking operation, 
 and is also used when implementing the server side of the lwres
 protocol, for example in the
-<span><strong class="command">lwresd</strong></span>
+<B
+CLASS="COMMAND"
+>lwresd</B
+>
 resolver daemon.  The use of this low-level API in clients
-and servers is outlined in the following sections.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543415"></a><h2>CLIENT-SIDE LOW-LEVEL API CALL FLOW</h2>
-<p>
-When a client program wishes to make an lwres request using the
+and servers is outlined in the following sections.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN38"
+></A
+><H2
+>CLIENT-SIDE LOW-LEVEL API CALL FLOW</H2
+><P
+>When a client program wishes to make an lwres request using the
 native low-level API, it typically performs the following 
-sequence of actions.
-</p>
-<p>
-(1) Allocate or use an existing <span class="type">lwres_packet_t</span>,
-called <code class="varname">pkt</code> below.
-</p>
-<p>
-(2) Set <em class="structfield"><code>pkt.recvlength</code></em> to the maximum length we will accept.  
+sequence of actions.</P
+><P
+>(1) Allocate or use an existing <SPAN
+CLASS="TYPE"
+>lwres_packet_t</SPAN
+>,
+called <TT
+CLASS="VARNAME"
+>pkt</TT
+> below.</P
+><P
+>(2) Set <TT
+CLASS="STRUCTFIELD"
+><I
+>pkt.recvlength</I
+></TT
+> to the maximum length we will accept.  
 This is done so the receiver of our packets knows how large our receive 
 buffer is.  The "default" is a constant in
-<code class="filename">lwres.h</code>: <code class="constant">LWRES_RECVLENGTH = 4096</code>.
-</p>
-<p>
-(3) Set <em class="structfield"><code>pkt.serial</code></em>
+<TT
+CLASS="FILENAME"
+>lwres.h</TT
+>: <TT
+CLASS="CONSTANT"
+>LWRES_RECVLENGTH = 4096</TT
+>.</P
+><P
+>(3) Set <TT
+CLASS="STRUCTFIELD"
+><I
+>pkt.serial</I
+></TT
+>
 to a unique serial number.  This value is echoed
-back to the application by the remote server.
-</p>
-<p>
-(4) Set <em class="structfield"><code>pkt.pktflags</code></em>.  Usually this is set to 0.
-</p>
-<p>
-(5) Set <em class="structfield"><code>pkt.result</code></em> to 0.
-</p>
-<p>
-(6) Call <code class="function">lwres_*request_render()</code>, 
+back to the application by the remote server.</P
+><P
+>(4) Set <TT
+CLASS="STRUCTFIELD"
+><I
+>pkt.pktflags</I
+></TT
+>.  Usually this is set to 0.</P
+><P
+>(5) Set <TT
+CLASS="STRUCTFIELD"
+><I
+>pkt.result</I
+></TT
+> to 0.</P
+><P
+>(6) Call <TT
+CLASS="FUNCTION"
+>lwres_*request_render()</TT
+>, 
 or marshall in the data using the primitives
-such as <code class="function">lwres_packet_render()</code>
-and storing the packet data.
-</p>
-<p>
-(7) Transmit the resulting buffer.
-</p>
-<p>
-(8) Call <code class="function">lwres_*response_parse()</code>
-to parse any packets received.
-</p>
-<p>
-(9) Verify that the opcode and serial match a request, and process the
-packet specific information contained in the body.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543494"></a><h2>SERVER-SIDE LOW-LEVEL API CALL FLOW</h2>
-<p>
-When implementing the server side of the lightweight resolver
+such as <TT
+CLASS="FUNCTION"
+>lwres_packet_render()</TT
+>
+and storing the packet data.</P
+><P
+>(7) Transmit the resulting buffer.</P
+><P
+>(8) Call <TT
+CLASS="FUNCTION"
+>lwres_*response_parse()</TT
+>
+to parse any packets received.</P
+><P
+>(9) Verify that the opcode and serial match a request, and process the
+packet specific information contained in the body.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN61"
+></A
+><H2
+>SERVER-SIDE LOW-LEVEL API CALL FLOW</H2
+><P
+>When implementing the server side of the lightweight resolver
 protocol using the lwres library, a sequence of actions like the
-following is typically involved in processing each request packet.
-</p>
-<p>
-Note that the same <span class="type">lwres_packet_t</span> is used
-in both the <code class="function">_parse()</code> and <code class="function">_render()</code> calls,
+following is typically involved in processing each request packet.</P
+><P
+>Note that the same <SPAN
+CLASS="TYPE"
+>lwres_packet_t</SPAN
+> is used
+in both the <TT
+CLASS="FUNCTION"
+>_parse()</TT
+> and <TT
+CLASS="FUNCTION"
+>_render()</TT
+> calls,
 with only a few modifications made
 to the packet header's contents between uses.  This method is recommended
-as it keeps the serial, opcode, and other fields correct.
-</p>
-<p>
-(1) When a packet is received, call <code class="function">lwres_*request_parse()</code> to
-unmarshall it.  This returns a <span class="type">lwres_packet_t</span> (also called <code class="varname">pkt</code>, below)
-as well as a data specific type, such as <span class="type">lwres_gabnrequest_t</span>.
-</p>
-<p>
-(2) Process the request in the data specific type.
-</p>
-<p>
-(3) Set the <em class="structfield"><code>pkt.result</code></em>,
-<em class="structfield"><code>pkt.recvlength</code></em> as above.  All other fields can
-be left untouched since they were filled in by the <code class="function">*_parse()</code> call
-above.  If using <code class="function">lwres_*response_render()</code>,
-<em class="structfield"><code>pkt.pktflags</code></em> will be set up
-properly.  Otherwise, the <code class="constant">LWRES_LWPACKETFLAG_RESPONSE</code> bit should be
-set.
-</p>
-<p>
-(4) Call the data specific rendering function, such as
-<code class="function">lwres_gabnresponse_render()</code>.
-</p>
-<p>
-(5) Send the resulting packet to the client.
-</p>
-<p>
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543579"></a><h2>SEE ALSO</h2>
-<p>
-<span class="citerefentry"><span class="refentrytitle">lwres_gethostent</span>(3)</span>,
-
-<span class="citerefentry"><span class="refentrytitle">lwres_getipnode</span>(3)</span>,
+as it keeps the serial, opcode, and other fields correct.</P
+><P
+>(1) When a packet is received, call <TT
+CLASS="FUNCTION"
+>lwres_*request_parse()</TT
+> to
+unmarshall it.  This returns a <SPAN
+CLASS="TYPE"
+>lwres_packet_t</SPAN
+> (also called <TT
+CLASS="VARNAME"
+>pkt</TT
+>, below)
+as well as a data specific type, such as <SPAN
+CLASS="TYPE"
+>lwres_gabnrequest_t</SPAN
+>.</P
+><P
+>(2) Process the request in the data specific type.</P
+><P
+>(3) Set the <TT
+CLASS="STRUCTFIELD"
+><I
+>pkt.result</I
+></TT
+>,
+<TT
+CLASS="STRUCTFIELD"
+><I
+>pkt.recvlength</I
+></TT
+> as above.  All other fields can
+be left untouched since they were filled in by the <TT
+CLASS="FUNCTION"
+>*_parse()</TT
+> call
+above.  If using <TT
+CLASS="FUNCTION"
+>lwres_*response_render()</TT
+>,
+<TT
+CLASS="STRUCTFIELD"
+><I
+>pkt.pktflags</I
+></TT
+> will be set up
+properly.  Otherwise, the <TT
+CLASS="CONSTANT"
+>LWRES_LWPACKETFLAG_RESPONSE</TT
+> bit should be
+set.</P
+><P
+>(4) Call the data specific rendering function, such as
+<TT
+CLASS="FUNCTION"
+>lwres_gabnresponse_render()</TT
+>.</P
+><P
+>(5) Send the resulting packet to the client.</P
+><P
+></P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN85"
+></A
+><H2
+>SEE ALSO</H2
+><P
+><SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres_gethostent</SPAN
+>(3)</SPAN
+>,
 
-<span class="citerefentry"><span class="refentrytitle">lwres_getnameinfo</span>(3)</span>,
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres_getipnode</SPAN
+>(3)</SPAN
+>,
 
-<span class="citerefentry"><span class="refentrytitle">lwres_noop</span>(3)</span>,
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres_getnameinfo</SPAN
+>(3)</SPAN
+>,
 
-<span class="citerefentry"><span class="refentrytitle">lwres_gabn</span>(3)</span>,
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres_noop</SPAN
+>(3)</SPAN
+>,
 
-<span class="citerefentry"><span class="refentrytitle">lwres_gnba</span>(3)</span>,
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres_gabn</SPAN
+>(3)</SPAN
+>,
 
-<span class="citerefentry"><span class="refentrytitle">lwres_context</span>(3)</span>,
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres_gnba</SPAN
+>(3)</SPAN
+>,
 
-<span class="citerefentry"><span class="refentrytitle">lwres_config</span>(3)</span>,
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres_context</SPAN
+>(3)</SPAN
+>,
 
-<span class="citerefentry"><span class="refentrytitle">resolver</span>(5)</span>,
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres_config</SPAN
+>(3)</SPAN
+>,
 
-<span class="citerefentry"><span class="refentrytitle">lwresd</span>(8)</span>.
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>resolver</SPAN
+>(5)</SPAN
+>,
 
-</p>
-</div>
-</div></body>
-</html>
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwresd</SPAN
+>(8)</SPAN
+>.&#13;</P
+></DIV
+></BODY
+></HTML
+>
diff --git a/lib/lwres/man/lwres_buffer.3 b/lib/lwres/man/lwres_buffer.3
index 78208eac..232742aa 100644
--- a/lib/lwres/man/lwres_buffer.3
+++ b/lib/lwres/man/lwres_buffer.3
@@ -1,119 +1,169 @@
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\" 
+.\" Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001  Internet Software Consortium.
+.\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
 .\" copyright notice and this permission notice appear in all copies.
-.\" 
+.\"
 .\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 .\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 .\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 .\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_buffer.3,v 1.12.2.9 2007/01/30 00:10:37 marka Exp $
-.\"
-.hy 0
-.ad l
-.\"     Title: lwres_buffer
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: Jun 30, 2000
-.\"    Manual: BIND9
-.\"    Source: BIND9
+.\" $Id: lwres_buffer.3,v 1.12.2.1.8.1 2004/03/06 07:41:42 marka Exp $
 .\"
-.TH "LWRES_BUFFER" "3" "Jun 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
+.TH "LWRES_BUFFER" "3" "Jun 30, 2000" "BIND9" ""
+.SH NAME
 lwres_buffer_init, lwres_buffer_invalidate, lwres_buffer_add, lwres_buffer_subtract, lwres_buffer_clear, lwres_buffer_first, lwres_buffer_forward, lwres_buffer_back, lwres_buffer_getuint8, lwres_buffer_putuint8, lwres_buffer_getuint16, lwres_buffer_putuint16, lwres_buffer_getuint32, lwres_buffer_putuint32, lwres_buffer_putmem, lwres_buffer_getmem \- lightweight resolver buffer management
-.SH "SYNOPSIS"
-.nf
-#include <lwres/lwbuffer.h>
-.fi
-.HP 23
-.BI "void lwres_buffer_init(lwres_buffer_t\ *b, void\ *base, unsigned\ int\ length);"
-.HP 29
-.BI "void lwres_buffer_invalidate(lwres_buffer_t\ *b);"
-.HP 22
-.BI "void lwres_buffer_add(lwres_buffer_t\ *b, unsigned\ int\ n);"
-.HP 27
-.BI "void lwres_buffer_subtract(lwres_buffer_t\ *b, unsigned\ int\ n);"
-.HP 24
-.BI "void lwres_buffer_clear(lwres_buffer_t\ *b);"
-.HP 24
-.BI "void lwres_buffer_first(lwres_buffer_t\ *b);"
-.HP 26
-.BI "void lwres_buffer_forward(lwres_buffer_t\ *b, unsigned\ int\ n);"
-.HP 23
-.BI "void lwres_buffer_back(lwres_buffer_t\ *b, unsigned\ int\ n);"
-.HP 36
-.BI "lwres_uint8_t lwres_buffer_getuint8(lwres_buffer_t\ *b);"
-.HP 27
-.BI "void lwres_buffer_putuint8(lwres_buffer_t\ *b, lwres_uint8_t\ val);"
-.HP 38
-.BI "lwres_uint16_t lwres_buffer_getuint16(lwres_buffer_t\ *b);"
-.HP 28
-.BI "void lwres_buffer_putuint16(lwres_buffer_t\ *b, lwres_uint16_t\ val);"
-.HP 38
-.BI "lwres_uint32_t lwres_buffer_getuint32(lwres_buffer_t\ *b);"
-.HP 28
-.BI "void lwres_buffer_putuint32(lwres_buffer_t\ *b, lwres_uint32_t\ val);"
-.HP 25
-.BI "void lwres_buffer_putmem(lwres_buffer_t\ *b, const\ unsigned\ char\ *base, unsigned\ int\ length);"
-.HP 25
-.BI "void lwres_buffer_getmem(lwres_buffer_t\ *b, unsigned\ char\ *base, unsigned\ int\ length);"
+.SH SYNOPSIS
+\fB#include <lwres/lwbuffer.h>
+.sp
+.na
+void
+lwres_buffer_init(lwres_buffer_t *b, void *base, unsigned int length);
+.ad
+.sp
+.na
+void
+lwres_buffer_invalidate(lwres_buffer_t *b);
+.ad
+.sp
+.na
+void
+lwres_buffer_add(lwres_buffer_t *b, unsigned int n);
+.ad
+.sp
+.na
+void
+lwres_buffer_subtract(lwres_buffer_t *b, unsigned int n);
+.ad
+.sp
+.na
+void
+lwres_buffer_clear(lwres_buffer_t *b);
+.ad
+.sp
+.na
+void
+lwres_buffer_first(lwres_buffer_t *b);
+.ad
+.sp
+.na
+void
+lwres_buffer_forward(lwres_buffer_t *b, unsigned int n);
+.ad
+.sp
+.na
+void
+lwres_buffer_back(lwres_buffer_t *b, unsigned int n);
+.ad
+.sp
+.na
+lwres_uint8_t
+lwres_buffer_getuint8(lwres_buffer_t *b);
+.ad
+.sp
+.na
+void
+lwres_buffer_putuint8(lwres_buffer_t *b, lwres_uint8_t val);
+.ad
+.sp
+.na
+lwres_uint16_t
+lwres_buffer_getuint16(lwres_buffer_t *b);
+.ad
+.sp
+.na
+void
+lwres_buffer_putuint16(lwres_buffer_t *b, lwres_uint16_t val);
+.ad
+.sp
+.na
+lwres_uint32_t
+lwres_buffer_getuint32(lwres_buffer_t *b);
+.ad
+.sp
+.na
+void
+lwres_buffer_putuint32(lwres_buffer_t *b, lwres_uint32_t val);
+.ad
+.sp
+.na
+void
+lwres_buffer_putmem(lwres_buffer_t *b, const unsigned char *base, unsigned int length);
+.ad
+.sp
+.na
+void
+lwres_buffer_getmem(lwres_buffer_t *b, unsigned char *base, unsigned int length);
+.ad
+\fR
 .SH "DESCRIPTION"
 .PP
-These functions provide bounds checked access to a region of memory where data is being read or written. They are based on, and similar to, the
+These functions provide bounds checked access to a region of memory
+where data is being read or written.
+They are based on, and similar to, the
 isc_buffer_
 functions in the ISC library.
 .PP
-A buffer is a region of memory, together with a set of related subregions. The
-\fIused region\fR
-and the
-\fIavailable\fR
-region are disjoint, and their union is the buffer's region. The used region extends from the beginning of the buffer region to the last used byte. The available region extends from one byte greater than the last used byte to the end of the buffer's region. The size of the used region can be changed using various buffer commands. Initially, the used region is empty.
+A buffer is a region of memory, together with a set of related
+subregions.
+The \fBused region\fR and the
+\fBavailable\fR region are disjoint, and
+their union is the buffer's region.
+The used region extends from the beginning of the buffer region to the
+last used byte.
+The available region extends from one byte greater than the last used
+byte to the end of the buffer's region.
+The size of the used region can be changed using various
+buffer commands.
+Initially, the used region is empty.
 .PP
 The used region is further subdivided into two disjoint regions: the
-\fIconsumed region\fR
-and the
-\fIremaining region\fR. The union of these two regions is the used region. The consumed region extends from the beginning of the used region to the byte before the
-\fIcurrent\fR
-offset (if any). The
-\fIremaining\fR
-region the current pointer to the end of the used region. The size of the consumed region can be changed using various buffer commands. Initially, the consumed region is empty.
+\fBconsumed region\fR and the \fBremaining region\fR.
+The union of these two regions is the used region.
+The consumed region extends from the beginning of the used region to
+the byte before the \fBcurrent\fR offset (if any).
+The \fBremaining\fR region the current pointer to the end of the used
+region.
+The size of the consumed region can be changed using various
+buffer commands.
+Initially, the consumed region is empty.
 .PP
-The
-\fIactive region\fR
-is an (optional) subregion of the remaining region. It extends from the current offset to an offset in the remaining region. Initially, the active region is empty. If the current offset advances beyond the chosen offset, the active region will also be empty.
+The \fBactive region\fR is an (optional) subregion of the remaining
+region.
+It extends from the current offset to an offset in the
+remaining region.
+Initially, the active region is empty.
+If the current offset advances beyond the chosen offset,
+the active region will also be empty.
 .PP
 .sp
-.RS 4
 .nf
-   /\-\-\-\-\-\-\-\-\-\-\-\-entire length\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\\\\
-   /\-\-\-\-\- used region \-\-\-\-\-\\\\/\-\- available \-\-\\\\
-   +\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-+
+ 
+   /------------entire length---------------\\\\
+   /----- used region -----\\\\/-- available --\\\\
+   +----------------------------------------+
    | consumed  | remaining |                |
-   +\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-+
+   +----------------------------------------+
    a           b     c     d                e
+ 
   a == base of buffer.
   b == current pointer.  Can be anywhere between a and d.
   c == active pointer.  Meaningful between b and d.
   d == used pointer.
   e == length of buffer.
-  a\-e == entire length of buffer.
-  a\-d == used region.
-  a\-b == consumed region.
-  b\-d == remaining region.
-  b\-c == optional active region.
-.fi
-.RE
+ 
+  a-e == entire length of buffer.
+  a-d == used region.
+  a-b == consumed region.
+  b-d == remaining region.
+  b-c == optional active region.
 .sp
+.fi
 .PP
 \fBlwres_buffer_init()\fR
 initializes the
@@ -127,13 +177,15 @@ bytes starting at location
 \fBlwres_buffer_invalidate()\fR
 marks the buffer
 \fI*b\fR
-as invalid. Invalidating a buffer after use is not required, but makes it possible to catch its possible accidental use.
+as invalid. Invalidating a buffer after use is not required,
+but makes it possible to catch its possible accidental use.
 .PP
 The functions
 \fBlwres_buffer_add()\fR
 and
 \fBlwres_buffer_subtract()\fR
-respectively increase and decrease the used space in buffer
+respectively increase and decrease the used space in
+buffer
 \fI*b\fR
 by
 \fIn\fR
@@ -141,23 +193,25 @@ bytes.
 \fBlwres_buffer_add()\fR
 checks for buffer overflow and
 \fBlwres_buffer_subtract()\fR
-checks for underflow. These functions do not allocate or deallocate memory. They just change the value of
-used.
+checks for underflow.
+These functions do not allocate or deallocate memory.
+They just change the value of
+\fBused\fR.
 .PP
-A buffer is re\-initialised by
-\fBlwres_buffer_clear()\fR. The function sets
-used
-,
-current
+A buffer is re-initialised by
+\fBlwres_buffer_clear()\fR.
+The function sets
+\fBused\fR ,
+\fBcurrent\fR
 and
-active
+\fBactive\fR
 to zero.
 .PP
 \fBlwres_buffer_first\fR
 makes the consumed region of buffer
 \fI*p\fR
 empty by setting
-current
+\fBcurrent\fR
 to zero (the start of the buffer).
 .PP
 \fBlwres_buffer_forward()\fR
@@ -165,19 +219,21 @@ increases the consumed region of buffer
 \fI*b\fR
 by
 \fIn\fR
-bytes, checking for overflow. Similarly,
+bytes, checking for overflow.
+Similarly,
 \fBlwres_buffer_back()\fR
 decreases buffer
-\fIb\fR's consumed region by
+\fIb\fR's
+consumed region by
 \fIn\fR
 bytes and checks for underflow.
 .PP
 \fBlwres_buffer_getuint8()\fR
-reads an unsigned 8\-bit integer from
+reads an unsigned 8-bit integer from
 \fI*b\fR
 and returns it.
 \fBlwres_buffer_putuint8()\fR
-writes the unsigned 8\-bit integer
+writes the unsigned 8-bit integer
 \fIval\fR
 to buffer
 \fI*b\fR.
@@ -187,17 +243,21 @@ and
 \fBlwres_buffer_getuint32()\fR
 are identical to
 \fBlwres_buffer_putuint8()\fR
-except that they respectively read an unsigned 16\-bit or 32\-bit integer in network byte order from
-\fIb\fR. Similarly,
+except that they respectively read an unsigned 16-bit or 32-bit integer 
+in network byte order from
+\fIb\fR.
+Similarly,
 \fBlwres_buffer_putuint16()\fR
 and
 \fBlwres_buffer_putuint32()\fR
-writes the unsigned 16\-bit or 32\-bit integer
+writes the unsigned 16-bit or 32-bit integer
 \fIval\fR
 to buffer
-\fIb\fR, in network byte order.
+\fIb\fR,
+in network byte order.
 .PP
-Arbitrary amounts of data are read or written from a lightweight resolver buffer with
+Arbitrary amounts of data are read or written from a lightweight
+resolver buffer with
 \fBlwres_buffer_getmem()\fR
 and
 \fBlwres_buffer_putmem()\fR
@@ -208,7 +268,8 @@ copies
 bytes of memory at
 \fIbase\fR
 to
-\fIb\fR. Conversely,
+\fIb\fR.
+Conversely,
 \fBlwres_buffer_getmem()\fR
 copies
 \fIlength\fR
@@ -216,8 +277,3 @@ bytes of memory from
 \fIb\fR
 to
 \fIbase\fR.
-.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000, 2001 Internet Software Consortium.
-.br
diff --git a/lib/lwres/man/lwres_buffer.docbook b/lib/lwres/man/lwres_buffer.docbook
index 7ca4e1de..4db9fd3a 100644
--- a/lib/lwres/man/lwres_buffer.docbook
+++ b/lib/lwres/man/lwres_buffer.docbook
@@ -1,9 +1,7 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
 <!--
- - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001  Internet Software Consortium.
+ - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -18,7 +16,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: lwres_buffer.docbook,v 1.3.2.5 2007/01/29 23:57:17 marka Exp $ -->
+<!-- $Id: lwres_buffer.docbook,v 1.3.206.1 2004/03/06 08:15:37 marka Exp $ -->
 
 <refentry>
 <refentryinfo>
@@ -31,20 +29,6 @@
 <refmiscinfo>BIND9</refmiscinfo>
 </refmeta>
 
-<docinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2007</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
-  </docinfo>
-
 <refnamediv>
 <refname>lwres_buffer_init</refname>
 <refname>lwres_buffer_invalidate</refname>
diff --git a/lib/lwres/man/lwres_buffer.html b/lib/lwres/man/lwres_buffer.html
index fd1abe5d..f278eede 100644
--- a/lib/lwres/man/lwres_buffer.html
+++ b/lib/lwres/man/lwres_buffer.html
@@ -1,267 +1,232 @@
 <!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- - 
+ - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001  Internet Software Consortium.
+ -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
- - 
+ -
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_buffer.html,v 1.4.2.14 2007/01/30 00:10:38 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>lwres_buffer</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476275"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p>lwres_buffer_init, lwres_buffer_invalidate, lwres_buffer_add, lwres_buffer_subtract, lwres_buffer_clear, lwres_buffer_first, lwres_buffer_forward, lwres_buffer_back, lwres_buffer_getuint8, lwres_buffer_putuint8, lwres_buffer_getuint16, lwres_buffer_putuint16, lwres_buffer_getuint32, lwres_buffer_putuint32, lwres_buffer_putmem, lwres_buffer_getmem &#8212; lightweight resolver buffer management</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="funcsynopsis">
-<pre class="funcsynopsisinfo">
-#include &lt;lwres/lwbuffer.h&gt;
-</pre>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_buffer_init</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_buffer_invalidate</b>(</code></td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr></table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_buffer_add</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_buffer_subtract</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_buffer_clear</b>(</code></td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr></table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_buffer_first</b>(</code></td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr></table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_buffer_forward</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_buffer_back</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
-<td><code class="funcdef">
-lwres_uint8_t
-<b class="fsfunc">lwres_buffer_getuint8</b>(</code></td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr></table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_buffer_putuint8</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
-<td><code class="funcdef">
-lwres_uint16_t
-<b class="fsfunc">lwres_buffer_getuint16</b>(</code></td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr></table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_buffer_putuint16</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
-<td><code class="funcdef">
-lwres_uint32_t
-<b class="fsfunc">lwres_buffer_getuint32</b>(</code></td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr></table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_buffer_putuint32</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_buffer_putmem</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0">
-<tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_buffer_getmem</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-</div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543616"></a><h2>DESCRIPTION</h2>
-<p>
-These functions provide bounds checked access to a region of memory
+
+<!-- $Id: lwres_buffer.html,v 1.4.2.1.4.1 2004/03/06 08:15:37 marka Exp $ -->
+
+<HTML
+><HEAD
+><TITLE
+>lwres_buffer</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.73
+"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+>lwres_buffer</A
+></H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN8"
+></A
+><H2
+>Name</H2
+>lwres_buffer_init, lwres_buffer_invalidate, lwres_buffer_add, lwres_buffer_subtract, lwres_buffer_clear, lwres_buffer_first, lwres_buffer_forward, lwres_buffer_back, lwres_buffer_getuint8, lwres_buffer_putuint8, lwres_buffer_getuint16, lwres_buffer_putuint16, lwres_buffer_getuint32, lwres_buffer_putuint32, lwres_buffer_putmem, lwres_buffer_getmem&nbsp;--&nbsp;lightweight resolver buffer management</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN26"
+></A
+><H2
+>Synopsis</H2
+><DIV
+CLASS="FUNCSYNOPSIS"
+><A
+NAME="AEN27"
+></A
+><P
+></P
+><PRE
+CLASS="FUNCSYNOPSISINFO"
+>#include &lt;lwres/lwbuffer.h&gt;</PRE
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>void
+lwres_buffer_init</CODE
+>(lwres_buffer_t *b, void *base, unsigned int length);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>void
+lwres_buffer_invalidate</CODE
+>(lwres_buffer_t *b);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>void
+lwres_buffer_add</CODE
+>(lwres_buffer_t *b, unsigned int n);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>void
+lwres_buffer_subtract</CODE
+>(lwres_buffer_t *b, unsigned int n);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>void
+lwres_buffer_clear</CODE
+>(lwres_buffer_t *b);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>void
+lwres_buffer_first</CODE
+>(lwres_buffer_t *b);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>void
+lwres_buffer_forward</CODE
+>(lwres_buffer_t *b, unsigned int n);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>void
+lwres_buffer_back</CODE
+>(lwres_buffer_t *b, unsigned int n);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>lwres_uint8_t
+lwres_buffer_getuint8</CODE
+>(lwres_buffer_t *b);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>void
+lwres_buffer_putuint8</CODE
+>(lwres_buffer_t *b, lwres_uint8_t val);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>lwres_uint16_t
+lwres_buffer_getuint16</CODE
+>(lwres_buffer_t *b);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>void
+lwres_buffer_putuint16</CODE
+>(lwres_buffer_t *b, lwres_uint16_t val);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>lwres_uint32_t
+lwres_buffer_getuint32</CODE
+>(lwres_buffer_t *b);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>void
+lwres_buffer_putuint32</CODE
+>(lwres_buffer_t *b, lwres_uint32_t val);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>void
+lwres_buffer_putmem</CODE
+>(lwres_buffer_t *b, const unsigned char *base, unsigned int length);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>void
+lwres_buffer_getmem</CODE
+>(lwres_buffer_t *b, unsigned char *base, unsigned int length);</CODE
+></P
+><P
+></P
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN106"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+>These functions provide bounds checked access to a region of memory
 where data is being read or written.
 They are based on, and similar to, the
-<code class="literal">isc_buffer_</code>
-functions in the ISC library.
-</p>
-<p>
-A buffer is a region of memory, together with a set of related
+<TT
+CLASS="LITERAL"
+>isc_buffer_</TT
+>
+functions in the ISC library.</P
+><P
+>A buffer is a region of memory, together with a set of related
 subregions.
-The <span class="emphasis"><em>used region</em></span> and the
-<span class="emphasis"><em>available</em></span> region are disjoint, and
+The <SPAN
+CLASS="emphasis"
+><I
+CLASS="EMPHASIS"
+>used region</I
+></SPAN
+> and the
+<SPAN
+CLASS="emphasis"
+><I
+CLASS="EMPHASIS"
+>available</I
+></SPAN
+> region are disjoint, and
 their union is the buffer's region.
 The used region extends from the beginning of the buffer region to the
 last used byte.
@@ -269,33 +234,60 @@ The available region extends from one byte greater than the last used
 byte to the end of the  buffer's region.
 The size of the used region can be changed using various
 buffer commands.
-Initially, the used region is empty.
-</p>
-<p>
-The used region is further subdivided into two disjoint regions: the
-<span class="emphasis"><em>consumed region</em></span> and the <span class="emphasis"><em>remaining region</em></span>.
+Initially, the used region is empty.</P
+><P
+>The used region is further subdivided into two disjoint regions: the
+<SPAN
+CLASS="emphasis"
+><I
+CLASS="EMPHASIS"
+>consumed region</I
+></SPAN
+> and the <SPAN
+CLASS="emphasis"
+><I
+CLASS="EMPHASIS"
+>remaining region</I
+></SPAN
+>.
 The union of these two regions is the used region.
 The consumed region extends from the beginning of the used region to
-the byte before the <span class="emphasis"><em>current</em></span> offset (if any).
-The <span class="emphasis"><em>remaining</em></span> region the current pointer to the end of the used
+the byte before the <SPAN
+CLASS="emphasis"
+><I
+CLASS="EMPHASIS"
+>current</I
+></SPAN
+> offset (if any).
+The <SPAN
+CLASS="emphasis"
+><I
+CLASS="EMPHASIS"
+>remaining</I
+></SPAN
+> region the current pointer to the end of the used
 region.
 The size of the consumed region can be changed using various
 buffer commands.
-Initially, the consumed region is empty.
-</p>
-<p>
-The <span class="emphasis"><em>active region</em></span> is an (optional) subregion of the remaining
+Initially, the consumed region is empty.</P
+><P
+>The <SPAN
+CLASS="emphasis"
+><I
+CLASS="EMPHASIS"
+>active region</I
+></SPAN
+> is an (optional) subregion of the remaining
 region.
 It extends from the current offset to an offset in the
 remaining region.
 Initially, the active region is empty.
 If the current offset advances beyond the chosen offset,
-the active region will also be empty.
-</p>
-<p>
-</p>
-<pre class="programlisting">
- 
+the active region will also be empty.</P
+><P
+><PRE
+CLASS="PROGRAMLISTING"
+> 
    /------------entire length---------------\\
    /----- used region -----\\/-- available --\\
    +----------------------------------------+
@@ -313,132 +305,328 @@ the active region will also be empty.
   a-d == used region.
   a-b == consumed region.
   b-d == remaining region.
-  b-c == optional active region.
-</pre>
-<p>
-</p>
-<p>
-<code class="function">lwres_buffer_init()</code>
+  b-c == optional active region.</PRE
+></P
+><P
+><TT
+CLASS="FUNCTION"
+>lwres_buffer_init()</TT
+>
 initializes the
-<span class="type">lwres_buffer_t</span>
-<em class="parameter"><code>*b</code></em>
+<SPAN
+CLASS="TYPE"
+>lwres_buffer_t</SPAN
+>
+<TT
+CLASS="PARAMETER"
+><I
+>*b</I
+></TT
+>
 and assocates it with the memory region of size
-<em class="parameter"><code>length</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>length</I
+></TT
+>
 bytes starting at location
-<em class="parameter"><code>base.</code></em>
-</p>
-<p>
-<code class="function">lwres_buffer_invalidate()</code>
+<TT
+CLASS="PARAMETER"
+><I
+>base.</I
+></TT
+></P
+><P
+><TT
+CLASS="FUNCTION"
+>lwres_buffer_invalidate()</TT
+>
 marks the buffer
-<em class="parameter"><code>*b</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>*b</I
+></TT
+>
 as invalid.  Invalidating a buffer after use is not required,
-but makes it possible to catch its possible accidental use.
-</p>
-<p>
-The functions
-<code class="function">lwres_buffer_add()</code>
+but makes it possible to catch its possible accidental use.</P
+><P
+>The functions
+<TT
+CLASS="FUNCTION"
+>lwres_buffer_add()</TT
+>
 and
-<code class="function">lwres_buffer_subtract()</code>
+<TT
+CLASS="FUNCTION"
+>lwres_buffer_subtract()</TT
+>
 respectively increase and decrease the used space in
 buffer
-<em class="parameter"><code>*b</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>*b</I
+></TT
+>
 by
-<em class="parameter"><code>n</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>n</I
+></TT
+>
 bytes.
-<code class="function">lwres_buffer_add()</code>
+<TT
+CLASS="FUNCTION"
+>lwres_buffer_add()</TT
+>
 checks for buffer overflow and
-<code class="function">lwres_buffer_subtract()</code>
+<TT
+CLASS="FUNCTION"
+>lwres_buffer_subtract()</TT
+>
 checks for underflow.
 These functions do not allocate or deallocate memory.
 They just change the value of
-<em class="structfield"><code>used</code></em>.
-</p>
-<p>
-A buffer is re-initialised by
-<code class="function">lwres_buffer_clear()</code>.
+<TT
+CLASS="STRUCTFIELD"
+><I
+>used</I
+></TT
+>.</P
+><P
+>A buffer is re-initialised by
+<TT
+CLASS="FUNCTION"
+>lwres_buffer_clear()</TT
+>.
 The function sets
-<em class="structfield"><code>used</code></em> ,
-<em class="structfield"><code>current</code></em>
+<TT
+CLASS="STRUCTFIELD"
+><I
+>used</I
+></TT
+> ,
+<TT
+CLASS="STRUCTFIELD"
+><I
+>current</I
+></TT
+>
 and
-<em class="structfield"><code>active</code></em>
-to zero.
-</p>
-<p>
-<code class="function">lwres_buffer_first</code>
+<TT
+CLASS="STRUCTFIELD"
+><I
+>active</I
+></TT
+>
+to zero.</P
+><P
+><TT
+CLASS="FUNCTION"
+>lwres_buffer_first</TT
+>
 makes the consumed region of buffer
-<em class="parameter"><code>*p</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>*p</I
+></TT
+>
 empty by setting
-<em class="structfield"><code>current</code></em>
-to zero (the start of the buffer).
-</p>
-<p>
-<code class="function">lwres_buffer_forward()</code>
+<TT
+CLASS="STRUCTFIELD"
+><I
+>current</I
+></TT
+>
+to zero (the start of the buffer).</P
+><P
+><TT
+CLASS="FUNCTION"
+>lwres_buffer_forward()</TT
+>
 increases the consumed region of buffer
-<em class="parameter"><code>*b</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>*b</I
+></TT
+>
 by
-<em class="parameter"><code>n</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>n</I
+></TT
+>
 bytes, checking for overflow.
 Similarly,
-<code class="function">lwres_buffer_back()</code>
+<TT
+CLASS="FUNCTION"
+>lwres_buffer_back()</TT
+>
 decreases buffer
-<em class="parameter"><code>b</code></em>'s
+<TT
+CLASS="PARAMETER"
+><I
+>b</I
+></TT
+>'s
 consumed region by
-<em class="parameter"><code>n</code></em>
-bytes and checks for underflow.
-</p>
-<p>
-<code class="function">lwres_buffer_getuint8()</code>
+<TT
+CLASS="PARAMETER"
+><I
+>n</I
+></TT
+>
+bytes and checks for underflow.</P
+><P
+><TT
+CLASS="FUNCTION"
+>lwres_buffer_getuint8()</TT
+>
 reads an unsigned 8-bit integer from
-<em class="parameter"><code>*b</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>*b</I
+></TT
+>
 and returns it.
-<code class="function">lwres_buffer_putuint8()</code>
+<TT
+CLASS="FUNCTION"
+>lwres_buffer_putuint8()</TT
+>
 writes the unsigned 8-bit integer
-<em class="parameter"><code>val</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>val</I
+></TT
+>
 to buffer
-<em class="parameter"><code>*b</code></em>.
-</p>
-<p>
-<code class="function">lwres_buffer_getuint16()</code>
+<TT
+CLASS="PARAMETER"
+><I
+>*b</I
+></TT
+>.</P
+><P
+><TT
+CLASS="FUNCTION"
+>lwres_buffer_getuint16()</TT
+>
 and
-<code class="function">lwres_buffer_getuint32()</code>
+<TT
+CLASS="FUNCTION"
+>lwres_buffer_getuint32()</TT
+>
 are identical to
-<code class="function">lwres_buffer_putuint8()</code>
+<TT
+CLASS="FUNCTION"
+>lwres_buffer_putuint8()</TT
+>
 except that they respectively read an unsigned 16-bit or 32-bit integer 
 in network byte order from
-<em class="parameter"><code>b</code></em>.
+<TT
+CLASS="PARAMETER"
+><I
+>b</I
+></TT
+>.
 Similarly,
-<code class="function">lwres_buffer_putuint16()</code>
+<TT
+CLASS="FUNCTION"
+>lwres_buffer_putuint16()</TT
+>
 and
-<code class="function">lwres_buffer_putuint32()</code>
+<TT
+CLASS="FUNCTION"
+>lwres_buffer_putuint32()</TT
+>
 writes the unsigned 16-bit or 32-bit integer
-<em class="parameter"><code>val</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>val</I
+></TT
+>
 to buffer
-<em class="parameter"><code>b</code></em>,
-in network byte order.
-</p>
-<p>
-Arbitrary amounts of data are read or written from a lightweight
+<TT
+CLASS="PARAMETER"
+><I
+>b</I
+></TT
+>,
+in network byte order.</P
+><P
+>Arbitrary amounts of data are read or written from a lightweight
 resolver buffer with
-<code class="function">lwres_buffer_getmem()</code>
+<TT
+CLASS="FUNCTION"
+>lwres_buffer_getmem()</TT
+>
 and
-<code class="function">lwres_buffer_putmem()</code>
+<TT
+CLASS="FUNCTION"
+>lwres_buffer_putmem()</TT
+>
 respectively.
-<code class="function">lwres_buffer_putmem()</code>
+<TT
+CLASS="FUNCTION"
+>lwres_buffer_putmem()</TT
+>
 copies
-<em class="parameter"><code>length</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>length</I
+></TT
+>
 bytes of memory at
-<em class="parameter"><code>base</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>base</I
+></TT
+>
 to
-<em class="parameter"><code>b</code></em>.
+<TT
+CLASS="PARAMETER"
+><I
+>b</I
+></TT
+>.
 Conversely,
-<code class="function">lwres_buffer_getmem()</code>
+<TT
+CLASS="FUNCTION"
+>lwres_buffer_getmem()</TT
+>
 copies
-<em class="parameter"><code>length</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>length</I
+></TT
+>
 bytes of memory from
-<em class="parameter"><code>b</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>b</I
+></TT
+>
 to
-<em class="parameter"><code>base</code></em>.
-</p>
-</div>
-</div></body>
-</html>
+<TT
+CLASS="PARAMETER"
+><I
+>base</I
+></TT
+>.</P
+></DIV
+></BODY
+></HTML
+>
diff --git a/lib/lwres/man/lwres_config.3 b/lib/lwres/man/lwres_config.3
index a19fd358..0c345efa 100644
--- a/lib/lwres/man/lwres_config.3
+++ b/lib/lwres/man/lwres_config.3
@@ -1,50 +1,51 @@
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\" 
+.\" Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001  Internet Software Consortium.
+.\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
 .\" copyright notice and this permission notice appear in all copies.
-.\" 
+.\"
 .\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 .\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 .\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 .\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_config.3,v 1.12.2.9 2007/01/30 00:10:38 marka Exp $
-.\"
-.hy 0
-.ad l
-.\"     Title: lwres_config
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: Jun 30, 2000
-.\"    Manual: BIND9
-.\"    Source: BIND9
+.\" $Id: lwres_config.3,v 1.12.2.1.8.1 2004/03/06 07:41:42 marka Exp $
 .\"
-.TH "LWRES_CONFIG" "3" "Jun 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
+.TH "LWRES_CONFIG" "3" "Jun 30, 2000" "BIND9" ""
+.SH NAME
 lwres_conf_init, lwres_conf_clear, lwres_conf_parse, lwres_conf_print, lwres_conf_get \- lightweight resolver configuration
-.SH "SYNOPSIS"
-.nf
-#include <lwres/lwres.h>
-.fi
-.HP 21
-.BI "void lwres_conf_init(lwres_context_t\ *ctx);"
-.HP 22
-.BI "void lwres_conf_clear(lwres_context_t\ *ctx);"
-.HP 32
-.BI "lwres_result_t lwres_conf_parse(lwres_context_t\ *ctx, const\ char\ *filename);"
-.HP 32
-.BI "lwres_result_t lwres_conf_print(lwres_context_t\ *ctx, FILE\ *fp);"
-.HP 30
-.BI "lwres_conf_t * lwres_conf_get(lwres_context_t\ *ctx);"
+.SH SYNOPSIS
+\fB#include <lwres/lwres.h>
+.sp
+.na
+void
+lwres_conf_init(lwres_context_t *ctx);
+.ad
+.sp
+.na
+void
+lwres_conf_clear(lwres_context_t *ctx);
+.ad
+.sp
+.na
+lwres_result_t
+lwres_conf_parse(lwres_context_t *ctx, const char *filename);
+.ad
+.sp
+.na
+lwres_result_t
+lwres_conf_print(lwres_context_t *ctx, FILE *fp);
+.ad
+.sp
+.na
+lwres_conf_t *
+lwres_conf_get(lwres_context_t *ctx);
+.ad
+\fR
 .SH "DESCRIPTION"
 .PP
 \fBlwres_conf_init()\fR
@@ -54,7 +55,8 @@ structure for lightweight resolver context
 \fIctx\fR.
 .PP
 \fBlwres_conf_clear()\fR
-frees up all the internal memory used by that
+frees up all the internal memory used by
+that
 \fBlwres_conf_t\fR
 structure in resolver context
 \fIctx\fR.
@@ -79,19 +81,23 @@ to the
 .PP
 \fBlwres_conf_parse()\fR
 returns
-\fBLWRES_R_SUCCESS\fR
+LWRES_R_SUCCESS
 if it successfully read and parsed
-\fIfilename\fR. It returns
-\fBLWRES_R_FAILURE\fR
+\fIfilename\fR.
+It returns
+LWRES_R_FAILURE
 if
 \fIfilename\fR
-could not be opened or contained incorrect resolver statements.
+could not be opened or contained incorrect
+resolver statements.
 .PP
 \fBlwres_conf_print()\fR
 returns
-\fBLWRES_R_SUCCESS\fR
-unless an error occurred when converting the network addresses to a numeric host address string. If this happens, the function returns
-\fBLWRES_R_FAILURE\fR.
+LWRES_R_SUCCESS
+unless an error occurred when converting the network addresses to a
+numeric host address string.
+If this happens, the function returns
+LWRES_R_FAILURE.
 .SH "SEE ALSO"
 .PP
 \fBstdio\fR(3),
@@ -99,8 +105,3 @@ unless an error occurred when converting the network addresses to a numeric host
 .SH "FILES"
 .PP
 \fI/etc/resolv.conf\fR
-.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000, 2001 Internet Software Consortium.
-.br
diff --git a/lib/lwres/man/lwres_config.docbook b/lib/lwres/man/lwres_config.docbook
index f4cbb8bf..eeb244ed 100644
--- a/lib/lwres/man/lwres_config.docbook
+++ b/lib/lwres/man/lwres_config.docbook
@@ -1,9 +1,7 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
 <!--
- - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001  Internet Software Consortium.
+ - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -18,7 +16,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: lwres_config.docbook,v 1.2.2.5 2007/01/29 23:57:17 marka Exp $ -->
+<!-- $Id: lwres_config.docbook,v 1.2.206.1 2004/03/06 08:15:37 marka Exp $ -->
 
 <refentry>
 <refentryinfo>
@@ -32,20 +30,6 @@
 <refmiscinfo>BIND9</refmiscinfo>
 </refmeta>
 
-<docinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2007</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
-  </docinfo>
-
 <refnamediv>
 <refname>lwres_conf_init</refname>
 <refname>lwres_conf_clear</refname>
@@ -165,7 +149,6 @@ If this happens, the function returns
 <citerefentry>
 <refentrytitle>resolver</refentrytitle><manvolnum>5</manvolnum>
 </citerefentry>.
-</para>
 </refsect1>
 <refsect1>
 <title>FILES</title>
diff --git a/lib/lwres/man/lwres_config.html b/lib/lwres/man/lwres_config.html
index 12432c3c..65860cf1 100644
--- a/lib/lwres/man/lwres_config.html
+++ b/lib/lwres/man/lwres_config.html
@@ -1,166 +1,298 @@
 <!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- - 
+ - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001  Internet Software Consortium.
+ -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
- - 
+ -
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_config.html,v 1.4.2.15 2007/01/30 00:10:38 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>lwres_config</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476275"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p>lwres_conf_init, lwres_conf_clear, lwres_conf_parse, lwres_conf_print, lwres_conf_get &#8212; lightweight resolver configuration</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="funcsynopsis">
-<pre class="funcsynopsisinfo">#include &lt;lwres/lwres.h&gt;</pre>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_conf_init</b>(</code></td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr></table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_conf_clear</b>(</code></td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr></table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-lwres_result_t
-<b class="fsfunc">lwres_conf_parse</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-lwres_result_t
-<b class="fsfunc">lwres_conf_print</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0"><tr>
-<td><code class="funcdef">
-lwres_conf_t *
-<b class="fsfunc">lwres_conf_get</b>(</code></td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr></table>
-</div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543416"></a><h2>DESCRIPTION</h2>
-<p>
-<code class="function">lwres_conf_init()</code>
+
+<!-- $Id: lwres_config.html,v 1.4.2.1.4.1 2004/03/06 08:15:38 marka Exp $ -->
+
+<HTML
+><HEAD
+><TITLE
+>lwres_config</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.73
+"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+>lwres_config</A
+></H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN8"
+></A
+><H2
+>Name</H2
+>lwres_conf_init, lwres_conf_clear, lwres_conf_parse, lwres_conf_print, lwres_conf_get&nbsp;--&nbsp;lightweight resolver configuration</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN15"
+></A
+><H2
+>Synopsis</H2
+><DIV
+CLASS="FUNCSYNOPSIS"
+><A
+NAME="AEN16"
+></A
+><P
+></P
+><PRE
+CLASS="FUNCSYNOPSISINFO"
+>#include &lt;lwres/lwres.h&gt;</PRE
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>void
+lwres_conf_init</CODE
+>(lwres_context_t *ctx);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>void
+lwres_conf_clear</CODE
+>(lwres_context_t *ctx);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>lwres_result_t
+lwres_conf_parse</CODE
+>(lwres_context_t *ctx, const char *filename);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>lwres_result_t
+lwres_conf_print</CODE
+>(lwres_context_t *ctx, FILE *fp);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>lwres_conf_t *
+lwres_conf_get</CODE
+>(lwres_context_t *ctx);</CODE
+></P
+><P
+></P
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN40"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+><TT
+CLASS="FUNCTION"
+>lwres_conf_init()</TT
+>
 creates an empty
-<span class="type">lwres_conf_t</span>
+<SPAN
+CLASS="TYPE"
+>lwres_conf_t</SPAN
+>
 structure for lightweight resolver context
-<em class="parameter"><code>ctx</code></em>.
-</p>
-<p>
-<code class="function">lwres_conf_clear()</code>
+<TT
+CLASS="PARAMETER"
+><I
+>ctx</I
+></TT
+>.</P
+><P
+><TT
+CLASS="FUNCTION"
+>lwres_conf_clear()</TT
+>
 frees up all the internal memory used by
 that
-<span class="type">lwres_conf_t</span>
+<SPAN
+CLASS="TYPE"
+>lwres_conf_t</SPAN
+>
 structure in resolver context
-<em class="parameter"><code>ctx</code></em>.
-</p>
-<p>
-<code class="function">lwres_conf_parse()</code>
+<TT
+CLASS="PARAMETER"
+><I
+>ctx</I
+></TT
+>.</P
+><P
+><TT
+CLASS="FUNCTION"
+>lwres_conf_parse()</TT
+>
 opens the file
-<em class="parameter"><code>filename</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>filename</I
+></TT
+>
 and parses it to initialise the resolver context
-<em class="parameter"><code>ctx</code></em>'s
-<span class="type">lwres_conf_t</span>
-structure.
-</p>
-<p>
-<code class="function">lwres_conf_print()</code>
+<TT
+CLASS="PARAMETER"
+><I
+>ctx</I
+></TT
+>'s
+<SPAN
+CLASS="TYPE"
+>lwres_conf_t</SPAN
+>
+structure.</P
+><P
+><TT
+CLASS="FUNCTION"
+>lwres_conf_print()</TT
+>
 prints the
-<span class="type">lwres_conf_t</span>
+<SPAN
+CLASS="TYPE"
+>lwres_conf_t</SPAN
+>
 structure for resolver context
-<em class="parameter"><code>ctx</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>ctx</I
+></TT
+>
 to the
-<span class="type">FILE</span>
-<em class="parameter"><code>fp</code></em>.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543488"></a><h2>RETURN VALUES</h2>
-<p>
-<code class="function">lwres_conf_parse()</code>
+<SPAN
+CLASS="TYPE"
+>FILE</SPAN
+>
+<TT
+CLASS="PARAMETER"
+><I
+>fp</I
+></TT
+>.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN61"
+></A
+><H2
+>RETURN VALUES</H2
+><P
+><TT
+CLASS="FUNCTION"
+>lwres_conf_parse()</TT
+>
 returns
-<span class="errorcode">LWRES_R_SUCCESS</span>
+<SPAN
+CLASS="ERRORCODE"
+>LWRES_R_SUCCESS</SPAN
+>
 if it successfully read and parsed
-<em class="parameter"><code>filename</code></em>.
+<TT
+CLASS="PARAMETER"
+><I
+>filename</I
+></TT
+>.
 It returns
-<span class="errorcode">LWRES_R_FAILURE</span>
+<SPAN
+CLASS="ERRORCODE"
+>LWRES_R_FAILURE</SPAN
+>
 if
-<em class="parameter"><code>filename</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>filename</I
+></TT
+>
 could not be opened or contained incorrect
-resolver statements.
-</p>
-<p>
-<code class="function">lwres_conf_print()</code>
+resolver statements.</P
+><P
+><TT
+CLASS="FUNCTION"
+>lwres_conf_print()</TT
+>
 returns
-<span class="errorcode">LWRES_R_SUCCESS</span>
+<SPAN
+CLASS="ERRORCODE"
+>LWRES_R_SUCCESS</SPAN
+>
 unless an error occurred when converting the network addresses to a
 numeric host address string.
 If this happens, the function returns
-<span class="errorcode">LWRES_R_FAILURE</span>.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543527"></a><h2>SEE ALSO</h2>
-<p>
-<span class="citerefentry"><span class="refentrytitle">stdio</span>(3)</span>,
-<span class="citerefentry"><span class="refentrytitle">resolver</span>(5)</span>.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543554"></a><h2>FILES</h2>
-<p>
-<code class="filename">/etc/resolv.conf</code>
-</p>
-</div>
-</div></body>
-</html>
+<SPAN
+CLASS="ERRORCODE"
+>LWRES_R_FAILURE</SPAN
+>.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN73"
+></A
+><H2
+>SEE ALSO</H2
+><P
+><SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>stdio</SPAN
+>(3)</SPAN
+>,
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>resolver</SPAN
+>(5)</SPAN
+>.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN82"
+></A
+><H2
+>FILES</H2
+><P
+><TT
+CLASS="FILENAME"
+>/etc/resolv.conf</TT
+></P
+></DIV
+></BODY
+></HTML
+>
diff --git a/lib/lwres/man/lwres_context.3 b/lib/lwres/man/lwres_context.3
index ccf09015..d19b18a2 100644
--- a/lib/lwres/man/lwres_context.3
+++ b/lib/lwres/man/lwres_context.3
@@ -1,85 +1,103 @@
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
-.\" 
+.\" Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001  Internet Software Consortium.
+.\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
 .\" copyright notice and this permission notice appear in all copies.
-.\" 
+.\"
 .\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 .\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 .\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 .\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_context.3,v 1.13.2.10 2007/01/30 00:10:38 marka Exp $
+.\" $Id: lwres_context.3,v 1.13.2.2.2.2 2004/03/08 09:05:12 marka Exp $
 .\"
-.hy 0
-.ad l
-.\"     Title: lwres_context
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: Jun 30, 2000
-.\"    Manual: BIND9
-.\"    Source: BIND9
-.\"
-.TH "LWRES_CONTEXT" "3" "Jun 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
+.TH "LWRES_CONTEXT" "3" "Jun 30, 2000" "BIND9" ""
+.SH NAME
 lwres_context_create, lwres_context_destroy, lwres_context_nextserial, lwres_context_initserial, lwres_context_freemem, lwres_context_allocmem, lwres_context_sendrecv \- lightweight resolver context management
-.SH "SYNOPSIS"
-.nf
-#include <lwres/lwres.h>
-.fi
-.HP 36
-.BI "lwres_result_t lwres_context_create(lwres_context_t\ **contextp, void\ *arg, lwres_malloc_t\ malloc_function, lwres_free_t\ free_function);"
-.HP 37
-.BI "lwres_result_t lwres_context_destroy(lwres_context_t\ **contextp);"
-.HP 30
-.BI "void lwres_context_initserial(lwres_context_t\ *ctx, lwres_uint32_t\ serial);"
-.HP 40
-.BI "lwres_uint32_t lwres_context_nextserial(lwres_context_t\ *ctx);"
-.HP 27
-.BI "void lwres_context_freemem(lwres_context_t\ *ctx, void\ *mem, size_t\ len);"
-.HP 28
-.BI "void lwres_context_allocmem(lwres_context_t\ *ctx, size_t\ len);"
-.HP 30
-.BI "void * lwres_context_sendrecv(lwres_context_t\ *ctx, void\ *sendbase, int\ sendlen, void\ *recvbase, int\ recvlen, int\ *recvd_len);"
+.SH SYNOPSIS
+\fB#include <lwres/lwres.h>
+.sp
+.na
+lwres_result_t
+lwres_context_create(lwres_context_t **contextp, void *arg, lwres_malloc_t malloc_function, lwres_free_t free_function);
+.ad
+.sp
+.na
+lwres_result_t
+lwres_context_destroy(lwres_context_t **contextp);
+.ad
+.sp
+.na
+void
+lwres_context_initserial(lwres_context_t *ctx, lwres_uint32_t serial);
+.ad
+.sp
+.na
+lwres_uint32_t
+lwres_context_nextserial(lwres_context_t *ctx);
+.ad
+.sp
+.na
+void
+lwres_context_freemem(lwres_context_t *ctx, void *mem, size_t len);
+.ad
+.sp
+.na
+void
+lwres_context_allocmem(lwres_context_t *ctx, size_t len);
+.ad
+.sp
+.na
+void *
+lwres_context_sendrecv(lwres_context_t *ctx, void *sendbase, int sendlen, void *recvbase, int recvlen, int *recvd_len);
+.ad
+\fR
 .SH "DESCRIPTION"
 .PP
 \fBlwres_context_create()\fR
 creates a
 \fBlwres_context_t\fR
-structure for use in lightweight resolver operations. It holds a socket and other data needed for communicating with a resolver daemon. The new
+structure for use in lightweight resolver operations.
+It holds a socket and other data needed for communicating
+with a resolver daemon.
+The new
 \fBlwres_context_t\fR
 is returned through
-\fIcontextp\fR, a pointer to a
+\fIcontextp\fR,
+a pointer to a
 \fBlwres_context_t\fR
-pointer. This
+pointer. This 
 \fBlwres_context_t\fR
-pointer must initially be NULL, and is modified to point to the newly created
+pointer must initially be NULL, and is modified 
+to point to the newly created
 \fBlwres_context_t\fR.
 .PP
-When the lightweight resolver needs to perform dynamic memory allocation, it will call
+When the lightweight resolver needs to perform dynamic memory
+allocation, it will call
 \fImalloc_function\fR
 to allocate memory and
 \fIfree_function\fR
-to free it. If
+to free it. If 
 \fImalloc_function\fR
 and
 \fIfree_function\fR
-are NULL, memory is allocated using .Xr malloc 3 and
-\fBfree\fR(3). It is not permitted to have a NULL
+are NULL, memory is allocated using
+\&.Xr malloc 3
+and
+\fBfree\fR(3).
+It is not permitted to have a NULL
 \fImalloc_function\fR
-and a non\-NULL
+and a non-NULL
 \fIfree_function\fR
 or vice versa.
 \fIarg\fR
-is passed as the first parameter to the memory allocation functions. If
+is passed as the first parameter to the memory
+allocation functions. 
+If
 \fImalloc_function\fR
 and
 \fIfree_function\fR
@@ -87,18 +105,23 @@ are NULL,
 \fIarg\fR
 is unused and should be passed as NULL.
 .PP
-Once memory for the structure has been allocated, it is initialized using
+Once memory for the structure has been allocated,
+it is initialized using
 \fBlwres_conf_init\fR(3)
 and returned via
 \fI*contextp\fR.
 .PP
 \fBlwres_context_destroy()\fR
-destroys a
-\fBlwres_context_t\fR, closing its socket.
+destroys a 
+\fBlwres_context_t\fR,
+closing its socket.
 \fIcontextp\fR
-is a pointer to a pointer to the context that is to be destroyed. The pointer will be set to NULL when the context has been destroyed.
+is a pointer to a pointer to the context that is to be destroyed.
+The pointer will be set to NULL when the context has been destroyed.
 .PP
-The context holds a serial number that is used to identify resolver request packets and associate responses with the corresponding requests. This serial number is controlled using
+The context holds a serial number that is used to identify resolver
+request packets and associate responses with the corresponding requests.
+This serial number is controlled using
 \fBlwres_context_initserial()\fR
 and
 \fBlwres_context_nextserial()\fR.
@@ -113,12 +136,15 @@ increments the serial number and returns the previous value.
 Memory for a lightweight resolver context is allocated and freed using
 \fBlwres_context_allocmem()\fR
 and
-\fBlwres_context_freemem()\fR. These use whatever allocations were defined when the context was created with
+\fBlwres_context_freemem()\fR.
+These use whatever allocations were defined when the context was
+created with
 \fBlwres_context_create()\fR.
 \fBlwres_context_allocmem()\fR
 allocates
 \fIlen\fR
-bytes of memory and if successful returns a pointer to the allocated storage.
+bytes of memory and if successful returns a pointer to the allocated
+storage.
 \fBlwres_context_freemem()\fR
 frees
 \fIlen\fR
@@ -127,33 +153,39 @@ bytes of space starting at location
 .PP
 \fBlwres_context_sendrecv()\fR
 performs I/O for the context
-\fIctx\fR. Data are read and written from the context's socket. It writes data from
+\fIctx\fR.
+Data are read and written from the context's socket.
+It writes data from
 \fIsendbase\fR
-\(em typically a lightweight resolver query packet \(em and waits for a reply which is copied to the receive buffer at
-\fIrecvbase\fR. The number of bytes that were written to this receive buffer is returned in
+\(em typically a lightweight resolver query packet \(em
+and waits for a reply which is copied to the receive buffer at
+\fIrecvbase\fR.
+The number of bytes that were written to this receive buffer is
+returned in
 \fI*recvd_len\fR.
 .SH "RETURN VALUES"
 .PP
 \fBlwres_context_create()\fR
 returns
-\fBLWRES_R_NOMEMORY\fR
+LWRES_R_NOMEMORY
 if memory for the
 \fBstruct lwres_context\fR
-could not be allocated,
-\fBLWRES_R_SUCCESS\fR
+could not be allocated, 
+LWRES_R_SUCCESS
 otherwise.
 .PP
 Successful calls to the memory allocator
 \fBlwres_context_allocmem()\fR
-return a pointer to the start of the allocated space. It returns NULL if memory could not be allocated.
+return a pointer to the start of the allocated space.
+It returns NULL if memory could not be allocated.
 .PP
-\fBLWRES_R_SUCCESS\fR
+LWRES_R_SUCCESS
 is returned when
 \fBlwres_context_sendrecv()\fR
 completes successfully.
-\fBLWRES_R_IOERROR\fR
+LWRES_R_IOERROR
 is returned if an I/O error occurs and
-\fBLWRES_R_TIMEOUT\fR
+LWRES_R_TIMEOUT
 is returned if
 \fBlwres_context_sendrecv()\fR
 times out waiting for a response.
@@ -161,9 +193,4 @@ times out waiting for a response.
 .PP
 \fBlwres_conf_init\fR(3),
 \fBmalloc\fR(3),
-\fBfree\fR(3 ).
-.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000, 2001, 2003 Internet Software Consortium.
-.br
+\fBfree\fR(3).
diff --git a/lib/lwres/man/lwres_context.docbook b/lib/lwres/man/lwres_context.docbook
index b70ee91c..137e4bc2 100644
--- a/lib/lwres/man/lwres_context.docbook
+++ b/lib/lwres/man/lwres_context.docbook
@@ -1,9 +1,7 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
 <!--
- - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
+ - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001, 2003  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -18,7 +16,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: lwres_context.docbook,v 1.3.2.7 2007/01/29 23:57:17 marka Exp $ -->
+<!-- $Id: lwres_context.docbook,v 1.3.2.2.2.1 2004/03/06 08:15:38 marka Exp $ -->
 
 <refentry>
 <refentryinfo>
@@ -31,22 +29,6 @@
 <manvolnum>3</manvolnum>
 <refmiscinfo>BIND9</refmiscinfo>
 </refmeta>
-
-  <docinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2007</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <year>2003</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
-  </docinfo>
-
 <refnamediv>
 <refname>lwres_context_create</refname>
 <refname>lwres_context_destroy</refname>
diff --git a/lib/lwres/man/lwres_context.html b/lib/lwres/man/lwres_context.html
index 05783def..53b624ce 100644
--- a/lib/lwres/man/lwres_context.html
+++ b/lib/lwres/man/lwres_context.html
@@ -1,335 +1,522 @@
 <!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
- - 
+ - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001  Internet Software Consortium.
+ -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
- - 
+ -
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_context.html,v 1.5.2.16 2007/01/30 00:10:38 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>lwres_context</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476275"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p>lwres_context_create, lwres_context_destroy, lwres_context_nextserial, lwres_context_initserial, lwres_context_freemem, lwres_context_allocmem, lwres_context_sendrecv &#8212; lightweight resolver context management</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="funcsynopsis">
-<pre class="funcsynopsisinfo">#include &lt;lwres/lwres.h&gt;</pre>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-lwres_result_t
-<b class="fsfunc">lwres_context_create</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
-<td><code class="funcdef">
-lwres_result_t
-<b class="fsfunc">lwres_context_destroy</b>(</code></td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr></table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_context_initserial</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
-<td><code class="funcdef">
-lwres_uint32_t
-<b class="fsfunc">lwres_context_nextserial</b>(</code></td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr></table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_context_freemem</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_context_allocmem</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0">
-<tr>
-<td><code class="funcdef">
-void *
-<b class="fsfunc">lwres_context_sendrecv</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-</div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543481"></a><h2>DESCRIPTION</h2>
-<p>
-<code class="function">lwres_context_create()</code>
+
+<!-- $Id: lwres_context.html,v 1.5.2.2.2.2 2004/03/08 09:05:12 marka Exp $ -->
+
+<HTML
+><HEAD
+><TITLE
+>lwres_context</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.73
+"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+>lwres_context</A
+></H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN8"
+></A
+><H2
+>Name</H2
+>lwres_context_create, lwres_context_destroy, lwres_context_nextserial, lwres_context_initserial, lwres_context_freemem, lwres_context_allocmem, lwres_context_sendrecv&nbsp;--&nbsp;lightweight resolver context management</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN17"
+></A
+><H2
+>Synopsis</H2
+><DIV
+CLASS="FUNCSYNOPSIS"
+><A
+NAME="AEN18"
+></A
+><P
+></P
+><PRE
+CLASS="FUNCSYNOPSISINFO"
+>#include &lt;lwres/lwres.h&gt;</PRE
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>lwres_result_t
+lwres_context_create</CODE
+>(lwres_context_t **contextp, void *arg, lwres_malloc_t malloc_function, lwres_free_t free_function);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>lwres_result_t
+lwres_context_destroy</CODE
+>(lwres_context_t **contextp);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>void
+lwres_context_initserial</CODE
+>(lwres_context_t *ctx, lwres_uint32_t serial);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>lwres_uint32_t
+lwres_context_nextserial</CODE
+>(lwres_context_t *ctx);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>void
+lwres_context_freemem</CODE
+>(lwres_context_t *ctx, void *mem, size_t len);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>void
+lwres_context_allocmem</CODE
+>(lwres_context_t *ctx, size_t len);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>void *
+lwres_context_sendrecv</CODE
+>(lwres_context_t *ctx, void *sendbase, int sendlen, void *recvbase, int recvlen, int *recvd_len);</CODE
+></P
+><P
+></P
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN60"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+><TT
+CLASS="FUNCTION"
+>lwres_context_create()</TT
+>
 creates a
-<span class="type">lwres_context_t</span>
+<SPAN
+CLASS="TYPE"
+>lwres_context_t</SPAN
+>
 structure for use in lightweight resolver operations.
 It holds a socket and other data needed for communicating
 with a resolver daemon.
 The new
-<span class="type">lwres_context_t</span>
+<SPAN
+CLASS="TYPE"
+>lwres_context_t</SPAN
+>
 is returned through
-<em class="parameter"><code>contextp</code></em>,
+<TT
+CLASS="PARAMETER"
+><I
+>contextp</I
+></TT
+>,
 
 a pointer to a
-<span class="type">lwres_context_t</span>
+<SPAN
+CLASS="TYPE"
+>lwres_context_t</SPAN
+>
 pointer.  This 
-<span class="type">lwres_context_t</span>
+<SPAN
+CLASS="TYPE"
+>lwres_context_t</SPAN
+>
 pointer must initially be NULL, and is modified 
 to point to the newly created
-<span class="type">lwres_context_t</span>.
-
-</p>
-<p>
-When the lightweight resolver needs to perform dynamic memory
+<SPAN
+CLASS="TYPE"
+>lwres_context_t</SPAN
+>.&#13;</P
+><P
+>When the lightweight resolver needs to perform dynamic memory
 allocation, it will call
-<em class="parameter"><code>malloc_function</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>malloc_function</I
+></TT
+>
 to allocate memory and
-<em class="parameter"><code>free_function</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>free_function</I
+></TT
+>
 
 to free it.  If 
-<em class="parameter"><code>malloc_function</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>malloc_function</I
+></TT
+>
 and
-<em class="parameter"><code>free_function</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>free_function</I
+></TT
+>
 
 are NULL, memory is allocated using
 .Xr malloc 3
 and
-<span class="citerefentry"><span class="refentrytitle">free</span>(3)</span>.
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>free</SPAN
+>(3)</SPAN
+>.
 
 It is not permitted to have a NULL
-<em class="parameter"><code>malloc_function</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>malloc_function</I
+></TT
+>
 and a non-NULL
-<em class="parameter"><code>free_function</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>free_function</I
+></TT
+>
 or vice versa.
-<em class="parameter"><code>arg</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>arg</I
+></TT
+>
 is passed as the first parameter to the memory
 allocation functions.  
 If
-<em class="parameter"><code>malloc_function</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>malloc_function</I
+></TT
+>
 and
-<em class="parameter"><code>free_function</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>free_function</I
+></TT
+>
 are NULL,
-<em class="parameter"><code>arg</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>arg</I
+></TT
+>
 
-is unused and should be passed as NULL.
-</p>
-<p>
-Once memory for the structure has been allocated,
+is unused and should be passed as NULL.</P
+><P
+>Once memory for the structure has been allocated,
 it is initialized using
-<span class="citerefentry"><span class="refentrytitle">lwres_conf_init</span>(3)</span>
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres_conf_init</SPAN
+>(3)</SPAN
+>
 
 and returned via
-<em class="parameter"><code>*contextp</code></em>.
-
-</p>
-<p>
-<code class="function">lwres_context_destroy()</code>
+<TT
+CLASS="PARAMETER"
+><I
+>*contextp</I
+></TT
+>.&#13;</P
+><P
+><TT
+CLASS="FUNCTION"
+>lwres_context_destroy()</TT
+>
 destroys a 
-<span class="type">lwres_context_t</span>,
+<SPAN
+CLASS="TYPE"
+>lwres_context_t</SPAN
+>,
 
 closing its socket.
-<em class="parameter"><code>contextp</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>contextp</I
+></TT
+>
 is a pointer to a pointer to the context that is to be destroyed.
-The pointer will be set to NULL when the context has been destroyed.
-</p>
-<p>
-The context holds a serial number that is used to identify resolver
+The pointer will be set to NULL when the context has been destroyed.</P
+><P
+>The context holds a serial number that is used to identify resolver
 request packets and associate responses with the corresponding requests.
 This serial number is controlled using
-<code class="function">lwres_context_initserial()</code>
+<TT
+CLASS="FUNCTION"
+>lwres_context_initserial()</TT
+>
 and
-<code class="function">lwres_context_nextserial()</code>.
-<code class="function">lwres_context_initserial()</code>
+<TT
+CLASS="FUNCTION"
+>lwres_context_nextserial()</TT
+>.
+<TT
+CLASS="FUNCTION"
+>lwres_context_initserial()</TT
+>
 sets the serial number for context
-<em class="parameter"><code>*ctx</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>*ctx</I
+></TT
+>
 to
-<em class="parameter"><code>serial</code></em>.
+<TT
+CLASS="PARAMETER"
+><I
+>serial</I
+></TT
+>.
 
-<code class="function">lwres_context_nextserial()</code>
-increments the serial number and returns the previous value.
-</p>
-<p>
-Memory for a lightweight resolver context is allocated and freed using
-<code class="function">lwres_context_allocmem()</code>
+<TT
+CLASS="FUNCTION"
+>lwres_context_nextserial()</TT
+>
+increments the serial number and returns the previous value.</P
+><P
+>Memory for a lightweight resolver context is allocated and freed using
+<TT
+CLASS="FUNCTION"
+>lwres_context_allocmem()</TT
+>
 and
-<code class="function">lwres_context_freemem()</code>.
+<TT
+CLASS="FUNCTION"
+>lwres_context_freemem()</TT
+>.
 These use whatever allocations were defined when the context was
 created with
-<code class="function">lwres_context_create()</code>.
-<code class="function">lwres_context_allocmem()</code>
+<TT
+CLASS="FUNCTION"
+>lwres_context_create()</TT
+>.
+<TT
+CLASS="FUNCTION"
+>lwres_context_allocmem()</TT
+>
 allocates
-<em class="parameter"><code>len</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>len</I
+></TT
+>
 bytes of memory and if successful returns a pointer to the allocated
 storage.
-<code class="function">lwres_context_freemem()</code>
+<TT
+CLASS="FUNCTION"
+>lwres_context_freemem()</TT
+>
 frees
-<em class="parameter"><code>len</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>len</I
+></TT
+>
 bytes of space starting at location
-<em class="parameter"><code>mem</code></em>.
-
-</p>
-<p>
-<code class="function">lwres_context_sendrecv()</code>
+<TT
+CLASS="PARAMETER"
+><I
+>mem</I
+></TT
+>.&#13;</P
+><P
+><TT
+CLASS="FUNCTION"
+>lwres_context_sendrecv()</TT
+>
 performs I/O for the context
-<em class="parameter"><code>ctx</code></em>.
+<TT
+CLASS="PARAMETER"
+><I
+>ctx</I
+></TT
+>.
 
 Data are read and written from the context's socket.
 It writes data from
-<em class="parameter"><code>sendbase</code></em>
-&#8212; typically a lightweight resolver query packet &#8212;
+<TT
+CLASS="PARAMETER"
+><I
+>sendbase</I
+></TT
+>
+&mdash; typically a lightweight resolver query packet &mdash;
 and waits for a reply which is copied to the receive buffer at
-<em class="parameter"><code>recvbase</code></em>.
+<TT
+CLASS="PARAMETER"
+><I
+>recvbase</I
+></TT
+>.
 
 The number of bytes that were written to this receive buffer is
 returned in
-<em class="parameter"><code>*recvd_len</code></em>.
-
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543662"></a><h2>RETURN VALUES</h2>
-<p>
-<code class="function">lwres_context_create()</code>
+<TT
+CLASS="PARAMETER"
+><I
+>*recvd_len</I
+></TT
+>.&#13;</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN115"
+></A
+><H2
+>RETURN VALUES</H2
+><P
+><TT
+CLASS="FUNCTION"
+>lwres_context_create()</TT
+>
 returns
-<span class="errorcode">LWRES_R_NOMEMORY</span>
+<SPAN
+CLASS="ERRORCODE"
+>LWRES_R_NOMEMORY</SPAN
+>
 if memory for the
-<span class="type">struct lwres_context</span>
+<SPAN
+CLASS="TYPE"
+>struct lwres_context</SPAN
+>
 could not be allocated, 
-<span class="errorcode">LWRES_R_SUCCESS</span>
-otherwise.
-</p>
-<p>
-Successful calls to the memory allocator
-<code class="function">lwres_context_allocmem()</code>
+<SPAN
+CLASS="ERRORCODE"
+>LWRES_R_SUCCESS</SPAN
+>
+otherwise.</P
+><P
+>Successful calls to the memory allocator
+<TT
+CLASS="FUNCTION"
+>lwres_context_allocmem()</TT
+>
 return a pointer to the start of the allocated space.
-It returns NULL if memory could not be allocated.
-</p>
-<p>
-<span class="errorcode">LWRES_R_SUCCESS</span>
+It returns NULL if memory could not be allocated.</P
+><P
+><SPAN
+CLASS="ERRORCODE"
+>LWRES_R_SUCCESS</SPAN
+>
 is returned when
-<code class="function">lwres_context_sendrecv()</code>
+<TT
+CLASS="FUNCTION"
+>lwres_context_sendrecv()</TT
+>
 completes successfully.
-<span class="errorcode">LWRES_R_IOERROR</span>
+<SPAN
+CLASS="ERRORCODE"
+>LWRES_R_IOERROR</SPAN
+>
 is returned if an I/O error occurs and
-<span class="errorcode">LWRES_R_TIMEOUT</span>
+<SPAN
+CLASS="ERRORCODE"
+>LWRES_R_TIMEOUT</SPAN
+>
 is returned if
-<code class="function">lwres_context_sendrecv()</code>
-times out waiting for a response.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543714"></a><h2>SEE ALSO</h2>
-<p>
-<span class="citerefentry"><span class="refentrytitle">lwres_conf_init</span>(3)</span>,
+<TT
+CLASS="FUNCTION"
+>lwres_context_sendrecv()</TT
+>
+times out waiting for a response.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN130"
+></A
+><H2
+>SEE ALSO</H2
+><P
+><SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres_conf_init</SPAN
+>(3)</SPAN
+>,
 
-<span class="citerefentry"><span class="refentrytitle">malloc</span>(3)</span>,
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>malloc</SPAN
+>(3)</SPAN
+>,
 
-<span class="citerefentry"><span class="refentrytitle">free</span>(3
-)</span>.
-</p>
-</div>
-</div></body>
-</html>
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>free</SPAN
+>(3)</SPAN
+>.</P
+></DIV
+></BODY
+></HTML
+>
diff --git a/lib/lwres/man/lwres_gabn.3 b/lib/lwres/man/lwres_gabn.3
index 59138897..a309f3e6 100644
--- a/lib/lwres/man/lwres_gabn.3
+++ b/lib/lwres/man/lwres_gabn.3
@@ -1,76 +1,91 @@
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\" 
+.\" Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001  Internet Software Consortium.
+.\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
 .\" copyright notice and this permission notice appear in all copies.
-.\" 
+.\"
 .\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 .\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 .\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 .\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_gabn.3,v 1.13.2.9 2007/01/30 00:10:38 marka Exp $
+.\" $Id: lwres_gabn.3,v 1.13.2.1.8.1 2004/03/06 07:41:42 marka Exp $
 .\"
-.hy 0
-.ad l
-.\"     Title: lwres_gabn
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: Jun 30, 2000
-.\"    Manual: BIND9
-.\"    Source: BIND9
-.\"
-.TH "LWRES_GABN" "3" "Jun 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
+.TH "LWRES_GABN" "3" "Jun 30, 2000" "BIND9" ""
+.SH NAME
 lwres_gabnrequest_render, lwres_gabnresponse_render, lwres_gabnrequest_parse, lwres_gabnresponse_parse, lwres_gabnresponse_free, lwres_gabnrequest_free \- lightweight resolver getaddrbyname message handling
-.SH "SYNOPSIS"
-.nf
-#include <lwres/lwres.h>
-.fi
-.HP 40
-.BI "lwres_result_t lwres_gabnrequest_render(lwres_context_t\ *ctx, lwres_gabnrequest_t\ *req, lwres_lwpacket_t\ *pkt, lwres_buffer_t\ *b);"
-.HP 41
-.BI "lwres_result_t lwres_gabnresponse_render(lwres_context_t\ *ctx, lwres_gabnresponse_t\ *req, lwres_lwpacket_t\ *pkt, lwres_buffer_t\ *b);"
-.HP 39
-.BI "lwres_result_t lwres_gabnrequest_parse(lwres_context_t\ *ctx, lwres_buffer_t\ *b, lwres_lwpacket_t\ *pkt, lwres_gabnrequest_t\ **structp);"
-.HP 40
-.BI "lwres_result_t lwres_gabnresponse_parse(lwres_context_t\ *ctx, lwres_buffer_t\ *b, lwres_lwpacket_t\ *pkt, lwres_gabnresponse_t\ **structp);"
-.HP 29
-.BI "void lwres_gabnresponse_free(lwres_context_t\ *ctx, lwres_gabnresponse_t\ **structp);"
-.HP 28
-.BI "void lwres_gabnrequest_free(lwres_context_t\ *ctx, lwres_gabnrequest_t\ **structp);"
+.SH SYNOPSIS
+\fB#include <lwres/lwres.h>
+.sp
+.na
+lwres_result_t
+lwres_gabnrequest_render(lwres_context_t *ctx, lwres_gabnrequest_t *req, lwres_lwpacket_t *pkt, lwres_buffer_t *b);
+.ad
+.sp
+.na
+lwres_result_t
+lwres_gabnresponse_render(lwres_context_t *ctx, lwres_gabnresponse_t *req, lwres_lwpacket_t *pkt, lwres_buffer_t *b);
+.ad
+.sp
+.na
+lwres_result_t
+lwres_gabnrequest_parse(lwres_context_t *ctx, lwres_buffer_t *b, lwres_lwpacket_t *pkt, lwres_gabnrequest_t **structp);
+.ad
+.sp
+.na
+lwres_result_t
+lwres_gabnresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b, lwres_lwpacket_t *pkt, lwres_gabnresponse_t **structp);
+.ad
+.sp
+.na
+void
+lwres_gabnresponse_free(lwres_context_t *ctx, lwres_gabnresponse_t **structp);
+.ad
+.sp
+.na
+void
+lwres_gabnrequest_free(lwres_context_t *ctx, lwres_gabnrequest_t **structp);
+.ad
+\fR
 .SH "DESCRIPTION"
 .PP
-These are low\-level routines for creating and parsing lightweight resolver name\-to\-address lookup request and response messages.
+These are low-level routines for creating and parsing
+lightweight resolver name-to-address lookup request and 
+response messages.
 .PP
-There are four main functions for the getaddrbyname opcode. One render function converts a getaddrbyname request structure \(em
-\fBlwres_gabnrequest_t\fR
-\(em to the lighweight resolver's canonical format. It is complemented by a parse function that converts a packet in this canonical format to a getaddrbyname request structure. Another render function converts the getaddrbyname response structure \(em
-\fBlwres_gabnresponse_t\fR
-\(em to the canonical format. This is complemented by a parse function which converts a packet in canonical format to a getaddrbyname response structure.
+There are four main functions for the getaddrbyname opcode.
+One render function converts a getaddrbyname request structure \(em
+\fBlwres_gabnrequest_t\fR \(em
+to the lighweight resolver's canonical format.
+It is complemented by a parse function that converts a packet in this
+canonical format to a getaddrbyname request structure.
+Another render function converts the getaddrbyname response structure \(em
+\fBlwres_gabnresponse_t\fR \(em
+to the canonical format.
+This is complemented by a parse function which converts a packet in
+canonical format to a getaddrbyname response structure.
 .PP
 These structures are defined in
-\fI<lwres/lwres.h>\fR. They are shown below.
+\fI<lwres/lwres.h>\fR.
+They are shown below.
 .sp
-.RS 4
 .nf
 #define LWRES_OPCODE_GETADDRSBYNAME     0x00010001U
+
 typedef struct lwres_addr lwres_addr_t;
 typedef LWRES_LIST(lwres_addr_t) lwres_addrlist_t;
+
 typedef struct {
         lwres_uint32_t  flags;
         lwres_uint32_t  addrtypes;
         lwres_uint16_t  namelen;
         char           *name;
 } lwres_gabnrequest_t;
+
 typedef struct {
         lwres_uint32_t          flags;
         lwres_uint16_t          naliases;
@@ -83,19 +98,21 @@ typedef struct {
         void                   *base;
         size_t                  baselen;
 } lwres_gabnresponse_t;
-.fi
-.RE
 .sp
+.fi
 .PP
 \fBlwres_gabnrequest_render()\fR
 uses resolver context
 \fIctx\fR
 to convert getaddrbyname request structure
 \fIreq\fR
-to canonical format. The packet header structure
+to canonical format.
+The packet header structure
 \fIpkt\fR
-is initialised and transferred to buffer
-\fIb\fR. The contents of
+is initialised and transferred to
+buffer
+\fIb\fR.
+The contents of
 \fI*req\fR
 are then appended to the buffer in canonical format.
 \fBlwres_gabnresponse_render()\fR
@@ -110,9 +127,11 @@ to convert the contents of packet
 \fIpkt\fR
 to a
 \fBlwres_gabnrequest_t\fR
-structure. Buffer
+structure.
+Buffer
 \fIb\fR
-provides space to be used for storing this structure. When the function succeeds, the resulting
+provides space to be used for storing this structure.
+When the function succeeds, the resulting
 \fBlwres_gabnrequest_t\fR
 is made available through
 \fI*structp\fR.
@@ -133,21 +152,24 @@ that was allocated to the
 or
 \fBlwres_gabnrequest_t\fR
 structures referenced via
-\fIstructp\fR. Any memory associated with ancillary buffers and strings for those structures is also discarded.
+\fIstructp\fR.
+Any memory associated with ancillary buffers and strings for those
+structures is also discarded.
 .SH "RETURN VALUES"
 .PP
 The getaddrbyname opcode functions
-\fBlwres_gabnrequest_render()\fR,
+\fBlwres_gabnrequest_render()\fR, 
 \fBlwres_gabnresponse_render()\fR
 \fBlwres_gabnrequest_parse()\fR
 and
 \fBlwres_gabnresponse_parse()\fR
 all return
-\fBLWRES_R_SUCCESS\fR
-on success. They return
-\fBLWRES_R_NOMEMORY\fR
+LWRES_R_SUCCESS
+on success.
+They return
+LWRES_R_NOMEMORY
 if memory allocation fails.
-\fBLWRES_R_UNEXPECTEDEND\fR
+LWRES_R_UNEXPECTEDEND
 is returned if the available space in the buffer
 \fIb\fR
 is too small to accommodate the packet header or the
@@ -159,19 +181,15 @@ structures.
 and
 \fBlwres_gabnresponse_parse()\fR
 will return
-\fBLWRES_R_UNEXPECTEDEND\fR
-if the buffer is not empty after decoding the received packet. These functions will return
-\fBLWRES_R_FAILURE\fR
+LWRES_R_UNEXPECTEDEND
+if the buffer is not empty after decoding the received packet.
+These functions will return
+LWRES_R_FAILURE
 if
-pktflags
+\fBpktflags\fR
 in the packet header structure
 \fBlwres_lwpacket_t\fR
 indicate that the packet is not a response to an earlier query.
 .SH "SEE ALSO"
 .PP
-\fBlwres_packet\fR(3 )
-.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000, 2001 Internet Software Consortium.
-.br
+\fBlwres_packet\fR(3)
diff --git a/lib/lwres/man/lwres_gabn.docbook b/lib/lwres/man/lwres_gabn.docbook
index 40b97484..cb9481f4 100644
--- a/lib/lwres/man/lwres_gabn.docbook
+++ b/lib/lwres/man/lwres_gabn.docbook
@@ -1,9 +1,7 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
 <!--
- - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001  Internet Software Consortium.
+ - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -18,7 +16,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: lwres_gabn.docbook,v 1.3.2.5 2007/01/29 23:57:17 marka Exp $ -->
+<!-- $Id: lwres_gabn.docbook,v 1.3.206.1 2004/03/06 08:15:38 marka Exp $ -->
 
 <refentry>
 <refentryinfo>
@@ -31,21 +29,6 @@
 <manvolnum>3</manvolnum>
 <refmiscinfo>BIND9</refmiscinfo>
 </refmeta>
-
-  <docinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2007</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
-  </docinfo>
-
 <refnamediv>
 <refname>lwres_gabnrequest_render</refname>
 <refname>lwres_gabnresponse_render</refname>
diff --git a/lib/lwres/man/lwres_gabn.html b/lib/lwres/man/lwres_gabn.html
index 65abeb47..ad0867fe 100644
--- a/lib/lwres/man/lwres_gabn.html
+++ b/lib/lwres/man/lwres_gabn.html
@@ -1,195 +1,158 @@
 <!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- - 
+ - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001  Internet Software Consortium.
+ -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
- - 
+ -
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_gabn.html,v 1.6.2.15 2007/01/30 00:10:38 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>lwres_gabn</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476275"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p>lwres_gabnrequest_render, lwres_gabnresponse_render, lwres_gabnrequest_parse, lwres_gabnresponse_parse, lwres_gabnresponse_free, lwres_gabnrequest_free &#8212; lightweight resolver getaddrbyname message handling</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="funcsynopsis">
-<pre class="funcsynopsisinfo">#include &lt;lwres/lwres.h&gt;</pre>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-lwres_result_t
-<b class="fsfunc">lwres_gabnrequest_render</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-lwres_result_t
-<b class="fsfunc">lwres_gabnresponse_render</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-lwres_result_t
-<b class="fsfunc">lwres_gabnrequest_parse</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-lwres_result_t
-<b class="fsfunc">lwres_gabnresponse_parse</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_gabnresponse_free</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0">
-<tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_gabnrequest_free</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-</div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543469"></a><h2>DESCRIPTION</h2>
-<p>
-These are low-level routines for creating and parsing
+
+<!-- $Id: lwres_gabn.html,v 1.6.2.1.4.1 2004/03/06 08:15:38 marka Exp $ -->
+
+<HTML
+><HEAD
+><TITLE
+>lwres_gabn</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.73
+"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+>lwres_gabn</A
+></H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN8"
+></A
+><H2
+>Name</H2
+>lwres_gabnrequest_render, lwres_gabnresponse_render, lwres_gabnrequest_parse, lwres_gabnresponse_parse, lwres_gabnresponse_free, lwres_gabnrequest_free&nbsp;--&nbsp;lightweight resolver getaddrbyname message handling</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN16"
+></A
+><H2
+>Synopsis</H2
+><DIV
+CLASS="FUNCSYNOPSIS"
+><A
+NAME="AEN17"
+></A
+><P
+></P
+><PRE
+CLASS="FUNCSYNOPSISINFO"
+>#include &lt;lwres/lwres.h&gt;</PRE
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>lwres_result_t
+lwres_gabnrequest_render</CODE
+>(lwres_context_t *ctx, lwres_gabnrequest_t *req, lwres_lwpacket_t *pkt, lwres_buffer_t *b);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>lwres_result_t
+lwres_gabnresponse_render</CODE
+>(lwres_context_t *ctx, lwres_gabnresponse_t *req, lwres_lwpacket_t *pkt, lwres_buffer_t *b);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>lwres_result_t
+lwres_gabnrequest_parse</CODE
+>(lwres_context_t *ctx, lwres_buffer_t *b, lwres_lwpacket_t *pkt, lwres_gabnrequest_t **structp);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>lwres_result_t
+lwres_gabnresponse_parse</CODE
+>(lwres_context_t *ctx, lwres_buffer_t *b, lwres_lwpacket_t *pkt, lwres_gabnresponse_t **structp);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>void
+lwres_gabnresponse_free</CODE
+>(lwres_context_t *ctx, lwres_gabnresponse_t **structp);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>void
+lwres_gabnrequest_free</CODE
+>(lwres_context_t *ctx, lwres_gabnrequest_t **structp);</CODE
+></P
+><P
+></P
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN57"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+>These are low-level routines for creating and parsing
 lightweight resolver name-to-address lookup request and 
-response messages.
-</p>
-<p>
-There are four main functions for the getaddrbyname opcode.
-One render function converts a getaddrbyname request structure &#8212;
-<span class="type">lwres_gabnrequest_t</span> &#8212;
+response messages.</P
+><P
+>There are four main functions for the getaddrbyname opcode.
+One render function converts a getaddrbyname request structure &mdash;
+<SPAN
+CLASS="TYPE"
+>lwres_gabnrequest_t</SPAN
+> &mdash;
 to the lighweight resolver's canonical format.
 It is complemented by a parse function that converts a packet in this
 canonical format to a getaddrbyname request structure.
-Another render function converts the getaddrbyname response structure &#8212;
-<span class="type">lwres_gabnresponse_t</span> &#8212;
+Another render function converts the getaddrbyname response structure &mdash;
+<SPAN
+CLASS="TYPE"
+>lwres_gabnresponse_t</SPAN
+> &mdash;
 to the canonical format.
 This is complemented by a parse function which converts a packet in
-canonical format to a getaddrbyname response structure.
-</p>
-<p>
-These structures are defined in
-<code class="filename">&lt;lwres/lwres.h&gt;</code>.
+canonical format to a getaddrbyname response structure.</P
+><P
+>These structures are defined in
+<TT
+CLASS="FILENAME"
+>&lt;lwres/lwres.h&gt;</TT
+>.
 They are shown below.
-</p>
-<pre class="programlisting">
-#define LWRES_OPCODE_GETADDRSBYNAME     0x00010001U
+<PRE
+CLASS="PROGRAMLISTING"
+>#define LWRES_OPCODE_GETADDRSBYNAME     0x00010001U
 
 typedef struct lwres_addr lwres_addr_t;
 typedef LWRES_LIST(lwres_addr_t) lwres_addrlist_t;
@@ -212,116 +175,271 @@ typedef struct {
         lwres_addrlist_t        addrs;
         void                   *base;
         size_t                  baselen;
-} lwres_gabnresponse_t;
-</pre>
-<p>
-</p>
-<p>
-<code class="function">lwres_gabnrequest_render()</code>
+} lwres_gabnresponse_t;</PRE
+></P
+><P
+><TT
+CLASS="FUNCTION"
+>lwres_gabnrequest_render()</TT
+>
 uses resolver context
-<em class="parameter"><code>ctx</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>ctx</I
+></TT
+>
 to convert getaddrbyname request structure
-<em class="parameter"><code>req</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>req</I
+></TT
+>
 to canonical format.
 The packet header structure
-<em class="parameter"><code>pkt</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>pkt</I
+></TT
+>
 is initialised and transferred to
 buffer
-<em class="parameter"><code>b</code></em>.
+<TT
+CLASS="PARAMETER"
+><I
+>b</I
+></TT
+>.
 
 The contents of
-<em class="parameter"><code>*req</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>*req</I
+></TT
+>
 are then appended to the buffer in canonical format.
-<code class="function">lwres_gabnresponse_render()</code>
+<TT
+CLASS="FUNCTION"
+>lwres_gabnresponse_render()</TT
+>
 performs the same task, except it converts a getaddrbyname response structure
-<span class="type">lwres_gabnresponse_t</span>
-to the lightweight resolver's canonical format.
-</p>
-<p>
-<code class="function">lwres_gabnrequest_parse()</code>
+<SPAN
+CLASS="TYPE"
+>lwres_gabnresponse_t</SPAN
+>
+to the lightweight resolver's canonical format.</P
+><P
+><TT
+CLASS="FUNCTION"
+>lwres_gabnrequest_parse()</TT
+>
 uses context
-<em class="parameter"><code>ctx</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>ctx</I
+></TT
+>
 to convert the contents of packet
-<em class="parameter"><code>pkt</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>pkt</I
+></TT
+>
 to a
-<span class="type">lwres_gabnrequest_t</span>
+<SPAN
+CLASS="TYPE"
+>lwres_gabnrequest_t</SPAN
+>
 structure.
 Buffer
-<em class="parameter"><code>b</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>b</I
+></TT
+>
 provides space to be used for storing this structure.
 When the function succeeds, the resulting
-<span class="type">lwres_gabnrequest_t</span>
+<SPAN
+CLASS="TYPE"
+>lwres_gabnrequest_t</SPAN
+>
 is made available through
-<em class="parameter"><code>*structp</code></em>.
+<TT
+CLASS="PARAMETER"
+><I
+>*structp</I
+></TT
+>.
 
-<code class="function">lwres_gabnresponse_parse()</code>
+<TT
+CLASS="FUNCTION"
+>lwres_gabnresponse_parse()</TT
+>
 offers the same semantics as
-<code class="function">lwres_gabnrequest_parse()</code>
+<TT
+CLASS="FUNCTION"
+>lwres_gabnrequest_parse()</TT
+>
 except it yields a
-<span class="type">lwres_gabnresponse_t</span>
-structure.
-</p>
-<p>
-<code class="function">lwres_gabnresponse_free()</code>
+<SPAN
+CLASS="TYPE"
+>lwres_gabnresponse_t</SPAN
+>
+structure.</P
+><P
+><TT
+CLASS="FUNCTION"
+>lwres_gabnresponse_free()</TT
+>
 and
-<code class="function">lwres_gabnrequest_free()</code>
+<TT
+CLASS="FUNCTION"
+>lwres_gabnrequest_free()</TT
+>
 release the memory in resolver context
-<em class="parameter"><code>ctx</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>ctx</I
+></TT
+>
 that was allocated to the
-<span class="type">lwres_gabnresponse_t</span>
+<SPAN
+CLASS="TYPE"
+>lwres_gabnresponse_t</SPAN
+>
 or
-<span class="type">lwres_gabnrequest_t</span>
+<SPAN
+CLASS="TYPE"
+>lwres_gabnrequest_t</SPAN
+>
 structures referenced via
-<em class="parameter"><code>structp</code></em>.
+<TT
+CLASS="PARAMETER"
+><I
+>structp</I
+></TT
+>.
 
 Any memory associated with ancillary buffers and strings for those
-structures is also discarded.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543593"></a><h2>RETURN VALUES</h2>
-<p>
-The getaddrbyname opcode functions
-<code class="function">lwres_gabnrequest_render()</code>, 
-<code class="function">lwres_gabnresponse_render()</code>
-<code class="function">lwres_gabnrequest_parse()</code>
+structures is also discarded.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN93"
+></A
+><H2
+>RETURN VALUES</H2
+><P
+>The getaddrbyname opcode functions
+<TT
+CLASS="FUNCTION"
+>lwres_gabnrequest_render()</TT
+>, 
+<TT
+CLASS="FUNCTION"
+>lwres_gabnresponse_render()</TT
+>
+<TT
+CLASS="FUNCTION"
+>lwres_gabnrequest_parse()</TT
+>
 and
-<code class="function">lwres_gabnresponse_parse()</code>
+<TT
+CLASS="FUNCTION"
+>lwres_gabnresponse_parse()</TT
+>
 all return
-<span class="errorcode">LWRES_R_SUCCESS</span>
+<SPAN
+CLASS="ERRORCODE"
+>LWRES_R_SUCCESS</SPAN
+>
 on success.
 They return
-<span class="errorcode">LWRES_R_NOMEMORY</span>
+<SPAN
+CLASS="ERRORCODE"
+>LWRES_R_NOMEMORY</SPAN
+>
 if memory allocation fails.
-<span class="errorcode">LWRES_R_UNEXPECTEDEND</span>
+<SPAN
+CLASS="ERRORCODE"
+>LWRES_R_UNEXPECTEDEND</SPAN
+>
 is returned if the available space in the buffer
-<em class="parameter"><code>b</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>b</I
+></TT
+>
 is too small to accommodate the packet header or the
-<span class="type">lwres_gabnrequest_t</span>
+<SPAN
+CLASS="TYPE"
+>lwres_gabnrequest_t</SPAN
+>
 and
-<span class="type">lwres_gabnresponse_t</span>
+<SPAN
+CLASS="TYPE"
+>lwres_gabnresponse_t</SPAN
+>
 structures.
-<code class="function">lwres_gabnrequest_parse()</code>
+<TT
+CLASS="FUNCTION"
+>lwres_gabnrequest_parse()</TT
+>
 and
-<code class="function">lwres_gabnresponse_parse()</code>
+<TT
+CLASS="FUNCTION"
+>lwres_gabnresponse_parse()</TT
+>
 will return
-<span class="errorcode">LWRES_R_UNEXPECTEDEND</span>
+<SPAN
+CLASS="ERRORCODE"
+>LWRES_R_UNEXPECTEDEND</SPAN
+>
 if the buffer is not empty after decoding the received packet.
 These functions will return
-<span class="errorcode">LWRES_R_FAILURE</span>
+<SPAN
+CLASS="ERRORCODE"
+>LWRES_R_FAILURE</SPAN
+>
 if
-<em class="structfield"><code>pktflags</code></em>
+<TT
+CLASS="STRUCTFIELD"
+><I
+>pktflags</I
+></TT
+>
 in the packet header structure
-<span class="type">lwres_lwpacket_t</span>
-indicate that the packet is not a response to an earlier query.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543658"></a><h2>SEE ALSO</h2>
-<p>
-<span class="citerefentry"><span class="refentrytitle">lwres_packet</span>(3
-)</span>
-</p>
-</div>
-</div></body>
-</html>
+<SPAN
+CLASS="TYPE"
+>lwres_lwpacket_t</SPAN
+>
+indicate that the packet is not a response to an earlier query.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN112"
+></A
+><H2
+>SEE ALSO</H2
+><P
+><SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres_packet</SPAN
+>(3)</SPAN
+></P
+></DIV
+></BODY
+></HTML
+>
diff --git a/lib/lwres/man/lwres_gai_strerror.3 b/lib/lwres/man/lwres_gai_strerror.3
index 7fa24c49..ea75066f 100644
--- a/lib/lwres/man/lwres_gai_strerror.3
+++ b/lib/lwres/man/lwres_gai_strerror.3
@@ -1,117 +1,81 @@
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\" 
+.\" Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001  Internet Software Consortium.
+.\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
 .\" copyright notice and this permission notice appear in all copies.
-.\" 
+.\"
 .\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 .\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 .\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 .\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_gai_strerror.3,v 1.13.2.9 2007/01/30 00:10:38 marka Exp $
+.\" $Id: lwres_gai_strerror.3,v 1.13.2.1.8.1 2004/03/06 07:41:43 marka Exp $
 .\"
-.hy 0
-.ad l
-.\"     Title: lwres_gai_strerror
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: Jun 30, 2000
-.\"    Manual: BIND9
-.\"    Source: BIND9
-.\"
-.TH "LWRES_GAI_STRERROR" "3" "Jun 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
+.TH "LWRES_GAI_STRERROR" "3" "Jun 30, 2000" "BIND9" ""
+.SH NAME
 gai_strerror \- print suitable error string
-.SH "SYNOPSIS"
-.nf
-#include <lwres/netdb.h>
-.fi
-.HP 20
-.BI "char * gai_strerror(int\ ecode);"
+.SH SYNOPSIS
+\fB#include <lwres/netdb.h>
+.sp
+.na
+char *
+gai_strerror(int ecode);
+.ad
+\fR
 .SH "DESCRIPTION"
 .PP
 \fBlwres_gai_strerror()\fR
 returns an error message corresponding to an error code returned by
-\fBgetaddrinfo()\fR. The following error codes and their meaning are defined in
+\fBgetaddrinfo()\fR.
+The following error codes and their meaning are defined in
 \fIinclude/lwres/netdb.h\fR.
-.PP
+.TP
 \fBEAI_ADDRFAMILY\fR
-.RS 4
 address family for hostname not supported
-.RE
-.PP
+.TP
 \fBEAI_AGAIN\fR
-.RS 4
 temporary failure in name resolution
-.RE
-.PP
+.TP
 \fBEAI_BADFLAGS\fR
-.RS 4
 invalid value for
-\fBai_flags\fR
-.RE
-.PP
+ai_flags
+.TP
 \fBEAI_FAIL\fR
-.RS 4
-non\-recoverable failure in name resolution
-.RE
-.PP
+non-recoverable failure in name resolution
+.TP
 \fBEAI_FAMILY\fR
-.RS 4
-\fBai_family\fR
-not supported
-.RE
-.PP
+ai_family not supported
+.TP
 \fBEAI_MEMORY\fR
-.RS 4
 memory allocation failure
-.RE
-.PP
+.TP
 \fBEAI_NODATA\fR
-.RS 4
 no address associated with hostname
-.RE
-.PP
+.TP
 \fBEAI_NONAME\fR
-.RS 4
 hostname or servname not provided, or not known
-.RE
-.PP
+.TP
 \fBEAI_SERVICE\fR
-.RS 4
-servname not supported for
-\fBai_socktype\fR
-.RE
-.PP
+servname not supported for ai_socktype
+.TP
 \fBEAI_SOCKTYPE\fR
-.RS 4
-\fBai_socktype\fR
-not supported
-.RE
-.PP
+ai_socktype not supported
+.TP
 \fBEAI_SYSTEM\fR
-.RS 4
 system error returned in errno
-.RE
-The message
-invalid error code
-is returned if
+.PP
+The message \fBinvalid error code\fR is returned if
 \fIecode\fR
 is out of range.
 .PP
-\fBai_flags\fR,
-\fBai_family\fR
+ai_flags,
+ai_family
 and
-\fBai_socktype\fR
+ai_socktype
 are elements of the
 \fBstruct addrinfo\fR
 used by
@@ -121,9 +85,4 @@ used by
 \fBstrerror\fR(3),
 \fBlwres_getaddrinfo\fR(3),
 \fBgetaddrinfo\fR(3),
-\fBRFC2133\fR().
-.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000, 2001 Internet Software Consortium.
-.br
+\fBRFC2133\fR.
diff --git a/lib/lwres/man/lwres_gai_strerror.docbook b/lib/lwres/man/lwres_gai_strerror.docbook
index 1c1ec4c4..475d4441 100644
--- a/lib/lwres/man/lwres_gai_strerror.docbook
+++ b/lib/lwres/man/lwres_gai_strerror.docbook
@@ -1,9 +1,7 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
 <!--
- - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001  Internet Software Consortium.
+ - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -18,7 +16,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: lwres_gai_strerror.docbook,v 1.3.2.5 2007/01/29 23:57:17 marka Exp $ -->
+<!-- $Id: lwres_gai_strerror.docbook,v 1.3.206.1 2004/03/06 08:15:38 marka Exp $ -->
 
 <refentry>
 <refentryinfo>
@@ -31,21 +29,6 @@
 <manvolnum>3</manvolnum>
 <refmiscinfo>BIND9</refmiscinfo>
 </refmeta>
-
-  <docinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2007</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
-  </docinfo>
-
 <refnamediv>
 <refname>gai_strerror</refname>
 <refpurpose>print suitable error string</refpurpose>
diff --git a/lib/lwres/man/lwres_gai_strerror.html b/lib/lwres/man/lwres_gai_strerror.html
index eaa46b6a..b2bc0fac 100644
--- a/lib/lwres/man/lwres_gai_strerror.html
+++ b/lib/lwres/man/lwres_gai_strerror.html
@@ -1,129 +1,297 @@
 <!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- - 
+ - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001  Internet Software Consortium.
+ -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
- - 
+ -
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_gai_strerror.html,v 1.5.2.16 2007/01/30 00:10:38 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>lwres_gai_strerror</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476275"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p>gai_strerror &#8212; print suitable error string</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="funcsynopsis">
-<pre class="funcsynopsisinfo">#include &lt;lwres/netdb.h&gt;</pre>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0"><tr>
-<td><code class="funcdef">
-char *
-<b class="fsfunc">gai_strerror</b>(</code></td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr></table>
-</div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543349"></a><h2>DESCRIPTION</h2>
-<p>
-<code class="function">lwres_gai_strerror()</code>
+
+<!-- $Id: lwres_gai_strerror.html,v 1.5.2.1.4.1 2004/03/06 08:15:39 marka Exp $ -->
+
+<HTML
+><HEAD
+><TITLE
+>lwres_gai_strerror</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.73
+"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+>lwres_gai_strerror</A
+></H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN8"
+></A
+><H2
+>Name</H2
+>gai_strerror&nbsp;--&nbsp;print suitable error string</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN11"
+></A
+><H2
+>Synopsis</H2
+><DIV
+CLASS="FUNCSYNOPSIS"
+><A
+NAME="AEN12"
+></A
+><P
+></P
+><PRE
+CLASS="FUNCSYNOPSISINFO"
+>#include &lt;lwres/netdb.h&gt;</PRE
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>char *
+gai_strerror</CODE
+>(int ecode);</CODE
+></P
+><P
+></P
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN18"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+><TT
+CLASS="FUNCTION"
+>lwres_gai_strerror()</TT
+>
 returns an error message corresponding to an error code returned by
-<code class="function">getaddrinfo()</code>.
+<TT
+CLASS="FUNCTION"
+>getaddrinfo()</TT
+>.
 The following error codes and their meaning are defined in
-<code class="filename">include/lwres/netdb.h</code>.
-</p>
-<div class="variablelist"><dl>
-<dt><span class="term"><span class="errorcode">EAI_ADDRFAMILY</span></span></dt>
-<dd><p>
-address family for hostname not supported
-</p></dd>
-<dt><span class="term"><span class="errorcode">EAI_AGAIN</span></span></dt>
-<dd><p>
-temporary failure in name resolution
-</p></dd>
-<dt><span class="term"><span class="errorcode">EAI_BADFLAGS</span></span></dt>
-<dd><p>
-invalid value for
-<code class="constant">ai_flags</code>
-</p></dd>
-<dt><span class="term"><span class="errorcode">EAI_FAIL</span></span></dt>
-<dd><p>
-non-recoverable failure in name resolution
-</p></dd>
-<dt><span class="term"><span class="errorcode">EAI_FAMILY</span></span></dt>
-<dd><p>
-<code class="constant">ai_family</code> not supported
-</p></dd>
-<dt><span class="term"><span class="errorcode">EAI_MEMORY</span></span></dt>
-<dd><p>
-memory allocation failure
-</p></dd>
-<dt><span class="term"><span class="errorcode">EAI_NODATA</span></span></dt>
-<dd><p>
-no address associated with hostname
-</p></dd>
-<dt><span class="term"><span class="errorcode">EAI_NONAME</span></span></dt>
-<dd><p>
-hostname or servname not provided, or not known
-</p></dd>
-<dt><span class="term"><span class="errorcode">EAI_SERVICE</span></span></dt>
-<dd><p>
-servname not supported for <code class="constant">ai_socktype</code>
-</p></dd>
-<dt><span class="term"><span class="errorcode">EAI_SOCKTYPE</span></span></dt>
-<dd><p>
-<code class="constant">ai_socktype</code> not supported
-</p></dd>
-<dt><span class="term"><span class="errorcode">EAI_SYSTEM</span></span></dt>
-<dd><p>
-system error returned in errno
-</p></dd>
-</dl></div>
-<p>
-The message <span class="errorname">invalid error code</span> is returned if
-<em class="parameter"><code>ecode</code></em>
-is out of range.
-</p>
-<p>
-<code class="constant">ai_flags</code>,
-<code class="constant">ai_family</code>
+<TT
+CLASS="FILENAME"
+>include/lwres/netdb.h</TT
+>.
+<P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><SPAN
+CLASS="ERRORCODE"
+>EAI_ADDRFAMILY</SPAN
+></DT
+><DD
+><P
+>address family for hostname not supported</P
+></DD
+><DT
+><SPAN
+CLASS="ERRORCODE"
+>EAI_AGAIN</SPAN
+></DT
+><DD
+><P
+>temporary failure in name resolution</P
+></DD
+><DT
+><SPAN
+CLASS="ERRORCODE"
+>EAI_BADFLAGS</SPAN
+></DT
+><DD
+><P
+>invalid value for
+<TT
+CLASS="CONSTANT"
+>ai_flags</TT
+></P
+></DD
+><DT
+><SPAN
+CLASS="ERRORCODE"
+>EAI_FAIL</SPAN
+></DT
+><DD
+><P
+>non-recoverable failure in name resolution</P
+></DD
+><DT
+><SPAN
+CLASS="ERRORCODE"
+>EAI_FAMILY</SPAN
+></DT
+><DD
+><P
+><TT
+CLASS="CONSTANT"
+>ai_family</TT
+> not supported</P
+></DD
+><DT
+><SPAN
+CLASS="ERRORCODE"
+>EAI_MEMORY</SPAN
+></DT
+><DD
+><P
+>memory allocation failure</P
+></DD
+><DT
+><SPAN
+CLASS="ERRORCODE"
+>EAI_NODATA</SPAN
+></DT
+><DD
+><P
+>no address associated with hostname</P
+></DD
+><DT
+><SPAN
+CLASS="ERRORCODE"
+>EAI_NONAME</SPAN
+></DT
+><DD
+><P
+>hostname or servname not provided, or not known</P
+></DD
+><DT
+><SPAN
+CLASS="ERRORCODE"
+>EAI_SERVICE</SPAN
+></DT
+><DD
+><P
+>servname not supported for <TT
+CLASS="CONSTANT"
+>ai_socktype</TT
+></P
+></DD
+><DT
+><SPAN
+CLASS="ERRORCODE"
+>EAI_SOCKTYPE</SPAN
+></DT
+><DD
+><P
+><TT
+CLASS="CONSTANT"
+>ai_socktype</TT
+> not supported</P
+></DD
+><DT
+><SPAN
+CLASS="ERRORCODE"
+>EAI_SYSTEM</SPAN
+></DT
+><DD
+><P
+>system error returned in errno</P
+></DD
+></DL
+></DIV
+>
+The message <SPAN
+CLASS="ERRORNAME"
+>invalid error code</SPAN
+> is returned if
+<TT
+CLASS="PARAMETER"
+><I
+>ecode</I
+></TT
+>
+is out of range.</P
+><P
+><TT
+CLASS="CONSTANT"
+>ai_flags</TT
+>,
+<TT
+CLASS="CONSTANT"
+>ai_family</TT
+>
 and
-<code class="constant">ai_socktype</code>
+<TT
+CLASS="CONSTANT"
+>ai_socktype</TT
+>
 are elements of the
-<span class="type">struct  addrinfo</span>
+<SPAN
+CLASS="TYPE"
+>struct  addrinfo</SPAN
+>
 used by
-<code class="function">lwres_getaddrinfo()</code>.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543546"></a><h2>SEE ALSO</h2>
-<p>
-<span class="citerefentry"><span class="refentrytitle">strerror</span>(3)</span>,
+<TT
+CLASS="FUNCTION"
+>lwres_getaddrinfo()</TT
+>.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN92"
+></A
+><H2
+>SEE ALSO</H2
+><P
+><SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>strerror</SPAN
+>(3)</SPAN
+>,
 
-<span class="citerefentry"><span class="refentrytitle">lwres_getaddrinfo</span>(3)</span>,
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres_getaddrinfo</SPAN
+>(3)</SPAN
+>,
 
-<span class="citerefentry"><span class="refentrytitle">getaddrinfo</span>(3)</span>,
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>getaddrinfo</SPAN
+>(3)</SPAN
+>,
 
-<span class="citerefentry"><span class="refentrytitle">RFC2133</span></span>.
-</p>
-</div>
-</div></body>
-</html>
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>RFC2133</SPAN
+></SPAN
+>.</P
+></DIV
+></BODY
+></HTML
+>
diff --git a/lib/lwres/man/lwres_getaddrinfo.3 b/lib/lwres/man/lwres_getaddrinfo.3
index 4a88912b..d360b3e8 100644
--- a/lib/lwres/man/lwres_getaddrinfo.3
+++ b/lib/lwres/man/lwres_getaddrinfo.3
@@ -1,49 +1,41 @@
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
-.\" 
+.\" Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001  Internet Software Consortium.
+.\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
 .\" copyright notice and this permission notice appear in all copies.
-.\" 
+.\"
 .\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 .\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 .\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 .\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_getaddrinfo.3,v 1.16.2.10 2007/01/30 00:10:38 marka Exp $
-.\"
-.hy 0
-.ad l
-.\"     Title: lwres_getaddrinfo
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: Jun 30, 2000
-.\"    Manual: BIND9
-.\"    Source: BIND9
+.\" $Id: lwres_getaddrinfo.3,v 1.16.2.1.8.2 2004/03/06 07:41:43 marka Exp $
 .\"
-.TH "LWRES_GETADDRINFO" "3" "Jun 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
+.TH "LWRES_GETADDRINFO" "3" "Jun 30, 2000" "BIND9" ""
+.SH NAME
 lwres_getaddrinfo, lwres_freeaddrinfo \- socket address structure to host and service name
-.SH "SYNOPSIS"
-.nf
-#include <lwres/netdb.h>
-.fi
-.HP 22
-.BI "int lwres_getaddrinfo(const\ char\ *hostname, const\ char\ *servname, const\ struct\ addrinfo\ *hints, struct\ addrinfo\ **res);"
-.HP 24
-.BI "void lwres_freeaddrinfo(struct\ addrinfo\ *ai);"
+.SH SYNOPSIS
+\fB#include <lwres/netdb.h>
+.sp
+.na
+int
+lwres_getaddrinfo(const char *hostname, const char *servname, const struct addrinfo *hints, struct addrinfo **res);
+.ad
+.sp
+.na
+void
+lwres_freeaddrinfo(struct addrinfo *ai);
+.ad
+\fR
 .PP
 If the operating system does not provide a
-\fBstruct addrinfo\fR, the following structure is used:
+\fBstruct addrinfo\fR,
+the following structure is used:
 .sp
-.RS 4
 .nf
 struct  addrinfo {
         int             ai_flags;       /* AI_PASSIVE, AI_CANONNAME */
@@ -55,155 +47,170 @@ struct  addrinfo {
         struct sockaddr *ai_addr;       /* binary address */
         struct addrinfo *ai_next;       /* next structure in linked list */
 };
-.fi
-.RE
 .sp
+.fi
 .SH "DESCRIPTION"
 .PP
 \fBlwres_getaddrinfo()\fR
 is used to get a list of IP addresses and port numbers for host
 \fIhostname\fR
 and service
-\fIservname\fR. The function is the lightweight resolver's implementation of
+\fIservname\fR.
+The function is the lightweight resolver's implementation of
 \fBgetaddrinfo()\fR
 as defined in RFC2133.
 \fIhostname\fR
 and
 \fIservname\fR
-are pointers to null\-terminated strings or
+are pointers to null-terminated
+strings or
 \fBNULL\fR.
 \fIhostname\fR
-is either a host name or a numeric host address string: a dotted decimal IPv4 address or an IPv6 address.
+is either a host name or a numeric host address string: a dotted decimal
+IPv4 address or an IPv6 address.
 \fIservname\fR
 is either a decimal port number or a service name as listed in
 \fI/etc/services\fR.
 .PP
 \fIhints\fR
 is an optional pointer to a
-\fBstruct addrinfo\fR. This structure can be used to provide hints concerning the type of socket that the caller supports or wishes to use. The caller can supply the following structure elements in
+\fBstruct addrinfo\fR.
+This structure can be used to provide hints concerning the type of socket
+that the caller supports or wishes to use.
+The caller can supply the following structure elements in
 \fI*hints\fR:
-.PP
-\fBai_family\fR
-.RS 4
-The protocol family that should be used. When
+.TP
 \fBai_family\fR
+The protocol family that should be used.
+When
+ai_family
 is set to
-\fBPF_UNSPEC\fR, it means the caller will accept any protocol family supported by the operating system.
-.RE
-.PP
+\fBPF_UNSPEC\fR,
+it means the caller will accept any protocol family supported by the
+operating system.
+.TP
 \fBai_socktype\fR
-.RS 4
 denotes the type of socket \(em
 \fBSOCK_STREAM\fR,
 \fBSOCK_DGRAM\fR
 or
 \fBSOCK_RAW\fR
-\(em that is wanted. When
-\fBai_socktype\fR
+\(em that is wanted.
+When
+ai_socktype
 is zero the caller will accept any socket type.
-.RE
-.PP
-\fBai_protocol\fR
-.RS 4
-indicates which transport protocol is wanted: IPPROTO_UDP or IPPROTO_TCP. If
+.TP
 \fBai_protocol\fR
+indicates which transport protocol is wanted: IPPROTO_UDP or 
+IPPROTO_TCP.
+If
+ai_protocol
 is zero the caller will accept any protocol.
-.RE
-.PP
+.TP
 \fBai_flags\fR
-.RS 4
-Flag bits. If the
+Flag bits.
+If the
 \fBAI_CANONNAME\fR
 bit is set, a successful call to
 \fBlwres_getaddrinfo()\fR
-will return a null\-terminated string containing the canonical name of the specified hostname in
-\fBai_canonname\fR
+will return a null-terminated string containing the canonical name
+of the specified hostname in
+ai_canonname
 of the first
 \fBaddrinfo\fR
-structure returned. Setting the
+structure returned.
+Setting the
 \fBAI_PASSIVE\fR
-bit indicates that the returned socket address structure is intended for used in a call to
-\fBbind\fR(2). In this case, if the hostname argument is a
+bit indicates that the returned socket address structure is intended
+for used in a call to
+\fBbind\fR(2).
+In this case, if the hostname argument is a
 \fBNULL\fR
-pointer, then the IP address portion of the socket address structure will be set to
+pointer, then the IP address portion of the socket
+address structure will be set to
 \fBINADDR_ANY\fR
 for an IPv4 address or
 \fBIN6ADDR_ANY_INIT\fR
 for an IPv6 address.
-.sp
+
 When
-\fBai_flags\fR
+ai_flags
 does not set the
 \fBAI_PASSIVE\fR
-bit, the returned socket address structure will be ready for use in a call to
-\fBconnect\fR(2 )
-for a connection\-oriented protocol or
+bit, the returned socket address structure will be ready
+for use in a call to
+\fBconnect\fR(2)
+for a connection-oriented protocol or
 \fBconnect\fR(2),
-\fBsendto\fR(2), or
-\fBsendmsg\fR(2 )
-if a connectionless protocol was chosen. The IP address portion of the socket address structure will be set to the loopback address if
+\fBsendto\fR(2),
+or
+\fBsendmsg\fR(2)
+if a connectionless protocol was chosen.
+The IP address portion of the socket address structure will be
+set to the loopback address if
 \fIhostname\fR
 is a
 \fBNULL\fR
 pointer and
 \fBAI_PASSIVE\fR
 is not set in
-\fBai_flags\fR.
-.sp
+ai_flags.
+
 If
-\fBai_flags\fR
+ai_flags
 is set to
 \fBAI_NUMERICHOST\fR
 it indicates that
 \fIhostname\fR
-should be treated as a numeric string defining an IPv4 or IPv6 address and no name resolution should be attempted.
-.RE
+should be treated as a numeric string defining an IPv4 or IPv6 address
+and no name resolution should be attempted.
 .PP
-All other elements of the
-\fBstruct addrinfo\fR
-passed via
-\fIhints\fR
-must be zero.
+All other elements of the \fBstruct addrinfo\fR passed
+via \fIhints\fR must be zero.
 .PP
-A
-\fIhints\fR
-of
-\fBNULL\fR
-is treated as if the caller provided a
-\fBstruct addrinfo\fR
-initialized to zero with
-\fBai_family\fRset to
-\fBPF_UNSPEC\fR.
+A \fIhints\fR of \fBNULL\fR is treated as if
+the caller provided a \fBstruct addrinfo\fR initialized to zero
+with ai_familyset to
+PF_UNSPEC.
 .PP
 After a successful call to
 \fBlwres_getaddrinfo()\fR,
 \fI*res\fR
 is a pointer to a linked list of one or more
 \fBaddrinfo\fR
-structures. Each
+structures.
+Each
 \fBstruct addrinfo\fR
-in this list cn be processed by following the
-\fBai_next\fR
+in this list cn be processed by following
+the
+ai_next
 pointer, until a
 \fBNULL\fR
-pointer is encountered. The three members
-\fBai_family\fR,
-\fBai_socktype\fR, and
-\fBai_protocol\fR
-in each returned
+pointer is encountered.
+The three members
+ai_family,
+ai_socktype,
+and
+ai_protocol
+in each
+returned
 \fBaddrinfo\fR
 structure contain the corresponding arguments for a call to
-\fBsocket\fR(2). For each
+\fBsocket\fR(2).
+For each
 \fBaddrinfo\fR
 structure in the list, the
-\fBai_addr\fR
-member points to a filled\-in socket address structure of length
-\fBai_addrlen\fR.
+ai_addr
+member points to a filled-in socket address structure of length
+ai_addrlen.
 .PP
 All of the information returned by
 \fBlwres_getaddrinfo()\fR
-is dynamically allocated: the addrinfo structures, and the socket address structures and canonical host name strings pointed to by the
-\fBaddrinfo\fRstructures. Memory allocated for the dynamically allocated structures created by a successful call to
+is dynamically allocated: the addrinfo structures, and the socket
+address structures and canonical host name strings pointed to by the
+addrinfostructures.
+Memory allocated for the dynamically allocated structures created by
+a successful call to
 \fBlwres_getaddrinfo()\fR
 is released by
 \fBlwres_freeaddrinfo()\fR.
@@ -216,8 +223,9 @@ created by a call to
 .PP
 \fBlwres_getaddrinfo()\fR
 returns zero on success or one of the error codes listed in
-\fBgai_strerror\fR(3 )
-if an error occurs. If both
+\fBgai_strerror\fR(3)
+if an error occurs.
+If both
 \fIhostname\fR
 and
 \fIservname\fR
@@ -225,22 +233,17 @@ are
 \fBNULL\fR
 \fBlwres_getaddrinfo()\fR
 returns
-\fBEAI_NONAME\fR.
+EAI_NONAME.
 .SH "SEE ALSO"
 .PP
 \fBlwres\fR(3),
 \fBlwres_getaddrinfo\fR(3),
 \fBlwres_freeaddrinfo\fR(3),
 \fBlwres_gai_strerror\fR(3),
-\fBRFC2133\fR(),
+\fBRFC2133\fR,
 \fBgetservbyname\fR(3),
 \fBbind\fR(2),
 \fBconnect\fR(2),
 \fBsendto\fR(2),
 \fBsendmsg\fR(2),
 \fBsocket\fR(2).
-.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000, 2001, 2003 Internet Software Consortium.
-.br
diff --git a/lib/lwres/man/lwres_getaddrinfo.docbook b/lib/lwres/man/lwres_getaddrinfo.docbook
index 1b4f0cfe..2f2fc829 100644
--- a/lib/lwres/man/lwres_getaddrinfo.docbook
+++ b/lib/lwres/man/lwres_getaddrinfo.docbook
@@ -1,9 +1,7 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
 <!--
- - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
+ - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001, 2003  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -18,7 +16,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: lwres_getaddrinfo.docbook,v 1.5.2.6 2007/01/29 23:57:17 marka Exp $ -->
+<!-- $Id: lwres_getaddrinfo.docbook,v 1.5.206.2 2004/03/06 08:15:39 marka Exp $ -->
 
 <refentry>
 
@@ -32,21 +30,6 @@
 <refmiscinfo>BIND9</refmiscinfo>
 </refmeta>
 
-  <docinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2007</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <year>2003</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
-  </docinfo>
-
 <refnamediv>
 <refname>lwres_getaddrinfo</refname>
 <refname>lwres_freeaddrinfo</refname>
diff --git a/lib/lwres/man/lwres_getaddrinfo.html b/lib/lwres/man/lwres_getaddrinfo.html
index dc9f543f..3df2afd3 100644
--- a/lib/lwres/man/lwres_getaddrinfo.html
+++ b/lib/lwres/man/lwres_getaddrinfo.html
@@ -1,78 +1,97 @@
 <!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
- - 
+ - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001, 2003  Internet Software Consortium.
+ -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
- - 
+ -
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_getaddrinfo.html,v 1.8.2.16 2007/01/30 00:10:38 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>lwres_getaddrinfo</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476275"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p>lwres_getaddrinfo, lwres_freeaddrinfo &#8212; socket address structure to host and service name</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="funcsynopsis">
-<pre class="funcsynopsisinfo">#include &lt;lwres/netdb.h&gt;</pre>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-int
-<b class="fsfunc">lwres_getaddrinfo</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0"><tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_freeaddrinfo</b>(</code></td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr></table>
-</div>
-<p>
-If the operating system does not provide a
-<span class="type">struct addrinfo</span>,
+
+<!-- $Id: lwres_getaddrinfo.html,v 1.8.2.1.4.2 2004/03/06 08:15:39 marka Exp $ -->
+
+<HTML
+><HEAD
+><TITLE
+>lwres_getaddrinfo</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.73
+"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+>lwres_getaddrinfo</A
+></H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN8"
+></A
+><H2
+>Name</H2
+>lwres_getaddrinfo, lwres_freeaddrinfo&nbsp;--&nbsp;socket address structure to host and service name</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN12"
+></A
+><H2
+>Synopsis</H2
+><DIV
+CLASS="FUNCSYNOPSIS"
+><A
+NAME="AEN13"
+></A
+><P
+></P
+><PRE
+CLASS="FUNCSYNOPSISINFO"
+>#include &lt;lwres/netdb.h&gt;</PRE
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>int
+lwres_getaddrinfo</CODE
+>(const char *hostname, const char *servname, const struct addrinfo *hints, struct addrinfo **res);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>void
+lwres_freeaddrinfo</CODE
+>(struct addrinfo *ai);</CODE
+></P
+><P
+></P
+></DIV
+><P
+>If the operating system does not provide a
+<SPAN
+CLASS="TYPE"
+>struct addrinfo</SPAN
+>,
 the following structure is used:
 
-</p>
-<pre class="programlisting">
-struct  addrinfo {
+<PRE
+CLASS="PROGRAMLISTING"
+>struct  addrinfo {
         int             ai_flags;       /* AI_PASSIVE, AI_CANONNAME */
         int             ai_family;      /* PF_xxx */
         int             ai_socktype;    /* SOCK_xxx */
@@ -81,253 +100,626 @@ struct  addrinfo {
         char            *ai_canonname;  /* canonical name for hostname */
         struct sockaddr *ai_addr;       /* binary address */
         struct addrinfo *ai_next;       /* next structure in linked list */
-};
-</pre>
-<p>
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543389"></a><h2>DESCRIPTION</h2>
-<p>
-<code class="function">lwres_getaddrinfo()</code>
+};</PRE
+></P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN29"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+><TT
+CLASS="FUNCTION"
+>lwres_getaddrinfo()</TT
+>
 is used to get a list of IP addresses and port numbers for host
-<em class="parameter"><code>hostname</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>hostname</I
+></TT
+>
 and service
-<em class="parameter"><code>servname</code></em>.
+<TT
+CLASS="PARAMETER"
+><I
+>servname</I
+></TT
+>.
 
 The function is the lightweight resolver's implementation of
-<code class="function">getaddrinfo()</code>
+<TT
+CLASS="FUNCTION"
+>getaddrinfo()</TT
+>
 as defined in RFC2133.
-<em class="parameter"><code>hostname</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>hostname</I
+></TT
+>
 and
-<em class="parameter"><code>servname</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>servname</I
+></TT
+>
 are pointers to null-terminated
 strings or
-<span class="type">NULL</span>.
+<SPAN
+CLASS="TYPE"
+>NULL</SPAN
+>.
 
-<em class="parameter"><code>hostname</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>hostname</I
+></TT
+>
 is either a host name or a numeric host address string: a dotted decimal
 IPv4 address or an IPv6 address.
-<em class="parameter"><code>servname</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>servname</I
+></TT
+>
 is either a decimal port number or a service name as listed in
-<code class="filename">/etc/services</code>.
-</p>
-<p>
-<em class="parameter"><code>hints</code></em>
+<TT
+CLASS="FILENAME"
+>/etc/services</TT
+>.</P
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>hints</I
+></TT
+>
 is an optional pointer to a
-<span class="type">struct addrinfo</span>.
+<SPAN
+CLASS="TYPE"
+>struct addrinfo</SPAN
+>.
 This structure can be used to provide hints concerning the type of socket
 that the caller supports or wishes to use.
 The caller can supply the following structure elements in
-<em class="parameter"><code>*hints</code></em>:
+<TT
+CLASS="PARAMETER"
+><I
+>*hints</I
+></TT
+>:
 
-</p>
-<div class="variablelist"><dl>
-<dt><span class="term"><code class="constant">ai_family</code></span></dt>
-<dd><p>The protocol family that should be used.
+<P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="CONSTANT"
+>ai_family</TT
+></DT
+><DD
+><P
+>The protocol family that should be used.
 When
-<code class="constant">ai_family</code>
+<TT
+CLASS="CONSTANT"
+>ai_family</TT
+>
 is set to
-<span class="type">PF_UNSPEC</span>,
+<SPAN
+CLASS="TYPE"
+>PF_UNSPEC</SPAN
+>,
 it means the caller will accept any protocol family supported by the
-operating system.
-</p></dd>
-<dt><span class="term"><code class="constant">ai_socktype</code></span></dt>
-<dd><p>
-denotes the type of socket &#8212;
-<span class="type">SOCK_STREAM</span>,
-<span class="type">SOCK_DGRAM</span>
+operating system.</P
+></DD
+><DT
+><TT
+CLASS="CONSTANT"
+>ai_socktype</TT
+></DT
+><DD
+><P
+>denotes the type of socket &mdash;
+<SPAN
+CLASS="TYPE"
+>SOCK_STREAM</SPAN
+>,
+<SPAN
+CLASS="TYPE"
+>SOCK_DGRAM</SPAN
+>
 or
-<span class="type">SOCK_RAW</span>
-&#8212; that is wanted.
+<SPAN
+CLASS="TYPE"
+>SOCK_RAW</SPAN
+>
+&mdash; that is wanted.
 When
-<code class="constant">ai_socktype</code>
-is zero the caller will accept any socket type.
-</p></dd>
-<dt><span class="term"><code class="constant">ai_protocol</code></span></dt>
-<dd><p>
-indicates which transport protocol is wanted: IPPROTO_UDP or 
+<TT
+CLASS="CONSTANT"
+>ai_socktype</TT
+>
+is zero the caller will accept any socket type.</P
+></DD
+><DT
+><TT
+CLASS="CONSTANT"
+>ai_protocol</TT
+></DT
+><DD
+><P
+>indicates which transport protocol is wanted: IPPROTO_UDP or 
 IPPROTO_TCP.
 If
-<code class="constant">ai_protocol</code>
-is zero the caller will accept any protocol.
-</p></dd>
-<dt><span class="term"><code class="constant">ai_flags</code></span></dt>
-<dd>
-<p>
-Flag bits.
+<TT
+CLASS="CONSTANT"
+>ai_protocol</TT
+>
+is zero the caller will accept any protocol.</P
+></DD
+><DT
+><TT
+CLASS="CONSTANT"
+>ai_flags</TT
+></DT
+><DD
+><P
+>Flag bits.
 If the
-<span class="type">AI_CANONNAME</span>
+<SPAN
+CLASS="TYPE"
+>AI_CANONNAME</SPAN
+>
 bit is set, a successful call to
-<code class="function">lwres_getaddrinfo()</code>
+<TT
+CLASS="FUNCTION"
+>lwres_getaddrinfo()</TT
+>
 will return a null-terminated string containing the canonical name
 of the specified hostname in
-<code class="constant">ai_canonname</code>
+<TT
+CLASS="CONSTANT"
+>ai_canonname</TT
+>
 of the first
-<span class="type">addrinfo</span>
+<SPAN
+CLASS="TYPE"
+>addrinfo</SPAN
+>
 structure returned.
 Setting the
-<span class="type">AI_PASSIVE</span>
+<SPAN
+CLASS="TYPE"
+>AI_PASSIVE</SPAN
+>
 bit indicates that the returned socket address structure is intended
 for used in a call to
-<span class="citerefentry"><span class="refentrytitle">bind</span>(2)</span>.
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>bind</SPAN
+>(2)</SPAN
+>.
 
 In this case, if the hostname argument is a
-<span class="type">NULL</span>
+<SPAN
+CLASS="TYPE"
+>NULL</SPAN
+>
 pointer, then the IP address portion of the socket
 address structure will be set to
-<span class="type">INADDR_ANY</span>
+<SPAN
+CLASS="TYPE"
+>INADDR_ANY</SPAN
+>
 for an IPv4 address or
-<span class="type">IN6ADDR_ANY_INIT</span>
-for an IPv6 address.
-</p>
-<p>
-When
-<code class="constant">ai_flags</code>
+<SPAN
+CLASS="TYPE"
+>IN6ADDR_ANY_INIT</SPAN
+>
+for an IPv6 address.</P
+><P
+>When
+<TT
+CLASS="CONSTANT"
+>ai_flags</TT
+>
 does not set the
-<span class="type">AI_PASSIVE</span>
+<SPAN
+CLASS="TYPE"
+>AI_PASSIVE</SPAN
+>
 bit, the returned socket address structure will be ready
 for use in a call to
-<span class="citerefentry"><span class="refentrytitle">connect</span>(2
-)</span>
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>connect</SPAN
+>(2)</SPAN
+>
 for a connection-oriented protocol or
-<span class="citerefentry"><span class="refentrytitle">connect</span>(2)</span>,
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>connect</SPAN
+>(2)</SPAN
+>,
 
-<span class="citerefentry"><span class="refentrytitle">sendto</span>(2)</span>,
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>sendto</SPAN
+>(2)</SPAN
+>,
 
 or
-<span class="citerefentry"><span class="refentrytitle">sendmsg</span>(2
-)</span>
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>sendmsg</SPAN
+>(2)</SPAN
+>
 if a connectionless protocol was chosen.
 The IP address portion of the socket address structure will be
 set to the loopback address if
-<em class="parameter"><code>hostname</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>hostname</I
+></TT
+>
 is a
-<span class="type">NULL</span>
+<SPAN
+CLASS="TYPE"
+>NULL</SPAN
+>
 pointer and
-<span class="type">AI_PASSIVE</span>
+<SPAN
+CLASS="TYPE"
+>AI_PASSIVE</SPAN
+>
 is not set in
-<code class="constant">ai_flags</code>.
-</p>
-<p>
-If
-<code class="constant">ai_flags</code>
+<TT
+CLASS="CONSTANT"
+>ai_flags</TT
+>.</P
+><P
+>If
+<TT
+CLASS="CONSTANT"
+>ai_flags</TT
+>
 is set to
-<span class="type">AI_NUMERICHOST</span>
+<SPAN
+CLASS="TYPE"
+>AI_NUMERICHOST</SPAN
+>
 it indicates that
-<em class="parameter"><code>hostname</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>hostname</I
+></TT
+>
 should be treated as a numeric string defining an IPv4 or IPv6 address
-and no name resolution should be attempted.
-</p>
-</dd>
-</dl></div>
-<p>
-</p>
-<p>
-All other elements of the <span class="type">struct addrinfo</span> passed
-via <em class="parameter"><code>hints</code></em> must be zero.
-</p>
-<p>
-A <em class="parameter"><code>hints</code></em> of <span class="type">NULL</span> is treated as if
-the caller provided a <span class="type">struct addrinfo</span> initialized to zero
-with <code class="constant">ai_family</code>set to
-<code class="constant">PF_UNSPEC</code>.
-</p>
-<p>
-After a successful call to
-<code class="function">lwres_getaddrinfo()</code>,
-<em class="parameter"><code>*res</code></em>
+and no name resolution should be attempted.</P
+></DD
+></DL
+></DIV
+></P
+><P
+>All other elements of the <SPAN
+CLASS="TYPE"
+>struct addrinfo</SPAN
+> passed
+via <TT
+CLASS="PARAMETER"
+><I
+>hints</I
+></TT
+> must be zero.</P
+><P
+>A <TT
+CLASS="PARAMETER"
+><I
+>hints</I
+></TT
+> of <SPAN
+CLASS="TYPE"
+>NULL</SPAN
+> is treated as if
+the caller provided a <SPAN
+CLASS="TYPE"
+>struct addrinfo</SPAN
+> initialized to zero
+with <TT
+CLASS="CONSTANT"
+>ai_family</TT
+>set to
+<TT
+CLASS="CONSTANT"
+>PF_UNSPEC</TT
+>.</P
+><P
+>After a successful call to
+<TT
+CLASS="FUNCTION"
+>lwres_getaddrinfo()</TT
+>,
+<TT
+CLASS="PARAMETER"
+><I
+>*res</I
+></TT
+>
 is a pointer to a linked list of one or more
-<span class="type">addrinfo</span>
+<SPAN
+CLASS="TYPE"
+>addrinfo</SPAN
+>
 structures.
 Each
-<span class="type">struct addrinfo</span>
+<SPAN
+CLASS="TYPE"
+>struct addrinfo</SPAN
+>
 in this list cn be processed by following
 the
-<code class="constant">ai_next</code>
+<TT
+CLASS="CONSTANT"
+>ai_next</TT
+>
 pointer, until a
-<span class="type">NULL</span>
+<SPAN
+CLASS="TYPE"
+>NULL</SPAN
+>
 pointer is encountered.
 The three members
-<code class="constant">ai_family</code>,
-<code class="constant">ai_socktype</code>,
+<TT
+CLASS="CONSTANT"
+>ai_family</TT
+>,
+<TT
+CLASS="CONSTANT"
+>ai_socktype</TT
+>,
 and
-<code class="constant">ai_protocol</code>
+<TT
+CLASS="CONSTANT"
+>ai_protocol</TT
+>
 in each
 returned
-<span class="type">addrinfo</span>
+<SPAN
+CLASS="TYPE"
+>addrinfo</SPAN
+>
 structure contain the corresponding arguments for a call to
-<span class="citerefentry"><span class="refentrytitle">socket</span>(2)</span>.
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>socket</SPAN
+>(2)</SPAN
+>.
 For each
-<span class="type">addrinfo</span>
+<SPAN
+CLASS="TYPE"
+>addrinfo</SPAN
+>
 structure in the list, the
-<code class="constant">ai_addr</code>
+<TT
+CLASS="CONSTANT"
+>ai_addr</TT
+>
 member points to a filled-in socket address structure of length
-<code class="constant">ai_addrlen</code>.
-</p>
-<p>
-All of the information returned by
-<code class="function">lwres_getaddrinfo()</code>
+<TT
+CLASS="CONSTANT"
+>ai_addrlen</TT
+>.</P
+><P
+>All of the information returned by
+<TT
+CLASS="FUNCTION"
+>lwres_getaddrinfo()</TT
+>
 is dynamically allocated: the addrinfo structures, and the socket
 address structures and canonical host name strings pointed to by the
-<code class="constant">addrinfo</code>structures.
+<TT
+CLASS="CONSTANT"
+>addrinfo</TT
+>structures.
 Memory allocated for the dynamically allocated structures created by
 a successful call to
-<code class="function">lwres_getaddrinfo()</code>
+<TT
+CLASS="FUNCTION"
+>lwres_getaddrinfo()</TT
+>
 is released by
-<code class="function">lwres_freeaddrinfo()</code>.
-<em class="parameter"><code>ai</code></em>
+<TT
+CLASS="FUNCTION"
+>lwres_freeaddrinfo()</TT
+>.
+<TT
+CLASS="PARAMETER"
+><I
+>ai</I
+></TT
+>
 is a pointer to a
-<span class="type">struct addrinfo</span>
+<SPAN
+CLASS="TYPE"
+>struct addrinfo</SPAN
+>
 created by a call to
-<code class="function">lwres_getaddrinfo()</code>.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543747"></a><h2>RETURN VALUES</h2>
-<p>
-<code class="function">lwres_getaddrinfo()</code>
+<TT
+CLASS="FUNCTION"
+>lwres_getaddrinfo()</TT
+>.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN142"
+></A
+><H2
+>RETURN VALUES</H2
+><P
+><TT
+CLASS="FUNCTION"
+>lwres_getaddrinfo()</TT
+>
 returns zero on success or one of the error codes listed in
-<span class="citerefentry"><span class="refentrytitle">gai_strerror</span>(3
-)</span>
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>gai_strerror</SPAN
+>(3)</SPAN
+>
 if an error occurs.
 If both
-<em class="parameter"><code>hostname</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>hostname</I
+></TT
+>
 and
-<em class="parameter"><code>servname</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>servname</I
+></TT
+>
 are
-<span class="type">NULL</span>
-<code class="function">lwres_getaddrinfo()</code>
+<SPAN
+CLASS="TYPE"
+>NULL</SPAN
+>
+<TT
+CLASS="FUNCTION"
+>lwres_getaddrinfo()</TT
+>
 returns
-<span class="errorcode">EAI_NONAME</span>.
-
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543785"></a><h2>SEE ALSO</h2>
-<p>
-<span class="citerefentry"><span class="refentrytitle">lwres</span>(3)</span>,
+<SPAN
+CLASS="ERRORCODE"
+>EAI_NONAME</SPAN
+>.&#13;</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN154"
+></A
+><H2
+>SEE ALSO</H2
+><P
+><SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres</SPAN
+>(3)</SPAN
+>,
 
-<span class="citerefentry"><span class="refentrytitle">lwres_getaddrinfo</span>(3)</span>,
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres_getaddrinfo</SPAN
+>(3)</SPAN
+>,
 
-<span class="citerefentry"><span class="refentrytitle">lwres_freeaddrinfo</span>(3)</span>,
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres_freeaddrinfo</SPAN
+>(3)</SPAN
+>,
 
-<span class="citerefentry"><span class="refentrytitle">lwres_gai_strerror</span>(3)</span>,
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres_gai_strerror</SPAN
+>(3)</SPAN
+>,
 
-<span class="citerefentry"><span class="refentrytitle">RFC2133</span></span>,
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>RFC2133</SPAN
+></SPAN
+>,
 
-<span class="citerefentry"><span class="refentrytitle">getservbyname</span>(3)</span>,
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>getservbyname</SPAN
+>(3)</SPAN
+>,
 
-<span class="citerefentry"><span class="refentrytitle">bind</span>(2)</span>,
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>bind</SPAN
+>(2)</SPAN
+>,
 
-<span class="citerefentry"><span class="refentrytitle">connect</span>(2)</span>,
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>connect</SPAN
+>(2)</SPAN
+>,
 
-<span class="citerefentry"><span class="refentrytitle">sendto</span>(2)</span>,
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>sendto</SPAN
+>(2)</SPAN
+>,
 
-<span class="citerefentry"><span class="refentrytitle">sendmsg</span>(2)</span>,
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>sendmsg</SPAN
+>(2)</SPAN
+>,
 
-<span class="citerefentry"><span class="refentrytitle">socket</span>(2)</span>.
-</p>
-</div>
-</div></body>
-</html>
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>socket</SPAN
+>(2)</SPAN
+>.</P
+></DIV
+></BODY
+></HTML
+>
diff --git a/lib/lwres/man/lwres_gethostent.3 b/lib/lwres/man/lwres_gethostent.3
index 55b40367..5a423479 100644
--- a/lib/lwres/man/lwres_gethostent.3
+++ b/lib/lwres/man/lwres_gethostent.3
@@ -1,72 +1,93 @@
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2001 Internet Software Consortium.
-.\" 
+.\" Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2001  Internet Software Consortium.
+.\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
 .\" copyright notice and this permission notice appear in all copies.
-.\" 
+.\"
 .\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 .\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 .\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 .\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_gethostent.3,v 1.16.2.9 2007/01/30 00:10:38 marka Exp $
+.\" $Id: lwres_gethostent.3,v 1.16.2.1.8.1 2004/03/06 07:41:43 marka Exp $
 .\"
-.hy 0
-.ad l
-.\"     Title: lwres_gethostent
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: Jun 30, 2000
-.\"    Manual: BIND9
-.\"    Source: BIND9
-.\"
-.TH "LWRES_GETHOSTENT" "3" "Jun 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
+.TH "LWRES_GETHOSTENT" "3" "Jun 30, 2000" "BIND9" ""
+.SH NAME
 lwres_gethostbyname, lwres_gethostbyname2, lwres_gethostbyaddr, lwres_gethostent, lwres_sethostent, lwres_endhostent, lwres_gethostbyname_r, lwres_gethostbyaddr_r, lwres_gethostent_r, lwres_sethostent_r, lwres_endhostent_r \- lightweight resolver get network host entry
-.SH "SYNOPSIS"
-.nf
-#include <lwres/netdb.h>
-.fi
-.HP 37
-.BI "struct hostent * lwres_gethostbyname(const\ char\ *name);"
-.HP 38
-.BI "struct hostent * lwres_gethostbyname2(const\ char\ *name, int\ af);"
-.HP 37
-.BI "struct hostent * lwres_gethostbyaddr(const\ char\ *addr, int\ len, int\ type);"
-.HP 34
-.BI "struct hostent * lwres_gethostent(void);"
-.HP 22
-.BI "void lwres_sethostent(int\ stayopen);"
-.HP 22
-.BI "void lwres_endhostent(void);"
-.HP 39
-.BI "struct hostent * lwres_gethostbyname_r(const\ char\ *name, struct\ hostent\ *resbuf, char\ *buf, int\ buflen, int\ *error);"
-.HP 39
-.BI "struct hostent * lwres_gethostbyaddr_r(const\ char\ *addr, int\ len, int\ type, struct\ hostent\ *resbuf, char\ *buf, int\ buflen, int\ *error);"
-.HP 36
-.BI "struct hostent * lwres_gethostent_r(struct\ hostent\ *resbuf, char\ *buf, int\ buflen, int\ *error);"
-.HP 24
-.BI "void lwres_sethostent_r(int\ stayopen);"
-.HP 24
-.BI "void lwres_endhostent_r(void);"
+.SH SYNOPSIS
+\fB#include <lwres/netdb.h>
+.sp
+.na
+struct hostent *
+lwres_gethostbyname(const char *name);
+.ad
+.sp
+.na
+struct hostent *
+lwres_gethostbyname2(const char *name, int af);
+.ad
+.sp
+.na
+struct hostent *
+lwres_gethostbyaddr(const char *addr, int len, int type);
+.ad
+.sp
+.na
+struct hostent *
+lwres_gethostent(void);
+.ad
+.sp
+.na
+void
+lwres_sethostent(int stayopen);
+.ad
+.sp
+.na
+void
+lwres_endhostent(void);
+.ad
+.sp
+.na
+struct hostent *
+lwres_gethostbyname_r(const char *name, struct hostent *resbuf, char *buf, int buflen, int *error);
+.ad
+.sp
+.na
+struct hostent *
+lwres_gethostbyaddr_r(const char *addr, int len, int type, struct hostent *resbuf, char *buf, int buflen, int *error);
+.ad
+.sp
+.na
+struct hostent *
+lwres_gethostent_r(struct hostent *resbuf, char *buf, int buflen, int *error);
+.ad
+.sp
+.na
+void
+lwres_sethostent_r(int stayopen);
+.ad
+.sp
+.na
+void
+lwres_endhostent_r(void);
+.ad
+\fR
 .SH "DESCRIPTION"
 .PP
-These functions provide hostname\-to\-address and address\-to\-hostname lookups by means of the lightweight resolver. They are similar to the standard
-\fBgethostent\fR(3 )
-functions provided by most operating systems. They use a
+These functions provide hostname-to-address and
+address-to-hostname lookups by means of the lightweight resolver.
+They are similar to the standard
+\fBgethostent\fR(3)
+functions provided by most operating systems.
+They use a
 \fBstruct hostent\fR
 which is usually defined in
 \fI<namedb.h>\fR.
 .sp
-.RS 4
 .nf
 struct  hostent {
         char    *h_name;        /* official name of host */
@@ -76,46 +97,35 @@ struct  hostent {
         char    **h_addr_list;  /* list of addresses from name server */
 };
 #define h_addr  h_addr_list[0]  /* address, for backward compatibility */
-.fi
-.RE
 .sp
+.fi
 .PP
 The members of this structure are:
-.PP
+.TP
 \fBh_name\fR
-.RS 4
 The official (canonical) name of the host.
-.RE
-.PP
+.TP
 \fBh_aliases\fR
-.RS 4
-A NULL\-terminated array of alternate names (nicknames) for the host.
-.RE
-.PP
+A NULL-terminated array of alternate names (nicknames) for the host.
+.TP
 \fBh_addrtype\fR
-.RS 4
 The type of address being returned \(em
 \fBPF_INET\fR
 or
 \fBPF_INET6\fR.
-.RE
-.PP
+.TP
 \fBh_length\fR
-.RS 4
 The length of the address in bytes.
-.RE
-.PP
+.TP
 \fBh_addr_list\fR
-.RS 4
-A
-\fBNULL\fR
-terminated array of network addresses for the host. Host addresses are returned in network byte order.
-.RE
+A \fBNULL\fR
+terminated array of network addresses for the host.
+Host addresses are returned in network byte order.
 .PP
 For backward compatibility with very old software,
-\fBh_addr\fR
+h_addr
 is the first address in
-\fBh_addr_list.\fR
+h_addr_list.
 .PP
 \fBlwres_gethostent()\fR,
 \fBlwres_sethostent()\fR,
@@ -124,136 +134,96 @@ is the first address in
 \fBlwres_sethostent_r()\fR
 and
 \fBlwres_endhostent_r()\fR
-provide iteration over the known host entries on systems that provide such functionality through facilities like
+provide iteration over the known host entries on systems that
+provide such functionality through facilities like
 \fI/etc/hosts\fR
-or NIS. The lightweight resolver does not currently implement these functions; it only provides them as stub functions that always return failure.
+or NIS. The lightweight resolver does not currently implement
+these functions; it only provides them as stub functions that always
+return failure.
 .PP
-\fBlwres_gethostbyname()\fR
-and
-\fBlwres_gethostbyname2()\fR
-look up the hostname
+\fBlwres_gethostbyname()\fR and
+\fBlwres_gethostbyname2()\fR look up the hostname
 \fIname\fR.
-\fBlwres_gethostbyname()\fR
-always looks for an IPv4 address while
-\fBlwres_gethostbyname2()\fR
-looks for an address of protocol family
-\fIaf\fR: either
-\fBPF_INET\fR
-or
-\fBPF_INET6\fR
-\(em IPv4 or IPV6 addresses respectively. Successful calls of the functions return a
+\fBlwres_gethostbyname()\fR always looks for an IPv4
+address while \fBlwres_gethostbyname2()\fR looks for an
+address of protocol family \fIaf\fR: either
+\fBPF_INET\fR or \fBPF_INET6\fR \(em IPv4 or IPV6
+addresses respectively. Successful calls of the functions return a
 \fBstruct hostent\fRfor the name that was looked up.
-\fBNULL\fR
-is returned if the lookups by
-\fBlwres_gethostbyname()\fR
-or
-\fBlwres_gethostbyname2()\fR
-fail.
+\fBNULL\fR is returned if the lookups by
+\fBlwres_gethostbyname()\fR or
+\fBlwres_gethostbyname2()\fR fail.
 .PP
 Reverse lookups of addresses are performed by
 \fBlwres_gethostbyaddr()\fR.
-\fIaddr\fR
-is an address of length
-\fIlen\fR
-bytes and protocol family
-\fItype\fR
-\(em
-\fBPF_INET\fR
-or
+\fIaddr\fR is an address of length
+\fIlen\fR bytes and protocol family
+\fItype\fR \(em \fBPF_INET\fR or
 \fBPF_INET6\fR.
-\fBlwres_gethostbyname_r()\fR
-is a thread\-safe function for forward lookups. If an error occurs, an error code is returned in
+\fBlwres_gethostbyname_r()\fR is a thread-safe function
+for forward lookups. If an error occurs, an error code is returned in
 \fI*error\fR.
-\fIresbuf\fR
-is a pointer to a
-\fBstruct hostent\fR
-which is initialised by a successful call to
-\fBlwres_gethostbyname_r()\fR
-.
-\fIbuf\fR
-is a buffer of length
-\fIlen\fR
-bytes which is used to store the
-\fBh_name\fR,
-\fBh_aliases\fR, and
-\fBh_addr_list\fR
-elements of the
-\fBstruct hostent\fR
-returned in
-\fIresbuf\fR. Successful calls to
-\fBlwres_gethostbyname_r()\fR
-return
-\fIresbuf\fR, which is a pointer to the
-\fBstruct hostent\fR
-it created.
+\fIresbuf\fR is a pointer to a \fBstruct
+hostent\fR which is initialised by a successful call to
+\fBlwres_gethostbyname_r()\fR .
+\fIbuf\fR is a buffer of length
+\fIlen\fR bytes which is used to store the
+h_name, h_aliases, and
+h_addr_list elements of the \fBstruct
+hostent\fR returned in \fIresbuf\fR.
+Successful calls to \fBlwres_gethostbyname_r()\fR
+return \fIresbuf\fR,
+which is a pointer to the \fBstruct hostent\fR it created.
 .PP
-\fBlwres_gethostbyaddr_r()\fR
-is a thread\-safe function that performs a reverse lookup of address
-\fIaddr\fR
-which is
-\fIlen\fR
-bytes long and is of protocol family
-\fItype\fR
-\(em
-\fBPF_INET\fR
-or
-\fBPF_INET6\fR. If an error occurs, the error code is returned in
-\fI*error\fR. The other function parameters are identical to those in
-\fBlwres_gethostbyname_r()\fR.
-\fIresbuf\fR
-is a pointer to a
-\fBstruct hostent\fR
-which is initialised by a successful call to
+\fBlwres_gethostbyaddr_r()\fR is a thread-safe function
+that performs a reverse lookup of address \fIaddr\fR
+which is \fIlen\fR bytes long and is of protocol
+family \fItype\fR \(em \fBPF_INET\fR or
+\fBPF_INET6\fR. If an error occurs, the error code is returned
+in \fI*error\fR. The other function parameters are
+identical to those in \fBlwres_gethostbyname_r()\fR.
+\fIresbuf\fR is a pointer to a \fBstruct
+hostent\fR which is initialised by a successful call to
 \fBlwres_gethostbyaddr_r()\fR.
-\fIbuf\fR
-is a buffer of length
-\fIlen\fR
-bytes which is used to store the
-\fBh_name\fR,
-\fBh_aliases\fR, and
-\fBh_addr_list\fR
-elements of the
-\fBstruct hostent\fR
-returned in
-\fIresbuf\fR. Successful calls to
-\fBlwres_gethostbyaddr_r()\fR
-return
+\fIbuf\fR is a buffer of length
+\fIlen\fR bytes which is used to store the
+h_name, h_aliases, and
+h_addr_list elements of the \fBstruct
+hostent\fR returned in \fIresbuf\fR. Successful
+calls to \fBlwres_gethostbyaddr_r()\fR return
 \fIresbuf\fR, which is a pointer to the
-\fBstruct hostent()\fR
-it created.
+\fBstruct hostent()\fR it created.
 .SH "RETURN VALUES"
 .PP
 The functions
 \fBlwres_gethostbyname()\fR,
 \fBlwres_gethostbyname2()\fR,
-\fBlwres_gethostbyaddr()\fR, and
+\fBlwres_gethostbyaddr()\fR,
+and
 \fBlwres_gethostent()\fR
 return NULL to indicate an error. In this case the global variable
 \fBlwres_h_errno\fR
 will contain one of the following error codes defined in
 \fI<lwres/netdb.h>\fR:
-.PP
+.TP
 \fBHOST_NOT_FOUND\fR
-.RS 4
 The host or address was not found.
-.RE
-.PP
+.TP
 \fBTRY_AGAIN\fR
-.RS 4
-A recoverable error occurred, e.g., a timeout. Retrying the lookup may succeed.
-.RE
-.PP
+A recoverable error occurred, e.g., a timeout.
+Retrying the lookup may succeed.
+.TP
 \fBNO_RECOVERY\fR
-.RS 4
-A non\-recoverable error occurred.
-.RE
-.PP
+A non-recoverable error occurred.
+.TP
 \fBNO_DATA\fR
-.RS 4
-The name exists, but has no address information associated with it (or vice versa in the case of a reverse lookup). The code NO_ADDRESS is accepted as a synonym for NO_DATA for backwards compatibility.
-.RE
+The name exists, but has no address information
+associated with it (or vice versa in the case
+of a reverse lookup). The code NO_ADDRESS
+is accepted as a synonym for NO_DATA for backwards
+compatibility.
 .PP
-\fBlwres_hstrerror\fR(3 )
+\fBlwres_hstrerror\fR(3)
 translates these error codes to suitable error messages.
 .PP
 \fBlwres_gethostent()\fR
@@ -262,37 +232,23 @@ and
 always return
 \fBNULL\fR.
 .PP
-Successful calls to
-\fBlwres_gethostbyname_r()\fR
-and
-\fBlwres_gethostbyaddr_r()\fR
-return
-\fIresbuf\fR, a pointer to the
-\fBstruct hostent\fR
-that was initialised by these functions. They return
-\fBNULL\fR
-if the lookups fail or if
-\fIbuf\fR
-was too small to hold the list of addresses and names referenced by the
-\fBh_name\fR,
-\fBh_aliases\fR, and
-\fBh_addr_list\fR
-elements of the
-\fBstruct hostent\fR. If
-\fIbuf\fR
-was too small, both
-\fBlwres_gethostbyname_r()\fR
-and
-\fBlwres_gethostbyaddr_r()\fR
-set the global variable
-\fBerrno\fR
-to
-\fBERANGE\fR.
+Successful calls to \fBlwres_gethostbyname_r()\fR and
+\fBlwres_gethostbyaddr_r()\fR return
+\fIresbuf\fR, a pointer to the \fBstruct
+hostent\fR that was initialised by these functions. They return
+\fBNULL\fR if the lookups fail or if \fIbuf\fR
+was too small to hold the list of addresses and names referenced by
+the h_name, h_aliases, and
+h_addr_list elements of the \fBstruct
+hostent\fR. If \fIbuf\fR was too small, both
+\fBlwres_gethostbyname_r()\fR and
+\fBlwres_gethostbyaddr_r()\fR set the global variable
+\fBerrno\fR to ERANGE.
 .SH "SEE ALSO"
 .PP
 \fBgethostent\fR(3),
 \fBlwres_getipnode\fR(3),
-\fBlwres_hstrerror\fR(3 )
+\fBlwres_hstrerror\fR(3)
 .SH "BUGS"
 .PP
 \fBlwres_gethostbyname()\fR,
@@ -300,17 +256,17 @@ to
 \fBlwres_gethostbyaddr()\fR
 and
 \fBlwres_endhostent()\fR
-are not thread safe; they return pointers to static data and provide error codes through a global variable. Thread\-safe versions for name and address lookup are provided by
-\fBlwres_gethostbyname_r()\fR, and
+are not thread safe; they return pointers to static data and 
+provide error codes through a global variable.
+Thread-safe versions for name and address lookup are provided by
+\fBlwres_gethostbyname_r()\fR,
+and
 \fBlwres_gethostbyaddr_r()\fR
 respectively.
 .PP
-The resolver daemon does not currently support any non\-DNS name services such as
+The resolver daemon does not currently support any non-DNS
+name services such as 
 \fI/etc/hosts\fR
 or
-\fBNIS\fR, consequently the above functions don't, either.
-.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2001 Internet Software Consortium.
-.br
+\fBNIS\fR,
+consequently the above functions don't, either.
diff --git a/lib/lwres/man/lwres_gethostent.docbook b/lib/lwres/man/lwres_gethostent.docbook
index 835cdd43..10324c31 100644
--- a/lib/lwres/man/lwres_gethostent.docbook
+++ b/lib/lwres/man/lwres_gethostent.docbook
@@ -1,8 +1,6 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
 <!--
- - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2001  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and distribute this software for any
@@ -18,7 +16,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: lwres_gethostent.docbook,v 1.5.2.5 2007/01/29 23:57:17 marka Exp $ -->
+<!-- $Id: lwres_gethostent.docbook,v 1.5.206.1 2004/03/06 08:15:39 marka Exp $ -->
 
 <refentry>
 
@@ -32,19 +30,6 @@
 <refmiscinfo>BIND9</refmiscinfo>
 </refmeta>
 
-  <docinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2007</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-    <copyright>
-      <year>2001</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
-  </docinfo>
-
 <refnamediv>
 <refname>lwres_gethostbyname</refname>
 <refname>lwres_gethostbyname2</refname>
diff --git a/lib/lwres/man/lwres_gethostent.html b/lib/lwres/man/lwres_gethostent.html
index 0ccba972..b132bee3 100644
--- a/lib/lwres/man/lwres_gethostent.html
+++ b/lib/lwres/man/lwres_gethostent.html
@@ -1,455 +1,830 @@
 <!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2001 Internet Software Consortium.
- - 
+ - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001  Internet Software Consortium.
+ -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
- - 
+ -
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_gethostent.html,v 1.8.2.14 2007/01/30 00:10:38 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>lwres_gethostent</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476275"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p>lwres_gethostbyname, lwres_gethostbyname2, lwres_gethostbyaddr, lwres_gethostent, lwres_sethostent, lwres_endhostent, lwres_gethostbyname_r, lwres_gethostbyaddr_r, lwres_gethostent_r, lwres_sethostent_r, lwres_endhostent_r &#8212; lightweight resolver get network host entry</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="funcsynopsis">
-<pre class="funcsynopsisinfo">#include &lt;lwres/netdb.h&gt;</pre>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
-<td><code class="funcdef">
-struct hostent *
-<b class="fsfunc">lwres_gethostbyname</b>(</code></td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr></table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-struct hostent *
-<b class="fsfunc">lwres_gethostbyname2</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-struct hostent *
-<b class="fsfunc">lwres_gethostbyaddr</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
-<td><code class="funcdef">
-struct hostent *
-<b class="fsfunc">lwres_gethostent</b>(</code></td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr></table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_sethostent</b>(</code></td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr></table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_endhostent</b>(</code></td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr></table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-struct hostent *
-<b class="fsfunc">lwres_gethostbyname_r</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-struct hostent  *
-<b class="fsfunc">lwres_gethostbyaddr_r</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-struct hostent  *
-<b class="fsfunc">lwres_gethostent_r</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_sethostent_r</b>(</code></td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr></table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0"><tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_endhostent_r</b>(</code></td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr></table>
-</div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543547"></a><h2>DESCRIPTION</h2>
-<p>
-These functions provide hostname-to-address and
+
+<!-- $Id: lwres_gethostent.html,v 1.8.2.1.4.1 2004/03/06 08:15:39 marka Exp $ -->
+
+<HTML
+><HEAD
+><TITLE
+>lwres_gethostent</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.73
+"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+>lwres_gethostent</A
+></H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN8"
+></A
+><H2
+>Name</H2
+>lwres_gethostbyname, lwres_gethostbyname2, lwres_gethostbyaddr, lwres_gethostent, lwres_sethostent, lwres_endhostent, lwres_gethostbyname_r, lwres_gethostbyaddr_r, lwres_gethostent_r, lwres_sethostent_r, lwres_endhostent_r&nbsp;--&nbsp;lightweight resolver get network host entry</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN21"
+></A
+><H2
+>Synopsis</H2
+><DIV
+CLASS="FUNCSYNOPSIS"
+><A
+NAME="AEN22"
+></A
+><P
+></P
+><PRE
+CLASS="FUNCSYNOPSISINFO"
+>#include &lt;lwres/netdb.h&gt;</PRE
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>struct hostent *
+lwres_gethostbyname</CODE
+>(const char *name);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>struct hostent *
+lwres_gethostbyname2</CODE
+>(const char *name, int af);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>struct hostent *
+lwres_gethostbyaddr</CODE
+>(const char *addr, int len, int type);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>struct hostent *
+lwres_gethostent</CODE
+>(void);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>void
+lwres_sethostent</CODE
+>(int stayopen);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>void
+lwres_endhostent</CODE
+>(void);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>struct hostent *
+lwres_gethostbyname_r</CODE
+>(const char *name, struct hostent *resbuf, char *buf, int buflen, int *error);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>struct hostent  *
+lwres_gethostbyaddr_r</CODE
+>(const char *addr, int len, int type, struct hostent *resbuf, char *buf, int buflen, int *error);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>struct hostent  *
+lwres_gethostent_r</CODE
+>(struct hostent *resbuf, char *buf, int buflen, int *error);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>void
+lwres_sethostent_r</CODE
+>(int stayopen);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>void
+lwres_endhostent_r</CODE
+>(void);</CODE
+></P
+><P
+></P
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN84"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+>These functions provide hostname-to-address and
 address-to-hostname lookups by means of the lightweight resolver.
 They are similar to the standard
-<span class="citerefentry"><span class="refentrytitle">gethostent</span>(3
-)</span>
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>gethostent</SPAN
+>(3)</SPAN
+>
 functions provided by most operating systems.
 They use a
-<span class="type">struct hostent</span>
+<SPAN
+CLASS="TYPE"
+>struct hostent</SPAN
+>
 which is usually defined in
-<code class="filename">&lt;namedb.h&gt;</code>.
+<TT
+CLASS="FILENAME"
+>&lt;namedb.h&gt;</TT
+>.
 
-</p>
-<pre class="programlisting">
-struct  hostent {
+<PRE
+CLASS="PROGRAMLISTING"
+>struct  hostent {
         char    *h_name;        /* official name of host */
         char    **h_aliases;    /* alias list */
         int     h_addrtype;     /* host address type */
         int     h_length;       /* length of address */
         char    **h_addr_list;  /* list of addresses from name server */
 };
-#define h_addr  h_addr_list[0]  /* address, for backward compatibility */
-</pre>
-<p>
-</p>
-<p>
-The members of this structure are:
-</p>
-<div class="variablelist"><dl>
-<dt><span class="term"><code class="constant">h_name</code></span></dt>
-<dd><p>
-The official (canonical) name of the host.
-</p></dd>
-<dt><span class="term"><code class="constant">h_aliases</code></span></dt>
-<dd><p>
-A NULL-terminated array of alternate names (nicknames) for the host.
-</p></dd>
-<dt><span class="term"><code class="constant">h_addrtype</code></span></dt>
-<dd><p>
-The type of address being returned &#8212;
-<span class="type">PF_INET</span>
+#define h_addr  h_addr_list[0]  /* address, for backward compatibility */</PRE
+></P
+><P
+>The members of this structure are:
+<P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="CONSTANT"
+>h_name</TT
+></DT
+><DD
+><P
+>The official (canonical) name of the host.</P
+></DD
+><DT
+><TT
+CLASS="CONSTANT"
+>h_aliases</TT
+></DT
+><DD
+><P
+>A NULL-terminated array of alternate names (nicknames) for the host.</P
+></DD
+><DT
+><TT
+CLASS="CONSTANT"
+>h_addrtype</TT
+></DT
+><DD
+><P
+>The type of address being returned &mdash;
+<SPAN
+CLASS="TYPE"
+>PF_INET</SPAN
+>
 or
-<span class="type">PF_INET6</span>.
-</p></dd>
-<dt><span class="term"><code class="constant">h_length</code></span></dt>
-<dd><p>
-The length of the address in bytes.
-</p></dd>
-<dt><span class="term"><code class="constant">h_addr_list</code></span></dt>
-<dd><p>
-A <span class="type">NULL</span>
+<SPAN
+CLASS="TYPE"
+>PF_INET6</SPAN
+>.</P
+></DD
+><DT
+><TT
+CLASS="CONSTANT"
+>h_length</TT
+></DT
+><DD
+><P
+>The length of the address in bytes.</P
+></DD
+><DT
+><TT
+CLASS="CONSTANT"
+>h_addr_list</TT
+></DT
+><DD
+><P
+>A <SPAN
+CLASS="TYPE"
+>NULL</SPAN
+>
 terminated array of network addresses for the host.
-Host addresses are returned in network byte order.
-</p></dd>
-</dl></div>
-<p>
-</p>
-<p>
-For backward compatibility with very old software,
-<code class="constant">h_addr</code>
+Host addresses are returned in network byte order.</P
+></DD
+></DL
+></DIV
+></P
+><P
+>For backward compatibility with very old software,
+<TT
+CLASS="CONSTANT"
+>h_addr</TT
+>
 is the first address in
-<code class="constant">h_addr_list.</code>
-</p>
-<p>
-<code class="function">lwres_gethostent()</code>,
-<code class="function">lwres_sethostent()</code>,
-<code class="function">lwres_endhostent()</code>,
-<code class="function">lwres_gethostent_r()</code>,
-<code class="function">lwres_sethostent_r()</code>
+<TT
+CLASS="CONSTANT"
+>h_addr_list.</TT
+></P
+><P
+><TT
+CLASS="FUNCTION"
+>lwres_gethostent()</TT
+>,
+<TT
+CLASS="FUNCTION"
+>lwres_sethostent()</TT
+>,
+<TT
+CLASS="FUNCTION"
+>lwres_endhostent()</TT
+>,
+<TT
+CLASS="FUNCTION"
+>lwres_gethostent_r()</TT
+>,
+<TT
+CLASS="FUNCTION"
+>lwres_sethostent_r()</TT
+>
 and
-<code class="function">lwres_endhostent_r()</code>
+<TT
+CLASS="FUNCTION"
+>lwres_endhostent_r()</TT
+>
 provide iteration over the known host entries on systems that
 provide such functionality through facilities like
-<code class="filename">/etc/hosts</code>
+<TT
+CLASS="FILENAME"
+>/etc/hosts</TT
+>
 or NIS.  The lightweight resolver does not currently implement
 these functions; it only provides them as stub functions that always
-return failure.
-</p>
-<p>
-<code class="function">lwres_gethostbyname()</code> and
-<code class="function">lwres_gethostbyname2()</code> look up the hostname
-<em class="parameter"><code>name</code></em>.
-<code class="function">lwres_gethostbyname()</code> always looks for an IPv4
-address while <code class="function">lwres_gethostbyname2()</code> looks for an
-address of protocol family <em class="parameter"><code>af</code></em>: either
-<span class="type">PF_INET</span> or <span class="type">PF_INET6</span> &#8212; IPv4 or IPV6
+return failure.</P
+><P
+><TT
+CLASS="FUNCTION"
+>lwres_gethostbyname()</TT
+> and
+<TT
+CLASS="FUNCTION"
+>lwres_gethostbyname2()</TT
+> look up the hostname
+<TT
+CLASS="PARAMETER"
+><I
+>name</I
+></TT
+>.
+<TT
+CLASS="FUNCTION"
+>lwres_gethostbyname()</TT
+> always looks for an IPv4
+address while <TT
+CLASS="FUNCTION"
+>lwres_gethostbyname2()</TT
+> looks for an
+address of protocol family <TT
+CLASS="PARAMETER"
+><I
+>af</I
+></TT
+>: either
+<SPAN
+CLASS="TYPE"
+>PF_INET</SPAN
+> or <SPAN
+CLASS="TYPE"
+>PF_INET6</SPAN
+> &mdash; IPv4 or IPV6
 addresses respectively.  Successful calls of the functions return a
-<span class="type">struct hostent</span>for the name that was looked up.
-<span class="type">NULL</span> is returned if the lookups by
-<code class="function">lwres_gethostbyname()</code> or
-<code class="function">lwres_gethostbyname2()</code> fail.
-</p>
-<p>
-Reverse lookups of addresses are performed by
-<code class="function">lwres_gethostbyaddr()</code>.
-<em class="parameter"><code>addr</code></em> is an address of length
-<em class="parameter"><code>len</code></em> bytes and protocol family
-<em class="parameter"><code>type</code></em> &#8212; <span class="type">PF_INET</span> or
-<span class="type">PF_INET6</span>.
-<code class="function">lwres_gethostbyname_r()</code> is a thread-safe function
+<SPAN
+CLASS="TYPE"
+>struct hostent</SPAN
+>for the name that was looked up.
+<SPAN
+CLASS="TYPE"
+>NULL</SPAN
+> is returned if the lookups by
+<TT
+CLASS="FUNCTION"
+>lwres_gethostbyname()</TT
+> or
+<TT
+CLASS="FUNCTION"
+>lwres_gethostbyname2()</TT
+> fail.</P
+><P
+>Reverse lookups of addresses are performed by
+<TT
+CLASS="FUNCTION"
+>lwres_gethostbyaddr()</TT
+>.
+<TT
+CLASS="PARAMETER"
+><I
+>addr</I
+></TT
+> is an address of length
+<TT
+CLASS="PARAMETER"
+><I
+>len</I
+></TT
+> bytes and protocol family
+<TT
+CLASS="PARAMETER"
+><I
+>type</I
+></TT
+> &mdash; <SPAN
+CLASS="TYPE"
+>PF_INET</SPAN
+> or
+<SPAN
+CLASS="TYPE"
+>PF_INET6</SPAN
+>.
+<TT
+CLASS="FUNCTION"
+>lwres_gethostbyname_r()</TT
+> is a thread-safe function
 for forward lookups.  If an error occurs, an error code is returned in
-<em class="parameter"><code>*error</code></em>.
-<em class="parameter"><code>resbuf</code></em> is a pointer to a <span class="type">struct
-hostent</span> which is initialised by a successful call to
-<code class="function">lwres_gethostbyname_r()</code> .
-<em class="parameter"><code>buf</code></em> is a buffer of length
-<em class="parameter"><code>len</code></em> bytes which is used to store the
-<code class="constant">h_name</code>, <code class="constant">h_aliases</code>, and
-<code class="constant">h_addr_list</code> elements of the <span class="type">struct
-hostent</span> returned in <em class="parameter"><code>resbuf</code></em>.
-Successful calls to <code class="function">lwres_gethostbyname_r()</code>
-return <em class="parameter"><code>resbuf</code></em>,
-which is a pointer to the <span class="type">struct hostent</span> it created.
-</p>
-<p>
-<code class="function">lwres_gethostbyaddr_r()</code> is a thread-safe function
-that performs a reverse lookup of address <em class="parameter"><code>addr</code></em>
-which is <em class="parameter"><code>len</code></em> bytes long and is of protocol
-family <em class="parameter"><code>type</code></em> &#8212; <span class="type">PF_INET</span> or
-<span class="type">PF_INET6</span>.  If an error occurs, the error code is returned
-in <em class="parameter"><code>*error</code></em>.  The other function parameters are
-identical to those in <code class="function">lwres_gethostbyname_r()</code>.
-<em class="parameter"><code>resbuf</code></em> is a pointer to a <span class="type">struct
-hostent</span> which is initialised by a successful call to
-<code class="function">lwres_gethostbyaddr_r()</code>.
-<em class="parameter"><code>buf</code></em> is a buffer of length
-<em class="parameter"><code>len</code></em> bytes which is used to store the
-<code class="constant">h_name</code>, <code class="constant">h_aliases</code>, and
-<code class="constant">h_addr_list</code> elements of the <span class="type">struct
-hostent</span> returned in <em class="parameter"><code>resbuf</code></em>.  Successful
-calls to <code class="function">lwres_gethostbyaddr_r()</code> return
-<em class="parameter"><code>resbuf</code></em>, which is a pointer to the
-<code class="function">struct hostent()</code> it created.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543886"></a><h2>RETURN VALUES</h2>
-<p>
-The functions
-<code class="function">lwres_gethostbyname()</code>,
-<code class="function">lwres_gethostbyname2()</code>,
-<code class="function">lwres_gethostbyaddr()</code>,
+<TT
+CLASS="PARAMETER"
+><I
+>*error</I
+></TT
+>.
+<TT
+CLASS="PARAMETER"
+><I
+>resbuf</I
+></TT
+> is a pointer to a <SPAN
+CLASS="TYPE"
+>struct
+hostent</SPAN
+> which is initialised by a successful call to
+<TT
+CLASS="FUNCTION"
+>lwres_gethostbyname_r()</TT
+> .
+<TT
+CLASS="PARAMETER"
+><I
+>buf</I
+></TT
+> is a buffer of length
+<TT
+CLASS="PARAMETER"
+><I
+>len</I
+></TT
+> bytes which is used to store the
+<TT
+CLASS="CONSTANT"
+>h_name</TT
+>, <TT
+CLASS="CONSTANT"
+>h_aliases</TT
+>, and
+<TT
+CLASS="CONSTANT"
+>h_addr_list</TT
+> elements of the <SPAN
+CLASS="TYPE"
+>struct
+hostent</SPAN
+> returned in <TT
+CLASS="PARAMETER"
+><I
+>resbuf</I
+></TT
+>.
+Successful calls to <TT
+CLASS="FUNCTION"
+>lwres_gethostbyname_r()</TT
+>
+return <TT
+CLASS="PARAMETER"
+><I
+>resbuf</I
+></TT
+>,
+which is a pointer to the <SPAN
+CLASS="TYPE"
+>struct hostent</SPAN
+> it created.</P
+><P
+><TT
+CLASS="FUNCTION"
+>lwres_gethostbyaddr_r()</TT
+> is a thread-safe function
+that performs a reverse lookup of address <TT
+CLASS="PARAMETER"
+><I
+>addr</I
+></TT
+>
+which is <TT
+CLASS="PARAMETER"
+><I
+>len</I
+></TT
+> bytes long and is of protocol
+family <TT
+CLASS="PARAMETER"
+><I
+>type</I
+></TT
+> &mdash; <SPAN
+CLASS="TYPE"
+>PF_INET</SPAN
+> or
+<SPAN
+CLASS="TYPE"
+>PF_INET6</SPAN
+>.  If an error occurs, the error code is returned
+in <TT
+CLASS="PARAMETER"
+><I
+>*error</I
+></TT
+>.  The other function parameters are
+identical to those in <TT
+CLASS="FUNCTION"
+>lwres_gethostbyname_r()</TT
+>.
+<TT
+CLASS="PARAMETER"
+><I
+>resbuf</I
+></TT
+> is a pointer to a <SPAN
+CLASS="TYPE"
+>struct
+hostent</SPAN
+> which is initialised by a successful call to
+<TT
+CLASS="FUNCTION"
+>lwres_gethostbyaddr_r()</TT
+>.
+<TT
+CLASS="PARAMETER"
+><I
+>buf</I
+></TT
+> is a buffer of length
+<TT
+CLASS="PARAMETER"
+><I
+>len</I
+></TT
+> bytes which is used to store the
+<TT
+CLASS="CONSTANT"
+>h_name</TT
+>, <TT
+CLASS="CONSTANT"
+>h_aliases</TT
+>, and
+<TT
+CLASS="CONSTANT"
+>h_addr_list</TT
+> elements of the <SPAN
+CLASS="TYPE"
+>struct
+hostent</SPAN
+> returned in <TT
+CLASS="PARAMETER"
+><I
+>resbuf</I
+></TT
+>.  Successful
+calls to <TT
+CLASS="FUNCTION"
+>lwres_gethostbyaddr_r()</TT
+> return
+<TT
+CLASS="PARAMETER"
+><I
+>resbuf</I
+></TT
+>, which is a pointer to the
+<TT
+CLASS="FUNCTION"
+>struct hostent()</TT
+> it created.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN191"
+></A
+><H2
+>RETURN VALUES</H2
+><P
+>The functions
+<TT
+CLASS="FUNCTION"
+>lwres_gethostbyname()</TT
+>,
+<TT
+CLASS="FUNCTION"
+>lwres_gethostbyname2()</TT
+>,
+<TT
+CLASS="FUNCTION"
+>lwres_gethostbyaddr()</TT
+>,
 and
-<code class="function">lwres_gethostent()</code>
+<TT
+CLASS="FUNCTION"
+>lwres_gethostent()</TT
+>
 return NULL to indicate an error.  In this case the global variable
-<span class="type">lwres_h_errno</span>
+<SPAN
+CLASS="TYPE"
+>lwres_h_errno</SPAN
+>
 will contain one of the following error codes defined in
-<code class="filename">&lt;lwres/netdb.h&gt;</code>:
+<TT
+CLASS="FILENAME"
+>&lt;lwres/netdb.h&gt;</TT
+>:
 
-</p>
-<div class="variablelist"><dl>
-<dt><span class="term"><code class="constant">HOST_NOT_FOUND</code></span></dt>
-<dd><p>
-The host or address was not found.
-</p></dd>
-<dt><span class="term"><code class="constant">TRY_AGAIN</code></span></dt>
-<dd><p>
-A recoverable error occurred, e.g., a timeout.
-Retrying the lookup may succeed.
-</p></dd>
-<dt><span class="term"><code class="constant">NO_RECOVERY</code></span></dt>
-<dd><p>
-A non-recoverable error occurred.
-</p></dd>
-<dt><span class="term"><code class="constant">NO_DATA</code></span></dt>
-<dd><p>
-The name exists, but has no address information
+<P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="CONSTANT"
+>HOST_NOT_FOUND</TT
+></DT
+><DD
+><P
+>The host or address was not found.</P
+></DD
+><DT
+><TT
+CLASS="CONSTANT"
+>TRY_AGAIN</TT
+></DT
+><DD
+><P
+>A recoverable error occurred, e.g., a timeout.
+Retrying the lookup may succeed.</P
+></DD
+><DT
+><TT
+CLASS="CONSTANT"
+>NO_RECOVERY</TT
+></DT
+><DD
+><P
+>A non-recoverable error occurred.</P
+></DD
+><DT
+><TT
+CLASS="CONSTANT"
+>NO_DATA</TT
+></DT
+><DD
+><P
+>The name exists, but has no address information
 associated with it (or vice versa in the case
 of a reverse lookup).  The code NO_ADDRESS
 is accepted as a synonym for NO_DATA for backwards
-compatibility.
-</p></dd>
-</dl></div>
-<p>
-</p>
-<p>
-<span class="citerefentry"><span class="refentrytitle">lwres_hstrerror</span>(3
-)</span>
-translates these error codes to suitable error messages.
-</p>
-<p>
-<code class="function">lwres_gethostent()</code>
+compatibility.</P
+></DD
+></DL
+></DIV
+></P
+><P
+><SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres_hstrerror</SPAN
+>(3)</SPAN
+>
+translates these error codes to suitable error messages.</P
+><P
+><TT
+CLASS="FUNCTION"
+>lwres_gethostent()</TT
+>
 and
-<code class="function">lwres_gethostent_r()</code>
+<TT
+CLASS="FUNCTION"
+>lwres_gethostent_r()</TT
+>
 always return
-<span class="type">NULL</span>.
-</p>
-<p>
-Successful calls to <code class="function">lwres_gethostbyname_r()</code> and
-<code class="function">lwres_gethostbyaddr_r()</code> return
-<em class="parameter"><code>resbuf</code></em>, a pointer to the <span class="type">struct
-hostent</span> that was initialised by these functions.  They return
-<span class="type">NULL</span> if the lookups fail or if <em class="parameter"><code>buf</code></em>
+<SPAN
+CLASS="TYPE"
+>NULL</SPAN
+>.</P
+><P
+>Successful calls to <TT
+CLASS="FUNCTION"
+>lwres_gethostbyname_r()</TT
+> and
+<TT
+CLASS="FUNCTION"
+>lwres_gethostbyaddr_r()</TT
+> return
+<TT
+CLASS="PARAMETER"
+><I
+>resbuf</I
+></TT
+>, a pointer to the <SPAN
+CLASS="TYPE"
+>struct
+hostent</SPAN
+> that was initialised by these functions.  They return
+<SPAN
+CLASS="TYPE"
+>NULL</SPAN
+> if the lookups fail or if <TT
+CLASS="PARAMETER"
+><I
+>buf</I
+></TT
+>
 was too small to hold the list of addresses and names referenced by
-the <code class="constant">h_name</code>, <code class="constant">h_aliases</code>, and
-<code class="constant">h_addr_list</code> elements of the <span class="type">struct
-hostent</span>.  If <em class="parameter"><code>buf</code></em> was too small, both
-<code class="function">lwres_gethostbyname_r()</code> and
-<code class="function">lwres_gethostbyaddr_r()</code> set the global variable
-<span class="type">errno</span> to <span class="errorcode">ERANGE</span>.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2544046"></a><h2>SEE ALSO</h2>
-<p>
-<span class="citerefentry"><span class="refentrytitle">gethostent</span>(3)</span>,
+the <TT
+CLASS="CONSTANT"
+>h_name</TT
+>, <TT
+CLASS="CONSTANT"
+>h_aliases</TT
+>, and
+<TT
+CLASS="CONSTANT"
+>h_addr_list</TT
+> elements of the <SPAN
+CLASS="TYPE"
+>struct
+hostent</SPAN
+>.  If <TT
+CLASS="PARAMETER"
+><I
+>buf</I
+></TT
+> was too small, both
+<TT
+CLASS="FUNCTION"
+>lwres_gethostbyname_r()</TT
+> and
+<TT
+CLASS="FUNCTION"
+>lwres_gethostbyaddr_r()</TT
+> set the global variable
+<SPAN
+CLASS="TYPE"
+>errno</SPAN
+> to <SPAN
+CLASS="ERRORCODE"
+>ERANGE</SPAN
+>.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN245"
+></A
+><H2
+>SEE ALSO</H2
+><P
+><SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>gethostent</SPAN
+>(3)</SPAN
+>,
 
-<span class="citerefentry"><span class="refentrytitle">lwres_getipnode</span>(3)</span>,
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres_getipnode</SPAN
+>(3)</SPAN
+>,
 
-<span class="citerefentry"><span class="refentrytitle">lwres_hstrerror</span>(3
-)</span>
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2544082"></a><h2>BUGS</h2>
-<p>
-<code class="function">lwres_gethostbyname()</code>,
-<code class="function">lwres_gethostbyname2()</code>,
-<code class="function">lwres_gethostbyaddr()</code>
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres_hstrerror</SPAN
+>(3)</SPAN
+></P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN257"
+></A
+><H2
+>BUGS</H2
+><P
+><TT
+CLASS="FUNCTION"
+>lwres_gethostbyname()</TT
+>,
+<TT
+CLASS="FUNCTION"
+>lwres_gethostbyname2()</TT
+>,
+<TT
+CLASS="FUNCTION"
+>lwres_gethostbyaddr()</TT
+>
 and
-<code class="function">lwres_endhostent()</code>
+<TT
+CLASS="FUNCTION"
+>lwres_endhostent()</TT
+>
 are not thread safe; they return pointers to static data and 
 provide error codes through a global variable.
 Thread-safe versions for name and address lookup are provided by
-<code class="function">lwres_gethostbyname_r()</code>,
+<TT
+CLASS="FUNCTION"
+>lwres_gethostbyname_r()</TT
+>,
 and
-<code class="function">lwres_gethostbyaddr_r()</code>
-respectively.
-</p>
-<p>
-The resolver daemon does not currently support any non-DNS
+<TT
+CLASS="FUNCTION"
+>lwres_gethostbyaddr_r()</TT
+>
+respectively.</P
+><P
+>The resolver daemon does not currently support any non-DNS
 name services such as 
-<code class="filename">/etc/hosts</code>
+<TT
+CLASS="FILENAME"
+>/etc/hosts</TT
+>
 or
-<span class="type">NIS</span>,
-consequently the above functions don't, either.
-</p>
-</div>
-</div></body>
-</html>
+<SPAN
+CLASS="TYPE"
+>NIS</SPAN
+>,
+consequently the above functions don't, either.</P
+></DIV
+></BODY
+></HTML
+>
diff --git a/lib/lwres/man/lwres_getipnode.3 b/lib/lwres/man/lwres_getipnode.3
index 947f20f0..815a8415 100644
--- a/lib/lwres/man/lwres_getipnode.3
+++ b/lib/lwres/man/lwres_getipnode.3
@@ -1,56 +1,52 @@
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
-.\" 
+.\" Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001  Internet Software Consortium.
+.\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
 .\" copyright notice and this permission notice appear in all copies.
-.\" 
+.\"
 .\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 .\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 .\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 .\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_getipnode.3,v 1.13.2.10 2007/01/30 00:10:38 marka Exp $
+.\" $Id: lwres_getipnode.3,v 1.13.2.2.4.2 2004/03/09 05:21:10 marka Exp $
 .\"
-.hy 0
-.ad l
-.\"     Title: lwres_getipnode
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: Jun 30, 2000
-.\"    Manual: BIND9
-.\"    Source: BIND9
-.\"
-.TH "LWRES_GETIPNODE" "3" "Jun 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
+.TH "LWRES_GETIPNODE" "3" "Jun 30, 2000" "BIND9" ""
+.SH NAME
 lwres_getipnodebyname, lwres_getipnodebyaddr, lwres_freehostent \- lightweight resolver nodename / address translation API
-.SH "SYNOPSIS"
-.nf
-#include <lwres/netdb.h>
-.fi
-.HP 39
-.BI "struct hostent * lwres_getipnodebyname(const\ char\ *name, int\ af, int\ flags, int\ *error_num);"
-.HP 39
-.BI "struct hostent * lwres_getipnodebyaddr(const\ void\ *src, size_t\ len, int\ af, int\ *error_num);"
-.HP 23
-.BI "void lwres_freehostent(struct\ hostent\ *he);"
+.SH SYNOPSIS
+\fB#include <lwres/netdb.h>
+.sp
+.na
+struct hostent *
+lwres_getipnodebyname(const char *name, int af, int flags, int *error_num);
+.ad
+.sp
+.na
+struct hostent *
+lwres_getipnodebyaddr(const void *src, size_t len, int af, int *error_num);
+.ad
+.sp
+.na
+void
+lwres_freehostent(struct hostent *he);
+.ad
+\fR
 .SH "DESCRIPTION"
 .PP
-These functions perform thread safe, protocol independent nodename\-to\-address and address\-to\-nodename translation as defined in RFC2553.
+These functions perform thread safe, protocol independent
+nodename-to-address and address-to-nodename 
+translation as defined in RFC2553.
 .PP
 They use a
 \fBstruct hostent\fR
 which is defined in
 \fInamedb.h\fR:
 .sp
-.RS 4
 .nf
 struct  hostent {
         char    *h_name;        /* official name of host */
@@ -60,80 +56,72 @@ struct  hostent {
         char    **h_addr_list;  /* list of addresses from name server */
 };
 #define h_addr  h_addr_list[0]  /* address, for backward compatibility */
-.fi
-.RE
 .sp
+.fi
 .PP
 The members of this structure are:
-.PP
+.TP
 \fBh_name\fR
-.RS 4
 The official (canonical) name of the host.
-.RE
-.PP
+.TP
 \fBh_aliases\fR
-.RS 4
-A NULL\-terminated array of alternate names (nicknames) for the host.
-.RE
-.PP
+A NULL-terminated array of alternate names (nicknames) for the host.
+.TP
 \fBh_addrtype\fR
-.RS 4
-The type of address being returned \- usually
+The type of address being returned - usually
 \fBPF_INET\fR
 or
 \fBPF_INET6\fR.
-.RE
-.PP
+.TP
 \fBh_length\fR
-.RS 4
 The length of the address in bytes.
-.RE
-.PP
+.TP
 \fBh_addr_list\fR
-.RS 4
 A
 \fBNULL\fR
-terminated array of network addresses for the host. Host addresses are returned in network byte order.
-.RE
+terminated array of network addresses for the host.
+Host addresses are returned in network byte order.
 .PP
 \fBlwres_getipnodebyname()\fR
 looks up addresses of protocol family
 \fIaf\fR
 for the hostname
-\fIname\fR. The
+\fIname\fR.
+The
 \fIflags\fR
-parameter contains ORed flag bits to specify the types of addresses that are searched for, and the types of addresses that are returned. The flag bits are:
-.PP
+parameter contains ORed flag bits to 
+specify the types of addresses that are searched
+for, and the types of addresses that are returned. 
+The flag bits are:
+.TP
 \fBAI_V4MAPPED\fR
-.RS 4
 This is used with an
 \fIaf\fR
-of AF_INET6, and causes IPv4 addresses to be returned as IPv4\-mapped IPv6 addresses.
-.RE
-.PP
+of AF_INET6, and causes IPv4 addresses to be returned as IPv4-mapped
+IPv6 addresses.
+.TP
 \fBAI_ALL\fR
-.RS 4
 This is used with an
 \fIaf\fR
-of AF_INET6, and causes all known addresses (IPv6 and IPv4) to be returned. If AI_V4MAPPED is also set, the IPv4 addresses are return as mapped IPv6 addresses.
-.RE
-.PP
+of AF_INET6, and causes all known addresses (IPv6 and IPv4) to be returned.
+If AI_V4MAPPED is also set, the IPv4 addresses are return as mapped
+IPv6 addresses.
+.TP
 \fBAI_ADDRCONFIG\fR
-.RS 4
-Only return an IPv6 or IPv4 address if here is an active network interface of that type. This is not currently implemented in the BIND 9 lightweight resolver, and the flag is ignored.
-.RE
-.PP
+Only return an IPv6 or IPv4 address if here is an active network
+interface of that type. This is not currently implemented
+in the BIND 9 lightweight resolver, and the flag is ignored.
+.TP
 \fBAI_DEFAULT\fR
-.RS 4
 This default sets the
-\fBAI_V4MAPPED\fR
+AI_V4MAPPED
 and
-\fBAI_ADDRCONFIG\fR
+AI_ADDRCONFIG
 flag bits.
-.RE
 .PP
 \fBlwres_getipnodebyaddr()\fR
-performs a reverse lookup of address
+performs a reverse lookup
+of address
 \fIsrc\fR
 which is
 \fIlen\fR
@@ -145,14 +133,16 @@ or
 \fBPF_INET6\fR.
 .PP
 \fBlwres_freehostent()\fR
-releases all the memory associated with the
+releases all the memory associated with
+the
 \fBstruct hostent\fR
 pointer
-\fIhe\fR. Any memory allocated for the
-\fBh_name\fR,
-\fBh_addr_list\fR
+\fIhe\fR.
+Any memory allocated for the
+h_name,
+h_addr_list
 and
-\fBh_aliases\fR
+h_aliases
 is freed, as is the memory for the
 \fBhostent\fR
 structure itself.
@@ -166,41 +156,34 @@ set
 \fI*error_num\fR
 to an appropriate error code and the function returns a
 \fBNULL\fR
-pointer. The error codes and their meanings are defined in
+pointer.
+The error codes and their meanings are defined in
 \fI<lwres/netdb.h>\fR:
-.PP
+.TP
 \fBHOST_NOT_FOUND\fR
-.RS 4
 No such host is known.
-.RE
-.PP
+.TP
 \fBNO_ADDRESS\fR
-.RS 4
-The server recognised the request and the name but no address is available. Another type of request to the name server for the domain might return an answer.
-.RE
-.PP
+The server recognised the request and the name but no address is
+available. Another type of request to the name server for the
+domain might return an answer.
+.TP
 \fBTRY_AGAIN\fR
-.RS 4
-A temporary and possibly transient error occurred, such as a failure of a server to respond. The request may succeed if retried.
-.RE
-.PP
+A temporary and possibly transient error occurred, such as a
+failure of a server to respond. The request may succeed if
+retried.
+.TP
 \fBNO_RECOVERY\fR
-.RS 4
-An unexpected failure occurred, and retrying the request is pointless.
-.RE
+An unexpected failure occurred, and retrying the request
+is pointless.
 .PP
-\fBlwres_hstrerror\fR(3 )
+\fBlwres_hstrerror\fR(3)
 translates these error codes to suitable error messages.
 .SH "SEE ALSO"
 .PP
-\fBRFC2553\fR(),
+\fBRFC2553\fR,
 \fBlwres\fR(3),
 \fBlwres_gethostent\fR(3),
 \fBlwres_getaddrinfo\fR(3),
 \fBlwres_getnameinfo\fR(3),
 \fBlwres_hstrerror\fR(3).
-.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000, 2001, 2003 Internet Software Consortium.
-.br
diff --git a/lib/lwres/man/lwres_getipnode.docbook b/lib/lwres/man/lwres_getipnode.docbook
index 343826ce..30c04a35 100644
--- a/lib/lwres/man/lwres_getipnode.docbook
+++ b/lib/lwres/man/lwres_getipnode.docbook
@@ -1,9 +1,7 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
 <!--
- - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
+ - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001, 2003  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -18,7 +16,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: lwres_getipnode.docbook,v 1.4.2.7 2007/01/29 23:57:17 marka Exp $ -->
+<!-- $Id: lwres_getipnode.docbook,v 1.4.2.2.4.1 2004/03/06 08:15:39 marka Exp $ -->
 
 <refentry>
 
@@ -32,21 +30,6 @@
 <refmiscinfo>BIND9</refmiscinfo>
 </refmeta>
 
-  <docinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2007</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <year>2003</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
-  </docinfo>
-
 <refnamediv>
 <refname>lwres_getipnodebyname</refname>
 <refname>lwres_getipnodebyaddr</refname>
diff --git a/lib/lwres/man/lwres_getipnode.html b/lib/lwres/man/lwres_getipnode.html
index 1f7fa642..40c871e8 100644
--- a/lib/lwres/man/lwres_getipnode.html
+++ b/lib/lwres/man/lwres_getipnode.html
@@ -1,298 +1,532 @@
 <!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
- - 
+ - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001, 2003  Internet Software Consortium.
+ -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
- - 
+ -
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_getipnode.html,v 1.7.2.15 2007/01/30 00:10:38 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>lwres_getipnode</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476275"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p>lwres_getipnodebyname, lwres_getipnodebyaddr, lwres_freehostent &#8212; lightweight resolver nodename / address translation API</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="funcsynopsis">
-<pre class="funcsynopsisinfo">#include &lt;lwres/netdb.h&gt;</pre>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-struct hostent *
-<b class="fsfunc">lwres_getipnodebyname</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-struct hostent *
-<b class="fsfunc">lwres_getipnodebyaddr</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0"><tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_freehostent</b>(</code></td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr></table>
-</div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543402"></a><h2>DESCRIPTION</h2>
-<p>
-These functions perform thread safe, protocol independent
+
+<!-- $Id: lwres_getipnode.html,v 1.7.2.1.4.1 2004/03/06 08:15:40 marka Exp $ -->
+
+<HTML
+><HEAD
+><TITLE
+>lwres_getipnode</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.73
+"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+>lwres_getipnode</A
+></H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN8"
+></A
+><H2
+>Name</H2
+>lwres_getipnodebyname, lwres_getipnodebyaddr, lwres_freehostent&nbsp;--&nbsp;lightweight resolver nodename / address translation API</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN13"
+></A
+><H2
+>Synopsis</H2
+><DIV
+CLASS="FUNCSYNOPSIS"
+><A
+NAME="AEN14"
+></A
+><P
+></P
+><PRE
+CLASS="FUNCSYNOPSISINFO"
+>#include &lt;lwres/netdb.h&gt;</PRE
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>struct hostent *
+lwres_getipnodebyname</CODE
+>(const char *name, int af, int flags, int *error_num);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>struct hostent *
+lwres_getipnodebyaddr</CODE
+>(const void *src, size_t len, int af, int *error_num);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>void
+lwres_freehostent</CODE
+>(struct hostent *he);</CODE
+></P
+><P
+></P
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN34"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+>These functions perform thread safe, protocol independent
 nodename-to-address and address-to-nodename 
-translation as defined in RFC2553.
-</p>
-<p>
-They use a
-<span class="type">struct hostent</span>
+translation as defined in RFC2553.</P
+><P
+>They use a
+<SPAN
+CLASS="TYPE"
+>struct hostent</SPAN
+>
 which is defined in
-<code class="filename">namedb.h</code>:
-</p>
-<pre class="programlisting">
-struct  hostent {
+<TT
+CLASS="FILENAME"
+>namedb.h</TT
+>:
+<PRE
+CLASS="PROGRAMLISTING"
+>struct  hostent {
         char    *h_name;        /* official name of host */
         char    **h_aliases;    /* alias list */
         int     h_addrtype;     /* host address type */
         int     h_length;       /* length of address */
         char    **h_addr_list;  /* list of addresses from name server */
 };
-#define h_addr  h_addr_list[0]  /* address, for backward compatibility */
-</pre>
-<p>
-</p>
-<p>
-The members of this structure are:
-</p>
-<div class="variablelist"><dl>
-<dt><span class="term"><code class="constant">h_name</code></span></dt>
-<dd><p>
-The official (canonical) name of the host.
-</p></dd>
-<dt><span class="term"><code class="constant">h_aliases</code></span></dt>
-<dd><p>
-A NULL-terminated array of alternate names (nicknames) for the host.
-</p></dd>
-<dt><span class="term"><code class="constant">h_addrtype</code></span></dt>
-<dd><p>
-The type of address being returned - usually
-<span class="type">PF_INET</span>
+#define h_addr  h_addr_list[0]  /* address, for backward compatibility */</PRE
+></P
+><P
+>The members of this structure are:
+<P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="CONSTANT"
+>h_name</TT
+></DT
+><DD
+><P
+>The official (canonical) name of the host.</P
+></DD
+><DT
+><TT
+CLASS="CONSTANT"
+>h_aliases</TT
+></DT
+><DD
+><P
+>A NULL-terminated array of alternate names (nicknames) for the host.</P
+></DD
+><DT
+><TT
+CLASS="CONSTANT"
+>h_addrtype</TT
+></DT
+><DD
+><P
+>The type of address being returned - usually
+<SPAN
+CLASS="TYPE"
+>PF_INET</SPAN
+>
 or
-<span class="type">PF_INET6</span>.
-
-</p></dd>
-<dt><span class="term"><code class="constant">h_length</code></span></dt>
-<dd><p>
-The length of the address in bytes.
-</p></dd>
-<dt><span class="term"><code class="constant">h_addr_list</code></span></dt>
-<dd><p>
-A
-<span class="type">NULL</span>
+<SPAN
+CLASS="TYPE"
+>PF_INET6</SPAN
+>.&#13;</P
+></DD
+><DT
+><TT
+CLASS="CONSTANT"
+>h_length</TT
+></DT
+><DD
+><P
+>The length of the address in bytes.</P
+></DD
+><DT
+><TT
+CLASS="CONSTANT"
+>h_addr_list</TT
+></DT
+><DD
+><P
+>A
+<SPAN
+CLASS="TYPE"
+>NULL</SPAN
+>
 terminated array of network addresses for the host.
-Host addresses are returned in network byte order.
-</p></dd>
-</dl></div>
-<p>
-</p>
-<p>
-<code class="function">lwres_getipnodebyname()</code>
+Host addresses are returned in network byte order.</P
+></DD
+></DL
+></DIV
+></P
+><P
+><TT
+CLASS="FUNCTION"
+>lwres_getipnodebyname()</TT
+>
 looks up addresses of protocol family
-<em class="parameter"><code>af</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>af</I
+></TT
+>
 
 for the hostname
-<em class="parameter"><code>name</code></em>.
+<TT
+CLASS="PARAMETER"
+><I
+>name</I
+></TT
+>.
 
 The
-<em class="parameter"><code>flags</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>flags</I
+></TT
+>
 parameter contains ORed flag bits to 
 specify the types of addresses that are searched
 for, and the types of addresses that are returned. 
 The flag bits are:
-</p>
-<div class="variablelist"><dl>
-<dt><span class="term"><code class="constant">AI_V4MAPPED</code></span></dt>
-<dd><p>
-This is used with an
-<em class="parameter"><code>af</code></em>
+<P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="CONSTANT"
+>AI_V4MAPPED</TT
+></DT
+><DD
+><P
+>This is used with an
+<TT
+CLASS="PARAMETER"
+><I
+>af</I
+></TT
+>
 of AF_INET6, and causes IPv4 addresses to be returned as IPv4-mapped
-IPv6 addresses.
-</p></dd>
-<dt><span class="term"><code class="constant">AI_ALL</code></span></dt>
-<dd><p>
-This is used with an
-<em class="parameter"><code>af</code></em>
+IPv6 addresses.</P
+></DD
+><DT
+><TT
+CLASS="CONSTANT"
+>AI_ALL</TT
+></DT
+><DD
+><P
+>This is used with an
+<TT
+CLASS="PARAMETER"
+><I
+>af</I
+></TT
+>
 of AF_INET6, and causes all known addresses (IPv6 and IPv4) to be returned.
 If AI_V4MAPPED is also set, the IPv4 addresses are return as mapped
-IPv6 addresses.
-</p></dd>
-<dt><span class="term"><code class="constant">AI_ADDRCONFIG</code></span></dt>
-<dd><p>
-Only return an IPv6 or IPv4 address if here is an active network
+IPv6 addresses.</P
+></DD
+><DT
+><TT
+CLASS="CONSTANT"
+>AI_ADDRCONFIG</TT
+></DT
+><DD
+><P
+>Only return an IPv6 or IPv4 address if here is an active network
 interface of that type.  This is not currently implemented
-in the BIND 9 lightweight resolver, and the flag is ignored.
-</p></dd>
-<dt><span class="term"><code class="constant">AI_DEFAULT</code></span></dt>
-<dd><p>
-This default sets the
-<code class="constant">AI_V4MAPPED</code>
+in the BIND 9 lightweight resolver, and the flag is ignored.</P
+></DD
+><DT
+><TT
+CLASS="CONSTANT"
+>AI_DEFAULT</TT
+></DT
+><DD
+><P
+>This default sets the
+<TT
+CLASS="CONSTANT"
+>AI_V4MAPPED</TT
+>
 and
-<code class="constant">AI_ADDRCONFIG</code>
-flag bits.
-</p></dd>
-</dl></div>
-<p>
-</p>
-<p>
-<code class="function">lwres_getipnodebyaddr()</code>
+<TT
+CLASS="CONSTANT"
+>AI_ADDRCONFIG</TT
+>
+flag bits.</P
+></DD
+></DL
+></DIV
+></P
+><P
+><TT
+CLASS="FUNCTION"
+>lwres_getipnodebyaddr()</TT
+>
 performs a reverse lookup
 of address
-<em class="parameter"><code>src</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>src</I
+></TT
+>
 which is
-<em class="parameter"><code>len</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>len</I
+></TT
+>
 bytes long.
-<em class="parameter"><code>af</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>af</I
+></TT
+>
 denotes the protocol family, typically
-<span class="type">PF_INET</span>
+<SPAN
+CLASS="TYPE"
+>PF_INET</SPAN
+>
 or
-<span class="type">PF_INET6</span>.
-
-</p>
-<p>
-<code class="function">lwres_freehostent()</code>
+<SPAN
+CLASS="TYPE"
+>PF_INET6</SPAN
+>.&#13;</P
+><P
+><TT
+CLASS="FUNCTION"
+>lwres_freehostent()</TT
+>
 releases all the memory associated with
 the
-<span class="type">struct hostent</span>
+<SPAN
+CLASS="TYPE"
+>struct hostent</SPAN
+>
 pointer
-<em class="parameter"><code>he</code></em>.
+<TT
+CLASS="PARAMETER"
+><I
+>he</I
+></TT
+>.
 
 Any memory allocated for the
-<code class="constant">h_name</code>,
+<TT
+CLASS="CONSTANT"
+>h_name</TT
+>,
 
-<code class="constant">h_addr_list</code>
+<TT
+CLASS="CONSTANT"
+>h_addr_list</TT
+>
 and
-<code class="constant">h_aliases</code>
+<TT
+CLASS="CONSTANT"
+>h_aliases</TT
+>
 is freed, as is the memory for the
-<span class="type">hostent</span>
-structure itself.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543637"></a><h2>RETURN VALUES</h2>
-<p>
-If an error occurs,
-<code class="function">lwres_getipnodebyname()</code>
+<SPAN
+CLASS="TYPE"
+>hostent</SPAN
+>
+structure itself.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN116"
+></A
+><H2
+>RETURN VALUES</H2
+><P
+>If an error occurs,
+<TT
+CLASS="FUNCTION"
+>lwres_getipnodebyname()</TT
+>
 and
-<code class="function">lwres_getipnodebyaddr()</code>
+<TT
+CLASS="FUNCTION"
+>lwres_getipnodebyaddr()</TT
+>
 set
-<em class="parameter"><code>*error_num</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>*error_num</I
+></TT
+>
 to an appropriate error code and the function returns a
-<span class="type">NULL</span>
+<SPAN
+CLASS="TYPE"
+>NULL</SPAN
+>
 pointer.
 The error codes and their meanings are defined in
-<code class="filename">&lt;lwres/netdb.h&gt;</code>:
-</p>
-<div class="variablelist"><dl>
-<dt><span class="term"><code class="constant">HOST_NOT_FOUND</code></span></dt>
-<dd><p>
-No such host is known.
-</p></dd>
-<dt><span class="term"><code class="constant">NO_ADDRESS</code></span></dt>
-<dd><p>
-The server recognised the request and the name but no address is
+<TT
+CLASS="FILENAME"
+>&lt;lwres/netdb.h&gt;</TT
+>:
+<P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="CONSTANT"
+>HOST_NOT_FOUND</TT
+></DT
+><DD
+><P
+>No such host is known.</P
+></DD
+><DT
+><TT
+CLASS="CONSTANT"
+>NO_ADDRESS</TT
+></DT
+><DD
+><P
+>The server recognised the request and the name but no address is
 available.  Another type of request to the name server for the
-domain might return an answer.
-</p></dd>
-<dt><span class="term"><code class="constant">TRY_AGAIN</code></span></dt>
-<dd><p>
-A temporary and possibly transient error occurred, such as a
+domain might return an answer.</P
+></DD
+><DT
+><TT
+CLASS="CONSTANT"
+>TRY_AGAIN</TT
+></DT
+><DD
+><P
+>A temporary and possibly transient error occurred, such as a
 failure of a server to respond.  The request may succeed if
-retried.
-</p></dd>
-<dt><span class="term"><code class="constant">NO_RECOVERY</code></span></dt>
-<dd><p>
-An unexpected failure occurred, and retrying the request
-is pointless.
-</p></dd>
-</dl></div>
-<p>
-</p>
-<p>
-<span class="citerefentry"><span class="refentrytitle">lwres_hstrerror</span>(3
-)</span>
-translates these error codes to suitable error messages.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543728"></a><h2>SEE ALSO</h2>
-<p>
-<span class="citerefentry"><span class="refentrytitle">RFC2553</span></span>,
+retried.</P
+></DD
+><DT
+><TT
+CLASS="CONSTANT"
+>NO_RECOVERY</TT
+></DT
+><DD
+><P
+>An unexpected failure occurred, and retrying the request
+is pointless.</P
+></DD
+></DL
+></DIV
+></P
+><P
+><SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres_hstrerror</SPAN
+>(3)</SPAN
+>
+translates these error codes to suitable error messages.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN149"
+></A
+><H2
+>SEE ALSO</H2
+><P
+><SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>RFC2553</SPAN
+></SPAN
+>,
 
-<span class="citerefentry"><span class="refentrytitle">lwres</span>(3)</span>,
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres</SPAN
+>(3)</SPAN
+>,
 
-<span class="citerefentry"><span class="refentrytitle">lwres_gethostent</span>(3)</span>,
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres_gethostent</SPAN
+>(3)</SPAN
+>,
 
-<span class="citerefentry"><span class="refentrytitle">lwres_getaddrinfo</span>(3)</span>,
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres_getaddrinfo</SPAN
+>(3)</SPAN
+>,
 
-<span class="citerefentry"><span class="refentrytitle">lwres_getnameinfo</span>(3)</span>,
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres_getnameinfo</SPAN
+>(3)</SPAN
+>,
 
-<span class="citerefentry"><span class="refentrytitle">lwres_hstrerror</span>(3)</span>.
-</p>
-</div>
-</div></body>
-</html>
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres_hstrerror</SPAN
+>(3)</SPAN
+>.</P
+></DIV
+></BODY
+></HTML
+>
diff --git a/lib/lwres/man/lwres_getnameinfo.3 b/lib/lwres/man/lwres_getnameinfo.3
index 1f970d02..a5122706 100644
--- a/lib/lwres/man/lwres_getnameinfo.3
+++ b/lib/lwres/man/lwres_getnameinfo.3
@@ -1,105 +1,79 @@
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\" 
+.\" Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001  Internet Software Consortium.
+.\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
 .\" copyright notice and this permission notice appear in all copies.
-.\" 
+.\"
 .\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 .\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 .\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 .\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_getnameinfo.3,v 1.15.2.9 2007/01/30 00:10:38 marka Exp $
-.\"
-.hy 0
-.ad l
-.\"     Title: lwres_getnameinfo
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: Jun 30, 2000
-.\"    Manual: BIND9
-.\"    Source: BIND9
+.\" $Id: lwres_getnameinfo.3,v 1.15.2.1.8.1 2004/03/06 07:41:43 marka Exp $
 .\"
-.TH "LWRES_GETNAMEINFO" "3" "Jun 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
+.TH "LWRES_GETNAMEINFO" "3" "Jun 30, 2000" "BIND9" ""
+.SH NAME
 lwres_getnameinfo \- lightweight resolver socket address structure to hostname and service name
-.SH "SYNOPSIS"
-.nf
-#include <lwres/netdb.h>
-.fi
-.HP 22
-.BI "int lwres_getnameinfo(const\ struct\ sockaddr\ *sa, size_t\ salen, char\ *host, size_t\ hostlen, char\ *serv, size_t\ servlen, int\ flags);"
+.SH SYNOPSIS
+\fB#include <lwres/netdb.h>
+.sp
+.na
+int
+lwres_getnameinfo(const struct sockaddr *sa, size_t salen, char *host, size_t hostlen, char *serv, size_t servlen, int flags);
+.ad
+\fR
 .SH "DESCRIPTION"
 .PP
-This function is equivalent to the
-\fBgetnameinfo\fR(3)
-function defined in RFC2133.
-\fBlwres_getnameinfo()\fR
-returns the hostname for the
-\fBstruct sockaddr\fR
-\fIsa\fR
-which is
-\fIsalen\fR
-bytes long. The hostname is of length
-\fIhostlen\fR
-and is returned via
-\fI*host.\fR
-The maximum length of the hostname is 1025 bytes:
-\fBNI_MAXHOST\fR.
+This function is equivalent to the \fBgetnameinfo\fR(3) function defined in RFC2133.
+\fBlwres_getnameinfo()\fR returns the hostname for the
+\fBstruct sockaddr\fR \fIsa\fR which is
+\fIsalen\fR bytes long. The hostname is of length
+\fIhostlen\fR and is returned via
+\fI*host.\fR The maximum length of the hostname is
+1025 bytes: NI_MAXHOST.
 .PP
 The name of the service associated with the port number in
-\fIsa\fR
-is returned in
-\fI*serv.\fR
-It is
-\fIservlen\fR
-bytes long. The maximum length of the service name is
-\fBNI_MAXSERV\fR
-\- 32 bytes.
-.PP
-The
-\fIflags\fR
-argument sets the following bits:
+\fIsa\fR is returned in \fI*serv.\fR
+It is \fIservlen\fR bytes long. The maximum length
+of the service name is NI_MAXSERV - 32 bytes.
 .PP
+The \fIflags\fR argument sets the following
+bits:
+.TP
 \fBNI_NOFQDN\fR
-.RS 4
-A fully qualified domain name is not required for local hosts. The local part of the fully qualified domain name is returned instead.
-.RE
-.PP
+A fully qualified domain name is not required for local hosts.
+The local part of the fully qualified domain name is returned instead.
+.TP
 \fBNI_NUMERICHOST\fR
-.RS 4
-Return the address in numeric form, as if calling inet_ntop(), instead of a host name.
-.RE
-.PP
+Return the address in numeric form, as if calling inet_ntop(),
+instead of a host name.
+.TP
 \fBNI_NAMEREQD\fR
-.RS 4
-A name is required. If the hostname cannot be found in the DNS and this flag is set, a non\-zero error code is returned. If the hostname is not found and the flag is not set, the address is returned in numeric form.
-.RE
-.PP
+A name is required. If the hostname cannot be found in the DNS and
+this flag is set, a non-zero error code is returned.
+If the hostname is not found and the flag is not set, the 
+address is returned in numeric form.
+.TP
 \fBNI_NUMERICSERV\fR
-.RS 4
 The service name is returned as a digit string representing the port number.
-.RE
-.PP
+.TP
 \fBNI_DGRAM\fR
-.RS 4
-Specifies that the service being looked up is a datagram service, and causes getservbyport() to be called with a second argument of "udp" instead of its default of "tcp". This is required for the few ports (512\-514) that have different services for UDP and TCP.
-.RE
+Specifies that the service being looked up is a datagram
+service, and causes getservbyport() to be called with a second
+argument of "udp" instead of its default of "tcp". This is required
+for the few ports (512-514) that have different services for UDP and
+TCP.
 .SH "RETURN VALUES"
 .PP
 \fBlwres_getnameinfo()\fR
-returns 0 on success or a non\-zero error code if an error occurs.
+returns 0 on success or a non-zero error code if an error occurs.
 .SH "SEE ALSO"
 .PP
-\fBRFC2133\fR(),
+\fBRFC2133\fR,
 \fBgetservbyport\fR(3),
 \fBlwres\fR(3),
 \fBlwres_getnameinfo\fR(3),
@@ -110,8 +84,3 @@ returns 0 on success or a non\-zero error code if an error occurs.
 RFC2133 fails to define what the nonzero return values of
 \fBgetnameinfo\fR(3)
 are.
-.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000, 2001 Internet Software Consortium.
-.br
diff --git a/lib/lwres/man/lwres_getnameinfo.docbook b/lib/lwres/man/lwres_getnameinfo.docbook
index 09c44f0c..ff2eaad0 100644
--- a/lib/lwres/man/lwres_getnameinfo.docbook
+++ b/lib/lwres/man/lwres_getnameinfo.docbook
@@ -1,9 +1,7 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
 <!--
- - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001  Internet Software Consortium.
+ - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -18,7 +16,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: lwres_getnameinfo.docbook,v 1.3.2.5 2007/01/29 23:57:17 marka Exp $ -->
+<!-- $Id: lwres_getnameinfo.docbook,v 1.3.206.1 2004/03/06 08:15:40 marka Exp $ -->
 
 <refentry>
 
@@ -32,20 +30,6 @@
 <refmiscinfo>BIND9</refmiscinfo>
 </refmeta>
 
-  <docinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2007</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
-  </docinfo>
-
 <refnamediv>
 <refname>lwres_getnameinfo</refname>
 <refpurpose>lightweight resolver socket address structure to hostname and service name</refpurpose>
@@ -156,7 +140,6 @@ returns 0 on success or a non-zero error code if an error occurs.
 <citerefentry>
 <refentrytitle>lwres_net_ntop</refentrytitle><manvolnum>3</manvolnum>
 </citerefentry>.
-</para>
 </refsect1>
 <refsect1>
 <title>BUGS</title>
diff --git a/lib/lwres/man/lwres_getnameinfo.html b/lib/lwres/man/lwres_getnameinfo.html
index 4b58f8fd..b939d381 100644
--- a/lib/lwres/man/lwres_getnameinfo.html
+++ b/lib/lwres/man/lwres_getnameinfo.html
@@ -1,154 +1,306 @@
 <!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- - 
+ - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001  Internet Software Consortium.
+ -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
- - 
+ -
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_getnameinfo.html,v 1.5.2.16 2007/01/30 00:10:38 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>lwres_getnameinfo</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476275"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p>lwres_getnameinfo &#8212; lightweight resolver socket address structure to hostname and service name</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="funcsynopsis">
-<pre class="funcsynopsisinfo">#include &lt;lwres/netdb.h&gt;</pre>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0">
-<tr>
-<td><code class="funcdef">
-int
-<b class="fsfunc">lwres_getnameinfo</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-</div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543368"></a><h2>DESCRIPTION</h2>
-<p> This function is equivalent to the <span class="citerefentry"><span class="refentrytitle">getnameinfo</span>(3)</span> function defined in RFC2133.
-<code class="function">lwres_getnameinfo()</code> returns the hostname for the
-<span class="type">struct sockaddr</span> <em class="parameter"><code>sa</code></em> which is
-<em class="parameter"><code>salen</code></em> bytes long.  The hostname is of length
-<em class="parameter"><code>hostlen</code></em> and is returned via
-<em class="parameter"><code>*host.</code></em> The maximum length of the hostname is
-1025 bytes: <code class="constant">NI_MAXHOST</code>.</p>
-<p> The name of the service associated with the port number in
-<em class="parameter"><code>sa</code></em> is returned in <em class="parameter"><code>*serv.</code></em>
-It is <em class="parameter"><code>servlen</code></em> bytes long.  The maximum length
-of the service name is <code class="constant">NI_MAXSERV</code> - 32 bytes.
-</p>
-<p> The <em class="parameter"><code>flags</code></em> argument sets the following
+
+<!-- $Id: lwres_getnameinfo.html,v 1.5.2.1.4.1 2004/03/06 08:15:40 marka Exp $ -->
+
+<HTML
+><HEAD
+><TITLE
+>lwres_getnameinfo</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.73
+"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+>lwres_getnameinfo</A
+></H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN8"
+></A
+><H2
+>Name</H2
+>lwres_getnameinfo&nbsp;--&nbsp;lightweight resolver socket address structure to hostname and service name</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN11"
+></A
+><H2
+>Synopsis</H2
+><DIV
+CLASS="FUNCSYNOPSIS"
+><A
+NAME="AEN12"
+></A
+><P
+></P
+><PRE
+CLASS="FUNCSYNOPSISINFO"
+>#include &lt;lwres/netdb.h&gt;</PRE
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>int
+lwres_getnameinfo</CODE
+>(const struct sockaddr *sa, size_t salen, char *host, size_t hostlen, char *serv, size_t servlen, int flags);</CODE
+></P
+><P
+></P
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN24"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+> This function is equivalent to the <SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>getnameinfo</SPAN
+>(3)</SPAN
+> function defined in RFC2133.
+<TT
+CLASS="FUNCTION"
+>lwres_getnameinfo()</TT
+> returns the hostname for the
+<SPAN
+CLASS="TYPE"
+>struct sockaddr</SPAN
+> <TT
+CLASS="PARAMETER"
+><I
+>sa</I
+></TT
+> which is
+<TT
+CLASS="PARAMETER"
+><I
+>salen</I
+></TT
+> bytes long.  The hostname is of length
+<TT
+CLASS="PARAMETER"
+><I
+>hostlen</I
+></TT
+> and is returned via
+<TT
+CLASS="PARAMETER"
+><I
+>*host.</I
+></TT
+> The maximum length of the hostname is
+1025 bytes: <TT
+CLASS="CONSTANT"
+>NI_MAXHOST</TT
+>.</P
+><P
+> The name of the service associated with the port number in
+<TT
+CLASS="PARAMETER"
+><I
+>sa</I
+></TT
+> is returned in <TT
+CLASS="PARAMETER"
+><I
+>*serv.</I
+></TT
+>
+It is <TT
+CLASS="PARAMETER"
+><I
+>servlen</I
+></TT
+> bytes long.  The maximum length
+of the service name is <TT
+CLASS="CONSTANT"
+>NI_MAXSERV</TT
+> - 32 bytes.</P
+><P
+> The <TT
+CLASS="PARAMETER"
+><I
+>flags</I
+></TT
+> argument sets the following
 bits:
-</p>
-<div class="variablelist"><dl>
-<dt><span class="term"><code class="constant">NI_NOFQDN</code></span></dt>
-<dd><p>
-A fully qualified domain name is not required for local hosts.
-The local part of the fully qualified domain name is returned instead.
-</p></dd>
-<dt><span class="term"><code class="constant">NI_NUMERICHOST</code></span></dt>
-<dd><p>
-Return the address in numeric form, as if calling inet_ntop(),
-instead of a host name.
-</p></dd>
-<dt><span class="term"><code class="constant">NI_NAMEREQD</code></span></dt>
-<dd><p>
-A name is required. If the hostname cannot be found in the DNS and
+<P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="CONSTANT"
+>NI_NOFQDN</TT
+></DT
+><DD
+><P
+>A fully qualified domain name is not required for local hosts.
+The local part of the fully qualified domain name is returned instead.</P
+></DD
+><DT
+><TT
+CLASS="CONSTANT"
+>NI_NUMERICHOST</TT
+></DT
+><DD
+><P
+>Return the address in numeric form, as if calling inet_ntop(),
+instead of a host name.</P
+></DD
+><DT
+><TT
+CLASS="CONSTANT"
+>NI_NAMEREQD</TT
+></DT
+><DD
+><P
+>A name is required. If the hostname cannot be found in the DNS and
 this flag is set, a non-zero error code is returned.
 If the hostname is not found and the flag is not set, the 
-address is returned in numeric form.
-</p></dd>
-<dt><span class="term"><code class="constant">NI_NUMERICSERV</code></span></dt>
-<dd><p>
-The service name is returned as a digit string representing the port number.
-</p></dd>
-<dt><span class="term"><code class="constant">NI_DGRAM</code></span></dt>
-<dd><p>
-Specifies that the service being looked up is a datagram
+address is returned in numeric form.</P
+></DD
+><DT
+><TT
+CLASS="CONSTANT"
+>NI_NUMERICSERV</TT
+></DT
+><DD
+><P
+>The service name is returned as a digit string representing the port number.</P
+></DD
+><DT
+><TT
+CLASS="CONSTANT"
+>NI_DGRAM</TT
+></DT
+><DD
+><P
+>Specifies that the service being looked up is a datagram
 service,  and causes getservbyport() to be called with a second
 argument of "udp" instead of its default of "tcp".  This is required
 for the few ports (512-514) that have different services for UDP and
-TCP.
-</p></dd>
-</dl></div>
-<p>
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543494"></a><h2>RETURN VALUES</h2>
-<p>
-<code class="function">lwres_getnameinfo()</code>
-returns 0 on success or a non-zero error code if an error occurs.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543507"></a><h2>SEE ALSO</h2>
-<p>
-<span class="citerefentry"><span class="refentrytitle">RFC2133</span></span>,
-<span class="citerefentry"><span class="refentrytitle">getservbyport</span>(3)</span>,
-<span class="citerefentry"><span class="refentrytitle">lwres</span>(3)</span>,
-<span class="citerefentry"><span class="refentrytitle">lwres_getnameinfo</span>(3)</span>,
-<span class="citerefentry"><span class="refentrytitle">lwres_getnamebyaddr</span>(3)</span>.
-<span class="citerefentry"><span class="refentrytitle">lwres_net_ntop</span>(3)</span>.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543565"></a><h2>BUGS</h2>
-<p>
-RFC2133 fails to define what the nonzero return values of
-<span class="citerefentry"><span class="refentrytitle">getnameinfo</span>(3)</span>
-are.
-</p>
-</div>
-</div></body>
-</html>
+TCP.</P
+></DD
+></DL
+></DIV
+></P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN70"
+></A
+><H2
+>RETURN VALUES</H2
+><P
+><TT
+CLASS="FUNCTION"
+>lwres_getnameinfo()</TT
+>
+returns 0 on success or a non-zero error code if an error occurs.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN74"
+></A
+><H2
+>SEE ALSO</H2
+><P
+><SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>RFC2133</SPAN
+></SPAN
+>,
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>getservbyport</SPAN
+>(3)</SPAN
+>,
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres</SPAN
+>(3)</SPAN
+>,
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres_getnameinfo</SPAN
+>(3)</SPAN
+>,
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres_getnamebyaddr</SPAN
+>(3)</SPAN
+>.
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres_net_ntop</SPAN
+>(3)</SPAN
+>.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN94"
+></A
+><H2
+>BUGS</H2
+><P
+>RFC2133 fails to define what the nonzero return values of
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>getnameinfo</SPAN
+>(3)</SPAN
+>
+are.</P
+></DIV
+></BODY
+></HTML
+>
diff --git a/lib/lwres/man/lwres_getrrsetbyname.3 b/lib/lwres/man/lwres_getrrsetbyname.3
index 114aff62..1558f6d5 100644
--- a/lib/lwres/man/lwres_getrrsetbyname.3
+++ b/lib/lwres/man/lwres_getrrsetbyname.3
@@ -1,53 +1,45 @@
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\" 
+.\" Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001  Internet Software Consortium.
+.\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
 .\" copyright notice and this permission notice appear in all copies.
-.\" 
+.\"
 .\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 .\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 .\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 .\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_getrrsetbyname.3,v 1.11.2.9 2007/01/30 00:10:38 marka Exp $
-.\"
-.hy 0
-.ad l
-.\"     Title: lwres_getrrsetbyname
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: Oct 18, 2000
-.\"    Manual: BIND9
-.\"    Source: BIND9
+.\" $Id: lwres_getrrsetbyname.3,v 1.11.2.1.8.1 2004/03/06 07:41:43 marka Exp $
 .\"
-.TH "LWRES_GETRRSETBYNAME" "3" "Oct 18, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
+.TH "LWRES_GETRRSETBYNAME" "3" "Oct 18, 2000" "BIND9" ""
+.SH NAME
 lwres_getrrsetbyname, lwres_freerrset \- retrieve DNS records
-.SH "SYNOPSIS"
-.nf
-#include <lwres/netdb.h>
-.fi
-.HP 25
-.BI "int lwres_getrrsetbyname(const\ char\ *hostname, unsigned\ int\ rdclass, unsigned\ int\ rdtype, unsigned\ int\ flags, struct\ rrsetinfo\ **res);"
-.HP 21
-.BI "void lwres_freerrset(struct\ rrsetinfo\ *rrset);"
+.SH SYNOPSIS
+\fB#include <lwres/netdb.h>
+.sp
+.na
+int
+lwres_getrrsetbyname(const char *hostname, unsigned int rdclass, unsigned int rdtype, unsigned int flags, struct rrsetinfo **res);
+.ad
+.sp
+.na
+void
+lwres_freerrset(struct rrsetinfo *rrset);
+.ad
+\fR
 .PP
 The following structures are used:
 .sp
-.RS 4
 .nf
 struct  rdatainfo {
         unsigned int            rdi_length;     /* length of data */
         unsigned char           *rdi_data;      /* record data */
 };
+
 struct  rrsetinfo {
         unsigned int            rri_flags;      /* RRSET_VALIDATED... */
         unsigned int            rri_rdclass;    /* class number */
@@ -59,18 +51,19 @@ struct  rrsetinfo {
         struct rdatainfo        *rri_rdatas;    /* individual records */
         struct rdatainfo        *rri_sigs;      /* individual signatures */
 };
-.fi
-.RE
 .sp
+.fi
 .SH "DESCRIPTION"
 .PP
 \fBlwres_getrrsetbyname()\fR
 gets a set of resource records associated with a
 \fIhostname\fR,
-\fIclass\fR, and
+\fIclass\fR,
+and
 \fItype\fR.
 \fIhostname\fR
-is a pointer a to null\-terminated string. The
+is
+a pointer a to null-terminated string. The
 \fIflags\fR
 field is currently unused and must be zero.
 .PP
@@ -83,30 +76,38 @@ structure, containing a list of one or more
 \fBrdatainfo\fR
 structures containing resource records and potentially another list of
 \fBrdatainfo\fR
-structures containing SIG resource records associated with those records. The members
-\fBrri_rdclass\fR
+structures containing SIG resource records
+associated with those records.
+The members
+rri_rdclass
 and
-\fBrri_rdtype\fR
+rri_rdtype
 are copied from the parameters.
-\fBrri_ttl\fR
+rri_ttl
 and
-\fBrri_name\fR
-are properties of the obtained rrset. The resource records contained in
-\fBrri_rdatas\fR
+rri_name
+are properties of the obtained rrset.
+The resource records contained in
+rri_rdatas
 and
-\fBrri_sigs\fR
-are in uncompressed DNS wire format. Properties of the rdataset are represented in the
-\fBrri_flags\fR
-bitfield. If the RRSET_VALIDATED bit is set, the data has been DNSSEC validated and the signatures verified.
+rri_sigs
+are in uncompressed DNS wire format.
+Properties of the rdataset are represented in the
+rri_flags
+bitfield. If the RRSET_VALIDATED bit is set, the data has been DNSSEC
+validated and the signatures verified. 
 .PP
 All of the information returned by
 \fBlwres_getrrsetbyname()\fR
 is dynamically allocated: the
-\fBrrsetinfo\fR
+rrsetinfo
 and
-\fBrdatainfo\fR
-structures, and the canonical host name strings pointed to by the
-\fBrrsetinfo\fRstructure. Memory allocated for the dynamically allocated structures created by a successful call to
+rdatainfo
+structures,
+and the canonical host name strings pointed to by the
+rrsetinfostructure.
+Memory allocated for the dynamically allocated structures created by
+a successful call to
 \fBlwres_getrrsetbyname()\fR
 is released by
 \fBlwres_freerrset()\fR.
@@ -119,40 +120,25 @@ created by a call to
 .SH "RETURN VALUES"
 .PP
 \fBlwres_getrrsetbyname()\fR
-returns zero on success, and one of the following error codes if an error occurred:
-.PP
+returns zero on success, and one of the following error
+codes if an error occurred:
+.TP
 \fBERRSET_NONAME\fR
-.RS 4
 the name does not exist
-.RE
-.PP
+.TP
 \fBERRSET_NODATA\fR
-.RS 4
 the name exists, but does not have data of the desired type
-.RE
-.PP
+.TP
 \fBERRSET_NOMEMORY\fR
-.RS 4
 memory could not be allocated
-.RE
-.PP
+.TP
 \fBERRSET_INVAL\fR
-.RS 4
 a parameter is invalid
-.RE
-.PP
+.TP
 \fBERRSET_FAIL\fR
-.RS 4
 other failure
-.RE
-.PP
-.RS 4
-.RE
+.TP
+\fB\fR
 .SH "SEE ALSO"
 .PP
 \fBlwres\fR(3).
-.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000, 2001 Internet Software Consortium.
-.br
diff --git a/lib/lwres/man/lwres_getrrsetbyname.docbook b/lib/lwres/man/lwres_getrrsetbyname.docbook
index 53b2a692..5ec7884b 100644
--- a/lib/lwres/man/lwres_getrrsetbyname.docbook
+++ b/lib/lwres/man/lwres_getrrsetbyname.docbook
@@ -1,9 +1,7 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
 <!--
- - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001  Internet Software Consortium.
+ - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -18,7 +16,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: lwres_getrrsetbyname.docbook,v 1.3.2.5 2007/01/29 23:57:17 marka Exp $ -->
+<!-- $Id: lwres_getrrsetbyname.docbook,v 1.3.206.1 2004/03/06 08:15:40 marka Exp $ -->
 
 <refentry>
 <refentryinfo>
@@ -31,21 +29,6 @@
 <manvolnum>3</manvolnum>
 <refmiscinfo>BIND9</refmiscinfo>
 </refmeta>
-
-  <docinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2007</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
-  </docinfo>
-
 <refnamediv>
 <refname>lwres_getrrsetbyname</refname>
 <refname>lwres_freerrset</refname>
diff --git a/lib/lwres/man/lwres_getrrsetbyname.html b/lib/lwres/man/lwres_getrrsetbyname.html
index 77036c5a..589f7b0c 100644
--- a/lib/lwres/man/lwres_getrrsetbyname.html
+++ b/lib/lwres/man/lwres_getrrsetbyname.html
@@ -1,80 +1,91 @@
 <!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- - 
+ - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001  Internet Software Consortium.
+ -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
- - 
+ -
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_getrrsetbyname.html,v 1.5.2.15 2007/01/30 00:10:38 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>lwres_getrrsetbyname</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476275"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p>lwres_getrrsetbyname, lwres_freerrset &#8212; retrieve DNS records</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="funcsynopsis">
-<pre class="funcsynopsisinfo">#include &lt;lwres/netdb.h&gt;</pre>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-int
-<b class="fsfunc">lwres_getrrsetbyname</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0"><tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_freerrset</b>(</code></td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr></table>
-</div>
-<p>
-The following structures are used:
-</p>
-<pre class="programlisting">
-struct  rdatainfo {
+
+<!-- $Id: lwres_getrrsetbyname.html,v 1.5.2.1.4.1 2004/03/06 08:15:40 marka Exp $ -->
+
+<HTML
+><HEAD
+><TITLE
+>lwres_getrrsetbyname</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.73
+"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+>lwres_getrrsetbyname</A
+></H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN8"
+></A
+><H2
+>Name</H2
+>lwres_getrrsetbyname, lwres_freerrset&nbsp;--&nbsp;retrieve DNS records</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN12"
+></A
+><H2
+>Synopsis</H2
+><DIV
+CLASS="FUNCSYNOPSIS"
+><A
+NAME="AEN13"
+></A
+><P
+></P
+><PRE
+CLASS="FUNCSYNOPSISINFO"
+>#include &lt;lwres/netdb.h&gt;</PRE
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>int
+lwres_getrrsetbyname</CODE
+>(const char *hostname, unsigned int rdclass, unsigned int rdtype, unsigned int flags, struct rrsetinfo **res);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>void
+lwres_freerrset</CODE
+>(struct rrsetinfo *rrset);</CODE
+></P
+><P
+></P
+></DIV
+><P
+>The following structures are used:
+<PRE
+CLASS="PROGRAMLISTING"
+>struct  rdatainfo {
         unsigned int            rdi_length;     /* length of data */
         unsigned char           *rdi_data;      /* record data */
 };
@@ -89,129 +100,275 @@ struct  rrsetinfo {
         char                    *rri_name;      /* canonical name */
         struct rdatainfo        *rri_rdatas;    /* individual records */
         struct rdatainfo        *rri_sigs;      /* individual signatures */
-};
-</pre>
-<p>
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543384"></a><h2>DESCRIPTION</h2>
-<p>
-<code class="function">lwres_getrrsetbyname()</code>
+};</PRE
+></P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN29"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+><TT
+CLASS="FUNCTION"
+>lwres_getrrsetbyname()</TT
+>
 gets a set of resource records associated with a
-<em class="parameter"><code>hostname</code></em>,
+<TT
+CLASS="PARAMETER"
+><I
+>hostname</I
+></TT
+>,
 
-<em class="parameter"><code>class</code></em>,
+<TT
+CLASS="PARAMETER"
+><I
+>class</I
+></TT
+>,
 
 and
-<em class="parameter"><code>type</code></em>.
+<TT
+CLASS="PARAMETER"
+><I
+>type</I
+></TT
+>.
 
-<em class="parameter"><code>hostname</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>hostname</I
+></TT
+>
 is
 a pointer a to null-terminated string.  The
-<em class="parameter"><code>flags</code></em>
-field is currently unused and must be zero.
-</p>
-<p>
-After a successful call to
-<code class="function">lwres_getrrsetbyname()</code>,
+<TT
+CLASS="PARAMETER"
+><I
+>flags</I
+></TT
+>
+field is currently unused and must be zero.</P
+><P
+>After a successful call to
+<TT
+CLASS="FUNCTION"
+>lwres_getrrsetbyname()</TT
+>,
 
-<em class="parameter"><code>*res</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>*res</I
+></TT
+>
 is a pointer to an
-<span class="type">rrsetinfo</span>
+<SPAN
+CLASS="TYPE"
+>rrsetinfo</SPAN
+>
 structure, containing a list of one or more
-<span class="type">rdatainfo</span>
+<SPAN
+CLASS="TYPE"
+>rdatainfo</SPAN
+>
 structures containing resource records and potentially another list of
-<span class="type">rdatainfo</span>
+<SPAN
+CLASS="TYPE"
+>rdatainfo</SPAN
+>
 structures containing SIG resource records
 associated with those records.
 The members
-<code class="constant">rri_rdclass</code>
+<TT
+CLASS="CONSTANT"
+>rri_rdclass</TT
+>
 and
-<code class="constant">rri_rdtype</code>
+<TT
+CLASS="CONSTANT"
+>rri_rdtype</TT
+>
 are copied from the parameters.
-<code class="constant">rri_ttl</code>
+<TT
+CLASS="CONSTANT"
+>rri_ttl</TT
+>
 and
-<code class="constant">rri_name</code>
+<TT
+CLASS="CONSTANT"
+>rri_name</TT
+>
 are properties of the obtained rrset.
 The resource records contained in
-<code class="constant">rri_rdatas</code>
+<TT
+CLASS="CONSTANT"
+>rri_rdatas</TT
+>
 and
-<code class="constant">rri_sigs</code>
+<TT
+CLASS="CONSTANT"
+>rri_sigs</TT
+>
 are in uncompressed DNS wire format.
 Properties of the rdataset are represented in the
-<code class="constant">rri_flags</code>
+<TT
+CLASS="CONSTANT"
+>rri_flags</TT
+>
 bitfield.  If the RRSET_VALIDATED bit is set, the data has been DNSSEC
-validated and the signatures verified.  
-</p>
-<p>
-All of the information returned by
-<code class="function">lwres_getrrsetbyname()</code>
+validated and the signatures verified.  </P
+><P
+>All of the information returned by
+<TT
+CLASS="FUNCTION"
+>lwres_getrrsetbyname()</TT
+>
 is dynamically allocated: the
-<code class="constant">rrsetinfo</code>
+<TT
+CLASS="CONSTANT"
+>rrsetinfo</TT
+>
 and
-<code class="constant">rdatainfo</code>
+<TT
+CLASS="CONSTANT"
+>rdatainfo</TT
+>
 structures,
 and the canonical host name strings pointed to by the
-<code class="constant">rrsetinfo</code>structure.
+<TT
+CLASS="CONSTANT"
+>rrsetinfo</TT
+>structure.
 
 Memory allocated for the dynamically allocated structures created by
 a successful call to
-<code class="function">lwres_getrrsetbyname()</code>
+<TT
+CLASS="FUNCTION"
+>lwres_getrrsetbyname()</TT
+>
 is released by
-<code class="function">lwres_freerrset()</code>.
+<TT
+CLASS="FUNCTION"
+>lwres_freerrset()</TT
+>.
 
-<em class="parameter"><code>rrset</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>rrset</I
+></TT
+>
 is a pointer to a
-<span class="type">struct rrset</span>
+<SPAN
+CLASS="TYPE"
+>struct rrset</SPAN
+>
 created by a call to
-<code class="function">lwres_getrrsetbyname()</code>.
-
-</p>
-<p>
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543496"></a><h2>RETURN VALUES</h2>
-<p>
-<code class="function">lwres_getrrsetbyname()</code>
+<TT
+CLASS="FUNCTION"
+>lwres_getrrsetbyname()</TT
+>.&#13;</P
+><P
+></P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN62"
+></A
+><H2
+>RETURN VALUES</H2
+><P
+><TT
+CLASS="FUNCTION"
+>lwres_getrrsetbyname()</TT
+>
 returns zero on success, and one of the following error
 codes if an error occurred:
-</p>
-<div class="variablelist"><dl>
-<dt><span class="term"><code class="constant">ERRSET_NONAME</code></span></dt>
-<dd><p>
-the name does not exist
-</p></dd>
-<dt><span class="term"><code class="constant">ERRSET_NODATA</code></span></dt>
-<dd><p>
-the name exists, but does not have data of the desired type
-</p></dd>
-<dt><span class="term"><code class="constant">ERRSET_NOMEMORY</code></span></dt>
-<dd><p>
-memory could not be allocated
-</p></dd>
-<dt><span class="term"><code class="constant">ERRSET_INVAL</code></span></dt>
-<dd><p>
-a parameter is invalid
-</p></dd>
-<dt><span class="term"><code class="constant">ERRSET_FAIL</code></span></dt>
-<dd><p>
-other failure
-</p></dd>
-<dt><span class="term"><code class="constant"></code></span></dt>
-<dd><p>
-</p></dd>
-</dl></div>
-<p>
-
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543570"></a><h2>SEE ALSO</h2>
-<p>
-<span class="citerefentry"><span class="refentrytitle">lwres</span>(3)</span>.
-</p>
-</div>
-</div></body>
-</html>
+<P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="CONSTANT"
+>ERRSET_NONAME</TT
+></DT
+><DD
+><P
+>the name does not exist</P
+></DD
+><DT
+><TT
+CLASS="CONSTANT"
+>ERRSET_NODATA</TT
+></DT
+><DD
+><P
+>the name exists, but does not have data of the desired type</P
+></DD
+><DT
+><TT
+CLASS="CONSTANT"
+>ERRSET_NOMEMORY</TT
+></DT
+><DD
+><P
+>memory could not be allocated</P
+></DD
+><DT
+><TT
+CLASS="CONSTANT"
+>ERRSET_INVAL</TT
+></DT
+><DD
+><P
+>a parameter is invalid</P
+></DD
+><DT
+><TT
+CLASS="CONSTANT"
+>ERRSET_FAIL</TT
+></DT
+><DD
+><P
+>other failure</P
+></DD
+><DT
+><TT
+CLASS="CONSTANT"
+></TT
+></DT
+><DD
+><P
+></P
+></DD
+></DL
+></DIV
+>&#13;</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN97"
+></A
+><H2
+>SEE ALSO</H2
+><P
+><SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres</SPAN
+>(3)</SPAN
+>.</P
+></DIV
+></BODY
+></HTML
+>
diff --git a/lib/lwres/man/lwres_gnba.3 b/lib/lwres/man/lwres_gnba.3
index 32f10be2..404ae414 100644
--- a/lib/lwres/man/lwres_gnba.3
+++ b/lib/lwres/man/lwres_gnba.3
@@ -1,72 +1,86 @@
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\" 
+.\" Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001  Internet Software Consortium.
+.\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
 .\" copyright notice and this permission notice appear in all copies.
-.\" 
+.\"
 .\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 .\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 .\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 .\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_gnba.3,v 1.13.2.9 2007/01/30 00:10:38 marka Exp $
+.\" $Id: lwres_gnba.3,v 1.13.2.1.8.1 2004/03/06 07:41:43 marka Exp $
 .\"
-.hy 0
-.ad l
-.\"     Title: lwres_gnba
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: Jun 30, 2000
-.\"    Manual: BIND9
-.\"    Source: BIND9
-.\"
-.TH "LWRES_GNBA" "3" "Jun 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
+.TH "LWRES_GNBA" "3" "Jun 30, 2000" "BIND9" ""
+.SH NAME
 lwres_gnbarequest_render, lwres_gnbaresponse_render, lwres_gnbarequest_parse, lwres_gnbaresponse_parse, lwres_gnbaresponse_free, lwres_gnbarequest_free \- lightweight resolver getnamebyaddress message handling
-.SH "SYNOPSIS"
-.nf
-#include <lwres/lwres.h>
-.fi
-.HP 40
-.BI "lwres_result_t lwres_gnbarequest_render(lwres_context_t\ *" "ctx" ", lwres_gnbarequest_t\ *" "req" ", lwres_lwpacket_t\ *" "pkt" ", lwres_buffer_t\ *" "b" ");"
-.HP 41
-.BI "lwres_result_t lwres_gnbaresponse_render(lwres_context_t\ *ctx, lwres_gnbaresponse_t\ *req, lwres_lwpacket_t\ *pkt, lwres_buffer_t\ *b);"
-.HP 39
-.BI "lwres_result_t lwres_gnbarequest_parse(lwres_context_t\ *ctx, lwres_buffer_t\ *b, lwres_lwpacket_t\ *pkt, lwres_gnbarequest_t\ **structp);"
-.HP 40
-.BI "lwres_result_t lwres_gnbaresponse_parse(lwres_context_t\ *ctx, lwres_buffer_t\ *b, lwres_lwpacket_t\ *pkt, lwres_gnbaresponse_t\ **structp);"
-.HP 29
-.BI "void lwres_gnbaresponse_free(lwres_context_t\ *ctx, lwres_gnbaresponse_t\ **structp);"
-.HP 28
-.BI "void lwres_gnbarequest_free(lwres_context_t\ *ctx, lwres_gnbarequest_t\ **structp);"
+.SH SYNOPSIS
+\fB#include <lwres/lwres.h>
+.sp
+.na
+lwres_result_t
+lwres_gnbarequest_render(lwres_context_t *\fIctx\fB, lwres_gnbarequest_t *\fIreq\fB, lwres_lwpacket_t *\fIpkt\fB, lwres_buffer_t *\fIb\fB);
+.ad
+.sp
+.na
+lwres_result_t
+lwres_gnbaresponse_render(lwres_context_t *ctx, lwres_gnbaresponse_t *req, lwres_lwpacket_t *pkt, lwres_buffer_t *b);
+.ad
+.sp
+.na
+lwres_result_t
+lwres_gnbarequest_parse(lwres_context_t *ctx, lwres_buffer_t *b, lwres_lwpacket_t *pkt, lwres_gnbarequest_t **structp);
+.ad
+.sp
+.na
+lwres_result_t
+lwres_gnbaresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b, lwres_lwpacket_t *pkt, lwres_gnbaresponse_t **structp);
+.ad
+.sp
+.na
+void
+lwres_gnbaresponse_free(lwres_context_t *ctx, lwres_gnbaresponse_t **structp);
+.ad
+.sp
+.na
+void
+lwres_gnbarequest_free(lwres_context_t *ctx, lwres_gnbarequest_t **structp);
+.ad
+\fR
 .SH "DESCRIPTION"
 .PP
-These are low\-level routines for creating and parsing lightweight resolver address\-to\-name lookup request and response messages.
+These are low-level routines for creating and parsing
+lightweight resolver address-to-name lookup request and 
+response messages.
 .PP
-There are four main functions for the getnamebyaddr opcode. One render function converts a getnamebyaddr request structure \(em
-\fBlwres_gnbarequest_t\fR
-\(em to the lightweight resolver's canonical format. It is complemented by a parse function that converts a packet in this canonical format to a getnamebyaddr request structure. Another render function converts the getnamebyaddr response structure \(em
+There are four main functions for the getnamebyaddr opcode.
+One render function converts a getnamebyaddr request structure \(em
+\fBlwres_gnbarequest_t\fR \(em
+to the lightweight resolver's canonical format.
+It is complemented by a parse function that converts a packet in this
+canonical format to a getnamebyaddr request structure.
+Another render function converts the getnamebyaddr response structure \(em
 \fBlwres_gnbaresponse_t\fR
-to the canonical format. This is complemented by a parse function which converts a packet in canonical format to a getnamebyaddr response structure.
+to the canonical format.
+This is complemented by a parse function which converts a packet in
+canonical format to a getnamebyaddr response structure.
 .PP
 These structures are defined in
-\fIlwres/lwres.h\fR. They are shown below.
+\fIlwres/lwres.h\fR.
+They are shown below.
 .sp
-.RS 4
 .nf
 #define LWRES_OPCODE_GETNAMEBYADDR      0x00010002U
+
 typedef struct {
         lwres_uint32_t  flags;
         lwres_addr_t    addr;
 } lwres_gnbarequest_t;
+
 typedef struct {
         lwres_uint32_t  flags;
         lwres_uint16_t  naliases;
@@ -77,20 +91,22 @@ typedef struct {
         void           *base;
         size_t          baselen;
 } lwres_gnbaresponse_t;
-.fi
-.RE
 .sp
+.fi
 .PP
 \fBlwres_gnbarequest_render()\fR
 uses resolver context
-\fIctx\fR
+ctx
 to convert getnamebyaddr request structure
-\fIreq\fR
-to canonical format. The packet header structure
-\fIpkt\fR
-is initialised and transferred to buffer
-\fIb\fR. The contents of
-\fI*req\fR
+req
+to canonical format.
+The packet header structure
+pkt
+is initialised and transferred to
+buffer
+b.
+The contents of
+*req
 are then appended to the buffer in canonical format.
 \fBlwres_gnbaresponse_render()\fR
 performs the same task, except it converts a getnamebyaddr response structure
@@ -99,17 +115,19 @@ to the lightweight resolver's canonical format.
 .PP
 \fBlwres_gnbarequest_parse()\fR
 uses context
-\fIctx\fR
+ctx
 to convert the contents of packet
-\fIpkt\fR
+pkt
 to a
 \fBlwres_gnbarequest_t\fR
-structure. Buffer
-\fIb\fR
-provides space to be used for storing this structure. When the function succeeds, the resulting
+structure.
+Buffer
+b
+provides space to be used for storing this structure.
+When the function succeeds, the resulting
 \fBlwres_gnbarequest_t\fR
 is made available through
-\fI*structp\fR.
+*structp.
 \fBlwres_gnbaresponse_parse()\fR
 offers the same semantics as
 \fBlwres_gnbarequest_parse()\fR
@@ -121,13 +139,15 @@ structure.
 and
 \fBlwres_gnbarequest_free()\fR
 release the memory in resolver context
-\fIctx\fR
+ctx
 that was allocated to the
 \fBlwres_gnbaresponse_t\fR
 or
 \fBlwres_gnbarequest_t\fR
 structures referenced via
-\fIstructp\fR. Any memory associated with ancillary buffers and strings for those structures is also discarded.
+structp.
+Any memory associated with ancillary buffers and strings for those
+structures is also discarded.
 .SH "RETURN VALUES"
 .PP
 The getnamebyaddr opcode functions
@@ -137,13 +157,14 @@ The getnamebyaddr opcode functions
 and
 \fBlwres_gnbaresponse_parse()\fR
 all return
-\fBLWRES_R_SUCCESS\fR
-on success. They return
-\fBLWRES_R_NOMEMORY\fR
+LWRES_R_SUCCESS
+on success.
+They return
+LWRES_R_NOMEMORY
 if memory allocation fails.
-\fBLWRES_R_UNEXPECTEDEND\fR
+LWRES_R_UNEXPECTEDEND
 is returned if the available space in the buffer
-\fIb\fR
+b
 is too small to accommodate the packet header or the
 \fBlwres_gnbarequest_t\fR
 and
@@ -153,19 +174,15 @@ structures.
 and
 \fBlwres_gnbaresponse_parse()\fR
 will return
-\fBLWRES_R_UNEXPECTEDEND\fR
-if the buffer is not empty after decoding the received packet. These functions will return
-\fBLWRES_R_FAILURE\fR
+LWRES_R_UNEXPECTEDEND
+if the buffer is not empty after decoding the received packet.
+These functions will return
+LWRES_R_FAILURE
 if
-pktflags
+\fBpktflags\fR
 in the packet header structure
 \fBlwres_lwpacket_t\fR
 indicate that the packet is not a response to an earlier query.
 .SH "SEE ALSO"
 .PP
 \fBlwres_packet\fR(3).
-.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000, 2001 Internet Software Consortium.
-.br
diff --git a/lib/lwres/man/lwres_gnba.docbook b/lib/lwres/man/lwres_gnba.docbook
index 4c8d6758..5bd41724 100644
--- a/lib/lwres/man/lwres_gnba.docbook
+++ b/lib/lwres/man/lwres_gnba.docbook
@@ -1,9 +1,7 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
 <!--
- - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001  Internet Software Consortium.
+ - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -18,7 +16,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: lwres_gnba.docbook,v 1.4.2.5 2007/01/29 23:57:17 marka Exp $ -->
+<!-- $Id: lwres_gnba.docbook,v 1.4.206.1 2004/03/06 08:15:40 marka Exp $ -->
 
 <refentry>
 
@@ -32,20 +30,6 @@
 <refmiscinfo>BIND9</refmiscinfo>
 </refmeta>
 
-<docinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2007</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
-  </docinfo>
-
 <refnamediv>
 <refname>lwres_gnbarequest_render</refname>
 <refname>lwres_gnbaresponse_render</refname>
diff --git a/lib/lwres/man/lwres_gnba.html b/lib/lwres/man/lwres_gnba.html
index 363b0fa2..7a13ce9d 100644
--- a/lib/lwres/man/lwres_gnba.html
+++ b/lib/lwres/man/lwres_gnba.html
@@ -1,203 +1,158 @@
 <!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- - 
+ - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001  Internet Software Consortium.
+ -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
- - 
+ -
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_gnba.html,v 1.6.2.15 2007/01/30 00:10:38 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>lwres_gnba</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476275"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p>lwres_gnbarequest_render, lwres_gnbaresponse_render, lwres_gnbarequest_parse, lwres_gnbaresponse_parse, lwres_gnbaresponse_free, lwres_gnbarequest_free &#8212; lightweight resolver getnamebyaddress message handling</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="funcsynopsis">
-<pre class="funcsynopsisinfo">
-#include &lt;lwres/lwres.h&gt;
-</pre>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-lwres_result_t
-<b class="fsfunc">lwres_gnbarequest_render</b>
-(</code></td>
-<td>lwres_context_t * </td>
-<td>
-<var class="pdparam">ctx</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>lwres_gnbarequest_t * </td>
-<td>
-<var class="pdparam">req</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>lwres_lwpacket_t * </td>
-<td>
-<var class="pdparam">pkt</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>lwres_buffer_t * </td>
-<td>
-<var class="pdparam">b</var><code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-lwres_result_t
-<b class="fsfunc">lwres_gnbaresponse_render</b>
-(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-lwres_result_t
-<b class="fsfunc">lwres_gnbarequest_parse</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-lwres_result_t
-<b class="fsfunc">lwres_gnbaresponse_parse</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_gnbaresponse_free</b>
-(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0">
-<tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_gnbarequest_free</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-</div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543481"></a><h2>DESCRIPTION</h2>
-<p>
-These are low-level routines for creating and parsing
+
+<!-- $Id: lwres_gnba.html,v 1.6.2.1.4.1 2004/03/06 08:15:40 marka Exp $ -->
+
+<HTML
+><HEAD
+><TITLE
+>lwres_gnba</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.73
+"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+>lwres_gnba</A
+></H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN8"
+></A
+><H2
+>Name</H2
+>lwres_gnbarequest_render, lwres_gnbaresponse_render, lwres_gnbarequest_parse, lwres_gnbaresponse_parse, lwres_gnbaresponse_free, lwres_gnbarequest_free&nbsp;--&nbsp;lightweight resolver getnamebyaddress message handling</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN16"
+></A
+><H2
+>Synopsis</H2
+><DIV
+CLASS="FUNCSYNOPSIS"
+><A
+NAME="AEN17"
+></A
+><P
+></P
+><PRE
+CLASS="FUNCSYNOPSISINFO"
+>#include &lt;lwres/lwres.h&gt;</PRE
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>lwres_result_t
+lwres_gnbarequest_render</CODE
+>(lwres_context_t *ctx, lwres_gnbarequest_t *req, lwres_lwpacket_t *pkt, lwres_buffer_t *b);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>lwres_result_t
+lwres_gnbaresponse_render</CODE
+>(lwres_context_t *ctx, lwres_gnbaresponse_t *req, lwres_lwpacket_t *pkt, lwres_buffer_t *b);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>lwres_result_t
+lwres_gnbarequest_parse</CODE
+>(lwres_context_t *ctx, lwres_buffer_t *b, lwres_lwpacket_t *pkt, lwres_gnbarequest_t **structp);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>lwres_result_t
+lwres_gnbaresponse_parse</CODE
+>(lwres_context_t *ctx, lwres_buffer_t *b, lwres_lwpacket_t *pkt, lwres_gnbaresponse_t **structp);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>void
+lwres_gnbaresponse_free</CODE
+>(lwres_context_t *ctx, lwres_gnbaresponse_t **structp);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>void
+lwres_gnbarequest_free</CODE
+>(lwres_context_t *ctx, lwres_gnbarequest_t **structp);</CODE
+></P
+><P
+></P
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN61"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+>These are low-level routines for creating and parsing
 lightweight resolver address-to-name lookup request and 
-response messages.
-</p>
-<p>
-There are four main functions for the getnamebyaddr opcode.
-One render function converts a getnamebyaddr request structure &#8212;
-<span class="type">lwres_gnbarequest_t</span> &#8212;
+response messages.</P
+><P
+>There are four main functions for the getnamebyaddr opcode.
+One render function converts a getnamebyaddr request structure &mdash;
+<SPAN
+CLASS="TYPE"
+>lwres_gnbarequest_t</SPAN
+> &mdash;
 to the lightweight resolver's canonical format.
 It is complemented by a parse function that converts a packet in this
 canonical format to a getnamebyaddr request structure.
-Another render function converts the getnamebyaddr response structure &#8212;
-<span class="type">lwres_gnbaresponse_t</span>
+Another render function converts the getnamebyaddr response structure &mdash;
+<SPAN
+CLASS="TYPE"
+>lwres_gnbaresponse_t</SPAN
+>
 to the canonical format.
 This is complemented by a parse function which converts a packet in
-canonical format to a getnamebyaddr response structure.
-</p>
-<p>
-These structures are defined in
-<code class="filename">lwres/lwres.h</code>.
+canonical format to a getnamebyaddr response structure.</P
+><P
+>These structures are defined in
+<TT
+CLASS="FILENAME"
+>lwres/lwres.h</TT
+>.
 They are shown below.
-</p>
-<pre class="programlisting">
-#define LWRES_OPCODE_GETNAMEBYADDR      0x00010002U
+<PRE
+CLASS="PROGRAMLISTING"
+>#define LWRES_OPCODE_GETNAMEBYADDR      0x00010002U
 
 typedef struct {
         lwres_uint32_t  flags;
@@ -213,112 +168,244 @@ typedef struct {
         lwres_uint16_t *aliaslen;
         void           *base;
         size_t          baselen;
-} lwres_gnbaresponse_t;
-</pre>
-<p>
-</p>
-<p>
-<code class="function">lwres_gnbarequest_render()</code>
+} lwres_gnbaresponse_t;</PRE
+></P
+><P
+><TT
+CLASS="FUNCTION"
+>lwres_gnbarequest_render()</TT
+>
 uses resolver context
-<code class="varname">ctx</code>
+<TT
+CLASS="VARNAME"
+>ctx</TT
+>
 to convert getnamebyaddr request structure
-<code class="varname">req</code>
+<TT
+CLASS="VARNAME"
+>req</TT
+>
 to canonical format.
 The packet header structure
-<code class="varname">pkt</code>
+<TT
+CLASS="VARNAME"
+>pkt</TT
+>
 is initialised and transferred to
 buffer
-<code class="varname">b</code>.
+<TT
+CLASS="VARNAME"
+>b</TT
+>.
 The contents of
-<code class="varname">*req</code>
+<TT
+CLASS="VARNAME"
+>*req</TT
+>
 are then appended to the buffer in canonical format.
-<code class="function">lwres_gnbaresponse_render()</code>
+<TT
+CLASS="FUNCTION"
+>lwres_gnbaresponse_render()</TT
+>
 performs the same task, except it converts a getnamebyaddr response structure
-<span class="type">lwres_gnbaresponse_t</span>
-to the lightweight resolver's canonical format.
-</p>
-<p>
-<code class="function">lwres_gnbarequest_parse()</code>
+<SPAN
+CLASS="TYPE"
+>lwres_gnbaresponse_t</SPAN
+>
+to the lightweight resolver's canonical format.</P
+><P
+><TT
+CLASS="FUNCTION"
+>lwres_gnbarequest_parse()</TT
+>
 uses context
-<code class="varname">ctx</code>
+<TT
+CLASS="VARNAME"
+>ctx</TT
+>
 to convert the contents of packet
-<code class="varname">pkt</code>
+<TT
+CLASS="VARNAME"
+>pkt</TT
+>
 to a
-<span class="type">lwres_gnbarequest_t</span>
+<SPAN
+CLASS="TYPE"
+>lwres_gnbarequest_t</SPAN
+>
 structure.
 Buffer
-<code class="varname">b</code>
+<TT
+CLASS="VARNAME"
+>b</TT
+>
 provides space to be used for storing this structure.
 When the function succeeds, the resulting
-<span class="type">lwres_gnbarequest_t</span>
+<SPAN
+CLASS="TYPE"
+>lwres_gnbarequest_t</SPAN
+>
 is made available through
-<code class="varname">*structp</code>.
-<code class="function">lwres_gnbaresponse_parse()</code>
+<TT
+CLASS="VARNAME"
+>*structp</TT
+>.
+<TT
+CLASS="FUNCTION"
+>lwres_gnbaresponse_parse()</TT
+>
 offers the same semantics as
-<code class="function">lwres_gnbarequest_parse()</code>
+<TT
+CLASS="FUNCTION"
+>lwres_gnbarequest_parse()</TT
+>
 except it yields a
-<span class="type">lwres_gnbaresponse_t</span>
-structure.
-</p>
-<p>
-<code class="function">lwres_gnbaresponse_free()</code>
+<SPAN
+CLASS="TYPE"
+>lwres_gnbaresponse_t</SPAN
+>
+structure.</P
+><P
+><TT
+CLASS="FUNCTION"
+>lwres_gnbaresponse_free()</TT
+>
 and
-<code class="function">lwres_gnbarequest_free()</code>
+<TT
+CLASS="FUNCTION"
+>lwres_gnbarequest_free()</TT
+>
 release the memory in resolver context
-<code class="varname">ctx</code>
+<TT
+CLASS="VARNAME"
+>ctx</TT
+>
 that was allocated to the
-<span class="type">lwres_gnbaresponse_t</span>
+<SPAN
+CLASS="TYPE"
+>lwres_gnbaresponse_t</SPAN
+>
 or
-<span class="type">lwres_gnbarequest_t</span>
+<SPAN
+CLASS="TYPE"
+>lwres_gnbarequest_t</SPAN
+>
 structures referenced via
-<code class="varname">structp</code>.
+<TT
+CLASS="VARNAME"
+>structp</TT
+>.
 Any memory associated with ancillary buffers and strings for those
-structures is also discarded.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543606"></a><h2>RETURN VALUES</h2>
-<p>
-The getnamebyaddr opcode functions
-<code class="function">lwres_gnbarequest_render()</code>,
-<code class="function">lwres_gnbaresponse_render()</code>
-<code class="function">lwres_gnbarequest_parse()</code>
+structures is also discarded.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN97"
+></A
+><H2
+>RETURN VALUES</H2
+><P
+>The getnamebyaddr opcode functions
+<TT
+CLASS="FUNCTION"
+>lwres_gnbarequest_render()</TT
+>,
+<TT
+CLASS="FUNCTION"
+>lwres_gnbaresponse_render()</TT
+>
+<TT
+CLASS="FUNCTION"
+>lwres_gnbarequest_parse()</TT
+>
 and
-<code class="function">lwres_gnbaresponse_parse()</code>
+<TT
+CLASS="FUNCTION"
+>lwres_gnbaresponse_parse()</TT
+>
 all return
-<span class="errorcode">LWRES_R_SUCCESS</span>
+<SPAN
+CLASS="ERRORCODE"
+>LWRES_R_SUCCESS</SPAN
+>
 on success.
 They return
-<span class="errorcode">LWRES_R_NOMEMORY</span>
+<SPAN
+CLASS="ERRORCODE"
+>LWRES_R_NOMEMORY</SPAN
+>
 if memory allocation fails.
-<span class="errorcode">LWRES_R_UNEXPECTEDEND</span>
+<SPAN
+CLASS="ERRORCODE"
+>LWRES_R_UNEXPECTEDEND</SPAN
+>
 is returned if the available space in the buffer
-<code class="varname">b</code>
+<TT
+CLASS="VARNAME"
+>b</TT
+>
 is too small to accommodate the packet header or the
-<span class="type">lwres_gnbarequest_t</span>
+<SPAN
+CLASS="TYPE"
+>lwres_gnbarequest_t</SPAN
+>
 and
-<span class="type">lwres_gnbaresponse_t</span>
+<SPAN
+CLASS="TYPE"
+>lwres_gnbaresponse_t</SPAN
+>
 structures.
-<code class="function">lwres_gnbarequest_parse()</code>
+<TT
+CLASS="FUNCTION"
+>lwres_gnbarequest_parse()</TT
+>
 and
-<code class="function">lwres_gnbaresponse_parse()</code>
+<TT
+CLASS="FUNCTION"
+>lwres_gnbaresponse_parse()</TT
+>
 will return
-<span class="errorcode">LWRES_R_UNEXPECTEDEND</span>
+<SPAN
+CLASS="ERRORCODE"
+>LWRES_R_UNEXPECTEDEND</SPAN
+>
 if the buffer is not empty after decoding the received packet.
 These functions will return
-<span class="errorcode">LWRES_R_FAILURE</span>
+<SPAN
+CLASS="ERRORCODE"
+>LWRES_R_FAILURE</SPAN
+>
 if
-<em class="structfield"><code>pktflags</code></em>
+<TT
+CLASS="STRUCTFIELD"
+><I
+>pktflags</I
+></TT
+>
 in the packet header structure
-<span class="type">lwres_lwpacket_t</span>
-indicate that the packet is not a response to an earlier query.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543671"></a><h2>SEE ALSO</h2>
-<p>
-<span class="citerefentry"><span class="refentrytitle">lwres_packet</span>(3)</span>.
-</p>
-</div>
-</div></body>
-</html>
+<SPAN
+CLASS="TYPE"
+>lwres_lwpacket_t</SPAN
+>
+indicate that the packet is not a response to an earlier query.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN116"
+></A
+><H2
+>SEE ALSO</H2
+><P
+><SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres_packet</SPAN
+>(3)</SPAN
+>.</P
+></DIV
+></BODY
+></HTML
+>
diff --git a/lib/lwres/man/lwres_hstrerror.3 b/lib/lwres/man/lwres_hstrerror.3
index 8ac6f423..2260088e 100644
--- a/lib/lwres/man/lwres_hstrerror.3
+++ b/lib/lwres/man/lwres_hstrerror.3
@@ -1,99 +1,69 @@
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\" 
+.\" Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001  Internet Software Consortium.
+.\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
 .\" copyright notice and this permission notice appear in all copies.
-.\" 
+.\"
 .\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 .\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 .\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 .\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_hstrerror.3,v 1.13.2.9 2007/01/30 00:10:38 marka Exp $
-.\"
-.hy 0
-.ad l
-.\"     Title: lwres_hstrerror
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: Jun 30, 2000
-.\"    Manual: BIND9
-.\"    Source: BIND9
+.\" $Id: lwres_hstrerror.3,v 1.13.2.1.8.1 2004/03/06 07:41:43 marka Exp $
 .\"
-.TH "LWRES_HSTRERROR" "3" "Jun 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
+.TH "LWRES_HSTRERROR" "3" "Jun 30, 2000" "BIND9" ""
+.SH NAME
 lwres_herror, lwres_hstrerror \- lightweight resolver error message generation
-.SH "SYNOPSIS"
-.nf
-#include <lwres/netdb.h>
-.fi
-.HP 18
-.BI "void lwres_herror(const\ char\ *s);"
-.HP 29
-.BI "const char * lwres_hstrerror(int\ err);"
+.SH SYNOPSIS
+\fB#include <lwres/netdb.h>
+.sp
+.na
+void
+lwres_herror(const char *s);
+.ad
+.sp
+.na
+const char *
+lwres_hstrerror(int err);
+.ad
+\fR
 .SH "DESCRIPTION"
 .PP
-\fBlwres_herror()\fR
-prints the string
-\fIs\fR
-on
-\fBstderr\fR
-followed by the string generated by
-\fBlwres_hstrerror()\fR
-for the error code stored in the global variable
-\fBlwres_h_errno\fR.
-.PP
-\fBlwres_hstrerror()\fR
-returns an appropriate string for the error code gievn by
-\fIerr\fR. The values of the error codes and messages are as follows:
+\fBlwres_herror()\fR prints the string
+\fIs\fR on \fBstderr\fR followed by the string
+generated by \fBlwres_hstrerror()\fR for the error code
+stored in the global variable lwres_h_errno.
 .PP
+\fBlwres_hstrerror()\fR returns an appropriate string
+for the error code gievn by \fIerr\fR. The values of
+the error codes and messages are as follows:
+.TP
 \fBNETDB_SUCCESS\fR
-.RS 4
-Resolver Error 0 (no error)
-.RE
-.PP
+\fBResolver Error 0 (no error)\fR
+.TP
 \fBHOST_NOT_FOUND\fR
-.RS 4
-Unknown host
-.RE
-.PP
+\fBUnknown host\fR
+.TP
 \fBTRY_AGAIN\fR
-.RS 4
-Host name lookup failure
-.RE
-.PP
+\fBHost name lookup failure\fR
+.TP
 \fBNO_RECOVERY\fR
-.RS 4
-Unknown server error
-.RE
-.PP
+\fBUnknown server error\fR
+.TP
 \fBNO_DATA\fR
-.RS 4
-No address associated with name
-.RE
+\fBNo address associated with name\fR
 .SH "RETURN VALUES"
 .PP
-The string
-Unknown resolver error
-is returned by
+The string \fBUnknown resolver error\fR is returned by
 \fBlwres_hstrerror()\fR
 when the value of
-\fBlwres_h_errno\fR
+lwres_h_errno
 is not a valid error code.
 .SH "SEE ALSO"
 .PP
 \fBherror\fR(3),
 \fBlwres_hstrerror\fR(3).
-.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000, 2001 Internet Software Consortium.
-.br
diff --git a/lib/lwres/man/lwres_hstrerror.docbook b/lib/lwres/man/lwres_hstrerror.docbook
index 99709135..2ad4c498 100644
--- a/lib/lwres/man/lwres_hstrerror.docbook
+++ b/lib/lwres/man/lwres_hstrerror.docbook
@@ -1,9 +1,7 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
 <!--
- - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001  Internet Software Consortium.
+ - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -18,7 +16,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: lwres_hstrerror.docbook,v 1.4.2.5 2007/01/29 23:57:17 marka Exp $ -->
+<!-- $Id: lwres_hstrerror.docbook,v 1.4.206.1 2004/03/06 08:15:41 marka Exp $ -->
 
 <refentry>
 
@@ -32,20 +30,6 @@
 <refmiscinfo>BIND9</refmiscinfo>
 </refmeta>
 
-  <docinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2007</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
-  </docinfo>
-
 <refnamediv>
 <refname>lwres_herror</refname>
 <refname>lwres_hstrerror</refname>
diff --git a/lib/lwres/man/lwres_hstrerror.html b/lib/lwres/man/lwres_hstrerror.html
index e136aab4..2319898a 100644
--- a/lib/lwres/man/lwres_hstrerror.html
+++ b/lib/lwres/man/lwres_hstrerror.html
@@ -1,110 +1,245 @@
 <!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- - 
+ - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001  Internet Software Consortium.
+ -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
- - 
+ -
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_hstrerror.html,v 1.5.2.16 2007/01/30 00:10:38 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>lwres_hstrerror</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476275"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p>lwres_herror, lwres_hstrerror &#8212; lightweight resolver error message generation</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="funcsynopsis">
-<pre class="funcsynopsisinfo">#include &lt;lwres/netdb.h&gt;</pre>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_herror</b>(</code></td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr></table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0"><tr>
-<td><code class="funcdef">
-const char *
-<b class="fsfunc">lwres_hstrerror</b>(</code></td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr></table>
-</div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543365"></a><h2>DESCRIPTION</h2>
-<p>
-<code class="function">lwres_herror()</code> prints the string
-<em class="parameter"><code>s</code></em> on <span class="type">stderr</span> followed by the string
-generated by <code class="function">lwres_hstrerror()</code> for the error code
-stored in the global variable <code class="constant">lwres_h_errno</code>.
-</p>
-<p>
-<code class="function">lwres_hstrerror()</code> returns an appropriate string
-for the error code gievn by <em class="parameter"><code>err</code></em>.  The values of
+
+<!-- $Id: lwres_hstrerror.html,v 1.5.2.1.4.1 2004/03/06 08:15:41 marka Exp $ -->
+
+<HTML
+><HEAD
+><TITLE
+>lwres_hstrerror</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.73
+"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+>lwres_hstrerror</A
+></H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN8"
+></A
+><H2
+>Name</H2
+>lwres_herror, lwres_hstrerror&nbsp;--&nbsp;lightweight resolver error message generation</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN12"
+></A
+><H2
+>Synopsis</H2
+><DIV
+CLASS="FUNCSYNOPSIS"
+><A
+NAME="AEN13"
+></A
+><P
+></P
+><PRE
+CLASS="FUNCSYNOPSISINFO"
+>#include &lt;lwres/netdb.h&gt;</PRE
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>void
+lwres_herror</CODE
+>(const char *s);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>const char *
+lwres_hstrerror</CODE
+>(int err);</CODE
+></P
+><P
+></P
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN23"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+><TT
+CLASS="FUNCTION"
+>lwres_herror()</TT
+> prints the string
+<TT
+CLASS="PARAMETER"
+><I
+>s</I
+></TT
+> on <SPAN
+CLASS="TYPE"
+>stderr</SPAN
+> followed by the string
+generated by <TT
+CLASS="FUNCTION"
+>lwres_hstrerror()</TT
+> for the error code
+stored in the global variable <TT
+CLASS="CONSTANT"
+>lwres_h_errno</TT
+>.</P
+><P
+><TT
+CLASS="FUNCTION"
+>lwres_hstrerror()</TT
+> returns an appropriate string
+for the error code gievn by <TT
+CLASS="PARAMETER"
+><I
+>err</I
+></TT
+>.  The values of
 the error codes and messages are as follows:
 
-</p>
-<div class="variablelist"><dl>
-<dt><span class="term"><span class="errorcode">NETDB_SUCCESS</span></span></dt>
-<dd><p>
-<span class="errorname">Resolver Error 0 (no error)</span>
-</p></dd>
-<dt><span class="term"><span class="errorcode">HOST_NOT_FOUND</span></span></dt>
-<dd><p>
-<span class="errorname">Unknown host</span>
-</p></dd>
-<dt><span class="term"><span class="errorcode">TRY_AGAIN</span></span></dt>
-<dd><p>
-<span class="errorname">Host name lookup failure</span>
-</p></dd>
-<dt><span class="term"><span class="errorcode">NO_RECOVERY</span></span></dt>
-<dd><p>
-<span class="errorname">Unknown server error</span>
-</p></dd>
-<dt><span class="term"><span class="errorcode">NO_DATA</span></span></dt>
-<dd><p>
-<span class="errorname">No address associated with name</span>
-</p></dd>
-</dl></div>
-<p>
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543477"></a><h2>RETURN VALUES</h2>
-<p>
-The string <span class="errorname">Unknown resolver error</span> is returned by
-<code class="function">lwres_hstrerror()</code>
+<P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><SPAN
+CLASS="ERRORCODE"
+>NETDB_SUCCESS</SPAN
+></DT
+><DD
+><P
+><SPAN
+CLASS="ERRORNAME"
+>Resolver Error 0 (no error)</SPAN
+></P
+></DD
+><DT
+><SPAN
+CLASS="ERRORCODE"
+>HOST_NOT_FOUND</SPAN
+></DT
+><DD
+><P
+><SPAN
+CLASS="ERRORNAME"
+>Unknown host</SPAN
+></P
+></DD
+><DT
+><SPAN
+CLASS="ERRORCODE"
+>TRY_AGAIN</SPAN
+></DT
+><DD
+><P
+><SPAN
+CLASS="ERRORNAME"
+>Host name lookup failure</SPAN
+></P
+></DD
+><DT
+><SPAN
+CLASS="ERRORCODE"
+>NO_RECOVERY</SPAN
+></DT
+><DD
+><P
+><SPAN
+CLASS="ERRORNAME"
+>Unknown server error</SPAN
+></P
+></DD
+><DT
+><SPAN
+CLASS="ERRORCODE"
+>NO_DATA</SPAN
+></DT
+><DD
+><P
+><SPAN
+CLASS="ERRORNAME"
+>No address associated with name</SPAN
+></P
+></DD
+></DL
+></DIV
+></P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN65"
+></A
+><H2
+>RETURN VALUES</H2
+><P
+>The string <SPAN
+CLASS="ERRORNAME"
+>Unknown resolver error</SPAN
+> is returned by
+<TT
+CLASS="FUNCTION"
+>lwres_hstrerror()</TT
+>
 when the value of
-<code class="constant">lwres_h_errno</code>
-is not a valid error code.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543496"></a><h2>SEE ALSO</h2>
-<p>
-<span class="citerefentry"><span class="refentrytitle">herror</span>(3)</span>,
+<TT
+CLASS="CONSTANT"
+>lwres_h_errno</TT
+>
+is not a valid error code.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN71"
+></A
+><H2
+>SEE ALSO</H2
+><P
+><SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>herror</SPAN
+>(3)</SPAN
+>,
 
-<span class="citerefentry"><span class="refentrytitle">lwres_hstrerror</span>(3)</span>.
-</p>
-</div>
-</div></body>
-</html>
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres_hstrerror</SPAN
+>(3)</SPAN
+>.</P
+></DIV
+></BODY
+></HTML
+>
diff --git a/lib/lwres/man/lwres_inetntop.3 b/lib/lwres/man/lwres_inetntop.3
index 87a9b911..a4603c60 100644
--- a/lib/lwres/man/lwres_inetntop.3
+++ b/lib/lwres/man/lwres_inetntop.3
@@ -1,77 +1,54 @@
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\" 
+.\" Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001  Internet Software Consortium.
+.\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
 .\" copyright notice and this permission notice appear in all copies.
-.\" 
+.\"
 .\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 .\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 .\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 .\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_inetntop.3,v 1.12.2.9 2007/01/30 00:10:38 marka Exp $
-.\"
-.hy 0
-.ad l
-.\"     Title: lwres_inetntop
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: Jun 30, 2000
-.\"    Manual: BIND9
-.\"    Source: BIND9
+.\" $Id: lwres_inetntop.3,v 1.12.2.1.8.1 2004/03/06 07:41:44 marka Exp $
 .\"
-.TH "LWRES_INETNTOP" "3" "Jun 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
+.TH "LWRES_INETNTOP" "3" "Jun 30, 2000" "BIND9" ""
+.SH NAME
 lwres_net_ntop \- lightweight resolver IP address presentation
-.SH "SYNOPSIS"
-.nf
-#include <lwres/net.h>
-.fi
-.HP 28
-.BI "const char * lwres_net_ntop(int\ af, const\ void\ *src, char\ *dst, size_t\ size);"
+.SH SYNOPSIS
+\fB#include <lwres/net.h>
+.sp
+.na
+const char *
+lwres_net_ntop(int af, const void *src, char *dst, size_t size);
+.ad
+\fR
 .SH "DESCRIPTION"
 .PP
-\fBlwres_net_ntop()\fR
-converts an IP address of protocol family
-\fIaf\fR
-\(em IPv4 or IPv6 \(em at location
-\fIsrc\fR
-from network format to its conventional representation as a string. For IPv4 addresses, that string would be a dotted\-decimal. An IPv6 address would be represented in colon notation as described in RFC1884.
+\fBlwres_net_ntop()\fR converts an IP address of
+protocol family \fIaf\fR \(em IPv4 or IPv6 \(em
+at location \fIsrc\fR from network format to its
+conventional representation as a string. For IPv4 addresses, that
+string would be a dotted-decimal. An IPv6 address would be
+represented in colon notation as described in RFC1884.
 .PP
-The generated string is copied to
-\fIdst\fR
-provided
-\fIsize\fR
-indicates it is long enough to store the ASCII representation of the address.
+The generated string is copied to \fIdst\fR provided
+\fIsize\fR indicates it is long enough to store the
+ASCII representation of the address.
 .SH "RETURN VALUES"
 .PP
-If successful, the function returns
-\fIdst\fR: a pointer to a string containing the presentation format of the address.
-\fBlwres_net_ntop()\fR
-returns
-\fBNULL\fR
-and sets the global variable
-\fBerrno\fR
-to
-\fBEAFNOSUPPORT\fR
-if the protocol family given in
-\fIaf\fR
-is not supported.
+If successful, the function returns \fIdst\fR:
+a pointer to a string containing the presentation format of the
+address. \fBlwres_net_ntop()\fR returns
+\fBNULL\fR and sets the global variable
+errno to EAFNOSUPPORT if
+the protocol family given in \fIaf\fR is not
+supported.
 .SH "SEE ALSO"
 .PP
-\fBRFC1884\fR(),
+\fBRFC1884\fR,
 \fBinet_ntop\fR(3),
 \fBerrno\fR(3).
-.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000, 2001 Internet Software Consortium.
-.br
diff --git a/lib/lwres/man/lwres_inetntop.docbook b/lib/lwres/man/lwres_inetntop.docbook
index 716640cf..e771478b 100644
--- a/lib/lwres/man/lwres_inetntop.docbook
+++ b/lib/lwres/man/lwres_inetntop.docbook
@@ -1,9 +1,7 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
 <!--
- - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001  Internet Software Consortium.
+ - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -18,7 +16,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: lwres_inetntop.docbook,v 1.3.2.5 2007/01/29 23:57:17 marka Exp $ -->
+<!-- $Id: lwres_inetntop.docbook,v 1.3.206.1 2004/03/06 08:15:41 marka Exp $ -->
 
 <refentry>
 
@@ -32,20 +30,6 @@
 <refmiscinfo>BIND9</refmiscinfo>
 </refmeta>
 
-  <docinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2007</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
-  </docinfo>
-
 <refnamediv>
 <refname>lwres_net_ntop</refname>
 <refpurpose>lightweight resolver IP address presentation</refpurpose>
diff --git a/lib/lwres/man/lwres_inetntop.html b/lib/lwres/man/lwres_inetntop.html
index 8f08a549..2a7450c3 100644
--- a/lib/lwres/man/lwres_inetntop.html
+++ b/lib/lwres/man/lwres_inetntop.html
@@ -1,98 +1,189 @@
 <!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- - 
+ - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001  Internet Software Consortium.
+ -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
- - 
+ -
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_inetntop.html,v 1.5.2.16 2007/01/30 00:10:38 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>lwres_inetntop</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476275"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p>lwres_net_ntop &#8212; lightweight resolver IP address presentation</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="funcsynopsis">
-<pre class="funcsynopsisinfo">#include &lt;lwres/net.h&gt;</pre>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0">
-<tr>
-<td><code class="funcdef">
-const char *
-<b class="fsfunc">lwres_net_ntop</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-</div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543361"></a><h2>DESCRIPTION</h2>
-<p>
-<code class="function">lwres_net_ntop()</code> converts an IP address of
-protocol family <em class="parameter"><code>af</code></em> &#8212; IPv4 or IPv6 &#8212;
-at location <em class="parameter"><code>src</code></em> from network format to its
+
+<!-- $Id: lwres_inetntop.html,v 1.5.2.1.4.1 2004/03/06 08:15:41 marka Exp $ -->
+
+<HTML
+><HEAD
+><TITLE
+>lwres_inetntop</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.73
+"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+>lwres_inetntop</A
+></H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN8"
+></A
+><H2
+>Name</H2
+>lwres_net_ntop&nbsp;--&nbsp;lightweight resolver IP address presentation</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN11"
+></A
+><H2
+>Synopsis</H2
+><DIV
+CLASS="FUNCSYNOPSIS"
+><A
+NAME="AEN12"
+></A
+><P
+></P
+><PRE
+CLASS="FUNCSYNOPSISINFO"
+>#include &lt;lwres/net.h&gt;</PRE
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>const char *
+lwres_net_ntop</CODE
+>(int af, const void *src, char *dst, size_t size);</CODE
+></P
+><P
+></P
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN21"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+><TT
+CLASS="FUNCTION"
+>lwres_net_ntop()</TT
+> converts an IP address of
+protocol family <TT
+CLASS="PARAMETER"
+><I
+>af</I
+></TT
+> &mdash; IPv4 or IPv6 &mdash;
+at location <TT
+CLASS="PARAMETER"
+><I
+>src</I
+></TT
+> from network format to its
 conventional representation as a string.  For IPv4 addresses, that
 string would be a dotted-decimal.  An IPv6 address would be
-represented in colon notation as described in RFC1884.
-</p>
-<p>
-The generated string is copied to <em class="parameter"><code>dst</code></em> provided
-<em class="parameter"><code>size</code></em> indicates it is long enough to store the
-ASCII representation of the address.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543394"></a><h2>RETURN VALUES</h2>
-<p>
-If successful, the function returns <em class="parameter"><code>dst</code></em>:
+represented in colon notation as described in RFC1884.</P
+><P
+>The generated string is copied to <TT
+CLASS="PARAMETER"
+><I
+>dst</I
+></TT
+> provided
+<TT
+CLASS="PARAMETER"
+><I
+>size</I
+></TT
+> indicates it is long enough to store the
+ASCII representation of the address.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN30"
+></A
+><H2
+>RETURN VALUES</H2
+><P
+>If successful, the function returns <TT
+CLASS="PARAMETER"
+><I
+>dst</I
+></TT
+>:
 a pointer to a string containing the presentation format of the
-address.  <code class="function">lwres_net_ntop()</code> returns
-<span class="type">NULL</span> and sets the global variable
-<code class="constant">errno</code> to <span class="errorcode">EAFNOSUPPORT</span> if
-the protocol family given in <em class="parameter"><code>af</code></em> is not
-supported.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543425"></a><h2>SEE ALSO</h2>
-<p>
-<span class="citerefentry"><span class="refentrytitle">RFC1884</span></span>,
-<span class="citerefentry"><span class="refentrytitle">inet_ntop</span>(3)</span>,
-<span class="citerefentry"><span class="refentrytitle">errno</span>(3)</span>.
-</p>
-</div>
-</div></body>
-</html>
+address.  <TT
+CLASS="FUNCTION"
+>lwres_net_ntop()</TT
+> returns
+<SPAN
+CLASS="TYPE"
+>NULL</SPAN
+> and sets the global variable
+<TT
+CLASS="CONSTANT"
+>errno</TT
+> to <SPAN
+CLASS="ERRORCODE"
+>EAFNOSUPPORT</SPAN
+> if
+the protocol family given in <TT
+CLASS="PARAMETER"
+><I
+>af</I
+></TT
+> is not
+supported.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN39"
+></A
+><H2
+>SEE ALSO</H2
+><P
+><SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>RFC1884</SPAN
+></SPAN
+>,
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>inet_ntop</SPAN
+>(3)</SPAN
+>,
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>errno</SPAN
+>(3)</SPAN
+>.</P
+></DIV
+></BODY
+></HTML
+>
diff --git a/lib/lwres/man/lwres_noop.3 b/lib/lwres/man/lwres_noop.3
index bb3b427f..36bb9042 100644
--- a/lib/lwres/man/lwres_noop.3
+++ b/lib/lwres/man/lwres_noop.3
@@ -1,146 +1,142 @@
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\" 
+.\" Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001  Internet Software Consortium.
+.\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
 .\" copyright notice and this permission notice appear in all copies.
-.\" 
+.\"
 .\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 .\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 .\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 .\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_noop.3,v 1.14.2.9 2007/01/30 00:10:38 marka Exp $
+.\" $Id: lwres_noop.3,v 1.14.2.1.8.1 2004/03/06 07:41:44 marka Exp $
 .\"
-.hy 0
-.ad l
-.\"     Title: lwres_noop
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: Jun 30, 2000
-.\"    Manual: BIND9
-.\"    Source: BIND9
-.\"
-.TH "LWRES_NOOP" "3" "Jun 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-lwres_nooprequest_render, lwres_noopresponse_render, lwres_nooprequest_parse, lwres_noopresponse_parse, lwres_noopresponse_free, lwres_nooprequest_free \- lightweight resolver no\-op message handling
-.SH "SYNOPSIS"
-.nf
-#include <lwres/lwres.h>
-.fi
-.HP 40
-.BI "lwres_result_t lwres_nooprequest_render(lwres_context_t\ *ctx, lwres_nooprequest_t\ *req, lwres_lwpacket_t\ *pkt, lwres_buffer_t\ *b);"
-.HP 41
-.BI "lwres_result_t lwres_noopresponse_render(lwres_context_t\ *ctx, lwres_noopresponse_t\ *req, lwres_lwpacket_t\ *pkt, lwres_buffer_t\ *b);"
-.HP 39
-.BI "lwres_result_t lwres_nooprequest_parse(lwres_context_t\ *ctx, lwres_buffer_t\ *b, lwres_lwpacket_t\ *pkt, lwres_nooprequest_t\ **structp);"
-.HP 40
-.BI "lwres_result_t lwres_noopresponse_parse(lwres_context_t\ *ctx, lwres_buffer_t\ *b, lwres_lwpacket_t\ *pkt, lwres_noopresponse_t\ **structp);"
-.HP 29
-.BI "void lwres_noopresponse_free(lwres_context_t\ *ctx, lwres_noopresponse_t\ **structp);"
-.HP 28
-.BI "void lwres_nooprequest_free(lwres_context_t\ *ctx, lwres_nooprequest_t\ **structp);"
+.TH "LWRES_NOOP" "3" "Jun 30, 2000" "BIND9" ""
+.SH NAME
+lwres_nooprequest_render, lwres_noopresponse_render, lwres_nooprequest_parse, lwres_noopresponse_parse, lwres_noopresponse_free, lwres_nooprequest_free \- lightweight resolver no-op message handling
+.SH SYNOPSIS
+\fB#include <lwres/lwres.h>
+.sp
+.na
+lwres_result_t
+lwres_nooprequest_render(lwres_context_t *ctx, lwres_nooprequest_t *req, lwres_lwpacket_t *pkt, lwres_buffer_t *b);
+.ad
+.sp
+.na
+lwres_result_t
+lwres_noopresponse_render(lwres_context_t *ctx, lwres_noopresponse_t *req, lwres_lwpacket_t *pkt, lwres_buffer_t *b);
+.ad
+.sp
+.na
+lwres_result_t
+lwres_nooprequest_parse(lwres_context_t *ctx, lwres_buffer_t *b, lwres_lwpacket_t *pkt, lwres_nooprequest_t **structp);
+.ad
+.sp
+.na
+lwres_result_t
+lwres_noopresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b, lwres_lwpacket_t *pkt, lwres_noopresponse_t **structp);
+.ad
+.sp
+.na
+void
+lwres_noopresponse_free(lwres_context_t *ctx, lwres_noopresponse_t **structp);
+.ad
+.sp
+.na
+void
+lwres_nooprequest_free(lwres_context_t *ctx, lwres_nooprequest_t **structp);
+.ad
+\fR
 .SH "DESCRIPTION"
 .PP
-These are low\-level routines for creating and parsing lightweight resolver no\-op request and response messages.
+These are low-level routines for creating and parsing
+lightweight resolver no-op request and response messages.
 .PP
-The no\-op message is analogous to a
-\fBping\fR
-packet: a packet is sent to the resolver daemon and is simply echoed back. The opcode is intended to allow a client to determine if the server is operational or not.
+The no-op message is analogous to a \fBping\fR packet: 
+a packet is sent to the resolver daemon and is simply echoed back.
+The opcode is intended to allow a client to determine if the server is
+operational or not.
 .PP
-There are four main functions for the no\-op opcode. One render function converts a no\-op request structure \(em
-\fBlwres_nooprequest_t\fR
-\(em to the lighweight resolver's canonical format. It is complemented by a parse function that converts a packet in this canonical format to a no\-op request structure. Another render function converts the no\-op response structure \(em
+There are four main functions for the no-op opcode.
+One render function converts a no-op request structure \(em
+\fBlwres_nooprequest_t\fR \(em
+to the lighweight resolver's canonical format.
+It is complemented by a parse function that converts a packet in this
+canonical format to a no-op request structure.
+Another render function converts the no-op response structure \(em
 \fBlwres_noopresponse_t\fR
-to the canonical format. This is complemented by a parse function which converts a packet in canonical format to a no\-op response structure.
+to the canonical format.
+This is complemented by a parse function which converts a packet in
+canonical format to a no-op response structure.
 .PP
 These structures are defined in
-\fIlwres/lwres.h\fR. They are shown below.
+\fIlwres/lwres.h\fR.
+They are shown below.
 .sp
-.RS 4
 .nf
 #define LWRES_OPCODE_NOOP       0x00000000U
+
 typedef struct {
         lwres_uint16_t  datalength;
         unsigned char   *data;
 } lwres_nooprequest_t;
+
 typedef struct {
         lwres_uint16_t  datalength;
         unsigned char   *data;
 } lwres_noopresponse_t;
-.fi
-.RE
 .sp
-Although the structures have different types, they are identical. This is because the no\-op opcode simply echos whatever data was sent: the response is therefore identical to the request.
+.fi
+Although the structures have different types, they are identical.
+This is because the no-op opcode simply echos whatever data was sent:
+the response is therefore identical to the request.
 .PP
-\fBlwres_nooprequest_render()\fR
-uses resolver context
-\fIctx\fR
-to convert no\-op request structure
-\fIreq\fR
-to canonical format. The packet header structure
-\fIpkt\fR
-is initialised and transferred to buffer
-\fIb\fR. The contents of
-\fI*req\fR
-are then appended to the buffer in canonical format.
-\fBlwres_noopresponse_render()\fR
-performs the same task, except it converts a no\-op response structure
-\fBlwres_noopresponse_t\fR
-to the lightweight resolver's canonical format.
+\fBlwres_nooprequest_render()\fR uses resolver
+context \fIctx\fR to convert no-op request structure
+\fIreq\fR to canonical format. The packet header
+structure \fIpkt\fR is initialised and transferred to
+buffer \fIb\fR. The contents of
+\fI*req\fR are then appended to the buffer in
+canonical format. \fBlwres_noopresponse_render()\fR
+performs the same task, except it converts a no-op response structure
+\fBlwres_noopresponse_t\fR to the lightweight resolver's
+canonical format.
 .PP
-\fBlwres_nooprequest_parse()\fR
-uses context
-\fIctx\fR
-to convert the contents of packet
-\fIpkt\fR
-to a
-\fBlwres_nooprequest_t\fR
-structure. Buffer
-\fIb\fR
-provides space to be used for storing this structure. When the function succeeds, the resulting
-\fBlwres_nooprequest_t\fR
-is made available through
+\fBlwres_nooprequest_parse()\fR uses context
+\fIctx\fR to convert the contents of packet
+\fIpkt\fR to a \fBlwres_nooprequest_t\fR
+structure. Buffer \fIb\fR provides space to be used
+for storing this structure. When the function succeeds, the resulting
+\fBlwres_nooprequest_t\fR is made available through
 \fI*structp\fR.
-\fBlwres_noopresponse_parse()\fR
-offers the same semantics as
-\fBlwres_nooprequest_parse()\fR
-except it yields a
-\fBlwres_noopresponse_t\fR
-structure.
+\fBlwres_noopresponse_parse()\fR offers the same
+semantics as \fBlwres_nooprequest_parse()\fR except it
+yields a \fBlwres_noopresponse_t\fR structure.
 .PP
-\fBlwres_noopresponse_free()\fR
-and
-\fBlwres_nooprequest_free()\fR
-release the memory in resolver context
-\fIctx\fR
-that was allocated to the
-\fBlwres_noopresponse_t\fR
-or
-\fBlwres_nooprequest_t\fR
-structures referenced via
-\fIstructp\fR.
+\fBlwres_noopresponse_free()\fR and
+\fBlwres_nooprequest_free()\fR release the memory in
+resolver context \fIctx\fR that was allocated to the
+\fBlwres_noopresponse_t\fR or \fBlwres_nooprequest_t\fR
+structures referenced via \fIstructp\fR.
 .SH "RETURN VALUES"
 .PP
-The no\-op opcode functions
+The no-op opcode functions
 \fBlwres_nooprequest_render()\fR,
 \fBlwres_noopresponse_render()\fR
 \fBlwres_nooprequest_parse()\fR
 and
 \fBlwres_noopresponse_parse()\fR
 all return
-\fBLWRES_R_SUCCESS\fR
-on success. They return
-\fBLWRES_R_NOMEMORY\fR
+LWRES_R_SUCCESS
+on success.
+They return
+LWRES_R_NOMEMORY
 if memory allocation fails.
-\fBLWRES_R_UNEXPECTEDEND\fR
+LWRES_R_UNEXPECTEDEND
 is returned if the available space in the buffer
 \fIb\fR
 is too small to accommodate the packet header or the
@@ -152,19 +148,15 @@ structures.
 and
 \fBlwres_noopresponse_parse()\fR
 will return
-\fBLWRES_R_UNEXPECTEDEND\fR
-if the buffer is not empty after decoding the received packet. These functions will return
-\fBLWRES_R_FAILURE\fR
+LWRES_R_UNEXPECTEDEND
+if the buffer is not empty after decoding the received packet.
+These functions will return
+LWRES_R_FAILURE
 if
-\fBpktflags\fR
+pktflags
 in the packet header structure
 \fBlwres_lwpacket_t\fR
 indicate that the packet is not a response to an earlier query.
 .SH "SEE ALSO"
 .PP
-\fBlwres_packet\fR(3 )
-.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000, 2001 Internet Software Consortium.
-.br
+\fBlwres_packet\fR(3)
diff --git a/lib/lwres/man/lwres_noop.docbook b/lib/lwres/man/lwres_noop.docbook
index 5f60bf16..dde2795c 100644
--- a/lib/lwres/man/lwres_noop.docbook
+++ b/lib/lwres/man/lwres_noop.docbook
@@ -1,9 +1,7 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
 <!--
- - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001  Internet Software Consortium.
+ - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -18,7 +16,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: lwres_noop.docbook,v 1.4.2.5 2007/01/29 23:57:17 marka Exp $ -->
+<!-- $Id: lwres_noop.docbook,v 1.4.206.1 2004/03/06 08:15:41 marka Exp $ -->
 
 <refentry>
 
@@ -32,20 +30,6 @@
 <refmiscinfo>BIND9</refmiscinfo>
 </refmeta>
 
-  <docinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2007</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
-  </docinfo>
-
 <refnamediv>
 <refname>lwres_nooprequest_render</refname>
 <refname>lwres_noopresponse_render</refname>
diff --git a/lib/lwres/man/lwres_noop.html b/lib/lwres/man/lwres_noop.html
index 1391b783..2a456fc7 100644
--- a/lib/lwres/man/lwres_noop.html
+++ b/lib/lwres/man/lwres_noop.html
@@ -1,202 +1,166 @@
 <!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- - 
+ - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001  Internet Software Consortium.
+ -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
- - 
+ -
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_noop.html,v 1.7.2.15 2007/01/30 00:10:38 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>lwres_noop</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476275"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p>lwres_nooprequest_render, lwres_noopresponse_render, lwres_nooprequest_parse, lwres_noopresponse_parse, lwres_noopresponse_free, lwres_nooprequest_free &#8212; lightweight resolver no-op message handling</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="funcsynopsis">
-<pre class="funcsynopsisinfo">
-#include &lt;lwres/lwres.h&gt;</pre>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-lwres_result_t
-<b class="fsfunc">lwres_nooprequest_render</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-lwres_result_t
-<b class="fsfunc">lwres_noopresponse_render</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-lwres_result_t
-<b class="fsfunc">lwres_nooprequest_parse</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-lwres_result_t
-<b class="fsfunc">lwres_noopresponse_parse</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_noopresponse_free</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0">
-<tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_nooprequest_free</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-</div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543469"></a><h2>DESCRIPTION</h2>
-<p>
-These are low-level routines for creating and parsing
-lightweight resolver no-op request and response messages.
-</p>
-<p>
-The no-op message is analogous to a <span><strong class="command">ping</strong></span> packet: 
+
+<!-- $Id: lwres_noop.html,v 1.7.2.1.4.1 2004/03/06 08:15:41 marka Exp $ -->
+
+<HTML
+><HEAD
+><TITLE
+>lwres_noop</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.73
+"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+>lwres_noop</A
+></H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN8"
+></A
+><H2
+>Name</H2
+>lwres_nooprequest_render, lwres_noopresponse_render, lwres_nooprequest_parse, lwres_noopresponse_parse, lwres_noopresponse_free, lwres_nooprequest_free&nbsp;--&nbsp;lightweight resolver no-op message handling</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN16"
+></A
+><H2
+>Synopsis</H2
+><DIV
+CLASS="FUNCSYNOPSIS"
+><A
+NAME="AEN17"
+></A
+><P
+></P
+><PRE
+CLASS="FUNCSYNOPSISINFO"
+>#include &lt;lwres/lwres.h&gt;</PRE
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>lwres_result_t
+lwres_nooprequest_render</CODE
+>(lwres_context_t *ctx, lwres_nooprequest_t *req, lwres_lwpacket_t *pkt, lwres_buffer_t *b);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>lwres_result_t
+lwres_noopresponse_render</CODE
+>(lwres_context_t *ctx, lwres_noopresponse_t *req, lwres_lwpacket_t *pkt, lwres_buffer_t *b);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>lwres_result_t
+lwres_nooprequest_parse</CODE
+>(lwres_context_t *ctx, lwres_buffer_t *b, lwres_lwpacket_t *pkt, lwres_nooprequest_t **structp);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>lwres_result_t
+lwres_noopresponse_parse</CODE
+>(lwres_context_t *ctx, lwres_buffer_t *b, lwres_lwpacket_t *pkt, lwres_noopresponse_t **structp);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>void
+lwres_noopresponse_free</CODE
+>(lwres_context_t *ctx, lwres_noopresponse_t **structp);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>void
+lwres_nooprequest_free</CODE
+>(lwres_context_t *ctx, lwres_nooprequest_t **structp);</CODE
+></P
+><P
+></P
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN57"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+>These are low-level routines for creating and parsing
+lightweight resolver no-op request and response messages.</P
+><P
+>The no-op message is analogous to a <B
+CLASS="COMMAND"
+>ping</B
+> packet: 
 a packet is sent to the resolver daemon and is simply echoed back.
 The opcode is intended to allow a client to determine if the server is
-operational or not.
-</p>
-<p>
-There are four main functions for the no-op opcode.
-One render function converts a no-op request structure &#8212;
-<span class="type">lwres_nooprequest_t</span> &#8212;
+operational or not.</P
+><P
+>There are four main functions for the no-op opcode.
+One render function converts a no-op request structure &mdash;
+<SPAN
+CLASS="TYPE"
+>lwres_nooprequest_t</SPAN
+> &mdash;
 to the lighweight resolver's canonical format.
 It is complemented by a parse function that converts a packet in this
 canonical format to a no-op request structure.
-Another render function converts the no-op response structure &#8212;
-<span class="type">lwres_noopresponse_t</span>
+Another render function converts the no-op response structure &mdash;
+<SPAN
+CLASS="TYPE"
+>lwres_noopresponse_t</SPAN
+>
 to the canonical format.
 This is complemented by a parse function which converts a packet in
-canonical format to a no-op response structure.
-</p>
-<p>
-These structures are defined in
-<code class="filename">lwres/lwres.h</code>.
+canonical format to a no-op response structure.</P
+><P
+>These structures are defined in
+<TT
+CLASS="FILENAME"
+>lwres/lwres.h</TT
+>.
 
 They are shown below.
-</p>
-<pre class="programlisting">
-#define LWRES_OPCODE_NOOP       0x00000000U
+<PRE
+CLASS="PROGRAMLISTING"
+>#define LWRES_OPCODE_NOOP       0x00000000U
 
 typedef struct {
         lwres_uint16_t  datalength;
@@ -206,90 +170,243 @@ typedef struct {
 typedef struct {
         lwres_uint16_t  datalength;
         unsigned char   *data;
-} lwres_noopresponse_t;
-</pre>
-<p>
+} lwres_noopresponse_t;</PRE
+>
 Although the structures have different types, they are identical.
 This is because the no-op opcode simply echos whatever data was sent:
-the response is therefore identical to the request.
-</p>
-<p>
-<code class="function">lwres_nooprequest_render()</code> uses resolver
-context <em class="parameter"><code>ctx</code></em> to convert no-op request structure
-<em class="parameter"><code>req</code></em> to canonical format.  The packet header
-structure <em class="parameter"><code>pkt</code></em> is initialised and transferred to
-buffer <em class="parameter"><code>b</code></em>.  The contents of
-<em class="parameter"><code>*req</code></em> are then appended to the buffer in
-canonical format.  <code class="function">lwres_noopresponse_render()</code>
+the response is therefore identical to the request.</P
+><P
+><TT
+CLASS="FUNCTION"
+>lwres_nooprequest_render()</TT
+> uses resolver
+context <TT
+CLASS="PARAMETER"
+><I
+>ctx</I
+></TT
+> to convert no-op request structure
+<TT
+CLASS="PARAMETER"
+><I
+>req</I
+></TT
+> to canonical format.  The packet header
+structure <TT
+CLASS="PARAMETER"
+><I
+>pkt</I
+></TT
+> is initialised and transferred to
+buffer <TT
+CLASS="PARAMETER"
+><I
+>b</I
+></TT
+>.  The contents of
+<TT
+CLASS="PARAMETER"
+><I
+>*req</I
+></TT
+> are then appended to the buffer in
+canonical format.  <TT
+CLASS="FUNCTION"
+>lwres_noopresponse_render()</TT
+>
 performs the same task, except it converts a no-op response structure
-<span class="type">lwres_noopresponse_t</span> to the lightweight resolver's
-canonical format.
-</p>
-<p>
-<code class="function">lwres_nooprequest_parse()</code> uses context
-<em class="parameter"><code>ctx</code></em> to convert the contents of packet
-<em class="parameter"><code>pkt</code></em> to a <span class="type">lwres_nooprequest_t</span>
-structure.  Buffer <em class="parameter"><code>b</code></em> provides space to be used
+<SPAN
+CLASS="TYPE"
+>lwres_noopresponse_t</SPAN
+> to the lightweight resolver's
+canonical format.</P
+><P
+><TT
+CLASS="FUNCTION"
+>lwres_nooprequest_parse()</TT
+> uses context
+<TT
+CLASS="PARAMETER"
+><I
+>ctx</I
+></TT
+> to convert the contents of packet
+<TT
+CLASS="PARAMETER"
+><I
+>pkt</I
+></TT
+> to a <SPAN
+CLASS="TYPE"
+>lwres_nooprequest_t</SPAN
+>
+structure.  Buffer <TT
+CLASS="PARAMETER"
+><I
+>b</I
+></TT
+> provides space to be used
 for storing this structure.  When the function succeeds, the resulting
-<span class="type">lwres_nooprequest_t</span> is made available through
-<em class="parameter"><code>*structp</code></em>.
-<code class="function">lwres_noopresponse_parse()</code> offers the same
-semantics as <code class="function">lwres_nooprequest_parse()</code> except it
-yields a <span class="type">lwres_noopresponse_t</span> structure.
-</p>
-<p>
-<code class="function">lwres_noopresponse_free()</code> and
-<code class="function">lwres_nooprequest_free()</code> release the memory in
-resolver context <em class="parameter"><code>ctx</code></em> that was allocated to the
-<span class="type">lwres_noopresponse_t</span> or <span class="type">lwres_nooprequest_t</span>
-structures referenced via <em class="parameter"><code>structp</code></em>.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543602"></a><h2>RETURN VALUES</h2>
-<p>
-The no-op opcode functions
-<code class="function">lwres_nooprequest_render()</code>,
+<SPAN
+CLASS="TYPE"
+>lwres_nooprequest_t</SPAN
+> is made available through
+<TT
+CLASS="PARAMETER"
+><I
+>*structp</I
+></TT
+>.
+<TT
+CLASS="FUNCTION"
+>lwres_noopresponse_parse()</TT
+> offers the same
+semantics as <TT
+CLASS="FUNCTION"
+>lwres_nooprequest_parse()</TT
+> except it
+yields a <SPAN
+CLASS="TYPE"
+>lwres_noopresponse_t</SPAN
+> structure.</P
+><P
+><TT
+CLASS="FUNCTION"
+>lwres_noopresponse_free()</TT
+> and
+<TT
+CLASS="FUNCTION"
+>lwres_nooprequest_free()</TT
+> release the memory in
+resolver context <TT
+CLASS="PARAMETER"
+><I
+>ctx</I
+></TT
+> that was allocated to the
+<SPAN
+CLASS="TYPE"
+>lwres_noopresponse_t</SPAN
+> or <SPAN
+CLASS="TYPE"
+>lwres_nooprequest_t</SPAN
+>
+structures referenced via <TT
+CLASS="PARAMETER"
+><I
+>structp</I
+></TT
+>.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN95"
+></A
+><H2
+>RETURN VALUES</H2
+><P
+>The no-op opcode functions
+<TT
+CLASS="FUNCTION"
+>lwres_nooprequest_render()</TT
+>,
 
-<code class="function">lwres_noopresponse_render()</code>
-<code class="function">lwres_nooprequest_parse()</code>
+<TT
+CLASS="FUNCTION"
+>lwres_noopresponse_render()</TT
+>
+<TT
+CLASS="FUNCTION"
+>lwres_nooprequest_parse()</TT
+>
 and
-<code class="function">lwres_noopresponse_parse()</code>
+<TT
+CLASS="FUNCTION"
+>lwres_noopresponse_parse()</TT
+>
 all return
-<span class="errorcode">LWRES_R_SUCCESS</span>
+<SPAN
+CLASS="ERRORCODE"
+>LWRES_R_SUCCESS</SPAN
+>
 on success.
 They return
-<span class="errorcode">LWRES_R_NOMEMORY</span>
+<SPAN
+CLASS="ERRORCODE"
+>LWRES_R_NOMEMORY</SPAN
+>
 if memory allocation fails.
-<span class="errorcode">LWRES_R_UNEXPECTEDEND</span>
+<SPAN
+CLASS="ERRORCODE"
+>LWRES_R_UNEXPECTEDEND</SPAN
+>
 is returned if the available space in the buffer
-<em class="parameter"><code>b</code></em>
+<TT
+CLASS="PARAMETER"
+><I
+>b</I
+></TT
+>
 is too small to accommodate the packet header or the
-<span class="type">lwres_nooprequest_t</span>
+<SPAN
+CLASS="TYPE"
+>lwres_nooprequest_t</SPAN
+>
 and
-<span class="type">lwres_noopresponse_t</span>
+<SPAN
+CLASS="TYPE"
+>lwres_noopresponse_t</SPAN
+>
 structures.
-<code class="function">lwres_nooprequest_parse()</code>
+<TT
+CLASS="FUNCTION"
+>lwres_nooprequest_parse()</TT
+>
 and
-<code class="function">lwres_noopresponse_parse()</code>
+<TT
+CLASS="FUNCTION"
+>lwres_noopresponse_parse()</TT
+>
 will return
-<span class="errorcode">LWRES_R_UNEXPECTEDEND</span>
+<SPAN
+CLASS="ERRORCODE"
+>LWRES_R_UNEXPECTEDEND</SPAN
+>
 if the buffer is not empty after decoding the received packet.
 These functions will return
-<span class="errorcode">LWRES_R_FAILURE</span>
+<SPAN
+CLASS="ERRORCODE"
+>LWRES_R_FAILURE</SPAN
+>
 if
-<code class="constant">pktflags</code>
+<TT
+CLASS="CONSTANT"
+>pktflags</TT
+>
 in the packet header structure
-<span class="type">lwres_lwpacket_t</span>
-indicate that the packet is not a response to an earlier query.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543666"></a><h2>SEE ALSO</h2>
-<p>
-<span class="citerefentry"><span class="refentrytitle">lwres_packet</span>(3
-)</span>
-</p>
-</div>
-</div></body>
-</html>
+<SPAN
+CLASS="TYPE"
+>lwres_lwpacket_t</SPAN
+>
+indicate that the packet is not a response to an earlier query.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN114"
+></A
+><H2
+>SEE ALSO</H2
+><P
+><SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres_packet</SPAN
+>(3)</SPAN
+></P
+></DIV
+></BODY
+></HTML
+>
diff --git a/lib/lwres/man/lwres_packet.3 b/lib/lwres/man/lwres_packet.3
index ebaa00a8..1fbc417e 100644
--- a/lib/lwres/man/lwres_packet.3
+++ b/lib/lwres/man/lwres_packet.3
@@ -1,44 +1,36 @@
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\" 
+.\" Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001  Internet Software Consortium.
+.\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
 .\" copyright notice and this permission notice appear in all copies.
-.\" 
+.\"
 .\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 .\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 .\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 .\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_packet.3,v 1.15.2.9 2007/01/30 00:10:38 marka Exp $
-.\"
-.hy 0
-.ad l
-.\"     Title: lwres_packet
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: Jun 30, 2000
-.\"    Manual: BIND9
-.\"    Source: BIND9
+.\" $Id: lwres_packet.3,v 1.15.2.1.8.1 2004/03/06 07:41:44 marka Exp $
 .\"
-.TH "LWRES_PACKET" "3" "Jun 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
+.TH "LWRES_PACKET" "3" "Jun 30, 2000" "BIND9" ""
+.SH NAME
 lwres_lwpacket_renderheader, lwres_lwpacket_parseheader \- lightweight resolver packet handling functions
-.SH "SYNOPSIS"
-.nf
-#include <lwres/lwpacket.h>
-.fi
-.HP 43
-.BI "lwres_result_t lwres_lwpacket_renderheader(lwres_buffer_t\ *b, lwres_lwpacket_t\ *pkt);"
-.HP 42
-.BI "lwres_result_t lwres_lwpacket_parseheader(lwres_buffer_t\ *b, lwres_lwpacket_t\ *pkt);"
+.SH SYNOPSIS
+\fB#include <lwres/lwpacket.h>
+.sp
+.na
+lwres_result_t
+lwres_lwpacket_renderheader(lwres_buffer_t *b, lwres_lwpacket_t *pkt);
+.ad
+.sp
+.na
+lwres_result_t
+lwres_lwpacket_parseheader(lwres_buffer_t *b, lwres_lwpacket_t *pkt);
+.ad
+\fR
 .SH "DESCRIPTION"
 .PP
 These functions rely on a
@@ -46,9 +38,9 @@ These functions rely on a
 which is defined in
 \fIlwres/lwpacket.h\fR.
 .sp
-.RS 4
 .nf
 typedef struct lwres_lwpacket lwres_lwpacket_t;
+
 struct lwres_lwpacket {
         lwres_uint32_t          length;
         lwres_uint16_t          version;
@@ -60,105 +52,100 @@ struct lwres_lwpacket {
         lwres_uint16_t          authtype;
         lwres_uint16_t          authlength;
 };
-.fi
-.RE
 .sp
+.fi
 .PP
 The elements of this structure are:
-.PP
+.TP
 \fBlength\fR
-.RS 4
-the overall packet length, including the entire packet header. This field is filled in by the lwres_gabn_*() and lwres_gnba_*() calls.
-.RE
-.PP
+the overall packet length, including the entire packet header.
+This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
+calls.
+.TP
 \fBversion\fR
-.RS 4
 the header format. There is currently only one format,
-\fBLWRES_LWPACKETVERSION_0\fR. This field is filled in by the lwres_gabn_*() and lwres_gnba_*() calls.
-.RE
-.PP
+\fBLWRES_LWPACKETVERSION_0\fR.
+This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
+calls.
+.TP
 \fBpktflags\fR
-.RS 4
-library\-defined flags for this packet: for instance whether the packet is a request or a reply. Flag values can be set, but not defined by the caller. This field is filled in by the application wit the exception of the LWRES_LWPACKETFLAG_RESPONSE bit, which is set by the library in the lwres_gabn_*() and lwres_gnba_*() calls.
-.RE
-.PP
+library-defined flags for this packet: for instance whether the packet
+is a request or a reply. Flag values can be set, but not defined by
+the caller.
+This field is filled in by the application wit the exception of the
+LWRES_LWPACKETFLAG_RESPONSE bit, which is set by the library in the
+lwres_gabn_*() and lwres_gnba_*() calls.
+.TP
 \fBserial\fR
-.RS 4
-is set by the requestor and is returned in all replies. If two or more packets from the same source have the same serial number and are from the same source, they are assumed to be duplicates and the latter ones may be dropped. This field must be set by the application.
-.RE
-.PP
+is set by the requestor and is returned in all replies. If two or more
+packets from the same source have the same serial number and are from
+the same source, they are assumed to be duplicates and the latter ones
+may be dropped.
+This field must be set by the application.
+.TP
 \fBopcode\fR
-.RS 4
-indicates the operation. Opcodes between 0x00000000 and 0x03ffffff are reserved for use by the lightweight resolver library. Opcodes between 0x04000000 and 0xffffffff are application defined. This field is filled in by the lwres_gabn_*() and lwres_gnba_*() calls.
-.RE
-.PP
+indicates the operation.
+Opcodes between 0x00000000 and 0x03ffffff are
+reserved for use by the lightweight resolver library. Opcodes between
+0x04000000 and 0xffffffff are application defined.
+This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
+calls.
+.TP
 \fBresult\fR
-.RS 4
-is only valid for replies. Results between 0x04000000 and 0xffffffff are application defined. Results between 0x00000000 and 0x03ffffff are reserved for library use. This field is filled in by the lwres_gabn_*() and lwres_gnba_*() calls.
-.RE
-.PP
+is only valid for replies.
+Results between 0x04000000 and 0xffffffff are application defined.
+Results between 0x00000000 and 0x03ffffff are reserved for library use.
+This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
+calls.
+.TP
 \fBrecvlength\fR
-.RS 4
-is the maximum buffer size that the receiver can handle on requests and the size of the buffer needed to satisfy a request when the buffer is too large for replies. This field is supplied by the application.
-.RE
-.PP
+is the maximum buffer size that the receiver can handle on requests
+and the size of the buffer needed to satisfy a request when the buffer
+is too large for replies.
+This field is supplied by the application.
+.TP
 \fBauthtype\fR
-.RS 4
-defines the packet level authentication that is used. Authorisation types between 0x1000 and 0xffff are application defined and types between 0x0000 and 0x0fff are reserved for library use. Currently these are not used and must be zero.
-.RE
-.PP
+defines the packet level authentication that is used.
+Authorisation types between 0x1000 and 0xffff are application defined
+and types between 0x0000 and 0x0fff are reserved for library use.
+Currently these are not used and must be zero.
+.TP
 \fBauthlen\fR
-.RS 4
-gives the length of the authentication data. Since packet authentication is currently not used, this must be zero.
-.RE
+gives the length of the authentication data.
+Since packet authentication is currently not used, this must be zero.
 .PP
 The following opcodes are currently defined:
-.PP
+.TP
 \fBNOOP\fR
-.RS 4
-Success is always returned and the packet contents are echoed. The lwres_noop_*() functions should be used for this type.
-.RE
-.PP
+Success is always returned and the packet contents are echoed.
+The lwres_noop_*() functions should be used for this type.
+.TP
 \fBGETADDRSBYNAME\fR
-.RS 4
-returns all known addresses for a given name. The lwres_gabn_*() functions should be used for this type.
-.RE
-.PP
+returns all known addresses for a given name.
+The lwres_gabn_*() functions should be used for this type.
+.TP
 \fBGETNAMEBYADDR\fR
-.RS 4
-return the hostname for the given address. The lwres_gnba_*() functions should be used for this type.
-.RE
+return the hostname for the given address.
+The lwres_gnba_*() functions should be used for this type.
 .PP
-\fBlwres_lwpacket_renderheader()\fR
-transfers the contents of lightweight resolver packet structure
-\fBlwres_lwpacket_t\fR
-\fI*pkt\fR
-in network byte order to the lightweight resolver buffer,
+\fBlwres_lwpacket_renderheader()\fR transfers the
+contents of lightweight resolver packet structure
+\fBlwres_lwpacket_t\fR \fI*pkt\fR in network
+byte order to the lightweight resolver buffer,
 \fI*b\fR.
 .PP
-\fBlwres_lwpacket_parseheader()\fR
-performs the converse operation. It transfers data in network byte order from buffer
-\fI*b\fR
-to resolver packet
+\fBlwres_lwpacket_parseheader()\fR performs the
+converse operation. It transfers data in network byte order from
+buffer \fI*b\fR to resolver packet
 \fI*pkt\fR. The contents of the buffer
-\fIb\fR
-should correspond to a
+\fIb\fR should correspond to a
 \fBlwres_lwpacket_t\fR.
 .SH "RETURN VALUES"
 .PP
 Successful calls to
-\fBlwres_lwpacket_renderheader()\fR
-and
-\fBlwres_lwpacket_parseheader()\fR
-return
-\fBLWRES_R_SUCCESS\fR. If there is insufficient space to copy data between the buffer
-\fI*b\fR
-and lightweight resolver packet
-\fI*pkt\fR
-both functions return
-\fBLWRES_R_UNEXPECTEDEND\fR.
-.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000, 2001 Internet Software Consortium.
-.br
+\fBlwres_lwpacket_renderheader()\fR and
+\fBlwres_lwpacket_parseheader()\fR return
+LWRES_R_SUCCESS. If there is insufficient
+space to copy data between the buffer \fI*b\fR and
+lightweight resolver packet \fI*pkt\fR both functions
+return LWRES_R_UNEXPECTEDEND.
diff --git a/lib/lwres/man/lwres_packet.docbook b/lib/lwres/man/lwres_packet.docbook
index 847775c9..7795ebc7 100644
--- a/lib/lwres/man/lwres_packet.docbook
+++ b/lib/lwres/man/lwres_packet.docbook
@@ -1,9 +1,7 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
 <!--
- - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001  Internet Software Consortium.
+ - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -18,7 +16,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: lwres_packet.docbook,v 1.6.2.5 2007/01/29 23:57:17 marka Exp $ -->
+<!-- $Id: lwres_packet.docbook,v 1.6.206.1 2004/03/06 08:15:42 marka Exp $ -->
 
 <refentry>
 
@@ -32,20 +30,6 @@
 <refmiscinfo>BIND9</refmiscinfo>
 </refmeta>
 
-  <docinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2007</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
-  </docinfo>
-
 <refnamediv>
 <refname>lwres_lwpacket_renderheader</refname>
 <refname>lwres_lwpacket_parseheader</refname>
diff --git a/lib/lwres/man/lwres_packet.html b/lib/lwres/man/lwres_packet.html
index d16b36f8..f8f54b05 100644
--- a/lib/lwres/man/lwres_packet.html
+++ b/lib/lwres/man/lwres_packet.html
@@ -1,79 +1,109 @@
 <!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- - 
+ - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001  Internet Software Consortium.
+ -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
- - 
+ -
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_packet.html,v 1.8.2.16 2007/01/30 00:10:38 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>lwres_packet</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476275"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p>lwres_lwpacket_renderheader, lwres_lwpacket_parseheader &#8212; lightweight resolver packet handling functions</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="funcsynopsis">
-<pre class="funcsynopsisinfo">#include &lt;lwres/lwpacket.h&gt;</pre>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-lwres_result_t
-<b class="fsfunc">lwres_lwpacket_renderheader</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0">
-<tr>
-<td><code class="funcdef">
-lwres_result_t
-<b class="fsfunc">lwres_lwpacket_parseheader</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-</div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543371"></a><h2>DESCRIPTION</h2>
-<p>
-These functions rely on a
-<span class="type">struct lwres_lwpacket</span>
+
+<!-- $Id: lwres_packet.html,v 1.8.2.1.4.1 2004/03/06 08:15:42 marka Exp $ -->
+
+<HTML
+><HEAD
+><TITLE
+>lwres_packet</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.73
+"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+>lwres_packet</A
+></H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN8"
+></A
+><H2
+>Name</H2
+>lwres_lwpacket_renderheader, lwres_lwpacket_parseheader&nbsp;--&nbsp;lightweight resolver packet handling functions</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN12"
+></A
+><H2
+>Synopsis</H2
+><DIV
+CLASS="FUNCSYNOPSIS"
+><A
+NAME="AEN13"
+></A
+><P
+></P
+><PRE
+CLASS="FUNCSYNOPSISINFO"
+>#include &lt;lwres/lwpacket.h&gt;</PRE
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>lwres_result_t
+lwres_lwpacket_renderheader</CODE
+>(lwres_buffer_t *b, lwres_lwpacket_t *pkt);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>lwres_result_t
+lwres_lwpacket_parseheader</CODE
+>(lwres_buffer_t *b, lwres_lwpacket_t *pkt);</CODE
+></P
+><P
+></P
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN25"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+>These functions rely on a
+<SPAN
+CLASS="TYPE"
+>struct lwres_lwpacket</SPAN
+>
 which is defined in
-<code class="filename">lwres/lwpacket.h</code>.
+<TT
+CLASS="FILENAME"
+>lwres/lwpacket.h</TT
+>.
 
-</p>
-<pre class="programlisting">
-typedef struct lwres_lwpacket lwres_lwpacket_t;
+<PRE
+CLASS="PROGRAMLISTING"
+>typedef struct lwres_lwpacket lwres_lwpacket_t;
 
 struct lwres_lwpacket {
         lwres_uint32_t          length;
@@ -85,132 +115,262 @@ struct lwres_lwpacket {
         lwres_uint32_t          recvlength;
         lwres_uint16_t          authtype;
         lwres_uint16_t          authlength;
-};
-</pre>
-<p>
-</p>
-<p>
-The elements of this structure are:
-</p>
-<div class="variablelist"><dl>
-<dt><span class="term"><code class="constant">length</code></span></dt>
-<dd><p>
-the overall packet length, including the entire packet header.
+};</PRE
+></P
+><P
+>The elements of this structure are:
+<P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="CONSTANT"
+>length</TT
+></DT
+><DD
+><P
+>the overall packet length, including the entire packet header.
 This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
-calls.
-</p></dd>
-<dt><span class="term"><code class="constant">version</code></span></dt>
-<dd><p>
-the header format. There is currently only one format,
-<span class="type">LWRES_LWPACKETVERSION_0</span>.
+calls.</P
+></DD
+><DT
+><TT
+CLASS="CONSTANT"
+>version</TT
+></DT
+><DD
+><P
+>the header format. There is currently only one format,
+<SPAN
+CLASS="TYPE"
+>LWRES_LWPACKETVERSION_0</SPAN
+>.
 
 This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
-calls.
-</p></dd>
-<dt><span class="term"><code class="constant">pktflags</code></span></dt>
-<dd><p>
-library-defined flags for this packet: for instance whether the packet
+calls.</P
+></DD
+><DT
+><TT
+CLASS="CONSTANT"
+>pktflags</TT
+></DT
+><DD
+><P
+>library-defined flags for this packet: for instance whether the packet
 is a request or a reply. Flag values can be set, but not defined by
 the caller.
 This field is filled in by the application wit the exception of the
 LWRES_LWPACKETFLAG_RESPONSE bit, which is set by the library in the
-lwres_gabn_*() and lwres_gnba_*() calls.
-</p></dd>
-<dt><span class="term"><code class="constant">serial</code></span></dt>
-<dd><p>
-is set by the requestor and is returned in all replies. If two or more
+lwres_gabn_*() and lwres_gnba_*() calls.</P
+></DD
+><DT
+><TT
+CLASS="CONSTANT"
+>serial</TT
+></DT
+><DD
+><P
+>is set by the requestor and is returned in all replies. If two or more
 packets from the same source have the same serial number and are from
 the same source, they are assumed to be duplicates and the latter ones
 may be dropped.
-This field must be set by the application.
-</p></dd>
-<dt><span class="term"><code class="constant">opcode</code></span></dt>
-<dd><p>
-indicates the operation.
+This field must be set by the application.</P
+></DD
+><DT
+><TT
+CLASS="CONSTANT"
+>opcode</TT
+></DT
+><DD
+><P
+>indicates the operation.
 Opcodes between 0x00000000 and 0x03ffffff are
 reserved for use by the lightweight resolver library. Opcodes between
 0x04000000 and 0xffffffff are application defined.
 This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
-calls.
-</p></dd>
-<dt><span class="term"><code class="constant">result</code></span></dt>
-<dd><p>
-is only valid for replies.
+calls.</P
+></DD
+><DT
+><TT
+CLASS="CONSTANT"
+>result</TT
+></DT
+><DD
+><P
+>is only valid for replies.
 Results between 0x04000000 and 0xffffffff are application defined.
 Results between 0x00000000 and 0x03ffffff are reserved for library use.
 This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
-calls.
-</p></dd>
-<dt><span class="term"><code class="constant">recvlength</code></span></dt>
-<dd><p>
-is the maximum buffer size that the receiver can handle on requests
+calls.</P
+></DD
+><DT
+><TT
+CLASS="CONSTANT"
+>recvlength</TT
+></DT
+><DD
+><P
+>is the maximum buffer size that the receiver can handle on requests
 and the size of the buffer needed to satisfy a request when the buffer
 is too large for replies.
-This field is supplied by the application.
-</p></dd>
-<dt><span class="term"><code class="constant">authtype</code></span></dt>
-<dd><p>
-defines the packet level authentication that is used.
+This field is supplied by the application.</P
+></DD
+><DT
+><TT
+CLASS="CONSTANT"
+>authtype</TT
+></DT
+><DD
+><P
+>defines the packet level authentication that is used.
 Authorisation types between 0x1000 and 0xffff are application defined
 and types between 0x0000 and 0x0fff are reserved for library use.
-Currently these are not used and must be zero.
-</p></dd>
-<dt><span class="term"><code class="constant">authlen</code></span></dt>
-<dd><p>
-gives the length of the authentication data.
-Since packet authentication is currently not used, this must be zero.
-</p></dd>
-</dl></div>
-<p>
-</p>
-<p>
-The following opcodes are currently defined:
-</p>
-<div class="variablelist"><dl>
-<dt><span class="term"><code class="constant">NOOP</code></span></dt>
-<dd><p>
-Success is always returned and the packet contents are echoed.
-The lwres_noop_*() functions should be used for this type.
-</p></dd>
-<dt><span class="term"><code class="constant">GETADDRSBYNAME</code></span></dt>
-<dd><p>
-returns all known addresses for a given name.
-The lwres_gabn_*() functions should be used for this type.
-</p></dd>
-<dt><span class="term"><code class="constant">GETNAMEBYADDR</code></span></dt>
-<dd><p>
-return the hostname for the given address.
-The lwres_gnba_*() functions should be used for this type.
-</p></dd>
-</dl></div>
-<p>
-</p>
-<p>
-<code class="function">lwres_lwpacket_renderheader()</code> transfers the
+Currently these are not used and must be zero.</P
+></DD
+><DT
+><TT
+CLASS="CONSTANT"
+>authlen</TT
+></DT
+><DD
+><P
+>gives the length of the authentication data.
+Since packet authentication is currently not used, this must be zero.</P
+></DD
+></DL
+></DIV
+></P
+><P
+>The following opcodes are currently defined:
+<P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="CONSTANT"
+>NOOP</TT
+></DT
+><DD
+><P
+>Success is always returned and the packet contents are echoed.
+The lwres_noop_*() functions should be used for this type.</P
+></DD
+><DT
+><TT
+CLASS="CONSTANT"
+>GETADDRSBYNAME</TT
+></DT
+><DD
+><P
+>returns all known addresses for a given name.
+The lwres_gabn_*() functions should be used for this type.</P
+></DD
+><DT
+><TT
+CLASS="CONSTANT"
+>GETNAMEBYADDR</TT
+></DT
+><DD
+><P
+>return the hostname for the given address.
+The lwres_gnba_*() functions should be used for this type.</P
+></DD
+></DL
+></DIV
+></P
+><P
+><TT
+CLASS="FUNCTION"
+>lwres_lwpacket_renderheader()</TT
+> transfers the
 contents of lightweight resolver packet structure
-<span class="type">lwres_lwpacket_t</span> <em class="parameter"><code>*pkt</code></em> in network
+<SPAN
+CLASS="TYPE"
+>lwres_lwpacket_t</SPAN
+> <TT
+CLASS="PARAMETER"
+><I
+>*pkt</I
+></TT
+> in network
 byte order to the lightweight resolver buffer,
-<em class="parameter"><code>*b</code></em>.
-</p>
-<p>
-<code class="function">lwres_lwpacket_parseheader()</code> performs the
+<TT
+CLASS="PARAMETER"
+><I
+>*b</I
+></TT
+>.</P
+><P
+><TT
+CLASS="FUNCTION"
+>lwres_lwpacket_parseheader()</TT
+> performs the
 converse operation.  It transfers data in network byte order from
-buffer <em class="parameter"><code>*b</code></em> to resolver packet
-<em class="parameter"><code>*pkt</code></em>.  The contents of the buffer
-<em class="parameter"><code>b</code></em> should correspond to a
-<span class="type">lwres_lwpacket_t</span>.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543642"></a><h2>RETURN VALUES</h2>
-<p> Successful calls to
-<code class="function">lwres_lwpacket_renderheader()</code> and
-<code class="function">lwres_lwpacket_parseheader()</code> return
-<span class="errorcode">LWRES_R_SUCCESS</span>.  If there is insufficient
-space to copy data between the buffer <em class="parameter"><code>*b</code></em> and
-lightweight resolver packet <em class="parameter"><code>*pkt</code></em> both functions
-return <span class="errorcode">LWRES_R_UNEXPECTEDEND</span>.
-</p>
-</div>
-</div></body>
-</html>
+buffer <TT
+CLASS="PARAMETER"
+><I
+>*b</I
+></TT
+> to resolver packet
+<TT
+CLASS="PARAMETER"
+><I
+>*pkt</I
+></TT
+>.  The contents of the buffer
+<TT
+CLASS="PARAMETER"
+><I
+>b</I
+></TT
+> should correspond to a
+<SPAN
+CLASS="TYPE"
+>lwres_lwpacket_t</SPAN
+>.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN107"
+></A
+><H2
+>RETURN VALUES</H2
+><P
+> Successful calls to
+<TT
+CLASS="FUNCTION"
+>lwres_lwpacket_renderheader()</TT
+> and
+<TT
+CLASS="FUNCTION"
+>lwres_lwpacket_parseheader()</TT
+> return
+<SPAN
+CLASS="ERRORCODE"
+>LWRES_R_SUCCESS</SPAN
+>.  If there is insufficient
+space to copy data between the buffer <TT
+CLASS="PARAMETER"
+><I
+>*b</I
+></TT
+> and
+lightweight resolver packet <TT
+CLASS="PARAMETER"
+><I
+>*pkt</I
+></TT
+> both functions
+return <SPAN
+CLASS="ERRORCODE"
+>LWRES_R_UNEXPECTEDEND</SPAN
+>.</P
+></DIV
+></BODY
+></HTML
+>
diff --git a/lib/lwres/man/lwres_resutil.3 b/lib/lwres/man/lwres_resutil.3
index ed28499c..d73122d3 100644
--- a/lib/lwres/man/lwres_resutil.3
+++ b/lib/lwres/man/lwres_resutil.3
@@ -1,71 +1,68 @@
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\" 
+.\" Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001  Internet Software Consortium.
+.\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
 .\" copyright notice and this permission notice appear in all copies.
-.\" 
+.\"
 .\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 .\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 .\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 .\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_resutil.3,v 1.14.2.9 2007/01/30 00:10:38 marka Exp $
-.\"
-.hy 0
-.ad l
-.\"     Title: lwres_resutil
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: Jun 30, 2000
-.\"    Manual: BIND9
-.\"    Source: BIND9
+.\" $Id: lwres_resutil.3,v 1.14.2.1.8.1 2004/03/06 07:41:44 marka Exp $
 .\"
-.TH "LWRES_RESUTIL" "3" "Jun 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
+.TH "LWRES_RESUTIL" "3" "Jun 30, 2000" "BIND9" ""
+.SH NAME
 lwres_string_parse, lwres_addr_parse, lwres_getaddrsbyname, lwres_getnamebyaddr \- lightweight resolver utility functions
-.SH "SYNOPSIS"
-.nf
-#include <lwres/lwres.h>
-.fi
-.HP 34
-.BI "lwres_result_t lwres_string_parse(lwres_buffer_t\ *b, char\ **c, lwres_uint16_t\ *len);"
-.HP 32
-.BI "lwres_result_t lwres_addr_parse(lwres_buffer_t\ *b, lwres_addr_t\ *addr);"
-.HP 36
-.BI "lwres_result_t lwres_getaddrsbyname(lwres_context_t\ *ctx, const\ char\ *name, lwres_uint32_t\ addrtypes, lwres_gabnresponse_t\ **structp);"
-.HP 35
-.BI "lwres_result_t lwres_getnamebyaddr(lwres_context_t\ *ctx, lwres_uint32_t\ addrtype, lwres_uint16_t\ addrlen, const\ unsigned\ char\ *addr, lwres_gnbaresponse_t\ **structp);"
+.SH SYNOPSIS
+\fB#include <lwres/lwres.h>
+.sp
+.na
+lwres_result_t
+lwres_string_parse(lwres_buffer_t *b, char **c, lwres_uint16_t *len);
+.ad
+.sp
+.na
+lwres_result_t
+lwres_addr_parse(lwres_buffer_t *b, lwres_addr_t *addr);
+.ad
+.sp
+.na
+lwres_result_t
+lwres_getaddrsbyname(lwres_context_t *ctx, const char *name, lwres_uint32_t addrtypes, lwres_gabnresponse_t **structp);
+.ad
+.sp
+.na
+lwres_result_t
+lwres_getnamebyaddr(lwres_context_t *ctx, lwres_uint32_t addrtype, lwres_uint16_t addrlen, const unsigned char *addr, lwres_gnbaresponse_t **structp);
+.ad
+\fR
 .SH "DESCRIPTION"
 .PP
-\fBlwres_string_parse()\fR
-retrieves a DNS\-encoded string starting the current pointer of lightweight resolver buffer
-\fIb\fR: i.e.
-\fBb\->current\fR. When the function returns, the address of the first byte of the encoded string is returned via
-\fI*c\fR
-and the length of that string is given by
-\fI*len\fR. The buffer's current pointer is advanced to point at the character following the string length, the encoded string, and the trailing
-\fBNULL\fR
-character.
+\fBlwres_string_parse()\fR retrieves a DNS-encoded
+string starting the current pointer of lightweight resolver buffer
+\fIb\fR: i.e. b->current.
+When the function returns, the address of the first byte of the
+encoded string is returned via \fI*c\fR and the
+length of that string is given by \fI*len\fR. The
+buffer's current pointer is advanced to point at the character
+following the string length, the encoded string, and the trailing
+\fBNULL\fR character.
 .PP
-\fBlwres_addr_parse()\fR
-extracts an address from the buffer
-\fIb\fR. The buffer's current pointer
-\fBb\->current\fR
-is presumed to point at an encoded address: the address preceded by a 32\-bit protocol family identifier and a 16\-bit length field. The encoded address is copied to
-\fBaddr\->address\fR
-and
-\fBaddr\->length\fR
-indicates the size in bytes of the address that was copied.
-\fBb\->current\fR
-is advanced to point at the next byte of available data in the buffer following the encoded address.
+\fBlwres_addr_parse()\fR extracts an address from the
+buffer \fIb\fR. The buffer's current pointer
+b->current is presumed to point at an encoded
+address: the address preceded by a 32-bit protocol family identifier
+and a 16-bit length field. The encoded address is copied to
+addr->address and
+addr->length indicates the size in bytes of
+the address that was copied. b->current is
+advanced to point at the next byte of available data in the buffer
+following the encoded address.
 .PP
 \fBlwres_getaddrsbyname()\fR
 and
@@ -74,7 +71,6 @@ use the
 \fBlwres_gnbaresponse_t\fR
 structure defined below:
 .sp
-.RS 4
 .nf
 typedef struct {
         lwres_uint32_t          flags;
@@ -88,41 +84,31 @@ typedef struct {
         void                   *base;
         size_t                  baselen;
 } lwres_gabnresponse_t;
-.fi
-.RE
 .sp
-The contents of this structure are not manipulated directly but they are controlled through the
-\fBlwres_gabn\fR(3 )
+.fi
+The contents of this structure are not manipulated directly but
+they are controlled through the
+\fBlwres_gabn\fR(3)
 functions.
 .PP
 The lightweight resolver uses
-\fBlwres_getaddrsbyname()\fR
-to perform foward lookups. Hostname
-\fIname\fR
-is looked up using the resolver context
-\fIctx\fR
-for memory allocation.
-\fIaddrtypes\fR
-is a bitmask indicating which type of addresses are to be looked up. Current values for this bitmask are
-\fBLWRES_ADDRTYPE_V4\fR
-for IPv4 addresses and
-\fBLWRES_ADDRTYPE_V6\fR
-for IPv6 addresses. Results of the lookup are returned in
-\fI*structp\fR.
+\fBlwres_getaddrsbyname()\fR to perform foward lookups.
+Hostname \fIname\fR is looked up using the resolver
+context \fIctx\fR for memory allocation.
+\fIaddrtypes\fR is a bitmask indicating which type of
+addresses are to be looked up. Current values for this bitmask are
+\fBLWRES_ADDRTYPE_V4\fR for IPv4 addresses and
+\fBLWRES_ADDRTYPE_V6\fR for IPv6 addresses. Results of the
+lookup are returned in \fI*structp\fR.
 .PP
-\fBlwres_getnamebyaddr()\fR
-performs reverse lookups. Resolver context
-\fIctx\fR
-is used for memory allocation. The address type is indicated by
-\fIaddrtype\fR:
-\fBLWRES_ADDRTYPE_V4\fR
-or
-\fBLWRES_ADDRTYPE_V6\fR. The address to be looked up is given by
-\fIaddr\fR
-and its length is
-\fIaddrlen\fR
-bytes. The result of the function call is made available through
-\fI*structp\fR.
+\fBlwres_getnamebyaddr()\fR performs reverse lookups.
+Resolver context \fIctx\fR is used for memory
+allocation. The address type is indicated by
+\fIaddrtype\fR: \fBLWRES_ADDRTYPE_V4\fR or
+\fBLWRES_ADDRTYPE_V6\fR. The address to be looked up is given
+by \fIaddr\fR and its length is
+\fIaddrlen\fR bytes. The result of the function call
+is made available through \fI*structp\fR.
 .SH "RETURN VALUES"
 .PP
 Successful calls to
@@ -130,23 +116,24 @@ Successful calls to
 and
 \fBlwres_addr_parse()\fR
 return
-\fBLWRES_R_SUCCESS.\fR
+LWRES_R_SUCCESS.
 Both functions return
-\fBLWRES_R_FAILURE\fR
+LWRES_R_FAILURE
 if the buffer is corrupt or
-\fBLWRES_R_UNEXPECTEDEND\fR
-if the buffer has less space than expected for the components of the encoded string or address.
+LWRES_R_UNEXPECTEDEND
+if the buffer has less space than expected for the components of the
+encoded string or address.
 .PP
 \fBlwres_getaddrsbyname()\fR
 returns
-\fBLWRES_R_SUCCESS\fR
+LWRES_R_SUCCESS
 on success and it returns
-\fBLWRES_R_NOTFOUND\fR
+LWRES_R_NOTFOUND
 if the hostname
 \fIname\fR
 could not be found.
 .PP
-\fBLWRES_R_SUCCESS\fR
+LWRES_R_SUCCESS
 is returned by a successful call to
 \fBlwres_getnamebyaddr()\fR.
 .PP
@@ -155,16 +142,12 @@ Both
 and
 \fBlwres_getnamebyaddr()\fR
 return
-\fBLWRES_R_NOMEMORY\fR
+LWRES_R_NOMEMORY
 when memory allocation requests fail and
-\fBLWRES_R_UNEXPECTEDEND\fR
-if the buffers used for sending queries and receiving replies are too small.
+LWRES_R_UNEXPECTEDEND
+if the buffers used for sending queries and receiving replies are too
+small.
 .SH "SEE ALSO"
 .PP
 \fBlwres_buffer\fR(3),
 \fBlwres_gabn\fR(3).
-.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000, 2001 Internet Software Consortium.
-.br
diff --git a/lib/lwres/man/lwres_resutil.docbook b/lib/lwres/man/lwres_resutil.docbook
index 3b5fb1da..e5f891fa 100644
--- a/lib/lwres/man/lwres_resutil.docbook
+++ b/lib/lwres/man/lwres_resutil.docbook
@@ -1,9 +1,7 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
 <!--
- - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001  Internet Software Consortium.
+ - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -18,7 +16,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: lwres_resutil.docbook,v 1.5.2.5 2007/01/29 23:57:17 marka Exp $ -->
+<!-- $Id: lwres_resutil.docbook,v 1.5.206.1 2004/03/06 08:15:42 marka Exp $ -->
 
 <refentry>
 
@@ -32,20 +30,6 @@
   <refmiscinfo>BIND9</refmiscinfo>
 </refmeta>
 
-  <docinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2007</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
-  </docinfo>
-
 <refnamediv>
 <refname>lwres_string_parse</refname>
 <refname>lwres_addr_parse</refname>
diff --git a/lib/lwres/man/lwres_resutil.html b/lib/lwres/man/lwres_resutil.html
index 9604fa4e..3b9e5f8d 100644
--- a/lib/lwres/man/lwres_resutil.html
+++ b/lib/lwres/man/lwres_resutil.html
@@ -1,163 +1,194 @@
 <!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- - 
+ - Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001  Internet Software Consortium.
+ -
  - Permission to use, copy, modify, and distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
- - 
+ -
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_resutil.html,v 1.8.2.15 2007/01/30 00:10:38 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>lwres_resutil</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476275"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p>lwres_string_parse, lwres_addr_parse, lwres_getaddrsbyname, lwres_getnamebyaddr &#8212; lightweight resolver utility functions</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="funcsynopsis">
-<pre class="funcsynopsisinfo">#include &lt;lwres/lwres.h&gt;</pre>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-lwres_result_t
-<b class="fsfunc">lwres_string_parse</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-lwres_result_t
-<b class="fsfunc">lwres_addr_parse</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-lwres_result_t
-<b class="fsfunc">lwres_getaddrsbyname</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0">
-<tr>
-<td><code class="funcdef">
-lwres_result_t
-<b class="fsfunc">lwres_getnamebyaddr</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-</div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543427"></a><h2>DESCRIPTION</h2>
-<p>
-<code class="function">lwres_string_parse()</code> retrieves a DNS-encoded
+
+<!-- $Id: lwres_resutil.html,v 1.8.2.1.4.1 2004/03/06 08:15:42 marka Exp $ -->
+
+<HTML
+><HEAD
+><TITLE
+>lwres_resutil</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.73
+"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+>lwres_resutil</A
+></H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN8"
+></A
+><H2
+>Name</H2
+>lwres_string_parse, lwres_addr_parse, lwres_getaddrsbyname, lwres_getnamebyaddr&nbsp;--&nbsp;lightweight resolver utility functions</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN14"
+></A
+><H2
+>Synopsis</H2
+><DIV
+CLASS="FUNCSYNOPSIS"
+><A
+NAME="AEN15"
+></A
+><P
+></P
+><PRE
+CLASS="FUNCSYNOPSISINFO"
+>#include &lt;lwres/lwres.h&gt;</PRE
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>lwres_result_t
+lwres_string_parse</CODE
+>(lwres_buffer_t *b, char **c, lwres_uint16_t *len);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>lwres_result_t
+lwres_addr_parse</CODE
+>(lwres_buffer_t *b, lwres_addr_t *addr);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>lwres_result_t
+lwres_getaddrsbyname</CODE
+>(lwres_context_t *ctx, const char *name, lwres_uint32_t addrtypes, lwres_gabnresponse_t **structp);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>lwres_result_t
+lwres_getnamebyaddr</CODE
+>(lwres_context_t *ctx, lwres_uint32_t addrtype, lwres_uint16_t addrlen, const unsigned char *addr, lwres_gnbaresponse_t **structp);</CODE
+></P
+><P
+></P
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN43"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+><TT
+CLASS="FUNCTION"
+>lwres_string_parse()</TT
+> retrieves a DNS-encoded
 string starting the current pointer of lightweight resolver buffer
-<em class="parameter"><code>b</code></em>: i.e.  <code class="constant">b-&gt;current</code>.
+<TT
+CLASS="PARAMETER"
+><I
+>b</I
+></TT
+>: i.e.  <TT
+CLASS="CONSTANT"
+>b-&gt;current</TT
+>.
 When the function returns, the address of the first byte of the
-encoded string is returned via <em class="parameter"><code>*c</code></em> and the
-length of that string is given by <em class="parameter"><code>*len</code></em>.  The
+encoded string is returned via <TT
+CLASS="PARAMETER"
+><I
+>*c</I
+></TT
+> and the
+length of that string is given by <TT
+CLASS="PARAMETER"
+><I
+>*len</I
+></TT
+>.  The
 buffer's current pointer is advanced to point at the character
 following the string length, the encoded string, and the trailing
-<span class="type">NULL</span> character.
-</p>
-<p>
-<code class="function">lwres_addr_parse()</code> extracts an address from the
-buffer <em class="parameter"><code>b</code></em>.  The buffer's current pointer
-<code class="constant">b-&gt;current</code> is presumed to point at an encoded
+<SPAN
+CLASS="TYPE"
+>NULL</SPAN
+> character.</P
+><P
+><TT
+CLASS="FUNCTION"
+>lwres_addr_parse()</TT
+> extracts an address from the
+buffer <TT
+CLASS="PARAMETER"
+><I
+>b</I
+></TT
+>.  The buffer's current pointer
+<TT
+CLASS="CONSTANT"
+>b-&gt;current</TT
+> is presumed to point at an encoded
 address: the address preceded by a 32-bit protocol family identifier
 and a 16-bit length field.  The encoded address is copied to
-<code class="constant">addr-&gt;address</code> and
-<code class="constant">addr-&gt;length</code> indicates the size in bytes of
-the address that was copied.  <code class="constant">b-&gt;current</code> is
+<TT
+CLASS="CONSTANT"
+>addr-&gt;address</TT
+> and
+<TT
+CLASS="CONSTANT"
+>addr-&gt;length</TT
+> indicates the size in bytes of
+the address that was copied.  <TT
+CLASS="CONSTANT"
+>b-&gt;current</TT
+> is
 advanced to point at the next byte of available data in the buffer
-following the encoded address.
-</p>
-<p>
-<code class="function">lwres_getaddrsbyname()</code>
+following the encoded address.</P
+><P
+><TT
+CLASS="FUNCTION"
+>lwres_getaddrsbyname()</TT
+>
 and
-<code class="function">lwres_getnamebyaddr()</code>
+<TT
+CLASS="FUNCTION"
+>lwres_getnamebyaddr()</TT
+>
 use the
-<span class="type">lwres_gnbaresponse_t</span>
+<SPAN
+CLASS="TYPE"
+>lwres_gnbaresponse_t</SPAN
+>
 structure defined below:
-</p>
-<pre class="programlisting">
-typedef struct {
+<PRE
+CLASS="PROGRAMLISTING"
+>typedef struct {
         lwres_uint32_t          flags;
         lwres_uint16_t          naliases;
         lwres_uint16_t          naddrs;
@@ -168,88 +199,217 @@ typedef struct {
         lwres_addrlist_t        addrs;
         void                   *base;
         size_t                  baselen;
-} lwres_gabnresponse_t;
-</pre>
-<p>
+} lwres_gabnresponse_t;</PRE
+>
 The contents of this structure are not manipulated directly but
 they are controlled through the
-<span class="citerefentry"><span class="refentrytitle">lwres_gabn</span>(3
-)</span>
-functions.
-</p>
-<p>
-The lightweight resolver uses
-<code class="function">lwres_getaddrsbyname()</code> to perform foward lookups.
-Hostname <em class="parameter"><code>name</code></em> is looked up using the resolver
-context <em class="parameter"><code>ctx</code></em> for memory allocation.
-<em class="parameter"><code>addrtypes</code></em> is a bitmask indicating which type of
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres_gabn</SPAN
+>(3)</SPAN
+>
+functions.</P
+><P
+>The lightweight resolver uses
+<TT
+CLASS="FUNCTION"
+>lwres_getaddrsbyname()</TT
+> to perform foward lookups.
+Hostname <TT
+CLASS="PARAMETER"
+><I
+>name</I
+></TT
+> is looked up using the resolver
+context <TT
+CLASS="PARAMETER"
+><I
+>ctx</I
+></TT
+> for memory allocation.
+<TT
+CLASS="PARAMETER"
+><I
+>addrtypes</I
+></TT
+> is a bitmask indicating which type of
 addresses are to be looked up.  Current values for this bitmask are
-<span class="type">LWRES_ADDRTYPE_V4</span> for IPv4 addresses and
-<span class="type">LWRES_ADDRTYPE_V6</span> for IPv6 addresses.  Results of the
-lookup are returned in <em class="parameter"><code>*structp</code></em>.
-</p>
-<p>
-<code class="function">lwres_getnamebyaddr()</code> performs reverse lookups.
-Resolver context <em class="parameter"><code>ctx</code></em> is used for memory
+<SPAN
+CLASS="TYPE"
+>LWRES_ADDRTYPE_V4</SPAN
+> for IPv4 addresses and
+<SPAN
+CLASS="TYPE"
+>LWRES_ADDRTYPE_V6</SPAN
+> for IPv6 addresses.  Results of the
+lookup are returned in <TT
+CLASS="PARAMETER"
+><I
+>*structp</I
+></TT
+>.</P
+><P
+><TT
+CLASS="FUNCTION"
+>lwres_getnamebyaddr()</TT
+> performs reverse lookups.
+Resolver context <TT
+CLASS="PARAMETER"
+><I
+>ctx</I
+></TT
+> is used for memory
 allocation.  The address type is indicated by
-<em class="parameter"><code>addrtype</code></em>: <span class="type">LWRES_ADDRTYPE_V4</span> or
-<span class="type">LWRES_ADDRTYPE_V6</span>.  The address to be looked up is given
-by <em class="parameter"><code>addr</code></em> and its length is
-<em class="parameter"><code>addrlen</code></em> bytes.  The result of the function call
-is made available through <em class="parameter"><code>*structp</code></em>.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543566"></a><h2>RETURN VALUES</h2>
-<p>
-Successful calls to
-<code class="function">lwres_string_parse()</code>
+<TT
+CLASS="PARAMETER"
+><I
+>addrtype</I
+></TT
+>: <SPAN
+CLASS="TYPE"
+>LWRES_ADDRTYPE_V4</SPAN
+> or
+<SPAN
+CLASS="TYPE"
+>LWRES_ADDRTYPE_V6</SPAN
+>.  The address to be looked up is given
+by <TT
+CLASS="PARAMETER"
+><I
+>addr</I
+></TT
+> and its length is
+<TT
+CLASS="PARAMETER"
+><I
+>addrlen</I
+></TT
+> bytes.  The result of the function call
+is made available through <TT
+CLASS="PARAMETER"
+><I
+>*structp</I
+></TT
+>.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN84"
+></A
+><H2
+>RETURN VALUES</H2
+><P
+>Successful calls to
+<TT
+CLASS="FUNCTION"
+>lwres_string_parse()</TT
+>
 and
-<code class="function">lwres_addr_parse()</code>
+<TT
+CLASS="FUNCTION"
+>lwres_addr_parse()</TT
+>
 return
-<span class="errorcode">LWRES_R_SUCCESS.</span>
+<SPAN
+CLASS="ERRORCODE"
+>LWRES_R_SUCCESS.</SPAN
+>
 Both functions return
-<span class="errorcode">LWRES_R_FAILURE</span>
+<SPAN
+CLASS="ERRORCODE"
+>LWRES_R_FAILURE</SPAN
+>
 if the buffer is corrupt or
-<span class="errorcode">LWRES_R_UNEXPECTEDEND</span>
+<SPAN
+CLASS="ERRORCODE"
+>LWRES_R_UNEXPECTEDEND</SPAN
+>
 if the buffer has less space than expected for the components of the
-encoded string or address.
-</p>
-<p>
-<code class="function">lwres_getaddrsbyname()</code>
+encoded string or address.</P
+><P
+><TT
+CLASS="FUNCTION"
+>lwres_getaddrsbyname()</TT
+>
 returns
-<span class="errorcode">LWRES_R_SUCCESS</span>
+<SPAN
+CLASS="ERRORCODE"
+>LWRES_R_SUCCESS</SPAN
+>
 on success and it returns
-<span class="errorcode">LWRES_R_NOTFOUND</span>
+<SPAN
+CLASS="ERRORCODE"
+>LWRES_R_NOTFOUND</SPAN
+>
 if the hostname
-<em class="parameter"><code>name</code></em>
-could not be found.
-</p>
-<p>
-<span class="errorcode">LWRES_R_SUCCESS</span>
+<TT
+CLASS="PARAMETER"
+><I
+>name</I
+></TT
+>
+could not be found.</P
+><P
+><SPAN
+CLASS="ERRORCODE"
+>LWRES_R_SUCCESS</SPAN
+>
 is returned by a successful call to
-<code class="function">lwres_getnamebyaddr()</code>.
-</p>
-<p>
-Both
-<code class="function">lwres_getaddrsbyname()</code>
+<TT
+CLASS="FUNCTION"
+>lwres_getnamebyaddr()</TT
+>.</P
+><P
+>Both
+<TT
+CLASS="FUNCTION"
+>lwres_getaddrsbyname()</TT
+>
 and
-<code class="function">lwres_getnamebyaddr()</code>
+<TT
+CLASS="FUNCTION"
+>lwres_getnamebyaddr()</TT
+>
 return
-<span class="errorcode">LWRES_R_NOMEMORY</span>
+<SPAN
+CLASS="ERRORCODE"
+>LWRES_R_NOMEMORY</SPAN
+>
 when memory allocation requests fail and
-<span class="errorcode">LWRES_R_UNEXPECTEDEND</span>
+<SPAN
+CLASS="ERRORCODE"
+>LWRES_R_UNEXPECTEDEND</SPAN
+>
 if the buffers used for sending queries and receiving replies are too
-small.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543636"></a><h2>SEE ALSO</h2>
-<p>
-<span class="citerefentry"><span class="refentrytitle">lwres_buffer</span>(3)</span>,
+small.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN105"
+></A
+><H2
+>SEE ALSO</H2
+><P
+><SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres_buffer</SPAN
+>(3)</SPAN
+>,
 
-<span class="citerefentry"><span class="refentrytitle">lwres_gabn</span>(3)</span>.
-</p>
-</div>
-</div></body>
-</html>
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres_gabn</SPAN
+>(3)</SPAN
+>.</P
+></DIV
+></BODY
+></HTML
+>
diff --git a/lib/lwres/print.c b/lib/lwres/print.c
deleted file mode 100644
index d2d11d04..00000000
--- a/lib/lwres/print.c
+++ /dev/null
@@ -1,550 +0,0 @@
-/*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: print.c,v 1.1.6.6 2005/10/14 01:37:57 marka Exp $ */
-
-#include <config.h>
-
-#include <ctype.h>
-#include <stdio.h>		/* for sprintf */
-#include <string.h>
-
-#define	LWRES__PRINT_SOURCE	/* Used to get the lwres_print_* prototypes. */
-
-#include <stdlib.h>
-
-#include "assert_p.h"
-#include "print_p.h"
-
-/*
- * Return length of string that would have been written if not truncated.
- */
-
-#define LWRES_PRINT_QUADFORMAT LWRES_PLATFORM_QUADFORMAT
-
-int
-lwres__print_snprintf(char *str, size_t size, const char *format, ...) {
-	va_list ap;
-	int ret;
-
-	va_start(ap, format);
-	ret = vsnprintf(str, size, format, ap);
-	va_end(ap);
-	return (ret);
-
-}
-
-/*
- * Return length of string that would have been written if not truncated.
- */
-
-int
-lwres__print_vsnprintf(char *str, size_t size, const char *format, va_list ap) {
-	int h;
-	int l;
-	int q;
-	int alt;
-	int zero;
-	int left;
-	int plus;
-	int space;
-	long long tmpi;
-	unsigned long long tmpui;
-	unsigned long width;
-	unsigned long precision;
-	unsigned int length;
-	char buf[1024];
-	char c;
-	void *v;
-	char *save = str;
-	const char *cp;
-	const char *head;
-	int count = 0;
-	int pad;
-	int zeropad;
-	int dot;
-	double dbl;
-#ifdef HAVE_LONG_DOUBLE
-	long double ldbl;
-#endif
-	char fmt[32];
-
-	INSIST(str != NULL);
-	INSIST(format != NULL);
-
-	while (*format != '\0') {
-		if (*format != '%') {
-			if (size > 1U) {
-				*str++ = *format;
-				size--;
-			}
-			count++;
-			format++;
-			continue;
-		}
-		format++;
-
-		/*
-		 * Reset flags.
-		 */
-		dot = space = plus = left = zero = alt = h = l = q = 0;
-		width = precision = 0;
-		head = "";
-		length = pad = zeropad = 0;
-
-		do {
-			if (*format == '#') {
-				alt = 1;
-				format++;
-			} else if (*format == '-') {
-				left = 1;
-				zero = 0;
-				format++;
-			} else if (*format == ' ') {
-				if (!plus)
-					space = 1;
-				format++;
-			} else if (*format == '+') {
-				plus = 1;
-				space = 0;
-				format++;
-			} else if (*format == '0') {
-				if (!left)
-					zero = 1;
-				format++;
-			} else
-				break;
-		} while (1);
-
-		/*
-		 * Width.
-		 */
-		if (*format == '*') {
-			width = va_arg(ap, int);
-			format++;
-		} else if (isdigit((unsigned char)*format)) {
-			char *e;
-			width = strtoul(format, &e, 10);
-			format = e;
-		}
-
-		/*
-		 * Precision.
-		 */
-		if (*format == '.') {
-			format++;
-			dot = 1;
-			if (*format == '*') {
-				precision = va_arg(ap, int);
-				format++;
-			} else if (isdigit((unsigned char)*format)) {
-				char *e;
-				precision = strtoul(format, &e, 10);
-				format = e;
-			}
-		}
-
-		switch (*format) {
-		case '\0':
-			continue;
-		case '%':
-			if (size > 1U) {
-				*str++ = *format;
-				size--;
-			}
-			count++;
-			break;
-		case 'q':
-			q = 1;
-			format++;
-			goto doint;
-		case 'h':
-			h = 1;
-			format++;
-			goto doint;
-		case 'l':
-			l = 1;
-			format++;
-			if (*format == 'l') {
-				q = 1;
-				format++;
-			}
-			goto doint;
-		case 'n':
-		case 'i':
-		case 'd':
-		case 'o':
-		case 'u':
-		case 'x':
-		case 'X':
-		doint:
-			if (precision != 0U)
-				zero = 0;
-			switch (*format) {
-			case 'n':
-				if (h) {
-					short int *p;
-					p = va_arg(ap, short *);
-					REQUIRE(p != NULL);
-					*p = str - save;
-				} else if (l) {
-					long int *p;
-					p = va_arg(ap, long *);
-					REQUIRE(p != NULL);
-					*p = str - save;
-				} else {
-					int *p;
-					p = va_arg(ap, int *);
-					REQUIRE(p != NULL);
-					*p = str - save;
-				}
-				break;
-			case 'i':
-			case 'd':
-				if (q)
-					tmpi = va_arg(ap, long long int);
-				else if (l)
-					tmpi = va_arg(ap, long int);
-				else
-					tmpi = va_arg(ap, int);
-				if (tmpi < 0) {
-					head = "-";
-					tmpui = -tmpi;
-				} else {
-					if (plus)
-						head = "+";
-					else if (space)
-						head = " ";
-					else
-						head = "";
-					tmpui = tmpi;
-				}
-				sprintf(buf, "%" LWRES_PRINT_QUADFORMAT "u",
-					tmpui);
-				goto printint;
-			case 'o':
-				if (q)
-					tmpui = va_arg(ap,
-						       unsigned long long int);
-				else if (l)
-					tmpui = va_arg(ap, long int);
-				else
-					tmpui = va_arg(ap, int);
-				sprintf(buf,
-					alt ? "%#" LWRES_PRINT_QUADFORMAT "o"
-					    : "%" LWRES_PRINT_QUADFORMAT "o",
-					tmpui);
-				goto printint;
-			case 'u':
-				if (q)
-					tmpui = va_arg(ap,
-						       unsigned long long int);
-				else if (l)
-					tmpui = va_arg(ap, unsigned long int);
-				else
-					tmpui = va_arg(ap, unsigned int);
-				sprintf(buf, "%" LWRES_PRINT_QUADFORMAT "u",
-					tmpui);
-				goto printint;
-			case 'x':
-				if (q)
-					tmpui = va_arg(ap,
-						       unsigned long long int);
-				else if (l)
-					tmpui = va_arg(ap, unsigned long int);
-				else
-					tmpui = va_arg(ap, unsigned int);
-				if (alt) {
-					head = "0x";
-					if (precision > 2U)
-						precision -= 2;
-				}
-				sprintf(buf, "%" LWRES_PRINT_QUADFORMAT "x",
-					tmpui);
-				goto printint;
-			case 'X':
-				if (q)
-					tmpui = va_arg(ap,
-						       unsigned long long int);
-				else if (l)
-					tmpui = va_arg(ap, unsigned long int);
-				else
-					tmpui = va_arg(ap, unsigned int);
-				if (alt) {
-					head = "0X";
-					if (precision > 2U)
-						precision -= 2;
-				}
-				sprintf(buf, "%" LWRES_PRINT_QUADFORMAT "X",
-					tmpui);
-				goto printint;
-			printint:
-				if (precision != 0U || width != 0U) {
-					length = strlen(buf);
-					if (length < precision)
-						zeropad = precision - length;
-					else if (length < width && zero)
-						zeropad = width - length;
-					if (width != 0U) {
-						pad = width - length -
-						      zeropad - strlen(head);
-						if (pad < 0)
-							pad = 0;
-					}
-				}
-				count += strlen(head) + strlen(buf) + pad +
-					 zeropad;
-				if (!left) {
-					while (pad > 0 && size > 1U) {
-						*str++ = ' ';
-						size--;
-						pad--;
-					}
-				}
-				cp = head;
-				while (*cp != '\0' && size > 1U) {
-					*str++ = *cp++;
-					size--;
-				}
-				while (zeropad > 0 && size > 1U) {
-					*str++ = '0';
-					size--;
-					zeropad--;
-				}
-				cp = buf;
-				while (*cp != '\0' && size > 1U) {
-					*str++ = *cp++;
-					size--;
-				}
-				while (pad > 0 && size > 1U) {
-					*str++ = ' ';
-					size--;
-					pad--;
-				}
-				break;
-			default:
-				break;
-			}
-			break;
-		case 's':
-			cp = va_arg(ap, char *);
-			REQUIRE(cp != NULL);
-
-			if (precision != 0U) {
-				/*
-				 * cp need not be NULL terminated.
-				 */
-				const char *tp;
-				unsigned long n;
-
-				n = precision;
-				tp = cp;
-				while (n != 0U && *tp != '\0')
-					n--, tp++;
-				length = precision - n;
-			} else {
-				length = strlen(cp);
-			}
-			if (width != 0U) {
-				pad = width - length;
-				if (pad < 0)
-					pad = 0;
-			}
-			count += pad + length;
-			if (!left)
-				while (pad > 0 && size > 1U) {
-					*str++ = ' ';
-					size--;
-					pad--;
-				}
-			if (precision != 0U)
-				while (precision > 0U && *cp != '\0' &&
-				       size > 1U) {
-					*str++ = *cp++;
-					size--;
-					precision--;
-				}
-			else
-				while (*cp != '\0' && size > 1U) {
-					*str++ = *cp++;
-					size--;
-				}
-			while (pad > 0 && size > 1U) {
-				*str++ = ' ';
-				size--;
-				pad--;
-			}
-			break;
-		case 'c':
-			c = va_arg(ap, int);
-			if (width > 0U) {
-				count += width;
-				width--;
-				if (left) {
-					*str++ = c;
-					size--;
-				}
-				while (width-- > 0U && size > 1U) {
-					*str++ = ' ';
-					size--;
-				}
-				if (!left && size > 1U) {
-					*str++ = c;
-					size--;
-				}
-			} else {
-				count++;
-				if (size > 1U) {
-					*str++ = c;
-					size--;
-				}
-			}
-			break;
-		case 'p':
-			v = va_arg(ap, void *);
-			sprintf(buf, "%p", v);
-			length = strlen(buf);
-			if (precision > length)
-				zeropad = precision - length;
-			if (width > 0U) {
-				pad = width - length - zeropad;
-				if (pad < 0)
-					pad = 0;
-			}
-			count += length + pad + zeropad;
-			if (!left)
-				while (pad > 0 && size > 1U) {
-					*str++ = ' ';
-					size--;
-					pad--;
-				}
-			cp = buf;
-			if (zeropad > 0 && buf[0] == '0' &&
-			    (buf[1] == 'x' || buf[1] == 'X')) {
-				if (size > 1U) {
-					*str++ = *cp++;
-					size--;
-				}
-				if (size > 1U) {
-					*str++ = *cp++;
-					size--;
-				}
-				while (zeropad > 0 && size > 1U) {
-					*str++ = '0';
-					size--;
-					zeropad--;
-				}
-			}
-			while (*cp != '\0' && size > 1U) {
-				*str++ = *cp++;
-				size--;
-			}
-			while (pad > 0 && size > 1U) {
-				*str++ = ' ';
-				size--;
-				pad--;
-			}
-			break;
-		case 'D':	/*deprecated*/
-			INSIST("use %ld instead of %D" == NULL);
-		case 'O':	/*deprecated*/
-			INSIST("use %lo instead of %O" == NULL);
-		case 'U':	/*deprecated*/
-			INSIST("use %lu instead of %U" == NULL);
-
-		case 'L':
-#ifdef HAVE_LONG_DOUBLE
-			l = 1;
-#else
-			INSIST("long doubles are not supported" == NULL);
-#endif
-			/*FALLTHROUGH*/
-		case 'e':
-		case 'E':
-		case 'f':
-		case 'g':
-		case 'G':
-			if (!dot)
-				precision = 6;
-			/*
-			 * IEEE floating point.
-			 * MIN 2.2250738585072014E-308
-			 * MAX 1.7976931348623157E+308
-			 * VAX floating point has a smaller range than IEEE.
-			 *
-			 * precisions > 324 don't make much sense.
-			 * if we cap the precision at 512 we will not
-			 * overflow buf.
-			 */
-			if (precision > 512U)
-				precision = 512;
-			sprintf(fmt, "%%%s%s.%lu%s%c", alt ? "#" : "",
-				plus ? "+" : space ? " " : "",
-				precision, l ? "L" : "", *format);
-			switch (*format) {
-			case 'e':
-			case 'E':
-			case 'f':
-			case 'g':
-			case 'G':
-#ifdef HAVE_LONG_DOUBLE
-				if (l) {
-					ldbl = va_arg(ap, long double);
-					sprintf(buf, fmt, ldbl);
-				} else
-#endif
-				{
-					dbl = va_arg(ap, double);
-					sprintf(buf, fmt, dbl);
-				}
-				length = strlen(buf);
-				if (width > 0U) {
-					pad = width - length;
-					if (pad < 0)
-						pad = 0;
-				}
-				count += length + pad;
-				if (!left)
-					while (pad > 0 && size > 1U) {
-						*str++ = ' ';
-						size--;
-						pad--;
-					}
-				cp = buf;
-				while (*cp != ' ' && size > 1U) {
-					*str++ = *cp++;
-					size--;
-				}
-				while (pad > 0 && size > 1U) {
-					*str++ = ' ';
-					size--;
-					pad--;
-				}
-				break;
-			default:
-				continue;
-			}
-			break;
-		default:
-			continue;
-		}
-		format++;
-	}
-	if (size > 0U)
-		*str = '\0';
-	return (count);
-}
diff --git a/lib/lwres/print_p.h b/lib/lwres/print_p.h
deleted file mode 100644
index 91a2e472..00000000
--- a/lib/lwres/print_p.h
+++ /dev/null
@@ -1,76 +0,0 @@
-/*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: print_p.h,v 1.1.6.1 2004/08/28 06:18:29 marka Exp $ */
-
-#ifndef LWRES_PRINT_P_H
-#define LWRES_PRINT_P_H 1
-
-/***
- *** Imports
- ***/
-
-#include <lwres/lang.h>
-#include <lwres/platform.h>
-
-/*
- * This block allows lib/lwres/print.c to be cleanly compiled even if
- * the platform does not need it.  The standard Makefile will still
- * not compile print.c or archive print.o, so this is just to make test
- * compilation ("make print.o") easier.
- */
-#if !defined(LWRES_PLATFORM_NEEDVSNPRINTF) && defined(LWRES__PRINT_SOURCE)
-#define LWRES_PLATFORM_NEEDVSNPRINTF
-#endif
-
-/***
- *** Macros.
- ***/
-
-#ifdef __GNUC__
-#define LWRES_FORMAT_PRINTF(fmt, args) \
-        __attribute__((__format__(__printf__, fmt, args)))
-#else
-#define LWRES_FORMAT_PRINTF(fmt, args)
-#endif
-
-/***
- *** Functions
- ***/
-
-#ifdef LWRES_PLATFORM_NEEDVSNPRINTF
-#include <stdarg.h>
-#include <stddef.h>
-#endif
-
-LWRES_LANG_BEGINDECLS
-
-#ifdef LWRES_PLATFORM_NEEDVSNPRINTF
-int
-lwres__print_vsnprintf(char *str, size_t size, const char *format, va_list ap)
-     LWRES_FORMAT_PRINTF(3, 0);
-#define vsnprintf lwres__print_vsnprintf
-
-int
-lwres__print_snprintf(char *str, size_t size, const char *format, ...)
-     LWRES_FORMAT_PRINTF(3, 4);
-#define snprintf lwres__print_snprintf
-#endif /* LWRES_PLATFORM_NEEDVSNPRINTF */
-
-LWRES_LANG_ENDDECLS
-
-#endif /* LWRES_PRINT_P_H */
diff --git a/lib/lwres/unix/Makefile.in b/lib/lwres/unix/Makefile.in
index 0d42450a..b734bc1e 100644
--- a/lib/lwres/unix/Makefile.in
+++ b/lib/lwres/unix/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.1.2.1 2004/03/09 06:12:41 marka Exp $
+# $Id: Makefile.in,v 1.1.206.1 2004/03/06 08:15:43 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/lwres/unix/include/Makefile.in b/lib/lwres/unix/include/Makefile.in
index 07201a12..8f3798e4 100644
--- a/lib/lwres/unix/include/Makefile.in
+++ b/lib/lwres/unix/include/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.1.2.1 2004/03/09 06:12:41 marka Exp $
+# $Id: Makefile.in,v 1.1.206.1 2004/03/06 08:15:43 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/lwres/unix/include/lwres/Makefile.in b/lib/lwres/unix/include/lwres/Makefile.in
index 6c1343e8..e969f504 100644
--- a/lib/lwres/unix/include/lwres/Makefile.in
+++ b/lib/lwres/unix/include/lwres/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.1.2.1 2004/03/09 06:12:42 marka Exp $
+# $Id: Makefile.in,v 1.1.206.1 2004/03/06 08:15:43 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/lwres/unix/include/lwres/net.h b/lib/lwres/unix/include/lwres/net.h
index cae96d83..b214de6b 100644
--- a/lib/lwres/unix/include/lwres/net.h
+++ b/lib/lwres/unix/include/lwres/net.h
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) 2000-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: net.h,v 1.3.2.1 2004/03/09 06:12:42 marka Exp $ */
+/* $Id: net.h,v 1.3.12.3 2004/03/08 09:05:12 marka Exp $ */
 
 #ifndef LWRES_NET_H
 #define LWRES_NET_H 1
@@ -52,8 +52,10 @@
 
 #include <lwres/platform.h>	/* Required for LWRES_PLATFORM_*. */
 
+#include <unistd.h>
 #include <sys/types.h>
 #include <sys/socket.h>		/* Contractual promise. */
+#include <sys/ioctl.h>
 #include <sys/time.h>
 #include <sys/un.h>
 
@@ -65,6 +67,7 @@
 #ifdef LWRES_PLATFORM_NEEDNETINET6IN6H
 #include <netinet6/in6.h>	/* Required on BSD/OS for in6_pktinfo. */
 #endif
+#include <net/if.h>	
 
 #include <lwres/lang.h>
 
diff --git a/lib/lwres/version.c b/lib/lwres/version.c
index 098d4e4c..ac3e6c80 100644
--- a/lib/lwres/version.c
+++ b/lib/lwres/version.c
@@ -15,10 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: version.c,v 1.6.2.1 2004/03/09 06:12:35 marka Exp $ */
+/* $Id: version.c,v 1.6.12.3 2004/03/08 09:05:11 marka Exp $ */
 
-char lwres_version[] = VERSION;
+#include <lwres/version.h>
 
-unsigned int lwres_libinterface = LIBINTERFACE;
-unsigned int lwres_librevision = LIBREVISION;
-unsigned int lwres_libage = LIBAGE;
+const char lwres_version[] = VERSION;
+
+const unsigned int lwres_libinterface = LIBINTERFACE;
+const unsigned int lwres_librevision = LIBREVISION;
+const unsigned int lwres_libage = LIBAGE;
diff --git a/lib/lwres/win32/DLLMain.c b/lib/lwres/win32/DLLMain.c
index a5596a5f..f35fa81b 100644
--- a/lib/lwres/win32/DLLMain.c
+++ b/lib/lwres/win32/DLLMain.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: DLLMain.c,v 1.2.2.3 2007/06/18 23:45:28 tbox Exp $ */
+/* $Id: DLLMain.c,v 1.2.206.1 2004/03/06 08:15:44 marka Exp $ */
 
 #include <windows.h>
 #include <signal.h>
 
+BOOL InitSockets(void);
+
 /*
  * Called when we enter the DLL
  */
diff --git a/lib/lwres/win32/Makefile.in b/lib/lwres/win32/Makefile.in
index feb38b68..9b410635 100644
--- a/lib/lwres/win32/Makefile.in
+++ b/lib/lwres/win32/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.1.2.1 2004/03/09 06:12:42 marka Exp $
+# $Id: Makefile.in,v 1.1.206.1 2004/03/06 08:15:44 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/lwres/win32/include/Makefile.in b/lib/lwres/win32/include/Makefile.in
index 38151fa9..cefa56b1 100644
--- a/lib/lwres/win32/include/Makefile.in
+++ b/lib/lwres/win32/include/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.1.2.1 2004/03/09 06:12:43 marka Exp $
+# $Id: Makefile.in,v 1.1.206.1 2004/03/06 08:15:45 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/lwres/win32/include/lwres/Makefile.in b/lib/lwres/win32/include/lwres/Makefile.in
index c92934e3..39d6020d 100644
--- a/lib/lwres/win32/include/lwres/Makefile.in
+++ b/lib/lwres/win32/include/lwres/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.1.2.1 2004/03/09 06:12:43 marka Exp $
+# $Id: Makefile.in,v 1.1.206.1 2004/03/06 08:15:45 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/lwres/win32/include/lwres/int.h b/lib/lwres/win32/include/lwres/int.h
index 2b865662..96be81b9 100644
--- a/lib/lwres/win32/include/lwres/int.h
+++ b/lib/lwres/win32/include/lwres/int.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: int.h,v 1.1.2.1 2004/03/09 06:12:43 marka Exp $ */
+/* $Id: int.h,v 1.1.206.1 2004/03/06 08:15:45 marka Exp $ */
 
 #ifndef LWRES_INT_H
 #define LWRES_INT_H 1
diff --git a/lib/lwres/win32/include/lwres/net.h b/lib/lwres/win32/include/lwres/net.h
index 5f2f24e6..a603f692 100644
--- a/lib/lwres/win32/include/lwres/net.h
+++ b/lib/lwres/win32/include/lwres/net.h
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2002  Internet Software Consortium.
+ * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: net.h,v 1.2.2.3 2004/03/09 06:12:43 marka Exp $ */
+/* $Id: net.h,v 1.2.2.2.8.3 2004/03/08 09:05:13 marka Exp $ */
 
 #ifndef LWRES_NET_H
 #define LWRES_NET_H 1
@@ -77,7 +77,7 @@
 #undef FD_CLR
 #define FD_CLR(fd, set) do { \
     u_int __i; \
-    for (__i = 0; __i < ((fd_set FAR *)(set))->fd_count ; __i++) { \
+    for (__i = 0; __i < ((fd_set FAR *)(set))->fd_count; __i++) { \
         if (((fd_set FAR *)(set))->fd_array[__i] == (SOCKET) fd) { \
             while (__i < ((fd_set FAR *)(set))->fd_count-1) { \
                 ((fd_set FAR *)(set))->fd_array[__i] = \
diff --git a/lib/lwres/win32/include/lwres/netdb.h b/lib/lwres/win32/include/lwres/netdb.h
index b262291a..132301b0 100644
--- a/lib/lwres/win32/include/lwres/netdb.h
+++ b/lib/lwres/win32/include/lwres/netdb.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: netdb.h,v 1.2.2.1 2004/03/09 06:12:44 marka Exp $ */
+/* $Id: netdb.h,v 1.2.206.1 2004/03/06 08:15:46 marka Exp $ */
 
 #ifndef LWRES_NETDB_H
 #define LWRES_NETDB_H 1
diff --git a/lib/lwres/win32/include/lwres/platform.h b/lib/lwres/win32/include/lwres/platform.h
index b87a2196..d2685b87 100644
--- a/lib/lwres/win32/include/lwres/platform.h
+++ b/lib/lwres/win32/include/lwres/platform.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: platform.h,v 1.4.2.3 2007/06/18 23:45:28 tbox Exp $ */
+/* $Id: platform.h,v 1.4.206.1 2004/03/06 08:15:46 marka Exp $ */
 
 #ifndef LWRES_PLATFORM_H
 #define LWRES_PLATFORM_H 1
@@ -92,11 +92,4 @@ do { \
 #undef  close
 #define close closesocket
 
-/*
- * Internal to liblwres.
- */
-void InitSockets(void);
-
-void DestroySockets(void);
-
 #endif /* LWRES_PLATFORM_H */
diff --git a/lib/lwres/win32/liblwres.def b/lib/lwres/win32/liblwres.def
index 54bc85bb..e3638fcb 100644
--- a/lib/lwres/win32/liblwres.def
+++ b/lib/lwres/win32/liblwres.def
@@ -1,78 +1,78 @@
-LIBRARY liblwres

-

-; Exported Functions

-EXPORTS

-

-lwres_context_create

-lwres_context_destroy

-lwres_context_nextserial

-lwres_context_initserial

-lwres_context_freemem

-lwres_context_allocmem

-lwres_context_getsocket

-lwres_context_send

-lwres_context_recv

-lwres_context_sendrecv

-lwres_buffer_init

-lwres_buffer_invalidate

-lwres_buffer_add

-lwres_buffer_subtract

-lwres_buffer_clear

-lwres_buffer_first

-lwres_buffer_forward

-lwres_buffer_back

-lwres_buffer_getuint8

-lwres_buffer_putuint8

-lwres_buffer_getuint16

-lwres_buffer_putuint16

-lwres_buffer_getuint32

-lwres_buffer_putuint32

-lwres_buffer_putmem

-lwres_buffer_getmem

-lwres_lwpacket_renderheader

-lwres_lwpacket_parseheader

-lwres_gabnrequest_render

-lwres_gabnresponse_render

-lwres_gabnrequest_parse

-lwres_gabnresponse_parse

-lwres_gabnrequest_free

-lwres_gabnresponse_free

-lwres_gnbarequest_render

-lwres_gnbaresponse_render

-lwres_gnbarequest_parse

-lwres_gnbaresponse_parse

-lwres_gnbarequest_free

-lwres_gnbaresponse_free

-lwres_grbnrequest_render

-lwres_grbnresponse_render

-lwres_grbnrequest_parse

-lwres_grbnresponse_parse

-lwres_grbnrequest_free

-lwres_grbnresponse_free

-lwres_nooprequest_render

-lwres_noopresponse_render

-lwres_nooprequest_parse

-lwres_noopresponse_parse

-lwres_nooprequest_free

-lwres_noopresponse_free

-lwres_conf_parse

-lwres_conf_print

-lwres_conf_init

-lwres_conf_clear

-lwres_conf_get

-lwres_data_parse

-lwres_string_parse

-lwres_addr_parse

-lwres_net_ntop

-lwres_net_pton

-lwres_net_aton

-lwres_gethostbyname

-lwres_freeaddrinfo

-lwres_gai_strerror

-lwres_getaddrinfo

-

-; Exported Data

-

-EXPORTS

-

-;lwres_h_errno		DATA

+LIBRARY liblwres
+
+; Exported Functions
+EXPORTS
+
+lwres_context_create
+lwres_context_destroy
+lwres_context_nextserial
+lwres_context_initserial
+lwres_context_freemem
+lwres_context_allocmem
+lwres_context_getsocket
+lwres_context_send
+lwres_context_recv
+lwres_context_sendrecv
+lwres_buffer_init
+lwres_buffer_invalidate
+lwres_buffer_add
+lwres_buffer_subtract
+lwres_buffer_clear
+lwres_buffer_first
+lwres_buffer_forward
+lwres_buffer_back
+lwres_buffer_getuint8
+lwres_buffer_putuint8
+lwres_buffer_getuint16
+lwres_buffer_putuint16
+lwres_buffer_getuint32
+lwres_buffer_putuint32
+lwres_buffer_putmem
+lwres_buffer_getmem
+lwres_lwpacket_renderheader
+lwres_lwpacket_parseheader
+lwres_gabnrequest_render
+lwres_gabnresponse_render
+lwres_gabnrequest_parse
+lwres_gabnresponse_parse
+lwres_gabnrequest_free
+lwres_gabnresponse_free
+lwres_gnbarequest_render
+lwres_gnbaresponse_render
+lwres_gnbarequest_parse
+lwres_gnbaresponse_parse
+lwres_gnbarequest_free
+lwres_gnbaresponse_free
+lwres_grbnrequest_render
+lwres_grbnresponse_render
+lwres_grbnrequest_parse
+lwres_grbnresponse_parse
+lwres_grbnrequest_free
+lwres_grbnresponse_free
+lwres_nooprequest_render
+lwres_noopresponse_render
+lwres_nooprequest_parse
+lwres_noopresponse_parse
+lwres_nooprequest_free
+lwres_noopresponse_free
+lwres_conf_parse
+lwres_conf_print
+lwres_conf_init
+lwres_conf_clear
+lwres_conf_get
+lwres_data_parse
+lwres_string_parse
+lwres_addr_parse
+lwres_net_ntop
+lwres_net_pton
+lwres_net_aton
+lwres_gethostbyname
+lwres_freeaddrinfo
+lwres_gai_strerror
+lwres_getaddrinfo
+
+; Exported Data
+
+EXPORTS
+
+;lwres_h_errno		DATA
diff --git a/lib/lwres/win32/liblwres.dsp b/lib/lwres/win32/liblwres.dsp
index 363e3095..02300ac8 100644
--- a/lib/lwres/win32/liblwres.dsp
+++ b/lib/lwres/win32/liblwres.dsp
@@ -1,245 +1,241 @@
-# Microsoft Developer Studio Project File - Name="liblwres" - Package Owner=<4>

-# Microsoft Developer Studio Generated Build File, Format Version 6.00

-# ** DO NOT EDIT **

-

-# TARGTYPE "Win32 (x86) Dynamic-Link Library" 0x0102

-

-CFG=liblwres - Win32 Debug

-!MESSAGE This is not a valid makefile. To build this project using NMAKE,

-!MESSAGE use the Export Makefile command and run

-!MESSAGE 

-!MESSAGE NMAKE /f "liblwres.mak".

-!MESSAGE 

-!MESSAGE You can specify a configuration when running NMAKE

-!MESSAGE by defining the macro CFG on the command line. For example:

-!MESSAGE 

-!MESSAGE NMAKE /f "liblwres.mak" CFG="liblwres - Win32 Debug"

-!MESSAGE 

-!MESSAGE Possible choices for configuration are:

-!MESSAGE 

-!MESSAGE "liblwres - Win32 Release" (based on "Win32 (x86) Dynamic-Link Library")

-!MESSAGE "liblwres - Win32 Debug" (based on "Win32 (x86) Dynamic-Link Library")

-!MESSAGE 

-

-# Begin Project

-# PROP AllowPerConfigDependencies 0

-# PROP Scc_ProjName ""

-# PROP Scc_LocalPath ""

-CPP=cl.exe

-MTL=midl.exe

-RSC=rc.exe

-

-!IF  "$(CFG)" == "liblwres - Win32 Release"

-

-# PROP BASE Use_MFC 0

-# PROP BASE Use_Debug_Libraries 0

-# PROP BASE Output_Dir "Release"

-# PROP BASE Intermediate_Dir "Release"

-# PROP BASE Target_Dir ""

-# PROP Use_MFC 0

-# PROP Use_Debug_Libraries 0

-# PROP Output_Dir "Release"

-# PROP Intermediate_Dir "Release"

-# PROP Ignore_Export_Lib 0

-# PROP Target_Dir ""

-# ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "liblwres_EXPORTS" /YX /FD /c

-# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../lib/lwres/win32/include/lwres" /I "include" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /I "../..../lib/dns/sec/openssl/include" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBLWRES_EXPORTS" /YX /FD /c

-# SUBTRACT CPP /X

-# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32

-# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32

-# ADD BASE RSC /l 0x409 /d "NDEBUG"

-# ADD RSC /l 0x409 /d "NDEBUG"

-BSC32=bscmake.exe

-# ADD BASE BSC32 /nologo

-# ADD BSC32 /nologo

-LINK32=link.exe

-# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386

-# ADD LINK32 user32.lib advapi32.lib ws2_32.lib /nologo /dll /machine:I386 /out:"../../../Build/Release/liblwres.dll"

-

-!ELSEIF  "$(CFG)" == "liblwres - Win32 Debug"

-

-# PROP BASE Use_MFC 0

-# PROP BASE Use_Debug_Libraries 1

-# PROP BASE Output_Dir "Debug"

-# PROP BASE Intermediate_Dir "Debug"

-# PROP BASE Target_Dir ""

-# PROP Use_MFC 0

-# PROP Use_Debug_Libraries 1

-# PROP Output_Dir "Debug"

-# PROP Intermediate_Dir "Debug"

-# PROP Ignore_Export_Lib 0

-# PROP Target_Dir ""

-# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "liblwres_EXPORTS" /YX /FD /GZ /c

-# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../lib/lwres/win32/include/lwres" /I "include" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/include" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBLWRES_EXPORTS" /FR /YX /FD /GZ /c

-# SUBTRACT CPP /X

-# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32

-# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32

-# ADD BASE RSC /l 0x409 /d "_DEBUG"

-# ADD RSC /l 0x409 /d "_DEBUG"

-BSC32=bscmake.exe

-# ADD BASE BSC32 /nologo

-# ADD BSC32 /nologo

-LINK32=link.exe

-# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept

-# ADD LINK32 user32.lib advapi32.lib ws2_32.lib /nologo /dll /debug /machine:I386 /out:"../../../Build/Debug/liblwres.dll" /pdbtype:sept

-

-!ENDIF 

-

-# Begin Target

-

-# Name "liblwres - Win32 Release"

-# Name "liblwres - Win32 Debug"

-# Begin Group "Source Files"

-

-# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"

-# Begin Source File

-

-SOURCE=..\context.c

-# End Source File

-# Begin Source File

-

-SOURCE=.\DLLMain.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\gai_strerror.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\getaddrinfo.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\gethost.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\getipnode.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\getnameinfo.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\getrrset.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\herror.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\lwbuffer.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\lwconfig.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\lwinetaton.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\lwinetntop.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\lwinetpton.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\lwpacket.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\lwres_gabn.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\lwres_gnba.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\lwres_grbn.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\lwres_noop.c

-# End Source File

-# Begin Source File

-

-SOURCE=..\lwresutil.c

-# End Source File

-# Begin Source File

-

-SOURCE=.\socket.c

-# End Source File

-# Begin Source File

-

-SOURCE=.\version.c

-# End Source File

-# End Group

-# Begin Group "Header Files"

-

-# PROP Default_Filter "h;hpp;hxx;hm;inl"

-# Begin Source File

-

-SOURCE=..\include\lwres\context.h

-# End Source File

-# Begin Source File

-

-SOURCE=.\include\lwres\int.h

-# End Source File

-# Begin Source File

-

-SOURCE=..\include\lwres\ipv6.h

-# End Source File

-# Begin Source File

-

-SOURCE=..\include\lwres\lang.h

-# End Source File

-# Begin Source File

-

-SOURCE=..\include\lwres\list.h

-# End Source File

-# Begin Source File

-

-SOURCE=..\include\lwres\lwbuffer.h

-# End Source File

-# Begin Source File

-

-SOURCE=..\include\lwres\lwpacket.h

-# End Source File

-# Begin Source File

-

-SOURCE=..\include\lwres\lwres.h

-# End Source File

-# Begin Source File

-

-SOURCE=.\include\lwres\net.h

-# End Source File

-# Begin Source File

-

-SOURCE=.\include\lwres\netdb.h

-# End Source File

-# Begin Source File

-

-SOURCE=.\include\lwres\platform.h

-# End Source File

-# Begin Source File

-

-SOURCE=..\include\lwres\result.h

-# End Source File

-# End Group

-# Begin Group "Resource Files"

-

-# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"

-# End Group

-# Begin Source File

-

-SOURCE=.\liblwres.def

-# End Source File

-# End Target

-# End Project

+# Microsoft Developer Studio Project File - Name="liblwres" - Package Owner=<4>
+# Microsoft Developer Studio Generated Build File, Format Version 6.00
+# ** DO NOT EDIT **
+
+# TARGTYPE "Win32 (x86) Dynamic-Link Library" 0x0102
+
+CFG=liblwres - Win32 Debug
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,
+!MESSAGE use the Export Makefile command and run
+!MESSAGE 
+!MESSAGE NMAKE /f "liblwres.mak".
+!MESSAGE 
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "liblwres.mak" CFG="liblwres - Win32 Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "liblwres - Win32 Release" (based on "Win32 (x86) Dynamic-Link Library")
+!MESSAGE "liblwres - Win32 Debug" (based on "Win32 (x86) Dynamic-Link Library")
+!MESSAGE 
+
+# Begin Project
+# PROP AllowPerConfigDependencies 0
+# PROP Scc_ProjName ""
+# PROP Scc_LocalPath ""
+CPP=cl.exe
+MTL=midl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "liblwres - Win32 Release"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 0
+# PROP BASE Output_Dir "Release"
+# PROP BASE Intermediate_Dir "Release"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 0
+# PROP Output_Dir "Release"
+# PROP Intermediate_Dir "Release"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "liblwres_EXPORTS" /YX /FD /c
+# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../lib/lwres/win32/include/lwres" /I "include" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /I "../..../lib/dns/sec/openssl/include" /I "../../../lib/dns/sec/dst/include" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBLWRES_EXPORTS" /YX /FD /c
+# SUBTRACT CPP /X
+# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32
+# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32
+# ADD BASE RSC /l 0x409 /d "NDEBUG"
+# ADD RSC /l 0x409 /d "NDEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib iphlpapi.lib /nologo /dll /machine:I386 /out:"../../../Build/Release/liblwres.dll"
+
+!ELSEIF  "$(CFG)" == "liblwres - Win32 Debug"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 1
+# PROP BASE Output_Dir "Debug"
+# PROP BASE Intermediate_Dir "Debug"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 1
+# PROP Output_Dir "Debug"
+# PROP Intermediate_Dir "Debug"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "liblwres_EXPORTS" /YX /FD /GZ /c
+# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../lib/lwres/win32/include/lwres" /I "include" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/include" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBLWRES_EXPORTS" /FR /YX /FD /GZ /c
+# SUBTRACT CPP /X
+# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32
+# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32
+# ADD BASE RSC /l 0x409 /d "_DEBUG"
+# ADD RSC /l 0x409 /d "_DEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib iphlpapi.lib /nologo /dll /debug /machine:I386 /out:"../../../Build/Debug/liblwres.dll" /pdbtype:sept
+
+!ENDIF 
+
+# Begin Target
+
+# Name "liblwres - Win32 Release"
+# Name "liblwres - Win32 Debug"
+# Begin Group "Source Files"
+
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
+# Begin Source File
+
+SOURCE=..\context.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\DLLMain.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\gai_strerror.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\getaddrinfo.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\gethost.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\getipnode.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\getnameinfo.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\getrrset.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\herror.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\lwbuffer.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\lwconfig.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\lwinetaton.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\lwinetntop.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\lwinetpton.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\lwpacket.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\lwres_gabn.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\lwres_gnba.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\lwres_grbn.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\lwres_noop.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\lwresutil.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\version.c
+# End Source File
+# End Group
+# Begin Group "Header Files"
+
+# PROP Default_Filter "h;hpp;hxx;hm;inl"
+# Begin Source File
+
+SOURCE=..\include\lwres\context.h
+# End Source File
+# Begin Source File
+
+SOURCE=.\include\lwres\int.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\lwres\ipv6.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\lwres\lang.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\lwres\list.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\lwres\lwbuffer.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\lwres\lwpacket.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\lwres\lwres.h
+# End Source File
+# Begin Source File
+
+SOURCE=.\include\lwres\net.h
+# End Source File
+# Begin Source File
+
+SOURCE=.\include\lwres\netdb.h
+# End Source File
+# Begin Source File
+
+SOURCE=.\include\lwres\platform.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\lwres\result.h
+# End Source File
+# End Group
+# Begin Group "Resource Files"
+
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"
+# End Group
+# Begin Source File
+
+SOURCE=.\liblwres.def
+# End Source File
+# End Target
+# End Project
diff --git a/lib/lwres/win32/liblwres.dsw b/lib/lwres/win32/liblwres.dsw
index 06267b54..fa317209 100644
--- a/lib/lwres/win32/liblwres.dsw
+++ b/lib/lwres/win32/liblwres.dsw
@@ -1,29 +1,29 @@
-Microsoft Developer Studio Workspace File, Format Version 6.00

-# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!

-

-###############################################################################

-

-Project: "liblwres"=".\liblwres.dsp" - Package Owner=<4>

-

-Package=<5>

-{{{

-}}}

-

-Package=<4>

-{{{

-}}}

-

-###############################################################################

-

-Global:

-

-Package=<5>

-{{{

-}}}

-

-Package=<3>

-{{{

-}}}

-

-###############################################################################

-

+Microsoft Developer Studio Workspace File, Format Version 6.00
+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!
+
+###############################################################################
+
+Project: "liblwres"=".\liblwres.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+}}}
+
+###############################################################################
+
+Global:
+
+Package=<5>
+{{{
+}}}
+
+Package=<3>
+{{{
+}}}
+
+###############################################################################
+
diff --git a/lib/lwres/win32/liblwres.mak b/lib/lwres/win32/liblwres.mak
index 0e4c8ecc..9a55c46b 100644
--- a/lib/lwres/win32/liblwres.mak
+++ b/lib/lwres/win32/liblwres.mak
@@ -1,812 +1,655 @@
-# Microsoft Developer Studio Generated NMAKE File, Based on liblwres.dsp

-!IF "$(CFG)" == ""

-CFG=liblwres - Win32 Debug

-!MESSAGE No configuration specified. Defaulting to liblwres - Win32 Debug.

-!ENDIF 

-

-!IF "$(CFG)" != "liblwres - Win32 Release" && "$(CFG)" != "liblwres - Win32 Debug"

-!MESSAGE Invalid configuration "$(CFG)" specified.

-!MESSAGE You can specify a configuration when running NMAKE

-!MESSAGE by defining the macro CFG on the command line. For example:

-!MESSAGE 

-!MESSAGE NMAKE /f "liblwres.mak" CFG="liblwres - Win32 Debug"

-!MESSAGE 

-!MESSAGE Possible choices for configuration are:

-!MESSAGE 

-!MESSAGE "liblwres - Win32 Release" (based on "Win32 (x86) Dynamic-Link Library")

-!MESSAGE "liblwres - Win32 Debug" (based on "Win32 (x86) Dynamic-Link Library")

-!MESSAGE 

-!ERROR An invalid configuration is specified.

-!ENDIF 

-

-!IF "$(OS)" == "Windows_NT"

-NULL=

-!ELSE 

-NULL=nul

-!ENDIF 

-

-!IF  "$(CFG)" == "liblwres - Win32 Release"

-_VC_MANIFEST_INC=0

-_VC_MANIFEST_BASENAME=__VC80

-!ELSE

-_VC_MANIFEST_INC=1

-_VC_MANIFEST_BASENAME=__VC80.Debug

-!ENDIF

-

-####################################################

-# Specifying name of temporary resource file used only in incremental builds:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res

-!else

-_VC_MANIFEST_AUTO_RES=

-!endif

-

-####################################################

-# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-

-#MT_SPECIAL_RETURN=1090650113

-#MT_SPECIAL_SWITCH=-notify_resource_update

-MT_SPECIAL_RETURN=0

-MT_SPECIAL_SWITCH=

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \

-if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \

-rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \

-link $** /out:$@ $(LFLAGS)

-

-!else

-

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1

-

-!endif

-

-####################################################

-# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-

-#MT_SPECIAL_RETURN=1090650113

-#MT_SPECIAL_SWITCH=-notify_resource_update

-MT_SPECIAL_RETURN=0

-MT_SPECIAL_SWITCH=

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \

-if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \

-rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \

-link $** /out:$@ $(LFLAGS)

-

-!else

-

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2

-

-!endif

-####################################################

-# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-

-_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \

-    $(_VC_MANIFEST_BASENAME).auto.rc \

-    $(_VC_MANIFEST_BASENAME).auto.manifest

-

-!else

-

-_VC_MANIFEST_CLEAN=

-

-!endif

-

-!IF  "$(CFG)" == "liblwres - Win32 Release"

-

-OUTDIR=.\Release

-INTDIR=.\Release

-

-ALL : "..\..\..\Build\Release\liblwres.dll"

-

-

-CLEAN :

-	-@erase "$(INTDIR)\context.obj"

-	-@erase "$(INTDIR)\DLLMain.obj"

-	-@erase "$(INTDIR)\gai_strerror.obj"

-	-@erase "$(INTDIR)\getaddrinfo.obj"

-	-@erase "$(INTDIR)\gethost.obj"

-	-@erase "$(INTDIR)\getipnode.obj"

-	-@erase "$(INTDIR)\getnameinfo.obj"

-	-@erase "$(INTDIR)\getrrset.obj"

-	-@erase "$(INTDIR)\herror.obj"

-	-@erase "$(INTDIR)\lwbuffer.obj"

-	-@erase "$(INTDIR)\lwconfig.obj"

-	-@erase "$(INTDIR)\lwinetaton.obj"

-	-@erase "$(INTDIR)\lwinetntop.obj"

-	-@erase "$(INTDIR)\lwinetpton.obj"

-	-@erase "$(INTDIR)\lwpacket.obj"

-	-@erase "$(INTDIR)\lwres_gabn.obj"

-	-@erase "$(INTDIR)\lwres_gnba.obj"

-	-@erase "$(INTDIR)\lwres_grbn.obj"

-	-@erase "$(INTDIR)\lwres_noop.obj"

-	-@erase "$(INTDIR)\lwresutil.obj"

-	-@erase "$(INTDIR)\socket.obj"

-	-@erase "$(INTDIR)\vc60.idb"

-	-@erase "$(INTDIR)\socket.obj"

-	-@erase "$(INTDIR)\version.obj"

-	-@erase "$(OUTDIR)\liblwres.exp"

-	-@erase "$(OUTDIR)\liblwres.lib"

-	-@erase "..\..\..\Build\Release\liblwres.dll"

-	-@$(_VC_MANIFEST_CLEAN)

-

-"$(OUTDIR)" :

-    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"

-

-CPP=cl.exe

-CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../../../lib/lwres/win32/include/lwres" /I "include" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /I "../..../lib/dns/sec/openssl/include" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBLWRES_EXPORTS" /Fp"$(INTDIR)\liblwres.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 

-

-.c{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.c{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-MTL=midl.exe

-MTL_PROJ=/nologo /D "NDEBUG" /mktyplib203 /win32 

-RSC=rc.exe

-BSC32=bscmake.exe

-BSC32_FLAGS=/nologo /o"$(OUTDIR)\liblwres.bsc" 

-BSC32_SBRS= \

-	

-LINK32=link.exe

-LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib /nologo /dll /incremental:no /pdb:"$(OUTDIR)\liblwres.pdb" /machine:I386 /def:".\liblwres.def" /out:"../../../Build/Release/liblwres.dll" /implib:"$(OUTDIR)\liblwres.lib" 

-DEF_FILE= \

-	".\liblwres.def"

-LINK32_OBJS= \

-	"$(INTDIR)\context.obj" \

-	"$(INTDIR)\DLLMain.obj" \

-	"$(INTDIR)\gai_strerror.obj" \

-	"$(INTDIR)\getaddrinfo.obj" \

-	"$(INTDIR)\gethost.obj" \

-	"$(INTDIR)\getipnode.obj" \

-	"$(INTDIR)\getnameinfo.obj" \

-	"$(INTDIR)\getrrset.obj" \

-	"$(INTDIR)\herror.obj" \

-	"$(INTDIR)\lwbuffer.obj" \

-	"$(INTDIR)\lwconfig.obj" \

-	"$(INTDIR)\lwinetaton.obj" \

-	"$(INTDIR)\lwinetntop.obj" \

-	"$(INTDIR)\lwinetpton.obj" \

-	"$(INTDIR)\lwpacket.obj" \

-	"$(INTDIR)\lwres_gabn.obj" \

-	"$(INTDIR)\lwres_gnba.obj" \

-	"$(INTDIR)\lwres_grbn.obj" \

-	"$(INTDIR)\lwres_noop.obj" \

-	"$(INTDIR)\lwresutil.obj" \

-	"$(INTDIR)\socket.obj" \

-	"$(INTDIR)\version.obj"

-

-"..\..\..\Build\Release\liblwres.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)

-    $(LINK32) @<<

-  $(LINK32_FLAGS) $(LINK32_OBJS)

-<<

-  $(_VC_MANIFEST_EMBED_DLL)

-

-!ELSEIF  "$(CFG)" == "liblwres - Win32 Debug"

-

-OUTDIR=.\Debug

-INTDIR=.\Debug

-# Begin Custom Macros

-OutDir=.\Debug

-# End Custom Macros

-

-ALL : "..\..\..\Build\Debug\liblwres.dll" "$(OUTDIR)\liblwres.bsc"

-

-

-CLEAN :

-	-@erase "$(INTDIR)\context.obj"

-	-@erase "$(INTDIR)\context.sbr"

-	-@erase "$(INTDIR)\DLLMain.obj"

-	-@erase "$(INTDIR)\DLLMain.sbr"

-	-@erase "$(INTDIR)\gai_strerror.obj"

-	-@erase "$(INTDIR)\gai_strerror.sbr"

-	-@erase "$(INTDIR)\getaddrinfo.obj"

-	-@erase "$(INTDIR)\getaddrinfo.sbr"

-	-@erase "$(INTDIR)\gethost.obj"

-	-@erase "$(INTDIR)\gethost.sbr"

-	-@erase "$(INTDIR)\getipnode.obj"

-	-@erase "$(INTDIR)\getipnode.sbr"

-	-@erase "$(INTDIR)\getnameinfo.obj"

-	-@erase "$(INTDIR)\getnameinfo.sbr"

-	-@erase "$(INTDIR)\getrrset.obj"

-	-@erase "$(INTDIR)\getrrset.sbr"

-	-@erase "$(INTDIR)\herror.obj"

-	-@erase "$(INTDIR)\herror.sbr"

-	-@erase "$(INTDIR)\lwbuffer.obj"

-	-@erase "$(INTDIR)\lwbuffer.sbr"

-	-@erase "$(INTDIR)\lwconfig.obj"

-	-@erase "$(INTDIR)\lwconfig.sbr"

-	-@erase "$(INTDIR)\lwinetaton.obj"

-	-@erase "$(INTDIR)\lwinetaton.sbr"

-	-@erase "$(INTDIR)\lwinetntop.obj"

-	-@erase "$(INTDIR)\lwinetntop.sbr"

-	-@erase "$(INTDIR)\lwinetpton.obj"

-	-@erase "$(INTDIR)\lwinetpton.sbr"

-	-@erase "$(INTDIR)\lwpacket.obj"

-	-@erase "$(INTDIR)\lwpacket.sbr"

-	-@erase "$(INTDIR)\lwres_gabn.obj"

-	-@erase "$(INTDIR)\lwres_gabn.sbr"

-	-@erase "$(INTDIR)\lwres_gnba.obj"

-	-@erase "$(INTDIR)\lwres_gnba.sbr"

-	-@erase "$(INTDIR)\lwres_grbn.obj"

-	-@erase "$(INTDIR)\lwres_grbn.sbr"

-	-@erase "$(INTDIR)\lwres_noop.obj"

-	-@erase "$(INTDIR)\lwres_noop.sbr"

-	-@erase "$(INTDIR)\lwresutil.obj"

-	-@erase "$(INTDIR)\lwresutil.sbr"

-	-@erase "$(INTDIR)\socket.obj"

-	-@erase "$(INTDIR)\socket.sbr"

-	-@erase "$(INTDIR)\vc60.idb"

-	-@erase "$(INTDIR)\vc60.pdb"

-	-@erase "$(INTDIR)\socket.obj"

-	-@erase "$(INTDIR)\socket.sbr"

-	-@erase "$(INTDIR)\version.obj"

-	-@erase "$(INTDIR)\version.sbr"

-	-@erase "$(OUTDIR)\liblwres.bsc"

-	-@erase "$(OUTDIR)\liblwres.exp"

-	-@erase "$(OUTDIR)\liblwres.lib"

-	-@erase "$(OUTDIR)\liblwres.pdb"

-	-@erase "..\..\..\Build\Debug\liblwres.dll"

-	-@erase "..\..\..\Build\Debug\liblwres.ilk"

-	-@$(_VC_MANIFEST_CLEAN)

-

-"$(OUTDIR)" :

-    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"

-

-CPP=cl.exe

-CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../lib/lwres/win32/include/lwres" /I "include" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/include" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBLWRES_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\liblwres.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 

-

-.c{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.c{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-MTL=midl.exe

-MTL_PROJ=/nologo /D "_DEBUG" /mktyplib203 /win32 

-RSC=rc.exe

-BSC32=bscmake.exe

-BSC32_FLAGS=/nologo /o"$(OUTDIR)\liblwres.bsc" 

-BSC32_SBRS= \

-	"$(INTDIR)\context.sbr" \

-	"$(INTDIR)\DLLMain.sbr" \

-	"$(INTDIR)\gai_strerror.sbr" \

-	"$(INTDIR)\getaddrinfo.sbr" \

-	"$(INTDIR)\gethost.sbr" \

-	"$(INTDIR)\getipnode.sbr" \

-	"$(INTDIR)\getnameinfo.sbr" \

-	"$(INTDIR)\getrrset.sbr" \

-	"$(INTDIR)\herror.sbr" \

-	"$(INTDIR)\lwbuffer.sbr" \

-	"$(INTDIR)\lwconfig.sbr" \

-	"$(INTDIR)\lwinetaton.sbr" \

-	"$(INTDIR)\lwinetntop.sbr" \

-	"$(INTDIR)\lwinetpton.sbr" \

-	"$(INTDIR)\lwpacket.sbr" \

-	"$(INTDIR)\lwres_gabn.sbr" \

-	"$(INTDIR)\lwres_gnba.sbr" \

-	"$(INTDIR)\lwres_grbn.sbr" \

-	"$(INTDIR)\lwres_noop.sbr" \

-	"$(INTDIR)\lwresutil.sbr" \

-	"$(INTDIR)\version.sbr"

-

-"$(OUTDIR)\liblwres.bsc" : "$(OUTDIR)" $(BSC32_SBRS)

-    $(BSC32) @<<

-  $(BSC32_FLAGS) $(BSC32_SBRS)

-<<

-

-LINK32=link.exe

-LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib /nologo /dll /incremental:yes /pdb:"$(OUTDIR)\liblwres.pdb" /debug /machine:I386 /def:".\liblwres.def" /out:"../../../Build/Debug/liblwres.dll" /implib:"$(OUTDIR)\liblwres.lib" /pdbtype:sept 

-DEF_FILE= \

-	".\liblwres.def"

-LINK32_OBJS= \

-	"$(INTDIR)\context.obj" \

-	"$(INTDIR)\DLLMain.obj" \

-	"$(INTDIR)\gai_strerror.obj" \

-	"$(INTDIR)\getaddrinfo.obj" \

-	"$(INTDIR)\gethost.obj" \

-	"$(INTDIR)\getipnode.obj" \

-	"$(INTDIR)\getnameinfo.obj" \

-	"$(INTDIR)\getrrset.obj" \

-	"$(INTDIR)\herror.obj" \

-	"$(INTDIR)\lwbuffer.obj" \

-	"$(INTDIR)\lwconfig.obj" \

-	"$(INTDIR)\lwinetaton.obj" \

-	"$(INTDIR)\lwinetntop.obj" \

-	"$(INTDIR)\lwinetpton.obj" \

-	"$(INTDIR)\lwpacket.obj" \

-	"$(INTDIR)\lwres_gabn.obj" \

-	"$(INTDIR)\lwres_gnba.obj" \

-	"$(INTDIR)\lwres_grbn.obj" \

-	"$(INTDIR)\lwres_noop.obj" \

-	"$(INTDIR)\lwresutil.obj" \

-	"$(INTDIR)\socket.obj" \

-	"$(INTDIR)\version.obj"

-

-"..\..\..\Build\Debug\liblwres.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)

-    $(LINK32) @<<

-  $(LINK32_FLAGS) $(LINK32_OBJS)

-<<

-  $(_VC_MANIFEST_EMBED_DLL)

-

-!ENDIF 

-

-

-!IF "$(NO_EXTERNAL_DEPS)" != "1"

-!IF EXISTS("liblwres.dep")

-!INCLUDE "liblwres.dep"

-!ELSE 

-!MESSAGE Warning: cannot find "liblwres.dep"

-!ENDIF 

-!ENDIF 

-

-

-!IF "$(CFG)" == "liblwres - Win32 Release" || "$(CFG)" == "liblwres - Win32 Debug"

-SOURCE=..\context.c

-

-!IF  "$(CFG)" == "liblwres - Win32 Release"

-

-

-"$(INTDIR)\context.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "liblwres - Win32 Debug"

-

-

-"$(INTDIR)\context.obj"	"$(INTDIR)\context.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=.\DLLMain.c

-

-!IF  "$(CFG)" == "liblwres - Win32 Release"

-

-

-"$(INTDIR)\DLLMain.obj" : $(SOURCE) "$(INTDIR)"

-

-

-!ELSEIF  "$(CFG)" == "liblwres - Win32 Debug"

-

-

-"$(INTDIR)\DLLMain.obj"	"$(INTDIR)\DLLMain.sbr" : $(SOURCE) "$(INTDIR)"

-

-

-!ENDIF 

-

-SOURCE=..\gai_strerror.c

-

-!IF  "$(CFG)" == "liblwres - Win32 Release"

-

-

-"$(INTDIR)\gai_strerror.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "liblwres - Win32 Debug"

-

-

-"$(INTDIR)\gai_strerror.obj"	"$(INTDIR)\gai_strerror.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\getaddrinfo.c

-

-!IF  "$(CFG)" == "liblwres - Win32 Release"

-

-

-"$(INTDIR)\getaddrinfo.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "liblwres - Win32 Debug"

-

-

-"$(INTDIR)\getaddrinfo.obj"	"$(INTDIR)\getaddrinfo.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\gethost.c

-

-!IF  "$(CFG)" == "liblwres - Win32 Release"

-

-

-"$(INTDIR)\gethost.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "liblwres - Win32 Debug"

-

-

-"$(INTDIR)\gethost.obj"	"$(INTDIR)\gethost.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\getipnode.c

-

-!IF  "$(CFG)" == "liblwres - Win32 Release"

-

-

-"$(INTDIR)\getipnode.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "liblwres - Win32 Debug"

-

-

-"$(INTDIR)\getipnode.obj"	"$(INTDIR)\getipnode.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\getnameinfo.c

-

-!IF  "$(CFG)" == "liblwres - Win32 Release"

-

-

-"$(INTDIR)\getnameinfo.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "liblwres - Win32 Debug"

-

-

-"$(INTDIR)\getnameinfo.obj"	"$(INTDIR)\getnameinfo.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\getrrset.c

-

-!IF  "$(CFG)" == "liblwres - Win32 Release"

-

-

-"$(INTDIR)\getrrset.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "liblwres - Win32 Debug"

-

-

-"$(INTDIR)\getrrset.obj"	"$(INTDIR)\getrrset.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\herror.c

-

-!IF  "$(CFG)" == "liblwres - Win32 Release"

-

-

-"$(INTDIR)\herror.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "liblwres - Win32 Debug"

-

-

-"$(INTDIR)\herror.obj"	"$(INTDIR)\herror.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\lwbuffer.c

-

-!IF  "$(CFG)" == "liblwres - Win32 Release"

-

-

-"$(INTDIR)\lwbuffer.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "liblwres - Win32 Debug"

-

-

-"$(INTDIR)\lwbuffer.obj"	"$(INTDIR)\lwbuffer.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\lwconfig.c

-

-!IF  "$(CFG)" == "liblwres - Win32 Release"

-

-

-"$(INTDIR)\lwconfig.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "liblwres - Win32 Debug"

-

-

-"$(INTDIR)\lwconfig.obj"	"$(INTDIR)\lwconfig.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\lwinetaton.c

-

-!IF  "$(CFG)" == "liblwres - Win32 Release"

-

-

-"$(INTDIR)\lwinetaton.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "liblwres - Win32 Debug"

-

-

-"$(INTDIR)\lwinetaton.obj"	"$(INTDIR)\lwinetaton.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\lwinetntop.c

-

-!IF  "$(CFG)" == "liblwres - Win32 Release"

-

-

-"$(INTDIR)\lwinetntop.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "liblwres - Win32 Debug"

-

-

-"$(INTDIR)\lwinetntop.obj"	"$(INTDIR)\lwinetntop.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\lwinetpton.c

-

-!IF  "$(CFG)" == "liblwres - Win32 Release"

-

-

-"$(INTDIR)\lwinetpton.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "liblwres - Win32 Debug"

-

-

-"$(INTDIR)\lwinetpton.obj"	"$(INTDIR)\lwinetpton.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\lwpacket.c

-

-!IF  "$(CFG)" == "liblwres - Win32 Release"

-

-

-"$(INTDIR)\lwpacket.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "liblwres - Win32 Debug"

-

-

-"$(INTDIR)\lwpacket.obj"	"$(INTDIR)\lwpacket.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\lwres_gabn.c

-

-!IF  "$(CFG)" == "liblwres - Win32 Release"

-

-

-"$(INTDIR)\lwres_gabn.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "liblwres - Win32 Debug"

-

-

-"$(INTDIR)\lwres_gabn.obj"	"$(INTDIR)\lwres_gabn.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\lwres_gnba.c

-

-!IF  "$(CFG)" == "liblwres - Win32 Release"

-

-

-"$(INTDIR)\lwres_gnba.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "liblwres - Win32 Debug"

-

-

-"$(INTDIR)\lwres_gnba.obj"	"$(INTDIR)\lwres_gnba.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\lwres_grbn.c

-

-!IF  "$(CFG)" == "liblwres - Win32 Release"

-

-

-"$(INTDIR)\lwres_grbn.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "liblwres - Win32 Debug"

-

-

-"$(INTDIR)\lwres_grbn.obj"	"$(INTDIR)\lwres_grbn.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\lwres_noop.c

-

-!IF  "$(CFG)" == "liblwres - Win32 Release"

-

-

-"$(INTDIR)\lwres_noop.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "liblwres - Win32 Debug"

-

-

-"$(INTDIR)\lwres_noop.obj"	"$(INTDIR)\lwres_noop.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=..\lwresutil.c

-

-!IF  "$(CFG)" == "liblwres - Win32 Release"

-

-

-"$(INTDIR)\lwresutil.obj" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ELSEIF  "$(CFG)" == "liblwres - Win32 Debug"

-

-

-"$(INTDIR)\lwresutil.obj"	"$(INTDIR)\lwresutil.sbr" : $(SOURCE) "$(INTDIR)"

-	$(CPP) $(CPP_PROJ) $(SOURCE)

-

-

-!ENDIF 

-

-SOURCE=.\socket.c

-

-!IF  "$(CFG)" == "liblwres - Win32 Release"

-

-

-"$(INTDIR)\socket.obj" : $(SOURCE) "$(INTDIR)"

-

-

-!ELSEIF  "$(CFG)" == "liblwres - Win32 Debug"

-

-

-"$(INTDIR)\socket.obj"	"$(INTDIR)\socket.sbr" : $(SOURCE) "$(INTDIR)"

-

-

-!ENDIF 

-

-SOURCE=.\version.c

-

-!IF  "$(CFG)" == "liblwres - Win32 Release"

-

-

-"$(INTDIR)\version.obj" : $(SOURCE) "$(INTDIR)"

-

-

-!ELSEIF  "$(CFG)" == "liblwres - Win32 Debug"

-

-

-"$(INTDIR)\version.obj"	"$(INTDIR)\version.sbr" : $(SOURCE) "$(INTDIR)"

-

-

-!ENDIF 

-

-

-!ENDIF 

-

-####################################################

-# Commands to generate initial empty manifest file and the RC file

-# that references it, and for generating the .res file:

-

-$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc

-

-$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest

-    type <<$@

-#include <winuser.h>

-1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"

-<< KEEP

-

-$(_VC_MANIFEST_BASENAME).auto.manifest :

-    type <<$@

-<?xml version='1.0' encoding='UTF-8' standalone='yes'?>

-<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>

-</assembly>

-<< KEEP

+# Microsoft Developer Studio Generated NMAKE File, Based on liblwres.dsp
+!IF "$(CFG)" == ""
+CFG=liblwres - Win32 Debug
+!MESSAGE No configuration specified. Defaulting to liblwres - Win32 Debug.
+!ENDIF 
+
+!IF "$(CFG)" != "liblwres - Win32 Release" && "$(CFG)" != "liblwres - Win32 Debug"
+!MESSAGE Invalid configuration "$(CFG)" specified.
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "liblwres.mak" CFG="liblwres - Win32 Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "liblwres - Win32 Release" (based on "Win32 (x86) Dynamic-Link Library")
+!MESSAGE "liblwres - Win32 Debug" (based on "Win32 (x86) Dynamic-Link Library")
+!MESSAGE 
+!ERROR An invalid configuration is specified.
+!ENDIF 
+
+!IF "$(OS)" == "Windows_NT"
+NULL=
+!ELSE 
+NULL=nul
+!ENDIF 
+
+CPP=cl.exe
+MTL=midl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "liblwres - Win32 Release"
+
+OUTDIR=.\Release
+INTDIR=.\Release
+
+ALL : "..\..\..\Build\Release\liblwres.dll"
+
+
+CLEAN :
+	-@erase "$(INTDIR)\context.obj"
+	-@erase "$(INTDIR)\DLLMain.obj"
+	-@erase "$(INTDIR)\gai_strerror.obj"
+	-@erase "$(INTDIR)\getaddrinfo.obj"
+	-@erase "$(INTDIR)\gethost.obj"
+	-@erase "$(INTDIR)\getipnode.obj"
+	-@erase "$(INTDIR)\getnameinfo.obj"
+	-@erase "$(INTDIR)\getrrset.obj"
+	-@erase "$(INTDIR)\herror.obj"
+	-@erase "$(INTDIR)\lwbuffer.obj"
+	-@erase "$(INTDIR)\lwconfig.obj"
+	-@erase "$(INTDIR)\lwinetaton.obj"
+	-@erase "$(INTDIR)\lwinetntop.obj"
+	-@erase "$(INTDIR)\lwinetpton.obj"
+	-@erase "$(INTDIR)\lwpacket.obj"
+	-@erase "$(INTDIR)\lwres_gabn.obj"
+	-@erase "$(INTDIR)\lwres_gnba.obj"
+	-@erase "$(INTDIR)\lwres_grbn.obj"
+	-@erase "$(INTDIR)\lwres_noop.obj"
+	-@erase "$(INTDIR)\lwresutil.obj"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "$(INTDIR)\version.obj"
+	-@erase "$(OUTDIR)\liblwres.exp"
+	-@erase "$(OUTDIR)\liblwres.lib"
+	-@erase "..\..\..\Build\Release\liblwres.dll"
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../../../lib/lwres/win32/include/lwres" /I "include" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /I "../..../lib/dns/sec/openssl/include" /I "../../../lib/dns/sec/dst/include" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBLWRES_EXPORTS" /Fp"$(INTDIR)\liblwres.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+MTL_PROJ=/nologo /D "NDEBUG" /mktyplib203 /win32 
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\liblwres.bsc" 
+BSC32_SBRS= \
+	
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib iphlpapi.lib /nologo /dll /incremental:no /pdb:"$(OUTDIR)\liblwres.pdb" /machine:I386 /def:".\liblwres.def" /out:"../../../Build/Release/liblwres.dll" /implib:"$(OUTDIR)\liblwres.lib" 
+DEF_FILE= \
+	".\liblwres.def"
+LINK32_OBJS= \
+	"$(INTDIR)\context.obj" \
+	"$(INTDIR)\DLLMain.obj" \
+	"$(INTDIR)\gai_strerror.obj" \
+	"$(INTDIR)\getaddrinfo.obj" \
+	"$(INTDIR)\gethost.obj" \
+	"$(INTDIR)\getipnode.obj" \
+	"$(INTDIR)\getnameinfo.obj" \
+	"$(INTDIR)\getrrset.obj" \
+	"$(INTDIR)\herror.obj" \
+	"$(INTDIR)\lwbuffer.obj" \
+	"$(INTDIR)\lwinetaton.obj" \
+	"$(INTDIR)\lwinetntop.obj" \
+	"$(INTDIR)\lwinetpton.obj" \
+	"$(INTDIR)\lwpacket.obj" \
+	"$(INTDIR)\lwres_gabn.obj" \
+	"$(INTDIR)\lwres_gnba.obj" \
+	"$(INTDIR)\lwres_grbn.obj" \
+	"$(INTDIR)\lwres_noop.obj" \
+	"$(INTDIR)\lwresutil.obj" \
+	"$(INTDIR)\version.obj" \
+	"$(INTDIR)\lwconfig.obj"
+
+"..\..\..\Build\Release\liblwres.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+
+!ELSEIF  "$(CFG)" == "liblwres - Win32 Debug"
+
+OUTDIR=.\Debug
+INTDIR=.\Debug
+# Begin Custom Macros
+OutDir=.\Debug
+# End Custom Macros
+
+ALL : "..\..\..\Build\Debug\liblwres.dll" "$(OUTDIR)\liblwres.bsc"
+
+
+CLEAN :
+	-@erase "$(INTDIR)\context.obj"
+	-@erase "$(INTDIR)\context.sbr"
+	-@erase "$(INTDIR)\DLLMain.obj"
+	-@erase "$(INTDIR)\DLLMain.sbr"
+	-@erase "$(INTDIR)\gai_strerror.obj"
+	-@erase "$(INTDIR)\gai_strerror.sbr"
+	-@erase "$(INTDIR)\getaddrinfo.obj"
+	-@erase "$(INTDIR)\getaddrinfo.sbr"
+	-@erase "$(INTDIR)\gethost.obj"
+	-@erase "$(INTDIR)\gethost.sbr"
+	-@erase "$(INTDIR)\getipnode.obj"
+	-@erase "$(INTDIR)\getipnode.sbr"
+	-@erase "$(INTDIR)\getnameinfo.obj"
+	-@erase "$(INTDIR)\getnameinfo.sbr"
+	-@erase "$(INTDIR)\getrrset.obj"
+	-@erase "$(INTDIR)\getrrset.sbr"
+	-@erase "$(INTDIR)\herror.obj"
+	-@erase "$(INTDIR)\herror.sbr"
+	-@erase "$(INTDIR)\lwbuffer.obj"
+	-@erase "$(INTDIR)\lwbuffer.sbr"
+	-@erase "$(INTDIR)\lwconfig.obj"
+	-@erase "$(INTDIR)\lwconfig.sbr"
+	-@erase "$(INTDIR)\lwinetaton.obj"
+	-@erase "$(INTDIR)\lwinetaton.sbr"
+	-@erase "$(INTDIR)\lwinetntop.obj"
+	-@erase "$(INTDIR)\lwinetntop.sbr"
+	-@erase "$(INTDIR)\lwinetpton.obj"
+	-@erase "$(INTDIR)\lwinetpton.sbr"
+	-@erase "$(INTDIR)\lwpacket.obj"
+	-@erase "$(INTDIR)\lwpacket.sbr"
+	-@erase "$(INTDIR)\lwres_gabn.obj"
+	-@erase "$(INTDIR)\lwres_gabn.sbr"
+	-@erase "$(INTDIR)\lwres_gnba.obj"
+	-@erase "$(INTDIR)\lwres_gnba.sbr"
+	-@erase "$(INTDIR)\lwres_grbn.obj"
+	-@erase "$(INTDIR)\lwres_grbn.sbr"
+	-@erase "$(INTDIR)\lwres_noop.obj"
+	-@erase "$(INTDIR)\lwres_noop.sbr"
+	-@erase "$(INTDIR)\lwresutil.obj"
+	-@erase "$(INTDIR)\lwresutil.sbr"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "$(INTDIR)\vc60.pdb"
+	-@erase "$(INTDIR)\version.obj"
+	-@erase "$(INTDIR)\version.sbr"
+	-@erase "$(OUTDIR)\liblwres.bsc"
+	-@erase "$(OUTDIR)\liblwres.exp"
+	-@erase "$(OUTDIR)\liblwres.lib"
+	-@erase "$(OUTDIR)\liblwres.pdb"
+	-@erase "..\..\..\Build\Debug\liblwres.dll"
+	-@erase "..\..\..\Build\Debug\liblwres.ilk"
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../lib/lwres/win32/include/lwres" /I "include" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/include" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBLWRES_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\liblwres.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+MTL_PROJ=/nologo /D "_DEBUG" /mktyplib203 /win32 
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\liblwres.bsc" 
+BSC32_SBRS= \
+	"$(INTDIR)\context.sbr" \
+	"$(INTDIR)\DLLMain.sbr" \
+	"$(INTDIR)\gai_strerror.sbr" \
+	"$(INTDIR)\getaddrinfo.sbr" \
+	"$(INTDIR)\gethost.sbr" \
+	"$(INTDIR)\getipnode.sbr" \
+	"$(INTDIR)\getnameinfo.sbr" \
+	"$(INTDIR)\getrrset.sbr" \
+	"$(INTDIR)\herror.sbr" \
+	"$(INTDIR)\lwbuffer.sbr" \
+	"$(INTDIR)\lwinetaton.sbr" \
+	"$(INTDIR)\lwinetntop.sbr" \
+	"$(INTDIR)\lwinetpton.sbr" \
+	"$(INTDIR)\lwpacket.sbr" \
+	"$(INTDIR)\lwres_gabn.sbr" \
+	"$(INTDIR)\lwres_gnba.sbr" \
+	"$(INTDIR)\lwres_grbn.sbr" \
+	"$(INTDIR)\lwres_noop.sbr" \
+	"$(INTDIR)\lwresutil.sbr" \
+	"$(INTDIR)\version.sbr" \
+	"$(INTDIR)\lwconfig.sbr"
+
+"$(OUTDIR)\liblwres.bsc" : "$(OUTDIR)" $(BSC32_SBRS)
+    $(BSC32) @<<
+  $(BSC32_FLAGS) $(BSC32_SBRS)
+<<
+
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib iphlpapi.lib /nologo /dll /incremental:yes /pdb:"$(OUTDIR)\liblwres.pdb" /debug /machine:I386 /def:".\liblwres.def" /out:"../../../Build/Debug/liblwres.dll" /implib:"$(OUTDIR)\liblwres.lib" /pdbtype:sept 
+DEF_FILE= \
+	".\liblwres.def"
+LINK32_OBJS= \
+	"$(INTDIR)\context.obj" \
+	"$(INTDIR)\DLLMain.obj" \
+	"$(INTDIR)\gai_strerror.obj" \
+	"$(INTDIR)\getaddrinfo.obj" \
+	"$(INTDIR)\gethost.obj" \
+	"$(INTDIR)\getipnode.obj" \
+	"$(INTDIR)\getnameinfo.obj" \
+	"$(INTDIR)\getrrset.obj" \
+	"$(INTDIR)\herror.obj" \
+	"$(INTDIR)\lwbuffer.obj" \
+	"$(INTDIR)\lwinetaton.obj" \
+	"$(INTDIR)\lwinetntop.obj" \
+	"$(INTDIR)\lwinetpton.obj" \
+	"$(INTDIR)\lwpacket.obj" \
+	"$(INTDIR)\lwres_gabn.obj" \
+	"$(INTDIR)\lwres_gnba.obj" \
+	"$(INTDIR)\lwres_grbn.obj" \
+	"$(INTDIR)\lwres_noop.obj" \
+	"$(INTDIR)\lwresutil.obj" \
+	"$(INTDIR)\version.obj" \
+	"$(INTDIR)\lwconfig.obj"
+
+"..\..\..\Build\Debug\liblwres.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+
+!ENDIF 
+
+.c{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+
+!IF "$(NO_EXTERNAL_DEPS)" != "1"
+!IF EXISTS("liblwres.dep")
+!INCLUDE "liblwres.dep"
+!ELSE 
+!MESSAGE Warning: cannot find "liblwres.dep"
+!ENDIF 
+!ENDIF 
+
+
+!IF "$(CFG)" == "liblwres - Win32 Release" || "$(CFG)" == "liblwres - Win32 Debug"
+SOURCE=..\context.c
+
+!IF  "$(CFG)" == "liblwres - Win32 Release"
+
+
+"$(INTDIR)\context.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "liblwres - Win32 Debug"
+
+
+"$(INTDIR)\context.obj"	"$(INTDIR)\context.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=.\DLLMain.c
+
+!IF  "$(CFG)" == "liblwres - Win32 Release"
+
+
+"$(INTDIR)\DLLMain.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "liblwres - Win32 Debug"
+
+
+"$(INTDIR)\DLLMain.obj"	"$(INTDIR)\DLLMain.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF 
+
+SOURCE=..\gai_strerror.c
+
+!IF  "$(CFG)" == "liblwres - Win32 Release"
+
+
+"$(INTDIR)\gai_strerror.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "liblwres - Win32 Debug"
+
+
+"$(INTDIR)\gai_strerror.obj"	"$(INTDIR)\gai_strerror.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\getaddrinfo.c
+
+!IF  "$(CFG)" == "liblwres - Win32 Release"
+
+
+"$(INTDIR)\getaddrinfo.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "liblwres - Win32 Debug"
+
+
+"$(INTDIR)\getaddrinfo.obj"	"$(INTDIR)\getaddrinfo.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\gethost.c
+
+!IF  "$(CFG)" == "liblwres - Win32 Release"
+
+
+"$(INTDIR)\gethost.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "liblwres - Win32 Debug"
+
+
+"$(INTDIR)\gethost.obj"	"$(INTDIR)\gethost.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\getipnode.c
+
+!IF  "$(CFG)" == "liblwres - Win32 Release"
+
+
+"$(INTDIR)\getipnode.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "liblwres - Win32 Debug"
+
+
+"$(INTDIR)\getipnode.obj"	"$(INTDIR)\getipnode.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\getnameinfo.c
+
+!IF  "$(CFG)" == "liblwres - Win32 Release"
+
+
+"$(INTDIR)\getnameinfo.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "liblwres - Win32 Debug"
+
+
+"$(INTDIR)\getnameinfo.obj"	"$(INTDIR)\getnameinfo.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\getrrset.c
+
+!IF  "$(CFG)" == "liblwres - Win32 Release"
+
+
+"$(INTDIR)\getrrset.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "liblwres - Win32 Debug"
+
+
+"$(INTDIR)\getrrset.obj"	"$(INTDIR)\getrrset.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\herror.c
+
+!IF  "$(CFG)" == "liblwres - Win32 Release"
+
+
+"$(INTDIR)\herror.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "liblwres - Win32 Debug"
+
+
+"$(INTDIR)\herror.obj"	"$(INTDIR)\herror.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\lwbuffer.c
+
+!IF  "$(CFG)" == "liblwres - Win32 Release"
+
+
+"$(INTDIR)\lwbuffer.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "liblwres - Win32 Debug"
+
+
+"$(INTDIR)\lwbuffer.obj"	"$(INTDIR)\lwbuffer.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=.\lwconfig.c
+
+!IF  "$(CFG)" == "liblwres - Win32 Release"
+
+
+"$(INTDIR)\lwconfig.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "liblwres - Win32 Debug"
+
+
+"$(INTDIR)\lwconfig.obj"	"$(INTDIR)\lwconfig.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF 
+
+SOURCE=..\lwinetaton.c
+
+!IF  "$(CFG)" == "liblwres - Win32 Release"
+
+
+"$(INTDIR)\lwinetaton.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "liblwres - Win32 Debug"
+
+
+"$(INTDIR)\lwinetaton.obj"	"$(INTDIR)\lwinetaton.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\lwinetntop.c
+
+!IF  "$(CFG)" == "liblwres - Win32 Release"
+
+
+"$(INTDIR)\lwinetntop.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "liblwres - Win32 Debug"
+
+
+"$(INTDIR)\lwinetntop.obj"	"$(INTDIR)\lwinetntop.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\lwinetpton.c
+
+!IF  "$(CFG)" == "liblwres - Win32 Release"
+
+
+"$(INTDIR)\lwinetpton.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "liblwres - Win32 Debug"
+
+
+"$(INTDIR)\lwinetpton.obj"	"$(INTDIR)\lwinetpton.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\lwpacket.c
+
+!IF  "$(CFG)" == "liblwres - Win32 Release"
+
+
+"$(INTDIR)\lwpacket.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "liblwres - Win32 Debug"
+
+
+"$(INTDIR)\lwpacket.obj"	"$(INTDIR)\lwpacket.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\lwres_gabn.c
+
+!IF  "$(CFG)" == "liblwres - Win32 Release"
+
+
+"$(INTDIR)\lwres_gabn.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "liblwres - Win32 Debug"
+
+
+"$(INTDIR)\lwres_gabn.obj"	"$(INTDIR)\lwres_gabn.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\lwres_gnba.c
+
+!IF  "$(CFG)" == "liblwres - Win32 Release"
+
+
+"$(INTDIR)\lwres_gnba.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "liblwres - Win32 Debug"
+
+
+"$(INTDIR)\lwres_gnba.obj"	"$(INTDIR)\lwres_gnba.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\lwres_grbn.c
+
+!IF  "$(CFG)" == "liblwres - Win32 Release"
+
+
+"$(INTDIR)\lwres_grbn.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "liblwres - Win32 Debug"
+
+
+"$(INTDIR)\lwres_grbn.obj"	"$(INTDIR)\lwres_grbn.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\lwres_noop.c
+
+!IF  "$(CFG)" == "liblwres - Win32 Release"
+
+
+"$(INTDIR)\lwres_noop.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "liblwres - Win32 Debug"
+
+
+"$(INTDIR)\lwres_noop.obj"	"$(INTDIR)\lwres_noop.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\lwresutil.c
+
+!IF  "$(CFG)" == "liblwres - Win32 Release"
+
+
+"$(INTDIR)\lwresutil.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "liblwres - Win32 Debug"
+
+
+"$(INTDIR)\lwresutil.obj"	"$(INTDIR)\lwresutil.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=.\version.c
+
+!IF  "$(CFG)" == "liblwres - Win32 Release"
+
+
+"$(INTDIR)\version.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "liblwres - Win32 Debug"
+
+
+"$(INTDIR)\version.obj"	"$(INTDIR)\version.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF 
+
+
+!ENDIF 
+
diff --git a/lib/lwres/win32/lwconfig.c b/lib/lwres/win32/lwconfig.c
new file mode 100644
index 00000000..d15e8fd4
--- /dev/null
+++ b/lib/lwres/win32/lwconfig.c
@@ -0,0 +1,153 @@
+/*
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2002  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: lwconfig.c,v 1.1.222.3 2004/03/08 09:05:12 marka Exp $ */
+
+/*
+ * We do this so that we may incorporate everything in the main routines
+ * so that we can take advantage of the fixes and changes made there
+ * without having to add them twice. We can then call the parse routine
+ * if there is a resolv.conf file and fetch our own data from the
+ * Windows environment otherwise.
+ */
+
+/*
+ * Note that on Win32 there is normally no resolv.conf since all information
+ * is stored in the registry. Therefore there is no ordering like the
+ * contents of resolv.conf. Since the "search" or "domain" keyword, on
+ * Win32 if a search list is found it is used, otherwise the domain name
+ * is used since they are mutually exclusive. The search list can be entered
+ * in the DNS tab of the "Advanced TCP/IP settings" window under the same place
+ * that you add your nameserver list.
+ */
+
+#define lwres_conf_parse generic_lwres_conf_parse
+#include "../lwconfig.c"
+#undef lwres_conf_parse
+
+#include <iphlpapi.h>
+
+#define TCPIP_SUBKEY	\
+	"SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters"
+
+void
+get_win32_searchlist(lwres_context_t *ctx) {
+	HKEY hKey;
+	BOOL keyFound = TRUE;
+	char searchlist[MAX_PATH];
+	DWORD searchlen = MAX_PATH;
+	char *cp;
+	int idx;
+	lwres_conf_t *confdata;
+
+	REQUIRE(ctx != NULL);
+	confdata = &ctx->confdata;
+
+	memset(searchlist, 0, MAX_PATH);
+	if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, TCPIP_SUBKEY, 0, KEY_READ, &hKey)
+		!= ERROR_SUCCESS)
+		keyFound = FALSE;
+	
+	if (keyFound == TRUE) {
+		/* Get the named directory */
+		if (RegQueryValueEx(hKey, "SearchList", NULL, NULL,
+			(LPBYTE)searchlist, &searchlen) != ERROR_SUCCESS)
+			keyFound = FALSE;
+	}
+	
+	RegCloseKey(hKey);
+
+	confdata->searchnxt = 0;
+
+	idx = 0;
+	cp = strtok((char *)searchlist, ", \0");
+	while (cp != NULL) {
+		if (confdata->searchnxt == LWRES_CONFMAXSEARCH)
+			break;
+		if (strlen(cp) <= MAX_PATH && strlen(cp) > 0) {
+			confdata->search[idx] = lwres_strdup(ctx, cp);
+		}
+		idx++;
+		confdata->searchnxt++;
+		cp = strtok(NULL, ", \0");
+	}
+}
+
+lwres_result_t
+lwres_conf_parse(lwres_context_t *ctx, const char *filename) {
+	lwres_result_t ret = LWRES_R_SUCCESS;
+	lwres_result_t res;
+	lwres_conf_t *confdata;
+	FIXED_INFO * FixedInfo;
+	ULONG    BufLen = sizeof(FIXED_INFO);
+	DWORD    dwRetVal;
+	IP_ADDR_STRING *pIPAddr;
+
+	REQUIRE(ctx != NULL);
+	confdata = &ctx->confdata;
+	REQUIRE(confdata != NULL);
+
+	/* Use the resolver if there is one */
+	ret = generic_lwres_conf_parse(ctx, filename);
+	if (confdata->nsnext > 0)
+		return (ret);
+
+	/*
+	 * We didn't get any nameservers so we need to do this ourselves
+	 */
+	FixedInfo = (FIXED_INFO *) GlobalAlloc(GPTR, BufLen);
+	dwRetVal = GetNetworkParams(FixedInfo, &BufLen);
+	if (dwRetVal == ERROR_BUFFER_OVERFLOW) {
+		GlobalFree(FixedInfo);
+		FixedInfo = GlobalAlloc(GPTR, BufLen);
+		dwRetVal = GetNetworkParams(FixedInfo, &BufLen);
+	}
+	if (dwRetVal != ERROR_SUCCESS) {
+		GlobalFree(FixedInfo);
+		return (LWRES_R_FAILURE);
+	}
+
+	/* Get the search list from the registry */
+	get_win32_searchlist(ctx);
+
+	/* Use only if there is no search list */
+	if (confdata->searchnxt == 0) {
+		confdata->domainname = lwres_strdup(ctx, FixedInfo->DomainName);
+		if (confdata->domainname == NULL) {
+			GlobalFree(FixedInfo);
+			return (LWRES_R_FAILURE);
+		}
+	}
+
+	/* Get the list of nameservers */
+	pIPAddr = &FixedInfo->DnsServerList;
+	while (pIPAddr) {
+		if (confdata->nsnext >= LWRES_CONFMAXNAMESERVERS)
+			break;
+
+		res = lwres_create_addr(pIPAddr->IpAddress.String,
+				&confdata->nameservers[confdata->nsnext++], 1);
+		if (res != LWRES_R_SUCCESS) {
+			GlobalFree(FixedInfo);
+			return (res);
+		}
+		pIPAddr = pIPAddr ->Next;
+	}
+
+	GlobalFree(FixedInfo);
+	return (ret);
+}
diff --git a/lib/lwres/win32/version.c b/lib/lwres/win32/version.c
index a2d4d590..a6ce8316 100644
--- a/lib/lwres/win32/version.c
+++ b/lib/lwres/win32/version.c
@@ -15,12 +15,14 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: version.c,v 1.1.2.1 2004/03/09 06:12:42 marka Exp $ */
+/* $Id: version.c,v 1.1.12.3 2004/03/08 09:05:13 marka Exp $ */
 
 #include <versions.h>
 
-char lwres_version[] = VERSION;
+#include <lwres/version.h>
 
-unsigned int lwres_libinterface = LIBINTERFACE;
-unsigned int lwres_librevision = LIBREVISION;
-unsigned int lwres_libage = LIBAGE;
+LIBLWRES_EXTERNAL_DATA const char lwres_version[] = VERSION;
+
+LIBLWRES_EXTERNAL_DATA const unsigned int lwres_libinterface = LIBINTERFACE;
+LIBLWRES_EXTERNAL_DATA const unsigned int lwres_librevision = LIBREVISION;
+LIBLWRES_EXTERNAL_DATA const unsigned int lwres_libage = LIBAGE;
diff --git a/lib/tests/Makefile.in b/lib/tests/Makefile.in
index d873a5d2..a85fdb53 100644
--- a/lib/tests/Makefile.in
+++ b/lib/tests/Makefile.in
@@ -13,13 +13,13 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.14.2.7 2004/12/06 22:51:04 marka Exp $
+# $Id: Makefile.in,v 1.14.12.6 2004/03/06 08:15:46 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
 top_srcdir =	@top_srcdir@
 
-@BIND9_INCLUDES@
+@BIND9_MAKE_INCLUDES@
 
 CINCLUDES =	${DNS_INCLUDES} ${ISC_INCLUDES} ${TEST_INCLUDES}
 CDEFINES =
@@ -46,8 +46,8 @@ libt_api.@SA@: ${OBJS}
 
 libt_api.la: ${OBJS}
 	${LIBTOOL_MODE_LINK} \
-		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libt_api.la -rpath ${libdir} \
-		${OBJS} ${ISCLIBS} ${LIBS} @LIBTOOL_ALLOW_UNDEFINED@ @LIBTOOL_IN_MAIN@
+		${CC} ${ALL_CFLAGS} -o libt_api.la -rpath ${libdir} \
+		${OBJS} ${ISCLIBS} ${LIBS} -allow-undefined
 
 timestamp: libt_api.@A@
 	touch timestamp
diff --git a/lib/tests/T_testlist.imp b/lib/tests/T_testlist.imp
deleted file mode 100644
index 722caff2..00000000
--- a/lib/tests/T_testlist.imp
+++ /dev/null
@@ -1,3 +0,0 @@
-#! .
-
-T_testlist
diff --git a/lib/tests/include/Makefile.in b/lib/tests/include/Makefile.in
index 844e67f6..a16f0ed3 100644
--- a/lib/tests/include/Makefile.in
+++ b/lib/tests/include/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.8.2.1 2004/03/09 06:12:45 marka Exp $
+# $Id: Makefile.in,v 1.8.206.1 2004/03/06 08:15:47 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/tests/include/tests/Makefile.in b/lib/tests/include/tests/Makefile.in
index 505c9652..23ab1ac8 100644
--- a/lib/tests/include/tests/Makefile.in
+++ b/lib/tests/include/tests/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.6.2.1 2004/03/09 06:12:45 marka Exp $
+# $Id: Makefile.in,v 1.6.206.1 2004/03/06 08:15:47 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/tests/include/tests/t_api.h b/lib/tests/include/tests/t_api.h
index 4ac77739..6836db9d 100644
--- a/lib/tests/include/tests/t_api.h
+++ b/lib/tests/include/tests/t_api.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: t_api.h,v 1.14.2.2 2004/06/21 07:08:36 marka Exp $ */
+/* $Id: t_api.h,v 1.14.206.1 2004/03/06 08:15:47 marka Exp $ */
 
 #ifndef TESTS_T_API_H
 #define TESTS_T_API_H 1
@@ -37,7 +37,6 @@
 #define	T_UNRESOLVED	0x3
 #define	T_UNSUPPORTED	0x4
 #define	T_UNTESTED	0x5
-#define	T_THREADONLY	0x6
 
 /*
  *
diff --git a/lib/tests/t_api.c b/lib/tests/t_api.c
index 958b5c81..464b7f75 100644
--- a/lib/tests/t_api.c
+++ b/lib/tests/t_api.c
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
+ * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: t_api.c,v 1.48.2.6 2006/01/04 23:50:18 marka Exp $ */
+/* $Id: t_api.c,v 1.48.2.1.2.4 2004/03/08 09:05:13 marka Exp $ */
 
 #include <config.h>
 
@@ -253,7 +253,7 @@ main(int argc, char **argv) {
 	 * Output start stanza to journal.
 	 */
 
-	sprintf(T_buf, "%s:", argv[0]);
+	snprintf(T_buf, sizeof(T_buf), "%s:", argv[0]);
 	len = strlen(T_buf);
 	(void) t_getdate(T_buf + len, T_BIGBUF - len);
 	t_putinfo("S", T_buf);
@@ -334,7 +334,7 @@ main(int argc, char **argv) {
 		++tnum;
 	}
 
-	sprintf(T_buf, "%s:", argv[0]);
+	snprintf(T_buf, sizeof(T_buf), "%s:", argv[0]);
 	len = strlen(T_buf);
 	(void) t_getdate(T_buf + len, T_BIGBUF - len);
 	t_putinfo("E", T_buf);
@@ -353,7 +353,7 @@ t_assert(const char *component, int anum, int class, const char *what, ...) {
 	 * Format text to a buffer.
 	 */
 	va_start(args, what);
-	(void)vsprintf(T_buf, what, args);
+	(void)vsnprintf(T_buf, sizeof(T_buf), what, args);
 	va_end(args);
 
 	(void)t_putinfo("A", T_buf);
@@ -365,7 +365,7 @@ t_info(const char *format, ...) {
 	va_list	args;
 
 	va_start(args, format);
-	(void) vsprintf(T_buf, format, args);
+	(void) vsnprintf(T_buf, sizeof(T_buf), format, args);
 	va_end(args);
 	(void) t_putinfo("I", T_buf);
 }
@@ -390,9 +390,6 @@ t_result(int result) {
 		case T_UNTESTED:
 			p = "UNTESTED";
 			break;
-		case T_THREADONLY:
-			p = "THREADONLY";
-			break;
 		default:
 			p = "UNKNOWN";
 			break;
@@ -537,11 +534,7 @@ t_fgetbs(FILE *fp) {
 			}
 		}
 		*p = '\0';
-		if (c == EOF && n == 0U) {
-			free(buf);
-			return (NULL);
-		}
-		return (buf);
+		return(((c == EOF) && (n == 0U)) ? NULL : buf);
 	} else {
 		fprintf(stderr, "malloc failed %d", errno);
 		return(NULL);
@@ -595,8 +588,8 @@ struct dns_errormap {
 	{ ISC_R_RANGE,			"ISC_R_RANGE"		},
 	{ DNS_R_LABELTOOLONG,		"DNS_R_LABELTOOLONG"	},
 	{ DNS_R_BADESCAPE,		"DNS_R_BADESCAPE"	},
-	{ DNS_R_BADBITSTRING,		"DNS_R_BADBITSTRING"	},
-	{ DNS_R_BITSTRINGTOOLONG,	"DNS_R_BITSTRINGTOOLONG"},
+	/* { DNS_R_BADBITSTRING,	"DNS_R_BADBITSTRING"	}, */
+	/* { DNS_R_BITSTRINGTOOLONG,	"DNS_R_BITSTRINGTOOLONG"}, */
 	{ DNS_R_EMPTYLABEL,		"DNS_R_EMPTYLABEL"	},
 	{ DNS_R_BADDOTTEDQUAD,		"DNS_R_BADDOTTEDQUAD"	},
 	{ DNS_R_UNKNOWN,		"DNS_R_UNKNOWN"		},
@@ -748,10 +741,8 @@ t_eval(const char *filename, int (*func)(char **), int nargs) {
 			/*
 			 * Skip comment lines.
 			 */
-			if ((isspace((unsigned char)*p)) || (*p == '#')) {
-				(void)free(p);
+			if ((isspace((unsigned char)*p)) || (*p == '#'))
 				continue;
-			}
 
 			cnt = t_bustline(p, tokens);
 			if (cnt == nargs) {
diff --git a/lib/win32/bindevt/bindevt.c b/lib/win32/bindevt/bindevt.c
index 872051c5..eadea3f7 100644
--- a/lib/win32/bindevt/bindevt.c
+++ b/lib/win32/bindevt/bindevt.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: bindevt.c,v 1.2.2.1 2004/03/09 06:12:45 marka Exp $ */
+/* $Id: bindevt.c,v 1.2.206.1 2004/03/06 08:15:48 marka Exp $ */
 
 /*
  * bindevt.c : Defines the entry point for event log viewer DLL.
diff --git a/lib/win32/bindevt/bindevt.dsp b/lib/win32/bindevt/bindevt.dsp
index 6aafb193..4c9dc6b6 100644
--- a/lib/win32/bindevt/bindevt.dsp
+++ b/lib/win32/bindevt/bindevt.dsp
@@ -1,132 +1,132 @@
-# Microsoft Developer Studio Project File - Name="bindevt" - Package Owner=<4>

-# Microsoft Developer Studio Generated Build File, Format Version 6.00

-# ** DO NOT EDIT **

-

-# TARGTYPE "Win32 (x86) Dynamic-Link Library" 0x0102

-

-CFG=bindevt - Win32 Debug

-!MESSAGE This is not a valid makefile. To build this project using NMAKE,

-!MESSAGE use the Export Makefile command and run

-!MESSAGE 

-!MESSAGE NMAKE /f "bindevt.mak".

-!MESSAGE 

-!MESSAGE You can specify a configuration when running NMAKE

-!MESSAGE by defining the macro CFG on the command line. For example:

-!MESSAGE 

-!MESSAGE NMAKE /f "bindevt.mak" CFG="bindevt - Win32 Debug"

-!MESSAGE 

-!MESSAGE Possible choices for configuration are:

-!MESSAGE 

-!MESSAGE "bindevt - Win32 Release" (based on "Win32 (x86) Dynamic-Link Library")

-!MESSAGE "bindevt - Win32 Debug" (based on "Win32 (x86) Dynamic-Link Library")

-!MESSAGE 

-

-# Begin Project

-# PROP AllowPerConfigDependencies 0

-# PROP Scc_ProjName ""

-# PROP Scc_LocalPath ""

-CPP=cl.exe

-MTL=midl.exe

-RSC=rc.exe

-

-!IF  "$(CFG)" == "bindevt - Win32 Release"

-

-# PROP BASE Use_MFC 0

-# PROP BASE Use_Debug_Libraries 0

-# PROP BASE Output_Dir "Release"

-# PROP BASE Intermediate_Dir "Release"

-# PROP BASE Target_Dir ""

-# PROP Use_MFC 0

-# PROP Use_Debug_Libraries 0

-# PROP Output_Dir "Release"

-# PROP Intermediate_Dir "Release"

-# PROP Ignore_Export_Lib 1

-# PROP Target_Dir ""

-# ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "BINDEVT_EXPORTS" /Yu"stdafx.h" /FD /c

-# ADD CPP /nologo /MT /W3 /GX /O2 /I "..\include" /I "..\..\..\include" /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "BINDEVT_EXPORTS" /FD /c

-# SUBTRACT CPP /YX /Yc /Yu

-# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32

-# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32

-# ADD BASE RSC /l 0x409 /d "NDEBUG"

-# ADD RSC /l 0x409 /d "NDEBUG"

-BSC32=bscmake.exe

-# ADD BASE BSC32 /nologo

-# ADD BSC32 /nologo

-LINK32=link.exe

-# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386

-# ADD LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /pdb:none /machine:I386 /out:"..\..\..\Build\Release\bindevt.dll"

-

-!ELSEIF  "$(CFG)" == "bindevt - Win32 Debug"

-

-# PROP BASE Use_MFC 0

-# PROP BASE Use_Debug_Libraries 1

-# PROP BASE Output_Dir "Debug"

-# PROP BASE Intermediate_Dir "Debug"

-# PROP BASE Target_Dir ""

-# PROP Use_MFC 0

-# PROP Use_Debug_Libraries 1

-# PROP Output_Dir "Debug"

-# PROP Intermediate_Dir "Debug"

-# PROP Ignore_Export_Lib 1

-# PROP Target_Dir ""

-# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "BINDEVT_EXPORTS" /Yu"stdafx.h" /FD /GZ /c

-# ADD CPP /nologo /MTd /W3 /Gm /GX /Zi /Od /I "..\include" /I "..\..\..\include" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "BINDEVT_EXPORTS" /FR /FD /GZ /c

-# SUBTRACT CPP /YX /Yc /Yu

-# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32

-# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32

-# ADD BASE RSC /l 0x409 /d "_DEBUG"

-# ADD RSC /l 0x409 /d "_DEBUG"

-BSC32=bscmake.exe

-# ADD BASE BSC32 /nologo

-# ADD BSC32 /nologo

-LINK32=link.exe

-# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept

-# ADD LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /pdb:none /debug /machine:I386 /out:"..\..\..\Build\Debug\bindevt.dll"

-

-!ENDIF 

-

-# Begin Target

-

-# Name "bindevt - Win32 Release"

-# Name "bindevt - Win32 Debug"

-# Begin Source File

-

-SOURCE=.\bindevt.c

-# End Source File

-# Begin Source File

-

-SOURCE=.\bindevt.mc

-

-!IF  "$(CFG)" == "bindevt - Win32 Release"

-

-# Begin Custom Build

-TargetName=bindevt

-InputPath=.\bindevt.mc

-InputName=bindevt

-

-"$(TargetName).rc" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)"

-	mc $(InputName).mc

-

-# End Custom Build

-

-!ELSEIF  "$(CFG)" == "bindevt - Win32 Debug"

-

-# Begin Custom Build

-TargetName=bindevt

-InputPath=.\bindevt.mc

-InputName=bindevt

-

-"$(TargetName).rc" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)"

-	mc $(InputName).mc

-

-# End Custom Build

-

-!ENDIF 

-

-# End Source File

-# Begin Source File

-

-SOURCE=.\bindevt.rc

-# End Source File

-# End Target

-# End Project

+# Microsoft Developer Studio Project File - Name="bindevt" - Package Owner=<4>
+# Microsoft Developer Studio Generated Build File, Format Version 6.00
+# ** DO NOT EDIT **
+
+# TARGTYPE "Win32 (x86) Dynamic-Link Library" 0x0102
+
+CFG=bindevt - Win32 Debug
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,
+!MESSAGE use the Export Makefile command and run
+!MESSAGE 
+!MESSAGE NMAKE /f "bindevt.mak".
+!MESSAGE 
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "bindevt.mak" CFG="bindevt - Win32 Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "bindevt - Win32 Release" (based on "Win32 (x86) Dynamic-Link Library")
+!MESSAGE "bindevt - Win32 Debug" (based on "Win32 (x86) Dynamic-Link Library")
+!MESSAGE 
+
+# Begin Project
+# PROP AllowPerConfigDependencies 0
+# PROP Scc_ProjName ""
+# PROP Scc_LocalPath ""
+CPP=cl.exe
+MTL=midl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "bindevt - Win32 Release"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 0
+# PROP BASE Output_Dir "Release"
+# PROP BASE Intermediate_Dir "Release"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 0
+# PROP Output_Dir "Release"
+# PROP Intermediate_Dir "Release"
+# PROP Ignore_Export_Lib 1
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "BINDEVT_EXPORTS" /Yu"stdafx.h" /FD /c
+# ADD CPP /nologo /MT /W3 /GX /O2 /I "..\include" /I "..\..\..\include" /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "BINDEVT_EXPORTS" /FD /c
+# SUBTRACT CPP /YX /Yc /Yu
+# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32
+# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32
+# ADD BASE RSC /l 0x409 /d "NDEBUG"
+# ADD RSC /l 0x409 /d "NDEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386
+# ADD LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /pdb:none /machine:I386 /out:"..\..\..\Build\Release\bindevt.dll"
+
+!ELSEIF  "$(CFG)" == "bindevt - Win32 Debug"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 1
+# PROP BASE Output_Dir "Debug"
+# PROP BASE Intermediate_Dir "Debug"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 1
+# PROP Output_Dir "Debug"
+# PROP Intermediate_Dir "Debug"
+# PROP Ignore_Export_Lib 1
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "BINDEVT_EXPORTS" /Yu"stdafx.h" /FD /GZ /c
+# ADD CPP /nologo /MTd /W3 /Gm /GX /Zi /Od /I "..\include" /I "..\..\..\include" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "BINDEVT_EXPORTS" /FR /FD /GZ /c
+# SUBTRACT CPP /YX /Yc /Yu
+# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32
+# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32
+# ADD BASE RSC /l 0x409 /d "_DEBUG"
+# ADD RSC /l 0x409 /d "_DEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept
+# ADD LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /pdb:none /debug /machine:I386 /out:"..\..\..\Build\Debug\bindevt.dll"
+
+!ENDIF 
+
+# Begin Target
+
+# Name "bindevt - Win32 Release"
+# Name "bindevt - Win32 Debug"
+# Begin Source File
+
+SOURCE=.\bindevt.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\bindevt.mc
+
+!IF  "$(CFG)" == "bindevt - Win32 Release"
+
+# Begin Custom Build
+TargetName=bindevt
+InputPath=.\bindevt.mc
+InputName=bindevt
+
+"$(TargetName).rc" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)"
+	mc $(InputName).mc
+
+# End Custom Build
+
+!ELSEIF  "$(CFG)" == "bindevt - Win32 Debug"
+
+# Begin Custom Build
+TargetName=bindevt
+InputPath=.\bindevt.mc
+InputName=bindevt
+
+"$(TargetName).rc" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)"
+	mc $(InputName).mc
+
+# End Custom Build
+
+!ENDIF 
+
+# End Source File
+# Begin Source File
+
+SOURCE=.\bindevt.rc
+# End Source File
+# End Target
+# End Project
diff --git a/lib/win32/bindevt/bindevt.dsw b/lib/win32/bindevt/bindevt.dsw
index 7421804f..c9e02a01 100644
--- a/lib/win32/bindevt/bindevt.dsw
+++ b/lib/win32/bindevt/bindevt.dsw
@@ -1,29 +1,29 @@
-Microsoft Developer Studio Workspace File, Format Version 6.00

-# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!

-

-###############################################################################

-

-Project: "bindevt"=.\bindevt.dsp - Package Owner=<4>

-

-Package=<5>

-{{{

-}}}

-

-Package=<4>

-{{{

-}}}

-

-###############################################################################

-

-Global:

-

-Package=<5>

-{{{

-}}}

-

-Package=<3>

-{{{

-}}}

-

-###############################################################################

-

+Microsoft Developer Studio Workspace File, Format Version 6.00
+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!
+
+###############################################################################
+
+Project: "bindevt"=.\bindevt.dsp - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+}}}
+
+###############################################################################
+
+Global:
+
+Package=<5>
+{{{
+}}}
+
+Package=<3>
+{{{
+}}}
+
+###############################################################################
+
diff --git a/lib/win32/bindevt/bindevt.mak b/lib/win32/bindevt/bindevt.mak
index f0a4ea16..f6399227 100644
--- a/lib/win32/bindevt/bindevt.mak
+++ b/lib/win32/bindevt/bindevt.mak
@@ -1,310 +1,213 @@
-# Microsoft Developer Studio Generated NMAKE File, Based on bindevt.dsp

-!IF "$(CFG)" == ""

-CFG=bindevt - Win32 Debug

-!MESSAGE No configuration specified. Defaulting to bindevt - Win32 Debug.

-!ENDIF 

-

-!IF "$(CFG)" != "bindevt - Win32 Release" && "$(CFG)" != "bindevt - Win32 Debug"

-!MESSAGE Invalid configuration "$(CFG)" specified.

-!MESSAGE You can specify a configuration when running NMAKE

-!MESSAGE by defining the macro CFG on the command line. For example:

-!MESSAGE 

-!MESSAGE NMAKE /f "bindevt.mak" CFG="bindevt - Win32 Debug"

-!MESSAGE 

-!MESSAGE Possible choices for configuration are:

-!MESSAGE 

-!MESSAGE "bindevt - Win32 Release" (based on "Win32 (x86) Dynamic-Link Library")

-!MESSAGE "bindevt - Win32 Debug" (based on "Win32 (x86) Dynamic-Link Library")

-!MESSAGE 

-!ERROR An invalid configuration is specified.

-!ENDIF 

-

-!IF "$(OS)" == "Windows_NT"

-NULL=

-!ELSE 

-NULL=nul

-!ENDIF 

-

-CPP=cl.exe

-MTL=midl.exe

-RSC=rc.exe

-

-!IF  "$(CFG)" == "bindevt - Win32 Release"

-_VC_MANIFEST_INC=0

-_VC_MANIFEST_BASENAME=__VC80

-!ELSE

-_VC_MANIFEST_INC=1

-_VC_MANIFEST_BASENAME=__VC80.Debug

-!ENDIF

-

-####################################################

-# Specifying name of temporary resource file used only in incremental builds:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res

-!else

-_VC_MANIFEST_AUTO_RES=

-!endif

-

-####################################################

-# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-

-#MT_SPECIAL_RETURN=1090650113

-#MT_SPECIAL_SWITCH=-notify_resource_update

-MT_SPECIAL_RETURN=0

-MT_SPECIAL_SWITCH=

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \

-if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \

-rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \

-link $** /out:$@ $(LFLAGS)

-

-!else

-

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1

-

-!endif

-

-####################################################

-# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-

-#MT_SPECIAL_RETURN=1090650113

-#MT_SPECIAL_SWITCH=-notify_resource_update

-MT_SPECIAL_RETURN=0

-MT_SPECIAL_SWITCH=

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \

-if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \

-rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \

-link $** /out:$@ $(LFLAGS)

-

-!else

-

-_VC_MANIFEST_EMBED_EXE= \

-if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2

-

-!endif

-####################################################

-# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:

-

-!if "$(_VC_MANIFEST_INC)" == "1"

-

-_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \

-    $(_VC_MANIFEST_BASENAME).auto.rc \

-    $(_VC_MANIFEST_BASENAME).auto.manifest

-

-!else

-

-_VC_MANIFEST_CLEAN=

-

-!endif

-

-!IF  "$(CFG)" == "bindevt - Win32 Release"

-

-OUTDIR=.\Release

-INTDIR=.\Release

-

-ALL : "..\..\..\Build\Release\bindevt.dll"

-

-

-CLEAN :

-	-@erase "$(INTDIR)\bindevt.obj"

-	-@erase "$(INTDIR)\bindevt.res"

-	-@erase "$(INTDIR)\vc60.idb"

-	-@erase "$(OUTDIR)\bindevt.exp"

-	-@erase "..\..\..\Build\Release\bindevt.dll"

-	-@$(_VC_MANIFEST_CLEAN)

-

-"$(OUTDIR)" :

-    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"

-

-CPP_PROJ=/nologo /MT /W3 /GX /O2 /I "..\include" /I "..\..\..\include" /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "BINDEVT_EXPORTS" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 

-MTL_PROJ=/nologo /D "NDEBUG" /mktyplib203 /win32 

-RSC_PROJ=/l 0x409 /fo"$(INTDIR)\bindevt.res" /d "NDEBUG" 

-BSC32=bscmake.exe

-BSC32_FLAGS=/nologo /o"$(OUTDIR)\bindevt.bsc" 

-BSC32_SBRS= \

-	

-LINK32=link.exe

-LINK32_FLAGS=kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /pdb:none /machine:I386 /out:"..\..\..\Build\Release\bindevt.dll" /implib:"$(OUTDIR)\bindevt.lib" 

-LINK32_OBJS= \

-	"$(INTDIR)\bindevt.obj" \

-	"$(INTDIR)\bindevt.res"

-

-"..\..\..\Build\Release\bindevt.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)

-    $(LINK32) @<<

-  $(LINK32_FLAGS) $(LINK32_OBJS)

-<<

-  $(_VC_MANIFEST_EMBED_DLL)

-

-!ELSEIF  "$(CFG)" == "bindevt - Win32 Debug"

-

-OUTDIR=.\Debug

-INTDIR=.\Debug

-# Begin Custom Macros

-OutDir=.\Debug

-# End Custom Macros

-

-ALL : "..\..\..\Build\Debug\bindevt.dll" "$(OUTDIR)\bindevt.bsc"

-

-

-CLEAN :

-	-@erase "$(INTDIR)\bindevt.obj"

-	-@erase "$(INTDIR)\bindevt.res"

-	-@erase "$(INTDIR)\bindevt.sbr"

-	-@erase "$(INTDIR)\vc60.idb"

-	-@erase "$(INTDIR)\vc60.pdb"

-	-@erase "$(OUTDIR)\bindevt.bsc"

-	-@erase "$(OUTDIR)\bindevt.exp"

-	-@erase "..\..\..\Build\Debug\bindevt.dll"

-	-@$(_VC_MANIFEST_CLEAN)

-

-"$(OUTDIR)" :

-    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"

-

-CPP_PROJ=/nologo /MTd /W3 /Gm /GX /Zi /Od /I "..\include" /I "..\..\..\include" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "BINDEVT_EXPORTS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 

-MTL_PROJ=/nologo /D "_DEBUG" /mktyplib203 /win32 

-RSC_PROJ=/l 0x409 /fo"$(INTDIR)\bindevt.res" /d "_DEBUG" 

-BSC32=bscmake.exe

-BSC32_FLAGS=/nologo /o"$(OUTDIR)\bindevt.bsc" 

-BSC32_SBRS= \

-	"$(INTDIR)\bindevt.sbr"

-

-"$(OUTDIR)\bindevt.bsc" : "$(OUTDIR)" $(BSC32_SBRS)

-    $(BSC32) @<<

-  $(BSC32_FLAGS) $(BSC32_SBRS)

-<<

-

-LINK32=link.exe

-LINK32_FLAGS=kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /pdb:none /debug /machine:I386 /out:"..\..\..\Build\Debug\bindevt.dll" /implib:"$(OUTDIR)\bindevt.lib" 

-LINK32_OBJS= \

-	"$(INTDIR)\bindevt.obj" \

-	"$(INTDIR)\bindevt.res"

-

-"..\..\..\Build\Debug\bindevt.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)

-    $(LINK32) @<<

-  $(LINK32_FLAGS) $(LINK32_OBJS)

-<<

-  $(_VC_MANIFEST_EMBED_DLL)

-

-!ENDIF 

-

-.c{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.obj::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.c{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cpp{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-.cxx{$(INTDIR)}.sbr::

-   $(CPP) @<<

-   $(CPP_PROJ) $< 

-<<

-

-

-!IF "$(NO_EXTERNAL_DEPS)" != "1"

-!IF EXISTS("bindevt.dep")

-!INCLUDE "bindevt.dep"

-!ELSE 

-!MESSAGE Warning: cannot find "bindevt.dep"

-!ENDIF 

-!ENDIF 

-

-

-!IF "$(CFG)" == "bindevt - Win32 Release" || "$(CFG)" == "bindevt - Win32 Debug"

-SOURCE=.\bindevt.c

-

-!IF  "$(CFG)" == "bindevt - Win32 Release"

-

-

-"$(INTDIR)\bindevt.obj" : $(SOURCE) "$(INTDIR)"

-

-

-!ELSEIF  "$(CFG)" == "bindevt - Win32 Debug"

-

-

-"$(INTDIR)\bindevt.obj"	"$(INTDIR)\bindevt.sbr" : $(SOURCE) "$(INTDIR)"

-

-

-!ENDIF 

-

-SOURCE=.\bindevt.mc

-

-!IF  "$(CFG)" == "bindevt - Win32 Release"

-

-TargetName=bindevt

-InputPath=.\bindevt.mc

-InputName=bindevt

-

-".\bindevt.rc" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)"

-	<<tempfile.bat 

-	@echo off 

-	mc $(InputName).mc

-<< 

-	

-

-!ELSEIF  "$(CFG)" == "bindevt - Win32 Debug"

-

-TargetName=bindevt

-InputPath=.\bindevt.mc

-InputName=bindevt

-

-".\bindevt.rc" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)"

-	<<tempfile.bat 

-	@echo off 

-	mc $(InputName).mc

-<< 

-	

-

-!ENDIF 

-

-SOURCE=.\bindevt.rc

-

-"$(INTDIR)\bindevt.res" : $(SOURCE) "$(INTDIR)"

-	$(RSC) $(RSC_PROJ) $(SOURCE)

-

-

-

-!ENDIF 

-

-####################################################

-# Commands to generate initial empty manifest file and the RC file

-# that references it, and for generating the .res file:

-

-$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc

-

-$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest

-    type <<$@

-#include <winuser.h>

-1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"

-<< KEEP

-

-$(_VC_MANIFEST_BASENAME).auto.manifest :

-    type <<$@

-<?xml version='1.0' encoding='UTF-8' standalone='yes'?>

-<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>

-</assembly>

-<< KEEP

+# Microsoft Developer Studio Generated NMAKE File, Based on bindevt.dsp
+!IF "$(CFG)" == ""
+CFG=bindevt - Win32 Debug
+!MESSAGE No configuration specified. Defaulting to bindevt - Win32 Debug.
+!ENDIF 
+
+!IF "$(CFG)" != "bindevt - Win32 Release" && "$(CFG)" != "bindevt - Win32 Debug"
+!MESSAGE Invalid configuration "$(CFG)" specified.
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "bindevt.mak" CFG="bindevt - Win32 Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "bindevt - Win32 Release" (based on "Win32 (x86) Dynamic-Link Library")
+!MESSAGE "bindevt - Win32 Debug" (based on "Win32 (x86) Dynamic-Link Library")
+!MESSAGE 
+!ERROR An invalid configuration is specified.
+!ENDIF 
+
+!IF "$(OS)" == "Windows_NT"
+NULL=
+!ELSE 
+NULL=nul
+!ENDIF 
+
+CPP=cl.exe
+MTL=midl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "bindevt - Win32 Release"
+
+OUTDIR=.\Release
+INTDIR=.\Release
+
+ALL : "..\..\..\Build\Release\bindevt.dll"
+
+
+CLEAN :
+	-@erase "$(INTDIR)\bindevt.obj"
+	-@erase "$(INTDIR)\bindevt.res"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "$(OUTDIR)\bindevt.exp"
+	-@erase "..\..\..\Build\Release\bindevt.dll"
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP_PROJ=/nologo /MT /W3 /GX /O2 /I "..\include" /I "..\..\..\include" /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "BINDEVT_EXPORTS" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+MTL_PROJ=/nologo /D "NDEBUG" /mktyplib203 /win32 
+RSC_PROJ=/l 0x409 /fo"$(INTDIR)\bindevt.res" /d "NDEBUG" 
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\bindevt.bsc" 
+BSC32_SBRS= \
+	
+LINK32=link.exe
+LINK32_FLAGS=kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /pdb:none /machine:I386 /out:"..\..\..\Build\Release\bindevt.dll" /implib:"$(OUTDIR)\bindevt.lib" 
+LINK32_OBJS= \
+	"$(INTDIR)\bindevt.obj" \
+	"$(INTDIR)\bindevt.res"
+
+"..\..\..\Build\Release\bindevt.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+
+!ELSEIF  "$(CFG)" == "bindevt - Win32 Debug"
+
+OUTDIR=.\Debug
+INTDIR=.\Debug
+# Begin Custom Macros
+OutDir=.\Debug
+# End Custom Macros
+
+ALL : "..\..\..\Build\Debug\bindevt.dll" "$(OUTDIR)\bindevt.bsc"
+
+
+CLEAN :
+	-@erase "$(INTDIR)\bindevt.obj"
+	-@erase "$(INTDIR)\bindevt.res"
+	-@erase "$(INTDIR)\bindevt.sbr"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "$(INTDIR)\vc60.pdb"
+	-@erase "$(OUTDIR)\bindevt.bsc"
+	-@erase "$(OUTDIR)\bindevt.exp"
+	-@erase "..\..\..\Build\Debug\bindevt.dll"
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP_PROJ=/nologo /MTd /W3 /Gm /GX /Zi /Od /I "..\include" /I "..\..\..\include" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "BINDEVT_EXPORTS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+MTL_PROJ=/nologo /D "_DEBUG" /mktyplib203 /win32 
+RSC_PROJ=/l 0x409 /fo"$(INTDIR)\bindevt.res" /d "_DEBUG" 
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\bindevt.bsc" 
+BSC32_SBRS= \
+	"$(INTDIR)\bindevt.sbr"
+
+"$(OUTDIR)\bindevt.bsc" : "$(OUTDIR)" $(BSC32_SBRS)
+    $(BSC32) @<<
+  $(BSC32_FLAGS) $(BSC32_SBRS)
+<<
+
+LINK32=link.exe
+LINK32_FLAGS=kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /pdb:none /debug /machine:I386 /out:"..\..\..\Build\Debug\bindevt.dll" /implib:"$(OUTDIR)\bindevt.lib" 
+LINK32_OBJS= \
+	"$(INTDIR)\bindevt.obj" \
+	"$(INTDIR)\bindevt.res"
+
+"..\..\..\Build\Debug\bindevt.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+
+!ENDIF 
+
+.c{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+
+!IF "$(NO_EXTERNAL_DEPS)" != "1"
+!IF EXISTS("bindevt.dep")
+!INCLUDE "bindevt.dep"
+!ELSE 
+!MESSAGE Warning: cannot find "bindevt.dep"
+!ENDIF 
+!ENDIF 
+
+
+!IF "$(CFG)" == "bindevt - Win32 Release" || "$(CFG)" == "bindevt - Win32 Debug"
+SOURCE=.\bindevt.c
+
+!IF  "$(CFG)" == "bindevt - Win32 Release"
+
+
+"$(INTDIR)\bindevt.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "bindevt - Win32 Debug"
+
+
+"$(INTDIR)\bindevt.obj"	"$(INTDIR)\bindevt.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF 
+
+SOURCE=.\bindevt.mc
+
+!IF  "$(CFG)" == "bindevt - Win32 Release"
+
+TargetName=bindevt
+InputPath=.\bindevt.mc
+InputName=bindevt
+
+".\bindevt.rc" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)"
+	<<tempfile.bat 
+	@echo off 
+	mc $(InputName).mc
+<< 
+	
+
+!ELSEIF  "$(CFG)" == "bindevt - Win32 Debug"
+
+TargetName=bindevt
+InputPath=.\bindevt.mc
+InputName=bindevt
+
+".\bindevt.rc" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)"
+	<<tempfile.bat 
+	@echo off 
+	mc $(InputName).mc
+<< 
+	
+
+!ENDIF 
+
+SOURCE=.\bindevt.rc
+
+"$(INTDIR)\bindevt.res" : $(SOURCE) "$(INTDIR)"
+	$(RSC) $(RSC_PROJ) $(SOURCE)
+
+
+
+!ENDIF 
+
diff --git a/lib/win32/bindevt/bindevt.mc b/lib/win32/bindevt/bindevt.mc
index c67a189c..13868c75 100644
--- a/lib/win32/bindevt/bindevt.mc
+++ b/lib/win32/bindevt/bindevt.mc
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: bindevt.mc,v 1.1.2.1 2004/03/15 04:45:05 marka Exp $
+; $Id: bindevt.mc,v 1.1.206.1 2004/03/15 01:02:55 marka Exp $
 
 MessageIdTypedef=DWORD
 
diff --git a/libtool.m4 b/libtool.m4
index 551ffd0d..bbcc5f25 100644
--- a/libtool.m4
+++ b/libtool.m4
@@ -1,5 +1,5 @@
 # libtool.m4 - Configure libtool for the host system. -*-Autoconf-*-
-## Copyright 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004
+## Copyright 1996, 1997, 1998, 1999, 2000, 2001
 ## Free Software Foundation, Inc.
 ## Originally by Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996
 ##
@@ -200,8 +200,6 @@ if test -n "$RANLIB"; then
   old_archive_cmds="$old_archive_cmds~\$RANLIB \$oldlib"
 fi
 
-cc_basename=`$echo X"$compiler" | $Xsed -e 's%^.*/%%'`
-
 # Only perform the check for file, if the check method requires it
 case $deplibs_check_method in
 file_magic*)
@@ -319,7 +317,7 @@ fi
 
 # The HP-UX ksh and POSIX shell print the target directory to stdout
 # if CDPATH is set.
-(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
+if test "X${CDPATH+set}" = Xset; then CDPATH=:; export CDPATH; fi
 
 if test -z "$ECHO"; then
 if test "X${echo_test_string+set}" != Xset; then
@@ -643,7 +641,7 @@ AC_DEFUN([AC_LIBTOOL_SYS_MAX_CMD_LEN],
 AC_MSG_CHECKING([the maximum length of command line arguments])
 AC_CACHE_VAL([lt_cv_sys_max_cmd_len], [dnl
   i=0
-  teststring="ABCD"
+  testring="ABCD"
 
   case $build_os in
   msdosdjgpp*)
@@ -678,34 +676,20 @@ AC_CACHE_VAL([lt_cv_sys_max_cmd_len], [dnl
     lt_cv_sys_max_cmd_len=8192;
     ;;
 
-  netbsd* | freebsd* | openbsd* | darwin* )
-    # This has been around since 386BSD, at least.  Likely further.
-    if test -x /sbin/sysctl; then
-      lt_cv_sys_max_cmd_len=`/sbin/sysctl -n kern.argmax`
-    elif test -x /usr/sbin/sysctl; then
-      lt_cv_sys_max_cmd_len=`/usr/sbin/sysctl -n kern.argmax`
-    else
-      lt_cv_sys_max_cmd_len=65536 # usable default for *BSD
-    fi
-    # And add a safety zone
-    lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4`
-    ;;
-
  *)
     # If test is not a shell built-in, we'll probably end up computing a
     # maximum length that is only half of the actual maximum length, but
     # we can't tell.
-    SHELL=${SHELL-${CONFIG_SHELL-/bin/sh}}
-    while (test "X"`$SHELL [$]0 --fallback-echo "X$teststring" 2>/dev/null` \
-	       = "XX$teststring") >/dev/null 2>&1 &&
-	    new_result=`expr "X$teststring" : ".*" 2>&1` &&
+    while (test "X"`$CONFIG_SHELL [$]0 --fallback-echo "X$testring" 2>/dev/null` \
+	       = "XX$testring") >/dev/null 2>&1 &&
+	    new_result=`expr "X$testring" : ".*" 2>&1` &&
 	    lt_cv_sys_max_cmd_len=$new_result &&
 	    test $i != 17 # 1/2 MB should be enough
     do
       i=`expr $i + 1`
-      teststring=$teststring$teststring
+      testring=$testring$testring
     done
-    teststring=
+    testring=
     # Add a significant safety factor because C++ compilers can tack on massive
     # amounts of additional arguments before passing them to the linker.
     # It appears as though 1/2 is a usable value.
@@ -1030,8 +1014,8 @@ AC_DEFUN([AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH],
 [AC_MSG_CHECKING([how to hardcode library paths into programs])
 _LT_AC_TAGVAR(hardcode_action, $1)=
 if test -n "$_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)" || \
-   test -n "$_LT_AC_TAGVAR(runpath_var, $1)" || \
-   test "X$_LT_AC_TAGVAR(hardcode_automatic, $1)" = "Xyes" ; then
+   test -n "$_LT_AC_TAGVAR(runpath_var $1)" || \
+   test "X$_LT_AC_TAGVAR(hardcode_automatic, $1)"="Xyes" ; then
 
   # We can hardcode non-existant directories.
   if test "$_LT_AC_TAGVAR(hardcode_direct, $1)" != no &&
@@ -1101,7 +1085,7 @@ AC_DEFUN([AC_LIBTOOL_SYS_DYNAMIC_LINKER],
 library_names_spec=
 libname_spec='lib$name'
 soname_spec=
-shrext_cmds=".so"
+shrext=".so"
 postinstall_cmds=
 postuninstall_cmds=
 finish_cmds=
@@ -1198,7 +1182,7 @@ beos*)
   shlibpath_var=LIBRARY_PATH
   ;;
 
-bsdi[[45]]*)
+bsdi4*)
   version_type=linux
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
@@ -1214,7 +1198,7 @@ bsdi[[45]]*)
 
 cygwin* | mingw* | pw32*)
   version_type=windows
-  shrext_cmds=".dll"
+  shrext=".dll"
   need_version=no
   need_lib_prefix=no
 
@@ -1279,7 +1263,7 @@ darwin* | rhapsody*)
   soname_spec='${libname}${release}${major}$shared_ext'
   shlibpath_overrides_runpath=yes
   shlibpath_var=DYLD_LIBRARY_PATH
-  shrext_cmds='$(test .$module = .yes && echo .so || echo .dylib)'
+  shrext='$(test .$module = .yes && echo .so || echo .dylib)'
   # Apple's gcc prints 'gcc -print-search-dirs' doesn't operate the same.
   if test "$GCC" = yes; then
     sys_lib_search_path_spec=`$CC -print-search-dirs | tr "\n" "$PATH_SEPARATOR" | sed -e 's/libraries:/@libraries:/' | tr "@" "\n" | grep "^libraries:" | sed -e "s/^libraries://" -e "s,=/,/,g" -e "s,$PATH_SEPARATOR, ,g" -e "s,.*,& /lib /usr/lib /usr/local/lib,g"`
@@ -1362,7 +1346,7 @@ hpux9* | hpux10* | hpux11*)
   need_version=no
   case "$host_cpu" in
   ia64*)
-    shrext_cmds='.so'
+    shrext='.so'
     hardcode_into_libs=yes
     dynamic_linker="$host_os dld.so"
     shlibpath_var=LD_LIBRARY_PATH
@@ -1377,7 +1361,7 @@ hpux9* | hpux10* | hpux11*)
     sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
     ;;
    hppa*64*)
-     shrext_cmds='.sl'
+     shrext='.sl'
      hardcode_into_libs=yes
      dynamic_linker="$host_os dld.sl"
      shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
@@ -1388,7 +1372,7 @@ hpux9* | hpux10* | hpux11*)
      sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
      ;;
    *)
-    shrext_cmds='.sl'
+    shrext='.sl'
     dynamic_linker="$host_os dld.sl"
     shlibpath_var=SHLIB_PATH
     shlibpath_overrides_runpath=no # +s is required to enable SHLIB_PATH
@@ -1459,8 +1443,8 @@ linux*)
 
   # Append ld.so.conf contents to the search path
   if test -f /etc/ld.so.conf; then
-    lt_ld_extra=`$SED -e 's/[:,\t]/ /g;s/=[^=]*$//;s/=[^= ]* / /g' /etc/ld.so.conf | tr '\n' ' '`
-    sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
+    ld_extra=`$SED -e 's/[:,\t]/ /g;s/=[^=]*$//;s/=[^= ]* / /g' /etc/ld.so.conf`
+    sys_lib_dlsearch_path_spec="/lib /usr/lib $ld_extra"
   fi
 
   # We used to test for /lib/ld.so.1 and disable shared libraries on
@@ -1522,7 +1506,7 @@ nto-qnx*)
 openbsd*)
   version_type=sunos
   need_lib_prefix=no
-  need_version=no
+  need_version=yes
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
   finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
   shlibpath_var=LD_LIBRARY_PATH
@@ -1542,7 +1526,7 @@ openbsd*)
 
 os2*)
   libname_spec='$name'
-  shrext_cmds=".dll"
+  shrext=".dll"
   need_lib_prefix=no
   library_names_spec='$libname${shared_ext} $libname.a'
   dynamic_linker='OS/2 ld.exe'
@@ -1688,9 +1672,7 @@ if test -f "$ltmain" && test -n "$tagnames"; then
 
       case $tagname in
       CXX)
-	if test -n "$CXX" && ( test "X$CXX" != "Xno" &&
-	    ( (test "X$CXX" = "Xg++" && `g++ -v >/dev/null 2>&1` ) || 
-	    (test "X$CXX" != "Xg++"))) ; then
+	if test -n "$CXX" && test "X$CXX" != "Xno"; then
 	  AC_LIBTOOL_LANG_CXX_CONFIG
 	else
 	  tagname=""
@@ -2095,15 +2077,6 @@ case $reload_flag in
 *) reload_flag=" $reload_flag" ;;
 esac
 reload_cmds='$LD$reload_flag -o $output$reload_objs'
-case $host_os in
-  darwin*)
-    if test "$GCC" = yes; then
-      reload_cmds='$CC -nostdlib ${wl}-r -o $output$reload_objs'
-    else
-      reload_cmds='$LD$reload_flag -o $output$reload_objs'
-    fi
-    ;;
-esac
 ])# AC_PROG_LD_RELOAD_FLAG
 
 
@@ -2137,21 +2110,21 @@ beos*)
   lt_cv_deplibs_check_method=pass_all
   ;;
 
-bsdi[[45]]*)
+bsdi4*)
   lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[ML]]SB (shared object|dynamic lib)'
   lt_cv_file_magic_cmd='/usr/bin/file -L'
   lt_cv_file_magic_test_file=/shlib/libc.so
   ;;
 
 cygwin*)
-  # func_win32_libid is a shell function defined in ltmain.sh
+  # win32_libid is a shell function defined in ltmain.sh
   lt_cv_deplibs_check_method='file_magic ^x86 archive import|^x86 DLL'
-  lt_cv_file_magic_cmd='func_win32_libid'
+  lt_cv_file_magic_cmd='win32_libid'
   ;;
 
 mingw* | pw32*)
   # Base MSYS/MinGW do not provide the 'file' command needed by
-  # func_win32_libid shell function, so use a weaker test based on 'objdump'.
+  # win32_libid shell function, so use a weaker test based on 'objdump'.
   lt_cv_deplibs_check_method='file_magic file format pei*-i386(.*architecture: i386)?'
   lt_cv_file_magic_cmd='$OBJDUMP -f'
   ;;
@@ -2210,6 +2183,15 @@ irix5* | irix6* | nonstopux*)
 
 # This must be Linux ELF.
 linux*)
+  case $host_cpu in
+  alpha*|hppa*|i*86|ia64*|m68*|mips*|powerpc*|sparc*|s390*|sh*)
+    lt_cv_deplibs_check_method=pass_all ;;
+  *)
+    # glibc up to 2.1.1 does not perform some relocations on ARM
+    # this will be overridden with pass_all, but let us keep it just in case
+    lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[LM]]SB (shared object|dynamic lib )' ;;
+  esac
+  lt_cv_file_magic_test_file=`echo /lib/libc.so* /lib/libc-*.so`
   lt_cv_deplibs_check_method=pass_all
   ;;
 
@@ -2232,10 +2214,12 @@ nto-qnx*)
   ;;
 
 openbsd*)
+  lt_cv_file_magic_cmd=/usr/bin/file
+  lt_cv_file_magic_test_file=`echo /usr/lib/libc.so.*`
   if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
-    lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so\.[[0-9]]+\.[[0-9]]+|\.so|_pic\.a)$'
+    lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[LM]]SB shared object'
   else
-    lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so\.[[0-9]]+\.[[0-9]]+|_pic\.a)$'
+    lt_cv_deplibs_check_method='file_magic OpenBSD.* shared library'
   fi
   ;;
 
@@ -2425,21 +2409,10 @@ AC_DEFUN([AC_LIBTOOL_CXX],
 # ---------------
 AC_DEFUN([_LT_AC_LANG_CXX],
 [AC_REQUIRE([AC_PROG_CXX])
-AC_REQUIRE([_LT_AC_PROG_CXXCPP])
+AC_REQUIRE([AC_PROG_CXXCPP])
 _LT_AC_SHELL_INIT([tagnames=${tagnames+${tagnames},}CXX])
 ])# _LT_AC_LANG_CXX
 
-# _LT_AC_PROG_CXXCPP
-# ---------------
-AC_DEFUN([_LT_AC_PROG_CXXCPP],
-[
-AC_REQUIRE([AC_PROG_CXX])
-if test -n "$CXX" && ( test "X$CXX" != "Xno" &&
-    ( (test "X$CXX" = "Xg++" && `g++ -v >/dev/null 2>&1` ) || 
-    (test "X$CXX" != "Xg++"))) ; then
-  AC_PROG_CXXCPP
-fi
-])# _LT_AC_PROG_CXXCPP
 
 # AC_LIBTOOL_F77
 # --------------
@@ -2557,7 +2530,7 @@ AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH($1)
 AC_LIBTOOL_SYS_LIB_STRIP
 AC_LIBTOOL_DLOPEN_SELF($1)
 
-# Report which libraries types will actually be built
+# Report which librarie types wil actually be built
 AC_MSG_CHECKING([if libtool supports shared libraries])
 AC_MSG_RESULT([$can_build_shared])
 
@@ -2575,10 +2548,47 @@ aix3*)
   fi
   ;;
 
-aix4* | aix5*)
+aix4*)
   if test "$host_cpu" != ia64 && test "$aix_use_runtimelinking" = no ; then
     test "$enable_shared" = yes && enable_static=no
   fi
+  ;;
+  darwin* | rhapsody*)
+  if test "$GCC" = yes; then
+    _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
+    case "$host_os" in
+    rhapsody* | darwin1.[[012]])
+      _LT_AC_TAGVAR(allow_undefined_flag, $1)='-undefined suppress'
+      ;;
+    *) # Darwin 1.3 on
+      if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
+      	_LT_AC_TAGVAR(allow_undefined_flag, $1)='-flat_namespace -undefined suppress'
+      else
+        case ${MACOSX_DEPLOYMENT_TARGET} in
+          10.[[012]])
+            _LT_AC_TAGVAR(allow_undefined_flag, $1)='-flat_namespace -undefined suppress'
+            ;;
+          10.*)
+            _LT_AC_TAGVAR(allow_undefined_flag, $1)='-undefined dynamic_lookup'
+            ;;
+        esac
+      fi
+      ;;
+    esac
+    output_verbose_link_cmd='echo'
+    _LT_AC_TAGVAR(archive_cmds, $1)='$CC -dynamiclib $allow_undefined_flag -o $lib $libobjs $deplibs$compiler_flags -install_name $rpath/$soname $verstring'
+    _LT_AC_TAGVAR(module_cmds, $1)='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
+    # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
+    _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib $allow_undefined_flag  -o $lib $libobjs $deplibs$compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+    _LT_AC_TAGVAR(module_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+    _LT_AC_TAGVAR(hardcode_direct, $1)=no
+    _LT_AC_TAGVAR(hardcode_automatic, $1)=yes
+    _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
+    _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='-all_load $convenience'
+    _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
+  else
+    _LT_AC_TAGVAR(ld_shlibs, $1)=no
+  fi
     ;;
 esac
 AC_MSG_RESULT([$enable_shared])
@@ -2604,7 +2614,7 @@ AC_DEFUN([AC_LIBTOOL_LANG_CXX_CONFIG], [_LT_AC_LANG_CXX_CONFIG(CXX)])
 AC_DEFUN([_LT_AC_LANG_CXX_CONFIG],
 [AC_LANG_PUSH(C++)
 AC_REQUIRE([AC_PROG_CXX])
-AC_REQUIRE([_LT_AC_PROG_CXXCPP])
+AC_REQUIRE([AC_PROG_CXXCPP])
 
 _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
 _LT_AC_TAGVAR(allow_undefined_flag, $1)=
@@ -2856,7 +2866,6 @@ case $host_os in
     esac
     ;;
 
-
   cygwin* | mingw* | pw32*)
     # _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1) is actually meaningless,
     # as there is no search path for DLLs.
@@ -2880,68 +2889,57 @@ case $host_os in
       _LT_AC_TAGVAR(ld_shlibs, $1)=no
     fi
   ;;
-      darwin* | rhapsody*)
-        case "$host_os" in
-        rhapsody* | darwin1.[[012]])
-         _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-undefined ${wl}suppress'
-         ;;
-       *) # Darwin 1.3 on
-         if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
-           _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
-         else
-           case ${MACOSX_DEPLOYMENT_TARGET} in
-             10.[[012]])
-               _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
-               ;;
-             10.*)
-               _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-undefined ${wl}dynamic_lookup'
-               ;;
-           esac
-         fi
-         ;;
-        esac
-      _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
-      _LT_AC_TAGVAR(hardcode_direct, $1)=no
-      _LT_AC_TAGVAR(hardcode_automatic, $1)=yes
-      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
-      _LT_AC_TAGVAR(whole_archive_flag_spec, $1)=''
-      _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
 
-    if test "$GXX" = yes ; then
-      lt_int_apple_cc_single_mod=no
-      output_verbose_link_cmd='echo'
-      if $CC -dumpspecs 2>&1 | $EGREP 'single_module' >/dev/null ; then
-       lt_int_apple_cc_single_mod=yes
-      fi
-      if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
-       _LT_AC_TAGVAR(archive_cmds, $1)='$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
-      else
-          _LT_AC_TAGVAR(archive_cmds, $1)='$CC -r -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
-        fi
-        _LT_AC_TAGVAR(module_cmds, $1)='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
-        # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
-          if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
-            _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-          else
-            _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -r -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-          fi
-            _LT_AC_TAGVAR(module_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+  darwin* | rhapsody*)
+  if test "$GXX" = yes; then
+    _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
+    case "$host_os" in
+    rhapsody* | darwin1.[[012]])
+      _LT_AC_TAGVAR(allow_undefined_flag, $1)='-undefined suppress'
+      ;;
+    *) # Darwin 1.3 on
+      if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
+      	_LT_AC_TAGVAR(allow_undefined_flag, $1)='-flat_namespace -undefined suppress'
       else
-      case "$cc_basename" in
-        xlc*)
-         output_verbose_link_cmd='echo'
-          _LT_AC_TAGVAR(archive_cmds, $1)='$CC -qmkshrobj ${wl}-single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}`echo $rpath/$soname` $verstring'
-          _LT_AC_TAGVAR(module_cmds, $1)='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
-          # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
-          _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj ${wl}-single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-          _LT_AC_TAGVAR(module_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-          ;;
-       *)
-         _LT_AC_TAGVAR(ld_shlibs, $1)=no
-          ;;
-      esac
+        case ${MACOSX_DEPLOYMENT_TARGET} in
+          10.[[012]])
+            _LT_AC_TAGVAR(allow_undefined_flag, $1)='-flat_namespace -undefined suppress'
+            ;;
+          10.*)
+            _LT_AC_TAGVAR(allow_undefined_flag, $1)='-undefined dynamic_lookup'
+            ;;
+        esac
       fi
-        ;;
+      ;;
+    esac
+    lt_int_apple_cc_single_mod=no
+    output_verbose_link_cmd='echo'
+    if $CC -dumpspecs 2>&1 | grep 'single_module' >/dev/null ; then
+      lt_int_apple_cc_single_mod=yes
+    fi
+    if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
+      _LT_AC_TAGVAR(archive_cmds, $1)='$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
+    else
+      _LT_AC_TAGVAR(archive_cmds, $1)='$CC -r ${wl}-bind_at_load -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
+    fi
+    _LT_AC_TAGVAR(module_cmds, $1)='$CC ${wl}-bind_at_load $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
+
+    # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
+    if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
+      _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+    else
+      _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -r ${wl}-bind_at_load -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+    fi
+    _LT_AC_TAGVAR(module_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+    _LT_AC_TAGVAR(hardcode_direct, $1)=no
+    _LT_AC_TAGVAR(hardcode_automatic, $1)=yes
+    _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
+    _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='-all_load $convenience'
+    _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
+  else
+    _LT_AC_TAGVAR(ld_shlibs, $1)=no
+  fi
+    ;;
 
   dgux*)
     case $cc_basename in
@@ -2998,7 +2996,7 @@ case $host_os in
       # explicitly linking system object files so we need to strip them
       # from the output so that they don't get included in the library
       # dependencies.
-      output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | grep "[-]L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
+      output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | egrep "\-L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
       ;;
     *)
       if test "$GXX" = yes; then
@@ -3147,20 +3145,9 @@ case $host_os in
       icpc)
 	# Intel C++
 	with_gnu_ld=yes
-	# version 8.0 and above of icpc choke on multiply defined symbols
-	# if we add $predep_objects and $postdep_objects, however 7.1 and
-	# earlier do not add the objects themselves.
-	case `$CC -V 2>&1` in
-	*"Version 7."*)
-  	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
-  	  _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
-	  ;;
-	*)  # Version 8.0 or newer
-  	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-  	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
-	  ;;
-	esac
 	_LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
+	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
 	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
 	_LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
 	_LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive$convenience ${wl}--no-whole-archive'
@@ -3217,22 +3204,6 @@ case $host_os in
     # Workaround some broken pre-1.5 toolchains
     output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep conftest.$objext | $SED -e "s:-lgcc -lc -lgcc::"'
     ;;
-  openbsd2*)
-    # C++ shared libraries are fairly broken
-    _LT_AC_TAGVAR(ld_shlibs, $1)=no
-    ;;
-  openbsd*)
-    _LT_AC_TAGVAR(hardcode_direct, $1)=yes
-    _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
-    _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $lib'
-    _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
-    if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
-      _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-retain-symbols-file,$export_symbols -o $lib'
-      _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
-      _LT_AC_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
-    fi
-    output_verbose_link_cmd='echo'
-    ;;
   osf3*)
     case $cc_basename in
       KCC)
@@ -3732,7 +3703,7 @@ aix3*)
     postinstall_cmds='$RANLIB $lib'
   fi
   ;;
-aix4* | aix5*)
+aix4*)
   test "$enable_shared" = yes && enable_static=no
   ;;
 esac
@@ -3999,7 +3970,7 @@ Xsed="$SED -e s/^X//"
 
 # The HP-UX ksh and POSIX shell print the target directory to stdout
 # if CDPATH is set.
-(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
+if test "X\${CDPATH+set}" = Xset; then CDPATH=:; export CDPATH; fi
 
 # The names of the tagged configurations supported by this script.
 available_tags=
@@ -4091,7 +4062,7 @@ objext="$ac_objext"
 libext="$libext"
 
 # Shared library suffix (normally ".so").
-shrext_cmds='$shrext_cmds'
+shrext='$shrext'
 
 # Executable file suffix (normally "").
 exeext="$exeext"
@@ -4404,13 +4375,6 @@ hpux*) # Its linker distinguishes data from code symbols
   lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern int \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'"
   lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([[^ ]]*\) $/  {\\\"\1\\\", (lt_ptr) 0},/p' -e 's/^$symcode* \([[^ ]]*\) \([[^ ]]*\)$/  {\"\2\", (lt_ptr) \&\2},/p'"
   ;;
-linux*)
-  if test "$host_cpu" = ia64; then
-    symcode='[[ABCDGIRSTW]]'
-    lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern int \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'"
-    lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([[^ ]]*\) $/  {\\\"\1\\\", (lt_ptr) 0},/p' -e 's/^$symcode* \([[^ ]]*\) \([[^ ]]*\)$/  {\"\2\", (lt_ptr) \&\2},/p'"
-  fi
-  ;;
 irix* | nonstopux*)
   symcode='[[BCDEGRST]]'
   ;;
@@ -4638,16 +4602,6 @@ AC_MSG_CHECKING([for $compiler option to produce PIC])
 	  ;;
 	esac
 	;;
-       darwin*)
-         # PIC is the default on this platform
-         # Common symbols not allowed in MH_DYLIB files
-         case "$cc_basename" in
-           xlc*)
-           _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-qnocommon'
-           _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-           ;;
-         esac
-       ;;
       dgux*)
 	case $cc_basename in
 	  ec++)
@@ -4901,16 +4855,6 @@ AC_MSG_CHECKING([for $compiler option to produce PIC])
 	_LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-bnso -bI:/lib/syscalls.exp'
       fi
       ;;
-      darwin*)
-        # PIC is the default on this platform
-        # Common symbols not allowed in MH_DYLIB files
-       case "$cc_basename" in
-         xlc*)
-         _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-qnocommon'
-         _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-         ;;
-       esac
-       ;;
 
     mingw* | pw32* | os2*)
       # This hack is so that the source file can tell whether it is being
@@ -5226,7 +5170,7 @@ EOF
       ;;
 
   linux*)
-    if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+    if $LD --help 2>&1 | egrep ': supported targets:.* elf' > /dev/null; then
         tmp_archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
 	_LT_AC_TAGVAR(archive_cmds, $1)="$tmp_archive_cmds"
       supports_anon_versioning=no
@@ -5412,7 +5356,7 @@ $echo "local: *; };" >> $output_objdir/$libname.ver~
       _LT_AC_TAGVAR(ld_shlibs, $1)=no
       ;;
 
-    bsdi[[45]]*)
+    bsdi4*)
       _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)=-rdynamic
       ;;
 
@@ -5426,7 +5370,7 @@ $echo "local: *; };" >> $output_objdir/$libname.ver~
       # Tell ltmain to make .lib files, not .a files.
       libext=lib
       # Tell ltmain to make .dll files, not .so files.
-      shrext_cmds=".dll"
+      shrext=".dll"
       # FIXME: Setting linknames here is a bad hack.
       _LT_AC_TAGVAR(archive_cmds, $1)='$CC -o $lib $libobjs $compiler_flags `echo "$deplibs" | $SED -e '\''s/ -lc$//'\''` -link -dll~linknames='
       # The linker will automatically build a .lib file if we build a DLL.
@@ -5438,52 +5382,52 @@ $echo "local: *; };" >> $output_objdir/$libname.ver~
       ;;
 
     darwin* | rhapsody*)
+    if test "$GXX" = yes ; then
+      _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
       case "$host_os" in
-        rhapsody* | darwin1.[[012]])
-         _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-undefined ${wl}suppress'
-         ;;
-       *) # Darwin 1.3 on
-         if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
-           _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
-         else
-           case ${MACOSX_DEPLOYMENT_TARGET} in
-             10.[[012]])
-               _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
-               ;;
-             10.*)
-               _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-undefined ${wl}dynamic_lookup'
-               ;;
-           esac
-         fi
-         ;;
+      rhapsody* | darwin1.[[012]])
+	_LT_AC_TAGVAR(allow_undefined_flag, $1)='-undefined suppress'
+	;;
+      *) # Darwin 1.3 on
+      if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
+      	_LT_AC_TAGVAR(allow_undefined_flag, $1)='-flat_namespace -undefined suppress'
+      else
+        case ${MACOSX_DEPLOYMENT_TARGET} in
+          10.[[012]])
+            _LT_AC_TAGVAR(allow_undefined_flag, $1)='-flat_namespace -undefined suppress'
+            ;;
+          10.*)
+            _LT_AC_TAGVAR(allow_undefined_flag, $1)='-undefined dynamic_lookup'
+            ;;
+        esac
+      fi
+	;;
       esac
-      _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
+    	lt_int_apple_cc_single_mod=no
+    	output_verbose_link_cmd='echo'
+    	if $CC -dumpspecs 2>&1 | grep 'single_module' >/dev/null ; then
+    	  lt_int_apple_cc_single_mod=yes
+    	fi
+    	if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
+    	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
+    	else
+        _LT_AC_TAGVAR(archive_cmds, $1)='$CC -r ${wl}-bind_at_load -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
+      fi
+      _LT_AC_TAGVAR(module_cmds, $1)='$CC ${wl}-bind_at_load $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
+      # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
+        if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
+          _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+        else
+          _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -r ${wl}-bind_at_load -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+        fi
+          _LT_AC_TAGVAR(module_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
       _LT_AC_TAGVAR(hardcode_direct, $1)=no
       _LT_AC_TAGVAR(hardcode_automatic, $1)=yes
       _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
-      _LT_AC_TAGVAR(whole_archive_flag_spec, $1)=''
+      _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='-all_load $convenience'
       _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
-    if test "$GCC" = yes ; then
-    	output_verbose_link_cmd='echo'
-        _LT_AC_TAGVAR(archive_cmds, $1)='$CC -dynamiclib $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
-      _LT_AC_TAGVAR(module_cmds, $1)='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
-      # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
-      _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-      _LT_AC_TAGVAR(module_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
     else
-      case "$cc_basename" in
-        xlc*)
-         output_verbose_link_cmd='echo'
-         _LT_AC_TAGVAR(archive_cmds, $1)='$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}`echo $rpath/$soname` $verstring'
-         _LT_AC_TAGVAR(module_cmds, $1)='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
-          # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
-         _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-          _LT_AC_TAGVAR(module_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-          ;;
-       *)
-         _LT_AC_TAGVAR(ld_shlibs, $1)=no
-          ;;
-      esac
+      _LT_AC_TAGVAR(ld_shlibs, $1)=no
     fi
       ;;
 
@@ -5628,7 +5572,6 @@ $echo "local: *; };" >> $output_objdir/$libname.ver~
       _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
       if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
 	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
-	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-retain-symbols-file,$export_symbols'
 	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
 	_LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
       else
@@ -5994,7 +5937,7 @@ for lt_ac_sed in $lt_ac_sed_list /usr/xpg4/bin/sed; do
     fi
   done
 done
-])
 SED=$lt_cv_path_SED
+])
 AC_MSG_RESULT([$SED])
 ])
diff --git a/ltmain.sh b/ltmain.sh
index 48f55455..47fa4f17 100644
--- a/ltmain.sh
+++ b/ltmain.sh
@@ -1,7 +1,7 @@
 # ltmain.sh - Provide generalized library-building support services.
 # NOTE: Changing this file will not affect anything until you rerun configure.
 #
-# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004
+# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003
 # Free Software Foundation, Inc.
 # Originally by Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996
 #
@@ -24,34 +24,6 @@
 # configuration script generated by Autoconf, you may include it under
 # the same distribution terms that you use for the rest of that program.
 
-basename="s,^.*/,,g"
-
-# Work around backward compatibility issue on IRIX 6.5. On IRIX 6.4+, sh
-# is ksh but when the shell is invoked as "sh" and the current value of
-# the _XPG environment variable is not equal to 1 (one), the special
-# positional parameter $0, within a function call, is the name of the
-# function.
-progpath="$0"
-
-# The name of this program:
-progname=`echo "$progpath" | $SED $basename`
-modename="$progname"
-
-# Global variables:
-EXIT_SUCCESS=0
-EXIT_FAILURE=1
-
-PROGRAM=ltmain.sh
-PACKAGE=libtool
-VERSION=1.5.10
-TIMESTAMP=" (1.1220.2.131 2004/09/19 12:46:56)"
-
-# See if we are running on zsh, and set the options which allow our
-# commands through without removal of \ escapes.
-if test -n "${ZSH_VERSION+set}" ; then
-  setopt NO_GLOB_SUBST
-fi
-
 # Check that we have a working $echo.
 if test "X$1" = X--no-reexec; then
   # Discard the --no-reexec flag, and continue.
@@ -64,7 +36,7 @@ elif test "X`($echo '\t') 2>/dev/null`" = 'X\t'; then
   :
 else
   # Restart under the correct shell, and then maybe $echo will work.
-  exec $SHELL "$progpath" --no-reexec ${1+"$@"}
+  exec $SHELL "$0" --no-reexec ${1+"$@"}
 fi
 
 if test "X$1" = X--fallback-echo; then
@@ -73,9 +45,19 @@ if test "X$1" = X--fallback-echo; then
   cat <<EOF
 $*
 EOF
-  exit $EXIT_SUCCESS
+  exit 0
 fi
 
+# The name of this program.
+progname=`$echo "$0" | ${SED} 's%^.*/%%'`
+modename="$progname"
+
+# Constants.
+PROGRAM=ltmain.sh
+PACKAGE=libtool
+VERSION=1.5.2
+TIMESTAMP=" (1.1220.2.60 2004/01/25 12:25:08)"
+
 default_mode=
 help="Try \`$progname --help' for more information."
 magic="%%%MAGIC variable%%%"
@@ -118,7 +100,7 @@ fi
 if test "$build_libtool_libs" != yes && test "$build_old_libs" != yes; then
   $echo "$modename: not configured to build any kind of library" 1>&2
   $echo "Fatal configuration error.  See the $PACKAGE docs for more information." 1>&2
-  exit $EXIT_FAILURE
+  exit 1
 fi
 
 # Global variables.
@@ -137,13 +119,10 @@ o2lo="s/\\.${objext}\$/.lo/"
 # Shell function definitions:
 # This seems to be the best place for them
 
-# func_win32_libid arg
-# return the library type of file 'arg'
-#
 # Need a lot of goo to handle *both* DLLs and import libs
 # Has to be a shell function in order to 'eat' the argument
 # that is supplied when $file_magic_command is called.
-func_win32_libid () {
+win32_libid () {
   win32_libid_type="unknown"
   win32_fileres=`file -L $1 2>/dev/null`
   case $win32_fileres in
@@ -152,7 +131,7 @@ func_win32_libid () {
     ;;
   *ar\ archive*) # could be an import, or static
     if eval $OBJDUMP -f $1 | $SED -e '10q' 2>/dev/null | \
-      $EGREP -e 'file format pe-i386(.*architecture: i386)?' >/dev/null ; then
+      grep -E 'file format pe-i386(.*architecture: i386)?' >/dev/null ; then
       win32_nmres=`eval $NM -f posix -A $1 | \
 	sed -n -e '1,100{/ I /{x;/import/!{s/^/import/;h;p;};x;};}'`
       if test "X$win32_nmres" = "Ximport" ; then
@@ -162,7 +141,7 @@ func_win32_libid () {
       fi
     fi
     ;;
-  *DLL*)
+  *DLL*) 
     win32_libid_type="x86 DLL"
     ;;
   *executable*) # but shell scripts are "executable" too...
@@ -176,192 +155,9 @@ func_win32_libid () {
   $echo $win32_libid_type
 }
 
-
-# func_infer_tag arg
-# Infer tagged configuration to use if any are available and
-# if one wasn't chosen via the "--tag" command line option.
-# Only attempt this if the compiler in the base compile
-# command doesn't match the default compiler.
-# arg is usually of the form 'gcc ...'
-func_infer_tag () {
-    if test -n "$available_tags" && test -z "$tagname"; then
-      CC_quoted=
-      for arg in $CC; do
-	case $arg in
-	  *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
-	  arg="\"$arg\""
-	  ;;
-	esac
-	CC_quoted="$CC_quoted $arg"
-      done
-      case $@ in
-      # Blanks in the command may have been stripped by the calling shell,
-      # but not from the CC environment variable when configure was run.
-      " $CC "* | "$CC "* | " `$echo $CC` "* | "`$echo $CC` "* | " $CC_quoted"* | "$CC_quoted "* | " `$echo $CC_quoted` "* | "`$echo $CC_quoted` "*) ;;
-      # Blanks at the start of $base_compile will cause this to fail
-      # if we don't check for them as well.
-      *)
-	for z in $available_tags; do
-	  if grep "^# ### BEGIN LIBTOOL TAG CONFIG: $z$" < "$progpath" > /dev/null; then
-	    # Evaluate the configuration.
-	    eval "`${SED} -n -e '/^# ### BEGIN LIBTOOL TAG CONFIG: '$z'$/,/^# ### END LIBTOOL TAG CONFIG: '$z'$/p' < $progpath`"
-	    CC_quoted=
-	    for arg in $CC; do
-	    # Double-quote args containing other shell metacharacters.
-	    case $arg in
-	      *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
-	      arg="\"$arg\""
-	      ;;
-	    esac
-	    CC_quoted="$CC_quoted $arg"
-	  done
-	    case "$@ " in
-	      " $CC "* | "$CC "* | " `$echo $CC` "* | "`$echo $CC` "* | " $CC_quoted"* | "$CC_quoted "* | " `$echo $CC_quoted` "* | "`$echo $CC_quoted` "*)
-	      # The compiler in the base compile command matches
-	      # the one in the tagged configuration.
-	      # Assume this is the tagged configuration we want.
-	      tagname=$z
-	      break
-	      ;;
-	    esac
-	  fi
-	done
-	# If $tagname still isn't set, then no tagged configuration
-	# was found and let the user know that the "--tag" command
-	# line option must be used.
-	if test -z "$tagname"; then
-	  $echo "$modename: unable to infer tagged configuration"
-	  $echo "$modename: specify a tag with \`--tag'" 1>&2
-	  exit $EXIT_FAILURE
-#        else
-#          $echo "$modename: using $tagname tagged configuration"
-	fi
-	;;
-      esac
-    fi
-}
-
-
-# func_extract_archives gentop oldlib ...
-func_extract_archives () {
-    my_gentop="$1"; shift
-    my_oldlibs=${1+"$@"}
-    my_oldobjs=""
-    my_xlib=""
-    my_xabs=""
-    my_xdir=""
-    my_status=""
-
-    $show "${rm}r $my_gentop"
-    $run ${rm}r "$my_gentop"
-    $show "$mkdir $my_gentop"
-    $run $mkdir "$my_gentop"
-    my_status=$?
-    if test "$my_status" -ne 0 && test ! -d "$my_gentop"; then
-      exit $my_status
-    fi
-
-    for my_xlib in $my_oldlibs; do
-      # Extract the objects.
-      case $my_xlib in
-	[\\/]* | [A-Za-z]:[\\/]*) my_xabs="$my_xlib" ;;
-	*) my_xabs=`pwd`"/$my_xlib" ;;
-      esac
-      my_xlib=`$echo "X$my_xlib" | $Xsed -e 's%^.*/%%'`
-      my_xdir="$my_gentop/$my_xlib"
-
-      $show "${rm}r $my_xdir"
-      $run ${rm}r "$my_xdir"
-      $show "$mkdir $my_xdir"
-      $run $mkdir "$my_xdir"
-      status=$?
-      if test "$status" -ne 0 && test ! -d "$my_xdir"; then
-	exit $status
-      fi
-      case $host in
-      *-darwin*)
-	$show "Extracting $my_xabs"
-	# Do not bother doing anything if just a dry run
-	if test -z "$run"; then
-	  darwin_orig_dir=`pwd`
-	  cd $my_xdir || exit $?
-	  darwin_archive=$my_xabs
-	  darwin_curdir=`pwd`
-	  darwin_base_archive=`basename $darwin_archive`
-	  darwin_arches=`lipo -info "$darwin_archive" 2>/dev/null | $EGREP Architectures 2>/dev/null`
-	  if test -n "$darwin_arches"; then 
-	    darwin_arches=`echo "$darwin_arches" | $SED -e 's/.*are://'`
-	    darwin_arch=
-	    $show "$darwin_base_archive has multiple architectures $darwin_arches"
-	    for darwin_arch in  $darwin_arches ; do
-	      mkdir -p "unfat-$$/${darwin_base_archive}-${darwin_arch}"
-	      lipo -thin $darwin_arch -output "unfat-$$/${darwin_base_archive}-${darwin_arch}/${darwin_base_archive}" "${darwin_archive}"
-	      # Remove the table of contents from the thin files.
-	      $AR -d "unfat-$$/${darwin_base_archive}-${darwin_arch}/${darwin_base_archive}" __.SYMDEF 2>/dev/null || true
-	      $AR -d "unfat-$$/${darwin_base_archive}-${darwin_arch}/${darwin_base_archive}" __.SYMDEF\ SORTED 2>/dev/null || true
-	      cd "unfat-$$/${darwin_base_archive}-${darwin_arch}"
-	      $AR -xo "${darwin_base_archive}"
-	      rm "${darwin_base_archive}"
-	      cd "$darwin_curdir"
-	    done # $darwin_arches
-      ## Okay now we have a bunch of thin objects, gotta fatten them up :)
-	    darwin_filelist=`find unfat-$$ -type f | xargs basename | sort -u | $NL2SP`
-	    darwin_file=
-	    darwin_files=
-	    for darwin_file in $darwin_filelist; do
-	      darwin_files=`find unfat-$$ -name $darwin_file -print | $NL2SP`
-	      lipo -create -output "$darwin_file" $darwin_files
-	    done # $darwin_filelist
-	    rm -rf unfat-$$
-	    cd "$darwin_orig_dir"
-	  else
-	    cd $darwin_orig_dir
-	    (cd $my_xdir && $AR x $my_xabs) || exit $?
-	  fi # $darwin_arches
-	fi # $run
-      ;;
-      *)
-	# We will extract separately just the conflicting names and we will
-	# no longer touch any unique names. It is faster to leave these
-	# extract automatically by $AR in one run.
-	$show "(cd $my_xdir && $AR x $my_xabs)"
-	$run eval "(cd \$my_xdir && $AR x \$my_xabs)" || exit $?
-	if ($AR t "$my_xabs" | sort | sort -uc >/dev/null 2>&1); then
-	  :
-	else
-	  $echo "$modename: warning: object name conflicts; renaming object files" 1>&2
-	  $echo "$modename: warning: to ensure that they will not overwrite" 1>&2
-	  $AR t "$my_xabs" | sort | uniq -cd | while read -r count name
-	  do
-	    i=1
-	    while test "$i" -le "$count"
-	    do
-	      # Put our $i before any first dot (extension)
-	      # Never overwrite any file
-	      name_to="$name"
-	      while test "X$name_to" = "X$name" || test -f "$my_xdir/$name_to"
-	      do
-		name_to=`$echo "X$name_to" | $Xsed -e "s/\([^.]*\)/\1-$i/"`
-	      done
-	      $show "(cd $my_xdir && $AR xN $i $my_xabs '$name' && $mv '$name' '$name_to')"
-	      $run eval "(cd \$my_xdir && $AR xN $i \$my_xabs '$name' && $mv '$name' '$name_to')" || exit $?
-	      i=`expr $i + 1`
-	    done
-	  done
-	fi
-	;;
-      esac
-      my_oldobjs="$my_oldobjs "`find $my_xdir -name \*.$objext -print -o -name \*.lo -print | $NL2SP`
-    done
-
-    func_extract_archives_result="$my_oldobjs"
-}
 # End of Shell function definitions
 #####################################
 
-# Darwin sucks
-eval std_shrext=\"$shrext_cmds\"
-
 # Parse our command line options once, thoroughly.
 while test "$#" -gt 0
 do
@@ -387,7 +183,7 @@ do
       case $tagname in
       *[!-_A-Za-z0-9,/]*)
 	$echo "$progname: invalid tag name: $tagname" 1>&2
-	exit $EXIT_FAILURE
+	exit 1
 	;;
       esac
 
@@ -397,10 +193,10 @@ do
 	# not specially marked.
 	;;
       *)
-	if grep "^# ### BEGIN LIBTOOL TAG CONFIG: $tagname$" < "$progpath" > /dev/null; then
+	if grep "^# ### BEGIN LIBTOOL TAG CONFIG: $tagname$" < "$0" > /dev/null; then
 	  taglist="$taglist $tagname"
 	  # Evaluate the configuration.
-	  eval "`${SED} -n -e '/^# ### BEGIN LIBTOOL TAG CONFIG: '$tagname'$/,/^# ### END LIBTOOL TAG CONFIG: '$tagname'$/p' < $progpath`"
+	  eval "`${SED} -n -e '/^# ### BEGIN LIBTOOL TAG CONFIG: '$tagname'$/,/^# ### END LIBTOOL TAG CONFIG: '$tagname'$/p' < $0`"
 	else
 	  $echo "$progname: ignoring unknown tag $tagname" 1>&2
 	fi
@@ -429,16 +225,16 @@ do
     $echo "Copyright (C) 2003  Free Software Foundation, Inc."
     $echo "This is free software; see the source for copying conditions.  There is NO"
     $echo "warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
-    exit $EXIT_SUCCESS
+    exit 0
     ;;
 
   --config)
-    ${SED} -e '1,/^# ### BEGIN LIBTOOL CONFIG/d' -e '/^# ### END LIBTOOL CONFIG/,$d' $progpath
+    ${SED} -e '1,/^# ### BEGIN LIBTOOL CONFIG/d' -e '/^# ### END LIBTOOL CONFIG/,$d' $0
     # Now print the configurations for the tags.
     for tagname in $taglist; do
-      ${SED} -n -e "/^# ### BEGIN LIBTOOL TAG CONFIG: $tagname$/,/^# ### END LIBTOOL TAG CONFIG: $tagname$/p" < "$progpath"
+      ${SED} -n -e "/^# ### BEGIN LIBTOOL TAG CONFIG: $tagname$/,/^# ### END LIBTOOL TAG CONFIG: $tagname$/p" < "$0"
     done
-    exit $EXIT_SUCCESS
+    exit 0
     ;;
 
   --debug)
@@ -463,7 +259,7 @@ do
     else
       $echo "disable static libraries"
     fi
-    exit $EXIT_SUCCESS
+    exit 0
     ;;
 
   --finish) mode="finish" ;;
@@ -494,7 +290,7 @@ do
   -*)
     $echo "$modename: unrecognized option \`$arg'" 1>&2
     $echo "$help" 1>&2
-    exit $EXIT_FAILURE
+    exit 1
     ;;
 
   *)
@@ -507,7 +303,7 @@ done
 if test -n "$prevopt"; then
   $echo "$modename: option \`$prevopt' requires an argument" 1>&2
   $echo "$help" 1>&2
-  exit $EXIT_FAILURE
+  exit 1
 fi
 
 # If this variable is set in any of the actions, the command in it
@@ -563,7 +359,7 @@ if test -z "$show_help"; then
   if test -n "$execute_dlfiles" && test "$mode" != execute; then
     $echo "$modename: unrecognized option \`-dlopen'" 1>&2
     $echo "$help" 1>&2
-    exit $EXIT_FAILURE
+    exit 1
   fi
 
   # Change the help message to a mode-specific one.
@@ -605,7 +401,7 @@ if test -z "$show_help"; then
 	-o)
 	  if test -n "$libobj" ; then
 	    $echo "$modename: you cannot specify \`-o' more than once" 1>&2
-	    exit $EXIT_FAILURE
+	    exit 1
 	  fi
 	  arg_mode=target
 	  continue
@@ -630,7 +426,7 @@ if test -z "$show_help"; then
 	  args=`$echo "X$arg" | $Xsed -e "s/^-Wc,//"`
 	  lastarg=
 	  save_ifs="$IFS"; IFS=','
- 	  for arg in $args; do
+	  for arg in $args; do
 	    IFS="$save_ifs"
 
 	    # Double-quote args containing other shell metacharacters.
@@ -680,11 +476,11 @@ if test -z "$show_help"; then
     case $arg_mode in
     arg)
       $echo "$modename: you must specify an argument for -Xcompile"
-      exit $EXIT_FAILURE
+      exit 1
       ;;
     target)
       $echo "$modename: you must specify a target with \`-o'" 1>&2
-      exit $EXIT_FAILURE
+      exit 1
       ;;
     *)
       # Get the name of the library object.
@@ -717,11 +513,50 @@ if test -z "$show_help"; then
     *.lo) obj=`$echo "X$libobj" | $Xsed -e "$lo2o"` ;;
     *)
       $echo "$modename: cannot determine name of library object from \`$libobj'" 1>&2
-      exit $EXIT_FAILURE
+      exit 1
       ;;
     esac
 
-    func_infer_tag $base_compile
+    # Infer tagged configuration to use if any are available and
+    # if one wasn't chosen via the "--tag" command line option.
+    # Only attempt this if the compiler in the base compile
+    # command doesn't match the default compiler.
+    if test -n "$available_tags" && test -z "$tagname"; then
+      case $base_compile in
+      # Blanks in the command may have been stripped by the calling shell,
+      # but not from the CC environment variable when configure was run.
+      " $CC "* | "$CC "* | " `$echo $CC` "* | "`$echo $CC` "*) ;;
+      # Blanks at the start of $base_compile will cause this to fail
+      # if we don't check for them as well.
+      *)
+	for z in $available_tags; do
+	  if grep "^# ### BEGIN LIBTOOL TAG CONFIG: $z$" < "$0" > /dev/null; then
+	    # Evaluate the configuration.
+	    eval "`${SED} -n -e '/^# ### BEGIN LIBTOOL TAG CONFIG: '$z'$/,/^# ### END LIBTOOL TAG CONFIG: '$z'$/p' < $0`"
+	    case "$base_compile " in
+	    "$CC "* | " $CC "* | "`$echo $CC` "* | " `$echo $CC` "*)
+	      # The compiler in the base compile command matches
+	      # the one in the tagged configuration.
+	      # Assume this is the tagged configuration we want.
+	      tagname=$z
+	      break
+	      ;;
+	    esac
+	  fi
+	done
+	# If $tagname still isn't set, then no tagged configuration
+	# was found and let the user know that the "--tag" command
+	# line option must be used.
+	if test -z "$tagname"; then
+	  $echo "$modename: unable to infer tagged configuration"
+	  $echo "$modename: specify a tag with \`--tag'" 1>&2
+	  exit 1
+#        else
+#          $echo "$modename: using $tagname tagged configuration"
+	fi
+	;;
+      esac
+    fi
 
     for arg in $later; do
       case $arg in
@@ -754,7 +589,7 @@ if test -z "$show_help"; then
     if test -z "$base_compile"; then
       $echo "$modename: you must specify a compilation command" 1>&2
       $echo "$help" 1>&2
-      exit $EXIT_FAILURE
+      exit 1
     fi
 
     # Delete any leftover library objects.
@@ -765,7 +600,7 @@ if test -z "$show_help"; then
     fi
 
     $run $rm $removelist
-    trap "$run $rm $removelist; exit $EXIT_FAILURE" 1 2 15
+    trap "$run $rm $removelist; exit 1" 1 2 15
 
     # On Cygwin there's no "real" PIC flag so we must build both object types
     case $host_os in
@@ -784,7 +619,7 @@ if test -z "$show_help"; then
       output_obj=`$echo "X$srcfile" | $Xsed -e 's%^.*/%%' -e 's%\.[^.]*$%%'`.${objext}
       lockfile="$output_obj.lock"
       removelist="$removelist $output_obj $lockfile"
-      trap "$run $rm $removelist; exit $EXIT_FAILURE" 1 2 15
+      trap "$run $rm $removelist; exit 1" 1 2 15
     else
       output_obj=
       need_locks=no
@@ -794,7 +629,7 @@ if test -z "$show_help"; then
     # Lock this critical section if it is needed
     # We use this script file to make the link, it avoids creating a new file
     if test "$need_locks" = yes; then
-      until $run ln "$progpath" "$lockfile" 2>/dev/null; do
+      until $run ln "$0" "$lockfile" 2>/dev/null; do
 	$show "Waiting for $lockfile to be removed"
 	sleep 2
       done
@@ -812,7 +647,7 @@ avoid parallel builds (make -j) in this platform, or get a better
 compiler."
 
 	$run $rm $removelist
-	exit $EXIT_FAILURE
+	exit 1
       fi
       $echo $srcfile > "$lockfile"
     fi
@@ -867,7 +702,7 @@ EOF
       if $run eval "$command"; then :
       else
 	test -n "$output_obj" && $run $rm $removelist
-	exit $EXIT_FAILURE
+	exit 1
       fi
 
       if test "$need_locks" = warn &&
@@ -887,7 +722,7 @@ avoid parallel builds (make -j) in this platform, or get a better
 compiler."
 
 	$run $rm $removelist
-	exit $EXIT_FAILURE
+	exit 1
       fi
 
       # Just move the object if needed, then go on to compile the next one
@@ -939,7 +774,7 @@ EOF
       if $run eval "$command"; then :
       else
 	$run $rm $removelist
-	exit $EXIT_FAILURE
+	exit 1
       fi
 
       if test "$need_locks" = warn &&
@@ -959,7 +794,7 @@ avoid parallel builds (make -j) in this platform, or get a better
 compiler."
 
 	$run $rm $removelist
-	exit $EXIT_FAILURE
+	exit 1
       fi
 
       # Just move the object if needed
@@ -997,7 +832,7 @@ EOF
       $run $rm "$lockfile"
     fi
 
-    exit $EXIT_SUCCESS
+    exit 0
     ;;
 
   # libtool link mode
@@ -1069,7 +904,46 @@ EOF
     vinfo=
     vinfo_number=no
 
-    func_infer_tag $base_compile
+    # Infer tagged configuration to use if any are available and
+    # if one wasn't chosen via the "--tag" command line option.
+    # Only attempt this if the compiler in the base link
+    # command doesn't match the default compiler.
+    if test -n "$available_tags" && test -z "$tagname"; then
+      case $base_compile in
+      # Blanks in the command may have been stripped by the calling shell,
+      # but not from the CC environment variable when configure was run.
+      "$CC "* | " $CC "* | "`$echo $CC` "* | " `$echo $CC` "*) ;;
+      # Blanks at the start of $base_compile will cause this to fail
+      # if we don't check for them as well.
+      *)
+	for z in $available_tags; do
+	  if grep "^# ### BEGIN LIBTOOL TAG CONFIG: $z$" < "$0" > /dev/null; then
+	    # Evaluate the configuration.
+	    eval "`${SED} -n -e '/^# ### BEGIN LIBTOOL TAG CONFIG: '$z'$/,/^# ### END LIBTOOL TAG CONFIG: '$z'$/p' < $0`"
+	    case $base_compile in
+	    "$CC "* | " $CC "* | "`$echo $CC` "* | " `$echo $CC` "*)
+	      # The compiler in $compile_command matches
+	      # the one in the tagged configuration.
+	      # Assume this is the tagged configuration we want.
+	      tagname=$z
+	      break
+	      ;;
+	    esac
+	  fi
+	done
+	# If $tagname still isn't set, then no tagged configuration
+	# was found and let the user know that the "--tag" command
+	# line option must be used.
+	if test -z "$tagname"; then
+	  $echo "$modename: unable to infer tagged configuration"
+	  $echo "$modename: specify a tag with \`--tag'" 1>&2
+	  exit 1
+#       else
+#         $echo "$modename: using $tagname tagged configuration"
+	fi
+	;;
+      esac
+    fi
 
     # We need to know -static, to get the right output filenames.
     for arg
@@ -1165,7 +1039,7 @@ EOF
 	  export_symbols="$arg"
 	  if test ! -f "$arg"; then
 	    $echo "$modename: symbol file \`$arg' does not exist"
-	    exit $EXIT_FAILURE
+	    exit 1
 	  fi
 	  prev=
 	  continue
@@ -1217,7 +1091,7 @@ EOF
 		   test "$pic_object" = none && \
 		   test "$non_pic_object" = none; then
 		  $echo "$modename: cannot find name of object for \`$arg'" 1>&2
-		  exit $EXIT_FAILURE
+		  exit 1
 		fi
 
 		# Extract subdirectory from the argument.
@@ -1270,7 +1144,7 @@ EOF
 		# Only an error if not doing a dry-run.
 		if test -z "$run"; then
 		  $echo "$modename: \`$arg' is not a valid libtool object" 1>&2
-		  exit $EXIT_FAILURE
+		  exit 1
 		else
 		  # Dry-run case.
 
@@ -1291,7 +1165,7 @@ EOF
 	    done
 	  else
 	    $echo "$modename: link input file \`$save_arg' does not exist"
-	    exit $EXIT_FAILURE
+	    exit 1
 	  fi
 	  arg=$save_arg
 	  prev=
@@ -1303,7 +1177,7 @@ EOF
 	  [\\/]* | [A-Za-z]:[\\/]*) ;;
 	  *)
 	    $echo "$modename: only absolute run-paths are allowed" 1>&2
-	    exit $EXIT_FAILURE
+	    exit 1
 	    ;;
 	  esac
 	  if test "$prev" = rpath; then
@@ -1343,11 +1217,6 @@ EOF
 	  finalize_command="$finalize_command $qarg"
 	  continue
 	  ;;
-	shrext)
-  	  shrext_cmds="$arg"
-	  prev=
-	  continue
-	  ;;
 	*)
 	  eval "$prev=\"\$arg\""
 	  prev=
@@ -1396,7 +1265,7 @@ EOF
       -export-symbols | -export-symbols-regex)
 	if test -n "$export_symbols" || test -n "$export_symbols_regex"; then
 	  $echo "$modename: more than one -exported-symbols argument is not allowed"
-	  exit $EXIT_FAILURE
+	  exit 1
 	fi
 	if test "X$arg" = "X-export-symbols"; then
 	  prev=expsyms
@@ -1432,7 +1301,7 @@ EOF
 	  absdir=`cd "$dir" && pwd`
 	  if test -z "$absdir"; then
 	    $echo "$modename: cannot determine absolute directory name of \`$dir'" 1>&2
-	    exit $EXIT_FAILURE
+	    exit 1
 	  fi
 	  dir="$absdir"
 	  ;;
@@ -1488,18 +1357,7 @@ EOF
 	;;
 
      -mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe)
-        case $host in
-        *-*-freebsd*)
-           compile_command="$compile_command $arg"
-           finalize_command="$finalize_command $arg"
-           ;;
-        *)  
-           case "$archive_cmds" in
-             *"\$LD"*) ;;  
-             *) deplibs="$deplibs $arg";;
-           esac
-           ;;
-	esac
+	deplibs="$deplibs $arg"
 	continue
 	;;
 
@@ -1594,7 +1452,7 @@ EOF
 	[\\/]* | [A-Za-z]:[\\/]*) ;;
 	*)
 	  $echo "$modename: only absolute run-paths are allowed" 1>&2
-	  exit $EXIT_FAILURE
+	  exit 1
 	  ;;
 	esac
 	case "$xrpath " in
@@ -1717,7 +1575,7 @@ EOF
 	     test "$pic_object" = none && \
 	     test "$non_pic_object" = none; then
 	    $echo "$modename: cannot find name of object for \`$arg'" 1>&2
-	    exit $EXIT_FAILURE
+	    exit 1
 	  fi
 
 	  # Extract subdirectory from the argument.
@@ -1770,7 +1628,7 @@ EOF
 	  # Only an error if not doing a dry-run.
 	  if test -z "$run"; then
 	    $echo "$modename: \`$arg' is not a valid libtool object" 1>&2
-	    exit $EXIT_FAILURE
+	    exit 1
 	  else
 	    # Dry-run case.
 
@@ -1837,7 +1695,7 @@ EOF
     if test -n "$prev"; then
       $echo "$modename: the \`$prevarg' option requires an argument" 1>&2
       $echo "$help" 1>&2
-      exit $EXIT_FAILURE
+      exit 1
     fi
 
     if test "$export_dynamic" = yes && test -n "$export_dynamic_flag_spec"; then
@@ -1881,7 +1739,7 @@ EOF
     "")
       $echo "$modename: you must specify an output file" 1>&2
       $echo "$help" 1>&2
-      exit $EXIT_FAILURE
+      exit 1
       ;;
     *.$libext) linkmode=oldlib ;;
     *.lo | *.$objext) linkmode=obj ;;
@@ -1891,7 +1749,7 @@ EOF
 
     case $host in
     *cygwin* | *mingw* | *pw32*)
-      # don't eliminate duplications in $postdeps and $predeps
+      # don't eliminate duplcations in $postdeps and $predeps
       duplicate_compiler_generated_deps=yes
       ;;
     *)
@@ -1944,7 +1802,7 @@ EOF
 	  *.la) ;;
 	  *)
 	    $echo "$modename: libraries can \`-dlopen' only libtool libraries: $file" 1>&2
-	    exit $EXIT_FAILURE
+	    exit 1
 	    ;;
 	  esac
 	done
@@ -1987,10 +1845,7 @@ EOF
 	    compile_deplibs="$deplib $compile_deplibs"
 	    finalize_deplibs="$deplib $finalize_deplibs"
 	  else
-	    case "$archive_cmds" in
-	      *"\$LD"*) ;;
-	      *) deplibs="$deplibs $arg";;
-	    esac
+	    deplibs="$deplib $deplibs"
 	  fi
 	  continue
 	  ;;
@@ -2005,7 +1860,7 @@ EOF
 	  fi
 	  name=`$echo "X$deplib" | $Xsed -e 's/^-l//'`
 	  for searchdir in $newlib_search_path $lib_search_path $sys_lib_search_path $shlib_search_path; do
-	    for search_ext in .la $std_shrext .so .a; do
+	    for search_ext in .la $shrext .so .a; do
 	      # Search the libtool library
 	      lib="$searchdir/lib${name}${search_ext}"
 	      if test -f "$lib"; then
@@ -2081,11 +1936,11 @@ EOF
 	    fi
 	    if test "$pass" = scan; then
 	      deplibs="$deplib $deplibs"
+	      newlib_search_path="$newlib_search_path "`$echo "X$deplib" | $Xsed -e 's/^-L//'`
 	    else
 	      compile_deplibs="$deplib $compile_deplibs"
 	      finalize_deplibs="$deplib $finalize_deplibs"
 	    fi
-	    newlib_search_path="$newlib_search_path "`$echo "X$deplib" | $Xsed -e 's/^-L//'`
 	    ;;
 	  *)
 	    $echo "$modename: warning: \`-L' is ignored for archives/objects" 1>&2
@@ -2113,22 +1968,7 @@ EOF
 	  fi
 	  case $linkmode in
 	  lib)
-	    valid_a_lib=no
-	    case $deplibs_check_method in
-	      match_pattern*)
-		set dummy $deplibs_check_method
-	        match_pattern_regex=`expr "$deplibs_check_method" : "$2 \(.*\)"`
-		if eval $echo \"$deplib\" 2>/dev/null \
-		    | $SED 10q \
-		    | $EGREP "$match_pattern_regex" > /dev/null; then
-		  valid_a_lib=yes
-		fi
-		;;
-	      pass_all)
-		valid_a_lib=yes
-		;;
-            esac
-	    if test "$valid_a_lib" != yes; then
+	    if test "$deplibs_check_method" != pass_all; then
 	      $echo
 	      $echo "*** Warning: Trying to link with static lib archive $deplib."
 	      $echo "*** I have the capability to make that library automatically link in when"
@@ -2179,14 +2019,14 @@ EOF
 	if test "$found" = yes || test -f "$lib"; then :
 	else
 	  $echo "$modename: cannot find the library \`$lib'" 1>&2
-	  exit $EXIT_FAILURE
+	  exit 1
 	fi
 
 	# Check to see that this really is a libtool archive.
 	if (${SED} -e '2q' $lib | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then :
 	else
 	  $echo "$modename: \`$lib' is not a valid libtool archive" 1>&2
-	  exit $EXIT_FAILURE
+	  exit 1
 	fi
 
 	ladir=`$echo "X$lib" | $Xsed -e 's%/[^/]*$%%'`
@@ -2222,7 +2062,7 @@ EOF
 	  if test -z "$libdir"; then
 	    if test -z "$old_library"; then
 	      $echo "$modename: cannot find name of link library for \`$lib'" 1>&2
-	      exit $EXIT_FAILURE
+	      exit 1
 	    fi
 	    # It is a libtool convenience library, so add in its objects.
 	    convenience="$convenience $ladir/$objdir/$old_library"
@@ -2239,12 +2079,12 @@ EOF
 	    done
 	  elif test "$linkmode" != prog && test "$linkmode" != lib; then
 	    $echo "$modename: \`$lib' is not a convenience library" 1>&2
-	    exit $EXIT_FAILURE
+	    exit 1
 	  fi
 	  continue
 	fi # $pass = conv
 
-
+    
 	# Get the name of the library we link against.
 	linklib=
 	for l in $old_library $library_names; do
@@ -2252,18 +2092,16 @@ EOF
 	done
 	if test -z "$linklib"; then
 	  $echo "$modename: cannot find name of link library for \`$lib'" 1>&2
-	  exit $EXIT_FAILURE
+	  exit 1
 	fi
 
 	# This library was specified with -dlopen.
 	if test "$pass" = dlopen; then
 	  if test -z "$libdir"; then
 	    $echo "$modename: cannot -dlopen a convenience library: \`$lib'" 1>&2
-	    exit $EXIT_FAILURE
+	    exit 1
 	  fi
-	  if test -z "$dlname" ||
-	     test "$dlopen_support" != yes ||
-	     test "$build_libtool_libs" = no; then
+	  if test -z "$dlname" || test "$dlopen_support" != yes || test "$build_libtool_libs" = no; then
 	    # If there is no dlname, no dlopen support or we're linking
 	    # statically, we need to preload.  We also need to preload any
 	    # dependent libraries so libltdl's deplib preloader doesn't
@@ -2301,17 +2139,10 @@ EOF
 	    absdir="$libdir"
 	  fi
 	else
-	  if test ! -f "$ladir/$objdir/$linklib" && test -f "$abs_ladir/$linklib"; then
-	    dir="$ladir"
-	    absdir="$abs_ladir"
-	    # Remove this search path later
-	    notinst_path="$notinst_path $abs_ladir"
-	  else
-	    dir="$ladir/$objdir"
-	    absdir="$abs_ladir/$objdir"
-	    # Remove this search path later
-	    notinst_path="$notinst_path $abs_ladir"
-	  fi
+	  dir="$ladir/$objdir"
+	  absdir="$abs_ladir/$objdir"
+	  # Remove this search path later
+	  notinst_path="$notinst_path $abs_ladir"
 	fi # $installed = yes
 	name=`$echo "X$laname" | $Xsed -e 's/\.la$//' -e 's/^lib//'`
 
@@ -2319,7 +2150,7 @@ EOF
 	if test "$pass" = dlpreopen; then
 	  if test -z "$libdir"; then
 	    $echo "$modename: cannot -dlpreopen a convenience library: \`$lib'" 1>&2
-	    exit $EXIT_FAILURE
+	    exit 1
 	  fi
 	  # Prefer using a static library (so that no silly _DYNAMIC symbols
 	  # are required to link).
@@ -2346,7 +2177,7 @@ EOF
 	  continue
 	fi
 
-
+    
 	if test "$linkmode" = prog && test "$pass" != link; then
 	  newlib_search_path="$newlib_search_path $ladir"
 	  deplibs="$lib $deplibs"
@@ -2433,18 +2264,17 @@ EOF
 	    need_relink=yes
 	  fi
 	  # This is a shared library
-
-	  # Warn about portability, can't link against -module's on
-	  # some systems (darwin)
-	  if test "$shouldnotlink" = yes && test "$pass" = link ; then
+	
+      # Warn about portability, can't link against -module's on some systems (darwin)
+      if test "$shouldnotlink" = yes && test "$pass" = link ; then
 	    $echo
 	    if test "$linkmode" = prog; then
 	      $echo "*** Warning: Linking the executable $output against the loadable module"
 	    else
 	      $echo "*** Warning: Linking the shared library $output against the loadable module"
 	    fi
-	    $echo "*** $linklib is not portable!"
-	  fi
+	    $echo "*** $linklib is not portable!"    
+      fi	  
 	  if test "$linkmode" = lib &&
 	     test "$hardcode_into_libs" = yes; then
 	    # Hardcode the library path.
@@ -2542,9 +2372,9 @@ EOF
 		case $host in
 		  *-*-sco3.2v5* ) add_dir="-L$dir" ;;
 		  *-*-darwin* )
-		    # if the lib is a module then we can not link against
-		    # it, someone is ignoring the new warnings I added
-		    if /usr/bin/file -L $add 2> /dev/null | $EGREP "bundle" >/dev/null ; then
+		    # if the lib is a module then we can not link against it, someone
+		    # is ignoring the new warnings I added
+		    if /usr/bin/file -L $add 2> /dev/null | grep "bundle" >/dev/null ; then
 		      $echo "** Warning, lib $linklib is a module, not a shared library"
 		      if test -z "$old_library" ; then
 		        $echo
@@ -2552,7 +2382,7 @@ EOF
 		        $echo "** The link will probably fail, sorry"
 		      else
 		        add="$dir/$old_library"
-		      fi
+		      fi 
 		    fi
 		esac
 	      elif test "$hardcode_minus_L" = no; then
@@ -2594,7 +2424,7 @@ EOF
 
 	    if test "$lib_linked" != yes; then
 	      $echo "$modename: configuration error: unsupported hardcode properties"
-	      exit $EXIT_FAILURE
+	      exit 1
 	    fi
 
 	    if test -n "$add_shlibpath"; then
@@ -2637,8 +2467,7 @@ EOF
 	      esac
 	      add="-l$name"
 	    elif test "$hardcode_automatic" = yes; then
-	      if test -n "$inst_prefix_dir" &&
-		 test -f "$inst_prefix_dir$libdir/$linklib" ; then
+	      if test -n "$inst_prefix_dir" && test -f "$inst_prefix_dir$libdir/$linklib" ; then
 	        add="$inst_prefix_dir$libdir/$linklib"
 	      else
 	        add="$libdir/$linklib"
@@ -2718,8 +2547,7 @@ EOF
 
 	if test "$linkmode" = lib; then
 	  if test -n "$dependency_libs" &&
-	     { test "$hardcode_into_libs" != yes ||
-	       test "$build_old_libs" = yes ||
+	     { test "$hardcode_into_libs" != yes || test "$build_old_libs" = yes ||
 	       test "$link_static" = yes; }; then
 	    # Extract -R from dependency_libs
 	    temp_deplibs=
@@ -2776,7 +2604,7 @@ EOF
 		  eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $deplib`
 		  if test -z "$libdir"; then
 		    $echo "$modename: \`$deplib' is not a valid libtool archive" 1>&2
-		    exit $EXIT_FAILURE
+		    exit 1
 		  fi
 		  if test "$absdir" != "$libdir"; then
 		    $echo "$modename: warning: \`$deplib' seems to be moved" 1>&2
@@ -2786,8 +2614,7 @@ EOF
 		depdepl=
 		case $host in
 		*-*-darwin*)
-		  # we do not want to link against static libs,
-		  # but need to link against shared
+		  # we do not want to link against static libs, but need to link against shared
 		  eval deplibrary_names=`${SED} -n -e 's/^library_names=\(.*\)$/\1/p' $deplib`
 		  if test -n "$deplibrary_names" ; then
 		    for tmp in $deplibrary_names ; do
@@ -2795,7 +2622,7 @@ EOF
 		    done
 		    if test -f "$path/$depdepl" ; then
 		      depdepl="$path/$depdepl"
-		    fi
+		   fi
 		    # do not add paths which are already there
 		    case " $newlib_search_path " in
 		    *" $path "*) ;;
@@ -2805,32 +2632,33 @@ EOF
 		  path=""
 		  ;;
 		*)
-		  path="-L$path"
-		  ;;
-		esac
+		path="-L$path"
 		;;
-	      -l*)
+		esac 
+		
+		;;
+		  -l*)
 		case $host in
 		*-*-darwin*)
-		  # Again, we only want to link against shared libraries
-		  eval tmp_libs=`$echo "X$deplib" | $Xsed -e "s,^\-l,,"`
-		  for tmp in $newlib_search_path ; do
-		    if test -f "$tmp/lib$tmp_libs.dylib" ; then
-		      eval depdepl="$tmp/lib$tmp_libs.dylib"
-		      break
-		    fi
-		  done
-		  path=""
+		 # Again, we only want to link against shared libraries
+		 eval tmp_libs=`$echo "X$deplib" | $Xsed -e "s,^\-l,,"`
+		 for tmp in $newlib_search_path ; do
+		     if test -f "$tmp/lib$tmp_libs.dylib" ; then
+		       eval depdepl="$tmp/lib$tmp_libs.dylib"
+		       break
+		     fi  
+         done
+         path=""
 		  ;;
 		*) continue ;;
-		esac
+		esac  		  
 		;;
 	      *) continue ;;
 	      esac
 	      case " $deplibs " in
 	      *" $depdepl "*) ;;
-	      *) deplibs="$depdepl $deplibs" ;;
-	      esac
+	      *) deplibs="$deplibs $depdepl" ;;
+	      esac	      
 	      case " $deplibs " in
 	      *" $path "*) ;;
 	      *) deplibs="$deplibs $path" ;;
@@ -2920,8 +2748,7 @@ EOF
 	  eval $var=\"$tmp_libs\"
 	done # for var
       fi
-      # Last step: remove runtime libs from dependency_libs
-      # (they stay in deplibs)
+      # Last step: remove runtime libs from dependency_libs (they stay in deplibs)
       tmp_libs=
       for i in $dependency_libs ; do
 	case " $predeps $postdeps $compiler_lib_search_path " in
@@ -2981,19 +2808,19 @@ EOF
       case $outputname in
       lib*)
 	name=`$echo "X$outputname" | $Xsed -e 's/\.la$//' -e 's/^lib//'`
-	eval shared_ext=\"$shrext_cmds\"
+	eval shared_ext=\"$shrext\"
 	eval libname=\"$libname_spec\"
 	;;
       *)
 	if test "$module" = no; then
 	  $echo "$modename: libtool library \`$output' must begin with \`lib'" 1>&2
 	  $echo "$help" 1>&2
-	  exit $EXIT_FAILURE
+	  exit 1
 	fi
 	if test "$need_lib_prefix" != no; then
 	  # Add the "lib" prefix for modules if required
 	  name=`$echo "X$outputname" | $Xsed -e 's/\.la$//'`
-	  eval shared_ext=\"$shrext_cmds\"
+	  eval shared_ext=\"$shrext\"
 	  eval libname=\"$libname_spec\"
 	else
 	  libname=`$echo "X$outputname" | $Xsed -e 's/\.la$//'`
@@ -3004,7 +2831,7 @@ EOF
       if test -n "$objs"; then
 	if test "$deplibs_check_method" != pass_all; then
 	  $echo "$modename: cannot build libtool library \`$output' from non-libtool objects on this host:$objs" 2>&1
-	  exit $EXIT_FAILURE
+	  exit 1
 	else
 	  $echo
 	  $echo "*** Warning: Linking the shared library $output against the non-libtool"
@@ -3052,13 +2879,13 @@ EOF
 	if test -n "$8"; then
 	  $echo "$modename: too many parameters to \`-version-info'" 1>&2
 	  $echo "$help" 1>&2
-	  exit $EXIT_FAILURE
+	  exit 1
 	fi
 
 	# convert absolute version numbers to libtool ages
 	# this retains compatibility with .la files and attempts
 	# to make the code below a bit more comprehensible
-
+	
 	case $vinfo_number in
 	yes)
 	  number_major="$2"
@@ -3102,7 +2929,7 @@ EOF
 	*)
 	  $echo "$modename: CURRENT \`$current' is not a nonnegative integer" 1>&2
 	  $echo "$modename: \`$vinfo' is not valid version information" 1>&2
-	  exit $EXIT_FAILURE
+	  exit 1
 	  ;;
 	esac
 
@@ -3111,7 +2938,7 @@ EOF
 	*)
 	  $echo "$modename: REVISION \`$revision' is not a nonnegative integer" 1>&2
 	  $echo "$modename: \`$vinfo' is not valid version information" 1>&2
-	  exit $EXIT_FAILURE
+	  exit 1
 	  ;;
 	esac
 
@@ -3120,14 +2947,14 @@ EOF
 	*)
 	  $echo "$modename: AGE \`$age' is not a nonnegative integer" 1>&2
 	  $echo "$modename: \`$vinfo' is not valid version information" 1>&2
-	  exit $EXIT_FAILURE
+	  exit 1
 	  ;;
 	esac
 
 	if test "$age" -gt "$current"; then
 	  $echo "$modename: AGE \`$age' is greater than the current interface number \`$current'" 1>&2
 	  $echo "$modename: \`$vinfo' is not valid version information" 1>&2
-	  exit $EXIT_FAILURE
+	  exit 1
 	fi
 
 	# Calculate the version variables.
@@ -3144,7 +2971,7 @@ EOF
 	  versuffix="$major.$age.$revision"
 	  # Darwin ld doesn't like 0 for these options...
 	  minor_current=`expr $current + 1`
-	  verstring="${wl}-compatibility_version ${wl}$minor_current ${wl}-current_version ${wl}$minor_current.$revision"
+	  verstring="-compatibility_version $minor_current -current_version $minor_current.$revision"
 	  ;;
 
 	freebsd-aout)
@@ -3216,7 +3043,7 @@ EOF
 	*)
 	  $echo "$modename: unknown library version type \`$version_type'" 1>&2
 	  $echo "Fatal configuration error.  See the $PACKAGE docs for more information." 1>&2
-	  exit $EXIT_FAILURE
+	  exit 1
 	  ;;
 	esac
 
@@ -3270,11 +3097,9 @@ EOF
 	    *.$objext)
 	       ;;
 	    $output_objdir/$outputname | $output_objdir/$libname.* | $output_objdir/${libname}${release}.*)
-	       if test "X$precious_files_regex" != "X"; then
-	         if echo $p | $EGREP -e "$precious_files_regex" >/dev/null 2>&1
-	         then
-		   continue
-		 fi
+	       if echo $p | $EGREP -e "$precious_files_regex" >/dev/null 2>&1
+	       then
+		 continue
 	       fi
 	       removelist="$removelist $p"
 	       ;;
@@ -3755,7 +3580,7 @@ EOF
 	fi
 
 	# Get the real and link names of the library.
-	eval shared_ext=\"$shrext_cmds\"
+	eval shared_ext=\"$shrext\"
 	eval library_names=\"$library_names_spec\"
 	set dummy $library_names
 	realname="$2"
@@ -3819,12 +3644,12 @@ EOF
 	for test_deplib in $deplibs; do
 		case " $convenience " in
 		*" $test_deplib "*) ;;
-		*)
+		*) 
 			tmp_deplibs="$tmp_deplibs $test_deplib"
 			;;
 		esac
 	done
-	deplibs="$tmp_deplibs"
+	deplibs="$tmp_deplibs" 
 
 	if test -n "$convenience"; then
 	  if test -n "$whole_archive_flag_spec"; then
@@ -3832,13 +3657,67 @@ EOF
 	    eval libobjs=\"\$libobjs $whole_archive_flag_spec\"
 	  else
 	    gentop="$output_objdir/${outputname}x"
+	    $show "${rm}r $gentop"
+	    $run ${rm}r "$gentop"
+	    $show "$mkdir $gentop"
+	    $run $mkdir "$gentop"
+	    status=$?
+	    if test "$status" -ne 0 && test ! -d "$gentop"; then
+	      exit $status
+	    fi
 	    generated="$generated $gentop"
 
-	    func_extract_archives $gentop $convenience
-	    libobjs="$libobjs $func_extract_archives_result"
+	    for xlib in $convenience; do
+	      # Extract the objects.
+	      case $xlib in
+	      [\\/]* | [A-Za-z]:[\\/]*) xabs="$xlib" ;;
+	      *) xabs=`pwd`"/$xlib" ;;
+	      esac
+	      xlib=`$echo "X$xlib" | $Xsed -e 's%^.*/%%'`
+	      xdir="$gentop/$xlib"
+
+	      $show "${rm}r $xdir"
+	      $run ${rm}r "$xdir"
+	      $show "$mkdir $xdir"
+	      $run $mkdir "$xdir"
+	      status=$?
+	      if test "$status" -ne 0 && test ! -d "$xdir"; then
+		exit $status
+	      fi
+	      # We will extract separately just the conflicting names and we will no
+	      # longer touch any unique names. It is faster to leave these extract
+	      # automatically by $AR in one run.
+	      $show "(cd $xdir && $AR x $xabs)"
+	      $run eval "(cd \$xdir && $AR x \$xabs)" || exit $?
+	      if ($AR t "$xabs" | sort | sort -uc >/dev/null 2>&1); then
+		:
+	      else
+		$echo "$modename: warning: object name conflicts; renaming object files" 1>&2
+		$echo "$modename: warning: to ensure that they will not overwrite" 1>&2
+		$AR t "$xabs" | sort | uniq -cd | while read -r count name
+		do
+		  i=1
+		  while test "$i" -le "$count"
+		  do
+		   # Put our $i before any first dot (extension)
+		   # Never overwrite any file
+		   name_to="$name"
+		   while test "X$name_to" = "X$name" || test -f "$xdir/$name_to"
+		   do
+		     name_to=`$echo "X$name_to" | $Xsed -e "s/\([^.]*\)/\1-$i/"`
+		   done
+		   $show "(cd $xdir && $AR xN $i $xabs '$name' && $mv '$name' '$name_to')"
+		   $run eval "(cd \$xdir && $AR xN $i \$xabs '$name' && $mv '$name' '$name_to')" || exit $?
+		   i=`expr $i + 1`
+		  done
+		done
+	      fi
+
+	      libobjs="$libobjs "`find $xdir -name \*.$objext -print -o -name \*.lo -print | $NL2SP`
+	    done
 	  fi
 	fi
-	
+
 	if test "$thread_safe" = yes && test -n "$thread_safe_flag_spec"; then
 	  eval flag=\"$thread_safe_flag_spec\"
 	  linker_flags="$linker_flags $flag"
@@ -3953,6 +3832,7 @@ EOF
 	  save_ifs="$IFS"; IFS='~'
 	  for cmd in $concat_cmds; do
 	    IFS="$save_ifs"
+	    eval cmd=\"$cmd\"
 	    $show "$cmd"
 	    $run eval "$cmd" || exit $?
 	  done
@@ -3999,7 +3879,7 @@ EOF
 	# Restore the uninstalled library and exit
 	if test "$mode" = relink; then
 	  $run eval '(cd $output_objdir && $rm ${realname}T && $mv $realname ${realname}T && $mv "$realname"U $realname)' || exit $?
-	  exit $EXIT_SUCCESS
+	  exit 0
 	fi
 
 	# Create links to the real library.
@@ -4047,7 +3927,7 @@ EOF
       *.lo)
 	if test -n "$objs$old_deplibs"; then
 	  $echo "$modename: cannot build library object \`$output' from non-libtool objects" 1>&2
-	  exit $EXIT_FAILURE
+	  exit 1
 	fi
 	libobj="$output"
 	obj=`$echo "X$output" | $Xsed -e "$lo2o"`
@@ -4076,10 +3956,64 @@ EOF
 	  eval reload_conv_objs=\"\$reload_objs $whole_archive_flag_spec\"
 	else
 	  gentop="$output_objdir/${obj}x"
+	  $show "${rm}r $gentop"
+	  $run ${rm}r "$gentop"
+	  $show "$mkdir $gentop"
+	  $run $mkdir "$gentop"
+	  status=$?
+	  if test "$status" -ne 0 && test ! -d "$gentop"; then
+	    exit $status
+	  fi
 	  generated="$generated $gentop"
 
-	  func_extract_archives $gentop $convenience
-	  reload_conv_objs="$reload_objs $func_extract_archives_result"
+	  for xlib in $convenience; do
+	    # Extract the objects.
+	    case $xlib in
+	    [\\/]* | [A-Za-z]:[\\/]*) xabs="$xlib" ;;
+	    *) xabs=`pwd`"/$xlib" ;;
+	    esac
+	    xlib=`$echo "X$xlib" | $Xsed -e 's%^.*/%%'`
+	    xdir="$gentop/$xlib"
+
+	    $show "${rm}r $xdir"
+	    $run ${rm}r "$xdir"
+	    $show "$mkdir $xdir"
+	    $run $mkdir "$xdir"
+	    status=$?
+	    if test "$status" -ne 0 && test ! -d "$xdir"; then
+	      exit $status
+	    fi
+	    # We will extract separately just the conflicting names and we will no
+	    # longer touch any unique names. It is faster to leave these extract
+	    # automatically by $AR in one run.
+	    $show "(cd $xdir && $AR x $xabs)"
+	    $run eval "(cd \$xdir && $AR x \$xabs)" || exit $?
+	    if ($AR t "$xabs" | sort | sort -uc >/dev/null 2>&1); then
+	      :
+	    else
+	      $echo "$modename: warning: object name conflicts; renaming object files" 1>&2
+	      $echo "$modename: warning: to ensure that they will not overwrite" 1>&2
+	      $AR t "$xabs" | sort | uniq -cd | while read -r count name
+	      do
+		i=1
+		while test "$i" -le "$count"
+		do
+		 # Put our $i before any first dot (extension)
+		 # Never overwrite any file
+		 name_to="$name"
+		 while test "X$name_to" = "X$name" || test -f "$xdir/$name_to"
+		 do
+		   name_to=`$echo "X$name_to" | $Xsed -e "s/\([^.]*\)/\1-$i/"`
+		 done
+		 $show "(cd $xdir && $AR xN $i $xabs '$name' && $mv '$name' '$name_to')"
+		 $run eval "(cd \$xdir && $AR xN $i \$xabs '$name' && $mv '$name' '$name_to')" || exit $?
+		 i=`expr $i + 1`
+		done
+	      done
+	    fi
+
+	    reload_conv_objs="$reload_objs "`find $xdir -name \*.$objext -print -o -name \*.lo -print | $NL2SP`
+	  done
 	fi
       fi
 
@@ -4104,7 +4038,7 @@ EOF
 	  $run ${rm}r $gentop
 	fi
 
-	exit $EXIT_SUCCESS
+	exit 0
       fi
 
       if test "$build_libtool_libs" != yes; then
@@ -4117,7 +4051,7 @@ EOF
 	# accidentally link it into a program.
 	# $show "echo timestamp > $libobj"
 	# $run eval "echo timestamp > $libobj" || exit $?
-	exit $EXIT_SUCCESS
+	exit 0
       fi
 
       if test -n "$pic_flag" || test "$pic_mode" != default; then
@@ -4140,7 +4074,7 @@ EOF
 	$run ${rm}r $gentop
       fi
 
-      exit $EXIT_SUCCESS
+      exit 0
       ;;
 
     prog)
@@ -4458,7 +4392,7 @@ static const void *lt_preloaded_setup() {
 	  ;;
 	*)
 	  $echo "$modename: unknown suffix for \`$dlsyms'" 1>&2
-	  exit $EXIT_FAILURE
+	  exit 1
 	  ;;
 	esac
       else
@@ -4546,7 +4480,7 @@ static const void *lt_preloaded_setup() {
 	# Link the executable and exit
 	$show "$link_command"
 	$run eval "$link_command" || exit $?
-	exit $EXIT_SUCCESS
+	exit 0
       fi
 
       if test "$hardcode_action" = relink; then
@@ -4601,10 +4535,10 @@ static const void *lt_preloaded_setup() {
       fi
 
       # Quote $echo for shipping.
-      if test "X$echo" = "X$SHELL $progpath --fallback-echo"; then
-	case $progpath in
-	[\\/]* | [A-Za-z]:[\\/]*) qecho="$SHELL $progpath --fallback-echo";;
-	*) qecho="$SHELL `pwd`/$progpath --fallback-echo";;
+      if test "X$echo" = "X$SHELL $0 --fallback-echo"; then
+	case $0 in
+	[\\/]* | [A-Za-z]:[\\/]*) qecho="$SHELL $0 --fallback-echo";;
+	*) qecho="$SHELL `pwd`/$0 --fallback-echo";;
 	esac
 	qecho=`$echo "X$qecho" | $Xsed -e "$sed_quote_subst"`
       else
@@ -4630,7 +4564,7 @@ static const void *lt_preloaded_setup() {
 	    cwrappersource=`$echo ${objdir}/lt-${output}.c`
 	    cwrapper=`$echo ${output}.exe`
 	    $rm $cwrappersource $cwrapper
-	    trap "$rm $cwrappersource $cwrapper; exit $EXIT_FAILURE" 1 2 15
+	    trap "$rm $cwrappersource $cwrapper; exit 1" 1 2 15
 
 	    cat > $cwrappersource <<EOF
 
@@ -4639,7 +4573,7 @@ static const void *lt_preloaded_setup() {
 
    The $output program cannot be directly executed until all the libtool
    libraries that it depends on are installed.
-
+   
    This wrapper executable should never be moved out of the build directory.
    If it is, it will not operate correctly.
 
@@ -4671,7 +4605,7 @@ EOF
 #if defined (_WIN32) || defined (__MSDOS__) || defined (__DJGPP__) || \
   defined (__OS2__)
 #define HAVE_DOS_BASED_FILE_SYSTEM
-#ifndef DIR_SEPARATOR_2
+#ifndef DIR_SEPARATOR_2 
 #define DIR_SEPARATOR_2 '\\'
 #endif
 #endif
@@ -4702,7 +4636,7 @@ main (int argc, char *argv[])
 {
   char **newargz;
   int i;
-
+  
   program_name = (char *) xstrdup ((char *) basename (argv[0]));
   newargz = XMALLOC(char *, argc+2);
 EOF
@@ -4715,7 +4649,7 @@ EOF
   newargz[1] = fnqualify(argv[0]);
   /* we know the script has the same name, without the .exe */
   /* so make sure newargz[1] doesn't end in .exe */
-  strendzap(newargz[1],".exe");
+  strendzap(newargz[1],".exe"); 
   for (i = 1; i < argc; i++)
     newargz[i+1] = xstrdup(argv[i]);
   newargz[argc+1] = NULL;
@@ -4738,7 +4672,7 @@ xmalloc (size_t num)
   return p;
 }
 
-char *
+char * 
 xstrdup (const char *string)
 {
   return string ? strcpy ((char *) xmalloc (strlen (string) + 1), string) : NULL
@@ -4752,7 +4686,7 @@ basename (const char *name)
 
 #if defined (HAVE_DOS_BASED_FILE_SYSTEM)
   /* Skip over the disk name in MSDOS pathnames. */
-  if (isalpha (name[0]) && name[1] == ':')
+  if (isalpha (name[0]) && name[1] == ':') 
     name += 2;
 #endif
 
@@ -4762,7 +4696,7 @@ basename (const char *name)
   return (char *) base;
 }
 
-char *
+char * 
 fnqualify(const char *path)
 {
   size_t size;
@@ -4790,7 +4724,7 @@ fnqualify(const char *path)
 }
 
 char *
-strendzap(char *str, const char *pat)
+strendzap(char *str, const char *pat) 
 {
   size_t len, patlen;
 
@@ -4810,7 +4744,7 @@ strendzap(char *str, const char *pat)
 }
 
 static void
-lt_error_core (int exit_status, const char * mode,
+lt_error_core (int exit_status, const char * mode, 
           const char * message, va_list ap)
 {
   fprintf (stderr, "%s: %s: ", program_name, mode);
@@ -4839,7 +4773,7 @@ EOF
 	  ;;
 	esac
 	$rm $output
-	trap "$rm $output; exit $EXIT_FAILURE" 1 2 15
+	trap "$rm $output; exit 1" 1 2 15
 
 	$echo > $output "\
 #! $SHELL
@@ -4860,7 +4794,7 @@ sed_quote_subst='$sed_quote_subst'
 
 # The HP-UX ksh and POSIX shell print the target directory to stdout
 # if CDPATH is set.
-(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
+if test \"\${CDPATH+set}\" = set; then CDPATH=:; export CDPATH; fi
 
 relink_command=\"$relink_command\"
 
@@ -4939,7 +4873,7 @@ else
       else
 	$echo \"\$relink_command_output\" >&2
 	$rm \"\$progdir/\$file\"
-	exit $EXIT_FAILURE
+	exit 1
       fi
     fi
 
@@ -5001,20 +4935,20 @@ else
 	esac
 	$echo >> $output "\
       \$echo \"\$0: cannot exec \$program \${1+\"\$@\"}\"
-      exit $EXIT_FAILURE
+      exit 1
     fi
   else
     # The program doesn't exist.
     \$echo \"\$0: error: \$progdir/\$program does not exist\" 1>&2
     \$echo \"This script is just a wrapper for \$program.\" 1>&2
     $echo \"See the $PACKAGE documentation for more information.\" 1>&2
-    exit $EXIT_FAILURE
+    exit 1
   fi
 fi\
 "
 	chmod +x $output
       fi
-      exit $EXIT_SUCCESS
+      exit 0
       ;;
     esac
 
@@ -5037,10 +4971,65 @@ fi\
 
       if test -n "$addlibs"; then
 	gentop="$output_objdir/${outputname}x"
+	$show "${rm}r $gentop"
+	$run ${rm}r "$gentop"
+	$show "$mkdir $gentop"
+	$run $mkdir "$gentop"
+	status=$?
+	if test "$status" -ne 0 && test ! -d "$gentop"; then
+	  exit $status
+	fi
 	generated="$generated $gentop"
 
-	func_extract_archives $gentop $addlibs
-	oldobjs="$oldobjs $func_extract_archives_result"
+	# Add in members from convenience archives.
+	for xlib in $addlibs; do
+	  # Extract the objects.
+	  case $xlib in
+	  [\\/]* | [A-Za-z]:[\\/]*) xabs="$xlib" ;;
+	  *) xabs=`pwd`"/$xlib" ;;
+	  esac
+	  xlib=`$echo "X$xlib" | $Xsed -e 's%^.*/%%'`
+	  xdir="$gentop/$xlib"
+
+	  $show "${rm}r $xdir"
+	  $run ${rm}r "$xdir"
+	  $show "$mkdir $xdir"
+	  $run $mkdir "$xdir"
+	  status=$?
+	  if test "$status" -ne 0 && test ! -d "$xdir"; then
+	    exit $status
+	  fi
+	  # We will extract separately just the conflicting names and we will no
+	  # longer touch any unique names. It is faster to leave these extract
+	  # automatically by $AR in one run.
+	  $show "(cd $xdir && $AR x $xabs)"
+	  $run eval "(cd \$xdir && $AR x \$xabs)" || exit $?
+	  if ($AR t "$xabs" | sort | sort -uc >/dev/null 2>&1); then
+	    :
+	  else
+	    $echo "$modename: warning: object name conflicts; renaming object files" 1>&2
+	    $echo "$modename: warning: to ensure that they will not overwrite" 1>&2
+	    $AR t "$xabs" | sort | uniq -cd | while read -r count name
+	    do
+	      i=1
+	      while test "$i" -le "$count"
+	      do
+	       # Put our $i before any first dot (extension)
+	       # Never overwrite any file
+	       name_to="$name"
+	       while test "X$name_to" = "X$name" || test -f "$xdir/$name_to"
+	       do
+		 name_to=`$echo "X$name_to" | $Xsed -e "s/\([^.]*\)/\1-$i/"`
+	       done
+	       $show "(cd $xdir && $AR xN $i $xabs '$name' && $mv '$name' '$name_to')"
+	       $run eval "(cd \$xdir && $AR xN $i \$xabs '$name' && $mv '$name' '$name_to')" || exit $?
+	       i=`expr $i + 1`
+	      done
+	    done
+	  fi
+
+	  oldobjs="$oldobjs "`find $xdir -name \*.${objext} -print -o -name \*.lo -print | $NL2SP`
+	done
       fi
 
       # Do each command in the archive commands.
@@ -5078,7 +5067,7 @@ fi\
 	  for obj in $save_oldobjs
 	  do
 	    last_oldobj=$obj
-	  done
+	  done  
 	  for obj in $save_oldobjs
 	  do
 	    oldobjs="$objlist $obj"
@@ -5092,7 +5081,7 @@ fi\
 	      oldobjs=$objlist
 	      if test "$obj" = "$last_oldobj" ; then
 	        RANLIB=$save_RANLIB
-	      fi
+	      fi  
 	      test -z "$concat_cmds" || concat_cmds=$concat_cmds~
 	      eval concat_cmds=\"\${concat_cmds}$old_archive_cmds\"
 	      objlist=
@@ -5141,13 +5130,11 @@ fi\
 	fi
       done
       # Quote the link command for shipping.
-      relink_command="(cd `pwd`; $SHELL $progpath $preserve_args --mode=relink $libtool_args @inst_prefix_dir@)"
+      relink_command="(cd `pwd`; $SHELL $0 $preserve_args --mode=relink $libtool_args @inst_prefix_dir@)"
       relink_command=`$echo "X$relink_command" | $Xsed -e "$sed_quote_subst"`
       if test "$hardcode_automatic" = yes ; then
-	relink_command=
-      fi
-
-
+        relink_command=
+      fi  
       # Only create the output if not a dry run.
       if test -z "$run"; then
 	for installed in no yes; do
@@ -5165,7 +5152,7 @@ fi\
 		eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $deplib`
 		if test -z "$libdir"; then
 		  $echo "$modename: \`$deplib' is not a valid libtool archive" 1>&2
-		  exit $EXIT_FAILURE
+		  exit 1
 		fi
 		newdependency_libs="$newdependency_libs $libdir/$name"
 		;;
@@ -5179,7 +5166,7 @@ fi\
 	      eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $lib`
 	      if test -z "$libdir"; then
 		$echo "$modename: \`$lib' is not a valid libtool archive" 1>&2
-		exit $EXIT_FAILURE
+		exit 1
 	      fi
 	      newdlfiles="$newdlfiles $libdir/$name"
 	    done
@@ -5190,7 +5177,7 @@ fi\
 	      eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $lib`
 	      if test -z "$libdir"; then
 		$echo "$modename: \`$lib' is not a valid libtool archive" 1>&2
-		exit $EXIT_FAILURE
+		exit 1
 	      fi
 	      newdlprefiles="$newdlprefiles $libdir/$name"
 	    done
@@ -5198,7 +5185,7 @@ fi\
 	  else
 	    newdlfiles=
 	    for lib in $dlfiles; do
-	      case $lib in
+	      case $lib in 
 		[\\/]* | [A-Za-z]:[\\/]*) abs="$lib" ;;
 		*) abs=`pwd`"/$lib" ;;
 	      esac
@@ -5207,7 +5194,7 @@ fi\
 	    dlfiles="$newdlfiles"
 	    newdlprefiles=
 	    for lib in $dlprefiles; do
-	      case $lib in
+	      case $lib in 
 		[\\/]* | [A-Za-z]:[\\/]*) abs="$lib" ;;
 		*) abs=`pwd`"/$lib" ;;
 	      esac
@@ -5270,7 +5257,7 @@ relink_command=\"$relink_command\""
       $run eval '(cd $output_objdir && $rm $outputname && $LN_S ../$outputname $outputname)' || exit $?
       ;;
     esac
-    exit $EXIT_SUCCESS
+    exit 0
     ;;
 
   # libtool install mode
@@ -5359,13 +5346,13 @@ relink_command=\"$relink_command\""
     if test -z "$install_prog"; then
       $echo "$modename: you must specify an install program" 1>&2
       $echo "$help" 1>&2
-      exit $EXIT_FAILURE
+      exit 1
     fi
 
     if test -n "$prev"; then
       $echo "$modename: the \`$prev' option requires an argument" 1>&2
       $echo "$help" 1>&2
-      exit $EXIT_FAILURE
+      exit 1
     fi
 
     if test -z "$files"; then
@@ -5375,7 +5362,7 @@ relink_command=\"$relink_command\""
 	$echo "$modename: you must specify a destination" 1>&2
       fi
       $echo "$help" 1>&2
-      exit $EXIT_FAILURE
+      exit 1
     fi
 
     # Strip any trailing slash from the destination.
@@ -5396,7 +5383,7 @@ relink_command=\"$relink_command\""
       if test "$#" -gt 2; then
 	$echo "$modename: \`$dest' is not a directory" 1>&2
 	$echo "$help" 1>&2
-	exit $EXIT_FAILURE
+	exit 1
       fi
     fi
     case $destdir in
@@ -5408,7 +5395,7 @@ relink_command=\"$relink_command\""
 	*)
 	  $echo "$modename: \`$destdir' must be an absolute directory name" 1>&2
 	  $echo "$help" 1>&2
-	  exit $EXIT_FAILURE
+	  exit 1
 	  ;;
 	esac
       done
@@ -5437,7 +5424,7 @@ relink_command=\"$relink_command\""
 	else
 	  $echo "$modename: \`$file' is not a valid libtool archive" 1>&2
 	  $echo "$help" 1>&2
-	  exit $EXIT_FAILURE
+	  exit 1
 	fi
 
 	library_names=
@@ -5479,7 +5466,7 @@ relink_command=\"$relink_command\""
 	  # but it's something to keep an eye on.
 	  if test "$inst_prefix_dir" = "$destdir"; then
 	    $echo "$modename: error: cannot install \`$file' to a directory not ending in $libdir" 1>&2
-	    exit $EXIT_FAILURE
+	    exit 1
 	  fi
 
 	  if test -n "$inst_prefix_dir"; then
@@ -5494,7 +5481,7 @@ relink_command=\"$relink_command\""
 	  if $run eval "$relink_command"; then :
 	  else
 	    $echo "$modename: error: relink \`$file' with the above command before installing it" 1>&2
-	    exit $EXIT_FAILURE
+	    exit 1
 	  fi
 	fi
 
@@ -5573,7 +5560,7 @@ relink_command=\"$relink_command\""
 	*)
 	  $echo "$modename: cannot copy a libtool object to \`$destfile'" 1>&2
 	  $echo "$help" 1>&2
-	  exit $EXIT_FAILURE
+	  exit 1
 	  ;;
 	esac
 
@@ -5591,7 +5578,7 @@ relink_command=\"$relink_command\""
 	  $show "$install_prog $staticobj $staticdest"
 	  $run eval "$install_prog \$staticobj \$staticdest" || exit $?
 	fi
-	exit $EXIT_SUCCESS
+	exit 0
 	;;
 
       *)
@@ -5645,7 +5632,7 @@ relink_command=\"$relink_command\""
 	  # Check the variables that should have been set.
 	  if test -z "$notinst_deplibs"; then
 	    $echo "$modename: invalid libtool wrapper script \`$wrapper'" 1>&2
-	    exit $EXIT_FAILURE
+	    exit 1
 	  fi
 
 	  finalize=yes
@@ -5686,12 +5673,8 @@ relink_command=\"$relink_command\""
 	      tmpdir="/tmp"
 	      test -n "$TMPDIR" && tmpdir="$TMPDIR"
 	      tmpdir="$tmpdir/libtool-$$"
-	      save_umask=`umask`
-	      umask 0077
-	      if $mkdir "$tmpdir"; then
-	        umask $save_umask
+	      if $mkdir "$tmpdir" && chmod 700 "$tmpdir"; then :
 	      else
-	        umask $save_umask
 		$echo "$modename: error: cannot create temporary directory \`$tmpdir'" 1>&2
 		continue
 	      fi
@@ -5774,9 +5757,9 @@ relink_command=\"$relink_command\""
     if test -n "$current_libdirs"; then
       # Maybe just do a dry run.
       test -n "$run" && current_libdirs=" -n$current_libdirs"
-      exec_cmd='$SHELL $progpath $preserve_args --finish$current_libdirs'
+      exec_cmd='$SHELL $0 $preserve_args --finish$current_libdirs'
     else
-      exit $EXIT_SUCCESS
+      exit 0
     fi
     ;;
 
@@ -5816,7 +5799,7 @@ relink_command=\"$relink_command\""
     fi
 
     # Exit here if they wanted silent mode.
-    test "$show" = : && exit $EXIT_SUCCESS
+    test "$show" = : && exit 0
 
     $echo "----------------------------------------------------------------------"
     $echo "Libraries have been installed in:"
@@ -5852,7 +5835,7 @@ relink_command=\"$relink_command\""
     $echo "See any operating system documentation about shared libraries for"
     $echo "more information, such as the ld(1) and ld.so(8) manual pages."
     $echo "----------------------------------------------------------------------"
-    exit $EXIT_SUCCESS
+    exit 0
     ;;
 
   # libtool execute mode
@@ -5864,7 +5847,7 @@ relink_command=\"$relink_command\""
     if test -z "$cmd"; then
       $echo "$modename: you must specify a COMMAND" 1>&2
       $echo "$help"
-      exit $EXIT_FAILURE
+      exit 1
     fi
 
     # Handle -dlopen flags immediately.
@@ -5872,7 +5855,7 @@ relink_command=\"$relink_command\""
       if test ! -f "$file"; then
 	$echo "$modename: \`$file' is not a file" 1>&2
 	$echo "$help" 1>&2
-	exit $EXIT_FAILURE
+	exit 1
       fi
 
       dir=
@@ -5883,7 +5866,7 @@ relink_command=\"$relink_command\""
 	else
 	  $echo "$modename: \`$lib' is not a valid libtool archive" 1>&2
 	  $echo "$help" 1>&2
-	  exit $EXIT_FAILURE
+	  exit 1
 	fi
 
 	# Read the libtool library.
@@ -5910,7 +5893,7 @@ relink_command=\"$relink_command\""
 	  dir="$dir/$objdir"
 	else
 	  $echo "$modename: cannot find \`$dlname' in \`$dir' or \`$dir/$objdir'" 1>&2
-	  exit $EXIT_FAILURE
+	  exit 1
 	fi
 	;;
 
@@ -5990,7 +5973,7 @@ relink_command=\"$relink_command\""
 	$echo "export $shlibpath_var"
       fi
       $echo "$cmd$args"
-      exit $EXIT_SUCCESS
+      exit 0
     fi
     ;;
 
@@ -6018,7 +6001,7 @@ relink_command=\"$relink_command\""
     if test -z "$rm"; then
       $echo "$modename: you must specify an RM program" 1>&2
       $echo "$help" 1>&2
-      exit $EXIT_FAILURE
+      exit 1
     fi
 
     rmdirs=
@@ -6132,7 +6115,7 @@ relink_command=\"$relink_command\""
 	if test "$mode" = clean ; then
 	  noexename=$name
 	  case $file in
-	  *.exe)
+	  *.exe) 
 	    file=`$echo $file|${SED} 's,.exe$,,'`
 	    noexename=`$echo $name|${SED} 's,.exe$,,'`
 	    # $file with .exe has already been added to rmfiles,
@@ -6177,20 +6160,20 @@ relink_command=\"$relink_command\""
   "")
     $echo "$modename: you must specify a MODE" 1>&2
     $echo "$generic_help" 1>&2
-    exit $EXIT_FAILURE
+    exit 1
     ;;
   esac
 
   if test -z "$exec_cmd"; then
     $echo "$modename: invalid operation mode \`$mode'" 1>&2
     $echo "$generic_help" 1>&2
-    exit $EXIT_FAILURE
+    exit 1
   fi
 fi # test -z "$show_help"
 
 if test -n "$exec_cmd"; then
   eval exec $exec_cmd
-  exit $EXIT_FAILURE
+  exit 1
 fi
 
 # We need to display help for each of the modes.
@@ -6226,7 +6209,7 @@ MODE-ARGS vary depending on the MODE.  Try \`$modename --help --mode=MODE' for
 a more detailed description of MODE.
 
 Report bugs to <bug-libtool@gnu.org>."
-  exit $EXIT_SUCCESS
+  exit 0
   ;;
 
 clean)
@@ -6381,14 +6364,14 @@ Otherwise, only FILE itself is deleted using RM."
 *)
   $echo "$modename: invalid operation mode \`$mode'" 1>&2
   $echo "$help" 1>&2
-  exit $EXIT_FAILURE
+  exit 1
   ;;
 esac
 
 $echo
 $echo "Try \`$modename --help' for more information about other modes."
 
-exit $EXIT_SUCCESS
+exit 0
 
 # The TAGs below are defined such that we never get into a situation
 # in which we disable both kinds of libraries.  Given conflicting
diff --git a/make/Makefile.in b/make/Makefile.in
index 65c3a32b..73efb1f7 100644
--- a/make/Makefile.in
+++ b/make/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.13.2.1 2004/03/09 06:12:46 marka Exp $
+# $Id: Makefile.in,v 1.13.206.1 2004/03/06 13:16:21 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/make/includes.in b/make/includes.in
index e14ca1de..8d170a42 100644
--- a/make/includes.in
+++ b/make/includes.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: includes.in,v 1.15.2.2 2004/12/09 03:18:36 marka Exp $
+# $Id: includes.in,v 1.15.12.3 2004/03/08 09:05:14 marka Exp $
 
 # Search for machine-generated header files in the build tree,
 # and for normal headers in the source tree (${top_srcdir}).
@@ -34,11 +34,15 @@ ISCCFG_INCLUDES = @BIND9_ISCCFG_BUILDINCLUDE@ \
        -I${top_srcdir}/lib/isccfg/include
 
 DNS_INCLUDES = @BIND9_DNS_BUILDINCLUDE@ \
-	-I${top_srcdir}/lib/dns/include
+	-I${top_srcdir}/lib/dns/include \
+	-I${top_srcdir}/lib/dns/sec/dst/include
 
 LWRES_INCLUDES = @BIND9_LWRES_BUILDINCLUDE@ \
 	-I${top_srcdir}/lib/lwres/unix/include \
 	-I${top_srcdir}/lib/lwres/include
 
+BIND9_INCLUDES = @BIND9_BIND9_BUILDINCLUDE@ \
+	-I${top_srcdir}/lib/bind9/include
+
 TEST_INCLUDES = \
 	-I${top_srcdir}/lib/tests/include
diff --git a/make/rules.in b/make/rules.in
index abb41039..00cfa615 100644
--- a/make/rules.in
+++ b/make/rules.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1998-2003  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: rules.in,v 1.40.2.17 2007/01/29 23:57:17 marka Exp $
+# $Id: rules.in,v 1.40.2.5.4.3 2004/03/06 13:16:21 marka Exp $
 
 ###
 ### Common Makefile rules for BIND 9.
@@ -87,7 +87,6 @@ install clean distclean maintainer-clean doc docclean man manclean::
 ###	CC
 ### Makefile may define
 ###	CFLAGS
-###	LDFLAGS
 ###	CINCLUDES
 ###	CDEFINES
 ###	CWARNINGS
@@ -96,17 +95,10 @@ install clean distclean maintainer-clean doc docclean man manclean::
 
 CC = 		@CC@
 CFLAGS =	@CFLAGS@
-LDFLAGS =	@LDFLAGS@
 STD_CINCLUDES =	@STD_CINCLUDES@
 STD_CDEFINES =	@STD_CDEFINES@
 STD_CWARNINGS =	@STD_CWARNINGS@
 
-BUILD_CC = @BUILD_CC@
-BUILD_CFLAGS = @BUILD_CFLAGS@
-BUILD_CPPFLAGS = @BUILD_CPPFLAGS@
-BUILD_LDFAGS = @BUILD_LDFAGS@
-BUILD_LIBS = @BUILD_LIBS@
-
 .SUFFIXES:
 .SUFFIXES: .c .@O@
 
@@ -118,7 +110,8 @@ ALL_CPPFLAGS = \
 	${ALWAYS_INCLUDES} ${CINCLUDES} ${STD_CINCLUDES} \
 	${ALWAYS_DEFINES} ${CDEFINES} ${STD_CDEFINES}
 
-ALL_CFLAGS = ${EXT_CFLAGS} ${ALL_CPPFLAGS} ${CFLAGS} \
+ALL_CFLAGS = ${EXT_CFLAGS} ${CFLAGS} \
+	${ALL_CPPFLAGS} \
 	${ALWAYS_WARNINGS} ${STD_CWARNINGS} ${CWARNINGS}
 
 .c.@O@:
@@ -137,7 +130,7 @@ cleandir: distclean
 superclean: maintainer-clean
 
 clean distclean maintainer-clean::
-	rm -f *.@O@ *.o *.lo *.la core *.core .depend
+	rm -f *.@O@ *.lo *.la core *.core .depend
 	rm -rf .libs
 
 distclean maintainer-clean::
@@ -186,45 +179,48 @@ INSTALL_SCRIPT =	@INSTALL_SCRIPT@
 INSTALL_DATA =		@INSTALL_DATA@
 
 ###
-### Programs used when generating documentation.  It's ok for these
-### not to exist when not generating documentation.
-###
-
-XSLTPROC =		@XSLTPROC@ --novalid --xinclude --nonet
-PERL =			@PERL@
-LATEX =			@LATEX@
-PDFLATEX =		@PDFLATEX@
-
-###
 ### DocBook -> HTML
 ### DocBook -> man page
 ###
 
 .SUFFIXES: .docbook .html .1 .2 .3 .4 .5 .6 .7 .8
 
+OPENJADE = @OPENJADE@
+SGMLCATALOG = @SGMLCATALOG@
+HTMLSTYLE = @HTMLSTYLE@
+XMLDCL = @XMLDCL@
+DOCBOOK2MANSPEC = @DOCBOOK2MANSPEC@
+JADETEX = @JADETEX@
+PDFJADETEX = @PDFJADETEX@
+
+ONSGMLS = onsgmls
+SGMLSPL = sgmlspl
+
+#
+# Note: this rule assumes the docbook.dsl stylesheet
+# is being used.  If another stylesheet is used, the
+# filename 'r1.htm' in the rule might have to be
+# be changed.
+#
 .docbook.html:
-	${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-docbook-html.xsl $<
+	${OPENJADE} -c ${SGMLCATALOG} -t sgml -d ${HTMLSTYLE} $<
+	echo "" >> r1.htm
+	cat ${top_srcdir}/docutil/HTML_COPYRIGHT r1.htm > $@
+	rm -f r1.htm
 
 .docbook.1:
-	${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-manpage.xsl $<
-
+	sh ${top_srcdir}/docutil/docbook2man-wrapper.sh ${top_srcdir} $< $@
 .docbook.2:
-	${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-manpage.xsl $<
-
+	sh ${top_srcdir}/docutil/docbook2man-wrapper.sh ${top_srcdir} $< $@
 .docbook.3:
-	${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-manpage.xsl $<
-
+	sh ${top_srcdir}/docutil/docbook2man-wrapper.sh ${top_srcdir} $< $@
 .docbook.4:
-	${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-manpage.xsl $<
-
+	sh ${top_srcdir}/docutil/docbook2man-wrapper.sh ${top_srcdir} $< $@
 .docbook.5:
-	${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-manpage.xsl $<
-
+	sh ${top_srcdir}/docutil/docbook2man-wrapper.sh ${top_srcdir} $< $@
 .docbook.6:
-	${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-manpage.xsl $<
-
+	sh ${top_srcdir}/docutil/docbook2man-wrapper.sh ${top_srcdir} $< $@
 .docbook.7:
-	${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-manpage.xsl $<
-
+	sh ${top_srcdir}/docutil/docbook2man-wrapper.sh ${top_srcdir} $< $@
 .docbook.8:
-	${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-manpage.xsl $<
+	sh ${top_srcdir}/docutil/docbook2man-wrapper.sh ${top_srcdir} $< $@
diff --git a/mkinstalldirs b/mkinstalldirs
index 4992567c..4992567c 100755..100644
--- a/mkinstalldirs
+++ b/mkinstalldirs
diff --git a/version b/version
index b2fd4c53..0e9f7a9c 100644
--- a/version
+++ b/version
@@ -1,10 +1,10 @@
-# $Id: version,v 1.26.2.49 2007/08/06 01:43:11 marka Exp $
+# $Id: version,v 1.26.2.17.2.3 2004/04/13 03:22:31 marka Exp $
 #
 # This file must follow /bin/sh rules.  It is imported directly via
 # configure.
 #
 MAJORVER=9
-MINORVER=2
-PATCHVER=9
-RELEASETYPE=b
-RELEASEVER=1
+MINORVER=3
+PATCHVER=0
+RELEASETYPE=beta
+RELEASEVER=2
diff --git a/win32utils/BINDBuild.dsw b/win32utils/BINDBuild.dsw
index 165855f9..b3a9e15e 100644
--- a/win32utils/BINDBuild.dsw
+++ b/win32utils/BINDBuild.dsw
@@ -1,434 +1,392 @@
-Microsoft Developer Studio Workspace File, Format Version 6.00

-# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!

-

-###############################################################################

-

-Project: "BINDInstall"="..\bin\win32\BINDInstall\BINDInstall.dsp" - Package Owner=<4>

-

-Package=<5>

-{{{

-}}}

-

-Package=<4>

-{{{

-}}}

-

-###############################################################################

-

-Project: "bindevt"="..\lib\win32\bindevt\bindevt.dsp" - Package Owner=<4>

-

-Package=<5>

-{{{

-}}}

-

-Package=<4>

-{{{

-}}}

-

-###############################################################################

-

-Project: "dig"="..\bin\dig\win32\dig.dsp" - Package Owner=<4>

-

-Package=<5>

-{{{

-}}}

-

-Package=<4>

-{{{

-    Begin Project Dependency

-    Project_Dep_Name libdns

-    End Project Dependency

-    Begin Project Dependency

-    Project_Dep_Name libisc

-    End Project Dependency

-    Begin Project Dependency

-    Project_Dep_Name dighost

-    End Project Dependency

-}}}

-

-###############################################################################

-

-Project: "dighost"="..\bin\dig\win32\dighost.dsp" - Package Owner=<4>

-

-Package=<5>

-{{{

-}}}

-

-Package=<4>

-{{{

-}}}

-

-###############################################################################

-

-Project: "host"="..\bin\dig\win32\host.dsp" - Package Owner=<4>

-

-Package=<5>

-{{{

-}}}

-

-Package=<4>

-{{{

-    Begin Project Dependency

-    Project_Dep_Name libdns

-    End Project Dependency

-    Begin Project Dependency

-    Project_Dep_Name libisc

-    End Project Dependency

-    Begin Project Dependency

-    Project_Dep_Name dighost

-    End Project Dependency

-}}}

-

-###############################################################################

-

-Project: "keygen"="..\bin\dnssec\win32\keygen.dsp" - Package Owner=<4>

-

-Package=<5>

-{{{

-}}}

-

-Package=<4>

-{{{

-    Begin Project Dependency

-    Project_Dep_Name libdns

-    End Project Dependency

-    Begin Project Dependency

-    Project_Dep_Name libisc

-    End Project Dependency

-    Begin Project Dependency

-    Project_Dep_Name dnssectool

-    End Project Dependency

-}}}

-

-###############################################################################

-

-Project: "libdns"="..\lib\dns\win32\libdns.dsp" - Package Owner=<4>

-

-Package=<5>

-{{{

-}}}

-

-Package=<4>

-{{{

-    Begin Project Dependency

-    Project_Dep_Name libisc

-    End Project Dependency

-}}}

-

-###############################################################################

-

-Project: "libisc"="..\lib\isc\win32\libisc.dsp" - Package Owner=<4>

-

-Package=<5>

-{{{

-}}}

-

-Package=<4>

-{{{

-}}}

-

-###############################################################################

-

-Project: "libisccc"="..\lib\isccc\win32\libisccc.dsp" - Package Owner=<4>

-

-Package=<5>

-{{{

-}}}

-

-Package=<4>

-{{{

-    Begin Project Dependency

-    Project_Dep_Name libisc

-    End Project Dependency

-}}}

-

-###############################################################################

-

-Project: "libisccfg"="..\lib\isccfg\win32\libisccfg.dsp" - Package Owner=<4>

-

-Package=<5>

-{{{

-}}}

-

-Package=<4>

-{{{

-    Begin Project Dependency

-    Project_Dep_Name libisc

-    End Project Dependency

-    Begin Project Dependency

-    Project_Dep_Name libdns

-    End Project Dependency

-}}}

-

-###############################################################################

-

-Project: "liblwres"="..\lib\lwres\win32\liblwres.dsp" - Package Owner=<4>

-

-Package=<5>

-{{{

-}}}

-

-Package=<4>

-{{{

-}}}

-

-###############################################################################

-

-Project: "makekeyset"="..\bin\dnssec\win32\makekeyset.dsp" - Package Owner=<4>

-

-Package=<5>

-{{{

-}}}

-

-Package=<4>

-{{{

-    Begin Project Dependency

-    Project_Dep_Name libdns

-    End Project Dependency

-    Begin Project Dependency

-    Project_Dep_Name libisc

-    End Project Dependency

-    Begin Project Dependency

-    Project_Dep_Name dnssectool

-    End Project Dependency

-}}}

-

-###############################################################################

-

-Project: "named"="..\bin\named\win32\named.dsp" - Package Owner=<4>

-

-Package=<5>

-{{{

-}}}

-

-Package=<4>

-{{{

-    Begin Project Dependency

-    Project_Dep_Name libdns

-    End Project Dependency

-    Begin Project Dependency

-    Project_Dep_Name libisc

-    End Project Dependency

-    Begin Project Dependency

-    Project_Dep_Name libisccc

-    End Project Dependency

-    Begin Project Dependency

-    Project_Dep_Name libisccfg

-    End Project Dependency

-    Begin Project Dependency

-    Project_Dep_Name liblwres

-    End Project Dependency

-}}}

-

-###############################################################################

-

-Project: "namedcheckconf"="..\bin\check\win32\namedcheckconf.dsp" - Package Owner=<4>

-

-Package=<5>

-{{{

-}}}

-

-Package=<4>

-{{{

-    Begin Project Dependency

-    Project_Dep_Name libisc

-    End Project Dependency

-    Begin Project Dependency

-    Project_Dep_Name libisccfg

-    End Project Dependency

-    Begin Project Dependency

-    Project_Dep_Name checktool

-    End Project Dependency

-}}}

-

-###############################################################################

-

-Project: "namedcheckzone"="..\bin\check\win32\namedcheckzone.dsp" - Package Owner=<4>

-

-Package=<5>

-{{{

-}}}

-

-Package=<4>

-{{{

-    Begin Project Dependency

-    Project_Dep_Name libdns

-    End Project Dependency

-    Begin Project Dependency

-    Project_Dep_Name libisc

-    End Project Dependency

-    Begin Project Dependency

-    Project_Dep_Name checktool

-    End Project Dependency

-}}}

-

-###############################################################################

-

-Project: "nslookup"="..\bin\dig\win32\nslookup.dsp" - Package Owner=<4>

-

-Package=<5>

-{{{

-}}}

-

-Package=<4>

-{{{

-    Begin Project Dependency

-    Project_Dep_Name libdns

-    End Project Dependency

-    Begin Project Dependency

-    Project_Dep_Name libisc

-    End Project Dependency

-    Begin Project Dependency

-    Project_Dep_Name dighost

-    End Project Dependency

-}}}

-

-###############################################################################

-

-Project: "nsupdate"="..\bin\nsupdate\win32\nsupdate.dsp" - Package Owner=<4>

-

-Package=<5>

-{{{

-}}}

-

-Package=<4>

-{{{

-    Begin Project Dependency

-    Project_Dep_Name libdns

-    End Project Dependency

-    Begin Project Dependency

-    Project_Dep_Name libisc

-    End Project Dependency

-}}}

-

-###############################################################################

-

-Project: "rndc"="..\bin\rndc\win32\rndc.dsp" - Package Owner=<4>

-

-Package=<5>

-{{{

-}}}

-

-Package=<4>

-{{{

-    Begin Project Dependency

-    Project_Dep_Name libisc

-    End Project Dependency

-    Begin Project Dependency

-    Project_Dep_Name libisccc

-    End Project Dependency

-    Begin Project Dependency

-    Project_Dep_Name libisccfg

-    End Project Dependency

-    Begin Project Dependency

-    Project_Dep_Name rndcutil

-    End Project Dependency

-}}}

-

-###############################################################################

-

-Project: "rndcconfgen"="..\bin\rndc\win32\confgen.dsp" - Package Owner=<4>

-

-Package=<5>

-{{{

-}}}

-

-Package=<4>

-{{{

-    Begin Project Dependency

-    Project_Dep_Name rndcutil

-    End Project Dependency

-}}}

-

-###############################################################################

-

-Project: "signkey"="..\bin\dnssec\win32\signkey.dsp" - Package Owner=<4>

-

-Package=<5>

-{{{

-}}}

-

-Package=<4>

-{{{

-    Begin Project Dependency

-    Project_Dep_Name libdns

-    End Project Dependency

-    Begin Project Dependency

-    Project_Dep_Name libisc

-    End Project Dependency

-    Begin Project Dependency

-    Project_Dep_Name dnssectool

-    End Project Dependency

-}}}

-

-###############################################################################

-

-Project: "signzone"="..\bin\dnssec\win32\signzone.dsp" - Package Owner=<4>

-

-Package=<5>

-{{{

-}}}

-

-Package=<4>

-{{{

-    Begin Project Dependency

-    Project_Dep_Name libdns

-    End Project Dependency

-    Begin Project Dependency

-    Project_Dep_Name libisc

-    End Project Dependency

-    Begin Project Dependency

-    Project_Dep_Name dnssectool

-    End Project Dependency

-}}}

-

-###############################################################################

-

-Project: "dnssectool"="..\bin\dnssec\win32\dnssectool.dsp" - Package Owner=<4>

-

-Package=<5>

-{{{

-}}}

-

-Package=<4>

-{{{

-}}}

-

-###############################################################################

-

-Project: "rndcutil"="..\bin\rndc\win32\rndcutil.dsp" - Package Owner=<4>

-

-Package=<5>

-{{{

-}}}

-

-Package=<4>

-{{{

-}}}

-

-###############################################################################

-

-Project: "checktool"="..\bin\check\win32\checktool.dsp" - Package Owner=<4>

-

-Package=<5>

-{{{

-}}}

-

-Package=<4>

-{{{

-}}}

-

-###############################################################################

-

-Global:

-

-Package=<5>

-{{{

-}}}

-

-Package=<3>

-{{{

-}}}

-

-###############################################################################

-

+Microsoft Developer Studio Workspace File, Format Version 6.00
+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!
+
+###############################################################################
+
+Project: "BINDInstall"="..\bin\win32\BINDInstall\BINDInstall.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+}}}
+
+###############################################################################
+
+Project: "bindevt"="..\lib\win32\bindevt\bindevt.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+}}}
+
+###############################################################################
+
+Project: "dig"="..\bin\dig\win32\dig.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+    Begin Project Dependency
+    Project_Dep_Name libdns
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name libisc
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name libbind9
+    End Project Dependency
+}}}
+
+###############################################################################
+
+Project: "host"="..\bin\dig\win32\host.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+    Begin Project Dependency
+    Project_Dep_Name libdns
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name libisc
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name libbind9
+    End Project Dependency
+}}}
+
+###############################################################################
+
+Project: "keygen"="..\bin\dnssec\win32\keygen.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+    Begin Project Dependency
+    Project_Dep_Name libdns
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name libisc
+    End Project Dependency
+}}}
+
+###############################################################################
+
+Project: "libbind9"="..\lib\bind9\win32\libbind9.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+    Begin Project Dependency
+    Project_Dep_Name libdns
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name libisc
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name libisccfg
+    End Project Dependency
+}}}
+
+###############################################################################
+
+Project: "libdns"="..\lib\dns\win32\libdns.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+    Begin Project Dependency
+    Project_Dep_Name libisc
+    End Project Dependency
+}}}
+
+###############################################################################
+
+Project: "libisc"="..\lib\isc\win32\libisc.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+}}}
+
+###############################################################################
+
+Project: "libisccc"="..\lib\isccc\win32\libisccc.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+    Begin Project Dependency
+    Project_Dep_Name libisc
+    End Project Dependency
+}}}
+
+###############################################################################
+
+Project: "libisccfg"="..\lib\isccfg\win32\libisccfg.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+    Begin Project Dependency
+    Project_Dep_Name libisc
+    End Project Dependency
+}}}
+
+###############################################################################
+
+Project: "liblwres"="..\lib\lwres\win32\liblwres.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+}}}
+
+###############################################################################
+
+Project: "makekeyset"="..\bin\dnssec\win32\makekeyset.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+    Begin Project Dependency
+    Project_Dep_Name libdns
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name libisc
+    End Project Dependency
+}}}
+
+###############################################################################
+
+Project: "named"="..\bin\named\win32\named.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+    Begin Project Dependency
+    Project_Dep_Name libdns
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name libisc
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name libisccc
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name libisccfg
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name liblwres
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name libbind9
+    End Project Dependency
+}}}
+
+###############################################################################
+
+Project: "namedcheckconf"="..\bin\check\win32\namedcheckconf.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+    Begin Project Dependency
+    Project_Dep_Name libisc
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name libisccfg
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name libdns
+    End Project Dependency
+}}}
+
+###############################################################################
+
+Project: "namedcheckzone"="..\bin\check\win32\namedcheckzone.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+    Begin Project Dependency
+    Project_Dep_Name libdns
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name libisc
+    End Project Dependency
+}}}
+
+###############################################################################
+
+Project: "nslookup"="..\bin\dig\win32\nslookup.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+    Begin Project Dependency
+    Project_Dep_Name libdns
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name libisc
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name libbind9
+    End Project Dependency
+}}}
+
+###############################################################################
+
+Project: "nsupdate"="..\bin\nsupdate\win32\nsupdate.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+    Begin Project Dependency
+    Project_Dep_Name libdns
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name libisc
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name libbind9
+    End Project Dependency
+}}}
+
+###############################################################################
+
+Project: "rndc"="..\bin\rndc\win32\rndc.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+    Begin Project Dependency
+    Project_Dep_Name libisc
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name libisccc
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name libisccfg
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name libbind9
+    End Project Dependency
+}}}
+
+###############################################################################
+
+Project: "rndcconfgen"="..\bin\rndc\win32\confgen.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+}}}
+
+###############################################################################
+
+Project: "signkey"="..\bin\dnssec\win32\signkey.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+    Begin Project Dependency
+    Project_Dep_Name libdns
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name libisc
+    End Project Dependency
+}}}
+
+###############################################################################
+
+Project: "signzone"="..\bin\dnssec\win32\signzone.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+    Begin Project Dependency
+    Project_Dep_Name libdns
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name libisc
+    End Project Dependency
+}}}
+
+###############################################################################
+
+Global:
+
+Package=<5>
+{{{
+}}}
+
+Package=<3>
+{{{
+}}}
+
+###############################################################################
+
diff --git a/win32utils/BuildAll.bat b/win32utils/BuildAll.bat
index 5d7ef04e..22222ad7 100644
--- a/win32utils/BuildAll.bat
+++ b/win32utils/BuildAll.bat
@@ -1,117 +1,126 @@
-echo off

-rem

-rem Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")

-rem Copyright (C) 2001,2003  Internet Software Consortium.

-rem

-rem Permission to use, copy, modify, and distribute this software for any

-rem purpose with or without fee is hereby granted, provided that the above

-rem copyright notice and this permission notice appear in all copies.

-rem

-rem THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH

-rem REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY

-rem AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,

-rem INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM

-rem LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE

-rem OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR

-rem PERFORMANCE OF THIS SOFTWARE.

-

-rem BuildAll.bat

-rem This script sets up the files necessary ready to build BIND 9

-rem and then builds all of the binaries that make up the installation kit.

-rem This requires perl to be installed on the system.

-

-rem IMPORTANT NOTE:

-rem OpenSSL is a prerequisite for building and running this release of

-rem BIND 9. You must fetch the OpenSSL sources yourself from

-rem http://www.OpenSSL.org/ and compile it yourself.  The code must reside

-rem at the same level as the bind 9.2.0 source tree and it's top-level

-rem directory be named openssl-0.9.6k. This restriction will be lifted in

-rem a future release of BIND 9 for Windows NT/2000/XP.

-

-echo Setting up the BIND files required for the build

-

-rem Setup the files

-call BuildSetup.bat

-

-echo Build all of the Library files

-

-cd ..\lib

-

-cd isc\win32

-nmake /nologo -f libisc.mak CFG="libisc - Win32 Release"  NO_EXTERNAL_DEPS="1"

-cd ..\..

-

-cd dns\win32

-nmake /nologo -f libdns.mak CFG="libdns - Win32 Release"  NO_EXTERNAL_DEPS="1"

-cd ..\..

-

-cd isccfg\win32

-nmake /nologo -f libisccfg.mak CFG="libisccfg - Win32 Release"  NO_EXTERNAL_DEPS="1"

-cd ..\..

-

-cd isccc\win32

-nmake /nologo -f libisccc.mak CFG="libisccc - Win32 Release"  NO_EXTERNAL_DEPS="1"

-cd ..\..

-

-cd lwres\win32

-nmake /nologo -f liblwres.mak CFG="liblwres - Win32 Release"  NO_EXTERNAL_DEPS="1"

-cd ..\..

-

-rem This is the DLL required for the event Viewer

-

-cd win32\bindevt

-nmake /nologo -f bindevt.mak CFG="bindevt - Win32 Release"  NO_EXTERNAL_DEPS="1"

-cd ..\..

-

-cd ..

-

-echo Now build the apps

-

-cd bin

-

-cd named\win32

-nmake /nologo -f named.mak CFG="named - Win32 Release"  NO_EXTERNAL_DEPS="1"

-

-cd ..\..

-

-cd rndc\win32

-nmake /nologo -f rndc.mak CFG="rndc - Win32 Release"  NO_EXTERNAL_DEPS="1"

-nmake /nologo -f confgen.mak CFG="rndcconfgen - Win32 Release"  NO_EXTERNAL_DEPS="1"

-

-cd ..\..

-

-cd dig\win32

-nmake /nologo -f dig.mak CFG="dig - Win32 Release"  NO_EXTERNAL_DEPS="1"

-nmake /nologo /nologo -f host.mak CFG="host - Win32 Release"  NO_EXTERNAL_DEPS="1"

-nmake /nologo -f nslookup.mak CFG="nslookup - Win32 Release"  NO_EXTERNAL_DEPS="1"

-cd ..\..

-

-cd nsupdate\win32

-nmake /nologo -f nsupdate.mak CFG="nsupdate - Win32 Release"  NO_EXTERNAL_DEPS="1"

-cd ..\..

-

-cd check\win32

-nmake /nologo -f namedcheckconf.mak CFG="namedcheckconf - Win32 Release"  NO_EXTERNAL_DEPS="1"

-nmake /nologo -f namedcheckzone.mak CFG="namedcheckzone - Win32 Release"  NO_EXTERNAL_DEPS="1"

-cd ..\..

-

-cd dnssec\win32

-nmake /nologo -f keygen.mak CFG="keygen - Win32 Release"  NO_EXTERNAL_DEPS="1"

-nmake /nologo -f makekeyset.mak CFG="makekeyset - Win32 Release"  NO_EXTERNAL_DEPS="1"

-nmake /nologo -f signkey.mak CFG="signkey - Win32 Release"  NO_EXTERNAL_DEPS="1"

-nmake /nologo -f signzone.mak CFG="signzone - Win32 Release"  NO_EXTERNAL_DEPS="1"

-cd ..\..

-

-rem This is the BIND 9 Installer

-

-cd win32\BINDInstall

-nmake /nologo -f BINDInstall.mak CFG="BINDInstall - Win32 Release"  NO_EXTERNAL_DEPS="1"

-cd ..\..

-

-cd ..

-

-cd win32utils

-

-echo Done.

-

-rem exit here.

+echo off
+rem
+rem Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+rem Copyright (C) 2001-2002  Internet Software Consortium.
+rem
+rem Permission to use, copy, modify, and distribute this software for any
+rem purpose with or without fee is hereby granted, provided that the above
+rem copyright notice and this permission notice appear in all copies.
+rem 
+rem THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+rem REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+rem AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+rem INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+rem LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+rem OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+rem PERFORMANCE OF THIS SOFTWARE.
+
+rem BuildAll.bat
+rem This script sets up the files necessary ready to build BIND 9
+rem and then builds all of the binaries that make up the installation kit.
+rem This requires perl to be installed on the system.
+
+rem IMPORTANT NOTE:
+rem OpenSSL is a prerequisite for building and running this release of
+rem BIND 9. You must fetch the OpenSSL sources yourself from
+rem http://www.OpenSSL.org/ and compile it yourself.  The code must reside
+rem at the same level as the bind 9.2.0 source tree and it's top-level
+rem directory be named openssl-0.9.6k. This restriction will be lifted in
+rem a future release of BIND 9 for Windows NT/2000/XP.
+
+echo Setting up the BIND files required for the build
+
+call BuildSetup.bat
+
+echo Build all of the Library files
+
+cd ..\lib
+
+cd isc\win32
+nmake /nologo -f libisc.mak CFG="libisc - Win32 Release"  NO_EXTERNAL_DEPS="1"
+cd ..\..
+
+cd dns\win32
+nmake /nologo -f libdns.mak CFG="libdns - Win32 Release"  NO_EXTERNAL_DEPS="1"
+cd ..\..
+
+cd isccfg\win32
+nmake /nologo -f libisccfg.mak CFG="libisccfg - Win32 Release"  NO_EXTERNAL_DEPS="1"
+cd ..\..
+
+cd isccc\win32
+nmake /nologo -f libisccc.mak CFG="libisccc - Win32 Release"  NO_EXTERNAL_DEPS="1"
+cd ..\..
+
+cd bind9\win32
+nmake /nologo -f libbind9.mak CFG="libbind9 - Win32 Release"  NO_EXTERNAL_DEPS="1"
+cd ..\..
+
+cd lwres\win32
+nmake /nologo -f liblwres.mak CFG="liblwres - Win32 Release"  NO_EXTERNAL_DEPS="1"
+cd ..\..
+
+rem This is the DLL required for the event Viewer
+
+cd win32\bindevt
+nmake /nologo -f bindevt.mak CFG="bindevt - Win32 Release"  NO_EXTERNAL_DEPS="1"
+cd ..\..
+
+cd ..
+
+echo Now build the apps
+
+cd bin
+
+cd named\win32
+nmake /nologo -f named.mak CFG="named - Win32 Release"  NO_EXTERNAL_DEPS="1"
+
+copy ..\named.html ..\..\..\Build\Release
+cd ..\..
+
+cd rndc\win32
+nmake /nologo -f rndc.mak CFG="rndc - Win32 Release"  NO_EXTERNAL_DEPS="1"
+nmake /nologo -f confgen.mak CFG="rndcconfgen - Win32 Release"  NO_EXTERNAL_DEPS="1"
+
+copy ..\*.html ..\..\..\Build\Release
+cd ..\..
+
+cd dig\win32
+nmake /nologo -f dig.mak CFG="dig - Win32 Release"  NO_EXTERNAL_DEPS="1"
+nmake /nologo /nologo -f host.mak CFG="host - Win32 Release"  NO_EXTERNAL_DEPS="1"
+nmake /nologo -f nslookup.mak CFG="nslookup - Win32 Release"  NO_EXTERNAL_DEPS="1"
+copy ..\*.html ..\..\..\Build\Release
+cd ..\..
+
+cd nsupdate\win32
+nmake /nologo -f nsupdate.mak CFG="nsupdate - Win32 Release"  NO_EXTERNAL_DEPS="1"
+copy ..\*.html ..\..\..\Build\Release
+cd ..\..
+
+cd check\win32
+nmake /nologo -f namedcheckconf.mak CFG="namedcheckconf - Win32 Release"  NO_EXTERNAL_DEPS="1"
+nmake /nologo -f namedcheckzone.mak CFG="namedcheckzone - Win32 Release"  NO_EXTERNAL_DEPS="1"
+copy ..\*.html ..\..\..\Build\Release
+cd ..\..
+
+cd dnssec\win32
+nmake /nologo -f keygen.mak CFG="keygen - Win32 Release"  NO_EXTERNAL_DEPS="1"
+nmake /nologo -f makekeyset.mak CFG="makekeyset - Win32 Release"  NO_EXTERNAL_DEPS="1"
+nmake /nologo -f signkey.mak CFG="signkey - Win32 Release"  NO_EXTERNAL_DEPS="1"
+nmake /nologo -f signzone.mak CFG="signzone - Win32 Release"  NO_EXTERNAL_DEPS="1"
+copy ..\*.html ..\..\..\Build\Release
+cd ..\..
+
+rem This is the BIND 9 Installer
+
+cd win32\BINDInstall
+nmake /nologo -f BINDInstall.mak CFG="BINDInstall - Win32 Release"  NO_EXTERNAL_DEPS="1"
+cd ..\..
+
+cd ..
+
+cd win32utils
+
+echo Done.
+
+rem exit here.
diff --git a/win32utils/BuildOpenSSL.bat b/win32utils/BuildOpenSSL.bat
deleted file mode 100644
index 7d597f32..00000000
--- a/win32utils/BuildOpenSSL.bat
+++ /dev/null
@@ -1,26 +0,0 @@
-echo off

-rem

-rem Copyright (C) 2007  Internet Systems Consortium, Inc. ("ISC")

-rem 

-rem Permission to use, copy, modify, and distribute this software for any

-rem purpose with or without fee is hereby granted, provided that the above

-rem copyright notice and this permission notice appear in all copies.

-rem 

-rem THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH

-rem REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY

-rem AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,

-rem INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM

-rem LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE

-rem OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR

-rem PERFORMANCE OF THIS SOFTWARE.

-

-rem BuildOpenSSL.bat

-rem This script copys the OpenSSL dlls into place.

-rem This script may be modified by updateopenssl.pl.

-

-echo Copying the OpenSSL DLL.

-

-copy ..\..\openssl-0.9.8d\out32dll\libeay32.dll ..\Build\Release\

-copy ..\..\openssl-0.9.8d\out32dll\libeay32.dll ..\Build\Debug\

-

-rem Done

diff --git a/win32utils/BuildSetup.bat b/win32utils/BuildSetup.bat
index 66ef08af..d59d7908 100644
--- a/win32utils/BuildSetup.bat
+++ b/win32utils/BuildSetup.bat
@@ -1,106 +1,56 @@
-echo off

-rem

-rem Copyright (C) 2004,2005  Internet Systems Consortium, Inc. ("ISC")

-rem Copyright (C) 2001-2003  Internet Software Consortium.

-rem

-rem Permission to use, copy, modify, and distribute this software for any

-rem purpose with or without fee is hereby granted, provided that the above

-rem copyright notice and this permission notice appear in all copies.

-rem

-rem THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH

-rem REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY

-rem AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,

-rem INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM

-rem LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE

-rem OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR

-rem PERFORMANCE OF THIS SOFTWARE.

-

-rem BuildSetup.bat

-rem This script sets up the files necessary ready to build BIND 9.

-rem This requires perl to be installed on the system.

-

-rem Get and update for the latest build of the openssl library

-perl updateopenssl.pl

-

-rem Set up the configuration file

-cd ..

-copy config.h.win32 config.h

-cd win32utils

-

-rem Generate the version information

-perl makeversion.pl

-

-rem Generate header files for lib/dns

-

-call dnsheadergen.bat

-

-rem Make sure that the Build directories are there.

-

-if NOT Exist ..\Build mkdir ..\Build

-if NOT Exist ..\Build\Release mkdir ..\Build\Release

-if NOT Exist ..\Build\Debug mkdir ..\Build\Debug

-

-echo Copying the ARM and the Installation Notes.

- 

-copy ..\COPYRIGHT ..\Build\Release

-copy ..\README ..\Build\Release

-copy readme1st.txt ..\Build\Release

-copy index.html ..\Build\Release

-copy ..\doc\arm\*.html ..\Build\Release

-copy ..\doc\arm\Bv9ARM.pdf ..\Build\Release

-copy ..\CHANGES ..\Build\Release

-copy ..\FAQ ..\Build\Release

-

-echo Copying the standalone manual pages.

-

-copy ..\bin\named\named.html ..\Build\Release

-copy ..\bin\rndc\*.html ..\Build\Release

-copy ..\bin\dig\*.html ..\Build\Release

-copy ..\bin\nsupdate\*.html ..\Build\Release

-copy ..\bin\check\*.html ..\Build\Release

-copy ..\bin\dnssec\*.html ..\Build\Release

-

-echo Copying the migration notes.

-

-copy ..\doc\misc\migration ..\Build\Release

-copy ..\doc\misc\migration-4to9 ..\Build\Release

- 

-call BuildOpenSSL.bat

-

-rem

-rem set vcredist here so that it is correctly expanded in the if body 

-rem

-set vcredist=BootStrapper\Packages\vcredist_x86\vcredist_x86.exe

-

-if Defined FrameworkSDKDir (

-

-rem

-rem vcredist_x86.exe path relative to FrameworkSDKDir

-rem

-

-if Exist "%FrameworkSDKDir%\%vcredist%" (

-

-echo Copying Visual C x86 Redistributable Installer

-

-rem

-rem Use /Y so we allways have the current version of the installer.

-rem

-

-copy /Y "%FrameworkSDKDir%\%vcredist%" ..\Build\Release\

-copy /Y "%FrameworkSDKDir%\%vcredist%" ..\Build\Debug\

-

-) else (

-	echo "**** %FrameworkSDKDir%\%vcredist% not found ****"

-)

-) else (

-	echo "**** Warning FrameworkSDKDir not defined ****"

-	echo "****         Run vsvars32.bat            ****"

-)

-

-echo Running Message Compiler

-

-cd ..\lib\win32\bindevt

-mc bindevt.mc

-cd ..\..\..\win32utils

-

-rem Done

+echo off
+rem
+rem Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+rem Copyright (C) 2001-2002  Internet Software Consortium.
+rem 
+rem Permission to use, copy, modify, and distribute this software for any
+rem purpose with or without fee is hereby granted, provided that the above
+rem copyright notice and this permission notice appear in all copies.
+rem 
+rem THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+rem REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+rem AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+rem INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+rem LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+rem OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+rem PERFORMANCE OF THIS SOFTWARE.
+
+rem BuildSetup.bat
+rem This script sets up the files necessary ready to build BIND 9.
+rem This requires perl to be installed on the system.
+
+rem Set up the configuration file
+cd ..
+copy config.h.win32 config.h
+cd win32utils
+
+rem Generate the version information
+perl makeversion.pl
+
+rem Generate header files for lib/dns
+
+call dnsheadergen.bat
+
+echo Ensure that the OpenSSL sources are at the same level in
+echo the directory tree and is named openssl-0.9.6k or libdns
+echo will not build. 
+
+rem Make sure that the Build directories are there.
+
+if NOT Exist ..\Build mkdir ..\Build
+if NOT Exist ..\Build\Release mkdir ..\Build\Release
+
+echo Copying the ARM and the Installation Notes.
+
+copy ..\COPYRIGHT ..\Build\Release
+copy readme1st.txt ..\Build\Release
+copy ..\doc\arm\*.html ..\Build\Release
+copy ..\CHANGES ..\Build\Release
+copy ..\FAQ ..\Build\Release
+
+echo Copying the OpenSSL DLL.
+
+copy ..\..\openssl-0.9.6k\out32dll\libeay32.dll ..\Build\Release\
+
+
+rem Done
diff --git a/win32utils/dnsheadergen.bat b/win32utils/dnsheadergen.bat
index 83f6268e..09422fe8 100644
--- a/win32utils/dnsheadergen.bat
+++ b/win32utils/dnsheadergen.bat
@@ -1,26 +1,26 @@
-echo off

-rem

-rem Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")

-rem Copyright (C) 2001,2003  Internet Software Consortium.

-rem

-rem Permission to use, copy, modify, and distribute this software for any

-rem purpose with or without fee is hereby granted, provided that the above

-rem copyright notice and this permission notice appear in all copies.

-rem

-rem THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH

-rem REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY

-rem AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,

-rem INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM

-rem LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE

-rem OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR

-rem PERFORMANCE OF THIS SOFTWARE.

-

-cd ..\lib\dns

-cd win32

-nmake /nologo /f gen.mak CFG="gen - Win32 Release"  NO_EXTERNAL_DEPS="1"

-cd ..

-gen -s . -t > include/dns/enumtype.h

-gen -s . -c > include/dns/enumclass.h

-gen -s . -i -P ./rdata/rdatastructpre.h -S ./rdata/rdatastructsuf.h > include/dns/rdatastruct.h

-gen -s . > code.h

-cd ..\..\win32utils

+echo off
+rem
+rem Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+rem Copyright (C) 2001-2002  Internet Software Consortium.
+rem 
+rem Permission to use, copy, modify, and distribute this software for any
+rem purpose with or without fee is hereby granted, provided that the above
+rem copyright notice and this permission notice appear in all copies.
+rem 
+rem THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+rem REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+rem AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+rem INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+rem LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+rem OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+rem PERFORMANCE OF THIS SOFTWARE.
+
+cd ..\lib\dns
+cd win32
+nmake /nologo /f gen.mak CFG="gen - Win32 Release"  NO_EXTERNAL_DEPS="1"
+cd ..
+gen -s . -t > include/dns/enumtype.h
+gen -s . -c > include/dns/enumclass.h
+gen -s . -i -P ./rdata/rdatastructpre.h -S ./rdata/rdatastructsuf.h > include/dns/rdatastruct.h
+gen -s . > code.h
+cd ..\..\win32utils
diff --git a/win32utils/index.html b/win32utils/index.html
deleted file mode 100644
index 75b51ae2..00000000
--- a/win32utils/index.html
+++ /dev/null
@@ -1,54 +0,0 @@
-<!--
- - Copyright (C) 2006  Internet Systems Consortium, Inc. ("ISC")
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: index.html,v 1.1.4.3 2006/10/02 07:16:12 marka Exp $ -->
-
-<html>
-<head>
-<title>Bind9 docs index</title>
-</head>
-<body>
-<big><b>Bind 9.x documents</b></big>
-<ul>
-    <li><a href="readme1st.txt">readme1st.txt</a> |
-    <a href="README">README</a>
-    <li><a href="FAQ">FAQ</a> |
-    <a href="CHANGES">CHANGES</a> |
-    <a href="COPYRIGHT">COPYRIGHT</a>
-    <li>Migration: <a href="migration">v8 to v9</a> |
-    <a href="migration-4to9">v4 to v9</a>
-    <li><a href="named.html">named</a> |
-    <a href="Bv9ARM.html"><b>BIND 9 Administrator Reference Manual</b></a> (ARM) |
-    <a href="Bv9ARM.pdf">ARM</a> (PDF version)
-</ul>
-<b>BIND tools:</b>
-<ul>
-    <li><a href="dig.html">dig</a><br>
-    <li><a href="dnssec-keygen.html">dnssec-keygen</a> |
-    <a href="dnssec-signkey.html">dnssec-signkey</a> |
-    <a href="dnssec-signzone.html">dnssec-signzone</a>
-    <li><a href="host.html">host</a>
-    <li>
-    <a href="named-checkconf.html">named-checkconf</a> |
-    <a href="named-checkzone.html">named-checkzone</a>
-    <li><a href="nslookup.html">nslookup</a>
-    <li><a href="nsupdate.html">nsupdate</a>
-    <li><a href="rndc.html">rndc</a> |
-    <a href="rndc.conf.html">rndc.conf</a> |
-    <a href="rndc-confgen.html">rndc-confgen</a>
-</ul>
-</body>
-</html>
diff --git a/win32utils/makedefs.pl b/win32utils/makedefs.pl
index 49334a57..db3a7f98 100644
--- a/win32utils/makedefs.pl
+++ b/win32utils/makedefs.pl
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: makedefs.pl,v 1.5.2.1 2004/03/09 06:12:48 marka Exp $
+# $Id: makedefs.pl,v 1.5.206.1 2004/03/06 13:16:25 marka Exp $
 
 # makedefs.pl
 # This script goes through all of the lib header files and creates a .def file
diff --git a/win32utils/makeversion.pl b/win32utils/makeversion.pl
index 6464c4da..94667b6b 100644
--- a/win32utils/makeversion.pl
+++ b/win32utils/makeversion.pl
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: makeversion.pl,v 1.4.2.1 2004/03/09 06:12:48 marka Exp $ 
+# $Id: makeversion.pl,v 1.4.12.3 2004/03/08 09:05:15 marka Exp $ 
 
 # This script takes the version information from the version file located
 # at the root of the source tree and the api files in each library directory
@@ -24,12 +24,14 @@
 # This program was written by PDM. danny.mayer@nominum.com 1-Jul-2001.
 
 # List of directories with version files
-@dirlist = ("isc","dns","isccc","isccfg","lwres");
+@dirlist = ("isc","dns","isccc","isccfg","lwres","bind9");
 $LibMacros{"isc"} = "LIBISC_EXPORTS";
 $LibMacros{"dns"} = "LIBDNS_EXPORTS";
 $LibMacros{"isccc"} = "LIBISCCC_EXPORTS";
 $LibMacros{"isccfg"} = "LIBISCCFG_EXPORTS";
 $LibMacros{"lwres"} = "LIBLWRES_EXPORTS";
+$LibMacros{"bind9"} = "LIBBIND9_EXPORTS";
+
 
 @VersionNames = ("LIBINTERFACE", "LIBREVISION", "LIBAGE");
 $versionfile = "versions.h";
diff --git a/win32utils/readme1st.txt b/win32utils/readme1st.txt
index 771d6dbe..b0a66467 100644
--- a/win32utils/readme1st.txt
+++ b/win32utils/readme1st.txt
@@ -1,130 +1,122 @@
-Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")

-Copyright (C) 2001, 2003  Internet Software Consortium.

-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.

-

-$Id: readme1st.txt,v 1.7.2.9 2007/05/02 23:45:26 tbox Exp $

-

-	   Release of BIND 9.2 for Window 2000

-

-This is a maintenance release of BIND 9.2 for Window 2000.  Only

-IPv4 stacks are supported on the box running this version of BIND.

-IPv6 stacks will be supported in a future release.

-  

-	Kit Installation Information

-

-If you have previously installed BIND 8 or BIND 4 on the system that

-you wish to install this kit, you MUST use the BIND 8 or BIND 4 installer

-to uninstall the previous kit.  For BIND 8.2.x, you can use the

-BINDInstall that comes with the BIND 8 kit to uninstall it. The BIND 9

-installer will NOT uninstall the BIND 8 binaries.  That will be fixed

-in a future release.

-

-Unpack the kit into any convenient directory and run the BINDInstall

-program.  This will install the named and associated programs into

-the correct directories and set up the required registry keys.

-

-It is important that on Windows the directory directive is used in

-the options section to tell BIND where to find the files used in

-named.conf (default %WINDOWS%\system32\dns\etc\named.conf).

-

-e.g.

-        options {

-                directory "C:\WINDOWS\system32\dns\etc";

-        };

-

-	Controlling BIND

-

-Windows NT/2000 uses the same rndc program as is used on Unix

-systems.  The rndc.conf file must be configured for your system in

-order to work. You will need to generate a key for this. To do this

-use the rndc-confgen program. The program will be installed in the

-same directory as named: dns/bin/.  From the DOS prompt, use the

-command this way:

-

-rndc-confgen -a

-

-which will create a rndc.key file in the dns/etc directory. This will

-allow you to run rndc without an explicit rndc.conf file or key and

-control entry in named.conf file. See section 3.4.1.2 of the ARM for

-details of this. An rndc.conf can also be generated by running:

-

-rndc-confgen > rndc.conf

-

-which will create the rndc.conf file in the current directory, but not

-copy it to the dns/etc directory where it needs to reside. If you create

-rndc.conf this way you will need to copy the same key statement into

-named.conf.

-

-The additions look like the following:

-

-key "rndc-key" { algorithm hmac-md5; secret "xxxxxxxxx=="; };

-

-controls {

-	inet 127.0.0.1 port 953 allow { localhost; } keys { "rndc-key"; };

-};

-

-Note that the value of the secret must come from the key generated

-above for rndc and must be the same key value for both. Details of

-this may be found in section 3.4.1.2 of the ARM. If you have rndc

-on a Unix box you can use it to control BIND on the NT/W2K box as

-well as using the Windows version of rndc to control a BIND 9

-daemon on a Unix box. However you must have key statements valid for

-the servers you wish to control, specifically the IP address and key

-in both named.conf and rndc.conf. Again see section 3.4.1.2 of the

-ARM for details.

-

-In addition BIND is installed as a win32 system service, can be

-started and stopped in the same way as any other service and

-automatically starts whenever the system is booted. Signals are

-not supported and are in fact ignored.

-

-Note: Unlike most Windows applications, named does not, change its

-working directory when started as a service.  If you wish to use

-relative files in named.conf you will need to specify a working

-directory.

-

-	Documentation

-

-This kit includes Documentation in HTML format.  The documentation is not

-copied during the installation process so you should move it to any convenient

-location for later reference. Of particular importance is the BIND 9

-Administrator's Reference Manual (Bv9ARM*.html) which provides detailed

-information on BIND 9. In addition, there are HTML pages for each of the

-BIND 9 applications.

-

-	DNS Tools

-

-The following tools have been built for Windows NT: dig, nslookup, host,

-nsupdate, rndc, rndc-confgen, named-checkconf, named-checkzone, dnssec-keygen,

-dnssec-makekeyset, dnssec-signkey, dnssec-signzone. The tools will NOT run on

-Win9x, only WinNT and Win2000. The latter tools are for use with DNSSEC. All

-tools are installed in the dns/bin directory.

-

-IMPORTANT NOTE ON USING THE TOOLS:

-If you wish to use nsupdate on a win32 platform to do dynamic updates

-to a zone you MUST create a resolv.conf in the System32\Drivers\etc

-directory containing a list of nameserver addresses to use to find

-the nameserver authoritative for the zone. The format of this file is:

-

-nameserver 1.2.3.4

-nameserver 5.6.7.8

-

-Replace the IP addresses with your real addresses.  127.0.0.1 is a valid

-address if you are running a nameserver on the localhost. 

-

-In addition, if you use dig, host or nslookup, you will need this

-file on the system where you are running these tools unless you have

-BIND running on that system.

-

-This will be fixed in a future release.

-

-Messages are logged to the Application log in the EventViewer.

-

-	Problems

-

-Please report all problems to bind9-bugs@isc.org and not to me. All

-other questions should go to the bind-users@isc.org mailing list or the

-comp.protocol.dns.bind news group.

-

-	Danny Mayer

-

+Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+Copyright (C) 2001, 2003  Internet Software Consortium.
+See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+
+$Id: readme1st.txt,v 1.7.2.4.4.1 2004/03/06 13:16:25 marka Exp $
+
+	   Release of BIND 9.2.2 for Window NT/2000
+
+This is a maintenance release of BIND 9.2 for Window NT/2000.  Only
+IPv4 stacks are supported on the box running this version of BIND.
+IPv6 stacks will be supported in a future release.
+  
+	Kit Installation Information
+
+If you have previously installed BIND 8 or BIND 4 on the system that
+you wish to install this kit, you MUST use the BIND 8 or BIND 4 installer
+to uninstall the previous kit.  For BIND 8.2.x, you can use the
+BINDInstall that comes with the BIND 8 kit to uninstall it. The BIND 9
+installer will NOT uninstall the BIND 8 binaries.  That will be fixed
+in a future release.
+
+Unpack the kit into any convenient directory and run the BINDInstall
+program.  This will install the named and associated programs into
+the correct directories and set up the required registry keys.
+
+	Controlling BIND
+
+Windows NT/2000 uses the same rndc program as is used on Unix
+systems.  The rndc.conf file must be configured for your system in
+order to work. You will need to generate a key for this. To do this
+use the rndc-confgen program. The program will be installed in the
+same directory as named: dns/bin/.  From the DOS prompt, use the
+command this way:
+
+rndc-confgen -a
+
+which will create a rndc.key file in the dns/etc directory. This will
+allow you to run rndc without an explicit rndc.conf file or key and
+control entry in named.conf file. See section 3.4.1.2 of the ARM for
+details of this. An rndc.conf can also be generated by running:
+
+rndc-confgen > rndc.conf
+
+which will create the rndc.conf file in the current directory, but not
+copy it to the dns/etc directory where it needs to reside. If you create
+rndc.conf this way you will need to copy the same key statement into
+named.conf.
+
+The additions look like the following:
+
+key "rndc-key" { algorithm hmac-md5; secret "xxxxxxxxx=="; };
+
+controls {
+	inet 127.0.0.1 port 953 allow { localhost; } keys { "rndc-key"; };
+};
+
+Note that the value of the secret must come from the key generated
+above for rndc and must be the same key value for both. Details of
+this may be found in section 3.4.1.2 of the ARM. If you have rndc
+on a Unix box you can use it to control BIND on the NT/W2K box as
+well as using the Windows version of rndc to control a BIND 9
+daemon on a Unix box. However you must have key statements valid for
+the servers you wish to control, specifically the IP address and key
+in both named.conf and rndc.conf. Again see section 3.4.1.2 of the
+ARM for details.
+
+In addition BIND is installed as a win32 system service, can be
+started and stopped in the same way as any other service and
+automatically starts whenever the system is booted. Signals are
+not supported and are in fact ignored.
+
+Note: Unlike most Windows applications, named does not, change its
+working directory when started as a service.  If you wish to use
+relative files in named.conf you will need to specify a working
+directory.
+
+	Documentation
+
+This kit includes Documentation in HTML format.  The documentation is not
+copied during the installation process so you should move it to any convenient
+location for later reference. Of particular importance is the BIND 9
+Administrator's Reference Manual (Bv9ARM*.html) which provides detailed
+information on BIND 9. In addition, there are HTML pages for each of the
+BIND 9 applications.
+
+	DNS Tools
+
+The following tools have been built for Windows NT: dig, nslookup, host,
+nsupdate, rndc, rndc-confgen, named-checkconf, named-checkzone, dnssec-keygen,
+dnssec-makekeyset, dnssec-signkey, dnssec-signzone. The tools will NOT run on
+Win9x, only WinNT and Win2000. The latter tools are for use with DNSSEC. All
+tools are installed in the dns/bin directory.
+
+IMPORTANT NOTE ON USING THE TOOLS:
+If you wish to use nsupdate on a win32 platform to do dynamic updates
+to a zone you MUST create a resolv.conf in the System32\Drivers\etc
+directory containing a list of nameserver addresses to use to find
+the nameserver authoritative for the zone. The format of this file is:
+
+nameserver 1.2.3.4
+nameserver 5.6.7.8
+
+Replace the IP addresses with your real addresses.  127.0.0.1 is a valid
+address if you are running a nameserver on the localhost. 
+
+In addition, if you use dig, host or nslookup, you will need this
+file on the system where you are running these tools unless you have
+BIND running on that system.
+
+This will be fixed in a future release.
+
+Messages are logged to the Application log in the EventViewer.
+
+	Problems
+
+Please report all problems to bind9-bugs@isc.org and not to me. All
+other questions should go to the bind-users@isc.org mailing list or the
+comp.protocol.dns.bind news group.
+
+	Danny Mayer
+	danny.mayer@nominum.com
+
diff --git a/win32utils/updateopenssl.pl b/win32utils/updateopenssl.pl
deleted file mode 100644
index f5d4d1b4..00000000
--- a/win32utils/updateopenssl.pl
+++ /dev/null
@@ -1,106 +0,0 @@
-#!/usr/bin/perl
-#
-# Copyright (C) 2006, 2007  Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: updateopenssl.pl,v 1.3.8.5 2007/08/06 07:23:12 tbox Exp $
-
-# updateopenssl.pl
-# This script locates the latest version of OpenSSL in the grandparent
-# directory and updates the build scripts to use that version.
-#
-# Path and directory
-$path = "..\\..\\";
-
-# List of files that need to be updated with the actual version of the
-# openssl directory
-@filelist = ("BuildOpenSSL.bat",
-             "../lib/dns/win32/libdns.mak",
-             "../lib/dns/win32/libdns.dsp");
-
-# Locate the openssl directory
-$substr = getdirectory();
-if ($substr eq 0) {
-     print "No directory found\n";
-}
-else {
-     print "Found $substr directory\n";
-}
-#Update the list of files
-if ($substr ne 0) {
-   $ind = 0;
-   foreach $file (@filelist) {
-        print "Updating file $file\n";
-	updatefile($file, $substr);
-	$ind++;
-   }
-}
-
-# Function to find the
-sub getdirectory {
-    my(@namelist);
-    my($file, $name);
-    my($cnt);
-    opendir(DIR,$path) || die "No Directory: $!";
-    @namelist = grep (/^openssl-[0-9]+\.[0-9]+\.[0-9]+[a-z]$/i, readdir(DIR));
-    closedir(DIR);
-
-    # Make sure we have something
-    if (scalar(@namelist) == 0) {
-        return (0);
-    }
-    # Now see if we have a directory or just a file.
-    # Make sure we are case insensitive
-    foreach $file (sort {uc($a) cmp uc($b)} @namelist) {
-        if (-d $path.$file) {
-           $name = $file;
-        }
-    }
-
-    # If we have one use it otherwise report the error
-    # Note that we are only interested in the last one
-    # since the sort should have taken care of getting
-    # the latest
-    if (defined($name)) {
-        return ($name);
-    }
-    else {
-        return (0);
-    }
-}
-
-# function to replace the openssl directory name with the latest one
-sub updatefile {
-        my($filename, $substr, $line);
-        my(@Lines);
-
-        $filename = $_[0];
-        $substr   = $_[1];
-
-        open (RFILE, $filename) || die "Can't open file $filename: $!";
-        @Lines = <RFILE>;
-        close (RFILE);
-
-        # Replace the string
-        foreach $line (@Lines) {
-                $line =~ s/openssl-[0-9]+\.[0-9]+\.[0-9]+[a-z]/$substr/gi;
-        }
-        #update the file
-        open (RFILE, ">$filename") || die "Can't open file $filename: $!";
-        foreach $line (@Lines) {
-               print RFILE $line;
-        }
-        close(RFILE);
-}
-
diff --git a/win32utils/win32-build.txt b/win32utils/win32-build.txt
index b132f65f..fcc8b59c 100644
--- a/win32utils/win32-build.txt
+++ b/win32utils/win32-build.txt
@@ -1,112 +1,112 @@
-Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")

-Copyright (C) 2001, 2003  Internet Software Consortium.

-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.

-

-$Id: win32-build.txt,v 1.5.2.2 2004/03/09 06:12:49 marka Exp $

-

-       BIND 9.2.0 Beta for Win32 Source Build Instructions.  28-Jul-2001

-

-Building BIND 9.2 on Windows NT/2000 has two prerequisites:

-1) You need to install Perl for Windows NT/2000. ActiveState

-(http://www.activestate.com/) is the one most people install and use;

-2) OpenSSL (http://www.openssl.org) needs to be downloaded and built

-on the system on which you are building BIND.

-

-The instructions assume a Visual C++ 6.0 compiler with Visual Studio and

-Visual Studio Service Pack 3 or later. It may build and work with earlier

-versions but it has not been tested. The binaries may be built and run on

-any of the following platforms: NT 4.0 Workstation (SP3 or later), NT 4.0

-Server (SP3 or later), Windows 2000 Professional (SP1 or later),

-Windows 2000 Server or any kind (SP1 or later). It should run on the

-to-be-released Windows XP platforms of various flavors. It will NOT build

-or run on Windows 95, Windows 98, etc. platforms.

-

-Step 1: Download and Build OpenSSL

-

-Download and untar the OpenSSL sources from http://www.openssl.org/.

-if you have place the BIND sources in /BIND9 you should place the

-OpenSSL sources in /OpenSSL-0.9.6b. If you place the sources anywhere

-else you will have to edit the libdns.dsp or libdns.mak files to point

-the include directories and the link library location to the correct

-places as well as move the DLL to the BUILD/Release subdirectory.

-

-Note: Building OpenSSL also requires that you install Perl as it uses

-it during its build process. Follow the instructions for NT given

-in the INSTALL.W32 file to build the kit. This will produce libeay32.lib

-and libeay32.dll in the out32dll subdirectory. 

-

-

-Step 2 Building BIND

-

-From the command prompt cd to the win32utils under the BIND root.

-Execute the BuildAll.bat file. This will do the following:

-1) copy config.h.win32 to config.h in the root.

-2) create the versions.h file in the root.

-3) Build the gen application in the lib/dns directory.

-4) Run the gen application and build the required lib/dns header

-   files.

-5) Create the Build/Release subdirectory under the root of the BIND

-   source tree which will hold the binaries being built.

-6) Build the libraries, named, application tools like dig, rndc

-   dnssec tools, installer, checkconf and checkzones programs,

-   BIND 9 Installer.

-7) Copies the release notes and the OpenSSL DLL to the BUILD/Release

-   directory.

-8) Copies the BIND 9 ARM HTML files and the application HTML files

-   to the Build\Release area.

-

-If you wish to use Visual Studio for building, you can just run the

-BuildSetup.bat file which will create all the necessary files and you

-can then use the BINDBuild.dsw to open the workspace for all of the

-libraries and applications. These files reside in the same win32utils

-directory as this file.

-

-The following files are built:

-

-libisc.dll

-libdns.dll

-libisccc.dll

-libisccfg.dll

-liblwres.dll

-named.exe

-bindevt.dll 

-BINDInstall.exe

-

-rndc.exe

-dig.exe

-host.exe

-nslookup.exe

-nsupdate.exe

-

-named-checkconf.exe

-named-checkzone.exe

-

-dnssec-keygen.exe

-dnssec-makekeyset.exe

-dnssec-signkey.exe

-dnssec-signzone.exe

-

-You should end up with 20 binaries in the bind9/Build/Release

-directory. The Install instructions Readme1st.txt from win32utils

-and libeay32.dll from the openssl/out32dll/ directory are also copied

-into the Build area. In addition you should have 22 HTML files.

-

-The set of files in the directory bind9/Build/Release form the

-installation kit which can then be zipped and distributed to any

-suitable Windows NT 4.0 or Windows 2000 platform.

-

-Installation is accomplished by running the BINDInstall program. All DLL's

-are copied to the system32 area and all applications (including BINDInstall

-which may be necessary for uninstalling BIND 9) to the dns/bin directory.

-If BIND 8 has previously been installed on the system it must be uninstalled

-first by running it's own BINDInstall program.  The BIND 9 installer does

-not yet do this.

-

-All bugs found, whether in the process of building the application or

-running BIND or the tools should be reported to the bind9 bugs email

-account at bind9-bugs@isc.org.

-

-	Danny Mayer

-	danny.mayer@nominum.com

-

-

+Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+Copyright (C) 2001, 2002  Internet Software Consortium.
+See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+
+$Id: win32-build.txt,v 1.5.2.1.4.2 2004/03/08 09:05:15 marka Exp $
+
+       BIND 9.2.0 Beta for Win32 Source Build Instructions.  28-Jul-2001
+
+Building BIND 9.2 on Windows NT/2000 has two prerequisites:
+1) You need to install Perl for Windows NT/2000. ActiveState
+(http://www.activestate.com/) is the one most people install and use;
+2) OpenSSL (http://www.openssl.org) needs to be downloaded and built
+on the system on which you are building BIND.
+
+The instructions assume a Visual C++ 6.0 compiler with Visual Studio and
+Visual Studio Service Pack 3 or later. It may build and work with earlier
+versions but it has not been tested. The binaries may be built and run on
+any of the following platforms: NT 4.0 Workstation (SP3 or later), NT 4.0
+Server (SP3 or later), Windows 2000 Professional (SP1 or later),
+Windows 2000 Server or any kind (SP1 or later). It should run on the
+to-be-released Windows XP platforms of various flavors. It will NOT build
+or run on Windows 95, Windows 98, etc. platforms.
+
+Step 1: Download and Build OpenSSL
+
+Download and untar the OpenSSL sources from http://www.openssl.org/.
+if you have place the BIND sources in /BIND9 you should place the
+OpenSSL sources in /OpenSSL-0.9.6b. If you place the sources anywhere
+else you will have to edit the libdns.dsp or libdns.mak files to point
+the include directories and the link library location to the correct
+places as well as move the DLL to the BUILD/Release subdirectory.
+
+Note: Building OpenSSL also requires that you install Perl as it uses
+it during its build process. Follow the instructions for NT given
+in the INSTALL.W32 file to build the kit. This will produce libeay32.lib
+and libeay32.dll in the out32dll subdirectory. 
+
+
+Step 2 Building BIND
+
+From the command prompt cd to the win32utils under the BIND root.
+Execute the BuildAll.bat file. This will do the following:
+1) copy config.h.win32 to config.h in the root.
+2) create the versions.h file in the root.
+3) Build the gen application in the lib/dns directory.
+4) Run the gen application and build the required lib/dns header
+   files.
+5) Create the Build/Release subdirectory under the root of the BIND
+   source tree which will hold the binaries being built.
+6) Build the libraries, named, application tools like dig, rndc
+   dnssec tools, installer, checkconf and checkzones programs,
+   BIND 9 Installer.
+7) Copies the release notes and the OpenSSL DLL to the BUILD/Release
+   directory.
+8) Copies the BIND 9 ARM HTML files and the application HTML files
+   to the Build\Release area.
+
+If you wish to use Visual Studio for building, you can just run the
+BuildSetup.bat file which will create all the necessary files and you
+can then use the BINDBuild.dsw to open the workspace for all of the
+libraries and applications. These files reside in the same win32utils
+directory as this file.
+
+The following files are built:
+
+libisc.dll
+libdns.dll
+libisccc.dll
+libisccfg.dll
+liblwres.dll
+named.exe
+bindevt.dll 
+BINDInstall.exe
+
+rndc.exe
+dig.exe
+host.exe
+nslookup.exe
+nsupdate.exe
+
+named-checkconf.exe
+named-checkzone.exe
+
+dnssec-keygen.exe
+dnssec-makekeyset.exe
+dnssec-signkey.exe
+dnssec-signzone.exe
+
+You should end up with 20 binaries in the bind9/Build/Release
+directory. The Install instructions Readme1st.txt from win32utils
+and libeay32.dll from the openssl/out32dll/ directory are also copied
+into the Build area. In addition you should have 22 HTML files.
+
+The set of files in the directory bind9/Build/Release form the
+installation kit which can then be zipped and distributed to any
+suitable Windows NT 4.0 or Windows 2000 platform.
+
+Installation is accomplished by running the BINDInstall program. All DLL's
+are copied to the system32 area and all applications (including BINDInstall
+which may be necessary for uninstalling BIND 9) to the dns/bin directory.
+If BIND 8 has previously been installed on the system it must be uninstalled
+first by running it's own BINDInstall program.  The BIND 9 installer does
+not yet do this.
+
+All bugs found, whether in the process of building the application or
+running BIND or the tools should be reported to the bind9 bugs email
+account at bind9-bugs@isc.org.
+
+	Danny Mayer
+	danny.mayer@nominum.com
+
+